Whispers & Screams
And Other Things

OSPF DR and BDR Election

Participating routers in an OSPF network have varying roles to play in ensuring that the processes which route the data around the network maintain a true and accurate picture of the network topology. The two primary roles in this structure are the Designated Router (DR) and the Backup Designated Router (BDR). Their roles, whilst primarily aimed at maintaining network function from a routing perspective, are equally focused on ensuring that network bandwidth used to accomplish this is used judiciously.

An Election

Consider a multi-access environment (such as LAN or MAN), where three or more routers are connected together. If all the routers in the OSPF network had to form adjacencies with every other OSPF router present, forming a fully meshed OSPF adjacency network, the resultant conceptualised routing mesh would be overly chatty flooding Link State Advertisements (LSAs) with each and every other OSPF router. As a direct result, router CPU load and network bandwidth would be consumed wastefully. OSPF is designed to be far more efficient in its use of these resources, and, in order to prevent this from happening, OSPF holds an election process to determine and fill roles named Designated Router (DR) and a Backup Designated Router (BDR) so that the workload of propagating routing information around the network is more effectively managed. Election for the DR and BDR is determined primarily on the Router Priority (which by default is 1) and the Router ID. If the value of the router interface priority is changed to 0, it prevents that router from becoming the DR or the BDR.

Router priority can be adjusted on Cisco routers on a per interface basis. The Router ID however is a 32-bit number that uniquely identifies the router in the Autonomous System. One algorithm for Router ID assignment is to choose the largest or smallest IP address assigned to the router. If a router's OSPF Router ID is changed, the router's OSPF software should be restarted before the new Router ID takes effect. Before restarting in order to change its Router ID, the router should flush its self-originated LSAs from the routing domain or they will persist for up to MaxAge minutes. Cisco uses a method that some other vendors choose to follow, but it is not a requirement. If you have a loopback interface, since that's the most stable interface on your router, that will be used. If there is no loopback interface, the highest IP address on the router is used. If there is more than one loopback then the highest of them is used. In many elections in OSPF, the higher RID wins. this is the logic for choosing higher over lower. It should be noted however that you can manually specify an RID that isn't even a valid ip address such as


The DR is the router which receives LSAs and other updates when there is a change in the inter-neighbor communications. These LSAs are sent out by the DROTHERS routers (all non-DR/BDR routers), and consequently, any further updates are propagated by the DR to the rest of the DROTHERS routers. The show ip ospf neighbor command, when executed, indicates the non-DR/BDR routers as DROTHERS. Every network segment in OSPF has a DR and a BDR.

The Process

What actually happens is that whenever there is a change in network routing status, instead of flooding each and every path with LSAs advertising new information about network topology, the update is only sent to the DR. The DR then takes on this job and floods the routers in its network segment with the update. If the DR fails or is not functioning, the BDR takes over. When this happens, the BDR replaces the existing DR as the new Designated Router, and a new BDR is elected.

Continue reading
1366 Hits

Configuring 3G Wireless WAN on Modular and Fixed ISRs (HWIC-3G-GSM, HWIC-3G-HSPA, PCEX-3G-HSPA-x)

Cisco Integrated Services Routers are branch routers which support the new paradigms of network traffic delivery in the cloud and on the move. They provide Internet connectivity to teleworkers, and minor sites supporting less than 20 users. They also support bridging and routing between the LAN and the WAN whilst providing many advanced features such as antivirus protection.


The Third Generation (3G) Wireless High-Speed WAN Interface Card (HWIC) is a multiband, multiservice WAN card for use over WCDMA Radio Access Networks (RAN).


Both the fixed and the modular 3G routers can be used as the primary WAN connectivity and as a backup for critical applications which require a fallback service. 3G WAN is supported on the following modular Cisco ISRs: 800, 1841, 1861, 2800 series, 3800 series, 1900, 2900 and 3900.


One of the first actions required will be to configure a new 3G HWIC data profile.


To configure your 3G HWIC data profile, you will need the following information from your service provider:


Username (if required by your carrier)


Password (if required by your carrier)


Access Point Name (APN)


Once obtained, we can begin to set up the 3G features on the equipment itself by following these procedures:

    1. Data Account Provisioning


    1. Data Call Setup


    1. Voice Initiated Data Callback or Remote Dial-in (Optional)

In order to provision our data account we must have first obtained the key information from the service provider. The next priority is to ensure that we have the necessary service availability and signal strength in order for the connection to work. We need to use the following commands to examine the services available on the 3G network at the location in question.

    1. show cellular network - This displays info about the carrier network.


    1. show cellular radio - This shows the signal strength. We are looking for RSSI of -90dBm for a steady and reliable connection.


    1. show cellular security - This shows SIM lock status and modem lock status.

Once we have determined that the conditions are favourable we can go ahead and set up a modem data profile. To examine the existing data profiles configured on the equipment use the command show cellular profile. 

Assuming the profile we need is not already created we will need to go ahead and create it. In order to do this we use the command cellular gsm profile create . The syntax required is as follows:

cellular <slot/wic/port> gsm profile create <profile number> <apn> <authentication> <username> <password>

for example

cellular 0/0/0 gsm profile create 1 vodafone.apn chap 3guser 3guserpass

The data profile parameters are as follows:

    • apn - Access Point Name - This must be obtained from the service provider


    • authentication - Usually chap or pap


    • username - provided by service provider


    • password - provided by service provider

Once the data profile is properly set we then look to set up the parameters for the correct operation of the data call.

Firstly it is necessary to configure the cellular interface. The steps in summary are as follows:

1. configure terminal


2. interface cellular <slot/wic/port>


3. encapsulation ppp


4. ppp chap hostname <host>


5. ppp chap password 0 <password>


6. asynchronous mode interactive


7. ip address negotiated


The authentication parameters used here must be the same as those configured under the earlier GSM profile.


Once this is configured we need only configure the dialer and the steps for doing this in summary are as follows:


1. configure terminal


2. interface cellular <slot/wic/port>


3. dialer in-band


4. dialer idle-timeout <seconds>


5. dialer string <string>


6. dialer group <number>


7. exit


8. dialer-list <dialer-group> protocol <protocol-name> {permit | deny | list <access-list-number> | access-group}>


9. ip access-list<access list number>permit <ip source address>


10. line <slot/wic/port>


11. script dialer <regexp>


12. exit


13. chat-script <script name> "" "ATDT*98*<profile number>#" TIMEOUT <timeout value> CONNECT


14. interface cellular <slot/wic/port>


So that should be it. Assuming the router is properly configured elsewhere, the traffic should begin to flow using the 3G interface and everything should be working just fine. Of course sometimes things dont work out quite so smoothly and I will publish a post soon detailing the steps needed to troubleshoot these types of connections when they dont work as planned.


I hope this summary is useful and would appreciate your comments using the form provided below.

Continue reading
2089 Hits

Cisco Open SOC

So a couple of days ago Cisco, it would seem, have finally released their new open source security analytics framework: OpenSOC to the developer community. OpenSOC sits conceptually at the intersection between Big Data and Security Analytics

OpensocThe current totalizer on the Breach Level Index website (breachlevelindex.com) sits at almost 2.4 billion data records lost this year so far which works out approximately 6 million per day. The levels of this data loss will not be dropping anytime soon as attackers are only going to get better at getting their hands on this information. There is hope however as even the best hackers leave clues in their wake although finding these clues in enormous amounts of analytical data such as logs and telemetry can be the biggest of challenges.

This is where OpenSOC will seek to make the crucial difference and bridge the gap. Incorporating a platform of anomaly detection and incident forensics, it integrates elements of the Hadoop environment such as Kafka, Elasticsearch and Storm to deliver a scalable platform enabling full-packet capture indexing, storage, data enrichment, stream processing, batch processing, real-time search and telemetry aggregation. It will seek to provide security professionals the facility to detect and react to complex threats on a single converged platform.

The OpenSOC framework provides three key elements for security analytics:

    1. Context

      An extremely high speed mechanism to capture and store security data. OpenSOC consumes data by delivering it to multiple high speed processors capable of heavy lift contextual analytics in tandem with appropriate storage enabling subsequent forensic investigations.


    1. Real-time Processing

      Application of enrichments such as threat intelligence, geolocation, and DNS information to collected telemetry providing for quick reaction investigations.


    1. Centralized Perspective

      The interface presents alert summaries with threat intelligence and enrichment data specific to an alert on a single page. The advanced search capabilities and full packet-extraction tools are available for investigation without the need to pivot between multiple tools.

When sensitive data is compromised, the company’s reputation, resources, and intellectual property is put at risk. Quickly identifying and resolving the issue is critical, but, traditional approaches to security incident investigation can be time-consuming. An analyst may need to take the following steps:

    1. Review reports from a Security Incident and Event Manager (SIEM) and run batch queries on other telemetry sources for additional context.


    1. Research external threat intelligence sources to uncover proactive warnings to potential attacks.


    1. Research a network forensics tool with full packet capture and historical records in order to determine context.

Apart from having to access several tools and information sets, the act of searching and analyzing the amount of data collected can take minutes to hours using traditional techniques. Security professionals can use a single tool to navigate data with narrowed focus instead of wasting precious time trying to make sense of mountains of unstructured data.

Continue reading
1652 Hits

Cisco Banners

A banner is a useful tool for sending a security message to selected visitors to the equipment. Cisco equipment uses four different banner types to provide different messages at different times and these types are exec process creation banner, incoming terminal line banner, login banner and message of the day banner.

Of these four types, message of the day is the most extensively used banner. Is message is seen by anybody connecting to the router whether they connect via Telnet, Aux port or Console port.



The image above shows the available types on the command line.

The most frequently seen type of banner is the Message of the day (MOTD) as mentioned above. When configuring this type of banner the following prompt is seen:



Router(config)#banner motd ?


LINE  c banner-text c, where 'c' is a delimiting character


Router(config)#banner motd #


Enter TEXT message.  End with the character '#'.


If you are not authorised to be using this router you must disconnect immediately.








20:25:12: %SYS-5-CONFIG_I: Configured from console by console




Router con0 is now available


Press enter to get started.


If you are not authorised to be using this router you must disconnect immediately.




The most important part to understand is the delimiting character—this is the element that’s used to tell the router when the message is complete. Any character can be used as a delimiting character, but you can’t use the delimiting character in the message itself. Also, once the message is complete, press Enter, then the delimiting character, and then Enter again.

Below are some details of the other banners discussed:
Exec banner You can configure a line-activation (exec) banner to be displayed when an EXEC process (such as a line activation or incoming connection to a VTY line) is created. By
simply starting a user exec session through a console port, you’ll activate the exec banner.
Incoming banner You can configure a banner to be displayed on terminals connected to reverse Telnet lines. This banner is useful for providing instructions to users who use reverse Telnet.
Login banner You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner but before the login prompts. The login banner can’t be disabled on a per-line basis, so to globally disable it, you’ve got to delete it with the no banner login command.

Here is an example of a login banner:
banner login ^C
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege
level of 15.
Please change these publicly known initial credentials using SDM or the IOS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
For more information about SDM please follow the instructions in the QUICK
START GUIDE for your router or go to http://www.cisco.com/go/sdm

The above login banner should look pretty familiar—it’s the banner that Cisco has in its default configuration for its ISR routers. Again, this banner is displayed before the login
prompts but after the MOTD banner.

Continue reading
1606 Hits