==================================
Gandalf Frequently-Asked-Questions
==================================

Version: 1.0
Date:    January 1, 1996

This document is a list of some frequently asked questions and answers
dealing with usage of the ISDN products manufactured by Gandalf Technologies.
(Gandalf makes other network products, but this FAQ focuses only on ISDN).
It contains a variety of (hopefully) interesting information and tips.

This document is developed by the Gandalf Users Group. This is NOT an
official Gandalf document; in fact, it is neither affiliated with nor
supported by Gandalf. Where possible, the content has been reviewed by
Gandalf for accuracy. However, Gandalf assumes no responsibility for the
content.

This document was written by John Dwyer of PG&E (jtd1@pge.com), along with
the excellent contributions by:

    Dan Newman     Innosoft    dan@innosoft.com
    Paul Wilson    Gandalf     pwilson@gandalf.ca

Your comments and contributions are welcome! If you would like to
contribute, or have topics you would like to see included, please contact
John Dwyer at jtd1@pge.com.

This document is available via anonymous ftp from:

    ftp.crl.com/ftp/users/jd/jdwyer/gandalf.faq

Gandalf Users Group Mailing List
--------------------------------

A mailing list is available, supported by the users. To join, send an
e-mail message to:

    To: listproc@pge.com
    subject: (leave blank)
    body of message: subscribe Gandalf-Users
    e.g. subscribe Gandalf Users Bart Simpson

For questions or administrivia regarding the mailing list, please contact
John Kennedy, jmk5@pge.com

(c) Copyright 1995 by John Dwyer
Permission granted to copy and/or use excerpts.
Document provided "as is". No warranty provided. Use at your own risk.

Table of Contents:

A. General ISDN Stuff
---------------------
A1. What's ISDN?
A2. What should I know about the telco switch?
A3. How should BRI be provisioned for a 5242i/5240?

B: Gandalf stuff
----------------
B1. What's a Gandalf?
B2. What equipment does Gandalf make?
B3. Where can I purchase Gandalf products?
B4. What ISDN terminal adapters are compatible with Gandalf hubs?
B5. Some details on vendor interoperability
    a. Ascend
B6. Some tips on connecting to other equipment
B7. Does my computer need anything special to connect with Gandalf equipment?

C: Software stuff
-----------------
C1. What software is used in the products?
C2. What are the differences between Teleworker and EdgeRouter software?
C3. How do I run the software?
C4. How can I upgrade system code or configurations remotely?
    a. How do I save/restore configurations over the network?
C5. What can I do if my new software upload gets screwed up?
C6. Some info on software release x.x

D: Phone stuff
--------------
D1. Can I use a digital (ISDN) phone and a 5242i on the same BRI?
D2. Can I use an analog (POTS) phone on a 5242i?
D3. How do I hook up modems to my hub?
D4. How can I configure my 5242 via the phone?

E: Routing
----------
E1. Should I route or bridge IP?
E2. Filtering overview
E3. Novell "spoofing"
E4. I want to assign IP addresses to my workstation dynamically. ... How?
E5. Can I use a Gandalf router/bridge to hook up to the Internet?
E6. How does Gandalf support Frame Relay?

F: Performance
--------------
F1. My connection won't come up! Help!
F2. My connection won't stay down! Help!
F3. How does Gandalf measure current line utilization?
F4. I get terrible performance in my Novell IPX (or other) file transfers.
F5. How does Gandalf implement compression?
F6. Why do I see lots of CRC errors? Why is my line so slow?
F7. Why can't I connect at 64K?

G: Security
-----------
G1. Does Gandalf support third-party security extensions like SecurID?
G2. How can I set up my Gandalf router as an Internet firewall?
G3. How can I protect against IP spoofing attacks?
G4. Does the Gandalf support Caller-ID/ANI authentication?
G5. How can I prevent incoming telnet console connections to my unit?

H: Management
-------------
H1. How can I log and account for calls?
H2. How can I debug a problem? What are all the debug commands?
H3. How can I manage multiple hubs?
H4. What's RADIUS? How can I use it? When will Gandalf support it?
H5. SNMP MIB

M: Miscellaneous stuff
----------------------
M1: ISDN Cause codes

ZZZzzz: What's new? (ho-hum)
----------------------------
B4: Added results for Gandalf from "PPP Interoperability Tests" in San Ramon
B5: New Section on vendor specifics, with Ascend details
B6: New section. Tips for interconnecting with other equipment
C3: Added more detail about terminal emulation software.
F1: Added info on Teleworker Remote ID entry preventing connect.
F7: New Section. Connecting at 64K.
G2: Added detail about setting up internet firewall
M1: New section. Standard ISDN cause codes.

-------------------------------------------------------------------------------
A1. What's ISDN?

ISDN stands for "Integrated Services Digital Network". It integrates data,
voice and video signals into a digital (as opposed to analog) telephone line.
The original ISDN standard, known as narrowband ISDN, has a maximum rate of
2Mbits/sec and works over copper cable. (The developing broadband ISDN
standard operates in the megabit-to-gigabit range).

Basic Rate Interface (BRI) is most commonly used in home and small office
installations. The service consists of two 64Kbits/sec channels for data
transmission (called bearer or "B" channels). In addition, a 16 Kbits/sec
"D" channel provides control and signaling info for the B channels.

For more details, try some of the resources below:

Books:
    "ISDN for Dummies"              Author: David Angell
    "ISDN Networking Essentials"    Author: Ed Tittel/Steve James
    "ISDN"                          Author: Gary Kessler
    "Using ISDN"                    Author: James Boyce   Publisher: Que

comp.dcom.isdn USENET news group.
    Generally good technical discussions and advice.
comp.dcom.isdn FAQ
    available at various locations; rtfm.mit.edu is a good start

Dan Kegel's ISDN Web Page:
    http://alumni.caltech.edu/~dank/isdn/

-------------------------------------------------------------------------------
A2. How should BRI be provisioned for a 5242i/5240?

In general, you want the line configured for both data and voice. There are
various manufacturer code configs that the phone companies are familiar with.
"Intel Blue" is one of the most common, and eventually the "Gandalf purple"
setup will be widely recognized as well.

-------------------------------------------------------------------------------
B1. What's a Gandalf?

"Gandalf the Grey" was a character in "The Hobbit". After succeeding in
bringing about Sauron's defeat, he emigrated from Middle Earth, lured by
Canada's liberal immigration policy. After failing in a restaurant venture,
he founded a company to manufacture network equipment.

This company was a success. Their products are sold worldwide, and they have
offices all over the place. In recent years, they have made a strategic
switch to emphasize the "remote connectivity" segment of the market.

Their headquarters are at:

    Gandalf Technologies, Inc.
    130 Colonnade Road South      Phone: 613-723-6500 or 1-800-GANDALF
    Nepean, Ontario, K2E 7M4      FAX:   613-226-1717
    Canada

-------------------------------------------------------------------------------
B2. What ISDN equipment does Gandalf make?

Basically, Gandalf makes two types of remote bridges/routers designed for the
home and small office. The LANline 5242i (now also known as the
XpressConnect) and the more powerful 5240. In the near future, the 5250, a
router, will be released.

For the central hub site, the basic models are the XpressStack, which
supports 8 BRI connections, and the chassis-design XpressWay, which can
support up to 6 PRI modules.

For more detail, check out Gandalf's web page: http://www.gandalf.ca

-------------------------------------------------------------------------------
B3. Where can I purchase Gandalf products?

"Wherever fine products are sold" :)

Best to contact a Gandalf sales office to find your nearest authorized
vendor. You can find these listed on the Gandalf web page, or try the Nepean,
Ontario number, (613) 723-6500. Also useful for U.S./Canada based users is
1-800-GANDALF. Customers on the West Coast can try the Foster City office,
(415) 571-6100

-------------------------------------------------------------------------------
B4. What ISDN terminal adapters are compatible with Gandalf hubs?

The compatibility issue is somewhat complicated by the various claims by
manufacturers and testing done in labs with different versions of software.
Here are some general notes:

Gandalf remote device ------> other Hub/remote

    Currently none under Teleworker Bridge software. Theoretically, if both
    sides support PPP, connection should be possible. EdgeRouter (and 5250)
    support PPP/MPP.

Other remote device ------> Gandalf Hub (XpressWay or XpressStack)

    (see matrix further below).

The connectivity issue is somewhat complicated by the still evolving
standards of communication protocols. Many devices on the market now support
PPP, which should be sufficient to establish a single link connection.
(Leaving out issues of PAP/CHAP authentication). Most manufacturers are
working on MPP (multilink PPP, established by RFC 1717), which will enable
two-channel connectivity. In addition, the compatibility of compression
protocols, through the use of CCP, is still not resolved. So even if both
sides use STAC, you still might not get compression working.

(note: If you have experience connecting to other hosts/remotes, please drop
a note with your impressions).

Here are recent (Sept.95) results from testing done under the auspices of the
California ISDN Users Group and PacBell at their San Ramon facility:

"PPP Interoperability Tests: (Gandalf RLAN)"

Vendor Product Rev. BCP IPCP PAP CHAP MPP in/out
------ ------- ---- --- ---- --- ---- --- ------
3com Impact x x x out
3com AccessBuilder 6.0 x x x x x both
Ascend Max 4.5 x x x x both
Cisco 2503 11.0 x x
Combinet Everywhere2000 3.2 x
DigiBoard DataFire/PCIMAC 1.3.2 x x x x x both
Eicon/Diehl DIVA Solo 5.03 x x x both
Flowpoint Flowpoint200 MPX 1.0 x x x x x both
IBM Waverunner 2.2 x x x x both
ISC Securelink 3.11t x x x x x both
ISDN Tek Commuter 123.2099 x x x x both
KNIX ISIS x x both
Motorola Bitsurfer x x x out
NetManage Chameleon 4.5.2 x x x x both
Network Express Interhub 5.1 x x x x x both
Novell MPV 3.1 x x x x both
Rockwell RNS Nethopper 4.1 x x x both
SGI Indy wrkstat. x x x x x both
Telesoft TSLink3 8.4 x x x both
Xyplex Network9000 x x x x x both

The connection is from the perspective of the vendor. For example, the 3com
Impact connected successfully to an RLAN.

-------------------------------------------------------------------------------
B5. Comments & Experiences on vendor compatibilities:

a. Ascend

Under the current version of Ascend's software (4.5B), MPP is not implemented
to RFC 1717 standard. Instead, Ascend has a proprietary protocol, MP+, which
they claim to be superior to the standard. In order to push MP+, they license
the code at no charge. Whether the other vendors will take them up on the
offer remains to be seen. In their favor, Ascend is by far the hub of choice
for large ISPs, so vendors might be tempted to implement MP+ if it's not too
difficult in order to gain remote market share.

However, since MPP is not currently supported, you will be unable to connect
on both B channels. (MPP may now be supported in their product line.)

When negotiating PAP/CHAP, make sure the passwords really match.

I have tested connecting Ascend to Gandalf equipment using PPP. Using an
Ascend Pipeline-50, on software versions 4.4B and 4.5B, a single B channel
was successfully connected.
On the Ascend side, Link Comp needs to be turned "off" (and compression "Off"
on the RLAN Remote RLAN profile for the Ascend device.) Also, the same CHAP
Send/Receive password was used on the Pipeline-50. (A single entry "Remote
Secret" on the RLAN). Note that the "Line Quality" statistics on the DYN STAT
window on the Pipeline-50 will not be displayed, but the connection seemed to
work fine.

Also successful was connecting a Pipeline-400 to an RLAN. (hub-to-hub). The
only issue here was that when the connection was brought down, the RLAN
redialed the Pipeline 400 immediately. This can be solved by making the RLAN
"Answer Only" or by designing a filter.

-------------------------------------------------------------------------------
B6. Some tips on connecting to other vendor equipment:

a. PAP/CHAP password:

This is a sneaky problem that easily becomes a gotcha. The issue is that the
5242i sends its PAP/CHAP in hex, and other vendors, such as Cisco or Ascend
use printable ASCII characters. Hence,

    on the Cisco, CHAP password = "hello"
    but on a 5242i = "48454C4C4F"

This is also an important issue when using PAP/CHAP and EdgeRouter when
communicating between Gandalf devices. The RLAN seems to want the password in
ASCII characters. Running on an XpressStack with RLAN ver 3.2.0, CHAP was
correctly passed to other PPP compliant devices in ASCII format. I have not
tried connecting a 5242i to an RLAN using PPP except in class.

note: In a recent RLAN class, there seemed to be an inconsistency in that one
side wanted the password in ascii, and the other in hex. This was presumably
due to beta software being used.

b. Compression

For starters, it's probably a good idea to turn compression "off" on both
sides unless you're absolutely sure that both devices are using the same
compression. (Most likely STAC). You can always experiment after you've
established that a connection does work.

-------------------------------------------------------------------------------
B7. Does my computer need anything special to connect with Gandalf equipment?

The basic device that you need is a 10BaseT compatible ethernet card. You may
also need an external 10BT transceiver. The ethernet card is required to
support the higher throughput speeds of the bridge/router. There are other
manufacturers that make ISDN modems, which attach to the serial port. The
problem is that the maximum speed on the serial port is 115Kbps, so you
cannot get maximum throughput.

If you are going to attach to a hub, you will need a crossover cable.

You will probably also want a serial cable to enable you to run terminal
emulation software (e.g. Procomm Plus) for configuration.

On the ISDN side, you will need an external NT-1 if you don't have the
built-in NT-1 option.

For a central site hub, you basically need to connect the hub to the
ethernet. For the XpressStack, you will need an external NT-1 for each BRI.
(Also if you have BRI modules installed in an XpressWay).

-------------------------------------------------------------------------------
C1. What software is used in the products?

There are three basic software configurations used in the Gandalf ISDN
products:

    RLAN:        For the central site hubs, such as XpressWay and XpressStack
    Teleworker:  Bridging software used by 5242i
    EdgeRouter:  Newer Bridging/routing software used by 5242i

(In addition, 5240 has bridging software, and the 5250 will have routing
software).

-------------------------------------------------------------------------------
C2. What are the differences between TeleworkerBridge and EdgeRouter software?

Teleworker software is the older version of Gandalf's 5242i software. It is
still available and supported, but the future of Gandalf's 5242i product is
the newer EdgeRouter software. If you plan on connecting with non-Gandalf
devices, you will need to use EdgeRouter.

                        Teleworker       EdgeRouter
                        -----------      ----------
    Protocol            Gandalf only     PPP/MPP
    Authentication      XID              PAP/CHAP
    Bridge/Route        Bridge only      Bridging/Routing
    Configurable dest.  10               1
    Menu                Built-in         Windows software
    Compression         FZA (Gandalf)    FZA and STAC

-------------------------------------------------------------------------------
C3. How do I run the software?

For the RLAN and Teleworker software, you will need some type of terminal
emulation software, e.g. Procomm Plus or Windows Terminal. You will also need
a serial cable, as you communicate via the serial port. Set your terminal
type for VT-100, and then set the speeds at 9600 (RLAN) or 19200
(Teleworker). If you are using Windows Terminal, make sure you turn the
option "Use Function,Cntl,Atl keys for Windows" off.

Unfortunately, if you are going back and forth between an RLAN and a
Teleworker, you will need to keep on changing the speed, since for some
strange reason they don't support both speeds. Gandalf has promised to fix
this in a later release. In the meantime, simply change the speed and then
hit "cntl-w" to refresh the screen.

If using telnet, make sure that your "enter" key is set to "CR" rather than
"CR/LF".

For the EdgeRouter, you really need the Windows Console software. In order to
save memory, the internal menus were removed. A command line interface is
available, but the Windows software is much more useful. The router/bridge
will need to have a valid IP address, as the software actually uses SNMP
calls for configuration.

Since you will need to set up the IP address before you can use the "Brouter"
software, you still need to use a serial connection. Gandalf will provide an
"Xsetup" utility for a quick configuration (SPIDs, IP etc.), which is then
saved and uploaded to the device. You would then use the "Brouter" software
(aka 5242.exe) for more detailed configuration. (This software is not in
general release, but was used in class and should be available soon.)
Barring the availability of the pre-configuration software, you would have to
use the command-line interface in order to setup the unit.

-------------------------------------------------------------------------------
C4. How can I upgrade system code or configurations remotely?
    a. How do I save/restore configurations over the network?

You can't with the 5242i. With the RLAN, the basic method is to use TFTP.

-------------------------------------------------------------------------------
C5. What can I do if my new software upload gets screwed up?

Well usually, you can just try again.

-------------------------------------------------------------------------------
C6. Some info on software release x.x

"Teleworker Bridge"

This software is in "mature" release, and will not see further changes,
except to fix bugs. I believe the last release was 1.04, dated August 95.

"Edge Router"

The latest version of EdgeRouter is 2.0.0. This is semi-beta. A REV A00 was
shipping with units, but many of the diskettes turned out to be bad.

Version 2.1.0 was slated for release end December 95. This version will
include the utility XSETUP for the initial quick configuration. Other changes
include support of up to 75 local LAN nodes, and 10 known IP destinations.
SPX spoofing is implemented.

"RLAN/RAC"

The latest version of RLAN software to hit the street is 3.2.0.

-------------------------------------------------------------------------------
D1. Can I use a digital (ISDN) phone and a 5242i on the same BRI?

Yes, but you need to have an external NT-1 that allows this feature. A much
easier (and cheaper) approach is to use a standard analog phone with the
built-in NT-1 on the Gandalf device.

-------------------------------------------------------------------------------
D2. Can I use an analog (POTS) phone on a 5242i?

Yes. The POTS interface fully supports any analog device, e.g. modem, fax,
telephone.
You can configure the POTS interface to drop a data B-channel session for an
incoming or outgoing call.

Note: This feature is Telco phone switch dependent. It would appear that your
switch needs to be capable of supporting National ISDN-1 for it to work, at
least on the AT&T 5ESS. The phone appears to ring OK regardless of the switch
if the 2nd B channel is NOT in use.

PacBell territory:

Actually, this is a source of un-ending confusion. The latest that I have
heard is that PacBell will NOT offer NI-1 on AT&T 5ESS switches, and have
configured them all for Custom. I have seen statements that the Northern
Telecom DMS DOES work. (Although in a Gandalf class here in San Francisco,
our NTL switch did not ring the 5242.) Since areas serviced by GTE do offer
NI-1 on AT&T equipment, and certainly other competitors will, most likely
PacBell will eventually relent.

Southwestern Bell:

You also may need additional service from the phone company. It's been
reported that you may receive busy signals on incoming calls when two B
channels are being used for data. Apparently in Southwestern Bell territory,
on the AT&T 5ESS (NI-1) switch, you need the additional "CSV ACO" (circuit
switched voice/additional call offering) option, an additional $3.50/month in
order for it to work.

-------------------------------------------------------------------------------
D3. How do I hook up modems to my hub?

The XpressWay hub offers an Asynchronous Terminal Server card as an option.
This would allow you to hook up external modems to these ports, giving you
dial-modem access for your users. The user profiles would be configured in a
similar manner, but outgoing calls would of course need to be routed to an
asynch port.

-------------------------------------------------------------------------------
D4. How can I configure my 5242 via the phone?

This info is included in the EdgeRouter manuals, but not the Teleworker.
Gandalf offers a nice cheat sheet on how to configure your Teleworker using
the phone. The part number is 8994G-A1.

For those of you who just can't wait, here are the basics:

You plug in the phone and all the cables. You then need to fill in the
numbers based on your switch. Note that you start each sequence by hitting
the star key twice (**) and finish with the pound (#) key:

                  AT&T PTP   AT&T MP   NTL       Nat ISDN    EuroISDN
                  --------   -------   -----     --------    --------
    Switch Type   **11#      **12#     **13#     **14#       NA
    SPID 1        NA         **2...#   **2...#   **2.....#   NA
    SPID 2        NA         **3...#   **3...#   **3.....#   NA
    Dir Num 1     NA         **4...#   **4...#   **4.....#   **4...#
    Dir Num 2     NA         **5...#   **5...#   **5.....#   **5...#
    Speed Dial    **6...#    **6...#   **6...#   **6.....#   **6...#
    IP address    **7...#    **7...#   **7...#   **7.....#   NA

Store Configuration with a **9# sequence.

At this point, you should be able to make a call with Speed Dial.

notes: Directory number entries are optional on Euro-ISDN.
       Use a # for decimal points in an IP address,
       e.g. 130.19.99.1 becomes **7130#19#99#1#

-------------------------------------------------------------------------------
E1. Should I route or bridge IP?

Ahh, the $64,000 question! ($87,680 in Canada)

The wimpy response is "it really depends on your application". The real
answer is that if you have a routable protocol, then you should route :)
Well, actually, this is a fun topic for a flame fest!

Keep in mind that if you are planning to connect to the internet via an ISP,
you will probably be forced to implement IP routing.

In some cases, you can have your cake and eat it too. You can set up your
EdgeRouter to route IP, and bridge all other protocols.

-------------------------------------------------------------------------------
E2. Filtering overview

Teleworker software does not allow generic level (i.e. length/offset etc.)
based filters. You can filter by protocol ID, but not specific ports or IP
protocols. For example, you can filter out TCP/IP entirely, but not just UDP
or TCP.
EdgeRouter is a little better. In the current release, you can filter by IP
protocol type (ICMP, TCP, UDP) and then down to the well-known port. Full
level generic packet breakdown will be available in a later release.

-------------------------------------------------------------------------------
E3. Novell "spoofing"

RLAN can optionally implement Novell IPX "spoofing" to essentially trick the
network into keeping the line down when in fact the line needs to be up in
order to receive packets with the server.

In the Novell IPX protocol, "keep alive" packets are sent out from the server
to all workstations logged into the network. If the workstation does not
respond to these packets, the server assumes the workstation is no longer
active on the net.

However, in a Novell scenario, it is very reasonable to assume that the
workstation may still want to be attached to the net, even though there is
currently no activity (causing the line to drop.) In this case, the RLAN will
intercept the "keep alive" packets and respond to the server. If there are
data packets coming to/from the workstation, then the line is brought up
again.

A similar function is also performed for SAP broadcasts. (The duration of the
"spoofing" function is user configurable).

Gandalf also plans to implement SPX keep-alive spoofing in a later release.

-------------------------------------------------------------------------------
E4. I want to assign IP addresses to my workstation dynamically. ... How?

Currently, dynamic IP addressing (assignment from a pool) is not supported
directly from within the RLAN. However, it is likely that DHCP will be
supported.

-------------------------------------------------------------------------------
E5. Can I use a Gandalf router/bridge to hook up to the Internet?

If you have Teleworker, only if your ISP has a Gandalf hub.

If you have EdgeRouter, then as long as the ISP's hub supports PPP, you
should be able to connect.
However, keep in mind that almost all ISPs require IP routing.

-------------------------------------------------------------------------------
E6. How does Gandalf support Frame Relay?

This is currently not supported in the base configuration of the hub. With
the XpressWay, you can plug in a card, such as the AR7220. Apparently the
5250 will also support frame relay.

The RLAN can of course be attached via ethernet to a frame relay device.

-------------------------------------------------------------------------------
F1. My connection won't come up! Help!

If you are using the Teleworker software, bear in mind that the settings on
the RLAN and the 5242 must be in sync. For example, options such as
Compression and spoofing must be set the same or you will immediately be
dropped (and possibly blacklisted).

If your line seems to come up momentarily and then drop, there is probably a
mismatch in configuration. You can get a hint by looking at the Log File.
After checking to see that the settings are the same, make sure that you also
check the Blacklist table, to make sure that the RLAN has not placed the
calling number into a no-access state.

(Teleworker) Another thing to check is whether you have configured any Remote
ID/Serial Number entries in your DIR section. For example, if you have
configured at least one remote device, then you must configure ALL the
devices you want to connect to. Typically, in this scenario, you will see the
5242i dial, and the DATA light turn green. The Line1 "State" setting = B1.
However, although you get an outgoing call at 56K, the "Link" setting never
goes to the UP state. To remedy this, you must either delete all the existing
ID entries, or enter in the XID of the remote RLAN.

-------------------------------------------------------------------------------
F2. My connection won't stay down! Help!

This is one of the biggest issues with ISDN use, especially in bridge mode.
There are several things to consider when approaching this problem:

If your connection is "coming up by itself", then the culprit is almost
always that the ethernet card has in fact sent a packet to the device with a
destination address off the local lan. If your 5242 is configured to dial on
any outgoing packet, the line will come up.

One possibility is to delete the destination on the Line1/Options so that
there is no entry to connect to "on Any Traffic".

Here are some other things to look at:

a) Reboot your PC (removing the OS drivers, e.g. Banyan VINES)

   Simply pressing the speed-dial button will not work. Although the line
   will drop momentarily, the next packet off an active ethernet card will
   bring the line back up. After the PC is initialized without the ethernet
   drivers, the card will no longer send out packets, and a button press will
   drop the line permanently. Of course, this might not work at all if your
   5242 is supporting a small network off a hub or thinnet.

b) If running a Novell lan, make sure that Novell IPX spoofing is enabled and
   correctly configured. (see the manual for details)

c) Examine your timeout parameters. If your line is staying up with no
   traffic, you might have your timeout set too long.

d) Some unnecessary broadcast (or multicast) packets may be sent out off the
   local lan. You may be able to filter this protocol and prevent packets
   from leaving the local net. NetBEUI is often a culprit if you have Windows
   NT servers. (?)

e) If possible, go to routing.

-------------------------------------------------------------------------------
F3. How does Gandalf measure current line utilization?

Overflow calls are only initialized by the remote side (i.e. 5242i). This
makes sense, since it is usually the remote (i.e. 5242) that is paying for
the call. (The RLAN can be configured to bring up an initial call to the
remote.)

-------------------------------------------------------------------------------
F4. I'm seeing terrible performance in my Novell IPX (or other) file
    transfers. Why?

One of the first things to look at is the transmit statistics. Pull up the
statistics screen (cntl-V in Teleworker or RLAN) and examine the utilization
and compression rates. Also check to see if the second B channel is coming up
properly. In some cases, you may need to adjust the threshold for the 2nd B
channel.

A typical problem is that the threshold may be set to drop too quickly. For
example, assume that your rate reaches 60% on a single channel and brings up
the 2nd channel. If the host server or network is slow, your 5242 may
determine that since no packets have been coming, it's OK to drop the 2nd
channel after a short period of time. Then the whole process has to begin
again. You could perhaps avoid the up-down-up-down scenario by adjusting the
drop time up.

Low compression rates might indicate that the data is already compressed, so
your expected gain of 128K plus compression will not happen. In fact, highly
compressed data will probably give you lower net throughput.

Transmit stats will also give CRC errors, which could be an indication of
line or telco problems.

With Novell IPX, standard size packets are only 576 bytes. If you are running
a Netware network, you might want to look at not installing NETX.EXE on the
client, and instead using VLM.EXE, which supports larger packet sizes and
packet streaming.

-------------------------------------------------------------------------------
F5. How does Gandalf implement compression?

Gandalf uses a proprietary algorithm to negotiate compression between Gandalf
devices. This algorithm (developed by Dave Carr, now with Newbridge
Networks), has the highest compression rates currently used on ISDN devices.
Although marketing types claim 8:1 compression, real data tests show much
lower rates. (Stac is often claimed to 4:1, but "your mileage may vary"). It
really depends on your data.
One good rule of thumb is to run PKZIP against your data set. The Gandalf FZA
algorithm will deliver roughly equivalent results.

Highly "pre-compressed" data, such as .ZIP or .GIF files will in fact lead to
reduction in net-throughput. FZA is smart enough to recognize quickly that a
file cannot be further compressed, but some CPU time is consumed in the
testing process.

Generally speaking, it appears that the Gandalf algorithm does deliver better
performance than the more commonly implemented STAC-LZS algorithm. However,
Gandalf finally realized that if they wanted to stay in the market, they
would need to support what everybody else was doing. In the recent release of
EdgeRouter software, Gandalf has also announced support of the STAC
algorithm. This will be implemented at the software level. (But the devices
are smart enough to use FZA if Gandalf is at both ends.)

Note that compression compatibility is not a completely done deal as of yet.
Eventually, everyone will need to support a standard compression protocol,
most likely CCP. The final status of CCP is currently in limbo due to some
controversy over Motorola patents.

-------------------------------------------------------------------------------
F6. Why do I see lots of CRC errors? Why is my line so slow?

This problem is often related to line quality errors. Dan Newman cites the
following as an example:

"Make sure that the phone company uses gas or solid state lightning arrestors
and not carbon arrestors on your circuit. This is a problem which I see all
too often: installers use a carbon arrestor either by accident, because it's
all they had at hand, or because that's what was already on the pair assigned
to the circuit. Carbon arrestors introduce too much noise and should not be
used on data circuits of any kind.

On one ISDN line I had with carbon arrestors installed at both the CO and
POP, I saw anywhere from 5 to 80 CRC errors per B channel per minute. Sync
was frequently lost.
Once the carbon arrestors were replaced with gas arrestors, the error rate
went down to 2 - 4 CRC errors per B channel per day.

As the CRC error rate increases, the performance of any protocol will begin
to decline. This is particularly a problem with protocols that do not handle
packet loss well. For instance, at error rates of 15+ CRC errors per minute
(per B channel), I saw a significant loss of performance with AppleTalk."

-------------------------------------------------------------------------------

F7. Why can't I connect at 64K?

In order to connect at full 64K per B channel, your telco switch must support
clear channel signaling. Many switches only support 56K, as the local telco
grabs 8K for signalling control. Generally speaking, telcos are upgrading
their switches. In PacBell territory, most of Northern California/Bay Area was
converted to full 64K in 1995. Southern California was also slated for
upgrade.

Another thing to check is to make sure that you use full 11 digit call
numbers, EVEN if your call is local. That is "1+AreaCode+Number". For example,
if you have an entry of 987-6543 in your directory, you will connect at 56K.
In order to get full 64K, you would need something like 1-210-987-6543.

-------------------------------------------------------------------------------

G1. Does Gandalf support third-party security extensions like SecurID?

SecurID is fully supported. Check the Gandalf notes for implementation tips.

-------------------------------------------------------------------------------

G2. How can I set up my Gandalf router as an Internet firewall?

The 5242i may be too slow, if you're talking about becoming an ISP! :)

It might be workable as the front end for a small site. This implies that you
only have a couple of devices connected to the 5242, and you are mainly
worried by having an "open door" to your network.

The general strategy would be to set up a simple packet level firewall based
on IP.
(You would want to use EdgeRouter software and use IP routing). Essentially,
this would entail:

  - Allow anything outgoing
  - Allow ARP/ICMP/PING packets
  - Allow TCP/UDP packets to ports > 1023
  - Allow HTTP, SMTP, NNTP, DNS, and a couple of others
  - Block everything else inbound from the net.

The actual IP Restriction Table might look something like this.
(example only; not operational!)

  Name   Access    Source   Dest   Protocol   Port
  ----   ------    ------   ----   --------   ----
  SMTP   Forward   0/0      0/0    6          25
  HTTP   Forward   0/0      0/0    6          80
  NNTP   Forward   0/0      0/0    6          119
  DNS1   Forward   0/0      0/0    6          53
  DNS2   Forward   0/0      0/0    17         53
  ICMP   Forward   0/0      0/0    1
  TCP    Forward   0/0      0/0    6          1023 to 65535
  UDP    Forward   0/0      0/0    17         1023 to 65535
  All    Filter    0/0      0/0

(more details to follow)

-------------------------------------------------------------------------------

G3. How can I protect against IP spoofing attacks?

(This refers to an outside "intruder" gaining access to your net by pretending
to be a legitimate IP address on your local net. A hot topic in internet
security a few months back.)

This is one of the purposes of a firewall.

-------------------------------------------------------------------------------

G4. Does the Gandalf support Caller-ID/ANI authentication?

Yes. Note that in certain cases, the Caller-ID may impact your performance
even if not being used. For example, currently in California, Caller-ID is not
available to customers. However, the underlying technology IS functioning. The
RLAN will use the calling number information for blacklisting purposes. (The
name may not be passed along, but the number is recorded by the RLAN).

-------------------------------------------------------------------------------

G5. How can I prevent incoming telnet console connections to my unit?

First, you want to set a password on your unit. Next, if you are running
EdgeRouter software, you could set up a filter to block incoming telnet
sessions (Well known IP port 23).
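
To check what the sample table in G2 does with inbound traffic, including the
telnet case from G5, the rows can be run against a few constructed packets.
This is an added example, not Gandalf configuration syntax or code from the
original FAQ. It assumes rules are read top to bottom with the first match
winning and that "Port" means destination port; the page states neither.

```python
from typing import NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    name: str
    access: str                        # "Forward" or "Filter"
    proto: Optional[int]               # IP protocol number, None = any
    ports: Optional[Tuple[int, int]]   # inclusive port range, None = any

# Rows transcribed from the sample IP Restriction Table in G2. Source and
# Dest are 0/0 (any) in every row, so they are left out here.
TABLE = [
    Rule("SMTP", "Forward", 6, (25, 25)),
    Rule("HTTP", "Forward", 6, (80, 80)),
    Rule("NNTP", "Forward", 6, (119, 119)),
    Rule("DNS1", "Forward", 6, (53, 53)),
    Rule("DNS2", "Forward", 17, (53, 53)),
    Rule("ICMP", "Forward", 1, None),
    Rule("TCP", "Forward", 6, (1023, 65535)),
    Rule("UDP", "Forward", 17, (1023, 65535)),
    Rule("All", "Filter", None, None),
]

def decide(proto, dport=None, table=TABLE):
    """Return (access, rule name) for one inbound packet."""
    # ASSUMPTION: first matching rule wins; anything unmatched is filtered.
    for rule in table:
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.ports is not None:
            low, high = rule.ports
            if dport is None or not low <= dport <= high:
                continue
        return rule.access, rule.name
    return "Filter", "(no match)"

# Constructed inbound packets: (label, IP protocol, destination port).
SAMPLES = [("telnet console", 6, 23), ("SMTP", 6, 25), ("DNS query", 17, 53),
           ("X11 display", 6, 6000), ("NFS", 17, 2049), ("ICMP echo", 1, None)]

def audit(samples=SAMPLES):
    """Map each sample label to the table's decision for it."""
    return {label: decide(proto, dport) for label, proto, dport in samples}

if __name__ == "__main__":
    for label, (access, rule) in audit().items():
        print(f"{label:15} -> {access:7} (rule {rule})")
```

Inbound telnet falls through to the final "All" rule and is filtered, but the
two high-port rules forward unsolicited traffic to anything listening on port
1023 or above, so those services still need their own protection on the hosts
behind the filter.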
-------------------------------------------------------------------------------

H1. How can I log and account for calls?

RLAN keeps track of its call statistics in flash memory. This is then
(optionally) sent to an external device via ftp. All you need to do is give
the IP address, host directory and file name of the ftp server. The file will
be sent periodically and appended to the existing file.

-------------------------------------------------------------------------------

H2. How can I debug a problem? What are all the debug commands?

Ha! Gandalf Tech Support will be losing some sleep over this!

There is limited information available in the RLAN through the System Info
menu. (As info becomes available, this section will be expanded).

-------------------------------------------------------------------------------

H3. How can I manage multiple hubs (i.e. RLANs)?

There is no simple way to do this right now. So if you have several thousand
users dialing in to several XpressWays, you are stuck with configuring them on
all the boxes. Of course, you are limited to 510 user configurations per RLAN.
Bummer, eh?

One way to get around this is to implement a centralized authentication server
along the lines of TACACS or RADIUS. Gandalf plans to support RADIUS in a
future release of RLAN/EdgeRouter. (see next question)

-------------------------------------------------------------------------------

H4. What's RADIUS? How can I use it? When will Gandalf support it?

RADIUS stands for "Remote Authentication Dial In User Service", and is a UNIX
based authentication server developed by Livingston. Essentially, all user
configurations are handled by the Radius server, and all RLANs connected to
the network authenticate and receive the user profiles from the server. This
theoretically allows you to configure all users once and then simply point all
the RLANs to the Radius.

Gandalf has announced plans to fully support Radius in a later release of the
RLAN and EdgeRouter software.
(My guess is that Teleworker will not be supported). In addition, there are
also plans to develop a Windows database server management system that will
perform the same function as Radius. The latest news I heard on this topic was
that there were some problems with the database server backend product.

-------------------------------------------------------------------------------

H6. SNMP MIB

Gandalf has opted for a relatively complete implementation of SNMP for their
products. They support MIB-II and also have a product-specific MIB. In fact, a
MIB is available for each product. (Contact your Gandalf rep.)

As for MIB-II, which through RFC 1213 identifies 10 groups to be optionally
supported, Gandalf supports 8:

  1. The System Group
  2. The Interface Group (local LAN port only)
  3. Address Translation Group
  4. IP Group
  5. ICMP Group
  6. TCP Group
  7. UDP Group
  8. SNMP Group

The missing groups are EGP, Transmission and CMOT (historical; no longer
used).

Probably of more interest is the vendor specific implementation of the Xpress
MIB groups supported by the Xpress SNMP agent. The following summary is based
on the RAC300 version of the MIB. (for RLAN 3.00)

   1. System Box level info: diagnostics, eeprom rev, etc.
   2. Card Info on I/O cards
   3. D Channel Attributes to monitor and configure D channels
   4. Channel Attributes to monitor and configure data channels
   5. WAN Stats Stats associated with WAN links
   6. WAN Sum Summary WAN stats since last system reset
   7. Remote LAN Config Remote LAN
   8. Local LAN Config parameters for the local LAN port
   9. Local LAN filter Filtering stats for the LAN port
  10. Filter Config Parameters of filter, e.g. Aging Time of MAC
  11. MAC Filter MAC address tables. Based on RFC 1286.
  12. TCP/IP TCP/IP settings, subnet mask, gateways, telnet, ftp
  13. Blacklist Table 64 entries deep. CLIDs blacklisted by system.
  14. Protocol Trigger mechanism for outgoing calls based on IP address
  15. PRI port Configuration and statistics on PRI ports
  16. IPX Configure Watchdog spoofing/timer. SAP learning.
  17. SAP IPX SAP table entries and info in SAP frames
  18. RIP Info from IPX RIP frames on local LAN (read-only)
  19. SNMP Config Communities, trap communities, trap profiles, mib views
  20. Audit Configurable info on maintenance and trigger of audit records
  21. Flash Lists files stored in Flash Memory and additional info.

-------------------------------------------------------------------------------

M1: ISDN Cause codes [Q931]

This info is also available in the manual.

  Code  Cause
     0  Valid cause code not yet received
     1  Unallocated (unassigned) number
     2  No route to specified transit network (WAN)
     3  No route to destination
     4  Send special information tone/Channel unacceptable
     5  Misdialled trunk prefix
     6  Channel unacceptable
     7  Call awarded and being delivered in an established channel
     8  Prefix 0 dialed but not allowed
     9  Prefix 1 dialed but not allowed
    10  Prefix 1 dialed but not required
    11  More digits received than allowed, call is proceeding
    16  Normal call clearing
    17  User busy
    18  No user responding
    19  No answer from user
    21  Call rejected
    22  Number changed
    23  Reverse charging rejected
    24  Call suspended
    25  Call resumed
    26  Non-selected user clearing
    27  Destination out of order
    28  Invalid number format (incomplete number)
    29  Facility rejected
    30  Response to STATUS ENQUIRY
    31  Normal, unspecified
    33  Circuit out of order
    34  No circuit/channel available
    35  Destination unattainable
    36  Out of order
    37  Degraded service
    38  Network (WAN) out of order
    39  Transit delay range cannot be achieved
    40  Throughput range cannot be achieved
    41  Temporary failure
    42  Switching equipment congestion
    43  Access information discarded
    44  Requested circuit channel not available
    45  Pre-empted
    46  Precedence call blocked
    47  Resource unavailable - unspecified
    49  Quality of service unavailable
    50  Requested facility not subscribed
    51  Reverse charging not allowed
    52  Outgoing calls barred
    53  Outgoing calls barred within CUG
    54  Incoming calls barred
    55  Incoming calls barred within CUG
    56  Call waiting not subscribed
    57  Bearer capability not authorized
    58  Bearer capability not presently available
    63  Service or option not available, unspecified
    65  Bearer service not implemented
    66  Channel type not implemented
    67  Transit network selection not implemented
    68  Message not implemented
    69  Requested facility not implemented
    70  Only restricted digital information bearer capability is available
    79  Service or option not implemented, unspecified
    81  Invalid call reference value
    82  Identified channel does not exist
    83  A suspended call exists, but this call identity does not
    84  Call identity in use
    85  No call suspended
    86  Call having the requested call identity has been cleared
    87  Called user not member of CUG
    88  Incompatible destination
    89  Non-existent abbreviated address entry
    90  Destination address missing, and direct call not subscribed
    91  Invalid transit network selection (national use)
    92  Invalid facility parameter
    93  Mandatory information element is missing
    95  Invalid message, unspecified
    96  Mandatory information element is missing
    97  Message type non-existent or not implemented
    98  Message not compatible with call state or message type
        non-existent or not implemented
    99  Information element nonexistent or not implemented
   100  Invalid information element contents
   101  Message not compatible with call state
   102  Recovery on timer expiry
   103  Parameter non-existent or not implemented - passed on
   111  Protocol error, unspecified
   127  Internetworking, unspecified

------------------ End of Gandalf-FAQ