ASCEND FREQUENTLY ASKED QUESTIONS LIST

content last modified 31 August 1995

Update: 25 June, 1997

The FAQ has not been revised for an excessively long time, and sadly
should be considered an obsolete resource. Those parties interested in
taking on the maintenance of a user-contributed Ascend FAQ should feel
free to adopt any useful information in these documents; I place my
text on the subject into the public domain (although other contributors
still retain copyright on their words). All html files are also
available via FTP, in ftp://ftp.shore.net/members/dreaming/html/.

I sincerely apologize for the abandonment of this project over the past
couple of years; it was helpful and educational for me (and hopefully
others).

- Derek Lichter
  Sydney, Australia
  25 June 1997

------------------------------

Subject: 0. Acknowledgements

This list was compiled by Derek Lichter, with the invaluable
contributions of:

    Bob Atkins
    Mel Beckman
    Jan Bottorff
    Bob Cameron
    Chris Chaundy
    Robin Cutshaw
    Brian Del Vecchio
    Andrew W. Donoho
    John Dwyer
    Tom Easterday
    Andrew J. Ernstein
    John Galloway
    Peter Gladding
    Greg Grose
    Fred R. Goldstein
    Brad Hall
    Joe Huber
    Steve Jasik
    Simon Kenyon
    John Kuran
    Steve Lemke
    Mark Lentczner
    Derek Lichter
    Rob Logan
    Dave Miller
    Daniel C. Newman
    Raymond Overdijk
    Victoria Risk
    Curtis N. Sanford
    Christopher Seiwald
    Vernon Schryver
    Jeff Smith
    Dave Steele
    Zbigniew J. Tyrlik
    Jacques Vidrine
    Loren Wilson
    Mark H. Zellers

and especially Marco S Hyman for setting up the Ascend User's mailing
list (and for his tireless engineering efforts).

------------------------------

Table of Contents:

1.  Introduction -- What's Ascend, anyway?
    1a. Okay, what's ISDN?
2.  The Ascend User's Mailing List
    2a. Mailing List Archive
3.  What ISDN equipment does Ascend make?
    3a. Pipeline 50
    3b. Pipeline 50 HX
    3c. MAX
    3d. MAX 4000 [MAX HP]
    3e. Pipeline 400
    3g. Pipeline 25
4.  Where can I purchase an Ascend ?
5.  How should a BRI be provisioned for a Pipeline 50?
    5a. What about AT&T Multipoint, and the AT&T "type sets"
        (A/B/C/D/E)?
    5b. Should my BRI channels be provisioned as CSV, CSD, or PSD?
6.  What ISDN terminal adapters are compatible with Ascend's?
    6a. Cisco 2500 series with BRI
    6b. Digiboard Datafire / PC-IMAC
    6c. Combinet
    6d. Gandalf
    6e. 3Com Impact / AccessWorks
    6f. Sun on-board BRI with PPP (SunLink, Morningstar)
    6g. IBM WaveRunner
    6h. ISDN*Tek PC-card
    6i. ISC Securelink II PC-card
    6j. Motorola BitSURFR
    6k. Telebit NetBlazer
    6l. Notes on Windows NT
7.  Does my computer need anything special to connect with Ascend
    equipment?
8.  Can I use a digital (ISDN) phone and a Pipeline 50/50HX on the
    same BRI?
9.  Can I use an analog (POTS) phone and a Pipeline 50/50HX on the
    same BRI?
10. Should I route or bridge IP between two Pipeline 50s?
11. How does Ascend measure current line utilization?
12. Filtering overview
13. My connection won't stay down! Help!
    13a. Novell "spoofing".
14. Does Ascend support third-party security extensions like SecurID?
15. How can I set up my Ascend router as an Internet firewall?
16. How can I protect against IP spoofing attacks?
17. I'm seeing terrible performance in my Novell IPX file transfers.
    Why?
18. I'm seeing really odd routing table entries. Why?
19. I want to assign IP addresses to my workstation dynamically. ...
    How?
20. How can I prevent incoming telnet console connections to my unit?
21. How can I log and account for calls?
22. Does the Ascend support Caller-ID/ANI authentication?
23. How can I debug a problem? What are all the debug commands?
24. What's RADIUS? How can I use it?
25. How can I make an outbound call with a RADIUS profile?
26. How can analog dial-in users modify their own RADIUS passwords?
27. I sometimes get "LAN security error" violations. ... Why?
28. Why do I see lots of CRC errors? Why is my line so slow?
29. Can I use an Ascend router/bridge to hook up to the Internet?
30. How does Ascend support Frame Relay?
31. What's a digital modem board, and how does it work?
32. SNMP
33. How can I upgrade system code or configurations remotely?
    33a. How do I save/restore configurations over the network?
34. What can I do if my new software upload gets screwed up?
35. Some info on software release 4.4B

Reference Material:

  * Cause codes [Q931]
  * Helpful information for building filters (protocol reference)
  * Mel Beckman's Pipeline 50 syslog massager

This document is copyright 1995 by Derek D. Lichter. Individual
contributors retain copyright over their work. I have attempted to
contact other authors whose writing is quoted herein, to obtain
permission for using excerpts of their work (if I have missed
contacting you and you wish to give (or withdraw) your permission,
please contact me at ).

This document is neither affiliated with nor supported by Ascend
Communications, Inc.

------------------------------

Subject: 1. Introduction -- What's Ascend, anyway?

Ascend is a networking equipment manufacturer, located in Alameda,
California, USA. Their products are type-approved in many countries
[I will add a list of which countries approve which products].

The company produces a popular line of inexpensive IP
routers/multi-protocol bridges which connect over ISDN (switched-56
and frame relay are also supported). In addition, Ascend produces more
powerful "hub" units which can process many calls at once.

1a. Okay, what's ISDN?

ISDN stands for Integrated Services Digital Network; essentially
digital telephony provided over standard copper wire by your local
telco. For more information on ISDN, great references are Dan Kegel's
ISDN Page: and the ISDN FAQ:

------------------------------

Subject: 2. The Ascend User's Mailing List

To subscribe to the main list send a message with the word "subscribe"
in the body of the message, not the subject, to:

    ascend-users-request@dumbcat.sf.ca.us

To subscribe to the digest version of the list send a message with the
word "subscribe" in the body of the message, not the subject, to:

    ascend-users-digest-request@dumbcat.sf.ca.us

The submission address to send entries to the list is:

    ascend-users@dumbcat.sf.ca.us

The list is maintained by Marc Hyman who happens to be an employee of
Ascend. The list is his own invention, managed on his own time, on his
own machine, etc. However, the machine dumbcat.sf.ca.us is connected
to the Internet through Ascend's T1 link via a Frame-Relay connection
between a Max-HP in the Ascend engineering lab and a Pipeline 400/S56
in a spare bedroom in Marc's house.

2a. Mailing List Archive

An online, hypertext archive of the list is maintained by Chris
Johnson. This is a fantastic service. He also collects other bits and
pieces of useful information there. The URL is:

    http://www.visi.com/~chris/ascend/index.html

------------------------------

Subject: 3. What ISDN equipment does Ascend make?

Detailed information on most Ascend products can be found on the
Ascend web page:

[removed references to specific resellers in this section. -ddl]

3a. Pipeline 50

The Pipeline 50 is a small (8.5" x 6.25" x 1") IP router and
multiprotocol bridge. It sports a basic rate interface (BRI) and an
ethernet interface (switchable 10baseT and AUI ports). Bearer channels
on the BRI may be aggregated for greater total bandwidth. LAN features
include packet filtering, RIP and static IP routing, header and data
compression. The BRI code supports most PTT switch types across the
United States, Europe, and the Pacific Rim. The P-50 has a Motorola
MC68360 CPU.

Ascend sells the P-50 both with and without an internal NT1 (ISDN
telephone network termination device).
Typically, "U" interface units with an NT1 (model P50-1UBRI) sell for
around $1300, and S/T models without an NT1 (model P50-1SBRI) for
around $1200. Corporations and educational institutions also receive
significant discounts.

There are two revisions of Pipeline 50 floating around. The newer
model (dubbed "rev B") differs from the older model (dubbed "rev A")
in the following ways:

  * It has a toggle switch on the back that doesn't do anything yet
    ("reserved for future use" ("this page intentionally left
    blank"));

  * Upon powerup, it loads code from flash memory into DRAM and runs
    directly from main memory, instead of running from flash;

  * As a result of the above, revB model P-50s can have new software
    loaded into flash memory remotely via TFTP (as can the MAX-HP);
    the revA P-50 cannot.

There is no upgrade available from revA to revB models.

3b. Pipeline 50 HX

The P-50 HX is identical to the [revB] P-50, except that it's
software-limited to allow only one ethernet device to communicate with
the wide area network at any time (through filtering of the ethernet
hardware address); thus, it's intended for the individual user. Note
that it will talk only to the FIRST device it hears from on the local
ethernet, which can cause needless anguish if you have multiple hosts
around. It can be upgraded to the full P-50 for a few hundred dollars.
Typical prices are around $1000 with the built-in NT1, and $900
without it.

3c. MAX

The MAX is a multi-slot "central-office" router/bridge. It comes with
two T1/PRI (E1/PRI in Europe) ports with integrated CSUs, two serial
DTE ports, and two DB-9 control ports on the backplane, and six free
slots for optional cards. It's based on an Intel i960 RISC CPU clocked
at 16MHz.

Available cards include T1 boards with or without integrated CSUs,
E1/G.703 boards, eight-port BRI cards, sync serial (v.35 or RS-449)
cards, Ethernet cards, and eight-port digital modem (v.32 or v.34)
boards.
The base MAX unit costs around $13,000, but optional cards can raise
that a lot (for most people, an ethernet board isn't optional).

3d. MAX 4000 [MAX HP]

The MAX 4000 (also known as the MAX HP) is a faster MAX (clocked at
25MHz), with four T1/PRI (E1/G.703) ports included instead of two, an
on-board ethernet interface, one 8Mbit/sec v.35 sync serial port, only
one control port, and an internal STAC 9760 compression daughterboard
(taking compression processing load off the CPU). All cards available
for the MAX work in the MAX 4000/HP (except that one cannot add
another ethernet board to a MAX 4000).

The MAX 4000/HP also differs from the original MAX in that it has more
DRAM (10MB) and loads and runs its software from it, rather than from
flash memory (as the original MAX does). This also means that the MAX
4000/HP can load software into flash via TFTP (using the debug monitor
command "tloadcode"), something the original MAX cannot do.

The base MAX 4000 prices out around $16,000-$17,000.

(Thanks to Victoria Risk for the updated info!)

3e. Pipeline 400

The P-400 is a multiport router/bridge that has most of the features
of the Ascend MAX, but smaller WAN capacity and upgradability. It can
handle four BRI interfaces, or a single T1 interface (it also comes in
models with four SW-56 ports or eight RS-232 ports). The P-400 also
supports v.32 digital modems (to my knowledge, v.34 support isn't
available yet). It also comes with a built-in diagnostic modem, or so
the literature says.

NOTE: Because the Pipeline 400 runs its system software from flash, it
cannot load a new version via TFTP (as can the MAX 4000/HP and newer
(revB) Pipeline 50s, under rev 4.4B or later).

The P-400 generally retails between $3,000 and $7,000, depending on
WAN configuration and features.

3g. Pipeline 25

The Pipeline 25 is similar in form and function to a Pipeline 50, with
the following major differences:

  * Compression and IP routing features are unbundled; that is, they
    may be purchased separately. The base model P-25 is a transparent
    bridge only, with no compression. Also, the optional compression
    is implemented in hardware, as a plug-in daughterboard (the
    Pipeline 50 compresses in software).

  * The P-25 comes with two POTS (analog telephone) jacks, which may
    be used with any standard phone/modem/fax/answering machine/etc.
    The software will handle details of call pre-emption (e.g., when
    an incoming analog call arrives while both bearer channels are in
    use for ISDN data)

  * The P-25 CPU is a Motorola 68302 clocked at 16MHz, somewhat slower
    than the Pipeline 50.

  * Note that there is *no* coded limitation on the number of ethernet
    devices which may be attached to the P-25 ethernet port. The rumor
    that the P-25 is limited to four MAC addresses (earlier mistakenly
    perpetuated in this FAQ) is completely false.

The base Pipeline 25 model lists for $895.

------------------------------

Subject: 4. Where can I purchase an Ascend ?

[I am collecting data for this section. I would like to get names of
resellers and mail-order companies which take orders nationwide.
However, I do not want this to become an advertising section, so I
will not include prices. All submissions are appreciated (from vendors
too!), and I will include the info when I feel there's a varied and
representative collection. My reasoning is that one of the most
frequent questions on comp.dcom.isdn is "where can I get a Pipeline
50?"; I'd like to provide some answers. If this seems like a bad way
of accomplishing this goal, please advise me! -ddl]

------------------------------

Subject: 5. How should a BRI be provisioned for a Pipeline 50?

In the United States, BRIs tend to come in two basic flavors: either
NI-1, or AT&T "Custom" Point-to-Point.
NI-1 is a Bellcore standard that the major switch manufacturers have
agreed to support; AT&T does support it in their switches, but they
still promote their own customized way of dealing with a BRI (as it's
simpler and easier to use); as a result, most local telcos with AT&T
4ESS or 5ESS switches choose to offer "AT&T Custom" over NI-1. The
other prevalent ISDN-capable switches in the U.S. are Northern Telecom
DMS-100s; Nortel supports only NI-1 (at least until it's superseded by
another standard).

With an NI-1 switch, the user must find out the Service Profile IDs
(SPIDs) associated with the BRI, and enter them in the appropriate
fields in the main "Configure..." menu. Since the local telephone
company assigns the SPIDs, only it can inform you what they are (and
they have been known to get them wrong).

With a BRI provisioned as AT&T custom Point-to-Point, the user merely
needs to enter the telephone number associated with their line.

5a. What about AT&T Multipoint, and the AT&T "type sets" (A/B/C/D/E)?

AT&T Multipoint should be used when you wish to have multiple devices
connected to your BRI. Each device then needs to be assigned at least
one SPID and directory number, so you lose the simple configuration of
P-t-P.

Steve Lemke notes:

> I have a multipoint BRI line on an AT&T 5ESS switch. I clearly
> didn't need multipoint when all I had was the P50, but now that I
> have a 7845, I'm glad I set it up that way. I've assigned one
> directory number and SPID to the 7845, for the POTS interface
> (which is now my fax line), and I've entered the other directory
> number and SPID into *BOTH* fields of the P50's "Configure..."
> screen.
> It would appear that the P50 really only needs one directory
> number (and a SPID in the case of multipoint) to be happy.

Fred R. Goldstein explained the AT&T type sets (specified in telco
provisioning) in comp.dcom.isdn:

> The five Terminal Types are an AT&T invention, part of the AT&T
> Custom feature set. Types A-D correspond to telephone types,
> E to pure data. In practice E is rarely used.
>
>    A = HCDT, FCO
>    B = HCDT, FCO, TM
>    C = HCDT, FCO, KEY
>    D = HCDT, FCO, TM, KEY
>    E = Data only
>
> HCDT is "hold, conference, drop, transfer" (mainly voice features)
> FCO is "flexible call offering" (make/take calls with others on hold)
> TM is Terminal Management (light the lights on the feature phone)
> KEY is Key System emulation (multiple DNs, shared DNs, etc.)
>
> So if you have D, you have all of C plus some TM features that
> your gear may or may not tolerate (usually will). You need C
> for the "extended" features because that basically emulates a
> key telephone set in order to jockey the calls.
>
> The trick to AT&T Custom is that you have to think like a phone;
> if you can figure that out, it's extremely powerful. But its
> Centrex heritage is obvious.

5b. Should my BRI channels be provisioned as CSV, CSD, or PSD?
    What about DOSBS/V.110? And what the heck does that all mean?

If you're going to use your BRI for both voice and data (using an ISDN
phone or NT1 that supports analog phones), then you'll need to have it
provisioned by your phone company to support circuit-switched voice
(CSV+D) on at least one bearer channel. It can be set up that way on
both B channels, but some RBOCs do not permit both channels to be
CSV+D, requiring at least one to be circuit-switched data (CSD) only.

Packet-switched data (PSD) provisioning implies that your BRI will be
connecting to a packet-switched network, like X.25. [I know of no one
who actually does this with a Pipeline 50; if you're out there, drop
me a line!]

Using V.110 (aka DOSBS, Data Over Speech Bearer Service) means your
ISDN device does a call SETUP as if it were an analog/voice call
traversing the public telephone network. The advantage to this is that
residential customers can make local calls at a flat rate, something
that many RBOCs do not support for ISDN (wretched tariffs).
Ascend supports this: set "Data Svc=Voice" in your connection profile
(Telco options).

There are a few downsides to using DOSBS: data rate is generally
restricted to 56Kbps, and on long-distance calls, you might not get
through because of the rare non-digital trunk (but then, DOSBS is
really only useful for local calls anyway). Locally, there may be
special encoding on the line geared towards voice traffic (echo
cancellation, for example), which will cause a digital call to fail.
Some ISDN T.A.s which support V.110/DOSBS try to emulate a modem
signal for the first few seconds of the call, to cause the telco
switch not to use any special processing routines; as far as I know,
Ascend does not.

------------------------------

Subject: 6. What ISDN terminal adapters are compatible with Ascend's?

Some interoperability tests have been run by the California ISDN User
Group. Take a look at their page:

Any device compatible with an Ascend cannot support payload (data)
compression unless it uses the STAC algorithm. Also, unless otherwise
noted, bearer channels cannot be aggregated.

According to Marco Hyman, Ascend supports RFC1717 (the Multilink-PPP
standard), as well as its own extensions for better bandwidth control
(together known as "MPP", which are being offered to the industry as a
whole, at no fee). If the Ascend MPP extensions aren't available, the
Ascend will drop back to MP. However, like most new "standards,"
vendors are still working out their implementation details, so MP may
not behave the same way on all platforms.

* What about BONDING?

Curtis Sanford had this to say about BONDING:

> BONDING (Bandwidth ON Demand INteroperability Group) is a protocol for
> CIRCUIT-SWITCHED aggregation of B-channels to form a synchronous channel
> at the aggregate bitrate. It is available from the DCE serial ports on
> the main MAX chassis, or from our MX-SL-2PMHP or our MX-SL-6PMHP slot
> cards. These V.35/RS449/X.21 serial ports are generally connected to an
> external bridge/router, mux, or videoconferencing terminal. The MAX on
> these ports is acting as an IMUX'ing TA.
>
> When you make a remote LAN connection to the MAX, you are using a
> different set of protocols, based on PPP. These aggregate at the packet
> level, rather than the bit level, and we call that Multilink PPP (MPP),
> and are strictly speaking not BONDING. "Bonding" has been generally
> (mis)used to describe any channel aggregation, but BONDING is a specific
> protocol.
>
> To support BONDING on the serial ports of your MAX, you have to buy an
> additional software option such as MX-SO-NX or a package such as
> MX-SP-VIDEO or MX-SP-DATA. But note that the latter of these packages
> only supports Ascend Inverse Multiplexing (AIM), which is the native IMUX
> protocol between Ascend products and much more functional than BONDING.
> BONDING is supported in our products for compatibility with other
> manufacturer's IMUX products. The other packages and options listed
> include both AIM and BONDING.

* What about V.120?

As of Ascend software rev 4.5, Ascend supports the V.120 asynchronous
rate-adaption protocol, which should allow a larger number of terminal
adapters without synchronous modes to communicate via asynch PPP.

6a. Cisco 2500 series with BRI

I have successfully called a Cisco 2503 from an Ascend MAX and
Pipeline 50, and dialed a MAX from the 2503. Data compression is not
supported; I haven't tested multiple B channels. Attempts to use
unnumbered BRI ports on the C2503 had "interesting" (read:
frustrating) results.

The Cisco was running IOS 10.2(5), using ppp encapsulation and no ppp
authentication (it will still authenticate CHAP and PAP requests from
a remote MAX or P-50, but incoming calls will go unchallenged). When
authentication is turned on on the Cisco, the PPP negotiation phase
fails.
It appears (to me) that this is caused by a difference in the way the
two companies interpret the RFCs, with respect to the proper way to
authenticate calls (see below for details).

Kevin Smith described a way to connect an Ascend with a Cisco without
having to configure an unnumbered interface on the Cisco (which some
networkers are loath to do):

> In reality, all that needs to happen is that the right routes
> get put into the routing table...that can happen in the way
> documented, if the IP addresses are all available to you....
> otherwise, you can add routes using the static routes menus,
> connection profiles....an alternative option is:
>
>
> XYZ-net ----- [cisco] ---------- [Ascend] ----- My-net
>               ^     ^            ^      ^
>               A     B            C      D
>
> XYZ-net is my *desired* destination
> A is a secret held by my ISP
> B is the WAN IP address they shared with me
> C is an IP address I *pretend* to be assigned to my
>   WAN interface
> D is my ethernet IP address.
>
> Add a connection profile called [XYZ-net], with LAN IP address
> set to (B) - yes the WAN address. Set the netmask to whatever it
> is (OR /32 if you don't know/care). Then add a static route to
> XYZ-net (see - we don't need to know (A)), where the gateway
> is set to (B).
>
> The cisco will have a route pointing at "my-net" via address (C)
> ......they don't need to know (D).

[discussion of the authentication problem follows, from the Ascend and
Cisco users' mailing lists. -ddl]

As Keith Stone writes:

> The MAX returns a REJECT to the Cisco's request for CHAP during
> the PPP initial link establishment phase, and so the authentication
> phase where the two peers will swap names and passwords is never
> reached. As far as I can tell this makes it impossible for the
> Cisco to ever let the MAX know who it is, and so two way
> authentication is not possible. I have tried this with 4.4
> and 4.4Ap12.

Chris Chaundy laments:

>The proverbial rock and hard place... I guess the issues are
>(1) why won't/can't the Ascend respond to the cisco CHAP request,
>(2) why can't the cisco be set for one-way authentication (the
>documentation implies that only one-way authentication is done).
>
>This becomes an issue when you have BRI interface where you want
>to call on one channel and be called on the other - you can only
>have one CHAP setting for both channels (of course, Ascend suffer
>from similar problems in that you can only use one kind of
>authentication for all ISDN channels).

[Note that in v4.4+ code, the MAX/P400 can be set to authenticate
incoming calls using PAP, CHAP, or either one -- whichever is used by
the remote unit that's calling. Most recently (as of 4.4B) caller
ID/ANI is supported too. -ddl]

Marco Hyman writes in response to Chris:

> An explanation of (1):
>   * It is "bad" to have one secret shared by all dial in users.
>     You may disagree with this statement.
>   * In order to look up the secret for a dial-in user I have to know
>     who he is. I don't know who he is until he authenticates himself
>     to me.
>   * PPP is peer-to-peer. I can't (or at least shouldn't) wait for the
>     caller to identify himself before picking the proper password for
>     PAP/CHAP negotiation.
>
> The above items lead me to believe that it is best to not do two-way
> authentication on dial-in lines. This also gets around the inherent
> security hole in PPP negotiation:
>
>     There are two communicating units A and B. C pretends to be B and
>     calls A, requesting PAP. A sends C the password it uses when
>     talking to B. C now pretends to be A and calls B, using the
>     password it got from A in the first step.
>
> The Pipeline/Max is typically configured to require that dial-in
> users authenticate themselves. The Pipeline/Max will refuse requests
> to authenticate themselves to dial-in users. After all, how often
> do you demand that the person you just called identify themselves
> to you :-)
>
> I'll let one of the Cisco people answer (2).

6b. Digiboard Datafire / PC-IMAC

The Datafire can dial an Ascend unit, but there have been problems
reported with PAP/CHAP authentication. Specifically: a bug in the
DOS/Windows Datafire drivers that always set the password to lower
case; Win-NT drivers are more reliable. Even so, if the WinNT driver
tries to negotiate a CHAP authentication algorithm different from the
MD5 routine Ascend uses, negotiation will fail (this bug was fixed in
Ascend software rev 4.5). In addition, Microsoft's drivers prevent
Digi products from authenticating *incoming* calls.

Ken Germann reported that:

> The DOS Client PPP drivers for this board have been fixed and are
> able to connect to an Ascend P50 with CHAP authentication enabled.
> The upper and lower case issue in the user and password fields have
> been fixed as well.
>
> ftp.digibd.com:/drivers/beta/isdn/dosclient/dc1321.EXE
> is the drivers.

Here's an extensive set of instructions from Ken, on configuring a PC
with a Digiboard and PPP for proper connection to an Ascend:

> There have been enough requests to warrant this:
>
> Quick Start PPP guide for setting up connections to the Ascend:
>
> ** THIS WILL NOT WORK CORRECTLY WITHOUT THE 1.3.2.1 DOS Client
>    beta drivers **
>
> 1> At the C prompt, type 'cd \pc_imac'.
>
> 2> For an NDIS PPP type
>      'ldndis datafire ppp'
>
>    or
>
>    For Netware ODI
>      'ldodi datafire ppp'
>
> 3> You should see a '4 4 0' appear in the right hand side of
>    your screen within 30-60 seconds. If you don't see this
>    status, get faxback document #4020 at 612-943-0573.
>
> 4> pcp
>
> 5> Type at the pcp > prompt
>
>      copy profile default ascend
>
> 5> Type at the pcp > prompt
>
>      set profile ascend /user= /pass=pass /auth=none
>      /fall=no /num=1 /address=
>
> 6> At the pcp > prompt
>
>      save profile ascend
>
> 7> At the pcp > prompt
>
>      conn ascend
>
>    The connection with a single B channel should go active in a
>    few seconds.
>
> 8> Change the ldndis.bat or ldodi.bat file to do a 'conn ascend'.
>    This will allow you to do a 'call \pc_imac\ld.bat'
>    from your autoexec.bat file to setup the connection at the
>    time your PC is coming up.
>
> Note:
>
>    WinISDN drivers are being worked on. They should be available
>    by mid-July to early August. These drivers will work with
>    Windows for Workgroups and Win 95.
>
> -------- Driver info ------
>
> Driver information follows:
>
> ISDN Beta Drivers
> --------------------------------------------------------------------
>
> Notes: Start your FTP clients in binary mode. From a unix or like
>        host with a command line for ftp you can enter do a
>        'ftp -i -n ftp.digibd.com' or 'ftp -i -n 199.86.0.193'.
>
>        Recommend using Ymodem or Zmodem for Download protocol.
>        Xmodem and Kermit are going to be slower protocol for
>        downloading files.
>
> OS:   WFWG 3.11 (Windows for Workgroups)
> Digi: Datafire - PC IMAC
>
> BBS Login: iwfwbeta
> Password:  wfw100
> File(s):   wfw100.exe
>
> FTP Login: anonymous   Password: email address
> Directory: cd /drivers/beta/isdn/wfw
> File(s):   wfw100.exe
> --------------------------------------------------------
> OS:   Novell
> Digi: PC IMAC - PC IMAC/X
>
> BBS Login: nw41beta
> Password:  nw130e
> File(s):   nw130e1.exe & nw130e2.exe
>
> FTP Login: anonymous   Password: email address
> Directory: cd /drivers/beta/isdn/nw
> File(s):   nw130e1.exe & nw130e2.exe
> --------------------------------------------------------
> OS:   DOS Client beta released 5/30/95
> Digi: Datafire - PC IMAC
>
> BBS Login: dclient
> Password:  dc1321
> File(s):   dc1321.exe
>
> FTP Login: anonymous   Password: email address
> Directory: cd /drivers/beta/isdn/dosclient
> File(s):   dc1321.exe
>
> Relnotes:  Chap Authenticator fixed, some size reduction done,
>            mixed case login/password fixed.
> --------------------------------------------------------
>
> OS:   Win NT 3.5
> Digi: Datafire - PC IMAC - PC IMAC/4
>
> BBS Login: int35bta
> Password:  nt130b9
> File(s):   nt130b9.exe
>
> FTP Login: anonymous   Password: email address
> Directory: cd /drivers/beta/wnt35b9/nt130b9.exe
> File(s):   nt130b9.exe

*Also see section on Windows NT below.*

Digi is actively soliciting Ascend<->Digi problem reports, so they
seem interested in solving incompatibility problems. Contact
keng@digibd.com.

6c. Combinet

Combinet EVERYWHERE 2000 series software 3.0.1 and later supports both
PPP and MP, as well as their proprietary protocol. Thus, they should
be interoperable without using special Combinet settings.

Geoffrey Alder listed his settings for Combinet 150s dialing into an
Ascend MAX, using bridging:

    [RADIUS]

    0040f9011a86    Password = "xxxxxx"
            Framed-Address = y.y.y.y,
            Framed-Netmask = 255.255.255.0,
            Framed-Protocol = COMB,
            Framed-Routing = None,
            Ascend-Bridge = Bridge-Yes,
            Ascend-Link-Compression = Link-Comp-Stac,
            Ascend-Route-IP = Route-IP-No,
            Ascend-Send-Auth = Send-Auth-None

    [Combinet 150]

    SET DEFAULTS
    SET 1 NU = dial number
    SET 1 TI = 120
    SET IP y.y.y.y
    SET SU 255.255.255.0
    SET PAS SY xxxxxx
    SET PAS CL xxxxxx

6d. Gandalf

Gandalf makes remote ISDN bridges, the LANLine 5240i and 5242i, which
now (as of August 1995) support PPP and MP, and are therefore
compatible. I have no personal experience testing interoperability
between the two (yet).

Concerning their central-office hub, an engineer at Gandalf told me
the following:

> The Xpressway 3.0 release does work with the Ascend. Indeed for a
> while it worked with two B channels with ascend. However when ascend
> released the newer software it stopped working with two B channels.
> I cannot give you the exact details as our PPP guru is on vacation.
>
> The Gandalf Xpressway supports the MP protocol extensions. The main
> issue I think is when will we see a standardized compression that
> can be used to improve throughput. Having just one/two B
> channels without compression really isn't that impressive. I do
> hope this gets resolved soon.

Note that Gandalf units will include STAC compression as a fall-back
standard for when their proprietary compression algorithm cannot be
employed. (This may be available now, August 1995; I'm not sure.)

Gandalf also has a 5250 line of routers, with which I have no
experience.

6e. 3Com Impact / AccessWorks

Zbigniew J. Tyrlik writes:

> I got 3Com Impact (previously Access Works) to work with Ascend;
> using software rev 1.5 on 3Com, and connecting from Win3.1 unit,
> using Trumpet DLL. PAP was enabled on both ends. I was unable to
> get it working with NT machine.

And Rohit Fedane wrote:

> Try this AT command: ATS71=1
>
> That forces a PPP connection. By default it is set to autoselect
> and seems to prefer a clear channel link.

*Also see section on Windows NT below.*

6f. Sun on-board BRI with PPP (SunLink, Morningstar)

Bob Atkins writes:

> Yes, I am using the SunLinkISDN v1.0.2 with a SPARC LX and it
> works just fine.
>
> The PPP package that is shipped with Solaris does not support
> an ISDN link. You will need a copy of SunLinkISDN v1.0.2. As
> regards to successes or failures overall I found the SunLinkISDN
> package a bit challenging without any documentation, however the
> configuration files are fairly well commented. No failures to
> speak of, but then again ISDN WAN is my business :)

6g. IBM WaveRunner

Laurence V. Marks reports that the WaveRunner card with rel. 2.2
software can dial Ascend units, using the WinISDN interface.

And John Kuran wrote in to provide more detail:

> I've been able to do 2B over data and voice with an Ascend
> P50 with V2.2 software on WaveRunner ISA card. At this time
> it requires Chameleon 4.5.1 for WinISDN interface. Others in
> our mailing list have been successful with the PCMCIA version.

6h. ISDN*Tek PC-card

[It's been reported that this PC-card T.A. works, but I have no
details on it myself. -d.d.]

6i. ISC Securelink II PC-card

Dror Matalon wrote:

> The Ascend will drop the line after 5-15 Secs of inactivity
> when connected to this device. Going into debug mode and typing
> "noidle" will make this behavior go away and the line gets timed
> out after the number of minutes we specify in the RADIUS entry.
> This works quite nicely except that the 400 reverts to the
> original behavior on its own and we need to go through the process
> of going into debug mode and typing noidle again.
> We found out the "noidle" work around from Ascend support who
> told us that the Ascend sends a query to the other device to see
> if it's there and the Securelink doesn't respond which is why the
> 400 times out. The noidle is a [short-term] workaround for that.

6j. Motorola BitSURFR

Several users have written in to attest to success in calling Ascend
units from BitSURFRs. Robert Sanders gave advice about doing so using
Trumpet Winsock:

> Trumpet doesn't bridge. Use routing on, bridging off. Turn on
> proxy arp if you're using an IP address from the same subnet the
> P50's ethernet interface is on.
>
> There are some other important parameters, most of which have been
> mentioned here and on comp.dcom.isdn. Turn link compression off in
> the P50, use PAP, set the BitSURFR's protocol to PPPC, etc.
>
> I've used Trumpet with both a P50 and a MAX with excellent results.

And Turnando Fuad noted that "We had to do manual login in Trumpet
instead of the script and hit the ESC key once you make the connection
and PAP will kick in."

6k. Telebit NetBlazer

[It's been reported that this T.A. works, but I have no details on it
myself. -d.d.]

6l. Notes on Windows NT

Jan Bottorff uncovered some details on reported compatibility problems
between Ascend's and Windows NT's PPP implementations.
Following is a semi-long account:

[email to support@ascend.com]

> My ISP is using P50's on each BRI line and I was using Microsoft
> Windows NT 3.5 connected to an ISDN Terminal Adapter (Quick Access
> Remote). They were calling my TA with NT 3.5 doing the PPP protocol.
>
> Using the NT SMS network sniffer, I have packet traces that seem to
> indicate the P50 acks an authentication protocol it does not support.
> The trace goes like this:
>
> A few LCP packets are exchanged and rejected. NT eventually sends
> one that requests CHAP authentication with an encryption algorithm
> field of 0x80. The PPP authentication RFC does not say what
> encryption method 0x80 is, but does say that 0x5 is MD5. The
> Pipeline 50 sends an ack, apparently accepting this configuration.
> My belief is algorithm 0x80 is DES. The NT Resource Kit seems to
> say NT will use MD5 or DES when dialing out, but always uses DES
> for dial-in calls. NT then starts sending the challenge packets.
> The response comes back, and is not accepted. NT actually logs an
> error, probably because the reply packets are not even the correct
> length. NT then tries 8 more times and disconnects. I believe the
> response packets are encrypted with MD5, not DES as was negotiated.
> I believe this because the length of the response packets has the
> correct 16 byte (for MD5) size for some data fields. NT is quite
> willing to negotiate down to PAP authentication if the remote end
> will not do CHAP. The Pipeline 50 says it's willing to do CHAP
> w/DES, so things never authenticate correctly.

The above problem is FIXED as of Ascend rev. 4.5.

Jacques Vidrine reports that Microsoft will be including support for
Multipoint PPP [MP] in the next revision of Windows NT, due late 1995
or early 1996, and possibly in a service package update sometime
before then.

------------------------------

Subject: 7. Does my computer need anything special to connect with Ascend equipment?
You need an ethernet card, and a network that supports 10baseT
(eight-pin RJ45 jack) or AUI (15-pin) interfaces. If your medium is
BNC/thinnet, you'll need a tap/converter.

Note that if you plan to connect your workstation's ethernet port
directly to the port on the Ascend unit, without a hub in between, you
need to use a "crossover" cable: a 4-pair RJ-45 cable with pins #2 and
#3 swapped. (Ascend now provides a crossover cable in the box of every
Pipeline 50/50-HX.) You'll also need a 10baseT ethernet card.

NOTE: Make sure you don't mistakenly use a crossed RJ-45 cable to
connect the WAN port of your Ascend to your telco ISDN jack! This may
have harmful results!

------------------------------

Subject: 8. Can I use a digital (ISDN) phone and a Pipeline 50/50HX on the same BRI?

You need to be using an external NT1 (and the P-50-1SBRI model). If
you have two SPIDs associated with your BRI, assign one to the P-50
and one to the ISDN phone.

On a DMS-100 switch, this will leave you without the ability to use
two channels. As Bob Cameron wrote:

> Actually, the DMS 100 can support 8 devices but only two can be circuit
> switched - the other 6 must be D Channel packet. Confusion arises
> because the DMS supports two logical terminals where a logical terminal
> equates to a Service Profile Identifier or B Channel. So if you have a
> data device which requires two SPIDS, you have two logical terminals
> and you can't add any more circuit switched devices. This is a real
> problem if you want to add an ISDN phone to the same line. The only
> answer is to power down the data device when you want to use the phone
> and unplug the phone when you want to use both B Channels for 128
> KBPS data. The phone and one half of the data device would be
> programmed with the same SPID.

Joe Huber mentions that since software version 4.3C:

> with an AT&T Custom switch, the Ascend can now utilize BOTH
> B channels on a single SPID and TEI. Leaving the other SPID and
> TEI for voice services in the ADAK or other device.

------------------------------

Subject: 9. Can I use an analog (POTS) phone and a Pipeline 50/50HX on the same BRI?

The Pipeline 25 (to be released Real Soon Now), will have built-in
POTS jacks, which means any analog device (phone, answering or fax
machine, etc.) can be used on the BRI.

For those who already have P-50s or P-50HXs, using an analog phone on
your BRI entails using an external NT1 that includes a POTS jack, such
as an ADAK NT1 or IBM 7845. These are fairly expensive, however, and
you lose the ability to aggregate channels on the P-50, unless (as
mentioned above) you're off an AT&T Custom switch.

Here's how Robin Cutshaw got this working with an IBM 7845 (NT1 + POTS
jack) and Southern Bell:

> I've got three SPID's: 2 type D for data/voice and one type C for voice
> only. The voice only spid has two phone numbers associated with it,
> the primary and secondary.
>
> As per the IBM 7845 manual, choose terminal type C with EKTS and CACH
> (page5) and configure the keyset for the primary # as key 1 and
> secondary as key 11 (page 67). Not mentioned in the manual is the fact
> that you should choose NI-1 (national). All of the above setup is done
> by the phone company.
>
> Then simply follow the manual for programming the 7845 using the primary
> spid/number.
>
> I'm using an SR3 distinctive ring splitter on the back of the 7845.
> This box came from Hello direct (800-HI-HELLO). It seems to work fine
> with the two numbers that I'm using (but I haven't tried the max of 3).
>
> To get the 7845 to program properly, you need to disconnect the P50 from
> the ISDN line while programming. I typically have one B-channel nailed
> up from the P50 with MPP bonding to the second for heavy traffic. As
> long as I'm not using both B-channels for data, the 7845 seems happy.

------------------------------

Subject: 10. Should I route or bridge IP between two Pipeline 50s?
This is truly situation-dependent; many flamewars have been waged over
the advantages and disadvantages of routing over bridging.

Generally, routing IP has these advantages:

   + easier to prevent unneeded traffic (of unused protocols, or of
     other stations);
   + easier-to-manage security;
   + more flexible: with dynamic routing, your unit could call into
     different locations with the same source address, allowing the
     answering unit(s) to propagate your route; this has the effect of
     providing some dynamic failover capability (when bridging IP, you
     must be numerically part of the remote subnet you call).

Bridging has the advantage of conserving address space: you can bridge
many more stations into one IP class C-size subnet than you could
route (even with the tightest 30-bit subnet mask, you could only get
62 remote stations into a class C network). So if you have many
stations but limited address space (not unusual these days), it may be
necessary to bridge.

------------------------------

Subject: 11. How does Ascend measure current line utilization?

Answer from Marco S Hyman:

> Take the number of octets sent in a second plus a "fudge factor" to
> account for flags, CRC, and 0 bit insertion. The current "fudge factor"
> is 5 octets per packet sent.
>
> Divide by the available bandwidth of a session, e.g. 112 kbit/s for a two
> channel call over 56 kbit/s links or 64 kbit/s for a 1 channel call over
> a single 654 kbit/s link.
>
> The available bandwidth does not include calls that are active but not
> yet merged into the MP bundle. Once a second (more or less) we do the
> calculation and clear the number of octets transmitted. Note, we *only*
> measure outgoing data.

------------------------------

Subject: 12. Filtering overview

Ascend implements two types of filters: IP filters (layer 3, network),
and GENERIC filters (layer 2, data-link/MAC/ethernet). IP filters
literally operate at a higher level than GENERIC filters, and are
easier to maintain and understand.
GENERIC filters require much more detailed knowledge of the packets
being delivered, which might mean using a packet sniffer. Please see
question #34 for some protocol information that might be helpful when
building filters.

Filters (either type) can be applied in two different ways: as data
filters, or as call filters. Data filters will examine packets and
drop (or forward) matching entries, depending on filter construction.
Call filters don't drop packets, but packets that match will not cause
the unit to bring up a new call, and won't reset the idle timer (which
means the line will eventually time out properly).

NOTE: Packets are _always_ compared to Data filters before Call
filters.

Finally, filters can be applied to different ports on the Ascend
units, in different "directions". A packet can be examined as it
enters the port, or as it leaves the port (input and output,
respectively).

Filters are actually defined under Ethernet->Filters. A Pipeline 50
only allows four different filter sets, each of which can include 12
independent input and output rules. The order in which they are
defined is important!

In any live connection, there are essentially four choke points at
which packets can be filtered:

   + the calling unit's ethernet interface:
       Ethernet->Mod Config->Ether options->Filter=[#]
   + the calling unit's BRI:
       Ethernet->Connections->[profile]->Session options->[Call|Data] Filter=[#]
   + the answering unit's BRI:
       Ethernet->Connections->[profile]->Session options->[Call|Data] Filter=[#]
   + the answering unit's ethernet:
       Ethernet->Mod Config->Ether options->Filter=[#]

With different directions being examined, that means eight different
filtering sets can be implemented, with varying results. A simplistic
diagram might look like this:

    .----.     T   A._____.B               C._____.D   T
 [remote PC]__|___| P50 | ~ ~ ~ ~ ~ ~ ~ | P50 |_____|  [office LAN]
    |____|     |    `-----'               `-----'     |
               l                                      l
           [ethernet]                             [ethernet]

Input and output call filters applied at point "B" would prevent
matching packets from bringing up the connection to point "C", or from
keeping the line up. Once up, the packets would still traverse the
link.

An input data filter set applied at point "C" would drop any matching
packets arriving over the wide-area connection. This is generally a
desired effect.

(My rule of thumb for filtering is to apply call filters at the
calling Ascend, and apply data filters (for security) at the answering
one; the reason I do it this way is because the central office network
is more important to protect than the remote user. I apply filters
only to the WAN ports (in the appropriate connection profiles),
although they certainly can be applied to the local area networks.)

Brian Del Vecchio describes Ascend filtering methodology in the
following way:

> On output to the WAN, we filter packets in this order:
>
> 1) Apply the output data filter. Packets may be explicitly forwarded or
> dropped. If there are any filter entries, the default for a packet that
> does not match is to DROP. If no filter entries, the default is to
> FORWARD.
>
> 2) Apply the output call filter. If a connection to the designated target
> is up, then packets are always forwarded--the call filter is used only to
> determine when to reset the idle timer. For multi-channel connections,
> there is one idle timer. If a call is not up, then only a packet that
> passes the call filter will cause a call to be placed. Otherwise, the
> packets will be dropped. Again, the default behavior is DROP if there
> are any output call filter entries specified, FORWARD if there are none.
>
> On Input, we do the same, applying the Data filter before the call filter.
>
> Ethernet filtering is often used to prevent certain protocols from being
> bridged. For example, one could place an Input filter on the Ethernet
> that told the Pipeline to ignore all IPX packets.
>
> One thing to watch out for if you apply an IP filter to the Ethernet: If
> you terminate your filter list with an IP type filter that says "forward
> everything," it really means IP, and excludes ARP. Without ARP, you'll
> see everything work for five to ten minutes, and then your Ethernet will
> appear to break. Instead, terminate the filter list with a Generic type
> filter that says "forward all."
>
> This is a particularly subtle misconfiguration, since everything seems to
> work fine for a few minutes until the ARP entries age out.

------------------------------

Subject: 13. My connection won't stay down! Help!

If you haven't already, try using the prewritten call filters that
Ascend has included (in version 4.3C and later), for IP, NetWare and
AppleTalk. These filters should be applied to the Connection Profile
of the _calling_ Ascend unit (menu: Ethernet->Connections->[profile]->
Session options->Call filter=[filter-set #]). When configured this
way, the filters inform your unit which packets should be ignored as
traffic.

Protocols such as LAT, DECnet, XNS, NetBIOS and Vines don't have
pre-written filters yet, and have yet to be formalized. Appropriate
filtering examples will be included in the FAQ as they come along, but
if the intent is to block an entire protocol type (or prevent it from
resetting the idle timer as a Call filter), a generic filter of the
following form may be implemented:

        Valid=Yes
        Type=GENERIC
        Generic:
          Forward=No
          Offset=12
          Length=4
          Mask=ffff
          Value=[protocol ID]
          More=No

A list of protocol IDs is available in the FAQ, in the protocol
reference appendix.

UNIX System Tips
----------------

If you're connecting a remote UNIX system back to a central office,
here are some "gotchas" to keep in mind:

   * If you're automounting remote filesystems via NFS, make sure
     processes aren't periodically accessing those directories.
     [Greg Grose]

   * Don't run sendmail with a periodic queue-check interval (the
     '-q#m' option); instead, just put it in the background and run a
     cron process under root that only processes the mail queue after
     making sure the link is up first. [Greg Grose]

   * Run your local window manager with the "save under" option, which
     prevents it from bringing up the link on exposure events (e.g.
     every time you uncover the icon or window from the background,
     and the WM refreshes the display). [John Galloway]

   * Make sure syslog isn't pointing to a loghost across the ISDN
     link. [Rob Logan]

13a. Novell "spoofing".

Ascend recently included a few software features to make bridging
Novell IPX traffic less painful. The 4.4 release notes (dated 2 Feb
95) do a good job of explaining the feature.

Some background: NetWare servers expect all connected client systems
to be reachable, and expect to hear a watchdog "are you there" packet
at regular intervals. If they don't for an extended period of time,
the client connection is cleared, and the user is logged out. In
addition, Netware servers send out announcements of various network
services once per minute. Both of these attributes can cause the line
to remain up even when there's no "interesting" user traffic.

SAPs can be handled simply by ignoring them using a call filter (and
Ascend provides a predefined filter to do just that), but watchdog
keepalive packets must be sent. If not, users run into situations
where, when the line idles out for a while (i.e. a file is being
edited on their local system), and the next time they wish to access
their fileserver, they find the server session has been logged out.
Windows has been known to deal with this condition, umm, less than
gracefully. :)

Ascend's solution was to include a new connection profile menu (called
"Ipx options...").
Setting "Handle IPX=Server" means this Ascend unit (the one on which
the setting is applied) will send out keepalive packets for the
remotely-bridged workstations connecting over the associated link. The
"Netware t/o" value is the length of time (in minutes) that this
spoofing will continue.

The Ascend unit on the opposite side of the connection should set
"Handle IPX=Client". This assumes there are only Netware clients on
that local ethernet; if there are servers there as well, both should
set "Handle IPX=None".

------------------------------

Subject: 14. Does Ascend support third-party security extensions like SecurID?

Not yet, but this feature is in development (according to Ascend);
expected to be available sometime this year. No details on this yet.

------------------------------

Subject: 15. How can I set up my Ascend router as an Internet firewall?

Question from: Rich Braun

> I have a question about IP filtering on the P50. Basically, what I
> want to do is set it up as a simple packet-level firewall.
>
> Essentially:
>
> - Allow ARP/ICMP/PING packets
> - Allow TCP/UDP traffic to ports > 1023
> - Allow HTTP, SMTP, NNTP, DNS, and a couple of others
> - Block everything else inbound from the net

[from ddl:]

I wrote some filters to try and accomplish this. Here's the output
from a "Save Cfg" command (if loaded into a P-50 with "Restore Cfg",
this will be filter #4, called "Inet firewall"). I applied it to the
BRI, in the default connection profile.
START=FILT=200=3
Name=Inet firewall
In filter 01...Valid=Yes
In filter 01...Type=IP
In filter 01...Generic...Forward=Yes
In filter 01...Ip...Forward=Yes
In filter 01...Ip...Protocol=6
In filter 01...Ip...Dst Port Cmp=Eql
In filter 01...Ip...Dst Port #=25
In filter 02...Valid=Yes
In filter 02...Type=IP
In filter 02...Generic...Forward=Yes
In filter 02...Ip...Forward=Yes
In filter 02...Ip...Protocol=6
In filter 02...Ip...Dst Port Cmp=Eql
In filter 02...Ip...Dst Port #=80
In filter 03...Valid=Yes
In filter 03...Type=IP
In filter 03...Generic...Forward=Yes
In filter 03...Ip...Forward=Yes
In filter 03...Ip...Protocol=6
In filter 03...Ip...Dst Port Cmp=Eql
In filter 03...Ip...Dst Port #=119
In filter 04...Valid=Yes
In filter 04...Type=IP
In filter 04...Generic...Forward=Yes
In filter 04...Ip...Forward=Yes
In filter 04...Ip...Protocol=6
In filter 04...Ip...Dst Port Cmp=Eql
In filter 04...Ip...Dst Port #=53
In filter 05...Valid=Yes
In filter 05...Type=IP
In filter 05...Generic...Forward=Yes
In filter 05...Ip...Forward=Yes
In filter 05...Ip...Protocol=17
In filter 05...Ip...Dst Port Cmp=Eql
In filter 05...Ip...Dst Port #=53
In filter 06...Valid=Yes
In filter 06...Type=IP
In filter 06...Generic...Forward=Yes
In filter 06...Ip...Forward=Yes
In filter 06...Ip...Protocol=6
In filter 06...Ip...Dst Port Cmp=Gtr
In filter 06...Ip...Dst Port #=1023
In filter 07...Valid=Yes
In filter 07...Type=IP
In filter 07...Generic...Forward=Yes
In filter 07...Ip...Forward=Yes
In filter 07...Ip...Protocol=17
In filter 07...Ip...Dst Port Cmp=Gtr
In filter 07...Ip...Dst Port #=1023
In filter 08...Valid=Yes
In filter 08...Type=IP
In filter 08...Generic...Forward=Yes
In filter 08...Ip...Forward=Yes
In filter 08...Ip...Protocol=6
In filter 08...Ip...TCP Estab=Yes
In filter 09...Valid=Yes
In filter 09...Type=IP
In filter 09...Generic...Forward=Yes
In filter 09...Ip...Forward=Yes
In filter 09...Ip...Protocol=1
In filter 10...Valid=Yes
In filter 10...Generic...Forward=Yes
In filter 10...Generic...Offset=12
In filter 10...Generic...Length=4
In filter 10...Generic...Mask=ffff000000000000
In filter 10...Generic...Value=0806000000000000
END=FILT=200=3

In order, this filter should permit incoming:

   + SMTP from anywhere
   + HTTP from anywhere
   + NNTP from anywhere
   + DNS [TCP, for zone transfers] from anywhere
   + DNS [UDP, for queries] from anywhere
   + connections on TCP ports higher than 1023 from anywhere
   + connections on UDP ports higher than 1023 from anywhere
   + established sessions (TCP sessions with the EST bit set) from
     anywhere
   + ICMP from anywhere
   + ARP from anywhere

There are no outgoing filter rules because I wanted to allow anything
outbound.

------------------------------

Subject: 16. How can I protect against IP spoofing attacks?

Answer from "Andrew W. Donoho":

> Here is an augmented version of my "IP Spoofing" filter for an
> Ascend Pipeline 50 ISDN <-> Ethernet router. Since I am a novice at this
> game, I decided to see what other vendor's filters look like. So far, I
> have only examined Livingston's filters. In their filters, I discovered
> that they use a different output filter than I originally published. I
> believe that their filter tries to defeat a "bounceback" packet. I am
> defining a bounceback packet as one that, because of its destination
> address, will be immediately routed back to your network. I have added
> it to my filter scheme.
>
> My filter scheme tries to implement the following policy (this is
> for my 16 IP address subnet):
>
> On input:
>    deny packets from the outside that claim to be from the inside.
>       (deny from xxx.xxx.xxx.xxx/28)
>    Allow everything that isn't spoofing us.
>    Implicit deny all other packets.
>
> On output:
>    deny "bounceback" packets
>       (deny to xxx.xxx.xxx.xxx/28)
>    allow packets that come from us. <- Truth in Packet Addressing!
>       (allow from xxx.xxx.xxx.xxx/28)
>    Implicit deny all other packets.
>
> The truth in packet addressing filter is not strictly needed (the
> CERT approved Livingston filters don't do it) but I think that it is
> useful in limiting the degrees of freedom that a hacker might have if
> he set up shop on my subnet. I don't want my subnet to be a source of
> spoofing attacks.
>
> I would appreciate any feedback on this spoofing policy and code.
> And since I am a novice, a "this looks OK to me" comment is especially
> desired. Of course, a go back to the drawing board comment is also
> appreciated.
>
> After loading into your PL50 please edit the addresses and masks to meet
> your needs. The mask is currently: 255.255.255.240 and the address is my
> subnet:199.183.109.224. These addresses occur in In Filter 01 and in Out
> Filters 01 & 02.
>
> ---- Begin Included Ascend PL50 Filter Profile ----

[further quote marks removed to make copying/pasting easier -ddl]

START=FILT=200=3
Name=IP_Spoofing
In filter 01...Valid=Yes
In filter 01...Type=IP
In filter 01...Generic...Length=65535
In filter 01...Generic...Mask=c7b76de000000000
In filter 01...Generic...More=
In filter 01...Ip...Src Mask=255.255.255.240
In filter 01...Ip...Src Adrs=199.183.109.224
In filter 02...Valid=Yes
In filter 02...Generic...Forward=Yes
In filter 02...Ip...Forward=Yes
Out filter 01...Valid=Yes
Out filter 01...Type=IP
Out filter 01...Generic...Mask=00000000fffffff0
Out filter 01...Generic...Value=c7b76de000000000
Out filter 01...Ip...Dst Mask=255.255.255.240
Out filter 01...Ip...Dst Adrs=199.183.109.224
Out filter 02...Valid=Yes
Out filter 02...Type=IP
Out filter 02...Generic...Forward=Yes
Out filter 02...Generic...Length=65535
Out filter 02...Generic...Mask=c7b76de000000000
Out filter 02...Generic...More=
Out filter 02...Ip...Forward=Yes
Out filter 02...Ip...Src Mask=255.255.255.240
Out filter 02...Ip...Src Adrs=199.183.109.224
END=FILT=200=3
END DOWNLOAD

------------------------------

Subject: 17. I'm seeing terrible performance in my Novell IPX file transfers. Why?
Novell NetWare users should make sure that they're using Virtual
Loadable Modules (VLM.EXE) on the client workstations, instead of
NETX.EXE; the former can take advantage of larger packet sizes and
packet streaming, but the latter cannot. In addition, NetWare 3.11
servers should have LIPX and PBURST NLMs loaded (Netware 3.12 and
later load these by default).

------------------------------

Subject: 18. I'm seeing really odd routing table entries. Why?

Marco S Hyman reports with some glee:

> Solved! The bogus routes are a result of a bug which sometimes shows
> up processing ICMP redirects. If your unit never sees a redirect you'll
> never see the bogus routes. Fixed in the next release. [4.5 -ddl]
>
> Many will say that the Pipeline is a router and should never pay attention
> to redirects. Others will insist that to work in their environment the
> Pipeline must support redirects. To try to please both a new option
> is being added. The next release will add this to the ethernet
> mod config:
>
>     ICMP Redirects=Accept/Ignore

------------------------------

Subject: 19. I want to assign IP addresses to my workstation dynamically. How can I do this over an Ascend ISDN link?

Ascend equipment can allocate addresses by PPP/IPCP negotiation, but
that only applies to the device that's doing the work of connecting:
the remote calling device. It cannot apply to the computer behind the
router, because nothing on that workstation is negotiating (it just
thinks of itself as being on a little ethernet).

Ascend units with digital modems can assign addresses out of pools to
the remote workstations calling in, because the workstation itself is
doing the PPP negotiating.

If you want to assign remote addresses dynamically to workstations
attached to Ascend routers via ethernet, you'll need a BOOTP/DHCP
server sitting on your backbone LAN, answering requests for IP
addresses from remote workstations.
In order to accomplish this you'll have to turn bridging on, because
the ethernet BOOTP packet which requests an IP address must be bridged
(you can't speak TCP/IP if you don't have an address yet).

[I haven't tested this yet over ISDN; if you have, please let us know
your positive or negative experiences with it. -ddl]

------------------------------

Subject: 20. How can I prevent incoming telnet console connections to my unit?

In software release 4.4 and later, Ascend has added a 'telnet
password' to the code; when set, it is the first thing prompted for
when a telnet session is established.

If you want to drop all incoming telnet sessions from being
established, you can create an incoming data filter and apply it to
your connection profile. An example would be:

        In filter 01...Valid=Yes
        In filter 01...Type=IP
        In filter 01...Ip...Forward=No
        In filter 01...Ip...Protocol=6
        In filter 01...Ip...Dst Mask=255.255.255.255
        In filter 01...Ip...Dst Adrs=10.10.10.10
        In filter 01...Ip...Dst Port Cmp=Eql
        In filter 01...Ip...Dst Port #=23

[replace "10.10.10.10" with your P-50's IP address]

This filter should be applied in conjunction with other filters that
permit the kind of data you wish to pass through (e.g., everything
else). Otherwise you won't see anything much at all... :)

------------------------------

Subject: 21. How can I log and account for calls?

Syslog can be used to track incoming and outgoing calls. You'll need a
host that runs a syslog daemon (most UNIX systems will do, preferably
one with a BSD style syslog).

On your Ascend unit, start logging information by moving to the menu
Ethernet->Mod Config, and setting the following:

        Syslog=Yes
        Log Host=[IP address of your logging host]
        Log Facility=localn

(Where "n" in localn is a number from 0 to 7, corresponding with a
user-defined log facility selected on the logging host.)
Under UNIX, add the following line to /etc/syslog.conf:

localn.info	/var/log/ascend-log

Where "localn" corresponds to the facility selected on the Ascend unit
(presumably one not already assigned in syslog.conf). Make sure the
above line starts at the left margin and that the two fields are
separated by tabs, not spaces. The filename can be whatever you like.

If the log file doesn't already exist, create the file in the location
you specified, and kill and restart the syslog daemon.

Under VMS, Dan Newman provides these tips:

> On OpenVMS systems running TGV MultiNet(R):
>
> $ MULTINET CONFIGURE/SERVER
> SERVER-CONFIG> ENABLE SYSLOG
> SERVER-CONFIG> RESTART
> SERVER-CONFIG> EXIT
> $
>
> Messages received by the MultiNet syslog daemon are, by default, directed
> to OPCOM. See the MultiNet SYSLOG documentation in for further details.
>
> FYI, to the best of my knowledge, none of the other TCP/IP stacks for
> OpenVMS support syslog.

Accounting for calls, in the business sense, is not easily
accomplished with Ascend's current software release. Syslog records
must be heavily massaged (as mentioned above) in order to create
usable records, and diligent programming is necessary for anything
approaching real billable accounting. Some individuals have written
and made available their own solutions (not necessarily for free);
posting on the Ascend User's list may garner some responses on this
subject.

Eventually, Ascend will support RADIUS accounting, but RADIUS
accounting itself isn't firmly defined yet, so this will take a while.

Ascend recommends using its latest SNMP MIB (see FAQ question #32)
with the latest software rev (4.4B). This MIB generates and maintains
accounting events for Max, Max 4000/HP, and Pipeline 400 units. My
experiments with it to date have not been very promising, though, and
Ascend hasn't provided any documentation on how valid billable records
might be generated from it.
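The syslog.conf conditions this answer lists (entry at the left margin, fields separated by tabs, a localn facility not already assigned) can be checked mechanically before the syslog daemon is restarted. The sketch below is an added example, not part of the original FAQ or of Ascend's software; the function names, the sample configuration and every path other than /var/log/ascend-log are constructed for illustration.

```python
import re

# Facilities the Ascend "Log Facility" setting can select (local0..local7).
FACILITIES = {f"local{n}" for n in range(8)}

# One syslog.conf entry: indent, selector, separator, action.
ENTRY = re.compile(r"^(\s*)(\S+)(\s+)(\S.*?)\s*$")

# Constructed sample, not taken from a real host.
SAMPLE_CONF = (
    "# constructed sample /etc/syslog.conf\n"
    "*.err\t/var/adm/messages\n"
    "local2.debug\t/var/log/uucp-debug\n"
    "local5.info /var/log/ascend-log\n"   # space used instead of a tab
)


def selector_facilities(selector):
    """Facility names in a selector such as 'mail,local3.info;auth.none'."""
    names = set()
    for part in selector.split(";"):
        names.update(part.split(".", 1)[0].split(","))
    return names


def lint_syslog_conf(conf_text, facility, log_path):
    """Return (line_number, message) findings for the Ascend log entry.

    Line number 0 marks a finding about the file as a whole.
    An empty list means the entry meets the conditions in the FAQ text.
    """
    if facility not in FACILITIES:
        raise ValueError("Log Facility must be one of local0..local7")

    findings = []
    usable = False
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        match = ENTRY.match(raw)
        if match is None:
            continue                      # not a selector/action pair
        indent, selector, separator, action = match.groups()
        if facility not in selector_facilities(selector):
            continue                      # entry is for another facility

        ok = True
        if indent:
            findings.append((number, "entry does not start at the left margin"))
            ok = False
        if set(separator) != {"\t"}:
            findings.append((number, "fields are separated by spaces, not tabs"))
            ok = False
        if action != log_path:
            findings.append(
                (number, f"{facility} is already assigned to {action}"))
            ok = False
        if ok:
            usable = True

    if not usable:
        findings.append((0, f"no usable entry sends {facility} to {log_path}"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_syslog_conf(
            SAMPLE_CONF, "local5", "/var/log/ascend-log"):
        print(line_no, message)
```
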
Mel Beckman has written a UNIX-based program to take syslog data from
a Pipeline 50 and massage it into more readable, useful form. Its
source code is included at the bottom of this document.

Mark Lentczner has written a syslog parsing program for the Pipeline
50, available in both perl and awk. It may be found, along with a
description, at the following location:

------------------------------

Subject: 22. Does the Ascend support Caller-ID/ANI authentication?

Yes, in software release 4.4B, just released. I have no information
about it yet except the following:

Marco Hyman wrote about it:

> The feature is in beta test. A "caller #" has been added to the
> connection profile. When caller-id is being used a profile is selected
> by matching the incoming phone number with the field in the profile.
> A profile authenticated this way will *not* be re-authenticated using
> PAP or CHAP.
>
> If a local profile is not found a RADIUS request will be made using
> the phone number as the name with a magic password. An attribute is
> passed to RADIUS with the request that is not passed with normal
> authentication requests. This stops joe user from trying to
> authenticate by guessing phone numbers.

------------------------------

Subject: 23. How can I debug a problem? What are all the debug commands?

To drop into debug monitor mode from the main console display, type
the following characters in quick succession (within one second):

        <Esc> [ <Esc> =
        (escape-key, left-bracket, escape-key, equals-sign)

You will be presented with a "> " prompt. In this mode, debugging
output is displayed by typing a command name (listed below). You can
toggle multiple commands for output about more than one process. When
you're done, make sure you turn off output, by entering the command
name(s) again. To quit debug mode, type "q".

[*Warning*: make sure you do not type "<Esc> [ <Esc> -" (escape,
left-bracket, escape, minus-sign) when trying to enter debug mode.
This sequence tells the unit to stop everything and start waiting for new
system code to be uploaded over the console port, via XModem. At the very
least, you will reset your unit by typing this, and at worst, you might
wipe flash memory of your existing code. Be careful!]

Jeff Smith provided the following list of debug commands, and I have
updated them with new commands in rev. 4.4B, using the same method (by
poring over the output of 'strings -a mp1t1.bin').

WARNING: USE AT YOUR OWN RISK. Neither Ascend, Jeff, myself nor anyone
else assume responsibility for any damage done to your hardware by
executing any of the following commands. Please be careful.

These commands were derived from the Max image. They may or may not be
applicable to other Ascend products.

AcctEvnt          Toggle acctevnt debug display (SNMP Accounting events?)
ansi              Send H channels ANSI style
assert            show and clear the last assert failure
BNCP              Toggle bncp debug output (BONDING?)
bridgeInfo        display bridge address buckets
briDisplay        Display the first n bytes of BRI messages
brouterDebug      Toggle brouter debug display
buster            Reset other vender's BONDING units
bypassUserif      Toggle mode to jump directly to termsrv
bypassUserif      Toggle mode to jump directly to termsrv
callback          Toggle callback debug output
callBlocks        show networki call blocks
callRequests      show networki call requests
callroute         Toggle callroute debug display
callself          Toggle call self test debug output
cbState           Toggle Combinet debug messages
clid              Fake clid detection
clockSource       show the current clock source
clrHistory        Clear history log
compress          Toggle compress debug display
core              Toggle core debug display
D                 Display Memory
debug             Display/alter memory/ports
dialEnabled       Toggle TS dial modem
DnsDebug          Toggle DNS Debug Messages
dnsDebug          Toggle DNS Debug Messages
dumpBytes         dumpbytes address length
dumpWord          Dump a single word of memory
dynamicToggle     Toggle DYNAMIC debug output
E                 Examine Memory
etherDisplay      Display the first n bytes of ETHER messages
EtherStats        Dump ethernet statistics
fatalHistory      List history log
fmark             Execute an fmark
frdlState         toggle frdlcall state display
frdump            dump Frame Relay if table
frMgrdump         dump Frame Relay Mgr table
frState           Toggle for Frame Relay if messages
hdlcdrv           Toggle hdlcdrv debug display
help              List all monitor commands
ipRoutes          Toggle IP route manager debug display
ipxConn           Display the IPX connection table
ipxSpoof          Toggle IPX spoofing debug display
lanval            Enable messages in lanval module
lcState           Toggle lancore state display
loopDisable       disable loop
loopEnable        enable loop
lpState           Toggle lanport state display
modemdrvState     Toggle modemdrv debug display
mpcmToggle        Toggle MPCM debug output
mppcm             Toggle MPPCM debug output
mppec             Toggle MPPEC debug output
mpToggle          Toggle MP debug output
netclock          Toggle netclock debug output
networki          Toggle networki debug display
nindy             Goto NINDY debugger
noansi            Don't send H channels ANSI style
noidle            Toggle sending of idle messages
nompp             Toggle nompp mode
NsLookup          Perform DNS Lookup
NVRAMClear        Clear system configuration memory
perf              Turn on poor man's performance monitor
pools             Display pool allocation data (buffers)
portInfo          Dump portMgr info for slot
pppfsm            Toggle pppfsm state change display
pppif             Toggle pppif debug display
quit              Exit from monitor to menus
radif             Enable Radius client debug messages
reservations      Show networki channel reservations
reset             Reset unit
restore           Restore configuration from tftp host [pre-4.4B versions]
revision          Set revision info
ripDebug          Toggle rip debug display
routmgr           Toggle routmgr debug display
save              Save configuration to tftp host [pre-4.4B versions]
session           Print session entry
setDslNT          Toggles PRI TE/NT emulation
showperf          Results performance monitor
showtrace         Display results of last trace
spyderDump        Dump spyder receive chains
spyderStats       Dump spyder counters
stackUsage        Display stack usage
tcpbind           Toggle tcpbind debug output
telnetDebug       Toggle telnet debug output
telnetDebug       Toggle telnet debug output
termSrv           Toggle TermSrv debug messages
termSrvConsole    Toggle console is remote mode
termSrvState      Toggle TermSrv debug messages
tloadcode         Load new software code using TFTP
trace             Turn on poor man's logic analyzer
trestore          Restore configuration from tftp host [4.4B and later]
tsave             Save configuration to tftp host [4.4B and later]
tsConsole         Treat console as remote unit (toggle)
tsdial            Toggle ts dial debug output
tsdriver          Toggle tsdriver debug output
tsDump            Dump Terminal server table entry
tserver           Dump Terminal server table entry
tssdrvState       Toggle tssdrv state display
tssmgrCrissCross  Criss-cross highways on slot
tssmgrDebug       Toggle tssmgr debug display
tstcp             Toggle tstcp debug output
twCounts          Display TCP vs WAN data counts
update            Enable feature
useEtherData      Toggle use of ether data card
wanDisplay        Display the first n bytes of WAN messages
wanNext           Display the first n bytes of the next WAN connection
wanToggle         Toggle WANDRV debug output
wdState           Toggle wandata state display

------------------------------

Subject: 24. What's RADIUS? How can I use it?

RADIUS (Remote Access DIalup User Service) is a protocol written by
Livingston and given away to the Internet community; Ascend has
implemented it based on the Livingston code, and supports it in the
Pipeline 400 and MAX units. To quote Livingston:

RADIUS is a protocol by which users (and in some cases systems) are
provided access to secure networks through a centrally managed server.
Authentication is provided for a variety of services (login, dialback,
SLIP, PPP, etc.). The communications channel between a RADIUS client and
server is UDP/IP, with messages acknowledged. The protocol is now being
entered into the IETF standards track (not as an internet standard, just
to document its existence).

The primary advantage in using RADIUS to authenticate incoming calls is
that all user information is maintained offline, on a separate UNIX-based
server.
This server can accept authentication requests from many machines, which
makes swapping out one dial-in network server for another much easier.

Virtually all information that could be maintained in a connection
profile can be served via RADIUS. Profile attributes are entered in a
flat ASCII database. Here's an example profile (my own, in fact, with
some items changed):

ddl-pl50        Password = "xxxxxxx"
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 10.10.10.1,
        Framed-Netmask = 255.255.255.0,
        Ascend-Data-Svc = Switched-64K,
        Ascend-Metric = 2,
        Ascend-Route-IP = Route-IP-Yes,
        Ascend-Link-Compression = Link-Comp-Stac,
        Ascend-Data-Filter = "ip in forward dstip 10.10.11.12/32",
        Ascend-Data-Filter = "ip in forward dstip 10.10.12.12/32",
        Ascend-Data-Filter = "ip in forward dstip 10.10.25.11/32",
        Ascend-Data-Filter = "ip in forward dstip 10.10.129.101/32",
        Ascend-Data-Filter = "ip in forward dstip 10.10.129.111/32",
        Ascend-Data-Filter = "ip in forward dstip 10.10.198.100/32",
        Ascend-Data-Filter = "ip in forward dstip 10.10.154.252/32",
        Ascend-Data-Filter = "ip in forward udp dstport = 53",
        Ascend-Data-Filter = "ip in forward tcp est",
        Ascend-Data-Filter = "ip in forward icmp",
        Ascend-Data-Filter = "ip out forward",
        Ascend-Idle-Limit = 240

Ascend provides a version of Livingston's radiusd source code (v.1.13)
with a few modifications. This is available at

The UNIX daemon source code is radius.tar.Z (a ZIP'd version of the same
files is radius.zip). A sample user database file is included.

Radius can be run in debug mode ('radius -x'). This provides a wealth of
useful information about incoming calls, most helpful when resolving a
problem.

------------------------------

Subject: 25. How can I make an outbound call with a RADIUS profile?

This is documented by Ascend in their manual set and in the same RADIUS
user database. One caveat is that I've not been able to dial out to a
bridged remote user, only to routed users.
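As an added example (not part of the original FAQ, and not Ascend's or Livingston's code), the Python below reads a users file in the flat layout of the sample profile under question 24, flags profiles whose Ascend-Data-Filter list is missing or wide open, and reports which rule would forward a given packet. The filter grammar is inferred only from the keywords in that sample profile; the function names and the second and third sample users are assumptions.

```python
import ipaddress
import re

# Constructed sample in the flat users-file layout of the FAQ's profile: a
# user line with the check items, then indented reply items. The second and
# third users, and every value, are made up for this demonstration.
SAMPLE_USERS = """\
ddl-pl50\tPassword = "xxxxxxx"
\tUser-Service = Framed-User,
\tAscend-Data-Filter = "ip in forward dstip 10.10.11.12/32",
\tAscend-Data-Filter = "ip in forward udp dstport = 53",
\tAscend-Data-Filter = "ip in forward tcp est",
\tAscend-Data-Filter = "ip in forward icmp",
\tAscend-Data-Filter = "ip out forward",
\tAscend-Idle-Limit = 240

guest-pl50\tPassword = "yyyyyyy"
\tUser-Service = Framed-User,
\tAscend-Data-Filter = "ip in forward",
\tAscend-Data-Filter = "ip in forward tcp dstport > 1023"

dialin3\tPassword = "zzzzzzz"
\tUser-Service = Framed-User
"""

PAIR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Return {user: [(attribute, value), ...]}, keeping repeated attributes."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                  # unindented: a new profile
            name, raw = (raw.split(None, 1) + [""])[:2]
            current = users.setdefault(name, [])
        if current is not None:
            current += [(k, v.strip('"')) for k, v in PAIR.findall(raw)]
    return users


def parse_filter(rule):
    """Parse one filter string; ValueError means 'review it by hand'."""
    # Only the keywords seen in the FAQ's sample profile are understood.
    tok = rule.split()
    if tok[:1] != ["ip"] or tok[1:2] not in (["in"], ["out"]) or tok[2:3] != ["forward"]:
        raise ValueError(rule)
    f = {"dir": tok[1], "dstip": None, "proto": None, "dstport": None, "est": False}
    i = 3
    while i < len(tok):
        if tok[i] == "dstip" and i + 1 < len(tok):
            f["dstip"] = ipaddress.ip_network(tok[i + 1], strict=False)
            i += 2
        elif tok[i] in ("tcp", "udp", "icmp"):
            f["proto"] = tok[i]
            i += 1
        elif tok[i] == "dstport" and tok[i + 1:i + 2] == ["="] and i + 2 < len(tok):
            f["dstport"] = int(tok[i + 2])
            i += 3
        elif tok[i] == "est":
            f["est"] = True
            i += 1
        else:
            raise ValueError(rule)
    return f


def first_match(filters, direction, dst, proto, dport=None, established=False):
    """Return the first rule that forwards this packet, or None if none does."""
    addr = ipaddress.ip_address(dst)
    for f in filters:
        if (f["dir"] == direction
                and (f["dstip"] is None or addr in f["dstip"])
                and (f["proto"] is None or f["proto"] == proto)
                and (f["dstport"] is None or f["dstport"] == dport)
                and (established or not f["est"])):
            return f
    return None


def audit(users):
    """Return {user: [finding, ...]}; an empty list means nothing was flagged."""
    report = {}
    for user, attrs in users.items():
        findings = []
        rules = [v for k, v in attrs if k == "Ascend-Data-Filter"]
        if not rules:
            findings.append("no Ascend-Data-Filter in profile")
        for rule in rules:
            try:
                f = parse_filter(rule)
            except ValueError:
                findings.append("unparsed filter, review by hand: " + rule)
                continue
            unrestricted = all(f[k] is None for k in ("dstip", "proto", "dstport"))
            if f["dir"] == "in" and unrestricted and not f["est"]:
                findings.append("inbound rule matches every packet: " + rule)
        report[user] = findings
    return report
```

A None from first_match only means that no rule in the profile matched; what the unit does with such a packet is not stated in this FAQ, so check Ascend's filter documentation before relying on it.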
This is because the outbound profile is linked directly to a static route
entry. The method is pretty kludgy, and I hope a more graceful method is
implemented someday.

Another problem I've run into recently, with 4.4Ap12 and 4.4B software,
is that the first outbound call using a RADIUS profile is successful, but
subsequent calls fail. The routing tables appear to be all right, but
queries to the RADIUS server appear corrupted. I'm waiting for a response
from Ascend. -ddl

------------------------------

Subject: 26. How can analog dial-in users modify their own RADIUS
             passwords?

Okay, not really a FAQ, but I want to know. :) Ascend has taken this as a
feature request.

I've kludged this for the time being by setting up a dummy account on the
UNIX radius server, where the shell is a simple script which prompts for
a RADIUS userid and allows a change of password. Ugly, but it's all I've
got. -ddl

------------------------------

Subject: 27. I sometimes get "LAN security error" violations, but I know
             my PAP|CHAP username/password combinations are correct. Why?

Marco Hyman (marc@dumbcat.sf.ca.us) writes:

> A "LAN Security error" is what you get when someone calls into a
> unit and tries to use the same IP address as a currently active user.
> It typically is a transient problem caused by call collision. Imagine
> P50A calls P50B at the same time that P50B calls P50A. The two ends
> use PPP and exchange IP addresses. P50A sees that the IP address
> received from P50B as part of the *incoming* call negotiation is
> in use (for *outgoing* call negotiation). A LAN security error is
> logged.

I'd add that a good way to debug PPP problems is to drop into debug
monitor mode (see above) and run the debug commands "pppif" (and perhaps
"pppfsm"). You should see PPP negotiation status the next time your unit
makes or receives a call.

------------------------------

Subject: 28. Why do I see lots of CRC errors? Why is my line so slow?
Dan Newman brought up this topic, and suggests one path to follow:

> "Make sure that the phone company uses gas or solid state lightning
> arrestors and not carbon arrestors on your circuit". This is a problem
> which I see all too often: installers use a carbon arrestor either by
> accident, because it's all they had at hand, or because that's what was
> already on the pair assigned to the circuit. Carbon arrestors introduce
> too much noise and should not be used on data circuits of any kind.
> On one ISDN line I had with carbon arrestors installed at both the CO
> and POP, I saw anywhere from 5 to 80 CRC errors per B channel per minute.
> Sync was frequently lost. Once the carbon arrestors were replaced with
> gas arrestors, the error rate went down to 2 - 4 CRC errors per B channel
> per day. As the CRC error rate increases, the performance of any
> protocol will begin to decline. This is particularly a problem with
> protocols that do not handle packet loss well. For instance, at error
> rates of 15+ CRC errors per minute (per B channel), I saw a significant
> loss of performance with AppleTalk.

------------------------------

Subject: 29. Can I use an Ascend router/bridge to hook up to the Internet?

Sure, as long as your Internet Service Provider supports ISDN calls, and
Ascend equipment. I'm collecting a list of those that do; here are a few,
organized alphabetically by country, then state:

  Beckemeyer Development; Oakland, California USA
    (info from Christopher Seiwald)

  Brainstorm Products; Mountain View, California USA
    (info from David Zampino)

  CerfNet; San Diego, California USA
    (info from Hugh Tebault)

  Internex; San Francisco Bay area, California, USA
    (info from Hugh Tebault)

  The Internet MainStreet; Los Altos, California USA
    (info from Don Jackson)

  InterServe; Palo Alto, California USA
    (info from Mark H. Zellers)

  Multiverse; Cleveland, Ohio USA
    (info from Rob Logan)

  APKnet; Cleveland, Ohio USA
    (info from Zbigniew J. Tyrlik)

  The Black Box; Houston area, Texas USA, 713-480-2684 (voice)
    (info from Marc Newman)

  NeoSoft; Houston area, Texas USA, 713-870-1334 (voice)
    (info from Randy Kunkee)

  PSI Interramp; USA (nationwide)

  UUNet; USA (nationwide)

ISP policies differ on configuration: some prefer to route, some bridge;
some allow two B channels (most don't), some enable compression. Many
package Ascend units in with the cost of the service.

[NOTE: The above should not be construed as endorsements for the service
providers listed. The number of ISPs offering ISDN is still very small,
so I feel it's a useful resource. As it becomes more common, this section
won't be as necessary. -ddl]

------------------------------

Subject: 30. How does Ascend support Frame Relay?

[Ascend is selling frame-relay software support on their MAX and Pipeline
400 products; there is also a frame-relay model of the Pipeline 50, the
EtherFrame (with DSU). I have no experience with them, so please send in
an update for this FAQ if you have any tips or opinions on Ascend FR!
-ddl]

------------------------------

Subject: 31. What's a digital modem board, and how does it work?

Digital modem boards are available for the Pipeline 400 and MAX; the MAX
supports both v.34 (28.8Kbps) and v.32bis (14.4Kbps), while the P400 can
only use the latter. Each board has eight modems, and they are
essentially "real modems", taking the digital signal and shunting it
through a little D/A-converter and back again, simulating the local loop
you would have to your phone company if you were running analog modems.

Digital modems can be used to answer calls only, not make them (as far as
I know).

A note on the P-400 support for digital modems, from Marc Newman:

> 400T's can have 8 modems, 400B's can have only 4. On the 400B you
> cannot use 1 B channel for ISDN and the other for a modem call. The
> modem call seems to block both channels.

------------------------------

Subject: 32. SNMP

The overview in this section was written and generously provided by Dave
Steele. It was based on experience with the Pipeline 50. All thanks go to
him!

The Simple Network Management Protocol (SNMP) provides a standard means
for computers to share networking information. There are two types of
communicators in SNMP, 'agents' and 'managers'. Ascend products implement
snmp 'agents' which provide networking information to 'manager'
applications running on other computers. The 'manager' may be running on
just about any kind of computer, and can range from a simple command-line
utility to an automated GUI application.

The agents and managers agree beforehand on the layout of the database of
the information to be shared. This layout is called the Management
Information Base, or MIB. The MIB is structured as a tree - all SNMP
variables are represented as branches from a single node. There are also
special messages, called traps, that agents can use to send unsolicited
information to the manager.

Security is implemented through a sniffable password, called the
'community name', that is sent with each request. Two community names are
supported, one with read access, and the other with read/write access to
the MIB.

The SNMP FAQ gives a quick overview of the protocol, and provides
pointers to various manager applications. It can be found at

  http://www.cis.ohio-state.edu/hypertext/faq/usenet/snmp-faq/faq.html
  ftp://rtfm.mit.edu/pub/usenet-by-hierarchy/comp/protocols/snmp/comp.protocols.snmp_%5BSNMP%5D_Frequently_Asked_Questions_%28FAQ%29

and the usual other places.

The Ascend ftp site has a number of documents relating to SNMP. The
first,

  ftp://ftp.ascend.com/pub/Mib/ascend.mib

and

  ftp://ftp.ascend.com/pub/Mib/ascend.trp

contain the definition of the ascend-specific MIB in a database language
syntax (i.e. it's hard to read). Depending on the manager application,
you can compile these files to a format that allows the manager to
understand the ascend database format.
Another file,

  ftp://ftp.ascend.com/pub/Doc/SNMP/SNMP.ps

or

  ftp://ftp.ascend.com/pub/Doc/SNMP/SNMP.pdf

is a PostScript/Adobe Acrobat file that describes the MIBs supported by
Ascend products. This includes RFC-standard MIBs for accessing TCP/IP,
DS1, RS232, and Frame Relay information, as well as an Ascend-specific
MIB.

The standard MIBs contain a lot of useful information. For instance, the
TCP/IP MIB (RFC1213) contains a table (ifTable) with data for the Ascend
interfaces. For every port, it lists whether or not the port is active,
the maximum data rate, how many bytes have entered/exited the port, and
other information.

The Ascend MIB offers other goodies. The doGroup table has the same
functionality as the 'do' command in the telnet interface. You can use
this to dial or hang up interfaces, and to add/delete bonded calls. The
hostStatus table has more detail than the ifTable on the status of the
ports.

One thing to be aware of - not all Ascend products support the entire
Ascend MIB. In particular, the Pipeline 50 does not support the doGroup
and hostStatus tables. Following is a table of implemented ascend MIB
groups on the P50, based on a 'walk' through the MIB tree.

  Group           MIB          Pipeline 50
  ---------------------------------------
  products        ascend.1     No
  slots           ascend.2     Yes
  hostTypes       ascend.3     No
  wanTypes        ascend.4     No
  lanTypes        ascend.5     No
  doGroup         ascend.6     No
  hostStatus      ascend.7     No
  console         ascend.8     Yes
  systemStatus    ascend.9     No
  ascendEvent     ascend.10    No
  callStatus      ascend.11    No
  sessionStatus   ascend.12    No

There are two menus for configuring SNMP in the Ascend menu interface.
SNMP traps are defined under Ethernet->SNMP Traps. The SNMP community
names are defined under Ethernet->Mod Config->SNMP Options. Be sure to
change the 'R/W Comm' value from its default (you will need higher
privileges to do this).

[end overview by Dave Steele]

------------------------------

Subject: 33. How can I upgrade system code or configurations remotely?
Ascend provides a standard way of upgrading the system software using the
console port. Documentation is available via ftp at:

  ftp://ftp.ascend.com/pub/Doc/

There are different files for the Max, Pipeline, MultiBand and MB+.

As of software rev 4.4B, certain units can also be upgraded using TFTP.
Currently, only the Max 4000/HP and "revB" Pipeline 50 units (see
question #3) can use this method. Marco Hyman explained:

> Jacques Vidrine writes:
> > Why is this not available for the Pipeline MAX??
>
> Good question. The Max and the Pipeline 400s and the older P50
> execute out of flash. I can't erase and put new code into flash
> while the system is running on these units. The code loader exists
> in the (very small) boot rom which knows nothing about the lan or wan
> or tftp, etc.
>
> The Max-4000 (nee Max-HP) and the new P50s run out of DRAM so we
> can download code to flash while the unit is running. The new code
> is used at next power cycle.

The process to upgrade via TFTP is as follows:

  1. Drop into debug monitor mode (described in question #23);
  2. Run the command:

         tloadcode

     where is the name or IP address of your TFTP server, and is a
     (world-readable) Ascend code release on the server.

Example:

     > tloadcode tftp-server mhpt1.bin

will load a new Max 4000/HP version into flash from the machine
"tftp-server". The current configuration is also saved to flash before
new code is received, as a precaution. Upon the next reset, the new code
will be run out of DRAM. If necessary, the saved configuration will be
loaded and a second reset performed automatically.

33a. How do I save/restore configurations over the network?

All Ascend units permit saving and restoring configs via TFTP. To save a
config, perform the following steps:

  1. Drop into debug monitor mode (described in question #23);
  2. Under software rev 4.4B and later, run the command:

         tsave

     (Under previous revisions, the command was "save".)
     Where is your remote TFTP server, and is an *existing*
     world-writable file on the server (whatever this file contains will
     be overwritten).

To restore a config, perform the following steps:

  1. Drop into debug monitor mode (described in question #23);
  2. Under software rev 4.4B and later, run the command:

         trestore

     (Under previous revisions, the command was "restore".)

     Where is your remote TFTP server, and is an existing world-readable
     config file on the server.

Note that any configurations saved using TFTP will contain *all*
passwords associated with the unit, in clear text. Special care should be
taken with these files (to say that TFTP was not designed for security
would be a major understatement).

------------------------------

Subject: 34. What do I do if my new software upload gets screwed up?

Sometimes the documented method of upgrading software on an Ascend unit
(Xmodem upload over the console port) can get hosed up, either by a power
loss, user error, bad cable, crappy workstation communications, or other
acts of god and building maintenance. For those occasions, we have some
advice from an undisclosed source inside Ascend:

> Usually, when you load a bad binary into a Pipeline, it will
> recover by booting into the downloader, which displays "CKCK" on
> the console port. Occasionally, however, that doesn't happen.
> To resuscitate a Pipeline that has been loaded with the wrong code
> and can't recover, you'll need to short a jumper that causes the
> box to power up into the boot rom debug monitor, type the 'DF'
> command, then download good code through the console port.
>
>   Platform         location   (console speed)
>
>   SOS BRI          P20        (38400)
>   SOS T1           P8         (38400)
>   MAX-HP           P3         (57600)
>   P50-4WS56        C43        (57600)
>   P50-BRI (revB)   P9         (57600)
>
> Platform-specific notes:
>
> PIPE50
>
> On the original Pipe 50, there are no jumpers.
>
> MAX
>
> On the MAX E1 and T1, the Boot ROM doesn't talk to the console port.
> If your Max requires resuscitation like this, you'll need to contact
> Ascend Customer Service.

------------------------------

Subject: 35. Some info on software release 4.4B

The latest major software update (rev 4.4B) was released in early June,
1995. Here's what Marco Hyman posted about it to the Ascend User's list:

> What not to forget
> ------------------
> * Grab the Ascend MIB if you've got a Max/Max-4000/P400
>   and you're interested in the accounting/event log.
> * Grab the new radius
>   (radius-950529.tar.Z in pub/Radius/Radius-4.4B)
>   if you use RADIUS. It is based upon version 1.16
>   of the reference implementation and contains the latest
>   dictionary and a sample users file.
>
> What's new and undocumented
> ---------------------------
> * The magic key sequence ESC [ ESC 0 (that's zero, not oh)
>   will take you directly to the terminal server if you have
>   System or Field Service privs.
>
> What's new in debug mode
> ------------------------
> * new command, wannext. Like wandisplay, but only dumps
>   packets belonging to the next call. Nice way to see what
>   kind of problems a particular caller is having on a loaded
>   unit. Debug output terminates with the call unless
>   terminated manually.
> * save is now named tsave
> * restore is now named trestore
> * new command, tloadcode exists ONLY FOR THE FOLLOWING UNITS:
>     - Max-4000 (nee Max-HP)
>     - P50 BRI units with the switch on the back
>
>   The command:
>     1) writes the current configuration to flash
>     2) loads the named file from a tftp server into flash
>
>   The next reset will cause the new code to be loaded.
>   If necessary, the saved configuration will be loaded
>   and a second reset performed automatically.
>
>   There was lots of noise about a feature like this just
>   a week or so ago. We do listen.
>
>
> What's been fixed since 4.4/4.4A (at least the ones I remember)
> ---------------------------------------------------------------
> * Max (and P400) crashes, especially after using terminal server
> * Calls left in dialing state
> * lost default route
> * voice calls not handled in Australia
> * PPP ML protocol interop problems
> * failure to get terminal server prompt
> * security profile not refreshed after update
> * Support for > 26 nailed groups.
> * PAP authentication problem
> * CHAP and Windows/NT authentication problem
> * ARP/RARP/IP Bcast incorrectly bridged over routed links
> * Max download failure causes brain death
> * IP fragmentation problems (didn't send ICMP can't frag)
> * Nethopper interop problem
> * MIF avail under default security
> * Radius outdial didn't take call-by-call value
> * P50 and leased lines
> * protocol reject now terminates NCP
> * RADIUS NAS-Port now always correct in logout
> * Misc SNMP glitches fixed
> * tcp/telnet termsrv flow control problems fixed
> * Ignore delayed PPP responses as we should
> * Better processing of out of sequence TCP segments
>   (terminal server)
>
>
> What's new with V.34 modems
> ---------------------------
>
> * Several people have reported problems with the V.34 modems,
>   specifically when using USR modems. See earlier messages
>   posted to the list regarding USR firmware upgrades. 4.4B
>   contains modem firmware that is most likely to interoperate
>   with other modems. However, there is nothing we can do when
>   the remote end constantly requests retrains and/or goes into
>   the spiraling death syndrome.
>
>
> What's New
> ----------
> Get the release notes for the full listing with full details.
> * frame relay mib
> * ascend accounting mib (get ascend.mib)
> * TCP-CLEAR profile type
> * Option to accept default route from RIP
> * Option to accept ICMP redirects
> * Option to use split horizon vs poison reverse with RIP
> * address pools from radius
> * better error notification on TCP/TELNET failures
> * CLID support
> * "Either" is an answer profile option in addition to PAP and CHAP.
> * EUNET (EU-UI and EU-RAW) encapsulation protocols
> * Improved serial wan support for the Max-4000 (nee Max-HP)

------------------------------

Subject: Cause codes [Q931]
From: Loren Wilson, Tarl Neustaedter, Derek Lichter, Ascend Tech Support

  Code   Cause

    0    Valid cause code not yet received
    1    Unallocated (unassigned) number
    2    No route to specified transit network (WAN)
    3    No route to destination
    4    send special information tone
    5    misdialled trunk prefix.
    6    Channel unacceptable
    7    Call awarded and being delivered in an established channel
    8    Prefix 0 dialed but not allowed
    9    Prefix 1 dialed but not allowed
   10    Prefix 1 dialed but not required
   11    More digits received than allowed, call is proceeding
   16    Normal call clearing
   17    User busy
   18    No user responding
   19    no answer from user
   21    Call rejected
   22    Number changed
   23    Reverse charging rejected
   24    Call suspended
   25    Call resumed
   26    Non-selected user clearing
   27    Destination out of order
   28    Invalid number format (incomplete number)
   29    Facility rejected
   30    Response to STATUS ENQUIRY
   31    Normal, unspecified
   33    Circuit out of order
   34    No circuit/channel available
   35    Destination unattainable
   37    Degraded service
   38    Network (WAN) out of order
   39    Transit delay range cannot be achieved
   40    Throughput range cannot be achieved
   41    Temporary failure
   42    Switching equipment congestion
   43    Access information discarded
   44    Requested circuit channel not available
   45    Pre-empted
   46    Precedence call blocked
   47    Resource unavailable - unspecified
   49    Quality of service unavailable
   50    Requested facility not subscribed
   51    Reverse charging not allowed
   52    Outgoing calls barred
   53    Outgoing calls barred within CUG
   54    Incoming calls barred
   55    Incoming calls barred within CUG
   56    Call waiting not subscribed
   57    Bearer capability not authorized
   58    Bearer capability not presently available
   63    Service or option not available, unspecified
   65    Bearer service not implemented
   66    Channel type not implemented
   67    Transit network selection not implemented
   68    Message not implemented
   69    Requested facility not implemented
   70    Only restricted digital information bearer capability is
         available
   79    Service or option not implemented, unspecified
   81    Invalid call reference value
   82    Identified channel does not exist
   83    A suspended call exists, but this call identity does not
   84    Call identity in use
   85    No call suspended
   86    Call having the requested call identity has been cleared
   87    Called user not member of CUG
   88    Incompatible destination
   89    Non-existent abbreviated address entry
   90    Destination address missing, and direct call not subscribed
   91    Invalid transit network selection (national use)
   92    Invalid facility parameter
   93    Mandatory information element is missing
   95    Invalid message, unspecified
   96    Mandatory information element is missing
   97    Message type non-existent or not implemented
   98    Message not compatible with call state or message type
         non-existent or not implemented
   99    information element nonexistent or not implemented
  100    Invalid information element contents
  101    Message not compatible with call state
  102    Recovery on timer expiry
  103    parameter non-existent or not implemented - passed on
  111    Protocol error unspecified
  127    Internetworking, unspecified

------------------------------

Subject: Helpful information for building filters

This section contains IP and ethernet protocol information which should
be helpful when building filters, or when analyzing network traces.

Most of the following information was provided by John Dwyer.
He also notes that the definitive reference on assigned numbers is available via ftp at: ftp://nic.ddn.mil/rfc/RFC1700.TXT and contains a plethora of material, including vendor addresses, multicast and broadcast ranges, etc. Tables included below: * Well-known IP port number assignments * Internet Protocol numbers * Hexadecimal number table * Ethernet frame breakdown * Common Ethernet protocol types Well known IP (TCP & UDP) Port numbers: --------------------------------------- Decimal Description ------- ----------- 0 Reserved 1 TCP Port Service Multiplexer 2 Management Utility 3 Compression Process 4 Unassigned 5 Remote Job Entry 6 Unassigned 7 Echo 8 Unassigned 9 Discard 10 Unassigned 11 Active Users 12 Unassigned 13 Daytime 14 Unassigned 15 Unassigned 16 Unassigned 17 Quote of the Day 18 Message Send Protocol 19 Character Generator 20 File Transfer [Default Data] 21 File Transfer [Control] 22 Unassigned 23 Telnet 24 any private mail system 25 Simple Mail Transfer 26 Unassigned 27 NSW User System FE 28 Unassigned 29 MSG ICP 30 Unassigned 31 MSG Authentication 32 Unassigned 33 Display Support Protocol 34 Unassigned 35 any private printer server 36 Unassigned 37 Time 38 Route Access Protocol 39 Resource Location Protocol 40 Unassigned 41 Graphics 42 Host Name Server 43 Who Is 44 MPM FLAGS Protocol 45 Message Processing Module [recv] 46 MPM [default send] 47 NI FTP 48 Digital Audit Daemon 49 Login Host Protocol 50 Remote Mail Checking Protocol 51 IMP Logical Address Maintenance 52 XNS Time Protocol 53 Domain Name Server 54 XNS Clearinghouse 55 ISI Graphics Language 56 XNS Authentication 57 any private terminal access 58 XNS Mail 59 any private file service 60 Unassigned 61 NI MAIL 62 ACA Services 63 Unassigned 64 Communications Integrator (CI) 65 TACACS-Database Service 66 Oracle SQL*NET 67 Bootstrap Protocol Server 68 Bootstrap Protocol Client 69 Trivial File Transfer 70 Gopher 71 Remote Job Service 72 Remote Job Service 73 Remote Job Service 74 Remote Job Service 
75        any private dial out service
76        Distributed External Object Store
77        any private RJE service
78        vettcp
79        Finger
80        World Wide Web HTTP
81        HOSTS2 Name Server
82        XFER Utility
83        MIT ML Device
84        Common Trace Facility
85        MIT ML Device
86        Micro Focus Cobol
87        any private terminal link
88        Kerberos
89        SU/MIT Telnet Gateway
90        DNSIX Security Attribute Token Map
91        MIT Dover Spooler
92        Network Printing Protocol
93        Device Control Protocol
94        Tivoli Object Dispatcher
95        SUPDUP
96        DIXIE Protocol Specification
97        Swift Remote Virtual File Protocol
98        TAC News
99        Metagram Relay
100       [unauthorized use]
101       NIC Host Name Server
102       ISO-TSAP
103       Genesis Point-to-Point Trans Net
104       ACR-NEMA Digital Imag. & Comm. 300
105       Mailbox Name Nameserver
106       3COM-TSMUX
107       Remote Telnet Service
108       SNA Gateway Access Server
109       Post Office Protocol - Version 2
110       Post Office Protocol - Version 3
111       SUN Remote Procedure Call
112       McIDAS Data Transmission Protocol
113       Authentication Service
114       Audio News Multicast
115       Simple File Transfer Protocol
116       ANSA REX Notify
117       UUCP Path Service
118       SQL Services
119       Network News Transfer Protocol
120       CFDPTKT
121       Encore Expedited Remote Pro.Call
122       SMAKYNET
123       Network Time Protocol
124       ANSA REX Trader
125       Locus PC-Interface Net Map Ser
126       Unisys Unitary Login
127       Locus PC-Interface Conn Server
128       GSS X License Verification
129       Password Generator Protocol
130       cisco FNATIVE
131       cisco TNATIVE
132       cisco SYSMAINT
133       Statistics Service
134       INGRES-NET Service
135       Location Service
136       PROFILE Naming System
137       NETBIOS Name Service
138       NETBIOS Datagram Service
139       NETBIOS Session Service
140       EMFIS Data Service
141       EMFIS Control Service
142       Britton-Lee IDM
143       Interim Mail Access Protocol v2
144       NewS
145       UAAC Protocol
146       ISO-IP0
147       ISO-IP
148       CRONUS-SUPPORT
149       AED 512 Emulation Service
150       SQL-NET
151       HEMS
152       Background File Transfer Program
153       SGMP
154       NETSC
155       NETSC
156       SQL Service
157       KNET/VM Command/Message Protocol
158       PCMail Server
159       NSS-Routing
160       SGMP-TRAPS
161       SNMP
162       SNMPTRAP
163       CMIP/TCP Manager
164       CMIP/TCP Agent
165       Xerox
166       Sirius Systems
167       NAMP
168       RSVD
169       SEND
170       Network PostScript
171       Network Innovations Multiplex
172       Network Innovations CL/1
173       Xyplex
174       MAILQ
175       VMNET
176       GENRAD-MUX
177       X Display Manager Control Protocol
178       NextStep Window Server
179       Border Gateway Protocol
180       Intergraph
181       Unify
182       Unisys Audit SITP
183       OCBinder
184       OCServer
185       Remote-KIS
186       KIS Protocol
187       Application Communication Interface
188       Plus Five's MUMPS
189       Queued File Transport
190       Gateway Access Control Protocol
191       Prospero Directory Service
192       OSU Network Monitoring System
193       Spider Remote Monitoring Protocol
194       Internet Relay Chat Protocol
195       DNSIX Network Level Module Audit
196       DNSIX Session Mgt Module Audit Redir
197       Directory Location Service
198       Directory Location Service Monitor
199       SMUX
200       IBM System Resource Controller
201       AppleTalk Routing Maintenance
202       AppleTalk Name Binding
203       AppleTalk Unused
204       AppleTalk Echo
205       AppleTalk Unused
206       AppleTalk Zone Information
207       AppleTalk Unused
208       AppleTalk Unused
209       Trivial Authenticated Mail Protocol
210       ANSI Z39.50
211       Texas Instruments 914C/G Terminal
212       ATEXSSTR
213       IPX
214       VM PWSCS
215       Insignia Solutions
216       Access Technology License Server
217       dBASE Unix
218       Netix Message Posting Protocol
219       Unisys ARPs
220       Interactive Mail Access Protocol v3
221       Berkeley rlogind with SPX auth
222       Berkeley rshd with SPX auth
223       Certificate Distribution Center
242       Unassigned
243       Survey Measurement
244       Unassigned
245       LINK
246       Display Systems Protocol
247       Reserved
344       Prospero Data Access Protocol
345       Perf Analysis Workbench
346       Zebra server
347       Fatmen Server
348       Cabletron Management Protocol
349-370   Unassigned
371       Clearcase
372       Unix Listserv
373       Legent Corporation
374       Legent Corporation
375       Hassle
376       Amiga Envoy Network Inquiry Proto
377       NEC Corporation
378       NEC Corporation
379       TIA/EIA/IS-99 modem client
380       TIA/EIA/IS-99 modem server
381       hp performance data collector
382       hp performance data managed node
383       hp performance data alarm manager
384       A Remote Network Server System
385       IBM Application
386       ASA Message Router Object Def.
387       Appletalk Update-Based Routing Pro.
388       Unidata LDM Version 4
389       Lightweight Directory Access Protocol
390       UIS
391       SynOptics SNMP Relay Port
392       SynOptics Port Broker Port
393       Data Interpretation System
394       EMBL Nucleic Data Transfer
395       NETscout Control Protocol
396       Novell Netware over IP
397       Multi Protocol Trans. Net.
398       Kryptolan
399       Unassigned
400       Workstation Solutions
401       Uninterruptible Power Supply
402       Genie Protocol
403       decap
404       nced
405       ncld
406       Interactive Mail Support Protocol
407       Timbuktu
408       Prospero Resource Manager Sys. Man.
409       Prospero Resource Manager Node Man.
410       DECLadebug Remote Debug Protocol
411       Remote MT Protocol
412       Trap Convention Port
413       SMSP
414       InfoSeek
415       BNet
416       Silverplatter
417       Onmux
418       Hyper-G
419       Ariel
420       SMPTE
421       Ariel
422       Ariel
423       IBM Operations Planning and Control Start
424       IBM Operations Planning and Control Track
425       ICAD
426       smartsdp
427       Server Location
428       OCS_CMU
429       OCS_AMU
430       UTMPSD
431       UTMPCD
432       IASD
433       NNSP
434       MobileIP-Agent
435       MobilIP-MN
436       DNA-CML
437       comscm
438       dsfgw
439       dasp tommy@inlab.m.eunet.de
440       sgcp
441       decvms-sysmgt
442       cvc_hostd
443       https MCom
444       Simple Network Paging Protocol
445       Microsoft-DS
446       DDM-RDB
447       DDM-RFM
448       DDM-BYTE
449       AS Server Mapper
450       TServer
451-511   Unassigned
512/tcp   remote process execution; authentication performed using
          passwords and UNIX login names
512/udp   used by mail system to notify users of new mail received;
          currently receives messages only from processes on the
          same machine
513/tcp   remote login a la telnet; automatic authentication performed
          based on privileged port numbers and distributed data bases
          which identify "authentication domains"
513/udp   maintains data bases showing who's logged in to machines on
          a local net and the load average of the machine
514/tcp   like exec, but automatic authentication is performed as for
          login server
514/udp
515/tcp   spooler
515/udp   spooler
516/tcp   Unassigned
516/udp   Unassigned
517/tcp   like tenex link, but across machine - unfortunately, doesn't
          use link protocol (this is actually just a rendezvous port
          from which a tcp connection is established)
517/udp   like tenex link, but across machine - unfortunately, doesn't
          use link protocol (this is actually just a rendezvous port
          from which a tcp connection is established)
518/tcp
518/udp
519/tcp   unixtime
519/udp   unixtime
520/tcp   extended file name server
520/udp   local routing process (on site); uses variant of Xerox NS
          routing information protocol
521-524   Unassigned
525       timeserver
526       newdate
527-529   Unassigned
530       rpc
531       chat
532       readnews
533       for emergency broadcasts
534-538   Unassigned
539       Apertus Technologies Load Determination
540       uucpd
541       uucp-rlogin sl@wimsey.com
542       Unassigned
543
544       krcmd
550       new-who
550       new-who
551-555   Unassigned
556       rfs server
557-559   Unassigned
560       rmonitord
561
562       chcmd
563       Unassigned
564       plan 9 file service
565       whoami
566-569   Unassigned
570       demon
571       udemon
572-599   Unassigned
600       Sun IPC server
607       nqs
606       Cray Unified Resource Manager
608       Sender-Initiated/Unsolicited File Transfer
609       npmp-trap
610       npmp-local
611       npmp-gui
634       ginad
666
666       doom Id Software
704       errlog copy/server daemon
709       EntrustManager
729       IBM NetView DM/6000 Server/Client
730       IBM NetView DM/6000 send/tcp
731       IBM NetView DM/6000 receive/tcp
741       netGW
742       Network based Rev. Cont. Sys.
744       Flexible License Manager
747       Fujitsu Device Control
748       Russell Info Sci Calendar Manager
749       kerberos administration
750
751
752
753
754       send
758
759
760
761
762
763
764
765
767       phone
766
769
770
771
772
773
774
775
776
780
786       Concert
800
801
996       Central Point Software
997
998
999
999       Applix ac
1000
1023      Reserved
1024      Reserved

=====================================================================

Assigned Internet Protocol Numbers:
-----------------------------------

Decimal   Keyword       Protocol
-------   -------       --------
0                       Reserved (internet pseudo-protocol number)
1         ICMP          Internet Control Message
2         IGMP          Internet Group Management
3         GGP           Gateway-to-Gateway
4         IP            IP in IP (encapsulation)
5         ST            Stream
6         TCP           Transmission Control
7         UCL           UCL
8         EGP           Exterior Gateway Protocol
9         IGP           any private interior gateway
10        BBN-RCC-MON   BBN RCC Monitoring
11        NVP-II        Network Voice Protocol
12        PUP           PUP
13        ARGUS         ARGUS
14        EMCON         EMCON
15        XNET          Cross Net Debugger
16        CHAOS         Chaos
17        UDP           User Datagram
18        MUX           Multiplexing
19        DCN-MEAS      DCN Measurement Subsystems
20        HMP           Host Monitoring
21        PRM           Packet Radio Measurement
22        XNS-IDP       XEROX NS IDP
23        TRUNK-1       Trunk-1
24        TRUNK-2       Trunk-2
25        LEAF-1        Leaf-1
26        LEAF-2        Leaf-2
27        RDP           Reliable Data Protocol
28        IRTP          Internet Reliable Transaction
29        ISO-TP4       ISO Transport Protocol Class 4
30        NETBLT        Bulk Data Transfer Protocol
31        MFE-NSP       MFE Network Services Protocol
32        MERIT-INP     MERIT Internodal Protocol
33        SEP           Sequential Exchange Protocol
34        3PC           Third Party Connect Protocol
35        IDPR          Inter-Domain Policy Routing Protocol
36        XTP           XTP
37        DDP           Datagram Delivery Protocol
38        IDPR-CMTP     IDPR Control Message Transport Proto
39        TP++          TP++ Transport Protocol
40        IL            IL Transport Protocol
41        SIP           Simple Internet Protocol
42        SDRP          Source Demand Routing Protocol
43        SIP-SR        SIP Source Route
44        SIP-FRAG      SIP Fragment
45        IDRP          Inter-Domain Routing Protocol
46        RSVP          Reservation Protocol
47        GRE           General Routing Encapsulation
48        MHRP          Mobile Host Routing Protocol
49        BNA           BNA
50        SIPP-ESP      SIPP Encap Security Payload
51        SIPP-AH       SIPP Authentication Header
52        I-NLSP        Integrated Net Layer Security TUBA
53        SWIPE         IP with Encryption
54        NHRP          NBMA Next Hop Resolution Protocol
55-60                   Unassigned
61                      any host internal protocol
62        CFTP          CFTP
63                      any local network
64        SAT-EXPAK     SATNET and Backroom EXPAK
65        KRYPTOLAN     Kryptolan
66        RVD           MIT Remote Virtual Disk Protocol
67        IPPC          Internet Pluribus Packet Core
68                      any distributed file system
69        SAT-MON       SATNET Monitoring
70        VISA          VISA Protocol
71        IPCV          Internet Packet Core Utility
72        CPNX          Computer Protocol Network Executive
73        CPHB          Computer Protocol Heart Beat
74        WSN           Wang Span Network
75        PVP           Packet Video Protocol
76        BR-SAT-MON    Backroom SATNET Monitoring
77        SUN-ND        SUN ND PROTOCOL-Temporary
78        WB-MON        WIDEBAND Monitoring
79        WB-EXPAK      WIDEBAND EXPAK
80        ISO-IP        ISO Internet Protocol
81        VMTP          VMTP
82        SECURE-VMTP   SECURE-VMTP
83        VINES         VINES
84        TTP           TTP
85        NSFNET-IGP    NSFNET-IGP
86        DGP           Dissimilar Gateway Protocol
87        TCF           TCF
88        IGRP          IGRP
89        OSPFIGP       OSPFIGP
90        Sprite-RPC    Sprite RPC Protocol
91        LARP          Locus Address Resolution Protocol
92        MTP           Multicast Transport Protocol
93        AX.25         AX.25 Frames
94        IPIP          IP-within-IP Encapsulation Protocol
95        MICP          Mobile Internetworking Control Pro.
96        SCC-SP        Semaphore Communications Sec. Pro.
97        ETHERIP       Ethernet-within-IP Encapsulation
98        ENCAP         Encapsulation Header
99                      any private encryption scheme
100       GMTP          GMTP
101-254                 Unassigned
255                     Reserved

=====================================================================

HEX Number Table:
-----------------

                 MSB           BIT2           BIT3            LSB
---------------------------------------------------------------------
LS  _|             8              4              2              1
Byte |           128             64             32             16
                2048           1024            512            256
              32,768         16,384          8,192          4,096
             524,288        262,144        131,072         65,536
           8,388,608      4,194,304      2,097,152      1,048,576
MS  _|   134,217,728     67,108,864     33,554,432     16,777,216
Byte | 2,147,483,648  1,073,744,824    536,870,912    268,435,456

=====================================================================

Ethernet Frame Structures:
--------------------------

Ethernet
--------

Field length (in bytes):

    7     1   6      6     2     46-1500        4
.-----------------------------------...------------.
|Preamble|S|Dest. |Source| T|               |      |
|        |O|Addr. | Addr.| y|    [DATA]     |FCS   |
|        |F|      |      | p|               |   CRC|
|        | |      |      | e|               |      |
`-----------------------------------...------------'

IEEE 802.3 Frame Structure
--------------------------

Field length (in bytes):

    7     1   6      6     2     46-1500        4
.-----------------------------------...------------.
|Preamble|S|Dest. |Source| L|               |      |
|        |O|Addr. | Addr.|en| [802.2 header |FCS   |
|        |F|      |      |gt| and DATA]     |   CRC|
|        | |      |      | h|               |      |
`-----------------------------------...------------'

=====================================================================

Commonly Used Ethernet Protocol Types:
--------------------------------------

Decimal   Hex         Description
-------   ---------   -----------
000       0000-05DC   IEEE 802.3 Length Field
257       0101-01FF   Experimental
512       0200        XEROX PUP (see 0A00)
513       0201        PUP Addr Trans (see 0A01)
          0400        Nixdorf
1536      0600        XEROX NS IDP
          0660        DLOG
          0661        DLOG
2048      0800        Internet IP (IPv4)
2049      0801        X.75 Internet
2050      0802        NBS Internet
2051      0803        ECMA Internet
2052      0804        Chaosnet
2053      0805        X.25 Level 3
2054      0806        ARP
2055      0807        XNS Compatibility
2076      081C        Symbolics Private
2184      0888-088A   Xyplex
2304      0900        Ungermann-Bass net debugr
2560      0A00        Xerox IEEE802.3 PUP
2561      0A01        PUP Addr Trans
2989      0BAD        Banyan Systems
4096      1000        Berkeley Trailer nego
4097      1001-100F   Berkeley Trailer encap/IP
5632      1600        Valid Systems
16962     4242        PCS Basic Block Protocol
21000     5208        BBN Simnet
24576     6000        DEC Unassigned (Exp.)
24577     6001        DEC MOP Dump/Load
24578     6002        DEC MOP Remote Console
24579     6003        DEC DECNET Phase IV Route
24580     6004        DEC LAT
24581     6005        DEC Diagnostic Protocol
24582     6006        DEC Customer Protocol
24583     6007        DEC LAVC, SCA
24584     6008-6009   DEC Unassigned
24586     6010-6014   3Com Corporation
28672     7000        Ungermann-Bass download
28674     7002        Ungermann-Bass dia/loop
28704     7020-7029   LRT
28720     7030        Proteon
28724     7034        Cabletron
32771     8003        Cronus VLN
32772     8004        Cronus Direct
32773     8005        HP Probe
32774     8006        Nestar
32776     8008        AT&T
32784     8010        Excelan
32787     8013        SGI diagnostics
32788     8014        SGI network games
32789     8015        SGI reserved
32790     8016        SGI bounce server
32793     8019        Apollo Computers
32815     802E        Tymshare
32816     802F        Tigan, Inc.
32821     8035        Reverse ARP
32822     8036        Aeonic Systems
32824     8038        DEC LANBridge
32825     8039-803C   DEC Unassigned
32829     803D        DEC Ethernet Encryption
32830     803E        DEC Unassigned
32831     803F        DEC LAN Traffic Monitor
32832     8040-8042   DEC Unassigned
32836     8044        Planning Research Corp.
32838     8046        AT&T
32839     8047        AT&T
32841     8049        ExperData
32859     805B        Stanford V Kernel exp.
32860     805C        Stanford V Kernel prod.
32861     805D        Evans & Sutherland
32864     8060        Little Machines
32866     8062        Counterpoint Computers
32869     8065        Univ. of Mass. @ Amherst
32870     8066        Univ. of Mass. @ Amherst
32871     8067        Veeco Integrated Auto.
32872     8068        General Dynamics
32873     8069        AT&T
32874     806A        Autophon
32876     806C        ComDesign
32877     806D        Computgraphic Corp.
32878     806E-8077   Landmark Graphics Corp.
32890     807A        Matra
32891     807B        Dansk Data Elektronik
32892     807C        Merit Internodal
32893     807D-807F   Vitalink Communications
32896     8080        Vitalink TransLAN III
32897     8081-8083   Counterpoint Computers
32923     809B        Appletalk
32924     809C-809E   Datability
32927     809F        Spider Systems Ltd.
32931     80A3        Nixdorf Computers
32932     80A4-80B3   Siemens Gammasonics Inc.
32960     80C0-80C3   DCA Data Exchange Cluster
          80C4        Banyan Systems
          80C5        Banyan Systems
32966     80C6        Pacer Software
32967     80C7        Applitek Corporation
32968     80C8-80CC   Intergraph Corporation
32973     80CD-80CE   Harris Corporation
32975     80CF-80D2   Taylor Instrument
32979     80D3-80D4   Rosemount Corporation
32981     80D5        IBM SNA Service on Ether
32989     80DD        Varian Associates
32990     80DE-80DF   Integrated Solutions TRFS
32992     80E0-80E3   Allen-Bradley
32996     80E4-80F0   Datability
33010     80F2        Retix
33011     80F3        AppleTalk AARP (Kinetics)
33012     80F4-80F5   Kinetics
33015     80F7        Apollo Computer
33023     80FF-8103   Wellfleet Communications
33031     8107-8109   Symbolics Private
33072     8130        Hayes Microcomputers
33073     8131        VG Laboratory Systems
          8132-8136   Bridge Communications
33079     8137-8138   Novell, Inc.
33081     8139-813D   KTI
          8148        Logicraft
          8149        Network Computing Devices
          814A        Alpha Micro
33100     814C        SNMP
          814D        BIIN
          814E        BIIN
          814F        Technically Elite Concept
          8150        Rational Corp
          8151-8153   Qualcomm
          815C-815E   Computer Protocol Pty Ltd
          8164-8166   Charles River Data System
          817D-818C   Protocol Engines
          818D        Motorola Computer
          819A-81A3   Qualcomm
          81A4        ARAI Bunkichi
          81A5-81AE   RAD Network Devices
          81B7-81B9   Xyplex
          81CC-81D5   Apricot Computers
          81D6-81DD   Artisoft
          81E6-81EF   Polygon
          81F0-81F2   Comsat Labs
          81F3-81F5   SAIC
          81F6-81F8   VG Analytical
          8203-8205   Quantum Software
          8221-8222   Ascom Banking Systems
          823E-8240   Advanced Encryption Syste
          827F-8282   Athena Programming
          8263-826A   Charles River Data System
          829A-829B   Inst Ind Info Tech
          829C-82AB   Taurus Controls
          82AC-8693   Walker Richer & Quinn
          8694-869D   Idea Courier
          869E-86A1   Computer Network Tech
          86A3-86AC   Gateway Communications
          86DB        SECTRA
          86DE        Delta Controls
34543     86DF        ATOMIC
          86E0-86EF   Landis & Gyr Powers
          8700-8710   Motorola
          8A96-8A97   Invisible Software
36864     9000        Loopback
36865     9001        3Com(Bridge) XNS Sys Mgmt
36866     9002        3Com(Bridge) TCP-IP Sys
36867     9003        3Com(Bridge) loop detect
65280     FF00        BBN VITAL-LanBridge cache
          FF00-FF0F   ISC Bunker Ramo

The standard for transmission of IP datagrams over Ethernets and
Experimental Ethernets is specified in [RFC894] and [RFC895]
respectively.

------------------------------

Subject: Mel Beckman's Pipeline 50 syslog massager

>From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
>Newsgroups: comp.dcom.isdn
>Subject: New Ascend P50 log analysis utility!
>Date: Sun, 29 Jan 95 08:01:09 PST
>Organization: Beckman Software Engineering
>Reply-To: mbeckman@mbeckman.com

There must be a lot of P50's out there, because I've had over 100
people download my Pipeline-50 log analyzer. The analyzer consists of
a shell script and an ANSI C program. It reports length and cost of
calls, but doesn't accommodate changing day rates (default is set up
for .04 for the first minute, .01 per minute thereafter).

To avoid having quite so many hits on my ISDN-connected anonymous FTP
server (deliberately not named here) I'm posting the whole utility to
this group -- it's pretty short anyway.

I've also received several revisions, all doing about the same thing:
cleaning up the code and fixing some bugs. Dave Yost caught everything
the others did (Thank you John Borney, David E. Smith, and Doug
Lakin), plus made some very nice improvements to the code, so I'm
folding his changes into the latest version, version 1.1.

To use this, you must enable SYSLOG logging in your P50. Remember NOT
to log a remote P50 to a local host, unless you want your ISDN line to
be up all the time fielding log entries!

Things I wish somebody would do (because I don't have time):

  1. Build in configurable constants for message unit costs
  2. Allow for different costs based on incoming/outgoing and time
     (e.g. to allow for outgoing Home ISDN calls, billed only 8-5)
  3. Provide some kind of alarm threshold to call out high conntimes
  4. Parameterize the shell script to pass in path to logfile

----------------BEGIN INCLUDED MESSAGE--------------

>From: Dave@Yost.com
>To: mbeckman@mbeckman.com
>Subject: isdnlog, isdnhist
>Cc: Dave@Yost.com
>Reply-To: Dave@Yost.com
>Date: Sun, 29 Jan 1995 00:27:00 -0800

Thanks! I've been waiting for something like this to show up on the
net.

Couldn't help hacking it a bit. See enclosed files.

This should really be in Perl (which I haven't learned yet)...

Dave

======== isdnlog V1.1

#!/bin/sh
# Parse the syslog file (default /var/adm/SYSLOG, or the path given as
# the first argument) to cull just call initiations and terminations

case "$1" in
  "") log=/var/adm/SYSLOG ;;
  *)  log=$1 ;;
esac

grep 'port.*Call' "$log" \
 | tr -s " " \
 | cut -d" " -f1-3,6-22 \
 | isdnhist

======== isdnhist.c V1.1

/*******************************************************/
/* Program Name    : isdnhist.c                        */
/*                   Print ISDN call history           */
/* Date 11/04/94                                       */
/* Written by      : Mel Beckman                       */
/* Prime Contractor: Beckman Software Engineering      */
/*                                                     */
/* Input:  STDIN-  Digested console log                */
/* Output: STDOUT- Call history w/elapsed times        */
/*                                                     */
/*                                                     */
/*                                                     */
/* Modification Log :                                  */
/*   1/29/95 Dave Yost                                 */
/*     tightened up code; deal with dangling           */
/*     disconnects without corresponding               */
/*     connect log entry                               */
/*******************************************************/

#include <stdio.h>
#include <string.h>
#include <time.h>

enum direction { OUTGOING, INCOMING, UNKNOWN };

/******************************************************************************
 * Input is a digested form of the console log file containing Ascend
 * Pipeline-50 call start and end messages. The call start messages are
 * of the form:
 *
 *   Nov 4 16:54:55 slot 2 port 1, Outgoing Call, 6580801
 * or
 *   Oct 28 06:51:13 slot 0 port 0, line 1, channel 1, Incoming Call, MBID 118
 *
 * Call end messages are of the form:
 *
 *   Oct 28 09:58:09 slot 2 port 1, Call Terminated
 *
 * The keywords for validating each message are "Outgoing", "line", and
 * "Terminated", respectively. All other messages will be bypassed.
 *
 * An ISDN line can have either one or two calls, indicated by a channel
 * number for "incoming" messages or a port number of "outgoing" and "call
 * terminated" messages. We keep track of each call appearance separately.
 */

int main(void)
{
    /* working variables */
    time_t right_now, temptime, begtime, endtime;
    time_t start[2] = { 0, 0 };     /* connect time per call appearance */
    struct tm timestring;
    struct tm *mytime;
    int callnumber = 0;
    char buffer[255];
    char monthstring[4];
    char testa[32], testb[32], testc[32], testd[32],
         teste[32], testf[32], testg[32];
    enum direction direction, dir[2] = { UNKNOWN, UNKNOWN };
    int port;
    int channel;
    int nfields;
    int z;
    double totcost, totincost, totoutcost;
    double elapsed, elapsedm, totelapsed, totelapsedm;
    static const char *const months[] = {
        "Jan", "Feb", "Mar", "Apr", "May", "Jun",
        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
    };

    /*
     * Read each record and extract ident info and total due, then cvt to money & print
     */

    right_now = time(NULL);
    mytime = localtime(&right_now);
    memset(&timestring, 0, sizeof timestring);
    timestring.tm_year = mytime->tm_year;

    printf ("\nisdnhist v1.1 ISDN Call History %s\n", ctime(&right_now));
    printf ("\nCall# -----Beg Time---- Day -----End Time---- -Secs- -Mins- -Cost- I/O\n");

    totelapsed = 0;
    totelapsedm = 0;
    totcost = 0;
    totincost = 0;
    totoutcost = 0;

    while ( fgets (buffer, sizeof buffer, stdin) != NULL) {
        /* printf ("%s", buffer); */
        channel = 0;
        /* Field widths keep an over-long token from overrunning the
           32-byte test buffers. */
        nfields = sscanf (buffer,
            " %3s %2d %2d:%2d:%2d %31s %31s %31s %1d %31s %31s %31s %31s %1d",
            monthstring,
            &timestring.tm_mday,
            &timestring.tm_hour,
            &timestring.tm_min,
            &timestring.tm_sec,
            testa, testb, testc,
            &port,
            testd, teste, testf, testg,
            &channel
        );
        /* Fewer than 11 conversions means the keyword (teste) was not
           read; skip the line rather than reuse the previous record. */
        if (nfields < 11)
            continue;
#if 0
        printf ("month=%s, day=%d, hh=%d, mm=%d, ss=%d, port=%d, a=%s, b=%s, c=%s, d=%s, e=%s, f=%s, g=%s, chan=%d\n",
            monthstring,
            timestring.tm_mday,
            timestring.tm_hour,
            timestring.tm_min,
            timestring.tm_sec,
            port,
            testa, testb, testc, testd, teste, testf, testg,
            channel
        );
#endif
        for ( z=0; z<12; z+=1) {
            if (strcmp(months[z], monthstring) == 0)
                break;
        }
        if (z == 12)
            continue;               /* unrecognised month name */
        timestring.tm_mon = z;
        right_now = time(NULL);
        mytime = localtime(&right_now);
        timestring.tm_year = mytime->tm_year;
        timestring.tm_isdst = -1;   /* let mktime() determine DST */
        temptime = mktime(&timestring);

        port--;        /* so we're 0-based */
        port %= 2;     /* Cast odd ports to 0, even to 1; port 0 becomes -1 */

        if ( (strcmp(teste, "Outgoing") == 0) && (port >= 0) ) {
            /* Outgoing Call */
            start[port] = temptime;
            dir  [port] = OUTGOING;
        }
        if ( (strcmp(teste, "line") == 0) && (port == -1) ) {   /* ? -1 ? DY */
            /* line m, channel n, Call Disconnected (?) DY */
            channel--;     /* so we're 0-based */
            if (channel == 0 || channel == 1) {
                start[channel] = temptime;
                dir  [channel] = INCOMING;
            }
        }
        if ( (strcmp(teste, "Call") == 0) && (port >= 0) ) {
            char begstring[32], endstring[32];
            double cost;

            /* Call Terminated */
            endtime = temptime;
            begtime = start[port] != 0 ? start[port] : endtime + 1;
            direction = dir [port];
            start[port] = 0;
            dir  [port] = UNKNOWN;
#if 0
            printf ("begtime=%ld, endtime=%ld\n", (long)begtime, (long)endtime);
#endif
            callnumber += 1;
            elapsed = difftime(endtime, begtime);
            elapsedm = (elapsed / 60) + 1;
            strftime(endstring, 31, "%m/%d/%y %H:%M:%S", localtime(&endtime));
            if ( elapsed >= 0 ) {
                cost = ( elapsedm / 100 ) + .03;
                totcost += cost;
                if (direction == OUTGOING) {
                    totoutcost += cost;
                }else{
                    totincost += cost;
                }
                totelapsed += elapsed;
                totelapsedm += elapsedm;
                strftime(begstring, 31, "%m/%d/%y %H:%M:%S %a", localtime(&begtime));
                printf ("%4d. %s %s %6d %6d %.2f %s\n",
                    callnumber, begstring, endstring,
                    (int)elapsed, (int)elapsedm, cost,
                    direction == OUTGOING ? "O" : direction == INCOMING ? "I" : "?"
                );
            }else{
                /* Dangling disconnect: no matching connect was logged */
                strftime(begstring, 31, "**/**/** **:**:** %a", localtime(&endtime));
                printf ("%4d. %s %s %6s %6s %4s %s\n",
                    callnumber, begstring, endstring,
                    "???", "???", "????",
                    direction == OUTGOING ? "O" : direction == INCOMING ? "I" : "?"
                );
            }
        }
    }
    printf ("\nTotal Calls=%d Elapsed secs=%d Elapsed mins=%d $%.2f\n",
        callnumber, (int)totelapsed, (int)totelapsedm, totcost
    );
    printf ("\n Incoming=$%.2f Outgoing=$%.2f\n",
        totincost, totoutcost
    );
    return 0;
}

========

------------------------------

End of Ascend FAQ