From: Ken Diliberto (ken@kdmd.net)
Date: Fri Aug 05 2005 - 03:21:21 GMT-3
Chuck,
You're adding chocolate to the fairly vanilla environment I was talking
about. :-)
You make good arguments in favor of real routers over *nix machines (not
hard to do, but you do it well). I'm not advocating the wholesale
replacement of dedicated routers with unix boxes, just trying to make an
argument in favor of them in some environments and to open some eyes to
the possibility.
How much does a router cost with redundant motherboards, power supplies,
etc? I think if you compare that price to your $5000 server class
machine, the server is still a lower priced box. But once you're in
this performance class, I would argue in favor of the router - unless
money is a huge issue, which makes this not a technical decision, but a
business decision.
Something else to consider is how many times a router is used as a
firewall device with sometimes complex ACLs. The little routers I'm
thinking of in these situations don't have the horsepower to support
many users.
The *nix routers do support some QoS, but not the large variety found in
dedicated routers. Then again, that's adding fudge to the vanilla
environment.
For redundancy, OpenBSD has CARP (Common Address Redundancy Protocol -
or a fish if you're hungry) which is touted as a free alternative to
HSRP and VRRP, so you can stick with the really cheap hardware and still
have uptime when (not if, same as with regular routers) something
breaks. For hardware replacement, take the money you're not paying for
maintenance and keep a spare box on hand.
Something I forgot in my first message was along the lines of IDS and
proxy as add-ons. If you want NAM features, add Ethereal/Tethereal
and/or NTOP.
I think we both agree that when it comes to doing it right, it's going
to cost money.
Finally, would I put a *nix router out at a remote site? Not if I had a
choice. That's where I'd want the convenience of a dedicated router.
Would I put one in the core of a high performance network? If I did, it
would probably be time for a long vacation in a heavily padded room.
Ken
Church, Chuck wrote:
> Ken,
>
> Your argument for firewall makes sense. Being able to add proxy
> and IDS for free is compelling. But for a router, I don't quite see an
> advantage in using a *NIX box. A $1000 PC isn't going to have a
> redundant power supply. Pretty much need to jump to a server-platform
> PC to get that. Redundant hard drives add cost too. Still, the
> motherboard is another single point of failure. Pretty soon, you're
> looking at a $5000+ machine. You can do a pair of PCs, but will *NIX
> support HSRP, VRRP, or GLBP? How about the routing protocol extensions
> that NSF uses, such as OSPF sub-second hellos?
> So maybe with multiple PCs, you can get greater uptime. But
> what about QoS support? Being able to do linerate policing, shaping,
> and ACLs at gigabit speed is important in most converged networks these
> days.
> Also, what about device failure? A router dies somehow, you get
> a new one overnighted, paste your config back in, and you're back in
> business. How long does it take to build a new linux router? Certainly
> the engineer's time in building a box has to factor into the cost.
> Security-wise, I think that leans in Cisco's favor too. Any
> time a new vulnerability is found, Cisco is pretty good about letting
> people know work-arounds and usually has a patched IOS available in a
> few days. Just some food for thought...
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation Team
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 864-266-3978
> cchurch@netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ken Diliberto
> Sent: Thursday, August 04, 2005 11:15 PM
> To: Sheahan, John; ccielab@groupstudy.com
> Subject: Re: OT- Open Source Networking Devices
>
> John,
>
> Having used the PIX, Raptor and AV (commercial Unix based), IPTables and
> IPChains (Linux), IPF (Solaris, OpenBSD and FreeBSD) and PF (OpenBSD and
> FreeBSD) firewalls, I'd pick OpenBSD running PF for a firewall over the
> others almost any day. OpenBSD is stable and can have almost all the
> features of the others if you can invest some effort. Want a proxy?
> Add Squid. Want IDS? Install Snort. Both at no extra charge.
>
> You can substitute Linux with IPTables for OpenBSD if you like. It's a
> stable platform and will do the same things, just in a slightly
> different way. I'm not much of a Linux fan - more of a BSD zealot. But
> I don't resent Linux or its supporters - just not my preferred platform.
>
> In a fairly vanilla environment, Linux boxes will route just as well as
> a dedicated router in the same price range. The down side to a Linux
> box is bandwidth and some of the fancy features you find in dedicated
> routers. Comparing a $1000 PC running Linux with a 3550 with EMI
> feature set, you'll find the 3550 a much faster box, but at a much
> greater price tag. Comparing a Linux box with GigE interfaces plugged
> into a switch to a similar router, I think you'll find the price
> to performance ratio favoring the Linux box by a long shot. Need a
> routing protocol on your Linux box? GateD and Zebra have been around
> for a long time. I know with Zebra you get RIP 1&2, OSPF and BGP. Even
> IPv6 variants. Zebra even feels like IOS.
>
> So let me ask you:
> What's wrong with a Linux box as a router?
>
> What's wrong with a Linux box as a firewall?
>
> I've gone 'round and 'round with TAC on issues with dedicated routers
> and not received a satisfactory resolution, so I don't buy the "you get
> Cisco standing behind their routers" argument unless you're a very big
> customer that pays a lot of money in support. I've pointed out problems
> with open source software and been very satisfied with the free support
> from the authors and other users. YMMV.
>
> Some useful links:
> http://lartc.org/howto/
> http://www.openbsd.org/
> http://www.benzedrine.cx/pf.html
>
> Ken
[snip]
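As an added example that is not part of the thread, here is the minimal OpenBSD CARP plus pfsync setup behind the "two cheap boxes instead of one redundant router" point above: a shared gateway address moves to the backup when the master stops advertising, and pfsync keeps the firewall state tables in step so failover does not drop established connections. Interface names (em0, em1), the 192.0.2.0/24 addresses and the CARP password are assumed placeholders.

```conf
# Added example, not from the thread. Assumed: em0 is the LAN side, em1 is
# a dedicated crossover link used only for pfsync; 192.0.2.0/24 and the
# password are constructed placeholders. Both boxes get the same files
# except for the advskew value in hostname.carp0.

# /etc/sysctl.conf (both boxes): enable CARP and let a recovered master
# take the address back once its advertisements beat the backup's again
net.inet.carp.allow=1
net.inet.carp.preempt=1

# /etc/hostname.em0 (master): the real address of this box
inet 192.0.2.2 255.255.255.0

# /etc/hostname.em0 (backup): the real address of the other box
inet 192.0.2.3 255.255.255.0

# /etc/hostname.carp0 (master): the shared address clients use as their
# gateway. vhid must match on both boxes; advskew 0 wins the election.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGEME advskew 0

# /etc/hostname.carp0 (backup): identical except for a higher advskew,
# so it only becomes master when the master's advertisements stop
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGEME advskew 100

# /etc/hostname.pfsync0 (both boxes): replicate pf state over the private
# link so connections survive a failover
up syncdev em1

# /etc/pf.conf fragment (both boxes): CARP advertisements and pfsync
# traffic must themselves be allowed, or the pair will never agree
pass quick on em1 proto pfsync
pass quick on em0 proto carp
```

After a reboot or `sh /etc/netstart`, `ifconfig carp0` should report MASTER on one box and BACKUP on the other; pulling the master's LAN cable should flip the roles within a few seconds.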
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3