OS Router Challenges Proprietary Networking
Jane Walker writes "Dave Roberts talks about Vyatta's open source router and how open source technology may soon alter the landscape of enterprise networking." From the article: "Initially, we believe that the x86 PC running Vyatta -- given the range of hardware that's available in the PC world -- can basically replace the midrange of the router market; to use Cisco terminology and model numbers, simply because it's convenient shorthand, basically from the 2800 series to the 7200 series. There's a whole host of equivalent products from Nortel and Alcatel -- but essentially in that range. I wouldn't describe it as Cisco model numbers so much as T1 branch office to gigabit LAN product categories."
Cisco and Juniper offer 24/7 worldwide support. Whether or not it sucks, this is the thing that keeps people cozily asleep at night, knowing that if they have a problem, they have an unchallengeable defense of having bought the best in class support solution (notice I avoid any discussion of h/w, because in the enterprise, h/w without support is worthless).
Yes, Vyatta talks a good game, but 24/7 worldwide support isn't something you build with a few million bucks in VC funding.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
You get OpenBGPD and OpenOSPFD all working in concert through the kernel. Oh and did I mention the price? $40.
Brilliant!
GateD used to be under a semi-open license. Then there was MRTD, Zebra and Quagga. XORP is said to be pretty good, too. MIT's Click is probably the most versatile, as you can just about script your own routing elements - very pluggable - with the added capability of routing between physical and simulated (eg: NS-2) networks.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
My former employer is using three relatively simple Tyan dual Xeons with a couple of SysKonnect cards to shove 4-5 gigabits per second of traffic over the internet (yes, full routing, and over 240 peers on AMS-IX and NL-IX). Most of that is usenet (http://www.top1000.org/top1000.current.txt look for 'tweaknews') but well over a gigabit is DSL end user traffic and some hosting. Those boxes cost in the order of 7000 euros a piece, and are about as stable as a Cisco running a current IOS (not as stable as you'd like). 7 grand buys me a single linecard for a 7200 on the secondhand market, and no 7200 will do as much traffic.
Cisco and Juniper: start getting scared *now*
Just in case anyone was wondering, there are other routers that are open source. I think all of Netgear's router firmware is open.
The first Juniper routers were "Olives", which were PC's running modified BSD. JUNOS is BSD based.
UUNET, IMHO the greatest ISP ever, first tested them in 1998 or 1999. CISCO had annoyed UUNET with poor service, so UUNET helped bring Juniper into the market. Yes, I am former UUNET and proud of it.
I found an interesting link to Olives at http://juniper.cluepon.net/index.php/Olive.
In the land of the blind, the one-eyed man is usually crucified.
This keeps coming up every 6 months or so. To rehash it for you:
...... AND you want to save $30k by using a #@$%#$%#$% software router running on a DELL?????
1) performance-wise a 6x PCI-X motherboard is rare and commodity computers are not built for the buses to independently talk to each other without invoking the CPU.
2) feature-wise you Have to have an RTOS or bad things happen when you try to implement QoS. speaking of features they have libraries full of books that talk about the *thousands* of features/technologies that real routers implement (it's hard to do that; most companies spend tens/hundreds of millions to do this). implementing a few protocols/nat/firewall does not a router make.
3) If you actually have been involved with these things you would know:
-DS3/OC3/OC12s are not cheap... phone company bills of $100k a *month* are very common.
-a couple network engineers $100k/year each
-dedicated power/colo space/ups/generators $50+k/year
-SLAs and peering arrangements... $$$
-uptime to your customers measured in seconds of uptime (revenue $200+k/MONTH).
really, try explaining that to the CEO after the site has lost $10k/HOUR because something wonky is going on with the cpu or the memory oorrr it could be the kernel, I dunno I just rebooted the thing "cuz that usually fixes MY problems"... bye bye SLA.
--jboss
It'll never, EVER challenge Cisco in the big iron market. Why? Simple. No IT manager has EVER been fired for buying Sun servers, Cisco routers/switches, or IBM PCs. Big iron isn't about open source. Big iron is about triple-redundant reliability, service contracts, and brand trust.
------- "From bored to fanboy in 3.8 asian girls" ----------
If the solution was really that simple, you just proved the parent's post. The referenced Cisco world class support team took nine months to diagnose and fix a problem that a random person on /. could have fixed in 30 seconds.
Bad boys rape our young girls but Violet gives willingly.
Two words: cut through.
With a software router (aka your typical Linux-nerd router), the entire packet has to be read before the routing decision can be made. Then it has to be sent out again.
With Cisco, what you are paying for isn't the routing, it's the low latency of hardware that can see the destination IP address in a packet header, then effortlessly shunt the bits off to another interface in real time. You're also paying for the hardware being designed with 24/7 operation in mind, with little extras like watchdog reset timers that you won't find in that seven-year-old beige box.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
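The "cut through" argument above is really a statement about per-hop latency: a store-and-forward box must clock the whole packet in before it can look up the destination and clock it back out, while a cut-through switch needs only the header. The following Python model is an added example, not code from the thread or from any vendor; it assumes equal ingress and egress link rates, a lookup time you pass in (the 1 µs default is a constructed figure), and that a 34-byte Ethernet + IPv4 header is enough to choose the egress port.

```python
"""Store-and-forward vs cut-through: a per-hop latency model (added example).

Latency = time from the first bit of a packet arriving on the ingress link
to its last bit leaving the egress link, with both links at the same rate.
Lookup time and header size are assumed parameters, not measured values.
"""

# Ethernet (14 B) + IPv4 (20 B): the bytes a forwarder needs before it can
# pick an egress port. Assumption for this example, not a measured figure.
ETH_IP_HEADER_BYTES = 14 + 20


def serialization_delay_s(num_bytes: int, link_bps: float) -> float:
    """Seconds needed to clock num_bytes onto a link running at link_bps."""
    if num_bytes < 0 or link_bps <= 0:
        raise ValueError("bytes must be >= 0 and link rate must be > 0")
    return num_bytes * 8 / link_bps


def store_and_forward_latency_s(packet_bytes: int, link_bps: float,
                                lookup_s: float) -> float:
    """Whole packet received, then looked up, then whole packet re-sent."""
    t_packet = serialization_delay_s(packet_bytes, link_bps)
    return t_packet + lookup_s + t_packet


def cut_through_latency_s(packet_bytes: int, link_bps: float, lookup_s: float,
                          header_bytes: int = ETH_IP_HEADER_BYTES) -> float:
    """Forwarding starts once the header is in; transmit overlaps receive.

    Edge case: a packet shorter than the header the lookup needs cannot be
    cut through at all, so we refuse rather than return a nonsense value.
    """
    if packet_bytes < header_bytes:
        raise ValueError("packet is shorter than the header the lookup needs")
    t_header = serialization_delay_s(header_bytes, link_bps)
    t_packet = serialization_delay_s(packet_bytes, link_bps)
    # Egress runs at the ingress rate, so the tail bit leaves exactly
    # t_packet after the head bit is put on the egress wire.
    return t_header + lookup_s + t_packet


def compare(packet_bytes: int, link_bps: float, lookup_s: float = 1e-6) -> dict:
    """Both latencies in microseconds plus what cut-through saves per hop."""
    sf = store_and_forward_latency_s(packet_bytes, link_bps, lookup_s)
    ct = cut_through_latency_s(packet_bytes, link_bps, lookup_s)
    return {
        "store_and_forward_us": sf * 1e6,
        "cut_through_us": ct * 1e6,
        # The saving is independent of lookup time: one full packet
        # serialization minus one header serialization.
        "saving_us": (sf - ct) * 1e6,
    }


if __name__ == "__main__":
    # Constructed sweep: three link rates, minimum and full-size frames.
    for rate in (10e6, 100e6, 1e9):
        for size in (64, 1500):
            r = compare(size, rate)
            print(f"{rate/1e6:>6.0f} Mbps {size:>5} B  "
                  f"S&F {r['store_and_forward_us']:8.2f} us  "
                  f"CT {r['cut_through_us']:8.2f} us  "
                  f"saves {r['saving_us']:8.2f} us")
```

Running the sweep shows the point the poster is making and its limit: a full-size frame at 100 Mbps costs a store-and-forward hop about 117 µs more than a cut-through hop, but at 1 Gbps the gap is under 12 µs, and for 64-byte frames it is a fraction of a microsecond at any rate. The caveat a practitioner should keep in mind is that cut-through commits to forwarding before the frame check sequence has arrived, so corrupted frames are propagated to the next hop, whereas a store-and-forward device can discard them.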
Dude, they surely tried this. Don't assume you fixed the problem when in fact you weren't there! Depending on the platform and functions applied to this particular device, it could have been much more complicated. Usually they are running traffic tunnelled through the FWSM module and it forgets to take into account the .1q tag or they are using an encryption module which had calculated on pre-encryption sizes.
FTR, if you can manage the support and deal with irregularities as they might come up, as it sounds like your company probably can, I totally agree. I'd even go so far as to recommend ClarkConnect, personally.
:)
But these still don't deal with the issues of hardware/platform stability (yes, it's a *lot* easier to design, troubleshoot and design driver modules if you control the platform first), QA (testing commercial *before* sending a product out the door), organized 'knowledge bases' (assuming your appliance has large enough penetration), commercial support because things *will* go wrong and if you're running mission critical applications behind your 'appliance' you'd better be able to get fixed fast and have the CMOA part dealt with too (after all, the larger the company the less forgiving they can be for mission critical application/server/network downtime).
So, ya, if you've got the wiggle room and need to allocate re$ources elsewhere and have someone onboard who's stable (hate to inherit someone else's 'customized' framework) I think it's very useful.
But if your company/job/livelihood/client-base depends on it I feel pretty strongly about using something start to finish purpose built.
As an aside I did a lot of research on firewall appliances before we purchased our own and of the sys admins I know Sonicwall was the one product that almost unanimously was not recommended. So it's probably not just you, just bad luck. We've gone with Astaro, who aside from making a software distribution also does build an appliance. It's Linux, so I know if things ever really went south I could get my hands dirty and make things right, but I don't and shouldn't have to. I can dynamically update rules, add nodes, do hot/cold or hot/hot failover and I don't have to string together a bunch of software applications of varying quality and flexibility.
And best of all, although possibly alarming, if I should ever leave the company whoever picks up my work will be able to quickly learn to manage the software. The network doesn't skip a beat.
Anyway, I'm not trying to argue against what you're saying. If it suits your needs use it. You know your company better than I do. I work for a medium sized company and some large (fortune 500) sized clients. So we've got a little room in the budget (of course it's always a fine line) and certainly a justified need. I don't know if you've ever had to sit in a meeting and explain your network topology and how you handle things like redundancy but when you start naming OSS products outside of say the top 10 you get some pretty disarming looks.
Enjoy IPCop. I'd say take a look at ClarkConnect but until they get the rules/insert method updated I won't touch it, they were using Shorewall and even a minor change (like say opening an FTP port for a new client) requires a Shorewall/IPTables restart (or a CLI insert, but I always thought those were more prone to error...as in sleep deprived, up at the colo human error than a clean GUI) and that, at least in my case, is totally unacceptable. Maybe IPCop has dealt with this differently since I last used it, but on the fly changes should be the first priority of any serious firewall solution (well, after overall system security).
Anyway, I'm just throwing out my $.02. You certainly don't sound like an idiot.
Quack, quack.
> That's not quite true. There's no reason I can think of why you couldn't make a backplane for a PC that handles all the network traffic locally, without touching the PCI bus (or whatever bus). In fact, high speed interconnects used on clusters do that sort of thing already, and I suspect any high speed backplane for any platform would need to do the same.
:)
:)
I think you're missing the point. The backplane of the Cat6500 is pretty much what the PCI bus does for a PC. A 32-bit/33 MHz PCI bus gives you just about 1 Gbps while the Cat6500 backplane provides three buses of 256, 32 and 4 Gbps (not 720 GBps as the GP suggested - the "Sup720" refers to the 720 Mpps switching capacity). Switching to PCIe gives you 2.5 Gbps per lane, but how many motherboards provide the 100 PCIe lanes needed to compete?
> I'm not intimately familiar with ASICs, but if they add this type of functionality regardless of the clockspeed on the core chip, they probably handle all the traffic locally too.
ASICs offload the hard work from the CPU of the Cisco systems. Basically any kind of compute-intensive bulk work, switching (yes, it switches layer 3 too), filtering (access-lists) and so on, is handled by dedicated ASICs and requires little or no CPU intervention. This enables the Catalyst to handle high amounts of data with a quite small CPU. Things that do end up on the CPU are management work, route computation (BGP changes, for example) and logging. To handle 720 million packets per second, you'd need quite a lot of CPU in your PC.
> A backplane like that may not exist for a PC currently, but if their PC router is successful enough to get companies using it, somebody will create one. Engineering a high speed backplane for arbitrary hardware is a problem that has already been solved, all that's needed now is a market with enough demand to make it worthwhile to build.
Well, large Juniper routers are run by a FreeBSD service processor, but I doubt you can run your open source router on it...
One thing the GP doesn't mention is the availability of special service modules, which once again do their work mostly in hardware: firewalls, load balancing, intrusion detection, intrusion protection, voice gateways, etc. Also, it takes 4 port 10GigE and 48 port GigE blades, giving it up to 48 10GigE or 576 GigE ports in a 13 blade chassis (one slot goes to the supervisor), something you'd have a hard time stuffing into a PC.
With regard to ease of use, within 15 minutes of powering it on for the first time, most Cisco admins could have it up and running, switching and routing - IOS is a fantastic OS for most things.
Either way, I doubt the Catalyst 6500 is the intended target for an open source routing platform and I'm sure it'll do just fine competing with the 2800-sized routers.
You may commence flaming the Cisco fanboy now.
I have configured many Cisco routers, switches, and VPN concentrators. None had anything close to an intuitive interface, and even standard operations differ from model to model. There's as much backward-compatibility cruft and illogical organization in IOS as in Windows. Cisco documentation is often just plain wrong or so poorly written as to have ambiguous meaning.
In fact I've never worked on another brand of router besides Cisco, but the CLIs and GUIs of other complex networking devices like Checkpoints & SonicWalls let me know that something more intuitive than IOS is definitely possible.
I had some experience with Olives as well. However, their performance wasn't that great. Especially compared to an M10. ASICs made a huge difference.
You can easily route 5 T1's on a thrown-away 586 MMX at 266 MHz.
I did it for 6 years with a hand rolled Linux install and ipchains. It was faster than the HP 6 port router it replaced in both speed and network performance and adding in some filtering gave us a product that should have cost $6000 at the time from the new Cisco company or then popular Colorado networking.
Every single one of these guys here claiming that no way a PC can route much traffic knows absolutely nothing about networking and routers. Hell a cheap P4-2.8 with the right hardware can route ATM speeds over ethernet easily (Yes kids, you can get ethernet termination on anything from your provider).
Hell a slow 386 can do a single T1 without getting above 5% processor load.
Do not look at laser with remaining good eye.