Date:      Wed, 21 Mar 2001 22:34:03 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Dave VanAuken" <dave@hawk-systems.com>, "Steve Curry" <scurry505@yahoo.com>, "FreeBSD Questions" <questions@FreeBSD.ORG>
Subject:   RE: Software vs Hardware Router (was: What name brand would you buy for a firewall/router)
Message-ID:  <002c01c0b29a$161422e0$1401a8c0@tedm.placo.com>
In-Reply-To: <DBEIKNMKGOBGNDHAAKGNGEDFEGAA.dave@hawk-systems.com>

In our network I manage 3 major routers and a host of minor
ones.  The major routers are 2 Cisco 7206's and 1 FreeBSD
4.0 system running on a Celeron 350.  We take a total of
4 feeds that pass us full BGP4 tables and 2 of the major
routers are in the BGP4 mesh (with iBGP running between them).

One of those BGP systems is the FreeBSD router running gated,
the other is one of the Cisco 7206s.  (the other 7206 is running
DS3 egresses to DSL providers)  The minor routers in the system
consist of various Cisco flavors, from 1005's to 3600's

We've been doing this for about a year now so I think I can
speak somewhat authoritatively on it.

For starters, if you attempt to mix DSL and anything in the
2600 line you're going to fall flat on your face.  Cisco IOS
has hard-coded limits for ATM vc's in 2600 series IOS of
about 100.  You need at least a 7200 series for DSL and a
DS3 card which will go up to 1000 vc's (2K if IOS 12.1 is
used, I think).

Secondly, a full BGP table requires at least 128MB of RAM in a
Cisco.  I think you can stuff 128MB in a 3640, but I think
that's as low as you can go in the Cisco line and still take a
full BGP table.  And, the 3640 really isn't designed for this
sort of nonsense anyway.

So, that leaves a PC-on-a-router solution.  Well, the first question
is how are you interconnecting?  In our case, the FreeBSD box has
3 10/100 Ethernet connections and a SDL communications serial interface.
It works fine now, but there's a bit of tuning that you have to do,
like raising MAXUSERS.  A lot.  I use 96.  You also have to understand
that gated has no concept of graceful error control and it's very memory
hungry, and uses all kinds of odd tables in the OS that are normally
smaller.
If it runs out of kernel route table space it will trash the
system and you have to reboot.  Second, gated itself isn't exactly
bug free, in fact we don't use the current version because of
that.  Also, according to the license, (the way I read it) you have
to pay Merit if you use the current version of gated in a commercial
setting.  In short, unless you're willing to spend time learning
and really understanding BGP, then don't attempt to run it with a
full route table using gated on a UNIX system.  It's not an out-of-box
configuration by any means.

Now, if you're not running BGP then setting up a FreeBSD router using
Ethernet interfaces or T1 cards is pretty easy to do and anyone who
is reasonably competent can do it.  Keep in mind, of course, that PCI
WAN cards like the SDL comm cards cost around $700 so you're not going
to be saving a tremendous amount of money over a used Cisco.  In fact,
eBay is full of used Cisco 2600 gear at very attractive prices.
What you gain is a large amount of functionality.  For example, Cisco
Firewall IOS for a 1600 series costs about $700 for the license alone,
and with FreeBSD, ipfw with stateful inspection gives you the same thing
as FW IOS.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com

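Ted's point that ipfw's stateful inspection covers what Cisco Firewall IOS is licensed for deserves a concrete shape. The script below is an added example, not code from the original mail or the FreeBSD project: a minimal stateful ipfw(8) ruleset of the kind a FreeBSD 4.x edge box would load at boot. The interface name (fxp0), the inside network and the rule numbers are assumptions chosen for illustration; the script prints the rules by default and only hands them to ipfw when DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original thread): a stateful ipfw ruleset.
# Assumed values: fxp0 is the upstream interface, 192.168.1.0/24 is the
# inside network (constructed). DRY_RUN=1 prints the rules; DRY_RUN=0 loads them.

OIF="fxp0"               # assumed outside (upstream) interface
INNET="192.168.1.0/24"   # assumed inside network (constructed value)
DRY_RUN="${DRY_RUN:-1}"

# fw: emit one rule, or hand it to ipfw(8) when not in dry-run mode.
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipfw add $*"
    else
        ipfw add "$@"
    fi
}

# gen_rules: the ruleset. ipfw evaluates rules in increasing number
# order and stops at the first match, so ordering is the policy.
gen_rules() {
    # 1. Consult the dynamic (state) table before any static rule.
    fw 100 check-state
    # 2. Loopback is trusted; loopback addresses never belong on the wire.
    fw 200 allow ip from any to any via lo0
    fw 210 deny ip from any to 127.0.0.0/8
    fw 220 deny ip from 127.0.0.0/8 to any
    # 3. Anti-spoofing: inside source addresses must not arrive from upstream.
    fw 300 deny ip from "$INNET" to any in via "$OIF"
    # 4. Outbound TCP from inside: admit the SYN and create a dynamic rule
    #    that lets the rest of that connection through (stateful inspection).
    fw 400 allow tcp from "$INNET" to any out via "$OIF" setup keep-state
    # 5. Outbound UDP (DNS and the like) gets a short-lived dynamic entry too.
    fw 410 allow udp from "$INNET" to any out via "$OIF" keep-state
    # 6. Only the ICMP types needed for path MTU discovery and diagnostics.
    fw 500 allow icmp from any to any icmptypes 0,3,8,11
    # 7. Unsolicited inbound connection attempts are logged and dropped.
    fw 600 deny log tcp from any to any in via "$OIF" setup
    # 8. Default deny, logged, so a missing rule fails closed and visibly.
    fw 65000 deny log ip from any to any
}

gen_rules
```

Run it as is to review the generated rules; run `DRY_RUN=0 sh thisfile.sh` on a box with IPFIREWALL (and IPFIREWALL_VERBOSE for the `log` keyword) compiled into the kernel to load them. Rules 400 and 410 are where the stateful behaviour lives: without `keep-state`, the return half of every conversation would have to be admitted by a broad static rule, which is exactly the hole a stateful filter closes.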

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Dave VanAuken
>Sent: Wednesday, March 21, 2001 1:54 PM
>To: Steve Curry; FreeBSD Questions
>Subject: RE: Software vs Hardware Router (was: What name brand would you
>buy for a firewall/router)
>
>
>By edge routing, I am referring to the edge or outer limit
>of our network, where we, and all subnets managed by our
>clients or ourselves interact with other carriers (Sprint,
>UU-Net, PSI Net, and so forth).  This may be a POP location
>for broadband and dialup (T1-T3), or a central connection
>(T3-OC3).  In reviewing the network layout, if we were to go
>with entirely Cisco products we would be looking at the
>routers mentioned (2651, 7204) with the integrated CSU/DSU
>modules.  Would love to test out the implementation of
>replacing a planned 2651 with a FreeBSD/CSU/DSU solution and
>see how it fares.
>
>Traffic consists of broadband access (piles of junk), private
>network traffic over provisioned T1 and DSL links to
>clients, dialup, and a decent availability for hosting
>traffic.
>
>Routing tables could get heavy, and redundancy over networks
>is an issue.  We would be pairing any solutions with single
>point of failure.
>
>Again, easy solution is plug the appropriate Cisco
>"appliance" in at each location... that ends up being a whack
>of cash, and then dealing with different (even slightly at
>times) configurations for each type of hardware.  The last
>thing I want is to come up with the great idea of plugging
>in FreeBSD based solutions and they end up being the weak
>link.
>
>There is also the question of loadout.  I have seen FreeBSD
>operate on some pretty scantily clad systems quite
>happily...  Assuming that each box will have routing, NAT,
>and firewall duties, what load will say a mid range PIII
>system, 256/512 RAM, IDE HDD handle?  At what point will
>that system be the choke point of the network?  Or better
>yet, what loadout do you recommend for various traffic
>loads?
>
>Hope that gives sufficient information.  The short of it is,
>looking for bang for buck. Profitability is the key word in
>today's market and everything is under the looking glass. :)
>
>Dave
>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
>Steve Curry
>Sent: Wednesday, March 21, 2001 3:57 PM
>To: Dave VanAuken; FreeBSD Questions
>Subject: Re: Software vs Hardware Router (was: What name
>brand would you
>buy for a firewall/router)
>
>
>Dave,
>
>
>First of all I apologize if in a previous email you
>described what type of environment you are in.  I've
>been busy and I haven't had a chance to read each and
>every email on this busy list.  I'm in an environment
>that uses tonz of Cisco, tonz of Foundry, and *TONZ*
>of FreeBSD.  I use a FreeBSD router in my job-domain
>here at Yahoo and it works great.  It gets hammered
>often and is always a happy little box.  However
>my job is not to sell you on a BSD box or a job
>specific <brand-name-goes-here> router.  I also use a
>box at home to do the whole filter
>packets/firewall/port-forwarding role and once again
>it works fine.  I use a BSD box because it's cost
>effective, reliable and I understand it.  I can't see
>spending the money to buy a job specific router
>although if I did I wouldn't hesitate to use it.
>You mention edge routing, are you doing this?  What is
>your application?  Cough up some details and maybe we
>(the list) can help.
>
>
>Steve Curry
>Technical Yahoo
>Yahoo! Inc.
>
>--- Dave VanAuken <dave@hawk-systems.com> wrote:
>> I would love to see some real stats (not claims to
>> fame by someone in
>> their basement with a couple of systems who dabbles)
>> on the
>> effectiveness and capabilities of a FreeBSD Router
>> vs say a "Cisco
>> 2651", or the "7204VXR" which are some edge routers
>> we are looking at
>> for routing T1, T3, and OC3 connections.
>>
>> At what point is a FreeBSD Box (or Boxes) just not
>> up to the task
>> capability wise (ignoring the previous thread on
>> reliability of
>> components, and moving parts).
>>
>> At about 3k for the 2650 (with appropriate loadout)
>> to close to 15k
>> for the 7204 I could see a FreeBSD box decently
>> loaded out capturing
>> the low end, but wonder where the divide would be on
>> the higher end of
>> the scale.
>>
>> Any first hand experience or thoughts on this?
>>
>> Dave
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of
>> the message
>>
>
>
>
>