Software Routers vs. Hardware Routers?
Daniel Garcia asks: "I recently got put on a task at work to find out if using Win2k as a router is a good idea or not. So far, the only information I've found lies here. Only problem is that the article doesn't have any benchmarks or real data to back up some of their claims. I just wanted to ask the /. community if anyone has used any version of NT as a software router and how it compares to using a hardware router. Personally, I'd rather use a hardware router than a Microsoft product but I don't have any data to back up those claims."
Windows 2k or Linux? (Score:1)
Re:Windows 2k or Linux? (Score:1)
I don't know much about hardware routers, but I know that a Linux box will do the job nicely.
--
Ridiculous question (Score:1)
A good hardware router will be faster than any consumer-level-OS based router (W2K, *nix, whatever), at all times. If you want to know if NT/W2K will make a good router compared to Linux or a *BSD, ask. Dedicated hardware wins every time. The only reason to not go that route [a pun!] is cost.
BTW, your best bet for a good Intel-based router is probably FreeBSD. I know Linux has some options to tune it for routing, and its TCP/IP stack is good, but my gut feeling is that the *BSDs will still edge it out.
Performance-wise... (Score:3)
A hardware router still runs firmware, but the internal bus structure and routing is far more expedient than a PC trying the same tasks. Since real routing happens a couple layers up on the OSI stack, the frames have to be translated and passed through the driver, and in some cases all the way to user space to be filtered. Granted, routing can be in kernel space, but this is still significantly slower (especially considering PCI and uProc bus latency) than a streamlined piece of specific hardware.
netcard1 -> PCI -> mem.... uProc
If this is for a business, get some real hardware. If this is for your home network, you could have one of the other boxes do it.
Of course, if you are only routing a 28.8 dial-up, you could probably use bicycle messengers, too... the latency isn't *that* much of a problem. For a real pipe, get a real piece of silicon.
System speed. (Score:1)
The question I would raise would be processor speed. A good Cisco 25xx has been around forever, and I can't imagine that the processor is that fast. I know that it can't always handle its own (a full T1 on a serial port). Maybe a dual 800MHz PIII could. I do think it is possible to make a faster router out of a PC. I don't think it will be as reliable though.
What do you want to route? (Score:2)
When I think "router" I think of something that can support lots of T1s, a few T3s, and hopefully scalability to OC-3, 12 and 48. You're not going to find a PC that can do that. If you're just trying to bridge 2-5 Ethernet LANs in the same building you should be looking at Ethernet switches. If you're trying to connect diverse types of LAN (Token Ring, FDDI, CDDI) you could do it with a PC if your administrator is slave labor. If you pay your administrator any sort of respectable amount you'll waste more money troubleshooting and maintaining than you'd spend on a dinky little Cisco. I certainly wouldn't want to maintain a Win2K or Linux box with a variety of different kinds of NICs.
? who are you routing with ? (Score:2)
Routing protocol - if you're connecting to any existing routed network, you must use a routing protocol (EIGRP, OSPF, RIP2, NLSP...) the other site supports. Otherwise you get stuck maintaining static routes (not a problem for tiny networks, but an administrative nightmare for corporate enterprise internetworks).
Size and complexity of internetwork - a large/complex routed internetwork requires robust hardware and software. Think Cisco and EIGRP if you have any choice. OSPF or RIP2 if you don't.
RoutED protocol support - are the routed networks supporting TCP/IP clients only, or do you have to deal with IPX/SPX, Appletalk, LAT... ? If multiprotocol, think Cisco and EIGRP if you have any choice, otherwise you're stuck running multiple routING protocols (OSPF and NLSP, or IP RIP and IPX RIP...).
Are you connecting a LAN directly to multiple ISPs? You may be forced to use either static routes or BGP.
If implementing a frame-relay WAN, will you support the routers, or will the carrier? Unless you have a substantial training budget and time to spend applying what you learn, a carrier-managed WAN may be your best bet.
Are you setting up a remote access (dial-up) router? Multiple options exist - WinNT RAS, dedicated access router (Shiva, Cisco 5200/5300), managed service like AT&T Global Network.
If this is all very new to you, consider hiring a consultant short term, to help you make wise choices. Just take their recommendation(s) with a grain of salt. They may have hidden agendas.
good luck !
rdndc
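The post above contrasts static routes with a routing protocol. The following is an added example, not code from any poster in this thread: a small longest-prefix-match forwarding table of the kind a software router consults for static routes. All addresses are constructed (RFC 1918 and RFC 5737 documentation ranges), and the interface names and the "branch office" topology are assumptions made up for the illustration.

```python
"""Longest-prefix-match forwarding table as a minimal model of static routing.

Added example for this thread; not any poster's code. Every address and
interface name below is constructed for illustration only.
"""
import ipaddress
from typing import List, Optional, Tuple


class StaticRoutingTable:
    """Routes keyed by destination prefix; lookup returns the most specific match."""

    def __init__(self) -> None:
        # each entry: (network, next_hop or None for a directly connected net, interface)
        self._routes: List[Tuple[ipaddress._BaseNetwork, Optional[ipaddress._BaseAddress], str]] = []

    def add_route(self, prefix: str, next_hop: Optional[str], interface: str) -> None:
        # strict=False lets an operator write 10.1.2.3/24 and get 10.1.2.0/24
        net = ipaddress.ip_network(prefix, strict=False)
        hop = ipaddress.ip_address(next_hop) if next_hop else None
        self._routes.append((net, hop, interface))
        # keep the most specific prefixes first so lookup can stop at the first hit
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, destination: str):
        """Return (prefix, next_hop, interface) for the best route, or None if unroutable."""
        dst = ipaddress.ip_address(destination)
        for net, hop, iface in self._routes:
            if dst in net:  # version mismatch (v4 vs v6) simply yields False
                return (str(net), str(hop) if hop else None, iface)
        return None  # no route and no default: the packet is dropped


def build_example_table() -> StaticRoutingTable:
    """A two-LAN office router with one ISP uplink and a branch office behind LAN B."""
    t = StaticRoutingTable()
    t.add_route("192.168.10.0/24", None, "eth0")              # connected LAN A
    t.add_route("192.168.20.0/24", None, "eth1")              # connected LAN B
    t.add_route("10.50.0.0/16", "192.168.20.254", "eth1")     # branch office via LAN B router
    t.add_route("10.50.3.0/24", "192.168.10.254", "eth0")     # one branch subnet reached a different way
    t.add_route("0.0.0.0/0", "203.0.113.1", "eth2")           # default route to the ISP
    return t


def next_hops(table: StaticRoutingTable, destinations: List[str]) -> dict:
    """Map each destination to the route the table would choose for it."""
    return {d: table.lookup(d) for d in destinations}


if __name__ == "__main__":
    table = build_example_table()
    for dst, route in next_hops(table, ["192.168.10.7", "10.50.3.9", "10.50.7.1", "198.51.100.20"]).items():
        print(dst, "->", route)
```

Adding a fifth router to this network means editing every table by hand, which is the maintenance burden the post describes; a routing protocol exists precisely to distribute these entries automatically.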
Re:Windows 2k or Linux? (Score:1)
Remember when your router "goes down" and needs to be restarted, Linux on a floppy will take ~1 minute. Win2K on new hardware boots fast but is expensive, and on old hardware will take several minutes.
How long does something have to be broken before *your* phone extension starts ringing off the hook?
Of course, if you have the dough then a Cisco somethingerouter looks great on that rack!!
:-)
Performance and cost perks: go hardware (Score:2)
As an admin, you want something that is configurable, stable, and low maintenance. Something you can set up right and be done with it. If you are in a serious working environment, go hardware. Less to no security concerns, faster routing (see above explanation. If you don't believe it yourself, run a traceroute to anywhere, and a few quesos along the latent IPs.) no headaches, and low maintenance. In case you are afraid of Linux bias, know without a doubt I would take a cisco over a linux box any day in a true work environment. With Win2k, you got a case, cdrom, floppy, monitor, and tons of BS a router just doesn't need. With a cisco, you got a cute, small, black box that can sit in a corner. And if you want to fall for the spin in that document about how you can do this/that/otherthing with Win2k, like the dial on demand modem connection, and want this kind of added bells and whistles for your routing solution, grab a Cobalt Qube. Same functionality, less maintenance, less security concerns, and you won't have some janitor turn it off hoping to get to play Solitaire on it.
From a professional standpoint, use the right tool for the job. Use a router if you are routing. Using a win2k box instead is like trying to change spark plugs with a leatherman.
Don't forget to take into account cost, either. Win2k licensing, for the server version, is hefty enough you could pick up a router to do the job for the cost of licensing the software alone. Use the extra to talk the bosses into a laptop.
Toodles
Re:Windows 2k or Linux? (Score:1)
Dedicated is better, but... (Score:3)
For modern hardware, there's no appreciable performance difference for the kinds of loads most people will see. For one of my clients, I set up dual Celeron-based Linux boxes as routers. One is the active router, and the other is a hot spare, automatically failing over if anything happens to the primary. (Kudos, BTW, to the folks at the High Availability Linux Project [linux-ha.org].)
This solution happily routes about 15 Mb/s around the clock, and I've tested it up to 100 Mb/s. Total cost for the pair was about $3200 in 1U rackmount cases. I can run all the latest Linux security tools on them. And other Linux sysadmins can work on them without learning, say, Cisco's arcane configuration language.
So a dedicated router may be better on the same hardware, but using a full-blown OS can make a lot of sense.
As a Media Converter for Temp and Low Traffic (Score:1)
Re:System speed. (Score:2)
The Cisco PIX firewall has a P-II processor on its own operating system, and can filter 170Mbps.
Re:What do you want to route? (Score:1)
My local computer shop has NICs cheap and easy, for nearly whatever network/connection I need, which run just fine on my linux router. When the surge comes down a network line, how much bux and how long does it take to replace that port on the dinky cisco? Can you replace it at all?
Not having used any sort of dedicated router I can't compare ease of use; I grant that building anything more than moderately complex out of PC parts and free software isn't gonna be anything like as easy as buying. It's much cheaper. Administering is about the same, I think: Once it's set up, it just runs.
Of course, there is the most telling argument, the source availability. Even if someone else doesn't fix a problem for me (usually before I'm aware of its existence), I've got a shot at fixing it myself. That's a comfort that as far as I know just ain't available from dedicated vendors.
There are other arguments, rehash until satisfied...
Several reasons why not: (Score:3)
Hardware: A PC relies on too many moving parts, too many points of failure. Hard drives crash, and then you have to reinstall, restore from backups (you are going to make backups, right?). A hardware router has no moving parts except for a fan or two. Backing up a cisco's running-config is trivial, and easily transferred to a replacement router if there ever is a catastrophic hardware failure.
Data-Link Layer: Who's on the other end of the line, and what protocol do they want you to speak? What card are you going to find to drop in the PC that speaks X.25, or HDLC, or whatever? If you can find them, how much do they cost? Do you trust the manufacturer?
Network Layer: What routing protocol do you need to speak? BGP4, EGRP, IGRP, EIGRP? Forget using a PC. Even Zebra for Unix isn't mature enough, unfortunately.
Administration: Sure, Cisco's command-line is archaic. But it quite elegantly allows someone who knows what they are doing to do exactly what they need to do, without going through all the bullshit of a gui. There's also having to deal with all the administration responsibilities of configuring a full-blown PC hardware and OS, even for stuff in the OS you won't ever be using, as opposed to the administration of a hardware router which is, when it boils down to it, merely a matter of enabling the services you need, without ever having to touch anything you don't. Furthermore, as stated above, a cisco's entire configuration is contained in a single text file, and can be backed up and restored easily; the same is obviously not true of a PC based solution.
Upgrades: Do you want to have to administer Service Packs to your Windows2000 router? Upgrading a cisco's IOS is almost as trivial as restoring its running-config.
I hate to sound so one-sided. But the fact is that in a production environment it is professionally irresponsible to go with a solution other than that which is best suited for the task. A dedicated, hardware based router is much better suited for the task than a PC based router.
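The post above rests on the router's whole configuration living in one text file that is backed up and restored as a unit. One thing a defender gets from that property is cheap drift detection: compare the saved backup with what the device is currently running. The block below is an added example, not any poster's code; the two config texts are constructed, and their IOS-like syntax is only a stand-in for whatever the device actually emits.

```python
"""Detect drift between a router's backed-up config and its running config.

Added example for this thread; not any poster's code. Both config texts are
constructed for illustration and use IOS-like syntax purely as a stand-in.
"""
import difflib
import hashlib
from typing import List, Tuple

# Constructed "last known good" backup of the device configuration.
BACKUP_CONFIG = """\
hostname edge-rtr
interface Serial0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
"""

# Constructed running config: a static route appeared and the management
# line lost its access-class and now also accepts telnet.
RUNNING_CONFIG = """\
hostname edge-rtr
interface Serial0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
!
ip route 10.99.0.0 255.255.0.0 203.0.113.1
line vty 0 4
 transport input telnet ssh
!
"""


def normalise(text: str) -> List[str]:
    """Drop blank lines and '!' separators so cosmetic differences don't count as drift."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and ln.strip() != "!"]


def fingerprint(text: str) -> str:
    """Stable hash of the normalised config; store it beside the backup for quick checks."""
    return hashlib.sha256("\n".join(normalise(text)).encode("utf-8")).hexdigest()


def config_drift(backup: str, running: str) -> Tuple[List[str], List[str]]:
    """Return (lines added to the running config, lines removed from it)."""
    diff = difflib.unified_diff(normalise(backup), normalise(running), lineterm="", n=0)
    added, removed = [], []
    for ln in diff:
        if ln.startswith(("+++", "---", "@@")):
            continue  # skip diff headers and hunk markers
        if ln.startswith("+"):
            added.append(ln[1:])
        elif ln.startswith("-"):
            removed.append(ln[1:])
    return added, removed


if __name__ == "__main__":
    if fingerprint(BACKUP_CONFIG) != fingerprint(RUNNING_CONFIG):
        added, removed = config_drift(BACKUP_CONFIG, RUNNING_CONFIG)
        print("added:", added)
        print("removed:", removed)
```

Run against a real backup and a fresh copy of the running config on a schedule; a changed fingerprint is the alert, and the line-level diff is what the on-call engineer reads to decide whether the change was authorised.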
I'll second that, use old hardware and a free *nix (Score:1)
I use an old alpha box (233MHz old) for firewall, email, dns, ip masquerading, junkbuster and squid. It sits in the closet all the time and it's rock solid. The day that I converted from isdn to dsl I had to take it down to add another NIC. Uptime was ~350 days.
"Alternative" architectures like the axp also provide additional security against some exploits like buffer overflows built for x86...
Re:System speed. (Score:1)
Re:I'll second that, use old hardware and a free * (Score:1)
Can it really be considered a "firewall" if you run DNS, mail, squid?
:-)
Re:What do you want to route? (Score:1)
I did acknowledge that you could use a PC to link together a variety of legacy network protocols. If you're in a small company and you're fortunate enough to have the IT equivalent of a handyman/jack-of-all-trades who'll be working for the company forever, go for it. If your IT handyman ever leaves you'll wish you'd gotten a Cisco up front because the next IT handyman will probably declare that the first one's jury-rigging is crap.
If you are the IT handyman and you don't mind (or perhaps like the idea of) screwing the company when you leave then go ahead and patch something together. And make sure not to leave any network architecture diagrams laying around where someone might find them.
NT Software router info (Score:1)
NT doesn't do BGP so making a NT server a dedicated router on the Internet will not work, but for a small network or internal network it can do the trick. I am not sure Linux does it either but I am sure someone is looking into it.
There is a really good article in this month's Windows 2000 zine that talks about software routing vs hardware. You can read the article off the web if you want.
The_Toddler
Re:I'll second that, use old hardware and a free * (Score:1)
A friend of mine had a 486 DX2/66 running a mongrel form of Linux working as his firewall, router, samba server, web server, and distributed.net client IIRC. The damn thing was up for almost 500 days before he accidentally unplugged it cleaning up his apartment.
He had often wondered if it qualified as the longest running 2.2.x system since he had started it up basically as soon as 2.2.3 came out. He had upgraded libraries and software on it of course, but not the kernel because of the need to reboot for that. I think it was a great illustration of another reason why *nix is so great for uptime that Microsoft is only NOW figuring out... reduced reboot situations.
Of course the machine is back up now, he was able to upgrade it with a DX4/100 overdrive chip... I dunno if he upgraded the kernel. I guess he will be shooting for a new record soon ;).
Maybe someone should make a hall of fame for these boxen where you can post your uptimes.. the important thing about uptime is you have to be able to go and type the command.. Microsoft, sitting there on and frozen while some fool from Ziff Davis holds a stopwatch doesn't cut it.
Re:I'll second that, use old hardware and a free * (Score:1)
Sure can. First off squid is a proxy service so it makes perfect sense to me on a firewall. DNS doesn't necessarily have to be on the firewall, but it does talk to the outside world, so it might as well be. Ditto with mail. The point is, if you are not running these services on your firewall you would have to port forward to the box that does run them, giving you more boxes to harden.
The machines inside the firewall are usually running more services, are accessible to more users, and generally are tougher to harden and keep that way because of that. The firewall should never be touched except perhaps for security updates, and therefore is a safer place to host these services.
Of course there are advocates for port forwarding from a firewall that does nothing else, and ideally every system in your operation should be secure as hell, but PHB's who don't care about security and in fact undermine it regularly but will blame YOU if the l337 5kr33p+ |After all, look what happened to Yahoo, etc. They blame the kiddeez, but I see classic signs of PHB activity, which would be the real culprit.
Re:I'll second that, use old hardware and a free * (Score:1)
Sure can. First off squid is a proxy service so it makes perfect sense to me on a firewall. DNS doesn't necessarily have to be on the firewall, but it does talk to the outside world, so it might as well be. Ditto with mail. The point is, if you are not running these services on your firewall you would have to port forward to the box that does run them, giving you more boxes to harden.
The machines inside the firewall are usually running more services, are accessible to more users, and generally are tougher to harden and keep that way because of that. The firewall should never be touched except perhaps for security updates, and therefore is a safer place to host these services.
Of course there are advocates for port forwarding from a firewall that does nothing else, and ideally every system in your operation should be secure as hell, but PHB's who don't care about security and in fact undermine it regularly but will blame YOU if the l337 5kr33p+ k1dd33z come knocking are a factor in this equation. Especially since you will probably not be given the time you need to get every machine properly secured; you will be lucky to get the firewall.
After all, look what happened to Yahoo, etc. They blame the kiddeez, but I see classic signs of PHB activity, which would be the real culprit.
As a sidenote, I would like to add that it is too bad that one cannot change comments. It appears that thanks to the trolls you cannot post any similar comment after posting one before. They seem to get away with it anyway though. I know there is a preview button, but hey, who knew that an html page would try to use a pipe. Now in order to make my comment not look like total garbage, I have to add this rant to the end of it. Oh well.
Re:offtopic: main page (Score:1)
Kept getting that all day recently... oh well, "No Slash for you!"
Re:System speed. (Score:1)
The 4 things you need to know. (Score:2)
Re:What do you want to route? (Score:1)
IT managers such as the one you describe (hope it's not you) were the who-are-you-gonna-sue-if-it-breaks-please-buy-NT types who couldn't bear Linux in the business...do I see a pattern here???
Hugonz
Re:What do you want to route? (Score:2)
I've maintained both small Cisco routers (1500, 2501, 4500) and Linux boxen, and the Linux boxen are both more intuitive and easier to troubleshoot.
Granted, they won't handle the throughput of Cisco big iron; but we're not talking about that.
A Linux box will handle a couple T1s with no problems, and I can set up a much nicer firewall, and any other services I might need, with little fuss.
Since you're usually going to need other services anyway, you might as well not spend the extra bucks on a dedicated piece of hardware that's going to gain you nothing but another platform to support.
--