On Fri, Dec 27, 2013 at 1:33 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Thu, 26 Dec 2013 11:16:53 -0800, Seth Mattinen said:
On 12/26/13, 9:24, Andrew D Kirch wrote:
If he can afford a 10G link... he should be buying real gear... I mean, look, I've got plenty of infrastructure horror stories, but let's not cobble together our own 10gbit solutions, please? At least get one of the new MikroTik CCR's with a 10gig SFP+? They're only a kilobuck... If you can't afford that I suggest you can't afford to be an ISP.
Unless all the money is going into the 10 gig link.
If you've sunk so much into the 10G link (or anything else, for that matter) that you don't have a kilobuck to spare, you're probably undercapitalized to be an ISP.
I have an issue with this line of thought. Granted, a router is built with custom ASICs and most network people understand IOS. However, this is where the benefit of a multi-thousand buck router ends. Most have limited RAM, so this limits the size of your policies and how many routes can be stored and the like. With a computer with multiple 10s or 100s of gigs of RAM, this really isn't an issue. Routers also have slow-ish processors (which is fine for pure routing since they are custom chips, but) if you want to do packet inspection, this can slow things down quite a bit. You could argue that this is the same with iptables or pf. However, if you just offload the packets and analyze generally boring packets with snort or bro or whatever, packets flow as fast as they would without analysis. If you have multiple VPNs, this can start to slow down a router whereas a computer can generally keep up. ... And then there's the money issue. Sure, if you're buying a gig+ link, you should be able to afford a fully spec'd out router. However, (in my experience) people don't order equipment with all features enabled and when you find you need a feature, you have to put in a request to buy it and then it takes a month (if you're lucky) for it to be approved. This isn't the case if you use ipt/pf - if the feature is there, it's there - use it. And if a security flaw is found in a router, it might be fixed in the next month... or not. With Linux/BSD, it'll be fixed within a few days (at the most). And, if your support has expired on a router or the router is EOL, you're screwed. I think in the near future, processing packets with GPUs will become a real thing, which will make doing massive real-time deep packet inspection at 10G+ a real thing. Granted, your network people knowing IOS when they're hired is a big win for just ordering Cisco. But I don't see that as a show stopper.
Stating the scope of what a box is supposed to be used for and not putting endless crap on it might be another win for an actual router. However, this is a people/business thing and not a technical issue. Also, I'm approaching this as more of a question of the best tool for the job vs. pure economics - a server is generally going to be cheaper, but I generally find a server nicer/easier to configure than a router.