nanog mailing list archives

Re: PC Routers (was Re: /24s run amuck)


From: jlewis () lewis org
Date: Wed, 14 Jan 2004 17:49:15 -0500 (EST)


On Wed, 14 Jan 2004, Stephen J. Wilcox wrote:

> Have been discussing PCs for a bit but as yet not deployed one, as I
> understand it a *nix based PC running Zebra will work pretty fine but
> has the constraints that:
>
> o) It has no features - not a problem for a lot of purposes

Which "no features"?  I haven't played with zebra yet, but my 
understanding is that it supports a large subset of the IOS BGP config 
language including application of route-maps to incoming/outgoing routes, 
and therefore things like prepending, setting metrics or preference, etc.  
Am I mistaken?

> o) On a standard PCI but your limit is about 350Mb, you can increase that to a
> couple of Gb using 64-bit fancy thingies

The application where I'm caring for one of these is around a dozen T1's
to several different transit providers on a Gateway router.  According to 
Imagestream, this router can handle up to 1 OC3 at "wire speed".  We're 
obviously not pushing anywhere near that through it.  The same customer 
has a handful of Rebel routers used for T1s/ethernets within their 
network.

> o) This may be fixed but I found it slow to update the kernel routing table
> which isn't designed to take 120000 routes being added at once
>
> Icky, could perhaps cause issues if there's a major reconvergence due to an
> adjacent backbone router failing etc, might be okay tho

I've never timed it, but I haven't noticed it taking routes any slower 
than the ciscos I'm used to.

> o) As it's entirely process based it will hurt badly in a DoS attack
>
> This is a show stopper. I need the box to stay up in an attack and be responsive
> to me whilst I attempt to find the source.

But it's got so much more CPU power than comparably priced ciscos...and 
most of the cisco gear I've worked on doesn't do terribly well under 
DoS...so I don't see a distinction here.  Either way, getting DoS'd sucks, 
but I've never seen a DoS hit any of the Imagestreams, so I don't know how 
it copes.

> I'm not an expert in PC hardware, so I do struggle to work out the
> architecture that I need and I'm sure it's possible to build boxes that
> are optimised for this purpose however I'm still not convinced that the
> box can keep up with the demands of day to day packet switching - I'd

Their bigger routers, I'm pretty sure, have multiple PCI buses, so if you 
wanted to push lots of traffic, careful planning of which bus you put each 
card in may make a difference.  Their tech support is pretty responsive, 
so they'd be the place to go with technical/architectural questions.

Another nice feature is with iptables, they can now do stateful 
firewalling / connection tracking.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
