FOSS Router solution

Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Greetings:

I am trying to find a good replacement for our Cisco 2610 router. I have looked at the routing features of pfSense, Vyatta, Quagga, BSDRouter and a few others and I was wondering if anyone has any experience with these in the enterprise. Cost is a major issue here and we only need a box to terminate our WAN connections into.

Comments

  • Met44Met44 Member Posts: 194
    For someone with Cisco experience, the nice thing about Quagga is that you can configure it using IOS syntax through the vty shell. Vyatta and XORP syntax will be familiar to JunOS users.

    Another difference is that the Vyatta CE distro provides services like DHCP through the shell, whereas with something like Quagga you will need to install and configure those separately (which might be good if you also want to gain experience with Linux services).
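    To illustrate the IOS-style syntax mentioned above, here is a minimal Quagga configuration as it would appear in `vtysh` with `show running-config`. This is an added example, not part of the original post; the hostname, addresses, interface names and access-list name are assumed, and the passwords are placeholders. It also shows the two settings a practitioner should not skip on a WAN-facing box: a password on the vty, and an `access-class` that limits who can reach the vty at all.

    ```text
    ! Assumed example configuration (not from the original thread).
    ! Quagga's zebra daemon; router daemons (ospfd, bgpd) use the same syntax.
    hostname edge-rtr
    ! Placeholders: set real, distinct values before use.
    password <vty-password>
    enable password <enable-password>
    log syslog informational
    !
    interface eth0
     description WAN uplink (assumed addressing)
     ip address 203.0.113.2/30
    !
    interface eth1
     description LAN (assumed addressing)
     ip address 192.0.2.1/24
    !
    ! Default route toward the provider; forwarding itself is done by the kernel.
    ip route 0.0.0.0/0 203.0.113.1
    !
    ! Restrict vty (telnet/vtysh) access to the management subnet only.
    access-list mgmt-only permit 192.0.2.0/24
    access-list mgmt-only deny any
    !
    line vty
     access-class mgmt-only
    !
    ```

    Anyone who has typed `configure terminal`, `interface`, `ip address` and `line vty` on IOS will recognise every line; the differences are mostly that Quagga uses prefix-length notation (`/24`) rather than dotted masks, and that each protocol lives in its own daemon with its own config file.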
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Cool. Have you ever used one in production?
  • Met44Met44 Member Posts: 194
    Nope. Using Quagga in a testbed at work.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Met44 wrote: »
    Nope. Using Quagga in a testbed at work.


    I see. Did you think it was "Enterprise ready"? I was looking at either building a box or 2 or buying some Cisco 2811s and we are trying to save money. We are running a 2610 right now and it has to go.
  • MentholMooseMentholMoose Member Posts: 1,525 ■■■■■■■■□□
    knwminus wrote: »
    I see. Did you think it was "Enterprise ready"? I was looking at either building a box or 2 or buying some Cisco 2811s and we are trying to save money. We are running a 2610 right now and it has to go.
    Last year a BGP routing update triggered a bug in Quagga and a few thousand networks went down, so it's seeing fairly wide production use:
    AfNOG Takes Byte Out of Internet - Renesys Blog
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Last year a BGP routing update triggered a bug in Quagga and a few thousand networks went down, so it's seeing fairly wide production use:
    AfNOG Takes Byte Out of Internet - Renesys Blog

    That concerns me. But I guess if we have Cisco gear w/o SmartNet, it is basically the same as a FOSS solution. I mean support-wise. The question is going to be whether I want to build a box or not, and cost of course.
  • Met44Met44 Member Posts: 194
    I would suggest investigating the respective sites for rate of releases and bug reports (both open and solved), to determine if this is something you want to use in production. Those are usually good indications of what you might expect in the future from each project. That said, Quagga has been around for quite a while and seems to have development wind behind it. I haven't evaluated it for production purposes, so I don't know a lot of what you're interested in.

    As far as bugs go, it's notable that since the routing of packets is still handled by the kernel, a good chunk of the complexity in being a "router" is handled by some of the most used and tested code in the world. So it's more likely the protocol implementations (like the above link shows) that one might be worried about with any of these projects. As a commenter on that link pointed out, it does help to be able to tweak the code if something goes wrong -- but even if you can't, at least you can apply patches generated by the community. Support will depend on the communities around the project, although there are many companies that offer support for Vyatta and to a lesser extent Quagga.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    I don't think you're spending enough time factoring in the cost of items such as support, downtime, working around bugs, etc. Those things can often cost more than the hardware/software, so don't just look at the initial sticker. Come up with estimates of how much the devices will cost to operate over 3-5 years and compare those numbers.

    Don't get me wrong, I <3 things like pfSense, and I'm not necessarily saying don't go with them. You just need to evaluate all those other costs as well.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    pfSense offers commercial support but my main concern is this: if we cannot or we choose not to get support on our routers and one goes down, how much of a pain is it going to be for me to get one back up and running? I am pretty sure that since we wouldn't have vendor support either way, having at least community support with updates is better than nothing.


    @DYN

    Believe you me I am thinking about that. My fellow admin seems to think it wouldn't be too hard to set up a pfSense box or something like it. Personally I am starting to lean towards the Cisco boxes but I need to present at least two options.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    knwminus wrote: »
    pfSense offers commercial support but my main concern is this: if we cannot or we choose not to get support on our routers and one goes down, how much of a pain is it going to be for me to get one back up and running? I am pretty sure that since we wouldn't have vendor support either way, having at least community support with updates is better than nothing.


    @DYN

    Believe you me I am thinking about that. My fellow admin seems to think it wouldn't be too hard to set up a pfSense box or something like it. Personally I am starting to lean towards the Cisco boxes but I need to present at least two options.

    Have you estimated how much it would cost the company per hour of downtime and how many additional hours of annual downtime would result from an unsupported option? How long would it typically take the community to respond to your problems? That should make the decision whether to purchase support pretty clear.

    While 60 users isn't enormous, I have a hunch that support on critical pieces of network infrastructure would more than likely be justified. Who knows though, maybe you guys can get by without connectivity for extended periods of time and not even be inconvenienced. It depends on the business.

    Also, remember that setting things up can often be the easiest part. Being able to properly maintain the service, troubleshoot problems effectively, and get replacement parts in a timely manner can be much more problematic. pfSense is slick, and you could probably get things working with a few clicks. Do you have the expertise to address any issue that may arise (I'm not saying or implying you don't)? Will the solution meet projected needs down the road? What if you, or whoever, isn't available? What happens then? Would your manager know how to go to X community and solicit support? What about in the event of someone getting fired or moving on? What happens if there's a problem in the scenario of the expert being unavailable? Those are just some things to think about...

    Sorry for that sort of deteriorating into a ramble. I'm falling asleep, but I HTH.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    No, you're 100% correct. This is all new for me. Remember my last job was working in a NOC, 100% on the support side. This is totally on the other side of the spectrum.


    Do I feel I have the expertise to solve any and every problem? Probably not. I mean I just learned about this system a few days ago. I have read the admin guides but I know I don't know everything. The same goes with Cisco though. I mean I am not some CCIE x10 with 20 years of networking experience and I know passing the NA isn't going to teach me how to solve every issue. And yes, I have thought about how much it would cost the company. I also know that our existing setup is a ticking time bomb and we have got to upgrade our 2610. I mean it's running half duplex for heaven's sake. So basically what it is going to come down to is what am I going to be able to support the quickest. I know a little about Cisco and I think that picking up a 2811 and running with it would be easier than pfSense. It would be more initial cost for the 2811 but depending on what happens it could be the "better" option. Idk....
  • kalebkspkalebksp Member Posts: 1,033 ■■■■■□□□□□
    knwminus wrote: »
    I am pretty sure that since we wouldn't have vendor support either way, having at least community support with updates is better than nothing.

    I look at that from a different perspective. Cisco and IOS are probably the best-known networking company and networking OS; people that understand them are relatively easy to find and relatively cheap. This is important both for support and so that you can be replaced in the event that you leave. It may be very hard and expensive to find someone with the skills to manage a "non-standard" solution, at which point the best solution may be to totally replace the system.

    That being said, I am no opponent to open source and have deployed open source solutions for an employer before, though I was upfront about the pros and cons, which is always the best way to go.

    Research the options, decide which you think will be best, then explain the pros and cons of each option and why you selected the one you did. Ultimately the final decision should be left up to management, in my opinion.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    kalebksp wrote: »
    I look at that from a different perspective. Cisco and IOS are probably the best-known networking company and networking OS; people that understand them are relatively easy to find and relatively cheap. This is important both for support and so that you can be replaced in the event that you leave. It may be very hard and expensive to find someone with the skills to manage a "non-standard" solution, at which point the best solution may be to totally replace the system.

    That being said, I am no opponent to open source and have deployed open source solutions for an employer before, though I was upfront about the pros and cons, which is always the best way to go.

    Research the options, decide which you think will be best, then explain the pros and cons of each option and why you selected the one you did. Ultimately the final decision should be left up to management, in my opinion.



    I didn't think about that. The final decision will be the CITO's but she wants something effective and low cost. Either option will work but they will be very different animals to support. Since it will be me primarily supporting it, I want to make it as easy on me as possible while giving us the flexibility and scalability that our business says.
  • varelgvarelg Banned Posts: 790
    As far as cost saving attempts, something I hope we all noticed: the poor always pay twice. Pinching the penny may cost you two.
    Anything with "community" in the name scares even the keyboard that I am typing on. But this is only my experience. I would imagine community support is good enough for in-house experimentation or educational purposes. On production machines however, that may very likely mean a lot of DIY.
    At a certain point, the chiefs have to decide on something. Just make sure they get all the options and especially how much cheap costs.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I've looked at the options and I think I am going to try to get them to get a Cisco 2811. I have looked at ease of setup and learning curve and while I KNOW I could get pfSense to work how they want it, I don't think our board of trustees are that progressive. Oh well. I am still going to use it at home.


    Now as far as monitoring, I think Alienvault will fly, but that is another thread.
  • L0gicB0mb508L0gicB0mb508 Member Posts: 538
    knwminus wrote: »
    I've looked at the options and I think I am going to try to get them to get a Cisco 2811. I have looked at ease of setup and learning curve and while I KNOW I could get pfSense to work how they want it, I don't think our board of trustees are that progressive. Oh well. I am still going to use it at home.


    Now as far as monitoring, I think Alienvault will fly, but that is another thread.

    I love open source software, but I think this is one of those situations you should look at a commercial solution. You don't have a big network, but I think the Cisco routers are the way to go.
    I bring nothing useful to the table...