Cisco To Develop Third-Party APIs For IOS

MT628496 tips a Computerworld article on Cisco's announcement that it plans to build IOS on a UNIX kernel, in modules, and allow third-party developers to access certain parts of it. IOS has traditionally been a closely guarded piece of software without any way for anyone to add functionality. No timetable was given for when APIs will be available. A Forrester analyst said, "...the network is one of the least programmable pieces of the infrastructure. The automation and orchestration market is far more oriented towards servers, storage and desktop environments. The ability to dynamically change the network is a missing component." The article mentions that Juniper Networks had announced on Monday its own developer platform for Juniper routers, and it's available now.

A little confused about this

[the_humeister]

Wouldn't this make the networking equipment more prone to attacks?

Re:

[unixan]

Most networking equipment these days have a separate "admin" interface from the rest of the "traffic" interfaces. The intent of that is you can secure the "admin" connection and only access admin functions (like APIs) through that.

But as bright as some some Senior Network Engineers (with a string of letters after their name) are, yes, you can count on an increase of vulnerabilities!

Cisco is a late-comer to this game, by the way. Some other (even popular) network vendors are based on unix/linux with a rich

Re:

[giminy]

Most networking equipment these days have a separate "admin" interface from the rest of the "traffic" interfaces. The intent of that is you can secure the "admin" connection and only access admin functions (like APIs) through that.

Nobody ever made a mistake in either software implementation of this kind of access scheme, and nobody ever made a mistake in deploying such a system.

You pretty much nail it on the head, this is going to result in an increase in (scary!) vulnerabilities. If an attacker can take a

Re:

[Martin Blank]

Taps are often the recommended method of handling IDS now if you're not doing it in-line. However, if someone can see which ports are mirrored, there's a good chance that they can figure out which interfaces are handling the most traffic, and so more likely to be on IDS (if one's IDS deployment is more on the limited side, that is).

Re:

[brucifer]

As is, Cisco already has plenty of vulnerabilities. Heck, I ran across a particular packet sequence from my VA tool that killed one of my Cisco routers and I wasn't even scanning the router!

It will be interesting to see what they do with it. As much as I love IOS, it isn't the most intuitive piece of code in the world so a SDK could make things a little easier. Of course, it could also go no where.

Thank you for asking my question

[Khyber]

Hate to say it, but security thru proprietary technology is nice in this case, IMHO. The less the technology controlling our network is exposed, the better, in some cases. Sadly, vice-versa is true. It's a trade-off, but it is still better than everyone being able to look at it and go "Oh, THAT'S how we shut down and infiltrate major networks!"

Re:

[Antique Geekmeister]

What you've actually described is security through obscurity.. Being proprietary does not keep it unpublished. The "proprietary technology" source code and utilities have been repeatedly stolen, published, and republished among the cracker crowd, and the tools they write get released and circulated among the script kiddie crowd eventually. And Cisco has repeatedly engaged in really unfortunate security standards for decades, with a lack of reporting of the incidents for both non-disclosure reeasons, and an

Re:

[Tony Hoyle]

The problem with IOS is every release breaks something different.. so if cisco says there's a security vulnerability well there's not a lot you can do - you get a release that works for you and never update it, because the downtime of having that release possibly having a bug in something you use and the general slowness of TAC (took me 6 months to get them to fix one bug for example.. they demand dozens of packet dumps etc. and it takes up a fair amount of time even though the bug I found was 100% reproduc

Re:

[stefanlasiewski]

Proprietary technology doesn't provide absolute security. If the code is exposed, or if crackers are secretly able to probe a system to determine how it works, the device can become vulnerable to attack. Cisco doesn't always inform it's clients of new vulnerabilities to it's hardware.

A few years ago, someone leaked portions of Cisco IOS source code [com.com]. I forget if this ended up being a hoax.

Hmmm.... a Unix based kernel?

[flydpnkrtn]

I wonder if they'll license something like QNX, or port one of the BSD kernels over. I can't imagine they'd use anything with the GPL, this being proprietary-out-the-ass Cisco after all.

Re:

[larry bagina]

They use Linux in some Linksys boxes.

Re:

[mrmeval]

Only because the bought linksys and got that as a bonus. I suspect they'll rape that as soon as they can.

Re:

[Tony Hoyle]

The newer linksys boxes do *not* use Linux, only the ones they inherited when they bought the company.

I can't see cisco policy changing.. they'll use a proper embedded OS or simply open IOS to certain plugins without changing the OS at all.

Re:

[flydpnkrtn]

Yes I know from personal experience new Linksys boxes (greater than v5 I believe) run VxWorks as their OS. You can flash DD-WRT micro to them though, which in my experience has made a huge difference in their stability

A quick search revealed this article: http://www.linuxdevices.com/news/NS4729641740.html [linuxdevices.com]

Re:

[nick5546]

From what I understand, IOS-XR IS already based on QNX (from what I remember, the codename for the project was Chaos, but not sure...)

Re:

[Phishcast]

Not so fast -- Their whole line of MDS Fibre Channel switches are Linux underneath. There's even a GPL notice that comes up when they boot.

Re:

[fwr]

And so are their IPS sensors. And so is MARS.

Speaking as a Cisco engineer...

[Anonymous Coward]

...even we're not sure. Different parts of the company have experimented with all of the above options.

Re:

[imp]

I wonder if this is related to the following post on the FreeBSD jobs list.

http://www.freebsd.org/cgi/getmsg.cgi?fetch=0+4570+/usr/local/www/db/text/2007/freebsd-jobs/20071209.freebsd-jobs [freebsd.org]

Re:

[Bert64]

Cisco make a lot of devices which are linux based...
Their current version of call manager runs on linux
Their old IDS boxes ran on linux
The current series of ASA boxes run on linux
And a lot more too i would imagine.

Re:

[Huh?]

Can you substantiate the ASA statement? Links..etc would be useful.

Re:

[fwr]

The ASA does not run Linux, although the IPS AIP-SSM does. All their IPS devices still run Linux. Interestingly, you can get them to run under a VMware session. You can also run IOS code using dynamips, and you can run PIX code (but not ASA code) using pixemu.

Re:

[flydpnkrtn]

I know this is a bit of a late reply, but what the hell.

Just because their IOS binary images are tar'd up, does not imply automatically that anything they make is necessarily Unix-based. Hell, technically I could tar up all of C:\WINDOWS, and at the end of the day that file has nothing to do with the GPL, or being Unix based, or whatever

More like...

[SuperBanana]

When Company A announces they've done something already- and Company B announces they will, that's more like the "Company-B-caught-with-pants-down-and-family-jewels-showing department."

Cisco's response is laughably cliche...

Re:

[arivanov]

And who cares anyway. They are talking about this like it is rocket science.

I have done that for a living for nearly 10 years now and frankly it is trivial (at least for Cisco). There is _NO_ rocket science in it. It takes a couple of weeks tops for someone who is good in both software development and network engineering to write one. There is no need for an extra API. The techniques on how to deal with IOS are well known.

The problem is elsewhere. The problem is "what to orchestrate?". Data modelling a netw

Long Time Coming

[bignetbuy]

JunOS, which sits on a FreeBSD kernel, has had the modular ability since forever now. Certain versions of JunOS allow individual core system processes to be restarted without taking down the router or requiring a reboot. Glad to see Cisco is getting with the program.

Re:

[Burdell]

I think all versions of JUNOS allow individual processes to be restarted. Different versions have different processes (for example, PPP is in the kernel for most versions, but it is being moved to a user-space process). Juniper also already works with third-parties for hardware. For example, on the J-series, you can get a PIM that has an Avaya PBX in a slot.

Re:

[bignetbuy]

That is impressive. Thanks for the info about all versions supporting process restarts. I must have mixed up vendor C with Vendor J. Cisco's IOS XR has that feature but the regular Cisco IOS does not.

It is fun watching these two companies go head to head.

Enron Broadband tried to work with CIsco on this

[addikt10]

Enron Broadband was working on this with Cisco starting in 1998. In fact, they bought two companies to try and make this happen. They told everyone that automatic provisioning was the wave of future.

Think of a Tibco like messaging layer allowing automatic provisioning of more or less bandwidth between carriers throughout the day as companies need it (for real time communications or nightly data warehouse creations.... Whatever).

10 years later it actually gets implemented.

Interesting, but...

[Zen]

Cisco IOS has already been running in house (for development purposes) on Unix for years. They call it IOU (IOS on Unix). It is a closely guarded secret. Supposedly it is fully featured and can emulate as many routers with as many interfaces as you want, all on one Solaris system. Supposedly Cisco employees get in trouble (fired??) for even mentioning its existence and certainly if they ever gave access to somebody, and only a very small number of Cisco employees even have access to it. It wouldn't be

Re:Interesting, but...

[the_humeister]

Haha! Next you're going to tell us that Apple has an in-house x86 version of OS X which they use as a sanity check for their code. I'm not falling for that one again...

Re:

[Tony Hoyle]

It is a closely guarded secret.

Clearly not *that* closely guarded..

Re:

[dodobh]

Not a Cisco employee, but I have seen it in action last year. IOU runs on Intel Macs, and Linux definitely. I was told that it also runs on FreeBSD, but didn't see it in action on that OS.

Re:

[netik]

Closely guarded secret?

When I interviewed there they showed me the emulation farm they use to test IOS. It's no secret.

They emulate everything from the route processor to the individual network cards/supervisor modules on Solaris and have a team of admins that maintain the test cluster.

This isn't exactly groundbreaking...

[pLnCrZy]

Extreme Networks has had a fully modular, Linux-based OS for years, called XOS. Individual processes can be cycled without taking down the box, the OS supports scripting (TCL-based), and they provide an API for extending the functionality of the OS though add-on modules.

Juniper does similar things (though I'm not sure to what extent) with JunOS, and Force10 has a *nix (BSD?) -based modular OS in the works as well. It may even be available now.

Good for Cisco. It's about time they stop playing the "We're C

Re:

[geniusj]

FTOS is NetBSD-based, but it doesn't allow shell access like JunOS does. At least, not that I've seen. Juniper and Force10 both make fantastic equipment in their respective segments. The Juniper CLI, though, I think is the best around. For example, I wish they all used 'less' as their pager :-)

Web 2.0 IOS?

[grumling]

"This is a nice sense of direction statement - it says that Cisco understands that SOA and Web 2.0 are fundamentally changing how applications are built"

"According to our router's logfile, your port on the switch has been modded down below the switch's current threshold."

router#show int eth0/0
adds by google:
Get a Juniper router today!
Best deals on Cisco routers: www.cisco4less.com
Sid : 5
Traffic Priority : 0
Maximum Sustained Rate : 64000
Maximum Burst : 0
Minimum Reserved Rate : 0
Minimum Packet Size : 0
Maximum Concatenated Burst : 1522
Scheduling Type : Best Effort
Nominal Grant Interval : 0
Tolerated Grant Jitter : 0
Nominal Polling Interval : 0
Tolerated Polling Jitter : 0
Unsolicited Grant Size : 0
Grants per Interval : 0
Request/Transmission Policy : 0x0
IP ToS Overwrite [AND-mask, OR-mask] : 0x0, 0x0
Current Throughput : 0 bits/sec, 0 packets/sec

May be end-of-life open sourcing

[Animats]

Cisco has been running QNX in their high end routers for several years now. They call it "IOS XR", but it's QNX. Classic IOS, unlike QNX, isn't a protected-mode OS. In classic IOS, everything runs in one address space. They need to get beyond that. So maybe this is just opening up classic IOS as an end of life measure.

Re:

[Anonymous Coward]

Let's clear a few things up.

The QNX used wasn't the operating system "QNX" that most people associate with PC-based embedded systems. It was "Neutrino," a true microkernel with POSIX API's that QNX (the company) started shipping in 1996. This was a completely different and new product from the QNX (operating system) that QNX (the company) had been shipping for many years prior to 1996.

Second, the reason why IOS has run in one (or two) address spaces for so long is easy: think about how you get the fastest p

Re:

[haruchai]

Interesting. But Cisco took too long to realize that they needed a change. They were squeezing every drop
of performance through microcode programming - that gets really difficult really quickly.
Other manufacturers were able to chip away at some of Cisco market share and to
create some rather well performing platforms without having to burden themselves
with such extreme low-level programming.
Not to mention Cisco's customers were getting somewhat tired of being
bled dry for upgrades - I remember pricing out RAM

Look! My carburetor is wearing a beautiful dress!

[Antique Geekmeister]

More seriously, IOS is a high-performance but extremely poor interface toolkit on top of a lot of proprietary hardware. It doesn't matter much which kernel runs on it, unless they've been tuned out of all recognizability to deal with the high load, low latency issues of routing. And the kernels are pretty near the limits of their ability to tune performance to the hardware: the next level up is the compiler, and the next level up is the actual interface. And the extreaordinarily poor behavior of the user in

Support Issues

[pacman on prozac]

Not sure I like the sound of this. It's going to confuse the support for applications quite a lot.

Right now if there's an application problem it is fairly easy to tell where it comes from. You can quite quickly rule out a network problem by checking the basic network traffic works and look at other similar traffic for issues.

However if you move a load of your application logic onto the networking hardware and something starts running slow, unless your app has a lot of benchmarking built in for troubleshooti

I already have IOS on Unix...

[Slashcrap]

...thanks to Dynamips.

I was going to say that it's only of use for training purposes, and can't be used in the real world. But then I noticed a lot of people in this thread advocating the use of consumer routers, and they probably would put emulated IOS on an old PIII and expect it to route 1Mpps. So knock yourselves out, retards.

Re:Get a D-Link or a LinkSys, Routers r a commodit

[Jeremiah Cornelius]

IOS is universally accepted. The model of its tiered, context-determined command structure has been emulated by many. This is including Microsoft, with it's cascaded netsh and other command utilities.

That said, this kind of command navigation sucks. You are trapped in a maze of twisty, little prompts, all alike.

The structure of these commands were determined in antiquity, when embedded networking devices were resource starved for storage and memory. That's pretty clearly not the case today.

Screw IOS, its resistance to simple scripting, and its defiance to be committed easily to memory.

Re:

[DECS]

Isn't Cisco selling IOS-XR based on QNX to accomplish the same thing? Did it not work out, or is it too expensive, or does BSD just sound like a better plan for a modular router OS?

Re:

[phillips321]

I can't believe the first post actually thinks that cisco routers are worthless, what the hell does he think is on the other end of his internet circuit? A linksys router? Cisco routers are very very stable, i work for an ISP and we use cisco throughout. We have plenty of 100MB megastream ethernet circuits going into cisco routers and they never seem to fail. What about MPLS, you really think it is possible to implement MPLS over £50-100 routers? GET REAL!!!

Re:

[atamido]

The first post says no such thing. It simply says that IOS has a very antiquated command system, which it does. If IOS were to break backwards compatibility they would have the opportunity to create a much easier to use and much more flexible ways of doing things. It would be really good in the long run, but is not likely to happen because the short term consequences would probably be so painful.

Re:

[funkboy]

At the moment, IOX only runs on CRS-1 or [propoerly upgraded] GSRs, which pretty much excludes anything in their "enterpise" product portfolio.

Fact is, Cisco has been trying to be all things to all people and dominate every sector of the market that involves gear or software beyond the PC for such a long time that they have lost focus in their core business of making routers, where they are accustomed to market domination. Competitors have caught up to the point where anything short of carrier-grade Cisco

Re:

[mrsteveman1]

I would be surprised if they went and developed something else entirely because QNX itself is POSIX compliant and has been in development for quite a while now, i can't think of any reason to drop it and develop something BSD based for the rest of the routers. It would make little sense outside of the realm of "ZOMG BSD is teh kewl".

For a while IOS XR was only on the CRS-1, and the edge devices have been regular IOS, with all its disadvantages like the single memory space, total lack of memory protection, l

Re:

[MECC]

That said, this kind of command navigation sucks

I don't know - I wish unix had the command parameter prompting system that the shell in IOS has. It's actually really useful. Not sure what the parameters are for any command? Press the question mark key.

You are trapped in a maze of twisty, little prompts, all alike

Actually, the prompts change with context. Configuration mode has a different prompt, and within that mode the prompts change with context indicating what you're configuring

That sa

Re:Get a D-Link or a LinkSys, Routers r a commodit

[Antique Geekmeister]

That's not an OS issue. It's a command interface issue. Much of it is built into bash.

The user interface people writing IOS need to read Eric Raymond's document on user interface, at http://www.catb.org/~esr/writings/cups-horror.html [catb.org]. It applies to closed source interfaces as well.

Re:

[MECC]

That's not an OS issue. It's a command interface issue.

that the shell in IOS has.

Re:

[gtwilliams]

I wish unix had the command parameter prompting system that the shell in IOS has.

zsh
http://zsh.sourceforge.net/FAQ/zshfaq04.html#l44 [sourceforge.net]

Re:

[MECC]

I do find the tab completion handy. The shell in IOS tab completes/lists all the parameters for a given command as well. I haven't found a way to get bash and zsh to do that.

Re:

[mysidia]

What's nice about IOS is unified config; managed from one place (the CLI). Sweeping changes to multiple services can be made in seconds, not minutes, and the changes can be temporary (reversible by reboot), until proper operation is verified.

But also made permanent easily, with no chance of typos in the process of making them permanent. When you're all done and ready to make things permanent, one write mem does that for you, with IOS.

With Linux you may change a kernel option using sysctl, ifconfig,

Re:

[jddunlap]

Screw IOS, its resistance to simple scripting, and its defiance to be committed easily to memory.

The IOS can only be scripted through a recorded telnet session, which is to say not at tall. The command line is counter intuitive and the commands are difficult to remember.

Personally, I used Linux based routers at work. They are dirt cheap, they perform extremely well, they never crash(except when the cleaning lady unplugs them... But that's another story), and they are infinitely more flexible than a Cisco router.

Re:

[mrsteveman1]

The command interface isn't the problem with IOS, the rest of the platform is. You don't really have to remember every little command and every option in IOS because the entire system provides help for every step of every command.

Linux as a routing platform is in some ways much worse than IOS unless you use some sort of usable interface on top of it. My home firewall is an Astaro box (linux) which I'm quite happy with but i would never dream of editing firewall rules (or anything else) by hand on it, like w

Re:

[jddunlap]

Install Shorewall controlling the firewall. Shorewall is far easier to use than raw IP Tables or Cisco ACL's. The whole delete the list and start over part is a real turn off and the syntax is completely stupid. For routing protocols install Quagga. At any rate, if you don't like rolling a Linux router yourself you can always try Vyatta.

Re:

[fwr]

You don't have to delete the list and start over. Mysteriously, if you add and delete lines from a named ACL called "1" it somehow modifies the numbered ACL 1. Whodathunkit?

Most of the commends I've read so far slamming IOS appear to be from unexperienced people.

Ever hear of TCL? That's a script language and available right on the router. You want to script command line changes? That's not a very smart thing to do from a change control and configuration control perspective. Experienced engineers don't

Re:

[jddunlap]

Which brings us back to Cisco routers not being as flexible as a Linux based router.

Re:

[Tony Hoyle]

You can very easily script IOS, just use the copy command to copy a file onto the running confog. This is basic IOS that you should have learned in school.

Re:

[jddunlap]

So... This is event driven how exactly?

Re:Get a D-Link or a LinkSys, Routers r a commodit

[flydpnkrtn]

There are specific reasons a business might need a "real" router though. Cisco's equipment is very modular... it's very easy to throw a VPN encryption module in a router and do tunnels at the router level instead of worrying about RRAS or and OpenSWAN server.

Linksys routers have their uses, especially if you flash them over to Linux with DD-WRT, but they only go so far when you have a branch office of 200 people you need to have securely on the main corporate network. A Linksys wouldn't have the horsepower

Re:

[moosesocks]

The three laws of network hardware:

1) Quality network hardware is expensive. Often frighteningly so.

2) If reliability is even remotely important to you, the expense is easily worth it.

3) Failure to comprehend #2 will almost inevitably cost you your job.

Re:Get a D-Link or a LinkSys, Routers r a commodit

[Enleth]

Ever seen a commodity router under a FULL 100Mbit/s load, let alone gigabit? They drop packets, mangle packets, route wrong packets... That is, until they hit a buffer overrun, overheat or just reboot repeatedly for no clear reason. They're not meant for serious use. They're designed to be actually capable of handling whatever Joe Average can do with his home network and nothing more. Because they're commodity hardware. Cheap crap, that is. Period.
People buy those expensive, rackable switches and routers because they want something *reliable* for *serious* use that absolutely requires reliability.

Re:

[sjames]

People buy those expensive, rackable switches and routers because they want something *reliable* for *serious* use that absolutely requires reliability.

It's a matter of the right tool for the right job. If all you're doing is routing a T1, you're certainly not going to be processing 100Mbps. In fact, you'll be routing less than Joe Average might route on his cable connection.

It's hard to say about the reliability, however as long as it's within it's capability, any device with no moving parts can be e

Re:

[Enleth]

Right, but the OP sounded as if he wanted to use consumer devices for everything - which certainly isn't the brightest idea. Anyway, cheap routers and switches can as well fail under their normal working conditions, been there, seen that, always keeping a spare just in case. I'm currently in charge of an improvised dorm network (about 80 computers, 30Mbit/s connection to the outside world, almost saturated all the time), with a 30-port industrial-grade Cisco switch just by the router and dozens of crappy co

Re:

[masdog]

Sounds like you could benefit from wiring closets in different sections of the dorm. Surely it would beat having little Linksys switches scattered around as repeaters.

Re:

[Enleth]

Of course I could, but that's a significant cost for the shool administration to cover, and the administration is, obviously, glacially slow when it comes to accounting and finances. Eventually it will be done, but not anytime soon...

Re:

[masdog]

So break it up over a couple of years. Get the money to do one section of the building at a time, then it wouldn't be as hard to convince the school to go along with it. I have to do that to get the money to rewire both of my plants - corporate won't surrender their entire capital budget to let me repull all the Cat5 in the plant, so I have to pick and choose which areas need the work the most.

This year's goal is to remove all the Thinnet from one plant and move most of an IDF up into the computer room

Re:

[Antique Geekmeister]

He'd benefit more from blocking Bittorrent, I hate to admit.

Re:

[masdog]

Yeah, but there is something for doing the cabling right the first time and not having to worry about it again.

Re:

[Antique Geekmeister]

What is "right"? Expending a few thousand per closet on well-equipped wiring points, in dormitory space where living space is cramped and valuable, or lowering the load on the switches so that they run reliably enough for casual use and using the same money, if it was ever available, to actually wire the rest of the dorm rooms? Or spending the money on pizza and beer to supply a few geeks to actually work out what the real issues are and fix those?

Spending money on "server-grade hardware" is not an automati

Re:

[sjames]

Agreed, the OP was way on the other extreme.

In your case, it sounds like there must be some sort of problem there with power or perhaps grounding. I agree that consumer grade switches fail more frequently, but unless you have more switches than computers, one every two weeks is excessive even for cheap switches.

Does anyone have one of these [fiftythree.org] in their dorm?

Re:

[Antique Geekmeister]

Or air flow. When the switch is buried under someone's pile of dirty laundry or gets pizza and beer spilled on it, it's going to fail pretty regularly.

Re:

[Bert64]

The grandparent post mentioned moving parts, many decent switches have fans while cheap small ones don't... Tho this is for quite the opposite reason, fans will keep the device cooler and increase its life. If the fans fail, your just in the same boat as a cheaper switch.

Those cheaper switches often have no protection against connecting two of their ports together with a crossover cable either, that can cause utter chaos.

Re:

[masdog]

Those cheaper switches often have no protection against connecting two of their ports together with a crossover cable either, that can cause utter chaos.

That happened on a production network I support (but didn't design...currently redesigning to avoid this problem). A maintenance supervisor accidentally unplugged the switch and then plugged the two ends of the same cable into the switch. Chaos ensued for the day as our entire network came to a standstill.

Re:

[Agripa]

Usually a switch just dies, I throw it away and put a new one in there, but sometimes those little bastards look just fine, blink their lights happily - and wreak havoc in the network, sending half a packet here, half a packet there and even more random crap somewhere else, clogging other switches that are just too dumb to ignore a broken packet, so they reboot every couple of seconds.

I have had exactly the same problem. Given my EE background, my suspicion is that these devices suffer from power supply lo

Re:

[The -e**(i*pi)]

Actually, I have tried home routers with the 3rd party firmware. They only get to 20 mbps, and then are unreliable and with NAT they crash if you have over a few hundred connections open with the max at like 4096.
Now linux or bsd based or DD-WRTx86 are nice for power users at home.

but yes, for businesses, anyone using anything other than Cisco professional equipment is just plain dumb if they have more than a handful of users.

Re:

[xmodem_and_rommon]

My company has found that the most cost-effective way of building a high performance router is to buy Symantec 5440's on ebay. These boxes are basically a xeon, 1GB of ram, with 6 gigabit interfaces. Throw mikrotik routeros on it and it can route 3 gigabit without pushing the hardware much. I would have thrown some more at it but i didn't have enough machines with gigabit interfaces lying around at the time.

Re:

[Agripa]

I have never had a problem with state table size even with thousands of connections (although I know other that have) but physical reliability has been an issue. I have obsolete full blown PCs running FreeBSD in the form of m0n0wall, pfsense, or just bare that have higher uptime then the routers and switches I have used made by D-Link or Linksys which have a propensity to spontaneously turn into bricks. Netgear (especially the Bay Networks stuff) and SMC seem to hold up better but I do not have many of th

Re:

[Bert64]

A lot of supposedly higher end kit falls over well below it's rated capacity too...
Try synflooding across 100mb interfaces on a 7200vxr, a lot of cisco kit is based on the same pci-bus design as a pc but with a slower cpu. The NIC will generate an interrupt on the bus for each packet, lots of small packets will saturate the pci bus and take the device down wether it's a cisco 7200 or a pc with 2 nics.
You can improve the situation by using 64bit pci, pcie, pci-x etc but the problem remains it's just got a hi

Re:

[funkboy]

Network processors are moving towards remedying this. The Gemini SL3518 [stormsemi.com] costs 20 bucks for q1000. This is not just a different ballpark from embedded solutions based on typical processor-based forwarding, it's a whole new league.

Re:Get a D-Link or a LinkSys, Routers r a commodit

[Jerome H]

Because I've already seen some cheap routers hang when they had hundreds of connections open.
Because sometimes you need more than just 10 forwarding rules.
Or because you need to handle VLANs.

It's true they aren't cheap but when you need some advanced features well just go buy the real thing.

Re:

[Bert64]

So do my linux and macos based laptops..

As a test tho, login to a fast box hosted somewhere, and run a syn flooding tool against your home box over the cheap consumer level router. Flood yourself with small packets, and see how many of them actually make it past the router to hit your box.

I managed to receive about 300k of small packets, on an 8mb dsl connection. When hit with small packets, 300k is all the router could manage. The box flooding me was generating more than 8mb of packets, and needless to say

Re:Get a D-Link or a LinkSys, Routers r a commodit

[WizardX]

Soory, but I must feed this troll.

Most people do not buy 800 series routers, but if they do, it is typically because of managability and security. When it comes to being able to manage a remote network device and use a central authentication system, Cisco beats the pants off of ANY comsumer grade device.

Once you get to 1800 devices and above (even 1600 and 1700, but they are EOL) you have features that far exceed any consumer device.

Real routing capabilities (RIP, OSPF, EIGRP, ISIS, BRP, etc).
Modular interface cards. You have Modem, ISDN, xDSL, Cable, 56k, DS1, ATM, DS3, SONET, etc.)
QoS. Should be self explanitory
Various security functionality. VPN, tunnles, RADIUS, TACACS+, etc. (I am not a security guy)
Voice Terminate voice, act as a phone system (2800 and 3800) run VXML, etc

These are just the routers. Switches are just as much above the consumer grade as the routers are. QoS, port density, VLANs, true Layer 3, etc.

Both have their place and in some cases, a consumer grade equipment has its place in the corp environment. I have used them many times. T

To say Cisco is a rip-off is pure ignorance. (Do not use the list price to justify yourself either. NO ONE pays list for Cisco gear. As a general rule 35% - 50% is the rule.) Sure Cisco is not the cheapest or the best, but they provide a complete end-to-end solution and everyone knows Cisco. Heck, even Nortel switches and Extreme (I think) made their interfaces to emulate IOS.

Re:

[phantomcircuit]

true Layer 3, etc.

What do you mean by that? why is it "true" layer 3?

Re:

[WizardX]

You know, I am not entirely sure. I was trying to corral the kids at the time. Strike the word true.

Re:

[pacman on prozac]

No need to strike it you're quite right.

A layer 3 switch is one that can do IP routing at wire speed, usually by doing the routing in hardware.

Normally switches are layer 2 only and don't understand IP, they just pass stuff based on MAC address. You then need a separate router to do the layer 3 work.

Consumer grade stuff like the wrt54g does support layer 3, otherwise you wouldn't be able to connect to anything. But it uses software routing, not hardware, which is nowhere near as fast.

Re:

[Agripa]

Consumer grade stuff like the wrt54g does support layer 3, otherwise you wouldn't be able to connect to anything. But it uses software routing, not hardware, which is nowhere near as fast.

As someone pointed out, the consumer grade stuff routes at about 20 Mbits/s although in my experience it is more like 30 Mbits/s. If your needs are below that, then performance is not an issue although reliability for consumer grade network equipment is awful.

Re:

[phantomcircuit]

The measurement that really matters then is latency, obviously it can process a ton of data relatively quickly but how fast can it process a small amount of data?

Re:

[Agripa]

I have always found the latency on even consumer level equipment to be insignificant. It is higher than a layer 2 store and forward switch (it would have to be since traffic between the WAN and any of the multiple LAN ports traverses the internal switch) but still relatively low. That is only the case of course when not saturated.

There could be exceptions. It would not surprise me at all to find that some consumer equipment does not maintain state tables to speed up rule searches causing excessive latenc

Re:

[superskippy]

Sure Cisco is not the cheapest or the best, but they provide a complete end-to-end solution and everyone knows Cisco.

That's it in a nutshell, and it's a real shame. Cisco is the new "nobody got fired buying IBM". People are just so scared to try anything else on their networks, and it really holds back competition. Got a budget to build a network? Buy a Cisco, and no one will blame you. If it goes wrong, well hey, you did the industry standard thing- that's just how networks work, right?

Re:

[funkboy]

Extreme's CLI resembles IOS like my brother's '74 VW bug resembles a Porsche 993.

Re:

[Crackez]

WizardX is spot on. I'm a Cisco/Solaris administrator and even the old cisco switches are better than a D-Link/Linksys/SMC or whatever. I have a few nice bit's of equipment at home (plenty of awesome ones at work: Cat4506's, some 6509s, 2960's, just got a new 4948, lots of 2600/2800/3745/3845's, and my favorite the 7206VXR) and I have load tested them. Take the very common combo of a Cisco 3640 router (2x NM-2FE-2W) and a 2924XL switch which together can consistently route at 100Mb/s when using CEF. Now, if

Re:Get a D-Link or a LinkSys, Routers r a commodit

[sjames]

Does linksys or d-link support ssh? (I'd really like to know). Does linksys support T1, frame relay, and DS3? What about E1 and E3 support?

If you reflash a Linksys with DD-WRT, it DOES support BGP and ssh. It's going to be fast ethernet only, and no support for automatic failover.

Re:

[pyite]

If you reflash a Linksys with DD-WRT, it DOES support BGP and ssh. It's going to be fast ethernet only, and no support for automatic failover.

And does it support 128MB of RAM? Because you need 128MB RAM for a full Internet BGP feed.

Re:

[pacman on prozac]

You don't necessarily need the full internet BGP feed to run a dual homed setup, it depends how you use them.

If the routers are at your site and connect directly to the ISP then you only need a default route on each. You may only have BGP to advertise your own network out to the internet and keep it reachable if the link fails over to the backup ISP.

But then if you are paying thousands each month for a dual homed BGP capable connection you aren't going to worry about saving a few thousand and use a consumer

Re:

[MECC]

When two routers are set up in failover, by definition one of them is primary. If only default routes are used, all traffic goes through one ISP, not both. If you're paying for the extra bandwidth, why not use it?

Re:

[Ajehals]

I just spent 5 minutes making sure that that link went where it claimed to go and no further (It points to a /. article entitled "FCC To Require Backdoor Network Access for Feds").