On Mon, Aug 11, 2008 at 01:14:53PM +0200, Marco Fretz wrote:
>>> well here's my 3 cents,
>>> first why use a stupid PC (any os) for routing...... REALLY BAD jue,jue break
>>> down and buy an old Cisco 7200, 7500, 3600 they are all very good routers, I
>>> used a 7500 for a while and now use a 3640
>>> I use pf as a transparent bridge behind my router.. and it protects my servers
>>> I have 3 nics, (world, dmz, ssh)
>>
>> How odd. I know at least one site that runs all of their BGP off of
>> OpenBGP on OpenBSD boxes that are dedicated as routers. In all cases,
>> these systems outperform the equivalent Cisco hardware for a fraction
>> of the cost.
>
> Forget this. Cisco does CEF (Cisco Express Forwarding), that's stream
> forwarding in hardware. You don't have a chance to reach this PPS with a PC
> / server-based router (any os). And I don't think there is any equivalent
> hardware for Cisco and other router vendors. Because only the routing decision
> is done in CPU / memory, packet forwarding is done on the "hardware
> layer"... so you can't compare Cisco CPU / memory against PC CPU / memory,
> that's not fair :-)
Careful now. CEF does speed things up in certain situations, but if
it's not backed by a very powerful CPU, you can easily completely
cripple your Cisco by sending a stream of carefully crafted packets.
If you have to make a routing decision for every packet you process,
things will get nasty pretty fast. To handle such traffic, you'd need
even bigger boxes from Cisco while the OpenBSD solution does not care
all too much about this sort of thing (since it's not doing something
CEF-like anyway).
> But software routers e.g. OpenBSD are cheap and work well. If you don't
> need more than about 800Mbit/s throughput and you want to save some money,
> use software routers... but agreed, with good server hardware, Intel NICs,
> dual core CPU, etc. you can get good performance out of a server-based
> router / firewall.
If you want more than 800Mbit/s you shouldn't use a 3600. With this
sort of bandwidth, you're going to have to spend a lot of money
anyway. Add to that the fact that the original poster was interested
in doing pfsync and ipsec on these machines, and Cisco general-purpose
routers wouldn't be a good match either.
Cheers,
Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/