North American Network Operators Group


Re: Advice requested for OpenBSD vs. Linux/OpenBGP vs. Quagga router deployment.

  • From: Beat Vontobel
  • Date: Thu Dec 18 08:55:28 2008

Hi Marc,

> I saw from previous email that Quagga was recommended as opposed to OpenBGP. Any further comments on that? Also, any comments on the choice of OpenBSD vs. Linux?
>
> I don't want to start a religious war :-) Just curious about what most folks are doing and what their experiences have been.

We have run a similar setup for about a year. I also don't want to start a "religious war" (being a happy user of both Linux and OpenBSD, for different purposes), but in this scenario my decision was quick and clear:

I went for OpenBSD with OpenBGPD, consistent with my experience throughout the last few years, that for the basic, "hidden" (from end user perspective) network services (routing, firewalling, DHCP, DNS…) OpenBSD never let me down and saved me a _lot_ of time and hassle as an admin (doing this stuff with Linux before). And admin time is often more valuable than that of one or two CPU cycles… (and as long as I get the throughput I demand plus a large enough margin I really don't care about those).

My basic rule of thumb now is (and I'm just pragmatic, not religious): If I can get away with the base installation of OpenBSD for a service, I really give it the first try. So for OpenBGPD. It was also the documentation, the clean design and the usability (okay, that's really personal taste, but I really got to love the OpenBSD config file style) that helped with that decision. And from my perspective, it really was the right one: The setup just works, right from the beginning. Flawless. With both Junipers and Ciscos as neighbors.

> We are planning to run two OpenBSD based firewalls (with CARP and pf) running OpenBGP in order to connect to the two ISPs.

Just one thing independent of the OpenBSD vs. Linux question: Depending on the complexity of your setup, and maybe also for a cleaner design and possibly additional layers of security, I'd recommend thinking about separating the "pure" firewalls from the BGP stuff. I do have three OpenBGPD boxes towards the Internet as our BGP peers plus two redundant pairs of OpenBSD carp/pf boxes towards different internal networks and DMZs. Between the OpenBGPD and the carp/pf boxes is our "backbone".

I experimented with a setup as you describe it (many different BGP/router/firewalling roles combined on one pair of OpenBSD boxes) first, but soon realized that (while perfectly okay for a simple setup) as soon as you get more and more specialized requirements, things tend to get unnecessarily complicated and you're probably better off with dedicated boxes (if not for performance reasons, then still for the design).

Best regards,
Beat Vontobel

--

Beat Vontobel, CTO, MeteoNews AG

Siewerdtstr. 105, CH-8050 Zurich, Switzerland

E-Mail: [email protected]
IT Department: +41 (0)43 288 40 54
Main phone: +41 (0)43 288 40 50
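The split design Beat describes (dedicated OpenBGPD boxes towards the ISPs, a separate CARP/pf pair behind them on the "backbone") in OpenBSD's own config-file style, as an added illustration that is not configuration from Beat's or Marc's setup. Every AS number, address, interface name and password below is a constructed placeholder (RFC 5737 documentation prefixes, private ASNs); the filter block is default-deny so the edge box accepts routes only from its configured upstreams and announces only its own prefix, never leaking ISP-A's table to ISP-B.

```conf
# ===== /etc/bgpd.conf on one edge OpenBGPD box (facing the two ISPs) =====
AS 65001                      # constructed private ASN
router-id 192.0.2.1           # constructed documentation address

# The prefix this site originates towards both upstreams
network 192.0.2.0/24

group "upstream" {
	# Per-session hardening: TCP MD5 on the session, and a prefix limit so a
	# full-table leak from a peer restarts the session instead of exhausting RAM
	neighbor 203.0.113.1 {
		remote-as 65010
		descr "ISP-A"
		tcp md5sig password "replace-me-isp-a"
		max-prefix 500000 restart 5
	}
	neighbor 198.51.100.1 {
		remote-as 65020
		descr "ISP-B"
		tcp md5sig password "replace-me-isp-b"
		max-prefix 500000 restart 5
	}
}

# Filters: deny everything, then accept what the upstreams send and announce
# only our own prefix to them (no transit between ISP-A and ISP-B)
deny from any
deny to any
allow from group "upstream"
allow to group "upstream" prefix 192.0.2.0/24

# ===== /etc/hostname.carp0 on the internal pf/CARP pair (master shown) =====
# Shared backbone-side address; the backup uses the same vhid and pass with a
# higher advskew. "pass" is the CARP advertisement password, not a pf rule.
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass replace-me-carp advskew 0

# ===== /etc/hostname.pfsync0 on the same pair =====
# pfsync is unauthenticated: keep it on a dedicated crossover link only
up syncdev em2

# ===== /etc/pf.conf on the same pair (excerpt) =====
ext_if  = "em0"               # towards the backbone / OpenBGPD boxes
int_if  = "em1"               # towards the internal network
sync_if = "em2"               # dedicated pfsync link

set skip on lo0
block all

pass quick on $sync_if proto pfsync           # state sync between the pair
pass on { $ext_if $int_if } proto carp        # CARP heartbeats
pass out on $ext_if inet from $int_if:network keep state
```

With this split, a BGP session flap or a filter mistake on an edge box never touches the firewall pair's state table, and the pf/CARP boxes see only a plain default route via the backbone; the filter rules in bgpd.conf are worth checking with `bgpd -n` (which parses the file without starting the daemon) before every reload.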