Linux – Purpose built router/firewall vs Linux iptables/Shorewall

Tags: cisco, firewall, iptables, linux, router

I'm in the process of figuring out what types of devices I'll want to use at a new colo install. We have some experience configuring Cisco routers, but our knowledge is much deeper on the Linux sysadmin side. (Contracting a CCNA is an option, but I'm concerned whether they'll be available when we really need them.) Therefore, instead of using a Cisco/Juniper router, I'm tempted to use a Linux box running Shorewall. This would also allow us to leverage our existing configuration management and compliance infrastructure. Most of the setup will be fairly simple NAT. No BGP, OSPF, RIP or other real routing protocols.

Here's the imagined setup:

  • 100Mbit throughput max on the circuit. Our standard peak throughput is more like 10Mbit.
  • 20-30 hosts behind this
  • Mostly HTTPS traffic. Some HTTP, SMTP and SSH
  • /24 IP block

My main concern is ease of implementation and maintenance. Cost isn't the primary concern, but I would prefer not to go over $2500 for a new device (I've had bad luck with refurb gear). Our current network gear will stay where it is. Whatever we use will be new purchases.

On the Cisco side I was looking at something like a 2901. If I were to go with the Linux solution, what would I be giving up? Can a modern Xeon-based Linux/Shorewall box handle 100Mbit of NAT with ~300 rules? Would the Cisco device handle a DDoS attack considerably better?

Best Answer

Yes, your specified hardware could easily handle this workload, and quite a bit more honestly, with decent NICs.

Have you considered pfSense instead of Linux/Shorewall? pfSense is based on the FreeBSD network stack and pf - as such its network performance, stability, and security are second to none when it comes to "software" router platforms. It comes with a nice web browser-based configuration interface. I've had extensive experience with pfSense in this sort of environment, and I've never been disappointed in its performance or functionality.

Sure, the Cisco device may be able to deal with a DDoS better than a pfSense or Shorewall box would be able to, but not necessarily. The 2901 is not a high-powered router and is doing all of its routing/switching in software anyway, so even if configured optimally, it may not fare any better than the alternative.

One recommendation - ditch the NAT idea if you can. You're getting a /24, so you'll have plenty of IP addresses. Turn off NAT on the router, set up a default deny firewall policy, and then add allow rules for only the hosts/ports you need. NAT adds additional load on the router, adds additional management complexity, and doesn't buy you any additional security.
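A minimal Shorewall configuration that implements the no-NAT, default-deny layout recommended above, added here as an illustration (it is not from the question or the answer). It assumes eth0 faces the colo uplink and eth1 faces the hosts, and uses the constructed documentation prefixes 203.0.113.0/24 (your routed /24) and 198.51.100.0/24 (your office, for SSH management) as stand-ins for real addresses.

```text
# /etc/shorewall/shorewall.conf -- only the setting that matters here.
# Routing a public /24 without NAT requires forwarding to be enabled.
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# Constructed assumption: eth0 = uplink, eth1 = the /24 of hosts.
# Options drop bogus TCP flag combinations and packets arriving
# on the wrong interface for their source address.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy
# Default deny: anything not explicitly allowed in rules is dropped
# (from the Internet) or rejected (elsewhere), and logged.
#SOURCE DEST    POLICY  LOG LEVEL
$FW     all     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# No SECTION header: all entries apply to NEW connections; replies to
# established connections are accepted automatically.
# 203.0.113.10 = web host, 203.0.113.20 = mail host (constructed).
#ACTION         SOURCE                  DEST                PROTO   DPORT   SPORT   ORIGDEST    RATE
HTTP(ACCEPT)    net                     dmz:203.0.113.10
HTTPS(ACCEPT)   net                     dmz:203.0.113.10
SMTP(ACCEPT)    net                     dmz:203.0.113.20
# SSH only from the management prefix, rate-limited per source to blunt
# brute-force attempts against the hosts and the firewall itself.
SSH(ACCEPT)     net:198.51.100.0/24     dmz                 -       -       -       -           s:3/min:5
SSH(ACCEPT)     net:198.51.100.0/24     $FW                 -       -       -       -           s:3/min:5
# Allow ping to the hosts so reachability can be verified from outside.
Ping(ACCEPT)    net                     dmz

# /etc/shorewall/masq (or snat on Shorewall 5): intentionally empty.
# The hosts carry their public addresses, so no address translation is done.
```

Run `shorewall check` to compile the configuration without loading it, then `shorewall try /etc/shorewall 60` to activate it with an automatic rollback if you lock yourself out.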
