Hi,
If I have misled anyone, I'm sorry. I was talking about NATing.
Thanks,
Sudheer
Marco Colombo wrote:
On Thu, 8 Jul 2004, Sudheer Divakaran wrote:
Hi,
I have a local LAN consisting of about 150 machines. I'm using a machine
with Linux + IPTables as the gateway machine, which in turn connects to
two different ISPs. My question is: can a Linux-based machine match the
performance of the hardware-based routers provided by Cisco, ... or is my
decision to go for a Linux-based solution a wrong one?
Is there so much difference between these two solutions?
Can I achieve the same performance using a high end PC and Linux?
I'm asking this because one guy told me that my decision to go for a
Linux based solution is a wrong one and it can never match the
performance of hardware based Routers.
iptables is not concerned with routing. If you're comparing
a Cisco _routing_ solution with a Linux-based one, this is the wrong
list, I think. There are many things to consider: raw performance,
routing software (are you running EIGRP?) and so on, all off topic here.
Anyway, ask that guy to show you a real 'hardware based router'.
That is, remove any software (IOS) from a Cisco piece of hardware
and see how it performs. Ciscos (but high end ones only) do have
specialized hardware, so you may refer to it as "hardware-assisted
routing", no more. But they're software-based routers, too.
Again, this is quite off topic.
iptables is about filtering, NATing, mangling IP packets (am I missing
anything?). Yeah, Ciscos can do that too. But, please correct me
if I'm wrong, I'm not aware of _any_ hardware that assists them in
that. So it's not hardware-based filtering anyway. It's all in software.
The following rule:
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
which may make sense in simple setups, takes _global_ decisions;
it can hardly be "distributed" to interface processors (think of
packets belonging to the same flow that may arrive on two different
interfaces).
In the end, the right question is: how does iptables compare to IOS
access-lists? I'll leave the comparison to others. All I know is
that there's no UNIX shell running on a Cisco. There's no UNIX-like
environment. Put two lines in crontab, and have them invoke a script
that sets iptables up, passing it a parameter (night/day), in order
to implement less permissive rules at night and during weekends.
Now do the same with a Cisco. You get the idea.
.TM.
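The day/night switch Marco describes at the end, written out as an added example that is not part of the original thread: a script that cron invokes with a mode parameter and that rebuilds the FORWARD chain around the quoted ESTABLISHED,RELATED rule. The interface name eth0, the LAN prefix 192.168.1.0/24, the ports left open at night and the cron schedule are all assumptions. Setting IPT=echo makes the script print the rules instead of applying them, so the ruleset can be inspected without root or a real netfilter.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed names:
# eth0 as the LAN interface, 192.168.1.0/24 as the ~150-host LAN.
# Run as "fwmode.sh day" or "fwmode.sh night"; IPT=echo dry-runs it.
set -eu

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"                 # assumption: LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumption: LAN address range

# Emit the FORWARD-chain rule arguments for a mode ("day" or "night"),
# one rule per line. Day: the LAN may open any new connection.
# Night (and weekends): only web, SMTP and DNS from the LAN; rest logged.
forward_rules() {
    mode="$1"
    echo "-P FORWARD DROP"
    echo "-F FORWARD"
    # The global conntrack decision Marco quotes: replies and related
    # packets of already-accepted connections pass whatever the mode.
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$mode" in
        day)
            echo "-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
            ;;
        night)
            for port in 80 443 25; do
                echo "-A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
            done
            echo "-A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT"
            ;;
        *)
            echo "usage: $0 day|night" >&2
            return 2
            ;;
    esac
    # Log what the DROP policy is about to discard, tagged with the mode.
    echo "-A FORWARD -j LOG --log-prefix fw-$mode-drop:"
}

# Feed each emitted rule to iptables (or to "echo" for a dry run).
apply_rules() {
    forward_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule
    done
}

# Assumed crontab lines that drive the switch (weekends stay in night
# mode because the "day" line only fires Monday to Friday):
#   0 8  * * 1-5 /usr/local/sbin/fwmode.sh day
#   0 20 * * *   /usr/local/sbin/fwmode.sh night
if [ $# -gt 0 ]; then
    apply_rules "$1"
fi
```

Because the chain is flushed with the policy already set to DROP, forwarding stops for the few milliseconds between the flush and the re-insertion of the state rule; on a busy gateway it is worth building the rules into a separate chain and swapping a single jump instead, but the structure above is the one the two crontab lines need.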