Hardware

Linux Ported to Cisco Routers, BSD chosen by router manufacturers

calc writes "Linux has now been ported to the Cisco 2500/3000/4000 routers. Click here for more details." This seems like a fairly logical (albeit not so useful) hack. I mean, one would assume that Ciscos have some wacky hardware in them... but then again, using standard tools to config them seems all right by me. And you could use your router as a web server if you were on crack *grin*. [Update by nik]: Not the first time a free operating system is used like this. For example, routers from Juniper run a modified FreeBSD, while Effnet base many of their products on NetBSD.
  • Now i can run some RC5 clients on my routers!

    (What an effective use of resources :P )

    I think, therefor i think. i think?
  • Port Linux to a door? Is that how Sirius Cybernetics did it?

    Share and Enjoy.
  • ... when you think about it a little.

    If you're running a webserver cluster behind the router, and using the router itself to do the load balancing (IANASA - I am not a Sys Admin), then if all the dedicated webserving machines decide to go bye-bye on you, it would be a Nice Thing to be able to have the router throw out a "Sorry, our stuff is unavailable right now" message. Not that you should let the aforementioned state occur, but as the saying goes, 'better safe than dead.'
  • IOS does NAT and packet filtering pretty well. The only difference between IPNat, IPFilter and IOS is that IPFilter is stateful. Mind you, I love stateful packet filters and think it's the greatest fucking feature in the world, it's still not much of a difference. Oh, wait, IOS does have a "firewall" feature set that is stateful, so nevermind. When is Linux going to get stateful packet filtering?
  • Cisco does NAT pretty well, thank you. [cisco.com] and with the right access lists can do all the things that you are describing.
  • Well some yahoo had to go and do it.
    BSD runs on the P200 that manages the box. Like the ssh session you might use to configure it. ASICs handle the packet forwarding, route table, forwards table, etc. No matter how cool BSD is, it still doesn't push an OC-192 at wire speed. Moderate that guy down like the uninformed bastard that he is.

    kashani
  • by Anonymous Coward
    this is supremely useful to the cracker who has an 0wn3d router but didn't know what to do with it.

    just think - so long as the unit performs its duties and does not invite administrator scrutiny, you now have the perfect base for sniffing and password logging.

    how many more reasons do we need before all those old cleartext application protocols get scrapped?
  • I really appreciate the answer, a lot of good info in there on OpenBSD's abilities. I just have a few comments... (NOTE: my comments are about the 2.4 series, a lot of these abilities are new)

    1. Linux *does* allow multiple port matching.

    2. Linux *does* allow you to redirect to another machine, you are no longer restricted to localhost (under 2.2 you can as well with 3rd party utils which I hated because they sucked.)

    3. Host mapping is *not* a problem under 2.4

    (I know how useful the redirection can be, that DNS task of yours would be hell without it.)

    4. Connection State Matching is possible in Linux.

    5. Rate blocking: I *think* so. I would have to look a bit more before being able to say for sure though... the limit match helps on this, but I don't think it does what you wanted it to - but there may be something else.

    To help, here is a simple list on the basic options included in the "make menuconfig" under 2.4 for NAT/filtering/MASQ decisions:

    limit match, MAC, netfilter MARK, multiple port support, TOS match, connection state match, unclean match, owner match

    Packet Filtering Targets: REJECT, MIRROR
    Full NAT Targets: MASQUERADE, REDIRECT
    Packet Mangling: TOS, MARK

    In summary, I know about the limitations you were discussing - at least in regards to the 2.2 series. What I would like to know is, what does *BSD have over the 2.4 Linux kernel (which I have running on 7 production machines WITHOUT a single hiccup) with regards to router functionality?

    I should also point out that though I am a fan of Linux, I would use Win2k before I would use RedHat and I believe in using the best tools for the job at hand. (Yes, even if the best tool is Win95 or FreeBSD *shudder*)

    So, once again, anyone want to please explain why someone would use OpenBSD over Linux (to clarify, 2.4) as a router? (please avoid the security arguments, that's a whole different can of worms.)

    -Nathan
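An added example, not code from the thread or from any of its posters, that puts the 2.4-series netfilter features listed above into one iptables ruleset: multiport matching, DNAT to a host other than the router, REDIRECT to a local port, connection-state matching, and the limit match. The interface names, the LAN prefix and the web-server address are assumptions for illustration; the script only emits the rules as text unless invoked with `apply`, which needs root on a netfilter kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): a Linux 2.4-style iptables
# ruleset exercising the netfilter features the post lists. Interface names
# and addresses are assumptions for illustration only.
WAN=${WAN:-eth0}                      # interface facing the Internet
LAN=${LAN:-eth1}                      # interface facing the private network
LAN_NET=${LAN_NET:-192.168.1.0/24}    # assumed private prefix
WEB_HOST=${WEB_HOST:-192.168.1.10}    # assumed internal web server
IPT=${IPT:-iptables}

# Rules are emitted as text, one per line, so they can be reviewed before
# anything touches the kernel. Order matters: FORWARD is walked top to bottom
# and anything not accepted falls through to the DROP policy.
filter_rules() {
  printf '%s\n' \
    "-P FORWARD DROP" \
    "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
    "-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT" \
    "-A FORWARD -i $WAN -o $LAN -d $WEB_HOST -p tcp -m multiport --dports 80,443 -m state --state NEW -m limit --limit 25/s --limit-burst 50 -j ACCEPT" \
    "-A FORWARD -i $WAN -m limit --limit 5/min -j LOG --log-prefix FWD-DROP:"
}
# Line 2: replies and related traffic (FTP data, ICMP errors) ride on state.
# Line 3: the LAN may open anything outbound.
# Line 4: from the WAN only new web connections to the web host, both ports
#         in one rule, accepted at a token-bucket rate; the excess is dropped.
# Line 5: LOG is non-terminating, so the packet still hits the DROP policy;
#         the limit match keeps a flood from filling the log.

nat_rules() {
  printf '%s\n' \
    "-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE" \
    "-t nat -A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_HOST" \
    "-t nat -A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-ports 53"
}
# Line 1: hide the LAN behind the WAN address (masquerading).
# Line 2: publish the internal web server on the router's public address.
# Line 3: force LAN clients through the router's own resolver (assumes one
#         is listening on the router; REDIRECT rewrites to a local port).

# Number of rules a generator emits; used for sanity checks before applying.
rule_count() { "$1" | wc -l | tr -d ' '; }

# Default is a dry run that prints the exact commands; 'apply' executes them.
case "${1:-preview}" in
  apply)   { filter_rules; nat_rules; } | sed "s|^|$IPT |" | sh -e ;;
  preview) { filter_rules; nat_rules; } | sed "s|^|$IPT |" ;;
esac
```

The limit match is a token bucket: new web connections are accepted at 25 per second with a burst of 50 and everything beyond that falls through to the FORWARD policy of DROP, which is as close to rate blocking as the 2.4 limit match gets. Filter rules are evaluated after PREROUTING DNAT, so the FORWARD rule matches on the internal address, not the public one.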
  • I mean, one would assume that cisco's have some wacky hardware in them... but then again, using standard tools to config them seems allright by me.

    Standard as in what is most familiar to yourself? -- As in non-Cisco? By many Cisco people's standards, the operating system and the configuration tools are the "standard" for Cisco routers.

    <request for clarification/>


  • the online brokerage I work for uses foundry [foundrynet.com] networking equipment, and it has the option to use SSH (and only SSH) as a connectivity method. I've got to say that it now is as slick as all our unix boxen, and I'm loving it... They also make their firmware upgrades available for free, so I haven't had to pay for feature adds. (cough cough *cisco* cough) That, and the wire speed gigabit ethernet rocks too... 480Gbps backplane on those beasties.
  • by Anonymous Coward
    Howdy all! I see some issues with this from a performance perspective: a. All of the hardware mentioned here uses software switching of packets vs hardware ASICS. Therefore, you are either "Fast Switching" or "Process Switching" the packets dependant upon router configuration. Naturally, Fast swithcing develops a cache for layer 2 MAC address information and routes. See Cisco's definition: Process Switcing: Operation that provides full route evaluation and per-packet load balancing across parallel WAN links. Involves the transmission of entire frames to the router CPU, where they are repackaged for delivery to or from a WAN interface, with the router making a route selection for each packet. Process switching is the most resource-intensive switching operation that the CPU can perform. Router has to evaluate each packet individually, look up next hop route, re-package dependant upon interface and next hop address for destination route and send to interface. Used with following; access-lists (requires packet evaluation vs. lists applied to an interface), load balancing - to use multiple routes versus first acquired cache route, wan links to prevent overrun of serial interfaces by wan interfaces, etc. Fast Switching: Cisco feature whereby a route cache is used to expedite packet switching through a router. Contrast with process switching. A route is looked up once, cache is formed for next-hop address and next hop address information can be switched into place witout having to evaluate every packet within the TCP session.... In higher end routers (7000 +), they went to developing RP/RSP or route switch processors to implement caching in hardware vs. software. With Cisco's newer Versatile Interface Processors (VIP), they actually run a microcode OS on the line card which permits line cards to switch directly between each other using what they call distributed CEF. Can achieve 1,000,000 packets per second via CEF.... Anyway, before I went off on my geek tangent. 
I'm damn sure that this Linux port does not have any fast caching algorithms...and at best would only meet process switching speeds implemented under IOS (if at best). You would then see a signifiant decrease in PPS using Linux over IOS and a hefty increase in CPU utilization (2500 is about the equiv of 386....4000 is not much better mayble 486 at best). 2500 pumps about 25k pps fast switched where 4000 is 40,000 fast switched. I would suspect these would plumet significantly. Additionally, you couldn't run linux and IOS concurrently on the same box. You have to re-boot it (no connectivity on any interface hence causing an outage) to boot between both OSs. You can't, as one user stated, obtain a tcp dump while routing under IOS. IOS has these features via off box logging, IP accounting, Logged access-lists, etc. With very small memory configurations available for true system type applications (Web servers...etc), what type of decent apps could you really run on a router that would make it feasible? Benifits of using Linux on a Cisco legacy router (2500 and 4000 are considered end-of-life). Size! A 2500 is extremely small. Alibeit, I'm not sure which intefaces and hardware the linux ios would support; Async, Ethernet, Ethernet Hubs internal to some 2500 series.... Cost What does IBM charge for the 2u height web servers? Although, one PIII class box could out crank a handful of 2500s... Oh well. In my travels I did find one product for linux that got me excited about affording an Cisco Interface and management to a linux system. It was at http://www.zebra.org. I installed it and thought it kicked some ass. Hope I could lend some insight as to the performance issues...... simple_in_seattle@hotmail.dontspamme.com
  • This is a plug for my employer. I work at http://www.imagestream-is.com [imagestream-is.com] we sell both the cards and routers. the cards work with every distro we've come across, and the routers run linux. why kiss a vendors ass for anything?
  • Exactly. Linux changes itself to fit on different platforms. Bill tries to change you to fit his solutions.

    There's a huge difference there.
  • HAve your CISCO's spare cycles help this worthy cause! =grin=
  • From my understanding those cisco routers run on QNX, which is a POSIX compliant OS. As is Linux.
    So the port should have been trivial.
    I think that being able to run perl scripts on a router is a cool side effect of this hack though.
    Or could you do it previously? Anyone?
  • In the older days, you were buying expensive hardware. The older models especially that are mentioned in this article are all Motorola 68k chips.

    Newer models moved away from general purpose CPUs to proprietary chips designed for fast routing/switching.
  • . . .okay . . . Why? What do you gain?

    This flamebait? Seems like a basic question as to any advantages...
  • HTTP server is a standard feature in IOS... But it's only used to administer the router and run some commands through a web browser. However, it shouldn't be too hard to extend the built-in server a bit further, to host your domain and serve your pages :-)
  • Yes, you can use any average 486 to route between two ethernets, but price out getting dual T-1/sync ports on that same machine for a real router. They are about $600 or more for a decent one that won't load down your machine at above 56k.


    I've played a bit with getting ucLinux running on older Bay/Wellfleet AN routers. They are basically a system on a chip (68EN360) with some RAM and flash. It's a project for another day, though.

  • Anything has to be better than their OS. Jinkies!

    Anyway, real men use Foundry. ;>

  • Hell, if we can make a Linux Box into a Router, we should sure as hell be able to make a Router into a Linux Box.

    Go Slackware!

    -- Give him Head? Be a Beacon?

  • I was reading a story about component and product outsourcing the other day. It was either in the Minneapolis Star Tribune or the NYT. Apparently this is one of the Big Dirty Secrets of the computer industry as a whole -- a few, rapidly growing businesses are taking over the job of circuit board manufacture for a number of computer companies. "HP doesn't want you to know that your server mobos come from the same factory in Detroit that makes controller computers for GM." I guess I didn't want to know it..

  • I wouldn't talk trash like that without thinking

    Can your Cisco IOS based router/firewall redirect traffic through arbitrary software or filters on the router itself, that you can code yourself in C? Think about it, man. For a custom solution, Linux is infinitely more flexible. You can damn near do anything with a packet if you have the coding knowledge to take a whack at it. IOS is a closed environment.

    THAT's what I meant, and I do know what I'm talking about

  • As I said to the other naysayer (see other reply) Linux still wins in customizability and flexibility.

    I still consider simple masquerading and true NAT different, although they are fundamentally the same thing.

    I know IOS supports these things, but if it ain't in IOS, you can't do it, it's a closed environment. In Linux, my NAT could also scan packet contents of outbound SMTP traffic, and filter certain packets containing certain data through an external chunk of C code on the router itself that I wrote before processing it onwards... for a really weird example (and yes, I've done that before).

  • Um... The PIX 520 is a P2 350, the case is mostly air. Same mobo and processor in the local directors too. I'll withhold my opinion of the PIX's abilities as a real(tm) firewall though :)
  • actually - cant remember the name, sorry - I used a beta product that was an IOS for linux.

    It ran on a pc but allowed you to setup your linux box with IOS syntax. You could setup any service that linux would run - and it was just like being in a router.... (had a whole boat load of cool things like setting up VOIP calling gateways etc.) and it is to be sold as a development tool - so anyone can create an IOS interface for what they run on linux.

    anyway - it's coming soon. will see if I can get the name of it again.
  • > Um... The PIX 520 is a P2 350, the case is mostly air.

    Ah, I was thinking of the PIX 515.
    I think the 506 is also a p200 though.
  • . . . .okay . . . Why? What do you gain?
  • "second first post of the day, and it's my birthday!"

    12?
  • I use my server as a router also with a partial
    firewall, I don't see why they shouldn't do it.

  • On the routers listed, your contribution would be minimal at best. These boxes have fairly slow old 680[c]30's in 'em.

    Though I bet some of the MIPS processors used in the 7x00 series would do a fine job...

    -LjM
  • Linux doesn't "come" with emacs either. Nothing "comes" with emacs. It's in OpenBSD's ports collection surely, and if it's not, I hear there's this thing called Open Source. You should try it some time.
  • IOS can perform NAT and redirection to internal hosts. Check out the "extendable" flags in the "ip nat" commands. You may need to check your version of IOS.... 12.0.12 is the latest stable release and has those functions. 12.1.3 is the "most stable" release with firewall features that can do "stateful packet inspection."

    The Cisco IOS can also translate inside AND outside addresses, do port address translation (like MASQUERADING). As for a "range of addresses", like a 1-to-1 mapping 10.1.x.x to 20.1.x.x, I know the PIX is capable of doing that; I can't vouch for IOS (but it would seem like a logical extension they have). But you can create a global pool of addresses.

    I work with cisco routers every day. They're the best in the industry for features and performance. But this linux-on-router thing is still cool. :)
    --
    John Kramer
  • You could think it's kind of futile to just port Linux to everything imaginable... but you can look at it as a kind of basic research, not so much practical use. You have to do the basic research... to get high quality products out the door.
  • Zebra and gated both run on linux, admittedly zebra wasn't so good last I heard. but you can get OSPF/RIP/BGP implementations for linux
  • by mrmud ( 219198 ) on Tuesday September 12, 2000 @07:32AM (#785215) Homepage Journal
    yippy skippy, now we can have Cisco Linux-distro flame wars!

    "MY cisco runs redhat!"
    "oh yeah? my cisco runs slackware!"
    "hah! amateurs! mine runs turbo!"

  • Huh? Netflow switching runs cisco gear...I think you are getting confused with the flow collector, which runs on a UNIX/NT server.
  • I guess all the admins who want to run statistics and trend grapher applications on their routers (other than SNMP-based solutions) are smoking crack.


    - Mike Hughes
  • There has been HTTP over routers for a long time. I know for a fact that CISCO has optional (you have to turn it on) HTTP interfaces for configuring their routers. I don't see any reason why that couldn't be used to serve other static pages.
  • by waldoj ( 8229 ) <waldo&jaquith,org> on Tuesday September 12, 2000 @07:32AM (#785219) Homepage Journal
    And you could use your router as a web server if you were on crack *grin*.

    If we can use IP over DNS [slashdot.org], http over routers seems reasonable.

    I'm holding out for SSH over my toaster.

    -Waldo

    -------------------
  • If you put a terminal on the PIX's console port and watch what it does when it boots, the first thing you will notice is that it's a Phoenix BIOS modified to a) use a serial port instead of a VGA board, b) boot the OS from flash memory. It also identifies its CPU at that point (in the PIX-515 it is actually a Pentium 200 MMX) - that's why I'm kind of surprised that you were surprised to find it was just a really expensive Intel PC. It tells you what it is, you just have to listen :).

    As an aside, I did try to put the PIX 4-port ethernet card into a normal PC. Linux identified it as 4 Intel EEpro adapters. I didn't try to see if it would actually work.

  • So you take a great general purpose OS, Linux, and then stick it on expensive proprietary hardware, a Cisco router, to replace the router-optimized OS already there.

    Of course, a 486 running Freesco [freesco.org], a Linux derived firewall router, would probably have better performance and be far cheaper, but it's not as hackworthy.

    Next week, a Linux router/firewall on a wristwatch, but you can't move your arm or your network will go down.

  • >so i guess it's standard x86?

    Depends on the model, many Cisco routers use Motorola 680x0 chips, some MIPS...

    I can't recall any off the top of my head that used x86 family chips.

    -LjM
  • by Jordy ( 440 ) <jordan&snocap,com> on Tuesday September 12, 2000 @07:52AM (#785223) Homepage
    Cisco IOS can run on a couple unices (BSD and Solaris I believe) as well as Cisco hardware. As far as I know, Cisco folks develop on Unix and then use a cross compiler to build for their router hardware when required.
  • Although this is definitely a cool hack/experiment/learning experience....


    It has no use....

    The Linux tcp/ip stack is not up to the job of high end routing ( even for these low end routers ) ... yes, even 2.4 boys and girls...


    If you want an os that can handle high loads of routing, why not use what the best performing router uses... ( juniper networks M series )...

    WHat is that you ask? well, FreeBSD of course....

    Yeah, i know, this will get marked as flamebait, but, does it look like i care?
  • Mistakes and wrong assumptions here. For the hardware platform, it depends which one. Most routers architectures are based on Motorola 68xxx for low-end (2500's) or any kind of MIPS-based CPU for higher grade routers.

    And IOS is NOT QNX, and doesn't use QNX in any way. It didn't say so in the press release, I'm telling you so now. Whatever is Cisco doing with QNX is confidential at this point :)

  • by jms ( 11418 )
    Seems useless to me. Why break the security of a Cisco router by putting Linux on it?

    Security? What does anyone really know about the security of Cisco routers? Are you sure that there are no back doors imbedded in the IOS? Can you prove it?

    At least with Linux, you can.
  • Seems someone is pissed off that it was Linux and not Windows CE.
  • Have a look at the Juniper White Paper [juniper.net] about JunOS. Yes, it's FreeBSD, but the TCP/IP stack was completely gutted and replaced. If you go through the paper, there are a number of other areas where it differs from standard FreeBSD, too.

    I'm a FreeBSD fan, but I'm interested in the truth, too!

    Also, don't forget that Juniper do contribute stuff back to the FreeBSD code base even though they don't give the whole OS away for free. Which they couldn't do with a GPL-licensed piece of software.

    -Dom

  • Cheap old cisco router?? what are you on drugs? A cisco 2500 doesn't go for cheap and it's older technology.. you could easily buy a new PIII system for the same price range. Also Cisco IOS 11.3 and above support NAT, etc.. so why bother? Yes it is a cool idea.. I'll probably try it out just for the hell of it, but you can trust I'll be putting Cisco IOS back on there after the novelty wore off.
  • Well, for those interested.. it kind of works even.. I hooked up the sacrificial virgin.. an old Cisco 2501 w/ 8MB and here are the results:

    uClinux-cisco-log.txt [krux.org]

  • I know it's Cisco, but I still call them CRISCO. They make excellent network products, love the CLI over Nortel's BCC/menu system/Site Manager/MIBS, but I have issues with their RFC compatibility, and how they implement their own versions of it. And sticking a CRISCO router into a Bay network is hell, because of all the changes I have to make on the CRISCO router. I work in carrier and Nortel is made for this environment, where CRISCO is lacking.
  • Umm, please re-read my post. It wasn't a rumor, it came directly from a "higher-up" at D-Link.

    "I can say that I am not aware of anyone designing or building hardware for cisco other than cisco."

    Jeez... you're not AWARE of that happening? Well I guess that means it can't be happening then, right?

    -thomas

    "Extraordinary claims require extraordinary evidence."
  • Routing protocol implementations like:
    • zebra [zebra.org]
    • gated [gated.org]
    • VRRP [arobas.net] (the IETF equivalent of HSRP)
    -- jochen
  • Don't even try to weasel out and say you weren't implying that D-Link built million-dollar Cisco routers and all Cisco did was slap their name on them in order to jack the price up.

    Again, don't put words in my mouth. I said D-Link "builds a lot of the hardware for Cisco." Had I wanted to imply that Cisco re-sells D-Link routers, I would have said, "D-Link builds Cisco routers, and Cisco sells them."

    PMC-Sierra also builds hardware for Cisco, as well as other companies. Obviously if D-Link was able to actually manufacture an entire router themselves, they would not be selling them to Cisco, they'd be selling them direct to companies.

    Talk about a feeb... sheesh.

    -thomas


    "Extraordinary claims require extraordinary evidence."
  • Didn't see anything about this in the comments. Imagine a cracker takes over a Cisco router, downloads Linux onto it and starts running more advanced attack tools that Cisco can't natively do. Since the cracker is potentially operating from a position of trust (depending on where the router is), you could do some interesting things. Not the least of which would be a custom sniffer to grab passwords.
  • The USB provides control for the tuning - it's much nicer than adding Yet Another Interrupt-Wasting Serial Port Frob. I've got mixed feelings about whether it should do audio over the USB (which is what I'd expected also) - it's actually connecting analog audio to the sound card, rather than digitizing it itself, which would have added to the cost of the device. I have noticed a major quality difference between playing the audio directly from my sound card into the speakers and using the radio software to digitize it as a WAV file - not sure if this is because I've got an El Cheapo $5 sound card, or because the PC software doesn't use the best possible settings for the card, but there's typically lots of hiss and distortion in the saved version (bad enough it's not worth degrading it further by MP3ifying the WAV.) It might be interesting to try it with a better soundcard, so I may move the radio to the office and see if it works better here - I'm certainly not going to spend $50 on a new sound card and $100 on more disk space just to make the $29 radio work better :-)
  • Cisco designs its own hardware and software, but it's common knowledge that it outsources quite a lot of its manufacturing, like many other high tech companies.
  • I've got a D-Link USB-controlled radio on my home PC. Nice hardware. Software sucks rocks - it's way clueless, e.g. there's a freeware MP3 encoder available, but to actually produce MP3s, you need to store the radio program in WAV format in RAM/Swapspace, save it to disk, and then run the encoder. (So you're using 2X the uncompressed space, instead of 1X uncompressed + 1x compressed, or even better 2X compressed.) And it's got a timer that knows how to wake up and record stuff - with a 24-hour clock only, so you have to reset the thing TODAY. You can't go away for the weekend and tell it to record something Sunday night, or tell it to record The Grateful Dead Hour every Wednesday night. You could probably do something to integrate it with a Win98 scheduler, but it's pretty tough.

    By contrast, when you buy a Cisco router, you're mainly buying IOS and the design of the hardware - manufacturing's less important.

  • The 7200VXR is a very nice box - I have tested this with 38 Mbps of traffic going through it (from one fast ethernet interface to another), including half a page of access lists and route maps to mark IP Precedence. The CPU load was only 30% or so.

    More realistically, it can run custom queuing with minimal CPU loads (very nice for allocating bandwidth to high priority applications, i.e. class of service/QoS), unlike some older high-end routers.

    It has some backplane improvements over the older 7200s, so it's not just a matter of CPU speed and cache.
  • Nice to know, but the 700 series routers don't run IOS.

    The cheapest routers to run IOS are the 800 series, I believe (but watch out for exactly which features are implemented, some low end feature packs are missing surprising stuff).
  • Of course the port is mostly for hack value. But Cisco 2500s on EBay are rumored to cost ~US$500-1000, so it's not much more expensive than a much faster low-end PC. :-) The question is whether you can run Linux Router Project or equivalent router software on them with enough drivers for the various interface cards.
  • How much do you think it costs to hook a T1 (or E1 for the Europeans) to your Linux box. Hint, check out http://www.sangoma.com [sangoma.com]. You can get cisco routers this old pretty cheap now.
  • As I am in the process of porting linux to a Performance Technology "Instant Internet" router, I can explain why this is desirable.

    1) Cisco hardware is extremely trustworthy, much more so than the generic PC. Good telecommunications equipment (routers, muxes, DSUs) will run for decades in poorly ventilated dusty closets without any hardware maintenance at all.
    2) Router hardware boots fast. WAY fast. Iff it has a decent operating system. This is important in real life because even UPSes are really uninterruptible.
    3) Routers (though not the 2500) typically have ridiculously fast RAM for packet buffering. If linux can get Cisco-7000 class throughput on Pentium III hardware, think what it could do on a real router!
    4) All software can become obsolete, due to lack of compatibility with the real world (what do you mean we need NAT? We didn't need it yesterday!) or penetration (huh? our version of IOS is vulnerable to a script that's all over the net?) or various other reasons. Router software updates are EXPENSIVE!!! Trust me, I have "SmartNet Maintenance" from Cisco not because the hardware ever fails (it doesn't) but because it gives me access to the IOS download site for a single yearly fee. Linux updates are FREE.

    The last reason is the most compelling, obviously. Money talks, linux walks, er, runs.
    --Charlie
  • Isn't the point exactly that people shouldn't be posting with the aim
    of attracting positive moderation. By the time you've got to +50,
    hopefully you've proved yourself to be a house-trained member of the
    /. community, and so your only concern should be making posts that you
    think others would be interested in reading.

    That said, the current system is bizarre: I had a recent post [slashdot.org]
    that attracted a fair amount of moderation (as RMS criticisms do),
    which, although it received net positive moderation, knocked my karma
    down 4 points. Suggestion: instead of changing the way moderation is
    done, simply change the way it is displayed: if you have over 50 karma
    just show ">50".

  • it outsources its construction to places like celestica and such (just using this build-shop as an example; I have no idea if cisco uses this particular shop or not).

    but its for certain that dlink is NOT a build shop. that was my only point.

    --

  • Sir, we're seeing Packets From Mars!


    A Cisco 2500 is what, a 20MHz 68030? Lotsa spare cycles there....

  • People have theoretically showed themselves to be housetrained members of the slashdot community by the time they get the +2 bonus (well before reaching 50 karma) karma exists then not as a means of demonstrating you are housetrained but of accumulating respect.

    A quest for respect is in fact the reason we do most things. It doesn't actually benefit us any to post our ideas to Slashdot except we somehow gain pleasure out of the thought we will convince others of the validity of our positions. It is a similar desire for respect which drives altruism and other nice things in local communities (and some people who are just truly good).

    The internet however presents a medium where our contact with others is so fleeting (i.e. there are so many people we may interact with an entirely different set of people today as we did yesterday) that traditional methods of accumulating respect (people remember what you said before and gauge your current statements by it) aren't as efficient. To this end karma sort of serves as a cybernetic enhancement of these notions of respect... a limited one dimensional sort of group respect. Therefore by limiting karma at 50 you probably reduce the incentive for many people to post informative useful opinions.

    On the other hand just as you might have the con man manufacturing fake respect in the real world you might have karma whore using multiple accounts or other moderation schemes to falsely gain karma.
  • I almost hate to say this, but if someone is able to

    • replace IOS with Linux on my router
    • write a driver for Cisco's CSU/DSU modules and other proprietary hardware
    • have the whole thing work
    I say they can have my router. Hell I might even send 'em a case of Leinie's Red for just for putting on a good show.
  • I agree on the CSU stuff. Biggest target would probably be the 2 ethernet boxes like the 2514. Attacking from the inside is another option. I agree it will take a while to write the drivers but the Cisco source code has been floating in the cracker community for a while now. Can't be too hard to port the drivers. And heck, we just saw IP over DNS. There will always be people with too much free time. Oh, and I prefer Guinness...
  • by Anonymous Coward
    The fact is.. Modern Linux kernels (2.2 and ESP pre2.4) make a better router then IOS. I've seen a Linux router box (PIII 600) with 6x100TX/FDX sustaining 600mbit/sec of IP traffic with packet filtering and CBQ.

    The 5xxx series falls down above 200mbit/sec in the fastest forward-only mode.
  • by trims ( 10010 ) on Tuesday September 12, 2000 @08:41AM (#785276) Homepage

    I've seen a lot of truly, ahhh, stunning, ports of Linux over the last couple of years. Wristwatches, toasters, etc. all seem to attract the attention and adoration of linux porters.

    Now, what I'm seeing here is I think a conflict between two fundamental hacker tenets:

    1. Admire difficult and elegant coding - hackers tend to look up to others who can pull off a hard job. Call it the "hack value" karma.
    2. Use the right tool for the job - we also tend to stress utilitarianism and appropriateness.

    What I guess I'm worried about is that I tend to see the over-emphasis on the first (especially amongst the younger of us), and the slighting of the second.

    Yeah, there might be good, personal reasons for the above people to have ported Linux to Cisco. However, I'm not particularly happy that people tend to glorify these hackers and look down on the ones who might be (for instance) writing neat ASP scripts to talk to MS SQL servers from IIS.

    Fundamentally, I'm worried that in our zeal to promote Linux and Free Software, we run into the "Round Peg, Square Hole" syndrome (or, the "If all you have is a hammer, everything starts to look like a nail" problem).

    I guess what I'd like to see us as a community do is to place more value on doing the job right, which means using the appropriate tools (or, if there truly aren't good ones available, writing the correct thing), rather than spend time on things that in the end, are almost useless (other than perhaps educational use).

    Feeling a bit crotchety today...
    -Erik

  • Cish [freshmeat.net], config shell for linux routers that mimics a Cisco. Hey, it's a start.
  • Ever since they forgot to ask for the old one back when they upgraded me, I've been wondering what I could do with it. Heck, too bad I don't have a bunch of them, I could make them into a Beowulf cluster!

  • uClinux-cisco2500-0.1.tar.gz is 1169524 bytes
    INSTALL is 13164 bytes [virtualave.net]
    README is 254 bytes [virtualave.net]
    linux.bin is 1071900 bytes
    uClinux-c2500-uClinux-2_0_38_1pre7.diff is 4351814 bytes

    Wristwatches, Routers and what next?
    Personally I like the idea of being able to hack anything you want into the router....let it be FREE, but I wonder at the potential havoc that could be caused by bugs in these if it is ever adopted in volume (what's cisco's record like at security and bug fixing and will any GPL/OS solution be any better)? I also agree with a previous poster that Cisco are not going to be happy with this if it is viable for production systems. I can foresee the DoJ anti-trust case where Cisco are taken to task for hacking their routers and engaging in anti-competitive practices to maintain their monopoly.....oh dear, some things never change.

    Many network-statistics gathering programs require support from routers. The most notable of these is NetFlow, which is a very compute-intensive traffic aggregation tool run on Cisco routers. The router has to keep track of every packet stream passing through it, and routinely send information to a collector. This is a pretty powerful feature; Combine NetFlow with cflowd (www.caida.org), write a short little program to parse cflowd's output, and you know instantly how much network traffic you have, where it's coming from, where it's going, when it happened, what ports it crossed, total stream size, total packets sent, hop count and propagation delay. You can even expand this: With intelligent use of NetFlow and a little hacking, you can find out what protocols are running across your network, detect some types of malicious intrusion, and even throttle-back (or shutdown entirely) the network usage of some applications. Yes, there is a way to fix the network saturation problems around the widespread use of Napster - A way that doesn't involve legislation.

    All this is made possible /because/ routers have an operating system. Throw linux on them, and now you have a 'standard' platform, instead of CiscoOS or AIX, depending on the router.

    Intelligent routers are a very good thing - Think about the crazy caching schemes you could run if you could simply write a little C, rather than fabbing some new hardware.
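The "short little program" the post describes, as an added example that is not code from the post, from Cisco, or from CAIDA's cflowd: it packs a few constructed flow records in the NetFlow v5 wire format, parses them back with the standard-library `struct` module, sums traffic per (source, destination, destination port, protocol), and flags a source that touched many distinct ports on one host, a simple scan heuristic of the "detect some types of malicious intrusion" kind. Every address, port and byte count in it is constructed sample data; the header and record layouts are the documented NetFlow v5 format.

```python
"""Parse and aggregate NetFlow v5 export records.

Added example for this thread (not code from the post, from Cisco, or from
CAIDA's cflowd). Packs constructed flow records in the NetFlow v5 wire
format, parses them back, sums traffic per (src, dst, dst port, proto),
and flags a source that hit many distinct destination ports on one host.
All addresses, ports and counters below are constructed sample data.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format, network byte order: 24-byte header, 48-byte records.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
TCP = 6


def build_record(src, dst, sport, dport, proto, pkts, octets, tcp_flags=0):
    """Pack one v5 record from constructed values (nexthop, AS and time fields zeroed)."""
    return struct.pack(RECORD_FMT,
                       int(IPv4Address(src)), int(IPv4Address(dst)), 0,   # srcaddr, dstaddr, nexthop
                       1, 2,                                              # input, output ifIndex
                       pkts, octets, 0, 0,                                # dPkts, dOctets, first, last
                       sport, dport, 0, tcp_flags, proto, 0,              # ports, pad1, flags, prot, tos
                       0, 0, 24, 24, 0)                                   # src_as, dst_as, masks, pad2


def build_datagram(records):
    """Prepend a v5 header (uptime, timestamps and sequence zeroed) to packed records."""
    return struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)


def parse_v5(data):
    """Return a list of flow dicts from one v5 export datagram; reject malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    version, count = struct.unpack(HEADER_FMT, data[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "pkts": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                      "flags": f[12], "proto": f[13]})
    return flows


def aggregate(flows):
    """Sum packets and bytes per (src, dst, dport, proto), a cflowd-style report."""
    totals = defaultdict(lambda: [0, 0])
    for fl in flows:
        key = (fl["src"], fl["dst"], fl["dport"], fl["proto"])
        totals[key][0] += fl["pkts"]
        totals[key][1] += fl["octets"]
    return {k: tuple(v) for k, v in totals.items()}


def suspected_scanners(flows, port_threshold=10):
    """(src, dst) pairs where one source touched more than port_threshold TCP ports."""
    ports = defaultdict(set)
    for fl in flows:
        if fl["proto"] == TCP:
            ports[(fl["src"], fl["dst"])].add(fl["dport"])
    return sorted(k for k, v in ports.items() if len(v) > port_threshold)


# Constructed sample export: two web flows, one file-sharing flow, one port sweep.
SAMPLE_RECORDS = [
    build_record("10.0.0.5", "192.0.2.10", 40001, 80, TCP, 10, 4000, 0x18),
    build_record("10.0.0.5", "192.0.2.10", 40002, 80, TCP, 5, 2000, 0x18),
    build_record("10.0.0.7", "192.0.2.20", 40003, 6699, TCP, 300, 420000, 0x18),
] + [build_record("203.0.113.9", "192.0.2.10", 50000 + p, p, TCP, 1, 40, 0x02)
     for p in range(1, 16)]
SAMPLE_DATAGRAM = build_datagram(SAMPLE_RECORDS)


if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    for key, (pkts, octets) in sorted(aggregate(flows).items()):
        print(f"{key[0]:>12} -> {key[1]:<12} port {key[2]:<5} proto {key[3]}: {pkts} pkts, {octets} bytes")
    print("possible scanners:", suspected_scanners(flows))
```

The length check in `parse_v5` matters on a real collector: an export whose `count` field disagrees with the datagram size is either truncated or malformed, and silently unpacking past the end is how a flow parser ends up with garbage counters.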

  • cisco 3640 (R4700) processor (revision 0x00) with 73728K/24576K bytes of memory.

    Not to be obnoxious, but the 3640 isn't a totally low-end router (four slots) and it's running an IDT-licensed version of the MIPS R4000 processor. From the datasheet at IDT [idt.com] it appears to be just another general purpose CPU, not one dedicated to routing functions. I'm well aware that the really high-end products (like the 75xx series) have much more specialized route interface processors that handle routing, fast switching, and so on that PC architecture would be hard to handle. But I'd still like to see how many packets IOS running as the sole process on a 1GHz PIII with a dozen 100Mbit full duplex interfaces (on 64 bit PCI cards @ 66MHz) could forward. The biggest advantage wouldn't be for situations where you needed specific functions or capabilities, like load balancing across interfaces or aggregating interfaces -- best to buy the right hardware. Where I see the advantage is cheap, fast CPUs and cheap RAM.
  • Well, at least WRT ipnat, OpenBSD has the ability to have the internet side be a range, rather than a single address, and ports will be matched up if possible. Also, ipnat allows you to redirect things to other machines, instead of merely to the localhost. Ipnat also allows host mapping, where all packets meeting a certain criterion are rewritten to a specific host. IOS doesn't NAT at all.

    I'm currently employed in moving all the IPs in a class B, and OpenBSD's NAT capability has been invaluable in moving DNS servers and the like.

    In terms of ipfilter, ipf can keep state. That's the biggest thing. I think linux allows you to firewall based on any part of the packet, but ipfilter allows you to implement rules that consider multiple packets: e.g. ipfilter was able to filter the recent stream.c DoS, by blocking ACKs that didn't belong to a session in progress. You could also, for example, block all ICMP above a certain rate. AFAIK IOS' ability to filter is limited to port and ip address.

    Now, the Cisco PIX does have a NAT capability and probably has more thorough filtering capacity. But I don't know too much about it.

    Finally, I should point out that I am very much a Linux fan. I run linux at home. But if you're looking for a powerful router, OpenBSD is where it's at. Secure and functional. But I wouldn't want to run it as a workstation, and maybe not even a server -- after all, it doesn't even come with emacs!
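What "rules that consider multiple packets" means in practice, as an added example that is not the poster's code and not ipfilter itself: a toy stateful filter that passes a TCP segment only when it belongs to a connection the filter saw opened by a SYN, so a bare ACK from nowhere (the stream.c case above) is dropped, and that drops ICMP once more than a set number of packets arrive within one second. State here is only the address/port 4-tuple; a real stateful filter also tracks sequence windows and ages entries out. All packets are constructed tuples, not captured traffic.

```python
"""Toy stateful packet filter.

Added example for this thread (not the post's code and not ipfilter itself).
A TCP segment passes only if it belongs to a connection opened by a SYN the
filter has seen, so a stray ACK is dropped; ICMP above a per-second rate is
dropped. State is just the 4-tuple; real filters also track sequence windows
and timeouts. All packets below are constructed sample data.
"""
from collections import deque

TCP, ICMP = 6, 1
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


def pkt(t, proto, src, sport, dst, dport, flags=0):
    """Constructed packet summary: arrival time in seconds plus header fields."""
    return {"t": t, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


class StatefulFilter:
    def __init__(self, icmp_per_sec=5):
        self.sessions = set()        # (src, sport, dst, dport) of connections opened by a SYN
        self.icmp_times = deque()    # arrival times of ICMP packets passed in the last second
        self.icmp_per_sec = icmp_per_sec

    def decide(self, p):
        """Return "pass" or "drop" for one packet, updating state as a side effect."""
        if p["proto"] == TCP:
            return self._tcp(p)
        if p["proto"] == ICMP:
            return self._icmp(p)
        return "drop"

    def _tcp(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        flags = p["flags"]
        if flags & SYN and not flags & ACK:
            self.sessions.add(fwd)       # new connection attempt: create state
            return "pass"
        if fwd in self.sessions or rev in self.sessions:
            if flags & (FIN | RST):      # connection closing: forget it
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
            return "pass"
        return "drop"                    # ACK or SYN/ACK with no session behind it

    def _icmp(self, p):
        t = p["t"]
        while self.icmp_times and t - self.icmp_times[0] >= 1.0:
            self.icmp_times.popleft()    # slide the one-second window forward
        if len(self.icmp_times) >= self.icmp_per_sec:
            return "drop"
        self.icmp_times.append(t)
        return "pass"


def run_filter(packets, icmp_per_sec=5):
    """Apply one filter instance to a packet list; returns the verdict per packet."""
    f = StatefulFilter(icmp_per_sec)
    return [f.decide(p) for p in packets]


# Constructed trace: a normal handshake, a stray ACK, a burst of ICMP echoes, one later echo.
SAMPLE_PACKETS = [
    pkt(0.0, TCP, "10.0.0.5", 40000, "192.0.2.10", 80, SYN),
    pkt(0.1, TCP, "192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
    pkt(0.2, TCP, "10.0.0.5", 40000, "192.0.2.10", 80, ACK),
    pkt(0.3, TCP, "203.0.113.9", 1234, "192.0.2.10", 80, ACK),
] + [pkt(2.0 + i / 10, ICMP, "203.0.113.7", 0, "192.0.2.10", 0) for i in range(8)] + [
    pkt(3.5, ICMP, "10.0.0.5", 0, "192.0.2.10", 0),
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run_filter(SAMPLE_PACKETS)):
        print(f"t={p['t']:.1f} proto={p['proto']} {p['src']}:{p['sport']} -> "
              f"{p['dst']}:{p['dport']} flags={p['flags']:#04x} {verdict}")
```

Note the asymmetry the post is getting at: a stateless rule that says "allow TCP port 80" passes the stray ACK at t=0.3 just as readily as the real handshake, because nothing in that one packet distinguishes them; only the memory of the earlier SYN does.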
  • Gandalf?!

    Oh my god, I have an old Gandalf ISDN modem sitting in my closet somewhere. I bought it for $3.00, and only because I like the LCD screen's diagnostics.

    What's this thing worth?

    -- Give him Head? Be a Beacon?

  • I also bought their USB radio... it sucks, plain and simple.

    First of all, it should have come with AM support.

    Second of all, why didn't they design it so that the audio is sent over the USB connection as well? There's plenty of bandwidth available. I mean, what exactly is the point of having a USB cable on the thing when you have to plug the other cable into "Line In" to get it to work???

    Yeah, I found it hard to believe they make million dollar cisco router hardware once I bought that piece of crap...

    -thomas


    "Extraordinary claims require extraordinary evidence."
  • CRISCO? The vegetable oil?
  • There isn't a +50 karma cap. I think the cap is 100 (though due to various bugs in /. I've got it up to 101. Now, the karma-meter only registers mod-downs and not mod-ups. Don't you just love /.?)
  • by tswinzig ( 210999 ) on Tuesday September 12, 2000 @08:20AM (#785294) Journal
    My father used to install cable modems for RoadRunner in Orlando, FL. He got to install for all kinds of interesting people (a manager for the band Creed, the lead programmer on the Madden football games, etc).

    One time he installed a cable modem for a suit from D-Link. He asked my dad what he thought of D-Link products. My dad stated that he honestly thought of them as "generic" or low-end hardware.

    The guy laughed... then he told my dad that D-Link actually builds a lot of the hardware for Cisco. Not the cheap routers either ... the million-dollar ones.

    You are paying for the Cisco name.

    -thomas


    "Extraordinary claims require extraordinary evidence."
  • I've always wanted the ability to run tcpdump on a Cisco, and this would allow that. Furthermore, linux has much better packet mangling facilities than IOS. Sure IOS is good for passing packets around, but if you want to do any kind of NAT, port mapping, redirection, logging, or replication, you have to go with a UNIX.

    What would really be cool would be to see one of the BSDs (preferably OpenBSD) ported to these Ciscos. Then I could take advantage of the full functionality of ipnat and ipfilter, which are much more powerful than anything Cisco or Linux has to offer.

    Hmm, OpenBSD runs on an m68k. I wonder how much effort it would take to make this work....
  • by Ralph Wiggam ( 22354 ) on Tuesday September 12, 2000 @07:33AM (#785304) Homepage
    Every night, I kneel down at the foot of my bed and pray, "God bless Mommy, and Daddy, and can I please run Fortune on my Cisco router." Prayers do get answered.

    -B
  • by Frederic54 ( 3788 ) on Tuesday September 12, 2000 @07:33AM (#785305) Journal
    Actually there's QNX in cisco router, so i guess it's standard x86? here's the press release [qnx.com] on QNX web site. Maybe the cisco router can be the next i-opener thingy :)
    --
  • Well, think about this pragmatically. All these people porting Linux to silly platforms keeps them from making more GUI toolkits for X.

    X toolkits. Bring 'em on. The more the better.
  • Leseee, Linux on a wristwatch, router, Iopener, the list goes on and on. Yet Bill's pictured as the borg here?
  • by crgrace ( 220738 ) on Tuesday September 12, 2000 @07:36AM (#785313)

    If Cisco routers ran Linux, then no one would have to waste their time getting Cisco certified and Cisco wouldn't be able to make a mint training them. Somehow I don't think Cisco is going to think Linux on their routers is such a good idea.

  • having worked for several router manuf's in the past (cisco being one of them), I can say that I am not aware of anyone designing or building hardware for cisco other than cisco.

    your d-link rumor is pure falsehood...

    --

  • "I mean, one would assume that cisco's have some wacky hardware in them" they actually use a lot of standard stuff. 2500's, for example, use a Motorola 68030 (or one in that family) CPU, some NVRAM for permanent config stuff, some flash RAM as a sort of hard drive (permanent storage, the actual IOS image is stored there) and some DRAM for, well, DRAM stuff. (interface buffers, among other things), The higher end stuff uses RISC CPU's (MIPS for instance). Also, IOS is based on *nix, I believe, so I'd have thought this would be a fairly straight forward hack.
  • There are ways to bring down Cisco Switches using simple SNMP --whether you have community strings or not. They are IOS specific bugs.

    When brought to Cisco's attention, it was ignored. Then, all of a sudden, Cisco 1700/2900/5k/5500/6000 series switches don't support bridge tables anymore.

    There are other issues as well that I have identified, such as ISL trunks leaking un-encapsulated packets into a trunk, and certain plain packet header patterns (for example netbios browsing) triggering the multicast ISL interface (multicast, all interfaces on the trunk process it) to trigger Spanning-Tree recalculations, which causes the interface to go dead for: 2 * maxforward_delay + hello_time. Unless of course you have portfast/nodefast enabled (Which is Cisco's *extension* of 802.1d/q) whereby when this happens, all ports on Vlan1 (all designated bridges) flood while spanning-tree is recalculated.

    This basically turns your entire broadcast domain into one HUGE repeater. lol

    There's more. Point is, statements like that, which are unfounded aren't much use to anyone.

    Every OS has problems, and IOS is no exception.

    Anonymous on purpose.

  • I used to work at a company called Gandalf, who used to do routers and bridges and switches and stuff. While I was there, most of the boxes used Intel i960 processors, and they cross compiled all the C code on Solaris boxes using a GCC cross compiler.

    Since I was busy at the time writing an automated test tool that ran on a network of Linux computers (SLS 1.03, installed from 5.25" floppies), I thought it was cool that I was using a free operating system to test stuff that had been cross compiled on a free compiler.

    --
  • by jms ( 11418 )
    Did you review every line of the linux source code for this router?

    Of course not. That isn't my point.

    My point is:

    One is possible to verify.
    One is impossible to verify.

  • OK. I've been waiting to post this for a few weeks.

    We have one of the older, boxy Cisco PIX 50x firewalls. We have three ethernet ports on the box, and originally, 32 meg RAM. We had never opened the box for any reason before. Who knew what we could screw up on such an expensive piece of equipment? One day, we were messing around with the thing via telnet, and I discovered that the machine is actually an Intel P2-266 box! We immediately cracked the box open, to discover that there really was a full-size pentium II chip in the damn thing! What's even funnier is that the fan on the chip was Unplugged! The heatsink was burning hot to touch, since the machine had been running like this for approximately four months with no downtime. Needless to say, I reconnected the fan to the mobo.

    Let's describe the interior. We have a standard Intel motherboard, cisco-labeled RAM, no HD, a floppy plugged into the floppy controller, two NIC's, and the PIX card itself. All of the "special" pix IOS resides on this single ISA card. If this wasn't so damn expensive, I would have plugged the card into one of our older servers to see what would happen. Has anyone tried this? Also, there is the standard monitor port, etc. etc. on the mobo. I didn't try plugging in a display, because that would have involved dismounting the board from the box, and I don't think Cisco would have liked that. Anyway, the serial ports on the unit are actually routed into the COM ports on the mainboard via cables routed around the inside of the case.

    Now, have any of you ever seen the price of a RAM upgrade for one of these? Cisco wanted $900 for an upgrade to 128. Taking a leap of faith, I grabbed two dimms out of a box I had lying around in the office, and stuck them in the PIX. These were, by the way, cheap kingston, run-of-the-mill dimms that cost maybe $60 each. We restarted the monster, and waited about a minute for a telnet connection. Nothing happened. We powered it down, and removed the new RAM and rebooted. We timed the startup, and added the new RAM in again. It turns out that the delay was due to the BIOS POSTing the new RAM! The machine came up with no problems at all, and identified its new total amount of RAM with no problems.

    Has anyone tried anything more daring with a PIX?

    Also, if anyone has a broken pix, please e-mail me! gunnar@midsouth.rr.com.nospam
    --
    Michael C. Hollinger
    ePeople Mentor and Support Provider
    Please see my certifications at http://www.brainbench.com/transcript.jsp?pid=74170 2
  • Let's get the ISPs to run Quake Servers! That's the way to reduce latency; run it right at the router level!


    --

  • yes, there is something very useful about this...

    you'll be able to ssh into the router.

    Of course I remember something about Cisco starting to bundle ssh into IOS, but I don't know if it's there yet.
  • by swb ( 14022 ) on Tuesday September 12, 2000 @07:42AM (#785352)
    Personally I'd like to see IOS running on x86 hardware more than Linux on Cisco hardware. I'd love to get the functionality of IOS for ethernet routing on a box that didn't cost $20k. Yes, I know IOS is specially tuned to unique Cisco hardware, but for vanilla routing between ethernet interfaces (not frame-relay, not ATM, not OC-3) it'd be kind of nice to be able to run IOS on a 1 or 2U PC with 2-3 dual or quad port ethernet adapters.

    I'd be interested to see what kind of performance you could get out of IOS on x86, anyway -- are we really buying cool hardware with expensive routers, or just the Cisco name?
