smiles@ferrari.nmc.ed.ray.com (Kevin Ruddy) (10/25/90)
I was just asked by an officemate of mine what the disadvantages of using an intelligent bridge over a dedicated router would be. We have about 20 SPARCstation 1s on a subnet, and another bunch of PCs and things on another subnet. Since most of the traffic on these two subnets is local to their segment, what problems would we encounter by removing the dedicated routers and replacing them with intelligent bridges? It would keep the local traffic local, but I know we would be vulnerable to broadcast storms. The company is, of course, interested in cost-savings. So what are the downfalls?

Thanks for your help.

Kevin Ruddy
smiles@ferrari.nmc.ed.ray.com
allan@frisbee.cisco.com (Allan Leinwand) (10/25/90)
I can think of a few downfalls other than broadcast storms:

1. an intelligent bridge will not separate your address space like a router. Thus, your two subnets will exist on one logical LAN. This may result in configuring routers to understand this situation.

2. a bridge will not allow you to control the network for security reasons as well as a router if you are running multiple protocols (such as IP and DECnet). With a bridge all of your security control is usually based upon the MAC level address of a host. Keeping up with board swaps and changing MAC addresses can become a configuration nightmare. With a router, the security can usually be set up to understand the network protocol level addresses. This usually makes security management a bit easier.

3. dare I say this? With many routers having SNMP agents, this gives you a basis for network management. Yet, (contradicting myself :-)) some bridges now answer SNMP.

4. the cost of a low end, two port router (which has router functionality AND bridge functionality) may surprise you....

Thanks,

Allan Leinwand
cisco Systems
leinwand@cisco.com
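The broadcast-domain and MAC-versus-network-address points in the two posts above can be made concrete with a small model. The following is an added example written for this page, not code from either poster: a learning bridge joining a "sparc" and a "pcs" segment, a router between two IP subnets, and the two access-control styles under discussion. All MAC addresses, the subnets 192.0.2.0/24 and 198.51.100.0/24, and the segment names are constructed for the illustration.

```python
"""Toy model of the two designs debated in this thread: a learning bridge
joining two segments versus a router between two IP subnets.  Added
illustration, not code from any of the posters; every address below is
constructed (documentation ranges 192.0.2.0/24 and 198.51.100.0/24)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class LearningBridge:
    """Forwards on MAC addresses only: unicast to a MAC already seen goes out
    the port it was learned on; unknown unicast and broadcast flood every
    other port, which is why one bridged LAN is one broadcast domain."""

    def __init__(self, ports):
        self.ports = list(ports)   # segment names, e.g. "sparc", "pcs"
        self.table = {}            # learned MAC -> port

    def forward(self, frame, in_port):
        self.table[frame.src_mac] = in_port         # learn the sender's port
        out = self.table.get(frame.dst_mac)
        if frame.dst_mac != BROADCAST and out is not None:
            return [] if out == in_port else [out]  # local traffic stays local
        return [p for p in self.ports if p != in_port]  # flood everything else


class Router:
    """Forwards on the IP destination; link-layer broadcasts stop here."""

    def __init__(self, routes):
        self.routes = {ip_network(n): port for n, port in routes.items()}

    def forward(self, frame, in_port):
        if frame.dst_mac == BROADCAST:
            return []                               # never crosses a router
        dst = ip_address(frame.dst_ip)
        for net, port in self.routes.items():
            if dst in net:
                return [] if port == in_port else [port]
        return []                                   # no route: drop


def broadcast_reach():
    """Which segments a broadcast from the SPARC segment reaches."""
    bridge = LearningBridge(["sparc", "pcs"])
    router = Router({"192.0.2.0/24": "sparc", "198.51.100.0/24": "pcs"})
    bcast = Frame("08:00:20:00:00:0a", BROADCAST, "192.0.2.10", "192.0.2.255")
    return bridge.forward(bcast, "sparc"), router.forward(bcast, "sparc")


def local_unicast_stays_local():
    """Once the bridge has learned both hosts, SPARC-to-SPARC traffic is not
    copied to the PC segment (the very first frame to an unknown MAC floods)."""
    bridge = LearningBridge(["sparc", "pcs"])
    a, b = "08:00:20:00:00:0a", "08:00:20:00:00:0b"
    bridge.forward(Frame(b, a, "192.0.2.11", "192.0.2.10"), "sparc")  # learns b
    return bridge.forward(Frame(a, b, "192.0.2.10", "192.0.2.11"), "sparc")


def mac_allowlist_permits(allowed_macs, frame):
    """Bridge-style control: keyed on the source hardware address."""
    return frame.src_mac in allowed_macs


def ip_acl_permits(allowed_nets, frame):
    """Router-style control: keyed on the source network address."""
    return any(ip_address(frame.src_ip) in net for net in allowed_nets)


def nic_swap_demo():
    """A host keeps its IP address but gets a new MAC after a board swap:
    the MAC allow-list now rejects it, the subnet-based ACL does not."""
    allowed_macs = {"08:00:20:11:22:33"}
    allowed_nets = [ip_network("192.0.2.0/24")]
    before = Frame("08:00:20:11:22:33", "08:00:20:aa:bb:cc", "192.0.2.10", "198.51.100.5")
    after = Frame("08:00:20:44:55:66", "08:00:20:aa:bb:cc", "192.0.2.10", "198.51.100.5")
    return {
        "mac_before": mac_allowlist_permits(allowed_macs, before),
        "mac_after": mac_allowlist_permits(allowed_macs, after),
        "ip_before": ip_acl_permits(allowed_nets, before),
        "ip_after": ip_acl_permits(allowed_nets, after),
    }


if __name__ == "__main__":
    print("broadcast reaches:", broadcast_reach())
    print("local unicast forwarded to:", local_unicast_stays_local())
    print("after NIC swap:", nic_swap_demo())
```

The model shows both sides of the trade: the bridge keeps learned unicast traffic on its own segment but hands every broadcast to the other segment, while the router contains broadcasts and keeps working through a NIC replacement because its policy is keyed on the address that does not change. Neither address is authenticated by either device, which is the gap a higher-layer mechanism has to fill.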
salzman@NMS.HLS.COM (Mike Salzman) (10/27/90)
Allan Leinwand of cisco writes:
>
> I can think of a few downfalls other than broadcast storms:
>
> 1. an intelligent bridge will not separate your address space like a
> router. Thus, your two subnets will exist on one logical LAN. This
> may result in configuring routers to understand this situation.
>

Allan, it is disingenuous to argue the case of routers vs bridges on the basis of the damage that bridges inflict on the router. More importantly, routers impose an absolutely necessary management overhead on the installer/user of the router, while bridges can be plug and play (for the simple bridging functions). I have seen articles written by network managers of two major corporations ogling over their routers and all the wonderful ingenious schemes that they came up with to partition their subnets and address spaces so that they could use their routers. While they struggled to deal with organizational movements and the subsequent impact on address allocations, they could have simply moved the users in a bridged environment and been done with it. The burden of planning and administering a routered system is neglected by purveyors of routers to the detriment of innocent users who view routers as a better alternative to bridges. More about this issue later.

> 2. a bridge will not allow you to control the network for security
> reasons as well as a router if you are running multiple protocols (such
> as IP and DECnet). With a bridge all of your security control is usually
> based upon the MAC level address of a host. Keeping up with boards
> swaps and changing MAC addresses can become a configuration nightmare.
> With a router, the security can usually be setup to understand the
> network protocol level addresses. This usually makes security
> management a bit easier.
>

Here too, you are furthering half truths. Stopping at the network layer is not the magical solution. You imply that the MAC address is insufficient, yet you make the point that protocol independence is a necessary attribute of security. I agree with your assertion that the router can more finely control its activity. Today's bridges, however, offer filtering options which can effectively accomplish the same task, via protocol filtering and masking. Moreover, we find it quite useful to specify the MAC address of those machines which we permit to access the net, regardless of the protocols they use. I can also argue that the next layer up would offer an even finer level of control, and stopping at the IP layer is not necessarily the optimal answer. Kerberos offers an even better answer. The conclusion is that routers offer a different, finer granularity, and more complex form of access control, which may be appropriate in certain cases.

> 3. dare I say this? With many routers having SNMP agents, this
> gives you a basis for network management. Yet, (contradicting myself
> :-)) some bridges now answer SNMP.
>

In the 89 Interop, we demonstrated several bridges with SNMP management. This argument is clearly a red herring.

> 4. the cost of a low end, two port router (which has router
> functionality AND bridge functionality) may surprise you....
>

Touche. Your recent announcement is indeed a triumph and an innovation. It still does not replace bridges. You do not need to denigrate bridges in order to gain a place for routers -- they are not head to head competitors. In competitive situations, vendors often pitch one against the other, based on the rule that you sell what you have, or what will win the bid. Nevertheless, routers have a role in backbone applications, in wide area applications, and in cases where the address management features are fruitfully applicable. Bridges have an equally important role in subnet traffic management, and providing connectivity behind the backbone, within a building, or within a facility. Bridges will remain easier and cheaper to operate simply because they operate at lower levels than routers. Similarly, repeaters operate at an even lower level, and are correspondingly easier to administer.

> Thanks,
>
> Allan Leinwand
> cisco Systems
> leinwand@cisco.com
>

You're welcome.

--
-------------------- salzman@hls.com ----------------------
Michael M. Salzman            Voice (415) 966-7479   Fax (415)960-3738
Hughes Lan Systems            1225 Charleston Road   Mt View Ca 94043
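Salzman's reply above leans on "protocol filtering and masking" at the bridge plus a MAC allow-list. The following is an added example for this page, not Hughes LAN Systems or cisco code, of what such a bridge-port policy looks like when applied to raw Ethernet II frames: the 14-byte header is parsed, the source MAC is checked against an allow-list, and the Ethertype is matched against rules with a mask so one rule can cover a whole block of protocol types. The MACs, the sample frames and the policy itself are constructed for the illustration; the Ethertype values (IP 0x0800, ARP 0x0806, DECnet Phase IV 0x6003) are the standard assignments.

```python
"""Protocol (Ethertype) filtering on a bridge port, with masking and a
source-MAC allow-list.  Added illustration, not any vendor's code; the
frames, MAC addresses and policy below are constructed for the example."""
import struct
from dataclasses import dataclass

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_DECNET_IV = 0x6003
MAX_8023_LENGTH = 0x05DC        # values at or below this are 802.3 lengths
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]


def build_frame(dst, src, ethertype, payload=b""):
    """Builds constructed test frames; the inverse of parse_ethernet."""
    raw = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return raw + struct.pack("!H", ethertype) + payload


@dataclass
class EthertypeRule:
    value: int
    mask: int = 0xFFFF     # 0xFFFF = exact match; a narrower mask covers a range
    permit: bool = True

    def matches(self, ethertype):
        return (ethertype & self.mask) == (self.value & self.mask)


class FilteringBridgePort:
    """First matching rule decides; no match means drop.  An optional source
    MAC allow-list is checked before the protocol rules."""

    def __init__(self, rules, allowed_src_macs=None):
        self.rules = list(rules)
        self.allowed_src_macs = allowed_src_macs

    def admit(self, frame):
        """Returns (permitted, reason) for one frame arriving on this port."""
        _dst, src, ethertype, _payload = parse_ethernet(frame)
        if self.allowed_src_macs is not None and src not in self.allowed_src_macs:
            return False, f"source {src} not in allow-list"
        if ethertype <= MAX_8023_LENGTH:
            return False, "802.3 length field, not an Ethertype"
        for rule in self.rules:
            if rule.matches(ethertype):
                verdict = "permit" if rule.permit else "deny"
                return rule.permit, f"{verdict} ethertype 0x{ethertype:04x}"
        return False, f"no rule for ethertype 0x{ethertype:04x}"


def demo_policy():
    """IP and ARP permitted; the 0x6000-0x600f block that holds DECnet Phase
    IV denied with one masked rule; only one known NIC may source frames."""
    port = FilteringBridgePort(
        rules=[
            EthertypeRule(ETHERTYPE_IP),
            EthertypeRule(ETHERTYPE_ARP),
            EthertypeRule(0x6000, mask=0xFFF0, permit=False),
        ],
        allowed_src_macs={"08:00:20:00:00:0a"},
    )
    known, unlisted = "08:00:20:00:00:0a", "00:00:00:00:00:01"
    frames = {
        "ip_from_known": build_frame(BROADCAST, known, ETHERTYPE_IP, b"\x45"),
        "arp_from_known": build_frame(BROADCAST, known, ETHERTYPE_ARP),
        "decnet_from_known": build_frame(BROADCAST, known, ETHERTYPE_DECNET_IV),
        "ip_from_unlisted": build_frame(BROADCAST, unlisted, ETHERTYPE_IP),
        "ieee8023_length": build_frame(BROADCAST, known, 0x0040),
    }
    return {name: port.admit(f)[0] for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo_policy().items():
        print(f"{name:20s} -> {'forward' if verdict else 'drop'}")
```

The masked deny rule is the "masking" part of the argument: a single entry keeps a whole family of protocol types off a segment without listing each one. Note what the filter cannot see: anything inside the payload, so per-host policy within a permitted protocol still depends on the source MAC, which is exactly the field that changes on a board swap.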