
How Brocade missed the boat with Vyatta (2014) - walterbell
http://dotbalm.org/brocade-missed-the-boat-with-vyatta/
======
godzillabrennus
[http://Pfsense.org](http://Pfsense.org) has the open source use as you want
model and hardware you can buy as well.

Unlike Vyatta it lacks a strong command line management console but more than
makes up for it with a best in class web GUI.

Unfortunately though Pfsense took a huge step backwards with its founder CMB
moving over to Ubiquiti to work on proprietary software/hardware. Hopefully
Netgate the corporation behind the hardware and software for Pfsense will keep
development moving forward without the founder.

~~~
ddeck
If the Vyatta CLI is important you might consider VyOS [1], which is the open
source version of Vyatta. It was forked from the community edition after
Brocade stopped development of it and closed-sourced the main edition.

[1] [https://vyos.io/](https://vyos.io/)

------
jauer
This is a case where the writer isn't in Brocade's target market or the
article just hasn't aged well :)

There are any number of open source router distributions using kernel-based
forwarding (e.g. not fast enough for high PPS/limited utility in carrier
environments). When it was introduced Vyatta was trying to sell hardware to
compete with Cisco branch/ISR routers using the FOSS & make money on
hardware+services model. Thing is Cisco ISRs integrate a lot more than routing
(to the point of being a branch office in a box) so there wasn't a ton of
demand for pricy commodity hardware. Imagestream was another vendor trying to
compete on that model that has faded.

Around that time NFV became the new hotness (moving services like NAT, VPN,
firewall to VMs so big expensive routers can focus on just moving traffic).
Now, kernel-based forwarding routers are glass cannons. They can achieve high
data rates with large packet sizes but tend to fall over when exposed to high
rates of small packets like you'd find in VoIP or DoS traffic. This limits
their usefulness in environments where you need to handle and block a lot of
bad traffic. Brocade acquires Vyatta and reworks it to use DPDK (userland
forwarding) so it doesn't fall over. They aren't the only one: Juniper has
vMX, Alcatel-Lucent has VSR. All router products designed to fit into a pretty
specific niche--one where _not_ selling hardware is the niche.

------
walterbell
Are there open-source or proprietary firewall distros (*BSD, Linux) which
support per-user or per-group firewall rules for IPsec VPN users?

e.g. pfSense has Radius support, but no way to link users with firewall rules.
IPsec cannot assign a unique IP address to an authenticated user, so it's not
possible to use host-based firewall rules. One use case is to provide
different groups of users with access to isolated networks or subsets of the
public internet.

------
TimMeade
Just wanted to say we started with vyatta back in 2012 or so. When they went
the way of brocade, we switched ultimately to VyOS and have been running on it
ever since. Some on atom boxes with small offices and some on dell machines
for datacenter use and some vmware virtual for sdn type stuff. For 99% of the
time, we have been pretty pleased. VyOS is well worth a look.

------
jstoja
Has anyone ever worked with Ubiquiti Networks products? I'm wondering how well
it would behave for datacenter switching.

~~~
user5994461
OMG. I wouldn't put that anywhere near a datacenter network.

It's cheap hardware for small business. It isn't anywhere close to the level
of quality required for a datacenter and it lacks basic features/protocol.

War story: If we change the wifi password, all our Ubiquiti access points will
reboot and the wifi will be unavailable for the next 10-30 minutes :D

~~~
FireBeyond
What basic features and protocols are the Edge stuff missing (certainly BGP)?

"War story: If we change the wifi password, all our Ubiquiti access points will
reboot and the wifi will be unavailable for the next 10-30 minutes :D"

This is how it used to be. When I update firmware, all our APs don't go down
at once, they go down sequentially, one at a time.

I've never seen a reboot to change an SSID password.

~~~
user5994461
Well, I only have Wifi access points, I don't know what will be missing from
switches/routers.

I'd have a doubt about these features, for instance: 802.1x, some VLAN stuff,
rate limiting/traffic shaping, ACL, OSPF, BGP, LACP.

And even if they're advertised as "present" in the datasheet, that doesn't
necessarily mean that they are fully functional. Plus there is no CLI for the
configuration.

---

"I've never seen a reboot to change an SSID password."

I've never seen that except with ubiquiti. And I guarantee you that ALL access
points do reboot at the same time. To add to the pain, they take > 10 minutes
to come back online so it's really painful.

~~~
FireBeyond
Perhaps look at your controller software, enable some of the Update settings.
Because I guarantee you that the three APs I have here will reboot, one at a
time, in sequence. And when they do, it's <2 minutes (with AP AC Pro v2s).

There's no CLI for configuration? You really haven't done much research -
there absolutely is, based off Vyatta/VyOS/JunOS.

In fact, most of the "advanced" functionality is CLI-only.

I use: VLANs, traffic shaping, ACLs, LACP. RIP and OSPF are supported but I
don't use them. 802.1x and BGP are not.

