vyatta的fork开源版本vyos

vyatta的fork开源版本vyos

来源： https://www.reddit.com/r/networking/comments/3dvwfy/who_here_is_using_vyos/

Vyatta came in two flavors: Community Edition and Subscription Edition. VyOS was forked from Vyatta CE 6.6R1. The commercial version of Vyatta at the time (SE) used a different (non-free) routing engine called ZebOS from IP Infusion. IP Infusion was started by the authors of GNU Zebra when they realized they could make money off the project and closed it up. Quagga (which is what VyOS is using) was a fork of GNU Zebra from before they went closed source.

The major functionality you get with ZebOS instead of Quagga is multicast routing and DMVPN support. IIRC up until 6.6 Vyatta was also using Quagga for its commercial offering. The major feature of the commercial offering vs. open source was the web GUI and support and "config-sync" for clustering.

When Brocade purchased Vyatta Inc the product became the "Vyatta vRouter 5400". Brocade also released another version of Vyatta that leverages Intel DPDK to implement a custom (non-free) forwarding engine that scales performance into the 100G range. That one is called the "vRouter 5600".
Similarly EdgeOS (Ubiquiti EdgeRouter) was forked from Vyatta CE 6.3. Changes between 6.3 and 6.6 are a major reason for configuration inconsistencies between EdgeOS and VyOS (specifically in the areas of NAT and policy routing configuration). Ubiquiti EdgeOS is built using the Linux SDK for the Cavium Octeon network CPU that they use for the EdgeRouter to take advantage of hardware acceleration. The other big thing Ubiquiti brought to the table was a really well designed web GUI (both visually and technically).

VyOS has made some progress as well. Initial support for DMVPN and VXLAN were introduced in the 2nd major release (1.1) along with support for 802.1ad (Q-in-Q tagging) and IGMP proxy for basic multicast support.

VyOS is a pretty active project with their IRC channel on Freenode having over 100 users and 11 releases since 1.0.0 in December of 2013 and the 3rd major release (Lithium) around the corner.

Support for Intel DPDK is out of scope for VyOS but a lot of companies are building versions of Linux that support Intel DPDK which VyOS can be built upon. Specific examples being Wind River Linux (now an Intel company) 6WIND and MontaVista. Because they implement DPDK support at the kernel level VyOS is basically a drop-in to add configuration management for these. I am hoping that with the purchase of Wind River Intel will eventually open source the DPDK-powered Linux enhancements.

Where I use VyOS the most is as a firewall. The flexibility to right-size a single solution across physical and virtual firewall needs is really a killer app of VyOS. The firewall policy configuration syntax is very verbose and makes policy audits easy even for security engineers unfamiliar with VyOS specifically. We were able to modify RANCID pretty easily to automate configuration backups for VyOS devices like we do for Cisco. 

Because the configuration file has all system config it makes swapping a failed unit less like rebuilding a Linux server and more like applying a configuration file to a traditional network device. I use VRRP and conntrack-sync for failover which works nicely.

Shortcomings and things to improve:
1 Network/Address group support for IPv6 (currently IPv4 only)
2 It would be nice to see VRRP support for IPv6
3 Adjustments to firewall policy engine when applied to bridge interfaces to better support VyOS in a transparent bridge firewall configuration (currently possible but not "clean").
4 Cross-system LACP to support horizontal scaling of transparent firewall.
5 More work is needed to polish up "cluster mode" and we need config-sync to avoid having to configure multiple devices when in pairs.
6 NAT logging is a challenge at large scale (10000+ users). This is a Linux problem. It would be nice to see the netfilter project implement a CGN kind of offering that mapped a specific range of ports to each internal IP to avoid the need for translation logging.
7 It would be nice to see a DHCPv6 relay agent support injecting routes for DHCPv6-PD and more DHCPv6 support in general.
8 IPv6 transition technologies like NAT64 with DNS ALG.
9 Add VRF-Lite support (start with isolating management VRF)
10 Add Multicast routing support (PIM-SM)
11 JSON-RPC based web API and an optional web GUI that uses the API that can be run locally or on a separate system.

============ End