Software VS Hardware [Router/Firewall/Loadbalancer]


uberguru

Member
Jun 7, 2013
I am just wondering, since there seem to be more and more software appliances for routers (Vyatta and others), firewalls (pfSense), load balancers (NetScaler)... wouldn't there still be a need for hardware, since one still needs ports and uplinks to connect to several servers?
I mean, with servers having 2 to 6 network ports, I am thinking there will still be a need for the hardware regardless, so what exactly is this new thing of software appliances?

Please chip in and let's hear your take on this issue. As for me, I am planning on having a 6U with 2 x 2U (4-node servers like the Supermicro Twin or C6100) servers and 2 x 1U hardware firewall/switch (possibly also load balancer/router). I will need the hardware because I need to connect the ports of the servers to the network. So seriously, the software appliances sound nice, but I mean I still need to connect to the ports to run, so what exactly is with this software? Why can't these companies just freaking install their supposedly magical software in the same hardware they already sell at unreasonably high prices, i.e. Cisco and the other goons?

Thanks
 

PigLover

Moderator
Jan 26, 2011
There's really no reason you couldn't go with 2x 1U servers for the software LB/Firewall/Router (Vyatta, etc.) and then put a relatively inexpensive 24-port switch in the rack to distribute ports. With VLAN separation you can break the switch up into multiple "virtual" switches. If you need redundancy you can go with two of them.

Switches like HP 1810-24g v2 or 1910-24g are perfect.

You can still get this to fit in 6U by using half-depth chassis for the 1U servers and then mounting the switch(es) on the rear of the rack behind the 1U servers.
 

uberguru

Member
Jun 7, 2013
PigLover said:
There's really no reason you couldn't go with 2x 1U servers for the software LB/Firewall/Router (Vyatta, etc.) and then put a relatively inexpensive 24-port switch in the rack to distribute ports. With VLAN separation you can break the switch up into multiple "virtual" switches. If you need redundancy you can go with two of them.

Switches like HP 1810-24g v2 or 1910-24g are perfect.

You can still get this to fit in 6U by using half-depth chassis for the 1U servers and then mounting the switch(es) on the rear of the rack behind the 1U servers.

The problem with that is I will still need to have 2 x switches... then I will be needing 4 x 1U just for firewall etc... that is why I believe hardware 2 x 1U is the best way to go... plus I believe I will get more performance, reliability and security going the hardware route. Do you agree?
 

PigLover

Moderator
Jan 26, 2011
Perhaps. If you could find an appliance with your specs - Router/Switch/Firewall/LB + enough ports embedded to support 8 blades each with 2x LAN + 1x IPMI - I might agree. I'd probably agree even more if, having found it, you could acquire it at a decent price. But AFAIK it doesn't exist in products that can be easily acquired for less than about $5k used.

You don't need 4U for 2 appliances and 2 switches. Like I said - use short depth servers attached to the front of your rack. Then place the 2 1U switches on the rear of the rack in the same "space" as the appliances running the software R/S/LB. Net 2U for appliances and switches - and bonus - cable management is radically simplified because all the network ends up facing the same face of the rack (the 2U blade chassis have network to the rear too).
 

NetWise

Active Member
Jun 29, 2012
uberguru said:
The problem with that is I will still need to have 2 x switches... then I will be needing 4 x 1U just for firewall etc... that is why I believe hardware 2 x 1U is the best way to go... plus I believe I will get more performance, reliability and security going the hardware route. Do you agree?

How do you end up with 4x 1U for the firewall on top of switches?

I guess one question is why you want to use 1U servers for Firewall/LoadBalancer/Router in the first place. Just put them on your 4-node 2U systems. You still need 2 switches of course, but you bring your internet into both switches on a VLAN, say 99. Then for your VMs (I use vSphere), on your hosts, you ensure that you have at least one port group that is on VLAN 99 and brings your internet in to your VA firewall/router. From there, you bring out your trusted side on any or all port groups you like. Not only do you have the flexibility, but you don't have a single point of failure. Your firewall VM can move around with vMotion or HA as needed. As you have 2 of the 4-node servers, you have physical segregation to protect against that.

So all you really need is 2x 1U switches, and 2x 2U 4 node servers. The extra 2x 1U servers is "a way" to do it, but it doesn't have to be done - you can consolidate onto the VM hosts.

You may get more performance the other way, but unless your internet inbound is 1Gbit, it's not going to matter; you're exceptionally unlikely to saturate it.

uberguru said:
I will need the hardware because I need to connect the ports of the servers to the network. So seriously, the software appliances sound nice, but I mean I still need to connect to the ports to run, so what exactly is with this software? Why can't these companies just freaking install their supposedly magical software in the same hardware they already sell at unreasonably high prices, i.e. Cisco and the other goons?

You answered your own question. Why would they do something that works best for you, when they sell it at unreasonably high prices? How would they keep charging that if they made it simple? As to what makes the software appliances nice:
* Ability to spin them up in a multi-tenant environment with no additional power/cooling/rack space. Multi-tenant may also mean DEV/TEST.
* Ability to replicate the virtual appliances, such as to DR. Forget migrating rules and configs - move the ACTUAL VMs to the DR site.
* Want to test something? Spin up a clone. It's hard to clone a 1U physical appliance.
* Want to expand it? Add more vRAM/vCPU or vNICs by adding commodity hardware to your host.
* If you're using 10GbE+ vs 1GbE, then the issues with performance and saturation of links largely go away.

That's just my $0.02....
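As an added example that is not part of any post in this thread, here is what the layout NetWise describes looks like as a set of Vyatta Core / VyOS configuration-mode commands for the firewall/router VM: eth0 is the vNIC on the VLAN 99 port group (the untrusted uplink), eth1 is a vNIC on a trusted port group. The interface names, VLAN IDs, addresses, the upstream gateway and the published server are all assumptions for illustration. Two checks the thread does not spell out: the VLAN 99 port group should be an access port group, not a VLAN trunk (VLAN 4095 in vSphere), so the firewall VM can only see the untrusted segment; and the IPMI ports PigLover mentions should sit on their own VLAN that is never bound to this VM, because anything reachable from eth0 is exposed to the internet unless a rule drops it.

```vyatta
# Added example, not from the thread. Vyatta Core / VyOS style commands,
# entered in configure mode. All names, VLANs and addresses are assumptions:
#   eth0 -> port group on VLAN 99 (untrusted, carries the internet uplink)
#   eth1 -> port group on VLAN 10 (trusted server LAN)
#   IPMI/management stays on a separate VLAN with no vNIC on this VM.

configure

set interfaces ethernet eth0 description 'WAN (port group on VLAN 99)'
set interfaces ethernet eth0 address '203.0.113.2/29'
set interfaces ethernet eth1 description 'LAN (port group on VLAN 10)'
set interfaces ethernet eth1 address '10.0.10.1/24'
set protocols static route 0.0.0.0/0 next-hop '203.0.113.1'

# Traffic transiting the VM from the WAN towards the servers:
# default drop, allow replies to outbound sessions, publish one service.
set firewall name WAN-IN default-action 'drop'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 state established 'enable'
set firewall name WAN-IN rule 10 state related 'enable'
set firewall name WAN-IN rule 20 action 'drop'
set firewall name WAN-IN rule 20 state invalid 'enable'
set firewall name WAN-IN rule 100 action 'accept'
set firewall name WAN-IN rule 100 description 'published web server (assumed)'
set firewall name WAN-IN rule 100 destination address '10.0.10.10'
set firewall name WAN-IN rule 100 destination port '80,443'
set firewall name WAN-IN rule 100 protocol 'tcp'

# Traffic addressed to the router VM itself from the WAN: replies only.
# Management of the VM is done from the trusted side, never from eth0.
set firewall name WAN-LOCAL default-action 'drop'
set firewall name WAN-LOCAL rule 10 action 'accept'
set firewall name WAN-LOCAL rule 10 state established 'enable'
set firewall name WAN-LOCAL rule 10 state related 'enable'

# Bind both rule sets to the untrusted interface.
set interfaces ethernet eth0 firewall in name 'WAN-IN'
set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'

# Outbound NAT for the trusted LAN.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.0.10.0/24'
set nat source rule 100 translation address 'masquerade'

# Inbound DNAT for the published service; pairs with WAN-IN rule 100.
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 destination port '80,443'
set nat destination rule 100 translation address '10.0.10.10'

# SSH to the router VM only on the LAN address.
set service ssh port '22'
set service ssh listen-address '10.0.10.1'

commit
save
```

The `in` rule set filters what is forwarded to the servers; the `local` rule set filters what may reach the firewall VM's own services, which is the part people forget when they carry a "hardware is more secure" assumption over to a VM. Cloning this VM to DR, as NetWise suggests, carries the rule sets with it, which is exactly the replication argument being made.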
 

uberguru

Member
Jun 7, 2013
PigLover said:
Perhaps. If you could find an appliance with your specs - Router/Switch/Firewall/LB + enough ports embedded to support 8 blades each with 2x LAN + 1x IPMI - I might agree. I'd probably agree even more if, having found it, you could acquire it at a decent price. But AFAIK it doesn't exist in products that can be easily acquired for less than about $5k used.

You don't need 4U for 2 appliances and 2 switches. Like I said - use short depth servers attached to the front of your rack. Then place the 2 1U switches on the rear of the rack in the same "space" as the appliances running the software R/S/LB. Net 2U for appliances and switches - and bonus - cable management is radically simplified because all the network ends up facing the same face of the rack (the 2U blade chassis have network to the rear too).

Well, I already will have redundant PDUs at the back of the security hardware as well. And I am not sure if the C6100 is a short-depth server either.
I am not sure if I need the router... the only reason I am thinking of the router part is if I plan on getting my own ASN... which I am seriously thinking of... the server will be in the Netherlands... so not sure how easy it is to get an ASN from RIPE.
 

uberguru

Member
Jun 7, 2013
NetWise said:
Just put them on your 4-node 2U systems. You still need 2 switches of course, but you bring your internet into both switches on a VLAN

Well, that is 2 servers I could be using for something else. I understand the cost part, but I am thinking of investing in a solid setup that will probably be on for years... like 5 years at least, you know.

I will think about the software part though, especially as one can even get free or open-source ones... which will be a great cost saver. So yes, I will look into that as well... thanks.
 

uberguru

Member
Jun 7, 2013
PigLover said:
Perhaps. If you could find an appliance with your specs - Router/Switch/Firewall/LB + enough ports embedded to support 8 blades each with 2x LAN + 1x IPMI - I might agree. I'd probably agree even more if, having found it, you could acquire it at a decent price. But AFAIK it doesn't exist in products that can be easily acquired for less than about $5k used.

You don't need 4U for 2 appliances and 2 switches. Like I said - use short depth servers attached to the front of your rack. Then place the 2 1U switches on the rear of the rack in the same "space" as the appliances running the software R/S/LB. Net 2U for appliances and switches - and bonus - cable management is radically simplified because all the network ends up facing the same face of the rack (the 2U blade chassis have network to the rear too).

NetWise said:
You answered your own question. Why would they do something that works best for you, when they sell it at unreasonably high prices? How would they keep charging that if they made it simple? As to what makes the software appliances nice:
* Ability to spin them up in a multi-tenant environment with no additional power/cooling/rack space. Multi-tenant may also mean DEV/TEST.
* Ability to replicate the virtual appliances, such as to DR. Forget migrating rules and configs - move the ACTUAL VMs to the DR site.
* Want to test something? Spin up a clone. It's hard to clone a 1U physical appliance.
* Want to expand it? Add more vRAM/vCPU or vNICs by adding commodity hardware to your host.
* If you're using 10GbE+ vs 1GbE, then the issues with performance and saturation of links largely go away.

That's just my $0.02....

I think I will be going for the software option because of cost and flexibility. I will just get redundant switches instead.
Thanks for the advice and recommendations.
 

uberguru

Member
Jun 7, 2013
Quick question.

Is the open-source Vyatta the same feature-wise as the enterprise Vyatta 5400/5600?
What is in the enterprise Vyatta that is not in the open-source Vyatta? Apart from the support, of course.

Also, since Vyatta is known as a vRouter... can I just use it as a firewall/security device without the router functionality?

Are Vyatta and pfSense the same kind of thing? If yes, then Vyatta or pfSense, which one do you vote for?


Thanks.
 

bwillcox

Member
Jan 20, 2013
The open-source Vyatta does not have the web interface or support from Brocade. Honestly, pfSense will be easier to work with unless you have some Cisco/Juniper/etc. command-line experience.