
I am trying to explain why we cannot have a virtual router for our physical network, why it's bad to plug the internet connection into our core switch and run a virtual router.

 

Apart from it being a bad idea due to traffic flooding the switch, what security issues does it pose? I know there are lots, but I'm not a network engineer and cannot articulate them.

 

Any help would be great 

 

Thanks

Stephen

 

 

https://linustechtips.com/topic/453775-help-with-why-this-is-bad/

virtual routers are prone to exploits and frequent failures. Not to mention they're a headache to manage and properly set up.

Remember kids, the only difference between screwing around and science is writing it down. - Adam Savage

 

PHOΞNIX Ryzen 5 1600 @ 3.75GHz | Corsair LPX 16Gb DDR4 @ 2933 | MSI B350 Tomahawk | Sapphire RX 480 Nitro+ 8Gb | Intel 535 120Gb | Western Digital WD5000AAKS x2 | Cooler Master HAF XB Evo | Corsair H80 + Corsair SP120 | Cooler Master 120mm AF | Corsair SP120 | Icy Box IB-172SK-B | OCZ CX500W | Acer GF246 24" + AOC <some model> 21.5" | Steelseries Apex 350 | Steelseries Diablo 3 | Steelseries Syberia RAW Prism | Corsair HS-1 | Akai AM-A1

D.VA coming soon™ xoxo

Sapphire Acer Aspire 1410 Celeron 743 | 3Gb DDR2-667 | 120Gb HDD | Windows 10 Home x32

Vault Tec Celeron 420 | 2Gb DDR2-667 | Storage pending | Open Media Vault

gh0st Asus K50IJ T3100 | 2Gb DDR2-667 | 40Gb HDD | Ubuntu 17.04

Diskord Apple MacBook A1181 Mid-2007 Core2Duo T7400 @2.16GHz | 4Gb DDR2-667 | 120Gb HDD | Windows 10 Pro x32

Firebird//Phoeniix FX-4320 | Gigabyte 990X-Gaming SLI | Asus GTS 450 | 16Gb DDR3-1600 | 2x Intel 535 250Gb | 4x 10Tb Western Digital Red | 600W Segotep custom refurb unit | Windows 10 Pro x64 // offisite backup and dad's PC

 

Saint Olms Apple iPhone 6 16Gb Gold

Archon Microsoft Lumia 640 LTE

Gulliver Nokia Lumia 1320

Werkfern Nokia Lumia 520

Hydromancer Acer Liquid Z220


virtual routers are prone to exploits and frequent failures. Not to mention they're a headache to manage and properly set up.

 

So in what way is a virtual machine pfsense router worse than pfsense running on physical hardware?

Can Anybody Link A Virtual Machine while I go download some RAM?

 


So in what way is a virtual machine pfsense router worse than pfsense running on physical hardware?

The virtual machine part: the fact that it depends on a host OS, and the wasted resources on the host PC/server.


How is it wasted resources if that's what the resources are for? You didn't really say how it's worse.

Running a virtual machine on a machine that is dedicated to run said virtual machine is just asking for problems and, to be honest, plain dumb.

 

If you're running a VM you're running a host OS. That host OS requires certain resources to run in the first place, then another set of resources to be able to host the VM.

VMs are notorious for being unstable (at least in my experience) and resource hogs. They'll reserve as much as you give them (say you give it 2 CPU cores and 1GB of memory; those resources are set aside and marked as "in use", making them unavailable to the host OS).

Higher resource requirements = higher resource usage = higher power draw (also = less lifespan on your components to some extent)

 

Then there's the part where everything is controlled by, basically, software, which comes with its fair share of bugs, issues, shortcomings and vulnerabilities.

 

Furthermore, running a host OS, a VM, and something in said VM provides far more points of failure than using a dedicated router/machine.


I have never run a pfSense VM before, but it sounds like it would work. Being that pfSense is so stable and durable, you should be able to get by... The only problem I found is that it is very sensitive to CPU time offsets (aka stolen time; virtual servers can be prone to stolen time).

My native language is C++


Running a virtual machine on a machine that is dedicated to run said virtual machine is just asking for problems and, to be honest, plain dumb.

 

If you're running a VM you're running a host OS. That host OS requires certain resources to run in the first place, then another set of resources to be able to host the VM.

VMs are notorious for being unstable (at least in my experience) and resource hogs. They'll reserve as much as you give them (say you give it 2 CPU cores and 1GB of memory; those resources are set aside and marked as "in use", making them unavailable to the host OS).

Higher resource requirements = higher resource usage = higher power draw (also = less lifespan on your components to some extent)

 

Then there's the part where everything is controlled by, basically, software, which comes with its fair share of bugs, issues, shortcomings and vulnerabilities.

 

Furthermore, running a host OS, a VM, and something in said VM provides far more points of failure than using a dedicated router/machine.

I know what a VM is, I have many running all the time. I am asking how you think using a VM is a waste of resources. The vast majority of commercial website hosting is done on VMs, many of them with over 99.9% uptime, so if you find them unstable you probably just don't know what you are doing.


I am trying to explain why we cannot have a virtual router for our physical network, why it's bad to plug the internet connection into our core switch and run a virtual router.

 

Apart from it being a bad idea due to traffic flooding the switch, what security issues does it pose? I know there are lots, but I'm not a network engineer and cannot articulate them.

 

Any help would be great 

 

Thanks

Stephen

I would say the number 1 issue with virtual routers is the fact that they (in most cases) lack hardware level access to components such as NICs. This leaves the device to do absolutely every routing function in software. Essentially it is taking away everything that makes a quality router a fast and efficient machine and turning it into a 1980's style router doing processor-based switching.

 

As for plugging your internet connection into the core switch, this can be O.K. as long as you have proper network segmentation on that port. For this I would have to say VLANs are not enough and you would be looking at a higher level feature such as VRF or Cisco VRF Lite.

 

I feel you are on the right track with not wanting to do things this way. Using a dedicated high quality router with the ability to do proper ASIC based caching and forwarding will be the fastest, most secure and most stable option.
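As an added illustration (not the poster's configuration) of what "VLANs are not enough, use VRF Lite" looks like on the core switch, here is a Cisco IOS sketch placing the ISP handoff in its own VRF; the interface numbers, the VRF name and the 203.0.113.0/24 addresses are constructed placeholders.

```cisco
! Added illustration, not from the thread: VRF-Lite on a Cisco IOS layer-3
! switch so the ISP handoff never shares a routing table with the LAN.
! Interface numbers, VRF name and 203.0.113.0/24 addresses are constructed
! placeholders; adjust to the real switch.
!
! --- Weak: the handoff is just another VLAN in the global routing table ---
! Every other SVI on the switch can route to it, so one misplaced ACL or a
! default route on the switch exposes internal segments directly to the ISP.
vlan 999
 name WAN-HANDOFF
interface Vlan999
 ip address 203.0.113.2 255.255.255.252
!
! --- Stronger: the same handoff isolated in its own VRF ---
! Routes configured or learned in vrf WAN are invisible to the global table;
! the only path between the two is the firewall's two physical legs.
ip vrf WAN
 rd 65000:999
!
interface GigabitEthernet1/0/48
 description ISP handoff (routed port, no VLAN membership)
 no switchport
 ip vrf forwarding WAN
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet1/0/47
 description firewall outside leg
 no switchport
 ip vrf forwarding WAN
 ip address 203.0.113.9 255.255.255.248
!
! The default route lives only inside the WAN VRF; the global table keeps
! none toward the ISP, so internal hosts exit only via the firewall's inside leg.
ip route vrf WAN 0.0.0.0 0.0.0.0 203.0.113.1
!
! Checks: the global table must show neither 203.0.113.x nor a default route,
! and the WAN VRF must hold only the handoff, the firewall leg and the default.
! show ip route
! show ip route vrf WAN
! ping vrf WAN 203.0.113.1
```

Note that `ip vrf forwarding` clears any address already on the interface, which is why the address is entered after it in the sketch.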


Running a virtual machine on a machine that is dedicated to run said virtual machine is just asking for problems and, to be honest, plain dumb.

 

If you're running a VM you're running a host OS. That host OS requires certain resources to run in the first place, then another set of resources to be able to host the VM.

VMs are notorious for being unstable (at least in my experience) and resource hogs. They'll reserve as much as you give them (say you give it 2 CPU cores and 1GB of memory; those resources are set aside and marked as "in use", making them unavailable to the host OS).

Higher resource requirements = higher resource usage = higher power draw (also = less lifespan on your components to some extent)

 

Then there's the part where everything is controlled by, basically, software, which comes with its fair share of bugs, issues, shortcomings and vulnerabilities.

 

Furthermore, running a host OS, a VM, and something in said VM provides far more points of failure than using a dedicated router/machine.

 

You know there are many hypervisors out there that take very little resources and are specifically for running virtual machines.

VMs were likely to be unstable years ago, but over the past 5+ years they have done nothing but get better.

My work runs I don't know how many virtual servers on a few Hyper-V clusters.

 

I have also personally run ESXi with great results. Never had anything crash or take out my physical machine. 


I know what a VM is, I have many running all the time. I am asking how you think using a VM is a waste of resources. The vast majority of commercial website hosting is done on VMs, many of them with over 99.9% uptime, so if you find them unstable you probably just don't know what you are doing.

 

Those commercial sites that are run on VMs are connected to physical routers. So let's assume this, I run pfSense in a VM on a VM machine. The machine fails, what now?


It's not bad at all to run pfSense or another software router in a virtual machine.

 

From a failure perspective, running on a VM gives you the ability to set up High Availability, which allows for near zero downtime (usually you lose one packet in a failover scenario) in the event of a host failure.

 

From a performance perspective, you're maximizing resources. If you just run pfSense on a bare set of hardware, you may only use 10-30% CPU and memory, therefore not taking full advantage of the hardware. Whereas with VMs you can have 3-4 VMs on the same set of hardware, leveraging 100% of the resources you have.

 

From a hardware to software interfacing and security perspective, the risk is minimal. Hypervisors like Hyper-V or VMware allow you to assign specific network interfaces to specific VMs, so the hardware passes through transparently.

 

This is where things are heading; on a larger scale, you'll continue hearing the phrase "Software Defined Networking". Pretty much, in large corporate networks, things are converging so that you run your voice, storage and data networks all on the same hardware, and you use a software layer to control how information flows.

 

I run pfSense on VMware and it works flawlessly. Zero complaints.


Those commercial sites that are run on VMs are connected to physical routers. So let's assume this, I run pfSense in a VM on a VM machine. The machine fails, what now?

 

you revert to a snapshot.... bam it's back up and running.


you revert to a snapshot.... bam it's back up and running.

 

Not sure hardware can be reversed by a snapshot. Don't you think the industry would have caught on the VM trend for core routing if it were a viable choice? Guess what, Cisco/Juniper/Brocade/Mikrotik wins.


Not sure hardware can be reversed by a snapshot. Don't you think the industry would have caught on the VM trend for core routing if it were a viable choice? Guess what, Cisco/Juniper/Brocade/Mikrotik wins.

 

 

Uhhh... VM Firewall appliances from Cisco, Juniper, Brocade, SonicWall, Palo Alto, Checkpoint, Fortinet.... I could go on, those are links to all of their virtual offerings. Clearly the industry has bought into selling Virtual Appliances.


Uhhh... VM Firewall appliances from Cisco, Juniper, Brocade, SonicWall, Palo Alto, Checkpoint, Fortinet.... I could go on, those are links to all of their virtual offerings. Clearly the industry has bought into selling Virtual Appliances.

 

There's a difference between being offered and actually being used. Visit your local Carrier PoP or DC and ask them have they switched over to VMs. And you might want to read up on what you linked. These appliances can't withstand more than 1Gbps. For core networks that is a joke.

 

Most of these appliances were meant to serve as firewalls, node routers, switches in virtual environments not core networking.


There's a difference between being offered and actually being used. Visit your local Carrier PoP or DC and ask them have they switched over to VMs. And you might want to read up on what you linked. These appliances can't withstand more than 1Gbps. For core networks that is a joke.

 

Most of these appliances were meant to serve as firewalls, node routers, switches in virtual environments not core networking.

 

It really depends on the scale of the network. A datacenter with hundreds of racks of servers is probably running Cisco Nexus gear or similar. A smaller outfit with a couple racks could achieve better performance by virtualizing the firewall or router and allocating compute and high bandwidth network infrastructure to that, with minimal increased security risk.
