Re: Cisco config generator

[Phil Howard <phil () charon milepost com>]

Alan Hannan writes...

> > If, for example, one user is set up with a variety of access services,
> > and I disable or delete that user, then it should be removed from all
> > places where it is configured without me having to know.
>
>   This is a slightly different specification; you are talking about
>   deploying distributed security permissions.  This could be a subfunction
>   of the configuration system.

Among other things, yes.  But I don't see it as exactly a subfunction.
I see it as one complete system.


> > Yes, I do combine my network operations and server operations together
> > and I want a package that allows me to fully integrate it all together
> > without having to have separate packages.
>
>   You will be hard pressed to find a ready-made off the shelf package
>   to do what you want.

I figured so, but I should check anyway.


>   <rambling opinion>
>
>   Today's internet technology is complex.  Harder than rocket science,
>   but it appears easier because we make up with BS that which is lost
>   by not understanding the formulas or having granular flow statistics.
>
>   The sum complexity of a network configuration system is a function of 
>   the router/switch interpreter, the routing policy, the routing protocols, 
>   and the databases with which one works.
>
>   Since implementing this complexity requires adhering to standards 
>   or understanding your own policies and protocols (which few
>   really do), it's difficult to make generic solutions work for 
>   networks of a given complexity.
>
>   We worked hard with one router vendor to create such a system, but
>   the exponential amount of work put in resulted in only a few useful
>   widgetish interfaces.  They just didn't get it.
>
>   This is because they don't live and breathe it; they code; they write 
>   MIBs; they don't fantasize about pull/push/check/click *presto* it's
>   configged.  They live in their world, and rarely is the vendor's world 
>   the practical world of the network engineer/operator.

You've hit the nail on the head.  That probably explains why lots of the
software on the market is lacking in being a complete solution.


>   A smart guy who sends out reports that embarrass people once pointed
>   out to me: the largest internet networks all have radically different
>   designs, and yet they all work remarkably well.
>
>   So, until someone with enough savvy, experience, and coding skills
>   attempts this task, I think it will stay proprietary and internally
>   developed by, and for, each network.

Probably will.


>   A middleware interpretation layer (ie. sendmail's configuration
>   file) is needed before this generic configuration system can
>   be (fairly) easily implemented.

Among other things.


>   Tools exist (whose names escape me, but I'm sure bmanning
>   or vixie will point them out) that profess to interpret 
>   radb configs into cisco and ascend configs, but they (in my/our
>   limited experience and exploration) fail to capture the IGP
>   variables or the various L2/L3 platform requirements.

Lots of tools exist, but do they work to gether and cover everything?
I tend to doubt it.  And will the database even include it all?


> > It wouldn't be that big for a software development business that is
> > banking on selling it to a lot of providers.  
>
>   Yes it would; read _The Mythical Man-Month_ by Brooks, pub. Addison-Wesley.

I was incomplete in what I was saying.  You are right for the real case.
What I meant to refer to was what would be the case if things were done
right.


> > But is there even a market for this?
>
>   There certainly is; but the cost of customization may exceed the
>   demand.

Customization in terms of the variety of platforms?  Or the variety of
policies?


> > One thing I note about Netsation's product is that they promote it as
> > a tool to deal with "cryptic IOS commands".  IOS is _NOT_ cryptic.
>
>   I think one could say that Netstation or Netsys are good tools 
>   for people who think IOS is cryptic.  (don't flame me, dear vendors,
>   your tool can help mitigate detailed analysis, or help find 
>   idiot mistakes [which we all make]; however, last time I looked
>   they didn't support IS-IS and choked when we tried to enter a smidgen
>   of our routers into the network).

Imagine how you will feel when you see a copy of "Cisco Routers for Dummies"
show up in the bookstore.


> > Where such a product is useful is managing the huge complexity of a
> > large network, and in the case of what I am looking for, all of the
> > other services as well.
>
>   For this, I think
>                  you
>               should
>                write
>              your
>                own
>              or
>                hire or
>                 fund
>               someone.

It might happen.

-- 
Phil Howard | no9way87 () dumbads6 org ads1suck () s5p9a4m7 com a3b2c7d8 () spam0mer net
  phil      | stop2991 () lame6ads edu eat5this () nowhere6 org stop0it3 () s6p4a3m6 net
    at      | suck3it9 () anyplace net a0b0c2d3 () no7place com stop8it9 () s2p6a5m6 org
  milepost  | no8way47 () spam7mer net no9spam6 () no4place net eat11me0 () spam4mer net
    dot     | stop9it9 () spammer8 net suck6it4 () s8p8a3m7 net eat95me3 () no9place org
  com       | stop8it7 () lame6ads org stop7ads () dumbads8 com eat50me9 () s7p4a6m4 com