03 June 2008

Is Co-Administration the Answer?

Rick Vanover, blogging at TechRepublic's Network Administrator site, suggests a solution to the problem of overlap between the span of administrative control normally given to the network admin and that required by a VM server admin. It's a solution that might appeal to a network administrator, but I'm dubious. I'd very much like to hear from the network crowd as to how this might work in practice.

Here's my take.  In our investigations at Replicate, we've noted that VM admins are often unwilling to dig into the network management systems. (There are a number of reasons, which we won't go into here.)  So, how would a network admin view this solution?  These seem to be the implications of Vanover's approach:

  • the network admin must be cross-trained in the use of the VME's management system (e.g. VMware's Virtual Center or Citrix's XenCenter).
  • the network admin is required, at installation setup, to establish consistent configurations on the virtual switches and (in a separate management system) the physical switches.
  • the configuration settings on the vSwitches are supposed to remain inviolate and untouched by the VM admin in order to prevent configuration problems.
  • the network admin thereafter is relegated to a passive, read-only audience for the VM management system reports, unless ...
  • when there is a physical network issue (a problem or need to reconfigure), the network admin is reinstated with the necessary privileges to make those changes.

This sounds workable, at most, for a short period of time, for an installation that almost never changes, or for a very small installation.


Co-Administration is the new virtualization endpoint | Network Administrator | TechRepublic.com

Almost every organization has embraced some amount of virtualization, and the network has surely been a hot topic as a virtual environment scales upward. Most virtual host systems (VMware ESX, Citrix XenServer, etc.) offer host-based switches that implement 802.1Q tagging on the ports to the virtual machines. This poses a unique question: Who administers the virtual switch when the network and server administration are handled by different groups?

...
One creative way to solve this dilemma is with a co-administration approach. This would give the network engineers access to the virtual environment for configuration during a change and read-only access for ongoing checks of configuration and for assurance that a virtual machine is not breaking any network rules, such as having a virtual network adapter on two interfaces where one is a secured or external network. In most situations, the network administrator has no visibility into the configuration of the network within virtualization installations, and the co-administered approach can change that.   ...

Comments

Ummm...OK, so that's 2 out of the 3...what about the security teams? Oh, wait, how about audit? Oh, and don't forget the storage admins...

Co-administration isn't creative, it's desperate. It's basically all you *can* do today unless you roll your own code like big shops do to automate the stack.

The "single pane of glass" approach needs to also include business process, application deployment, etc.

If you want a view into what the world should look like according to Cisco, look no further than vFrame.

/Hoff

The "swivel chair" management of systems definitely doesn't appeal to me.

And, while I'll always aspire to creating the "single pane of glass", it's got to be an "open" pane of glass ... I can't imagine one, closed system covering all the bases. vFrame seems to be the antithesis ... brittle, big-company and requiring a fork-lift upgrade. But a good (?) way to sell a lot of Cisco equipment.

As for Co-administration: "Desperate" is the right word. Thanks for the comment.
