**Note:** While I thought about detailing the technical steps necessary for delegation on different pieces of equipment, I decided to go with the more “architectural” or “philosophical” approach in this post. Besides, there are plenty of others out there who do a far better job with graphics and CLI examples.
Recently, I took some steps to make my job a little easier. I delegated access to another group that does not normally have anything to do with the network side of the house. In this particular instance, I was able to give that group access to a Cisco ACE load balancer. Normally, giving non-network people access to equipment would be frowned upon. This is especially true for equipment in a data center that controls data flows for your most important applications. I had to consider the following:
1. Can I give them specific levels of access?
2. Will they be able to perform operations with relative ease?
3. Does it make sense to do this?
Question 1 was easy. Of course we can provide granular levels of access. It is hard to find a piece of equipment on most enterprise networks that can’t do this. Question 2 was a “most likely”, but could have been tough if everything needed to be done via CLI. Question 3 was probably the most important. Generally speaking, most technical problems can be solved given enough time and resources (i.e. people, money, and equipment). What many of us should ask, and some of us fail to ask, is whether or not we SHOULD do something. I for one love playing with new equipment. Build an Ethernet switch that interfaces with a toaster and I want to play with it. However, is there any use for something like that? Is there a large community of people out there that want connectivity with their toaster?
The point is that while a lot of things are possible, not everything is necessary. Sometimes giving people access to network equipment can cause more harm than good. While I am a big fan of wanting to provide as much information to others as possible, if that information cannot be interpreted correctly, you are wasting your time. For example, I have been in environments where non-network related groups were given access to NetFlow data. While that sounds great on the surface, the reality was that the data was being interpreted incorrectly. When looking at something like a 3Mbps circuit, some people would see full utilization and assume that more bandwidth was required. What they failed to take into account was that the QoS markings of the traffic indicated that a bunch of AF11 (what was deemed scavenger) traffic was using the bulk of the bandwidth. Had any additional traffic come over the circuit that was tagged as AF21 or higher, it would have pushed down the AF11 traffic and gradually used more and more of the circuit until it reached the bandwidth limit that was set for that specific class of traffic. More bandwidth was not needed when the NetFlow data was viewed in its entirety. Had this particular group understood QoS markings, they would have come to a different conclusion. Could we, the network group, have provided more in-depth training on this particular product? Sure, but how long would that training have to be before the individuals understood QoS well enough to interpret traffic flows correctly? If you are a QoS fan, how long did it take you before you understood things like shaping vs policing? Or L2 vs L3 markings?
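To make the NetFlow example concrete, here is an added illustration (not code or data from the original post) that breaks the same kind of flow export down by DSCP class before drawing a conclusion. The flow records, the 60-second export interval and the 300 kbps scavenger floor are constructed assumptions; only the 3 Mbps circuit and the AF11/AF21 class names come from the text.

```python
"""Per-DSCP-class utilization from flow records.

Added illustration, not the post's own data or tooling. The flow records,
interval length and scavenger floor are constructed assumptions; only the
3 Mbps circuit size and the AF11/AF21 class names come from the post.
"""
from collections import defaultdict

CIRCUIT_BPS = 3_000_000        # the 3 Mbps circuit discussed in the post
INTERVAL_SECONDS = 60          # constructed: flows below were exported for a 60 s window

# DSCP code point -> per-hop-behaviour name (RFC 2474 / RFC 2597 / RFC 3246)
DSCP_NAMES = {0: "BE", 10: "AF11", 12: "AF12", 14: "AF13", 18: "AF21",
              26: "AF31", 34: "AF41", 46: "EF"}

# Classes the constructed policy treats as scavenger (the post's site used AF11)
SCAVENGER = {"AF11"}

# Constructed flow records: (dscp, bytes) seen during the interval
SAMPLE_FLOWS = [
    (10, 18_000_000),   # AF11 bulk replication
    (10, 2_500_000),    # AF11 backup job
    (18, 1_200_000),    # AF21 application traffic
    (0, 500_000),       # best-effort browsing
]


def bps_by_class(flows, interval=INTERVAL_SECONDS):
    """Average bit rate per DSCP class over the export interval."""
    by_class = defaultdict(int)
    for dscp, nbytes in flows:
        by_class[DSCP_NAMES.get(dscp, f"DSCP{dscp}")] += nbytes
    return {cls: nbytes * 8 / interval for cls, nbytes in by_class.items()}


def utilization_by_class(flows, circuit_bps=CIRCUIT_BPS):
    """Fraction of the circuit consumed by each class."""
    return {cls: bps / circuit_bps for cls, bps in bps_by_class(flows).items()}


def assess(flows, circuit_bps=CIRCUIT_BPS, upgrade_threshold=0.8):
    """Separate total utilization from the utilization that should drive decisions.

    A reader who only sees 'total' concludes the circuit is full; 'priority'
    (everything that is not scavenger) is what an upgrade decision rests on.
    """
    util = utilization_by_class(flows, circuit_bps)
    total = sum(util.values())
    scavenger = sum(u for cls, u in util.items() if cls in SCAVENGER)
    priority = total - scavenger
    return {
        "total": total,
        "scavenger": scavenger,
        "priority": priority,
        "needs_more_bandwidth": priority > upgrade_threshold,
    }


def scavenger_bps_after_preemption(flows, extra_priority_bps,
                                   circuit_bps=CIRCUIT_BPS, scavenger_floor_bps=300_000):
    """Rate left for the scavenger class once higher classes demand more.

    Models the post's point that AF21-or-better traffic pushes AF11 down until
    AF11 reaches the minimum its class was guaranteed (the 300 kbps floor is a
    constructed policy value, not from the post).
    """
    rates = bps_by_class(flows)
    priority_bps = sum(bps for cls, bps in rates.items() if cls not in SCAVENGER)
    priority_bps += extra_priority_bps
    return max(circuit_bps - priority_bps, scavenger_floor_bps)


if __name__ == "__main__":
    for cls, u in sorted(utilization_by_class(SAMPLE_FLOWS).items()):
        print(f"{cls:5s} {u:6.1%}")
    print(assess(SAMPLE_FLOWS))
    print("AF11 left after 2 Mbps more AF21:",
          scavenger_bps_after_preemption(SAMPLE_FLOWS, 2_000_000))
```

Read `total` alone and the circuit is nearly full; read `priority` and it is mostly idle, which is the conclusion the group without QoS background missed. The `scavenger_bps_after_preemption` function models the squeeze the post describes when more AF21-or-better traffic arrives: AF11 gives way until it hits its class floor.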
Back to the issue at hand. Does it make sense to give another group access to the load balancer? Yes. In this case it did. The typical process for maintenance on a server getting requests via the ACE load balancer was to have the network group pull it out of the active pool. Then, another group would make whatever changes were needed. Once they were done, they would contact the network group who would place the server back into the pool. If you are having to make changes to a dozen servers, this process can take some time. Why not just give the group making changes to the server limited access to the load balancer so they can do everything themselves? Time and resources would be saved by all.
That brings me back to the second question of can we make it easy for them to make changes to the load balancer? In the case of Cisco ACE, yes. We had an instance of Application Network Manager (ANM) running in our data center to help us. While I tend to be a fan of CLI (except in the case of the Cisco ASA), not everyone else is. Sometimes a GUI is far more helpful for people who need to make changes to network gear. That’s where ANM comes in. In a matter of minutes, I was able to create a domain (which is where you define the servers and farms you are giving access to), and a role (you can create your own if you don’t like the default ones) for this other group to use. Now they had access to select servers and their corresponding server farms, but not enough access to do any real damage.
After doing that, I just had to create some instructions for the two tasks they would need to do. First, they need to know how to remove servers from a load balanced pool. Second, they need to know how to add servers to a load balanced pool. With ANM and the specific domain/role I assigned to their group, this is a piece of cake. I took the appropriate screenshots to walk them through the process of adding and removing a server and put it in a nice concise MS Word document. There are times when I am hesitant to put a lot of pictures in instructions. Sometimes people get offended when you drop it down to an elementary school level. Thankfully this particular group LOVED pictures, so everything worked out. In about 15 minutes we ran through the instructions. Additionally, I asked if they wanted a bit more detail about the Cisco ACE load balancer in general, so we talked about what it does and where it sits in terms of its physical place in the network. Everyone seemed happy with the training, and I think they were truly excited about not having to wait on the network group anymore when they needed to make changes.
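The two previous paragraphs describe the delegation in terms of a domain (which objects the group can touch) and a role (what operations it can perform), and the two tasks the group actually needs. The following is an added model of that split, written for this post and not code from ANM, the ACE, or the original author: `Role`, `Domain`, `Principal`, `authorize`, `maintenance_window`, the action names and the audit list are all assumptions made here. Only the idea of placing a real server in or out of service, and the one-farm, dozen-server scope, come from the text.

```python
"""Delegation model: a role limits *what* a delegated group may do, a domain
limits *which objects* it may do it to. Constructed illustration of the split
the post describes; Role/Domain/Principal/authorize/AUDIT are assumptions here,
not ANM or ACE APIs.
"""
from __future__ import annotations
from dataclasses import dataclass

# The complete action vocabulary of this model. Only the first three are ever
# granted to the delegated group; everything else stays with the network team.
ALL_ACTIONS = {
    "rserver.view", "rserver.inservice", "rserver.no_inservice",
    "serverfarm.edit", "probe.edit", "policy.edit",
}


@dataclass(frozen=True)
class Role:
    name: str
    allowed: frozenset[str]


@dataclass(frozen=True)
class Domain:
    name: str
    serverfarms: frozenset[str]
    rservers: frozenset[str]


@dataclass(frozen=True)
class Principal:
    username: str
    role: Role
    domain: Domain


# Constructed audit trail: (user, action, serverfarm, rserver, allowed, reason)
AUDIT: list[tuple[str, str, str, str, bool, str]] = []


def authorize(p: Principal, action: str, serverfarm: str, rserver: str) -> tuple[bool, str]:
    """Allow only when the role permits the action AND the domain contains both objects."""
    if action not in ALL_ACTIONS:
        verdict, why = False, f"unknown action {action!r}"
    elif action not in p.role.allowed:
        verdict, why = False, f"role {p.role.name!r} does not permit {action!r}"
    elif serverfarm not in p.domain.serverfarms:
        verdict, why = False, f"serverfarm {serverfarm!r} outside domain {p.domain.name!r}"
    elif rserver not in p.domain.rservers:
        verdict, why = False, f"rserver {rserver!r} outside domain {p.domain.name!r}"
    else:
        verdict, why = True, "allowed"
    AUDIT.append((p.username, action, serverfarm, rserver, verdict, why))  # record every decision
    return verdict, why


def maintenance_window(p: Principal, serverfarm: str, rserver: str) -> list[str]:
    """The two delegated tasks from the post, in order: drain the server, then restore it."""
    steps = []
    for action in ("rserver.no_inservice", "rserver.inservice"):
        ok, why = authorize(p, action, serverfarm, rserver)
        steps.append(f"{action}: {'ok' if ok else 'denied (' + why + ')'}")
        if not ok:
            break
    return steps


# Constructed objects: the delegated server team gets one farm and its dozen servers
SERVER_TEAM = Role("server-team",
                   frozenset({"rserver.view", "rserver.inservice", "rserver.no_inservice"}))
WEB_DOMAIN = Domain("web-tier", frozenset({"web-farm"}),
                    frozenset(f"web{i:02d}" for i in range(1, 13)))
ALICE = Principal("alice", SERVER_TEAM, WEB_DOMAIN)

if __name__ == "__main__":
    print(maintenance_window(ALICE, "web-farm", "web03"))
    print(authorize(ALICE, "probe.edit", "web-farm", "web03"))           # denied by role
    print(authorize(ALICE, "rserver.no_inservice", "db-farm", "db01"))   # denied by domain
    for entry in AUDIT:
        print(entry)
```

The two checks are deliberately independent: a role that only allows in/out-of-service changes stops the group from editing probes or policies, and a domain holding only the web farm stops the same in/out-of-service action from reaching a database farm. Recording the denied attempts alongside the allowed ones is what lets the network team see, later, whether the delegated scope was drawn too tightly or too loosely.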
Problem solved. Everyone was happy, and I know that outside group is reaping the benefits of being able to make changes on their own. I have jumped on to conference calls several times recently and noticed that servers were being added to and removed from load balanced pools without the network group having to do anything. The group I gave access to was taking care of it.
If you have the means to delegate processes to other groups, I would recommend that you do it, provided it complies with any security and administrative policies your company or IT department has. You do have those policies in place, right? 😉 If it makes your job easier, makes other people’s jobs easier, and you get to impart some knowledge about the network to external groups, why not do it?