Do We Have Too Many Knobs?

The last day of Interop New York found me sitting in the Speaker Center with a few friends pondering the hype and reality of SDN and the brokenness of traditional network products. One of the remarks during that conversation was very familiar: “we have too many knobs to configure”, and I replied “and how many knobs do you think there are in the Windows registry?” (or the Linux kernel and its configuration files).

I don’t find modern operating systems any less complex than networking devices, and I’m positive there are people complaining about too many knobs one needs to turn to configure the Linux kernel (not to mention the wonderful syntax of iptables), and yet most people manage to make these operating systems work. The trick: wizards and simplified configuration interfaces.

Speaking of Linux, iptables seems to be a perfect example (or sendmail, but I’m too familiar with that arcane syntax - I ported it to MS-DOS decades ago as the core of an email product we wrote in those days). I know iptables is an extremely powerful tool, but I never took the time to study it. Whenever I need to configure a firewall on a Linux box I use system-config-firewall. It gives me a list of common services I might be running on my box and allows me to enable or disable access to them.

Why can’t we have a similar configuration wizard for data center switches? Why do we have to get just the right combination of STP-related parameters? Someone deploying a typical enterprise cloud (which I believe needs no more than two ToR switches) should be able to specify server-facing links, uplinks, VLANs and subnets, and get a configuration optimized for that particular design (L2 only, L3 only or mixed L2+L3). All the knobs would still be there, and you’d still be able to configure the switch any way you wish using the CLI or API, but you would no longer need a CCIE to get the basics right.

Why can’t we configure OSPF with a wizard? Specify the number of switches in the network (the wizard might give up and tell you to get an expert if you say you’ll have more than 50 or so), specify the edge (stub) and transit links, WAN and LAN interfaces (to tune the OSPF timers) and you’re done.
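The OSPF wizard sketched above, as an added example (not code from the original post): it takes the router count and a list of links classified as stub or transit and LAN or WAN, refuses designs above 50 routers, and emits IOS-style configuration with stub links kept passive. The `Link` fields, the single-area design and the timer profiles are my assumptions.

```python
from dataclasses import dataclass
from typing import List

MAX_ROUTERS = 50   # above this the wizard gives up and tells you to get an expert

# Assumed (hello, dead) timer profiles in seconds, keyed by link media type;
# a real wizard would let the operator override them.
TIMERS = {"lan": (10, 40), "wan": (30, 120)}


@dataclass
class Link:
    interface: str   # e.g. "GigabitEthernet0/1" (constructed example name)
    network: str     # IPv4 network address to advertise, dotted quad
    wildcard: str    # OSPF wildcard mask for that network
    role: str        # "stub" (edge link, hosts only) or "transit" (other routers)
    media: str       # "lan" or "wan", selects the timer profile


def ospf_wizard(router_count: int, links: List[Link], process_id: int = 1) -> str:
    """Translate a high-level OSPF design into IOS-style CLI lines (single area 0)."""
    if router_count > MAX_ROUTERS:
        raise ValueError(f"{router_count} routers is beyond this wizard; get an expert")
    for link in links:
        if link.role not in ("stub", "transit") or link.media not in TIMERS:
            raise ValueError(f"unsupported link spec on {link.interface}")

    lines: List[str] = []
    # Timers only matter where adjacencies form, i.e. on transit links.
    for link in links:
        if link.role == "transit":
            hello, dead = TIMERS[link.media]
            lines += [f"interface {link.interface}",
                      f" ip ospf hello-interval {hello}",
                      f" ip ospf dead-interval {dead}"]

    lines.append(f"router ospf {process_id}")
    # Default-passive: stub (edge) links still advertise their prefix but never
    # accept a neighbour, so no unexpected adjacency forms on a host-facing port.
    lines.append(" passive-interface default")
    for link in links:
        if link.role == "transit":
            lines.append(f" no passive-interface {link.interface}")
    for link in links:
        lines.append(f" network {link.network} {link.wildcard} area 0")
    return "\n".join(lines) + "\n"
```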

Another one of my real-life favorites: have you ever tried configuring usernames and passwords for WPA2 authentication on a Cisco wireless access point using their wonderful GUI? It can be done, but there’s no easy way to figure out how to do it (hint: you need a local RADIUS server on the box, and it works on non-standard ports to make your troubleshooting efforts more interesting), and the GUI you get with the box is just pretty useless eye candy on top of configuration knobs. I don’t need configuration knobs presented in a web browser, I need an abstraction that allows me to think in terms of what I need to get done, and translate that into what the device wants to see to get it done.

Will we ever see wizards like this? Based on what I’ve seen so far, I remain skeptical. Most networking vendors quickly get infected by featuritis and corner cases - instead of trying to figure out what works for 80% of the customers, they try to address every corner case out there - and most network management products (the ideal place for configuration wizards) prove section 2.4 of RFC 1925. It seems we really need a Steve Jobs of networking.

Am I too pessimistic? Have you seen something that actually works? Please share it in the comments.


  1. Yes, what the IT industry needs now is a gradual effort towards major simplifications.
    "I need an abstraction that allows me to think in terms of what I need to get done, and translate that into what device wants to see to get it done."
    That's one of the services Cisco's ACI/APIC tries to offer.

    Also, I've seen a simple Canonical "auto-pilot" installation of OpenStack with "Landscape":
    More details here:
  2. Well, I think Cisco tried that with the built-in web GUI on switches and routers at one point. Remember those? There was the Cluster Management suite on Catalyst switches and Web QoS tools. No one used them, but they had good promise at reducing the "knobs"; but no one ever used them or knew they were there.
    This was also "attempted" at the network management level with SNMP as well.
  3. Cisco Meraki seems to be making some advances in this area. In respect to two items you mentioned, they have simplified implementation of OSPF and WPA2 enterprise authentication to the point I would say they can both be configured and managed by a relatively novice user/administrator:
  4. One of the points would be to identify the set of configurable objects that is sufficient to cover 80% of the use cases. Then someone must declare (who will do that?) what "the baseline mandatory set of configurable objects" to make the 80% use cases configurable really *is*. Then we need some agreement amongst key players in the industry that they put that into their roadmap (ok, that won't work until a serious portion of the demand side in the market will beat many of them into submission by no longer buying stuff without it). Then you finally need to have publicly available toolkits that allow anyone on the planet to embed and utilize the configuration mechanism and use the YANG definitions within the "wizards" that you consider potentially desirable.

    Do you think a good way to represent the configurable objects and network configuration in Yang models could be a proper way to perform transactions on those objects?
    It seems we have begun to see a growing traction on a YANG based configuration approach in the IETF Internet drafts at this time - including OSPF, BGP, ISIS; maybe it's worth having a look into the topic every few months:

    Will this have to compete with RESTful APIs like seen in or does it make sense to asap have a NETCONF/YANG based configuration interface in Linux as well?
    1. A few years ago I would have agreed with you. Seeing how fast IETF progresses in defining Yang models makes me skeptical - I think we need someone coming up with something really cool (like what Arista did with some of their software features) to pull the industry forward.

      As for NETCONF versus REST - it really doesn't matter. You can use the same data models regardless of the presentation-layer syntax.
  5. Disclaimer: I am in Solutions for Cumulus Networks, I previously helped launch ACI in NYC for Insieme/Cisco.

    Hey Ivan,

    We have never met but I hope to some day. I am a long time reader of your blogs and respect your perspective. I know you are not really into what we are doing but your iptables example really resonates with what we are doing at Cumulus maybe more than you think.

    One of our goals is that by standardizing on Linux as a network OS we provide uniform 'knobs', making it possible to create consistent and useful wizards and as you know, Matt Stone has an interesting project to create an API on our platform. (Great podcast btw and we appreciate you keeping an open mind). Many of our customers have written their own custom interfaces and tools that suit their environment. This is something that would be very hard with a traditional network OS.

    Part of our goal is to smooth the ride to Linux as well since it was developed as a host OS and not a Network OS. There is a lot of work that has been done there with us introducing unnumbered support into Quagga for OSPF and BGP along with creating PTM. We are continuing to work very hard on this aspect including the recent improvement of ifupdown with ifupdown2 which greatly improves networking in the Linux world. The job is not finished and we really want to make it so that both Network admins and System admins can feel equally at home. Stay tuned though... there is a lot more good stuff coming and Linux is a fantastic platform to do rapid development on. We are seeing lots of innovation from our expanding community of users also.

    best regards,