Cisco IT Manager Targeting 70% Linux
RMX writes "LinuxWorld Australia has an interesting article discussing Linux Desktop adoption in Cisco. Cisco 'already converted more than 2,000 of its engineers to Linux desktops...plans to move many laptop users to the platform over the next few years...the driver for Linux on the desktop is not cost savings, but easier support. Manning estimates that it takes a company approximately one desktop administrator to support 40 Windows PCs, while one administrator can support between 200 and 400 Linux desktops.'"
Ha, 40:1 ratio for desktop support personnel for windows? Tell that to a lot of IT managers, in particular, my former employer. Try 200:1.
Don't Tread on Me
That is the worst support ratio in history. I hate Windoze, but no large support org has that bad of ratios. Mine are approx. 250:1 for a Win2k shop, which is pretty average.
- Erst kommt das Fressen, dann die Moral
because Cisco is now a security company?
So, Linux TCO is greater, eh?
Now Balmer is going to get on a plane and install Ad-Aware and SP2 on their machines to help with tech support.
So when linux reaches critical mass and people spend as much time searching for/writing worms for it as they do for windows, how's that support ratio going to look?
What gets me is that what they describe could be done with Active Directory and group policies.
I wonder if those microsoft studies that show Windows' TCO better than Linux's account for the "productivity" of a linux engineer...
What I'm sure it doesn't show is that a linux engineer handling 200 computers can provide a much better service (due to the fact that more is "known and controllable" in linux than windows) than a windows sysadmin handling the same amount of computers, resulting in lower costs of security, less costs related to spywares, viruses, user support calls, etc.
There are two kinds of people in the world: Those with good memory.
but microsoft is more secure according to microsoft... /sigh what to do
I am sure they (CISCO) have some Mozilla/Firefox on these PCs. Question is: How have they decided to manage it? Central managing of Mozilla/Firefox is still not [officially] possible now. Any ideas?
They obviously don't know their own department. I worked as a contractor for them a couple years ago. I was the only onsite tech support person for two sites with a total of 250 users, with 99% of those being windows. I was also part of the support team's initial Linux push, and I can tell you that the biggest driver from a customer (end user) perspective was the idea of using cheap Opteron workstations instead of uber expensive Sun stations. A Sun dual CPU workstation at the time with 12GB of ram was over $50k dollars, whereas an Opteron station with more cpu power and the same amount of ram was under $10K. That is a huge difference in price. The biggest factor stopping it from becoming a reality was the fact that at the time the Clearcase tool chain and support tools weren't fully functional under Linux. So I doubt the driver was so much lower desktop support costs as it was lower equipment costs.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
"... the driver for Linux on the desktop is not cost savings, but easier support. Manning estimates that it takes a company approximately one desktop administrator to support 40 Windows PCs, while one administrator can support between 200 and 400 Linux desktops."
Isn't this still Cost Savings, when you don't need to hire as many admins?
We're typically 1:30 for local areas which is basically admin of the LAN, user applications, etc. Add to that central security, networking, hardware support, and we're down to 1:15.
Including in-house bespoke application support (specialist programmers employed under an IT remit, rather than technically able and active users) and you're down to 1:6 in some areas. On the other hand we have specialist terminals (with high maintenance requirements as well as user training etc) which are more like 1:90.
Inefficiency abounds in some companies.
the driver for Linux on the desktop is not cost savings, but easier support. Manning estimates that it takes a company approximately one desktop administrator to support 40 Windows PCs, while one administrator can support between 200 and 400 Linux desktops.'
And this does not represent a cost savings?
You see? You see? Your stupid minds! Stupid! Stupid!
Apart from the ease of creating a company software update ftp (apt-get, yeast, swaret, slapt-get, etc), I really think the license and CD administration to be a pain in the Windows admin's butt.
My Windows co-workers often need a CD either because they need new software, or due to their computer requesting a CD due to some function not already installed. Finding the RIGHT CD (they are like 1000 cd's every month, and they are neatly marked in INVISIBLE, but very fancy, writing) is a total pain. Then, there is the issue of which key is used for this one (oh, you used the english version!) really turns this into a nightmare.
Folks running windows run all kinds of different versions of their software. Why? Upgrading costs time and money. On my Slackware machines, swaret has done all upgrades for me, totally automatically! Just upgraded one PC from Slackware 9.0 to 10.1 - swaret --upgrade, wait for a while (was a 200mhz...) and reboot when all is done. No keys, no CDs, no cost. Totally brilliant!
A clever person solves a problem. A wise person avoids it. -- Einstein
but usually patches for OSS vulnerabilities are not bundled along with all sorts of other updates. This means that far less testing is usually needed for OSS security patches. (Or, that's the theory, anyway.)
HAND.
Linux is easier to maintain than Windows, largely thanks to IBM. Linux is more reliable and is less prone to infection by viruses and malware (e.g. spyware) than Windows. IBM ensures that any OS (whether it is commercial or free) shipped to customers on its computer systems meets stringent requirements for reliability.
IBM has been vindicated. IBM initially tried to dethrone Microsoft by producing OS/2, but it was a failure. Now, IBM has thrown its weight behind a product (i.e. Linux) developed outside of IBM, and that product is succeeding in hurting Windows.
.. and I have to say that their Linux Workstations are extremely well deployed and managed. The desktops themselves are Dual-CPU 3G boxes running a customized version of Red Hat Enterprise Linux. Red Carpet is used to manage packages, supported by really nice internal mirrors providing fast access to everything you need to get the job done. The default install even includes access to Microsoft Office and Internet Explorer. Not sure if this is through Crossover or something -- it is so well integrated that I've never had to look under the covers to see how it is done. Having worked at other networking companies where Linux is the default engineering desktop, I have to say that Cisco really gets it when it comes to desktop linux.
... for all those Linksys cards.
lists and you'll find that most vulnerabilities are either buffer overflows or string format vulnerabilities. There are very few circumstances where fixing those with a one-liner patch would change behavior in a way that other code depends on. If there were any such code then that in itself indicates possible data corruption bugs in the currently running software.
In short: When you don't bundle fixes you typically have one-line fixes which don't break code which isn't already broken (by relying on buggy behavior). Hence, testing time is minimized.
HAND.
What about this idea...
If a support tech can only support 40 windows PCs, but another support tech can support 200 Linux PCs, is the difference the amount of support or the intelligence of the tech?
Now I run windows, and have administered windows and I develop software for windows. However, Linux is not as straightforward to administer as windows. I think it requires someone with more skills to administer a Linux box than a windows box.
Someone with more skills will likely be better at administration in general, regardless of which OS. So it is kind of a split problem. To administer linux boxes, you need someone with a good skill set, but they can administer more boxes, but probably at a higher salary. To administer windows boxes, you may not have to pay as much but each tech supports fewer boxes.
It is dangerous to be right on a subject on which the established authorities are wrong. - Voltaire
At my company, we have over 5,000 Windows XP workstations; notebooks and desktops. A team of about 10 people manage the entire system.
With the help of Active Directory, some really neat software (Marimba) and some planning, you can manage thousands of Windows workstations with a minimal staff.
You lock down the machines (no admin logins) you manage the software versions and patches (centralized software distribution) and you don't allow users to install software on their own.
Denying admin logins alone stops 95% of all spyware.
40 workstations without any control WOULD be all an admin could handle, but when you deploy them correctly you can support over 10x that - just like any other system.
- It's not the Macs I hate. It's Digg users. -
I work for a Cisco reseller, and I see Cisco sales guys all the time.
There are rumors that the CallManager software (Cisco's IP PBX) will be ported from Windows 2000 to Linux. As it is, to run this box safely today requires having the box on its own subnet with access lists, running anti-virus software on the box(es), running Cisco Security Agent (looks for anomalous behavior of running programs), and running the boxes in a redundant fashion. Not that porting to Linux would solve all problems, but a box that runs a web server, SQL2000, and Windows 2000 has a fair number of issues that could r0x the b0x. Not the least is that if you download a patch from Microsoft that Cisco hasn't approved, and it breaks the box, Cisco TAC will wash its hands of you.
However, Cisco and Microsoft are not only in bed with each other, they are spooning. Part of Cisco's new security initiative involves running Cisco software on desktops to check if the anti-virus and CSA software are up to date, and not allow them to join the network until they are. This is part of those Cisco commercials where the "Self-defending Network" comes in and stops attacks. Getting Cisco software to use the Microsoft API in a world where MS could simply roll their own software just like it for free is a tricky business. Cisco needs to know what Microsoft is doing, and Microsoft could just as easily start doing more business with Juniper should they want to.
What I'm saying is that Cisco uses Linux today for a good number of its products (Content Networking, CallManager, etc) because of its stability. However, the aims of this guy to publicly change internal desktops to Linux would be nullified by just one phone call from Gates to Chambers (Cisco CEO).
Active Directory would only address the issue if it was deployed in a homogenous Windows environment. Since Cisco have decided to have at least some Linux workstations, Active Directory is effectively useless, since it is not possible (AFAIK) to have true single sign on in an Active Directory domain on a Linux box.
Of course, when Microsoft releases the Linux client, I'm sure Cisco would be willing to evaluate it as a solution...
Bob
Listen to my latest album here
>> AND we are absolutely not overworked.
Hi! This is your manager here!
Thanks for that great and timely information.
Starting Monday, your team will comprise 4 persons instead of 5.
Have a nice weekend, and don't bother coming in on Monday.
As the poster says, the driver for Linux on the desktop is not cost savings, but easier support
And EVERYONE knows that easier support doesn't save any cost.
I work for a school district. We have thirteen field technicians to support 25,000 desktop computers and approximately 2000 network printers. We have at least eight different Apple platforms (5260/5400/5500, beige G3, "new world" G series towers, iMacs of each vintage, and the eMac), and thirteen different PC platforms from NEC (1), Compaq (4), ABIT (1), ASUS (1), Dell (2), and Intel (5), plus all of the proprietary crap that people bring in. Our computers run everything from Windows 95 through XP, MacOS 7.5.3 through 10.4. Somehow we're still averaging 24 hour turnaround on our initial appearance, despite having about 100 sites (85 schools, fifteen or so admin sites) over a 20 mile wide area.
I have absolutely no sympathy for people who can't support their fifty computers because it's too hard for them. I would love it if we were down to less than 500:1 or if we could exchange 90% of the equipment to standardize on two or three Macs and two or three PCs, but it'll never happen.
Do not look into laser with remaining eye.
I work on the Unix/Linux side of one of the IT departments at my work. We have about 25 admins for 180+ servers and 900+ workstations, plus a beowulf cluster and associated SAN/NAS devices. And we actually have free time to work on other projects (like in-house software development/support, training, and learning/developing new technologies to roll-out). The PC group has about 80 people to support ~700 PC's and 70 servers. Do the math...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
It seems like this discussion is basically going like this:
"Linux is easy because we set up proper policies and enforce them. Windows is hard because we haven't bothered to do so."
In other words, you guys are proposing a technological solution (Linux) to a political problem (user desktop control, admin savvy).
Not as their primary job. THAT would be to post regularly on /. The $25-$50 is just during regular hours. Mac mod surfing is done on overtime rates. :-)
Now accepting PayPal donations!
My advice, and that of serious Windows support pros I've worked with: Do it over the network. All of it. Even OS installs. Slipstream service packs and fixes into your build image, along with your base software etc. Install packages automatically on login using AD. You can do all this... and it'll save you a lot of pain. Hell, you don't even need to worry about your CD key, you can do that as part of the automated network install script.
I'm using Linux thin clients for most of my basic needs users at work. They're getting pretty good now, but I'm still running into a frustrating number of stupid bugs. I think I spend about an equal amount of time supporting them and the win98 users - at "near zero". Ditto our one and only XP user now that I've got the bugs ironed out. Most of my time is wasted supporting the MacOS 9 desktop publishing staff due to the nightmarish OS and apps involved there.
If you think Windows is hard to manage, try MacOS. ARRGGGGHHHHHH. MacOS/X is a little better, but still pretty awful IMO.
Microsoft is also pretty reasonable with CD keys etc compared to many companies. QuarkXPress and Adobe Photoshop both scan the network for other copies, interrogate them for their CD key, and refuse to run if they find it's the same. This makes image based installs impossible since they don't provide any way to install and configure the app, then "de-personalize" it so all you have to do to get it working is enter the CD key. (You can do this with Windows, BTW). Those apps are a nightmare and in comparison Windows looks absolutely lovely to manage.
I'm also finding my trials with OO.o and GNOME for our journalists pretty dismal so far. All sorts of weird bugs keep on turning up and I'm about to give up and get them Windows boxes. I use Linux at home without issues, but these uses can and do break stuff all the time.
In the end, I guess it comes down to picking the right tool for the right job. MS desktops, managed well, are OK. I don't like them, but they work. Especially if you lock IE down so hard the user can't even run it, and if they figure out how to run it anyway, can't visit anywhere or do anything. Too bad they cost so bloody much and still insist on bundling IE, Outlook Express (Yes you can remove it, but it'll be back every time you patch the damn OS), etc.
Well, the company I worked for was so large that they had their own IT maintenance company.
/.
... From a user perspective around 0 to 400 hours have been spent 'building' this computer.", so what did you do with the rest of the morning apart from a 10min phone call.
/.
at most we needed 2 people got the office to get the required skills base, so as a standalone company I'd say you need
1 person = 30 employees, or 1:15-1:40
3 people for 50+ employees, or 1:16
after that you can start to drop the ratios down quite quickly because you've got enough people for a reasonable problem.
'AM. Came into work, our email client was not working. ',....' Later arises the email server ran out of disk space.' isn't that the first thing you check?
Put quotas on all servers, and have them email you an alert when they start to run out of space or something sits at 100% CPU etc... also make sure all email accounts have a fixed quota, and try to make the quotas total no more than 150% of the disk space on the server.
This would have turned your Monday into an occasional job of fitting a new disk or emailing everyone holding lots of email telling them to clean it out or face the rm -rf *.
pm, browsed
"Someone complains they've not received the laptop
PM. Someone has a problem with ODBC drivers in an application they're using. Turns out the drivers client application drivers were out of date for the server application.
Lock down the clients, no problem.
Wednesday.
Thursday.
'Someone's computer reset overnight ', all computers should be turned off at night and screen locked when the user is away from them.
It is a fire and security hazard to leave a pc on overnight.
'They remember their password but not their username(!)',
How? Don't you assign someone a user name when they get the job and keep records? Also try looking on one of the access logs of a server they used to get the user's name. Failing that you'll find it recorded in the windows system log of the pc; log in as admin and take a look.
PM.
'User complains of persistent popups on IE on various websites'
I recommend locking down the workstations,
Patching shouldn't be critical, you do run a firewall, web proxy and filter all email don't you?
Friday.
'Network folders seem slow (30+ secs to browse a folder with few files).', WINS or network configuration problem, make sure all your subnets are ok, there are lots of free tools to do this, and it only takes an hour or so.
failing that it could be a worm spewing all kinds of crap. The system should have been configured correctly in the first place, locked down and firewalled off.
PM: Trouble receiving attachments in email. takes several hours to partially resolve.
Why do I expect that you get a lot of 'email' and 'network' related problems where you work?
Revised week....
Monday, received an email from the mail server, Bill's inbox is full, sent him a reminder to tidy it up or I'd archive anything more than 3 months old.
Total time for the day 5 mins.
Tuesday, one ten minute phone call. Explained that the laptop was 'non-standard' so we were taking more time to check the configuration was good so that they didn't have any problems with it later on.
Total time for the day 10 mins,
Wednesday.
nothing
Total time for the day 0 mins,
Thursday,
Looked up someone's user name for them.
Time 10 mins.
PM.
Nothing.
Friday.
AM. can't say, but should take too long, shouldn't have happened in the first-place.
PM. again can't say because.
So, in a week you probably would have had to do at most a days work, if the system had been locked down and configured properly. Do the same with the rest of the sysadmins &co and 80% would be out of a job.
(a little better than the 70% I claimed to be able to save you)
thank God the internet isn't a human right.
you can use samba 3 to join an active directory in full native mode (no schema extensions, no mixed mode) we have completed this on Solaris and Linux.
I think that if we bought products from the company of every CEO that has slept in the Lincoln Bedroom, we'd have more prosperity, fewer terrorists, better return on our investment dollars, and higher executive bonuses that would trickle down to all layers of our economy, especially at American-staffed Mercedes and Lexus auto dealerships. So stay away from that Linux corruption. It's bad, very BAD!!!
DT
Is this thing on? Hello?
Maybe it's those ceyboards you're using that are the problem. ;-)
Computer And Chair
:-)
Call it the Brittish spelling if you wish
sigaar
Ok, so someone explain to me why Cisco's web-based and desktop-based management tools are almost always Windows-only? Not only Windows-only, but frequently don't run right under anything but Internet Explorer.
Guess I'll continue to stick to CLI and console cables for configuration and management.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
No, and I don't see any need to. Users are free to run software they install within their own accounts -- being developers, this is a frequent requirement.
This thread is typical of the IT support mindset that says "if only we can restrict what the users are doing we will have a much easier ride". The problem is that assumes that a one size fits all PC configuration can really work for all users.
It probably won't cause a problem if nobody in the company can install screen savers, desktop images, custom sounds, their favourite media player, or games. What does cause a problem is when your engineers cannot install the software they need to do their work.
I work in a large multinational manufacturer of telecoms equipment. I routinely have to install software: drivers for various types of mobile phones, different JVM versions to be compatible with various applications we have to test, test tools, etc. If I ring my helpdesk and ask them to install them, they say "sorry, this is not an SOE approved application". Luckily I was able to put the case to be given Admin rights.
I would also add that this type of user usually has the requisite skills to fix most problems anyway - so doesn't need to call the help desk as much anyway. One of my colleagues recently picked up a virus that the SOE antivirus did not pick up. He located the fix for it on the net and applied it himself.