[c-nsp] ASR9000/RSP440 Console Issue

Benny Amorsen benny+usenet at amorsen.dk
Fri Jun 15 07:16:23 EDT 2012


Saku Ytti <saku at ytti.fi> writes:

> On CMP you can upload images, on on-band RS232 you cannot (most don't even
> support it anymore and even those which do, it's not practical, as it takes
> less time to go on-site, short of moon nazis Internet, and while they pay
> well, we thought it was unethical to provide connectivity).
> On CMP you can build cheap OOB network (eth switches cost nothing compared
> to proper RS232 server like Avocent)

You are so completely right. In addition, servers can be power cycled
remotely through CMP if need be, whereas routers need an expensive
managed PDU and you always have the risk that someone got the wiring or
the documentation wrong and you hit the wrong box.

Similar problems with the serial wiring/documentation of course, but at
least you generally discover the problem before you do anything bad.

In addition, properly implemented CMP interfaces provide a certain
amount of defence against attacks on the management network, because a
configuration mistake can never link production and management -- for
that you need a vulnerability in the CMP.

IMHO no switch or router should have management access enabled on an
interface which can be configured to pass non-management traffic.

> I'd say kill the on-band RS232 and roll CMP only.

Absolutely. RS232 is not quite useless, but it is far from a proper OOB
management solution.

Do the Cisco servers have proper OOB management? If so, can they send a
few people from the various other business units on a field trip to the
server guys?


/Benny
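As an added illustration of the rule Benny states above (management access only on an interface that cannot carry production traffic), the following audit script is not part of the original message or of any Cisco tooling. It parses a constructed configuration whose syntax is only loosely modelled on IOS XR (interface blocks, "vrf", "ssh server vrf") and reports every management service that is reachable through an interface outside the assumed management VRF "MGMT". Interface names, VRF names, addresses and the service lines are all invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample configuration for this example only. The dialect is a
# simplified imitation of Cisco IOS XR and is NOT a real device configuration.
SAMPLE_CONFIG = """\
interface MgmtEth0/RSP0/CPU0/0
 description OOB management (constructed example)
 vrf MGMT
 ipv4 address 10.255.0.11 255.255.255.0
!
interface TenGigE0/0/0/0
 description core uplink (constructed example)
 ipv4 address 192.0.2.1 255.255.255.252
!
interface Loopback0
 ipv4 address 192.0.2.254 255.255.255.255
!
ssh server vrf MGMT
ssh server vrf default
http server
"""

# Management-plane services we look for; a missing "vrf" clause means the
# service listens in the default (production) VRF.
SERVICE_RE = re.compile(r"^(ssh server|http server|telnet server)(?: vrf (\S+))?$")


@dataclass
class Interface:
    name: str
    vrf: str = "default"   # VRF the interface belongs to
    addressed: bool = False  # only addressed interfaces can receive traffic


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Collect interface blocks with their VRF and whether they carry an address."""
    interfaces: Dict[str, Interface] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if not line.startswith(" "):
            # Top-level statement: either a new interface block or something else.
            m = re.match(r"^interface (\S+)$", line)
            current = Interface(m.group(1)) if m else None
            if current:
                interfaces[current.name] = current
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("vrf "):
            current.vrf = stripped.split()[1]
        elif stripped.startswith("ipv4 address"):
            current.addressed = True
    return interfaces


def parse_services(config: str) -> List[Tuple[str, str]]:
    """Return (service, vrf) pairs for every management service enabled."""
    services = []
    for line in config.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append((m.group(1), m.group(2) or "default"))
    return services


def audit(config: str, mgmt_vrf: str = "MGMT") -> List[Tuple[str, str, str]]:
    """List (service, vrf, interface) for management services exposed on
    interfaces that are not in the dedicated management VRF."""
    interfaces = parse_interfaces(config)
    findings = []
    for service, vrf in parse_services(config):
        if vrf == mgmt_vrf:
            continue  # bound to the OOB VRF: only management-only interfaces
        for iface in interfaces.values():
            if iface.addressed and iface.vrf == vrf:
                findings.append((service, vrf, iface.name))
    return findings


if __name__ == "__main__":
    for service, vrf, name in audit(SAMPLE_CONFIG):
        print(f"{service} (vrf {vrf}) reachable via production interface {name}")
```

In the sample, "ssh server vrf MGMT" is the only service confined to the OOB interface; the second SSH instance and the HTTP server both live in the default VRF and are flagged on every addressed production interface, including Loopback0.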
