[c-nsp] management access BCP?

Charles Sprickman spork at bway.net
Thu Mar 13 22:02:29 EDT 2014


Hello all,

This is hopefully an easy one.

This Cisco document on "hardening" IOS seems fairly complete:

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

You will note that it's from 2011.  Is this still mostly applicable, or have more recent changes to IOS already dated this information?  I'm mostly looking at what common practice is to protect the router itself.  I was a bit surprised to see that on the ASR1K default setup, you're pushed towards putting the GigE management port in its own VRF.  Seems like a not bad idea, but we're really too small to have a full OOB management network.  Backend network for server-server communications and such, but up until now I've simply relied on ACLs to limit management access.  It's not ideal, but I have constraints to work with here.

Two other vaguely related questions:

-cisco-nsp is a great list, but I often feel like some of the simpler questions (like this one) would be better handled elsewhere.  Can anyone recommend another place to ask this sort of question that's a true mailing list and not a forum?

-We're in a rack in a colo.  I'd like to have true OOB access, but our options are limited.  No one is going to pay $100+/month for the line and cross-connect fees to get a POTS line in there, and really with no real POTS line at home I'm not even sure I could get in that way if I had to (I know faxing is incredibly hit and miss over VoIP).  What are people doing these days to get OOB into a single small location?  Cellular?

Thanks,

Charles
-- 
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
spork at bway.net - 212.982.9800
