> From: Charles Sprickman <[email protected]>
> Sent: Saturday, April 20, 2019 7:29 PM
> 
> 
> > On Apr 20, 2019, at 9:49 AM, Alex K. <[email protected]> wrote:
> >
> > Hello Dave,
> >
> > Thank you.
> >
> > Sure, it isn't *really* separated. After all, RPs' CPU connected to
> > both (management interface and router forwarding matrix). It's really
> > software imposed separation.
> 
> I’m always a bit puzzled by the design choices and how long they’ve stayed
> around. Back in 10.3 I got it - nobody cared about this, you just access-list
> everything and hope you didn’t miss some service.  And now it seems
> essentially the same.  Why the command shell wouldn’t be bound to a single
> IP (or a defined list of IPs) as part of the isolation is beyond me. The fact that
> if I have 200 interfaces configured with an IP that the shell process (and
> snmp, and ntp and whatever else is running) listens on those IPs is just
> insane.
> 
> I’m a bit of a dinosaur, so maybe in the new versions this has changed, but as
> of the last time I really paid attention to IOS they were still in the 90’s
> as far as keeping the management processes separate.
> 
>
Yup, that's beyond me too, would like to understand the thought process...
But at least in XR you have an easy way of limiting what service listens on
what physical interfaces. Still waiting for the rest of the NOSes to catch up...

adam
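The per-interface service restriction adam refers to is IOS XR's Management Plane Protection; the fragment below is an added illustration, not configuration from this thread or from any poster, and the interface names, VRF name and peer prefixes in it are constructed placeholders.

```text
! Management Plane Protection (IOS XR): only the listed interfaces accept
! management sessions, and only for the protocols (and peers) allowed here.
! Packets for any other protocol, or arriving on any other interface, are dropped.
control-plane
 management-plane
  ! In-band: one data-plane interface is allowed to carry SSH, and only
  ! from the assumed NOC prefix; SNMP is allowed from a single assumed poller.
  inband
   interface GigabitEthernet0/0/0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
    !
    allow SNMP peer
     address ipv4 192.0.2.10
    !
   !
  !
  ! Out-of-band: the dedicated management Ethernet, in its own assumed VRF,
  ! accepts all management protocols (restrict further with "allow <proto>" as above).
  out-of-band
   vrf MGMT
   interface MgmtEth0/RSP0/CPU0/0
    allow all
   !
  !
 !
!
! Verify which interfaces and protocols are actually open:
! show mgmt-plane
```

Interfaces not listed under `inband` (the other 199 in Charles' example) then no longer answer for SSH, SNMP, Telnet, HTTP, TFTP or XML at all, regardless of how many IPs they carry.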

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
