RE: terminal server recommendation

Charles,

Agreed on some of your points - The ssh issue would be the biggest problem,
however we separate the term servers on a private, out-of-band network, so
we haven't been particularly concerned with telnet snooping, especially
considering the ssh code on Cisco still only has limited platform support.
Something to bring up with our security team nonetheless. We haven't seen
the amphenols dislodge, and we have hundreds of these babies, so that is
weird. Maybe a lot of them are dropped downward - haven't inspected them
all.

As far as configs, we can manually copy them via FTP, but as I said, we only
use them for Tservers, so nothing too fancy with PPP, etc. We do use RADIUS,
which hasn't been a big issue. I think the primary reason we use them is
high port density and our original network engineers had extensive
experience with them, so they've stuck around. How many large NSPs have
whole racks of 2511s in the field? (I think a lot.)

The setup and recovery totally sucks. I remember the first time I reloaded
one. It prompted for the boot file and I put the config filename in by
mistake. Whoops, tserver is dead, have to dispatch with a
wacky-pinout-having console cable and rebuild.

*sigh*

We are replacing them with 3660's, unless someone has a better
recommendation (The primary reason being TACACS+ support).

chris

I'm just curious. I've seen several posts over the past few months
regarding TACACS and RADIUS being used for authentication for term servers
that are used for OOB access to devices. Something just isn't making
sense here. If you need to use the device to access something OOB, has it
perhaps come to your attention that it is quite possible that YOUR IPV4
NETWORK CONNECTION TO YOUR TSERVER IS MOST LIKELY DOWN AS WELL and as
such, IT CAN'T AUTHENTICATE YOU TO THE TACACS OR RADIUS SERVER?

Thank you for letting me get that off my chest.

I welcome enlightenment from those who see past the gotcha I've outlined
above.

I'm just curious. I've seen several posts over the past few months
regarding TACACS and RADIUS being used for authentication for term servers
that are used for OOB access to devices. Something just isn't making
sense here. If you need to use the device to access something OOB, has it
perhaps come to your attention that it is quite possible that YOUR IPV4
NETWORK CONNECTION TO YOUR TSERVER IS MOST LIKELY DOWN AS WELL and as
such, IT CAN'T AUTHENTICATE YOU TO THE TACACS OR RADIUS SERVER?

You can configure "default" passwords which are used if your
authentication servers are down.

.. you guys do this, right? :)

Thank you for letting me get that off my chest.

Welcome. :)

I welcome enlightenment from those who see past the gotcha I've outlined
above.

I'm sure you can find example configurations for this on Cisco's
website. :)

In any case, it is certainly plausible that you'd need OOB access to
a device that you can't get IP connectivity to but you can get
connectivity to the local term server. Think "crashed server".
Or "broken flash". Or "Failed remote software upgrade".

Adrian
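
The fallback described in the reply above, as an added Cisco IOS configuration sketch that is not part of the original thread or taken from Cisco's documentation. The server address (a documentation-range IP), the shared key, the `oob-fallback` username and the passwords are constructed placeholders, and the `group tacacs+` method syntax assumes an IOS release that supports the `group` keyword.

```cisco
! Constructed example: address, key, username and passwords are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key <PLACEHOLDER-SHARED-KEY>
tacacs-server timeout 5
!
! Local credentials that are consulted only when the fallback method fires.
username oob-fallback password <PLACEHOLDER-PASSWORD>
enable secret <PLACEHOLDER-ENABLE-SECRET>
!
! No fallback: if 192.0.2.10 cannot be reached, every login attempt fails.
! aaa authentication login default group tacacs+
!
! With fallback: TACACS+ is tried first; the local username database and the
! enable secret are used only if the server does not respond.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
```

The `local` and `enable` methods are reached only when the TACACS+ server returns an error or times out, not when it rejects the credentials, so the fallback account does not bypass the server while it is reachable.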