Throughout our Cisco environment there are roughly 30 or more 3500XL (makes up about 70% of my layer 2 environment). The dilemma I'm faced with is securing port 23 access to these from an administrative standpoint. We use TACACS+ for authentication, however, it is my understanding that the authentication from the switch to the tacacs server is sent in clear text. This is a problem in our environment, and unfortunately the 3500XLs do not support SSH. Anyone have any creative suggestions of securing up mgmt access to these devices? ACLs are an answer, but I'd like to see if there are any other suggestions prior to ACL implementation.
Have you considered using only console access and not configuring layer-3 interfaces on the switches. There are some terminal servers (Lantronix) that can support SSH, but direct access to the 3500s would be via the console port. Logistics of a large (30+) switch rollout may be another matter, but it is an idea and the problem is solved.
Another option is using Cisco's authentication proxy feature. This would require implementing ACLs, but would require authentication to gain access to the network via port 23 and then you would still have to authenticate to the local device...
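For reference, here is what the ACL approach from the original question and the reply above looks like on a Catalyst 3500XL running IOS: a standard access list applied with `access-class` on the VTY lines so that only a management subnet can open a Telnet session, with denied attempts logged, and the HTTP and SNMP management paths restricted the same way. This is an added configuration example, not something posted by anyone in the thread; the management subnet 10.0.0.0/24, the ACL number 10 and the community string name are constructed placeholders that you would replace with your own values.

```cisco
! Constructed example: restrict management-plane access on a 3500XL.
! 10.0.0.0/24 stands in for your administrative subnet (placeholder).
access-list 10 remark Management stations allowed to reach this switch
access-list 10 permit 10.0.0.0 0.0.0.255
! Log every other source so refused login attempts show up in syslog
access-list 10 deny   any log

! Apply the ACL inbound on all VTY lines; Telnet is still cleartext on
! the wire, so this only limits who can reach the prompt at all.
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input telnet
 login authentication default

! Turn off the web UI rather than leaving a second cleartext path open
no ip http server

! Read-only SNMP, and only from the same management subnet
snmp-server community MGMT-RO-PLACEHOLDER RO 10

! Send the ACL log messages and login events to a central collector
logging 10.0.0.50
logging trap informational
```

The `access-class` line is what actually enforces the restriction; the `deny any log` entry is what makes it visible, since each refused connection produces a syslog message naming the source address. Pair this with the same ACL on any management VLAN interface so that the switch is unreachable on port 23 from user segments rather than merely refusing the session.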