12-17-2021 02:13 AM
I know Cisco have confirmed IOS and IOS-XE are not vulnerable to Log4J but there is now an increased security concern around anything apache or http related.
We have onboarded most of our network switches to DNA Center to take advantage of telemetry and software image manager. During the onboarding DNA enables the below configuration as part of the provision process:
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface xxxx
I'll need to justify to my security department why we need to enable these commands. Can anyone explain why the above is required or point me in the direction of some documentation?
Again, I know the above has no relationship to Log4J but still need to know why the commands are required.
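An added example, not part of the original thread: a small Python audit that reads an IOS/IOS-XE running-config and reports how the DNAC-pushed `ip http` lines leave the switch, using two constructed sample configs (the hostnames and source interface are made up).

```python
"""Audit IOS/IOS-XE running-configs for the HTTP server knobs that DNA Center
provisioning pushes (ip http server / ip http secure-server).
Both sample configs below are constructed for illustration."""
import re

# Constructed sample: a switch as DNAC leaves it after onboarding
PROVISIONED = """\
hostname sw-access-01
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface Loopback0
"""

# Constructed sample: plaintext HTTP disabled, HTTPS kept with local auth
HARDENED = """\
hostname sw-access-02
no ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
"""

def http_settings(config: str) -> dict:
    """Return the effective state of the ip http knobs in a running-config.
    A disabled server shows up as an explicit 'no ip http server' line."""
    state = {"http": False, "https": False, "auth_local": False, "max_conn": None}
    for line in config.splitlines():
        line = line.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
        elif line == "ip http authentication local":
            state["auth_local"] = True
        else:
            m = re.match(r"ip http max-connections (\d+)$", line)
            if m:
                state["max_conn"] = int(m.group(1))
    return state

def findings(config: str) -> list:
    """Points a security reviewer would raise about the HTTP configuration."""
    s = http_settings(config)
    out = []
    if s["http"]:
        out.append("plaintext HTTP (port 80) server enabled")
    if s["https"] and not s["auth_local"]:
        out.append("HTTPS server enabled but 'ip http authentication local' not set")
    if (s["http"] or s["https"]) and s["max_conn"] is None:
        out.append("no 'ip http max-connections' limit configured")
    return out
```

Running `findings()` over an exported running-config before and after DNAC provisioning shows exactly which of the pushed lines changed the exposure.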
12-19-2021 06:10 PM
Hi
You need HTTP enabled if you have a Wireless LAN Controller on the switch with guest access. Otherwise, you don't need it. DNAC does not enable it by default; I'm assuming that someone added these lines to the template. You can run a template disabling it with "no ip http server" if you don't need HTTP on the switch.
12-22-2021 05:53 AM
Good Morning Flavio,
I experience the same issue as Steve. I deploy switches fully configured with both options disabled. When I add them into DNAC it pushes the config out to them to re-enable.
12-22-2021 05:51 AM
I've always been curious why DNAC does this as well. We have always disabled both by default, as there always seems to be a critical bug in their switch software for HTTP(S).
06-12-2022 01:07 AM
Hi All,
I'm in the same boat, anyone got any update on this?