ip http and ip secure http

Steve Allen
Level 1

I know Cisco have confirmed IOS and IOS-XE are not vulnerable to Log4j, but there is now an increased security concern around anything Apache- or HTTP-related.

 

We have onboarded most of our network switches to DNA Center to take advantage of telemetry and Software Image Manager. During onboarding, DNA Center enables the configuration below as part of the provisioning process:

 

ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface xxxx

 

I'll need to justify to my security department why we need to enable these commands. Can anyone explain why the above is required or point me in the direction of some documentation?

 

Again, I know the above has no relationship to Log4j, but I still need to know why the commands are required.

10 Replies

Hi

You need HTTP enabled if you have a Wireless LAN Controller on the switch with guest access. Otherwise, you don't need it. DNAC does not enable it by default; I'm assuming that someone added these lines to the template. You can run a template disabling it with "no ip http server" if you don't need HTTP on the switch.

Good Morning Flavio,

 

I experience the same issue as Steve. I deploy switches fully configured with both options disabled. When I add them into DNAC it pushes the config out to them to re-enable.

AdamF1
Level 1

I've always been curious why DNAC does this as well. We have always disabled both by default, as there always seems to be a critical bug in their switch software for HTTP(S).

Rajesh Kongath
Level 1

Hi All,

I'm in the same boat, anyone got any update on this?

81001
Level 1

I'm also having this issue.

We deploy a day-n template when provisioning switches that disables the HTTP(S) server, but this causes the device to be "non-compliant". Is there a way around this now? Or is there another way to secure the web server? Using access-class does not stop the HTTP server from responding; it still responds with HTTP 403 unauthorized if the source doesn't match the ACL. We are looking for guidance on this before we go ahead and re-enable it.

It is annoying that all our switches are non-compliant because of this, so we can't spot switches that are genuinely out of compliance. 
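As an added example (not from this thread, and not Cisco or DNA Center code), a small Python audit that pulls the `ip http ...` lines out of a running-config and flags the points a security team would raise about them. It runs against a constructed copy of the block DNA Center pushes (taken from the original post) and against a constructed hardened variant in which only HTTPS is left on, web logins go through AAA, the TLS floor is pinned, and an `ip http access-class` limits source addresses. The ACL name MGMT-HTTPS and the host addresses in it are assumptions; the commands themselves are standard IOS-XE syntax.

```python
"""Audit the HTTP/HTTPS server settings in a Cisco IOS/IOS-XE running-config.

Added example, not from the original thread or from Cisco: given config text,
extract the `ip http ...` settings and report the weaknesses a security
review would ask about. Two constructed sample configs are embedded below.
"""
import re

# Sample 1: constructed copy of the block DNA Center pushes (from the post).
DNAC_CONFIG = """\
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface xxxx
"""

# Sample 2: constructed hardened variant. ACL name and hosts are assumptions.
# Note: an access-class limits who may authenticate; the listener still
# completes the TCP handshake and answers non-matching sources with an error,
# so the service remains visible to a port scan.
HARDENED_CONFIG = """\
ip access-list standard MGMT-HTTPS
 permit host 10.0.0.10
 permit host 10.0.0.11
 deny   any log
no ip http server
ip http secure-server
ip http authentication aaa
ip http access-class ipv4 MGMT-HTTPS
ip http tls-version TLSv1.2
ip http max-connections 16
ip http timeout-policy idle 60 life 86400 requests 10000
"""


def http_settings(config: str) -> dict:
    """Return the ip http settings found in `config` as a flat dict."""
    s = {"server": False, "secure_server": False, "auth": None,
         "access_class": None, "tls_version": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            s["server"] = True
        elif line == "no ip http server":
            s["server"] = False
        elif line == "ip http secure-server":
            s["secure_server"] = True
        elif (m := re.match(r"ip http authentication (\S+)$", line)):
            s["auth"] = m.group(1)
        elif (m := re.match(r"ip http access-class (?:ipv4 )?(\S+)$", line)):
            s["access_class"] = m.group(1)
        elif (m := re.match(r"ip http tls-version (\S+)$", line)):
            s["tls_version"] = m.group(1)
    return s


def audit_http(config: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    s = http_settings(config)
    listening = s["server"] or s["secure_server"]
    findings = []
    if s["server"]:
        findings.append("plaintext HTTP enabled (ip http server): credentials "
                        "and sessions cross the wire unencrypted")
    if listening and s["access_class"] is None:
        findings.append("no ip http access-class: the web server accepts "
                        "requests from any source address")
    if listening and s["auth"] == "local":
        findings.append("ip http authentication local: web logins bypass "
                        "central AAA logging and lockout policy")
    if s["secure_server"] and s["tls_version"] is None:
        findings.append("no ip http tls-version: TLS minimum version left at "
                        "the platform default")
    return findings


if __name__ == "__main__":
    for name, cfg in (("DNA Center block", DNAC_CONFIG),
                      ("hardened block", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_http(cfg) or ["no findings"]:
            print(" -", f)
```

Run it and the DNA Center block produces four findings while the hardened block produces none. The audit is deliberately config-only: it tells you what the switch will offer, not whether the ports are actually reachable, and it does not change the fact noted above that the only way to make the listener disappear entirely is `no ip http secure-server`, which DNA Center then reports as a Network Settings violation.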

@81001 Which compliance test is failing? Perhaps it's the Security Advisory?

No, Network Settings. The violation is:

HTTP NR Settings
  Is HTTP Server Enabled    Status: Changed    Expected: true    Actual: false

It expects this condition to be true, but our day-n template has issued a "no ip http server" command.

You should have the option to "Acknowledge" the violation when you click on the Network Settings tile of the Compliance summary page in Inventory.  Did you already try this?

Yes, there is an option, but we have 400+ switches. Is there an API to do this with the latest Catalyst Center release? We are on 2.3.5.5 now.

Preston Chilcote
Cisco Employee

Ya, that is a pain to do in bulk. There is no way today to acknowledge in bulk, but I think it's something that needs to be added. You (and anyone else reading this) could do us all a favor by submitting a Make a Wish from the Cat Center help menu to deliver this request directly to Product Management.
