
DNA - Vulnerability - HTTP Port 80

danibqb01
Level 1

We ran a scan to identify the vulnerabilities, and it was identified that the DNA uses port 80.

I couldn't find any documentation to disable this port.

When we access http://dnac.xpto.com (80) it automatically directs to https://dnac.xpto.com (443).

But through the "CMD" we were able to connect by running the command "telnet dnac.xpto.com 80".


2 Replies

Preston Chilcote
Cisco Employee (accepted solution)

There is at least one feature that relies on HTTP being available. When a new device is being onboarded with Plug and Play, it doesn't yet have the certificate of the Cisco DNA appliance to do HTTPS. So, initially it connects over HTTP to get that cert, then switches over to HTTPS.

Hi @Preston Chilcote 


Thank you very much for the information, as I was able to find in this guide exactly what you commented.

As I understand it, not only PnP, but also other features like SWIM, EEM and others.


https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html


"Software image download from Cisco DNA Center through HTTPS:443, SFTP:22, HTTP:80.

Certificate download from Cisco DNA Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry."


"Note: Block port 80 if you don't use Plug and Play (PnP), Software Image Management (SWIM), Embedded Event Management (EEM), device enrollment, and Cisco 9800 Wireless Controller."


Your information was extremely helpful in locating what you needed.


I haven't figured out how I could block port 80 if I don't use these functions.
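The telnet check in the question only proves that something accepts TCP connections on port 80. For the scanner finding it is more useful to know what that listener actually does: whether it only redirects to HTTPS (as observed in a browser), whether it answers requests over plaintext HTTP, or whether it is unreachable once port 80 has been blocked upstream as the hardening guide's note suggests. The script below is an added example written for this thread; it is not Cisco code and not part of DNA Center. The host name dnac.xpto.com comes from the question, and the two sample responses are constructed for illustration.

```python
"""Probe TCP/80 on a host and classify what the listener does with plaintext HTTP.

Added example for this thread; not Cisco code. The sample responses below
are constructed to look like a redirect-only listener and a content-serving
listener; they are not captured from a real appliance.
"""
import socket
import sys
import threading
from urllib.parse import urlsplit

# Constructed sample replies (not real DNA Center output).
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://dnac.xpto.com/\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_CONTENT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body>login</body></html>")


def classify_http_response(raw: bytes, expected_host: str) -> str:
    """Classify a raw HTTP/1.x response read from a port-80 listener.

    'redirect-https'  3xx whose Location is https://<expected_host>/... (redirect only)
    'redirect-other'  3xx pointing anywhere else (plaintext or off-host; review it)
    'serves-content'  any non-3xx status: the listener answers requests over HTTP
    'unparseable'     the reply does not start with an HTTP status line
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "unparseable"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", ""))
        if target.scheme == "https" and (target.hostname or "").lower() == expected_host.lower():
            return "redirect-https"
        return "redirect-other"
    return "serves-content"


def probe_http(host: str, port: int = 80, expected_host: str = None, timeout: float = 5.0) -> str:
    """Like 'telnet host 80', but also send a GET and classify the answer.

    Returns 'blocked' when no TCP connection can be made (refused or filtered),
    which is the state to expect after blocking port 80 at the firewall.
    """
    expected_host = expected_host or host
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "blocked"
    with sock:  # create_connection already applied the timeout to the socket
        sock.sendall(b"GET / HTTP/1.1\r\nHost: " + expected_host.encode()
                     + b"\r\nConnection: close\r\n\r\n")
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # classify whatever arrived before the timeout
    return classify_http_response(buf, expected_host)


def serve_once(response: bytes) -> int:
    """Start a one-shot local listener that answers with `response`; return its port.
    Used only to exercise the probe offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python probe80.py dnac.xpto.com
        print(sys.argv[1], probe_http(sys.argv[1]))
    else:                                      # offline demo against the local listener
        demo_port = serve_once(SAMPLE_REDIRECT)
        print("demo", probe_http("127.0.0.1", demo_port, expected_host="dnac.xpto.com"))
```

Run it before and after any firewall change: a result of `redirect-https` means the listener matches what the browser showed, `serves-content` or `redirect-other` means something other than the HTTPS redirect is reachable in plaintext and should be reviewed against the PnP/SWIM/EEM needs quoted from the hardening guide, and `blocked` confirms the upstream block is in effect from the probing network.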
