Steve Allen
Beginner

ip http and ip secure http

I know Cisco have confirmed IOS and IOS-XE are not vulnerable to Log4J but there is now an increased security concern around anything apache or http related.

We have onboarded most of our network switches to DNA Center to take advantage of telemetry and software image manager. During the onboarding DNA enables the below configuration as part of the provision process:

ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface xxxx

I'll need to justify to my security department why we need to enable these commands. Can anyone explain why the above is required or point me in the direction of some documentation?

Again, I know the above has no relationship to Log4J but still need to know why the commands are required.
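Added example (not from the original poster or from Cisco/DNA Center): a small Python audit that reads an IOS-style running-config and flags the HTTP-related lines quoted in the post, then checks a hardened variant in which plaintext HTTP is disabled and HTTPS is kept but restricted with an `ip http access-class` ACL. Both config fragments are constructed sample input; the ACL number 10 and the management subnet are assumptions.

```python
import re

# Constructed sample modelled on the lines quoted in the post (not a real device).
SAMPLE_CONFIG = """\
hostname access-sw-01
!
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface Loopback0
!
end
"""

# Constructed hardened variant: plaintext HTTP off, HTTPS kept and
# limited to an assumed management subnet via access-list 10.
HARDENED_CONFIG = """\
hostname access-sw-01
!
no ip http server
ip http authentication local
ip http secure-server
ip http access-class 10
ip http max-connections 16
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any
!
end
"""


def audit_http(config: str) -> list[str]:
    """Return findings for the HTTP/HTTPS server settings in an IOS-style config.

    Exact line matching is used so that 'no ip http server' is not
    mistaken for 'ip http server'.
    """
    lines = [line.strip() for line in config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    # Matches both 'ip http access-class 10' and the newer
    # 'ip http access-class ipv4 <name>' form.
    has_acl = any(re.match(r"ip http access-class\b", line) for line in lines)
    has_auth = any(line.startswith("ip http authentication ") for line in lines)

    findings = []
    if http_on:
        findings.append(
            "plaintext HTTP server enabled; prefer 'no ip http server' and keep HTTPS only"
        )
    if (http_on or https_on) and not has_acl:
        findings.append(
            "HTTP(S) server reachable from any source; add 'ip http access-class <acl>'"
        )
    if (http_on or https_on) and not has_auth:
        findings.append(
            "no 'ip http authentication' method set; configure local or AAA authentication"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("as pushed", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_http(cfg) or ['no findings']}")
```

Run against a set of exported running-configs, this is enough to answer the security department's question of which switches still expose plaintext HTTP and which have the HTTPS server open to any source; the checks say nothing about why DNA Center pushes the lines, only what exposure they create.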

4 REPLIES
Flavio Miranda
Advisor

Hi

You need HTTP enabled if you have a Wireless LAN Controller on the switch with guest access. Otherwise, you don't need it. DNAC does not enable it by default; I'm assuming that someone added these lines to the template. You can run a template disabling it with "no ip http server" if you don't need HTTP on the switch.

Good Morning Flavio,

I experience the same issue as Steve. I deploy switches fully configured with both options disabled. When I add them into DNAC it pushes the config out to them to re-enable.

AdamF1
Beginner

I've always been curious why DNAC does this as well. We have always disabled both by default, as there always seems to be a critical bug in their switch software for HTTP(S).

Rajesh Kongath
Beginner

Hi All,

I'm in the same boat, anyone got any update on this?