
ip http and ip secure http

Steve Allen
Level 1

I know Cisco have confirmed IOS and IOS-XE are not vulnerable to Log4J but there is now an increased security concern around anything Apache or HTTP related.

 

We have onboarded most of our network switches to DNA Center to take advantage of telemetry and software image manager. During the onboarding DNA enables the below configuration as part of the provision process:

 

ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface xxxx

 

I'll need to justify to my security department why we need to enable these commands. Can anyone explain why the above is required or point me in the direction of some documentation?

 

Again, I know the above has no relationship to Log4J but still need to know why the commands are required.

4 Replies

Hi

You need HTTP enabled if you have a Wireless LAN Controller on the switch with guest access. Otherwise, you don't need it. DNAC does not enable it by default; I'm assuming that someone added these lines to the template. You can run a template disabling it with "no ip http server" if you don't need HTTP on the switch.

Good Morning Flavio,

 

I experience the same issue as Steve. I deploy switches fully configured with both options disabled. When I add them into DNAC it pushes the config out to them to re-enable.

AdamF1
Level 1

I've always been curious why DNAC does this as well. We have always disabled both by default as there always seems to be a critical bug in their switch software for HTTP(s).

Rajesh Kongath
Level 1

Hi All,

I'm in the same boat, anyone got any update on this?
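
Added example, not part of the thread or of any Cisco tooling: a small Python check that reads saved running-config text and reports whether the HTTP/HTTPS server lines listed in the original post have been switched back on after a switch was deployed with both disabled. The function names, the sample configs and the `Loopback0` interface name are constructed for illustration.

```python
# Command stems from the original post. Arguments (connection count,
# interface name) differ per site, so only the stem is matched.
WATCHED = (
    "ip http server",
    "ip http authentication",
    "ip http secure-server",
    "ip http max-connections",
    "ip http client source-interface",
)

def http_state(running_config):
    """Map each stem to True (present), False (negated with 'no') or
    None (line not in the supplied text, so the platform default applies)."""
    state = {stem: None for stem in WATCHED}
    for raw in running_config.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        for stem in WATCHED:
            # Exact stem or stem plus arguments; "ip http server" must not
            # match "ip http secure-server".
            if line == stem or line.startswith(stem + " "):
                state[stem] = not negated
    return state

def drift(running_config, must_be_off=("ip http server", "ip http secure-server")):
    """Return the stems the baseline wants disabled but the config enables."""
    state = http_state(running_config)
    return [stem for stem in must_be_off if state[stem] is True]

# Constructed sample: switch as deployed, both servers disabled.
BEFORE = """hostname sw-example
no ip http server
no ip http secure-server
"""

# Constructed sample: same switch after onboarding, using the lines quoted
# in the original post (interface name is a placeholder).
AFTER = """hostname sw-example
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip http client source-interface Loopback0
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "re-enabled:", drift(cfg) or "none")
```

A `None` result means the line was not in the text supplied, so the enabled or disabled state depends on the platform default and should be confirmed on the device.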