05-14-2020 04:10 AM
Hi all,
We want to use RESTCONF in our network (Cat9k / IOS-XE 16.12). However, I want to restrict access by using an ACL.
So, there are two options:
Both options are not really an option, because the switch still answers to IPs that are not allowed with HTTP 403 (ip http access-class) or HTTP 401 (restconf ipv4 access-list). This is not really what I understand under hardening. For the SNMP or VTY ACL functionality, the packet is dropped before it reaches the corresponding daemon.
An open socket means that the whole HTTP server (nginx) is still attackable.
CoPP is not an option, because user classes are not supported on IOS-XE for Catalyst 9k
MPP is not an option, because it's not implemented on IOS-XE for Catalyst 9k.
How to handle this?
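For readers following this thread, here is an added configuration example (not from the original poster or from Cisco) that shows the two ACL mechanisms the post refers to, with a `deny any log` entry so that rejected RESTCONF attempts at least show up in the device log. The ACL name `RESTCONF-MGMT`, the management subnet `10.0.0.0/24` and the `restconf` submode form of the `ipv4 access-list` command are assumptions; check the exact syntax against the IOS-XE release in use.

```ios
! Added example, not the poster's configuration. Names and subnet are assumed.
! Standard ACL: only the management subnet may reach the HTTP/RESTCONF server.
! The "log" keyword on the deny line records blocked attempts (detection value),
! but as the post notes, the TCP socket itself still accepts the connection.
ip access-list standard RESTCONF-MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Option 1: ACL applied to the whole HTTP(S) server (403 for non-permitted sources).
ip http secure-server
ip http access-class ipv4 RESTCONF-MGMT
!
! Option 2: ACL applied only to RESTCONF (401 for non-permitted sources).
! Assumed submode syntax; verify with "restconf ?" on the device.
restconf
 ipv4 access-list name RESTCONF-MGMT
```

Either way the filtering happens inside the HTTP server rather than on the packet path, which is exactly the limitation the post describes; the logged denies are useful for alerting on unexpected RESTCONF access attempts while a proper data-plane filter is worked out.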