Hi, recently I became aware, through some customers' pen tests, that our 3850 aggregation SW is answering probes (requests for https access) on broadcast addresses. For example, we have customer A on vlan100, ip 10.10.10.1/32; the customer is 10.10.10.2/30. The probes are making it to the broadcast address 10.10.10.3 and can bring up the GUI via 10.10.10.3 despite having an ACL on https access. This happens on all broadcast IPs on all L3 VLAN interfaces. I have looked at another 3850 SW in our network and can confirm this is default behavior.
Does anyone know how I can stop the switch from answering and serving http access? BTW, not sure what else the SW answers for on broadcast IPs.
TIA, Paul
Hi
The switch stops responding to the HTTP and HTTPS service by issuing the commands:
no ip http server
no ip http secure-server
What code is running on the switch? (Do you need the HTTP GUI to configure the switch?)
If you need the GUI, then add an ACL for certain IPs to access it, so when someone does the pen testing, it will be denied.
You can check whether the service is running or not:
#show ip http server status
...
HTTP server status: Disabled
....
HTTP secure server status: Disabled
Version 16.9.4 - I don't want to turn off https, just trying to figure out how to stop the switch from answering https requests on broadcast IPs.
thanks Paul
Hi, I know how to turn it off, but the issue is that the switch serves up the GUI via https to broadcast IPs on configured VLANs, as stated above. Trying to find out how to stop this.
P
If you are referring to "ip directed-broadcast", it is disabled by default in newer IOS versions.
device# configure terminal
device(config)# interface ethernet 2/1
device(config-if)# ip address 114.114.114.1 255.255.255.0
device(config-if)# ip directed-broadcast
device(config-if)# end
Hi, I have that off and that is not what I'm looking for. The issue is that the broadcast IP on a /29 subnet is answering http and serving up the Cisco GUI.
Example:
interface Vlan100
ip address 10.10.12.1 255.255.255.0 secondary
ip address 172.17.0.1 255.255.255.252 secondary
ip address 192.168.6.1 255.255.255.248
no ip redirects
!
no ip http server
ip http access-class ipv4 2
ip http authentication local
ip http secure-server
192.168.6.7, which is the broadcast for the /29 above, brings up the Cisco 3850 https mgmt page and I don't want this to happen.
Can you post the configuration here for the Layer 3 interface config and also the http config? I prefer to use an ACL where it can.
interface Vlan100
ip address 10.10.12.1 255.255.255.0 secondary
ip address 172.17.0.1 255.255.255.252 secondary
ip address 192.168.6.1 255.255.255.248
no ip redirects
!
no ip http server
ip http access-class ipv4 2
ip http authentication local
ip http secure-server
192.168.6.7, which is the broadcast for the /29 above, brings up the Cisco 3850 https mgmt page and I don't want this to happen. Not sure why the switch is answering for the broadcast IP for http access; is there a way to stop this?
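As an added audit example (not from this thread and not Cisco's own tooling), the Python script below parses the Vlan100 config posted above, computes the broadcast address of every primary and secondary subnet on each L3 interface, reports which http/https service lines the config explicitly enables or disables, and can optionally check whether TCP 443 still answers on each broadcast address so the exposure can be re-verified after a change. The config text is the one from the thread; the probe function, its port and timeout are my assumptions.

```python
"""Audit helper: enumerate the directed-broadcast addresses created by a
Cisco L3 interface configuration and (optionally) check whether the
management HTTPS port still answers on them."""
import ipaddress
import re
import socket

# Constructed sample: the interface and http configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 10.10.12.1 255.255.255.0 secondary
 ip address 172.17.0.1 255.255.255.252 secondary
 ip address 192.168.6.1 255.255.255.248
 no ip redirects
!
no ip http server
ip http access-class ipv4 2
ip http authentication local
ip http secure-server
"""

_IFACE_RE = re.compile(r"^interface\s+(\S+)")
_ADDR_RE = re.compile(
    r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)(\s+secondary)?\s*$"
)


def broadcast_addresses(config: str) -> dict:
    """Return {interface: [(address/prefixlen, broadcast), ...]} for every
    'ip address' line, primary or secondary, inside an interface stanza."""
    result = {}
    current = None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        if line.startswith("!"):          # end of the interface stanza
            current = None
            continue
        m = _ADDR_RE.match(line)
        if m and current:
            # ipaddress accepts "addr/netmask" and derives the network for us
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            result[current].append(
                (iface.with_prefixlen, str(iface.network.broadcast_address))
            )
    return result


def http_services(config: str) -> dict:
    """Report the http/https server state the config text states explicitly.
    A line not present in the text is reported as False (not enabled)."""
    state = {"http": False, "https": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
    return state


def probe_https(addr: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Assumed verification step: True if a TCP handshake to addr:port
    completes, i.e. the switch still accepts HTTPS on that address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((addr, port)) == 0


def audit(config: str, probe: bool = False) -> list:
    """Combine the parsers into one report; only reach the network if asked."""
    report = []
    for iface, subnets in broadcast_addresses(config).items():
        for addr, bcast in subnets:
            entry = {"interface": iface, "address": addr, "broadcast": bcast}
            if probe:
                entry["https_answers"] = probe_https(bcast)
            report.append(entry)
    return report


if __name__ == "__main__":
    print("services:", http_services(SAMPLE_CONFIG))
    for row in audit(SAMPLE_CONFIG):      # pass probe=True on a lab network
        print(row)
```

Run it against the running config (`show running-config | section interface Vlan`) on a lab copy first; the probe only reports whether the TCP handshake completes, which is enough to confirm whether a change such as disabling the secure server or tightening `ip http access-class` actually removed the broadcast-address response.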