05-17-2022 02:07 PM
Hi, recently I became aware, through some customers' pen tests, that our 3850 aggregation switch is answering probes (requests for HTTPS access) on broadcast addresses. For example, we have customer A on VLAN 100, IP 10.10.10.1/32; the customer is 10.10.10.2/30. The probes are making it to the broadcast address 10.10.10.3 and can bring up the GUI via 10.10.10.3 despite having an ACL on HTTPS access. This happens on all broadcast IPs on all L3 VLAN interfaces. I have looked at another 3850 switch in our network and can confirm this is default behavior.
Does anyone know how I can stop the switch from answering and serving HTTP access? BTW, not sure what else the switch answers for on broadcast IPs.
TIA, Paul
05-17-2022 02:45 PM
Hi,
The switch stops responding to the HTTP and HTTPS services when you issue the commands:
no ip http server
no ip http secure-server
05-17-2022 02:52 PM
What code is running on the switch? (Do you need the HTTP GUI to configure the switch?)
If you need the GUI, then add an ACL allowing only certain IPs to access it, so when someone does the pen testing, it will be denied.
You can check whether the service is running or not:
#show ip http server status
...
HTTP server status: Disabled
....
HTTP secure server status: Disabled
05-17-2022 03:34 PM
Version 16.9.4. I don't want to turn off HTTPS, just trying to figure out how to stop the switch from answering HTTPS requests on broadcast IPs.
Thanks, Paul
05-17-2022 03:36 PM
Hi, I know how to turn it off, but the issue is that the switch serves up the GUI via HTTPS on the broadcast IPs of configured VLANs, as stated above. Trying to find out how to stop this.
P
05-17-2022 04:00 PM
If you are referring to "ip directed-broadcast", it is disabled by default in newer IOS versions.
device# configure terminal
device(config)# interface ethernet 2/1
device(config-if)# ip address 114.114.114.1 255.255.255.0
device(config-if)# ip directed-broadcast
device(config-if)# end
05-18-2022 08:03 AM - edited 05-18-2022 08:04 AM
Hi, I have that off, and that is not what I'm looking for. The issue is that the broadcast IP on a /29 subnet is answering HTTP and serving up the Cisco GUI.
Example:
interface Vlan100
ip address 10.10.12.1 255.255.255.0 secondary
ip address 172.17.0.1 255.255.255.252 secondary
ip address 192.168.6.1 255.255.255.248
no ip redirects
!
no ip http server
ip http access-class ipv4 2
ip http authentication local
ip http secure-server
192.168.6.7, which is the broadcast for the /29 above, brings up the Cisco 3850's HTTPS management page, and I don't want this to happen.
05-18-2022 02:14 AM
Can you post the configuration here for the Layer 3 interface config and also the HTTP config? I prefer to use an ACL where I can.
05-18-2022 08:04 AM - edited 05-18-2022 08:04 AM
interface Vlan100
ip address 10.10.12.1 255.255.255.0 secondary
ip address 172.17.0.1 255.255.255.252 secondary
ip address 192.168.6.1 255.255.255.248
no ip redirects
!
no ip http server
ip http access-class ipv4 2
ip http authentication local
ip http secure-server
192.168.6.7, which is the broadcast for the /29 above, brings up the Cisco 3850's HTTPS management page, and I don't want this to happen. Not sure why the switch is answering on the broadcast IP for HTTP access; is there a way to stop this?
10-24-2023 04:31 AM
Hi Paul,
I have this problem too. Not only the broadcast addresses but also the network addresses respond to HTTPS requests. In your example, 192.168.6.0 and 192.168.6.7 respond. Did you find a solution? I have a C9500-48Y4C with Cisco IOS XE Software, Version 17.03.04.
10-24-2023 12:35 PM
I would think a correctly written ACL should block access.
From a quick review of the replies, perhaps many don't recognize that the broadcast destination, to the host, is just as valid as the interface's unicast IPs.
Possibly the easiest ACL is one that controls what traffic is allowed. I.e., start (logically) with a deny all and then, very, very carefully, allow specific access.
Also, don't overlook other device management vectors.
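As an added example (not part of the thread, and not Cisco code), the script below takes the interface configuration Paul posted and does two things a reviewer of this issue would want: it enumerates every address that terminates on the switch itself for each configured subnet (the interface IP plus the subnet's network and broadcast address, which is why 192.168.6.0 and 192.168.6.7 show up in probes), and it evaluates a standard access-class ACL the way IOS does, on the source address with an implicit deny at the end. The thread never shows the contents of ACL 2, so the ACL_2 list here is a constructed assumption; the sources tested against it are constructed as well.

```python
"""
Added example: inventory the addresses a switch SVI answers on, and evaluate an
access-class style ACL (source-address based, implicit deny) against candidate
management sources. Not the thread's or Cisco's code; ACL_2 is an assumption.
"""
import ipaddress
import re

# Interface configuration exactly as posted in the thread.
INTERFACE_CONFIG = """\
interface Vlan100
 ip address 10.10.12.1 255.255.255.0 secondary
 ip address 172.17.0.1 255.255.255.252 secondary
 ip address 192.168.6.1 255.255.255.248
 no ip redirects
"""

# Constructed standard ACL (IOS syntax: address + wildcard mask). The real
# 'ip http access-class ipv4 2' contents are not on the page; this one permits
# a single management host and one small management block, nothing else.
ACL_2 = [
    ("permit", "10.10.12.10", "0.0.0.0"),  # permit host 10.10.12.10
    ("permit", "10.10.12.0", "0.0.0.7"),   # permit 10.10.12.0 - 10.10.12.7
    # every IOS ACL ends with an implicit 'deny any'
]

IP_ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?\s*$")


def owned_addresses(config: str) -> dict:
    """Map each configured subnet to the addresses that terminate on the
    switch: the interface IP plus the subnet's network and broadcast address.
    These are all destinations a management listener may answer on, so they
    belong in scope when reviewing HTTP/HTTPS exposure."""
    result = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line)
        if not m:
            continue
        addr, mask = m.group(1), m.group(2)
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        net = iface.network
        owned = {str(iface.ip), str(net.network_address), str(net.broadcast_address)}
        result[str(net)] = sorted(owned, key=ipaddress.ip_address)
    return result


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, source: str) -> str:
    """First matching entry wins; fall through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"


def http_access_review(config: str, acl, sources) -> dict:
    """Combine both views: which destinations the switch answers on, and which
    candidate sources the access-class ACL would let reach any of them."""
    return {
        "destinations": owned_addresses(config),
        "sources": {src: acl_action(acl, src) for src in sources},
    }


if __name__ == "__main__":
    # Constructed candidate sources: an allowed admin host, a neighbour outside
    # the permitted block, and a customer host on the /29.
    review = http_access_review(
        INTERFACE_CONFIG, ACL_2, ["10.10.12.10", "10.10.12.11", "192.168.6.2"]
    )
    for subnet, addrs in review["destinations"].items():
        print(f"{subnet:20} switch answers on: {', '.join(addrs)}")
    for src, verdict in review["sources"].items():
        print(f"source {src:14} -> {verdict}")
```

The point the last reply makes is visible in the output: the access-class check never looks at the destination, so a permit list that only names the intended management hosts denies a probe from 192.168.6.2 whether it targets 192.168.6.1 or 192.168.6.7. The inventory half is what to hand to whoever writes or tests the ACL, since network and broadcast addresses are easy to forget when scoping a management-plane review.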