03-21-2015 02:22 PM - edited 03-07-2019 11:11 PM
Hello All,
I am remotely connected into a Cat 4500 + Supervisor V module via console cable and a point-to-point connection from the laptop to the fa1 management interface on the SupV. The SupV module is running IOS 15.0(2)SG8.
I am not able to physically change the patch cable from the fa1 management interface to gi2/3 or any other switch port for a couple of days and would like to see if it is possible to access the http server through this fa1 port since I am working remotely. I can ping the laptop from fa1 and tftp OK but cannot access the http/https server. Is this even possible without connecting the laptop into a regular switch port like gi 2/3, gi 2/4, etc.? The reason I ask is I would like to use the Cisco Network Assistant GUI for some things but need access to the https server first over the fa1 link.
Any suggestions would be much appreciated.
Thanks!
-S
03-21-2015 03:05 PM
Hi,
If you can access the out-of-band management port (fa1) via telnet or SSH, you should be able to open an http or https session to the same IP as well. This is if the device is configured to accept http or https sessions. BTW, I have never used a GUI interface to access a router or switch, so if I am saying something incorrect please ignore.
HTH
03-21-2015 03:38 PM
Well, the commands "ip http server" and "ip http secure-server" are both in the config and RSA key pairs have been generated. I get the feeling that when I can plug in to a regular switch port everything will be fine, but it would be nice to have web management access through the VRF mgmt fa1 interface : )
Thanks!
-S
03-21-2015 11:27 PM
What is the error message you are getting? Try adding "ip http authentication local", and do not forget to have a username and password configured:
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# username <username> privilege 15 password 0 <password>
03-22-2015 08:35 AM
Hi Rakeshvelagala,
Thank you for the response. Yes, I have all of the following entries in the config. I do not get an error per se, but ports 80 and 443 are not accessible from the laptop browser. The management interface is 192.168.1.254 and the laptop is 192.168.1.99.
Please see attached config.
Thanks!
-S
03-22-2015 08:52 AM
Here is the ACL list. I have not made any entries into this list and all of these are defaults at this time. Do I need to make an explicit allow ACL for http?
Thanks!
-S
#show access-list
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
Extended MAC access list system-cpp-bpdu-range
permit any 0180.c200.0000 0000.0000.000c
Extended MAC access list system-cpp-cdp
permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-cgmp
permit any host 0100.0cdd.dddd
Extended MAC access list system-cpp-dot1x
permit any host 0180.c200.0003
Extended MAC access list system-cpp-lldp
permit any host 0180.c200.000e
Extended MAC access list system-cpp-mcast-cfm
permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-pppoe-disc
permit any any protocol-family pppoe-disc
Extended MAC access list system-cpp-sstp
permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
permit any host 000d.6558.d5fd
03-22-2015 10:23 AM
S
Thank you for posting the config and the output of show access-list. This does help clarify some things. The web interface has been configured and uses local authentication. There is not any access list configured to restrict access to the web interface. It looks to me like the switch should accept connections on both TCP port 80 and 443. Do you get anything when you attempt to connect from the laptop to the web interface? Any error message or anything?
HTH
Rick
03-22-2015 11:58 AM
Hi Richard,
No error, just not able to connect. I cannot even telnet to port 80 or 443 on the Catalyst from the laptop, which would at least show me the port is open and the daemon is up on the interface. It looks like it is not serving those daemons on those ports for the fa1 interface.
Attached is the wireshark dump of attempting to connect from the laptop to the catalyst http and https.
I am not quite sure what is going on. Not sure if the http or https servers only serve on regular interfaces (regular switch ports) or not?
Please rename pcapDump.txt to pcapDump.pcapng to view it in Wireshark.
Thanks for everyone's assistance on this!
-S
03-22-2015 12:56 PM
I think the issue is that http is not a VRF-aware service in your IOS for that switch.
Which means the http server can only use the global routing table, but the management interface is in a VRF.
I could be wrong but I suspect it may not work.
See this link for VRF aware services with your switch and IOS -
Edit - just read the section on the management interface from the same configuration guide and it does specifically state that any service using the management port has to be VRF aware so it looks like that is your problem.
Jon
03-23-2015 10:50 AM
Hi Jon,
I think you are absolutely correct. I reviewed the document you posted and indeed I did not see http as a supported VRF service.
I had the client plug my patch cable into gi 2/3 and I assigned an IP address to that interface and I was good to go! I disabled regular http and now can access and manage the switch through Cisco Network Assistant like I originally wanted.
Thank you all for your assistance with this. Still strange to me that Cisco would not allow the http management interface on the "management port"! : )
Cheers!
-S
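The working setup described in the post above, written out as an added example configuration (not the original poster's config, which was posted as an attachment). It assumes gi2/3 can be made a routed port with "no switchport", that the laptop is re-addressed to 192.168.2.99 on a fresh 192.168.2.0/24 subnet, and that access list 23 (mentioned earlier in the thread) is free to use. The management port fa1 is left in its VRF for ping/tftp/ssh; since the http server in this IOS is not VRF-aware, it is not expected to answer on fa1 at all. Plain http is disabled, the laptop is the only source allowed to reach the web server, and the local user is stored with "secret" rather than "password 0" (which IOS stores as reversible type-7 text):

```cisco
! Added example, not the original poster's configuration.
! Assumptions: gi2/3 is unused and can be a routed port, 192.168.2.0/24
! is free, and standard ACL 23 is free to use.
!
! Front-panel port used for web management. It lives in the global
! routing table, which is the only table the (non-VRF-aware) http server
! in this IOS can serve from.
interface GigabitEthernet2/3
 description temp mgmt link to laptop (192.168.2.99)
 no switchport
 ip address 192.168.2.254 255.255.255.0
 no shutdown
!
! Only the management laptop may reach the web server; log everything else.
access-list 23 permit 192.168.2.99
access-list 23 deny any log
!
! Disable cleartext http, keep https, authenticate against local users,
! and apply the ACL to the web server.
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 23
!
! "secret" stores a hash; "password 0" would be kept as type-7 text.
username admin privilege 15 secret <password>
```

Once the cable is moved to gi2/3, "show ip http server status" confirms that the secure server is enabled and the plain server is not, and a connection attempt from any address other than 192.168.2.99 should show up as a deny in the log for access list 23.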
03-23-2015 12:01 PM
Thanks for getting back to us on this.
I did check the latest IOS version for your switch and it still isn't supported.
I guess the management port is for when it is up and running as opposed to initial configuration.
Jon
03-22-2015 10:52 AM
Hi
Can you please run wireshark trace and attach the pcap?
Thanks
03-22-2015 03:54 AM
S
You tell us that you are working remotely and that your laptop has a connection via serial to the switch console and via Ethernet to fa1. So if you are remote, how are you accessing the laptop?
You tell us that ping works and that tftp works, so the interface must have an IP address configured and operating. The other thing that could impact using the web interface would be whether authentication is configured for the web interface, or if an access list is configured to control what source addresses may access the web interface (I have seen some Cisco devices which default to using access list 23 to control this, but do not know whether your switch does this). Otherwise I would think that fa1 is intended for management and see no reason why the web interface would not be accessible.
HTH
Rick
03-22-2015 08:24 AM
Hi Rick,
I am connected via a TeamViewer connection to a laptop that has wireless access. This is a new facility and a "new" switch, so nothing is connected into it yet but this laptop.
I will double check the access list 23. Thanks for that.
I will post the config shortly.
Thanks!
-S