Enabling HTTP Access to a Router

Problem

You want to configure and monitor your router using a browser interface.

Solution

Cisco includes an HTTP server in the IOS. You can enable this feature on a router, and then use any standard web browser to access the router instead of Telnet:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 75 permit 172.25.1.1
Router1(config)#access-list 75 deny any
Router1(config)#ip http server
Router1(config)#ip http access-class 75
Router1(config)#end
Router1#

 

Discussion

After configuring this feature on a router, you can then connect to the router from a standard web browser. For example, using the Lynx text-based web browser, the router's home page looks like this:

 Router1 Home Page

 Cisco Systems

Accessing Cisco 2621 "Router1"

 Telnet - to the router.

 Show interfaces - display the status of the interfaces.
 Show diagnostic log - display the diagnostic log.
 Monitor the router - HTML access to the command line interface at
 level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

 Connectivity test - ping the nameserver.

 Show tech-support - display information commonly needed by tech
 support.

 QoS Device Manager - Configure and monitor QoS through the web
 interface.
 ________________________________________________________________ _

 Help resources

 1. CCO at www.cisco.com - Cisco Connection Online, including the
 Technical Assistance Center (TAC).
 2. tac@cisco.com - e-mail the TAC.
 3. 1-800-553-2447 or +1-408-526-7209 - phone the TAC.
 4. cs-html@cisco.com - e-mail the HTML interface development group.

The highlighted words are links that allow you to execute IOS EXEC commands. For example, the Show interfaces link will run the show interfaces command and display the result on your browser. You can even use this interface to configure the router. If you select one of the command-line interface level options, it will give you access to all of the EXEC commands at the corresponding authorization level. Please refer to Chapter 3 for more information about these user authorization levels.

This option for accessing a router has been available since IOS level 11.2. However, there was an extremely serious bug in the feature that was fixed in IOS level 12.1(5). This bug would cause the router to crash if the user issued a relatively simple typographical error. If a Telnet user types a question mark as part of a command, the router will respond with a list of valid options for this command. However, including a question mark in a URL would cause the router to crash. So since even a legitimate user could easily make this mistake, we strongly recommend against using the feature in any IOS levels before 12.1(5).

In more recent IOS versions, this web interface is no more or less secure than Telnet access to the router's EXEC command-line interface. You still need to supply the same valid user authentication information to connect using a browser that you would need to connect with Telnet. In Chapters 3 and 4 we will discuss different authentication methods, such as AAA, that you can use with Telnet. These methods are also all available with HTTP, and you can configure the one you want using the authentication keyword. For example, you can configure the HTTP server to use AAA authentication as follows:

Router1(config)#ip http authentication aaa

You can even restrict which devices are permitted to access the router's web interface using the access-class keyword. In the example, we have told the router to restrict access to the router's web server based on access-list number 75, which allows only one workstation IP address:

Router1(config)#access-list 75 permit 172.25.1.1
Router1(config)#access-list 75 deny any
Router1(config)#ip http access-class 75

If you are concerned about security of the HTTP protocol, but you still want the convenience of a web interface, you can opt instead for HTTPS. We discuss HTTPS in Recipe 2.9.

We find that the Telnet command-line interface is much easier to use than the web interface. The only really compelling use for this option that we have encountered is to allow first level technical staff access to basic commands, such as show interfaces.

See Also

Recipe 2.9; Chapter 3; Chapter 4


Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net