10.2 Basic Security
10.2.5 Restricting VTY and HTTP access

Configuring the HTTP Server

To configure the HTTP server, perform the tasks shown in Figure at the command-line interface (CLI). 

By default, there are five virtual terminal (vty) lines, numbered 0 through 4, on most Cisco IOS devices; more can usually be configured, up to a platform-dependent maximum. An incoming session is assigned to the lowest-numbered vty line that is free, so the line you "get" depends on how many vty sessions are already in use. Because you can never predict which vty line a given session will land on, set identical restrictions on all of the lines.

The line vty first-line-number last-line-number command takes you into line configuration mode for the selected range of virtual terminal lines. The most common form is line vty 0 4, which selects the first five virtual terminal lines. If the device has more vty lines configured, include them all in the range (or repeat the command for the remaining lines): any line left without the restriction is still reachable.

The access-class command applies the access list to the vty lines themselves, not to an interface. The access list is a standard access list that indicates the source addresses that are permitted or denied; like every access list it ends with an implicit deny, so anything not explicitly permitted is refused. The in | out keyword at the end of the access-class statement indicates whether the list controls sessions established into this device (in, matched against the source address of the incoming connection) or Telnet sessions started out of this device (out, matched against the destination address). After applying it, confirm with show access-lists that the referenced list exists and contains the entries you expect; a mistyped list number leaves the lines without the restriction you intended.

Cisco IOS Software allows you to use a Web browser to issue Cisco IOS commands to your network device. The Hypertext Transfer Protocol (HTTP) server software required to do this is found in Releases 11.0(6) and later. This makes configuring network devices easier, but it also enlarges the management attack surface: the server is a second path to the command interpreter, and plain HTTP carries the login credentials and the commands in cleartext. By default, HTTP access is disabled, and it should stay disabled unless you need it. To enable HTTP access on a Cisco IOS command-based switch or router, enter the following command:

Switch(config)#ip http server

An access list can then be used to filter access to the HTTP management interface of the network device. In Figure , the access list explicitly permits the station 172.16.1.3 and implicitly denies everyone else. Applying the list with the ip http access-class 1 statement denies every station other than 172.16.1.3 access to the HTTP server. Password security for Web access is similar to console and virtual terminal access. Use the following command to specify which authentication method the HTTP server uses, that is, where the credentials it checks are held:

Switch(config)#ip http authentication {aaa | enable | local | tacacs}

Here enable, the default, checks the enable password; local checks the device's local username database; aaa and tacacs hand the check to the configured AAA or TACACS+ servers.
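The two procedures above, restricting the vty lines and restricting the HTTP server, applied together as one worked configuration. This is an added example, not configuration from the original page or from Cisco's documentation. It assumes a classic IOS release that supports the commands shown on this page, the management station 172.16.1.3 from the page's figure, a vty range of 0 to 4, and a local user named admin (the username and its placeholder secret are assumptions):

```cisco
! Added example: lock management-plane access down to a single admin station.
!
! 1. Standard access list. 172.16.1.3 is the admin station from the page's
!    figure; the explicit deny with "log" records rejected attempts and makes
!    the otherwise implicit deny visible in "show access-lists" counters.
access-list 1 remark Management-plane sources
access-list 1 permit host 172.16.1.3
access-list 1 deny   any log
!
! 2. Apply the same restriction to every vty line. You cannot predict which
!    line a session lands on, so the whole range gets the access-class.
!    "in" filters sessions coming into this device by source address.
line vty 0 4
 access-class 1 in
 login local
 exec-timeout 5 0
!
! 3. HTTP server: enable it, filter it with the same list, and authenticate
!    against the local username database rather than the enable password.
!    The username "admin" and its secret are assumed for this example.
username admin privilege 15 secret <strong-secret>
ip http server
ip http access-class 1
ip http authentication local
!
! 4. Verify from privileged EXEC mode:
!    show access-lists 1          - list exists; deny counter grows on probes
!    show line vty 0 4            - access-class applied to every line
!    show ip http server status   - server enabled, access list in effect
```

A few design points. The vty and HTTP restrictions share one list so that the set of permitted management stations is maintained in one place. The "log" keyword on the final deny turns the implicit deny into something you can see in the counters and in syslog, which is the quickest way to catch a mistyped list number or a line left out of the range. Beyond what the page covers: on releases that support it, ip http secure-server together with no ip http server moves Web management to HTTPS, which avoids sending the credentials used here in cleartext.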

Recently, some set command-based switches have implemented a Web interface as well. The Catalyst® Web Interface (CWI) is a browser-based tool that you can use to configure the Catalyst 6000, 5000, and 4000 Family Switches. It consists of a graphical user interface (GUI) that runs on the client, Catalyst CV 5.0 (Catalyst version of CiscoView 5.0), and an HTTP server that runs on the switch.

A GUI alternative to the CLI and Simple Network Management Protocol (SNMP) interfaces, the CWI provides a real-time graphical representation of the switch and detailed information, such as port status, module status, type of chassis, and modules. The CWI uses HTTP to download Catalyst CV from the server to the client. HTTP is the TCP/IP protocol that the World Wide Web uses to exchange HTML documents.

Communication between the client and server occurs over a TCP connection; the well-known TCP port for HTTP is 80. In this client/server mode, the client opens a connection to the server and sends a request. The server receives the request, sends a response back to the client, and closes the connection. To enable HTTP access to the switch itself, issue the commands shown in Figure .