Enabling HTTP Access to a Router
Problem
You want to configure and monitor your router using a browser interface.
Solution
Cisco includes an HTTP server in the IOS. You can enable this feature on a router, and then use any standard web browser to access the router instead of Telnet:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 75 permit 172.25.1.1
Router1(config)#access-list 75 deny any
Router1(config)#ip http server
Router1(config)#ip http access-class 75
Router1(config)#end
Router1#
Discussion
After configuring this feature on a router, you can then connect to the router from a standard web browser. For example, using the Lynx text-based web browser, the router's home page looks like this:
Router1 Home Page
Cisco Systems
Accessing Cisco 2621 "Router1"
Telnet - to the router.
Show interfaces - display the status of the interfaces.
Show diagnostic log - display the diagnostic log.
Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
Connectivity test - ping the nameserver.
Show tech-support - display information commonly needed by tech support.
QoS Device Manager - Configure and monitor QoS through the web interface.
________________________________________________________________
Help resources
1. CCO at www.cisco.com - Cisco Connection Online, including the
Technical Assistance Center (TAC).
2. tac@cisco.com - e-mail the TAC.
3. 1-800-553-2447 or +1-408-526-7209 - phone the TAC.
4. cs-html@cisco.com - e-mail the HTML interface development group.
The highlighted words are links that allow you to execute IOS EXEC commands. For example, the Show interfaces link will run the show interfaces command and display the result on your browser. You can even use this interface to configure the router. If you select one of the command-line interface level options, it will give you access to all of the EXEC commands at the corresponding authorization level. Please refer to Chapter 3 for more information about these user authorization levels.
This option for accessing a router has been available since IOS level 11.2. However, there was an extremely serious bug in the feature that was fixed in IOS level 12.1(5). This bug would cause the router to crash if the user made a relatively simple typographical error. If a Telnet user types a question mark as part of a command, the router responds with a list of valid options for that command. However, including a question mark in a URL would cause the router to crash. Since even a legitimate user could easily make this mistake, we strongly recommend against using the feature in any IOS levels before 12.1(5).
In more recent IOS versions, this web interface is no more or less secure than Telnet access to the router's EXEC command-line interface. You still need to supply the same valid user authentication information to connect using a browser that you would need to connect with Telnet. In Chapters 3 and 4 we will discuss different authentication methods, such as AAA, that you can use with Telnet. These methods are also all available with HTTP, and you can configure the one you want using the authentication keyword. For example, you can configure the HTTP server to use AAA authentication as follows:
Router1(config)#ip http authentication aaa
You can even restrict which devices are permitted to access the router's web interface using the access-class keyword. In the example, we have told the router to restrict access to the router's web server based on access-list number 75, which allows only one workstation IP address:
Router1(config)#access-list 75 permit 172.25.1.1
Router1(config)#access-list 75 deny any
Router1(config)#ip http access-class 75
If you are concerned about the security of the HTTP protocol, but you still want the convenience of a web interface, you can opt instead for HTTPS. We discuss HTTPS in Recipe 2.9.
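The three controls discussed above (an access-class restricting client addresses, AAA authentication, and HTTPS in place of cleartext HTTP) are easy to check for in a saved configuration. The following Python script is an added example written for this recipe; it is not code from the book or from Cisco. It runs a few checks over constructed running-config fragments (the sample text is made up for the example, though the weak one mirrors the recipe's commands), treats AAA as the expected HTTP authentication method as the recipe suggests, and only understands numbered standard access lists. The "ipv4" keyword accepted in the access-class match is the newer IOS syntax, included so the script also handles recent releases.

```python
import re

# Constructed sample config fragments (not taken from the recipe) for the checks below.
WEAK_CONFIG = """\
!
access-list 75 permit 172.25.1.1
access-list 75 deny   any
!
ip http server
ip http access-class 75
!
end
"""

HARDENED_CONFIG = """\
access-list 75 permit 172.25.1.1
access-list 75 deny   any
no ip http server
ip http secure-server
ip http access-class 75
ip http authentication aaa
end
"""


def config_lines(text):
    """Strip blank lines, IOS comment lines ('!') and surrounding whitespace."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def first_match(lines, pattern):
    """Return the first regex match of `pattern` against the config lines, or None."""
    for ln in lines:
        m = re.match(pattern, ln)
        if m:
            return m
    return None


def audit_http_server(text):
    """Return a sorted list of finding codes for the IOS HTTP server settings.

    Codes: cleartext-http, no-access-class, acl-undefined, acl-permits-any, auth-not-aaa.
    The auth-not-aaa check assumes AAA is the expected method (an assumption of this
    example); only numbered standard access lists are recognised.
    """
    lines = config_lines(text)
    findings = set()
    http_on = "ip http server" in lines            # exact line, so "no ip http server" does not count
    https_on = "ip http secure-server" in lines
    if not (http_on or https_on):
        return []  # no web interface configured; nothing to audit

    if http_on:
        findings.add("cleartext-http")

    # The optional "ipv4" keyword is the newer IOS form of this command.
    m = first_match(lines, r"ip http access-class (?:ipv4 )?(\S+)$")
    if m is None:
        findings.add("no-access-class")
    else:
        acl = m.group(1)
        acl_entries = [ln for ln in lines
                       if re.match(rf"access-list {re.escape(acl)}\b", ln)]
        if not acl_entries:
            findings.add("acl-undefined")
        elif any(re.search(r"\bpermit\s+any\b", ln) for ln in acl_entries):
            findings.add("acl-permits-any")

    m = first_match(lines, r"ip http authentication (\S+)$")
    if m is None or m.group(1) != "aaa":
        findings.add("auth-not-aaa")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_http_server(cfg) or 'no findings'}")
```

Run against the recipe's own commands the script reports that the server is cleartext HTTP and that no AAA authentication is configured, while the hardened fragment (HTTPS, access-class, AAA) produces no findings. Feeding it the output of show running-config from several routers is a quick way to find web interfaces that were enabled without an access-class.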
We find that the Telnet command-line interface is much easier to use than the web interface. The only really compelling use for this option that we have encountered is to allow first level technical staff access to basic commands, such as show interfaces.