Enabling HTTP Access to a Router:
You want to configure and monitor your router using a browser interface.
Cisco includes an HTTP server in the IOS. You can enable this feature on a router, and then use any standard web browser to access the router instead of Telnet:
After configuring this feature on a router, you can then connect to the router from a standard web browser. For example, using the Lynx text-based web browser, the router’s home page looks like this:
The highlighted words are links that allow you to execute IOS EXEC commands. For example, the Show interfaces link will run the show interfaces command and display the result on your browser. You can even use this interface to configure the router. If you select one of the command-line interface level options, it will give you access to all of the EXEC commands at the corresponding authorization level.
This option for accessing a router has been available since IOS level 11.2. However, there was an extremely serious bug in the feature that was fixed in IOS level 12.1(5). This bug would cause the router to crash if the user issued a relatively simple typographical error. If a Telnet user types a question mark as part of a command, the router will respond with a list of valid options for this command. However, including a question mark in a URL would cause the router to crash. So since even a legitimate user could easily make this mistake, we strongly recommend against using the feature in any IOS levels before 12.1(5).
In more recent IOS versions, this web interface is no more or less secure than Telnet access to the router’s EXEC command-line interface. You still need to supply the same valid user authentication information to connect using a browser that you would need to connect with Telnet. In Chapters 3 and 4 we will discuss different authentication methods, such as AAA, that you can use with Telnet. These methods are also all available with HTTP, and you can configure the one you want using the authentication keyword. For example, you can configure the HTTP server to use AAA authentication as follows:
You can even restrict which devices are permitted to access the router’s web interface using the access-class keyword. In the example, we have told the router to restrict access to the router’s web server based on access-list number 75, which allows only one workstation IP address:
If you are concerned about security of the HTTP protocol, but you still want the convenience of a web interface, you can opt instead for HTTPS.
We find that the Telnet command-line interface is much easier to use than the web interface. The only really compelling use for this option that we have encountered is to allow first level technical staff access to basic commands, such as show interfaces.