-
Cisco IOS Configuration Fundamentals Command Reference, Release 12.2T
-
About the Cisco IOS Release 12.2 T Documentation Set
-
Basic Command-Line Interface Commands
-
The Setup Command
-
Terminal Operating Characteristics Commands
-
Connection, Menu, and System Banner Commands
-
Cisco IOS Web Browser User Interface Commands
-
Cisco IOS File System Commands
-
Configuration File Management Commands
-
System Image and Microcode Commands
-
Router Memory Commands
-
Booting Commands
-
Basic File Transfer Services Commands
-
Basic System Management Commands
-
Troubleshooting and Fault Management Commands
-
SNMP Commands
-
CDP Commands
-
RMON Commands
-
Cisco Service Assurance Agent Commands
-
WCCP Commands
-
CNS Commands
-
Distributed Director Commands
-
XSM Commands for VPN Device Manager (VDM)
-
Appendix: ASCII Character Set and Hex Values
-
Index: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 T
-
Table Of Contents
Cisco IOS HTTP Server, Client and Web Browser User Interface Commands
ip http client secure-ciphersuite
ip http client secure-trustpoint
Cisco IOS HTTP Server, Client and Web Browser User Interface Commands
This chapter provides descriptions of the commands used to enable the HTTP server and secure HTTP server on your router. The HTTP server allows the use of the Cisco IOS Web browser user interface (UI) and additional services, such as ClickStart.
For configuration tasks and examples, refer to the "Using the Cisco Web Browser User Interface" chapter in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
international
If you are using Telnet to access a Cisco IOS platform and you want to display 8-bit and multibyte international characters (for example, Kanji) and print the Escape character as a single character instead of as the caret and bracket symbols (^[), use the international command in line configuration mode. To display characters in 7-bit format, use the no form of this command.
international
no international
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Line configuration
Command History
Usage Guidelines
If you are configuring a Cisco IOS platform using the Cisco Web browser UI, this feature is enabled automatically when you enable the Cisco Web browser UI using the ip http server global configuration command.
Examples
The following example enables a Cisco IOS platform to display 8-bit and multibyte characters and print the Escape character as a single character instead of as the caret and bracket symbols (^[) when you are using Telnet to access the platform:
line vty 4internationalRelated Commands
ip http access-class
To specify the access list that should be used to restrict access to the HTTP server, use the ip http access-class command in global configuration mode. To remove a previously configured access list association, use the no form of this command.
ip http access-class access-list-number
no ip http access-class access-list-number
Syntax Description
access-list-number
Standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.
Defaults
No access list is applied to the HTTP server.
Command Modes
Global configuration
Command History
Usage Guidelines
If this command is configured, the specified access list is assigned to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection.
Examples
In the following example the access list identified as "20" is defined and assigned to the HTTP server:
Router(config)# ip access-list standard 20Router(config-std-nacl)# permit 209.165.202.0 0.0.0.255Router(config-std-nacl)# permit 209.165.0.0 0.0.255.255Router(config-std-nacl)# permit 209.0.0.0 0.255.255.255! (Note: all other access implicitly denied)Router(config-std-nacl)# exitRouter(config)# ip http access-class 20Related Commands
ip http authentication
To specify a particular authentication method for HTTP server users, use the ip http authentication command in global configuration mode. To disable a configured authentication method, use the no form of this command.
ip http authentication {aaa | enable | local | tacacs}
no ip http authentication {aaa | enable | local | tacacs}
Syntax Description
Defaults
The "enable" password is required when users (clients) connect to the HTTP server.
Command Modes
Global configuration
Command History
Usage Guidelines
The ip http authentication commandspecifies the authentication method to be used for login when a client connects to the HTTP server.
If the enable password is used, the client connects to the HTTP server with a default privilege level of 15.
Use of the ip http authentication aaa command is recommended. The enable, local, and tacacs methods should be specifiedusing the aaa authentication login command.
Examples
The following example specifies that the method configured for AAA should be used for authentication for HTTP server users. The AAA login method is configured as the "enable" password method.
Router(config)# ip http authentication aaaRouter(config)# aaa authentication login default enableRelated Commands
ip http client secure-ciphersuite
To specify the CipherSuite that should be used for encryption over the secure HTTP connection from the client to a remote server, use the ip http client secure-ciphersuite command in global configuration mode. To remove a previously configured CipherSuite specification for the client, use the no form of this command.
ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}
no ip http client secure-ciphersuite
Syntax Description
Defaults
The client and server negotiate the best CipherSuite that they both support from the list of available CipherSuites.
Command Modes
Global configuration
Command History
Usage Guidelines
This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuite(s) to be used.
Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation).
Examples
In the following example the HTTPS client is configured to use only the SSL_RSA_WITH_3DES_EDE_CBC_SHA CipherSuite:
Router(config)# ip http client secure-ciphersuite 3des-ede-cbc-shaRelated Commands
show ip http client secure status
Displays the configuration status of the secure HTTP client.
ip http client secure-trustpoint
To specify the remote CA trustpoint that should be used if certification is needed for the secure HTTP client, use the ip http client secure-trustpoint command in global configuration mode. To remove a client trustpoint from the configuration, use the no form of this command.
ip http client secure-trustpoint trustpoint-name
no ip http client secure-trustpoint trustpoint-name
Syntax Description
trustpoint-name
Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.
Defaults
If the remote HTTPS server requests client certification, the secure HTTP client will use the trustpoint configured as primary in the CA trustpoint configuration.
If a trustpoint is not configured, client certification will fail.
Command Modes
Global configuration
Command History
Usage Guidelines
This command specifies that the secure HTTP client should use the certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.
The specified X.509v3 security certificate will be used by the secure HTTP (HTTPS) client for cases when the remote HTTPS server requires client authorization.
Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If the remote HTTPS server requires client authorization and a trustpoint is not configured for the client, the remote HTTPS server will reject the connection.
If this command is not used, the client will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.
Examples
In the following example the CA trustpoint is configured then referenced in the secure HTTP server configuration:
!The following commands specifies a CA trustpoint that can be used!to obtain a X.509v3 security certificate.Router(config)# crypto ca trustpoint tp1Router(config-ca)# enrollment url http://host1:80Router(config-ca)# exit!The following command is used to actually obtain the security certificate.!A trustpoint NAME is used because there could be multiple trust points!configured for the router.Router(config)# crypto ca enrollment TP1!The following command specifies that the secure HTTP client!should use the certificate associated with the TP1 trustpoint for HTTPS connections.Router(config)# ip http client secure-trustpoint tp1Related Commands
ip http max-connections
To configure the maximum number of concurrent connections allowed for the HTTP server, use the ip http max-connections command in global configuration mode. To return the maximum connection value to the default, use the no form of this command.
ip http max-connections value
no ip http max-connections value
Syntax Description
Defaults
5 concurrent HTTP connections.
Command Modes
Global configuration
Command History
Usage Guidelines
Platform-specific implementations can supercede the upper range limit of 16.
If a new value is configured that is less than the previously configured value while the current number of connections exceeds the new maximum value, the HTTP server will not abort any of the current connections. However, the server will not accept any new connections until the current number of connections falls below the new configured value.
Examples
In the following example the HTTP server is configured to allow up to 10 simultaneous connections:
Router(config)# ip http serverRouter(config)# ip http max-connections 10Related Commands
ip http server
Enables the HTTP 1.1 server, including the Cisco web browser user interface.
ip http path
To specify the base path used to locate files for use by the HTTP server, use the ip http path command in global configuration mode. To disable the HTTP server, use the no form of this command.
ip http path URL
no ip http path URL
Syntax Description
URL
Cisco IOS File System (IFS) Uniform Resource Locator (URL) specifying the location of the HTML files used by the HTTP server.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
After enabling the HTTP server, you should set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP Web Server typically reside in system Flash memory.
Remote URLs can be specified using this command, but use of remote pathnames (for example, where HTML files are located on a remote TFTP server) is not recommended.
Examples
In the following example, the HTML files are located in the default Flash location on the system:
Router(config)# ip http path flash:In the following example, the HTML files are located in the directory named "web" on the Flash memory card inserted in slot 0:
Router(config)# ip http path slot0:webRelated Commands
ip http server
Enables the HTTP server, including the Cisco web browser user interface.
ip http port
To specify the port number to be used by the HTTP server, use the ip http port command in global configuration mode. To return the port number to the default, use the no form of this command.
ip http port port-number
no ip http port port-number
Syntax Description
port-number
The port number to be used for the HTTP server. Valid values are 80 or any value from 1024 to 65535. The default is 80.
Defaults
The HTTP server uses port 80.
Command Modes
Global configuration
Command History
11.2
This command was introduced.
12.2(15)T
This command was modified to restrict port numbers. The port number 443 is now reserved for HTTPS (HTTP over SSL) connections.
Usage Guidelines
HTTP port 80 is the standard port used by web servers.
Examples
In the following example the HTTP server port is changed to port 8080.
Router(config)# ip http serverRouter(config)# ip http port 8080Related Commands
ip http server
Enables the HTTP 1.1 server, including the Cisco web browser user interface.
ip http secure-ciphersuite
To specify the CipherSuites that should be used by the secure HTTP server when negotiating a connection with a remote client, use the ip http secure-ciphersuite command in global configuration mode. To return the configuration to the default set of CipherSuites, use the no form of this command.
ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}
no ip http secure-ciphersuite
Syntax Description
Defaults
The HTTPS server negotiates the best CipherSuite using the list received from connecting client.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuite(s) to be used.
Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default).
The supported CipherSuites vary by Cisco IOS software image. For example, "IP Sec56" ("k8") images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2T.
In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites) :
1.
SSL_RSA_WITH_DES_CBC_SHA
2.
3.
4.
Additional information about these CipherSuites can be found online from sources that document the Secure Socket Layer (SSL) 3.0 protocol.
Examples
The following example restricts the CipherSuites offered to a connecting secure web client:
Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5Related Commands
ip http secure-server
Enables the secure HTTP (HTTPS) server.
show ip http server secure status
Displays the configuration status of the secure HTTP server.
ip http secure-client-auth
To configure the secure HTTP sever to authenticate connecting clients, use the ip http secure-client-auth command in global configuration mode. To remove the requirement for client authorization, use the no form of this command.
ip http secure-client-auth
no ip http secure-client-auth
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled (that is, client authentication is not required for connections to the secure HTTP server).
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the HTTP server to request an X.509v3 certificate from the client in order to authenticate the client during the connection process.
In the default connection and authentication process, the client requests a certificate from the HTTP server, but the server does not attempt to authenticate the client. Authenticating the client provides more security than server authentication by itself, but not all web clients may be configured for certificate authority (CA) authentication.
Examples
In the following example the secure web server is enabled and the server is configured to accept connections only from clients with a signed security certificate:
Router(config)# no ip http serverRouter(config)# ip http secure-serverRouter(config)# ip http secure-client-authRelated Commands
ip http secure-server
Enables the secure HTTP (HTTPS) server.
show ip http server secure status
Displays the configuration status of the secure HTTP server.
ip http secure-port
To specify the port (socket) to be used for connections to the secure HTTP (HTTPS) sever, use the ip http secure-port command in global configuration mode. To return the secure HTTP server port number to the default, use the no form of this command.
ip http secure-port port-number
no ip http secure-port
Syntax Description
port-number
Port number that should be used for the secure HTTP server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.
Defaults
Port 443
Command Modes
Global configuration
Command History
Examples
The following example changes the port for HTTPS server connections from 443 to 1025:
Router(config)# ip http secure-port 1025Related Commands
ip http secure-server
To enable the secure HTTP web server, use the ip http secure-server command in global configuration mode. To disable the secure HTTP server, use the no form of this command.
ip http secure-server
no ip http secure-server
Syntax Description
This command has no arguments or keywords.
Defaults
The secure HTTP server is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The secure HTTP server (also called the HTTPS server) uses the Secure Socket Layer (SSL) version 3.0 protocol.
Note
If a certificate authority is to be used for certification, you should declare the CA trustpoint on the routing device before enabling the secure HTTP server.
Examples
In the following example the secure HTTP server is enabled, and the (previously configured) CA trustpoint CA_trust_local is specified:
Router# config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip http secure-serverRouter(config)# ip http secure-trustpoint CA_trust_localRouter(config)# endRouter# show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA_trust_localRelated Commands
ip http secure-trustpoint
To specify the certificate authority (CA) trustpoint that should be used for obtaining signed certificates for the secure HTTP server, use the ip http secure-trustpoint command in global configuration mode. To remove a previously specified CA trustpoint, use the no form of this command.
ip http secure-trustpoint trustpoint-name
no ip http secure-trustpoint trustpoint-name
Syntax Description
trustpoint-name
Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.
Defaults
The secure HTTP server will use the trustpoint configured as primary in the CA trustpoint configuration.
If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.
Command Modes
Global configuration
Command History
Usage Guidelines
This command specifies that the secure HTTP server should use the X.509v3 certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.
The specified X.509v3 security certificate will be usedto authenticate the server to connecting clients, and, if remote client authentication is enabled, to authenticate the connecting clients.
Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.
If this command is not used, the server will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.
Examples
In the following example the CA trustpoint is configured, a certificate is obtained, then the certificate is referenced in the secure HTTP server configuration:
!The following commands specifies a CA trustpoint that can be used!to obtain a X.509v3 security certificate.!A trustpoint NAME is used because there could be multiple trustpoints!configured for the router.Router(config)# crypto ca trustpoint tp1Router(config-ca)# enrollment url http://host1:80Router(config-ca)# exitRouter(config)# crypto ca authenticate tp1!The following command is used to actually obtain the security certificate.Router(config)# crypto ca enrollment tp1Router(config)# ip http secure-server!The following command specifies that the secure HTTP server!should use a certificate associated with the TP1 trustpoint for HTTPS connections.Router(config)# ip http secure-trustpoint tp1Related Commands
ip http server
To enable the HTTP server on your system, including the Cisco web browser user interface, use the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command.
ip http server
no ip http server
Syntax Description
This command has no arguments or keywords.
Defaults
The HTTP server is disabled.
Command Modes
Global configuration
Command History
11.2
This command was introduced.
12.2(15)T
The HTTP 1.0 implementation was replaced by the HTTP 1.1 implementation.
The secure HTTP server feature was added.
Usage Guidelines
The HTTP server uses the standard port 80 by default.
Caution
Examples
In the following example the HTTP server is enabled:
Router(config)# ip http serverRouter(config)# ip http path flash:Related Commands
ip http path
Specifies the base path used to locate files for use by the HTTP server.
ip http secure-server
Enables the secure HTTP server.
ip http timeout-policy
To configure the parameters for closing connections to the local HTTP server, use the ip http timeout-policy command in global configuration mode. To return the parameters to their defaults, use the no form of this command.
ip http timeout-policy idle seconds life seconds requests value
no ip http timeout-policy
Syntax Description
Defaults
HTTP server connection idle time: 180 seconds (3 minutes)
HTTP server connection life time: 180 seconds (3 minutes)
HTTP server connection maximum requests: 1
Command Modes
Global configuration
Command History
Usage Guidelines
This command sets the characteristics that determine how long a connection to the HTTP server should remain open.
This command may not take effect immediately on any HTTP connections that are open at the time you use this command. In other words, new values for idle time, life time, and maximum requests will apply only to connections made to the HTTP server after this command is issued.
A connection may be closed sooner than the configured idle time if the server is too busy or the limit on the life time or the number of requests is reached.
A connection may be closed sooner than the configured life time if the server is too busy or the limit on the idle time or the number of requests is reached. Also, since the server will not close a connection while actively processing a request, the connection may remain open longer than the specified life time if processing is occurring when the life maximum is reached. In this case, the connection will be closed when processing finishes.
A connection may be closed before the maximum number of requests are processed if the server is too busy or the limit on the idle time or life time is reached.
The ip http timeout-policy command allows you to specify a general access policy to the HTTP server by adjusting the connection timeout values. For example, if you want to maximize throughput for HTTP connections, you should configure a policy that minimizes connection overhead. You can do this by specifying large values for the life and request options so that each connection stays open longer and more requests are processed for each connection.
Another example would be to configure a policy that minimizes the response time for new connections. You can do this by specifying small values for the life and request options so that the connections are quickly released to serve new clients.
A throughput policy would be better for HTTP sessions with dedicated management applications, as it would allow the application to send more requests before the connection is closed, while a response time policy would be better for interactive HTTP sessions, as it would allow more people to connect to the server at the same time without having to wait for connections to become available.
In general, you should configure these options as appropriate for your environment. The value for the idle option should be balanced so that it is large enough not to cause an unwanted request or response timeout on the connection, but small enough that it does not hold a connection open longer than necessary.
Examples
In the following example, a Throughput timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will remain open (be "alive") until either the HTTP server has been busy processing requests for approximately 2 minutes (120 seconds) or until approximately 100 requests have been processed.
Router(config)# ip http timeout-policy idle 30 life 120 requests 100In the following example, a Response Time timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will be closed as soon as the first request has been processed.
Router(config)# ip http timeout-policy idle 30 life 30 requests 1Related Commands
ip http server
Enables the HTTP server, including the Cisco web browser user interface.
show ip http server
To display details about the current configuration of the HTTP server, use the show ip http server command in privileged EXEC mode.
show ip http server {all | status | session-module | connection | statistics | history}
Syntax Description
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
Use this command to show detailed status information about the HTTP server.
If the HTTP secure server capability is present, the output of the show ip http server all command will also include the information found in the output of the show ip http server secure status command.
Examples
The following is sample output from the show ip http server all command:
Router# show ip http server allHTTP server status: EnabledHTTP server port: 80HTTP server authentication method: enableHTTP server access class: 0HTTP server base path:Maximum number of concurrent server connections allowed: 5Server idle time-out: 30 secondsServer life time-out: 120 secondsMaximum number of requests allowed on a connection: 2HTTP secure server capability: Not PresentHTTP server application session modules:Session module Name Handle DescriptionHomepage_Server 5 IOS Homepage ServerQDM 2 QOS Device Manager ServerHTTP IFS Server 1 HTTP based IOS File ServerQDM SA 3 QOS Device Manager Signed Applet ServerWEB_EXEC 4 HTTP based IOS EXEC ServerXSM 6 XML Session ManagerVDM 7 VPN Device Manager ServerITS 8 IOS Telephony ServiceITS_LOCDIR 9 ITS Local Directory SearchHTTP server current connections:local-ipaddress:port remote-ipaddress:port in-bytes out-bytes172.19.254.37:80 128.190.254.45:33737 70 2294HTTP server statistics:Accepted connections total: 1360HTTP server history:local-ipaddress:port remote-ipaddress:port in-bytes out-bytes end-time172.91.254.37:80 128.190.254.45:63530 60 1596 10:50:00 12/19Table 16 describes the significant fields shown in the display.
The following example shows sample output for the show ip http server status command:
Router# show ip http server statusHTTP server status: DisabledHTTP server port: 80HTTP server authentication method: enableHTTP server access class: 0HTTP server base path:Maximum number of concurrent server connections allowed: 5Server idle time-out: 600 secondsServer life time-out: 600 secondsMaximum number of requests allowed on a connection: 1HTTP secure server capability: PresentHTTP secure server status: DisabledHTTP secure server port: 443HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12aHTTP secure server client authentication: DisabledHTTP secure server trustpoint:The lines indicating the status of the HTTP secure (HTTPS) server will only be visible if your software image supports the HTTPS server. If your software image does not support SSL, only the following line will be visible:
HTTP secure server capability: Not present
Related Commands
terminal international
If you are using Telnet to access a Cisco IOS platform and you want to display 8-bit and multibyte international characters (for example, Kanji) and print the Escape character as a single character instead of as the caret and bracket symbols (^[) for a current Telnet session, use the terminal international command in EXEC mode. To display characters in 7-bit format for a current Telnet session, use the no form of this command.
terminal international
no terminal international
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
If you are configuring a Cisco IOS platform using the Cisco Web browser UI, this feature is enabled automatically when you enable the Cisco Web browser UI using the ip http server global configuration command.
Examples
The following example enables a Cisco IOS platform to display 8-bit and multibyte characters and print the Escape character as a single character instead of as the caret and bracket symbols (^[) when you are using Telnet to access the platform for the current Telnet session:
Router# terminal internationalRelated Commands
