VTYs are not the only way to gain configuration access to a router. Many administrators manage their devices using a web browser, and Cisco routers and switches typically run web services (on port 80, by default) to permit this. Securing the VTYs will not do much good if a web surfer can access the router's web-based command interface. If your organization uses the IOS web interface, be sure to apply an access list to it as well. The following commands provide an example for web server configuration:
RTA(config)#access-list 17 permit 202.206.100.0 0.0.0.255
RTA(config)#ip http server
RTA(config)#ip http access-class 17
When applying an access class to an IOS HTTP server, the "in" keyword is not used. Because this service can accept only incoming connections, the access list cannot be applied to outbound traffic. In the above example, the "ip http server" command enables web-based configuration, while the "ip http access-class 17" command restricts the web interface to source IP addresses matching access list 17.
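As an added illustration (not part of the original text), the following constructed configuration shows the unrestricted setting beside the restricted one, adds an explicit logged deny so rejected connection attempts are recorded, and lists the show commands used to confirm that the access class is in place and that the access list is counting matches. The management subnet 202.206.100.0/24 and the hostname RTA are taken from the example above; the syslog line shown in the comment is a constructed sample, not captured output.

```cisco
! --- Weak: HTTP server enabled with no access class ---
! Any host that can reach the router on TCP port 80 may
! attempt to log in to the web configuration interface.
RTA(config)#ip http server

! --- Restricted: only the management subnet may connect ---
! Standard ACL 17 permits the management subnet and explicitly
! denies (and logs) everything else; the implicit deny would
! drop the traffic anyway, but "log" produces a syslog record
! for each rejected attempt.
RTA(config)#access-list 17 permit 202.206.100.0 0.0.0.255
RTA(config)#access-list 17 deny any log
RTA(config)#ip http server
RTA(config)#ip http access-class 17
RTA(config)#end

! --- Verification ---
! Confirm the HTTP server status and the access class bound to it.
RTA#show ip http server status
! Confirm that the ACL exists and watch the match counters grow as
! permitted and denied hosts connect.
RTA#show ip access-lists 17
! A rejected attempt produces a log entry similar to this constructed
! sample:
! %SEC-6-IPACCESSLOGS: list 17 denied 203.0.113.25 1 packet
```

Because the access class applies only to the HTTP service, the same numbered ACL can be reused with "access-class 17 in" on the VTY lines so that both management paths enforce one source-address policy.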