Category: Web

Cisco IOS has the ability to define command aliases - short words that substitute a whole exec-mode or configuration command. These aliases can also be used in command execution URLs. For example, if you define alias exec showdefault show ip route 0.0.0.0 0.0.0.0, you can view the status of the default route with the http://router/exec/showdefault/CR URL.

To optimize the space utilizations and file transfer operations in flash: memory, Cisco IOS web server allows files to be served from tar archives stored on flash: (or any other) filesystem. The URL syntax to access a file in a tar archive is /archive/archive-name-without-tar-suffix/file-in-archive.

Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:

1. The home.html file if it exists in any filesystem;
2. The home.shtml file if it exists in any filesystem;
3. a default page with links to exec, SDM, QDM and TAC support

Note: even though you can access home.html file on flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for the HTTP requests with the ip http path flash: command.

These tips will help you get the most out of the Cisco IOS embedded web server:

• Home page for a Cisco IOS web server;
• Tar archives used by Cisco IOS web server;
• Multilevel web (HTTP) access to a router;
• Use command aliases to simplify Cisco IOS web server URLs;
• Include a default username/password in web request;
• Use Cisco IOS FTP server to bypass Microsoft "security patch".

If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):

I've got a great question related to a previous post:

Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?

You can specify username and password as part of standard URL syntax http://username:password@host/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):

http://guest:guest@router/level/1/exec/show/ip/interface/brief

Note: this syntax no longer works in Internet Explorer with latest security patches, please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.

In some scenarios you want to use true username/password authentication when accessing the router's web server (by default, you have to use enable password). To change the HTTP authentication method, use the ip http authentication local configuration command; it tells the router to use local usernames and passwords when authentication web requests.

Before changing the HTTP authentication, you must define local usernames with the username username privilege-level level password password command, for example:

If you have HTTP enabled on your router, you can use it to automate router reloads through web requests. To enable HTTP on the router, use the following commands:

ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address

The ip http access-class configuration command is vital - it limits the access to the web server on your router to well-defined IP addresses.

The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):

If you have HTTP server enabled on your router (on by default in many IOS releases, enable with ip http server), you can download the current router configuration into your web browser simply by typing in the URL http://router/exec/show/running/full. To get the startup configuration, use http://router/exec/show/startup-config/CR.

Of course, you need to authenticate to the router. By default, you can use anything as the username and the enable-password as the password, but you also use local usernames or AAA authentication. To use local usernames, configure ip http authentication local and enter username and password with the username username privilege 15 password password configuration command.

It's been possible for a long time to use HTTP to download information from a web server to a router. In IOS release 12.3(2)T, integrated in 12.4 release, Cisco has introduced the ability to store local information (for example, router configurations) on a web server. To use this feature, configure the username and password giving you write access to the web server with:

ip http client username web-user
ip http client password secret-password

After the username and password have been configured, you can use copy running http: to copy router's configuration to a web server.

Note: on the web server, you have to configure the target virtual directory for write access (default: disabled) and allow file-system write access to the underlying physical directory for the target user.

router#copy running http://student:lab@192.168.0.2/router-config
Address or name of remote host [192.168.0.2]?
Destination filename [router]?
Storing http://student:lab@192.168.0.2/router-config !!
4231 bytes copied in 0.864 secs (4897 bytes/sec)

router#