
HTTP-over-IPv6 on Cisco IOS

Stumbled across this marvel while updating my IPv6 presentations for a 2-day seminar in Milano and Rome (straight from 15.2M&T command reference):

With IPv6 support added in Cisco IOS Release 12.2(2)T, the ip http server command simultaneously enables and disables both IP and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command will only be applied to IPv4 traffic. IPv6 traffic filtering is not supported.

Wait ... WHAT? I cannot control who can access the HTTP(S) server running in Cisco IOS over IPv6 (apart from kludges like ingress ACLs on all interfaces or CoPP), and this stupidity has been left unfixed for nine (9) years? Are we really in 2012, less than a month away from World IPv6 Launch, or have I been transported to the 1990s?
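An added example (not part of the original post or Cisco's documentation): a small Python audit that reads an IOS running-config and lists the IPv6-enabled interfaces that have no ingress `ipv6 traffic-filter` while the HTTP(S) server is on, which is where the "ingress ACLs on all interfaces" kludge is missing. The sample config and the ACL name `MGMT-V6-IN` are constructed; the check only confirms that a filter is attached, not what it matches.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
ip http server
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 traffic-filter MGMT-V6-IN in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ipv6 address 2001:DB8:0:2::1/64
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
!
"""

def audit_http_ipv6(config: str) -> dict:
    """Flag IPv6-enabled interfaces with no ingress IPv6 ACL while HTTP(S) is on."""
    http_on, access_class, iface = False, None, None
    ifaces = {}  # interface name -> {"ipv6": bool, "filter_in": ACL name or None}
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any global-level line ends interface context
            iface = None
        if re.fullmatch(r"ip http (secure-)?server", line):
            http_on = True  # "no ip http server" does not match
        elif m := re.fullmatch(r"ip http access-class (\d+)", line):
            access_class = int(m.group(1))  # per the command reference: IPv4 only
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
            ifaces[iface] = {"ipv6": False, "filter_in": None}
        elif iface and re.match(r"ipv6 (address|enable)\b", line):
            ifaces[iface]["ipv6"] = True
        elif iface and (m := re.fullmatch(r"ipv6 traffic-filter (\S+) in", line)):
            ifaces[iface]["filter_in"] = m.group(1)
    exposed = [n for n, i in ifaces.items() if http_on and i["ipv6"] and not i["filter_in"]]
    return {"http_enabled": http_on, "ipv4_access_class": access_class,
            "ipv6_unfiltered_interfaces": exposed}

if __name__ == "__main__":
    print(audit_http_ipv6(SAMPLE_CONFIG))
```

On the sample, GigabitEthernet0/1 is reported: the IPv4 `access-class 10` is in place, but nothing filters IPv6 arriving on that interface.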


  1. Moreover

    ip http access-class access-list-number

    Where "access-list-number" is a standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.
    No named or extended ACLs, and no ACLs with expanded range <1300-1999>.
    Seems to be very strange.

  2. Pffff.... all I have to say :)

  3. It's a shame how big vendors still treat IPv6 as an experimental protocol without commercial relevance. A respected North-European telco equipment vendor delivered us an IPv6 implementation that doesn't support path MTU discovery. 'Just use TCP if you want to send anything bigger than 1280 bytes'. In 2012.

  4. Any decent STIG would have the http server disabled.

  5. Haha. The truth is no one cares. Even bad guys :)

  6. What would be our world without your blog! Thanks to that posting, I can now go to bed with a calm conscience...

  7. Open a case and add this URL to the case notes:

  8. I suppose this is an indication of just how awful the IOS code base has become. Lord knows release quality has also taken a nose-dive in the last few years.

