East/west segmentation is required in the data center to protect backend networks from each other. Segmentation is often implemented using ACLs between VLANS on your core switch. The ACLS are maintained by network or security engineers but define the flows permitted between hosts or host classes.
I was doing some testing on a 3750X and saw that the http and http services were enabled. I knew that you could apply an ACL to restrict HTTP access, but had assumed that the HTTP security was an optional extra on top of the VTY ACL. I tested this … and found out I was wrong. Although http(s) uses the same inband access path as SSH, web admin is not restricted in any way by VTY ACLS. This will be quite obvious to…