Switches listening on 1975/udp and 2228/udp

jacob.uecker
Level 1

How come many switches show that they are listening on port 2228/udp and 1975/udp?

You can see this by running 'show ip sockets'.

11 Replies

wdrootz
Level 4

Both of these ports (1975/udp and 2228/udp) are used by the NTP (Network Time Protocol) protocol.

Check whether your switch has NTP enabled; if so, disable NTP.

Refer to this link for more info about NTP:

http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml

I don't understand. I thought NTP used port 123? I see no mention of other ports in the link that was provided. I too have a lot of devices listening on port 2228, but not on 1975.

Edison Ortiz
Hall of Fame

1975: Cluster Management Protocol that is used for CNA; corresponds to CSCeg36576, fixed in 12.2(25)EWA

2228: L2 Traceroute feature; supported from 12.1(15)EW

Thanks, Edison. A port scan on a bunch of 3550 switches also shows that each switch seems to be listening on a seemingly random UDP port in the range between 49439 and 58955. Any idea what this is?

Do you have the 'service small-udp servers' as part of your config?

No. After looking on the switches, though, it might be an outbound UDP port opened to communicate with the CiscoWorks syslog server. In this display, 10.1.2.3 is the CiscoWorks server. Not sure why there seem to be 2 high ports opened but only one shows a connection to the syslog server. It looks this way on all 4 switches that I checked manually. How does IOS determine that a UDP "connection" exists anyway? And what is meant by a "connection" to 0.0.0.0?

Proto Remote      Port  Local         Port   In  Out  Stat  TTY  OutputIF
17    0.0.0.0     0     10.2.2.75     68     0   0    1     0
17    --listen--        10.2.2.75     67     0   0    489   0
17    --listen--        10.2.2.75     2228   0   0    89    0
17    0.0.0.0     1589  10.2.2.75     49999  0   0    1     0
17    0.0.0.0     123   10.2.2.75     123    0   0    1     0
17    0.0.0.0     0     10.20.81.128  1589   0   0    11    0
17    0.0.0.0     0     10.2.2.75     52541  0   0    1     0
17    10.1.2.3    3214  10.2.2.75     161    0   0    1     0
17    0.0.0.0     0     10.2.2.75     162    0   0    9     0
17    0.0.0.0     0     10.2.2.75     50727  0   0    9     0
17    10.1.2.3    514   10.2.2.75     51563  0   0    0     2

Ah, CiscoWorks, that could be it.

0.0.0.0 denotes the traffic will remain local.

Are any of these UDP ports documented somewhere?

For regulation we need to document TCP/UDP ports open in the equipment and their use.

I have the same regulation issue. We are trying to comply with NERC CIP requirements. TAC told me 1975 is the cluster management feature and can be disabled with "no cluster run". They also confirmed 2228 is the layer 2 traceroute service. TAC told me it could not be disabled and that I should use an ACL. It does not work without CDP enabled, but the service is still running if you turn off CDP.

There appear to be randomly generated high port numbers in the tens of thousands. They show up in the output of the show ip sockets command and in an nmap scan. What are they?

Proto Remote       Port   Local       Port   In  Out  Stat    TTY  OutputIF
17    10.10.20.56  162    10.10.10.2  62382  0   0    0       0
17    10.10.30.56  162    10.10.10.2  63789  0   0    0       0
17    0.0.0.0      0      10.10.10.2  67     0   0    2211    0
17    0.0.0.0      0      10.10.10.2  2228   0   0    211     0
17    10.10.30.58  18878  10.10.10.2  161    0   0    1       0
17    --listen--          10.10.10.2  162    0   0    11      0
17    --listen--          10.10.10.2  52821  0   0    1       0
17    --listen--          --any--     161    0   0    20001   0
17    --listen--          --any--     162    0   0    20011   0
17    --listen--          --any--     50209  0   0    20001   0
17    --listen--          10.10.10.2  123    0   0    1       0
17    10.10.20.56  514    10.10.10.2  61849  0   0    400211  0
17    10.10.30.56  514    10.10.10.2  58322  0   0    400211  0
17    10.10.20.58  162    10.10.10.2  54340  0   0    0       0
17    10.10.20.58  514    10.10.10.2  60963  0   0    400211  0
17    10.10.20.57  162    10.10.10.2  53679  0   0    0       0
17    10.10.30.57  162    10.10.10.2  51945  0   0    0       0

The high-numbered UDP port is part of the SNMP process. It is the SNMP Inform port. Per Cisco docs it should be a randomly generated high-numbered port. I had found something in the documentation indicating it should be over some number like 52k; however, I have seen the number as low as 49k. On a higher revision of IOS (12.4T train, or 15.x code) you can show more information than a typical 'show ip sockets' does. Here is the output from one of my 15.x devices using the command 'show control-plane host open-ports'.

I am opening a discussion with our Cisco SE, but from what I have tested the only way to disable this is to turn off SNMP. Completely. You CANNOT do a 'no snmp-server informs' or 'no snmp-server enable traps' to disable it, unfortunately. We have the same issue with regulatory compliance, and just to speak from my position, I consider this part of a necessary service (SNMP). It can be used for 'emergency business operations'. I can argue that in an emergency situation, if it is required that we have confirmation of SNMP traps, we use the inform service.

As another suggestion, you could file a TFE (technical feasibility exception, for you non-NERC folks out there) for this port range, since it cannot be disabled normally (I included everything north of 49192). The only way to block this traffic is to either apply control-plane policing or use an interface ACL to block this traffic. The problem with this action is that the port number will change after every SNMP reload, or any reboot of the router, which would require either a programmatic approach or a manual change after every reboot.

udp   *:53285   *:0   IP SNMP   LISTEN

This article does not describe the port ranges, but it definitely describes the SNMP Inform process.

http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/snmpinfm.html

Also, as a side note, I would argue that Layer 2 traceroute (UDP 2228) can be used for emergency troubleshooting purposes as well.

Regarding UDP port 1975, the 'no cluster run' command does not work on certain platforms. We have CGR 2010s in our network on which this command is not recognized. The port is clearly opened in the 'show control-plane host open-ports' output. It is labeled as an IPC port. I am following up with the SE about this as well.
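As an added example (not from the thread or from Cisco), here is a small Python parser that turns 'show ip sockets' output into the kind of ports-and-services inventory the NERC CIP discussion above calls for: each row is labelled with the service the thread identified, outbound client sockets are told apart from listeners, and anything left over is flagged for investigation. The service names and the 49152 ephemeral threshold (the IANA dynamic range) are assumptions taken from the thread; the sample rows are copied from the listings posted above.

```python
# Service names for local UDP ports, as identified in the thread (assumption).
KNOWN_LOCAL = {
    67: "DHCP server/relay", 68: "DHCP client", 123: "NTP",
    161: "SNMP agent", 162: "SNMP trap/inform receiver", 514: "syslog",
    1975: "Cluster Management Protocol (disable with 'no cluster run')",
    2228: "Layer 2 traceroute (no knob; restrict with ACL or CoPP)",
}
# Remote ports that reveal an outbound client socket on an ephemeral local port.
KNOWN_REMOTE = {162: "SNMP trap/inform sender", 514: "syslog client"}
EPHEMERAL_MIN = 49152  # IANA dynamic range; the thread saw ports from 49k to 63k

def parse_row(line):
    """Parse one UDP row; '--listen--' rows have no remote address/port columns."""
    t = line.split()
    if len(t) < 8 or t[0] != "17":
        return None  # header, blank line, or non-UDP row
    if t[1] == "--listen--":
        remote, rport, local, lport = None, None, t[2], int(t[3])
    else:
        remote, rport, local, lport = t[1], int(t[2]), t[3], int(t[4])
    return {"remote": remote, "rport": rport, "local": local, "lport": lport}

def classify(sock):
    """Return (state, service) for a parsed socket."""
    peer = sock["remote"] not in (None, "0.0.0.0")  # 0.0.0.0 remote = no peer
    state = "connected to %s:%d" % (sock["remote"], sock["rport"]) if peer else "listening"
    if sock["lport"] in KNOWN_LOCAL:
        return state, KNOWN_LOCAL[sock["lport"]]
    if sock["rport"] in KNOWN_REMOTE:
        return state, KNOWN_REMOTE[sock["rport"]]
    if sock["lport"] >= EPHEMERAL_MIN:
        return state, "ephemeral listener (SNMP inform per thread; confirm with 'show control-plane host open-ports')"
    return state, "UNDOCUMENTED - investigate before adding to the ports list"

def inventory(text):
    """Return one (local, lport, state, service) tuple per socket row."""
    rows = [parse_row(ln) for ln in text.splitlines()]
    return [(s["local"], s["lport"]) + classify(s) for s in rows if s]

# Sample rows copied from the 'show ip sockets' listings posted in the thread.
SAMPLE = """Proto Remote Port Local Port In Out Stat TTY OutputIF
17 10.10.20.56 162 10.10.10.2 62382 0 0 0 0
17 0.0.0.0 0 10.10.10.2 2228 0 0 211 0
17 --listen-- --any-- 50209 0 0 20001 0
17 10.10.20.56 514 10.10.10.2 61849 0 0 400211 0
17 0.0.0.0 0 10.20.81.128 1589 0 0 11 0
"""

for local, lport, state, service in inventory(SAMPLE):
    print(f"{local}:{lport:<6} {state:<28} {service}")
```

Feed it the full output of 'show ip sockets' from each device and diff the UNDOCUMENTED rows against your ports-and-services list after every reload, since the SNMP inform port moves.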

I agree, and I would further state that it doesn't have to be some emergency. The ports just need to be utilized for some actual purpose and documented on your ports and services list. You just need to know they are open and what they are used for. Good management and alerting for your switches is part of the reliability, and it is perfectly fine to have them on. We are also struggling, though, with figuring out what is open and documenting it for both Cisco switches and firewalls.
