10-06-2014 02:31 PM - edited 02-21-2020 05:18 AM
I ran a vulnerability scan on a 2960 switch and some "ports" (I don't even know if this is the right way to refer to them) showed as open or as needing review. I really need to know what they are and whether I need to keep them or get rid of them. How do you disable "ports" (I am not talking about the physical ports on the switch, e.g. gig1/0/1) on a Cisco switch? The ports are 4786 tcp, 67 udp, 161 udp, 162 udp, 1975 udp, 2228 udp, and 49688 udp.
10-06-2014 02:48 PM
udp/67 is BOOTP (used by DHCP). The switch listens on that port if it is either a DHCP server itself or is set up to provide the "ip helper" service, which translates local-segment end users' broadcasts into unicast packets that are then forwarded to your DHCP server elsewhere.
udp/161 and 162 are used by SNMP. Best practice has SNMP restricted to SNMPv3 (with authentication and privacy, i.e. encryption) and an access-list applied to define your permitted SNMP servers.
The high-numbered ports are usually a sign that the device (or a user session on it) is logged into something remotely, and that a random port is selected from the >1024 range (sometimes known as "ephemeral" ports since they come and go somewhat at random) to use as its source port. As long as the session is open, the device will be "listening" on that port for replies.
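The SNMPv3-plus-ACL hardening described in the answer above, written out as IOS configuration. This is an added example, not configuration from the original post or from Cisco documentation; the management station 192.0.2.10, the DHCP server 198.51.100.5, the VLAN numbers, and the names SNMP-MGMT, NMS-GROUP, RO-VIEW and nms-user are assumptions chosen for illustration, and the passphrases are placeholders.

```cisco
! Added example (not from the original post): SNMPv3 auth+priv with a source ACL,
! as the answer above recommends. Addresses are from documentation ranges.
! Assumed: 192.0.2.10 is the NMS, 198.51.100.5 is the DHCP server.

! 1. Only the NMS may talk SNMP to the switch; log anything else that tries.
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny   any log

! 2. Remove v1/v2c community strings, which travel in cleartext and can be guessed.
!    Do this only after the NMS has been moved to v3, or monitoring stops.
no snmp-server community public
no snmp-server community private

! 3. A read-only view and a v3 group that requires authentication AND privacy,
!    with the ACL bound to the group so udp/161 answers only the NMS.
snmp-server view RO-VIEW iso included
snmp-server group NMS-GROUP v3 priv read RO-VIEW access SNMP-MGMT

! 4. A v3 user with SHA authentication and AES-128 privacy.
!    Use long, distinct secrets; the user is tied to the local engineID,
!    so recreate it if the engineID is ever changed.
snmp-server user nms-user NMS-GROUP v3 auth sha AuthPassphraseHere priv aes 128 PrivPassphraseHere

! 5. Traps (the udp/162 side) go only to the NMS, also as v3 priv.
snmp-server host 192.0.2.10 version 3 priv nms-user
snmp-server enable traps snmp linkdown linkup coldstart

! 6. udp/67: keep the DHCP relay only on the SVIs whose clients need it.
interface Vlan10
 ip helper-address 198.51.100.5
interface Vlan20
 no ip helper-address

! Verification (availability of these show commands varies by IOS release):
! show snmp user
! show snmp group
! show tcp brief all
! show ip sockets
```

After applying this, re-run the scanner from an address that is not in SNMP-MGMT: udp/161 should no longer answer, and the `deny any log` entry will show the attempt in the log. Binding the ACL to the group rather than to a community string is what makes it apply to v3 requests.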
06-03-2015 08:57 AM
Thanks for your reply!
06-03-2015 08:58 AM
You're welcome.
Please rate or mark correct if it answers your question.
10-06-2014 03:06 PM
The most effective way to disable those ports is on a firewall.
06-03-2015 08:56 AM
Thanks for your reply!