Cisco Catalyst 3650, opened port tcp 16113 - how to disable

Unanswered Question
Nov 14th, 2014

Hello

 Following a TCP port scan on our Catalyst 3650 from the Security team, we found port TCP 16113 is open on our boxes.
 I found this is used by the Network Mobility Services Protocol (NMSP); however, we don't use it & want it disabled.

 I was not able to find on Cisco documentation how to remove this service & close this TCP port.
 We use 3.3.3 IOS-XE train.

Thanks in advance

Jody Lemoine Fri, 11/14/2014 - 18:11
I haven't found any information on shutting this down directly, but you can potentially use control plane policing to drop packets destined to this port.

class-map match-all CM_NMSP
 match access-group name ACL_NMSP
!
policy-map PM_CoPP
 class CM_NMSP
  drop
!
ip access-list extended ACL_NMSP
 permit tcp any any eq 16113
!
control-plane
 service-policy input PM_CoPP
g.fabre Sun, 11/16/2014 - 23:42
Hi Jody

 Thanks for your interest & your answer.
 Control-Plane policy is a good idea, unfortunately, the CoPP configuration is limited on Catalyst 3650 (we can't just police on pre-defined classes)

 It seems the only thing we can do is to disable NMSP replies on an interface basis (nmsp attachment suppress on the interface); the port will still appear open on that interface, but the switch should not reply to NMSP messages.

 Another solution would be to put an ACL on every interface, but this will be hard to maintain.

Regards.
fabian.gengenbach Tue, 10/20/2015 - 07:35
We also had this problem, but in the newer versions you can disable it easily with no nmsp enable. It seems like this makes an ACL for e.g. the vlan, but it helped us a lot. It was important for us to make this port not accessible. We use now 03.06.03.

eugene.lvovsky@... Mon, 02/01/2016 - 13:27
As was already mentioned, you have to upgrade to have the ability to turn that off. I know it works in 3.6.3.
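To confirm the result of any of the approaches discussed above (CoPP, interface ACLs, or no nmsp enable after an upgrade), the following added example, which is not from any participant in this thread, re-checks TCP 16113 from the scanner's vantage point and separates a port that still completes a handshake from one that is refused or silently dropped. The switch addresses are passed on the command line; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Re-check TCP 16113 (NMSP) on a list of switches after a config change."""
import errno
import socket
import sys

NMSP_PORT = 16113  # the port the thread reports as open on the Catalyst 3650


def probe(host, port=NMSP_PORT, timeout=3.0):
    """Classify host:port as 'open', 'closed', 'filtered' or 'error: ...'.

    open     - TCP handshake completed, the listener is still reachable
    closed   - connection refused (RST), nothing answers on the port
    filtered - no reply or unreachable, consistent with an ACL/policy drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        return "error: %s" % exc


def audit(hosts, port=NMSP_PORT, timeout=3.0):
    """Probe every host and return {host: state}."""
    return {host: probe(host, port, timeout) for host in hosts}


def still_reachable(results):
    """Hosts whose port is open or could not be checked; these need follow-up."""
    return sorted(h for h, s in results.items() if s not in ("closed", "filtered"))


if __name__ == "__main__":
    # Usage: python3 check_nmsp.py <switch-ip> [<switch-ip> ...]
    results = audit(sys.argv[1:])
    for host, state in sorted(results.items()):
        print("%-20s tcp/%d %s" % (host, NMSP_PORT, state))
    sys.exit(1 if still_reachable(results) else 0)
```

Run it from the same network segment the security team scanned from, since an ACL or policy may treat sources differently. As noted in the thread, nmsp attachment suppress alone leaves the port appearing open, so a host mitigated only that way will still be listed.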
