Open IPv6 ports on router IOS

fsebera
Level 4

I have two 2811 routers with open ports that I am told to close.

Both routers are running the same IOS version.

flash:c2800nm-advipservicesk9-mz.124-25d.bin.

These are Internet facing routers and thus we do not run IPv6 on these routers (yet).

My question:

Is there a way to disable the three IPv6 listening ports?

1. Port 161 and 162 should only be open for our IPv4 SNMP server(s).

2. Port 64963 is unknown

3. Port 49402 is unknown

Thanks

Frank

REMOTE-HD# sh ip sockets
Proto     Remote      Port      Local      Port  In Out  Stat TTY OutputIF
17      --listen--          172.16.21.10    2887  0  0    11  0
17    10.8.1.251      54120 172.16.21.10     161  0  0  1001  0
17      --listen--          172.16.21.10     162  0  0  1011  0
17      --listen--          172.16.21.10   59393  0  0  1011  0
17(v6)  --listen--          --any--          161  0  0 20001  0
17(v6)  --listen--          --any--          162  0  0 20011  0
17(v6)  --listen--          --any--        64963  0  0 20011  0
17      --listen--          172.16.21.10     123  0  0     1  0
17      --listen--          172.16.21.10     500  0  0    11  0
17      --listen--          172.16.21.10    4500  0  0    11  0
17    10.8.1.9          514 172.16.21.10   51074  0  0   200  0

HQ_HD#sh ip sock
Proto     Remote      Port      Local      Port  In Out  Stat TTY OutputIF
17      --listen--          172.16.0.8     2887  0  0    11  0
17    10.8.1.11      59506 10.10.0.8        161  0  0  1001  0
17      --listen--          172.16.0.8      162  0  0  1011  0
17      --listen--          172.16.0.8    64265  0  0  1011  0
17(v6)  --listen--          --any--         161  0  0 20001  0
17(v6)  --listen--          --any--         162  0  0 20011  0
17(v6)  --listen--          --any--       49402  0  0 20011  0
17      --listen--          172.16.0.8      123  0  0     1  0
17      --listen--          172.16.0.8      500  0  0    11  0
17      --listen--          172.16.0.8     4500  0  0    11  0
17    10.8.1.9          514 172.16.0.8    56794  0  0   200  0
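Added example (not code from the thread): a small parser for the `show ip sockets` tables above that flags the IPv6 sockets bound to `--any--` and lists which listeners differ between the two routers. The sample rows are copied from the two outputs posted above; the column layout (listening rows have no Remote Port field) is inferred from them.

```python
"""Parse IOS 'show ip sockets' output and flag IPv6 sockets listening on --any--.
Added example, not code from the thread; sample rows are copied from the outputs
posted above and the column layout is inferred from them."""
from typing import List, NamedTuple, Optional
class Sock(NamedTuple):
    ipv6: bool             # Proto column carries a "(v6)" suffix
    local: str             # "--any--" for an IPv6 socket bound to no address
    lport: int
    remote: Optional[str]  # None when the Remote column reads --listen--

def parse_ip_sockets(text: str) -> List[Sock]:
    socks = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or not tok[0][0].isdigit():
            continue  # header, prompt or blank line
        ipv6 = tok[0].endswith("(v6)")
        if tok[1] == "--listen--":  # listening rows have no Remote Port column
            socks.append(Sock(ipv6, tok[2], int(tok[3]), None))
        else:
            socks.append(Sock(ipv6, tok[3], int(tok[4]), tok[1]))
    return socks

def wildcard_v6_listeners(socks: List[Sock]) -> List[int]:
    """Ports that would answer on every IPv6 address once IPv6 is enabled."""
    return sorted(s.lport for s in socks
                  if s.ipv6 and s.remote is None and s.local == "--any--")

def listener_diff(a: List[Sock], b: List[Sock]) -> tuple:
    """(ipv6, port) listeners present on only one of two routers."""
    la = {(s.ipv6, s.lport) for s in a if s.remote is None}
    lb = {(s.ipv6, s.lport) for s in b if s.remote is None}
    return sorted(la - lb), sorted(lb - la)

REMOTE_HD = """\
Proto     Remote      Port      Local      Port  In Out  Stat TTY OutputIF
17    10.8.1.251      54120 172.16.21.10     161  0  0  1001  0
17      --listen--          172.16.21.10     162  0  0  1011  0
17      --listen--          172.16.21.10   59393  0  0  1011  0
17(v6)  --listen--          --any--          161  0  0 20001  0
17(v6)  --listen--          --any--          162  0  0 20011  0
17(v6)  --listen--          --any--        64963  0  0 20011  0
"""
HQ_HD = """\
17      --listen--          172.16.0.8      162  0  0  1011  0
17      --listen--          172.16.0.8    64265  0  0  1011  0
17(v6)  --listen--          --any--         161  0  0 20001  0
17(v6)  --listen--          --any--         162  0  0 20011  0
17(v6)  --listen--          --any--       49402  0  0 20011  0
"""
```

Run over the two outputs, the diff shows that the high-numbered port differs per router for IPv4 as well (59393 vs 64265), not only for the IPv6 socket.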

4 Replies

Calin C.
Level 5

Hello,

Use an IPv6 ACL on the outbound interface (the interface connected to your provider).

Here is all you need to know to put together a filter:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw.html#wp1072502

HTH,

Calin

Hi Calin,

Yeaaa we were thinking about ACL interface filtering !!!

We didn't want to penalize the innocent with this (ACL) sort of blanket coverage. We have several hundred routers in this state.

We were hoping to get some insight as to why the ports are open since IPv6 is not enabled (no ipv6 unicast-routing).

We would like to disable the features in IOS that are causing the ports to be open in the first place. Perhaps this is a TAC case?

The other weird thing is why the same IOS, same hardware and nearly identical config have different listening IPv6 ports.

Regards

Frank

ipv6 unicast-routing refers only to the routing part of IPv6.

You don't have any command related to "ipv6" in your configuration?

I have a 28xx with 12.4(24)T6 and:

show udp
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
17       --listen--          172.30.32.1      1698   0   0     1   0
17     0.0.0.0             0 172.30.32.1        67   0   0  2211   0
17       --listen--          172.30.32.1       711   0   0     1   0
17       --listen--          172.30.32.1       646   0   0     1   0
17       --listen--          172.30.32.1      3503   0   0     1   0

The only IPv6 command that I have is:

no ipv6 cef

HTH,

Calin

Here is the complete config; passwords, IP addresses etc. removed.

NO reference to IPv6 anywhere.

HQ_HD#sh ip sockets
Proto      Remote      Port      Local      Port  In Out  Stat TTY OutputIF
17      --listen--         172.16.0.8      2887    0  0     11   0
17    10.8.1.11      59503 10.10.0.8        161    0  0   1001   0
17      --listen--         172.16.0.8       162    0  0   1011   0
17      --listen--         172.16.0.8     64265    0  0   1011   0
17(v6)  --listen--         --any--          161    0  0  20001   0
17(v6)  --listen--         --any--          162    0  0  20011   0
17(v6)  --listen--         --any--        49402    0  0  20011   0
17      --listen--         172.16.0.8       123    0  0      1   0
17      --listen--         172.16.0.8       500    0  0     11   0
17      --listen--         172.16.0.8      4500    0  0     11   0
17    10.8.1.9         514 172.16.0.8     56794    0  0    200   0
HQ_HD#term leng 0
HQ_HD#sh run
Building configuration...

Current configuration : 5464 bytes
!
! Last configuration change at 14:12:54 EST Wed Feb 1 2012 by XXXXXXXXXXXXXXXX
! NVRAM config last updated at 14:12:56 EST Wed Feb 1 2012 by XXXXXXXXXXXXXXXX
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HQ_HD
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-25d.bin
boot system flash:c2800nm-advipservicesk9-mz.124-25b.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret --removed--
!
aaa new-model
!
aaa group server tacacs+ group1
server --removed--
!
aaa authentication login default group group1 local line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group group1
aaa accounting commands 1 default stop-only group group1
aaa accounting commands 15 default stop-only group group1
aaa accounting connection default start-stop group group1
aaa accounting system default start-stop group group1
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name --removed--
ip name-server --removed--
ip name-server --removed--
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
archive
log config
   hidekeys
!
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh source-interface Loopback0
ip ssh version 2
! !
crypto isakmp policy 10
encr --gone--
hash --gone--
authentication --gone--
group --removed--
crypto isakmp key --gone-- address --gone--
crypto isakmp keepalive xxxxx
!
crypto ipsec transform-set stronger --removed-- esp-sha-hmac
!
crypto map vpn 20 ipsec-isakmp
set peer --removed--
set transform-set stronger
match address 110
!
interface Loopback0
ip address 172.16.0.8 255.255.255.255
!
interface FastEthernet0/0
ip address removed--
!
interface FastEthernet0/1
ip address --removed--
ip access-group 100 in
ip tcp adjust-mss 1460
load-interval 30
crypto map vpn
hold-queue 100 out
!
ip forward-protocol nd
ip route --gone--
!
!
no ip http server
no ip http secure-server
!
logging history informational
logging facility syslog
logging source-interface Loopback0
logging --removed--
access-list 1 remark VTY and SNMP and ssh
access-list 1 permit --removed--
access-list 1 permit --removed--
access-list 1 deny  any log
access-list 100 permit esp --removed--
access-list 100 permit udp --removed--
access-list 110 permit ip --removed--
access-list 110 permit ip --removed--
snmp-server engineID --removed--
snmp-server community --removed--
snmp-server community --removed--
snmp-server enable --removed--
!
!
tacacs-server host --removed-- key --gone--
tacacs-server directed-request
!
control-plane
!
scheduler allocate 20000 1000
ntp clock-period 17208029
ntp server --gone--
ntp server --gone--
ntp server --gone--
!
end

HQ_HD#sh run | i v6
...blank
HQ_HD#sh run | i V6
...blank

Thanks for helping

Frank