New Member

Switches listening on 1975/udp and 2228/udp

How come many switches show that they are listening on port 2228/udp and 1975/udp?

You can see this by running 'show ip sockets'.

11 REPLIES
Bronze

Re: Switches listening on 1975/udp and 2228/udp

Both these ports (1975/udp and 2228/udp) are used by the NTP (Network Time Protocol).

Check whether your switch has NTP enabled; if so, disable NTP.

Refer this link for more info about NTP:

http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml

New Member

Re: Switches listening on 1975/udp and 2228/udp

I don't understand. I thought NTP used port 123? I see no mention of other ports in the link that was provided. I too have a lot of devices listening on port 2228, but not on 1975.

Hall of Fame Super Bronze

Re: Switches listening on 1975/udp and 2228/udp

1975: Cluster Management Protocol that is used for CNA; corresponds to CSCeg36576, fixed in 12.2(25)EWA

2228: L2 Traceroute feature, supported from 12.1(15)EW

New Member

Re: Switches listening on 1975/udp and 2228/udp

Thanks, Edison. A port scan on a bunch of 3550 switches also shows that each switch seems to be listening on a seemingly random UDP port in the range between 49439 - 58955. Any idea what this is?

Hall of Fame Super Bronze

Re: Switches listening on 1975/udp and 2228/udp

Do you have the 'service small-udp servers' as part of your config ?

New Member

Re: Switches listening on 1975/udp and 2228/udp

No. After looking on the switches though it might be an outbound UDP port opened to communicate with the Ciscoworks syslog server. In this display, 10.1.2.3 is the Ciscoworks server. Not sure why there seem to be 2 high ports opened but only one shows a connection to the syslog server. Looks this way on all 4 switches that I checked manually. How does IOS determine that a UDP "connection" exists anyway? And what is meant by a "connection" to 0.0.0.0?

Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 10.2.2.75 68 0 0 1 0
17 --listen-- 10.2.2.75 67 0 0 489 0
17 --listen-- 10.2.2.75 2228 0 0 89 0
17 0.0.0.0 1589 10.2.2.75 49999 0 0 1 0
17 0.0.0.0 123 10.2.2.75 123 0 0 1 0
17 0.0.0.0 0 10.20.81.128 1589 0 0 11 0
17 0.0.0.0 0 10.2.2.75 52541 0 0 1 0
17 10.1.2.3 3214 10.2.2.75 161 0 0 1 0
17 0.0.0.0 0 10.2.2.75 162 0 0 9 0
17 0.0.0.0 0 10.2.2.75 50727 0 0 9 0
17 10.1.2.3 514 10.2.2.75 51563 0 0 0 2

Hall of Fame Super Bronze

Re: Switches listening on 1975/udp and 2228/udp

Ah, CiscoWorks, it could be it.

0.0.0.0 denotes the traffic will remain local.

Re: Switches listening on 1975/udp and 2228/udp

Are any of these UDP ports documented somewhere?

For regulation we need to document TCP/UDP ports open in the equipment and their use.

New Member

Re: Switches listening on 1975/udp and 2228/udp

I have the same regulation issue. We are trying to comply with NERC CIP requirements. TAC told me 1975 is the cluster management feature and can be disabled with "no cluster run". They also confirmed 2228 is the layer 2 traceroute service. TAC told me it could not be disabled, and that I should use an ACL. It does not work without CDP enabled, but the service is still running if you turn off CDP.

There appear to be randomly generated high port numbers in the tens of thousands. They show up in the output of the show ip sockets command and on an nmap scan. What are they?

Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
17 10.10.20.56       162 10.10.10.2      62382   0   0    0   0
17 10.10.30.56      162 10.10.10.2      63789   0   0    0   0
17 0.0.0.0             0 10.10.10.2         67   0   0 2211   0
17 0.0.0.0             0 10.10.10.2       2228   0   0  211   0
17 10.10.30.58      18878 10.10.10.2        161   0   0    1   0
17   --listen--          10.10.10.2        162   0   0   11   0
17   --listen--          10.10.10.2      52821   0   0    1   0
17   --listen--          --any--           161   0   0 20001   0
17   --listen--          --any--           162   0   0 20011   0
17   --listen--          --any--         50209   0   0 20001   0
17   --listen--          10.10.10.2        123   0   0    1   0
17 10.10.20.56       514 10.10.10.2      61849   0   0 400211   0
17 10.10.30.56      514 10.10.10.2      58322   0   0 400211   0
17 10.10.20.58      162 10.10.10.2      54340   0   0    0   0
17 10.10.20.58      514 10.10.10.2      60963   0   0 400211   0
17 10.10.20.57       162 10.10.10.2      53679   0   0    0   0
17 10.10.30.57       162 10.10.10.2      51945   0   0    0   0

New Member

Switches listening on 1975/udp and 2228/udp

The high-numbered UDP port is part of the SNMP process. It is the SNMP Inform port. Per Cisco docs it should be a randomly generated high-numbered port. I had found something in the documentation indicating it should be over some number like 52k, however I have seen the number as low as 49k. On a higher revision of IOS (12.4T train, or 15.x code) you can show more information than a typical 'show ip socket' does. Here is the output from one of my 15.x devices using the command 'show control-plane host open-ports'.

I am opening a discussion with our Cisco SE, but from what I have tested the only way to disable this is to turn off SNMP. Completely. You CANNOT do a 'no snmp-server informs' or 'no snmp-server enable traps' to disable it, unfortunately. We have the same issue with regulatory compliance, and just to speak from my position, I consider this part of a necessary service (SNMP). It can be used for 'emergency business operations'. I can argue that in an emergency situation, if it is required that we have confirmation of SNMP traps, we use the inform service.

As another suggestion, you could file a TFE (technical feasibility exception, for you non-NERC folks out there) for this port range, since it cannot be disabled normally (I included everything north of 49192). The only way to block this traffic is to either apply control-plane policing, or use an interface ACL to block this traffic. The problem with this action is that the port number will change after every SNMP reload, or any reboot of the router, which would require either a programmatic approach, or a manual change after every reboot.

udp   *:53285   *:0   IP SNMP   LISTEN

This article does not describe the port ranges, but it definitely describes the SNMP Inform process.

http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/snmpinfm.html

Also, as a side note,  I would argue that Layer 2 traceroute (UDP 2228) can be used for emergency troubleshooting purposes as well.

Regarding UDP port 1975, the 'no cluster run' command does not work on certain platforms. We have CGR 2010s in our network on which this command is not recognized. The port is clearly open in the 'show control-plane host open-ports' output. It is labeled as an IPC port. I am following up with the SE about this as well.
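As an added example (not from any poster in this thread and not Cisco code), here is a small Python parser that turns 'show ip sockets' output like the tables posted above into the kind of ports-and-services inventory the NERC CIP discussion asks for. The sample output is constructed from the thread's own tables; the labels for 1975, 2228 and the high ephemeral ports restate what the posters and TAC reported above, and the 49152 threshold is an assumption taken from the IANA dynamic port range (the poster above saw informs as low as 49k, so adjust it to your own observations). Anything the table cannot explain is flagged for investigation rather than guessed at.

```python
"""Inventory Cisco IOS 'show ip sockets' output for a ports-and-services list.

Added example, not from the thread or from Cisco. Rows come in two shapes:
  17 <remote-ip> <remote-port> <local-ip> <local-port> In Out Stat TTY OutputIF
  17 --listen--                <local-ip> <local-port> In Out Stat TTY OutputIF
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: IANA dynamic/private range start. Thread reports SNMP informs
# appearing slightly below this; lower it if your devices show that.
EPHEMERAL_START = 49152

PROTO = {"6": "tcp", "17": "udp"}

# Well-known services plus the two IOS-specific ports discussed in the thread.
KNOWN_LOCAL: Dict[int, str] = {
    67: "DHCP/BOOTP server or relay",
    68: "DHCP client",
    123: "NTP",
    161: "SNMP agent",
    162: "SNMP trap/inform receiver",
    1975: "Cluster Management Protocol (CNA); 'no cluster run' where supported",
    2228: "Layer 2 traceroute; not disableable per TAC, restrict with ACL/CoPP",
}
# Client-side sockets are identified by the remote port they talk to.
KNOWN_REMOTE: Dict[int, str] = {
    514: "syslog client socket",
    162: "SNMP trap/inform client socket",
    123: "NTP peer/client socket",
}


@dataclass
class Socket:
    proto: str
    remote: Optional[str]      # None for --listen--
    remote_port: Optional[int]
    local: str
    local_port: int
    label: str


def classify(remote: Optional[str], rport: Optional[int], lport: int) -> str:
    """Attach a service label to one socket row."""
    if lport in KNOWN_LOCAL:
        return KNOWN_LOCAL[lport]
    if rport in KNOWN_REMOTE and remote not in (None, "0.0.0.0"):
        return f"{KNOWN_REMOTE[rport]} to {remote}"
    if lport >= EPHEMERAL_START:
        # Per the thread/TAC: randomly chosen SNMP inform port; confirm with
        # 'show control-plane host open-ports' on 12.4T/15.x.
        return "ephemeral high port: SNMP inform (verify per device)"
    return "UNDOCUMENTED - investigate before listing"


def parse_show_ip_sockets(text: str) -> List[Socket]:
    """Parse the command output; header, blank and unknown lines are skipped."""
    rows: List[Socket] = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in PROTO:
            continue
        if t[1] == "--listen--":
            remote, rport, local, lport = None, None, t[2], int(t[3])
        else:
            remote, rport, local, lport = t[1], int(t[2]), t[3], int(t[4])
        rows.append(Socket(PROTO[t[0]], remote, rport, local, lport,
                           classify(remote, rport, lport)))
    return rows


def listening_inventory(rows: List[Socket]) -> Dict[int, str]:
    """Local ports not bound to a specific peer: what a scanner would see."""
    return {r.local_port: r.label for r in rows if r.remote in (None, "0.0.0.0")}


def undocumented(rows: List[Socket]) -> List[Socket]:
    """Rows nobody has an explanation for; these block the compliance list."""
    return [r for r in rows if r.label.startswith("UNDOCUMENTED")]


# Constructed sample modelled on the two tables posted in the thread.
SAMPLE = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
17 10.10.20.56       162 10.10.10.2      62382   0   0    0   0
17 0.0.0.0             0 10.10.10.2         67   0   0 2211   0
17 0.0.0.0             0 10.10.10.2       2228   0   0  211   0
17   --listen--          10.10.10.2        162   0   0   11   0
17   --listen--          --any--           161   0   0 20001   0
17   --listen--          --any--         50209   0   0 20001   0
17   --listen--          10.10.10.2        123   0   0    1   0
17 10.10.20.56       514 10.10.10.2      61849   0   0 400211   0
17   --listen--          10.10.10.2       1975   0   0    1   0
17 0.0.0.0             0 10.20.81.128     1589   0   0   11   0
"""

if __name__ == "__main__":
    sockets = parse_show_ip_sockets(SAMPLE)
    for port, label in sorted(listening_inventory(sockets).items()):
        print(f"{port:>6}/udp  {label}")
    for s in undocumented(sockets):
        print(f"TODO: {s.local}:{s.local_port} ({s.proto}) has no documented owner")
```

Run it against a saved 'show ip sockets' capture from each device and diff the inventories over time: because the inform port moves after an SNMP restart or reload, the diff is what tells you a change is expected (one ephemeral port replaced by another) rather than a new service.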

New Member

Re: Switches listening on 1975/udp and 2228/udp

I agree and further would state that it doesn't have to be some emergency. The ports just need to be utilized for some actual purpose and documented on your ports and services list. You just need to know they are open and what they are used for. Good management and alerting for your switches is part of the reliability and it is perfectly fine to have them on. We are struggling also though with figuring out what is open and documenting them for both Cisco switches and firewalls.
