Cisco Support Community
Community Member

ports (vulnerability scan)

I ran a vulnerability scan on a 2960 switch and some "ports" (I don't even know if this is the right way to call them) showed being open or that needed to be reviewed. I really need to know what they are and if I need to keep them or need to get rid of them. How do you disable "ports" (I am not talking about the actual ports on the switch, ex. gig1/0/1) on a Cisco switch? The ports are 4786 tcp, 67 udp, 161 udp, 162 udp, 1975 udp, 2228 udp, and 49688 udp.

5 REPLIES
Hall of Fame Super Silver

udp/67 is bootp (used by DHCP). The switch listens on that port if it is either a DHCP server itself or is set up to provide "ip helper" service, which is used to translate local-segment end users' broadcasts to a unicast packet which is then forwarded to your DHCP server elsewhere.

udp 161 and 162 are used by SNMP. Best practice has SNMP restricted to SNMP v3 (with authentication and privacy or encryption) and an access-list applied to define your permitted SNMP servers.

The high numbered ports are usually a sign that the device (or a user session on it) is logged into something remotely and that the random port is selected from the >1024 range (sometimes known as "ephemeral" ports since they come and go somewhat at random) to use as its source port. As long as the session is open, the device will be "listening" on that port for replies.


Good link for port number reference.
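One way to check a switch's running configuration against the SNMP advice in this reply (v3 with authentication and privacy, plus an access-list naming the permitted managers), as an added example that is not part of the thread and not Cisco's own tooling: a small Python audit run over two constructed IOS fragments, one weak (v2c communities, no ACL) and one hardened. The ACL name, group, user, manager address and passwords are placeholders.

```python
import re

# Constructed sample fragments (not from the thread): weak v2c vs. hardened v3.
WEAK_SNMP = """\
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.0.0.5 version 2c public
"""

# SNMPv3 auth + priv, managers limited by a standard ACL. ('snmp-server user'
# is not shown in IOS running-config; it is included so the audit sees it.)
HARDENED_SNMP = """\
ip access-list standard SNMP-MGMT
 permit host 10.0.0.5
 deny any log
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd access SNMP-MGMT
snmp-server host 10.0.0.5 version 3 priv monitor
"""


def audit_snmp(config: str) -> list[str]:
    """Return one finding per SNMP line that falls short of v3 auth+priv with an ACL."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        # v1/v2c community strings: always a finding, a second one if no ACL follows.
        if m := re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line, re.I):
            name, mode, acl = m.groups()
            findings.append(f"v1/v2c community '{name}' ({mode or 'RO'}) enabled; migrate to v3")
            if acl is None:
                findings.append(f"community '{name}' has no access-list limiting managers")
        # v3 groups: must be 'priv' and carry an 'access <acl>' clause.
        elif m := re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$", line, re.I):
            name, level, rest = m.groups()
            if level.lower() != "priv":
                findings.append(f"v3 group '{name}' is '{level}'; require priv")
            if not re.search(r"\baccess \S+", rest):
                findings.append(f"v3 group '{name}' has no access-list")
        # Trap/inform receivers: anything but 'version 3 priv' sends in the clear.
        elif m := re.match(r"snmp-server host (\S+)", line, re.I):
            v = re.search(r"\bversion (1|2c|3)(?: (noauth|auth|priv))?", line, re.I)
            version = v.group(1) if v else "1"  # IOS defaults to v1 when omitted
            level = (v.group(2) or "noauth") if v else "noauth"
            if version != "3" or level.lower() != "priv":
                findings.append(f"host {m.group(1)} uses v{version} {level}; use version 3 priv")
    return findings
```

Feed it the output of `show running-config | include snmp-server|access-list` from the switch; an empty list means every SNMP line already matches the v3 priv + ACL pattern.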

Community Member

Thanks for your reply!

Hall of Fame Super Silver

You're welcome.

Please rate or mark correct if it answers your question.

Hall of Fame Super Gold

The most effective way to disable those ports is on a firewall.

Community Member

Thanks for your reply!
