When working with the Cisco IOS, it's very important to know your TCP and UDP port numbers. This is especially true when creating IOS access control lists (ACLs). Let's take a closer look.
What's a port number?
Most of you likely know what port numbers are, but here's a brief overview just in case: Port numbers are unique, well-known numbers used by TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) applications. For example, Telnet uses port 23, and HTTP uses port 80 for Web traffic.
Well-known port numbers are 0 through 1023, registered port numbers are 1024 through 49151, and dynamic or private port numbers are 49152 through 65535. The Internet Assigned Numbers Authority (IANA) provides a complete list of these port numbers on its Web site. The Internet Corporation for Assigned Names and Numbers (ICANN) assigns well-known and registered port numbers.
Keep in mind that there's a big difference between a port number and a protocol number -- don't confuse the two. A protocol number is a reserved number used to identify protocols. For example, IP is protocol number 4, ICMP is 1, EIGRP is 88, and OSPF is protocol number 89. IANA's Web site offers a complete list of assigned protocol numbers.
What does this have to do with the Cisco IOS?
There are various places in the Cisco IOS where you would use a port number. Most often, I find myself using port numbers when configuring IOS ACLs. The Cisco IOS does recognize many port numbers, so you don't have to memorize all 65,535 possible ports.
On my Cisco 2800 Series router using IOS 12.4, the IOS knows about 34 common port numbers. Here's the list:
Router(config)# access-list 151 permit tcp any any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
drip Dynamic Routing Information Protocol (3949)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
Router(config)# access-list 151 permit tcp any any eq
You'll notice some familiar and frequently used ports in this list, including:
- WWW -- port 80
- Telnet -- port 23
- SMTP -- port 25
- FTP and FTP-data -- ports 21 and 20
- Domain (actually DNS) -- port 53
- BGP -- port 179
However, the rest of the list is depressingly outdated. Who uses UUCP anymore? In my opinion, Cisco really needs to update this list by removing old and unused applications and adding new ones. For example, the first two applications I would add are HTTPS at port 443 and RDP/Terminal Server at port 3389. Which ones would you add?
When do I need to know a port number?
While 34 ports may seem like a lot, in reality, it's very few compared to the 50,000 or so potentially registered port numbers. Because of this, you need to know many of the port numbers you'll configure inside an ACL.
For example, let's say I want to configure an ACL to deny all AOL AIM (Instant Messenger) traffic from any source. Here's what I would do:
Router(config)# access-list 152 deny tcp any any eq 5190
Port 5190 is the registered port for AOL AIM. I would then permit other traffic and apply the ACL, as shown below:
Router(config)# access-list 152 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 152 in
Now, let's say that a month later, I decide I want to also stop MSN Messenger traffic. Rather than rebuilding the whole list, I can enter extended access-list configuration mode for ACL 152 and insert a deny for port 1863 at sequence number 15, between the existing entries, as shown below:
Router(config)# ip access-list extended 152
Router(config-ext-nacl)# 15 deny tcp any any eq 1863
In the end, here's my ACL:
Router# show ip access-lists 152
Extended IP access list 152
10 deny tcp any any eq 5190
15 deny tcp any any eq 1863
20 permit ip any any
Router#
Notice how it shows the port numbers as the numbers I entered. However, if I enter an ACL using one of the port numbers known by the Cisco IOS, it translates that port number to the alpha abbreviation, as shown below:
Router(config)# access-list 158 permit tcp any any eq 80
Router# show ip access-lists 158
Extended IP access list 158
10 permit tcp any any eq www
Router#
In addition, you can also enter an ACL using the known Cisco alpha abbreviations. For example, I can represent port 23 by entering tel (for Telnet), as shown below:
Router(config)# access-list 157 permit tcp any any eq tel
There are other times when you need to know port numbers. While the Cisco IOS translated port 23 to telnet in the ACL example, it doesn't do that translation everywhere. Recently, I used the debug ip packet detail command on my Telnet connection to a router. As you can see from the output below, it reports the destination port number simply as 23 -- not telnet(23):
Aug 24: IP: s=10.1.1.1 (Serial0/2/0), d=10.2.2.2, len 42, rcvd 4
Aug 24: TCP src=4672, dst=23, seq=4227579056, ack=1459609700, win=64636 ACK PSH
This is yet another reason to memorize common port numbers -- it saves time. In addition, if you're studying for Cisco certification exams such as the CCNA or CCNP, it's very likely you'll need to know common TCP/UDP port numbers.
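The keyword-to-number translation, the sequence-numbered ACL from the examples above, and the numeric-only debug output all come together in the following Python helper. It is an added example written for this page, not code from the article or from Cisco: the keyword table is transcribed from the "eq ?" help output shown earlier (IOS 12.4, 34 keywords), while the ACE parser, the first-match evaluator and the debug-line annotator are my own illustration of how the translation works. The ACE grammar it accepts (source and destination as any or host A.B.C.D, optional eq port), the 10/20/30 numbering of unnumbered entries, and the choice of cmd over syslog when displaying port 514 are assumptions that mirror the behaviour described on the page rather than a complete IOS implementation. It goes slightly beyond the text by evaluating a packet against the ACL in sequence order with the implicit deny at the end, which is what makes the order of the deny and permit entries matter.

```python
"""ACL port-keyword helper: an added example, not code from the article or from Cisco.
The keyword table is transcribed from the page's "eq ?" output; everything else is
my own simplified model of IOS behaviour (ACE grammar, numbering and 514 display
name are assumptions)."""
import re

# keyword -> port, transcribed from the page's "access-list 151 ... eq ?" output
IOS_PORT_KEYWORDS = {
    "bgp": 179, "chargen": 19, "cmd": 514, "daytime": 13, "discard": 9,
    "domain": 53, "drip": 3949, "echo": 7, "exec": 512, "finger": 79,
    "ftp": 21, "ftp-data": 20, "gopher": 70, "hostname": 101, "ident": 113,
    "irc": 194, "klogin": 543, "kshell": 544, "login": 513, "lpd": 515,
    "nntp": 119, "pim-auto-rp": 496, "pop2": 109, "pop3": 110, "smtp": 25,
    "sunrpc": 111, "syslog": 514, "tacacs": 49, "talk": 517, "telnet": 23,
    "time": 37, "uucp": 540, "whois": 43, "www": 80,
}
# port -> keyword for display; 514 is both cmd and syslog, the first listed (cmd)
# is kept here (assumption: real IOS picks its own preferred display name)
PORT_TO_KEYWORD = {}
for _kw, _num in IOS_PORT_KEYWORDS.items():
    PORT_TO_KEYWORD.setdefault(_num, _kw)


def resolve_port(token):
    """Turn a number, a keyword, or an unambiguous keyword prefix ('tel') into an int."""
    if token.isdigit():
        port = int(token)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {token}")
        return port
    if token in IOS_PORT_KEYWORDS:      # exact match first: 'ftp' must not become 'ftp-data'
        return IOS_PORT_KEYWORDS[token]
    hits = [kw for kw in IOS_PORT_KEYWORDS if kw.startswith(token)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous port keyword: {token!r}")
    return IOS_PORT_KEYWORDS[hits[0]]


def label_port(port):
    """Render a port the way IOS shows known ones, 'telnet(23)'; unknown ports stay numeric."""
    kw = PORT_TO_KEYWORD.get(port)
    return f"{kw}({port})" if kw else str(port)


def port_range(port):
    """IANA range names as given in the article (well-known / registered / dynamic)."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"


ACE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_ace(line):
    """Parse one extended-ACL entry as typed or as printed by 'show ip access-lists'."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    port = m.group("port")
    if port is not None and m.group("proto") == "ip":
        raise ValueError("'eq' needs tcp or udp, not ip")
    return {"seq": int(m.group("seq")) if m.group("seq") else None,
            "action": m.group("action"), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"),
            "port": resolve_port(port) if port is not None else None}


def _addr_match(spec, ip):
    return spec == "any" or spec == f"host {ip}"


def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins, in sequence order; no match falls to the implicit deny."""
    aces = [parse_ace(l) for l in acl_lines]
    for i, ace in enumerate(aces):        # unnumbered entries get 10, 20, ... (assumption)
        if ace["seq"] is None:
            ace["seq"] = (i + 1) * 10
    for ace in sorted(aces, key=lambda a: a["seq"]):
        proto_ok = ace["proto"] == "ip" or ace["proto"] == proto
        port_ok = ace["port"] is None or ace["port"] == dst_port
        if proto_ok and port_ok and _addr_match(ace["src"], src_ip) and _addr_match(ace["dst"], dst_ip):
            return ace["action"]
    return "deny"


def annotate_debug_line(line):
    """Attach IOS keywords to the src=/dst= ports of a 'debug ip packet detail' TCP line."""
    return re.sub(r"\b(src|dst)=(\d+)\b",
                  lambda m: f"{m.group(1)}={label_port(int(m.group(2)))}", line)


# constructed sample: the article's access-list 152 after the MSN Messenger entry
ACL_152 = ["10 deny tcp any any eq 5190", "15 deny tcp any any eq 1863", "20 permit ip any any"]

if __name__ == "__main__":
    for ace in ACL_152:
        p = parse_ace(ace)
        print(p["seq"], p["action"], p["proto"], label_port(p["port"]) if p["port"] else "-")
    print("tcp/5190 ->", evaluate(ACL_152, "tcp", "10.1.1.1", "10.2.2.2", 5190))
    print("udp/5190 ->", evaluate(ACL_152, "udp", "10.1.1.1", "10.2.2.2", 5190))
    print(annotate_debug_line("TCP src=4672, dst=23, seq=4227579056, ack=1459609700, win=64636 ACK PSH"))
```

Two things worth noticing when you run it: the deny entries in ACL 152 name tcp only, so the same port carried over UDP falls through to the permit ip any any entry, and an ACL that contains only permits still drops everything else because of the implicit deny at the end. Both are exactly the kind of detail that a keyword such as www hides from you if you never learn the numbers behind it.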
TCP and UDP port numbers are very important in networking in general and when working with the Cisco IOS. While the Cisco IOS can help you translate some ports, it's still important to know the port numbers in use today -- or at least know how to quickly find them.
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.