
Display open TCP and UDP ports

With the introduction of Control Plane Policing features (available from 12.3(4)T), you can easily inspect all the open ports (servers and clients) on a router with the show control-plane host open-ports command, resulting in a printout very similar to the netstat -a printout on a Unix/Windows workstation. For example, on the router where I've configured BGP, HTTP server, NTP and DHCP, this command produces the following output (a session to a BGP neighbor as well as a telnet session was established):

R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
 tcp *:23 *:0 Telnet LISTEN
 tcp *:80 *:0 HTTP CORE LISTEN
 tcp *:179 *:0 BGP LISTEN
 tcp *:179 10.0.7.2:43962 BGP ESTABLIS
 tcp *:23 10.0.7.2:18036 Telnet ESTABLIS
 udp *:67 *:0 DHCPD Receive LISTEN
 udp *:68 *:0 BootP client LISTEN
 udp *:123 *:0 NTP LISTEN
Notes:
  • This show command does not display non-TCP/UDP servers (OSPF, EIGRP, RSVP) or even some UDP-based services (RIP).
  • Although I had been considering writing about CPP for a long time, Artur Szymanski was the one who brought this command to my attention. Thanks!
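
Since the printout is netstat-like, it lends itself to a quick audit of what the control plane is actually listening on. The following is an added example (not code from the post): it parses the output shown above and reports listeners that are not on a hypothetical approved baseline, which is how you would spot a forgotten service such as the one a reader found on his router.

```python
"""Parse 'show control-plane host open-ports' output and flag listeners not on a baseline."""
from collections import namedtuple

OpenPort = namedtuple("OpenPort", "proto local foreign service state")

# Sample output as printed in the post above. The Service column may contain
# spaces ("HTTP CORE", "DHCPD Receive"), so it is taken from the middle fields.
SAMPLE = """\
R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
 tcp *:23 *:0 Telnet LISTEN
 tcp *:80 *:0 HTTP CORE LISTEN
 tcp *:179 *:0 BGP LISTEN
 tcp *:179 10.0.7.2:43962 BGP ESTABLIS
 tcp *:23 10.0.7.2:18036 Telnet ESTABLIS
 udp *:67 *:0 DHCPD Receive LISTEN
 udp *:68 *:0 BootP client LISTEN
 udp *:123 *:0 NTP LISTEN
"""

def parse_open_ports(text):
    """Return a list of OpenPort records, skipping the prompt, banner and header."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # prompt, banner line, column header or blank line
        proto, local, foreign = fields[:3]
        state = fields[-1]
        service = " ".join(fields[3:-1])  # multi-word service names
        rows.append(OpenPort(proto, local, foreign, service, state))
    return rows

def listening_ports(rows):
    """Set of (proto, port) pairs the router is listening on."""
    return {(r.proto, int(r.local.rsplit(":", 1)[1]))
            for r in rows if r.state == "LISTEN"}

def unexpected_listeners(rows, baseline):
    """Listeners not in the approved baseline, sorted; each one deserves a look."""
    return sorted(listening_ports(rows) - set(baseline))

# Hypothetical baseline for this router: BGP, NTP, DHCP server and client.
BASELINE = {("tcp", 179), ("udp", 123), ("udp", 67), ("udp", 68)}

if __name__ == "__main__":
    for proto, port in unexpected_listeners(parse_open_ports(SAMPLE), BASELINE):
        print(f"unexpected listener: {proto}/{port}")
```

Because the command omits non-TCP/UDP servers (OSPF, EIGRP, RSVP) and some UDP-based services (RIP), treat the result as a partial inventory rather than a complete picture of what the router accepts.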

9 comments:

  1. I've been looking for this for a while now. Thanks a heap.

  2. "show ip sockets" is a similar command that works on older IOS versions.

  3. I can't test the "show ip sockets" command, as it's gone from 12.4T, but if I remember correctly, it did not display the TCP sessions ... but I may be completely wrong.

  4. Prior to 12.4T I used both show ip sockets and show tcp brief. However, I agree that in 12.4T the control plane command is much better.

  5. Sample from ver 12.2

    router#sho ip sockets
    Proto Remote Port Local Port In Out Stat TTY OutputIF
    17 --listen-- multicast 1985 0 0 41 0
    17 x.x.x.x 514 ServerIP 58795 0 0 20 0
    17 x.x.x.x 514 ServerIP 58849 0 0 20 0
    17 x.x.x.x 162 ServerIP 56261 0 0 0 0
    17 x.x.x.x 162 ServerIP 55417 0 0 0 0
    17 x.x.x.x 67 ServerIP 67 0 0 2211 0
    17 0.0.0.0 0 ServerIP 2228 0 0 211 0
    17 x.x.x.x 1058 ServerIP 161 0 0 1 0
    17 --listen-- ServerIP 162 0 0 11 0
    17 --listen-- ServerIP 51525 0 0 11 0
    17 --listen-- ServerIP 123 0 0 1 0
    17 --listen-- ServerIP 496 0 0 61 0


    router# sho tcp brief
    TCB Local Address Foreign Address (state)
    47198FA8 router.23 user.3305 ESTAB
    4724E2C8 router.14191 server.49 ESTAB
    4738EAB0 router.14190 server.49 TIMEWAIT

  6. Funniest thing

    I used the show control-plane host open-ports command on my little 877 ADSL Router running c870-advipservicesk9-mz.124-11.T.bin and it dropped the ATM (ADSL) interface.

    Anyhow, I found an open port I wasn't even aware was open and have closed it up. Very annoying.

    #show control-plane host open-ports
    Active internet connections (servers and established)
    Prot Local Address Foreign Address Service State
    tcp *:22 *:0 SSH-Server LISTEN
    tcp *:23 *:0 Telnet LISTEN
    tcp *:80 *:0 HTTP CORE LISTEN
    tcp *:443 *:0 HTTP CORE LISTEN
    udp *:67 *:0 DHCPD Receive LISTEN
    udp *:2887 *:0 DDP LISTEN
    udp *:123 *:0 NTP LISTEN


    Thanks Ivan

    1. Ivan,

      Did you use an ACL or a specific command to close UDP port 2887?

      Thanks.

    2. That wasn't me but one of the readers ;)

      DDP is AppleTalk-related, so he probably had some leftover AppleTalk configuration that he had to remove.

  7. Running 12.4(13b) on a 7200 (C7200-IK9S-M) and the command is not available.



Ivan Pepelnjak, CCIE#1354 Emeritus, is an independent network architect. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.