Cisco Catalyst 3650, opened port tcp 16113 - how to disable
Following a TCP scan port on our Catalyst 3650 from the Security team, we found port TCP 16113 is opened on our boxes. I found this is used by Network Mobility Services Protocol (NMSP) protocol; however, we don't use it & want it disabled.
I was not able to find on Cisco documentation how to remove this service & close this TCP port. We use 3.3.3 IOS-XE train.
I haven't found any information on shutting this down directly, but you can potentially use control plane policing to drop packets destined to this port.
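ip access-list extended ACL_NMSP
 permit tcp any any eq 16113
class-map match-all CM_NMSP
 match access-group name ACL_NMSP
! Drop NMSP traffic destined to the control plane
policy-map PM_CoPP
 class CM_NMSP
  drop
control-plane
 service-policy input PM_CoPP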
Thanks for your interest & your answer. Control-Plane policy is a good idea, unfortunately, the CoPP configuration is limited on Catalyst 3650 (we can't just police on pre-defined classes).
It seems the only thing we can do is to disable NMSP replies on an interface basis (nmsp attachment suppress on the interface); the port will still appear open on that interface, but the switch should not reply to NMSP messages.
Another solution would be to put an ACL on every interface, but this will be hard to maintain.
We also had this problem, but in the newer versions you can disable it easily with no nmsp enable. It seems like this makes an ACL for e.g. the vlan, but it helped us a lot. It was important for us to make this port not accessible. We now use 03.06.03.
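An added example, not part of the thread: a Python audit of a saved running-config for the two NMSP settings mentioned in the replies above (no nmsp enable globally, nmsp attachment suppress per interface). The sample config is constructed, and it is an assumption that both commands appear verbatim in the saved configuration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname SW-3650-LAB
!
interface GigabitEthernet1/0/1
 switchport mode access
 nmsp attachment suppress
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface TenGigabitEthernet1/1/1
 switchport mode trunk
!
"""

def audit_nmsp(config_text):
    """Return (globally_disabled, interfaces_without_suppress)."""
    globally_disabled = False
    suppressed = {}   # interface name -> True once suppress is seen
    current = None    # interface stanza currently being parsed
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            suppressed[current] = False
        elif line and not line.startswith(" "):
            # Any other unindented line ends the interface stanza.
            current = None
            # Assumption: the global command is saved as this exact line.
            if line == "no nmsp enable":
                globally_disabled = True
        elif current and line.strip() == "nmsp attachment suppress":
            suppressed[current] = True
    missing = [name for name, ok in suppressed.items() if not ok]
    return globally_disabled, missing

if __name__ == "__main__":
    disabled, missing = audit_nmsp(SAMPLE_CONFIG)
    print("NMSP globally disabled:", disabled)
    for name in missing:
        print("no 'nmsp attachment suppress' on", name)
```

As noted in the thread, per-interface suppression leaves TCP 16113 visible to a scan, so a re-scan is still needed to confirm the port is closed.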