08-30-2012 01:39 PM - edited 03-07-2019 08:37 AM
Anyone know of a way to disable UDP/68/BOOTPc on a catalyst switch? I was able to turn off UDP/67/BOOTPs. Just wondering if I can do the same with UDP/68.
Using a 3560G-24TS running IOS 12.2(50)SE3 code.
OUTPUT FROM SWITCH
switch#sh ip sock
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.1.1 68 0 0 1 0
17 0.0.0.0 0 192.168.1.1 2228 0 0 211 0
17 --listen-- 192.168.1.1 161 0 0 1001 0
17 --listen-- 192.168.1.1 162 0 0 1011 0
17 --listen-- 192.168.1.1 56874 0 0 1011 0
17 --listen-- --any-- 161 0 0 20001 0
17 --listen-- --any-- 162 0 0 20011 0
17 --listen-- --any-- 52946 0 0 20001 0
17 --listen-- 192.168.1.1 123 0 0 1 0
17 192.168.1.2 514 192.168.1.1 57436 0 0 400211 0
switch#
"flash:/c3560-ipbasek9-mz.122-50.SE3.bin"
WS-C3560G-24TS-S
Thanks in advance
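Added example (not from the thread or from Cisco): a small audit script that parses the `show ip sockets` output pasted above and lists the UDP sockets the switch is actually listening on that are not on an operator-defined allow list. The column layout it assumes is the one shown in the post, where a listening socket prints `--listen--` in place of both remote fields; the sample text is constructed from the pasted output, the service-name map is the IANA assignment for the ports that appear, and the IOS `Stat` flag field is kept raw rather than decoded.

```python
"""Audit the UDP sockets a Cisco IOS switch has open, from `show ip sockets`."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the `show ip sockets` output pasted in the thread above.
SAMPLE = """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.1.1 68 0 0 1 0
17 0.0.0.0 0 192.168.1.1 2228 0 0 211 0
17 --listen-- 192.168.1.1 161 0 0 1001 0
17 --listen-- 192.168.1.1 162 0 0 1011 0
17 --listen-- 192.168.1.1 56874 0 0 1011 0
17 --listen-- --any-- 161 0 0 20001 0
17 --listen-- --any-- 162 0 0 20011 0
17 --listen-- --any-- 52946 0 0 20001 0
17 --listen-- 192.168.1.1 123 0 0 1 0
17 192.168.1.2 514 192.168.1.1 57436 0 0 400211 0
"""

# IANA service names for the UDP ports that appear in the thread.
UDP_SERVICES = {67: "bootps", 68: "bootpc", 123: "ntp", 161: "snmp",
                162: "snmptrap", 514: "syslog"}


@dataclass
class Socket:
    proto: int
    remote: Optional[str]        # None when the socket is in --listen-- state
    remote_port: Optional[int]
    local: str                   # an address or --any--
    local_port: int
    stat: str                    # IOS socket flag field, kept raw (not decoded here)

    @property
    def listening(self) -> bool:
        return self.remote is None

    @property
    def service(self) -> str:
        return UDP_SERVICES.get(self.local_port, "unassigned/high")


def parse_ip_sockets(text: str) -> List[Socket]:
    """Parse rows of `show ip sockets`. Assumes the column layout shown in the
    thread: a listening socket prints `--listen--` in place of both remote fields,
    so its row has one token fewer than a connected socket's row."""
    sockets = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # header, prompt, or blank line
        proto = int(tok[0])
        if tok[1] == "--listen--":
            # Proto Remote Local LPort In Out Stat TTY
            remote, rport, local, lport, stat = None, None, tok[2], int(tok[3]), tok[6]
        else:
            # Proto Remote RPort Local LPort In Out Stat TTY
            remote, rport, local, lport, stat = tok[1], int(tok[2]), tok[3], int(tok[4]), tok[7]
        sockets.append(Socket(proto, remote, rport, local, lport, stat))
    return sockets


def unexpected_listeners(sockets: List[Socket], allowed_ports: Set[int]) -> List[Socket]:
    """Return listening UDP (proto 17) sockets whose local port is not allow-listed."""
    return [s for s in sockets
            if s.proto == 17 and s.listening and s.local_port not in allowed_ports]


if __name__ == "__main__":
    socks = parse_ip_sockets(SAMPLE)
    # Allow list: the management services this switch is meant to serve.
    for s in unexpected_listeners(socks, allowed_ports={123, 161, 162}):
        print(f"UDP/{s.local_port} ({s.service}) listening on {s.local}")
```

Run against the pasted output with NTP and SNMP allow-listed, the script reports UDP/68 (bootpc) plus the two high ports 56874 and 52946; connected sockets such as the syslog client socket towards 192.168.1.2:514 are not listeners and are left out. Comparing this list before and after a hardening change (for example a `no ip forward-protocol` line) is a quick way to confirm whether the change actually closed a socket.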
08-31-2012 10:56 AM
Hey,
take a look at this website:
http://www.cisco-faq.com/163/forward_udp_broadcas.html
It will give you the idea of why you do not need to further block udp 68 on your test switch.
Mark the thread as "answered" if you like.
Take Care
Alessio
08-30-2012 02:32 PM
http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf
Page 16-17
While you are there, read all of it. Everybody should be implementing this recommendation.
"No ip forward udp 68" is the short answer.
Take care
Alessio
Have a good reading
Alessio
Sent from Cisco Technical Support iPad App
08-30-2012 02:53 PM
Hi Alessio
Thanks for the reply and the great link. Unfortunately the command didn't take.
switch(config)#no ip forward-protocol udp bootpc
UDP port 68 not found to delete
switch#sh ip sock
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.1.1 68 0 0 1 0
17 0.0.0.0 0 192.168.1.1 2228 0 0 211 0
17 --listen-- 192.168.1.1 161 0 0 1001 0
17 --listen-- 192.168.1.1 162 0 0 1011 0
17 --listen-- 192.168.1.1 56874 0 0 1011 0
17 --listen-- --any-- 161 0 0 20001 0
17 --listen-- --any-- 162 0 0 20011 0
17 --listen-- --any-- 52946 0 0 20001 0
17 --listen-- 192.168.1.1 123 0 0 1 0
17 192.168.1.2 514 192.168.1.1 57436 0 0 400211 0
switch#
Also, I don't know if it makes any difference or not, but this is a standalone test switch with no connections to anything else.
Thanks
08-31-2012 12:03 PM
Hi alessio,
Can you explain how it can be listening on a client port? If I'm not mistaken, devices only listen on server ports?
Regards.
Alain