05-16-2016 04:41 PM - edited 03-08-2019 05:47 AM
Not sure if this is the correct community to be posting this, but here goes.
I need to see if I can disable the following UDP ports on my Cisco 3850 switches.
UDP ports: 5246, 5247, 6352, 12124, 12125, 12134, 12135, 12222, 12223, 16666, 16667, 16668
From research I have conducted I understand the following:
Ports 5246 & 5247 relate to Control And Provisioning of Wireless Access Points (control & data)
Port 6352 relates to Rogue Location Discovery Protocol (RLDP)
Ports 12124, 12125, 12134 & 12135 relate to Wireless LAN Controller (WLC)
Ports 12222 & 12223 relate to Lightweight Access Point Protocol (control & data)
Ports 16666, 16667 & 16668 relate to Wireless LAN Controller (WLC) Mobility Groups
Our switches do not have the WAP cards and no wireless on the network. Can I disable the services on the switch and in turn disable the ports? For example, UDP port 2228 relates to the layer 2 traceroute feature. I was able to disable this port by turning off the feature with the "no l2 traceroute" command. Are there commands for disabling the wireless features on the switch?
Brian
05-19-2016 10:11 AM
Hey Brian,
The wireless feature is not enabled by default in the 3850. In case it is, you can remove the following commands, if present.
Wireless mobility controller
Wireless management interface
Let me know if this helps.
05-19-2016 12:31 PM
Furose,
Yes, by default the switches are configured as mobility agents. Which is why I see UDP port 16666.
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name :
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 0
Switch Peer Group Members Configured : 0
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP Public IP Link Status
------------------------------------------------
0.0.0.0 0.0.0.0 N/A
I have been researching the 3850 command reference and do not see where I can disable these ports. I may just have to do an ACL to block these ports. However, I think they will still show up in the "sh ip sockets" command output.
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 172.17.8.5 16666 0 0 0 0
17 0.0.0.0 0 172.17.8.5 16667 0 0 0 0
17 0.0.0.0 0 172.17.8.5 12124 0 0 0 0
17 0.0.0.0 0 172.17.8.5 12125 0 0 0 0
17 0.0.0.0 0 172.17.8.5 12134 0 0 0 0
17 0.0.0.0 0 172.17.8.5 12135 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5246 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 0 0
17 0.0.0.0 0 172.17.8.5 12223 0 0 0 0
17 0.0.0.0 0 172.17.8.5 6352 0 0 0 0
17 --listen-- 172.17.8.5 1985 0 0 13001001 0
17 --listen-- 172.17.8.5 123 0 0 13001001 0
17(v6) --listen-- --any-- 123 0 0 13020001 0
17 0.0.0.0 0 172.17.8.5 5247 0 0 1000011 0
17(v6) --listen-- --any-- 161 0 0 13020001 0
17(v6) --listen-- --any-- 162 0 0 13020011 0
17(v6) --listen-- --any-- 1025 0 0 13020001 0
17 172.17.4.60 51144 172.17.0.1 161 0 0 13001001 0
17 --listen-- 172.17.8.5 162 0 0 13001011 0
17 --listen-- 172.17.8.5 1025 0 0 13001011 0
17 172.18.11.40 67 172.17.8.5 67 0 0 11002211 0
17 172.17.4.60 514 172.17.0.1 1026 0 0 3400200 0
17 172.17.4.62 514 172.17.0.1 1027 0 0 3400200 0
17 172.17.4.60 162 172.17.0.1 1028 0 0 13000000 0
17 172.17.4.62 162 172.17.0.1 1029 0 0 13000000 0
Brian
05-19-2016 04:51 PM
Brian,
Can you do a no form of those 2 commands I mentioned and check?
05-19-2016 05:18 PM
I did the "no" form of the above commands and this did not disable the ports.
SWITCH#sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 xxx.xx.x.x 16666 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 16667 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12124 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12125 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12134 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12135 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5246 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12223 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 6352 0 0 0 0
17 --listen-- xxx.xx.x.x 1985 0 0 13001001 0
17 --listen-- xxx.xx.x.x 123 0 0 13001001 0
17(v6) --listen-- --any-- 123 0 0 13020001 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 1000011 0
17(v6) --listen-- --any-- 161 0 0 13020001 0
17(v6) --listen-- --any-- 162 0 0 13020011 0
17(v6) --listen-- --any-- 1025 0 0 13020001 0
17 xxx.xx.x.xx 50486 xxx.xx.x.x 161 0 0 13001001 0
17 --listen-- xxx.xx.x.x 162 0 0 13001011 0
17 --listen-- xxx.xx.x.x 1025 0 0 13001011 0
17 xxx.xx.xx.xx 67 xxx.xx.x.x 67 0 0 11002211 0
17 xxx.xx.x.xx 514 xxx.xx.x.x 1026 0 0 3400200 0
17 xxx.xx.x.xx 514 xxx.xx.x.x 1027 0 0 3400200 0
17 xxx.xx.x.xx 162 xxx.xx.x.x 1028 0 0 13000000 0
17 xxx.xx.x.xx 162 xxx.xx.x.x 1029 0 0 13000000 0
SWITCH#config t
Enter configuration commands, one per line. End with CNTL/Z.
SWITCH(config)#no wireless mobility controller
SWITCH(config)#no wireless management interface
SWITCH(config)#end
SWITCH#sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 xxx.xx.x.x 16666 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 16667 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12124 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12125 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12134 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12135 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5246 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 12223 0 0 0 0
17 0.0.0.0 0 xxx.xx.x.x 6352 0 0 0 0
17 --listen-- xxx.xx.x.x 1985 0 0 13001001 0
17 --listen-- xxx.xx.x.x 123 0 0 13001001 0
17(v6) --listen-- --any-- 123 0 0 13020001 0
17 0.0.0.0 0 xxx.xx.x.x 5247 0 0 1000011 0
17(v6) --listen-- --any-- 161 0 0 13020001 0
17(v6) --listen-- --any-- 162 0 0 13020011 0
17(v6) --listen-- --any-- 1025 0 0 13020001 0
17 xxx.xx.x.xx 63093 xxx.xx.x.x 161 0 0 13001001 0
17 --listen-- xxx.xx.x.x 162 0 0 13001011 0
17 --listen-- xxx.xx.x.x 1025 0 0 13001011 0
17 xxx.xx.xx.xx 67 xxx.xx.x.x 67 0 0 11002211 0
17 xxx.xx.x.xx 514 xxx.xx.x.x 1026 0 0 3400200 0
17 xxx.xx.x.xx 514 xxx.xx.x.x 1027 0 0 3400200 0
17 xxx.xx.x.xx 162 xxx.xx.x.x 1028 0 0 13000000 0
17 xxx.xx.x.xx 162 xxx.xx.x.x 1029 0 0 13000000 0
SWITCH#
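Added example, not part of any post in this thread: a Python sketch that parses "sh ip sockets" text like the output above, flags the wireless-related UDP ports using the mapping given in the opening post, and diffs two captures to confirm whether a configuration change actually closed anything. The function names and the sample rows (192.0.2.x addresses) are constructed for illustration.

```python
import re

# Port-to-feature mapping as listed in the opening post of this thread.
WIRELESS_UDP = {
    5246: "CAPWAP control", 5247: "CAPWAP data", 6352: "RLDP",
    12124: "WLC", 12125: "WLC", 12134: "WLC", 12135: "WLC",
    12222: "LWAPP control", 12223: "LWAPP data",
    16666: "WLC mobility", 16667: "WLC mobility", 16668: "WLC mobility",
}

ROW = re.compile(r"^(\d+)(\(v6\))?\s+(.*)$")  # protocol number, optional (v6), rest

def local_udp_ports(output):
    """Return the set of local UDP ports found in 'sh ip sockets' text."""
    ports = set()
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(1) != "17":   # 17 = UDP; prompts and headers are skipped
            continue
        f = m.group(3).split()
        # A '--listen--' row has no remote-port column, so the local port shifts left.
        idx = 2 if f[0] == "--listen--" else 3
        if len(f) > idx and f[idx].isdigit():
            ports.add(int(f[idx]))
    return ports

def wireless_exposure(output):
    """Map each open wireless-related UDP port to its feature name."""
    found = local_udp_ports(output)
    return {p: WIRELESS_UDP[p] for p in sorted(found) if p in WIRELESS_UDP}

def closed_by_change(before, after):
    """Wireless ports present before a config change and gone afterwards."""
    return sorted(set(wireless_exposure(before)) - set(wireless_exposure(after)))

# Constructed sample in the same row layout as the thread's output.
SAMPLE = """SWITCH#sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 192.0.2.5 16666 0 0 0 0
17 0.0.0.0 0 192.0.2.5 5246 0 0 0 0
17 0.0.0.0 0 192.0.2.5 5247 0 0 0 0
17 0.0.0.0 0 192.0.2.5 5247 0 0 0 0
17 --listen-- 192.0.2.5 123 0 0 13001001 0
17(v6) --listen-- --any-- 161 0 0 13020001 0
17 192.0.2.60 514 192.0.2.1 1026 0 0 3400200 0
"""

if __name__ == "__main__":
    print(wireless_exposure(SAMPLE))
    print(closed_by_change(SAMPLE, SAMPLE))  # identical captures: nothing closed
```

An empty result from closed_by_change on the before and after captures means the change left every wireless socket in place, which is the outcome reported in the last post.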