Most people are familiar with the netstat command on Windows and UNIX-like systems, which lists open TCP and UDP ports as well as current TCP connections. Cisco IOS provides a similar command: show control-plane host open-ports. Recall that a router's control plane handles traffic destined for the router itself, whereas the data plane is responsible for passing transit traffic. The output of this command is nearly identical to that of Windows' netstat -n:
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:2887 *:0 DDP LISTEN
The output above is from a default configuration running IOS 12.4(9)T1. It lists TCP/23 (telnet), TCP/80 (HTTP), UDP/67 (DHCP daemon), and UDP/2887 (WLCCP). Just like netstat, new TCP connections are listed with a state of "established" (truncated to ESTABLIS in the State column). Below, an administrator has connected to the web configuration interface of the router:
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:80 10.0.0.8:53743 HTTP CORE ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:2887 *:0 DDP LISTEN
Disabling the web configuration service will remove TCP/80 from the open ports:
Router(config)# no ip http server
Router(config)# ^Z
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:2887 *:0 DDP LISTEN
Similarly, enabling a new connection-oriented service on the control plane opens additional ports. For example, BGP opens TCP/179 and initiates a connection with each neighbor:
Router(config)# router bgp 100
Router(config-router)# neighbor 10.0.0.2 remote-as 100
Router(config-router)# ^Z
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:179 *:0 BGP LISTEN
tcp *:179 10.0.0.2:15158 BGP ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:2887 *:0 DDP LISTEN
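To turn this output into a repeatable check, the following added example (not part of the original article) parses it and reports listeners and established peers that fall outside a baseline. The baseline values and the function names are assumptions made for illustration; the sample input is the BGP output shown above.

```python
import re

# Sample input: the BGP-example output shown above, embedded so this runs offline.
SAMPLE = """\
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:179 *:0 BGP LISTEN
tcp *:179 10.0.0.2:15158 BGP ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:2887 *:0 DDP LISTEN
"""

# proto, local addr:port, foreign addr:port, service (may contain spaces), state
ROW = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(\S+)\s*$")

def parse_open_ports(text):
    """Return one dict per socket row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, _, lport, peer, _, service, state = m.groups()
            rows.append({"proto": proto, "port": int(lport), "peer": peer,
                         "service": service, "state": state})
    return rows

def audit(text, allowed_listeners, expected_peers):
    """Return (listeners outside the baseline, sessions from unexpected peers)."""
    bad_listeners, bad_peers = [], []
    for r in parse_open_ports(text):
        if r["state"] == "LISTEN":
            if (r["proto"], r["port"]) not in allowed_listeners:
                bad_listeners.append((r["proto"], r["port"], r["service"]))
        elif r["state"].startswith("ESTAB"):  # IOS truncates to ESTABLIS
            if r["peer"] not in expected_peers:
                bad_peers.append((r["proto"], r["port"], r["peer"]))
    return bad_listeners, bad_peers

if __name__ == "__main__":
    # Hypothetical baseline: only BGP and DHCP should listen; 10.0.0.2 is the BGP neighbor.
    listeners, peers = audit(SAMPLE, {("tcp", 179), ("udp", 67)}, {"10.0.0.2"})
    for proto, port, service in listeners:
        print(f"unexpected listener: {proto}/{port} ({service})")
    for proto, port, peer in peers:
        print(f"unexpected peer on {proto}/{port}: {peer}")
```

With this baseline the script flags tcp/23 (Telnet) and udp/2887 (DDP) as unexpected listeners and accepts the BGP session from 10.0.0.2.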
A similar command on older IOS versions is show ip sockets, but it doesn't seem to list TCP sockets. It does, however, list other non-UDP protocols such as EIGRP (the Proto column is the IP protocol number: 17 is UDP, 88 is EIGRP):
Router# show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- --any-- 2887 0 0 11 0
17 0.0.0.0 0 10.0.0.1 67 0 0 2211 0
88 --listen-- --any-- 100 0 0 0 0
You can also issue the command "show tcp brief all" to list TCP sockets in use or listening. The command "show control-plane .." is not yet available in all releases, like the 12.2(33)SR train.
Thanks for a really nice blog!
Thanks a lot, that's very useful. I was looking for that command for a while.
Thanks.
Good article, stretch. I enjoy your stuff.
Stretch,
What IOS ver is this command available on? I am on 12.4-21 and it seems it is unavailable.
Keep up the awesome work!
Hey, Stretch, could you please describe the command:
R#show inventory
Which lists all Network Modules on the router.
Thanks!
I met a case where RIP is the routing protocol between routers but port 520 is closed by my security policy on the control plane closed-port option. It's the only option applied to open ports on routers in IOS 12.4(14T). Anyone know how to open an arbitrary port on a router?
Hi, everybody. One of the best sites I have visited. Thanks.