Common Network Port Numbers – Full Reference

1. What Are Ports and Why Do They Exist?

An IP address identifies a device on a network — but a modern device runs dozens of applications simultaneously (web server, SSH daemon, DNS resolver, SNMP agent). A port number is a 16-bit integer (0–65535) that identifies a specific service or process on a device, allowing the transport layer (TCP or UDP) to deliver each incoming packet to the correct application.

The combination of IP address + protocol + port number is called a socket. A unique socket pair (source socket + destination socket) identifies every active network session. For example, your browser connecting to a web server creates a session from 192.168.1.10:54321 → 93.184.216.34:443 — your device's random ephemeral port to the server's HTTPS port.

  How ports differentiate services on the same IP address:

  Device IP: 192.168.1.1

  Incoming packet → Dst port 22  → SSH daemon  (remote management)
  Incoming packet → Dst port 80  → HTTP server (web interface)
  Incoming packet → Dst port 161 → SNMP agent  (network monitoring)
  Incoming packet → Dst port 443 → HTTPS server (secure web)

  Without port numbers, the device would not know which application
  should receive each packet. Ports are the mechanism that allows
  a single IP address to host multiple concurrent services.

  Socket pair example — SSH session:
  Client: 10.0.0.5:52341   (source: random ephemeral port)
  Server: 192.168.1.1:22   (destination: SSH well-known port)
  These four values, together with the transport protocol (TCP here),
  form the 5-tuple that uniquely identifies the session.

Related pages: Ports Overview | Network Protocols | OSI Model | TCP/IP Model | ACL Overview | Firewall Overview | Applying ACLs

2. TCP vs UDP — Choosing the Right Transport

Port numbers exist in two flavours depending on the Layer 4 transport protocol. TCP port 80 and UDP port 80 are different sockets, and a firewall rule for one says nothing about the other. In practice most well-known services use one transport, not both (HTTP uses TCP 80; QUIC/HTTP3 uses UDP 443). Understanding why a protocol uses TCP or UDP explains much about its behaviour.

Feature      │ TCP (Transmission Control Protocol)                                                          │ UDP (User Datagram Protocol)
Connection   │ Connection-oriented — 3-way handshake (SYN → SYN-ACK → ACK) before data transfer              │ Connectionless — data sent immediately, no setup
Reliability  │ Guaranteed delivery — acknowledgements, retransmission of lost segments, sequence numbers      │ Best-effort — no acknowledgements, no retransmission; lost datagrams are gone
Ordering     │ In-order delivery — segments reassembled in sequence                                           │ No ordering guarantee — datagrams may arrive out of order
Overhead     │ High — 20-byte minimum header; windowing; congestion control                                   │ Low — 8-byte header; minimal processing
Speed        │ Slower due to the handshake, acknowledgement delays and congestion control                     │ Faster — no handshake, no ACK wait
Flow control │ Yes — sliding window prevents the sender from overwhelming the receiver                        │ No — the application chooses the send rate; nothing in UDP slows it down
Typical uses │ HTTP/HTTPS, FTP, SSH, Telnet, SMTP, BGP — any application where data integrity is critical     │ DNS (queries), DHCP, SNMP, Syslog, TFTP, VoIP/RTP, NTP — fast, latency-sensitive, or simple request-reply protocols

Port Number Ranges

Range         │ Name                                │ Description
0 – 1023      │ Well-Known Ports (System Ports)     │ Assigned by IANA to standard, widely-used services. On Unix-like systems only root (or, on Linux, a process holding CAP_NET_BIND_SERVICE) may bind to them; Windows does not enforce this boundary. All CCNA exam ports are in this range or the registered range.
1024 – 49151  │ Registered Ports                    │ Registered with IANA by vendors for specific applications. Examples: RDP (3389), MySQL (3306), HTTPS alt (8443). Do not require elevated privileges to bind.
49152 – 65535 │ Dynamic / Ephemeral / Private Ports │ The IANA range from which the OS is expected to draw client-side source ports for outbound connections. Not statically assigned to any service. Operating systems differ in practice: Linux defaults to 32768–60999 (net.ipv4.ip_local_port_range), so a real client's source port often falls inside the "registered" range. Do not write firewall rules that assume ephemeral ports start at 49152.
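To make the socket-pair and port-range ideas above concrete, here is an added Python example (not part of the original page). It starts two fake "services" on the loopback address, connects to each, and reads back the socket pair the kernel assigned, showing that the destination port alone selects the service and that the client is given an ephemeral source port. The banners are constructed for the demo, and the Linux default ephemeral range is assumed rather than read from the host; it needs a system where binding to port 0 asks the kernel for a free port.

```python
import socket

# IANA range boundaries from the table above.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
# Linux's default net.ipv4.ip_local_port_range (assumed default, not read from the host):
LINUX_EPHEMERAL = range(32768, 61000)


def port_class(port: int) -> str:
    """Classify a port number into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside 0-65535")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


def five_tuple(sock: socket.socket) -> tuple:
    """(protocol, local_ip, local_port, peer_ip, peer_port) for a connected socket."""
    proto = "tcp" if sock.type == socket.SOCK_STREAM else "udp"
    local_ip, local_port = sock.getsockname()[:2]
    peer_ip, peer_port = sock.getpeername()[:2]
    return (proto, local_ip, local_port, peer_ip, peer_port)


def demo_demultiplex(banners=(b"SSH-2.0-demo\r\n", b"HTTP/1.0 200 OK\r\n")) -> list:
    """Run one fake 'service' per banner on 127.0.0.1, connect to each, and record
    the socket pair the kernel used. Shows that the destination port alone picks
    the service and that the client side gets an ephemeral source port."""
    listeners = []
    for banner in banners:
        ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ls.bind(("127.0.0.1", 0))        # port 0: the kernel picks a free port
        ls.listen(1)
        listeners.append((ls, banner))

    sessions = []
    try:
        for ls, banner in listeners:
            dport = ls.getsockname()[1]
            client = socket.create_connection(("127.0.0.1", dport))
            server_side, peer = ls.accept()  # handshake already completed in the backlog
            with server_side, client:
                server_side.sendall(banner)
                received = client.recv(64)
                proto, sip, sport, dip, dport_seen = five_tuple(client)
                sessions.append({
                    "five_tuple": (proto, sip, sport, dip, dport_seen),
                    "correct_service": received == banner,   # demux by dst port worked
                    "peer_is_client_socket": peer == (sip, sport),
                    "src_port_class": port_class(sport),
                    "src_port_in_linux_default_range": sport in LINUX_EPHEMERAL,
                })
    finally:
        for ls, _ in listeners:
            ls.close()
    return sessions


if __name__ == "__main__":
    for session in demo_demultiplex():
        print(session)
```

On a default Linux host the printed source ports usually land in 32768–60999, which port_class() reports as "registered": that is the caveat from the table in running code.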

3. Essential CCNA Port Numbers — Master Table

The following table covers the port numbers that appear on the CCNA exam together with those most often met in real-world network configuration and troubleshooting. Sorted by port number for easy reference.

Port(s) │ Protocol │ Transport │ Description │ Notes
20 │ FTP Data │ TCP │ File Transfer Protocol — data channel (active mode) │ Used only in active FTP; passive FTP uses a dynamic high port on the server instead. See: FTP Overview
21 │ FTP Control │ TCP │ FTP command/control channel — authentication, directory listing commands │ Always port 21 for control regardless of active/passive mode. See: FTP Overview
22 │ SSH │ TCP │ Secure Shell — encrypted remote management, secure file transfer (SFTP/SCP run over SSH) │ Replacement for Telnet and rlogin. On Cisco devices configure ip ssh version 2 so that the weaker SSHv1 is not negotiated. See: SSH Overview | SSH Configuration Lab
23 │ Telnet │ TCP │ Remote terminal access — unencrypted plaintext │ Insecure — all data including passwords is sent in plaintext. Replaced by SSH (22) in all modern deployments. See: Telnet Overview
25 │ SMTP │ TCP │ Simple Mail Transfer Protocol — mail server to mail server delivery │ Unauthenticated relay between MTAs. Many ISPs block outbound 25 from customer networks to limit spam. See: SMTP Overview
49 │ TACACS+ │ TCP │ Terminal Access Controller Access-Control System Plus — AAA protocol for device administration │ Cisco-developed successor to TACACS. Obfuscates the entire packet body with an MD5-based keystream derived from the shared key (RADIUS hides only the User-Password attribute). This is not modern encryption, so keep TACACS+ traffic on an isolated management network. See: AAA Overview
53 │ DNS │ TCP and UDP │ Domain Name System — name-to-IP resolution │ UDP 53 for ordinary queries. When a response will not fit in the client's UDP payload size (512 bytes without EDNS0) the server sets the TC bit and the client retries over TCP 53; zone transfers (AXFR/IXFR) always use TCP. Blocking TCP 53 breaks large responses such as DNSSEC. See: DNS Overview
67 │ DHCP Server │ UDP │ DHCP server listens on this port for client Discover and Request messages │ Client uses source port 68, destination port 67. UDP is used because the client has no IP address yet (it cannot complete a TCP handshake). See: DHCP Overview | DHCP Server Configuration Lab
68 │ DHCP Client │ UDP │ DHCP client port — receives Offer and ACK from the server │ Client sends from 0.0.0.0:68 → 255.255.255.255:67 (broadcast) during the DORA process. See: DHCP Overview
69 │ TFTP │ UDP │ Trivial File Transfer Protocol — simple file transfer with no authentication │ Used for Cisco IOS image transfers, router config backups, and IP phone firmware. No directory listing support; anyone who can reach the server can read or write files, so restrict it with ACLs. See: FTP/TFTP Comparison
80 │ HTTP │ TCP │ Hypertext Transfer Protocol — unencrypted web traffic │ Increasingly redirected to HTTPS 443 by modern web servers. Also used for the Cisco router HTTP management interface (disable with no ip http server if unused). See: HTTP & HTTPS
110 │ POP3 │ TCP │ Post Office Protocol v3 — email retrieval from server to client │ Downloads and typically deletes mail from the server. Largely replaced by IMAP (143) in modern deployments.
119 │ NNTP │ TCP │ Network News Transfer Protocol — Usenet newsgroup access │ Legacy protocol. Rarely encountered in modern networks.
123 │ NTP │ UDP │ Network Time Protocol — clock synchronisation │ The server always listens on 123; classic ntpd clients also send from 123, while many modern clients use an ephemeral source port. UDP is used because a lost request is simply repeated at the next poll. See: NTP Overview | NTP Configuration Lab
143 │ IMAP │ TCP │ Internet Message Access Protocol — email retrieval with server-side folder management │ Unlike POP3, IMAP keeps mail on the server — multi-device access. IMAPS (encrypted) uses port 993.
161 │ SNMP │ UDP │ Simple Network Management Protocol — manager queries agent / agent responds │ Manager sends GET/SET to the agent at UDP 161. See: SNMP Overview | SNMP Configuration Lab
162 │ SNMP Trap │ UDP │ SNMP Trap / Inform — agent sends unsolicited alerts to the manager │ Agent sends Trap to the manager's UDP port 162. Direction is reversed from 161. See: SNMP Traps
179 │ BGP │ TCP │ Border Gateway Protocol — inter-AS routing between routers / ISPs │ BGP peers establish TCP 179 sessions. TCP ensures reliable delivery of routing updates. See: BGP Overview
389 │ LDAP │ TCP (and UDP) │ Lightweight Directory Access Protocol — directory service queries (Active Directory, OpenLDAP) │ LDAPS (encrypted) uses port 636. Used by 802.1X and AAA systems.
443 │ HTTPS │ TCP │ HTTP Secure — TLS-encrypted web traffic │ Standard for all secure web and API communication. Also used by RESTCONF (device programmability). See: HTTP & HTTPS
465 │ SMTPS │ TCP │ SMTP over SSL/TLS (implicit TLS) │ Email client to mail server submission with implicit TLS (RFC 8314). 587 with STARTTLS is the alternative. See: SMTP Overview
514 │ Syslog │ UDP │ System Logging Protocol — devices send log messages to a central syslog server │ UDP 514 is the default (no reliability guarantee). TCP 514 (or TLS on 6514) can be used for reliable delivery. See: Syslog Overview | Syslog Configuration Lab
520 │ RIP │ UDP │ Routing Information Protocol — distance-vector routing protocol │ RIP uses UDP 520 for routing updates between neighbours. RIPv2 uses multicast 224.0.0.9. See: RIP Concepts
587 │ SMTP Submission │ TCP │ SMTP mail submission — authenticated email from client to outbound mail server │ Modern standard for email client to server submission (with STARTTLS). Replaces port 25 for client authentication. See: SMTP Overview
636 │ LDAPS │ TCP │ LDAP over SSL/TLS — encrypted directory service │ Encrypted equivalent of LDAP 389. Used for secure Active Directory queries.
646 │ LDP │ TCP and UDP │ Label Distribution Protocol — distributes MPLS labels between routers in an MPLS network │ LDP hello messages use UDP 646 (discovery). LDP sessions use TCP 646. See: MPLS Overview
830 │ NETCONF │ TCP (over SSH) │ Network Configuration Protocol — XML-based programmatic device configuration │ SSH is the transport; NETCONF sessions run on port 830 (not the standard SSH port 22). See: NETCONF & RESTCONF
989 │ FTPS Data │ TCP │ FTP over SSL/TLS — data channel (implicit mode) │ Encrypted FTP. FTPS implicit mode uses 989 (data) and 990 (control).
990 │ FTPS Control │ TCP │ FTP over SSL/TLS — control channel (implicit mode) │ Encrypted FTP control channel.
993 │ IMAPS │ TCP │ IMAP over SSL/TLS — encrypted email retrieval │ Encrypted IMAP. Used by email clients for secure mailbox access.
995 │ POP3S │ TCP │ POP3 over SSL/TLS — encrypted email download │ Encrypted POP3 for legacy email clients.
1812 │ RADIUS Auth │ UDP │ RADIUS authentication and authorisation requests │ NAS (Network Access Server) sends auth requests to the RADIUS server at UDP 1812. See: AAA Local vs RADIUS
1813 │ RADIUS Accounting │ UDP │ RADIUS accounting — session start/stop records │ NAS sends accounting records (login time, bytes transferred) to the RADIUS server at UDP 1813. See: AAA Local vs RADIUS
2049 │ NFS │ TCP and UDP │ Network File System — remote filesystem mounting (Unix/Linux) │ Used in data centre environments. NFSv4 uses TCP 2049.
3389 │ RDP │ TCP (and UDP) │ Remote Desktop Protocol — graphical remote access to Windows systems │ Microsoft proprietary. Frequently targeted by brute-force attacks — never expose it directly to the Internet; restrict access via ACL or VPN.
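The DNS row above says UDP first, TCP when the answer does not fit. The following added Python example (not code from the original page) builds a DNS query, inspects the TC (truncated) flag in the response header, and falls back to the 2-byte length-prefixed framing DNS uses over TCP 53. The responder is a constructed stand-in for an authoritative server, not a real resolver: it returns the full answer set over TCP and, over UDP, truncates any message that would exceed the classic 512-byte limit. The name example.test, the transaction ID and the 10.0.0.x addresses are made up.

```python
import struct

FLAG_QR, FLAG_RA, FLAG_TC, FLAG_RD = 0x8000, 0x0080, 0x0200, 0x0100
CLASSIC_UDP_LIMIT = 512          # pre-EDNS0 maximum UDP payload (RFC 1035)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, root-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Header (RD set, one question) followed by the question section (class IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


# ---- constructed stand-in server (NOT a real resolver) -----------------------
def fake_answer(query: bytes, n_records: int) -> bytes:
    """Echo the question and append n_records A records (16 bytes each, using a
    0xC00C compression pointer back to the question name)."""
    qid = parse_header(query)["id"]
    question = query[12:]
    rrs = b"".join(struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 10, 0, 0, i)
                   for i in range(1, n_records + 1))
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_RA, 1, n_records, 0, 0)
    return header + question + rrs


def fake_udp_responder(query: bytes, n_records: int) -> bytes:
    full = fake_answer(query, n_records)
    if len(full) <= CLASSIC_UDP_LIMIT:
        return full
    # Too big for classic UDP: keep the question, drop the answers, set TC.
    qid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]


def fake_tcp_responder(query: bytes, n_records: int) -> bytes:
    return tcp_frame(fake_answer(query, n_records))
# -----------------------------------------------------------------------------


def resolve(name: str, udp_send, tcp_send) -> dict:
    """Stub-resolver logic: ask over UDP 53 first; if the reply is truncated,
    repeat the same query over TCP 53. udp_send/tcp_send take the query bytes
    and return the raw datagram / the length-prefixed TCP stream respectively."""
    query = build_query(name)
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction ID mismatch: discard (possible spoofed reply)")
    transport = "udp"
    if hdr["tc"]:
        reply = tcp_unframe(tcp_send(query))
        hdr = parse_header(reply)
        transport = "tcp"
    return {"transport": transport, "ancount": hdr["ancount"], "bytes": len(reply)}


if __name__ == "__main__":
    small = resolve("example.test", lambda q: fake_udp_responder(q, 5),
                    lambda q: fake_tcp_responder(q, 5))
    big = resolve("example.test", lambda q: fake_udp_responder(q, 40),
                  lambda q: fake_tcp_responder(q, 40))
    print(small)   # 110-byte answer fits in one datagram: stays on UDP
    print(big)     # 670-byte answer: TC set on UDP, retried over TCP
```

The transaction-ID check is the minimum a stub resolver must do before trusting a UDP reply; the TCP retry is exactly the traffic that disappears when a firewall permits only udp 53.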

4. Routing Protocol Ports and Identifiers

Routing protocols are a special case — some use TCP or UDP port numbers, but others are defined as IP protocol numbers (not TCP/UDP ports at all) and operate directly above the IP layer. This distinction matters for ACL and firewall configuration.

Protocol │ Transport / IP Protocol │ Port / Protocol Number │ Multicast Address │ Notes
RIP / RIPv2 │ UDP │ 520 │ 224.0.0.9 (RIPv2) │ RIPv1 uses broadcast; RIPv2 uses multicast. See: RIP Concepts
OSPF │ IP protocol 89 │ No TCP/UDP port — IP protocol 89 │ 224.0.0.5 (All OSPF Routers), 224.0.0.6 (DR/BDR) │ OSPF runs directly over IP (not TCP or UDP). To permit OSPF in an ACL: permit ospf any any, or permit 89 any any using the protocol number. See: OSPF Config
EIGRP │ IP protocol 88 │ No TCP/UDP port — IP protocol 88 │ 224.0.0.10 (All EIGRP Routers) │ EIGRP runs directly over IP. To permit in ACL: permit eigrp …. See: EIGRP Overview
BGP │ TCP │ 179 │ N/A — unicast only │ BGP uses TCP for reliable session establishment and in-order delivery of routing updates. See: BGP Overview
VRRP │ IP protocol 112 │ No TCP/UDP port — IP protocol 112 │ 224.0.0.18 │ Virtual Router Redundancy Protocol (open standard). See: VRRP & GLBP
HSRP │ UDP │ 1985 (v1 and v2) │ 224.0.0.2 (v1) / 224.0.0.102 (v2) │ Cisco proprietary FHRP. Both versions send hellos to UDP 1985; version 2 changed the multicast group and packet format, not the port. See: HSRP Overview
PIM │ IP protocol 103 │ No TCP/UDP port — IP protocol 103 │ 224.0.0.13 (All PIM Routers) │ Protocol Independent Multicast — multicast routing.
LDP (MPLS) │ TCP and UDP │ 646 │ 224.0.0.2 (hellos) │ Label Distribution Protocol for MPLS label exchange: UDP hellos to 224.0.0.2, then a TCP session between the peers. See: MPLS Overview
IP Protocol Numbers vs Port Numbers: OSPF (89) and EIGRP (88) do not use TCP or UDP — they are identified by their IP Protocol Number in the IP header, not a port number. When writing extended ACLs to permit OSPF, you use permit ospf any any (Cisco syntax) rather than a TCP/UDP port. Port 179 (BGP), 520 (RIP), and 646 (LDP) are true TCP/UDP port numbers.

5. File Transfer and Remote Access Ports

File transfer and remote access protocols are among the most commonly configured services on network devices and servers. Understanding their ports — and the security implications of each — is essential for both the CCNA exam and real-world network design.

FTP — Active vs Passive Mode (Ports 20 and 21)

  FTP Active Mode (uses both port 20 and 21):
  ┌────────────────────────────────────────────────────────────┐
  │ 1. Client connects FROM random ephemeral port TO server 21 │
  │    (control connection established)                        │
  │ 2. Client sends PORT command: "connect back to me on       │
  │    port X for data"                                        │
  │ 3. Server initiates data connection FROM port 20 TO client │
  │    port X                                                  │
  │ Problem: server initiates inbound — blocked by most NAT    │
  │ and firewalls on the client side.                          │
  └────────────────────────────────────────────────────────────┘

  FTP Passive Mode (uses only port 21 for control, dynamic for data):
  ┌────────────────────────────────────────────────────────────┐
  │ 1. Client connects FROM random port TO server 21           │
  │    (control connection)                                    │
  │ 2. Client sends PASV command: "tell me where to connect    │
  │    for data"                                               │
  │ 3. Server responds with a random high port (e.g., 50000)   │
  │ 4. Client initiates data connection TO server:50000        │
  │ Benefit: client always initiates both connections —        │
  │ NAT and firewalls work correctly.                          │
  └────────────────────────────────────────────────────────────┘

  Summary: Active mode uses port 20 for data (server-initiated).
  Passive mode uses a dynamic server port for data (client-initiated).
  Modern FTP clients use passive mode by default.
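The two flows above are easiest to reason about once you can read the actual PORT and PASV messages. The added Python example below (not part of the original page) encodes the client's PORT command, decodes the server's 227 reply into the dynamic data port a firewall must permit, and flags the case where the server advertises an address other than the one the control connection is talking to, a passive-mode trick that a careful client or FTP inspector should refuse. The addresses, ports and reply strings are constructed.

```python
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: tell the server where to connect back for the data channel.
    The port is split into high and low bytes: p1*256 + p2 == client_port."""
    if not 1024 <= client_port <= 65535:
        raise ValueError("data port must be an unprivileged port")
    fields = client_ip.split(".") + [str(client_port // 256), str(client_port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


def parse_pasv_reply(reply: str) -> tuple:
    """Passive mode: decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    into (ip, port). Raises ValueError on anything malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("227 reply does not carry an address tuple")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def plan_data_connection(mode: str, client_ip: str, server_ip: str,
                         client_data_port: int = None, pasv_reply: str = None) -> dict:
    """Describe the data channel for either FTP mode in the terms an ACL or
    firewall author cares about: who initiates, from which socket, to which."""
    if mode == "active":
        return {"initiator": "server",
                "src": (server_ip, 20),
                "dst": (client_ip, client_data_port),
                "client_command": build_port_command(client_ip, client_data_port),
                "warning": None}
    if mode == "passive":
        advertised_ip, data_port = parse_pasv_reply(pasv_reply)
        warning = None
        if advertised_ip != server_ip:
            # The server asked us to connect somewhere else. Use the control
            # connection's peer instead (what curl's --ftp-skip-pasv-ip does).
            warning = (f"PASV advertised {advertised_ip} but control peer is "
                       f"{server_ip}; using control peer")
        return {"initiator": "client",
                "src": (client_ip, "ephemeral"),
                "dst": (server_ip, data_port),
                "client_command": "PASV\r\n",
                "warning": warning}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    print(plan_data_connection("active", "10.0.0.5", "192.0.2.10", client_data_port=52341))
    print(plan_data_connection("passive", "10.0.0.5", "192.0.2.10",
                               pasv_reply="227 Entering Passive Mode (192,0,2,10,195,80)"))
    print(plan_data_connection("passive", "10.0.0.5", "192.0.2.10",
                               pasv_reply="227 Entering Passive Mode (198,51,100,7,195,80)"))
```

The third call is the case a stateful firewall has to handle: it can only open the pinhole for the data connection by parsing the 227 reply on the control channel, and it should open it towards the control peer, not towards whatever host the reply names.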

SSH vs Telnet Security Comparison

Feature │ SSH (Port 22) │ Telnet (Port 23)
Encryption │ Full encryption — all data, credentials, and commands are encrypted │ None — all data including passwords transmitted in plaintext
Authentication │ Password, public key, or certificate-based │ Password only (in plaintext)
Host verification │ The server's host key fingerprint lets the client detect a MITM, but only if the fingerprint is verified out of band on first connection; blindly accepting an unknown or changed key defeats the check │ No verification — susceptible to MITM
ACL filtering │ Permit only SSH (port 22) from trusted management IPs │ Permit only Telnet (port 23) from trusted IPs — or better: disable entirely
Cisco IOS config │ transport input ssh on VTY lines │ transport input telnet — avoid in production

See also: SSH Overview | Telnet Overview | SSH vs Telnet Security | FTP Overview

6. Email Protocol Ports

Email uses multiple protocols and ports depending on whether the system is transferring mail between servers (MTA to MTA), or delivering mail to a client (mail client to mailbox). Understanding each role prevents common configuration mistakes.

  Email protocol flow:

  [Sender's email client]
         │
         │ SMTP Submission — TCP 587 (with STARTTLS)
         │ or SMTPS — TCP 465 (implicit TLS)
         ▼
  [Outbound Mail Server (MTA)]
         │
         │ SMTP — TCP 25 (server-to-server relay)
         ▼
  [Recipient's Mail Server (MTA/MDA)]
         │
         ├─ POP3  — TCP 110 (client downloads and deletes from server)
         │  POP3S — TCP 995 (encrypted)
         │
         └─ IMAP  — TCP 143 (client syncs with server; mail stays on server)
            IMAPS — TCP 993 (encrypted)
         ▼
  [Recipient's email client]

Protocol │ Port │ TCP/UDP │ Encrypted? │ Role
SMTP │ 25 │ TCP │ No (plaintext) │ Server-to-server mail relay (MTA to MTA)
SMTP Submission │ 587 │ TCP │ STARTTLS (opportunistic) │ Authenticated client-to-server mail submission
SMTPS │ 465 │ TCP │ Yes — implicit TLS │ Client-to-server mail submission (implicit TLS)
POP3 │ 110 │ TCP │ No │ Client downloads mail from server (usually deletes from server)
POP3S │ 995 │ TCP │ Yes — TLS │ Encrypted POP3
IMAP │ 143 │ TCP │ No (STARTTLS optional) │ Client syncs with server; mail stays on server
IMAPS │ 993 │ TCP │ Yes — TLS │ Encrypted IMAP

See also: SMTP Overview

7. Network Management and Monitoring Ports

Protocol │ Port │ TCP/UDP │ Description │ Notes
SNMP │ 161 │ UDP │ Manager polls agent; agent responds │ GET, GET-NEXT, GET-BULK, SET operations. See: SNMP Overview
SNMP Trap │ 162 │ UDP │ Agent sends unsolicited traps to manager │ Agent → Manager direction (opposite of 161). See: SNMP Traps
Syslog │ 514 │ UDP │ Device log messages sent to syslog server │ UDP = no delivery guarantee. TCP 514 optional for reliability. TLS syslog uses port 6514. See: Syslog Overview
NTP │ 123 │ UDP │ Time synchronisation queries and responses │ Server listens on 123; the client source port is 123 for classic ntpd and ephemeral for many newer clients. See: NTP Overview
NETCONF │ 830 │ TCP (SSH) │ XML-based device configuration protocol │ Runs over SSH, not standard port 22. See: NETCONF & RESTCONF | NETCONF Lab
RESTCONF │ 443 │ TCP (HTTPS) │ REST-style device configuration over HTTPS │ Uses standard HTTPS port. See: NETCONF & RESTCONF
NetFlow / IPFIX │ 2055 / 4739 │ UDP │ Flow export from network device to collector │ NetFlow v5/v9: UDP 2055 (conventional default, configurable). IPFIX: UDP 4739 (IANA-assigned). See: NetFlow Overview
Cisco CDP │ N/A │ Layer 2 only │ Cisco Discovery Protocol — no IP/port number │ Operates at Layer 2 — uses multicast MAC 01:00:0C:CC:CC:CC. See: CDP Overview
LLDP │ N/A │ Layer 2 only │ Link Layer Discovery Protocol — standard CDP equivalent │ IEEE 802.1AB. Layer 2 — no IP/port. See: LLDP Overview

8. AAA and Security Protocol Ports

Protocol │ Port │ TCP/UDP │ Description │ Notes
TACACS+ │ 49 │ TCP │ AAA for network device administration (Cisco proprietary enhancement) │ Obfuscates the entire packet body with the shared key (RADIUS hides only the password attribute). Per-command authorisation makes it the usual choice for device administration. See: AAA Overview
RADIUS Auth │ 1812 │ UDP │ RADIUS authentication and authorisation │ Replaced legacy port 1645. Used for 802.1X, VPN, Wi-Fi Enterprise authentication. See: AAA Local vs RADIUS
RADIUS Accounting │ 1813 │ UDP │ RADIUS session accounting records │ Replaced legacy port 1646. See: AAA Local vs RADIUS
LDAP │ 389 │ TCP (and UDP) │ Directory service protocol — Active Directory queries │ Unencrypted unless STARTTLS is negotiated. Use LDAPS 636 in production.
LDAPS │ 636 │ TCP │ LDAP over TLS — encrypted directory service │ Preferred over 389 for any production deployment.
Kerberos │ 88 │ TCP and UDP │ Kerberos authentication protocol — Active Directory ticket exchange │ Used by Windows domain authentication (Active Directory KDC). UDP for small messages; TCP when a message would not fit in one datagram (Windows clients default to TCP).
IKE / ISAKMP │ 500 │ UDP │ Internet Key Exchange — IPsec phase 1 negotiation │ Establishes security associations for IPsec VPN. Both IKEv1 and IKEv2 start here. See: IPsec Basics | Site-to-Site IPsec VPN Lab
NAT-T (IKEv1 / IKEv2) │ 4500 │ UDP │ IPsec NAT Traversal — IKE and ESP-in-UDP when NAT is detected │ When IKE peers detect NAT between them, they move the exchange to UDP 4500 and encapsulate ESP inside UDP 4500 so that it survives address and port translation. See: IPsec VPN
ESP │ IP Protocol 50 │ IP Protocol (not TCP/UDP) │ Encapsulating Security Payload — IPsec data encryption │ IP protocol 50 (like OSPF 89). To permit in ACL: permit esp …. See: IPsec Basics
AH │ IP Protocol 51 │ IP Protocol (not TCP/UDP) │ Authentication Header — IPsec integrity without encryption │ IP protocol 51. Rarely used in modern deployments (ESP preferred as it does both auth and encryption). See: IPsec Basics

9. Ports and ACL Configuration

Port numbers are the basis of many ACL (Access Control List) rules on Cisco routers and switches. Extended ACLs can match traffic based on source and destination IP addresses, protocol (TCP/UDP), and source/destination port numbers — making them far more granular than standard ACLs which only match source IP.

  Extended ACL using port numbers — practical examples:

  ! Permit SSH (TCP 22) from management network to any device:
  Router(config)# ip access-list extended MGMT-IN
  Router(config-ext-nacl)# permit tcp 10.0.10.0 0.0.0.255 any eq 22
  ! "eq 22" = equal to port 22 (destination port)

  ! Permit HTTP and HTTPS outbound from LAN:
  Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
  Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443

  ! Permit DNS queries (UDP and TCP) outbound:
  Router(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any eq 53
  Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 53

  ! Permit DHCP client → server (UDP 68 → 67; a relay agent forwards 67 → 67 and needs its own entry):
  Router(config-ext-nacl)# permit udp any eq 68 any eq 67

  ! Permit SNMP from NMS to all devices:
  Router(config-ext-nacl)# permit udp 10.0.20.5 0.0.0.0 any eq 161

  ! Permit BGP (TCP 179) between eBGP peers:
  Router(config-ext-nacl)# permit tcp 203.0.113.0 0.0.0.3 any eq 179
  Router(config-ext-nacl)# permit tcp any 203.0.113.0 0.0.0.3 eq 179
  ! BGP can be initiated from either side — need both directions

  ! Permit OSPF (IP protocol 89 — not TCP/UDP):
  Router(config-ext-nacl)# permit ospf any any

  ! Block Telnet (TCP 23) entirely — all sources:
  Router(config-ext-nacl)# deny tcp any any eq 23

  ! Implicit deny all at end (shown explicitly):
  Router(config-ext-nacl)# deny ip any any

ACL Port Matching Keywords

Keyword │ Meaning │ Example
eq │ Equal to (exact port match) │ eq 22 — matches port 22 only
neq │ Not equal to (everything except) │ neq 23 — matches everything except port 23
lt │ Less than │ lt 1024 — matches ports 0–1023
gt │ Greater than │ gt 1023 — matches ports 1024–65535 (registered + dynamic)
range │ Range of ports (inclusive) │ range 20 21 — matches ports 20 and 21 (FTP)
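To see the keywords above and the MGMT-IN list in action, here is an added Python example (not part of the original page, and not Cisco IOS code) that parses extended ACEs in the IOS syntax used in this section, applies wildcard masks and the eq/neq/lt/gt/range operators, and evaluates sample packets top-down with the implicit deny at the end. Protocol keywords are mapped to IP protocol numbers so that permit ospf matches protocol 89 traffic the way a router would. It accepts only the subset of IOS syntax shown on this page; the sample packets are constructed.

```python
import ipaddress

# IOS protocol keywords -> IP protocol number ("ip" matches any protocol).
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50,
             "ahp": 51, "eigrp": 88, "ospf": 89, "pim": 103}
# A few IOS port names so that "eq ssh" and "eq 22" behave the same way.
PORT_NAME = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
             "tacacs": 49, "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69,
             "www": 80, "ntp": 123, "snmp": 161, "snmptrap": 162, "bgp": 179,
             "syslog": 514}


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (base, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(token):
    return PORT_NAME[token] if token in PORT_NAME else int(token)


def _port_op(tokens):
    """Consume an optional eq/neq/lt/gt/range operator and its operand(s)."""
    if not tokens or tokens[0] not in ("eq", "neq", "lt", "gt", "range"):
        return None
    op = tokens.pop(0)
    if op == "range":
        return op, _port(tokens.pop(0)), _port(tokens.pop(0))
    return op, _port(tokens.pop(0))


def parse_ace(line):
    """Parse one extended ACE: <permit|deny> <proto> <src> [op] <dst> [op]."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    proto_num = PROTO_NUM[proto] if proto in PROTO_NUM else int(proto)
    src = _addr(tokens)
    sport = _port_op(tokens) if proto in ("tcp", "udp") else None   # ports exist only at L4
    dst = _addr(tokens)
    dport = _port_op(tokens) if proto in ("tcp", "udp") else None
    return {"action": action, "proto": proto_num, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def _wild_match(addr, rule):
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are don't-care."""
    base, wild = rule
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def _op_match(op, port):
    if op is None:
        return True
    kind, first = op[0], op[1]
    if kind == "eq":
        return port == first
    if kind == "neq":
        return port != first
    if kind == "lt":
        return port < first
    if kind == "gt":
        return port > first
    return first <= port <= op[2]            # range is inclusive


def evaluate(acl_lines, pkt):
    """Top-down, first match wins. pkt = {"proto": int, "src", "dst"[, "sport", "dport"]}.
    Returns (action, ACE text); anything unmatched hits the implicit deny."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
            continue
        if not (_wild_match(pkt["src"], ace["src"]) and _wild_match(pkt["dst"], ace["dst"])):
            continue
        if ace["proto"] in (6, 17) and not (_op_match(ace["sport"], pkt.get("sport"))
                                            and _op_match(ace["dport"], pkt.get("dport"))):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"


# The MGMT-IN entries from the examples above, prompt stripped.
MGMT_IN = [
    "permit tcp 10.0.10.0 0.0.0.255 any eq 22",
    "permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "permit tcp 192.168.1.0 0.0.0.255 any eq 443",
    "permit udp 192.168.1.0 0.0.0.255 any eq 53",
    "permit tcp 192.168.1.0 0.0.0.255 any eq 53",
    "permit udp any eq 68 any eq 67",
    "permit udp 10.0.20.5 0.0.0.0 any eq 161",
    "permit tcp 203.0.113.0 0.0.0.3 any eq 179",
    "permit tcp any 203.0.113.0 0.0.0.3 eq 179",
    "permit ospf any any",
    "deny tcp any any eq 23",
]

if __name__ == "__main__":
    # Constructed sample packets (addresses and ports are made up).
    ssh = {"proto": 6, "src": "10.0.10.5", "dst": "192.168.1.1", "sport": 52341, "dport": 22}
    telnet = {"proto": 6, "src": "10.0.10.5", "dst": "192.168.1.1", "sport": 52342, "dport": 23}
    ospf = {"proto": 89, "src": "10.1.1.1", "dst": "224.0.0.5"}
    for pkt in (ssh, telnet, ospf):
        print(pkt, "->", evaluate(MGMT_IN, pkt))
    # Ordering matters: a broad permit placed first makes the deny unreachable.
    print(evaluate(["permit tcp any any", "deny tcp any any eq 23"], telnet))
```

The last line of the demo is the ordering mistake from the quiz below: with permit tcp any any first, the deny for Telnet is never reached.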

See also: ACL Overview | Applying ACLs | Named ACLs | Standard ACLs

10. Quick-Reference Cheat Sheet

A condensed, exam-ready summary of the most important port numbers. Memorise these — they appear regularly on the CCNA exam and are essential for ACL, firewall, and troubleshooting questions.

  ┌──────┬────────────────────────────┬─────────┬──────────────────────────┐
  │ Port │ Protocol                   │ TCP/UDP │ Key Note                 │
  ├──────┼────────────────────────────┼─────────┼──────────────────────────┤
  │  20  │ FTP Data (active mode)     │ TCP     │ Server-initiated data    │
  │  21  │ FTP Control                │ TCP     │ Always port 21           │
  │  22  │ SSH                        │ TCP     │ Secure CLI + SFTP/SCP    │
  │  23  │ Telnet                     │ TCP     │ Insecure — avoid         │
  │  25  │ SMTP (server relay)        │ TCP     │ MTA to MTA               │
  │  49  │ TACACS+                    │ TCP     │ Encrypts full packet     │
  │  53  │ DNS                        │ TCP+UDP │ UDP queries, TCP large   │
  │  67  │ DHCP Server                │ UDP     │ Server listens here      │
  │  68  │ DHCP Client                │ UDP     │ Client receives here     │
  │  69  │ TFTP                       │ UDP     │ IOS images, configs      │
  │  80  │ HTTP                       │ TCP     │ Unencrypted web          │
  │  88  │ Kerberos                   │ TCP+UDP │ AD authentication        │
  │ 110  │ POP3                       │ TCP     │ Email download           │
  │ 123  │ NTP                        │ UDP     │ Time sync                │
  │ 143  │ IMAP                       │ TCP     │ Email sync (server-side) │
  │ 161  │ SNMP (queries)             │ UDP     │ Manager → Agent          │
  │ 162  │ SNMP Trap                  │ UDP     │ Agent → Manager          │
  │ 179  │ BGP                        │ TCP     │ eBGP/iBGP sessions       │
  │ 389  │ LDAP                       │ TCP+UDP │ Directory queries        │
  │ 443  │ HTTPS / RESTCONF           │ TCP     │ Secure web + REST API    │
  │ 465  │ SMTPS (implicit TLS)       │ TCP     │ Email submission (TLS)   │
  │ 500  │ IKE / ISAKMP               │ UDP     │ IPsec phase 1            │
  │ 514  │ Syslog                     │ UDP     │ Log to central server    │
  │ 520  │ RIP / RIPv2                │ UDP     │ Routing updates          │
  │ 587  │ SMTP Submission (STARTTLS) │ TCP     │ Authenticated email send │
  │ 636  │ LDAPS                      │ TCP     │ Encrypted LDAP           │
  │ 646  │ LDP (MPLS labels)          │ TCP+UDP │ Label distribution       │
  │ 830  │ NETCONF                    │ TCP/SSH │ Programmatic config      │
  │ 993  │ IMAPS                      │ TCP     │ Encrypted IMAP           │
  │ 995  │ POP3S                      │ TCP     │ Encrypted POP3           │
  │1812  │ RADIUS Auth                │ UDP     │ Auth + Authorisation     │
  │1813  │ RADIUS Accounting          │ UDP     │ Session records          │
  │3389  │ RDP                        │ TCP+UDP │ Windows remote desktop   │
  │4500  │ IPsec NAT-T                │ UDP     │ IPsec over NAT           │
  └──────┴────────────────────────────┴─────────┴──────────────────────────┘

  IP Protocol Numbers (not TCP/UDP ports):
  Protocol 6   = TCP
  Protocol 17  = UDP
  Protocol 47  = GRE (Generic Routing Encapsulation)
  Protocol 50  = ESP (IPsec Encapsulating Security Payload)
  Protocol 51  = AH  (IPsec Authentication Header)
  Protocol 88  = EIGRP
  Protocol 89  = OSPF
  Protocol 103 = PIM
  Protocol 112 = VRRP
CCNA exam memorisation tips:
FTP is always 20 (data) and 21 (control) — "data comes before control"
SSH=22, Telnet=23 — sequential, SSH came after Telnet
SMTP=25 — "25 letters to mail" (alphabet mnemonic)
DNS=53 — just memorise this one cold
DHCP=67/68 — two consecutive ports, server is lower number
HTTP=80, HTTPS=443 — the two most recognisable ports
SNMP=161 (queries), 162 (traps) — sequential, queries first
BGP=179 — the only routing protocol using TCP
Syslog=514 — the "5" starts the number like "syslog starts with S(yslog)"

See also: Ports Overview | Network Protocols | ACL Overview | Firewall Overview | SSH | DHCP | NTP | SNMP | Syslog | DNS | BGP

Test Your Knowledge — Port Numbers Quiz

1. Which port number and transport protocol does SSH use?

Correct answer is C. SSH (Secure Shell) uses TCP port 22. It uses TCP because remote management sessions require reliable, ordered, error-free delivery — losing a CLI command or response due to packet loss would be unacceptable. TCP port 23 is Telnet (SSH's insecure predecessor). UDP port 22 is not used by SSH, which runs only over TCP. TCP port 830 is NETCONF (which also uses SSH as transport, but on a different port). See: SSH Overview

2. DNS primarily uses UDP port 53 for queries. When does DNS use TCP port 53 instead?

Correct answer is A. DNS uses UDP 53 for ordinary queries because a single request and its response each fit in one datagram and no handshake is needed. When the response would exceed the UDP payload size the client can accept (512 bytes in the original specification; larger if the client advertises EDNS0), the server returns a truncated reply with the TC bit set and the client repeats the query over TCP 53, which can carry arbitrarily large responses reliably. TCP 53 is also used for DNS zone transfers (AXFR/IXFR) — the replication of entire DNS zones between authoritative servers — which contain far more data than a single query response. See: DNS Overview

3. Why does DHCP use UDP rather than TCP for its DORA exchange?

Correct answer is D. TCP requires a three-way handshake between valid IP addresses before data can be sent. A DHCP client at the start of the DORA process has no IP address — it cannot form a TCP connection. UDP broadcasts allow the client to send a Discover message from 0.0.0.0 to 255.255.255.255 without needing a pre-configured address. The DHCP server receives this broadcast and responds with an offer. See: DHCP Overview

4. An engineer writes an ACL to permit BGP traffic between two eBGP peers. Which permit statement is correct?

Correct answer is B. BGP uses TCP port 179 — not UDP, not OSPF, not a raw IP protocol number. When configuring an ACL to permit BGP, two rules are typically needed, one per direction, each matching TCP with destination port 179: either peer may open the session, and whichever side does so connects from an ephemeral source port to port 179 on the other. BGP is unique among the routing protocols covered here in using TCP for reliability. See: BGP Overview

5. What is the difference between SNMP port 161 and SNMP port 162?

Correct answer is C. Both use UDP, but the direction differs. UDP 161: the SNMP manager sends queries (GET, GET-NEXT, SET) to the agent's port 161; the agent responds back to the manager. UDP 162: the agent sends unsolicited Trap or Inform messages to the manager's port 162 — no query was sent; the agent is alerting the manager to an event. Always remember: 161 is the agent's listening port; 162 is the manager's listening port. See: SNMP Traps

6. How does OSPF differ from BGP when it comes to TCP/UDP port usage?

Correct answer is A. OSPF is identified by IP protocol number 89 — not a TCP or UDP port number. OSPF packets are carried directly in IP packets with protocol field = 89, sending to multicast 224.0.0.5 (all OSPF routers) or 224.0.0.6 (DR/BDR). To permit OSPF in an extended ACL: permit ospf any any. BGP uses TCP port 179 — it needs TCP's reliable, ordered delivery because losing BGP update messages would cause routing instability. See: OSPF Configuration

7. A security policy requires blocking all Telnet access to network devices while allowing SSH. What ACL statement achieves this on the inbound interface?

Correct answer is D. Telnet uses TCP port 23. The deny statement must specify TCP (not UDP — Telnet is TCP-only) and port 23. This blocks all TCP connections destined for port 23 from reaching the device. SSH on TCP port 22 is unaffected by this rule. The order matters in an ACL — place deny statements before any broad permit rules that might otherwise allow port 23 traffic through. See: ACL Overview

8. Which two ports does RADIUS use, and what function does each serve?

Correct answer is B. RADIUS uses UDP 1812 for authentication and authorisation requests (the NAS sends access-request; RADIUS responds with accept/reject/challenge) and UDP 1813 for accounting records (session start, stop, interim updates with usage statistics). Note: older RADIUS deployments used ports 1645 (auth) and 1646 (accounting) — these are now deprecated in favour of 1812/1813. TACACS+ (a different AAA protocol) uses TCP 49. See: AAA Local vs RADIUS

9. What is the purpose of having separate ports for FTP control (21) and FTP data (20)?

Correct answer is C. FTP uses a two-channel architecture: a persistent control connection (TCP 21) that stays open for the entire session to exchange commands (USER, PASS, LIST, RETR, STOR) and a separate data connection opened for each file transfer or directory listing (TCP 20 in active mode; a dynamic port in passive mode). Separating command and data channels is an intentional design choice — it lets the client issue out-of-band commands such as ABOR or STAT on the control connection while a large file is transferring on the data channel. See: FTP Overview

10. An engineer configures an extended ACL keyword range 20 21 after specifying TCP. What traffic does this match?

Correct answer is D. The Cisco IOS ACL range keyword matches all ports from the lower bound to the upper bound, inclusive. range 20 21 matches TCP ports 20 and 21 — both FTP channels. This is a common shorthand when you need to permit or deny FTP entirely (both channels) in a single ACE. Other useful range examples: range 1024 65535 matches all registered and ephemeral ports; range 16384 32767 matches the common RTP voice port range. See: ACL Overview
