Network Ports – TCP/UDP Endpoints, Ranges, and Security

1. What Are Network Ports?

A network port is a 16-bit logical number (0–65535) embedded in the TCP or UDP header that identifies which application or service on a device should receive a packet. Ports enable multiplexing — dozens or hundreds of applications can share the same IP address simultaneously, each distinguished by its unique port number.

Think of an IP address as a building address and a port number as the apartment number inside that building. The IP gets the packet to the right device; the port routes it to the right application.

  One device, multiple simultaneous sessions:
  192.168.1.10 : 54321  →  203.0.113.5 : 443   (HTTPS – browser tab 1)
  192.168.1.10 : 54322  →  203.0.113.5 : 443   (HTTPS – browser tab 2)
  192.168.1.10 : 54323  →  8.8.8.8     : 53    (DNS query)
  192.168.1.10 : 54324  →  10.0.0.5    : 22    (SSH session)
  All four sessions use the same IP address; ports keep them separate.

Related pages: OSI Model | TCP/IP Model | NAT | Ping (ICMP) | Applying ACLs | Common Port Numbers | Firewall | SSH

2. Physical Ports vs. Logical Ports

Feature | Physical Port | Logical Port (TCP/UDP)
Definition | A hardware interface on a network device | A 16-bit number in a TCP or UDP header
OSI Layer | Layer 1 – Physical. See OSI Model. | Layer 4 – Transport. See TCP/IP Model.
Examples | Ethernet RJ-45 jack, SFP module, USB-A socket, serial console port | Port 80 (HTTP), port 443 (HTTPS), port 22 (SSH), port 53 (DNS)
Purpose | Connects cables and physical media to transmit bits | Identifies which application or service on a device receives the data
Number of ports | Fixed; determined by hardware (e.g., 48-port switch) | 0–65535 (65,536 possible per protocol per IP address)
Security concern | Unauthorised physical access to network equipment | Unauthorised remote access to open services via open ports; mitigate with firewalls and ACLs

3. TCP vs. UDP Ports

Both TCP and UDP use 16-bit port numbers, but they behave differently. See TCP/IP Model for the full transport layer context.

Characteristic | TCP | UDP
Connection | Connection-oriented — three-way handshake before data transfer | Connectionless — data sent without establishing a session
Reliability | Guaranteed delivery; lost packets are retransmitted | Best-effort; no retransmission
Overhead | Higher (sequence numbers, ACKs, flow control) | Lower (minimal header, no ACKs)
Use cases | SSH (22), SMTP (25), HTTP/HTTPS — where every byte must arrive | DNS (53), DHCP (67/68), VoIP, video streaming — where speed matters more than guaranteed delivery
Port space | Separate 0–65535 space from UDP | Separate 0–65535 space from TCP

Important: TCP port 80 and UDP port 80 are independent. A service can listen on TCP 80, UDP 80, or both. Most services use only one protocol on any given port. See Common Port Numbers for the full reference table.

4. Port Number Ranges

Range | Name | Assigned By | Description | Examples
0 – 1023 | Well-Known Ports | IANA | Reserved for common, standardised services. Require root/admin privileges to bind on most operating systems. | HTTP (80), HTTPS (443), SSH (22), DNS (53), FTP (21), SMTP (25)
1024 – 49151 | Registered Ports | IANA (by application) | Assigned to vendor-specific or user applications. Commonly used by server-side software that does not need root privileges. | MS SQL (1433), MySQL (3306), RDP (3389), LDAP (389), Kerberos (88)
49152 – 65535 | Dynamic / Ephemeral / Private Ports | OS (auto-assigned) | Assigned automatically by the OS as the source port for outbound client connections. Freed when the connection closes. | Browser connecting to a web server, DNS client querying a resolver

5. Common Well-Known Ports – Complete Reference

See also: Common Port Numbers for the full quick-reference table.

Port | Protocol | Service | Description
20 | TCP | FTP Data | File Transfer Protocol – data channel (active mode)
21 | TCP | FTP Control | File Transfer Protocol – command/control channel
22 | TCP | SSH | Secure Shell – encrypted remote login and command execution. See SSH & Telnet Security and SSH Configuration Lab.
23 | TCP | Telnet | Unencrypted remote terminal; replaced by SSH in modern networks. See SSH & Telnet Security.
25 | TCP | SMTP | Simple Mail Transfer Protocol – sending email between servers
53 | TCP/UDP | DNS | Domain Name System – name resolution; UDP for queries, TCP for zone transfers. See How DNS Works.
67 | UDP | DHCP Server | Dynamic Host Configuration Protocol – server listens for client requests. See How DHCP Works.
68 | UDP | DHCP Client | DHCP – client-side port for receiving IP configuration
80 | TCP | HTTP | HyperText Transfer Protocol – unencrypted web traffic
110 | TCP | POP3 | Post Office Protocol v3 – retrieving email from a server
123 | UDP | NTP | Network Time Protocol – time synchronisation. See NTP Time Synchronisation.
143 | TCP | IMAP | Internet Message Access Protocol – email access with server-side storage
161 | UDP | SNMP | Simple Network Management Protocol – network device monitoring and management. See SNMP.
443 | TCP | HTTPS | HTTP over TLS/SSL – encrypted web traffic
514 | UDP | Syslog | System logging messages sent to a syslog server. See Syslog.
3389 | TCP | RDP | Remote Desktop Protocol – Windows graphical remote access

6. How Ports Work in Network Communication – Socket Pairs

Every active TCP or UDP connection is uniquely identified by a socket pair: the combination of source IP, source port, destination IP, and destination port. The OS uses this four-tuple to demultiplex incoming packets to the correct process.

  Socket pair (four-tuple):
  [ Source IP : Source Port ] → [ Destination IP : Destination Port ]

  Browser tab 1:  192.168.1.10:54321  →  203.0.113.5:443
  Browser tab 2:  192.168.1.10:54322  →  203.0.113.5:443
  SSH session:    192.168.1.10:54323  →   10.0.0.1:22

  All three are distinct socket pairs even though the source IP is identical.

Step-by-step example — HTTPS request:

  1. John’s browser wants to load https://www.example.com.
  2. The OS assigns a random ephemeral source port (e.g., 54321) from the dynamic range.
  3. A TCP three-way handshake is completed to the server on destination port 443.
  4. The server replies: source = server IP:443, destination = 192.168.1.10:54321.
  5. John’s OS sees port 54321 and delivers the data to that browser process.
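
As an added illustration (not part of the original page), the following Python models the demultiplexing step described above: it reads the two 16-bit port fields out of a TCP header and looks the reversed four-tuple up in a toy socket table. The addresses, ports and owner labels are the ones from the socket-pair diagram; the header bytes are constructed, not captured.

```python
import struct

def parse_tcp_ports(tcp_header):
    """Return (source_port, destination_port) from a TCP header. Both are
    unsigned 16-bit fields in network byte order, hence the 0-65535 range."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return struct.unpack("!HH", tcp_header[:4])

def build_tcp_header(src_port, dst_port, flags=0x18):
    """Constructed minimal 20-byte TCP header (no options); only the port
    fields matter for demultiplexing, the remaining fields are placeholders."""
    data_offset = 5 << 4                      # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)

class ConnectionTable:
    """Toy model of the OS socket table: one socket pair
    (local IP, local port, remote IP, remote port) per owning process."""
    def __init__(self):
        self._sockets = {}

    def connect(self, local_ip, local_port, remote_ip, remote_port, owner):
        key = (local_ip, local_port, remote_ip, remote_port)
        if key in self._sockets:
            raise ValueError(f"socket pair already in use: {key}")
        self._sockets[key] = owner

    def deliver(self, src_ip, dst_ip, tcp_header):
        """Demultiplex an inbound packet. Its source is the remote end, so the
        tuple is reversed before the lookup; None means no socket owns it
        (a real stack would answer with RST)."""
        remote_port, local_port = parse_tcp_ports(tcp_header)
        return self._sockets.get((dst_ip, local_port, src_ip, remote_port))

def build_demo_table():
    # The three sessions from the socket-pair diagram above (constructed).
    table = ConnectionTable()
    table.connect("192.168.1.10", 54321, "203.0.113.5", 443, "browser tab 1")
    table.connect("192.168.1.10", 54322, "203.0.113.5", 443, "browser tab 2")
    table.connect("192.168.1.10", 54323, "10.0.0.1", 22, "ssh session")
    return table
```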

7. Port Scanning and Security Implications

Port scanning is the process of probing a device to discover which ports are open, closed, or filtered. Network administrators use it to audit their own infrastructure; attackers use it to find exploitable entry points. Tools like Wireshark can capture and analyse port scan traffic at the packet level.

Port State | Meaning | Firewall/Security Implication
Open | A service is actively listening; the device sends a SYN-ACK (TCP) or a reply (UDP) | Potential attack surface if the service has vulnerabilities; restrict with firewall rules or ACLs
Closed | No service listening; the device sends a TCP RST | Reveals to the attacker that the host is up; consider dropping the probe so the port appears filtered instead
Filtered | A firewall drops or rejects the probe; no response | Best security posture — the attacker cannot determine whether a service exists

Security best practices: close or filter every port that is not required; change default ports for sensitive services like SSH (port 22); use access control lists (ACLs) and stateful firewalls to allow only legitimate traffic; regularly audit open ports with tools like nmap or ss.

Example: Port 22 (SSH) open on a public-facing server is a common target for brute-force attacks. Mitigations include: changing the listening port, disabling password authentication (use key pairs only), and rate-limiting failed login attempts. See SSH & Telnet Security and SSH Configuration Lab.
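
Added example, not from the original page: a deny entry carrying the log keyword (as in the ACL example in section 10) emits %SEC-6-IPACCESSLOGP messages, and a port scan shows up in them as one source being denied on many distinct destination ports in a short time. The log lines below are constructed in that style (with an ISO-8601 timestamp prefix added for simplicity), and the threshold of 5 ports in 60 seconds is an assumption to tune for your environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Payload format of an IOS %SEC-6-IPACCESSLOGP message (ACL entry with 'log');
# the leading ISO-8601 timestamp is a constructed simplification.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def detect_port_scans(lines, window_s=60, min_ports=5):
    """Flag sources denied on >= min_ports distinct destination ports within
    any window_s-second span. Returns {source_ip: max_distinct_ports_seen}."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).timestamp()
            events[m["src"]].append((ts, int(m["dport"])))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window, left = Counter(), 0       # distinct ports in the current window
        for ts, port in evs:
            in_window[port] += 1
            while ts - evs[left][0] > window_s:  # expire events older than the window
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged

# Constructed sample: 198.51.100.7 sweeps six ports in six seconds;
# 203.0.113.9 is a noisy but non-scanning client.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 198.51.100.7(40001) -> 10.0.0.10(21), 1 packet",
    "2024-05-01T10:00:02 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 198.51.100.7(40002) -> 10.0.0.10(22), 1 packet",
    "2024-05-01T10:00:03 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 198.51.100.7(40003) -> 10.0.0.10(23), 1 packet",
    "2024-05-01T10:00:04 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 198.51.100.7(40004) -> 10.0.0.10(25), 1 packet",
    "2024-05-01T10:00:05 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 198.51.100.7(40005) -> 10.0.0.10(80), 1 packet",
    "2024-05-01T10:00:06 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 198.51.100.7(40006) -> 10.0.0.10(3389), 1 packet",
    "2024-05-01T10:00:03 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 203.0.113.9(51000) -> 10.0.0.10(22), 1 packet",
    "2024-05-01T10:00:33 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied tcp 203.0.113.9(51001) -> 10.0.0.10(22), 1 packet",
    "2024-05-01T10:20:00 %SEC-6-IPACCESSLOGP: list INBOUND-POLICY denied udp 203.0.113.9(51002) -> 10.0.0.10(161), 1 packet",
]
```

Feed it the denied-packet lines from your syslog collector; only sources that exceed the threshold are returned, so a steady client retrying one port is not flagged.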

8. Port Forwarding and NAT

Port forwarding is a NAT configuration that maps an external IP address + port number to an internal (private) IP address + port. It allows devices on the Internet to initiate connections to services hosted inside a private network that uses NAT.

  Internet                  Router / NAT Device          Internal Network
  ---------                 ------------------           ----------------
  Client at                 External: 203.0.113.1        Web server:
  1.2.3.4                   Internal: 192.168.1.1        192.168.1.50:80

  1.2.3.4  →  203.0.113.1:8080
                NAT rule: 203.0.113.1:8080 → 192.168.1.50:80
                Router rewrites dest IP and port, forwards to web server
  192.168.1.50:80  receives the request and responds

Common use cases for port forwarding: self-hosted web or game servers; CCTV cameras accessible remotely; home lab services exposed to the Internet; RDP access to a Windows PC behind NAT.

See also: NAT – Network Address Translation

9. Troubleshooting Port Issues

When an application cannot connect, the first question is whether the destination port is actually open and reachable. These tools let you test port-level connectivity independently of the application.

Tool | Platform | Command Example | What It Tests
telnet | Windows, Linux, macOS, Cisco IOS | telnet server.com 443 | TCP connection to a specific port; blank screen = port open; “Connection refused” = port closed. See SSH & Telnet Security.
nc (netcat) | Linux, macOS | nc -zv server.com 443 | TCP or UDP port reachability; -z = scan only, -v = verbose output
Test-NetConnection | Windows PowerShell | Test-NetConnection server.com -Port 443 | TCP port test; returns TcpTestSucceeded: True/False with latency
nmap | Linux, Windows, macOS | nmap -p 22,80,443 server.com | Scans multiple ports; reports open/closed/filtered state for each
ss / netstat | Linux / all platforms | ss -tlnp / netstat -an | Lists all ports currently listening on the local device; identify which service owns each port
Wireshark | Windows, Linux, macOS | Filter: tcp.port == 443 | Captures and analyses actual port traffic at packet level; useful for diagnosing handshake failures and filtering issues

! Test a specific port from Cisco IOS (useful for verifying ACLs or firewall rules):
Router# telnet 10.0.0.5 80
! Trying 10.0.0.5, 80...
! Connected to 10.0.0.5.   ← port 80 is open
! OR:
! % Connection refused by remote host  ← port 80 is closed/filtered

Use ping to test basic reachability first, then telnet or netcat to test the specific port. If the port is unexpectedly blocked, check the firewall rules and ACL configuration on the path.

10. Port-Based Firewall Rules and ACLs

Firewalls and ACLs use port numbers as one of their primary match criteria. By allowing or denying traffic based on destination port, administrators can control exactly which services are reachable from which networks.

! Cisco IOS Extended ACL example:
! Allow HTTPS (443) from any source to web server 10.0.0.10
! Allow SSH (22) from management network 10.10.0.0/24 to any host
! Deny all other inbound traffic

ip access-list extended INBOUND-POLICY
 permit tcp any host 10.0.0.10 eq 443
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny   ip any any log

interface GigabitEthernet0/1
 ip access-group INBOUND-POLICY in
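
Added example (not from the original page or from Cisco): a small Python evaluator for the extended ACL above, implementing first-match semantics, wildcard-mask address matching and the implicit deny that ends every ACL. It handles only the syntax used in the INBOUND-POLICY list (any, host, address/wildcard pairs and numeric eq ports); the sample packets in the usage below are constructed.

```python
import ipaddress
_ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

def _addr(tok):
    # any | host A.B.C.D | A.B.C.D WILDCARD  ->  (network, wildcard) as ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (_ip(tok.pop(0)), 0) if t == "host" else (_ip(t), _ip(tok.pop(0)))

def _port(tok):
    # numeric 'eq N' only; IOS also accepts names such as 'eq www' (not handled)
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_acl(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()       # drop IOS '!' comments
        if not line or line.startswith("ip access-list"):
            continue
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        rules.append((action, proto, src, sport, dst, dport))  # trailing 'log' ignored
    return rules

def _match(spec, ip):
    # wildcard bits set to 1 are "don't care"; only the zero bits are compared
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(ip) & care) == (net & care)

def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """First match wins (its index is returned for logging); otherwise the implicit deny applies."""
    for i, (action, rproto, src, sport, dst, dport) in enumerate(rules):
        if (rproto in ("ip", proto) and _match(src, src_ip) and _match(dst, dst_ip)
                and sport in (None, src_port) and dport in (None, dst_port)):
            return action, i
    return "deny", None

INBOUND_POLICY = """\
ip access-list extended INBOUND-POLICY
 permit tcp any host 10.0.0.10 eq 443
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny   ip any any log
"""
```

For example, evaluate(parse_acl(INBOUND_POLICY), "tcp", "10.10.1.7", 50000, "10.0.0.10", 22) returns ("deny", 2): the source is outside 10.10.0.0/24, so the SSH permit does not match and the explicit deny line catches it.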

See also: Applying ACLs | ACL Overview | Extended ACLs | Standard ACLs | Named ACLs | Firewall | Extended ACL Configuration Lab

11. Physical vs. Logical Ports – Summary Table

Feature | Physical Port | Logical Port (TCP/UDP)
OSI Layer | Layer 1 – Physical | Layer 4 – Transport
Examples | Ethernet RJ-45, SFP module, USB, console port | Port 80 (HTTP), 22 (SSH), 53 (DNS), 443 (HTTPS)
Purpose | Connects cables and physical media; transmits bits | Demultiplexes incoming packets to the correct application
Quantity | Fixed by hardware (e.g., 48 ports on a switch) | 65,536 per transport protocol per IP address
Identified by | Physical slot number (e.g., Gi0/1) or connector type | 16-bit integer in the TCP/UDP header (0–65535)
Security concern | Unauthorised physical access; port security (MAC limiting) | Open ports with vulnerable services; restrict with firewall/ACL

12. Key Points & CCNA Exam Tips

  • A port is a 16-bit number (0–65535) in the TCP or UDP header that identifies the destination application on a device. See TCP/IP Model.
  • Ports enable multiplexing — multiple applications share one IP address using different ports
  • Port numbers are per transport protocol: TCP port 53 and UDP port 53 are independent (both used by DNS)
  • Well-known ports (0–1023) are assigned by IANA for standardised services and typically require root/admin to bind
  • Registered ports (1024–49151) are used by vendor applications; dynamic ports (49152–65535) are auto-assigned as client source ports
  • Know these ports for the CCNA exam: FTP 20/21, SSH 22, Telnet 23, SMTP 25, DNS 53, DHCP 67/68, HTTP 80, POP3 110, NTP 123, IMAP 143, SNMP 161, HTTPS 443, Syslog 514, RDP 3389. See Common Port Numbers.
  • A socket pair (src IP, src port, dst IP, dst port) uniquely identifies every active TCP connection
  • TCP = reliable, connection-oriented; UDP = fast, connectionless — each has its own independent 0–65535 port space
  • Open ports are potential attack surfaces; firewalls and ACLs match on destination port to allow or deny specific services
  • Port forwarding maps an external port to an internal device; commonly used on home/office routers to expose internal services. See NAT.
  • Test port connectivity with: telnet <host> <port>, nc -zv <host> <port>, or Test-NetConnection in PowerShell
  • View listening ports on a device: ss -tlnp (Linux) or netstat -an (Windows/Linux)
  • Capture port traffic at packet level with Wireshark using port-specific filters like tcp.port == 22

Networking Ports Quiz

1. What is the primary purpose of a port number in networking?

Correct answer is B. Port numbers enable multiplexing — many applications can share the same IP address simultaneously. The OS reads the destination port number in the incoming TCP or UDP header and delivers the data to the correct application. See TCP/IP Model for the full transport layer context.

2. At which OSI layer do logical (TCP/UDP) ports operate?

Correct answer is A. Port numbers are 16-bit fields in the TCP and UDP headers, both of which are Layer 4 (Transport) protocols. Physical ports (Ethernet jacks, SFP modules) operate at Layer 1. See OSI Model.

3. Which port number is used for HTTPS (encrypted web) traffic?

Correct answer is D. HTTPS uses TCP port 443. Port 21 is FTP control, port 22 is SSH, and port 53 is DNS. Memorising these is essential for both CCNA and real-world firewall rule configuration. See Common Port Numbers.

4. Which range defines the well-known port numbers?

Correct answer is C. Ports 0–1023 are the well-known (system) ports assigned by IANA for standardised services such as HTTP (80), SSH (22), and DNS (53). They typically require administrator or root privileges to bind on a server.

5. What is port forwarding used for?

Correct answer is B. Port forwarding is a NAT feature that allows Internet users to reach a service on a private IP address by sending traffic to the router’s public IP on a specific external port. The router translates the destination IP and port and forwards the packet internally. See NAT – Network Address Translation.

6. Which range covers dynamic (ephemeral) port numbers?

Correct answer is A. Ports 49152–65535 are dynamic (ephemeral) ports, automatically assigned by the OS as the source port for outbound client connections. They are freed when the session closes. Some OS implementations use a slightly different range (e.g., Linux defaults to 32768–60999).

7. Which command can test TCP connectivity to a specific port on a remote host?

Correct answer is D. telnet <host> <port> attempts a TCP connection to the specified port. A blank screen means the port is open; “Connection refused” means it is closed. Ping uses ICMP and cannot test specific TCP/UDP ports. See SSH & Telnet Security for why Telnet should not be used for actual remote management.

8. Which well-known port does the DNS service use?

Correct answer is C. DNS uses port 53 on both UDP (standard queries) and TCP (zone transfers and large responses exceeding 512 bytes). Port 80 is HTTP, port 25 is SMTP, and port 443 is HTTPS. See Common Port Numbers.

9. What is the primary security risk of leaving unnecessary ports open?

Correct answer is B. Every open port exposes a service to the network. If that service has an unpatched vulnerability, an attacker can exploit it remotely. Best practice is to close or filter all ports that are not required, and apply firewall rules and ACLs to restrict which sources can reach permitted ports.

10. Physical ports differ from logical ports because they:

Correct answer is A. Physical ports are hardware connectors (Ethernet jacks, SFP modules, USB sockets) that operate at OSI Layer 1 and transmit electrical or optical signals. Logical ports are 16-bit numbers in TCP/UDP headers that operate at Layer 4 and identify applications — the two meanings of the word “port” should never be confused. See OSI Model.
