Cisco ISE 3300 Series Appliance Ports Reference
This appendix lists the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that Cisco ISE Release 1.0 uses for intranetwork communications with external applications and devices. Table E-1 lists the ports by TCP and UDP port number, identifies the associated feature, service, or protocol, and describes any specific port-related information that applies to the four Gigabit Ethernet ports: GbEth0, GbEth1, GbEth2, and GbEth3. The Cisco ISE ports listed in this table must be open on the corresponding firewall. The ports list provides information that can be useful when configuring a firewall, creating ACLs, and configuring services on a Cisco ISE network.
Table E-1 Cisco ISE Services and Ports

Each entry below gives the Cisco ISE service, followed by its ports on GbEth0, GbEth1, GbEth2, and GbEth3.

Administration (ISE node)
TCP ports on GbEth0:
•TCP: 22 (SSH server)
•TCP: 80 (HTTP) [footnote 1]
•TCP: 443 (HTTPS) [footnote 2]
Note: Port 80 is redirected to port 443 (not a configurable port).
Note: Ports 80 and 443 support Admin web applications and are enabled by default.
•TCP: 61616 (HTTPS)
Note: Port 61616 replicates config data between primary and secondary.
Ports on GbEth1, GbEth2, and GbEth3:
Cisco ISE management is restricted to GbEth0.
UDP ports:
•UDP: 161 (SNMPQUERY)
Note: This port is route table dependent.
•UDP: 1521 (Database Listener) [footnote 3]

Monitoring (ISE node)
TCP ports on GbEth0:
•TCP: 22 (SSH server)
•TCP: 80 (HTTP)
•TCP: 443 (HTTPS)
TCP ports on GbEth1, GbEth2, and GbEth3 (each):
•TCP: 22 (SSH server)
UDP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•UDP: 1521 (Database Listener)
•UDP: 20514 (Syslog)

Session
TCP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•TCP: 22 (SSH server)
UDP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•UDP: 1521 (Database Listener)
•UDP: 1645, 1812 (RADIUS Authentication)
•UDP: 1646, 1813 (RADIUS Accounting)
•UDP: 1700 (RADIUS CoA)
Note: UDP port 1700 is not configurable.
•UDP: 30514 (RADIUS)
Note: This is internal via session services.
•UDP: 45588, 45590
Note: UDP ports 45588 and 45590 support Policy Service communication for clustering support.

Guest/Sponsor Portal
TCP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•TCP: 8080 (HTTP)
•TCP: 8443 (HTTPS)
Note: TCP ports 8080 and 8443 are enabled by default and are configurable.

Client Provisioning
TCP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•TCP: 8443 (web or Cisco NAC agent installation)
Note: TCP port 8443 is enabled by default, is configurable, and corresponds to a configuration for Guest.
•TCP: 8905 (Cisco NAC agent update)

Posture and Heartbeat
TCP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•TCP: 8905 Discovery (HTTPS)
UDP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•UDP: 8905 (Layer 2) Discovery (SWISS)
•UDP: 8905 PRA/Keepalive (SWISS)

Profiler
TCP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•TCP: 80, 8080 (DHCPSPAN probe; HTTP)
UDP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•UDP: 53 (DNS Lookup)
Note: This port is route table dependent.
•UDP: 67, 68 (DHCP)
Note: This port is configurable.
•UDP: 161 (SNMPQUERY)
Note: This port is route table dependent.
•UDP: 162 (SNMPTRAP)
Note: This port is configurable.
•UDP: 9996 (Netflow)
Note: This port is configurable.
•UDP: 30514 (RADIUS)
Note: This is internal via session services.

Inline Posture
TCP ports on GbEth0, GbEth1, GbEth2, and GbEth3 (each):
•TCP: 22 (SSH server)
UDP ports on GbEth0 and GbEth1 (each):
•UDP: 1645, 1812 (RADIUS proxy for authentication)
•UDP: 1646, 1813 (RADIUS proxy for accounting)
•UDP: 1700 (RADIUS CoA)
UDP ports on GbEth2 and GbEth3:
N/A

Note: High Availability and Management services are Inline Posture-specific and do not apply to any other Cisco ISE node types.

High Availability
Ports on GbEth0 and GbEth1:
N/A
Ports on GbEth2 and GbEth3 (each):
UDP: 694 (Heartbeat)

Management
Ports on GbEth0:
TCP: 9090 (REST API)
Ports on GbEth1, GbEth2, and GbEth3:
N/A

1 Because Inline Posture nodes do not support the Administration persona, they will not have access to this port.
2 Because Inline Posture nodes do not support the Administration persona, they will not have access to this port.
3 Because Inline Posture nodes do not support the database listener function, they will not have access to this port.