Port number questions are guaranteed to appear on the Network+ exam. Memorising all well-known ports is not realistic, but knowing the ones CompTIA specifically tests — and the traps they set — gives you an edge on these questions.
The Must-Know Ports
| Port | Protocol | Service |
|---|---|---|
| 20 | TCP | FTP data |
| 21 | TCP | FTP control |
| 22 | TCP | SSH |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP (sending email) |
| 53 | UDP/TCP | DNS |
| 67 | UDP | DHCP server |
| 68 | UDP | DHCP client |
| 69 | UDP | TFTP |
| 80 | TCP | HTTP |
| 110 | TCP | POP3 |
| 119 | TCP | NNTP (Usenet) |
| 123 | UDP | NTP |
| 137-139 | UDP/TCP | NetBIOS (137 name service and 138 datagram on UDP, 139 session on TCP) |
| 143 | TCP | IMAP |
| 161 | UDP | SNMP |
| 162 | UDP | SNMP trap |
| 389 | TCP | LDAP |
| 443 | TCP | HTTPS |
| 445 | TCP | SMB |
| 465 | TCP | SMTPS (SMTP over SSL) |
| 514 | UDP | Syslog |
| 587 | TCP | SMTP submission |
| 636 | TCP | LDAPS |
| 993 | TCP | IMAPS |
| 995 | TCP | POP3S |
| 1433 | TCP | Microsoft SQL Server |
| 1723 | TCP | PPTP VPN |
| 3306 | TCP | MySQL |
| 3389 | TCP | RDP |
| 5060 | UDP/TCP | SIP (VoIP) |
| 8080 | TCP | HTTP alternate |
The Most Common Exam Traps
FTP: Port 20 vs 21
FTP uses two ports: 21 for the control connection (commands and replies) and 20 for data transfer in active mode, where the server opens the data connection from its own port 20 back to a port the client announced. In passive mode the client opens the data connection itself, to a port the server chooses dynamically (above 1023). That difference is why passive mode works from behind client-side NAT and stateful firewalls while active mode usually does not.
"Which port is used to establish an FTP control connection?" — Port 21. "Which port transfers the actual file data in active FTP?" — Port 20.
Candidates often pick 20 for the control connection because it is the first one listed. Control = 21, Data = 20.
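The PASV/PORT arithmetic behind those two ports, as an added worked example in Python (not part of the original guide): it decodes a server's 227 passive-mode reply, builds the active-mode PORT command, and states which TCP flow a firewall must permit for each mode. The sample reply and the addresses are constructed.

```python
import re

# Regex for the passive-mode reply the server sends on the control
# connection (port 21), e.g. "227 Entering Passive Mode (192,168,1,10,195,80)."
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(groups) -> tuple[str, int]:
    """Turn the six comma-separated octets into (host, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    if not all(0 <= b <= 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a 227 reply. The client then opens the data connection itself,
    from an ephemeral port to this (host, port), so passive mode works from
    behind client-side NAT and stateful firewalls."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    host, port = _decode(m.groups())
    if port <= 1023:
        # RFC 959 servers hand out a dynamic port; a privileged port here
        # means a broken (or hostile) server and should not be trusted.
        raise ValueError(f"passive data port {port} is not above 1023")
    return host, port


def build_port_command(client_ip: str, data_port: int) -> str:
    """Active mode: the client tells the server where it is listening, and the
    server connects *to* that address from its own port 20. The client side
    therefore has to accept an inbound TCP connection from server port 20."""
    if not 1024 <= data_port <= 65535:
        raise ValueError("client data port must be above 1023")
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {client_ip!r}")
    p1, p2 = divmod(data_port, 256)
    return f"PORT {','.join(octets)},{p1},{p2}"


def parse_port_command(cmd: str) -> tuple[str, int]:
    """Inverse of build_port_command, as the server or a firewall ALG sees it."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode(m.groups())


def data_connection(mode: str, client_ip: str, server_ip: str, data_port: int) -> dict:
    """Describe the TCP flow a firewall must permit for the data channel.
    Active:  server:20 -> client:data_port (inbound to the client).
    Passive: client:ephemeral -> server:data_port (outbound from the client)."""
    if mode == "active":
        return {"src": (server_ip, 20), "dst": (client_ip, data_port), "initiated_by": "server"}
    if mode == "passive":
        return {"src": (client_ip, "ephemeral"), "dst": (server_ip, data_port), "initiated_by": "client"}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    # Constructed sample exchange (not captured from a real server).
    host, port = parse_pasv("227 Entering Passive Mode (192,168,1,10,195,80).")
    print("passive data endpoint:", host, port)       # 192.168.1.10 50000
    print(build_port_command("10.0.0.5", 50001))      # PORT 10,0,0,5,195,81
    print(data_connection("active", "10.0.0.5", "192.168.1.10", 50001))
```

The two-byte port encoding is the part candidates and firewall admins both trip over: 195,80 is not port 19580 but 195 * 256 + 80 = 50000.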
SMTP: Port 25 vs 587 vs 465
Port 25 is the standard SMTP port for server-to-server email relay. Port 587 is for client-to-server submission (an email client handing mail to its outgoing server), normally with STARTTLS and authentication. Port 465 carries SMTP over implicit TLS (SMTPS); it was deprecated for years, but RFC 8314 re-registered it for submission and it remains widely used.
"Which port does a mail client use to submit email to the outgoing mail server?" — Port 587 (submission), not 25.
POP3 vs IMAP
POP3 (port 110) downloads email and typically deletes it from the server — meant for single-device access. IMAP (port 143) keeps email on the server and syncs — meant for multi-device access.
"A user accesses email from a laptop, phone, and tablet, and needs messages to sync across all devices." — IMAP (143), not POP3.
SNMP: Port 161 vs 162
Port 161: SNMP queries (the manager polls devices, which reply on the same flow).
Port 162: SNMP traps (devices send alerts to the manager unsolicited).
"A network monitoring system receives unsolicited alerts from network devices. Which port is used?" — Port 162 (SNMP trap).
LDAP vs LDAPS
LDAP uses port 389 (cleartext by default; a client can upgrade the session with STARTTLS on the same port). LDAPS (LDAP over SSL/TLS) uses a dedicated port, 636, with TLS from the first byte.
Secure versions of common protocols:
| Unencrypted | Port | Encrypted | Port |
|---|---|---|---|
| HTTP | 80 | HTTPS | 443 |
| FTP | 21 | SFTP (file transfer over SSH, a different protocol from FTP; FTPS, FTP over TLS, uses 990) | 22 |
| SMTP | 25 | SMTPS | 465 |
| POP3 | 110 | POP3S | 995 |
| IMAP | 143 | IMAPS | 993 |
| LDAP | 389 | LDAPS | 636 |
| Telnet | 23 | SSH | 22 |
A memory pattern, not a rule: the POP3 and IMAP pairs land in the 990s (110 → 995, 143 → 993). The other pairs do not follow it (25 → 465, 389 → 636, 80 → 443), so learn those individually.
RDP and Telnet
"Which port is used for remote desktop connections on Windows?" — 3389 (RDP). "Which port is used for unencrypted remote terminal access?" — 23 (Telnet). "What is the secure alternative to Telnet?" — SSH on port 22.
Practice Network+ port number questions to build automatic recall of the ports that appear most frequently on the exam.
The Port Numbers You Must Know Cold — No Exceptions
Network+ N10-009 tests specific port numbers directly and in scenario questions. Here are the 25 you must have memorised:
| Port | Protocol | TCP/UDP | Service |
|---|---|---|---|
| 20 | FTP | TCP | FTP data transfer |
| 21 | FTP | TCP | FTP control (commands) |
| 22 | SSH | TCP | Secure Shell, SFTP |
| 23 | Telnet | TCP | Unencrypted remote terminal |
| 25 | SMTP | TCP | Email sending (server-to-server) |
| 53 | DNS | TCP + UDP | DNS (UDP for queries, TCP for zone transfers) |
| 67 | DHCP | UDP | DHCP server |
| 68 | DHCP | UDP | DHCP client |
| 69 | TFTP | UDP | Trivial FTP (no authentication) |
| 80 | HTTP | TCP | Web (unencrypted) |
| 110 | POP3 | TCP | Email retrieval (downloads and deletes) |
| 123 | NTP | UDP | Network Time Protocol |
| 143 | IMAP | TCP | Email retrieval (sync, stays on server) |
| 161 | SNMP | UDP | SNMP queries |
| 162 | SNMP Trap | UDP | SNMP traps (unsolicited alerts) |
| 389 | LDAP | TCP | Directory services (unencrypted) |
| 443 | HTTPS | TCP | Web (encrypted) |
| 445 | SMB | TCP | Windows file sharing, Active Directory |
| 514 | Syslog | UDP | Log forwarding |
| 636 | LDAPS | TCP | LDAP over SSL |
| 993 | IMAPS | TCP | IMAP over SSL |
| 995 | POP3S | TCP | POP3 over SSL |
| 1433 | MS SQL | TCP | Microsoft SQL Server |
| 3306 | MySQL | TCP | MySQL database |
| 3389 | RDP | TCP | Remote Desktop Protocol |
The exam has favourite targets: DNS (both TCP and UDP), DHCP (67 vs 68), the difference between FTP data (20) and control (21), and the encrypted vs unencrypted pairs.
TCP vs UDP — Which Protocol for Which Service
The exam often asks whether a service uses TCP or UDP, and a handful of services generate most of the wrong answers:
DNS — Uses both. UDP port 53 for standard queries (fast, low overhead, most common). TCP port 53 for zone transfers (authoritative server to secondary server) and for large responses that exceed 512 bytes (EDNS can extend this, but TCP is the fallback). Answer "both TCP and UDP" when the exam asks about DNS protocol.
DHCP — Uses UDP only (ports 67 and 68). This is counterintuitive since DHCP involves a request-response exchange, but because the client has no IP at the start, it can't establish a TCP connection. UDP broadcast is the only option.
SNMP — UDP for both queries (161) and traps (162). SNMP traps are asynchronous notifications from devices to the management system — they fire and forget. No acknowledgment needed, so UDP is appropriate.
NTP — UDP port 123. Time synchronization is tolerant of occasional packet loss (the client just tries again), making UDP suitable.
Syslog — UDP port 514 traditionally, with no delivery guarantee and no encryption. TCP variants exist (port 6514 for syslog over TLS, RFC 5425), but the default and exam-tested port is UDP 514.
The reliable TCP services (those where lost data is unacceptable): HTTP, HTTPS, FTP, SSH, Telnet, SMTP, POP3, IMAP, LDAP, LDAPS, RDP, SMB, SQL Server.
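The DNS fallback described above, as an added example in Python (not from the original guide): it builds a minimal DNS query, shows the 2-byte length prefix that TCP transport needs, and checks the TC flag on a constructed UDP reply to decide whether to repeat the query over TCP. No network access is needed; the reply bytes are constructed inline.

```python
import struct
from typing import Optional

QTYPE_A, QTYPE_AXFR = 1, 252
FLAG_QR, FLAG_RD, FLAG_TC = 0x8000, 0x0100, 0x0200
UDP_PAYLOAD_LIMIT = 512          # classic limit; EDNS(0) advertises a larger one


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """12-byte header (QDCOUNT=1, RD set) followed by one question, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length,
    because TCP is a byte stream and message boundaries must be restored."""
    return struct.pack("!H", len(msg)) + msg


def needs_tcp_retry(response: bytes) -> bool:
    """True when the server set TC=1: the answer did not fit the UDP payload
    size, so the resolver must repeat the same query over TCP port 53."""
    if len(response) < 12:
        raise ValueError("short DNS header")
    _txid, flags = struct.unpack("!HH", response[:4])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return bool(flags & FLAG_TC)


def transport_plan(qtype: int, udp_reply: Optional[bytes]) -> list:
    """Transports used for one lookup, in order. Zone transfers (AXFR) go
    straight to TCP; everything else starts on UDP and falls back on TC=1."""
    if qtype == QTYPE_AXFR:
        return ["tcp/53"]
    plan = ["udp/53"]
    if udp_reply is not None and needs_tcp_retry(udp_reply):
        plan.append("tcp/53")
    return plan


def constructed_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed sample response (not captured from a real server): the
    header with QR set, the question echoed, and no answer records. A server
    whose full answer would exceed the limit sends exactly this with TC=1."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_A)
    print(len(q), "byte query; TCP framing prefix:", frame_for_tcp(q)[:2].hex())
    print(transport_plan(QTYPE_A, constructed_reply(q, truncated=False)))   # ['udp/53']
    print(transport_plan(QTYPE_A, constructed_reply(q, truncated=True)))    # ['udp/53', 'tcp/53']
    print(transport_plan(QTYPE_AXFR, None))                                 # ['tcp/53']
```

A firewall that permits only UDP 53 breaks exactly the second and third cases: truncated answers never get retried and zone transfers never start, which is the practical reason the exam answer for DNS is "both".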
Firewall Rule Interpretation Questions
The exam presents firewall rule tables and asks what traffic is permitted. The key rules for reading them:
- Rules are evaluated top-to-bottom, first match wins.
- Most firewalls have an implicit "deny all" at the bottom if no rule matches.
- Stateful firewalls automatically permit return traffic for established connections — you don't need explicit return rules.
- Stateless firewalls (ACLs) need explicit rules for both directions.
Sample scenario: a stateful firewall in front of a web server allows TCP port 443 inbound, allows UDP port 53 inbound and outbound, and blocks all other traffic.
- Can external users reach the HTTPS site? Yes (TCP 443 inbound is allowed).
- Can they reach it over plain HTTP? No (TCP 80 is not in the allow list).
- Can the server send DNS queries? Yes (UDP 53 outbound is allowed, and the reply is matched to the query).
- Can anyone behind the firewall retrieve email via IMAP? No (TCP 143 is not allowed in either direction).
- Can internal users browse external HTTPS sites? Not with these rules: the 443 rule is inbound only, and a stateful firewall permits replies to allowed traffic, not new outbound connections. Direction matters as much as the port number.
Another common scenario: "A company's email server can receive email from the internet but cannot send email. Which port must be opened outbound?" → Port 25 (SMTP) outbound. Receiving uses port 25 inbound; sending uses port 25 outbound. Many ISPs block outbound port 25 to prevent spam from compromised systems — this is a real-world configuration that the exam models.
Port Knocking and NAT Port Forwarding
NAT port forwarding (also called destination NAT or DNAT) maps an external port on the router's public IP to an internal private IP and port. This allows external clients to reach internal servers.
Example: web server at 192.168.1.10 on internal port 80. Router's public IP is 203.0.113.1. Configure: external port 80 on 203.0.113.1 → forward to 192.168.1.10:80. External clients connect to 203.0.113.1:80 and reach the internal web server.
Non-standard port mapping: external port 8080 → internal 192.168.1.10:80. External clients connect to 203.0.113.1:8080 and reach the web server. Moving the port hides nothing from a port scanner, so treat it as obscurity rather than security; the server still needs patching and proper access control.
Exam pattern: "A company hosts a web server at 10.0.0.50 on port 80. External users must access it at the company's public IP. What must be configured?" → NAT port forwarding (or static NAT) mapping the public IP port 80 to 10.0.0.50 port 80.
Port knocking is a security technique where a firewall port remains closed until a specific sequence of connection attempts (the "knock") is made to other ports. Only a client who knows the sequence and timing gets the firewall to temporarily open the target port, and only for that client's address. The exam tests this as a security concept, not a configuration skill. In practice the knock sequence travels in cleartext, so anyone who can sniff the path can replay it; single-packet authorization, which replaces the sequence with one cryptographically authenticated packet, is the hardened successor.
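A toy port-knocking daemon, added here as an example and not code from the original guide or from any real knock daemon. It tracks each source's progress through the sequence with a timeout, opens the protected port for that source only, and lets a wrong knock reset the sequence. The clock is injectable so the demonstration is deterministic; the addresses and ports are constructed.

```python
import time
from typing import Callable


class KnockDaemon:
    """Constructed port-knocking example.

    The protected port stays closed until a source IP sends SYNs to the
    ports in `sequence`, in order, each within `window` seconds of the
    previous one. The knocks themselves are never answered. A completed
    sequence opens the protected port for that IP only, for `open_for`
    seconds. A wrong or out-of-order knock restarts the sequence.
    """

    def __init__(self, sequence, protected_port, window=5.0, open_for=30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.sequence = tuple(sequence)
        self.protected_port = protected_port
        self.window = window
        self.open_for = open_for
        self.clock = clock                # injectable so the example is deterministic
        self._progress = {}               # src_ip -> (next_index, time_of_last_knock)
        self._opened = {}                 # src_ip -> expiry time

    def knock(self, src_ip: str, port: int) -> bool:
        """Record a SYN to a closed port. Returns True when the sequence completes."""
        now = self.clock()
        idx, last = self._progress.get(src_ip, (0, now))
        if now - last > self.window:
            idx = 0                       # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == self.sequence[0] else 0   # wrong knock: restart
        if idx == len(self.sequence):
            self._progress.pop(src_ip, None)
            self._opened[src_ip] = now + self.open_for
            return True
        self._progress[src_ip] = (idx, now)
        return False

    def is_open(self, src_ip: str) -> bool:
        expiry = self._opened.get(src_ip)
        if expiry is None:
            return False
        if self.clock() > expiry:
            del self._opened[src_ip]      # the window has closed again
            return False
        return True

    def allow(self, src_ip: str, dst_port: int) -> bool:
        """Firewall decision for a SYN to dst_port from src_ip."""
        if dst_port == self.protected_port:
            return self.is_open(src_ip)
        self.knock(src_ip, dst_port)      # any other port is treated as a knock
        return False


if __name__ == "__main__":
    fake_time = [0.0]                     # constructed clock for the demo
    d = KnockDaemon((7000, 8000, 9000), protected_port=22, clock=lambda: fake_time[0])
    for t, port in ((0.0, 7000), (1.0, 8000), (2.0, 9000)):
        fake_time[0] = t
        print(f"t={t}: knock {port} -> complete={d.knock('198.51.100.7', port)}")
    print("SSH allowed for knocker:", d.allow("198.51.100.7", 22))     # True
    print("SSH allowed for stranger:", d.allow("203.0.113.9", 22))     # False
    fake_time[0] = 40.0
    print("SSH allowed after expiry:", d.allow("198.51.100.7", 22))    # False
```

Note what the daemon does not do: it never checks who sent the knocks beyond the source IP, so the sequence is a shared secret observable on the wire, which is the weakness single-packet authorization addresses.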
Ephemeral Ports and Connection Tracking
When a client initiates an outbound TCP connection, it uses a source port chosen from the ephemeral (dynamic) port range. The exam treats everything above 1023 (1024–65535) as ephemeral; IANA reserves 49152–65535 for dynamic use, and Linux picks from 32768–60999 by default. The OS assigns the port at random for the duration of the connection.
Example: your browser connects to google.com:443. Your OS picks a random source port, say 52341. The connection is: your-IP:52341 → google-IP:443. Google's response comes back to your-IP:52341.
A stateful firewall tracks this connection in a state table: {src: your-IP:52341, dst: google-IP:443, state: ESTABLISHED}. Return traffic matching this tuple is automatically permitted without an explicit rule.
A stateless firewall or ACL does not track state. To allow this connection through, you need:
- Inbound rule: permit TCP from google-IP port 443 to your-IP ports 1024-65535 (or any). Cisco extended ACLs narrow this with the established keyword, which matches only segments with ACK or RST set, so a bare inbound SYN to those ports is still dropped.
- Outbound rule: permit TCP from your-IP any-port to google-IP port 443
The exam tests the difference: "A network administrator configures an ACL to allow outbound HTTPS (port 443). Users can reach HTTPS sites but pages don't load. What is missing?" → A rule permitting inbound return traffic on ephemeral ports (or switching to a stateful firewall).
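A small rule-table simulator, added here as an example (not from the original guide), that covers both the firewall-rule section and the ephemeral-port question above: first match wins, unmatched traffic hits the implicit deny, a stateful firewall admits replies by looking up the reversed 5-tuple, and a stateless ACL needs an explicit inbound rule on ephemeral ports (shown with a Cisco-style established check). The addresses and port numbers in the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# IANA dynamic range; Linux defaults to 32768-60999, the exam accepts "above 1023".
EPHEMERAL = range(49152, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str        # "in" or "out", relative to the protected network
    ack: bool = False     # TCP ACK flag; a bare SYN (ack=False) opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str = "any"
    direction: str = "any"
    dst_ports: Optional[range] = None   # None = any port
    established: bool = False           # Cisco-style: match only segments with ACK set

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.direction in ("any", p.direction)
                and (self.dst_ports is None or p.dst_port in self.dst_ports)
                and (not self.established or p.ack))


class Firewall:
    """First-match rule table with an implicit deny; optional connection tracking."""

    def __init__(self, rules, stateful: bool):
        self.rules = list(rules)
        self.stateful = stateful
        self.conntrack = set()          # 5-tuples of connections a permit rule admitted

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p: Packet) -> str:
        # Stateful: a reply whose reversed 5-tuple is tracked bypasses the table.
        if self.stateful and self._reverse(p) in self.conntrack:
            return "permit (established)"
        for i, rule in enumerate(self.rules):   # top to bottom, first match wins
            if rule.matches(p):
                if rule.action == "permit" and self.stateful:
                    self.conntrack.add(self._key(p))
                return f"{rule.action} (rule {i})"
        return "deny (implicit)"


def exam_scenario() -> dict:
    """Client 10.0.0.25 opens HTTPS to 203.0.113.80 (constructed addresses).
    Returns (verdict for the outbound SYN, verdict for the inbound SYN-ACK)
    under each firewall configuration."""
    client, site = "10.0.0.25", "203.0.113.80"
    syn = Packet("tcp", client, 51234, site, 443, "out")
    syn_ack = Packet("tcp", site, 443, client, 51234, "in", ack=True)
    permit_https_out = Rule("permit", "tcp", "out", dst_ports=range(443, 444))
    configs = {
        # The exam question: outbound 443 only, on a stateless ACL.
        "stateless_acl": Firewall([permit_https_out], stateful=False),
        # Fix 1: explicit return rule on ephemeral ports, limited to ACK-bearing segments.
        "stateless_acl_fixed": Firewall(
            [permit_https_out, Rule("permit", "tcp", "in", dst_ports=EPHEMERAL, established=True)],
            stateful=False),
        # Fix 2: a stateful firewall tracks the connection itself.
        "stateful": Firewall([permit_https_out], stateful=True),
        # Ordering trap: a deny-all placed first shadows every rule under it.
        "shadowed": Firewall([Rule("deny"), permit_https_out], stateful=True),
    }
    return {name: (fw.filter(syn), fw.filter(syn_ack)) for name, fw in configs.items()}


if __name__ == "__main__":
    for name, verdicts in exam_scenario().items():
        print(f"{name:20s} SYN out: {verdicts[0]:18s} SYN-ACK in: {verdicts[1]}")
```

The "stateless_acl" row reproduces the exam symptom exactly: the SYN leaves, the SYN-ACK is dropped by the implicit deny, and the page never loads.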