
Port 3222 doesn't appear in the IANA registry with a name. But if you run a packet capture on a Cisco enterprise network, you'll find it busy—every three seconds, routers sending hellos to each other, confirming they're still standing.

The Registered Range

Port 3222 sits in the registered port range (1024–49151). These ports are meant to be claimed: a vendor or developer registers their service with IANA, gets their port number, and that binding becomes official. IANA tracks it; tools recognize it; firewall rules can be written with confidence.

Port 3222 skipped that step. Cisco built GLBP, shipped it in IOS, and the port came along without a registration. This isn't unusual for Cisco's proprietary protocols—it's a pattern, not an oversight.

What Actually Uses This Port

GLBP (Gateway Load Balancing Protocol) uses UDP port 3222 for its hello messages.[1]

GLBP is a first-hop redundancy protocol—the same category as HSRP (port 1985) and VRRP. The job of these protocols is to ensure that if your default gateway dies, another router steps in before your workstations notice anything is wrong.

What GLBP does differently from HSRP and VRRP: it load balances, not just fails over. Standard redundancy protocols designate one active router and keep others warm and waiting. GLBP distributes traffic across multiple routers simultaneously, each answering ARP requests with different virtual MAC addresses. The standby routers aren't just waiting—they're working.

The hello packets that flow over port 3222 carry the information that makes this possible: who's the Active Virtual Gateway (AVG), who's an Active Virtual Forwarder (AVF), what's the current weighting, who's healthy. Every three seconds. To multicast address 224.0.0.102, with both source and destination port set to 3222.[2]

If three consecutive hellos go missing, a router assumes its peer is gone and elections begin.

Who Will Find This Port Open

You'll encounter port 3222 in enterprise networks—specifically, on Cisco routers configured for gateway redundancy. It's link-local multicast traffic, meaning it doesn't cross routers; it stays on the local segment. You won't see it on the open Internet.

If you see port 3222 on a device that isn't a Cisco router participating in a GLBP group, investigate. It doesn't belong there.
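The check described above can be automated over capture or flow exports. The following is an added example, not code from the original page: it sorts UDP records into expected GLBP hellos and traffic worth investigating, and lists known routers that have missed three hello intervals. The record layout, the `KNOWN_ROUTERS` allowlist and all addresses other than 224.0.0.102 are constructed assumptions.

```python
from ipaddress import ip_address

GLBP_PORT = 3222
GLBP_GROUP = ip_address("224.0.0.102")
HELLO_INTERVAL = 3   # seconds between hellos, as stated on this page
MISSED_LIMIT = 3     # consecutive missed hellos before a peer is presumed gone

# Assumption: routers you have configured for GLBP (constructed addresses).
KNOWN_ROUTERS = {ip_address("10.0.0.2"), ip_address("10.0.0.3")}

# Constructed UDP flow records: (time_s, src_ip, src_port, dst_ip, dst_port).
SAMPLE = [
    (0.0, "10.0.0.2", 3222, "224.0.0.102", 3222),
    (0.1, "10.0.0.3", 3222, "224.0.0.102", 3222),
    (3.0, "10.0.0.2", 3222, "224.0.0.102", 3222),
    (4.2, "10.0.0.77", 3222, "224.0.0.102", 3222),  # hello-shaped, unknown sender
    (5.0, "10.0.0.50", 40112, "10.0.0.9", 3222),    # unicast to 3222
    (6.0, "10.0.0.2", 3222, "224.0.0.102", 3222),
    (12.0, "10.0.0.2", 3222, "224.0.0.102", 3222),
    (5.5, "10.0.0.50", 53211, "10.0.0.1", 53),      # unrelated traffic
]

def classify(rec, known=KNOWN_ROUTERS):
    """Return a verdict for one record, or None if port 3222 is not involved."""
    _, src, sport, dst, dport = rec
    if GLBP_PORT not in (sport, dport):
        return None
    hello_shaped = sport == dport == GLBP_PORT and ip_address(dst) == GLBP_GROUP
    if not hello_shaped:
        return "investigate: port 3222 traffic that is not GLBP-shaped"
    if ip_address(src) not in known:
        return "investigate: GLBP hello from unknown sender"
    return "expected GLBP hello"

def silent_peers(records, now, known=KNOWN_ROUTERS):
    """Known routers with no expected hello in the last MISSED_LIMIT intervals."""
    last = {}
    for rec in records:
        if classify(rec, known) == "expected GLBP hello":
            src = ip_address(rec[1])
            last[src] = max(rec[0], last.get(src, rec[0]))
    limit = HELLO_INTERVAL * MISSED_LIMIT
    return sorted(str(r) for r in known if now - last.get(r, float("-inf")) > limit)

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec, "->", classify(rec))
    print("silent at t=12.5:", silent_peers(SAMPLE, now=12.5))
```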

How to Check What's Listening

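On Linux or macOS:

# Linux only: ss ships with iproute2 and is not available on macOS.
# Run as root to see the owning process for sockets of other users.
ss -ulnp | grep 3222
# Linux or macOS
lsof -i UDP:3222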

On Windows:

netstat -ano -p udp | findstr :3222

On a Cisco device, to see GLBP state:

show glbp
show glbp brief

Why Unassigned Ports Matter

The IANA registry exists so that when a packet arrives on port 3222, you have somewhere to look up what it might mean. When that registration is missing, the port becomes a question mark—benign in controlled environments, suspicious everywhere else.

Unassigned ports in the registered range aren't inherently dangerous. They're just undocumented. The danger is that "unassigned" and "unused" aren't the same thing, and assuming they are is how things get missed.

GLBP's use of port 3222 is the clearest example: widespread, real, consequential—and invisible to anyone who only consults the registry.
