Port 2000: Cisco's Skinny Protocol — Officially Unassigned, Practically Ubiquitous

Port 2000 sits in the registered port range (1024–49151) — the middle territory of the port numbering system, where IANA coordinates assignments but doesn't mandate them. According to IANA's official registry, port 2000 has no assigned service.¹

In practice, that's not quite the full story.

What Actually Runs Here

If you scan the Internet and find port 2000 open, you're almost certainly looking at a Cisco phone system running SCCP — the Skinny Client Control Protocol.

Cisco IP phones use SCCP to register with and talk to Cisco Unified Communications Manager (CUCM, formerly CallManager). The phone connects via TCP on port 2000, announces itself, and from that moment on the call manager owns the phone: ringing it, routing calls, pushing button labels to the screen, telling it when to start and stop transmitting audio.

Every call you make from a Cisco desk phone — the ring, the pickup, the transfer, the hold music — is choreographed through port 2000.²

The Name "Skinny"

SCCP earned its nickname honestly. In the late 1990s, enterprise VoIP was dominated by H.323, a protocol so complex it required significant processing power just to parse. Selsius Corporation, a Dallas-based startup, built a leaner alternative designed to run comfortably on the modest hardware inside an IP phone. They called it Skinny.

Cisco acquired Selsius in 1998 for $145 million and inherited the protocol. It's still sometimes called the Selsius Skinny Station Protocol in Cisco documentation, a small archaeological artifact of where it came from.³

SCCP uses a simple binary message format over a persistent TCP connection. The phone stays connected to its call manager indefinitely — the connection itself is the registration. If it drops, the phone goes dark until it can reconnect.

What the Port Range Means

Registered ports (1024–49151) are the middle tier:

• Well-known ports (0–1023): Reserved for major protocols (HTTP on 80, HTTPS on 443, SSH on 22). Require elevated privileges to bind on most systems.
• Registered ports (1024–49151): IANA maintains a registry here, but registration is voluntary. Services apply for a number; many don't bother, or use numbers informally.
• Dynamic/ephemeral ports (49152–65535): Assigned temporarily by the OS for outgoing connections. Never registered.

Port 2000 is registered territory, but Cisco never formally claimed it. They simply used it, it spread across millions of deployments, and now "port 2000" and "Cisco phones" are effectively synonymous in network diagnostics.⁴

Security Considerations

SCCP transmits signaling data in plaintext by default. An attacker with network access can observe call setup, teardown, and metadata. Cisco addressed this with SCCPS (Secure SCCP) on port 2443, which wraps the protocol in TLS.

If you see port 2000 open on a device that isn't a Cisco communications server, investigate. Historically, several remote access trojans have used port 2000 as a backdoor, knowing that firewalls configured for Cisco environments often permit it.

How to Check What's Listening

On any machine:

# Linux / macOS
sudo ss -tlnp | grep :2000
sudo lsof -i TCP:2000

# Windows
netstat -ano | findstr :2000

On a network scanner:

nmap -sV -p 2000 <target>

Nmap will usually fingerprint SCCP correctly and report cisco-sccp. If it reports something else — or nothing — that's worth investigating.

Related Ports

• 2443 — Secure SCCP (SCCPS), the TLS-wrapped version
• 5060 — SIP, the open-standard alternative to SCCP for VoIP signaling
• 5061 — SIP over TLS
• 1720 — H.323, the complex predecessor SCCP was designed to replace