Port 130 is officially assigned by IANA to cisco-fna, a protocol Cisco calls FNATIVE. Both TCP and UDP are registered. And that is nearly everything the public has ever been told about it.

What Cisco FNATIVE Is (and Isn't)

Cisco FNATIVE is a proprietary protocol used by the Network Analysis Module (NAM), a hardware blade that slotted into Cisco Catalyst 6000 and 6500 series switches[1]. The NAM provided deep traffic monitoring, RMON-based analytics, and application-layer visibility, the kind of instrumentation network engineers needed to troubleshoot problems across large campus and data center networks.

Port 130 was one of three consecutive well-known ports Cisco registered for this purpose:

Port    Service Name    Description
130     cisco-fna       Cisco FNATIVE
131     cisco-tna       Cisco TNATIVE
132     cisco-sys       Cisco SYSMAINT

These three ports handled communication between the NAM module and the switch's management plane. The "F" in FNATIVE likely stands for "Fast" and the "T" in TNATIVE for "Trunk," though Cisco has never confirmed this publicly. SYSMAINT handled system maintenance operations[2].

The Protocol That Was Never Documented

Here is what makes port 130 genuinely unusual: it is an officially assigned well-known port with no public documentation of its protocol.

In August 2003, a network administrator posted on the Cisco Community forums asking what cisco-fna actually does. The response from Cisco: "They are for Cisco Proprietary Protocols use on Cisco Catalyst 6000 Network Analysis Modules. It is considered internal information and hence is not documented on CCO"[3].

That was in 2003. Over twenty years later, the answer hasn't changed. The protocol appears in Cisco IOS firewall inspection rules alongside HTTP, FTP, and SNMP, recognizable enough for a router to inspect, but never explained to the people configuring those routers[4].

The Hardware Behind the Port

The Catalyst 6000 series launched in 1999, and the original Network Analysis Module (WS-X6380-NAM) shipped around the same time[5]. The NAM was a physical blade that sat inside the switch chassis, capturing and analyzing traffic at wire speed. It provided:

  • Layer 2 through Layer 7 traffic visibility
  • RMON and RMON-2 based monitoring
  • Application performance analytics
  • Real-time troubleshooting capabilities

The NAM needed to communicate with the switch's supervisory engine, and that communication ran over ports 130, 131, and 132. Think of it as a private conversation between two pieces of hardware sharing the same chassis, conducted over the same TCP/IP stack that carried everyone else's traffic.

The NAM product line went through several generations (NAM-1, NAM-2, NAM-3) before evolving into standalone appliances and eventually virtual appliances (vNAM). The original Catalyst 6500 NAM modules have been retired and are no longer supported[6].

Security Considerations

Port 130 has been flagged in some threat databases because malware has historically used it for communication. This is a common pattern: attackers choose obscure ports precisely because they are unlikely to be monitored or understood by security teams.

If you are not running Cisco Catalyst 6000/6500 hardware with a Network Analysis Module, there is no reason for port 130 to be open on your network. Block it at the firewall. If you see unexpected traffic on port 130, investigate.

Checking What's Listening on Port 130

On Linux:

sudo ss -tulnp 'sport = :130'
sudo lsof -i :130

On macOS:

sudo lsof -i :130

On Windows:

netstat -ano | findstr /C:":130 "
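
On Linux, the check can be scripted so that it covers both TCP and UDP and all three NAM ports (130, 131, 132) while matching the port number exactly. This is an added example, not code from the original page; the function names nam_listeners and sample_ss_output and the sample socket list are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sockets bound to ports 130-132 from `ss -H -tuln[p]` output.

nam_listeners() {
    awk '
    BEGIN {
        # Service names as listed in the table on this page.
        svc["130"] = "cisco-fna"; svc["131"] = "cisco-tna"; svc["132"] = "cisco-sys"
    }
    {
        # Column 5 is Local Address:Port. Taking the text after the last colon
        # gives an exact port, so :1300 and :13000 are not reported, and it
        # also handles IPv6 forms such as [::]:131.
        n = split($5, part, ":")
        port = part[n]
        if (port in svc) {
            proc = (NF >= 7) ? $7 : "-"   # owner column needs -p and root
            printf "%s %s %s %s\n", $1, $5, svc[port], proc
        }
    }'
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0  128    0.0.0.0:22       0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0  128    0.0.0.0:1300     0.0.0.0:*   users:(("app",pid=900,fd=7))
udp   UNCONN 0  0      0.0.0.0:130      0.0.0.0:*   users:(("agent",pid=4242,fd=5))
tcp   LISTEN 0  5         [::]:131         [::]:*
tcp   LISTEN 0  128  127.0.0.1:13000    0.0.0.0:*   users:(("db",pid=77,fd=4))
EOF
}

# On a live Linux host: sudo ss -H -tulnp | nam_listeners
sample_ss_output | nam_listeners
```

Each output line gives the protocol, the local address and port, the registered service name, and the owning process if ss reported one.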

The Bigger Picture: Proprietary Ports in Public Space

Port 130 raises an interesting question about the well-known port range (0 through 1023). These ports are assigned by IANA and historically reserved for system-level services that serve the common infrastructure of the Internet. DNS gets port 53. HTTP gets port 80. SSH gets port 22. These are public protocols with public documentation, RFCs anyone can read, implementations anyone can write.

Cisco secured three of these ports for protocols it has never documented. The ports are registered. They are legitimate. And they are, for all practical purposes, private property on a public street.

This is not unique to Cisco. Other vendors have registered well-known ports for proprietary purposes. But port 130 and its siblings are among the purest examples of the tension between open standards and proprietary systems that has shaped networking since its earliest days.

Port 130: Cisco FNATIVE — The Protocol Cisco Never Explained • Connected