Port 1589 carries Cisco's VLAN Query Protocol (VQP), a proprietary protocol that answered one question: "Which VLAN should this device belong to?"
What VQP Does
When a device plugged into a Cisco switch configured for dynamic VLAN membership, the switch would:
- Read the device's MAC address
- Send a VQP query over UDP port 1589 to a VLAN Management Policy Server (VMPS)
- Wait for the VMPS to respond with a VLAN assignment
- Place the device in that VLAN
The idea: centralized control over which devices could access which network segments, based entirely on MAC address.
The Problem VQP Solved (in 1997)
In the late 1990s, VLANs were relatively new. Network admins wanted a way to automatically assign devices to the correct VLAN without manually configuring every switch port. VQP gave them a database-driven approach: maintain a list of MAC addresses and their allowed VLANs on a central server, and let the switches query it.
This worked. For a while.
Why VQP Is Dead
Cisco deprecated VQP around 2009 [1]. The reasons:
- Proprietary: VQP only worked with Cisco switches. No RFC, no interoperability, no future.
- MAC-based security is weak: MAC addresses can be spoofed trivially. Basing network access control on MAC addresses is like locking your front door but leaving the key under the mat.
- 802.1X exists: The industry standardized on 802.1X port-based network access control with RADIUS servers handling dynamic VLAN assignment. It's authenticated, encrypted, vendor-neutral, and actually secure.
VQP made sense in 1997. By 2009, it was obsolete. By 2026, it's archaeology.
The Ghost in the Config
VQP still appears in:
- Old Cisco documentation for Catalyst switches running IOS 15.x and earlier
- Legacy enterprise networks that haven't been upgraded in 15+ years
- Security scans that flag port 1589 as open and wonder what's listening
If you see port 1589 open on a modern network, someone either forgot to turn off VMPS or is running infrastructure old enough to vote.
How to Check What's on Port 1589
On Linux/macOS:
On Windows:
If something's listening, it's almost certainly a legacy Cisco VMPS server. Or someone repurposed the port for something else entirely, which happens with unassigned registered ports.
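One way to run this check on a Linux host without extra tools, as an added example that is not from the original page: it reads the kernel's UDP socket table in `/proc/net/udp` and reports every socket bound to port 1589. The sample table and the function names are constructed for illustration, and the address decoding assumes a little-endian host.

```python
"""Find UDP sockets bound to port 1589 by parsing Linux /proc/net/udp{,6}."""
import ipaddress
from pathlib import Path

VQP_PORT = 1589  # appears as 0635 in the hex form /proc uses

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0635 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20511 2 0000000000000000 0
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 18340 2 0000000000000000 0
  103: 0A01A8C0:0635 0101A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 20777 2 0000000000000000 0
"""

def decode_addr(hex_addr):
    """Decode a /proc address: 32-bit words stored in little-endian host order."""
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return str(ipaddress.ip_address(b"".join(words)))

def sockets_on_port(table, port=VQP_PORT):
    """Return (local_ip, state, uid, inode) for every socket bound to `port`."""
    hits = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # State 07 is an unconnected socket (a listener); 01 is connected.
        state = "unconnected" if fields[3] == "07" else "connected"
        hits.append((decode_addr(addr_hex), state, int(fields[7]), int(fields[9])))
    return hits

def scan_host():
    """Run the same check against the live tables when they exist (Linux only)."""
    hits = []
    for path in (Path("/proc/net/udp"), Path("/proc/net/udp6")):
        if path.exists():
            hits += sockets_on_port(path.read_text())
    return hits

if __name__ == "__main__":
    for hit in sockets_on_port(SAMPLE) + scan_host():
        print("udp/%d bound: ip=%s state=%s uid=%d inode=%d" % ((VQP_PORT,) + hit))
```

The inode in each result can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process.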
The Registered Ports Range
Port 1589 sits in the registered ports range (1024-49151). These ports are registered with IANA but not reserved for system services. Anyone can use them, but well-known services tend to claim specific numbers to avoid conflicts.
VQP claimed 1589 in the Cisco ecosystem. Outside that ecosystem, 1589 is just another number.
What This Port Represents
Port 1589 is a reminder that proprietary protocols age poorly. Cisco built VQP when they dominated enterprise networking and could define their own standards. But vendor lock-in loses to open standards eventually. 802.1X won because it worked everywhere, not just on Cisco gear.
The Internet doesn't remember proprietary protocols fondly. It buries them and moves on.