PSM Networking Considerations
The PSM platform offers a set of services for visualizing and controlling network equipment. Figure 1 shows a typical network deployment with management traffic being separated onto a secure management network.
Figure 1: Typical Network Deployment

The network elements under management connect to the public Internet, but also maintain a separate and distinct connection to the management network. Traffic cannot cross from the public Internet to the management network. This can be enforced through physical segregation as shown above.
The PSM clients are connected to the management network. In some deployments, the clients might connect to the management network across the public Internet by using a VPN (not shown).
The PSM server (and other servers) are directly connected to the management network. Although the servers are shown as co-located, this is not necessary. If the servers are not co-located, the respective router/firewalls might need to be configured to allow proper communication between the servers (if necessary). These servers typically have public Internet connections as well, but through a separate physical interface. This is not shown.
The PSM platform requires communication paths between the following:
- the PSM clients and the PSM server
- the PSM server and other PSM servers
- the PSM clients and the network elements under management
- the PSM server and the network elements under management
- the PSM server and the external RADIUS server (if applicable)
- the PSM server and other hosts, such as for backups, downloading of software images, etc. (not shown)
PSM Port Usage
The PSM platform provides services that are advertised on a set of protocol ports and leveraged by the PSM applications as well as by third party applications such as web browsers and servers running standard services.
If you are configuring a firewall to allow PSM traffic to pass through, you should be aware of the following communication paths in the PSM operating environment:
- PSM client to/from PSM server
- PSM server to/from PSM server
- PSM server to/from a network element
- PSM client to/from a network element
- PSM server to/from a Network Operations Center (NOC), such as for HP Openview
- PSM server to/from an external RADIUS server
- PSM server to/from other hosts
Note: Communication between a PSM client and the PSM server assumes a secure, non-NATed network. Network address translation (NAT), which effectively hides the actual IP addresses, can cause connectivity problems between the client and the server.
Table 1 through Table 7 show the default port numbers that PSM and its attendant applications use on these different paths. Depending on the path, each endpoint can assume a client role or a server role or both roles. Since some of the applications support configurable port numbers, you will need to adjust the table entries accordingly if you change the port numbers from their defaults.
Additionally, network elements might have their own networking requirements outside of PSM connectivity. Table 8 shows the BTI7800 networking port numbers.
The tables in this section provide information on the typical operating environment and cannot cover all possible scenarios in your network. For this reason, use the information in these tables to complement your own network implementation.
Note: To ensure there are no issues with the PSM operating environment, we recommend that the full ephemeral port range defined by IANA be open for client ports, that is, TCP ports 1023:65535.
Table 1: Port Usage in PSM Client to PSM Server Communications
Application | Description | PSM client port numbers | PSM server port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
FTP | For file transfer between a PSM client and PSM server. | TCP:ephemeral | TCP:20,21 |
SSH, SCP, SFTP | For secure connectivity, server administration, and secure file transfers. | TCP:ephemeral | TCP:22 |
Monit Web GUI | For monitoring the PSM server using a Web GUI. | TCP:ephemeral | TCP:2812 |
MySQL (support) | For troubleshooting. | TCP:ephemeral | TCP:3306 |
Graphite web interface | For historical PMs. | TCP:ephemeral | TCP:8080 |
proNX Service Manager Dashboard | For proNX Service Manager Dashboard connectivity. | TCP:ephemeral | TCP:9000 |
JMX (support) | For troubleshooting. | TCP:ephemeral | TCP:9520 |
PSM REST WS | Representational state transfer web service, for normal HTTPS communication between a PSM client and the PSM server. | TCP:ephemeral | TCP:9998 |
| | | Protocol Role: server | Protocol Role: client |
PSM REST Notification WS | Representational state transfer web service, for notifications from the PSM server. | TCP:9999-10100 | TCP:ephemeral |
Table 2: Port Usage in PSM Server to PSM Server Communications
Application | Description | PSM server port numbers | PSM server port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
Server Replication | For server replication messages between servers. | TCP:ephemeral | TCP:9999-10100 |
Table 3: Port Usage in PSM Server to Network Element Communications
Application | Description | PSM server port numbers | Network element port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
ICMP | Ping utility, used by the PSM server to check connectivity to the NEs. | port numbers not applicable | port numbers not applicable |
NETCONF | For normal communication between the PSM server and the NE. | TCP:ephemeral | BTI7800: TCP:2022; Juniper Networks MX Series router: TCP:830 |
CLI | For access to the CLI, normally executed from a PSM client, but can be run from the PSM server, as applicable. | TCP:ephemeral | See Table 4. |
TL1 | For access to TL1, normally executed from a PSM client, but can be run from the PSM server, as applicable. | TCP:ephemeral | See Table 4. |
SNMP | For normal communication between the PSM server and the NE. | UDP:ephemeral | UDP:161 |
| | | Protocol Role: server | Protocol Role: client |
FTP | For NE backup, restore, and software upgrades. This is only required if the FTP server on the PSM server is used. If an external FTP server is used, then the NEs will need access to those ports on the external FTP server. | TCP:20,21 | TCP:ephemeral |
SFTP | For NE backup, restore, and software upgrades. This is only required if the SFTP server on the PSM server is used. If an external SFTP server is used, then the NEs will need access to those ports on the external SFTP server. | TCP:22 | TCP:ephemeral |
NTP | For the NTP time synchronization service provided to the NEs. This is only required if the NTP (server-side) service on the PSM server is used. | UDP:123 | UDP:ephemeral |
SNMP | For notifications from the NEs. | UDP:162,1620 | UDP:ephemeral |
RADIUS | For authentication when logging in to the NEs. This is only required if the RADIUS server on the PSM server is used. | UDP:1812,1813 | UDP:ephemeral |
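
The listening ports of the PSM server from Tables 1 to 3 can be turned into firewall rules and used to audit an existing allow-list. The following is an added example, not part of the original documentation; it assumes nftables on the filtering host, and the set names `psm_clients`, `psm_servers` and `network_elements` as well as the sample policy are hypothetical.

```python
# Added example. Default inbound ports of the PSM server, transcribed from Table 1,
# Table 2 and the server-role rows of Table 3. Set names are hypothetical nftables sets.
PSM_SERVER_INBOUND = [
    ("psm_clients", "TCP:20,21"),           # FTP
    ("psm_clients", "TCP:22"),              # SSH, SCP, SFTP
    ("psm_clients", "TCP:2812"),            # Monit Web GUI
    ("psm_clients", "TCP:3306"),            # MySQL (support)
    ("psm_clients", "TCP:8080"),            # Graphite web interface
    ("psm_clients", "TCP:9000"),            # proNX Service Manager Dashboard
    ("psm_clients", "TCP:9520"),            # JMX (support)
    ("psm_clients", "TCP:9998"),            # PSM REST WS
    ("psm_servers", "TCP:9999-10100"),      # server replication
    # Table 3: the rows below, except SNMP, apply only if that PSM-server service is used.
    ("network_elements", "TCP:20,21"),      # FTP
    ("network_elements", "TCP:22"),         # SFTP
    ("network_elements", "UDP:123"),        # NTP
    ("network_elements", "UDP:162,1620"),   # SNMP notifications
    ("network_elements", "UDP:1812,1813"),  # RADIUS
]

def parse_spec(spec):
    """'TCP:9999-10100' -> ('tcp', [(9999, 10100)])."""
    proto, _, ports = spec.partition(":")
    ranges = []
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return proto.lower(), ranges

def nft_rule(peer_set, spec):
    """Render one table row as an nftables accept rule."""
    proto, ranges = parse_spec(spec)
    elems = ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)
    return f"ip saddr @{peer_set} {proto} dport {{ {elems} }} accept"

def expand(entries):  # flatten (peer, spec) pairs into {(peer, proto, port)}
    out = set()
    for peer, spec in entries:
        proto, ranges = parse_spec(spec)
        for lo, hi in ranges:
            out |= {(peer, proto, p) for p in range(lo, hi + 1)}
    return out

def audit(policy):
    """Return (flows in the tables but not allowed, flows allowed but not in the tables)."""
    required, allowed = expand(PSM_SERVER_INBOUND), expand(policy)
    return sorted(required - allowed), sorted(allowed - required)
# Constructed allow-list standing in for an existing firewall policy.
SAMPLE_POLICY = [("psm_clients", "TCP:22"), ("psm_clients", "TCP:9998"),
                 ("psm_clients", "TCP:23"), ("network_elements", "UDP:162")]
```

Calling `audit(SAMPLE_POLICY)` reports the table flows the sample policy does not yet permit and the one allowed flow (TCP 23 from clients to the server) that none of the three tables lists.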
Table 4: Port Usage in PSM Client to Network Element Communications (includes proNX 900 Running on the Client Machine)
Application | Description | PSM client port numbers | Network element port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
ICMP | Ping utility, used by the proNX 900 on the PSM client machine to check connectivity to the NEs. | port numbers not applicable | port numbers not applicable |
SNMP | For normal proNX 900 communication with the NE. | UDP:ephemeral | UDP:161 |
CLI | For access to the CLI on the NE. | TCP:ephemeral | TCP: 22 (SSH to BTI7800 Series NEs and MX Series routers), 23 (telnet to BTI700 Series and BTI800 Series NEs), 3084 (telnet to BTI7000 Series NEs), 8022 (SSH to BTI7000 Series NEs) |
TL1 | For access to TL1 on the NE. | TCP:ephemeral | TCP: 3021 (SSH used by proNX 900), 3022 (SSH), 3082 (telnet used by proNX 900), 3083 (telnet) |
Shell | For access to the BTI7800 operating system shell. | TCP:ephemeral | TCP:2024 |
| | | Protocol Role: server | Protocol Role: client |
FTP | For NE backup, restore, and software upgrades. This is only required if the FTP server on a PSM client is used. If an external FTP server is used, then the NEs will need access to those ports on the external FTP server. | TCP:20,21 | TCP:ephemeral |
SFTP | For NE backup, restore, and software upgrades. This is only required if the SFTP server on a PSM client is used. If an external SFTP server is used, then the NEs will need access to those ports on the external SFTP server. | TCP:22 | TCP:ephemeral |
Table 5: Port Usage in PSM Server to Network Operations Center Communications
Application | Description | PSM server port numbers | Network Operations Center (NOC) port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
SNMP | For northbound traps to the NOC (for example, to HP Openview) | UDP:ephemeral | UDP:162 |
Table 6: PSM Server to External RADIUS Server Communications
Application | Description | PSM server port numbers | External RADIUS server port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
RADIUS | For authentication when logging in to the PSM server. This is only required if an external RADIUS server is used. | UDP:ephemeral | UDP:1812,1813 |
Table 7: PSM Server to Other Hosts
Application | Description | PSM server port numbers | Remote server/host port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
FTP | For NE backup, restore, and software upgrades. This is only required if an external FTP server is used. | TCP:ephemeral | TCP:20,21 |
SFTP | For NE backup, restore, and software upgrades. This is only required if an external SFTP server is used. | TCP:ephemeral | TCP:22 |
DNS | For domain name lookups of hosts under management. | UDP:ephemeral | UDP:53 |
HTTP | For communication with web services. | TCP:ephemeral | TCP:80 |
NTP | For synchronization when using the NTP servers. | UDP:ephemeral | UDP:123 |
Table 8: BTI7800 Port Usage
Application | Description | BTI7800 port numbers | Remote server/host port numbers |
---|---|---|---|
| | | Protocol Role: client | Protocol Role: server |
FTP | For NE software upgrades, log file rotation, and other file transfer applications. | TCP:ephemeral | TCP:20,21 |
SFTP, SCP | For NE software upgrades, log file rotation, and other file transfer applications. | TCP:ephemeral | TCP:22 |
DNS | Domain name service, used by the BTI7800 to resolve domain names. | UDP:ephemeral | UDP:53 |
NTP | For NTP time synchronization. | UDP:123 | UDP:123 |
SNMP | For SNMP traps to management systems. | UDP:ephemeral | UDP:162 |
SYSLOG | For access to the syslog server. | UDP:ephemeral | UDP:514 |
RADIUS | For authentication and authorization when logging in to the BTI7800. This is only required if a RADIUS server is used. | UDP:ephemeral | UDP:1812 |
TACACS+ | For authentication and authorization when logging in to the BTI7800. This is only required if a TACACS+ server is used. | TCP:ephemeral | TCP:49 |
| | | Protocol Role: server | Protocol Role: client |
CLI over SSH | For access to the CLI. | TCP:22 | TCP:ephemeral |
NETCONF | For NETCONF access from management systems. | TCP:2022 | TCP:ephemeral |
SSH | For direct access to the NE shell. | TCP:2024 | TCP:ephemeral |
TL1 over Telnet | For access to TL1. | TCP:3083 | TCP:ephemeral |
SNMP | For SNMP access from management systems. | UDP:161 | UDP:ephemeral |
Traceroute | For traceroute messages. | UDP:33434-33436 | UDP:ephemeral |