
    PSM Networking Considerations

    The PSM platform offers a set of services for visualizing and controlling network equipment. Figure 1 shows a typical network deployment with management traffic being separated onto a secure management network.

    Figure 1: Typical Network Deployment

    The network elements under management connect to the public Internet, but also maintain a separate and distinct connection to the management network. Traffic cannot cross from the public Internet to the management network. This can be enforced through physical segregation as shown above.

    The PSM clients are connected to the management network. In some deployments, the clients might connect to the management network across the public Internet by using a VPN (not shown).

    The PSM server and any other servers are directly connected to the management network. Although the servers are shown as co-located, this is not necessary. If the servers are not co-located, the respective routers and firewalls might need to be configured to allow the servers to communicate with each other. These servers typically have public Internet connections as well, but through a separate physical interface; this is not shown.

    The PSM platform requires communication paths between the following:

    • the PSM clients and the PSM server
    • the PSM servers and each other (when more than one PSM server is deployed)
    • the PSM clients and the network elements under management
    • the PSM server and the network elements under management
    • the PSM server and the external RADIUS server (if applicable)
    • the PSM server and other hosts, such as for backups, downloading of software images, etc. (not shown)

    PSM Port Usage

    The PSM platform provides services that are advertised on a set of protocol ports and used by the PSM applications as well as by third-party applications such as web browsers and servers running standard services.

    If you are configuring a firewall to allow PSM traffic to pass through, you should be aware of the following communication paths in the PSM operating environment:

    1. PSM client to/from PSM server
    2. PSM server to/from PSM server
    3. PSM server to/from a network element
    4. PSM client to/from a network element
    5. PSM server to/from a Network Operations Center (NOC), such as for HP Openview
    6. PSM server to/from an external RADIUS server
    7. PSM server to/from other hosts

    Note: Communication between a PSM client and the PSM server assumes a secure, non-NATed network. Network address translation (NAT), which effectively hides the actual IP addresses, can cause connectivity problems between the client and the server.

    Table 1 through Table 7 show the default port numbers that PSM and its attendant applications use on these different paths. Depending on the path, each endpoint can assume a client role or a server role or both roles. Since some of the applications support configurable port numbers, you will need to adjust the table entries accordingly if you change the port numbers from their defaults.

    Additionally, network elements might have their own networking requirements outside of PSM connectivity. Table 8 shows the BTI7800 networking port numbers.

    The tables in this section provide information on the typical operating environment and cannot cover all possible scenarios in your network. For this reason, use the information in these tables to complement your own network implementation.

    Note: To ensure there are no issues with the PSM operating environment, we recommend that the full ephemeral port range defined by IANA be open for client ports, that is, TCP ports 1023 through 65535.

    Table 1: Port Usage in PSM Client to PSM Server Communications

    Protocol role: PSM client = client, PSM server = server

    Application | Description | PSM client port numbers | PSM server port numbers
    ------------|-------------|-------------------------|------------------------
    FTP | For file transfer between a PSM client and PSM server. | TCP:ephemeral | TCP:20,21
    SSH, SCP, SFTP | For secure connectivity, server administration, and secure file transfers. | TCP:ephemeral | TCP:22
    Monit Web GUI | For monitoring the PSM server using a Web GUI. | TCP:ephemeral | TCP:2812
    MySQL (support) | For troubleshooting. | TCP:ephemeral | TCP:3306
    Graphite web interface | For historical performance monitoring (PM) data. | TCP:ephemeral | TCP:8080
    proNX Service Manager Dashboard | For proNX Service Manager Dashboard connectivity. | TCP:ephemeral | TCP:9000
    JMX (support) | For troubleshooting. | TCP:ephemeral | TCP:9520
    PSM REST WS | Representational state transfer web service, for normal HTTPS communication between a PSM client and the PSM server. | TCP:ephemeral | TCP:9998

    Protocol role: PSM client = server, PSM server = client

    Application | Description | PSM client port numbers | PSM server port numbers
    ------------|-------------|-------------------------|------------------------
    PSM REST Notification WS | Representational state transfer web service, for notifications from the PSM server. | TCP:9999-10100 | TCP:ephemeral

    Table 2: Port Usage in PSM Server to PSM Server Communications

    Protocol role: initiating PSM server = client, peer PSM server = server

    Application | Description | PSM server port numbers (client) | PSM server port numbers (server)
    ------------|-------------|----------------------------------|---------------------------------
    Server Replication | For server replication messages between servers. | TCP:ephemeral | TCP:9999-10100

    Table 3: Port Usage in PSM Server to Network Element Communications

    Protocol role: PSM server = client, network element = server

    Application | Description | PSM server port numbers | Network element port numbers
    ------------|-------------|-------------------------|-----------------------------
    ICMP | Ping utility, used by the PSM server to check connectivity to the NEs. | port numbers not applicable | port numbers not applicable
    NETCONF | For normal communication between the PSM server and the NE. | TCP:ephemeral | BTI7800: TCP:2022; Juniper Networks MX Series router: TCP:830
    CLI | For access to the CLI, normally executed from a PSM client, but can be run from the PSM server, as applicable. | TCP:ephemeral | See Table 4.
    TL1 | For access to TL1, normally executed from a PSM client, but can be run from the PSM server, as applicable. | TCP:ephemeral | See Table 4.
    SNMP | For normal communication between the PSM server and the NE. | UDP:ephemeral | UDP:161

    Protocol role: PSM server = server, network element = client

    Application | Description | PSM server port numbers | Network element port numbers
    ------------|-------------|-------------------------|-----------------------------
    FTP | For NE backup, restore, and software upgrades. This is only required if the FTP server on the PSM server is used. If an external FTP server is used, then the NEs will need access to those ports on the external FTP server. | TCP:20,21 | TCP:ephemeral
    SFTP | For NE backup, restore, and software upgrades. This is only required if the SFTP server on the PSM server is used. If an external SFTP server is used, then the NEs will need access to those ports on the external SFTP server. | TCP:22 | TCP:ephemeral
    NTP | For the NTP time synchronization service provided to the NEs. This is only required if the NTP (server-side) service on the PSM server is used. | UDP:123 | UDP:ephemeral
    SNMP | For notifications from the NEs. | UDP:162,1620 | UDP:ephemeral
    RADIUS | For authentication when logging in to the NEs. This is only required if the RADIUS server on the PSM server is used. | UDP:1812,1813 | UDP:ephemeral

    Table 4: Port Usage in PSM Client to Network Element Communications (includes proNX 900 Running on the Client Machine)

    Protocol role: PSM client = client, network element = server

    Application | Description | PSM client port numbers | Network element port numbers
    ------------|-------------|-------------------------|-----------------------------
    ICMP | Ping utility, used by the proNX 900 on the PSM client machine to check connectivity to the NEs. | port numbers not applicable | port numbers not applicable
    SNMP | For normal proNX 900 communication with the NE. | UDP:ephemeral | UDP:161
    CLI | For access to the CLI on the NE. | TCP:ephemeral | TCP: 22 (SSH to BTI7800 Series NEs and MX Series routers), 23 (telnet to BTI700 Series and BTI800 Series NEs), 3084 (telnet to BTI7000 Series NEs), 8022 (SSH to BTI7000 Series NEs)
    TL1 | For access to TL1 on the NE. | TCP:ephemeral | TCP: 3021 (SSH used by proNX 900), 3022 (SSH), 3082 (telnet used by proNX 900), 3083 (telnet)
    Shell | For access to the BTI7800 operating system shell. | TCP:ephemeral | TCP:2024

    Protocol role: PSM client = server, network element = client

    Application | Description | PSM client port numbers | Network element port numbers
    ------------|-------------|-------------------------|-----------------------------
    FTP | For NE backup, restore, and software upgrades. This is only required if the FTP server on a PSM client is used. If an external FTP server is used, then the NEs will need access to those ports on the external FTP server. | TCP:20,21 | TCP:ephemeral
    SFTP | For NE backup, restore, and software upgrades. This is only required if the SFTP server on a PSM client is used. If an external SFTP server is used, then the NEs will need access to those ports on the external SFTP server. | TCP:22 | TCP:ephemeral

    Table 5: Port Usage in PSM Server to Network Operations Center Communications

    Protocol role: PSM server = client, NOC = server

    Application | Description | PSM server port numbers | Network Operations Center (NOC) port numbers
    ------------|-------------|-------------------------|---------------------------------------------
    SNMP | For northbound traps to the NOC (for example, to HP Openview). | UDP:ephemeral | UDP:162

    Table 6: PSM Server to External RADIUS Server Communications

    Protocol role: PSM server = client, external RADIUS server = server

    Application | Description | PSM server port numbers | External RADIUS server port numbers
    ------------|-------------|-------------------------|------------------------------------
    RADIUS | For authentication when logging in to the PSM server. This is only required if an external RADIUS server is used. | UDP:ephemeral | UDP:1812,1813

    Table 7: PSM Server to Other Hosts

    Protocol role: PSM server = client, remote server/host = server

    Application | Description | PSM server port numbers | Remote server/host port numbers
    ------------|-------------|-------------------------|--------------------------------
    FTP | For NE backup, restore, and software upgrades. This is only required if an external FTP server is used. | TCP:ephemeral | TCP:20,21
    SFTP | For NE backup, restore, and software upgrades. This is only required if an external SFTP server is used. | TCP:ephemeral | TCP:22
    DNS | For domain name lookups of hosts under management. | UDP:ephemeral | UDP:53
    HTTP | For communication with web services. | TCP:ephemeral | TCP:80
    NTP | For synchronization when using the NTP servers. | UDP:ephemeral | UDP:123

    Table 8: BTI7800 Port Usage

    Protocol role: BTI7800 = client, remote server/host = server

    Application | Description | BTI7800 port numbers | Remote server/host port numbers
    ------------|-------------|----------------------|--------------------------------
    FTP | For NE software upgrades, log file rotation, and other file transfer applications. | TCP:ephemeral | TCP:20,21
    SFTP, SCP | For NE software upgrades, log file rotation, and other file transfer applications. | TCP:ephemeral | TCP:22
    DNS | Domain name service, used by the BTI7800 to resolve domain names. | UDP:ephemeral | UDP:53
    NTP | For NTP time synchronization. | UDP:123 | UDP:123
    SNMP | For SNMP traps to management systems. | UDP:ephemeral | UDP:162
    SYSLOG | For access to the syslog server. | UDP:ephemeral | UDP:514
    RADIUS | For authentication and authorization when logging in to the BTI7800. This is only required if a RADIUS server is used. | UDP:ephemeral | UDP:1812
    TACACS+ | For authentication and authorization when logging in to the BTI7800. This is only required if a TACACS+ server is used. | TCP:ephemeral | TCP:49

    Protocol role: BTI7800 = server, remote server/host = client

    Application | Description | BTI7800 port numbers | Remote server/host port numbers
    ------------|-------------|----------------------|--------------------------------
    CLI over SSH | For access to the CLI. | TCP:22 | TCP:ephemeral
    NETCONF | For NETCONF access from management systems. | TCP:2022 | TCP:ephemeral
    SSH | For direct access to the NE shell. | TCP:2024 | TCP:ephemeral
    TL1 over Telnet | For access to TL1. | TCP:3083 | TCP:ephemeral
    SNMP | For SNMP access from management systems. | UDP:161 | UDP:ephemeral
    Traceroute | For traceroute messages. | UDP:33434-33436 | UDP:ephemeral
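    The following is an added example and not part of the PSM documentation or the PSM product. It encodes the default ports from Table 1, Table 2 and the server-role half of Table 3 as data, so that a host-firewall policy for the PSM server can be generated from the tables rather than typed by hand, and so that a proposed flow (for example one the firewall team asks about) can be checked against them, including the reversed role of the REST Notification service, which is the flow that NAT in front of a client breaks. The zone labels (psm-server, psm-client, ne), the sample CIDRs and the nftables rule form are assumptions of this example; the port numbers come from the tables above.

```python
# Added example (not from the PSM documentation): the default ports from
# Tables 1, 2 and 3 encoded as data, so a host-firewall policy for the PSM
# server can be generated from them and a proposed flow can be checked
# against them.  Zone labels, sample CIDRs and the nftables rule form are
# assumptions of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Client-side source range as the PSM note states it: TCP ports 1023 through 65535.
EPHEMERAL = (1023, 65535)


@dataclass(frozen=True)
class Listener:
    app: str
    proto: str               # "tcp" or "udp"
    ports: Tuple[int, int]   # inclusive range; a single port is (p, p)
    optional: bool = False   # only needed if the PSM server hosts that service


# (listening host, initiating peer) -> what the listening host must accept.
# Host names are zone labels assumed by this example, not PSM terms.
LISTENERS: Dict[Tuple[str, str], List[Listener]] = {
    # Table 1: PSM server listens, PSM client initiates.
    ("psm-server", "psm-client"): [
        Listener("FTP", "tcp", (20, 21)),
        Listener("SSH, SCP, SFTP", "tcp", (22, 22)),
        Listener("Monit Web GUI", "tcp", (2812, 2812)),
        Listener("MySQL (support)", "tcp", (3306, 3306)),   # listed for troubleshooting
        Listener("Graphite web interface", "tcp", (8080, 8080)),
        Listener("proNX Service Manager Dashboard", "tcp", (9000, 9000)),
        Listener("JMX (support)", "tcp", (9520, 9520)),     # listed for troubleshooting
        Listener("PSM REST WS", "tcp", (9998, 9998)),
    ],
    # Table 1, second group: roles reverse for notifications, so the client
    # must accept inbound connections from the server (NAT hides the client
    # address the server would connect to).
    ("psm-client", "psm-server"): [
        Listener("PSM REST Notification WS", "tcp", (9999, 10100)),
    ],
    # Table 2: replication between PSM servers.
    ("psm-server", "psm-server"): [
        Listener("Server Replication", "tcp", (9999, 10100)),
    ],
    # Table 3, server role: services the PSM server may offer to NEs.
    ("psm-server", "ne"): [
        Listener("FTP", "tcp", (20, 21), optional=True),
        Listener("SFTP", "tcp", (22, 22), optional=True),
        Listener("NTP", "udp", (123, 123), optional=True),
        Listener("SNMP notifications", "udp", (162, 162)),
        Listener("SNMP notifications", "udp", (1620, 1620)),
        Listener("RADIUS", "udp", (1812, 1813), optional=True),
    ],
}


def matching_listener(dst: str, src: str, proto: str, dport: int,
                      include_optional: bool = True) -> Optional[Listener]:
    """Return the table entry under which dst accepts proto/dport from src, if any."""
    for entry in LISTENERS.get((dst, src), []):
        if entry.optional and not include_optional:
            continue
        if entry.proto == proto and entry.ports[0] <= dport <= entry.ports[1]:
            return entry
    return None


def flow_allowed(src: str, dst: str, proto: str, sport: int, dport: int,
                 include_optional: bool = True) -> bool:
    """True if the tables expect dst to accept this flow initiated by src.

    The initiating side is expected to use an ephemeral source port, so a
    flow from a privileged source port is reported as outside the model.
    """
    if not EPHEMERAL[0] <= sport <= EPHEMERAL[1]:
        return False
    return matching_listener(dst, src, proto.lower(), dport, include_optional) is not None


def nft_input_rules(host: str, peer_cidrs: Dict[str, str],
                    include_optional: bool = False) -> List[str]:
    """Render nftables input-chain rules for `host`, one per table entry.

    Only peers present in `peer_cidrs` get rules, and optional services are
    left out unless requested, so a server that does not run them stays
    closed.  Anything not listed is meant to fall through to a default drop.
    """
    rules: List[str] = []
    for (dst, src), entries in LISTENERS.items():
        if dst != host or src not in peer_cidrs:
            continue
        for entry in entries:
            if entry.optional and not include_optional:
                continue
            lo, hi = entry.ports
            port = str(lo) if lo == hi else f"{lo}-{hi}"
            rules.append(f'ip saddr {peer_cidrs[src]} {entry.proto} dport {port} '
                         f'accept comment "{entry.app} from {src}"')
    return rules


if __name__ == "__main__":
    # Constructed sample addressing for the management network (not from the page).
    zones = {"psm-client": "10.1.0.0/24", "ne": "10.2.0.0/24", "psm-server": "10.3.0.0/24"}
    print("\n".join(nft_input_rules("psm-server", zones)))
```

    Running the module prints one accept rule per non-optional table entry for the PSM server, keyed to the zone each peer lives in; pass include_optional=True only on a server that actually runs the FTP, SFTP, NTP or RADIUS services for the NEs. flow_allowed() answers the question a firewall change request usually raises (does this source, destination, protocol and port pair appear in the tables?) and returns False for a client that is not using the ephemeral range the note above asks to be opened.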

    Modified: 2017-11-07