
PSM Networking Considerations

 

The PSM platform offers a set of services for visualizing and controlling network equipment. Figure 1 shows a typical network deployment with management traffic being separated onto a secure management network.

Figure 1: Typical Network Deployment

The network elements under management connect to the public Internet, but also maintain a separate and distinct connection to the management network. Traffic cannot cross from the public Internet to the management network. This can be enforced through physical segregation as shown above.

The PSM clients are connected to the management network. In some deployments, the clients might connect to the management network across the public Internet by using a VPN (not shown).

The PSM server (and other servers) is directly connected to the management network. Although the servers are shown as co-located, this is not necessary. If the servers are not co-located, the respective routers/firewalls might need to be configured to allow the servers to communicate with each other. These servers typically have public Internet connections as well, but through a separate physical interface (not shown).

The PSM platform requires communication paths between the following:

  • the PSM clients and the PSM server

  • the PSM server(s) and the PSM server(s)

  • the PSM clients and the network elements under management

  • the PSM server and the network elements under management

  • the PSM server and the external RADIUS server (if applicable)

  • the PSM server and other hosts, such as for backups, downloading of software images, etc. (not shown)

PSM Port Usage

The PSM platform provides services that are advertised on a set of protocol ports and used by the PSM applications as well as by third-party applications such as web browsers and servers running standard services.

If you are configuring a firewall to allow PSM traffic to pass through, you should be aware of the following communication paths in the PSM operating environment:

  1. PSM client to/from PSM server

  2. PSM server to/from PSM server

  3. PSM server to/from a network element

  4. PSM client to/from a network element

  5. PSM server to/from a Network Operations Center (NOC), such as for HP Openview

  6. PSM server to/from an external RADIUS server

  7. PSM server to/from other hosts

Note

Communication between a PSM client and the PSM server assumes a secure, non-NATed network. Network address translation (NAT), which effectively hides the actual IP addresses, can cause connectivity problems between the client and the server.

Table 1 through Table 7 show the default port numbers that PSM and its attendant applications use on these different paths. Depending on the path, each endpoint can assume a client role or a server role or both roles. Since some of the applications support configurable port numbers, you will need to adjust the table entries accordingly if you change the port numbers from their defaults.

Additionally, network elements might have their own networking requirements outside of PSM connectivity. Table 8 shows the BTI7800 networking port numbers.

The tables in this section provide information on the typical operating environment and cannot cover all possible scenarios in your network. For this reason, use the information in these tables to complement your own network implementation.

Note

To ensure there are no issues with the PSM operating environment, we recommend that the full ephemeral port range defined by IANA be open for client ports, that is, TCP ports 1023:65535.
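As an added example (not PSM or Juniper code), the rows of Tables 1 to 3 in which the PSM server is the listening side are encoded as data, with a generator for a stateful nftables input policy and a check function so that a proposed firewall policy can be validated against the documented ports. The subnet prefixes passed to the generator are assumed placeholders.

```python
# Added example, not PSM/Juniper code: nftables input policy for a PSM server built
# from the Tables 1 to 3 rows where the PSM server listens ("Protocol Role: server").
from collections import namedtuple

# ports is an nft port expression; peer (who initiates) is "client" (PSM client),
# "server" (peer PSM server) or "ne" (network element).
Listener = namedtuple("Listener", "app proto ports peer")
PSM_SERVER_LISTENERS = (
    Listener("FTP", "tcp", "20-21", "client"),
    Listener("SSH, SCP, SFTP", "tcp", "22", "client"),
    Listener("Monit Web GUI", "tcp", "2812", "client"),
    Listener("MySQL (support)", "tcp", "3306", "client"),
    Listener("Graphite web interface", "tcp", "8080", "client"),
    Listener("proNX Service Manager Dashboard", "tcp", "9000", "client"),
    Listener("JMX (support)", "tcp", "9520", "client"),
    Listener("PSM REST WS", "tcp", "9998", "client"),
    Listener("Server Replication", "tcp", "9999-10100", "server"),
    Listener("FTP for NE backup and upgrade", "tcp", "20-21", "ne"),
    Listener("SFTP for NE backup and upgrade", "tcp", "22", "ne"),
    Listener("NTP", "udp", "123", "ne"),
    Listener("SNMP notifications", "udp", "162, 1620", "ne"),
    Listener("RADIUS", "udp", "1812, 1813", "ne"),
)

def expand_ports(expr):
    """'20-21' -> {20, 21}; '162, 1620' -> {162, 1620}."""
    out = set()
    for part in expr.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def is_admitted(peer, proto, port):
    """True if a peer of this kind may reach proto/port on the PSM server."""
    return any(peer == l.peer and proto == l.proto and port in expand_ports(l.ports)
               for l in PSM_SERVER_LISTENERS)

def nft_ruleset(zones):
    """zones maps peer kind -> management prefix (constructed placeholders). Return
    traffic of the server's own client-role flows is matched by conntrack instead."""
    lines = ["table inet psm {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept", "    ct state established,related accept",
             "    ip protocol icmp accept"]
    for peer, prefix in zones.items():
        for l in PSM_SERVER_LISTENERS:
            if l.peer == peer:
                lines.append(f'    ip saddr {prefix} {l.proto} dport {{ {l.ports} }}'
                             f' accept comment "{l.app}"')
    return "\n".join(lines + ["  }", "}"])
```

Because the rules key on source prefixes, they also illustrate the NAT caveat above: a NATed client arrives from an address outside its zone and is dropped.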

Table 1: Port Usage in PSM Client to PSM Server Communications

| Application | Description | PSM client port numbers | PSM server port numbers |
|---|---|---|---|
| Protocol role | | client | server |
| FTP | For file transfer between a PSM client and PSM server. | TCP:ephemeral | TCP:20,21 |
| SSH, SCP, SFTP | For secure connectivity, server administration, and secure file transfers. | TCP:ephemeral | TCP:22 |
| Monit Web GUI | For monitoring the PSM server using a Web GUI. | TCP:ephemeral | TCP:2812 |
| MySQL (support) | For troubleshooting. | TCP:ephemeral | TCP:3306 |
| Graphite web interface | For historical PMs. | TCP:ephemeral | TCP:8080 |
| proNX Service Manager Dashboard | For proNX Service Manager Dashboard connectivity. | TCP:ephemeral | TCP:9000 |
| JMX (support) | For troubleshooting. | TCP:ephemeral | TCP:9520 |
| PSM REST WS | Representational state transfer web service, for normal HTTPS communication between a PSM client and the PSM server. | TCP:ephemeral | TCP:9998 |
| Protocol role | | server | client |
| PSM REST Notification WS | Representational state transfer web service, for notifications from the PSM server. | TCP:9999-10100 | TCP:ephemeral |

Table 2: Port Usage in PSM Server to PSM Server Communications

| Application | Description | PSM server port numbers (initiating server) | PSM server port numbers (peer server) |
|---|---|---|---|
| Protocol role | | client | server |
| Server Replication | For server replication messages between servers. | TCP:ephemeral | TCP:9999-10100 |

Table 3: Port Usage in PSM Server to Network Element Communications

| Application | Description | PSM server port numbers | Network element port numbers |
|---|---|---|---|
| Protocol role | | client | server |
| ICMP | Ping utility, used by the PSM server to check connectivity to the NEs. | port numbers not applicable | port numbers not applicable |
| NETCONF | For normal communication between the PSM server and the NE. | TCP:ephemeral | BTI7800: TCP:2022; Juniper Networks MX Series router: TCP:830 |
| CLI | For access to the CLI, normally executed from a PSM client, but can be run from the PSM server, as applicable. | TCP:ephemeral | See Table 4. |
| TL1 | For access to TL1, normally executed from a PSM client, but can be run from the PSM server, as applicable. | TCP:ephemeral | See Table 4. |
| SNMP | For normal communication between the PSM server and the NE. | UDP:ephemeral | UDP:161 |
| Protocol role | | server | client |
| FTP | For NE backup, restore, and software upgrades. This is only required if the FTP server on the PSM server is used. If an external FTP server is used, then the NEs will need access to those ports on the external FTP server. | TCP:20,21 | TCP:ephemeral |
| SFTP | For NE backup, restore, and software upgrades. This is only required if the SFTP server on the PSM server is used. If an external SFTP server is used, then the NEs will need access to those ports on the external SFTP server. | TCP:22 | TCP:ephemeral |
| NTP | For the NTP time synchronization service provided to the NEs. This is only required if the NTP (server-side) service on the PSM server is used. | UDP:123 | UDP:ephemeral |
| SNMP | For notifications from the NEs. | UDP:162,1620 | UDP:ephemeral |
| RADIUS | For authentication when logging in to the NEs. This is only required if the RADIUS server on the PSM server is used. | UDP:1812,1813 | UDP:ephemeral |

Table 4: Port Usage in PSM Client to Network Element Communications (includes proNX 900 Running on the Client Machine)

| Application | Description | PSM client port numbers | Network element port numbers |
|---|---|---|---|
| Protocol role | | client | server |
| ICMP | Ping utility, used by the proNX 900 on the PSM client machine to check connectivity to the NEs. | port numbers not applicable | port numbers not applicable |
| SNMP | For normal proNX 900 communication with the NE. | UDP:ephemeral | UDP:161 |
| CLI | For access to the CLI on the NE. | TCP:ephemeral | TCP: 22 (SSH to BTI7800 Series NEs and MX Series routers), 23 (telnet to BTI700 Series and BTI800 Series NEs), 3084 (telnet to BTI7000 Series NEs), 8022 (SSH to BTI7000 Series NEs) |
| TL1 | For access to TL1 on the NE. | TCP:ephemeral | TCP: 3021 (SSH used by proNX 900), 3022 (SSH), 3082 (telnet used by proNX 900), 3083 (telnet) |
| Shell | For access to the BTI7800 operating system shell. | TCP:ephemeral | TCP:2024 |
| Protocol role | | server | client |
| FTP | For NE backup, restore, and software upgrades. This is only required if the FTP server on a PSM client is used. If an external FTP server is used, then the NEs will need access to those ports on the external FTP server. | TCP:20,21 | TCP:ephemeral |
| SFTP | For NE backup, restore, and software upgrades. This is only required if the SFTP server on a PSM client is used. If an external SFTP server is used, then the NEs will need access to those ports on the external SFTP server. | TCP:22 | TCP:ephemeral |

Table 5: Port Usage in PSM Server to Network Operations Center Communications

| Application | Description | PSM server port numbers | Network Operations Center (NOC) port numbers |
|---|---|---|---|
| Protocol role | | client | server |
| SNMP | For northbound traps to the NOC (for example, to HP Openview). | UDP:ephemeral | UDP:162 |

Table 6: PSM Server to External RADIUS Server Communications

| Application | Description | PSM server port numbers | External RADIUS server port numbers |
|---|---|---|---|
| Protocol role | | client | server |
| RADIUS | For authentication when logging in to the PSM server. This is only required if an external RADIUS server is used. | UDP:ephemeral | UDP:1812,1813 |

Table 7: PSM Server to Other Hosts

| Application | Description | PSM server port numbers | Remote server/host port numbers |
|---|---|---|---|
| Protocol role | | client | server |
| FTP | For NE backup, restore, and software upgrades. This is only required if an external FTP server is used. | TCP:ephemeral | TCP:20,21 |
| SFTP | For NE backup, restore, and software upgrades. This is only required if an external SFTP server is used. | TCP:ephemeral | TCP:22 |
| DNS | For domain name lookups of hosts under management. | UDP:ephemeral | UDP:53 |
| HTTP | For communication with web services. | TCP:ephemeral | TCP:80 |
| NTP | For synchronization when using the NTP servers. | UDP:ephemeral | UDP:123 |

Table 8: BTI7800 Port Usage

| Application | Description | BTI7800 port numbers | Remote server/host port numbers |
|---|---|---|---|
| Protocol role | | client | server |
| FTP | For NE software upgrades, log file rotation, and other file transfer applications. | TCP:ephemeral | TCP:20,21 |
| SFTP, SCP | For NE software upgrades, log file rotation, and other file transfer applications. | TCP:ephemeral | TCP:22 |
| DNS | Domain name service, used by the BTI7800 to resolve domain names. | UDP:ephemeral | UDP:53 |
| NTP | For NTP time synchronization. | UDP:123 | UDP:123 |
| SNMP | For SNMP traps to management systems. | UDP:ephemeral | UDP:162 |
| SYSLOG | For access to the syslog server. | UDP:ephemeral | UDP:514 |
| RADIUS | For authentication and authorization when logging in to the BTI7800. This is only required if a RADIUS server is used. | UDP:ephemeral | UDP:1812 |
| TACACS+ | For authentication and authorization when logging in to the BTI7800. This is only required if a TACACS+ server is used. | TCP:ephemeral | TCP:49 |
| Protocol role | | server | client |
| CLI over SSH | For access to the CLI. | TCP:22 | TCP:ephemeral |
| NETCONF | For NETCONF access from management systems. | TCP:2022 | TCP:ephemeral |
| SSH | For direct access to the NE shell. | TCP:2024 | TCP:ephemeral |
| TL1 over Telnet | For access to TL1. | TCP:3083 | TCP:ephemeral |
| SNMP | For SNMP access from management systems. | UDP:161 | UDP:ephemeral |
| Traceroute | For traceroute messages. | UDP:33434-33436 | UDP:ephemeral |