Running Cisco DCNM Behind a Firewall
Typically, the enterprise network (the external world) and the data center are separated by a firewall, so DCNM is deployed behind that firewall. Connections from the Cisco DCNM Web Client, Cisco DCNM SAN Client, and Cisco Device Manager pass through it. A firewall can also be placed between the DCNM Server and the DCNM-managed devices.
Beginning with Cisco DCNM Release 11.0(1), the DCNM SAN Client initiates communication with the DCNM SAN Server on HTTPS port 443. However, both the DCNM SAN Client and Device Manager also communicate with the devices directly. Device Manager can be launched from the DCNM SAN Server UI and runs within the context of the DCNM SAN Server; its communication with devices remains the same as when it runs independently.
DCNM SNMP proxy services on the DCNM SAN Server use a configurable TCP port (9198 by default) for SNMP communication between the DCNM SAN Client or Device Manager and the DCNM Server.
Performance Manager uses TCP for data collection by default.
The local UDP SNMP_TRAP ports are 1163 to 1170 for both Cisco DCNM-SAN and Device Manager. The DCNM-SAN Client and Device Manager use the first available UDP port for sending and receiving SNMP responses.
You can select the UDP port that the Device Manager uses for SNMP responses by uncommenting the following statement:

- On a Windows desktop, uncomment the following line in the DeviceManager.bat file in the C:\Program Files\Cisco Systems\MDS9000\bin directory:

      rem JVMARGS=%JVMARGS% -Dsnmp.localport=[localport]

  Where [localport] is a free local port.

  Note: On the Windows VM, run the netstat -nab command to view the ports that are used by the javaw.exe process.

- On a Linux desktop, uncomment the following line in the DeviceManager.sh file in the $HOME/.cisco_mds9000/bin directory:

      # JVMARGS=$JVMARGS -Dsnmp.localport=[localport]

  Where [localport] is a free local port.

Any standard port where ingress traffic enters from clients cannot be modified unless you disable the local firewall.
The following table lists all ports that are used for communication between the DCNM Web Client, DCNM SAN Client, Device Manager, SSH Client, and DCNM Server.

Port Number | Protocol | Service Name | Direction of Communication | Remarks |
---|---|---|---|---|
22 | TCP | SSH | SSH to DCNM SAN Server | SSH access to the external world is optional. |
443 | TCP | HTTPS | Client to DCNM SAN Server | Cisco DCNM Web Client and Cisco DCNM SAN Client to the Cisco DCNM Server. |
1099 | TCP | Java RMI | Client to DCNM SAN Server | Cisco DCNM SAN Client to Server. |
1163 to 1170 | UDP | SNMP_TRAP | Device to SAN Client and Device Manager | Cisco DCNM SAN Client and Cisco Device Manager use the same range of ports. |
2443 | TCP | HTTPS | Client to DCNM Server | Required during installation to reach the server (DCNM SAN OVA/ISO deployments only). DCNM closes this port after installation completes. |
3528 | TCP | JBOSS | Client to DCNM SAN Server | Wildfly JBOSS IIOP. |
3529 | TCP | JBOSS | Client to DCNM SAN Server | Wildfly JBOSS IIOP SSL. |
9198 | UDP/TCP | SNMP | SAN Client, Device Manager to DCNM SAN Server | Cisco DCNM SNMP proxy services use the TCP port (9198 by default) for SNMP communications between the Cisco DCNM SAN Client or Cisco Device Manager and the Cisco DCNM Server. The SAN Client picks a random free local port (UDP) or 9198 (TCP) if the SNMP proxy is enabled; the port can be changed with the client -Dsnmp.localport option. Device Manager picks a random free local port (UDP) or 9198 (TCP) if the SNMP proxy is enabled; the port can be changed in the server.properties file. The DCNM SNMP proxy is used when the SAN Client or Device Manager cannot reach managed devices directly; SNMP responses that arrive at the DCNM SAN Server from managed devices are relayed to the SAN Client and Device Manager. The DCNM SAN Client and Device Manager must be able to reach DCNM SAN Server port 9198 (or whatever port is configured) to get the SNMP response. |
61616 | TCP | Messaging | DCNM SAN Client to DCNM SAN Server | |
The following table lists all the ports that are used for communication between the Cisco DCNM Server and other services, which can be hosted on either side of the firewall.

Port Number | Protocol | Service Name | Direction of Communication | Remarks |
---|---|---|---|---|
49 | TCP/UDP | TACACS+ | Cisco DCNM SAN Server to ACS Server | The ACS Server can be on either side of the firewall. |
53 | TCP/UDP | DNS | Cisco DCNM SAN Server to DNS Server | The DNS Server can be on either side of the firewall. |
123 | UDP | NTP | Cisco DCNM SAN Server to NTP Server | The NTP Server can be on either side of the firewall. |
1521 | TCP | Oracle | DCNM SAN Server to the Oracle database Server | Necessary if the Oracle server is installed external to the DCNM host machine. The Oracle server may be configured to listen on a different port, in which case that port must be taken into account instead. |
5432 | TCP | Postgres | Cisco DCNM SAN Server to Postgres Server | The default installation of DCNM does not need this port. Necessary if Postgres is installed externally to the DCNM host machine. |
9198 | UDP/TCP | SNMP | DCNM SAN Client, Device Manager to DCNM SAN Server | Cisco DCNM SNMP proxy services use the TCP port (9198 by default) on the DCNM SAN Server for SNMP communications between the Cisco DCNM SAN Client or Cisco Device Manager and the Cisco DCNM Server. The SAN Client picks a random free local port (UDP) or 9198 (TCP) to reach the SNMP proxy; the port can be changed with the client -Dsnmp.localport option. Device Manager picks a random free local port (UDP) or 9198 (TCP) to reach the SNMP proxy; the port can be changed in the server.properties file. The DCNM SNMP proxy is used when the SAN Client or Device Manager cannot reach the managed devices directly; SNMP responses that arrive at the DCNM SAN Server from managed devices are relayed to the SAN Client and Device Manager. The DCNM SAN Client and Device Manager must be able to reach DCNM SAN Server port 9198 (or whatever port is configured) to get the SNMP response. |
The following table lists all the ports that are used for communication between the Cisco DCNM Server and managed devices.

Port Number | Protocol | Service Name | Direction of Communication | Remarks |
---|---|---|---|---|
22 | TCP | SSH | Both directions | Server to Device: to manage devices. Device to Server: SCP (POAP). |
67 | UDP | DHCP | Device to DCNM SAN Server | |
69 | TCP | TFTP | Device to DCNM SAN Server | Required for POAP. |
161 | TCP/UDP | SNMP | DCNM SAN Server to Device | Cisco DCNM can be configured via server.properties to use TCP on port 161 instead of UDP port 161. |
514 | UDP | Syslog | Device to DCNM SAN Server | |
2162 | UDP | SNMP_TRAP | Device to DCNM SAN Server | |
5989 | TCP | SMI-S Agent | Both directions | Server to Device: this is where the storage device listens. Application to DCNM Server: when the DCNM Server is acting as storage proxy. The server-to-storage-device port depends on where the storage device is listening; it could be 5989, 5888, or another port. |
33000 | TCP | gRPC | Device to DCNM SAN Server | SAN Telemetry Streaming. |
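As an added example (not part of the Cisco documentation), the following Python encodes the steady-state flows from the three tables above and audits a firewall allow-list against them, reporting required flows that no rule permits and rules that match no required flow. It assumes three zones named "client", "server" and "device", default ports with the SNMP proxy in TCP mode, and a constructed allow-list; the client-side dynamic UDP 1163 to 1170 return traffic, the install-only port 2443 and the external services (TACACS+, DNS, NTP, databases) are deliberately left out of the required set.

```python
# Audit a firewall allow-list against the DCNM SAN flows tabulated above.
# Zones (assumed names): "client" = enterprise side, "server" = DCNM SAN Server, "device" = managed switches.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    lo: int     # first destination port
    hi: int     # last destination port, inclusive
    def same_path(self, o):
        return (self.src, self.dst, self.proto) == (o.src, o.dst, o.proto)
    def covers(self, o):    # self permits every port o needs
        return self.same_path(o) and self.lo <= o.lo and o.hi <= self.hi
    def overlaps(self, o):  # self permits at least one port o needs
        return self.same_path(o) and self.lo <= o.hi and o.lo <= self.hi

# Steady-state flows from the tables on this page (default ports, SNMP proxy over TCP).
REQUIRED = [
    Flow("client", "server", "tcp", 443, 443),      # HTTPS: Web Client and SAN Client
    Flow("client", "server", "tcp", 1099, 1099),    # Java RMI
    Flow("client", "server", "tcp", 3528, 3529),    # Wildfly JBOSS IIOP and IIOP SSL
    Flow("client", "server", "tcp", 9198, 9198),    # SNMP proxy
    Flow("client", "server", "tcp", 61616, 61616),  # Messaging
    Flow("server", "device", "tcp", 22, 22),        # SSH to manage devices
    Flow("server", "device", "udp", 161, 161),      # SNMP polling
    Flow("device", "server", "udp", 514, 514),      # Syslog
    Flow("device", "server", "udp", 2162, 2162),    # SNMP_TRAP
    Flow("device", "server", "tcp", 33000, 33000),  # gRPC SAN Telemetry Streaming
]

def audit(allow_list):
    """Return (required flows no rule covers, rules that match no required flow)."""
    missing = [f for f in REQUIRED if not any(r.covers(f) for r in allow_list)]
    unneeded = [r for r in allow_list if not any(r.overlaps(f) for f in REQUIRED)]
    return missing, unneeded

# Constructed example policy: 443 opened and the rest forgotten, plus the
# install-time 2443 rule that the page says DCNM closes after installation.
EXAMPLE_ALLOW_LIST = [
    Flow("client", "server", "tcp", 443, 443),
    Flow("client", "server", "tcp", 2443, 2443),
    Flow("server", "device", "tcp", 22, 22),
    Flow("server", "device", "udp", 161, 161),
    Flow("device", "server", "udp", 514, 514),
    Flow("device", "server", "udp", 2162, 2162),
]
```

Calling audit(EXAMPLE_ALLOW_LIST) returns five missing flows (1099, 3528 to 3529, 9198 and 61616 from clients, 33000 from devices) and flags the 2443 rule as unneeded; a rule that is wider than a required flow still counts as covering it, so over-broad rules are not reported.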