Client-premises Cohesity Networking Requirements
- Updated on 04 Jun 2024
Network Requirements
Whenever a Cohesity cluster is deployed in the client's network, the switch port used for the device requires a tagged VLAN on a trunked port.
Additionally, it is assumed that bidirectional traffic is allowed, or at the very least that return traffic is permitted statefully. While not required, it is highly recommended to use jumbo frames (MTU 9000; packet size 8972) for performance optimization.
Network Bandwidth
The ROBOs support two 10 Gbps interfaces for management and data management workloads. The ports MUST be aggregated via LACP for a combined bandwidth of 20 Gbps. It is recommended to use end-to-end jumbo frames along the replication network path to optimize performance.
IP Addresses
Three IPs are needed for each server node in the cluster:
- One for IPMI (out-of-band support and initial server configuration).
- Two for Cohesity: one for server management (MGMT) and one for a VIP that Cohesity uses for backup data. The MGMT IP and the VIP can be in the same VLAN or in different VLANs, but all MGMT IPs must be in the same VLAN and all VIPs must be in the same VLAN.
Switch Port Configuration
Three switch ports are needed for each server node:
- IPMI: configured as an access port.
- Server NIC ports (two): configured as trunk ports and aggregated via LACP.
Network Requirements (Internal node communication)
Internal node communication should be uplinked to an edge switch that allows unfiltered communication between nodes. Where that is not possible, the following TCP ports must be open between nodes for internal cluster communication:
- 3022-3025/tcp
- 23456/tcp
- 25678-25680/tcp
Network Requirements (Expedient Internal to Client-premises Cluster)
| Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
|---|---|---|---|
| iDRAC (Web) | HTTP (80/tcp), HTTPS (443/tcp) | Expedient Management Networks | Client-premises Cluster |
| Remote Management Access (DOME, node management) | SSH (22/tcp) | Expedient Management Networks | Client-premises Cluster |
| IPMI (DOME, iDRAC) | custom (623/udp) | Expedient Management Networks | Client-premises Cluster |
| Firmware Updates (DOME) | TFTP (69/udp) | Expedient Management Networks | Client-premises Cluster |
| Uptime Monitoring (ISM) | ICMP | Expedient Management Networks | Client-premises Cluster |
| Expedient Monitoring Bot (Automated SMC Ticket Creation) | HTTPS (443/tcp) | Expedient Management Networks | Client-premises Cluster |
| vRO (Capacity Planning) | HTTPS (443/tcp) | Expedient Management Networks | Client-premises Cluster |
Network Requirements (Client-premises Cluster to Expedient Internal)
| Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
|---|---|---|---|
| Monitoring Notifications (DOME, Monitoring) | SNMP (161/udp), SNMPTRAP (162/udp) | Client-premises Cluster | Expedient Management Networks |
| Mail Notifications | SMTP (25/tcp) | Client-premises Cluster | Expedient Management Networks |
| Expedient Monitoring Bot (Automated SMC Ticket Creation) | custom (3000-3099/tcp) | Client-premises Cluster | Expedient Management Networks |
Network Requirements (Client-premises Cluster to Client Networks)
| Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
|---|---|---|---|
| vCenter (Management, Backup, and Recovery) | SSH (22/tcp), HTTP (80/tcp), custom (111/tcp), HTTPS (443/tcp), Microsoft DS (445/tcp), custom (902/tcp), NFS (2049/tcp), iSCSI (3260/tcp), WBEM (5986/tcp), alternate HTTP (8080/tcp), custom (3205/tcp), custom (3260/tcp), custom (9440/tcp), custom (50051/tcp) | Client-premises Cluster | Client Hypervisor |
| Agent-based Backup | custom (111/tcp), HTTPS (443/tcp), Microsoft DS (445/tcp), custom (902/tcp), NFS (2049/tcp), iSCSI (3260/tcp), WBEM (5986/tcp), alternate HTTP (8080/tcp), custom (50051/tcp) | Client-premises Cluster | Client Network |
| Name Resolution | DNS (53/tcp, 53/udp) | Client-premises Cluster | Client DNS servers |
| Active Directory (Access Management) | DNS (53/tcp, 53/udp), Kerberos (88/tcp, 88/udp), NETBIOS (137/tcp, 137/udp, 139/tcp, 139/udp), LDAP (389/tcp, 389/udp), Microsoft DS (445/tcp) | Client-premises Cluster | Client Domain Controllers |
Network Requirements (Client Networks to Client-premises Cluster)
| Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
|---|---|---|---|
| Cohesity Web UI | HTTP (80/tcp), HTTPS (443/tcp) | Client Network | Client-premises Cluster |
Network Requirements (Client-premises Cluster to Cohesity Cluster)
| Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
|---|---|---|---|
| Cohesity Replication | HTTPS (443/tcp), custom (11111/tcp), custom (20000/tcp), custom (24444/tcp) | Client-premises Cluster | Cohesity Cluster/Replication Target |
Network Requirements (Client-premises Cluster to Public)
| Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
|---|---|---|---|
| Time Services | NTP (123/udp), chrony (323/udp) | Client-premises Cluster | Expedient Public NTP |
| OneLogin | HTTPS (443/tcp) | Client-premises Cluster | OneLogin |
| Cohesity Support Channel | SSH (22/tcp), HTTPS (443/tcp) | Client-premises Cluster | Cohesity |
| Cohesity Helios | HTTPS (443/tcp) | Client-premises Cluster | Cohesity |
Network Requirements (Public to Client-premises Cluster)
| Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
|---|---|---|---|
| Agent Update | HTTPS (443/tcp) | Cohesity | Client-premises Cluster |
| OneLogin | HTTPS (443/tcp) | OneLogin | Client-premises Cluster |
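The port matrices above use a compact "Service (port/proto)" notation that is easy to mistranscribe into firewall rules. The following is an added example, not Expedient's or Cohesity's own tooling: it parses that notation (single ports, port ranges such as 3000-3099/tcp, multi-entry cells such as 53/tcp, 53/udp, and the ICMP row) into a default-deny allowlist keyed by source/destination pair, and also derives the 8972-byte ping payload that corresponds to the MTU 9000 recommendation. The sample rows are copied from the tables on this page; the flow names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few rows from the page's tables, keyed "Source -> Destination".
RULE_MATRIX = {
    "Expedient Management Networks -> Client-premises Cluster":
        "HTTP (80/tcp) HTTPS (443/tcp) SSH (22/tcp) custom (623/udp) TFTP (69/udp) ICMP",
    "Client-premises Cluster -> Expedient Management Networks":
        "SNMP (161/udp) SNMPTRAP (162/udp) SMTP (25/tcp) custom (3000-3099/tcp)",
    "Client-premises Cluster -> Client Domain Controllers":
        "DNS (53/tcp, 53/udp) Kerberos (88/tcp, 88/udp) LDAP (389/tcp, 389/udp) Microsoft DS (445/tcp)",
}

# Matches "22/tcp", "53/udp" and ranges such as "3000-3099/tcp" inside a cell.
PORT_SPEC = re.compile(r"(\d+)(?:-(\d+))?/(tcp|udp)")


@dataclass(frozen=True)
class PortRule:
    low: int
    high: int
    proto: str

    def matches(self, port: int, proto: str) -> bool:
        return self.proto == proto and self.low <= port <= self.high


def parse_services(cell: str) -> list:
    """Turn one 'Service Name (Port/Proto)' cell into PortRule objects."""
    rules = [PortRule(int(lo), int(hi or lo), proto) for lo, hi, proto in PORT_SPEC.findall(cell)]
    if re.search(r"\bICMP\b", cell):          # the Uptime Monitoring row has no port
        rules.append(PortRule(0, 0, "icmp"))
    return rules


def parse_matrix(matrix: dict) -> dict:
    return {flow: parse_services(cell) for flow, cell in matrix.items()}


def is_required(allowlist: dict, src: str, dst: str, port: int, proto: str) -> bool:
    """Default deny: a flow is allowed only if some rule for that src/dst pair covers it."""
    return any(r.matches(port, proto) for r in allowlist.get(f"{src} -> {dst}", []))


def icmp_payload_for_mtu(mtu: int, ip_header: int = 20, icmp_header: int = 8) -> int:
    """Largest ping payload that fits the MTU without fragmentation (9000 -> 8972)."""
    return mtu - ip_header - icmp_header


if __name__ == "__main__":
    allow = parse_matrix(RULE_MATRIX)
    print(is_required(allow, "Client-premises Cluster", "Expedient Management Networks", 3050, "tcp"))
    print(icmp_payload_for_mtu(9000))
```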