Client-premises Cohesity Networking Requirements
- 29 Jul 2022
-
DarkLight
Client-premises Cohesity Networking Requirements
- Updated on 29 Jul 2022
-
DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
Network Requirements
Whenever a Cohesity cluster is stood up in the client's network, the switchport used for the device will require a tagged VLAN on a trunked port.
Additionally, It is assumed that bidirectional traffic is allowed - or, at the very least, that return traffic is stateful. While not required, it is highly recommended to leverage jumbo frames (MTU 9000; packet size 8972) for performance optimization.
Network Bandwidth
The ROBOs support two 10gbps interfaces for management and data management workloads. The ports MUST be aggregated via LACP for a combined bandwidth of 20gbps. It is recommended to leverage "end-to-end" jumbo frames over the replication network path to optimize performance.
IP Addresses
Three IPs are needed for each server node in the cluster.
- One for IPMI. Out-of-band support and initial server configuration.
- Two for Cohesity. One for Server MGMT. One for a VIP that Cohesity uses for the backup data. The MGMT and VIP can be in the same VLAN or different. But all MGMT IPs must be in the same VLAN. All VIPs must be in the same VLAN.
Switch Port Configuration
Three switch ports are needed for each server node.
- IPMI - This port is setup as an access port.
- Server NIC ports are setup as trunk ports and aggregated via LACP.
Network Requirements (Internal node communication)
Internal node communication is recommended to be uplinked to an edge switch that allows unfiltered communication between nodes. In the absence of this, the following TCP ports are required to be opened for internal cluster communication:
3022 - 3025 12222 | 23456 | 25678 - 25680 25700 |
Network Requirements (Expedient Internal to Client-premises Cluster)
Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
iDRAC (Web) | HTTP (80/tcp) HTTPS (443/tcp) | Expedient Management Networks | Client-premises Cluster |
Remote Management Access (DOME, node management) | SSH (22/tcp) | Expedient Management Networks | Client-premises Cluster |
IPMI (DOME, iDRAC) | custom (623/udp) | Expedient Management Networks | Client-premises Cluster |
Firmware Updates (DOME) | TFTP (69/udp) | Expedient Management Networks | Client-premises Cluster |
Uptime Monitoring (ISM) | >> ICMP << | Expedient Management Networks | Client-premises Cluster |
Expedient Monitoring Bot (Automated SMC Ticket Creation) | HTTPS (443/tcp) | Expedient Management Networks | Client-premises Cluster |
vRO (Capacity Planning) | HTTPS (443/tcp) | Expedient Management Networks | Client-premises Cluster |
Network Requirements (Client-premises Cluster to Expedient Internal)
Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
Monitoring Notifications (DOME, Monitoring) | SNMP (161/udp) SNMPTRAP (162/udp) | Client-premises Cluster | Expedient Management Networks |
Mail Notifications | SMTP (25/tcp) | Client-premises Cluster | Expedient Management Networks |
Expedient Monitoring Bot (Automated SMC Ticket Creation) | custom (3000-3099/tcp) | Expedient Management Networks |
Network Requirements (Client-premises Cluster to Client Networks)
Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
vCenter (Management, Backup, and Recovery) | SSH (22/tcp) HTTP (80/tcp) custom (111/tcp) HTTPS (443/tcp) Microsoft DS (445/tcp) custom (902/tcp) NFS (2049/tcp) iSCSI (3260/tcp) WBEM (5986/tcp) alternate HTTP (8080/tcp) custom (50051/tcp) | Client-premises Cluster | Client vCenter |
Agent-based Backup | custom (111/tcp) HTTPS (443/tcp) Microsoft DS (445/tcp) custom (902/tcp) NFS (2049/tcp) iSCSI (3260/tcp) WBEM (5986/tcp) alternate HTTP (8080/tcp) custom (50051/tcp) | Client-premises Cluster | Client Network |
Name Resolution | DNS (53/tcp, 53/udp) | Client-premises Cluster | Client DNS servers |
Active Directory (Access Management) | DNS (53/tcp, 53/udp) Kerberos (88/tcp, 88/udp) NETBIOS (137/tcp, 137/udp, 139/tcp, 139/udp) LDAP (389/tcp, 389/udp) Microsoft DS (445/tcp) | Client-premises Cluster | Client Domain Controllers |
Network Requirements (Client Networks to Client-premises Cluster)
Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
Cohesity Web UI | HTTP (80/tcp) HTTPS (443/tcp) | Client Network | Client-premises Cluster |
Network Requirements (Client-premises Cluster to Cohesity Cluster)
Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
Cohesity Replication | HTTPS (443/tcp) custom (11111/tcp) custom (20000/tcp) | Client-premises Cluster | Cohesity Cluster/Replication Target |
Network Requirements (Client-premises Cluster to Public)
Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
Time Services | NTP (123/udp) Crony (323/udp) | Client-premises Cluster | Expedient Public NTP |
OneLogin | HTTPS (443/tcp) | Client-premises Cluster | OneLogin
|
Cohesity Support Channel | SSH (22/tcp) HTTPS (443/tcp) | Client-premises Cluster | Cohesity
|
Cohesity Helios | HTTPS (443/tcp) | Client-premises Cluster | Cohesity
|
Network Requirements (Public to Client-premises Cluster)
Application/Purpose | Service Name (Port Number/Transport Protocol) | Source | Destination |
Agent Update | HTTPS (443/tcp) | Cohesity
| Client-premises Cluster |
OneLogin | HTTPS (443/tcp) | OneLogin
| Client-premises Cluster |
Was this article helpful?