
iMaster-NCE Campus V300R020C00

Communication Matrix

Issue 01
Date 2020/12/08

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei
Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the
products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise
specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to
ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any
kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Purpose
This document describes the communication ports of Network Cloud Engine (NCE).

Intended Audience
This document is intended for:
● Network planners
● System engineers
● Field engineers
● Network shift engineers
● Network operators
● Network administrators

Organization
Source Device: Name of the source device.
Source IP Address: IP address of the source device. This IP address must conform to the product-specific IP address naming rules.
Source Port: Number of the source port or source port number range. For well-known protocols, use a common port as the source port. If the value of Source Port is Any, the port number ranges from 32768 to 65535.
Destination Device: Name of the destination device.
Destination IP Address: IP address of the destination device. This IP address must conform to the product-specific IP address naming rules.
Destination Port: Number of the destination port or destination port number range. The destination port provides the listening service. If the value of Destination Port is N/A, the item is not applicable.
Protocol: Protocol (such as TCP, UDP, or SCTP) used at the transport layer.
Port Description: Details about the services provided by the destination port.
Listening Port Configurable: Whether the destination port can be changed through the GUI or CLI.
Authentication Mode: Authentication mode of the destination port, for example, authentication using the username and password.
Encryption Mode: Encryption mode of the destination port.
Plane: Plane to which the destination port belongs, such as the OM plane, control and signaling plane, user plane, or shared by all three planes.
Version: Version of the destination device.
Special Scenario: Special scenario where the destination port is used.
Service: Service to which the destination port belongs.
Process: Process to which the destination port belongs.
Component: Component to which the destination port belongs.
Configuration File and Parameter: Place where the destination port is configured.
Remarks: Content customized based on service or customer requirements.

Huawei Proprietary and Confidential
Issue 01 (07/05/2024) 5
Copyright © Huawei Technologies Co., Ltd

Change History
Changes between document issues are cumulative. The latest document issue contains all the changes in earlier issues.

| Issue | Date | Description |
|---|---|---|
| 01 | 2020/10/22 | This issue is the first official release. |
| 02 | 12/8/2020 | Add "AC Service Port Overview", change Server to Controller. |

770259839.xlsx Document security level

NCE Service Ports

When configuring firewall security policies, ensure that traffic is filtered based on IP addresses and Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) port IDs. TCP/UDP port IDs can be used to filter data packets and transmit data packets to their destined application programs.

TCP/UDP port IDs range from 0 to 65535 and are divided into the following segments:
1. Port 0 to port 1023 are used to identify some standard services such as SFTP and STelnet.
2. 1024-32767: Port numbers in this segment are assigned to registered application programs by Internet Assigned Number Authority (IANA).
3. The range of allocable dynamic port IDs varies according to the OS type:
SUSE12 Linux: The default value range is 32768-60999, and the customized value range is 32768-65535.
EulerOS: The default value range is 32768-60999, and the customized value range is 34000-61000.
These ports may be dynamically allocated to any applications (such as notificat and gnome-ses).

NCE Service Port Connection Types

The ports on the southbound network, client, or northbound network must be enabled on the required firewalls. In other scenarios, you can determine whether to enable the ports based on the actual deployment, for example, whether to enable the data replication and heartbeat ports between the primary and secondary sites. The port types are described as follows:

1. Sheet for southbound connections:
(1) Server-NE: Provides ports for communication between NCE and NEs. In this sheet, NCE server IP address maps to the southbound IP address of each planned node. If the Manager and the Controller are deployed on different servers, the southbound IP addresses of the Manager are nodes deployed on the Manager, such as the NMS nodes, and those of the Controller are nodes deployed on the Controller, such as the Controller nodes.

2. Sheets for client/northbound connections:
(1) Server-Client: Provides ports for communication between NCE and clients. In this sheet, NCE server IP address maps to the client IP address of each planned node.
(2) Server-OSS: Provides ports for communication between NCE and the OSS. In this sheet, NCE server IP address maps to the northbound IP address of each planned node.
(3) Server-Third party Server: Provides ports for communication between NCE and third-party servers, such as the SYSLOG server, email server, SMS server, SNMP server, DNS server, NTP server, and third-party authentication server. In this sheet, NCE server IP address maps to the northbound IP address of each planned node.

3. Sheets for other ports:
(1) Others: Provides ports used for the operating system and disk array of the NCE server. This port type collects ports that are not used by NCE services or cannot be categorized into other port types. You are advised to enable necessary ports on the firewall of the NCE server based on the usage scenario.
(2) EasySuite–Server Ports: Provides ports used only for installation and deployment. These ports are not used during NCE running.
(3) Third-party: Provides ports used for third-party software. For details, see the description of third-party ports.
(4) Inter-service: Provides local listening ports of the NCE nodes (locally bound to 127.0.0.1). These ports do not need to be enabled on the firewall of the NCE server.
(5) Inter-node: Provides listening ports between NCE nodes. These ports, excluding the heartbeat and replication ports between the primary and secondary sites, must not be enabled on the firewall of the NCE server. The heartbeat and replication ports are marked "Ports between the primary and secondary sites." in the Special Scenario column. If a firewall is deployed between the primary and secondary sites of an HA system, enable the bidirectional ports, that is, enable the ports for communication between the two sites to ensure normal communication.

Note: If a firewall is deployed, for example, between the primary and secondary sites of an HA system, or between the NCE server and NEs, allow the ICMP packets to pass through the firewall.

You are advised to disable the ports that are not used on NCE to ensure NCE security. Dynamic ports may be listened to during the running of certain OS services. Therefore, you are not advised to enable system services after hardening the operating system.

07/05/2024 Huawei confidential information. Do not distribute without authorization. Page 9 of 898

The following describes how to determine the IP address specified by NCE server IP address based on the EasySuite network planning table:

1 NCE communication networks can be classified into VM/hardware management network, northbound/client network, southbound network, inter-node communication network, and DR network. For details about communication entities on different networks, see "Service Port Diagram".
2 In the EasySuite network planning table, the IP address name usually contains the network type keyword to indicate the usage of the IP address, for example, client login IP address, northbound/client login IP address, northbound/client floating IP address, hardware monitoring module communication IP address, southbound IP address, southbound floating IP address, and inter-node communication/replication IP address.
3 Different service nodes have different protection schemes, for example, cluster, active/standby, single instance. In active/standby mode, a floating IP address is configured for the active node. The floating IP address is used to communicate with external clients. Users only need to allow the floating IP address traffic of the service node to pass the firewall.
4 Some IP address names do not contain keywords. The relationships between these IP address names and network types are as follows: BGP (southbound), OMS floating IP address (inter-node), DBS floating IP address (inter-node), web floating IP address (inter-node), and JHS floating IP address (inter-node).
5 By default, a specific Ethernet port is used for network communication in a specific direction during the network planning using EasySuite. If the default planning is not modified, the network type can be determined based on the Ethernet port name of the NIC.
You can determine the IP address specified by NCE server IP address by referring to the description in the preceding two cells.

NIC Planning

Network Plane column, in order:
Internal communication plane
Service distribution plane
Southbound plane
Northbound plane

Default Port column, in order:
:n
:3
:dbs
:1
:dip
:0
:sv
:fv
:on
:nv

Note column, in order:
Nginx floating IP address
ACA_Nginx floating IP address
DBservice floating IP address
ER floating IP address
LVS load balancing DIP
FusionInsight Manager floating IP address
Virtual IP address for LVS southbound load balancing
Virtual IP address for LVS file server load balancing
ER floating IP address of the management plane
Virtual IP address for LVS northbound load balancing

Description column, in order:
When the southbound plane, northbound plane, and service distribution plane are combined, :dip and :nv can be combined.
When the virtual IP address for LVS southbound load balancing is combined with the virtual IP address for LVS northbound load balancing, :nv is used.
When the virtual IP address for LVS file server load balancing is combined with the virtual IP address for LVS southbound load balancing, :sv is used.
When the virtual IP address for LVS file server load balancing, virtual IP address for LVS southbound load balancing, and virtual IP address for LVS northbound load balancing are combined, :nv is used.

NCE Service Port Diagram

Network plane
... nodes in the iMaster NCE-Campus cluster, including communication with FusionInsight and GaussDB.
• Service distribution plane: provisions southbound and northbound services of iMaster NCE-Campus. For example, the service distribution plane distributes services to different nodes through LVS.
• Northbound plane: used to receive iMaster NCE-Campus northbound services, for example, accessing the management plane of iMaster NCE-Campus through a web browser.
• Southbound plane: used to receive iMaster NCE-Campus southbound services, for example, communicating with devices using NETCONF.
Based on the customer's actual networking, some network planes can be combined. Currently, two-plane and three-plane network solutions are supported.
• Two-plane networking: In this solution, only the internal communication plane and service distribution plane (combined with the southbound and northbound planes) are available. The firewall performs NAT for southbound ...

1. Nginx floating IP address: This IP address resides on the internal communication plane and is used to process some internal service requests, such as HTTP requests for uploading and downloading files.
2. ACA_Nginx floating IP address: This IP address resides on the internal communication plane and is used to process HTTP requests related to user admission, such as HTTP requests for uploading customized portal pages.
3. ER floating IP address: This IP address resides on the service distribution plane and is used to distribute LVS northbound UI and northbound API requests.
4. ER floating IP address of the management plane: This IP address resides on the service distribution plane and is used to access the management plane of iMaster NCE-Campus.
5. LVS load balancing DIP: This IP address resides on the service distribution plane. LVS backend nodes load balance return traffic to this IP address.
6. FusionInsight Manager floating IP address: This IP address resides on the northbound plane and is used to access FusionInsight Manager.
7. Virtual IP address for LVS southbound load balancing: This IP address resides on the southbound plane and forwards southbound access traffic.
8. Virtual IP address for LVS file server load balancing: This IP address resides on the southbound plane and forwards traffic such as file download traffic of devices.
9. Virtual IP address for LVS northbound load balancing: This IP address resides on the northbound plane and forwards northbound UI and API requests.
10. DBservice floating IP address: This address is used as the floating IP address of the master and slave FusionInsight databases.
11. Northbound management IP address and domain name: These are the northbound IP address and domain name of iMaster NCE-Campus. In non-NAT scenarios, the northbound management IP address is the virtual IP address for LVS northbound load balancing.
12. Southbound service IP address and domain name: These are the southbound IP address and domain name of iMaster NCE-Campus. In non-NAT scenarios, the southbound service IP address is the virtual IP address for LVS southbound load balancing.
13. File server IP address: This is the public IP address of the iMaster NCE-Campus file server. In non-NAT scenarios, the file server IP address is the virtual IP address for LVS file server load balancing.
14. Web system northbound IP address: This IP address is used by iMaster NCE-Campus to access device web systems.

Method for Querying Port IDs

The method for querying enabled ports on the operating system is as follows:

Linux
# /bin/netstat -ant
Information similar to the following is displayed:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.90.132.127:6514      0.0.0.0:*               LISTEN
tcp        0      0 10.90.132.127:13170     0.0.0.0:*               LISTEN
tcp        0      0 10.90.132.127:13331     0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:13301         0.0.0.0:*               LISTEN
...
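The check described under "Method for Querying Port IDs" can be automated. The following Python script is an added example, not part of the Huawei document: it parses `netstat -ant` output and sorts each listener into the categories this page uses (loopback-bound inter-service ports, ports listed in the matrix, OS dynamic ports, and everything else). The allowlist holds only the Controller server TCP ports from the Server-NE rows on this page, and all function and variable names, as well as the sample lines marked as constructed, are assumptions of this example.

```python
import ipaddress

# Controller-server TCP destination ports taken from the Server-NE rows on this
# page. The full matrix has further sheets, so this allowlist is deliberately
# partial (an assumption of this example).
MATRIX_TCP_PORTS = {
    8445, 10020, 10022, 10024, 10025, 10031, 10032, 10033,
    18020, 18021, 18022, 19008, 30049, 31922, 50300, 50301, 50302, 50304,
}
MATRIX_TCP_RANGES = [(40024, 40027), (40028, 40029)]

# Default dynamic port range the page gives for SUSE12 Linux and EulerOS.
DYNAMIC_RANGE = (32768, 60999)

# First three socket lines are from the page's sample output; the remaining
# lines are constructed for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.90.132.127:6514      0.0.0.0:*               LISTEN
tcp        0      0 10.90.132.127:13170     0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:13301         0.0.0.0:*               LISTEN
tcp        0      0 10.90.132.127:10020     0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:45678           0.0.0.0:*               LISTEN
tcp        0      0 10.90.132.127:40026     0.0.0.0:*               LISTEN
tcp        0      0 10.90.132.127:10020     10.90.140.8:51544       ESTABLISHED
tcp6       0      0 :::31922                :::*                    LISTEN
"""


def parse_listeners(netstat_text):
    """Yield (host, port) for every TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header, or non-TCP line
        if fields[5] != "LISTEN":
            continue  # established and other connection states are not listeners
        # rpartition keeps IPv6 wildcards intact: ":::31922" -> ("::", "31922")
        host, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield host, int(port)


def in_matrix(port):
    """True if the port is a single matrix port or inside a matrix range."""
    return port in MATRIX_TCP_PORTS or any(
        low <= port <= high for low, high in MATRIX_TCP_RANGES
    )


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; unparseable hosts count as non-loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify(host, port):
    """Map one listener to the category the communication matrix implies."""
    if is_loopback(host):
        return "inter-service"  # locally bound, no firewall rule needed
    # The matrix is checked before the dynamic range because several matrix
    # ports (40024~40029, 50300 and up) lie inside 32768-60999.
    if in_matrix(port):
        return "in-matrix"
    if DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]:
        return "dynamic"  # may belong to an OS service using a dynamic port
    return "unlisted"  # not in this allowlist: review against the other sheets


def audit(netstat_text):
    """Return {category: [(host, port), ...]} sorted by port number."""
    report = {"inter-service": [], "in-matrix": [], "dynamic": [], "unlisted": []}
    for host, port in parse_listeners(netstat_text):
        report[classify(host, port)].append((host, port))
    for sockets in report.values():
        sockets.sort(key=lambda item: item[1])
    return report


if __name__ == "__main__":
    for category, sockets in audit(SAMPLE_NETSTAT).items():
        print(f"{category}:")
        for host, port in sockets:
            print(f"  {host}:{port}")
```

Listeners reported as "unlisted" are the ones to compare against the remaining sheets of the matrix before deciding whether the port is unused and can be disabled.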


Source IP Address Mapping Destination IP Address Destination Port
Source Device Source Port
Address Scenario (Before Mapping) (Before Mapping)

NE IP
NEs Any port - - -
address

NE IP Floating IP address for


NEs Any port Yes 10022
address southbound load balancing

NE IP Floating IP address for


NEs Any port Yes 10024
address southbound load balancing

NE IP Floating IP address for


NEs Any port Yes 10025
address southbound load balancing

NE IP Floating IP address for


NEs Any port Yes 10031
address southbound load balancing

NE IP Floating IP address for


NEs Any port Yes 10032
address southbound load balancing
NE IP Floating IP address for
NEs Any port Yes 10033
address southbound load balancing

Controller
Controller server server IP 161 No - -
address

Controller
14001~159
Controller server server IP - - -
00
address

Controller
Controller server server IP Any port - - -
address

NE IP
NEs Any port Yes SouthBound business IP 162
address
NE IP Floating IP address for file
NEs Any port Yes 18020
address server load balancing

NE IP Floating IP address for file


NEs Any port Yes 18021
address server load balancing

NE IP Floating IP address for file


NEs Any port Yes 18022
address server load balancing

Client IP
Client Any port No - -
address

Client IP
Client Any port No - -
address

NE IP Floating IP address for


NEs Any port Yes 19008
address southbound load balancing
Controller
Controller server server IP Any port - - -
address

NE IP
NEs Any port No - -
address

NE IP
NEs Any port No - -
address

NE IP Floating IP address for


NEs Any port Yes 3799
address southbound load balancing
NE IP Floating IP address for
NEs Any port Yes 40024~40027
address southbound load balancing

NE IP Floating IP address for


NEs Any port Yes 40028~40029
address southbound load balancing

NE IP
NEs Any port No - -
address

NE IP Floating IP address for


NEs Any port Yes 50300
address southbound load balancing

NE IP Floating IP address for


NEs Any port Yes 50301
address southbound load balancing

Controller
Controller server server IP Any port No - -
address

NE IP Floating IP address for


NEs Any port Yes 50304
address southbound load balancing

NE IP Floating IP address for


NEs Any port Yes 8445
address southbound load balancing
NE IP
NEs Any port No - -
address

NE IP
NEs Any port No - -
address

Controller
Controller server server IP 1819 No - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP 50100 No - -
address

Controller
Controller server server IP 1820 No - -
address
Destination Destination IP Destination Listening Port
Protocol Port Description
Device Address Port Configurable (Y/N)

This port is enabled for


Southbound
Controller NetconfClientService to receive
service IP 10020 TCP No
server callhome connections from
address
southbound devices.

Port used by the


Southbound
Controller CampusOAMService process to
service IP 10022 TCP No
server provide web command line
address
service.

Port used by the


Southbound
Controller CampusOAMService process to
service IP 10024 TCP No
server provide web command line
address
service.

Port used by the


Southbound
Controller CampusOAMService process to
service IP 10025 TCP No
server provide web command line
address
service.

The port used by the


Southbound
Controller DataCollectorService process
service IP 10031 TCP No
server provides device performance
address
collection service.

The port used by the


Southbound
Controller DataCollectorService process
service IP 10032 TCP No
server provides device performance
address
collection service.
The port used by the
Southbound
Controller DataCollectorService process
service IP 10033 TCP No
server provides device performance
address
collection service.

This port is used for sending or


NEs NE IP address 161 UDP No
receiving SNMP packets of NE.

This port is used for sending or


NEs NE IP address 161 UDP receiving SNMP packets of NE. No

This port is used for sending or


NEs NE IP address 161 UDP No
receiving SNMP packets of NE.

Floating IP
address for
Controller Device alarm reporting monitor
southbound 162 UDP No
server port.
load
balancing
Controller The port used by the
Controller
server IP 18020 TCP Fls_OpenAS_Tomcat7 process to No
server
address provide file download services.

The port used by the


FIProxyService process provides a
Controller File server IP file download service. The
18021 TCP No
server address difference from the 18020 port is
that the 18021 port uses the old
device certificate.

Controller server | File server IP address | 18022 | TCP | The port used by the FIProxyService process provides a file download service. The difference from the 18020/18021 port is that the 18022 port uses the third-party certificate. | No
Controller server | Southbound service IP address | 1812 | UDP | Port for RADIUS authentication provided by the RADIUS authentication server. | No
Controller server | Southbound service IP address | 1813 | UDP | Port for RADIUS accounting provided by the RADIUS authentication server. | No
Controller server | Southbound service IP address | 19008 | TCP | Port used by the aca_nginx process to provide portal authentication services. | No
NEs | NE IP address | 22 | TCP | This port is an STelnet service port. It provides secure Telnet services and is used for secure Telnet communication between NCE and NEs. | No
Controller server | Southbound service IP address | 30049 | TCP | Port used by the RadiusServerService process to provide TACACS services. | No
Controller server | Southbound service IP address | 31922 | TCP | SFTP server listening port. | No
Controller server | Southbound service IP address | 3799 | UDP | Port used by the PortalServerService process to provide the RADIUS relay authentication mode for the Portal authentication service. This port is used by the standard RADIUS protocol. | No
Controller server | Southbound service IP address | 40024~40027 | TCP | The port used by the SSHServerService process provides the SSH reverse proxy service for the Sweb device. | Not Concerning
Controller server | Southbound service IP address | 40028~40029 | TCP | The port used by the SSHServerService process provides the SSH reverse proxy service for the Sweb device. | Not Concerning
Controller server | Southbound service IP address | 50100 | UDP | Used in Portal1.0 and the CMCC Portal protocol, listening for user offline messages sent by the device. | No
Controller server | Southbound service IP address | 50300 | TCP | Port used by the PortalServerService process to provide portal authentication services. | No
Controller server | Southbound service IP address | 50301 | TCP | Port used by the PortalServerService process to provide portal authentication services. | No
Controller server | Southbound service IP address | 50302 | TCP | Port used by the CampusAccountService process to provide data sync to iae sc. | Yes
Controller server | Southbound service IP address | 50304 | TCP | Port used by the CampusAccesscfgService process to provide ip-group services. | No
Controller server | Southbound service IP address | 8445 | TCP | Port used by the aca_nginx process to provide the HTTP access mode for the Portal authentication service. | No
Controller server | Southbound service IP address | 8885 | UDP | The online behavior management device queries online user information from AC-Campus. The online user information includes user name, user group, role and IP address. | No
Controller server | Southbound service IP address | 8886 | UDP | The online behavior management device queries online user information from AC-Campus. The online user information includes user name, user group, role and IP address. | No
NEs | NE IP address | Specified port on the server | UDP | The RADIUS server sends online user information to the online behavior management device through UDP source port 1819 after RADIUS authentication succeeds. The online user information includes user name, group, role, and IP address. | No
NEs | NE IP address | Specified port on the server | UDP | The controller sends SNMP requests to the device. The value range is specified by the device. 161 is the default. | No
NEs | NE IP address | Specified port on the server | UDP | Used in Portal2.0 and the CMCC Portal protocol. The controller sends login and logout messages, user synchronization messages, and heartbeat messages to the device. | No
NEs | NE IP address | Specified port on the server | UDP | The portal server sends online user information to the online behavior management device through UDP source port 1820 after portal authentication succeeds. The online user information includes user name, group, role, and IP address. | No
Authentication Mode | Encryption Mode | Version | Special Scenario | Service | Process | Component
Digital certificate (two-way); User Name/Password | SSH |  | This port is not used for NCE. | NetconfClientService | NetconfClientService | AC-BP
Digital certificate (two-way) | SSH |  | None | CampusOAMService | CampusOAMService | AC-Campus
Digital certificate (two-way) | SSH |  | None | CampusOAMService | CampusOAMService | AC-Campus
Digital certificate (two-way) | SSH |  | None | CampusOAMService | CampusOAMService | AC-Campus
Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | DataCollectorService | DataCollectorService | AC-Campus
Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | DataCollectorService | DataCollectorService | AC-Campus
Digital certificate (two-way) | HTTPS |  | None | DataCollectorService | DataCollectorService | AC-Campus
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V2c: none; SNMPV3: encryption |  | None | EndpointProfileService | EndpointProfileService | AC-Campus
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V2c: none; SNMPV3: encryption |  | EnpowerService is provided only for NCE-FAN. NEBackupMgrService and NESoftMgrService are not provided for campus products. | NEBackupMgrService;NESoftMgrService;EnpowerService;NESmartUpgradeService | DCServer;NEUpgrade;EnpowerDm;nesmartupgradeservice | DC
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V2c: none; SNMPV3: encryption |  | None | NESmartUpgradeService | nesmartupgradeservice | DC
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V1:None;SNMPv3:Encryption;SNMPv3 DH:Encryption |  | None | SouthBoundNodeService;LVSService | LVSService | AC-Campus
Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | FIProxyService | Fls_OpenAS_Tomcat7 | AC-Campus
Digital certificate (two-way) | HTTPS |  | None | FIProxyService | FIProxyService | AC-Campus
Digital certificate (two-way) | HTTPS |  | None | FIProxyService | FIProxyService | AC-Campus
Preshared key | None |  | None | RadiusServerService | RadiusServerService | AC-Campus
Preshared key | None |  | None | RadiusServerService | RadiusServerService | AC-Campus
Digital certificate (one-way) | HTTPS |  | None | ACANginxService;LVSService | aca_nginx | AC-Campus
User Name/Password; Public key | SSH |  | The microservices NEBackupMgrService, NESoftMgrService, NELicService, and the corresponding processes DCServer, NEUpgrade, and nelicServer are provided for carriers. In the enterprise scenario, only NESmartUpgradeService and the corresponding process nesmartupgradeservice are involved. | NEBackupMgrService;NESoftMgrService;NELicService;NESmartUpgradeService;NEBackupExecutorService;NEUpgradeExecutorService; | DCServer;NEUpgrade;nelicServer;nesmartupgradeservice;BackupExecutor;UpgradeExecutor | DC
Preshared key | None |  | None | RadiusServerService | RadiusServerService | AC-Campus
User Name/Password | SSH |  | None. | SouthBoundNodeService | SouthBoundNodeService | AC-Campus
None: standard protocol (application layer protocol) | None |  | None | PortalServerService | PortalServerService | AC-Campus
Digital certificate (two-way) | SSH |  | None | SSHServerService | SSHServerService | AC-Campus
Digital certificate (two-way) | SSH |  | None | SSHServerService | SSHServerService | AC-Campus
Preshared key | None |  | None | PortalServerService | PortalServerService | AC-Campus
Digital certificate (two-way) | HTTPS |  | None | PortalServerService | PortalServerService | AC-Campus
Digital certificate (two-way) | HTTPS |  | None | PortalServerService;LVSService | PortalServerService | AC-Campus
Digital certificate (two-way) | SSL/TLS |  | None | CampusAccountService | CampusAccountService | AC-Campus
Digital certificate (two-way) | HTTPS |  | None | CampusAccesscfgService | CampusAccesscfgService | AC-Campus
User Name/Password | None |  | None | ACANginxService;LVSService | aca_nginx | AC-Campus
Preshared key | None |  | None | RadiusServerService | RadiusServerService | AC-Campus
Preshared key | None |  | None | PortalServerService | PortalServerService | AC-Campus
Preshared key | None |  | None | RadiusServerService | RadiusServerService | AC-Campus
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V1:None;SNMPv3:Encryption;SNMPv3 DH:Encryption |  | None | SouthBoundNodeService | SouthBoundNodeService | eSight
Preshared key | None |  | None | PortalServerService | PortalServerService | AC-Campus
Preshared key | None |  | None | PortalServerService | PortalServerService | AC-Campus
Configuration File and Parameter Remarks Certificate Catalog Bound IP Address Type

None Public IP address

None Public IP address

None Public IP address

None None Public IP address

/opt/oss/envs/Product-
DataCollectorService/
None Public IP address
{datetime}/controller/
configuration/ssl

/opt/oss/envs/Product-
DataCollectorService/
None Public IP address
{datetime}/controller/
configuration/ssl
/opt/oss/envs/Product-
DataCollectorService/
None None Public IP address
{datetime}/controller/
configuration/ssl

None None Public IP address

None None Public IP address

None None Public IP address

None. Public IP address


/opt/oss/envs/Product-
FIProxyService/ Public IP address; Private
None
{datetime}/tomcat/ IP address
Fls_OpenAS_To

/opt/oss/envs/Product-
FIProxyService/
None None {datetime}/tomcat/ Public IP address
Fls_OpenAS_Tomcat7/
conf/device/old_cert/

/opt/oss/envs/Product-
FIProxyService/
{datetime}/tomcat/
Fls_OpenAS_Tomcat7/
conf/
None None truststore.keystore; Public IP address
/opt/oss/envs/Product-
FIProxyService/{dateti
me}/tomcat/Fls_OpenA
S_Tomcat7/conf/
keystore.keystore;

None Public IP address

None Public IP address

/opt/oss/envs/Product-
None None ACANginxService/ Public IP address
{datetime}/cert/
None None Public IP address

None None Public IP address

None. Public IP address

None None Public IP address


None
Public IP address

None None Public IP address

None None Public IP address

/opt/oss/envs/Product-
PortalServerService/
None Public IP address
{datetime}/controller/
configuration

/opt/oss/envs/Product-
PortalServerService/
None Public IP address
{datetime}/controller/
configuration

/opt/oss/envs/Product-
/opt/oss/envs/Product-
CampusAccountServic
CampusAccountService/{datetime}/
None e/{datetime}/ Public IP address
controller/configuration/iae/server/
controller/
sm.properties port
configuration/iae/server

/opt/oss/envs/Product-
/opt/oss/envs/Product-
CampusAccesscfgServi
CampusAccesscfgService/
ce/{datetime}/
{datetime}/controller/configuration/ None Public IP address
controller/
http2-config-new.xml
configuration/ssl/
listener.server.port
new_cert

None Public IP address


None None Public IP address

None None Public IP address

The radius server will send


online user information to
the online behavior
management device
through udp source port
None 1819 after radius Public IP address
authentication succeeds.
The online user information
includes: user
name,group,role,and ip
address.

None None Public IP address

None None Public IP address

None None Public IP address


Enabling Method | Disabling Method | Port Can Be Disabled | Port Is Disabled by Default | Type | Office TDT
The rest/netconf/enableCallhome interface needs to be invoked to start listening. | The rest/netconf/disableCallhome interface needs to be invoked to end listening. | Yes | Yes | Foreign show
Start the CampusOAMService process. The port is enabled automatically and remains open. | End the CampusOAMService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusOAMService process. The port is enabled automatically and remains open. | End the CampusOAMService process. The port is disabled automatically. | No | No | Foreign show
After a third-party certificate is added, start the CampusOAMService process. The port is enabled automatically and remains open. | End the CampusOAMService process. The port is disabled automatically. | Yes | Yes | Foreign show
Start the DataCollectorService process. The port is enabled automatically and remains open. | End the DataCollectorService process. The port is disabled automatically. | No | No | Foreign show
Start the DataCollectorService process. The port is enabled automatically and remains open. | End the DataCollectorService process. The port is disabled automatically. | No | No | Foreign show
After a third-party certificate is added, start the DataCollectorService process. The port is enabled automatically and remains open. | End the DataCollectorService process. The port is disabled automatically. | Yes | Yes | Foreign show
After the EndpointProfileService process is started, the SNMP periodic scanning task is triggered. This port is automatically enabled and always exists. | This port is automatically disabled when the periodic SNMP scanning task is complete. | Not Concerning | Yes | Foreign show
NE side port, it can be open by CLI in NE. | NE side port, it can be closed by CLI in NE. | Not Concerning | Not Concerning | Foreign show
NE side port, it can be open by CLI in NE. | NE side port, it can be closed by CLI in NE. | Not Concerning | Not Concerning | Foreign show
In a single scenario, start the SouthBoundNodeService process, which opens automatically and will always exist; in a cluster scenario, start the LVSService process, which opens automatically and will always exist. | In a single scenario, stop the SouthBoundNodeService process, the port is disabled automatically; in a cluster scenario, stop the LVSService process, the port is disabled automatically. | No | No | Foreign show
Start the Fls_OpenAS_Tomcat7 process. The port is enabled automatically and remains open. | End the Fls_OpenAS_Tomcat7 process. The port is disabled automatically. | No | No | Foreign show
On the NCE management plane, set DEVICE_OLD_CERT_ENABLE to true to enable the port. | On the NCE management plane, set DEVICE_OLD_CERT_ENABLE to false to disable the port. | Yes | Yes | Foreign show
After a third-party certificate is added, start the FIProxyService process. The port is enabled automatically and remains open. | End the FIProxyService process. The port is disabled automatically. | Yes | Yes | Foreign show
Start the RadiusServerService process. The port is enabled automatically and remains open. | End the RadiusServerService process. The port is disabled automatically. | No | No | Foreign show
Start the RadiusServerService process. The port is enabled automatically and remains open. | End the RadiusServerService process. The port is disabled automatically. | No | No | Foreign show
Start the aca_nginx process. The port is enabled automatically and remains open. | End the aca_nginx process. The port is disabled automatically. | No | No | Foreign show
This port is automatically enabled when the NE is powered on. | This port is automatically disabled when the NE is powered off. | Not Concerning | Not Concerning | Foreign show
Start the RadiusServerService process. The port is enabled automatically and remains open. | End the RadiusServerService process. The port is disabled automatically | No | No | Foreign show
Start the SouthBoundNodeService process, which opens automatically and will always exist. | Stop the SouthBoundNodeService process, the port is disabled automatically. | No | No | Foreign show
Modify the configuration parameters of iMaster_NCE-Campus on CloudSOP-UniEP, set ENABLE_RADIUS_PORT to 'true', and restart PortalServerService. | End the PortalServerService process. The port is disabled automatically. | No | No | Foreign show
Start the SSHServerService process. The port is enabled automatically and remains open. | End the SSHServerService process. The port is disabled automatically. | No | No | Foreign show
After a third-party certificate is added, start the SSHServerService process. The port is enabled automatically and remains open. | End the SSHServerService process. The port is disabled automatically. | Yes | Yes | Foreign show
Start the PortalServerService process. The port is enabled automatically and remains open. | End the PortalServerService process. The port is disabled automatically. | No | No | Foreign show
Start the PortalServerService process. The port is enabled automatically and remains open. | End the PortalServerService process. The port is disabled automatically. | No | No | Foreign show
Start the PortalServerService process. The port is enabled automatically and remains open. | End the PortalServerService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusAccountService process. The port is enabled automatically and remains open. | End the CampusAccountService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusAccesscfgService process. The port is enabled automatically and remains open. | End the CampusAccesscfgService process. The port is disabled automatically. | No | No | Foreign show
Start the aca_nginx process. The port is enabled automatically and remains open. | End the aca_nginx process. The port is disabled automatically. | No | No | Foreign show
Start the RadiusServerService process. The port is enabled automatically and remains open. | End the RadiusServerService process. The port is disabled automatically. | No | No | Foreign show
Start the PortalServerService process. The port is enabled automatically and remains open. | End the PortalServerService process. The port is disabled automatically. | No | No | Foreign show
Start the RadiusServerService process. The port is enabled automatically and remains open. | End the RadiusServerService process. The port is disabled automatically. | Not Concerning | Not Concerning | Foreign show
SNMP service triggers, opens random ports, and connects 161 ports of devices. | When SNMP service ends, the client's random port is automatically closed. | Not Concerning | Not Concerning | Foreign show
Start the PortalServerService process. The port is enabled automatically and remains open. | End the PortalServerService process. The port is disabled automatically. | Not Concerning | Not Concerning | Foreign show
Start the PortalServerService process. The port is enabled automatically and remains open. | End the PortalServerService process. The port is disabled automatically. | Not Concerning | Not Concerning | Foreign show
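Remark 1 (authentication standards for ports that do not support authentication) | Feature Name | Subsystem
1. NCE-Common provides port 10020 by default, but the NCE-FAN product has requested that 10020 be changed to 4334. 2. NCE-Common provides an interface for this customization, which is currently used only by the NCE-FAN product. The customization is internal to NCE and is not exposed to external customers. 3. NCE-FAN must enter the port 4334 information into the ROC system itself, clearly describe the relationship between 4334 and 10020, and delete the port 10020 information from the communication matrix that NCE-FAN finally provides externally. | Netconf | Suzhou subsystem
Remark 2 (encryption standards for ports that do not support encryption)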


Source Device | Source IP Address | Source Port | Address Mapping Scenario | Destination IP Address (Before Mapping) | Destination Port (Before Mapping)
Client | Client IP address | Any port | Yes | Floating IP address for LVS northbound load balancing | 18001
Client | Client IP address | Any port | Yes | Floating IP address for northbound load balancing | 18008
Client | Client IP address | Any port | Yes | Floating IP address for load balancing on the management plane | 18102
Client | Client IP address | Any port | - | - | -
Client | Client IP address | 443 | Yes | Floating IP address for load balancing on the management plane | 443
Client | Client IP address | Any port | Yes | Floating IP address for LVS northbound load balancing | 64450~64469
Client | Client IP address | Any port | Yes | Northbound management IP | 80
Controller server | Controller server IP address | Any port | No | - | -
Destination Device | Destination IP Address | Destination Port | Protocol | Port Description | Listening Port Configurable (Y/N)
Controller server | Northbound management IP address | 18001 | TCP | The port used by the LVSService and NginxService processes provides web command line login service. | No
Controller server | Northbound management IP address | 18008 | TCP | Port open for the LVSService (corresponding to the process name is Keepalive). In the northbound non-domain name access scenario of the controller, the service provides a web server and a third-party interface. | No
Controller server | Management Plane IP address | 18102 | TCP | The port is started with the HIROERService and is used to forward to the internal 31945 port of the HIROERService. | No
Controller server | Controller server IP address | 31050 | TCP | This port is enabled for the SwiftDeploy web client to provide quick installation and one-click upgrade functions. The IP address corresponding to the port is public IP address of the CloudSOP server. 31050 is the HTTPS encryption port. | No
Controller server | Northbound management IP address | 443 | TCP | Port open for the LVSService (the corresponding process name is Keepalive), and for connection to a web server or third-party interface in the scenario in which a northbound domain name is used for access. | No
Controller server | Northbound management IP address | 64450~64469 | TCP | The port used by the SSHServerService process, the Sweb service port of the proxy device. | No
Controller server | Northbound management IP address | 80 | TCP | The port is an open port for the LVSService (the corresponding process name is Keepalive). If the URL does not carry HTTPS when the domain name is accessed, the LVS forwards the port traffic to the port 31943 of the ERService. When ERService determines that it is not a HTTPS protocol request, it will automatically initiate a redirect, and the browser will redirect to the URL request page with HTTPS. | No
Third-party server | Third-party server IP address | Specified port on the server | TCP | The NCE server is connected to the SA server and provides signature database files downloading. | Not Concerning
Authentication Mode | Encryption Mode | Version | Special Scenario | Service | Process | Component
User Name/Password | HTTPS |  | None | LVSService;NginxService | Keepalive | AC-Campus
User Name/Password | HTTPS | NCEV1R18C10 and later | None | LVSService | Keepalive | AC-Campus
User Name/Password | HTTPS |  | None | HIROERService | HIROERService | AC-Campus
User Name/Password | SSL/TLS |  | No | MCHIROERService | mchiroer | CloudSOP-UniEP
User Name/Password | HTTPS | NCEV1R18C10 and later | None | LVSService | Keepalive | AC-Campus
User Name/Password | HTTPS |  | None | SSHServerService | SSHServerService | AC-Campus
User Name/Password | None |  | None | LVSService | Keepalive | AC-Campus
Digital certificate (two-way) | SSL/TLS |  | None | CampusCfgCommonService | CampusCfgCommonService | AC-Campus
Configuration File and Parameter Remarks Certificate Catalog Bound IP Address Type

/opt/oss/envs/Product-
None None NginxService/ Public IP address
{datetime}/init/cert/

/opt/oss/envs/Product-
Public IP address; Private
None NginxService/
IP address
{datetime}/init/cert/

None None /opt/oss/manager/etc/ssl Public IP address

Configuration item swiftdeploy_port


in {installation /opt/oss/swiftdeploy/
directory}/manager/apps/DeployAgent No SwiftDeploy/etc/ssl/ Public IP address
-*/etc/mcagent.conf internal

/opt/oss/envs/Product-
Public IP address; Private
None NginxService/
IP address
{datetime}/init/cert/

None The certificate is on the NE Public IP address


None Public IP address

/opt/oss/envs/Product-
CampusCfgCommonSe
None rvice/{time-shot}/ Public IP address
controller/
configuration/saupdate
Enabling Method | Disabling Method | Port Can Be Disabled | Port Is Disabled by Default | Type | Office TDT
Start the LVSService process or NginxService process. The port is enabled automatically and remains open. | End the LVSService process and the NginxService process, the port is disabled automatically. | No | No | Foreign show
Start the Keepalive process. The port is enabled automatically and remains open. | End the Keepalive process. The port is disabled automatically. | No | No | Foreign show
Start the HIROERService process. The port is enabled automatically and remains open. | End the HIROERService process. The port is disabled automatically. | No | No | Foreign show
The port is enabled automatically and remains open when the swiftdeploy is deployed. | End the mchiroer process. The port is disabled automatically. | Yes | No | Foreign show
Start the Keepalive process. The port is enabled automatically and remains open. | End the Keepalive process. The port is disabled automatically. | No | No | Foreign show
Listen to the port when the device establishes an SSH reverse connection. | Turn off listening to the port when the device closes the SSH reverse connection. | Yes | Yes | Foreign show
Start the Keepalive process. The port is enabled automatically and remains open. | End the Keepalive process. The port is disabled automatically. | No | No | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | No business triggers will not access third-party servers. | Not Concerning | Not Concerning | Foreign show
Remark 1 (authentication standards for ports that do not support authentication) | Feature Name | Subsystem
Remark 2 (encryption standards for ports that do not support encryption)
Feature list

Source Device | Source IP Address | Source Port | Address Mapping Scenario | Destination IP Address (Before Mapping) | Destination Port (Before Mapping)
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -

Huawei Proprietary and Confidential


Issue 01 (07/05/2024) 81
Copyright © Huawei Technologies Co., Ltd

Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -


Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -


Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -


Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -


Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -


Destination Device | Destination IP Address | Destination Port | Protocol | Port Description | Listening Port Configurable (Y/N)
Controller server | Controller server IP address | 20029 | TCP | The port used by the karaf process provides the command console service. | No
Controller server | Controller server IP address | 25900~25999,26016~26199,26600~26649,31800~31899 | TCP | These ports are listening ports enabled for the management plane service (Java process). They are used for the application IR reverse proxy ports, which are dynamically allocated. Each application process occupies one port. | No
Controller server | Controller server IP address | 26305 | TCP | This port is enabled for HIROIRService management, such as off-hook, on-hook, and isolation. | No
Controller server | Controller server IP address | 26306 | TCP | This port is enabled for HIROERService management, such as off-hook, on-hook, and isolation. | No
Controller server | Controller server IP address | 26307 | TCP | This port is used to register and deregister service routing information. (If the management plane and service plane are deployed on the same node, MCHIROIRService listens to this port. If the management plane and service plane are deployed on different nodes, MCHIROIRService and HIROIRService both listen on this port.) | No


Controller server | Controller server IP address | 26307 | TCP | This port is used to register and deregister service routing information. | No
Controller server | Controller server IP address | 26329 | TCP | HIROBERService management port for maintenance operations, such as off-hook, on-hook, and isolation. | No
Controller server | Controller server IP address | 26331 | TCP | This port is enabled for MCHIROIRService management, which is used to manage the online and offline status of service instances. | No
Controller server | Controller server IP address | 26332 | TCP | This port is enabled for MCHIROERService management, which is used to manage the online and offline status of service instances. | No
Controller server | Controller server IP address | 26500~26509 | TCP | Zenith listening port, which is used by applications to access relational databases. | No
Controller server | Controller server IP address | 26500~26509 | UDP | UDP is used only in the GaussDB scenario. The port is used to collect UDP connections between the statistics collection process of the GaussDB server and the main process. | No


Controller server | Controller server IP address | 26550~26599,26750~26949,32060,32063~32079,28002~28231,28234,28235 | TCP | The application data proxy service MCDBProxyService(dr) listens on the port. Used to access the master and slave databases. | No
Controller server | Controller server IP address | 26550~26599,26750~26949,32060,32063~32079,28002~28231,28234,28235 | TCP | This port is the listening port enabled for the application data proxy service MCDBProxyService (mcdr). This port is used to access the master and slave databases. | No
Controller server | Controller server IP address | 26950~26969 | TCP | Zenith replication port, which is used to synchronize data between the active and standby Zenith databases. | No


Controller server | Controller server IP address | 30254~30274 | TCP | ExtendedPkgRTService process uses a port that provides dynamic loading of programming framework tripartite packages and the ability to provide corresponding services. Used to provide programmable tripartite customization in SSL mode. | No
Controller server | Controller server IP address | 32018 | TCP | BusService management port. This port functions as a proxy service port to support HTTP. In the default BusService scenario, HTTP is disabled. Therefore, if a service uses this port, it must ensure communication security of itself. | No
Controller server | Controller server IP address | 32029 | TCP | Listening port for local OMMHA processes. This port is enabled for listening to communication requests between local processes. This port is enabled only when the OMMHA primary and secondary nodes are deployed. | No
Controller server | Controller server IP address | 32040 | TCP | This port is a listening port of the DeployAgent service. This port is used for the agent service deployment system. | No


Controller server | Controller server IP address | 32080~32089,26500~26509 | TCP | Listening port of the Zenith database, which is used by applications to access the relational database. | No
Controller server | Controller server IP address | 7811 | TCP | Maintenance port of OMMHA. | No
Controller server | Controller server IP address | 8088 | TCP | This port is used to generate configuration files during LVSService installation. | No
Controller server | Controller server IP address | 8089 | TCP | This port is used to generate configuration files during NginxService installation. | No
Controller server | Controller server IP address | 8210 | TCP | This port is used by the karaf process and provides the local command line service, which is used to receive karaf commands sent by users from command line clients. | No
Controller server | Controller server IP address | 8211 | TCP | This port provides the local command line service for receiving Karaf commands sent by users from command line clients. | No
Controller server | Controller server IP address | 8412 | TCP | Karaf shell local login port. | No


Controller server | Controller server IP address | 8506 | TCP | Karaf shell local login port. | No
Controller server | Controller server IP address | 8507 | TCP | Karaf shell local login port. | No


Authentication Mode | Encryption Mode | Version | Special Scenario | Service | Process | Component
Digital certificate (two-way) | SSH |  | None | SecoManagerService | KARAF | SecoManager
Digital certificate (two-way) | SSL/TLS |  | None | ALL | All | CloudSOP-UniEP
Digital certificate (two-way) | HTTPS |  | None | HIROIRService | hiroir | CloudSOP
Digital certificate (two-way) | HTTPS |  | None | HIROERService | hiroer | CloudSOP
Digital certificate (two-way) | SSL/TLS |  | None | HIROIRService | hiroir | CloudSOP


Digital certificate (two-way) | SSL/TLS |  | None | MCHIROIRService | mchiroir | CloudSOP-UniEP
Digital certificate (two-way) | HTTPS |  | None | HIROBERService | hirober | CloudSOP
Digital certificate (two-way) | SSL/TLS |  | None | MCHIROIRService | mchiroir | CloudSOP-UniEP
Digital certificate (two-way) | SSL/TLS |  | None | MCHIROERService | mchiroer | CloudSOP-UniEP
User Name/Password | SSL/TLS |  | Port between primary and secondary sites. | N/A | zengine | CloudSOP-UniEP
User Name/Password | SNMPV3 |  | Port between primary and secondary sites | UniEPService | gaussdb | CloudSOP-UniEP


User Name/Password | None | | Need to deploy master-slave database. | DBProxyService | dr | CloudSOP
User Name/Password | None | | None | MCDBProxyService | mcdr | CloudSOP-UniEP
Digital certificate (two-way) | SSL/TLS | | Port between primary and secondary sites | N/A | zengine | CloudSOP-UniEP


Digital certificate (two-way) | HTTPS | | None | ExtendedPkgRTService | ExtendedPkgRTService | AC-BP
None | None | | In the default BusService scenario, this port is disabled. When a service installs BusService on GUIs, relevant parameters must be configured to enable this port. | BusService | ir | CloudSOP
Digital certificate (two-way) | SSL/TLS | | Used in distributed HA scenarios. | OMMHAService | ommha | CloudSOP-UniEP
Digital certificate (two-way) | SSL/TLS | | None | DeployAgent | deployagent | CloudSOP-UniEP


User Name/Password; Digital certificate (two-way) | SSL/TLS | | Port between primary and secondary sites | N/A | zengine | CloudSOP-UniEP
Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | ACANginxService | ha | AC-Campus
None | None | | None | CampusLVSService | LVSService | AC-Campus
None | None | | None | NginxService | NginxService | AC-Campus
User Name/Password | SSH | | None | OMPubService | KARAF | AC-BP
User Name/Password | SSH | | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP
User Name/Password | SSH | NCEV1R19C00 and later | The port is from this machine to the machine. | SDWANCfgService | SDWANCfgService | AC-Campus


User Name/Password | SSH | | The port is from this machine to the machine. | SDWANOAMService | SDWANOAMService | AC-Campus
User Name/Password | SSH | | The port is from this machine to the machine. | SDWANPerfService | SDWANPerfService | AC-Campus


Configuration File and Parameter | Remarks | Certificate Catalog | Bound IP Address Type
None | 127.0.0.1
IRListenPorts and exIRListenPorts in {installation directory}/manager/apps/DeployAgent-*/etc/install/default_value.json | None | /opt/oss/manager/etc/ssl | Private IP address
processes/hiroir-{0}-{0}/MGMT in {installation directory}/{tenant}/apps/HIROIRService/etc/sysconf/HIROIRService-{version}.json Note: This configuration item cannot be modified. | PaaS port | /opt/oss/NCE/etc/ssl | 127.0.0.1
processes/hiroer-{0}-{0}/MGMT in {installation directory}/{tenant}/apps/HIROERService/etc/sysconf/HIROERService-{version}.json Note: This configuration item cannot be modified. | None | /opt/oss/NCE/etc/ssl | 127.0.0.1
None | None | /opt/oss/manager/etc/ssl | 127.0.0.1


None | None | /opt/oss/manager/etc/ssl | 127.0.0.1
processes/hiroer-{0}-{0}/BER, BER2, BER_ACCESS, BER_ACCESS2 in {installation directory}/{tenant}/apps/HIROERService/etc/sysconf/HIROERService-version.json | PaaS Port | /opt/oss/NCE/etc/ssl | 127.0.0.1
processes/mchiroir-{0}-{0}/MGMT in {installation directory}/manager/apps/MCHIROIRService/etc/sysconf/MCHIROIRService-{version}.json Note: This parameter is unconfigurable. | None | /opt/oss/manager/etc/ssl | 127.0.0.1
processes/mchiroer-{0}-{0}/MGMT in {installation directory}/manager/apps/MCHIROERService/etc/sysconf/MCHIROERService-{version}.json Note: This parameter is unconfigurable. | None | /opt/oss/manager/etc/ssl | 127.0.0.1
None | A relational database has a maximum of 20 database instances. Each instance is configured with an access port and a replication port. The microservice is MCDeployService (UniEPLiteService in the compact scenario). Connections to this port are not long connections, and this port is enabled only if connected. | /opt/oss/manager/etc/ssl | Private IP address; 127.0.0.1
/opt/oss/envs/DBAgent/*/dbcontainer/gauss/conf/defaultArgs.json/PORTS | None | 127.0.0.1


None | None | 127.0.0.1
None | None | 127.0.0.1
None | A relational database has a maximum of 20 database instances. Each instance is configured with an access port and a replication port. IP addresses of the active and standby DB nodes (including DB and Domain DB) The source and destination IP addresses are subject to the actual configuration of the replication network between the active and standby sites. | /opt/oss/manager/etc/ssl | Public IP address; Private IP address


None | When a third-party programming component package is activated, the ExtendedPkgRTService process creates a virtual local private network IP address (192.168.xxx.xxx or 172.16.xxx.xxx) and binds the ports from 30254 to 30274 to the IP address for internal communication. This IP address is used only for internal communication within the programmable framework and cannot be used for external access. | /opt/oss/NCE/etc/ssl/internal; {APP_ROOT}/etc/ssl | 127.0.0.1
None | 127.0.0.1
None | /opt/oss/manager/etc/ssl | 127.0.0.1
None | /opt/oss/manager/etc/ssl | 127.0.0.1; Private IP address


None | A relational database has a maximum of 20 database instances. Each instance is configured with an access port and a replication port. | /opt/oss/manager/etc/ssl | Private IP address; 127.0.0.1
None | /opt/oss/envs/Product-ACANginxService/{datetime}/ha/ha-aca_nginx/ha/local/cert | 127.0.0.1
None | None | 127.0.0.1
None | None | 127.0.0.1
None | 127.0.0.1
None | None | 127.0.0.1
None | 127.0.0.1


None | None | 127.0.0.1
None | None | 127.0.0.1


Enabling Method | Disabling Method | Port Can Be Disabled | Port Is Disabled by Default | Type | Office
Start the Karaf process of SecoManagerService. The port is enabled automatically and remains open. | End the Karaf process of SecoManagerService. The port is disabled automatically. | No | No | Foreign show
Start the microservice. The port is enabled automatically and remains open. | End the microservice. The port is disabled automatically. | Yes | No | Foreign show
Start the hiroir process. The port is enabled automatically and remains open. | End the hiroir process. The port is disabled automatically. | No | No | Foreign show
Start the hiroer process. The port is enabled automatically and remains open. | End the hiroer process. The port is disabled automatically. | No | No | Foreign show
Start the hiroir process. The port is enabled automatically and remains open. | End the hiroir process. The port is disabled automatically. | Yes | No | Foreign show


The mchiroir process is started and the port is automatically opened and will always exist. | The mchiroir process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start the hirober process. The port is enabled automatically and remains open. | End the hirober process. The port is disabled automatically. | No | No | Foreign show
The mchiroir process is started and the port is automatically opened and will always exist. | The mchiroir process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start the mchiroer process. The port is enabled automatically and remains open. | End the mchiroer process. The port is disabled automatically. | Yes | No | Foreign show
Start the zengine database process, the port is automatically opened and will always exist. | Stop the zengine database process and the port is automatically closed. | Yes | No | Foreign show
Start the gauss database process, the port is automatically opened and will always exist. | Stop the gauss database process and the port is automatically closed. | Yes | No | Foreign show


The dr process is started and the port is automatically opened and will always exist. | The dr process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start the mcdr process. The port is enabled automatically and remains open. | End the mcdr process. The port is disabled automatically. | Yes | No | Foreign show
Start the zengine database process, the port is automatically opened and will always exist. | Stop the zengine database process and the port is automatically closed. | Yes | No | Foreign show


When ExtendedPkgRTService is started and a third-party programming package is loaded, a port is automatically opened for each package that is loaded and will always be there. | End the ExtendedPkgRTService process or unload the third-party programming package. The port is disabled automatically. | No | No | Foreign show
In the default BusService scenario, this port is disabled. When a service installs BusService on GUIs, relevant parameters must be configured to enable this port. | It is not turned on by default, or it is turned off after the NCE system shutdown. | No | Yes | Foreign show
The ommha process is started and the port is automatically opened and will always exist. | The ommha process is stopped and the port is automatically shut down. | Yes | Yes | Foreign show
The deployagent process is started and the port is automatically opened and will always exist. | The deployagent process is stopped and the port is automatically shut down. | Yes | No | Foreign show


Start the zengine database process, the port is automatically opened and will always exist. | Stop the zengine database process and the port is automatically closed. | Yes | No | Foreign show
Start the ha process. The port is enabled automatically and remains open. | End the ha process. The port is disabled automatically. | No | No | Foreign show
This port is automatically enabled during LVSService installation and disabled after the installation. | This port is automatically enabled during LVSService installation and disabled after the installation. | Yes | Yes | Foreign show
This port is automatically enabled during NginxService installation and disabled after the installation. | This port is automatically enabled during NginxService installation and disabled after the installation. | Yes | Yes | Foreign show
Start the Karaf process of OMPubService. The port is enabled automatically and remains open. | End the Karaf process of OMPubService. The port is disabled automatically. | No | No | Foreign show
Start the Karaf process of NorthboundCommunicationService. The port is enabled automatically and remains open. | End the Karaf process of NorthboundCommunicationService. The port is disabled automatically. | No | No | Foreign show
Start the SDWANCfgService process. The port is enabled automatically and remains open. | End the SDWANCfgService process. The port is disabled automatically. | No | No | Foreign show


Start the SDWANOAMService process. The port is enabled automatically and remains open. | End the SDWANOAMService process. The port is disabled automatically. | No | No | Foreign show
Start the SDWANPerfService process. The port is enabled automatically and remains open. | End the SDWANPerfService process. The port is disabled automatically. | No | No | Foreign show


Remark 1 (authentication standards for ports that do not support authentication)
TDT Feature Name Subsystem


Open programming framework | Unified southbound | None


OMPubService | Hangzhou mechanism | NA
NorthboundCommunicationService | Hangzhou mechanism | NA


Remark 2 (encryption standards for ports that do not support encryption)


NA

NA

Source Device | Source IP Address | Source Port | Address Mapping Scenario | Destination IP Address (Before Mapping) | Destination Port (Before Mapping)
Controller server | NE IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address
Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port - - -
address
Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address
Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address
Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address
Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address
Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address
Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address
Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address
Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port - - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address

Controller
Controller server server IP Any port No - -
address
Controller
Controller server server IP Any port No - -
address

Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | 32026 | - | - | -
Controller server | Controller server IP address | 32027 | - | - | -
Controller server | Controller server IP address | 32031 | - | - | -
Controller server | Controller server IP address | 32032 | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -

Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | 68 | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | 7709 | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Client | Client IP address | Any port | - | - | -
Hardware Server | Hardware Server IP address | Any port | - | - | -
Destination Device | Destination IP Address | Destination Port | Protocol | Port Description | Listening Port Configurable (Y/N)
Controller server | Controller server IP address | 10162 | UDP | This port is a port for SouthBoundNodeService (process name: SouthBoundNodeService), which provides alarm Trap reporting function. | No
Controller server | Controller server IP address | 123 | UDP | This port is the default NTP listening port and is used to ensure time consistency among all agent nodes. | No
Controller server | Controller server IP address | 14004 | TCP | SouthBoundNodeService process listening port. | No
Controller server | Controller server IP address | 16431 | TCP | This port is listened to by the devicedb service instance and receives connection requests from clients. The port is used to transfer data in an upgrade scenario. | No
Controller server | Controller server IP address | 16432 | TCP | This port is listened to by the commondb service instance and receives connection requests from clients. The port is used to transfer data in an upgrade scenario. | No
Controller server | Controller server IP address | 16433 | TCP | This port is listened to by the localdb service instance and receives connection requests from clients. The port is used to transfer data in an upgrade scenario. | No
Controller server | Controller server IP address | 16434 | TCP | This port is listened to by the fmlogdb service instance and receives connection requests from clients. The port is used to transfer data in an upgrade scenario. | No
Controller server | Controller server IP address | 16435 | TCP | This port is listened to by the fcapsdb service instance and receives connection requests from clients. The port is used to transfer data in an upgrade scenario. | No
Controller server | Controller server IP address | 16438 | TCP | This port is listened to by the secmdb service instance and receives connection requests from clients. The port is used to transfer data in an upgrade scenario. | No
Controller server | Controller server IP address | 16439 | TCP | This port is listened to by the omdb service instance and receives connection requests from clients. The port is used to transfer data in an upgrade scenario. | No

Controller server | Controller server IP address | 18004 | TCP | The port used by the internal component miniGate, which provides web command line functionality. | No
Controller server | Controller server IP address | 18017 | TCP | The port used by the FIProxyService process is used by the file server internal interface call. | No
Controller server | Controller server IP address | 18026 | TCP | The Nginx process uses ports for load balancing of internal system interfaces, such as the internal interface of the file server. | No
Controller server | Controller server IP address | 18027 | TCP | The port is open to the CloudSOP interface bus and provides related interfaces such as disaster recovery and portal page acquisition. | No
Controller server | Controller server IP address | 18030 | TCP | Port used by the ACM to upload portal page thumbnails. | No
Controller server | Controller server IP address | 1814 | UDP | The LVS node receives the original Radius authentication packet and forwards it to ACANginxService's port 1814 for load balancing. | No
Controller server | Controller server IP address | 19117 | TCP | The SouthboundService process routedrpc port provides the routedrpc service. | No
Controller server | Controller server IP address | 19120 | TCP | The port used by the karaf process provides the service for message transfer or communication among nodes. | No
Controller server | Controller server IP address | 19136 | TCP | Jetty listening port in DTPService process, providing https access service. | No
Controller server | Controller server IP address | 20001~20099 | TCP | This port is the listening port for HOFSNbService, which is used to receive filestreams from the agent service and store the files to the local PC to provide the file aggregation capability. | No
Controller server | Controller server IP address | 21000 | TCP | Nginx processes use ports to load static UI pages. | No
Controller server | Controller server IP address | 2185 | TCP | The port used by the NMQZookeeperService process provides the election service for kafka service | No
Controller server | Controller server IP address | 22000 | TCP | The oss_nginx process use ports to load static UI pages. | No

Controller server | Controller server IP address | 2379 | TCP | This port is a listening port for the etcd-service process, which provides the distributed lock and election functions. This port is used by other service clients to interact with EtcdService in SSL mode. | Yes
Controller server | Controller server IP address | 2380 | TCP | Port used by the Etcd component for communication between Etcd nodes in a cluster and for identifying the Etcd component leader and synchronizing logs. | No
Controller server | Controller server IP address | 2380 | TCP | Port occupied by the Etcd service. | No
Controller server | Controller server IP address | 2480 | TCP | This port is a listening port of the etcd-service process for communications in the ETCD cluster. This port is used for data transfer or communications between multiple service instances of EtcdService in SSL mode. | Yes
Controller server | Controller server IP address | 2551 | TCP | The PortalServerService process routedrpc port provides the routedrpc service. | No
Controller server | Controller server IP address | 2558 | TCP | The CampusBaseService process routedrpc port provides the routedrpc service. | No
Controller server | Controller server IP address | 2560 | TCP | The CampusFabricService process routedrpc port provides the routedrpc service. | No
Controller server | Controller server IP address | 2561 | TCP | The CampusOAMService process routedrpc port provides the routedrpc service. | No
Controller server | Controller server IP address | 2562 | TCP | The CampusPerfService process routedrpc port provides the routedrpc service. | No
Controller server | Controller server IP address | 25900~25999,26016~26199,26600~26649,31800~31899 | TCP | These ports are listening ports enabled for the management plane service (Java process). They are used for the application IR reverse proxy ports, which are dynamically allocated. Each application process occupies one port. | No
Controller server | Controller server IP address | 2600 | TCP | The SecoManagerService process routedrpc port provides the routedrpc service. | No

Controller server | Controller server IP address | 26301 | TCP | This port is the listening port for MCHIROIRService. This port is used to obtain the IP address, port, and software package directory of the service deployment system. | No
Controller server | Controller server IP address | 26310 | TCP | This port is enabled for external services to obtain the database routing information stored in ZooKeeper of the management plane. | No
Controller server | Controller server IP address | 26311 | TCP | This port is enabled for leader election in the ZooKeeper cluster. | No
Controller server | Controller server IP address | 26312 | TCP | This port is enabled for synchronization from non-leader nodes to the leader node in the ZooKeeper cluster. | No
Controller server | Controller server IP address | 26320 | TCP | This port is used by the karaf process and provides the local command line service, which is used to receive karaf commands sent by users from command line clients. | No
Controller server | Controller server IP address | 26321 | TCP | This port provides communication services between nodes. This port is used for data transfer or communication between other service processes and NorthboundCommunicationService. | No
Controller server | Controller server IP address | 26326 | TCP | Listening port for the MessagingLBService service. This port is used for other applications to access messaging services. | No
Controller server | Controller server IP address | 26327 | TCP | Listening port for the MessagingService service. | No
Controller server | Controller server IP address | 26328 | TCP | The port is the listening port of MessagingBrokeService and is used for Kafka clients to access the message service. | No
Controller server | Controller server IP address | 26330 | TCP | This port is used for cross-region accesses of nodes. This port is the listening port for HIROBERService and is encrypted using SSL. | No
Controller server | Controller server IP address | 26336 | TCP | The HomepageNoticeService service internal listening port is used by the bus to forward websocket requests to the websocket service node. | No
Controller server | Controller server IP address | 26337 | TCP | This port is enabled for MQProxy (whose process is mqproxy). This service processes gRPC requests and provides the MQ cluster registration information, ZooKeeper connection information, MQ cluster connection information, and topic information. | No
Controller server | Controller server IP address | 26500~26509 | TCP | Zenith listening port, which is used by applications to access relational databases. | No
Controller server | Controller server IP address | 2662 | TCP | The SDWANPerfService process routedrpc port provides the routedrpc service. | No

This port is used by the


Controller LiteCASignService process and
Controller
server IP 26801 TCP uses the CMPv2 protocol to apply No
server
address for certificates.
This port is used by the
Controller LiteCASignService process and
Controller
server IP 26802 TCP uses the CMPv2 protocol to apply No
server
address for certificates.

This port is used by the


Controller LiteCASignService process and
Controller
server IP 26803 TCP uses the CMPv2 protocol to apply No
server
address for certificates.

The port is used by the


ACANginxService process,
Controller provides liteCA load balancing
Controller
server IP 26811 TCP and forwards to port 26801. The No
server
address encryption method depends on
port 26801.
Zenith replication port, which is
Controller
Controller used to synchronize data between
server IP 26950~26969 TCP No
server the active and standby Zenith
address
databases.

| Controller server | Controller server IP address | 27317 | TCP | Port used for receiving https request from the third party application forwarded by the North LB. | No |
| Controller server | Controller server IP address | 27320 | TCP | This port is used by the heartbeat channel of DRMgrService, and is enabled by default after DRMgrService is deployed. Ensure that this port can be used for inter-site communication before establishing the DR relationship between the sites. | Yes |
| Controller server | Controller server IP address | 27333 | TCP | Port used for receiving callback requests forwarded by northbound APIs through MinAPIGatewayService. | No |
| Controller server | Controller server IP address | 27334 | TCP | Port used to receive API query requests from MinAPIGatewayService. | No |
| Controller server | Controller server IP address | 27335 | TCP | Port used to synchronize API information from MinAPIGatewayService. | No |
| Controller server | Controller server IP address | 27336 | TCP | Port used to synchronize API information between MinAPIGatewayService service nodes. | No |
| Controller server | Controller server IP address | 28232 | TCP | This port is used to receive requests forwarded by the MCHIROERService or MCHIROIRService. This port is the listening port for MCHIROIRService and is encrypted using SSL. | No |
| Controller server | Controller server IP address | 28233 | TCP | This port is used to receive requests forwarded by HIROERService or HIROIRService, and is used by the bus to forward cross-node requests. This port is the listening port for HIROIRService and is encrypted using SSL. | No |
| Controller server | Controller server IP address | 2878 | TCP | The port used by the NMQZookeeperService process provides the communication service for zookeeper leader and follower node. | No |
| Controller server | Controller server IP address | 28888 | TCP,UDP | karafport of SecoManagerService | No |
| Controller server | Controller server IP address | 30087 | UDP | Port 30087 is open by the management plane and is used to send alerts to the product alert service. | No |

| Controller server | Controller server IP address | 30100 | TCP | This port is used for service registration and service discovery. This port is the listening port for ServiceCenter and is encrypted using SSL. | No |
| Controller server | Controller server IP address | 30101 | TCP | This port is the Etcd management port. | No |
| Controller server | Controller server IP address | 30107~30109 | TCP | The port used by the SMPMQService process provides the SMPManagerService service for data transfer in SSL mode. | No |
| Controller server | Controller server IP address | 30113 | TCP | These ports are open for AuthService. They are used as application IR reverse agent ports and provide communication between service instances in TLS mode. | No |
| Controller server | Controller server IP address | 30114 | TCP | This port is enabled for SSOWebSite for the IR reverse proxy of applications to provide communication services for service instances in TLS mode. | No |
| Controller server | Controller server IP address | 30115 | TCP | This port is enabled for AuthWebSite for the IR reverse proxy of applications to provide communication services for service instances in TLS mode. | No |
| Controller server | Controller server IP address | 30116 | TCP | This port is enabled for DomainService for the IR reverse proxy of applications to provide communication services for service instances in TLS mode. | No |
| Controller server | Controller server IP address | 30118 | TCP | The port used by the Smpagentservice process provides health checks and data acquisition services for inspection and acquisition functions in HTTPS mode. | Yes |
| Controller server | Controller server IP address | 30121 | TCP | These ports are open for NetconfClientService. They are used as application IR reverse agent ports and provide communication between service instances in TLS mode. | No |
| Controller server | Controller server IP address | 31110 | TCP | The CampusAccesscfgService process inner communication port (Internal restful). | No |
| Controller server | Controller server IP address | 31111 | TCP | The CampusL3NetPrvnService process inner communication port. | No |
| Controller server | Controller server IP address | 31112 | TCP | The CampusCfgCommonService process inner communication port (Internal restful). | No |
| Controller server | Controller server IP address | 31113 | TCP | tomcat port of RadiusServerService | No |
| Controller server | Controller server IP address | 31115 | TCP | The SouthboundService process inner communication port (Internal restful). | No |
| Controller server | Controller server IP address | 31116 | TCP | The CampusAccountService process inner communication port (Internal restful). | No |

| Controller server | Controller server IP address | 31117 | TCP | The SDWANVNService process inner communication port (Internal restful). | No |
| Controller server | Controller server IP address | 31118 | TCP | The CampusFabricService process inner communication port (Internal restful). | No |
| Controller server | Controller server IP address | 31323 | TCP | This port is an open port for CampusBaseService corresponding to the CampusBaseService process. This service provides basic functions such as device management and tenant management. | No |
| Controller server | Controller server IP address | 31324 | TCP | These ports are open ports for ACUpgradeService. They are used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 31325 | TCP | This port is an open port for CampusOAMService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 31326 | TCP | This port is an open port for AlarmService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 31327 | TCP | This port is an open port for SSHServerService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 31328 | TCP | This port is an open port for DataCollectorService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 31329 | TCP | This port is an open port for CampusPerfService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 31330 | TCP | This port is an open port for RouterService corresponding to the RouterService process. This service is used to transparently transmit northbound requests to each cluster in multi-cluster scenarios. | No |
| Controller server | Controller server IP address | 31777 | TCP | The CampusCfgService process inner communication port (Internal restful). | No |
| Controller server | Controller server IP address | 31943 | TCP | The hiroer service listening port, which is used to receive the northbound request forwarded by the LVS service, and continues to forward as an HTTP reverse proxy. | No |
| Controller server | Controller server IP address | 32013 | TCP | This port is the RESTful listening port of DBAgent, which is used by the management plane to access the DBAgent service. | No |
| Controller server | Controller server IP address | 32018 | TCP | This port is used for communications between nodes of the service plane. This port is the listening port for HIROIRService and is encrypted using SSL. | No |

| Controller server | Controller server IP address | 32026 | TCP | Listening port of the OMMHA heartbeat link. This port is used for establishing the heartbeat link with the peer OMMHA to listen to the peer heartbeat. This port is opened only when | No |
| Controller server | Controller server IP address | 32027 | TCP | Data synchronization port of OMMHA. This port is used for establishing the data synchronization link with the peer OMMHA for data transfer. This port is enabled only when the OMMHA primary and secondary nodes are deployed. | No |
| Controller server | Controller server IP address | 32031 | TCP | Listening port of the OMMHA heartbeat link. This port is used for establishing the heartbeat link with the peer OMMHA to listen to the peer heartbeat. This port is enabled only when dual heartbeat links are deployed between the primary and secondary sites. | No |
| Controller server | Controller server IP address | 32032 | TCP | Data synchronization port of OMMHA. This port is used for establishing the data synchronization link with the peer OMMHA for data transfer. This port is enabled only when dual heartbeat links are deployed between the primary and secondary sites. | No |
| Controller server | Controller server IP address | 32038 | TCP | This port is used for communications between nodes of the management plane. This port is the listening port for MCHIROIRService and is encrypted using SSL. | No |
| Controller server | Controller server IP address | 32040 | TCP | This port is a listening port of the DeployAgent service. This port is used for the agent service deployment system. | No |
| Controller server | Controller server IP address | 32041 | TCP | This port is enabled for ZooKeeper, an open-source distributed coordination framework service. This port is used by the ZooKeeper server to receive requests from the client. This port is encrypted using SSL. | No |
| Controller server | Controller server IP address | 32042 | TCP | This port is enabled for ZooKeeper, an open-source distributed coordination framework service. This port is used for communication and data synchronization between ZooKeeper clusters. This port is encrypted using SSL. By default, this port is disabled in non-distributed scenarios and enabled in distributed scenarios. | No |
| Controller server | Controller server IP address | 32043 | TCP | This port is enabled for ZooKeeper, an open-source distributed coordination framework service. All nodes in a ZooKeeper cluster elect a leader. This port is the communication port for the ZooKeeper leader election. This port is encrypted using SSL. By default, this port is disabled in non-distributed scenarios and enabled in distributed scenarios. | No |
| Controller server | Controller server IP address | 32080~32089,26500~26509 | TCP | Listening port of the Zenith database, which is used by applications to access the relational database. | No |
| Controller server | Controller server IP address | 32090~32099,26520~26549,26650~26749 | TCP | This port is the listening port for the Redis database, which is used to access the Redis database. | No |
| Controller server | Controller server IP address | 32821 | TCP | tomcat port of EndpointProfileService | No |

| Controller server | Controller server IP address | 33711 | TCP | This port is an open port for SDWANCfgService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 33713 | TCP | This port is an open port for SDWANOAMService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 33714 | TCP | This port is an open port for SDWANPerfService. It is used for application IR reverse proxy ports to provide service instance communication services in TLS mode. | No |
| Controller server | Controller server IP address | 3878 | TCP | The port used by the NMQZookeeperService process provides the election service for zookeeper service. | No |
| Controller server | Controller server IP address | 50303 | TCP | The CampusAccountService process inner communication port provides the inner communication service. | No |
| Controller server | Controller server IP address | 62000~63000 | TCP | MiniGateService connects to CampusOAMService to provide web command line service. | Not Concerning |
| Controller server | Controller server IP address | 67 | UDP | This port is enabled for the DHCP service (whose process is /usr/sbin/dhcpd). When the OS of another node is restored on a node, the UDP port is enabled on the local node. This port is only temporarily enabled during the OS restoration. | No |
| Controller server | Controller server IP address | 69 | UDP | This port is enabled for the TFTP service (whose process is /usr/sbin/in.tftpd). This port is only temporarily enabled during the OS restoration. | No |
| Controller server | Controller server IP address | 7709 | TCP | The NginxService ha process interaction port is used for active/standby heartbeat check. | No |
| Controller server | Controller server IP address | 7710 | TCP | NginxService HA process interaction port, used for file synchronization between the active and standby nodes. | No |
| Controller server | Controller server IP address | 7711 | TCP | NginxService ha process local maintenance port. | No |
| Controller server | Controller server IP address | 7809 | TCP | OMM-HA interactive port for active and backup heartbeat check. | No |
| Controller server | Controller server IP address | 7810 | TCP | OMM-HA interactive port, used for file synchronization between the active and standby nodes. | No |
| Controller server | Controller server IP address | 8000 | TCP | DRService process listen port, used for inner heartbeat. | No |

| Controller server | Controller server IP address | 8281 | TCP | The PortalServerService process jetty port provides REST interface access. | No |
| Controller server | Controller server IP address | 873 | TCP | A port initiated by the Rsync process when creating a disaster tolerance relationship. This port is used for file synchronization between disaster tolerance primary and standby clusters. | No |
| Controller server | Controller server IP address | 9094 | TCP | This port is enabled for DmqKafkaService to provide the distributed high reliable message queue function. The distributed high reliable message queue function consists of senders and receivers. The sender provides the sending interface, and the receiver provides the subscription interface. | No |
| Controller server | Controller server IP address | 9527 | TCP | The DrProductService process port provides REST interface access. | No |
| Controller server | Controller server IP address | 9808 | TCP | MinAPIGateway server port, which is an HTTP protocol used to listen to WEBSOCKET persistent connections forwarded by the APIMLBService. | No |
| Controller server | Controller server IP address | 26801 | TCP | This port is used by the LiteCASignService process and uses the CMPv2 protocol to apply for certificates. | No |
| Controller server | Controller server IP address | 26802 | TCP | This port is used by the LiteCASignService process and uses the CMPv2 protocol to apply for certificates. | No |
| Controller server | Controller server IP address | 26803 | TCP | This port is used by the LiteCASignService process and uses the CMPv2 protocol to apply for certificates. | No |
| Controller server | Controller server IP address | 31945 | TCP | This port is used to access the management plane. This port is the listening port for MCHIROERService and is encrypted using SSL. | No |
| Controller server | Controller server IP address | 30085 | UDP | The port that is open for the alarm module (the corresponding process is java). Receive alarms through the connection between the alarm module and the E9000 server/disk array/PCServer server, using the SNMPv3 protocol. | No |
| Authentication Mode | Encryption Mode | Version | Special Scenario | Service | Process | Component |
| SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V1:None;SNMPv3:Encryption;SNMPv3 DH:Encryption | | None | SouthBoundNodeService | SouthBoundNodeService | AC-Campus |
| HMAC-SHA256 | None | | Used in a distributed scenario, where ntp is used as a client usage scenario. | NTP | ntpd | CloudSOP-UniEP |
| Digital certificate (two-way) | SSH | | None. | SouthBoundNodeService | SouthBoundNodeService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | The port is used to transfer data in an upgrade scenario. The port is automatically disabled after migrating data. | db-migrate-service | gaussdb | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | The port is used to transfer data in an upgrade scenario. The port is automatically disabled after migrating data. | db-migrate-service | gaussdb | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | The port is used to transfer data in an upgrade scenario. The port is automatically disabled after migrating data. | db-migrate-service | gaussdb | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | The port is used to transfer data in an upgrade scenario. The port is automatically disabled after migrating data. | db-migrate-service | gaussdb | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | The port is used to transfer data in an upgrade scenario. The port is automatically disabled after migrating data. | db-migrate-service | gaussdb | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | The port is used to transfer data in an upgrade scenario. The port is automatically disabled after migrating data. | db-migrate-service | gaussdb | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | The port is used to transfer data in an upgrade scenario. The port is automatically disabled after migrating data. | db-migrate-service | gaussdb | AC-BP |

| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | MinigateService | miniGate | AC-Campus |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | FIProxyService | FIProxyService | AC-Campus |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | NginxService | nginx | AC-Campus |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | ACANginxService | aca_nginx | AC-Campus |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | ACANginxService | aca_nginx | AC-Campus |
| Preshared key | None | | None | ACANginxService | ACANginxService | AC-Campus |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | SouthboundService | SouthboundService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | NetconfClientService | NetconfClientService | AC-BP |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | DTPService | DTPService | AC-BP |
| Digital certificate (two-way) | HTTPS | | None | HOFSNbService | hofsnbservice | CloudSOP |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | NginxService | nginx | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | NMQZookeeperService | NMQZookeeperService | AC-BP |
| Digital certificate (one-way) | HTTPS | | None | MultiLanguageService | oss_nginx | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | EtcdService | etcd-service | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | None | Etcd | cse-etcd | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | Etcd | etcd | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | EtcdService | etcd-service | AC-BP |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | PortalServerService | PortalServerService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R19C00 and later | None | CampusBaseService | CampusBaseService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R19C00 and later | None | CampusFabricService | CampusFabricService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R19C00 and later | None | CampusOAMService | CampusOAMService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | CampusPerfService | CampusPerfService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | ALL | All | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | SecoManagerService | SecoManagerService | SecoManager |

| Digital certificate (one-way) | SSL/TLS | | In distributed scenarios, this port is used for application nodes to communicate with management nodes. | MCHIROIRService | mchiroir | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | MCZKService | mczkapp | CloudSOP-UniEP |
| Digital certificate (two-way); SNMPv3 | SSL/TLS | | None | MCZKService | mczkapp | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | MCZKService | mczkapp | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | OMPubService | OMPubService | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP |
| Digital certificate (two-way) | HTTPS | NCEV1R18C00 and later | None | MessagingLBService | msglbsrv | CloudSOP |
| Digital certificate (two-way) | HTTPS | NCEV1R18C00 and later | None | MessagingService | msgsrv | CloudSOP |
| Digital certificate (two-way) | HTTPS | | None | MessagingBrokeService | msgbrksrv | CloudSOP |
| Digital certificate (two-way) | HTTPS | | None | HIROBERService | hirober | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | HomePageNoticeService | homepagenoticeservice | CloudSOP |
| Digital certificate (two-way) | HTTPS | | None | MQProxy | mqproxy | CloudSOP |
| User Name/Password | SSL/TLS | | Port between primary and secondary sites. | N/A | zengine | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | SDWANPerfService | SDWANPerfService | AC-Campus |
| Digital certificate (two-way) | None | | None | LiteCASignService | LiteCASignService | AC-Campus |
| Digital certificate (one-way) | SSL/TLS | | None | LiteCASignService | LiteCASignService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | LiteCASignService | LiteCASignService | AC-Campus |
| Digital certificate (two-way) | None | | None | ACANginxService | ACANginxService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | Port between primary and secondary sites | N/A | zengine | CloudSOP-UniEP |
| Token | SSL/TLS | | None | MinAPIGatewayService | minapigatewayservice | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | Port between primary and secondary sites | DRMgrService | drmgrservice | CloudSOP-UniEP |
| None | SSL/TLS | | None | APINotifyProxyService | apinotifyproxyservice | CloudSOP |
| Digital certificate (one-way) | SSL/TLS | | None | MinAPIGatewayService | minapigatewayservice | CloudSOP |
| User Name/Password | SSL/TLS | | None | MinAPIGatewayService | nats | CloudSOP |
| User Name/Password | SSL/TLS | NCEV1R18C10 and later | None | MinAPIGatewayService | nats | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | MCHIROIRService | mchiroir | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | HIROIRService | hiroir | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | NMQZookeeperService | NMQZookeeperService | AC-BP |
| Digital certificate (two-way) | HTTPS | | None | SecoManagerService | SecoManagerService | SecoManager |
| User Name/Password | SNMPV3 | | None | UniEPService | uniepservice | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | ServiceCenter | sc | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | Etcd | etcd | CloudSOP |
| Digital certificate (one-way) | SSL/TLS | NCEV1R18C10 and later | None | SMPMQService | SMPMQService | NCE-Common |
| Digital certificate (two-way) | SSL/TLS | | None | AuthService | AuthService | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | None | SSOWebSite | SSOWebSite | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | None | AuthWebSite | AuthWebSite | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | None | DomainService | DomainService | AC-BP |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | SMPAgentService | SMPAgentService | NCE-Common |
| Digital certificate (two-way) | SSL/TLS | | None | NetconfClientService | NetconfClientService | AC-BP |
| Digital certificate (two-way) | HTTPS | | None | CampusAccesscfgService | CampusAccesscfgService | AC-Campus |
| Digital certificate (two-way) | HTTPS | | None | CampusL3NetPrvnService | CampusL3NetPrvnService | AC-Campus |
| Digital certificate (two-way) | HTTPS | | None | CampusCfgCommonService | CampusCfgCommonService | AC-Campus |
| Digital certificate (two-way) | HTTPS | | None | RadiusServerService | RadiusServerService | AC-Campus |
| Digital certificate (two-way) | HTTPS | | None | SouthboundService | SouthboundService | AC-Campus |
| Digital certificate (two-way) | HTTPS | | None | CampusAccountService | CampusAccountService | AC-Campus |
| Digital certificate (two-way) | HTTPS | | None | SDWANVNService | SDWANVNService | AC-Campus |
| Digital certificate (two-way) | HTTPS | | None | CampusFabricService | CampusFabricService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | CampusBaseService | CampusBaseService | NCE-EeShare |
| Digital certificate (two-way) | SSL/TLS | | None | ACUpgradeService | ACUpgradeService | NCE-EeShare |
| Digital certificate (two-way) | SSL/TLS | | None | CampusOAMService | CampusOAMService | NCE-EeShare |
| Digital certificate (two-way) | SSL/TLS | | None | AlarmService | AlarmService | NCE-EeShare |
| Digital certificate (two-way) | SSL/TLS | | None | SSHServerService | SSHServerService | NCE-EeShare |
| Digital certificate (two-way) | SSL/TLS | | None | DataCollectorService | DataCollectorService | NCE-EeShare |
| Digital certificate (two-way) | SSL/TLS | | None | CampusPerfService | CampusPerfService | NCE-EeShare |
| Digital certificate (two-way) | SSL/TLS | | None | RouterService | RouterService | NCE-EeShare |
| Digital certificate (two-way) | HTTPS | | None | CampusCfgService | CampusCfgService | AC-Campus |
| User Name/Password | HTTPS | | None | HIROERService | hiroer | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | DBAgent | dbagentapp | CloudSOP-UniEP |
| Digital certificate (two-way) | HTTPS | | None | HIROIRService | hiroir | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | OMMHAService | ommha | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | OMMHAService | ommha | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | IP address for communication between the active and standby OMMHA nodes. Dual-heartbeat is configured by default. Small network for communication between bound nodes IP and NCE large network IP (depending on the service node, Binding a northbound or southbound IP) | OMMHAService | ommha | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | IP address for communication between the active and standby OMMHA nodes. Dual-heartbeat is configured by default. Small network for communication between bound nodes IP and NCE large network IP (depending on the service node, Binding a northbound or southbound IP) | OMMHAService | ommha | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | MCHIROIRService | mchiroir | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | DeployAgent | deployagent | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | | None | ZookeeperService | zookeeperapp | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | ZookeeperService | zookeeperapp | CloudSOP |
| Digital certificate (two-way) | SSL/TLS | | None | ZookeeperService | zookeeperapp | CloudSOP |
| User Name/Password; Digital certificate (two-way) | SSL/TLS | | Port between primary and secondary sites | N/A | zengine | CloudSOP-UniEP |
| User Name/Password | None | | None | N/A | redis-server | CloudSOP-UniEP |
| Digital certificate (two-way) | HTTPS | | None | EndpointProfileService | EndpointProfileService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | SDWANCfgService | SDWANCfgService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | SDWANOAMService | SDWANOAMService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | SDWANPerfService | SDWANPerfService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | NMQZookeeperService | NMQZookeeperService | AC-BP |
| Digital certificate (two-way) | SSL/TLS | | None | CampusAccountService | CampusAccountService | AC-Campus |
| Digital certificate (two-way) | SSH | | None | CampusOAMService | CampusOAMService | AC-Campus |
| None: standard protocol (application layer protocol) | None | | None | DHCP | dhcpd | CloudSOP-UniEP |
| None: standard protocol (application layer protocol) | None | | None | TFTP | tftpd | CloudSOP-UniEP |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | NginxService | ha | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | NginxService | ha | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | NginxService | ha | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | ACANginxService | ha | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | ACANginxService | ha | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | NCEV1R18C10 and later | None | DRService | DRService | AC-BP |
| Digital certificate (two-way) | HTTPS | | None | PortalServerService | PortalServerService | AC-Campus |
| Public key | SSH | NCEV1R18C10 and later | None | ACANginxService | rsyncd | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | DmqKafkaService | dmqkafkasvr | AC-BP |
| Digital certificate (two-way) | HTTPS | NCEV1R18C10 and later | None | DrProductService | DrProductService | AC-Campus |
| Token | SSL/TLS | | None | MinAPIGatewayService | minapigatewayservice | CloudSOP |
| Digital certificate (two-way) | None | | None | LiteCASignService | LiteCASignService | AC-Campus |
| Digital certificate (one-way) | SSL/TLS | | None | LiteCASignService | LiteCASignService | AC-Campus |
| Digital certificate (two-way) | SSL/TLS | | None | LiteCASignService | LiteCASignService | AC-Campus |
| User Name/Password | SSL/TLS | | None | MCHIROERService | mcer | CloudSOP-UniEP |
| User Name/Password | SNMPV3 | | None | UniEPService | uniepservice | CloudSOP-UniEP |
| Configuration File and Parameter | Remarks | Certificate Catalog | Bound IP Address Type |
| | None | | Private IP address |
| NTP is a standard protocol. It uses the HMAC-SHA256 or HMAC-MD5 algorithm for authentication to synchronize time of all other clients. The NTP server synchronizes the clock of the local system with a public NTP server and functions as the time host to provide services. In this way, all clients on the local network can synchronize the clock. Standard NTP service port 123 cannot be bound to fixed IP addresses. For security purposes, configure the /etc/ntp.conf file to restrict the IP addresses bound to the NTP service. x86 EulerOS supports only the HMAC-MD5 algorithm at most, which has security risks. ARM EulerOS supports the HMAC-SHA256 algorithm, which is secure. | None | | Private IP address |
| | None | | Private IP address |
| | None | /opt/gauss/ssl | Private IP address |
| | None | /opt/gauss/ssl | Private IP address |
| | None | /opt/gauss/ssl | Private IP address |
| | None | /opt/gauss/ssl | Private IP address |
| | None | /opt/gauss/ssl | Private IP address |
| | None | /opt/gauss/ssl | Private IP address |
| | None | /opt/gauss/ssl | Private IP address |

| | None | /opt/oss/envs/Product-MinigateService/{datetime}/init/cert/ | Private IP address |
| | None | /opt/oss/envs/Product-FIProxyService/{datetime}/tomcat/Fls_OpenAS_Tomcat7/conf/keystore.keystore; /opt/oss/envs/Product-FIProxyService/{datetime}/tomcat/Fls_OpenAS_Tomcat7/conf/truststore.keystore | Private IP address |
| | None | /opt/oss/envs/Product-NginxService/{datetime}/init/cert/local.crt; /opt/oss/envs/Product-NginxService/{datetime}/init/cert/local.key; /opt/oss/envs/Product-NginxService/{datetime}/init/cert/ca.crt; | Private IP address |
| | None | /opt/oss/envs/Product-ACANginxService/{datetime}//cert/ | Private IP address |
| | None | /opt/oss/envs/Product-ACANginxService/{datetime}//cert/ | Private IP address |

None None Private IP address

| | None | /opt/oss/envs/Product-SouthboundService/{datetime}/controller/configuration/ssl/akka_ssl/keystore.keystore; /opt/oss/envs/Product-SouthboundService/{datetime}/controller/configuration/ssl/akka_ssl/truststore.keystore; | Private IP address |
| | None | $NAAS_HOME/controller/configuration/ssl/akka_ssl | Private IP address |
| | None | ${APP_ROOT}/controller/configuration/ssl/jetty/ | Private IP address |
| processes/hofsnbservice-{0}-{0}/osd/port in {installation directory}/{tenant}/apps/HOFSNbService/etc/sysconf/HOFSNbService-{version}.json | None | /opt/oss/NCE/etc/ssl | Private IP address |
| | None | /opt/oss/NCECAMPUS/etc/ssl/internal/server.cer; /opt/oss/NCECAMPUS/etc/ssl/internal/server_key.pem; /opt/oss/NCECAMPUS/etc/ssl/internal/trust.cer; | Private IP address |
| None | None | /opt/oss/NCECOMMONE/etc/ssl/internal | Private IP address |
| | None | /opt/oss/NCECAMPUS/etc/ssl/internal/server.cer; /opt/oss/NCECAMPUS/etc/ssl/internal/server_key.pem; /opt/oss/NCECAMPUS/etc/ssl/internal/trust.cer; | Private IP address |
| /opt/oss/envs/Product-EtcdService/{time-shot}/conf/etcd_server.yaml/advertise-client-urls; /opt/oss/envs/Product-EtcdService/{time-shot}/conf/etcd_server.yaml/listen-client-urls | None | /opt/oss/envs/Product-EtcdService/{time-shot}/conf | Private IP address |
| | None | /opt/oss/manager/etc/ssl | Private IP address |
| | None | /opt/oss/manager/etc/ssl | Private IP address |
| /opt/oss/envs/Product-EtcdService/{time-shot}/conf/etcd_server.yaml/initial-advertise-peer-urls; /opt/oss/envs/Product-EtcdService/{time-shot}/conf/etcd_server.yaml/listen-peer-urls; /opt/oss/envs/Product-EtcdService/{time-shot}/conf/etcd_server.yaml/initial-cluster | None | /opt/oss/envs/Product-EtcdService/{time-shot}/conf | Private IP address |

/opt/oss/envs/Product-
PortalServerService/
{datetime}/controller/
configuration/ssl/
akka_ssl/
None keystore.keystore; Private IP address
/opt/oss/envs/Product-
PortalServerService/{d
atetime}/controller/conf
iguration/ssl/akka_ssl/
truststore.keystore;

/opt/oss/envs/Product-
CampusBaseService/
{datetime}/controller/
configuration/ssl/
akka_ssl/
None keystore.keystore; Private IP address
/opt/oss/envs/Product-
CampusBaseService/{d
atetime}/controller/conf
iguration/ssl/akka_ssl/
truststore.keystore;
/opt/oss/envs/Product-
CampusFabricService/
{datetime}/controller/
configuration/ssl/
akka_ssl/
None keystore.keystore; Private IP address
/opt/oss/envs/Product-
CampusBaseService/{d
atetime}/controller/conf
iguration/ssl/akka_ssl/
truststore.keystore;

/opt/oss/envs/Product-
CampusOAMService/
{datetime}/controller/
configuration/ssl/
akka_ssl/
None keystore.keystore; Private IP address
/opt/oss/envs/Product-
CampusBaseService/{d
atetime}/controller/conf
iguration/ssl/akka_ssl/
truststore.keystore;

/opt/oss/envs/Product-
CampusPerfService/
{datetime}/controller/
configuration/ssl/
akka_ssl/
None keystore.keystore; Private IP address
/opt/oss/envs/Product-
CampusBaseService/{d
atetime}/controller/conf
iguration/ssl/akka_ssl/
truststore.keystore;

IRListenPorts and exIRListenPorts in {installation directory}/manager/apps/DeployAgent-*/etc/install/default_value.json | None | /opt/oss/manager/etc/ssl | Private IP address
None | /opt/oss/envs/Product-SecoManagerService/{time-shot}/controller/configuration/ssl/akka_ssl | Private IP address
processes/mchiroir-{0}-{0}/ONEWAY_AUTH in {installation directory}/manager/apps/MCHIROIRService/etc/sysconf/MCHIROIRService-{version}.json Note: This parameter is unconfigurable. | None | /opt/oss/manager/etc/ssl | Private IP address
server.* in {root directory of the configuration file}/oss/product name/MCZKService/conf/zoo_v2.cfg parameters, ZookeeperService.PortList, and default in {installation directory}/manager/apps/MCZKService/pub/app_define.json | None | /opt/oss/manager/etc/ssl | Private IP address
server.* in {root directory of the configuration file}/oss/product name/MCZKService/conf/zoo_v2.cfg parameters, ZookeeperService.PortList, and default in {installation directory}/manager/apps/MCZKService/pub/app_define.json | None | /opt/oss/manager/etc/ssl/internal | Private IP address
secureClientPort in {root directory of the configuration file}/oss/product name/MCZKService/conf/zoo_v2.cfg parameters, ZookeeperService.PortList, and default in {installation directory}/manager/apps/MCZKService/pub/app_define.json | None | /opt/oss/manager/etc/ssl/internal | Private IP address
None | ${APP_ROOT}/controller/configuration/ssl/jetty/ | Private IP address
None | None | ${APP_ROOT}/controller/configuration/ssl/jetty/ | Private IP address
PaaS port | /opt/oss/NCE/etc/ssl | Private IP address
PaaS Port | /opt/oss/NCE/etc/ssl | Private IP address
listeners in {installation directory}/{tenant}/apps/MessagingBrokeService/kafka/kafka_version/config/server.properties | None | /opt/oss/NCE/etc/ssl | Private IP address

processes/hiroer-{0}-{0}/BER, BER2, BER_ACCESS, BER_ACCESS2 in {installation directory}/{tenant}/apps/HIROERService/etc/sysconf/HIROERService-version.json | The source and destination IP addresses are subject to the actual configuration of the replication network between the active and standby sites. | /opt/oss/NCE/etc/ssl | Private IP address
Configuration File: <Installation directory>/<Product Name>/apps/HomePageNoticeService/etc/sysconf/HomePageNoticeService-{version}.json Configuration Item: processes/homepagenoticeservice-{0}-{0}/local/port | None | /opt/oss/NCE/etc/ssl/internal/ | Private IP address
None | None | /opt/oss/NCE/etc/ssl | Private IP address
None | A relational database has a maximum of 20 database instances. Each instance is configured with an access port and a replication port. The microservice is MCDeployService (UniEPLiteService in the compact scenario). Connections to this port are not long connections, and this port is enabled only if connected. | /opt/oss/manager/etc/ssl | Private IP address; 127.0.0.1
/opt/oss/envs/Product-SDWANPerfService/{datetime}/controller/configuration/initial/akka.conf:port | None | /opt/oss/envs/Product-SDWANPerfService/{datetime}/controller/configuration/ssl/akka_ssl/keystore.keystore; /opt/oss/envs/Product-SDWANPerfService/{datetime}/controller/configuration/ssl/akka_ssl/truststore.keystore; | Private IP address

/opt/oss/NCECAMPUS/apps/LiteCASignService/conf/server.xml | None | Public IP address; Private IP address
/opt/oss/NCECAMPUS/apps/LiteCASignService/conf/server.xml | None | Database | Public IP address; Private IP address
/opt/oss/NCECAMPUS/apps/LiteCASignService/conf/server.xml | None | Database | Public IP address; Private IP address
/etc/aca_nginx/aca_nginx.conf | None | Private IP address
None | A relational database has a maximum of 20 database instances. Each instance is configured with an access port and a replication port. IP addresses of the active and standby DB nodes (including DB and Domain DB). The source and destination IP addresses are subject to the actual configuration of the replication network between the active and standby sites. | /opt/oss/manager/etc/ssl | Public IP address; Private IP address
None | /opt/oss/NCE/etc/ssl | Private IP address
None | /opt/oss/manager/etc/ssl | Private IP address
None | /opt/oss/NCE/etc/ssl | Private IP address
None | /opt/oss/NCE/etc/ssl | Private IP address
Open source third party software nats private agreement. | /opt/oss/NCE/etc/ssl | Private IP address
None | /opt/oss/NCE/etc/ssl | Private IP address
None | None | /opt/oss/manager/etc/ssl/internal/ | Private IP address
None | None | /opt/oss/NCE/etc/ssl/internal/ | Private IP address
None | None | /opt/oss/NCECOMMONE/etc/ssl/internal | Private IP address

add SecoManagerService port of karaf | None | /opt/oss/envs/Prouct-SecoManagerService/{datetime}/controller/configuration/ssl | Private IP address
Configuration item NBI_PORT in installation directory/manager/var/etc/engrnotifyservice/engrnotifyservice.cfg | The engrnotifyservice.cfg file is not available by default and needs to be customized. | Private IP address
httpport in <installation directory>/{tenant}/apps/ServiceCenter/conf/app.conf | None | /opt/oss/manager/etc/ssl | Private IP address
None | /opt/oss/manager/etc/ssl | Private IP address
None | /opt/oss/manager/etc/ssl/internal/ | Private IP address
None | /opt/oss/NCE/etc/ssl/internal/ | Private IP address
None | /opt/oss/NCE/etc/ssl/internal/ | Private IP address
None | /opt/oss/NCE/etc/ssl/internal/ | Private IP address
None | /opt/oss/NCE/etc/ssl/internal/ | Private IP address
None | /opt/oss/manager/etc/ssl/internal | Private IP address
None | None | /opt/oss/NCE/etc/ssl/internal/ | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address
None | None | /opt/oss/envs/Product-RadiusServerService/{datetime}/controller/configuration/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address

${APP_ROOT}/pub/app_define.json | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl | Private IP address
None | None | /opt/oss/NCECAMPUS/etc/ssl/internal | Private IP address
processes/hiroer-{0}-{0}/ER, ER2, ACCESS_EXTERNAL, ACCESS_EXTERNAL2 in {installation directory}/tenant/apps/HIROERService/etc/sysconf/HIROERService-version.json | None | /opt/oss/NCE/etc/ssl | Private IP address
REST_PORT in {installation directory}/manager/apps/DBAgent/envs/*.properties | None | /opt/oss/manager/etc/ssl | Private IP address
processes/hiroir-{0}-{0}/IR in {installation directory}/{tenant}/apps/HIROIRService/etc/sysconf/HIROIRService-{version}.json | None | /opt/oss/NCE/etc/ssl | Private IP address
None | /opt/oss/manager/etc/ssl | Private IP address
None | /opt/oss/manager/etc/ssl | Private IP address
None | /opt/oss/manager/etc/ssl | Private IP address; Public IP address
None | /opt/oss/manager/etc/ssl | Private IP address; Public IP address
processes/mchiroir-{0}-{0}/IR in {installation directory}/manager/apps/MCHIROIRService/etc/sysconf/MCHIROIRService-{version}.json Note: This parameter is unconfigurable. | None | /opt/oss/manager/etc/ssl | Private IP address
None | /opt/oss/manager/etc/ssl | 127.0.0.1; Private IP address
secureClientPort in {configuration file path}/oss/product name/ZookeeperService/conf/zoo_v2.cfg; "env":"stage":"config":"ZookeeperService.PortList" in {installation directory}/{product name}/apps/ZookeeperService/etc/sysconf/deployment_env.json; ZookeeperService.PortList in {installation directory}/{product name}/apps/ZookeeperService/envs/*.properties; "parameters":"ZookeeperService.PortList":"default" in {installation directory}/{product name}/apps/ZookeeperService/pub/app_define.json; "parameters":"ZookeeperService.PortList":"default" in {installation directory}/{product name}/etc/pub/ZookeeperService-*/pub/app_define.json | None | /opt/oss/manager/etc/ssl | Private IP address
server.* in {configuration file path}/oss/{product name}/ZookeeperService/conf/zoo_v2.cfg; "env":"stage":"config":"ZookeeperService.PortList" in {installation directory}/{product name}/apps/ZookeeperService/etc/sysconf/deployment_env.json; ZookeeperService.PortList in {installation directory}/{product name}/apps/ZookeeperService/envs/*.properties; "parameters":"ZookeeperService.PortList":"default" in {installation directory}/{product name}/apps/ZookeeperService/pub/app_define.json; "parameters":"ZookeeperService.PortList":"default" in {installation directory}/{product name}/etc/pub/ZookeeperService-*/pub/app_define.json | None | /opt/oss/manager/etc/ssl | Private IP address
server.* in {configuration file path}/oss/{product name}/ZookeeperService/conf/zoo_v2.cfg; "env":"stage":"config":"ZookeeperService.PortList" in {installation directory}/{product name}/apps/ZookeeperService/etc/sysconf/deployment_env.json; ZookeeperService.PortList in installation directory/product name/apps/ZookeeperService/envs/*.properties; "parameters":"ZookeeperService.PortList":"default" in {installation directory}/{product name}/apps/ZookeeperService/pub/app_define.json; "parameters":"ZookeeperService.PortList":"default" in {installation directory}/{product name}/etc/pub/ZookeeperService-*/pub/app_define.json | None | /opt/oss/manager/etc/ssl | Private IP address

None | A relational database has a maximum of 20 database instances. Each instance is configured with an access port and a replication port. | /opt/oss/manager/etc/ssl | Private IP address; 127.0.0.1
None | Private IP address
None | None | /opt/oss/envs/Prouct-EndpointProfileService/{datetime}/controller/configuration/ssl | Private IP address
${APP_ROOT}/pub/app_define.json | None | /opt/oss/NCECOMMONE/etc/ssl | Private IP address
${APP_ROOT}/pub/app_define.json | None | /opt/oss/NCECOMMONE/etc/ssl | Private IP address
None | None | /opt/oss/NCECOMMONE/etc/ssl | Private IP address
None | None | /opt/oss/NCECOMMONE/etc/ssl/internal | Private IP address
None | None | /opt/oss/envs/Product-FreeMobilityService/{datetime}/controller/configuration/ssl/iae_ssl | Private IP address
None | Private IP address
This port uses the DHCP protocol that complies with the RFC-2131 specifications. In earlier DHCP versions, in addition to fixed port 67, a UDP port is randomly enabled. The port number ranges from 4096 to 65535. The port is bound to 0.0.0.0 and is temporarily bound only when the DHCP service is enabled. After DHCP is upgraded to a version later than dhcp-4.3.3-10.11.1, no random port is enabled. | Private IP address
This port uses the TFTP protocol that complies with the RFC-1350 specifications. TFTP is insecure and is temporarily used to push the minimum OS package to the node to be restored and to transfer non-sensitive data. After security hardening of the firewall, only the node to be restored can access the restoration node. After the OS is restored, the TFTP service is immediately disabled. | Private IP address

None | /opt/oss/envs/Product-NginxService/{datetime}/ha/ha-aca_nginx/ha/local/cert | Private IP address
None | /opt/oss/envs/Product-NginxService/{datetime}/init/cert/ | Private IP address
None | /opt/oss/envs/Product-NginxService/{datetime}/init/cert/ | 127.0.0.1
None | /opt/oss/envs/Product-ACANginxService/{datetime}/ha/ha-aca_nginx/ha/local/cert | Private IP address
None | /opt/oss/envs/Product-ACANginxService/{datetime}/ha/ha-aca_nginx/ha/local/cert | Private IP address
None | /opt/oss/manager/etc/ssl/dr | Private IP address
None | /opt/oss/envs/Product-PortalServerService/{datetime}/controller/configuration/ssl/jetty/server.p12; /opt/oss/envs/Product-PortalServerService/{datetime}/controller/configuration/ssl/jetty/trust.jks | Private IP address
None | Private IP address
listeners in /opt/oss/NCECOMMONE/apps/DmqKafkaService/tools/kafka/config/server.properties | None | /opt/oss/NCECOMMONE/etc/ssl/internal | Private IP address
None | /opt/oss/NCECOMMONE/etc/ssl | Private IP address
None | /opt/oss/NCE/etc/ssl | Private IP address
/opt/oss/NCECAMPUS/apps/LiteCASignService/conf/server.xml | None | Public IP address; Private IP address
/opt/oss/NCECAMPUS/apps/LiteCASignService/conf/server.xml | None | Database | Public IP address; Private IP address
/opt/oss/NCECAMPUS/apps/LiteCASignService/conf/server.xml | None | Database | Public IP address; Private IP address
processes/mchiroer-{0}-{0}/ER in {installation directory}/manager/apps/MCHIROERService/etc/sysconf/MCHIROERService-{version}.json Note: This parameter is unconfigurable. | None | /opt/oss/manager/etc/ssl | Public IP address
This file is not available by default. If the user needs to customize it, a new file needs to be created. | Private IP address; Hardware IP
Enabling Method | Disabling Method | Port Can Be Disabled | Port Is Disabled by Default | Type Office TDT

Start the SouthBoundNodeService process. The port is enabled automatically and remains open. | End the SouthBoundNodeService process. The port is disabled automatically. | No | No | Foreign show
Start the NTP service, the port automatically open, and will always exist. | Stop NTP service, the port automatically shut down. | Yes | No | Foreign show
Start the SouthBoundNodeService process. The port is enabled automatically and remains open. | End the SouthBoundNodeService process. The port is disabled automatically. | No | No | Foreign show
The port is enabled when the devicedb service instance starts. | The port is automatically disabled if the devicedb service instance in the Gaussdb process is stopped. | Yes | Yes | Foreign show
The port is enabled when the commondb service instance starts. | The port is automatically disabled if the commondb service instance in the Gaussdb process is stopped. | Yes | Yes | Foreign show
The port is enabled when the localdb service instance starts. | The port is automatically disabled if the localdb service instance in the Gaussdb process is stopped. | Yes | Yes | Foreign show
The port is enabled when the fmlogdb service instance starts. | The port is automatically disabled if the fmlogdb service instance in the Gaussdb process is stopped. | Yes | Yes | Foreign show
The port is enabled when the fcapsdb service instance starts. | The port is automatically disabled if the fcapsdb service instance in the Gaussdb process is stopped. | Yes | Yes | Foreign show
The port is enabled when the secmdb service instance starts. | The port is automatically disabled if the secmdb service instance in the Gaussdb process is stopped. | Yes | Yes | Foreign show
The port is enabled when the omdb service instance starts. | The port is automatically disabled if the omdb service instance in the Gaussdb process is stopped. | Yes | Yes | Foreign show

Start the miniGate process. The port is enabled automatically and remains open. | End the miniGate process. The port is disabled automatically. | No | No | Foreign show
Start the FIProxyService process. The port is enabled automatically and remains open. | End the FIProxyService process. The port is disabled automatically. | No | No | Foreign show
Start the nginx process. The port is enabled automatically and remains open. | End the nginx process. The port is disabled automatically. | No | No | Foreign show
Start the aca_nginx process. The port is enabled automatically and remains open. | End the aca_nginx process. The port is disabled automatically. | No | No | Foreign show
Start the aca_nginx process. The port is enabled automatically and remains open. | End the aca_nginx process. The port is disabled automatically. | No | No | Foreign show
Start the ACANginxService process. The port is enabled automatically and remains open. | End the ACANginxService process. The port is disabled automatically. | No | No | Foreign show
Start the SouthboundService process. The port is enabled automatically and remains open. | End the SouthboundService process. The port is disabled automatically. | No | No | Foreign show
Start the karaf process. The port is enabled automatically and remains open. | End the karaf process. The port is disabled automatically. | No | No | Foreign show
Start the DTP process, the port is automatically opened and will always exist. | Stop the DTP process, the port is automatically closed. | No | No | Foreign show
Start the hofsnbservice process. The port is enabled automatically and remains open. | End the hofsnbservice process. The port is disabled automatically. | No | No | Foreign show
Start the nginx process. The port is enabled automatically and remains open. | End the nginx process. The port is disabled automatically. | No | No | Foreign show

Start the NMQZookeeperService process. The port is enabled automatically and remains open. | End the NMQZookeeperService process. The port is disabled automatically. | No | Yes | Foreign show
Start the oss_nginx process. The port is enabled automatically and remains open. | End the oss_nginx process. The port is disabled automatically. | No | No | Foreign show
Start the etcd-service process. The port is enabled automatically and remains open. | End the etcd-service process. The port is disabled automatically. | No | No | Foreign show
The cse-etcd process is started and the port is automatically opened and will always exist. | The cse-etcd process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The etcd process is started and the port is automatically opened and will always exist. | The etcd process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start the etcd-service process. The port is enabled automatically and remains open. | End the etcd-service process. The port is disabled automatically. | No | No | Foreign show
Start the PortalServerService process. The port is enabled automatically and remains open. | End the PortalServerService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusBaseService process. The port is enabled automatically and remains open. | End the CampusBaseService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusFabricService process. The port is enabled automatically and remains open. | End the CampusFabricService process. The port is disabled automatically. | No | No | Foreign show

Start the CampusOAMService process. The port is enabled automatically and remains open. | End the CampusOAMService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusPerfService process. The port is enabled automatically and remains open. | End the CampusPerfService process. The port is disabled automatically. | No | No | Foreign show
Start the microservice. The port is enabled automatically and remains open. | End the microservice. The port is disabled automatically. | Yes | No | Foreign show
Start the SecoManagerService process. The port is enabled automatically and remains open. | End the SecoManagerService process. The port is disabled automatically. | No | No | Foreign show
The mchiroir process is started and the port is automatically opened and will always exist. | The mchiroir process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The mczkapp process is started and the port is automatically opened and will always exist. | The mczkapp process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start mczkapp process. The port is enabled automatically open. | End the mczkapp process. The port is disabled automatically. | Yes | No | Foreign show
Start mczkapp process. The port is enabled automatically open. | End the mczkapp process. The port is disabled automatically. | Yes | No | Foreign show
Start the OMPubService karaf process. The port is enabled automatically and remains open. | Stop the OMPubService karaf process. The port is disabled automatically. | Yes | No | Foreign show
Start the NorthboundCommunicationService karaf process. The port is enabled automatically and remains open. | Stop the NorthboundCommunicationService karaf process. The port is disabled automatically. | Yes | No | Foreign show

Start MessagingLBService, the port will open. | Disable MessagingLBService, the port will close. | No | No | Foreign show
Start MessagingService, the port will open. | Disable MessagingService, the port will close. | No | No | Foreign show
Start the MessagingBrokeService process. The port is enabled automatically and remains open. | End the MessagingBrokeService process. The port is automatically disabled. | No | No | Foreign show
Start the hirober process. The port is enabled automatically and remains open. | End the hirober process. The port is disabled automatically. | No | No | Foreign show
Start the homepagenoticeservice process. The port is enabled automatically and remains open. | End the homepagenoticeservice process. The port is disabled automatically. | Yes | No | Foreign show
Start the basicwebsite process. The port is enabled automatically and remains open. | End the basicwebsite process. The port is disabled automatically. | No | No | Foreign show
Start the zengine database process, the port is automatically opened and will always exist. | Stop the zengine database process and the port is automatically closed. | Yes | No | Foreign show
Start the SDWANPerfService process. The port is enabled automatically and remains open. | End the SDWANPerfService process. The port is disabled automatically. | No | No | Foreign show
Start the LiteCASignService process. The port is enabled automatically and remains open. | End the LiteCASignService process. The port is disabled automatically. | No | No | Foreign show
Log in to the system as the admin user, upload the identity certificate and trust certificate on the CA Service/CMP/TLS Configuration page, and restart the LiteCASignService process. The port is enabled and always exists. | Log in to the system as the admin user. On the CA Service/CMP/TLS Configuration page, delete the identity certificate and trust certificate, and restart the LiteCASignService process. The port is disabled. Or End the LiteCASignService process. The port is disabled automatically. | Yes | Yes | Foreign show
Log in as the admin user, delete the identity certificate and trust certificate on the CA Service/CMP/TLS Configuration page, and restart the LiteCASignService process. The port is enabled and always exists. | Log in to the system as the admin user. On the CA Service/CMP/TLS Configuration page, delete the identity certificate and trust certificate, and restart the LiteCASignService process. The port is disabled. Or end the LiteCASignService process. The port is disabled automatically. | Yes | Yes | Foreign show
Start the ACANginxService process. The port is enabled automatically and remains open. | End the ACANginxService process. The port is disabled automatically. | No | No | Foreign show
Start the zengine database process, the port is automatically opened and will always exist. | Stop the zengine database process and the port is automatically closed. | Yes | No | Foreign show
The minapigatewayservice process is started and the port is automatically opened and will always exist. | The minapigatewayservice process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The drmgrservice process is started and the port is automatically opened and will always exist. | The drmgrservice process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The apinotifyproxyservice process is started and the port is automatically opened and will always exist. | The apinotifyproxyservice process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The minapigatewayservice process is started and the port is automatically opened and will always exist. | The minapigatewayservice process is stopped and the port is automatically shut down. | Yes | No | Foreign show

The nats process is started and the port is automatically opened and will always exist. | The nats process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The nats process is started and the port is automatically opened and will always exist. | The nats process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start the mchiroir process. The port is enabled automatically and remains open. | End the mchiroir process. The port is disabled automatically. | Yes | No | Foreign show
Start the hiroir process. The port is enabled automatically and remains open. | End the hiroir process. The port is disabled automatically. | Yes | No | Foreign show
Start the NMQZookeeperService process. The port is enabled automatically and remains open. | End the NMQZookeeperService process. The port is disabled automatically. | No | Yes | Foreign show
Start the SecoManagerService process. The port is enabled automatically and remains open. | End the SecoManagerService process. The port is disabled automatically. | No | No | Foreign show
The uniepservice process is started and the port is automatically opened and will always exist. | The uniepservice process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start the sc process. The port is enabled automatically and remains open. | End the sc process. The port is disabled automatically. | Yes | No | Foreign show
The etcd process is started and the port is automatically opened and will always exist. | The etcd process is stopped and the port is automatically shut down. | Yes | No | Foreign show

Start the SMPMQService process. The port is enabled automatically and remains open. | Stop the SMPMQService process. The port is disabled automatically. | No | No | Foreign show
Start the AuthService process. The port is enabled automatically and remains open. | End the AuthService process. The port is disabled automatically. | No | No | Foreign show
Start the SSOWebSite process. The port is enabled automatically and remains open. | End the SSOWebSite process. The port is disabled automatically. | No | No | Foreign show
Start the AuthWebSite process. The port is enabled automatically and remains open. | End the AuthWebSite process. The port is disabled automatically. | No | No | Foreign show
Start the DomainService process. The port is enabled automatically and remains open. | End the DomainService process. The port is disabled automatically. | No | No | Foreign show
Start SMPAgentService process, the port is enabled automatically and remains open. | Stop the SMPAgentService process. The port is disabled automatically. | No | No | Foreign show
Start the NetconfClientService process. The port is enabled automatically and remains open. | End the NetconfClientService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusAccesscfgService process. The port is enabled automatically and remains open. | End the CampusAccesscfgService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusL3NetPrvnService process. The port is enabled automatically and remains open. | End the CampusL3NetPrvnService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusCfgCommonService process. The port is enabled automatically and remains open. | End the CampusCfgCommonService process. The port is disabled automatically. | No | No | Foreign show

Start the RadiusServerService process. The port is enabled automatically and remains open. | End the RadiusServerService process. The port is disabled automatically. | No | No | Foreign show
Start the SouthboundService process. The port is enabled automatically and remains open. | End the CampusAccesscfgService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusAccountService process. The port is enabled automatically and remains open. | End the CampusAccountService process. The port is disabled automatically. | No | No | Foreign show
Start the SDWANVNService process. The port is enabled automatically and remains open. | End the SDWANVNService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusFabricService process. The port is enabled automatically and remains open. | End the CampusFabricService process. The port is disabled automatically. | No | No | Foreign show
Start the CampusBaseService process. The port is enabled automatically and remains open. | End the CampusBaseService process. The port is automatically disabled. | No | No | Foreign show
Start the ACUpgradeService process. The port is enabled automatically and remains open. | End the ACUpgradeService process. The port is automatically disabled. | No | No | Foreign show
Start the CampusOAMService process. The port is enabled automatically and remains open. | End the CampusOAMService process. The port is automatically disabled. | No | No | Foreign show
Start the AlarmService process. The port is enabled automatically and remains open. | End the AlarmService process. The port is automatically disabled. | No | No | Foreign show
Start the SSHServerService process. The port is enabled automatically and remains open. | End the SSHServerService process. The port is automatically disabled. | No | No | Foreign show
Start the DataCollectorService process. The port is enabled automatically and remains open. | End the DataCollectorService process. The port is automatically disabled. | No | No | Foreign show
Start the CampusPerfService process. The port is enabled automatically and remains open. | End the CampusPerfService process. The port is automatically disabled. | No | No | Foreign show
Start the RouterService process. The port is enabled automatically and remains open. | End the RouterService process. The port is automatically disabled. | No | No | Foreign show
Start the CampusCfgService process. The port is enabled automatically and remains open. | End the CampusCfgService process. The port is disabled automatically. | No | No | Foreign show
Start HIROERService, the Port will open. | Disable HIROERService, the Port will close. | No | No | Foreign show
The dbagentapp process is started and the port is automatically opened and will always exist. | The dbagentapp process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Open with NCE system startup. | Close when NCE system shutdown. | No | No | Foreign show
The ommha process is started and the port is automatically opened and will always exist. | The ommha process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The ommha process is started and the port is automatically opened and will always exist. | The ommha process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The ommha process is started and the port is automatically opened and will always exist. | The ommha process is stopped and the port is automatically shut down. | Yes | No | Foreign show
The ommha process is started and the port is automatically opened and will always exist. | The ommha process is stopped and the port is automatically shut down. | Yes | No | Foreign show

The mchiroir process


The mchiroir process
is started and the port
is stopped and the Foreign
is automatically Yes No
port is automatically show
opened and will
shut down.
always exist.

The deployagent
The deployagent
process is started and
process is stopped and
the port is Foreign
the port is Yes No
automatically opened show
automatically shut
and will always
down.
exist.
The zookeeperapp
The zookeeperapp
process is started and
process is stopped and
the port is Foreign
the port is Yes No
automatically opened show
automatically shut
and will always
down.
exist.

Start the
zookeeperapp End the zookeeperapp
process. The port is process. The port is Foreign
Yes No
enabled automatically show
automatically and disabled.
remains open.
The zookeeperapp
The zookeeperapp
process is started and
process is stopped and
the port is Foreign
the port is No No
automatically opened show
automatically shut
and will always
down.
exist.

Start the zengine


Stop the zengine
database process, the
database process and Foreign
port is automatically Yes No
the port is show
opened and will
automatically closed.
always exist.

The redis-server
The redis-server
process is started and
process is stopped and
the port is Foreign
the port is Yes No
automatically opened show
automatically shut
and will always
down.
exist.

Start the
End the
EndpointProfileServi
EndpointProfileServic
ce process. The port Foreign
e process. The port is No No
is enabled show
disabled
automatically and
automatically.
remains open.

Start the
End the
SDWANCfgService
SDWANCfgService
process. The port is Foreign
process. The port is No No
enabled show
automatically
automatically and
disabled.
remains open.
Start the
End the
SDWANOAMServic
SDWANOAMService
e process. The port is Foreign
process. The port is No No
enabled show
automatically
automatically and
disabled.
remains open.

Start the
End the
SDWANPerfService
SDWANPerfService
process. The port is Foreign
process. The port is No No
enabled show
automatically
automatically and
disabled.
remains open.

Start the
End the
NMQZookeeperServ
NMQZookeeperServi
ice process. The port Foreign
ce process. The port is No Yes
is enabled show
disabled
automatically and
automatically.
remains open.

Start the
End the
CampusAccountServ
CampusAccountServi
ice process. The port Foreign
ce process. The port No No
is enabled show
is disabled
automatically and
automatically.
remains open.

After the device is


Disconnect the
reversely connected Foreign
reverse connection of Yes Yes
to the AC, the port is show
the device.
enabled.
The dhcpd process is
The dhcpd process is
started and the port is
stopped and the port Foreign
automatically opened Yes Yes
is automatically shut show
and will always
down.
exist.

The tftpd process is


The tftpd process is
started and the port is
stopped and the port Foreign
automatically opened Yes Yes
is automatically shut show
and will always
down.
exist.

Start the ha process.


End the ha process.
The port is enabled Foreign
The port is disabled No No
automatically and show
automatically.
remains open.

Start the ha process.


End the ha process.
The port is enabled Foreign
The port is disabled No No
automatically and show
automatically.
remains open.
Start the ha process.
End the ha process.
The port is enabled Foreign
The port is disabled No No
automatically and show
automatically.
remains open.

Start the ha process.


End the ha process.
The port is enabled Foreign
The port is disabled No No
automatically and show
automatically.
remains open.

Start the ha process.


End the ha process.
The port is enabled Foreign
The port is disabled No No
automatically and show
automatically.
remains open.

Start the
End the
DRServiceprocess.
DRServiceprocess. Foreign
The port is enabled No No
The port is disabled show
automatically and
automatically.
remains open.

Start the
End the
PortalServerService
PortalServerService
process. The port is Foreign
process. The port is No No
enabled show
disabled
automatically and
automatically.
remains open.

Open automatically It is automatically


when building a closed when the Foreign
Yes Yes
disaster tolerance disaster recovery show
relationship. relationship is deleted.
Start the
dmqkafkasvr End the dmqkafkasvr
process. The port is process. The port is Foreign
No No
enabled disabled show
automatically and automatically.
remains open.

Start the
End the
DrProductService
DrProductService
process. The port is Foreign
process. The port is No No
enabled show
disabled
automatically and
automatically.
remains open.

The
The
minapigatewayservic
minapigatewayservice
e process is started
process is stopped and Foreign
and the port is Yes No
the port is show
automatically opened
automatically shut
and will always
down.
exist.

Start the
End the
LiteCASignService
LiteCASignService
process. The port is
process. The port is Foreign
enabled No No
disabled show
automatically and
automatically.
remains open.
Log in to the system
as the admin user. On
Log in to the system the CA
as the admin user, Service/CMP/TLS
upload the identity Configuration page,
certificate and trust delete the identity
certificate on the CA certificate and trust
Service/CMP/TLS certificate, and restart
Foreign
Configuration page, the Yes Yes
show
and restart the LiteCASignService
LiteCASignService process. The port is
process. The port is disabled. Or End the
enabled and always LiteCASignService
exists. process. The port is
disabled
automatically.

Log in to the system


as the admin user. On
Log in as the admin the CA
user, delete the Service/CMP/TLS
identity certificate Configuration page,
and trust certificate delete the identity
on the CA certificate and trust
Service/CMP/TLS certificate, and restart Foreign
Yes Yes
Configuration page, the show
and restart the LiteCASignService
LiteCASignService process. The port is
process. The port is disabled. Or end the
enabled and always LiteCASignService
exists. process. The port is
disabled
automatically.

The mcer process is


The mcer process is
started and the port is
stopped and the port Foreign
automatically opened Yes No
is automatically shut show
and will always
down.
exist.
The uniepservice
The uniepservice
process is started and
process is stopped and
the port is Foreign
the port is Yes No
automatically opened show
automatically shut
and will always
down.
exist.
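Feature Name | Subsystem | Remark 1 (authentication standards for ports that do not support authentication)
gauss | Hangzhou subsystem | None
gaussdb | Hangzhou subsystem |
gaussdb | Hangzhou subsystem | None
gaussdb | Hangzhou subsystem | None
gaussdb | Hangzhou subsystem | None
gaussdb | Hangzhou subsystem | None
gaussdb | Hangzhou subsystem | None
Netconf | Suzhou subsystem | None
DTPService | NCE Common unified southbound service | None
NMQZookeeperService | Middleware service | None
Etcd | Hangzhou subsystem | None
Etcd | Hangzhou subsystem | None
OMPubService microservice | Hangzhou subsystem | None
NorthboundCommunicationService microservice | Hangzhou subsystem | None
NMQZookeeperService | NCE Common middleware service |
Tenant management | NCE-Common protocol framework PD | None
Tenant management | NCE-Common protocol framework PD | None
Tenant management | NCE-Common protocol framework PD | None
Tenant management | NCE-Common protocol framework PD | None
Southbound protocol | NCE-E shared service domain | None
NMQZookeeperService | NCE Common middleware service |
Disaster recovery service | Protocol framework service | None
DmqKafkaService | NCE-COMMON middleware service | None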
Remark 2 (encryption standards for ports that do not support encryption)




None
None








770259839.xlsx Document security level

Source Device | Source IP Address | Source Port | Address Mapping Scenario | Destination IP Address (Before Mapping) | Destination Port (Before Mapping)
EasySuite | EasySuiteIP | Any port | - | - | -
EasySuite | EasySuiteIP | Any port | - | - | -

07/05/2024 Huawei confidential information. Unauthorized distribution is prohibited. Page 312 of 898



Destination Device | Destination IP Address | Destination Port | Protocol | Port Description | Listening Port Configurable (Y/N)
EasySuite | EasySuiteIP | 19090 | TCP | Windows: EasySuite binds the local IP address. Only localhost can be used to access 19090. Linux: EasySuite allows remote access. The IP address bound to port 19090 is the IP address of the node where EasySuite is located. | Yes
Hardware Server | Hardware Server IP address | 623 | UDP | The EasySuite uses IPMI to log in to the hardware server for deployment. | No


Authentication Mode | Encryption Mode | Version | Special Scenario | Service | Process | Component
User Name/Password | HTTPS |  | None | EasySuite | EasySuite | NCE-Engineer
User Name/Password | None |  | None | EasySuite | IPMI | NCE-Engineer


Configuration File and Parameter | Remarks | Certificate Catalog | Bound IP Address Type
windows: easysuite\easysuite\runsslserver.bat set HOST=127.0.0.1 set PORT=19090 linux: easysuite\start.sh | None | \easysuite\certs | 127.0.0.1; Public IP address
None | None | Public IP address


Enabling Method | Disabling Method | Port Can Be Disabled | Port Is Disabled by Default | Type Office
Start the EasySuite process. The port is enabled automatically and remains open. | End the EasySuite process. The port is disabled automatically. | Yes | Yes | Foreign show
Enable the IPMI LAN service when the hardware server starts. The port automatically starts. | Disable the IPMI LAN service. | Yes | No | Foreign show


TDT | Feature Name | Subsystem | Remark 1 (authentication standards for ports that do not support authentication)


Remark 2 (encryption standards for ports that do not support encryption)


Source Device | Source IP Address | Source Port | Address Mapping Scenario | Destination IP Address (Before Mapping) | Destination Port (Before Mapping)
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -


Third-party server | Third-party server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -


Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -


Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | 3800 | No | - | -
Controller server | Controller server IP address | 3801 | No | - | -
Controller server | Controller server IP address | Any port | No | - | -


Controller server | Controller server IP address | 1161 | - | - | -
Controller server | Controller server IP address | Any port | No | - | -
Controller server | Controller server IP address | Any port | No | - | -
Third-party server | Third-party server IP address | Any port | - | - | -
Third-party server | Third-party server IP address | Any port | - | -
OSS | OSS IP address | Any port | - | - | -


Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | Any port | - | - | -
Controller server | Controller server IP address | 6666 | - | - | -
Controller server | Controller server IP address | Any port | - | - | -


NTP server | NTP server IP address | Any port | - | - | -


Destination Device | Destination IP Address | Destination Port | Protocol | Port Description | Listening Port Configurable (Y/N)
NTP server | NTP server IP address | 123 | UDP | This port is the default NTP listening port and is used to ensure time consistency among all agent nodes. | No
Third-party server | Third-party server IP address | 2379 | TCP | Port used by the arbitration-etcd process. DRService connects to this port to obtain the arbitration status. | No
DNS server | DNS server IP address | 53 | UDP | APINotifyProxyService internal ATS component DNS. | No


Controller server | Controller server IP address | 9095 | TCP | The port used by the NMQKafkaService process to provide a northbound distributed message bus service. Service scenario: 1. The third-party server is a Kafka client, and performs business interaction with the north-facing Kafka server inside the NCE. 2. The NCE internal north-facing Kafka client performs business interaction with the north Kafka server. (The source device is the NCE internal northward Kafka client). | No
ActiveDirectory authentication server | ActiveDirectory authentication server IP address | Specified port on the server | TCP | NCE acts as a client and does not involve listening. The port provided by the third-party AD server for AD authentication. The default port is 389. | Yes
ActiveDirectory authentication server | ActiveDirectory authentication server IP address | Specified port on the server | TCP | NCE acts as a client and does not involve listening. The port provided by the third-party AD server for AD authentication. The default port is 636. | Yes
RADIUS authentication server | RADIUS authentication server IP address | Specified port on the server | UDP | NCE acts as a client and does not involve listening. The port provided by the third-party Radius server for Radius authentication. The default port is 1812. | Yes
Third-party server | Third-party server IP address | Specified port on the server | TCP | The NCE server interconnects with the OSCP server and provides terminal user authentication functions. | Not Concerning
Third-party server | Third-party server IP address | Specified port on the server | TCP | The NCE server interconnects with the third-party database server and provides terminal user authentication functions. | Not Concerning


ActiveDirectory authentication server | ActiveDirectory authentication server IP address | Specified port on the server | TCP | The NCE server interconnects with the AD server and provides terminal user authentication and data synchronization functions. | Not Concerning
Third-party server | Third-party server IP address | Specified port on the server | UDP | The source port is disabled by default and is enabled for RMService to communicate with a third-party system. The source port is opened for RMService (whose process is rmservice). RMService provides resource management and NE access management. | Yes
Third-party server | Third-party server IP address | Specified port on the server | TCP | The NCE server interconnects with the SCEP server terminal user authentication functions. | Not Concerning
Third-party server | Third-party server IP address | Specified port on the server | TCP | The NCE server interconnects with the adfsserver and provides terminal user authentication functions. | Not Concerning
Third-party server | Third-party server IP address | Specified port on the server | TCP | NCE functions as the client to proactively report REST messages to the third-party system. The destination port is specified in the REST northbound request of NCE. | Not Concerning
Third-party server | Third-party server IP address | Specified port on the server | TCP | The NCE service acts as a client and connects to the registration query center. | No
Email server | Email server IP address | Specified port on the server | TCP | The NCE server is connected to the mail server and provides the function of sending mail. | Not Concerning


SMS server | SMS server IP address | Specified port on the server | TCP | The NCE server is connected to the SMS server and provides SMS sending function. | No
Third-party server | Third-party server IP address | Specified port on the server | UDP | Port for authentication and accounting of RADIUS clients, and the NCE server acts as a client. | No
Third-party server | Third-party server IP address | Specified port on the server | UDP | Port for authentication and accounting of RADIUS clients, and the NCE server acts as a client. | No
Third-party server | Third-party server IP address | Specified port on the server | TCP | Port for reporting non-operating authentication logs, and the NCE server acts as a client. | Yes


SNMP server | SNMP server IP address | Specified port on the server | UDP | The port is opened for the snmp agent service, whose process name is NorthboundCommunicationService. The service supports reporting traps and the data source that third-party devices are interested in, so that a third-party device can receive traps or acquire the data it wants. | No
Third-party server | Third-party server IP address | Specified port on the server | TCP | The NCE server interconnects with the LDAP server and provides terminal user authentication. | Not Concerning
LDAP authentication server | LDAP authentication server IP address | Specified port on the server | TCP | The NCE server interconnects with the LDAP server and provides terminal user authentication and data synchronization functions. | Not Concerning
Controller server | Controller server IP address | 18002 | TCP | Port used for the third-party system to connect to the northbound load balance service. The northbound load balance service forwards the HTTPS request to the API Management service after it receives the HTTPS request from the third-party application. | Yes
Controller server | Controller server IP address | 18010 | TCP | This port is the listening port for the Websocket channel and is used to report alarm data required by the OSS. | No
Controller server | Controller server IP address | 9812 | UDP | Port used by the northbound SNMP interface to receive GET and SET request data from the OSS. | No


Third-party server | Third-party server IP address | Specified port on the server | TCP | This port is used to report syslogs to the OSS. The port number is user-defined. | Not Concerning
Third-party server | Third-party server IP address | Specified port on the server | TCP | This port is used to report alarms and performance data to the OSS. The port number is user-defined. | Not Concerning
Third-party server | Third-party server IP address | Specified port on the server | TCP | This port is used to upload files to the OSS. The port number is user-defined. | Not Concerning
OSS | OSS IP address | Specified port on the server | UDP | Port used by the CloudSOP server to report alarm data to the NMS over SNMP. | No
Third-party server | Third-party server IP address | Specified port on the server | UDP | This port is used to report syslogs to the OSS. The port number is user-defined. | Not Concerning


Controller server | Controller server IP address | 123 | UDP | This port is the default NTP listening port and is used to ensure time consistency among all agent nodes. | No


Authentication Mode | Encryption Mode | Version | Special Scenario | Service | Process | Component
HMAC-SHA256 | None |  | Used in a distributed scenario, where ntp is used as a client usage scenario. | NTP | ntpd | CloudSOP-UniEP
Digital certificate (two-way) | SSL/TLS |  | None | DRService | arbitration-etcd | NCE-Common
None | None |  | The destination port is on a third-party server. Pay attention to this port only when outbound rules must be configured on the firewall. | APINotifyProxyService | apinotifyproxyservice | CloudSOP


Digital certificate (two-way) | SSL/TLS |  | None | NMQKafkaService | NMQKafkaService | AC-BP
User Name/Password | None |  | None | AuthService | AuthService | AC-BP
User Name/Password | SSL/TLS |  | None | AuthService | AuthService | AC-BP
Preshared key | None | NCEV1R18C10 and later | None | AuthService | AuthService | AC-BP
User Name/Password | None |  | None | CampusAccountService | CampusAccountService | AC-Campus
User Name/Password | SSL/TLS |  | None | CampusAccountService | CampusAccountService | AC-Campus


User Name/Password | SSL/TLS |  | None | CampusAccountService | CampusAccountService | AC-Campus
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V2c: none; SNMPV3: encryption |  | The destination port is on a third-party server. Pay attention to this port only when outbound rules must be configured on the firewall. No default value is provided on the NCE GUI. | RMService | rmservice | CloudSOP
User Name/Password | HTTPS |  | None | CampusAccountService | CampusAccountService | AC-Campus
Public key; User Name/Password | SSL/TLS |  | None | CampusAccountService | CampusAccountService | AC-Campus
Digital certificate (one-way) | SSL/TLS |  | The destination port is on a third-party server. Pay attention to this port only when outbound rules must be configured on the firewall. | APINotifyProxyService | apinotifyproxyservice | CloudSOP
Digital certificate (one-way); User Name/Password | HTTPS |  | None | CampusBaseService | CampusBaseService | AC-Campus
User Name/Password | SSL/TLS |  | None | CampusBaseService | CampusBaseService | AC-Campus


User Name/Password | HTTPS |  | None | CampusBaseService | CampusBaseService | AC-Campus
User Name/Password | None |  | None | PortalServerService | PortalServerService | AC-Campus
User Name/Password | None |  | None | PortalServerService | PortalServerService | AC-Campus
User Name/Password | HTTPS |  | None | PortalServerService | PortalServerService | AC-Campus


SNMPv2c: Community name, SNMPv3 | SNMPV3 |  | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP
User Name/Password | HTTPS |  | None | CampusAccountService | CampusAccountService | AC-Campus
User Name/Password | SSL/TLS |  | None | CampusAccountService | CampusAccountService | AC-Campus
Token | SSL/TLS | NCEV1R18C10 and later | None | APIMLBService | APIMLBService | AC-BP
Digital certificate (two-way) | SSL/TLS |  | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V2c: none; SNMPV3: encryption |  | None | SnmpAgentService | snmpagentservice | CloudSOP


Digital certificate (two-way) | SSL/TLS |  | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP
Digital certificate (two-way) | SSL/TLS |  | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP
User Name/Password | SSH |  | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP
SNMPv1/SNMPv2c: Community name, SNMPv3 | SNMPV1/V2c: none; SNMPV3: encryption |  | None | SnmpAgentService | snmpagentservice | CloudSOP
None | None |  | None | NorthboundCommunicationService | NorthboundCommunicationService | AC-BP


HMAC-SHA256 | None |  | Used in a distributed scenario, this describes the usage scenario of ntp as a server. | NTP | ntpd | CloudSOP-UniEP


Configuration File and Parameter | Remarks | Certificate Catalog | Bound IP Address Type
NTP is a standard protocol. It uses the HMAC-SHA256 or HMAC-MD5 algorithm for authentication to synchronize time of all other clients. The NTP server synchronizes the clock of the local system with a public NTP server and functions as the time host to provide services. In this way, all clients on the local network can synchronize the clock. Standard NTP service port 123 cannot be bound to fixed IP addresses. For security purposes, configure the /etc/ntp.conf file to restrict the IP addresses bound to the NTP service. x86 EulerOS supports only the HMAC-MD5 algorithm at most, which has security risks. ARM EulerOS supports the HMAC-SHA256 algorithm, which is secure. | Public IP address
None | None | /opt/arbitration-etcd/keystore | Public IP address
None | This port is only enabled if a DNS server is configured in /etc/resolv.conf. | Public IP address


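None | None | /opt/oss/NCECOMMONE/apps/NMQKafkaService/tools/ssl | Public IP address
None | Public IP address
None | Configured and uploaded by the user; only the certificate content is saved, not the certificate directory. | Public IP address
None | Public IP address
None | None | Public IP address
None | None | Stored in binary form in a database table | Public IP address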



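None | None | Stored in binary form in a database table | Public IP address
None | Public IP address
None | None | Stored in binary form in a database table | Public IP address
None | None | Stored in binary form in a database table | Public IP address
None | /opt/oss/NCE/etc/ssl | Public IP address
None | /opt/oss/envs/Product-CampusBaseService/{datetime}/controller/configuration/ssl/registerCenter/ | Public IP address
None | The controller is the client, so no server certificate is involved; the CA used is the system CA. | Public IP address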


None | The client does not provide a certificate. | Public IP address
None | None | Public IP address
None | Public IP address
None | /opt/oss/envs/Product-PortalServerService/{datetime}/controller/configuration | Public IP address


None | None | Public IP address
None | None | Stored in binary form in a database table | Public IP address
None | None | Stored in binary form in a database table | Public IP address
None | /opt/oss/NCE/etc/ssl | Public IP address
None | None | /opt/oss/envs/Product-NorthboundCommunicationService/{time-shot}/controller/configuration/ssl/websocket/ | Public IP address
None | Public IP address


None | None | /opt/oss/envs/Product-NorthboundCommunicationService/{time-shot}/controller/configuration/ssl/syslog/client/ | Public IP address
None | None | /opt/oss/envs/Product-NorthboundCommunicationService/{time-shot}/controller/configuration/restful-trust/ | Public IP address
None | None | Public IP address
None | Private IP address
None | None | Public IP address


NTP is a standard protocol. It uses the HMAC-SHA256 or HMAC-MD5 algorithm for authentication to synchronize time of all other clients. The NTP server synchronizes the clock of the local system with a public NTP server and functions as the time host to provide services. In this way, all clients on the local network can synchronize the clock. Standard NTP service port 123 cannot be bound to fixed IP addresses. For security purposes, configure the /etc/ntp.conf file to restrict the IP addresses bound to the NTP service. x86 EulerOS supports only the HMAC-MD5 algorithm at most, which has security risks. ARM EulerOS supports the HMAC-SHA256 algorithm, which is secure. | 127.0.0.1; ::1; All-0; Public IP address; Private IP address


Enabling Method | Disabling Method | Port Can Be Disabled | Port Is Disabled by Default | Type Office
Start the NTP service. The port opens automatically and will always exist. | Stop the NTP service. The port shuts down automatically. | Not Concerning | Not Concerning | Foreign show
Start the arbitration-etcd process. The port is enabled automatically and remains open. | End the arbitration-etcd process. The port is disabled automatically. | Not Concerning | Not Concerning | Foreign show
Start the apinotifyproxyservice process. The port is enabled automatically and remains open. | End the apinotifyproxyservice process. The port is disabled automatically. | Not Concerning | Not Concerning | Foreign show


Start the NMQKafkaService process. The port is enabled automatically and remains open. | End the NMQKafkaService process. The port is disabled automatically. | No | Yes | Foreign show
The authentication mode is configured for AD authentication and connecting to the AD server. | Disable the AD authentication mode. | Not Concerning | Not Concerning | Foreign show
The authentication mode is configured for AD authentication and connecting to the AD server. | Disable the AD authentication mode. | Not Concerning | Not Concerning | Foreign show
The authentication mode is configured for Radius authentication and connecting to the Radius server. | Disable the Radius authentication mode. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show


The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The rmservice process is started and the port is automatically opened and will always exist. | The rmservice process is stopped and the port is automatically shut down. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The apinotifyproxyservice process is started and the port is automatically opened and will always exist. | The apinotifyproxyservice process is stopped and the port is automatically shut down. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show


The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
Modify the configuration parameters of iMaster_NCE-Campus on CloudSOP-UniEP, set ENABLE_RADIUS_PORT to 'true', and restart PortalServerService. After that, the port is used when sending radius Access-Request and Accounting-Request packets. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
Modify the configuration parameters of iMaster_NCE-Campus on CloudSOP-UniEP, set ENABLE_RADIUS_PORT to 'true', and restart PortalServerService. After that, the port is used when sending radius detection packets. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show


Start port at the snmp agent website of NCE controller. | End port at the snmp agent website of NCE controller. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The NCE server acts as a client and accesses the third-party server after the service is triggered. | When no service is triggered, third-party servers are not accessed. | Not Concerning | Not Concerning | Foreign show
The apimlbservice process is started and the port is automatically opened and will always exist. | The apimlbservice process is stopped and the port is automatically shut down. | Yes | No | Foreign show
Start the Karaf process of NorthboundCommunicationService. The port is automatically enabled and always exists. | End the Karaf process of NorthboundCommunicationService. The port is disabled automatically. | No | No | Foreign show
The snmpagentservice process is started and the port is automatically opened and will always exist. | The snmpagentservice process is stopped and the port is automatically shut down. | Yes | No | Foreign show


Add a Syslog server and enable TLS reporting. | Disable TLS reporting or delete the server configuration. | Foreign show | Not Concerning | Not Concerning
This port is enabled when web UI configurations are delivered. | This port is disabled when web UI configurations are deleted. | Foreign show | Not Concerning | Not Concerning
Create a file upload task. | Files have been uploaded successfully. | Foreign show | Not Concerning | Not Concerning
The snmpagentservice process is started and the port is automatically opened and will always exist. | The snmpagentservice process is stopped and the port is automatically shut down. | Foreign show | Not Concerning | Not Concerning
This port is enabled when the Syslog server is added. | This port is disabled when the Syslog server configuration is deleted. | Foreign show | Not Concerning | Not Concerning


Start the NTP service; the port opens automatically and will always exist. | Stop the NTP service; the port shuts down automatically. | Foreign show | Yes | No


Remark 1 (authentication standards for ports that do not support authentication)
TDT Feature Name Subsystem


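NMQKafkaService | NCE Common middleware service
AAA | Protocol framework service | Not involved
AAA | Suzhou mechanism | Not involved
AAA | Protocol framework service | Not involved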


NorthboundCommunicationService | NCE Common protocol framework service | None
API Gateway | Hangzhou middleware XFT | Supports authentication
Websocket channel | Hangzhou mechanism | NA


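Syslog channel | Hangzhou mechanism | NA
Restful reporting channel | Hangzhou mechanism | NA
SFTP channel | Hangzhou mechanism | NA
Syslog channel | Hangzhou mechanism | Yes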


Remark 2 (encryption standards for ports that do not support encryption)


Not involved

Not involved

Not involved


Supports encryption

NA


NA

NA

NA



Port Type | Allowed Port Range | NAT Policy | Remarks
Southbound port | All ports on the Southbound Ports tab page | Configure a NAT policy if NAT is enabled. | N/A
Northbound port | All ports on the Northbound and Third Party tab page | Configure a NAT policy if NAT is enabled. | Enable port 22 based on the site requirements. Enable this port if external users need to access internal servers. Otherwise, this port does not need to be enabled.
Geographic redundancy port | All ports on the Geographic Redundancy tab page | N/A | In the DR scenario, the ports need to be enabled on firewalls.


Source Device | Source IP Address | Source Port | Destination Device
ssh client | Any IP address | Random | sshd
ntp client | Any IP address | Random | ntp
HTTP client | Any IP address | Random | WebService
SNMP | Any IP address | Random | WebService
FMS | 127.0.0.1 | Random | webservice
WEB server | 127.0.0.1 | Random | IAM
WEB server | 127.0.0.1 | Random | ACS
WEB server | 127.0.0.1 | Random | AOS
WEB server | 127.0.0.1 | Random | ControllerService
HTTP client | Any IP address | Random | WebService
OMS database | OMS node IP address | Random | OMS database
HA.bin | OMS node IP address | Random | HA.bin
HA.bin | OMS node IP address | Random | HA.bin
OMS | 127.0.0.1 | Random | HA.bin
OMA | OMA node IP address | Random | Fms
OMS | 127.0.0.1 | Random | gaussdb
OMS GaussDB main process | OMS node IP address | Random | OMS GaussDB statistics collection process
OMS | OMS node IP address | Random | omm_agent
PMS | 127.0.0.1 | Random | cep
OMA | OMA node IP address | Random | PMS
cep | 127.0.0.1 | Random | PMS
ControllerService | 127.0.0.1 | Random | PMS
WEB server | 127.0.0.1 | Random | PMS
telnet | 127.0.0.1 | Random | WebService
WEB server | 127.0.0.1 | Random | Fms
License client (LC process) | 127.0.0.1 | Random | License server (LM process)
ControllerService | OMS node IP address | Random | NodeAgent
NodeAgent | NodeAgent node IP address | Random | ControllerService
HTTPS client | Any IP address | Random | HTTPD
Component CAS client | Component client IP address | Random | HTTPD
HTTPS client | Any IP address | Random | HTTPD
HTTP client | Any IP address | Random | WebService
MPA | NodeAgent node IP address | Random | MPA
ControllerService | 127.0.0.1 | Random | BackupRecov
IAM | WebService node IP address | Random | SFTP Server
NFS Client | NameNode/OMS node service plane IP address | Random | NFS Server
CIFS Client | NameNode/OMS node service plane IP address | Random | CIFS Server
WebService | WebService node IP address | Random | 4A System
FTP Client | WebService node IP address | Random | FTP Server
SFTP Client | WebService node IP address | Random | SFTP Server
Syslog Client | WebService node IP address | Random | Syslog Server
DBServer | DBServer node IP address | Random | DBServer

Hive/Loader/Metadata/Hue/Spark/Oozie | Nodes where Hive, Loader, Metadata, Hue, Spark and Oozie services are deployed | Random | Active DBServer
DBService GaussDB main process | DBServer node IP address | Random | DBService GaussDB statistics collection process
DBService HA | DBServer node IP address | Random | DBService HA
DBService HA | DBServer node IP address | Random | DBService HA
DBService | 127.0.0.1 | Random | DBService HA
NodeAgent | NodeAgent node IP address | Random | HiveServer
NodeAgent | NodeAgent node IP address | Random | WebHCat
WebHCat client | WebHCat client IP address | Random | WebHCat
HiveServer client | HiveServer client node IP address | Random | HiveServer
MetaStore client | MetaStore client node IP address | Random | MetaStore
NodeAgent | NodeAgent node IP address | Random | MetaStore
yarn application | NodeManager node IP address | Random | HiveServer
NodeAgent | NodeAgent node IP address | Random | HiveServer1
NodeAgent | NodeAgent node IP address | Random | WebHCat1
WebHCat client | WebHCat client IP address | Random | WebHCat1
HiveServer client | HiveServer client node IP address | Random | HiveServer1
MetaStore client | MetaStore client node IP address | Random | MetaStore1
NodeAgent | NodeAgent node IP address | Random | MetaStore1
yarn application | NodeManager node IP address | Random | HiveServer1
NodeAgent | NodeAgent node IP address | Random | HiveServer2
NodeAgent | NodeAgent node IP address | Random | WebHCat2
WebHCat client | WebHCat client IP address | Random | WebHCat2
HiveServer client | HiveServer client node IP address | Random | HiveServer2
MetaStore client | MetaStore client node IP address | Random | MetaStore2
NodeAgent | NodeAgent node IP address | Random | MetaStore2
yarn application | NodeManager node IP address | Random | HiveServer2
NodeAgent | HiveServer node IP address | Random | HiveServer3
NodeAgent | WebHCat node IP address | Random | WebHCat3
WebHCat client | WebHCat client IP address | Random | WebHCat3
HiveServer client | HiveServer client node IP address | Random | HiveServer3
MetaStore client | MetaStore client node IP address | Random | MetaStore3
NodeAgent | NodeAgent node IP address | Random | MetaStore3
yarn application | NodeManager node IP address | Random | HiveServer3
NodeAgent | HiveServer node IP address | Random | HiveServer4
NodeAgent | WebHCat node IP address | Random | WebHCat4
WebHCat client | WebHCat client IP address | Random | WebHCat4
HiveServer client | HiveServer client node IP address | Random | HiveServer4
MetaStore client | MetaStore client node IP address | Random | MetaStore4
NodeAgent | NodeAgent node IP address | Random | MetaStore4
yarn application | NodeManager node IP address | Random | HiveServer4
NodeAgent | NodeAgent IP address | Random | Flume
Flume client | Flume client node IP address | Random | Flume
Flume client | Flume client node IP address | Random | MonitorServer
Flume client | Flume client IP address | Random | Flume
HTTPS client | HTTPS client IP address | Random | Hue
kerberos client | kerberos client node IP address | Random | Kerberos
kerberos client | kerberos client node IP address | Random | Kerberos
kerberos client | kerberos client node IP address | Random | Kerberos
kerberos client | kerberos client node IP address | Random | Kerberos
kerberos client | kerberos client node IP address | Random | Kerberos
kerberos client | kerberos client node IP address | Random | Kerberos
kerberos client | kerberos client node IP address | Random | Kerberos
kerberos client | kerberos client node IP address | Random | Kerberos
LDAP client | LDAP client node IP address | Random | LDAP
LDAP client | LDAP client node IP address | Random | LDAP
FTP client | FTP client IP address | Random | FTP-Server
HTTP client | HTTP client IP address | Random | FTP-Server
FTP client | FTP client IP address | Random | FTP-Server
FTP client | FTP client IP address | Random | FTP-Server
FTP client | FTP client IP address | Random | FTP-Server
HTTP client | HTTP client IP address | Random | MetaData Server
HTTP client | HTTP client IP address | Random | MetaData Server
Telnet client | 127.0.0.1 | Random | MetaData Server
FTP client | FTP client IP address | Random | FTP-Server
FTP client | FTP client IP address | Random | FTP-Server

HDFS clients/ DataNode and Mapred processes | IP address of the machines where the HDFS clients are running | Random | NameNode
HTTP client | HTTP client node IP address | Random | NameNode
HTTPS client | HTTPS client node IP address | Random | NameNode
DataNode/ZKFC | DataNode IP address/ZKFC node IP address | Random | NameNode
DataNode/ZKFC | DataNode IP address/ZKFC node IP address | Random | NameNode
HDFS clients/ DataNode and Mapred processes | IP address of the machines where the HDFS clients are running | Random | Datanode
HDFS clients/Peer Datanode | IP address of the machines where the HDFS clients/Peer Datanodes are running | Random | Datanode
User's machine (where the web browser opens) | IP of the user's machine (where the web browser opens) | Random | Datanode
User's machine (where the web browser opens) | IP of the user's machine (where the web browser opens) | Random | Datanode
NameNode machine | NameNode machine | Random | JournalNode
NameNode machine | IP address of the machines where the Web clients are running | Random | JournalNode
NameNode machine | IP address of the machines where the Web clients are running | Random | JournalNode
NameNode machine | IP address of the machines where the NameNode is running | Random | NameNode
Datanode | Datanode machine IP | Random | Datanode
User's machine (Using REST interface to access) | IP of User's machine (Using REST interface to access) | Random | HttpFS
HDFS client | HDFS client IP address | Random | Router
HDFS client | HDFS client IP address | Random | Router
Machines accessed by using the Web browser | HTTP client IP address | Random | Router
Machines accessed by using the Web browser | HTTPS client IP address | Random | Router
Backup and Recovery source-end NodeManager | Backup and Recovery source-end NodeManager node IP address | Random | Backup and Recovery destination-end Datanode
Backup and Recovery source-end NodeManager | Backup and Recovery source-end NodeManager node IP address | Random | Backup and Recovery destination-end NameNode

Peer Zookeeper servers | Peer Zookeeper machines IP address | Random | Zookeeper
Peer Zookeeper servers | Peer Zookeeper machines IP address | Random | Zookeeper
ZooKeeper clients | Machines where the zookeeper clients are running | Random | Zookeeper
Peer Zookeeper servers | Peer Zookeeper machines IP address | Random | Zookeeper
Zookeeper JMX port | 127.0.0.1 | Random | Zookeeper
Peer Zookeeper servers | Peer Zookeeper machines IP address | 24030-24049; Port range: 24000-24049 | Zookeeper
ResourceManager | IP address of the machines where the ResourceManager is running | Random | ResourceManager
Users machine (where the web browser is opens)/ | Users machine IP(where the RM UI is opened) | Random | ResourceManager
ApplicationMaster running machine | ApplicationMaster running machine IP | Random | ResourceManager
NodeManager | NodeManagers IP address | Random | ResourceManager
MapReduce clients/NodeManager/AM | NodeManagers IP address | Random | ResourceManager
ResourceManager | Users machine IP(where the RM UI is opened) | Random | ResourceManager
NodeManager | IP address of the machines where the NodeManager is running | Random | NodeManager
Users machine (where the web browser is opens) | IP address of the machines where the NodeManager is running | Random | NodeManager
NodeManager (where the containers are running) | IP address of the machines where the NodeManager is running | Random | NodeManager
Map-red Jobs (the same machines as the NodeManager) | IP address of the machines where the NodeManager is running | Random | NodeManager
NodeManager (where the containers are running) | IP address of the machines where the NodeManager is running | Random | NodeManager
NodeManager | IP address of the machines where the NodeManager is running | Random | NodeManager
ResourceManager | IP address of the machines where the ResourceManager is running | Random | NodeManager
Users machine(where the web browser is opens) | Users machine IP(where the History UI is opened)/ | Random | JobHistoryServer
Mapred Client (To retrieve history data) | IP address of the machines where the MapReduce clients are running | Random | JobHistoryServer
Users machine(where the web browser is opens) | Users machine IP(where the History UI is opened) | Random | JobHistoryServer
Users machine (where the web browser is opens) | Users machine (where the web browser is opens) | Random | JobHistoryServer
Users machine (where the Job client is open) | Users machine (where the Job client is open) | Random | ApplicationMaster
Users machine (where the Job client is open) | Users machine (where the Job client is open) | Random | ApplicationMaster
Users machine (where the Job client is open) | Users machine (where the Job client is open) | Random | ApplicationMaster

HBase clients [Region server and user clients] | IP address of the machines where the HBase clients are running | Random | HMaster
Users machine (where the web browser is opens) | Users machine IP(where the HBase server UI is opened) | Random | HMaster
HMaster and user clients [HBase clients] | IP address of the machines where the HMaster and HBase clients are running | Random | RegionServer
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer UI is opened) | Random | RegionServer
HMaster and user clients [HBase clients] | Users machine IP(where the Thrift Server is Started) | Random | ThriftServer
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer is Started) | Random | ThriftServer
Node agent machine(where the Hmaster is started) | Users machine IP(where the HMaster is Started) | Random | HMaster
Node agent machine(where the RegionServer is started) | Users machine IP(where the RegionServer is Started) | Random | RegionServer
HBase clients [Region server and user clients] | IP address of the machines where the HBase1 clients are running | Random | HMaster1
Users machine (where the web browser is opens) | Users machine IP(where the HBase server1 UI is opened) | Random | HMaster1
HMaster and user clients [HBase clients] | IP address of the machines where the HMaster1 and HBase1 clients are running | Random | RegionServer1
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer1 UI is opened) | Random | RegionServer1
HMaster and user clients [HBase clients] | Users machine IP(where the Thrift Server1 is Started) | Random | ThriftServer1
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer1 is Started) | Random | ThriftServer1
Node agent machine(where the Hmaster is Started) | Users machine IP(where the HMaster1 is Started) | Random | HMaster1
Node agent machine(where the RegionServer is Started) | Users machine IP(where the RegionServer1 is Started) | Random | RegionServer1
HBase clients [Region server and user clients] | IP address of the machines where the HBase2 clients are running | Random | HMaster2
Users machine (where the web browser is opens) | Users machine IP(where the HBase server2 UI is opened) | Random | HMaster2
HMaster and user clients [HBase clients] | IP address of the machines where the HMaster2 and HBase2 clients are running | Random | RegionServer2
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer2 UI is opened) | Random | RegionServer2
HMaster and user clients [HBase clients] | Users machine IP(where the Thrift Server is Started) | Random | ThriftServer2
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer2 is Started) | Random | ThriftServer2
Node agent machine(where the Hmaster is Started) | Users machine IP(where the HMaster2 is Started) | Random | HMaster2
Node agent machine(where the Region Server is Started) | Users machine IP(where the RegionServer2 is Started) | Random | RegionServer2
HBase clients [Region server and user clients] | IP address of the machines where the HBase3 clients are running | Random | HMaster3
Users machine (where the web browser is opens) | Users machine IP(where the HBase server3 UI is opened) | Random | HMaster3
HMaster and user clients [HBase clients] | IP address of the machines where the HMaster3 and HBase3 clients are running | Random | RegionServer3
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer3 UI is opened) | Random | RegionServer3
HMaster and user clients [HBase clients] | Users machine IP(where the Thrift Server3 is Started) | Random | ThriftServer3
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer3 is Started) | Random | ThriftServer3
Node agent machine(where the Hmaster is Started) | Users machine IP(where the HMaster3 is Started) | Random | HMaster3
Node agent machine(where the Region Server is Started) | Users machine IP(where the RegionServer3 is Started) | Random | RegionServer3
HBase clients [Region server and user clients] | IP address of the machines where the HBase4 clients are running | Random | HMaster4
Users machine (where the web browser is opens) | Users machine IP(where the HBase server4 UI is opened) | Random | HMaster4
HMaster and user clients [HBase clients] | IP address of the machines where the HMaster4 and HBase4 clients are running | Random | RegionServer4
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer4 UI is opened) | Random | RegionServer4
HMaster and user clients [HBase clients] | Users machine IP(where the Thrift Server is Started) | Random | ThriftServer4
Users machine (where the web browser is opens) | Users machine IP(where the RegionServer4 is Started) | Random | ThriftServer4
Node agent machine(where the HMaster is Started) | Users machine IP(where the HMaster4 is Started) | Random | HMaster4
Node agent machine(where the Region Server is Started) | Users machine IP(where the RegionServer4 is Started) | Random | RegionServer4

Nimbus client | Nimbus client node IP address | Random | Nimbus
NodeAgent | 127.0.0.1 | Random | Nimbus
Storm UI HTTPS client | Storm UI HTTPS client IP address | Random | Storm UI
Storm UI HTTP client | Storm UI HTTP client IP address | Random | Storm UI
Logviewer HTTPS client | UI client IP address | Random | logviewer
Logviewer HTTP client | UI client IP address | Random | logviewer
worker client | worker node IP address | Random | worker
Kafka client node | Kafka client node IP address | Random | Broker
NodeAgent | 127.0.0.1 | Random | Broker
Kafka client node | Kafka client node IP address | Random | Broker
Kafka Controller node | Kafka Controller node IP address | Random | Broker
NodeAgent | NodeAgent IP address | Random | Oozie
telnet | 127.0.0.1 | Random | Oozie
Oozie HTTPS client | Oozie HTTPS IP address | Random | Oozie
Oozie HTTP client | Oozie HTTP IP address | Random | Oozie
solr client | solr client IP address | Random | Solr-Server
solr client | solr client IP address | Random | Solr-Server
solr | 127.0.0.1 | Random | Solr-Server
solr server HA | solr server admin node IP address | Random | solr service
solr server HA | solr server admin node IP address | Random | solr service
solr | 127.0.0.1 | Random | solr service
HBase Region server | HBase Region server node IP | Random | Solr HBaseI
Loader client | Loader client IP address | Random | Loader Serv
HTTP client | HTTP client IP address | Random | Loader Serv
telnet client | 127.0.0.1 | Random | Loader Serv
SmallFS clients | IP address of the machines where the SmallFS clients are running | Random | SmallFS
Redis client | Redis client IP address | Random | Redis server
Other Redis server | Other Redis server | Random | Redis server
Kafka client node | Kafka client node IP address | Random | Broker
Kafka client node | Kafka client node IP address | Random | Broker
Jobmanager | Jobmanage IP | Dynamic 1024-65535 | Taskmanage
Taskmanager | Taskmanager IP | Dynamic 1024-65535 | Taskmanage
Flink client | Flink client IP | Dynamic 1024-65535 | Jobmanager
Taskmanager | Taskmanager IP | Dynamic 1024-65535 | Jobmanager
Taskmanager | Taskmanager IP | Dynamic 1024-65536 | Taskmanager
Taskmanager | Taskmanager IP | Dynamic 1024-65537 | Taskmanager
Flink client | Flink client IP | Dynamic 1024-65535 | Jobmanager
Taskmanager | Taskmanager IP | Dynamic 1024-65535 | Jobmanager
Flink client | Flink client IP | Dynamic 1024-65535 | Jobmanager
Jobmanager | Jobmanager IP | Dynamic 1024-65535 | Flink client
NettySource | NettySource IP | Dynamic 1024-65536 | NettySink
Flink client | Flink client IP | Dynamic 1024-65537 | Jobmanager
Jobmanager | Jobmanage IP | Dynamic 1024-65538 | Taskmanage
IP address of the Elasticsearch client | Random | Random | Elasticsearch_Server
IP address of the Elasticsearch client | Random | Random | Elasticsearch_Server

GraphBase client node | IP address of the GraphBase client | Random | Node where GraphServer is installed
Node where GraphServer is installed | IP address of the node where GraphServer is deployed | Random | LoadBalancer active node of GraphBase
GraphBase LoadBalancer active node. | 127.0.0.1 | Random | Active node of the LoadBalancer service of the GraphBase service.
Node where GraphServer is installed | IP address of the node where GraphServer is deployed | Random | Node where GraphServer is installed
Node where GraphServer is installed | 127.0.0.1 | Random | Node where GraphServer is installed
LoadBalancer active node of GraphBase | IP address of the LoadBalancer active node of GraphBase | Random | Node where GraphServer is installed
Node where GraphServer is installed | IP address of the node where GraphServer is deployed | Random | Node where GraphServer is installed
LoadBalancer active node of GraphBase | IP address of the LoadBalancer active node of GraphBase | Random | LoadBalancer active node of GraphBase
LoadBalancer active node of GraphBase | IP address of the LoadBalancer active node of GraphBase | Random | LoadBalancer active node of GraphBase
LoadBalancer active node of GraphBase | 127.0.0.1 | Random | LoadBalancer active node of GraphBase

NodeAgent | 127.0.0.1 | Random | JobHistory
Spark client | IP address of the Spark client | Random | Spark JobHistory server
Spark client | IP address of the Spark client | Random | SparkUI server
Driver | Driver IP | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | Web port of the JDBC server.
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Driver | Driver IP | Random | Spark Executor
Driver | Driver IP | Random | Spark Executor
NodeAgent | 127.0.0.1 | Random | JobHistory
NodeAgent | 127.0.0.1 | Random | JDBCServer
Driver/Executor | Driver IP/Executor IP | Random | Spark Executor
NodeAgent | 127.0.0.1 | Random | JobHistory
Spark client | IP address of the Spark client | Random | Spark JobHistory server
Spark client | IP address of the Spark client | Random | SparkUI server
NodeAgent | 127.0.0.1 | Random | JDBCServer
Driver | Driver IP | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | Web port of the JDBC server.
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Driver | Driver IP | Random | Spark Executor
Driver | Driver IP | Random | Spark Executor
Driver/Executor | Driver IP/Executor IP | Random | Spark Executor
NodeAgent | 127.0.0.1 | Random | JobHistory
Spark client | IP address of the Spark client | Random | Spark JobHistory server
Spark client | IP address of the Spark client | Random | SparkUI server
NodeAgent | 127.0.0.1 | Random | JDBCServer
Driver | Driver IP | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | Web port of the JDBC server.
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Driver | Driver IP | Random | Spark Executor
Driver | Driver IP | Random | Spark Executor
Driver/Executor | Driver IP/Executor IP | Random | Spark Executor
NodeAgent | 127.0.0.1 | Random | JobHistory
Spark client | IP address of the Spark client | Random | Spark JobHistory server
Spark client | IP address of the Spark client | Random | SparkUI server
NodeAgent | 127.0.0.1 | Random | JDBCServer
Driver | Driver IP | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | Web port of the JDBC server.
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Driver | Driver IP | Random | Spark Executor
Driver | Driver IP | Random | Spark Executor
Driver/Executor | Driver IP/Executor IP | Random | Spark Executor
NodeAgent | 127.0.0.1 | Random | JobHistory
Spark client | IP address of the Spark client | Random | Spark JobHistory server
Spark client | IP address of the Spark client | Random | SparkUI server
NodeAgent | 127.0.0.1 | Random | JDBCServer
Driver | Driver IP | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | JDBC server
Spark CLI/JDBC client | Spark CLI/JDBC client IP address | Random | Web port of the JDBC server.
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Spark Executor | Spark Executor IP | Random | Driver
Driver | Driver IP | Random | Spark Executor
Driver | Driver IP | Random | Spark Executor
Driver/Executor | Driver IP/Executor IP | Random | Spark Executor

Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
NodeAgent | 127.0.0.1 | 22551 | JDBCServer2x
NodeAgent | 127.0.0.1 | 22501 | JobHistory2x
Driver | Driver IP | Random | JDBC2x server
Spark2x CLI/JDBC2x client | Spark2x CLI/JDBC2x client IP address | Dynamic 1024-65535 | JDBC2x server
Client | Client IP address | Dynamic 1024-65535 | Web port of the JDBC2x server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
Driver/Executor | Driver IP/Executor IP | Dynamic | Spark2x Executor
Spark2x client | Spark2x client IP address | Dynamic 1024-65535 | Spark2x JobHistory2x server
Spark2x client | Spark2x client IP address | Dynamic 1024-65536 | Spark2xUI server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
NodeAgent | 127.0.0.1 | 22551 | JDBCServer2x
NodeAgent | 127.0.0.1 | 22501 | JobHistory2x
Driver | Driver IP | Random | JDBC2x server
Spark2x CLI/JDBC2x client | Spark2x CLI/JDBC2x client IP address | Dynamic 1024-65535 | JDBC2x server
Client | Client IP address | Dynamic 1024-65535 | Web port of the JDBC2x server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
Driver/Executor | Driver IP/Executor IP | Dynamic | Spark2x Executor
Spark2x client | Spark2x client IP address | Dynamic 1024-65535 | Spark2x JobHistory2x server
Spark2x client | Spark2x client IP address | Dynamic 1024-65536 | Spark2xUI server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
NodeAgent | 127.0.0.1 | 22551 | JDBCServer2x
NodeAgent | 127.0.0.1 | 22501 | JobHistory2x
Driver | Driver IP | Random | JDBC2x server
Spark2x CLI/JDBC2x client | Spark2x CLI/JDBC2x client IP address | Dynamic 1024-65535 | JDBC2x server
Client | Client IP address | Dynamic 1024-65535 | Web port of the JDBC2x server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
Driver/Executor | Driver IP/Executor IP | Dynamic | Spark2x Executor
Spark2x client | Spark2x client IP address | Dynamic 1024-65535 | Spark2x JobHistory2x server
Spark2x client | Spark2x client IP address | Dynamic 1024-65536 | Spark2xUI server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
NodeAgent | 127.0.0.1 | 22551 | JDBCServer2x
NodeAgent | 127.0.0.1 | 22501 | JobHistory2x
Driver | Driver IP | Random | JDBC2x server
Spark2x CLI/JDBC2x client | Spark2x CLI/JDBC2x client IP address | Dynamic 1024-65535 | JDBC2x server
Client | Client IP address | Dynamic 1024-65535 | Web port of the JDBC2x server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
Driver/Executor | Driver IP/Executor IP | Dynamic | Spark2x Executor
Spark2x client | Spark2x client IP address | Dynamic 1024-65535 | Spark2x JobHistory2x server
Spark2x client | Spark2x client IP address | Dynamic 1024-65536 | Spark2xUI server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
NodeAgent | 127.0.0.1 | 22551 | JDBCServer2x
NodeAgent | 127.0.0.1 | 22501 | JobHistory2x
Driver | Driver IP | Random | JDBC2x server
Spark2x CLI/JDBC2x client | Spark2x CLI/JDBC2x client IP address | Dynamic 1024-65535 | JDBC2x server
Client | Client IP address | Dynamic 1024-65535 | Web port of the JDBC2x server
Spark2x Executor | Spark2x Executor IP | Dynamic | Driver
Driver/Executor | Driver IP/Executor IP | Dynamic | Spark2x Executor
Spark2x client | Spark2x client IP address | Dynamic 1024-65535 | Spark2x JobHistory2x server
Spark2x client | Spark2x client IP address | Dynamic 1024-65536 | Spark2xUI server
NTP client | Any IP address | Random | NTP
KafkaUI HTTPS client | KafkaUI HTTPS client IP address | Random | Node where the KafkaUI is located
Destination IP Address Destination Port Protocol

Local node IP address 22 TCP

Local node IP address 123 UDP

WebService node IP address 8080 TCP

WebService node IP address 20000 UDP

127.0.0.1 20002 TCP


127.0.0.1 20003 TCP

127.0.0.1 20006 TCP

127.0.0.1 20007 TCP

127.0.0.1 20008 TCP

WebService node IP address 20009 TCP

OMS node IP address 20010 TCP


OMS node IP address 20011 TCP

OMS node IP address 20012 TCP

127.0.0.1 20013 TCP

OMS node IP address 20014 TCP

127.0.0.1 20015 TCP

: : 1: or 127.0.0.1 20015 UDP


OMA node IP address 20016 TCP

127.0.0.1 20017 TCP

OMS node IP address 20018 TCP

127.0.0.1 20019 TCP

127.0.0.1 20019 TCP

127.0.0.1 20019 TCP


127.0.0.1 20020 TCP

127.0.0.1 20021 TCP

127.0.0.1 20023 TCP

NodeAgent node IP address 20024 TCP

OMS node IP address 20025 TCP

WebService node IP address 20026 TCP

OMS node IP address 20027 TCP


WebService node IP address 21201 TCP

WebService node IP address 28443 TCP

127.0.0.1 20030 TCP

127.0.0.1 20028 TCP

SFTP Server IP address Default: 22 TCP

NFS Server IP address Default: 111 NFS

CIFS Server IP address Default: 445 CIFS

4A System IP address Default: Random TCP


FTP Server IP address Default: 21 FTP

SFTP Server IP address Default: 22 TCP

Syslog Server IP address Default: 514 UDP/TCP

DBServer node IP address 20050 TCP

DBService float IP address and 127.0.0.1 20051 TCP

::1 or 127.0.0.1 20051 UDP

DBServer node IP address 20052 UDP

DBServer node IP address 20053 UDP

127.0.0.1 20054 TCP

127.0.0.1 21050 TCP


127.0.0.1 21060 TCP

WebHCat node IP address 21055 TCP

HiveServer node IP address 21066 TCP

MetaStore node IP address 21088 TCP


127.0.0.1 21071 TCP

HiveServer node IP address (servic 21076 TCP

127.0.0.1 21051 TCP

127.0.0.1 21061 TCP


WebHCat1 node IP address 21056 TCP

HiveServer1 node IP address 21067 TCP

MetaStore1 node IP address 21089 TCP

127.0.0.1 21072 TCP


HiveServer1 node IP address (servi 21077 TCP

127.0.0.1 21052 TCP

127.0.0.1 21062 TCP

WebHCat2 node IP address 21057 TCP


HiveServer2 node IP address 21068 TCP

MetaStore2 node IP address 21090 TCP

127.0.0.1 21073 TCP

HiveServer2 node IP address (servi 21078 TCP


127.0.0.1 21053 TCP

127.0.0.1 21063 TCP

WebHCat3 node IP address 21058 TCP

HiveServer3 node IP address 21069 TCP


MetaStore3 node IP address 21091 TCP

127.0.0.1 21074 TCP

HiveServer3 node IP address (servi 21079 TCP

127.0.0.1 21054 TCP


127.0.0.1 21064 TCP

WebHCat4 node IP address 21059 TCP

HiveServer4 node IP address 21070 TCP

MetaStore4 node IP address 21092 TCP


127.0.0.1 21075 TCP

HiveServer4 node IP address (servi 21080 TCP

127.0.0.1 21150 TCP

Flume node IP address Default: 21151 TCP


Port range: 21153-
21199

MonitorServer node IP address Default: 21152 TCP


Port range: any port that
does not conflict with
other service port

Flume node IP address Port range: 21154- TCP


21199
Hue node IP address Default: 21200 TCP
Port range: 21200-
21299

Kerberos server node IP address Default: 21730 TCP


Port range: 21730-
21749

Kerberos server node IP address Default: 21731 UDP


Port range: 21730-
21749

Kerberos server node IP address Default: 21731 TCP


Port range: 21730-
21749

Kerberos server node IP address Default: 21732 UDP


Port range: 21730-
21749

Kerberos server node IP address Default: 21701 UDP


Port range: 21700-
21729
Kerberos server node IP address Default: 21700 TCP
Port range: 21700-
21729

Kerberos server node IP address Default: 21702 TCP


Port range: 21700-
21729

Kerberos server node IP address Default: 21702 UDP


Port range: 21700-
21729

LDAP server node IP address Default: 21750 TCP


Port range: 21750-
21779

LDAP server node IP address Default: 21780 TCP


Port range: 21780-
21796

FTP-Server node IP address Default: 22020 TCP


Port range: 1025-65535
FTP-Server node IP address 22022 TCP

FTP-Server node IP address Default: 22021 TCP


Port range: 1025-65535

FTP-Server node IP address Default: 22189 TCP


Port range: 1025-65535

FTP-Server node IP address Default: 22190 TCP


Port range: 1025-65535

MetaData node IP address (Management IP) 28052 TCP

MetaData node IP address 28054 TCP


127.0.0.1 28050 TCP

FTP-Server node IP address 22000-22249 TCP

FTP-Server node IP address 22000-22249 TCP

Namenode Machine IP Default: 25000 TCP


Port range: 25000-
25049

Namenode Machine IP Default: 25002 TCP


Port range: 25000-
25049
Namenode Machine IP Default: 25003 TCP
Port range: 25000-
25049

NameNode IP address Default: 25005 TCP


Port range: 25000 to
25049

NameNode IP address Default: 25006 TCP


Port range: 25000 to
25049

Namenode Machine IP Default: 25008 TCP


Port range: 25000-
25049
Datanode machine IP Default: 25009 TCP
Port range: 25000-
25049

Datanode machine IP Default: 25010 TCP


Port range: 25000-
25049

Datanode machine IP Default: 25011 TCP


Port range: 25000-
25049

JournalNode machine IP Default: 25012 TCP


Port range: 25000-
25049
JournalNode machine IP Default: 25013 TCP
Port range: 25000-
25049

JournalNode machine IP Default: 25014 TCP


Port range: 25000-
25049

Namenode Machine IP Default: 25015 TCP


Port range: 25000-
25049

127.0.0.1 Default: 25016 TCP


HttpFS machine IP Default: 25018 TCP
Port range: 25000-
25049

Router node IP address Default value: 25019 TCP


Range: 25000-25049

Router node IP address Default value: 25020 TCP


Range: 25000-25049
Router node IP Default value: 25021 TCP
Range: 25000-25049

Router node IP Default value: 25022 TCP


Range: 25000-25049

Backup and Recovery destination-end Datanode node IP address Default: 25009 TCP
Port range: 25000-25049

Backup and Recovery destination-end Namenode node IP address Default: 25000 TCP
Port range: 25000-25049

Zookeeper Machine IP Default: 24000 TCP


Port range: 24000-
24049

Zookeeper Machine IP Default: 24001 TCP


Port range: 24000-
24049

Zookeeper Machine IP Default: 24002 TCP


Port range: 24000-
24049
Zookeeper Machine IP Default: 24003 TCP
Port range: 24000-
24049

Zookeeper Machine IP Default: 24008 TCP


Port range: 24000-
24049

Zookeeper Machine IP Default: 24002 TCP


Port range: 24000-
24049

IP address of the machines where the ResourceManager is running Default: 26000 TCP
Port range: 26000-27999

ResourceManager Machine IP Default: 26001 TCP
Port range: 26000-
27999

ResourceManager Machine IP Default: 26002 TCP


Port range: 26000-
27999

ResourceManager Machine IP Default: 26003 TCP


Port range: 26000-
27999
ResourceManager Machine IP Default: 26004 TCP
Port range: 26000-
27999

ResourceManager Machine IP Default: 26005 TCP


Port range: 26000-
27999

NodeManager Machine IP Default: 26006 TCP


Port range: 26000-
27999

NodeManager Machine IP Default: 26010 TCP


Port range: 26000-
27999
NodeManager Machine IP Default: 26007 TCP
Port range: 26000-
27999

NodeManager Machine IP Default: 26008 TCP


Port range: 26000-
27999

NodeManager Machine IP Default: 27337 TCP


Port range: 26000-
27999

NodeManager Machine IP Default: 27338 TCP


Port range: 26000-
27999
NodeManager Machine IP Default: 26009 TCP
Port range: 26000-
27999

Jobhistory Server machine IP Default: 26012 TCP


Port range: 26000-
27999

Jobhistory Server machine IP Default: 26013 TCP


Port range: 26000-
27999

Jobhistory Server machine IP Default: 26014 TCP


Port range: 26000-
27999
Jobhistory Server machine IP Default: 26015 TCP
Port range: 26000-
27999

NodeManager Machine IP Default Range: 27100-27999 TCP
Port range: In FusionManager, you can set the port range in the yarn.app.mapreduce.am.job.client.port-range parameter.

NodeManager Machine IP Default Range: 27100-27999 TCP
Port range: In FusionManager, you can set the port range in the yarn.app.mapreduce.am.job.client.port-range parameter.

NodeManager Machine IP Default Range: 27100-27999 TCP
Port range: In FusionManager, you can set the port range in the yarn.app.mapreduce.am.job.client.port-range parameter.

HMaster Machine IP Default: 21300 TCP


Port range: 21300-
21349
HMaster Machine IP Default: 21301 TCP
Port range: 21300-
21349

Region Server Machine IP Default: 21302,21025,21026,21027,21028 TCP
Port range: 21300-21349

Region Server Machine IP Default: 21303,21029,21030,21031,21032 TCP
Port range: 21300-21349

Thrift prot Default: 21304 TCP


Port range: 21300-
21349
Thrift prot Default: 21305 TCP
Port range: 21300-
21349

HMaster Machine IP (127.0.0.1) Default: 21306 TCP


Port range: 21300-
21349

Region Server Machine IP (127.0.0.1) Default: 21307,21033,21034,21035,21036 TCP
Port range: 21300-21349

HMaster1 Machine IP Default: 21310 TCP


Port range: 21300-
21349
HMaster1 Machine IP Default: 21311 TCP
Port range: 21300-
21349

Region Server1 Machine IP Default: 21312 TCP


Port range: 21300-
21349

Region Server1 Machine IP Default: 21313 TCP


Port range: 21300-
21349

Thrift1 prot Default: 21314 TCP


Port range: 21300-
21349
Thrift1 prot Default: 21315 TCP
Port range: 21300-
21349

HMaster1 Machine IP (127.0.0.1) Default: 21316 TCP


Port range: 21300-
21349

Region Server1 Machine IP Default: 21317 TCP


(127.0.0.1) Port range: 21300-
21349

HMaster2 Machine IP Default: 21320 TCP


Port range: 21300-
21349
HMaster2 Machine IP Default: 21321 TCP
Port range: 21300-
21349

Region Server2 Machine IP Default: 21322 TCP


Port range: 21300-
21349

Region Server2 Machine IP Default: 21323 TCP


Port range: 21300-
21349

Thrift2 prot Default: 21324 TCP


Port range: 21300-
21349
Thrift2 prot Default: 21325 TCP
Port range: 21300-
21349

HMaster2 Machine IP Default: 21326 TCP


Port range: 21300-
21349

Region Server2 Machine IP Default: 21327 TCP


Port range: 21300-
21349

HMaster3 Machine IP Default: 21330 TCP


Port range: 21300-
21349
HMaster3 Machine IP Default: 21331 TCP
Port range: 21300-
21349

Region Server3 Machine IP Default: 21332 TCP


Port range: 21300-
21349

Region Server3 Machine IP Default: 21333 TCP


Port range: 21300-
21349

Thrift3 prot Default: 21334 TCP


Port range: 21300-
21349
Thrift3 prot Default: 21335 TCP
Port range: 21300-
21349

HMaster3 Machine IP Default: 21336 TCP


Port range: 21300-
21349

Region Server3 Machine IP Default: 21337 TCP


Port range: 21300-
21349

HMaster4 Machine IP Default: 21340 TCP


Port range: 21300-
21349
HMaster4 Machine IP Default: 21341 TCP
Port range: 21300-
21349

Region Server4 Machine IP Default: 21342 TCP


Port range: 21300-
21349

Region Server4 Machine IP Default: 21343 TCP


Port range: 21300-
21349

Thrift4 prot Default: 21344 TCP


Port range: 21300-
21349
Thrift4 prot Default: 21345 TCP
Port range: 21300-
21349

HMaster4 Machine IP Default: 21346 TCP


Port range: 21300-
21349

Region Server4 Machine IP Default: 21347 TCP


Port range: 21300-
21349

Nimbus node IP address 29200 TCP

Nimbus node IP address 29201 TCP

Storm UI node IP address 29243 TCP

Storm UI node IP address 29280 TCP


Logviewer node IP address 29248 TCP

Logviewer node IP address 29288 TCP

Worker node IP address 29300-29499 TCP

Broker node IP address 21005 TCP

Broker node IP address 21006 TCP

Broker node IP address 21007 TCP

Broker node IP address 21013 TCP

127.0.0.1 Default values: 21002 TCP


Reference values:
21000-21004

Oozie server node IP address Default values: 21001 TCP


Reference values:
21000-21004

Oozie server node IP address Default values: 21003 TCP


Reference values:
21000-21004
Oozie server node IP address Default values: 21000 TCP
Reference values:
21000-21004

solr server node IP address Default values: 21101, TCP


21104, 21107, 21110,
21113, 21116
Reference values:
21100-21149

solr server node IP address Default values: 21100, TCP


21103, 21106, 21109,
21112, 21115
Reference values:
21100-21149

127.0.0.1 Default values: 21102, TCP


21105, 21108, 21111,
21114, 21117
Reference values:
21100-21149

solr server admin node IP address 21147 UDP

solr server admin node IP address 21148 UDP

127.0.0.1 21149 TCP

solr server node IP address Default values: 21146 TCP


Loader server float ip Default value: 21351 TCP
Value range: 21350-
21399

Loader node IP address 21353 TCP

127.0.0.1 21352 TCP

SmallFS machine IP Default: 25050 TCP


Port range: 25050-
25069

Redis server IP address 22400-22499 TCP

Redis server IP address 24350-24449 TCP

Broker node IP address 21008 TCP

Broker node IP address 21009 TCP

Taskmanager IP 32326-32390 TCP


Taskmanager IP 32391-32455 TCP

Jobmanager IP 32456-32520 TCP

Jobmanager IP 32456-32520 TCP

Taskmanager IP 32521-32540 TCP

Taskmanager IP 32541-32560 TCP

Jobmanager IP 32261-32325 TCP

Jobmanager IP 32586-32650 TCP

Jobmanager IP 32586-32650 TCP

Flink client IP 32651-32720 TCP

NettySink IP 28444-28843 TCP

Jobmanager IP 28844-28943 TCP

Taskmanager IP 28844-28943 TCP

Service IP address of the Elasticsearch server node Default value: 24100,24102,24104,24106,24108,24110,24112,24114,24116,24148 TCP
Reference value: 24100-24149

Service IP address of the Elasticsearch server node Default value: 24101,24103,24105,24107,24109,24111,24113,24115,24117,24147 TCP
Reference value: 24100-24149

Floating IP address of the GraphBase server 22380 TCP

The floating IP address of the GraphBase server 22390 TCP

Floating IP address of the GraphBase server 22391 TCP

IP address of the node where GraphServer is deployed 22381 TCP

127.0.0.1 22382 TCP

IP address of the node where GraphServer is deployed 22388 TCP

IP address of the node where GraphServer is deployed 22384 TCP

The floating IP address of the GraphBase server 22385 UDP

The floating IP address of the GraphBase server 22386 UDP

127.0.0.1 22387 TCP

127.0.0.1 23021 TCP


Spark JobHistory IP Default value: 23020 TCP
Value range: 23000-23999

IP address of the SparkUI server Default value: Random TCP


Value range: 23000-23999

Spark CLI/JDBC server Default value: 23042 TCP


Value range: 23000-23999
Spark CLI/JDBC server Default value: 23040 TCP
Value range: 23000-23999

Spark CLI/JDBC server Default value: 23060 TCP


Value range: 23000-23999

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark Executor IP Default value: Random TCP
Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 23021 TCP

127.0.0.1 23041 TCP

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 23121 TCP

Spark JobHistory IP Default value: 23120 TCP


Value range: 23000-23999
IP address of the SparkUI server Default value: Random TCP
Value range: 23000-23999

127.0.0.1 23141 TCP

Spark CLI/JDBC server Default value: 23142 TCP


Value range: 23000-23999

Spark CLI/JDBC server Default value: 23140 TCP


Value range: 23000-23999
Spark CLI/JDBC server Default value: 23160 TCP
Value range: 23000-23999

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark Executor IP Default value: Random TCP
Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 23221 TCP

Spark JobHistory IP Default value: 23220 TCP


Value range: 23000-23999

IP address of the SparkUI server Default value: Random TCP


Value range: 23000-23999

127.0.0.1 23241 TCP


Spark CLI/JDBC server Default value: 23242 TCP
Value range: 23000-23999

Spark CLI/JDBC server Default value: 23240 TCP


Value range: 23000-23999

Spark CLI/JDBC server Default value: 23260 TCP


Value range: 23000-23999

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Driver IP Default value: Random TCP
Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 23321 TCP

Spark JobHistory IP Default value: 23320 TCP


Value range: 23000-23999
IP address of the SparkUI server Default value: Random TCP
Value range: 23000-23999

127.0.0.1 23341 TCP

Spark CLI/JDBC server Default value: 23342 TCP


Value range: 23000-23999

Spark CLI/JDBC server Default value: 23340 TCP


Value range: 23000-23999
Spark CLI/JDBC server Default value: 23360 TCP
Value range: 23000-23999

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark Executor IP Default value: Random TCP
Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 23421 TCP

Spark JobHistory IP Default value: 23420 TCP


Value range: 23000-23999

IP address of the SparkUI server Default value: Random TCP


Value range: 23000-23999

127.0.0.1 23441 TCP


Spark CLI/JDBC server Default value: 23442 TCP
Value range: 23000-23999

Spark CLI/JDBC server Default value: 23440 TCP


Value range: 23000-23999

Spark CLI/JDBC server Default value: 23460 TCP


Value range: 23000-23999

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Driver IP Default value: Random TCP
Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark Executor IP Default value: Random TCP


Value range: 23000-23999
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 22551 TCP

127.0.0.1 22501 TCP


Spark CLI/JDBC server Default value: 22552 TCP
Value range: 22950-22999

JDBC2x server Default value: 22550 TCP


Value range: 22950-22999

JDBC2x server Default value: 22950 TCP


Value range: 22950-22999

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark2x Executor IP Default value: Random TCP
Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark2x JobHistory2x IP Default value: 22500 TCP


Value range: 22500-22549

IP address of the Spark2xUI server Default value: Random TCP
Value range: 22600-22899

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 22561 TCP

127.0.0.1 22511 TCP


Spark CLI/JDBC server Default value: 22562 TCP
Value range: 22950-22999

JDBC2x server Default value: 22560 TCP


Value range: 22550-22599

JDBC2x server Default value: 22960 TCP


Value range: 22950-22999

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark2x Executor IP Default value: Random TCP
Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark2x JobHistory2x IP Default value: 22510 TCP


Value range: 22500-22549

IP address of the Spark2xUI server Default value: Random TCP
Value range: 22600-22899

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 22571 TCP

127.0.0.1 22521 TCP


Spark CLI/JDBC server Default value: 22572 TCP
Value range: 22950-22999

JDBC2x server Default value: 22570 TCP


Value range: 22550-22599

JDBC2x server Default value: 22970 TCP


Value range: 22950-22999

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark2x Executor IP Default value: Random TCP
Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark2x JobHistory2x IP Default value: 22520 TCP


Value range: 22500-22549

IP address of the Spark2xUI server Default value: Random TCP
Value range: 22600-22899

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 22581 TCP

127.0.0.1 22531 TCP


Spark CLI/JDBC server Default value: 22582 TCP
Value range: 22950-22999

JDBC2x server Default value: 22580 TCP


Value range: 22550-22599

JDBC2x server Default value: 22980 TCP


Value range: 22950-22999

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark2x Executor IP Default value: Random TCP
Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark2x JobHistory2x IP Default value: 22530 TCP


Value range: 22500-22549

IP address of the Spark2xUI server Default value: Random TCP
Value range: 22600-22899

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

127.0.0.1 22591 TCP

127.0.0.1 22541 TCP


Spark CLI/JDBC server Default value: 22592 TCP
Value range: 22950-22999

JDBC2x server Default value: 22590 TCP


Value range: 22550-22599

JDBC2x server Default value: 22990 TCP


Value range: 22950-22999

Driver IP Default value: Random TCP


Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF
Spark2x Executor IP Default value: Random TCP
Value range: 22600-22899
The value range can be changed by setting spark.random.port.max and spark.random.port.min in <CONF

Spark2x JobHistory2x IP Default value: 22540 TCP


Value range: 22500-22549

IP address of the Spark2xUI server Default value: Random TCP
Value range: 22600-22899

FusionStorage OBS node 8020 TCP


FusionStorage OBS node 9866 TCP
Port Description Destination Port Configurable (Y/N) Connection Type

Port that provides ssh services No Non-persistent connection

NTP port No Non-persistent connection

User access port provided by WebService No Non-persistent connection
This port is used for: Accessing WebUIs
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

SNMP protocol port Yes Non-persistent connection
This port is used for: Connecting to the SNMP NMS
Is the port enabled by default during the installation: No
Is the port enabled after security hardening: N/A
The port can be configured, ranging from 1025 to 65535. The local port can be configured on the SNMP Configuration page.

RPC port for receiving northbound alarm information No Persistent connection
This port is used for: FMS to send alarm notification to WebService
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Audit log port provided by the IAM No Non-persistent connection
This port is used for: Audit log recording and query
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

ACS port No Non-persistent connection
This port is used for: ACS user management
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

AOS port No Non-persistent connection
This port is used for: AOS rights management
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Access port provided by Controller for WebService No Non-persistent connection
This port is used for: Running cluster commands
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

CAS port No Non-persistent connection
This port is used for: User login authenticating
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port for data synchronization between the active and standby nodes during OMS database reconstruction No Non-persistent connection
This port is used for: Synchronizing the data between the active and standby databases
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

HA synchronization port No Non-persistent connection
This port is used for: Synchronizing files between the active and standby nodes
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

HA heartbeat port No Persistent connection
This port is used for: Transferring heartbeat messages between the active and standby nodes
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

HA RPC port for receiving commands No Persistent connection
This port is used for: Receiving file synchronization commands
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Thrift port for OMA to report alarm data to PMS No Non-persistent connection
This port is used for: Receiving alarm data of each node
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

OMS database service port No Non-persistent connection
This port is used for: Providing database services
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Data statistics collection port No Non-persistent connection
This port is used for: The statistics collection process to accept the connection request from the main process and receive statistics data from the main process after the connection is set up. Based on the statistics data, a proper and efficient execution plan can be generated to analyze and clear tables in a timely manner. (IPv6 is preferred. If the environment does not support IPv6, use 127.0.0.1.)
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Thrift port for OMA to exchange messages with PMS and FMS No Non-persistent connection
This port is used for: PMS/FMS to return a confirmation message after receiving a message
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

RPC port of the cep process No Non-persistent connection
This port is used for: Providing performance data aggregation service
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Thrift port for OMA to report monitoring data to PMS No Non-persistent connection
This port is used for: Receiving performance monitoring data of each node
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port used by the CEP to obtain data from the PMS for statistics collection and calculation No Non-persistent connection
This port is used for: Querying performance monitoring data
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port used by the Controller to obtain monitoring data from the PMS No Non-persistent connection
This port is used for: Querying performance monitoring data
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port provided by the PMS for obtaining monitoring data No Non-persistent connection
This port is used for: Querying performance monitoring data
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port for monitoring requests for stopping Tomcat No Persistent connection
This port is used for: Stopping tomcat
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port provided by the FMS for querying alarms No Non-persistent connection
This port is used for: Querying alarm data
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port for the communication between the license server and the license client No Non-persistent connection
This port is used for: License management
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Management channel service port No Non-persistent connection
This port is used for: Controller to deliver maintenance commands to NodeAgents
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

heartbeat channel service port No Persistent connection
This port is used for: Controller to send heartbeat message to NodeAgents
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Web service proxy port provided by HTTPD No Non-persistent connection
This port is used for: Accessing WebUIs in proxy mode
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

CAS certification proxy port provided by HTTPD No Non-persistent connection
This port is used for: Components to access CAS in proxy mode for authentication
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Hue proxy port provided by HTTPD No Non-persistent connection
This port is used for: Accessing Hue WebUI in proxy mode
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

User access port provided by WebService No Non-persistent connection
This port is used for: Accessing WebUIs
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

Port that MPA provides for NodeAgent to upload monitoring data No Non-persistent connection

Port for controller to send backup and recovery commands to BackupPluginProcess. No Non-persistent connection

SFTP Server Port NO Non-persistent connection
This port is used for: Connecting the SFTP server for the audit log dumping
Is the port enabled by default during the installation: no
Is the port enabled after security hardening: no
This port is configurable, range 1~65535.

NFS Server Port YES Non-persistent connection
This port is used for: Connecting NFS server
Is the port enabled by default during the installation: no
Is the port enabled after security hardening: no
This port is configurable, range 1~65535.

CIFS Server Port YES Non-persistent connection
This port is used for: Connecting CIFS server
Is the port enabled by default during the installation: no
Is the port enabled after security hardening: no
This port is configurable, range 1~65535.

4A Server Port YES Non-persistent connection
This port is used for: Connecting 4A server for authentication
Is the port enabled by default during the installation: no
Is the port enabled after security hardening: no

FTP Server Port YES Non-
This port is used for: persistent
Connecting FTP server for dumping monitor statistics connection
Is the port enabled by default during the installation: no
Is the port enabled after security hardening: no

This port is configurable, range 1~65535.

SFTP Server Port YES Non-


This port is used for: persistent
Connecting SFTP server for dumping monitor statistics connection
Is the port enabled by default during the installation: no
Is the port enabled after security hardening: no

This port is configurable, range 1~65535.

Syslog Server Port YES Non-


This port is used for: persistent
Connecting SFTP server for dumping alarm information connection
Is the port enabled by default during the installation: no
Is the port enabled after security hardening: no

This port is configurable, range 1~65535.

Port for data synchronization between the active and standby No Persistent
nodes during database reconstruction connection
This port is used for:
Synchronizing the data between the active and standby
databases

Is the port enabled by default during the installation: Yes


Is the port enabled after security hardening: Yes

Database service port of DBService No Persistent


This port is used for: connection
Providing database services

Is the port enabled by default during the installation: Yes


Is the port enabled after security hardening: Yes
Data statistics collection port No Persistent
This port is used for: connection
The statistics collection process to accept the connection
request from the main process and receive statistics data from
the main process after the connection is set up. Based on the
statistics data, a proper and efficient execution plan can be
generated to analyze and clear tables in a timely manner.
(IPv6 is preferred. If the environment does not support IPv6,
use 127.0.0.1.)
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

HA active/standby heartbeat detection port No Persistent


This port is used for: connection
Transferring heartbeat messages between the active and
standby nodes

Is the port enabled by default during the installation: Yes


Is the port enabled after security hardening: Yes

HA file synchronization port No Persistent


This port is used for: connection
Synchronizing files between the active and standby nodes

Is the port enabled by default during the installation: Yes


Is the port enabled after security hardening: Yes

HA RPC port for receiving commands No Persistent


This port is used for: connection
Receiving file synchronization commands

Is the port enabled by default during the installation: Yes


Is the port enabled after security hardening: Yes

HiveServer JMX port. (hive.rmi.registry.port) Yes Non-


persistent
This port is used for: connection

The OMA Agent to collect measurement data from


HiveServer.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


WebHCat JMX port. (templeton.rmi.registry.port) Yes Non-
persistent
This port is used for: connection

The OMA Agent to collect measurement data from WebHCat.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for WebHCat to provide REST services. (templeton.port) Yes Non-


persistent
This port is used for: connection

WebHCat clients to communicate with WebHCat.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer to provide Thrift services. Yes Non-


(hive.server2.thrift.port) persistent
connection
This port is used for:

HiveServer clients to communicate with HiveServer.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for MetaStore to provide Thrift services. Yes Non-


(hive.metastore.port) persistent
connection
This port is used for:

MetaStore clients to communicate with MetaStore.

That is, communication between HiveServer and MetaStore.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


MetaStore JMX port.(metastore.rmi.registry.port) Yes Non-
persistent
This port is used for: connection
The OMA Agent to collect measurement data from
MetaStore.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer to provide netty services. Yes Non-


persistent
This port is used for: connection

Hive on spark application to communicate with HiveServer.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

HiveServer1 JMX port. (hive.rmi.registry.port) Yes Non-


persistent
This port is used for: connection

The OMA Agent to collect measurement data from


HiveServer1.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

WebHCat1 JMX port. (templeton.rmi.registry.port) Yes Non-


persistent
This port is used for: connection

The OMA Agent to collect measurement data from


WebHCat1.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


Port for WebHCat1 to provide REST services. Yes Non-
(templeton.port) persistent
connection
This port is used for:

WebHCat1 clients to communicate with WebHCat1.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer1 to provide Thrift services. Yes Non-


(hive.server2.thrift.port) persistent
connection
This port is used for:

HiveServer1 clients to communicate with HiveServer1.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for MetaStore1 to provide Thrift services. Yes Non-


(hive.MetaStore.port) persistent
connection
This port is used for:

MetaStore1 clients to communicate with MetaStore1.

That is, communication between HiveServer and MetaStore1.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

MetaStore1 JMX port.(metastore.rmi.registry.port) Yes Non-


persistent
This port is used for: connection
The OMA Agent to collect measurement data from
MetaStore1.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


Port for HiveServer1 to provide netty services. Yes Non-
persistent
This port is used for: connection

Hive on spark application to communicate with HiveServer1.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

HiveServer2 JMX port. (hive.rmi.registry.port) Yes Non-


persistent
This port is used for: connection

The OMA Agent to collect measurement data from


HiveServer2.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

WebHCat2 JMX port. (templeton.rmi.registry.port) Yes Non-


persistent
This port is used for: connection

The OMA Agent to collect measurement data from


WebHCat2.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for WebHCat2 to provide REST services. Yes Non-


(templeton.port) persistent
connection
This port is used for:

WebHCat2 clients to communicate with WebHCat2.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


Port for HiveServer2 to provide Thrift services. Yes Non-
(hive.server2.thrift.port) persistent
connection
This port is used for:

HiveServer2 clients to communicate with HiveServer2.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for MetaStore2 to provide Thrift services. Yes Non-


(hive.MetaStore.port) persistent
connection
This port is used for:

MetaStore2 clients to communicate with MetaStore2.

That is, communication between HiveServer and MetaStore2.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

MetaStore2 JMX port.(metastore.rmi.registry.port) Yes Non-


persistent
This port is used for: connection
The OMA Agent to collect measurement data from
MetaStore2.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer2 to provide netty services. Yes Non-


persistent
This port is used for: connection

Hive on spark application to communicate with HiveServer2.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


HiveServer3 JMX port. (hive.rmi.registry.port) Yes Non-
persistent
This port is used for: connection

The OMA Agent to collect measurement data from


HiveServer3.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

WebHCat3 JMX port. (templeton.rmi.registry.port) Yes Non-


persistent
This port is used for: connection

The OMA Agent to collect measurement data from


WebHCat3.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for WebHCat3 to provide REST services. Yes Non-


(templeton.port) persistent
connection
This port is used for:

WebHCat3 clients to communicate with WebHCat3.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer3 to provide Thrift services. Yes Non-


(hive.server2.thrift.port) persistent
connection
This port is used for:

HiveServer3 clients to communicate with HiveServer3.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


Port for MetaStore3 to provide Thrift services. Yes Non-
(hive.MetaStore.port) persistent
connection
This port is used for:

MetaStore3 clients to communicate with MetaStore3.

That is, communication between HiveServer and MetaStore3.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

MetaStore3 JMX port.(metastore.rmi.registry.port) Yes Non-


persistent
This port is used for: connection
The OMA Agent to collect measurement data from
MetaStore3.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer3 to provide netty services. Yes Non-


persistent
This port is used for: connection

Hive on spark application to communicate with HiveServer3.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

HiveServer4 JMX port. (hive.rmi.registry.port) Yes Non-


persistent
This port is used for: connection

The OMA Agent to collect measurement data from


HiveServer4.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


WebHCat4 JMX port. (templeton.rmi.registry.port) Yes Non-
persistent
This port is used for: connection

The OMA Agent to collect measurement data from


WebHCat4.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for WebHCat4 to provide REST services. Yes Non-


(templeton.port) persistent
connection
This port is used for:

WebHCat4 clients to communicate with WebHCat4.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer4 to provide Thrift services. Yes Non-


(hive.server2.thrift.port) persistent
connection
This port is used for:

HiveServer4 clients to communicate with HiveServer4.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for MetaStore4 to provide Thrift services. Yes Non-


(hive.MetaStore.port) persistent
connection
This port is used for:

MetaStore4 clients to communicate with MetaStore4.

That is, communication between HiveServer and MetaStore4.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes


MetaStore4 JMX port.(metastore.rmi.registry.port) Yes Non-
persistent
This port is used for: connection
The OMA Agent to collect measurement data from
MetaStore4.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Port for HiveServer4 to provide netty services. Yes Non-


persistent
This port is used for: connection

Hive on spark application to communicate with HiveServer4.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

This port is used for: No Non-


Port that provides JMX services persistent
Parameter: connection
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A

This port is used for: No Persistent


Port that provides RPC services connection
Parameter:
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A

This port is used for: Yes Persistent


Port that provides RPC services connection
Parameter: The value of rpc_server_port in
/opt/huawei/Bigdata/apache-flume-1.4.0-bin/flume/conf/service/application.properties.
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A

This port is used for: Yes Persistent


Port that provides RPC services connection
Parameter: The value of server.sources.avro_source.port in
properties.properties on the server must be consistent with the
value of client.sinks.static_log_sink.port in
properties.properties on the client.
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A
Port for Hue to provide HTTPS services. Yes Persistent
This port is used for providing web services in https mode. It connection
corresponds to the configuration item HTTP_PORT on the
Manager portal and can be changed.

Is the port enabled by default during the installation: Yes


Is the port enabled after security hardening: Yes

[Description] Kerberos user management port (KADMIN_PORT) Yes Non-persistent connection
This port is used for:
Kerberos user management

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Kerberos port for changing passwords (KPASSWD_PORT) Yes Non-persistent connection
This port is used for:
Kerberos port for changing passwords

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Kerberos port for changing passwords (KPASSWD_PORT) Yes Non-persistent connection
This port is used for:
Kerberos port for changing passwords

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Kerberos port for changing passwords (kdc_ports) Yes Non-persistent connection
This port is used for:
Kerberos port for authentication

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] okerberos port for changing passwords (kdc_ports) Yes Non-persistent connection
This port is used for:
Kerberos port for authentication (OMS)

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] okerberos user management port (KADMIN_PORT) Yes Non-persistent connection
This port is used for:
Kerberos user management port (OMS)

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] okerberos port for changing passwords (KPASSWD_PORT) Yes Non-persistent connection
This port is used for:
Kerberos port for changing passwords (OMS)

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] okerberos port for changing passwords (KPASSWD_PORT) Yes Non-persistent connection
This port is used for:
Kerberos port for changing passwords (OMS)

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Port for connecting to the OLDAP client (LDAP_SERVER_PORT) Yes Non-persistent connection
This port is used for:
Port for connecting to the OLDAP client (OMS)

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Port for connecting to the LDAP client (LDAP_SERVER_PORT) Yes Non-persistent connection
This port is used for:
Port for connecting to the LDAP client

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

This port is used for (this port is not open by default): Yes Persistent
FTP data port connection

[Parameter] active-data-port
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A
[Description] FTP-Server JMXPort NO Persistent connection
Note: The default port range is used and cannot be modified.

This port is used for:
The Http-Server JMX server to receive JMX server listening requests.
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] Yes

This port is used for (this port is not open by default): Yes Non-
FTP control port persistent
connection
[Parameter] port
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A

This port is used for (this port is not open by default): Yes Persistent
FTPS data port connection

[Parameter] ssl-active-data-port
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A

This port is used for: Yes Persistent


FTPS control port connection

[Parameter] ssl-port
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] N/A

[Description] Port for the UI to provide HTTPS services No Non-


persistent
This port is used for: connection
remote Web clients to access the Metadata UI.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Metadata JMXPort NO Non-persistent connection
Note: The default port range is used and cannot be modified.

This port is used for:
The Metadata JMX server to receive JMX server listening requests.
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] Yes
[Description] Port for stopping Tomcat services No Persistent
connection
This port is used for:
stopping the Tomcat service on local Telnet clients.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

This port is used for : Yes Persistent


Data transmission port working in passive mode connection

[Parameter] passive-data-ports
[Whether to be enabled by default after installation] No
[Whether to be enabled after security hardening] N/A

This port is used for: Yes Persistent


Data transmission port working in passive mode using FTPS connection

[Parameter] ssl-passive-data-ports
[Whether to be enabled by default after installation] No
[Whether to be enabled after security hardening] N/A

[Description] NameNode RPC Port. (dfs.namenode.rpc.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


1. HDFS client to communicate with Namenode
2. Data nodes to connect to Namenode

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HDFS HTTP Port [NN] (dfs.namenode.http.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used in https mode for:


1. Peer Namenode for checkpointing operation
2. Remote web client to connect to Namenode UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] HDFS HTTPS Port [NN] (dfs.namenode.https.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used in https mode for:


1. Peer Namenode for checkpointing operation
2. Remote web client to connect to Namenode UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] RPC port of the NameNode Lifeline protocol. YES Persistent


(dfs.namenode.lifeline.rpc.port) connection
Note: The port ID is a recommended value and is specified
based on the product. The port range is not restricted in the
code.
This port is used for:
1. NameNodes to process the Lifeline protocol requests of
DataNodes.
2. NameNodes to process the HA health check requests from
ZKFC.
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

[Description] RPC port for HDFS service communication. YES Persistent


(dfs.namenode.servicerpc.port) connection
Note: The port ID is a recommended value and is specified
based on the product. The port range is not restricted in the
code.

This port is used for:


NameNodes to communicate with DataNodes and ZKFC.
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

[Description] Datanode IPC Server Port (dfs.datanode.ipc.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


Client to connect to Datanode for RPC operations

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Datanode Port for data transfer (dfs.datanode.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:
1. HDFS clients for transferring data to/from Datanode
2. Peer Datanode to transfer data

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Datanode HTTP port (dfs.datanode.http.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


Remote web clients to connect to Datanode UI in Secure
mode

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Datanode HTTPS port (dfs.datanode.https.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


Remote web clients to connect to Datanode UI in Secure
mode

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] JournalNode RPC port (dfs.journalnode.rpc.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


1. Client to communicate for asking various information.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] JournalNode HTTP port (dfs.journalnode.http.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used in https mode for:


1. Remote web clients to connect JournalNode in secured
channel.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] JournalNode HTTPS port (dfs.journalnode.https.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used in https mode for:


1. Remote web clients to connect JournalNode in secured
channel.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] ZKFC port (dfs.ha.zkfc.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used in https mode for:


1. Handling HA switch and namenode management

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Datanode HTTP extensional address port (dfs.datanode.http.internal-proxy.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


Remote web clients to connect to Datanode UI in Secure
mode

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] The port the HttpFS HTTP server listens on (httpfs.http.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


Remote rest interface access HttpFS.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

Router RPC port (Router). (dfs.federation.router.rpc.port) YES Long connec


Description: The port range is a recommended value and is
specified based on the product. The port range is not restricted
in the code.

This port is used for:


the HDFS client to communicate with Router

Whether to enable this port by default during the installation:


Yes
Whether to enable this port after security hardening: Yes

Router Admin RPC port (Router). YES Long connec


(dfs.federation.router.admin.port)
Description: The port range is a recommended value and is
specified based on the product. The port range is not restricted
in the code.

This port is used for:


the HDFS client to communicate with Router

Whether to enable this port by default during the installation:


Yes
Whether to enable this port after security hardening: Yes
Router HTTP port (Router). (dfs.federation.router.http.port) YES Short connec
Description: The port range is a recommended value and is
specified based on the product. The port range is not restricted
in the code.

This port is used for:


the remote web client to connect to the Router UI in security
mode

Whether to enable this port by default during the installation:


Yes
Whether to enable this port after security hardening: Yes

Router HTTPS port (Router). (dfs.federation.router.https.port) YES Short connec


Description: The port range is a recommended value and is
specified based on the product. The port range is not restricted
in the code.

This port is used for:


the remote web client to connect to the Router UI in security
mode

Whether to enable this port by default during the installation:


Yes
Whether to enable this port after security hardening: Yes

[Description] Datanode Port for data transfer (dfs.datanode.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:
1. HDFS clients for transferring data to/from Datanode
2. Peer Datanode to transfer data

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] NameNode RPC Port. (dfs.namenode.rpc.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


1. HDFS client to communicate with Namenode
2. Data nodes to connect to Namenode

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Peer communication port (peer.comm.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used by:


1. Peer Zookeepers to connect to zookeeper
2. To connect followers to the leader.
3. Only in leader node.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Leader Election port (leader.election.port) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


1. Leader election procedure. This is opened only at leader
side

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Zookeeper clientPort (clientPort) YES Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


Zookeeper clients to connect to the zookeeper server.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Zookeeper adminPort (zookeeper.admin.serverPort) NO Persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

The API (zookeeper.admin.serverPort) provided by


Zookeeper is used to execute four-character commands
through web page. However, the ZooKeeper in the current
FusionInsight does not support the web access mode, so this
API is not enabled and the function is not provided.

[Whether to be enabled by default after installation] No


[Whether to be enabled after security hardening] No

[Description] Zookeeper JMXPort (JMXPORT) NO Non-persistent connection
Note: The default port range is used and cannot be modified.

This port is used for:
The ZooKeeper JMX server to receive JMX server listening requests.
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] Yes

[Description] Zookeeper health check port. YES Persistent


Note: The port ID is a recommended value and is specified connection
based on the product. The port range is not restricted in the
code.

The source port is used for:


Performing ZooKeeper health check by binding the port
ensures that health check can be performed even in some
special scenarios and the ZooKeeper process is not killed
incorrectly.

[Whether to be enabled by default after installation] No


[Whether to be enabled after security hardening] No

[Description] ResourceManager server web http port (yarn.resourcemanager.webapp.port) YES Non-persistent connection
Note: The port range is a recommended value and is specified based on the product. The port range is not restricted in the code.

This port is used for:


Remote rest interface access ResourceManager web
Application.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] ResourceManager server web https port (yarn.resourcemanager.webapp.https.port) YES Non-persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used in https mode for:

1. Accessing the RM web application over a secure channel.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] ApplicationMaster to ResourceManager communication port (yarn.resourcemanager.scheduler.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

AM to register, heartbeat and unregister with RM.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] NodeManager to ResourceManager communication port (yarn.resourcemanager.resource-tracker.address.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


NodeManager to register, heartbeat and unregister with RM.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] The address (: port) of the applications manager interface in the RM (yarn.resourcemanager.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

1. Client to connect to RM
2. NM to connect to RM
3. AM to connect to RM

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] ResourceManager admin interface port (yarn.resourcemanager.admin.address.port). YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

1. This will be used by RM admin commands to connect and execute

[Whether to be enabled by default after installation] Yes

[Whether to be enabled after security hardening] Yes

[Description] NodeManager Webapp http port. (yarn.nodemanager.webapp.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


NodeManager Webapp http port.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] NodeManager Webapp https port. (yarn.nodemanager.webapp.https.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. Accessing NodeManager web application

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] NodeManager localizer port (yarn.nodemanager.localizer.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

1. Localizing job data from HDFS to the local machine

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] NodeManager shuffle port (mapreduce.shuffle.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. This will be used by job client during job execution

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] NodeManager shuffle port (spark.shuffle.service.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. This will be used by spark during job execution

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] NodeManager External shuffle Service port YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. This will be used by spark v2 during job execution

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] NodeManager RPC port (yarn.nodemanager.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

1. This will be used by job client during job execution

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Jobhistory server web port (mapreduce.jobhistory.webapp.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

1. Viewing the Jobhistory server web page

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Jobhistory server port (mapreduce.jobhistory.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

1. This will be used by the MapReduce client to retrieve the job data
2. Used by Job Client to get the job report.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Jobhistory server web https port (mapreduce.jobhistory.webapp.https.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:

1. Viewing the Jobhistory server web page

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Jobhistory server admin port (mapreduce.jobhistory.admin.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. Admin operations.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Application Master Info Port YES Persistent connection

This port is used for:
1. Jobclient to connect to Application master process to get the status and other information

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Application Master RPC Port for job client YES Persistent connection
This port is used for:

1. Jobclient to connect to Application master process to get the task-related information

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Application Master Info Port for tasks YES Persistent connection

This port is used for:

1. Tasks to connect to application master for publishing the status and running information

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster RPC port (HBase.master.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to HMaster.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] HMaster HTTPS port (HBase.master.info.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to HMaster UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] RS (RegionServer) RPC port (HBase.regionserver.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.
The default ports correspond to the ports used when RegionServers are deployed on the same node.

This port is used for:


HBase clients to connect to RegionServer

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTPS port (HBase.regionserver.info.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.
The default ports correspond to the ports used when RegionServers are deployed on the same node.

This port is used for:


Remote web clients to RegionServer UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Thrift Server port (HBase.thrift.info.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Thrift Server port (HBase.regionserver.thrift.port) YES Non-persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection at regionserver

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster JMX port (master.rmi.connector.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from HMaster

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTP port (regionserver.rmi.registry.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.
The default ports correspond to the ports used when RegionServers are deployed on the same node.

This port is used for:


OMA agent to collect the metrics data from Region server

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster RPC port (HBase.master.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to HMaster.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] HMaster HTTPS port (HBase.master.info.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to HMaster UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] RS (RegionServer) RPC port (HBase.regionserver.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to RegionServer

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTPS port (HBase.regionserver.info.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to RegionServer UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Thrift Server port (HBase.thrift.info.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Thrift Server port (HBase.regionserver.thrift.port) YES Non-persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection at regionserver

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster JMX port (master.rmi.connector.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from HMaster

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTP port (regionserver.rmi.registry.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from Region server

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster RPC port (HBase.master.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to HMaster.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] HMaster HTTPS port (HBase.master.info.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to HMaster UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] RS (RegionServer) RPC port (HBase.regionserver.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to RegionServer

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTPS port (HBase.regionserver.info.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to RegionServer UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Thrift Server port (HBase.thrift.info.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Thrift Server port (HBase.regionserver.thrift.port) YES Non-persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection at regionserver

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster JMX port (master.rmi.connector.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from HMaster

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTP port (regionserver.rmi.registry.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from Region server

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster RPC port (HBase.master.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to HMaster.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] HMaster HTTPS port (HBase.master.info.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to HMaster UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] RS (RegionServer) RPC port (HBase.regionserver.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to RegionServer

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTPS port (HBase.regionserver.info.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to RegionServer UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Thrift Server port (HBase.thrift.info.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Thrift Server port (HBase.regionserver.thrift.port) YES Non-persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection at regionserver

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster JMX port (master.rmi.connector.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from HMaster

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTP port (regionserver.rmi.registry.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from Region server

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster RPC port (HBase.master.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to HMaster.

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] HMaster HTTPS port (HBase.master.info.port) YES Persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to HMaster UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] RS (RegionServer) RPC port (HBase.regionserver.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


HBase clients to connect to RegionServer

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTPS port (HBase.regionserver.info.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


Remote web clients to RegionServer UI

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Thrift Server port (HBase.thrift.info.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes
[Description] Thrift Server port (HBase.regionserver.thrift.port) YES Non-persistent connection
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. listen on this port for client connection at regionserver

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] HMaster JMX port (master.rmi.connector.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from HMaster

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

[Description] Region server HTTP port (regionserver.rmi.registry.port) YES Non-persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


OMA agent to collect the metrics data from Region server

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

Port for Nimbus to provide thrift services YES Persistent connection

Port for Nimbus to provide JMX services No Non-persistent connection

Port for the UI to provide HTTPS services YES Persistent connection

Port for the UI to provide HTTP services YES Persistent connection

Port for the logviewer to provide HTTPS services YES Persistent connection

Port for the logviewer to provide HTTP services YES Persistent connection

Port for receiving service requests that are forwarded from other servers YES Persistent connection

Port for Broker to receive data and obtain services YES Persistent connection

Port for Broker to provide JMX services No Non-persistent connection

Port used by Broker to provide SASL security authentication, which provides the security Kafka service. YES Persistent connection

Port used by Broker to provide SASL security authentication, which provides the security Kafka service. YES Persistent connection

Oozie JMX port. (Oozie.rmi.connector.port, oozie.rmi.registry.port) Yes Non-persistent connection
This port is used for:
Port that provides JMX services

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

Oozie management port (OOZIE_ADMIN_PORT) Yes Non-persistent connection
This port is used for:
Managing the Oozie service.

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

User access port provided by Oozie Yes Persistent connection
This port is used for:
Accessing WebUIs

Is the port enabled by default during the installation: Yes

Is the port enabled after security hardening: Yes

User access port provided by Oozie Yes Persistent connection
This port is used for:
Accessing WebUIs

Is the port enabled by default during the installation: Yes


Is the port enabled after security hardening: Yes

Port for accessing the SolrCloud service using HTTPS Yes Persistent connection

Port for accessing the SolrCloud service using HTTP Yes Persistent connection

Port for monitoring requests for stopping Tomcat, to stop Tomcat and the SolrServer service Yes Non-persistent connection

HA heartbeat port No Non-persistent connection
This port is used for:
Transferring heartbeat messages between the active and standby nodes
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

HA file synchronization port No Non-persistent connection
This port is used for:
Synchronizing files between the active and standby nodes

HA RPC port for receiving commands No Non-persistent connection
This port is used for:
Receiving file synchronization commands
Is the port enabled by default during the installation: Yes
Is the port enabled after security hardening: Yes

HBaseIndexer RPC port No Non-persistent connection
This port is used for: Yes Persistent connection
Providing REST interfaces for configuration and running Loader jobs.
Parameter: LOADER_HTTPS_PORT
Is the default value used during the installation: Yes
Is the port enabled during security hardening: Yes

[Description] Loader JMXPort NO Non-persistent connection

Note: The default port range is used and cannot be modified.

This port is used for:

The Loader JMX server to receive JMX server listening requests.

[Whether to be enabled by default after installation] Yes

[Whether to be enabled after security hardening] Yes

Tomcat management No Persistent connection

[Description] FGCServer RPC Port. (fgcservice.rpc.server.bind.port) YES Persistent connection

Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.

This port is used for:


1. SmallFS client to communicate with FGCServer
2. FGCServer to connect to another FGCServer

[Whether to be enabled by default after installation] Yes


[Whether to be enabled after security hardening] Yes

Listening port for processing Redis protocol commands No Persistent connection

Port used for the communication between Redis servers in the Redis cluster, including heartbeat and Gossip message exchange No Persistent connection

Port for Broker to provide SSL communication, which provides the communication encryption service. YES Persistent connection

Port for Broker to provide SASL security authentication and SSL communication, which provides the security authentication and communication encryption services. YES Persistent connection

Taskmanager RPC port, an internal Flink port used for communication between the Taskmanager and Jobmanager RPC YES Persistent connection

Taskmanager Data port, an internal Flink port used for Netty data exchange between Taskmanagers YES Persistent connection

BLOB Server port, an internal Flink port used for delivering JAR files of user jobs YES Persistent connection

BLOB Server port, an internal Flink port used for delivering JAR files of user jobs YES Persistent connection

The port of the queryable state server YES Persistent connection

The port of the queryable state proxy YES Persistent connection

WebUI port used for HTTP/HTTPS communication between Client Web requests and the Flink server YES Non-persistent connection

Jobmanager RPC port, an internal Flink port used for Jobmanager RPC communication YES Persistent connection

Jobmanager RPC port, an internal Flink port used for Jobmanager RPC communication YES Persistent connection

Flink client RPC port, an internal Flink port used for communication between the Jobmanager and Flink client YES Persistent connection

RPC port of the Netty Connector feature YES Persistent connection

This Flink internal port is used only when the Netty Connector feature is adopted. It sets the range of the NettySink port.

In YARN cluster mode, this port can be configured by using nettyconnector.registerserver.topic.range to change the port range and using nettyconnector.sinkserver.subnet to change the network domain in flink-conf.yaml.

The port range used for Flink's internal metric query service YES Persistent connection

The port range used for Flink's internal metric query service YES Persistent connection

Port for accessing the Elasticsearch service using HTTP or HTTPS Yes Persistent c

Port for accessing the Elasticsearch service using RPC Yes Persistent c

The port of GraphServer is accessed using the Hypertext Transfer Protocol (HTTP). Yes Short connec

The port is used by the Tomcat of the TaskManager service. No Short connec

JMX monitoring port of the TaskManager service. No Short connec

The port is the listening port of the Socket service of GremlinServer. No Long connec

The port is the listening port of the HTTP service of GremlinServer. No Long connec

The port is used by the Tomcat of the GraphServer service. No Short connec

The port is the Java management extensions (JMX) monitoring port of the GraphServer service. No Short connec

This port is the heartbeat port in HA mode. No Long connec


This port is used to transfer heartbeat information between the
active and standby nodes.
Whether to enable this port by default: Yes
Whether to enable this port after the security hardening: Yes

This port is the file synchronization port in HA mode. No Long connec


This port is used to synchronize files between the active and
the standby nodes.
Whether to enable this port by default: Yes
Whether to enable this port after the security hardening: Yes

This port is the HA command receiving port. No Long connec


This port is used to receive file synchronization commands.
Whether to enable this port by default: Yes
Whether to enable this port after the security hardening: Yes

jmx port used by the JobHistory. No Non-persiste


JobHistory Web UI port (spark.history.ui.port) Yes Persistent c
Note: The system verifies the validity of the port according to the setting of the port. If the value is invalid, the port number is incremented by 1 until a valid value is obtained. (The upper limit is 16, and the number of retry times can be changed by configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to the setting of the port. If the value is invalid, the port number is incremented by 1 until a valid value is obtained. (The upper limit is 16, and the number of retry times can be changed by configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC rpc port (hive.spark.client.server.port) Yes Persistent c


Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
JDBC thrift port (hive.server2.thrift.port) Yes Persistent c
Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC Web UI port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Obtain resource files.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Obtain the Spark attribute of the driver.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JobHistory. No Non-persiste

jmx port used by the JDBCServer. No Non-persiste

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JobHistory. No Non-persiste

JobHistory Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Spark UI(Driver UI) port (spark.ui.port) Yes Persistent c
Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer. No Non-persiste

JDBC rpc port (hive.spark.client.server.port) Yes Persistent c


Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
JDBC Web UI port (spark.ui.port) Yes Persistent c
Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Obtain resource files.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Obtain the Spark attribute of the driver.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JobHistory. No Non-persiste

JobHistory Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer. No Non-persiste


JDBC rpc port (hive.spark.client.server.port) Yes Persistent c
Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC Web UI port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Obtain resource files.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Obtain the Spark attribute of the driver.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JobHistory. No Non-persiste

JobHistory Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Spark UI(Driver UI) port (spark.ui.port) Yes Persistent c
Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer. No Non-persiste

JDBC rpc port (hive.spark.client.server.port) Yes Persistent c


Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
JDBC Web UI port (spark.ui.port) Yes Persistent c
Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Obtain resource files.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Obtain the Spark attribute of the driver.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JobHistory. No Non-persiste

JobHistory Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer. No Non-persiste


JDBC rpc port (hive.spark.client.server.port) Yes Persistent c
Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC Web UI port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Obtain resource files.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Spark internal port. This port exists only after the Spark N/A Persistent c
application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Obtain the Spark attribute of the driver.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark internal port. This port exists only after N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x internal port, which is available only after the N/A Persistent c
Spark2x application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer2x. No Non-persiste

jmx port used by the JobHistory2x. No Non-persiste


JDBC2x rpc port (hive.spark.client.server.port) Yes Persistent c
Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC2x thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark2x CLI/JDBC2x communicates with the Spark2x
CLI/JDBC2x server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Web UI port of JDBC2x (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC2x
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JobHistory2x Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark2x History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark2x UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x internal port, which is available only after the N/A Persistent c
Spark2x application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer2x. No Non-persiste

jmx port used by the JobHistory2x. No Non-persiste


JDBC2x rpc port (hive.spark.client.server.port) Yes Persistent c
Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC2x thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark2x CLI/JDBC2x communicates with the Spark2x
CLI/JDBC2x server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Web UI port of JDBC2x (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC2x
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JobHistory2x Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark2x History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system verifies the validity of the port according to
the setting of the port. If the value is invalid, the port number
is incremented by 1 until a valid value is obtained. (The upper
limit is 16, and the number of retries can be changed by
configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark2x UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x internal port, which is available only after the N/A Persistent c
Spark2x application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer2x. No Non-persiste

jmx port used by the JobHistory2x. No Non-persiste


JDBC2x rpc port (hive.spark.client.server.port) Yes Persistent c
Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC2x thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark2x CLI/JDBC2x communicates with the Spark2x
CLI/JDBC2x server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Web UI port of JDBC2x (spark.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC2x
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JobHistory2x Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark2x History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark2x UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x internal port, which is available only after the N/A Persistent c
Spark2x application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer2x. No Non-persiste

jmx port used by the JobHistory2x. No Non-persiste


JDBC2x rpc port (hive.spark.client.server.port) Yes Persistent c
Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC2x thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark2x CLI/JDBC2x communicates with the Spark2x
CLI/JDBC2x server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Web UI port of JDBC2x (spark.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC2x
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JobHistory2x Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark2x History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark2x UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x internal port, which is available only after the N/A Persistent c
Spark2x application is started.
This port is used for: Manages data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

jmx port used by the JDBCServer2x. No Non-persiste

jmx port used by the JobHistory2x. No Non-persiste


JDBC2x rpc port (hive.spark.client.server.port) Yes Persistent c
Note: If the hive.spark.client.server.port is occupied, a
message is displayed, indicating that the port is occupied.
This port is used for:
The Spark CLI/JDBC communicates with the Spark
CLI/JDBC server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JDBC2x thrift port (hive.server2.thrift.port) Yes Persistent c


Note: If the hive.server2.thrift.port is occupied, a message is
displayed, indicating that the port is occupied.
This port is used for:
The Spark2x CLI/JDBC2x communicates with the Spark2x
CLI/JDBC2x server through socket.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Web UI port of JDBC2x (spark.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
This port is used for: The web server requests the JDBC2x
Server Web UI server to communicate with the HTTPS/HTTP
server.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode.
This port is used for: Controls message communication.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Internal port of the Spark2x. This port exists only after the N/A Persistent c
CoarseGrainedExecutorBackend is started in Yarn mode and
is used for data transmission.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

JobHistory2x Web UI port (spark.history.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
This port is used for: HTTPS/HTTP communication between
web requests and Spark2x History Server
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

Spark2x UI(Driver UI) port (spark.ui.port) Yes Persistent c


Note: The system checks whether the configured port is valid. If the
value is invalid, the port number is incremented by 1 until a valid
value is obtained. (The upper limit is 16, and the number of retries
can be changed by configuring spark.port.maxRetries.)
Note: In yarn-cluster mode, this port has no default value and
is randomly selected from 23000-23999.
The server can be configured on the GUI. The client is
configured in the spark-defaults.conf configuration file.
This port is used for: The client accesses the Spark2x UI.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes

NameNode RPC port of the FusionStorageHDFS. Yes persistent c


Note: The port number is specified by the
FusionStorageHDFS. The port range is not limited in the
code.
This port is used for:
1. Communication between the HDFS client and NameNode.
2. Connection between the Datanode and NameNode.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Datanode data conversion port. No persistent c
(dfs.datanode.port)
Note: The value range of the port is a recommended value,
which is specified by the FusionStorageHDFS. The port range
is not limited in the code.
This port is used for:
1. The HDFS client converts data from DataNodes or converts
data to DataNodes.
2. Point-to-point data conversion between DataNodes.
Indicates whether to enable the function by default during
installation. The options are as follows: Yes
Indicates whether to enable the function after security
hardening. Yes
Authentication Mode (Security Mode) Authentication Mode (Normal Mode)

Username and password, or Public Key Username and password, or Public Key

NTP authentication NTP authentication

N/A N/A

SNMP v2 Community SNMP v2 Community


SNMP v3 HMAC-SHA/HMAC-MD5 SNMP v3 HMAC-SHA/HMAC-MD5

N/A N/A
N/A N/A

N/A N/A

N/A N/A

N/A N/A

Username and password Username and password

N/A N/A
Certificate Certificate

Certificate Certificate

N/A N/A

N/A N/A

HMAC-SHA HMAC-SHA

N/A N/A
N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A
N/A N/A

N/A N/A

N/A N/A

Keytab Keytab

Keytab Keytab

N/A N/A

N/A N/A
N/A N/A

Username and password Username and password

N/A N/A

N/A N/A

Username and password+SFTP Service Username and password


PublicKey

N/A N/A

Username and password Username and password

TOKEN TOKEN
Username and password Username and password

Username and password+SFTP Service Username and password


PublicKey

Username and password Username and password

N/A N/A

HMAC-SHA HMAC-SHA
N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A
N/A N/A

Keytab N/A

Keytab N/A

Keytab N/A
N/A N/A

DIGEST N/A

N/A N/A

N/A N/A
Keytab N/A

Keytab N/A

Keytab N/A

N/A N/A
DIGEST N/A

N/A N/A

N/A N/A

Keytab N/A
Keytab N/A

Keytab N/A

N/A N/A

DIGEST N/A
N/A N/A

N/A N/A

Keytab N/A

Keytab N/A
Keytab N/A

N/A N/A

DIGEST N/A

N/A N/A
N/A N/A

Keytab N/A

Keytab N/A

Keytab N/A
N/A N/A

DIGEST N/A

N/A N/A

N/A N/A

There is no authentication mode by default. You are advised to configure SSL bidirectional authentication based on the CPI documentation. N/A

There is no authentication mode by default. You are advised to configure SSL bidirectional authentication based on the CPI documentation. N/A
Username and password Username and password

Username and password Username and password

Username and password Username and password

Username and password Username and password

Username and password, or keytab file certification Username and password, or keytab file certification

Username and password, or keytab file certification Username and password, or keytab file certification
Username and password Username and password

Username and password Username and password

Username and password Username and password

Username and password Username and password

Username and password Username and password

Username and password N/A


N/A N/A

Username and password N/A

Username and password TLS

Username and password TLS

Username and password Username and password

N/A N/A
N/A N/A

Username and password N/A

Username and password TLS

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

N/A N/A

Keytab N/A

Keytab N/A
N/A N/A

Keytab N/A

Keytab N/A

N/A N/A
Keytab N/A

Keytab None

Keytab None
Keytab None

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Internal communication between the processes Internal communication between the processes

N/A N/A

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

IP Filtering N/A

IP Filtering N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

IP Filtering N/A

IP Filtering N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

IP Filtering N/A

IP Filtering N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

IP Filtering N/A

IP Filtering N/A

Keytab N/A
Keytab N/A

Keytab N/A

Keytab N/A

Keytab N/A
Keytab N/A

IP Filtering N/A

IP Filtering N/A

Keytab N/A

IP Filtering IP Filtering

Username and password N/A

N/A N/A
Username and password N/A

N/A N/A

Internal communication between the processes Internal communication between the processes

N/A N/A

N/A N/A

Keytab N/A

Keytab N/A

N/A N/A

N/A N/A

Username and password Username and password


N/A N/A

Keytab N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

Keytab N/A
Username and password or keytab file authentication N/A

N/A N/A

N/A N/A

Keytab N/A

Keytab N/A

Access between internal processes Access between internal processes

N/A N/A

Keytab N/A

Security Cookie authentication is supported. N/A


Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Whitelist filtering is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Security Cookie authentication is supported. N/A

Keytab None
Access between internal processes None

Username and password Username and password

None None

None None

None None
None None

None None

None None

None None

None None

None None

None None
keytab/Username and password None

keytab/Username and password None

Keytab None
Keytab None

keytab/Username and password None

digest None

digest None

digest None
digest None

digest None

None None

None None

digest None

None None

keytab/Username and password None


keytab/Username and password None

None None

Keytab None

Keytab None
keytab/Username and password None

digest None

digest None

digest None

digest None
digest None

digest None

None None

keytab/Username and password None

keytab/Username and password None

None None
Keytab None

Keytab None

keytab/Username and password None

digest None

digest None
digest None

digest None

digest None

digest None

None None

keytab/Username and password None


keytab/Username and password None

None None

Keytab None

Keytab None
keytab/Username and password None

digest None

digest None

digest None

digest None
digest None

digest None

None None

keytab/Username and password None

keytab/Username and password None

None None
Keytab None

Keytab None

keytab/Username and password None

digest None

digest None
digest None

digest None

digest None

digest None

digest None

None None

None None
Keytab None

Keytab None

keytab/Username and password None

digest None
digest None

keytab/Username and password None

keytab/Username and password None

digest None

None None

None None
Keytab None

Keytab None

keytab/Username and password None

digest None
digest None

keytab/Username and password None

keytab/Username and password None

digest None

None None

None None
Keytab None

Keytab None

keytab/Username and password None

digest None
digest None

keytab/Username and password None

keytab/Username and password None

digest None

None None

None None
Keytab None

Keytab None

keytab/Username and password None

digest None
digest None

keytab/Username and password None

keytab/Username and password None

digest None

None None

None None
Keytab None

Keytab None

keytab/Username and password None

digest None
digest None

keytab/Username and password None

keytab/Username and password None

kerberos+token None
kerberos+token None
Encryption Mode (Security Mode) | Encryption Mode (Normal Mode) | Plane | Destination Port Enabled for External Access (Yes/No)
RSA encryption and asymmetric encryption algorithms | RSA encryption and asymmetric encryption algorithms | Management plane | Yes
MD5-key | MD5-key | Management plane | Yes
N/A | N/A | External plane | Yes
SNMP v2 N/A, SNMP v3 AES256/AES192/AES128/DES | SNMP v2 N/A, SNMP v3 AES256/AES192/AES128/DES | External plane | Yes
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
TLS | TLS | External plane | Yes
N/A | N/A | Management plane | No
TLS | TLS | Management plane | No
TLS | TLS | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
TLS | TLS | External plane | Yes
TLS | TLS | Management plane | No
TLS | TLS | External plane | Yes
TLS | TLS | External plane | Yes
N/A | N/A | Management plane | No
N/A | N/A | Management plane | No
SSH v2 | SSH v2 | External plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | External plane | Yes
N/A | N/A | External plane | Yes

SSH v2 | SSH v2 | External plane | Yes
TLS | N/A | External plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No
AES128 | N/A | Service plane | Yes
N/A | N/A | Service plane | No

N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
TLS | TLS | Service plane | No
AES256 | AES256 | Service plane | No
AES256 | AES256 | Service plane | No
AES256 | AES256 | Service plane | No
AES256 | AES256 | Service plane | Yes
AES256 | AES256 | Management plane | No
AES256 | AES256 | Management plane | No
AES256 | AES256 | Management plane | No
AES256 | AES256 | Management plane | No
TLS1.0 or later (except the weak password suite) | SSLv3 or later (except the weak password suite) | Management plane | No
TLS1.0 or later (except the weak password suite) | SSLv3 or later (except the weak password suite) | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
TLS | TLS | Service plane | Yes
TLS | TLS | Service plane | Yes
TLS | TLS | Management plane | No
N/A | N/A | Service plane | No
N/A | N/A | Management plane | No
N/A | N/A | Service plane | Yes
TLS | TLS | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
None | None | Service plane | Yes
None | None | Service plane | Yes
None | None | Service plane | Yes
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes

N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No

RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
RPC encryption | N/A | Service plane | Yes
TLS | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | No
TLS | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | TLS | Service plane | No
N/A | N/A | Service plane | No
TLS | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
TLS | TLS | Service plane | Yes
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | Yes
N/A | N/A | Service plane | No
SSL | SSL | Service plane | Yes
SSL | N/A | Service plane | Yes
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No
N/A | N/A | Service plane | No
N/A | N/A | Service plane | No
None. The port is accessed through the ResourceManager page in Flink on YARN mode. | N/A | Service plane | No
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No
SSL | N/A | Service plane | No

TLS None Service planYes


TLS None Service planYes

TLS TLS Service planYes

None None Service planNo

None None Service planNo

None None Service planNo


None None Service planNo

None None Service planNo

None None Service planNo

None None Service planNo

None None Service planNo

None None Service planNo

None None Service planYes


TLS None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

TLS None Service planYes


TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

None None Service planYes

TLS None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

TLS None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

TLS None Service planYes


TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

None None Service planYes

TLS None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

TLS None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

TLS None Service planYes

TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

TLS None Service planYes

TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

TLS None Service planYes

TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

TLS None Service planYes

TLS None Service planYes

None None Service planYes

None None Service planYes

None None Service planYes


None None Service planYes

None None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes

TLS None Service planYes

TLS None Service planYes

None None Service planYes


None None Service planYes
Whether the Port Relies on the Client (Yes/No) | Special Scenario | Subsystem | Data Transmission Direction in DMZ-based Deployment (between internal communication planes by default)

No You are advised to harden the security of the OS Management to APP


sshd service, including but not limited to: Between APP nodes
1. Ensure that only the SSH2 protocol is
supported.
2. Set the permission for the
/etc/ssh/sshd_config file to 600.
3. Set SSH MaxAuthTries to 4 or less.
4. Set SSH IgnoreRhosts to yes.
5. Set SSH HostbasedAuthentication to no.
6. Set SSH PermitEmptyPasswords to no.

No The port listens on the whole network and this cannot be changed by configuration. Setting firewall filtering to allow access only from management plane IP addresses is recommended. OS APP to untrusted
Between APP nodes
No N/A Manager Untrusted to APP
(The destination port is
on the service plane.)

No N/A Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes
No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No N/A Manager Untrusted to APP


DMZ to APP
(The destination port is
on the service plane.)

No N/A Manager Between APP nodes


No N/A Manager Between APP nodes

No N/A Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No N/A Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes
No N/A Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No N/A Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes
No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No N/A Manager Between APP nodes

No N/A Manager Between APP nodes

No N/A Manager Untrusted to APP


DMZ to APP
(The destination port is
on the service plane.)

No N/A Manager Between APP nodes


No N/A Manager Untrusted to APP
(The destination port is
on the service plane.)

No N/A Manager Untrusted to APP


(The destination port is
on the service plane.)

No Only the local IP address can access the port. Manager Between APP nodes

No Only the local IP address can access the port. Manager Between APP nodes

No N/A Manager Between APP nodes

No N/A Manager Between APP nodes

No N/A Manager Between APP nodes

No N/A Manager Between APP nodes


No N/A Manager Between APP nodes

No N/A Manager Between APP nodes

No N/A Manager Between APP nodes

No N/A DBService Between APP nodes

No N/A DBService Between APP nodes


No Only the local IP address can access the port. DBService Between APP nodes

No N/A DBService Between APP nodes

No N/A DBService Between APP nodes

No Only the local IP address can access the port. DBService Between APP nodes

No N/A Hive Between APP nodes


No N/A Hive Between APP nodes

Yes N/A Hive Between APP nodes

Yes N/A Hive Between APP nodes

No N/A Hive Between APP nodes


No N/A Hive Between APP nodes

No N/A Hive Between APP nodes

No N/A Hive1 Between APP nodes

No N/A Hive1 Between APP nodes


Yes N/A Hive1 Between APP nodes

Yes N/A Hive1 Between APP nodes

No N/A Hive1 Between APP nodes

No N/A Hive1 Between APP nodes


No N/A Hive1 Between APP nodes

No N/A Hive2 Between APP nodes

No N/A Hive2 Between APP nodes

Yes N/A Hive2 Between APP nodes


Yes N/A Hive2 Between APP nodes

No N/A Hive2 Between APP nodes

No N/A Hive2 Between APP nodes

No N/A Hive2 Between APP nodes


No N/A Hive3 Between APP nodes

No N/A Hive3 Between APP nodes

Yes N/A Hive3 Between APP nodes

Yes N/A Hive3 Between APP nodes


No N/A Hive3 Between APP nodes

No N/A Hive3 Between APP nodes

No N/A Hive3 Between APP nodes

No N/A Hive4 Between APP nodes


No N/A Hive4 Between APP nodes

Yes N/A Hive4 Between APP nodes

Yes N/A Hive4 Between APP nodes

No N/A Hive4 Between APP nodes


No N/A Hive4 Between APP nodes

No N/A Hive4 Between APP nodes

No N/A Flume Between APP nodes

Yes N/A Flume Between APP nodes

Yes N/A Flume Between APP nodes

Yes N/A Flume Between APP nodes


No N/A Hue Between APP nodes

No N/A Kerberos Between APP nodes

No N/A Kerberos Between APP nodes

No N/A Kerberos Between APP nodes

Yes N/A Kerberos Between APP nodes

No N/A Kerberos Between APP nodes


No N/A Kerberos Between APP nodes

No N/A Kerberos Between APP nodes

No N/A Kerberos Between APP nodes

No N/A LDAP Between APP nodes

No N/A LDAP Between APP nodes

Yes N/A FTPServer Between APP nodes


Yes N/A FTPServer Between APP nodes

No N/A FTPServer Between APP nodes

Yes N/A FTPServer Between APP nodes

Yes N/A FTPServer Between APP nodes

No N/A MetaData Between APP nodes

No N/A MetaData Between APP nodes


No Only the local IP address can access the port. MetaData Between APP nodes

Yes N/A FTPServer Between APP nodes

Yes N/A FTPServer Between APP nodes

Yes N/A HDFS Between APP nodes

Yes This port needs to be enabled only when WebHDFS HTTP is used to access HDFS. HDFS Between APP nodes

Yes This port needs to be enabled only when WebHDFS HTTPS is used to access HDFS. HDFS Between APP nodes

No N/A HDFS Between APP nodes

No N/A HDFS Between APP nodes

Yes N/A HDFS Between APP nodes


Yes N/A HDFS Between APP nodes

Yes This port needs to be enabled only when WebHDFS HTTP is used to access HDFS. HDFS Between APP nodes

Yes This port needs to be enabled only when WebHDFS HTTP is used to access HDFS. HDFS Between APP nodes

No N/A HDFS Between APP nodes


No N/A HDFS Between APP nodes

No N/A HDFS Between APP nodes

No N/A HDFS Between APP nodes

Yes N/A HDFS Between APP nodes


No N/A HDFS Between APP nodes

Yes This port needs to be enabled only when Router is used. HDFS Between APP nodes

Yes This port needs to be enabled only when Router is used. HDFS Between APP nodes

Yes This port needs to be enabled only when Router is used. HDFS Between APP nodes

Yes This port needs to be enabled only when Router is used. HDFS Between APP nodes

N/A HDFS Between APP nodes


N/A HDFS Between APP nodes

No N/A ZooKeeper Between APP nodes

No N/A ZooKeeper Between APP nodes

Yes N/A ZooKeeper Between APP nodes


No N/A ZooKeeper Between APP nodes

Yes N/A ZooKeeper Between APP nodes

No N/A ZooKeeper Between APP nodes

Yes N/A Yarn Between APP nodes


Yes N/A Yarn Between APP nodes

No N/A Yarn Between APP nodes

No N/A Yarn Between APP nodes


Yes N/A Yarn Between APP nodes

Yes N/A Yarn Between APP nodes

Yes N/A Yarn Between APP nodes

Yes N/A Yarn Between APP nodes


No N/A Yarn Between APP nodes

No N/A Yarn Between APP nodes

No N/A Yarn Between APP nodes

No N/A Yarn Between APP nodes


No N/A Yarn Between APP nodes

No N/A Mapreduce Between APP nodes

Yes N/A Mapreduce Between APP nodes

No N/A Mapreduce Between APP nodes


No N/A Mapreduce Between APP nodes

No N/A Yarn Between APP nodes

No N/A Yarn Between APP nodes

No N/A Yarn Between APP nodes

Yes N/A HBase Between APP nodes


Yes N/A HBase Between APP nodes

Yes N/A HBase Between APP nodes

Yes N/A HBase Between APP nodes

Yes N/A HBase Between APP nodes


Yes N/A HBase Between APP nodes

No N/A HBase Between APP nodes

No N/A HBase Between APP nodes

Yes N/A HBase1 Between APP nodes


Yes N/A HBase1 Between APP nodes

Yes N/A HBase1 Between APP nodes

Yes N/A HBase1 Between APP nodes

Yes N/A HBase1 Between APP nodes


Yes N/A HBase1 Between APP nodes

No N/A HBase1 Between APP nodes

No N/A HBase1 Between APP nodes

Yes N/A HBase2 Between APP nodes


Yes N/A HBase2 Between APP nodes

Yes N/A HBase2 Between APP nodes

Yes N/A HBase2 Between APP nodes

Yes N/A HBase2 Between APP nodes


Yes N/A HBase2 Between APP nodes

No N/A HBase2 Between APP nodes

No N/A HBase2 Between APP nodes

Yes N/A HBase3 Between APP nodes


Yes N/A HBase3 Between APP nodes

Yes N/A HBase3 Between APP nodes

Yes N/A HBase3 Between APP nodes

Yes N/A HBase3 Between APP nodes


Yes N/A HBase3 Between APP nodes

No N/A HBase3 Between APP nodes

No N/A HBase3 Between APP nodes

Yes N/A HBase4 Between APP nodes


Yes N/A HBase4 Between APP nodes

Yes N/A HBase4 Between APP nodes

Yes N/A HBase4 Between APP nodes

Yes N/A HBase4 Between APP nodes


Yes N/A HBase4 Between APP nodes

No N/A HBase4 Between APP nodes

No N/A HBase4 Between APP nodes

No N/A Storm Between APP nodes

No N/A Storm Between APP nodes

No N/A Storm Between APP nodes

No N/A Storm Between APP nodes


No N/A Storm Between APP nodes

No N/A Storm Between APP nodes

Yes N/A Storm Between APP nodes

Yes N/A Kafka Between APP nodes

Yes N/A Kafka Between APP nodes

Yes For use in systems where the secure version is installed. Kafka Between APP nodes

Yes For use in systems where the secure version is installed. Kafka Between APP nodes

No N/A Oozie Between APP nodes

No This port can be accessed only by a local IP address. Oozie Between APP nodes

No N/A Oozie Untrusted to APP


(The destination port is
on the service plane.)
No N/A Oozie Untrusted to APP
(The destination port is
on the service plane.)

Yes N/A Solr Between APP nodes

Yes For use in systems where the normal mode version is installed. Solr Between APP nodes

No This port can be accessed only by a local IP address. Solr Between APP nodes

No N/A Solr Between APP nodes

No N/A Solr Between APP nodes

No This port can be accessed only by a local IP address. Solr Between APP nodes

No N/A Solr Between APP nodes


No N/A Loader Between APP nodes

No N/A Loader Between APP nodes

No This port can be accessed only by a local IP address. Loader Between APP nodes

Yes N/A SmallFS Between APP nodes

Yes N/A Redis Between APP nodes

No N/A Redis Between APP nodes

Yes N/A Kafka Between APP nodes

Yes For use in systems where the secure version is installed. Kafka Between APP nodes

Yes N/A Flink Between APP nodes


Yes N/A Flink Between APP nodes

Yes N/A Flink Between APP nodes

Yes N/A Flink Between APP nodes

No N/A Flink Between APP nodes

No N/A Flink Between APP nodes

Yes N/A Flink Untrusted to APP


(The destination port is
on the service plane.)

Yes N/A Flink Between APP nodes

Yes N/A Flink Between APP nodes

Yes N/A Flink Between APP nodes

Yes N/A Flink Between APP nodes

Yes N/A Flink Between APP nodes

Yes N/A Flink Between APP nodes

Yes None Elasticsearc Between APP nodes


Yes None Elasticsearc Between APP nodes

Yes None GraphBase Between APP nodes

No No GraphBase Between APP nodes

No No GraphBase Between APP nodes

No None GraphBase Between APP nodes


Yes This scenario is only applicable to requests from the current node. GraphBase Between APP nodes

No None GraphBase Between APP nodes

No None GraphBase Between APP nodes

No None GraphBase Between APP nodes

No None GraphBase Between APP nodes

No This scenario is only applicable to requests from the current node. GraphBase Between APP nodes

Yes None Spark Between APP nodes


Yes None Spark Untrusted to APP
(The destination port is
on the service plane.)

Yes None Spark Between APP nodes

Yes None Spark Between APP nodes


Yes None Spark Between APP nodes

Yes None Spark Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark Between APP nodes

Yes None Spark Between APP nodes

Yes None Spark Between APP nodes


Yes None Spark Between APP nodes

Yes None Spark Between APP nodes

Yes None Spark Between APP nodes

Yes None Spark Between APP nodes

Yes None Spark Between APP nodes

Yes None Spark1 Between APP nodes

Yes None Spark1 Untrusted to APP


(The destination port is
on the service plane.)
Yes None Spark1 Between APP nodes

Yes None Spark1 Between APP nodes

Yes None Spark1 Between APP nodes

Yes None Spark1 Between APP nodes


Yes None Spark1 Untrusted to APP
(The destination port is
on the service plane.)

Yes None Spark1 Between APP nodes

Yes None Spark1 Between APP nodes

Yes None Spark1 Between APP nodes

Yes None Spark1 Between APP nodes


Yes None Spark1 Between APP nodes

Yes None Spark1 Between APP nodes

Yes None Spark2 Between APP nodes

Yes None Spark2 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2 Between APP nodes

Yes None Spark2 Between APP nodes


Yes None Spark2 Between APP nodes

Yes None Spark2 Between APP nodes

Yes None Spark2 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2 Between APP nodes

Yes None Spark2 Between APP nodes


Yes None Spark2 Between APP nodes

Yes None Spark2 Between APP nodes

Yes None Spark2 Between APP nodes

Yes None Spark2 Between APP nodes

Yes None Spark3 Between APP nodes

Yes None Spark3 Untrusted to APP


(The destination port is
on the service plane.)
Yes None Spark3 Between APP nodes

Yes None Spark3 Between APP nodes

Yes None Spark3 Between APP nodes

Yes None Spark3 Between APP nodes


Yes None Spark3 Untrusted to APP
(The destination port is
on the service plane.)

Yes None Spark3 Between APP nodes

Yes None Spark3 Between APP nodes

Yes None Spark3 Between APP nodes

Yes None Spark3 Between APP nodes


Yes None Spark3 Between APP nodes

Yes None Spark3 Between APP nodes

Yes None Spark4 Between APP nodes

Yes None Spark4 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark4 Between APP nodes

Yes None Spark4 Between APP nodes


Yes None Spark4 Between APP nodes

Yes None Spark4 Between APP nodes

Yes None Spark4 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark4 Between APP nodes

Yes None Spark4 Between APP nodes


Yes None Spark4 Between APP nodes

Yes None Spark4 Between APP nodes

Yes None Spark4 Between APP nodes

Yes None Spark4 Between APP nodes

Yes None Spark2x Between APP nodes

Yes None Spark2x Between APP nodes

Yes None Spark2x Between APP nodes


Yes None Spark2x Between APP nodes

Yes None Spark2x Between APP nodes

Yes None Spark2x Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x Between APP nodes


Yes None Spark2x Between APP nodes

Yes None Spark2x Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x Between APP nodes

Yes None Spark2x1 Between APP nodes

Yes None Spark2x1 Between APP nodes

Yes None Spark2x1 Between APP nodes


Yes None Spark2x1 Between APP nodes

Yes None Spark2x1 Between APP nodes

Yes None Spark2x1 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x1 Between APP nodes


Yes None Spark2x1 Between APP nodes

Yes None Spark2x1 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x1 Between APP nodes

Yes None Spark2x2 Between APP nodes

Yes None Spark2x2 Between APP nodes

Yes None Spark2x2 Between APP nodes


Yes None Spark2x2 Between APP nodes

Yes None Spark2x2 Between APP nodes

Yes None Spark2x2 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x2 Between APP nodes


Yes None Spark2x2 Between APP nodes

Yes None Spark2x2 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x2 Between APP nodes

Yes None Spark2x3 Between APP nodes

Yes None Spark2x3 Between APP nodes

Yes None Spark2x3 Between APP nodes


Yes None Spark2x3 Between APP nodes

Yes None Spark2x3 Between APP nodes

Yes None Spark2x3 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x3 Between APP nodes


Yes None Spark2x3 Between APP nodes

Yes None Spark2x3 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x3 Between APP nodes

Yes None Spark2x4 Between APP nodes

Yes None Spark2x4 Between APP nodes

Yes None Spark2x4 Between APP nodes


Yes None Spark2x4 Between APP nodes

Yes None Spark2x4 Between APP nodes

Yes None Spark2x4 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x4 Between APP nodes


Yes None Spark2x4 Between APP nodes

Yes None Spark2x4 Untrusted to APP


(The destination port is
on the service plane.)

Yes None Spark2x4 Between APP nodes

No None FusionStor Between APP nodes


No None FusionStor Between APP nodes
Remarks

Supported TLS versions: TLSv1.1 and TLSv1.2
N/A
Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2

N/A
When the OS OpenLDAP version is earlier than 2.4.39, SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 are supported. When the OpenLDAP version is 2.4.39, TLSv1.0, TLSv1.1,
Supported TLS versions: TLSv1.1 and TLSv1.2
TLSv1.1 and TLSv1.2

Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2

Supported TLS versions: TLSv1.1 and TLSv1.2
N/A
Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2

Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2
Supported TLS versions: TLSv1.1 and TLSv1.2

N/A

N/A

Supported TLS versions: TLSv1.1 and TLSv1.2

N/A
N/A
This port will be deleted from the official version. Therefore, do not use it. This interface is not supported in security mode.
Supported TLS versions: TLS1.1, TLS1.2
Supported TLS versions: TLS1.1, TLS1.2
System Source Device Source IP Address Source Port Destination Device

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

iMaster NCE
Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Controller server IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes Any port Controller server

Kerberos client IP addresses of internal communicatio Random Kerberos

Kerberos client IP addresses of internal communicatio Random Kerberos

Kerberos client IP addresses of internal communicatio Random Kerberos

Kerberos client IP addresses of internal communicatio Random Kerberos

HDFS client/DataNode and Mapred processes IP addresses of internal communicatio Random NameNode

FI
HDFS client/Peer DataNode IP addresses of internal communicatio Random Datanode

FI
HBase clients (RegionServer and user clients) IP addresses of internal communicatio Random HMaster

HMaster and user clients (HBase clients) IP addresses of internal communicatio Random RegionServer

ZooKeeper clients Machines where the zookeeper clients are running Random Zookeeper
Destination IP Address Destination Port (Listening) Protocol Port Description

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 26500 to 26509 TCP Listening port allocated by the MCDeployService to the MySQL, Gauss and Zenith databases. This port is used by applications to access relational databases.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 26950 to 26969 TCP This port is used as a listening port for data synchronization between relational database clusters (Gauss).

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 27320 TCP Ports for communication between primary and secondary sites. This port is disabled by default and needs to be enabled in geographic redundancy scenarios.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 32080 to 32089 TCP Listening port allocated by the MCDeployService to the MySQL, Gauss and Zenith databases. This port is used by applications to access relational databases.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 26328 TCP Listening port allocated by the MessagingBrokeService.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 32041 TCP Request port of the application plane ZooKeeper.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 22 TCP Listening port for the SFTP process. This port provides secure file transfer services and is used to copy CA certificates. When the arbitration software is installed, the arbitration port information is transmitted to the active and standby commonservice nodes.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 123 UDP Default NTP listening port. This port is used to ensure that the time of all Agent application nodes is the same.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 2390,2392,2394,2396,2398,2400,2402,2404,2406,2408 TCP Port used by the arbitration service of the DR system. This port is used by the arbitration-etcd process and the DRService connects to this port to obtain the arbitration status.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 2391,2393,2395,2397,2399,2401,2403,2405,2407,2409 TCP Port used by the arbitration service of the DR system. This port is used by the arbitration-etcd process for internal ETCD communication as well as raft status and data synchronization.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 8099 TCP Port used by the arbitration service of the DR system. This port is used by the arbitration-monitor process for heartbeat detection between arbitration-monitor processes of active and standby clusters.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 9001 TCP Port used by the automatic switchover service of the DR system. This port is the listening port of the DRService process used for heartbeat detection of the DR system.

IP addresses of internal communication NICs on the first and second Agile Controller-Campus nodes 26330 TCP SSL-encrypted listening port for HIROBERService. This port is used for cross-domain access between servers.

IP addresses of internal communicat The value depends on the actual configuration. The default value is 21730. TCP [Description] Kerberos port for user management (KADMIN_PORT)
This port is a Kerberos port for user management.
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

IP addresses of internal communicat The value depends on the actual configuration. The default value is 21731. UDP [Description] Kerberos port for password change (KPASSWD_PORT)
This port is a Kerberos port for password change.
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

IP addresses of internal communicat The value depends on the actual configuration. The default value is 21731. TCP [Description] Kerberos port for password change (KPASSWD_PORT)
This port is a Kerberos port for password change.
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

IP addresses of internal communicat The value depends on the actual configuration. The default value is 21732. UDP [Description] Kerberos port for authentication (kdc_ports)
This is a Kerberos port for authentication.
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

IP addresses of internal communicat The value depends on the actual configuration. The default value is 25000. TCP [Description] NameNode RPC port (dfs.namenode.rpc.port)
Note: The actual port range varies depending on products and no limit is imposed on the port range. You can use the recommended port range. The port range is not restricted in the code.
This port is used for:
1. Communication between HDFS clients and NameNode.
2. Connection between DataNode and NameNode.
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

IP addresses of internal communicat The value depends on the actual configuration. The default value is 25009. TCP [Description] Datanode Port for data transfer (dfs.datanode.port)
Note: The actual port range varies depending on products and no limit is imposed on the port range. You can use the recommended port range. The port range is not restricted in the code.
This port is used for:
1. HDFS clients for transferring data to/from DataNode
2. Peer DataNode to transfer data
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

IP addresses of internal communicat The value depends on the actual configuration. The default value is 21300. TCP [Description] HMaster RPC port (HBase.master.port)
Note: The actual port range varies depending on products and no limit is imposed on the port range. You can use the recommended port range. The port range is not restricted in the code.
This port is used for:
HBase clients to connect to HMaster.
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

IP addresses of internal communicat The value depends on the actual configuration. The default value is 21302, 21025, 21026, 21027, or 21028. TCP [Description] RS (RegionServer) RPC port (HBase.regionserver.port)
Note: The actual port range varies depending on products and no limit is imposed on the port range. You can use the recommended port range. The port range is not restricted in the code.
Multiple default ports correspond to the ports used when multiple RegionServers are deployed on the same server.
This port is used for:
HBase clients to connect to RegionServer
[Whether to be enabled by default during installation] Yes
[Whether to be enabled after security hardening] Yes

Zookeeper Machine IP Default: 24002 TCP [Description] Zookeeper clientPort (clientPort)
Note: The port range is a recommended configuration assigned by the product and is not restricted in the code.
This port is used for:
Zookeeper clients to connect to the zookeeper server.
[Whether to be enabled by default after installation] Yes
[Whether to be enabled after security hardening] Yes
Listening Port Configurable (Y/N) Authentication Mode Encryption Mode Special Scenario Communication Network Between Primary and Secondary Clusters in the DR System

N Username and password None Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

N Digital certificate (two-way) None Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

Y Digital certificate (two-way) SSL/TLS Port connecting primary and secondary sites Internal communication plane in the DB zones of the primary and secondary clusters

N Username and password None Port connecting primary and secondary sites Internal communication plane in the DB zones of the primary and secondary clusters

N Digital certificate (two-way) HTTPS Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

N Digital certificate (two-way) SSL/TLS Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

N Username and password SSH Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

N HMAC-SHA256 None Distributed scenario where the NTP server functions as the client Internal communication plane in the APP zones of the primary and secondary clusters

N Digital certificate (two-way) SSL/TLS Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

N Digital certificate (two-way) SSL/TLS Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

N Digital certificate (two-way) SSL/TLS Port connecting primary and secondary sites Internal communication plane in the APP zones of the primary and secondary clusters

N Digital certificate (two-way) SSL/TLS Port connecting primary and secondary sites. Heartbeat communication between two clusters working in DR mode Internal communication plane in the APP zones of the primary and secondary clusters

N Digital certificate (two-way) HTTPS DR scenario where the standby node receives the file change message from the active node and triggers file synchronization through HFS Internal communication plane in the APP zones of the primary and secondary clusters

Y Username and password Username and password Kerberos Internal communication plane in the APP zones of the primary and secondary clusters

Y Username and password Username and password Kerberos Internal communication plane in the DB zones of the primary and secondary clusters

Y Username and password Username and password Kerberos Internal communication plane in the APP zones of the primary and secondary clusters

Y Username and password or keytab files Username and password or keytab files Kerberos Internal communication plane in the APP zones of the primary and secondary clusters

Y Keytab None HDFS Internal communication plane in the APP zones of the primary and secondary clusters

Y Keytab None HDFS Internal communication plane in the APP zones of the primary and secondary clusters

Y Keytab None HBase Internal communication plane in the APP zones of the primary and secondary clusters

Y Keytab None HBase Internal communication plane in the APP zones of the primary and secondary clusters

YES Keytab N/A ZooKeeper Internal communication plane in the APP zones of the primary and secondary clusters
770259839.xlsx

The internal ports used by FusionCompute are as follows:


For the list of ports that must be opened for the FusionCompute, see:

FusionCompute 8.0.0 Communication Matrix


https://support.huawei.com/carrier/docview?nid=DOC1100642223&path=PBI1-21430725/PBI1-23710112/PBI1-21431666/PBI1-21462737/PBI1-8576912&detailId=PBI1-250482695
