Default Open Ports in Cumulus Linux and NetQ

Cumulus Linux Ports

The following ports are opened when a switch running Cumulus Linux 3.2 or later boots up:

| Internet Protocol | Port | Protocol |
|---|---|---|
| TCP | 22 | Secure Shell (ssh) |
| TCP | 53 | DNS forwarder and DHCP server (dnsmasq) (RMP only) |
| TCP6 | 22 | Secure Shell (ssh) |
| TCP6 | 53 | DNS forwarder and DHCP server (dnsmasq) (RMP only) |
| UDP | 53 | DNS forwarder and DHCP server (dnsmasq) (RMP only) |
| UDP | 68* | DHCP client (dhclient) |
| UDP | 123 | Network Time Protocol (ntp) |
| UDP | 3784/3785/4784 | Prescriptive Topology Manager (ptm) |
| UDP6 | 53 | DNS forwarder and DHCP server (dnsmasq) (RMP only) |
| UDP6 | 123 | Network Time Protocol (ntp) |
| UDP6 | 3784/4784 | Prescriptive Topology Manager (ptm) |
| UDP6 | * | DHCP client (dhclient) |

*Has a dynamically assigned port.

The ports can be seen with the following command:

cumulus@switch:~$ sudo netstat -nlp --inet --inet6

Active Internet Connections (only servers)

Protocol  Recv-Q  Send-Q  Local Address            Foreign Address  State   PID/Program name
tcp       0       0       0.0.0.0:53               0.0.0.0:*        LISTEN  444/dnsmasq
tcp       0       0       0.0.0.0:22               0.0.0.0:*        LISTEN  874/sshd
tcp6      0       0       :::53                    :::*             LISTEN  444/dnsmasq
tcp6      0       0       :::22                    :::*             LISTEN  874/sshd
udp       0       0       0.0.0.0:28450            0.0.0.0:*                839/dhclient
udp       0       0       0.0.0.0:53               0.0.0.0:*                444/dnsmasq
udp       0       0       0.0.0.0:68               0.0.0.0:*                839/dhclient
udp       0       0       192.168.0.42:123         0.0.0.0:*                907/ntpd
udp       0       0       127.0.0.1:123            0.0.0.0:*                907/ntpd
udp       0       0       0.0.0.0:123              0.0.0.0:*                907/ntpd
udp       0       0       0.0.0.0:4784             0.0.0.0:*                909/ptmd
udp       0       0       0.0.0.0:3784             0.0.0.0:*                909/ptmd
udp       0       0       0.0.0.0:3785             0.0.0.0:*                909/ptmd
udp6      0       0       :::58352                 :::*                     839/dhclient
udp6      0       0       :::53                    :::*                     444/dnsmasq
udp6      0       0       fe80::a200:ff:fe00::123  :::*                     907/ntpd
udp6      0       0       ::1:123                  :::*                     907/ntpd
udp6      0       0       :::123                   :::*                     907/ntpd
udp6      0       0       :::4784                  :::*                     909/ptmd
udp6      0       0       :::3784                  :::*                     909/ptmd
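
The default-port table and the netstat listing above can serve as a baseline for spotting unexpected listeners on a switch. The following is an added example, not part of the original page or of Cumulus Linux: it parses netstat output and reports sockets that deviate from the documented defaults. The sample input, the function names, and the processes python3, otherd and snmpd are constructed for illustration.

```python
import re

# Cumulus Linux defaults from the table on this page: (proto, port) -> daemon.
# Port "*" marks a daemon that also holds a dynamically assigned port.
BASELINE = {
    ("tcp", "22"): "sshd", ("tcp", "53"): "dnsmasq",
    ("tcp6", "22"): "sshd", ("tcp6", "53"): "dnsmasq",
    ("udp", "53"): "dnsmasq", ("udp", "68"): "dhclient", ("udp", "*"): "dhclient",
    ("udp", "123"): "ntpd", ("udp", "3784"): "ptmd", ("udp", "3785"): "ptmd",
    ("udp", "4784"): "ptmd", ("udp6", "53"): "dnsmasq", ("udp6", "123"): "ntpd",
    ("udp6", "3784"): "ptmd", ("udp6", "4784"): "ptmd", ("udp6", "*"): "dhclient",
}

# Constructed sample of `netstat -nlp --inet --inet6` output, not a real capture.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  874/sshd
tcp        0      0 0.0.0.0:8080     0.0.0.0:*        LISTEN  1201/python3
udp        0      0 0.0.0.0:28450    0.0.0.0:*                839/dhclient
udp        0      0 0.0.0.0:3784     0.0.0.0:*                1300/otherd
udp6       0      0 :::161           :::*                     950/snmpd
"""

def parse(text):
    """Yield (proto, local_addr, port, program) for each socket line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner, column header or blank line
        addr, port = f[3].rsplit(":", 1)  # rsplit keeps the IPv6 colons in addr
        # UDP rows have no State column, so find the PID/Program field by shape.
        m = next(filter(None, (re.match(r"\d+/([^:\s]+)", x) for x in f[5:])), None)
        yield f[0], addr, port, (m.group(1) if m else None)  # None: run without sudo

def audit(text):
    """Return deviations from BASELINE as (proto, addr:port, program, reason)."""
    findings = []
    for proto, addr, port, prog in parse(text):
        expected = BASELINE.get((proto, port))
        if expected is None:
            if prog and BASELINE.get((proto, "*")) == prog:
                continue  # dynamic port held by the documented daemon (dhclient)
            reason = "port not in documented defaults"
        elif prog == expected:
            continue
        else:
            reason = f"expected {expected}, owner is {prog or 'unknown'}"
        findings.append((proto, f"{addr}:{port}", prog, reason))
    return findings
```

Calling audit(SAMPLE) flags the listeners on TCP 8080 and UDP6 161 as outside the defaults and reports UDP 3784 as held by a process other than ptmd. The RMP-only dnsmasq entries should be dropped from BASELINE on non-RMP switches.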

Cumulus NetQ Ports

The following ports must be open to use the NetQ 2.4 and later software:

| Port | Protocol | Access |
|---|---|---|
| 31980 | TCP | NetQ Agent Communication |
| 443 | TCP | NetQ UI |
| 8443 | TCP | Admin UI |
| 32708 | TCP | API Gateway |
| 22 | TCP | SSH |

For cluster-based deployments, the following ports must also be opened for internal cluster communication:

| Port | Protocol | Access |
|---|---|---|
| 8080 | TCP | Admin API |
| 5000 | TCP | Docker Registry |
| 8472 | UDP | Flannel port for VXLAN |
| 6443 | TCP | Kubernetes API server |
| 10250 | TCP | Kubelet health probe |
| 2379 | TCP | etcd |
| 2380 | TCP | etcd |
| 7072 | TCP | Kafka JMX monitoring |
| 9092 | TCP | Kafka client |
| 7071 | TCP | Cassandra JMX monitoring |
| 7000 | TCP | Cassandra cluster communication |
| 9042 | TCP | Cassandra client |
| 7073 | TCP | Zookeeper JMX monitoring |
| 2888 | TCP | Zookeeper cluster communication |
| 3888 | TCP | Zookeeper cluster communication |
| 2181 | TCP | Zookeeper client |