05-27-2022 06:10 AM
I know what port-offset is and how port-hopping works, but I am unable to understand why we need this port-hopping in the first place.
Do all the controllers listen on all these ports used in port-hopping? 12346, 12366, etc.?
What does port-hopping have to do with NAT?
Why is port-hopping used only by WAN Edge and not by controllers?
I also understand that on vManage and vSmart, each CPU core listens on different ports? Does this have anything to do with port-hopping?
All the documents tell how port-hopping works, but no single document tells why it is needed.
Would appreciate it if anyone can explain why port-hopping is needed.
thanks a lot!
Mohan
05-27-2022 01:20 PM - edited 05-27-2022 01:22 PM
Hi
I agree with you that this is not well documented. But after reading some docs, I can try to help you based on what I understood.
"I know what port-offset is and how port-hopping works, but I am unable to understand why we need this port-hopping in the first place?"
In my understanding, this is used for resilience. cEdges and Controllers will build the DTLS tunnel anyway and will use by default the port 12246, in case you disable port hopping. But, if you enable port hopping, they can try different ports in case the current port is not available.
"Do all the controllers listen on all these ports used in port-hopping? 12346, 12366, etc.?"
They must listen for it to make sense but, as you can disable it, they will listen on at least the default port 12346. However, it is not smart to leave only one side with port hopping.
"What does port-hopping have to do with NAT?"
Nothing. And for that, the Cisco docs say:
"If a NAT device is present, the port number listed in the Public Port column is used by the NAT device, and BFD. This public port number is used by remote Cisco vEdge devices to send traffic to the local site. "
"Why is port-hopping used only by WAN Edge and not by controllers?"
It is used for both. But controllers usually are in the same place and, most probably, on the same network segment. So, it doesn't make sense to use port hopping between them. But they can use it in some conditions:
"When Cisco vBond Orchestrator crashes, Cisco vManage might take down all connections to the Cisco vEdge devices. The sequence of events that occurs is as follows: When Cisco vBond Orchestrator crashes, Cisco vManage might lose or close all its control connections. Cisco vManage then port hops, to try to establish connections to the Cisco vSmart Controllers on a different port. This port hopping on Cisco vManage shuts down and then restarts all its control connections, including those to the Cisco vEdge devices."
"I also understand that on vManage and vSmart, each CPU core listens on different ports?"
The following table lists the port used by each vCPU core for Cisco vManage. Each port is incremented by the configured port offset, if an offset is configured.
Core Number | Ports for DTLS (UDP) | Ports for TLS (TCP)
---|---|---
Core0 | 12346 | 23456
Core1 | 12446 | 23556
Core2 | 12546 | 23656
Core3 | 12646 | 23756
Core4 | 12746 | 23856
Core5 | 12846 | 23956
Core6 | 12946 | 24056
Core7 | 13046 | 24156
"Does this have anything to do with port-hopping?"
It is the same concept.
"All the documents tell how port-hopping works, but no single document tells why it is needed.
Would appreciate it if anyone can explain why port-hopping is needed."
That's what I understand. The "why" is resilience or port redundancy in case you cannot use the default port.
05-27-2022 02:47 PM
Hi,
Suppose two edge routers are behind the same NAT device with PAT. Then, when they connect to a controller (say vBond), they will have the same source port and the same source IP. It is an issue and port-hopping fixes this.
Based on the initial design, why edge routers don't use random ports, I don't know.
By default, routers do port-hopping (when choosing the source port) to connect to controllers. Controllers can also do it, but it is disabled by default.
HTH,
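As an added illustration (not from this thread and not Cisco's code), the following script derives the per-core controller ports from the table in the second reply, the edge hop sequence with a port-offset applied, and the "two edges behind one PAT" case from the last reply. It goes slightly beyond the thread in assuming Cisco's documented hop sequence of five ports in steps of 20 (12346, 12366, 12386, 12406, 12426) and a port-offset range of 0..19; both are assumptions here.

```python
# Added example, not Cisco code. Constants from the table in the thread plus
# two assumptions: hop stride of 20 over 5 ports, and port-offset range 0..19.
DTLS_BASE = 12346   # UDP base port for core 0 (table in the thread)
TLS_BASE = 23456    # TCP base port for core 0 (table in the thread)
CORE_STRIDE = 100   # per-core increment seen in the table
HOP_STRIDE = 20     # assumption: hop increment (12346, 12366, 12386, ...)
HOP_COUNT = 5       # assumption: five hops before wrapping to the base port
MAX_OFFSET = 19     # assumption: configurable port-offset range 0..19


def validate_offset(offset: int) -> int:
    """Reject a port-offset outside the configurable range."""
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError(f"port-offset must be 0..{MAX_OFFSET}, got {offset}")
    return offset


def controller_listen_ports(cores: int, offset: int = 0) -> list[tuple[int, int, int]]:
    """(core, DTLS/UDP port, TLS/TCP port) per vCPU core, offset applied."""
    validate_offset(offset)
    return [(c, DTLS_BASE + CORE_STRIDE * c + offset,
             TLS_BASE + CORE_STRIDE * c + offset) for c in range(cores)]


def edge_hop_sequence(offset: int = 0) -> list[int]:
    """Ports a WAN Edge tries in order while port-hopping, offset applied."""
    validate_offset(offset)
    return [DTLS_BASE + offset + HOP_STRIDE * i for i in range(HOP_COUNT)]


def hop_window_fits_core_stride(offset: int = 0) -> bool:
    """True if every hop for this offset stays below core 1's base port,
    so hopping never lands on another core's listener."""
    return max(edge_hop_sequence(offset)) < DTLS_BASE + CORE_STRIDE


def edges_collide_behind_pat(offset_a: int, offset_b: int) -> bool:
    """Two edges behind one PAT device share a public IP; if their hop
    sequences overlap, the controller can see identical IP:port pairs.
    Distinct port-offsets keep the two sequences disjoint."""
    return bool(set(edge_hop_sequence(offset_a)) & set(edge_hop_sequence(offset_b)))


if __name__ == "__main__":
    for core, udp, tcp in controller_listen_ports(8):
        print(f"core{core}: DTLS udp/{udp}  TLS tcp/{tcp}")
    print("edge hops, offset 0:", edge_hop_sequence(0))
    print("edge hops, offset 1:", edge_hop_sequence(1))
    print("same offset collides:", edges_collide_behind_pat(0, 0))
    print("offset 0 vs 1 collides:", edges_collide_behind_pat(0, 1))
```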