From 46a9be72896c44572a5391d42a5aa0812dbf4ad3 Mon Sep 17 00:00:00 2001 From: Alessandro Boch Date: Thu, 16 Feb 2017 11:52:55 -0800 Subject: [PATCH] Clarify port to open for overlay networking (#1762) Signed-off-by: Alessandro Boch --- datacenter/ucp/1.1/installation/system-requirements.md | 2 +- .../ucp/2.0/guides/installation/system-requirements.md | 2 +- engine/swarm/swarm-tutorial/index.md | 4 ++-- swarm/plan-for-production.md | 5 +++-- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/datacenter/ucp/1.1/installation/system-requirements.md b/datacenter/ucp/1.1/installation/system-requirements.md index df1a32d6aa..71d2710651 100644 --- a/datacenter/ucp/1.1/installation/system-requirements.md +++ b/datacenter/ucp/1.1/installation/system-requirements.md @@ -34,7 +34,7 @@ When installing UCP on a host, make sure the following ports are open: | controllers, nodes | in | TCP 443 (configurable) | Web app and CLI client access to UCP. | | controllers, nodes | in | TCP 2375 | Heartbeat for nodes, to ensure they are running. | | controllers | in | TCP 2376 (configurable) | Swarm manager accepts requests from UCP controller. | -| controllers, nodes | in, out | TCP + UDP 4789 | Overlay networking. | +| controllers, nodes | in, out | UDP 4789 | Overlay networking. | | controllers, nodes | in, out | TCP + UDP 7946 | Overlay networking. | | controllers, nodes | in | TCP 12376 | Proxy for TLS, provides access to UCP, Swarm, and Engine. | | controller | in | TCP 12379 | Internal node configuration, cluster configuration, and HA. | diff --git a/datacenter/ucp/2.0/guides/installation/system-requirements.md b/datacenter/ucp/2.0/guides/installation/system-requirements.md index 1590be6a9f..05fbb1be8b 100644 --- a/datacenter/ucp/2.0/guides/installation/system-requirements.md +++ b/datacenter/ucp/2.0/guides/installation/system-requirements.md 
@@ -31,7 +31,7 @@ When installing UCP on a host, make sure the following ports are open: | managers, workers | in | TCP 443 (configurable) | Port for the UCP web UI and API | | managers | in | TCP 2376 (configurable) | Port for the Docker Swarm manager. Used for backwards compatibility | | managers, workers | in | TCP 2377 (configurable) | Port for communication between swarm nodes | -| managers, workers | in, out | TCP, UDP 4789 | Port for overlay networking | +| managers, workers | in, out | UDP 4789 | Port for overlay networking | | managers, workers | in, out | TCP, UDP 7946 | Port for overlay networking | | managers, workers | in | TCP 12376 | Port for a TLS proxy that provides access to UCP, Docker Engine, and Docker Swarm | | managers | in | TCP 12379 | Port for internal node configuration, cluster configuration, and HA | diff --git a/engine/swarm/swarm-tutorial/index.md b/engine/swarm/swarm-tutorial/index.md index 01fe2cccba..5bac15ec3a 100644 --- a/engine/swarm/swarm-tutorial/index.md +++ b/engine/swarm/swarm-tutorial/index.md @@ -111,10 +111,10 @@ The following ports must be available. On some systems, these ports are open by * **TCP port 2377** for cluster management communications * **TCP** and **UDP port 7946** for communication among nodes -* **TCP** and **UDP port 4789** for overlay network traffic +* **UDP port 4789** for overlay network traffic If you are planning on creating an overlay network with encryption (`--opt encrypted`), -you will also need to ensure ip protocol 50 (ESP) traffic is allowed. +you will also need to ensure **ip protocol 50** (**ESP**) traffic is allowed. ## What's next? diff --git a/swarm/plan-for-production.md b/swarm/plan-for-production.md index 28b9630686..73f6de1bcf 100644 --- a/swarm/plan-for-production.md +++ b/swarm/plan-for-production.md 
@@ -50,8 +50,8 @@ For more information on configuring Swarm for TLS, see the [Overview Docker Swar ### Network access control Production networks are complex, and usually locked down so that only allowed -traffic can flow on the network. The list below shows the network ports that -the different components of a Swam cluster listen on. You should use these to +traffic can flow on the network. The list below shows the network ports and protocols +that the different components of a Swam cluster listen on. You should use these to configure your firewalls and other network access control lists. - **Swarm manager.** @@ -72,6 +72,7 @@ configure your firewalls and other network access control lists. - **Inbound 7946/udp** Allows for discovering other container networks. - **Inbound ``/tcp** Network key-value store service port. - **4789/udp** For the container overlay network. + - **ESP packets** For encrypted overlay networks. If your firewalls and other network devices are connection state aware, they
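Review bot: the 4789 rows in both UCP system-requirements tables (1.1 and 2.0) now correctly list only UDP 4789, since VXLAN overlay traffic is UDP-only, but neither table gains a row for ESP (IP protocol 50), which this same patch adds to swarm/plan-for-production.md and which engine/swarm/swarm-tutorial/index.md already requires for encrypted overlay networks (`--opt encrypted`). Consider adding a matching row in both tables, for example `| controllers, nodes | in, out | IP protocol 50 (ESP) | Encrypted overlay networking. |`, so readers who build firewall rules from these tables alone get the complete list.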
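Review bot: the ESP sentence in engine/swarm/swarm-tutorial/index.md is already being edited for bold markup, so `ip protocol 50` should become `IP protocol 50` in the same change; the acronym capitalization is the only style point here, and the bullet change to **UDP port 4789** is correct.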
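Review bot: the rewrapped sentence in the first swarm/plan-for-production.md hunk carries the pre-existing typo "Swam cluster" through to the `+that the different components of a Swam cluster listen on.` line; since the line is being rewritten anyway, change it to "Swarm cluster".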
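Review bot: the new `- **ESP packets** For encrypted overlay networks.` entry in the second swarm/plan-for-production.md hunk does not follow the format of its neighbours, which name the protocol and port (`- **Inbound 7946/udp** ...`, `- **4789/udp** ...`). Suggest `- **IP protocol 50 (ESP)** For encrypted overlay networks (--opt encrypted).`, matching the wording this patch uses in the swarm tutorial; naming the protocol number matters because ESP has no port, so a TCP/UDP-only access list will never match it. The unchanged context line "Inbound ``/tcp Network key-value store service port." has an empty inline code span where the port should be; that predates this change but is worth fixing while here.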