NSP Port Communications
Overview
This section documents the network communications between the components of an NSP deployment. Customers can use these tables to design traffic management policies that match their NSP deployment.
A complete listing of network communications for NFM-P and associated components can be found in section 6.10 of this guide.
The following port changes are reported for NSP in Release 23.11:
- Add Kafka and REST communications between NSP and the Flow Collector.
- Remove NSP ports 8182, 8543, 8549 and 9543. The applications that used them are integrated onto the standard HTTPS port 443.
- Add port and firewall information for port 9100 on the NFM-P Main, Database and Auxiliary Servers.
Table notes:
- Each table identifies network communications based on the destination component.
- Each communication link defines traffic from the originating component/port to the destination component/port. When traffic policies are applied in both directions of communication, the return path must also be permitted.
- In a multi-node NSP cluster deployment, communications originating from NSP to a destination must allow traffic from each node of that NSP cluster to the destination component. Traffic destined to a multi-node NSP cluster will require communications to the virtual IP address of the NSP cluster.
- For NSP deployments with multiple network interfaces, the communications matrix defines on which network interface the communications will be received.
- Where multiple components may be communicating with a destination component and port, each source component with its source port range is listed.
- A system administrator will require SSH access to components in the NSP deployment for installation and maintenance purposes. For this purpose, tables list a source component of System administration server.
- Any ports that are optional, or are required only for unsecure communications, are identified at the bottom of each table.
Note: The ephemeral port range of different server types may vary. Many Linux kernels use the port range 32768 - 61000. To determine the ephemeral port range of a server, execute
cat /proc/sys/net/ipv4/ip_local_port_range
Note: Some NSP operations require idle TCP ports to remain open for long periods of time. Therefore, customers that implement a network traffic policy that closes idle TCP connections should adjust the operating system TCP keep-alives to ensure that NSP communications are not impacted (i.e. set the OS TCP keep-alive interval to be less than the idle TCP timeout within the network traffic policies).
Note: The use of firewalld is not supported on NSP cluster virtual machines. Nokia recommends using Calico policies to control traffic to an NSP cluster deployment. (Kubernetes networking relies on Calico rules added to iptables. Using firewalld changes the order of those Calico rules and can disrupt traffic flow in the NSP cluster.)
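As an added illustration, not part of this guide or of Nokia's NSP software, the following Python models a handful of rows from Table 6-1 in the structure the table notes describe: comma-separated source components, source port ranges written as >N, port lists such as 5000, 5001, and continuation rows that inherit the destination port, protocol, interface and description of the row above them. It checks constructed connection records against the matrix, lists the rows marked "use only where required", and renders the permitted rows as ingress entries of a Calico GlobalNetworkPolicy, which is the mechanism the note above recommends in place of firewalld. The row values are copied from Table 6-1; the component-to-subnet mapping, the selector string and the connection records are constructed placeholders, and ">N" is read as N and above on the assumption that it denotes the ephemeral range the note gives as 32768 - 61000. The Calico field names (action, protocol, source.nets, destination.ports) are the projectcalico.org/v3 schema as understood here and should be checked against the Calico version in use.

```python
"""Model of an NSP communications-matrix table (illustrative; not Nokia code).

Each row is (source components, source port spec, destination port spec,
protocol, network interface, description), matching the table columns.
An empty destination port marks a continuation row that inherits the
merged cells of the row above it.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# Row values copied from Table 6-1 (a sample of rows, not the whole table).
ROWS = [
    ("System administration server", "any", "22", "TCP", "any", "Administrator SSH access, software installation"),
    ("remote DR NSP cluster", ">32768", "", "", "", ""),        # continuation row
    ("Network element", "any", "162", "UDP", "mediation", "SNMP traps"),
    ("Network element", "n/a", "n/a", "ICMP", "mediation", "ICMP traffic between NSP and NEs"),
    ("browser/OSS clients", "any", "443", "TCP", "client", "HTTPS communications for NSP applications, REST API, session management"),
    ("Analytics", ">32768", "2281", "TCP", "internal", "Secure Zookeeper communications"),
    ("NFM-P main, NFM-P Auxiliary", ">15000", "", "", "", ""),  # continuation row
    ("WS-NOC", ">49192", "", "", "", ""),                       # continuation row
    ("remote DR NSP cluster", ">32768", "5000, 5001", "TCP", "internal", "nspos-neo4j (DR only)"),
    ("Analytics", ">32768", "2181", "TCP", "internal", "unsecure Zookeeper - use only where required"),
]


@dataclass(frozen=True)
class Rule:
    sources: Tuple[str, ...]   # components that may originate the flow
    src_ports: str             # source port cell as written in the table
    dst_ports: str             # destination port cell as written in the table
    proto: str                 # TCP / UDP / ICMP
    interface: str
    description: str


def port_matcher(spec: str) -> Callable[[Optional[int]], bool]:
    """Turn a port cell into a predicate. 'any' and 'n/a' match everything (ICMP
    flows pass None); '>N' is treated as N and above (assumption: the cell denotes
    the ephemeral range); otherwise a comma list of ports and/or a-b ranges."""
    spec = spec.strip()
    if spec in ("any", "n/a"):
        return lambda p: True
    if spec.startswith(">"):
        low = int(spec[1:])
        return lambda p: p is not None and p >= low
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            a, b = part.split("-")
            allowed.update(range(int(a), int(b) + 1))
        else:
            allowed.add(int(part))
    return lambda p: p in allowed


def expand_matrix(rows: Sequence[Tuple[str, ...]]) -> List[Rule]:
    """Resolve continuation rows (empty destination cells) into full rules."""
    rules: List[Rule] = []
    for src, sport, dport, proto, iface, desc in rows:
        if dport == "" and rules:
            prev = rules[-1]
            dport, proto, iface, desc = prev.dst_ports, prev.proto, prev.interface, prev.description
        rules.append(Rule(tuple(s.strip() for s in src.split(",")), sport, dport, proto, iface, desc))
    return rules


def matching_rule(rules, src, src_port, dst_port, proto):
    """First row permitting (source component, source port, destination port, protocol), or None."""
    for r in rules:
        if (src in r.sources and r.proto == proto
                and port_matcher(r.src_ports)(src_port) and port_matcher(r.dst_ports)(dst_port)):
            return r
    return None


def audit(rules, flows):
    """Return the flows that no row of the matrix permits."""
    return [f for f in flows if matching_rule(rules, *f) is None]


def unsecure_rules(rules):
    """Rows the guide marks optional or unsecure; candidates to leave closed."""
    return [r for r in rules if "use only where required" in r.description]


def calico_ports(spec):
    """Calico accepts integer ports or 'a:b' ranges."""
    return [p.strip().replace("-", ":") if "-" in p else int(p) for p in spec.split(",")]


def calico_policy(rules, nets_by_component, selector, name="nsp-ingress-example"):
    """Render Allow ingress entries; rows whose sources have no subnet mapping are skipped."""
    ingress = []
    for r in rules:
        nets = sorted({n for c in r.sources for n in nets_by_component.get(c, ())})
        if not nets:
            continue
        entry = {"action": "Allow", "protocol": r.proto, "source": {"nets": nets}}
        if r.proto != "ICMP":                      # ICMP rows carry no ports
            entry["destination"] = {"ports": calico_ports(r.dst_ports)}
        ingress.append(entry)
    return {"apiVersion": "projectcalico.org/v3", "kind": "GlobalNetworkPolicy",
            "metadata": {"name": name},
            "spec": {"order": 100, "selector": selector, "types": ["Ingress"], "ingress": ingress}}


# Constructed placeholders (documentation subnets), not a real deployment.
NETS = {"browser/OSS clients": ["203.0.113.0/24"], "Network element": ["192.0.2.0/24"]}
FLOWS = [
    ("browser/OSS clients", 51234, 443, "TCP"),    # permitted
    ("WS-NOC", 50000, 2281, "TCP"),                # permitted through a continuation row
    ("WS-NOC", 40000, 2281, "TCP"),                # source port below the >49192 range
    ("Network element", None, None, "ICMP"),       # permitted
    ("browser/OSS clients", 40000, 2281, "TCP"),   # no row lists this source for 2281
]

if __name__ == "__main__":
    import json
    rules = expand_matrix(ROWS)
    print("not in matrix:", audit(rules, FLOWS))
    print("optional/unsecure ports:", [r.dst_ports for r in unsecure_rules(rules)])
    print(json.dumps(calico_policy(rules, NETS, "<selector for the NSP host endpoints>"), indent=2))
```

The audit deliberately treats the table literally: a flow from WS-NOC with a source port below 49192 is reported even though the destination port is correct, which is the kind of mismatch that shows up when a component's ephemeral range differs from the one the table assumes (see the note on ip_local_port_range above). The rendered policy is a starting point only; the selector must be restricted to the NSP host endpoints, and the return path and multi-node considerations from the table notes still have to be applied when the policy is finalized.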
Table 6-1: NSP Kubernetes virtual machine communications

| Source component(s) | Source Port | NSP Destination Port | Transport Protocol | Network Interface | Description/Purpose |
|---|---|---|---|---|---|
| System administration server | any | 22 | TCP | any | Administrator SSH access, software installation |
| remote DR NSP cluster | >32768 | 22 | TCP | any | Administrator SSH access, software installation |
| Network element | any | 162 | UDP | mediation | SNMP traps |
| Network element | n/a | n/a | ICMP | mediation | ICMP traffic between NSP and NEs |
| browser/OSS clients | any | 443 | TCP | client | HTTPS communications for NSP applications, REST API, session management |
| Analytics, Simulation Tool | >32768 | 443 | TCP | internal | authentication, authorization, REST API |
| redundant NSP | >32768 | 443 | TCP | internal | redundancy communications (DR only) |
| NFM-P main, NFM-P Auxiliary | >15000 | 443 | TCP | internal | authentication, authorization, REST API |
| WS-NOC | >49192 | 443 | TCP | client | authentication, authorization, REST API |
| Analytics | >32768 | 2281 | TCP | internal | Secure Zookeeper communications |
| NFM-P main, NFM-P Auxiliary | >15000 | 2281 | TCP | internal | Secure Zookeeper communications |
| WS-NOC | >49192 | 2281 | TCP | internal | Secure Zookeeper communications |
| remote DR NSP cluster | >32768 | 4152 | TCP | internal | ASM module (DR only) |
| remote DR NSP cluster | >32768 | 5000, 5001 | TCP | internal | nspos-neo4j (DR only) |
| remote DR NSP cluster | >32768 | 5002 | TCP | internal | nspos-neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 5100, 5101 | TCP | internal | nsp-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 5102 | TCP | internal | nsp-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 5200, 5201 | TCP | internal | nrcx-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 5202 | TCP | internal | nrcx-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 6000, 6001 | TCP | internal | nspos-neo4j (DR only) |
| remote DR NSP cluster | >32768 | 6002 | TCP | internal | nspos-neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 6100, 6101 | TCP | internal | nsp-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 6102 | TCP | internal | nsp-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 6200, 6201 | TCP | internal | nrcx-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 6202 | TCP | internal | nrcx-tomcat neo4j (HA/DR only) |
| Analytics, redundant NSP | >32768 | 6432 | TCP | internal | Postgres database |
| NFM-P main | >15000 | 6432 | TCP | internal | Postgres database |
| WS-NOC | >49192 | 6432 | TCP | internal | Postgres database |
| remote DR NSP cluster | >32768 | 7000, 7001 | TCP | internal | nspos-neo4j (DR only) |
| remote DR NSP cluster | >32768 | 7002 | TCP | internal | nspos-neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 7100, 7101 | TCP | internal | nsp-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 7102 | TCP | internal | nsp-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 7200, 7201 | TCP | internal | nrcx-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 7202 | TCP | internal | nrcx-tomcat neo4j (HA/DR only) |
| NetAct NEs | >32768 | 7443 | TCP | mediation | REST event forwarder for NetAct NEs |
| external controller | any | 8185 | TCP | internal | REST trap forwarder port |
| browser/OSS clients | any | 8545 | TCP | client | MDM applications |
| browser/OSS clients | any | 8546 | TCP | client | WFM GUI and REST API |
| browser/OSS clients | any | 8547 | TCP | client | mdtTomcat |
| NSP deployer node | any | 8548 | TCP | internal | adaptor installation |
| browser/OSS clients | any | 8548 | TCP | client | mdmTomcat |
| browser/OSS clients | any | 8560 | TCP | client | nrcx-tomcat GUI and REST API |
| browser/OSS clients | any | 8565 | TCP | client | file service SFTP |
| remote DR NSP cluster | >32768 | 8566 | TCP | internal | File synchronization with redundant NSP |
| NE | any | 8567 | TCP | mediation | File transfer with Nokia NEs |
| NFM-P main | >15000 | 8575 | TCP | internal | system token for components external to NSP |
| remote DR NSP cluster | >32768 | 8663 | TCP | internal | CAM data synchronization (DR only) |
| browser/OSS clients | any | 9192 | TCP | client | Kafka |
| Analytics | >32768 | 9192 | TCP | client | Kafka. For NSP deployments where client and internal communications are on the same network interface |
| Flow Collector, Flow Collector Controller | >32768 | 9192 | TCP | client | Kafka. For NSP deployments where client and internal communications are on the same network interface |
| NFM-P main, NFM-P Auxiliary | >15000 | 9192 | TCP | client | Kafka. For NSP deployments where client and internal communications are on the same network interface |
| WS-NOC | >49192 | 9192 | TCP | client | Kafka. For NSP deployments where client and internal communications are on the same network interface |
| browser/OSS clients | any | 9193, 9194 | TCP | client | Kafka - enhanced NSP only |
| Analytics | >32768 | 9193, 9194 | TCP | client | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on the same network interface |
| Flow Collector, Flow Collector Controller | >32768 | 9193, 9194 | TCP | client | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on the same network interface |
| NFM-P main, NFM-P Auxiliary | >15000 | 9193, 9194 | TCP | client | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on the same network interface |
| WS-NOC | >49192 | 9193, 9194 | TCP | client | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on the same network interface |
| NFM-P main, db, auxiliary | >15000 | 9200 | TCP | internal | Opensearch log collection |
| Flow Collector, Flow Collector Controller | >32768 | 9200 | TCP | internal | Opensearch log collection |
| Analytics | >32768 | 9292 | TCP | internal | Kafka. For NSP deployments where client and internal communications are on different network interfaces |
| Flow Collector, Flow Collector Controller | >32768 | 9292 | TCP | internal | Kafka. For NSP deployments where client and internal communications are on different network interfaces |
| NFM-P main, NFM-P Auxiliary | >15000 | 9292 | TCP | internal | Kafka. For NSP deployments where client and internal communications are on different network interfaces |
| WS-NOC | >49192 | 9292 | TCP | internal | Kafka. For NSP deployments where client and internal communications are on different network interfaces |
| Analytics | >32768 | 9293, 9294 | TCP | internal | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on different network interfaces |
| Flow Collector, Flow Collector Controller | >32768 | 9293, 9294 | TCP | internal | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on different network interfaces |
| NFM-P main, NFM-P Auxiliary | >15000 | 9293, 9294 | TCP | internal | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on different network interfaces |
| WS-NOC | >49192 | 9293, 9294 | TCP | internal | Kafka - enhanced NSP only. For NSP deployments where client and internal communications are on different network interfaces |
| browser/OSS clients | any | 80 | TCP | client | Redirects to 443 - use only where required |
| Analytics | >32768 | 2181 | TCP | internal | unsecure Zookeeper - use only where required |
| NFM-P, NFM-P Auxiliary | >15000 | 2181 | TCP | internal | unsecure Zookeeper - use only where required |
| WS-NOC | >49192 | 2181 | TCP | internal | unsecure Zookeeper - use only where required |
| browser/OSS clients | any | 9092 | TCP | client | unsecure Kafka - use only where required |
| Analytics | >32768 | 9092 | TCP | client | unsecure Kafka - use only where required. For NSP deployments where client and internal communications are on the same network interface |
| Flow Collector, Flow Collector Controller | >32768 | 9092 | TCP | client | unsecure Kafka - use only where required. For NSP deployments where client and internal communications are on the same network interface |
| NFM-P main, NFM-P Auxiliary | >15000 | 9092 | TCP | client | unsecure Kafka - use only where required. For NSP deployments where client and internal communications are on the same network interface |
| WS-NOC | >49192 | 9092 | TCP | client | unsecure Kafka - use only where required. For NSP deployments where client and internal communications are on the same network interface |
| browser/OSS clients | any | 9093, 9094 | TCP | client | unsecure Kafka (enhanced deployment only) - use only where required |
| Analytics | >32768 | 9093, 9094 | TCP | client | unsecure Kafka (enhanced deployment only) - use only where required. For NSP deployments where client and internal communications are on the same network interface |
| Flow Collector, Flow Collector Controller | >32768 | 9093, 9094 | TCP | client | unsecure Kafka (enhanced deployment only) - use only where required. For NSP deployments where client and internal communications are on the same network interface |
| NFM-P main, NFM-P Auxiliary | >15000 | 9093, 9094 | TCP | client | unsecure Kafka (enhanced deployment only) - use only where required. For NSP deployments where client and internal communications are on the same network interface |
| WS-NOC | >49192 | 9093, 9094 | TCP | client | unsecure Kafka (enhanced deployment only) - use only where required. For NSP deployments where client and internal communications are on the same network interface |
Some NSP components may require communications with the PKI server at install time or when regenerating TLS certificates. The NSP deployer node hosts the PKI server application.
Table 6-2: PKI Server Communications

| Source Component | Source Port | PKI Server Port | Transport Protocol | Description |
|---|---|---|---|---|
| Analytics | >32768 | 2391 | TCP | PKI server |
| NFM-P main, NFM-P database, NFM-P auxiliary | >15000 | 2391 | TCP | PKI server |
| AuxDB | >32768 | 2391 | TCP | PKI server |
| Flow Collector, Flow Collector Controller | >32768 | 2391 | TCP | PKI server |
| WS-NOC | >49192 | 2391 | TCP | PKI server |
Table 6-3: Network Element Communications

| Source component | Source port | NE Destination Port | Transport Protocol | Description |
|---|---|---|---|---|
| System administration server | any | 22 | TCP | Administrator SSH access, SFTP |
| NSP kubernetes VM | >32768 | 22 | TCP | Administrator SSH access, SFTP |
| NSP kubernetes VM | >32768 | 161 | UDP | SNMP mediation |
| NSP kubernetes VM | >32768 | 830 | TCP | NETCONF mediation |
| NSP kubernetes VM | >32768 | 57400 | TCP | gRPC |
| NSP kubernetes VM | >32768 | 21 | TCP | telnet, FTP access - use only where required |
| NSP kubernetes VM | n/a | n/a | ICMP | ICMP traffic between NSP and NEs |

Table 6-4: VSR-NRC Communications

| Source component | Source port | VSR-NRC Destination Port | Transport Protocol | Description |
|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 4199 | TCP | Network topology information, service management |
Refer to the Security Best Practices and Hardening Guide for detailed information on secure communications with VSR-NRC.
Refer to section 6.10 of this guide for a complete list of firewall rules for NFM-P and associated components.
Table 6-5: NFM-P Main Server Communications

| Source component | Source port | NFM-P Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 7879 | TCP | internal | CPROTO port |
| NSP kubernetes VM | >32768 | 8087 | TCP | client | web applications communications |
| NSP kubernetes VM | >32768 | 8089 | TCP | client | web applications communications |
| NSP kubernetes VM | >32768 | 8443 | TCP | client | XML API |
| NSP kubernetes VM | >32768 | 8543 | TCP | client | NFM-P web applications, REST API |
| NSP kubernetes VM | >32768 | 9100 | TCP | internal | node exporter |
NSP communicates with the NFM-P Database Server and the NFM-P Auxiliary Server to collect metrics.
Table 6-6: NFM-P Database Server Communications

| Source component | Source port | NFM-P Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 9100 | TCP | internal | node exporter |

Table 6-7: NFM-P Auxiliary Server Communications

| Source component | Source port | NFM-P Aux Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 9100 | TCP | internal | node exporter |

Table 6-8: Analytics Server Communications

| Source Component | Source Port | Analytics Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM or web-based clients | >32768 | 8443 | TCP | client | HTTPS web user interface |

Table 6-9: Auxiliary Database Server Communications

| Source Component | Source Port | AuxDB Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 5433 | TCP | internal | |
| NSP kubernetes VM | >32768 | 7299 (secure=true), 7299-7309 (secure=false) | TCP | internal | |

Table 6-10: Flow Collector Communications

| Source Component | Source Port | Flow Collector Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 8443 | TCP | internal | REST API |
Refer to WS-NOC documentation for a complete list of WS-NOC application communications.
Table 6-11: WS-NOC Communications

| Source Component | Source Port | WS-NOC Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 443 | TCP | client | |
| NSP kubernetes VM | >32768 | 8443 | TCP | client | GUI |
| NSP kubernetes VM | >32768 | 8543 | TCP | client | WS-RC REST API |

Table 6-12: Syslog Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | Syslog server | 514 | TCP | syslog notifications |

Table 6-13: Mail Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | Mail Server | 25 | TCP | SMTP mail server (unsecure) |
| NSP kubernetes VM | >32768 | Mail Server | 465 | TCP | SMTPS mail server (secure) |
| NSP kubernetes VM | >32768 | Mail Server | 587 | TCP | STARTTLS mail server (secure) |

Table 6-14: Remote Authentication Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | LDAP server | 389 | TCP | LDAP (unsecure) |
| NSP kubernetes VM | >32768 | LDAP server | 636 | TCP | LDAP (secure) |
| NSP kubernetes VM | >32768 | RADIUS server | 1812 | TCP | RADIUS |
| NSP kubernetes VM | >32768 | TACACS server | 49 | TCP | TACACS |

Table 6-15: Splunk Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | Splunk Server | 8088 (see Note) | TCP | NSP application logs to Splunk |
Note: Destination port determined by Splunk server configuration.