NSP Port Communications
Overview
This section will document network communications between components in a NSP deployment. These tables can be used by customers to design traffic management policies based on their NSP deployment.
A complete listing of network communications for additional NSP components can be found in section 6.10 of this guide.
The following port changes are reported for NSP in Release 24.8
-
Ports for Flow Collector and Flow Collector Controller have been updated to reflect its new location in the NSP cluster.
-
Add communications from NSP to Auxiliary Database Server port 9100.
Table notes:
-
Each table identifies network communications based on the destination component.
-
Each communication link defines traffic from the originating component/port to the destination component/port. When traffic policies are applied in both directions of communication, the return path must also be permitted.
-
Communications originating from NSP to a destination must allow traffic from each node of that NSP cluster to the destination component. Traffic destined to a NSP cluster will require communications to the virtual IP addresses defined by the ingress applications of the NSP cluster.
-
For NSP deployments with multiple network interfaces, the communications matrix will define on which network interface the communications will be received.
-
Where multiple components may be communicating with a destination component and port, each source component with source port range is listed.
-
A system administrator will require SSH access to components in the NSP deployment for installation and maintenance purposes. For this purpose, tables will list a source component of System administration server.
Note: The ephemeral port range of different server types may vary. Many Linux kernels use the port range 32768 - 61000. To determine the ephemeral port range of a server, execute
cat /proc/sys/net/ipv4/ip_local_port_range
Note: Some NSP operations require idle TCP ports to remain open for long periods of time. Therefore, customers that implement a network traffic policy that closes idle TCP connections should adjust operating system TCP keep-alives to ensure that NSP communications is not impacted (ie. set OS TCP keep-alives to be less than idle TCP timeout within network traffic policies).
Note: The use of firewalld is not supported on NSP cluster virtual machines. Nokia recommends using Calico policies to control traffic to an NSP cluster deployment. (Kubernetes networking relies on calico rules added to iptables. Using firewalld changes the order of those calico rules and can disrupt traffic flow in the NSP cluster.)
Table 6-1: NSP Kubernetes virtual machine communications
|
Source component(s) |
Source Port |
NSP Destination Port |
Transport Protocol |
Network Interface |
Description/Purpose |
|---|---|---|---|---|---|
|
System administration server |
any |
22 |
TCP |
any |
Administrator SSH access, software installation |
|
remote DR NSP cluster |
>32768 | ||||
|
Network element |
any |
162 |
UDP |
mediation |
SNMP traps |
|
Network element |
n/a |
n/a |
ICMP |
mediation |
ICMP traffic between NSP and NEs. |
|
browser/OSS clients |
any |
443 |
TCP |
client |
HTTPS communications for NSP applications, REST API, session management |
|
Simulation Tool |
>32768 |
443 |
TCP |
internal |
authentication, authorization, REST API |
|
redundant NSP |
>32768 |
443 |
TCP |
internal |
redundancy communications (DR only) |
|
NFM-P main, NFM-P Auxiliary |
>15000 |
443 |
TCP |
internal |
authentication, authorization, REST API |
|
OSS clients |
any |
443 |
TCP |
client |
MDM applications |
|
WS-NOC |
>49192 |
443 |
TCP |
client |
authentication, authorization, REST API |
|
Network element |
any |
2055 |
UDP |
mediation |
Flow Collector: netflowV5 |
|
NFM-P main, NFM-P Auxiliary |
>15000 |
2281 |
TCP |
internal |
Secure Zookeeper communications |
|
WS-NOC |
>49192 | ||||
|
remote DR NSP cluster |
>32768 |
4152 |
TCP |
internal |
ASM module (DR only) |
|
Network element |
any |
4739 |
UDP |
mediation |
Flow Collector: ipfixV10IANA |
|
Network element |
any |
4740 |
UDP |
mediation |
Flow Collector: ipfixV10NokiaAA |
|
Network element |
any |
4741 |
UDP |
mediation |
Flow Collector: ipfixV10NokiaSYS |
|
Network element |
any |
4742 |
UDP |
mediation |
Flow Collector: ipfixV10NokiaBBNAT |
|
remote DR NSP cluster |
>32768 |
5000, 5001 |
TCP |
internal |
nspos-neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
5002 |
TCP |
internal |
nspos-neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
5100, 5101 |
TCP |
internal |
nsp-tomcat neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
5102 |
TCP |
internal |
nsp-tomcat neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
5200, 5201 |
TCP |
internal |
nrcx-tomcat neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
5202 |
TCP |
internal |
nrcx-tomcat neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
6000, 6001 |
TCP |
internal |
nspos-neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
6002 |
TCP |
internal |
nspos-neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
6100, 6101 |
TCP |
internal |
nsp-tomcat neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
6102 |
TCP |
internal |
nsp-tomcat neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
6200, 6201 |
TCP |
internal |
nrcx-tomcat neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
6202 |
TCP |
internal |
nrcx-tomcat neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
6432 |
TCP |
internal |
Postgres database |
|
NFM-P main |
>15000 | ||||
|
WS-NOC |
>49192 | ||||
|
remote DR NSP cluster |
>32768 |
7000, 7001 |
TCP |
internal |
nspos-neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
7002 |
TCP |
internal |
nspos-neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
7100, 7101 |
TCP |
internal |
nsp-tomcat neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
7102 |
TCP |
internal |
nsp-tomcat neo4j (HA/DR only) |
|
remote DR NSP cluster |
>32768 |
7200, 7201 |
TCP |
internal |
nrcx-tomcat neo4j (DR only) |
|
remote DR NSP cluster |
>32768 |
7202 |
TCP |
internal |
nrcx-tomcat neo4j (HA/DR only) |
|
external controller |
any |
8185 |
TCP |
internal |
REST trap forwarder port |
|
NSP deployer node |
any |
8548 |
TCP |
internal |
adaptor installation |
|
OSS clients |
any |
8548 |
TCP |
client |
mdmTomcat |
|
browser |
any |
8561 |
TCP |
client |
file service GUI |
|
OSS clients |
any |
8565 |
TCP |
client |
file service SFTP |
|
remote DR NSP cluster |
>32768 |
8566 |
TCP |
internal |
File synchronization with redundant NSP |
|
NE |
any |
8567 |
TCP |
mediation |
File transfer with Nokia NEs. |
|
NFM-P main |
>15000 |
8575 |
TCP |
internal |
system token for components external to NSP |
|
remote DR NSP cluster |
>32768 |
8663 |
TCP |
internal |
CAM data synchronization (DR only) |
|
browser/OSS clients |
any |
9192 |
TCP |
client |
Kafka |
|
NFM-P main, NFM-P Auxiliary |
>15000 |
9192 |
TCP |
client/internal |
Kafka Applies to NSP deployments where client/internal communications are on same network interface. |
|
WS-NOC |
>49192 | ||||
|
browser/OSS clients |
any |
9193, 9194 |
TCP |
client |
Kafka - enhanced NSP deployments only |
|
NFM-P main, NFM-P Auxiliary |
>15000 |
9193, 9194 |
TCP |
client/internal |
Kafka - enhanced NSP deployments only Applies to NSP deployments where client/internal communications are on same network interface. |
|
WS-NOC |
>49192 | ||||
|
NFM-P main, database |
>15000 |
9200 |
TCP |
internal |
Opensearch log collection |
|
NFM-P main, NFM-P Auxiliary |
>15000 |
9292 |
TCP |
internal |
Kafka Applies to NSP deployments where client/internal communications are on separate network interfaces. |
|
WS-NOC |
>49192 | ||||
|
NFM-P main, NFM-P Auxiliary |
>15000 |
9293, 9294 |
TCP |
internal |
Kafka - enhanced NSP only Applies to NSP deployments where client/internal communications are on separate network interfaces. |
|
WS-NOC |
>49192 | ||||
|
browser/OSS clients |
any |
80 |
TCP |
client |
Redirects to 443 - use only where required |
Some NSP components may require communications with the PKI server at install time or when regenerating TLS certificates. The NSP cluster hosts the PKI server application.
Table 6-2: PKI Server Communications
|
Source Component |
Source Port |
PKI Server Port |
Transport Protocol |
Description |
|---|---|---|---|---|
|
NFM-P main, NFM-P database, NFM-P Auxiliary |
>15000 |
80 |
TCP |
PKI server |
|
Auxiliary database |
>15000 | |||
|
WS-NOC |
>49192 |
Table 6-3: Network Element Communications
|
Source component |
Source port |
NE Destination Port |
Transport Protocol |
Description |
|---|---|---|---|---|
|
System administration server |
any |
22 |
TCP |
Administrator SSH access, SFTP |
|
NSP kubernetes VM |
>32768 | |||
|
NSP kubernetes VM |
>32768 |
161 |
UDP |
SNMP mediation |
|
NSP kubernetes VM |
>32768 |
830 |
TCP |
NETCONF mediation |
|
NSP kubernetes VM |
>32768 |
57400 |
TCP |
gRPC |
|
NSP kubernetes VM |
>32768 |
21 |
TCP |
telnet, FTP access - use only where required |
|
NSP kubernetes VM |
n/a |
n/a |
ICMP |
ICMP traffic between NSP and NEs |
Table 6-4: VSR-NRC Communications
|
Source component |
Source port |
VSR-NRC Destination Port |
Transport Protocol |
Description |
|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
4199 |
TCP |
Network topology information, service management |
Refer to the Security Best Practices and Hardening Guide for detailed information on secure communications with VSR-NRC.
Refer to section 6.10 of this guide for a complete list of firewall rules for NFM-P and associated components.
Table 6-5: NFM-P Main Server Communications
|
Source component |
Source port |
NFM-P Destination Port |
Transport Protocol |
Network Interface |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
7879 |
TCP |
internal |
CPROTO port |
|
NSP kubernetes VM |
>32768 |
8087 |
TCP |
client |
web applications communications |
|
NSP kubernetes VM |
>32768 |
8089 |
TCP |
client |
web applications communications |
|
NSP kubernetes VM |
>32768 |
8443 |
TCP |
client |
XML API |
|
NSP kubernetes VM |
>32768 |
8543 |
TCP |
client |
NFM-P web applications, REST API |
|
NSP kubernetes VM |
>32768 |
9100 |
TCP |
internal |
node exporter |
NSP communicates with NFM-P Database Server and NFM-P Auxiliary Server for collecting metrics.
Table 6-6: NFM-P Database Server Communications
|
Source component |
Source port |
NFM-P Destination Port |
Transport Protocol |
Network Interface |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
9100 |
TCP |
internal |
node-exporter |
Table 6-7: NFM-P Auxiliary Server Communications
|
Source component |
Source port |
NFM-P Aux Destination Port |
Transport Protocol |
Network Interface |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
9100 |
TCP |
internal |
node exporter |
Table 6-8: Auxiliary Database Server Communications
|
Source Component |
Source Port |
AuxDB Destination Port |
Transport Protocol |
Network Interface |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
5433 |
TCP |
internal |
|
|
NSP kubernetes VM |
>32768 |
7299 |
TCP |
internal |
|
|
NSP kubernetes VM |
>32768 |
9100 |
TCP |
internal |
node exporter |
Refer to WS-NOC documentation for a complete list of WS-NOC application communications.
Table 6-9: WS-NOC Communications
|
Source Component |
Source Port |
WS-NOC Destination Port |
Transport Protocol |
Network Interface |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
443 |
TCP |
client |
|
|
NSP kubernetes VM |
>32768 |
8443 |
TCP |
client |
GUI |
|
NSP kubernetes VM |
>32768 |
8543 |
TCP |
client |
WS-RC REST API |
Table 6-10: Syslog Server Communications
|
Source Component |
Source Port |
Destination Component |
Destination Port |
Transport Protocol |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
Syslog server |
514 |
TCP |
syslog notifications |
Table 6-11: Mail Server Communications
|
Source Component |
Source Port |
Destination Component |
Destination Port |
Transport Protocol |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
Mail Server |
25 |
TCP |
SMTP mail server (unsecure) |
|
NSP kubernetes VM |
>32768 |
Mail Server |
465 |
TCP |
SMTPS mail server (secure) |
|
NSP kubernetes VM |
>32768 |
Mail Server |
587 |
TCP |
STARTTLS mail server (secure) |
Table 6-12: Remote Authentication Server Communications
|
Source Component |
Source Port |
Destination Component |
Destination Port |
Transport Protocol |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
LDAP server |
389 |
TCP |
LDAP (unsecure) |
|
NSP kubernetes VM |
>32768 |
LDAP server |
636 |
TCP |
LDAP (secure) |
|
NSP kubernetes VM |
>32768 |
RADIUS server |
1812 |
TCP |
RADIUS |
|
NSP kubernetes VM |
>32768 |
TACACS server |
49 |
TCP |
TACACS |
Table 6-13: Splunk Server Communications
|
Source Component |
Source Port |
Destination Component |
Destination Port |
Transport Protocol |
Description |
|---|---|---|---|---|---|
|
NSP kubernetes VM |
>32768 |
Splunk Server |
8088 (see Note) |
TCP |
NSP application logs to Splunk |
Note: Destination port determined by Splunk server configuration.