NSP Port Communications

Overview

This section will document network communications between components in a NSP deployment. These tables can be used by customers to design traffic management policies based on their NSP deployment.

A complete listing of network communications for additional NSP components can be found in section 6.10 of this guide.

The following port changes are reported for NSP in Release 24.8

Table notes:

Note: The ephemeral port range of different server types may vary. Many Linux kernels use the port range 32768 - 61000. To determine the ephemeral port range of a server, execute

cat /proc/sys/net/ipv4/ip_local_port_range

Note: Some NSP operations require idle TCP ports to remain open for long periods of time. Therefore, customers that implement a network traffic policy that closes idle TCP connections should adjust operating system TCP keep-alives to ensure that NSP communications is not impacted (ie. set OS TCP keep-alives to be less than idle TCP timeout within network traffic policies).

Note: The use of firewalld is not supported on NSP cluster virtual machines. Nokia recommends using Calico policies to control traffic to an NSP cluster deployment. (Kubernetes networking relies on calico rules added to iptables. Using firewalld changes the order of those calico rules and can disrupt traffic flow in the NSP cluster.)

Table 6-1: NSP Kubernetes virtual machine communications

Source component(s)

Source Port

NSP Destination Port

Transport Protocol

Network Interface

Description/Purpose

System administration server

any

22

TCP

any

Administrator SSH access, software installation

remote DR NSP cluster

>32768

Network element

any

162

UDP

mediation

SNMP traps

Network element

n/a

n/a

ICMP

mediation

ICMP traffic between NSP and NEs.

browser/OSS clients

any

443

TCP

client

HTTPS communications for NSP applications, REST API, session management

Simulation Tool

>32768

443

TCP

internal

authentication, authorization, REST API

redundant NSP

>32768

443

TCP

internal

redundancy communications (DR only)

NFM-P main, NFM-P Auxiliary

>15000

443

TCP

internal

authentication, authorization, REST API

OSS clients

any

443

TCP

client

MDM applications

WS-NOC

>49192

443

TCP

client

authentication, authorization, REST API

Network element

any

2055

UDP

mediation

Flow Collector: netflowV5

NFM-P main, NFM-P Auxiliary

>15000

2281

TCP

internal

Secure Zookeeper communications

WS-NOC

>49192

remote DR NSP cluster

>32768

4152

TCP

internal

ASM module (DR only)

Network element

any

4739

UDP

mediation

Flow Collector: ipfixV10IANA

Network element

any

4740

UDP

mediation

Flow Collector: ipfixV10NokiaAA

Network element

any

4741

UDP

mediation

Flow Collector: ipfixV10NokiaSYS

Network element

any

4742

UDP

mediation

Flow Collector: ipfixV10NokiaBBNAT

remote DR NSP cluster

>32768

5000, 5001

TCP

internal

nspos-neo4j (DR only)

remote DR NSP cluster

>32768

5002

TCP

internal

nspos-neo4j (HA/DR only)

remote DR NSP cluster

>32768

5100, 5101

TCP

internal

nsp-tomcat neo4j (DR only)

remote DR NSP cluster

>32768

5102

TCP

internal

nsp-tomcat neo4j (HA/DR only)

remote DR NSP cluster

>32768

5200, 5201

TCP

internal

nrcx-tomcat neo4j (DR only)

remote DR NSP cluster

>32768

5202

TCP

internal

nrcx-tomcat neo4j (HA/DR only)

remote DR NSP cluster

>32768

6000, 6001

TCP

internal

nspos-neo4j (DR only)

remote DR NSP cluster

>32768

6002

TCP

internal

nspos-neo4j (HA/DR only)

remote DR NSP cluster

>32768

6100, 6101

TCP

internal

nsp-tomcat neo4j (DR only)

remote DR NSP cluster

>32768

6102

TCP

internal

nsp-tomcat neo4j (HA/DR only)

remote DR NSP cluster

>32768

6200, 6201

TCP

internal

nrcx-tomcat neo4j (DR only)

remote DR NSP cluster

>32768

6202

TCP

internal

nrcx-tomcat neo4j (HA/DR only)

remote DR NSP cluster

>32768

6432

TCP

internal

Postgres database

NFM-P main

>15000

WS-NOC

>49192

remote DR NSP cluster

>32768

7000, 7001

TCP

internal

nspos-neo4j (DR only)

remote DR NSP cluster

>32768

7002

TCP

internal

nspos-neo4j (HA/DR only)

remote DR NSP cluster

>32768

7100, 7101

TCP

internal

nsp-tomcat neo4j (DR only)

remote DR NSP cluster

>32768

7102

TCP

internal

nsp-tomcat neo4j (HA/DR only)

remote DR NSP cluster

>32768

7200, 7201

TCP

internal

nrcx-tomcat neo4j (DR only)

remote DR NSP cluster

>32768

7202

TCP

internal

nrcx-tomcat neo4j (HA/DR only)

external controller

any

8185

TCP

internal

REST trap forwarder port

NSP deployer node

any

8548

TCP

internal

adaptor installation

OSS clients

any

8548

TCP

client

mdmTomcat

browser

any

8561

TCP

client

file service GUI

OSS clients

any

8565

TCP

client

file service SFTP

remote DR NSP cluster

>32768

8566

TCP

internal

File synchronization with redundant NSP

NE

any

8567

TCP

mediation

File transfer with Nokia NEs.

NFM-P main

>15000

8575

TCP

internal

system token for components external to NSP

remote DR NSP cluster

>32768

8663

TCP

internal

CAM data synchronization (DR only)

browser/OSS clients

any

9192

TCP

client

Kafka

NFM-P main, NFM-P Auxiliary

>15000

9192

TCP

client/internal

Kafka

Applies to NSP deployments where client/internal communications are on same network interface.

WS-NOC

>49192

browser/OSS clients

any

9193, 9194

TCP

client

Kafka - enhanced NSP deployments only

NFM-P main, NFM-P Auxiliary

>15000

9193, 9194

TCP

client/internal

Kafka - enhanced NSP deployments only

Applies to NSP deployments where client/internal communications are on same network interface.

WS-NOC

>49192

NFM-P main, database

>15000

9200

TCP

internal

Opensearch log collection

NFM-P main, NFM-P Auxiliary

>15000

9292

TCP

internal

Kafka

Applies to NSP deployments where client/internal communications are on separate network interfaces.

WS-NOC

>49192

NFM-P main, NFM-P Auxiliary

>15000

9293, 9294

TCP

internal

Kafka - enhanced NSP only

Applies to NSP deployments where client/internal communications are on separate network interfaces.

WS-NOC

>49192

browser/OSS clients

any

80

TCP

client

Redirects to 443 - use only where required

Some NSP components may require communications with the PKI server at install time or when regenerating TLS certificates. The NSP cluster hosts the PKI server application.

Table 6-2: PKI Server Communications

Source Component

Source Port

PKI Server Port

Transport Protocol

Description

NFM-P main, NFM-P database, NFM-P Auxiliary

>15000

80

TCP

PKI server

Auxiliary database

>15000

WS-NOC

>49192

Table 6-3: Network Element Communications

Source component

Source port

NE Destination Port

Transport Protocol

Description

System administration server

any

22

TCP

Administrator SSH access, SFTP

NSP kubernetes VM

>32768

NSP kubernetes VM

>32768

161

UDP

SNMP mediation

NSP kubernetes VM

>32768

830

TCP

NETCONF mediation

NSP kubernetes VM

>32768

57400

TCP

gRPC

NSP kubernetes VM

>32768

21

TCP

telnet, FTP access - use only where required

NSP kubernetes VM

n/a

n/a

ICMP

ICMP traffic between NSP and NEs

Table 6-4: VSR-NRC Communications

Source component

Source port

VSR-NRC Destination Port

Transport Protocol

Description

NSP kubernetes VM

>32768

4199

TCP

Network topology information, service management

Refer to the Security Best Practices and Hardening Guide for detailed information on secure communications with VSR-NRC.

Refer to section 6.10 of this guide for a complete list of firewall rules for NFM-P and associated components.

Table 6-5: NFM-P Main Server Communications

Source component

Source port

NFM-P Destination Port

Transport Protocol

Network Interface

Description

NSP kubernetes VM

>32768

7879

TCP

internal

CPROTO port

NSP kubernetes VM

>32768

8087

TCP

client

web applications communications

NSP kubernetes VM

>32768

8089

TCP

client

web applications communications

NSP kubernetes VM

>32768

8443

TCP

client

XML API

NSP kubernetes VM

>32768

8543

TCP

client

NFM-P web applications, REST API

NSP kubernetes VM

>32768

9100

TCP

internal

node exporter

NSP communicates with NFM-P Database Server and NFM-P Auxiliary Server for collecting metrics.

Table 6-6: NFM-P Database Server Communications

Source component

Source port

NFM-P Destination Port

Transport Protocol

Network Interface

Description

NSP kubernetes VM

>32768

9100

TCP

internal

node-exporter

Table 6-7: NFM-P Auxiliary Server Communications

Source component

Source port

NFM-P Aux Destination Port

Transport Protocol

Network Interface

Description

NSP kubernetes VM

>32768

9100

TCP

internal

node exporter

Table 6-8: Auxiliary Database Server Communications

Source Component

Source Port

AuxDB Destination Port

Transport Protocol

Network Interface

Description

NSP kubernetes VM

>32768

5433

TCP

internal

NSP kubernetes VM

>32768

7299

TCP

internal

NSP kubernetes VM

>32768

9100

TCP

internal

node exporter

Refer to WS-NOC documentation for a complete list of WS-NOC application communications.

Table 6-9: WS-NOC Communications

Source Component

Source Port

WS-NOC Destination Port

Transport Protocol

Network Interface

Description

NSP kubernetes VM

>32768

443

TCP

client

NSP kubernetes VM

>32768

8443

TCP

client

GUI

NSP kubernetes VM

>32768

8543

TCP

client

WS-RC REST API

Table 6-10: Syslog Server Communications

Source Component

Source Port

Destination Component

Destination Port

Transport Protocol

Description

NSP kubernetes VM

>32768

Syslog server

514

TCP

syslog notifications

Table 6-11: Mail Server Communications

Source Component

Source Port

Destination Component

Destination Port

Transport Protocol

Description

NSP kubernetes VM

>32768

Mail Server

25

TCP

SMTP mail server (unsecure)

NSP kubernetes VM

>32768

Mail Server

465

TCP

SMTPS mail server (secure)

NSP kubernetes VM

>32768

Mail Server

587

TCP

STARTTLS mail server (secure)

Table 6-12: Remote Authentication Server Communications

Source Component

Source Port

Destination Component

Destination Port

Transport Protocol

Description

NSP kubernetes VM

>32768

LDAP server

389

TCP

LDAP (unsecure)

NSP kubernetes VM

>32768

LDAP server

636

TCP

LDAP (secure)

NSP kubernetes VM

>32768

RADIUS server

1812

TCP

RADIUS

NSP kubernetes VM

>32768

TACACS server

49

TCP

TACACS

Table 6-13: Splunk Server Communications

Source Component

Source Port

Destination Component

Destination Port

Transport Protocol

Description

NSP kubernetes VM

>32768

Splunk Server

8088 (see Note)

TCP

NSP application logs to Splunk

Note: Destination port determined by Splunk server configuration.