NSP Port Communications
Overview
This section documents the network communications between components in an NSP deployment. Customers can use these tables to design traffic management policies based on their NSP deployment.
A complete listing of network communications for additional NSP components can be found in section 6.10 of this guide.
The following port changes are reported for NSP in Release 25.4.
Table notes:

- Each table identifies network communications based on the destination component.
- Each communication link defines traffic from the originating component/port to the destination component/port. When traffic policies are applied in both directions of communication, the return path must also be permitted.
- In a multi-node NSP cluster deployment, communications originating from NSP to a destination must allow traffic from each node of that NSP cluster to the destination component. Traffic destined to a multi-node NSP cluster requires communications to the virtual IP address of the NSP cluster.
- For NSP deployments with multiple network interfaces, the communications matrix defines on which network interface the communications are received.
- Where multiple components may be communicating with a destination component and port, each source component with its source port range is listed.
- A system administrator requires SSH access to components in the NSP deployment for installation and maintenance purposes. For this purpose, the tables list a source component of "System administration server".
Note: The ephemeral port range of different server types may vary. Many Linux kernels use the port range 32768 - 61000. To determine the ephemeral port range of a server, execute:
cat /proc/sys/net/ipv4/ip_local_port_range
Note: Some NSP operations require idle TCP connections to remain open for long periods of time. Therefore, customers that implement a network traffic policy that closes idle TCP connections should adjust operating system TCP keep-alives to ensure that NSP communications are not impacted (i.e. set the OS TCP keep-alive interval to be less than the idle TCP timeout within the network traffic policies).
Note: The use of firewalld is not supported on NSP cluster virtual machines. Nokia recommends using Calico policies to control traffic to an NSP cluster deployment. (Kubernetes networking relies on calico rules added to iptables. Using firewalld changes the order of those calico rules and can disrupt traffic flow in the NSP cluster.)
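As an added example (not from the NSP guide or Nokia), the following Python encodes two of the table notes above in checkable form: it tests whether a rule written with the matrix's source-port convention (for example ">32768") actually covers the ephemeral range a server reports in ip_local_port_range, and derives the return-path rule that a policy applied in both directions must also permit. The inclusive reading of ">N" (matching the 32768 - 61000 default the note cites) and the sample Kafka row are assumptions.

```python
# Added example: validate communications-matrix source-port rules against the
# ephemeral range of a real server, and derive the return-path rule.

def parse_ephemeral_range(proc_text):
    """Parse the two numbers printed by `cat /proc/sys/net/ipv4/ip_local_port_range`."""
    low, high = (int(x) for x in proc_text.split())
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid ip_local_port_range: {proc_text!r}")
    return low, high


def source_port_bound(spec):
    """Turn a matrix source-port cell (">32768", ">15000", "any") into an inclusive lower bound.
    Assumption: the guide's ">32768" denotes the range starting at 32768, as in its
    32768 - 61000 example, so ">N" is read as N and above rather than N+1 and above."""
    spec = spec.strip()
    if spec == "any":
        return 1
    if spec.startswith(">"):
        return int(spec[1:])
    raise ValueError(f"unsupported source port spec: {spec!r}")


def rule_covers_ephemeral(spec, proc_text):
    """True when every ephemeral port the OS may pick is allowed by the matrix entry.
    A server tuned to 1024-65535 would see connections dropped under a ">32768" rule."""
    low, _high = parse_ephemeral_range(proc_text)
    return source_port_bound(spec) <= low


def return_path(rule):
    """Per the table notes, a policy enforced in both directions must also permit the
    reply: swap source/destination component and port, keep the transport protocol."""
    return {
        "src": rule["dst"], "sport": rule["dport"],
        "dst": rule["src"], "dport": rule["sport"],
        "proto": rule["proto"],
    }


# Constructed sample row modelled on the Table 6-2 Kafka entry (NFM-P main -> NSP, 9192/TCP).
KAFKA_RULE = {"src": "NFM-P main", "sport": ">15000",
              "dst": "NSP cluster VIP", "dport": "9192", "proto": "TCP"}

if __name__ == "__main__":
    print(rule_covers_ephemeral(">32768", "32768\t61000"))  # common Linux default: covered
    print(rule_covers_ephemeral(">32768", "1024\t65535"))   # tuned kernel: rule is too narrow
    print(return_path(KAFKA_RULE))
```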
Table 6-2: NSP Kubernetes virtual machine communications

| Source component(s) | Source Port | NSP Destination Port | Transport Protocol | Encryption | Network Interface | Description/Purpose |
|---|---|---|---|---|---|---|
| System administration server | any | 22 | TCP | Dynamic Encryption | any | Administrator SSH access, software installation |
| remote DR NSP cluster | >32768 | 22 | TCP | Dynamic Encryption | any | Administrator SSH access, software installation |
| NFM-P main, NFM-P database, NFM-P Auxiliary | >15000 | 80 | TCP | Dynamic Encryption provided by TLS | any | PKI server |
| Auxiliary database | >15000 | 80 | TCP | Dynamic Encryption provided by TLS | any | PKI server |
| WS-NOC | >49192 | 80 | TCP | Dynamic Encryption provided by TLS | any | PKI server |
| Network element | any | 162 | UDP | None | mediation | SNMP traps |
| Network element | n/a | n/a | ICMP | None | mediation | ICMP traffic between NSP and NEs |
| browser/OSS clients | any | 443 | TCP | Dynamic Encryption provided by TLS | client | HTTPS communications for NSP applications, REST API, session management |
| Simulation Tool | >32768 | 443 | TCP | Dynamic Encryption provided by TLS | internal | authentication, authorization, REST API |
| redundant NSP | >32768 | 443 | TCP | Dynamic Encryption provided by TLS | internal | redundancy communications (DR only) |
| NFM-P main, NFM-P Auxiliary | >15000 | 443 | TCP | Dynamic Encryption provided by TLS | internal | authentication, authorization, REST API |
| WS-NOC | >49192 | 443 | TCP | Dynamic Encryption provided by TLS | client | authentication, authorization, REST API |
| Network element | any | 2055 | UDP | None | mediation | Flow Collector: netflowV5 |
| NFM-P main, NFM-P Auxiliary | >15000 | 2281 | TCP | Dynamic Encryption provided by TLS | internal | Secure Zookeeper communications |
| WS-NOC | >49192 | 2281 | TCP | Dynamic Encryption provided by TLS | internal | Secure Zookeeper communications |
| remote DR NSP cluster | >32768 | 4152 | TCP | Dynamic Encryption provided by TLS | internal | ASM module (DR only) |
| Network element | any | 4739 | UDP | None | mediation | Flow Collector: ipfixV10IANA |
| Network element | any | 4740 | UDP | None | mediation | Flow Collector: ipfixV10NokiaAA |
| Network element | any | 4741 | UDP | None | mediation | Flow Collector: ipfixV10NokiaSYS |
| Network element | any | 4742 | UDP | None | mediation | Flow Collector: ipfixV10NokiaBBNAT |
| remote DR NSP cluster | >32768 | 5000, 5001 | TCP | Dynamic Encryption provided by TLS | internal | nspos-neo4j (DR only) |
| remote DR NSP cluster | >32768 | 5002 | TCP | Dynamic Encryption provided by TLS | internal | nspos-neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 5100, 5101 | TCP | Dynamic Encryption provided by TLS | internal | nsp-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 5102 | TCP | Dynamic Encryption provided by TLS | internal | nsp-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 5200, 5201 | TCP | Dynamic Encryption provided by TLS | internal | nrcx-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 5202 | TCP | Dynamic Encryption provided by TLS | internal | nrcx-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 6000, 6001 | TCP | Dynamic Encryption provided by TLS | internal | nspos-neo4j (DR only) |
| remote DR NSP cluster | >32768 | 6002 | TCP | Dynamic Encryption provided by TLS | internal | nspos-neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 6100, 6101 | TCP | Dynamic Encryption provided by TLS | internal | nsp-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 6102 | TCP | Dynamic Encryption provided by TLS | internal | nsp-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 6200, 6201 | TCP | Dynamic Encryption provided by TLS | internal | nrcx-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 6202 | TCP | Dynamic Encryption provided by TLS | internal | nrcx-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 6379 | TCP | Dynamic Encryption provided by TLS | internal | nspos-redis/Devicestore data replication |
| remote DR NSP cluster | >32768 | 6380 | TCP | Dynamic Encryption provided by TLS | internal | devicestore-fileserver/Initiate data replication |
| remote DR NSP cluster | >32768 | 6432 | TCP | Dynamic Encryption provided by TLS | internal | Postgres database |
| NFM-P main | >15000 | 6432 | TCP | Dynamic Encryption provided by TLS | internal | Postgres database |
| WS-NOC | >49192 | 6432 | TCP | Dynamic Encryption provided by TLS | internal | Postgres database |
| remote DR NSP cluster | >32768 | 7000, 7001 | TCP | Dynamic Encryption provided by TLS | internal | nspos-neo4j (DR only) |
| remote DR NSP cluster | >32768 | 7002 | TCP | Dynamic Encryption provided by TLS | internal | nspos-neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 7100, 7101 | TCP | Dynamic Encryption provided by TLS | internal | nsp-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 7102 | TCP | Dynamic Encryption provided by TLS | internal | nsp-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 7200, 7201 | TCP | Dynamic Encryption provided by TLS | internal | nrcx-tomcat neo4j (DR only) |
| remote DR NSP cluster | >32768 | 7202 | TCP | Dynamic Encryption provided by TLS | internal | nrcx-tomcat neo4j (HA/DR only) |
| remote DR NSP cluster | >32768 | 7687 | TCP | Dynamic Encryption provided by TLS | internal | nspos-neo4j (DR only) |
| remote DR NSP cluster | >32768 | 8001 | TCP | Dynamic Encryption provided by TLS | internal | Role Manager (DR only) |
| remote DR NSP cluster | >32768 | 8482 | TCP | Dynamic Encryption provided by TLS | internal | System Admin App (DR only) |
| OSS clients | any | 8545 | TCP | Dynamic Encryption provided by TLS | client | MDM applications |
| NSP deployer node | any | 8548 | TCP | Dynamic Encryption provided by TLS | internal | adaptor installation |
| OSS clients | any | 8548 | TCP | Dynamic Encryption provided by TLS | client | mdmTomcat |
| OSS clients | any | 8565 | TCP | Dynamic Encryption | client | file service SFTP |
| remote DR NSP cluster | >32768 | 8566 | TCP | Dynamic Encryption provided by TLS | internal | File synchronization with redundant NSP |
| NE | any | 8567 | TCP | Dynamic Encryption provided by TLS | mediation | File transfer with Nokia NEs |
| NFM-P main | >15000 | 8575 | TCP | Dynamic Encryption provided by TLS | internal | system token for components external to NSP |
| remote DR NSP cluster | >32768 | 8663 | TCP | Dynamic Encryption provided by TLS | internal | CAM data synchronization (DR only) |
| OSS clients | any | 9192 | TCP | Dynamic Encryption provided by TLS | client | Kafka |
| NFM-P main, NFM-P Auxiliary | >15000 | 9192 | TCP | Dynamic Encryption provided by TLS | client/internal | Kafka. Applies to NSP deployments where client/internal communications are on the same network interface. |
| WS-NOC | >49192 | 9192 | TCP | Dynamic Encryption provided by TLS | client/internal | Kafka. Applies to NSP deployments where client/internal communications are on the same network interface. |
| OSS clients | any | 9193, 9194 | TCP | Dynamic Encryption provided by TLS | client | Kafka - enhanced NSP deployments only |
| NFM-P main, NFM-P Auxiliary | >15000 | 9193, 9194 | TCP | Dynamic Encryption provided by TLS | client/internal | Kafka - enhanced NSP deployments only. Applies to NSP deployments where client/internal communications are on the same network interface. |
| WS-NOC | >49192 | 9193, 9194 | TCP | Dynamic Encryption provided by TLS | client/internal | Kafka - enhanced NSP deployments only. Applies to NSP deployments where client/internal communications are on the same network interface. |
| NFM-P main, database | >15000 | 9200 | TCP | Dynamic Encryption provided by TLS | internal | Opensearch log collection |
| NFM-P main, NFM-P Auxiliary | >15000 | 9292 | TCP | Dynamic Encryption provided by TLS | internal | Kafka. Applies to NSP deployments where client/internal communications are on separate network interfaces. |
| WS-NOC | >49192 | 9292 | TCP | Dynamic Encryption provided by TLS | internal | Kafka. Applies to NSP deployments where client/internal communications are on separate network interfaces. |
| NFM-P main, NFM-P Auxiliary | >15000 | 9293, 9294 | TCP | Dynamic Encryption provided by TLS | internal | Kafka - enhanced NSP only. Applies to NSP deployments where client/internal communications are on separate network interfaces. |
| WS-NOC | >49192 | 9293, 9294 | TCP | Dynamic Encryption provided by TLS | internal | Kafka - enhanced NSP only. Applies to NSP deployments where client/internal communications are on separate network interfaces. |
Table 6-3: Network Element Communications

| Source component | Source port | NE Destination Port | Transport Protocol | Description |
|---|---|---|---|---|
| NSP kubernetes VM | n/a | n/a | ICMP | Network connectivity test, ICMP type 8 (request) and type 0 (reply) |
| System administration server | any | 22 | TCP | Administrator SSH access, SFTP |
| NSP kubernetes VM | >32768 | 22 | TCP | Administrator SSH access, SFTP |
| NSP kubernetes VM | >32768 | 161 | UDP | SNMP mediation |
| NSP kubernetes VM | >32768 | 830 | TCP | NETCONF mediation |
| NSP kubernetes VM | >32768 | 57400 | TCP | gRPC |
| NSP kubernetes VM | >32768 | 21 | TCP | telnet, FTP access - use only where required |
Table 6-4: VSR-NRC Communications

| Source component | Source port | VSR-NRC Destination Port | Transport Protocol | Description |
|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 4199 | TCP | Network topology information, service management |
Refer to the Security Best Practices and Hardening Guide for detailed information on secure communications with VSR-NRC.
Refer to section 6.10 of this guide for a complete list of firewall rules for NFM-P and associated components.
Table 6-5: NFM-P Main Server Communications

| Source component | Source port | NFM-P Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 7879 | TCP | internal | CPROTO port |
| NSP kubernetes VM | >32768 | 8087 | TCP | client | web applications communications |
| NSP kubernetes VM | >32768 | 8089 | TCP | client | web applications communications |
| NSP kubernetes VM | >32768 | 8443 | TCP | client | XML API |
| NSP kubernetes VM | >32768 | 9100 | TCP | internal | node exporter |
NSP communicates with NFM-P Database Server and NFM-P Auxiliary Server for collecting metrics.
Table 6-6: NFM-P Database Server Communications

| Source component | Source port | NFM-P Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 9100 | TCP | internal | node exporter |
Table 6-7: NFM-P Auxiliary Server Communications

| Source component | Source port | NFM-P Aux Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 9100 | TCP | internal | node exporter |
Table 6-8: Auxiliary Database Server Communications

| Source Component | Source Port | AuxDB Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 5433 | TCP | internal | |
| NSP kubernetes VM | >32768 | 7299 | TCP | internal | |
| NSP kubernetes VM | >32768 | 9100 | TCP | internal | node exporter |
Refer to WS-NOC documentation for a complete list of WS-NOC application communications.
Table 6-9: WS-NOC Communications

| Source Component | Source Port | WS-NOC Destination Port | Transport Protocol | Network Interface | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | 443 | TCP | client | |
| NSP kubernetes VM | >32768 | 8443 | TCP | client | GUI |
| NSP kubernetes VM | >32768 | 8543 | TCP | client | WS-RC REST API |
Table 6-10: Syslog Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | Syslog server | 514 | TCP | syslog notifications |
Table 6-11: Mail Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | Mail Server | 25 | TCP | SMTP mail server (unsecure) |
| NSP kubernetes VM | >32768 | Mail Server | 465 | TCP | SMTPS mail server (secure) |
| NSP kubernetes VM | >32768 | Mail Server | 587 | TCP | STARTTLS mail server (secure) |
Table 6-12: Remote Authentication Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | n/a | RADIUS server | n/a | ICMP | Test connectivity of NSP and RADIUS server |
| NSP kubernetes VM | n/a | TACACS server | n/a | ICMP | Test connectivity of NSP and TACACS server |
| NSP kubernetes VM | >32768 | LDAP server | 389 | TCP | LDAP (unsecure) |
| NSP kubernetes VM | >32768 | LDAP server | 636 | TCP | LDAP (secure) |
| NSP kubernetes VM | >32768 | RADIUS server | 1812 | UDP | RADIUS |
| NSP kubernetes VM | >32768 | TACACS server | 49 | TCP | TACACS |
Note: NSP requires ICMP connectivity to the configured remote authentication servers.
Table 6-13: Splunk Server Communications

| Source Component | Source Port | Destination Component | Destination Port | Transport Protocol | Description |
|---|---|---|---|---|---|
| NSP kubernetes VM | >32768 | Splunk Server | 8088 (see Note) | TCP | NSP application logs to Splunk |
Note: Destination port determined by Splunk server configuration.