Nokia recommends a strict CPM filter policy: permit traffic from trusted IP subnets only for the protocols and ports the router actively uses, and explicitly drop all other traffic.

Table: Protocols and ports identifies which ports are used by which applications in SR OS. The source port and destination port are given as they appear in a CPM filter entry, that is, for traffic ingressing the router and sent to the CPM: a service the router terminates is matched on its destination port, while the return traffic for sessions the router itself initiates (clients, and rows described as "responses for initiated sessions") is matched on its source port. A dash in a port column means that column is not part of the match.
| Src port number | Dst port number | IP protocol | Application | Description | Accessible out of band | Accessible in band |
|---|---|---|---|---|---|---|
| — | 20 | TCP | FTP | FTP server data (active FTP client) | Yes | Yes |
| — | 21 | TCP | FTP | FTP server control | Yes | Yes |
| 20 | — | TCP | FTP | FTP client data | Yes | Yes |
| 21 | — | TCP | FTP | FTP client control | Yes | Yes |
| — | 22 | TCP | SSH, NETCONF | SSH server, NETCONF server | Yes | Yes |
| 22 | — | TCP | SSH | SSH client: responses for initiated TCP sessions | Yes | Yes |
| — | 23 | TCP | Telnet | Telnet server | Yes | Yes |
| 49 | — | TCP | TACACS+ | TACACS+ client: responses for initiated sessions | Yes | Yes |
| 53 | — | UDP | DNS | DNS client | — | Yes |
| 67 | 67 | UDP | DHCPv4 | Relay agent to server, server to relay agent, and relay agent to relay agent | — | Yes |
| 68 | 67 | UDP | DHCPv4 | Client to relay agent/server | — | Yes |
| 67 | 68 | UDP | DHCPv4 | Relay agent/server to client | — | Yes |
| — | 123 | UDP | NTP | NTP server | Yes | Yes |
| 123 | — | UDP | NTP | NTP client | Yes | Yes |
| — | 161 | UDP | SNMP | SNMP server: SET and GET commands | Yes | Yes |
| — | 179 | TCP | BGP | BGP: terminated TCP sessions | — | Yes |
| 179 | — | TCP | BGP | BGP: responses for initiated TCP sessions | — | Yes |
| — | 319 | UDP | PTP | IEEE 1588 PTP event | — | Yes |
| — | 320 | UDP | PTP | IEEE 1588 PTP general | — | Yes |
| 389 | — | TCP | LDAP | LDAP client (no TLS) | Yes | Yes |
| — | 520 | UDP | RIP | RIP | — | Yes |
| 546 | 547 | UDP | DHCPv6 | Client to server/relay agent | — | Yes |
| 547 | 547 | UDP | DHCPv6 | Server to relay agent, relay agent to server, and relay agent to relay agent | — | Yes |
| — | 639 | TCP | MSDP | Multicast Source Discovery Protocol | — | Yes |
| 636 | — | TCP | LDAPS | LDAP client over TLS | — | Yes |
| — | 646 | UDP | LDP | LDP hello adjacency | — | Yes |
| — | 646 | TCP | LDP | LDP/T-LDP: terminated TCP sessions | — | Yes |
| 646 | — | TCP | LDP | LDP/T-LDP: responses for initiated TCP sessions | — | Yes |
| — | 701 | UDP | LMP | Link Management Protocol | — | Yes |
| — | 830 | TCP | NETCONF | NETCONF server | Yes | Yes |
| — | ANY | UDP | TWAMP | TWAMP test | — | Yes |
| — | 862 | TCP | TWAMP | TWAMP control: terminated TCP session | — | Yes |
| — | 862, 64364-64373 | UDP | TWAMP | TWAMP Light reflector | — | Yes |
| 862, 64364-64373 | — | UDP | TWAMP | Nokia TWAMP Light initiator; a non-Nokia initiator may use the entire range | — | Yes |
| — | 1025 | UDP | MC-LAG, APS, EP, IPsec | Multi-chassis: LAG, APS (Automatic Protection Switching), endpoint, IPsec (MIMP), AARP | — | Yes |
| — | 1491 | TCP | SNMP streaming | SNMP streaming server | Yes | Yes |
| — | 1645 | UDP | RADIUS proxy | RADIUS proxy authentication | — | Yes |
| — | 1646 | UDP | RADIUS proxy | RADIUS proxy accounting | — | Yes |
| — | 1647 | UDP | RADIUS CoA | RADIUS dynamic authorization (CoA/DM) | Yes | Yes |
| — | 1700 | UDP | RADIUS CoA | RADIUS dynamic authorization (CoA/DM) | Yes | Yes |
| — | 1701 | UDP | L2TP | L2TP server | — | Yes |
| — | 1812 | UDP | RADIUS CoA | RADIUS dynamic authorization (CoA/DM) | Yes | Yes |
| 1812 | — | UDP | RADIUS | RADIUS authentication (client) | Yes | Yes |
| 1813 | — | UDP | RADIUS | RADIUS accounting (client) | Yes | Yes |
| — | 2000 | UDP | WPP | Web portal authentication protocol | — | Yes |
| 2083 | — | TCP | RADIUS | RADIUS over TLS (client) | Yes | Yes |
| — | 2123 | UDP | GTP | GTP control plane | — | Yes |
| 2123 | — | UDP | GTP | GTP control plane | — | Yes |
| — | 2152 | UDP | GTP | GTP user plane | — | Yes |
| 2152 | — | UDP | GTP | GTP user plane | — | Yes |
| — | 3232 | UDP | PIM | PIM MDT | — | Yes |
| — | 3503 | UDP | OAM | LSP ping, LSP trace, VPRN trace, VPRN ping | — | Yes |
| 3868 | — | TCP | Diameter | Diameter (client) | Yes | Yes |
| — | 3784 | UDP | BFD | BFD control: single-hop BFD and BFD over MPLS LSP | — | Yes |
| — | 3785 | UDP | BFD | BFD echo | — | Yes |
| — | 3799 | UDP | RADIUS | RADIUS dynamic authorization (CoA/DM) | Yes | Yes |
| 4189 | — | TCP | PCEP | Path Computation Element Protocol | Yes | Yes |
| — | 4739 | UDP | NAT | NAT debug | — | Yes |
| — | 4784 | UDP | BFD | BFD control: multi-hop | — | Yes |
| — | 4789 | UDP | VXLAN ping | VXLAN ping request | No | Yes |
| — | 4790 | UDP | VXLAN ping | VXLAN ping response | No | Yes |
| — | 5000 | UDP | Mtrace2 | IP multicast Mtrace2 | — | Yes |
| — | 5351 | UDP | NAT | PCP (Port Control Protocol) NAT port mapping | — | Yes |
| — | 6068 | TCP | ANCP | ANCP: terminated TCP session | — | Yes |
| 6514 | — | TCP | Syslog | Syslog over TLS (client) | Yes | Yes |
| — | 6635 | UDP | MPLS over UDP | MPLS over UDP OAM | No | Yes |
| — | 6653 | TCP | OpenFlow | OpenFlow: terminated TCP sessions | — | Yes |
| — | 6784 | UDP | BFD | uBFD (micro-BFD on LAG member links) | — | Yes |
| — | 8805 | UDP | PFCP | Packet Forwarding Control Protocol: used to install dynamic forwarding state | — | Yes |
| — | 33408-33535 | UDP | OAM | OAM traceroute | — | Yes |
| — | 45067 | TCP | MCS | Multi-chassis synchronization: terminated TCP session (mcs, mc-ring, mc-ipsec) | — | Yes |
| 45067 | — | TCP | MCS | Multi-chassis synchronization: responses for initiated TCP session (mcs, mc-ring, mc-ipsec) | — | Yes |
| — | 49151 | UDP | L2TP | L2TP | — | Yes |
| — | 57400 | TCP | gRPC | gRPC server | — | Yes |
| — | 64353 | UDP | MPLS DM | MPLS delay measurement using UDP return object | — | Yes |
| N/A | N/A | GRE | GRE | GRE | — | Yes |
| N/A | N/A | ICMP | ICMP | ICMP | Yes | Yes |
| N/A | N/A | IGMP | IGMP | IGMP | — | Yes |
| N/A | N/A | OSPF | OSPF | OSPF | — | Yes |
| N/A | N/A | PIM | PIM | PIM | — | Yes |
| N/A | N/A | RSVP | RSVP | RSVP | — | Yes |
| N/A | N/A | VRRP | VRRP, SRRP | VRRP, SRRP | — | Yes |
| pki-server-port or 80/8080 | any | TCP | PKI | CMPv2 (Certificate Management Protocol v2) client: responses for initiated TCP session | — | Yes |
| pki-server-port | any | TCP | PKI | OCSP (Online Certificate Status Protocol) client: responses for initiated TCP session | — | Yes |
| pki-server-port or 80/8080 | any | TCP | PKI | Automatic CRL (Certificate Revocation List) update client: responses for initiated TCP session | Yes | Yes |
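The following script turns the recommendation at the top of this page into a classic-CLI CPM filter: an ordered allow-list of (service, trusted subnet) pairs, each service matched on the destination port when the router terminates it and on the source port when the router initiated the session, followed by a logged catch-all drop and `default-action drop`. This is an added example, not code or configuration from the Nokia documentation: the CLI keywords it emits (`cpm-filter`, `default-action`, `ip-filter`, `entry <id> create`, `match protocol`, `src-ip`, `src-port`/`dst-port eq`, `action`, `log`) are written from memory and must be checked against the release you run, and the subnets, the `log 101` id and the service subset are constructed for the example.

```python
"""Build a Nokia SR OS classic-CLI CPM filter from an explicit allow-list.

Added example; not code or configuration from the Nokia documentation.
The classic-CLI keywords emitted below (cpm-filter, default-action,
ip-filter, entry <id> create, match protocol, src-ip, src-port/dst-port eq,
action accept|drop, log <log-id>) are written from memory and must be
checked against the release you run. All subnets, the log-id and the
service subset are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str            # "tcp", "udp" or an IP protocol number as a string
    port: Optional[int]   # None for protocols without ports (OSPF, ICMP, ...)
    side: str             # "server": router terminates -> match dst-port
                          # "client": router initiates  -> match src-port


# Small subset of the table above, keyed for the allow-list. "server" rows
# carry the service port as the destination port of ingress traffic;
# "client" rows carry it as the source port of the return traffic for
# sessions the router opened (TACACS+, RADIUS, outbound BGP, ...).
SERVICES = {
    "ssh":         Service("SSH/NETCONF server", "tcp", 22, "server"),
    "netconf":     Service("NETCONF server", "tcp", 830, "server"),
    "snmp":        Service("SNMP server", "udp", 161, "server"),
    "bgp-in":      Service("BGP terminated sessions", "tcp", 179, "server"),
    "bgp-out":     Service("BGP responses for initiated sessions", "tcp", 179, "client"),
    "ntp-client":  Service("NTP client", "udp", 123, "client"),
    "tacacs":      Service("TACACS+ client", "tcp", 49, "client"),
    "radius-auth": Service("RADIUS authentication", "udp", 1812, "client"),
    "radius-acct": Service("RADIUS accounting", "udp", 1813, "client"),
    "ospf":        Service("OSPF", "89", None, "server"),
}


def entry_lines(eid: int, key: str, subnet: str) -> List[str]:
    """Classic-CLI lines for one accept entry; refuses unbounded sources."""
    svc = SERVICES[key]
    net = ip_network(subnet, strict=True)   # host bits set -> ValueError
    if not isinstance(net, IPv4Network):
        raise ValueError(f"{key}: {subnet} is IPv6, use the ipv6-filter branch")
    if net.prefixlen == 0:
        raise ValueError(f"{key}: refusing to accept from any source")
    lines = [
        f"entry {eid} create",
        f'    description "{svc.name} from {net}"',
        f"    match protocol {svc.proto}",
        f"        src-ip {net}",
    ]
    if svc.port is not None:
        port_kw = "dst-port" if svc.side == "server" else "src-port"
        lines.append(f"        {port_kw} eq {svc.port}")
    lines += ["    exit", "    action accept", "exit"]
    return lines


def build_filter(allow: List[Tuple[str, str]], log_id: int = 101) -> str:
    """Render the cpm-filter block. Entries are numbered in list order and
    evaluated in that order, so keep your own management access first."""
    pad = " " * 20
    body: List[str] = []
    for i, (key, subnet) in enumerate(allow):
        body += [pad + ln for ln in entry_lines(10 * (i + 1), key, subnet)]
    # Explicit final drop that logs: default-action drop would discard the
    # same traffic, but silently, which hides both attacks and misconfigured
    # peers from the operator.
    body += [pad + ln for ln in (
        f"entry {10 * (len(allow) + 1)} create",
        '    description "catch-all: log and drop"',
        "    match",
        "    exit",
        f"    log {log_id}",
        "    action drop",
        "exit",
    )]
    head = ["configure", "    system", "        security",
            "            cpm-filter", "                default-action drop",
            "                ip-filter"]
    tail = ["                    no shutdown", "                exit",
            "            exit", "        exit", "    exit", "exit"]
    return "\n".join(head + body + tail)


if __name__ == "__main__":
    # Constructed allow-list: a management subnet and one peering subnet.
    print(build_filter([
        ("ssh", "192.0.2.0/24"),
        ("snmp", "192.0.2.0/24"),
        ("tacacs", "192.0.2.0/24"),
        ("bgp-in", "198.51.100.0/24"),
        ("bgp-out", "198.51.100.0/24"),
        ("ospf", "198.51.100.0/24"),
    ]))
```

Two practical notes. First, the entry that keeps your own SSH or NETCONF access must be the first one in the list, and the policy should be applied from an out-of-band session or with a commit-confirmed/rollback mechanism, because `default-action drop` takes effect for everything the entries do not cover. Second, the filter log referenced by `log 101` has to exist (`configure filter log` in classic CLI); the script only emits the reference. IPv6 control-plane traffic needs the equivalent entries under the IPv6 branch of the CPM filter, which this generator deliberately refuses rather than silently skipping.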