WCDMA RAN, Rel. RU50, Operating Documentation, Issue 02 WCDMA RAN Communication Matrix DN70962119 Approval date 2014-06-04


WCDMA RAN Communication Matrix

DN0962119 Issue 03

© Nokia Solutions and Networks Confidential


The information in this document is subject to change without notice and describes only the product defined in the introduction of this documentation. This documentation is intended for the use of Nokia Solutions and Networks customers only for the purposes of the agreement under which the document is submitted, and no part of it may be used, reproduced, modified or transmitted in any form or means without the prior written permission of Nokia Solutions and Networks. The documentation has been prepared to be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Nokia Solutions and Networks welcomes customer comments as part of the process of continuous development and improvement of the documentation. The information or statements given in this documentation concerning the suitability, capacity, or performance of the mentioned hardware or software products are given "as is" and all liability arising in connection with such hardware or software products shall be defined conclusively and finally in a separate agreement between Nokia Solutions and Networks and the customer. However, Nokia Solutions and Networks has made all reasonable efforts to ensure that the instructions contained in the document are adequate and free of material errors and omissions. Nokia Solutions and Networks will, if deemed necessary by Nokia Solutions and Networks, explain issues which may not be covered by the document. Nokia Solutions and Networks will correct errors in this documentation as soon as possible. IN NO EVENT WILL NOKIA SOLUTIONS AND NETWORKS BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT.
NSN is a trademark of Nokia Solutions and Networks. Nokia is a registered trademark of Nokia Corporation. Other product names mentioned in this document may be trademarks of their respective owners, and they are mentioned for identification purposes only. Copyright © Nokia Solutions and Networks 2014. All rights reserved.

Nokia Solutions and Networks is continually striving to reduce the adverse environmental effects of its products and services. We would like to encourage you as our customers and users to join us in working towards a cleaner, safer environment. Please recycle product packaging and follow the recommendations for power use and proper disposal of our products and their components. If you should have questions regarding our Environmental Policy or any of the environmental services we offer, please contact us at Nokia Solutions and Networks for additional information.


Table of contents

Summary of changes
1. Introduction
2. Flexi BTS
3. IPA RNC
4. OMS


Summary of changes

The document comprises 23 pages.

Multicontroller RNC content is on mcRNC3.0 level and is not valid for RU50. Flexi Direct content is on Flexi Direct RU40 level, and is not valid for RU50.

Changes between issues 02E (2014-03-07, RU40) and 03 (2014-06-04, RU50)

• mcRNC and FlexiDirect have been removed due to no release for these products in RU50
• iOMS ILO connections have been added
• Co-siting connections have been removed
• Traffic ports have been corrected for IPA RNC
• Virtual printer port has been added to IPA RNC
• NTP and DNS have been added to IPA RNC.

Changes between issues 02D (2014-02-18, RU40) and 02E (2014-03-07, RU40)

• Certificate management section has been added to the mcRNC chapter.

Changes between issues 02C (2013-09-11, RU40) and 02D (2014-02-18, RU40)

• Older releases, Ultra Site and ToP Master have been removed.


WCDMA RAN Communication Matrix

The purpose of this document is to list all the IP-based connections established between the RAN network elements, as well as the connections towards other network elements outside the RAN. It is intended to be used by R&D to be aware of all the possible IP services available in the RAN, so that appropriate hardening and security measures are taken into account. In particular, this document can be used as input to configure the firewalls in the network.

Limitations

The following limitations exist in this document:
1- Only IP over Ethernet connections are listed. This affects BTS O&M connections and Iu-PS user plane and control plane, since both can also be based on IP over ATM.
2- Local connections used for local management purposes are not listed.
3- Internal connections (not visible in the external interfaces) are not listed.

Legend:

Local system: Indicates the local Network Element and the address within the element.

Local port: Indicates which port or ports are used by the local Network Element. They can be either fixed, configurable or dynamically selected.
• Any: Indicates that a dynamic port from the range [1024, 65535] is used
• Configurable: Indicates that the port can be configured in the user interface of the network element
• N/A: Indicates that there is no port number

Init direction: Indicates which peer initiates the connection.
• ↔ Either Network Element can initiate the connection
• ← The remote Network Element initiates the connection, or sends the first packet
• → The local Network Element initiates the connection, or sends the first packet

Traffic direction: Indicates which peer sends packets.
• ↔ Either Network Element can send a packet
• ← Only the remote Network Element sends packets
• → Only the local Network Element sends packets

Remote system: Indicates the remote Network Element and the address within the element.

Remote port: Indicates which port or ports are used by the remote Network Element. They can be either fixed, configurable or dynamically selected.
• Any: Indicates that a dynamic port from the range [1024, 65535] is used
• Configurable: Indicates that the port can be configured in the user interface of the network element
• N/A: Indicates that there is no port number

Protocol: Transport protocol used by the connection.

Service: Service supported by the connection.

Authenticated Service: Indicates if the service has some type of authentication (username/password, certificates, PSK, etc.).

Availability: Indicates whether the connection is present in the system or not.
• always on: If the feature is available in the release and the license is available (if applicable), then ports are always open or connections exist.
• default on: If the feature is available in the release and the license is available (if applicable), then ports are open by default or connections exist by default. However, they can be closed by configuration.
• default off: If the feature is available in the release and the license is available (if applicable), then ports are closed by default. However, they can be opened by configuration.
• dynamic: Connection exists depending on feature availability/configuration or on dynamic negotiations between network elements.

Supported Remote System Families: When the remote system might be of a different product family, the supported family is listed. At this moment this applies only to BTS and RNC.
• N/A: Indicates that there is only one product family for the remote system, or there is no practical difference between them.

Secure Network: Indicates whether the connection is required when using security.
• N/A: The connection is not related to security (typically non O&M connections)
• Yes: The connection does exist when security is used
• No: The connection does not exist when security is used
• Both: The connection will be present both when security is used and when not, usually because there is no secure alternative

Related feature: Feature(s) where the connection was introduced.
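As an added example (not part of the original document), the following Python applies the legend's semantics to turn matrix rows into first-packet allow-rules for a stateful firewall and to list unauthenticated services that a remote peer can reach first. The `Row` and `Rule` types and all function names are assumptions of this example; the sample rows are copied from the Flexi BTS table of this matrix.

```python
import re
from typing import List, NamedTuple, Optional

DYNAMIC = "1024-65535"  # legend: "Any" = dynamic port from the range [1024, 65535]
_RANGE = re.compile(r"(\d+)\s*,?\s*(?:\.{2,3}|…)\s*,?\s*(\d+)")


class Row(NamedTuple):
    local: str
    local_port: str
    init: str            # "←" remote initiates, "→" local initiates, "↔" either
    remote: str
    remote_port: str
    proto: str
    service: str
    auth: str
    availability: str


class Rule(NamedTuple):   # one allowed first packet; replies are left to connection tracking
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    proto: str
    service: str


# Sample rows copied from the Flexi BTS table of this matrix (subset).
ROWS = [
    Row("BTS/Any", "[33434 ... 33933]", "←", "Any", "Any", "UDP",
        "traceroute", "No", "default on"),
    Row("BTS/IPsec tunnel endpoint", "500", "↔", "IPSec Security Gateway", "500", "UDP",
        "IPSec Key management", "Yes", "dynamic"),
    Row("BTS/IPsec tunnel endpoint", "N/A", "↔", "IPSec Security Gateway", "N/A", "ESP",
        "IPSec Encapsulation Security Payload", "Yes", "dynamic"),
    Row("BTS/Management plane or BTS/DHCP assigned", "Any", "→", "RNC, OMS", "8003",
        "TCP/TLS", "Secure BTS O&M Interface", "Yes", "dynamic"),
    Row("BTS/Management plane", "123", "→", "NTP Server (Server 1, 2 or 3)", "123", "UDP",
        "NTP client", "No", "dynamic"),
    Row("BTS/Management plane", "15001", "←", "Tester", "Any", "TCP",
        "TASSU (NSN R&D)", "No", "default off"),
]


def port_spec(cell: str) -> Optional[str]:
    """Normalise a port cell to 'N', 'LO-HI' or a comma list; None means N/A (no port).

    A bare 'Configurable' raises ValueError: the operator has to supply the value.
    """
    text = cell.strip()
    if text.upper() in ("N/A", "NA"):
        return None
    if text.lower() == "any":
        return DYNAMIC
    ranges = [f"{lo}-{hi}" for lo, hi in _RANGE.findall(text)]
    singles = re.findall(r"\d+", _RANGE.sub(" ", text))
    if not ranges and not singles:
        raise ValueError(f"port must be supplied by the operator: {cell!r}")
    return ",".join(singles + ranges)


def l4(proto: str) -> str:
    """'TCP/TLS' is TLS carried over TCP; ESP, ICMP and OSPF are port-less IP protocols."""
    return proto.split("/")[0].lower()


def rules_for(row: Row, enabled_services=()) -> List[Rule]:
    """Allow-rules for the first packet of each flow described by one matrix row."""
    if row.availability == "default off" and row.service not in enabled_services:
        return []  # closed unless the operator opened it, so it stays blocked
    lp, rp, proto = port_spec(row.local_port), port_spec(row.remote_port), l4(row.proto)
    rules = []
    if row.init in ("→", "↔"):   # the local NE sends the first packet
        rules.append(Rule(row.local, lp, row.remote, rp, proto, row.service))
    if row.init in ("←", "↔"):   # the remote NE sends the first packet
        rules.append(Rule(row.remote, rp, row.local, lp, proto, row.service))
    return rules


def build_ruleset(rows, enabled_services=()) -> List[Rule]:
    return [rule for row in rows for rule in rules_for(row, enabled_services)]


def unauthenticated_inbound(rows, enabled_services=()) -> List[str]:
    """Services marked Authentication = No that a remote peer is allowed to reach first."""
    return [r.service for r in rows
            if r.auth == "No"
            and any(rule.dst == r.local for rule in rules_for(r, enabled_services))]


if __name__ == "__main__":
    for rule in build_ruleset(ROWS):
        print(rule)
    print("restrict by source address:", unauthenticated_inbound(ROWS))
```

Rows whose availability depends on the release (for example the FTP rows) are not matched by the exact "default off" test and need the operator's decision before they are passed in.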

FlexiBTS

User plane, control plane, synchronization plane

General

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Any | [33434 ... 33933] | ← | ← | Any | Any | UDP | traceroute | No | default on | | x | x | x |
| BTS/Any | N/A | ↔ | ↔ | Any | N/A | ICMP | ICMP | No | always on | | x | x | x |

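IPsec

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/IPsec tunnel endpoint | 500 | ↔ | ↔ | IPSec Security Gateway | 500 | UDP | IPSec Key management | Yes | dynamic | The source port of the IPSec Security gateway unit could be a different port than port 500. The port 500 is usually used. | x | x | x |
| BTS/IPsec tunnel endpoint | N/A | ↔ | ↔ | IPSec Security Gateway | N/A | ESP | IPSec Encapsulation Security Payload | Yes | dynamic | | x | x | x |

Monitoring

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Transport Interface | 7 | ← | ↔ | Echo client | Any | UDP | FTM UDP Echo | No | default off | | x | x | x |
| BTS/TWAMP sender | Configurable (5001, …, 5010) | → | ↔ | TWAMP reflector | configurable | UDP | TWAMP sender (client) | No | default off | TWAMP session1=Port 5001, …, TWAMP Session10=Port 5010 | x | x | x |
| BTS/TWAMP reflector | 5018 | ← | ↔ | TWAMP sender | Any | UDP | TWAMP reflector (server) | No | default off | | x | x | x |

BFD

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Transport Interface | Configurable | → | → | Site Router | 3784 | UDP | Bidirectional Forward Detection (Single Hop) | No | dynamic | | x | x | x |
| BTS/BFD | Configurable | → | → | RNC | 4784 | UDP | Bidirectional Forward Detection (MultiHop) | No | dynamic | | x | x | x |
| BTS/Transport Interface | 3784 | ← | ← | Site Router | Any | UDP | Bidirectional Forward Detection (Single Hop) | No | dynamic | | x | x | x |
| BTS/BFD | 4784 | ← | ← | RNC | 4784 | UDP | Bidirectional Forward Detection (MultiHop) | No | dynamic | | x | x | x |

OSPF

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Transport Interface | NA | ↔ | ↔ | OSPF peer | N/A | OSPF | OSPF | No | dynamic | | x | x | - |
| BTS/Multicast | NA | ← | ← | OSPF peer | N/A | OSPF | OSPF | No | dynamic | | x | x | - |
| BTS/Transport Interface | NA | → | → | Multicast | N/A | OSPF | OSPF | No | dynamic | | x | x | - |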

User plane, control plane, synchronization plane

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Control plane | Configurable | ← | ↔ | RNC | Configurable | SCTP | NetworkLayerSignalling CNBAP via SCTP | No | always on | The local port is configurable by Minimum SCTP port. With RAN2512 RNC Resiliency a second RNC Far End SCTP Subnet can be configured. | x | x | x |
| BTS/Control plane | Configurable | ← | ↔ | RNC | Configurable | SCTP | NetworkLayerSignalling DNBAP via SCTP | No | always on | The local port is configurable by Minimum SCTP port + 1. With RAN2512 RNC Resiliency a second RNC Far End SCTP Subnet can be configured. | x | x | x |
| BTS/User plane | [49152 … 65535] | → | ↔ | RNC | [1026 … 65535] | UDP | IP based U-plane. The lower value of the BTS port range can be configured by the operator (TMPAR: minUDPPort to a higher value up to 63135) | No | default on | | x | x | x |
| BTS/Transport Interface | N/A | ↔ | ↔ | ATMoPSN GW | N/A | MPLS | ATM over Ethernet (PSN): Pseudowire | No | dynamic | | x | x | - |
| BTS/Transport Interface | Configurable | ↔ | ↔ | CESoPSN GW, BSC3i with ETIP card | Configurable | UDP | Generic: CESoPSN | No | dynamic | Local port is configurable in the range of [49152..65535]. 4, 8 or 16 Ports out of that range starting with "Minimum UDP Port". Selectable at the "CES over PSN" tab. | x | x | - |
| BTS/Synchronization plane | [319, 320] | → | ↔ | ToP Server | [319, 320] | UDP | Timing Over Packet | No | dynamic | | x | x | x |
| BTS/Synchronization plane | [319, 320] | ← | ↔ | ToP Server | Any | UDP | Timing Over Packet | No | dynamic | | x | x | x |

Management plane

General

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | RNC, OMS | 8003 | TCP/TLS | Secure BTS O&M Interface | Yes | dynamic | With RAN2512 RNC Resiliency a second RNC M-Plane IP address can be configured | x | x | x |
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | RNC, OMS | 8002 | TCP | BTS O&M Interface | No | dynamic | With RAN2512 RNC Resiliency a second RNC M-Plane IP address can be configured | x | x | x |

DHCP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/(0.0.0.0) | 68 | → | → | DHCP Server via broadcast/(255.255.255.255) | 67 | UDP | DHCP for autoconnection | No | dynamic | | x | x | x |
| BTS/DHCP assigned | 68 | ← | ← | DHCP Server | 67 | UDP | DHCP for autoconnection | No | dynamic | | x | x | x |

HTTP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Management plane | 80 | ← | ↔ | BTS SM | Any | TCP | O&M operations: Session IOR retrieval from BTS SM; Webserver unauthenticated pages | No | always on | | x | - | - |
| BTS/Management plane | 80 | ← | ↔ | BTS SM | Any | TCP | O&M operations: Webserver authenticated page access (e.g. log file retrieval, ping, reboot) | Yes | always on | | x | - | - |
| BTS/Management plane | 443 | ← | ↔ | BTS SM | Any | TCP/TLS | O&M operations: Session IOR retrieval from BTS SM; Webserver unauthenticated pages; Webserver authenticated page access (e.g. log file retrieval, ping, reboot) | Yes | always on | Security relevant actions are authenticated | x | x | x |
| BTS/Management plane | 6000 | ← | ↔ | BTS SM, OMS, NetAct | Any | TCP | File transfer via HTTP | Yes | always on (<WN8.0); default on (>= LN1.0, >= WN8.0) | Security relevant file access is authenticated | x | x | x |
| BTS/Management plane | 6001 | ← | ↔ | BTS SM, OMS, NetAct | Any | TCP/TLS | File transfer via HTTPS | Yes | always on | Security relevant file access is authenticated | x | x | x |
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | OMS | 80 | TCP | File transfer via HTTP | Yes | dynamic (<WN8.0); default on (>= LN1.0, >= WN8.0) | | x | x | x |
| BTS/Management plane | Any | → | ↔ | BTS SM | [13062...13092] | TCP | File transfer via HTTP | Yes | dynamic (<WN8.0); default on (>= LN1.0, >= WN8.0) | | x | x | x |
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | BTS SM | [13062...13092] | TCP/TLS | File transfer via HTTPS | Yes | dynamic (<WN8.0); default on (>= LN1.0, >= WN8.0) | | x | x | x |
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | OMS | 443 | TCP/TLS | O&M operations: Session IOR retrieval from BTS SM; Webserver unauthenticated pages; Webserver authenticated page access (e.g. log file retrieval, ping, reboot) | Yes | dynamic (<WN8.0); default on (>= LN1.0, >= WN8.0) | | x | x | x |
| BTS/BTS address | 80 | ← | ↔ | BTS SM | Any | TCP | SiteEM.xml retrieval from TRS network to FCM. Note: Request will be redirected to FTM starting from RU20 | No | always on | | x | - | - |

FTP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/BTS address | 21 | ← | ↔ | BTS SM / NetAct, OMS | Any | TCP | ftp (control): SCF + Perf.Data upload from FCM to NetAct or BTS SM, triggered by ASN.1. Note: This connection will not be used starting with RU20 BTS SM and RU10 OMS, as it does not exist anymore in the peer. However forwarding still exists and server is still available (remains for compatibility) | Yes | default off | The remote system is the client. The availability is set to default off because this link exists only when the optional IP address BTS/BTS address is configured | x | - | - |
| BTS/BTS address | 20 | ← | ↔ | BTS SM / NetAct, OMS | Any | TCP | ftp (active ftp data): SCF + Perf.Data upload from FCM to NetAct or BTS SM, triggered by ASN.1. Note: This connection will not be used starting with RU20 BTS SM and RU10 OMS, as it does not exist anymore in the peer. However forwarding still exists and server is still available (remains for compatibility) | Yes | default off | The remote system is the client. The availability is set to default off because this link exists only when the optional IP address BTS/BTS address is configured | x | - | - |
| BTS/BTS address | Any | → | ↔ | BTS SM / NetAct, OMS | [13062...13092] | TCP | ftp (active+passive ftp control+data): SWDL to FCM. Note: This connection will not be used starting with RU20 BTS SM and RU10 OMS, as it does not exist anymore in the peer. However forwarding still exists and server is still available (remains for compatibility) | Yes | default off | The remote system is the server. The availability is set to default off because this link exists only when the optional IP address BTS/BTS address is configured | x | - | - |
| BTS/BTS address | Any | → | ↔ | BTS SM / NetAct, OMS | 21 | TCP | ftp (control): SWDL to FCM. Note: This connection will not be used starting with RU20 BTS SM and RU10 OMS, as it does not exist anymore in the peer. However forwarding still exists and server is still available (remains for compatibility) | Yes | default off | The remote system is the server. The availability is set to default off because this link exists only when the optional IP address BTS/BTS address is configured | x | - | - |
| BTS/BTS address | Any | → | ↔ | BTS SM / NetAct, OMS | 20 | TCP | ftp (active ftp data): SWDL to FCM. Note: This connection will not be used starting with RU20 BTS SM and RU10 OMS, as it does not exist anymore in the peer. However forwarding still exists and server is still available (remains for compatibility) | Yes | default off | The remote system is the server. The availability is set to default off because this link exists only when the optional IP address BTS/BTS address is configured | x | - | - |
| BTS/BTS address | Any | ↔ | ↔ | BTS SM / NetAct, OMS | Any | TCP | ftp (passive ftp data): SWDL to FCM. Note: This connection will not be used starting with RU20 BTS SM and RU10 OMS, as it does not exist anymore in the peer. However forwarding still exists and server is still available (remains for compatibility) | Yes | default off | The remote system is the server. The availability is set to default off because this link exists only when the optional IP address BTS/BTS address is configured | x | - | - |
| BTS/Management plane | 21 | ← | ↔ | BTS SM / NetAct/OMS | Any | TCP | external ftp client (control), e.g. SCF + Perf.Data upload from TM to NetAct or BTS SM, triggered by ASN.1 (ftp will not be selected any more for >= RU20 but server is still reachable) | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | The remote system is the client | x | x | x |
| BTS/Management plane | 20 | ← | ↔ | BTS SM / NetAct/OMS | Any | TCP | external ftp client (active ftp data), e.g. SCF + Perf.Data upload from TM to NetAct or BTS SM, triggered by ASN.1 (ftp will not be selected any more for >= RU20 but server is still reachable) | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | The remote system is the client | x | x | x |
| BTS/Management plane | Any | ↔ | ↔ | BTS SM / NetAct/OMS | Any | TCP | external ftp client (passive ftp data), e.g. SCF + Perf.Data upload from TM to NetAct or BTS SM, triggered by ASN.1 (ftp will not be selected any more for >= RU20 but server is still reachable) | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | The remote system is the client | x | x | x |

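NTP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Management plane | 123 | → | ↔ | NTP Server (Server 1, 2 or 3) | 123 | UDP | NTP client | No | dynamic | | x | x | x |

XoH

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Management plane | 12000 | ← | ↔ | BTS SM | Any | TCP/TLS | XoH connection | Yes | always on | | x | x | x |

CMP and LDAP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | Certificate Authority CA Server | configurable | TCP | Certificate Management Protocol for IPSec and TLS | Yes | dynamic | | x | x | x |
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | Certificate Repository | Configurable (in CRLDP extension of the relevant certificate) | TCP | Certificate Revocation List (CRL) retrieval LDAP over HTTP | Yes | dynamic | | x | x | x |
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | Authentication LDAP Server | configurable | TCP | LDAP RUIM server | Yes | dynamic | | x | x | x |
| BTS/Management plane or BTS/DHCP assigned | Any | → | ↔ | Authentication LDAP Server | configurable | TCP/TLS | LDAP RUIM server | Yes | dynamic | | x | x | x |

Site support

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/SSE subnet | N/A | ↔ | ↔ | Site Support Management | Any | any | Connection between SSE and equipment on transport network | N/A | dynamic | | x | x | x |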

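Microwave Radio

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Flexi Packet Radio Manager/ SSE subnet | Any | ↔ | ↔ | Flexi Packet Radio | Any | TCP | Flexi Packet Radio Management (needs to be enabled via IP filtering exception rules) | N/A | dynamic | | x | x | x |
| BTS/Management plane | 27500 | ← | ↔ | Flexi Hub MGR | Any | TCP | Flexbus block management on FTFA/FTFB. Flexi Hub MGR address needs to be configured | N/A | always on | | x | - | - |

Local ICMP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (192.168.255.129), BTS/Management plane and BTS/TRS | N/A | ↔ | ↔ | Any | N/A | ICMP | ICMP | No | always on | | x | x | x |

Local DHCP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/(255.255.255.255) | 67 | ← | ← | SSE (0.0.0.0) | 68 | UDP | DHCP for SSE devices | No | dynamic | | x | x | x |
| BTS/TRS (DHCP Server) | 67 | → | ↔ | SSE/DHCP assigned | 68 | UDP | DHCP for SSE devices | No | dynamic | | x | x | x |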

Local HTTP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (192.168.255.129), BTS/Management plane and BTS/TRS | 80 | ← | ↔ | BTS SM/ Web Browser | any | TCP | File transfer via HTTP | Yes | always on | | x | - | - |
| (192.168.255.129), BTS/Management plane and BTS/TRS | 443 | ← | ↔ | BTS SM/ Web Browser | any | TCP/TLS | O&M operations: Session IOR retrieval from BTS SM; Webserver unauthenticated pages; Webserver authenticated page access (e.g. log file retrieval, ping, reboot) | Yes | always on | | x | x | x |
| (192.168.255.129), BTS/Management plane and BTS/TRS | 6000 | ← | ↔ | BTS SM | any | TCP | File transfer via HTTP | Yes | always on (<WN8.0); default on (>= LN1.0, >= WN8.0) | | x | x | x |
| (192.168.255.129), BTS/Management plane and BTS/TRS | 6001 | ← | ↔ | BTS SM | any | TCP/TLS | File transfer via HTTPS | Yes | always on | | x | x | x |
| (192.168.255.129), BTS/Management plane and BTS/TRS | any | → | ↔ | BTS SM | [13062..13092] | TCP | File transfer via HTTP | Yes | dynamic (<WN8.0); default on (>= LN1.0, >= WN8.0) | | x | x | x |
| (192.168.255.129), BTS/Management plane and BTS/TRS | any | → | ↔ | BTS SM | [13062..13092] | TCP/TLS | File transfer via HTTPS | Yes | dynamic (<WN8.0); default on (>= LN1.0, >= WN8.0) | | x | x | x |

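Local FTP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (192.168.255.129), BTS/Management plane and BTS/TRS | 21 | ← | ↔ | BTS SM (ftp control) | any | TCP | external ftp client (control); file transfers from LMP; BTS SM SCF upload from TM to BTS SM | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |
| (192.168.255.129), BTS/Management plane and BTS/TRS | 20 | ← | ↔ | BTS SM (active ftp data) | any | TCP | external ftp client (active ftp data); file transfers from LMP; BTS SM SCF upload from TM to BTS SM (ftp will not be selected any more for >= RU20 but server is still reachable) | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |
| (192.168.255.129), BTS/Management plane and BTS/TRS | any | ← | ↔ | BTS SM (passive ftp data) | any | TCP | external ftp client (passive ftp data); file transfers from LMP; BTS SM SCF upload from TM to BTS SM (ftp will not be selected any more for >= RU20 but server is still reachable) | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |

Local XoH

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (192.168.255.129), BTS/Management plane and BTS/TRS | 12000 | ← | ↔ | BTS SM | any | TCP/TLS | XoH connection from/to LMP | Yes | always on | | x | x | x |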

NSN Service interface

Remote R&D test interface

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/BTS address | 15001 | ← | ↔ | Tester | Any | TCP | TASSU (remote via TRS); with RAN1209 disabled by default, can be enabled via BTS Site Manager; no authentication; public FCM IP address not used in LTE | No | default off | | x | - | - |
| BTS/BTS address | 15002 | ← | ↔ | Tester | Any | TCP | DSP Browser (remote via TRS); with RAN1209 disabled by default, can be enabled via BTS Site Manager; no authentication; public FCM IP address not used in LTE | No | default off | | x | - | - |
| BTS/BTS address | 15003 | ← | ↔ | Tester | Any | TCP | BTS Browser (remote via TRS); with RAN1209 disabled by default, can be enabled via BTS Site Manager; no authentication; public FCM IP address not used in LTE | No | default off | | x | - | - |
| BTS/BTS address | 15004 | ← | ↔ | Tester | Any | TCP | BTS Log (remote via TRS); with RAN1209 disabled by default, can be enabled via BTS Site Manager; no authentication; public FCM IP address not used in LTE | No | default off | | x | - | - |
| BTS/BTS address | 15005 | ← | ↔ | Tester | Any | TCP | Tester IF port (remote via TRS); with RAN1209 disabled by default, can be enabled via BTS Site Manager; no authentication; public FCM IP address not used in LTE | No | default off | | x | - | - |
| BTS/Management plane | 15001 | ← | ↔ | Tester | Any | TCP | TASSU (NSN R&D) | No | default off | | - | x | x |
| BTS/Management plane | 15002 | ← | ↔ | Tester | Any | TCP | DSP Browser (NSN R&D) | No | default off | | - | x | x |
| BTS/Management plane | 15003 | ← | ↔ | Tester | Any | TCP | BTS Browser (NSN R&D) | No | default off | | - | x | x |
| BTS/Management plane | 15004 | ← | ↔ | Tester | Any | TCP | BTS Logs (NSN R&D) | No | default off | | - | x | x |
| BTS/Management plane | 15005 | ← | ↔ | Tester | Any | TCP | Tester Interface Port (NSN R&D) | No | default off | | - | x | x |
| BTS/Management plane | 15006 | ← | ↔ | Tester | Any | TCP | GPS Maintenance Access (NSN R&D) | No | default off | | - | x | - |

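Remote Telnet

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/BTS address | 23 | ← | ↔ | Telnet Client | Any | TCP | Telnet on FCM (remote); R&D purposes, login rejected in FCM by default, must be enabled by BTS SM; authentication WCDMA: fixed account; TM forwarding is not restricted | Yes | default on | | x | - | - |

Remote SSH

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Management plane | 22 | ← | ↔ | SSH Client | Any | TCP | SSH on FTM | Yes | default off | | x | - | - |
| BTS/Management plane | 22 | ← | ↔ | SSH Client | Any | TCP | SSH on FCT | Yes | default off | | - | x | x |

Remote FTP

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BTS/Management plane | 21 | ← | ↔ | FTP client | Any | TCP | FTP | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |
| BTS/Management plane | 20 | ← | ↔ | FTP client | Any | TCP | FTP | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |
| BTS/Management plane | Any | ← | ↔ | FTP client | Any | TCP | FTP | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |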

Local FTP at FTM

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (192.168.255.129), BTS/Management plane and BTS/TRS | 21 | ← | ↔ | FTP client | any | TCP | FTP to/from LMP | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |
| (192.168.255.129), BTS/Management plane and BTS/TRS | 20 | ← | ↔ | FTP client | any | TCP | FTP to/from LMP | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |
| (192.168.255.129), BTS/Management plane and BTS/TRS | any | ← | ↔ | FTP client | any | TCP | FTP to/from LMP | Yes | always on (<=RU20 EP1); default on (RU30); default off (RU40) | | x | - | - |

Local SSH

| Local system (NE/Functional unit/address) | Local port | Init direction | Direction | Remote system (NE/IP address) | Remote port | Protocol | Service name / description | Authentication | Availability | Remarks | FSM-r2 | FSM-r3 | FlexiLite |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (192.168.255.129), BTS/Management plane and BTS/TRS | 22 | ← | ↔ | SSH Client | any | TCP | SSH on FTM to/from LMP | Yes | default off | | x | x | x |

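IPA RNC

User plane, control plane, synchronization plane

General

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/any | N/A | ↔ | ↔ | Any | N/A | ICMP | ICMP | No | |
| RNC/Interface | [33434 ... 33933] | ← | ← | Any | Any | UDP | Traceroute | No | |
| RNC/interface | [32768 … 65535] | → | → | Any | [33434 ... 33933] | UDP | Traceroute | No | |

OSPF

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/interface | N/A | ↔ | ↔ | Adjacent routers | N/A | OSPF | OSPF | No | |
| RNC/interface | N/A | → | → | Multicast | N/A | OSPF | OSPF | No | |
| RNC/Multicast | N/A | ← | ← | Adjacent routers | N/A | OSPF | OSPF | No | |
| RNC/Management plane | N/A | ↔ | ↔ | Adjacent routers | N/A | OSPF | OSPF | No | |
| RNC/Management plane | N/A | → | → | Multicast | N/A | OSPF | OSPF | No | |

BFD

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/BFD | 4784 | → | → | BTS/BFD, Neighbour RNC | 4784 | UDP | Multi-hop BFD | No | |
| RNC/BFD | 4784 | ← | ← | BTS/BFD | 4784, [49152 … 65535] | UDP | Multi-hop BFD | No | |
| RNC/BFD | 4784 | ← | ← | Neighbour RNC | 4784 | UDP | Multi-hop BFD | No | |
| RNC/BFD | 3784 | ← | ← | RNC site routers | Any | UDP | Single-hop BFD | No | |
| RNC/BFD | 49152 | → | → | RNC site routers | 3784 | UDP | Single-hop BFD | No | |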

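Iub user plane, control plane

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Control plane | Configurable | → | ↔ | BTS/Control plane | Configurable | SCTP | Iub Control Plane | No | Ports should be the same in RNC and in BTS for a given SCTP association. 2..7 ports from [49152..65535] |
| RNC/User plane | Configurable | ↔ | ↔ | BTS/User plane | [49152 … 65535] | UDP | Iub User Plane | No | configurable range [start..65535] |

Iur user plane, control plane

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Control plane | Configurable | ↔ | ↔ | Neighbour RNC/Flexi Direct BTS | Configurable | SCTP | Iur Control Plane | No | Server role is configurable |
| RNC/User plane | Any | ↔ | ↔ | Neighbour RNC/Flexi Direct BTS | Any | UDP | Iur User Plane | No | |

Iu user plane, control plane

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Control plane | Configurable | → | ↔ | 3G SGSN | Configurable | SCTP | IuPS Control Plane | No | |
| RNC/User plane | 2152 | ↔ | ↔ | 3G SGSN | 2152 | UDP | IuPS User Plane | No | |
| RNC/User plane | 2152 | ↔ | ↔ | 3G GGSN | 2152 | UDP | IuPS User Plane | No | Direct tunnel connection |
| RNC/Control plane | Configurable | → | ↔ | MSC Server | Configurable | SCTP | IuCS Control Plane | No | |
| RNC/User plane | Any | ↔ | ↔ | MGW | Any | UDP | IuCS User Plane | No | |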

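Iu-PC

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Iu-PC | Any | → | ↔ | SAS | 2905 | SCTP | IuPC | No | Only applicable if NPGE or NPS1 units do not exist in the RNC. (when RSMU is directly to SAS using Ethernet through ESA) |

Iu-BC

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Iu-BC | 3452 | ← | ↔ | CBC | Any | TCP | Iu-BC | No | |
| RNC/Iu-BC | 3453 | → | ↔ | CBC | 3452 | TCP | Iu-BC | No | |

Monitoring

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/UDP echo | 7 | ← | ↔ | BTS, Remote test tool | Configurable | UDP | UDP echo | No | |
| RNC/TWAMP reflector | 1000 | ← | ↔ | BTS, TWAMP sender | Configurable | UDP | TWAMP | No | |
| RNC/TWAMP sender | 5000 | → | ↔ | BTS, TWAMP reflector | Configurable | UDP | TWAMP | No | |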

Management plane

General

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Management plane | 8002 | ← | ↔ | BTS/Management plane | Any | TCP | BTS O&M interface | No | |
| RNC/Management plane | 8003 | ← | ↔ | BTS/Management plane | Any | TCP/TLS | Secure BTS O&M interface | Yes | |
| RNC/Monitoring address | 8019 | ← | ↔ | RNC collector tool | Any | TCP | RNC collector tool | No | |
| RNC/Monitoring address | Configurable | → | ↔ | RNC collector tool | Configurable | TCP | RNC collector tool | No | |
| RNC/Monitoring address | Configurable | → | ↔ | RNC collector tool | Configurable | UDP | RNC collector tool | No | |
| RNC/Monitoring address | 8021 | ← | ↔ | RNC collector tool | Any | TCP | RNC collector tool | Yes | |
| RNC/Management plane | 80 | ← | ↔ | OMS EM | Any | TCP | HTTP | Yes | Display, modification and activation of configuration files. Requires authentication. From RU40 onwards it is recommended to disable the service. |

IPSec

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Management plane | 500 | ↔ | ↔ | NetAct VPN GW, OMS | 500 | UDP | IKE | Yes | |
| RNC/Management plane | N/A | ↔ | ↔ | NetAct VPN GW, OMS | N/A | ESP (IP protocol 50) | ESP | Yes | |
| RNC/Management plane | N/A | ↔ | ↔ | NetAct VPN GW, OMS | N/A | AH (IP protocol 51) | AH | Yes | |

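Traffica

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Management plane | 60000 | ↔ | ↔ | Traffica | Any | UDP | Traffica reporting | No | |

Internal File Transfer

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Management plane | 21 | ← | ↔ | OMS | Any | TCP | FTP (control) | Yes | OMS is the client |
| RNC/Management plane | 20 | → | ↔ | OMS | Any | TCP | FTP (active FTP data) | Yes | OMS is the client |
| RNC/Management plane | [49152 ... 65535] | ← | ↔ | OMS | Any | TCP | FTP (passive FTP data) | Yes | OMS is the client |
| RNC/Management plane | [49152 ... 65535] | → | ↔ | OMS | 21 | TCP | FTP (control) | Yes | OMS is the server |
| RNC/Management plane | [49152 ... 65535] | ← | ↔ | OMS | 20 | TCP | FTP (active FTP data) | Yes | OMS is the server |
| RNC/Management plane | [49152 ... 65535] | → | ↔ | OMS | Any | TCP | FTP (passive FTP data) | Yes | OMS is the server |

NetAct File Transfer

| Local system (NE/Functional unit/) | Local port | Init direction | Traffic direction | Remote system (NE/Functional unit/) | Remote port | Protocol | Service name / description | Authenticated service | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| RNC/Management plane | 21 | ← | ↔ | NetAct | Any | TCP | FTP (control) | Yes | NetAct is the client |
| RNC/Management plane | 20 | → | ↔ | NetAct | Any | TCP | FTP (active FTP data) | Yes | |
| RNC/Management plane | [49152 ... 65535] | ← | ↔ | NetAct | Any | TCP | FTP (passive FTP data) | Yes | |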

Management connections

RNC/Management plane 22 ← ↔ OMS Any TCP SSH Yes SFTP is also using this connection (SFTP over SSH)

RNC/Management plane [49152 ... 65535] → ↔ OMS 22 TCP SSH Yes SFTP

RNC/Management plane [49152 ... 65535] → ↔ OMS 8002 TCP BTS O&M No

RNC/Management plane [49152 ... 65535] → ↔ OMS 8003 TCP/TLS Secure BTS O&M Yes

RNC/Management plane 22 ← ↔ NetAct Any TCP SSH Yes SFTP is also using this connection (SFTP over SSH)

RNC/Management plane 23 ← ↔ NetAct Any TCP Telnet Yes

RNC/Management plane 22 ← ↔ OMS EM Any TCP SSH Yes

Other NetAct connections

RNC/Management plane [49152 ... 65535] → ↔ NetAct 389 TCP LDAP Yes

RNC/Management plane [49152 ... 65535] → ↔ NetAct 389 TCP LDAP over SSL Yes

ESA24 management

RNC/ESA24 22 ← ↔ OMS EM Any TCP SSH Yes

RNC/ESA24 23 ← ↔ OMS EM Any TCP Telnet Yes

NTP

RNC/Management plane 123 → ↔ NTP server 123 UDP NTP No

DNS

RNC/Management plane [49152 ... 65535] → ↔ DNS server 53 UDP DNS No

Certificate management

RNC/Management plane [49152 ... 65535] → ↔ Certification Authority server Configurable TCP CMP over HTTP Yes Configurable port. CMP over HTTP, configurable based on CA server configuration

RNC/Management plane [49152 ... 65535] → ↔ Certification Authority certificate repository Configurable TCP LDAP No Configurable port. CA certificate retrieval

Remote connections (only NSN services interface, manufacturing related and IPoATM)

RNC/OMU 67 ← ← BTS/(0.0.0.0) 68 UDP DHCP No This port is used only for IPoATM. It does not accept packets through the Ethernet interface. The OMU does not respond to standard DHCP requests since some proprietary extensions are required.

RNC/OMU 67 → → BTS/DHCP assigned address 68 UDP DHCP No This port is used only for IPoATM.

RNC/NPS1/broadcast 67 ← ← BTS/(0.0.0.0) 68 UDP DHCP No Only applicable for FlexiBTS, for IPoATM with NPS1. The NPS1 does not respond to standard DHCP requests since some proprietary extensions are required.

RNC/NPS1/IF address 67 → → BTS/DHCP assigned address 68 UDP DHCP No Only applicable for FlexiBTS, for IPoATM with NPS1. The return packet is unicast to the leased address. This service does not respond to standard DHCP requests since some proprietary extensions are required.

RNC/Management plane 21 ← ↔ IPA RNC maintenance workstation Any TCP FTP (control) Yes Local monitoring workstation is the client

RNC/Management plane 20 → ↔ IPA RNC maintenance workstation Any TCP FTP (active FTP data) Yes

RNC/Management plane [49152 ... 65535] ← ↔ IPA RNC maintenance workstation Any TCP FTP (passive FTP data) Yes

RNC/Management plane 22 ← ↔ IPA RNC maintenance workstation Any TCP SSH Yes SFTP is also using this connection (SFTP over SSH)

OMS

Local system (NE/Functional unit/address) Local port Init Direction Traffic Direction Remote system (NE/Functional unit/address) Remote port Protocol Service name / description Authenticated Service Remarks

General

OMS N/A ↔ ↔ Any N/A ICMP ICMP No

IPSec

OMS 500 → ↔ NetAct VPN GW, RNC/Management plane 500 UDP IKE Yes

OMS N/A ↔ ↔ NetAct VPN GW, RNC/Management plane N/A ESP (IP protocol 50) ESP Yes

OMS N/A ↔ ↔ NetAct VPN GW, RNC/Management plane N/A AH (IP protocol 51) AH Yes

RNC File Transfer

OMS [54000 ... 65535] → ↔ RNC/Management plane 21 TCP FTP (control) Yes

OMS [54000 ... 65535] ← ↔ RNC/Management plane 20 TCP FTP (active FTP data) Yes

OMS [54000 ... 65535] → ↔ RNC/Management plane Any TCP FTP (passive FTP data) Yes

OMS 80 ← ↔ RNC/Management plane, Flexi Direct RNC/Management plane Any TCP HTTP Yes

OMS 443 ← ↔ RNC/Management plane, Flexi Direct RNC/Management plane Any TCP/TLS HTTPS Yes

OMS [54000 ... 65535] → ↔ RNC/Management plane, Flexi Direct RNC/Management plane 80 TCP HTTP Yes

OMS [54000 ... 65535] → ↔ RNC/Management plane, Flexi Direct RNC/Management plane 443 TCP/TLS HTTPS Yes

OMS (FTP server) 21 ← ↔ RNC/Management plane Any TCP FTP (control) Yes

OMS (FTP server) 20 → ↔ RNC/Management plane Any TCP FTP (active FTP data) Yes

OMS (FTP server) [50000 ... 51000] ← ↔ RNC/Management plane Any TCP FTP (passive FTP data) Yes

BTS File Transfer

OMS 21 ← ↔ BTS/Management plane Any TCP FTP (control) Yes SW DL. For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS 20 → ↔ BTS/Management plane Any TCP FTP (active FTP data) Yes SW DL. For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS [50000 ... 51000] ← ↔ BTS/Management plane Any TCP FTP (passive FTP data) Yes SW DL. For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS [54000 ... 65535] → ↔ BTS/Management plane 21 TCP FTP (control) Yes Performance data upload. For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS [54000 ... 65535] ← ↔ BTS/Management plane 20 TCP FTP (active FTP data) Yes Performance data upload. For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS [54000 ... 65535] ↔ ↔ BTS/Management plane Any TCP FTP (passive FTP data) Yes Performance data upload. For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS 80 ← ↔ BTS/Management plane Any TCP File transfer via HTTP Yes For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS 443 ← ↔ BTS/Management plane Any TCP/TLS File transfer via HTTPS Yes For Ultrasite this connection is used also with O&M security as there is no secure alternative.

OMS 80 ← ↔ BTS/DHCP assigned Any TCP File transfer via HTTP Yes Autoconfiguration commissioning file download

OMS 443 ← ↔ BTS/DHCP assigned Any TCP/TLS File transfer via HTTPS Yes Autoconfiguration commissioning file download

OMS [54000 ... 65535] → ↔ BTS/Management plane 6000 TCP HTTP server Yes O&M operations. For Ultrasite the connection is used also with O&M security as there is no secure alternative.

OMS [54000 ... 65535] → ↔ BTS/Management plane 6001 TCP/TLS HTTPS server Yes O&M operations

NetAct File Transfer

OMS 21 ← ↔ NetAct Any TCP FTP (control) Yes NetAct is the client

OMS 20 → ↔ NetAct Any TCP FTP (active FTP data) Yes NetAct is the client

OMS [50000 ... 51000] ← ↔ NetAct Any TCP FTP (passive FTP data) Yes NetAct is the client

Note 1: From RU20 onwards, the services are available. However, they will not normally be selected for file transfer since secure file transfer over HTTP is also available.

Note 2: FTP is not needed for normal usage. It is available, for example, for local management usage.

OMS [54000 ... 65535] → ↔ NetAct 21 TCP FTP (control) Yes NetAct is the server

OMS [54000 ... 65535] ← ↔ NetAct 20 TCP FTP (active FTP data) Yes NetAct is the server

OMS [54000 ... 65535] → ↔ NetAct Any TCP FTP (passive FTP data) Yes NetAct is the server

OMS 80 ← ↔ NetAct Any TCP HTTP Yes

OMS 443 ← ↔ NetAct Any TCP/TLS HTTPS Yes

OMS [54000 ... 65535] → ↔ NetAct 80 TCP HTTP Yes

OMS [54000 ... 65535] → ↔ NetAct 443 TCP/TLS HTTPS Yes

Management connections

OMS [54000 ... 65535] → ↔ RNC/Management plane 22 TCP SSH Yes

OMS 22 ← ↔ RNC/Management plane Any TCP SSH Yes SFTP

OMS 8002 ← ↔ RNC/Management plane, Flexi Direct RNC/Management plane Any TCP BTS O&M No

OMS 8003 ← ↔ RNC/Management plane, Flexi Direct RNC/Management plane Any TCP/TLS Secure BTS O&M Yes

OMS 8002 ← ↔ BTS/DHCP assigned Any TCP BTS O&M No Temporary management connection used when the BTS uses a DHCP server other than the RNC during autoconnection

OMS 8003 ← ↔ BTS/DHCP assigned Any TCP/TLS Secure BTS O&M Yes Temporary management connection used when the BTS uses a DHCP server other than the RNC during autoconnection

OMS 22 ← ↔ NetAct Any TCP SSH Yes

Other NetAct connections

OMS 53 ← ↔ NetAct Any TCP DNS No

OMS 53 ← ↔ NetAct Any UDP DNS No

OMS 636 ← ↔ NetAct Any TCP LDAP over SSL Yes AL / Parameter Tool

OMS [49152 … 49652] ← ↔ NetAct Any TCP NWI3 callbacks Yes

OMS Any → ↔ NetAct 53 TCP DNS No

OMS Any → ↔ NetAct 53 UDP DNS No

OMS [54000 ... 65535] → ↔ NetAct 389 TCP LDAP Yes RUIM

OMS [54000 ... 65535] → ↔ NetAct 389 TCP LDAP over SSL Yes RUIM

OMS [54000 ... 65535] → ↔ NetAct 7003 TCP NWI3 and OMS EM Yes

OMS [54000 ... 65535] → ↔ NetAct [7021 … 7023] TCP NWI3 and OMS EM Yes

OMS [54000 ... 65535] → ↔ NetAct [7171 … 7190] TCP NWI3 and OMS EM Yes

OMS [54000 ... 65535] → ↔ NetAct [8209 … 8210] TCP NWI3 and OMS EM Yes

OMS [54000 ... 65535] → ↔ NetAct 19020 TCP NWI3 and OMS EM Yes

OMS [54000 ... 65535] → ↔ NetAct [49152 … 49652] TCP NWI3 and OMS EM Yes

DNS

OMS [54000 ... 65535] → ↔ DNS server 53 UDP DNS No

Element manager connections

OMS 22 ← ↔ OMS EM Any TCP SSH Yes

OMS 80 ← ↔ OMS EM Any TCP HTTP Yes

OMS 443 ← ↔ OMS EM Any TCP/TLS HTTPS Yes

OMS 636 ← ↔ OMS EM Any TCP LDAP over SSL Yes

OMS [49152 … 49652] ← ↔ OMS EM Any TCP NWI3 callbacks Yes

OMS [54000 ... 65535] → ↔ OMS EM 80 TCP HTTP Yes

OMS [54000 ... 65535] → ↔ OMS EM 443 TCP/TLS HTTPS Yes

OMS [54000 ... 65535] → ↔ OMS EM [49152 … 49652] TCP NWI3 callbacks Yes

OMS [54000 ... 65535] → ↔ OMS EM 49300 TCP/TLS NWI3 CM Yes

NTP

OMS 123 ← ↔ NTP client, NetAct, RNC/Management plane 123 UDP NTP No In particular, BTS can be a client. The client functionality is disabled by default in OMU.

OMS 123 → ↔ NetAct 123 UDP NTP No

ESA24/ESA40 management

OMS [54000 ... 65535] → ↔ RNC/ESA24/ESA40 161 TCP SNMP Yes SNMP-based supervision of ESA24/ESA40. Disabled by default.

OMS N/A → ↔ RNC/ESA24/ESA40 162 TCP SNMP Yes SNMP-based supervision of ESA24/ESA40. Disabled by default.

OMS 161 ← ↔ RNC/ESA24/ESA40 N/A TCP SNMP Yes SNMP-based supervision of ESA24/ESA40. Disabled by default.

OMS 162 ← ↔ RNC/ESA24/ESA40 N/A TCP SNMP Yes SNMP-based supervision of ESA24/ESA40. Disabled by default.

iLO2 / HP G6

OMS / System NIC 161 ← ↔ HP SIM Any UDP SNMP No SNMP access.

OMS / System NIC Any → → HP SIM 162 UDP SNMP No SNMP Alerts / Traps.

OMS / iLO NIC 22 ← ↔ HP SIM N/A TCP SSH Yes Secure Shell (SSH) Connections. Enabled by default: Yes

OMS / iLO NIC 23 ← ↔ HP SIM N/A TCP Telnet No Remote graphical console, remote text console, virtual serial port. Enabled by default: Yes.

OMS / iLO NIC 80 ← ↔ HP SIM N/A TCP HTTP No HTTP interface to iLO management board. Enabled by default: Yes.

OMS / iLO NIC 443 ← ↔ HP SIM N/A TCP / TLS HTTPS Yes SSL access to iLO management board. Encrypted XML access. Enabled by default: Yes.

OMS / iLO NIC 17988 ← ↔ HP SIM N/A TCP Virtual Media Yes Virtual Media Port. Enabled by default: Yes.

OMS / iLO NIC 636 ← ↔ HP SIM N/A LDAP LDAP Yes Secure connection to the directory server. Enabled by default: Yes, if directory support is enabled.

OMS / iLO NIC 3389 ← ↔ HP SIM N/A RDP RDC / TS Yes Terminal Services session software based remote console using Microsoft Windows (RDC / TS). Enabled by default: Yes.

OMS / iLO NIC 9300 ← ↔ HP SIM N/A TCP Telnet No Multi-user remote console. Enabled by default: No.

OMS / iLO NIC 17990 ← ↔ HP SIM N/A TCP Telnet No Console replay. Enabled by default: No.

Based on HP documentation: HP integrated Lights-Out security; Technology brief, 7th Edition (http://www.officeproductnews.net/sites/www.officeproductnews.net/files/imce/HPWhitepaper_1.pdf)

iLO4 / HP Gen 8

OMS / iLO NIC 161 ← ↔ HP SIM Any UDP SNMP No SNMP access.

OMS / iLO NIC Any → → HP SIM 162 UDP SNMP No SNMP Alerts / Traps.

OMS / iLO NIC 22 ← ↔ HP SIM N/A TCP SSH Yes Secure Shell (SSH) Port

OMS / iLO NIC 17990 ← ↔ HP SIM N/A TCP Remote Console protocol Yes Remote Console Port

OMS / iLO NIC 80 ← ↔ HP SIM N/A TCP HTTP No Web Server Non-SSL Port

OMS / iLO NIC 443 ← ↔ HP SIM N/A TCP / TLS HTTPS Yes Web Server SSL Port

OMS / iLO NIC 17988 ← ↔ HP SIM N/A TCP Virtual Media Yes Virtual Media Port

OMS / iLO NIC 623 ← ↔ HP SIM N/A IPMI over LAN Intelligent Platform Management Interface (IPMI) Yes Configuring IPMI / DCMI settings

Based on HP documentation: HP iLO 4 User Guide (http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03334051-10.pdf)

Certificate management

OMS [54000 ... 65535] → ↔ Certification Authority server Configurable TCP CMP over HTTP Yes

OMS [54000 ... 65535] → ↔ Certification Authority certificate repository Configurable TCP LDAP No