Alcatel OmniPCX Enterprise
IP Services and Port Numbers
NOTE:
Product specifications contained in this document are subject to change
without notice. Products and services described in this document may not be
offered in every country. For the most current information, please contact
your Alcatel representative or your Alcatel equipment provider.
Copyright (c) 2006 Alcatel. All rights reserved for all countries. This
document may not be reproduced in whole or in part without the express
written permission of Alcatel.
Alcatel® and the Alcatel logo are registered trademarks of Alcatel. All other
trademarks are the property of their respective owners.
The CE mark indicates that this product conforms to the following Council
Directives:
- 89/336/CEE (concerning electro-magnetic compatibility)
- 73/23/CEE (concerning electrical safety)
- 1999/5/CE (R&TTE)
Chapter 1
Overview
Dynamic Port Range (page 1.1)
Types of Port (page 1.1)
TFTP Connection (page 1.1)
Passive FTP Connection (page 1.2)
IP services and Port Numbers (page 1.3)
Chapter 2
Configuring Dynamic Port Range
Configuring Dynamic Port Range (page 2.1)
Determine the Thresholds to Be Configured (page 2.1)
Configuring Thresholds (page 2.1)
Configuring the Firewall (page 2.2)
Incidents (page 2.3)
Chapter 1 Overview
1.1 Dynamic Port Range
In R5.1.2 and lower, dynamic port range cannot be configured. The range covered is
10000-20000.
As of R6.0, dynamic port range can be set. The default range is reduced to 10000-10499.
Dynamic port range can be used by all applications that allow the core to select a port for
them. This includes TFTP and FTP when the Call Server is client.
In addition, to facilitate configuration, free port range uses the same limits as dynamic port
range. This may give the impression that the range is a common range, although this is not the
case.
For more information on the different types of ports, refer to § 1.2 Types of Port.
Range limits are configured using Netadmin, see module IP Services and Port Numbers -
Configuring Dynamic Port Range.
1.2 Types of Port
There are different types of ports:
- "Well known" ports (1 - 511)
This range includes all "well known" ports between 1 and 511. These ports are identified
(in /etc/services) and only the ports associated with the desired services (DHCP, FTP
(partially), RSH, etc.) are opened on the firewalls. The DHCP ports (67, 68) and TFTP
ports (69), for example, are located in this area.
- Supervisor dynamic port range (512 - 1023)
These are dynamic ports used for certain special services. RSH and TELNET open
sockets using a port from this range. This range has fixed limits and cannot be expanded
or reduced.
Given its size, this range cannot be used for TFTP.
- Low dynamic port range
These ports have the same function as the previous ports, but are used for other services.
The ports in this range are generally used by proprietary applications. Currently, the TFTP
port is taken from this range (see § 1.3 TFTP Connection).
From R6.0, this range can be configured.
- Free port range
Strictly speaking, this is not a range but the list of all currently free TCP ports, which is why
it is difficult to make it configurable. Ports from this list are used, for example, by the FTP
server on a CS for the data channel of passive connections.
1.3 TFTP Connection
Figure 1.1: TFTP Connection shows how standard TFTP connection exchanges are performed.
The client sends a file request from a port C (selected by the client), to port 69 on the TFTP
server. If a server is "listening", it determines which port (port S) to use to respond to the
request. It then sends a first block via port S to port C on the client. The client returns an “ACK”
message via ports C to S and so on, until the file has been completely transferred.
Figure 1.1: TFTP Connection
Selection of ports C and S varies depending on the operating system installed on the
machines. On a CS, port S is arbitrarily selected in the range of dynamic ports by the core.
The IP-Phone selects port P from its own specific range. If the client were to be a CS (highly
unlikely with TFTP), port P would also be selected from dynamic port range.
1.4 Passive FTP Connection
Figure 1.2: Passive FTP Connections shows how standard passive FTP connection exchanges are
performed. Acknowledgement exchanges at TCP level are not shown in the figure.
The client sets up the command channel (setup is not shown in the figure) between port Cc on
the client and port 21 on the server. When a transfer request is made, the client requests
passive connection to the server via the command channel. The server responds by assigning
a port number, Ds, to which the client must connect for the DATA connection.
The client then determines a new local port (port Dc) for the DATA connection, and opens the
socket between this port and port Ds, assigned by the server in the previous step. Once open,
this channel is used for A SINGLE data transfer between the client and the server (irrespective
of direction). An FTP 'get' is shown in the figure, but the mechanism is the same for a 'put' or
'dir'.
Figure 1.2: Passive FTP Connections
In the same way as for TFTP, port selection policy varies depending on the operating system
used:
- If the server is a CS, port Ds is selected by the FTP server (not by the core) from the list of
free ports. The configuration mechanism for the range of usable ports is therefore different
from that used for TFTP.
- If the client is a CS, then ports Cc and Dc are determined in the range of dynamic ports.
- For other types of machines, refer to the documentation for the machine concerned.
1.5 IP services and Port Numbers
To see the list of open ports on the OmniPCX Enterprise and IP devices, consult the module
Security - Description of IP flows in OmniPCX Enterprise solutions.
It is important to know these numbers if the PCX is to be integrated in a secure network with a
firewall.
To obtain a list of the ports that a server is "listening" to at a specific time in order to compare it
with the list in the table and thus detect any unusual service, enter the command
.
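The comparison described above, as an added example that is not part of the Alcatel document: the listening sockets reported by the server are parsed and checked against an expected table. The input is assumed to be Linux "netstat -an"-style output (the document does not name the command), and the expected table is constructed from the ports this document mentions plus the R6.0 default dynamic range, not from the full reference list.

```python
import re

# Expected services, constructed from ports named in this document (assumption:
# the real reference table in "Description of IP flows" is longer than this).
EXPECTED = {
    ("tcp", 21): "FTP command channel",
    ("udp", 67): "DHCP server",
    ("udp", 68): "DHCP client",
    ("udp", 69): "TFTP",
}
DYNAMIC_RANGE = (10000, 10499)   # default low dynamic port range as of R6.0

# Constructed sample output; the tcp 4444 listener is the kind of thing to investigate.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.10:21            10.1.1.50:40211         ESTABLISHED
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:10042           0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional TCP state
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?")

def listening_ports(netstat_output):
    """Return the set of (proto, port) for listening sockets (TCP in LISTEN, any bound UDP)."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "tcp" and state != "LISTEN":
            continue  # established connections are not services
        found.add((proto, port))
    return found

def classify(proto_port):
    """Name the expected service for (proto, port), or None if it is unexplained."""
    _proto, port = proto_port
    if proto_port in EXPECTED:
        return EXPECTED[proto_port]
    if DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]:
        return "dynamic port range"
    return None

def unexpected_services(netstat_output):
    """Listening (proto, port) pairs covered neither by the table nor by the dynamic range."""
    return sorted(p for p in listening_ports(netstat_output) if classify(p) is None)
```

Any pair returned by unexpected_services is a listener the reference table does not account for and should be checked against the site's own inventory before a firewall rule is written for it.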
Chapter 2 Configuring Dynamic Port Range
2.1 Configuring Dynamic Port Range
Important: Range limits must only be modified with the agreement of the client network
administrator. The range configured for the Call Server must be included in the range configured
for firewalls.
2.1.1 Determine the Thresholds to Be Configured
1. Make an inventory of all applications using one (or more) dynamic ports on the site. This
includes the FTP and TFTP services, but there are others.
The server using the highest number of ports is the FTP server. Like TFTP, this server
uses a port per file transfer during a session but, unlike TFTP, a released port can only be
reused when the TIME_WAIT for the socket elapses (usually 60s). A port is therefore
unavailable for a full minute after use. This may affect the applications using FTP for data
transfer, in particular, retrieval of accounting records.
An IP-Phone uses three dynamic ports.
2. Among the applications inventoried, assess how many applications may be used
simultaneously and calculate the number of dynamic ports used.
3. Add a safety margin of around 20%.
4. Calculate the size of the range to be configured.
5. Calculate the thresholds: in most cases, only the upper limit of the range needs to be
modified, the lower limit remains at 10 000.
Example:
- The site includes 100 IP-Phones that are likely to be started up (almost) simultaneously. TFTP may
therefore (potentially) use 300 ports (for the IP-Phones only).
- The safety margin is 300 x 0.2 = 60.
- Range is thus 300 + 60 = 360.
- The range to configure is thus 10 000 to (at least) 10359.
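The threshold calculation of steps 1 to 5 carried through in code, as an added example that is not part of the Alcatel document. The PortConsumer inventory entries, the ftp_ports_for model of TIME_WAIT overlap (evenly spaced transfers) and the FTP client figures are assumptions; the IP-Phone count of three ports, the 20% margin, the 128-port minimum and the 60 s TIME_WAIT come from the document.

```python
import math
from dataclasses import dataclass

LOWER_LIMIT = 10000       # default lower limit of the low dynamic port range
MIN_RANGE_SIZE = 128      # netadmin requires a range of at least 128 ports
SAFETY_MARGIN = 0.20      # the recommended margin of around 20 %
TIME_WAIT_SECONDS = 60    # a released FTP data port is unusable for this long

@dataclass
class PortConsumer:
    name: str            # assumed label, used for the inventory only
    simultaneous: int    # instances that may be active at the same time
    ports_each: int      # dynamic ports used by one instance (IP-Phone: 3)

def ftp_ports_for(transfers, window_seconds):
    """Ports held by `transfers` passive FTP transfers spread over `window_seconds`.
    Assumption: transfers are evenly spaced. Each port stays in TIME_WAIT for 60 s,
    so transfers closer together than that all hold a port at the same time."""
    if window_seconds <= TIME_WAIT_SECONDS:
        return transfers
    return math.ceil(transfers * TIME_WAIT_SECONDS / window_seconds)

def ports_needed(consumers):
    """Step 2: dynamic ports the inventoried applications can use simultaneously."""
    return sum(c.simultaneous * c.ports_each for c in consumers)

def dynamic_port_range(consumers, lower=LOWER_LIMIT):
    """Steps 3 to 5: add the margin, enforce the 128-port minimum, return (lower, upper)."""
    needed = ports_needed(consumers)
    size = needed + math.ceil(needed * SAFETY_MARGIN)
    size = max(size, MIN_RANGE_SIZE)
    return lower, lower + size - 1

if __name__ == "__main__":
    # The document's example: 100 IP-Phones starting up at (almost) the same time.
    site = [PortConsumer("IP-Phone", 100, 3)]
    print(dynamic_port_range(site))   # (10000, 10359)
    # Constructed addition: an FTP client fetching 30 accounting files within 10 s.
    site.append(PortConsumer("FTP client", 1, ftp_ports_for(30, 10)))
    print(dynamic_port_range(site))   # (10000, 10395)
```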
2.1.2 Configuring Thresholds
1. Connect to the system with the "root" account.
2. Run the command
.
3. Select 11. 'Security'
4. Select 6. 'Low dynamic port range configuration'
5. Select 2. 'Update configuration'
The following screen is displayed:
[Screen: Low dynamic port range configuration]
6. Enter the lower limit of the range (in general, this threshold can be left at its default value,
10000)
The following screen is displayed:
[Screen: Low dynamic port range configuration (upper limit)]
7. Enter the upper limit of the range according to estimated needs.
Note: Port range must include at least 128 ports.
8. Enter 0 to return to the main menu, then select 16. 'Apply modifications'
9. Enter 0 to exit netadmin.
2.1.3 Configuring the Firewall
A typical environment is a Call Server and one or more IP-Phones separated by an IP network
and a firewall.
Another typical environment is a Call Server and one or more FTP clients using passive FTP
connections (OmniVista 4760 for example) separated by an IP network and a firewall.
Figure 2.1: Example Topology with IP Phones shows an example of a Call Server with IP-Phones.
In this example, the firewall must be configured to allow passage of DHCP traffic (UDP port
67) and TFTP traffic (UDP port 69), as well as the entire range of dynamic ports configured on
the Call Server.
Figure 2.1: Example Topology with IP Phones
Figure 2.2: Example Topology with a 4760 shows an example with a Call Server and 4760. In this
example, the FTP client (4760) connects to the Call Server via passive FTP connections. If the
firewall is unable to determine the port used for the data channel by "listening" to the command
channel, the entire range of usable ports has to be opened. The advantages gained by use of
a firewall are severely reduced. For firewalls of this type, FTP port range is also reduced.
Figure 2.2: Example Topology with a 4760
2.2 Incidents
When no ports in the range remain available, incident 1529 is sent, limited to one incident
per minute:
- 1529 No dynamic ports, proto 6: for a port request for a TCP socket
- 1529 No dynamic ports, proto 17: for a port request for a UDP socket
Caution: No incident is sent when the FTP server does not have enough ports. However, the
client sends an explicit message stating that the server does not have enough resources.