HP-UX IPFilter Version 16 Administrator's Guide
14 HP-UX IPFilter and Serviceguard
This chapter describes configuration procedures for HP-UX IPFilter used in a Serviceguard
environment.
It contains the following sections for using HP-UX IPFilter with Serviceguard:
• “Local Failover” (page 111)
• “Remote Failover” (page 112)
— “Filtering on a Package IP Address” (page 112)
— “Mandatory Rules” (page 112)
• “DCA Remote Failover” (page 116)
Using HP-UX IPFilter with Serviceguard
HP-UX IPFilter supports local failover in a Serviceguard environment.
CAUTION: NAT functionality is not supported with Serviceguard.
Enabling or Disabling IPFilter
CAUTION: HP recommends that you enable or disable IPFilter only when a brief interruption of
network connectivity is acceptable. HP recommends that you do not enable or disable HP-UX IPFilter
while critical network applications are running.
Disabling or enabling IPFilter briefly brings down all IP interfaces, then brings up only the IP
interfaces configured in the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6
files. IP addresses that are not configured in the netconf or netconf-ipv6 file, such as
Serviceguard relocatable IP addresses, are not re-enabled.
Enabling or disabling IPFilter causes the system to briefly lose network connectivity. If a system
has several IP interfaces or there is heavy network traffic, the time required to re-establish network
connectivity might be interpreted as a network or card failure. For example, Serviceguard might
interpret a network interruption as a card failure, which can cause it to reform the cluster.
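The following script is an added example and is not part of the HP-UX IPFilter guide or of HP's software. It shows the check an administrator would run before enabling or disabling IPFilter on a cluster node: list every IP address currently plumbed on the node that is not in /etc/rc.config.d/netconf, because those addresses (typically Serviceguard package addresses) will not come back when the interfaces are re-plumbed. It assumes that netconf carries IP_ADDRESS[n]=... entries (the IPv6 file can be handled the same way with its own variable names) and that the list of plumbed addresses is produced from netstat -in by the admin; both inputs below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPFilter guide: report addresses that are
# plumbed on this node but absent from netconf, and so will be lost when
# IPFilter is enabled or disabled. Inputs below are constructed.

# Constructed excerpt of /etc/rc.config.d/netconf (quoting varies by release).
SAMPLE_NETCONF='INTERFACE_NAME[0]=lan0
IP_ADDRESS[0]=192.0.2.10
SUBNET_MASK[0]=255.255.255.0
INTERFACE_NAME[1]="lan2"
IP_ADDRESS[1]="192.0.2.26"
SUBNET_MASK[1]="255.255.255.0"'

# Constructed "interface address" pairs as currently plumbed on the node.
# lan0:1 carries a Serviceguard package address that is not in netconf.
SAMPLE_PLUMBED='lan0 192.0.2.10
lan0:1 192.0.2.100
lan2 192.0.2.26
lo0 127.0.0.1'

# netconf_addresses: print the IP_ADDRESS[n] values from netconf text on stdin,
# with or without surrounding double quotes.
netconf_addresses() {
    sed -n 's/^IP_ADDRESS\[[0-9][0-9]*\]="*\([^"]*\)"*$/\1/p'
}

# unmanaged_addresses NETCONF_TEXT: read "iface address" pairs from stdin and
# print those whose address is neither in NETCONF_TEXT nor on loopback.
# Returns 1 if any were printed (not safe to toggle IPFilter yet), else 0.
unmanaged_addresses() {
    known=$(printf '%s\n' "$1" | netconf_addresses)
    found=0
    while read -r iface addr; do
        [ -z "$addr" ] && continue
        case "$iface" in lo0*) continue ;; esac
        if ! printf '%s\n' "$known" | grep -qxF "$addr"; then
            printf '%s %s\n' "$iface" "$addr"
            found=1
        fi
    done
    return $found
}

# Stand-alone run on the constructed data. On a live node the assumed
# equivalent is:
#   netstat -in | awk 'NR > 1 { print $1, $4 }' \
#       | unmanaged_addresses "$(cat /etc/rc.config.d/netconf)"
# (column positions of netstat -in are an assumption; verify them first).
printf '%s\n' "$SAMPLE_PLUMBED" | unmanaged_addresses "$SAMPLE_NETCONF" \
    || echo "halt the packages owning the addresses above before toggling IPFilter" >&2
```

If the function prints anything, move or halt the packages that own those addresses first; an address that is only re-added by the package control script does not survive the interface restart on its own.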
Local Failover
NOTE: See the Serviceguard documentation for information on configuring a local failover
system in Serviceguard.
IPFilter local failover is transparent to users. Network sessions are not disrupted during failover
or failback.
You do not need to configure any additional rules in IPFilter. When an interface fails over, the
HP-UX IPFilter rules that specify interface names are automatically changed.
For example, a node in a Serviceguard cluster has a primary interface named lan0 and a standby
interface named lan1. The following rule is configured for lan0:
pass in on lan0 proto tcp from any to any port = telnet
Upon failover, the rule is automatically modified to:
pass in on lan1 proto tcp from any to any port = telnet
The rule will be changed back automatically on failback.
All rules that filter on interface names are changed at failover and failback, in both the active
ruleset and the inactive ruleset. Logging reflects the change as well: the standby interface
name appears in logs and reports while it is in use.
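The following script is an added example and is not part of the HP-UX IPFilter guide or of HP's software. It predicts what the ruleset above should look like after a local failover from lan0 to lan1 (every rule bound to the primary interface rebound to the standby, all other interfaces untouched) and then verifies a ruleset listing against that expectation, so an administrator can confirm the automatic rewrite on a live node. It works on rule text in the syntax that ipfstat -io prints (the inactive list would be checked the same way with ipfstat -ioI); the sample ruleset is constructed for the example and deliberately includes a lan10 rule to show that matching on the bare interface name would be wrong. The substitution itself is an emulation for comparison purposes, not the mechanism IPFilter uses internally.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPFilter guide: predict and verify the
# interface rewrite that local failover applies to the active ruleset.

# Constructed ruleset as loaded before failover (lan0 primary, lan1 standby).
SAMPLE_RULES='pass in on lan0 proto tcp from any to any port = telnet
block in log on lan0 from 10.0.0.0/8 to any
pass out on lan0 proto udp from any to any port = domain
pass in quick on lan10 proto tcp from any to any port = ssh'

# predict_failover OLD NEW: rewrite every rule on stdin bound to OLD so that it
# is bound to NEW. The surrounding spaces (or end of line) keep "lan1" from
# matching "lan10". Emulates the failover rewrite; not IPFilter's own code.
predict_failover() {
    sed -e "s/ on $1 / on $2 /" -e "s/ on $1\$/ on $2/"
}

# check_failover OLD NEW: read a ruleset listing from stdin. Print any rule
# still bound to OLD and return 1; return 1 if no rule is bound to NEW;
# otherwise return 0 (the rewrite looks complete).
check_failover() {
    rules=$(cat)
    stale=$(printf '%s\n' "$rules" | grep -E " on $1( |\$)" || true)
    moved=$(printf '%s\n' "$rules" | grep -Ec " on $2( |\$)" || true)
    if [ -n "$stale" ]; then
        printf 'rules still bound to %s:\n%s\n' "$1" "$stale" >&2
        return 1
    fi
    if [ "$moved" -eq 0 ]; then
        printf 'no rules bound to %s\n' "$2" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: show the predicted post-failover ruleset, then verify it.
# On a live node after failover, the assumed equivalent of the second line is:
#   ipfstat -io | check_failover lan0 lan1
printf '%s\n' "$SAMPLE_RULES" | predict_failover lan0 lan1
printf '%s\n' "$SAMPLE_RULES" | predict_failover lan0 lan1 \
    | check_failover lan0 lan1 && echo "failover lan0 -> lan1 verified"
```

After failback, run the same check with the arguments reversed (check_failover lan1 lan0); the example's round trip lan0 to lan1 and back leaves the constructed ruleset identical to the original, which is the behaviour the guide describes.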
Using HP-UX IPFilter with Serviceguard 111