HP-UX IPFilter Version A.03.05.14 Administrator's Guide

HP-UX IPFilter and Serviceguard
Using HP-UX IPFilter with Serviceguard
Serviceguard Manager
If you are using the station-management version of Serviceguard Manager,
you must configure rules to let SNMP traffic pass between all nodes in
the cluster and the Serviceguard Manager node.
Each cluster node must have the following rules configured:
    pass in quick proto udp from <SGMgr node> to <clusternodes> port = 161 keep state
    pass out quick proto udp from <clusternodes> to <SGMgr node> port = 162 keep state
Each Serviceguard Manager node must have the following rules configured:
    pass out quick proto udp from <SGMgr node> to <clusternodes> port = 161 keep state
    pass in quick proto udp from <clusternodes> to <SGMgr node> port = 162 keep state
In the previous set of rules, <clusternodes> are all nodes in the cluster,
including the local node, and <SGMgr node> is the node or nodes running
Serviceguard Manager.
NOTE
The previous sections are examples and are meant to serve as guidelines.
You might need to modify them to work with your network configuration
and the applications you use. Specific applications used within the
Serviceguard cluster might require additional ports to be opened.
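An added example (not part of the HP guide): the shell functions below expand <SGMgr node> and <clusternodes> into concrete rules for either role and list any required rule that a set of rules lacks. The function names and the 192.0.2.x addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the HP guide. All addresses are constructed samples.

# required_rules ROLE "MGR_ADDRS" "NODE_ADDRS"
# ROLE: "cluster" for a cluster node, "manager" for a Serviceguard Manager node.
# Prints the SNMP rules for every manager/node pair, local node included.
required_rules() {
    role=$1 mgrs=$2 nodes=$3
    case $role in
        cluster) to161=in  to162=out ;;  # port 161 traffic arrives, 162 leaves
        manager) to161=out to162=in  ;;  # port 161 traffic leaves, 162 arrives
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    for m in $mgrs; do
        for n in $nodes; do
            echo "pass $to161 quick proto udp from $m to $n port = 161 keep state"
            echo "pass $to162 quick proto udp from $n to $m port = 162 keep state"
        done
    done
}

# missing_rules ROLE "MGR_ADDRS" "NODE_ADDRS" < rules-file
# Prints each required rule absent from the rules read on stdin, ignoring
# comments and spacing differences. Returns 1 if any rule is missing.
missing_rules() {
    have=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//')
    missing=$(required_rules "$1" "$2" "$3" | while IFS= read -r rule; do
        printf '%s\n' "$have" | grep -Fqx "$rule" || printf '%s\n' "$rule"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed rules for one cluster node; the port 162 rule for 192.0.2.2 is absent.
SAMPLE_RULES='# SNMP for Serviceguard Manager
pass in  quick proto udp from 192.0.2.10 to 192.0.2.1 port = 161 keep state
pass in  quick proto udp from 192.0.2.10 to 192.0.2.2 port = 161 keep state
pass out quick proto udp from 192.0.2.1 to 192.0.2.10 port = 162 keep state'

printf '%s\n' "$SAMPLE_RULES" |
    missing_rules cluster "192.0.2.10" "192.0.2.1 192.0.2.2" ||
    echo "add the rules listed above" >&2
```

To check a real configuration, redirect the node's rules file into missing_rules in place of the sample text.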
DCA Remote Failover
Normally, IPFilter keep state rules are configured with the flags S
parameter. This parameter instructs IPFilter to create a TCP state entry
only when a SYN packet is parsed.
To enable transparent failover between IPFilter DCA nodes, do not use
flags S with keep limit rules. If incoming TCP/IP traffic is switched
from the active to the standby node, DCA can rebuild the previous
IPFilter state table and IPFilter DCA limit tables from the data stream.
Without flags S in the keep limit rule, IPFilter creates a new state