Considerations for using clusters with firewalls

If you are using clustering in a network that uses firewalls, you should be aware of some limitations and requirements.

If you are using clustering with a firewall, you need to give each node the ability to send outbound messages to and receive inbound messages from the other cluster nodes. An opening in the firewall must exist for each cluster address on each node to communicate with every cluster address on every other node. IP traffic crossing a network is of several types, and a firewall can filter traffic by type. Clustering uses ping, which is ICMP, and also uses UDP and TCP, so for clustering to work the firewall must allow ICMP, UDP and TCP traffic between the cluster addresses. Outbound traffic can be sent from any port; inbound traffic is received on ports 5550 and 5551.

In addition, if you are using advanced node failure detection, any cluster node that is to receive failure messages from a Hardware Management Console (HMC) or from a Virtual I/O Server (VIOS) on an Integrated Virtualization Manager (IVM) managed server must be able to communicate with that HMC or VIOS partition. The cluster node sends to the HMC or VIOS on the IP address that is associated with the HMC's or VIOS's domain name, on port 5989. The cluster node receives from the HMC or VIOS on the IP address that is associated with the cluster node's system name, also on port 5989.
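The following is an added example, not part of the original documentation: it builds the least-privilege allow list these requirements describe (ICMP plus UDP and TCP on ports 5550 and 5551 between every pair of cluster addresses, and port 5989 in both directions between each node and each HMC or VIOS address) and checks candidate packets against it. The node and HMC addresses are constructed sample values, and treating port 5989 as TCP is an assumption, since the text names only the port.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "tcp"
    dport: Optional[int]  # None means any destination port (used for ICMP)


CLUSTER_PORTS = (5550, 5551)  # inbound cluster messaging ports from the text
HMC_PORT = 5989               # HMC/VIOS failure-detection port (assumed TCP)


def cluster_rules(nodes: Iterable[str], hmcs: Iterable[str] = ()) -> Set[Rule]:
    """Allow list for a cluster: every node to every other node, plus HMC/VIOS links."""
    nodes, hmcs = list(nodes), list(hmcs)
    rules: Set[Rule] = set()
    # Each ordered pair of cluster addresses needs ICMP (ping) and both
    # UDP and TCP to the two inbound ports; the source port is unrestricted.
    for src, dst in permutations(nodes, 2):
        rules.add(Rule(src, dst, "icmp", None))
        for port in CLUSTER_PORTS:
            rules.add(Rule(src, dst, "udp", port))
            rules.add(Rule(src, dst, "tcp", port))
    # Advanced node failure detection: node <-> HMC/VIOS on 5989 in both directions.
    for node in nodes:
        for hmc in hmcs:
            rules.add(Rule(node, hmc, "tcp", HMC_PORT))
            rules.add(Rule(hmc, node, "tcp", HMC_PORT))
    return rules


def is_allowed(rules: Set[Rule], src: str, dst: str, proto: str,
               dport: Optional[int] = None) -> bool:
    """True if some rule permits this (src, dst, proto, dport) combination."""
    return any(r.src == src and r.dst == dst and r.proto == proto
               and (r.dport is None or r.dport == dport) for r in rules)


def render(rules: Set[Rule]) -> str:
    """Human-readable, sorted allow list for review before it goes on the firewall."""
    lines = [f"allow {r.proto:<4} {r.src} -> {r.dst}"
             + (f" dport {r.dport}" if r.dport is not None else "") for r in rules]
    return "\n".join(sorted(lines))


if __name__ == "__main__":
    # Constructed sample topology: three cluster nodes and one HMC address.
    print(render(cluster_rules(["10.0.0.1", "10.0.0.2", "10.0.0.3"], ["10.0.1.9"])))
```

Anything not produced by cluster_rules, such as SSH between nodes or cluster ports from a non-cluster address, should stay blocked, which is what the is_allowed checks make visible.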