Configuring the VIOS firewall for partition mobility

You must manually configure the Virtual I/O Server (VIOS) firewall to allow partition mobility before you enable the VIOS firewall.

Partition mobility operations fail for the following reasons:
  • The VIOS firewall is enabled with default settings.
  • The firewall blocks the Internet Control Message Protocol (ICMP) traffic that is required during partition mobility validation.
  • The firewall blocks the ephemeral ports that are required for partition mobility.
You must manually configure the VIOS firewall to prevent these partition mobility failures.

To add ICMP rules to the firewall configuration on all the Virtual I/O Servers, complete the following steps:

  1. From the VIOS command line, run the oem_setup_env command. This command starts a new shell, with root privileges, from which you run the commands in the next step.
  2. From the new environment, run the following commands to add filter rules that accept ICMP echo reply (type 0) and ICMP echo request (type 8) packets on all interfaces:
    1. /usr/sbin/genfilt -v 4 -n 16 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g n -c icmp -o eq -p 0 -O any -P 0 -r L -w I -l N -t 0 -i all -D echo_reply
    2. /usr/sbin/genfilt -v 4 -n 16 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g n -c icmp -o eq -p 8 -O any -P 0 -r L -w I -l N -t 0 -i all -D echo_request
    3. Run the exit command to return to the VIOS command line.
  3. Reduce the range of ephemeral ports and create a rule for each of the ephemeral ports in the firewall configuration.
    For example, to reduce the range of ephemeral ports to nine, run the following commands from the VIOS command line:
    chdev -dev vioslpm0 -attr tcp_port_high=40010
    chdev -dev vioslpm0 -attr tcp_port_low=40001
    Note: Live Partition Mobility uses two ephemeral ports per migration. The ephemeral port range is 32 K - 64 K, and the network stack randomly selects the ports that are used for partition mobility operations. With VIOS version 2.2.2.0 or later, the tcp_port_high and tcp_port_low attributes control the range of ports that can be selected for partition mobility operations; you change them by using the chdev command. Choose a range that is large enough for the maximum number of concurrent partition mobility operations that you run, and include additional ports if any of the ports in the range are used by another program.
  4. Enable the ports to be used in the VIOS firewall.
    For example, to enable the first two ports of that range, 40001 and 40002, in the VIOS firewall, run the following commands from the VIOS command line:
    viosecure -firewall allow -port 40001
    viosecure -firewall allow -port 40002
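The following script is an added example and is not part of the IBM page or of the VIOS product. It ties steps 2 through 4 together: given the lowest port and the number of concurrent migrations you plan to run, it computes the tcp_port_high value (two ports per migration, as the note above states, plus an optional spare count that is an assumption of this example), checks that the range is usable, and prints the genfilt, chdev and viosecure commands in the order the procedure gives them, so the whole rule set can be reviewed before it is typed on the VIOS. The function names are hypothetical, the script only prints commands and never runs them, and the "32 K - 64 K" range from the note is taken here as 32768-65535.

```shell
#!/bin/sh
# Added example, not part of the IBM page: generate and sanity-check the VIOS
# commands from the procedure above for a given number of concurrent Live
# Partition Mobility operations. Assumptions (not from the page): two
# ephemeral ports per migration, as the page's note states; an optional SPARE
# count for ports that other programs may hold; the ephemeral range taken as
# 32768-65535; and the hypothetical function names below. The script only
# prints commands; it never runs genfilt, chdev or viosecure itself.

# lpm_port_high LOW CONCURRENT [SPARE]: print the tcp_port_high value that
# gives CONCURRENT migrations two ports each, plus SPARE extra ports.
lpm_port_high() {
    _low=$1; _concurrent=$2; _spare=${3:-0}
    _needed=$(( _concurrent * 2 + _spare ))
    echo $(( _low + _needed - 1 ))
}

# lpm_range_ok LOW HIGH: succeed when LOW <= HIGH and both lie inside the
# ephemeral range (32 K - 64 K on the page, taken here as 32768-65535).
lpm_range_ok() {
    [ "$1" -ge 32768 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# lpm_icmp_rules: print the two genfilt rules from the page that accept ICMP
# echo reply (type 0) and echo request (type 8) on all interfaces. They are
# run from the oem_setup_env environment, as step 2 describes.
lpm_icmp_rules() {
    echo "/usr/sbin/genfilt -v 4 -n 16 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g n -c icmp -o eq -p 0 -O any -P 0 -r L -w I -l N -t 0 -i all -D echo_reply"
    echo "/usr/sbin/genfilt -v 4 -n 16 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g n -c icmp -o eq -p 8 -O any -P 0 -r L -w I -l N -t 0 -i all -D echo_request"
}

# lpm_port_commands LOW CONCURRENT [SPARE]: print the chdev commands that
# narrow the ephemeral range, then one viosecure allow rule per port in it.
# Fails (exit status 1) when the computed range is not usable.
lpm_port_commands() {
    _low=$1
    _high=$(lpm_port_high "$1" "$2" "${3:-0}")
    if ! lpm_range_ok "$_low" "$_high"; then
        echo "invalid ephemeral port range $_low-$_high" >&2
        return 1
    fi
    # keep the page's order: tcp_port_high first, then tcp_port_low
    echo "chdev -dev vioslpm0 -attr tcp_port_high=$_high"
    echo "chdev -dev vioslpm0 -attr tcp_port_low=$_low"
    # step 4: every port in the narrowed range needs its own firewall rule
    _p=$_low
    while [ "$_p" -le "$_high" ]; do
        echo "viosecure -firewall allow -port $_p"
        _p=$(( _p + 1 ))
    done
}

# Stand-alone use: "sh lpm_rules.sh LOW CONCURRENT [SPARE]" prints the full
# command list; with no arguments it reproduces the page's example range,
# 40001-40010, which covers five concurrent migrations.
if [ "$#" -ge 2 ]; then
    lpm_icmp_rules
    lpm_port_commands "$@"
elif [ "$#" -eq 0 ]; then
    lpm_icmp_rules
    lpm_port_commands 40001 5
fi
```

Run with no arguments to see the commands that correspond to the example range above; run with your own lowest port and concurrency to size a different range. The range check matters because the chdev and viosecure commands accept any port number, so a miscounted range is only noticed when a migration fails validation.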

Last updated: Tue, March 12, 2019