Multiple Private Interconnects and Oracle Linux
Certain scanning software may recommend setting rp_filter
to 1 for security purposes. While it is acceptable to set this value for public networks, it
does not apply to Oracle RAC interconnects. Oracle recommends setting
rp_filter for private interconnects to 0 or 2.
Note:
- When multiple private interconnects are configured, you must set the rp_filter value for the private interconnects to either 0 (no filtering) or 2 (loose filtering). Setting the private interconnect NIC to strict filtering (1) can cause connection issues on the private interconnect.
- It is safe to disable or relax this filtering, because the private interconnect should be on a private and isolated network.
- This requirement does not apply to a single private interconnect.
rp_filter parameter
settings, interconnect packets can be blocked or discarded.
For example, where eth1 and eth2 are the private interconnect NICs, and eth0 is the public network NIC, set the rp_filter of the private address to 2 (loose filtering), the public address to 1 (strict filtering), using the following entries in /etc/sysctl.conf:
# private interconnects (loose filtering)
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.eth2.rp_filter = 2
# public network (strict filtering is OK/preferred)
net.ipv4.conf.eth0.rp_filter = 1
Note:
The kernel applies the maximum of net.ipv4.conf.all.rp_filter and the interface-specific
net.ipv4.conf.<iface>.rp_filter. As a result, if
net.ipv4.conf.all.rp_filter is set to 1
(strict), the private interconnects will effectively operate in strict
mode even if their interface-specific value is set to 0. In this
case, set the interface-specific value for the private interconnects to 2
(loose filtering), as shown in the above example.
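The following check is an added example, not part of the Oracle documentation. It computes the effective mode for each private interconnect NIC as the maximum of the all and interface-specific values, and reports any NIC that ends up in strict mode. The function names, the default tree root /proc/sys/net/ipv4/conf, and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the effective rp_filter mode of private interconnects.
# Effective mode = max(conf/all/rp_filter, conf/<iface>/rp_filter).

# Print the effective rp_filter value for interface $1.
# $2 is the sysctl tree root (assumed default: /proc/sys/net/ipv4/conf).
effective_rp_filter() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter") || return 2
    own=$(cat "$root/$iface/rp_filter") || return 2
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Check each private interconnect NIC; return 1 if any is effectively strict.
# Usage: audit_interconnects ROOT IFACE...
audit_interconnects() {
    root=$1; shift
    rc=0
    for nic in "$@"; do
        eff=$(effective_rp_filter "$nic" "$root") || { echo "$nic: unreadable"; rc=1; continue; }
        case $eff in
            1) echo "$nic: effective rp_filter=1 (strict), set interface value to 2"; rc=1 ;;
            0) echo "$nic: effective rp_filter=0 (no filtering)" ;;
            2) echo "$nic: effective rp_filter=2 (loose)" ;;
            *) echo "$nic: unexpected value $eff"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample tree (not real host state): all=1, eth0=1, eth1=0, eth2=2.
make_sample_tree() {
    dir=$(mktemp -d)
    for pair in all:1 eth0:1 eth1:0 eth2:2; do
        mkdir -p "$dir/${pair%%:*}"
        echo "${pair##*:}" > "$dir/${pair%%:*}/rp_filter"
    done
    echo "$dir"
}

# Demo on the constructed tree: eth1 is reported strict, eth2 loose.
sample=$(make_sample_tree)
audit_interconnects "$sample" eth1 eth2 || echo "fix required"
rm -rf "$sample"
```

On a cluster node, pass /proc/sys/net/ipv4/conf as the root and the private interconnect NIC names as the remaining arguments.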
See Also:
My Oracle Support note 1286796.1 for more information about rp_filter for multiple private interconnects and Linux Kernel
2.6.32+