Channel Access Gateway

1
Channel Access Gateway
2
What is a Channel Access Gateway?

• It forwards channel access to a different
  network.
• Allows access control and filtering.
• Can reduce network traffic.

3
Reduction of network traffic

• Monitors from many clients to the same IOC are
  bundled.
• Saves bandwidth, memory and CPU time on IOC.
• IOC has to serve only one client the gateway.
• Already connected channels are not searched
  again.
• Saves broadcast traffic with many clients of the
  same channel.
• Channels stay connected for at least two hours.
• Saves broadcast traffic with short-lived clients
  (caget).

4
Old SLS Network Layout (2007)
PSI network
SLS Accelerator
Gate way
Beamlines
5
New SLS Network Layout (now)
PSI network
Firewall Switch
SLS Accelerator
Gate way
Gate way
Beamline1
Beamline2
6
PSI-XFEL Network layout
backbone network(control room, central IOCs)
VLAN router
beamline 1
gun
linac 1
linac n
undulators
...
...
beamline n
vacuum system PLCs
machine interlock system PLCs
EPICS
web cameras
non EPICS
...
7
Installed SLS gateways

• office ? machine
• Read-only access to machine.
• 16 beamlines ? machine
• Most channels are read-only
• Special beamline related channels are writable
• Each gateway computer runs 2 gateway processes
• X-IMPGW imports other channels into beamline
  network
• X-EXPGW exports beamline channels to other
  networks

8
Filtering and access control

• Filtering is done by channel name patterns.
• Only configured patterns are forwared, others are
  blocked.
• Saves broadcast traffic if channel is blocked.
• Requires simple rules to know network from
  channel name.
• Wrong filter settings make channels unavailable.
• Access can be read-only or read-write.
• Filter rules can be combined with rules for users
  and hosts.
• Beamlines can write only to selected channels on
  machine.
• Beamlines cannot write to other beamlines.
• Wrong filter settings give wrong access rights.

9
Example configuration
EVALUATION ORDER ALLOW, DENY get machine and
other beamline channels X(?!12SA).
ALLOW ILUUL. ALLOW A.
ALLOW allow statistic
channels X12SA-IMPGW.
ALLOW X12SA-EXPGW. ALLOW Orbit
Feedback .-LBB. ALLOW
PLCs MIS, VCS, LAC .-MIS.
ALLOW .-VCS. ALLOW .-FE-.
ALLOW .-LAC.
ALLOW Special X12SA-VME-ID.
ALLOW X12SA-ID.
ALLOW WRITE ACOAU-ACCUOP-X12SA(\.VAL)?
ALLOW WRITE ACOAU-ACCUALARM-X12SA(\.VAL)?
ALLOW WRITE X12SA-FE-.CLOSE4BL(\.VAL)?
ALLOW WRITE X12SA-FE-.OPEN-BLMODE(\.VAL)?
ALLOW WRITE X12SA-FE-FI1WT_SET(\.VAL)?
ALLOW WRITE block everything but my own
status channels to my beamline IP to prevent
loops !X12SA-IMPGW. DENY FROM
129.129.122.14

• Filename GATEWAY.pvlist
• Install directory on gateway/usr/local/caGateway
  
• Copy on fileserver/exchange/home/zimoch/caGatewa
  y
• CVS repositoryG/EPICS/extensions/src/gateway/con
  figor short gateway/config
• Filtering based on Perl regular expressions

10
How can I see that a gateway has a problem?

• Records on other networks ...
• are unavailable. (Most probable error)
• Is the record new? It might not match the filter
  pattern.
• disconnect unexpectedly.
• take long to connect.
• update irregularly or delayed.

11
Diagnostic medm sceens

• medm -x gateways.adl
• Should work on all SLS networks.
• From office net, type cam first.
• Launcher

Existing channels
Not existing channels