Experimental Physics and
Industrial Control System

Hi Andrew,

I thought we were doing directed UDP broadcasts to Cisco switches at the APS.

Here is what we do.  By default I set my EPICS_CA_ADDR_LIST to the broadcast address of only my local subnet, 164.54.160.255

corvette:ADAndor3/andor3App/src>echo $EPICS_CA_ADDR_LIST
164.54.160.255

When I do that I cannot reach PVs on another sector's subnet (164.54.162.*)

corvette:ADAndor3/andor3App/src>caget 15IDA:m1
Channel connect timed out: '15IDA:m1' not found.

However, if I add the broadcast address of the 164.54.162.* subnet:

corvette:ADAndor3/andor3App/src>setenv EPICS_CA_ADDR_LIST "164.64.160.255 164.54.162.255"
corvette:ADAndor3/andor3App/src>echo $EPICS_CA_ADDR_LIST
164.64.160.255 164.54.162.255

Then I can see PVs on their subnet.
corvette:ADAndor3/andor3App/src>caget 15IDA:m1
15IDA:m1                       0

Isn't that doing a directed UDP broadcast to the switch for the 164.54.162.* subnet?

Thanks,
Mark


-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Andrew Johnson
Sent: Monday, July 16, 2018 12:08 PM
To: [email protected]
Subject: Re: caget randomly returns Channel connect timed out

Hi Dirk,

On 07/16/2018 02:42 AM, Dirk Zimoch via Tech-talk wrote:
> We at PSI hat problems with new Cisco switches (I don't know the 
> model) dropping CA directed broadcasts (i.e. broadcasts into another 
> subnet, such as 172.17.2.255 172.17.3.255) and even blocking them for 
> a while when the rate went over a certain limit (e.g. when a huge UI starts up).
> I think that was supposed to be a counter measure against denial of 
> service attacks. It took over a year of discussion with Cisco to get a fix.

You managed to get Cisco to support the conversion of a UDP packet sent to a subnet's broadcast address into a real broadcast packet on that subnet? I'm impressed! Our older HP switches used to allow this but IT replaced them several years ago (we weren't relying on this behaviour, which does have some fairly obvious DoS attack possibilities).

For the record, can you find out if that Cisco solution is specific to a particular model or family of switches, or if they made it generic?

- Andrew

--
Arguing for surveillance because you have nothing to hide is no different than making the claim, "I don't care about freedom of speech because I have nothing to say." -- Edward Snowdon

Replies:

Re: caget randomly returns Channel connect timed out Andrew Johnson

References:

caget randomly returns Channel connect timed out Matt Rippa

Re: caget randomly returns Channel connect timed out Andrew Johnson

Re: caget randomly returns Channel connect timed out Michael Davidsaver

Re: caget randomly returns Channel connect timed out Matt Rippa

Re: caget randomly returns Channel connect timed out Dirk Zimoch via Tech-talk

Re: caget randomly returns Channel connect timed out Andrew Johnson

Navigate by Date:

Prev: Re: caget randomly returns Channel connect timed out Andrew Johnson

Next: Re: caget randomly returns Channel connect timed out Andrew Johnson

Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <2018>  2019  2020  2021  2022  2023  2024 

Navigate by Thread:

Prev: Re: caget randomly returns Channel connect timed out Andrew Johnson

Next: Re: caget randomly returns Channel connect timed out Andrew Johnson

Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <2018>  2019  2020  2021  2022  2023  2024