> Another question, There are many systems, such as RF system, timing
> system, control system, power supply system, etc in the accelerator.
> What's the consideration of designing the VLANs internal of the
> accelerator's network. Do you design VLANs according to the physical
> location or system, i.e. LINAC VLAN, RING VLAN or timing system
> VLAN, control system VLAN, etc.
Well, my experience is from the S-DALINAC, a small university machine.
For this machine segregation has been done like this:
1. office network
2. accelerator network (IOCs, control room PCs, PLCs, archiver...)
3. accelerator DMZ (database backend for archiver, WebOPI, AlarmHandler,...)
4. experiment network (data acquisition systems,...)
Firewalls prevent access between those networks. Only SSH connections
are allowed. CA gateways provides read-only access to PVs on (2) from
(1) and (4). Read-only access to PVs on (4) from (1) and (2) is
permitted as well. Read-only access to the archiver's database system is
allowed from all four networks while write access is only permitted from
the archiver machine (2).
Separation between (1) and (2) is obvious. Separation between (2) and
(3) has been driven by the fact that complex web services,
database servers, etc. are difficult to keep free of vulnerabilities but
usually are not strictly necessary for operation. Separating these
machines from the core accelerator network can significantly improve
security without introducing to much hassle.
Separation between (2) and (4) is based on social factors: IOCs on (2)
are maintained by the accelerator group while the experiment guys are
responsible for machines on (4). They share their experience but both
want to be sure they know about everything that is going on in their
net. Keeping the net/group small makes that easier.
> We are considering designing VLANs according to systems. For large
> systems, design one VLAN for each system , and for small systems,
> several system will share a VLAN. Any advice?
Makes sense to me. If you have let's say 25+ devices/IOCs for RF which
are more or less independent from the rest of the IOCs, it might be
worth moving them into their own VLAN. Separating PLCs from PCs might
make it harder to attack the PLCs.
Find reasons like this and you'll end up with the right amount of
segregation. Note that it's not a big deal to add an additional VLAN or
merge two VLANs later.
Let me know if you publish your experience about this topic. We are
facing the same kind of decisions for FRIB in the near future.
Control System Engineer
Facility for Rare Isotope Beams
Michigan State University
640 South Shaw Lane
East Lansing, MI 48824-1321, USA
- Re: VLANS designing，Geographical vs functional? Konrad, Martin
- Navigate by Date:
Re: Sequencer Installation error Benjamin Franksen
EPICS 188.8.131.52 base with vxWorks-6.9 compile error for the ppc604_long target Oleg A. Makarov
- Navigate by Thread:
Re: VLANS designing，Geographical vs functional? Konrad, Martin
Streamdevice extract bytestream Stanley.He