Re: EPICS across subnets

[Randall Cayford via Tech-talk <tech-talk at aps.anl.gov>]

CA-Gateway turned out to be really simple to install and solves our problem very cleanly.

Thanks for the info.

> On Jun 18, 2020, at 8:59 AM, Michael Davidsaver <mdavidsaver at gmail.com> wrote:
> 
> On 6/18/20 8:40 AM, Mark Rivers wrote:
>> Hi Michael,
>> 
>> 
>> Thanks for the explanation.
>> 
>> 
>> One of the options we use is to set EPICS_CA_ADDR_LIST to the broadcast address of a remote subnet.  Is that option included in your table?  It does require the router to be configured to allow directed broadcasts.  We have found this mode to be useful to be able to access PVs across beamlines at the APS.
> 
> I've never set up this sort of "router trickery" myself,
> so it didn't occur to me to specifically mention.
> 
> 
>> Without setting EPICS_CA_ADDR_LIST:
>> 
>> corvette:~>caget 15IDA:m1
>> Channel connect timed out: '15IDA:m1' not found.
>> 
>> 
>> Set EPICS_CA_ADDR_LIST to broadcast address of remote network:
>> corvette:~>setenv EPICS_CA_ADDR_LIST 164.54.162.255
>> corvette:~>caget 15IDA:m1
>> 15IDA:m1                       0
>> 
>> 
>> Mark
>> 
>> 
>> ________________________________
>> From: Tech-talk <tech-talk-bounces at aps.anl.gov> on behalf of Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov>
>> Sent: Wednesday, June 17, 2020 9:59 PM
>> To: Randall Cayford
>> Cc: tech-talk at aps.anl.gov
>> Subject: Re: EPICS across subnets
>> 
>> On 6/17/20 12:10 PM, Randall Cayford via Tech-talk wrote:
>>> I'm trying to understand what the options are for working with EPICS across subnets and for remote access.
>> 
>> With CA circa Base 7.0 there are a number of options for CA search
>> 
>> 1. Broadcast UDP through local interfaces.
>> 
>> I mention this only because it is the default.  Absent some router
>> trickery broadcasts can't cross sub-nets.
>> 
>> 2. Unicast UDP
>> 
>> Can be targeted at any IP+port, but will generally only be received
>> by one IOC process listening on the IP+port.  This would be an easy
>> solution if your target system has only one IOC.
>> 
>> 3. Multicast UDP
>> 
>> Recent CA knows how to send searches to IPv4 multicast addresses.
>> With appropriate router/switch configuration, these can cross
>> sub-net boundaries.
>> 
>> 4. Unicast TCP
>> 
>> Similar to #2 but with transport through TCP instead of UDP.
>> Easier than #2 to accommodate multiple IOCs, but still not so
>> scalable.  Requires manually picking a well known TCP port for
>> each IOC and configuring all clients accordingly.
>> 
>> 5. CA gateway
>> 
>> An active proxy-like daemon which would sit between the two
>> sub-nets (on a host with direct access to both)
>> 
>> 
>> Possibilities 1-3 are configured through EPICS_CA_ADDR_LIST.
>> The special IP types (local interface broadcast, or multicast)
>> are detected and handled appropriately.  With multicast you'll
>> also want to set EPICS_CA_MCAST_TTL.
>> 
>> Possibility 4 involves setting EPICS_CA_NAME_SERVERS
>> 
>> Possibility 5 involves building and running cagateway.  It would
>> take more than a paragraph to explain how to do this.
>> 
>> https://github.com/epics-extensions/ca-gateway
>> 
>> 
>>> We have some IOCs running on subnet A.  We also need access to a few PVs from IOCs running on network B.  I would like to access PVs on both A and B from subnet C.  Subnets are separated by multiple layers of routers.  Subnet A is on the experimental floor and is pretty locked down to control network traffic.
>>> 
>>> My understanding is that EPICS_CA_ADDR_LIST will let me access other subnets but only if if multicast packets are passed between the subnets or if there is a cagateway running.  Is that correct?
>>> 
>>> If cagateway is running on subnet B does it pass only the packets requested by a client on subnet A or does it pass all the broadcast traffic from subnet B?
>>> 
>>> Is EPICS_CA_ADDR_LIST supposed to include all of subnet B (subnetB.255) or just the IP of the gateway?
>>> 
>>> What router access rules are needed to allow connections to PVs on B from clients on A or C?
>>> 
>>> Does PVaccess change any of this?
>>> 
>>> 
>>> I'm sure this is all somewhere in the documentation but I haven't been able to sort it out by reading.  This involves a lot of different people to set up so I'm looking for some clarity on what needs to be done and who needs to do it.
>>> 
>>> Randall
>>> 
>>> 
>>> 
>> 
>