Separation of the NA62 network from the GPN
R. Fantechi

The NA62 network
• Configured in summer 2012
• Set of routed network segments
• On each switch three segments coexist
• Configuration, Data and DCS
• Different configuration in the future for the LKr
• By default, open to/from any host on the GPN
• But closed to the outside world, as it has a non-routed address range
• Need to improve its security
• Like the other experiments, including Compass
• A specific request from DCS
• Also an (unofficial) way of slightly relaxing the configuration of individual NA62 machines

How filtering is done
• It relies on two mechanisms
• The “bypass” and “exposed” sets of machines (or other sets)
• The bypass set contains the machines on the GPN which we have to access (e.g. AFS or Linuxsoft)
• The exposed set contains all the NA62 machines which we want to be seen by the GPN
• The management of these sets is left to us. We can choose to add/remove sets/machines from these sets
• A default pair of bypass and exposed sets exists already
• A configuration parameter in our router’s configuration
• Now it is “off”, and the default sets are not active
• When put “on”, all the machines in the bypass and exposed sets will be active. Access for all other machines will be blocked

How to proceed
• The gateway between NA62 and the technical network has been activated this week
• No major problems for the moment
• It will affect mainly DCS (and Run control...)
• We have to carefully set up the bypass and exposed sets in order to have all the needed functionality
• Then, during a quiet period, activate the gateway and iterate to reach the expected performance
• Two machines are ready to be configured as application gateways

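A dry run of the bypass/exposed filtering over recorded flows, to find what would stop working before the parameter is switched "on". This is an added example, not part of the original slides; the subnet, addresses, ports and flow records are constructed, and the rule that a boundary-crossing flow passes when its NA62 end is exposed or its GPN end is in the bypass set is an assumed reading of the slides.

```python
import ipaddress

# Constructed values: the slides give no addresses or host names.
NA62_NET = ipaddress.ip_network("10.62.0.0/16")  # stand-in for the non-routed NA62 range
BYPASS = {"192.0.2.10", "192.0.2.11"}            # GPN hosts NA62 must reach (e.g. AFS, Linuxsoft)
EXPOSED = {"10.62.1.5", "10.62.1.6"}             # NA62 hosts visible from the GPN (e.g. gateways)

# Constructed flow records (src, dst, port), as collected while filtering is still "off".
FLOWS = [
    ("10.62.2.20", "192.0.2.10", 7000),  # NA62 node -> bypass host
    ("192.0.2.50", "10.62.1.5", 22),     # GPN desktop -> exposed gateway
    ("192.0.2.50", "10.62.2.20", 22),    # GPN desktop -> non-exposed node
    ("10.62.2.20", "192.0.2.77", 443),   # NA62 node -> GPN host outside bypass
    ("10.62.2.20", "10.62.2.21", 2505),  # stays inside NA62
]

def in_na62(addr):
    return ipaddress.ip_address(addr) in NA62_NET

def verdict(src, dst, filtering_on=True):
    """Classify one flow as 'not-crossing', 'allow' or 'block' (assumed gate semantics)."""
    src_in, dst_in = in_na62(src), in_na62(dst)
    if src_in == dst_in:
        return "not-crossing"            # both ends on the same side of the gate
    if not filtering_on:
        return "allow"                   # parameter "off": sets are not active
    na62_host, gpn_host = (src, dst) if src_in else (dst, src)
    if na62_host in EXPOSED or gpn_host in BYPASS:
        return "allow"
    return "block"

def would_break(flows):
    """Flows that work with the parameter off but would be blocked once it is on."""
    return [f for f in flows
            if verdict(f[0], f[1], False) == "allow"
            and verdict(f[0], f[1], True) == "block"]

if __name__ == "__main__":
    for src, dst, port in would_break(FLOWS):
        print(f"would be blocked: {src} -> {dst}:{port}")
```

Each reported flow is either a machine missing from one of the sets or traffic that should move to an application gateway.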
Application gateways
• Application access points to the NA62 network
• There will be two of them, one running Windows terminal server, the other running Linux
• On the NA62 network, exposed to GPN
• The Windows one mainly used for DCS
• Specific recommended application: use it to run the DCS UI for standalone operation on detector HVs
• CAEN tool in the production environment not recommended
• The Linux one to be used for
• SSH terminal access to jump on specific NA62 machines
• SSH tunnels to access applications on the NA62 network
• DIM bridge to pass DIM packets from the run control (TN) to the TEL62
• Instead of exposing all the TEL62s to the TN
• Anyway this mechanism is under study