MediaWiki API result

{
    "warnings": {
        "query": {
            "*": "Formatting of continuation data will be changing soon. To continue using the current formatting, use the 'rawcontinue' parameter. To begin using the new format, pass an empty string for 'continue' in the initial query."
        }
    },
    "query-continue": {
        "allpages": {
            "gapcontinue": "SIP"
        }
    },
    "query": {
        "pages": {
            "1478": {
                "pageid": 1478,
                "ns": 0,
                "title": "Registrace MAC",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "=Solution description=\n\nMandatory registration of network devices at FJFI (in Trojanka) is handled (primitively) at the level of the DHCP server assigning different addresses. This solution can be bypassed easily, but its primary purpose is not to secure the network against unauthorized use (the security options are listed at the end) but to make it easy to trace the administrator of a device in case of strange behaviour on the network or outright complaints.\n\nMachines that are not registered in the database receive only IPv4 addresses from a [[Network|Priv\u00e1tn\u00ed adresy na default VLAN fjfi-*-def|special range]] that is not normally routed to the internet. With this address the user can reach only the web page with the [https://nms.fjfi.cvut.cz/user/register.php registration form] (and a few basic \u010cVUT/FJFI information pages). Once this form has been filled in and the identity verified, access \"out\" is allowed immediately. The user still has a private address (the address change cannot be forced and happens within 10 minutes through expiry of the DHCP lease), but a rule allowing NAT to the internet for the given IP and MAC is added on nms.fjfi.cvut.cz. This rule is deleted automatically when the device has not been reachable via ARPing for a longer time (an hour).\n\nThe DHCP/DHCPv6 server configuration is (for now) updated every 5 minutes based on information about the registered devices. After the DHCP update, every registered device will receive IP addresses from a dedicated range (e.g. the public addresses 147.32.7.0/24 in Trojanka). Dynamic configuration of the DHCP server is planned for the future, so that configuration changes take effect immediately (from the client's point of view, of course, only after its next request for a DHCP address). The standard validity period for dynamically assigned addresses is one hour.\n\nAn administrator can \"[https://nms.fjfi.cvut.cz/user/?p=admin&sp=mac block]\" misbehaving devices, and such a device will receive the same addresses as unregistered (deleted) devices. Unlike with unregistered (deleted) devices, however, the user cannot perform a new registration and is only informed about the block, with contacts for the administrators. If the device has a statically configured address, this method of blocking does not work and the IP or MAC address has to be blocked directly on the switch (disabling the port) or on the router.\n\nRegistration of course \"does not apply\" to the WiFi networks (Eduroam, WiFiFJFI), because there a device is registered automatically when the user logs in to the network. For this reason the WiFi networks also need to be on separate VLANs (for Eduroam this could still be solved without VLANs, but for WiFiFJFI it cannot be done without VLANs). Because the VLANs are routed separately, these networks also have their own IP ranges ([[Network#Priv\u00e1tn\u00ed adresy na eduroam VLAN fjfi-*-eduroam|Eduroam]], [[Network#Priv\u00e1tn\u00ed adresy na wififjfi VLAN fjfi-*-wififjfi|WiFiFJFI]], [[Network|...]]).\n\nIt is also necessary to ensure that blocked or deleted devices have no access through the WiFiFJFI and Eduroam networks either. A range of private addresses is reserved for this; again, no communication to the internet is possible from these addresses, and a captive portal is shown with information about the device being blocked + contacts for the administrators. As with registrations, in this case too DHCPv6 assigns the client no IPv6 address, so it is sufficient to have the registration processes configured and working for IPv4 only. Of course, once IPv6-only devices become widespread, the current approach, which does not directly support such devices, will have to be revised.\n\n=Components used=\n\n*[https://gitlab.fjfi.cvut.cz/comp/nmsui interface for user configuration]\n**[https://nms.fjfi.cvut.cz/user/register.php registration form]\n**[https://nms.fjfi.cvut.cz/user/?p=admin&sp=mac editing of registered devices]\n**[https://nms.fjfi.cvut.cz/user/?p=admin&sp=ip_rules rules for assigning reserved IP addresses]\n*[https://gitlab.fjfi.cvut.cz/comp/dinfo daemon that changes the iptables / ipset configuration]\n*[https://gitlab.fjfi.cvut.cz/comp/scripts/UpdateNAT.py script for deleting old entries from iptables / ipset] (run regularly from cron)\n*[[nms.fjfi.cvut.cz#DHCP|DHCP server]]\n**assigning different addresses to (un)registered devices\n**local static DHCP and DHCPv6 configuration in <tt>/etc/dhcp/dhcp[6]*.conf</tt>\n**[https://gitlab.fjfi.cvut.cz/comp/scripts/DhcpUpdate.py configuration generated by a script] from the registration database\n*[[nms.fjfi.cvut.cz#HTTP|HTTP server]]\n**configuration of a redirect with the client's IP address to the registration page (captive portal)\n**configuration of a virtual host on a private address + a redirect in index.php for locations outside Trojanka\n*VLAN for separating the independently authenticated WiFiFJFI devices\n\n=Registration=\n\nWhen a device is registered by an ordinary user through the [https://nms.fjfi.cvut.cz/user/?p=mac&sp=add nmsui] interface or by any user through the [https://nms.fjfi.cvut.cz/user/register.php captive portal], only basic parameters can be set. Without special privileges it is therefore not possible to reserve an IP address of one's own or, for example, to have the device name added to DNS automatically. For an ordinary user, registration behaves as if the user had requested the IP address \"auto\", which is evaluated according to the [https://nms.fjfi.cvut.cz/user/?p=admin&sp=ip_rules rules] that assign specific reserved IP addresses. The rule used for assigning IPv4/IPv6 addresses may also be empty, in which case the device will be assigned an address from the dynamic DHCP pool (if one is supported for the given subnet). User registration also makes no modifications to DNS records.\n\n{|\n|[[Image:register-captive.png|captive portal registration|thumb|200px]]\n|[[Image:register-user.png|user registration|thumb|250px]]\n|[[Image:register-admin.png|admin registration|thumb|250px]]\n|}\n\nAuthorized administrators can specify exact IPv4/IPv6 addresses and VLANs directly on the [https://nms.fjfi.cvut.cz/user/?p=mac&sp=add registration page] (by default the correct VLAN is assigned automatically and specifying custom names is not recommended). The following can therefore be chosen as the IP address:\n\n* auto - the default choice, which selects addresses automatically according to the [https://nms.fjfi.cvut.cz/user/?p=admin&sp=ip_rules rules] (new rules with new names and different filters can be created)\n* auto@vlan - selects addresses automatically, but only from the VLAN of the given name\n* 192.0.2.123 - assigns a specific IP address with automatic VLAN selection (the address must be from a known range)\n* 192.0.2.123@VLAN - assigns a specific IP address on the VLAN of the given name\n* 2001:DB8::123 - assigns a specific IP address with automatic VLAN selection (the address must be from a known range)\n* 2001:DB8::123@VLAN - assigns a specific IP address on the VLAN of the given name\n* 192.0.2.123,2001:DB8::123 - assigns multiple addresses to one interface (or, with multiple interfaces/MACs, the first address is assigned to the first interface/MAC, ...)\n* auto,192.0.2.123,2001:DB8::123 - combination of the \"auto\" rule + two additional specific addresses\n* \"empty field\" - the device will have no reserved address and will receive dynamically assigned addresses\n\n==Rules for automatic creation of reserved addresses==\n\nWhen a user registers a device through the [https://nms.fjfi.cvut.cz/user/register.php captive portal], or an administrator [https://nms.fjfi.cvut.cz/user/?p=mac&sp=add during manual registration] chooses the keyword \"auto\" (or any [https://nms.fjfi.cvut.cz/user/?p=admin&sp=ip_rules rule name from the list]) as the IP address, a reserved IPv4/IPv6 address is selected automatically. Active [https://nms.fjfi.cvut.cz/user/?p=admin&sp=ip_rules rules] with the matching name are filtered by the defined properties of the device (owner, device type, location, ...) and sorted in descending order by weight. The rule with the highest weight is then used to automatically select free IPv4/IPv6 addresses from the listed ranges.\n\nA single rule can assign a device any number of IPv4/IPv6 addresses from different VLANs. When a particular rule is applied, all defined IPv4/IPv6 ranges are processed in turn and for each VLAN the first free address from the listed range is selected. If the assigned range is already fully occupied (or all ranges on the given VLAN are fully occupied), the device gets no reserved address. When creating rules it is not necessary to state which VLAN a particular IP range belongs to; in that case the correct VLAN matching the IP range is selected.\n\nA rule's filter can contain both basic device properties (owner, type, location, status) and items indirectly related to the registered device:\n\n* VLAN - as the device's IP address the administrator can choose not only \"auto\" but also an address from a specific VLAN, for example \"auto@fjfi-tr-def\", and the VLAN filter then allows different addresses to be assigned depending on the request for a specific VLAN\n* users - this filter can contain a comma-separated list of user names, and the user registering the device must be in the list for the rule to apply to them (e.g.: \"vokacpet,keroupav,schlopet\")\n* groups - like the users filter, it can contain a list of groups, and the user registering the device must be a member of one of the listed groups (e.g.: \"km_all,kf_all\")\n* priv - this filter can be applied to the [https://nms.fjfi.cvut.cz/user/?p=admin&sp=info privileges granted to administrators] specifically for this web interface (e.g. \"mac_ro\")\n\n==Tracing special devices==\n\nFor computers, notebooks, PDAs, ... registration should not be a problem, because these devices have a web browser that is redirected automatically to the captive portal (some addresses/ports are reachable even for unregistered devices - \u010cVUT/FJFI information websites, FJFI AD services for joining a machine to the domain, ...). It is different for other devices such as network printers, VoIP phones, ... These have to be registered in advance (the MAC address is usually printed near the network interface) or a static IP address from the [[IP rozsahy|assigned range]] has to be set.\n\nIf the MAC address is not known and a static IP address (traceable through the [https://nms.fjfi.cvut.cz/user/?p=ipstat&sp=arping online history]) cannot be configured manually, the [https://nms.fjfi.cvut.cz/user/?p=admin&sp=fingerprint online access to information about DHCP requests] can be used to find the MAC. In a worse case the [https://nms.fjfi.cvut.cz/user/?p=admin&sp=mac&sp=dhcp DHCP server logs] can help, or the search may be made easier by the [https://nms.fjfi.cvut.cz/user/?p=ipstat&view=vendor list of devices by vendor], or finally by the [https://nms.fjfi.cvut.cz/user/?p=ipstat&view=arping running devices] in the range for unregistered devices (these ranges can be found on the page with information about [[Network|IP address usage]] for unregistered/blocked/deleted devices).\n\n==Registered addresses==\n\nNot only all MAC addresses appearing on the FJFI network have to be registered (ideally all MACs of one device are added to a single registration), but also all IPv4/IPv6 addresses in use, including those of devices that have their IPv4/IPv6 addresses configured statically on the device itself and do not use DHCP (e.g. servers). If a device does not require a permanent IP address, no address needs to be registered for the given network interface (MAC); in that case the device will receive an address from the range reserved for dynamic IP address allocation (some special VLANs may not support dynamic allocation). Dynamic allocation of IPv4 addresses is particularly suitable for devices that are not permanently connected to the network (students' notebooks, ...), since the number of these addresses is not unlimited. For office computers used daily, reserved (permanent) addresses are recommended. Likewise on IPv6, given the practically unlimited number of addresses, using/reserving a specific address is recommended (at least for the VLAN/building where the device is frequently present).\n\nThe registration of a specific address also includes the VLAN on which the address will be used. Normally it does not need to be given at registration, because the correct VLAN is selected automatically from the value of the IPv4 or IPv6 address (the IP ranges of different VLANs do not overlap, so the VLAN can be determined unambiguously). The user can, however, enter any VLAN name regardless of whether it exists at all or matches the value of the IP address (not recommended - you really must know what you are doing), and applications using the registration data have to cope with this in some reasonable way (e.g. by ignoring such \"incorrect\" address/VLAN records).\n\n<strike>This is not sufficiently finished/tested - if you want to use this feature, contact the [http://nms.fjfi.cvut.cz/user/who.php?uid=vokacpet|administrator]. It is also possible to disable the assignment of IPv4 or IPv6 addresses, either globally on all VLANs or for a specific VLAN. This is done with the special keyword \"disabled4\" or \"disabled6\", entered in place of the IP address of the registered device. You can also use the keywords \"nat4\" and \"nat6\" to specify that you wish to receive private NATed addresses from the dynamically assigned range.</strike>\n\nRegistered addresses are used not only to configure DHCP but also for [[arpmon|monitoring]] whether a given device is misconfigured and happens to be using someone else's address. That could potentially lead to network connectivity problems, so the administrator of the device and of the given subnet is notified of such a situation. More information is on the page about [[arpmon|monitoring]].\n\nSupported values for a registered address:\n\n* IPv4 address - reserved IPv4 address for the device / interface\n* IPv6 address - reserved IPv6 address for the device / interface\n* <strike>disabled4 - do not assign an IPv4 address, see above</strike>\n* <strike>disabled6 - do not assign an IPv6 address, see above</strike>\n* <strike>nat4 - use a private IPv4 address, see above</strike>\n* <strike>nat6 - use a private IPv6 address, see above</strike>\n\n==Registration data - details==\n\n===User-defined flags \"Flags\"===\n\nThese items can contain arbitrary user data for other applications that use the registrations (e.g. PXE boot options applied to the DHCP server configuration). It is essentially a key/value list in which the key determines the record type and the value can contain arbitrary data used by the target application. Access rights can be defined for each record type (currently they are stored directly in the configuration file of the RESTful API), specifying who should have read/write access (god/admin/user/anonym).\n\n{|class=\"wikitable\"\n!colspan=\"6\"|Device registration Flags\n|-\n!rowspan=\"2\"|name\n!scope\n!acl (read/write)\n!owner\n!date\n!data\n|-\n|colspan=\"5\"|description\n|-\n|colspan=\"6\"|\n|-\n!rowspan=\"2\"|notify\n!device\n!admin/admin\n!vokacpet\n!2010\n! -\n|-\n|colspan=\"5\"|send mail to the subnet administrator (or to the given address) if this device appears on the network\n|-\n!rowspan=\"2\"|ad\n!device\n!admin/god\n!vokacpet\n! -\n!DN\n|-\n|colspan=\"5\"|flag set automatically according to the placement of a computer joined to AD\n|-\n!rowspan=\"2\"|pxe\n!device\n!admin/admin\n!vokacpet\n!2010\n![147.32.9.2 [/gpxelinux.0 [xx:xx:xx:xx:xx:xx]]]\n|-\n|colspan=\"5\"|configure the DHCP server to send network boot information for the server 147.32.9.2 (default) and its file /gpxelinux.0 (default) accessible over the TFTP protocol (when there are multiple network interfaces, the MAC address of the specific interface that should use this configuration can be given)\n|-\n!rowspan=\"2\"|pxe\n!device\n!admin/admin\n!vokacpet\n!2010\n!template_name [xx:xx:xx:xx:xx:xx]\n|-\n|colspan=\"5\"|configure the DHCP server to send network boot information according to predefined templates, optionally selecting a specific network interface\navailable templates:\n* default ('147.32.9.2', '2001:718:2:1900::2', '/gpxelinux.0')\n* efi ('147.32.9.2', '2001:718:2:1900::2', '/shim.efi')\n|-\n!rowspan=\"2\"|voip\n!device\n!admin/admin\n!vokacpet\n!2016\n!\"nothing\"|template_name|address1 [address2 [...]]\n|-\n|colspan=\"5\"|specification of the TFTP server from which IP phones download the Cisco Call Manager (CCM) configuration; if you specify no value, the standard \"default\" template with the IPv4 and IPv6 addresses of the \u010cVUT CCM is used. You can also give several IPv4 or IPv6 addresses separated by spaces. If you set several \"voip\" flags on a registered device, the resulting list will contain the union of all the given addresses. For Cisco IP phones identifying themselves as \"Cisco Systems, Inc. IP Phone\" or \"Cisco IP Phone\", the list of \u010cVUT CCM TFTP addresses is sent automatically even without the \"voip\" flag configured.\navailable templates:\n* default [ '147.32.240.199', '147.32.240.200', '2001:718:2:2201::199', '2001:718:2:2201::200' ]\n|-\n!rowspan=\"2\"|wpad\n!device\n!admin/admin\n!vokacpet\n!2024\n!\"nothing\"|template_name|URL\n|-\n|colspan=\"5\"|specification of the URL with the HTTP proxy server configuration\navailable templates:\n* default: http://nms.fjfi.cvut.cz/wpad.dat\n|}\n\n=Handling complaints / blocks=\n\n* invalid data\n* IDS detection\n* complaint from abuse@cvut.cz\n** arrives in the mailing list <tt>nightwatch@lists.fjfi.cvut.cz</tt>\n** the culprit has to be traced using the information about [https://nms.fjfi.cvut.cz/user/?p=ipstat&sp=arping running] ([https://nms.fjfi.cvut.cz/user/?p=ipstat&sp=ulog NATed]) and [https://nms.fjfi.cvut.cz/user/?p=admin&sp=mac registered] devices\n*** for problems with devices from the Eduroam network we handle incidents only for users from the <tt>@fjfi.cvut.cz</tt> realm\n*** for other realms we do not have (reliable) information about the true inner identity\n*** for realms from the <tt>cz</tt> domain the Eduroam administrator sends the incident directly to the administrator of the given realm according to information from [http://caas.cesnet.cz CAAS]\n*** for users from abroad it is only possible to reply back to CESNET so that it, as the operator of the national Eduroam, communicates the incident abroad (the relevant logs of the local Eduroam RADIUS server relating to the IP of the problematic device have to be attached)\n** forward the received complaint to the culprit with a request for remediation and always put <tt>nightwatch@lists.fjfi.cvut.cz</tt> in copy, so that there is a traceable record that the incident is being handled\n** for complaints that have a CESNET ticket assigned, <tt>certs@cesnet.cz</tt> must also be informed without delay about the handling of the incident (max 1-2 days)\n** block user devices with a CESNET ticket (and so force a reaction from the user)\n** record information about the incident, and where applicable the date of blocking/unblocking, in the note of the device registration\n\n=Options for securing against unauthorized access=\n\n*the current solution + information about problematic registrations from the [[arpmon|monitoring daemon]] [https://gitlab.fjfi.cvut.cz/comp/arpmon arpmon]\n*allowing routing on CISCO only for addresses assigned by DHCP (requires precise assignment to VLANs - non-trivial, or rather somewhat laborious, but feasible)\n*authentication of LAN clients via RADIUS (impossible to implement without switches that support RADIUS authentication)"
                    }
                ]
            },
            "1566": {
                "pageid": 1566,
                "ns": 0,
                "title": "Roc.fjfi.cvut.cz",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "{{Servers}}\n\n=Basic information=\n\n;Administrator : [http://nms.fjfi.cvut.cz/user/who.php?uid=vokacpet Petr Vok\u00e1\u010d]\n;HW : \n;OS : [http://www.centos.org CentOS7]\n;Usage :\n;Account : -\n\n=Installation and configuration=\n\n==ZFS configuration==\n\n cat > /etc/modprobe.d/zfs.conf <<EOF\n # limit size of ARC cache to 8GB\n options zfs zfs_arc_max=8589934592\n EOF\n \n zpool create -f -o ashift=12 -m /mnt/data data mirror ata-WDC_WD6003FFBX-68MU3N0_V8G4DZXM ata-WDC_WD6003FFBX-68MU3N0_V8G4TBZM\n \n zpool add data cache nvme-Samsung_SSD_970_EVO_2TB_S464NB0K700355Z-part6\n zpool add data log nvme-Samsung_SSD_970_EVO_2TB_S464NB0K700355Z-part7\n \n zfs set xattr=sa data\n #zfs set acltype=posixacl data\n #zfs set compression=lz4 data\n zfs set atime=off data\n zfs set relatime=off  data\n \n zfs create data/test\n zfs create -V 1g data/block\n zfs create -s -V 1g data/thinvol"
                    }
                ]
            }
        }
    }
}