Bank Network Contingency Plan
XX Co., Ltd., Network and Security Services Department
February

Contents
I. Bank network topology
II. Backbone communication failures
  1. Fault handling personnel
  2. China Telecom and China Unicom network communication failures
  3. Communication failure recovery
  4. Failure of a router to the head office
  5. Router failure handling
III. Core switch failure contingency
  1. Contingency for failure of one 4506 switch
  2. Keeping business running within 20 minutes when both core switches fail at the same time
IV. Third-party extranet zone network contingency
  1. UnionPay third-party business zone network contingency
  2. Other third-party business zone network contingency
V. Contact information

I. Bank network topology

II. Backbone communication failures

1. Fault handling personnel
Participants: XX, XX, XX

2. China Telecom and China Unicom network communication failures
Use the logs of the two Cisco 7206 routers facing the head office, and log in to the devices to run show int ATM4/0.1, ping the far-end address, show ip route and show log. The fault is identified by checking whether the devices and lines involved show repeated reloads, high bit error rates, abnormal routes, wrong connections or similar conditions.

3. Communication failure recovery
Recovery steps:
1) Reload the router connected to the faulty line and check whether it recovers on its own.
2) If a power cycle does not clear the fault, take the faulty device and line out of service so that they cannot affect the rest of the network.
3) If the fault is on a line, notify the relevant parties (check each item in turn):
● For a China Telecom line fault, report it to 31000000 and notify the relevant staff in the branch office.
● For a China Unicom line fault, report it to XXXX and notify the relevant staff in the branch office.

4. Failure of a router to the head office
Check the logs for abnormal messages from before the failure; log in to the router and use show log, show ip int brie, show process cpu his, show ip route, ping to the far-end address and similar commands to determine the fault.

5. Router failure handling
Once a 7206 router facing the head office is found to be faulty, proceed as follows:
● Contact XX company and start the original vendor's warranty spare-part replacement procedure.
● The two 7206 routers back each other up, so the failure of one does not affect business. Do not replace the unit with spares from the warehouse or from the integrator; wait for the vendor's spare part to arrive.
● Where the interface module is hot-swappable and there is a standby engine and power supply, prefer online replacement. The online replacement steps are:
a) Connect a laptop to the device's console port and start console monitoring and logging;
b) Have the archived system configuration ready as a fallback and, if possible, also save the current running configuration;
c) Label the cables attached to the faulty module and unplug them carefully;
d) Ground yourself properly and remove the faulty module;
e) Check device and module status to determine whether the whole device or any other module is affected and whether the standby module has taken over correctly;
f) Ground yourself properly and insert the replacement module;
g) Check device and module status to confirm that the new module is recognised correctly and that the other modules are unaffected;
h) Reconnect the cables as they were;
i) Verify that the cable connections are up;
j) Confirm that the replacement has succeeded.
● For a chassis, a module that cannot be hot-swapped, or a device with no standby engine and power supply, use powered-off replacement. The powered-off replacement steps are:
a) Have the archived system configuration ready as a fallback and, if possible, also save the current running configuration;
b) Have the system software image that was in use ready as a fallback;
c) Power off the faulty device;
d) Label the cables that need to be removed and unplug them carefully; if the chassis or the engine is being replaced, remove all connected cables;
e) Replace the part;
f) Connect a laptop to the device's console port and start console monitoring and logging;
g) Power on the device;
h) Check the power-on self-test and confirm that there is no hardware fault;
i) Install the system software;
j) Restore the system configuration;
k) Cold start and confirm that hardware and software are working normally;
l) Reconnect the other cables as they were;
m) Verify that the cable connections are up;
n) Confirm that the replacement has succeeded.

III. Core switch failure contingency

1. Contingency for failure of one 4506 switch
Check the logs for abnormal messages from before the failure; log in to the switch and use show log, show ip int brie, show process cpu his, show ip route, ping to the far-end address, show vlan brie, show vtp stat, show process mem, show modul, show diag, show ip eigrp nei, show cdp nei and similar commands to locate and determine the fault.
The two 4506 core switches are a fully hot-standby pair, so the failure of one does not affect business. For a configuration problem, write a correct change script and back up the current configuration before applying the change; for a cabling problem, make a new cable and replace the faulty one; for a hardware problem, contact XX company and request hardware repair.
● Where the interface module is hot-swappable and there is a standby engine and power supply, prefer online replacement. The online replacement steps are:
a) Connect a laptop to the device's console port and start console monitoring and logging;
b) Have the archived system configuration ready as a fallback and, if possible, also save the current running configuration;
c) Label the cables attached to the faulty module and unplug them carefully;
d) Ground yourself properly and remove the faulty module;
e) Check device and module status to determine whether the whole device or any other module is affected and whether the standby module has taken over correctly;
f) Ground yourself properly and insert the replacement module;
g) Check device and module status to confirm that the new module is recognised correctly and that the other modules are unaffected;
h) Reconnect the cables as they were;
i) Verify that the cable connections are up;
j) Confirm that the replacement has succeeded.
● For a chassis, a module that cannot be hot-swapped, or a device with no standby engine and power supply, use powered-off replacement. The powered-off replacement steps are:
a) Have the archived system configuration ready as a fallback and, if possible, also save the current running configuration;
b) Have the system software image that was in use ready as a fallback;
c) Power off the faulty device;
d) Label the cables that need to be removed and unplug them carefully; if the chassis or the engine is being replaced, remove all connected cables;
e) Replace the part;
f) Connect a laptop to the device's console port and start console monitoring and logging;
g) Power on the device;
h) Check the power-on self-test and confirm that there is no hardware fault;
i) Install the system software;
j) Restore the system configuration;
k) Cold start and confirm that hardware and software are working normally;
l) For a switch, set VTP to client mode, connect the uplink cable first and confirm that VTP replication is correct;
m) Reconnect the other cables as they were;
n) Verify that the cable connections are up;
o) Confirm that the replacement has succeeded.

2. Keeping business running within 20 minutes when both core switches fail at the same time
There are two spare Cisco 3550s. If both core Cisco 4506s fail at the same time, the 3550s take over as the core switches to keep business running, while the existing network topology and the core security policy and QoS are preserved.

3550 core switch configuration definition

Device naming
  hostname production

Device software version
  An IOS image that supports dynamic routing protocols: c3550-i5k2l2q3-mz.121-13.EA1a.bin

VLAN definition
  VLAN  Name      Status  Ports
  1     default   active  Fa0/1, Fa0/2, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40,
                          Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47, Fa0/48
  2     vlan0002  active  Fa0/10, Fa0/21, Fa0/25, Fa0/34, Gi0/1, Gi0/2
  3     vlan0003  active  Fa0/5, Fa0/8, Fa0/11, Fa0/12, Fa0/17, Fa0/19, Fa0/20, Fa0/22,
                          Fa0/28, Fa0/29, Fa0/30, Fa0/32
  4     vlan0004  active  Fa0/13, Fa0/18, Fa0/27
  5     vlan0005  active  Fa0/7
  6     vlan0006  active
  10    vlan0010  active  Fa0/4, Fa0/6, Fa0/14
  20    vlan0020  active
  30    vlan0030  active
  40    vlan0040  active
  50    VLAN0050  active
  60    VLAN0060  active
  63    vlan0063  active
  128   vlan0128  active  Fa0/3, Fa0/24, Fa0/26, Fa0/31, Fa0/33
  195   vlan195   active  Fa0/16, Fa0/23
  196   vlan196   active
  255   VLAN0255  active  Fa0/9, Fa0/15

IP address assignment and HSRP
  interface Vlan1
   no ip address
   no ip redirects
   shutdown
   standby 10 priority 100
   standby 10 preempt
  !
  interface Vlan2
   ip address 10.20.191.2 255.255.255.0
   ip access-group 101 in
   no ip redirects
   standby 20 ip 10.20.191.1
   standby 20 priority 150
   standby 20 preempt
  !
  interface Vlan3
   ip address 10.20.189.2 255.255.255.0
   ip access-group 101 in
   no ip redirects
   standby 30 ip 10.20.189.1
   standby 30 priority 150
   standby 30 preempt
  !
  interface Vlan4
   ip address 10.20.187.66 255.255.255.192
   no ip redirects
   standby 40 ip 10.20.187.65
   standby 40 priority 150
   standby 40 preempt
  !
  interface Vlan5
   ip address 10.20.187.2 255.255.255.192
   no ip redirects
   standby 50 ip 10.20.187.1
   standby 50 priority 150
   standby 50 preempt
  !
  interface Vlan6
   no ip address
   no ip redirects
   shutdown
   standby 60 ip 10.20.185.3
   standby 60 priority 150
   standby 60 preempt
  !
  interface Vlan10
   ip address 10.20.0.2 255.255.255.0
   ip access-group 103 in
   no ip redirects
   standby 100 ip 10.20.0.1
   standby 100 timers 5 15
   standby 100 priority 200
   standby 100 preempt
   standby 100 track Vlan10 50
  !
  interface Vlan20
   no ip address
   no ip redirects
   standby 110 timers 5 15
   standby 110 priority 150
   standby 110 preempt
   standby 110 track Vlan20 50
  !
  interface Vlan30
   no ip address
   ip access-group 101 in
   no ip redirects
   shutdown
   standby 120 ip 10.20.198.100
   standby 120 timers 5 15
   standby 120 priority 200
   standby 120 preempt
   standby 120 track Vlan30 50
  !
  interface Vlan40
   no ip address
   ip access-group 101 in
   no ip redirects
   shutdown
   standby 130 ip 10.20.197.100
   standby 130 timers 5 15
   standby 130 priority 150
   standby 130 preempt
   standby 130 track Vlan40 50
  !
  interface Vlan50
   ip address 10.20.1.2 255.255.255.0
   ip helper-address 10.20.0.10
   no ip redirects
   standby 150 ip 10.20.1.1
   standby 150 timers 5 15
   standby 150 priority 150
   standby 150 preempt
   standby 150 track Vlan150
  !
  interface Vlan63
   no ip address
   no ip redirects
  !
  interface Vlan128
   ip address 10.20.128.4 255.255.255.0
   ip access-group 101 in
   no ip redirects
   standby 160 ip 10.20.128.8
   standby 160 timers 5 15
   standby 160 priority 150
   standby 160 preempt
   standby 160 track Vlan128 50
  !
  interface Vlan150
   no ip address
   shutdown
  !
  interface Vlan195
   ip address 10.20.195.2 255.255.255.0
   no ip redirects
   standby 195 ip 10.20.195.1
   standby 195 priority 150
   standby 195 preempt
  !
  interface Vlan196
   no ip address
   no ip redirects
   shutdown
   standby 196 ip 10.20.196.1
   standby 196 priority 100
   standby 196 preempt
  !
  interface Vlan255
   ip address 10.20.255.2 255.255.255.0
   no ip redirects
   standby 255 ip 10.20.255.1
   standby 255 priority 200
   standby 255 preempt

Routing policy
  router eigrp 20
   redistribute static
   network 10.20.0.0 0.0.255.255
   no auto-summary
   no eigrp log-neighbor-changes
  ip route 0.0.0.0 0.0.0.0 10.20.191.18
  ip route 10.20.9.1 255.255.255.255 10.20.191.18
  ip route 10.20.9.111 255.255.255.255 10.20.191.18
  ip route 10.20.184.0 255.255.255.0 10.20.191.18
  ip route 10.20.186.0 255.255.255.0 10.20.191.18
  ip route 10.20.186.245 255.255.255.255 10.20.191.18
  ip route 10.20.210.3 255.255.255.255 10.20.255.15
  ip route 10.20.210.4 255.255.255.255 10.20.255.16
  ip route 10.20.210.5 255.255.255.255 10.20.255.17
  ip route 10.20.210.11 255.255.255.255 10.20.191.18
  ip route 10.20.210.12 255.255.255.255 10.20.191.18
  ip route 10.20.210.13 255.255.255.255 10.20.191.18
  ip route 10.20.210.14 255.255.255.255 10.20.191.18

Access control lists
  interface Vlan2
   ip address 10.20.191.2 255.255.255.0
   ip access-group 101 in
  interface Vlan3
   ip address 10.20.189.2 255.255.255.0
   ip access-group 101 in
  interface Vlan30
   no ip address
   ip access-group 101 in
  interface Vlan40
   no ip address
   ip access-group 101 in
  interface Vlan128
   ip address 10.20.128.4 255.255.255.0
   ip access-group 101 in
  access-list 101 permit ip host 10.20.0.240 host 10.20.186.246
  access-list 101 permit ip host 10.20.0.240 host 10.20.186.245
  access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255
  access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
  access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255
  access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255
  access-list 101 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255
  access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255
  access-list 101 permit ip any any
  interface Vlan10
   ip address 10.20.0.2 255.255.255.0
   ip access-group 103 in
  access-list 103 permit ip host 10.20.0.245 host 10.20.184.10
  access-list 103 permit ip host 10.20.0.240 host 10.20.184.10
  access-list 103 permit ip host 10.20.0.240 host 10.20.186.246
  access-list 103 permit ip host 10.20.0.240 host 10.20.186.245
  access-list 103 permit ip host 10.20.0.245 host 10.20.184.18
  access-list 103 permit ip host 10.20.0.240 host 10.20.184.18
  access-list 103 permit ip host 10.20.0.245 host 10.20.184.12
  access-list 103 permit ip host 10.20.0.240 host 10.20.184.5
  access-list 103 permit ip host 10.20.0.21 host 10.20.184.20
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.3
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.4
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.7
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.30
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.13
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.15
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.16
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.20
  access-list 103 permit ip 10.20.2.0 0.0.0.255 host 10.20.184.13
  access-list 103 permit ip 10.20.3.0 0.0.0.255 host 10.20.184.13
  access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.17
  access-list 103 permit ip host 10.20.0.245 host 10.20.184.19
  access-list 103 permit ip host 10.20.0.240 host 10.20.184.19
  access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255
  access-list 103 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
  access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255
  access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255
  access-list 103 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255
  access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255
  access-list 103 permit ip any any

QoS
  As the core switch, no QoS needs to be configured here.

Security policy
  aaa new-model
  aaa authentication login spdb-acs group tacacs+ enable
  aaa accounting exec spdb-acs start-stop group tacacs+
  aaa accounting commands 0 spdb-acs start-stop group tacacs+
  aaa accounting commands 1 spdb-acs start-stop group tacacs+
  aaa accounting commands 2 spdb-acs start-stop group tacacs+
  aaa accounting commands 3 spdb-acs start-stop group tacacs+
  aaa accounting commands 4 spdb-acs start-stop group tacacs+
  aaa accounting commands 5 spdb-acs start-stop group tacacs+
  aaa accounting commands 6 spdb-acs start-stop group tacacs+
  aaa accounting commands 7 spdb-acs start-stop group tacacs+
  aaa accounting commands 8 spdb-acs start-stop group tacacs+
  aaa accounting commands 9 spdb-acs start-stop group tacacs+
  aaa accounting commands 10 spdb-acs start-stop group tacacs+
  aaa accounting commands 11 spdb-acs start-stop group tacacs+
  aaa accounting commands 12 spdb-acs start-stop group tacacs+
  aaa accounting commands 13 spdb-acs start-stop group tacacs+
  aaa accounting commands 14 spdb-acs start-stop group tacacs+
  aaa accounting commands 15 spdb-acs start-stop group tacacs+
  ip tacacs source-interface Loopback0
  tacacs-server host 10.100.64.57
  tacacs-server host 10.100.64.54
  tacacs-server key s9y8
  logging trap debugging
  logging source-interface Loopback0
  logging 10.20.189.24
  logging 10.100.64.65
  line vty 0 4
   exec-timeout 5 0
   accounting commands 0 spdb-acs
   accounting commands 1 spdb-acs
   accounting commands 2 spdb-acs
   accounting commands 3 spdb-acs
   accounting commands 4 spdb-acs
   accounting commands 5 spdb-acs
   accounting commands 6 spdb-acs
   accounting commands 7 spdb-acs
   accounting commands 8 spdb-acs
   accounting commands 9 spdb-acs
   accounting commands 10 spdb-acs
   accounting commands 11 spdb-acs
   accounting commands 12 spdb-acs
   accounting commands 13 spdb-acs
   accounting commands 14 spdb-acs
   accounting commands 15 spdb-acs
   accounting exec spdb-acs
   login authentication spdb-acs

Network management configuration
  access-list 10 permit 10.100.64.68
  access-list 10 permit 10.100.64.69
  access-list 10 permit 10.100.64.66
  access-list 10 permit 10.100.64.67
  access-list 10 permit 10.100.64.65
  snmp-server community public RO
  snmp-server community read RO 10
  snmp-server trap-source Loopback0
  snmp-server enable traps snmp authentication warmstart
  snmp-server enable traps config
  snmp-server enable traps entity
  snmp-server enable traps rtr
  snmp-server enable traps vtp
  snmp-server host 10.20.189.24 public
  snmp-server host 10.100.64.65 read

Other configuration
  service timestamps debug datetime localtime show-timezone
  service timestamps log datetime localtime show-timezone
  service password-encryption
  no ip domain-lookup
  ip cef load-sharing algorithm original
  clock timezone BJT 8
  ntp source Loopback0
  ntp server 10.100.64.70
  monitor session 1 source vlan 1 , 10 , 192 rx
  monitor session 1 destination interface Fa0/5

Network implementation

Preparation
1. Eight crossover cables (2 for the trunk, 6 for the links to the floor switches)
2. Free up ports fa0/47 and fa0/48 on the floor switches and configure them accordingly

Implementation steps
Step 1: Rack and power on the two 3550s (about 3 minutes)
Step 2: Move the fibre links from the HP minicomputer to the 3550s (about 1 minute)
  cisco4506 primary gigabit1/1 maps to 3550 primary gigabit0/1
  cisco4506 primary gigabit2/2 maps to 3550 primary gigabit0/2
  cisco4506 backup gigabit1/1 maps to 3550 primary gigabit0/1
  cisco4506 backup gigabit2/2 maps to 3550 primary gigabit0/2
Step 3: Use existing crossover cables to interconnect the primary and backup 3550 as an EtherChannel (about 1 minute)
  3550 primary fa0/47 maps to 3550 backup fa0/47
  3550 primary fa0/48 maps to 3550 backup fa0/48
Step 4: Move every copper port from the cisco4506s to the 3550s (about 5 minutes)
  cisco4506 primary fa2/3 maps to 3550 primary fa0/3
  cisco4506 primary fa2/4 maps to 3550 primary fa0/4
  and so on, up to
  cisco4506 primary fa2/34 maps to 3550 primary fa0/34
  cisco4506 backup fa2/3 maps to 3550 backup fa0/3
  cisco4506 backup fa2/4 maps to 3550 backup fa0/4
  and so on, up to
  cisco4506 backup fa2/34 maps to 3550 backup fa0/34
Step 5: Interconnect the three floor switches and the 3550s (about 3 minutes)
  3550 primary fa0/41 maps to 255.15 fa0/47
  3550 primary fa0/43 maps to 255.16 fa0/47
  3550 primary fa0/45 maps to 255.17 fa0/47
  3550 backup fa0/41 maps to 255.15 fa0/48
  3550 backup fa0/43 maps to 255.16 fa0/48
  3550 backup fa0/45 maps to 255.17 fa0/48

IV. Third-party extranet zone network contingency

1. UnionPay third-party business zone network contingency
Line failure: when a failure occurs, log in to the ASA firewall, the switches and the rou
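The HSRP settings in the 3550 standby configuration of section III.2 (group 100 on Vlan10: priority 200, preempt, "standby 100 track Vlan10 50") decide which 3550 forwards traffic once the pair is in service. The following Python model is an added example, not part of the plan or of Cisco's software: it reproduces the election rules (highest priority wins, ties go to the higher interface address, a standby takes over only with preempt, and a tracked interface that is down subtracts its decrement, 10 by default). The peer 3550 is not shown on the page, so its address 10.20.0.3 and priority 150 are assumptions.

```python
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional

# Added example (not part of the plan): a small model of HSRP active election,
# used to reason about the 3550 standby-group settings in section III.2.


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # interface address, used as the tie-breaker
    priority: int = 100          # IOS default when "standby priority" is absent
    preempt: bool = False        # "standby <group> preempt"
    # tracked interface -> decrement; IOS uses 10 when no decrement is given
    tracks: Dict[str, int] = field(default_factory=dict)

    def effective_priority(self, down: Iterable[str]) -> int:
        """Priority after subtracting the decrement of each tracked interface that is down."""
        down = set(down)
        prio = self.priority - sum(dec for intf, dec in self.tracks.items() if intf in down)
        return max(prio, 0)


def elect_active(routers: List[HsrpRouter], down: Iterable[str] = (),
                 current_active: Optional[str] = None) -> str:
    """Return the name of the router that ends up HSRP active.

    Highest effective priority wins; ties go to the higher interface address; a
    router that is already active keeps the role unless a peer with a better
    claim has preempt configured (or the active router is no longer present).
    """
    down = set(down)

    def claim(r: HsrpRouter):
        return (r.effective_priority(down), int(IPv4Address(r.ip)))

    best = max(routers, key=claim)
    cur = next((r for r in routers if r.name == current_active), None)
    if cur is None or cur.name == best.name:
        return best.name
    if best.preempt and claim(best) > claim(cur):
        return best.name
    return cur.name


# Vlan10 on the 3550 named "production", exactly as in the plan.
PRIMARY = HsrpRouter("production", "10.20.0.2", priority=200, preempt=True,
                     tracks={"Vlan10": 50})
# The peer 3550 is not on the page: address and priority are assumed here.
BACKUP = HsrpRouter("backup-3550", "10.20.0.3", priority=150, preempt=True)


def scenario(tracked_down: bool, backup_preempt: bool = True, decrement: int = 50) -> str:
    """Who is active for group 100 once the tracked-interface state is applied."""
    primary = replace(PRIMARY, tracks={"Vlan10": decrement})
    backup = replace(BACKUP, preempt=backup_preempt)
    down = {"Vlan10"} if tracked_down else set()
    return elect_active([primary, backup], down, current_active="production")


if __name__ == "__main__":
    print("both up:", scenario(False))
    print("track down, decrement 50:", scenario(True))
    print("track down, peer without preempt:", scenario(True, backup_preempt=False))
    print("track down, default decrement 10:", scenario(True, decrement=10))
```

With the plan's decrement of 50 the primary falls from 200 to 150, which only ties the assumed peer; the tie is broken by the higher interface address, and the peer takes over only because it also has preempt. With the IOS default decrement of 10 (the plan's "standby 150 track Vlan150" on Vlan50 gives none) the primary stays at 190 and keeps the active role, so that tracking would not cause a failover against a 150-priority peer. Note also that Vlan150 is administratively shut down in the same configuration, so group 150 runs permanently decremented; show standby on the live device is the place to confirm what each group's effective priority actually is.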
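Access lists 101 and 103 in the 3550 configuration of section III.2 rely on two things that are easy to misread: the order of entries (the two host permits must precede the broad denies) and the IOS wildcard 0.255.63.255, in which the set bits mean "don't care", so 10.0.128.0 0.255.63.255 covers 10.x.128-191.x. The evaluator below is an added example, not part of the plan or of any Cisco tool: it parses numbered extended "ip" entries as written in the plan, applies first-match semantics with the implicit deny, and checks ACL 101 (copied from the plan) against a few constructed flows.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Added example (not part of the plan): evaluate IOS numbered extended ACLs of
# the "access-list N permit|deny ip SRC DST" form used for ACL 101 and 103.

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class AddrMatch:
    net: int    # address bits that must match
    wild: int   # IOS wildcard: a 1 bit means "don't care"

    def contains(self, addr: str) -> bool:
        care = ~self.wild & MASK32
        return (int(IPv4Address(addr)) & care) == (self.net & care)


@dataclass(frozen=True)
class Ace:
    acl: int
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", ...
    src: AddrMatch
    dst: AddrMatch
    text: str            # original line, reported back on a hit


def _addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse "any", "host A" or "NET WILDCARD" starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrMatch(0, MASK32), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(IPv4Address(tokens[i + 1])), 0), i + 2
    return AddrMatch(int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(config: str) -> List[Ace]:
    """Collect every "access-list" line of a config snippet, keeping order (order is the policy)."""
    aces = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        aces.append(Ace(int(t[1]), t[2], t[3], src, dst, raw.strip()))
    return aces


def evaluate(aces: List[Ace], acl: int, src: str, dst: str,
             proto: str = "ip") -> Tuple[str, Optional[str]]:
    """First matching entry wins; no match (or no entries) ends in the implicit deny."""
    for ace in aces:
        if ace.acl != acl or ace.proto not in ("ip", proto):
            continue
        if ace.src.contains(src) and ace.dst.contains(dst):
            return ace.action, ace.text
    return "deny", None


# ACL 101 copied from the plan's 3550 configuration. Wildcard 0.255.63.255 fixes
# the first octet and the top two bits of the third, so 10.0.128.0 0.255.63.255
# is 10.x.128-191.x and 10.0.192.0 0.255.63.255 is 10.x.192-255.x.
ACL_101 = """
access-list 101 permit ip host 10.20.0.240 host 10.20.186.246
access-list 101 permit ip host 10.20.0.240 host 10.20.186.245
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255
access-list 101 permit ip any any
"""
ACES = parse_acl(ACL_101)

# Constructed sample flows (not from the plan) that exercise each kind of entry.
SAMPLE_FLOWS = [
    ("10.20.0.240", "10.20.186.246"),  # the one host allowed toward 10.20.186.x
    ("10.20.0.5", "10.20.186.245"),    # any other 10.x.0-63.x host toward 10.x.128-191.x
    ("192.168.1.5", "172.16.3.4"),     # 192.168/16 toward 172.16/16
    ("10.20.1.5", "10.20.2.5"),        # destination in 10.x.0-63.x, which no deny covers
]


def report(flows=SAMPLE_FLOWS, acl: int = 101):
    """(src, dst, action, matching line or None) for each flow."""
    return [(s, d) + evaluate(ACES, acl, s, d) for s, d in flows]


if __name__ == "__main__":
    for src, dst, action, hit in report():
        print(f"{src:>14} -> {dst:<14} {action:6} {hit or '(implicit deny)'}")
```

The second flow shows why entry order matters: 10.20.0.5 and 10.20.0.240 both fall inside 10.0.0.0 0.255.63.255, and only the explicit host permits placed before the denies let the one management host through. One difference from a live switch is worth remembering when using such a model: the evaluator ends every lookup in the implicit deny, whereas IOS permits all traffic on an interface whose "ip access-group" refers to an access list that has no entries, so a mistyped list number in the interface configuration fails open; show ip access-lists and show ip interface are the checks for that after a cutover.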