银行网络应急方案样本.doc

1、银行网络应急方案XX股份网络和安全服务部2月目录一、银行网络结构拓扑3二、骨干网通信故障31.故障处理人员32.电信、联通网络通信故障33.通信故障恢复34.到总行路由器故障45.路由器故障处理4三、关键交换机故障应急51.一台4506交换机故障应急52.当关键交换同时瘫痪在20分钟内确保业务正常运作7四、第三方外联区网络应急191.第三方业务银联区网络应急192.其它第三方业务区网络应急46五、联络方法：56一、 银行网络结构拓扑二、 骨干网通信故障1. 故障处理人员 参与人：XX、XX、XX2. 电信、联通网络通信故障依据到总行两台cisco 7206路由器日志和实际登陆设备使用show

2、int ATM4/0.1 、ping对端地址、show ip route、show log，查看上述相关设备和线路是否有反复重起、误码率高、异常路由、错误连接等情况即可确定故障。3. 通信故障恢复恢复步骤：1）重启故障新路相连路由器，看是否能够自动恢复2) 断电重起无法处理故障，停止使用故障设备和线路，预防其影响网络其它部分。3) 如系线路故障通知各相关方面（逐项对照处理）： 如为中国电信线路故障，向31000000 报修，并通知分行办公室相关人员。 如为中国联通线路故障，向XXXX 报修，并通知分行办公室相关人员。4. 到总行路由器故障查看日志，检验设备故障前异常日志信息；登陆路由器使用sh

3、ow log，show ip int brie , show process cpu his , show ip route , ping对端地址等命令来确定故障。5. 路由器故障处理一旦发觉到总行7206路由器故障可按以下步骤来处理：联络XX企业，并开启原厂商保修服务备件更换程序。因为两台7206路由器是互为备份，一台发生故障不影响实际业务，不调用库房备件和集成商备件更换，等候原厂商备件抵达。 对于能够在线插拔接口模块、有standby 引擎和电源，优先使用在线更换方法。在线更换具体操作步骤以下：a) 用笔记本电脑连接在网络设备Console 上，开启Console 监控和统计；b) 准备好

4、存档系统配置，备用。如有可能，同时保留目前系统配置；c) 对故障模块上连接线缆做好标识，小心拔下；d) 做好安全接地，拔下故障模块；e) 检验设备和模块状态，确定是否影响整个设备或其它模块正常运行，standby 模块是否正常接管；f) 做好安全接地，插上更换备件模块；g) 检验设备和模块状态，确定是否能够正常识别新模块，是否影响其它模块运行；h) 按原样插上线缆；i) 检验线缆连接状态正常；j) 确定备件更换成功。l 对于机箱、不能在线插拔接口模块、或没有standby 引擎和电源，采取下电更换方法。下电更换具体操作步骤以下：a) 准备好存档系统配置，备用。如有可能，同时保留目前系统配置；b

5、) 准备好原先使用系统软件，备用；c) 故障设备下电；d) 对需要拔除线缆做好标识，小心拔下。假如机箱或引擎更换，需拔除全部连接线缆；e) 更换备件；f) 用笔记本电脑连接在网络设备Console 上，开启Console 监控和统计；g) 设备上电；h) 检验系统自检情况，确定无硬件故障；i) 安装系统软件；j) 恢复系统配置；k) 冷开启，确定软硬件正常工作； l) 按原样插上其它线缆；m) 检验线缆连接状态正常；n) 确定备件更换成功。三、 关键交换机故障应急1. 一台4506交换机故障应急查看日志，检验设备故障前异常日志信息；登陆交换机使用show log，show ip int bri

6、e , show process cpu his , show ip route , ping对端地址，show vlan brie , show vtp stat , show process mem , show modul , show diag , show ip eigrp nei , show cdp nei等一系列命令来查找、确定故障。因为两台4506关键交换机完全是热备双机，所以一台发生故障并不影响业务运行。对于配置问题要制订正确更改配置脚本，备份目前配置以后实施更改；对于线路问题要制作新网线，替换故障网线；对于硬件问题要练习XX企业，申请硬件故障维修。对于能够在线插拔接口模块

7、、有standby 引擎和电源，优先使用在线更换方法。在线更换具体操作步骤以下：a) 用笔记本电脑连接在网络设备Console 上，开启Console 监控和统计；b) 准备好存档系统配置，备用。如有可能，同时保留目前系统配置；c) 对故障模块上连接线缆做好标识，小心拔下；d) 做好安全接地，拔下故障模块；e) 检验设备和模块状态，确定是否影响整个设备或其它模块正常运行，standby 模块是否正常接管；f) 做好安全接地，插上更换备件模块；g) 检验设备和模块状态，确定是否能够正常识别新模块，是否影响其它模块运行；h) 按原样插上线缆；i) 检验线缆连接状态正常；j) 确定备件更换成功。l

8、对于机箱、不能在线插拔接口模块、或没有standby 引擎和电源，采取下电更换方法。下电更换具体操作步骤以下：a) 准备好存档系统配置，备用。如有可能，同时保留目前系统配置；b) 准备好原先使用系统软件，备用；c) 故障设备下电；d) 对需要拔除线缆做好标识，小心拔下。假如机箱或引擎更换，需拔除全部连接线缆；e) 更换备件；f) 用笔记本电脑连接在网络设备Console 上，开启Console 监控和统计；g) 设备上电；h) 检验系统自检情况，确定无硬件故障；i) 安装系统软件；j) 恢复系统配置；k) 冷开启，确定软硬件正常工作；l) 对于交换机要将VTP 设置为Client 模式，首先连

9、接上行线缆，确定VTP 复制正确；m) 按原样插上其它线缆；n) 检验线缆连接状态正常；o) 确定备件更换成功。2. 当关键交换同时瘫痪在20分钟内确保业务正常运作现有2台备用cisco3550，在两台关键cisco4506同事瘫痪后，将其作为关键交换来确保业务正常运作，同时保持原有网络拓扑及网络关键安全策略和qos。3550关键交换配置定义设备命名hostname production设备软件版本使用支持动态路由协议IOS：c3550-i5k2l2q3-mz.121-13.EA1a.binVlan定义1 default active Fa0/1, Fa0/2, Fa0/35, Fa0/36

10、Fa0/37, Fa0/38, Fa0/39, Fa0/40 Fa0/41, Fa0/42, Fa0/43, Fa0/44 Fa0/45, Fa0/46, Fa0/47, Fa0/482 vlan0002 active Fa0/10, Fa0/21, Fa0/25, Fa0/34 Gi0/1, Gi0/23 vlan0003 active Fa0/5, Fa0/8, Fa0/11, Fa0/12 Fa0/17, Fa0/19, Fa0/20, Fa0/22 Fa0/28, Fa0/29, Fa0/30, Fa0/324 vlan0004 active Fa0/13, Fa0/18, Fa0/2

11、75 vlan0005 active Fa0/76 vlan0006 active 10 vlan0010 active Fa0/4, Fa0/6, Fa0/1420 vlan0020 active 30 vlan0030 active 40 vlan0040 active 50 VLAN0050 active 60 VLAN0060 active 63 vlan0063 active 128 vlan0128 active Fa0/3, Fa0/24, Fa0/26, Fa0/31 Fa0/33195 vlan195 active Fa0/16, Fa0/23196 vlan196 acti

12、ve 255 VLAN0255 active Fa0/9, Fa0/15Ip地址分配及hsrpinterface Vlan1 no ip address no ip redirects shutdown standby 10 priority 100 standby 10 preempt!interface Vlan2 ip address 10.20.191.2 255.255.255.0 ip access-group 101 in no ip redirects standby 20 ip 10.20.191.1 standby 20 priority 150 standby 20 pr

13、eempt! interface Vlan3 ip address 10.20.189.2 255.255.255.0 ip access-group 101 in no ip redirects standby 30 ip 10.20.189.1 standby 30 priority 150 standby 30 preempt!interface Vlan4 ip address 10.20.187.66 255.255.255.192 no ip redirects standby 40 ip 10.20.187.65 standby 40 priority 150 standby 4

14、0 preempt!interface Vlan5 ip address 10.20.187.2 255.255.255.192 no ip redirects standby 50 ip 10.20.187.1 standby 50 priority 150 standby 50 preempt!interface Vlan6 no ip address no ip redirects shutdown standby 60 ip 10.20.185.3 standby 60 priority 150 standby 60 preempt!interface Vlan10 ip addres

15、s 10.20.0.2 255.255.255.0 ip access-group 103 in no ip redirects standby 100 ip 10.20.0.1 standby 100 timers 5 15 standby 100 priority 200 standby 100 preempt standby 100 track Vlan10 50!interface Vlan20 no ip address no ip redirects standby 110 timers 5 15 standby 110 priority 150 standby 110 preem

16、pt standby 110 track Vlan20 50!interface Vlan30 no ip address ip access-group 101 in no ip redirects shutdown standby 120 ip 10.20.198.100 standby 120 timers 5 15 standby 120 priority 200 standby 120 preempt standby 120 track Vlan30 50!interface Vlan40 no ip address ip access-group 101 in no ip redi

17、rects shutdown standby 130 ip 10.20.197.100 standby 130 timers 5 15 standby 130 priority 150 standby 130 preempt standby 130 track Vlan40 50!interface Vlan50 ip address 10.20.1.2 255.255.255.0 ip helper-address 10.20.0.10 no ip redirects standby 150 ip 10.20.1.1 standby 150 timers 5 15 standby 150 p

18、riority 150 standby 150 preempt standby 150 track Vlan150!interface Vlan63 no ip address no ip redirects!interface Vlan128 ip address 10.20.128.4 255.255.255.0 ip access-group 101 in no ip redirects standby 160 ip 10.20.128.8 standby 160 timers 5 15 standby 160 priority 150 standby 160 preempt stand

19、by 160 track Vlan128 50!interface Vlan150 no ip address shutdown!interface Vlan195 ip address 10.20.195.2 255.255.255.0 no ip redirects standby 195 ip 10.20.195.1 standby 195 priority 150 standby 195 preempt!interface Vlan196 no ip address no ip redirects shutdown standby 196 ip 10.20.196.1 standby

20、196 priority 100 standby 196 preempt!interface Vlan255 ip address 10.20.255.2 255.255.255.0 no ip redirects standby 255 ip 10.20.255.1 standby 255 priority 200 standby 255 preempt路由策略router eigrp 20 redistribute static network 10.20.0.0 0.0.255.255 no auto-summary no eigrp log-neighbor-changesip rou

21、te 0.0.0.0 0.0.0.0 10.20.191.18ip route 10.20.9.1 255.255.255.255 10.20.191.18ip route 10.20.9.111 255.255.255.255 10.20.191.18ip route 10.20.184.0 255.255.255.0 10.20.191.18ip route 10.20.186.0 255.255.255.0 10.20.191.18ip route 10.20.186.245 255.255.255.255 10.20.191.18ip route 10.20.210.3 255.255

22、.255.255 10.20.255.15ip route 10.20.210.4 255.255.255.255 10.20.255.16ip route 10.20.210.5 255.255.255.255 10.20.255.17ip route 10.20.210.11 255.255.255.255 10.20.191.18ip route 10.20.210.12 255.255.255.255 10.20.191.18ip route 10.20.210.13 255.255.255.255 10.20.191.18ip route 10.20.210.14 255.255.2

23、55.255 10.20.191.18interface Vlan2 ip address 10.20.191.2 255.255.255.0 ip access-group 101 ininterface Vlan3 ip address 10.20.189.2 255.255.255.0 ip access-group 101 ininterface Vlan30 no ip address ip access-group 101 ininterface Vlan40 no ip address ip access-group 101 ininterface Vlan128 ip addr

24、ess 10.20.128.4 255.255.255.0 ip access-group 101 inaccess-list 101 permit ip host 10.20.0.240 host 10.20.186.246access-list 101 permit ip host 10.20.0.240 host 10.20.186.245access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.

25、0.0 0.0.255.255access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255access-list 101 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255access-l

26、ist 101 permit ip any anyinterface Vlan10 ip address 10.20.0.2 255.255.255.0 ip access-group 103 inaccess-list 103 permit ip host 10.20.0.245 host 10.20.184.10access-list 103 permit ip host 10.20.0.240 host 10.20.184.10access-list 103 permit ip host 10.20.0.240 host 10.20.186.246access-list 103 perm

27、it ip host 10.20.0.240 host 10.20.186.245access-list 103 permit ip host 10.20.0.245 host 10.20.184.18access-list 103 permit ip host 10.20.0.240 host 10.20.184.18access-list 103 permit ip host 10.20.0.245 host 10.20.184.12access-list 103 permit ip host 10.20.0.240 host 10.20.184.5access-list 103 perm

28、it ip host 10.20.0.21 host 10.20.184.20access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.3access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.4access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.7access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.30access-list

29、103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.15access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.16access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.20access-list 103 permit ip 10.20.2.0 0.0.0.255 host 10.20.184

30、.13access-list 103 permit ip 10.20.3.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.17access-list 103 permit ip host 10.20.0.245 host 10.20.184.19access-list 103 permit ip host 10.20.0.240 host 10.20.184.19access-list 103 deny ip 192.168.0.0 0.0.255.255 10.

31、0.128.0 0.255.63.255access-list 103 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255access-list 103 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255ac

32、cess-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255access-list 103 permit ip any anyQos作为关键交换机无需在此配置qos安全策略aaa new-modelaaa authentication login spdb-acs group tacacs+ enableaaa accounting exec spdb-acs start-stop group tacacs+aaa accounting commands 0 spdb-acs start-stop group tacac

33、s+aaa accounting commands 1 spdb-acs start-stop group tacacs+aaa accounting commands 2 spdb-acs start-stop group tacacs+aaa accounting commands 3 spdb-acs start-stop group tacacs+aaa accounting commands 4 spdb-acs start-stop group tacacs+aaa accounting commands 5 spdb-acs start-stop group tacacs+aaa

34、 accounting commands 6 spdb-acs start-stop group tacacs+aaa accounting commands 7 spdb-acs start-stop group tacacs+aaa accounting commands 8 spdb-acs start-stop group tacacs+aaa accounting commands 9 spdb-acs start-stop group tacacs+aaa accounting commands 10 spdb-acs start-stop group tacacs+aaa acc

35、ounting commands 11 spdb-acs start-stop group tacacs+aaa accounting commands 12 spdb-acs start-stop group tacacs+aaa accounting commands 13 spdb-acs start-stop group tacacs+aaa accounting commands 14 spdb-acs start-stop group tacacs+aaa accounting commands 15 spdb-acs start-stop group tacacs+ip taca

36、cs source-interface Loopback0tacacs-server host 10.100.64.57tacacs-server host 10.100.64.54tacacs-server key s9y8logging trap debugginglogging source-interface Loopback0logging 10.20.189.24logging 10.100.64.65line vty 0 4 exec-timeout 5 0 accounting commands 0 spdb-acs accounting commands 1 spdb-acs

37、 accounting commands 2 spdb-acs accounting commands 3 spdb-acs accounting commands 4 spdb-acs accounting commands 5 spdb-acs accounting commands 6 spdb-acs accounting commands 7 spdb-acs accounting commands 8 spdb-acs accounting commands 9 spdb-acs accounting commands 10 spdb-acs accounting commands

38、 11 spdb-acs accounting commands 12 spdb-acs accounting commands 13 spdb-acs accounting commands 14 spdb-acs accounting commands 15 spdb-acs accounting exec spdb-acs login authentication spdb-acs网管配置access-list 10 permit 10.100.64.68access-list 10 permit 10.100.64.69access-list 10 permit 10.100.64.6

39、6access-list 10 permit 10.100.64.67access-list 10 permit 10.100.64.65snmp-server community public ROsnmp-server community read RO 10snmp-server trap-source Loopback0snmp-server enable traps snmp authentication warmstartsnmp-server enable traps configsnmp-server enable traps entitysnmp-server enable

40、traps rtrsnmp-server enable traps vtpsnmp-server host 10.20.189.24 public snmp-server host 10.100.64.65 read其它配置service timestamps debug datetime localtime show-timezoneservice timestamps log datetime localtime show-timezoneservice password-encryptionno ip domain-lookupip cef load-sharing algorithm

41、originalclock timezone BJT 8ntp source Loopback0ntp server 10.100.64.70monitor session 1 source vlan 1 , 10 , 192 rxmonitor session 1 destination interface Fa0/5网络实施前期准备一、8条交叉线（2条做trunk，6条连向楼层交换机）二、将楼层交换机fa0/47和48口空出来，并做好对应配置实施步骤第一步：两台3550上架并加电启用（估计3分钟）第二步：将连接hp小机光纤接口连到3550上（估计1分钟） cisco4506主gigabit

42、1/1对应3550主gigabit0/1 cisco4506主gigabit2/2对应3550主gigabit0/2 cisco4506备gigabit1/1对应3550主gigabit0/1 cisco4506备gigabit2/2对应3550主gigabit0/2第三步：将现成交叉线在3550主备之间互连做etherchannel(估计1分钟) 3550主fa0/47对应3550备fa0/47 3550主fa0/48对应3550备fa0/48第四步：将连在cisco4506上全部电口全部挪向3550上（估计5分钟） cisco4506主fa2/3对应3550主fa0/3 cisco4506

43、主fa2/4对应3550主fa0/4 以这类推 cisco4506主fa2/34对应3550主fa0/34 cisco4506备fa2/3对应3550备fa0/3 cisco4506备fa2/4对应3550备fa0/4 以这类推 cisco4506备fa2/34对应3550备fa0/34第五步：3台楼层交换机和3550之间互连（估计3分钟） 3550主fa0/41对应255.15fa0/47 3550主fa0/43对应255.16fa0/47 3550主fa0/45对应255.17fa0/47 3550备fa0/41对应255.15fa0/48 3550备fa0/43对应255.16fa0/48 3550备fa0/45对应255.17fa0/48四、 第三方外联区网络应急1. 第三方业务银联区网络应急线路故障：发生故障时，登陆ASA防火墙、交换机、路