收藏 分销(赏)
立即下载 开通VIP

银行网络应急方案.doc

上传人:胜**** 文档编号:663715 上传时间:2024-01-25 格式:DOC 页数:86 大小:186KB
下载 相关 举报
银行网络应急方案.doc_第1页
第1页 / 共86页
银行网络应急方案.doc_第2页
第2页 / 共86页
银行网络应急方案.doc_第3页
第3页 / 共86页
银行网络应急方案.doc_第4页
第4页 / 共86页
银行网络应急方案.doc_第5页
第5页 / 共86页
点击查看更多>>
资源描述

1、银行网络应急方案862020年4月19日文档仅供参考银行网络应急方案XX股份有限公司网络与安全服务部 2月目录一、银行网络结构拓扑3二、骨干网通信故障31.故障处理人员32.电信、联通网络通信故障33.通信故障恢复34.到总行路由器故障45.路由器故障处理4三、核心交换机故障应急51.一台4506交换机故障应急52.当核心交换同时瘫痪在20分钟内保证业务正常运作7四、第三方外联区网络应急191.第三方业务银联区网络应急192.其它第三方业务区网络应急46五、联系方式:56一、 银行网络结构拓扑二、 骨干网通信故障1. 故障处理人员 参与人:XX、XX、XX2. 电信、联通网络通信故障根据到总行

2、的两台cisco 7206路由器的日志以及实际登陆设备使用show int ATM4/0.1 、ping对端地址、show ip route、show log,查看上述相关设备和线路是否有重复重起、误码率高、异常路由、错误连接等情况即可确认故障。3. 通信故障恢复恢复步骤:1)重启故障新路相连路由器,看是否能够自动恢复2) 断电重起无法解决故障的,停止使用故障设备和线路,防止其影响网络其它部分。3) 如系线路故障通知各有关方面(逐项对照处理): 如为中国电信线路故障,向31000000 报修,并通知分行办公室相关人员。 如为中国联通线路故障,向XXXX 报修,并通知分行办公室相关人员。4. 到

3、总行路由器故障查看日志,检查设备故障前的异常日志信息;登陆路由器使用show log,show ip int brie , show process cpu his , show ip route , ping对端地址等命令来确认故障。5. 路由器故障处理一旦发现到总行7206路由器故障可按以下步骤来处理:联系XX公司,并启动原厂商保修服务备件更换程序。因为两台7206路由器是互为备份的,一台发生故障不影响实际业务,不调用库房备件和集成商备件更换,等待原厂商备件到达。 对于能够在线插拔的接口模块、有standby 的引擎和电源,优先使用在线更换方式。在线更换的具体操作流程如下:a) 用笔记本电

4、脑连接在网络设备的Console 上,启动Console 监控和记录;b) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;c) 对故障模块上连接的线缆做好标记,小心拔下;d) 做好安全接地,拔下故障模块;e) 检查设备和模块状态,确认是否影响整个设备或其它模块正常运行,standby 模块是否正常接管;f) 做好安全接地,插上更换的备件模块;g) 检查设备和模块状态,确认是否能够正常识别新模块,是否影响其它模块运行;h) 按原样插上线缆;i) 检查线缆连接状态正常;j) 确认备件更换成功。l 对于机箱、不能在线插拔的接口模块、或者没有standby 的引擎和电源,采用下电更换方式

5、。下电更换的具体操作流程如下:a) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;b) 准备好原先使用的系统软件,备用;c) 故障设备下电;d) 对需要拔除的线缆做好标记,小心拔下。如果机箱或引擎更换,需拔除所有连接线缆;e) 更换备件;f) 用笔记本电脑连接在网络设备的Console 上,启动Console 监控和记录;g) 设备上电;h) 检查系统自检情况,确认无硬件故障;i) 安装系统软件;j) 恢复系统配置;k) 冷启动,确认软硬件正常工作; l) 按原样插上其它线缆;m) 检查线缆连接状态正常;n) 确认备件更换成功。三、 核心交换机故障应急1. 一台4506交换机故障

6、应急查看日志,检查设备故障前的异常日志信息;登陆交换机使用show log,show ip int brie , show process cpu his , show ip route , ping对端地址,show vlan brie , show vtp stat , show process mem , show modul , show diag , show ip eigrp nei , show cdp nei等一系列命令来查找、确认故障。因为两台4506核心交换机完全是热备的双机,因此一台发生故障并不影响业务运行。对于配置问题要制定正确的更改配置脚本,备份当前配置以后实施更改;

7、对于线路问题的要制作新网线,替换故障的网线;对于硬件问题要练习XX公司,申请硬件故障维修。对于能够在线插拔的接口模块、有standby 的引擎和电源,优先使用在线更换方式。在线更换的具体操作流程如下:a) 用笔记本电脑连接在网络设备的Console 上,启动Console 监控和记录;b) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;c) 对故障模块上连接的线缆做好标记,小心拔下;d) 做好安全接地,拔下故障模块;e) 检查设备和模块状态,确认是否影响整个设备或其它模块正常运行,standby 模块是否正常接管;f) 做好安全接地,插上更换的备件模块;g) 检查设备和模块状态,

8、确认是否能够正常识别新模块,是否影响其它模块运行;h) 按原样插上线缆;i) 检查线缆连接状态正常;j) 确认备件更换成功。l 对于机箱、不能在线插拔的接口模块、或者没有standby 的引擎和电源,采用下电更换方式。下电更换的具体操作流程如下:a) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;b) 准备好原先使用的系统软件,备用;c) 故障设备下电;d) 对需要拔除的线缆做好标记,小心拔下。如果机箱或引擎更换,需拔除所有连接线缆;e) 更换备件;f) 用笔记本电脑连接在网络设备的Console 上,启动Console 监控和记录;g) 设备上电;h) 检查系统自检情况,确认无

9、硬件故障;i) 安装系统软件;j) 恢复系统配置;k) 冷启动,确认软硬件正常工作;l) 对于交换机要将VTP 设置为Client 模式,首先连接上行线缆,确认VTP 复制正确;m) 按原样插上其它线缆;n) 检查线缆连接状态正常;o) 确认备件更换成功。2. 当核心交换同时瘫痪在20分钟内保证业务正常运作现有2台备用的cisco3550,在两台核心cisco4506同事瘫痪后,将其作为核心交换来保证业务的正常运作,同时保持原有的网络拓扑及网络核心的安全策略和qos。3550核心交换配置定义设备命名hostname production设备软件版本使用支持动态路由协议的IOS:c3550-i5

10、k2l2q3-mz.121-13.EA1a.binVlan定义1 default active Fa0/1, Fa0/2, Fa0/35, Fa0/36 Fa0/37, Fa0/38, Fa0/39, Fa0/40 Fa0/41, Fa0/42, Fa0/43, Fa0/44 Fa0/45, Fa0/46, Fa0/47, Fa0/482 vlan0002 active Fa0/10, Fa0/21, Fa0/25, Fa0/34 Gi0/1, Gi0/23 vlan0003 active Fa0/5, Fa0/8, Fa0/11, Fa0/12 Fa0/17, Fa0/19, Fa0/20,

11、 Fa0/22 Fa0/28, Fa0/29, Fa0/30, Fa0/324 vlan0004 active Fa0/13, Fa0/18, Fa0/275 vlan0005 active Fa0/76 vlan0006 active 10 vlan0010 active Fa0/4, Fa0/6, Fa0/1420 vlan0020 active 30 vlan0030 active 40 vlan0040 active 50 VLAN0050 active 60 VLAN0060 active 63 vlan0063 active 128 vlan0128 active Fa0/3, F

12、a0/24, Fa0/26, Fa0/31 Fa0/33195 vlan195 active Fa0/16, Fa0/23196 vlan196 active 255 VLAN0255 active Fa0/9, Fa0/15Ip地址分配及hsrpinterface Vlan1 no ip address no ip redirects shutdown standby 10 priority 100 standby 10 preempt!interface Vlan2 ip address 10.20.191.2 255.255.255.0 ip access-group 101 in no

13、 ip redirects standby 20 ip 10.20.191.1 standby 20 priority 150 standby 20 preempt! interface Vlan3 ip address 10.20.189.2 255.255.255.0 ip access-group 101 in no ip redirects standby 30 ip 10.20.189.1 standby 30 priority 150 standby 30 preempt!interface Vlan4 ip address 10.20.187.66 255.255.255.192

14、 no ip redirects standby 40 ip 10.20.187.65 standby 40 priority 150 standby 40 preempt!interface Vlan5 ip address 10.20.187.2 255.255.255.192 no ip redirects standby 50 ip 10.20.187.1 standby 50 priority 150 standby 50 preempt!interface Vlan6 no ip address no ip redirects shutdown standby 60 ip 10.2

15、0.185.3 standby 60 priority 150 standby 60 preempt!interface Vlan10 ip address 10.20.0.2 255.255.255.0 ip access-group 103 in no ip redirects standby 100 ip 10.20.0.1 standby 100 timers 5 15 standby 100 priority 200 standby 100 preempt standby 100 track Vlan10 50!interface Vlan20 no ip address no ip

16、 redirects standby 110 timers 5 15 standby 110 priority 150 standby 110 preempt standby 110 track Vlan20 50!interface Vlan30 no ip address ip access-group 101 in no ip redirects shutdown standby 120 ip 10.20.198.100 standby 120 timers 5 15 standby 120 priority 200 standby 120 preempt standby 120 tra

17、ck Vlan30 50!interface Vlan40 no ip address ip access-group 101 in no ip redirects shutdown standby 130 ip 10.20.197.100 standby 130 timers 5 15 standby 130 priority 150 standby 130 preempt standby 130 track Vlan40 50!interface Vlan50 ip address 10.20.1.2 255.255.255.0 ip helper-address 10.20.0.10 n

18、o ip redirects standby 150 ip 10.20.1.1 standby 150 timers 5 15 standby 150 priority 150 standby 150 preempt standby 150 track Vlan150!interface Vlan63 no ip address no ip redirects!interface Vlan128 ip address 10.20.128.4 255.255.255.0 ip access-group 101 in no ip redirects standby 160 ip 10.20.128

19、.8 standby 160 timers 5 15 standby 160 priority 150 standby 160 preempt standby 160 track Vlan128 50!interface Vlan150 no ip address shutdown!interface Vlan195 ip address 10.20.195.2 255.255.255.0 no ip redirects standby 195 ip 10.20.195.1 standby 195 priority 150 standby 195 preempt!interface Vlan1

20、96 no ip address no ip redirects shutdown standby 196 ip 10.20.196.1 standby 196 priority 100 standby 196 preempt!interface Vlan255 ip address 10.20.255.2 255.255.255.0 no ip redirects standby 255 ip 10.20.255.1 standby 255 priority 200 standby 255 preempt路由策略router eigrp 20 redistribute static netw

21、ork 10.20.0.0 0.0.255.255 no auto-summary no eigrp log-neighbor-changesip route 0.0.0.0 0.0.0.0 10.20.191.18ip route 10.20.9.1 255.255.255.255 10.20.191.18ip route 10.20.9.111 255.255.255.255 10.20.191.18ip route 10.20.184.0 255.255.255.0 10.20.191.18ip route 10.20.186.0 255.255.255.0 10.20.191.18ip

22、 route 10.20.186.245 255.255.255.255 10.20.191.18ip route 10.20.210.3 255.255.255.255 10.20.255.15ip route 10.20.210.4 255.255.255.255 10.20.255.16ip route 10.20.210.5 255.255.255.255 10.20.255.17ip route 10.20.210.11 255.255.255.255 10.20.191.18ip route 10.20.210.12 255.255.255.255 10.20.191.18ip r

23、oute 10.20.210.13 255.255.255.255 10.20.191.18ip route 10.20.210.14 255.255.255.255 10.20.191.18interface Vlan2 ip address 10.20.191.2 255.255.255.0 ip access-group 101 ininterface Vlan3 ip address 10.20.189.2 255.255.255.0 ip access-group 101 ininterface Vlan30 no ip address ip access-group 101 ini

24、nterface Vlan40 no ip address ip access-group 101 ininterface Vlan128 ip address 10.20.128.4 255.255.255.0 ip access-group 101 inaccess-list 101 permit ip host 10.20.0.240 host 10.20.186.246access-list 101 permit ip host 10.20.0.240 host 10.20.186.245access-list 101 deny ip 192.168.0.0 0.0.255.255 1

25、0.0.128.0 0.255.63.255access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255access-list 101 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255

26、access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255access-list 101 permit ip any anyinterface Vlan10 ip address 10.20.0.2 255.255.255.0 ip access-group 103 inaccess-list 103 permit ip host 10.20.0.245 host 10.20.184.10access-list 103 permit ip host 10.20.0.240 host 10.20.184.10acce

27、ss-list 103 permit ip host 10.20.0.240 host 10.20.186.246access-list 103 permit ip host 10.20.0.240 host 10.20.186.245access-list 103 permit ip host 10.20.0.245 host 10.20.184.18access-list 103 permit ip host 10.20.0.240 host 10.20.184.18access-list 103 permit ip host 10.20.0.245 host 10.20.184.12ac

28、cess-list 103 permit ip host 10.20.0.240 host 10.20.184.5access-list 103 permit ip host 10.20.0.21 host 10.20.184.20access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.3access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.4access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184

29、.7access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.30access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.15access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.16access-list 103 permit ip 10.20.0.0 0.0.0.255

30、host 10.20.184.20access-list 103 permit ip 10.20.2.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.3.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.17access-list 103 permit ip host 10.20.0.245 host 10.20.184.19access-list 103 permit ip host 10.

31、20.0.240 host 10.20.184.19access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255access-list 103 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255

32、.63.255access-list 103 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255access-list 103 permit ip any anyQos作为核心交换机无需在此配置qos安全策略aaa new-modelaaa authentication login spdb-acs group tacacs+ enableaaa accounting exec spdb-acs star

33、t-stop group tacacs+aaa accounting commands 0 spdb-acs start-stop group tacacs+aaa accounting commands 1 spdb-acs start-stop group tacacs+aaa accounting commands 2 spdb-acs start-stop group tacacs+aaa accounting commands 3 spdb-acs start-stop group tacacs+aaa accounting commands 4 spdb-acs start-sto

34、p group tacacs+aaa accounting commands 5 spdb-acs start-stop group tacacs+aaa accounting commands 6 spdb-acs start-stop group tacacs+aaa accounting commands 7 spdb-acs start-stop group tacacs+aaa accounting commands 8 spdb-acs start-stop group tacacs+aaa accounting commands 9 spdb-acs start-stop gro

35、up tacacs+aaa accounting commands 10 spdb-acs start-stop group tacacs+aaa accounting commands 11 spdb-acs start-stop group tacacs+aaa accounting commands 12 spdb-acs start-stop group tacacs+aaa accounting commands 13 spdb-acs start-stop group tacacs+aaa accounting commands 14 spdb-acs start-stop gro

36、up tacacs+aaa accounting commands 15 spdb-acs start-stop group tacacs+ip tacacs source-interface Loopback0tacacs-server host 10.100.64.57tacacs-server host 10.100.64.54tacacs-server key s9y8logging trap debugginglogging source-interface Loopback0logging 10.20.189.24logging 10.100.64.65line vty 0 4 e

37、xec-timeout 5 0 accounting commands 0 spdb-acs accounting commands 1 spdb-acs accounting commands 2 spdb-acs accounting commands 3 spdb-acs accounting commands 4 spdb-acs accounting commands 5 spdb-acs accounting commands 6 spdb-acs accounting commands 7 spdb-acs accounting commands 8 spdb-acs accou

38、nting commands 9 spdb-acs accounting commands 10 spdb-acs accounting commands 11 spdb-acs accounting commands 12 spdb-acs accounting commands 13 spdb-acs accounting commands 14 spdb-acs accounting commands 15 spdb-acs accounting exec spdb-acs login authentication spdb-acs网管配置access-list 10 permit 10

39、.100.64.68access-list 10 permit 10.100.64.69access-list 10 permit 10.100.64.66access-list 10 permit 10.100.64.67access-list 10 permit 10.100.64.65snmp-server community public ROsnmp-server community read RO 10snmp-server trap-source Loopback0snmp-server enable traps snmp authentication warmstartsnmp

40、-server enable traps configsnmp-server enable traps entitysnmp-server enable traps rtrsnmp-server enable traps vtpsnmp-server host 10.20.189.24 public snmp-server host 10.100.64.65 read其它配置service timestamps debug datetime localtime show-timezoneservice timestamps log datetime localtime show-timezon

41、eservice password-encryptionno ip domain-lookupip cef load-sharing algorithm originalclock timezone BJT 8ntp source Loopback0ntp server 10.100.64.70monitor session 1 source vlan 1 , 10 , 192 rxmonitor session 1 destination interface Fa0/5网络实施前期准备一、8条交叉线(2条做trunk,6条连向楼层交换机)二、将楼层交换机的fa0/47和48口空出来,并做好相

42、应的配置实施步骤第一步:两台3550上架并加电启用(预计3分钟)第二步:将连接hp小机的光纤接口连到3550上(预计1分钟) cisco4506主的gigabit1/1对应3550主的gigabit0/1 cisco4506主的gigabit2/2对应3550主的gigabit0/2 cisco4506备的gigabit1/1对应3550主的gigabit0/1 cisco4506备的gigabit2/2对应3550主的gigabit0/2第三步:将现成的交叉线在3550主备之间互连做etherchannel(预计1分钟) 3550主的fa0/47对应3550备的fa0/47 3550主的fa

43、0/48对应3550备的fa0/48第四步:将连在cisco4506上所有的电口都挪向3550上(预计5分钟) cisco4506主的fa2/3对应3550主的fa0/3 cisco4506主的fa2/4对应3550主的fa0/4 以此类推 cisco4506主的fa2/34对应3550主的fa0/34 cisco4506备的fa2/3对应3550备的fa0/3 cisco4506备的fa2/4对应3550备的fa0/4 以此类推 cisco4506备的fa2/34对应3550备的fa0/34第五步:3台楼层交换机与3550之间的互连(预计3分钟) 3550主的fa0/41对应255.15的fa0/47 3550主的fa0/43对应255.16的fa0/47 3550主的fa0/45对应255.17的fa0/47 3550备的fa0/41对应25

展开阅读全文
部分上传会员的收益排行 01、路***(¥15400+),02、曲****(¥15300+),
03、wei****016(¥13200+),04、大***流(¥12600+),
05、Fis****915(¥4200+),06、h****i(¥4100+),
07、Q**(¥3400+),08、自******点(¥2400+),
09、h*****x(¥1400+),10、c****e(¥1100+),
11、be*****ha(¥800+),12、13********8(¥800+)。
相似文档                                   自信AI助手自信AI助手
搜索标签

当前位置:首页 > 应用文书 > 其他

移动网页_全站_页脚广告1

关于我们      便捷服务       自信AI       AI导航        获赠5币

©2010-2025 宁波自信网络信息技术有限公司  版权所有

客服电话:4008-655-100  投诉/维权电话:4009-655-100

gongan.png浙公网安备33021202000488号   

icp.png浙ICP备2021020529号-1  |  浙B2-20240490  

关注我们 :gzh.png    weibo.png    LOFTER.png 

客服