Bank Network Emergency Plan
19 April 2020
XX Co., Ltd.
Network and Security Services Department
February
Contents
I. Bank network topology
II. Backbone communication faults
1. Fault-handling personnel
2. China Telecom / China Unicom network communication faults
3. Communication fault recovery
4. Failure of the routers to head office
5. Router fault handling
III. Core switch fault emergency response
1. Emergency response to failure of one 4506 switch
2. Keeping business running within 20 minutes when both core switches fail simultaneously
IV. Third-party external connection zone network emergency response
1. Third-party UnionPay zone network emergency response
2. Other third-party business zone network emergency response
V. Contact details
I. Bank network topology
II. Backbone communication faults
1. Fault-handling personnel
Participants: XX, XX, XX
2. China Telecom / China Unicom network communication faults
Check the logs of the two Cisco 7206 routers to head office, then log in to the devices and run show int ATM4/0.1, ping the peer address, show ip route and show log; if the devices or lines show repeated restarts, a high bit-error rate, abnormal routes, wrong connections or similar, the fault is confirmed.
3. Communication fault recovery
Recovery steps:
1) Restart the router connected to the faulty line and see whether service recovers automatically.
2) If a power-cycle does not clear the fault, take the faulty device and line out of service so that they cannot affect the rest of the network.
3) If it is a line fault, notify the relevant parties (check and handle each item in turn):
● For a China Telecom line fault, report it on 31000000 and notify the relevant staff in the branch office.
● For a China Unicom line fault, report it on XXXX and notify the relevant staff in the branch office.
4. Failure of the routers to head office
Check the logs for abnormal messages from before the device failed; log in to the router and use show log, show ip int brie, show process cpu his, show ip route, a ping of the peer address and similar commands to confirm the fault.
5. Router fault handling
Once a failure of one of the 7206 routers to head office is found, handle it as follows:
● Contact XX company and start the original vendor's warranty spare-part replacement procedure.
● Because the two 7206 routers back each other up, failure of one does not affect actual business; do not draw on warehouse or integrator spares for the replacement, wait for the original vendor's spare to arrive.
● For hot-swappable interface modules, and for supervisor engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows:
a) Connect a laptop to the device's Console port and start Console monitoring and logging;
b) Have the archived system configuration ready as a fallback; if possible, also save the current configuration;
c) Label the cables attached to the faulty module and unplug them carefully;
d) Ensure proper grounding, then remove the faulty module;
e) Check the status of the device and modules, confirming whether the rest of the device or other modules are affected and whether the standby module has taken over properly;
f) Ensure proper grounding, then insert the replacement module;
g) Check the status of the device and modules, confirming that the new module is recognised correctly and that other modules are unaffected;
h) Reconnect the cables as before;
i) Check that all cable connections are up;
j) Confirm that the spare has been replaced successfully.
● For chassis, non-hot-swappable interface modules, or supervisor engines and power supplies without a standby, use power-down replacement. The power-down replacement procedure is as follows:
a) Have the archived system configuration ready as a fallback; if possible, also save the current configuration;
b) Have the system software previously in use ready as a fallback;
c) Power down the faulty device;
d) Label the cables to be removed and unplug them carefully; if the chassis or engine is being replaced, unplug all cables;
e) Replace the faulty part with the spare;
f) Connect a laptop to the device's Console port and start Console monitoring and logging;
g) Power the device on;
h) Check the power-on self-test and confirm that there are no hardware faults;
i) Install the system software;
j) Restore the system configuration;
k) Cold-start the device and confirm that hardware and software are working normally;
l) Reconnect the other cables as before;
m) Check that all cable connections are up;
n) Confirm that the spare has been replaced successfully.
III. Core switch fault emergency response
1. Emergency response to failure of one 4506 switch
Check the logs for abnormal messages from before the device failed; log in to the switch and use show log, show ip int brie, show process cpu his, show ip route, a ping of the peer address, show vlan brie, show vtp stat, show process mem, show modul, show diag, show ip eigrp nei, show cdp nei and similar commands to locate and confirm the fault.
Because the two 4506 core switches form a fully hot-standby pair, failure of one does not affect business. For configuration problems, write a correct configuration-change script and back up the current configuration before applying the change; for cabling problems, make a new cable and replace the faulty one; for hardware problems, contact XX company and request a hardware repair.
For hot-swappable interface modules, and for supervisor engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows:
a) Connect a laptop to the device's Console port and start Console monitoring and logging;
b) Have the archived system configuration ready as a fallback; if possible, also save the current configuration;
c) Label the cables attached to the faulty module and unplug them carefully;
d) Ensure proper grounding, then remove the faulty module;
e) Check the status of the device and modules, confirming whether the rest of the device or other modules are affected and whether the standby module has taken over properly;
f) Ensure proper grounding, then insert the replacement module;
g) Check the status of the device and modules, confirming that the new module is recognised correctly and that other modules are unaffected;
h) Reconnect the cables as before;
i) Check that all cable connections are up;
j) Confirm that the spare has been replaced successfully.
● For chassis, non-hot-swappable interface modules, or supervisor engines and power supplies without a standby, use power-down replacement. The power-down replacement procedure is as follows:
a) Have the archived system configuration ready as a fallback; if possible, also save the current configuration;
b) Have the system software previously in use ready as a fallback;
c) Power down the faulty device;
d) Label the cables to be removed and unplug them carefully; if the chassis or engine is being replaced, unplug all cables;
e) Replace the faulty part with the spare;
f) Connect a laptop to the device's Console port and start Console monitoring and logging;
g) Power the device on;
h) Check the power-on self-test and confirm that there are no hardware faults;
i) Install the system software;
j) Restore the system configuration;
k) Cold-start the device and confirm that hardware and software are working normally;
l) For a switch, set VTP to Client mode, connect the uplink cable first and confirm that the VTP database has replicated correctly;
m) Reconnect the other cables as before;
n) Check that all cable connections are up;
o) Confirm that the spare has been replaced successfully.
2. Keeping business running within 20 minutes when both core switches fail simultaneously
Two spare Cisco 3550s are available; if both core Cisco 4506s fail at the same time, the 3550s take over as the core switches to keep business running, while the original network topology and the core's security policy and QoS are preserved.
3550 core switch configuration definition
Device naming
hostname production
Device software version
Use an IOS image that supports dynamic routing protocols: c3550-i5k2l2q3-mz.121-13.EA1a.bin
VLAN definition
VLAN  Name      Status  Ports
1     default   active  Fa0/1, Fa0/2, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47, Fa0/48
2     vlan0002  active  Fa0/10, Fa0/21, Fa0/25, Fa0/34, Gi0/1, Gi0/2
3     vlan0003  active  Fa0/5, Fa0/8, Fa0/11, Fa0/12, Fa0/17, Fa0/19, Fa0/20, Fa0/22, Fa0/28, Fa0/29, Fa0/30, Fa0/32
4     vlan0004  active  Fa0/13, Fa0/18, Fa0/27
5     vlan0005  active  Fa0/7
6     vlan0006  active
10    vlan0010  active  Fa0/4, Fa0/6, Fa0/14
20    vlan0020  active
30    vlan0030  active
40    vlan0040  active
50    VLAN0050  active
60    VLAN0060  active
63    vlan0063  active
128   vlan0128  active  Fa0/3, Fa0/24, Fa0/26, Fa0/31, Fa0/33
195   vlan195   active  Fa0/16, Fa0/23
196   vlan196   active
255   VLAN0255  active  Fa0/9, Fa0/15
IP address allocation and HSRP
interface Vlan1
no ip address
no ip redirects
shutdown
standby 10 priority 100
standby 10 preempt
!
interface Vlan2
ip address 10.20.191.2 255.255.255.0
ip access-group 101 in
no ip redirects
standby 20 ip 10.20.191.1
standby 20 priority 150
standby 20 preempt
!
interface Vlan3
ip address 10.20.189.2 255.255.255.0
ip access-group 101 in
no ip redirects
standby 30 ip 10.20.189.1
standby 30 priority 150
standby 30 preempt
!
interface Vlan4
ip address 10.20.187.66 255.255.255.192
no ip redirects
standby 40 ip 10.20.187.65
standby 40 priority 150
standby 40 preempt
!
interface Vlan5
ip address 10.20.187.2 255.255.255.192
no ip redirects
standby 50 ip 10.20.187.1
standby 50 priority 150
standby 50 preempt
!
interface Vlan6
no ip address
no ip redirects
shutdown
standby 60 ip 10.20.185.3
standby 60 priority 150
standby 60 preempt
!
interface Vlan10
ip address 10.20.0.2 255.255.255.0
ip access-group 103 in
no ip redirects
standby 100 ip 10.20.0.1
standby 100 timers 5 15
standby 100 priority 200
standby 100 preempt
standby 100 track Vlan10 50
!
interface Vlan20
no ip address
no ip redirects
standby 110 timers 5 15
standby 110 priority 150
standby 110 preempt
standby 110 track Vlan20 50
!
interface Vlan30
no ip address
ip access-group 101 in
no ip redirects
shutdown
standby 120 ip 10.20.198.100
standby 120 timers 5 15
standby 120 priority 200
standby 120 preempt
standby 120 track Vlan30 50
!
interface Vlan40
no ip address
ip access-group 101 in
no ip redirects
shutdown
standby 130 ip 10.20.197.100
standby 130 timers 5 15
standby 130 priority 150
standby 130 preempt
standby 130 track Vlan40 50
!
interface Vlan50
ip address 10.20.1.2 255.255.255.0
ip helper-address 10.20.0.10
no ip redirects
standby 150 ip 10.20.1.1
standby 150 timers 5 15
standby 150 priority 150
standby 150 preempt
standby 150 track Vlan150
!
interface Vlan63
no ip address
no ip redirects
!
interface Vlan128
ip address 10.20.128.4 255.255.255.0
ip access-group 101 in
no ip redirects
standby 160 ip 10.20.128.8
standby 160 timers 5 15
standby 160 priority 150
standby 160 preempt
standby 160 track Vlan128 50
!
interface Vlan150
no ip address
shutdown
!
interface Vlan195
ip address 10.20.195.2 255.255.255.0
no ip redirects
standby 195 ip 10.20.195.1
standby 195 priority 150
standby 195 preempt
!
interface Vlan196
no ip address
no ip redirects
shutdown
standby 196 ip 10.20.196.1
standby 196 priority 100
standby 196 preempt
!
interface Vlan255
ip address 10.20.255.2 255.255.255.0
no ip redirects
standby 255 ip 10.20.255.1
standby 255 priority 200
standby 255 preempt
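A pre-flight check for the SVI/HSRP configuration above, added here as example code rather than anything from the plan itself: it parses the interface blocks and flags standby groups that cannot work as written (a virtual IP on an SVI with no address, a group that tracks its own interface, or a tracked interface that is shut down). The embedded configuration is an excerpt copied from this page; the check names and thresholds are my own.

```python
import ipaddress
import re

# Excerpt copied from the SVI/HSRP configuration above; Vlan150 is included because Vlan50 tracks it.
SVI_CONFIG = """\
interface Vlan6
 no ip address
 shutdown
 standby 60 ip 10.20.185.3
interface Vlan10
 ip address 10.20.0.2 255.255.255.0
 standby 100 ip 10.20.0.1
 standby 100 track Vlan10 50
interface Vlan50
 ip address 10.20.1.2 255.255.255.0
 standby 150 ip 10.20.1.1
 standby 150 track Vlan150
interface Vlan150
 no ip address
 shutdown
"""

def parse_svis(text):
    """Map each 'interface VlanN' block to its address, shutdown state, HSRP virtual IP and tracked object."""
    svis, cur = {}, {}  # 'cur' starts as a throwaway dict so any line before the first interface is ignored
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = svis.setdefault(line.split()[1], {"ip": None, "shutdown": False, "vip": None, "track": None})
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cur["ip"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")  # IPv4Interface accepts a dotted netmask
        elif line == "shutdown":
            cur["shutdown"] = True
        elif m := re.match(r"standby \d+ ip (\S+)$", line):
            cur["vip"] = m[1]
        elif m := re.match(r"standby \d+ track (\S+)", line):
            cur["track"] = m[1]
    return svis

def check_hsrp(text):
    """Return sorted (interface, finding) pairs for standby groups that cannot work as written."""
    svis, findings = parse_svis(text), []
    for name, s in svis.items():
        if s["vip"] and s["ip"] is None:  # an HSRP group cannot become active without an address on the SVI
            findings.append((name, "standby ip set but the interface has no ip address"))
        if s["track"] == name:
            findings.append((name, "tracking the interface itself has no effect on failover"))
        elif s["track"] in svis and svis[s["track"]]["shutdown"]:
            findings.append((name, f"tracked interface {s['track']} is administratively down"))
    return sorted(findings)
```

Run it against the full configuration before the 3550s are racked; Vlan30 and Vlan40 on this page carry the same "virtual IP without an interface address" pattern as Vlan6.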
Routing policy
router eigrp 20
redistribute static
network 10.20.0.0 0.0.255.255
no auto-summary
no eigrp log-neighbor-changes
ip route 0.0.0.0 0.0.0.0 10.20.191.18
ip route 10.20.9.1 255.255.255.255 10.20.191.18
ip route 10.20.9.111 255.255.255.255 10.20.191.18
ip route 10.20.184.0 255.255.255.0 10.20.191.18
ip route 10.20.186.0 255.255.255.0 10.20.191.18
ip route 10.20.186.245 255.255.255.255 10.20.191.18
ip route 10.20.210.3 255.255.255.255 10.20.255.15
ip route 10.20.210.4 255.255.255.255 10.20.255.16
ip route 10.20.210.5 255.255.255.255 10.20.255.17
ip route 10.20.210.11 255.255.255.255 10.20.191.18
ip route 10.20.210.12 255.255.255.255 10.20.191.18
ip route 10.20.210.13 255.255.255.255 10.20.191.18
ip route 10.20.210.14 255.255.255.255 10.20.191.18
interface Vlan2
ip address 10.20.191.2 255.255.255.0
ip access-group 101 in
interface Vlan3
ip address 10.20.189.2 255.255.255.0
ip access-group 101 in
interface Vlan30
no ip address
ip access-group 101 in
interface Vlan40
no ip address
ip access-group 101 in
interface Vlan128
ip address 10.20.128.4 255.255.255.0
ip access-group 101 in
access-list 101 permit ip host 10.20.0.240 host 10.20.186.246
access-list 101 permit ip host 10.20.0.240 host 10.20.186.245
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255
access-list 101 permit ip any any
interface Vlan10
ip address 10.20.0.2 255.255.255.0
ip access-group 103 in
access-list 103 permit ip host 10.20.0.245 host 10.20.184.10
access-list 103 permit ip host 10.20.0.240 host 10.20.184.10
access-list 103 permit ip host 10.20.0.240 host 10.20.186.246
access-list 103 permit ip host 10.20.0.240 host 10.20.186.245
access-list 103 permit ip host 10.20.0.245 host 10.20.184.18
access-list 103 permit ip host 10.20.0.240 host 10.20.184.18
access-list 103 permit ip host 10.20.0.245 host 10.20.184.12
access-list 103 permit ip host 10.20.0.240 host 10.20.184.5
access-list 103 permit ip host 10.20.0.21 host 10.20.184.20
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.3
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.4
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.7
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.30
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.13
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.15
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.16
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.20
access-list 103 permit ip 10.20.2.0 0.0.0.255 host 10.20.184.13
access-list 103 permit ip 10.20.3.0 0.0.0.255 host 10.20.184.13
access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.17
access-list 103 permit ip host 10.20.0.245 host 10.20.184.19
access-list 103 permit ip host 10.20.0.240 host 10.20.184.19
access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255
access-list 103 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255
access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255
access-list 103 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255
access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255
access-list 103 permit ip any any
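An evaluator for the extended ACLs above, added here as example code (not tooling from the plan): it parses access-list 101 as copied from this page and applies IOS first-match semantics with wildcard masks, so a source/destination pair can be checked against the policy before the 3550s go into service. The same parser handles access-list 103; only the permit lines differ.

```python
import ipaddress

# Copy of access-list 101 from this page (first match wins). A wildcard of 0.255.63.255 keeps the first
# octet and the top two bits of the third, so 10.0.0.0 is 10.x.0-63.x and 10.0.128.0 is 10.x.128-191.x.
ACL_101 = """\
access-list 101 permit ip host 10.20.0.240 host 10.20.186.246
access-list 101 permit ip host 10.20.0.240 host 10.20.186.245
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255
access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255
access-list 101 permit ip any any
"""

def _addr_spec(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src_spec, dst_spec) tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _addr_spec(t[4:])
        dst, _ = _addr_spec(rest)
        rules.append((t[2], src, dst))
    return rules

def _matches(spec, addr):
    """A wildcard bit of 1 means 'don't care', so only the bits where the wildcard is 0 are compared."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, src, dst):
    """Apply first-match semantics; like IOS, an unmatched packet hits the implicit deny at the end."""
    for action, s, d in rules:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

RULES = parse_acl(ACL_101)
```

Note that the deny lines are one-directional: a source in 10.20.191.x (third octet 128-191) is not covered by 10.0.0.0 0.255.63.255 and falls through to permit ip any any.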
QoS
As the core switch, no QoS needs to be configured here.
Security policy
aaa new-model
aaa authentication login spdb-acs group tacacs+ enable
aaa accounting exec spdb-acs start-stop group tacacs+
aaa accounting commands 0 spdb-acs start-stop group tacacs+
aaa accounting commands 1 spdb-acs start-stop group tacacs+
aaa accounting commands 2 spdb-acs start-stop group tacacs+
aaa accounting commands 3 spdb-acs start-stop group tacacs+
aaa accounting commands 4 spdb-acs start-stop group tacacs+
aaa accounting commands 5 spdb-acs start-stop group tacacs+
aaa accounting commands 6 spdb-acs start-stop group tacacs+
aaa accounting commands 7 spdb-acs start-stop group tacacs+
aaa accounting commands 8 spdb-acs start-stop group tacacs+
aaa accounting commands 9 spdb-acs start-stop group tacacs+
aaa accounting commands 10 spdb-acs start-stop group tacacs+
aaa accounting commands 11 spdb-acs start-stop group tacacs+
aaa accounting commands 12 spdb-acs start-stop group tacacs+
aaa accounting commands 13 spdb-acs start-stop group tacacs+
aaa accounting commands 14 spdb-acs start-stop group tacacs+
aaa accounting commands 15 spdb-acs start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.100.64.57
tacacs-server host 10.100.64.54
tacacs-server key s9y8
logging trap debugging
logging source-interface Loopback0
logging 10.20.189.24
logging 10.100.64.65
line vty 0 4
exec-timeout 5 0
accounting commands 0 spdb-acs
accounting commands 1 spdb-acs
accounting commands 2 spdb-acs
accounting commands 3 spdb-acs
accounting commands 4 spdb-acs
accounting commands 5 spdb-acs
accounting commands 6 spdb-acs
accounting commands 7 spdb-acs
accounting commands 8 spdb-acs
accounting commands 9 spdb-acs
accounting commands 10 spdb-acs
accounting commands 11 spdb-acs
accounting commands 12 spdb-acs
accounting commands 13 spdb-acs
accounting commands 14 spdb-acs
accounting commands 15 spdb-acs
accounting exec spdb-acs
login authentication spdb-acs
Network management configuration
access-list 10 permit 10.100.64.68
access-list 10 permit 10.100.64.69
access-list 10 permit 10.100.64.66
access-list 10 permit 10.100.64.67
access-list 10 permit 10.100.64.65
snmp-server community public RO
snmp-server community read RO 10
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server enable traps vtp
snmp-server host 10.20.189.24 public
snmp-server host 10.100.64.65 read
Other configuration
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no ip domain-lookup
ip cef load-sharing algorithm original
clock timezone BJT 8
ntp source Loopback0
ntp server 10.100.64.70
monitor session 1 source vlan 1 , 10 , 192 rx
monitor session 1 destination interface Fa0/5
Network implementation
Preparation
1. Eight crossover cables (two for the trunk, six connecting to the floor switches)
2. Free up ports fa0/47 and fa0/48 on the floor switches and configure them accordingly
Implementation steps
Step 1: Rack and power on the two 3550s (estimated 3 minutes)
Step 2: Connect the fibre interfaces going to the HP minicomputers to the 3550s (estimated 1 minute)
cisco4506 primary gigabit1/1 to 3550 primary gigabit0/1
cisco4506 primary gigabit2/2 to 3550 primary gigabit0/2
cisco4506 backup gigabit1/1 to 3550 primary gigabit0/1
cisco4506 backup gigabit2/2 to 3550 primary gigabit0/2
Step 3: Interconnect the primary and backup 3550s with the prepared crossover cables as an EtherChannel (estimated 1 minute)
3550 primary fa0/47 to 3550 backup fa0/47
3550 primary fa0/48 to 3550 backup fa0/48
Step 4: Move all copper ports connected to the cisco4506s over to the 3550s (estimated 5 minutes)
cisco4506 primary fa2/3 to 3550 primary fa0/3
cisco4506 primary fa2/4 to 3550 primary fa0/4
and so on
cisco4506 primary fa2/34 to 3550 primary fa0/34
cisco4506 backup fa2/3 to 3550 backup fa0/3
cisco4506 backup fa2/4 to 3550 backup fa0/4
and so on
cisco4506 backup fa2/34 to 3550 backup fa0/34
Step 5: Interconnect the three floor switches with the 3550s (estimated 3 minutes)
3550 primary fa0/41 to 255.15 fa0/47
3550 primary fa0/43 to 255.16 fa0/47
3550 primary fa0/45 to 255.17 fa0/47
3550 backup fa0/41 to 25