1、某银行网络应急方案措施银行网络应急方案XX股份有限公司网络与安全服务部2012年2月一、 银行网络结构拓扑二、 骨干网通信故障1. 故障处理人员 参与人:XX、XX、XX2. 电信、联通网络通信故障根据到总行的两台cisco 7206路由器的日志以及实际登陆设备使用show int ATM4/0.1 、ping对端地址、show ip route、show log,查看上述相关设备和线路是否有反复重起、误码率高、异常路由、错误连接等情况即可确认故障。3. 通信故障恢复恢复步骤:1)重启故障新路相连路由器,看是否能够自动恢复2) 断电重起无法解决故障的,停止使用故障设备和线路,防止其影响网络其他
2、部分。3) 如系线路故障通知各有关方面(逐项对照处理): 如为中国电信线路故障,向31000000 报修,并通知分行办公室相关人员。 如为中国联通线路故障,向XXXX 报修,并通知分行办公室相关人员。4. 到总行路由器故障查看日志,检查设备故障前的异常日志信息;登陆路由器使用show log,show ip int brie , show process cpu his , show ip route , ping对端地址等命令来确认故障。5. 路由器故障处理一旦发现到总行7206路由器故障可按以下步骤来处理:联系XX公司,并启动原厂商保修服务备件更换程序。因为两台7206路由器是互为备份的,
3、一台发生故障不影响实际业务,不调用库房备件和集成商备件更换,等待原厂商备件到达。 对于能够在线插拔的接口模块、有standby 的引擎和电源,优先使用在线更换方式。在线更换的具体操作流程如下:a) 用笔记本电脑连接在网络设备的Console 上,启动Console 监控和记录;b) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;c) 对故障模块上连接的线缆做好标记,小心拔下;d) 做好安全接地,拔下故障模块;e) 检查设备和模块状态,确认是否影响整个设备或其他模块正常运行,standby 模块是否正常接管;f) 做好安全接地,插上更换的备件模块;g) 检查设备和模块状态,确认是否
4、能够正常识别新模块,是否影响其他模块运行;h) 按原样插上线缆;i) 检查线缆连接状态正常;j) 确认备件更换成功。l 对于机箱、不能在线插拔的接口模块、或者没有standby 的引擎和电源,采用下电更换方式。下电更换的具体操作流程如下:a) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;b) 准备好原先使用的系统软件,备用;c) 故障设备下电;d) 对需要拔除的线缆做好标记,小心拔下。如果机箱或引擎更换,需拔除所有连接线缆;e) 更换备件;f) 用笔记本电脑连接在网络设备的Console 上,启动Console 监控和记录;g) 设备上电;h) 检查系统自检情况,确认无硬件故障
5、;i) 安装系统软件;j) 恢复系统配置;k) 冷启动,确认软硬件正常工作; l) 按原样插上其他线缆;m) 检查线缆连接状态正常;n) 确认备件更换成功。三、 核心交换机故障应急1. 一台4506交换机故障应急查看日志,检查设备故障前的异常日志信息;登陆交换机使用show log,show ip int brie , show process cpu his , show ip route , ping对端地址,show vlan brie , show vtp stat , show process mem , show modul , show diag , show ip eigrp
6、nei , show cdp nei等一系列命令来查找、确认故障。因为两台4506核心交换机完全是热备的双机,所以一台发生故障并不影响业务运行。对于配置问题要制定正确的更改配置脚本,备份当前配置以后实施更改;对于线路问题的要制作新网线,替换故障的网线;对于硬件问题要练习XX公司,申请硬件故障维修。对于能够在线插拔的接口模块、有standby 的引擎和电源,优先使用在线更换方式。在线更换的具体操作流程如下:a) 用笔记本电脑连接在网络设备的Console 上,启动Console 监控和记录;b) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;c) 对故障模块上连接的线缆做好标记,小
7、心拔下;d) 做好安全接地,拔下故障模块;e) 检查设备和模块状态,确认是否影响整个设备或其他模块正常运行,standby 模块是否正常接管;f) 做好安全接地,插上更换的备件模块;g) 检查设备和模块状态,确认是否能够正常识别新模块,是否影响其他模块运行;h) 按原样插上线缆;i) 检查线缆连接状态正常;j) 确认备件更换成功。l 对于机箱、不能在线插拔的接口模块、或者没有standby 的引擎和电源,采用下电更换方式。下电更换的具体操作流程如下:a) 准备好存档的系统配置,备用。如有可能,同时保存当前系统配置;b) 准备好原先使用的系统软件,备用;c) 故障设备下电;d) 对需要拔除的线缆
8、做好标记,小心拔下。如果机箱或引擎更换,需拔除所有连接线缆;e) 更换备件;f) 用笔记本电脑连接在网络设备的Console 上,启动Console 监控和记录;g) 设备上电;h) 检查系统自检情况,确认无硬件故障;i) 安装系统软件;j) 恢复系统配置;k) 冷启动,确认软硬件正常工作;l) 对于交换机要将VTP 设置为Client 模式,首先连接上行线缆,确认VTP 复制正确;m) 按原样插上其他线缆;n) 检查线缆连接状态正常;o) 确认备件更换成功。2. 当核心交换同时瘫痪在20分钟内保证业务正常运作现有2台备用的cisco3550,在两台核心cisco4506同事瘫痪后,将其作为核
9、心交换来保证业务的正常运作,同时保持原有的网络拓扑及网络核心的安全策略和qos。3550核心交换配置定义设备命名hostname production设备软件版本使用支持动态路由协议的IOS:c3550-i5k2l2q3-mz.121-13.EA1a.binVlan定义1 default active Fa0/1, Fa0/2, Fa0/35, Fa0/36 Fa0/37, Fa0/38, Fa0/39, Fa0/40 Fa0/41, Fa0/42, Fa0/43, Fa0/44 Fa0/45, Fa0/46, Fa0/47, Fa0/482 vlan0002 active Fa0/10, F
10、a0/21, Fa0/25, Fa0/34 Gi0/1, Gi0/23 vlan0003 active Fa0/5, Fa0/8, Fa0/11, Fa0/12 Fa0/17, Fa0/19, Fa0/20, Fa0/22 Fa0/28, Fa0/29, Fa0/30, Fa0/324 vlan0004 active Fa0/13, Fa0/18, Fa0/275 vlan0005 active Fa0/76 vlan0006 active 10 vlan0010 active Fa0/4, Fa0/6, Fa0/1420 vlan0020 active 30 vlan0030 active
11、40 vlan0040 active 50 VLAN0050 active 60 VLAN0060 active 63 vlan0063 active 128 vlan0128 active Fa0/3, Fa0/24, Fa0/26, Fa0/31 Fa0/33195 vlan195 active Fa0/16, Fa0/23196 vlan196 active 255 VLAN0255 active Fa0/9, Fa0/15Ip地址分配及hsrpinterface Vlan1 no ip address no ip redirects shutdown standby 10 priori
12、ty 100 standby 10 preempt!interface Vlan2 ip address 10.20.191.2 255.255.255.0 ip access-group 101 in no ip redirects standby 20 ip 10.20.191.1 standby 20 priority 150 standby 20 preempt! interface Vlan3 ip address 10.20.189.2 255.255.255.0 ip access-group 101 in no ip redirects standby 30 ip 10.20.
13、189.1 standby 30 priority 150 standby 30 preempt!interface Vlan4 ip address 10.20.187.66 255.255.255.192 no ip redirects standby 40 ip 10.20.187.65 standby 40 priority 150 standby 40 preempt!interface Vlan5 ip address 10.20.187.2 255.255.255.192 no ip redirects standby 50 ip 10.20.187.1 standby 50 p
14、riority 150 standby 50 preempt!interface Vlan6 no ip address no ip redirects shutdown standby 60 ip 10.20.185.3 standby 60 priority 150 standby 60 preempt!interface Vlan10 ip address 10.20.0.2 255.255.255.0 ip access-group 103 in no ip redirects standby 100 ip 10.20.0.1 standby 100 timers 5 15 stand
15、by 100 priority 200 standby 100 preempt standby 100 track Vlan10 50!interface Vlan20 no ip address no ip redirects standby 110 timers 5 15 standby 110 priority 150 standby 110 preempt standby 110 track Vlan20 50!interface Vlan30 no ip address ip access-group 101 in no ip redirects shutdown standby 1
16、20 ip 10.20.198.100 standby 120 timers 5 15 standby 120 priority 200 standby 120 preempt standby 120 track Vlan30 50!interface Vlan40 no ip address ip access-group 101 in no ip redirects shutdown standby 130 ip 10.20.197.100 standby 130 timers 5 15 standby 130 priority 150 standby 130 preempt standb
17、y 130 track Vlan40 50!interface Vlan50 ip address 10.20.1.2 255.255.255.0 ip helper-address 10.20.0.10 no ip redirects standby 150 ip 10.20.1.1 standby 150 timers 5 15 standby 150 priority 150 standby 150 preempt standby 150 track Vlan150!interface Vlan63 no ip address no ip redirects!interface Vlan
18、128 ip address 10.20.128.4 255.255.255.0 ip access-group 101 in no ip redirects standby 160 ip 10.20.128.8 standby 160 timers 5 15 standby 160 priority 150 standby 160 preempt standby 160 track Vlan128 50!interface Vlan150 no ip address shutdown!interface Vlan195 ip address 10.20.195.2 255.255.255.0
19、 no ip redirects standby 195 ip 10.20.195.1 standby 195 priority 150 standby 195 preempt!interface Vlan196 no ip address no ip redirects shutdown standby 196 ip 10.20.196.1 standby 196 priority 100 standby 196 preempt!interface Vlan255 ip address 10.20.255.2 255.255.255.0 no ip redirects standby 255
20、 ip 10.20.255.1 standby 255 priority 200 standby 255 preempt路由策略router eigrp 20 redistribute static network 10.20.0.0 0.0.255.255 no auto-summary no eigrp log-neighbor-changesip route 0.0.0.0 0.0.0.0 10.20.191.18ip route 10.20.9.1 255.255.255.255 10.20.191.18ip route 10.20.9.111 255.255.255.255 10.2
21、0.191.18ip route 10.20.184.0 255.255.255.0 10.20.191.18ip route 10.20.186.0 255.255.255.0 10.20.191.18ip route 10.20.186.245 255.255.255.255 10.20.191.18ip route 10.20.210.3 255.255.255.255 10.20.255.15ip route 10.20.210.4 255.255.255.255 10.20.255.16ip route 10.20.210.5 255.255.255.255 10.20.255.17
22、ip route 10.20.210.11 255.255.255.255 10.20.191.18ip route 10.20.210.12 255.255.255.255 10.20.191.18ip route 10.20.210.13 255.255.255.255 10.20.191.18ip route 10.20.210.14 255.255.255.255 10.20.191.18interface Vlan2 ip address 10.20.191.2 255.255.255.0 ip access-group 101 ininterface Vlan3 ip addres
23、s 10.20.189.2 255.255.255.0 ip access-group 101 ininterface Vlan30 no ip address ip access-group 101 ininterface Vlan40 no ip address ip access-group 101 ininterface Vlan128 ip address 10.20.128.4 255.255.255.0 ip access-group 101 inaccess-list 101 permit ip host 10.20.0.240 host 10.20.186.246access
24、-list 101 permit ip host 10.20.0.240 host 10.20.186.245access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.192.0 0.255.63.255access-list 101 deny ip 10.0.0.0
25、0.255.63.255 10.0.128.0 0.255.63.255access-list 101 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255access-list 101 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255access-list 101 permit ip any anyinterface Vlan10 ip address 10.20.0.2 255.255.255.0 ip access-group 103 inaccess-list 103 perm
26、it ip host 10.20.0.245 host 10.20.184.10access-list 103 permit ip host 10.20.0.240 host 10.20.184.10access-list 103 permit ip host 10.20.0.240 host 10.20.186.246access-list 103 permit ip host 10.20.0.240 host 10.20.186.245access-list 103 permit ip host 10.20.0.245 host 10.20.184.18access-list 103 pe
27、rmit ip host 10.20.0.240 host 10.20.184.18access-list 103 permit ip host 10.20.0.245 host 10.20.184.12access-list 103 permit ip host 10.20.0.240 host 10.20.184.5access-list 103 permit ip host 10.20.0.21 host 10.20.184.20access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.3access-list 103 pe
28、rmit ip 10.20.0.0 0.0.0.255 host 10.20.184.4access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.7access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.30access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.15acces
29、s-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.16access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10.20.184.20access-list 103 permit ip 10.20.2.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.3.0 0.0.0.255 host 10.20.184.13access-list 103 permit ip 10.20.0.0 0.0.0.255 host 10
30、.20.184.17access-list 103 permit ip host 10.20.0.245 host 10.20.184.19access-list 103 permit ip host 10.20.0.240 host 10.20.184.19access-list 103 deny ip 192.168.0.0 0.0.255.255 10.0.128.0 0.255.63.255access-list 103 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255access-list 103 deny ip 192.1
31、68.0.0 0.0.255.255 10.0.192.0 0.255.63.255access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.128.0 0.255.63.255access-list 103 deny ip 10.0.0.0 0.255.63.255 172.16.0.0 0.0.255.255access-list 103 deny ip 10.0.0.0 0.255.63.255 10.0.192.0 0.255.63.255access-list 103 permit ip any anyQos作为核心交换机无需在此配置qos安全策略aaa new-modelaaa authenti
copyright@ 2008-2022 冰豆网网站版权所有
经营许可证编号:鄂ICP备2022015515号-1