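Bank Network Emergency Plan

XX Co., Ltd.

Network and Security Services Department

February 2012

Contents

I. Bank network topology

II. Backbone network communication faults

1. Fault-handling personnel

2. China Telecom and China Unicom network communication faults

3. Communication fault recovery

4. Fault on the router to the head office

5. Router fault handling

III. Core switch fault emergency response

1. Emergency response when one 4506 switch fails

2. Keeping business running normally within 20 minutes when both core switches fail at the same time

IV. Third-party extranet zone network emergency response

1. Third-party business: UnionPay zone network emergency response

2. Other third-party business zones network emergency response

V. Contact information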

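I. Bank network topology

II. Backbone network communication faults

1. Fault-handling personnel

Participants: XX, XX, XX

2. China Telecom and China Unicom network communication faults

Use the logs of the two Cisco 7206 routers that connect to the head office, and log in to the devices and run show int ATM4/0.1, ping to the peer address, show ip route and show log. Check whether the devices and lines above show repeated restarts, a high bit-error rate, abnormal routes, incorrect connections or similar conditions; this is enough to confirm the fault.

3. Communication fault recovery

Recovery steps:

1) Restart the router connected to the faulty line and see whether it recovers automatically.

2) If a power-cycle restart does not resolve the fault, stop using the faulty device and line so that they do not affect other parts of the network.

3) If it is a line fault, notify the relevant parties (work through the items one by one):

• For a China Telecom line fault, report it to 31000000 for repair and notify the relevant staff of the branch office.

• For a China Unicom line fault, report it to XXXX for repair and notify the relevant staff of the branch office.

4. Fault on the router to the head office

Check the logs for abnormal log messages from before the device failed; log in to the router and use show log, show ip int brie, show process cpu his, show ip route, ping to the peer address and similar commands to confirm the fault.

5. Router fault handling

Once a fault is found on a 7206 router to the head office, handle it as follows:

• Contact XX company and start the original vendor's warranty spare-part replacement procedure.

• Because the two 7206 routers back each other up, a fault on one does not affect actual business. Do not use warehouse spares or integrator spares for the replacement; wait for the original vendor's spare part to arrive.

• For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows: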

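III. Core switch fault emergency response

1. Emergency response when one 4506 switch fails

Check the logs for abnormal log messages from before the device failed; log in to the switch and use show log, show ip int brie, show process cpu his, show ip route, ping to the peer address, show vlan brie, show vtp stat, show process mem, show modul, show diag, show ip eigrp nei, show cdp nei and similar commands to locate and confirm the fault.

Because the two 4506 core switches are a fully hot-standby pair, a fault on one does not affect business operation. For a configuration problem, prepare a correct configuration-change script and apply the change after backing up the current configuration; for a cabling problem, make a new network cable and replace the faulty one; for a hardware problem, contact XX company and request hardware repair.

For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows:

a) Connect a laptop to the Console port of the network device and start Console monitoring and logging;

b) Have the archived system configuration ready for use. If possible, also save the current system configuration;

c) Label the cables connected to the faulty module and unplug them carefully;

d) Ground yourself properly and remove the faulty module;

e) Check the state of the device and modules; confirm whether the whole device or the other modules are affected and whether the standby module has taken over normally;

f) Ground yourself properly and insert the replacement module;

g) Check the state of the device and modules; confirm that the new module is recognized normally and that other modules are not affected;

h) Plug the cables back in as they were;

i) Check that the cable connection state is normal;

j) Confirm that the spare-part replacement succeeded.

For chassis, interface modules that cannot be hot-swapped, or engines and power supplies without a standby, use power-off replacement. The power-off replacement procedure is as follows:

a) Have the archived system configuration ready for use. If possible, also save the current system configuration;

b) Have the previously used system software ready for use;

c) Power off the faulty device;

d) Label the cables that need to be removed and unplug them carefully. If the chassis or the engine is being replaced, all connected cables must be removed;

e) Replace the part;

f) Connect a laptop to the Console port of the network device and start Console monitoring and logging;

g) Power on the device;

h) Check the system self-test and confirm that there is no hardware fault;

i) Install the system software;

j) Restore the system configuration;

k) Cold-start the device and confirm that hardware and software work normally;

l) For a switch, set VTP to Client mode, connect the uplink cable first, and confirm that VTP replicates correctly;

m) Plug the other cables back in as they were;

n) Check that the cable connection state is normal;

o) Confirm that the spare-part replacement succeeded.

2. Keeping business running normally within 20 minutes when both core switches fail at the same time

Two spare Cisco 3550 switches are available. If both core Cisco 4506 switches fail at the same time, the 3550s take over as core switches to keep business running normally, while preserving the original network topology and the security policy and QoS of the network core.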

3550 core switch configuration definition

Device name

hostname production

Device software version

Use an IOS image that supports dynamic routing protocols: c3550-i5k2l2q3-mz.121-13.EA1a.bin

VLAN definition

VLAN  Name      Status  Ports
1     default   active  Fa0/1, Fa0/2, Fa0/35, Fa0/36
                        Fa0/37, Fa0/38, Fa0/39, Fa0/40
                        Fa0/41, Fa0/42, Fa0/43, Fa0/44
                        Fa0/45, Fa0/46, Fa0/47, Fa0/48
2     vlan0002  active  Fa0/10, Fa0/21, Fa0/25, Fa0/34
                        Gi0/1, Gi0/2
3     vlan0003  active  Fa0/5, Fa0/8, Fa0/11, Fa0/12
                        Fa0/17, Fa0/19, Fa0/20, Fa0/22
                        Fa0/28, Fa0/29, Fa0/30, Fa0/32
4     vlan0004  active  Fa0/13, Fa0/18, Fa0/27
5     vlan0005  active  Fa0/7
6     vlan0006  active
10    vlan0010  active  Fa0/4, Fa0/6, Fa0/14
20    vlan0020  active
30    vlan0030  active
40    vlan0040  active
50    VLAN0050  active
60    VLAN0060  active
63    vlan0063  active
128   vlan0128  active  Fa0/3, Fa0/24, Fa0/26, Fa0/31
                        Fa0/33
195   vlan195   active  Fa0/16, Fa0/23
196   vlan196   active
255   VLAN0255  active  Fa0/9, Fa0/15

IP address assignment and HSRP

interface Vlan1
 no ip address
 no ip redirects
 shutdown
 standby 10 priority 100
 standby 10 preempt
!
interface Vlan2
 ip address
 ip access-group 101 in
 no ip redirects
 standby 20 ip
 standby 20 priority 150
 standby 20 preempt
!
interface Vlan3
 ip address
 ip access-group 101 in
 no ip redirects
 standby 30 ip
 standby 30 priority 150
 standby 30 preempt
!
interface Vlan4
 ip address 692
 no ip redirects
 standby 40 ip 5
 standby 40 priority 150
 standby 40 preempt
!
interface Vlan5
 ip address 92
 no ip redirects
 standby 50 ip
 standby 50 priority 150
 standby 50 preempt
!
interface Vlan6
 no ip address
 no ip redirects
 shutdown
 standby 60 ip
 standby 60 priority 150
 standby 60 preempt
!
interface Vlan10
 ip address
 ip access-group 103 in
 no ip redirects
 standby 100 ip
 standby 100 timers 5 15
 standby 100 priority 200
 standby 100 preempt
 standby 100 track Vlan10 50
!
interface Vlan20
 no ip address
 no ip redirects
 standby 110 timers 5 15
 standby 110 priority 150
 standby 110 preempt
 standby 110 track Vlan20 50
!
interface Vlan30
 no ip address
 ip access-group 101 in
 no ip redirects
 shutdown
 standby 120 ip 00
 standby 120 timers 5 15
 standby 120 priority 200
 standby 120 preempt
 standby 120 track Vlan30 50
!
interface Vlan40
 no ip address
 ip access-group 101 in
 no ip redirects
 shutdown
 standby 130 ip 00
 standby 130 timers 5 15
 standby 130 priority 150
 standby 130 preempt
 standby 130 track Vlan40 50
!
interface Vlan50
 ip address
 ip helper-address 0
 no ip redirects
 standby 150 ip
 standby 150 timers 5 15
 standby 150 priority 150
 standby 150 preempt
 standby 150 track Vlan150
!
interface Vlan63
 no ip address
 no ip redirects
!
interface Vlan128
 ip address
 ip access-group 101 in
 no ip redirects
 standby 160 ip
 standby 160 timers 5 15
 standby 160 priority 150
 standby 160 preempt
 standby 160 track Vlan128 50
!
interface Vlan150
 no ip address
 shutdown
!
interface Vlan195
 ip address
 no ip redirects
 standby 195 ip
 standby 195 priority 150
 standby 195 preempt
!
interface Vlan196
 no ip address
 no ip redirects
 shutdown
 standby 196 ip
 standby 196 priority 100
 standby 196 preempt
!
interface Vlan255
 ip address
 no ip redirects
 standby 255 ip
 standby 255 priority 200
 standby 255 preempt

Routing policy

router eigrp 20
 redistribute static
 network 55
 no auto-summary
 no eigrp log-neighbor-changes
ip route 8
ip route 558
ip route 11558
ip route 8
ip route 8
ip route 45558
ip route 555
ip route 556
ip route 557
ip route 1558
ip route 2558
ip route 3558
ip route 4558

interface Vlan2
 ip address
 ip access-group 101 in
interface Vlan3
 ip address
 ip access-group 101 in
interface Vlan30
 no ip address
 ip access-group 101 in
interface Vlan40
 no ip address
 ip access-group 101 in
interface Vlan128
 ip address
 ip access-group 101 in
access-list 101 permit ip host 40 host 46
access-list 101 permit ip host 40 host 45
access-list 101 deny ip 5555
access-list 101 deny ip 5555
access-list 101 deny ip 5555
access-list 101 deny ip 5555
access-list 101 deny ip 5555
access-list 101 deny ip 5555
access-list 101 permit ip any any

interface Vlan10
 ip address
 ip access-group 103 in
access-list 103 permit ip host 45 host 0
access-list 103 permit ip host 40 host 0
access-list 103 permit ip host 40 host 46
access-list 103 permit ip host 40 host 45
access-list 103 permit ip host 45 host 8
access-list 103 permit ip host 40 host 8
access-list 103 permit ip host 45 host 2
access-list 103 permit ip host 40 host
access-list 103 permit ip host 1 host 0
access-list 103 permit ip 55 host
access-list 103 permit ip 55 host
access-list 103 permit ip 55 host
access-list 103 permit ip 55 host 0
access-list 103 permit ip 55 host 3
access-list 103 permit ip 55 host 5
access-list 103 permit ip 55 host 6
access-list 103 permit ip 55 host 0
access-list 103 permit ip 55 host 3
access-list 103 permit ip 55 host 3
access-list 103 permit ip 55 host 7
access-list 103 permit ip host 45 host 9
access-list 103 permit ip host 40 host 9
access-list 103 deny ip 5555
access-list 103 deny ip 5555
access-list 103 deny ip 5555
access-list 103 deny ip 5555
access-list 103 deny ip 5555
access-list 103 deny ip 5555
access-list 103 permit ip any any

QoS

Acting as a core switch, the device needs no QoS configuration here.

Security policy

aaa new-model
aaa authentication login spdb-acs group tacacs+ enable
aaa accounting exec spdb-acs start-stop group tacacs+
aaa accounting commands 0 spdb-acs start-stop group tacacs+
aaa accounting commands 1 spdb-acs start-stop group tacacs+
aaa accounting commands 2 spdb-acs start-stop group tacacs+
aaa accounting commands 3 spdb-acs start-stop group tacacs+
aaa accounting commands 4 spdb-acs start-stop group tacacs+
aaa accounting commands 5 spdb-acs start-stop group tacacs+
aaa accounting commands 6 spdb-acs start-stop group tacacs+
aaa accounting commands 7 spdb-acs start-stop group tacacs+
aaa accounting commands 8 spdb-acs start-stop group tacacs+
aaa accounting commands 9 spdb-acs start-stop group tacacs+
aaa accounting commands 10 spdb-acs start-stop group tacacs+
aaa accounting commands 11 spdb-acs start-stop group tacacs+
aaa accounting commands 12 spdb-acs start-stop group tacacs+
aaa accounting commands 13 spdb-acs start-stop group tacacs+
aaa accounting commands 14 spdb-acs start-stop group tacacs+
aaa accounting commands 15 spdb-acs start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 7
tacacs-server host 4
tacacs-server key s9y8
logging trap debugging
logging source-interface Loopback0
logging 4
logging 5
line vty 0 4
 exec-timeout 5 0
 accounting commands 0 spdb-acs
 accounting commands 1 spdb-acs
 accounting commands 2 spdb-acs
 accounting commands 3 spdb-acs
 accounting commands 4 spdb-acs
 accounting commands 5 spdb-acs
 accounting commands 6 spdb-acs
 accounting commands 7 spdb-acs
 accounting commands 8 spdb-acs
 accounting commands 9 spdb-acs
 accounting commands 10 spdb-acs
 accounting commands 11 spdb-acs
 accounting commands 12 spdb-acs
 accounting commands 13 spdb-acs
 accounting commands 14 spdb-acs
 accounting commands 15 spdb-acs
 accounting exec spdb-acs
 login authentication spdb-acs

Network management configuration

access-list 10 permit 8
access-list 10 permit 9
access-list 10 permit 6
access-list 10 permit 7
access-list 10 permit 5
snmp-server community public RO
snmp-server community read RO 10
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server enable traps vtp
snmp-server host 4 public
snmp-server host 5 read

Other configuration

service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no ip domain-lookup
ip cef load-sharing algorithm original
clock timezone BJT 8
ntp source Loopback0
ntp server 0
monitor session 1 source vlan 1,10,192 rx
monitor session 1 destination interface Fa0/5

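Network implementation

Preparation

1. Eight crossover cables (2 for the trunk, 6 to the floor switches)

2. Free up ports fa0/47 and fa0/48 on the floor switches and apply the corresponding configuration

Implementation steps

Step 1: Rack the two 3550s and power them on (estimated 3 minutes)

Step 2: Move the fiber interfaces that connect the HP minicomputers over to the 3550s (estimated 1 minute)

Cisco 4506 primary gigabit1/1 maps to 3550 primary gigabit0/1

Cisco 4506 primary gigabit2/2 maps to 3550 primary gigabit0/2

Cisco 4506 standby gigabit1/1 maps to 3550 primary gigabit0/1

Cisco 4506 standby gigabit2/2 maps to 3550 primary gigabit0/2

Step 3: Interconnect the primary and standby 3550 with the prepared crossover cables to form an EtherChannel (estimated 1 minute)

3550 primary fa0/47 maps to 3550 standby fa0/47

3550 primary fa0/48 maps to 3550 standby fa0/48

Step 4: Move all copper ports connected to the Cisco 4506s over to the 3550s (estimated 5 minutes)

Cisco 4506 primary fa2/3 maps to 3550 primary fa0/3

Cisco 4506 primary fa2/4 maps to 3550 primary fa0/4

and so on

Cisco 4506 primary fa2/34 maps to 3550 primary fa0/34

Cisco 4506 standby fa2/3 maps to 3550 standby fa0/3

Cisco 4506 standby fa2/4 maps to 3550 standby fa0/4

and so on

Cisco 4506 standby fa2/34 maps to 3550 standby fa0/34

Step 5: Interconnect the 3 floor switches with the 3550s (estimated 3 minutes)

3550 primary fa0/41 maps to fa0/47 on 255.15

3550 primary fa0/43 maps to fa0/47 on 255.16

3550 primary fa0/45 maps to fa0/47 on 255.17

3550 standby fa0/41 maps to fa0/48 on 255.15

3550 standby fa0/43 maps to fa0/48 on 255.16

3550 standby fa0/45 maps to fa0/48 on 255.17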

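IV. Third-party extranet zone network emergency response

1. Third-party business: UnionPay zone network emergency response

Line fault: when a fault occurs, log in to the ASA firewall, the switches and the routers and use show log, show ip int brie, show interface, ping, show ip route, show route and similar commands to confirm the state of the relevant interfaces before and during the fault and identify the faulty line.

For an internal network line, the online replacement procedure is as follows:

a) Connect a laptop to the Console port of the network device and start Console monitoring and logging;

b) Have the archived system configuration ready for use. If possible, also save the current system configuration;

c) Label the cables connected to the faulty module and unplug them carefully;

d) Ground yourself properly and plug in the new replacement network cable;

e) Check that the cable connection state is normal;

f) Confirm that the cable replacement succeeded.

For an external cable, once the fault is confirmed, XX calls the repair hotline and contacts China Unicom or China Mobile staff to come and repair it.

Device fault: because all devices in the UnionPay zone are hot-standby pairs, a fault on one does not affect business operation. For a configuration problem, prepare a correct configuration-change script and apply the change after backing up the current configuration; for a hardware problem, contact XX company and request hardware repair.

Both devices faulty: use one ASA 5540 firewall loaded with the backed-up ASA firewall configuration and one Cisco 1841 router loaded with the backed-up configuration of the router that connects to UnionPay; any one switch, with no configuration needed, can stand in for the UnionPay zone switch.

ASA firewall configuration: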

spdbsyasa# sh run
: Saved
ASA Version 8.2(1)
!
hostname spdbsyasa
enable password 2KFQnbNIdL2KYOU encrypted
passwd 2KFQnbNIdL2KYOU encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 8
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 8
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list IPP_PAT extended permit ip host 1 host 5
access-list IPP_PAT extended permit ip host 2 host 5
access-list IPP_PAT extended permit ip host 3 host 5
access-list IPP_PAT extended permit ip host 1 host 8
access-list IPP_PAT extended permit ip host 2 host 8
access-list IPP_PAT extended permit ip host 3 host 8
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp host 1 host eq 21428
access-list OUTSIDE_IN extended permit tcp host 1 eq 21428 host
access-list OUTSIDE_IN extended permit tcp host 1 host eq 23428
access-list OUTSIDE_IN extended permit tcp host 1 eq 23428 host
access-list OUTSIDE_IN extended permit tcp host 3 host eq 21428
access-list OUTSIDE_IN extended permit tcp host 3 eq 21428 host
access-list OUTSIDE_IN extended permit tcp host 3 host eq 23428
access-list OUTSIDE_IN extended permit tcp host 3 eq 23428 host
access-list OUTSIDE_IN extended permit tcp host 31 eq 6060 host 2
access-list OUTSIDE_IN extended permit udp 4 48 eq snmptrap
access-list OUTSIDE_IN extended permit udp 4 48 eq syslog
access-list OUTSIDE_IN extended permit udp host 4 eq radius
access-list OUTSIDE_IN extended permit udp host 4 eq radius-acct
access-list OUTSIDE_IN extended permit udp host 10.100.64.54 eq 1812
access-list OUTSIDE_IN extended permit udp host 4 eq 1813
access-list OUTSIDE_IN extended permit host 4 eq tacacs
access-list OUTSIDE_IN extended permit udp host 10.100.64.57 eq radius
access-list OUTSIDE_IN extended permit udp host 10.100.64.57 eq radius-acct
access-list OUTSIDE_IN extended permit host 10.100.64.57 eq 1812
access-list OUTSIDE_IN extended permit udp 10.20.210.0 host 7 eq 1813
access-list OUTSIDE_IN extended permit tcp host 7 eq tacacs
access-list OUTSIDE_IN extended permit udp host 0
access-list OUTSIDE_IN extended permit tcp host 0
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT extended permit tcp host 1 host 5 eq 21428
access-list INSIDE_OUT extended permit tcp host 1 eq 21428 host 5
access-list INSIDE_OUT extended permit tcp host 1 host 5 eq 23428
access-list INSIDE_OUT extended permit tcp host 1 eq 23428 host 5
access-list INSIDE_OUT extended permit tcp host 1 host 8 eq 21428
access-list INSIDE_OUT extended permit tcp host 1 eq 21428 host 8
access-list INSIDE_OUT extended permit tcp host 1 host 8 eq 23428
access-list INSIDE_OUT extended permit tcp host 1 eq 23428 host 8
access-list INSIDE_OUT extended permit tcp host 2 host 5 eq 21428
access-list INSIDE_OUT extended permit tcp host 2 eq 21428 host 5
access-list INSIDE_OUT extended permit tcp host 2 host 5 eq 23428
access-list INSIDE_OUT extended permit tcp host 2 eq 23428 host 5
access-list INSIDE_OUT extended permit tcp host 2 host 8 eq 21428
access-list INSIDE_OUT extended permit tcp host 2 eq 21428 host 8
access-list INSIDE_OUT extended permit tcp host 2 host 8 eq 23428
access-list INSIDE_OUT extended permit tcp host 2 eq 23428 host 8
access-list INSIDE_OUT extended permit tcp host 3 host 5 eq 21428
access-list INSIDE_OUT extended permit tcp host 3 eq 21428 host 5
access-list INSIDE_OUT extended permit tcp host 3 host 5 eq 23428
access-list INSIDE_OUT extended permit tcp host 3 eq 23428 host 5
access-list INSIDE_OUT extended permit tcp host 3 host 8 eq 21428
access-list INSIDE_OUT extended permit tcp host 3 eq 21428 host 8
access-list INSIDE_OUT extended permit tcp host 3 host 8 eq 23428
access-list INSIDE_OUT extended permit tcp host 3 eq 23428 host 8
access-list INSIDE_OUT extended permit tcp host 45 host 10.20.1X4.12 eq 6060
access-list INSIDE_OUT extended permit ip 448 any
access-list INSIDE_OUT extended permit ip host 4 any
access-list INSIDE_OUT extended permit ip host 7 any
access-list INSIDE_OUT extended permit udp host 0 any eq ntp
access-list INSIDE_OUT extended permit udp host 2 any eq ntp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
failover lan unit primary
failover lan interface failoverlan GigabitEthernet0/3
failover polltime unit msec 500 holdtime 5
failover interface ip failoverlan standby
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2
nat (inside) 2 access-list IPP_PAT
static (inside,outside) tcp 21428 3 21428 netmask 55
static (inside,outside) tcp 23428 3 23428 netmask 55
static (inside,outside) tcp telnet 3 telnet netmask 55
static (outside,inside) 51 netmask 55
static (outside,inside) 83 netmask 55
static (inside,outside) 245 netmask 55
static (outside,inside) 231 netmask 55
static (inside,outside) 00 netmask 55
static (inside,outside) 22 netmask 55
static (inside,outside) 55 netmask 55
static (inside,outside) 66 netmask 55
static (inside,outside) 77 netmask 55
static (inside,outside) 88 netmask 55
static (inside,outside) 99 netmask 55
static (inside,outside) 44 netmask 55
static (inside,outside) 77 netmask 55
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
route outside 15551
route outside 35551
route inside 01
route outside 51
route inside 44801
route outside 315551
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:03 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server spdb-acs protocol tacacs+
aaa-server spdb-acs (inside) host 7
 key s9y8
aaa-server spdb-acs (inside) host 4
 key s9y9
aaa authentication ssh console spdb-acs
snmp-server host inside 5 community read
snmp-server host inside 6 poll community read
snmp-server host inside 7 poll community read
snmp-server host inside 8 poll community read
snmp-server host inside 9 poll community read
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b0171b7af7453023bce0c7ebfafb273e
: end
spdbsyasa#

Router configuration:

R1#sh run
Building configuration...
Current configuration : 4554 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
aaa new-model
!
!
aaa authentication login spdb-acs group tacacs+ enable
aaa accounting exec spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 1 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 2 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 3 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 4 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 5 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 6 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 7 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 8 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 9 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 10 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 11 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 12 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 13 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 14 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa session-id common
dot11 syslog
ip source-route
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
 log config
  hidekeys
track 1 ip sla 1 reachability
interface Loopback0
 ip address 5155
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Serial0/1/0
 description to Yinlian
 ip address 0652
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 no shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 ip address 0940 secondary
 ip address 51
 ip nat outside
 ip virtual-reassembly
 standby 184 ip 5
 standby 184 priority 105
 standby 184 preempt
 standby 184 track 1 decrement 10
!
ip forward-protocol nd
ip route 15505
ip route 35505
ip route 8
ip route 558
ip route 2558
ip route 315505
no ip http server
no ip http secure-server
ip nat pool yinlianpool 1010 netmask
ip nat pool pospool 1313 netmask
ip nat outside source list 105 pool yinlianpool
ip nat outside source list 106 pool pospool
ip sla 1
 icmp-echo 05 source-interface Serial0/1/0
 frequency 5
ip sla schedule 1 life forever start-time now
access-list 105 permit ip host host 1
access-list 105 permit ip host host 3
access-list 106 permit ip host 2 host 31
tacacs-server host 4
tacacs-server host 7
tacacs-server key s9yS
!
control-plane
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 accounting commands 0 spdb-acs
 accounting commands 1 spdb-acs
 accounting commands 2 spdb-acs
 accounting commands 3 spdb-acs
 accounting commands 4 spdb-acs
 accounting commands 5 spdb-acs
 accounting commands 6 spdb-acs
 accounting commands 7 spdb-acs
 accounting commands 8 spdb-acs
 accounting commands 9 spdb-acs
 accounting commands 10 spdb-acs
 accounting commands 11 spdb-acs
 accounting commands 12 spdb-acs
 accounting commands 13 spdb-acs
 accounting commands 14 spdb-acs
 accounting commands 15 spdb-acs
 accounting exec spdb-acs
 logging synchronous
 login authentication spdb-acs
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp server 0
end
R1#
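
The 3550 and R1 listings above contain several management-plane settings that are worth checking before a standby device is put into service: enable password cisco, no service password-encryption, ip source-route, snmp-server community public RO, exec-timeout 0 0 and a local password on the vty lines. The check below is an added example, not part of the original plan; the two sample configurations, the rule names and the advice strings are constructed for illustration.

```python
import re

# Constructed sample: de-garbled commands taken from the 3550 and R1 listings on this page.
SAMPLE_WEAK = """\
no service password-encryption
enable password cisco
ip source-route
snmp-server community public RO
snmp-server community read RO 10
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login authentication spdb-acs
"""

# Constructed hardened counterpart; the secret and community values are placeholders.
SAMPLE_HARDENED = """\
service password-encryption
enable secret EXAMPLE-PLACEHOLDER
no ip source-route
snmp-server community EXAMPLE-PLACEHOLDER RO 10
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login authentication spdb-acs
"""

# (rule id, parent-section prefix or None for global commands, pattern, advice)
RULES = [
    ("plaintext-passwords", None, r"no service password-encryption$",
     "passwords are stored unobscured in the configuration"),
    ("enable-password", None, r"enable password \S",
     "use 'enable secret' so the privileged password is hashed"),
    ("source-routing", None, r"ip source-route$",
     "disable with 'no ip source-route'"),
    ("snmp-default-community", None, r"snmp-server community (public|private)\b",
     "replace the well-known community string"),
    ("snmp-community-no-acl", None, r"snmp-server community \S+ (RO|RW)$",
     "bind the community to a management-station ACL"),
    ("no-idle-timeout", "line ", r"exec-timeout 0 0$",
     "idle sessions on this line never expire"),
    ("line-password", "line ", r"password \S",
     "remove the local line password and rely on AAA login"),
]


def audit(config):
    """Return (line_no, rule_id, advice) for every weak setting found."""
    findings, section = [], ""
    for line_no, raw in enumerate(config.splitlines(), 1):
        command = raw.strip()
        if not command or command == "!":
            continue
        indented = raw[0].isspace()
        if not indented:
            section = command  # a top-level command opens a new section
        for rule_id, scope, pattern, advice in RULES:
            # Global rules match top-level commands; scoped rules match sub-commands.
            in_scope = indented and section.startswith(scope) if scope else not indented
            if in_scope and re.match(pattern, command):
                findings.append((line_no, rule_id, advice))
    return findings


if __name__ == "__main__":
    for line_no, rule_id, advice in audit(SAMPLE_WEAK):
        print(f"line {line_no}: {rule_id}: {advice}")
```

The parser relies on the one-space indentation that show run uses for sub-commands, so a listing has to be restored to that layout before it is checked.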

R2#sh run
Building configuration...
Current configuration : 4533 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password cisco
!
aaa new-model
!
!
aaa authentication login spdb-acs group tacacs+ enable
aaa accounting exec spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 1 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 2 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 3 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 4 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 5 spdb-ac
