
Bank Network Emergency Plan

XX Co., Ltd., Network and Security Services Department
February 2012

Contents

I. Bank network topology
II. Backbone communication faults
   Fault-handling personnel
   China Telecom and China Unicom network communication faults
   Communication fault recovery
   Faults on the routers to the head office
   Router fault handling
III. Core switch fault response
   Response to the failure of one 4506 switch
   Keeping business running within 30 minutes when both core switches are down
IV. Third-party external connection zone network response
   Third-party business: UnionPay zone network response
   Other third-party business zones network response
V. Contact information

I. Bank network topology

II. Backbone communication faults

Fault-handling personnel

Participants: XX, XX, XX

China Telecom and China Unicom network communication faults

Use the logs of the two cisco 7206 routers to the head office, and log in to the devices and run show int ATM4/0.1, ping the peer address, show ip route and show log, to check whether the devices and lines concerned show repeated restarts, a high bit error rate, abnormal routes, wrong connections or similar conditions. This is enough to confirm the fault.

Communication fault recovery

Recovery steps:
1) Restart the router connected to the faulty line and see whether it recovers automatically.
2) If a power-cycle restart does not resolve the fault, stop using the faulty device and line so that they do not affect the rest of the network.
3) If it is a line fault, notify the parties concerned (work through the items one by one):
   If it is a China Telecom line fault, report the fault to [contact omitted] for repair, and notify the relevant staff of the branch office.
   If it is a China Unicom line fault, report the fault to XXXX for repair, and notify the relevant staff of the branch office.

Faults on the routers to the head office

Review the logs and check the abnormal log entries recorded before the device failed; log in to the router and use show log, show ip int brie, show process cpu his, show ip route, ping the peer address and similar commands to confirm the fault.

Router fault handling

Once a fault is found on a 7206 router to the head office, handle it with the following steps:

Contact XX company and start the original manufacturer's warranty spare-part replacement procedure. Because the two 7206 routers back each other up, the failure of one does not affect actual business; do not draw on warehouse spares or the integrator's spares for the replacement, and wait for the original manufacturer's spare part to arrive.

For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows:
a) Connect a laptop to the Console port of the network device and start Console monitoring and recording;
b) Have the archived system configuration ready for use. If possible, also save the current system configuration;
c) Label the cables connected to the faulty module and unplug them carefully;
d) Ensure proper grounding and pull out the faulty module;
e) Check the status of the device and its modules, confirming whether the whole device or other modules are affected and whether the standby module has taken over normally;
f) Ensure proper grounding and insert the replacement spare module;
g) Check the status of the device and its modules, confirming whether the new module is recognized normally and whether other modules are affected;
h) Plug the cables back in as they were;
i) Check that the cable connection status is normal;
j) Confirm that the spare-part replacement succeeded.

For the chassis, for interface modules that cannot be hot-swapped, and for engines and power supplies without a standby, use power-off replacement. The power-off replacement procedure is as follows:
a) Have the archived system configuration ready for use. If possible, also save the current system configuration;
b) Have the system software that was originally in use ready;
c) Power off the faulty device;
d) Label the cables that need to be removed and unplug them carefully. If the chassis or engine is being replaced, all connected cables must be removed;
e) Replace the spare part;
f) Connect a laptop to the Console port of the network device and start Console monitoring and recording;
g) Power on the device;
h) Check the system self-test and confirm that there is no hardware fault;
i) Install the system software;
j) Restore the system configuration;
k) Cold start and confirm that software and hardware work normally;
l) Plug the other cables back in as they were;
m) Check that the cable connection status is normal;
n) Confirm that the spare-part replacement succeeded.

III. Core switch fault response

Response to the failure of one 4506 switch

Review the logs and check the abnormal log entries recorded before the device failed; log in to the switch and use show log, show ip int brie, show process cpu his, show ip route, ping the peer address, show vlan brie, show vtp stat, show process mem, show modul, show diag, show ip eigrp nei, show cdp nei and similar commands to locate and confirm the fault.

Because the two 4506 core switches are a fully hot-standby pair, the failure of one does not affect business operation. For a configuration problem, prepare a correct configuration change script, back up the current configuration, and then apply the change; for a cabling problem, make a new network cable and replace the faulty one; for a hardware problem, contact XX company and request hardware fault repair.

For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows:
a) Connect a laptop to the Console port of the network device and start Console monitoring and recording;
b) Have the archived system configuration ready for use. If possible, also save the current system configuration;
c) Label the cables connected to the faulty module and unplug them carefully;
d) Ensure proper grounding and pull out the faulty module;
e) Check the status of the device and its modules, confirming whether the whole device or other modules are affected and whether the standby module has taken over normally;
f) Ensure proper grounding and insert the replacement spare module;
g) Check the status of the device and its modules, confirming whether the new module is recognized normally and whether other modules are affected;
h) Plug the cables back in as they were;
i) Check that the cable connection status is normal;
j) Confirm that the spare-part replacement succeeded.

For the chassis, for interface modules that cannot be hot-swapped, and for engines and power supplies without a standby, use power-off replacement. The power-off replacement procedure is as follows:
a) Have the archived system configuration ready for use. If possible, also save the current system configuration;
b) Have the system software that was originally in use ready;
c) Power off the faulty device;
d) Label the cables that need to be removed and unplug them carefully. If the chassis or engine is being replaced, all connected cables must be removed;
e) Replace the spare part;
f) Connect a laptop to the Console port of the network device and start Console monitoring and recording;
g) Power on the device;
h) Check the system self-test and confirm that there is no hardware fault;
i) Install the system software;
j) Restore the system configuration;
k) Cold start and confirm that software and hardware work normally;
l) For a switch, set VTP to Client mode, connect the uplink cable first, and confirm that VTP replicates correctly;
m) Plug the other cables back in as they were;
n) Check that the cable connection status is normal;
o) Confirm that the spare-part replacement succeeded.

Keeping business running within 30 minutes when both core switches are down

Two spare cisco3550 switches are available. After both core cisco4506 switches go down at the same time, the 3550s are used as the core switches to keep business running, while keeping the original network topology and the security policy and QoS of the network core.

3550 core switch configuration definition

Device naming

hostname production

Device software version

Use an IOS that supports dynamic routing protocols: c3550-i5k2l2q3-mz.121-13.EA1a.bin

VLAN definition

VLAN  Name      Status  Ports
1     default   active  Fa0/1, Fa0/2, Fa0/35, Fa0/36
                        Fa0/37, Fa0/38, Fa0/39, Fa0/40
                        Fa0/41, Fa0/42, Fa0/43, Fa0/44
                        Fa0/45, Fa0/46, Fa0/47, Fa0/48
2     vlan0002  active  Fa0/10, Fa0/21, Fa0/25, Fa0/34
                        Gi0/1, Gi0/2
3     vlan0003  active  Fa0/5, Fa0/8, Fa0/11, Fa0/12
                        Fa0/17, Fa0/19, Fa0/20, Fa0/22
                        Fa0/28, Fa0/29, Fa0/30, Fa0/32
4     vlan0004  active  Fa0/13, Fa0/18, Fa0/27
5     vlan0005  active  Fa0/7
6     vlan0006  active
10    vlan0010  active  Fa0/4, Fa0/6, Fa0/14
20    vlan0020  active
30    vlan0030  active
40    vlan0040  active
50    VLAN0050  active
60    VLAN0060  active
63    vlan0063  active
128   vlan0128  active  Fa0/3, Fa0/24, Fa0/26, Fa0/31
                        Fa0/33
195   vlan195   active  Fa0/16, Fa0/23
196   vlan196   active
255   VLAN0255  active  Fa0/9, Fa0/15

IP address assignment and HSRP

interface Vlan1
 no ip redirects
 shutdown
 standby 10 priority 100
 standby 10 preempt
!
interface Vlan2
 ip access-group 101 in
 no ip redirects
 standby 20 priority 150
 standby 20 preempt
!
interface Vlan3
 ip access-group 101 in
 no ip redirects
 standby 30 priority 150
 standby 30 preempt
!
interface Vlan4
 no ip redirects
 standby 40 priority 150
 standby 40 preempt
!
interface Vlan5
 no ip redirects
 standby 50 priority 150
 standby 50 preempt
interface Vlan6
 no ip address
 no ip redirects
 shutdown
 standby 60 priority 150
 standby 60 preempt
!
interface Vlan10
 ip address 10.20.0
 ip access-group 103 in
 no ip redirects
 standby 100 ip
 standby 100 timers 5 15
 standby 100 priority 200
 standby 100 preempt
 standby 100 track Vlan10 50
!
interface Vlan20
 no ip address
 no ip redirects
 standby 110 timers 5 15
 standby 110 priority 150
 standby 110 preempt
 standby 110 track Vlan20 50
!
interface Vlan30
 no ip address
 ip access-group 101 in
 no ip redirects
 shutdown
 standby 120 timers 5 15
 standby 120 priority 200
 standby 120 track Vlan30 50
interface Vlan40
 no ip address
 ip access-group 101 in
 no ip redirects
 shutdown
 standby 130 timers 5 15
 standby 130 priority 150
 standby 130 preempt
 standby 130 track Vlan40 50
!
interface Vlan50
 ip address 10.20.1
 ip helper-address 0
 no ip redirects
 standby 150 ip
 standby 150 timers 5 15
 standby 150 priority 150
 standby 150 preempt
 standby 150 track Vlan150
!
interface Vlan63
 no ip address
 no ip redirects
!
interface Vlan128
 ip access-group 101 in
 no ip redirects
 standby 160 timers 5 15
 standby 160 priority 150
 standby 160 preempt
 standby 160 track Vlan128 50
!
interface Vlan150
 no ip address
 shutdown
!
interface Vlan195
 no ip redirects
 standby 195 priority 150
 standby 195 preempt
!
interface Vlan196
 no ip address
 no ip redirects
 shutdown
 standby 196 priority 100
 standby 196 preempt
!
interface Vlan255
 no ip redirects
 standby 255 priority 200
 standby 255 preempt

Routing policy

router eigrp 20
 redistribute static
 network 10.20.0
 no auto-summary
 no eigrp log-neighbor-changes
ip route 0.0.0
ip route 10.20.9
ip route 10.20.9

interface Vlan2
 ip access-group 101 in
interface Vlan3
 ip access-group 101 in
interface Vlan30
 no ip address
 ip access-group 101 in
interface Vlan40
 no ip address
 ip access-group 101 in
interface Vlan128
 ip access-group 101 in
access-list 101 permit ip host 10.20.0
access-list 101 permit ip host 10.20.0
access-list 101 deny ip 10.0.0
access-list 101 deny ip 10.0.0
access-list 101 deny ip 10.0.0
access-list 101 permit ip any any

interface Vlan10
 ip address 10.20.0
 ip access-group 103 in
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.0
access-list 103 permit ip 10.20.2
access-list 103 permit ip 10.20.3
access-list 103 permit ip 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 permit ip host 10.20.0
access-list 103 deny ip 10.0.0
access-list 103 deny ip 10.0.0
access-list 103 deny ip 10.0.0
access-list 103 permit ip any any

QoS

As a core switch, no QoS needs to be configured here.

Security policy

aaa new-model
aaa authentication login spdb-acs group tacacs+ enable
aaa accounting exec spdb-acs start-stop group tacacs+
aaa accounting commands 0 spdb-acs start-stop group tacacs+
aaa accounting commands 1 spdb-acs start-stop group tacacs+
aaa accounting commands 2 spdb-acs start-stop group tacacs+
aaa accounting commands 3 spdb-acs start-stop group tacacs+
aaa accounting commands 4 spdb-acs start-stop group tacacs+
aaa accounting commands 5 spdb-acs start-stop group tacacs+
aaa accounting commands 6 spdb-acs start-stop group tacacs+
aaa accounting commands 7 spdb-acs start-stop group tacacs+
aaa accounting commands 8 spdb-acs start-stop group tacacs+
aaa accounting commands 9 spdb-acs start-stop group tacacs+
aaa accounting commands 10 spdb-acs start-stop group tacacs+
aaa accounting commands 11 spdb-acs start-stop group tacacs+
aaa accounting commands 12 spdb-acs start-stop group tacacs+
aaa accounting commands 13 spdb-acs start-stop group tacacs+
aaa accounting commands 14 spdb-acs start-stop group tacacs+
aaa accounting commands 15 spdb-acs start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server key s9y8
logging trap debugging
logging source-interface Loopback0
line vty 0 4
 exec-timeout 5 0
 accounting commands 0 spdb-acs
 accounting commands 1 spdb-acs
 accounting commands 2 spdb-acs
 accounting commands 3 spdb-acs
 accounting commands 4 spdb-acs
 accounting commands 5 spdb-acs
 accounting commands 6 spdb-acs
 accounting commands 7 spdb-acs
 accounting commands 8 spdb-acs
 accounting commands 9 spdb-acs
 accounting commands 10 spdb-acs
 accounting commands 11 spdb-acs
 accounting commands 12 spdb-acs
 accounting commands 13 spdb-acs
 accounting commands 14 spdb-acs
 accounting commands 15 spdb-acs
 accounting exec spdb-acs
 login authentication spdb-acs

Network management configuration

snmp-server community public RO
snmp-server community read RO 10
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server enable traps vtp

Other configuration

service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no ip domain-lookup
ip cef load-sharing algorithm original
clock timezone BJT 8
ntp source Loopback0
monitor session 1 source vlan 1 , 10 , 192 rx
monitor session 1 destination interface Fa0/5

Network implementation

Preparation
1. Eight crossover cables (2 for the trunk, 6 to the floor switches)
2. Free up ports fa0/47 and 48 on the floor switches and configure them accordingly

Implementation steps

Step 1: Rack the two 3550s and power them on (estimated 3 minutes)

Step 2: Move the fiber interfaces that connect the HP minicomputers to the 3550s (estimated 1 minute)
cisco4506 primary gigabit1/1 corresponds to 3550 primary gigabit0/1
cisco4506 primary gigabit2/2 corresponds to 3550 primary gigabit0/2
cisco4506 standby gigabit1/1 corresponds to 3550 primary gigabit0/1
cisco4506 standby gigabit2/2 corresponds to 3550 primary gigabit0/2

Step 3: Use the prepared crossover cables to interconnect the primary and standby 3550s as an ether channel (estimated 1 minute)
3550 primary fa0/47 corresponds to 3550 standby fa0/47
3550 primary fa0/48 corresponds to 3550 standby fa0/48

Step 4: Move all copper ports connected to the cisco4506s over to the 3550s (estimated 5 minutes)
cisco4506 primary fa2/3 corresponds to 3550 primary fa0/3
cisco4506 primary fa2/4 corresponds to 3550 primary fa0/4
and so on
cisco4506 primary fa2/34 corresponds to 3550 primary fa0/34
cisco4506 standby fa2/3 corresponds to 3550 standby fa0/3
cisco4506 standby fa2/4 corresponds to 3550 standby fa0/4
and so on
cisco4506 standby fa2/34 corresponds to 3550 standby fa0/34

Step 5: Interconnect the 3 floor switches with the 3550s (estimated 3 minutes)
3550 primary fa0/41 corresponds to fa0/47 on 255.15
3550 primary fa0/43 corresponds to fa0/47 on 255.16
3550 primary fa0/45 corresponds to fa0/47 on 255.17
3550 standby fa0/41 corresponds to fa0/48 on 255.15
3550 standby fa0/43 corresponds to fa0/48 on 255.16
3550 standby fa0/45 corresponds to fa0/48 on 255.17

IV. Third-party external connection zone network response

1. Third-party business: UnionPay zone network response

Line fault: When a fault occurs, log in to the ASA firewall, the switches and the routers and use show log, show ip int brie, show interface, ping, show ip route, show route and similar commands to confirm the state of the relevant interfaces before and during the fault, and identify the faulty line. If it is an internal network line, the online replacement procedure is as follows:
a) Connect a laptop to the Console port of the network device and start Console monitoring and recording;
b) Have the archived system configuration ready for use. If possible, also save the current system configuration;
c) Label the cables connected to the faulty module and unplug them carefully;
d) Ensure proper grounding and plug in the new replacement network cable;
e) Check that the cable connection status is normal;
f) Confirm that the cable replacement succeeded.

If it is an external cable, then once the fault is confirmed, XX calls the warranty repair number and contacts China Unicom or China Mobile staff to come and repair it.

Device fault: Because all devices in the UnionPay zone are hot-standby pairs, the failure of one does not affect business operation. For a configuration problem, prepare a correct configuration change script, back up the current configuration, and then apply the change; for a hardware problem, contact XX company and request hardware fault repair.

Both devices fail: Use one ASA 5540 firewall as the backup carrying the ASA firewall configuration, one cisco 1841 router as the backup carrying the configuration of the router that connects to UnionPay, and any one switch, which needs no configuration, as the backup for the UnionPay-zone switch.

ASA firewall configuration:

spdbsyasa# sh run
: Saved
ASA Version 8.2(1)
!
hostname spdbsyasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list OUTSIDE_IN extended permit icmp any any
access-list INSIDE_OUT extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
failover lan unit primary
failover lan interface failoverlan GigabitEthernet0/3
failover polltime unit msec 500 holdtime 5
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 2 access-list IPP_PAT
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
route inside 10.20.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server spdb-acs protocol tacacs+
 key s9y8
 key s9y9
aaa authentication ssh console spdb-acs
no snmp-server location
no snmp-server contact
snmp-server community *
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b0171b7af7453023bce0c7ebfafb273e
: end
spdbsyasa#

Router configuration:

R1#sh run
Building configuration.
Current configuration : 4554 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
aaa new-model
!
aaa authentication login spdb-acs group tacacs+ enable
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 1 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 2 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 3 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 4 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 5 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 6 spdb-acs
 action-type start-stop
aaa accounting commands 7 spdb-acs
 action-type start-stop
 group tacacs+
aaa accounting commands 8 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 9 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 10 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 11 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 12 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 13 spdb-acs
 action-type start-stop
 group tacacs+
 action-type start-stop
 group tacacs+
aaa accounting commands 15 spdb-acs
 action-type start-stop
 group tacacs+
aaa session-id common
dot11 syslog
ip source-route
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
voice-card 0
archive
 log config
  hidekeys
track 1 ip sla 1 reachability
interface Loopback0
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Serial0/1/0
 description to Yinlian
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 no shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 ip nat outside
 ip virtual-reassembly
 standby 184 priority 105
 standby 184 preempt
 standby 184 track 1 decrement 10
!
ip forward-protocol nd
ip route 10.0.0
no ip http server
no ip http secure-server
!
ip nat outside source list 105 pool yinlianpool
ip nat outside source list 106 pool pospool
!
ip sla 1
 frequency 5
ip sla schedule 1 life forever start-time now
tacacs-server key s9y8
control-plane
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 accounting commands 0 spdb-acs
 accounting commands 1 spdb-acs
 accounting commands 2 spdb-acs
 accounting commands 3 spdb-acs
 accounting commands 4 spdb-acs
 accounting commands 5 spdb-acs
 accounting commands 6 spdb-acs
 accounting commands 7 spdb-acs
 accounting commands 9 spdb-acs
 accounting commands 10 spdb-acs
 accounting commands 11 spdb-acs
 accounting commands 12 spdb-acs
 accounting commands 13 spdb-acs
 accounting commands 14 spdb-acs
 accounting commands 15 spdb-acs
 accounting exec spdb-acs
 logging synchronous
 login authentication spdb-acs
!
scheduler allocate 20000 1000
ntp source Loopback0
end
R1#

R2#sh run
Building configuration.
Current configuration : 4533 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password cisco
!
aaa new-model
!
aaa authentication login spdb-acs group tacacs+ enable
aaa accounting exec spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 1 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 2 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 3 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 4 spdb-acs
 action-type start-stop
 group tacacs+
aaa accounting commands 5 spdb-acs
 action-type start-stop
 group tacacs+
aaa accounting commands 6 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 7 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 8 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 9 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 10 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 11 spdb-acs
 action-type start-stop
 group tacacs+
aaa accounting commands 12 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 13 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 14 spdb-acs
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 spdb-acs
 action-type start-stop
 group tacacs+
aaa session-id common
clock timezone BJT 8
dot11 syslog
ip source-route
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
 log config
  hidekeys
interface Loopback0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
interface FastEthernet0/3/3
i
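
The plan requires the standby devices to keep the original security policy of the network core, and the 3550 security policy section lists that policy line by line. As an added example (not part of the original plan or of any vendor tool), the Python check below compares a device's management-plane settings with that baseline before the device is put into service; the function names and the sample are assumptions, and the sample is constructed, modelled on the R1 listing.

```python
import re

REQUIRED_LEVELS = set(range(16))  # the baseline accounts for privilege levels 0-15


def parse_sections(config_text):
    """Split IOS-style text into (header, [indented sub-commands]) pairs."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_management_plane(config_text, method_list="spdb-acs"):
    """List the points where a config departs from the 3550 baseline."""
    sections = parse_sections(config_text)
    headers = {header for header, _ in sections}
    findings = []
    for required in ("aaa new-model", "service password-encryption"):
        if required not in headers:
            findings.append(f"global: '{required}' missing")
    pattern = re.compile(rf"accounting commands (\d+) {re.escape(method_list)}")
    for header, body in sections:
        if not header.startswith("line vty"):
            continue
        for required in (f"login authentication {method_list}",
                         f"accounting exec {method_list}"):
            if required not in body:
                findings.append(f"{header}: '{required}' missing")
        # Every privilege level must be accounted, or commands go unlogged.
        levels = {int(m.group(1)) for m in map(pattern.fullmatch, body) if m}
        missing = sorted(REQUIRED_LEVELS - levels)
        if missing:
            findings.append(f"{header}: no command accounting for levels {missing}")
        for cmd in body:
            parts = cmd.split()
            if parts[0] == "exec-timeout" and not any(int(p) for p in parts[1:]):
                findings.append(f"{header}: '{cmd}' disables the idle timeout")
    return findings


# Constructed sample, modelled on the R1 listing; not a copy of a real device.
SAMPLE = "\n".join(
    ["no service password-encryption", "aaa new-model", "line vty 0 4",
     " exec-timeout 0 0"]
    + [f" accounting commands {n} spdb-acs" for n in range(16) if n != 8]
    + [" accounting exec spdb-acs", " login authentication spdb-acs"]
)

if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE):
        print(finding)
```

The parser relies on sub-commands being indented under their section header, as they are in show run output.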
