1.5 Procedure

                          Step 1     On switche 1 and switch 2: Configure CSSs.

1.       Connect CSS cards through cables.

In the following figure, the S12700 switches have the CSS cards EH1D2VS08000 installed. An S12700 has a maximum number of MPUs, SFUs, and CSS cards installed. Each chassis must have at least one MPU and one SFU installed. You are advised to install two SFUs and two CSS cards in each chassis.

Figure 1-1 CSS card connections

l  The two chassis are connected by at least one CSS cable.

l  One CSS card can only be connected to one CSS card in the other chassis but not the local chassis.

l  An interface in group 1 of a CSS card can only be connected to any interface in group 1 of the CSS card on the other chassis. The requirements for interfaces in group 2 are the same.

l  CSS cards have the same number of cluster cables connected. (If the CSS cards have different numbers of cluster cables connected, the total cluster bandwidth depends on the cluster with the least cluster cables connected.) In addition, interfaces on CSS cards are connected based on interface numbers.

2.       Configure clustering on Switch 1.

# Set the cluster mode to CSS card (the default value does not need to be configured). Retain the default cluster ID 1 (the default value does not need to be configured) and set the priority to 100.

<HUAWEI> system-view
[HUAWEI] set css mode css-card  //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css id 1   //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css priority 100  //The default CSS priority is 1. Change the priority of the master switch to be higher than that of the backup switch.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y//Restart the switch.

3.       Configure clustering on Switch 2.

Set the cluster mode to CSS card (the default value does not need to be configured). Set the CSS ID to 2 and retain the default priority 1 (the default value does not need to be configured).

<HUAWEI> system-view
[HUAWEI] set css id 2  //The default CSS ID is 1. Change the CSS ID to 2.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y//Restart the switch.

4.       Check the CSS status after the switches restart.

−          On Switch 1, the active switch of the CSS, the MASTER indicator on the active MPU is steady green. (Figure 1)

−          On Switch 1, the CSS ID indicators numbered 1 on both MPUs are steady green. On Switch2, the CSS ID indicators numbered 2 on both MPUs are steady green. (Figure 1)

−          The LINK/ALM indicators of interfaces on all CSS cards connected to cluster cables are steady green. (Figure 2)

−          The MASTER indicators on all CSS cards in the active chassis are steady green, and the MASTER indicators on all CSS cards in the standby chassis are off. (Figure 2)

l  After the CSS is established, subsequent operations will be performed on the master switch (switch 1) and data will be automatically synchronized to the standby switch (switch 2).

l  The interface name in a CSS is in the format like 10GE1/4/0/0. The leftmost part indicates the CSS ID.

                          Step 2     On switch 1: Configure the inter-chassis Eth-Trunks between CSS and FWs and between CSS and routers. Configure VLANIF interfaces on the CSS and assign IP addresses to them.

1.       Configure an inter-chassis Eth-Trunk between switches and routers. Configure VLANIF interfaces and assign IP addresses to them.

# In the CSS, create Eth-Trunk1 to connect to Router1 and add member interfaces to Eth-Trunk1.

<HUAWEI> system-view
[HUAWEI] sysname CSS  //Rename the CSS.
[CSS] interface Eth-Trunk 1
[CSS-Eth-Trunk1] quit
[CSS] interface XGigabitethernet 1/4/0/0  //Add an interface on the master switch to Eth-Trunk1.
[CSS-XGigabitEthernet1/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet1/4/0/0] quit
[CSS] interface XGigabitethernet 2/4/0/0  //Add an interface on the backup switch to Eth-Trunk1.
[CSS-XGigabitEthernet2/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet2/4/0/0] quit
 

# In the CSS, create Eth-Trunk2 to connect to Router2 and add member interfaces to Eth-Trunk2.

[CSS] interface Eth-Trunk 2
[CSS-Eth-Trunk2] quit
[CSS] interface XGigabitethernet 1/4/0/1  //Add an interface on the master switch to Eth-Trunk2.
[CSS-XGigabitEthernet1/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet1/4/0/1] quit
[CSS] interface XGigabitethernet 2/4/0/1  //Add an interface on the backup switch to Eth-Trunk2.
[CSS-XGigabitEthernet2/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet2/4/0/1] quit
 

# Create VLANIF interfaces and assign IP addresses to them.

[CSS] vlan batch 10
[CSS] interface Eth-Trunk 1  //Add Eth-Trunk1 to VLAN 10.
[CSS-Eth-Trunk1] port link-type trunk
[CSS-Eth-Trunk1] port trunk allow-pass vlan 10
[CSS-Eth-Trunk1] quit
[CSS] interface Eth-Trunk 2  //Add Eth-Trunk2 to VLAN 10.
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] port trunk allow-pass vlan 10
[CSS-Eth-Trunk2] quit
[CSS] interface Vlanif 10  //Create VLANIF 10 for the CSS to communicate with Router1 and Router2.
[CSS-Vlanif10] ip address 10.10.4.1 24
[CSS-Vlanif10] quit

2.       Configure the inter-chassis Eth-Trunks between switches and FWs and between CSS and routers. Configure VLANIF interfaces on the CSS and assign IP addresses to them.

# In the CSS, create Eth-Trunk4 to connect Public to FW1 and add member interfaces to Eth-Trunk4.

[CSS] interface Eth-Trunk 4
[CSS-Eth-Trunk4] quit
[CSS] interface Gigabitethernet 1/1/0/7  //Add an interface on the master switch to Eth-Trunk4.
[CSS-Gigabitethernet1/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet1/1/0/7] quit
[CSS] interface Gigabitethernet 2/1/0/7  //Add an interface on the backup switch to Eth-Trunk4.
[CSS-Gigabitethernet2/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet2/1/0/7] quit
 

# In the CSS, create Eth-Trunk5 to connect VRF-A to FW1 and add member interfaces to Eth-Trunk5.

[CSS] interface Eth-Trunk 5
[CSS-Eth-Trunk5] quit
[CSS] interface Gigabitethernet 1/1/0/8  //Add an interface on the master switch to Eth-Trunk5.
[CSS-Gigabitethernet1/1/0/8] Eth-Trunk 5
[CSS-Gigabitethernet1/1/0/8] quit
[CSS] interface Gigabitethernet 2/1/0/8  //Add an interface on the backup switch to Eth-Trunk5.
[CSS-Gigabitethernet2/1/0/8] Eth-Trunk 5
[CSS-Gigabitethernet2/1/0/8] quit
 

# In the CSS, create Eth-Trunk6 to connect Public to FW2 and add member interfaces to Eth-Trunk6.

[CSS] interface Eth-Trunk 6
[CSS-Eth-Trunk6] quit
[CSS] interface Gigabitethernet 1/2/0/7  //Add an interface on the master switch to Eth-Trunk6.
[CSS-Gigabitethernet1/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet1/2/0/7] quit
[CSS] interface Gigabitethernet 2/2/0/7  //Add an interface on the backup switch to Eth-Trunk6.
[CSS-Gigabitethernet2/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet2/2/0/7] quit
 

# In the CSS, create Eth-Trunk7 to connect VRF-A to FW2 and add member interfaces to Eth-Trunk7.

[CSS] interface Eth-Trunk 7
[CSS-Eth-Trunk7] quit
[CSS] interface Gigabitethernet 1/2/0/8  //Add an interface on the master switch to Eth-Trunk7.
[CSS-Gigabitethernet1/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet1/2/0/8] quit
[CSS] interface Gigabitethernet 2/2/0/8  //Add an interface on the backup switch to Eth-Trunk7.
[CSS-Gigabitethernet2/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet2/2/0/8] quit
 

# Create VLANIF interfaces and assign IP addresses to them.

[CSS] vlan batch 20 30
[CSS] interface Eth-Trunk 4  //Add Eth-Trunk4 to VLAN 20.
[CSS-Eth-Trunk4] port link-type trunk
[CSS-Eth-Trunk4] port trunk allow-pass vlan 20
[CSS-Eth-Trunk4] quit
[CSS] interface Eth-Trunk 6  //Add Eth-Trunk6 to VLAN 20.
[CSS-Eth-Trunk6] port link-type trunk
[CSS-Eth-Trunk6] port trunk allow-pass vlan 20
[CSS-Eth-Trunk6] quit
[CSS] interface Vlanif 20  //Create VLANIF 20 for Public to connect to FW1 and FW2.
[CSS-Vlanif20] ip address 10.10.2.1 24
[CSS-Vlanif20] quit
[CSS] interface Eth-Trunk 5  //Add Eth-Trunk5 to VLAN 30.
[CSS-Eth-Trunk5] port link-type trunk
[CSS-Eth-Trunk5] port trunk allow-pass vlan 30
[CSS-Eth-Trunk5] quit
[CSS] interface Eth-Trunk 7  //Add Eth-Trunk7 to VLAN 30.
[CSS-Eth-Trunk7] port link-type trunk
[CSS-Eth-Trunk7] port trunk allow-pass vlan 30
[CSS-Eth-Trunk7] quit
[CSS] interface Vlanif 30  //Create VLANIF 30 for VRF-A to connect to FW1 and FW2.
[CSS-Vlanif30] ip address 10.10.3.1 24
[CSS-Vlanif30] quit

3.       Configure inter-chassis Eth-Trunks between switches and service networks. Configure VLANIF interfaces and assign IP addresses to them.

# In the CSS, create Eth-Trunk8 to connect to service network 1 and add member interfaces to Eth-Trunk8.

[CSS] interface Eth-Trunk 8
[CSS-Eth-Trunk8] quit
[CSS] interface Gigabitethernet 1/3/0/1  //Add an interface on the master switch to Eth-Trunk8.
[CSS-Gigabitethernet1/3/0/1] Eth-Trunk 8
[CSS-Gigabitethernet1/3/0/1] quit
[CSS] interface Gigabitethernet 2/3/0/1  //Add an interface on the backup switch to Eth-Trunk8.
[CSS-Gigabitethernet2/3/0/1] Eth-Trunk 8
[CSS-Gigabitethernet2/3/0/1] quit
 

# In the CSS, create Eth-Trunk9 to connect to service network 2 and add member interfaces to Eth-Trunk9.

[CSS] interface Eth-Trunk 9
[CSS-Eth-Trunk9] quit
[CSS] interface Gigabitethernet 1/3/0/2  //Add an interface on the master switch to Eth-Trunk9.
[CSS-Gigabitethernet1/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet1/3/0/2] quit
[CSS] interface Gigabitethernet 2/3/0/2  //Add an interface on the backup switch to Eth-Trunk9.
[CSS-Gigabitethernet2/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet2/3/0/2] quit

# Create VLANIF interfaces and assign IP addresses to them.

[CSS] vlan batch 100 200
[CSS] interface Eth-Trunk 8  //Add Eth-Trunk8 to VLAN 100.
[CSS-Eth-Trunk8] port link-type trunk
[CSS-Eth-Trunk8] port trunk allow-pass vlan 100
[CSS-Eth-Trunk8] quit
[CSS] interface Vlanif 100  //Create VLANIF 100 for CSS to connect to service network 1.
[CSS-Vlanif100] ip address 10.10.100.1 24
[CSS-Vlanif100] quit
[CSS] interface Eth-Trunk 9  //Add Eth-Trunk9 to VLAN 200.
[CSS-Eth-Trunk9] port link-type trunk
[CSS-Eth-Trunk9] port trunk allow-pass vlan 200
[CSS-Eth-Trunk9] quit
[CSS] interface Vlanif 200  //Create VLANIF 200 for CSS to connect to service network 2.
[CSS-Vlanif200] ip address 10.10.200.1 24
[CSS-Vlanif200] quit

                          Step 3     On routers: Configure the interfaces between routers and CSS.

# Configure Router1, create Eth-Trunk1 on Router1, and add member interfaces to Eth-Trunk1.

<Huawei> system-view
[Huawei] sysname Router1
[Router1] interface Eth-Trunk 1  
[Router1-Eth-Trunk1] quit
[Router1] interface XGigabitethernet 1/0/1  
[Router1-XGigabitEthernet1/0/1] undo shutdown
[Router1-XGigabitEthernet1/0/1] Eth-Trunk 1
[Router1-XGigabitEthernet1/0/1] quit
[Router1] interface XGigabitethernet 1/0/2  
[Router1-XGigabitEthernet1/0/2] undo shutdown
[Router1-XGigabitEthernet1/0/2] Eth-Trunk 1
[Router1-XGigabitEthernet1/0/2] quit

# Configure the Dot1q termination subinterface for VLAN 10 and assign an IP address to the subinterface.

[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] ip address 10.10.4.2 24
[Router1-Eth-Trunk1.100] dot1q termination vid 10
[Router1-Eth-Trunk1.100] quit

# The configuration procedure on Router2 is the same as that on Router1 except that the interface addresses are different.

                          Step 4     On firewalls: Configure interfaces and zones.

# Configure interfaces and zones on FW1.

<USG> system-view
[USG] sysname FW1
[FW1] interface Eth-Trunk 4  //Configure the interface connected to CSS and assign an IP address to it.
[FW1-Eth-Trunk4] ip address 10.10.2.2 24
[FW1-Eth-Trunk4] quit
[FW1] interface Gigabitethernet 1/0/0  //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/0] Eth-Trunk 4
[FW1-GigabitEthernet1/0/0] quit
[FW1] interface Gigabitethernet 1/0/1  //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/1] Eth-Trunk 4
[FW1-GigabitEthernet1/0/1] quit
 
[FW1] interface Eth-Trunk 5  //Configure the interface connected to CSS and assign an IP address to it.
[FW1-Eth-Trunk5] ip address 10.10.3.2 24
[FW1-Eth-Trunk5] quit
[FW1] interface Gigabitethernet 1/1/0  //Add an interface to Eth-Trunk5.
[FW1-GigabitEthernet1/1/0] Eth-Trunk 5
[FW1-GigabitEthernet1/1/0] quit
[FW1] interface Gigabitethernet 1/1/1  //Add an interface to Eth-Trunk5.
[FW1-GigabitEthernet1/1/1] Eth-Trunk 5
[FW1-GigabitEthernet1/1/1] quit
 
[FW1] interface Eth-Trunk 1  //Configure the interface connecting FW1 to FW2.
[FW1-Eth-Trunk1] ip address 10.1.1.1 24
[FW1-Eth-Trunk1] quit
[FW1] interface Gigabitethernet 2/0/0  //Add an interface to Eth-Trunk1.
[FW1-GigabitEthernet2/0/0] Eth-Trunk 1
[FW1-GigabitEthernet2/0/0] quit
[FW1] interface Gigabitethernet 2/0/1  //Add an interface to Eth-Trunk1.
[FW1-GigabitEthernet2/0/1] Eth-Trunk 1
[FW1-GigabitEthernet2/0/1] quit
 
[FW1] firewall zone trust
[FW1-zone-trust] add interface Eth-Trunk 5  //Add Eth-Trunk5 connected to the intranet to a trusted zone.
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface Eth-Trunk 4  //Add Eth-Trunk4 connected to the extranet to an untrusted zone.
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface Eth-Trunk 1  //Add the interface between FW1 and FW2 to the DMZ.
[FW1-zone-dmz] quit

# Configure interfaces and zones on FW2.

<USG> system-view
[USG] sysname FW2
[FW2]  interface Eth-Trunk 6  //Configure the interface connected to CSS and assign an IP address to it.
[FW2-Eth-Trunk6] ip address 10.10.2.3 24
[FW2-Eth-Trunk6] quit
[FW2] interface Gigabitethernet 1/0/0  //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/0] Eth-Trunk 6
[FW2-GigabitEthernet1/0/0] quit
[FW2] interface Gigabitethernet 1/0/1  //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/1] Eth-Trunk 6
[FW2-GigabitEthernet1/0/1] quit
 
[FW2]  interface Eth-Trunk 7  //Configure the interface connected to CSS and assign an IP address to it.
[FW2-Eth-Trunk7] ip address 10.10.3.3 24
[FW2-Eth-Trunk7] quit
[FW2] interface Gigabitethernet 1/1/0  //Add an interface to Eth-Trunk7.
[FW2-GigabitEthernet1/1/0] Eth-Trunk 7
[FW2-GigabitEthernet1/1/0] quit
[FW2] interface Gigabitethernet 1/1/1  //Add an interface to Eth-Trunk7.
[FW2-GigabitEthernet1/1/1] Eth-Trunk 7
[FW2-GigabitEthernet1/1/1] quit
 
[FW2]  interface Eth-Trunk 1  //Configure the interface between FW2 and FW1.
[FW2-Eth-Trunk1] ip address 10.1.1.2 24
[FW2-Eth-Trunk1] quit
[FW2] interface Gigabitethernet 2/0/0  //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/0] Eth-Trunk 1
[FW2-GigabitEthernet2/0/0] quit
[FW2] interface Gigabitethernet 2/0/1  //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/1] Eth-Trunk 1
[FW2-GigabitEthernet2/0/1] quit
 
[FW2] firewall zone trust
[FW2-zone-trust] add interface Eth-Trunk 7  //Add Eth-Trunk7 connected to the intranet to the trusted zone.
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface Eth-Trunk 6  //Add Eth-Trunk6 connected to the extranet to the untrusted zone.
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface Eth-Trunk 1  //Add the interface between FW1 and FW2 to the DMZ.
[FW2-zone-dmz] quit

                          Step 5     On routers: Configure VRRP. Configure Router1 as the VRRP master and Router2 as the VRRP backup.

# Configure Router1.

[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100  //Configure the VRRP virtual IP address.
[Router1-Eth-Trunk1.100] vrrp vrid 1 priority 120  //Increase the priority of Router1 to make Router1 become the Master.
[Router1-Eth-Trunk1.100] quit

# Configure Router2.

[Router2] interface Eth-Trunk 1.100
[Router2-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100  //Configure the VRRP virtual IP address.
[Router2-Eth-Trunk1.100] quit

After the configuration is complete, a VRRP group should have been set up between Router1 and Router2. You can run the display vrrp command to view the VRRP status of Router1 and Router2.

# Check the VRRP status of Router1. The status is master.

[Router1] display vrrp
  Eth-Trunk1.100 | Virtual Router 1
    State : Master
    Virtual IP : 10.10.4.100
    Master IP : 10.10.4.2
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2015-05-18 06:53 UTC-05:13
    Last change time : 2015-05-18 06:53 UTC-05:13

# Check the VRRP status of Router2. The status is backup.

[Router2] display vrrp
  Eth-Trunk1.100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.10.4.100
    Master IP : 10.10.4.2
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2015-05-18 06:53 UTC-05:13
    Last change time : 2015-05-18 06:53 UTC-05:13

                          Step 6    Configure routes between CSS and FWs and between CSS and routers.

1.       Configure OSPF between switches and routers.

# Create VPN instance Public on CSS and bind the interfaces connected to routers and firewalls to Public.

[CSS] ip vpn-instance Public  //Create the VPN instance Public.
[CSS-vpn-instance-Public] ipv4-family
[CSS-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
[CSS-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
[CSS-vpn-instance-Public-af-ipv4] quit
[CSS-vpn-instance-Public] quit
[CSS] interface Vlanif 10
[CSS-Vlanif10] ip binding vpn-instance Public  //Bind VLANIF 10, which connects the CSS to router, to Public.
[CSS-Vlanif10] ip address 10.10.4.1 24   //Reconfigure an IP address for VLANIF 10, because the preceding operation has deleted the original IP address.
[CSS-Vlanif10] quit
[CSS] interface Vlanif 20
[CSS-Vlanif20] ip binding vpn-instance Public  //Bind VLANIF 20, which connects the CSS to firewall's upstream interface, to Public.
[CSS-Vlanif20] ip address 10.10.2.1 24   //Reconfigure an IP address for VLANIF 20, because the preceding operation has deleted the original IP address.
[CSS-Vlanif20] quit

# Configure a static route in Public to forward upstream traffic. Set the next hop of the route to the VRRP virtual IP address of routers.

[CSS] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100   //Configure a default route for Public and set the next hop as the VRRP virtual IP address of the router.

# Configure OSPF between CSS and routers to forward downstream traffic. Routers can learn the return routes to service networks using OSPF.

[CSS] ospf 100 router-id 1.1.1.1
[CSS-ospf-100] area 0
[CSS-ospf-100-area-0.0.0.0] network 10.10.100.0 0.0.0.255   //Advertise the routes on the network segment of service network 1 to OSPF.
[CSS-ospf-100-area-0.0.0.0] network 10.10.200.0 0.0.0.255   //Advertise the routes on the network segment of service network 2 to OSPF.
[CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255   //Advertise the routes on the network segment connected to Router to OSPF.
[CSS-ospf-100-area-0.0.0.0] quit
[CSS-ospf-100] import-route static      //Import the static route to OSPF.
[CSS-ospf-100] quit

Configure OSPF on Router1 and Router2.

# Configure Router1.

[Router1] ospf 100 router-id 2.2.2.2
[Router1-ospf-100] area 0
[Router1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255   //Advertise the routes on the network segment connected to CSS to OSPF.
[Router1-ospf-100-area-0.0.0.0] quit
[Router1-ospf-100] quit      

# Configure Router2.

[Router2] ospf 100 router-id 3.3.3.3
[Router2-ospf-100] area 0
[Router2-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255   //Advertise the routes on the network segment connected to CSS to OSPF.
[Router2-ospf-100-area-0.0.0.0] quit
[Router2-ospf-100] quit      

# After the configurations are complete, CSS, Router1, and Router2 can set up neighbor relationships. For example, when you view OSPF neighbor information on the CSS, you can find that Router1 and Router2 have set up OSPF neighbor relationships with CSS and the neighbor status is Full.

[CSS] display ospf peer
           OSPF Process 100 with Router ID 1.1.1.1
             Neighbors 
 
 
       Area 0.0.0.0 interface 10.10.4.1(Vlanif10)'s neighbors
       Router ID: 2.2.2.2          Address: 10.10.4.2
         State: Full  Mode:Nbr is  Master  Priority: 1
         DR: 10.10.4.1  BDR: 10.10.4.2  MTU: 0    
         Dead timer due in 31  sec 
         Retrans timer interval: 5 
         Neighbor is up for 00:13:23     
         Authentication Sequence: [ 0 ] 
 
      Router ID: 3.3.3.3          Address: 10.10.4.3 
        State: Full  Mode:Nbr is  Master  Priority: 1
        DR: 10.10.4.1  BDR: 10.10.4.2  MTU: 0    
       Dead timer due in 37  sec 
        Retrans timer interval: 5
        Neighbor is up for 00:00:52   
        Authentication Sequence: [ 0 ]

2.       Configure static routes between switches and FWs.

# Create VRF-A on the CSS to forward upstream traffic, and bind the interfaces connected to service networks and downstream interfaces of firewalls to VRF-A. The default route of VRF-A is the downstream VRRP virtual IP address (VRID2) of firewalls.

[CSS] ip vpn-instance VRF-A  //Create VRF-A.
[CSS-vpn-instance-VRF-A] ipv4-family
[CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[CSS-vpn-instance-VRF-A-af-ipv4] quit
[CSS-vpn-instance-VRF-A] quit
[CSS] interface Vlanif 100
[CSS-Vlanif100] ip binding vpn-instance VRF-A  //Bind VLANIF 100, which connects the CSS to service network 1, to VRF-A.
[CSS-Vlanif100] ip address 10.10.100.1 24   //Reconfigure an IP address for VLANIF 100, because the preceding operation has deleted the original IP address.
[CSS-Vlanif100] quit
[CSS] interface Vlanif 200
[CSS-Vlanif200] ip binding vpn-instance VRF-A  //Bind VLANIF 200, which connects the CSS to service network 2, to VRF-A.
[CSS-Vlanif200] ip address 10.10.200.1 24   //Reconfigure an IP address for VLANIF 200, because the preceding operation has deleted the original IP address.
[CSS-Vlanif200] quit
[CSS] interface Vlanif 30
[CSS-Vlanif30] ip binding vpn-instance VRF-A  //Bind VLANIF 30, which connects the CSS to the firewall's downstream interface, to VRF-A.
[CSS-Vlanif30] ip address 10.10.3.1 24   //Reconfigure an IP address for VLANIF 30, because the preceding operation has deleted the original IP address.
[CSS-Vlanif30] quit

# Configure a default route in VRF-A. The next hop is the downstream VRRP 2 virtual IP address (VRID2) of firewalls.

[CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5

# Configure a static route in Public to forward downstream traffic. Set the next hop of the route to the upstream VRRP 1 virtual IP address (VRID1) of firewalls.

[CSS] ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5   //The destination address is on service network 1 and the next hop is the VRID2 virtual IP address of the two FWs.

[CSS] ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5   //The destination address is on service network 2 and the next hop is the VRID2 virtual IP address of the two FWs.

3.       Configure static routes on firewalls.

# Configure a static route on FW1.

[FW1] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1  //For upstream traffic, the next hop of the default route is the IP address of VLANIF 20 on Public.
[FW1] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1  //For downstream traffic, the destination address is on service network 1 and the next hop is the IP address of VLANIF 30 on VRF-A.
[FW1] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1  //For downstream traffic, the destination address is on service network 2 and the next hop is the IP address of VLANIF 30 on VRF-A.

# Configure a static route on FW2.

[FW2] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1  //For upstream traffic, the next hop of the default route is the IP address of VLANIF 20 on Public.
[FW2] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1  //For downstream traffic, the destination address is on service network 1 and the next hop is the IP address of VLANIF 30 on VRF-A.
[FW2] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1  //For downstream traffic, the destination address is on service network 2 and the next hop is the IP address of VLANIF 30 on VRF-A.

# After the configuration is complete, an OSPF neighbor relationship should have been established between Router 1and Router 2. You can run the display ospf peer command to view the OSPF neighbor status. The following uses the display on CSS switches as an example. You can view that the OSPF neighbor status is Full.

4.       Verify the configuration.

# Check the routing table on CSS.

[CSS] display ip routing-table vpn-instance VRF-A    
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF-A
         Destinations : 7        Routes : 7        
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
        0.0.0.0/0   Static  60   0          RD   10.10.3.5       Vlanif30
      10.10.3.0/24  Direct  0    0           D   10.10.3.1       Vlanif30
      10.10.3.1/32  Direct  0    0           D   127.0.0.1       Vlanif30
    10.10.100.0/24  Direct  0    0           D   10.10.100.1     Vlanif100
    10.10.100.1/32  Direct  0    0           D   127.0.0.1       Vlanif100
    10.10.200.0/24  Direct  0    0           D   10.10.200.1     Vlanif200
    10.10.200.1/32  Direct  0    0           D   127.0.0.1       Vlanif200

In the routing table on VRF-A, the first line indicates that the next hop for the traffic destined for the Internet is the VRRP VRID 2 virtual IP address (10.10.3.5) of firewalls. This indicates that upstream traffic is forcibly directed to firewalls for filtering.

[CSS] display ip routing-table vpn-instance Public    
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7        
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
        0.0.0.0/0   Static  60   0          RD   10.10.4.100       Vlanif10
      10.10.2.0/24  Direct  0    0           D   10.10.2.1       Vlanif20
      10.10.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
      10.10.4.0/24  Direct  0    0           D   10.10.4.1       Vlanif10
      10.10.4.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
      10.10.100.0/24  Static  60   0          RD   10.10.2.5       Vlanif20
      10.10.200.0/24  Static  60   0          RD   10.10.2.5       Vlanif20

In the routing table on Public, the first line indicates that the next hop for the traffic destined for the Internet is the VRRP VRID 1 virtual IP address (10.10.4.100) of routers.

The fifth and sixth lines indicate that the next hop for the traffic destined for service networks is the VRRP VRID 1 virtual IP address (10.10.3.5) of firewalls. This indicates that downstream traffic is forcibly directed to firewalls for filtering.

                          Step 7     Configure HRP on firewalls.

# Configure HRP on FW1 and set FW1 as master.

[FW1] interface Eth-Trunk 4
[FW1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master  //Configure VRRP group 1 on the upstream interface and set it status to master.
[FW1-Eth-Trunk4] quit
[FW1] interface Eth-Trunk 5
[FW1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master  //Configure VRRP group 2 on the downstream interface and set it status to master.
[FW1-Eth-Trunk5] quit
[FW1] hrp interface Eth-Trunk 1 remote 10.1.1.2  //Configure the heartbeat interface and enable HRP.
[FW1] firewall packet-filter default permit interzone local dmz
[FW1] hrp enable
HRP_M[FW1]

# Configure HRP on FW2 and set FW2 as slave.

[FW2] interface Eth-Trunk 6
[FW2-Eth-Trunk6] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave  //Configure VRRP group 1 on the upstream interface and set it status to slave.
[FW2-Eth-Trunk6] quit
[FW2] interface Eth-Trunk 7
[FW2-Eth-Trunk7] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave   //Configure VRRP group 2 on the downstream interface and set it status to slave.
[FW2-Eth-Trunk7] quit
[FW2] hrp interface Eth-Trunk 1 remote 10.1.1.1  //Configure the heartbeat interface and enable HRP.
[FW2] firewall packet-filter default permit interzone local dmz
[FW2] hrp enable
HRP_M[FW2]

# Check VRRP status. FW1 is the master and FW2 is the slave.

HRP_M[FW1] display vrrp
  Eth-Trunk4 | Virtual Router 1
     VRRP Group : Master
    State : Master
    Virtual IP : 10.10.2.5
    Virtual MAC : 0000-5e00-0101
    Primary IP : 10.10.2.2
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
     Advertisement Timer : 1
    Auth type : NONE
    Check TTL : YES
    
Eth-Trunk5 | Virtual Router 2
     VRRP Group : Master
    State : Master
    Virtual IP : 10.10.3.5
    Virtual MAC : 0000-5e00-0102
    Primary IP : 10.10.3.2
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
     Advertisement Timer : 1
    Auth type : NONE
    Check TTL : YES

HRP_M[FW2] display vrrp
  Eth-Trunk7 | Virtual Router 2
     VRRP Group : Slave
    State : Backup
    Virtual IP : 10.10.3.5
    Virtual MAC : 0000-5e00-0102
    Primary IP : 10.10.3.3
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
     Advertisement Timer : 1
    Auth type : NONE
    Check TTL : YES
    
Eth-Trunk6 | Virtual Router 1
     VRRP Group : Slave
    State : Backup
    Virtual IP : 10.10.2.5
    Virtual MAC : 0000-5e00-0101
    Primary IP : 10.10.2.3
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
     Advertisement Timer : 1
    Auth type : NONE
    Check TTL : YES

# Check HRP status.

HRP_M[FW1] display hrp state
 The firewall's config state is: MASTER
 
 Current state of virtual routers configured as master:
                       Eth-Trunk4    vrid   1 : master
           (gigabitEthernet1/0/0)             : up  
           (gigabitEthernet1/0/1)             : up  
                       Eth-Trunk5    vrid   2 : master
           (gigabitEthernet1/1/0)             : up  
           (gigabitEthernet1/1/1)             : up

After HRP is configured, the configurations and sessions on the active firewall are synchronized to the standby firewall; therefore, you only need to perform the following configurations on the active firewall FW1.

                          Step 8     Configure security policies on firewalls.

Only the connection configurations between firewalls and switches and the HRP configurations on firewalls are provided in the following procedure. For the security service plan on the firewalls and security policies, attack defense, bandwidth management, and IPSec on the campus network, see Firewall Configuration Examples.

                          Step 9     Verify the configuration.

After the configurations are complete, check whether the CSS and routers can ping each other.

# Ping Eth-Trunk1.100 of Router1 from the CSS to check the uplink connectivity.

<CSS> ping 10.10.4.2
 
Ping 10.10.4.2: 32 data bytes, Press Ctrl_C to break
    Reply From 10.10.4.2: bytes=32 seq=1 ttl=126 time=140 ms
    Reply From 10.10.4.2: bytes=32 seq=2 ttl=126 time=235 ms
    Reply From 10.10.4.2: bytes=32 seq=3 ttl=126 time=266 ms
    Reply From 10.10.4.2: bytes=32 seq=4 ttl=126 time=140 ms
    Reply From 10.10.4.2: bytes=32 seq=5 ttl=126 time=141 ms
 
--- 10.10.200.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 140/184/266 ms

You can find that the CSS and Router1 can ping each other.

# Ping the VRF-A VLANIF 100 on the CSS from Router1 to check the downlink connectivity.

<Router1> Ping 10.10.100.1
 
Ping 10.10.100.1: 32 data bytes, Press Ctrl_C to break
    Reply From 10.10.100.1: bytes=32 seq=1 ttl=253 time=235 ms
    Reply From 10.10.100.1: bytes=32 seq=2 ttl=253 time=109 ms
    Reply From 10.10.100.1: bytes=32 seq=3 ttl=253 time=79 ms
    Reply From 10.10.100.1: bytes=32 seq=4 ttl=253 time=63 ms
    Reply From 10.10.100.1: bytes=32 seq=5 ttl=253 time=63 ms
 
--- 202.10.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 63/109/235 ms

You can find that Router1 and CSS VLANIF 100 can ping each other.

----End

good!