Eth-trunk sub-interface was not a member of the security domain, that caused it can not ping

Publication Date:  2012-11-27 Views:  197 Downloads:  0
Issue Description

The subinterface address from the S9300 on pingSACG device can not ping.
Alarm Information
Handling Process

1, Address on S9300 can ping NE40-E address. It proved that between s9300 and NE40-E is no problem;

2, NE40-E cannot ping SACG subinterface address. Check the route on NE40, the S9300, sacg, there was no problem; it proved that the problem is on NE40-E sacg.

3, View arp learning on NE40-E and sacg, it can learn, it  proved that the link between the two devices is no problem.

4, Delete the subinterface configuration on NE40-E and sacg, directly use the main interface configuration. who can communicate with each other.

5, Checks the configuration found sub-eth-trunk interface on SACG is not added to the security domain, leading to the problem.

6, Add the handle interface to the security domain, the problem is solved.
Root Cause
1 Link problem;

2, The routing problem;

3, Device problems;

4, The configuration problem;
When the firewall is enabled subinterface, Do not forget add the interface that actual participation packet forwarding to the security domain.