The USG as SACG uses subinterfaces to connect to the peer equipment, with a policy-based routing case

Publication Date:  2012-09-26
Issue Description
A USG2220 acting as SACG connects to the customer's H3C 5500 core switch. Because there are not enough physical interfaces, subinterfaces have to be used. After both sides finished their configuration, the directly connected addresses could not ping each other.
Alarm Information
None.
Handling Process
1、 On the H3C switch, add two VLAN interfaces (VLAN-IF 501 and 502), set the physical interface facing the USG to TRUNK mode and permit VLANs 501 and 502 on that trunk; configure the layer-3 addresses VLAN-IF 501: 10.1.1.1/30 and VLAN-IF 502: 10.1.1.5/30.
2、 On the USG, configure subinterface G0/0/0.1 to encapsulate VLAN 501 with the corresponding address 10.1.1.2/30, and G0/0/0.2 to encapsulate VLAN 502 with the corresponding address 10.1.1.6/30. On the switch side the physical interface must be in TRUNK mode, the VLAN-IFs must be configured and the trunk must permit the corresponding VLANs; the VLAN ID encapsulated on each Huawei USG subinterface must be the same as the VLAN ID used on the peer end.
Root Cause
1、 The interface G1/0/0 that connects the H3C equipment to the Huawei USG was not configured as TRUNK; instead, a host address and a secondary (sub) address had been created on the layer-3 VLAN-IF interface.
2、 If the USG uses a subinterface, the VLAN ID encapsulated by that subinterface must be configured, e.g. vlan-type dot1q 501, so the peer equipment must use the corresponding VLAN ID.
3、 If VLANs 501 and 502 are added on the H3C switch to connect to the USG subinterfaces, but the VLAN IDs of the USG subinterfaces do not match those on the peer equipment, communication is broken.
Suggestions
1、 Xinye Bank uses an Eudemon 1000E as the SACG, and some offices use subinterfaces. When the SACG uses subinterfaces, we suggest configuring policy-based routing to ensure that the traffic is re-injected into the switch it passed through; refer to the configuration:
traffic classifier TSM_1
if-match acl 3001
traffic classifier TSM_2
if-match acl 3002
#
traffic behavior secospace_1
remark ip-nexthop 103.46.70 output-interface GigabitEthernet1/0/0.2
traffic behavior secospace_2
remark ip-nexthop 10.3.46.86 output-interface GigabitEthernet1/0/1.2
#
qos policy secospaceTSM_1
classifier TSM_1 behavior secospace_1
qos policy secospaceTSM_2
classifier TSM_2 behavior secospace_2
2、 On the Eudemon, the policy-based routing can be applied in the security zone:
firewall zone trust
set priority 85
qos apply policy secospaceTSM_1 outbound
add interface GigabitEthernet1/0/0.1
3、 On the USG, the policy-based routing cannot be applied in a zone; it is applied on the VLAN-IF interface, as follows:
interface Vlanif30
ip address 192.168.1.9 255.255.255.252
qos apply policy T0-switch-2 outbound
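The two faults in this case, a subinterface VLAN ID that does not match the peer VLAN-IF (Root Cause items 1 to 3) and a policy-based routing next-hop that is not actually reachable through the named output-interface (Suggestion item 1), can both be caught offline from the two device configs before anyone pings. The script below is an added example, not Huawei or H3C code. It parses a constructed H3C switch config and a constructed USG config built from the addresses in the Handling Process (VLANs 501/502, 10.1.1.0/30 and 10.1.1.4/30); the trunk port, the interface names and the next-hop lines are assumptions, as is the Comware "port trunk permit vlan" syntax. USG_BAD_CONFIG reproduces the mismatch from Root Cause item 3 plus a next-hop written with a dropped dot and one that lies outside the output-interface's subnet.

```python
# Added example, not Huawei or H3C code; both configs are constructed from the case above.
import ipaddress
import re
H3C_CONFIG = """\
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk permit vlan 501 502
interface Vlan-interface501
 ip address 10.1.1.1 255.255.255.252
interface Vlan-interface502
 ip address 10.1.1.5 255.255.255.252
"""
USG_CONFIG = """\
interface GigabitEthernet0/0/0.1
 vlan-type dot1q 501
 ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet0/0/0.2
 vlan-type dot1q 502
 ip address 10.1.1.6 255.255.255.252
traffic behavior secospace_1
 remark ip-nexthop 10.1.1.1 output-interface GigabitEthernet0/0/0.1
traffic behavior secospace_2
 remark ip-nexthop 10.1.1.5 output-interface GigabitEthernet0/0/0.2
"""
# Broken variant: VLAN 503 instead of 502 (Root Cause 3), a next-hop with a dropped dot, an off-link next-hop.
USG_BAD_CONFIG = (USG_CONFIG.replace("dot1q 502", "dot1q 503")
                  .replace("ip-nexthop 10.1.1.1 ", "ip-nexthop 103.46.70 ")
                  .replace("ip-nexthop 10.1.1.5 ", "ip-nexthop 10.1.1.1 "))

def parse_sections(config):
    """Group a VRP/Comware-style config into {header line: [sub-command lines]}."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def interfaces(sections):
    """{ifname: (vlan or None, IPv4Interface or None)}; a VLAN-IF carries its VLAN in the name."""
    result = {}
    for header, body in sections.items():
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            m = re.match(r"Vlan(?:-interface|if)(\d+)$", name, re.IGNORECASE)
            vlan, addr = (int(m.group(1)) if m else None), None
            for cmd in body:
                if cmd.startswith("vlan-type dot1q "):  # USG subinterface encapsulation
                    vlan = int(cmd.split()[2])
                elif cmd.startswith("ip address "):
                    addr = ipaddress.IPv4Interface("/".join(cmd.split()[2:4]))
            result[name] = (vlan, addr)
    return result

def trunk_permitted(config):
    """VLAN IDs permitted on trunk ports ('501 502' or '501 to 510'); None means all."""
    vlans = set()
    for spec in re.findall(r"^\s*port trunk permit vlan (.+)$", config, re.M):
        if "all" in spec.split():
            return None
        for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_subinterfaces(switch_cfg, usg_cfg):
    """Root Cause 1-3: same VLAN ID on both ends, VLAN permitted on the trunk, one shared subnet."""
    permitted = trunk_permitted(switch_cfg)
    by_vlan = {v: a for v, a in interfaces(parse_sections(switch_cfg)).values() if v is not None}
    findings = []
    for name, (vlan, addr) in interfaces(parse_sections(usg_cfg)).items():
        if vlan is None:
            continue  # physical interface, not a dot1q subinterface
        if vlan not in by_vlan:
            findings.append(f"{name}: VLAN {vlan} has no VLAN-IF on the switch")
        elif permitted is not None and vlan not in permitted:
            findings.append(f"{name}: VLAN {vlan} is not permitted on the trunk")
        elif addr and by_vlan[vlan] and addr.network != by_vlan[vlan].network:
            findings.append(f"{name}: {addr} and switch {by_vlan[vlan]} are in different subnets")
    return findings

def check_pbr(usg_cfg):
    """Suggestion 1: each 'remark ip-nexthop X output-interface Y' needs an X that is on-link for Y."""
    sections = parse_sections(usg_cfg)
    ifs, findings = interfaces(sections), []
    for header, body in sections.items():
        for nexthop, ifname in re.findall(r"remark ip-nexthop (\S+) output-interface (\S+)", "\n".join(body)):
            addr = ifs.get(ifname, (None, None))[1]
            try:
                ok = addr is not None and ipaddress.IPv4Address(nexthop) in addr.network
            except ValueError:  # e.g. '103.46.70': a dropped dot leaves an unparsable address
                ok = False
            if not ok:
                findings.append(f"{header}: next-hop {nexthop} is not a valid on-link address for {ifname}")
    return findings
```

Run check_subinterfaces(H3C_CONFIG, USG_CONFIG) and check_pbr(USG_CONFIG) on the matching pair and both return an empty list; on USG_BAD_CONFIG the first reports that VLAN 503 has no VLAN-IF on the switch and the second flags both next-hops. The on-link test matters for the re-injection design in Suggestion 1: the remark ip-nexthop address must be the switch's VLAN-IF address on the same /30 as the named subinterface, otherwise the SACG has no ARP entry for it and the redirected traffic never returns to the switch.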

END