No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.

Knowledge Base

As the SACG, the USG Uses the Subinterface to Connect to the Peer Device and the Configuration of the Policy-based Route

Publication Date:  2012-07-25  |   Views:  2  |   Downloads:  0  |   Author:  anliku  |   Document ID:  EKB1000012801


Issue Description

As the SACG, the USG2220 is connected to the customer's core switch H3C 5500. Since there are not enough physical interfaces, the subinterface is adopted. However, the USG2220 and H3C 5500 are configured, directly-connected addresses cannot be pinged through.

Alarm Information


Handling Process

1. Add two Vlanif interfaces (namely, VLAN 501 and 502) on the H3C 5500, and configure the physical interface in Trunk mode, allowing the communication of VLAN 501 and 502. Configure VLAN 501 (IP address: and VLAN 502 (IP address: on the Layer-3 interface.
2. Configure G0/0/0.1 to encapsulate VLAN 501 (IP address: and G0/0/0.2  to encapsulate VLAN 502 (IP address: on the USG2220.
Namely, the physical interface on the peer device acts as the Trunk interface, and Vlanif and Trunk interfaces are configured to allow VLAN communication. However, the VLAN ID of the subinterface on the USG2220 must be consistent with that on the peer device.

Root Cause

1. The interface G1/0/0 through which H3C 5500 is connected to the USG2220 is not configured as the Trunk interface, but the primary and secondary addresses on the Layer-2 Vlanif interface are adopted.
2. When the subinterface of the USG2220 is configured, the VLAN ID (such as vlan-type dot1q 501) encapsulated by the subinterface must be configured. Therefore, the corresponding VLAN ID must be configured on the peer device.
3. If VLAN 501 and 502 are configured on H3C 5500 to connect to the USG2220 and the VLAN ID encapsulated on the subinterface of the USG2220 is inconsistent with that on the peer device, communication fails.


1. The Industrial Bank uses the Eudemon 1000E as the SACG, and some offices adopt subinterfaces. In the scenario where the SACG has subinterfaces, it is recommended that the policy-base route be enabled, ensuring that the traffic goes back to the switch from which the traffic comes. See the following configuration:
traffic classifier TSM_1
 if-match acl 3001
traffic classifier TSM_2
 if-match acl 3002
traffic behavior secospace_1
  remark ip-nexthop 103.46.70 output-interface GigabitEthernet1/0/0.2
traffic behavior secospace_2
  remark ip-nexthop output-interface GigabitEthernet1/0/1.2
qos policy secospaceTSM_1
 classifier TSM_1 behavior secospace_1
qos policy secospaceTSM_2
 classifier TSM_2 behavior secospace_2
2. As shown in the following, the policy-based route of the Eudemon can be applied to zones.
firewall zone trust
 set priority 85
 qos apply policy secospaceTSM_1 outbound
 add interface GigabitEthernet1/0/0.1
3. However, the policy-based route of the USG can be applied only to Vlanif interfaces, but not zones. See the following:
interface Vlanif30
 ip address
                                          qos apply policy T0-switch-2 outbound