Hi Everyone,

I'm wondering if someone may have encountered a similar issue in the past with the following configuration on a ME3600. Below is a description of what I'm currently seeing.

Attached is a topology of what is currently built. 

Site A can reach to Site B without any issues in both directions.

Site B can reach to Sites C-D-E without any issues in both directions

Sites C-D-E can reach to Site A 

Site A doesn't appear to reach Sites C-D-E correctly

All 5 sites are currently built using a single VLAN and have L3 established.

If I initiate a Source ping from an Internal SVI at Site C to the WAN SVI which terminated at Site A it works

If I initiate a Source ping from an Internal SVI at Site C to the Internal SVI at Site A, it doesn't.

I can however do the reverse and it will work correctly. So from Site A to Site C.

While going through the packet capture, it appears like the failing traffic is being lost along the way

Any thoughts?

Below are the relevant configs.

Switch-B Configs:

interface gig0/12

description To Switch-A (GigE0/12)

switchport trunk allowed vlan 100

switchport mode trunk

spanning-tree bpdufilter enable

!

interface gig0/23

description To Customer (Site A)

switchport mode trunk

switchport trunk allowed vlan 100

no cdp enable

no lldp transmit

no lldp receive

!

Switch-A configs (ME3600):

interface gig0/12

description To Switch-B

mtu 9216

switchport mode trunk

switchport trunk allowed vlan none

spanning-tree bpdufilter enable

ethernet dot1ad uni c-port

 service instance 100 ethernet

 description To Switch-B (VLAN 100)

 encapsulation dot1q 100

 bridge-domain 100

!

interface Ten0/1

desc 3rd Party NNI

mtu 9216

switchport mode trunk

switchport trunk allowed vlan none

service instance 1 ethernet

description To Site-C

encapsulation dot1ad 2101 dot1q 100

rewrite ingress tag pop 1 symmetric

bridge-domain 100

!

service instance 1 ethernet

description To Site-D

encapsulation dot1ad 2102 dot1q 100

rewrite ingress tag pop 1 symmetric

bridge-domain 100

!

service instance 1 ethernet

description To Site-E

encapsulation dot1ad 2103 dot1q 100

rewrite ingress tag pop 1 symmetric

bridge-domain 100

!

interface Ten0/2

description To Site-B

mtu 9216

switchport mode trunk

switchport trunk allowed vlan none

service instance 1 ethernet

description To Site-B

encapsulation dot1q 100

bridge-domain 100

!

I know that best practice should be to have a rewrite in place for all the service instances, however when I tried to do that, the End customer lost all connectivity.

Now some of the things I've tried are:

- Remove "ethernet dot1ad uni c-port" on Switch-A GigE0/12

- Add "ethernet dot1ad nni" to Switch-A Ten0/1

- Rebuilt the bridge-domain

- Tried using "rewrite ingress tag pop 2 symmetrical", however the following error message was displayed:

Invalid EFP Config: conflict with existing efp configuration
Invalid EFP config: egress filtering beyond 2nd vlan in packet is not supported
TenGigabitEthernet 0/1 service instance 1: Unable to add to bridge-domain 100

** To note, there is another customer on this same 3rd party network and it is functioning correctly. The only difference is there is no second tag on the encapsulation part. Only the initial dot1ad tag.

All outside interface (IE: WAN interfaces) can all talk to each other with out any issues. Also, as an additional odd behaviour, if a tunnel is built between the Site A - SiteC/D/E, inside traffic works correctly.

Would anyone have any thoughts.

Thanks.

--Dominique