Assistance with Dot1q-tunnel

TrivialPants · ‎07-30-2025

Hey everyone - had a question about dot1q tunnel. I am trying to wrap my head around it for a customer handoff on a 3560 device, which hands off on a l2vpn between two nodes on my MPLS. The one end is at a branch of the customers, we are hoping to add an S-VLAN usinginterface gi1/0/1
switchport mode dot1q tunnel
switchport access vlan 10On the first mpls node/attachment circuit:I am matching on dot1q 10 and stripping that VLAN off, then sending the xconnect to the other device:interface gi0/0/10
...
service instance 2 ethernet
encapsulation dot1q 10
rewrite ingress tag pop 1 symmetric
xconnect <ip of next mpls device> vc <number> encapsulation mplsOn the mpls node that connects to the customer's main office:interface gi0/0/19
...
service instance 1 ethernet
encapsulation default
xconnect /<ip of first mpls device/> vc /<number/> encapsulation mplsthe xconnect is up, but it is only sending traffic that is being pushed into the untagged VLAN of 10. It doesn't seem to be working for the customer's tagged traffic.Am I missing something?

Some other things I have tried:
ensure that the system mtu of the 3560 and the xconnect MTU are larger than 1500 along the whole path

Joshqun Ismayilov · ‎07-30-2025

Hello,

Could you please change the config for gi0/0/19

interface gi0/0/19
service instance 1 ethernet
encapsulation untagged
rewrite egress tag push 1 symmetric
xconnect <ip> vc <id> encapsulation mpls

Thanks!

Joshqun Ismayilov · ‎07-30-2025

The reason is i can see: issue is likely on the egress PE (the second MPLS node). Since your ingress PE strips the outer VLAN 10 tag (rewrite ingress tag pop 1 symmetric), the inner (customer) VLAN tags go over the pseudowire. However, your egress PE is using the default encapsulation, which accepts all traffic but sends it out untagged, so tagged customer traffic may be dropped or mishandled.

Thanks!