VPLS

VPLS (Virtual Private LAN Service)

Virtual Private LAN Service (VPLS) provides layer 2 VPN functionality by emulating a LAN segment across an MPLS infrastructure. VPLS appears as a single broadcast domain to connected devices, with Ethernet frames transported across the MPLS network using label-switched paths. Customer sites connect to VPLS instances through Ethernet interfaces, with the VPLS instance managing MAC learning and frame forwarding across the MPLS core.

VPLS combines the benefits of MPLS transport with layer 2 transparency, enabling enterprises to connect geographically dispersed sites as if they were on the same LAN. The service supports all layer 2 protocols including STP, LLDP, and multicast traffic without requiring layer 3 configuration. RouterOS VPLS supports both manual LDP-based configuration and MP-BGP-based autodiscovery for simplified provisioning.

Overview

VPLS creates Ethernet tunnels between customer sites using pseudowire (PW) tunnels over a Multiprotocol Label Switching (MPLS) packet switching network. Each VPLS instance establishes full mesh or hub-and-spoke connectivity between customer sites, appearing as a single switch to the customer. The service operates at layer 2, meaning customer devices communicate using standard Ethernet frames without awareness of the underlying MPLS transport.

The fundamental architecture consists of Provider Edge (PE) routers that connect customer sites to the MPLS backbone. Each PE router maintains a VPLS instance with pseudowire connections to other PE routers in the same VPLS domain. When a customer frame enters a PE router, the router learns the source MAC address and associates it with the incoming interface. The frame is then encapsulated with MPLS labels and forwarded across the MPLS network to the appropriate destination PE based on the learned MAC address table.

VPLS vs Traditional Layer 3 VPNs

VPLS differs from Layer 3 VPNs (MPLS IP VPN) in several fundamental ways. Layer 3 VPNs operate at the network layer, exchanging routing information between customer sites and transporting IP packets. VPLS operates at the data link layer, transporting complete Ethernet frames including all layer 2 protocols. This makes VPLS suitable for customers requiring transparent LAN services, protocol support beyond IP, or migration of existing layer 2 networks to MPLS infrastructure.

Feature	VPLS (Layer 2 VPN)	MPLS IP VPN (Layer 3 VPN)
Encapsulation	Ethernet frames	IP packets
Protocols	All layer 2 protocols	IP only
Address space	Shared broadcast domain	Isolated VRFs
Routing	Customer controls	Provider or customer
Scalability	Full mesh complexity	Route reflection
Use cases	LAN extension, VLAN migration	IP interconnect

When to Use VPLS

VPLS is appropriate in several deployment scenarios where layer 2 transparency is required. Enterprises migrating from legacy LAN infrastructures often use VPLS to preserve existing network designs without IP renumbering. Organizations requiring support for non-IP protocols such as IPX, AppleTalk, or proprietary protocols benefit from VPLS transport. Service providers offering transparent LAN services to customers use VPLS to deliver Ethernet connectivity across metropolitan or wide area networks.

Consider VPLS deployment when customers need to span a single broadcast domain across multiple geographic locations, when existing layer 2 applications cannot be easily converted to layer 3, when protocol transparency is required beyond IP, or when customers prefer to maintain control of their own addressing and routing schemes.

VPLS Prerequisites

Before deploying VPLS, ensure the underlying MPLS infrastructure is operational. VPLS requires functioning label distribution through LDP or RSVP-TE, with label-switched paths established between all PE routers participating in VPLS instances.

Required Components

The following components must be configured before VPLS deployment:

1. MPLS enabled on core interfaces - Each router interface connecting to other PE or P routers must have MPLS enabled
2. LDP or RSVP-TE operational - Label distribution protocol must be running and exchanging labels between all routers
3. IP connectivity between PE routers - Loopback addresses must be reachable across the MPLS network
4. BGP (optional for autodiscovery) - If using BGP-based VPLS, BGP must be configured between PE routers

Minimum L2MTU Requirements

VPLS encapsulation adds overhead to Ethernet frames, increasing the effective packet size. Network interfaces must support sufficient L2MTU to carry VPLS traffic without fragmentation:

Configuration	Minimum L2MTU
Standard Ethernet	1508 bytes
Single VLAN tag	1518 bytes
Double VLAN tag	1534 bytes

If network path L2MTU is insufficient, enable the VPLS Control Word for fragmentation support. See VPLS Control Word for details.

Configuration

VPLS configuration involves enabling MPLS, establishing the underlying label distribution, and creating VPLS instances with appropriate settings.

Enable MPLS

First, ensure MPLS is enabled on all routers in the path:

# Enable MPLS globally
/mpls set enabled=yes

# Enable MPLS on core interfaces
/mpls interface add interface=ether1
/mpls interface add interface=ether2
/mpls interface add interface=ether3

Configure LDP

Label Distribution Protocol (LDP) establishes label-switched paths for VPLS transport:

# Enable LDP with loopback address as transport address
/mpls ldp set enabled=yes transport-address=10.255.255.1

# Add LDP interfaces (typically core interfaces)
/mpls ldp interface add interface=ether1 transport-address=10.255.255.1
/mpls ldp interface add interface=ether2 transport-address=10.255.255.1

# Verify LDP neighbor adjacency
/mpls ldp neighbor print

VPLS Instance Configuration

Sub-menu: /mpls vpls

Create VPLS instances to establish layer 2 VPN services:

Property	Type	Description	Default
enabled	yes | no	Enable VPLS instance	no
name	string	VPLS instance name
remote-peers	list	Comma-separated addresses of peer routers
vpls-id	integer	VPLS identifier for autodiscovery
mtu	integer: 64..65535	VPLS interface MTU	1500
mac-address	MAC address	Auto-generated MAC address	auto
arp	proxy | local | disabled	ARP handling mode	proxy
pw-type	vpls | vpls-ether	Pseudowire type	vpls
encryption	yes | no	Enable pseudowire encryption	no

# Enable VPLS globally (required before creating instances)
/mpls vpls set enabled=yes

# Create VPLS instance with manual peer configuration
/mpls vpls add name=customer-a remote-peers=10.0.0.2,10.0.0.3 mtu=1500

# Configure with specific VPLS ID for BGP autodiscovery
/mpls vpls add name=customer-b vpls-id=100 remote-peers=10.0.0.2

# Disable ARP proxy for direct bridged operation
/mpls vpls add name=customer-c remote-peers=10.0.0.2 arp=local

VPLS Interface

Sub-menu: /interface vpls

VPLS interfaces represent the customer-facing attachment to the VPLS service. Each VPLS instance creates a corresponding interface that connects to the bridge or customer equipment:

# VPLS interface is created automatically with the instance
# View VPLS interfaces
/interface vpls print

# Monitor VPLS tunnel status
/interface vpls monitor customer-a

The VPLS interface supports additional configuration parameters:

Property	Type	Description
use-control-word	enabled | disabled | default	Control Word for fragmentation
pw-l2mtu	integer	L2MTU advertised to remote peer
cisco-static-id	integer	Cisco-style static pseudowire ID
force-ip	yes | no	Force IP encapsulation

VPLS BGP Autodiscovery

BGP-based VPLS autodiscovery simplifies VPLS provisioning by using BGP to distribute VPLS membership information. When configured, routers discover other VPLS participants through BGP updates rather than manual peer configuration, enabling dynamic addition of sites without modifying existing router configurations.

BGP VPLS Configuration

# Configure BGP instance for VPLS
/routing bgp instance set default vpls-as=65000 vpls-l3-vni=0

# Add BGP peer for VPLS exchange
/routing bgp peer add name=vpls-peers remote-address=10.0.0.0/24 remote-as=65000 address-family=vpls

# Create VPLS with BGP autodiscovery (no manual peers needed)
/mpls vpls add name=auto-vpls vpls-id=200

BGP VPLS uses extended communities to signal VPLS membership and pseudowire parameters. The vpls-id serves as the VPLS identifier for autodiscovery, with BGP advertising this value to all configured BGP peers.

VPLS MAC Table

Sub-menu: /mpls vpls mac

The VPLS MAC table displays learned MAC addresses and their associated pseudowires. MAC learning ensures frames are forwarded only to the appropriate site rather than flooded across all pseudowires.

# View VPLS MAC table
/mpls vpls mac print

# View MAC addresses for specific VPLS instance
/mpls vpls mac print where vpls=customer-a

# Flush learned MAC addresses (may be needed after topology changes)
/mpls vpls mac flush

MAC Learning Behavior

RouterOS VPLS implements split horizon forwarding to prevent loops in the full mesh topology. When a MAC address is learned on one pseudowire, traffic destined for that MAC is forwarded only through that specific pseudowire rather than flooded to all pseudowires. This behavior mimics a learning switch and prevents the broadcast storms that would occur in a naive full mesh.

The MAC address learning process operates as follows:

1. When a frame arrives from a customer interface, the source MAC is learned and associated with the incoming pseudowire
2. When a frame needs to be forwarded, the destination MAC is looked up in the MAC table
3. If the destination MAC is known, the frame is forwarded only to the associated pseudowire
4. If the destination MAC is unknown, the frame is flooded to all pseudowires except the source

MAC Address Limits

Each VPLS instance maintains a MAC address table with hardware-dependent limits. Monitor MAC table utilization to ensure sufficient capacity:

# Check resource usage for MAC tables
/resource print

VPLS Statistics

Sub-menu: /mpls vpls statistics

VPLS statistics provide visibility into pseudowire traffic and errors for monitoring and troubleshooting:

# View VPLS statistics
/mpls vpls statistics print

# Monitor specific VPLS instance
/mpls vpls statistics print where name=customer-a

Key statistics include:

• rx-packets / tx-packets - Packet counts
• rx-bytes / tx-bytes - Byte counts
• rx-dropped / tx-dropped - Dropped packet counts
• rx-error / tx-error - Error counts

Practical Examples

Example 1: Basic LDP VPLS Between Two Sites

Deploy VPLS to connect two customer sites across an MPLS backbone:

Router A (Site 1):

# Enable MPLS and LDP
/mpls set enabled=yes
/mpls ldp set enabled=yes transport-address=10.255.255.1
/mpls ldp interface add interface=ether1 transport-address=10.255.255.1

# Enable VPLS globally
/mpls vpls set enabled=yes

# Create VPLS to Router B
/mpls vpls add name=site-a-vpls remote-peers=10.255.255.2 mtu=1500 disabled=no

# Add VPLS interface to customer bridge
/interface bridge add name=br-customer protocol-mode=none
/interface bridge port add bridge=br-customer interface=ether2
/interface bridge port add bridge=br-customer interface=vpls-site-a-vpls

Router B (Site 2):

# Enable MPLS and LDP
/mpls set enabled=yes
/mpls ldp set enabled=yes transport-address=10.255.255.2
/mpls ldp interface add interface=ether1 transport-address=10.255.255.2

# Enable VPLS globally
/mpls vpls set enabled=yes

# Create VPLS to Router A
/mpls vpls add name=site-b-vpls remote-peers=10.255.255.1 mtu=1500 disabled=no

# Add VPLS interface to customer bridge
/interface bridge add name=br-customer protocol-mode=none
/interface bridge port add bridge=br-customer interface=ether2
/interface bridge port add bridge=br-customer interface=vpls-site-b-vpls

Verify the connection:

# Check VPLS tunnel status on both routers
/interface vpls print

# Verify MAC learning across VPLS
/mpls vpls mac print

# Test connectivity from customer devices

Example 2: Three-Site Full Mesh VPLS

Connect three customer sites in a full mesh topology:

Router A:

/mpls vpls add name=customer-full-mesh remote-peers=10.255.255.2,10.255.255.3 mtu=1500

Router B:

/mpls vpls add name=customer-full-mesh remote-peers=10.255.255.1,10.255.255.3 mtu=1500

Router C:

/mpls vpls add name=customer-full-mesh remote-peers=10.255.255.1,10.255.255.2 mtu=1500

Each router maintains two pseudowire connections, one to each remote site. MAC learning ensures traffic flows directly between sites without unnecessary flooding.

Example 3: VPLS with VLANs

Transport VLAN-tagged traffic across VPLS:

# Create VPLS with VLAN support
/mpls vpls add name=customer-vlan remote-peers=10.255.255.2 pw-type=vpls-ether mtu=1504

# Configure bridge with VLAN filtering
/interface bridge add name=br-vlan protocol-mode=none vlan-filtering=yes

# Add customer port with VLAN tagging
/interface bridge vlan add bridge=br-vlan tagged=ether2 vlan-ids=100

# Add VPLS port (trunk carries all VLANs)
/interface bridge vlan add bridge=br-vlan tagged=vpls-customer-vlan vlan-ids=100,200,300

# Add ports to bridge
/interface bridge port add bridge=br-vlan interface=ether2
/interface bridge port add bridge=br-vlan interface=vpls-customer-vlan

Example 4: Hub-and-Spoke VPLS Topology

Deploy hub-and-spoke topology where all traffic flows through a central site:

Hub Router:

# Enable VPLS globally
/mpls vpls set enabled=yes

# Create spoke VPLS instances
/mpls vpls add name=spoke-1 remote-peers=10.255.255.2
/mpls vpls add name=spoke-2 remote-peers=10.255.255.3
/mpls vpls add name=spoke-3 remote-peers=10.255.255.4

Spoke Routers:

# Each spoke connects only to hub
/mpls vpls add name=to-hub remote-peers=10.255.255.1

This topology reduces the number of pseudowires required (O(n) instead of O(n²)) but requires the hub to forward all inter-site traffic.

Troubleshooting

Common VPLS Issues

VPLS tunnel not establishing:

1. Verify MPLS is operational:

   /mpls interface print
   /mpls ldp neighbor print

2. Check LDP session status:

   /mpls ldp neighbor print detail

3. Verify IP connectivity between peers:

   /ping 10.255.255.2

4. Check firewall allows LDP traffic (UDP port 646)

VPLS up but no traffic:

1. Verify MAC learning:

   /mpls vpls mac print

2. Check bridge configuration:

   /interface bridge port print

3. Verify MTU settings match on both ends

Intermittent connectivity:

1. Monitor VPLS statistics for errors:

   /interface vpls monitor customer-a

2. Check for MPLS label exhaustion:

   /mpls label-range print

3. Verify LDP session stability

Diagnostic Commands

# View all VPLS interfaces and status
/interface vpls print detail

# Monitor VPLS tunnel in real-time
/interface vpls monitor [name]

# Check MPLS forwarding table
/mpls fib print

# View LDP bindings
/mpls ldp bindings print

# Check routing to remote peer
/ip route print where dst-address ~ "10.255.255"

Command Reference

/mpls vpls

Property	Description
enabled	Enable or disable VPLS globally
name	VPLS instance name
remote-peers	List of remote PE router addresses
vpls-id	VPLS identifier for BGP autodiscovery
mtu	Interface MTU
mac-address	MAC address for the VPLS interface
arp	ARP mode: proxy, local, or disabled
pw-type	Pseudowire type
encryption	Enable pseudowire encryption

/interface vpls

Property	Description
use-control-word	Enable Control Word for fragmentation
pw-l2mtu	L2MTU advertised to peer
cisco-static-id	Cisco-style static PW identifier
vpls-id	VPLS identifier
remote-peer	Remote peer address
disabled	Disable the VPLS interface

/mpls vpls mac

Property	Description
mac	Learned MAC address
vpls	VPLS instance name
interface	Local interface
age	MAC entry age

Related Information

RFC References

RFC	Title	Relevance
RFC 4761	BGP-Based VPLS Signaling	BGP autodiscovery and signaling
RFC 4762	VPLS Using LDP Signaling	LDP-based VPLS tunnel establishment
RFC 4623	PWE3 Fragmentation and Reassembly	Control Word for fragmentation
RFC 4447	L2VPN Signaling (FEC Type 0x80)	Cisco-style static VPLS

Related Topics

• MPLS Overview - MPLS configuration and concepts
• LDP Configuration - Label Distribution Protocol
• VPLS Control Word - Control Word for MTU handling
• RSVP-TE - Traffic engineering for explicit paths
• MPLS IP VPN - Layer 3 VPN alternatives