VPLS

VPLS (Virtual Private LAN Service)

Virtual Private LAN Service (VPLS) provides Layer 2 VPN connectivity by emulating an Ethernet LAN segment across an MPLS network. Each VPLS instance appears as a shared broadcast domain to connected devices, with Ethernet frames transported across label-switched paths (LSPs). Provider Edge (PE) routers terminate VPLS pseudowires and bridge customer traffic across them.

RouterOS 7 supports LDP-signaled VPLS (RFC 4762) and BGP-signaled VPLS (RFC 4761). VPLS interfaces appear under /interface vpls.

Overview

A VPLS instance creates one or more pseudowire connections between PE routers. Each pseudowire is represented as a regular interface in RouterOS and can be added to a bridge along with customer-facing Ethernet interfaces. The bridge handles MAC learning and forwarding; the VPLS pseudowire carries the encapsulated frames to the remote PE.

VPLS vs Layer 3 VPN

Feature	VPLS (Layer 2)	MPLS IP VPN (Layer 3)
Encapsulation	Ethernet frames	IP packets
Protocols	All Layer 2	IP only
Address space	Shared broadcast domain	Isolated VRFs
Routing	Customer-controlled	Provider or customer

Pseudowire Types

RouterOS 7 supports two pseudowire encapsulation types, set with pw-type=:

Value	Description
`raw-ethernet`	Transports raw Ethernet frames including the frame check sequence (default)
`tagged-ethernet`	Preserves VLAN tags — use when customer traffic carries 802.1Q tags

Prerequisites

Before configuring VPLS:

IGP underlay — OSPF or IS-IS must advertise loopback /32 addresses of all PE routers
MPLS enabled on core interfaces — /mpls interface must include all backbone-facing interfaces
LDP operational — /mpls ldp must have an active instance with an LSR-ID reachable by all peers
IP reachability between PE loopbacks — verify with /ping before enabling VPLS

Do not enable MPLS or LDP on the management interface (typically ether1).

L2MTU Requirements

VPLS encapsulation adds overhead. Core interfaces must support sufficient L2MTU:

Payload	Minimum L2MTU
Standard Ethernet	1508 bytes
Single VLAN tag (802.1Q)	1518 bytes
Double VLAN tag (QinQ)	1534 bytes

Configuration

Step 1: Enable MPLS on Core Interfaces

Enable MPLS on each backbone-facing interface of every PE router:

/mpls interface add interface=ether2
/mpls interface add interface=ether3

Step 2: Configure LDP

In RouterOS 7, /mpls ldp is a list with one entry per VRF. A default entry (index 0) is created automatically. Configure the LSR-ID and transport address:

/mpls ldp set 0 lsr-id=1.1.1.1 transport-addresses=1.1.1.1
/mpls ldp interface add interface=ether2
/mpls ldp interface add interface=ether3

lsr-id — the router’s unique MPLS label-switching router identifier, typically the loopback /32 address
transport-addresses — address used for LDP TCP sessions, must match lsr-id

Step 3: Create VPLS Interfaces

Sub-menu: /interface vpls

Each VPLS pseudowire is created as an interface with a remote peer address and a VPLS identifier:

/interface vpls add name=cust-a peer=2.2.2.2 vpls-id=65000:100

Property	Description
`name`	Interface name (used when adding to a bridge)
`peer`	Remote PE loopback address (LDP transport address)
`vpls-id`	VPLS identifier in `AS:ID` format (e.g., `65000:100`) — must match on all PEs in the same VPLS
`pw-type`	Pseudowire type: `raw-ethernet` (default) or `tagged-ethernet`
`mtu`	Interface MTU (default: 1500)
`mac-address`	Auto-assigned; override if needed
`disabled`	`yes` or `no`

For full-mesh topologies, create one /interface vpls entry per remote peer:

# PE1 connecting to PE2 and PE3
/interface vpls add name=cust-a-to-pe2 peer=2.2.2.2 vpls-id=65000:100
/interface vpls add name=cust-a-to-pe3 peer=3.3.3.3 vpls-id=65000:100

Step 4: Bridge VPLS with Customer Interface

Add the VPLS interface and the customer-facing port to a bridge:

/interface bridge add name=br-cust-a protocol-mode=none
/interface bridge port add bridge=br-cust-a interface=ether4
/interface bridge port add bridge=br-cust-a interface=cust-a-to-pe2
/interface bridge port add bridge=br-cust-a interface=cust-a-to-pe3

Use protocol-mode=none to disable STP on the VPLS bridge unless explicitly needed.

Complete Example: Two-Site LDP VPLS

Two PE routers (PE1 loopback 1.1.1.1, PE2 loopback 2.2.2.2) connected via a core router. Customer traffic enters on ether3 at each PE.

PE1:

# Loopback and IGP (assumed pre-configured)
# MPLS on core interface (not management ether1)
/mpls interface add interface=ether2

# LDP
/mpls ldp set 0 lsr-id=1.1.1.1 transport-addresses=1.1.1.1
/mpls ldp interface add interface=ether2

# VPLS pseudowire to PE2
/interface vpls add name=cust-a peer=2.2.2.2 vpls-id=65000:100 disabled=no

# Bridge: customer port + VPLS interface
/interface bridge add name=br-cust-a protocol-mode=none
/interface bridge port add bridge=br-cust-a interface=ether3
/interface bridge port add bridge=br-cust-a interface=cust-a

PE2:

/mpls interface add interface=ether2

/mpls ldp set 0 lsr-id=2.2.2.2 transport-addresses=2.2.2.2
/mpls ldp interface add interface=ether2

/interface vpls add name=cust-a peer=1.1.1.1 vpls-id=65000:100 disabled=no

/interface bridge add name=br-cust-a protocol-mode=none
/interface bridge port add bridge=br-cust-a interface=ether3
/interface bridge port add bridge=br-cust-a interface=cust-a

BGP-Signaled VPLS

RouterOS 7 supports BGP-based VPLS autodiscovery (RFC 4761), which eliminates manual peer configuration. Dynamically discovered VPLS interfaces are shown with the B flag (bgp-signaled) or C flag (cisco-bgp-signaled) in /interface vpls print.

BGP VPLS requires a BGP connection configured with the L2VPN-VPLS address family. Refer to the BGP Configuration documentation for BGP connection setup.

Verification

Check VPLS interface status:

/interface vpls print detail

A healthy VPLS interface shows the R (running) flag. The X flag indicates the interface is disabled.

Check LDP neighbor sessions:

/mpls ldp neighbor print detail

An operational LDP session shows the O flag. If missing, check IGP reachability to the remote LSR-ID.

Check MPLS label forwarding:

/mpls forwarding-table print

Check bridge MAC table:

/interface bridge host print where bridge=br-cust-a

Verify MPLS interface state:

/mpls interface print
/mpls ldp print detail

Troubleshooting

VPLS interface not running (no `R` flag)

Verify LDP session is established with the remote peer:
```
/mpls ldp neighbor print detail
```

Confirm IGP reachability to the peer loopback:

/ping 2.2.2.2
/ip route print where dst-address=2.2.2.2/32

Check MPLS is enabled on the correct core interfaces (not the management interface):
```
/mpls interface print
/mpls ldp interface print
```
Confirm vpls-id matches on both PE routers — mismatched IDs cause pseudowire negotiation failure.

LDP neighbors not forming

Check firewall allows LDP traffic — UDP/646 for discovery, TCP/646 for sessions:
```
/ip firewall filter print
```

Verify the lsr-id is reachable via IGP:

/mpls ldp print detail
/mpls ldp neighbor print

Confirm LDP interfaces are on backbone links (not management):
```
/mpls ldp interface print
```

Traffic bridged locally but not crossing VPLS

Check the VPLS interface is a bridge port:
```
/interface bridge port print
```
Verify mtu is consistent on both ends and core L2MTU is sufficient.

Check bridge host table for MAC learning:

/interface bridge host print where bridge=br-cust-a

Common RouterOS 6 → 7 Migration Errors

RouterOS 6 (invalid in v7)	RouterOS 7 replacement
`/mpls vpls add ...`	`/interface vpls add ...`
`remote-peers=10.0.0.2`	`peer=10.0.0.2` (one peer per interface)
`/mpls ldp set enabled=yes`	`/mpls ldp set 0 lsr-id=... transport-addresses=...`
`/mpls label-range print`	(not available in RouterOS 7)
`/mpls fib print`	`/mpls forwarding-table print`
`/mpls vpls mac print`	`/interface bridge host print`
`pw-type=vpls`	`pw-type=raw-ethernet`
`pw-type=vpls-ether`	`pw-type=tagged-ethernet`