VPLS - Virtual Private LAN Service
TL;DR (Quick Start)
Create a Layer 2 tunnel over MPLS to bridge remote sites transparently.
Prerequisites: MPLS backbone with LDP already configured and running.
```
# Create VPLS tunnel to remote PE router
/interface vpls add name=vpls-site2 remote-peer=10.255.255.2 vpls-id=100:1 disabled=no

# Add to bridge with local LAN
/interface bridge port add interface=vpls-site2 bridge=bridge-lan
```
Verify with:
```
/interface vpls monitor vpls-site2
```
Look for local-label and remote-label values (indicates tunnel is established).
Overview
What this does: VPLS (Virtual Private LAN Service) creates Layer 2 tunnels over an MPLS backbone, enabling transparent Ethernet bridging between geographically separated sites. Remote sites appear to be on the same LAN segment.
When to use this:
- Connecting multiple sites at Layer 2 over an MPLS network
- Extending VLANs across WAN connections
- Service provider Layer 2 VPN offerings
- When you need better performance than EoIP (~60% faster)
How it works:
- VPLS uses two MPLS labels: tunnel label (identifies VPLS instance) and transport label (delivers to remote endpoint)
- LDP or BGP signals the pseudowire between PE routers
- Ethernet frames are encapsulated in MPLS and forwarded across the backbone
- Remote PE router decapsulates and delivers to local bridge
Prerequisites:
- RouterOS Level 4+ license (MPLS features)
- MPLS enabled globally on backbone routers
- LDP (or RSVP-TE/static labels) configured and running
- IGP routing protocol (OSPF/IS-IS) for label distribution
- IP reachability to remote peer loopback addresses
Network Topology
```
Site A                  MPLS Backbone                  Site B
[LAN] --- [PE Router] -------- [P Routers] -------- [PE Router] --- [LAN]
          10.255.255.1                              10.255.255.2
          <-------- VPLS Tunnel (vpls-id=100:1) -------->
```
Configuration Steps
Step 1: Configure Loopback Interface
Create a loopback for MPLS transport addressing:
```
/interface bridge add name=loopback
/ip address add address=10.255.255.1/32 interface=loopback
```
Step 2: Configure IGP Routing
OSPF is required for LDP label distribution. Configure OSPF on backbone interfaces:
```
/routing ospf instance add name=default router-id=10.255.255.1
/routing ospf area add name=backbone area-id=0.0.0.0 instance=default
/routing ospf interface-template add area=backbone interfaces=ether1,loopback
```
Step 3: Enable MPLS
Enable MPLS globally and on backbone interfaces:
```
/mpls settings set enabled=yes
/mpls interface add interface=ether1
```
Step 4: Configure LDP
Enable LDP with transport address set to loopback:
```
/mpls ldp set enabled=yes lsr-id=10.255.255.1 transport-addresses=10.255.255.1
/mpls ldp interface add interface=ether1 transport-addresses=10.255.255.1
```
Step 5: Verify LDP Neighbors
Before creating VPLS, verify LDP sessions are established:
```
/mpls ldp neighbor print
```
Expected: Remote peer appears with transport address.
Step 6: Create VPLS Interface
Create the VPLS tunnel to the remote PE router:
```
/interface vpls add name=vpls-site2 remote-peer=10.255.255.2 vpls-id=100:1 disabled=no
```
Key parameters:
- remote-peer: Loopback IP of remote PE router
- vpls-id: Must match on both ends (format: AS:number or IP:number)
Step 7: Add VPLS to Bridge
Bridge the VPLS tunnel with local LAN interface:
```
/interface bridge add name=bridge-lan
/interface bridge port add interface=ether2 bridge=bridge-lan
/interface bridge port add interface=vpls-site2 bridge=bridge-lan
```
Step 8: Verify VPLS Tunnel
Monitor the VPLS interface:
```
/interface vpls monitor vpls-site2
```
Expected output:
```
local-label: 16
remote-label: 17
transport: 10.255.255.2
imposed-labels: 17,18
remote-status:
```
Common Scenarios
Scenario: Multi-Site VPLS (Hub and Spoke)
Connect multiple sites to a central hub:
Hub Router (10.255.255.1):
```
/interface vpls add name=vpls-spoke1 remote-peer=10.255.255.2 vpls-id=100:1 disabled=no
/interface vpls add name=vpls-spoke2 remote-peer=10.255.255.3 vpls-id=100:1 disabled=no
/interface vpls add name=vpls-spoke3 remote-peer=10.255.255.4 vpls-id=100:1 disabled=no

/interface bridge add name=bridge-vpls
/interface bridge port add interface=vpls-spoke1 bridge=bridge-vpls
/interface bridge port add interface=vpls-spoke2 bridge=bridge-vpls
/interface bridge port add interface=vpls-spoke3 bridge=bridge-vpls
/interface bridge port add interface=ether2 bridge=bridge-vpls
```
Scenario: Cisco Interoperability
Connect MikroTik to Cisco using static pseudowire ID:
```
/interface vpls add name=vpls-cisco remote-peer=10.255.255.2 \
    cisco-static-id=100 pw-type=vpls disabled=no
```
Scenario: BGP-Signaled VPLS (Large Networks)
For autodiscovery in larger deployments:
```
# Configure BGP with L2VPN address family
/routing bgp connection add name=pe-ibgp remote.address=10.255.255.10 \
    local.role=ibgp address-families=l2vpn as=65000

# Create VPLS with BGP signaling
/interface vpls add name=vpls-bgp vpls-id=100:1 \
    import-route-targets=65000:100 export-route-targets=65000:100 \
    use-bgp-signaling=yes disabled=no
```
Scenario: VPLS over RSVP-TE Tunnel
Use traffic-engineered paths instead of LDP:
```
# Create TE tunnel first
/mpls traffic-eng tunnel-path add name=to-site2 use-cspf=yes

# VPLS uses TE tunnel for transport
/interface vpls add name=vpls-te remote-peer=10.255.255.2 vpls-id=100:1 disabled=no
```
Scenario: Tagged VLAN over VPLS
Transport specific VLAN over VPLS:
```
/interface vpls add name=vpls-vlan100 remote-peer=10.255.255.2 vpls-id=100:1 \
    pw-type=tagged-ethernet disabled=no
```
MTU Configuration
MPLS adds overhead to packets. Configure MTU properly to avoid fragmentation:
```
# Interface MTU (L2 payload)
/interface ethernet set ether1 mtu=1500

# MPLS MTU (must exceed interface MTU + label overhead)
/mpls interface set [find interface=ether1] mpls-mtu=1522
```
Rule: MPLS MTU = Interface MTU + 22 bytes (for 2 labels + control word)
Verification
Check 1: Verify VPLS Interface Status
```
/interface vpls print
```
Expected: Shows R (running) flag for active tunnels.
Check 2: Monitor VPLS Tunnel
```
/interface vpls monitor vpls-site2
```
Expected: Shows local-label, remote-label, and imposed-labels.
Check 3: Verify LDP Neighbors
```
/mpls ldp neighbor print
```
Expected: Remote peer listed with transport address.
Check 4: Check MPLS Forwarding Table
```
/mpls forwarding-table print
```
Expected: Labels for remote loopbacks.
Check 5: Verify Bridge Ports
```
/interface bridge port print where bridge=bridge-lan
```
Expected: VPLS interface listed with status=active.
Check 6: Test End-to-End Connectivity
From a host on Site A, ping a host on Site B (same subnet):
```
/tool ping 192.168.1.100
```
Expected: Successful replies indicating L2 connectivity.
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| VPLS tunnel not coming up | LDP not configured or no route to peer | Verify LDP sessions with /mpls ldp neighbor print; check routing |
| Tunnel running but no traffic | VPLS not added to bridge | Add VPLS interface to bridge |
| Large packets dropped | MTU mismatch | Set MPLS MTU at least 22 bytes larger than interface MTU |
| LDP session won’t establish | Transport address not specified | Add transport-addresses to LDP interface config |
| VPLS won’t establish with summary route | Some implementations need /32 routes | Ensure specific /32 routes exist for peer loopbacks |
| v6 config doesn’t work in v7 | MPLS/routing syntax changed | Review v7 documentation; update configuration |
| BGP-signaled VPLS issues (v7.16+) | Known bug with L2VPN | Check MikroTik support; may need workaround |
Common Mistakes
- Missing LDP on loopback - LDP needs transport address on loopback interface
- Summary routes insufficient - Use /32 routes to peer loopbacks for reliable VPLS
- MTU not configured - MPLS MTU must exceed interface MTU + label overhead
- Forgetting to add VPLS to bridge - VPLS interface alone doesn’t bridge traffic
- Mismatched vpls-id - Both ends must use identical vpls-id value
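
The mistakes listed above can be checked offline against saved configuration text from both PE routers. The following Python is an added example, not MikroTik tooling or code from this page; it assumes one full-path command per line (no backslash continuations) and a 1500-byte Ethernet MTU, and the function names and the PE_A/PE_B sample configs are constructed for illustration.

```python
import re
OVERHEAD = 22  # the page's rule: MPLS MTU = interface MTU + 22 bytes

# Constructed sample configs: PE_A follows this page, PE_B contains the listed mistakes.
PE_A = """/mpls ldp set enabled=yes lsr-id=10.255.255.1 transport-addresses=10.255.255.1
/mpls ldp interface add interface=ether1 transport-addresses=10.255.255.1
/mpls interface add interface=ether1
/mpls interface set [find interface=ether1] mpls-mtu=1522
/interface vpls add name=vpls-site2 remote-peer=10.255.255.2 vpls-id=100:1 disabled=no
/interface bridge port add interface=vpls-site2 bridge=bridge-lan"""
PE_B = """/mpls ldp set enabled=yes lsr-id=10.255.255.2 transport-addresses=10.255.255.2
/mpls ldp interface add interface=ether1
/mpls interface add interface=ether1
/interface vpls add name=vpls-site1 remote-peer=10.255.255.1 vpls-id=100:2 disabled=no"""

def parse(cfg):  # -> [(menu path, {param: value})] for each add/set command
    rows = []
    for line in cfg.splitlines():
        m = re.match(r"\s*(/[a-z\- ]+?) (?:add|set)\b(.*)", line)
        if m:
            rows.append((m.group(1), dict(re.findall(r"([\w.-]+)=([^\s\]]+)", m.group(2)))))
    return rows

def menu(rows, path):
    return [params for p, params in rows if p == path]

def audit(cfg, l2_mtu=1500):  # l2_mtu: assumed Ethernet MTU
    rows, out, mtus = parse(cfg), [], {}
    bridged = {p.get("interface") for p in menu(rows, "/interface bridge port")}
    for v in menu(rows, "/interface vpls"):
        if v.get("name") not in bridged:
            out.append(f"{v.get('name')}: VPLS interface not added to a bridge")
    for i in menu(rows, "/mpls ldp interface"):
        if "transport-addresses" not in i:
            out.append(f"{i.get('interface')}: LDP interface has no transport-addresses")
    for i in menu(rows, "/mpls interface"):  # merge an add and a later set per interface
        mtus[i.get("interface")] = i.get("mpls-mtu", mtus.get(i.get("interface")))
    for name, mtu in mtus.items():
        if mtu is None or int(mtu) < l2_mtu + OVERHEAD:
            out.append(f"{name}: mpls-mtu {mtu or 'unset'}, need >= {l2_mtu + OVERHEAD}")
    return out

def vpls_id_mismatch(cfg_a, cfg_b):
    """Return the differing vpls-id lists of the tunnels two PEs point at each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    lsr = lambda r: next(p["lsr-id"] for p in menu(r, "/mpls ldp") if "lsr-id" in p)
    ids = lambda r, peer: sorted(v.get("vpls-id", "") for v in menu(r, "/interface vpls")
                                 if v.get("remote-peer") == peer)
    ia, ib = ids(a, lsr(b)), ids(b, lsr(a))
    return None if ia == ib else (ia, ib)
```

`audit(PE_B)` reports the unbridged VPLS interface, the LDP interface without a transport address and the unset MPLS MTU; `vpls_id_mismatch(PE_A, PE_B)` returns the two differing vpls-id lists.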
VPLS vs EoIP Comparison
| Feature | VPLS | EoIP |
|---|---|---|
| Performance | ~60% faster | Slower |
| Overhead | Lower (MPLS) | Higher (GRE) |
| Requirements | MPLS backbone | IP connectivity |
| Complexity | Higher | Lower |
| Scalability | Better | Limited |
| Fragmentation | Handled by VPLS | IP fragmentation |
Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| name | string | (required) | Interface name |
| remote-peer | IP | (required) | Remote PE router address (loopback) |
| vpls-id | AS:num or IP:num | (required) | VPLS identifier (must match both ends) |
| pw-type | enum | raw-ethernet | Pseudowire type: raw-ethernet, tagged-ethernet, vpls |
| mtu | integer | 1500 | Maximum transmission unit |
| disabled | yes/no | yes | Interface state |
| pw-control-word | yes/no | varies | Use control word in pseudowire |
| cisco-static-id | integer | - | Cisco-style static pseudowire ID |
| use-bgp-signaling | yes/no | no | Use BGP for autodiscovery |
| import-route-targets | RT list | - | BGP route targets to import |
| export-route-targets | RT list | - | BGP route targets to export |
Related Topics
- MPLS Overview - MPLS fundamentals and configuration
- LDP Configuration - Label Distribution Protocol setup
- Bridge Configuration - Bridging for VPLS integration
- EoIP Tunnels - Simpler Layer 2 tunneling alternative
- BGP Configuration - BGP for VPLS autodiscovery
Reference
- MikroTik VPLS Documentation
- MikroTik MPLS Overview
- RFC 4762 - Virtual Private LAN Service Using LDP Signaling
- RFC 4447 - Pseudowire Setup and Maintenance Using LDP
Command Reference
| Command | Description |
|---|---|
| /interface vpls add | Create a VPLS tunnel interface |
| /interface vpls print | List all VPLS interfaces with status |
| /interface vpls monitor | Real-time monitoring of tunnel |
| /interface vpls set | Modify existing VPLS configuration |
| /interface vpls remove | Delete a VPLS interface |
| /mpls settings set | Enable/configure MPLS globally |
| /mpls interface add | Enable MPLS on an interface |
| /mpls ldp set | Configure LDP globally |
| /mpls ldp interface add | Enable LDP on an interface |
| /mpls ldp neighbor print | Show LDP neighbor sessions |
| /mpls forwarding-table print | Show MPLS label bindings |
Summary
VPLS creates Layer 2 tunnels over MPLS for transparent site-to-site bridging:
- Configure loopback with /32 address for MPLS transport
- Enable OSPF (or other IGP) for label distribution
- Enable MPLS globally and on backbone interfaces
- Configure LDP with transport address on loopback
- Create VPLS interface with matching vpls-id on both ends
- Add to bridge to connect VPLS with local LAN
Key points:
- Requires MPLS backbone with LDP (or BGP/RSVP-TE) for label distribution
- ~60% faster than EoIP with lower overhead
- Use /32 routes to peer loopbacks (summary routes may not work)
- MPLS MTU must exceed interface MTU by at least 22 bytes
- License Level 4+ required for MPLS features
- For Cisco interop, use cisco-static-id parameter
- BGP signaling available for larger networks (autodiscovery)