VPLS (Virtual Private LAN Service) connects multiple geographically separate sites over an MPLS backbone so they all behave as a single Layer 2 network. Devices at different locations can communicate as if plugged into the same switch.
How VPLS Works
Traditional VPNs operate at Layer 3 - they route IP packets between sites. VPLS operates at Layer 2, forwarding Ethernet frames. The provider's MPLS network acts as a giant virtual switch.
The core components:
- CE (Customer Edge): Your router or switch at each site
- PE (Provider Edge): The ISP's MPLS-capable router that connects to your site
- P (Provider Core): Interior MPLS routers that carry the traffic
Each PE router maintains a MAC address table per VPLS instance. When a frame arrives from a CE, the PE looks up the destination MAC, encapsulates the frame in an MPLS label stack, and forwards it across the core to the correct remote PE - which strips the labels and delivers the original Ethernet frame to the destination CE.
Unknown MACs trigger a flood to all PE nodes in the VPLS instance, exactly like a real switch would flood unknown unicast traffic.
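The forwarding decision described above, as an added example that is not part of the original article: a toy Python model of one PE with a separate MAC table per VPLS instance. The class, port names, MAC addresses, and the `mac_limit` cap with its "refuse to learn when full" behaviour are assumptions for illustration; the model handles only frames arriving from a CE and floods only toward remote PEs.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class PE:
    """Toy model of one PE router: a separate MAC table per VPLS instance."""

    def __init__(self, mac_limit):
        self.mac_limit = mac_limit           # assumed per-instance cap
        self.tables = defaultdict(dict)      # instance -> {mac: port}
        self.peers = defaultdict(set)        # instance -> remote PE names
        self.not_learned = defaultdict(int)  # instance -> MACs refused when full

    def learn(self, instance, src_mac, port):
        """Data-plane learning: bind a source MAC to the port it arrived on."""
        table = self.tables[instance]
        if src_mac in table or len(table) < self.mac_limit:
            table[src_mac] = port
        else:
            self.not_learned[instance] += 1

    def forward(self, instance, src_mac, dst_mac, in_port):
        """Decide where a frame received from a CE goes."""
        self.learn(instance, src_mac, in_port)
        port = self.tables[instance].get(dst_mac)
        if dst_mac != BROADCAST and port is not None:
            return ("unicast", port)
        # Broadcast or unknown unicast: replicate to every remote PE.
        return ("flood", sorted(self.peers[instance]))

def demo():
    # Constructed sample MACs (locally administered, unicast).
    a, b, c = "02:aa:00:00:00:01", "02:bb:00:00:00:02", "02:cc:00:00:00:03"
    pe1 = PE(mac_limit=3)
    pe1.peers["cust-a"] = {"PE2", "PE3"}
    pe1.peers["cust-b"] = {"PE2"}
    out = [pe1.forward("cust-a", a, b, "ac1")]       # B unknown: flood
    pe1.learn("cust-a", b, "pw:PE2")                 # B's reply came from PE2
    out.append(pe1.forward("cust-a", a, b, "ac1"))   # B known: one pseudowire
    for i in range(5):                               # burst of new source MACs
        pe1.learn("cust-a", f"02:00:00:00:00:{i:02x}", "ac1")
    pe1.learn("cust-a", c, "pw:PE3")                 # table full: C is refused
    out.append(pe1.forward("cust-a", a, c, "ac1"))   # so traffic to C floods
    out.append(pe1.forward("cust-b", a, b, "ac2"))   # other instance: B unknown
    return out, pe1.not_learned["cust-a"]

if __name__ == "__main__":
    print(demo())
```

The third result shows the failure mode of a full table: a host that could not be learned is reached only by flooding, so every remote PE in the instance receives its traffic.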
VPLS vs. Other WAN Technologies
| Feature | VPLS | MPLS L3VPN | VXLAN |
|---|---|---|---|
| Layer | L2 | L3 | L2 over L3 |
| Routing required | No | Yes | No |
| Broadcast domain | Shared | Separate | Shared |
| Scalability | Limited | High | High |
| Typical use | LAN extension | Site interconnect | Data center overlay |
Two VPLS Signaling Standards
RFC 4761 (BGP-based): PE routers use BGP to auto-discover peers and distribute labels. Scales better, less manual config.
RFC 4762 (LDP-based): PE routers use LDP to signal pseudowires between each PE pair. Simpler but requires full-mesh pseudowire configuration - gets complex fast with many sites.
Most enterprise deployments use BGP-based VPLS for anything beyond three or four sites.
Where VPLS Is Used
- Connecting branch offices that run Layer 2 protocols (VPLS passes STP, CDP, LLDP transparently)
- Extending VLANs across data centers before VXLAN became standard
- Carrier Ethernet services sold by ISPs as transparent LAN services (TLS)
- Legacy applications that require Layer 2 adjacency between servers
Limitations to Know
Broadcast traffic floods across all sites - poor design or a broadcast storm at one location affects every site in the VPLS instance. MAC table scale is also a concern; large deployments with many endpoints can overwhelm PE routers. EVPN (RFC 7432) has largely replaced VPLS in modern deployments because it handles MAC learning via the BGP control plane instead of data-plane flooding.
Bottom Line
VPLS is the right tool when you need true Layer 2 connectivity between sites and your provider runs MPLS. It's transparent, flexible, and widely supported - but it doesn't scale like EVPN and broadcast-heavy environments can cause problems. If you're designing something new, evaluate EVPN first; VPLS is still worth understanding for existing deployments and legacy environments.