Virtual Private LAN Service (VPLS) emulates a LAN segment across the Multiprotocol Label Switching (MPLS) backbone using pseudowires or virtual circuits. VPLS creates one or more LANs for each customer who uses the service from the service provider. Each LAN is completely separate from the other emulated LAN segments, hence the “P” for “Private” in VPLS. When a customer with different Ethernet sites connects to an MPLS backbone where VPLS is deployed, it appears as if all the sites are interconnected through a virtual Ethernet switch. Two options are available to interconnect these Ethernet sites: either Spanning Tree Protocol (STP) bridge protocol data units (BPDUs) are not allowed to pass through the virtual switch, or they are allowed to pass. In the first case, the spanning tree in each Ethernet site terminates at the provider edge (PE) router. In the second case, the spanning tree crosses the MPLS backbone (the virtual switch), and one STP runs through all sites.
An Ethernet LAN is a Layer 2 domain. As such, Ethernet frames are transported across the MPLS backbone. This is the same as for Ethernet over MPLS (EoMPLS). However, EoMPLS is a service that is point-to-point in nature, whereas VPLS, which emulates a LAN, is point-to-multipoint in nature and as such must support replicating broadcast and multicast frames. Finally, VPLS must perform some functions that are inherent to an Ethernet switch, such as MAC address learning and aging, if the virtual switch is to be emulated.
The Need for VPLS
VPLS is a service that emulates an Ethernet LAN. The need for VPLS arose because MPLS VPN is a service that is IP centric. No other Layer 3 traffic can be carried across the MPLS backbone with this service. Any Transport over MPLS (AToM) allows you to carry all Layer 3 protocols, because AToM carries the Layer 2 frames across the MPLS backbone; thus, AToM is not limited to carrying IP. The disadvantage of AToM is that it is point-to-point. Between each pair of PE routers is a pseudowire (two LSPs, one for each direction) that carries the Layer 2 frames.
Metro Ethernet networks have seen a tremendous rise in popularity in the past few years because Ethernet is cheap, flexible, omnipresent, and easy to provision. If a customer wants to connect his Ethernet segments from different sites across an MPLS backbone from a service provider, he could use the EoMPLS service, but that would connect the segments in a point-to-point fashion. If the different Ethernet sites are located in proximity, the customer could connect them by deploying an Ethernet switch between the segments. The Ethernet switch would forward the unicast frames and replicate multicast and broadcast frames to the different outgoing ports. If the different sites are not in close proximity, a switch could not be put directly between the sites to interconnect them at Layer 2. VPLS provides that functionality by emulating an Ethernet LAN or acting as a logical bridge over MPLS. The different LAN segments are interconnected by the service provider that runs the VPLS service. The VPLS service that runs over MPLS emulates an Ethernet switch that has different ports leading to the different Ethernet sites. A port can be a physical Ethernet port or a pseudowire.
VPLS Architecture
A VPLS service emulates a LAN or the functionality of an Ethernet switch. An Ethernet switch has the following characteristics:
■ Forwarding of Ethernet frames
■ Forwarding of unicast frames with an unknown destination MAC address
■ Replication of broadcast and multicast frames to more than one port
■ Loop prevention
■ Dynamic learning of MAC addresses
■ MAC address aging
VPLS should also have these characteristics. Ethernet frames receive two MPLS labels before they are forwarded across the MPLS backbone. This forwarding of Ethernet frames is the same as in The tunnel label is the top label that indicates how the frame is forwarded from the ingress PE to the egress PE router. If the PE router receives a frame that has an unknown destination MAC address, the frame is replicated and forwarded to all ports that belong to that LAN segment. The LAN segment on an Ethernet switch might be a collection of ports belonging to the same VLAN. When configuring VPLS, you must specify which VPLS instance a particular port or VLAN belongs to. The frames with unknown destination MAC addresses are forwarded to all ports belonging to that VPLS instance.
On a true Ethernet switch, the port would just be a physical interface. However, with VPLS, it might be a physical interface, but it could also be a pseudowire to another PE router. The customer has several sites, all of which are connected to a PE router. The PE routers have pseudowires between them to carry the Ethernet frames. Each pseudowire consists of two label switched paths (LSPs), one for each direction. If the CE router or switch sends a broadcast frame to the PE router, the frame is replicated and forwarded to all physical ports on that PE router belonging to that VPLS instance, but also to all pseudowires associated with that VPLS instance. Multicast frames are replicated and forwarded to all physical ports that are part of the multicast group and to all pseudowires (the underlying WAN ports).
When forwarding broadcast frames, it is important to flood the frame throughout the broadcast domain. If the PE routers are not fully meshed for one VPLS instance, a spanning tree protocol is required to keep the Layer 2 topology loop free. However, a simpler mechanism was chosen to keep the forwarding free of loops. The PE routers need to be in a full mesh of pseudowires, and the PE routers perform split-horizon in Layer 2 forwarding. Split-horizon here means that a flooded frame that is received on one pseudowire will never be forwarded to other pseudowires. As with Ethernet switches, the PE routers of the VPLS network should perform MAC address learning and aging. This means that the PE routers will notice the source address of received frames and associate them with a physical port or pseudowire. Similar to an Ethernet switch, the MAC addresses are aged out after a certain period of not receiving a frame from that MAC address. The aging time is refreshed after receiving a frame.
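The forwarding rules described above (MAC learning, aging, flooding of unknown and broadcast frames, and pseudowire split-horizon) can be modelled in a few lines. This is an added example, not code from the original article or from any router implementation; the class and function names, port names, MAC address and the 300-second aging time are assumptions made for illustration.

```python
AGING_TIME = 300                      # seconds; assumed value, the page gives none
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VplsPe:
    """Forwarding state of one PE for one VPLS instance (simplified model)."""
    def __init__(self, name, ac_ports, peers, split_horizon=True):
        self.name = name
        self.ac = set(ac_ports)                   # physical ports toward CE devices
        self.pw = {f"pw-{p}" for p in peers}      # one pseudowire per remote PE
        self.split_horizon = split_horizon
        self.mac_table = {}                       # MAC -> (port, time last seen)

    def forward(self, src, dst, in_port, now=0):
        """Learn src, then return the set of ports the frame is sent out of."""
        self.mac_table[src] = (in_port, now)      # learn, or refresh the aging timer
        port, seen = self.mac_table.get(dst, (None, 0))
        if port and now - seen > AGING_TIME:      # entry aged out: forget it
            del self.mac_table[dst]
            port = None
        if port:                                  # known unicast: one port
            return set() if port == in_port else {port}
        out = (self.ac | self.pw) - {in_port}     # unknown/broadcast: flood
        if self.split_horizon and in_port in self.pw:
            out -= self.pw                        # never pseudowire -> pseudowire
        return out

def broadcast_copies(split_horizon, max_hops=4):
    """Copies of one broadcast that reach customer ports in a 3-PE full mesh.
    max_hops only bounds the simulation; it is not a VPLS mechanism."""
    names = ["PE1", "PE2", "PE3"]
    pes = {n: VplsPe(n, ["ac0"], [m for m in names if m != n], split_horizon)
           for n in names}
    delivered, queue = 0, [("PE1", "ac0", 0)]     # (PE, ingress port, hops so far)
    while queue:
        pe, in_port, hops = queue.pop()
        for out in pes[pe].forward("00:00:5e:00:53:01", BROADCAST, in_port):
            if out in pes[pe].ac:
                delivered += 1
            elif hops < max_hops:
                queue.append((out[3:], f"pw-{pe}", hops + 1))
    return delivered
```

With split-horizon each remote site receives the broadcast exactly once; with it disabled, the number of delivered copies grows with the hop cap, which is the loop the full mesh plus split-horizon design avoids.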
VPLS Signaling
VPLS requires a full mesh of pseudowires between PE routers for each VPLS instance. When you configure the VPLS instance on the PE router, you must also specify the VPLS neighbors of this PE router. That means you must specify all the remote PE routers for this PE router for that one VPLS instance. The PE routers then form targeted Label Distribution Protocol (LDP) sessions between them in a full mesh. The targeted LDP session signals each VC or pseudowire between a pair of PE routers and advertises the VC labels. If a VPLS instance is assigned to a VLAN interface on the local PE router, a local VC ID is assigned to the VPLS instance. The VC ID is the VPN Identifier (VPN ID) that you must assign to a VPLS instance by means of configuration. Each pseudowire between a pair of PE routers for that VPLS instance has that VC ID. However, the local VC label that the router assigns for that VPLS instance is different for each pseudowire.
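Because every PE must list all remote PEs as neighbors for each VPLS instance, a configuration audit can flag the neighbor statements that are missing from a full mesh. The following is an added example, not part of the original article; the input layout, function name, PE names and VPN IDs are constructed for illustration and do not correspond to any vendor's configuration format.

```python
# Constructed sample: VPN ID -> PE -> set of neighbors configured on that PE.
SAMPLE = {
    100: {"PE1": {"PE2", "PE3"}, "PE2": {"PE1", "PE3"}, "PE3": {"PE1", "PE2"}},
    200: {"PE1": {"PE2", "PE3"}, "PE2": {"PE1"}, "PE3": {"PE1"}},  # hub and spoke
}

def missing_pseudowires(neighbors):
    """Return {vpn_id: [(pe, missing_peer), ...]} for every neighbor statement
    a full mesh needs but the configuration lacks. A PE that is only referenced
    by others (no configuration of its own) counts as a member with no neighbors."""
    gaps = {}
    for vpn_id, per_pe in neighbors.items():
        members = set(per_pe)
        for peers in per_pe.values():
            members |= peers                      # include PEs named only as peers
        missing = [(pe, peer)
                   for pe in sorted(members)
                   for peer in sorted(members - {pe})
                   if peer not in per_pe.get(pe, set())]
        if missing:
            gaps[vpn_id] = missing
    return gaps
```

For the sample, instance 100 is a full mesh and instance 200 is reported as missing the PE2 to PE3 pseudowire in both directions.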
Tunneling Spanning Tree Protocol
By default, VFI does not forward the STP BPDUs on the PE routers. As such, the STP tree in the metro Ethernet site stops at the PE router. The data frames are forwarded across the MPLS network. The frames cannot loop, however, because of the Layer 2 split-horizon rule imposed by the PE routers, which do not forward frames onto the pseudowires if the frames were received from the pseudowires. Because of this split-horizon rule, all PE routers must be in a full mesh for each particular VPLS instance. If the VPLS network were a hub-and-spoke design, certain frames would need to be received and forwarded on the pseudowires, which would not allow for the split-horizon rule to be enforced. To keep such a network loop free, the service provider needs to resort to a protocol such as STP to do the job. STP is not needed in the service provider network because the split-horizon is on by default. In some cases, you need to enable end-to-end STP. The CE routers then run STP across the MPLS backbone. For instance, customer sites that are multihomed to two or more PE routers require end-to-end STP to keep the network loop free. To have end-to-end STP, you need to configure the PE routers to tunnel the STP BPDUs. To tunnel the STP BPDUs, configure the following interface command on the PE routers on the physical Ethernet interfaces.
