Virtual Private LAN Service (Any-to-Any Layer-2, Managed & SLA-Backed)
VPLS (Virtual Private LAN Service) gives you a carrier-managed, any-to-any Layer-2 Ethernet fabric across sites—behaving like a single LAN over the provider’s backbone.
It’s perfect when you need L2 adjacency between locations (legacy apps, VM mobility, storage replication, OT/ICS) with contracted SLAs and no optical gear to run.
Related options: 🔀 MPLS L3VPN → MPLS • 💡 Lit Fiber (E-LAN/EPL/EVPL) → Lit Fiber • 🌑 Dark Fiber → Dark Fiber • 🔀 Wavelength (L1) → Wavelength Services
🎯 Outcomes (Why choose VPLS)
- Any-to-any L2 — sites appear on the same Ethernet broadcast domain (carefully bounded).
- Simplicity — provider runs the core; you get Ethernet handoffs with SLA for latency/jitter/loss/MTTR.
- Compatibility — supports protocols that require L2 adjacency (some clustering/storage/OT).
- Flexible topology — full-mesh E-LAN or hub-and-spoke EVPL-like behaviors via EVCs.
- Audit-ready — turn-up baselines, SLA reports, and change evidence exported to SIEM.
🧭 Scope (What we deliver)
- UNI handoffs — 1/10/100/400 GbE optical/electrical, single or QinQ (802.1ad) tagging.
- EVCs — point-to-multipoint circuits with Class of Service (CoS) options per flow.
- Coverage — metro, regional, and many long-haul routes via carrier backbone; diverse POPs available.
- Redundancy — protected rings (sub-50 ms failover) or dual, physically diverse UNIs/paths.
Need a Layer-3 private WAN with QoS and segmentation? See MPLS.
Need deterministic Layer-1 without managing optics? See Wavelength Services.
🧱 Technical Building Blocks (Spelled out)
- Provider core — MPLS/EVPN-based E-LAN; customer sees Ethernet frames over the EVC.
- VLAN strategy — single or multiple VLANs transported; QinQ for per-site segregation.
- MTU — confirm payload/overhead (jumbo frames for storage/replication).
- CoS/QoS — map EF/AF/BE classes for voice/video/critical apps; police/buffer as contracted.
- Loop protection — provider’s split-horizon in core; you handle STP/RSTP/MSTP prudently at the edge (or avoid L2 loops by design).
- MAC scale — watch MAC table limits; segment with multiple EVCs if needed.
⚠️ Design Considerations (Read this first)
- Don’t stretch a giant L2 everywhere. Use VPLS where L2 adjacency is required, then route (L3) near the edge to limit blast radius.
- Contain broadcasts/ARP/ND. Use storm control, ARP throttling/inspection, and limit L2 domains per app or site group.
- Bound failure domains. Prefer many small EVCs over a single massive E-LAN; place L3 boundaries close to users.
- Mind MTU. Storage/replication and any encapsulation (VXLAN or other tunnels) need a consistent end-to-end MTU that accounts for the encapsulation overhead.
- Security. VPLS is private, not encrypted: add MACsec/IPsec if policy requires crypto. → Encryption
🧰 Reference Patterns (Pick your fit)
A) Campus/Metro E-LAN (Any-to-Any L2)
- Multiple sites share one EVC with CoS; STP carefully pruned or disabled in favor of routed edges.
- Use cases: campus expansion, L2-dependent legacy apps.
B) Hub-and-Spoke EVPL (L2 Edge, L3 Core)
- Branches get L2 to a hub; route at the hub; add SD-WAN for app-aware L3 across Internet/MPLS underlays.
→ SD-WAN • MPLS
C) Storage/Replication L2
- Dedicated VPLS EVC for SAN/NAS traffic; jumbo frames; storm control; separate from user VLANs.
- Consider Wavelength for deterministic latency if distances are larger. → Wavelength Services
D) OT/ICS Isolation
- Profiled VLANs per function; minimal any-to-any; L3 firewalls between zones; NDR monitoring for anomalies.
→ NDR
E) Cloud On-Ramp via Colo
- Terminate VPLS at colocation, then route into Direct Connect/ExpressRoute/Interconnect—avoid raw L2 stretch into cloud.
→ Colocation • Direct Connect
🔒 Security & Boundary Controls
- Edge firewalls/WAF for north-south; microsegmentation for east-west. → Cybersecurity • Microsegmentation
- Encryption on top when required: MACsec (L2) or IPsec (L3). → Encryption
- Identity-first access for users (no flat VPN): ZTNA/SASE. → ZTNA • SASE
- Network access posture at ports/SSIDs: NAC with EAP-TLS. → NAC
- Evidence — performance/fault logs → SIEM; SOAR playbooks for block/rollback/escalate. → SIEM / SOAR
📐 SLO Guardrails (Typical VPLS targets)
| Metric | Metro (Class A) | Regional (Class B) | Notes |
|---|---|---|---|
| One-way latency | ≤ 1–3 ms | ≤ 8–20 ms | Route-dependent |
| Jitter | ≤ 1 ms | ≤ 3 ms | With CoS honored |
| Packet loss (sustained) | < 0.1% | < 0.1% | SLA-backed |
| Availability | 99.95–99.99% | 99.9–99.95% | With protection/diversity |
| MTTR | ≤ 4 hours | ≤ 4–8 hours | Contracted |
We publish SLO dashboards and open carrier tickets on breach.
→ Circuit Monitoring • NOC Services
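As an added illustration, not SolveForce's own tooling, of how the guardrail table turns into a breach check a NOC could run over per-EVC measurement windows: the default thresholds are the upper bound of each table range (contracts fix the exact figure, so the function takes overrides), and the sample windows are constructed.

```python
from dataclasses import dataclass
# Default thresholds taken from the guardrail table (upper bound of each range).
# The contracted figure per circuit may differ, so evaluate() accepts overrides.
SLO_TARGETS = {
    "metro":    {"latency_ms": 3.0,  "jitter_ms": 1.0, "loss_pct": 0.1, "availability_pct": 99.95},
    "regional": {"latency_ms": 20.0, "jitter_ms": 3.0, "loss_pct": 0.1, "availability_pct": 99.9},
}

@dataclass
class EvcSample:
    """One measurement window for an EVC and CoS class (constructed, Y.1564-style fields)."""
    evc: str
    cos: str            # EF / AF / BE
    latency_ms: float   # one-way
    jitter_ms: float
    loss_pct: float     # sustained loss over the window
    downtime_s: float   # seconds the EVC was unavailable during the window
    window_s: float     # window length in seconds

def availability_pct(sample):
    # Availability over the window as a percentage
    return 100.0 * (1.0 - sample.downtime_s / sample.window_s)
def evaluate(sample, slo_class, overrides=None):
    """Return breach descriptions for one sample; an empty list means inside SLO."""
    t = dict(SLO_TARGETS[slo_class])
    t.update(overrides or {})  # contract-specific figures win over the table defaults
    breaches = []
    if sample.latency_ms > t["latency_ms"]:
        breaches.append(f"{sample.evc}/{sample.cos}: latency {sample.latency_ms} ms > {t['latency_ms']} ms")
    if sample.jitter_ms > t["jitter_ms"]:
        breaches.append(f"{sample.evc}/{sample.cos}: jitter {sample.jitter_ms} ms > {t['jitter_ms']} ms")
    if sample.loss_pct >= t["loss_pct"]:  # the table requires loss strictly below the figure
        breaches.append(f"{sample.evc}/{sample.cos}: loss {sample.loss_pct}% >= {t['loss_pct']}%")
    avail = availability_pct(sample)
    if avail < t["availability_pct"]:
        breaches.append(f"{sample.evc}: availability {avail:.3f}% < {t['availability_pct']}%")
    return breaches
def breached_evcs(samples, slo_class):
    """Group breaches by EVC so each affected circuit gets one carrier ticket."""
    tickets = {}
    for s in samples:
        for b in evaluate(s, slo_class):
            tickets.setdefault(s.evc, []).append(b)
    return tickets
SAMPLES = [  # constructed one-day windows for two metro EVCs
    EvcSample("EVC-100", "EF", 1.8, 0.4, 0.01, 0.0, 86400.0),
    EvcSample("EVC-100", "BE", 2.6, 1.4, 0.02, 0.0, 86400.0),    # jitter breach
    EvcSample("EVC-200", "EF", 2.1, 0.5, 0.30, 120.0, 86400.0),  # loss and availability breach
]
```

Running `breached_evcs(SAMPLES, "metro")` yields one ticket candidate per affected EVC; the same windows evaluated as Class B (regional) clear the jitter breach, which is why the class must match the contracted route.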
💵 Commercials (What drives cost)
- Port/speed (1/10/100/400 GbE), EVC count, and CoS tiers.
- Distance/route — metro vs regional; protected vs unprotected paths.
- Diversity — secondary UNI/POP and physically diverse laterals.
- Term — 12/24/36+ months; NRC install + MRC service; cross-connect fees at colos. → Colocation
🧪 Turn-Up & Acceptance (What we test)
1) Provisioning — UNI/EVC build, VLAN/QinQ tags, CoS mapping.
2) Baselines — RFC 2544 / ITU-T Y.1564 throughput/latency/jitter/loss by class.
3) Diversity — validate path/POP diversity (route letters/maps on request).
4) Monitoring — add to NOC; thresholds, alarms, escalation trees.
→ NOC Services • SIEM / SOAR
Artifacts (test reports, SLA measures, routes) are stored and exported to SIEM for audits.
🔗 Integrations (Make it a system, not a silo)
- Routing & policy — BGP/OSPF at the CE if you mix L2 and L3 domains. → BGP Management
- SD-WAN — use VPLS as an underlay; steer per-app via SLOs. → SD-WAN
- Cloud — route at the colo edge to on-ramps; avoid uncontrolled L2 stretch. → Direct Connect
- Users & devices — ZTNA/NAC for identity- and posture-aware access. → ZTNA • NAC
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Inventory endpoints — sites/DCs/colos/on-ramp POPs; VLAN plan; MTU requirements.
2) Choose topology — E-LAN (full mesh) vs EVPL-like (hub-and-spoke) per app/zone.
3) CoS policy — EF/AF/BE classes; policing/shaping rules and CIR/EIR per EVC.
4) L2 blast radius — bound broadcast domains; place L3 gateways near users.
5) Security — edge FW/WAF; MACsec/IPsec overlays if required.
6) Turn-up tests — RFC 2544/Y.1564; store baselines with change tickets.
7) Operate — onboard to NOC; perf alarms; monthly SLA reviews; carrier escalation playbooks.
→ Cybersecurity • NOC Services • Circuit Monitoring
🔄 Where VPLS Fits (Recursive View)
1) Grammar — a managed L2 transport in Connectivity.
2) Syntax — underlay for Cloud paths, DCI, and campus meshes.
3) Semantics — Cybersecurity preserves integrity (segmentation, crypto, evidence).
4) Pragmatics — telemetry drives SD-WAN steering and SolveForce AI insights.
5) Foundation — consistent terminology via Primacy of Language.
6) Map — indexed in the SolveForce Codex & Knowledge Hub.
📞 Order VPLS / Design a Safe L2 Fabric
Related pages:
MPLS • Lit Fiber • Wavelength Services • Dark Fiber • SD-WAN • VPN Services • BGP Management • Circuit Monitoring • NOC Services • Connectivity • Networks & Data Centers • Cloud • Cybersecurity • Knowledge Hub