Virtual Private LAN Service (Any-to-Any Layer-2, Managed & SLA-Backed)
VPLS (Virtual Private LAN Service) gives you a carrier-managed, any-to-any Layer-2 Ethernet fabric across sites, behaving like a single LAN over the provider's backbone.
It's perfect when you need L2 adjacency between locations (legacy apps, VM mobility, storage replication, OT/ICS) with contracted SLAs and no optical gear to run.
- (888) 765-8301
- contact@solveforce.com
Outcomes (Why choose VPLS)
- Any-to-any L2: sites appear on the same Ethernet broadcast domain (carefully bounded).
- Simplicity: provider runs the core; you get Ethernet handoffs with SLA for latency/jitter/loss/MTTR.
- Compatibility: supports protocols that require L2 adjacency (some clustering/storage/OT).
- Flexible topology: full-mesh E-LAN or hub-and-spoke EVPL-like behaviors via EVCs.
- Audit-ready: turn-up baselines, SLA reports, and change evidence exported to SIEM.
Scope (What we deliver)
- UNI handoffs: 1/10/100/400 GbE optical/electrical, single or QinQ (802.1ad) tagging.
- EVCs: point-to-multipoint circuits with Class of Service (CoS) options per flow.
- Coverage: metro, regional, and many long-haul routes via carrier backbone; diverse POPs available.
- Redundancy: protected rings (sub-50 ms) or dual diverse UNIs/paths.
Need a Layer-3 private WAN with QoS and segmentation? See MPLS.
Need deterministic Layer-1 without managing optics? See Wavelength Services.
Technical Building Blocks (Spelled out)
- Provider core: MPLS/EVPN-based E-LAN; customer sees Ethernet frames over the EVC.
- VLAN strategy: single or multiple VLANs transported; QinQ for per-site segregation.
- MTU: confirm payload/overhead (jumbo frames for storage/replication).
- CoS/QoS: map EF/AF/BE classes for voice/video/critical apps; police/buffer as contracted.
- Loop protection: provider's split-horizon in core; you handle STP/RSTP/MSTP prudently at the edge (or avoid L2 loops by design).
- MAC scale: watch MAC table limits; segment with multiple EVCs if needed.
Design Considerations (Read this first)
- Don't stretch a giant L2 everywhere. Use VPLS where L2 adjacency is required, then route (L3) near the edge to limit blast radius.
- Contain broadcasts/ARP/ND. Use storm control, ARP throttling/inspection, and limit L2 domains per app or site group.
- Bound failure domains. Prefer many small EVCs over a single massive E-LAN; place L3 boundaries close to users.
- Mind MTU. Storage/replication and VXLAN/ENCAP need consistent end-to-end MTU.
- Security. VPLS is private, not encrypted: add MACsec/IPsec if policy requires crypto. → Encryption
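Added example (not part of the original page or any SolveForce tooling): a small MTU budget check for one EVC, showing how QinQ tags plus a MACsec or VXLAN overlay eat into the IP MTU each site can actually carry. Site names and UNI figures are constructed, and `uni_frame_mtu` is assumed to mean the largest Ethernet frame the UNI accepts with the FCS excluded; confirm how your carrier counts it.

```python
from dataclasses import dataclass

ETH_HEADER = 14   # destination MAC + source MAC + EtherType (FCS not counted)
VLAN_TAG = 4      # each 802.1Q / 802.1ad tag
MACSEC = 32       # worst case: 16-byte SecTAG (with SCI) + 16-byte ICV
VXLAN_IPV4 = 50   # inner Ethernet 14 + VXLAN 8 + UDP 8 + outer IPv4 20


@dataclass
class Site:
    name: str
    uni_frame_mtu: int  # assumption: largest frame the UNI accepts, FCS excluded
    vlan_tags: int      # 0 = untagged, 1 = 802.1Q, 2 = QinQ


def site_ip_mtu(site, macsec=False, vxlan=False):
    """Largest (inner) IP packet that fits through this site's UNI."""
    room = site.uni_frame_mtu - ETH_HEADER - VLAN_TAG * site.vlan_tags
    if macsec:
        room -= MACSEC
    if vxlan:
        room -= VXLAN_IPV4
    return room


def evc_mtu_report(sites, required_ip_mtu, macsec=False, vxlan=False):
    """Per-site IP MTU, the EVC bottleneck, and sites that miss the requirement."""
    per_site = {s.name: site_ip_mtu(s, macsec, vxlan) for s in sites}
    bottleneck = min(per_site, key=per_site.get)
    return {
        "per_site": per_site,
        "evc_ip_mtu": per_site[bottleneck],
        "bottleneck": bottleneck,
        "too_small": sorted(n for n, m in per_site.items() if m < required_ip_mtu),
        "consistent": len(set(per_site.values())) == 1,
    }


# Constructed sample: a storage/replication EVC that needs a 9000-byte IP MTU.
SAMPLE_SITES = [
    Site("dc-east", 9216, 2),
    Site("dc-west", 9216, 2),
    Site("colo-1", 9100, 2),
    Site("branch-7", 1522, 1),
]

if __name__ == "__main__":
    for label, opts in (("plain", {}), ("macsec+vxlan", {"macsec": True, "vxlan": True})):
        r = evc_mtu_report(SAMPLE_SITES, 9000, **opts)
        print(label, r["evc_ip_mtu"], r["bottleneck"], r["too_small"])
```

In the sample, colo-1 clears 9000 bytes on the plain EVC but drops below it once MACsec and VXLAN are layered on, which is the case to catch before turn-up rather than during replication.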
Reference Patterns (Pick your fit)
A) Campus/Metro E-LAN (Any-to-Any L2)
- Multiple sites share one EVC with CoS; STP carefully pruned or disabled in favor of routed edges.
- Use cases: campus expansion, L2-dependent legacy apps.
B) Hub-and-Spoke EVPL (L2 Edge, L3 Core)
- Branches get L2 to a hub; route at the hub; add SD-WAN for app-aware L3 across Internet/MPLS underlays.
→ SD-WAN • MPLS
C) Storage/Replication L2
- Dedicated VPLS EVC for SAN/NAS traffic; jumbo frames; storm control; separate from user VLANs.
- Consider Wavelength for deterministic latency if distances are larger. → Wavelength Services
D) OT/ICS Isolation
- Profiled VLANs per function; minimal any-to-any; L3 firewalls between zones; NDR watch for anomalies.
→ NDR
E) Cloud On-Ramp via Colo
- Terminate VPLS at colocation, then route into Direct Connect/ExpressRoute/Interconnect; avoid raw L2 stretch into cloud.
→ Colocation • Direct Connect
Security & Boundary Controls
- Edge firewalls/WAF for north-south; microsegmentation for east-west. → Cybersecurity • Microsegmentation
- Encryption on top when required: MACsec (L2) or IPsec (L3). → Encryption
- Identity-first access for users (no flat VPN): ZTNA/SASE. → ZTNA • SASE
- Network access posture at ports/SSIDs: NAC with EAP-TLS. → NAC
- Evidence: performance/fault logs → SIEM; SOAR playbooks for block/rollback/escalate. → SIEM / SOAR
SLO Guardrails (Typical VPLS targets)
| Metric | Metro (Class A) | Regional (Class B) | Notes |
|---|---|---|---|
| One-way latency | ≤ 1–3 ms | ≤ 8–20 ms | Route-dependent |
| Jitter | ≤ 1 ms | ≤ 3 ms | With CoS honored |
| Packet loss (sustained) | < 0.1% | < 0.1% | SLA-backed |
| Availability | 99.95–99.99% | 99.9–99.95% | With protection/diversity |
| MTTR | ≤ 4 hours | ≤ 4–8 hours | Contracted |
We publish SLO dashboards and open carrier tickets on breach.
→ Circuit Monitoring • NOC Services
Commercials (What drives cost)
- Port/speed (1/10/100/400 GbE), EVC count, and CoS tiers.
- Distance/route: metro vs regional; protected vs unprotected paths.
- Diversity: secondary UNI/POP and physically diverse laterals.
- Term: 12/24/36+ months; NRC install + MRC service; cross-connect fees at colos. → Colocation
Turn-Up & Acceptance (What we test)
1) Provisioning: UNI/EVC build, VLAN/QinQ tags, CoS mapping.
2) Baselines: RFC 2544 / ITU-T Y.1564 throughput/latency/jitter/loss by class.
3) Diversity: validate path/POP diversity (route letters/maps on request).
4) Monitoring: add to NOC; thresholds, alarms, escalation trees.
→ NOC Services • SIEM / SOAR
Artifacts (test reports, SLA measures, routes) are stored and exported to SIEM for audits.
Integrations (Make it a system, not a silo)
- Routing & policy: BGP/OSPF at the CE if you mix L2 and L3 domains. → BGP Management
- SD-WAN: use VPLS as an underlay; steer per-app via SLOs. → SD-WAN
- Cloud: route at the colo edge to on-ramps; avoid uncontrolled L2 stretch. → Direct Connect
- Users & devices: ZTNA/NAC for identity- and posture-aware access. → ZTNA • NAC
Implementation Blueprint (No-Surprise Rollout)
1) Inventory endpoints: sites/DCs/colos/on-ramp POPs; VLAN plan; MTU requirements.
2) Choose topology: E-LAN (full mesh) vs EVPL-like (hub-and-spoke) per app/zone.
3) CoS policy: EF/AF/BE classes; policing/shaping rules and CIR/EIR per EVC.
4) L2 blast radius: bound broadcast domains; place L3 gateways near users.
5) Security: edge FW/WAF; MACsec/IPsec overlays if required.
6) Turn-up tests: RFC 2544/Y.1564; store baselines with change tickets.
7) Operate: onboard to NOC; perf alarms; monthly SLA reviews; carrier escalation playbooks.
→ Cybersecurity • NOC Services • Circuit Monitoring
Where VPLS Fits (Recursive View)
1) Grammar: a managed L2 transport in Connectivity.
2) Syntax: underlay for Cloud paths, DCI, and campus meshes.
3) Semantics: Cybersecurity preserves integrity (segmentation, crypto, evidence).
4) Pragmatics: telemetry drives SD-WAN steering and SolveForce AI insights.
5) Foundation: consistent terminology via Primacy of Language.
6) Map: indexed in the SolveForce Codex & Knowledge Hub.