Overview
VPWS and VPLS are both Layer 2 VPN technologies that carriers can use to transport Ethernet over an MPLS core. In this article we’ll look at the similarities and differences between the two.
What is VPWS
VPWS stands for Virtual Private Wire Service. It is one of the technologies that providers can use to implement an E-Line. E-Line is a type of Ethernet Virtual Connection (EVC) defined in MEF standards. The E-Line standard specifies a point-to-point private Ethernet connection between customer locations.
Technically an E-Line could be implemented using several types of Leased Lines. VPWS specifically allows the implementation of E-Lines over a provider’s Layer 3 MPLS core. This minimizes the need for specialized layer 1 equipment like multiplexers and helps carriers converge different services onto the same core infrastructure.
How Does VPWS Work
VPWS works through the configuration of Pseudowires on MPLS-enabled edge routers. A Pseudowire is a type of Layer 2 tunnel which uses an MPLS label to keep traffic segregated and private. Pseudowires on the ingress and egress PE routers are configured with a pw-id that must match (unless BGP signaled). The neighbor command is used to tell the PE router where the other end of the VPN is.
What happens when a router participating in VPWS receives a frame on an interface assigned to a Pseudowire? First, it encapsulates that frame with an MPLS pseudowire label. Then, it looks up the neighbor’s IP address in its MPLS forwarding table. There it will find the appropriate transport label and add that to the frame as well. Then the fully encapsulated frame is forwarded out the next hop interface.
It’s important to note that there are two layers of MPLS encapsulation here. On the outside is the transport label, and then there is the Pseudowire label. The fully encapsulated frame looks like this.
[Transport Label] [Pseudowire Label] [Ethernet Frame]
The provider core routers will swap the transport label as they forward the frame along its path. However, the Pseudowire label will not be touched until it reaches the other PE router with the matching Pseudowire configuration. There, the Pseudowire label will be removed and the frame will be forwarded out the egress interface.
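The walk described above, as an added example that is not part of the original article: it builds the two-label stack, swaps the transport label at one core hop, and resolves the Pseudowire label at the egress PE. The label values, the interface name and the frame bytes are constructed, and the optional pseudowire control word is left out.

```python
import struct

# Constructed sample values: labels, interface name and frame bytes are illustrative.
PW_LABEL, TRANSPORT_IN, TRANSPORT_OUT = 24001, 16010, 16020
FRAME = bytes.fromhex("0200000000020200000000010800") + b"customer payload"

def encode_lse(label, tc=0, bottom=False, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 2**20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def decode_stack(packet):
    """Return ([(label, tc, bottom, ttl), ...], payload), reading entries until S=1."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, bool(word & 0x100), word & 0xFF))
        if entries[-1][2]:
            return entries, packet[offset:]

def ingress_pe(frame, pw_label, transport_label):
    """Push the Pseudowire label (bottom of stack), then the transport label on top."""
    return encode_lse(transport_label) + encode_lse(pw_label, bottom=True) + frame

def core_swap(packet, lfib):
    """Provider core router: rewrite only the top entry; everything below is opaque."""
    entries, _ = decode_stack(packet)
    label, tc, bottom, ttl = entries[0]
    if ttl <= 1:
        raise ValueError("TTL expired")
    return encode_lse(lfib[label], tc, bottom, ttl - 1) + packet[4:]

def egress_pe(packet, pw_table):
    """Egress PE: strip the stack and map the bottom (Pseudowire) label to an interface."""
    entries, frame = decode_stack(packet)
    return pw_table[entries[-1][0]], frame

def walk():
    """Carry FRAME from the ingress PE through one core hop to the egress PE."""
    sent = ingress_pe(FRAME, PW_LABEL, TRANSPORT_IN)
    swapped = core_swap(sent, {TRANSPORT_IN: TRANSPORT_OUT})
    labels = [entry[0] for entry in decode_stack(swapped)[0]]
    return labels, egress_pe(swapped, {PW_LABEL: "customer-port-1"})

if __name__ == "__main__":
    print(walk())
```

Because the egress PE keys on the bottom-of-stack entry, the same lookup works when the transport label has already been removed before the frame arrives.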
VPWS does not learn MAC addresses from the customer LANs. Instead, it acts like a virtual Ethernet wire, just carrying the frame over MPLS instead of a physical wire. Because of this, the VPWS VPN is completely transparent to the customer. For a demonstration of a VPWS VPN, see How to Build a Layer 2 VPN (VPWS) in Cisco Modeling Labs.
What is VPLS
VPLS stands for Virtual Private LAN Service. It is one of the technologies that providers can use to implement an E-LAN. E-LAN is a type of Ethernet Virtual Connection (EVC) defined in MEF standards. The E-LAN standard specifies a multipoint-to-multipoint private Ethernet connection between customer locations.
Like VPWS, VPLS is built with pseudowires and data is transported through MPLS. Unlike VPWS, VPLS-enabled edge routers do learn MAC addresses from the customer LANs. Let’s take a look at why and how this works.
How Does VPLS Work
The foundation of VPLS is a full mesh of Pseudowires between each PE router in the E-LAN. Like VPWS, these pseudowires share an ID and use MPLS labels to encapsulate frames. The difference is that VPLS has multiple entry and exit points since it is a multipoint topology.
Because VPLS is multipoint, we need to think about Ethernet switching. If we always forwarded every frame from each site to every other site, we would be wasting bandwidth and adding unnecessary congestion. Say our customer has offices in Atlanta, New York, and Chicago. They have an ERP server in New York that the other sites connect to and send millions of frames to. There’s no reason to send traffic destined to the New York server from Chicago to Atlanta or vice versa. This is the issue we would have if VPLS, like VPWS, didn’t learn MAC addresses.
Instead, VPLS acts like a giant virtual Ethernet switch. Each PE router acts like a switch port and maintains a MAC address table. This allows the PE router to learn which Pseudowire a MAC address belongs to and perform unicast forwarding of frames. This conserves bandwidth and resources for both the carrier and the customer.
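The learning behaviour described above, seen from the Chicago PE, as an added example that is not part of the original article. The port names and MAC addresses are constructed, and the rule that a frame arriving on a Pseudowire is never flooded to other Pseudowires (split horizon, which keeps a full mesh loop-free) is an assumption the article does not spell out.

```python
class VplsPe:
    """One PE's view of a VPLS instance: a MAC table over local and Pseudowire ports."""

    def __init__(self, local_ports, pseudowires):
        self.local_ports = set(local_ports)
        self.pseudowires = set(pseudowires)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Learn the source MAC, then return the sorted ports the frame leaves on."""
        if in_port not in self.local_ports | self.pseudowires:
            raise ValueError(f"unknown port {in_port}")
        self.mac_table[src_mac] = in_port
        out_port = self.mac_table.get(dst_mac)
        if out_port is not None:
            # Known destination: unicast, unless it lives behind the ingress port.
            return [] if out_port == in_port else [out_port]
        # Unknown destination: flood. Local frames go everywhere; frames that
        # came in on a Pseudowire go to local ports only (split horizon).
        targets = set(self.local_ports)
        if in_port in self.local_ports:
            targets |= self.pseudowires
        targets.discard(in_port)
        return sorted(targets)


# Constructed sample data: one Chicago client talking to the New York ERP server.
CLIENT_MAC = "02:00:00:00:c0:01"
SERVER_MAC = "02:00:00:00:a0:01"

def chicago_pe():
    return VplsPe(local_ports=["ac-chicago"], pseudowires=["pw-atlanta", "pw-newyork"])

def erp_conversation():
    """First frame floods, the reply teaches the PE, later frames are unicast."""
    pe = chicago_pe()
    first = pe.receive("ac-chicago", CLIENT_MAC, SERVER_MAC)
    reply = pe.receive("pw-newyork", SERVER_MAC, CLIENT_MAC)
    later = pe.receive("ac-chicago", CLIENT_MAC, SERVER_MAC)
    return first, reply, later

if __name__ == "__main__":
    print(erp_conversation())
```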
VPLS still has one big issue: scaling. It relies on a Pseudowire mesh between each and every PE router. This means that as customers add sites, the number of Pseudowires increases rapidly. More Pseudowires means more resource usage and a more complicated configuration. This is why VPLS has mostly been replaced with the more modern equivalent, EVPN, which uses BGP to advertise MAC addresses. EVPN eliminates the need for PE routers to learn MAC addresses solely through Layer 2 flooding and significantly reduces the scaling limitations of traditional VPLS.
Conclusion
VPLS and VPWS are similar in their use of Pseudowires to establish Layer 2 VPNs. VPLS learns MAC addresses and acts as an Ethernet switch through the provider’s network. VPWS doesn’t learn MAC addresses and instead acts like a virtual wire. VPWS is still a good method for point-to-point Layer 2 VPNs. VPLS has mostly been replaced with EVPN for scalability reasons.
| Feature | VPWS | VPLS |
|---|---|---|
| Topology | Point-to-Point | Multipoint-to-Multipoint |
| MEF Service Type | E-Line | E-LAN |
| MAC Learning | No | Yes |
| Acts Like | Virtual Ethernet Wire | Virtual Ethernet Switch |
| Pseudowire Architecture | Single Point-to-Point Pseudowire | Full Mesh of Pseudowires |
| Scalability | Good | Limited |
| Modern Status | Still Widely Deployed | Largely Replaced by EVPN |