One of the topics that I haven’t written about so far was VPLS but I had already written some posts which lay the foundation for this VPLS setup. On this post, I will try to explain how VPLS is configured and verified on Junos particulary on packet mode Juniper SRX.  I believe it will be useful for those who don’t know anything about VPLS too. The way I explain VPLS here is how I have experienced it so far. Let’s get started by simplifying some stuff;

VPLS (Virtual Private Lan Service) is a L2VPN technology by which you can turn an ISP cloud consisting of numerous routers connecting different locations into an Ethernet Switch i.e it is a switch in the global network. Not yet clear? Let explain it by a simple example;


Above is a simplified view of two devices’ communication through an ISP network and both of these devices are in the same subnet and WebServer has a L2 connection towards the DatabaseServer e.g you can ping your database server from Webserver device and MAC address of Database Server will be in the ARP cache of Webserver device after a succesful ARP Request/Reply. This was the simplified view.

Before getting into the details, I need to list the prerequisites:

  • On this setup, for VPLS to work properly, you need to have a working MPLS clould which means IGP and RSVP should be running properly. To prepare the same MPLS cloud, you can take a look at my MPLS series posts here
  • Your MPLS LSPs must already been setup to create our L2 pipe.
  • For this setup, VLANs used on both side of the pipe must be the same

Now we will zoom in to this ISP network and see how VPLS is configured and verified but for this I need to put the ISP topology in detail and here it is;



First I need to explain this setup a little. It is a single autonomous system with ASN 8500 on this lab. I also drew a rectangle to show the boundaries of this ISP network in other words our so-called L2 switch. Routers J40 and J35 are crossed by this rectangle as they represent the trunk ports of our switch since they are the PE routers in our ISP.

On this post, I will enable two devices on the west J39 (  and on the east side J37 ( to communicate via this L2VPN. As you can see their IP addresses are on the same subnet.

As this is a free BGP core network, we running BGP only on J40 and J35 PE devices.

and our ingress and egress LSPs are also established.

Now we can start VPLS configuration:

J39 site is connected to our J40 PE router on its ge-0/0/3 interface. We will start with the east side first.

As you can see we are using encapsulation vlan-vpls and interface is tagged hence we will accept tagged traffic on this interface. Let’s check if we have any VPLS connection or not.

hmm, nothing yet as we haven’t configured the remote PE router J35 yet. Now we configure the remote side;

If everything is correct, then we should have the VC up.

Yesss… we have brought the channel UP.

Now it is time to do a ping test from J39 to J37 which are located on two different sides of the ISP network.

Bingo!!! we have now L2VPN up and running and we are passing traffic.

We can also check the mac table on our PE router

I think I have achieved what I wanted to explain so far. VPLS is ready and passing traffic. If you do see any mistake or feedback, please drop your comments!

One thought on “VPLS on SRX

  1. Héctor Altafim

    Hi, Hope you reed this, It is possible to somehow remove the tagged vlan in the vpls and deliver to the custommer as untagged?


You have a feedback?