What is virtual private LAN service?

Virtual private LAN service (VPLS) is a type of WAN configuration that uses an IP/MPLS backbone to connect remote sites.

Learning Objectives

After reading this article you will be able to:

  • Define VPLS
  • Understand how VPLS works
  • Contrast VPLS with SD-WAN


What is virtual private LAN service?

Virtual private LAN service (VPLS) is a type of virtual private network (VPN) technology that uses a provider-managed IP/MPLS backbone to connect many remote sites into one shared Ethernet broadcast domain. This technology is used by organizations with multiple branch locations because it simplifies network management and provides a high-performance connection experience. Essentially, VPLS makes it look like all of a company's separated offices are plugged directly into the same local network, regardless of their physical location.

VPLS is often used as a wide area network (WAN) solution that uses the scalability and reliability of a service provider's core MPLS network. Since it operates at layer 2 of the OSI model, VPLS handles Ethernet frames (a unit of data at layer 2, analogous to packets) without needing complex routing setups at customer sites. It allows businesses to connect their various local area networks (LANs) using secure, high-speed tunnels. It is particularly relevant for organizations that need to minimize latency for real-time applications like voice and video.

How VPLS works

VPLS relies on the service provider's network infrastructure, specifically the provider edge (PE) routers at the network perimeter and customer edge (CE) devices at the customer's site. The PE routers learn the customer's Media Access Control (MAC) addresses, similar to how a large switch operates. These routers set up a "full mesh" of virtual connections, known as pseudowires, across the core MPLS network to ensure any-to-any connectivity between all customer sites.

Since VPLS works at layer 2 (the data link layer), it transparently bridges Ethernet frames across the WAN. This means customer network traffic can cross the VPLS without knowing about the underlying MPLS transport network. The provider uses MPLS labels to logically separate each customer's traffic and route customer data securely within its private backbone.

Key technical aspects of VPLS implementation:

  • Pseudowires (tunnels) form a complete mesh architecture for any-to-any communication.
  • The service provider's PE routers manage the learning and forwarding of customer MAC addresses.
  • VPLS typically uses MPLS, which provides predictable paths, quality of service (QoS), and low latency for the customer's aggregated network.
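As an added example (not code from the original article or from any vendor), the following Python simulation models the PE behaviour described above: each PE learns customer MAC addresses like a switch, forwards known destinations over the right pseudowire, and floods unknown or broadcast frames across the full mesh. It also applies the split-horizon rule of VPLS (a frame received over a pseudowire is delivered locally but never re-flooded to other PEs, which is why the mesh must be full); that rule is standard VPLS behaviour rather than something stated in the text above. PE names, site names, MAC addresses and frame contents are constructed, and the run shows why one shared broadcast domain gives no segmentation between sites.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "src dst payload")   # a customer Ethernet frame
BROADCAST = "ff:ff:ff:ff:ff:ff"

class PE:
    """Provider-edge router running one VPLS instance; behaves like a LAN switch."""
    def __init__(self, name, site):
        self.name, self.site = name, site
        self.delivered = []      # frames handed to the local customer site (CE)
        self.pws = {}            # pseudowires of the full mesh: remote PE name -> PE
        self.mac_table = {}      # learned MAC -> port ("ce" or "pw:<remote PE>")

    def receive(self, frame, ingress):
        self.mac_table[frame.src] = ingress          # MAC learning on the ingress port
        port = self.mac_table.get(frame.dst) if frame.dst != BROADCAST else None
        if port:                                     # destination already learned
            if port != ingress:
                self._send(frame, port)
            return
        # Unknown unicast or broadcast is flooded, subject to split horizon:
        if ingress == "ce":                          # site-originated: to every other PE
            for pe_name in self.pws:
                self._send(frame, f"pw:{pe_name}")
        else:                                        # came over a pseudowire: local site only
            self._send(frame, "ce")

    def _send(self, frame, port):
        if port == "ce":
            self.delivered.append(frame.payload)
        else:
            self.pws[port[3:]].receive(frame, f"pw:{self.name}")

def build_vpls():
    # Three sites, one PE each, pseudowires in a full mesh (names are constructed)
    pes = [PE("PE1", "HQ"), PE("PE2", "BranchA"), PE("PE3", "BranchB")]
    for i, a in enumerate(pes):
        for b in pes[i + 1:]:
            a.pws[b.name], b.pws[a.name] = b, a
    return pes

def demo():
    hq, branch_a, branch_b = build_vpls()
    hq_mac, a_mac = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed MACs
    # 1. An HQ host broadcasts an ARP-style query: it reaches every site, no segmentation
    hq.receive(Frame(hq_mac, BROADCAST, "who-has 10.0.0.2"), "ce")
    # 2. A BranchA host answers unicast: PE2 learned hq_mac over pw:PE1, so only HQ sees it
    branch_a.receive(Frame(a_mac, hq_mac, "10.0.0.2 is-at bb:bb:bb:00:00:02"), "ce")
    return ({pe.site: pe.delivered for pe in (hq, branch_a, branch_b)},
            {pe.name: dict(pe.mac_table) for pe in (hq, branch_a, branch_b)})
```

After the run, PE3 has learned only the HQ MAC (seen over its pseudowire to PE1) and never saw the unicast reply, while the broadcast from HQ was delivered to both branches with nothing on the path able to filter it.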

VPLS vs. SD-WAN

Because VPLS is configured in hardware, its routing policies and capacity are essentially set in stone. While it effectively connects branch locations, remote workforces and cloud computing may introduce performance degradation. Network traffic may take less-than-ideal paths to and from destinations outside the branches, because VPLS is built for site-to-site traffic. Traffic to a SaaS app often has to leave the VPLS at a central hub or data center. Central hubs may become chokepoints that get overwhelmed when traffic exceeds bandwidth, further degrading service.

VPLS also creates lateral movement risks, since it does not have native segmentation or zero trust controls. Organizations with a VPLS network have essentially adopted a "castle-and-moat" model for security, in which they defend the network perimeter, but attackers inside the network (over the moat, as it were) can roam freely.

Software-defined wide area networking (SD-WAN) is a model that incorporates multiple connectivity types, including leased lines, 5G, the public Internet, and cloud network routes. It therefore has greater flexibility than VPLS and may better support modern business needs. SD-WAN reduces dependence on central hubs for network traffic. SD-WAN adoption can also be part of a move towards a secure access service edge (SASE) model, in which zero trust security is natively integrated with networking services.

Comparing VPLS with SASE:

VPLS                               | SASE
Site-to-site traffic               | Users can be located anywhere
Traffic flows through central hubs | Flexible routing
Bandwidth set in stone             | Bandwidth not limited by hardware
Lateral movement risks             | Zero trust security

Cloudflare One modernizes networks by augmenting or replacing legacy MPLS and VPLS circuits. This platform provides Zero Trust Network Access (ZTNA), cloud-native security services, and cloud-delivered connectivity via WAN-as-a-service. The result is secure and flexible connectivity between users, branch locations, and cloud infrastructure globally. Learn more about Cloudflare One.

FAQs

What is a virtual private LAN service?

Virtual private LAN service (VPLS) is a type of virtual private network (VPN) technology that connects multiple remote locations into a single, shared Ethernet broadcast domain.

Why do organizations choose to use VPLS?

Companies with several branch offices often use VPLS because it simplifies network management and provides a high-performance connection.

What role do PE and CE devices play in a VPLS architecture?

VPLS relies on provider edge (PE) routers and customer edge (CE) devices. The PE routers learn customer Media Access Control (MAC) addresses and establish a full mesh of virtual connections, known as pseudowires, to ensure any-to-any connectivity between all sites.

How is security handled within a VPLS network?

Service providers use MPLS labels to logically separate traffic and route data securely within their private backbone. However, VPLS lacks built-in zero trust controls, which can create risks for lateral movement if an attacker gains access to the network through compromised user accounts or malware-infected devices.

How does SD-WAN differ from VPLS?

Unlike VPLS, software-defined wide area networking (SD-WAN) uses multiple connectivity types, such as 5G and the public Internet, to provide greater flexibility. SD-WAN reduces the need for central hubs, which makes for better cloud compatibility. SD-WAN can more easily integrate zero trust security as part of a secure access service edge (SASE) deployment.