Since the frames from CE2 arrive at PE2 already tagged, there is no need to insert the /interface vlan name="VPWS-1003 SERVICE END TO CE2" between ether2 and /interface bridge name="VPWS-1003"; instead, you make ether2 directly a member (slave) port of that bridge. If you need to ensure that only frames tagged with VID 1003 will be forwarded from CE2 to the VPLS tunnel, you need to set vlan-filtering=yes on the bridge and define the membership of the two ports in the VLAN. So the whole modification to your current setup would be the following:
/interface bridge port remove [find interface="VPWS-1003 SERVICE END TO CE2"]
/interface vlan remove "VPWS-1003 SERVICE END TO CE2"
/interface bridge port add bridge=VPWS-1003 interface=ether2
/interface bridge vlan add bridge=VPWS-1003 vlan-ids=1003 tagged=ether2,"VPWS-1003 ENDOINT JUNIPER PE3"
/interface bridge set VPWS-1003 vlan-filtering=yes
This configuration works, but the problem is here:
/interface bridge port add bridge=VPWS-1003 interface=ether2
We are assigning the entire interface to a single bridge, which means it cannot be reused again.
My setup will involve adding multiple customers to ether2 with different VLAN tags, as ether2 will be connecting to a switch. I have tried adding the ether2 interface to another bridge for another customer and it throws an error:
[admin@mkTik-c6r1] > interface bridge port add bridge=VPWS-1002 interface=ether2
failure: device already added as bridge port
The whole idea of vlan-filtering=yes is that you use the same bridge for several VLANs, and you permit each of them only on the necessary member ports of that bridge. So if the other customer uses e.g. VLAN 2005, you add his VPLS tunnel as another member port to the same bridge, but you add it to the tagged list only at the vlan-ids=2005 row in /interface bridge vlan, along with ether2 again.
However, I would personally prefer to send no tags inside the VPLS tunnels if each tunnel only transports a single VLAN, to save 4 bytes of the tag per frame for the payload. At the Mikrotik side, this can be done simply by making the tunnels access ports to the individual VLANs on the bridge, but I don’t know whether you can do the same at the Juniper end. If you can, then your original concept with several /interface vlan attached to ether2 and a dedicated bridge for each VLAN and VPLS tunnel can also be used, but as you’ve asked for a solution at the Mikrotik side, I’ve concluded that Juniper cannot provide the tagging/untagging on the path between the Ethernet interface and the VPLS tunnel.
Below is the setup for the variant with vlan-filtering=yes and VPLS tunnels as access ports:
Thank you for the very useful insight. I have been able to get it working as you suggested; however, having the VPLS interface untagged does not work, as both Juniper and Cisco (these are the devices on the remote ends) expect tagged traffic, as the encapsulation on those ends is vlan-ccc and eth-vlan respectively.
What I had originally intended is to add customers to the bridge with their respective VLAN interfaces. I have been able to achieve this as well; the key is to add the VLAN interface to the bridge as an access port, which solves the double tagging issues on outgoing packets.
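Added example, not part of any post in this thread: the shared-bridge variant with tagged VPLS ports described above, extended to a second customer on VLAN 2005, with ingress checks on the member ports so that each customer's frames can only reach that customer's tunnel. It assumes the VLAN 1003 commands from the first reply are already applied; "VPWS-2005 ENDPOINT PE" is a hypothetical name for the second customer's VPLS interface.

```routeros
# Added example, not from the thread.
# Assumptions: bridge VPWS-1003 already has ether2 and the first customer's
# VPLS interface as member ports and a vlan-ids=1003 row, as in the first reply.
# "VPWS-2005 ENDPOINT PE" is a hypothetical name for the second VPLS interface.

# The second customer's tunnel joins the same bridge; ether2 is not added again.
/interface bridge port add bridge=VPWS-1003 interface="VPWS-2005 ENDPOINT PE"

# One row per customer VLAN: ether2 is tagged in both rows,
# each VPLS interface is tagged only in its own customer's row.
/interface bridge vlan add bridge=VPWS-1003 vlan-ids=2005 tagged=ether2,"VPWS-2005 ENDPOINT PE"

# On every member port, accept only tagged frames and drop frames whose VID
# the ingress port is not a member of.
/interface bridge port set [find bridge=VPWS-1003] frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Filtering stays enabled on the bridge (already set in the first reply).
/interface bridge set VPWS-1003 vlan-filtering=yes

# Check: each VLAN row should list ether2 plus exactly one VPLS interface.
/interface bridge vlan print where bridge=VPWS-1003
```

A VPLS interface that appears in more than one vlan-ids row would let one customer's tagged frames reach another customer's tunnel, so the print output is the thing to review after each new customer is added.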