How to Configure MPLS on Windows Server 2016

How to Configure Windows Server 2016 Multiprotocol Label Switching

Multiprotocol Label Switching (MPLS) is a high-performance routing technique that directs data from one node to the next based on short path labels rather than long network addresses. It has traditionally been the domain of service provider networks, but with the evolution of software-defined networking (SDN), MPLS concepts are increasingly relevant in enterprise datacenter environments. Windows Server 2016 does not ship with a native MPLS forwarding implementation in the traditional sense, but it provides the foundational components — BGP, GRE tunnelling, and the SDN stack — to implement label-switched path behaviour and MPLS-like forwarding through the Network Controller and RAS Gateway infrastructure.

This tutorial explores how to leverage Windows Server 2016’s SDN features to approximate MPLS functionality, configure BGP-based label distribution, and integrate tunnel-based label switching in your environment.

Understanding MPLS in the Context of Windows Server 2016

Traditional MPLS operates at layer 2.5, inserting labels between Ethernet and IP headers. Windows Server 2016 does not directly expose a kernel-level MPLS dataplane. However, using the SDN Network Controller and Hyper-V Network Virtualisation (HNV), you can achieve policy-based traffic steering, traffic engineering, and isolation that mirrors what MPLS provides in service provider networks. BGP with MPLS VPN concepts can be approximated using the Route Target and Route Distinguisher concepts within the SDN stack.

Prerequisites

You need a functioning Windows Server 2016 SDN deployment including the Network Controller, Software Load Balancer, and RAS Gateway. Install the required features:

Install-WindowsFeature RemoteAccess, Routing, Hyper-V -IncludeManagementTools

The Network Controller should be deployed and accessible. Verify connectivity:

$uri = "https://nc.contoso.com"
Invoke-WebRequest -Uri "$uri/networking/v1/discover" -UseDefaultCredentials

Step 1 — Configure BGP with Route Distinguishers

In MPLS VPN environments, Route Distinguishers (RD) and Route Targets (RT) are used to distinguish routes from different VPNs. On the RAS Gateway, configure the BGP router with an appropriate AS number:

Add-BgpRouter `
  -BgpIdentifier "10.10.0.1" `
  -LocalASN 65001 `
  -IPv6Routing Disabled

Add BGP peers for each VPN or tenant network you want to associate with an MPLS-like VRF:

Add-BgpPeer `
  -Name "MPLS-PE1" `
  -LocalIPAddress "10.10.0.1" `
  -PeerIPAddress "10.10.0.2" `
  -PeerASN 65001 `
  -PeeringMode Automatic `
  -OperationMode Mixed

Step 2 — Create VRF-Like Isolation with Hyper-V Network Virtualisation

Hyper-V Network Virtualisation (HNV) provides the isolation layer analogous to MPLS VRFs. Each tenant’s traffic is encapsulated using NVGRE or VXLAN, maintaining separation across a shared physical fabric. Use the Network Controller REST API to define a virtual network:

$headers = @{ "Content-Type" = "application/json" }
$body = @{
  properties = @{
    addressSpace = @{ addressPrefixes = @("10.50.0.0/16") }
    dhcpOptions = @{ dnsServers = @("10.50.0.10") }
    logicalNetwork = @{ resourceRef = "/logicalNetworks/HNVProvider" }
  }
} | ConvertTo-Json -Depth 5

Invoke-RestMethod `
  -Uri "https://nc.contoso.com/networking/v1/virtualNetworks/Tenant1VNet" `
  -Method Put `
  -Body $body `
  -Headers $headers `
  -UseDefaultCredentials

Step 3 — Define Traffic Engineering Policies

Traffic engineering in MPLS allows you to constrain how traffic uses network resources. In Windows Server 2016, you achieve this using BGP routing policies. Create a policy that influences path selection by manipulating Local Preference:

Add-BgpRoutingPolicy `
  -Name "PreferPrimary" `
  -PolicyType ModifyAttribute `
  -NewLocalPref 200 `
  -MatchPrefix "10.50.0.0/16"

Apply the policy to the relevant BGP peer:

Add-BgpRoutingPolicyForPeer `
  -PeerName "MPLS-PE1" `
  -PolicyName "PreferPrimary" `
  -Direction Ingress

Step 4 — Establish GRE Tunnels as Label-Switched Paths

GRE tunnels in Windows Server 2016 can function analogously to MPLS Label-Switched Paths (LSPs) by providing a pre-determined, encapsulated path through the network fabric. Configure tunnel interfaces between gateway nodes:

Add-VpnS2SInterface `
  -Name "LSP-to-PE2" `
  -Protocol GRE `
  -Destination "10.10.0.3" `
  -GreKey 1001 `
  -IPv4Subnet "10.50.0.0/16:100" `
  -Persistent

Step 5 — Verify Routing Table and Forwarding

Check that routes are being correctly installed in the routing table:

Get-BgpRouteInformation -Type All | Format-Table -AutoSize

netsh interface ipv4 show route

Confirm that traffic destined for tenant networks is being forwarded through the correct tunnel interfaces, simulating MPLS label-switched forwarding behaviour.

Step 6 — Quality of Service Configuration

MPLS networks commonly use traffic classes to provide differentiated QoS. In Windows Server 2016, configure QoS policies using Group Policy or PowerShell to mark and queue traffic appropriately:

New-NetQosPolicy `
  -Name "VoIP-Priority" `
  -DSCPAction 46 `
  -IPProtocol Both `
  -IPSrcPortStart 5060 `
  -IPSrcPortEnd 5060

Conclusion

While Windows Server 2016 does not expose a native MPLS kernel dataplane, its combination of BGP routing, GRE tunnelling, Hyper-V Network Virtualisation, and SDN Network Controller provides powerful building blocks to implement MPLS-like traffic separation, engineering, and forwarding in software. For organisations looking to bring service-provider-grade networking capabilities into their on-premises datacenter, the SDN stack in Windows Server 2016 offers a compelling and manageable platform.