When the VPLS local site-range is less than the remote site-identifier, the VPLS connection will be signaled as 'down' due to 'remote site out of range'. However, VPLS connection from the remote site still appears 'Up'. This article explains the cause and why this behavior is expected.

Topology:

CE1 ---<xe-2/0/1> PE1 --- P1 --- P2 --- PE2<xe-2/0/2> --- CE2

When PE1's site-range configuration changes from 3 to 2, it causes PE1's VC to go down due to 'remote site out of range'. However, it is not signaled to PE2, which makes the VC in PE2 to stay in 'Up' status.

Normal behavior:

In the following example, PE1's site-range is 2, which is less than PE2's site-identifier.  This causes the VPLS connection to go down due to OR (out of range).

root@mx480xxx# show routing-instances 
TEST1 {
    instance-type vpls;
    interface xe-2/0/1.0;
    route-distinguisher 1.1.1.1:1;
    vrf-target target:10:60;
    protocols {
        vpls {
            traceoptions {
                file pe1-vpls-trace;
                flag all;
            }
            site-range 2;
            interface xe-2/0/1.0 {
                encapsulation-type ethernet;
            }
            no-tunnel-services;
            site xxx {
                site-identifier 1;
            }
        }
    }
}


root@mx480xxx# show routing-instances 
TEST2 {
    instance-type vpls;
    interface xe-2/0/2.0;
    route-distinguisher 6.6.6.6:1;
    vrf-target target:10:60;
    protocols {
        vpls {
            traceoptions {
                file pe2-vpls-trace;
                flag all;
            }
            site-range 10;
            interface xe-2/0/2.0 {
                encapsulation-type ethernet;
            }
            no-tunnel-services;
            site xxx {
                site-identifier 3;
            }
        }
    }
}

From PE1:

root@mx480xxx# run show vpls connections

Layer-2 VPN connections:

Legend for connection status (St)   
EI -- encapsulation invalid      NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch     WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down    NP -- interface hardware not present 
CM -- control-word mismatch      -> -- only outbound connection is up
CN -- circuit not provisioned    <- -- only inbound connection is up
OR -- out of range               Up -- operational
OL -- no outgoing label          Dn -- down                      
LD -- local site signaled down   CF -- call admission control failure      
RD -- remote site signaled down  SC -- local and remote site ID collision
LN -- local site not designated  LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status  IL -- no incoming label
MM -- MTU mismatch               MI -- Mesh-Group ID not available
BK -- Backup connection          ST -- Standby connection
PF -- Profile parse failure      PB -- Profile busy
RS -- remote site standby        SN -- Static Neighbor
LB -- Local site not best-site   RB -- Remote site not best-site
VM -- VLAN ID mismatch

Legend for interface status 
Up -- operational                       
Dn -- down

Instance: TEST1
Edge protection: Not-Primary
  Local site: xxx (1)
    connection-site           Type  St     Time last up          # Up trans
    3                         rmt   OR

Up behavior: The following output shows that VPLS connection is Up from PE2, even if the Virtual Circuit is singled to down.

From PE2:

root@mx480xxx# run show vpls connections    
Layer-2 VPN connections:

Legend for connection status (St)   
EI -- encapsulation invalid      NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch     WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down    NP -- interface hardware not present 
CM -- control-word mismatch      -> -- only outbound connection is up
CN -- circuit not provisioned    <- -- only inbound connection is up
OR -- out of range               Up -- operational
OL -- no outgoing label          Dn -- down                      
LD -- local site signaled down   CF -- call admission control failure      
RD -- remote site signaled down  SC -- local and remote site ID collision
LN -- local site not designated  LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status  IL -- no incoming label
MM -- MTU mismatch               MI -- Mesh-Group ID not available
BK -- Backup connection	         ST -- Standby connection
PF -- Profile parse failure      PB -- Profile busy
RS -- remote site standby	 SN -- Static Neighbor
LB -- Local site not best-site   RB -- Remote site not best-site
VM -- VLAN ID mismatch

Legend for interface status 
Up -- operational           
Dn -- down

Instance: TEST2
Edge protection: Not-Primary
  Local site: xxx (3)
    connection-site           Type  St     Time last up          # Up trans
    1                         rmt   Up     Mar 25 19:28:38 2016           1
      Remote PE: 2.2.2.2, Negotiated control-word: No
      Incoming label: 262145, Outgoing label: 262147
      Local interface: lsi.17826048, Status: Up, Encapsulation: VPLS
        Description: Intf - vpls TEST2 local site 3 remote site 1

As per the VPLS design, it is possible to have one end pseudowire in OR state and the other end in Up state, when the remote site ID do not fall in the locally configured site-range. This functionality is useful in hub-and-spoke VPLS with multihoming.

This behavior is intended according to VPLS design. In a hub-and-spoke VPLS with multihomed sites network, it needs to allow pseudowires to be established between the spoke routers and the hub router. However, it also needs to prevent pseudowires from being established between spoke routers directly. Refer to the VPLS Configuration Guide for more information.

Also, see KB30802 - [MX/PTX/TX] System does not warn of out-of-range situation after commit.