Chapter 7




Learn the differences between software-defined wide area networks (SD-WAN) and Multiprotocol Label Switching (MPLS) in supporting your multi-site connectivity. In this article, we provide a tabular side-by-side comparison and explain the pros, cons, and benefits of each solution.


This article is meant to help network administrators who must choose between MPLS and SD-WAN to connect remote offices or data center locations. We begin with an overview of each before we compare the pros and cons of each service and help you select the technology that is right for your needs and budget. Let us start with some background information.

In the second half of the 2010s, “software-defined” architectures led to several major changes in the networking industry. In simple terms, “software-defined” refers to the virtualization and programmatic configuration of network infrastructure, which can greatly improve network performance, agility, and monitoring capabilities.

A software-defined architecture separates the control plane, which manages the network devices, from the data plane (also called the underlay), which forwards network traffic. The control plane consists of controllers (the name varies by vendor) that have a complete view of the network and can program the underlay network devices.

Software-defined networking creates a software overlay network that abstracts away the underlying hardware used to transport traffic between endpoints. There are multiple applications for the software-defined technology in the network space:

  • Software-defined networking (SDN) - Used to reduce costs and increase the agility of LAN connectivity by abstracting the hardware layer.
  • Software-defined mobile network (SDMN) - Used to transform mobile networks.
  • Software-defined local area network (SD-LAN) - Used to enable policy-driven architectures for wired and Wi-Fi networks.
  • Software-defined data center (SDDC) - Used to allow virtualization of the network, CPU, storage, and security to be provided as a service.
  • Software-defined wide area network (SD-WAN) - Used to reduce the costs and increase the agility of WAN connectivity by abstracting the hardware layer.

The last technology in the list, SD-WAN, has begun to displace the once-dominant Multiprotocol Label Switching (MPLS) as the go-to WAN connectivity solution for many organizations. However, MPLS is far from a thing of the past, and in some cases, SD-WAN and MPLS can be used in tandem.

To help you better understand the modern WAN landscape and decide which solution is right for you, this article explores the pros and cons of MPLS and SD-WAN. But before we get too far, let’s take a high-level look at how the two stack up:

|  | MPLS | SD-WAN |
| --- | --- | --- |
| Reliability | Very reliable. Dedicated links from carriers. | Very reliable. Simple to configure failover and use multiple underlays, including MPLS. |
| Security | Generally secure. Links are dedicated/private. Encrypting traffic is still recommended. | Generally secure. Some solutions include built-in security features. |
| Performance | The most reliable performance. | Equivalent performance but with fewer guarantees. |
| Cost | Expensive. | Less expensive than MPLS for equivalent performance and reliability. |
| Time to deploy | Can take weeks/months to provision. | Software-defined nature and flexibility in underlays make deployment time much faster (often less than one day). |
| Transport independence | MPLS lines are inherently dedicated lines. | Complete flexibility in the underlay transport method. |
| Application steering policies | Limited flexibility, may need to use additional appliances. | Built-in to SD-WAN control plane. |
| Adoption | Widely adopted. Mature technology. | Adoption is growing and SD-WAN is becoming common. Not as mature as MPLS. |

What is MPLS?

MPLS is a routing technique that is based on simple labels and operates “between” Layer 2 and Layer 3 of the OSI (open systems interconnection) Model.

To get a better idea of how MPLS works, let’s take a step back and look at how “traditional” routing works.

When a packet -- which inherently has a source and destination address -- traverses a network, each router checks its routing table to find the next-hop IP for the destination IP in the packet header. Once it is known, the packet is forwarded to the next-hop router, and the process repeats until the packet reaches its destination.

MPLS streamlines this process and allows the devices to forward the packets based on the label present on the packet. The label has an associated path through the network which allows better control of the traffic flow. Based on the information found in the MPLS header, different classes of service characteristics can be applied to the traffic identified by the label.
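The contrast between hop-by-hop IP lookup and label switching described above, as an added example that is not part of the original article. The three-router topology, prefixes, label values and traffic classes are constructed for illustration, and the model uses a single label per path and leaves out label distribution.

```python
import ipaddress

# Constructed topology (PE1 -> P1 or P2 -> PE2); all names, prefixes and
# label values are made up for this illustration.
ROUTES = {  # per-router IP routing tables: prefix -> next hop
    "PE1": {"10.2.0.0/16": "P1", "10.0.0.0/8": "P2"},
    "P1": {"10.2.0.0/16": "PE2"},
    "P2": {"10.0.0.0/8": "PE2"},
    "PE2": {"10.2.0.0/16": "deliver"},
}
# Ingress classification: (prefix, traffic class) -> (label to push, next hop)
FEC = {("10.2.0.0/16", "voice"): (100, "P1"),
       ("10.2.0.0/16", "bulk"): (200, "P2")}
# Label tables: router -> {incoming label: (outgoing label or None, next hop)}
LFIB = {"P1": {100: (101, "PE2")}, "P2": {200: (201, "PE2")},
        "PE2": {101: (None, "deliver"), 201: (None, "deliver")}}

def ip_path(dst, router="PE1"):
    """Traditional routing: longest-prefix match on dst at every hop."""
    addr, path = ipaddress.ip_address(dst), []
    while router != "deliver":
        path.append(router)
        nets = [ipaddress.ip_network(p) for p in ROUTES[router]]
        best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
        router = ROUTES[router][str(best)]
    return path

def mpls_path(dst, tclass):
    """MPLS: one classification at ingress, then exact-match label swaps."""
    addr = ipaddress.ip_address(dst)
    for (prefix, cls), (label, router) in FEC.items():
        if cls == tclass and addr in ipaddress.ip_network(prefix):
            break
    else:
        raise LookupError("no label binding for this packet")
    hops = [("PE1", label)]          # (router, label on the outgoing packet)
    while router != "deliver":
        out_label, nxt = LFIB[router][label]   # dict lookup, no IP parsing
        hops.append((router, out_label))       # None means the label was popped
        router, label = nxt, out_label
    return hops

if __name__ == "__main__":
    print(ip_path("10.2.3.4"))             # one path, whatever the traffic class
    print(mpls_path("10.2.3.4", "voice"))  # label 100 pins voice to P1
    print(mpls_path("10.2.3.4", "bulk"))   # label 200 pins bulk to P2
```

With plain IP routing the destination alone decides the path; with labels the same destination follows different paths per traffic class, which is what lets the provider apply different service characteristics.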

Because of its performance advantages and the fact MPLS vendors provide private dedicated circuits to route traffic over, MPLS became a popular technology for WAN connectivity beginning in the 1990s. For enterprises looking to provision connectivity between multiple WAN locations at scale, MPLS was the go-to solution.

To better conceptualize why MPLS links are considered “private”, take a look at the diagram below. It shows an MPLS network where two customers, A and B, have separate circuits. The red links are isolated to customer A and the blue links are isolated to customer B.

What Is SD-WAN?

A software-defined wide area network (SD-WAN) is a software-defined approach to WAN connectivity.

With SD-WAN, you are given the flexibility to use multiple types of underlying connections: MPLS, broadband, and LTE. SD-WAN then creates a control plane “over the top” of these underlay technologies that abstracts away the hardware. This allows for streamlined provisioning, simple failover, and significant operational flexibility. Additionally, application visibility and advanced network performance monitoring give SD-WAN an edge for WAN connectivity compared to other solutions.

Problems SD-WAN Solves

In the past, the role of the WAN was to allow the users from branches or campuses to access the applications hosted in the data center. For this to happen in a reliable and secure way, MPLS circuits were commissioned from service providers.

Legacy WAN architectures also consist of Internet circuits which sometimes work in active/backup mode with MPLS circuits. With this kind of architecture, Internet connections are present only in central points of the network, most likely the data centers through which users can access the Internet.

However, the rise of cloud computing and remote work led to challenges that MPLS could solve neither elegantly nor economically. Moreover, the high cost of MPLS bandwidth at a time when bandwidth consumption was growing rapidly led to demand for reliable alternatives. This is where SD-WAN comes in.

The MPLS problems SD-WAN solutions aim to solve include:

  • Poor cloud performance - MPLS was designed with site-to-site connectivity within the same enterprise in mind. Cloud connectivity breaks this paradigm and often requires backhauling of Internet-bound traffic, which can create performance issues with cloud-based infrastructure such as popular SaaS apps like Office 365, Salesforce, and Google Workspace. As more and more enterprises depend on cloud apps, this problem becomes increasingly pronounced.
  • Lack of detailed application visibility and control - Because SD-WAN provides a software overlay to the underlying infrastructure, it provides users with the ability to capture deeper insights on network performance and further optimize traffic with policy-based routing and traffic shaping techniques.
  • Limited operational agility - Provisioning MPLS circuits can take weeks. Provisioning SD-WAN with public-Internet links can be significantly faster, with provisioning of a single site taking minutes or hours with some vendors.
  • High costs - MPLS bandwidth is expensive. Public internet bandwidth is cheap. SD-WAN allows users to leverage affordable Internet bandwidth without sacrificing reliability because they can configure failover between multiple links. Additionally, by switching away from MPLS, organizations are no longer paying for dedicated provider circuits and services.

How Does SD-WAN Work?

SD-WAN is a virtual WAN architecture formed by establishing encrypted tunnels between sites. These tunnels form the overlay.

While specific implementations vary, each SD-WAN solution includes:

  • Edge devices - These devices are the points between which the overlay tunnels are established. Their name varies by vendor, but they all have the same role: to receive the user traffic in the SD-WAN overlay.
  • Controller devices - These devices are part of the control plane and they must fulfill several roles. Depending on the vendor, the roles can be consolidated in a single box:
    - Management role - The actual management platform that is used to manage the solution in daily operations, which includes configuration, monitoring, and troubleshooting.
    - Keeper of routing information role - A role that allows users to distribute routing information in the overlay network (to the edge devices).
    - Onboarding role - When the edge devices first come online, they need to retrieve their configuration. The controller with this role can provide the initial or complete configuration to the edge device.
    - Analytics role - Aggregates the statistics received from the edge devices and provides the ability to export them to third parties or to create dashboards with relevant information that can be used during monitoring or troubleshooting.

The diagram below shows a standard SD-WAN topology where communication between branches and the data center can happen via MPLS or broadband connections and the branches can access cloud applications directly.

Every SD-WAN solution has centralized management from which configuration policies are pushed to the edge devices to accomplish the intended operation of the network. The policies can be applied globally or per device.

For instance, the operator might decide that for a certain type of traffic, a specific link must be used if it meets specific requirements in terms of latency, packet loss, or other criteria available with that SD-WAN solution. This is called dynamic path selection, and it allows traffic to be steered based on link conditions.
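One way to express the dynamic path selection described above, as an added example that is not taken from the article or from any vendor's SD-WAN product. The `Link` and `Policy` classes, the thresholds and the measurements are hypothetical; real solutions differ in which metrics they probe and how they break ties.

```python
from dataclasses import dataclass

@dataclass
class Link:                 # one underlay with its latest probe results
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    up: bool = True

@dataclass
class Policy:               # per-application steering rule
    app: str
    preferred: str          # link to use while it meets the thresholds
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float

def compliant(link, policy):
    return (link.up and link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct
            and link.jitter_ms <= policy.max_jitter_ms)

def select_path(policy, links):
    """Return (link name or None, reason) for one application policy."""
    rank = lambda l: (l.loss_pct, l.latency_ms)     # lower is better
    pref = next((l for l in links if l.name == policy.preferred), None)
    if pref and compliant(pref, policy):
        return pref.name, "preferred link within thresholds"
    ok = [l for l in links if compliant(l, policy)]
    if ok:
        return min(ok, key=rank).name, "steered to a compliant link"
    alive = [l for l in links if l.up]
    if alive:
        return min(alive, key=rank).name, "no compliant link, best effort"
    return None, "all links down"

if __name__ == "__main__":
    # Constructed measurements, not from a real network.
    links = [Link("mpls", 40, 0.1, 3), Link("broadband", 25, 0.5, 8),
             Link("lte", 70, 1.5, 20)]
    voice = Policy("voice", "mpls", 150, 1.0, 30)
    print(select_path(voice, links))      # MPLS healthy
    links[0].loss_pct = 3.0               # MPLS degrades
    print(select_path(voice, links))
    links[1].loss_pct = 2.0               # broadband degrades too
    print(select_path(voice, links))
```

The last case matters operationally: when no link meets the thresholds, the policy still has to pick something, and logging the reason makes the fallback visible in monitoring.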

SD-WAN Benefits

At this point, some of the upsides of SD-WAN should be clear. To see why it is becoming such a popular choice in the era of cloud connectivity, remote work, and bandwidth-hungry apps, let’s take a closer look at the benefits we have not yet delved into.

Reduced WAN Cost

MPLS circuits are expensive. While MPLS circuits have their place in the WAN, most of them can be decommissioned and replaced with other types of connections: broadband or LTE. The price of MPLS circuits is considerably higher compared to other transport mediums. Further, geographical location can drive the price of MPLS circuits up even more.

Increased WAN Availability and Bandwidth

With SD-WAN, all the underlying transport methods can be used concurrently by load balancing traffic across all the available links. This not only increases the available bandwidth, but also provides high availability and active-active failover capabilities.

Faster Cloud Access

Many applications used on a daily basis are hosted in the cloud. SD-WAN allows direct Internet access at the branch, so traffic does not have to be backhauled to a central location before it can exit to the Internet. Not only is bandwidth saved for other critical applications that can only be accessed in the data center, but performance also improves thanks to lower latency.

Application Visibility and Control

To control the traffic, you need to know what your traffic is. With SD-WAN, packet inspection enables deep network visibility. Further, the software-defined nature means it is simple to make granular changes to routing policies and optimize traffic based on specific requirements.

SD-WAN Use Cases

Common SD-WAN use cases include:

  • MPLS replacement
    Secure connection between branches, data centers, and cloud over public and private networks.
  • Direct Internet access
    Local Internet breakout at branch level.
  • WAN performance optimization
    Achieved via application-aware routing.
    - Quality of Service.
    - Forward Error Correction and Packet Duplication.
    - TCP optimization.
  • Multi-cloud connectivity
    Allows connectivity to cloud applications (IaaS or SaaS) over an optimal path.

MPLS Pros and Cons

Now that we’ve explored MPLS and SD-WAN in depth, let’s take a look at the pros and cons of each WAN connectivity solution.


MPLS Pros

  • Reliability - Dedicated MPLS links have a reputation for reliability and are often backed by provider service level agreements (SLAs). Additionally, with built-in high-availability features, in many cases MPLS can quickly restore service in the event an outage occurs (if Fast Rerouting is used, it can be less than 50 ms).
  • Security/privacy - Considering that forwarding is done using labels, one of the label stacks of the packet can identify a specific customer/VPN which allows complete segregation of the traffic for multiple customers. The traffic of one customer cannot mix with the traffic of another customer. However, it is important to note that MPLS traffic is not inherently encrypted! More on this in the “MPLS Cons” section below.
  • Performance - Considering that MPLS is a service that is managed by a service provider, it is the job of that entity to guarantee the bandwidth and the quality. Normally, a service provider will upgrade its network to make sure that the sum of all customer contracted MPLS services does not oversubscribe the network capacity. Additionally, with QoS, customer traffic can be assigned priorities to help ensure reliable delivery of mission-critical traffic (e.g. VoIP calls).


MPLS Cons

  • Cost - Because an SLA is provided for MPLS circuits, service providers need to make sure that they meet it, which means the circuits cost more. The cost only goes up as bandwidth demand keeps increasing, so they cannot be used for any kind of large traffic volume.
  • Security/encryption - While one customer’s traffic is segregated from another customer’s traffic, MPLS traffic is not encrypted. If you completely trust the MPLS carrier, this may not be seen as a problem. However, complete trust isn’t a great security practice, and it is often a wise choice to use only encrypted communication methods, even over MPLS links.
  • Time to deploy - MPLS circuits usually take a significant amount of time to provision. In some cases, they are provided to a customer via a third party, which can compound delays.

SD-WAN Pros and Cons

Now let’s take a look at the pros and cons of SD-WAN.


SD-WAN Pros

  • Performance - SD-WAN can take advantage of all the WAN links and load balance the traffic across all of them while maintaining high availability if any of the WAN links fails. Further, SD-WAN far outstrips MPLS when it comes to cloud workloads.
  • Deployment times and operational efficiencies - It is much faster to provision sites using SD-WAN architectures than MPLS-based architectures. Further, SD-WAN makes it easier to quickly connect remote users and devices as needed.
  • Scalability - New links can be added any time and the traffic will start going over the links immediately.
  • Transport independence - An SD-WAN edge device can have different types of links connected: MPLS, broadband, and LTE.
  • Cost - Any type of link can be used with SD-WAN. Broadband connections are far cheaper than MPLS circuits. In some parts of the world, broadband circuits are as reliable as MPLS, making the overall value proposition an easy choice from a business perspective.
  • Security - While the SD-WAN overlay can be established over MPLS and the Internet, the traffic going over both transport domains can be secured in the same way. Traffic can be inspected and cleaned at branch level without requiring it to be inspected in a central point in the network, usually the data center.
  • Application-specific policies - SD-WAN can detect the user traffic, which allows granular routing and security policies to be applied to it. Specific traffic can be inspected and forwarded over a specific WAN interface while other types of traffic can be load balanced across all the WAN links and not inspected.
  • Decentralization - While all the edge devices are managed in a centralized way, the networking and security functionalities can be implemented at branch level. The direct Internet access feature allows the traffic to exit to the Internet directly from the branch and have it inspected locally.


SD-WAN Cons

  • Vendor dependence - Each SD-WAN solution is unique. Today, there is no standard across the SD-WAN solutions. Although all of them work in similar ways, you can’t take an appliance from one vendor and use it with another vendor.
  • Adoption - MPLS is mature and engineers are very comfortable with it. Although it is rapidly growing in popularity, the adoption of any given SD-WAN solution (remember they vary from vendor to vendor) isn’t as widespread.
  • Security - Although not applicable for most SD-WAN solutions, some of them are not able to provide integrated security.

Conclusion: finding the right solution

So, should you choose SD-WAN or MPLS?

Frankly, in many cases SD-WAN far outstrips MPLS if you’re starting from scratch. However, while that is true in most cases, it is far from an absolute.

There are situations when MPLS is required to ensure business continuity. Some use cases simply need an SLA and can justify the additional MPLS costs to get it. As reliable as the Internet is today, it is still a best effort service. In those cases, it may make sense to stick with MPLS or -- even better from an operational standpoint -- use it as an underlay for SD-WAN.

Remember, there’s never a one-size-fits-all answer. Weigh the pros and cons of each of these popular WAN connectivity solutions, and make the right decision for your business.
