Multi-protocol label switching (MPLS) is a routing technique used in carrier backbones and in enterprise networks to connect branch offices and sites that need quality of service (QoS) for real-time applications. Instead of performing a longest-prefix lookup in a routing table at every hop, as IP routers do, MPLS forwards traffic on short path labels rather than full network addresses, hence the name label switching.
MPLS is multi-protocol in the sense that it was designed as an overlay able to encapsulate other network protocols. As data enters the MPLS network, it is grouped into packets consisting of a header and a payload. Along the path, MPLS routers use the label in the header to forward the packet toward its destination, where the payload is extracted and handed to the application.
When traffic enters the MPLS network, the ingress MPLS router adds an MPLS header to it. This assigns the packet to a forwarding equivalence class (FEC), indicated by pushing a short bit sequence (the label) onto the front of the packet.
The MPLS header or label stack contains 4 fields:
Because the data is encapsulated, forwarding is decoupled from the underlying protocol: forwarding tables can be built for whatever protocol is being carried. The FEC defines the routing criteria used to build a predetermined path through the MPLS network, called a label-switched path (LSP). LSPs are unidirectional; return traffic travels over its own LSP.
The primary goal of MPLS is to improve the performance and reliability of network traffic, but it has some security benefits as well. MPLS links are not encrypted; their isolation comes from being partitioned from the rest of the Internet by the carrier, which provides separation similar to a virtual private network (VPN) but not confidentiality of the data itself.
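To make the header and the forwarding step concrete, here is an added example (not code from the original article) that packs and parses a 32-bit label stack entry and performs one label-switching hop. It assumes the RFC 3032 layout of the four fields (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack flag, 8-bit TTL); the `lfib` mapping and the sample packet are constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class LabelStackEntry:
    """One 32-bit MPLS label stack entry (RFC 3032 layout)."""
    label: int             # 20 bits: identifies the FEC / LSP
    traffic_class: int     # 3 bits: QoS marking (formerly EXP)
    bottom_of_stack: bool  # 1 bit: set on the entry directly above the payload
    ttl: int               # 8 bits: decremented at each label-switching hop

    def pack(self) -> bytes:
        if not (0 <= self.label < 1 << 20 and 0 <= self.traffic_class < 8
                and 0 <= self.ttl < 256):
            raise ValueError("label stack field out of range")
        word = ((self.label << 12) | (self.traffic_class << 9)
                | (int(self.bottom_of_stack) << 8) | self.ttl)
        return struct.pack("!I", word)

    @classmethod
    def unpack(cls, data: bytes) -> "LabelStackEntry":
        (word,) = struct.unpack("!I", data[:4])
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)

def parse_label_stack(packet: bytes) -> tuple[list[LabelStackEntry], bytes]:
    """Walk entries until the bottom-of-stack bit; return (stack, payload) with the payload exactly as carried."""
    stack, offset = [], 0
    while True:
        if len(packet) - offset < 4:
            raise ValueError("truncated label stack")
        entry = LabelStackEntry.unpack(packet[offset:offset + 4])
        stack.append(entry)
        offset += 4
        if entry.bottom_of_stack:
            return stack, packet[offset:]

def swap_top_label(packet: bytes, lfib: dict[int, int]) -> bytes:
    """One LSR hop along an LSP: swap the top label via the LFIB, decrement TTL."""
    stack, payload = parse_label_stack(packet)
    top = stack[0]
    if top.ttl <= 1:
        raise ValueError("TTL expired; drop the packet")
    new_top = LabelStackEntry(lfib[top.label], top.traffic_class,
                              top.bottom_of_stack, top.ttl - 1)
    return b"".join(e.pack() for e in [new_top, *stack[1:]]) + payload

# Constructed sample: outer transport label 16, inner VPN label 1001 (S=1), then a payload any LSR can read.
SAMPLE_PACKET = (LabelStackEntry(16, 0, False, 64).pack()
                 + LabelStackEntry(1001, 5, True, 64).pack()
                 + b"<IPv4 packet, in the clear>")
```

Note that the payload is returned byte-for-byte: the label stack adds forwarding state, not encryption, which is why MPLS isolation is separation rather than confidentiality.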
MPLS provides certain performance benefits, but it has its downsides as well. Some of the limitations of MPLS include:
MPLS is designed to implement a high-performance, reliable WAN. However, these benefits come at a significant cost and force organizations to accept the limitations of MPLS.
As these MPLS drawbacks begin to hinder business goals, software-defined WAN (SD-WAN) offers an MPLS alternative that lets organizations build a flexible, high-performance, and reliable corporate WAN more cheaply and easily.
Rather than relying on dedicated links, SD-WAN optimizes the use of whatever transport media are available. SD-WAN appliances aggregate several transport media (broadband, MPLS, mobile networks, and so on) and select routes according to application-specific policies. This reserves expensive, high-performance bandwidth (such as MPLS links) for application traffic that needs it, while less important traffic (such as web browsing) is routed over cheaper links.
By decreasing an organization’s dependence on MPLS circuits, SD-WAN not only decreases costs but also improves network flexibility. SD-WAN can use transport media that lack the same geographic restrictions as MPLS and can be deployed more quickly and cheaply. This allows traffic to be routed anywhere, not just where MPLS links are available.
MPLS provides high-performance, reliable connectivity at the cost of a high price tag and decreased flexibility. As enterprise networks evolve, SD-WAN provides an alternative that better fits enterprise business needs.
When selecting an SD-WAN solution, it is important to choose one that meets both networking and security requirements. By default, SD-WAN lacks encryption and integrated security just like MPLS. However, some SD-WAN solutions offer built-in software-defined protection to secure the traffic flowing over the corporate WAN.
Check Point’s SD-WAN Security solutions integrate with all major SD-WAN solutions. To learn more about deploying a Secure SD-WAN solution, check out this buyer’s guide. Then, request a demo to see how Check Point solutions integrate with your preferred SD-WAN solution.