What Is MPLS?

What Is MPLS? Definition, Pros/Cons and Alternatives

Multiprotocol Label Switching (MPLS) was originally developed in the 1990s to enable high speed network connections for enterprise networks. It began as a proprietary protocol, and was standardized by the Internet Engineering Task Force (IETF) in 2001, as RFC 3031.

The public Internet works by forwarding packets from one router to the next until the packets reach their destination. MLPS, on the other hand, sends packets along a given network path. This means the router spends less time deciding where to forward each packet, and the packets follow the same path each time. MPLS operates between layer 2 (the network layer) and layer 3 (the data link layer) of the OSI network model. 

MPLS is widely used in enterprise networks, but is falling out of favor as an exclusive solution for network connectivity. MPLS infrastructure is expensive and complex to set up, and is also inflexible, making it difficult to support changes to organizational structure and new edge locations. MPLS will continue to have a role in the future, alongside other connectivity options such as SD-WAN and broadband Internet.

How Does MPLS Routing Work?

When traffic enters an MPLS network, the ingress MPLS router adds an MPLS header to it. This encapsulates the data, making it easy to forward to any underlying protocol. 

The MPLS router assigns a forwarding equivalence class (FEC), which is expressed by adding a label (a short sequence of bits) to the packet. The FEC defines routing criteria that create a predetermined traffic route in the MPLS network. This is called the label-switched path (LSP). Routes are unidirectional, and return traffic is sent through a separate LSP.

The MPLS header or label stack has four fields:

  • First 20 bits—the label that determines where the packet is forwarded.
  • Next 3 bits—used for quality of service (QoS) priority and explicit congestion notification (ECN), an extension to the IP protocol that allows networks to deal with congestion without dropping packets.
  • Next 1 bit—this is the “bottom of the stack” field. When it is set, it indicates that the packet has reached the end of the MPLS network route.
  • Last 8 bits—Time To Live (TTL).

The main goal of MPLS is to improve the performance and reliability of network traffic. However, it may also have security benefits. Although MPLS links are unencrypted by default, they are usually isolated from the rest of the network, creating a separate virtual tunnel in a somewhat similar fashion to Virtual Private Network (VPN)—learn more in our comparison between MPLS and VPN below.

Learn more about MPLS routing

How Is MPLS Used in Organizations?

Service providers and organizations use MPLS to implement network connectivity with predictable QoS. They do this by defining LSPs (predetermined network paths) that meet the required levels of traffic delay, jitter, packet loss, and downtime. 

For example, an MPLS network can have three service levels that prioritize different types of traffic: level 1 with the highest QoS for voice or video conferencing, level 2 for time sensitive traffic, and level 3 for  “best effort” traffic.

MPLS also supports traffic isolation and creation of virtual private networks (VPNs), virtual private LAN (VLAN) services, and virtual leased lines.

Related content: Read our guide to affordable MPLS alternatives

MPLS Network Pros and Cons

One of the most important benefits of MPLS is that it supports and manages multiple protocols and transmission mediums. It supports communication over IP, Ethernet, Asynchronous Transfer Mode (ATM) and Frame Relay.  You can use any of these protocols to create LSPs. 

Other benefits of MPLS include:

  • Suitable for real-time applications that require very low latency.
  • Suitable for mission critical data transmissions that require high reliability.
  • Ability to manage multiple voice and data applications on the same MPLS network.
  • Ability to manage different types of data transfer with different priorities and service levels.
  • Ability to allocate a specific percentage of bandwidth for different data types.
  • Ability to scale up the network by provisioning additional bandwidth.

Disadvantages of MPLS include:

  • Highly expensive, compared to other methods of connectivity, because it is designed to ensure high bandwidth, high performance, and competitive SLAs. 
  • Typically uses private connections, which require extensive resources to deploy and upgrade. 
  • Does not have a central point of operations for deploying or reconfiguring new locations.
  • Built for point-to-point connectivity, which is not supportive of cloud environments. 
  • Requires dedicated infrastructure, and can only operate where that infrastructure is deployed. This means MPLS is not relevant for many edge locations, and cannot be used to support remote users or SaaS applications.

MPLS Alternatives

MPLS vs. Internet Connectivity

Both the Internet and MPLS are core enterprise connectivity options. The Internet is the lower-cost option but has drawbacks, while MPLS offers more reliable connectivity at a premium. Both MPLS and Internet networks support full-mesh inter-site communication and various Layer 1 mediums (e.g., T1, DSL, Ethernet). 

The main differences between MPLS and Internet connectivity are:

  • Carrier—MPLS connectivity relies on a single carrier, while the Internet is unrestricted and can communicate via different carriers. 
  • Prioritization—MPLS providers guarantee packet priority and delivery, but the Internet does not.
  • Voice and video use cases—MLPS is the preferred option for voice and video communication because it prioritizes packet delivery.
  • SLAs—MPLS has a defined service level agreement with high service, while Internet SLAs vary.
  • Cost—MPLS is more expensive than Internet connectivity.
  • Security—MPLS is considered private and more secure than the public internet.


A virtual private network (VPN) enables connectivity from remote locations to an organization’s network using encrypted data transmission.

VPNs use various encryption standards, such as RSA, TripleDES and EAS. VPNs mask the user’s public IP address, replacing it with a private IP address. They ensure confidentiality and integrity via a cryptographic tunneling protocol and sender authentication. VPNs use various security protocols such as IPsec, PPTP, and LT2P.

The main differences between MPLS and VPN connectivity are:

  • Speed—high speed Internet is often available at significantly lower cost than MPLS, making VPN favorable for high throughput applications. However, Internet connectivity is also less reliable than MPLS connections.
  • Security—MPLS is considered a private network with insulated routing protocols and infrastructure. As such, it does not have encryption by default, so any security fault in the network could easily compromise all the data. VPN on the other hand relies on the public and insecure internet, and therefore will always include authentication and encryption, which in the end provides better security.
  • Data protection—VPNs use multiple security means to protect private data. It is difficult for an attacker to penetrate the virtual tunnel and break the encryption. Data encryption means that even if attackers tap into network traffic, they cannot read or make use of  the data. 
  • Cost—VPNs tend to be less expensive, since MPLS requires dedicated infrastructure.

While MPLS and VPN technology are often regarded as competitors, they can also work together. For example, an enterprise with a hybrid cloud can use MPLS to reliably connect their physical locations, and VPN to securely connect their cloud datacenters. In such a scenario, each resource is connected with the optimal technology. The downside is inconsistency and greater infrastructure complexity. 

Learn more about MPLS vs. VPN

MPLS vs. IPsec

IPsec is a set of protocols used to establish encrypted connections between devices. It helps keep data transmitted over public networks secure. IPsec is commonly used to set up VPNs and works by encrypting IP packets and verifying their origin.

The name IPsec refers to “Internet Protocol (IP) security”. The Internet Protocol is the primary routing protocol used on the Internet. Networks use IP addresses to specify where data should be sent. IPsec adds encryption and authentication to this process.


  • MPLS is considered a private network that doesn’t require encryption.
  • IPsec requires an encrypted tunnel between every two edges of the network, so a network of 10 edges will require 100 tunnels. This increases the cost of the appliances used for establishing and maintaining the IPsec tunnels. It also requires a highly qualified team to manage and maintain hardware and networks.


  • MPLS is considered secure even when data transmitted over an MPLS network is unencrypted, because it is based on a private link. However, individuals with physical access to the MPLS link could intercept communications.
  • IPsec VPN data is always encrypted. However, because it traverses the public Internet, it faces a greater risk of interception and eavesdropping.


  • MPLS lines are private networks that come with a clear SLA that focuses on reliability and availability as the core value of the service.
  • IPsec connections rely on internet infrastructure, and are therefore less reliable and subject to the instability and unpredictability of the public Internet.


  • MPLS allows users to prioritize specific traffic on the network. This is useful if your organization uses VoIP or other latency-sensitive applications.
  • IPsec also allows QoS, but since the underlying infrastructure is the Internet, disconnections are a common problem that QoS cannot solve.


Software Defined Wide Area Networking (SD-WAN) is a technology that uses the concept of Software Defined Networking to distribute network traffic over a wide area network (WAN). SD-WAN automatically determines the most efficient way to route application traffic between branch and data center sites based on configured policies.

Bandwidth use

  • SD-WAN efficiently uses all available network bandwidth. SD-WAN-connected sites can be easily upgraded by adding new links.
  • MPLS requires expensive private links to scale up the available bandwidth.


  • SD-WAN can create dynamic, direct connections between branch offices, cloud datacenters, and the Internet, making it much more efficient than MPLS.
  • MPLS connects branch offices to a central data center via a hub-and-spoke WAN model, with each remote location connected via a single MPLS connection. As a result, access to the Internet and cloud services, must first be backhauled to a central data centers, and from there to its final destination, adding latency and consuming valuable MPLS bandwidth


  • SD-WAN reduces costs by combining use of MPLS and the Internet to build the wide area network. Using the internet for less sensitive applications allows a lower cost per Mbps
  • MPLS has high cost because it relies on a private and dedicated infrastructure and is coupled with a reliability and high availability SLA.


  • MPLS networks are considered secure, because they are based on a private link infrastructure.
  • SD-WAN uses encrypted communication, since the data is transmitted over the public Internet.

Learn more in our detailed guide to MPLS alternatives

The Shift from MPLS and SD-WAN to SASE

MPLS offers low latency, minimal packet loss, predictable performance, and centralized management. However, MPLS also has drawbacks, including cost, capacity constraints, and time-consuming provisioning. Internet links have always been a cheaper, lower-quality alternative to MPLS, but they don’t offer a dedicated connection’s uptime and performance guarantees. 

In the early days of MPLS, organizations often used it for active workloads alongside Internet links for passive backups. Security depended on a firewall. Over time, WAN became expensive and complex, lacking agility. Admins have to deploy and configure appliances manually, pushing up operational costs. Today, this setup is too cumbersome to maintain.

SD-WAN aimed to help fill the functional gaps of public Internet and MPLS. SD-WAN provides automated multi-link connectivity, expanding the network’s overall capacity and accelerating the provisioning process. It can automatically adapt to dynamic network conditions to optimize connectivity costs.

While SD-WAN is a flexible, cost-efficient option, it is not enough to offer a full WAN transformation by itself. SD-WAN cannot provide the mobility, security, and cloud readiness needed to support digital businesses. It connects directly to the Internet and bypasses traditional security measures. IT teams often face technological silos due to poorly integrated, individually managed products. 

Secure Access Service Edge (SASE) is a further evolution of SD-WAN that incorporates a cloud-based security approach. SASE can be used to replace both MPLS and SD-WAN capabilities, helping address changing enterprise connectivity and security needs. It is also a security platform, not just a networking system—it provides the network optimization of SD-WAN and cloud security as a managed service. 

This converged security and connectivity approach, provided through a cloud service, eliminates the need to backhaul traffic through a central location. SASE platforms are geographically distributed, helping reduce latency for remote users and applications while always inspecting content and centrally enforcing security policies.