The Pros And Cons Of Replacing MPLS With SD-WANs

The SD-WAN concept needs further refinement before becoming a fully viable replacement for MPLS


Software-Defined Wide Area Networks (SD-WANs) promise to address many of the shortcomings of private Multiprotocol Label Switching (MPLS) services.

Although they have the potential to significantly reduce a business's bandwidth costs, SD-WANs come with their own set of limitations, including mobility and security concerns.

Here are the pros and cons of each:

MPLS: cons

As anyone who has acquired MPLS bandwidth for their company will happily tell you, bandwidth cost remains the single biggest limitation for MPLS subscriptions.

The high per-megabit price structure that most MPLS services impose is firmly out of step with today's preference for bandwidth-heavy, multimedia-driven content.

Spending expensive MPLS bandwidth to backhaul traffic to a centralized Internet hub makes little economic sense for either providers or customers.

MPLS services are also notoriously rigid to set up, often requiring an initial provisioning period that can take up to half a year, depending on the service provider. Simply upgrading bandwidth can take weeks.

Both are extremely long compared to the waiting times for regular Internet services, which can be provisioned and upgraded in days, or at most hours.

Benefits of MPLS

As managed services, MPLS subscriptions are supported by Service Level Agreements (SLAs) that govern acceptable standards of performance, such as latency, time to repair, uptime, and more. The services also typically enjoy very high uptimes - around 99.99% a year.

Although Internet performance has improved enormously over the past fifteen years (packet loss rates have dropped by an average of 88%, according to one estimate), problems remain with the consistency of path performance. In a survey of 700 IT, security, and networking executives, 43% said that latency was their top WAN (wide area network) concern.

Internet-based routing is designed to provide the best economic return for the Internet Service Providers (ISPs). They therefore often hand packets off to peering networks as economics dictate, rather than as performance would.

MPLS providers, however, optimize for performance and are able to minimize latency by running their own routing end-to-end, offering significantly improved application performance.

In a bid to overcome the limitations of standard WAN performance without adversely impacting the bottom line, many tech executives are turning to SD-WANs.

SD-WANs: what they promise

Providers of SD-WAN make the case that their services allow IT departments to supplement, and sometimes entirely replace, MPLS by using Internet-based services.

Over data services such as xDSL, 4G, and private services (such as MPLS circuits), SD-WAN nodes form an encrypted overlay.

As traffic enters the network, routing algorithms driven by application-based policies direct it across the optimal path. The algorithms check the end-to-end performance of the paths between source and destination and select the ideal path based on application constraints, business needs, and other requirements.

One common example is to direct email replication and other latency-tolerant, bandwidth-heavy applications across the Internet, while voice and video, which are sensitive to the wide swings in jitter and packet loss found on the Internet, may be routed across a private network, such as an MPLS service.

The benefits over MPLS

While it may be possible to enjoy similar benefits with plain IP routing, such an approach would come with more complexity than you would find in an SD-WAN. With IP routing, you would need the engineering expertise to combine Dynamic Multipoint VPN (DMVPN), Cisco Performance Routing (PfR), high-quality real-time measurements, and more. SD-WANs streamline this process.

It is also much easier for enterprises to take advantage of dormant connections with SD-WANs. Leveraging secondary connections with MPLS means thinking through various routing issues. Even then, switchover times may lead to session timeouts.

By comparison, employing these connections in SD-WANs is trivially simple.

Only a small amount of policy configuration is needed to distribute traffic across connections, and in the case of a blackout or brownout, further policy details govern when traffic leaves and returns to the primary link. Failover can be done fast enough to preserve an application's session.
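The application-aware path selection described under "what they promise" and the blackout/brownout failover policy described just above, shown together as an added example that is not part of the original article or any vendor's SD-WAN code. The path names (mpls, dsl, lte), the per-application thresholds, the measurements, and the "stick to the current path unless the policy allows preemption" rule are all constructed for illustration; a real SD-WAN node would feed continuous probe results into the same kind of decision.

```python
"""Application-aware WAN path selection with blackout/brownout failover.

Added example, not from the original article or any SD-WAN product.
All path names, thresholds and measurements are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PathStats:
    """One end-to-end measurement of a WAN path (constructed values)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True  # False models a blackout (link is down entirely)


@dataclass(frozen=True)
class AppPolicy:
    """Per-application constraints plus an ordered path preference."""
    app: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: Tuple[str, ...]  # assumed to list every candidate path
    preempt: bool  # True: return to a preferred path as soon as it is healthy
                   # False: stay on the current path while it meets the SLA


def classify(path: PathStats, policy: AppPolicy) -> str:
    """'blackout' if the link is down, 'brownout' if it is up but violates
    the application's thresholds, otherwise 'ok'."""
    if not path.up:
        return "blackout"
    if (path.latency_ms > policy.max_latency_ms
            or path.jitter_ms > policy.max_jitter_ms
            or path.loss_pct > policy.max_loss_pct):
        return "brownout"
    return "ok"


def select_path(policy: AppPolicy, paths: List[PathStats],
                current: Optional[str] = None) -> Optional[str]:
    """Pick the path for one application given the latest measurements.

    Order of decisions: keep a still-compliant current path (unless the
    policy preempts), then the first compliant path in preference order,
    then best-effort on any link that is at least up, else None."""
    compliant = [p.name for p in paths if classify(p, policy) == "ok"]
    if current in compliant and not policy.preempt:
        return current  # avoid flapping: the session survives on this link
    for name in policy.preferred:
        if name in compliant:
            return name
    if current in compliant:
        return current  # preempt requested but no preferred path is healthy
    usable = [p for p in paths if p.up]
    if not usable:
        return None  # total blackout: nothing to route over
    # Brownout everywhere: degrade gracefully onto the least-bad link.
    best = min(usable, key=lambda p: (p.loss_pct, p.jitter_ms, p.latency_ms))
    return best.name


def failover_trace(policy: AppPolicy,
                   snapshots: List[List[PathStats]]) -> List[Optional[str]]:
    """Replay successive measurement rounds and return the path chosen in each."""
    current: Optional[str] = None
    trace: List[Optional[str]] = []
    for paths in snapshots:
        current = select_path(policy, paths, current)
        trace.append(current)
    return trace


# Constructed policies: voice is kept off the Internet unless MPLS degrades;
# email replication prefers cheap Internet links and leaves MPLS as last resort.
VOICE = AppPolicy("voice", 150, 20, 1.0, ("mpls", "dsl", "lte"), preempt=False)
EMAIL = AppPolicy("email-replication", 500, 100, 5.0, ("dsl", "lte", "mpls"), preempt=True)

# Constructed measurement rounds: healthy, MPLS brownout, MPLS recovered,
# DSL blackout, MPLS+DSL blackout, everything down.
SNAPSHOTS = [
    [PathStats("mpls", 30, 2, 0.0), PathStats("dsl", 45, 12, 0.5), PathStats("lte", 80, 30, 1.5)],
    [PathStats("mpls", 30, 2, 3.0), PathStats("dsl", 45, 12, 0.5), PathStats("lte", 80, 30, 1.5)],
    [PathStats("mpls", 30, 2, 0.0), PathStats("dsl", 45, 12, 0.5), PathStats("lte", 80, 30, 1.5)],
    [PathStats("mpls", 30, 2, 0.0), PathStats("dsl", 45, 12, 0.5, up=False), PathStats("lte", 80, 30, 1.5)],
    [PathStats("mpls", 30, 2, 0.0, up=False), PathStats("dsl", 45, 12, 0.5, up=False), PathStats("lte", 80, 30, 1.5)],
    [PathStats("mpls", 30, 2, 0.0, up=False), PathStats("dsl", 45, 12, 0.5, up=False), PathStats("lte", 80, 30, 1.5, up=False)],
]

if __name__ == "__main__":
    for policy in (VOICE, EMAIL):
        print(policy.app, failover_trace(policy, SNAPSHOTS))
```

Run the file and the two traces show the policy at work: voice moves off MPLS during the 3% loss brownout, stays on DSL after MPLS recovers because its policy does not preempt (no mid-call switch), and only falls back to LTE as best effort when no link meets its jitter bound; email replication never touches MPLS while an Internet link is healthy and, because it preempts, jumps straight to the next preferred link when DSL goes dark.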

Internet services lack the availability of MPLS, but that can be addressed with good WAN engineering. Dual-homing locations with two completely separate wiring plants gives offices uptime almost equivalent to MPLS. True dual-homing used to be difficult to achieve, because even different providers of the same technology invariably shared common wiring ducts and other infrastructure, but the spread of alternative access technologies has solved that problem. Different technologies, such as xDSL and 4G from various suppliers, rarely (if ever) share infrastructure.

The possibilities for the new WAN

Changing over to a virtual overlay from a physical WAN is a vital first move towards creating a WAN that meets modern enterprise requirements.

But SD-WAN solutions don't quite cut it. Aside from failing to address current security, mobility, and cloud obstacles, SD-WANs lock the enterprise into MPLS. The day-to-day fluctuations in packet loss rates and latency that Internet connections experience are too great to deliver consistent performance to latency- and loss-sensitive mission-critical applications. Enterprises remain reliant on MPLS services for these applications.

SD-WANs haven't adapted

When the first MPLS-based infrastructures were built, WAN meant the same thing as site-to-site connectivity. Applications were in data centres and sites were under control.

But with mobility and the cloud, the network perimeter is no longer relevant as a concept. Almost 50% of all businesses still require that mobile users connect to a device at a particular location to access public cloud resources. IT managers cannot compromise on security, performance, and control when offering these resources to mobile users.

The majority of SD-WANs, however, cannot adequately address the unique security concerns of mobile workers and the cloud.

For mobile users, there is no dedicated client that lets teleworkers connect securely to an SD-WAN.

Most cannot place SD-WAN nodes in the cloud, in or even close to the provider's data centre.

Enterprises are therefore forced to miss out on the benefits of SD-WAN: user traffic may have to travel unencrypted, and policy configuration and management remain fragmented across multiple environments.

SD-WANs also lack the necessary tools to deal with the cyber security risks that come with local Internet access. Essential cyber security features, such as firewalling and malware protection, are not considered part of the SD-WAN. When these features have to be installed separately, the SD-WAN's apparent savings over MPLS shrink considerably.

Bottom line

Even though SD-WANs could be a good first step towards a more efficiently used and managed WAN, businesses adopting them need to be ready to find solutions for their security and deployment limitations for office, mobile, and cloud users.


Ofir Agasi is Director of Product Marketing at Cato Networks with over 12 years of network security expertise in systems engineering, product management, and research and development. Prior to Cato Networks, Ofir was a product manager at Check Point Software Technologies, where he led mobile security, cloud security, remote access and data protection product lines. Ofir holds a B.Sc. degree in Communication Systems Engineering.
