


Enterprises have relied on MPLS for WAN services for nearly two decades. MPLS services are mature, predictable, consistent, and are backed by SLAs. With all of these positive attributes, why would anyone look for an alternative? Consider four reasons to augment or replace MPLS services:


Paying MPLS rates for Internet traffic is a waste. MPLS services are notoriously expensive compared to Internet circuits. Traditional MPLS networks funnel all Internet-destined traffic over the MPLS network to reach the secure Internet access portal in the datacenter. While this method makes providing security more manageable, a lot of precious MPLS bandwidth is used for ordinary Internet traffic.


Backhauling traffic to a secure point is ineffective. In addition to wasting bandwidth, backhauling to a regional hub or datacenter often adds latency, resulting in poor Internet performance.


MPLS takes a long time to deploy. It can take months from first placing an order to provisioning. Making changes to existing circuits can take days.


MPLS is not mobile and cloud compatible. The cloud does not support MPLS connections, so organizations must find other ways to access the cloud. MPLS also doesn’t address mobile user connectivity, which again requires an alternative connection method.

The Alternative: SD-WAN

Software Defined WAN (SD-WAN) is a mesh of encrypted tunnels — the overlay — that rides across the underlay — any data service that can support an IP connection. Policies are configured and implemented in the overlay, allowing SD-WAN to use the optimum transport for every application. More specifically, SD-WAN addresses issues MPLS has with today’s enterprise requirements with the following:

Redundancy for good service

SD-WAN’s overlay technology allows locations to use multiple, diversely routed connections, providing uptime, in the last mile in particular, that is competitive with and even better than MPLS. With redundant connections and its intelligent overlay, an SD-WAN solution can route traffic to a better-performing connection during a brownout, or fail over to another connection in the event of a blackout.

Saving on expensive MPLS bandwidth

SD-WAN sends traffic over the Internet, saving on expensive MPLS bandwidth. SD-WAN can use a variety of affordable Internet services such as cable, xDSL, and 4G/LTE. For those looking to augment their MPLS network with SD-WAN, non-critical and Internet traffic can be routed over SD-WAN to avoid wasting MPLS bandwidth.

No need to reroute traffic

SD-WAN can automatically route application traffic based on real-time monitoring of changing conditions.

SD-WAN is quick to deploy

Because SD-WAN can use a variety of Internet transports, locations can initially be connected with broadband or 3G/4G for rapid deployment, and then migrated to a higher-performing dedicated Internet access (DIA) connection when available and if necessary. With zero-touch provisioning of the SD-WAN appliance, sites are up and running quickly.

Mobile and cloud compatibility

Some SD-WAN solutions like Cato Cloud unify physical and cloud datacenters into a single, flat, and secure network. For example, mobile users can connect to the nearest Cato Cloud Network PoP for seamless access to every resource regardless of the user’s location.

Security Considerations

Many people consider MPLS to be secure by nature because it’s a private network. In reality, MPLS is a shared medium that provides segregation of traffic from other MPLS customers, and MPLS circuits are usually not encrypted. Because MPLS networks were designed for data traffic services and not for security, there are security considerations that must be addressed when looking to connect locations directly to the Internet.

Appliance Sprawl

An enterprise has two choices when connecting locations to the Internet: provide Internet access at each location, or backhaul the traffic to a regional hub or datacenter to reach the Internet.


Allowing Internet access locally saves expensive MPLS bandwidth from being wasted on Internet traffic. However, each Internet connection at each location must then be protected by a full security stack, which can include a firewall, URL filter, and an anti-malware solution to ensure secure Internet access. The initial cost and follow-on maintenance can be a burden on any organization. Even with the introduction of UTM security appliances, which are supposed to help reduce the branch office security stack footprint, capacity and security capabilities can be limiting.


When traffic is backhauled to a central location, a full security stack can be centralized to secure Internet access. But backhauling Internet traffic over MPLS is costly and wastes bandwidth. Compounding the issue, cloud-based applications make Internet traffic an ever-growing percentage of backhaul traffic.

Securing Mobile and Cloud

Mobile users and cloud applications present another obstacle to enterprise security. As cloud and mobile use become increasingly common, the impact to the network infrastructure must be considered. As Gartner analyst Joe Skorupa notes, “When businesses decide to move to the cloud, the network tends to be an afterthought.”


With cloud applications, mobile users can directly access these resources from the Internet. However, this bypasses enterprise security, which then forces mobile users to use a VPN to ensure their traffic passes through the security stack. This creates an indirect path to the resources, which can result in performance issues and a poor end-user experience.


The use of cloud services and infrastructure continues to grow, which makes the traditional MPLS security architecture less effective. Cloud providers don’t support MPLS connections, so the traffic must find its way to the cloud over the Internet or a secured Internet connection on the enterprise network. A security solution for cloud access must therefore be provisioned in addition to the MPLS security.
