What Is MPLS? Why Enterprises Still Use It and When to Replace It

What Is MPLS?

Multiprotocol Label Switching (MPLS) is a private wide-area network (WAN) technology that routes traffic using short numeric labels rather than long IP address lookups. Instead of each router inspecting a packet's destination IP and consulting a routing table at every hop, an MPLS network assigns a label at the network edge and forwards traffic at high speed along a pre-determined path—no IP lookup required at intermediate hops.

MPLS operates between Layer 2 (data link) and Layer 3 (network) in the OSI model, which is why it's sometimes called a "Layer 2.5" protocol. It's transport-agnostic—it runs over fiber, Ethernet, ATM, or whatever physical medium the carrier uses—which is what the "Multiprotocol" part of the name refers to.

Enterprises don't deploy MPLS themselves. They buy MPLS VPN service from a carrier—AT&T, Lumen (formerly CenturyLink), Verizon, Comcast Business, or regional providers. The carrier maintains the MPLS backbone. You get a private virtual network connecting your sites, with service-level agreements (SLAs) covering uptime, latency, and jitter.

MPLS was the dominant enterprise WAN architecture from roughly 2000 through the mid-2010s. It's still widely deployed in 2026—but its market share has been eroding steadily as SD-WAN, cloud connectivity, and broadband economics have shifted the math.

How MPLS Works

To understand MPLS, you need to understand two key concepts: labels and label-switched paths.

Labels: When a packet enters an MPLS network at an edge router (called a Label Edge Router, or LER), the router examines the packet's IP header and assigns a short, fixed-length label—typically a 20-bit number. This label is inserted into a "shim header" between the Layer 2 and Layer 3 headers. From that point forward, intermediate routers (called Label Switching Routers, or LSRs) forward the packet purely based on the label, swapping it for a new label at each hop according to a pre-built label forwarding table (LFIB). At the far edge, the label is removed and the original IP packet is delivered.

Label-Switched Paths (LSPs): An LSP is the pre-defined route a packet follows through the MPLS network. LSPs are established using signaling protocols—LDP (Label Distribution Protocol) or RSVP-TE (Resource Reservation Protocol - Traffic Engineering). Once an LSP is set up, all traffic using that label follows the same path, regardless of changing IP routing conditions. This is fundamentally different from traditional IP routing, where each packet is independently forwarded based on current routing table state.

Traffic Engineering (TE): MPLS enables traffic engineering—the ability to control exactly which path traffic takes through the network, independent of what the shortest IP path would be. An operator can route voice traffic over a low-latency path and bulk data over a high-bandwidth path even if IP routing would send both over the same route. RSVP-TE extends this with bandwidth reservation: you can reserve capacity on an LSP, guaranteeing that a specific traffic class will always have the bandwidth it needs.

VPNs on MPLS: Most enterprise MPLS services are delivered as MPLS Layer 3 VPNs (L3VPN, defined in RFC 4364) or MPLS Layer 2 VPNs (L2VPN). In an L3VPN, the carrier runs BGP between your CE (customer edge) routers and their PE (provider edge) routers. Your sites share a private routing table (called a VRF—Virtual Routing and Forwarding instance). You see each other's subnets; you don't see the carrier backbone or other customers' traffic. The MPLS labels provide the segregation that keeps your traffic private.

The result is a private network that behaves like a dedicated infrastructure, even though the carrier's physical backbone is shared among many customers.

Why Enterprises Built Networks on MPLS

For the better part of two decades, MPLS was the right answer for enterprise WAN. Here's why it dominated.

QoS Guarantees: MPLS supports class-of-service (CoS) markings that ensure voice, video, and latency-sensitive applications get priority treatment. A carrier can guarantee that your VoIP traffic experiences no more than 20ms one-way latency and less than 1% packet loss—and back that with SLA credits. On public internet, you get no such guarantee. Traffic is best-effort, and when a link is congested, your RTP audio packets compete with someone's software update on equal footing.

Predictable Latency: Because MPLS traffic follows pre-determined label-switched paths—not dynamically re-routed IP paths—latency is consistent and predictable. Jitter (variation in latency) is low. For real-time applications like unified communications, industrial control systems, and financial trading, predictable sub-20ms latency is not a nice-to-have; it's a requirement.

Private Network—No Public Internet Exposure: MPLS traffic never touches the public internet. Your data travels over the carrier's private backbone. There's no encryption required (though you can add it), no exposure to DDoS attacks, and no risk of traffic being intercepted between your sites. For organizations handling sensitive data—financial records, healthcare information, legal documents—this was, and for some still is, a compelling argument.

SLA-Backed Reliability: MPLS carriers offer formal SLAs with uptime commitments (typically 99.9% to 99.99%), latency bounds, and jitter guarantees. If they miss the SLA, you get credits. The circuits are provisioned as dedicated capacity—not shared broadband—so the SLAs are backed by actual network engineering, not marketing copy.

Hub-and-Spoke and Any-to-Any Topologies: MPLS naturally supports both hub-and-spoke (all branch traffic routes through headquarters) and any-to-any (branches communicate directly with each other) topologies. In the early 2000s, when most enterprise applications lived in central data centers, hub-and-spoke MPLS was architecturally clean: branches sent all traffic to HQ, HQ had the servers, everyone was happy.

The Limitations of MPLS in 2026

The same properties that made MPLS excellent in 2005 have become liabilities in 2026.

Cost: MPLS is expensive. A typical enterprise branch site pays $300 to $1,500+ per month per location for an MPLS circuit, depending on bandwidth (typically 10–100 Mbps), geography, and carrier. A 50-site enterprise might spend $500,000 to $1,500,000 per year on MPLS circuits alone. For comparison, a business fiber broadband connection at the same location might cost $100–$300/month for 500 Mbps to 1 Gbps. The bandwidth-per-dollar gap has widened dramatically.

Slow Provisioning: MPLS circuits take weeks to months to provision. Carriers must physically extend their private MPLS network to your site—often requiring last-mile construction, carrier dispatch, and multiple handoffs. Four to twelve weeks is typical. Sixteen weeks is not unusual in less-served markets. In an era when a software-defined branch can be spun up in days, MPLS provisioning timelines are a strategic constraint.

Rigid Topology: MPLS was designed for a world where applications lived in central data centers. In 2026, your applications live in AWS, Microsoft 365, Salesforce, Zoom, and dozens of SaaS platforms—all accessed over the public internet. Routing SaaS traffic through an MPLS hub (your headquarters or data center) before it reaches the cloud provider adds unnecessary latency and cost. A branch in Portland routing Microsoft Teams traffic through HQ in Chicago before it reaches Microsoft's network is adding 40–80ms of latency for no security or performance benefit.

Not Cloud-Optimized: Cloud workloads require internet connectivity. MPLS doesn't provide internet—it provides private site-to-site connectivity. To give your MPLS network internet access, you must break out at a central location and route internet traffic over your MPLS backbone, or add local internet access at each site. Either approach adds cost and complexity. SD-WAN was partly invented to solve this problem.

Carrier Lock-In: MPLS is a carrier-specific private service. You can't mix MPLS from AT&T with MPLS from Lumen on the same VPN—they're separate networks. Migrating from one carrier to another requires careful cutover planning and often expensive parallel-run periods. This lock-in reduces your negotiating leverage at renewal.

MPLS vs. SD-WAN: What's Actually Different

SD-WAN and MPLS are often framed as direct competitors. The reality is more nuanced: they solve different problems, and many enterprises use both.

What SD-WAN is: Software-Defined Wide-Area Networking is an overlay technology. SD-WAN appliances at each site create an encrypted tunnel network that can run over any underlying transport—MPLS, broadband internet, 4G/5G LTE, cable, DSL, or any combination. The SD-WAN controller centrally manages routing policy: it can send latency-sensitive traffic over the best available path in real time, fail over between circuits in milliseconds, and apply application-level QoS policy without requiring router-by-router configuration.

What MPLS is: A private carrier circuit with SLA-backed performance. MPLS is the transport; it has no inherent intelligence about what application is using it.

Key differences:

• Transport independence: SD-WAN overlays any transport; MPLS is a specific carrier service. An SD-WAN deployment can use MPLS as one of its transports.
• Application awareness: SD-WAN platforms (Cisco Viptela, VMware SD-WAN, Fortinet, Arista) identify applications by deep packet inspection and route them intelligently. MPLS applies CoS markings but doesn't understand that Zoom traffic should behave differently from backup replication.
• Cloud connectivity: SD-WAN platforms include direct-to-cloud breakout—traffic to Microsoft 365 exits directly to the internet from the branch, not backhauled through a hub. MPLS requires explicit internet breakout architecture.
• Provisioning: SD-WAN branches can be provisioned in hours using zero-touch provisioning (ZTP)—ship a box to a location, it phones home and self-configures. MPLS provisioning is measured in weeks.
• Cost: SD-WAN over broadband can cost 50–80% less per site than equivalent MPLS. The tradeoff is that broadband internet has no SLA-backed performance guarantees—though SD-WAN mitigates this with path selection and failover.
• Security: MPLS traffic is private by nature of the carrier's network segregation. SD-WAN encrypts traffic in tunnel (IPsec or TLS) over any transport, including public internet.

Comparison table: MPLS vs. SD-WAN vs. Internet VPN

When to Keep MPLS

MPLS is not obsolete. There are specific use cases where it remains the right architecture in 2026.

Financial services and regulated industries: Banks, broker-dealers, and insurance companies often face regulatory requirements or auditor expectations around network segregation. Examiners may want to see that your network traffic does not traverse the public internet, regardless of encryption. MPLS satisfies this requirement cleanly. While encrypted SD-WAN over broadband is technically equivalent in security to MPLS in most respects, demonstrating compliance is sometimes easier with a private carrier network that auditors have decades of familiarity with.

Real-time manufacturing and industrial control systems: Manufacturing plants running SCADA systems, PLCs, or robotic automation may have hard real-time requirements—sub-5ms deterministic latency between control systems and sensors. MPLS with RSVP-TE bandwidth reservation can provide this. SD-WAN over broadband internet cannot guarantee deterministic latency; path selection mitigates but does not eliminate the problem. If your factory floor depends on timing precision, MPLS may still be the right WAN technology for those specific links.

Latency-sensitive financial trading: High-frequency trading (HFT) and algorithmic trading operations require the lowest possible, most consistent latency between trading systems and exchange co-location facilities. For these use cases, dedicated private circuits—sometimes dark fiber, sometimes MPLS—remain the architecture of choice. Microseconds matter; SD-WAN path selection adds overhead.

Existing multi-year contracts: If you have 24 or 36 months remaining on an MPLS contract with meaningful early termination liabilities, the business case for replacing it before contract expiration is often weak. Run the math: if the savings from switching to SD-WAN are $5,000/month but the ETF is $120,000, you need 24 months just to break even, and that's before transition costs.

Locations where broadband is unreliable: In rural or secondary markets where business broadband is inconsistent—DSL, satellite, or congested cable—MPLS may provide superior reliability to SD-WAN over broadband. If SD-WAN's path selection algorithm has only one real option, SD-WAN doesn't add much value.

When to Replace MPLS

For most enterprises in 2026, the migration from MPLS to SD-WAN or a hybrid architecture is already underway or overdue. Here are the clearest signals to move.

Heavy cloud and SaaS usage: If your users spend most of their day in Microsoft 365, Salesforce, Zoom, ServiceNow, or other cloud platforms, your MPLS network is working against you. MPLS routes traffic through private circuits to a hub location—but your SaaS applications are on the public internet. Backhauling cloud traffic through MPLS adds 30–100ms or more of latency, degrades video call quality, and increases your MPLS bandwidth costs. SD-WAN with direct cloud breakout solves this immediately.

Multiple small branch offices: MPLS pricing is per-site. If you have 30 small branches each paying $600/month for a 20 Mbps MPLS circuit, you're spending $18,000/month for connectivity that a combination of fiber broadband and SD-WAN could provide for $4,000–$6,000/month at higher bandwidth. The ROI case is straightforward.

Cost is the primary concern: SD-WAN over broadband is typically 40–70% cheaper than equivalent MPLS on a per-Mbps basis. If your WAN spend is a budget line you need to cut, MPLS replacement is one of the highest-ROI telecom optimization moves available.

Rapid branch expansion: If you're opening new locations frequently—retail rollouts, franchise expansions, acquisitions—MPLS provisioning timelines are a business constraint. Zero-touch SD-WAN provisioning enables you to open a location network-ready in days instead of weeks.

Your MPLS contract is expiring: Renewal time is the right time to evaluate. Most enterprises that renew MPLS without evaluating SD-WAN alternatives are leaving money on the table. Even if MPLS is the right answer for some sites, a hybrid architecture (MPLS for critical sites, SD-WAN over broadband for smaller locations) almost always reduces total spend.

MPLS Pricing Reality

MPLS pricing is opaque and highly negotiable. Carriers don't publish list prices, and the same circuit can vary 200–400% depending on negotiation leverage, contract term, and the carrier's existing infrastructure on a given route.

Typical MPLS circuit costs in 2026:

• 10 Mbps MPLS, small market: $350–$600/month
• 50 Mbps MPLS, metro market: $500–$900/month
• 100 Mbps MPLS, major metro: $700–$1,400/month
• 1 Gbps MPLS, major metro: $1,500–$3,500/month
• Multi-site MPLS VPN, 20 sites: $8,000–$25,000/month aggregate

What drives MPLS cost: Bandwidth tier is the primary driver, but geography matters as much. A 50 Mbps MPLS circuit in a rural market where the carrier has limited footprint may cost twice what the same circuit costs in a major metro. Competition is the best cost lever—having two viable MPLS carriers quote the same circuit can reduce pricing by 20–40%.

MPLS contract terms: Carriers push for 36-month terms. Two-year terms are achievable. One-year terms are rare and expensive. Early termination fees are typically 100% of remaining contract value—read this clause carefully before signing. MPLS contracts also commonly include auto-renewal provisions (sometimes 60- or 90-day notification windows) that lock you in for another full term if you miss the window.

The comparison that matters: Before renewing MPLS, run a total cost of ownership comparison against SD-WAN over broadband. Include the cost of SD-WAN hardware or licensing ($50–$200/site/month), broadband circuits, and any transition costs. In most cases, the break-even is 12–18 months, with ongoing savings of 40–60% thereafter.

ITG's take: We see enterprises routinely renewing MPLS at the same or higher rates because no one ran the comparison before the renewal window closed. The carriers know this and rely on it. The best time to start an MPLS evaluation is 12 months before your contract ends—not 60 days before.

Frequently Asked Questions

Is MPLS the same as a VPN?

MPLS and VPNs are related but not the same thing. MPLS is a network forwarding technology—a method carriers use to move traffic across their backbone efficiently. An MPLS VPN (specifically an MPLS L3VPN) uses MPLS infrastructure to provide a private, logically separated network for enterprise customers. It's technically a VPN in that your traffic is segregated from other customers, but unlike IPsec or SSL VPNs, MPLS VPNs do not use cryptographic encryption—privacy comes from logical network separation within the carrier's infrastructure. Internet VPNs (IPsec tunnels, SD-WAN overlays) use encryption over public networks. MPLS VPNs use private carrier infrastructure without encryption.

Can MPLS and SD-WAN coexist?

Yes, and this is the most common migration path. Most enterprises deploying SD-WAN retain MPLS for some period—often 12 to 36 months—running it as one of multiple transports in their SD-WAN overlay. The SD-WAN controller routes latency-sensitive traffic over MPLS and sends cloud/internet traffic out broadband paths. Over time, as confidence in SD-WAN performance grows, organizations reduce MPLS bandwidth or terminate MPLS at smaller sites. The hybrid approach avoids the risk of a hard cutover and lets you build operational experience before fully committing to broadband-only connectivity.

How long does it take to migrate from MPLS to SD-WAN?

A 10-to-30-site migration typically takes 3 to 9 months from kickoff to full cutover. The timeline is driven by several factors: broadband circuit provisioning (2–6 weeks per site in most markets), SD-WAN hardware procurement and staging, application testing and QoS policy tuning, and cutover scheduling. Larger enterprises with 100+ sites should plan 12 to 24 months for a complete migration. The most common delay is underestimating the time needed to audit existing MPLS contracts for termination liabilities and notification windows.

What is MPLS traffic engineering?

MPLS Traffic Engineering (MPLS-TE) is the capability to explicitly control the path traffic follows through an MPLS network, independent of normal IP routing. Using RSVP-TE as a signaling protocol, network operators can reserve bandwidth on specific links for specific LSPs (label-switched paths), reroute traffic around congested or failed links in sub-second time, and guarantee that high-priority traffic classes always have dedicated capacity. MPLS-TE is one of the primary reasons financial services and telecommunications providers still run MPLS in their core networks—it provides deterministic, engineered control over traffic flow that BGP-based IP routing cannot match without additional protocols.

Does MPLS support IPv6?

Yes. Modern MPLS implementations support IPv6 through several mechanisms: 6PE (IPv6 Provider Edge), which tunnels IPv6 traffic over an MPLS/IPv4 backbone using labeled paths; 6VPE, which extends MPLS L3VPN to carry IPv6 prefixes; and native IPv6 MPLS, where both the MPLS control plane and IP addresses are IPv6. However, not all carrier MPLS networks have fully upgraded their infrastructure and support contracts for IPv6 MPLS VPN. If IPv6 support is a requirement, confirm it explicitly with your carrier before signing a contract.