What is an MPLS network?
An MPLS (Multiprotocol Label Switching) network forwards data packets using short labels instead of long IP addresses. Routers read these labels to send traffic along pre-determined paths, delivering predictable performance with built-in Quality of Service. MPLS has been the backbone of enterprise WANs for over two decades, but SD-WAN is now taking its place for most mid-market organisations.
MPLS has connected branch offices and data centres since the late 1990s. If you have managed a multi-site network in Europe, you have almost certainly dealt with an MPLS contract from Proximus, KPN, BT or Orange Business. The technology delivered exactly what IT teams needed at the time: reliable, low-latency connectivity with guaranteed bandwidth between fixed locations.
That era is ending. Cloud applications now account for the majority of enterprise traffic, remote work is standard, and the cost gap between MPLS circuits and business-grade internet keeps widening. This guide explains how MPLS works, where it still makes sense, and why SD-WAN has become the default choice for organisations that need secure, flexible connectivity across multiple sites.
How MPLS works
Traditional IP routing requires every router in the chain to inspect the destination address and perform a lookup in its routing table. MPLS simplifies this by attaching a short label to each packet at the network edge.
Here is the process, step by step:
- A packet enters the MPLS network and hits a Label Edge Router (LER). The LER reads the destination IP address, assigns the packet to a Forwarding Equivalence Class (FEC), and attaches a label.
- The packet follows a Label Switched Path (LSP) through the provider’s network. Each intermediate router, called a Label Switch Router (LSR), reads only the label, swaps it for a new one, and forwards the packet. No IP lookup required.
- At the exit point, the egress LER removes the label and delivers the original IP packet to its destination.
Think of it like a motorway system with dedicated lanes. Once your car enters the motorway at the on-ramp, a transponder (the label) determines which lane you travel in. Every toll booth along the way reads the transponder instantly instead of checking your registration documents. You arrive faster because nobody stops to look anything up.
MPLS sits between Layer 2 (Ethernet) and Layer 3 (IP) in the network stack. This “Layer 2.5” position means it can carry multiple types of traffic, including IP, Ethernet frames, and even legacy protocols.
For mid-market organisations, the most common MPLS configuration is a Layer 3 VPN, where the provider handles all routing between sites. Your offices appear to sit on a single private network, even though traffic crosses the provider’s shared infrastructure. Some organisations with specific needs use VPLS (Virtual Private LAN Service), which extends a Layer 2 Ethernet segment across locations for full routing control.
What MPLS does well
MPLS earned its dominance for good reasons. Understanding its strengths helps explain why migration decisions require careful evaluation rather than blanket replacement.
Guaranteed Quality of Service. MPLS supports traffic prioritisation through experimental bits in the label header. A VoIP call gets higher priority than a file transfer. For organisations running real-time applications, this meant consistent call quality and stable video conferencing long before cloud-based alternatives existed.
Traffic Engineering. Network administrators can define exactly which path traffic takes through the provider’s backbone. If the shortest route is congested, traffic can be steered to an alternative path with available capacity. This level of control is difficult to achieve on the public internet.
Predictable performance. Because MPLS runs on the provider’s private backbone, it avoids the congestion and variable latency of the public internet. Packet loss is minimal. Jitter stays within tight tolerances. For applications that cannot tolerate fluctuation, like high-frequency trading or real-time telemetry, this matters.
Strict SLAs. European carriers like Proximus, KPN and BT offer MPLS contracts with financially-backed uptime guarantees, defined latency ceilings and compensation clauses for missed targets. Standard broadband connections come with best-effort terms at most.
| Strength | What it means in practice |
|---|---|
| QoS prioritisation | VoIP and video get dedicated bandwidth, even during peak hours |
| Traffic engineering | Administrators control exact paths through the carrier backbone |
| Private backbone | Traffic never touches the public internet |
| Hard SLAs | Contractual performance guarantees with financial penalties |
| Protocol flexibility | Carries IP, Ethernet and legacy protocols across a single infrastructure |
Where MPLS falls short in 2026
The world MPLS was designed for no longer exists. Applications have moved to the cloud. Users work from anywhere. And the economics have shifted decisively.
Cost. MPLS circuits in Western Europe typically run between €1,100 and €1,300 per month for a 1 Gbps connection. A comparable Dedicated Internet Access (DIA) line costs €700 to €900. Business broadband with similar throughput costs a fraction of that. For organisations with five or ten sites, the annual difference is substantial. Older copper-based MPLS lines can cost up to 14 times more per Mbps than modern fibre connections.
The cloud backhaul problem. Most mid-market organisations now run 50% or more of their traffic to SaaS platforms like Microsoft 365, Salesforce or cloud-hosted ERP systems. In a classic hub-and-spoke MPLS setup, that traffic must travel from the branch to the central data centre, get inspected by the central firewall, and then go out to the internet. This detour, called backhauling or hairpinning, adds unnecessary latency, wastes expensive MPLS bandwidth on simple internet traffic, and creates bottlenecks at the central gateway. An employee in Ghent accessing a Microsoft 365 server in Amsterdam has their traffic routed through Brussels first. That adds 80 to 120 ms of latency for no security benefit.
Deployment speed. Adding a new location to an MPLS network means ordering a carrier circuit. In Europe, lead times of four to twelve weeks are normal. Temporary sites, pop-up offices or acquisitions that need immediate connectivity simply cannot wait that long. SD-WAN can bring a site online in hours using any available internet connection or 4G/5G modem.
No native encryption. MPLS itself does not encrypt traffic. It relies on the assumption that the provider’s backbone is private and therefore trusted. If your compliance framework requires encryption of data in transit, which NIS2 and GDPR increasingly demand, you need to add IPsec or TLS on top of MPLS. That is another layer of complexity and cost.
Vendor lock-in. MPLS contracts typically run three to five years with significant early-termination penalties. Switching providers means ordering entirely new circuits and migrating the network from scratch. This creates a dependency that limits your negotiating position and your ability to respond to changing business needs.
Why SD-WAN is replacing MPLS
The global shift is unmistakable. According to TeleGeography data, MPLS was present on 82% of enterprise WAN sites in 2018. By 2024, that number had dropped to 41%, with internet-based connections (DIA and broadband) taking the majority share at 49%. Projections put MPLS below 20% by 2030, while the SD-WAN market is expected to grow from roughly USD 8.8 billion in 2024 to USD 42 billion in 2030.
SD-WAN replaces the rigid, label-based forwarding of MPLS with software-controlled routing that adapts in real time.
Application-aware routing. Where MPLS prioritises traffic using static labels, SD-WAN recognises the application itself. A Zoom call, a SharePoint sync and a firmware download each get routed over the most appropriate link based on current conditions. If the primary fibre link degrades, critical traffic shifts to a 4G backup without anyone noticing.
Any transport, any connection. SD-WAN runs encrypted overlay tunnels across whatever internet connection is available: fibre, cable, broadband, 4G, 5G or a mix. You are no longer tied to a single carrier’s backbone. This flexibility also means new sites come online faster and at a fraction of the cost.
Direct cloud access. Instead of backhauling all traffic through a central data centre, SD-WAN sends cloud-bound traffic directly to the nearest internet breakout point. Microsoft 365 traffic from Ghent goes straight to the Amsterdam data centre. Latency drops. User experience improves. The central gateway is no longer a bottleneck.
Built-in encryption. SD-WAN tunnels are encrypted by default using AES-256 or equivalent. Unlike MPLS, you do not need a separate encryption layer to meet compliance requirements.
The SASE dimension. Standalone SD-WAN solves the connectivity problem, but it does not address security. This is where the shift from SD-WAN to SASE (Secure Access Service Edge) becomes relevant. A SASE platform like Jimber integrates SD-WAN with Zero Trust Network Access, Secure Web Gateway, and Firewall-as-a-Service in a single cloud-managed console. You replace not just MPLS, but also the branch firewalls, VPN concentrators and web gateways that came with it. For mid-market organisations managing five to fifteen sites with a small IT team, that consolidation eliminates the Frankenstack problem of juggling separate tools that do not share data.
Gartner estimates that by 2026, 60% of new SD-WAN purchases will be part of a single-vendor SASE offering. The trend is clear: SD-WAN without integrated security is becoming the exception, not the rule. Jimber’s SASE architecture is built around this principle, combining connectivity and security under one policy framework so that routing decisions and security enforcement happen at the same point.
| Factor | MPLS | SD-WAN (within SASE) |
|---|---|---|
| Monthly cost (1 Gbps, Western Europe) | €1,100 – €1,300 | €400 – €800 (internet + platform) |
| New site deployment | 4-12 weeks | Hours to days |
| Cloud traffic handling | Backhauled through central DC | Direct local breakout |
| Encryption | Not included, requires overlay | Built-in by default |
| Security integration | Separate appliances required | Integrated (ZTNA, SWG, FWaaS) |
| Management | Provider-dependent, limited visibility | Single cloud console |
| Contract flexibility | 3-5 year lock-in | Monthly or annual, transport-agnostic |
For organisations running VPN architectures alongside MPLS, the shift to SASE eliminates both legacy dependencies at once. Jimber’s SD-WAN connects sites securely over standard internet links while ZTNA replaces the VPN for remote access. One platform, one console, one policy model.
Is MPLS completely dead?
No. And claiming it is would be dishonest.
MPLS still has a role in specific scenarios. High-frequency trading desks need sub-millisecond latency guarantees that the public internet cannot reliably provide. Some legacy applications with hardcoded network dependencies are expensive to re-architect. Regulated environments like SWIFT messaging in financial services sometimes mandate private circuits as part of their compliance framework. A Belgian wealth management firm that migrated to Jimber’s SASE platform retained a dedicated MPLS circuit specifically for SWIFT traffic while moving everything else to SD-WAN.
In regions where internet infrastructure is unreliable, MPLS provides a stability baseline that SD-WAN cannot fully match. Parts of rural Europe and some African markets still benefit from MPLS for mission-critical links.
But for the vast majority of mid-market organisations in the Benelux and Western Europe, the equation is settled. Fibre adoption is high. Internet quality is excellent. The performance gap between MPLS and business-grade DIA is negligible for standard enterprise workloads. The cost gap, however, keeps growing.
The practical approach for most organisations is a phased migration. Start with sites where MPLS contracts are expiring. Deploy SD-WAN on standard internet connections. Validate performance. Then extend to remaining sites. Attempting a big-bang replacement of all circuits at once introduces unnecessary risk. Jimber’s SD-WAN guide covers the deployment process in detail, including how to run MPLS and SD-WAN in parallel during the transition.
For a full comparison of how SASE, SSE and SD-WAN relate to each other, and which approach fits your specific situation, that guide breaks down the decision framework.
What is the difference between MPLS and SD-WAN?
MPLS forwards packets using labels along fixed paths through a carrier’s private backbone. SD-WAN uses software to route traffic dynamically across any available internet connection based on real-time performance. MPLS requires carrier-specific circuits and long-term contracts. SD-WAN runs on commodity broadband, fibre or mobile connections from any provider.
Is MPLS more secure than SD-WAN?
Not inherently. MPLS traffic is isolated on the provider’s backbone but not encrypted. SD-WAN encrypts all traffic by default using AES-256 tunnels. Within a SASE framework, SD-WAN adds Zero Trust access controls, web filtering and firewall policies on top of encryption, providing a more complete security posture than MPLS alone.
How much does MPLS cost compared to SD-WAN?
In Western Europe, a 1 Gbps MPLS circuit typically costs €1,100 to €1,300 per month. Equivalent SD-WAN connectivity over Dedicated Internet Access runs €700 to €900, and business broadband costs significantly less. Organisations migrating from MPLS to SD-WAN typically report 30 to 60% savings on network costs.
Can SD-WAN replace MPLS completely?
For most mid-market organisations with standard enterprise workloads, yes. SD-WAN matches or exceeds MPLS performance for cloud applications, VoIP and video. Exceptions include ultra-low-latency use cases like trading platforms and specific regulated flows such as SWIFT messaging. Most organisations adopt a hybrid approach during transition, keeping MPLS for select links while migrating the bulk of traffic to SD-WAN.
What does MPLS stand for?
MPLS stands for Multiprotocol Label Switching. “Multiprotocol” refers to its ability to carry different types of network traffic (IP, Ethernet, legacy protocols). “Label Switching” describes the forwarding mechanism: routers read short labels instead of performing full IP address lookups.
How long does it take to migrate from MPLS to SD-WAN?
A typical mid-market migration takes 3 to 12 months, depending on the number of sites and contract obligations. Individual sites can go live on SD-WAN within hours using zero-touch provisioning. The overall timeline is usually driven by MPLS contract expiry dates rather than technical complexity.
Ready to move beyond MPLS? Jimber’s SASE platform combines SD-WAN, Zero Trust Network Access, Secure Web Gateway and Firewall-as-a-Service in one cloud-managed console built for European mid-market organisations. Book a demo to map your current network and design a migration path that fits your team’s capacity and timeline.
