I’m a junior network tech and struggling to understand something. What are the pros of having an SD-WAN solution integrated on top of an existing MPLS solution?
The company I work for has two datacentre locations and 8 branch locations, all connected together through dual-MPLS links from a centralised Service Provider in a hub and spoke topology. Each site also has two dedicated Internet links for direct internet access, and each site has its own firewall.
This is all working great. But now we’re apparently going to be getting an SD-WAN solution integrated over the top of all these internet and MPLS links, with one of the datacentres serving as the hub.
Can anyone explain to me the benefit of having SD-WAN placed on top of MPLS? Is this common practice? The answers I’m finding suggest you wouldn’t typically do this; you’d have MPLS OR SD-WAN, not both tied together.
The internet is a shared medium. In any day it can be a drastically different experience. MPLS links generally are wrapped up with an SLA from the service provider.
Most companies I’ve seen that keep MPLS when running SDWAN use it as a “premium” path for the apps that need it. Then internet for all bulk traffic. (Generally the project is also lowering the MPLS bandwidth to reduce the costs.)
SD-WAN can be thought of as a combination of a few different technologies, but its goal is basically to know what upstream connections it has and to prioritise which upstream connections it sends different traffic types down. The more upstream connections you make available to SD-WAN, the more flexibility and control you have.
Let’s say you’ve got a particularly latency-sensitive application, but it’s only internal and doesn’t need to be able to reach the Internet. You might decide that this traffic is sent over your MPLS link rather than the site-to-site VPN. But other, less latency-sensitive applications you might just stick on the VPN, as it’s probably higher bandwidth.
So you might say, “okay, but if MPLS is private anyway, why bother encrypting the traffic?” That’s the thing, you don’t typically encrypt the traffic going over MPLS, at least not above the datagram headers. There is no VPN across the MPLS, only the public Internet.
When I was deploying SD-WAN for a customer, they were in the process of shutting down their MPLS connections, so SD-WAN could be used to replace expensive MPLS connections with cheaper commodity Internet connections.
TL;DR - For the majority of customers, it’s pointless. Use public WAN (internet) instead of private WAN.
In theory, MPLS services from telcos are a better quality of circuit, with bandwidth and service guarantees. In reality, most telcos do not deliver on those guarantees and have very poor packet forwarding performance.
In order to guarantee bandwidth, the MPLS services only offer very limited bandwidth. For example, we can buy 10 Gigabit Internet service for half the price of a 1G MPLS service. Most often you can buy two services, each with ten times the bandwidth, for the same price as a single 1G MPLS service. OFC YMMV depending on the local telco competitiveness.
In networking, bandwidth solves ALL problems. Better latency, less drops and retransmissions, ↑ capacity and so on. I like to say that ten times the bandwidth means fifty times the performance.
It’s quite common for people to have a false belief around MPLS circuits and their “quality”. In theory MPLS services are carefully engineered and have SLAs. In reality, the carrier networks are >90% allocated to internet already, so the MPLS uses the same equipment and cables. The reliability of internet services is generally the same as MPLS in 2024 (YMMV, do your own research).
While there are a few use cases where MPLS bandwidth makes sense, the majority of SD-WAN deployments are on public WAN. If you are afraid, or the telco sales rep spreads FUD, then get an MPLS and an Internet service and run SDWAN over them. Everyone quickly realises that the MPLS isn’t worth it and cancels it within a year.
We do SDWAN with one MPLS and one Internet. At critical sites we keep both MPLS and offload Internet locally. Stuff like Office365 and AWS apps don’t need to ride back through the corporate network.
MPLS is a lot more expensive so you bring in SD-WAN to offload whatever traffic you can, decrease your MPLS commits while keeping dedicated QoS for what’s needed.
To give you an idea of how much more expensive: I quoted a project to transition from MPLS only to MPLS + sdwan using dual DIA and multiple sites, and the break-even point was ~6 months including licensing and some equipment (other equipment was already sdwan capable). Ongoing operations cost would be reduced by ~75% but bandwidths were more than doubled. After we tested it we did a test of all traffic across sdwan, and it worked so well that folks immediately started asking why keep MPLS at all.
Depends on the kind of SD-WAN. If your SD-WAN is basically DMVPN then no, there’s literally no point in doing it; all you’re doing is adding on IPsec overhead for no result. If you’re involving things like WAN accelerators, e.g. Riverbed SteelHeads, then fair play.
My guess is that the sdwan on top should give you some control over the traffic flow aka traffic engineering. Also active monitoring and probing can be done with a good sdwan solution.
Long term your boss might phase out one of the redundant mpls links to save on cost.
SD-WAN vendors love to sell themselves as over the top overlay of anything and say that they can.
It does have some amazing selling points: send the traffic where you want it, local breakout instead of HO breakout.
Advanced traffic pathing: send SIP over your MPLS, send file transfers over Internet. Shape things at different speeds at different times. Have consistent policy from a single pane of glass.
It’s pretty great when it works; just make sure you go into it doing things the SD-WAN way. Trying to throw some traditional routing ideas and policies on top will send you in circles and often break it.
It is common practice. MPLS has tighter SLAs and does allow you to run end-to-end QoS. In general it is considered more reliable than a regular IP internet circuit with NAT and IPsec, which is in turn considered more reliable than LTE. Usually a site might have some combination of these types of circuits. SD-WAN allows us to dynamically switch between circuits on a per-application basis to ensure high QoE for users.
The MPLS provides a low latency path back to our data center for internal apps; the DIA lets cloud/internet traffic exit locally.
We can lose either circuit and traffic will fail over appropriately.
If you don’t have lots of internal apps, or they aren’t latency sensitive, then there’s not much benefit to keeping the MPLS circuits. It would be cheaper to get two fat DIAs from different providers and just IPsec back to the Datacenter for what’s needed. (Or you could go full Zero Trust and ditch the site2site VPNs entirely.)
SD-WAN is efficient in cost, but in very select circumstances, leased lines give you latency control. There are very few of these today, but if you care about milliseconds, you may still have MPLS somewhere.
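An added illustration (my own, not code from any reply above or from any SD-WAN vendor) of the per-application path selection several replies describe: latency-sensitive internal apps on MPLS, bulk internal traffic on the IPsec overlay over DIA, SaaS broken out locally, failover when a circuit drops, and the earlier point that MPLS itself is unencrypted while internal traffic over the Internet must only ride inside the tunnel. The link metrics, SLA thresholds and link/app names are constructed values.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Link:
    name: str
    kind: str            # "mpls" or "internet"
    up: bool             # liveness learned from active probing
    latency_ms: float    # probe-measured latency
    loss_pct: float
    bandwidth_mbps: int
    encrypted: bool      # True only while the IPsec overlay on this link is established

@dataclass(frozen=True)
class AppPolicy:
    name: str
    internal: bool       # True: bound for the data centre; False: local breakout
    max_latency_ms: float
    max_loss_pct: float
    prefer: str          # "mpls", "internet" or "any"

def eligible(link, policy):
    """Internal traffic may use a link only if it meets the SLA and never rides plaintext Internet."""
    if not link.up or link.latency_ms > policy.max_latency_ms or link.loss_pct > policy.max_loss_pct:
        return False
    return link.kind == "mpls" or link.encrypted  # MPLS is private; Internet only inside the tunnel

def choose_path(links, policy):
    """Return the link name for this application, or None if nothing satisfies its policy."""
    if policy.internal:
        cands = [l for l in links if eligible(l, policy)]
    else:  # SaaS/cloud traffic exits locally on any live DIA link instead of hairpinning via the hub
        cands = [l for l in links if l.up and l.kind == "internet"]
    if not cands:
        return None
    # preferred circuit type first, then lowest latency, then most bandwidth
    cands.sort(key=lambda l: (policy.prefer not in ("any", l.kind), l.latency_ms, -l.bandwidth_mbps))
    return cands[0].name

def set_link(links, name, **changes):
    """Copy of the link set with one link's probe state changed (simulates a failure or tunnel loss)."""
    return [replace(l, **changes) if l.name == name else l for l in links]

# Constructed sample state: one MPLS circuit plus two DIA circuits with IPsec tunnels up
LINKS = [Link("mpls-a", "mpls", True, 12.0, 0.0, 100, False),
         Link("dia-1", "internet", True, 28.0, 0.2, 1000, True),
         Link("dia-2", "internet", True, 35.0, 0.1, 1000, True)]
POLICIES = [AppPolicy("sip", True, 50.0, 1.0, "mpls"),                    # voice: premium path
            AppPolicy("file-transfer", True, 200.0, 5.0, "internet"),     # bulk: cheap fat pipe
            AppPolicy("o365", False, 500.0, 10.0, "any")]                 # SaaS: local breakout
```

With the MPLS circuit marked down, `choose_path` moves SIP onto dia-1; if dia-1's tunnel is also lost, SIP moves to dia-2 rather than crossing the Internet in the clear, while o365 breakout is unaffected.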
Think of it like an aggregation of your ISP links. My company previously had all MPLS but when we started rolling out SD-WAN, we ordered a third link into our sites and then as contracts expired we got rid of our MPLS and then used other tools to handle traffic as we wanted.
As far as using both, you could for example shift all your Internet traffic over a public link and filter it using some sort of solution like ZScaler or backhaul to your HQ and then strictly use MPLS for internal traffic. Ultimately it will give you more flexibility and redundancy, you just need to understand what you are purchasing.
Even with SD-WAN you should have routes to both data centers.
Frankly, I don’t see the extra cost of MPLS + DIA over SDWAN.
I’d just do multiple DIA over SDWAN, and save the extra $ from the MPLS. Often, I’ve seen that the DIA links are cheaper and higher bandwidth than MPLS.