When Should MPLS Be Maintained During an SD-WAN Transition?
It’s high time we gave you all an overview on this topic. When so many businesses are considering migrating from an MPLS network to SD-WAN, aiming to cut costs and increase network flexibility, it’s worth learning about what can be gained from combining the two solutions.
[Note for the network nerds – we’re going to be taking it fairly easy on the tech geekery here. This blog is intended for a general audience, so if you need to get into this at an engineer or network professional level, reach out to us here at Lightyear and we’ll have as many in-depth, intense conversations as you’ll need to fully understand the concept.]
We’re going to go through both of these network topologies in a little more detail, looking at how they operate and their main differences.
Once we’ve established the key features, we’ll take a look at some IRL use cases we’ve facilitated, when folding an MPLS network into an SD-WAN migration has created the perfect solution for the business in question.
What Is MPLS?
The widely accepted definition of a Multiprotocol Label Switching Wide Area Network (MPLS WAN) is “a networking technology that routes traffic using the shortest path based on labels, rather than networking addresses, to handle forwarding over private wide-area networks.”
Anybody want that in English? No problem, let’s break it down, starting with those “labels.”
What Are Labels?
Data is transferred across networks in packets. Each packet has a “header” which contains vital information about the data, to make sure it goes to the right place.
Labels are an additional feature included in the packet header when those packets are sent across an MPLS network.
Those labels carry a priority marking, applied under what’s known as a Quality of Service (QoS) policy, which lets different types of data be prioritized as they cross the network.
When the network’s busy and things get congested, QoS policies help avoid bottlenecks between busy nodes, by giving preferential treatment to the most important traffic.
A QoS policy will usually sort the data according to the following hierarchy:
Highest QoS = Voice and Video
Middle QoS = Business Critical Applications
Lowest QoS = Internet Browsing
So, that’s labels, ranking your data in order of importance. The other part of the definition we could break down is the “private wide area network.”
What Is a Private Wide Area Network (PWAN)?
The internet is basically one great big public network. It’s wide open, so everyone can see everyone else, and your data traffic is visible to anyone with the know-how and tools to open it up.
If that thought makes you shudder, you’re not alone. That’s why many businesses invest in a PWAN. If you need to send data securely across a wider geographical area, a private wide area network provides you with private links for your traffic that aren’t visible to the public internet.
Also known as node-to-node or site-to-site, you’re effectively routing your traffic without using the public internet. If your perimeter security is up to scratch, then a PWAN is going to give you network protection that’s pretty much bulletproof.
MPLS also allows threats like DDoS attacks to be identified and labeled, providing an additional layer of security within the MPLS network architecture.
What Is SD-WAN?
Here’s how MEF, the industry standards body, defines it: “The SD-WAN standard describes requirements for an application-aware, over-the-top WAN connectivity service that uses policies to determine how application flows are directed over multiple underlay networks irrespective of the underlay technologies or service providers who deliver them.”
So, what do we learn from this, other than to avoid MEF reps at house parties?
Again, there’s some terminology that could use a breakdown.
First up, “application aware/application flows.” At the risk of pitching you down a gigantic rabbit hole, it might be handy to mention the Open Systems Interconnection (OSI) model here. Summarized, the OSI model is an ascending scale of network complexity. Layer 1 is the physical wire, and as we pass through layers 2 to 7 we add more hardware, then software and other non-physical elements. By the time we get to Layer 7, we’re talking about applications, and this is where SD-WAN equipment hangs out, interacting with the different applications and assigning them to different routes through the network.
Next, “underlay networks.” If we keep that OSI layer model in mind, the underlay networks are the basic internet service – the nodes and pathways that the SD-WAN uses to build its own configurations.
Finally, “over-the-top WAN connectivity.” Your SD-WAN-enabled devices go “over the top” of the underlying internet service, and create network configurations using VPN connections between the nodes.
The Key Differences Between SD-WAN and MPLS
As you’d imagine, there are some pretty major differences between these two distinct topologies. Bear in mind that we’re talking about each network type in its “purest” form, so we can understand what each solution brings to the table. As we’ve said already, there’s a lot to be gained from combining topologies, under the right circumstances.
Here’s some of the main points to digest.
How sites “learn” about each other for routing. SD-WAN uses a centralized control or management portal, which is accessed via a web browser. The SD-WAN vendor hosts the control portal. Each individual SD-WAN router on the network reaches back to this centralized portal for the data it needs to work with the other nodes on the VPN.
MPLS routers require a little more TLC – each node needs specific, case-by-case protocols to be programmed in for each and every other node it has to “learn” about.
There are some standard overarching protocols that take some of the weight, though. Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), which exchange routing information between neighboring nodes and use algorithmic learning to dynamically calculate the shortest path between sites, provide a background level of efficiency.
How Is Equipment Managed? Again, the SD-WAN centralized control portal takes care of much of the equipment management. Once a device is brought onto the network, it registers itself to the control portal, and is then affiliated by a configuration policy – basically a piece of code which sets all the rules for each device.
This centralized policy makes it really convenient if the network needs to be reconfigured. An administrator need only log into the portal and make the necessary changes, and the policy will push the changes out to each device automatically.
In contrast, MPLS networks require the network administrator to attend to each router individually, in order to make any changes (with the exception of global routing announcements, which can be rolled out with the BGP and OSPF protocols mentioned previously).
If an admin wants to make device-level changes, they’ll access the node via one of the following methods:
Command-line interface (CLI) over a Telnet terminal session (bear in mind that Telnet itself sends the session, credentials included, in the clear)
Secure Shell (SSH) – the same CLI access, but encrypted, which is why it’s the preferred method for remote management
In-person, via a physical console cable. Although not always logistically feasible, this offers the most secure approach to MPLS equipment management.
Carrier Neutrality. SD-WAN isn’t fussy. The only criterion is that each node is able to establish an internet connection with the central management portal. Beyond that, as long as there’s access to the public internet, the choice of internet service provider, or providers, is irrelevant.
MPLS networks require a single carrier to provide a virtual routing and forwarding (VRF) network. There's often a requirement for additional ISPs to provide "last-mile" connectivity at the site level. This off-net or Type 2 access can involve complex Ethernet transport configurations to provide access to the VRF network, and can present additional management difficulties for network administrators.
These off-net complexities (and associated costs) are often cited as one of the main reasons MPLS solutions are expensive.
Security. As we’ve mentioned, an MPLS WAN uses private, node-to-node connectivity to keep your data securely partitioned off from the public internet.
SD-WAN networks overlaid on the public internet are obviously more at risk. Security protocols and network firewalls are typically required at each site on the network to keep things safe.
Layered security architecture will create strong protections that should help you weather most threats – procuring SD-WAN with a Secure Access Service Edge (SASE) will result in a secure solution without the need for a separate cyber-security service provision.
Packet Loss. The two topologies diverge significantly here. MPLS combines labels with the QoS hierarchy to allow preferential treatment for priority traffic. In addition to faster routing, the hierarchy also governs packet loss, with high QoS packets granted priority.
In situations where packet loss can be expected to occur (during periods of high traffic, when a particular network route is overutilized), lower priority traffic will be deemed “discard eligible.” Any instances of packet loss will then occur only among the low QoS traffic.
This produces extremely reliable and predictable QoS for the high-priority traffic, with data transmission problems only occurring in the event of a physical fault in the circuit, e.g. a defective router.
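To make the “discard eligible” idea concrete, here is an added example (not code from the Lightyear post) that models one congested interval on an MPLS link: packets are served strictly in QoS order, so any loss lands on the lowest tiers present. The application tags, packet sizes and link capacity are constructed for illustration.

```python
# Added example, not from the Lightyear post: a toy model of how an MPLS
# QoS hierarchy confines congestion loss to "discard eligible" traffic.
# Application names, packet sizes and link capacity are constructed.
from collections import Counter

# The three tiers from the post, highest priority first (lower rank wins).
QOS_RANK = {"voice_video": 0, "business_critical": 1, "internet_browsing": 2}

def classify(packet):
    """Map a packet's application tag to its QoS class (the packet's label)."""
    app = packet["app"]
    if app in ("voip", "video_conf"):
        return "voice_video"
    if app in ("erp", "crm", "db_replication"):
        return "business_critical"
    return "internet_browsing"

def forward(packets, link_capacity):
    """Forward up to link_capacity bytes in one congested interval.

    Packets are served strictly in QoS order, so when the link is
    oversubscribed only the lowest tiers present lose anything.
    """
    ranked = sorted(packets, key=lambda p: QOS_RANK[classify(p)])
    delivered, dropped, used = [], [], 0
    for p in ranked:
        if used + p["size"] <= link_capacity:
            delivered.append(p)
            used += p["size"]
        else:
            dropped.append(p)  # discard eligible this interval
    return delivered, dropped

def loss_by_class(packets, link_capacity):
    """Drops per QoS class; shows loss stays in the low-priority tiers."""
    _, dropped = forward(packets, link_capacity)
    return dict(Counter(classify(p) for p in dropped))

# Constructed sample: eight 1500-byte packets offered to a 9000-byte interval,
# i.e. the link can carry six of them.
SAMPLE = [
    {"app": "voip", "size": 1500}, {"app": "web", "size": 1500},
    {"app": "erp", "size": 1500}, {"app": "video_conf", "size": 1500},
    {"app": "web", "size": 1500}, {"app": "crm", "size": 1500},
    {"app": "web", "size": 1500}, {"app": "db_replication", "size": 1500},
]

if __name__ == "__main__":
    print(loss_by_class(SAMPLE, 9000))
```

Shrinking the capacity further (try 4500) shows the loss climbing into the business-critical tier only once the browsing tier has already been fully discarded.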
SD-WAN can’t offer preferential treatment to different types of data in this way, because the public internet used by SD-WAN doesn’t “read” or interact with MPLS labels or hierarchical header information like QoS – on the public internet, almost every packet is “discard eligible.”
SD-WAN addresses packet loss issues through network analytics, optimizing the system by balancing overall loads between multiple connections. In this way, SD-WAN steers traffic away from poorly performing or overloaded circuits.
Carrier Diversity. MPLS reliance on a single provider for the central VRF network can leave you operationally vulnerable – if that provider suffers an outage, schedules maintenance work, or winds up offering below-par levels of performance, your site-to-site traffic will be unavoidably affected.
SD-WAN is designed with diversity in mind, which immunizes your network against these operational vulnerabilities. It’s standard practice to build your SD-WAN nodes with at least two different internet service providers – your SD-WAN router is then configured to provide failover functionality and notify the network admin, should one of your providers start experiencing problems.
Even if the centralized management portal goes down, network operations are unaffected – you won’t be able to reconfigure or push updates to the nodes until it’s fixed, but normal service will continue.
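The steering and failover behaviour described above, as an added example rather than code from the post or any SD-WAN vendor: a site with links from two ISPs keeps each application class on its preferred link while the probes stay within that class’s SLA, steers it to the better alternative during a brownout, and raises alerts for the admin. The SLA ceilings, link names and probe results are constructed.

```python
# Added example, not from the Lightyear post: a toy SD-WAN path selector for a
# site with links from two ISPs. SLA ceilings, link names and probes are constructed.

# Ceilings each application class tolerates: (latency_ms, jitter_ms, loss_pct).
SLA = {
    "voice_video": (150, 30, 1.0),
    "business_critical": (300, 50, 2.0),
    "internet_browsing": (1000, 200, 5.0),
}

def link_healthy(m, app_class):
    """True if a link's latest probe is up and within the class's SLA ceilings."""
    max_lat, max_jit, max_loss = SLA[app_class]
    return bool(m["up"] and m["latency_ms"] <= max_lat
                and m["jitter_ms"] <= max_jit and m["loss_pct"] <= max_loss)

def choose_path(links, app_class, preferred):
    """Pick the underlay link for one application class.

    Stay on `preferred` while it meets the SLA; otherwise steer to the best
    alternative (lowest loss, then latency). If nothing meets the SLA, fall
    back to the least-lossy link still up. Returns (link, alerts for the admin).
    """
    alerts = []
    if link_healthy(links[preferred], app_class):
        return preferred, alerts
    alerts.append(f"{preferred} outside SLA for {app_class}: {links[preferred]}")
    quality = lambda n: (links[n]["loss_pct"], links[n]["latency_ms"])
    good = [n for n in links if n != preferred and link_healthy(links[n], app_class)]
    if good:
        return min(good, key=quality), alerts
    up = [n for n in links if links[n]["up"]]
    fallback = min(up, key=quality) if up else preferred
    alerts.append(f"no link meets SLA for {app_class}; best effort via {fallback}")
    return fallback, alerts

# Constructed probe results under normal conditions ...
PROBES_OK = {
    "isp_a_fiber": {"up": True, "latency_ms": 20, "jitter_ms": 5, "loss_pct": 0.1},
    "isp_b_cable": {"up": True, "latency_ms": 45, "jitter_ms": 12, "loss_pct": 0.5},
}
# ... and during a brownout: the fiber link is up but dropping 3% of probes.
PROBES_BROWNOUT = dict(PROBES_OK, isp_a_fiber=dict(PROBES_OK["isp_a_fiber"], loss_pct=3.0))

if __name__ == "__main__":
    for cls in SLA:
        print(cls, choose_path(PROBES_BROWNOUT, cls, "isp_a_fiber"))
```

Note that during the brownout only the loss-sensitive classes move to the cable link; browsing traffic stays put because 3% loss is still within its ceiling, which is the per-application steering the post describes.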
Cost. One of the main drivers of SD-WAN transition from MPLS is cost. In almost all cases, SD-WAN is cheaper.
When the Telecommunications Act came into effect, back in ’96, it really hit MPLS providers hard. The main providers had been sitting pretty on network infrastructure that ran coast to coast – offering dedicated private networks was barely an inconvenience.
Post ’96, the market flooded with competitors at both the local and national level, driving up network costs, and it got a lot harder (and more expensive) to offer private wide area networks.
Inevitably, the cost of those dedicated private lines gets passed on to the customer, along with the cost of the off-grid last mile connections required to provide wide area enterprise-standard connectivity.
SD-WAN leverages these market factors to create a cost-effective solution, based on mutually advantageous local agreements between the many ISP providers operating in the space.
The agility of the SD-WAN carrier-diverse network architecture is neatly mirrored by the SD-WAN business model, which allows you to pay a much lower cost per Mbps than you would for an equivalent MPLS service.
So When Does It Make Sense to Combine MPLS and SD-WAN?
As we’ve outlined, both topologies have attractive features. And it really doesn’t have to be one or the other – the strengths and weaknesses of both systems can be harnessed to complement each other.
Here are three recent examples of Lightyear clients who’ve found network nirvana through folding an MPLS into their SD-WAN.
The DoD government contractor. Some data just can’t go via the public internet – thankfully, that still includes classified data from the Department of Defense. We worked with a government contractor to ensure that their cost-effective SD-WAN network still met contractual obligations by embedding an MPLS network to carry the top-secret stuff.
The multinational finance data-center solution. Financiers are always going to love an economically attractive solution – and these Wall Street whizzes were no exception. However, in the world of finance, milliseconds can make a big difference to share prices. They needed to keep super-low latency connections between their corporate servers and their primary and secondary data centers. This allows them to run real-time replication processes, which are notoriously sensitive to transmission issues like latency, jitter, and packet loss. A combination MPLS/SD-WAN network solution provided the speed and consistency they needed, with the resilient carrier diversity and affordability SD-WAN offers.
The “out of band” parallel network. One of our IT clients was looking for an "out of band" solution, to ensure remote access to console servers at every branch office – allowing mission-critical equipment to be rebooted, even if their SD-WAN network went down. Minimal throughput was required, so they settled on a stripped back MPLS network, running in parallel, that offered guaranteed out of band access to the branch console servers in the event of a network outage.
That’s just three examples, but there are plenty more. MPLS may well have had its day as the network infrastructure of choice, but it still has a part to play.
If you’re considering the transition from MPLS to SD-WAN, it’s by no means a foregone conclusion that you’re finished with your old system. There are plenty of use cases where you could still really benefit from MPLS staying in the mix.
There are also plenty of situations where adding this trusty old topology to an SD-WAN setup will provide the perfect outcome.
If you’re thinking about switching up, or you’ve got questions, we’d love to work with you on your network journey. Get in touch, and we can schedule in your free network consultation.