COMPARE NOW
Christian M. 6 min read

MPLS for businesses: How Multiprotocol Label Switching works

Multiprotocol Label Switching (MPLS) is an enterprise-grade networking technology used by global corporations, payment systems, and public institutions such as the NHS.

MPLS networks consist of ultra fast, low latency connections ideal for connecting key institutional assets such as offices, data centres and warehouses.

This guide explains how MPLS works, its benefits and limitations, as well as SD-WAN integration, security, and deployment considerations.

Contents:

What is MPLS and why do businesses use it?

Multiprotocol Label Switching (MPLS) is an enterprise-grade networking technology used to form the high-performance backbone networks of corporations and national and multinational organisations.

It works by creating ‘fast track’ or priority queues for labelled traffic at network nodes (i.e. switches and routers), helping to avoid bottlenecks at these critical junction points.

In other words, it gives VIP status to key institutional traffic such as data travelling between supermarkets, large offices, financial institutions, hospitals, data centres, and more.

MPLS makes networks so reliable that service providers can offer strict Service Level Agreements (SLAs) that guarantee latencies as low as 10ms and uptimes above 99.99%.

As a well established technology that has been in use for decades, MPLS networks span internationally, allowing UK providers to deliver global backbone connectivity through cross-border partnerships.

While impressive, MPLS on its own is not suitable for most businesses due to its high cost and complexity. Remote workers or temporary sites can’t easily benefit from it, and security isn’t included by default, requiring additional investment.

To bridge this gap, MPLS is increasingly being paired with SD-WAN solutions, which can secure, further optimise, and integrate traffic with non-MPLS connections, including those for remote workers, IoT, and temporary sites, at a much lower cost.

How does MPLS work?

Put simply, MPLS creates pathways through a long-distance network where selected traffic is given priority, allowing it to bypass bottlenecks and avoid the delays that affect regular internet data. Traffic on MPLS lanes doesn’t flow faster; it simply flows uninterrupted.

This section explains how the core components of MPLS work together to create networks of “fast-track” lanes, followed by a step-by-step breakdown of how a labelled data packet moves through the network.

Key components of MPLS

A diagram showing the key components of an MPLS network, namely LSPs, LERs and LSRs.

There are three key infrastructure components in any MPLS network:

Label Switched Path (LSP)

A Label Switched Path (LSP) is any predefined route within the MPLS network that data packets follow. These pathways are set up between MPLS-enabled routers and switches based on the labels applied to those packets.

Label Edge Routers (LERs)

Label Edge Routers (LERs) are business broadband routers at the edge of the MPLS network (e.g. offices, shops, etc.) that act as on and off-ramps to the MPLS network.

They are gateways between these local area networks and the long-distance MPLS network that connects your sites together.

Label Switch Routers (LSRs)

The network switches or junction points within the MPLS network that manage the transit of labelled packets. At each junction, a Label Switch Router (LSR) reads the MPLS label, swaps it for a new one, and sends the packet to the next hop along the predefined path.

LSRs are typically operated by MPLS or broadband providers (for regional or national MPLS networks), with partner providers managing any international MPLS pathways. Large enterprises or institutions with private dark fibre infrastructure manage their own LSRs.

Journey of a data packet across MPLS network

Here are the three key steps in the journey of a data packet across an MPLS network.

Journey of a VoIP data packet across an MPLS network.

1. Entering (Ingress) the MPLS network

Say a UK-wide business has connected its offices with an MPLS network. An employee at the head office calls a colleague in a branch office using the business VoIP phone system.

The calls’ data packets leave the device, travel across the local network, and access the MPLS network at the site’s router (a Label Edge Router because it sits at the boundary of the MPLS network).

The Label Edge Router (LER) examines the packets’ destination (IP header) and characteristics (data type and application) to classify them into a Forwarding Equivalence Class (FEC), which groups data based on their handling requirements.

For example, data packets from the call may be labelled as: “FEC-VoIP-HQ-Branch01“.

The LER also assigns these data packets with temporary ingress labels, which indicate its priority (e.g., Class 1) up until the next hop (switch) in the MPLS network.

This short MPLS label is inserted above the IP header, allowing MPLS-aware nodes to prioritise routing based on label data instead of IP lookups:

FieldBit SizeDescription
Label Value20 bitsIdentifies the packet’s path.
Traffic Class3 bitsUsed for Quality of Service (QoS) to prioritise certain types of traffic.
Bottom of Stack (BoS) Bit1 bitIndicates whether this is the last label in the stack.
Time to Live (TTL)8 bitsPrevents packets from circulating indefinitely by limiting the number of hops.

2. Forwarding and swapping: Navigating the MPLS network

The labelled VoIP packets move uninterrupted across the MPLS network, receiving priority pass at each network hop or Label Switch Router (LSR).

This is because the LSRs simply:

  1. Reads the packet’s short label, which contains the data’s priority level and its assigned next hop.
  2. Assigns a new short label.
  3. Sends the packet over its assigned Label Switched Path (LSP) without having to do a time-consuming IP inspection.

3. Exit (Egress) the MPLS Network

When the packet reaches the branch office’s edge router (LER), the MPLS label is ‘popped’ (removed) and is forwarded to the colleague’s VoIP device using standard IP routing within the local network.

MPLS integration with SD-WAN

SD-WAN routes and secures traffic across both MPLS and non-MPLS pathways, increasing resiliency at a lower cost.

MPLS powers many backbone wide area networks in the UK, delivering exceptional consistency and reliability.

However, these benefits are limited to the label-switched network itself, leaving remote workers, temporary sites, and many cloud connections outside its scope.

MPLS also lacks built-in encryption and advanced security features, meaning businesses must pay extra for adequate protection.

Enter SD-WAN, a cloud-based routing optimiser and encrypter that brings all your business networks under one umbrella. From the MPLS backbone to the ancillary links connecting remote workers, temporary sites, rural locations, and more.

SD-WAN unifies all networks by controlling both MPLS and non-MPLS routers and switches via API, extending its route optimisation,  encryption capabilities, and other SD-WAN security features across all pathways.

By combining MPLS with this powerful engine, businesses can benefit from four key enhancements:

Auto-failover and load balancing for MPLS

MPLS networks have built-in redundancy and failover, but unlike SD-WAN, this requires manual setup and can only redirect traffic through predefined Label Switched Paths.

SD-WAN automates failover and network load balancing, intelligently redirecting traffic based on real-time congestion and application priority. Traffic can be redirected across any redundant business broadband connection, whether it’s a wireless leased line, Starlink, or a basic SoGEA broadband connection.

This significantly enhances network resiliency at a much lower cost and without the complexity of new MPLS links.

During network congestion, critical applications such as VoIP, UCaaS, and cybersecurity monitoring can continue to rely on MPLS routes for uninterrupted service. In contrast, less-sensitive traffic, like guest networks, is offloaded to secondary connections.

Improved performance for remote work

Traditionally, remote workers access company resources via a fixed VPN tunnel to a designated office location. Once inside the business network, their traffic is routed through MPLS pathways to reach internal systems or cloud services.

While this setup is secure, it’s too rigid. It can’t adapt to real-time network conditions or optimise the path for latency-sensitive applications like VoIP or video conferencing.

SD-WAN enhances the remote work experience by:

  • Dynamically steering traffic to the optimal MPLS edge or access point based on real-time performance, rather than locking users into a single VPN entry.
  • Prioritising business-critical applications, such as remote VoIP, Teams, or Zoom calls, to ensure low latency and high reliability even on variable broadband connections.
  • Extending end-to-end encryption and security beyond the VPN gateway, applying consistent policies and protections across the entire remote access path.

Scaling networks at a lower cost

MPLS delivers top-tier performance, but its dedicated circuits are expensive (both to deploy and operate), inflexible and time-consuming to implement. Some business applications require MPLS-grade reliability, but this level of performance isn’t always necessary.

Today, many businesses are scaling their networks more affordably by using multiple redundant broadband or Ethernet links, managed through SD-WAN, rather than relying on MPLS extensions.

Large-scale MPLS migrations into SD-WAN

SD-WAN and its security-focused counterpart SASE are proving so disruptive that many UK enterprises and public institutions are migrating away from traditional MPLS networks entirely.

MPLS remains powerful, but its high cost and complexity are no longer justified for supporting modern applications.

These migrations are largely driven by the need to cut costs, increase flexibility, and modernise network architecture to support cloud-first strategies.

The shift is also being fuelled by:

  • The rapid improvements of business broadband speeds and Ethernet WAN availability, even in remote areas.
  • The rise of Zero Trust Network Access (ZTNA), which prioritises user and application-level security over network perimeter control.
  • A growing need for agile, cloud-native connectivity, particularly for SaaS, IaaS, and hybrid work environments

Enhanced MPLS security

MPLS is more secure than public internet connections as it operates on a private, provider-managed network, but it lacks built-in encryption and advanced security controls.

This makes it reliable but not inherently secure against modern cyber threats. SD-WAN delivers all of this not only across MPLS links, but across the entire business WAN, including remote and cloud connections.

See our section on MPLS security for more information.

How to set up MPLS

MPLS has many benefits, but a simple implementation isn’t one of them. The process can take weeks to months, with network engineers required on-site(s) at various stages. Here are the key steps to implementing MPLS:

1. Assessment and planning

Before deploying MPLS, businesses must assess whether it aligns with their network needs, budget, and long-term strategy. Key considerations include:

  • Why is MPLS needed? Is it for multi-site connectivity, compliance, or application performance gaps? Perhaps financial transactions are experiencing slow finality, or VoIP call quality is too often too poor? MPLS is particularly beneficial for linking multiple locations into a unified, high-performance network.
  • Replacement or integration? Will MPLS replace an existing Ethernet-over-VPN setup, or will it be integrated with SD-WAN to complement other network solutions?
  • Is MPLS affordable? MPLS is usually only warranted for serious scaling or when low latency is non-negotiable, such as in financial transaction settlement.
  • Is MPLS practical? Rural businesses or those far from MPLS provider access points face unreasonably long installation times and high costs.

2. Choosing an MPLS network provider

MPLS is available through two main types of providers:

MPLS network operators

Large business broadband providers, such as BT and Virgin Media, offer wholesale access to their extensive MPLS backbones to enterprises and public institutions.

Gaining access directly via these root operators may be cost effective but requires significant in-house IT resources to ensure it is managed appropriately.

Managed MPLS service providers

These providers aggregate MPLS services from multiple network operators to offer fully managed MPLS networks.

It’s essentially MPLS-as-a-Service, so it comes at a higher cost but with fully outsourced management. They can offer multi-carrier MPLS, enhanced SLAs, security, and network add-ons, such as SD-WAN integration, at a more competitive price.

When selecting a provider, businesses should evaluate:

  • Network coverage and capacity: Ensure the provider covers all business locations and has nearby Points of Presence (PoPs) for optimal performance.
  • Service Level Agreements (SLAs): Look for guarantees such as 99.99% uptime, low latency (<20ms between UK sites), and compensation for downtime.
  • Pricing: Costs vary based on bandwidth, distance, and infrastructure type (e.g., MPLS over copper vs fibre optic cables).
  • Scalability: Some providers support rapid bandwidth upgrades and new site additions without excessive costs.
  • Security: Consider the provider’s offerings for firewalls, VPNs, encryption, etc.
  • MPLS cloud connectivity: Consider a provider with the necessary on-ramps or integrations with your required cloud and business VoIP phone providers.
  • Installation times: MPLS installation may take between 4 weeks to 6+ months, depending on infrastructure requirements and PoPs.

3. Network design and configuration

MPLS is the motorway system of a business WAN, and it’s only as good as how well it’s designed and configured to efficiently connect all of your sub-networks. Consider the following:

  • Topology: This is the shape of your MPLS. Do all MPLS links lead to the headquarters or the data centre (i.e. Hub and spoke)? Or is there a need for MPLS links between all sites and cloud services (i.e. mesh network)?
  • Redundancy and failover: This is the resilience of your MPLS network. It’s easier to implement with an SD-WAN overlay, but it requires all your sites to have failover business broadband connections.
  • LAN-MPLS coordination: The MPLS and LAN logics must be consistent. For example, local VLANs must align with MPLS labelling to ensure coordination across your entire network. SD-WAN greatly simplifies this by centralising network policies.

4. Deployment and testing

MPLS deployment requires a structured rollout to minimise downtime and ensure performance meets SLAs.

  • Site surveys and infrastructure preparation: Engineers assess each site to ensure it has the necessary cabling, equipment, and power requirements before installation.
  • Circuit provisioning and equipment setup: The provider installs the necessary fibre connections and integrates them into their MPLS core network. Businesses must configure routers, firewalls, and SD-WAN appliances (if applicable).
  • Testing: IT teams conduct latency, QoS, and failover tests before full migration.
  • Phased migration: Instead of switching all locations at once, many businesses deploy MPLS at a few test sites before expanding network-wide.

5. Ongoing management and optimisation

MPLS requires continuous monitoring and adjustment to maintain optimal performance, security, and cost efficiency.

  • Continuous monitoring: Businesses use provider dashboards or third-party network monitoring tools to track latency, bandwidth usage, and traffic patterns.
  • Adjusting QoS and bandwidth. As network needs change, MPLS QoS policies and bandwidth allocations must be reviewed and adjusted.
  • Security and compliance updates: Organisations handling sensitive data (e.g., financial services, healthcare, and government) must ensure MPLS remains compliant with evolving cybersecurity regulations.
  • Reviewing provider SLAs: Businesses should conduct periodic performance assessments with their provider to discuss upgrades, scalability, and potential cost optimisations.

Benefits of MPLS

Despite the evolution of networking technologies, MPLS remains relevant thanks to a range of enterprise-grade benefits:

Guaranteed performance

SLAs backing MPLS connections commonly offer >99.99% uptime, <10ms latency, and negligible packet loss.

Advanced traffic optimisation (QoS)

MPLS enables application-aware traffic prioritisation across multiple sites through its labelling system, albeit limited to its network.

Provider-backed security and privacy

MPLS operates within a provider’s private network (outside public pathways), mitigating several cybersecurity threats.

Enterprise-grade backbone

MPLS backbones are among the most reliable and consistent, forming the core network of global telecoms providers, global cloud infrastructure, and global financial trading.

Global MPLS networks

MPLS enables global site-to-site connections through partner providers such as Orange (France), T-Mobile (Germany), and AT&T (US).

Direct cloud & SaaS access

Providers now have dedicated MPLS links to AWS, Azure, Google Cloud, VoIP services, and key business SaaS platforms, enabling seamless integration.

SD-WAN & SASE compatibility

MPLS is fully compatible with the new suite of intelligent, cloud-based networking overlays, such as SD-WAN and SASE, which are ideal for connecting remote workers, temporary sites, and more.

Limitations of MPLS

MPLS remains limited to specific businesses and institutions due to its many inherent limitations:

High costs

MPLS circuits are more costly to provision and maintain than other networking solutions. It’s now considered a premium, legacy solution exclusive for niche connectivity.

Limited flexibility

MPLS is performant but rigid. It is not ideal for dynamic, cloud-first environments or remote work scenarios where a combination of broadband, Ethernet, VPN and SD-WAN offer significantly greater agility.

Slow deployment

Setting up new MPLS circuits can take weeks or even months, delaying network expansion. In contrast, Ethernet can be rolled out in days, while SD-WAN in minutes.

No built-in encryption

MPLS does not encrypt data by default, requiring additional security layers like SD-WAN, VPNs, or IPsec to add this basic security element.

Provider lock-ins

Businesses are often locked into long-term contracts with a single MPLS provider, making changes or switching providers complex and costly.

MPLS security

MPLS technology is designed for low latency and high reliability, but it is not necessarily optimised for security.

It offers basic protections, such as traffic isolation and private routing, but lacks essential features, including encryption, traffic inspection, and access control.

These must be layered on top, and who is responsible for doing so depends on whether you contract a managed MPLS provider or get access through a network operator.

In-built MPLS security features

MPLS does provide some basic security advantages over public internet routing:

  • Traffic isolation: Layer 3 VPNs (L3VPNs) keep each customer’s traffic separate within the provider’s backbone. Each business has a dedicated Label Switched Path (LSP).
  • Avoids public internet exposure: MPLS paths avoid the open internet, reducing the attack surface for DDoS, spoofing, and eavesdropping.
  • End-to-end path control: Label-switched paths (LSPs) are statically configured, limiting exposure to route hijacking or dynamic routing threats.
  • Quality of Service (QoS): Application-aware traffic prioritisation ensures performance and helps limit disruption from congestion-based attacks.

Does MPLS need additional security?

MPLS lacks essential security features, requiring businesses to implement additional protections:

  • Encryption: MPLS traffic is unencrypted by default, meaning data could be intercepted if the provider’s network is compromised. Businesses must add IPsec, SSL, VPNs, or SD-WAN to secure sensitive data.
  • Traffic inspection: Firewalls and advanced threat detection systems (i.e. intrusion detection, malware filtering and deep packet inspection) are missing and required to monitor and block malicious activity.
  • Access control: MPLS doesn’t handle user or device authentication. You’ll need to implement solutions like ZTNA or identity-based policies to enforce who can access what.

Who is responsible for MPLS security?

MPLS security is a shared responsibility, but how it’s divided depends on how you get access to MPLS:

  • The MPLS network operator (e.g. BT, Virgin) is responsible for securing the core backbone, including traffic isolation, routing integrity, and physical infrastructure.
  • When you get direct access through the operator, your business is responsible for securing everything beyond the provider’s network, including user access, encryption, endpoints, and integration with cloud or internet services.

If you’re using a managed MPLS service provider, many offer end-to-end security management, including encryption, access control, monitoring, and compliance support, which reduces your operational burden without compromising your overall accountability.

 

Best practices for securing MPLS

Your approach to MPLS security should reflect who manages the service:

  • With a managed MPLS solution: Validate what’s covered, such as encryption, threat detection, and compliance, and ensure responsibilities are clearly defined in your SLA.
  • With an MPLS network operator: Secure edge devices, add encryption (e.g. IPsec), and integrate SD-WAN or SASE to enforce consistent policy and gain visibility.
  • In all cases: Don’t treat MPLS as inherently secure. Layer security around it based on your architecture, risk level, and regulatory requirements.

Multiprotocol Label Switching (MPLS) FAQs

Our business networking experts answer commonly asked questions on MPLS business networks:

Does MPLS work in any type of internet connection?

Yes. MPLS is an overlay technology, meaning it can run over various connection types, including fibre, copper, and even wireless technologies like 5G business broadband and satellite business broadband.

However, its performance depends on the quality of the underlying connection, so it’s typically deployed over high-performance circuits like leased lines rather than standard SoGEA or even contended full fibre business broadband.

What are the cost considerations for implementing MPLS?

MPLS is more expensive than WANs running over the public internet via permanent VPN connections because it requires:

  • Dedicated infrastructure, such as business leased line broadband or dark fibre.
  • Extensive configuration and maintenance by providers.
  • Strict SLAs guaranteeing uptime, latency, and service quality.

Costs depend on bandwidth, distance, SLA requirements, network complexity, and bundled services.

What’s the difference between Ethernet and MPLS?

Terms like “Business Ethernet” and “Business MPLS” are often used interchangeably by service providers to describe enterprise-grade wide area networks, even though they actually mean different things.

Ethernet is a Layer 2 technology that provides the fundamental framework for networking. It defines the rules, hardware, and protocols that enable data transmission over LANs and WANs. Ethernet can run over various transport mediums, including fibre and copper wires.

MPLS is a Layer 3 technology that operates on top of Ethernet to improve routing efficiency. It adds an intelligent overlay using label switching, which enables faster, more reliable, and traffic-prioritised connectivity across large networks.

Can MPLS work over wireless broadband?

Yes, but it is rarely deployed this way due to higher latency and variable performance. Wireless connections like mobile broadband and satellite are less stable than fibre, making it difficult for MPLS providers to offer strict SLAs.

However, MPLS over 5G backhaul is expected to become more viable as 5G network coverage and performance improve, particularly for industries needing low-latency connectivity in remote locations.

What’s the difference between MPLS and standard IP routing?

Standard IP routing requires routers to inspect each packet’s IP header at every hop to determine its next destination. This process slows down traffic and can cause congestion under heavy loads.

In contrast, MPLS traffic bypasses these repeated lookups by carrying pre-determined ‘fast-track’ labels. Both methods may use the same fibre infrastructure, but MPLS ensures lower latency and more consistent performance by avoiding bottlenecks.

What is MPLS used for in the UK?

MPLS is primarily used by large enterprises, financial institutions, and public sector organisations that require secure, high-performance connectivity.

Common UK use cases include:

  • Financial services: Low-latency connections to stock exchanges and trading platforms.
  • Healthcare: Secure interconnectivity between hospitals and NHS data centres.
  • Public sector: Compliance with data segregation and cybersecurity regulations.

MPLS is less common for SMEs due to its higher costs, but some still use it for business-critical applications.

Is MPLS essential for 5G private networks?

No, MPLS is not essential, but it can improve performance when connecting multiple private 5G sites or ensuring low-latency backhaul to data centres and cloud services.

In reality, businesses can achieve similar results with SD-WAN, 5G “slicing”, or uncontended leased lines.

Find out more on our 5G private networks page.

What is MPLS Cloud?

“MPLS cloud” is simply another name for the private MPLS backbone operated by an MPLS service provider.

It doesn’t refer to MPLS connections to cloud infrastructure (such as AWS or Azure), but rather uses the word “cloud” to reflect the abstracted nature of the network, hiding the complexity of label-switched paths, routers, and the underlying transport.

Are there affordable MPLS business services?

Not as affordable as combining modern networking technologies.

MPLS is inherently a premium, legacy technology,  built for a time when the internet was unreliable, cloud didn’t exist, and businesses hosted everything in private data centres.

Some providers offer “lower-cost” MPLS options, but these are still more expensive than modern alternatives and often come with rigid contracts and long provisioning times.

Does T-Mobile offer access to Multiprotocol Label Switching?

No. T-Mobile UK merged with EE between 2010 and 2012 and no longer offers MPLS services under the T-Mobile name. However, its parent company EE/BT does offer MPLS backbone services.

Back to blog Back to broadband guides
Talk to a Networking Specialist

Related

ISDN phone Integrated Services Digital Network (ISDN) explained

ISDN is a legacy phone and internet system that revolutionised business telecoms by supporting simultaneous phone calls and 128 Kbps internet access. While internet connectivity has since moved on to fibre, mobile, and even satellite broadband, thousands of UK businesses still rely on ISDN multi-line phone systems for voice communication, even as a nationwide switch-off…

Cloud native WAN What are cloud-based WANs? A business guide to modern, cloud-delivered networking

A cloud-based WAN is an all-in-one service that delivers wide area networking capabilities from the cloud, with minimal on-site infrastructure and no manual setup. It combines cloud technologies like SD-WAN, SASE, ZTNA and FWaaS into a single managed service, designed for agile organisations with significant remote users and heavy use of cloud apps. This article…

We use cookies to give you a better experience of our site and to analyse traffic. Click to view our Privacy Policy or Manage Cookie Choices.
Accept all Reject all