Best Practices for Managing MPLS Traffic and MPLS Security

Best practices for MPLS security and traffic management

Your edge router is similar to a critical intersection of local roads and ramps to highways, where your local traffic is managed and passed onto the WAN (Wide Area Network) side of the network. In most enterprise network architectures today, it is common to see both high-performance, yet expensive MPLS connectivity, as well as cost effective and high bandwidth broadband WAN connectivity. Today’s edge routers have the responsibility to intelligently manage the inbound and outbound traffic. A critical part of this traffic management task is the MPLS traffic management.

MPLS traffic uses layer2 labeling as opposed to layer3 IP routing (nice discussion about the differences here) and therefore can only be sent over the MPLS connection. Usually MPLS traffic will be limited to packets that are highly sensitive to latency and therefore needs to be transmitted through the expensive “reserved” road. MPLS is similar to an HOV lane, where you can expect to see less cross traffic, primarily because of the cost associated with carrying traffic over MPLS. So, in our analogy, it is more like a toll-road HOV, than a normal HOV lane.

If your organization also relies on these types of cost-based infrastructures, you need to intelligently manage and orchestrate your broadband WAN lines as well as your MPLS network. Most enterprises today are opting in for taking advantage of the orders of magnitude lower price points of business class broadband lines (such as Cable, DSL, ADSL and VDSL) and limiting their MPLS costs. It is also becoming common to see enterprises migrate over to broadband based WAN architectures, provided that their edge router supports Broadband Bonding and advanced Virtual Network Functions (VNFs) that can elevate the broadband lines to high performance links. However, if keeping the MPLS link is unavoidable, then the MPLS traffic can be engineered to have strong redundancy and high up-time beyond what a single service provider can provide. 

At the core of this idea is the ability for the edge router to fail-over live MPLS traffic onto a broadband bonding WAN tunnel without losing the session, as well as keeping transparency to the MPLS transmitter and/or receiver. With this type of MPLS traffic management, a branch office can lose its MPLS link and still be able to send and receive MPLS traffic (albeit going over the broadband bonded overlay tunnel). This is done essentially via encapsulating the MPLS traffic within IP headers so that they can be routed intelligently to the destination MPLS site, and then stripping off the headers at the receiving end prior to dropping the packets into the MPLS network. This process is also known as IP tunneling. Even though fairly simple design-wise, a seamless and correct implementation of this technology requires modern SD-WAN routers that can do the job without adding complexity to the network.

Another important component of managing the failover of the MPLS traffic is the security component. In most cases, since MPLS is over a private network, encryption can be a second thought or even intentionally avoided. Therefore, it is important to have an encryption option over the broadband bonded tunnels as when the MPLS traffic does failover, it can go through the encrypted IP tunnel.


Mushroom Networks is the provider of SD-WAN (Software Defined WAN) and NFV solutions capable of Broadband Bonding that enables self-healing WAN networks that route around network problems such as latency, jitter and packet loss.


© 2004 – 2024 Mushroom Networks Inc. All rights reserved.

Let’s chat. Call us at +1 (858) 452-1031 or fill the form: