networkingwannetwork-plusIntermediate21 min read

What Is Multiprotocol Label Switching in Networking?

Also known as: MPLS, Multiprotocol Label Switching, MPLS definition, MPLS CCNA, MPLS Network+

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

MPLS is a way of sending data across a wide area network using short labels rather than looking up the full destination address at every stop. It works like putting a priority sticker on a package so routers know exactly where to send it next without opening the box. Because labels are shorter than IP addresses, forwarding is faster and more predictable. MPLS can handle many different types of traffic — even older protocols — which is why it is called "multiprotocol."

Must Know for Exams

On the Cisco CCNA exam, MPLS appears primarily in the context of WAN technologies and VPNs. The current CCNA (200-301) objectives include an understanding of MPLS, its benefits over traditional routed WANs, and basic configuration concepts. You should know that MPLS uses labels between Layer 2 and Layer 3, that LDP distributes labels, and that MPLS can carry IP, IPv6, and other protocols. The exam may present a scenario where a company switches from a point-to-point leased line to an MPLS VPN and ask you to identify the advantages — such as any-to-any connectivity, lower cost, and built-in redundancy.

For CompTIA Network+ (N10-008/009), MPLS is covered under WAN technologies (domain 1.3). You need to know that MPLS is a high-performance WAN protocol that operates at the OSI Layer 2.5, that it is connection-oriented, and that it provides traffic engineering and QoS capabilities. The exam may ask you to compare MPLS with other WAN technologies like Frame Relay, ATM, or VPN over internet. You could see a question like: "Which WAN technology uses labels to forward packets and can prioritize voice traffic?" with MPLS being the correct answer.

At the professional level, the CCNP Enterprise core exam (350-401 ENCOR) dives deeper into MPLS. You must understand MPLS forwarding mechanics, LDP session establishment, MPLS VPN architecture (both Layer 3 and Layer 2 VPNs), and MPLS Traffic Engineering. The exam expects you to troubleshoot MPLS label distribution, verify LSPs using show commands, and identify incorrect router configurations that prevent label advertisement.

In all these exams, the key is to focus on concepts rather than memorizing proprietary commands. Understand the label-swapping mechanism, the role of LERs versus LSRs, and how MPLS differs from pure IP routing. Practice reading MPLS traceroute outputs and interpreting label stacks. Also remember that MPLS is not a replacement for routing; it is an enhancement that sits underneath the IP routing table.

Simple Meaning

Imagine you are sending a letter through a giant postal system. In the traditional internet, every post office (router) would open your letter, read the street address (IP address), and use a giant map to figure out where to send it next. That takes time and every post office repeats the whole map-reading process, even if the letter is just passing through on its way across the country.

MPLS changes this by giving your letter a sticky label as soon as it enters the postal system. This label contains a short code that tells each post office exactly which sorting track to use, without needing to re-read the address every time. The label is placed on the letter at the very first post office, and subsequent post offices simply look at the label and forward the letter along the correct track.

This makes the entire journey faster and more consistent. MPLS is called "multiprotocol" because it works for letters written in any language (IP, IPv6, and even older networking protocols). "Label switching" refers to how the label is swapped or updated at each hop to guide the packet along its predetermined path.

In networking terms, MPLS sits between Layer 2 (the data link layer, like Ethernet) and Layer 3 (the network layer, like IP). It does not replace IP routing; instead, it adds a high-speed forwarding plane that sits underneath. Service providers use MPLS to build private WAN connections for businesses, ensuring reliable performance for voice, video, and data traffic.

Think of it as a high-speed express lane on a highway, where your packets have a VIP pass that lets them bypass traffic jams and toll booths.

Full Technical Definition

MPLS operates by attaching a small 32-bit label header to each packet as it enters the MPLS network at an ingress Label Edge Router (LER). This label header contains four fields: a 20-bit label value (used for forwarding decisions), a 3-bit Traffic Class (formerly EXP) field for QoS, a 1-bit bottom-of-stack indicator, and an 8-bit Time-to-Live field. The label is inserted between the Layer 2 header and the Layer 3 payload, which is why MPLS is often described as a Layer 2.5 protocol.

Once labeled, the packet travels through a series of Label Switching Routers (LSRs). Each LSR examines only the top label in the stack, uses it to perform a lookup in its Label Information Base (LIB), and then swaps the incoming label with an outgoing label before forwarding the packet out the correct interface. This label-swap operation is deterministic and extremely fast because it requires only a single table lookup, not a longest-prefix match on a full IP routing table.

Path determination in MPLS is based on Label Switched Paths (LSPs). LSPs can be established in two primary ways: hop-by-hop using a label distribution protocol (LDP) or explicitly using Resource Reservation Protocol with Traffic Engineering (RSVP-TE). LDP automatically distributes labels for every known destination based on the IGP (OSPF or IS-IS) routing table. RSVP-TE allows network engineers to engineer explicit paths for traffic engineering purposes, such as avoiding congested links or guaranteeing bandwidth.

MPLS also supports several advanced features. MPLS VPNs use a two-label stack: the inner label identifies the VPN customer and the outer label is used for transport across the provider backbone. MPLS Traffic Engineering (MPLS-TE) enables the creation of tunnels that can follow paths different from the IGP shortest path, allowing network operators to balance load across multiple links. MPLS fast reroute (FRR) provides sub-50-millisecond protection switching by precomputing backup LSPs around link or node failures.

In real IT environments, MPLS is deployed extensively by ISPs and large enterprises to connect branch offices to data centers. It provides predictable performance, strict service-level agreements (SLAs), and the ability to carry mixed traffic types (IPv4, IPv6, Ethernet, ATM, Frame Relay) over a unified core. Modern MPLS networks often run on top of Layer 3 IP/MPLS cores with BGP as the control plane for VPN signaling.

Real-Life Example

Think of a busy airport — specifically, the baggage handling system. When you check in for a flight, your suitcase gets a printed label with a barcode and a destination code (like LAX, LHR, or NRT). That label is the only thing the conveyor belts and sorting machines look at. They do not open your suitcase to read the address tag you wrote inside. They just scan the barcode, read the three-letter airport code, and send the suitcase down the correct chute. The label might be updated at certain transfer points — maybe a new barcode is added for a connecting flight — but the process is always the same: read the label, decide which track, swap the label if needed, and forward.

Now map this to MPLS. Your check-in counter is the ingress LER. It takes your data packet and adds a label (the barcode). The conveyor belts and sorting arms are the LSRs. They do not inspect the contents of the packet. They simply read the label, perform a quick lookup (which chute to use), swap the old label for a new one, and push the packet along. The final destination (your baggage claim) is the egress LER, which removes the label and delivers the packet to its final network location. The beauty of the system is that every sorting machine along the way only needs to understand label-based forwarding — it does not care if the bag contains clothes, electronics, or fragile items. That is the "multiprotocol" part: MPLS works with any type of payload, whether it is IP, IPv6, or legacy protocols like Frame Relay.

Just as airport baggage systems can handle thousands of bags per hour without delays, MPLS can forward millions of packets per second with minimal latency because label lookups are faster than IP routing table lookups. And if a conveyor belt breaks, the airport can reroute bags using pre-planned backup chutes (fast reroute) without losing a suitcase.

Why This Term Matters

In real IT work, MPLS matters because it solves a fundamental problem: making a wide area network fast, reliable, and predictable. When you connect company offices across cities or countries, you cannot rely on standard internet connections for everything. Standard IP routing means every packet takes the best path at that moment, which can lead to variable latency, packet loss during congestion, and no guaranteed performance. MPLS gives network engineers a way to create virtual private WANs with hard performance guarantees.

For system administrators and cloud architects, MPLS is often the backbone that connects on-premises data centers to cloud providers through direct peering or MPLS VPNs. It enables traffic engineering, meaning you can explicitly control which links carry voice traffic versus bulk data transfer, preventing one application from starving another. MPLS also supports Quality of Service (QoS) marking, so you can prioritize real-time traffic like VoIP and video conferencing over file transfers.

From a security perspective, MPLS VPNs provide isolation between customer traffic without the overhead of IPSec encryption for every site-to-site tunnel (though encryption can still be added). Many organizations use MPLS for their internal corporate network, relying on the provider's backbone to ensure uptime and performance. When you troubleshoot a network, understanding MPLS helps you interpret traceroute output that shows label-switched paths, identify MPLS MTU issues, and configure CoS mappings.

For certification learners, MPLS is a core technology on the CCNA and Network+ exams because it represents how modern service provider networks actually work. Knowing MPLS means you understand the difference between a simple home router network and a carrier-grade infrastructure. It also connects to broader concepts like BGP, OSPF, VLANs, and VPNs, making it a central piece of the networking puzzle.

How It Appears in Exam Questions

Exam questions on MPLS fall into several patterns. First are definition and comparison questions: "Which WAN technology adds a label between the Layer 2 and Layer 3 headers to speed up packet forwarding?" Answer: MPLS. Or "What is a key advantage of MPLS over Frame Relay?" Answer: MPLS supports any-to-any connectivity without requiring a full mesh of virtual circuits.

Second are scenario questions where you must identify the best WAN technology for a given situation. For example: "A company with 50 branch offices needs to connect all sites securely and prioritize VoIP traffic. The solution must support any-to-any communication and allow traffic engineering. Which WAN technology should be used?" The correct answer is MPLS VPN.

Third are troubleshooting questions, often at the CCNA or CCNP level. They might show an MPLS ping or traceroute output and ask: "Why is the MPLS path not working between R1 and R5?" Or: "Given the label distribution table, which LSP path will be taken for traffic to 10.1.1.0/24?" These require you to read label bindings and understand label swap operations.

Fourth are configuration and verification questions. On the CCNP exam, you might be asked to complete a partial MPLS configuration: "Which command enables MPLS on an interface under Cisco IOS?" The answer is "mpls ip." Or: "Which protocol is used to exchange label bindings between MPLS routers?" Answer: LDP.

Fifth are true/false or multiple-choice questions about MPLS characteristics: "MPLS routers always perform a routing table lookup for every packet. (True/False)" Answer: False. MPLS routers (LSRs) forward packets based on label lookups, not routing table lookups.

Last are design questions: "In an MPLS VPN, which router performs the encapsulation and decapsulation of the MPLS label?" Answer: The Provider Edge (PE) router. The Customer Edge (CE) router does not participate in MPLS and only sends standard IP packets.

Practise Multiprotocol Label Switching Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A medium-sized company, BlueWave Logistics, has 12 branch offices across the United States and a main data center in Chicago. They currently use site-to-site IPSec VPNs over the internet to connect each branch to Chicago. The IT team is frustrated because voice calls over the VPN often drop or have poor quality during peak hours, and adding a new branch requires creating a new VPN tunnel and configuring every other site if they want any-to-any communication.

BlueWave decides to migrate to an MPLS WAN provided by a tier-1 ISP. Each branch gets a single connection to the ISP's network. The ISP assigns a label to traffic entering their MPLS backbone. Now when the San Francisco office sends a packet to the New York office, the ingress LER in the ISP's network attaches an MPLS label. The packet travels across the ISP's core using label switching, never being routed by IP until it reaches the egress LER near New York, which removes the label and delivers the standard IP packet to BlueWave's New York router. Because the ISP has engineered the MPLS paths for minimal latency, BlueWave's voice calls now have consistent quality. Adding a new branch in Dallas is simple: the IT team just orders a new MPLS circuit from the ISP, and the ISP configures the new site into the same VPN so it can talk to all other branches automatically. No tunnels to configure, no routing table redesign. BlueWave also enables QoS marking on their routers so that VoIP traffic gets a higher priority label, ensuring it stays ahead of bulk data.

Common Mistakes

Thinking MPLS is a replacement for IP routing.

MPLS does not replace IP routing. It adds a label-switching layer that works alongside IP routing. IP routing protocols (OSPF, BGP) still run to build the routing table, and LDP uses that routing table to distribute labels.

Understand that MPLS is a high-speed forwarding mechanism that sits below IP routing. The control plane uses IP routing protocols; the data plane uses label switching.

Confusing MPLS labels with MAC addresses.

MAC addresses are Layer 2 addresses used within a single broadcast domain. MPLS labels are per-hop forwarding identifiers that are swapped at every router along the path. They are not globally unique like MAC addresses.

Remember that MAC addresses are flat and hardware-based, while MPLS labels are locally significant and swapped at each hop.

Assuming MPLS only works with IP traffic.

MPLS is called 'multiprotocol' because it can carry many different types of traffic, including IP, IPv6, IPX, and even Ethernet frames. The label insertion works regardless of the Layer 3 protocol.

Think of MPLS as a protocol-agnostic transport. It does not care what is inside the payload.

Believing that MPLS routers always know the full destination IP address.

Label Switching Routers (LSRs) in the core of the MPLS network do not examine the IP header at all. They only look at the top label to make forwarding decisions. Only the edge routers handle IP lookups.

Distinguish between Label Edge Routers (LERs) that do IP lookups and Label Switching Routers (LSRs) that do label lookups only.

Thinking MPLS provides encryption.

MPLS itself does not provide encryption. It offers traffic isolation using labels (MPLS VPNs), but data is transmitted in the clear unless additional encryption (like IPSec) is applied.

Use MPLS for performance and traffic engineering; add encryption separately if confidentiality is needed.

Exam Trap — Don't Get Fooled

A question asks: 'Which layer of the OSI model does MPLS operate at?' and gives options like Layer 2, Layer 3, Layer 2.5, or Layer 4. Many learners pick 'Layer 3' because MPLS deals with labels and path selection.

Memorize that MPLS inserts a label between the Layer 2 header (like Ethernet) and the Layer 3 payload (IP). This makes it a Layer 2.5 protocol. The OSI model does not officially define a Layer 2.

5, but the networking industry uses that term to describe MPLS. Always associate MPLS with Layer 2.5.

Commonly Confused With

Multiprotocol Label SwitchingvsVPN (Virtual Private Network)

A VPN creates an encrypted tunnel over a public network (often the internet) to provide privacy. MPLS does not encrypt traffic; instead, it uses labels to isolate traffic within a service provider's backbone. MPLS can be used to build VPNs (MPLS VPNs), but the two concepts are not the same.

Think of a VPN as a secure armored truck that drives through regular city streets, while MPLS is an express lane on a private highway where only authorized vehicles are allowed, but the vehicles are not locked.

Multiprotocol Label SwitchingvsVLAN (Virtual Local Area Network)

VLANs segment traffic within a single Layer 2 network using 802.1Q tags. MPLS segments traffic across a WAN using labels. VLANs are local to a switch network; MPLS spans multiple routers across a service provider core.

VLANs are like different rooms in one office building. MPLS is like a tunnel system connecting buildings in different cities.

Multiprotocol Label SwitchingvsBGP (Border Gateway Protocol)

BGP is a path-vector routing protocol used to exchange routing information between autonomous systems. MPLS is a forwarding mechanism. They often work together: BGP carries VPN routes, and MPLS carries the traffic across the provider backbone.

BGP is the map that tells you how to get from one city to another. MPLS is the high-speed train that actually takes you there using that map.

Multiprotocol Label SwitchingvsFrame Relay

Frame Relay is an older WAN technology that creates virtual circuits using Data Link Connection Identifiers (DLCIs). MPLS is more flexible, supports any-to-any connectivity without a full mesh of virtual circuits, and provides better traffic engineering and QoS.

Frame Relay is like a set of permanent taxi routes between specific points. MPLS is a ride-sharing network where any car can take you to any destination, using efficient shortcuts.

Step-by-Step Breakdown

1

Packet arrival at ingress LER

A standard IP packet arrives at the Provider Edge (PE) router, also called the ingress Label Edge Router. This router performs a full IP routing table lookup to determine which VPN or destination the packet belongs to.

2

Label push

Using information from the LDP or BGP VPNv4 table, the ingress LER pushes (adds) an MPLS label onto the packet. This label is placed between the Layer 2 header and the IP packet. The label stack may have multiple labels — for example, an outer label for transport and an inner label for VPN identification.

3

Label-based forwarding at first LSR

The labeled packet arrives at the first core Label Switching Router (LSR). The LSR reads only the top label. It performs a lookup in its Label Information Base (LIB). The LIB entry tells the LSR which outgoing interface to use and which new label to swap in.

4

Label swap at each subsequent LSR

Each LSR along the LSP continues the same process: read top label, lookup in LIB, swap the old label with a new label, and forward the packet out the correct interface. The IP header is never examined during this process.

5

Penultimate Hop Popping (PHP)

The second-to-last LSR (often called the penultimate hop) pops the outer label before sending the packet to the egress LER. This offloads the label removal work from the edge router and reduces the size of the packet slightly, allowing faster processing.

6

Egress LER processes the packet

The egress LER receives the packet with either the inner label or no label (after PHP). It performs an IP routing lookup or VPN lookup to determine the final destination. It then removes any remaining labels and forwards the standard IP packet out to the customer edge (CE) router or local network.

Practical Mini-Lesson

MPLS is more than a theoretical concept — it is a technology you will configure, monitor, and troubleshoot as a network professional. Let us walk through a practical implementation scenario. Imagine you are a network engineer for an MPLS service provider. You have two PE routers (PE1 and PE2) connected to a core of P routers (P1, P2). You need to enable MPLS so that customers can have VPN connectivity between their branch offices.

First, you enable Cisco Express Forwarding (CEF) on all routers because MPLS depends on CEF for its forwarding table. Then you configure the loopback interfaces and an IGP like OSPF or IS-IS across the entire MPLS domain. The IGP ensures all routers know how to reach each other's loopback addresses. Next, you enable MPLS on each core-facing interface using the "mpls ip" command under the interface configuration. This tells the router to process incoming and outgoing MPLS labels on that link.

Now you configure LDP. On Cisco routers, LDP is enabled by default once MPLS is enabled on an interface. But you need to verify that LDP sessions form between routers. Use "show mpls ldp neighbor" to confirm. LDP automatically assigns labels for every route in the IGP routing table. You can see these bindings with "show mpls forwarding-table." This is the forwarding table that LSRs use to make label-swapping decisions.

Once MPLS is functional, you can build an MPLS Layer 3 VPN. This requires creating a VRF (Virtual Routing and Forwarding) instance on the PE routers for the customer, running MP-BGP between the PE routers to exchange VPNv4 routes, and redistributing customer routes into the VRF. The BGP route carries the VPN label (inner label) that identifies the customer's VPN. The IGP label (outer label) is used to transport the packet across the core.

What can go wrong? Common issues include LDP session failure (often due to mismatched interface MTU or missing loopback reachability), MPLS TTL expiry leading to packet loss in ping tests, and misconfigured VRFs that cause traffic to leak between customers. Troubleshooting typically starts with "ping mpls" commands to test LSP connectivity and "show mpls ldp bindings" to verify label distribution. Always check that CEF is enabled globally and on the interfaces, as MPLS forwarding relies on it.

MPLS connects to broader concepts like QoS (marking the Traffic Class field), BGP (carrying VPN routes), and network automation (using MPLS-TE for bandwidth optimization). Understanding MPLS deeply gives you the skills to design and manage carrier-grade networks, which is a highly valued expertise in the industry.

Memory Tip

MPLS = My Packets Love Shortcuts — labels are shorter than IP addresses, so packets find faster paths through the network.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)

Related Glossary Terms

Frequently Asked Questions

Is MPLS faster than IP routing?

MPLS is generally faster at forwarding packets because label lookups are simpler than longest-prefix-match IP routing table lookups. However, the overall speed depends on the hardware and network design.

Does MPLS require special hardware?

Many modern routers support MPLS, but some older or low-end devices do not. Service provider-grade routers almost always have MPLS support built in.

Can MPLS be used over the internet?

MPLS is typically deployed within a service provider's private backbone, not over the public internet. However, some providers offer 'MPLS over IP' solutions that encapsulate MPLS in IP tunnels.

What is the difference between an MPLS VPN and a traditional VPN?

An MPLS VPN uses labels to isolate traffic within the provider network, while a traditional VPN (like IPSec VPN) encrypts traffic over the public internet. MPLS VPNs offer better performance but no built-in encryption.

How do I see MPLS labels in a packet trace?

Tools like Wireshark can decode MPLS headers. In a Cisco router, you can use 'show mpls forwarding-table' to see label bindings and 'traceroute mpls' to trace an LSP.

Is MPLS obsolete?

No, MPLS is still widely used in service provider networks. However, newer technologies like Segment Routing (SR-MPLS) and SD-WAN are gaining popularity as alternatives or enhancements to traditional MPLS.

Do I need to know MPLS for the Network+ exam?

Yes, CompTIA Network+ includes MPLS as a WAN technology. You should know its purpose, basic operation, and that it operates at Layer 2.5.

What is the role of LDP in MPLS?

The Label Distribution Protocol (LDP) automatically assigns and distributes labels to all routers in the MPLS domain based on the IGP routing table. It enables the creation of label-switched paths without manual configuration.

Summary

Multiprotocol Label Switching is a powerful WAN technology that uses short labels to forward packets quickly and efficiently across a service provider network. It operates at Layer 2.5, inserting a label between the Layer 2 header and the Layer 3 payload.

By performing label-based forwarding instead of IP routing table lookups at every hop, MPLS reduces latency and enables traffic engineering, QoS, and VPN services. For IT certification exams like CCNA and Network+, you need to understand MPLS concepts such as label switching, LER and LSR roles, label distribution protocols, and the benefits over traditional WAN technologies. MPLS remains a core building block of modern carrier networks, and mastering it prepares you for advanced topics like MPLS VPNs, Segment Routing, and network automation.

Remember that MPLS does not replace IP routing — it enhances the forwarding plane while the control plane still relies on protocols like OSPF and BGP.