MPLS to SD-WAN Migration
Faster, Cheaper, More Secure
Replace expensive MPLS circuits with application-aware SD-WAN. Ogma designs, deploys, and manages your SD-WAN transformation — from architecture planning through branch rollout to MPLS decommission.
MPLS Was Built for a Different Era
MPLS was designed when applications lived in the data centre and internet traffic was minimal. Today, 70-80% of branch traffic is SaaS-bound — Microsoft 365, Salesforce, SAP S/4HANA, Zoom. MPLS forces this traffic through the data centre (hair-pinning), adding latency and wasting expensive bandwidth.
MPLS circuits take 60-90 days to provision, cannot scale on demand, and cost 5-10x more per Mbps than broadband. Adding a new branch to an MPLS network means a new circuit order, router deployment, and weeks of waiting.
SD-WAN solves all of this — application-aware routing over any transport (broadband, LTE, DIA, MPLS), direct cloud access at the branch, encrypted overlays, and centralised management for hundreds of sites.
MPLS vs SD-WAN — Architecture Comparison
Side-by-side technical comparison of traditional MPLS and modern SD-WAN architectures.
| Capability | Traditional MPLS | SD-WAN (FortiGate) |
|---|---|---|
| Transport | Dedicated MPLS circuits from single provider | Any transport — broadband, DIA, LTE/5G, MPLS |
| Cost per Mbps | High (dedicated bandwidth pricing) | Low (commodity internet pricing) |
| SaaS Access | Backhauled through data centre (added latency) | Direct internet breakout at branch |
| Application Awareness | Basic QoS (DSCP marking) | Deep packet inspection, per-app SLA steering |
| Encryption | None (private but not encrypted) | IPsec AES-256 on all tunnels |
| Security | Separate firewall/IPS at each site | Integrated NGFW + IPS + SSL inspection |
| New Site Provisioning | 60-90 days (circuit installation) | Hours (zero-touch provisioning) |
| Bandwidth Scaling | Contract upgrade (weeks to months) | Add links dynamically (broadband, LTE) |
| Centralised Management | Provider-managed, limited visibility | FortiManager — full config, monitoring, analytics |
| Failover | Secondary MPLS or no redundancy | Sub-second failover across any transport |
Migration Methodology
WAN Assessment & Discovery
Inventory all sites, MPLS circuits, bandwidth utilisation, application traffic patterns, and SLA requirements. Identify critical applications, latency-sensitive traffic, and compliance constraints. Map existing router configurations and routing topology.
Architecture Design
Design the SD-WAN overlay topology — hub-spoke, full-mesh, or regional hub. Define SLA policies for each application class. Plan transport diversity per site (dual broadband, broadband + LTE, or broadband + MPLS hybrid). Size FortiGate appliances per branch throughput.
ISP Procurement & Staging
Order broadband/DIA circuits from diverse ISPs per site. Procure and pre-stage FortiGate appliances with base configuration, firmware, and zero-touch provisioning templates. Configure FortiManager for centralised deployment. Build lab validation environment.
Pilot Deployment
Deploy SD-WAN at 2-3 pilot branches (hub + spoke). Run in parallel with MPLS for 2-4 weeks. Validate application SLA performance, failover behaviour, and security policy enforcement. Measure latency, jitter, and packet loss versus MPLS baseline. Refine policies based on findings.
Branch Rollout
Ship pre-staged appliances to remaining branches. On-site or remote technicians connect WAN links and power on. Zero-touch provisioning pulls configuration from FortiManager automatically. Each branch goes live in under 60 minutes. Roll out 5-10 branches per week at scale.
MPLS Decommission & Optimise
Once all branches are stable on SD-WAN, begin MPLS circuit disconnection in coordination with provider contract terms. Optimise SD-WAN policies based on 30-60 days of production traffic analytics. Hand over to your NOC with runbooks, monitoring dashboards, and escalation procedures.
FortiGate SD-WAN — Key Capabilities
Application-Aware Routing
First-packet identification of 5,000+ applications. SLA-based steering measures latency, jitter, and packet loss per link in real time. Traffic is routed to the best-performing path for each application class.
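The per-link measurement and per-class steering described above, which is also the latency, jitter and packet-loss comparison made against the MPLS baseline during the pilot, shown as an added example (not Ogma's or Fortinet's code, and not a reproduction of FortiGate's algorithm). The SLA thresholds, link names and probe samples are constructed assumptions.

```python
from statistics import mean

# Constructed SLA targets per application class (assumed values, not from the
# page and not FortiGate defaults): max latency ms, max jitter ms, max loss %.
SLA = {
    "voice": {"latency": 150.0, "jitter": 30.0, "loss": 1.0},
    "saas":  {"latency": 250.0, "jitter": 60.0, "loss": 2.0},
}

def link_metrics(probes):
    """Summarise health probes; each entry is an RTT in ms, or None if lost."""
    rtts = [p for p in probes if p is not None]
    loss = 100.0 * (len(probes) - len(rtts)) / len(probes)
    if not rtts:  # every probe was lost: treat the link as dead
        return {"latency": float("inf"), "jitter": float("inf"), "loss": 100.0}
    # Jitter as mean absolute difference between consecutive answered probes.
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {"latency": mean(rtts), "jitter": mean(deltas) if deltas else 0.0,
            "loss": loss}

def violation(metrics, sla):
    """Sum of how far each metric exceeds its target, as a fraction of it."""
    return sum(max(0.0, metrics[k] / sla[k] - 1.0) for k in sla)

def steer(app_class, probes_by_link):
    """Return (link, in_sla) for an application class.

    Prefer the lowest-latency link that meets every SLA target; if none
    does, fall back to the link with the smallest total violation.
    """
    sla = SLA[app_class]
    measured = {name: link_metrics(p) for name, p in probes_by_link.items()}
    compliant = [n for n, m in measured.items() if violation(m, sla) == 0.0]
    if compliant:
        return min(compliant, key=lambda n: measured[n]["latency"]), True
    return min(measured, key=lambda n: violation(measured[n], sla)), False

# Constructed probe samples for one branch (RTT in ms, None = lost probe).
SAMPLE = {
    "broadband": [22, 25, 21, 95, 24, 23, 90, 22, 26, 24],        # fast, jittery
    "mpls":      [41, 42, 41, 43, 42, 41, 42, 43, 41, 42],        # steady
    "lte":       [70, None, 85, 72, None, 90, 75, 71, None, 88],  # lossy
}

if __name__ == "__main__":
    for app in SLA:
        print(app, steer(app, SAMPLE))
```

With these samples the broadband link has the lowest average latency but breaks the voice jitter target, so voice stays on the steadier link while SaaS traffic takes broadband.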
Integrated NGFW Security
Firewall, IPS, application control, web filtering, antivirus, and SSL deep inspection — all on the same appliance. No separate security stack at the branch. Powered by FortiGuard threat intelligence with real-time updates.
Cloud On-Ramp
Direct internet breakout for SaaS applications at the branch. Built-in connectors for Azure, AWS, and GCP for optimal cloud path selection. FortiSASE integration for remote users accessing the same overlay.
Auto-VPN & Mesh
ADVPN builds dynamic spoke-to-spoke tunnels on demand — no need for full-mesh configuration. Spoke branches communicate directly without routing through the hub, reducing latency for inter-branch traffic.
Centralised Orchestration
FortiManager provides single-pane management for hundreds of branches. Template-based provisioning, firmware management, policy push, and compliance auditing. FortiAnalyzer adds traffic analytics, SLA reporting, and historical trending.
WAN Optimisation
Built-in protocol optimisation, byte caching, and TCP optimisation reduce bandwidth consumption by 40-60% for repetitive traffic patterns. Forward error correction (FEC) recovers packets without retransmission on lossy links.
ROI That Justifies Itself
Typical cost comparison for a 20-branch enterprise WAN.
MPLS-Only WAN (Annual)
- 20x MPLS circuits (10 Mbps each): High
- Branch routers + maintenance: Medium
- Separate branch firewalls: Medium
- No SaaS optimisation: Latency Cost
- Total effective cost: Baseline
SD-WAN (Annual)
- 20x dual broadband (100 Mbps each): 60-70% less
- FortiGate SD-WAN + licensing: Included
- Integrated NGFW (no separate FW): Included
- Direct SaaS breakout: Productivity Gain
- Total effective cost: 40-70% savings
Exact savings depend on current MPLS contract rates and regional broadband pricing. We provide a detailed TCO analysis during assessment.
Common Migration Scenarios
Multi-Branch Retail & BFSI
50-500 branches with standardised configurations. Zero-touch provisioning and template-based deployment make rollout efficient. Integrated security replaces separate branch firewalls. LTE/5G backup ensures uptime for PoS and core banking.
Manufacturing & Warehouses
Remote factories and distribution centres with limited ISP options. SD-WAN aggregates multiple low-cost links (broadband + LTE) to match MPLS-level reliability. OT segmentation keeps SCADA traffic isolated from IT traffic on the same appliance.
SaaS-Heavy Enterprises
Organisations where 80%+ of traffic is SaaS-bound (M365, Salesforce, Workday, SAP). Direct internet breakout at the branch eliminates data centre backhaul latency. Application steering ensures consistent user experience across all locations.
Hybrid Cloud Connectivity
Branches needing direct connectivity to Azure, AWS, or GCP workloads. FortiGate SD-WAN Cloud On-Ramp provides optimised paths to cloud regions. Virtual FortiGate in the cloud extends the SD-WAN overlay into IaaS environments seamlessly.
Ready to Replace MPLS with SD-WAN?
Get a free WAN assessment with traffic analysis, ROI projection, and a phased migration plan tailored to your branch network.