An IP-VPN is a private network service that lets an organization interconnect its sites over a service provider's backbone with traffic isolation and predictable performance. Although the concept has existed for many years, it remains one of the most stable, manageable and performance-consistent WAN solutions. This article explains the architecture of an IP-VPN, the components that enable it, and why VRFs and MPLS routing are essential.
What Is an IP-VPN?
An IP-VPN is a Layer-3 private network in which traffic between a customer's locations is kept separate from every other customer's traffic inside the provider's network. Unlike site-to-site VPNs over the public internet, encryption is not a default component: separation comes from per-customer routing tables (VRFs) on the provider's edge routers and from MPLS label forwarding across the backbone. That separation is logical, not cryptographic; packets cross the provider's core in cleartext, so organizations that need confidentiality from the carrier run IPsec between their CE routers on top of the IP-VPN.
Why MPLS?
MPLS pushes one or more labels onto each packet at the edge of the provider network. In a Layer-3 VPN the stack is two labels deep: an outer transport label that steers the packet to the egress PE, and an inner VPN label that identifies the customer VRF at that PE. Core routers forward on the outer label alone and never consult the customer's IP header. This yields predictable, engineered paths (Label Switched Paths), lets the provider enforce QoS from the label header's traffic-class bits, and keeps customers' traffic apart, provided the VRF import policies on the PEs are configured correctly.
The Role of VRFs (Virtual Routing and Forwarding)
A key building block of any IP-VPN is the VRF. A VRF is essentially a separate routing and forwarding instance within a router.
How a VRF works
- Each customer receives one or more VRFs on the Provider Edge (PE) router.
- The VRF contains routing information for all sites belonging to that customer.
- Traffic from one VRF cannot reach another VRF unless the provider explicitly leaks routes between them (for example, into a shared-services VRF); with default import policies the routing tables are completely independent.
Why multiple VRFs?
Organizations often segment by:
- Production
- Guest networks
- OT / industrial environments
- Security-sensitive departments
VRFs enable strict segmentation without requiring additional physical infrastructure.
MPLS Routing and Label Switching
Step 1: CE sends traffic to the PE
The Customer Edge router sends packets to the Provider Edge router. The CE does not need to understand MPLS.
Step 2: The PE applies an MPLS label
Based on the VRF the packet arrived in, the PE looks up the destination in that VRF's table and pushes two labels: an inner VPN label, which the egress PE will use to identify the customer VRF and next hop, and an outer transport label, which carries the packet to the egress PE through the provider's backbone.
Step 3: Switching through the provider network
Within the backbone, P routers forward the packet on its outer label alone, swapping that label at each hop; they do not inspect the IP header. The penultimate hop normally pops the transport label, so the egress PE receives the packet carrying only the VPN label.
Step 4: Decapsulation
The egress PE reads the VPN label to select the correct VRF, pops it, and performs an ordinary IP lookup in that VRF to forward the packet to the customer site.
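The VRF behaviour described above (one routing table per customer, with route-target import deciding what enters it) and the four forwarding steps, as an added Python model written for this article rather than taken from any vendor, provider or standard. All AS numbers, route distinguishers, route targets, labels and prefixes are invented; the model also shows what the "cannot reach another VRF" guarantee rests on by letting one VRF import the wrong route target.

```python
"""Toy model of an MPLS Layer-3 VPN data path (added example, not provider or vendor code).

Customers A and B both number their sites out of 10.0.0.0/16. Route distinguishers
keep the two copies of 10.0.1.0/24 distinct, route targets decide which VRF imports
which routes, and a two-label stack carries each packet across P routers that never
read the customer IP header. Every AS number, RD/RT, label and prefix is invented.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class VpnRoute:
    prefix: ipaddress.IPv4Network
    rd: str          # route distinguisher: makes A's 10.0.1.0/24 != B's 10.0.1.0/24
    export_rt: str   # route target stamped on the route when the PE advertises it
    egress_pe: str   # PE that owns the attached site
    vpn_label: int   # inner label: tells the egress PE which VRF (hence CE) gets it


@dataclass
class Vrf:
    name: str
    rd: str                      # RD this VRF would stamp on its own advertisements
    import_rts: frozenset        # import policy: which route targets to accept
    table: dict = field(default_factory=dict)   # prefix -> VpnRoute


# ---- control plane: route import between PEs (the job MP-BGP does for real) ----
def import_routes(vrfs, advertised):
    """Install a route only into VRFs whose import policy lists its route target.
    Nothing else keeps customers apart: a VRF that imports the wrong RT sees the
    other customer's routes. First route for a prefix wins (stand-in for best path)."""
    for vrf in vrfs:
        for r in advertised:
            if r.export_rt in vrf.import_rts:
                vrf.table.setdefault(r.prefix, r)


def lookup(vrf, dst):
    """Longest-prefix match inside one VRF; None means unreachable from this VRF."""
    addr = ipaddress.ip_address(dst)
    hits = [r for p, r in vrf.table.items() if addr in p]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


# ---- data plane: label stack across the backbone ----
TRANSPORT_LABEL = {"PE2": 100}          # outer label PE1 pushes per egress PE (LDP/SR signals this)
P_LFIB = {100: 200}                     # P router: swap outer label, never looks beneath it
EGRESS_VRF_BY_LABEL = {3001: "CUST_A",  # PE2: inner label selects the VRF and so the CE
                       3002: "CUST_B"}


def forward(ingress_vrf, dst):
    """Walk one packet from the CE-facing VRF on PE1 to the VRF it leaves from on PE2.
    Returns (egress VRF name, hop log); the name is None when the VRF has no route."""
    route = lookup(ingress_vrf, dst)
    if route is None:
        return None, [f"PE1 VRF {ingress_vrf.name}: no route to {dst}, drop"]
    stack = [TRANSPORT_LABEL[route.egress_pe], route.vpn_label]   # step 2: push two labels
    log = [f"PE1 VRF {ingress_vrf.name}: push {stack} (route RD {route.rd})"]
    stack[0] = P_LFIB[stack[0]]                                   # step 3: swap outer label only
    log.append(f"P: swap outer -> {stack}")
    stack.pop(0)                                                  # penultimate hop pops transport label
    egress_vrf = EGRESS_VRF_BY_LABEL[stack.pop(0)]                # step 4: VPN label picks the VRF
    log.append(f"PE2: VPN label -> VRF {egress_vrf}, IP lookup, forward to CE")
    return egress_vrf, log


def build():
    """PE1 with one VRF per customer, each importing only its own RT, plus PE2's routes."""
    n = ipaddress.ip_network
    a = Vrf("CUST_A", "65000:1", frozenset({"65000:1"}))
    b = Vrf("CUST_B", "65000:2", frozenset({"65000:2"}))
    pe2_routes = [
        VpnRoute(n("10.0.1.0/24"), "65000:1", "65000:1", "PE2", 3001),  # A's site behind PE2
        VpnRoute(n("10.0.1.0/24"), "65000:2", "65000:2", "PE2", 3002),  # B's, same prefix
        VpnRoute(n("10.0.2.0/24"), "65000:2", "65000:2", "PE2", 3002),  # B only
    ]
    import_routes([a, b], pe2_routes)
    return a, b, pe2_routes


def leaky_vrf(routes):
    """Misconfiguration: customer A's VRF also imports B's route target (65000:2)."""
    leaky = Vrf("CUST_A", "65000:1", frozenset({"65000:1", "65000:2"}))
    import_routes([leaky], routes)
    return leaky


if __name__ == "__main__":
    a, b, routes = build()
    for vrf, dst in ((a, "10.0.1.10"), (b, "10.0.1.10"), (a, "10.0.2.5")):
        print("\n".join(forward(vrf, dst)[1]))
    # A's traffic for 10.0.2.5 now lands in customer B's VRF on PE2.
    print(forward(leaky_vrf(routes), "10.0.2.5")[0])
```

Two things to take from the model: the P router's forwarding decision touches only the outer label, which is why the core neither sees nor needs the customer's addressing, and customer separation is nothing more than the import policy on each VRF, so a route-target mistake on a PE, not a flaw in MPLS, is how one customer's traffic ends up in another's network.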
Topology and Design Considerations
Hub-and-spoke
Centralized applications continue to drive this architecture, with all traffic routed via a central site.
Full mesh
Every site can communicate directly with every other site, reducing latency and improving application performance.
Hybrid designs
Common in larger networks, combining centralized functions with decentralized traffic flows.
QoS and CoS in IP-VPN Environments
QoS is one of the major advantages of IP-VPNs. Providers can prioritize real-time or business-critical traffic over general data traffic.
Common traffic classes:
- Real-time (voice/video)
- Business-critical
- Best-effort
These classes allow bandwidth guarantees and predictable performance even under congestion.
How IP-VPN Differs From Internet-Based VPNs
| IP-VPN | Internet VPN |
|---|---|
| Separation by VRF and MPLS labels; no encryption by default | Encryption (for example IPsec) mandatory |
| Predictable latency & QoS | Latency varies widely |
| Provider-managed | Often self-managed |
| Stays on the provider's backbone | Traverses the public internet; quality depends on every ISP on the path |
IP-VPN remains popular for environments where reliability and deterministic performance are more important than dynamic cloud integration.
When Multiple VRFs Make Sense
- Strict departmental separation
- OT environments requiring dedicated routing domains
- Compliance-driven segmentation
- High-security architectures
VRFs remain a clean, robust method for separating traffic without complex overlays.
Conclusion
An IP-VPN is a mature and proven WAN architecture that delivers predictable performance through MPLS, VRF separation and advanced QoS capabilities. While SD-WAN and cloud-native networking are increasingly common, IP-VPNs remain highly relevant for organizations that require reliable, stable and well-governed private connectivity.