Private Network Services: MPLS, Dedicated Lines, and Leased Circuits
Private network services connect enterprise locations, data centers, and remote sites over carrier-managed infrastructure that is isolated from the public internet. This page covers the three dominant technologies — Multiprotocol Label Switching (MPLS), dedicated lines, and leased circuits — including how each is constructed, where each fits operationally, and how organizations choose between them. Understanding these distinctions is foundational to any WAN architecture decision and directly affects network performance, compliance posture, and long-term cost structure.
Definition and scope
Private network services, in the context of enterprise WAN procurement, refer to connectivity solutions in which bandwidth and routing infrastructure are not shared with arbitrary third-party traffic. The carrier reserves capacity explicitly for the contracting organization, delivering predictable latency, packet loss, and jitter characteristics that public internet paths cannot guarantee.
Three principal service types define this category:
- MPLS (Multiprotocol Label Switching): A carrier-provisioned WAN technology that routes traffic using short path labels rather than IP destination addresses. Defined in IETF RFC 3031, MPLS creates label-switched paths (LSPs) across a provider's backbone, enabling traffic engineering, quality-of-service (QoS) classes, and any-to-any site connectivity within a single virtual private network.
- Dedicated lines (point-to-point circuits): Fixed-bandwidth connections between exactly two endpoints, provisioned over carrier facilities. Common implementations include DS1 (1.544 Mbps), DS3 (44.736 Mbps), and OC-n optical circuits defined under SONET/SDH standards published by the ITU-T G.707 recommendation.
- Leased circuits: A broader commercial category encompassing any carrier circuit contracted on a term basis — ranging from low-bandwidth copper T1 lines to high-capacity Ethernet private lines (EPL) defined under MEF standard MEF 6.
The scope of private network services typically excludes SD-WAN services and cloud networking services, although those technologies often ride over private underlay circuits.
How it works
Each technology operates through a distinct forwarding and provisioning mechanism.
MPLS forwarding process:
- A customer edge (CE) router connects to a provider edge (PE) router at the carrier's point of presence (PoP).
- The PE router assigns a label to incoming packets based on their Forwarding Equivalence Class (FEC) — a grouping determined by destination prefix, QoS marking, or VPN membership.
- Core label switch routers (LSRs) forward packets by swapping labels, without examining IP headers, along pre-computed label-switched paths.
- The egress PE router removes the label stack and delivers native IP packets to the destination CE router.
- QoS policies — typically mapped to Differentiated Services Code Point (DSCP) values per IETF RFC 2474 — allow voice, video, and data to traverse separate traffic classes with distinct drop and queuing behaviors.
Dedicated line provisioning:
A dedicated point-to-point circuit is provisioned end-to-end by the carrier, often using time-division multiplexing (TDM) on copper or optical fiber. The full contracted bandwidth (e.g., 1.544 Mbps for a T1) is reserved exclusively for the customer. No label processing occurs; the circuit is transparent to the IP layer and can carry any Layer 2 or Layer 3 protocol.
Leased circuit (Ethernet private line) provisioning:
Modern Ethernet private lines use carrier Ethernet transport as defined by MEF. A port-based EPL connects two sites at speeds from 10 Mbps to 100 Gbps, with the carrier mapping customer frames across its optical or packet-switched backbone. Unlike MPLS VPNs, EPL services present a single logical connection, not a meshed multi-site topology.
For a broader view of how these circuits fit within network infrastructure services categories, the MEF and ITU-T documentation frameworks are the primary normative references.
Common scenarios
Private network services are deployed across a defined set of operational patterns:
- Multi-site enterprise WAN: An organization with 12 regional offices uses MPLS to create any-to-any connectivity, applying QoS Class of Service (CoS) tiers so VoIP traffic receives priority queuing. This avoids the hub-and-spoke bottlenecks of dedicated line topologies.
- Healthcare and financial data segregation: Regulated industries subject to HIPAA (45 CFR Part 164) or PCI DSS requirements use dedicated leased circuits to carry sensitive data between facilities because the physical separation satisfies certain network segmentation control requirements without relying on overlay encryption. The HHS Office for Civil Rights recognizes physical network isolation as a technical safeguard mechanism (HHS HIPAA Security Rule guidance).
- Latency-sensitive trading and industrial control: High-frequency trading firms and industrial SCADA environments contract dedicated point-to-point OC-3 or OC-12 circuits to achieve deterministic sub-5ms latency between two fixed endpoints, where MPLS label-processing overhead and shared backbone paths are unacceptable.
- Primary-plus-backup architecture: A primary MPLS connection carries production traffic; a leased Ethernet private line or dedicated DS3 serves as a diverse-path failover — a topology covered in depth under network redundancy and failover services.
Decision boundaries
Choosing among MPLS, dedicated lines, and leased circuits follows a structured set of criteria:
| Criterion | MPLS VPN | Dedicated Line | Leased Ethernet Circuit |
|---|---|---|---|
| Topology | Any-to-any mesh | Point-to-point only | Point-to-point or point-to-multipoint (EVPL) |
| Bandwidth scalability | Moderate (carrier PoP dependent) | Fixed at provisioning | High (10 Mbps–100 Gbps) |
| QoS / CoS support | Native, multi-class | None (transparent pipe) | Limited (MEF CoS profiles) |
| Geographic reach | National/global carrier backbone | Local loop + IXC span | Metro and long-haul fiber routes |
| Typical contract term | 3–5 years | 1–5 years | 1–3 years |
| Regulatory isolation | Logical (VPN separation) | Physical | Physical or logical (carrier-dependent) |
Organizations whose network compliance and regulatory requirements mandate physical layer separation typically favor dedicated lines or leased circuits over MPLS VPNs, because MPLS logical isolation relies on provider-side label management rather than dedicated physical infrastructure.
When site count exceeds 5 and traffic patterns are unpredictable, MPLS generally outperforms a hub-and-spoke dedicated line topology in both cost and operational complexity. For exactly 2 sites with deterministic throughput requirements, a dedicated leased circuit eliminates the variable of shared provider backbone congestion.
The network services pricing models reference covers how carriers structure port fees, usage charges, and bandwidth commitment tiers across these service categories.
References
- IETF RFC 3031 — Multiprotocol Label Switching Architecture
- IETF RFC 2474 — Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
- ITU-T Recommendation G.707 — Network Node Interface for the Synchronous Digital Hierarchy
- MEF 6.3 — Ethernet Services Definitions, Phase 3
- HHS — HIPAA Security Rule: Technical Safeguards
- HHS — 45 CFR Part 164 Security and Privacy
- NIST Special Publication 800-77 — Guide to IPsec VPNs (network isolation context)
On this site
- Types of Networking Services: A Complete Reference
- Managed Network Services: What They Include and How They Work
- Network Infrastructure Services: Components and Considerations
- Cloud Networking Services: Connectivity and Architecture Options
- Enterprise Networking Services: Scope, Scale, and Selection Criteria
- Networking Services for Small Businesses: What to Look For
- Wide Area Network (WAN) Services: Types and Provider Comparison
- Local Area Network (LAN) Services: Setup, Management, and Support
- SD-WAN Services: How Software-Defined WAN Changes Networking
- Network Security Services: Firewalls, VPNs, and Threat Management
- Wireless Networking Services: Wi-Fi Design, Deployment, and Support
- Network Monitoring Services: Tools, Metrics, and Provider Options
- Managed Detection and Response for Networks: Service Breakdown
- VoIP and Unified Communications Networking Services
- Network Consulting Services: Assessment, Design, and Strategy
- Network Design and Architecture Services: What Providers Deliver
- Network Installation Services: Cabling, Hardware, and Configuration
- Network Support and Maintenance Services: SLAs and Coverage Models
- Network as a Service (NaaS): Definition, Use Cases, and Providers
- Fiber Optic Networking Services: Infrastructure and Provider Selection
- Data Center Networking Services: Connectivity and Colocation Considerations
- Network Virtualization Services: SDN, NFV, and Virtual Overlays
- IoT Networking Services: Connectivity for Connected Devices
- Multicloud Networking Services: Interconnecting Multiple Cloud Environments
- Outsourcing Network Management: Key Considerations and Trade-offs
- How to Evaluate and Select a Network Service Provider
- Network Services Pricing Models: Understanding Contracts and Costs
- Network Services Compliance: HIPAA, PCI-DSS, and Federal Requirements
- Network Redundancy and Failover Services: Ensuring Uptime and Resilience
- Network Performance Optimization Services: Latency, Throughput, and QoS
- Networking Services for Healthcare Organizations: Requirements and Providers
- Networking Services for Educational Institutions: K-12 and Higher Ed
- Networking Services for Government Agencies: Federal, State, and Local
- Networking Services Glossary: Key Terms and Definitions
- Industry Standards Governing Networking Services: IEEE, IETF, and Beyond
- Zero Trust Network Services: Architecture, Principles, and Implementation
- Frequently Asked Questions About Networking Services