Networks with more stringent QoS requirements might use IPSec-over-Internet for non-real-time traffic and MPLS for real-time and mission-critical traffic
Basic MPLS, how it works:
A good explanation is at:
customer router-1/packets-> PE-ingress -> P-router -> … ->P-router ->PE-egress –> customer A router2
The PE-ingress will use routing information (FEC) to put the right label on the incoming packets
The P routers will do either swap, or push or pop operation on it based on the label
Finally the PE-egress will pop label and then forward packtes based on normal routing.
The key is: those label-switched path ( LSP or virtual circuits) are setup/pre-determined by LDP or other signalling bae on FEC. Thus it is much faster than normal routing.
LSPs are unidirectional, since bidirectional communication is typically desired, the aforementioned dynamic signaling protocols can set up an LSP in the other direction to compensate for this.
usually use VRF to setup MPLS VPN
The PE-router will setup VRF ( including Router-distinguisher (RD) and Router-target (RT)) with customer router , and exchange routing info using: RIP/EIGRP/OSPF( even BGP).
good explain of RD and RT are at:
The PE-routers will need to exchange those vpn4 route using iBGP ( redistribute normal routes into iBGP, and redistribute iBGP route to custoerm router)
good explain and sample config is at: