Ethernet-VPN vs IP-VPN

What are the pros and cons of an Ethernet VPN compared with an IP-based VPN?

The answer to this actually depends on whether you have a switch-based network or a router-based network. An Ethernet VPN is equivalent to two switches communicating securely, thus creating a private LAN. An IP-based VPN is equivalent to two routers communicating securely, thus creating a secure connection between two different subnets.

An Ethernet VPN is going to be copying more data (the Ethernet headers). On the other hand, you can do some neat things with MAC layer filtering. (This doesn't really add to security because it's easy to fake, but whatever.) And you can run obsolete protocols like DECnet or IPX/SPX. And you will get Ethernet broadcasts over the wire. (This is a bad thing, since computers are quite chatty.)

IP VPNs are used far more widely. Presumably, this makes them more secure (i.e. battle tested). I'd say go with IP VPN unless you have a really compelling reason to copy that lower layer around.

However, I'm not sure we are comparing apples to apples here. An Ethernet "VPN" is just an isolated broadcast domain carried across multiple carriers. This could be VPLS or tunneled VLANs. If you want to encrypt, you are going to use SSL or IPsec or similar, which makes it an IP-based VPN over Ethernet.

An IP-based VPN is just that, an encrypted channel across a shared IP segment. Unless, of course, you are using VPN to refer to an MPLS network sans encryption.

In either case, I would look at the cost and the SLA associated with each. Since they are both doing the same thing, essentially, pick the provider with the better terms and conditions.

Also, if you're doing voice services, you might want to consider IP instead of Ethernet so you have more control over jitter, provided your IP provider allows you to set QoS across the network.

