Wednesday, October 24, 2012

Walk on the Wild Side: VoIP over VPN over Internet

Over the years I've seen or heard a lot of snide or offhand comments (from vendors, at conferences, on Twitter, etc.) regarding running voice over Internet VPNs in the enterprise environment. It's often taken for granted that people will pay for MPLS VPNs just to be able to control voice quality, and people who don't do so are sometimes assumed to be either too dumb to know better, or at least "deserving" of what they get.

At the company for which I work, we've migrated over the last several years from a WAN consisting mostly of leased circuits and MPLS VPNs to running almost entirely on IPSec VPNs over the Internet. The biggest reason is cost: we work in what I only half-jokingly refer to on Twitter as #ExtremeRuralNetworking. Many of our WAN sites are in remote locations served by only one small rural LEC, with extremely long distances from the central office. Provisioning MPLS VPNs through nationwide carriers to these sites can be unbelievably expensive, sometimes 20-30 times the cost of a DSL circuit or an Internet T1, or even more. Frequently the only service available is based on some kind of long-range wireless technology. Sometimes local providers will sell you (or a nationwide MPLS provider) something that claims to be a terrestrial T1 but actually includes microwave hops. Occasionally a MPLS provider's backhaul network doubles or even triples the latency compared to an Internet path.

Our experience has been this: VoIP performance over Internet VPNs is almost as good as over MPLS VPNs with dedicated service planes. There is definitely a small percentage of the time that voice quality suffers, but when we asked our business units if they would rather have better voice quality or pay substantially larger WAN bills, the choice was easy. I would go so far as to say that 99+% of the time, most people can't distinguish between Internet VPN voice versus MPLS VPN voice.

Keeping in mind that we deal with relatively low call volume (i.e., we're not running call centers over Internet VPNs!), here are a few things I've learned in setting up VPNs for the best voice-over-VPN-over-Internet quality:
  • Set up your QoS mostly the same way you would over private circuits or MPLS VPNs: put voice in a priority queue, reserve bandwidth for call control, use a scavenger class, etc.
  • Shape your traffic to the physical capacity of the link; if you have a 1.5 Mb contract with a 100 Mb physical link, make sure you shape to 1.5 Mb.
  • Avoid radically asymmetric circuits if the "up" speed is very slow. We had several sites with a 12 Mb "down" speed and a 768 kbps "up" speed; this proved to be mostly unworkable given our traffic patterns.
  • Use the same providers where possible, and consider the number of AS hops between you and the target AS. This makes for better consistency between sites and streamlines troubleshooting. It also usually results in small reductions in latency, which make a big difference in voice quality.
  • Latency is usually the biggest variable in VoIP over VPN setups. The modern Internet combined with good voice codecs is surprisingly good at dealing with packet loss and jitter, but latency is often highly variable, and as I said above, makes a bigger difference than I would have thought.
  •  Simple and consistent configurations make things easier, as always. We use Cisco DMVPN, which makes for a pretty easy configuration template.
  • If you have more than one uplink, choose the one with the lowest latency as your primary, and check it periodically. Small providers frequently change their transit providers, and it's not uncommon to see big changes performance through the same small provider several times a year.
  • Set user expectations. If your business knows you're saving them money and the price is that they have to switch to cell phones, long distance PSTN dialing, or POTS lines a few times a year, they'll deal with it.
Your mileage may vary.

7 comments:

Billy Carter said...

Nice post. What CODEC do you use over the VPN?

jswan said...

Mostly g729. I've noticed that conference phones seem to work better with g711. Looking forward to working more with ILBC as we get enough phones that support it; most of ours are pretty old.

Billy Carter said...

With all the money you are saving, you could put in a router/transcoder at HQ to let you do G.729-to-G.711 conferencing.

I am looking forward to trying ILBC soon.

Originull Networks said...

You are 100 percent right on. To small offices internet VPN's will offer higher throuput for way lower cost than traditional point to point or MPVL links at a way lower cost like you already mentioned. The biggest driver for this is to take a look at your business. If your company makes money off the telephones MPLS VPN's are just a cost of doing bussiness as times of high latency and delay will be unnaceptalbe. If some locations are just a warehouse or something of that nature your VOIP calls over internet VPN's are completely acceptable. I would also consider looking into ILBC codec as it was designed with the internet in mind.

Jean-Philippe Papillon said...

In our company, we are using Cisco phones 7965 that tunnels to an ASA in French headquarters. Codec iLBC works great from all over the world to give isolated workers (sometimes public work engineers in the fields) a link to their teams, with just an Internet connection.

James said...

I think a lot of small businesses are choosing VoIP because the quality is decent and the price is right. The right phones make conferencing easy and the mobile features are great on the road.

voip vpn said...

pptp is dead, it's cracked. Less than a day in the cloud to recover password, length and complexity don't matter.