QUICK SUMMARY
Many growing VoIP providers fall into the “All-in-One” trap, forcing a feature-rich PBX (Class 5) to handle high-volume routing and security. This works for 500 users, but fails at 50,000.
This blog talks about the important role of the Class 4 softswitch for VoIP in optimizing margins and the necessity of SBC VoIP mechanisms for protecting your network core. It details how separating these layers prevents revenue leakage and enables seamless rolling upgrades.
If you are running a VoIP platform, you likely started with a single goal: get the phones ringing. In the early days, efficiency is everything. You spin up a FreeSWITCH cluster or an Asterisk server, and you make it do everything. It registers users, handles voicemail, bridges conference calls, and routes traffic to the carriers. It is a monolith, and for a while, it works beautifully.
But as you scale from 1,000 users to 10,000, or as you start onboarding wholesale traffic, cracks begin to appear. You notice that a sudden burst of sales calls makes the phones lag. You realize that you are losing margin because your routing logic isn’t smart enough to pick the cheapest carrier for a specific area code.
The reality is that “All-in-One” architectures are not built for carrier-grade scale. To grow without collapsing, you need to separate your concerns. You need a dedicated brain for routing (Class 4) and a dedicated shield for security (SBC).
Why PBX Can’t Handle Wholesale Routing
The most common question growing providers ask is, “Why do I need another server? My PBX handles routing just fine.” To answer this, we have to look at how a PBX uses resources compared to a dedicated switch.
A Class 5 Softswitch (your PBX) is designed to be “State-Heavy.” It is obsessed with the user. It needs to know if User A is on ‘Do Not Disturb’, if they have a voicemail waiting, if they are part of a ring group, or if they have call recording enabled. This requires significant memory and database interaction for every single call leg.
A Class 4 softswitch for VoIP, on the other hand, is “State-Light” but “Route-Heavy.” It doesn’t care about user features. Its only job is to take a call setup request (SIP INVITE), look up the destination number, check a list of 50 carriers to find the cheapest reliable path (LCR), and forward the packet. It does this in milliseconds, processing thousands of calls per second (CPS) without touching a user database.
Class 4 Softswitch vs. Class 5 Softswitch Resource Usage
| Feature | Class 5 Softswitch (PBX) | Class 4 Softswitch (Wholesale) |
| Primary Focus | User Features (Voicemail, IVR, BLF) | Routing & Billing (LCR, CPS) |
| State Management | High (Tracks user status, registrations) | Low (Tracks active sessions only) |
| Throughput | Low to Moderate | Extremely High |
| Routing Logic | Static (Simple rules) | Dynamic (Rate decks, profit margins) |
| Failure Impact | User features degrade | Network-wide revenue loss |
If you force your PBX to handle carrier routing, you are wasting expensive CPU cycles (designed for complex media processing) on simple packet forwarding. Worse, if a carrier has an outage and your PBX tries to re-route 500 active calls instantly, the CPU spike caused by that routing logic can crash the user-facing services. Your customers lose their phone service because your carrier’s logic got overwhelmed.
Stop routing wholesale traffic through a feature server.
How to Stop Revenue Leakage with Class 4 Softswitch Logic?
For a VoIP carrier, the difference between profit and loss is often measured in fractions of a cent. If you are routing traffic based on static rules (e.g., “Send all calls to Carrier A because they are usually good”), you are almost certainly losing money. This is where secure VoIP switching transitions from an operational necessity to a financial engine.
A PBX generally lacks the sophistication to handle “Rate Decks.” A Rate Deck is a spreadsheet from a carrier listing the cost to call every area code in the world. These prices change frequently (sometimes daily).
The Power of Least Cost Routing (LCR)
A Class 4 softswitch for VoIP is built to ingest these massive rate sheets from multiple providers. When a call comes in, it doesn’t just look at the destination; it performs a real-time auction.
A Class 4 switch automatically selects Carrier B. If Carrier B fails (returns a 503 Service Unavailable), it instantly fails over to Carrier C.
Jurisdictional Routing
In regions like the US, the cost of a call depends on jurisdiction.
- Is the call “Intrastate” (same state) or “Interstate” (cross-border)?
- Is it “Inter-LATA” or “Local”? A PBX rarely understands these distinctions.
A Class 4 switch analyzes the ANI (Caller ID) and DNIS (Destination Number) to categorize the call correctly. This ensures you aren’t paying a premium Interstate rate for a local call, plugging a major source of revenue leakage.
Secure your edge against fraud and topology attacks.
How an SBC Protects Your Network
In the “All-in-One” model, your PBX often sits directly on the public internet to accept registrations. This is akin to putting your bank vault in the middle of the street. Scanners like SIPVicious constantly trawl public IP ranges, looking for open port 5060s to launch brute-force attacks or attempt toll fraud.
This is where SBC VoIP security becomes non-negotiable. The Session Border Controller (SBC) acts as a specialized firewall for voice traffic. Unlike a standard network firewall that simply opens and closes ports, an SBC understands the SIP protocol. It opens the packet, inspects the headers, and decides if the traffic is legitimate before letting it inside your network.
One of the most critical functions of an SBC is “Topology Hiding.”
- Without SBC: When your PBX sends a SIP message, the headers often reveal the internal IP addresses of your application servers, database shards, and media relays. A sophisticated attacker uses this map to target your specific internal vulnerabilities.
- With SBC: The SBC acts as a Back-to-Back User Agent (B2BUA). It terminates the connection from the outside world and creates a completely new connection to your internal core. The headers are stripped and rewritten. To the outside world, your entire network looks like a single IP address (the SBC). The internal architecture remains invisible.
The Scary Cost of Network Breaches
VoIP security breaches cost organizations an average of USD 4.4 million (this year) in compliance penalties, legal settlements, and incident response. Without proper SBC protection, this risk is imminent.
Common VoIP Threats and SBC Mitigations
| Threat Type | How It Works | SBC Mitigation Strategy |
| Toll Fraud | Attackers guess passwords to route expensive calls through your system. | Rate limiting, geo-blocking, and analysis of “User-Agent” headers to block known scanner signatures. |
| Registration Storm | Thousands of devices reconnect at once (e.g., after an ISP outage). | Edge caching of registrations reduces load on the core database. |
| SIP DoS Attack | Flooding the server with malformed INVITE packets to crash the CPU. | The SBC validates syntax and silently drops malformed packets at a kernel level before they hit the software layer. |
The Architecture That Enables Zero-Downtime Maintenance
Beyond security and cost, the biggest operational risk in a monolithic architecture is the “Maintenance Window.” If your routing, security, and user features all live on one server, how do you upgrade it?
Usually, you don’t. You wait until 3:00 AM on a Sunday, you announce a downtime, and you pray. Even then, restarting a PBX drops every active call. For a 24/7 carrier, this is unacceptable.
Decoupling for Rolling Upgrades
When you separate the layers, you gain the ability to perform rolling upgrades without dropping a single packet.
- The Setup: You have two PBX nodes (Node A and Node B) behind a pair of SBCs.
- The Drain: You want to upgrade Node A. You tell the SBC, “Stop sending new calls to Node A.”
- The Wait: Existing calls on Node A continue until the users hang up naturally. The SBC routes all new calls to Node B.
- The Upgrade: Once Node A is empty (0 calls), you patch it, reboot it, and test it.
- The Restore: You tell the SBC, “Node A is healthy.” Traffic begins to flow back.
The end-user never experiences an outage. They don’t know you patched the system. This level of resilience is impossible if your SBC and PBX are in the same box.
Ecosmob Expert Tip
Most carriers keep their Class 4 and SBC separate for years before realizing they’re not talking to each other. Your SBC sees a sketchy IP and passes it through. Your Class 4 routes it to your most expensive carrier because it has no context about the threat. Build a data bridge between them: let your SBC send risk signals (fraud score, geo flags, registration anomalies) to your Class 4 in real-time. Your Class 4 can then route high-risk calls to cheaper carriers as a loss-leader, or reject them entirely. This single integration often recovers more margin than LCR optimization alone.
Every successful VoIP provider goes through a maturity curve. You begin with the “All-in-One” server because it is cheap and easy. But as you grow, that asset becomes a liability. The “All-in-One” model creates a ceiling on your growth: a limit defined by CPU capacity, security vulnerability, and static routing costs.
Moving to a tiered architecture (with SBC VoIP handling the edge defense and Class 4 softswitch for VoIP handling the routing intelligence) removes that ceiling. It allows you to:
- Scale volume without degrading user quality.
- Secure your network against the sophisticated threats targeting carriers today.
- Optimize margins dynamically, ensuring every call is profitable.
If you are serious about moving from a “provider” to a “carrier,” separating your routing logic from your feature logic is one of THE business requirements.
Is your routing logic eating your margins?
Contact our expert network architects!
FAQs
What is the difference between a Class 4 and a Class 5 switch?
A Class 5 switch (PBX) is like a "Retail Store". It interacts with customers, handling features like voicemail and call waiting. Whereas, a Class 4 switch is like the "Distribution Warehouse". It connects cities and countries, moving massive volumes of goods (calls) efficiently between providers.
Do you need a Class 4 switch if you already have a feature-rich PBX?
Yes. A feature-rich PBX is optimized to do a hundred things well (voicemail, conferencing, call recording, IVR). Routing wholesale traffic through it is like using a surgical knife to chop wood. Your PBX will get the calls to the right place eventually, but you'll waste cycles on state lookups, user feature checks, and database queries that have nothing to do with routing. A Class 4 switch finishes the same routing decision in microseconds while your PBX is still parsing user preferences. At scale, this difference compounds into massive operational costs.
How to know if our current setup is leaking revenue?
Start by auditing your actual call routes. Pick a sample of calls and check: for each destination, did you use the cheapest available carrier? For intrastate calls, did you avoid paying interstate rates? Did you route during peak hours to less-congested carriers?
Most PBXs with static routing rules fail a significant percentage of these checks. A Class 4 switch with proper LCR would pass almost all of them. Calculate the per-call cost difference and multiply by your monthly volume.
Can you implement SBC and Class 4 separately, or do they need to be integrated?
You can deploy them as separate components, but they perform better integrated. An SBC without Class 4 logic just forwards all calls to your PBX; it protects the edge but doesn't optimize routing. A Class 4 without an SBC leaves your network exposed to fraud. The real power comes when they work together: your SBC can apply fraud confidence scores to incoming calls and pass them to the Class 4, which then makes routing decisions based on both cost and risk.
What are the operational risks of mixing security and routing logic?
If your PBX handles both, you create a single point of failure with dual vulnerabilities. A routing loop can crash your PBX, causing a denial-of-service to all users. A security vulnerability means an attacker can potentially route calls through your system for toll fraud. If you separate these layers, a routing bug affects call paths but not security; a security issue gets caught at the SBC edge before reaching the PBX. You also can't update one without risking the other. Separate layers give you independent patch cycles and failure domains.












