
Optimizing VoIP Performance on Cisco Meraki MX Firewalls with TELAIR


This knowledge base article provides a comprehensive guide to configuring Quality of Service (QoS) and other network optimizations on a Cisco Meraki MX firewall to ensure high-quality Voice over IP (VoIP) performance with TELAIR as the VoIP provider. By following these steps, you can minimize common VoIP issues such as dropped calls, choppy audio, jitter, echoing, or one-way audio.

Voice over IP (VoIP) is a critical communication technology in modern enterprise networks, enabling phone calls over IP networks. TELAIR, a leading Canadian VoIP provider, offers cloud-based Hosted PBX (MyPBX) and Business SIP solutions. VoIP traffic is highly sensitive to latency, jitter, and packet loss. The Cisco Meraki MX firewall offers robust tools to prioritize VoIP traffic, ensuring clear and reliable communication. This article outlines best practices for configuring QoS, VLANs, and firewall settings to optimize VoIP performance with TELAIR and troubleshoot quality issues.

  • Access to the Meraki Dashboard with administrative privileges.
  • Access to TELAIR’s customer portal (e.g., MyPBX Web Admin Portal) for configuration details.
  • Knowledge of TELAIR’s network requirements (e.g., IP addresses, ports, or protocols). Contact TELAIR Support for specific IP blocks.
  • Bandwidth details for your WAN connection(s).
  • A separate VLAN for VoIP traffic (recommended but optional).
  • VoIP devices (e.g., TELAIR-supported Polycom VVX Series IP Phones, Yealink handsets, or TELAIR Connect app) already deployed or planned.

To configure QoS effectively, you need accurate information about your WAN bandwidth.

  1. Disable Existing Traffic Shaping/Firewall Rules: Temporarily disable any existing traffic shaping or firewall rules to avoid skewed results.
  2. Perform Bandwidth Tests: Go to speedtest.net and run three consecutive tests outside business hours to minimize interference. Note the lowest upload and download speeds.
  3. Set Conservative Bandwidth Limits: In the Meraki Dashboard, navigate to Security & SD-WAN > Configure > Traffic Shaping. Click the Details link for your WAN uplink (e.g., WAN1) and enter speeds slightly lower than the lowest test results (e.g., if 100 Mbps down/20 Mbps up, set to 95 Mbps down/18 Mbps up). This prevents oversaturation.

Segregating VoIP traffic into a dedicated VLAN improves performance by isolating it from other network traffic.

  1. Create a Voice VLAN:
    • Navigate to Security & SD-WAN > Configure > Addressing & VLANs.
    • Enable VLANs if not already enabled.
    • Add a new VLAN (e.g., VLAN 100, named “VOICE”) with a unique subnet (e.g., 192.168.100.0/24) and set the MX gateway IP (e.g., 192.168.100.1).
  2. Assign Voice VLAN to Devices:
    • For Meraki MS switches, configure access ports to advertise the Voice VLAN via LLDP or CDP. Navigate to Switches > Configure > Switch Ports, select the port, and set the Voice VLAN.
    • Ensure TELAIR-supported devices (e.g., Polycom VVX Series IP Phones or TELAIR Connect app) are configured to use the Voice VLAN, either automatically via LLDP/CDP or manually per TELAIR’s documentation.
  3. Verify Inter-VLAN Routing: If the MX handles inter-VLAN routing, ensure the Voice VLAN can communicate with TELAIR’s SIP servers or Hosted PBX. Avoid restricting inter-VLAN traffic unnecessarily.

QoS prioritizes VoIP traffic to minimize latency and jitter.

  1. Enable Traffic Shaping:
    • Go to Security & SD-WAN > Configure > Traffic Shaping.
    • Select the SSID or WAN uplink and enable Shape traffic on this SSID/network.
  2. Create a VoIP Traffic Shaping Rule:
    • Click Create a new rule and select All VoIP & video conferencing from the Add + menu. For TELAIR-specific traffic, define a custom rule using the IP blocks and ports provided by TELAIR Support, as TELAIR’s SIP servers and Hosted PBX use specific IP ranges. Contact TELAIR Support via the customer portal to obtain these IP blocks.
    • Set Per-client bandwidth limit to Ignore SSID per-client limit (unlimited) to ensure VoIP traffic isn’t throttled.
    • Set Priority to High and DSCP tag to 46 (EF) for expedited forwarding.
  3. Apply DSCP to CoS Mapping (if using Meraki MS switches):
    • Navigate to Switches > Configure > Switch Settings.
    • Under Quality of Service, add a QoS rule to trust incoming DSCP tags for the Voice VLAN (e.g., DSCP 46 maps to CoS queue 3).
  4. Save Changes: Ensure all rules are saved to apply immediately.

Ensure VoIP traffic to TELAIR’s servers can pass through the firewall without being blocked.

  1. Allow Necessary Ports and IP Blocks:
    • Navigate to Security & SD-WAN > Configure > Firewall.
    • Add outbound Layer 3 rules to allow:
      • SIP: UDP ports 5060-5061 (or alternative ports if specified by TELAIR, as changing the SIP port may be supported to avoid ghost calls).
      • RTP: UDP ports 10000-65535, 4000-4999 (or as specified by TELAIR Support).
      • HTTPS/TLS: TCP 443 (for secure SIP or TELAIR Connect app).
      • IPSec: UDP 500 and 4500 (for Wi-Fi calling or VPN-based VoIP).
    • Specify TELAIR’s IP blocks for SIP and RTP traffic. Since TELAIR’s specific IP ranges are not publicly listed, contact TELAIR Support through the MyPBX portal to obtain the exact IP addresses for their SIP servers and Hosted PBX infrastructure.
    • To prevent phantom or ghost calls, configure firewall rules to whitelist only TELAIR’s IP blocks for SIP traffic (port 5060 or custom ports) and block all other sources. This reduces exposure to SIP port scans.
  2. Avoid Load Balancing for VoIP: If using dual WAN uplinks, disable load balancing for VoIP traffic to prevent jitter. Set uplink preferences under Traffic Shaping to send TELAIR VoIP traffic over a single WAN.
  3. Disable ALG if Needed: TELAIR’s Hosted PBX or Business SIP may require disabling Application Layer Gateway (ALG) for proper NAT traversal. Check with TELAIR Support and disable ALG under Security & SD-WAN > Configure > Firewall if recommended.
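
One way to check that the SIP whitelisting described above actually holds in an exported rule set. This is an added example, not TELAIR or Meraki code. It assumes rules exported as dictionaries using the Meraki Dashboard API L3 firewall rule fields (`comment`, `policy`, `protocol`, `destPort`, `destCidr`); the provider CIDRs are placeholders from documentation ranges, and all function names are hypothetical.

```python
import ipaddress

# Placeholder provider ranges (RFC 5737 documentation blocks), NOT real TELAIR IPs.
PROVIDER_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
SIP_PORTS = range(5060, 5062)  # UDP 5060-5061, as listed in the article

def port_set_hits(spec, wanted):
    """True if a destPort spec ('Any', '5060', '5060-5061', '80,443') covers any wanted port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= p <= hi for p in wanted):
            return True
    return False

def dest_within_provider(cidr_spec):
    """True only if every destination CIDR in the rule sits inside a provider block."""
    if cidr_spec.strip().lower() == "any":
        return False
    for c in cidr_spec.split(","):
        net = ipaddress.ip_network(c.strip(), strict=False)
        if not any(net.version == p.version and net.subnet_of(p) for p in PROVIDER_CIDRS):
            return False
    return True

def audit_sip_rules(rules):
    """Return comments of allow rules that pass SIP ports to destinations outside
    the provider blocks. Rule order (first match wins) is not evaluated here."""
    findings = []
    for r in rules:
        if r["policy"] != "allow" or r["protocol"] not in ("udp", "any"):
            continue
        if port_set_hits(r["destPort"], SIP_PORTS) and not dest_within_provider(r["destCidr"]):
            findings.append(r["comment"])
    return findings

# Constructed sample rule set for illustration.
SAMPLE_RULES = [
    {"comment": "SIP to provider", "policy": "allow", "protocol": "udp", "destPort": "5060-5061", "destCidr": "203.0.113.0/24"},
    {"comment": "SIP to anywhere", "policy": "allow", "protocol": "udp", "destPort": "5060", "destCidr": "Any"},
    {"comment": "RTP wide open", "policy": "allow", "protocol": "udp", "destPort": "4000-65535", "destCidr": "Any"},
    {"comment": "Block other SIP", "policy": "deny", "protocol": "udp", "destPort": "5060-5061", "destCidr": "Any"},
]

if __name__ == "__main__":
    print(audit_sip_rules(SAMPLE_RULES))
```

The third sample rule shows how a single merged RTP range can silently include the SIP ports; the article's two separate RTP ranges (4000-4999 and 10000-65535) do not.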

Step 5: Optimize Wi-Fi for VoIP (if applicable)


For wireless VoIP devices, such as TELAIR Connect app on smartphones or tablets, additional optimizations are required.

  1. Enable WMM: Meraki MR access points support Wireless Multimedia (WMM) to prioritize voice traffic. Ensure WMM is enabled under Wireless > Configure > Radio Settings.
  2. Configure SSID for VoIP:
    • Go to Wireless > Configure > Firewall & Traffic Shaping.
    • Select the SSID used for TELAIR VoIP devices, create a rule for All VoIP & video conferencing or a custom rule with TELAIR’s IP blocks (contact TELAIR Support for details), and set Per-client bandwidth limit to unlimited with a DSCP tag of 46 (EF).
  3. Ensure Wi-Fi Calling Support: Allow TCP 443, UDP 500, and UDP 4500 for IPSec tunnels used by Wi-Fi calling or TELAIR Connect app.

After configuration, monitor the network to identify and resolve any VoIP quality issues with TELAIR’s services.

  1. Use Packet Captures:
    • Navigate to Security & SD-WAN > Appliance Status > Packet Capture to capture VoIP traffic to TELAIR’s servers. Analyze for packet loss, jitter, or latency.
  2. Check VoIP Health (if using Meraki Insight):
    • Enable VoIP Health monitoring under Network-Wide > Monitor > VoIP Health to measure call quality to TELAIR’s servers. Contact TELAIR Support for specific server IPs to monitor.
  3. Verify Bandwidth Usage: Monitor bandwidth usage in the Meraki Dashboard to ensure TELAIR VoIP traffic isn’t competing with other applications. Adjust QoS rules if necessary.
  4. Common Issues and Fixes:
    • Dropped Calls: Check for circuit saturation or microbursts. Increase VoIP priority or reduce per-client bandwidth limits for non-VoIP traffic.
    • Choppy Audio/Jitter: Ensure TELAIR VoIP traffic is on a dedicated VLAN and prioritized. Verify WAN uplink stability and confirm correct IP blocks with TELAIR Support.
    • One-Way Audio: Check NAT settings and ensure ALG is disabled if required by TELAIR’s PBX. Verify firewall rules allow TELAIR’s IP blocks.
    • Echoing: Adjust QoS to prioritize TELAIR VoIP traffic and reduce latency. Check for device-specific issues (e.g., headset or phone settings).
    • Phantom/Ghost Calls: Ensure firewall rules whitelist only TELAIR’s IP blocks for SIP traffic so that SIP port scans cannot reach your devices. Verify devices are synced with TELAIR’s secure configuration servers. Contact TELAIR Support to confirm proper device provisioning.

  • Segregate VoIP Traffic: Always use a dedicated Voice VLAN to prevent interference from data traffic.
  • Whitelist TELAIR IP Blocks: Define firewall and QoS rules using TELAIR’s specific IP blocks to enhance security and performance. Contact TELAIR Support for these details.
  • Avoid Overcomplicating QoS: For small networks with no reported issues, QoS may not be necessary unless bandwidth is limited.
  • Regularly Test Bandwidth: Re-run bandwidth tests periodically to ensure QoS settings align with current WAN performance.
  • Leverage TELAIR Support: TELAIR offers dedicated support for Canadian businesses. Use their customer portal for IP blocks, port details, or troubleshooting assistance.
  • Secure Against Ghost Calls: Use TELAIR’s secure configuration servers for device provisioning to prevent phantom calls. Ensure firewall rules block non-TELAIR SIP traffic.
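
For the packet-capture step above, packet loss and jitter can be computed directly from the RTP headers in a capture. The following is an added example, not part of the original article or any TELAIR or Meraki tooling: it parses the fixed RTP header and applies the RFC 3550 interarrival jitter estimator to one stream. The 8 kHz clock rate, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

CLOCK_HZ = 8000  # assumption: 8 kHz RTP clock (e.g. G.711); set to the codec actually in use

def parse_rtp(payload):
    """Return (seq, timestamp, ssrc) from the fixed 12-byte RTP header, or None if not RTP v2."""
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return None
    _, _, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return seq, ts, ssrc

def stream_stats(packets):
    """packets: (arrival_seconds, udp_payload) tuples for ONE stream, in capture order.
    Returns expected/received/lost counts and RFC 3550 interarrival jitter in ms.
    Reordering across a sequence wrap and 32-bit timestamp wrap are not handled."""
    jitter = 0.0
    prev_transit = first_seq = max_ext = None
    cycles = received = 0
    for arrival, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        seq, ts, _ = hdr
        received += 1
        ext = cycles + seq
        if first_seq is None:
            first_seq = max_ext = ext
        elif ext < max_ext - 0x8000:        # 16-bit sequence number wrapped
            cycles += 0x10000
            ext += 0x10000
        max_ext = max(max_ext, ext)
        transit = arrival * CLOCK_HZ - ts   # relative transit time in RTP clock units
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16
        prev_transit = transit
    expected = 0 if first_seq is None else max_ext - first_seq + 1
    return {"expected": expected, "received": received,
            "lost": expected - received, "jitter_ms": jitter * 1000 / CLOCK_HZ}

def make_pkt(seq, ts, ssrc=0x1234):
    """Build a constructed RTP packet: version 2, payload type 0, 160 bytes of dummy audio."""
    return struct.pack("!BBHII", 0x80, 0, seq, ts, ssrc) + b"\x00" * 160

# Constructed capture: 20 ms packets, one late arrival, one lost packet, a sequence wrap.
SAMPLE = [(0.000, make_pkt(65534, 0)), (0.020, make_pkt(65535, 160)),
          (0.045, make_pkt(0, 320)), (0.060, make_pkt(1, 480)),
          (0.100, make_pkt(3, 800))]

if __name__ == "__main__":
    print(stream_stats(SAMPLE))
```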

By configuring QoS, VLANs, and firewall settings on your Meraki MX firewall with TELAIR-specific IP blocks and ports, you can significantly improve VoIP call quality and reduce issues like dropped calls, jitter, or echoing. Contact TELAIR Support to obtain precise IP blocks for their SIP servers and Hosted PBX to ensure accurate firewall and QoS rules. Regularly monitor your network and adjust settings as needed to maintain optimal performance. If issues persist, leverage TELAIR’s support team or consult Meraki support for further assistance.