This guide walks you through configuring a Cisco Meraki network (MX firewall, MR access points, MS switches) to fully support Webex Calling, Meetings, Messaging, and Webex Devices. Follow each section in order, then validate with the CScan tool at the end.
Separate voice/video traffic from data traffic using dedicated VLANs. This is critical for QoS to work properly.
| VLAN | Name | Subnet Example | Purpose |
|---|---|---|---|
| 100 | Voice | 10.0.100.0/24 | Desk phones, ATAs, Webex Calling devices |
| 110 | Video/Meetings | 10.0.110.0/24 | Webex Room devices, Board, Desk series |
| 200 | Corporate | 10.0.200.0/24 | Desktops, laptops (Webex App runs here) |
| 300 | Guest | 10.0.300.0/24 | Guest Wi-Fi (no Webex access needed) |
In Meraki Dashboard: Go to Security & SD-WAN > Addressing & VLANs (MX) and create each VLAN. For switches, go to Switch > Routing & DHCP and configure trunk ports with all voice/data VLANs tagged.
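A pre-flight check of the VLAN plan before entering it in Dashboard, as an added example (not part of the original guide). It validates VLAN IDs and subnets and detects overlaps; run against the table as printed, it flags the Guest row, because 10.0.300.0/24 is not a valid IPv4 network (no octet can exceed 255). The function name `validate_plan` is hypothetical.

```python
import ipaddress

# (VLAN ID, name, subnet) exactly as listed in the table above.
VLAN_PLAN = [
    (100, "Voice", "10.0.100.0/24"),
    (110, "Video/Meetings", "10.0.110.0/24"),
    (200, "Corporate", "10.0.200.0/24"),
    (300, "Guest", "10.0.300.0/24"),
]

def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is usable."""
    problems, seen_ids, accepted = [], set(), []
    for vlan_id, name, subnet in plan:
        label = f"VLAN {vlan_id} ({name})"
        if not 1 <= vlan_id <= 4094:
            problems.append(f"{label}: ID outside 1-4094")
        if vlan_id in seen_ids:
            problems.append(f"{label}: duplicate VLAN ID")
        seen_ids.add(vlan_id)
        try:
            # strict=True also rejects subnets written with host bits set
            net = ipaddress.ip_network(subnet, strict=True)
        except ValueError as exc:
            problems.append(f"{label}: invalid subnet {subnet}: {exc}")
            continue
        for other_id, other_net in accepted:
            if net.overlaps(other_net):
                problems.append(f"{label}: {net} overlaps VLAN {other_id} ({other_net})")
        accepted.append((vlan_id, net))
    return problems

if __name__ == "__main__":
    for problem in validate_plan(VLAN_PLAN):
        print(problem)
```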
QoS ensures voice and video packets are prioritized over bulk data. Configure these DSCP markings on your MX firewall:
| Traffic Type | DSCP Value | DSCP Name | Ports |
|---|---|---|---|
| Voice (Audio) | 46 | EF (Expedited Forwarding) | UDP 8500-8599, 19560-19661 |
| Video | 34 | AF41 (Assured Forwarding) | UDP 8600-8699, 52200-52299 |
| Signaling (SIP) | 24 | CS3 (Class Selector 3) | TCP 5062, 8934 |
| Data / Default | 0 | Best Effort | Everything else |
In Meraki Dashboard: Go to Security & SD-WAN > SD-WAN & traffic shaping. Create traffic shaping rules for each traffic class above. Set the Voice VLAN source to “High” priority with “Speed Limit: Unlimited” and DSCP tag 46.
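To confirm the markings actually reach the wire, the following added example (not part of the original guide) reads the DSCP field from a raw IPv4 packet, such as one exported from a capture on the MX uplink, and compares it with the value the table above expects for that destination port. It assumes outbound packets matched on destination port; `check_dscp` and `sample_packet` are hypothetical names, and the sample packets are constructed.

```python
import struct

# Expected DSCP per (IP protocol, destination port range), from the QoS table above.
EXPECTED = [
    (17, 8500, 8599, 46),    # voice, EF
    (17, 19560, 19661, 46),  # voice, EF
    (17, 8600, 8699, 34),    # video, AF41
    (17, 52200, 52299, 34),  # video, AF41
    (6, 5062, 5062, 24),     # SIP signaling, CS3
    (6, 8934, 8934, 24),     # SIP signaling, CS3
]

def check_dscp(packet: bytes):
    """Return (dst_port, observed_dscp, expected_dscp, ok) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    dscp = packet[1] >> 2             # upper 6 bits of the ToS byte; lower 2 are ECN
    proto = packet[9]                 # 6 = TCP, 17 = UDP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        raise ValueError("non-first fragment carries no L4 header")
    if proto not in (6, 17) or len(packet) < ihl + 4:
        raise ValueError("not TCP/UDP, or truncated")
    # Source and destination ports sit in the first 4 bytes of both TCP and UDP.
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    expected = 0                      # "Data / Default" row: best effort
    for rule_proto, low, high, value in EXPECTED:
        if rule_proto == proto and low <= dst_port <= high:
            expected = value
    return dst_port, dscp, expected, dscp == expected

def sample_packet(proto, dst_port, tos):
    """Constructed test input: 20-byte IPv4 header plus 8 bytes of L4 header."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, proto, 0,
                         bytes([10, 0, 100, 20]), bytes([23, 89, 0, 10]))
    return header + struct.pack("!HHHH", 40000, dst_port, 8, 0)

if __name__ == "__main__":
    # ToS bytes: 0xB8 = EF, 0x00 = unmarked, 0x60 = CS3
    for proto, port, tos in [(17, 8500, 0xB8), (17, 8650, 0x00), (6, 8934, 0x60)]:
        print(check_dscp(sample_packet(proto, port, tos)))
```

A video packet that arrives with DSCP 0, like the second sample, indicates the traffic shaping rule is not matching or that a device in the path is resetting the field.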
Allow outbound traffic to all Webex service endpoints. These rules go in Security & SD-WAN > Firewall > Layer 3 Outbound Rules.
| Protocol | Dest Port | Destination | Description |
|---|---|---|---|
| TCP | 5062 | 23.89.0.0/16, 170.72.0.0/16, 128.177.14.0/24 | SIP TLS (cert-based) |
| TCP | 8934 | 23.89.0.0/16, 170.72.0.0/16, 128.177.14.0/24 | SIP TLS (registration) |

| Protocol | Dest Port | Destination | Description |
|---|---|---|---|
| UDP | 5004 | 23.89.0.0/16, 170.72.0.0/16, 150.253.128.0/17 | STUN/TURN |
| UDP | 8500-8699 | 23.89.0.0/16, 170.72.0.0/16, 150.253.128.0/17 | Webex App audio & video |
| UDP | 19560-19661 | 23.89.0.0/16, 170.72.0.0/16 | Cisco IP Phone media |
| UDP | 52050-52099, 52200-52299 | 23.89.0.0/16, 170.72.0.0/16 | Webex Room device audio & video |

| Protocol | Dest Port | Destination | Description |
|---|---|---|---|
| TCP | 443 | *.webex.com, *.cisco.com, *.wbx2.com | Webex services (HTTPS) |
| TCP | 80, 443, 6970 | activate.cisco.com, binaries.webex.com | Device activation & firmware |
| UDP | 123 | Any NTP server | Time sync (required for TLS) |
| UDP/TCP | 53 | DNS servers | DNS resolution (HTTPS & SRV) |
Important: For the full list of IP subnets, see Webex Calling Port Reference.
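Before switching the outbound policy to default deny, it helps to replay observed flows against the allow list. This added example (not part of the original guide) encodes only the IP-based rows of the tables above and reports flows that none of them cover. The FQDN, NTP and DNS rows are out of scope here, the flow records are constructed, and `match_rule` and `uncovered` are hypothetical names.

```python
import ipaddress

CORE = ["23.89.0.0/16", "170.72.0.0/16"]
# (protocol, destination port ranges, destination CIDRs, description),
# copied from the IP-based rows of the firewall tables above.
RULES = [
    ("tcp", [(5062, 5062)], CORE + ["128.177.14.0/24"], "SIP TLS (cert-based)"),
    ("tcp", [(8934, 8934)], CORE + ["128.177.14.0/24"], "SIP TLS (registration)"),
    ("udp", [(5004, 5004)], CORE + ["150.253.128.0/17"], "STUN/TURN"),
    ("udp", [(8500, 8699)], CORE + ["150.253.128.0/17"], "Webex App audio & video"),
    ("udp", [(19560, 19661)], CORE, "Cisco IP Phone media"),
    ("udp", [(52050, 52099), (52200, 52299)], CORE, "Webex Room device audio & video"),
]

def match_rule(proto, dst_ip, dst_port):
    """Return the description of the first allow rule covering the flow, else None."""
    ip = ipaddress.ip_address(dst_ip)
    for rule_proto, ranges, cidrs, description in RULES:
        if rule_proto != proto.lower():
            continue
        if not any(low <= dst_port <= high for low, high in ranges):
            continue
        if any(ip in ipaddress.ip_network(cidr) for cidr in cidrs):
            return description
    return None

def uncovered(flow_lines):
    """Each line is 'proto dst_ip dst_port'; return the flows no rule allows."""
    misses = []
    for line in flow_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        proto, dst_ip, dst_port = line.split()
        if match_rule(proto, dst_ip, int(dst_port)) is None:
            misses.append((proto.lower(), dst_ip, int(dst_port)))
    return misses

# Constructed flow records, not real traffic.
SAMPLE_FLOWS = [
    "tcp 128.177.14.9 8934",    # covered: SIP TLS (registration)
    "udp 23.89.1.5 8550",       # covered: Webex App audio & video
    "udp 150.253.200.1 19560",  # this subnet is not listed for phone media above
    "udp 128.177.14.9 5004",    # 128.177.14.0/24 appears only in the TCP rows
    "tcp 170.72.3.3 5061",      # port not in any rule
]

if __name__ == "__main__":
    for flow in uncovered(SAMPLE_FLOWS):
        print("would be blocked:", flow)
```

A miss means the flow is not covered by the rows printed on this page; check it against the full Webex Calling Port Reference before deciding whether to add a rule.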
SIP Application Layer Gateway (ALG) modifies SIP packets as they pass through the firewall. This breaks Webex Calling. Cisco explicitly states: “If a router or firewall is SIP Aware, we recommend you turn off this functionality.”
In Meraki Dashboard: Meraki MX does not have a traditional SIP ALG setting — it uses Meraki’s flow-based firewall which does not perform SIP inspection by default. However, if you have a third-party firewall upstream or in the path, verify SIP ALG is disabled there.
Cisco recommends maintaining the default MTU of 1500 bytes for all IP packets. Do not lower MTU unless required by your WAN connection (e.g., PPPoE which typically uses 1492). Fragmented packets degrade call quality.
Webex Calling works through NAT — no inbound port forwarding is needed. However:
If users will make calls on Webex App via Wi-Fi, or if you have Wi-Fi-enabled Webex devices:
In Meraki Dashboard: Go to Wireless > Configure > SSIDs for SSID setup, and Wireless > Configure > Radio settings for band steering and channel width.
Each concurrent call requires approximately:
| Call Type | Bandwidth per Call | Notes |
|---|---|---|
| Audio only | 100 Kbps up + 100 Kbps down | G.711 codec, ~50 pps per leg |
| Video call (720p) | 1.5 Mbps up + 1.5 Mbps down | Per participant |
| Video call (1080p) | 3 Mbps up + 3 Mbps down | Meetings with screen share |
| Screen sharing only | 2 Mbps up + 2 Mbps down | Content sharing stream |
Example: An office with 25 users where 10 might be on calls simultaneously needs at minimum: 10 × 100 Kbps = 1 Mbps for audio, plus headroom for video and data. Recommend 50 Mbps+ symmetrical for 25 Webex users.
For Cisco IP Phones connected to Meraki MS switches:
In Meraki Dashboard: Go to Switch > Configure > Ports and configure each phone port.
If you use Meraki content filtering or AMP, whitelist these domains to prevent Webex traffic from being blocked:
In Meraki Dashboard: Go to Security & SD-WAN > Content filtering and add these to the whitelist.
After completing all configuration, run the Cisco CScan tool to verify your network is ready:
| Metric | Target | Acceptable | Poor |
|---|---|---|---|
| Latency (RTT) | < 100 ms | 100-200 ms | > 200 ms |
| Jitter | < 20 ms | 20-40 ms | > 40 ms |
| Packet Loss | < 1% | 1-3% | > 3% |
| Port 8934 | Open | — | Blocked (calls will fail) |
Note: CScan cannot test QoS/DSCP marking, VLAN configuration, or Wi-Fi quality. Those must be verified separately in the Meraki Dashboard.
| Symptom | Likely Cause | Fix |
|---|---|---|
| Calls drop after 30 sec | SIP ALG rewriting packets | Disable SIP ALG on upstream firewall |
| One-way audio | UDP media ports blocked | Allow UDP 5004, 8500-8699 outbound |
| Phone won’t register | TCP 8934 blocked or DNS failing | Check firewall rules & DNS resolution |
| Choppy/robotic audio | Jitter > 40ms or packet loss > 3% | Enable QoS, check Wi-Fi congestion |
| Phone won’t activate | activate.cisco.com blocked | Whitelist activate.cisco.com on port 443 |
| CScan fails port test | Content filter blocking cscan.webex.com | Whitelist *.webex.com |