
Mobility control & data encryption

Murinos (Level 1)

Hi everybody!

Found this paper:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_encrypted_tunnel_deployment_guide.html

 

It says that:

"In release 8.7 end-to-end Tunnel encrypted between Anchor and Foreign Controllers"

by issuing commands:

config mobility group member add

config mobility encryption enable

(I'm not mentioning adding mobility peers)

 

But in Configuration Guide it's more complicated:

config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt {enable | disable}

config mobility group member data-dtls peer-mac-addr {enable | disable}

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/encrypted_mobility_tunnel.html

 

1) Which commands are true?

2) Will both control (port 16666) and data (port 16667) flows be encrypted after enabling this feature?

3) When deploying Foreign-Anchor scenario with this encryption, is it enough to open ports 16666 & 16667 on the firewalls for mobility messaging and user traffic to be tunneled between foreign and anchor? Or is it required to open 5246/5247 for CAPWAP traffic for Anchor also? (not mentioning everything else, like https, snmp etc.)

 

Thanks in advance!

Artem


"In release 8.7 end-to-end Tunnel encrypted between Anchor and Foreign Controllers"

by issuing commands:

config mobility group member add

config mobility encryption enable

(I'm not mentioning adding mobility peers)

 

But in Configuration Guide it's more complicated:

config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt {enable | disable}

config mobility group member data-dtls peer-mac-addr {enable | disable}

 

1) Which commands are true?

 

"config mobility group member add" is not the full command syntax. What you see in the config guide is the full syntax of that command. The other deployment guide just gives the starting section of that command.

 

Mobility peer encryption was introduced in the 8.5MR1 release. So in that version you have to enable it globally (note that the WLC will reboot once you enable it). See this Cisco Live presentation (the image below is from it, slide 16).

[image: encrypted-mobility.JPG]

 

(WLC-1) >config mobility ?

dscp Configures the Mobility inter controller DSCP value.
encryption Configures tunnel(control/data) encryption in mobility flat architecture.
group Configures the Mobility group parameters.
multicast-mode Configures the Multicast Mode for mobility messages
new-architecture Configure the controller to switch between old and new mobility architecture.
statistics Resets the mobility statistics

 

(WLC-1) >config mobility encryption enable


Enabling encryption would change the data and control channel of mobility tunnel from unencrypted to encrypted !!!
Configuration changes will be saved and System will be rebooted. !!!
Are you sure you want to continue? (y/n)
y


Mobility tunnel encryption is enabled for flat architecture.
The system has unsaved changes.
Configuration saved!
System will now restart!

 

In later versions, you do not have the option to enable it like that. You can enable it per mobility member. Here are the configuration options on a controller running 8.10.

 

(WLC-3) >config mobility ?

dscp Configures the Mobility inter controller DSCP value.
group Configures the Mobility group parameters.
multicast-mode Configures the Multicast Mode for mobility messages
statistics Resets the mobility statistics. 

 

(WLC-3) >config mobility group member ?

add Add/Change a Mobility group member to the list.
data-dtls Optional data-dtls configuration for mobility peer. Default is enabled
delete Delete a Mobility group member from the list.
hash Configure hash key for authorization. Applicable only if member is a Virtual Controller in the same domain.

 

(WLC-3) >config mobility group member add 28:94:0f:ae:42:e0 10.5.x.x mildura encrypt ?

disable Disables secure communication to peer
enable Enables secure communication to peer

 

(WLC-3) >config mobility group member add 28:94:0f:ae:42:e0 10.5.x.x mildura encrypt enable

 

2. Yes, both control & data will be encrypted. You can disable "data-dtls" if you want.

 

(WLC-3) >config mobility group member data-dtls 28:94:0f:ae:42:e0 ?

 

enable Optional data-dtls enable or disable for member
disable Optional data-dtls enable or disable for member

 

(WLC-3) >config mobility group member data-dtls 28:94:0f:ae:42:e0 enable

data-dtls already configured

 

3. Still mobility messages use UDP 16666 & 16667 in outer headers, however inner traffic (control & data) is encrypted.

 

HTH

Rasika

*** Pls rate all useful responses ***
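As an added example (not from the thread, from Cisco or from any of its documentation), the Python below checks the points in answers 2 and 3 the way a security department could verify them from a packet capture between the foreign and anchor controllers: the outer UDP ports stay 16666/16667, and each datagram's payload is tested for a well-formed DTLS record header. It assumes the DTLS record starts at byte 0 of the UDP payload with one record per datagram; the Datagram class, the addresses and the sample datagrams are constructed.

```python
import struct
from dataclasses import dataclass

# Outer UDP ports named in the thread: mobility control/data and CAPWAP control/data.
CHANNELS = {16666: "mobility-control", 16667: "mobility-data", 5246: "capwap-control", 5247: "capwap-data"}
# DTLS record header (RFC 6347): type(1) version(2) epoch(2) seq(6) length(2) = 13 bytes.
DTLS_HEADER_LEN = 13
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
DTLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes

def parse_dtls_record(payload: bytes):
    """Return (content type, version) if payload is one well-formed DTLS record, else None."""
    if len(payload) < DTLS_HEADER_LEN:
        return None
    # Assumption: the record starts at byte 0 of the UDP payload (no vendor preamble).
    ctype, version, _epoch, _seq, length = struct.unpack("!BHH6sH", payload[:DTLS_HEADER_LEN])
    if ctype not in DTLS_TYPES or version not in DTLS_VERSIONS:
        return None
    if length != len(payload) - DTLS_HEADER_LEN:   # one record per datagram assumed
        return None
    return DTLS_TYPES[ctype], DTLS_VERSIONS[version]

def audit(datagrams):
    """Per channel: datagrams seen and how many of them were NOT DTLS-framed."""
    summary = {}
    for dg in datagrams:
        channel = CHANNELS.get(dg.dport, "other")
        entry = summary.setdefault(channel, {"count": 0, "plaintext": 0})
        entry["count"] += 1
        if parse_dtls_record(dg.payload) is None:
            entry["plaintext"] += 1
    return summary

def dtls_record(ctype, body, version=0xFEFD, epoch=1, seq=1):
    """Build one DTLS record; used only to construct the sample datagrams below."""
    return struct.pack("!BHH6sH", ctype, version, epoch, seq.to_bytes(6, "big"), len(body)) + body

# Constructed sample, foreign 10.1.1.10 -> anchor 10.2.2.20 (placeholder addresses).
SAMPLE = [
    Datagram("10.1.1.10", "10.2.2.20", 16666, dtls_record(22, b"\x01" * 40)),       # control: handshake
    Datagram("10.1.1.10", "10.2.2.20", 16667, dtls_record(23, b"\x00" * 64)),       # data: application_data
    Datagram("10.1.1.10", "10.2.2.20", 16667, b"\x45\x00\x00\x54" + b"\x00" * 80),  # data: plaintext, not DTLS
]
```

A non-zero plaintext count on mobility-data is what you would expect after "data-dtls disable"; traffic on 5246/5247 between the two controllers would be AP CAPWAP, not mobility.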


Scott Fella (Hall of Fame)
I don't think this is necessary in your own environment, maybe in a shared environment. Mobility only uses 16666 and 16667, and you don't need the ports for APs open unless for some reason you have APs joined to those controllers.
-Scott
*** Please rate helpful posts ***

Thanks, Scott!

It's the customer's requirement. We need to either confirm or refute that both flows are encrypted when speaking with their security department. It will not affect the design though; I just want to be sure when speaking with them.

 

Okay… one thing that is important and is something to discuss with them is: is this for guest, and if so, why not make it as simple as possible for the end user? If they want PSK, then only do WPA2-PSK and not use a portal. You will not be able to do both together, and that is frustrating for an end user who has to do both if it was even available. Give them the choice of one or the other :)
-Scott
*** Please rate helpful posts ***


Thank you very much, Rasika!
It's exactly what I needed to know.