Mobility traffic ports

Jerome BERTHIER · ‎03-15-2024

[Edited on March 16th to add details]

Hello

I was a bit confused about the traffic ports used by mobility on WLC AireOS or IOS-XE.

Trying a quick review of traffic ports used by mobility :

AireOS IRCM other than 8.5 IRCM or 8.8.111 and later
- since this documentation : https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010011.html#info-encrypted-mobility-tunnel
- control : port UDP 16666 - with or without encryption option to add DTLS
- data :
  - protocol 97 EoIP
  - but UDP 16667 with encryption option to add DTLS
- encryption option not supported on WLC 5508 and 8510
AireOS IRCM 8.5 IRCM or 8.8.111 and later
- since this documentation : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/ConfiguringIRCM/b-configuring-inter-release-controller-mobility-in-wireless-deployments-supporting-aireos-and-catalyst-9800-controllers/m-ircm-support-for-brownfield-deployme...
- control port UDP 16666 - option encrypt to secure traffic control with the peer (mandatory if IOS-XE peer)
- data
  - with AireOS peer (L2 mobility) : protocol 97 EoIP
  - with AireOS IRCM peer (L2 / L3 mobility): port UDP 16667 - with option data-dtls to secure data traffic with the peer
  - with IOS-XE peer (L3 mobility) : port UDP 16667 - with or without option data-dtls to secure data traffic with the peer
IOS-XE
- control port UDP 16666 - always encrypted (needs encrypt option on AireOS 8.5 IRCM or 8.8.111 and later)
- data port UDP 16667 - with or without option data-link-encryption to secure data traffic with the peer

I also found this matrix : https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html#toc-hId--1639616132

About CAPWAPP between APs and controllers, it seems limited to UDP 5246 and UDP 5247 (encrypted).

But why this documentation from AireOS 8.10 states that if using secure mobility, we need UDP 5246-5247 ports ? I tough it was limited to CAPWAPP between controlers and APs :

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/mobility_groups.html

I edited this post on March 16th to add details. Am I wrong ?

Regards

Rich R · ‎05-12-2024

> if using secure mobility, we need UDP 5246-5247 ports
I think that's probably a mistake. Use the feedback option to report it. Sometimes, eventually, the document will be corrected. If you're lucky it can even happen within 2 weeks.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Jerome BERTHIER · ‎05-12-2024

Feedback posted. I'll get back with Cisco answer.

Regards

Jerome BERTHIER · ‎06-18-2024

Hi

I had a feedback. The documentation has been fixed. Now it states :

"UDP port 5246 and 5247 are for CAPWAP between AP and controller. Encrypted mobility uses UDP 16666 for control and UDP 16667 for data (either encrypted or plain). EoIP IP 97 is for old mobility."

Documentation link: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/mobility_groups.html#ID148

Regards