300-425 ENWLSD Exam Questions

300-425 ENWLSD Exam - Question 83


A wireless engineer must design mobility between two buildings at a campus site. The engineer has one controller at each site. The engineer is investigating inter-controller CAPWAP data and control traffic. Which two ports must be open? (Choose two.)

Correct Answer: DE

To ensure inter-controller CAPWAP data and control traffic in a campus site where there are two controllers, one at each site, the required ports that must be open are UDP ports 16666 and 16667. Port 16666 is used for the control path of CAPWAP tunnels in Cisco's inter-controller communication, and port 16667 is used for the data path. This ensures that mobility control messages and client data traffic between the controllers can be properly communicated.
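An added example (not part of the original page and not Cisco tooling): a first-match ACL check that reports which of the WLC-to-WLC flows quoted on this page a firewall ruleset between the two buildings would drop. The controller addresses, the sample ACL, and the `Rule`, `first_match` and `blocked_flows` names are constructed for illustration, and the model assumes a stateless ACL with an implicit deny at the end.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "udp", "97" (EoIP) or "ip" (any protocol)
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

# WLC-to-WLC flows as quoted on this page, keyed by mobility mode.
REQUIRED = {
    "capwap_mobility": [("udp", 16666), ("udp", 16667)],  # control path, data path
    "legacy_eoip": [("udp", 16666), ("97", None)],        # AireOS before 8.5
}

def first_match(rules, proto, src, dst, dport):
    """Action of the first rule matching the packet; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

def blocked_flows(rules, wlc_a, wlc_b, mode):
    """Required flows for `mode` that the ruleset drops, checked in both directions."""
    missing = []
    for src, dst in ((wlc_a, wlc_b), (wlc_b, wlc_a)):
        for proto, port in REQUIRED[mode]:
            if first_match(rules, proto, src, dst, port) != "permit":
                missing.append((src, dst, proto, port))
    return missing

# Constructed sample: controller addresses and ACL are invented for illustration.
WLC_A, WLC_B = "10.10.1.5", "10.20.1.5"
SAMPLE_ACL = [
    Rule("permit", "udp", "10.10.1.5/32", "10.20.1.5/32", 16666),
    Rule("permit", "udp", "10.20.1.5/32", "10.10.1.5/32", 16666),
    Rule("permit", "udp", "10.10.0.0/16", "10.20.1.5/32", 5246),  # AP join, not mobility
    Rule("permit", "udp", "10.10.0.0/16", "10.20.1.5/32", 5247),
]

if __name__ == "__main__":
    for flow in blocked_flows(SAMPLE_ACL, WLC_A, WLC_B, "capwap_mobility"):
        print("blocked:", flow)
```

With the sample ACL the mobility control path passes while the data path on UDP 16667 is dropped in both directions, so the peer rules should be scoped to the two controller addresses and cover both ports.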

Discussion

22 comments
Faridtnx Options: DE
May 21, 2023

A/B are CAPWAP ports for the AP-WLC connection. The question is asking for WLC-WLC, so D and E are correct.

NetworkJoe Options: DE
Nov 27, 2023

inter-controller roaming is using UDP/16666 and UDP/16667 CAPWAP tunnels.

Bapu20 Options: AB
Sep 29, 2022

5246 is for control and 5247 for data in order for an AP to join a WLC

Bapu20
Sep 29, 2022

• Ensure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller

CyborgXCZ Options: DE
Feb 13, 2023

Matrix Page https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html

| Source | Dest. | Protocol | Dest. Port | Src. Port | Description |
|--------|-------|----------|------------|-----------|-------------|
| WLC | WLC | UDP | 16666 | 16666 | Mobility - non-secured |
| WLC | WLC | UDP | 16666 | N/A | Mobility - secured - removed in 5.2 |
| WLC | AP | UDP | 5246-5247 | N/A | CAPWAP Ctl/Data |

dareangel11 Options: DE
Oct 14, 2022

The reference in the question is about two-WLC mobility or roaming, and what is being sought is about the inter-controller ports for CAPWAP. Inter-controller uses 16666, 16667 when a client roams between two APs registered to two controllers, but if the reference is about intra-controller, the client roams between APs on the same controller using ports 5246 & 5247 for mobility. Mobility Group - enables inter-controller wireless LAN roaming and controller redundancy.

dareangel11
Oct 17, 2022

Sorry, I also changed my mind. Really A and B are correct. Explanation: 16666 & 16667 are both "Control" traffic; 5246 & 5247 are protocol for data and control traffic.

dareangel11
Oct 17, 2022

16666 & 16667 - The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667)

Alonzo_Harris Options: AB
Dec 17, 2022

The answer is A & B.
CAPWAP Control Channel: Uses UDP port 5246
CAPWAP Data Channel: Uses port 5247 and encapsulates (tunnels) the client's 802.11 frames

peer1024 Options: DE
Jan 19, 2023

Explanation: Two different buildings on a campus --> two different IP address ranges --> WLC1 and WLC2 ARE NOT in the same IP address range. It will be a Layer 3 inter-controller roam with anchor and foreign controller.

The most recent platforms, such as the Catalyst 9800, transport mobility control messages over encrypted CAPWAP tunnels. Client data traffic is also transported over CAPWAP tunnels, but encryption is optional. Legacy controller platforms that are based on AireOS software prior to release 8.5 transport mobility messages over Ethernet-over-IP (EoIP) tunnels (IP protocol 97) and UDP port 16666. AireOS platforms running release 8.5 or later support encrypted CAPWAP. (16667)

Reference: Cert. guide "CCNP Enterprise ENWLSD 300-425 ENWLSI 300-430 Official Cert Guide", page 169f and page 175

CyborgXCZ
Feb 13, 2023

D & E

As per this official Cisco document https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/mobility_groups.html

If you have a firewall b/w your mobility group members, open UDP port 16666 and IP protocol 97. If you are using encrypted mobility, open UDP port 5246 and 5247. If you are using New Mobility, UDP port 16666, 16667, and 16668 are used. For information about protocols and port numbers that must be used for management and operational purposes, see the Matrix Site.

Furthermore, looking at the Matrix Page https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html

| Source | Dest. | Protocol | Dest. Port | Src. Port | Description |
|--------|-------|----------|------------|-----------|-------------|
| WLC | WLC | UDP | 16666 | 16666 | Mobility - non-secured |
| WLC | WLC | UDP | 16667 | n/a | Mobility - secured - removed in 5.2 |
| WLC | AP | UDP | 5246-5247 | n/a | CAPWAP Ctl/Data |

Since the question is related to controllers between each site (WLC <---> WLC), D & E is the most logical answer here.

SakoTRG
Nov 17, 2023

A+B is correct. CAPWAP uses 5246 + 5247 for both APs + WLC. 16666 is used with EoIP legacy.

Bandito Options: DE
Feb 5, 2024

The only inter-controller CAPWAP ports are 16666 and 16667. https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html

walacky
Oct 7, 2022

D and E. The question is related to inter-controller CAPWAP, not between AP and controller.

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107458-wga-faq.html

"On any firewall between the guest anchor controller and the remote controllers, these ports need to be open:
Legacy mobility: IP Protocol 97 for user data traffic, UDP Port 16666
New mobility: UDP Port 16666 and 16667"

walacky
Oct 7, 2022

Sorry, I changed my mind. Really A and B are correct

Farhad123
Oct 9, 2024

D and E are correct

Summo
Nov 1, 2022

The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667). The control path is DTLS encrypted by default. Data path DTLS can be enabled when you add the mobility peer.

Summo
Nov 1, 2022

As it is inter-controller, the answer is D and E.

RSC357
Dec 16, 2022

A + B - The Official Cisco Cert Guide does not contain the word 16667 or 8443. It does say AireOS, but this question does not. "AireOS software prior to release 8.5 transport mobility messages over Ethernet-over-IP (EoIP) tunnels (IP protocol 97) and UDP port 16666"

vigyory
Jan 25, 2023

I think D&E. Based on the Cisco ENWLSD book:
- UDP/5246-47 is used for CAPWAP traffic between AP and WLC (5246 for Control, and 5247 for Data traffic)
- this book says: Test mobility control messaging over UDP port 16666: mping <ip-address>

So, I think the right answers are D&E.

Gab99
Feb 5, 2023

It's not really clear.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-2/config-guide/b_wl_17_2_cg/mobility.html says: "The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667)"

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/mobility_groups.html says: "If you have a firewall b/w your mobility group members, open UDP port 16666 and IP protocol 97. If you are using encrypted mobility, open UDP port 5246 and 5247."

Araghas
Mar 30, 2023

"Ensure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller." https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-6/config-guide/b_cg86/ap_connectivity_to_cisco_wlc.html#capwap

Araghas
Mar 30, 2023

Update to below: https://community.cisco.com/t5/wireless/question-about-udp-16667/td-p/1399015

All_ultrex Options: AB
Jul 8, 2024

A&B, just googled the answer, CAPWAP talks on these two ports for data and control

All_ultrex
Aug 2, 2024

Changing my answer to DE, CyborgXCZ has a great answer below. This is a mobility tunnel, therefore it uses UDP 16666 and UDP 16667.

ShamsDimashki Options: AB
Jul 30, 2024

16666 and 16667 used for legacy platforms using EoIP

4cde783 Options: DE
Sep 11, 2024

The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667). The control path is DTLS encrypted by default. Data path DTLS can be enabled when you add the mobility peer. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/mobility.html

e9cc965 Options: DE
Jan 26, 2025

The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667). The control path is DTLS encrypted by default. Data path DTLS can be enabled when you add the mobility peer.