Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Bronze

question about UDP 16667

I have a quick question about UDP 16667, it is said in configuration guide that:

“IPSec encryption can also be configured for the inter-controller mobility messages, in which case port 16667 is used.”

My question is how to configure IPSec to support it? I can’t find any document describe this. Thanks for any input!

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: question about UDP 16667

That is the only command required if you want to enable secure mobility.  So UPD port 16667 will need to be allowed, but 16666 doesn't need to be since you are using secure mobility.  Now depending on how your setup, you will need other ports allowed if required:

Q. What ports do I need to permit for Lightweight Access Point Protocol (LWAPP) communication when there is a firewall in the network?

A. You must enable these ports:

  • Enable these UDP ports for LWAPP traffic:

    • Data - 12222

    • Control - 12223

  • Enable these UDP ports for Mobility traffic:

    • 16666 - Secured Mode

    • 16667 - Unsecured Mode

Mobility and data messages are usually exchanged through EtherIP packets. IP protocol 97 must be allowed on the firewall to allow EtherIP packets. If you use ESP to encapsulate mobility packets, you have to permit ISAKMP through the firewall when you open UDP port 500. You also have to open the IP protocol 50 to allow the encrypted data to pass through the firewall.

These ports are optional (depending on your requirements):

  • TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])

  • UDP 69 for TFTP

  • TCP 80 and/or 443 for HTTP or HTTPS for GUI access

  • TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access

-Scott
*** Please rate helpful posts ***
5 REPLIES
Hall of Fame Super Silver

Re: question about UDP 16667

That might be a good question for TAC or one of the Cisco engineers on this forum.  I have seen that listed in the 3.2 code docs way back when and really have not seen any supporting documents on how to configure this feature if it even exist:)

-Scott
*** Please rate helpful posts ***
Bronze

Re: question about UDP 16667

What I can find is to use “config mobility secure-mode enable” to use 16667 instead of 16666, however nothing talked about IPSec itself. Usually IPSec has a lot of parameters tunable, but I can't find out any document describing how to configure them. It seems for WLC all the parameters are fixed and not changable; all the IPSec packets are encapsulated with UDP 16667, we don't need to configure anything else in the WLC other than the above command, for all the network equipments(for example Firewall) between the two WLC, only need to allow UDP 16667.  I just want to confirm this.

Hall of Fame Super Silver

Re: question about UDP 16667

That is the only command required if you want to enable secure mobility.  So UPD port 16667 will need to be allowed, but 16666 doesn't need to be since you are using secure mobility.  Now depending on how your setup, you will need other ports allowed if required:

Q. What ports do I need to permit for Lightweight Access Point Protocol (LWAPP) communication when there is a firewall in the network?

A. You must enable these ports:

  • Enable these UDP ports for LWAPP traffic:

    • Data - 12222

    • Control - 12223

  • Enable these UDP ports for Mobility traffic:

    • 16666 - Secured Mode

    • 16667 - Unsecured Mode

Mobility and data messages are usually exchanged through EtherIP packets. IP protocol 97 must be allowed on the firewall to allow EtherIP packets. If you use ESP to encapsulate mobility packets, you have to permit ISAKMP through the firewall when you open UDP port 500. You also have to open the IP protocol 50 to allow the encrypted data to pass through the firewall.

These ports are optional (depending on your requirements):

  • TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])

  • UDP 69 for TFTP

  • TCP 80 and/or 443 for HTTP or HTTPS for GUI access

  • TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access

-Scott
*** Please rate helpful posts ***
Bronze

Re: question about UDP 16667

Thanks Scott! Does UDP16667 means ESP will be used and the firewall not only need to allow UDP 16667/IP protocol 97, but also UDP 500 and IP protocol 50?

Hall of Fame Super Silver

Re: question about UDP 16667

No problem... just open UDP 16667 on the FW from WLC to WLC.  ESP is that whole thing about securing mobility messages using ipsec:)

-Scott
*** Please rate helpful posts ***
1750
Views
0
Helpful
5
Replies