
Open the following ports on the firewall to allow communication between the Foreign (internal) and anchor (DMZ) controllers:
Legacy mobility: IP Protocol 97 for user data traffic, UDP Port 16666
New mobility: UDP Port 16666 and 16667
For optional management, these firewall ports need to be open:
SSH - TCP Port 22
TFTP - UDP Port 69
NTP - UDP Port 123
SNMP - UDP Ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP - TCP Ports 443/80
Syslog - TCP Port 514
RADIUS Auth/Accounting - UDP Ports 1812 and 1813
If your 9800 WLCs are configured as an HA pair, it is mandatory to configure a mobility MAC address. The default mobility group name is “default,” but it can be customized to a desired value. Remember that you must configure the same Mobility Group Name on every 9800 WLC between which roaming is expected.
Configure the mobility group name on the foreign and anchor controllers.
Foreign
Anchor
Configure the mobility tunnel between the foreign and anchor controllers.
Foreign
Anchor
The following scenario depicts what occurs when the firewall rules are NOT in place.
LA 9800 (foreign) WLC
Anchor WLC
LA WLC – The control path is down
Anchor (DMZ) WLC
Firewall logs
The firewall logs confirm that the anchor controller in the DMZ cannot initiate mobility traffic toward the foreign controller unless the firewall rules are in place.
What does this mean?
Without the mobility tunnel, an SSID configured as a “mobility anchor” cannot terminate client traffic in the DMZ. The wireless user’s IP point of presence SHOULD NOT be on the internal network. Therefore, a valid layer 3 interface is NOT required on the policy profile.
How is the issue resolved?
Opening UDP ports 16666 and 16667 between the foreign (internal) and anchor (DMZ) controllers allows the mobility tunnel to form.
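The port list at the top of this article and the firewall-log scenario above can both be checked mechanically. The script below is an added example written for this article; it is not Cisco code, and its rule syntax (`permit udp <src> <dst> <port>`) and log format (`<timestamp> DENY udp <src>:<port> -> <dst>:<port>`) are constructed stand-ins for whatever your firewall actually produces. It verifies that a policy permits the mobility ports in both directions (the anchor in the DMZ must be able to initiate toward the foreign controller, exactly the flow the logs above show being dropped), and it picks blocked mobility traffic out of deny logs. The controller addresses 10.10.1.10 and 192.0.2.20 are placeholders.

```python
"""Check a firewall policy for the Cisco 9800 mobility-tunnel ports and
scan deny logs for blocked mobility traffic.

Added example for this article, not Cisco's code.  Rule and log formats
are constructed for illustration; adapt the two regexes to your firewall.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports from the article.  "ip97" stands for IP protocol 97 (the legacy
# user-data tunnel), which has no port number.
MOBILITY_PORTS = {
    "new": [("udp", 16666), ("udp", 16667)],
    "legacy": [("udp", 16666), ("ip97", None)],
}


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "ip97"
    src: str              # IPv4 address or "any"
    dst: str              # IPv4 address or "any"
    port: Optional[int]   # destination port; None for port-less protocols


RULE_RE = re.compile(r"^(permit|deny)\s+(udp|tcp|ip97)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line in the constructed format
    '<permit|deny> <proto> <src> <dst> [port]'; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        action, proto, src, dst, port = m.groups()
        rules.append(Rule(action, proto, src, dst, int(port) if port else None))
    return rules


def is_permitted(rules, proto, src, dst, port):
    """First-match evaluation with an implicit deny at the end of the policy."""
    for r in rules:
        if r.proto != proto:
            continue
        if r.src not in ("any", src) or r.dst not in ("any", dst):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


def missing_mobility_rules(rules, foreign_ip, anchor_ip, mode="new"):
    """Return (src, dst, proto, port) flows the tunnel needs but the policy blocks.
    Both directions are checked because either controller may initiate."""
    missing = []
    for proto, port in MOBILITY_PORTS[mode]:
        for src, dst in ((foreign_ip, anchor_ip), (anchor_ip, foreign_ip)):
            if not is_permitted(rules, proto, src, dst, port):
                missing.append((src, dst, proto, port))
    return missing


LOG_RE = re.compile(
    r"^(\S+)\s+(DENY|PERMIT)\s+(udp|tcp)\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)"
)


def blocked_mobility_events(log_lines, foreign_ip, anchor_ip):
    """Pick out DENY entries for mobility traffic between the two controllers;
    a steady stream of these is the firewall-side sign of a control path that is down."""
    pair = {foreign_ip, anchor_ip}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, action, proto, src, _sport, dst, dport = m.groups()
        if action == "DENY" and proto == "udp" and {src, dst} == pair \
                and int(dport) in (16666, 16667):
            hits.append((ts, src, dst, int(dport)))
    return hits


# Constructed policy: only the foreign->anchor half of UDP 16666 was opened.
SAMPLE_RULES = """
# foreign (internal) -> anchor (DMZ)
permit udp 10.10.1.10 192.0.2.20 16666
permit tcp 10.10.1.10 192.0.2.20 22
deny   udp any any
"""

# Constructed corrected policy: both mobility ports, both directions.
SAMPLE_RULES_FIXED = """
permit udp 10.10.1.10 192.0.2.20 16666
permit udp 10.10.1.10 192.0.2.20 16667
permit udp 192.0.2.20 10.10.1.10 16666
permit udp 192.0.2.20 10.10.1.10 16667
permit tcp 10.10.1.10 192.0.2.20 22
deny   udp any any
"""

# Constructed log lines, not real firewall output.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z PERMIT udp 10.10.1.10:16666 -> 192.0.2.20:16666",
    "2024-05-01T10:00:02Z DENY udp 192.0.2.20:16666 -> 10.10.1.10:16666",
    "2024-05-01T10:00:03Z DENY udp 192.0.2.20:16667 -> 10.10.1.10:16667",
    "2024-05-01T10:00:04Z DENY udp 198.51.100.7:40000 -> 10.10.1.10:16666",
]

if __name__ == "__main__":
    for flow in missing_mobility_rules(parse_rules(SAMPLE_RULES), "10.10.1.10", "192.0.2.20"):
        print("missing permit:", flow)
    for ev in blocked_mobility_events(SAMPLE_LOGS, "10.10.1.10", "192.0.2.20"):
        print("blocked mobility traffic:", ev)
    print("fixed policy gaps:", missing_mobility_rules(parse_rules(SAMPLE_RULES_FIXED),
                                                       "10.10.1.10", "192.0.2.20"))
```

Run against the half-opened sample policy, the checker reports the anchor-to-foreign 16666 flow and both 16667 flows as missing, which is the same gap the firewall logs expose; the corrected policy reports none. Passing `mode="legacy"` checks IP protocol 97 instead of UDP 16667.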
LA tunnels down:
EAST DC tunnels down:
DMZ Anchor tunnels down:
Updated firewall rules
Mobility tunnels after the firewall change: