Open the following ports on the firewall to allow communication between the Foreign (internal) and anchor (DMZ) controllers:
Legacy mobility: IP Protocol 97 for user data traffic and UDP Port 16666
New mobility: UDP Ports 16666 and 16667
For optional management, these firewall ports need to be open:
SSH - TCP Port 22
TFTP - UDP Port 69
NTP - UDP Port 123
SNMP - UDP Ports 161 (gets and sets) and 162 (traps)
HTTPS/HTTP - TCP Port 443/80
Syslog - TCP Port 514
RADIUS Auth/Accounting - UDP Ports 1812 and 1813
If your 9800 WLCs are deployed as an HA pair, configuring a mobility MAC address is mandatory. The default mobility group name is “default,” but it can be changed to any desired value. Remember that the same Mobility Group Name must be configured on every 9800 WLC between which roaming is expected.
Configure the mobility group name on the “foreign” and “anchor” controllers.
[Figure: Foreign controller]
[Figure: Anchor controller]
Configure the mobility tunnel between the foreign and anchor controllers.
[Figure: Foreign controller]
[Figure: Anchor controller]
The following scenario depicts what occurs when the firewall rules are NOT in place.
[Figure: LA 9800 (foreign) WLC]
[Figure: Anchor WLC]
[Figure: LA WLC – the control path is down]
[Figure: Anchor (DMZ) WLC]
[Figure: Firewall logs]
The firewall logs confirm that the anchor controller cannot initiate traffic from the DMZ unless the firewall rules are in place.
What does this mean?
Without the tunnel, an SSID configured as a “mobility anchor” cannot terminate in the DMZ and pass client traffic there. The wireless user’s IP point of presence SHOULD NOT be on the internal network; therefore, a valid layer 3 interface is NOT required on the policy profile.
How is the issue resolved?
Opening UDP ports 16666 and 16667 between the foreign (internal) and anchor (DMZ) controllers allows the mobility tunnel to form.
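To turn the port list and the firewall-log scenario above into a repeatable check, here is an added Python example (not from the original article or from Cisco) that reads firewall deny entries and reports which required foreign-to-anchor flows are being dropped and whether the mobility tunnel can still form. The log line format, controller addresses and sample entries are constructed for the example.

```python
import re
from collections import defaultdict
# Flows from the port list above, keyed by (protocol, destination port).
# IP protocol 97 carries no ports, so it is keyed by ("97", None).
MOBILITY_FLOWS = {
    ("udp", 16666): "mobility control (legacy and new mobility)",
    ("udp", 16667): "mobility data (new mobility)",
    ("97", None): "mobility user data (legacy, IP protocol 97)",
}
MANAGEMENT_FLOWS = {
    ("tcp", 22): "SSH", ("udp", 69): "TFTP", ("udp", 123): "NTP",
    ("udp", 161): "SNMP get/set", ("udp", 162): "SNMP traps",
    ("tcp", 443): "HTTPS", ("tcp", 80): "HTTP", ("tcp", 514): "Syslog",
    ("udp", 1812): "RADIUS auth", ("udp", 1813): "RADIUS accounting",
}
# Constructed, simplified deny-log format (not any vendor's real format):
#   "<ts> DENY proto=<udp|tcp|number> src=<ip> dst=<ip> [sport=<n> dport=<n>]"
LOG_RE = re.compile(
    r"DENY proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: sport=\d+ dport=(?P<dport>\d+))?")

def blocked_flows(log_lines, foreign_ip, anchor_ip):
    """Map each required flow denied between the two controllers to the
    'src->dst' directions in which the firewall dropped it."""
    controllers = {foreign_ip, anchor_ip}
    blocked = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or {m["src"], m["dst"]} != controllers:
            continue  # unparseable, or not controller-to-controller traffic
        dport = int(m["dport"]) if m["dport"] else None
        key = (m["proto"].lower(), dport)
        desc = MOBILITY_FLOWS.get(key) or MANAGEMENT_FLOWS.get(key)
        if desc:
            blocked[desc].append(f"{m['src']}->{m['dst']}")
    return dict(blocked)

def tunnel_can_form(blocked):
    """Tunnel forms only when no mobility flow is denied; blocked management
    flows (NTP, SNMP, ...) do not stop it by themselves."""
    return not any(desc in MOBILITY_FLOWS.values() for desc in blocked)

# Constructed sample: anchor 203.0.113.10 (DMZ) trying to reach foreign 10.1.1.10.
SAMPLE_LOG = [
    "t1 DENY proto=udp src=203.0.113.10 dst=10.1.1.10 sport=16666 dport=16666",
    "t2 DENY proto=udp src=203.0.113.10 dst=10.1.1.10 sport=16667 dport=16667",
    "t3 DENY proto=97 src=203.0.113.10 dst=10.1.1.10",
    "t4 DENY proto=udp src=203.0.113.10 dst=10.1.1.10 sport=40000 dport=123",
    "t5 DENY proto=tcp src=192.0.2.50 dst=10.1.1.10 sport=5555 dport=22",
]
```

Running `blocked_flows(SAMPLE_LOG, "10.1.1.10", "203.0.113.10")` flags both mobility UDP ports and protocol 97 as dropped from the DMZ side, so `tunnel_can_form` returns False; the unrelated SSH deny from a third host is ignored.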