Exam 300-425 topic 1 question 83 discussion

A/B are capwap ports for AP-WLC connection. The question is asking for WLC-WLC D and E is correct

inter-controller roaming is using UDP/16666 and UDP/16667 CAPWAP tunnels.

The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667). The control path is DTLS encrypted by default. Data path DTLS can be enabled when you add the mobility peer.

D and E are correct

The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667). The control path is DTLS encrypted by default. Data path DTLS can be enabled when you add the mobility peer. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/mobility.html

16666 and 16667 used for legacy platforms using EoIP

A&B, just googled the answer, CAPWAP talks on these two ports for data and control

The only intercontroller CAPWAP ports are 16666 and 16667 https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html

a+b is correct CAPWAP uses 5246 + 5247 for both APs + WLC 16666 is used with EoIP Legacy

Update to below: https://community.cisco.com/t5/wireless/question-about-udp-16667/td-p/1399015

"Ensure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller." https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-6/config-guide/b_cg86/ap_connectivity_to_cisco_wlc.html#capwap

Matrix Page https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html Source----Dest.------Protocol-----Dest. Port------Src. Port-----Description WLC--------WLC-------UDP------------16666-----------16666----------Mobility - non-secured WLC--------WLC-------UDP------------16666------------N/A-------------Mobility - secured - removed in 5.2 WLC -------AP----------UDP------------5246-5247-----N/A-------------CAPWAP Ctl/Data

D & E As per this official Cisco Document https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/mobility_groups.html If you have a firewall b/w your mobility group members, open UDP port 16666 and IP protocol 97. If you are using encrypted mobility, open UDP port 5246 and 5247. If you are using New Mobility, UDP port 16666, 16667, and 16668 are used. For information about protocols and port numbers that must be used for management and operational purposes, see the Matrix Site Further more looking at the Matrix Page https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html Source Dest. Protocol Dest. Port Src. Port Description WLC WLC UDP 16666 16666 Mobility - non-secured WLC WLC UDP 16667 n/a Mobility - secured - removed in 5.2 WLC AP UDP 5246-5247 n/a CAPWAP Ctl/Data Since the question is related to controllers between each site (WLC < --- > WLC) then D & E is the most logical answer here.

its not really clear https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-2/config-guide/b_wl_17_2_cg/mobility.html says: "The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667)" https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/mobility_groups.html says: "If you have a firewall b/w your mobility group members, open UDP port 16666 and IP protocol 97. If you are using encrypted mobility, open UDP port 5246 and 5247."

I think D&E. Based on Cisco ENWLSD book - UDP/5246-47 is used for CAPWAP traffic between AP and WLC (5246 for Controll, and 5247 for Data traffic) - this book says: Test mobility control messaging over UDP port 16666 mping <ip-address> So, I think the right answers are D&E

Explanation: Two different building on a campus --> to different IP address ranges --> WLC1 and WLC2 ARE NOT in te same ip address range It will be a Layer 3 inter controller roam with anchor and foreign controller. The most recent platforms, such as the Catalyst 9800, transport mobility control messages over encrypted CAPWAP tunnels. Client data traffic is also transported over CAPWAP tunnels, but encryption is optional. Legacy controller platforms that are based on AireOS software prior to release 8.5 transport mobility messages over Ethernet-over-IP (EoIP) tunnels (IP protocol 97) and UDP port 16666. AireOS platforms running release 8.5 or later support encrypted CAPWAP. (16667) Reference: Cert. guide "CCNP Enterprise ENWLSD 300-425 ENWLSI 300-430 Official Cert Guide", page 169f and page 175

The answer is A & B CAPWAP Control Channel: Uses UDP port 5246 CAPWAP Data Channel: Uses port 5247 and encapsulates (tunnels) the client's 802.11 frames