Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Cupertino 17.7.x

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: December 6, 2021

Chapter: NAT Support on Mobility Groups

NAT Support on Mobility Groups
Information About NAT Support on Mobility Groups
Restrictions for NAT Support on Mobility Groups
Functionalities Supported on Mobility NAT
Configuring a Mobility Peer
Verifying NAT Support on Mobility Groups

NAT Support on Mobility Groups

Information About NAT Support on Mobility Groups

The Network Address Translation (NAT) on Mobility Groups feature supports the establishment of mobility tunnels between peer controllers when one or both peers are behind a NAT. This is achieved by translating the public and private IP addresses of the peers (see figure below). Depending on the placement and number of NATs, translation might be required at one or both ends of the tunnel.

When configuring a NATed mobility peer, both the private IP address (address in the network before the NAT device) and the public IP address (address in the public network) have to be configured. Also, if you are using a firewall, ensure that the ports listed below can be accessed through the firewall:

Port 16666 for mobility control messages
Port 16667 for mobility data messages

Restrictions for NAT Support on Mobility Groups

Only 1:1 (static) NAT entries can exist for the controller peers that form the mobility tunnels.
Configuring multiple peers with the same public IP address is not supported.
Private IP addresses of the configured peers must be unique.
Port Address Translation (PAT) is not supported.
If peer controllers of different types, for example, Cisco AireOS and Cisco Catalyst 9800 Series) are placed behind NAT, Inter-Release Controller Mobility (IRCM) is not supported for client roaming.
IPv6 address translation is not supported.

Functionalities Supported on Mobility NAT

The following table lists the functionalities supported on mobility NAT:

Table 1. Functionalities Supported on Mobility NAT
Two controllers, with the foreign controller behind a NAT device (1to1 NAT only)	Yes
Two controllers, with the anchor controller behind a NAT device (1to1 NAT only)	Yes
Two controllers, with the anchor and foreign controller behind a NAT device (1to1 NAT only)	Yes
Multiple foreign and anchor controllers behind NATs (1to1 NAT only)	Yes
Supported Cisco Catalyst 9800 Series Wireless Controllers	Cisco Catalyst 9800-40 Wireless Controller Cisco Catalyst 9800-80 Wireless Controller Catalyst 9800 Wireless Controller for Cloud Cisco Catalyst 9800-L Wireless Controller
Number of peers supported	72
Manageability using SNMP, Yang, and web UI	Yes
IRCM support for mobility	Yes
SSO	Yes
Client roaming (Layer 2 and Layer 3) between Cisco Catalyst 9800 Series Wireless Controllers	Yes
Client roaming (Layer 2 and Layer 3) between Cisco Catalyst 9800 Series Wireless Controller and AireOS controller	No
Supported applications on the mobility tunnel	Native profiling AP list PMK cache Mesh AP

Configuring a Mobility Peer

Before you begin

Ensure that the private and public IP addresses of a mobility peer are of the same type, either IPv4 or IPv6.

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless mobility group member mac-address peer_mac ip peer_private_ip[ public-ip peer_public_ip] group group_name

Example:

Device(config)# wireless mobility group member mac-address 001e.494b.04ff ip 11.0.0.2 public-ip 4.0.0.112 group dom1

Adds a mobility peer to the list with an optional public IP address.

Note

You cannot configure multiple peers with the same private or public IP address.

Step 3

exit

Example:

Device(config)# exit

Returns to privileged EXEC mode.

Verifying NAT Support on Mobility Groups

To display the mobility information of a client, use the following command:

Device# show wireless client mac-address 000a.bd15.0010 detail

Client MAC Address : 000a.bd15.0010
Client IPv4 Address : 100.100.0.2
Client Username: N/A
AP MAC Address : 000a.ad00.0800
AP Name: SIM-AP-7
AP slot : 1
.
.
.

To display mobility peer information using a private peer IP address, use the following command:

Device# show wireless mobility peer ip 21.0.0.2

Mobility Peer Info
===================
Ip Address : 21.0.0.2
Public Ip Address : 3.0.0.22
MAC Address : cc70.ed02.c3b0
Group Name : dom1
.
.
.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)