NAT Support on Mobility Groups

Information About NAT Support on Mobility Groups

The Network Address Translation (NAT) on Mobility Groups feature supports the establishment of mobility tunnels between peer controllers when one or both peers are behind a NAT. This is achieved by translating the public and private IP addresses of the peers (see figure below). Depending on the placement and number of NATs, translation might be required at one or both ends of the tunnel.

Figure 1. Mobility NAT

When configuring a NATed mobility peer, both the private IP address (address in the network before the NAT device) and the public IP address (address in the public network) have to be configured. Also, if you are using a firewall, ensure that the ports listed below can be accessed through the firewall:

  • Port 16666 for mobility control messages

  • Port 16667 for mobility data messages

Restrictions for NAT Support on Mobility Groups

  • Only 1:1 (static) NAT entries can exist for the controller peers that form the mobility tunnels.

  • Configuring multiple peers with the same public IP address is not supported.

  • Private IP addresses of the configured peers must be unique.

  • Port Address Translation (PAT) is not supported.

  • If peer controllers of different types, for example, Cisco AireOS and Cisco Catalyst 9800 Series) are placed behind NAT, Inter-Release Controller Mobility (IRCM) is not supported for client roaming.

  • IPv6 address translation is not supported.

Functionalities Supported on Mobility NAT

The following table lists the functionalities supported on mobility NAT:

Table 1. Functionalities Supported on Mobility NAT

Two controllers, with the foreign controller behind a NAT device (1to1 NAT only)

Yes

Two controllers, with the anchor controller behind a NAT device (1to1 NAT only)

Yes

Two controllers, with the anchor and foreign controller behind a NAT device (1to1 NAT only)

Yes

Multiple foreign and anchor controllers behind NATs (1to1 NAT only)

Yes

Supported Cisco Catalyst 9800 Series Wireless Controllers

  • Cisco Catalyst 9800-40 Wireless Controller

  • Cisco Catalyst 9800-80 Wireless Controller

  • Catalyst 9800 Wireless Controller for Cloud

  • Cisco Catalyst 9800-L Wireless Controller

Number of peers supported

72

Manageability using SNMP, Yang, and web UI

Yes

IRCM support for mobility

Yes

SSO

Yes

Client roaming (Layer 2 and Layer 3) between Cisco Catalyst 9800 Series Wireless Controllers

Yes

Client roaming (Layer 2 and Layer 3) between Cisco Catalyst 9800 Series Wireless Controller and AireOS controller

No

Supported applications on the mobility tunnel

  • Native profiling

  • AP list

  • PMK cache

  • Mesh AP

Configuring a Mobility Peer

Before you begin

Ensure that the private and public IP addresses of a mobility peer are of the same type, either IPv4 or IPv6.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless mobility group member mac-address peer_mac ip peer_private_ip[ public-ip peer_public_ip] group group_name

Example:

Device(config)# wireless mobility group member mac-address 001e.494b.04ff ip 11.0.0.2 public-ip 4.0.0.112 group dom1

Adds a mobility peer to the list with an optional public IP address.

Note

 

You cannot configure multiple peers with the same private or public IP address.

Step 3

exit

Example:

Device(config)# exit

Returns to privileged EXEC mode.

Verifying NAT Support on Mobility Groups

To display the mobility information of a client, use the following command:

Device# show wireless client mac-address 000a.bd15.0010 detail

Client MAC Address : 000a.bd15.0010
Client IPv4 Address : 100.100.0.2
Client Username: N/A
AP MAC Address : 000a.ad00.0800
AP Name: SIM-AP-7
AP slot : 1
.
.
.

To display mobility peer information using a private peer IP address, use the following command:

Device# show wireless mobility peer ip 21.0.0.2

Mobility Peer Info
===================
Ip Address : 21.0.0.2
Public Ip Address : 3.0.0.22
MAC Address : cc70.ed02.c3b0
Group Name : dom1
.
.
.