Information about Encrypted Mobility Tunnel
A secure link in which data is encrypted using the CAPWAP DTLS protocol can be established between two controllers. This secured link is called an Encrypted Mobility Tunnel.
When the encrypted mobility tunnel is enabled, the data traffic is encrypted and the controller sends it over UDP port 16667 instead of EoIP.
To ensure that controllers with expired MIC certificates can join a network with encrypted mobility tunnels enabled, an existing CLI command is used to disable MIC certificate date validation.
Note
This command disables the date validation check during Cisco AP join and encrypted mobility tunnel creation. When the config ap cert-expiry-ignore CLI is enabled, the lifetime check is disabled.
Restrictions for Encrypted Mobility Tunnel
- This feature is supported on Cisco 3504, 5520, and 8540 controllers only.
  Note
  The Cisco 5508 and 8510 Wireless Controllers do not support tunnel encryption protocols. They support IRCM with unencrypted mobility tunnels only.
- Native IPv6 is not supported.
- Mobility Multicast for an encrypted tunnel is not supported.
- The Encrypted Mobility Tunnel feature should be enabled on all the mobility peers in the network to have the tunnel created. The default state is set to disabled.
- If the packets passing through the controller after L3 roaming are greater than the MTU size of the controller in secure mobility, along with secure mobility, data encryption functionality must be enabled for the fragmented packets to be forwarded through a secure mobility tunnel.
- Only the MIC certificate is supported to create the tunnel.
- When using a Cisco 3504 controller as an anchor, we recommend reducing the client load by 30% of the controller's maximum load capability.
Configuring Mobility Groups for Inter-Release Controller Mobility (IRCM) (GUI)
Procedure
Step 1
Open the Static Mobility Group Members page.
Step 2
Click New to open the page.
Step 3
Add a controller to the mobility group as follows:
Configuring Mobility Groups for Inter-Release Controller Mobility (IRCM) (CLI)
Procedure
Step 1
Add a peer controller to the mobility group by entering this command:
config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt {enable | disable}
Step 2
(Optional) Configure the peer controller data traffic encryption by entering this command:
config mobility group member data-dtls peer-mac-addr {enable | disable}
The default value is Enabled.
Step 3
(Optional) Configure high cipher encryption to enable the DTLS 1.2 protocol by entering this command:
config mobility group member add member-switch-mac-addr member-switch-ip-addr grp-name encrypt enable high-cipher-option enable
The default value is Disabled.
Step 4
Configure the SSC hash of the Cisco Catalyst 9800 Series Wireless Controllers by entering this command:
config mobility group member hash peer-ip-addr 40-digit-ssc-hash-key
Step 5
View the peer-to-peer mobility encryption status by entering this command:
show mobility summary encryption
Step 6
To see the hash key of mobility group members in the same domain, enter this command:
show mobility group member hash
Step 7
View the mobility DTLS connection status by entering this command:
show mobility dtls connections
Step 8
View mobility statistics by entering this command:
show mobility statistics
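The following is an added example, not Cisco code, that builds the Steps 1 to 4 command lines for one peer and rejects input the restrictions above rule out (native IPv6 peers, malformed MAC or SSC hash) before anything is typed into the controller. The validation rules, the MAC format and the assumption that the SSC hash is 40 hexadecimal digits are mine; the command syntax is copied from the steps above.

```python
import ipaddress
import re

# Assumed formats (not from the page): colon-separated lowercase MAC and a
# 40-hex-digit SSC hash, matching the "40-digit-ssc-hash-key" placeholder.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
SSC_HASH_RE = re.compile(r"^[0-9a-f]{40}$")


def mobility_peer_commands(peer_mac, peer_ip, group_name, *, high_cipher=False,
                           data_dtls=True, ssc_hash=None):
    """Return the CLI lines that add one encrypted mobility peer (Steps 1-4).

    Raises ValueError for input the page's restrictions reject (native IPv6)
    or that the controller would not parse (bad MAC, bad hash, bad group name).
    """
    mac = peer_mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid peer MAC: {peer_mac!r}")
    ip = ipaddress.ip_address(peer_ip)
    if ip.version != 4:
        # Restriction on this page: native IPv6 is not supported.
        raise ValueError("native IPv6 is not supported for encrypted mobility")
    if not group_name or any(ch.isspace() for ch in group_name):
        raise ValueError(f"invalid group name: {group_name!r}")

    cmds = []
    if high_cipher:
        # Step 3: DTLS 1.2 is selected with high-cipher-option at add time.
        cmds.append(f"config mobility group member add {mac} {ip} {group_name} "
                    f"encrypt enable high-cipher-option enable")
    else:
        # Step 1: encryption must be enabled on every peer for the tunnel to form.
        cmds.append(f"config mobility group member add {mac} {ip} {group_name} "
                    f"encrypt enable")
    if not data_dtls:
        # Step 2: data-plane DTLS defaults to Enabled, so only emit the disable.
        cmds.append(f"config mobility group member data-dtls {mac} disable")
    if ssc_hash is not None:
        h = ssc_hash.lower()
        if not SSC_HASH_RE.match(h):
            raise ValueError("SSC hash must be 40 hex digits")
        # Step 4: SSC hash is needed for Catalyst 9800 peers.
        cmds.append(f"config mobility group member hash {ip} {h}")
    return cmds


def peers_blocking_tunnel(peers):
    """Given (mac, encrypt_enabled) pairs, return the MACs left unencrypted
    while at least one peer is encrypted; per the restriction above, those
    peers prevent the encrypted tunnel from being created."""
    if not any(enabled for _, enabled in peers):
        return []
    return [mac for mac, enabled in peers if not enabled]
```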