Cisco Unified Wireless Network Protocol and Port Matrix
Table of Contents
Introduction
Background Information
Terms Used
Network Overview
Protocol and Port Number Information
Table 1 - WCS/NCS/PI Protocols and Ports
Table 2 - MSE - AwIPS Protocols
Table 3 - MSE - Context Protocols
Table 4 - WLC Protocols
Table 5 - AP Protocols
Table 6 - OEAP600 Firewall Protocols
Introduction
This document provides information about the protocols and port numbers used across the entire product series as the products interact in a comprehensive Cisco Unified Wireless Network (CUWN) deployment. This information is based on the Software Version 7.0.220.0 series code release train. It is not meant to replace or supersede specific product documentation found in existing configuration guides, but only to serve as a consolidated source of the information available at the time this document was created.
Background Information
The main purpose of this document is to provide a consolidated source of the communication protocols used in a CUWN solution. The goal is to implement appropriate firewall and security policies based on this information to properly secure the CUWN infrastructure.
Terms Used
Here is a list of terms used in this document:
- WCS - Wireless Control System
- NCS - Network Control System
- PI -
- WLC - Wireless LAN Controller
- MSE - Mobility Services Engine
- OS - Operating System
- AP - Access Point
- SSH - Secure Shell
- SMTP - Simple Mail Transfer Protocol
- AAA - Authentication, Authorization, and Accounting
- DNS - Domain Name System
- ISE - Identity Services Engine
- NTP - Network Time Protocol
- SOAP - Simple Object Access Protocol
- HA - High Availability
- QoS - Quality of Service
- DB - Database
- RDP - Remote Desktop Protocol
- VNC - Virtual Network Computing
- TLS - Transport Layer Security
- LOCP -
- ICMP - Internet Control Message Protocol
- SNMP - Simple Network Management Protocol
- NMSP - Network Mobility Services Protocol
- AwIPS -
- EoIP - Ethernet over IP
- RDLP -
- CAPWAP - Control and Provisioning of Wireless Access Points
- LWAPP - Light Weight Access Point Protocol
- NSI - Network Spectrum Interface
- OEAP - OfficeExtend Access Point
Network Overview
Protocol and Port Number Information
Here is a list of tables in this document:
Table 1 - WCS/NCS/PI Protocols and Ports
WCS/NCS/PI Protocols | ||||
---|---|---|---|---|
Source Device | Destination Device | Protocol | Destination Port | Description |
WCS/NCS/PI | WLC and MSE | TCP | 21 | FTP - Used to transfer files to/from devices |
Various Management Stations | WCS Host Server OS-Linux | TCP | 22 | SSH - Used for remote Linux Host Access |
WCS/NCS/PI | Cisco aIOS® AP | TCP | 23 | Telnet - Used for Cisco aIOS AP Configuration |
WCS/NCS/PI | SMTP mail servers | TCP | 25 | SMTP - used for fault notifications |
AAA Servers / ISE | WCS/NCS/PI | TCP/UDP | 49 | TACACS+ |
WCS/NCS/PI | aIOS AP | UDP | 53 | DNS - used for Cisco aIOS AP Configuration |
WLC | WCS/NCS/PI | UDP | 69 | TFTP - Used to transfer files to/from devices |
Various Management Stations | WCS/NCS/PI | TCP | 80 | HTTP (Configurable at install time) |
NTP Server | WLC | UDP | 123 | NTP |
WLC and MSE | WCS/NCS/PI | UDP | 161 | SNMP discovery, inventory Cisco aIOS AP and others |
WLC and MSE | WCS/NCS/PI | UDP | 162 | SNMP Trap Receiver |
Various Management Stations | WCS/NCS/PI | TCP | 443 | HTTPS (Configurable at install time) |
MSE | WCS/NCS/PI | TCP | 443 | SOAP/XML (SOAP used for MSE Management) |
WLC | WCS/NCS/PI | UDP | 514 | Syslog (Optional) |
Local only | WCS/NCS/PI | TCP | 1299 | RMI Registry port (local only) |
Various and HA Server | WCS/NCS/PI | TCP | 1315 | Database Server HA (QoS) |
WCS HA Server | WCS/NCS/PI | TCP | 1316-1320 | HA DB Ports |
AAA Servers / ISE | WCS/NCS/PI | UDP | 1812 / 1645 | RADIUS |
AAA Servers / ISE | WCS/NCS/PI | UDP | 1813 / 1646 | RADIUS |
Various Management Stations | WCS Host Server OS-Microsoft Windows | TCP / UDP | 3389 | RDP - Microsoft Windows Remote Desktop (Optional) |
Various | WCS/NCS/PI | TCP | 5001 | Apache Axis SOAP Monitoring: Java Listener |
Various Management Stations | WCS Host Server OS-Microsoft Windows | TCP | 5500 | VNC - (Optional) Used for remote Microsoft Windows Host Access |
Various Management Stations | WCS Host Server OS-Microsoft Windows | TCP | 5800 | VNC - (Optional) Used for remote Microsoft Windows Host Access |
Various Management Stations | WCS Host Server OS-Microsoft Windows | TCP / UDP | 5900 | VNC - (Optional) Used for remote Microsoft Windows Host Access |
Local only | WCS/NCS/PI | TCP | 6789 | RMI Server Port (local only) |
MSE-Location Appliance | WCS/NCS/PI | TCP | 8001 | Location Server Data Sync. Communication Port |
Local only | WCS/NCS/PI | TCP | 8005 | Tomcat Shutdown Port |
Local only | WCS/NCS/PI | TCP | 8009 | Web Server / Java Server Connector (local only) |
HA Web Server | WCS/NCS/PI | TCP | 8082 | HA Web Server Port: Health Monitor for WCS HA |
Various Management Stations | WCS/NCS/PI | TCP | 8456 | HTTP Connector |
Various Management Stations | WCS/NCS/PI | TCP | 8457 | HTTP Redirect |
Various Management Stations | WCS/NCS/PI | TCP | 16113 | LOCP TLS Port |
WLC | WCS/NCS/PI | UDP | 29001-29005 | TFTP Child threads |
Various | AP | ICMP | | ICMP - Optional |
Table 2 - MSE - AwIPS Protocols
MSE - AwIPS Protocols | ||||
---|---|---|---|---|
Source Device | Destination Device | Protocol | Destination Port | Description |
WCS/NCS/PI | MSE | TCP | 21 | FTP - Used to transfer files to/from devices |
Various Management Stations | MSE Host Server OS-Linux | TCP | 22 | SSH - Used for remote Linux Host Access |
WCS/NCS/PI | MSE | TCP | 80 | HTTP (Configurable at install time) |
NTP Server | WLC | UDP | 123 | NTP |
WCS/NCS/PI | MSE | UDP | 161 | SNMP |
MSE | WCS/NCS/PI | UDP | 162 | SNMP Trap Receiver |
WCS/NCS/PI | MSE | TCP | 443 | HTTPS (Configurable at install time) |
WCS/NCS/PI | MSE | TCP | 443 | SOAP/XML |
WCS/NCS/PI | MSE | TCP | 8001 | HTTPS (Configurable at install time) |
WLC | MSE and Spectrum Expert | TCP | 16113 | NMSP |
Various | AP | ICMP | | ICMP - Optional |
Table 3 - MSE - Context Protocols
MSE - Context-Aware and AwIPS Protocols | ||||
---|---|---|---|---|
Source Device | Destination Device | Protocol | Destination Port | Description |
WCS/NCS/PI | MSE | TCP | 21 | FTP - Used to transfer files to/from devices |
Various Management Stations | MSE Host Server OS-Linux | TCP | 22 | SSH - Used for remote Linux Host Access |
WCS/NCS/PI | MSE | TCP | 80 | HTTP (Configurable at install time) |
NTP Server | WLC | UDP | 123 | NTP |
WCS/NCS/PI | MSE | UDP | 161 | SNMP |
MSE | WCS/NCS/PI | UDP | 162 | SNMP Trap Receiver |
WCS/NCS/PI | MSE | TCP | 443 | HTTPS (Configurable at install time) |
WCS/NCS/PI | MSE | TCP | 443 | SOAP/XML |
WCS/NCS/PI | MSE | TCP | 8001 | HTTPS (Configurable at install time) |
WLC and Catalyst LAN Switches | MSE and Spectrum Expert | TCP | 16113 | NMSP |
Various | AP | ICMP | | ICMP - Optional |
Table 4 - WLC Protocols
WLC Protocols | ||||
---|---|---|---|---|
Source Device | Destination Device | Protocol | Destination Port | Description |
WCS/NCS/PI | WLC | TCP | 21 | FTP - Used to transfer files to/from devices |
WCS and Various Management Stations | WLC | TCP | 22 | SSH - Used for remote Management (optional) |
WCS and Various Management Stations | WLC | TCP | 23 | Telnet - Used for remote Management (optional) |
AAA Servers / ISE | WLC | TCP/UDP | 49 | TACACS+ |
WCS and Various Management Stations | WLC | UDP | 69 | TFTP - Used to transfer files to/from devices |
Various Management Stations | WLC | TCP | 80 | HTTP (Configurable at install time) |
WLC | WLC | TCP | 91 | |
WLC Mobility Group members | WLC | EoIP IP Protocol 97 | EoIP IP Protocol 97 | EoIP Tunnel - Client Anchor/Tunneling traffic |
NTP Server | WLC | UDP | 123 | NTP |
WCS/NCS/PI | WLC | UDP | 161 | SNMP |
WCS/NCS/PI | WLC | UDP | 162 | SNMP Trap Receiver |
Various Management Stations | WLC | TCP | 443 | HTTPS (Configurable at install time) |
WLC and Various Syslog Servers | WLC | UDP | 514 | Syslog (Optional) |
AAA Servers / ISE | WLC | UDP | 1812 / 1645 | RADIUS |
AAA Servers / ISE | WLC | UDP | 1813 / 1646 | RADIUS |
AP | WLC | UDP | 6352 | RDLP |
Various Management Stations (MSE, Spectrum Expert) | WLC | TCP | 16113 | LOCP TLS Port NMSP |
WLC | WLC | UDP | 16666 | Mobility - non-secured |
WLC | WLC | UDP | 16667 | Mobility - secured ** This feature was removed in release 5.2+ |
AP | WLC | UDP | 5246-5247 | CAPWAP Ctl/Data |
AP | WLC | UDP | 5248 | CAPWAP Mcast. |
AP | WLC | UDP | 12222-12223 | LWAPP Ctl/Data |
AP | WLC | UDP | 12224 | LWAPP Mcast. |
Various | AP | ICMP | | ICMP - Optional |
Table 5 - AP Protocols
AP CAPWAP-LWAPP Protocols | ||||
---|---|---|---|---|
Source Device | Destination Device | Protocol | Destination Port | Description |
Various | AP | UDP | 69 | TFTP - used for remote code update |
Various | AP | TCP | 22 | SSH - used for optional remote troubleshooting access. Can be administratively disabled. |
Various | AP | TCP | 23 | Telnet - used for optional remote troubleshooting access. Can be administratively disabled. |
AP | DNS Server | TCP/UDP | 53 | DNS |
AP | DHCP Server | UDP | 68 | DHCP |
AP | Various | UDP | 514 | Syslog - Destination configurable. Default is 255.255.255.255 |
WLC | AP | UDP | 1024 - 65535 * | CAPWAP Ctl/Data |
WLC | AP | UDP | 5248 | CAPWAP Mcast. |
AP | WLC | UDP | 6352 | RDLP |
WLC | AP | UDP | 12222-12223 | LWAPP Ctl/Data |
WLC | AP | UDP | 12224 | LWAPP Mcast. |
AP | Monitor PC | TCP | 37540 for 2.4 GHz, 37550 for 5 GHz | NSI Protocol for SE-Connect |
Various | AP | ICMP | | ICMP - Optional |
* - An arbitrary port number from the range 1024 - 65535 is assigned to every AP when the AP joins the WLC. The WLC uses that number as the Destination Port for CAPWAP Ctl/Data for as long as the AP is connected.
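An added example, not part of the Cisco document: a short Python check that parses rows in this page's table layout (including the `1812 / 1645`, `5246-5247` and `1024 - 65535 *` port notations and the port-less EoIP row) and labels observed flows against them, so that flows matched only by the wide CAPWAP range described in the footnote stand out for review. The flow records, the function names and the 1000-port threshold for calling a range "wide" are assumptions made for illustration.

```python
import re

# Rows taken from Tables 4 and 5 of this page (descriptions shortened);
# the last row is deliberately one cell short to exercise the guard below.
MATRIX = """
AAA Servers / ISE | WLC | TCP/UDP | 49 | TACACS+ |
AAA Servers / ISE | WLC | UDP | 1812 / 1645 | RADIUS |
AP | WLC | UDP | 5246-5247 | CAPWAP Ctl/Data |
Various Management Stations | WLC | TCP | 443 | HTTPS |
WLC Mobility Group members | WLC | EoIP IP Protocol 97 | EoIP IP Protocol 97 | EoIP Tunnel |
Various | AP | TCP | 22 | SSH |
WLC | AP | UDP | 1024 - 65535 * | CAPWAP Ctl/Data |
Various | AP | ICMP | ICMP - Optional |
"""

# Constructed sample flows: (destination role, protocol, destination port).
FLOWS = [("WLC", "udp", 5246), ("WLC", "udp", 1645), ("WLC", "ip/97", 0),
         ("WLC", "tcp", 8443), ("AP", "udp", 40001), ("AP", "tcp", 22)]

def parse_matrix(text):
    """Return (dst, proto, low_port, high_port, description) rules."""
    rules = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 5:          # row with a missing cell: skip, do not guess
            continue
        _src, dst, proto, port, desc = cells
        ip_proto = re.search(r"IP Protocol (\d+)", proto)
        if ip_proto:                 # port-less IP protocol (EoIP is protocol 97)
            rules.append((dst, "ip/" + ip_proto.group(1), 0, 0, desc))
            continue
        for p in proto.lower().split("/"):
            # Handles "49", "1812 / 1645", "5246-5247" and "1024 - 65535 *".
            for lo, hi in re.findall(r"(\d+)(?:\s*-\s*(\d+))?", port):
                rules.append((dst, p.strip(), int(lo), int(hi or lo), desc))
    return rules

def audit(rules, flows, wide=1000):
    """Label each flow: ok, matched only by a wide port range, or not listed."""
    out = []
    for dst, proto, dport in flows:
        hits = [r for r in rules if r[:2] == (dst, proto) and r[2] <= dport <= r[3]]
        if not hits:
            verdict = "not in matrix"
        else:
            best = min(hits, key=lambda r: r[3] - r[2])   # narrowest matching row
            tag = "wide range only" if best[3] - best[2] >= wide else "ok"
            verdict = f"{tag}: {best[4]}"
        out.append((dst, proto, dport, verdict))
    return out
```

Calling `audit(parse_matrix(MATRIX), FLOWS)` returns one labelled tuple per flow; the UDP 40001 flow to the AP is matched only by the 1024 - 65535 row, which is the case a static ACL built from Table 5 would admit on any high UDP port.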
Table 6 - OEAP600 Firewall Protocols
AP CAPWAP-LWAPP Protocols | ||||
---|---|---|---|---|
Source Device | Destination Device | Protocol | Destination Port | Description |
WLC | AP | UDP | 5246-5247 | CAPWAP Ctl/Data |