A&B, just googled the answer, CAPWAP talks on these two ports for data and control

The only intercontroller CAPWAP ports are 16666 and 16667 https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html

inter-controller roaming is using UDP/16666 and UDP/16667 CAPWAP tunnels.

a+b is correct CAPWAP uses 5246 + 5247 for both APs + WLC 16666 is used with EoIP Legacy

A/B are capwap ports for AP-WLC connection. The question is asking for WLC-WLC D and E is correct

Update to below: https://community.cisco.com/t5/wireless/question-about-udp-16667/td-p/1399015

"Ensure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller." https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-6/config-guide/b_cg86/ap_connectivity_to_cisco_wlc.html#capwap

Matrix Page https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html Source----Dest.------Protocol-----Dest. Port------Src. Port-----Description WLC--------WLC-------UDP------------16666-----------16666----------Mobility - non-secured WLC--------WLC-------UDP------------16666------------N/A-------------Mobility - secured - removed in 5.2 WLC -------AP----------UDP------------5246-5247-----N/A-------------CAPWAP Ctl/Data

D & E As per this official Cisco Document https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/mobility_groups.html If you have a firewall b/w your mobility group members, open UDP port 16666 and IP protocol 97. If you are using encrypted mobility, open UDP port 5246 and 5247. If you are using New Mobility, UDP port 16666, 16667, and 16668 are used. For information about protocols and port numbers that must be used for management and operational purposes, see the Matrix Site Further more looking at the Matrix Page https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html Source Dest. Protocol Dest. Port Src. Port Description WLC WLC UDP 16666 16666 Mobility - non-secured WLC WLC UDP 16667 n/a Mobility - secured - removed in 5.2 WLC AP UDP 5246-5247 n/a CAPWAP Ctl/Data Since the question is related to controllers between each site (WLC < --- > WLC) then D & E is the most logical answer here.

its not really clear https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-2/config-guide/b_wl_17_2_cg/mobility.html says: "The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667)" https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/mobility_groups.html says: "If you have a firewall b/w your mobility group members, open UDP port 16666 and IP protocol 97. If you are using encrypted mobility, open UDP port 5246 and 5247."

I think D&E. Based on Cisco ENWLSD book - UDP/5246-47 is used for CAPWAP traffic between AP and WLC (5246 for Controll, and 5247 for Data traffic) - this book says: Test mobility control messaging over UDP port 16666 mping <ip-address> So, I think the right answers are D&E

Explanation: Two different building on a campus --> to different IP address ranges --> WLC1 and WLC2 ARE NOT in te same ip address range It will be a Layer 3 inter controller roam with anchor and foreign controller. The most recent platforms, such as the Catalyst 9800, transport mobility control messages over encrypted CAPWAP tunnels. Client data traffic is also transported over CAPWAP tunnels, but encryption is optional. Legacy controller platforms that are based on AireOS software prior to release 8.5 transport mobility messages over Ethernet-over-IP (EoIP) tunnels (IP protocol 97) and UDP port 16666. AireOS platforms running release 8.5 or later support encrypted CAPWAP. (16667) Reference: Cert. guide "CCNP Enterprise ENWLSD 300-425 ENWLSI 300-430 Official Cert Guide", page 169f and page 175

The answer is A & B CAPWAP Control Channel: Uses UDP port 5246 CAPWAP Data Channel: Uses port 5247 and encapsulates (tunnels) the client's 802.11 frames

A + B - The Official Cisco Cert Guide does not contain the word 16667 or 8443. It does say AirOS, but this question does not. "AireOS software prior to release 8.5 transport mobility messages over Ethernet-over-IP (EoIP) tunnels (IP protocol 97) and UDP port 16666"

The Cisco Catalyst 9800 Series Wireless Controller mobility tunnel is a CAPWAP tunnel with control path (UDP 16666) and data path (UDP 16667). The control path is DTLS encypted by default. Data path DTLS can be enabled when you add the mobility peer.

The reference in the question is about two WLC mobility or roaming and what is being sought is about the inter-controller for CAPWAP. Inter-controller use 16666,16667 when a client roam between two APs registered to two controllers, but if the reference is about intra-controller, client roam between APs on the same controller using port 5246 & 5247 for mobility. Mobility Group - enables inter-controller wireless LAN roam and controller redundancy

D and E The question is related to intercontroller capwap, not between AP and controller. https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107458-wga-faq.html "On any firewall between the guest anchor controller and the remote controllers, these ports need to be open: Legacy mobility: IP Protocol 97 for user data traffic, UDP Port 16666 New mobility: UDP Port 16666 and 16667"