
If the WLCs in the same mobility group are separated by Network Address Translation (NAT) boundaries, can they communicate mobility messages with each other?


A. In controller software releases earlier than 4.2, mobility between controllers in the same Mobility Group does not work if one of the controllers is behind a network address translation (NAT) device. This behavior creates a problem for the guest anchor feature where one controller is expected to be outside the firewall. Mobility message payloads carry IP address information about the source controller. This IP address is validated with the source IP address of the IP header. This behavior poses a problem when a NAT device is introduced in the network because it changes the source IP address in the IP header. Hence, in the guest WLAN feature, any mobility packet that is routed through a NAT device is dropped because of the IP address mismatch. In controller software release 4.2 and later, the Mobility Group lookup is changed to use the MAC address of the source controller. Because the source IP address is changed due to the mapping in the NAT device, the Mobility Group database is se
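The validation described in the answer above, modeled as an added example that is not part of the original answer and is not controller code. The message fields, the assumption that the sender's MAC is carried in the payload, and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class MobilityMsg:
    """Simplified model of a mobility message (assumed fields, not the wire format)."""
    hdr_src_ip: str   # source address in the IP header, as seen by the receiver
    payload_ip: str   # sender's own IP address carried in the payload
    payload_mac: str  # sender's MAC address (assumed to travel in the payload)

def source_nat(msg: MobilityMsg, inside_ip: str, outside_ip: str) -> MobilityMsg:
    """A NAT device rewrites the IP header source only; the payload is untouched."""
    if msg.hdr_src_ip == inside_ip:
        return replace(msg, hdr_src_ip=outside_ip)
    return msg

def accept_pre_4_2(msg: MobilityMsg) -> bool:
    """Before 4.2: the payload IP is validated against the IP header source."""
    return msg.payload_ip == msg.hdr_src_ip

def accept_4_2(msg: MobilityMsg, group_macs: set[str]) -> bool:
    """4.2 and later: the Mobility Group lookup uses the source controller's MAC."""
    return msg.payload_mac.lower() in group_macs

# Constructed sample data (documentation address ranges).
INSIDE_IP, OUTSIDE_IP = "10.0.0.5", "192.0.2.10"
GROUP_MACS = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}
SENT = MobilityMsg(INSIDE_IP, INSIDE_IP, "00:00:5E:00:53:01")

def outcomes() -> dict[str, bool]:
    """Run the same message through both checks, with and without NAT."""
    received = source_nat(SENT, INSIDE_IP, OUTSIDE_IP)
    stranger = replace(received, payload_mac="00:00:5e:00:53:ff")
    return {
        "pre-4.2, no NAT": accept_pre_4_2(SENT),
        "pre-4.2, via NAT": accept_pre_4_2(received),
        "4.2+, via NAT": accept_4_2(received, GROUP_MACS),
        "4.2+, via NAT, MAC not in group": accept_4_2(stranger, GROUP_MACS),
    }

if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case:34} {'accepted' if accepted else 'dropped'}")
```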
