Function
The capwap dtls inter-controller control-link encrypt command enables DTLS encryption for an inter-AC control tunnel.
The undo capwap dtls inter-controller control-link encrypt command disables DTLS encryption for an inter-AC control tunnel.
By default, DTLS encryption for an inter-AC control tunnel is disabled.
Format
capwap dtls inter-controller control-link encrypt
undo capwap dtls inter-controller control-link encrypt
Usage Scenario
At the discovery stage of inter-AC tunnel establishment, an AC obtains the IP address of the peer AC through the discovery mechanism. The ACs then enter the DTLS negotiation stage, in which they use DTLS to set up the tunnel and encrypt the UDP packets carried in it.
After the capwap dtls inter-controller control-link encrypt command is executed, packets transmitted over the inter-AC control tunnel are encrypted using DTLS. The ACs perform DTLS negotiation in PSK (pre-shared key) mode, so both ACs must hold the same PSK. If DTLS negotiation fails, the inter-AC tunnel cannot be set up.
Precautions
If you modify the DTLS configuration after an inter-AC tunnel has been set up, the established tunnel is not affected; the modification takes effect the next time the tunnel is set up.
When DTLS encryption is enabled for the inter-AC control tunnel on the server-side AC, the inter-AC tunnel can be set up only if this function is also enabled on the client-side AC. When DTLS encryption is enabled on the client-side AC, the inter-AC tunnel can be set up even if this function is disabled on the server-side AC. To ensure that the control link is encrypted regardless of which AC acts as the server, enable the function on both ACs.
If the default PSK is still in use when this function is enabled, run the capwap dtls inter-controller psk command to change the PSK. The default PSK is not secret, so DTLS with the default PSK gives no real protection against an attacker who can reach the inter-AC link.
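The following configuration for a pair of ACs is an added example and is not from the original page or the vendor's documentation. It sets a non-default PSK on both ACs before enabling encryption, then enables DTLS encryption on both the server-side and the client-side AC, which is the safe combination given the precautions above. The AC names (AC1, AC2), the WLAN view in which the commands are entered, the PSK value and the argument form of the capwap dtls inter-controller psk command, and the display capwap configuration command used to verify the setting are assumptions for illustration; lines beginning with # are annotations, not commands.

```text
# AC1 (server-side AC): set the PSK first, then enable DTLS encryption.
# The PSK value and its argument form are assumed; check your platform's syntax.
<AC1> system-view
[AC1] wlan
[AC1-wlan-view] capwap dtls inter-controller psk Sx9#pLq2!vT7mNz4
[AC1-wlan-view] capwap dtls inter-controller control-link encrypt
[AC1-wlan-view] quit
[AC1] quit
<AC1> save

# AC2 (client-side AC): same PSK, same setting. Enabling on the client side
# is mandatory once the server side is enabled; enabling on both sides means
# the link is encrypted whichever AC ends up as the server.
<AC2> system-view
[AC2] wlan
[AC2-wlan-view] capwap dtls inter-controller psk Sx9#pLq2!vT7mNz4
[AC2-wlan-view] capwap dtls inter-controller control-link encrypt
[AC2-wlan-view] quit
[AC2] quit
<AC2> save

# Verify on each AC (display command assumed; the exact name may differ by platform).
<AC1> display capwap configuration
```

Because a DTLS change only takes effect when the tunnel is next set up, an inter-AC tunnel that was already established before these commands were entered keeps running with the old settings until it is torn down and re-established; apply the change on both ACs during a maintenance window and confirm afterwards that the tunnel came back up with encryption enabled.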