
(Optional) Configuring CAPWAP Tunnel Parameters

Context

After an AP is powered on and obtains an AC IP address, the AP begins to establish CAPWAP tunnels with the AC. CAPWAP tunnels include control and data tunnels.

The AC sends management packets over the control tunnel to manage APs in a centralized manner. All user data packets are forwarded to the AC through the data tunnel for centralized processing. To improve link reliability and prevent CAPWAP control tunnels from being torn down when the service traffic volume is high, configure a high priority for CAPWAP management packets.

CAPWAP tunnels use Datagram Transport Layer Security (DTLS) encryption, sensitive information encryption, integrity check, and heartbeat detection to ensure security.
  • DTLS encryption: When an AP establishes CAPWAP tunnels with an AC, the AP determines whether to perform DTLS negotiation with the AC. DTLS can be used to encrypt the packets exchanged between the AP and AC, ensuring the integrity and confidentiality of management packets. Currently, the device can only encrypt management packets using a pre-shared key (PSK).
  • Sensitive information encryption: When sensitive information is transmitted between an AP and an AC, the information can be encrypted to protect it. Sensitive information includes the FTP user name, FTP password, AP login user name, AP login password, and service configuration key.
  • Integrity check: CAPWAP packets transmitted between an AP and an AC may be forged or tampered with, or an attacker may construct malformed packets to launch attacks. Integrity check protects the CAPWAP packets exchanged between the AP and AC against such modification.
  • Heartbeat detection: The AP and AC periodically exchange Echo packets to determine whether the control tunnel is working properly, and periodically exchange Keepalive packets to determine whether the data tunnel is working properly. If the AP or AC receives no response from its peer after Echo or Keepalive packets have been sent the specified number of times, the AP and AC consider the control or data tunnel terminated, and the tunnel needs to be re-established.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure CAPWAP tunnel parameters as required.

    The following parameters can be configured. Each entry lists the procedure, the command, and its description.

    Procedure: Configure the priority of CAPWAP management packets.
    Command: capwap control-link-priority { local | remote } priority-value
    Description: By default, the priority of CAPWAP management packets is 7.
      A larger priority value indicates a higher priority and better link reliability. The default value 7 is recommended.
      NOTICE: Configure priority 4 to 7 for CAPWAP management packets sent from an AC to an AP, so that the CAPWAP management tunnel is not interrupted by heavy traffic.

    Procedure: Configure DTLS encryption.
      • Allow the AP to establish a DTLS session with the AC using the default PSK.
        Command: capwap dtls psk-mandatory-match enable
        Description: By default, an AP is not allowed to establish a DTLS session with an AC using the default pre-shared key.
          An AP can use either the default PSK or a configured PSK to establish a DTLS session with an AC.
          If an AP is allowed to use the default PSK to establish a DTLS session with an AC, and a PSK is configured for DTLS encryption, the following situations occur:
            • The AP uses the default PSK during login and uses the configured PSK for re-login after being restarted.
            • When the AP and AC have different PSKs, the AP uses the default PSK to establish a DTLS session with the AC after three consecutive attempts to establish a DTLS session fail.
          It is recommended that you change the PSK in a timely manner to ensure device security.
      • Configure the PSK used for DTLS encryption.
        Command: capwap dtls psk psk-value
        Description: By default, the pre-shared key used for DTLS encryption is huawei_seccwp.
      • Enable DTLS encryption for control tunnels.
        Command: capwap dtls control-link encrypt
        Description: By default, encryption of the CAPWAP control tunnel using DTLS is disabled.

    Procedure: Encrypt sensitive information.
      • Configure a PSK for encrypting sensitive information.
        Command: capwap sensitive-info psk
        Description: The default PSK used for sensitive information encryption is WLAN-KEYSTRING-AES256.

    Procedure: Configure integrity check.
      • Enable integrity check of CAPWAP packets.
        Command: undo capwap message-integrity check disable
        Description: By default, integrity check of CAPWAP packets is enabled.
      • Configure a PSK for checking the integrity of CAPWAP packets.
        Command: capwap message-integrity psk
        Description: The default PSK for checking the integrity of CAPWAP packets is huawei_seccwp.

    Procedure: Set CAPWAP heartbeat detection.
      • Configure the heartbeat detection interval.
        Command: capwap echo interval interval-value
        Description: By default, the CAPWAP heartbeat detection interval is 25s.
          The CAPWAP heartbeat detection interval is the interval at which Echo packets are sent. The number of CAPWAP heartbeat detections is the number of times Echo packets are sent before the link is declared down.
          If no response is received after Echo packets have been sent the specified number of times, the AP or AC considers the link between them disconnected.
          If you set the CAPWAP heartbeat detection interval or the number of CAPWAP heartbeat detections to a value smaller than the default, CAPWAP link reliability is degraded. Exercise caution when setting these values. The default values are recommended.
          If dual-link backup is enabled, the CAPWAP heartbeat detection interval is 25s and the number of CAPWAP heartbeat detections is 3. When the Wireless Distribution System (WDS) is required in a dual-link backup configuration, the WDS link may be unstable and users may be unable to access the network. In this case, run this command to set the CAPWAP heartbeat detection interval to 25 seconds and the number of CAPWAP heartbeat detections to 6.
          Radio traffic statistics packets are sent and received together with Echo packets.
      • Configure the number of CAPWAP heartbeat detections.
        Command: capwap echo times times-value
        Description: By default, a maximum of six CAPWAP heartbeat detections can be performed.
          If dual-link backup is enabled, a maximum of three CAPWAP heartbeat detections can be performed.
      • Configure the Echo packet process trace and diagnostic log record functions.
        Command: capwap echo-timeout trace logging
        Description: By default, the Echo packet process trace and diagnostic log record functions are enabled upon AP Echo packet timeout.

Verifying the Configuration

  • Run the display capwap configuration command to check CAPWAP configurations.
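As an added illustration (not Huawei code or output), the helper below audits a CAPWAP configuration excerpt against the defaults and recommendations stated on this page: it flags a control tunnel without DTLS, the documented default DTLS PSK still in use, default-PSK fallback enabled, heartbeat values below the defaults, and management packet priority below 4. The config excerpts are constructed, the PSK value is a placeholder, and the line formats are assumed to match the commands as listed above.

```python
import re

# Defaults as stated on this page (constructed audit helper, not a Huawei tool).
DEFAULT_ECHO_INTERVAL = 25  # seconds
DEFAULT_ECHO_TIMES = 6      # 3 when dual-link backup is enabled
MIN_RECOMMENDED_PRIORITY = 4

def parse_capwap(config_text):
    """Fold the 'capwap ...' lines of an excerpt into a settings dict, starting from defaults."""
    s = {"dtls_psk_set": False, "dtls_encrypt": False, "default_psk_fallback": False,
         "echo_interval": DEFAULT_ECHO_INTERVAL, "echo_times": DEFAULT_ECHO_TIMES,
         "priority": {"local": 7, "remote": 7}}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("capwap dtls psk "):  # a configured (non-default) DTLS PSK
            s["dtls_psk_set"] = True
        elif line == "capwap dtls psk-mandatory-match enable":
            s["default_psk_fallback"] = True
        elif line == "capwap dtls control-link encrypt":
            s["dtls_encrypt"] = True
        elif m := re.fullmatch(r"capwap echo interval (\d+)", line):
            s["echo_interval"] = int(m.group(1))
        elif m := re.fullmatch(r"capwap echo times (\d+)", line):
            s["echo_times"] = int(m.group(1))
        elif m := re.fullmatch(r"capwap control-link-priority (local|remote) (\d+)", line):
            s["priority"][m.group(1)] = int(m.group(2))
    return s

def audit(config_text, dual_link=False):
    """Return the findings a reviewer would raise against this page's guidance."""
    s = parse_capwap(config_text)
    expected_times = 3 if dual_link else DEFAULT_ECHO_TIMES
    findings = []
    if not s["dtls_encrypt"]:
        findings.append("control tunnel is not DTLS-encrypted (the default)")
    if not s["dtls_psk_set"]:
        findings.append("DTLS still uses the documented default PSK huawei_seccwp")
    if s["default_psk_fallback"]:
        findings.append("AP may fall back to the default PSK after failed DTLS attempts")
    if s["echo_interval"] < DEFAULT_ECHO_INTERVAL or s["echo_times"] < expected_times:
        findings.append("heartbeat interval or count below default: link reliability degraded")
    if min(s["priority"].values()) < MIN_RECOMMENDED_PRIORITY:
        findings.append("management packet priority below the recommended range 4 to 7")
    return findings

# Constructed config excerpts (not captured from a device); the PSK value is a placeholder.
WEAK_CONFIG = " capwap dtls psk-mandatory-match enable\n capwap echo interval 10\n" \
              " capwap echo times 3\n capwap control-link-priority local 2\n"
HARDENED_CONFIG = " capwap dtls psk PLACEHOLDER-CONFIGURED-PSK\n capwap dtls control-link encrypt\n" \
                  " capwap echo interval 25\n capwap echo times 6\n"
```

Call audit(WEAK_CONFIG) and audit(HARDENED_CONFIG) to compare the two excerpts; pass dual_link=True when dual-link backup is enabled so that three heartbeat detections are treated as the default.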
Copyright © Huawei Technologies Co., Ltd.