Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

(Optional) Configuring CAPWAP Tunnel Parameters

Context

After an RU is powered on and obtains a central AP IP address, the RU begins to establish CAPWAP tunnels with the central AP.

The central AP sends management packets over the control tunnel to manage RUs in a centralized manner. To improve link reliability and prevent CAPWAP control tunnels from being terminated when the service traffic volume is high, configure a high priority for CAPWAP management packets.

CAPWAP tunnels use Datagram Transport Layer Security (DTLS) encryption, sensitive information encryption, integrity check, and heartbeat detection to ensure security.
  • DTLS encryption: When the RU establishes CAPWAP tunnels with the central AP, the RU determines whether to perform DTLS negotiation with the central AP. The DTLS protocol can be used to encrypt packets exchanged between the RU and central AP to ensure management packet integrity and privacy. Currently, the device can only encrypt management packets using the pre-shared key (PSK).
  • Sensitive information encryption: When sensitive information is transmitted between the RU and central AP, the information can be encrypted to ensure information security. Sensitive information includes the FTP user name, FTP password, RU login user name, RU login password, and service configuration key.
  • Integrity check: When CAPWAP packets are transmitted between the RU and central AP, these packets may be forged or tampered with, or attackers may construct malformed packets to launch attacks. Integrity check can protect CAPWAP packets between the RU and central AP.
  • Heartbeat detection: The RU and central AP periodically exchange Echo packets to determine whether the control tunnel is working properly and periodically exchange Keepalive packets to determine whether the data tunnel is working properly. If the RU or central AP does not receive any response from the other after Echo or Keepalive packets are sent for the specified number of times, the RU and central AP consider that the control or data tunnel is terminated. The tunnel needs to be re-established.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure CAPWAP tunnel parameters as required.

    • Configure the priority of CAPWAP management packets.

        Command: capwap control-link-priority { local | remote } priority-value

        By default, the priority of CAPWAP management packets is 7.

        A larger priority value indicates a higher priority and higher link reliability. The default value 7 is recommended.

        NOTICE: Configure priority 4 to 7 for CAPWAP management packets from a central AP to an RU to prevent the CAPWAP management tunnel from being interrupted due to large traffic.

    • Configure DTLS encryption.

        • Allow the RU to establish a DTLS session with the central AP using the default PSK.

            Command: capwap dtls psk-mandatory-match enable

            By default, an RU is not allowed to establish a DTLS session with a central AP using the default pre-shared key.

            An RU can use a default or configured PSK to establish a DTLS session with a central AP.

            If an RU is allowed to use the default PSK to establish a DTLS session with a central AP, and a PSK is configured for DTLS encryption, the following situations occur:
            • The RU uses the default PSK during login and uses the configured PSK for re-login after being restarted.
            • When the RU and central AP have different PSKs, the RU uses the default PSK to establish a DTLS session with the central AP after three consecutive attempts to establish a DTLS session.

            It is recommended that you change the pre-shared key in a timely manner to ensure device security.

        • Configure the PSK used for DTLS encryption.

            Command: capwap dtls psk psk-value

            By default, the pre-shared key used for DTLS encryption is huawei_seccwp.

        • Enable DTLS encryption for control tunnels.

            Command: capwap dtls control-link encrypt

            By default, the function of encrypting the CAPWAP control tunnel using DTLS is disabled.

    • Configure sensitive information encryption.

        • Configure the PSK used for sensitive information encryption.

            Command: capwap sensitive-info psk

            The default PSK used for sensitive information encryption is WLAN-KEYSTRING-AES256.

    • Configure integrity check.

        • Enable integrity check of CAPWAP packets.

            Command: undo capwap message-integrity check disable

            By default, integrity check of CAPWAP packets is enabled.

        • Configure a PSK for checking integrity of CAPWAP packets.

            Command: capwap message-integrity psk

            The default PSK for checking integrity of CAPWAP packets is huawei_seccwp.

    • Set the CAPWAP heartbeat detection.

        • Configure the heartbeat detection interval.

            Command: capwap echo interval interval-value

            By default, the CAPWAP heartbeat detection interval is 25s.

        • Configure the number of CAPWAP heartbeat detections.

            Command: capwap echo times times-value

            By default, a maximum of six CAPWAP heartbeat detections can be performed.

        The CAPWAP heartbeat detection interval sets the interval for sending Echo packets.

        The number of CAPWAP heartbeat detections sets the number of times Echo packets are sent.

        If no response is received after packets are sent for the specified number of times, the RU or central AP considers the link between them disconnected.

        If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat detections smaller than the default values, the CAPWAP link reliability is degraded. Exercise caution when you set the values. The default values are recommended.

        Radio traffic statistics packets are sent and received together with Echo packets.

Checking the Configuration

  • Run the display capwap configuration command to check CAPWAP configurations.
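
The following is an added example, not part of the original guide or Huawei tooling: a Python check that audits the CAPWAP lines of a configuration against the defaults and recommendations listed above (default PSKs left in place, control tunnel unencrypted, default-PSK fallback allowed, integrity check disabled, heartbeat or priority values below the stated ones). It assumes the configuration text lists the commands from this page verbatim; the function name and sample configurations are constructed for illustration.

```python
import re

# Commands/defaults are from this page. Assumption: the config lists them verbatim.
IF_ABSENT = {   # command missing from the config -> finding
    "capwap dtls control-link encrypt": "control tunnel not DTLS-encrypted (off by default)",
    "capwap dtls psk": "DTLS uses the documented default PSK",
    "capwap sensitive-info psk": "sensitive information uses the documented default PSK",
    "capwap message-integrity psk": "integrity check uses the documented default PSK",
}
IF_PRESENT = {  # command present in the config -> finding
    "capwap dtls psk-mandatory-match enable": "RU may fall back to the default DTLS PSK",
    "capwap message-integrity check disable": "CAPWAP integrity check is disabled",
}
MINIMUMS = [    # (line pattern, lowest acceptable value, finding)
    (r"capwap echo interval (\d+)", 25, "echo interval below the default of 25s"),
    (r"capwap echo times (\d+)", 6, "echo count below the default of 6"),
    (r"capwap control-link-priority (?:local|remote) (\d+)", 4, "priority below 4"),
]

def audit_capwap(config_text):
    """Return the list of findings for the CAPWAP lines of one configuration."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    def has(cmd):  # the bare command, or the command followed by arguments
        return any(ln == cmd or ln.startswith(cmd + " ") for ln in lines)
    findings = [msg for cmd, msg in IF_ABSENT.items() if not has(cmd)]
    findings += [msg for cmd, msg in IF_PRESENT.items() if has(cmd)]
    for pattern, minimum, msg in MINIMUMS:
        for ln in lines:
            m = re.fullmatch(pattern, ln)
            if m and int(m.group(1)) < minimum:
                findings.append(msg)
    return findings

# Constructed samples, not device output; PSK arguments are placeholders.
WEAK = """
capwap dtls psk-mandatory-match enable
capwap message-integrity check disable
capwap echo interval 10
"""
HARDENED = """
capwap dtls psk <placeholder>
capwap dtls control-link encrypt
capwap sensitive-info psk <placeholder>
capwap message-integrity psk <placeholder>
capwap control-link-priority local 7
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_capwap(cfg) or "no findings")
```

Because the default PSKs are printed in this guide, a configuration with no PSK commands is reported even when DTLS encryption and integrity check are enabled.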
Updated: 2019-01-11

Document ID: EDOC1000176006
