WLAN - CAPWAP tunnel establishment process

Basic concept of CAPWAP

CAPWAP stands for Control And Provisioning of Wireless Access Points; the protocol is defined in the CAPWAP Protocol Specification

The main function of the CAPWAP protocol

1. An AP can automatically discover an AC through CAPWAP

2. The AC manages the AP through the CAPWAP protocol and delivers service configuration to it

3. STA data can be forwarded encapsulated in CAPWAP

Port number of the CAPWAP tunnel

CAPWAP tunnels are mainly divided into control tunnels and data tunnels

Control tunnel: used for interaction between the AP and the AC; it manages the AP

AP's UDP port ↔ AC's UDP 5246

Used by the AC to deliver configuration and version information to the AP

Data tunnel: used for interaction between wireless users and the AC; it forwards user service data

AP's UDP port ↔ AC's UDP 5247

Carries the data wireless users send to access the Internet and the data exchanged when wireless users associate with the wireless signal

Forwarding mode of CAPWAP tunnel

A CAPWAP tunnel has two forwarding modes: direct forwarding and tunnel forwarding

Some basic concepts first

Management VLAN

The VLAN from which the AC sources the CAPWAP tunnel

Also the VLAN in which the AP's IP address resides (the AP's address can be assigned by the AC, a switch, or a router)

If the AC assigns the AP's IP address, the VLAN of the AP's IP address is the VLAN from which the AC sources the tunnel.

If the AC does not assign the AP's IP address, the AP's IP address and the AC's tunnel source need not be on the same network segment (not in the same VLAN)

Service VLAN

The VLAN in which the STA's address resides (can be assigned by the AC, a switch, or a router)

Direct forwarding (local forwarding)

The AC only manages the AP; wireless service data is not encapsulated in CAPWAP and sent to the AC, but is forwarded locally

STA data leaving the AP carries the service VLAN tag, and its source and destination IP addresses are still the STA's own source and destination (that is, the packet is unchanged)

The interface between the AC and SWB is a trunk port that permits the management VLAN

The interface connecting SWA and SWB is a trunk port that permits the management VLAN and the service VLAN

The interface connecting SWA to the AP is a trunk port whose PVID is the management VLAN; it permits the management VLAN and the service VLAN

The interface connecting SWB to the router is a trunk port that permits the service VLAN

Tunnel forwarding (centralized forwarding)

In addition to managing APs, the AC also serves as the forwarding center for wireless service traffic.

Service data packets are encapsulated by the AP and sent to the AC, which decapsulates them and sends them on; this is how forwarding is achieved

STA data leaving the AP carries the tag of the VLAN in which the AP resides; the source IP is the AP's address and the destination IP is the AC's tunnel source address

The interface between the AC and SWB is a trunk port that permits the service VLAN and the management VLAN

The interface connecting SWA and SWB is a trunk port that permits the management VLAN

The interface connecting SWA to the AP is an access port whose PVID is the management VLAN

The interface connecting SWB to the router is a trunk port that permits the service VLAN

The difference between the two modes

Direct forwarding

High forwarding efficiency and easy fault location; packets do not need to be encapsulated and decapsulated repeatedly

Weaker security; service data is not convenient to manage and control centrally

Tunnel forwarding

Service data is encrypted with CAPWAP DTLS, giving higher security, and service data is convenient to manage and control centrally

Service data must pass through the AC, so forwarding efficiency is lower and fault location is less convenient


CAPWAP Tunnel Establishment

The AC uses a tunnel address to establish the tunnel with the AP; this tunnel address must be configured on the AC.

Ruijie: by default the tunnel address is the Loop0 interface address
ac-controller
  capwap ctrl-ip 192.168.1.1       This command changes the tunnel source to the specified address

Huawei
  capwap source int vlanif 100     This command changes the tunnel source to the address of this Vlanif (this VLAN is the management VLAN)

The process of establishing a CAPWAP tunnel

1. The AP interface obtains an IP address

The IP address can be obtained statically, through DHCP, or through SLAAC (IPv6 stateless address autoconfiguration)

By default the AP interface obtains its IP address through DHCP

Explanation of DHCP and DHCPv6

2. The AP discovers the AC (Discover message)

The AP can obtain the AC's address statically or through DHCP, DNS, broadcast, or multicast (224.0.1.140)

When DHCP is used, Huawei carries the AC's IP address in option 43, and Ruijie carries it in option 138 (later Ruijie devices also support option 43)

The AP sends Discover packets by broadcast, multicast, and unicast to discover the AC.

If an AC responds to the Discover message, the AP adds that AC's address to its AC list and assigns it a priority (a smaller value means a higher priority); the AP then selects the best AC and establishes a CAPWAP tunnel with it

An AC address obtained dynamically through DHCP, whose AC responds, has priority 8

An AC address specified statically, whose AC responds, has priority 7

ACs discovered through broadcast and multicast have priority 9

Configuration for the AP to obtain its IP address and the AC's address

Ruijie

Ruijie: statically configure the AP's IP address and the AC's IP address (configured on the AP)

apip ipv4 192.168.1.2 255.255.255.0 192.168.1.1

acip ipv4 1.1.1.1

Ruijie: deliver the AC's IP address dynamically (configured on the AC)

ip dhcp pool pool1

 option 138 ip 1.1.1.1
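As an added example (not from the original post), the following Python parses DHCP option 138 as defined in RFC 5417 (a list of 4-byte IPv4 AC addresses, the option the Ruijie pool above delivers) and then applies the AC-list priorities from the discovery step (static 7, DHCP 8, broadcast/multicast 9) to pick the AC to join. The option blob, the candidate AC addresses and which ACs "responded" are constructed for the demo.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Priorities exactly as listed in the discovery step: a smaller value wins.
PRIORITY = {"static": 7, "dhcp": 8, "broadcast": 9, "multicast": 9}


def parse_option_138(options: bytes) -> List[str]:
    """Walk a DHCP options blob (TLV; code 0 = pad, 255 = end) and return the
    IPv4 addresses carried in option 138 (CAPWAP AC addresses, RFC 5417)."""
    acs, i = [], 0
    while i < len(options):
        code = options[i]
        if code == 0:          # pad byte, has no length field
            i += 1
            continue
        if code == 255:        # end of options
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == 138:
            if length % 4 != 0 or len(value) != length:
                raise ValueError("malformed option 138")
            acs += [str(ipaddress.IPv4Address(value[j:j + 4]))
                    for j in range(0, length, 4)]
        i += 2 + length
    return acs


def select_ac(candidates: List[Tuple[str, str]], responded: Set[str]) -> Optional[str]:
    """candidates: (ac_ip, how_discovered). Only ACs that answered the Discover
    message enter the AC list; the best one has the lowest priority value
    (ties are broken by address so the result is deterministic)."""
    ac_list = [(PRIORITY[how], ip) for ip, how in candidates if ip in responded]
    return min(ac_list)[1] if ac_list else None


# Constructed sample options: subnet mask (option 1), option 138 carrying two AC
# addresses (the 1.1.1.1 from the pool above plus a second AC), then the end marker.
SAMPLE_OPTIONS = (bytes([1, 4, 255, 255, 255, 0])
                  + bytes([138, 8]) + ipaddress.IPv4Address("1.1.1.1").packed
                  + ipaddress.IPv4Address("1.1.1.2").packed
                  + bytes([255]))


def demo() -> Optional[str]:
    """Constructed scenario: 1.1.1.1 and the static AC stay silent, so the
    DHCP-learned 1.1.1.2 (priority 8) beats the multicast-discovered AC (priority 9)."""
    candidates = [(ip, "dhcp") for ip in parse_option_138(SAMPLE_OPTIONS)]
    candidates += [("10.0.0.9", "static"), ("10.0.0.20", "multicast")]
    return select_ac(candidates, responded={"1.1.1.2", "10.0.0.20"})
```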

3. The AP and AC perform the DTLS handshake

The AP establishes a CAPWAP tunnel with the optimal AC. At this stage the two sides mainly negotiate whether DTLS encryption is required.

If DTLS encryption is enabled, subsequent messages are transmitted under DTLS encryption

Control packet encryption

Huawei devices: enabled by default

Changing the DTLS password used for control packet encryption on Huawei devices

AC side: capwap dtls psk admin                 configure the DTLS password

          capwap dtls control-link encrypt      enable control packet encryption

AP side: capwap dtls psk cipher admin          configure the DTLS password

Ruijie devices: enabled by default

Data packet encryption

Huawei devices: not enabled by default

DTLS encryption of the data channel can be enabled with capwap dtls data-link encrypt

Ruijie devices: enabled by default
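As an added example (not from the original post), this Python classifies UDP datagrams sent to an AC by tunnel port (5246 control, 5247 data) and by the CAPWAP preamble type from RFC 5415 (0 = cleartext CAPWAP header, 1 = DTLS-protected), so an operator can check whether a data tunnel has been left unencrypted, which is the Huawei default noted above. The two sample datagrams are constructed.

```python
from typing import Dict, Iterable, List, Tuple

CONTROL_PORT, DATA_PORT = 5246, 5247


def classify_capwap(dst_port: int, payload: bytes) -> Dict[str, object]:
    """Classify one UDP datagram sent to the AC: which tunnel it belongs to and
    whether it is DTLS-protected (preamble type 1) or a cleartext CAPWAP
    header (preamble type 0, RFC 5415 section 4.3)."""
    if dst_port not in (CONTROL_PORT, DATA_PORT):
        return {"channel": None}
    channel = "control" if dst_port == CONTROL_PORT else "data"
    if len(payload) < 4:
        raise ValueError("truncated CAPWAP preamble")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F   # preamble byte
    if version != 0 or ptype not in (0, 1):
        raise ValueError(f"not CAPWAP: version={version} type={ptype}")
    if ptype == 1:
        return {"channel": channel, "dtls": True}
    hlen = (payload[1] >> 3) & 0x1F      # HLEN: header length in 4-byte words
    return {"channel": channel, "dtls": False, "header_len": hlen * 4}


def audit(datagrams: Iterable[Tuple[int, bytes]]) -> List[str]:
    """Return one finding per datagram that carries cleartext CAPWAP."""
    findings = []
    for dst_port, payload in datagrams:
        info = classify_capwap(dst_port, payload)
        if info["channel"] and not info["dtls"]:
            findings.append(f"cleartext CAPWAP on {info['channel']} channel (udp/{dst_port})")
    return findings


# Constructed samples: a DTLS-protected control-channel datagram (type 1 preamble,
# 3 reserved bytes, then the start of a DTLS record) and a cleartext data-channel
# datagram (type 0 preamble, HLEN = 2 words = 8 bytes, remaining fields zero).
DTLS_CONTROL = bytes([0x01, 0x00, 0x00, 0x00]) + bytes([0x16, 0xFE, 0xFD])
CLEAR_DATA = bytes([0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
```

Discovery Request/Response on the control port precede the DTLS handshake and are legitimately cleartext, so control-channel findings during discovery are expected; persistent cleartext on udp/5247 is the case to investigate.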

4. The AP joins the AC and requests access (Join message)

The AP sends a Join message to request to join the AC; after confirming that the AP passes authentication, the AC responds with a Join message

During this exchange, the Join message returned by the AC carries information such as the AP software version required by the user and the control message priority

Modes in which the AC authenticates the AP: MAC authentication, SN (serial number) authentication, no authentication

5. AP version upgrade (Image Data message)

After joining the AC, the AP checks against the information in the AC's Join message whether its own version is the latest (if the AC holds the AP's software version and automatic upgrade is enabled, the AC sends the software version to the AP in Image Data messages to update it)

After the upgrade (whether or not it succeeds), the AP restarts and then repeats the process of discovering the AC, establishing a CAPWAP tunnel, and joining the AC

Note

The AC sends the upgrade image to the AP through CAPWAP control packets, not CAPWAP data packets

6. The AP requests the AC to deliver configuration (Configuration message)

The Configuration message sent by the AP contains the AP's existing configuration

If the AP's current configuration does not meet the AC's requirements, the AC notifies the AP through a Configuration message

7. AP configuration confirmation (Data Check message)

After receiving the Configuration message from the AC, the AP changes its own configuration.

When the configuration change is complete, the AP sends a Data Check to the AC (containing information such as radio, result, and code)

The AC responds to the Data Check message after receiving it

8. The data tunnel is established successfully (Keepalive message)

The AP sends a Keepalive message, and the AC responds to it after receiving it, which indicates that the data tunnel has been established successfully.

At this point the AP enters the normal (Run) state and starts working normally.

9. The control tunnel is established successfully (Echo message)

After the AP enters the Run state, it sends an Echo message to the AC, announcing the establishment of the CAPWAP control tunnel

The AC responds to the Echo message after receiving it, and the CAPWAP control tunnel is established successfully.

10. CAPWAP tunnel maintenance (Keepalive and Echo messages)

Service (data) plane: Keepalive packets are sent every 30 seconds to keep the tunnel alive (the interval may differ between vendors)

Control plane: Echo messages are sent every 30 seconds to keep the tunnel alive (the interval may differ between vendors)

Precautions

An AP can discover multiple ACs, but can join only one AC

States of CAPWAP tunnel establishment

IDLE

Initialization state

Discovery

The state in which the AP discovers the AC (if the AC is statically specified on the AP, this state can be skipped)

The AP sends a Discovery Request message and enters the Discovery state

After receiving the Discovery Request message, the AC enters the Discovery state and sends a Discovery Response message

DTLS state

After the AP receives the Discovery Response message, the DTLS handshake between the AP and the AC starts and both enter the DTLS state, which is subdivided into the DTLS Setup, Authorize, and DTLS Connect states

DTLS Setup state: DTLS establishment has started

Authorize state: the DTLS session is being authenticated (certificate authentication)

DTLS Connect state: DTLS authentication has passed and the DTLS connection is established

Join state

When the DTLS handshake between the AP and the AC succeeds, the AP enters the Join state and sends a Join Request message

After receiving the Join Request message from the AP, the AC enters the Join state and responds with a Join Response message.

Image Data state

After receiving the Join Response message, the AP first compares its currently running software version with the version required by the AC. If they differ, it sends an Image Data Request message to request an automatic upgrade and enters the Image Data state (if the versions match, or the Join message shows that the AC does not check the software version, the AP jumps directly to the Config state)

After receiving the Image Data Request message, the AC enters the Image Data state, responds with an Image Data Response message, and sends the AP its software version

Config state

After the AP has upgraded and restarted (or when its version is already the latest and no upgrade was needed) and has received the Join Response message from the AC, it sends a Config Status Request message and enters the Config state.

After receiving the Config Status Request message, the AC enters the Config state and responds with a Config Status Response message

Data Check state

After receiving the Config Status Response message, the AP enters the Data Check state and sends a Change State Event Request message

After receiving the Change State Event Request message, the AC enters the Data Check state and responds with a Change State Event Response message

Run state

After the AP receives the Change State Event Response message, it enters the Run state; it starts creating the data tunnel and sends the data channel keep-alive message (Keepalive) at regular intervals

After receiving the first Keepalive message, the AC enters the Run state and responds to the Keepalive message

Once the AP and AC have established the data tunnel, they exchange Echo messages to establish the control tunnel and keep it alive.
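As an added example (not from the original post), this Python models the AP-side state machine described by the establishment steps and the state list above, driven by the messages the AC returns: Discovery is skipped when the AC is statically specified, Image Data is entered only when the running version differs from the version the AC requires (and skipped when the AC does not check versions), and a completed upgrade reboots the AP back to IDLE so the whole sequence repeats. The message strings and the `check_version` / `required_version` fields are assumptions made to drive the model, not any vendor's API.

```python
from typing import Optional


class CapwapAP:
    """AP-side CAPWAP establishment state machine; state names follow the list above."""

    # (current state, message from AC) -> next state
    TRANSITIONS = {
        ("Discovery", "Discovery Response"): "DTLS Setup",
        ("DTLS Setup", "DTLS Authorize"): "DTLS Authorize",
        ("DTLS Authorize", "DTLS Connect"): "DTLS Connect",
        ("Config", "Config Status Response"): "Data Check",
        ("Data Check", "Change State Event Response"): "Run",
    }

    def __init__(self, running_version: str, static_ac: Optional[str] = None):
        self.running_version = running_version
        self.static_ac = static_ac
        self.trace = []
        self._go("IDLE")

    def _go(self, state: str) -> str:
        self.state = state
        self.trace.append(state)
        return state

    def power_on(self) -> str:
        # A statically specified AC lets the AP skip the Discovery state
        return self._go("DTLS Setup" if self.static_ac else "Discovery")

    def receive(self, msg: str, **info) -> str:
        """Apply one message from the AC and return the AP's new state."""
        key = (self.state, msg)
        if key in self.TRANSITIONS:
            nxt = self._go(self.TRANSITIONS[key])
            # DTLS handshake done: the AP enters Join and sends a Join Request
            return self._go("Join") if nxt == "DTLS Connect" else nxt
        if key == ("Join", "Join Response"):
            needs_upgrade = info.get("check_version", True) and \
                info["required_version"] != self.running_version
            return self._go("Image Data" if needs_upgrade else "Config")
        if key == ("Image Data", "Image Data Response"):
            self.running_version = info["version"]   # new image installed ...
            return self._go("IDLE")                   # ... then the AP reboots and rediscovers
        if self.state == "Run" and msg in ("Keepalive Response", "Echo Response"):
            return self.state                         # tunnel maintenance, no state change
        raise RuntimeError(f"{msg} unexpected in state {self.state}")
```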

Troubleshooting when a thin AP fails to go online

 1. Whether the AP has obtained an IP address (connect a computer directly to the AP to check, or connect a computer in place of the AP to the same network and check whether the computer obtains an address)

 2. Whether the AP has obtained the AC's address (log in to the AP and check with commands, or check whether DHCP is configured with option 138 or option 43)

 3. Check whether the AP and AC can reach each other, and whether the tunnel address configured on the AC matches the AC address obtained by the AP

 4. Check whether there is a problem with the AC's license (whether the number of managed APs has reached the upper limit)

 5. Whether the AP's software version meets the requirements

 6. Whether there is a firewall in the path, and whether the CAPWAP UDP ports are open

Origin blog.csdn.net/m0_49864110/article/details/132257205