CAPWAP
Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate with the controller and other lightweight access points on the network.
CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points. CAPWAP is implemented in the controller for these reasons:
- To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP
- To manage RFID readers and similar devices
- To enable controllers to interoperate with third-party access points in the future
LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware downloading process when using CAPWAP are the same as when using LWAPP. The one exception is for Layer 2 deployments, which are not supported by CAPWAP.
You can deploy CAPWAP controllers and LWAPP controllers on the same network. The CAPWAP-enabled software allows access points to join either a controller running CAPWAP or LWAPP.
The following are some guidelines that you must follow for access point communication protocols:
- If your firewall is currently configured to allow traffic only from access points using LWAPP, you must change the rules of the firewall to allow traffic from access points using CAPWAP.
- Ensure that the CAPWAP UDP ports 5246 (control) and 5247 (data) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller. These take the place of the LWAPP UDP ports 12222 (data) and 12223 (control).
- If access control lists (ACLs) are in the control path between the controller and its access points, you need to open the CAPWAP UDP ports in those ACLs to prevent access points from being stranded.
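Once the CAPWAP ports are open, the next thing a practitioner usually wants is to look at what actually crosses them. The following Python is an added example, not code from the Cisco guide: it decodes the CAPWAP transport header and control-message header as laid out in RFC 5415 and flags control messages that appear in cleartext even though the RFC only allows Discovery and Primary Discovery outside the DTLS session. The sample payloads are hand-built for the example rather than taken from a capture, and the assumption that a cleartext data channel on UDP 5247 is normal (data DTLS is optional on the controller) is stated in the code.

```python
"""Classify UDP payloads seen on the CAPWAP ports (RFC 5415 header layout)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT = 5246, 5247

# RFC 5415 section 4.5.1.1 control message types (IANA enterprise number 0).
CONTROL_MESSAGE_TYPES = {
    1: "Discovery Request", 2: "Discovery Response", 3: "Join Request", 4: "Join Response",
    5: "Configuration Status Request", 6: "Configuration Status Response",
    7: "Configuration Update Request", 8: "Configuration Update Response",
    9: "WTP Event Request", 10: "WTP Event Response", 11: "Change State Event Request",
    12: "Change State Event Response", 13: "Echo Request", 14: "Echo Response",
    15: "Image Data Request", 16: "Image Data Response", 17: "Reset Request", 18: "Reset Response",
    19: "Primary Discovery Request", 20: "Primary Discovery Response",
    21: "Data Transfer Request", 22: "Data Transfer Response",
    23: "Clear Configuration Request", 24: "Clear Configuration Response",
    25: "Station Configuration Request", 26: "Station Configuration Response",
}
# RFC 5415 section 2.3.1: only Discovery and Primary Discovery may be sent in
# the clear; every other control message must be inside the DTLS session.
CLEARTEXT_ALLOWED = {1, 2, 19, 20}
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


@dataclass
class CapwapSummary:
    port: int
    transport: str          # "capwap" (cleartext header) or "dtls"
    message: Optional[str]  # control message name or DTLS record type
    keepalive: bool         # data-channel keepalive (K bit) present
    verdict: str            # "ok" or a short anomaly description


def parse_capwap(port: int, payload: bytes) -> CapwapSummary:
    """Decode one UDP payload and judge whether it is expected on that port."""
    if len(payload) < 8:
        raise ValueError("payload too short for a CAPWAP header")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0 or ptype > 1:
        raise ValueError(f"unknown CAPWAP preamble {payload[0]:#04x}")
    if ptype == 1:
        # DTLS header: preamble, 3 reserved bytes, then a DTLS record
        # (content type, version, epoch, sequence, length, fragment).
        if len(payload) < 4 + 13:
            raise ValueError("truncated DTLS record")
        kind = DTLS_CONTENT_TYPES.get(payload[4], f"type {payload[4]}")
        desc = f"DTLS {kind} (version {payload[5]:#x}.{payload[6]:#x})"
        return CapwapSummary(port, "dtls", desc, False, "ok")

    # Bits 8..31 of the first word: HLEN(5) RID(5) WBID(5) T F L W M K Flags(3).
    word = int.from_bytes(payload[1:4], "big")
    hlen = (word >> 19) & 0x1F      # header length in 4-byte words
    k_bit = bool((word >> 3) & 1)   # K: data-channel keepalive
    header_len = hlen * 4
    if hlen < 2 or len(payload) < header_len:
        raise ValueError(f"bad HLEN {hlen} for {len(payload)}-byte payload")
    if port != CAPWAP_CONTROL_PORT:
        # Assumption: a cleartext data channel is normal unless data DTLS is enabled.
        verdict = "ok" if port == CAPWAP_DATA_PORT else f"CAPWAP header on unexpected port {port}"
        return CapwapSummary(port, "capwap", None, k_bit, verdict)

    # Control channel: Message Type(32) Seq Num(8) Msg Element Length(16) Flags(8).
    if len(payload) < header_len + 8:
        raise ValueError("truncated CAPWAP control header")
    msg_type, seq, _elem_len, _flags = struct.unpack_from("!IBHB", payload, header_len)
    name = CONTROL_MESSAGE_TYPES.get(msg_type, f"type {msg_type}")
    if msg_type in CLEARTEXT_ALLOWED:
        return CapwapSummary(port, "capwap", name, False, "ok")
    return CapwapSummary(port, "capwap", name, False,
                         f"cleartext {name} (seq {seq}) outside DTLS session")


def triage(packets: List[Tuple[int, bytes]]) -> List[str]:
    """One line per packet; anything that breaks the RFC's rules is an ALERT."""
    lines = []
    for port, payload in packets:
        s = parse_capwap(port, payload)
        desc = s.message or ("data keepalive" if s.keepalive else "data frame")
        tag, note = ("ok   ", "") if s.verdict == "ok" else ("ALERT", f" -- {s.verdict}")
        lines.append(f"{tag} udp/{port} {s.transport}: {desc}{note}")
    return lines


# Constructed sample payloads (hand-built for this example, not a real capture).
DISCOVERY_REQUEST = bytes.fromhex(
    "00" "100200" "0000" "0000"     # preamble 0, HLEN=2 words, WBID=1 (802.11)
    "00000001" "00" "0005" "00"     # Discovery Request, seq 0, 5 bytes of elements
    "0014" "0001" "02")             # Discovery Type element: DHCP
JOIN_REQUEST_CLEAR = bytes.fromhex(
    "00" "100200" "0000" "0000"
    "00000003" "01" "0000" "00")    # Join Request without DTLS: must not happen
DTLS_CONTROL = bytes.fromhex(
    "01" "000000"                   # preamble type 1 = DTLS header
    "17" "fefd" "0001" "000000000001" "0004" "deadbeef")  # DTLS 1.2 app data
DATA_KEEPALIVE = bytes.fromhex(
    "00" "100208" "0000" "0000"     # K bit set on the data channel
    "000c" "0023" "0008" "0102030405060708")  # Session ID element
SAMPLE_CAPTURE = [(CAPWAP_CONTROL_PORT, DISCOVERY_REQUEST), (CAPWAP_CONTROL_PORT, DTLS_CONTROL),
                  (CAPWAP_CONTROL_PORT, JOIN_REQUEST_CLEAR), (CAPWAP_DATA_PORT, DATA_KEEPALIVE)]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_CAPTURE)))
```

Feed it the UDP payloads from a capture taken on the controller's management VLAN (for example, exported from a packet capture on ports 5246 and 5247) and the ALERT lines point at control traffic that bypassed DTLS: a cleartext Join Request on 5246 is either a broken join that the debug capwap errors command will also show, or something impersonating an access point or controller.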
Restrictions for Access Point Communication Protocols
- On virtual controller platforms, per-client downstream rate limiting is not supported in FlexConnect central switching.
- Rate limiting applies to all traffic destined to the CPU from either direction (wireless or wired). We recommend that you always run the controller with the default config advanced rate enable command in effect, so that traffic to the controller CPU is rate limited and the controller is protected against denial-of-service (DoS) attacks. You can use the config advanced rate disable command to stop rate limiting of Internet Control Message Protocol (ICMP) echo responses for testing purposes, but reapply the config advanced rate enable command after testing is complete.
- Ensure that the controllers are configured with the correct date and time. The controller checks the access point's certificate during the join, so if the controller clock is set earlier than the date on which the certificates on the access points were created and installed, the certificate is treated as not yet valid and the access point fails to join the controller. Keeping the controller clock synchronized (for example, with NTP) avoids this failure.
Viewing CAPWAP Maximum Transmission Unit Information
See the maximum transmission unit (MTU) for the CAPWAP path on the controller by entering this command:
show ap config general Cisco_AP
The MTU specifies the maximum size of any packet (in bytes) in a transmission.
Information similar to the following appears:
Cisco AP Identifier.............................. 9
Cisco AP Name.................................... Maria-1250
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 1
MAC Address...................................... 00:1f:ca:bd:bc:7c
IP Address Configuration......................... DHCP
IP Address....................................... 1.100.163.193
IP NetMask....................................... 255.255.255.0
CAPWAP Path MTU.................................. 1485
Debugging CAPWAP
Use these commands to obtain CAPWAP debug information:
- debug capwap events {enable | disable} —Enables or disables debugging of CAPWAP events.
- debug capwap errors {enable | disable} —Enables or disables debugging of CAPWAP errors.
- debug capwap detail {enable | disable} —Enables or disables debugging of CAPWAP details.
- debug capwap info {enable | disable} —Enables or disables debugging of CAPWAP information.
- debug capwap packet {enable | disable} —Enables or disables debugging of CAPWAP packets.
- debug capwap payload {enable | disable} —Enables or disables debugging of CAPWAP payloads.
- debug capwap hexdump {enable | disable} —Enables or disables debugging of the CAPWAP hexadecimal dump.
- debug capwap dtls-keepalive {enable | disable} —Enables or disables debugging of CAPWAP DTLS data keepalive packets.