CAPWAP Operation
CAPWAP (Control and Provisioning of Wireless Access Points) is an IETF standard protocol (RFC 5415) that enables a Wireless LAN Controller (WLC) to manage and configure multiple Access Points (APs) and the Wireless LANs they serve.
CAPWAP also handles the encapsulation and forwarding of client traffic between an AP and its WLC.
The protocol is based on LWAPP (Lightweight Access Point Protocol) but adds security in the form of DTLS (Datagram Transport Layer Security). CAPWAP establishes two tunnels, a control tunnel on UDP port 5246 and a data tunnel on UDP port 5247, for both IPv4 and IPv6; the two address families do, however, use different transport protocols in the IP header: over IPv4 CAPWAP runs on IP protocol 17 (UDP), whereas over IPv6 it runs on IP protocol 136 (UDP-Lite). Firewall rules and capture filters written only for UDP will therefore miss IPv6 CAPWAP carried in UDP-Lite.
Split MAC Architecture
CAPWAP operates on the concept of a split MAC (Media Access Control): the functions usually performed entirely by an autonomous AP are divided between two functional components, the AP and the WLC, as follows:

| AP MAC Functions | WLC MAC Functions |
|---|---|
| Beacon and Probe Responses | Authentication |
| Packet Acknowledgements and Re-transmissions | Association and Re-association of Roaming Clients |
| Frame Queueing and Packet Prioritization | Frame Translation to other Protocols |
| MAC Layer Data Encryption and Decryption | Termination of 802.11 traffic on a wired interface |

DTLS Encryption
Datagram Transport Layer Security (DTLS) is the protocol that secures the link between Access Points (APs) and Wireless LAN Controllers (WLCs). It encrypts and authenticates the CAPWAP exchange between the two, preventing eavesdropping and tampering.
DTLS is enabled by default on the CAPWAP control channel and disabled by default on the data channel.
All CAPWAP management and control traffic exchanged between an AP and a WLC is therefore encrypted out of the box, which provides control-plane privacy and protects the AP-to-WLC control session against Man In The Middle (MITM) attacks.
Data encryption, on the other hand, is optional and is enabled per AP. A DTLS license must be installed on the WLC before data encryption can be enabled on any of its APs. Once enabled, all wireless client traffic is encrypted at the AP before being forwarded to the WLC, and vice versa. The caveat is what the default leaves unprotected: in the split MAC model the AP performs the 802.11 encryption and decryption, so with data DTLS left off, client frames travel the wired path between AP and WLC in the clear, and anyone positioned on that path can read or alter them. Data DTLS is worth enabling wherever that path is not trusted.
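The port numbers given under CAPWAP Operation and the DTLS defaults described above can be checked directly on the wire. The Python below is an added example, not code from the original page or from any WLC vendor: it parses the CAPWAP preamble and transport header defined in RFC 5415 section 4, classifies each datagram as control or data by UDP destination port and as DTLS-protected or cleartext by the preamble type, and tallies a capture so that client frames crossing the data channel unencrypted stand out. The header builders, the sample datagrams and the placeholder 802.11 frame are constructed for this example. Reading the DTLS version out of the record header goes slightly beyond the page, as a quick check that a channel is not negotiating DTLS 1.0.

```python
# CAPWAP datagram classifier (RFC 5415 section 4). Added example, not code from the page.
from dataclasses import dataclass
from typing import List, Optional, Tuple

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247
PREAMBLE_TYPE_CAPWAP = 0   # cleartext CAPWAP transport header follows (RFC 5415 4.1)
PREAMBLE_TYPE_DTLS = 1     # CAPWAP DTLS header, then a DTLS record, follows (4.2)
WBID_IEEE_80211 = 1        # wireless binding ID for IEEE 802.11
DTLS_VERSIONS = {b"\xfe\xff": "1.0", b"\xfe\xfd": "1.2"}   # DTLS record-layer versions


@dataclass
class CapwapInfo:
    channel: str                          # "control" (5246) or "data" (5247)
    dtls: bool                            # payload is DTLS-protected
    dtls_version: Optional[str] = None
    hlen_bytes: Optional[int] = None
    rid: Optional[int] = None
    wbid: Optional[int] = None
    native_80211: Optional[bool] = None   # T flag: payload is a native 802.11 frame
    fragment: Optional[bool] = None       # F flag
    keepalive: Optional[bool] = None      # K flag: data-channel keep-alive
    radio_mac: Optional[bytes] = None     # present when the M flag is set


def parse_capwap(udp_dst_port: int, payload: bytes) -> CapwapInfo:
    """Parse the CAPWAP preamble and, for cleartext datagrams, the transport header."""
    if udp_dst_port == CAPWAP_CONTROL_PORT:
        channel = "control"
    elif udp_dst_port == CAPWAP_DATA_PORT:
        channel = "data"
    else:
        raise ValueError(f"UDP port {udp_dst_port} is not a CAPWAP port")
    if len(payload) < 4:
        raise ValueError("truncated CAPWAP preamble")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    if ptype == PREAMBLE_TYPE_DTLS:
        # 1-byte preamble + 3 reserved bytes, then a DTLS record; without the session
        # keys nothing beyond the DTLS record header is readable.
        ver = DTLS_VERSIONS.get(bytes(payload[5:7])) if len(payload) >= 7 else None
        return CapwapInfo(channel=channel, dtls=True, dtls_version=ver)
    if ptype != PREAMBLE_TYPE_CAPWAP:
        raise ValueError(f"unknown CAPWAP preamble type {ptype}")
    if len(payload) < 8:
        raise ValueError("truncated CAPWAP transport header")
    # Bytes 1-3 (RFC 5415 4.3): HLEN(5) RID(5) WBID(5) T F L W M K Flags(3)
    bits = int.from_bytes(payload[1:4], "big")
    hlen_bytes = ((bits >> 19) & 0x1F) * 4        # HLEN counts 4-byte words
    if hlen_bytes < 8 or len(payload) < hlen_bytes:
        raise ValueError(f"bad HLEN: header {hlen_bytes} bytes, payload {len(payload)}")
    # M flag set: optional Radio MAC field at offset 8, 1-byte length then the address
    radio_mac = bytes(payload[9:9 + payload[8]]) if (bits >> 4) & 1 else None
    return CapwapInfo(
        channel=channel, dtls=False, hlen_bytes=hlen_bytes,
        rid=(bits >> 14) & 0x1F, wbid=(bits >> 9) & 0x1F,
        native_80211=bool((bits >> 8) & 1), fragment=bool((bits >> 7) & 1),
        keepalive=bool((bits >> 3) & 1), radio_mac=radio_mac)


def build_capwap_header(*, wbid: int = WBID_IEEE_80211, rid: int = 0, native_80211: bool = True,
                        keepalive: bool = False, radio_mac: Optional[bytes] = None) -> bytes:
    """Constructed helper: a cleartext CAPWAP transport header, unfragmented, no WSI."""
    opt = b""
    if radio_mac is not None:
        opt = bytes([len(radio_mac)]) + radio_mac
        opt += b"\x00" * (-len(opt) % 4)            # pad to a 4-byte boundary
    bits = (((8 + len(opt)) // 4) << 19) | (rid << 14) | (wbid << 9)
    bits |= (int(native_80211) << 8) | (int(radio_mac is not None) << 4) | (int(keepalive) << 3)
    return bytes([PREAMBLE_TYPE_CAPWAP]) + bits.to_bytes(3, "big") + b"\x00" * 4 + opt


def build_dtls_record(ciphertext: bytes, epoch: int = 1, seq: int = 1) -> bytes:
    """Constructed helper: CAPWAP DTLS header plus a DTLS 1.2 application_data record header."""
    header = bytes([PREAMBLE_TYPE_DTLS]) + b"\x00\x00\x00"
    return (header + b"\x17\xfe\xfd" + epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")
            + len(ciphertext).to_bytes(2, "big") + ciphertext)


def audit(datagrams: List[Tuple[int, bytes]]) -> dict:
    """Per channel: DTLS-protected, cleartext keep-alives (no client payload), or cleartext."""
    report = {"control": {"dtls": 0, "cleartext": 0},
              "data": {"dtls": 0, "keepalive": 0, "cleartext": 0}}
    for port, payload in datagrams:
        info = parse_capwap(port, payload)
        if info.dtls:
            report[info.channel]["dtls"] += 1
        elif info.channel == "data" and info.keepalive:
            report["data"]["keepalive"] += 1
        else:
            report[info.channel]["cleartext"] += 1
    return report


# Constructed sample capture: DTLS on control (the default), data DTLS off on one
# AP, and a placeholder 802.11 data frame standing in for real client traffic.
FAKE_80211_FRAME = b"\x08\x02" + b"\x00" * 22 + b"client payload"
SAMPLE_DATAGRAMS = [
    (CAPWAP_CONTROL_PORT, build_dtls_record(b"\x00" * 48)),
    (CAPWAP_DATA_PORT, build_capwap_header(keepalive=True, native_80211=False)),
    (CAPWAP_DATA_PORT, build_capwap_header(radio_mac=bytes.fromhex("001122334455")) + FAKE_80211_FRAME),
    (CAPWAP_DATA_PORT, build_dtls_record(b"\xaa" * 64)),
]
```

Running `audit(SAMPLE_DATAGRAMS)` on the constructed capture reports one DTLS datagram on the control channel and, on the data channel, one DTLS datagram, one cleartext keep-alive and one cleartext datagram carrying a client frame; that last counter is the one that should read zero on any AP where data DTLS is meant to be on. Keep-alives are counted separately because they carry no client payload, so a non-zero keep-alive count is not by itself evidence of a leak. On a real capture, feed the function the UDP destination port and UDP (or, for IPv6, UDP-Lite) payload of each datagram.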
FlexConnect Access Points
FlexConnect is a wireless solution for branch and remote office deployments. It allows you to configure and control the APs in remote branch offices from a WLC at the head office across a WAN link, without deploying a controller in each branch office.
FlexConnect has two modes of operation:

| Mode | Behaviour |
|---|---|
| Connected Mode | The WLC is reachable. The FlexConnect AP has CAPWAP connectivity with its WLC and can send traffic through the CAPWAP tunnel; the WLC performs all CAPWAP functions. |
| Standalone Mode | The WLC is unreachable. The FlexConnect AP has lost, or failed to establish, CAPWAP connectivity with its WLC and takes over some of the WLC's functions itself, for example switching data traffic locally and performing local client authentication. |
