
[From Beginner to Expert - WLAN Fundamentals] Section 7 AP Goes Online

Latest reply: Jul 29, 2019 17:09:54

The previous sections described Fat APs and Fit APs. A Fat AP can control wireless user access and encrypt and forward user data independently. A Fit AP must work with an AC to perform those functions. To work with an AC, a Fit AP must first go online on the AC. This section describes how a Fit AP goes online.

Before going online on an AC, a Fit AP must obtain an IP address so that the AC can communicate with it. Therefore, the Fit AP applies for an IP address from a DHCP server.

IP Address Acquisition

The Fit AP broadcasts a message that tells DHCP servers "I need an IP address". These messages are referred to as discovery messages. Multiple DHCP servers respond by sending IP address lease offer messages, which let the Fit AP know that the DHCP servers can offer an IP address. The Fit AP accepts the first offer it receives. Then, the DHCP server sends the Fit AP information encapsulated in an acknowledgment (ACK) packet, including the IP address, lease duration, gateway address, and IP address of the DNS server. This lets the Fit AP know what its newly assigned IP address is.

[Figure: Fit AP obtaining an IP address from a DHCP server]

The IP address of the Fit AP can be manually configured or dynamically obtained from the DHCP server. The procedure above is for dynamically obtaining an IP address from the DHCP server.

The ACK packet has an Option 43 field which can contain the IP address of an AC. The Option 43 field will be described later in detail.

When the Fit AP and DHCP server are not in the same VLAN, the AP cannot discover the DHCP server by broadcasting discovery messages. In this case, a DHCP Relay is used to help the AP discover the DHCP server. The procedure is as follows:

[Figure: IP address acquisition through a DHCP Relay]

The DHCP Relay forwards messages between the AP and DHCP server. 

The communication between the DHCP client and DHCP server will not be further covered in this section. You can refer to the DHCP feature description document for details.

After obtaining an IP address, the Fit AP can discover an AC.

AC Discovery Phase

The AP sees that the Option 43 field of the ACK packet from the DHCP server contains the IP address of an AC. The AP tries to contact the AC using the IP address.

However, the AC does not respond. Then the AP broadcasts AC discovery messages, and receives responses from multiple ACs. The AP selects a suitable AC.

An AP can discover an AC in static or dynamic mode.

Static mode

An AC IP address list is preconfigured on the AP. When the AP goes online, the AP unicasts a Discovery Request packet to each AC whose IP address is specified in the preconfigured AC IP address list. After receiving the Discovery Request packet, the ACs send Discovery Response packets to the AP. The AP then selects an AC to establish a CAPWAP tunnel according to the received Discovery Response packets.

Dynamic mode

If no AC IP address list is preconfigured on the AP, the AP selects unicast mode or broadcast mode to discover an AC.

First, the AP checks whether the Option 43 field in the ACK packet that the DHCP server sent in response to the AP's IP address request contains an AC IP address. If it does, the AP sends a unicast Discovery Request packet to this IP address. If the AC and network are working properly, the AC replies to the AP with a Discovery Response packet. At this point, the AP has discovered the AC. This AC discovery mode is known as DHCP mode.

Another AC discovery mode, DNS mode, is similar to the DHCP mode. The difference is that the ACK packet sent by the DHCP server contains an AC domain name and IP address of the DNS server instead of an AC IP address. The AC domain name is carried in the Option 15 field. After obtaining the AC domain name, the AP sends a request to the DNS server to obtain the IP address corresponding to the AC domain name. The AP then unicasts a Discovery Request packet to the AC. The subsequent procedures are the same as those in the DHCP mode.

Both the DHCP mode and DNS mode are unicast modes. That is, the AP sends unicast packets to the AC.

If no static AC IP address list is preconfigured on the AP, or the ACK packet sent by the DHCP server does not contain AC information, or the unicast Discovery Request packets sent by the AP receive no response, then the AP will broadcast Discovery Request packets to discover an AC. All the ACs on the same network segment as the AP will respond to the AP's request. After receiving the Discovery Response packets, the AP compares the information in the packets and selects an AC to establish a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel. (The AP selects the AC with the highest priority first. If the ACs have the same priority, the AP selects the AC with a lower load. If the ACs' loads are also the same, the AP selects the AC with a smaller IP address.)

[Figure: AC discovery]

Note: If a Layer 2 network is deployed between the AC and AP, Option 43 is not necessary. The AP can broadcast discovery packets to discover the AC if the AP fails to discover the AC in the unicast mode. However, if a Layer 3 network is deployed between the AC and AP, broadcast packets cannot be sent to the AC directly. Option 43 is used to inform the AP of the AC IP address.
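The discovery order and AC tie-break described above, as an added Python example (not code from the original post or from any vendor). The Option 43 layout (sub-option 3 holding an ASCII comma-separated address list), the rule that a lower priority number wins, and all sample addresses are assumptions made for illustration; malformed options are rejected rather than guessed at.

```python
import ipaddress

def parse_tlv(raw: bytes) -> dict:
    """Parse DHCP code/length/value options (RFC 2132); 0 = pad, 255 = end."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"option {raw[i]} is truncated")
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def discovery_plan(static_acs, ack_options: bytes) -> list:
    """Return the ordered (mode, target) attempts described in the text."""
    plan = [("static-unicast", ip) for ip in static_acs]
    if not plan:
        opts = parse_tlv(ack_options)
        # ASSUMPTION: Option 43 carries sub-option 3 = ASCII "ip,ip,..." list.
        sub3 = parse_tlv(opts.get(43, b"")).get(3, b"")
        for text in filter(None, sub3.decode("ascii", "replace").split(",")):
            # IPv4Address raises ValueError on anything that is not an address.
            plan.append(("dhcp-unicast", str(ipaddress.IPv4Address(text.strip()))))
        if not plan and 15 in opts and 6 in opts:    # DNS mode: name + DNS server
            dns = ipaddress.IPv4Address(opts[6][:4])
            plan.append(("dns-unicast", f"{opts[15].decode('ascii')} via {dns}"))
    plan.append(("broadcast", "255.255.255.255"))    # fallback if unicast fails
    return plan

def select_ac(responses) -> str:
    """Priority first, then lower load, then numerically smaller IP address.
    ASSUMPTION: a lower priority number means a higher priority."""
    best = min(responses, key=lambda r: (r["priority"], r["load"],
                                         int(ipaddress.IPv4Address(r["ip"]))))
    return best["ip"]

# Constructed sample: message type ACK, DNS server 10.0.0.53, Option 43, end.
SAMPLE_ACK = (b"\x35\x01\x05" + b"\x06\x04\x0a\x00\x00\x35" +
              b"\x2b\x17" + b"\x03\x15" + b"192.0.2.10,192.0.2.11" + b"\xff")
# Constructed Discovery Response summaries; the first two tie on priority and load.
SAMPLE_RESPONSES = [{"ip": "10.0.0.10", "priority": 1, "load": 20},
                    {"ip": "10.0.0.9", "priority": 1, "load": 20},
                    {"ip": "10.0.0.2", "priority": 3, "load": 0}]
```

The IP tie-break compares addresses numerically; a plain string comparison would rank 10.0.0.10 below 10.0.0.9 and pick the wrong AC.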

CAPWAP Tunnel Establishment

After the AP discovers an AC, the AP and AC need to negotiate a security mechanism to protect the information exchanged between them. The CAPWAP tunnel is the most common security mechanism in the WLAN field.

CAPWAP is an encapsulation and transmission mechanism defined in RFC 5415 to implement communication between APs and ACs. CAPWAP tunnels include control tunnels and data tunnels. The control tunnels transmit control packets, service configurations, and packets used to synchronize states of ACs and APs. The data tunnels transmit service data only in CAPWAP tunnel forwarding mode (also called centralized forwarding).

After discovering an AC, the AP starts to establish a CAPWAP tunnel with the AC.

AP Access Control

After a CAPWAP tunnel is established, the AC checks the validity of the AP to prevent rogue APs from accessing the AC. The AC also checks whether the AP version matches the AC version. Only authorized APs running the correct version can access the AC.

[Figure: AP access control]

The AP sends a Join Request packet carrying the AP version and AP mode (Fat or Fit AP) to the AC. (If Datagram Transport Layer Security (DTLS) encryption is enabled over the CAPWAP tunnel, a DTLS link is established first. Subsequently, all CAPWAP control packets are encrypted and decrypted through DTLS.) Upon receiving the Join Request, the AC determines whether to allow the AP to access and sends a Join Response packet to the AP. If the AC has upgrade configurations, the Join Response packet carries AP upgrade information such as upgrade mode and AP version.

The flowchart in the following figure shows how the AC determines whether the AP is allowed to access.

[Figure: flowchart of how the AC determines whether the AP is allowed to access]

AP Software Upgrade

The AP determines whether its system software version is the same as that specified in the received Join Response packet. If the two versions are different, the AP upgrades its software. After the AP is upgraded, the AP restarts automatically and repeats all the previous authentication steps. If the two versions are the same or no version is specified in the Join Response packet, the AP does not need to upgrade its software.

CAPWAP Tunnel Maintenance

The AP and AC exchange Keepalive packets to monitor the data tunnel connectivity.

The AP and AC exchange Echo packets to monitor the control tunnel connectivity.

AC Configuration Delivery

After CAPWAP tunnels are established, the AC delivers service configurations to the AP. The AP can then provide WLAN services according to the service configurations.


Created Jun 25, 2016 02:25:58

Thank you.

MVE Created Apr 11, 2018 10:13:36

useful document, thanks

Created Jul 29, 2019 17:09:54

Thanks for sharing.