Flexconnect Russia DTLS

alaugros2
Level 1

Hello!

I would like to connect a Cisco 2700 AP located at a Russian site to a central 8540 WLC located in France in FlexConnect local switching mode. Other APs located in other European countries will also join the central controller the same way.

I would like to know what happens considering CAPWAP control plane encryption if I do that.

I have read that Russian laws do not permit encryption. What should I do to respect these laws? Should I buy a DTLS license for my central WLC (even if it is located in France) to access DTLS commands and use them to disable control plane traffic encryption only for the Russian AP? Is it possible to disable DTLS control plane traffic encryption permanently (even after an AP reboot) for the Russian AP with this DTLS license?

Thanks a lot for your help!

Arthur

Scott Fella
Hall of Fame

DTLS is configured on the WLAN advanced tab. What you can do is create a new WLAN profile with WLAN ID 17 or higher and specify a different profile name but use the same SSID. Then you would create an AP group for the Russia APs and use that WLAN without DTLS encryption enabled.

Hope this answers your question. 

-Scott

-Scott
*** Please rate helpful posts ***

Thank you for your answer Scott.

If I understood you well:

1) I will need to buy a DTLS license for my controller in France to enable DTLS commands.

2) Then I will have to disable DTLS encryption for a specific WLAN only used for Russia.

3) This way, neither data nor control plane traffic will be encrypted in my CAPWAP tunnel between the Russian AP and my central controller. Thus I will respect Russian laws.

Am I right on these 3 points?

Thanks again!

Arthur

The DTLS license is free.  If you issue a show version, look for this to determine if you already have DTLS:

DATA + WPS + LDPE == LDPE = no capwap Data encryption, need DTLS license to get the encryption.

DATA + WPS == non LDPE = capwap Data encryption already available, no need to install DTLS license.

https://supportforums.cisco.com/discussion/11421191/2504-wlc-dtls-license

You will have to disable the data encryption for the ssid.

The control traffic is encrypted normally and you can't disable that. This is fine in Russia, it's data that they don't want encrypted. You can open a TAC case just to inquire more info in regards to the laws in Russia.

hope this helps

-Scott


Thank you very much Scott, this helps!

Arthur

Glad to help!

-Scott
