05-04-2020 09:51 AM - edited 07-05-2021 12:01 PM
Good day!
I wonder what the "High Cipher" option does in the Mobility Group member setup? This is the 8.10.105 release.
Please, look at the screenshot attached.
I could not find any mention of it either in the configuration guide for release 8.10 or anywhere else...
Thanks!
05-05-2020 06:07 PM - edited 05-05-2020 06:09 PM
Thank you for reminding me of that old thread.
You are right about the documentation for that "high cipher option"; I cannot find anything on cisco.com about it either.
Here is what I think: it is for cipher suite support for key lengths longer than 128 bits.
Again, Cisco should provide more context around what exactly that feature means to avoid confusion. If I get anything else, I will keep you posted here.
Thank you
Rasika
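As an added illustration (not code from the thread, from Cisco, or from any WLC release), the following Python shows how a defender could verify what the mobility peers actually negotiate: it parses a DTLS 1.2 ServerHello record, extracts the selected cipher suite, and labels it "high" using the interpretation given above (symmetric key longer than 128 bits) as a working assumption. The cipher-suite code points are standard IANA registrations; the ServerHello bytes are constructed inside the script rather than captured from a controller, and the 128-bit threshold is the thread's hypothesis, not a documented Cisco definition.

```python
import struct

# IANA TLS cipher-suite code points (standard registrations) -> (name, symmetric key bits).
# Illustrative subset; extend it with whatever suites your controller release offers.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", 128),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", 256),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 128),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 256),
}

# Assumption taken from the thread: "high cipher" means a symmetric key longer than 128 bits.
HIGH_CIPHER_MIN_BITS = 129

DTLS_1_2 = 0xFEFD
CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO = 2


def build_dtls_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal DTLS 1.2 ServerHello record (sample input for the parser below)."""
    body = (
        struct.pack("!H", DTLS_1_2)            # server_version
        + bytes(32)                            # random (zeroed in this constructed sample)
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", cipher_suite)      # the negotiated cipher suite
        + b"\x00"                              # compression_method: null
    )
    hs_len = len(body).to_bytes(3, "big")
    handshake = (
        bytes([HS_SERVER_HELLO]) + hs_len      # msg_type, length
        + struct.pack("!H", 0)                 # message_seq
        + (0).to_bytes(3, "big") + hs_len      # fragment_offset, fragment_length
        + body
    )
    # Record header: type(1) version(2) epoch(2) sequence_number(6) length(2)
    return struct.pack("!BHH6sH", CONTENT_HANDSHAKE, DTLS_1_2, 0, bytes(6), len(handshake)) + handshake


def parse_dtls_server_hello(record: bytes) -> dict:
    """Return the negotiated cipher suite of a DTLS ServerHello and classify its key length."""
    if len(record) < 13:
        raise ValueError("truncated DTLS record header")
    ctype, version, _epoch, rec_len = struct.unpack("!BHH6xH", record[:13])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError(f"not a handshake record (type {ctype})")
    payload = record[13:13 + rec_len]
    if len(payload) < 12:
        raise ValueError("truncated DTLS handshake header")
    msg_type = payload[0]
    frag_off = int.from_bytes(payload[6:9], "big")
    frag_len = int.from_bytes(payload[9:12], "big")
    if msg_type != HS_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (msg_type {msg_type})")
    if frag_off != 0:
        raise ValueError("fragmented ServerHello; reassemble before parsing")
    body = payload[12:12 + frag_len]
    # Body layout: server_version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    if len(body) < 35:
        raise ValueError("truncated ServerHello body")
    sid_len = body[34]
    cs_off = 35 + sid_len
    if len(body) < cs_off + 3:
        raise ValueError("truncated ServerHello body")
    suite = struct.unpack("!H", body[cs_off:cs_off + 2])[0]
    name, bits = CIPHER_SUITES.get(suite, (f"UNKNOWN_0x{suite:04X}", None))
    return {
        "record_version": hex(version),
        "cipher_suite": suite,
        "name": name,
        "key_bits": bits,
        "high_cipher": None if bits is None else bits >= HIGH_CIPHER_MIN_BITS,
    }


if __name__ == "__main__":
    # 0xC02B is a valid ECDHE-ECDSA suite deliberately left out of the table to show the unknown path.
    for cs in (0x002F, 0xC030, 0xC02B):
        print(parse_dtls_server_hello(build_dtls_server_hello(cs)))
```

To use this against real traffic, feed the parser the UDP payload of the ServerHello exchanged between the two controllers' mobility DTLS endpoints; the "high_cipher" field then tells you whether the negotiated suite is in the >128-bit class, which is the only observable way to check what the GUI option actually changed on a given release.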
05-04-2020 02:00 PM
This will enable encrypted mobility messaging (CAPWAP DTLS-based) instead of unencrypted EoIP.
HTH
Rasika
*** Pls rate all useful responses ***
05-05-2020 10:42 AM - edited 05-05-2020 10:55 AM
@Rasika Nayanajith Thank you for the reply! I appreciate it a lot.
I'll try to be more specific.
As you have already mentioned here https://community.cisco.com/t5/other-wireless-mobility-subjects/mobility-control-amp-data-encryption/m-p/3955950/highlight/true#M101919, encrypted mobility messaging via CAPWAP DTLS is enabled by 2 commands:
config mobility group member add peer-mac-addr peer-ip-addr group-name encrypt {enable | disable} (which is Secure Mobility - Enabled in the GUI)
config mobility group member data-dtls peer-mac-addr {enable | disable} (which is Data Tunnel Encryption - Enabled in the GUI)
The same is described in the configuration guide for 8.10 you provided earlier https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/encrypted_mobility_tunnel.html.
I believe these 2 commands will indeed make the WLCs use CAPWAP DTLS instead of EoIP for Mobility Data traffic.
What I am asking about is the "High Cipher" selection. Please look at the screenshot. I've highlighted an additional, third option we can use with the previous 2 commands. But I can't find its description anywhere, and this is what I'm asking about.
06-02-2020 03:15 AM
@Rasika Nayanajith You were right, I've asked TAC about it and they confirmed your version. They created a bug to fix this documentation, so I'm waiting for the announcement in the next version of the Deployment Guide. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu45944
06-02-2020 01:35 PM - edited 05-30-2023 11:50 AM
Thank you for the bug to fix that documentation and give clearer information about those DTLS high cipher options.
Rasika