How to count management messages between AC and AP on the switch:

2024-05-11 16:24:49 Published

Network Topology

If an AP cannot register with the AC or disconnects frequently, checking the wlan-capwap message exchange or the generated AP-dag.txt (which records pings to the AC at the time of disconnection) may lead to the initial conclusion that an intermediate device is dropping packets. The next troubleshooting step is then to locate the packet loss on the intermediate devices, mainly the switches between the AC and the AP. Packet statistics help locate packet loss on a link. To count the management messages exchanged between the AC and the AP in cases such as an AP failing to register or disconnecting frequently, refer to the following configuration.



Configuration Steps

Suppose the AP (MAC address: b044-14bf-4a20) cannot register with the AC. After debugging wlan CAPWAP was enabled on both the AC and the AP, it was found that the AP sent a discovery request but did not receive a discovery response from the AC.

Therefore, it is necessary to collect traffic statistics on the switches between the AC and the AP (there are usually several switches between them, but the configuration principle is the same on each). CAPWAP control (management) messages handle the registration of the AP with the AC and the disconnection of the AP, and they are carried over UDP. During the exchange, the AC uses port 5246, while the AP uses a random port. Therefore, when collecting traffic statistics, specify port 5246 as the source port or destination port and add the MAC address of the AP, so that the management messages between the AC and the AP are counted in both directions.

If the AP registers at Layer 2, Option 43 or 138 is usually not configured to specify the IP address of the AC, so the AP usually discovers the AC through broadcast or multicast. The source and destination IP addresses in the CAPWAP discovery request are therefore not necessarily the IP addresses of the AC and the AP. For this reason, it is not recommended to filter on the IP addresses of the AC and the AP in the ACL; specify the MAC address of the AP as the filtering condition instead.

You can refer to the following configuration:

#
acl advanced 3010
 rule 0 permit udp destination-port eq 5246
#
acl advanced 3011
 rule 0 permit udp source-port eq 5246
#
traffic classifier ap-in operator and
 if-match acl 3010
 if-match source-mac b044-14bf-4a20
#
traffic classifier ap-out operator and
 if-match acl 3011
 if-match destination-mac b044-14bf-4a20
#
traffic behavior ap-in
 accounting packet
#
traffic behavior ap-out
 accounting packet
#
qos policy ap-in
 classifier ap-in behavior ap-in
#
qos policy ap-out
 classifier ap-out behavior ap-out
#
interface GigabitEthernet1/0/2
 port access vlan 100
 qos apply policy ap-out inbound
 qos apply policy ap-in outbound
#
interface GigabitEthernet1/0/7
 port link-type trunk
 port trunk permit vlan 1 100 300
 port trunk pvid vlan 100
 qos apply policy ap-in inbound
 qos apply policy ap-out outbound
 poe enable
#
If the AP registers at Layer 3, it generally discovers the AC through a unicast discovery request. Because the packets are routed at Layer 3, the source and destination MAC addresses of the discovery request or response and of subsequent management messages change when they cross VLANs at the gateway. It is therefore recommended to use the IP addresses of the AC and the AP as the filtering conditions. The filtering conditions should no longer carry the MAC address of the AP, and the ACLs and classifiers can be changed to:
#
acl advanced 3010
 rule 0 permit udp source [AP-ip] 0 destination [AC-ip] 0 destination-port eq 5246
#
acl advanced 3011
 rule 0 permit udp source [AC-ip] 0 destination [AP-ip] 0 source-port eq 5246
#
traffic classifier ap-in operator and
 if-match acl 3010       // The AP's MAC address can no longer be carried here.
#
traffic classifier ap-out operator and
 if-match acl 3011       // The AP's MAC address can no longer be carried here.
#




Key Configuration

Commands for viewing the traffic statistics:

[SW] dis qos policy interface g 1/0/2 

[SW] dis qos policy interface g 1/0/7 

[SW] dis qos policy interface inbound 

[SW] dis qos policy interface outbound

#

Note: Clear corresponding port traffic statistics before viewing flow statistics: 

reset counters int g 1/0/2 

reset counters int g 1/0/7 
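
The following Python example is added here and is not part of the original case or H3C code. It reads the accounting counters from display qos policy interface output for the two ports configured above and compares, per direction, what entered the switch with what left it. The output layout in SAMPLE is an assumption and its values are constructed; parse and locate_loss are hypothetical helper names.

```python
import re

AP_PORT, AC_PORT = "GigabitEthernet1/0/7", "GigabitEthernet1/0/2"  # as on the page
# Constructed, trimmed sample; the output layout is an assumption, not from the page.
SAMPLE = """\
Interface: GigabitEthernet1/0/2
  Direction: Inbound
  Policy: ap-out
        0 (Packets)
  Direction: Outbound
  Policy: ap-in
        12 (Packets)
Interface: GigabitEthernet1/0/7
  Direction: Inbound
  Policy: ap-in
        12 (Packets)
  Direction: Outbound
  Policy: ap-out
        0 (Packets)
"""

def parse(text):
    """Return {(interface, direction, policy): accounted packets}."""
    counts, ctx = {}, {}
    for line in map(str.strip, text.splitlines()):
        key, sep, val = line.partition(": ")
        if sep and key in ("Interface", "Direction", "Policy"):
            ctx[key] = val
        elif m := re.fullmatch(r"(\d+) \(Packets\)", line):
            counts[ctx["Interface"], ctx["Direction"].lower(), ctx["Policy"]] = int(m[1])
    return counts

def locate_loss(counts):
    """Compare each flow's ingress counter with its egress counter on this switch."""
    flows = {"ap-in": (AP_PORT, AC_PORT), "ap-out": (AC_PORT, AP_PORT)}
    report = {}
    for policy, (ingress, egress) in flows.items():
        rx = counts.get((ingress, "inbound", policy), 0)
        tx = counts.get((egress, "outbound", policy), 0)
        if rx == 0:
            report[policy] = "none seen on ingress: look upstream of this switch"
        elif tx < rx:
            report[policy] = f"{rx - tx} of {rx} dropped on this switch"
        else:
            report[policy] = "forwarded"
    return report

if __name__ == "__main__":
    print(locate_loss(parse(SAMPLE)))
```

With the constructed sample, the AP's requests cross the switch intact while no AC responses arrive on the AC-facing port, which matches the symptom described in this case.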
