Ch. 2 – 802.

11 and NICs
Part 2 – 802.11 MAC

Cisco Fundamentals of Wireless LANs version 1.1

Rick Graziani
Cabrillo College
Spring 2005
802.11 Overview and MAC Layer
Part 1 – 802.11 MAC and Cisco • 2.4 – 2.6 Online Curriculum
Client Adapters – Client Adapters
• (Separate Presentation) – Aironet Client Utility (ACU)
• 2.1 Online Curriculum
– ACU Monitoring and
– 802.11 Standards
Troubleshooting Tools
• Overview of WLAN Topologies
– IBSS
– BSS Part 2 – 802.11 MAC
– ESS • 802.11 Data Frames and
– Access Points Addressing
• 802.11 Medium Access • 802.11 MAC Layer Operations
Mechanisms – Station Connectivity
– DCF Operations – Power Save Operations
– Hidden Node Problem – 802.11 Frame Formats
– RTS/CTS • Non-standard devices (Brief)
– Frame Fragmentation
Rick Graziani [email protected] 2
Recommended Reading and Sources for
this Presentation

Pejman Roshan Matthew S. Gast

Jonathan Leary
ISBN:
ISBN: 0596001835
1587050773

• To understand WLANs it is important to understand the 802.11

protocols and their operations.
• These two books do an excellent job in presenting this information and
is used throughout this and other presentations.

Rick Graziani [email protected] 3

Acknowledgements

• Thanks to Pejman Roshan and Jonathan Leary at Cisco Systems,

authors of 802.11 Wireless LAN Fundamentals for allowing me to use
their graphics and examples for this presentation.
• Also thanks to Matthew Gast for author of 802.11 Wireless Networks,
The Definitive Guide for allowing me to use their graphics and
examples for this presentation.

Rick Graziani [email protected] 4

802.11 Frames – This isn’t Ethernet!

802.11 Frames • Management Frames

• Data Frames (most are PCF) – Beacon
– Data – Probe Request
– Null data – Probe Response
– Data+CF+Ack – Authentication
– Data+CF+Poll – Deauthentication
– Data+CF+Ac+CF+Poll – Association Request
– CF-Ack – Association Response
– CF-Poll – Reassociation Request
– CF-Cak+CF-Poll – Reassociation Response
• Control Frames – Disassociation
– RTS – Announcement Traffic
– CTS Indication
– ACK
– CF-End
– CF-End+CF-Ack
Rick Graziani [email protected] 5
 802.11 Data Frames and
Addressing

Helps to understand this because it is not dependent upon the

802.11 Physical layer.
Ethernet MAC Addressing

X
xxx
Y yyy
Distribution System (DS)

Access Point 1 Access Point 2

B C
A D

xxx yyy Pseudo MAC address of hosts

xxx yyy
IP Packet

Rick Graziani [email protected] 7

802.11 MAC Addressing

The LLC encapsulation will be

explained later in this presentation.

General 802.11 Frame

• Four address fields

• The number and function of the address fields is dependent upon the
source and destination for the 802.11 frame.
• Before we look at how these addresses are used, lets look at the
different source and destination options.
• Address 4 is optional and not commonly used, except for WDS
(wireless distribution system, bridge to bridge).

Rick Graziani [email protected] 8

802.11 MAC Addressing - DS

X
Y
Distribution System (DS)

Access Point 1 Access Point 2

A C
B D

• Distribution System (DS)

– “The distribution system is the logical component of 802.11 used to
forward frames to their destination. 802.11 does not specify any
particular technology for the distribution system.” Matthew Gast
– The DS is the exiting network from the AP. (For purposes of this
discussion.)
– It can be a wired network (Ethernet) or a wireless network (wireless
bridge) or something else.
– We will assume it is a wired network for these discussions.
Rick Graziani [email protected] 9
802.11 MAC Addressing –
Frame Control Field
General 802.11 Frame

• To DS: indicates if frame is destined for the DS or AP (1 bit).

• From DS: indicates if frame is sourced from the DS or AP (1bit).

Rick Graziani [email protected] 10

802.11 MAC Addressing –
Frame Control Field
General 802.11 Frame

Note: Some
Function ToDS FromDS documentation is
IBSS (no AP) 0 0 misleading stating that the
ToDS is set to 1 only
To AP 1 0
when the destination is on
From AP 0 1 the wired side of the AP.
Wireless bridge to bridge
Rick Graziani [email protected]
1 1 11
802.11 MAC Addressing –
Frame Control Field

Rick Graziani [email protected] 12

802.11 MAC Addressing

X
xxx
Y
Distribution System (DS)

Access Point 1 Access Point 2

111
A C
aaa B D
bbb
aaa bbb 111 Pseudo MAC address of hosts and BSSID
of AP1
• Let’s look at these options:
– Host A to Host B
– Host A to Host X
– Host X to Host A
• Frames to and from a BSS (Basic Service Set) must go via the access point.
• The access point is a layer 2 bridge (translation bridge) between the 802.11
network and the 802.3 network.
Rick Graziani [email protected] 13
802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

The BSSID Access Point 1 Access Point 2

111
A C
B D
aaa
General 802.11 Frame bbb

• Each BSS is assigned a BSSID.

– Not to be confused with SSID or ESSID.
• BSSID – 48 bit identifier which distinguishes it from other BSSs in the
network, used for filtering.
• In a BSS, the BSSID is the MAC address of the wireless interface.
• Remember, normal switches (bridges) may have MAC addresses, but
these addresses are only used for management purposes and not for
layer 2 frame forwarding (addressing).

Rick Graziani [email protected] 14

802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

The BSSID Access Point 1 Access Point 2

111
A C
B D
aaa bbb
General 802.11 Frame

• Besides the BSSID MAC address, the access point has a MAC
address for other interfaces.
– Ethernet (LAN)
– Ethernet (WAN)
– 802.11a for dual mode APs

Rick Graziani [email protected] 15

BSSID – Cisco 1200

MAC address for

AP’s IP address
(ARP tables)

BSSID BSSID for 802.11a WLAN

Rick Graziani [email protected] 16
Linksys WRT54G

Router Information
• IP Address: (received via DHCP)
• MAC Address: 00:0F:66:09:4E:10

Local Network
• MAC Address: 00:0F:66:09:4E:0F
• IP Address: 192.168.1.1 MAC address for
AP’s IP address

Wireless
• MAC Address: 00:0F:66:09:4E:11
BSSID
• SSID: GuidoNet2
• DHCP Server: Enabled
• Channel: 11
• Encryption Function: Enabled
Rick Graziani [email protected] 17
802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

Host A to Host B Access Point 1 Access Point 2

111
A C
B D
aaa
General 802.11 Frame bbb

• Address 1 – Receiver address

• Address 2 – Transmitter address
• Address 3 – Ethernet/wireless SA, Ethernet/wireless DA, or BSSID

• Transmitter: Sends a frame on to the wireless medium, but may not

be the original source (didn’t necessarily create the frame), i.e. AP
• Receiver: Receives a frame on the wireless medium, but may not be
the final destination, i.e. AP
Rick Graziani [email protected] 18
 802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

Host A to Host B Access Point 1 Access Point 2

111
A C
B D
aaa
Host A to AP 1 Rec. Trans. DA bbb
111 aaa bbb

1 0

AP1 to Host B Rec. Trans. SA

bbb 111 aaa

0 1

• Address 1 – Receiver address

• Address 2 – Transmitter address
• Address 3 – Ethernet/wireless SA, Ethernet/wireless DA, or BSSID
Rick Graziani [email protected] 19
802.11 MAC Addressing

Distribution System (DS)

IP Packet

General 802.11 Frame

L IP Packet
L
C

• Access Points are translation bridges.

• From 802.11 to Ethernet, and from Ethernet to 802.11
• The “data/frame body” is re-encapsulated with the proper layer 2 frame
(Ethernet or 802.11).
• Certain addresses are copied between the two types of frames.
Rick Graziani [email protected] 20
 802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

Host A to Host X Access Point 1 Access Point 2

111
A C
aaa
B D
Host A to AP 1
Rec. Trans. DA bbb
802.11 Frame 111 aaa xxx

1 0

copied
Host A to AP 1
xxx aaa

• The Ethernet DA and SA are the source and destination addresses just like on
traditional Ethernet networks.
– Destination Address – Host X
– Source Address – Host A
Rick Graziani [email protected] 21
 802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

Host A to Host X Access Point 1 Access Point 2

111
A C
aaa B D
Host A to AP 1 bbb
Rec. Trans. DA
802.11 Frame 111 aaa xxx

1 0 copied

xxx aaa Host A to AP 1

• The AP (bridge) knows which MAC address on on its wireless interface and
maintains a table with those MAC addresses. (from the Association process – later)
• When the AP receives an 802.11 frame, it examines the Address 3 address.
• If Address 3 is not in its table of wireless MACs it knows it needs to translate the
frame to an Ethernet frame.
• The AP copies the Address 3 address to the Ethernet Destination Address, and
Address
Rick 2 (Transmitter address) is copied to the Ethernet Source Address.
Graziani [email protected] 22
802.11 MAC
Addressing
Host X to Host A

X
xxx
Y
Distribution System (DS)

111
Access Point 1 Access Point 2

A B C
bbb
D
aaa

Rick Graziani [email protected] 23

 802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

Host X to Host A Access Point 1 Access Point 2

111
A C
B D
aaa
Host X to AP 1 bbb
aaa xxx
Destination Address –
Host X
Source Address – Host A
copied

AP 1 to Host A
Rec. Trans. SA
802.11 Frame aaa 111 xxx

0 1

Rick Graziani [email protected] 24

 802.11 MAC X
Addressing xxx
Distribution System (DS)
Y

Host X to Host A Access Point 1 Access Point 2

111
A C
aaa
B D
Host X to AP 1
bbb
aaa xxx

Destination Address –
Host X
AP 1 to Host A copied Source Address – Host A
Rec. Trans. SA
802.11 Frame aaa 111 xxx

0 1

• The AP (bridge) knows which MAC address on on its wireless interface and
maintains a table with those MAC addresses. (via Association process – later)
• When the AP receives an Ethernet frame, it examines the Destination address.
• If Destination Address is in its table of wireless MACs it knows it needs to translate the frame
to an 802.11 frame.
• The AP copies the Destination address to the 802.11 Address 1, and Ethernet Source is
copied to the Address 3 address (SA in this case). (Flood out all ports unless in Source
Address
Rick Graziani Table.)
[email protected] 25
 802.11 MAC Addressing

xxx 1

2
xxx aaa

111

aaa

• So how do Ethernet switches know where the wireless stations are?

• Just like wired stations – using the source address of frames that came
from the wireless station via the access point.
• Here the switch learns from the incoming Ethernet frame that Source
Address aaa is on port 2 and enters that in its MAC address table.
• Any frames coming into the switch (ex. port 1) with a Destination Address
of aaa, the switch knows to forward those frames out port 2 (towards the
AP).
Rick Graziani [email protected] 26
 LLC – Logical Link Control

General 802.11 Frame

L IP Packet
L
C

• The IP Packet is in an LLC frame which is encapsulated in a MAC frame.

• 802.11 does not include a protocol type field.
• An 8 byte SNAP field is added to the LLC to indicate the layer 3 data
being carried in the data field.
• The rest of the information within the LLC is not really relevant.

Rick Graziani [email protected] 27

LLC – Logical Link Control

• The only word of caution is that there are two types of LLC encapsulation, RFC
1042 and 802.1h.
• On a rare occasion, you might find a problem with a client associating to an AP
when their LLCs do not match.

Rick Graziani [email protected] 28

LLC – Logical Link Control

Rick Graziani [email protected] 29

802.11 Overview and MAC Layer
Part 1 – 802.11 MAC and Cisco • 2.4 – 2.6 Online Curriculum
Client Adapters – Client Adapters
• (Separate Presentation) – Aironet Client Utility (ACU)
• 2.1 Online Curriculum
– ACU Monitoring and
– 802.11 Standards
Troubleshooting Tools
• Overview of WLAN Topologies
– IBSS
– BSS Part 2 – 802.11 MAC
– ESS • 802.11 Data Frames and
– Access Points Addressing
• 802.11 Medium Access • 802.11 MAC Layer Operations
Mechanisms – Station Connectivity
– DCF Operations – Power Save Operations
– Hidden Node Problem – 802.11 Frame Formats
– RTS/CTS • Non-standard devices
– Frame Fragmentation
Rick Graziani [email protected] 30
802.11 MAC Layer Operations

Station Connectivity
Power Save Operations
802.11 Frame Formats
Station Connectivity

Rick Graziani [email protected] 32

 Station Connectivity

• Earlier we stated, at a minimum a client station and the access point

must be configured to be using the same SSID.
• How does the client find these APs?
• Before connecting to any network, you must find it.
• Ethernet, the cable does that for you, but of course there is no cable
with wireless.
• There are various applications and utilities that will do it, but what is
actually happening in the 802.11 MAC operations?
• Let’s take a look…
Rick Graziani [email protected] 33
Station Connectivity
Successful Successful
Authentication Association

State 1 State 2 State 3

Unauthenticated Authenticated Authenticated
Unassociated Unassociated Associated
Deauthentication Disassociation

• Station connectivity is a explanation of how 802.11 stations select and

communicate with APs.

Rick Graziani [email protected] 34

Station Connectivity

Probe Authentication Association

process process process
Successful Successful
Authentication Association

State 1 State 2 State 3

Unauthenticated Authenticated Authenticated
Unassociated Unassociated Associated
Deauthentication Disassociation

• We will look at three processes:

– Probe Process (or scanning)
– The Authentication Process
– The Association Process
• Only after a station has both authenticated and associated with the
access point can it use the Distribution System (DS) services and
communicate with devices beyond the access point.
Rick Graziani [email protected] 35
Station Connectivity – Probe Process

• The Probe Process (Scanning)

done by the wireless station
– Passive - Beacons
– Active – Probe Requests

• Depends on device drive of wireless

adapter or the software utility you are
using.
• Cisco adapters do active scanning
when associating, but use passive
scanning for some tests.
• In either case, beacons are still
received and used by the wireless
stations for other things besides
scanning (coming).
Rick Graziani [email protected] 36
 Station Connectivity – Passive Scanning
• Passive Scanning
– Saves battery power
– Station moves to each channel and
waits for Beacon frames from the
AP.
– Records any beacons received.
• Beacon frames allow a station to find
out every thing it needs to begin
communications with the AP including:
– SSID
– Supported Rates
• Kismet/KisMAC uses passive scanning

Rick Graziani [email protected] 37

Station Connectivity – Passive Scanning

Rick Graziani [email protected] 38

 Station Connectivity – Passive Scanning

Note: Most of these

beacons are
received via normal
operations and not
through passive
scanning.

Rick Graziani [email protected] 39

Station Connectivity – Passive Scanning

• Passive scans, carried out by listening to Beacons from APs, are not
usually displayed by a network analyzer (Ethereal, Airopeek, etc.) but
can be.
• Microsecond – millionth of a second
• Millisecond – thousandth of a second
• A common beacon interval is 100 time units.
• Beacon interval is the number of time units between beacon
transmissions.
– One unit of time is 1,024 microseconds or about 1 millisecond.
– A beacon interval of 100 is equivalent to 100 milliseconds or 0.1
seconds.
– That would be 10 beacons per second.
Rick Graziani [email protected] 40
Setting the beacon interval on an AP (later)

Rick Graziani [email protected] 41

Rick Graziani [email protected] 42
Station Connectivity – Passive Scanning

• AP features (options)
– The SSID can be “hidden” or “cloaked” in the beacon frame (can
be done on Cisco APs)
– Do not send AP broadcast beacons (not an option with Cisco APs)
• From some mailing lists:
– “SSID cloaking and beacon hiding isn't necessarily a bad thing, but too
many places use it as the only protection because it leads to a false sense
of security.”
– “Obscurity != security. Too many companies blindly trust that no beaconing
or hiding their SSID means they're automatically safe.”
Rick Graziani [email protected] 43
 Station Connectivity – Active Scanning
• Active Scanning: Probe Request
– This process is not mandatory on with
802.11.
– A Probe Request frame is sent out on
every channel (1 – 11) by the client.
– APs that receive Probe Requests must
reply with a Probe Response frame if:
• SSID matches or
• Probe Request had a broadcast
SSID (0 byte SSID)
• NetStumber uses active scanning
From the client

Rick Graziani [email protected] 44

From the client

Source address is
the client (host)

The SSID can also

be a broadcast
SSID which
triggers a Probe
Response from all
APs in the area.

Rick Graziani [email protected] 45

 Station Connectivity – Active Scanning
• Active Scanning: Probe Response
– On BSSs the AP is responsible for
replying to Probe Requests with Probe
Responses.
– Probe Responses are unicast frames.
– Probe Responses must be
ACKnowledged by the receiver (client). 1
• Like a beacon, Probe Response frames 3
allow a station to find out every thing it needs
to begin communications with the AP 2
including:
– SSID
– Supported Rates

From the AP

Rick Graziani [email protected] 46

 From the AP
Destination Address is the
client who issued the Probe
Request
Source address is the AP
(same as the BSSID)

• The beacon contains certain

information that lets a station
know if it can continue to
attempt to join this network:
– SSID
– Supported Rates
– Privacy:
– WEP
– None (open)

Rick Graziani [email protected] 47

Capturing the Probe
Response

Rick Graziani [email protected] 48

Station Connectivity – Multiple APs

Most likely Vivian will

communicate with AP 2,
which matches her SSID
and has the stronger
signal strength.

• How a station chooses an AP is not specified in 802.11.

• It is left up to the vendor.
• It could be, Matching SSIDs, Signal Strength, Supported data rates.

Rick Graziani [email protected] 49

Station Connectivity
Hey, I didn’t
do anything
and I am on
the Internet!

No SSID
Probe Request
Broadcast (no) SSID Probe Response
SSID = tsunami
ACK
• Access Points can be configured whether or not to allow clients with broadcast
SSIDs to continue the connectivity process.
– If there is no authentication on the AP, then the client will most likely
“associate” and be on their network!
• Cisco APs use a default SSID of tsunami known as the “guest mode” SSID.
(coming)
• Unless this feature is disabled or authentication is enabled, anyone can easily
associate with your AP and access your network (or the Internet).
Rick Graziani [email protected] 50
Station Connectivity

Probe Authentication Association

process process process
Successful Successful
Authentication Association

State 1 State 2 State 3

Unauthenticated Authenticated Authenticated
Unassociated Unassociated Associated
Deauthentication Disassociation

• Station connectivity processes:

– Probe Process (or scanning)
– The Authentication Process
– The Association Process
• Only after a station has both authenticated and associated with the
access point can it use the Distribution System (DS) services and
communicate with devices beyond the access point.
Rick Graziani [email protected] 51
Authentication Process

• On a wired network, authentication is implicitly provided by the

physical cable from the PC to the switch.
• Authentication is the process to ensure that stations attempting to
associate with the network (AP) are allowed to do so.
• 802.11 specifies two types of authentication:
– Open-system
– Shared-key (makes use of WEP)

Rick Graziani [email protected] 52

Authentication Process – Open-System

• Open-system authentication really “no authentication”.

• Open-system authentication is the only method required by 802.11
– You could buy an AP that doesn’t support Shared-key
• The client and the station exchange authentication frames.
Rick Graziani [email protected] 53
 Frame Control omitted in this Authentication Response

• The client:
– Sets the Authentication Algorithm Number to 0 (open-system)
– Set Authentication Transaction Sequence Number to 1
• The AP:
– Sets the Authentication Algorithm Number to 0 (open-system)
– Set Authentication Transaction Sequence Number to 2
– Status Code set to 0 (Successful)
Rick Graziani [email protected] 54
Authentication Process – Shared-Key

• Shared-key authentication uses WEP (Wired Equivalent Privacy) and can

only be used on products that support WEP.
• WEP is a Layer 2 encryption algorithm based on the RC4 algorithm.
• 802.11 requires any stations that support WEP to also support shared-key
authentication.
• WEP and WPA will be examined more closely when we discuss security.
• For now both the client and the AP must have a shared-key, password.

Rick Graziani [email protected] 55

Authentication Process – Shared-Key

• The client:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 1
• The AP:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 2
– Status Code set to 0 (Successful)
– Challenge Text (later)
• The client:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 3
– Challenge Text (later)
• The AP:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 4
– Status Code set to 0 (Successful)
Rick Graziani [email protected] 56
Authentication Process

• We’ll look at the configuration of the client and AP later!

• Example of open-system authentication.
• Note: On “some” systems you can configure authentication (WEP) and
WEP encryption separately. On the ACU you can have open-system
authentication and also have WEP encryption. However, if you have
Shared-key (WEP) authentication, you must use WEP encryption.
Rick Graziani [email protected] 57
Authentication Process

• Authentication
– Open-System
– Shared-Key (WEP)

• Encryption
– None only
or
– WEP

Rick Graziani [email protected] 58

Station Connectivity Hey, I REALLY
didn’t do
anything and I
am on the
Internet!

Beacon
Authentication SSID = tsunami
Request Authentication
Response
(Open-system)
• If not configured specifically to look for a network, some client utilities
will automatically join the network that meets their vendor’s criteria (not
specified in 802.11) such as signal strength and open-system
authentication.
• How a station chooses an AP is not specified in 802.11.
•RickOr just find the open-system network and join.
Graziani [email protected] 59
Station Connectivity

Probe Authentication Association

process process process
Successful Successful
Authentication Association

State 1 State 2 State 3

Unauthenticated Authenticated Authenticated
Unassociated Unassociated Associated
Deauthentication Disassociation

• Station connectivity processes:

– Probe Process (or scanning)
– The Authentication Process
– The Association Process
• Only after a station has both authenticated and associated with the
access point can it use the Distribution System (DS) services and
communicate with devices beyond the access point.
Rick Graziani [email protected] 60
Association Process

1. Association Request
2. Association
Response

• The association process is logically equivalent to plugging into a wired

network.
• Once this process is completed, the wireless station can use the DS
and connect to the network and beyond.
• A wireless station can only associate with one AP (802.11 restriction)
• During the 802.11 association process the AP maps a logical port
known as the Association Identifier (AID) to the wireless station.
– The AID is equivalent to a port on a switch and is used later in
Power Save Options.
• The association process allows the DS to keep track of frames
destined for the wireless station, so they can be forwarded.
Rick Graziani [email protected] 61
Association Process

• Association Request Frame (From client)

– Listen Interval – This value is used by the Power Save Operation (later).
Informs AP how often it will wake-up to receive buffered
frames.
– Supported Rates – What data rates the client station supports.
• Association Response Frame (From AP)
– Status Code – Indicates success or reason for failure.
– AID – A value assigned to this station for the Power Save Operation (later).
– Supported Rates - What data rates the AP supports.
Rick Graziani [email protected] 62
Association Process

• Association Request Frame (From client)

– At this point the AP adds the source address of the wireless client
to its Source Address Table.
– This is how the AP knows to forward frames destined to the client
out the wireless interface (802.11) and not the wired interface
(802.3/Ethernet).
– The AP usually learns the wireless client’s Source Address sooner,
either in the Probe Request or Authentication Request frames, but
this is where is “officially” adds the wireless client to it MAC table.
Rick Graziani [email protected] 63
Station Connectivity

Probe Authentication Association

process process process
Successful Successful
Authentication Association

State 1 State 2 State 3

Unauthenticated Authenticated Authenticated
Unassociated Unassociated Associated
Deauthentication Disassociation

• Traffic can now flow between the client and the AP.
• Disassociation and deauthentication can be due to:
– Inactivity
– The AP cannot handle all currently associated stations
– Station has left BSS
– etc.

Rick Graziani [email protected] 64

Labs and Station Connectivity
Configuring
AP1 is easy!

Hey, what AP1

happened to my
settings on AP2!

AP2

• In the lab we will need to take steps to make sure you are configuring
and connected to the AP that you think you are!
• We will first connect via a wired interface, change the SSID and IP
addressing on the AP, different from what the labs show.
Rick Graziani [email protected] 65
802.11 Overview and MAC Layer
Part 1 – 802.11 MAC and Cisco • 2.4 – 2.6 Online Curriculum
Client Adapters – Client Adapters
• (Separate Presentation) – Aironet Client Utility (ACU)
• 2.1 Online Curriculum
– ACU Monitoring and
– 802.11 Standards
Troubleshooting Tools
• Overview of WLAN Topologies
– IBSS
– BSS Part 2 – 802.11 MAC
– ESS • 802.11 Data Frames and
– Access Points Addressing
• 802.11 Medium Access • 802.11 MAC Layer Operations
Mechanisms – Station Connectivity
– DCF Operations – Power Save Operations
– Hidden Node Problem – 802.11 Frame Formats
– RTS/CTS • Non-standard devices
– Frame Fragmentation
Rick Graziani [email protected] 66
Power Save (PS) Operations

• A key factor in wireless is mobility, which implies batteries.

• To preserve battery power the 802.11 specification provides for power
saving operations on the wireless clients.
• 802.11 categories for power savings refer to:
– Unicast frames
– Broadcast/Multicast frames
Rick Graziani [email protected] 67
Power Save (PS) Operations

• The Cisco ACU has three options for Power Saving:

– CAM (Constantly Awake Mode)
– MAX PSP (Max Power Savings)
– Fast PSP (Fast Power Saving Mode)
• More on this later.
Rick Graziani [email protected] 68
Power Save (PS) Operations
I’m awake. Let me listen for
a beacon to see if there is
any traffic for me.
If not, I can go back to sleep.

beacon

• A client enters low-power mode by turning off its radio.

• The AP buffers (holds) frames destined for that station while it is in PS
mode.
• At a certain interval the client wakes up to listen for a beacon from the
AP.
• The beacon contains information on whether or not there are frames
for this station at the AP.
• If there are no frames buffered for this station it can return to PS mode.
Rick Graziani [email protected] 69
Power Save (PS) Operations

There are frames for me!

Please send them to me.

Beacon (frames buffered)

PS-Poll (send them to me)

Frame 1
ACK

The basics:
• If there are frames buffered for this station it will poll the AP for those
frames.
• The AP will then send the frames to the station.

Rick Graziani [email protected] 70

Unicast Power Save Operations

1. Association Request
2. Association
Response

• When a client associates with an AP it specifies listen interval.

• Listen interval – The number of beacons the client waits while in sleep mode
before transitioning to active (awake) mode.
• The number of beacons per second may vary between APs, but the beacon
frame has told the client how often those beacons are sent with the beacon
interval, so the client knows when it needs to wake up.
Rick Graziani [email protected] 71
Unicast Power Save Operations

There are frames for me!

Please send them to me.

Beacon (frames buffered)

PS-Poll (send them to me)

Frame 1
ACK

• For example:
– If the listening interval on the client is 200 the client wakes up every
200 beacons.
– If the AP beacon interval is 100 (10 beacons per second)
– The client will wake up every 20 seconds.to see if there are any frames
buffered for it.

Rick Graziani [email protected] 72

Power Save (PS) Operations

• How does an AP know if a station is in PS mode?

• Various frames contain this information, from the Station Connectivity
Process, PS-Polling and Data Frames as the user may change this
status any time.
• This information is contained in the Power Management sub-field of
the Frame Control field which is in most 802.11 frames.
– 0 = Active mode, 1 = Power Save Mode
– Frames
Rick Graziani from AP always have a value of 0 (it cannot sleep)
[email protected] 73
Power Save (PS) Operations

Rick Graziani [email protected] 74

FYI –
A little more detail on Unicast PS Operations
The AP tells
me I am AID 1. Association Request
29. 2. Association
Response AID = 29

• Remember the Association Identifier (AID) in the Association

Response, equivalent to a port on a switch.
• Each station receives a unique AID during the association phase.
• The TIM (Time Indication Map) in the beacon tells the station if there
are any frames buffered for it in the AP.
• If the “flag” = 0 there are no frames buffered, “flag” = 1 there are
frames being buffered.
Rick Graziani [email protected] 75
FYI –
A little more detail on Unicast PS Operations
The AP told During Assoc.
me I am AID 1. Association Request Process
29. I see in 2. Association
the beacon Response AID = 29
that there Beacon
are frames
waiting for
PS-Poll (send them to me)
me. Let me
ask for
them.
Frame 1
ACK

• The station sends a PS-Poll with is AID to get the frames.

• Much of the detail has been left out and if you are interested, see the
two books I recommended at the beginning of the presentation.

Rick Graziani [email protected] 76

FYI –
A little more detail on Unicast PS Operations

Rick Graziani [email protected] 77

FYI –
A little more detail on Unicast PS Operations

• You won’t find an exact match here between the protocol decode and
the TIM.
• See the Cisco Press book 802.11 Wireless LAN Fundamentals if you
are interested in how this works.
Rick Graziani [email protected] 78
Broadcast/Multicast Power Save Operations

• Broadcast and multicast traffic is buffered at the AP for all stations (including
non-PS stations) when at least one associated station is in PS mode.
• The network administrator defines the interval for the client to wake up to
receive broadcast and multicast traffic.
• A special TIM, known as a DTIM (Delivery Traffic Indication Map) indicates
whether or not there is broadcast/multicast traffic buffered on the AP.
• If the TIM’s, DTIM Count field is 0, the AP has broadcast/multicast frames.
• DTIM information is not sent in every beacon, but on every DTIM count period
(10th beacon in this example), and “getting in sync” depends on vendor.
• Rest of details can be found in Matthew Gast’s book if you are interested.
Rick Graziani [email protected] 79
802.11 Frame Formats
802.11 Frame Formats (Some of them)

• The following diagrams are FYI and from Cisco Press book 802.11 Wireless LAN
Fundamentals by Pejman Roshan and Jonathan Leary.
802.11 Frames • Management Frames
• Data Frames (most are PCF) – Beacon
– Data – Probe Request
– Null data – Probe Response
– Data+CF+Ack – Authentication
– Data+CF+Poll – Deauthentication
– Data+CF+Ac+CF+Poll – Association Request
– CF-Ack – Association Response
– CF-Poll – Reassociation Request
– CF-Cak+CF-Poll – Reassociation Response
• Control Frames – Disassociation
– RTS – Announcement Traffic Indication
– CTS
– ACK
– CF-End
– CF-End+CF-Ack
Rick Graziani [email protected] 81
802.11 Data Frame

Rick Graziani [email protected] 82

Rick Graziani [email protected] 83
Rick Graziani [email protected] 84
Rick Graziani [email protected] 85
Non-standard 802.11 Devices
Non-standard 802.11
devices

• These devices either

extend or fall outside the
802.11 standard and will
be discussed in more
detail in later sections:
– Repeater APs
– Universal Clients
(Workgroup Bridges)
– Wireless Bridges

Rick Graziani [email protected] 87

 Ch. 2 – 802.11 and NICs
Part 2 – 802.11 MAC

Cisco Fundamentals of Wireless LANs version 1.1

Rick Graziani
Cabrillo College