Summary

This document details various wireless LAN topologies, including Wireless Wide Area Networks (WWANs), Wireless Metropolitan Area Networks (WMANs), Wireless Personal Area Networks (WPANs), and Wireless Local Area Networks (WLANs). It also describes components like access points and client stations, and different service set types within the 802.11 standard.

Full Transcript


Handout 7
Wireless LAN Topologies
Course Name: Wireless Networks
Course Code: CSN 405
Notes appended and modified to those accompanying “CWNA Certified Wireless Network Administrator: Official Study Guide”, D. Coleman & D. Westcott, John Wiley & Sons - Sybex, 6th Ed., 2021, Ch. 7

WLAN Topologies
• Wireless networking topologies
• 802.11 stations
• 802.11 service sets
• 802.11 draft amendments
• 802.11 configuration modes

Wireless Networking Topologies
• A wireless wide area network (WWAN) also covers broad geographical boundaries but obviously uses a wireless medium instead of a wired medium.
• WWANs typically use cellular telephone technologies or proprietary licensed wireless bridging technologies.
• Some examples of these cellular technologies are general packet radio service (GPRS), code division multiple access (CDMA), time division multiple access (TDMA), Long Term Evolution (LTE), and Global System for Mobile Communications (GSM). Data can be carried to a variety of devices, such as smartphones, tablet PCs, and cellular USB modems.
• A wireless metropolitan area network (WMAN) provides RF coverage to a metropolitan area, such as a city and the surrounding suburbs.
• WMANs have been created for some time by matching different wireless technologies, and recent advancements have made this more practical.
• One wireless technology that is often associated with a WMAN is defined by the 802.16 standard and is sometimes referred to as Worldwide Interoperability for Microwave Access (WiMAX).
• A wireless personal area network (WPAN) is a wireless computer network used for communication between computer devices within close proximity of a user.
• Devices such as laptops, gaming devices, tablet PCs, and smartphones can communicate with each other by using a variety of wireless technologies.
• The most common technologies in WPANs are Bluetooth and infrared.
Infrared is a light-based medium, whereas Bluetooth is a radio frequency medium that uses frequency-hopping spread spectrum (FHSS) technology.
• A wireless local area network (WLAN) provides wireless networking for a building or campus environment.
• The 802.11 wireless medium is a perfect fit for local area networking simply because of the range and speeds that are defined by the 802.11-2020 standard and future amendments.
• The majority of 802.11 wireless network deployments are indeed LANs that provide access at businesses and homes.

802.11 Stations
[Figure: access point (AP) station, MAC address C413E2039F40; client station, MAC address 0C51019C6BFD]
• The main component of an 802.11 wireless network is the radio, which is referred to by the 802.11 standard as a station (STA).
• The radio can reside inside an access point or be used as a client station. All stations are identified by a unique MAC address.

Client STA
[Figure: client station, MAC address 0C51019C6BFD]
• Any radio that is not used in an access point is typically referred to as a client station or a non-AP station.
• Client station radios can be used in laptops, tablets, scanners, smartphones, and many other mobile devices.
• Client stations must contend for the half-duplex RF medium in the same manner that an access point radio contends for the RF medium.
• When client stations have a layer 2 connection with an access point, they are known as associated.

AP STA
[Figure: access point (AP) station, MAC address C413E2039F40]
• An 802.11 access point (AP) station is a radio that functions as a wireless portal from which other client stations can communicate.
• In general, an AP has all the same capabilities as a client station.
• However, a key difference between an AP station and a client station is the portal functionality.
AP STA
[Figure: client station, MAC address 0C51019C6BFD, connected through the access point (AP) station, MAC address C413E2039F40, to 802.3 Ethernet]
• An access point provides a portal functionality allowing associated client stations to communicate via the wireless medium to another physical medium, such as an 802.3 Ethernet network.
• The technical term for this portal functionality is distribution system access function (DSAF).

802.11 Stations: Integration Service
• The 802.11-2020 standard defines an integration service (IS) that enables delivery of MAC service data units (MSDUs) between the distribution system (DS) and a non-IEEE-802.11 LAN via a portal.
• A simpler way of defining the integration service is to characterize it as a frame format transfer method.
• The portal is usually either an access point or a WLAN controller. The payload of a wireless 802.11 data frame is the layer 3–7 information known as the MAC service data unit (MSDU).

802.11 Stations: Distribution System
[Figure: client station, MAC address 0C51019C6BFD; access point (AP) station, MAC address C413E2039F40; 802.3 Ethernet]
• The 802.11-2020 standard defines a distribution system (DS) that is used to interconnect a set of basic service sets via integrated LANs to create an extended service set (ESS).
• Wireless traffic can be destined back onto the wireless medium or forwarded to the integration service.
• The distribution system (DS) consists of two main components:
1. Distribution System Medium: A logical physical medium used to connect access points is known as a distribution system medium (DSM). The most common example is an 802.3 medium.
2. Distribution System Service: The distribution system service (DSS) uses the layer 2 addressing of the 802.11 MAC header to eventually forward the layer 3–7 information (MSDU) either to the integration service or to another wireless client station. A full understanding of the DSS is beyond the scope of the CWNA exam.

Wireless Distribution System (WDS)
• As shown in the previous slide, the most common real-world example of a WDS is when access points function in a mesh deployment to provide both coverage and backhaul.
• Another real-world example of a WDS is an 802.11 outdoor bridge link used to provide wireless backhaul connectivity between two buildings.

802.11 Service Sets
• The 802.11-2020 standard defines multiple 802.11 topologies, known as service sets, which describe how these radios may be used to communicate with each other.
• These 802.11 topologies are known as:
1. basic service set (BSS)
2. extended service set (ESS)
3. independent basic service set (IBSS)
4. personal basic service set (PBSS)
5. mesh basic service set (MBSS)
6. QoS basic service set (QBSS)

Service Set Identifier (SSID)
• The service set identifier (SSID) is a logical name used to identify an 802.11 wireless network.
• The SSID wireless network name is comparable to a Windows workgroup name.
• SSID is a configurable setting on all 802.11 radios, including access points and client stations.
• The SSID can be made up of as many as 32 characters and is case sensitive.

Basic Service Set (BSS)
• The basic service set (BSS) is the cornerstone topology of an 802.11 network.
• The communicating devices that make up a BSS consist of one AP radio with one or more client stations.
• Client stations join the AP wireless domain and begin communicating through the AP.
• Stations that are members of a BSS have a layer 2 connection and are called associated.

Basic Service Area (BSA)
• The physical area of coverage provided by an access point in a BSS is known as the basic service area (BSA).
• Client stations can move throughout the coverage area and maintain communications with the AP as long as the received signal between the radios remains above received signal strength indicator (RSSI) thresholds.

Basic Service Set Identifier (BSSID)
• The 48-bit (6-octet) MAC address of an access point’s radio is known as the basic service set identifier (BSSID).
• The simple definition of a BSSID is that it is the MAC address of the radio network interface in an access point.
• The correct definition is that the BSSID address is the layer 2 identifier of each individual BSS.

Multiple BSSIDs
• The BSSID can be the physical MAC address of the access point radio; however, multiple BSSIDs may be created for a radio interface using sub-interfaces.
• The multiple BSSIDs are usually increments of the original MAC address of the AP’s radio.
• Multiple WLANs can exist within each AP’s coverage area.
• Each WLAN has a unique logical name (SSID) and a unique layer 2 identifier (BSSID), and each SSID is usually mapped to a unique virtual local area network (VLAN), which is mapped to a unique subnet (layer 3).
• In other words, multiple layer 2/3 domains can exist within one layer 1 domain.

Extended Service Set (ESS)
• An extended service set (ESS) is two or more identically configured basic service sets connected by a distribution system medium.
• Usually an extended service set is a collection of multiple access points and their associated client stations, all united by a single DSM (normally Ethernet).

Extended Service Set – Seamless Roaming
• The extended service area (ESA) is the coverage area of the ESS in which all clients can communicate and roam.
• The most common example of an ESS has access points with overlapping coverage to provide seamless roaming to the client stations.
• Coverage overlap is really duplicate coverage from the perspective of a Wi-Fi client station.
Extended Service Set – Nomadic Roaming
• A method of station mobility between disjointed cells is sometimes referred to as nomadic roaming.
• A client station that leaves the basic service area (BSA) of the first access point will lose connectivity.
• The client station will later reestablish connectivity as it moves into the coverage cell of the second access point.

Extended Service Set Identifier (ESSID)
• The logical network name of an ESS is often called an extended service set identifier (ESSID).
• The terms ESSID and SSID are synonymous.
  – Access points in an ESS where roaming is required must all share the same logical name (SSID) and security configuration settings, but must have unique layer 2 identifiers (BSSIDs) for each unique BSA coverage cell.

Independent Basic Service Set (IBSS)
• The third service set topology defined by the 802.11 standard is an independent basic service set (IBSS).
• The radios that make up an IBSS network consist solely of client stations (STAs), and no access point is deployed.
• An IBSS network that consists of just two STAs is analogous to a wired crossover cable.

Personal Basic Service Set (PBSS)
[Figure: four 802.11ad clients communicating at 60 GHz, one of them the PBSS control point (PCP)]
• Similar to the IBSS, a personal basic service set (PBSS) is an 802.11 WLAN topology in which 802.11ad stations communicate directly with each other.
• A PBSS can be established only by directional multi-gigabit (DMG) radios that transmit in the 60 GHz frequency band.
• Similar to an IBSS, there is no centralized access point that functions as a portal to the wired network.
• In contrast to an IBSS, one client assumes the role of the PBSS control point (PCP).
• The PCP client uses DMG Beacon and Announce frames to provide for synchronized medium contention between all clients participating within the PBSS.
Mesh Basic Service Set (MBSS)
[Figure: mesh portal and mesh point, with 5 GHz and 2.4 GHz radios]
• The mesh functions are used to provide wireless distribution of network traffic, and the set of APs that provide mesh distribution form a mesh basic service set (MBSS).
• Any mesh AP connected to the upstream wired medium is known as a mesh portal.
• The 802.11 technical terminology for a mesh portal station is mesh gate, so it is sometimes referred to as a mesh gateway.
• Mesh APs that are not connected to the upstream wired infrastructure are known as mesh points.
• The backhaul connection between a mesh point and a mesh portal is considered to be a wireless distribution system (WDS).
• Client stations that are associated to the mesh points have their traffic forwarded through the wireless backhaul.
• Usually the MBSS uses the 5 GHz radios for backhaul communications.

QoS Basic Service Set (QBSS)
• Quality of service (QoS) mechanisms can be implemented within all of the 802.11 service sets.
• Any 802.11 enterprise access point manufactured in the past 10 years supports WMM QoS mechanisms by default.
• Therefore, each basic service set in most enterprise deployments is considered to be a QoS basic service set (QBSS).

Configuration Modes - AP
• The default configuration of some WLAN vendor access points is known as root mode.
• The main purpose of an AP is to serve as a portal to a wired network.
• Not all vendors have the same names for this mode of operation. For example, many Wi-Fi vendors use the term AP mode or access mode instead of root mode.

Configuration Modes - AP
Other optional operational modes in which an AP may be configured:
• Mesh Mode: The AP radio operates as a wireless backhaul radio for a mesh environment. Depending on the vendor, the backhaul radio may also allow for client access. Mesh mode is sometimes also referred to as repeater mode.
• Sensor Mode: The AP radio is converted into a sensor radio, allowing the AP to integrate into a wireless intrusion detection system (WIDS) architecture. An AP in sensor mode is in a continuous listening state while scanning between multiple channels. Sensor mode is also often referred to as monitor mode or scanner mode.
• Bridge Mode: The AP radio is converted into a wireless bridge. This typically adds extra MAC-layer intelligence to the device and gives the AP the capability to learn and maintain tables about MAC addresses from the wired side of the network.
• Workgroup Bridge Mode: The AP radio is transformed into a workgroup bridge, providing wireless backhaul for connected 802.3 wired clients.
• AP as a Client Mode: The AP radio functions as a client device that can then associate to other APs. This operational mode is sometimes used for troubleshooting purposes.

Configuration Modes - Clients
• A client station may operate in one of two states.
• The default mode for an 802.11 client radio is typically infrastructure mode.
• When running in infrastructure mode, the client station will allow communication via an access point.
• Infrastructure mode allows for a client station to participate in a basic service set or an extended service set.
• The second client station mode is called ad hoc mode.
• Other client vendors may refer to this as peer-to-peer mode.
• 802.11 client stations set to ad hoc mode participate in an IBSS topology and do not communicate via an access point.
• Many client stations, such as tablets and smartphones, may not be configurable for ad hoc communications.

Questions

Home Work
1. Open your book and go through all the review questions at the end of the chapter.
2. Review the answers by using Appendix A.
Handout 8
802.11 Medium Access
Course Name: Wireless Networks
Course Code: CSN 405
Notes appended and modified to those accompanying “CWNA Certified Wireless Network Administrator: Official Study Guide”, D. Coleman & D. Westcott, John Wiley & Sons - Sybex, 6th Ed., 2021, Ch. 8

802.11 Medium Access
• CSMA/CA versus CSMA/CD
• Distributed Coordination Function (DCF)
• Point Coordination Function (PCF)
• Hybrid Coordination Function (HCF)
• Wi-Fi Multimedia (WMM)
• Airtime Fairness

Medium Contention
• Network communication requires a set of rules to provide controlled and efficient access to the network medium.
• Medium access control (MAC) is the generic term used when discussing the concept of access.
• Two forms of contention that are heavily used in today’s networks are:
1. Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
2. Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)

CSMA/CD
• CSMA/CD is well known and is used for 802.3 Ethernet networks.
• Ethernet networks use CSMA/CD because they can hear network collisions over the Ethernet cable.
• A CSMA/CD wired node first checks whether another node is transmitting. If no other wired node is transmitting on the Ethernet medium, the node sends the first bit of information.
• If no collision is detected, the node continues to send the other bits of information while continuously checking whether a collision has been detected.
• If a collision is detected, the wired node calculates a random amount of time to wait before starting the process again.

CSMA/CA Overview
Carrier sense determines whether the medium is busy.
Multiple access ensures that every radio gets a fair shot at the medium (but only one at a time).
Collision avoidance means only one radio gets access to the medium at any given time, hopefully avoiding collisions.
• 802.11 wireless radios are not capable of transmitting and receiving at the same time, so they are not capable of detecting a collision during their transmission.
• For this reason, 802.11 wireless networking uses CSMA/CA instead of CSMA/CD to try to avoid collisions.

Unicast Acknowledgment
[Figure: transmitting radio sends a unicast frame; CRC passes; receiver radio sends L2 ACK frame]
• 802.11 radios cannot transmit and receive at the same time and therefore cannot detect collisions.
• So, if they cannot detect a collision, how do they know whether one occurred?

Unicast Acknowledgment
[Figure: transmitting radio sends a unicast frame; CRC fails; no ACK frame sent by receiver; transmitting radio sends L2 retransmission]

Distributed Coordination Function (DCF) CSMA/CA
• Four main components of the CSMA/CA protocol, as defined by DCF:
1. Physical carrier sense
2. Virtual carrier sense
3. Pseudo-random backoff timer
4. Interframe spaces
• Distributed Coordination Function (DCF) is the fundamental access method of 802.11 communications, and the CSMA/CA process is the foundation of the DCF.
  – Four main components are part of the CSMA/CA process.
  – Think of these four components as checks and balances that work together at the same time to ensure that only one 802.11 radio is transmitting on the half-duplex medium.

1. CSMA/CA – Physical Carrier Sense
• Physical carrier sense has two purposes:
1. The first purpose is to determine whether a frame transmission is inbound for a station to receive. If the medium is busy, the radio will attempt to synchronize with the transmission.
2. The second purpose is to determine whether the medium is busy before transmitting. The medium must be clear before a station can transmit.

Clear Channel Assessment (CCA)
[Figure: 20 MHz channel; CCA: SD = 4 dB SNR, ED = SD + 20 dB]
• 802.11 radios use two separate CCA thresholds when listening to the RF medium:
1. Signal Detect (SD) threshold is statistically a 4 dB signal-to-noise ratio (SNR) to detect an 802.11 preamble
2. Energy Detect (ED) threshold is 20 dB above the signal detect threshold
• Approximately 4 microseconds is needed for both the signal and energy detect assessments during the CCA.

Clear Channel Assessment Thresholds
[Figure: Clear Channel Assessment thresholds]

Clear Channel Assessment (CCA)
[Figure: 20 MHz channel; CCA: SD = 4 dB SNR, ED = SD + 20 dB]
The definition of both of these CCA thresholds is somewhat vague in the 802.11-2020 standard, which has often resulted in a misunderstanding of the actual threshold values.
• The interpretation of these thresholds by WLAN manufacturers of 802.11 client and AP radios will often differ.
• To complicate matters further, please remember that the receive sensitivity capabilities between radios can vary widely.
• Because of the difference in receive sensitivity, the perception of the noise floor can be quite different between 802.11 radios.
• Therefore, the two CCA thresholds may also vary due to differences in radio receive sensitivity.

2. Virtual Carrier Sense
• Physical carrier sense occurs at layer 1 of the OSI model.
• Virtual carrier sense is another component of CSMA/CA that occurs at layer 2 of the OSI model.
• One of the fields in the MAC header of an 802.11 frame is the Duration/ID field.
• When a client transmits a unicast frame, the Duration/ID field contains a value from 0 to 32,767.

Duration Value: SIFS + ACK
The Duration/ID value represents the time, in microseconds, that is required to transmit an active frame exchange process so that other radios do not interrupt the process.

Virtual Carrier Sense
• Virtual carrier sense uses a timer mechanism known as the network allocation vector (NAV).
• The NAV timer maintains a prediction of future traffic on the medium based on Duration value information seen in a previous frame transmission.
Virtual Carrier Sense
• This process essentially allows the transmitting 802.11 radio to notify the other stations that the medium will be busy for a period of time (Duration/ID value):
  – The stations that are not transmitting listen and hear the Duration/ID, set a countdown timer (NAV), and wait until their timer hits 0 before they can contend for the medium and eventually transmit on the medium.
  – A station cannot contend for the medium until its NAV timer is 0, nor can a station transmit on the medium if the NAV timer is set to a nonzero value.

3. Pseudo-Random Backoff Timer
• An 802.11 station may contend for the medium during a window of time known as the backoff time.
• At this point in the CSMA/CA process, the station selects a random backoff value using a pseudo-random backoff algorithm.
• The station chooses a random number from a range called a contention window (CW) value.
• After the random number is chosen, the number is multiplied by the slot time value. This starts a pseudo-random backoff timer.
• Please do not confuse the backoff timer with the NAV timer.
• As mentioned earlier, the NAV timer is a virtual carrier sense mechanism used to reserve the medium for further transmissions.
• The pseudo-random backoff timer is the final timer used by a station before it transmits.
• The station’s backoff timer begins to count down ticks of a clock known as slots.
• When the backoff timer is equal to zero, the client can reassess the channel and, if it is clear, begin transmitting.
• The whole point of the backoff procedure is that all 802.11 radios get a chance to transmit on the RF medium; however, a pseudo-random process is needed to ensure that they all take turns.
• A good analogy would be to write down the numbers 0–15 on 16 pieces of paper and put all the pieces of paper in a hat.
• Then four people would each choose one piece of paper from the hat.
The person with the lowest number would get to transmit on the medium first.

Exponential Increase of Contention Window
• What if a frame transmission is corrupted and a retransmission is necessary?
• Unsuccessful transmissions cause the CW size to increase exponentially up to a maximum value after each retransmission.

4. Interframe Space
Interframe space (IFS) is a period of time that exists between transmissions of wireless frames. There are ten types of interframe space. Following is a partial list, from shortest to longest:
1. Reduced interframe space (RIFS): highest priority
2. Short interframe space (SIFS): second highest priority
3. PCF interframe space (PIFS): middle priority
4. DCF interframe space (DIFS): lowest priority
5. Arbitration interframe space (AIFS): used by QoS stations
6. Extended interframe space (EIFS): used after receipt of corrupted frames

SIFS and DIFS
The two most common are the SIFS and DIFS.
• Example: the ACK frame is the highest-priority frame, and the use of a SIFS ensures that it will be transmitted first, before any other type of 802.11 frame.
• Stations use SIFS to maintain control of the medium during a frame-exchange sequence.
• Most other 802.11 frames follow a longer period of time, called a DIFS.

Point Coordination Function (PCF)
• Optional 802.11 media access method
• Uses a form of polling
• AP acts as Point Coordinator (PC)
• Will only work with BSS or ESS (not IBSS)
• Both AP and station must support PCF
• AP will alternate between PCF and DCF mode
• When functioning in PCF mode, it is known as the contention-free period (CFP)
• When functioning in DCF mode, it is known as the contention period (CP)
• PCF has yet to be implemented by any vendors

Hybrid Coordination Function
• The 802.11e quality-of-service amendment added a new coordination function to 802.11 medium contention, known as Hybrid Coordination Function (HCF).
• The 802.11e amendment and HCF have since been incorporated into the 802.11-2020 standard.
HCF enhances DCF with QoS capabilities: Enhanced Distributed Channel Access (EDCA)

Hybrid Coordination Function
• HCF defines the ability for an 802.11 radio to send multiple frames when transmitting on the RF medium.
• When an HCF-compliant radio contends for the medium, it receives an allotted amount of time to send frames. This period of time is called a transmit opportunity (TXOP).
• During this TXOP, an 802.11 radio may send multiple frames in what is called a frame burst.
• A short interframe space (SIFS) is used between each frame to ensure that no other radios transmit during the frame burst.

EDCA and 802.1D Priority Tags
• EDCA defines four access categories, based on the eight user priorities (UPs).
• The four access categories, from lowest priority to highest priority, are AC_BK (Background), AC_BE (Best Effort), AC_VI (Video), and AC_VO (Voice).
• For each access category, an enhanced version of DCF known as Enhanced Distributed Channel Access Function (EDCAF) is used to contend for a TXOP.
• Frames with the highest-priority access category have the lowest backoff values and therefore are more likely to get a TXOP.

WMM Access Categories
• The 802.11e amendment defined the layer 2 MAC methods needed to meet the QoS requirements for time-sensitive applications over IEEE 802.11 wireless LANs.
• The Wi-Fi Alliance introduced the Wi-Fi Multimedia (WMM) certification as a partial mirror of the 802.11e amendment.
• Because WMM is based on EDCA mechanisms, 802.1D priority tags from the Ethernet side are used to direct traffic to four access-category priority queues.
• The WMM certification provides for traffic prioritization via four access categories.

WMM Access Category Timing
• The whole point of WMM is to prioritize different classes of application traffic during the medium-contention process.
• For example, the voice access category has better odds when contending for the medium during the backoff process.
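
The backoff, contention-window and access-category behaviour described in this handout, as an added example that is not part of the original notes: a slot-level model of EDCA contention in Python. The slot time, SIFS and per-category AIFSN/CWmin/CWmax values are assumed defaults for an OFDM PHY, and the model assumes every station always has a frame queued.

```python
import random

SLOT_US = 9    # assumed OFDM slot time, microseconds
SIFS_US = 16   # assumed OFDM SIFS, microseconds

# Assumed default EDCA parameters per access category: (AIFSN, CWmin, CWmax).
EDCA = {
    "AC_BK": (7, 15, 1023),
    "AC_BE": (3, 15, 1023),
    "AC_VI": (2, 7, 15),
    "AC_VO": (2, 3, 7),
}


def next_cw(cw, cw_max):
    """Contention window after a failed transmission: doubles, capped at cw_max."""
    return min(2 * (cw + 1) - 1, cw_max)


def wait_us(ac, backoff_slots):
    """Idle time before transmitting: AIFS (SIFS + AIFSN slots) plus the backoff slots."""
    return SIFS_US + (EDCA[ac][0] + backoff_slots) * SLOT_US


def simulate(acs, rounds, seed=0):
    """Run `rounds` contention rounds between stations whose access categories
    are listed in `acs`. Returns (wins per station, number of collisions)."""
    rng = random.Random(seed)
    cw = [EDCA[ac][1] for ac in acs]              # current contention window
    counter = [rng.randint(0, c) for c in cw]     # remaining backoff slots
    wins = [0] * len(acs)
    collisions = 0
    for _ in range(rounds):
        # Slots each station must see idle before it may transmit.
        waits = [EDCA[ac][0] + n for ac, n in zip(acs, counter)]
        first = min(waits)
        contenders = [i for i, w in enumerate(waits) if w == first]
        # Losers freeze their timers, keeping credit for the slots they
        # counted down after their own AIFS had elapsed.
        for i, ac in enumerate(acs):
            if i not in contenders:
                counter[i] -= max(0, first - EDCA[ac][0])
        if len(contenders) == 1:
            i = contenders[0]
            wins[i] += 1
            cw[i] = EDCA[acs[i]][1]               # success: CW back to CWmin
        else:
            collisions += 1                       # same slot chosen: no ACK
            for i in contenders:
                cw[i] = next_cw(cw[i], EDCA[acs[i]][2])
        for i in contenders:
            counter[i] = rng.randint(0, cw[i])    # draw a new backoff value
    return wins, collisions


if __name__ == "__main__":
    cw, growth = 15, [15]
    while cw < 1023:
        cw = next_cw(cw, 1023)
        growth.append(cw)
    print("CW after successive retries:", growth)
    print("Shortest voice wait:", wait_us("AC_VO", 0), "us")
    print("Longest first-try best-effort wait:", wait_us("AC_BE", 15), "us")
    for mix in (["AC_BE"] * 4, ["AC_VO", "AC_BE"], ["AC_VO", "AC_BK"]):
        print(mix, simulate(mix, 5000, seed=1))
```

With these parameters a saturated voice station never waits more than 5 slots while a background station never waits fewer than 7, so the last mix shows background traffic getting no transmit opportunities at all.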
Airtime Fairness
• Vendor-specific mechanisms used to ensure that priority was given to higher data rate transmissions.
• Instead of allocating equal access to the network between devices, the goal of airtime fairness is to allocate equal time, as opposed to equal opportunity.

Questions

Home Work
1. Open your book and go through all the review questions at the end of the chapter.
2. Review the answers by using Appendix A.

Handout 9
802.11 MAC Architecture
Course Name: Wireless Networks
Course Code: CSN 405
Notes appended and modified to those accompanying “CWNA Certified Wireless Network Administrator: Official Study Guide”, D. Coleman & D. Westcott, John Wiley & Sons - Sybex, 6th Ed., 2021, Ch. 9

802.11 MAC
• Packets, Frames, Bits
• Data-Link layer
• Physical layer
• 802.11 MAC header
• 802.11 frame body
• 802.11 trailer
• 802.11 state machine
• Management frames
• Control frames
• Data frames
• Power management

Packets, Frames, Bits
[Figure: OSI model layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network (packet), 2 Data Link (frame), 1 Physical (bits)]
• At the Network layer, an IP header is added to the data that came from layers 4–7.
• A layer 3 IP packet, or datagram, encapsulates the data from the higher layers.
• At the Data-Link layer, a MAC header is added and the IP packet is encapsulated inside a frame.
• Ultimately, when the frame reaches the Physical layer, a PHY header with more information is added to the frame.
• Data is eventually transmitted as individual bits at the Physical layer.
• A bit is a binary digit, taking a value of either 0 or 1. Binary digits are a basic unit of communication in digital computing.
• A byte of information consists of 8 bits. An octet is another name for a byte of data.
Data-Link Layer
[Figure: OSI model layers 7–1, with the Data Link layer split into LLC and MAC sublayers]
The 802.11 Data-Link layer is divided into two sublayers:
• The upper portion is the IEEE 802.2 Logical Link Control (LLC) sublayer, which is identical for all 802-based networks, although it is not used by all IEEE 802 networks.
• The bottom portion of the Data-Link layer is the Media Access Control (MAC) sublayer.
• The 802.11 standard defines operations at the MAC sublayer.

MAC Service Data Unit (MSDU)
[Figure: upper-layer protocols (LLC and layers 3–7) form the MSDU payload, 0–2304 bytes]
• When the Network layer (layer 3) sends data to the Data-Link layer, that data is handed off to the LLC and becomes known as the MAC service data unit (MSDU).
• The MSDU contains data from the LLC and layers 3–7. A simple definition of the MSDU is that it is the data payload that contains the IP packet plus some LLC data.
• The 802.11-2020 standard states that the maximum size of the MSDU is 2,304 bytes.

MAC Protocol Data Unit (MPDU)
[Figure: MPDU made up of MAC header, frame body (MSDU payload, 0–2304 bytes, from the upper-layer protocols: LLC and layers 3–7) and trailer]
• When the LLC sublayer sends the MSDU to the MAC sublayer, the MAC header information is added to the MSDU to identify it.
• The MSDU is now encapsulated in a MAC protocol data unit (MPDU).
• A simple definition of an 802.11 MPDU is that it is an 802.11 frame.

MAC Protocol Data Unit (MPDU)
An 802.11 MPDU consists of:
• MAC Header:
  – Frame control information, duration information, MAC addressing, sequence control, QoS control information, and HT control information are all found in the MAC header.
• Frame Body:
  – The frame body component can vary in size and contains information that is different depending on the frame type and frame subtype. The MSDU upper-layer payload is encapsulated in the frame body.
The MSDU layer 3–7 payload is protected when using encryption.

MAC Protocol Data Unit (MPDU)
An 802.11 MPDU consists of:
• Frame Check Sequence:
  – The trailer of the frame is known as the frame check sequence (FCS).
  – The FCS comprises a 32-bit cyclic redundancy check (CRC) that is used to validate the integrity of received frames.

Physical Layer
[Figure: OSI model layers 7–1, with the Physical layer split into PLCP and PMD sublayers]
The 802.11 Physical layer is divided into two sublayers:
• The upper portion of the Physical layer is known as the Physical Layer Convergence Procedure (PLCP).
  – The PLCP prepares the frame for transmission by taking the frame from the MAC sublayer and creating the PLCP protocol data unit (PPDU).
• The lower portion is known as the Physical Medium Dependent (PMD) sublayer.
  – The PMD sublayer then modulates and transmits the data as bits.

Data-Link and Physical Layers
[Figure: flowchart that shows the upper-layer information moving between the Data-Link and Physical layers]

802.11 MAC Header
• Every 802.11 frame contains a MAC header that contains layer 2 information.
• The layer 2 information is not encrypted and is always visible when viewed with a protocol analyzer.
• The 802.11 MAC header has nine major fields, four of which are used for addressing.

Frame Control Field
• The first two bytes of the MAC header consist of 11 subfields within the Frame Control field.
• These subfields include Protocol Version, Type, Subtype, To DS, From DS, More Fragments, Retry, Power Management, More Data, Protected Frame, and +HTC/Order.

802.11 Frame Types
[Figure: 802.11 frame types]

Type and Subtype Fields
• The Type field and Subtype field are used together to identify the function of the frame.
• Because there are many different kinds of management, control, and data frames, a 4-bit Subtype field is needed.
• In this example the Subtype field indicates that the frame is a beacon management frame.

Retry Field
• The Retry field is a single significant bit of information found in all 802.11 MAC headers.
• The Retry field comprises a single bit of the Frame Control field and is perhaps one of the most important fields in the MAC header.
• If the Retry bit has a value of 0, an original transmission of the frame is occurring.
• If the Retry bit is set to a value of 1 in either a management or data frame, the transmitting radio is indicating that the frame being sent is a retransmission.

Duration/ID Field
As you learned in Chapter 8, the Duration/ID field value represents the time, in microseconds, that is required to transmit an active frame exchange process so that other radios do not interrupt the process.

802.11 MAC Addressing
Much like in an 802.3 Ethernet frame, the header of an 802.11 frame contains MAC addresses. A MAC address is one of the following two types:
• Individual Address: Individual addresses are assigned to unique stations on the network (also known as a unicast address).
• Group Address: A multiple-destination address (group address) could be used by one or more stations on a network. There are two kinds of group addresses:
– Multicast-Group Address: An address used by an upper-layer entity to define a logical group of stations is known as a multicast-group address.
– Broadcast Address: A group address that indicates all stations that belong to the network is known as a broadcast address. A broadcast address, all bits with a value of 1, defines all stations on a local area network. In hexadecimal, the broadcast address would be FF:FF:FF:FF:FF:FF.

802.11 MAC Addressing
Unlike 802.3 frames, which only have two addresses, 802.11 frames can have as many as four MAC addresses with five different possible meanings:
1. Source Address (SA): The MAC address of the original sending station is known as the source address (SA).
The source address can originate from either a wireless station or the wired network.
2. Destination Address (DA): The MAC address that is the final destination of the layer 2 frame is known as the destination address (DA). The final destination may be a wireless station or a destination on the wired network, such as a server.
3. Transmitter Address (TA): The MAC address of an 802.11 radio that is transmitting the frame onto the half-duplex 802.11 medium is known as the transmitter address (TA).
4. Receiver Address (RA): The MAC address of the 802.11 radio that is intended to receive the incoming transmission from the transmitting station is known as the receiver address (RA).
5. Basic Service Set Identifier (BSSID): This is the MAC address that is the layer 2 identifier of the basic service set (BSS). The basic service set identifier (BSSID) is the MAC address of the AP’s radio or is derived from the MAC address of the AP’s radio if multiple basic service sets exist.

802.11 MAC Addressing
• Unlike 802.3 frames, which only have two addresses, 802.11 frames can have as many as four MAC addresses with five different possible meanings.
• The To DS field and the From DS field are each 1 bit and are used in combination to change the meaning of the four MAC addresses in an 802.11 header.
• These two bits also indicate the flow of the 802.11 data frames between a WLAN environment and the distribution system (DS).

To DS:0 From DS:0 – Probe Request
[Figure: Probe Request; Access Point, RA (DA): 00:19:77:06:1D:90; Client, TA (SA): D4:9A:20:78:85:10; To DS: 0, From DS: 0]
• When both bits are set to 0, several different scenarios can exist.
• The most common scenario is that these are management or control frames.
• Management and control frames do not have an MSDU payload, so their final destination is never the distribution system (DS).
Address #1: RA (DA): 00:19:77:06:1D:90
Address #2: TA (SA): D4:9A:20:78:85:10
Address #3: BSSID: 00:19:77:06:1D:90

To DS:0 From DS:0 – Probe Response
[Figure: Probe Response; Access Point, TA (SA): 00:19:77:06:1D:90; Client, RA (DA): D4:9A:20:78:85:10; To DS: 0, From DS: 0]
Address #1: RA (DA): D4:9A:20:78:85:10
Address #2: TA (SA): 00:19:77:06:1D:90
Address #3: BSSID: 00:19:77:06:1D:90
• When both bits are set to 0, several different scenarios can exist.
• The most common scenario is that these are management or control frames.
• Management and control frames do not have an MSDU payload, so their final destination is never the distribution system (DS).

To DS:0 From DS:0 – IBSS
[Figure: Client #1, TA (SA): D4:9A:20:78:85:30; Client #2, RA (DA): D4:9A:20:78:85:55]
• Another scenario when both DS bits are set to 0 is a direct data frame transfer from one STA to another STA within an independent basic service set (IBSS), more commonly known as an ad hoc network.
• The third scenario involves what is known as a station-to-station link (STSL), which involves a data frame being sent directly from one client station to another client station that belongs to the same BSS, thereby bypassing the AP.

Downlink Traffic
[Figure: Server, SA: 00:0A:E4:DA:92:F7; Access Point, TA (BSSID): 00:19:77:06:1D:90; Client, RA (DA): D4:9A:20:78:85:10]
To DS: 0 From DS: 1
Address #1: RA (DA): D4:9A:20:78:85:10
Address #2: TA (BSSID): 00:19:77:06:1D:90
Address #3: SA: 00:0A:E4:DA:92:F7

Uplink Traffic
[Figure: Server, DA: 00:0A:E4:DA:92:F7; Access Point, RA (BSSID): 00:19:77:06:1D:90; Client, TA (SA): D4:9A:20:78:85:10]
To DS: 1 From DS: 0
Address #1: RA (BSSID): 00:19:77:06:1D:90
Address #2: TA (SA): D4:9A:20:78:85:10
Address #3: DA: 00:0A:E4:DA:92:F7

Mesh
• When the To DS bit and the From DS bit are both set to 1, this is the only time that a data frame uses the four-address format.
• Although the standard does not define procedures for using this format, WLAN vendors often implement what is known as a wireless distribution system (WDS).
• Examples of a WDS include WLAN bridges and mesh networks.
[Figure: Server, DA: 00:0A:E4:DA:92:F7; Mesh Portal, RA: 00:19:77:06:1D:90; Mesh Point, TA: 00:19:77:06:1D:95; Client, SA: D4:9A:20:78:85:10; 2.4 GHz coverage]
To DS: 1 From DS: 1
Address #1: RA: 00:19:77:06:1D:90
Address #2: TA: 00:19:77:06:1D:95
Address #3: DA: 00:0A:E4:DA:92:F7
Address #4: SA: D4:9A:20:78:85:10

Bridge Link
[Figure: bridge link]

Sequence Control Field
• The Sequence Control field is a 16-bit field comprising two subfields and is used when 802.11 MSDUs are fragmented.
• The 802.11-2020 standard allows for fragmentation of frames. Fragmentation breaks an 802.11 frame into smaller pieces known as fragments, adds header information to each fragment, and transmits each fragment individually.

802.11 Frame Body
Not all 802.11 frames carry a body:
• Management frames carry a layer 2 payload in the frame body
– Another name for an 802.11 management frame is a management MAC protocol data unit (MMPDU).
– Management frames have a MAC header, a frame body, and a trailer; however, management frames do not carry any upper-layer information.
– There is no MSDU encapsulated in the MMPDU frame body, which carries only layer 2 information fields and information elements.
– Information fields are fixed-length mandatory fields in the body of a management frame.
– Information elements are variable in length and are optional. One example of an information element would be the RSN information element, which contains information about the type of authentication and encryption being used within a BSS.
– The payload in an MMPDU frame body is not encrypted.
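
The Frame Control subfields and the To DS/From DS address mapping from the slides above, worked through in Python as an added example that is not part of the handout. The frames are constructed from the handout's MAC addresses; the function names are hypothetical, and the Frame Control bit positions and the probe request subtype value 4 are taken from the 802.11 standard rather than from these notes.

```python
import struct
import zlib

AP, CLIENT = "00:19:77:06:1D:90", "D4:9A:20:78:85:10"      # addresses from the slides
SERVER, MESH_POINT = "00:0A:E4:DA:92:F7", "00:19:77:06:1D:95"

TYPES = {0: "management", 1: "control", 2: "data"}
# Frame Control bits 8-15, lowest bit first (positions per the 802.11 standard).
FLAG_BITS = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgmt",
             "more_data", "protected", "htc_order"]
# Meaning of Address 1..4 for each (To DS, From DS) pair, as given in the slides.
ROLES = {
    (0, 0): ["RA (DA)", "TA (SA)", "BSSID"],
    (0, 1): ["RA (DA)", "TA (BSSID)", "SA"],
    (1, 0): ["RA (BSSID)", "TA (SA)", "DA"],
    (1, 1): ["RA", "TA", "DA", "SA"],
}


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_frame(ftype, subtype, to_ds, from_ds, addrs, body=b"", retry=0):
    """Build a constructed test frame: MAC header + frame body + FCS trailer."""
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9) | (retry << 11)
    header = struct.pack("<HH", fc, 0) + b"".join(mac_bytes(a) for a in addrs[:3])
    header += struct.pack("<H", 0)                      # Sequence Control
    if to_ds and from_ds:
        header += mac_bytes(addrs[3])                   # Address 4: four-address format only
    fcs = zlib.crc32(header + body) & 0xFFFFFFFF        # CRC-32 over header and body
    return header + body + struct.pack("<I", fcs)


def parse_frame(raw):
    """Decode Frame Control, label each address by DS bits, and check the FCS."""
    if len(raw) < 28:                                   # 24-byte header + 4-byte FCS
        raise ValueError("frame too short for a management/data header")
    fc, duration = struct.unpack_from("<HH", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype not in (0, 2):
        raise ValueError("control frames use shorter headers; not handled here")
    flags = {name: (fc >> (8 + i)) & 1 for i, name in enumerate(FLAG_BITS)}
    ds = (flags["to_ds"], flags["from_ds"])
    offsets = [4, 10, 16]
    if ftype == 2 and ds == (1, 1):
        if len(raw) < 34:
            raise ValueError("four-address frame truncated")
        offsets.append(24)                              # Address 4 follows Sequence Control
    addresses = {role: mac_text(raw[o:o + 6]) for role, o in zip(ROLES[ds], offsets)}
    fcs_ok = struct.unpack("<I", raw[-4:])[0] == (zlib.crc32(raw[:-4]) & 0xFFFFFFFF)
    return {"version": fc & 0x3, "type": TYPES[ftype], "subtype": subtype,
            "flags": flags, "duration": duration, "addresses": addresses, "fcs_ok": fcs_ok}


# Constructed frames reproducing the four addressing cases in the slides.
SAMPLES = {
    "probe request": build_frame(0, 4, 0, 0, [AP, CLIENT, AP]),
    "downlink": build_frame(2, 0, 0, 1, [CLIENT, AP, SERVER], b"constructed payload"),
    "uplink": build_frame(2, 0, 1, 0, [AP, CLIENT, SERVER], b"constructed payload"),
    "mesh": build_frame(2, 0, 1, 1, [AP, MESH_POINT, SERVER, CLIENT], b"constructed payload"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        info = parse_frame(frame)
        print(f"{name}: {info['type']} subtype {info['subtype']}, FCS ok: {info['fcs_ok']}")
        for role, addr in info["addresses"].items():
            print(f"    {role:<11} {addr}")
```

Because the header fields parsed here are never encrypted and the FCS is an unkeyed CRC-32, a monitor sees these addresses and flags on every frame, and a passing FCS shows only that the frame arrived uncorrupted, not who sent it.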
802.11 Frame Body
Not all 802.11 frames carry a body:
• Control frames are used to clear the channel, acquire the channel, and provide unicast frame acknowledgments.
– They contain only header information and a trailer.
– Control frames do not have a frame body.
• Only 802.11 Data frames carry an upper-layer MSDU payload in the frame body.
– When encryption is used, the MSDU payload is protected.
– Please note that certain subtypes of data frames, such as the null function frame, do not have a frame body.

802.11 Trailer
[Figure: FCS calculated from MAC header and Frame body]
• The main purpose of the 802.11 trailer is to carry data integrity check information for the entire frame.
• Found in every 802.11 trailer is the frame check sequence (FCS), also known as the FCS field, which contains a 32-bit cyclic redundancy check (CRC) that is used to validate the integrity of received frames.

802.11 State Machine
• The 802.11-2020 standard defines four states of client connectivity.
• These four states are often referred to as the 802.11 state machine.
• 802.11 management frame communications are used between a client station and an AP as a client transitions between the four states towards established layer 2 connectivity.

Management Frames
14 management frame subtypes include:
1. Association request
2. Association response
3. Reassociation request
4. Reassociation response
5. Probe request
6. Probe response
7. Beacon
8. ATIM
9. Disassociation
10. Authentication
11. Deauthentication
12. Action
13. Action No ACK
14. Timing advertisement
• Within any BSS, a large percentage of the WLAN traffic consists of 802.11 management frames.
• Management frames are used by wireless stations to join and leave the basic service set (BSS).
• They are not necessary on wired networks, since physically connecting or disconnecting the network cable performs this function.
• Another name for an 802.11 management frame is management MAC protocol data unit (MMPDU).
Passive Scanning
• The beacon frame contains all the necessary information for a client station to learn about the parameters of the basic service set before joining the BSS.
• Beacons are transmitted at a targeted time of every 102.4 milliseconds, which means an AP transmits the beacon about 10 times per second.
[Figure: beacon timeline in seconds, one beacon every 0.1024 seconds from 0.0000 to 1.0240]

Active Scanning
• Discovering a WLAN by scanning all possible channels and listening to beacons is not an efficient method for a client to find all APs on all channels.
• To enhance this discovery process, client stations also use what is called active scanning.
• In active scanning, the client station transmits management frames known as probe requests.
[Figure: APs with SSIDs red, blue and green; null probe request; probe responses]
A probe request without SSID information is known as a null probe request.

Directed Probe Request
[Figure: APs with SSIDs blue, red and green; directed probe request for SSID blue; probe response from SSID blue]
A probe request with specific SSID information is known as a directed probe request.

Multiple Channels
[Figure: APs with SSID blue on channels 36, 40 and 44; directed probe requests for SSID blue; probe responses]
• A client will sequentially send probe requests on each of the supported channels.
• It is common for a client station that is already associated to an AP and transmitting data to go off-channel and continue to send probe requests every few seconds across other channels.
• The main purpose of off-channel probing is so that a client station can find other APs to potentially roam to.
• By continuing to actively scan and send probe requests across multiple channels, a client station can maintain and update a list of known APs.
[Figure: APs with SSID blue on channels 36, 40 and 44; directed probe requests for SSID blue; probe responses]

Joining the BSS – Authentication
• Open System authentication provides authentication without performing any type of client verification.
• It is essentially an exchange of hellos between the client and the AP.
• It is considered a null authentication because no exchange or verification of identity takes place between the devices.
• Open System authentication occurs with an exchange of frames between the client and the AP.
[Figure: Beacon, Probe request, Probe response, Authentication request, Authentication response, Association request, Association response, with State 1, State 2 and State 3 marked]

Joining the BSS – Association
• After the station has authenticated with the AP, the next step is for it to associate with the AP.
• When a client station associates, it becomes a member of a basic service set (BSS).
• Association means that the client station has established layer 2 connectivity with the AP and joined the BSS.
[Figure: Beacon, Probe request, Probe response, Authentication request, Authentication response, Association request, Association response, with State 1, State 2 and State 3 marked]

Basic and Supported Rates
• Specific data rates can be configured for any AP as required rates.
• The 802.11-2020 standard defines required rates as basic rates.
• Please understand that an AP will transmit all management frames at the lowest configured basic rate.
• Data frames can be transmitted at much higher supported data rates.
• In order for a client station to successfully associate with an AP, the station must be capable of communicating by using the configured basic rates that the AP requires.
• If the client station is not capable of communicating with all of the basic rates, the client station will not be able to associate with the AP and will not be allowed to join the BSS.
• In addition to the basic rates, the AP defines a set of supported rates.
(optional)
• This set of supported rates is advertised by the AP in the beacon frame and is also in some of the other management frames.
• The supported rates are data rates that the AP offers to a client station, but the client station does not have to support all of them.

Reassociation
• When a client station decides to roam to a new AP, it will send a reassociation request frame to the new AP.
• Reassociation frames are used by a client station to transition from an original BSS to a new BSS.
• A reassociation request frame is effectively a roaming request sent from a client station to a target AP.

Action Frame
• An action frame is a type of management frame used to trigger specific actions in a BSS.
• Action frames can be sent by access points or client stations. The action frame provides information and direction for what to do.
• Action frames were first introduced in 802.11h because the subtype for management frames had been exhausted.
• An action frame is sometimes referred to as a “management frame that can do anything.”
• A complete list of all the current action frames can be found in section 9.6 of the 802.11-2020 standard.
• One example of an action frame is neighbor report requests and responses that 802.11k-compliant radios can use.
• Client stations use neighbor report information to gain information from the associated AP about potential roaming neighbors.

Control Frames
12 control frame subtypes include:
1. Beamforming report poll
2. HT NDP announcement
3. Control frame extension
4. Control wrapper
5. Block ACK request (BAR)
6. Block ACK (BlockAck)
7. Power save-poll (PS-Poll)
8. Request-to-send (RTS)
9. Clear-to-send (CTS)
10. Acknowledgment (ACK)
11. Contention Free-End (CF-End)
12. CF-End + CF-ACK
• 802.11 control frames assist with the delivery of the data frames and are transmitted at one of the basic rates.
• Control frames are also used to clear the channel, acquire the channel, and provide unicast frame acknowledgments.
• As previously mentioned, control frames have only a MAC header and a trailer; they do not have a frame body.
• Information found in the MAC header is sufficient for accomplishing the tasks defined for 802.11 control frames.

ACK Frame
• The ACK frame is one of the 12 control frames and one of the key components of the 802.11 CSMA/CA medium access control method.
• Since 802.11 is a wireless medium that cannot guarantee successful data transmission, the only way for a station to know that a frame it transmitted was properly received is for the receiving station to notify the transmitting station.
• This notification is performed using an ACK.
[Figure: Transmitting radio sends a unicast frame; CRC passes; Receiver radio sends L2 ACK frame]
• Every unicast frame must be followed by an ACK frame.
• If for any reason the unicast frame is corrupted, the 32-bit CRC known as the frame check sequence (FCS) will fail and the receiving station will not send an ACK.
• If a unicast frame is not followed by an ACK, it is retransmitted.
• With a few rare exceptions, broadcast and multicast frames do not require acknowledgment.

Block ACK
• The 802.11e amendment introduced a Block acknowledgment (BA) mechanism that is now defined in the 802.11-2020 standard.
• A Block ACK improves channel efficiency by aggregating several acknowledgments into one single acknowledgment frame.
• Block ACKs were initially intended to be used with a “frame burst,” as shown in this slide. However, Block ACKs are more commonly used with A-MPDU frame aggregation. (Discussed in Chapter 10)

RTS/CTS Frame Exchange
• Request-to-send/clear-to-send (RTS/CTS) is a mechanism that performs a NAV distribution and helps prevent collisions from occurring.
• This NAV distribution reserves the medium prior to the transmission of the data frame.
RTS/CTS Duration Values
[Figure: RTS/CTS duration values]

Protection Mechanism: RTS/CTS
[Figure: 2.4 GHz; 802.11g AP, 802.11g client, 802.11b client]
• RTS (HR-DSSS): Duration = 400 µs
• CTS (HR-DSSS): Duration = 350 µs
• DATA (ERP-OFDM): Duration = 50 µs
• ACK (ERP-OFDM): Duration = 0 µs
• Stations that hear the RTS reset their NAV timer for 400 µs.
• Stations that hear the CTS reset their NAV timer for 350 µs.

Protection Mechanism: CTS-to-Self
[Figure: 2.4 GHz; 802.11g AP, 802.11g client, 802.11b client]
• CTS-to-self (HR-DSSS): Duration = 350 µs
• DATA (ERP-OFDM): Duration = 50 µs
• ACK (ERP-OFDM): Duration = 0 µs
• Stations that hear the CTS-to-self reset their NAV timer for 350 µs.

Data Frames
15 data frame subtypes include:
1. Data (simple data frame)
2. Null (no data)
3. QoS Data
4. QoS Null (no data)
5. Data + CF-ACK [PCF only]
6. Data + CF-Poll [PCF only]
7. Data + CF-ACK + CF-Poll [PCF only]
8. CF-ACK (no data) [PCF only]
9. CF-ACK + CF-Poll (no data) [PCF only]
10. CF-Poll (no data) [PCF only]
11. QoS Data + CF-ACK [HCCA only]
12. QoS Data + CF-Poll [HCCA only]
13. QoS Data + CF-ACK + CF-Poll [HCCA only]
14. QoS CF-Poll (no data) [HCCA only]
15. QoS CF-ACK + CF-Poll (no data) [HCCA only]
• Most 802.11 data frames carry the actual data that is passed down from the higher-layer protocols.
• The layer 3–7 MSDU payload is normally encrypted for data privacy reasons.
• However, some 802.11 data frames carry no MSDU payload at all but do have a specific MAC control purpose within a BSS.
• Any data frames that do not carry an MSDU payload are not encrypted, because a layer 3–7 data payload does not exist.
• There are a total of 15 data frame subtypes.
• The two most common data frames are the data subtype (usually referred to as the simple data frame) and the QoS data subtype.
• The difference between the two is that QoS data frames carry class of service information in the QoS Control field.
• Simple data frames are sometimes also referred to as non-QoS data frames.
• In reality, most of the 15 data frame subtypes do not really exist.
• In Chapter 8 of the textbook, you learned about two 802.11 medium access control methods: Point Coordination Function (PCF) and HCF Controlled Channel Access (HCCA).
• Both access methods define mechanisms where the AP controls the medium via polling.
• As of this writing, we do not know of any WLAN vendor that supports either PCF or HCCA.

QoS and Non-QoS Data Frames
• QoS mechanisms are a requirement for the Wi-Fi Multimedia (WMM) certification; this is strictly enforced by the Wi-Fi Alliance.
• Any 802.11 enterprise access point and most WLAN clients manufactured in the last 10 years support WMM QoS mechanisms by default.
• Therefore, each basic service set in most enterprise deployments is considered to be a quality of service basic service set (QBSS), and most modern-day radios are considered to be QoS stations.
• QoS stations are capable of transmitting both QoS data frames and non-QoS data frames.
Legacy Power Management
• For buffered unicast traffic on an AP, legacy power management uses the traffic indication map (TIM) in a beacon frame.
• Clients with buffered data will see their association identifier (AID) in the beacon frame.
• Clients can then use PS-Poll frames to request buffered data from the AP.

DTIM
• In addition to unicast traffic, network traffic includes multicast and broadcast traffic.
• Because multicast and broadcast traffic is directed to all stations, the BSS needs to provide a way to make sure that all stations are awake to receive these frames.
• A delivery traffic indication map (DTIM) is used to ensure that all stations using power management are awake when multicast or broadcast traffic is sent.

WMM-PS
• The main focus of the 802.11e amendment, which is now part of the 802.11-2020 standard, is quality of service.
• However, the IEEE 802.11e amendment also introduced an enhanced power-management method called automatic power save delivery (APSD).
• The Wi-Fi Alliance’s WMM-Power Save (WMM-PS) certification is based on U-APSD.
• WMM-PS uses a trigger mechanism to receive buffered unicast traffic based on WMM access categories.
• The client station sends a trigger frame related to a WMM access category to inform the AP that the client is awake and ready to download any frames that the AP may have buffered for that access category.

Questions

Home Work
1. Open your book and go through all the review questions at the end of the chapter.
2. Review the answers by using Appendix A.
