WIRELESS LOGIC (ENG)

📢IMPORTANT: True growth comes from questioning, not agreeing. I invite you to challenge my views in the comments. Let's learn from debate, not from echo chambers.

In a previous document, we saw how the wireless transmission works, so this time we need to go deep into the logic.

BASIC CONCEPTS

First, the IEEE defined the 802.11 standard, and several companies formed the Wi-Fi Alliance to develop devices compatible with it.

802.11 WLANs operate in half-duplex mode, meaning devices cannot transmit and listen simultaneously, nor can they do so when another device is using the channel. To avoid collisions, CSMA/CA (Collision Avoidance Mode) is used. This protocol checks if the medium is free; if it is, it waits a random amount of time and listens again; if it remains free, it transmits the data.

To establish these connections, we need a Basic Service Set (BSS). The BSS is a concept based on the 802.11 standard that includes, at its core, at least one access point and a client device connected to the access point.

This BSS needs a unique identifier to distinguish it from other BSSs. For this, we use the BSSID (Basic Service Set Identifier), which is the MAC address of the access point's (AP) radio.

This identifier is used for devices, but we also need another human-readable identifier to select the network we want to connect to. This is the Service Set Identifier (SSID), and it's the name of the wireless network we can select from our client device. We can configure multiple SSIDs on the same access point and link each SSID to a different VLAN. When a client connects to the SSID, the access point sends that client's traffic with an 802.1q tag to the distribution network. This means that the link between the access point and the wired network must be a backbone link.

The coverage area of the access point is called the Basic Service Area (BSA). This is the area that the radio waves from our access point can cover.

This is the wireless network we usually have at home, with an access point (usually included in the internet provider's router).

CONNECTING CLIENTS

Discover

Before attempting any connection, our client device needs to know which networks are available. This can be done in two ways:

• From the access point: The access point sends information about its characteristics to any device within the network's service area (BSA); this is called a beacon, and these frames are used to create the list of available networks near the client.

• From the client: The client device sends a signal, contacting the access point configured on it. This is called a “Probe Request”. If the access point is nearby, it responds with a “Probe Response”.

These frames send information about the BSS, such as BSSID, security, channel, SSID, etc. With this information, our devices can begin connecting to the APs.

Authentication

In this step, the device presents itself to the AP and requests open system authentication.

Open System Authentication is a method to enter the Access Point and start presenting the credentials. This is not a negotiation of credentials; it is only the permission to ingress to the AP, and in most modern wireless networks is only a formality.

Association

Following this, the device sends a partnership request, which is a list of its capabilities. The access point can accept and send its own capabilities. The lower-level capabilities are what define the connection.

At this point, the client is accepted at the access point and can initiate the four-way handshake to verify the password. This process varies depending on the password type, as we will see in a future document.

SCALING THE NETWORK

Now imagine what happens if we need to cover a large area, such as in a business. We would need more access points to reach all the spaces. If we use different SSIDs for each access point, our client device would have to negotiate the connection with each one as it crosses different zones, which could severely affect real-time connections, such as VoIP, streaming, etc. To solve this, we have an Extended Service Set (ESS) with an Extended Service Set Identifier (ESSID). This resolves the problem of sharing the SSID between access points. To know which access point it is connected to, the client device uses the BSSID.

ROAMING ON LAYER 2

The Extended Services Suite (ESS) requires a concept called roaming. In this case, it's Layer 2 roaming, which allows the client to connect to a nearby access point without interruption. Imagine you're walking down a large hallway; to cover this area, we might use two or three access points with the same SSID. In this scenario, if you're on a video call, you need a stable connection on the other side of the hallway; this is what roaming provides.

After this document, we will analyze client association in more detail, but to understand how roaming works, the device connects to the nearest AP, and when the device hears a stronger signal with the same SSID, it sends a re-association request, and if the AP approves it, the client connects to the new AP.

ROAMING ON LAYER 3

Roaming can also operate at Layer 3; it's more complex, but the function is the same: to keep the device connected.

How does it work? Imagine a campus with two buildings, each with its own network, but both sharing a central management system for their wireless devices (a wireless LAN controller). To maintain wireless network consistency between the buildings, we have the same SSID, called "MY_NETWORK," but in Building 1, the SSID is linked to VLAN 10, and in Building 2, to VLAN 20. This presents a problem because, although Layer 2 roaming allows the device to remain connected, its IP address doesn't match the VLAN of Building 2's network.

If the device had to renegotiate its IP address, this could cause service interruptions due to DHCP negotiation. To avoid this, the central administrator uses a concept called "Mobility Anchor."

The WLC is set as the device session anchor point with the IP address of VLAN 10. When the device attempts to connect to AP2, it sends traffic to the WLC, which identifies the device's IP address and creates a tunnel to send the traffic to VLAN 10. This way, even if the device is connected to AP2, it will have an IP address in VLAN 10.

FAST ROAMING

Before discussing roaming, it's worth mentioning that it allows you to connect to an ESS (Electrical Service Provider) without service interruptions. However, this can sometimes be complicated, so to optimize it, we have special standards called Fast Roaming.

• Special Standards
• 802.11k → Radio Resource Measurement: In classic roaming, your device must search for other access points (APs). This standard informs the client device about nearby APs, making roaming more efficient.
• 802.11v → BSS Transition Management: This standard recommends that the client device connect to AP2, which offers a good signal, indicating: "You are too far away."
• 802.11r → Fast BSS Transition: In classic roaming, the client must complete the four-way handshake to reconnect to another AP. This standard pre-calculates security keys, and when the device sends a reassociation request, AP2 includes the security information in the response, significantly improving roaming and enabling this transition in less than 50 ms.

For an optimal experience, it is recommended that the devices (AP and client) support all three standards.

WIRELESS ARCHITECTURES

There are two main topologies for wireless networks: Standalone and Split-MAC.

Each architecture has different operating modes; a table summarizing them is shown below.

• Autonomous Architecture: This topology is characterized by the use of Autonomous Access Points (AAPs), meaning that each AP must be configured individually. It is typically used in small networks that do not require many APs, such as SOHO networks.

• Split-MAC Architecture:

This topology is divided into three subcategories. Before going into detail, it's necessary to understand a device (and a concept) called a WLC (Wireless LAN Controller) and another called a LAP (Lightweight Access Point).

LAPs are access points without management capabilities, which can only be configured from a WLC.

The main function of the WLC is to manage the LAPs, allowing us to connect to all the LAPs on our network and modify their configuration. WLCs have a graphical user interface (GUI) that provides information about our LAPs and the clients connected to them. It functions as a control center for all our wireless networks. Let's now look at the three subcategories.

• Centralized Local Topology: This topology uses the WLC as the core of the wireless network, managing all the LAPs on our network from this device.

This topology uses CAPWAP tunnels to manage the LAPs. It is similar to a VPN between the WLC and the LAP, and has two tunnel usage modes: Flexconnect Mode and Centralized Mode.

• Cloud-managed topology: In this case, centralized cloud software allows for the management of devices from multiple locations, such as Cisco Meraki. This topology does not send data traffic to the cloud; access points (APs) send it directly to the wired network. The AP is specific to Meraki. Other manufacturers offer their own versions of cloud-managed wireless networks.

• Converged Access Topology: If you have multiple buildings, such as a campus, using a wireless LAN controller (WLC) can be problematic, and cloud management can be expensive. In these cases, we can use an integrated WLC. This is an access switch with WLC functionalities, which reduces costs and simplifies the network.

• Ad-Hoc Topology: Another less common topology is the ad hoc topology (IBSS, Independent Basic Service Set). This involves a connection between client devices; in this mode, both clients act as peers and do not require an access point.

LAP CONNECTION TO WLC

When we connect a LAP to our network for the first time, it must establish a connection with its wireless LAN controller (WLC). To do this, the LAP uses several methods:

• Broadcast: The LAP sends a broadcast request: "Is there a WLC on this network?". If the WLC is on the same broadcast domain, it sends a response.
• Memory: If the access point (AP) was previously connected to a network, it queries its memory to find the IP address of a previously connected WLC.
• DHCP Option 43: This is the preferred method for new devices. The LAP requests an IP address from the DHCP server and makes an "Option 43" request. If our DHCP server is configured, it assigns an IP address to the LAP and responds to the Option 43 request with the WLC's IP address.
• DNS: If Option 43 doesn't work, the device requests the IP address of "CISCO-CAPWAP-CONTROLLER.domain.local" from the DNS server. If the DNS can resolve the request, it responds with the WLC's IP address.
• Broadcast: If something fails, the LAP sends a broadcast request: "Is there a WLC on this network?" If the WLC is in the same broadcast domain, it sends a response.
• If something fails, the AP restarts and repeats the process.

After discovering the WLC, the LAP must establish the CAPWAP tunnel to secure the connection.

• DTLS Negotiation
• The LAP initiates a DTLS (Datagram Transport Layer Security) handshake with the WLC. This creates a secure connection similar to SSL/TLS, but for UDP.
• The AP and WLC share their certificates to prove their authenticity and prevent rogue APs or WLCs.
• CAPWAP Join Request
• The WLC receives the request, verifies if the LAP is authorized to join and if it is compatible.
• If everything is correct, the WLC sends a CAPWAP join response. With this response, the WLC sends the complete configuration to the LAP.
• Final Connection
• The AP receives the configuration, applies it, and confirms it to the WLC.
• The DTLS tunnel is transformed into a CAPWAP tunnel and is ready to send management and data traffic

💡The CAPWAP tunnel uses UDP port 5246 for management traffic and UDP port 5247 for data traffic.

All these topologies can also have different connection modes; here are some of those:

Autonomous Architecture Modes

• Access point: The access point operates autonomously and only sends data traffic to the network.

• Bridge: Used to create point-to-point (PtP) or point-to-multipoint (PtMP) connections, such as between two locations to join two wired networks.

• WGB/uWGB: The WorkGroup Bridge is used to connect wired devices using a wireless device (the Universal WorkGroup Bridge is used to connect access points from different providers).

• Repeater: The access point mode that connects to the main access point in bridge mode. This mode reduces speed by 50% because it operates in half-duplex, so it cannot transmit while listening.

• Rogue Detector: Detects Rogue APs in the area

Split MAC Architecture Modes (CLOUD-BASED)

• Access Point: The access point sends only management traffic to the cloud system, using a tunnel such as a VPN (this may vary depending on the provider).

• Bridge/Mesh: This is used to create connections with other access points and extend the range of our wireless network. We need to define a gateway access point and repeaters. The gateway sends all management traffic from the repeaters to the cloud and data traffic to the network.

• WGB/uWGB: This mode is used to connect endpoints via a wired connection and functions as a bridge.

• Repeater: This is the mode we use on the "client" side of the bridge.

• Rogue Detector (Air Marshall): Detects Rogue APs in the area

Split MAC Architecture Modes (WLC)

• Local: The access point sends all traffic to the wireless LAN controller (WLC) through a CAPWAP tunnel, and the WLC sends the data to the network.

• FlexConnect: In this mode, the access point (AP) sends only management traffic to the wireless LAN controller (WLC) and data directly to the distribution network. This configuration is especially useful when the WLC is in a different location, which could cause connectivity problems if the local access point (LAP) loses its connection to the WLC. With FlexConnect, even if the connection to the WLC is lost, clients can still connect to the internet because their data traffic does not pass through the WLC.

• Bridge/Mesh Mode: This mode is used to create connections with other access points (APs) and extend the range of your wireless network. It requires configuring a root access point (RAP) and mesh access points (MAPs). This mode functions similarly to Flex-Connect and only sends management traffic to the wireless LAN controller (WLC).

• Flex+Bridge: This mode is typically used when the RAP is located elsewhere. It functions exactly like bridge/mesh mode, sending management traffic to the WLC.

• Monitor: This mode is used to analyze environmental signals. The LAP sends data to the WLC, which can then configure the other LAPs to their optimal frequencies based on this data. This mode also allows for the detection of unauthorized access points.

• Sniffer: In this mode, the LAP can read all available 802.11 packets and send them to a network analyzer.

• Rogue Detector: Detect Rogue APs in the area

• SE-Connect: Analyze the RF Spectrum to find interferences

WIRELESS CAPABILITIES

The 802.11 standard is not a fixed rule; it evolves over time, adapting to new technologies, and, of course, this evolution leads to changes in the standard's name. These evolutions are defined by different acronyms. We can divide them into two categories based on their characteristics: Legacy and Modern.

Legacy

• 802.11 → This is the original standard, the starting point for wireless networks, with speeds between 1 and 2 Mbps.
• 802.11b → Up to 11 Mbps, using the 2.4 GHz band and DSSS for data distribution across the network. It is known as Wi-Fi 1 and popularized wireless networks.
• 802.11a → This is the enterprise standard, released simultaneously with 802.11b. It uses the 5 GHz band, reaches up to 54 Mbps, and was the first to use OFDM. Called Wi-Fi 2
• 802.11g → This standard is called Wi-Fi 3, with a 2.4 GHz band, speeds up to 54 Mbps, and incorporates OFDM in the 2.4 GHz band. This makes Wi-Fi an excellent option for most users.

Modern

• 802.11n → Wi-Fi 4, the first dual-band standard, uses the 2.4 and 5 GHz bands, with a theoretical speed of 600 Mbps and includes MIMO and Channel Bonding up to 40 MHz (which explains its significant speed increase).
• 802.11ac → Wi-Fi 5, using only the 5 GHz band, with a theoretical speed of 1.3 to 3.5 Gbps and 80 and 160 MHz channel bonding. Dense 256-QAM modulation and MU-MIMO (download).
• 802.11ax → Wi-Fi 6, dual-band 2.4 and 5 GHz, 1024-QAM, MU-MIMO (upload and download), and the star feature of this standard: OFDMA.
• 802.11ax → Wi-Fi 6 Extended, the same as Wi-Fi 6 but operating on the 6 GHz band.
• 802.11be → Wi-Fi 7, the most recent standard, tri-band 2.4, 5, and 6 GHz. 320 MHz channel aggregation, 4096-QAM, and The most outstanding feature of this standard: MLO (Multi-Link Operation), which allows our device to connect to the 5 and 6 GHz bands simultaneously and combine both speeds.