Wireless Design steps (CWDP) overview

Wireless design steps (High-level)

First, the problems that come from not designing a wireless network properly:

  • Insufficient wireless coverage: without sufficient coverage, dead spots (no signal) and low data rates occur (users take longer to do what they need the wireless network for)
  • Insufficient capacity: the wireless network is not designed around the clients it must support (iPads, laptops, smartphones) and their TCP/IP throughput requirements
    • With sufficient coverage and insufficient capacity the WLAN still fails.
  • No scalability
  • Lack of required functionality: focusing only on the RF and missing the capabilities needed on the network, such as the required configuration on the Cisco wireless LAN controller

Problem with cookie cutter designs

  • Increase hardware cost
  • Poor performance


The wireless design process is similar to most methodologies.

  • Define
    • Requirements analysis
    • Understand solution and customer needs
    • In-depth knowledge of WLAN technology
    • In-depth knowledge of wired LAN technology
    • Information gathering
    • Pre-site survey checklists
  • Design
    • Wireless site surveys and the design of the WLAN
    • Determine AP locations
    • Wired-infrastructure services, power provisioning, AP settings, controller settings, QoS, etc.
    • BoM
  • Implement
    • Configure and install
    • Configure infrastructure
    • DNS, DHCP etc.
    • Provision power and network access
    • Configure and install APs
  • Validate
    • Ensure that the WLAN meets the requirements from the Define phase. Many deployments implement some form of automatic channel management to help with issues such as AP power and channel management; this is not a replacement for a validation survey.
    • The validation process is basically an active site survey performed after the installation. The following should be verified:
      • Coverage: ensures that a sufficient signal is available in all required areas
      • Capacity: ensures that the WLAN can provide the needed throughput defined in the requirements, channel and AP power requirements
      • Capabilities: include features like fast secure roaming, guest registration, onboarding, security etc.

The Validate phase is critical, as we can make adjustments to channels to reduce potential interference issues and adjust the power requirements of APs.



CWDP Certified Wireless Design Professional Official Study Guide. Certitrek Publishing. Kindle Edition.


CWNP (CWAP, CWSP, & CWDP) Certifications worth it

Is it worth undertaking the time and effort to achieve any of the CWNP Professional certifications such as CWAP, CWSP and CWDP?

YES it is, without a doubt worth it.

After I completed my CWNA, I was wondering what certification track to embark on next. I was looking into CCNP Wireless, as I already hold a CCNA Wireless and the company I work for is a Cisco shop.

However, I decided to embark on the CWDP certification, as I was currently doing a great deal of wireless site surveys and designs. I was also very lucky to have the opportunity to work on a project with a 2x CCIE and CWNE, which motivated me not only to study for my CWDP but also to achieve the other 2 certifications and go for my CWNE, as he offered to endorse me (part of the application process to become a CWNE requires 3 endorsements, one of which is highly recommended to be from a current CWNE). After 7 months of study I passed all 3 CWNP exams first time, with an 85% pass on all of them.

The order in which I completed the exams was CWDP, CWAP and CWSP. This is not the most recommended way to complete the exams, but it suited my strengths and interests, which is what I suggest.

The study timeline is as follows:

  • CWDP: just under 2 months
  • CWAP: just over 3 months
  • CWSP: just over 2 months

I spent on average 2-3hrs a day studying for these exams, while juggling university studies, family and work life.

My average Monday to Friday consisted of the following while studying:

  • 3:50am wake up (caffeine, lots of it)
  • 4:00am CWNP study
  • 5:00am exercise
  • 5:45am family/work routine
  • 7:00am study CWNP on train, 50mins
  • 12:00pm lunch, study CWNP 15mins
  • 4:30pm study on train, 50mins
  • 7:30pm study on CWNP and uni
  • 9:30pm bed


  • 5:00am wake up (caffeine, lots of it)
  • 5:15am CWNP study
  • 8am-6:30pm family time / go to the gym for 1hr
  • 7pm uni study
  • 9:30pm bed

When I had university assignments and exams coming up my daily routine was different as well; life, work and kids always make things interesting, but the above is the average.

The CWNP study guides are excellent and some of the best I have read. The exams are straightforward, and if you know the material the questions won't trip you up like some exams.

I actually found the CWSP exam the hardest out of all of them. Most say they find the CWAP the hardest, but for me it was not the case.

I can honestly say I really enjoyed studying for the CWNP certifications, as there is nothing worse than having to read something you couldn't give a rat's ass about.

The knowledge and skills I learnt from this have greatly assisted me with every aspect of my job as a wireless network engineer and I recommend the certifications to anyone.

Now that I have completed the CWNP track I will be applying for my CWNE, which deserves a blog post of its own.

Wireless QoS

QoS for wireless networks is based on the 802.11e (QoS) amendment, which is part of the 802.11-2012 standard. It implements a layer 2 QoS solution for the wireless link. It is the responsibility of the wired devices (APs or controllers) to convert the 802.11e markings to 802.1p and/or DSCP markings for communications on the wired side.

802.11e defines two access methods for QoS frames: enhanced distributed channel access (EDCA) and HCF controlled channel access (HCCA). As of today HCCA is not used.

EDCA defines four access categories, based on the eight user priorities that are mapped to CoS values for the wired side.

The four access categories from lowest priority to highest priority are:

  • AC_BK (Background),
  • AC_BE (Best Effort),
  • AC_VI (Video), and
  • AC_VO (Voice).

Frames with the highest-priority access category have the lowest backoff (timer) values and therefore are more likely to get a transmit opportunity.

Now EDCA does not provide guaranteed access to the wireless medium but provides probabilistic prioritisation (frames should be prioritised for delivery but still contend for the medium). The reason for this is that 802.11 wireless is a half-duplex medium: before a device can transmit it must check whether the medium is busy or in use. All wireless stations (devices), including APs, must contend for the wireless medium. 802.11 uses CSMA/CA (collision avoidance), a set of mechanisms and values used to decrease the chance that two stations will try to transmit at the same time. Once a station has determined that the medium is available, it is able to transmit; if the medium is busy or a collision occurs it resets its timers and starts the contention process again. So regardless of priority, a frame cannot always gain access to the medium before a lower-priority frame.

Where we can get really unstuck is that wireless is an unlicensed, uncontrolled medium, so the above issue can become a real problem in a high-density environment (multiple devices and 802.11 networks). Correct wireless design and regular monitoring are therefore critical.

Please note that certain vendors do implement their own proprietary QoS settings, but the contention process is still the same.


Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.


Configuring CISCO DHCP Option 60 & 43 for Cisco Lightweight AP’s

How to configure Cisco DHCP Option 60 & 43

Setup for this lab is as listed below

  • Windows 2008 R2 server running a DHCP server
  • AP Management DHCP scope is /24
  • WLC resides with an IP address


  • WLC is configured
  • Console connection to LAP
  • LAP is able to ping WLC
  • DHCP server is configured with AP Management IP address scope
  • LAP has received IP address from DHCP server





Wireshark 802.11 Frame

The Frame Control field

Frame Control field: identifies the frame type (management, control or data) and the subtype (for example RTS or CTS).

The protocol "version" is set to 00 unless an incompatible version is released; these bits can be used for notifications.

DS Status:

More Fragments:

The More Fragments subfield is used to indicate whether the current frame is part of a fragmented frame or not. When the bit is set to 1, fragmentation is being used.

Fragmentation occurs based on the fragmentation threshold setting in the AP or client device. It is used to increase the probability that a transmitted frame will be received.

Retry: The Retry field is useful in tracking frame transmission errors. If a frame is transmitted and no ACK frame is returned, the transmitting STA will resend the frame using the contention process. If the Retry field is set to 1, the frame has been retransmitted.

The Power Management field is a 1-bit field indicating whether power management is used by the STA. The value of this field determines the mode in which the STA will operate after the completion of the frame transmission.

On an AP it is always set to 0, as an AP does not enter power save mode.

It is also set to 0 in management frames that cannot be buffered and in frames sent to an AP by a STA before it is associated. All other frames may use the bit, set to 1, to indicate the intention to enter power save mode so that the AP knows to buffer frames for that STA until it wakes.


The More Data field is used by the AP (or another STA in an IBSS) to indicate that more frames are buffered for that STA, so that it will not enter sleep mode.

When set to 1 it indicates that the AP or STA is holding more frames for the STA to which the current frame is targeted.

When a STA sends a frame to the AP and that frame includes the More Data ACK subfield of the QoS capability element set to 1, and the AP has frames buffered for the STA with Automatic Power Save Delivery (APSD) enabled, the AP will set the More Data field to 1 in the ACK frame that it sends back to that STA so that the STA knows the AP has frames buffered for it.

The Protected Frame field, which replaces the older WEP field, indicates that the MSDU in the frame is encrypted if it is set to 1. When set to 0, no encryption is used at the 802.11 MAC sublayer.

The Order field is used for two purposes:

  • It is set to 1 in a non-QoS data frame to indicate that it contains an MSDU.
  • It is set to 1 in a QoS data or management frame to indicate that the frame contains an HT Control field. This allows processing by HT devices that are aware of the decoding of the HT Control field.

The Duration/ID field is used for two purposes.

  • It may contain the duration of the frame.
  • It may contain the association identifier (AID) of the STA that transmitted the frame.

When a PS-Poll frame is transmitted by a STA, the Duration/ID field contains the AID of the STA so that the AP knows that it is awake and can send buffered frames.

In both non-QoS and QoS data frames, it contains the duration of the frame.

In control frames it contains the duration of the frame exchange. When containing the duration, it is used to set the NAV timer for the CSMA/CA operations.


Address 1, 2, 3, and 4

The 802.11 general frame format specifies four address fields.

Receiver address: always the immediate recipient of the frame.

Destination address: the ultimate target of the frame.

Source address: always the original source of the frame.

Transmitter address: the address of the STA that transmitted the frame onto the medium.


The 16-bit Sequence Control field is used with fragmentation and for the removal of duplicate frames should they occur. It is divided into a 4-bit fragment number and a 12-bit sequence number. When an MSDU is fragmented, all fragments have the same sequence number and the fragment number is incremented by 1 (starting at 0) for each frame until all fragments are delivered. The sequence number starts at 0 and is incremented for each new frame, or set of frames with fragmentation, until it reaches 4095, at which point it simply resets to 0 and begins again. The primary use of this field in analysis is the detection of fragmented frames and the analysis of in-sequence or out-of-sequence frame delivery.


The QoS Control field is a 16-bit field that identifies the category to which the frame belongs for queuing purposes.

The most important factor in this field for most analysis is the user priority (UP) information for the frame. In the standard, this is referenced as the traffic identifier (TID) subfield. Given that EDCA is implemented in QoS WLANs based on the Wi-Fi Multimedia (WMM) certification by the Wi-Fi Alliance, bits 0-3 in the QoS Control field are mapped with possible values from 0 to 7. The table below lists the mapping of WMM access categories (ACs) to 802.1D tags.
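The header fields walked through above, decoded from raw bytes in an added example that is not part of the original post or the study guide. The function name and the three sample frames are constructed for illustration; `type_subtype` is computed the way the Wireshark `wlan.fc.type_subtype` filter value is (type in the upper bits, subtype in the lower four), and the UP-to-AC table is the standard WMM mapping.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
# Second Frame Control byte, bit 0 upwards
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order")
# WMM mapping of user priority (low three TID bits) to access category
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}
PS_POLL = 10                    # control subtype whose Duration/ID carries the AID
CONTROL_WITH_TA = {8, 9, 10, 11}  # BlockAckReq, BlockAck, PS-Poll, RTS


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame):
    """Decode an 802.11 MAC header (no radiotap header; FCS is not checked)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 header")
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    hdr = {
        "version": fc & 0x3,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,
        "flags": {name for bit, name in enumerate(FLAGS) if (fc >> (8 + bit)) & 1},
        "addr1": _mac(frame[4:10]),          # receiver address
    }
    if ftype == 1:                            # control frames have short headers
        if subtype == PS_POLL:
            hdr["aid"] = dur_id & 0x3FFF     # two top bits are set to 1 in a PS-Poll
        else:
            hdr["duration_us"] = dur_id
        if subtype in CONTROL_WITH_TA and len(frame) >= 16:
            hdr["addr2"] = _mac(frame[10:16])
        return hdr
    if len(frame) < 24:
        raise ValueError("truncated management/data header")
    hdr["duration_us"] = dur_id
    hdr["addr2"], hdr["addr3"] = _mac(frame[10:16]), _mac(frame[16:22])
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    hdr["fragment"], hdr["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    offset = 24
    if ftype == 2 and {"to_ds", "from_ds"}.issubset(hdr["flags"]):
        if len(frame) < offset + 6:
            raise ValueError("truncated Address 4")
        hdr["addr4"] = _mac(frame[offset:offset + 6])
        offset += 6
    if ftype == 2 and subtype & 0x8:          # QoS data subtypes carry QoS Control
        if len(frame) < offset + 2:
            raise ValueError("truncated QoS Control field")
        (qos,) = struct.unpack_from("<H", frame, offset)
        hdr["tid"] = qos & 0xF
        hdr["access_category"] = UP_TO_AC[qos & 0x7]
    return hdr


# Constructed sample headers (locally administered MAC addresses).
AP = bytes.fromhex("020000aabb01")
STA = bytes.fromhex("020000ccdd02")
BEACON = bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + bytes.fromhex("3012")
QOS_DATA = (bytes.fromhex("88492c00") + AP + STA + AP
            + bytes.fromhex("f2ff") + bytes.fromhex("0600"))
PS_POLL_FRAME = bytes.fromhex("a41005c0") + AP + STA

if __name__ == "__main__":
    for sample in (BEACON, QOS_DATA, PS_POLL_FRAME):
        print(parse_mac_header(sample))
```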



WMM operates based on queues created for the various ACs. For example, a STA will have a queue for AC_VO, another for AC_VI, and so on. The highest-priority queue gets to take advantage of a transmit opportunity (TxOP) before the lower-priority queues.


The key to understanding the probabilistic priorities provided by WMM is the contention window (CW). Without WMM (or EDCA), the CW has a minimum value (aCWmin) of 0 and a maximum value (aCWmax) of 1023. This changes with WMM. The table below lists the default EDCA or WMM CW parameters.

The above table makes it clear that random selection of a backoff timer from the CW will be a higher value more often than not for AC_BE and AC_BK frames than for AC_VO and AC_VI frames.
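An added simulation, not from the original post or the study guide, of how per-AC contention windows give probabilistic rather than guaranteed priority. The AIFSN/CWmin/CWmax values are the commonly published WMM client defaults for an OFDM PHY and are an assumption here, as is modelling each AC as one always-busy station contending with the other three.

```python
import random

# Assumed defaults per access category: (AIFSN, CWmin, CWmax), in slot times.
EDCA = {
    "AC_VO": (2, 3, 7),
    "AC_VI": (2, 7, 15),
    "AC_BE": (3, 15, 1023),
    "AC_BK": (7, 15, 1023),
}


def simulate(rounds=20000, seed=1):
    """Return (wins per AC, collision count) over `rounds` medium accesses."""
    rng = random.Random(seed)
    cw = {ac: params[1] for ac, params in EDCA.items()}
    backoff = {ac: rng.randint(0, cw[ac]) for ac in EDCA}
    wins = dict.fromkeys(EDCA, 0)
    collisions = 0
    for _ in range(rounds):
        # Each AC may transmit once its AIFS plus its remaining backoff has elapsed.
        ready = {ac: EDCA[ac][0] + backoff[ac] for ac in EDCA}
        t = min(ready.values())
        senders = [ac for ac in EDCA if ready[ac] == t]
        for ac in EDCA:
            if ac not in senders:
                # Losers keep their residual backoff: they only counted down
                # the idle slots that came after their own AIFS.
                backoff[ac] -= max(0, t - EDCA[ac][0])
        if len(senders) == 1:
            wins[senders[0]] += 1
            cw[senders[0]] = EDCA[senders[0]][1]          # success: back to CWmin
        else:
            collisions += 1
            for ac in senders:                             # collision: double the CW
                cw[ac] = min(2 * (cw[ac] + 1) - 1, EDCA[ac][2])
        for ac in senders:
            backoff[ac] = rng.randint(0, cw[ac])
    return wins, collisions


if __name__ == "__main__":
    wins, collisions = simulate()
    total = sum(wins.values()) + collisions
    for ac, count in wins.items():
        print(f"{ac}: {count / total:.1%} of medium accesses")
    print(f"collisions: {collisions / total:.1%}")
```

Voice takes the largest share, but video and best effort still win accesses while voice has frames queued, which is the "prioritised but not guaranteed" behaviour described above.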

HT Control

The HT Control field is used to specify various parameters related to HT and VHT operations.


There is an HT variant and a VHT variant of the HT Control field. The table below shows the HT Control field in the 802.11-2012 standard, before 802.11ac was ratified.

Figure 3.13 shows the Link Adaptation Control subfield details from 802.11-2012.

Note that in the above figure, bit 0 is reserved. That is, of the 16 bits in the Link Adaptation Control field, only 15 are used and the first bit is reserved.

The figure below shows the HT Control field in 802.11ac. The format seems to have changed entirely from figure 3.12; however, it has not changed nearly as much as it appears. The VHT subfield simply uses the reserved bit 0 from the Link Adaptation Control subfield as it existed in 802.11-2012 to determine the format of the next 29 bits (now the HT Control Middle subfield) in the HT Control field.

From these images, you can see that the VHT subfield now determines whether the HT Control Middle bits are formatted for HT communications (VHT=0) or VHT communications (VHT=1). This VHT subfield was simply a reserved field in previous editions of the 802.11 standard.

The HT Control field is used for communications related to antenna selection and beamforming.

Frame Body

Contains the actual MSDU payload to be transmitted. It incurs overhead if encryption is used and may include extra information in a mesh BSS. When a Mesh Control field is included in the frame body, it is encrypted as part of the data.

TKIP/RC4 incurs 20 bytes of overhead and CCMP/AES incurs 16 bytes of overhead.


The final field is the frame check sequence (FCS) field, which is a 4-byte (32-bit) field. It is calculated against the MAC header and frame body and is used to detect errors in communication.


Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.

Wireshark 802.11 Management frames

Management frames: are those used to manage access to the WLAN, announce information about it and perform certain actions. The following Wireshark captures show and explain the types of management frames used:


Beacon: is a management frame (0) subtype (8) used by the AP to announce information about the BSS.

Beacon frames by default are transmitted by the AP every 100 time units (TUs), or at the same interval by STAs in an IBSS. A TU is 1024 microseconds, so the default interval is 102.4 milliseconds (ms). Beacon intervals can be adjusted, but lengthening them does very little, with the exception of networks with a high SSID count. Beacon frames contain a great deal of information.

Beacon frames serve many purpose including

  • Announce the existence of a BSS
  • Provide information required by client STAs to determine their ability to connect to the BSS
  • Provide power management information related to buffered frames
  • Indicate the security required to participate in the BSS
  • Provide signal strength information to client STAs to select the best APs for connections
  • Quickly identify the existing APs and the SSIDs they serve using a Wi-Fi scanner or protocol analyser


The following Wireshark display filters are used for filtering beacon frames:

To filter on beacon frames: wlan.fc.type_subtype==0x08

To filter out beacon frames: wlan.fc.type_subtype!=0x08

Beacon frame timing: beacons are sent at a target beacon transmission time (TBTT). They are configured by default to be transmitted every 100 TUs. At times the beacon frame cannot be sent every 100 TUs due to other frames that are on the WM, but it will be sent as soon as possible after 100 TUs.

Beacon frames must contend for the WM like other frames.

Probe request and probe response frames

Probe request: is a management frame (0) subtype (4) used by the client to locate a BSS, based on an SSID, to which it may connect.

Probe response: is a management frame (0) subtype (5) used by the AP to respond to a client probe request.

Probe request and probe response frames are used for active scanning. The STA sends a probe request and the AP responds with a probe response. If a STA sends a probe request with a broadcast SSID, all APs on the channel respond with a probe response. This allows a STA to immediately request a listing of all APs available without waiting for beacon frames.

To filter on probe request and probe response frames: wlan.fc.type_subtype==0x4 or wlan.fc.type_subtype==0x5

To filter out probe request and probe response frames: wlan.fc.type_subtype!=0x4 and wlan.fc.type_subtype!=0x5


Association Request and Association Response

Association request: is a management frame (0) subtype (0) used to associate with an AP and begin communication through it.

Association response: is a management frame (0) subtype (1).

Disassociation: is a management frame (0) subtype (10) used to remove an association from an AP.

Association and disassociation frames: the association request and response process is a simple four-frame exchange (authentication request, ACK, authentication response, ACK) used to enter the authenticated and associated state with the AP. After achieving this state, the STA may either use the network (open system authentication with no added security) or begin the 802.1X/EAP authentication process if it is used on the WLAN.

The disassociation frame is used to change from the authenticated and associated state to the authenticated, not associated state. Disassociation frames are very simple. They contain a reason for disassociation, vendor-specific information, and an integrity check when management frame protection is in use. The deauthentication frame is similar and uses the same basic structure. These two frames are in the management category and are both considered announcement frames. The concept of an announcement or notification frame is that the receiver cannot reject the request (unless management frame protection is enabled and the security checks fail). The receiver simply processes the request and either disassociates or deauthenticates the STA.

To filter on association request and association response frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x0 or wlan.fc.type_subtype == 0x1

To filter out association request and association response frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x0 and wlan.fc.type_subtype != 0x1

Reassociation Request and Response frames

Reassociation request: is a management frame (0) subtype (2).

Reassociation response: is a management frame (0) subtype (3).

Reassociation request and response frames are used to roam to another AP within the extended service set (ESS) or to reconnect to an AP from which the STA has briefly disconnected; the AP must still contain authentication information about the STA. The reassociation request frame is an acknowledged frame and works in concert with the reassociation response frame, which simply allows the association or disallows it.

The reassociation response frame will also include an association ID (AID) for the STA and a status code indicating a reassociation success or failure, and includes additional optional fields that are referenced in IEEE 802.11-2012.

To filter on reassociation request and reassociation response frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x2 or wlan.fc.type_subtype == 0x3

To filter out reassociation request and reassociation response frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x2 and wlan.fc.type_subtype != 0x3

Authentication and deauthentication frames:

Authentication: is a management frame (0) subtype (11) used to authenticate to an AP to prepare for association or roaming.

Deauthentication: is a management frame (0) subtype (12) used to remove the AID and deauthenticate with the AP.

Authentication and deauthentication frames: authentication frames are used to enter the authenticated state with an AP. One frame is sent from the STA to the AP and another is sent back from the AP to the STA.

Deauthentication frames are used to end the authenticated state with the AP. They can be sent in either direction to remove the authentication state. If a deauthentication (deauth) frame is transmitted, it removes the STA from the associated state, as a STA cannot be associated if it is not authenticated.

To filter on authentication frames: wlan.fc.type_subtype==0xb

To filter out authentication frames: wlan.fc.type_subtype!=0xb

802.11w introduced management frame protection, which protects deauth frames as well as disassociation, QoS action and radio measurement action frames. This protection is the same as that for data frames in that the Frame
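Because a receiver without management frame protection simply acts on disassociation and deauthentication frames, a capture review usually starts by looking for bursts of unprotected ones. This is an added monitoring example, not from the original post: the rows are constructed, laid out as tab-separated tshark field output (`frame.time_relative`, `wlan.fc.type_subtype`, `wlan.ta`, `wlan.ra`, `wlan.fc.protected`), and the function name, window and threshold are assumptions to tune per site.

```python
from collections import defaultdict, deque

DISASSOC, DEAUTH = 0x0A, 0x0C   # wlan.fc.type_subtype for subtypes 10 and 12

# Constructed addresses (locally administered) for the sample rows below.
AP1, AP2, STA = "02:00:00:aa:bb:01", "02:00:00:aa:bb:09", "02:00:00:cc:dd:02"
BCAST = "ff:ff:ff:ff:ff:ff"


def _row(ts, type_subtype, ta, ra, protected):
    return f"{ts:.3f}\t{type_subtype:#06x}\t{ta}\t{ra}\t{protected}"


# Constructed sample: a beacon, one client leaving normally, six unprotected
# deauths to broadcast within 0.25 s, and five protected disassociations.
SAMPLE = (
    [_row(0.1, 0x08, AP1, BCAST, 0), _row(1.2, DEAUTH, STA, AP1, 0)]
    + [_row(5.0 + 0.05 * i, DEAUTH, AP1, BCAST, 0) for i in range(6)]
    + [_row(9.0 + 0.1 * i, DISASSOC, AP2, STA, 1) for i in range(5)]
)


def unprotected_teardown_bursts(rows, window=1.0, threshold=5):
    """Flag transmitter addresses that send >= threshold unprotected
    deauth/disassoc frames within `window` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for row in rows:
        ts_s, st_s, ta, ra, prot = row.rstrip("\n").split("\t")
        if int(st_s, 0) not in (DISASSOC, DEAUTH):
            continue
        if prot.strip().lower() in ("1", "true"):
            continue                      # Protected bit set: covered by 802.11w
        ts = float(ts_s)
        seen = recent[ta]
        seen.append((ts, ra))
        while ts - seen[0][0] > window:   # slide the window forward
            seen.popleft()
        if len(seen) >= threshold:
            alert = alerts.setdefault(
                ta, {"first_seen": seen[0][0], "peak": 0, "receivers": set()})
            alert["peak"] = max(alert["peak"], len(seen))
            alert["receivers"].update(r for _, r in seen)
    return alerts


if __name__ == "__main__":
    for ta, info in unprotected_teardown_bursts(SAMPLE).items():
        print(ta, info)
```

The transmitter address in an unprotected frame is only a claim, so an alert identifies the affected BSS and time window rather than the sender.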

Action Frames

Action: is a management frame (0) subtype (13) used for spectrum management, fast BSS transition and other actions taken within a BSS.

Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.

Wireshark 802.11 Data frame

Data frames: carry data, or may be used for control functions related to power management when the null data frame is used.

Null data frames:

Are used to notify an AP that a STA is awake and able to receive frames. The null data frame is simply a data frame with no data in the frame body field.

Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.

Wireshark 802.11 Control frames

Control frames: are used to control access to the medium for STAs that are connected to an AP or the WLAN. Below are Wireshark captures of the control frame subtypes.

Acknowledgement (ACK): is a control frame (1) subtype (13) used to signal receipt of a frame.

ACK frames are sent immediately after data and management frames to inform the transmitter that the frame was received. Without an ACK frame, the transmitter assumes the frame was lost due to corruption and retransmits the frame. At each retransmission, the random backoff timer length is increased until it reaches its maximum of 1023. This prevents a STA from consuming excessive airtime without doing the right thing: lowering the data rate so that the frame can get through.

The ACK frame contains the Frame Control, Duration, RA and FCS subfields.

The ACK frame may be involved in a communication where more fragments are to come. It will set the Duration field value based on the following:

Duration value of previous frame + ACK time + SIFS time

BlockAckReq frame: is a control frame (1) subtype (8) that is used to request block acknowledgement.

BlockAck frame: is a control frame (1) subtype (9) providing block acknowledgement for multiple frames in a burst.

Request to Send (RTS) and Clear to Send (CTS) frames

Request to Send (RTS): is a control frame (1) subtype (11) used to request the target STA to send a CTS frame.

Clear to Send (CTS): is a control frame (1) subtype (12) used to clear the medium for transmission of another frame.

RTS and CTS frames: are used to clear the medium for transmission of larger frames. In environments with many collisions (typically detected with high retry rates), it can improve efficiency to enable RTS/CTS for communications. The RTS frame is transmitted by the STA desiring to send a larger frame. The CTS frame is sent back as a response.

Below is the RTS and CTS frame structure.

The Duration field in RTS/CTS frames is very important. In an RTS frame it is a time in microseconds represented by:

Data or management frame duration + CTS duration + one ACK duration + three SIFS

This formula allows the medium to be clear for the entire duration of the data frame transmission. The CTS response frame has a duration in microseconds represented by:

Value of the Duration field from the preceding RTS frame - CTS duration - one SIFS

CTS-to-Self is a CTS frame sent without a preceding RTS frame. It is called this because the RA field is set to the sender's own address, but all STAs within range will hear the frame and set their NAV timers accordingly from the Duration field of the CTS frame. The Duration field of a CTS-to-Self frame is represented by:

Data or management frame duration + two SIFS + one ACK

The formula assumes the data or management frame requires an ACK. If it does not, simply remove the ACK to determine the Duration field value.

To filter on RTS/CTS frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x1b or wlan.fc.type_subtype == 0x1c

To filter out RTS/CTS frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x1b and wlan.fc.type_subtype != 0x1c

Control Wrapper: is a control frame (1) subtype (7) used to carry other control frames while including an HT Control field.

PS-Poll Frames

PS-Poll frames are used to notify the AP that the client STA is awake and available for buffered frames. PS-Poll frames use the format shown below.

STAs indicate the power save mode using the Power Management (PM) bit in the Frame Control field. When a STA is in PM mode (PM bit = 1), it alternates between awake and dozing states. In this case the AP buffers all unicast traffic destined for the PS STA. When one STA in the BSS is in PS mode, all group-addressed traffic is also buffered until after the DTIM beacon. The client wakes up at every listen interval (a client setting) to listen for beacon frames. In beacon frames, the client checks AID 0 (for group traffic) and its own unique AID to check for buffered data. If it finds buffered data (indicated by a 1 bit for its AID), it sends a PS-Poll frame requesting that the AP send the buffered unicast traffic one frame at a time. The data sent by the AP to the STA has the More Data bit set to 1 if there is more buffered data. If so, the client will send a new PS-Poll each time. If there are no more buffered frames, the client STA may return to sleep.

Trigger frames are data frames that are acknowledged by the AP. One of the important enhancements of WMM is allowing a data frame to be a trigger frame. In this way, the client can send data to the AP while also triggering delivery of the AP's buffered frames for the client. When the AP has multiple buffered frames for the client, the data frames can be sent during an EDCA transmit opportunity (TxOP) burst with interleaved ACKs. WMM-PS addresses the inefficiencies of legacy PS while adding the performance enhancements offered by WMM.

The 802.11 specification defines both scheduled (for either contention-free or contention-based access) and unscheduled service periods, but the WMM-PS program uses only unscheduled service periods. The terms delivery-enabled and trigger-enabled relate to a client STA's ability to trigger (with a data frame) the downlink delivery of buffered frames.

WMM-PS has multiple advantages over legacy power save, including:

■ No need to wait for Beacon frames. Application requirements can dictate how often the STA will wake up.

■ Downlink frames can be sent in a burst instead of requiring a separate trigger frame for each downlink frame.

■ The trigger frame can be a data frame instead of requiring a PS-Poll control frame.

■ Applications experience lower latency when power-saving features are used.

■ The client spends more time sleeping, thus it has better power save efficiency.

To filter on PS-Poll frames in Wireshark, use the following filter: wlan.fc.type_subtype == 0x1a

To filter out PS-Poll frames in Wireshark, use the following filter: wlan.fc.type_subtype != 0x1a

Carpenter, Tom. CWAP® Certified Wireless Analysis Professional Official Study Guide: CWAP-402. Certitrek Publishing. Kindle Edition.




Mgig interface and Wave 2 AP’s

I was asked in a work team meeting by one of the network engineers on the network refresh project about the Mgig interface on the new Wave 2 APs, and whether we should upgrade the switch interface to benefit from the information provided by the vendor data sheets.

The paragraphs below are my attempt to explain to him, and anyone else in the meeting who would listen, that yes, upgrading the switch and APs is a great idea; however, based on good enterprise wireless design requirements and the nature of 802.11, we would not be able to achieve the theoretical wireless throughput rate of up to 5.2Gbps as per the vendor's data sheet.

To even come close to achieving this theoretical wireless data rate, the AP needs to be configured with dual 5GHz radios (2.6Gbps per radio), both using 160MHz-wide channels, in ideal RF conditions (RSSI greater than -48dBm and a signal-to-noise ratio above 40dB).

The major problem with this theoretical data rate is the channel width. In the 5GHz band we only have 25 non-overlapping 20MHz-wide channels to play with (when using DFS channels). If we were to utilise 160MHz-wide channels, it only leaves us with 2.

Wireless is half duplex, and given the mechanisms that 802.11 devices use to determine whether the medium is free before sending traffic, having only 2 channels makes avoiding interference issues impossible. Client devices operating in a noisy environment reduce the aggregate wireless throughput, due to the excess management traffic caused by corrupted frames being retransmitted (more management traffic equals less data traffic).

When we design enterprise wireless networks, a major design consideration is how best to design based on the RF spectrum available, frequency reuse, the number and type of client devices and the data SLA. With these requirements identified we can determine the number of APs, their placement and the channel plan in order to avoid or reduce wireless issues such as co-channel, adjacent-channel and overlapping basic service set interference.

Below are some other reasons why 160MHz-wide channels are not viable and why we won't get the benefits of that Mgig interface in an enterprise wireless deployment.

– Currently no client devices support 160MHz-wide channels

– No normal wireless client device requires that amount of data throughput

– Wireless management and control traffic is sent at legacy data rates

– Wireless is half duplex

– TCP/IP overhead

– Dual 5GHz AP deployments won't work due to continued support for 2.4GHz clients

– When using the other radio as a 2.4GHz radio with a maximum 20MHz-wide channel, it has a data rate of 288.9Mbps

– The vendor recommendation for a dual 5GHz AP is 100MHz spacing between channels, so dual 160MHz-wide channels are not able to be deployed

– Unrealistic RSSI and SNR values are needed to achieve the MCS9 VHT data rates

– Multi-user multiple-input multiple-output (MU-MIMO) needs capable devices and works only on the downlink