Sie sind auf Seite 1von 20


Wi-Fi Basics
802.11 Fundamentals

Table of Contents
Introduction ........................................................................................................... 2
WLAN Organizations ................................................................................................. 2
802.11 Networking Basics .......................................................................................... 4
Layer 1 - Physical Layer: RF ....................................................................................... 5
Channel Design and Site Survey .................................................................................. 7
Layer 2 - Data-Link/MAC Sublayer: 802.11 Frames ........................................................... 8
WLAN Toplogies and Terminology ............................................. Error! Bookmark not defined.
Client Isolation: Upper Layer Design ..............................................................................
Wi-Fi Security ..................................................................... Error! Bookmark not defined.
Client Isolation: Upper Layer Design ..............................................................................

In 1997, the Institute of Electrical and Electronics Engineers (IEEE) ratified the original 802.11 standard that
defined communication mechanisms for wireless local area networking (WLAN). Since the original ratification, the
IEEE has amended the standard many times over to enhance the WLAN speeds and reliability. The technology
was eventually given the marketing name of Wi-Fi which is a marketing term recognized worldwide by billions of
people as referring to 802.11 wireless networking. Since 1997, Wi-Fi has become part of our worldwide culture
and everyday life.
Although Wi-Fi has been around for over a decade, confusion stills exists regarding some of the terminology and
basic operations of 802.11 wireless networking. The purpose of this white paper is to explain some of the basics
of Wi-Fi and the associated terminology. When designing and troubleshooting any enterprise WLAN; a proper
understanding of the basics of Wi-Fi operations is an often overlooked yet necessary skill-set that any IT
administrator should possess.

WLAN Organizations
At least three organizations guide the various aspects of the Wi-Fi industry:

Spectrum management regulatory domain authority: The International Telecommunication Union

Radiocommunication Sector (ITU-R) and local entities such as the Federal Communications Commission
(FCC) set the rules for what the user can do with a radio transmitter. These organizations manage and
regulate frequencies, power levels, and transmission methods. Essentially, the FCC and other regulatory
bodies set the rules for what the user can do regarding radio frequency (RF) transmissions. The FCC and
the respective controlling agencies in the other countries typically regulate two categories of wireless
communications: licensed and unlicensed. The difference is that unlicensed users do not have to go
through any license application procedures in order to install a wireless system. In most countries, the
RF transmissions used for Wi-Fi occur in the unlicensed frequency bands of 2.4 GHz and 5 GHz.

One main advantage of an unlicensed frequency is that permission to transmit on the frequency is free.
Although there are no financial costs, you still must abide by transmission regulations and other restrictions.
In other words, transmitting in an unlicensed frequency may be free, but there still are rules. It is important to
understand that communications are regulated differently in many regions and countries. For example,
European RF regulations are very different from the regulations used in North America. When deploying a

Wi-Fi Basics
WLAN, please take the time to learn about rules and policies of the countrys local regulatory domain

IEEE: The Institute of Electrical and Electronics Engineers (IEEE) creates standards for compatibility and
coexistence between networking equipment. Networking professionals are all familiar with the IEEE
802.3 wired networking standard that defines Ethernet networking. The technical standard for Wi-Fi
communications is the 802.11 standard for wireless local area networking (WLAN). Other wireless
standards such as 802.15 also exist but they do not pertain to Wi-Fi communications. Any wireless IEEE
standards must adhere to the rules of the spectrum management organizations, such as the FCC.
The original 802.11 standard was published in June 1997, however, over the years, many
amendments have been proposed and ratified in order to enhance the security, reliability and
performance of the WLAN technology. Table 1 shows a simple comparison of some of the
various 802.11 amendments in regards to data rates and frequency bands supported. 802.11g
radios are backward compatible with older 802.11b radios. Please note that 802.11b/g radios can
only transmit in the 2.4 GHz frequency band while 802.11a radios can only transmit in the 5 GHz
frequency band. 802.11n radios can transmit on both frequency bands and are backward
compatible with 802.11a/b/g radios.
Table 1: 802.11 Amendments
802.11 legacy

Supported Data Rates

1, 2 Mbps

2.4 GHz

5 GHz

RF technology



1, 2, 5.5, 11 Mbps
6 - 54 Mbps
6-54 Mbps
6 - 600 Mbps*





* All Aerohive HiveAPs use 802.11n compliant radios. The 802.11n High Throughput (HT)
amendment defined new PHY layer and MAC layer enhancements to achieve data rates as high
as 600 Mbps. Current 802.11n chipsets support data rates of 450 Mbps. 802.11n radios operate
in both the 2.4 GHz and 5 GHz frequency bands.
DSSS = Direct Sequencing Spread Spectrum
FHSS = Frequency Hopping Spread Spectrum
OFDM = Orthogonal Frequency Division Multiplexing
HT = High Throughput
SISO = Single Input, Single Output
MIMO = Multiple Input, Multiple Output
More detailed information about the IEEE 802.11 standard and amendments can be found at:

Wi-Fi Alliance: The Wi-Fi Alliance is a global, non-profit industry association that is devoted to promoting
the growth of Wi-Fi technology. The Wi-Fi Alliance markets the Wi-Fi brand and raises consumer
awareness of any new 802.11 technologies as they become available. The primary task of the Wi-Fi
Alliance is to provide certification testing to make sure wireless networking equipment conforms to the
802.11 WLAN communication guidelines, similar to the IEEE 802.11 standards. Testing of vendor Wi-Fi
products is performed within independent authorized test laboratories worldwide. The guidelines for
interoperability for each Wi-Fi CERTIFIED program are usually based on key components and
functions that are defined in the IEEE 802.11-2007 standard and various 802.11amendments. In fact,
many of the same engineers who belong to 802.11 task groups are also contributing members of the WiFi Alliance. However, it is important to understand that the IEEE and the Wi-Fi Alliance are two separate
organizations. The IEEE 802.11 task group defines the WLAN standards, and the Wi-Fi Alliance defines

Copyright 2011, Aerohive Networks, Inc.

interoperability certification programs. Devices certified by the Wi-Fi Alliance carry the Wi-Fi CERTIFIED
logo shown in Figure 1. More information about the Wi-Fi Alliance can be found at
Aerohive Networks is a proud member of the Wi-Fi Alliance.
Figure 1: Wi-Fi CERTIFIED logo

802.11 Networking Basics

The seven layers of the OSI model has long been the cornerstone of data communications. Acquiring an
understanding of the OSI model is a necessary and fundamental task that any networking professional must
undertake. In addition to understanding the OSI model and basic networking concepts, a basic understanding of
the fundamentals of Wi-Fi is paramount to properly design, deploy, administer and troubleshoot an 802.11
wireless network properly. The IEEE only defines communication mechanisms at the first two layers of the OSI
model: the Physical layer and the MAC sublayer of the Data-Link layer.
Various wired networking standards define the Physical layer (layer 1) operations using a transmission medium
such as copper or fiber optic cabling. The IEEE defines a wide variety of complex radio frequency (RF)
communications for the wireless physical medium used in Wi-Fi. WLAN radio cards use different types of
modulation methods to represent data bits as they are delivered via an RF signal.
The IEEE also defines data delivery at the Data-Link layer (layer 2) which is divided into two sublayers. The upper
portion is the IEEE 802.2 Logical Link Control (LLC) sublayer, which is identical for all 802-based networks,
although not used by all of them. The bottom portion of the Data-Link layer is the Media Access Control (MAC)
sublayer, which is identical for all 802.11-based networks. The IEEE 802.11 standard defines operations at the
MAC sublayer for datagram frame transmissions.
It is important to understand that Wi-Fi communications only operate at layer 1 and layer 2 of the OSI model. As a
matter of fact, layers 3-7 operations are not defined at all by the IEEE for any 802.11 WLAN communications.
When you troubleshoot a Wi-Fi network, you should troubleshoot it just like you would troubleshoot a wired
network. In other words, you should move up the OSI stack when troubleshooting. The majority of problems in
any type of network occur at layer 1. Any Wi-Fi administrator will testify to how many times the end-user simply
did not have the radio card enabled on a laptop, thus preventing Wi-Fi communications to even get started.
WLAN radio card drivers have long been one of the main causes of connectivity problems between access points
(APs) and client devices. Other Physical layer problems are caused by RF interference or improperly designed
WLANs. Layer 2 MAC sublayer problems often occur due to misconfigured AP or client device settings.
If you are troubleshooting a WLAN and can properly determine that root cause of network connectively is not
occurring at either layer 1 or layer 2, then the problem is not a Wi-Fi problem and it exists at the upper layers.
Enterprise Wi-Fi networks very often get blamed for recurrent problems that have nothing to do with the properly
deployed WLAN infrastructure. If a Wi-Fi network administrator can properly determine that a problem is not
occurring at either layer 1 or 2, then the problem is usually an IP networking problem and/or an application-based
Although Wi-Fi only operates at the first two layers of the OSI model, by no means are the upper layers of the OSI
model to be ignored. To properly administer an Ethernet network, a deep comprehension of TCP/IP, bridging,

Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics
switching, and routing is required and the same holds true for any enterprise Wi-Fi deployment. The purpose of
am 802.11 WLAN is to provide client mobility and to provide a secure wireless portal into a pre-existing network
infrastructure. In other words, when designing and deploying an 802.11 WLAN, there will always be upper-layer
design considerations

Layer 1 - Physical layer: RF

As stated earlier, the physical medium used for Wi-Fi communications is electro-magnetic RF communications.
Wired communications travel across what is known as bounded medium. An example of a bounded medium
would be an Ethernet cable that contains or confines the signal (small amounts of signal leakage can occur).
Wireless communications travel across what is known as unbounded medium. Unbounded medium does not
contain the signal, which is free to radiate into the atmosphere in all directions (unless restricted or redirected by
some outside influence). Because of the unbounded nature of RF communications, the different physical
environments in every indoor or outdoor deployment will result in different coverage and capacity capabilities that
are unique to the site. Unlike a bounded wired cable, RF is an ever-changing physical medium that will change
along with the physical environment in which RF propagates. The good news is that RF communications still do
abide by the laws of physics, meaning that a functional WLAN can be designed with the proper knowledge of RF
characteristics and behaviors.
An RF signal starts out as an electrical alternating current (AC) signal that is originally generated by a transmitter.
This AC signal is radiated out of an antenna element in the form of an electromagnetic wave. An RF signal is an
alternating current (AC) that continuously changes between a positive and negative voltage which can be
represented as a sine wave. An oscillation, or cycle, of this alternating current is defined as a single change from
up to down to up, or as a change from positive to negative to positive.
All RF signals are defined by various characteristics including wavelength, frequency, amplitude and phase.
Phase, frequency and amplitude shifts can all be used by transmitting radios to modulate data.

Wavelength: A wavelength is the distance between the two successive crests (peaks) or two successive
troughs (valleys) of a wave pattern, as pictured in Figure 2. In simpler words, a wavelength is the
distance that a single cycle of an RF signal actually travels.
Figure 2: Wavelength

Frequency: Frequency is the number of times a specified event occurs within a specified time interval.
The standard measurement of frequency is hertz (Hz). An event that occurs once in 1 second is equal to
1 Hz. An event that occurs 2.4 billion times in 1 second is measured as 2.4 GHz. The frequency at which

Copyright 2011, Aerohive Networks, Inc.

electromagnetic waves cycle is also measured in hertz. As shown in Figure 3, the number of times an
RF signal cycles in 1 second is the frequency of that signal.
Figure 3: Frequency

An inverse relationship exists between wavelength and frequency. The three components of this inverse
relationship are frequency, wavelength and the speed of light. A simplified explanation is that the lower
the frequency of an RF signal, the larger the wavelength of that signal. The smaller the wavelength of an
RF signal, the higher the frequency of that signal. As RF signals travel through space and matter, they
lose signal strength (attenuate). Higher frequency signals with a smaller wavelength will attenuate faster,
than lower frequency signals with a larger wavelength.

Phase: The relationship between two or more signals that share the same frequency. Phase can be
measured in distance, time, or degrees. If the peaks of two signals with the same frequency are in exact
alignment at the same time, they are said to be in phase. Conversely, if the peaks of two signals with the
same frequency are not in exact alignment at the same time, they are said to be out of phase.
The way in which RF waves move (also known as propagation) will vary drastically due to the existing
environment and any materials in the path of a signal. Depending on the materials, an RF signal may
reflect, refract, diffract, scatter or be absorbed. These propagation behaviors will can cause an RF
phenomenon known as multipath as well as affect the received amplitude of an RF signal. Multipath is a
propagation phenomenon that results in two or more paths of a signal arriving at a receiving antenna at
the same time or within nanoseconds of each other. The propagation behaviors of reflection, scattering,
diffraction, and refraction will occur differently in dissimilar environments. These propagation behaviors
can all result in multiple paths of the same signal. Multiple paths of the same signal will usually result in a
phase difference between the two signals at the receiving radio. The effects of multipath can either be
constructive or destructive. High instances of multipath can cause data corruption with legacy
802.11a/b/g radios, however, multipath is actually beneficial to the performance of the 802.11n MIMO

Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics

Amplitude: The amplitude of an RF signal, which can be characterized simply as the signals strength, or
power. When discussing signal strength in a WLAN, amplitude is usually referred to as either transmit
amplitude or received amplitude. Transmit amplitude is typically defined as the amount of initial amplitude
that leaves the radio transmitter. For example, if you configure an access point to transmit at 10 milliwatts
(mW), that is the transmit amplitude. Antennas are then used to passive amplify the original transmit
amplitude. When a radio receives an RF signal, the received signal strength to as received amplitude.
While the majority of Wi-Fi radio can transmit anywhere between 1 mW and 100 mW, most Wi-Fi radios
can receive an RF signal as low as billionths of a milliwatt. As an RF signal propagates away from the
original transmitter, the signal will attenuate (lose amplitude). All RF signals lose amplitude as function of
distance; caused by a natural phenomenon known as free space path loss (FSPL). The surrounding
environment also attenuates the amplitude of an RF signal as it passes through different physical
mediums such as concrete or drywall.
The amplitude of a signal can be measured as either a relative measurement or an absolute
measurement. An absolute measurement of power such as milliwatts represents the transmit amplitude
of a signal or the received amplitude of an RF signal. A milliwatt (mW) is an absolute measurement of a
unit of power. A relative measurement represents change in power as an RF signal moves from one
point in space to another point in space. A decibel (dB) is a relative measurement that is a unit of
comparison as opposed to a unit of power. A dB is a logarithmic comparison measurement based on the
change in power between a transmitter and a receiver. An approximation of the gain or loss measured by
dBs is can expressed by what is known as the rule of 10s and 3s. Every 3 dB of loss, halves the absolute
power while every 3 dB of gain doubles the absolute power. Every 10 dB of loss, divides the absolute
power by a factor of 10, while every 10 dB of gain multiplies the absolute power by a factor of 10. For
example, if a Wi-Fi radio is transmitting at 50 mW and the antenna adds 3 dB of gain to the signal, then
the amount of absolute power that would exit the head of the antenna is 100 mW. If a 50 mW signal lost
10 dB due to attenuation, then the received signal would be 5 mW.
The most common way to measure received amplitude is an absolute unit of power called dBm which
means decibels referenced to 1 milliwatt. The reference point is 1 milliwatt because 0 dBm = 1 mW.
Table 2 shows the relationship between milliwatts and dBms

Table 2: dBm and Milliwatt Conversions



+20 dBm
+10 dBm
0 dBm
10 dBm
20 dBm
30 dBm
40 dBm
50 dBm
60 dBm
70 dBm
80 dBm
90 dBm

100 mW
10 mW
1 mW
.01 mW
.001 mW
.001 mW
.0001 mW
.00001 mW
.000001 mW
.0000001 mW
.00000001 mW
.000000001 mW

1/10th of 1 Watt
1/100th of 1 Watt
1/1,000th of 1 Watt
1/10th of 1 milliwatt
1/100th of 1 milliwatt
1/1,000th of 1 milliwatt
1/10,000th of 1 milliwatt
1/100,000th of 1 milliwatt
1 millionth of 1 milliwatt
1 ten-millionth of 1 milliwatt
1 hundred-millionth of 1 milliwatt
1 billionth of 1 milliwatt

Most Wi-Fi radios have the receive sensitivity to understand a very strong received signal of- 30 dBm to very
weak received signal of -110 dBM signal in the billionths of 1 milliwatt.

Copyright 2011, Aerohive Networks, Inc.

Channel design and Site Survey

802.11bgn radios can transmit in the 2.4 GHZ band with a total of fourteen available channels. In the US only
eleven of those channels are legally available and only 13 are available in Europe. Figure 4 depicts a spectrum
analyzer view of the frequency space occupied by these fourteen channels.

Figure 4: 2.4 GHz Frequency Band

Please note that within the 2.4 GHz band, only three channels have non-overlapping frequency space: channels
one, six and eleven. When designing a WLAN, overlapping RF cell coverage is necessary to provide for seamless
roaming. However, non-overlapping frequency space within the same coverage zone is also necessary to prevent
data corruption caused by adjacent cell interference. RF is a half-duplex medium that allows for the transmission
of only a single radio on any frequency channel, therefore when three or more 2.4 GHz APs are needed to cover
an enterprise facility, only the non-overlapping channels of one, six and three should be used . Figure 5 shows
floorplan using six APs to provide coverage. Note that only the non-overlapping channels of 1, 6 and 11 are used.
Figure 5: 2.4 GHz Non-overlapping Channels

Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics

Figure 6 shows an improper channel design using the same six APS. Note that channels 1 -7 are used and all
the channels share overlapping frequency space. The improper channel reuse design shown in Figure 6 causes
what is often known as adjacent cell interference. Data corruption is caused by your own APs transmitting at the
same tome over shared frequency space. The end result is decreased throughput and increased latency.
Adjacent cell interference is simply RF interference caused by your own APs due to improper channel design.

Figure 6: Adjacent Cell Interference

One of the most common mistakes many businesses make when first deploying a WLAN is to configure multiple
access points all on the same channel as shown in Figure 7. If all of the APs are on the same channel,
unnecessary medium contention overhead occurs. Wi-Fi uses a listen-before -you-talk technology called the clear

Copyright 2011, Aerohive Networks, Inc.

channel assessment (CCA) to ensure that that only one radio can transmit on the same channel at any given
time. As shown in Figure 7, if an AP on channel 1 is transmitting, all nearby access points and clients on the
same channel will defer transmissions. The result is that throughput is adversely affected: Nearby APs and clients
have to wait much longer to transmit because they have to take their turn. The unnecessary medium contention
overhead that occurs because all the APs are on the same channel is called co-channel interference (CCI). In
reality, the 802.11 radios are operating exactly as defined by the CCA mechanisms, and this behavior should
really be called co-channel cooperation. The unnecessary medium contention overhead caused by co-channel
interference is a result of improper channel reuse design.
Figure 7: Co-channel cooperation

At 2.4 GHz, there will always be a certain amount of co-channel cooperation due to the fact that only three
channels are available and some channel bleed over will occur. For that reason, sometimes a four-channel reuse
plan of channels 1, 5, 9 and 13 is used in Europe to limit the instances of co-channel cooperation. However, it
should be noted that any North American client device will not be able to connect to an AP transmitting on
channel thirteen.
802.11an radios transmit in the four Unlicensed National Information Infrastructure (UNII bands) that exist at 5
GHz, As shown in Figure 8, a total of 23
non-overlapping channels exist, the UNII-1,
2 and 3 bands all have four channels each
while the UNII 2E band has 11 channels.
Depending on the country in which you
reside, many more channels are available at
5 GHz than at 2.4 GHz meaning a variety of
different channel reuse patterns can be
designed to completely avoid adjacent cell
interference as well as eliminate
occurrences of co-channel cooperation.

Figure 8: 5 GHz UNII Bands


Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics
In many countries the radios in the UNII-2 and UNII-2E 5 GHZ bands are required by law to use dynamic
frequency selection (DFS) technology to detect radar pulses and automatically changes channels to avoid
interfering with government radar installations. In areas were radar might exist or if there is a worry about false
positive radar pulse detection, many enterprise deployments choose an 8-channel reuse plan using the channels
in the UNII-1 and UNII-2 bands as shown in Figure 9. Please note that the 4 channels in UNII-3 are not available
for use in Europe.
Figure 9: Eight channel reuse plan - 5 GHz

The good news is that Aerohives Wi-Fi planner tool will always helps use choose a proper channel plan for both
2.4 GHz and 5 GHz. Always keep in mind that Wi-Fi is not two-dimensional and that RF signals can propagate
between floors in a building. Aerohives Wi-Fi planner tool has multiple floor planning capabilities as shown in
Figure 10, channel reuse designs must exist between floors in order to avoid adjacent cell interference and
unnecessary co-channel cooperation.
Figure 10: Multiple floor channel design

Copyright 2011, Aerohive Networks, Inc.


Most Aerohive Hive APs off dual-frequency radio capabilities and planning is necessary for both frequencies.
However, always plan for the 5 GHz coverage first because more APS will be needed due to the fact that the
smaller wavelength 5 GHz signals will attenuate faster than 2.4 GHz signal.
Aerohive also uses a cooperative-control protocol called Automatic Channel Selection Protocol (ASCP) that
allows HiveAPs to cooperatively communicate with each other about their individual power and channel settings.
After a proper channel and power settings have been chosen, it may be necessary to adjust the power levels and
transmit channels of individual APs based of changes in the existing environment. ASCP can will make these
power and channel adjustments as pre-scheduled events or can change dynamically based on RF interference
Because ever site is different, proper coverage analysis and planning is necessary to make sure that every Wi-Fi
client can receive a strong and reliable signal. A site survey should always be considered mandatory when
designing an enterprise Wi-Fi network. Site surveys are necessary for spectrum analysis, channel design and
coverage analysis. Coverage analysis requires guaranteeing a minimum amount of coverage provided by an
access point based of the received signal amplitude from the clients perspective. Every
building and environment is different and there it is necessary to account for the various
attenuation values of the unique materials in each building. As RF signals passes through
different mediums, the signal can be absorbed into the medium, which in turn causes a loss
of amplitude. Different materials typically yield different attenuation results. As shown in
Figure 11, the Aerohive Wi-Fi Planner tool allows you to designate to proper attenuation
values to the floorplan being evaluated for proper coverage. A school building made
entirely of brick walls will require more APs than a building made mostly of drywall.
Figure 11: Material Attenuation Properties

So what type of received signal amplitude should you plan on providing to offer a quality experience in terms of
throughput and reliability for the Wi-Fi end-user? Client radios will shift between data rates based on received
signal strength indications (RSSI) thresholds. These thresholds may take into account multiple variables, however
received amplitude is usually the main variable. For example, an 802.11b Wi-Fi client receiving a signal of -70
dBm from an AP may then transmit at a rate of 11 Mbps, however if a client moves further away from the AP and
receives a weaker signal of only -85 dBm, the client may shift down to a lower date rate of 2 Mbps using a less
complex modulation scheme. When designing for higher data-rate communications, coverage of -70dBm or
greater is recommended. Keep in mind that the received signal is always from the clients perspective.
Another important concept to understand is signal-to-noise (SNR) ratio. The signal-to-noise ratio is simply the
difference in decibels between the received signal and the background ambient noise known as the noise floor.
Most Wi-Fi radio can measure ambient noise floor which is created by any other nearby electromagnetic devices.
For example, if a radio receives a signal of 85 dBm and the noise floor is measured at 100 dBm, the difference
between the received signal and the background noise is 15 dB. The SNR is 15 dB. Data transmissions can
become corrupted with a very low SNR. If the amplitude of the noise floor is too close to the amplitude of the
received signal, data corruption will occur and result in layer 2 retransmissions. An SNR of 25 dB or greater is
considered good signal quality, and an SNR of 10 dB or lower is considered poor signal quality
A high SNR is even more important when designing coverage for time-sensitive applications such as voice which
are more susceptible to data corruption cause by a low SNR. It is a good idea to guarantee coverage of -67 dBm
or better when designing for voice. Even if the noise floor was as high as -90 dBm, a received signal of -63 dBm
would still guarantee an SNR of 23 dB and hopefully very little data corruption.
In the past, coverage analysis site surveys were performed manually using the old AP-on-a-stick method. Most
coverage analysis site surveys use predictive modeling. Aerohive Wi-Fi Planner tool provides the user with all
necessary tools needed to create an accurate predictive coverage model. The Aerohive Wi-Fi Planner tool is built


Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics
into all versions of the Aerohive HiveManager network management platform solution. Additionally, Aerohive WiFi Planner is always available only for free at
Capacity is another issue that should always be addressed when planning for a Wi-Fi network. In areas where
there is a high density of Wi-Fi users, more HiveAPs may be necessary. As shown in Figure 12, Aerohive offers
High density WLAN capabilities that can be applied to the radio profiles of any group of HiveAPs. High density
WLAN capabilities include suppression and thinning of certain types of 802.11 management frames, cooperative
load-balancing of clients between HiveAPs and automatic band-steering of clients to the preferred 5 GHz WLAN.
Figure 12: High Density

WLAN Topologies and Terminology

A networking topology is defined simply as the physical and/or logical layout of nodes in a computer network. Any
individual who has taken a networking basics class is already familiar with bus, ring, and star topologies that are
often used in wired networks. An 802.11 WLAN topology is known as a service set. The following terms are often
used in discussions about Wi-Fi topologies.
BSS: The basic service set (BSS) is the cornerstone topology of an 802.11 network. The simple definition of a
BSS is single access point with one or more Wi-Fi client devices communicating through the AP. Client stations
join the APs wireless domain and begin communicating through the AP. Stations that are members of a BSS
have a layer 2 connection and are called associated. Figure 13 depicts a standard 802.11 basic service set.

Figure 13: Basic Service Set (BSS)

BSSID: The 48-bit (6-octet) MAC address of an access points radio card is known as the basic
service set identifier (BSSID). The MAC address that is the layer 2 identifier of the basic service set (BSS). The
BSSID is the MAC address of an access points radio or is derived from the MAC address of the APs radio if
multiple basic service sets exist.
SSID: The service set identifier (SSID) is a logical name used to identify a WLAN. The SSID wireless network
name is comparable to a Windows workgroup name. The SSID can be made up of as many as 32 characters
and is case sensitive.

Copyright 2011, Aerohive Networks, Inc.


DS: Access points are meant to be portal devices so that traffic can be forwarded from an 802.11 WLAN medium
to another type of medium. The majority of 802.11 deployments use an access point as a portal into an 802.3
Ethernet backbone, which serves as a distribution system (DS) medium. Access points are usually connected to a
switched Ethernet network, which often also offers the advantage of supplying power to the access points via
Power over Ethernet (PoE).
ESS: The term extended service set (ESS) is often used to describe one or more basic service sets connected by
a distribution system medium. Usually an extended service set is a collection of multiple access points and their
associated client stations, all united by a single 802.3 Ethernet backbone. In most cases the HiveAPs that belong
to the same ESS will have overlapping Wi-Fi coverage cells to provide client mobility. As shown in Figure 14,
HiveAPs in an ESS where roaming is required must all share the same logical name (SSID), but have unique
layer 2 identifiers (BSSIDs) for each unique BSS coverage cell. The logical network name of an ESS is often
called an extended service set identifier (ESSID) and is essentially synonymous with the term SSID.
Figure 14: Extended Service Set (ESS)

WDS: The 802.11standard defines a mechanism known as a wireless distribution system (WDS) for wireless
communication using a four-MAC-address frame format. Although the DS normally uses a wired Ethernet
backbone, it is possible to use a wireless connection instead. A WDS forwards user traffic between access points
using a method that is referred to as a wireless backhaul. Real-world examples of WDS include WLAN bridging
between buildings and mesh networks. HiveAPs can be deployed as a WDS to provide for both client coverage
and wireless backhaul. HiveAPs can be deployed in either a traditional mesh environment or as a mesh failover
solution. Wireless mesh network connections can be used to create redundant paths between access points,
enabling the WLAN to route around wired network failures ensuring there is no single point of failure within the
wireless or the wired infrastructure. The dynamic wireless mesh network redundancy allows for this capability
without dedicating a radio for this mesh resiliency, preserving two radios for user access during normal operation.
When required to route around a failure in the wired network, a wireless mesh network connection is dynamically
and gracefully established between neighboring HiveAPs.

Layer 2 - Data-Link/MAC Sublayer: 802.11 Frames

The 802.11 Data-Link layer is divided into two sublayers. The top section is the IEEE 802.2 Logical Link Control
(LLC) sublayer, which is identical for all 802-based networks. The bottom section of the Data-Link layer is the
Media Access Control (MAC) sublayer. The 802.11 WLAN standard defines operations at the MAC sublayer.


Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics
When the Network layer (layer 3) sends data to the Data-Link layer, that data is handed off to the LLC and
becomes known as the MAC Service Data Unit (MSDU). The MSDU contains data from the LLC and layers 37.
A simple definition of the MSDU is that it is the data payload that contains the IP packet plus some LLC data.
When the LLC sends the MSDU to the MAC sublayer, the MAC header information is added to the MSDU to
identify it. The MSDU is now encapsulated in a MAC Protocol Data Unit (MPDU). A simple definition of an MPDU
is that it is a frame. An 802.11 frame consists of the following three basic components:

MAC Header: Contains frame control information, duration information, addressing, and sequence
control information.
Frame Body: The body can be variable in size and also contains information that is different depending
on the frame type and frame subtype.
Frame Check Sequence (FCS): Comprises 32-bit cyclic-redundancy check (CRC) that is used to
validate the integrity of received frames.

802.11 frames are unlike many frames used by wired network standards such as IEEE 802.3, which uses a single
data frame type. The IEEE 802.11 standard defines three major frame types: management, control, and data.
These frame types are further subdivided into multiple subtypes.
Data Frames: Most 802.11 data frames carry the actual MSDU data that is passed down from the higher-layer
protocols. The upper layer 3-7 MSDU payload is normally encrypted for data privacy reasons. The payload found
in most 802.11 data frames is the client user traffic that is destined to and from the wired-side network. Each
Aerohive HiveAP is responsible for the 802.11 to 802.3 frame format translation and for all data forwarding of user
traffic at the edge of the network between the wired and wireless mediums.
Management Frames: 802.11 management frames make up a majority of the frame transmissions in a WLAN.
Management frames are used by client stations to join and leave the basic service set (BSS). Management
frames have a MAC header, a frame body and a trailer; however, management frames do not carry any upperlayer information. There is no MSDU encapsulated in the management frame body, which carries only MAC layer
information. Because there is no upper layer payload in an 802.11 management frame, they are not encrypted.
Control frames: 802.11 control frames assist with the delivery of the data frames. Control frames must be able to
be heard by all stations; therefore, they must be transmitted at one of the basic rates. Control frames are also
used to clear the channel, acquire the channel, and provide unicast frame acknowledgments. They contain only
header information and a trailer. Control frames do not have a frame body and therefore they are not encrypted.
Another difference between 802.3 and 802.11 frames is the addressing fields found in the MAC header.. 802.3
frames have only a source address (SA) and destination address (DA) in the MAC header. 802.11 frames have
four address fields in the MAC header. 802.11 frames typically use only three of the MAC address fields.
However, an 802.11 frame sent within a wireless distribution system (WDS) requires all four MAC addresses. The
contents of these four fields can include the following MAC addresses: receiver address (RA), transmitter address
(TA), basic service set identifier (BSSID), destination address (DA), and source address (SA). Certain frames may
not contain some of the address fields. Even though the number of address fields is different, both 802.3 and
802.11 identify a source address and a destination address, and use the same MAC address format. The first
three octets are known as the Organizationally Unique Identifier (OUI), and the last three octets are known as the
extension identifier.
Figure 15: Packet Capture
As shown in Figure 15, Aerohives HiveManager management server
allows an administrator to run captures of WLAN frames from any
HiveAP and save the data troubleshooting purposes. The packet capture
tool can capture management, control, and data frames for both transmit
and receive streams from the HiveAP. A network protocol analyzer

program, such as Wireshark can then be used to view the data. Any

HiveAP can also accept remote connections from Wireshark for realtime packet capturing.

Copyright 2011, Aerohive Networks, Inc.


Mobility and Roaming Basics

In todays world, end-users demand the freedom provided by WLAN mobility. Corporations also realize
productivity increases if end-users can access network resources wirelessly. Mobility requires that Wi-Fi client
stations have the ability to roam from one access point to another while maintaining network connectivity for
Upper-layer applications. This roaming ability is a MAC layer process known as reassociation. Because this
reassociation process allows for a client station to move from one basic service set (BSS) to another BSS, a more
technical term often used for roaming is BSS transition. Although the MAC layer roaming processes are clearly
defined by the IEEE, the 802.11 standard does not define client roaming thresholds and AP-to-AP handoff
Wi-Fi client stations always initiate the reassociation process at the MAC layer. In simpler words, clients make the
roaming decision and access points do not tell the client when to roam. What causes the client station to roam is
a set of proprietary rules determined by the manufacturer of the wireless card, usually defined by received signal
strength indicator (RSSI) thresholds. RSSI thresholds usually involve signal strength, noise level, and bit-error
rates. Even if a client is already associated with an access point, the client will continue to look for other access
points by sending out probe request frames. The probing client can evaluate the received signal strength of any
nearby access points that reply back to the client with a probe response frame. As shown in Figure 16, as the
client station moves away from the original access point with which it is associated and the signal drops below a
predetermined threshold, the client station will attempt to connect to a new target access point that has a stronger
signal. The client sends a frame, called the reassociation request frame to a target access point, to start the
roaming process. Wi-Fi client radios will have different thresholds that kick off the client reassociation process.
The bottom line is that clients make the roaming decision, and all client roaming thresholds are proprietary.

A target access point can welcome a potential client station to the BSS by responding with reassociation
response frame. However, as the station roams, the original access point and the target access point must
communicate with each other across the distribution system (DS) which is normally a wired Ethernet network.
AP-to-AP communications help to provide for a clean transition between the two APs. The backend AP-to-AP
communications that occurs is
proprietary to all Wi-Fi vendors. A target
access point can inform the original
access point that the client is roaming.
The original AP also can forward any of
the clients buffered packets to the
target access point. Most Wi-Fi vendors
must involve a WLAN controller that is
deployed way back in the core of the
network to accomplish these AP-AP
communications. Aerohive uses a
distributed cooperative-control protocol
called Aerohive Mobility Routing
Protocol (AMRP) between HiveAPs at
the edge of the network to speed up the
There is also a relationship that exists
between client security and roaming.
The 802.1X/EAP and PSK
authentication process both produce a
pairwise master key (PMK) that is later used to create final encryption keys that
Figure 16: Roaming
are unique to each client radio and the access point to which the client is
associated. Fast secure roaming methods are needed to distribute a client station
PMK between access points so that an 802.1X/EAP client will not have to reauthenticate with a RADIUS server


Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics
every time a client roams. Whether connected via the wired LAN or wireless mesh, HiveAPs cooperate with each
other using AMRP to predictively exchange client authentication
state, identity information, and encryption key information to neighboring HiveAPs, allowing clients to perform fast
and secure roaming.
Even though roaming occurs at layer 2, what
happens if client roams to AP that does not support
the same management and/ or user VLANs?
Mobility in typical IP networks is challenging
because as a user moves from subnet to subnet,
their IP settings change, which usually makes IPbased sessions or applications fail. As pictured in
Figure 17, if a client roams across layer 3
boundaries, the client traffic must be tunneled back
to the clients original subnet, which allows the
client to preserve its IP address settings and
maintain preserve application sessions. Aerohive
uses a protocol called Dynamic Network Extension
Protocol (DNXP) that tunnels user traffic between
HiveAPs at the edge on the network instead of
tunneling all the user traffic back to a WLAN

Figure 17: Layer 3 Roaming

Wi-Fi Security
When discussing Wi-Fi security, the two topics that are most often brought up are data privacy and authentication.
Since wireless is unbounded, and the signal can essentially be heard by anyone within listening range, measures
need to be taken to secure the transmission so that only the intended recipients can understand the message.
Therefore, data privacy should be considered mandatory. All essential user data must be encrypted prior to
transmission and then decrypted after being received. Layer 2 encryption is needed to protect the layers 3-7
MSDU payload that is encapsulated inside of 802.11 data frames.
The main purpose of an enterprise Wi-Fi network is to act as a wireless portal into a pre-existing wired network
and provide access to network resources. It is therefore necessary to protect the wireless portal with strong
authentication measures so that only authorized clients with proper credentials are provided with access to
network resources.
The IEEE 802.11 standard provides for what is known as a robust security network (RSN). An access point and a
client station must establish a procedure to authenticate and associate with each other as well as create unique
dynamic encryption keys through a process known as the 4-Way Handshake. Once a user authenticates a
pairwise master key (PMK) is created to act as the seed material for the 4-Way Handshake process that is used
to produce the final unique keys.
The Wi-Fi Alliance maintains the current Wi-Fi Protected Access 2 (WPA2) security certification that requires
CCMP/AES dynamic encryption key generation. The Wi-Fi Alliance WPA-2 Enterprise certification calls for the
use 802.1X/EAP authentication which requires RADIUS server deployment and skills. The WPA-2 Personal
certification calls for the use of simpler preshared key (PSK) authentication in a SOHO environment.
Client Connectivity Troubleshooting.
Aerohives client monitoring feature allows an admin you to monitor the authentication process a wireless client
goes through when connecting with a HiveAP as well as other ongoing client activity. This tool is useful in
troubleshooting issues where a client cannot complete the initial network connection process or is unable to roam
between HiveAPs. Very often the cause of the problem is mismatched authentication credentials. Figure 18

Copyright 2011, Aerohive Networks, Inc.


shows a screen capture of client using PSK authentication that failed to complete the 4-Way Handshake which is
used to produce unique dynamic encryption keys between an access point and a client. Because PSK
authentication provides a master seed key for the 4-Way Handshake to be completed, the PSK must match on
both the access point and the client. The Aerohive client monitoring tool can also be used to troubleshoot more
advances 802.1X/EAP authentication problems such as SSL certificate errors.
Figure 18: Client Monitor

Authentication Troubleshooting tools

802.1X/EAP requires communications between
HiveAPs and a RADIUS server to validate client
credentials. As shown in Figure 19, Aerohive
offers a RADIUS test tool to test the backend
communications between any HiveAP and a
RADIUS server database. If backend
communications are solid, the most likely cause
of the problem is a Wi-Fi client with
misconfigured EAP security credentials. All
HiveAPs can also function as an enterprise
RADIUS server which fully integrates with
Active Directory or any LDAP compliant
database. Aerohives HiveManager
management solution also provides AD/LDAP
integration test tools for troubleshooting.

Figure 19: RADIUS Test Tool

Private PSK

Client Isolation: Upper Layer Design


Copyright 2011, Aerohive Networks, Inc.

Wi-Fi Basics
The purpose of am 802.11 WLAN is to provide client mobility and to provide a secure wireless portal into a preexisting network infrastructure. The authentication security solutions we have discussed are used to initially guard
the WLAN portal by requiring the proper authorization credentials from the client users. Access to network
resources can be restricted further with the use of VLANs and firewall policies. In other words, when designing
and deploying an 802.11 WLAN, there will always be upper-layer design considerations.
Virtual local area networks (VLANs) are used to create separate broadcast domains in a layer 2 network and are
often used to restrict access to network resources without regard to
the physical topology of the network. VLANs are used extensively in switched 802.3 networks for both security
and segmentation purposes. In a Wi-Fi
environment, individual SSIDs can be mapped
Figure 20: Client
to individual VLANs. User traffic can be isolated
by the SSID/VLAN pair, while communicating
through a single access point. Each SSID can
then be configured with unique security
As shown in Figure 20, a common strategy is to
isolate wireless user traffic into separate VLANs
for data, voice and guest traffic. The SSID
mapped to the data VLAN will have normally
use strong 802.1X/EAP authentication security.
The voice VLAN SSID might be using a
different security solution such a PSK or Private
PSK authentication and the VoWiFi client phone
traffic is routed via a SIP gateway. An SSID
mapped to the Guest VLAN uses captive portal
authentication and all users are restricted away
from network resources and routed off to an
Internet gateway.
Every WLAN has a logical name (SSID), and
each WLAN BSS has a unique layer 2 identifier,
the basic service set identifier (BSSID). The BSSID is typically the MAC address of the access points radio card;
however, access points have the capability of creating multiple virtual BSSIDs. WLAN vendors allow for the
creation of virtual WLANs, each with a unique logical identifier (SSID) that is also assigned to a specific VLAN.
Because the BSSID is the MAC address of the AP and because multiple virtual WLANs can be supported from
the same physical AP, each virtual WLAN is typically linked with a unique virtual BSSID. This capability as
multiple basic service set identifier (MBSSID). As shown in Figure 20, the MBSSIDs are usually increments of the
original MAC address of the APs radio. Within each APs coverage area, multiple virtual WLANs can exist. Each
virtual WLAN has a logical name (SSID) and a unique virtual layer 2 identifier (BSSID), and each WLAN is
mapped to a unique layer 3 virtual local area network (VLAN). In other words, multiple layer 2/3 domains can exist
within one layer 1 domain. Try to envision multiple basic service sets (BSSs) that are linked to multiple VLANs,
yet they all exist within the same coverage area of a single access point.
Aerohive Networks provides User Profile configuration settings to allow administers to isolate user traffic into
separate VLANs per SSID and/or by location. Furthermore, RADIUS attributes can also be leveraged to assign
end-users from different Active Directory user groups into separate VLANs.
Client access to network resources can also be further restricted by implementing user traffic security policies.
Security policies for user traffic can be based on the identity of a user, or by SSID. Security policies give an
administrator the ability to enforce MAC address filters, MAC (layer 2) firewall policies, and IP (layer 3/layer 4)
firewall polices. Each HiveAP is capable of stateful deep packet inspection which allows for policy enforcement at
the edge on the network. When a client opens an application session, any open firewall state for that client will
follow the client as it roams between HiveAPs.

Copyright 2011, Aerohive Networks, Inc.


Every WLAN administrator should have an understanding of the basic of Wi-Fi. Knowledge of how Wi-Fi operates
at layers 1 and 2 and integrates into the upper layers is necessary for proper design, deployment, administration
and troubleshooting. The goal of this paper has been to give you a very brief introduction to these concepts. We
highly suggest the vendor-neutral Certified Wireless Networking Professional (CWNP) program which offers
career certifications and training in enterprise Wi-Fi technologies from beginner to expert levels. More information
can be found at

Additional Recommended Reading:

CWNA: Certified Wireless Network Administrator Official Study Guide: by David D. Coleman
and David A. Westcott - Sybex Publishing - ISBN# 0470438908

CWSP: Certified Wireless Security Professional Official Study Guide: by David D. Coleman,
Bryan Harkins, Shawn Jackman and David A. Westcott - Sybex Publishing - ISBN# 0470438916

802.11 Wireless Networks: The Definitive Guide, Second Edition by Matthew Gast - OReilly
Media - ISBN#0596100523

802.11n Technology Primer White Paper: by Aerohive


Copyright 2011, Aerohive Networks, Inc.