CWNA Chapter 9 – 802.11 MAC Architecture

My Notes from chapter 9 of the CWNA study guide

Packets, frames, and bits

  • As in the OSI model, data traverses down through each layer to be transmitted to the receiver and then back up the layers

Data-Link layer

  • Layer 2 of the OSI Model
  • Divided into two sublayers:
    • MAC Service Data Unit (MSDU)
      • When the Network layer (layer 3) sends data to the Data-Link layer, that data is handed off to the LLC and becomes known as the MAC Service Data Unit (MSDU).
      • A simple definition of the MSDU is that it is the data payload that contains the IP packet plus some LLC data.
      • The 802.11-2012 standard states that the maximum size of the MSDU is 2,304 bytes
      • 802.11n-2009 amendment, aggregate MSDU (A-MSDU) was introduced.
        • A-MSDU, the maximum frame body size is determined by the maximum A-MSDU size of 3,839 or 7,935 octets, depending upon the STA’s capability, plus any overhead from encryption
    • MAC Protocol Data Unit (MPDU)
      • When the LLC sublayer sends the MSDU to the MAC sublayer, the MAC header information is added to the MSDU to identify it
      • A simple definition of an 802.11 MPDU is that it is an 802.11 frame
      • 802.11 MPDU consists of the following three basic components:
        • MAC Header
          • Frame control information, duration information, MAC addressing, and sequence control information are all found in the MAC header. QoS data frames contain specific QoS control information
        • Frame Body
          • The frame body component can be variable in size and contains information that is different depending on the frame type and frame subtype. The MSDU upper layer payload is encapsulated in the frame body. The MSDU layer 3–7 payload is protected when using encryption.
        • Frame Check Sequence (FCS)
          • The FCS comprises a 32-bit cyclic-redundancy check (CRC) that is used to validate the integrity of received frames.

Physical layer

  • Layer 1 of the OSI Model
  • Divided into two sublayers:
    • PLCP Service Data Unit (PSDU)
      • Is a view of the MPDU from the Physical layer
    • PLCP Protocol Data Unit (PPDU)
      • When the PLCP receives the PSDU, it then prepares the PSDU to be transmitted and creates the PLCP Protocol Data Unit (PPDU).
      • PLCP adds a preamble and PHY header to the PSDU
      • The preamble is used for synchronization between transmitting and receiving 802.11 radios


802.11 and 802.3 interoperability

  • The portal is usually either an access point or a WLAN controller
  • Because the wired infrastructure is a different physical medium, an 802.11 data frame payload (MSDU) must be effectively transferred into an 802.3 Ethernet frame
  • All of the IEEE 802 frame formats share similar characteristics, including the 802.11 frame format
  • differences between 802.3 Ethernet and 802.11 wireless frames is the
  • This is rarely a problem thanks to the TCP/IP protocol suite. TCP/IP, the most common communications protocol used on networks, typically has an IP maximum transmission unit (MTU) of 1,500 bytes
  • The header of an 802.11 frame contains MAC addresses
  • A MAC address is one of the following two types:
    • Individual Address
      • also known as a unicast address
    • Group Address
      • multiple destination address
      • There are two kinds of group addresses
        • Multicast-Group Address
          • An address used by an upper-layer entity to define a logical group of stations is known as a multicast-group address
        • Broadcast Address
          • A group address that indicates all stations that belong to the network is known as a broadcast address

Three 802.11 frame types

  • Management frames
    • Make up a majority of the frame types in a WLAN
    • Another name for an 802.11 management frame is Management MAC Protocol Data Unit (MMPDU).
    • Do not carry any upper-layer information
    • The 14 management frame subtypes defined by the 802.11 standard and ratified amendments:
      • Association request
      • Association response
      • Reassociation request
      • Reassociation response
      • Probe request
      • Probe response
      • Beacon
      • Announcement traffic indication message (ATIM)
      • Disassociation
      • Authentication
      • Deauthentication
      • Action
      • Action No ACK
      • Timing advertisement
  • Control frames
    • Assist with the delivery of the data frames and are transmitted at one of the basic rates
    • The nine control frame subtypes defined by the 802.11 standard:
      • Power Save Poll (PS-Poll)
      • Request to send (RTS)
      • Clear to send (CTS)
      • Acknowledgment (ACK)
      • Contention Free-End (CF-End) [PCF Only]
      • CF-End + CF-ACK [PCF Only]
      • Block ACK Request (BlockAckReq) [HCF Only]
      • Block ACK (BlockAck) [HCF Only]
      • Control wrapper
  • Data frames
    • Carry the actual data that is passed down from the higher-layer protocols
    • Some 802.11 data frames carry no MSDU payload at all but do have a specific MAC control purpose within a BSS.
    • 15 data frame subtypes
      • Data (simple data frame)
      • Null function (no data)
      • Data + CF-ACK [PCF only]
      • Data + CF-Poll [PCF only]
      • Data + CF-ACK + CF-Poll [PCF only]
      • CF-ACK (no data) [PCF only]
      • CF-Poll (no data) [PCF only]
      • CF-ACK + CF-Poll (no data) [PCF only]
      • QoS Data [HCF]
      • QoS Null (no data) [HCF]
      • QoS Data + CF-ACK [HCF]
      • QoS Data + CF-Poll [HCF]
      • QoS Data + CF-ACK + CF-Poll [HCF]
      • QoS CF-Poll (no data) [HCF]
      • QoS CF-ACK + CF-Poll (no data) [HCF]
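To make the MPDU layout (MAC header, frame body, FCS), the individual/group address distinction, the type/subtype table above, and the Power Management and More Data bits discussed later all concrete, here is an added example parser. It is not code from the study guide or from any vendor; the sample beacon, QoS data and ACK frames it parses are constructed for the example, and the AP and client MAC addresses in them are made up.

```python
import struct
import zlib

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}

# Subtype values from the 802.11 standard, named as in the notes above.
MGMT_SUBTYPES = {
    0: "Association request", 1: "Association response",
    2: "Reassociation request", 3: "Reassociation response",
    4: "Probe request", 5: "Probe response", 6: "Timing advertisement",
    8: "Beacon", 9: "ATIM", 10: "Disassociation", 11: "Authentication",
    12: "Deauthentication", 13: "Action", 14: "Action No ACK",
}
CTRL_SUBTYPES = {
    7: "Control wrapper", 8: "BlockAckReq", 9: "BlockAck", 10: "PS-Poll",
    11: "RTS", 12: "CTS", 13: "ACK", 14: "CF-End", 15: "CF-End + CF-ACK",
}
DATA_SUBTYPES = {
    0: "Data", 1: "Data + CF-ACK", 2: "Data + CF-Poll", 3: "Data + CF-ACK + CF-Poll",
    4: "Null function", 5: "CF-ACK (no data)", 6: "CF-Poll (no data)",
    7: "CF-ACK + CF-Poll (no data)", 8: "QoS Data", 9: "QoS Data + CF-ACK",
    10: "QoS Data + CF-Poll", 11: "QoS Data + CF-ACK + CF-Poll",
    12: "QoS Null (no data)", 14: "QoS CF-Poll (no data)",
    15: "QoS CF-ACK + CF-Poll (no data)",
}


def addr_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify_address(b: bytes) -> str:
    """Individual vs. group address: the I/G bit is the least significant bit of the
    first octet; the all-ones group address is the broadcast address."""
    if b == b"\xff" * 6:
        return "broadcast"
    return "multicast-group" if b[0] & 0x01 else "individual"


def parse_frame(frame: bytes) -> dict:
    """Decode the MAC header of an 802.11 MPDU and check its 32-bit CRC FCS."""
    if len(frame) < 14:  # the 14-octet ACK is the shortest frame we accept
        raise ValueError("frame too short")
    mpdu, fcs = frame[:-4], frame[-4:]
    fc, duration = struct.unpack("<HH", mpdu[:4])
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES, 2: DATA_SUBTYPES}.get(ftype, {})
    info = {
        "version": fc & 0x3,
        "type": FRAME_TYPES.get(ftype, "Reserved"),
        "subtype": names.get(subtype, f"subtype {subtype}"),
        # Flag octet of the Frame Control field, bit 0 upwards
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "more_fragments": bool(flags & 0x04), "retry": bool(flags & 0x08),
        "power_management": bool(flags & 0x10), "more_data": bool(flags & 0x20),
        "protected": bool(flags & 0x40),
        "duration": duration,  # Duration/ID: NAV value (carries the AID in a PS-Poll)
        "fcs_ok": zlib.crc32(mpdu) == struct.unpack("<I", fcs)[0],
    }
    if ftype == 1:  # control frames: RA, plus TA for all but CTS and ACK
        info["ra"] = addr_to_str(mpdu[4:10])
        if subtype not in (12, 13):
            info["ta"] = addr_to_str(mpdu[10:16])
        return info
    if len(mpdu) < 24:
        raise ValueError("management/data frame header truncated")
    a1, a2, a3, seq = struct.unpack("<6s6s6sH", mpdu[4:24])
    info.update({
        "addr1": addr_to_str(a1), "addr1_kind": classify_address(a1),
        "addr2": addr_to_str(a2), "addr3": addr_to_str(a3),
        "fragment_number": seq & 0xF, "sequence_number": seq >> 4,
    })
    hdr_len = 24
    if ftype == 2 and subtype & 0x8:  # QoS data subtypes carry a QoS Control field
        info["qos_control"] = struct.unpack("<H", mpdu[24:26])[0]
        hdr_len = 26
    info["body"] = mpdu[hdr_len:]  # the MSDU payload (ciphertext when protected)
    return info


def build_frame(mpdu: bytes) -> bytes:
    """Append the FCS: CRC-32 over header and body, transmitted little-endian."""
    return mpdu + struct.pack("<I", zlib.crc32(mpdu))


AP = bytes.fromhex("001122334455")   # constructed sample BSSID
STA = bytes.fromhex("66778899aabb")  # constructed sample client address
BCAST = b"\xff" * 6

# Constructed beacon: type 0, subtype 8, DA = broadcast, SA = BSSID = AP, seq 1.
BEACON = build_frame(struct.pack("<HH", 0x0080, 0) + BCAST + AP + AP
                     + struct.pack("<H", 0x0010) + b"\x00" * 8 + struct.pack("<HH", 100, 0x0431))
# Constructed QoS Data frame, client -> AP (To DS=1) with Power Management=1, seq 5, TID 6.
DATA = build_frame(struct.pack("<HH", 0x1188, 44) + AP + STA + AP
                   + struct.pack("<HH", 0x0050, 0x0006) + b"hello from the client")
# Constructed 14-octet ACK addressed to the client.
ACK = build_frame(struct.pack("<HH", 0x00D4, 0) + STA)

if __name__ == "__main__":
    for name, f in (("beacon", BEACON), ("data", DATA), ("ack", ACK)):
        print(name, parse_frame(f))
```

The FCS check is the only integrity check the MAC header itself offers; it catches transmission errors, not tampering, which is why the notes later point at 802.11w for management frames.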

Beacon management frame (beacon)

  • One of the most important frame types
  • Essentially the heartbeat of the wireless network
  • AP of a basic service set sends the beacons while the clients listen for the beacon frames
  • Client stations only transmit beacons when participating in an independent basic service set (IBSS)
  • Beacon contains a time stamp, which client stations use to keep their clocks synchronized with the AP

Passive scanning

  • In order for a station to be able to connect to an AP, it must first discover an AP.
  • A station discovers an AP by either listening for an AP (passive scanning) or searching for an AP (active scanning)
  • In passive scanning, the client station listens for the beacon frames that are continuously being sent by the APs
  • The client station listens for beacons that contain the same SSID that has been preconfigured in the client station’s software utility
  • When the station hears one, it can then connect to that WLAN

Authentication

  • The first of two steps required to connect to the 802.11 basic service set
  • When an 802.11 device needs to communicate, it must first authenticate with the AP or with the other stations if it is configured for Ad Hoc mode
  • Open System authentication
    • Provides authentication without performing any type of client verification.
    • essentially an exchange of hellos between the client and the AP
    • no exchange or verification of identity takes place between the devices
  • Shared Key authentication
    • Not used anymore
    • Shared Key authentication uses WEP when authenticating client stations and requires that a static WEP key be configured on both the station and the AP
    • Shared Key authentication is a four-way authentication frame exchange:
      1. The client station sends an authentication request to the AP.
      2. The AP sends a cleartext challenge to the client station in an authentication response.
      3. The client station then encrypts the cleartext challenge and sends it back to the AP in the body of another authentication request frame.
      4. The AP then decrypts the station’s response and compares it to the challenge text. If they match, the AP will respond by sending a fourth and final authentication frame to the station, confirming the success. If they do not match, the AP will respond negatively. If the AP cannot decrypt the challenge, it will also respond negatively.
    • If successful, the same static WEP key that was used during the Shared Key authentication process will also be used to encrypt the 802.11 data frames.

Association

  • After a station has authenticated with the AP, the next step is for it to associate with the AP
  • When associated it becomes a member of a basic service set (BSS).
  • Association means that the client station can send data through the AP and on to the distribution system medium.
  • A client station sends an association request to the AP, seeking permission to join the BSS. The AP sends an association response to the client, either granting or denying permission to join the BSS.
  • Association occurs after Shared Key or Open System authentication

Authentication and association states

  • Authentication state: unauthenticated or authenticated
  • Association state: unassociated or associated


Basic and supported rates

  • Specific data rates can be configured for any AP as required rates.
  • The 802.11-2012 standard defines required rates as basic rates
  • In order for a client station to successfully associate with an AP, the station must be capable of communicating by using the configured basic rates that the AP requires
  • In addition to the basic rates, the AP defines a set of supported rates
  • The supported rates are data rates that the AP offers to a client station, but the client station does not have to support all of them.

Roaming

  • The 802.11 standard provides the ability for client stations to transition from one AP to another while maintaining network connectivity for the upper-layer applications
  • The 802.11 standard does not specifically define what roaming is
  • The decision to roam is currently made by the client station
  • A station can be authenticated to multiple APs but associated to only one AP
  • Some WLAN vendors attempt to encourage or discourage roaming by manipulating the client station with the use of management frames
  • As the client station roams, the original AP and the new AP should communicate with each other across the distribution system medium and help provide a clean transition between the two.

Reassociation

  • When a client station decides to roam to a new AP, it will send a Reassociation request frame to the new AP
  • you are reassociating to the SSID of the wireless network

Disassociation

  • Disassociation is a notification, not a request
  • If a station wants to disassociate from an AP, or an AP wants to disassociate from stations, either device can send a disassociation frame.
  • This is a polite way of terminating the association
  • Disassociation cannot be refused by either party, except when management frame protection (defined in 802.11w) is negotiated and the message integrity check (MIC) fails.

Deauthentication

  • Deauthentication is a notification, not a request
  • If a station wants to deauthenticate from an AP, or an AP wants to deauthenticate from stations, either device can send a Deauthentication frame
  • Deauthentication frame will automatically cause a disassociation to occur.
  • Cannot be refused by either party, except when management frame protection (defined in 802.11w) is negotiated and the message integrity check (MIC) fails.
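The authentication, association, disassociation and deauthentication rules in the sections above fit naturally into a small AP-side state machine. The following is an added example written for these notes, not code from the study guide or any AP vendor; the station names, the basic-rate set and the "open"/"shared-key" algorithm labels are made up for the example, and the MIC check is represented by a boolean rather than a real 802.11w BIP computation.

```python
STATE_1 = "unauthenticated, unassociated"
STATE_2 = "authenticated, unassociated"
STATE_3 = "authenticated, associated"


class AccessPoint:
    """Tracks each station's authentication and association state, AP side."""

    def __init__(self, basic_rates):
        self.basic_rates = set(basic_rates)  # required rates every client must support
        self.authenticated = set()
        self.associated = {}                 # station -> association identifier (AID)
        self.mfp = set()                     # stations that negotiated 802.11w protection
        self.next_aid = 1

    def state(self, sta):
        if sta in self.associated:
            return STATE_3
        if sta in self.authenticated:
            return STATE_2
        return STATE_1

    def on_authentication(self, sta, algorithm):
        # Open System verifies nothing about the client; it is an exchange of hellos.
        # Shared Key (WEP) is refused here because, as the notes say, it is not used anymore.
        if algorithm != "open":
            return f"refused: {algorithm} not supported"
        self.authenticated.add(sta)
        return "success"

    def on_association(self, sta, supported_rates, mfp=False):
        if sta not in self.authenticated:
            return "refused: station must authenticate first"
        missing = self.basic_rates - set(supported_rates)
        if missing:  # the client must speak every basic rate the AP requires
            return f"refused: basic rates {sorted(missing)} not supported"
        if sta not in self.associated:  # an association request from a member keeps its AID
            self.associated[sta] = self.next_aid
            self.next_aid += 1
        if mfp:
            self.mfp.add(sta)
        return f"success, AID {self.associated[sta]}"

    def _discard(self, sta, mic_valid):
        # Disassociation and deauthentication are notifications and cannot be refused,
        # except when management frame protection was negotiated and the MIC fails.
        return sta in self.mfp and not mic_valid

    def on_disassociation(self, sta, mic_valid=True):
        if self._discard(sta, mic_valid):
            return "discarded: 802.11w MIC check failed"
        self.associated.pop(sta, None)       # back to authenticated, unassociated
        return "disassociated"

    def on_deauthentication(self, sta, mic_valid=True):
        if self._discard(sta, mic_valid):
            return "discarded: 802.11w MIC check failed"
        self.associated.pop(sta, None)       # deauthentication implies disassociation
        self.authenticated.discard(sta)
        self.mfp.discard(sta)
        return "deauthenticated"


if __name__ == "__main__":
    ap = AccessPoint(basic_rates={1, 2, 5.5, 11})
    for step in (lambda: ap.on_association("sta1", [1, 2, 5.5, 11]),
                 lambda: ap.on_authentication("sta1", "open"),
                 lambda: ap.on_association("sta1", [1, 2, 5.5, 11, 54], mfp=True),
                 lambda: ap.on_disassociation("sta1", mic_valid=False),
                 lambda: ap.on_deauthentication("sta1")):
        print(step(), "->", ap.state("sta1"))
```

The contrast between a station that negotiated protection and one that did not is the point: for the latter, a deauthentication with a failed (or absent) MIC is still honoured, which is exactly the behaviour 802.11w was added to change.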

ACK Frame

  • One of the nine control frames and one of the key components of the 802.11 CSMA/CA medium access control method
  • A simple frame consisting of 14 octets of information
  • When a station receives data, it waits for a short period of time known as a short interframe space (SIFS). The receiving station copies the MAC address of the transmitting station from the data frame and places it in the Receiver Address (RA) field of the ACK frame
  • Every unicast frame must be followed by an ACK frame
  • If a unicast frame is not followed by an ACK, it is retransmitted.
  • With a few rare exceptions, broadcast and multicast frames do not require acknowledgment.

Fragmentation

  • The 802.11-2012 standard allows for fragmentation of frames
  • Fragmentation breaks an 802.11 frame into smaller pieces known as fragments, adds header information to each fragment, and transmits each fragment individually.
  • In a properly functioning 802.11 network, smaller fragments will actually decrease data throughput because of the MAC sublayer overhead of the additional header, SIFS, and ACK of each fragment

Protection Mechanism

  • In order for 802.11g, 802.11b, and legacy 802.11 stations to coexist within the same BSS, the 802.11g devices enable what is referred to as the protection mechanism
  • Vendors often offer three configuration modes for 802.11g APs:
    • 802.11b-Only Mode
      • Aggregate throughput will be the same as achieved in an 802.11b network
    • 802.11g-Only Mode
      • APs configured as g-only will communicate with only 802.11g client stations using ERP-OFDM technology
    • 802.11b/g Mode
      • The default operational mode of most 802.11g APs
      • Support for DSSS, HR-DSSS, and OFDM is enabled
  • Vendor configurations are not part of the 802.11-2012 standard
  • The standard mandates support for 802.11 Clause 16 devices, 802.11b Clause 17 devices, and 802.11g Clause 19 devices within the ERP basic service set
  • If an 802.11g device were to transmit a data frame, 802.11b devices would not be able to interpret the data frame or the Duration/ID value
  • The 802.11b devices would not set their NAV timers and could incorrectly believe that the medium is available.
  • To prevent this from happening, the 802.11g ERP stations switch into what is known as Protected mode.
  • In a mixed-mode environment, when an 802.11g device wants to transmit data, it will first perform a NAV distribution by transmitting a request to send/clear to send (RTS/CTS) exchange with the AP or by transmitting a CTS-to-Self using a data rate and modulation method that the 802.11b HR-DSSS stations can understand
  • The RTS/CTS or CTS-to-Self will hopefully be heard and understood by all of the 802.11b and 802.11g stations
  • The RTS/CTS or CTS-to-Self will contain a Duration/ID value that will be used by all of the listening stations to set their NAV timers
  • After the RTS/CTS or CTS-to-Self has been used to reserve the medium, the 802.11g station can transmit a data frame by using OFDM modulation without worrying about collisions with 802.11b HR-DSSS or legacy 802.11 DSSS stations
  • The following are three scenarios that can trigger protection in an ERP basic service set:
    • An HR-DSSS (802.11b) client association will trigger protection.
    • An 802.11g AP hears a beacon frame from an 802.11 or 802.11b AP or ad hoc client
    • An ERP AP hears a management frame (other than a probe request) in which the supported rates include only 802.11 or 802.11b rates; the Non ERP Present bit may then be set to 1

Request to send/clear to send (RTS/CTS)

  • If a station cannot hear the other stations, or cannot be heard by the other stations, there is a greater likelihood that a collision can occur
  • RTS/CTS is a mechanism that performs a NAV distribution and helps prevent collisions from occurring
  • This NAV distribution reserves the medium prior to the transmission of the data frame

CTS-to-Self

  • Used strictly as a protection mechanism for mixed-mode environments
  • CTS notifies all other stations that they must wait until the DATA and ACK have been transmitted
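The NAV distribution described in the protection mechanism, RTS/CTS and CTS-to-Self sections can be checked with a small model: stations only set their NAV from frames they can decode, so an OFDM data frame is invisible to an HR-DSSS (802.11b) station until a DSSS-modulated CTS-to-Self reserves the medium first. This is an added example for these notes, not code from the study guide. The SIFS value and the frame airtimes (a 14-octet CTS/ACK at 1 Mb/s with a long preamble, a 1,500-octet data frame at 54 Mb/s) are assumed round figures for the example, and the Duration/ID arithmetic follows the standard's RTS/CTS/data/ACK chain.

```python
from dataclasses import dataclass

SIFS_US = 10          # assumed: SIFS of an ERP (802.11g) BSS in the 2.4 GHz band
CTS_US = 304          # assumed: 14-octet CTS or ACK at 1 Mb/s DSSS, long preamble
ACK_US = 304
DATA_OFDM_US = 242    # assumed: 1,500-octet data frame at 54 Mb/s ERP-OFDM


@dataclass
class Station:
    name: str
    phys: set           # modulations this radio can decode, e.g. {"DSSS"} or {"DSSS", "OFDM"}
    nav_until: int = 0  # microseconds; the station treats the medium as reserved until then

    def update_nav(self, frame):
        # The Duration/ID value only reaches stations that can demodulate the frame.
        if frame["modulation"] in self.phys:
            self.nav_until = max(self.nav_until, frame["end"] + frame["duration"])

    def medium_free(self, t):
        return t >= self.nav_until


def rts_duration_us(data_us, cts_us=CTS_US, ack_us=ACK_US, sifs=SIFS_US):
    """Duration/ID in an RTS: the CTS, the data frame and the ACK plus the three SIFS."""
    return sifs + cts_us + sifs + data_us + sifs + ack_us


def cts_duration_us(rts_duration, cts_us=CTS_US, sifs=SIFS_US):
    """Duration/ID in the CTS reply: what the RTS announced, minus the CTS itself and one SIFS."""
    return rts_duration - sifs - cts_us


def cts_to_self_duration_us(data_us, ack_us=ACK_US, sifs=SIFS_US):
    """Duration/ID in a CTS-to-Self: SIFS + data + SIFS + ACK."""
    return sifs + data_us + sifs + ack_us


def transmit(stations, start, airtime, modulation, duration):
    """Put one frame on the air and let every listening station update its NAV."""
    frame = {"start": start, "end": start + airtime, "modulation": modulation, "duration": duration}
    for s in stations:
        s.update_nav(frame)
    return frame["end"]


def ofdm_data_exchange(stations, start=0, protect=True):
    """One OFDM data frame and its ACK, optionally preceded by a DSSS CTS-to-Self.
    Returns, per station, whether it believed the medium was free halfway through the data frame."""
    t = start
    if protect:
        t = transmit(stations, t, CTS_US, "DSSS", cts_to_self_duration_us(DATA_OFDM_US)) + SIFS_US
    data_end = transmit(stations, t, DATA_OFDM_US, "OFDM", SIFS_US + ACK_US)
    believes_free = {s.name: s.medium_free(t + DATA_OFDM_US // 2) for s in stations}
    transmit(stations, data_end + SIFS_US, ACK_US, "DSSS", 0)  # ACK at a basic rate, no more fragments
    return believes_free


if __name__ == "__main__":
    for protect in (False, True):
        listeners = [Station("sta-b", {"DSSS"}), Station("sta-g", {"DSSS", "OFDM"})]
        print("protection" if protect else "no protection", ofdm_data_exchange(listeners, protect=protect))
```

Without protection the 802.11b station never sets its NAV for the OFDM frame and may start transmitting into it; with the CTS-to-Self every station in the BSS holds off until the ACK has cleared, at the cost of the extra DSSS airtime.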

Data Frames

  • 15 subtypes of data frames
  • The most common data frame is the simple data frame, which has MSDU upper-layer information encapsulated in the frame body.
  • The null function frame is used by client stations to inform the AP of changes in Power Save status by changing the Power Management bit

Power Management

  • Active Mode
    • A legacy power-management mode used by very old 802.11 stations
    • When a station is set for Active mode, the wireless station is always ready to transmit or receive data.
    • It provides no battery conservation
    • In the MAC header of an 802.11 frame, the Power Management field is 1 bit in length and is used to indicate the power-management mode of the station. A value of 0 indicates that the station is in Active mode
  • Power Save Mode
    • Optional mode for 802.11 stations
    • When a client station is set for Power Save mode, it will shut down some of the transceiver components for a period of time to conserve power
    • The station indicates that it is using Power Save mode by changing the value of the Power Management bit to 1
    • The AP is informed that the client station is using power management, and the AP buffers all of that client’s 802.11 frames.
  • Traffic Indication Map (TIM)
    • If a station is part of a basic service set, it will notify the AP that it is enabling Power Save mode by changing the Power Management field to 1.
    • If the AP then receives any data that is destined for the station in Power Save mode, the AP will store the information in a buffer.
    • Any time a station associates to an AP, the station receives an association identifier (AID).
    • If the AP is buffering data for a station in Power Save mode, when the AP transmits its next beacon, the AID of the station will be seen in a field of the beacon frame known as the traffic indication map (TIM).
    • TIM field is a list of all stations that have undelivered data buffered on the AP
    • Every beacon will include the AID of the station until the data is delivered.
    • After the station notifies the AP that it is in Power Save mode, the station shuts down part of its transceiver to conserve energy. A station can be in one of two states, either awake or doze:
      • During the awake state, the client station can receive frames and transmit frames.
      • During the doze state, the client station cannot receive or transmit any frames and operates in a very low power state to conserve power.
    • When the station receives the beacon, it checks to see whether its AID is set in the TIM, indicating that a buffered unicast frame waits.
    • If so, the station will remain awake and will send a PS-Poll frame to the AP.
    • When the AP receives the PS-Poll frame, it will send the buffered unicast frame to the station.
    • Each unicast frame contains a 1-bit field called the More Data field.
    • When the station receives a buffered unicast frame with the More Data field set to 1, the station knows that it cannot go back to sleep yet because there is some more buffered data that it has not yet received.
    • When the More Data field is set to 1, the station knows that it needs to send another PS-Poll frame and wait to receive the next buffered unicast frame.
    • After all of the buffered unicast frames have been sent, the More Data field in the last buffered frame will be set to 0, indicating that there is currently no more buffered data, and the station will go back to sleep
  • Delivery Traffic Indication Message (DTIM)
    • A delivery traffic indication map (DTIM) is used to ensure that all stations using power management are awake when multicast or broadcast traffic is sent
    • DTIM is a special type of TIM. A TIM or DTIM is transmitted as part of every beacon.
    • All stations will wake up in time to receive the beacon with the DTIM
    • If the AP has multicast or broadcast traffic to be sent, it will transmit the beacon with the DTIM and then immediately send the multicast or broadcast data.
    • A misconfigured DTIM interval would cause performance issues during a push-to-talk multicast
  • Announcement Traffic Indication Message (ATIM)
    • If a station is part of an IBSS, there is no central AP to buffer data while the stations are in Power Save mode
    • A station will notify the other stations that it is enabling Power Save mode by changing the Power Management field to 1.
    • When the station transmits a frame with this field set to 1, the other stations know to buffer any data that they may have for this station because this station is now in Power Save mode.
    • During the ATIM window, if a station has buffered data for another station, it will send a unicast frame known as an ATIM frame to the other station.
    • Do not confuse the ATIM frame with the TIM field. The ATIM is a frame used for power management by ad hoc clients not communicating through an AP
  • WMM Power Save and U-APSD
    • IEEE 802.11e amendment also introduced an enhanced power-management method called automatic power save delivery (APSD)
    • The two APSD methods that are defined are:
      • Scheduled automatic power save delivery (S-APSD)
      • Unscheduled automatic power save delivery (U-APSD).
        • The Wi-Fi Alliance’s WMM Power Save (WMM-PS) certification is based on U-APSD
        • The goal of WMM-PS is to have client devices spend more time in a doze state and consume less power
        • WMM-PS uses a trigger mechanism to receive buffered unicast traffic based on WMM access categories.
  • 802.11n Power Management
    • 802.11n-2009 amendment also defines two new power-management methods
      • Spatial multiplexing power save (SM power save)
        • The purpose of SM power save is to enable a MIMO 802.11n device to power down all but one of its radio chains
      • Power save multi-poll (PSMP)
        • PSMP is an extension of automatic power save delivery (APSD), which was defined by the 802.11e amendment.
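The TIM and DTIM subsections above describe what a station looks for in a beacon but not how the AID list is actually carried. The following added example encodes and decodes the TIM information element the way the 802.11 standard lays it out (element ID 5, DTIM count, DTIM period, a Bitmap Control octet holding the group-traffic indicator and a bitmap offset, and a partial virtual bitmap in which bit N stands for AID N), then derives the station's decision from it. This is example code written for these notes, not from the study guide or any AP or client implementation; the AIDs and DTIM settings used are made up.

```python
TIM_ELEMENT_ID = 5
VBM_OCTETS = 251  # 2008-bit traffic-indication virtual bitmap, one bit per AID


def build_tim(buffered_aids, dtim_count, dtim_period, group_traffic=False):
    """Encode a TIM element listing the stations that have unicast data buffered on the AP."""
    vbm = bytearray(VBM_OCTETS)
    for aid in buffered_aids:
        if not 1 <= aid <= 2007:
            raise ValueError(f"AID {aid} out of range")
        vbm[aid // 8] |= 1 << (aid % 8)  # bit N of the virtual bitmap <-> AID N
    nonzero = [i for i, octet in enumerate(vbm) if octet]
    if nonzero:
        n1 = nonzero[0] & ~1  # largest even number such that octets 0..N1-1 are all zero
        n2 = nonzero[-1]      # smallest number such that octets N2+1..250 are all zero
    else:
        n1 = n2 = 0           # nothing buffered: a single zero octet is sent
    partial = bytes(vbm[n1:n2 + 1])
    # Bitmap Control: bit 0 = broadcast/multicast traffic indicator (meaningful in a DTIM),
    # bits 1-7 = bitmap offset N1/2, so the receiver can place the partial bitmap.
    bitmap_control = (1 if group_traffic and dtim_count == 0 else 0) | ((n1 // 2) << 1)
    body = bytes([dtim_count, dtim_period, bitmap_control]) + partial
    return bytes([TIM_ELEMENT_ID, len(body)]) + body


def parse_tim(element):
    """Decode a TIM element back into DTIM state and the list of AIDs with buffered data."""
    if element[0] != TIM_ELEMENT_ID or element[1] != len(element) - 2:
        raise ValueError("not a well-formed TIM element")
    dtim_count, dtim_period, bitmap_control = element[2], element[3], element[4]
    offset = (bitmap_control >> 1) * 2
    aids = [
        (offset + i) * 8 + bit
        for i, octet in enumerate(element[5:])
        for bit in range(8)
        if octet & (1 << bit) and (offset + i) * 8 + bit != 0  # bit 0 / AID 0 is reserved
    ]
    return {
        "dtim_count": dtim_count, "dtim_period": dtim_period,
        "is_dtim": dtim_count == 0,  # a TIM with DTIM count 0 is the DTIM
        "group_traffic": bool(bitmap_control & 1),
        "buffered_aids": aids,
    }


def station_action(element, my_aid):
    """What a dozing station does after reading the TIM carried in a beacon."""
    tim = parse_tim(element)
    if my_aid in tim["buffered_aids"]:
        return "stay awake and send PS-Poll"          # unicast frames are buffered for us
    if tim["is_dtim"] and tim["group_traffic"]:
        return "stay awake for broadcast/multicast"   # group data follows the DTIM beacon immediately
    return "doze"


if __name__ == "__main__":
    tim = build_tim({3, 17, 1000}, dtim_count=0, dtim_period=3, group_traffic=True)
    print(tim.hex(), parse_tim(tim))
    for aid in (3, 7):
        print(aid, station_action(tim, aid))
```

Because only the span between the first and last non-zero octet is sent, a single station with a high AID still produces a short element; the bitmap offset is what lets the receiver recover the absolute AID, and a decoder that ignores it will misread every AID above 15.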

One thought on “CWNA Chapter 9 – 802.11 MAC Architecture”

  1. Chris

    Very nice notes!
    One thing I thought I’d point out that I recently discovered… regarding the .11b protection mechanisms – Not only will an .11b association cause protection, but even a FAILED association by an .11b STA will cause it too!

