Wednesday, 27 April 2016

Delivering Packets from the Wireless to Wired Network

Step-1 Client A wants to send traffic to Client B.
Step-2 Client A determines that the IP address of Client B is not on the same subnet.
Step-3 Client A decides to send the traffic to the default gateway, 10.99.99.5.
Step-4 Client A looks in its ARP table for a mapping to the gateway, but it is not there.
Step-5 Client A creates an ARP request and sends it to the AP.
ARPing for the Gateway
On a wired network, the Ethernet header has only two MAC addresses: the source address and the destination address.
An 802.11 frame can have up to four addresses:
Source address (SA)
Destination address (DA)
Transmitter address (TA)
Receiver address (RA)

In this situation, the SA is the MAC address of the client sending the ARP request, the DA is the broadcast address (for the ARP request), and the RA is the MAC address of the AP. No separate TA is present in this example.
 
The AP receives the ARP request and sees its own MAC address as the RA. Then:
Step-6 The AP verifies the frame check sequence (FCS) of the frame and waits for the short interframe space (SIFS) time.
Step-7 When the SIFS time expires, the AP sends an ACK back to the wireless client that sent the ARP request.
Step-8 The AP then forwards the frame to the WLC using the Lightweight Access Point Protocol (LWAPP).
 

Step-9 LWAPP encapsulates the 802.11 frame inside a 6-byte LWAPP header. The encapsulated packet is sent with the AP's IP and MAC address as the source and the WLC's IP and MAC address as the destination.

Step-10 When the WLC receives the LWAPP frame, it opens the frame (the ARP request) and rewrites the ARP request into an 802.3 frame that can be sent across the wired network.
Step-11 The first address from the 802.11 frame is dropped, the second address becomes the source address of the new 802.3 frame, and the third address, the broadcast address, becomes the destination address.
Step-12 The WLC then forwards the ARP request, in 802.3 format, across the wired network.
Step-13 As switches receive the ARP request, they read the destination MAC address, which is a broadcast, and flood the frame out all ports except the one it came in on. The exception to this rule is when VLANs are in use, in which case the frame is flooded only to the ports that are members of the same VLAN.
Step-14 The frame is received by a Layer 3 device, hopefully the default gateway. The router (default gateway) receives the ARP request and responds with its MAC address.
Step-15 The ARP response is sent back as a unicast frame, so the switches in the path forward it directly out the port that leads back to the wireless client rather than flooding it out all ports.
Step-16 Eventually the frame is received by the WLC, which must rebuild it as an 802.11 frame. When the WLC rewrites the frame, it places the DA as address 1, the SA as address 3, and the TA as address 2, which is the SSID of the AP.
Step-17 The newly formed 802.11 frame is placed inside an LWAPP header with the AP's IP and MAC address as the destination and the WLC's IP and MAC address as the source. The LWAPP frame is forwarded to the AP.
Step-18 The AP removes the LWAPP header, exposing the 802.11 frame. The 802.11 frame is buffered, and the process of sending a frame on the wireless network begins.
Step-19 The AP starts a back-off timer and begins counting down. If a wireless frame is heard during the countdown, the reservation (duration) carried in the heard frame is added to the countdown and the AP continues.
Step-20 When the timer expires, the frame is sent as an 802.11 frame. The client, upon receiving the frame, sends an ACK after waiting the SIFS time.
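The address rewrite in steps 11 and 16 is easy to get wrong, so here is the translation both ways in code. This is an added example, not code from the post or from Cisco: the frame layouts are modelled as small dataclasses, the MAC addresses in main() are constructed, and the bridging function first checks that the frame's receiver address really is this AP's radio MAC (its BSSID) before it bridges anything onto the wire.

```python
"""802.11 <-> 802.3 address translation, as the WLC does in steps 11 and 16.

Added example; this is not code from the post or from Cisco. Frame layouts
and the MAC addresses in main() are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Dot11Frame:
    to_ds: bool
    from_ds: bool
    addr1: str                   # address 1: receiver address (RA)
    addr2: str                   # address 2: transmitter address (TA)
    addr3: str                   # address 3: DA when ToDS=1, SA when FromDS=1
    addr4: Optional[str] = None  # address 4: only on ToDS=1, FromDS=1 (WDS) frames


@dataclass
class Dot3Frame:
    dst: str                     # Ethernet destination MAC
    src: str                     # Ethernet source MAC


def dot11_to_dot3(frame: Dot11Frame, bssid: str) -> Dot3Frame:
    """Step 11: bridge a client-to-AP frame onto the wire.

    Address 1 (the AP) is dropped, address 2 becomes the Ethernet source and
    address 3 (the broadcast address for the ARP request) the destination.
    The RA is checked against the BSSID first: a frame addressed to another
    AP's radio must not be bridged by this one.
    """
    if frame.addr1.lower() != bssid.lower():
        raise ValueError("frame is not addressed to this AP (RA != BSSID)")
    if frame.to_ds and not frame.from_ds:
        return Dot3Frame(dst=frame.addr3, src=frame.addr2)
    if frame.to_ds and frame.from_ds:
        # Four-address (WDS) frame: address 3 is the DA, address 4 the SA.
        return Dot3Frame(dst=frame.addr3, src=frame.addr4)
    raise ValueError("frame is not heading to the distribution system (ToDS=0)")


def dot3_to_dot11(eth: Dot3Frame, bssid: str) -> Dot11Frame:
    """Step 16: rebuild a wired reply as an AP-to-client (FromDS=1) frame.

    Address 1 = DA (the client, which is also the RA), address 2 = TA (the
    AP's radio MAC, its BSSID), address 3 = SA (the gateway that answered).
    """
    return Dot11Frame(to_ds=False, from_ds=True,
                      addr1=eth.dst, addr2=bssid, addr3=eth.src)


def main():
    client = "00:11:22:33:44:55"      # constructed client MAC
    bssid = "00:0b:85:aa:bb:cc"       # constructed AP radio MAC
    gateway = "00:aa:bb:cc:dd:ee"     # constructed default-gateway MAC

    # Steps 5-11: the client's ARP request goes client -> AP -> WLC -> wire.
    arp_req = Dot11Frame(to_ds=True, from_ds=False,
                         addr1=bssid, addr2=client, addr3=BROADCAST)
    wired = dot11_to_dot3(arp_req, bssid)
    print(f"802.3 ARP request: dst={wired.dst} src={wired.src}")

    # Steps 14-16: the gateway's unicast reply comes back and is re-wrapped.
    arp_reply = Dot3Frame(dst=client, src=gateway)
    wireless = dot3_to_dot11(arp_reply, bssid)
    print(f"802.11 ARP reply: addr1={wireless.addr1} addr2={wireless.addr2} "
          f"addr3={wireless.addr3} FromDS={wireless.from_ds}")


if __name__ == "__main__":
    main()
```

The ToDS/FromDS flags decide which address slot carries the DA and SA; the RA-equals-BSSID check is the kind of sanity check a bridge should make before moving a frame between media.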
 
WLC Receives ARP Reply from Gateway and Converts It to LWAPP


Frequency Bands Used in WLANs


Electromagnetic Spectrum

ELF : Extremely Low Frequency
ULF : Ultra Low Frequency
SLF : Super Low Frequency
VLF : Very Low Frequency

Usable Frequency Bands in Europe, USA and Japan

Bands used:
900 MHz:
Range: 902 MHz to 928 MHz
Used: cordless phones
2.4 GHz:
Range: 2.400 GHz to 2.4835 GHz
Used: WLAN (802.11b, 802.11g and 802.11n)
Possible channels: 11
Non-overlapping channels: 3
5 GHz:
Range: 5.18 GHz to 5.8 GHz
Used: WLAN (802.11a, 802.11n and 802.11ac)
Possible channels: 24
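Why 11 possible channels in the 2.4 GHz band give only 3 non-overlapping ones follows from the channel spacing and channel width, which this added example computes. It is not code from the post; it assumes the standard 2.4 GHz channel plan (channel n centred at 2407 + 5n MHz for n = 1..13, channel 14 at 2484 MHz) and an occupied width of about 22 MHz for 802.11b or 20 MHz for 802.11g/n OFDM. It goes slightly beyond the post's figures by also showing the 13-channel European plan, where 20 MHz channels allow four non-overlapping channels.

```python
"""Which 2.4 GHz channels do not overlap?

Added example, not from the post. It assumes the standard 2.4 GHz channel
plan: channel n (1-13) is centred at 2407 + 5*n MHz and channel 14 at
2484 MHz; an 802.11b channel occupies roughly 22 MHz (about 11 MHz either
side of its centre) and an 802.11g/n OFDM channel 20 MHz.
"""


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(a: int, b: int, width_mhz: float = 22.0) -> bool:
    """True if the two channels' occupied bands share spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping_set(channels, width_mhz: float = 22.0):
    """Largest set of mutually non-overlapping channels drawn from `channels`.

    Greedy by ascending centre frequency; for equal-width bands this is the
    classic interval-scheduling argument, so the result is maximal.
    """
    kept = []
    for ch in sorted(channels):
        if all(not overlaps(ch, k, width_mhz) for k in kept):
            kept.append(ch)
    return kept


def overlap_report(channels, width_mhz: float = 22.0):
    """For each channel, the other channels it overlaps with (site-survey aid)."""
    return {ch: [o for o in channels if o != ch and overlaps(ch, o, width_mhz)]
            for ch in channels}


if __name__ == "__main__":
    usa = range(1, 12)      # 11 channels allowed in the USA
    europe = range(1, 14)   # 13 channels allowed in most of Europe
    print("USA, 22 MHz (802.11b):", non_overlapping_set(usa))              # [1, 6, 11]
    print("Europe, 22 MHz:", non_overlapping_set(europe))                   # [1, 6, 11]
    print("Europe, 20 MHz (802.11g/n):", non_overlapping_set(europe, 20.0))  # [1, 5, 9, 13]
    for ch, others in overlap_report(usa).items():
        print(f"channel {ch:2d} ({center_mhz(ch)} MHz) overlaps {others}")
```

With 22 MHz channels spaced 5 MHz apart, a channel overlaps the four channels on either side of it, which is why 1, 6 and 11 are the usual choice.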




2.4 GHz Band

Non-Overlapping Channels for 2.4 GHz WLAN

5 GHz Channel Use




Controller Discovery and Association

How AP Joins WLC – 1

Lightweight access points cannot act independently; they are managed by a controller.
This is a two-step process:
Discover (discover the controller)
Register (register with, or join, the controller)
How AP Joins WLC – 2
The management interface handles the discovery, whereas the AP-manager interface handles the join.

 
Note: Some controllers have only one interface, which acts as both the management and the AP-manager interface.
Types of Discovery
1. Broadcast
2. Local NVRAM
3. OTAP
4. DHCP option 43 (Dynamic Host Configuration Protocol option 43)
5. DNS (Domain Name System)
 
Broadcast
1. Layer 2 LWAPP WLC discovery algorithm: LAPs that support Layer 2 LWAPP mode broadcast an LWAPP discovery request message in a Layer 2 LWAPP frame. If there is a WLC in the network configured for Layer 2 LWAPP mode, the controller responds with a discovery response. Most LAPs and WLCs do not support Layer 2 LWAPP.
2. Layer 3 LWAPP WLC discovery algorithm: If Layer 2 LWAPP discovery fails, the LAP uses Layer 3 LWAPP. The Layer 3 LWAPP WLC discovery algorithm is used to build a controller list. After the controller list is built, the AP selects a WLC and attempts to join it. The Layer 3 LWAPP WLC discovery algorithm repeats until at least one WLC is found and joined.
The Layer 3 process involves these steps. After the LAP gets an IP address from the DHCP server, it begins the discovery process:
a. The LAP broadcasts a Layer 3 LWAPP discovery message on the local IP subnet. Any WLC that is configured for Layer 3 LWAPP mode and is connected to the same local subnet receives the Layer 3 LWAPP discovery message.
b. Each WLC that receives the LWAPP discovery message replies with a unicast LWAPP discovery response message to the LAP.


Debug:

To debug the Layer 2 LWAPP discovery process, use this command on the controller:
(Cisco Controller) >debug lwapp events enable
Mon May 22 12:00:21 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to ff:ff:ff:ff:ff:ff on port '1'
Mon May 22 12:00:21 2006: Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:5b:fb:d0 on Port 1
To debug the Layer 3 LWAPP discovery process, use this command on the controller:
(Cisco Controller) >debug lwapp packet enable
Tue May 23 12:37:50 2006: Start of Packet
Tue May 23 12:37:50 2006: Ethernet Source MAC (LRAD): 00:0B:85:51:5A:E0
Tue May 23 12:37:50 2006: Msg Type :
Tue May 23 12:37:50 2006: DISCOVERY_REQUEST
Tue May 23 12:37:50 2006: Msg Length : 31
Tue May 23 12:37:50 2006: Msg SeqNum : 0
Tue May 23 12:37:50 2006: IE : UNKNOWN IE 58
Tue May 23 12:37:50 2006: IE Length : 1
Tue May 23 12:37:50 2006: Decode routine not available, Printing Hex Dump
Tue May 23 12:37:50 2006: 00000000: 00

How to Identify the Discovery Type

The value of the IE 58 parameter in the discovery request indicates the discovery type. The single value byte in the hex dumps that follow maps as:
0x00 = Broadcast
0x01 = Configured (stored in NVRAM)
0x02 = OTAP
0x03 = DHCP server
0x04 = DNS


OTAP - 1
The OTAP (over-the-air provisioning) feature is disabled by default and is available only on some WLCs. This is the discovery process when OTAP is enabled:
1. LAPs that are already registered to the WLC advertise the WLC IP address to LAPs that are trying to find a WLC, using neighbor messages that are sent over the air.
2. New LAPs that attempt to discover WLCs hear these messages and then unicast LWAPP discovery request messages to the WLCs.
3. WLCs that receive the LWAPP discovery message reply with a unicast LWAPP discovery response message to the LAP.
Debug:
(Cisco Controller) >debug lwapp packet enable
Tue May 23 14:21:55 2006: Start of Packet
Tue May 23 14:21:55 2006: Ethernet Source MAC (LRAD): 00:D0:58:AD:AE:CB
Tue May 23 14:21:55 2006: Msg Type :
Tue May 23 14:21:55 2006: DISCOVERY_REQUEST
Tue May 23 14:21:55 2006: Msg Length : 31
Tue May 23 14:21:55 2006: Msg SeqNum : 0
Tue May 23 14:21:55 2006: IE : UNKNOWN IE 58
Tue May 23 14:21:55 2006: IE Length : 1
Tue May 23 14:21:55 2006: Decode routine not available, Printing Hex Dump
Tue May 23 14:21:55 2006: 00000000: 02 .
Tue May 23 14:21:55 2006:
Note: OTAP was removed from the wireless controller feature set in code version 6.0.170.0 due to a vulnerability.

NVRAM
If the LAP was registered to a WLC in a previous deployment, the LAP keeps the list of WLC IP addresses locally in NVRAM. This is the discovery process:
1. The LAP sends a unicast Layer 3 LWAPP discovery request to each of the WLC IP addresses that it has in its NVRAM.
2. WLCs that receive the LWAPP discovery message reply with a unicast LWAPP discovery response message to the LAP.
Note: If you use the clear ap-config ap_name command to reset the LAP to factory defaults, all LAP configuration is reset, including the WLC IP addresses stored in NVRAM. In this case, the LAP must use some other method to discover the WLC.


Debug:
(Cisco Controller) >debug lwapp packet enable
Tue May 23 14:45:36 2006: Start of Packet
Tue May 23 14:45:36 2006: Ethernet Source MAC (LRAD): 00:D0:58:AD:AE:CB
Tue May 23 14:45:36 2006: Msg Type :
Tue May 23 14:45:36 2006: DISCOVERY_REQUEST
Tue May 23 14:45:36 2006: Msg Length : 31
Tue May 23 14:45:36 2006: Msg SeqNum : 0
Tue May 23 14:45:36 2006: IE : UNKNOWN IE 58
Tue May 23 14:45:36 2006: IE Length : 1
Tue May 23 14:45:36 2006: Decode routine not available, Printing Hex Dump
Tue May 23 14:45:36 2006: 00000000: 01 .
Tue May 23 14:45:36 2006:
DHCP 43

The IP address that should be configured in DHCP option 43 is the address of the controller's management interface. This is the discovery process:
1. When a LAP gets an IP address from the DHCP server, the LAP looks for WLC IP addresses in the option 43 field of the DHCP offer.
2. The LAP sends a Layer 3 LWAPP discovery request to each of the WLCs listed in DHCP option 43.
3. WLCs that receive the LWAPP discovery message reply with a unicast LWAPP discovery response message to the LAP.
Note: You can use DHCP option 43 when the LAPs and the WLCs are in different subnets.


Configuration for DHCP Option 43

1. Enter configuration mode at the Cisco IOS CLI.
2. Create the DHCP pool, which includes the necessary parameters, such as the default router and DNS server. This is an example DHCP scope:
ip dhcp pool <pool name>
  network <ip network> <netmask>
  default-router <default-router IP address>
  dns-server <dns server IP address>
3. Add the option 43 line with this syntax:
  option 43 hex <hexadecimal string>
The hexadecimal string in step 3 is assembled as a TLV: Type + Length + Value.
Type = 0xf1 (fixed)
Length = number of controller management IP addresses times 4, in hex
Value = the controller IP addresses, listed sequentially, in hex

For example, suppose there are two controllers with management interface IP addresses 192.168.10.5 and 192.168.10.20. Then:
Type (T): 0xf1. Length (L): 2 * 4 = 8 = 0x08.
Value (V): the IP addresses translate to c0a80a05 (192.168.10.5) and c0a80a14 (192.168.10.20). When the string is assembled, it yields f108c0a80a05c0a80a14. The Cisco IOS command added to the DHCP scope is:
option 43 hex f108c0a80a05c0a80a14
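Assembling the TLV by hand is where option 43 deployments usually go wrong (a length byte that does not match the number of addresses, or a mistyped type byte), so here is the rule above as code that builds the string and also checks one before it goes into a scope. This is an added example, not code from the post or from Cisco; the two controller addresses are the post's own, the pool parameters in main are constructed, and the rendered pool follows the IOS syntax shown above.

```python
"""Build and validate the DHCP option 43 string for LWAPP controller discovery.

Added example; not code from the post or from Cisco. It implements the TLV
rule the post states (type 0xf1, length = 4 * number of controllers, value =
management IPs in hex) plus a decoder that checks a string before it goes
into a DHCP scope. The two controller addresses are the post's own example.
"""
import ipaddress
from typing import List

LWAPP_TLV_TYPE = 0xF1   # fixed type byte for the controller-address sub-option


def build_option43(controllers: List[str]) -> str:
    """Return the hex string used in 'option 43 hex <string>'."""
    if not controllers:
        raise ValueError("at least one controller management address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(value) > 255:
        raise ValueError("length must fit in one byte (at most 63 controllers)")
    return bytes([LWAPP_TLV_TYPE, len(value)]).hex() + value.hex()


def parse_option43(hex_string: str) -> List[str]:
    """Decode a string back into controller addresses, validating the TLV.

    Rejects the usual hand-assembly mistakes: a wrong type byte, a length
    that is not a multiple of 4, or a length byte that disagrees with the
    number of address bytes actually present.
    """
    raw = bytes.fromhex(hex_string)       # odd-length or non-hex input raises ValueError
    if len(raw) < 2:
        raise ValueError("option 43 value is too short to hold type and length")
    tlv_type, length = raw[0], raw[1]
    if tlv_type != LWAPP_TLV_TYPE:
        raise ValueError(f"type byte is 0x{tlv_type:02x}, expected 0xf1")
    if length == 0 or length % 4 != 0:
        raise ValueError(f"length {length} is not a non-zero multiple of 4")
    payload = raw[2:]
    if len(payload) != length:
        raise ValueError(f"length byte says {length} bytes but {len(payload)} follow")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_pool(name: str, network: str, netmask: str, default_router: str,
                  dns_server: str, controllers: List[str]) -> str:
    """Render the IOS DHCP pool from the post with the option 43 line filled in."""
    return "\n".join([
        f"ip dhcp pool {name}",
        f"  network {network} {netmask}",
        f"  default-router {default_router}",
        f"  dns-server {dns_server}",
        f"  option 43 hex {build_option43(controllers)}",
    ])


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.20"]
    print(build_option43(wlcs))                     # f108c0a80a05c0a80a14
    print(parse_option43("f108c0a80a05c0a80a14"))  # ['192.168.10.5', '192.168.10.20']
    # Pool parameters below are constructed for illustration.
    print(ios_dhcp_pool("LAP-POOL", "192.168.20.0", "255.255.255.0",
                        "192.168.20.1", "192.168.10.2", wlcs))
```

Running parse_option43 on a string copied out of an existing scope is a quick way to confirm the controllers an AP will actually be told about.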

 
Debug:
(Cisco Controller) >debug lwapp packet enable
Tue May 23 16:14:32 2006: Start of Packet
Tue May 23 16:14:32 2006: Ethernet Source MAC (LRAD): 00:D0:58:AD:AE:CB
Tue May 23 16:14:32 2006: Msg Type :
Tue May 23 16:14:32 2006: DISCOVERY_REQUEST
Tue May 23 16:14:32 2006: Msg Length : 31
Tue May 23 16:14:32 2006: Msg SeqNum : 0
Tue May 23 16:14:32 2006: IE : UNKNOWN IE 58
Tue May 23 16:14:32 2006: IE Length : 1
Tue May 23 16:14:32 2006: Decode routine not available, Printing Hex Dump
Tue May 23 16:14:32 2006: 00000000: 03 .
Tue May 23 16:14:32 2006:

DNS

You can also use a DNS server to return WLC IP addresses to the LAP. This is the discovery process:
1. The LAP attempts to resolve the DNS name "CISCO-LWAPP-CONTROLLER.localdomain".
2. When the LAP is able to resolve this name to one or more WLC IP addresses, the LAP sends a unicast Layer 3 LWAPP discovery request to each of the WLCs.
3. The WLCs that receive the LWAPP discovery message reply with a unicast LWAPP discovery response message to the AP.
Note: The AP learns this domain name through DHCP option 15, which specifies the domain name that the AP should use for DNS resolution. Therefore, DHCP option 15 must be configured with the domain name in the DHCP configuration, and the DHCP server must also hand out the IP address of the DNS server.


 
Debug:
(Cisco Controller) >debug lwapp packet enable
Tue May 23 16:14:32 2006: Start of Packet
Tue May 23 16:14:32 2006: Ethernet Source MAC (LRAD): 00:D0:58:AD:AE:CB
Tue May 23 16:14:32 2006: Msg Type :
Tue May 23 16:14:32 2006: DISCOVERY_REQUEST
Tue May 23 16:14:32 2006: Msg Length : 31
Tue May 23 16:14:32 2006: Msg SeqNum : 0
Tue May 23 16:14:32 2006: IE : UNKNOWN IE 58
Tue May 23 16:14:32 2006: IE Length : 1
Tue May 23 16:14:32 2006: Decode routine not available, Printing Hex Dump
Tue May 23 16:14:32 2006: 00000000: 04 .
Tue May 23 16:14:32 2006:
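The debug transcripts above all carry the discovery type in the one-byte hex dump of IE 58, and on a busy controller there are many of them, so here is a small parser that pulls the AP MAC, message type and IE 58 value out of "debug lwapp packet enable" output and tallies discovery requests by type. This serves the "How to identify the discovery type" section and the five debug excerpts. It is an added example, not code from the post or from Cisco; the log text embedded in it is constructed to match the format shown above (including two records pasted together on one line, as happens when copying from a terminal), and the IE 58 mapping is the one the dumps above show.

```python
"""Classify LWAPP discovery requests from 'debug lwapp packet enable' output.

Added example; not from the post or from Cisco. It parses the debug format
shown in the post, pulls the value of IE 58 out of the hex dump, and maps it
to the discovery type so an operator can see at a glance how each AP found
the controller (and notice an unexpected method such as OTAP). The log text
below is constructed to match the post's debug format.
"""
import re
from collections import Counter

# IE 58 value -> discovery type, as shown by the hex dumps in the post.
DISCOVERY_TYPES = {
    0x00: "Broadcast",
    0x01: "Configured (NVRAM)",
    0x02: "OTAP",
    0x03: "DHCP option 43",
    0x04: "DNS",
}

# Timestamp prefix the controller writes before every fragment, e.g.
# "Tue May 23 16:14:32 2006: ". Splitting on it also separates records that
# a copy/paste ran together on one line.
TIMESTAMP = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}:\s*")
UNKNOWN_IE = re.compile(r"IE\s*:\s*UNKNOWN IE (\d+)")
HEX_DUMP = re.compile(r"^[0-9A-Fa-f]{8}:\s*((?:[0-9A-Fa-f]{2}\s?)+)")


def fragments(text: str):
    """Split raw debug text into timestamp-free fragments."""
    return [f.strip() for f in TIMESTAMP.split(text) if f.strip()]


def parse_packets(text: str):
    """One dict per 'Start of Packet' block: AP MAC, message type, IE 58 value."""
    packets = []
    cur = None
    pending_ie = None          # IE number whose hex dump we are waiting for
    expect_msg_type = False    # 'Msg Type :' puts its value on the next fragment
    for frag in fragments(text):
        if frag.startswith("Start of Packet"):
            cur = {"ap_mac": None, "msg_type": None, "ie58": None}
            packets.append(cur)
            pending_ie, expect_msg_type = None, False
            continue
        if cur is None:
            continue                       # the command echo before the first packet
        if expect_msg_type:
            cur["msg_type"] = frag
            expect_msg_type = False
        elif frag.startswith("Ethernet Source MAC"):
            cur["ap_mac"] = frag.split(":", 1)[1].strip().lower()
        elif frag.startswith("Msg Type"):
            value = frag.split(":", 1)[1].strip()
            if value:
                cur["msg_type"] = value
            else:
                expect_msg_type = True
        else:
            m = UNKNOWN_IE.search(frag)
            if m:
                pending_ie = int(m.group(1))
                continue
            m = HEX_DUMP.match(frag)
            if m and pending_ie == 58:
                cur["ie58"] = int(m.group(1).split()[0], 16)   # IE length is 1
                pending_ie = None
    return packets


def discovery_type(packet) -> str:
    value = packet["ie58"]
    if value is None:
        return "unknown (no IE 58)"
    return DISCOVERY_TYPES.get(value, f"unknown (0x{value:02x})")


def summarize(text: str) -> Counter:
    """Count DISCOVERY_REQUEST packets by discovery type."""
    return Counter(discovery_type(p) for p in parse_packets(text)
                   if p["msg_type"] == "DISCOVERY_REQUEST")


# Constructed sample in the post's debug format; MACs are made up.
SAMPLE = """\
(Cisco Controller) >debug lwapp packet enable
Tue May 23 16:14:32 2006: Start of Packet
Tue May 23 16:14:32 2006: Ethernet Source MAC (LRAD): 00:0B:85:00:00:01
Tue May 23 16:14:32 2006: Msg Type :
Tue May 23 16:14:32 2006: DISCOVERY_REQUEST
Tue May 23 16:14:32 2006: Msg Length : 31
Tue May 23 16:14:32 2006: Msg SeqNum : 0
Tue May 23 16:14:32 2006: IE : UNKNOWN IE 58
Tue May 23 16:14:32 2006: IE Length : 1
Tue May 23 16:14:32 2006: Decode routine not available, Printing Hex Dump Tue May 23 16:14:32 2006: 00000000: 03 .
Tue May 23 16:14:33 2006: Start of Packet Tue May 23 16:14:33 2006: Ethernet Source MAC (LRAD): 00:0B:85:00:00:02 Tue May 23 16:14:33 2006: Msg Type : Tue May 23 16:14:33 2006: DISCOVERY_REQUEST
Tue May 23 16:14:33 2006: Msg Length : 31 Tue May 23 16:14:33 2006: Msg SeqNum : 0
Tue May 23 16:14:33 2006: IE : UNKNOWN IE 58 Tue May 23 16:14:33 2006: IE Length : 1
Tue May 23 16:14:33 2006: Decode routine not available, Printing Hex Dump
Tue May 23 16:14:33 2006: 00000000: 02 .
"""

if __name__ == "__main__":
    for p in parse_packets(SAMPLE):
        print(p["ap_mac"], p["msg_type"], discovery_type(p))
    print(summarize(SAMPLE))   # Counter({'DHCP option 43': 1, 'OTAP': 1})
```

Feeding a longer capture through summarize() shows whether APs are discovering the controller by the method you intended; an AP that only shows up as Broadcast, for example, is one whose option 43 or DNS record is not reaching it.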



After Discovery, Join Request

The LAP selects a WLC from the candidate WLC list and sends that WLC an LWAPP join request. To join the controller, the access point and controller perform the following process:
1. AP sends Join Request
a. Random Session ID
b. X.509 certificate of the LWAPP AP
2. Controller verification
a. Verifies that the LWAPP AP's X.509 certificate was signed by a trusted CA
b. Generates a random AES encryption key for LWAPP control traffic
c. Encrypts the AES key using the LWAPP AP's public key
d. Concatenates the key ciphertext with the Session ID from the LWAPP Join Request
e. Encrypts the concatenated string with the controller's private key
3. Controller sends Join Response
a. Ciphertext (Session ID, encrypted AES key)
b. Controller's X.509 certificate

Join Request

4. LWAPP AP verification
a. Verifies that the controller's X.509 certificate was signed by a trusted CA
b. Decrypts the concatenated string using the controller's public key
c. Validates the Session ID
d. Decrypts the AES key using the LWAPP AP's private key
5. Join process is now complete
6. AES key lifetime timer is 8 hours
a. The LWAPP AP sends an LWAPP Key Update Request (contains a new Session ID)
b. The controller generates a new AES key and encrypts it as stated above
c. The controller sends an LWAPP Key Update Response

How the Controller and AP Work Together

1. Discover and join the controller.
2. LWAPP message exchange.
3. The AP initiates a firmware download from the WLC (if there is a version mismatch between the AP and the WLC).
4. The WLC then provisions the LAP with the configuration that is specific to the WLANs so that the LAP can accept client associations. This includes:
a. Service set identifier (SSID)
b. Security parameters
c. Data rates
d. Radio channels
e. Power levels
CAPWAP vs LWAPP

Lightweight Access Point Protocol (LWAPP):
Fragmentation/reassembly: relies on IPv4
Path MTU discovery: not supported
Control channel encryption between AP and WLC: yes (using AES)
Data channel encryption between AP and WLC: no
UDP ports: 12222, 12223
Control And Provisioning of Wireless Access Points (CAPWAP): built on top of LWAPP
Fragmentation/reassembly: CAPWAP itself does both
Path MTU discovery: has a robust PMTU discovery mechanism and can also detect dynamic MTU changes
Control channel encryption between AP and WLC: yes (using DTLS)
Data channel encryption between AP and WLC: yes (using DTLS)
UDP ports: 5246 (control), 5247 (data)



