802.11 PROTOCOL INTELLIGENCE

Device Roles - Network Infrastructure

Understanding what each device actually does - and doesn't do - at the 802.11/802.3 layer is foundational for troubleshooting, design, and certification. A gateway is not just a router. An AP is not a router. A mesh node is not a repeater. The distinctions matter in the PCAP.

Standards: IEEE 802.3 / 802.11-2020. Certification domain: CWNA / CWDP. Level: Beginner → Expert.

OSI Layer Mapping

L7 Application : Gateway (VoIP, email)
L3 Network     : Router, Gateway
L2 Data Link   : Switch, Bridge, AP, Mesh MAP
L1 Physical    : Hub, Modem, ONT, Repeater

Layer determines what the device reads and acts on. A switch only reads MAC addresses (L2) - it never looks at IP headers. A router reads IP addresses (L3) but passes L4–L7 data unchanged. An AP bridges 802.11 MAC frames to 802.3 Ethernet - L2 only. Everything above L2 is opaque to the AP unless it also routes.

Wired Devices - The Network Foundation

Hub - L1 Physical (obsolete)

Multi-port repeater. Receives a bit stream on one port and immediately repeats it to ALL other ports.

Does:
+Zero MAC intelligence - no CAM table
+One collision domain for all ports
+Half-duplex only - CSMA/CD required
+10 Mbps max; electrically obsolete since ~2005
Does NOT:
Filter by MAC address
Support VLANs
Provide full-duplex
PCAP NOTE
Every frame sent by any device appears on every port. Capture on one port = capture everything on the hub.
Switch - L2 Data Link

Multi-port bridge with a CAM (Content Addressable Memory) table. Delivers frames only to the correct port.

Does:
+MAC address learning: builds a MAC→port (CAM) table from the source address of every frame it receives
+Unicast forwarding to correct port only (flood on unknown)
+Full-duplex per port - zero collisions
+VLANs (802.1Q) for logical segmentation
+PoE (802.3af/at/bt) for powering APs
Does NOT:
Route IP packets
Perform NAT
See SSID or 802.11 MAC headers (only 802.3 Ethernet headers on wired side)
PCAP NOTE
Port mirroring (SPAN) lets you capture traffic from another port. Switch only forwards Ethernet frames - 802.11-specific fields invisible.
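To make the switch behaviour concrete, here is an added Python simulation (not part of the original page): a per-VLAN CAM table that learns source MACs, forwards known unicasts to exactly one port, floods unknown unicasts and group addresses, and records which frames a SPAN session mirroring one port would actually capture. The port names, MAC addresses and frame list are constructed for the example.

```python
"""Added example: a minimal L2 switch with CAM learning, flooding and SPAN view.

Not from the original page. Port names, MAC addresses and the frame list are
constructed for this example; frames are (src_mac, dst_mac, vlan, ingress_port).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def is_group_address(mac: str) -> bool:
    """Broadcast/multicast: the I/G bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Switch:
    # port -> VLAN IDs that port carries (access or trunk membership)
    port_vlans: Dict[str, Set[int]]
    # CAM table keyed (VLAN, MAC) -> port. A switch learns from the 802.3 source
    # address only; it never sees SSIDs, BSSIDs or 802.11 headers.
    cam: Dict[Tuple[int, str], str] = field(default_factory=dict)

    def _flood_ports(self, vlan: int, ingress: str) -> List[str]:
        """All ports in the VLAN except the one the frame arrived on."""
        return sorted(p for p, vl in self.port_vlans.items()
                      if vlan in vl and p != ingress)

    def forward(self, src: str, dst: str, vlan: int, ingress: str) -> List[str]:
        """Learn src on ingress, then return the egress port list for dst."""
        if vlan not in self.port_vlans[ingress]:
            return []                       # VLAN not allowed on this port: drop
        self.cam[(vlan, src)] = ingress     # learning happens on every frame
        if is_group_address(dst):
            return self._flood_ports(vlan, ingress)
        known = self.cam.get((vlan, dst))
        if known is None:
            return self._flood_ports(vlan, ingress)   # unknown unicast: flood
        if known == ingress:
            return []                       # destination is behind the same port: filter
        return [known]                      # known unicast: exactly one port


def run_and_mirror(switch: Switch, frames, span_port: str):
    """Replay frames; return per-frame egress lists and the indexes a SPAN
    session mirroring span_port (both directions) would capture."""
    egress_log, mirrored = [], []
    for i, (src, dst, vlan, ingress) in enumerate(frames):
        out = switch.forward(src, dst, vlan, ingress)
        egress_log.append(out)
        if ingress == span_port or span_port in out:
            mirrored.append(i)
    return egress_log, mirrored


# Constructed sample frames (not captured traffic).
A, B, C = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    (A, B, 10, "p1"),          # B not yet learned -> flooded in VLAN 10
    (B, A, 10, "p2"),          # A learned on p1 -> unicast to p1 only
    (A, B, 10, "p1"),          # B learned on p2 -> unicast to p2 only
    (C, BROADCAST, 10, "p3"),  # broadcast -> every other VLAN 10 port
    (A, B, 20, "p1"),          # VLAN 20 is not carried on p1 -> dropped
]


def demo():
    """Four-port switch; p4 is a trunk carrying VLANs 10 and 20, SPAN mirrors p4."""
    sw = Switch({"p1": {10}, "p2": {10}, "p3": {10}, "p4": {10, 20}})
    return run_and_mirror(sw, SAMPLE_FRAMES, "p4")


if __name__ == "__main__":
    egress, seen = demo()
    for i, out in enumerate(egress):
        print(f"frame {i}: egress {out}")
    print(f"SPAN on p4 captured frames {seen} of {len(SAMPLE_FRAMES)}")
```

Run as-is: the SPAN session on p4 sees only the flooded and broadcast frames, while the two known-unicast frames between p1 and p2 never reach it. On a hub every frame would have appeared on p4, which is exactly the difference the two PCAP notes describe.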
Router - L3 Network

Routes IP packets between different networks using a routing table. Each interface is a separate broadcast domain.

Does:
+Reads destination IP → consults routing table → forwards to next-hop
+NAT: maps private IPs (RFC 1918) to public IP
+DHCP server (typically)
+ACL packet filtering
+Routing protocols: OSPF, BGP, EIGRP
Does NOT:
Examine above L3 (payload is opaque unless deep packet inspection enabled)
Bridge L2 frames between interfaces without routing
PCAP NOTE
Router = broadcast domain boundary. ARP stays within a subnet. DHCP discover broadcast cannot cross a router without DHCP relay.
Gateway - L3–L7 Multi-layer

Protocol translator between incompatible systems. In home networking, "gateway" = combined modem + router + AP in one device.

Does:
+Protocol translation: IPv4↔IPv6, SIP↔PSTN, email protocol conversion
+In home networking: modem + NAT router + Wi-Fi AP combined
+Default gateway = the router address hosts use for external traffic
Does NOT:
Merely forward packets - a true gateway performs protocol translation, which is more than routing
PCAP NOTE
Home gateway PCAP captures all traffic from associated Wi-Fi clients. The "default gateway" IP (e.g. 192.168.1.1) is what every host sends non-local traffic to first.

Access Point Architectures - Fat, Thin, Cloud, Mesh

An AP bridges 802.11 wireless clients to the wired 802.3 network at L2. But "AP" describes the role, not the architecture. The same hardware may operate as a fat AP, thin AP, or cloud-managed AP depending on how it's deployed.

Autonomous (Fat AP)

Full 802.11 MAC stack runs ON the AP. The AP handles association, auth (RADIUS client), DHCP, routing, and RF decisions locally. No controller required.

Pros:
+Simple - no controller dependency
+Low cost for small deployments
+Works standalone
Cons:
No central management
Per-AP config = nightmare at scale (100+ APs)
No fast roaming without additional config
Examples: Home routers, Ubiquiti UniFi (without controller), small branch office APs
Thin AP (Controller)

802.11 MAC is SPLIT between AP (real-time RF) and WLC (policy, auth, mobility). AP tunnels client traffic to WLC via CAPWAP (UDP 5246/5247). Data plane: local or central bridging.

Pros:
+Central management of thousands of APs
+Fast roaming (controller holds PTK/GTK keys)
+Consistent policy across all APs
Cons:
Controller is a single point of failure (mitigated by HA)
CAPWAP tunnel adds latency if central bridging
Examples: Cisco WLC + Catalyst APs, Aruba AOS + IAP with controller, HPE Aruba Central
Cloud-Managed

AP phones home to vendor cloud over HTTPS. Config, firmware, and analytics managed from dashboard. Data plane stays LOCAL - only management traverses cloud.

Pros:
+Zero-touch provisioning (claim by serial number)
+No on-site controller
+Globally distributed management
Cons:
Dependent on internet/cloud availability for management
Less protocol-level visibility than on-prem controller
Examples: Cisco Meraki, Juniper Mist AI, Ubiquiti UniFi Cloud, Aruba Central
SD-WAN / Virtual Controller

Controller function runs as a VM in the cloud or on-site server. APs discover controller automatically. Hybrid: data plane local, control plane virtual.

Pros:
+Controller scalability without dedicated hardware
+Flexible deployment (on-prem or cloud)
Cons:
Virtual controller resource sizing matters for scale
Examples: Aruba Virtual Mobility Controller, Cisco vWLC, HPE Aruba Central with on-prem cluster

Mesh Roles - MP, MAP, MPP (802.11s)

IEEE 802.11s-2011 (now incorporated into 802.11-2020) defines a mesh network using the HWMP routing protocol. Three roles determine what a node does in the mesh. Every home mesh system (Eero, Google Nest, Orbi) implements these roles, though vendors often rename them.

MP (Mesh Point)

The basic mesh node. Participates in HWMP path selection, forwards mesh traffic via the Airtime Link Metric. Has no BSS - cannot connect regular 802.11 clients directly. Pure backhaul node.

Examples: Wireless backhaul relay point, range extender with no client radio
MAP (Mesh Access Point)

Mesh Point that ALSO runs a BSS - can serve regular 802.11 clients while simultaneously participating in the mesh backhaul. The typical home mesh node. Combines AP and mesh functions on different radios (or same radio time-sliced).

Examples: Eero node, Google Nest WiFi point, Orbi satellite - most consumer mesh nodes are MAPs
MPP (Mesh Portal)

Mesh Point with an uplink to the wired Distribution System (Ethernet to router/switch). Acts as the gateway between the mesh domain and the rest of the network. Every mesh MUST have at least one MPP. Usually the root/primary node plugged into the ISP router.

Examples: Primary Eero node (wired to router), root Nest WiFi Hub, Orbi Router (base unit)
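The three roles above become tangible once you compute what HWMP actually optimises. The following Python is an added example (not from the original page, and not any vendor's implementation): it evaluates the 802.11s airtime link metric for each link and then runs a Dijkstra search over summed link costs from a MAP to the nearest MPP, refusing to run at all if the mesh has no portal. The metric form c_a = (O + B_t / r) / (1 - e_f) with B_t = 8192 bits follows 802.11s; the overhead value O, the node names, link rates and frame error rates are constructed assumptions.

```python
"""Added example: 802.11s airtime link metric and HWMP-style path selection.

Not from the original page. The metric form c_a = (O + B_t / r) / (1 - e_f)
with B_t = 8192 bits follows 802.11s; the overhead value O, the node names,
link rates and error rates below are constructed assumptions.
"""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

B_T_BITS = 8192            # test frame length used by the airtime link metric
O_OVERHEAD_US = 75.0       # channel access + protocol overhead (assumed, microseconds)
ROLES = {"MP", "MAP", "MPP"}


def airtime_link_metric(rate_mbps: float, frame_error_rate: float,
                        overhead_us: float = O_OVERHEAD_US) -> float:
    """Airtime cost of one link in microseconds; lower is better."""
    if rate_mbps <= 0:
        raise ValueError("rate must be positive")
    if not 0.0 <= frame_error_rate < 1.0:
        raise ValueError("frame error rate must be in [0, 1)")
    return (overhead_us + B_T_BITS / rate_mbps) / (1.0 - frame_error_rate)


@dataclass
class Mesh:
    roles: Dict[str, str]                               # node -> MP / MAP / MPP
    links: Dict[Tuple[str, str], Tuple[float, float]]   # (a, b) -> (rate_mbps, fer)

    def validate(self) -> None:
        bad = [n for n, r in self.roles.items() if r not in ROLES]
        if bad:
            raise ValueError(f"unknown mesh role on {bad}")
        if "MPP" not in self.roles.values():
            raise ValueError("a mesh needs at least one MPP to reach the DS")

    def neighbours(self, node: str):
        """Yield (neighbour, airtime cost); links are treated as symmetric."""
        for (a, b), (rate, fer) in self.links.items():
            if node in (a, b):
                yield (b if a == node else a), airtime_link_metric(rate, fer)

    def best_path_to_portal(self, src: str) -> Tuple[List[str], float]:
        """Dijkstra over summed airtime metrics to the nearest MPP: the path
        HWMP root path selection converges to for these link costs."""
        self.validate()
        dist: Dict[str, float] = {src: 0.0}
        prev: Dict[str, str] = {}
        heap: List[Tuple[float, str]] = [(0.0, src)]
        while heap:
            d, node = heapq.heappop(heap)
            if d > dist[node]:
                continue                      # stale heap entry
            if self.roles[node] == "MPP":
                path = [node]
                while path[-1] != src:
                    path.append(prev[path[-1]])
                return path[::-1], d
            for nb, cost in self.neighbours(node):
                nd = d + cost
                if nd < dist.get(nb, float("inf")):
                    dist[nb] = nd
                    prev[nb] = node
                    heapq.heappush(heap, (nd, nb))
        raise ValueError(f"no path from {src} to any MPP")


# Constructed home mesh: one wired portal, one pure backhaul relay, two MAPs.
SAMPLE_MESH = Mesh(
    roles={"portal": "MPP", "relay": "MP", "den": "MAP", "garage": "MAP"},
    links={
        ("den", "portal"): (6.0, 0.30),    # direct but weak: low rate, 30% frame errors
        ("den", "relay"): (54.0, 0.05),    # two strong hops via the relay
        ("relay", "portal"): (54.0, 0.05),
        ("garage", "den"): (24.0, 0.10),
    },
)

if __name__ == "__main__":
    for node in ("den", "garage"):
        path, cost = SAMPLE_MESH.best_path_to_portal(node)
        print(f"{node}: {' -> '.join(path)}  ({cost:.1f} us airtime)")
```

The point the numbers make: the one-hop link from the den straight to the portal costs more airtime than two hops through the relay MP, so HWMP prefers the longer path even though the relay serves no clients of its own. That is also why a weak direct backhaul link shows up in a capture as mesh data frames taking a detour rather than as a single hop.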
REPEATER vs MESH NODE - CRITICAL DISTINCTION

A repeater (range extender) receives a signal and re-transmits it on the SAME channel - halving throughput because it must both receive and transmit using the same airtime. A mesh node uses a dedicated backhaul radio (or separate backhaul channel) so the client-facing radio is unaffected. If a device only has one radio, it is a half-duplex repeater, not a mesh node - regardless of marketing. Always check: how many radios? Is backhaul wireless or wired? Wired backhaul = fastest, zero airtime penalty.

Common Misconceptions

✗ "The gateway assigns IP addresses"
✓ Reality

A DHCP server assigns IPs. It often runs ON the gateway, but it is a separate service. Enterprise networks often have a dedicated DHCP server (Windows DHCP, ISC dhcpd) that the AP/controller reaches via DHCP relay.

✗ "An AP connects you to the internet"
✓ Reality

An AP bridges 802.11 to 802.3. The router/gateway connects to the internet. Without a working default gateway route, the AP gives you "connected, no internet" even with perfect RF.

✗ "A switch is a smarter hub"
✓ Reality

A switch and hub operate at completely different layers. A switch creates dedicated collision domains per port with full-duplex - structurally different from a hub, not just faster.

✗ "A mesh extender is always better than a repeater"
✓ Reality

A two-radio mesh node with wireless backhaul may still halve throughput if both radios share the same frequency band (2.4 GHz backhaul + 2.4 GHz client). Tri-band mesh (dedicated 5 GHz backhaul) avoids this. Wired backhaul is always better.

✗ "Cloud-managed APs need the cloud to work"
✓ Reality

Cloud-managed APs (Meraki, Mist) cache their last-known config locally. If the cloud is unreachable, existing clients continue working. NEW associations may require the controller for full auth policy - depends on the vendor.

✗ "The AP does the 802.1X authentication"
✓ Reality

The AP is the 802.1X Authenticator - a passthrough proxy. The RADIUS server is the Authentication Server. The AP never sees the password, only the EAP exchange. Authentication decision is made by RADIUS.
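The authenticator role is easiest to see in the bytes the AP actually touches. The Python below is an added example (not from the original page): it parses the EAPOL header (IEEE 802.1X) and the EAP header (RFC 3748) the way an authenticator must, then re-encapsulates the EAP packet unchanged into RADIUS EAP-Message attributes (type 79, RFC 3579), splitting it across several attributes when it is too large for one. The sample frames, the identity string and the fragment size are constructed, not captured.

```python
"""Added example: what an 802.1X authenticator (the AP) actually handles.

Not from the original page. Parses the EAPOL header (IEEE 802.1X) and the EAP
header (RFC 3748), then re-encapsulates the EAP packet as RADIUS EAP-Message
attributes (type 79, RFC 3579) the way an AP relays it to the RADIUS server.
The sample frames and the identity string are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
RADIUS_ATTR_EAP_MESSAGE = 79
RADIUS_MAX_ATTR_VALUE = 253   # one-byte attribute length includes the 2-byte header


@dataclass
class EapolPacket:
    version: int
    packet_type: str
    body: bytes


@dataclass
class EapPacket:
    code: str
    identifier: int
    eap_type: Optional[str]   # only Request/Response carry a Type
    type_data: bytes


def parse_eapol(frame: bytes) -> EapolPacket:
    """EAPOL: version(1) | packet type(1) | body length(2) | body."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body shorter than declared length")
    return EapolPacket(version, EAPOL_TYPES[ptype], frame[4:4 + length])


def parse_eap(body: bytes) -> EapPacket:
    """EAP: code(1) | identifier(1) | length(2, incl. header) | [type(1) | type-data]."""
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type byte")
        t = body[4]
        return EapPacket(EAP_CODES[code], ident, EAP_TYPES.get(t, f"type-{t}"), body[5:length])
    return EapPacket(EAP_CODES[code], ident, None, b"")


def eap_message_avps(eap: bytes) -> List[bytes]:
    """Split an EAP packet into RADIUS EAP-Message AVPs: type(1) | length(1) | value."""
    chunks = [eap[i:i + RADIUS_MAX_ATTR_VALUE]
              for i in range(0, len(eap), RADIUS_MAX_ATTR_VALUE)]
    return [bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks]


def authenticator_relay(frame: bytes):
    """What the AP does with a supplicant EAPOL frame: parse the headers it
    needs, and hand the EAP payload to RADIUS untouched.
    Returns (eapol_type, parsed EAP or None, list of EAP-Message AVPs)."""
    eapol = parse_eapol(frame)
    if eapol.packet_type != "EAP-Packet":
        return eapol.packet_type, None, []   # Start/Logoff are handled locally
    eap = parse_eap(eapol.body)
    return eapol.packet_type, eap, eap_message_avps(eapol.body)


# Constructed sample frames (EAPOL version 2). Not captured traffic.
EAPOL_START = bytes.fromhex("02010000")
IDENTITY = b"alice@example.org"
RESP_IDENTITY = (struct.pack("!BBH", 2, 0, 5 + len(IDENTITY))
                 + struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY)
# A 600-byte EAP-TLS response fragment: too big for a single RADIUS attribute.
BIG_TLS = struct.pack("!BBHB", 2, 7, 605, 13) + bytes(600)
EAPOL_BIG_TLS = struct.pack("!BBH", 2, 0, len(BIG_TLS)) + BIG_TLS

if __name__ == "__main__":
    for name, frame in (("start", EAPOL_START), ("identity", RESP_IDENTITY),
                        ("tls", EAPOL_BIG_TLS)):
        ptype, eap, avps = authenticator_relay(frame)
        print(name, ptype, eap, f"{len(avps)} EAP-Message AVP(s)")
```

Everything the AP learns is visible in the returned EapPacket: code, identifier, type and, for the Identity exchange, the outer identity string. Inner credentials travel inside the EAP type-data of a tunnelled method (PEAP, EAP-TLS) that the AP only copies into EAP-Message attributes. A real authenticator also adds other RADIUS attributes (Message-Authenticator, NAS-Port, Calling-Station-Id and so on), which are omitted here.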
