WLAN Architecture Reference
The IEEE 802.11 standard defines precise terms for WLAN topology. Every enterprise deployment is an ESS. Understanding the building blocks (BSS, BSSID, DS, distribution service) is the foundation for roaming, QoS, and security design. Reference: CWNA-109, Chapter 9.
// 802.11 service set hierarchy - ieee 802.11-2020 §5
BSS Basic Service Set
Definition
The fundamental building block. One AP + all associated client stations form a BSS. All devices in a BSS share the same channel. Communication between clients is always relayed through the AP - never directly between clients (unlike IBSS).
Detail
BSSID: The Layer 2 identifier of the BSS. In infrastructure mode = the AP's radio MAC address.
BSA (Basic Service Area): The physical coverage area of the BSS - the "cell."
SSID: The human-readable network name. Multiple BSSes can share the same SSID (same SSID across multiple APs = same ESS).
Multiple BSSID: One AP can advertise multiple SSIDs on one radio. Each SSID gets a unique BSSID derived from the AP MAC. Every additional SSID adds beacon overhead - keep SSIDs per radio to 3-4 maximum.
Wireshark: wlan.bssid, wlan.ssid - visible in every beacon, probe response, association frame
IBSS Independent Basic Service Set
Definition
Ad hoc or peer-to-peer mode. No AP. Client stations communicate directly with each other. The first station that creates an IBSS generates a random BSSID (not a real MAC address). IBSS does not provide access to a wired DS. Scales poorly beyond 8-10 devices. Rarely used in enterprise.
Detail
Use cases: Direct device-to-device file transfer. Military/field environments with no infrastructure.
PBSS (Personal BSS): 802.11ad (WiGig 60 GHz) variant. One device acts as PCP (PBSS Control Point) to coordinate direct communication. Not the same as IBSS.
Security concern: IBSS mode bypasses AP-based access control. Wireless IPS systems monitor for IBSS frames as potential rogue activity.
Wireshark: wlan.fc.type_subtype shows management frames without DS bits set, and wlan.bssid does not match any real AP MAC.
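The check a wireless IPS applies to the IBSS case above, as an added example (not code from this page or from any product): it reads the Capability Information field of a beacon or probe response, where bit 0 marks an infrastructure BSS and bit 1 marks an IBSS, and compares the BSSID with an AP inventory. The function names, the inventory and all MAC addresses are constructed, and frames are assumed to be raw 802.11 with no radiotap header and no FCS.

```python
import struct

CAP_ESS, CAP_IBSS = 0x0001, 0x0002    # Capability Information bits 0 and 1
BEACON, PROBE_RESP = 8, 5             # management subtypes that carry the field

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify_bss(frame, ap_inventory):
    """Classify a raw beacon/probe response (no radiotap, no FCS), else None."""
    if len(frame) < 36 or (frame[0] >> 2) & 0x3 or frame[0] >> 4 not in (BEACON, PROBE_RESP):
        return None
    sender, bssid = frame[10:16], frame[16:22]    # Address 2, Address 3
    (cap,) = struct.unpack_from("<H", frame, 34)  # after timestamp(8), interval(2)
    ssid, pos = "", 36
    while pos + 2 <= len(frame):                  # tagged parameters; SSID is ID 0
        eid, end = frame[pos], pos + 2 + frame[pos + 1]
        if end > len(frame):
            break                                 # truncated element
        if eid == 0:
            ssid = frame[pos + 2:end].decode("utf-8", "replace")
            break
        pos = end
    if cap & CAP_IBSS and not cap & CAP_ESS:
        verdict = "ibss"
    elif mac(bssid) in ap_inventory:
        verdict = "managed-ap"
    else:
        verdict = "unknown-bss"
    return {"verdict": verdict, "ssid": ssid, "bssid": mac(bssid), "sender": mac(sender),
            # an IBSS starter picks a locally administered, individual BSSID
            "random_bssid": (bssid[0] & 0x03) == 0x02}

def build_beacon(sa, bssid, cap, ssid):
    """Constructed test frame: 24-byte header, fixed fields, SSID element."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + sa + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()

INVENTORY = {"00:11:22:33:44:55"}                 # constructed AP radio MAC
AP = build_beacon(bytes.fromhex("001122334455"), bytes.fromhex("001122334455"), 0x0411, "corp")
ADHOC = build_beacon(bytes.fromhex("a0b1c2d3e4f5"), bytes.fromhex("3e10aa20bb30"), 0x0002, "share")
NEIGHBOR = build_beacon(bytes.fromhex("00aabbccddee"), bytes.fromhex("00aabbccddee"), 0x0001, "cafe")
```

In the IBSS result the sender differs from the BSSID, which gives the station to locate; in an infrastructure beacon the two are the same address.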
ESS Extended Service Set
Definition
Two or more BSSes connected by a common Distribution System (DS). The same SSID across multiple APs forms an ESS. All APs in an ESS share the same SSID - clients can roam between BSSes without changing SSID. The ESS is what most enterprise deployments actually are.
Detail
DS (Distribution System): The logical system connecting BSSes. In practice = the wired Ethernet backbone + switches. The 802.11 standard is intentionally vague about DS implementation - it just defines the services.
ESS-transition: Client moves from one BSS to another BSS in the same ESS. The 802.11 standard DOES NOT guarantee session continuity on ESS-transition - that's what 802.11r, k, v add.
BSS-transition: Same as ESS-transition. The client roams from AP1 to AP2 within the same ESS.
Wireshark: wlan.bssid changes between reassociation frames. A Reassociation Request (wlan.fc.type_subtype == 0x02) carries the old BSSID in its Previous AP field.
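The reassociation trace described above, as an added example (not code from this page): it decodes Reassociation Requests, takes the old BSSID from the field this page calls Previous AP (the standard names it Current AP Address), and rebuilds each client's path through the ESS, noting where a frame's old BSSID disagrees with the last BSS the client was seen joining. Function names and MAC addresses are constructed, and frames are assumed to be raw 802.11 with no radiotap header and no FCS.

```python
import struct
from collections import defaultdict

REASSOC_REQ = 2                      # wlan.fc.type_subtype == 0x02

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_reassoc(frame):
    """Decode a raw Reassociation Request (no radiotap, no FCS), else None."""
    if len(frame) < 34 or (frame[0] >> 2) & 0x3 or frame[0] >> 4 != REASSOC_REQ:
        return None
    return {"client": mac(frame[10:16]),   # Address 2: the roaming station
            "to": mac(frame[16:22]),       # Address 3: BSSID being joined
            # body: capability(2), listen interval(2), then the old AP address(6)
            "from": mac(frame[28:34])}

def roam_paths(frames):
    """Return ({client: [bssid, ...]}, notes) for frames given in capture order."""
    paths, notes = defaultdict(list), []
    for ev in filter(None, map(parse_reassoc, frames)):
        path = paths[ev["client"]]
        if path and path[-1] != ev["from"]:
            # a roam was missed by the capture, or the client reports a stale AP
            notes.append(f'{ev["client"]}: expected {path[-1]}, frame reports {ev["from"]}')
        if not path or path[-1] != ev["from"]:
            path.append(ev["from"])
        if ev["to"] == ev["from"]:
            notes.append(f'{ev["client"]}: reassociated to the same BSS {ev["to"]}')
        else:
            path.append(ev["to"])
    return dict(paths), notes

def build_reassoc(client, new_ap, old_ap):
    """Constructed test frame: header, capability, listen interval, old BSSID."""
    hdr = b"\x20\x00\x00\x00" + new_ap + client + new_ap + b"\x00\x00"
    return hdr + struct.pack("<HH", 0x0411, 10) + old_ap

STA, AP1, AP2, AP3 = (bytes.fromhex(h) for h in
    ("a0b1c2d3e4f5", "001122334401", "001122334402", "001122334403"))  # constructed MACs
CAPTURE = [build_reassoc(STA, AP2, AP1), build_reassoc(STA, AP3, AP2),
           build_reassoc(STA, AP2, AP1)]   # last frame implies a roam the capture missed
```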
// ap deployment architectures - three models
Autonomous AP (Fat AP)
All 802.11 intelligence runs locally on each AP. The AP makes all decisions independently: authentication, encryption, QoS, channel selection. No controller required. Management is per-AP - each AP has its own web interface. Deployed widely in small offices and some legacy enterprise environments.
Pros
+ No controller SPOF
+ Simple to understand
+ Works with any switch
Cons
- No centralized roaming optimization
- No uniform policy enforcement
- Config changes must be made per-AP
- No RF management across APs
Examples: Meraki (cloud-managed but functionally autonomous), small business setups, legacy Cisco autonomous IOS APs
Controller-Based AP (Split-MAC)
The MAC layer is split: real-time MAC functions (acknowledgements, retransmissions, frame timing) stay at the AP. Control MAC functions (authentication, association, roaming decisions, QoS policies) are handled by the controller over a CAPWAP tunnel. The AP is "lightweight" (thin/lean) - it cannot operate without the controller.
Pros
+ Centralized roaming (sub-50ms)
+ Uniform policy across all APs
+ Centralized RF management (RRM)
+ Single point of management
Cons
- Controller is a SPOF (mitigated by HA pairs)
- CAPWAP tunnel adds latency for control frames
- License costs per AP
Examples: Cisco WLC (9800 series), Aruba Mobility Controller, Ruckus SmartZone, Juniper Mist (cloud controller)
Cloud-Managed AP
Hybrid model. The AP is functionally autonomous (data plane is local - traffic does not backhaul to cloud). Management, policy, and analytics are delivered from a cloud controller via HTTPS. The AP downloads policy on boot and operates independently if cloud connectivity drops.
Pros
+ No on-premises controller
+ Automatic firmware updates
+ Multi-site management from single pane
+ Lower upfront cost
Cons
- Requires reliable internet - some features degrade offline
- Cloud subscription cost
- Less real-time control than on-prem controller
Examples: Cisco Meraki (MX+MR), Aruba Central, Juniper Mist (AI-driven), Ubiquiti UniFi, Ruckus One
// split-mac architecture - what stays at the ap vs what goes to the controller
At the AP (local MAC)
802.11 frame transmit/receive
ACK frame generation (timing-critical)
PHY layer operations
Beacon transmission
Probe response
RTS/CTS exchange
A-MPDU aggregation / Block ACK
RSSI measurement + radiotap
At the controller (control MAC)
Authentication (802.1X/RADIUS proxy)
Association decision
Roaming decision + fast roam
QoS policy enforcement
ACL and firewall rules
Channel and power management (RRM)
Client load balancing
Mobility anchor for L3 roaming
Rogue AP detection + containment
CAPWAP (RFC 5415): The tunnel between AP and controller. Control plane and data plane both travel in CAPWAP. Some controllers use FlexConnect / OfficeExtend to allow local data plane breakout at remote sites - critical for branch AP deployments where backhauling all traffic to a central controller would be impractical.
// distribution system services (DSS) - ieee 802.11-2020 §6
Association
Maps STA to AP. Required before data frames can flow. AP informs DS of client location.
Reassociation
Client moves to new AP. New AP informs DS. Old AP releases association.
Disassociation
Terminates association. Either party can initiate. STA or AP sends Disassoc frame.
Authentication
Proves STA identity to AP. Open System Auth in 802.11; real security = 802.1X.
Deauthentication
Terminates authentication. Stronger than disassociation - resets to State 1.
Distribution
Delivers MSDUs between BSSes via the DS. The core function.
Integration
Delivers MSDUs between DS and non-802.11 networks (Ethernet). Via a portal.