Power save methods allow battery-operated devices to save power by shutting down their wireless radios. While devices are in a sleep state, the AP buffers frames destined for it. The legacy power management methods were defined in the original 802.11 standard; however, major improvements have been added in both 802.11e-2005 and 802.11n-2009 amendments. There are also mentions of power save enhancements in both 802.11ac-2013 and 802.11ax-2018 amendments.
This post covers the information that you will be expected to know for the CWNA-107 and CWAP-403 exams. The objectives below specifically mention power save methods; it is also important, for both exams, to understand the types of frames used and where to find the fields/subfields.
CWNA-107 Objectives covered:
- 3.5 Explain 802.11 channel access methods
- 3.5.11 Power Save Modes
CWAP-403 Objectives covered:
- 5.1 Understand 802.11 contention algorithms in-depth and know how they impact WLANs
- 5.1.3 Wi-Fi Multimedia (WMM)
- WMM Power Save
- 5.1.3 Wi-Fi Multimedia (WMM)
- 6.5 Analyze behavior and resolve problems related to MAC layer operations
- 6.5.1 Power Save Operations
Legacy Power Management – 802.11–1997
Prior to 802.11e (2005), STAs used the PS-Poll control frame to request buffered frames from the AP after waking up. This method was inefficient because there was a PS-Poll frame sent for each buffered frame, when the client received a buffered frame that had the “more data” bit set to 1, it sends another PS-Poll until the value is 0. The STA must confirm receipt of buffered frames before they are removed from the APs buffer. Another way to describe this is that the TXOP is 0 for the STA requesting frames; after polling and receiving a frame, the STA must once again contend for the medium. Within the PS-Poll frame, the STA will include its own Association ID (AID). In the association request frame, a STA will indicate a listen interval; this value indicates how often the STA will wake to hear a beacon that includes a Traffic Indication Map (TIM) information element. The TIM is a list of all STAs in the BSS that have undelivered frames buffered on the AP. Delivery Traffic Indication Maps (DTIM) are used to send out group traffic (multicast/broadcast). All devices must be awake to “hear” the beacon that is marked as a DTIM.
Awake – the client station can receive frames and transmit frames.
Doze – the client station cannot receive or transmit any frames and operates in a very low power state to conserve power.
PS-Poll – A control frame the STA sends to an AP after receiving a beacon containing the STAs association ID (AID) in the TIM. The STA will send PS-Poll frames to the AP until it receives a frame from the AP with the “More Data” bit set to 0. A STA may not go back to sleep until its AID is clear from the TIM whereas APs may choose to delay response to the PS-Poll frame; this is vendor specific.
WMM-PS – 802.11e-2005
802.11e-2005 added many improvements to how traffic could be delivered. For both exams, 802.11e is a Chicago deep dish pizza with extra cheese. You need to know how it works, why it works, when it works, and what to look for in all 3 types of frames. What we care about right now is some of the sauce of our figurative pizza.
802.11e introduced Wi-Fi Multimedia (WMM) and Automatic Power Save Delivery (APSD) in two varieties, scheduled and unscheduled. Unscheduled (U-APSD) gets all the attention, it is the method that WMM-PS is based on; scheduled (S-APSD) is not in the objectives of either the CWNA or CWAP exam. The goal of APSD is to be more efficient than the PS-Poll method used previously. This is accomplished by replacing PS-Poll frames with trigger frames. The trigger frame can be ANY data frame; this increases the efficiency of the entire BSS by avoiding the use of the PS-Poll control frame altogether. When the AP sees that the STA is awake, it can send buffered frames in a TXOP burst. The client can also spend more time in a power save mode because it doesn’t have to stay awake, contending for the medium for each frame. The STA also benefits because it doesn’t have to wait for the beacon frame and look for its AID in the TIM, it can send a trigger frame as soon as it wakes up, after it acquires control of the medium, of course. The AP then checks for frames buffered for the previously sleeping STA and sends multiple buffered frames in a burst at its next TXOP (the next time it can gain control of the medium). The STA will once again send a null data frame with PWR MGT bit set to 1 to indicate it is going back to sleep. Note that, in 802.11ac networks, all data frames are sent as QoS data frames. Trigger frames will include an access category which they are requesting buffered frames from.
Below are the two primary “QoS Null function (No data)” frames sent by STAs to indicate that they are going to sleep and wake up.
This QoS Null Data frame with the PWR MGT set to 1 is the STA informing the AP that is now sleeping. The STA must receive an ACK before going to sleep. Frames destined for this STA will now be buffered until the AP receives a trigger frame.
This QoS Null Data frame with the PWR MGT set to 0 and QoS Control Field specifying the AC_VO access category is a trigger frame requesting buffered frames in the voice AC.
The figure below shows the WMM-PS frame exchange process.
Default TXOP values for each Access Category (AC)
The TXOP is the amount of time a STA can transmit without having to contend for the medium. It is important to understand what these values mean. A TXOP of 0 results in a STA only being able to send a single frame before being required to contend again. With default values (I have never changed TXOP values from the defaults in any deployment), any traffic sent in the BE or BK AC will only send one frame at a time. This is also true of the burst of buffered frames that the AP sends back to a previously sleeping STA.
802.11n introduced two additional power management methods. Both revolve around STAs partially powering off some of their radios to save power. We’ll cover the basics here. I found it more important to focus on the legacy and WMM-PS power management methods in my studies.
SM-PS – Spatial Multiplexing Power Save
With SM-PS, a device will power down all but one radio. This greatly reduces the data-rates achievable. The STA then becomes a 1×1:1 device, no longer supporting MIMO and many of the enhancements that come with 802.11n. STAs notify the AP they are connected to that they are powering off/on radios using a SM Power Save action frame. SM-PS has two modes of operation:
Static – Device uses SM Power Save action frames to notify AP when it powers on/off radios.
Dynamic – In dynamic mode, the device can power its radios back on before receiving a transmission using multiple streams or one that is part of a MIMO transmission. The STA will indicate in the SM Power Save action frame that is in dynamic mode. Before transmitting a frame, the AP will send an RTS frame to the STA. The STA will power up its radios and respond with a CTS.
PSMP – Power Save Multi-Poll
PSMP has scheduled and unscheduled modes, similar to APSD. The idea is that PSMP action frames are used to schedule up/downlink transmissions.
VHT TXOP PS – 802.11ac-2013
VHT TXOP Power Save was introduced in 802.11ac. The process is simple, if a STA sees that another STA has a TXOP it will power down its radio during the duration of the transmission. The longer the TXOP, the longer the sleep time, the more battery saved.
More information on 802.11n-2009 and 802.11ac-2013 can be found here.
Parts and Pieces
Traffic Indication Map (TIM) – Information element sent with every beacon; contains information about devices that have buffered unicast frames waiting to be sent. The AID of STAs with buffered frames are found in the Partial Virtual Bitmap. TIMs are part of both the legacy and WMM-PS implementations of power management.
Delivery Traffic Indication Map (DTIM) – A special type of TIM used to ensure all sleeping stations are awake to hear upcoming multicast/broadcast traffic. This interval can typically be configured on the AP/Controller. The AP will follow the normal TIM procedures of including AIDs of STAs that have unicast buffered frames that need to be transmitted. The DTIM interval is in the TIM information element. DTIMs are part of both the legacy and WMM-PS implementations of power management.
Power Management Subfield – Within the Frame Control Field, there is a one-bit subfield called the “Power Management Subfield”. That bit is either 0 – Awake or 1 – Sleeping after the transmission of the frame including the bit. This subfield is considered “reserved” (unable to be used) in transmissions from the AP and when a STA is transmitting to an AP before it is associated (such as probe requests). This subfield is used in both the legacy and WMM-PS implementations of power management.
WMM-PS Stations use null data frames with the PWR MGT flag set to 1, as shown below:
Listen Interval – Value sent in the Wireless Management field of association requests. Indicates how frequently the STA will wake to listen for TIM(s). Larger listen intervals enable devices to save more power by sleeping longer but tax APs by requiring them to buffer more frames during that time. The value used by the client indicates how many TIMs it will wait before waking up. A STA that uses a listen interval of 2 will “wake up” for every other TIM; an interval value of 3 will wake for every third TIM. Recall that every beacon frame is a TIM and that, in Cisco Wireless Controllers, the default DTIM value is 1, meaning every TIM is a DTIM.
Association ID (AID) – value found in the Association Response frame that is unique to a STA and is used for BSS management/control by the AP.
Within Wireshark, the following filter can be used to only show frames that have the Power Management bit set to 1:
wlan.fc.pwrmgt == 1
- PS-Poll is a control frame.
- Action frames are a type of management frame.
- WMM-PS uses null data trigger frames to request buffered frames.
- STAs will always use “More Data” = 0 in the Frame Control Field.
- APs will always use “PWR MGT” = 0 in the Frame Control Field.
- The default DTIM value on Cisco WLCs is 1; recommended values are either 1 or 2.
- The TBTT default is 100 TUs, or 102.4ms. APs must contend for the medium before transmitting beacons.
- WMM-PS trigger frames request buffered frames from a certain access category.
- Cisco wireless controllers apply QoS per-WLAN. In these networks, trigger frames will always include the access category of the QoS applied to the “SSID” (WLAN)
- Some devices that enter a software “power save” state may also disable entire radio chains to save power. This could take a 2×2:3 laptop to 1×1:1 which greatly reduces the data rates achievable during that time. This is unique per OS.
There are some clear improvements that have been made to power save methods since the legacy method in 1997. What I quickly picked up on is that, without QoS configured, most of the major benefits introduced with 802.11e WMM-PS are not realized. I consider the improvements in two ways, the first is the benefit of the device saving battery and the second is the benefit to the BSS becoming more efficient. With target beacon transmit times (TBTT) being 102.4ms, we can multiply 102.4ms by a device listen interval to understand how long a device will go to sleep for. Using my Google Pixel 3 XL to test, I found that it has a listen interval of 1 meaning that it will wake up for every beacon to review the TIM; this didn’t change when I enabled/disabled battery saver mode. For BSS efficiency, power save techniques moved to removing the use of the PS-Poll control frame, introduced the concept of trigger frames, and allowed the AP to send buffered frames in a burst. The trigger frame concept is a no-brainer; if the STA wakes up and begins to transmit, the AP sees that the STA is now awake and knows to send buffered frames. The process of sending buffered frames in burst adds most of the efficiency to the process. Instead of transmitting one frame at a time like the legacy method, send in a burst when the AP can get control of the medium. Only devices that send/receive frames in the AC_VO or AC_VI access categories will also benefit from this AP burst. This is because AC_BE and AC_BK have a default TXOP of 0.
I hope this explanation of power save/management helps you better understand and remember the parts and processes. I know I learned something new just from writing this post! It is one thing to know the concepts for the exam, it is another to understand how/when it works and what to expect in the real world. I’ve attached a PCAP below that shows some of the basic frame exchanges mentioned in this post. Feel free to share feedback! Thanks for reading!