In our ongoing 6GHz AP Discovery series, we’ve examined the various ‘in-band discovery’ methods outlined below:

  1. FILS (Fast Initial Link Setup)
  2. UPR (Unsolicited Probe Responses )
  3. PSC (Preferred Scanning Channel)

In this post, we will explore the ‘out-of-band discovery’ method named “RNR – Reduced Neighbor Report”. The Reduced Neighbor Report (RNR) was introduced with the IEEE 802.11k amendment, where a client STA can request that the AP provide its neighboring APs in order to speed up discovery (rather than actively scanning all channels).

Our test topology evolved a bit over time. In the last post, I created a total of 9 WLANs in the 6GHz radio band (of the C9166 AP). Note that the security settings have been changed (per the below diagram) for those SSIDs even though the names remain ‘mrn-psk[X]’.

To explore ‘out of band discovery,’ I have created another SSID, ‘mrn-5GHz,’ which is only enabled on the 5GHz radio [CH165]. The idea is that clients can discover 6GHz SSIDs using 2.4GHz or 5.0GHz beacon frames.

Let’s examine a PCAP (airtool_multi_C9166_RNR_before.pcapng) without the 5GHz SSID enabled. As we discussed in previous posts in this series, Cisco 9166 uses FILS discovery frames to advertise the 6GHz SSID, in addition to doing so in Beacon frames. Since multiple SSIDs are available, it uses the ‘multiple BSSID’ feature to aggregate all of those SSIDs’ configurations into a single beacon frame.

Now let’s enable the 5GHz SSID and take a PCAP (airtool_multi_C9166_RNR_after1.pcapng) on CH165 [20 MHz] and CH53 [80 MHz]. You will notice that ‘FILS Discovery’ (or any other in-band discovery method) is no longer being used. If you look at the beacon frames of the 5GHz SSID ‘mrn-5GHz’, you will notice the special information element ‘Reduced Neighbor Report (RNR)’ included. You can verify those Short SSID values using a CRC-32 calculator.

You can refer to IEEE 802.11-2022 sec 9.4.2.170.2 for the exact frame format (as shown in the below image).

  1. TBTT Information Count – number of TBTTs of the neighbor AP minus 1 (in our case 7, meaning there are 8 BSSIDs)
  2. TBTT Information Length – length of each TBTT Information field included (1, 2, 5, 6, 7, 8, 9, 11, 12 & 13). In our case, it is 13, which means the information includes Neighbor AP TBTT Offset [1B], BSSID [6B], Short SSID [4B], BSS Parameters [1B], and 20MHz PSD [1B]
  3. Operating Class – indicates a channel starting frequency that, together with the Channel Number field, indicates the primary channel of the BSSs of the APs in this Neighbor AP Information field. In our case, channel 53 with Operating Class 133 indicates it is 80MHz with the primary channel on 53.
    131 – 20 MHz (starting freq 5950)
    132 – 40 MHz (starting freq 5950)
    133 – 80 MHz (starting freq 5950)
    134 – 160 MHz (starting freq 5950)
    135 – 80 MHz (starting freq 6425)
    136 – 20 MHz (starting freq 5925)
    137-179 – Reserved
  4. TBTT Offset – TBTT of an AP’s BSS from the immediately prior TBTT of the AP that transmits this element.
    254 – an offset of 254 TUs or higher
    255 – unknown offset value
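As an added example (not code from the original post), here is a Python decoder for the RNR element body laid out above: it walks each Neighbor AP Information field, uses the TBTT Information Length to pick the subfield layout (13 being the case captured here), and checks Short SSID values with the CRC-32 computation mentioned earlier. The sample bytes, BSSIDs and SSID names in `sample_element()` are constructed for the demonstration.

```python
import struct
import zlib

# Subfields present for each legal TBTT Information Length (802.11-2022 9.4.2.170.2); 13 is the
# case captured in the post: TBTT offset, BSSID, short SSID, BSS parameters, 20 MHz PSD.
LAYOUT = {
    1: ("tbtt_offset",), 2: ("tbtt_offset", "bss_params"),
    5: ("tbtt_offset", "short_ssid"), 6: ("tbtt_offset", "short_ssid", "bss_params"),
    7: ("tbtt_offset", "bssid"), 8: ("tbtt_offset", "bssid", "bss_params"),
    9: ("tbtt_offset", "bssid", "bss_params", "psd_20mhz"),
    11: ("tbtt_offset", "bssid", "short_ssid"),
    12: ("tbtt_offset", "bssid", "short_ssid", "bss_params"),
    13: ("tbtt_offset", "bssid", "short_ssid", "bss_params", "psd_20mhz"),
}
# struct codes: 1-byte offset/params, signed 1-byte PSD, 6-byte BSSID, little-endian u32 short SSID
FMT = {"tbtt_offset": "B", "bssid": "6s", "short_ssid": "I", "bss_params": "B", "psd_20mhz": "b"}

def short_ssid(ssid: bytes) -> int:
    """Short SSID is the CRC-32 of the SSID octets (the same CRC-32 used for the frame FCS)."""
    return zlib.crc32(ssid) & 0xFFFFFFFF

def parse_rnr(body: bytes) -> list:
    """Parse an RNR element body (bytes after Element ID 201 and Length) into one dict per BSS."""
    entries, pos = [], 0
    while pos + 4 <= len(body):
        # Neighbor AP Information field: TBTT Info Header (2 B LE), Operating Class, Channel Number
        hdr, op_class, channel = struct.unpack_from("<HBB", body, pos)
        pos += 4
        count = ((hdr >> 4) & 0xF) + 1   # B4-B7 carry "number of TBTT Information fields minus 1"
        length = hdr >> 8                # B8-B15: octets per TBTT Information field
        if length not in LAYOUT or pos + count * length > len(body):
            raise ValueError(f"malformed RNR: length={length} count={count}")
        fmt = "<" + "".join(FMT[f] for f in LAYOUT[length])
        for _ in range(count):
            e = dict(zip(LAYOUT[length], struct.unpack_from(fmt, body, pos)),
                     op_class=op_class, channel=channel)
            pos += length
            if "bssid" in e:
                e["bssid"] = ":".join(f"{b:02x}" for b in e["bssid"])
            entries.append(e)
    return entries

def sample_element() -> bytes:
    """Constructed test data (made-up BSSIDs): op class 133 / channel 53 as in the post, two 13-byte entries."""
    hdr = (1 << 4) | (13 << 8)           # type 0, not filtered, count-1 = 1, length 13
    field = struct.pack("<HBB", hdr, 133, 53)
    for i in (1, 2):
        field += struct.pack("<B6sIBb", 0, bytes([2, 0, 0, 0, 0, i]),
                             short_ssid(f"mrn-psk{i}".encode()), 0, 0)
    return field
```

To decode a real capture, pass the RNR element's payload (everything after the ID and Length octets) to `parse_rnr` and compare each `short_ssid` against `short_ssid(name.encode())` for the SSIDs you expect.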

If you are a tri-band (6GHz-capable) client, you now learn about all the 6GHz SSIDs available from a 2.4/5GHz beacon frame. This keeps the 6GHz band less congested, without all those ‘in-band discovery’ frames (FILS or UPR).

As shown below, my Apple MBP now shows me those 6GHz SSIDs and I can connect to them.

If you filter by my MBP MAC address (5c:e9:1e:97:66:d9) and the BSSID (for the ‘mrn-psk’ SSID), you can see successful client associations as shown below. Since the Apple client learns about the ‘mrn-psk’ BSSID through RNR, it directly probes for that SSID (frame #12504). The AP responds with a broadcast Probe Response (frame #12505) carrying Multiple BSSID elements to provide all the other SSIDs available on 6GHz. The client then completes WPA3-Personal (SAE) authentication and connects to the SSID.

Even though my Apple device is able to discover the 6GHz SSIDs using RNR, my Netgear USB adapter now appears to have difficulty consistently discovering the 6GHz SSIDs without FILS frames. I noticed those 6GHz SSIDs appear and disappear from time to time.

In summary, RNR (Reduced Neighbor Report) is the method most likely to be widely adopted by all 6GHz client devices. Still, you have to test it out and observe the clients’ behavior, as it can be inconsistent.

In the next post, we will summarize the 6GHz AP Discovery methods and behavior of Cisco 9800, Meraki, and Netgear APs (those are the APs I got in my lab setup) to conclude this blog series.