Mesh networks

View deployment scenarios for configuring access points as root, repeater, or bridge.

An access point which is configured to use the mesh network turns into a repeater and scans for the mesh network, if it fails to connect. If a mesh network is found, the access point joins it as a client. An access point can be configured as root, repeater (mesh), or bridge. The role of access points gets determined on the network.

We recommend that you set the root access point to 5 GHz and client to 2.4 GHz. The maximum throughput of a mesh client, configured with 5 GHz, gets reduced by 50% per hop. This happens because data packets sent to the access point are forwarded to other access points which adds up to the airtime.

Deployment possibilities

In mesh mode, you can configure multiple mesh (repeater) access points with one root access point. There can be multiple root access points. A mesh access point can broadcast the SSID from the root access point to cover a larger area without using cables.


Network repeater diagram

A mesh network can also be used to bridge Ethernet networks without laying cables. To run a wireless bridge, you have to plug in your second Ethernet segment into the Ethernet interface of the mesh access point. The first Ethernet segment is the one on which the root access point connects to Sophos Central.


Network bridge diagram

Good to know

There are some things you should know about mesh networks:

  • You can create a mesh network only with Sophos access points.
  • For setting up a mesh network, you must create a new SSID.
  • You can have only one mesh SSID.
  • At least one access point must have a LAN connection.
  • Mesh access points must be on the same channel.
  • Avoid using dynamic channel selection as channels of access points may differ after a restart.
  • The mesh network may need up to five minutes to be available after configuration.
  • There is no automatic takeover of the root access point. The connection to a mesh occurs during a boot.
  • For APX access points, there is no need to specify the mesh role. If the mesh-enabled SSID is pushed to 2 APXs, the one with the existing ethernet connection becomes the root AP. Once the mesh-enabled SSIDs are pushed to the APXs, we recommend that you reboot them. During the boot sequence, if the AP has ethernet connectivity, then it becomes the root and the one without ethernet becomes the mesh client.
  • Mesh networks can only be created between access points of the same series. For example, APX access points can only create a mesh network with other APX access points.