Mesh networks
A mesh network is a group of access points connected through a backhaul SSID. Together, they act as a single wireless access point by broadcasting the same fronthaul SSID that wireless devices connect to.
Overview
You can configure Sophos APX or AP6 series access points with a mesh network. A mesh network allows access points to create a backhaul SSID to communicate with each other wirelessly. A backhaul SSID is a private SSID visible only to other access points configured with the same mesh network. The access points wirelessly connect different segments of the network. You can use mesh networks for environments where physical cabling isn't available for all access points. You can manage mesh networks from Sophos Central or using the local GUI on AP6 series access points.
Root and node access points
Access points have one of two roles within a mesh network:
- Root: The root access point controls and manages the configuration updates to all other nodes in the mesh network. The root access point requires a physical Ethernet connection to the network.
- Node: Node access points connect to the root access point within the mesh network. Nodes don't need a physical connection to the network.
Backhaul
Node access points communicate with the root through the backhaul, which can be wireless, wired, or a mix of both. The only difference between them is the method the mesh access points use to communicate with each other. Wireless features and functionality remain the same.
Wireless backhaul
AP6 mesh networks with wireless backhauls support up to five node access points.
A wireless backhaul lets node access points communicate with the root using the 2.4 GHz, 5 GHz, or 6 GHz frequency bands. All mesh and device traffic is sent wirelessly to the root.
A wireless backhaul is convenient because you don't need to run cabling to the node access points, other than for PoE. This makes it ideal for environments where pulling cabling is costly, difficult, or impossible. The lack of cabling lets you rapidly expand a mesh network to areas without coverage or cabling. You can also use a wireless backhaul to connect network segments across large, open areas, such as streets and courtyards, using directional antennas.
While a wireless backhaul is convenient, it's affected by wireless and co-channel interference. When planning a mesh deployment with a wireless backhaul, you must make sure the nodes have a clear line of sight to each other and the root. You must also plan your channel selection and transmitting power accordingly to keep the backhaul channel clear of interference. When you've determined the best channels to use, turn off autochannel and set them manually to prevent them from changing.
Wired backhaul
AP6 mesh networks with wired backhauls support up to eight node access points.
If all node access points have a wired connection to the network, you can create a wired backhaul. In this scenario, all communication between access points takes place over the wired LAN. This maximizes bandwidth by reserving the wireless radios entirely for wireless devices. A wired backhaul is also significantly more reliable than a wireless backhaul and requires less preparation and configuration to avoid interference.
A limitation of a wired backhaul is the cabling required to set it up. Not all environments require network cabling to be run to every mesh node. You must also make sure you configure the network hardware connecting the nodes with the appropriate VLANs and protocols, such as STP, to prevent network loops.
Mesh network types
Mesh networks take one of two forms:
- Network repeater: A mesh access point can broadcast the SSID from the root access point to cover a larger area without cables. You can configure multiple node access points with one root access point. There can be multiple root access points.
- Network bridge: A mesh network can bridge Ethernet networks without laying cables. To create a wireless bridge, you have to plug your second network segment into the Ethernet interface of the node access point. The first Ethernet segment is the one on which the root access point connects to Sophos Central.
Add and remove mesh networks
You can add and remove mesh networks from the access point details page. See Assigned SSIDs.
Restrictions
Mesh networks have the following restrictions:
- When setting up a mesh network, you must create a new backhaul SSID.
- You must connect all access points to a LAN during the initial setup of the mesh deployment.
- An access point can have only one mesh backhaul SSID.
- The root access point must have a LAN connection.
- Mesh access points must be on the same channel. We recommend disabling autochannel and manually setting the backhaul radio to the desired channel.
- There's no automatic takeover of the root access point. The connection to a mesh network occurs during startup.
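As an added example (not Sophos code and not a Sophos API or export format), the following Python function checks a planned mesh deployment against the node limits and restrictions stated on this page before you configure it. The `MeshAP` record, its field names, `check_mesh_plan`, and the sample plan are assumptions made for the example; the page gives no node limit for a mixed backhaul, so none is enforced.

```python
from dataclasses import dataclass

# Node limits stated on this page for AP6 meshes; none is given for a mixed backhaul.
MAX_NODES = {"wireless": 5, "wired": 8}

@dataclass
class MeshAP:                      # hypothetical inventory record, not a Sophos format
    name: str
    role: str                      # "root" or "node"
    has_lan: bool                  # wired Ethernet connection to the LAN
    backhaul_ssids: tuple          # backhaul SSIDs assigned to this access point
    channel: int                   # channel of the backhaul radio
    autochannel: bool              # True if autochannel is still enabled

def check_mesh_plan(aps, backhaul):
    """Return a list of findings; an empty list means no rule on this page is broken."""
    findings = []
    roots = [ap for ap in aps if ap.role == "root"]
    nodes = [ap for ap in aps if ap.role == "node"]
    if not roots:
        findings.append("no root access point defined")
    for ap in roots:
        if not ap.has_lan:
            findings.append(f"{ap.name}: root must have a LAN connection")
    limit = MAX_NODES.get(backhaul)
    if limit is not None and len(nodes) > limit:
        findings.append(f"{len(nodes)} nodes exceeds the {backhaul} backhaul limit of {limit}")
    if backhaul == "wired":
        for ap in nodes:
            if not ap.has_lan:
                findings.append(f"{ap.name}: wired backhaul needs a wired connection")
    for ap in aps:
        if len(ap.backhaul_ssids) > 1:
            findings.append(f"{ap.name}: can have only one mesh backhaul SSID")
        if ap.autochannel:
            findings.append(f"{ap.name}: autochannel is on; set the channel manually")
    if len({ap.channel for ap in aps}) > 1:
        findings.append("mesh access points are not all on the same channel")
    return findings

# Constructed sample plan: a wireless-backhaul mesh with one root and two nodes.
SAMPLE = [
    MeshAP("root-1", "root", True, ("mesh-bh",), 36, False),
    MeshAP("node-1", "node", False, ("mesh-bh",), 36, False),
    MeshAP("node-2", "node", False, ("mesh-bh",), 44, True),
]

if __name__ == "__main__":
    print("\n".join(check_mesh_plan(SAMPLE, "wireless")))
```

For the sample plan, the function reports that node-2 still has autochannel enabled and that the access points are not all on the same channel.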