Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring Wireless Mesh and Bridging


A wireless mesh is useful when you have a hard to reach area that needs network coverage. In this case, you can have one or more access point hops provide wireless service to the remote area. For more information about wireless mesh and bridging, see Understanding Wireless Mesh and Understanding Wireless Bridging.

Wireless Mesh is not supported by the Network Director 1.0 release.

This topic describes:

Create a Mesh SSID and Radio Profile for Access Point Portal Radios

Create a mesh SSID in a WLAN Service profile to be used by one of two radios on all mesh portal access points. This SSID is used for mesh link communications with the switch and other portals. It is not used for client associations. You must also have a unique Radio profile for mesh services.

  1. Configure a WLAN Service profile for mesh services, giving the SSID a name recognizable as a mesh connection. See Creating and Managing a WLAN Service Profile for directions. When creating the WLAN Service profile:
    • Enable Mesh on the Basic Settings tab. If this mesh will be a bridge, between buildings for example, also enable Bridging.

    • Do not associate an Authorization profile on the Basic Settings tab. Mesh does not work with this kind of authorization.

    • Select the security encryption WPA2 with the CCMP cipher on the Security tab. Also select PSK authentication on the Security tab and provide a passphrase. The passphrase must be the same one configured on the mesh access points.

  2. You must have a unique Radio profile for mesh services. Create a Radio profile, linking the mesh SSID WLAN that you created. For directions, see Creating and Managing a Radio Profile. In the profile, disable auto channel. Do not enable auto-tune power.

You will assign this SSID to the access points once they are configured.

Create an SSID and Radio Profile for Access Point Mesh Radios

Radios that do not serve as portals use a regular WLAN Service profile that you would use on any other access point. You can use an existing WLAN Service profile for these mesh radios or create a new one following the directions Creating and Managing a WLAN Service Profile.

Mesh radios can also use a Radio profile that you use on other access points. Either use an existing Radio profile for these mesh radios or create a new one following the directionsCreating and Managing a Radio Profile. Assign the Radio profile to all radios that are not serving as mesh portals. For directions, see Assigning a Radio Profile to Radios

Configure the Mesh Access Points

You need at least one access point portal, and can optionally have more portals and mesh access points. The difference between a mesh portal access point and a mesh access point is that a portal dedicates one radio to passing traffic back and forth from the switch. For this reason, you must use dual-radio access points for all mesh portals so that one radio can be used for mesh link communications (using the SSID reserved for this purpose) while the other radio is used for client associations.

Configure the mesh access points while they are connected to the controller—you will untether them after they are configured, then place them in the mesh. Use these CLI commands to configure the mesh access points:


For this release, you cannot configure mesh access points in Network Director. Mesh access points and bridging must be configured from the CLI.


To configure mesh access points:

  1. Attach the access points to your controller, apply power, and allow the access point to boot as a regular access points.
  2. Once the access point has booted, use the following CLI command to enable mesh services on the mesh access points.
    set ap apnum boot-configuration mesh mode enable
  3. Use the following CLI command to specify the pre-shared key on each access point—be sure that you used the same key you identified in the mesh SSID:
    set ap apnum boot-configuration mesh {psk-phrase pass-phrase | psk-raw raw-pass}

    When a pass-phrase is specified, it is converted into a raw hexadecimal key and stored in the access point boot configuration.

  4. The communication link between a access point and a controller is divided into TAPA and CAPWAP packets. The TAPA packets contain control traffic information and the CAPWAP packets contain client data. Use the following CLI command to set the TAPA control channel timeout on the access point.
    set ap apnum time-out

    The default timeout is 10 seconds but you should increase the timeout depending on the length of the mesh link. If DFS is enabled, you might want to increase the timeout to 140 seconds to allow the radio to scan channels.

  5. Use Network Director to assign the mesh SSID (WLAN Service profile) to one radio on each mesh portal access point. For directions, see Assigning a Radio Profile to Radios.
  6. Use Network Director to assign the regular SSID (WLAN Service profile) to the second radio on dual-radio access points and the single radio on single-radio access points. For directions, see Assigning a Radio Profile to Radios.

When using external antennas in conjunction with mesh configurations, enable mesh mode before configuring the external antenna. After adding and configuring the external antenna, reboot the access point.

Physically Set Up the Mesh Access Points

Disconnect all of the configured mesh access points from the controller and deploy them in the final location. Be sure a mesh portal access point (not just a mesh access point) is connected to the switch so the radio with the mesh SSID used for communications can connect the mesh to the switch. For a sample illustration of a mesh setup, see Understanding Wireless Mesh .


The mesh portal access point must be within radio range of any other mesh portal or mesh access point.

After the Mesh is Set Up

Mesh authentication uses the pre-shared key (PSK) information. If there are multiple mesh portals advertising the mesh SSID, the mesh access point selects the mesh portal with the strongest received signal strength indicator (RSSI) value. Once authentication is complete, the mesh access point searches for a switch using the identical control packet exchanges as do non-mesh access points on the network.

The mesh link is an authenticated encrypted radio link between mesh access points, and once the link is established, the mesh access point does not switch to another mesh portal unless the access point loses contact with the original mesh portal. When a mesh SSID is specified, the regulatory domain of the switch and the power restrictions are copied to the access point flash memory. This prevents the mesh access point from operating outside of regulatory limits after booting and before receiving a complete configuration from the switch. Consequently, it is important that the regulatory and antenna information specified on the switch reflects the locale where the mesh access point is to be deployed, in order to avoid regulatory violations.

Make Any Further Changes to Mesh Access Points From the Switch

After the mesh access points are installed in a final location, and establish a connection to the mesh portal, you can do any further configuration from the switch CLI.