Cisco Meraki Documentation

Wireless Mesh Networking

In a wireless mesh deployment, multiple access points (with or without Ethernet connections) communicate over wireless interfaces to form a single network. This wireless communication between access points is called mesh networking. Meraki's mesh networking functionality is automatic, self-healing and available on all access points.


A detailed article on designing wireless Mesh networks can be found here.

Mesh Network Components

In a mesh network, access points can be in one of two states: Gateway, or Repeater.


Gateway access points are connected directly to the wired network, which gives them an uplink to the Internet. If a gateway loses its Internet connection, it will look for a nearby gateway and automatically fail over to acting as a repeater, without dropping active wireless client connections.


Meraki determines whether a device should be a repeater or a gateway on boot when the unit sends out a DHCP request. If it receives a DHCP reply from a device on the wired network, it assumes that it has a valid LAN connection and will become a gateway access point. If a gateway access point is unable to reach the LAN gateway/upstream router, the access point will fail over to repeater mode.


Repeater access points are not directly connected to the wired network, instead relying on wireless mesh links to reach the Internet. As long as the repeater has power and a strong (unobstructed, line-of-sight) wireless connection to another repeater or gateway, it will form a mesh link.


Please note, it is not possible to configure a static IP address for a repeater access point; doing so will automatically designate the device as a gateway instead of a repeater.

Note: Both gateways and repeaters can serve wireless clients. It is possible to have multiple gateways in a mesh network, and each repeater will automatically choose the gateway to which it has the strongest connection.

Note: Only Cisco Meraki access points can function as repeaters and gateways. Wireless MX security appliances, Z-Series teleworker gateways, and third-party access points cannot participate in a wireless mesh.

Identifying a Repeater access point vs Gateway access point

  1. Navigate to Wireless > Monitor > Access points

  2. Click the Gear icon on the right-hand side and make sure the Gateway option is selected.

  3. A gateway access point will be listed as "(self)" under the Gateway column, while a repeater access point will list some other access point in the network (denoting that it is using that access point as its gateway).

  4. An additional way to identify a gateway or repeater access point is by checking the LAN IP section on the access point's details page.

  5. A gateway access point will show a LAN IP address and give you the ability to assign an IP address.

  6. A repeater access point will leave the LAN IP section blank.

  7. A repeater's details page also shows information about its route to the mesh gateway. This information is displayed on the Summary tab under the Live Data and Historical device data.



Meraki Mesh Algorithm

Meraki devices in a mesh network configuration communicate using a proprietary routing protocol designed by Meraki. This protocol is designed specifically for wireless mesh networking and accounts for several unique characteristics of wireless networks (including variable link quality caused by noise or multi-path interference, as well as the performance impact of routing traffic through multiple hops). This protocol is also designed to provide ease of deployment while maintaining low channel overhead.


As part of the self-healing nature of meshing, the access points will automatically detect each other and select the best route to a wired gateway. All Cisco Meraki access points that support meshing will automatically try to mesh if they lose their wired connection, or be available for connections from repeaters if connected as a gateway. To that end, it is generally recommended to allow auto-channel selection in networks with repeaters.




Each access point in the Meraki mesh network constantly updates its routing tables with the optimal path to network gateways. If the ideal path changes due to node failure or route metric, traffic will flow via the best-known path. Data traffic sent between devices in a Cisco Meraki network is encrypted using the Advanced Encryption Standard (AES) algorithm.  

In the event of a mesh gateway failure or the emergence of a new mesh gateway with a better routing metric (lower metric equals better route), all new traffic flows will be routed to the new mesh gateway. The current route to a given mesh gateway may change over time, to adapt to network conditions.

Mesh and Repeater Modes

When the access point boots up initially, it will always try to get an IP address over the wired interface. If the access point does not get an IP address, it will go into mesh mode and start looking for the gateway. The access point continues to request an IP address via DHCP on the wired interface even while it is in mesh mode.

If an access point gets an IP address, it enters gateway mode and starts broadcasting mesh probes.

Mesh Probes

Each Meraki access point sends out link probe packets (known as mesh probes) at different bit rates and varying sizes. Because these packets are sent as broadcast frames, no ACK frames are needed from receiving stations. Four different types of probes at different data rates are sent in a batch of 15 seconds on both bands (2.4/5 GHz). All access points listen to the mesh probes and, depending on the number of mesh probes correctly received, come up with a link quality metric as shown in the dashboard.

Gateway Selection

Once the access point goes into mesh mode, it scans all channels to collect information from all neighbors. If a valid neighbor (in-network access point or Meraki access point) is found, it goes to that channel. The configured channel has higher precedence if a valid neighbor is found on it. If no valid neighbor is found on any channel, it stays on the configured channel.

Based on the scan results, the repeater access point develops a table of all the detected gateways and their corresponding link quality metrics. Additionally, the number of hops is also considered, and preference is given to gateways with fewer hops. Once the access point hears all the neighboring access points, it finalizes a route based on the link quality and the number of hops.

While it is not possible to select which frequency band should be used for meshing, it is possible to manually adjust channel selections to direct the access point toward a desired behavior. To do this, refer to the article on manually changing channels in a mesh network. If it is desired for two access points to mesh on 5 GHz as opposed to 2.4 GHz, then the access points should both be set to the same 5 GHz channel, but different 2.4 GHz channels. Keep in mind though that a frequency band cannot be allocated specifically for meshing, and both bands will still be available for servicing clients unless the SSID is configured to use the 5 GHz band only.

When meshing with an out-of-network Meraki access point, the repeater only reaches out to the Meraki dashboard, and no client traffic is sent using this mesh connection. The idea is that the repeater can reach out to the dashboard to check for any config updates.

New Gateway Selection Logic

A repeater starts looking for an access point in two cases:

  1. When a gateway is down: If a gateway is not reachable for 3 minutes, the gateway is marked as down. Immediately after a gateway is marked as down, the access point starts scanning for new gateways. It will scan the entire spectrum (including 2.4 GHz and 5 GHz) and then select the best one that is available based on metrics. Higher preference is given to the configured static channel.

If an access point receives ARPs from the upstream gateway, the access point will not go into mesh mode.

  2. Repeater finds a better gateway: A repeater constantly evaluates the current channel it is operating on for better gateways, but each access point will send mesh info every 15 seconds. If the repeater finds an access point with a better link quality metric of even 1, the access point will move to the new gateway.

Gateway Change Process

In most cases, when the repeater changes gateway there are existing traffic flows that need to be considered and the repeater needs to ensure that the new gateway does not provide a degraded performance. To ensure seamless transfer of data flow and a good user experience, a repeater does not move traffic flows immediately. Existing traffic flows use the old route for 5 seconds before being transferred to the new route using the new gateway.

Impact of Meshing on Throughput

Because wireless communication is half-duplex and signals passed through a repeater access point must be retransmitted to the next hop, throughput is greatly reduced when using a repeater. While many factors impact wireless throughput, it is safe to assume that the addition of meshing can reduce throughput by approximately 50%, with that reduction being applied for each subsequent repeater that must be traversed to reach a gateway. Therefore, it is advised to minimize the number of hops between a client and gateway.

Advantages of Cisco Meraki Mesh Networks

Each repeater access point in a Cisco Meraki network transmits and receives the signal it receives from its gateway (Wired) access point so that other unwired access points (repeaters) in the network can share the connection and extend the range. Meraki repeaters use a mesh algorithm to determine the best route between access points to a gateway access point that is physically connected to your LAN.

Data traffic sent between devices in a Cisco Meraki network is encrypted using the Advanced Encryption Standard (AES) algorithm. 

Monitoring Mesh

Mesh monitoring tools are located at the bottom of every access point detail page, which can be accessed by navigating to Wireless > Monitor > Access Points, then clicking on an Access Point.

The image below shows an example access point acting as a repeater. The time selector at the top right-hand corner will adjust the timeframe of all of the UI components in the mesh monitoring section of the UI.

The time selector may select data from:

  • 2 Hours

  • 1 day

  • 1 week

  • 1 month




Mesh Routes

The Routes Table shows the routes used by different flows over time. As new routes are selected, they are added to the routes table. The overall amount of traffic per-route over the time period selected is shown in the Usage column. The Metric is also displayed in this table, representing a combination of loss and packet delivery times. Avg. Mbps throughput values are also provided for customers to gauge the capacity of that particular mesh route.

Mesh Neighbors

The Mesh Neighbors table can be found on the Summary Tab on the access point details page and shows the access points that have been discovered automatically. The link quality is a metric that takes into account signal strength and packet delivery success rates in each direction. A link quality of 70% or higher is recommended for a strong link.
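The throughput rule of thumb and the 70% link quality recommendation can be checked together across a topology. The sketch below is an added example, not Meraki code: it walks each access point's route to its wired gateway, counts hops, estimates the remaining throughput and flags weak or looping routes. The next-hop map, link quality values and AP names are constructed, and it assumes such data has been copied out of each repeater's route and neighbor tables.

```python
LINK_QUALITY_MIN = 70   # percent; the page recommends 70% or higher for a strong link
PER_HOP_FACTOR = 0.5    # page's rule of thumb: roughly 50% lost per repeater traversed

def route_to_gateway(ap, next_hop):
    """Follow next-hop entries from `ap` until an AP marked "(self)" (a gateway)."""
    path, seen = [ap], {ap}
    while next_hop.get(path[-1]) != "(self)":
        nxt = next_hop.get(path[-1])
        if nxt is None or nxt in seen:   # no entry or a routing loop: AP is stranded
            return None
        path.append(nxt)
        seen.add(nxt)
    return path

def audit_mesh(next_hop, link_quality):
    """Per AP: role, hops to the wired gateway, throughput estimate, weak links."""
    report = {}
    for ap in next_hop:
        path = route_to_gateway(ap, next_hop)
        if path is None:
            report[ap] = {"role": "stranded"}
            continue
        hops = len(path) - 1
        # A link with no recorded quality is treated as weak (assumption).
        weak = [(a, b) for a, b in zip(path, path[1:])
                if link_quality.get((a, b), 0) < LINK_QUALITY_MIN]
        report[ap] = {"role": "gateway" if hops == 0 else "repeater",
                      "gateway": path[-1], "hops": hops,
                      "throughput": PER_HOP_FACTOR ** hops, "weak_links": weak}
    return report

# Constructed sample data; "(self)" marks a gateway, borrowing the dashboard's convention.
NEXT_HOP = {"gw-lobby": "(self)", "rp-yard": "gw-lobby", "rp-dock": "rp-yard",
            "rp-a": "rp-b", "rp-b": "rp-a"}
LINK_QUALITY = {("rp-yard", "gw-lobby"): 85, ("rp-dock", "rp-yard"): 62}

if __name__ == "__main__":
    for ap, row in audit_mesh(NEXT_HOP, LINK_QUALITY).items():
        print(ap, row)
```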

Disabling Mesh

Meraki allows mesh to be disabled on Meraki access points. The toggle is a network-wide setting and is configured under Network-wide > Configure > General > Device configuration.


Disabling mesh will stop the access points from broadcasting the Mesh SSID to save airtime. 

New Mesh Features in MR 29.1+ Firmware

Mesh Encryption Improvements

MR 29.1 firmware supports robust WPA3-equivalent encryption with a SHA256 key for data packets between mesh peers in the 2.4/5 GHz bands, while previous MR firmware versions (MR 27.X, MR 28.X) support AES-CCM (SHA1) for mesh encryption.

Please refer to the table below for the correlation between access point product families and models.


| Product Family | Models |
|---|---|
| Wi-Fi 5 Wave 2 | MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84 |
| Wi-Fi 6 | MR28, MR36, MR36H, MR44, MR46, MR56, MR46E, MR76, MR78, MR86 |
| Wi-Fi 6E | MR57, CW9162-MR, CW9164-MR, CW9166-MR |


Please refer to the table below to compare different MR generations and mesh encryption types in MR 29 firmware.

| MR Generation | Mesh Band | Mesh Encryption |
|---|---|---|
| Wi-Fi 6E | 2.4/5 GHz | AES CCM (SHA1* / SHA256) |
| Wi-Fi 6 | 2.4/5 GHz | |
| Wi-Fi 5 Wave 2 | 2.4/5 GHz | |

* Used as a fallback mechanism if a mesh peer does not support SHA256. 
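Because a mesh link falls back to SHA1 whenever one peer lacks SHA256 support, a mixed-firmware network can be audited link by link. The following is an added example, not Meraki code: it flags every mesh link that has a peer older than MR 29.1. The inventory, link list, AP names and firmware string format are constructed, and it assumes firmware version alone determines SHA256 support.

```python
import re

SHA256_MIN = (29, 1)  # first firmware the page lists with SHA256 mesh encryption

def parse_fw(version):
    """Turn 'MR 29.1' or 'MR 28.6.1' into a comparable (major, minor) tuple."""
    m = re.search(r"(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def audit_links(firmware, links):
    """Classify each mesh link; 'peers' names the APs that force SHA1 or are unknown."""
    report = []
    for a, b in links:
        unknown = [ap for ap in (a, b) if ap not in firmware]
        if unknown:  # cannot decide without both firmware versions
            report.append({"link": (a, b), "mode": "unknown", "peers": unknown})
            continue
        # Per the page, SHA1 is used when a mesh peer does not support SHA256.
        old = [ap for ap in (a, b) if parse_fw(firmware[ap]) < SHA256_MIN]
        report.append({"link": (a, b), "mode": "SHA1" if old else "SHA256",
                       "peers": old})
    return report

# Constructed inventory: AP name -> firmware string (the format is an assumption).
FIRMWARE = {"gw-lobby": "MR 29.1", "rp-yard": "MR 28.6",
            "rp-dock": "MR 29.5.1", "gw-annex": "MR 27.7.1"}
# Constructed mesh links as (repeater, gateway) pairs.
LINKS = [("rp-yard", "gw-lobby"), ("rp-dock", "gw-lobby"),
         ("rp-dock", "gw-annex"), ("rp-roof", "gw-lobby")]

if __name__ == "__main__":
    for row in audit_links(FIRMWARE, LINKS):
        print(row)
```

The `peers` list for each SHA1 link is the set of access points to upgrade before that link can use SHA256.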

Preferred Gateway Configuration


The preferred gateway feature allows configuring a single preferred gateway for a repeater, creating a more predictable mesh topology.

Warning: When an access point, acting as a repeater, receives the preferred gateway configuration, the repeater will briefly disconnect all clients and mesh connections, which may result in a loss of connectivity to the Meraki dashboard.

For the above reasons, we recommend setting the preferred gateway as part of the repeater pre-staging process when the access point has a good wired uplink connection. In this case, the preferred gateway configuration will be saved and used when this access point loses its wired uplink and becomes a repeater.

Preferred Gateway Logic

Before the MR 29.X release, we recommended setting both the gateway and repeater to the same band and channel as part of pre-staging. However, if the preferred gateway is used, this is no longer necessary, as the repeater will automatically "tune in" to the channel/band where the preferred gateway is available.

Note: This feature is intended to work with one-hop mesh only. If the preferred gateway selected in the Meraki dashboard is the repeater itself, no preference is given to this preferred gateway when forming a mesh link.

Once the preferred gateway configuration is received, an access point will check if it can hear this gateway. If it can, the access point will use the band and channel where the gateway is available to negotiate the mesh link. If the negotiation process is successful, the mesh link is formed. However, if the mesh link fails to form, the access point will "blacklist" this band and channel combination for 10 minutes. This logic prevents a loop where the preferred gateway is reachable, but the mesh link repeatedly fails to form with the preferred gateway, and the process repeats indefinitely.

Regarding the band, the first preference is given to 5 GHz (if available for meshing). If an access point cannot form a mesh link with a preferred gateway on 5 GHz after 5 minutes of trying, the access point will try to form the mesh on 2.4 GHz. If this mesh formation fails again after 5 minutes, the access point will try creating a mesh link with other available (non-preferred) gateways nearby. This logic ensures that the repeater access point will not get stranded if the configured preferred gateway is not available or has inferior link quality.

If a preferred gateway is configured, but the repeater forms a mesh with an alternative (non-preferred) gateway, the repeater will try establishing the mesh with the preferred gateway when the mesh link with an alternative (non-preferred) gateway is lost upon rebooting.


To configure a preferred gateway, please follow these steps:

  • Navigate to Wireless > Monitor > Access points and select the access point you want to configure with a preferred gateway.
  • Click on the pencil next to the preferred gateway setting and pick the preferred gateway from a dropdown list.


  • Click Save