You only need to connect the Zone Director to a Trunk port carrying WLAN service VLAN's if you plan to tunnel traffic from the AP's to the ZD. In general tunnel is only useful to solve some specific Layer 3 issues or if you require all data be sent to the data center.
Normally WLAN's/SSID's are configure for local breakout so that traffic from clients connected to those WLAN's exit the AP directly into the local network. In this case if you plan to segregate client traffic into different VLANs then the AP's must be connected to Trunk ports that carry these VLAN's as tagged. When you configure a WLAN/SSID with a VLAN client traffic sent to the AP will be tagged on egress into the AP and will be forwarded out the WAN port (normally the Ethernet port except with mesh which is always a trunk connection) tagged as configured.
For simplified installation it is best to leave the AP management as untagged. This will put AP management traffic, including ZD control, into the switch port on the native VLAN. This can be tagged in the switch if needed by network design, but requiring AP's to tag management traffic makes installing AP's and dealing with factory defaulted AP's more complicated as by default AP management traffic is untagged.
Those AP models are supported on ZD version 10.1.1.0. Which AP's are supported on a given version of ZD code can be determined by reading the Release notes for each ZD version. Release notes are available on the support site.
Once AP's Discover the ZD (by being in same IP subnet/vlan, using DHCP option43 or using manual command set director ip they will automatically be upgraded to the same version of code running on the ZD. Usually the bundled AP version is the same as the ZD version but it can be different. This can be checked on ZD from the Administer::Upgrade page using the "click here" link in the text
Your current software version is 10.0.1.0 build 35. To see the access points that can be managed, click here
I hope this answers your questions.
Thanks for choosing Ruckus Networks, an Arris company.
Thanks for such a detailed approach, though am trying to upgrade R500 to stand alone firmware using the zipped file from RUckus Portal of Release_220.127.116.11.194_All_AP_Images.zip but am getting an error Upgrade/Downgrade from FSI to UI is not allowed.
To improve security Ruckus introduced certificate sighed firmware image to prevent introducing a hacked version of code into the AP.
There are 3 types of firmware versions: UI -Unsigned Image - original type without certificate signed ISI - Intermediate signed certificate - a bridge between UI and FSI allowing upgrade or downgrade to either. FSI - Fully Signed Certificate
The rules are you can only upgrade or downgrade from FSI to ISI or from UI to ISI
AP standalone code 100.x is UI code so you cannot download an FSI image.
Starting in version 104.x AP images are ISI.
So try using a newer version of AP code (104 or above)
To verify which type of AP firmware you have you can use the: fw show allcommand from the AP CLI
ZD AP code 9.13. and Unleashed 200.2 introduced as ISI, either of these version can be used as bridges to newer FSI version of firmware or to go back to older UI versions of code.
This data should be available in the Release notes for each version
The main reason people tunnel traffic back to the ZD is for Guest traffic so that across an L3 network guest traffic is in a tunnel and then dumped out of the ZD onto a vlan that is then untagged onto a port on the firewall as a DMZ so that it cannot touch the corporate network. So unless you are tunneling traffic back to the ZD then normally the port connected to the ZD is an access port or untagged on the vlan you want it to be on for management and the same one the AP's are untagged on (normally).