Showing results for 
Search instead for 
Did you mean: 

vSZ-D - behaviour of wireless clients connected to the same SSID

New Contributor II


I couldn't find an answer to this anywhere so I suspect it might be an obvious answer.

Theoretical Scenario:

  • 10 x APs at local site - One WLAN. One VLAN for AP management and and the other is the access VLAN on the single WLAN.
  • vSZ-E and vSZ-D hosted at a remote site - tunelling enabled on the WLAN.


  1. If two wireless clients are connected to the same AP at the local site, will traffic between them be forwarded via the data plane at the remote site or will it remain local?
  2. If two wireless clients are connected to different APs at the local site, will traffic between them be forwarded via the data plane at the remote site or will it remain local?

Bonus question: Can the wireless clients recieve DHCP leases from a DHCP server at the local site subnet? Or will they be forced to go via the Data Plane?

From what I've read, the Split Tunnel Profile may facilitate in keeping local traffic local but I could have issues with DHCP?

Licensing wise, the scenario above would require a license for vSZ-E, vSZ-D, 10 x APs, 10 x tunnels. Anything else?



RUCKUS Team Member

Hello ToastE,

My colleague forwarded your questions to me. Here are the answers for your questions

For your question 1: 

I assume the wireless clients in this case are on the same IP subnet, if so, traffic between these 2 wireless clients will be on the Wireless side and will not be seen at AP WAN port.

My Wireless packet capture shows the packets are sending to clients directly via AP WLAN interface and nothing at AP port or at vDP.

For your questions 2:

Traffic between wireless clients will be tunneling to vDP because AP just knows its current associated wireless clients.

My vDP packet capture shows:

Wireless client 1 ==== AP 1 ==== vDP==== AP 2 ==== Wireless client 2, and vice-versa.

For your Bonus question:

WLAN tunneling is the prerequisite for Spit-tunnel feature. Without checking the option WLAN Tunneling, the Split-Tunnel option will not display. This means wireless client MUST receive IP address from DHCP server behind the tunnel.


View solution in original post



Dear ToastE,

if the Tunnel is used or not is based on the settings in the SSID if you set tunnel mode on or off.

If you bridge traffic only without tunnel mode, you can access the local dhcp server on the network depending which vlan you use. In "tunnel mode" all traffic from the specific SSID is tunneled to the vdp and broke out there to default vlan or the vlan you set. 

That means the client does not hit your network in any way except out of the dataplane.

It is a very common use case for a guest wifi where you need to make sure that the "guest" cannot harm your network in any way.



PS: Please read through the vdp requirements. It is a modded kernel and drive the vCPUs assigned to over 80% (1 is management restart are forwarding CPUs). That means you throw in minimal configuration 3 real cores of your cpu and vm host away.

New Contributor II

Thanks for the reply.

So to clarify, in tunnel mode, all traffic between clients will transit the virtual data plane instance?

In bridge mode (the normal, default mode?) the tunnel is never used and so traffic never transits the virtual data plane instance?


Dear ToastE,

this is correct and but it depends on setting that wifi clients can see each other in that specific SSID in tunnel mode or not. But if you mean if they can see a client on the other side of tunnel this is correct.

So they would be able to use a DHCP Server in that specific SSID that you put in WiFi if no wireless client isolation is set, but I would not recommend to put such a essential service on WiFi if not really needed. I would Position the dhcp service on other side behind the vdp.



Dear ToastE,

another thing. I never traced down the exact traffic flow from tunneled SSID. But I am pretty sure that between different APs it is exchanged via vdp. As the clients will never hit any switch till they go out of vdp. I am just not sure with several cleints on same AP.