Wireless & Wired Client Isolation Overview

Summary

Wireless and Wired Client Isolation prevent client-to-client communication on the same WLAN or AP Ethernet ports while still allowing access to upstream resources such as gateways and the internet. This enhances security in guest and shared environments. A known limitation is that Auto Gateway Whitelisting learns the gateway MAC only during enablement; gateway changes require manual or toggle-based relearning.

Question

What is the use of Wireless & Wired Client Isolation?

Customer Environment

The customer is using Ruckus SmartZone running 6.1.2.487.

Root Cause

Understanding how Wireless and Wired Client Isolation work and how they secure client networks.

Resolution

Wireless Client Isolation Overview

Wireless Client Isolation prevents WLAN clients from communicating with each other directly while still allowing access to upstream services such as:

  • Gateway
  • DHCP
  • DNS
  • Internet

This is commonly used in:

  • Guest networks
  • Public Wi-Fi deployments
  • Hospitality environments
  • Shared enterprise SSIDs

Traffic isolation can be customized for unicast, multicast, and broadcast packets.


Configuration – Wireless Client Isolation

  1. Navigate to the WLAN configuration page.
  2. Enable Wireless Client Isolation.
    • Unicast isolation is enabled by default.
    • Multicast/Broadcast isolation can be configured as needed.
  3. Enable VRRP/HSRP support if redundancy protocols are used.


Isolation Whitelist

Devices added to this list bypass isolation (e.g., printers, shared resources).


Auto Gateway Whitelisting

Automatically adds the gateway to the whitelist when the feature is first enabled.


Current Limitation – Auto Gateway Whitelisting

Auto Gateway Whitelisting only learns the gateway’s MAC address at the time of enablement.
If the gateway device is replaced later:

  • The new gateway MAC will not be learned automatically
  • Wireless clients may experience loss of connectivity to the gateway

How to Recover

To relearn the new gateway MAC:

  1. Toggle Client Isolation OFF → ON in the WLAN profile, or
  2. Manually whitelist the new gateway MAC address

This limitation should be considered in networks where gateway hardware changes are expected.
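
A drift check for the limitation above, as an added example that is not part of the original article or any Ruckus tooling: it compares the gateway MAC currently seen on the client subnet with the isolation whitelist. It assumes it runs on a Linux host in that subnet, takes `ip neigh show` output as text, and is given the whitelist as a hand-copied list; the function names and sample addresses are constructed for illustration.

```python
import re

# VRRP (IPv4) and HSRPv1 virtual-router MAC prefixes, first five octets.
VIRTUAL_PREFIXES = {"00:00:5e:00:01": "VRRP", "00:00:0c:07:ac": "HSRPv1"}

def norm_mac(mac):
    """Normalize AA-BB-.., aabb.ccdd.eeff or aa:bb:.. to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[-.:]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def gateway_mac(neigh_output, gateway_ip):
    """Return the MAC `ip neigh` reports for gateway_ip, or None if unresolved."""
    for line in neigh_output.splitlines():
        fields = line.split()
        # FAILED/INCOMPLETE entries carry no lladdr and are skipped.
        if fields and fields[0] == gateway_ip and "lladdr" in fields:
            return norm_mac(fields[fields.index("lladdr") + 1])
    return None

def check_whitelist(neigh_output, gateway_ip, whitelist):
    """Compare the live gateway MAC with the isolation whitelist."""
    live = gateway_mac(neigh_output, gateway_ip)
    if live is None:
        return ("UNKNOWN", f"no resolved neighbor entry for {gateway_ip}")
    if live in {norm_mac(m) for m in whitelist}:
        return ("OK", f"{live} is whitelisted")
    kind = VIRTUAL_PREFIXES.get(live[:14])
    note = f" ({kind} virtual MAC)" if kind else ""
    return ("DRIFT", f"gateway is now {live}{note}, not in whitelist")

# Constructed sample data: `ip neigh show` output after a gateway swap, and a
# hand-copied whitelist holding the old gateway MAC and a printer.
SAMPLE_NEIGH = """\
192.168.10.1 dev eth0 lladdr 02:00:00:aa:bb:02 REACHABLE
192.168.10.57 dev eth0 lladdr 02:00:00:10:20:30 STALE
192.168.10.99 dev eth0 FAILED
"""
WHITELIST = ["02-00-00-AA-BB-01", "0200.0010.2030"]

if __name__ == "__main__":
    print(check_whitelist(SAMPLE_NEIGH, "192.168.10.1", WHITELIST))
```

A `DRIFT` result after a gateway replacement is the cue to toggle Client Isolation or add the reported MAC to the whitelist by hand.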


Wired Client Isolation Overview

Wired Client Isolation provides similar protection for APs with multiple Ethernet ports.
Clients connected via Ethernet ports can reach upstream networks but cannot communicate with each other.

Typical use cases include:

  • Hotel rooms
  • Dormitories
  • Co-working spaces
  • Enterprise offices with shared wired access

Configuration – Wired Client Isolation

  1. Go to: Services → Tunnels and Ports → Ethernet Port
  2. Create a new Ethernet Port Profile (e.g., Wired Isolation)
  3. Enable Wired Client Isolation
  4. Configure unicast/multicast/broadcast traffic and VRRP handling
  5. Apply the port profile to specific AP models under Zone → AP Model Configuration
  6. Reboot the AP when prompted

This ensures that selected LAN ports (e.g., LAN2) operate with the same isolation behavior as wireless clients.

Related Articles

000006355, 000009959, 000013922

Article Number:
000014743

Updated:
January 09, 2026 09:10 AM (14 days ago)

Tags:
Configuration, Troubleshooting, SZ144, SZ300, SZ100
