Still not following what you are saying.  Are you wanting to have wireless clients associate to "different" SSIDs, thus "different"  VLANs so their traffic is separated?  The info I posted above still applies.

Can you be more specific about what you are wanting to achieve?  You can always give everyone helmets so that nobody gets hurt during the attack.

thank you for your reply.

actually, i am trying to set up a wirelss controller with 20 aps in one apartment, providing shared internet access only, with a few vlans. 

Planning to buy 2504 wlc, an esw switch and aironet 1042.

what is the best way to protect all the tenants?

You still haven't described how you want this to work.  Remember, the controller is not a router.  You cannot just create VLANs and L3 interfaces to route those VLANS "on" the WLC.  These need to be defined on a L3 device elsewhere.

1. 20 APs in "one apartment"?  I assume you mean at one apartment "complex", but that's not the point of concern, yet

2. You say shared internet access only, "with a few vlans".  Are you wanting multiple guest WLANS, each on their own VLAN, or to provide the same SSID to "ALL" of these clients needing internet?  If so, a few VLANs aren't needed for this pool of clients on a single WLAN; just one, unless you are talking about using interface groups, but that's another story.

3. If you are just saying "how do you protect tenants that are using the same shared guest WLAN from one another" that's not really up to you to deal with.  Clients should be educated on steps to take to ensure their machines are protected, such as windows/software firewall, security applications, etc.  Once they are all on the same guest network, the chickens are in the ring; so if a client is trying to mess with another guest, there isn't much you can do.

i know the key word i want to ask finally,

1 guest vlan and maybe 1 vlan for tenant and 1vlan for management

Does 2504 suppor CLIENT ISOLATION? Will client isolation protect them from other tenants?

if i enable the p2p bloack action, will this prevent tenant 1 from attacking or hacking to tenant 2's computer?

Loon Phang,

There is a feature called Peer-to-Peer blocking that can be enabled. But Davids comments above still hold, there must be a L3 device, i.e. router, that the wlan controller connects to. Other wise the traffic for any of your wlans/vlans will only be in the controller and not routed to the internet.

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_wlan.html#wp1209597

Loon,

p2p blocking will do what you are asking. This feature can be enabled per wlan to prevent clients of that wlan talking to each other.  I do not know if you can prevent clients from different wlans talking to each other though (especially if its two wlans, but the same vlan).

As far as what everyone else is saying, the WLC is just a device that puts clients in whatever vlan you say.  The assumption is that you have a switch and router upstream that are handling these tasks.  The WLC is not like your consumer home all in one router.....

I'm going to assume you do have upstream router/switch, since you are deploying 20 APs....

.