Mobility Express separating users WLAN from management

Pawel Leja
Level 1
Hello there!

So, I have a couple of Cisco Aironet 1832i access points in the company where I work. The target is to set up Mobility Express with two WLANs - one for management and a second for normal users. We don't want to let users have access to the management interface (so they can't ping the management IP or access it via a web browser).

Here is the configuration that I used.

On the Cisco ASA I made two interfaces, so they can act as gateways and DHCP servers:

- USER (port 1) 192.168.1.1 with DHCP pool in this subnet

- MGMT (port 2) 192.168.2.1 with DHCP pool in this subnet

On the switch:

- port 1 (plugged USER interface from ASA) Link Type: access, PVID: 50

- port 2 (plugged MGMT interface from ASA) Link Type: access, PVID: 1

- port 3 (plugged access point) Link Type: trunk, tagged: 50, PVID: 1

On the controller:

Interfaces:

- management - VLAN: untagged, IP address: 192.168.2.111/24, gate: 192.168.2.1, Type: static, Ap Mgr: Yes

- users - VLAN: 50, IP address: 192.168.1.111/24, gate: 192.168.1.1, Type: dynamic, Ap Mgr: No

WLANs:

- WLANMGT - interface: management

- WLANUSR - interface: users, VLAN: 50

So, here is the thing:

When I connect to WLANMGT, I get an IP address from DHCP (192.168.2.1 subnet). I can ping the management interface (192.168.2.111) on the controller and access it via a web browser.

When I connect to WLANUSR, I get an IP address from the other DHCP (192.168.1.1 subnet), but I can still ping the management interface and access it via a web browser.

My question is: what else do I need to configure so that when a user connects to WLANUSR, they get an IP address from the 192.168.1.1 subnet and won't be able to access the management interface? Is it even possible?

Thank you in advance for your answer,

Regards, Paweł Leja
