Can a separate IP address be created for device management when using the VC address for NATing local DHCP assigned addresses? Or, conversely, can a non-VC NAT address be used for locally assigned DHCP addresses?
Here's the issue: when using the local DHCP server on the IAP, the DHCP-assigned client addresses are NATed to the VC address, so, outside the IAP, all clients have the same IP address as the VC. But the VC address is also the address used to manage the device, so any rules created in corporate firewalls to allow management of the IAP also apply to the clients. Wireless clients should not have the same IP address as the management address of the device.
I understand that, internal to the IAP, access rules can be applied to the clients that would not apply to the VC, so, on paper, it might look like security has been applied, blocking clients from the enterprise management stations, but Enterprise Security will not, and should not, consider that a viable security solution (for one reason, doing so would place corporate security policy enforcement outside of the Security Organization's control).
Is there a way to separate the client IP address from the device management IP address?
-ScottD