To back up a bit - what I am trying to do is secure the port so that I can use RAPs on what is effectively an internal network, so it is not really related to wired clients. I need the RAPs to access the controller via the address on VLAN x, but what happens is, when provisioning a RAP108, the controller provides its address on its management interface as the location for FTP download of the AP image. The download works because the controller internally routes between VLAN x and the management interface. The problem is that if someone were to unplug the RAP and connect a laptop to VLAN x, they can access all controller interfaces because the controller routes to them. I wanted to turn off inter-VLAN routing, but I think this will prevent the AP image being downloaded by the RAP.
I noticed on the port channel interface that I can add a VLAN firewall policy. Can I add a policy on the RAP VLAN that just allows 4500 and DHCP that will not affect any other VLANs in the same port channel? Do I have to make VLAN x untrusted?
Secondly, I want to restrict access to the controller GUI to only our management VLAN - can I apply a firewall policy to the port channel in addition to a firewall VLAN policy?