It appears that currently the option under Network " Management VLAN Access" when set to just wireless still allows management VLAN tagging from the ethernet port upstream to all ip's except for the SMs. (IE: I can set my VLAN on my PC to the management VLAN of the SM and can then reach upstream targets of the SM on all ip's in that management vlan except for the local SMs IP. The expected behavior is similar to the PMP4xx line where any data with the management VLAN would not pass upstream if wireless only is selected.)
This feature is working more like an IP ACL and not actually blocking that specific management vlan.
We tested this on 4.3.1 with Force 300-25
Config attached with "redacted info" replacing some sensative/ip/password info in the config file.
Thanks for reporting. We will investigate this problem.
I checked this in a lab and indeed if you are not using Data VLAN then you are able to access the entire management VLAN from behind SM. "Management VLAN Access" do not block the entire VLAN but just access to this particular device. I would say this is expected behavior. You can block access with L2 firewall if you need to restrict specific VLAN or use Data VLAN to block all tagged traffic from behind SM.
This is definitly not the behavior that the 4xx platform has and would pose a significant security risk to management VLAN if your not using a data vlan also. The setting "wireless only" should logically allow only that VLAN access wirelessly not via wired ethernet unless the "wireless and ethernet" option is selected.
The idea that there might be a device you might want to manage behind the SM in the management VLAN(eg client router).
Still we have multiple ways to block it.