On the AP you want to allow tagged and untagged, but only untagged on the SM.
The only time you would ever allow tagged traffic to cross the SM ethernet port is if you are managing the vlans downstream from the SM, or if you really, really trust your customer’s equipment to do it right (and if they snoop into your other VLANs, that’s because you didn’t take control!)
If you put all of your customers into VLANs other than 1 for both usage and management VLANs, then you can set the AP to tagged only.
VLAN 1 is typically untagged with most equipment (normal traffic), although you can configure Ciscos (for instance) to make any VLAN # the 'native' VLAN.
As far as VLAN security, it's all dependent on the SM doing the right thing. If the customer alters their SM, either in configuration or by hacking it or whatever, then they can do whatever they want on any VLAN. Ultimately, Motorola would be a lot better off if there were strong authentication from AP<->SM and if the AP enforced VLAN controls on a per-client and per-packet basis.
As for my diplomacy skills... Well, Jerry, I'm sorry that I called your idea retarded. Silly might be a nicer way to put it.
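The per-client, per-packet VLAN enforcement the post wishes the AP did can be modelled in a few dozen lines. The block below is an added example written for this page, not code from the poster or from Motorola: it parses the 802.1Q header out of a raw Ethernet frame and then applies a hypothetical per-SM policy table (the SM names, MAC addresses and VLAN numbers are all made up) so that an untagged-only customer who starts tagging frames, or a downstream-managed customer who tags with a VLAN they were not given, is dropped at the AP regardless of what the SM does. Priority-tagged frames (VID 0) are treated as untagged, as 802.1Q specifies, and the native VLAN is whatever the policy assigns per customer rather than a fixed 1.

```python
"""Toy model of an AP enforcing 802.1Q VLAN policy per subscriber module (SM) and per frame.

Added example for illustration; the policy table, SM names and MACs are constructed.
"""
import struct

TPID_8021Q = 0x8100       # TPID that marks an 802.1Q tag in the Ethertype slot
ETH_IPV4 = 0x0800

# Hypothetical per-SM policy, keyed by the link/SM the frame arrived on.
# The AP decides what each customer may put on the wire; the SM is not trusted.
POLICY = {
    # untagged-only customer: everything they send lands in VLAN 101
    "sm-customer-a": {"untagged_vlan": 101, "allow_tagged": False, "allowed_vids": set()},
    # customer managing their own VLANs downstream: may tag 300 or 301 only
    "sm-customer-b": {"untagged_vlan": 102, "allow_tagged": True, "allowed_vids": {300, 301}},
}

# Constructed MAC addresses for the demo (locally administered, not real hardware).
CUST = bytes.fromhex("02a1b2c3d4e5")   # customer device behind the SM
GW = bytes.fromhex("020000000001")     # upstream gateway


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a raw Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]          # untagged
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]     # tagged


def enforce(ingress_sm, frame, policy=POLICY):
    """Decide (accepted, vid_or_reason) for one frame arriving from one SM.

    Accepted frames are returned with the VLAN the AP will forward them on,
    which for untagged traffic is the customer's assigned VLAN, not a global 1.
    """
    rule = policy.get(ingress_sm)
    if rule is None:
        return False, "unknown SM"
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:          # untagged, or priority-tagged (VID 0)
        return True, rule["untagged_vlan"]
    if vid == 4095:                      # reserved by 802.1Q
        return False, "reserved VID"
    if not rule["allow_tagged"]:
        return False, f"tagged frame (VID {vid}) from untagged-only SM"
    if vid not in rule["allowed_vids"]:
        return False, f"VID {vid} not in customer's allowed set"
    return True, vid


if __name__ == "__main__":
    payload = b"\x00" * 46
    cases = [
        ("sm-customer-a", build_frame(GW, CUST, ETH_IPV4, payload)),            # plain customer traffic
        ("sm-customer-a", build_frame(GW, CUST, ETH_IPV4, payload, vid=200)),   # tampered SM starts tagging
        ("sm-customer-b", build_frame(GW, CUST, ETH_IPV4, payload, vid=300)),   # permitted downstream VLAN
        ("sm-customer-b", build_frame(GW, CUST, ETH_IPV4, payload, vid=1)),     # reaching for the native VLAN
        ("sm-rogue", build_frame(GW, CUST, ETH_IPV4, payload)),                  # unregistered SM
    ]
    for sm, frame in cases:
        print(sm, "->", enforce(sm, frame))
```

The point of keying the policy on the ingress SM rather than on anything inside the frame is that the frame contents (source MAC, tag) are exactly what a tampered SM controls; the link it registered on is the one thing the AP knows independently.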