Here is the second part of the config for using PSPF;
Configuring Protected Ports
To prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected. Follow these steps to set up protected ports on your switch:
Beginning in privileged EXEC mode, follow these steps to define a port on your switch as a protected port:
Enter global configuration mode.
Enter interface configuration mode, and enter the type and number of the switchport interface to configure, such as gigabitethernet0/1.
Configure the interface to be a protected port.
Return to privileged EXEC mode.
show interfaces interface-id switchport
Verify your entries.
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable protected port, use the no switchport protected interface configuration command.
just to add more into the mix. The user VLAN will be layer 3 so presumably the users will be able to communicate via the SVI? Can you use an ACL to prevent users in the same vlan communicating or will I need to move over to Private VLANs?
Also there would be two interconnected switches in the same user vlan.