I have a setup configured fairly simple, I think. We have a 4402 WLC at our corporate office. We also have 6 1131's split into two deployments at different offices. We have a common SSID structure across all of them (corporate and guest). Corporate works properly authenticating against Active Directory, and guest authenticates properly via the guest database. The thing I cannot get my mind around is the proper method for configuring these two SSID's to be on separate VLAN's. If it were all local, I think I'd have no problems. Do I need to configure a virtual interface on the controller? Do I need a separate one for each office? The VLAN won't exist in the corporate office (unless it needs to). My goal is to isolate guest access into it's own subnet and run it straight out to the Internet without touching the local satellite network. Thanks!