I know general Cisco design shows WLCs connected on the internal LAN and then connected to guest anchor in DMZ over EOIP tunnel. Our security folks have a problem with this and asked if it is possible to have all the WLCs in the DMZ. They are worried that if something gets misconfigured by mistake on internal WLC then all guests would have access to internal resources - not good!
Any ideas about this? Pros and cons?