Can you configure guest wireless with a single controller...all the docs I find have an anchor controller
any help or links would be appreciated
Sure thing, this is how we have it. It all depends on how security-paranoid you're :-)
Here is the way we have it done. All the following configuration is on Core controllers....Dynamic Interface for guest traffic and WLAN for guest SSID. Dynamic Interface uses VLAN ID which is trunked from Core Controller back to our Layer 2 switches.
This VLAN is trunked to our Firewall where security policy exists to allow services we want to allow for guests...
Be aware that guests get IP address prior to authentication and your Core Controller acts as DHCP relay, so your Firewall needs to allow DHCP relay traffic from IP address configured on Controller under Dynamic Interface to your DHCP servers.... It's a bit of a security concern cause you allow some traffic prior to authentication and even worth back to your Corporate network....
The other solution is internal DHCP server on the controller, but we wanted centralized IP management....again depends on your security posture.