When using Guest Access, Cisco recommends that a Mobility Anchor Controller be placed in a DMZ and that the guest-access wireless LAN be tunneled to this controller. This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless LAN's dynamic interface itself.
I am trying to see if there are any disadvantages/security risks in using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless LAN's dynamic interface.
Advantages that I see are that no tunnels need to go through a firewall, and management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
I've used both designs and had success with both. There are obvious benefits to installation in the 2-legged model because you don't need to open up the pinholes through the firewall for management etc.
Cisco originally recommended that solution in environments where the FW may tend to disconnect sessions for packet inspection.
The WLC is not a router, so we didn't have a security problem with the 2-arm method, but some people prefer to have the anchor entirely in the DMZ.
Using the LAG approach with everything in the DMZ has also functioned well for us. It did require the rules in the FW, but once this is accomplished the end result is the same.
I do have an issue with some distant locations with high latency - they were able to anchor when I had the 2-legged approach with the management on the private LAN - now they are unable to anchor with the entire connection in the DMZ.
That is a unique situation with ~300 ms latency; the other sites are running fine.
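The two designs in this thread differ mainly in which flows have to cross the firewall. The following is an added example, not code from either poster, that models both placements and derives the pinholes each one needs, then renders them as ASA-style access-list lines. The addresses are constructed (RFC 5737 documentation ranges), the port numbers are Cisco's published WLC mobility and management ports as this editor knows them (UDP 16666/16667 for mobility control, IP protocol 97 EoIP for the data tunnel, TCP 22/443 and UDP 161 for management) and should be checked against the release actually deployed, and the "inside vs DMZ" test is a simple prefix check standing in for the real firewall zones. It does not model the high-latency anchoring problem the answer mentions.

```python
"""Derive the firewall pinholes a guest-anchor design needs (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses (RFC 5737). 192.0.2.0/24 stands in for the corporate
# inside network, 198.51.100.0/24 for the DMZ.
FOREIGN_WLC_MGMT = "192.0.2.10"    # foreign WLC management interface, inside
ANCHOR_MGMT_TWO_LEGGED = "192.0.2.20"   # anchor management leg kept inside
ANCHOR_MGMT_DMZ = "198.51.100.20"  # anchor management when the whole anchor is in the DMZ
NMS = "192.0.2.50"                 # management station, inside

# Cisco WLC mobility flows (verify against the deployed release). EoIP is IP
# protocol 97 and is not tracked statefully by every firewall, so the tunnel
# is permitted in both directions.
MOBILITY_FLOWS = [
    ("udp", 16666, "mobility control (unencrypted)"),
    ("udp", 16667, "mobility control (encrypted)"),
    ("97", None, "EoIP mobility data tunnel"),
]
# Management flows from the NMS to the anchor controller.
MGMT_FLOWS = [
    ("tcp", 22, "SSH"),
    ("tcp", 443, "HTTPS"),
    ("udp", 161, "SNMP"),
]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or an IP protocol number as a string
    port: Optional[int]
    purpose: str


def in_dmz(ip: str) -> bool:
    """Zone lookup stand-in: anything in the constructed DMZ prefix is outside."""
    return ip.startswith("198.51.100.")


def required_pinholes(design: str) -> List[Rule]:
    """Return the firewall rules the design needs.

    design: "two-legged" (anchor management inside, only the guest dynamic
            interface in the DMZ) or "dmz" (entire anchor in the DMZ).
    A flow needs a pinhole only when its endpoints are in different zones.
    """
    if design == "two-legged":
        anchor = ANCHOR_MGMT_TWO_LEGGED
    elif design == "dmz":
        anchor = ANCHOR_MGMT_DMZ
    else:
        raise ValueError(f"unknown design {design!r}")

    rules: List[Rule] = []
    for proto, port, purpose in MOBILITY_FLOWS:
        for src, dst in ((FOREIGN_WLC_MGMT, anchor), (anchor, FOREIGN_WLC_MGMT)):
            if in_dmz(src) != in_dmz(dst):
                rules.append(Rule(src, dst, proto, port, purpose))
    for proto, port, purpose in MGMT_FLOWS:
        if in_dmz(NMS) != in_dmz(anchor):
            rules.append(Rule(NMS, anchor, proto, port, purpose))
    return rules


def as_asa(rules: List[Rule], acl: str = "DMZ_ANCHOR") -> List[str]:
    """Render rules as ASA-style extended access-list lines (constructed format)."""
    lines = []
    for r in rules:
        line = f"access-list {acl} extended permit {r.proto} host {r.src} host {r.dst}"
        if r.port is not None:
            line += f" eq {r.port}"
        lines.append(f"{line}  ! {r.purpose}")
    return lines


if __name__ == "__main__":
    for design in ("two-legged", "dmz"):
        rules = required_pinholes(design)
        print(f"{design}: {len(rules)} pinhole(s)")
        for line in as_asa(rules):
            print("  " + line)
```

Running it shows the point of the thread: the two-legged placement yields no pinholes at all, because both the mobility tunnel and management stay on the inside, while the all-in-DMZ placement needs the mobility control ports and EoIP in both directions plus the management ports from the NMS.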