I am going to deploy a wireless network that will include a Guest anchor controller in a DMZ. I am trying to draw up a list of firewall rules I will need for this to give the firewall admin to implement. The question is: what is the source of the LWAPP tunnel for guest access? Is it the APs, or is it the controllers on the corporate network that the APs have registered to? I guess what I am saying is, with mobility groups with a guest anchor on a DMZ, is there a single tunnel for guest access direct from the AP to the guest anchor, or are there two, one from the AP to the controller, then another from that controller to the guest anchor controller?
When using mobility anchoring, the mobility and EoIP packets are sent to/from the management interfaces of the controllers.
If you are looking at filtering traffic between the AP and the controller it's joined to, you would use the manager and ap-manager interface. The AP needs to talk to the management interface to join. After it's joined, the AP talks to the ap-manager interface.