Our global network consists of many sites worldwide, where 75% of the sites have their own internet connection.
To streamline the wireless setup in our WLCs I have considered running the LAPs in H-REAP mode and, on the guest SSID, using access control lists to prevent guest users from accessing internal IPs.
The guests shall still be authenticated by our NAC guest server.
The guest traffic would then flow to the default gateway, which is the nearest internet connection.
I know that a guest might be able to craft an Ethernet packet with a spoofed source address and thereby fool the ACL, but besides that, is there any major security risk I am missing here?
In a perfect world I would isolate the guest traffic, but our network structure makes that hard to streamline.
The idea was to use 3-4 centralized controllers, each with the same configuration, and the H-REAP LAPs could then connect to the one with the lowest delay time via the "Enable Least Latency Controller Join" option under the OfficeExtend AP settings (?).
What am I missing here?
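As an added illustration of the ACL point raised in the post (this is example code, not part of the original question or any WLC configuration), the model below evaluates two guest ACL designs against constructed packets: a naive one that matches on the guest source subnet, and one that denies traffic to the internal address ranges regardless of source and adds an ingress anti-spoofing check. The guest subnet `10.250.0.0/24`, the permitted internal host `10.10.10.5` (standing in for the NAC guest server) and the sample packets are assumed placeholders, not values from the post.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholder values, not taken from the post.
GUEST_SUBNET = ipaddress.ip_network("10.250.0.0/24")        # guest WLAN client subnet
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 space
ALLOWED_INTERNAL = [ipaddress.ip_network("10.10.10.5/32")]  # e.g. NAC guest portal


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_naive_acl():
    """Blocks guests by matching on the guest *source* subnet only.
    A frame with a forged, non-guest source address falls through to the
    final permit, which is the weakness the post mentions."""
    rules = [Rule("deny", GUEST_SUBNET, n) for n in INTERNAL_NETS]
    rules.append(Rule("permit", ANY, ANY))
    return rules


def build_guest_acl():
    """Anchors the deny on the *destination* (internal ranges) for any source,
    after explicitly permitting the few internal hosts guests must reach."""
    rules = [Rule("permit", GUEST_SUBNET, n) for n in ALLOWED_INTERNAL]
    rules += [Rule("deny", ANY, n) for n in INTERNAL_NETS]
    rules.append(Rule("permit", ANY, ANY))          # everything else: internet
    return rules


def evaluate(acl, src, dst):
    """First-match evaluation with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def ingress_ok(src):
    """Anti-spoofing check applied where guest frames enter the network:
    a packet from the guest WLAN must carry a guest source address."""
    return ipaddress.ip_address(src) in GUEST_SUBNET


def filter_packet(acl, src, dst):
    """Combined decision for a packet arriving from the guest WLAN."""
    if not ingress_ok(src):
        return "deny (spoofed source)"
    return evaluate(acl, src, dst)


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, description)
    packets = [
        ("10.250.0.20", "8.8.8.8", "guest to internet"),
        ("10.250.0.20", "192.168.1.10", "guest to internal host"),
        ("10.250.0.20", "10.10.10.5", "guest to permitted NAC host"),
        ("192.168.50.7", "192.168.1.10", "forged internal source to internal host"),
    ]
    for src, dst, desc in packets:
        print(f"{desc:40} naive={evaluate(build_naive_acl(), src, dst):6} "
              f"hardened={filter_packet(build_guest_acl(), src, dst)}")
```

The forged-source packet is the interesting row: the naive ACL permits it because its deny rule never matches a non-guest source, while the destination-anchored ACL denies it even without the ingress check, and the ingress check rejects it before the ACL is consulted at all.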