We have been using Cisco WLC based wireless architechture for both secure and guest wireless access for over 5 years now. We have about 30 sites globally each site with at least one contoller (larger sites with at least two controllers per site) and up to 40 APs per location.
We have originally designed this solution a few years ago, at that time if my memory serves right, it was Cisco recommended design as well. We have Guest SSIDs and Secure SSIDs in each location on the same controller. However, Guest WLANs map to WLC interfaces that connect to DMZ switch and recieve IP Addresses in the IP Range assigned for DMZ subnets. As such the guest users will not have access to Internal resources with the Firewall Interface controlling the DMZ is modified to explicitly permit that traffic.
Is there any security risks associated with this design? I am hearing all this talk about Guest Anchor wireless controllers. Since we are a global company and have many sites, to add 30 WLCs for guest access is cost prohibitive.
Can somebody please comment on this and point me to any document that discusses the pitfalls of design that is similar to our setup. Am i making this up or our design a recommended design by Cisco in the past and now changed.