If I use access points in H-REAP mode, is guest traffic still encapsulated in CAPWAP?
I think so, but I'm not really sure.
Those are two mutually exclusive topics...
If you ANCHOR to the DMZ, all client traffic egresses from the Anchor WLC in the DMZ.
If you Locally Switch traffic off HREAP, all client traffic will egress the AP itself into whatever VLAN exists at the AP...
You can't put your client traffic off the AP and in the DMZ at the same time... (unless you trunk the DMZ L2 VLAN into your AP, but that still isn't anchoring).
So what are you trying to do?
If you want your guests from your HREAP AP to egress into the DMZ from a WLC in the DMZ, then you just make your guest WLAN not be HREAP Local Switching. Your traffic will flow from the client to the AP to the foreign WLC to the anchor WLC, just like any other central switching traffic...
If you want your guests from your HREAP AP to egress off the AP itself, then you would enable HREAP Local Switching and webauth would still happen at the WLC, but client traffic would egress off the AP into whatever VLAN you specified (will not be "anchored").