We've recently set up a WLAN infrastructure using a WLC2504 and Aironet 1261 LWAPs; two SSIDs are configured on the WLC: one configured for Guest [using lobby ambassador] and one configured for Internal use.
The requirement to deploy the Aironet 600 series APs has arisen due to the need to be more flexible with our teleworkers.
I've read through the community posts on the subject and the Aironet 600 Series OfficeExtend Access Point Configuration Guide, and reviewed the capabilities of the WLC2504, yet I'm still a little hazy as to if we can support OfficeExtend with the current infrastructure equipment or if we need to review the design as a whole.
From what I've gathered, OfficeExtend is supported on WLC2504s but they cannot be configured as a guest anchor controller; also, the 2500 series cannot terminate guest traffic outside the firewall, only originate guest tunnels.
Does this mean I need to deploy another WLC which can be configured as an anchor / EoIP, such as a WLC5508, as guest anchor controller / OfficeExtend controller in the DMZ with EoIP to the existing 2504?
The reason I ask is I couldn't find documentation with OfficeExtend referenced in context with an existing single WLC deployment. The configuration guide shows a WLC situated in the DMZ with a publicly reachable IP address and UDP ports 5246 and 5247 open. Our solution currently consists of 1x WLC2504 on the internal LAN, which presumably we can't just relocate to the DMZ, as internal APs won't be able to authenticate?
Wouldn't this pose a security risk? Effectively we would be allowing external devices to directly access the corporate network, albeit on specific ports.
Just wondering regarding best practices for solution design - I couldn't find any mention of OfficeExtend or OEAP in the SRND; realistically we could do this for our environment, but in the case of most of our customers they wouldn't want any device to be able to register with the internal controller - I guess we're potentially two controllers in these cases.