Is it possible to provide wireless guest access over the WAN from another office via the WLC? I have a WLC 5508 in a central office and have other remote offices that have one Access Point in each office that are autonomous; I will be converting these to LWAPP. Is it possible to route guest traffic back to the WLC then forward this traffic out to the internet? How would I route this traffic out as well? I see from some documents that they advise to install a secondary WLC in the DMZ and use anchor points. I only have one WLC.
Your 5508 contains a licence for up to 12 APs by default, so provided the 2 remote APs you want to connect don't exceed this you should be fine. When converting them to LWAPP, define your 5508 as the default controller, and provided there's no firewall in between (if so you'll need to add some rules) you should be OK (assuming there's a valid IP path/route from the APs to your controller).
Initially your APs should connect up to the 5508 in LOCAL mode; if you change this to HREAP mode and define a guest WLAN, you should be cooking on gas. Have a hunt on the Cisco website regarding wireless guest access and most of what you're after should be there. I am assuming you will have the 5508 set up as an anchor controller here.
Topology wise typically you'll end up with something like this (I am assuming your anchor is in a DMZ here):
Remote AP (HREAP mode) --> WAN --> Central Office DMZ (firewalled?) --> 5508 Controller --> Internet
I have x1 WLC with a 50 AP license, as this provides corporate connectivity and Guest Wireless connectivity. I have not set up the WLC as an anchor. I guess the configuration you mentioned would be if I was using Guest access only. Sorry, I'm not familiar with WLC and anchors. I was looking at the WLC ACLs on the guest WLAN and directing all traffic out via the firewall. Do you think this is not the right solution?
I have read that Cisco advises placing a WLC in the DMZ and having a second WLC tunnel guest traffic out to it.
I have two internal WLCs at separate locations. One is primary and the second is a backup. The Internet connection is at a third location. Is my only option for guest access to have a third WLC in the DMZ using the anchor option?
I have set up guest access as a test that has an ACL applied on the WLC, which restricts access and only points to the firewall then out to the internet. Not ideal. What do you think?
It's really up to you. Having an anchor to me makes things simple. Webauth page, certificate and user login in a single WLC. It comes down to cost. You can always have guest access in each WLC, but you just need to create ACLs to prevent them from accessing your network. I'm talking about ACLs on your layer 3 device and not on the WLC.
Just to clarify: if I have a controller in my head office that is configured to provide guest access via our DMZ and provide direct internet access, and I deploy a HREAP AP into a branch office that is controlled by the head office controller, are the clients able to receive an IP address via DHCP from the controller and tunnel this traffic back to the controller then out to the DMZ, or do I have to create a different DHCP scope for each branch office for Guest access?