Guest Anchor with DHCP

I am using an external DHCP server for corporate as well as for Guest (making a separate pool for the guest VLAN). This is the server which sits internally, and my Anchor is set up with an EOIP tunnel, mobility domains, etc. correctly.

The Anchor is placed in the DMZ-internet zone. Inside the Anchor controller, the guest interface is configured with a VLAN, an IP address and the external DHCP server IP. Now I have two doubts:

1. Where should I create VLANs (L2 / L3) for guests and the associated sub-interfaces? In the switch or in the firewall?

2. Since DHCP is placed in the inside network, how will guest users get their IPs from the same DHCP server? In that case, will both the Anchor and Foreign controllers act as a DHCP relay?

Or is it something like the Anchor has to communicate through the Foreign controller over an EOIP tunnel?

BR, Milan

