Customer needs: Virtualize Management and AC (formerly Netsight and NAC) and WLAN.
A must-have: guest traffic must not break out in the virtual "management" environment where Netsight, NAC and WLAN reside (should reside in future).
The "bridge building" competitor (Cisco) solves this with a so-called "guest anchor" in the DMZ, which is an additional WLAN controller.
-> The guest SSID is more or less bridged at "guest anchor" controller in DMZ.
L2 security -> A separate VLAN from "virtual management environment" to DMZ is (as far as I know) no option for the customer.
From the technical point of view I do have a different opinion - however
Does anybody have an idea how to resolve this requirement?
Maybe within a special mobility setting?
Many Thanks in advance
Now I have a running anchor solution with EWCs and it works fine.
The setup is quite easy. For example, if you have one wireless Controller in the DMZ and one in the productive LAN (if you have two in both places, enable availability and sync for the same result), you have to do the following steps:

1. Bring your Controllers in one mobility Group.
2. Create a complete VNS (as usual) on the Anchor-Controller in the DMZ with a B@EWC or routed topology.
3. In the Advanced Options on the WLAN Service, select "Remotable".
4. Now you create a WLAN Service (not a whole VNS!) on the Controller in the productive LAN. For this, select "Remote" as Service Type and select the SSID created on the Anchor (automatically created by the mobility feature).
5. Create a Virtual Network for the new WLAN Service and a suitable Role (e.g. Access Control allow).

That's all. Now you have an SSID on the APs in the productive LAN which is tunneled to the Anchor-Controller.
In this case you will have no APs on the Anchor, only in the productive LAN. So you need no additional licenses on the Anchor EWC.
Please be aware Anchor Controller is only a Cisco wording. We call this Feature "Centralized Mobility".
If our customer does not buy the "bridge building" WLAN solution (competitor Cisco), I will install this solution and can report to you. But I am sure this will not happen before April 2017 ...