Thanks for the responses. I do not manage the largest wireless network...I only expect it to grow to about 200 APs. I have a great demand for guest wireless access, but I expect it to be limited to fewer than, say, 20 users at any single time organization-wide.
I do take advantage of the anchoring feature...I use it to tunnel the wireless networks of other agencies through the wireless network that I manage. For the most part, it works great. However, for my organization, one centrally switched guest WLAN would work just fine.
Another approach to guest access that I can think of (without using an internal VLAN with an ACL or an anchor controller) would be to create another DMZ interface on the firewall and cable it either to a separate interface on the wireless controller or directly to an unrouted VLAN that is allowed to reach my controllers.
I am running dual 5508 controllers in a failover configuration. I use only two ports on each controller in LAG mode. If I recall correctly, since I have chosen to use LAG, I can use the other ports separately? Am I correct?
I am beginning to believe that a DMZ approach may not be the most beneficial for my organization, as getting the content-filtering mechanism to work may be a challenge...however, it would keep the guest traffic outside the interior network.
At this point, I am leaning towards an internal VLAN with a properly configured ACL and the use of an outside public DNS server.
Would this be a sound approach to what I am trying to accomplish?
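As an added example that is not part of the original post or of any reply in the thread: the internal-VLAN-plus-ACL design above stands or falls on the ACL being ordered correctly, so it is worth checking the rule set against a few flows before trusting it. The script below models a guest ACL as an ordered first-match list and audits it against constructed flows. The rule set itself, the RFC 1918 ranges treated as "internal", the 8.8.8.8 resolver address, and the sample destination hosts are all assumptions chosen for illustration, not anything taken from the thread or from a real controller.

```python
"""First-match audit of a guest-VLAN ACL (added example, not from the post).

Assumptions for illustration:
  - "internal" means the three RFC 1918 ranges
  - the outside public DNS server is 8.8.8.8 (any resolver would do)
  - the ACL is evaluated top-down, first match wins, implicit deny at the end
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "any", "udp", "tcp", "icmp"
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None   # destination port, None means any port


# Constructed guest ACL: allow DNS to the public resolver, block everything
# internal, then allow the rest of the Internet.  Order matters.
GUEST_ACL: List[Rule] = [
    Rule("permit", "udp", "8.8.8.8/32", 53),   # DNS to the outside resolver
    Rule("deny",   "any", "10.0.0.0/8"),       # internal
    Rule("deny",   "any", "172.16.0.0/12"),    # internal
    Rule("deny",   "any", "192.168.0.0/16"),   # internal
    Rule("permit", "any", "0.0.0.0/0"),        # everything else (Internet)
]

# Constructed flows and the verdict the design requires for each.
EXPECTED_FLOWS = [
    ("udp", "8.8.8.8",       53,  "permit"),  # guest DNS lookups
    ("udp", "10.1.1.10",     53,  "deny"),    # internal DNS must stay closed
    ("tcp", "10.20.30.40",   443, "deny"),    # internal web server
    ("tcp", "192.168.5.5",   445, "deny"),    # internal file share
    ("tcp", "172.31.0.9",    22,  "deny"),    # internal SSH
    ("tcp", "93.184.216.34", 443, "permit"),  # ordinary Internet host
]


def evaluate(acl: List[Rule], proto: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); (deny, None) on implicit deny."""
    dst = ip_address(dst_ip)
    for idx, rule in enumerate(acl):
        if rule.proto not in ("any", proto):
            continue
        if dst not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, idx
    return "deny", None


def audit(acl: List[Rule], flows) -> list:
    """Return every flow whose actual verdict differs from the required one."""
    failures = []
    for proto, dst, dport, want in flows:
        got, idx = evaluate(acl, proto, dst, dport)
        if got != want:
            failures.append((proto, dst, dport, want, got, idx))
    return failures


def misordered(acl: List[Rule]) -> List[Rule]:
    """The same rules with the final permit-any moved to the top, a common
    mistake that silently opens the internal network to guests."""
    return [acl[-1]] + acl[:-1]


if __name__ == "__main__":
    print("correct order, failures:", audit(GUEST_ACL, EXPECTED_FLOWS))
    print("permit-any first, failures:", audit(misordered(GUEST_ACL), EXPECTED_FLOWS))
```

Run as-is it reports no failures for the ordered ACL and four for the misordered one (every internal destination becomes reachable). Extending `EXPECTED_FLOWS` with the hosts and ports that matter in your own network is the quickest way to catch a rule that was typed in the wrong place.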