A blog with tips, tricks and tutorials to help you prepare your CCIE Wireless lab exam.

Friday, December 11, 2009

Non-routed WLAN

You probably know the standard Guest WLAN scenario, with an anchor controller. You find it in most WLC configuration guides since code 3.2.


In this scenario, the wireless user is using a Web Auth WLAN and associates to an access point connected to the Foreign Controller. As you configure a Mobility Anchor on both the Foreign and the Anchor for the Web Auth WLAN, the wireless user is sent to the Anchor controller, gets its IP address from there, and starts its IP journey from the Anchor. In this classical scenario, the wireless user is limited to Internet access: the wireless laptop gets an IP address in the DMZ scope (10.10.10.0/24 in this example), from a DHCP server somewhere in the DMZ. The Firewall is its gateway, and only allows traffic to the Internet, forbidding traffic back to the internal network.

Fine. But what if the network design is like this?

In this design, your firewall is integrated into your edge router, and the "DMZ" just relies on subnets on the main switch.
In this configuration, your mission, if you accept it, is to design a non-routed WLAN... what is that? A config that will prevent the wireless user, sent to the Anchor controller, from getting to your corporate network... no ACLs allowed on the main switch...
This is how it works. You still create the same WLAN on the Foreign controller and on the DMZ controller, put them on the same mobility list (but in different mobility groups!), and set the Anchor as the Anchor controller.
What is different here is the IP assignment. You must configure your main switch with only Layer 2 awareness of the DMZ VLAN. So if the DMZ is network 10.10.10.0/24, VLAN 10, create VLAN 10 on the main switch, but not the Layer 3 SVI interface. As the main switch does not know subnet 10.10.10.0/24, it cannot route this subnet. The link from the main switch to the corporate network, configured as a trunk, would allow all VLANs except VLAN 10. For example:
conf t
vlan 10
interface g3/1
description --- to internal network
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan except 10
Perfect. Now how does this wireless client get an IP address? The easiest way in this simple scenario (you saw that we even removed the DHCP server from the DMZ) is to provide the IP address from the DMZ controller. This implies 3 elements:
1. When you create the interface associated to the WLAN on the Anchor controller, the DHCP server IP address is the Anchor Controller Management IP address, like this:


The DMZ controller obviously has an IP address in this subnet. So, again, the DHCP server IP address is the controller Management Interface IP address (not the VLAN 10 controller dynamic interface IP address).

2. The gateway is the edge router, which is supposed to have an IP address in this DMZ subnet (10.10.10.254 in this example).

3. Create a DHCP scope on the Anchor controller for this 10.10.10.0/24 subnet.

This is it!
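Because the isolation rests entirely on the main switch never routing or forwarding VLAN 10 toward the internal network, it is worth checking a saved configuration for drift. The script below is an added example, not part of the original post. It assumes `show running-config` layout (indented sub-commands), that the internal uplinks are trunks, and it uses hypothetical function names and the expanded interface name GigabitEthernet3/1 for the post's g3/1.

```python
import re
ALL = set(range(1, 4095))          # valid VLAN ids 1-4094

def interfaces(config):
    """Map interface name -> sub-commands ('show running-config' layout assumed)."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw, re.I)
        if m:
            cur = blocks.setdefault(m.group(1).lower(), [])
        elif not raw.startswith(" "):
            cur = None              # '!' or a top-level command closes the block
        elif cur is not None:
            cur.append(raw.strip().lower())
    return blocks

def expand(arg):
    """'none', 'all' or a list such as '1-9,11-4094' -> set of VLAN ids."""
    arg = {"none": "", "all": "1-4094"}.get(arg, arg)
    spans = (p.partition("-") for p in arg.split(",") if p)
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def trunk_allowed(cmds):
    """VLANs a trunk carries; with no 'allowed vlan' line IOS allows all of them."""
    allowed = ALL
    pat = r"switchport trunk allowed vlan (?:(add|remove|except) )?(none|all|[\d,-]+)$"
    for op, arg in (m.groups() for m in map(re.compile(pat).match, cmds) if m):
        ids = expand(arg)
        allowed = {"add": allowed | ids, "remove": allowed - ids,
                   "except": ALL - ids, None: ids}[op]
    return allowed

def audit(config, dmz_vlan, internal_ports):
    """Findings that would let the DMZ VLAN reach the internal network."""
    ifs, out = interfaces(config), []
    if any(c.startswith("ip address") for c in ifs.get(f"vlan{dmz_vlan}", [])):
        out.append(f"Vlan{dmz_vlan} SVI has an IP address")
    for port in internal_ports:     # a port missing from the config is flagged too
        if dmz_vlan in trunk_allowed(ifs.get(port.lower(), [])):
            out.append(f"{port} carries VLAN {dmz_vlan}")
    return out

# Constructed sample: the internal uplink as it would appear in a running-config.
SAMPLE = """\
interface GigabitEthernet3/1
 switchport mode trunk
 switchport trunk allowed vlan 1-9,11-4094
"""
print(audit(SAMPLE, 10, ["GigabitEthernet3/1"]) or "VLAN 10 is not carried or routed")
```

An empty list means the switch neither routes the DMZ subnet nor passes VLAN 10 on the listed uplinks. A trunk with no `allowed vlan` line is reported, since it carries every VLAN by default.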
