Designing guest access with all guest users tunneled directly into the DMZ has two main advantages: it simplifies the network configuration and it enhances the security of the internal network. A DMZ (demilitarized zone) is a separate network segment that isolates public-facing services from the private network. It provides a buffer between the Internet and the internal network, where hostile traffic can be inspected and blocked before it reaches any internal resource.
By tunneling all guest users directly into the DMZ, the network configuration is simplified because the guest traffic does not have to be segmented and filtered as it crosses the internal LAN. The campus (foreign) controller encapsulates the guest traffic and sends it through a mobility tunnel to the DMZ controller, which acts as the anchor point for the guest WLAN. The anchor controller de-encapsulates the traffic and forwards it to the Internet or to the DMZ services. Because the guest frames stay inside the tunnel until they reach the anchor, they never mix with internal traffic on the LAN, so no guest VLANs, ACLs, or per-subnet firewall rules are needed on the internal network.
Another advantage of tunneling all guest users directly into the DMZ is that it enhances the security of the internal network. By terminating the guest traffic in the DMZ, the internal network is protected from threats that originate from guest users. Guest users have no visibility of, or access to, internal network resources, and they are subject to the security policies and controls of the DMZ (web authentication on the anchor controller and the DMZ firewall's egress rules). The border firewall between the internal LAN and the DMZ needs only a few static rules for the mobility tunnel between the two controller addresses (in Cisco's anchor design, UDP 16666 for mobility control and IP protocol 97, EoIP, for the tunneled client data); no per-guest, per-VLAN, or per-application rules are required, because guest clients never appear as sources on the inside of the firewall. This reduces the complexity and the risk of misconfiguration of the firewall rule set. One caveat: the anchor controller itself sits in the DMZ and should be treated as exposed, so its management interfaces must not be reachable from the guest VLAN, and the anchor's guest subnet must be denied any path back into the internal network. References: CWNP, CWDP Certified Wireless Design Professional Official Study Guide; Cisco Unified Wireless Guest Access Services; What Is a DMZ Network and Why Would You Use It?; Wireless Guest Access FAQ.
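To make the firewall point concrete, the following is an added example (not code from CWNP or Cisco) that models the border-firewall policy between the internal LAN and the DMZ as a first-match rule list and checks it against a few constructed flows. The controller addresses, subnets, and probe flows are assumed lab values; the tunnel transport (UDP 16666 for mobility control, IP protocol 97 for EoIP data) is what Cisco documents for the classic anchor design. The point it demonstrates is that the only inside-to-DMZ permits are pinned to the two controller addresses, while every guest-to-internal flow falls through to deny, and that rule order matters (the guest deny must precede the guest Internet permits).

```python
"""Model of the border-firewall policy for a DMZ-anchored guest WLAN.

Added illustration, not CWNP or Cisco code. All addresses are assumed lab values.
The only inside<->DMZ traffic the guest design needs is the mobility tunnel
between the two controllers; guest clients never appear as sources on the
inside of the firewall, because they are encapsulated until they reach the anchor.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addresses for the example (hypothetical; substitute your own).
FOREIGN_WLC = "10.10.1.5"      # campus (foreign) controller on the internal LAN
ANCHOR_WLC = "192.0.2.10"      # anchor controller in the DMZ
INTERNAL_NET = "10.0.0.0/8"    # internal LAN
GUEST_NET = "192.0.2.128/25"   # guest client subnet terminated on the anchor
ANY = "0.0.0.0/0"

# Transport of the classic Cisco (AireOS) mobility tunnel between controllers:
# UDP 16666 for mobility control and IP protocol 97 (EoIP) for tunneled client data.
MOBILITY_CTRL = ("udp", 16666)
EOIP_PROTO = "97"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp" or an IP protocol number as a string
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # single address or CIDR
    dst: str
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, f: Flow) -> bool:
        in_src = ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src, strict=False)
        in_dst = ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst, strict=False)
        proto_ok = self.proto in ("any", f.proto)
        port_ok = self.dport is None or self.dport == f.dport
        return in_src and in_dst and proto_ok and port_ok


# Border firewall between the internal LAN and the DMZ: first match wins, implicit deny.
BORDER_RULES = [
    # The static rules the tunnel needs, pinned to the two controller addresses.
    Rule("permit", FOREIGN_WLC, ANCHOR_WLC, *MOBILITY_CTRL),
    Rule("permit", ANCHOR_WLC, FOREIGN_WLC, *MOBILITY_CTRL),
    Rule("permit", FOREIGN_WLC, ANCHOR_WLC, EOIP_PROTO),
    Rule("permit", ANCHOR_WLC, FOREIGN_WLC, EOIP_PROTO),
    # Guests, once de-encapsulated on the anchor, may only leave towards the Internet.
    # The deny must come before the permits, or an internal resolver on UDP 53 would leak.
    Rule("deny", GUEST_NET, INTERNAL_NET),
    Rule("permit", GUEST_NET, ANY, "udp", 53),
    Rule("permit", GUEST_NET, ANY, "tcp", 80),
    Rule("permit", GUEST_NET, ANY, "tcp", 443),
]


def evaluate(flow: Flow, rules=BORDER_RULES) -> str:
    """Return the action of the first matching rule, or 'deny' if nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def check_guest_isolation(rules=BORDER_RULES) -> bool:
    """True if none of the constructed guest-to-internal probe flows is permitted."""
    probes = [
        Flow("192.0.2.130", "10.20.30.40", "tcp", 445),  # constructed: SMB to a file server
        Flow("192.0.2.131", "10.10.1.5", "tcp", 22),     # constructed: SSH to the foreign WLC
        Flow("192.0.2.132", "10.0.0.53", "udp", 53),     # constructed: DNS to an internal resolver
    ]
    return all(evaluate(p, rules) == "deny" for p in probes)


if __name__ == "__main__":
    for f in [Flow(FOREIGN_WLC, ANCHOR_WLC, "udp", 16666),
              Flow(FOREIGN_WLC, ANCHOR_WLC, "97"),
              Flow("192.0.2.130", "198.51.100.7", "tcp", 443),
              Flow("192.0.2.130", "10.20.30.40", "tcp", 445)]:
        print(f, "->", evaluate(f))
    print("guest isolation holds:", check_guest_isolation())
```

Running the block prints the verdict for each constructed flow: the two controller-to-controller flows are permitted, a guest reaching an Internet web server is permitted, and a guest reaching an internal file server is denied. Any other internal host trying to use the tunnel ports is also denied, because the permits are bound to the controller addresses rather than to whole subnets.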