My basic query is whether a dot1q trunk carrying 2 VLANs (guest wireless and corporate LAN) can still be firewalled using the zone based firewall on an IOS firewall on a 1941 ISR.
Here's more background:
It's for a number of branch sites that will have the ISR as the site WAN router and perimeter firewall; corporate access will go via the WAN MPLS HWIC and internet access will go via an ADSL interface. The concern is the LAN side. Whilst the 1941 has 2 onboard LAN interfaces, the guest wireless is combined with corporate wireless, so LAN access will need to be via a trunk link and so ultimately the two VLANs need to be separated via firewall rules.
I know that this wouldn't be an issue on the ASA but I'm not sure whether the zone based firewall on the router would be the same.
Does anyone know whether what I'm trying to achieve is possible on the ISR? I'll try and knock up a diagram and upload it if that helps.