Thank you ableousov. I appreciate your answer.

I did lag on both core. 

I'm planning to create 3 ssids & interfaces. Can you advice me how to route traffic from & to.

1) Ssid A- corporate users route traffic through core.

2) Ssid B - limited Guest users route traffic through core.

3) said C- BYOD users route to direct internet. Not through core switch. 

How can I do through controller to pass it? 

Great! 

WLC do not route traffic (this is not usual router). It takes packet from wireless client and put in to VLAN with this manner: SSID1 -> VLAN1, SSID2->VLAN2. The core switches need to provide first-hop unicast and multicast routing for each wireless VLAN (if they route traffic). See blow:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/cuwn.html#65102

I think in your case , core need to route ssidA(vlanA) and ssidB (vlanB) traffic directly and pass through itself ssidC(vlanC) traffic to internet gateway (router) without routing by 802.1q trunk. 

So with this manner, Do i have to create same VLANs on core switch & do i have to give respective ip to this vlans? and where i can configure Gatway ip? so i can place on controller to send it there?

thank you, 

I suppose, you can physically connect WLC to core, but logically - to FW. Gateway will be on FW. Core will pass through VLANs from WLC, these VLAN will go to "outside" interface (you need to create same VLANs on core, but shold not create IP interface for this VLAN on core). VLANs from FW you can route on core, because they will be "inside". 

All traffic goes through WLC by default (central switching). 

CAPWAP provides the configuration and management of APs and WLANs in addition to encapsulation and forwarding of WLAN client traffic between an AP and a WLAN controller (WLC).

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/cuwn.html#45944

Thanks Abelousov!

Can you share information to how can i apply lag setting from 2port 10g fiber wlc5520 to both N9k cores?

thanks,

On WLC you just need to configure "config lag enable " and reboot it. On N9K you need to configure VPC and static etherchannel. Try to google configuration guide on cisco.com. All guides are in public access. 

Thank you Alexey,

Here is another thing,We change topology and see attachment below.

Can we still perform LAG? if it is, then how can i configure with one wlc interface to core & another interface with checkpoint FW?

According to topology design, Internet traffic are handover through AP>wlc>fw>internet & corp traffic are AP>wlc>core>

If you share with me how to configure each ssid & it's vlan interface with wlc to fw respectively?

thanks,

Hello!

Can we still perform LAG

Yes, if you configure VPC on core. 

if it is, then how can i configure with one wlc interface to core & another interface with checkpoint FW?

You need to do this on core. VLAN 11,15-16 go tgrough core to FW (L3 Gateway). for  VLAN 12,20 L3 Gateway - Core. 

If you share with me how to configure each ssid & it's vlan interface with wlc to fw respectively?

Look here:

https://mrncciew.com/2013/02/27/configuring-dynamic-interfaces-on-wlc/

In your case, I think, I would put all interfaces WLC behind FW  (FW will be L3 gateway for all WLC interfaces). And FW then would control all traffic flows.

I agree with you Alexey, But Can we place

1) One WLC interface to Core 1 switch

2) second WLC interface directly to checkpoint FW?

thanks,

I would connect both WLC physical interfaces to core (for LAG) and forward all VLANs from WLC through core on L2 OSI Layer (without L3 interfaces on core).