12407 Views, 0 Helpful, 55 Replies

Any Best Practices for Guest Access?

rlaudicina
Level 1

Looking to create a guest access WLAN so that vendors can have internet access along with VPN into their own network while disallowing access to our internal systems.

I have created a Guest WLAN and configured it on the WLC side. I think all I have to do now is to configure the core switch with the new VLAN 99 along with configuring the trunk ports connected to the WLCs.

My question is, am I missing anything in the setup? And are there any "best practices" when it comes to guest access? I am hoping to use web-passthrough authentication. I don't believe this requires any AAA or RADIUS servers, which we don't have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal LAN. Am I on the right track here?

55 Replies

Make sure the gigabit interfaces match.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

You have one interface that is only allowing certain vlans and the other is not pruning.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
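The mismatch Scott describes (one LAG member pruning VLANs on its trunk while the other member, or the port-channel itself, does not) is easy to miss by eye on a large switch config. The following is an added example, not code from the thread or from Cisco: it parses a constructed IOS excerpt (the interface names and VLAN list are assumptions modelled on the thread's Gi5/5 and VLAN 99) and reports every trunk attribute that differs between a port-channel and its members. The same check matters for security as well as stability: the member that is not pruning carries every VLAN on the trunk, including ones the guest WLAN was never meant to reach.

```python
import re
from collections import defaultdict

# Constructed IOS excerpt (not from the thread). It reproduces the condition
# described above: one LAG member prunes the trunk, the other does not.
SAMPLE_CONFIG = """\
interface GigabitEthernet5/5
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 channel-group 5 mode on
!
interface GigabitEthernet5/6
 switchport mode trunk
 channel-group 5 mode on
!
interface Port-channel5
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
!
"""

# Trunk attributes that must agree across a port-channel and all its members.
CHECKED = ("switchport mode",
           "switchport trunk allowed vlan",
           "switchport trunk native vlan")


def parse_interfaces(config_text):
    """Return {interface_name: {attribute: value}} for each interface stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif line.startswith("!"):
            current = None            # "!" terminates the stanza
        elif current is not None and line.startswith(" "):
            stripped = line.strip()
            m = re.match(r"channel-group (\d+)", stripped)
            if m:
                interfaces[current]["channel-group"] = m.group(1)
                continue
            for attr in CHECKED:
                if stripped.startswith(attr + " "):
                    interfaces[current][attr] = stripped[len(attr) + 1:]
                    break
    return interfaces


def check_lag_consistency(config_text):
    """Return one finding per trunk attribute that differs within a channel group.
    An attribute absent from one member is reported as '<unset>'."""
    interfaces = parse_interfaces(config_text)
    groups = defaultdict(list)
    for name, attrs in interfaces.items():
        m = re.match(r"port-channel(\d+)$", name, re.IGNORECASE)
        if m:
            groups[m.group(1)].append(name)
        elif "channel-group" in attrs:
            groups[attrs["channel-group"]].append(name)
    findings = []
    for group_id, members in sorted(groups.items()):
        for attr in CHECKED:
            values = {n: interfaces[n].get(attr, "<unset>") for n in members}
            if len(set(values.values())) > 1:
                detail = ", ".join(f"{n}={v}" for n, v in sorted(values.items()))
                findings.append(f"channel-group {group_id}: '{attr}' differs ({detail})")
    return findings


if __name__ == "__main__":
    for finding in check_lag_consistency(SAMPLE_CONFIG) or ["no LAG mismatches"]:
        print(finding)
```

Run against a `show running-config` capture, an empty result means the port-channel and every member agree on mode, allowed VLANs and native VLAN; anything else is exactly the kind of difference that made the APs flap between controllers in this thread.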

OK, I removed the pruning statement from both the 5/5 interface and the port-channel interface. I was in a meeting for the last 2 hours and was told that the wireless was going down every 15 mins. I also noticed that all of my APs have moved to the non-LAG controller. Not sure if the mismatched pruning caused this or if there is something else wrong.

OK, after making that change the APs all migrated back to the correct WLC. I think the "cycling" must have been the APs trying to reconnect to the LAG controller, failing because of the pruning, and then switching back. Guess I'll know in a half hour or so.

Robert,

Did you get it to work? 

-Scott
*** Please rate helpful posts ***

Yes, I think it was the pruning on one port that was causing the issues. All APs are on the main WLC now and LAG is enabled and running. Now I have to create a dedicated DMZ and bring up the 2nd controller in there to handle the guest WLAN. Will keep you posted. Thanks again for your help, much appreciated.

Cool... Keep us posted in case you need help.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

OK, I now have the DMZ set up and a WLC in it. I created a guest WLAN on both controllers, configured exactly the same, and configured the DMZ as an anchor for the guest WLAN and the corp WLC as the foreign controller, each in their own mobility group. I opened 16666 and 16667 from each controller to the other. I also enabled EtherIP both ways. Not sure it's all correct though: when I open the mobility management on the controllers themselves under mobility groups, both controllers are listed but the other one always says "control path down", i.e. on the DMZ controller the corp controller shows "control path down" and vice versa.

It actually seemed to be working there for a while but now something is wrong. I suspect the mobility anchoring. I can attach to the guest network and it does redirect me to the login screen, but after I log in I still have access to the corp system.

Robert,

If you have control path down, then it's not working right. You are probably connecting to your foreign WLC and not to your anchor.

Can you post your show run-config for both WLCs?

-Scott
*** Please rate helpful posts ***

OK, I got rid of the control path down message and they are both up. The guest access is working except that I get an IP from the regular wireless network and can still see the local resources. I set up the internal DHCP server on the guest access controller and created a scope within that range, but clients are still getting corp wireless IP addresses.

Having trouble trying to paste configs on this site.

Can you just attach the text file? I want to verify your SSID anchoring. Your foreign WLC (internal) guest SSID should be anchored to the guest WLC. The anchor WLC (DMZ) guest SSID should be anchored to itself. Check that.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

***************Guest WLC******************
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x43cd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
MAC Address        IP Address      Group Name                        Multicast
00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0
00:19:aa:72:39:80  10.100.100.20   DMZ                              0.0.0.0
(Cisco Controller) >

***************Corp WLC*****************
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Champion Corp
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x46d5
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
MAC Address        IP Address      Group Name                        Multicast IP    Status
00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0          Up
00:19:aa:72:39:80  10.100.100.20   DMZ                              0.0.0.0          Up
(Cisco Controller) >

So under the guest WLAN (advanced) on the guest controller, add the other controller as a foreign controller mapping, correct?

No. On the WLAN tab that lists your SSIDs, there is a blue triangle all the way to the right of each SSID. Click on that for the guest SSID and then click Mobility Anchor. That is where you do the SSID anchoring.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

OK, on both controllers the guest WLC IP is listed; data and control path are both up.

On the Guest WLC it says local

On the corp WLC it has the guest WLC IP.

Mobility summaries attached.
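Two things in this thread are worth checking mechanically rather than by reading controller screens: the `show mobility summary` output from both WLCs (are the peers listed with matching MAC, group name and port, and is the control/data path actually up?), and Scott's anchoring rule above (the foreign WLC's guest SSID anchors to the guest WLC; the guest WLC's own copy anchors to itself). The following is an added example, not code from the thread or from Cisco: the two sample outputs are constructed, modelled on the captures posted earlier (same IPs, MACs and group names), with the DMZ side's status for the corp peer set to "Control Path Down" so the script shows the failure the thread describes; the status column is optional in the parser because the guest WLC capture above lacks it.

```python
import re

# Constructed samples modelled on the two captures in this thread.
# The "Control Path Down" status is constructed to exercise the failure case.
CORP_SUMMARY = """\
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Champion Corp
Mobility Group Members Configured................ 2

Controllers configured in the Mobility Group
MAC Address        IP Address      Group Name     Multicast IP    Status
00:19:aa:72:2e:e0  10.192.60.44    Champion Corp  0.0.0.0         Up
00:19:aa:72:39:80  10.100.100.20   DMZ            0.0.0.0         Up
"""

DMZ_SUMMARY = """\
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... DMZ
Mobility Group Members Configured................ 2

Controllers configured in the Mobility Group
MAC Address        IP Address      Group Name     Multicast IP    Status
00:19:aa:72:2e:e0  10.192.60.44    Champion Corp  0.0.0.0         Control Path Down
00:19:aa:72:39:80  10.100.100.20   DMZ            0.0.0.0         Up
"""

KV_LINE = re.compile(r"^(.+?)\s*\.{2,}\s*(.*)$")          # "Key....... Value"
MEMBER_LINE = re.compile(
    r"^([0-9a-fA-F:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(.+?)\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\s+(.+?))?\s*$")             # MAC IP Group Mcast [Status]


def parse_mobility_summary(text):
    """Return {'settings': {...}, 'members': [...]}. Status is None when the
    output has no Status column (as in the guest WLC capture above)."""
    settings, members = {}, []
    for line in text.splitlines():
        m = MEMBER_LINE.match(line.strip())
        if m:
            mac, ip, group, mcast, status = m.groups()
            members.append({"mac": mac.lower(), "ip": ip, "group": group.strip(),
                            "multicast": mcast, "status": status})
            continue
        m = KV_LINE.match(line.strip())
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return {"settings": settings, "members": members}


def check_mobility_group(summaries):
    """summaries maps a label to that controller's 'show mobility summary'.
    Returns findings that explain why the anchor tunnel may not carry guest
    traffic: port mismatch, a peer listed with the wrong MAC or group name,
    or a peer whose control/data path is not up."""
    parsed = {lbl: parse_mobility_summary(t) for lbl, t in summaries.items()}
    findings = []
    ports = {lbl: p["settings"].get("Mobility Protocol Port") for lbl, p in parsed.items()}
    if len(set(ports.values())) > 1:
        findings.append(f"mobility protocol port differs: {ports}")
    # A controller's own row is the one whose group equals its default domain.
    own = {}
    for lbl, p in parsed.items():
        domain = p["settings"].get("Default Mobility Domain")
        mine = [m for m in p["members"] if m["group"] == domain]
        if len(mine) == 1:
            own[lbl] = mine[0]
    # Every peer must list that row with the same MAC and group name; a typo
    # in either is a classic cause of "Control Path Down".
    for lbl, p in parsed.items():
        for peer, entry in own.items():
            if peer == lbl:
                continue
            rows = [m for m in p["members"] if m["ip"] == entry["ip"]]
            if not rows:
                findings.append(f"{lbl}: peer {peer} ({entry['ip']}) not in mobility list")
            elif (rows[0]["mac"], rows[0]["group"]) != (entry["mac"], entry["group"]):
                findings.append(f"{lbl}: peer {peer} listed as {rows[0]['mac']}/{rows[0]['group']} "
                                f"but it reports {entry['mac']}/{entry['group']}")
    for lbl, p in parsed.items():
        for m in p["members"]:
            if m["status"] is not None and m["status"].lower() != "up":
                findings.append(f"{lbl}: {m['ip']} ({m['group']}) status is '{m['status']}'")
    return findings


def check_guest_anchor(role, anchors, guest_wlc_ip):
    """Scott's rule: on the foreign WLC the guest SSID's anchor list is exactly
    the guest WLC's IP; on the anchor WLC it is exactly 'local'."""
    expected = {guest_wlc_ip} if role == "foreign" else {"local"}
    return set(anchors) == expected


if __name__ == "__main__":
    for f in check_mobility_group({"corp": CORP_SUMMARY, "dmz": DMZ_SUMMARY}) or ["mobility OK"]:
        print(f)
```

Feed it the saved `show mobility summary` text from each controller; an empty result plus a passing `check_guest_anchor` for both roles is the state the thread ends in (guest WLC IP listed on the corp side, "local" on the guest side, control and data paths up). A status other than "Up" with the MAC and group matching usually means the mobility ports or EtherIP are blocked between the controllers rather than a configuration typo.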
