I have asked quite a few sources and technical people (even Cisco reps) these same questions and no one has ever been able to answered them directly. If you do not know the answers please do not respond with general information.

I am thinking of rolling out wireless to our users. Currently wireless only allows them to the Internet and they can they IPSEC back in to our domain.

I have purchased a 2504 (a while ago) and ordered new Cisco 3802 access points with 3850 switches. I ordered a 3850 switch that can handle up to 5 access points via the licensed controller for testing. This switch model also supports the mgb like the WAPS for speeds higher than 1GB.(up to 5 or 10Gb I think)

Here are my questions. Just reading overall it seems that the 2504 tunnels both the authentication and DATA over the CAPWAP. Since the 2504 only has a gb  connection it seems this is immediately a bottleneck once I start implementing a large number of 3802s. How does this actually work? Can I just  authenticate over the CAPWAP and then place the users data directly on the local swith vlan or does it have to travel to the 2504 (by routing) and be placed on a different vlan??  I read something called HEAP that seemed to possibly allow this setup but it did not go into much detail. Please explain if this is possible and if not how does this actually work?

If the user data must pass over the tunnel to the 2504 then that is not a viable solution as things expand and more APs get added. In this case I assume the 3850 would be the better approach (although they do not have an IP services switch with this feature). Assuming a 3850 is used, can the wireless users be placed in the same Vlan as wired users or do they need to be separated? I realize that only the APs cabled directly to the stack can be managed by the local stack so each stack would be a separate wireless controlling entity.

Thanks