I left out the situation as it can be hard to describe that is why I posed the question pertaining to a large segment with the use of Local mode AP's CAPWAPing traffic back to the WLC. Using EAP-TLS on one WLAN and PEAP on the other. ISE is used for the EAP-TLS WLAN, an NPS server used for the PEAP WLAN. Certs/settings are pushed via an AD group to the devices for both WLAN's(different AD domain's). Both WLAN's are WPA2-Enterprise/AES. Our scenario is WLC's(HA pairs) that are in 2 separate data centre's. Each WLC having different WLAN's client segments. WLC's/AP's are in a separate management VRF(for security) and can talk to each other. The request to me is to make a WLAN residing on WLC-A, available on WLC-B and vice versa. I am not interested in using mobility groups or foreign/anchor controllers so I am going to mirror image the WLAN on each WLC(hopefully that makes sense). For nothing more than ease, I was going to use a /21. I could use a /22 but I want to allow for growth or an unexpected large amount of clients for short times. I only require support, at this time for approx 1000 clients/wlan. I also preferred not to use interface groups to minimize overhead for any firewall rules that need to be enforced etc. Thanks for the link I did not get a chance to read it yet but I am hoping it will answer my "broadcast" traffic question. As for your questions, I am not sure if I answered all of them or not.
Thank you

Shaun

That link explains how it works nicely. Thank you

Shaun

you are welcome, to you security description above, I have sent you a private message.

 

Thank you