This is more of an academic question.
I'm setting up a new Guest WiFi at my office and using APXs managed by SC and it seems to be working. I have it set to NAT rather than Bridged, but I'm puzzled by how it gets through the XGS. The APX's DHCP Server hands a client an address, and I don't see that address (or network) in the gateway anywhere, but clients can get out to the internet, so it must be going through the gateway ... somewhere.
Does it use some sort of VLAN but hidden from admins to isolate the traffic? Would any XGS firewall rules apply?
NAT in Guest networks will basically use the APX IP to NAT the traffic. So you do not have any way to separate this on a firewall level.
It is more likely for the smaller deployments or the deployments without a firewall product at all.
Better to use the Bridge approach, as it will bridge the IP (DHCP) to the client. So to speak. And the APX will do a only firewalling.
Thank you. I wasn't looking to do anything specific. I just was curious how the traffic got through the gateway when there's no evidence of that network even existing on the gateway.