what about default router for the guest network, will it be local ISP or will it have from DC?

4 VLAN's should have default router from Dc and 1 VLAN from local ISP, is this possible.

 

Is you dont select the vlan to be in vpn, it will use the default  route to your  primary  local WAN 

will there be any issues in terms of security, if i dont have adv sec ? 

its guest traffic, but what to know will there be any sec issues.

Hi @satyamothukuri if you are just sending guests out on a guest VLAN that is not part of the VPN, that's your call if you want to leverage the Advanced Security license to turn on IPS, AMP and content filtering for example. Generally speaking that's a common practice to leverage those features even for the guest VLAN. The split tunnel / full tunnel toggle is a hub by hub setting, not VLAN by VLAN. So as @ww mentioned just don't include the Guest VLAN in the VPN, and use full tunnel back to your hub. If you check the "default route" box for a given hub, that is then full tunnel, unchecked gives you split tunnel. It may be less of a technical question and more of a policy question specific to your organization to decide if you'll need to leverage the Adv Sec features for the Guest subnet.