Wireless Access

I have a scenario with master-master controller on central locatiopn and many branches with APs in CAP mode. Branches are connected to central location over IPSec. 

But customer wants to use bridge mode cause he has local sccm server on each branch and doesn't want to ehxhaust his WAN links with downloading patches from central location instead from local SCCM server. And also wants that wifi client on each location hes the address from the subnet on each location so bridge mode is the only solution.

But I want to use different VLAN for unhealthy client so how to configure trunk port on bridged AP.

APs are 305s. If i put on AP group -> AP -> Eth 0 (or 1???which one) -> trunk (native vlan - 1 (all branches are on vlan 1) and allowd vlans (1, 10 - quarantine vlan on each branch)

Will that make my AP port on btanch side trunk port?

You cannot do VLAN derivation (change VLANs based on a condition) on a bridged SSID.  You should look into getting Instant APs for those sites, instead.

are You 100% .. what does mean the option TRUNK on ap group --> AP --> ETH 0 or 1

http://community.arubanetworks.com/t5/Controller-Based-WLANs/Which-of-the-derived-vlans-take-priority-if-UDR-MAC-auth-and/ta-p/177432

"VLAN derivation is not supported for Split-Tunnel and Bridge forward mode"

The trunk is to configure enet1 to accept a client like a phone or a switch that would tag packets coming IN to the access point.

Thank You very much..