A third option (for RAP3s and 155s or any Instant AP) is to use Instant + VPN as documented in the Instant user guide.
Essentially, you move from an L2 extension in the RAP mode (note all the broadcast and multicast knobs per best practice in Chris's link to our VRD) to an L3 extension with routable subnets per RAP. There are major architectural differences but for scaling purposes, please consider using our RAPs as Instant APs and enabling an IPSec tunnel to a mobility controller.
The benefits are:
1. < 1 minute failover as you can enable two IPSec tunnels to two controllers.
2. L3 connectivity vs. L2 connectivity meaning the RAP clients' gateway is the RAP. Each home/remote site is its own subnet. Think broadcast containment, etc...
3. Plug and play (since it's Instant) for adding another AP or two. Also note that IF the demarc in the home is NOT in an optimal spot, with Instant, we can enable "wifi uplink" whereby you have an AP where the modem is and you can form a wireless link to another AP where the user may be physically located.
4. No AP/PEF licensing on the controllers (recommend PEF-V however)
5. Scalability numbers well north of AP capacity limits on controllers as all intelligence (control and management planes) is distributed.
There are many more but at scale, Instant + VPN is a much more robust solution we have been working on and now have in place for a little while now...