The most secure and simple thing you can do is to get a 5505, set it up towards the internet, and set up switches and APs for the guest VLAN behind that.
Why is this the best solution in most cases?
There is nothing to gain for the "guests" to try to attack your systems over the guest system than over the internet, with one exception: the speed towards your 5510 will most likely be faster than over the internet.
It is easy to control and monitor.
An aggressor cannot exhaust any resources in your production switching environment.
An aggressor cannot capitalise on any software bugs in your production environment.
An aggressor cannot see what equipment you are using for your production environment.
An aggressor cannot capitalise on configuration errors in the production equipment/environment.
The negative side is that it will cost a little money for hardware for you to set this up.
The positive side is that it is basically impossible to mess up this setup to make a security concern out of it.
Message was edited by: hobbe