We have configured an inbound IP access list and applied it to the radio interface subinterface corresponding to the guest vlan. The access list seems to work. I thought however,that the subinterfaces on the radio side were bridged (not routed) to the corresponding subinterface on the lan side , so I don't understand why you can apply an IP access list that permits or denys certain tcp or udp services on a bridged interface. Are there any documents that explain why this works on the Aironet 1200's? Does the Aironet have special capabilites that allow it to inspect packets at layer 3 and 4 even though the packets are transiting a bridged interface?