I am trying to create an ACL on a 5508 for the guest WLAN so it wont be able to access internal networks, such as 172.16.0.0 255.255.0.0 and 10.0.0.0 255.0.0.0. But, the traffic does have to go through these networks to get to the internet. I have tried to create the ACL a couple of ways but anytime I add a deny statement for the networks I get no Internet access.
I spoke with Cisco Support and was told I would need to have explicit deny statements for nodes we dont want the guests to get to. Is that true?