Help with discriminating wifi AP traffic please

First - what you need is not a "managed" switch, but a switch that supports VLANs, which most managed switches can do - if you're using a managed layer 2 switch, you will also need a router than understands VLANs. The M4100 series is a fully managed switch which allows interVLAN routing, so it will make your task easier. For the sake of discussion ... Let's say you're going to have an office VLAN and a guest VLAN, so you start by configuring the switch with those VLANs, one port of the switch is going to be a member of both VLANs and must be configured to passed "tagged" packets (this is known as a "trunk" port in some circles - the access point will connect to this port.. The wireless access point MUST support multiple SSIDs and understand VLAN tagging, and you will configure two SSIDs, for ease of discussion an office SSID and a guest SSID, and you will configure those SSIDs to be a part of the respective VLANs. At this point you should be able to ping a computer connected to an office VLAN port on the switch, from a computer on any other office VLAN port, or connected to the office SSID - BUT NOT from a computer connected to a guest VLAN port or the guest SSID. The next step will be to configure interVLAN routing on the switch and then set your access lists to prevent the guest VLAN from accessing the office VLAN. Assuming that you will be NATting the internet traffic (sharing a single public WAN ip address) you will need a router that can NAT multiple subnets.