Welcome to the networking world. This will be the basic process for you to add an isolated guest wireless VLAN to your setup.
- Identify where the default gateway for this subnet is going to be. You CANNOT put this as a layer 3 interface on the switch. The layer 3 switch interfaces get direct acces to each other as the switch is NOT a firewall. So you will need an upstream firewall that will have the guest wireless default gateway and this VLAN on the switches will be strictly layer 2.
- On the firewall create the gateway interface and zone for the guest wireless. Likely this will also be where you will do DHCP for this zone. Create the security access rules for the guest wireless zone
- On the switch connected to the firewall: Select a new VLAN tag for wireless and add this tag to the trunk port facing the firewall.
- On the switch ports facing the other two swiches from this switch add the VLAN tag to the trunk port
- On the ports connected to the WAPs: Add a tagged VLAN sub interface with this same VLAN for the guest traffic
- On the WAP: Create the mgmt address on the untagged VLAN in the range of your default VLAN for mgmt on your network
Create the SSID and assign to the VLAN tag created