Thanks Seth.
I am not worried about broadcast/multicast as I am dropping them at the WLAN level (broadcast filter all).
I am more worried about MAC address exhaustion in my switches (worried or a little paranoid :) ).
L3 distributed would not take care of problem number #1, as the client MACs would appear in the switch.
I am also worried about having the L3 (in this case the default GW and a DHCP server) of an open WLAN at the IAP when the same IAP also has a corporate WLAN, as this could be a vector for an exploit (probably being paranoid again...).
After some reading I now know that it would be a little tricky to do the "attack" to overload the MAC table, but with aircrack-ng I could probably generate a lot of auth/deauth packets with different MACs in the guest WLAN and do it (have to test it in a lab...).
So I am going to test the scenario with Central L2, where I have all the IAPs creating a GRE tunnel to the controller (so I guess there is no need for the VLAN associated with the guest WLAN to be on the switch connected to the IAPs), and only worry about the dedicated switch on the central controller side.