Thanks for the information. Looks like I will add some more ACLs :)
Something else to note that I had not noted well: you should always add ACLs to block clients from using any IPs of any core services on your network, so all gateways, routers, switches, etc. We have all our core servers on a single subnet, so we restrict our clients from using that entire subnet. But it is very important, if you are using VLANs with discrete gateways, that you add those gateway IPs to the client ACL blacklist as well.
We have a fairly dense deployment of 64 APs, and usually see no more than 12-15 clients on an AP at any time. I think we may re-evaluate HT for next year, but from what we have already seen, it seems removing HT means your lowest-denominator clients will still be able to connect without problems. I think I would rather add APs than deal with BYOD connectivity/reliability issues.
I find it interesting how you have all these wifi vendors stating (to schools) how their technology will fix everything wrong with wifi, but in reality you are dealing with limitations of the wireless spec, and not so much the hardware. Having a quality ARM platform seems to be key with any deployment, especially a dense one...
Going back to the original subject (sorry for the hijack), should we just drop broadcast/multicast? :) I know this is what our local Aruba engineer suggests, and we have seen no issues since...
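The client ACL check described in the post above, as an added example that is not from this thread or any vendor: it audits a constructed client ACL against a constructed core-services subnet and per-VLAN gateway addresses and reports anything clients can still reach (names, addresses and ACL entries are all assumptions).

```python
# Added example: audit a client ACL for the gaps the post warns about.
# All addresses and ACL entries below are constructed, not real ones.
import ipaddress

# Constructed: subnet holding core services, plus each VLAN's gateway.
CORE_SUBNET = ipaddress.ip_network("10.0.0.0/24")
VLAN_GATEWAYS = {
    "vlan10": ipaddress.ip_address("10.10.0.1"),
    "vlan20": ipaddress.ip_address("10.20.0.1"),
    "vlan30": ipaddress.ip_address("10.30.0.1"),
}

# Constructed client ACL: evaluated top-down, first match wins.
# Note the VLAN 30 gateway is missing, the mistake the post describes.
CLIENT_ACL = [
    ("deny", "10.0.0.0/24"),   # core server subnet
    ("deny", "10.10.0.1/32"),  # gateway for VLAN 10
    ("deny", "10.20.0.1/32"),  # gateway for VLAN 20
    ("permit", "0.0.0.0/0"),   # everything else
]


def first_match(acl, dst):
    """Action of the first ACL entry whose network contains dst."""
    for action, net in acl:
        if dst in ipaddress.ip_network(net):
            return action
    return "deny"  # implicit deny at the end of the list


def find_gaps(acl, core_subnet, gateways):
    """List every gateway or core host the client ACL still permits.

    Hosts are checked one by one, so a deny that covers only part of
    the core subnet, or is shadowed by an earlier permit, is reported.
    """
    gaps = []
    for name, gw in gateways.items():
        if first_match(acl, gw) == "permit":
            gaps.append(f"{name} gateway {gw}")
    for host in core_subnet.hosts():
        if first_match(acl, host) == "permit":
            gaps.append(f"core host {host}")
    return gaps


for gap in find_gaps(CLIENT_ACL, CORE_SUBNET, VLAN_GATEWAYS):
    print("still reachable by clients:", gap)
```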