You don’t have to eliminate all the CMMmicros to do this. Just enable SM isolation in the AP, enable AP isolation in the CMMmicro, give the BH an uplink port in the CMMmicro, and terminate all BHs into a Layer 3 switch with VLANs. This way all SM traffic will have to go directly to the Layer 3 switch or router and all broadcast and multicast traffic will be dropped. No SM to SM traffic will be allowed.
As for PPPoE, the answer is yes: the SM if in NAT, or a router if not, must authenticate with a RADIUS server to allow traffic to flow to the SM, creating a tunnel between the SM and gateway, basically doing the same thing as the built-in features I mentioned above. If you are not running Prizm for authentication then PPPoE is a good way to secure the network, but the drawback is more overhead.