ACL on Cisco 3750 to allow Active Directory Replication and user Authentication

kkazimov81
Level 1

Good day Everyone,

I have a router and eight switches connected directly to that router. Each switch is a separate IP subnet.

I will have one Domain Controller in each subnet. This would all be one logical AD domain.

The Active Directory site will be a hub-and-spoke design, meaning that there will be one "hub" DC and seven DCs in different subnets replicating ONLY to that "hub" DC.

Plus, all users in all non-hub networks must be able to authenticate to their own subnet's DC (local to them) and to the "hub" DC in the "main" subnet (in case the local one fails).

So I need an ACL to allow two-way replication between the "hub" DC and each DC in the subnets, and one-way AD authentication from all subnets to the "hub" DC. Plus, DNS replication and DNS name resolution requests should be allowed between the spoke and hub sites.

I googled a couple of solutions (below) but am not sure which one will do the job, and do it in the most secure way:

access-list 100 permit ip host x.x.x.x host y.y.y.y
access-list 200 permit ip host y.y.y.y host x.x.x.x

OR

access-list 100 permit tcp host x.x.x.x host y.y.y.y eq domain
access-list 100 permit udp host x.x.x.x host y.y.y.y eq domain
access-list 100 permit tcp host x.x.x.x host y.y.y.y eq ldap
access-list 100 permit udp host x.x.x.x host y.y.y.y eq ldap
access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 53
access-list 100 permit udp host x.x.x.x host y.y.y.y eq 53
access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 88
access-list 100 permit udp host x.x.x.x host y.y.y.y eq 88

(88 - Kerberos authentication and 53 - DNS)

 

I would really appreciate it if someone could help me with that setup and explain where I should implement the ACL on the router (inbound or outbound on the interface facing the corresponding networks).

Thanks,

Kamil.

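The thread has no reply, so the following is an added example, not part of the original post or of any Cisco documentation. It generates the IOS extended ACLs the question asks for, and goes beyond the two candidate lists in the post: DC-to-DC replication also needs the RPC endpoint mapper (TCP 135) plus the dynamic RPC range, SMB (TCP 445) for SYSVOL, LDAPS/Global Catalog and kpasswd, all of which are in Microsoft's documented AD DS port set. Because a 3750 filters statelessly, the example permits the return half of each TCP session with the service port as the source port plus `established`, and UDP replies with the service port as the source. The ACLs are meant to be applied inbound on each router interface facing the subnet whose hosts they describe (one per spoke interface, one on the hub interface). All addresses, ACL names and interface names are constructed.

```python
"""Cisco IOS extended ACL generator for hub-and-spoke AD domain controllers.

Added example (not from the original post). Ports are Microsoft's documented
AD DS set; every address, ACL name and interface name below is constructed.
The 3750 filters statelessly, so return traffic of TCP sessions the far side
opened is matched with the service port as *source* plus 'established'.
"""

# Ports a DC listens on for DC-to-DC replication (TCP: DNS, Kerberos,
# RPC endpoint mapper, LDAP, SMB/SYSVOL, kpasswd, LDAPS, Global Catalog).
DC_TCP = [53, 88, 135, 389, 445, 464, 636, 3268, 3269]
DC_UDP = [53, 88, 123, 389, 464]
# Windows Server 2008+ default dynamic RPC range negotiated via port 135.
RPC_DYN = (49152, 65535)
# What a domain member needs for logon/GPO against a DC (GC and LDAPS are
# not required for logon in a single-domain forest).
CLIENT_TCP = [53, 88, 135, 389, 445, 464]
CLIENT_UDP = [53, 88, 123, 389, 464]


def host(ip):
    return f"host {ip}"


def initiations(src, dst, tcp, udp):
    """Sessions src opens toward dst: any source port, listed destination ports."""
    lines = [f" permit tcp {src} {dst} eq {p}" for p in tcp]
    lines.append(f" permit tcp {src} {dst} range {RPC_DYN[0]} {RPC_DYN[1]}")
    lines += [f" permit udp {src} {dst} eq {p}" for p in udp]
    return lines


def replies(src, dst, tcp, udp):
    """Answers src sends for sessions dst opened: the service port is the source."""
    lines = [f" permit tcp {src} eq {p} {dst} established" for p in tcp]
    lines.append(f" permit tcp {src} range {RPC_DYN[0]} {RPC_DYN[1]} {dst} established")
    lines += [f" permit udp {src} eq {p} {dst}" for p in udp]
    return lines


def spoke_acl(name, spoke_dc, spoke_net, hub_dc):
    """Inbound ACL for the router interface facing one spoke subnet.

    spoke_net is an IOS 'address wildcard' pair, e.g. '10.1.0.0 0.0.0.255'.
    """
    s, h = host(spoke_dc), host(hub_dc)
    lines = [f"ip access-list extended {name}",
             " remark spoke DC <-> hub DC replication"]
    lines += initiations(s, h, DC_TCP, DC_UDP)   # spoke DC opens to hub DC
    lines += replies(s, h, DC_TCP, DC_UDP)       # spoke DC answers hub-opened sessions
    lines.append(" remark spoke users -> hub DC logon fallback")
    lines += initiations(spoke_net, h, CLIENT_TCP, CLIENT_UDP)
    lines.append(" remark other traffic this site needs goes here")
    lines.append(" deny ip any any log")         # make the implicit deny visible
    return lines


def hub_acl(name, hub_dc, spokes):
    """Inbound ACL for the router interface facing the hub subnet.

    spokes is a list of (spoke_dc_ip, spoke_net) tuples.
    """
    h = host(hub_dc)
    lines = [f"ip access-list extended {name}"]
    for spoke_dc, spoke_net in spokes:
        s = host(spoke_dc)
        lines.append(f" remark hub DC <-> {spoke_dc}")
        lines += initiations(h, s, DC_TCP, DC_UDP)           # hub DC opens to spoke DC
        lines += replies(h, s, DC_TCP, DC_UDP)               # answers to spoke DC
        lines += replies(h, spoke_net, CLIENT_TCP, CLIENT_UDP)  # answers to spoke users
    lines.append(" deny ip any any log")
    return lines


def bind(interface, acl_name):
    """Apply an ACL inbound on the interface whose hosts it describes."""
    return [f"interface {interface}", f" ip access-group {acl_name} in"]


if __name__ == "__main__":
    # Constructed addressing: hub DC 10.0.0.10; spoke DCs 10.N.0.10 in 10.N.0.0/24.
    spokes = [("10.1.0.10", "10.1.0.0 0.0.0.255"), ("10.2.0.10", "10.2.0.0 0.0.0.255")]
    print("\n".join(hub_acl("HUB-IN", "10.0.0.10", spokes)))
    print("\n".join(spoke_acl("SPOKE1-IN", "10.1.0.10", "10.1.0.0 0.0.0.255", "10.0.0.10")))
    print("\n".join(bind("GigabitEthernet1/0/1", "SPOKE1-IN")))
```

Of the two candidate lists in the post, the first (`permit ip host ... host ...`) allows replication but also every other protocol between the two DCs, while the second is missing the RPC, SMB and kpasswd ports replication and logon actually use, so AD replication would fail with only DNS, LDAP and Kerberos permitted. The generated ACLs keep the host-to-host scoping of the first list with the port scoping of the second, and the trailing `deny ip any any log` makes anything blocked visible in the router log while the port list is being tuned.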