I've got the following scenario (image attached).
Each site has a VLAN for Restricted PCs. These PCs should have access to their own site's file server and printers. I don't want them to access anyone else's site, except for DNS lookups and AD login into a virtual DC.
I realize I could let the layer 3 switch handle the ACL, but the downside is that if they want to access a file off a server at their own site, they would need to route first through the layer 3 switch to get back to their own server. Not really a problem since the inter-site links are 1000 Mbps fiber, but if a line was cut, they would lose connectivity to their own files.
The other option was to set static IPs for these restricted PCs in the same VLAN/subnet as their file server and then create an ACL on the layer 3 switch, but then I need to restrict NIC permissions and manually add users. I'd rather let DHCP assign them an IP.
I'm looking for some other options based on the equipment in place.
Thanks!