The MS switches can do IPv4 ACLs also - just keep in mind it's not stateful. CIDR would work for isolating your OUs - just set up DHCP scopes per OU to match whatever your VLANs for each OU are and you should be good to go. I've done that where I am now for a few networks and it's working well. You have to know what traffic needs to get to where so you can configure the static routing, but as long as the network isn't sprawling it's not too bad.
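The "not stateful" caveat in the reply above is the part that bites people when they map OU VLANs to CIDR blocks and then write switch ACLs between them. The following is an added illustration (not Meraki code and not from the poster): a first-match, stateless ACL evaluator over hypothetical per-OU subnets and constructed packets. It shows that a rule permitting a request from one OU's VLAN to a server VLAN does not permit the reply, so a stateless ACL needs an explicit, tightly scoped return rule. The subnet plan, rule fields and addresses are all assumptions made for the example.

```python
"""Stateless IPv4 ACL evaluator (illustration only, not a vendor implementation).

Every packet is judged on its own; there is no connection table, so the
reply to a permitted request is denied unless a rule explicitly permits it.
All subnets, rules and packets below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical per-OU VLAN subnets: one DHCP scope per VLAN, one VLAN per OU.
OU_SUBNETS = {
    "hr":      ip_network("10.10.10.0/24"),   # VLAN 10
    "finance": ip_network("10.10.20.0/24"),   # VLAN 20
    "servers": ip_network("10.10.100.0/24"),  # VLAN 100
}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    proto: str                # "tcp", "udp" or "any"
    src_port: Optional[int]   # None = any source port
    dst_port: Optional[int]   # None = any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def _cidr_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)


def _port_match(rule_port: Optional[int], pkt_port: int) -> bool:
    return rule_port is None or rule_port == pkt_port


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; implicit deny at the end; no state kept."""
    for r in acl:
        if (_cidr_match(r.src, pkt.src_ip) and _cidr_match(r.dst, pkt.dst_ip)
                and r.proto in ("any", pkt.proto)
                and _port_match(r.src_port, pkt.src_port)
                and _port_match(r.dst_port, pkt.dst_port)):
            return r.action
    return "deny"


def reply_of(pkt: Packet) -> Packet:
    """The packet a server would send back for the given request."""
    return Packet(pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)


def check_flow(acl: List[Rule], request: Packet) -> Tuple[str, str]:
    """Verdict for the request and for its reply, evaluated independently."""
    return evaluate(acl, request), evaluate(acl, reply_of(request))


# HR -> servers on TCP/443 only. Looks complete, but it is one direction.
ONE_WAY_ACL = [Rule("permit", "10.10.10.0/24", "10.10.100.0/24", "tcp", None, 443)]

# Same intent plus the explicit return rule a stateless ACL needs. With no
# "established" keyword to lean on, scope the return rule as tightly as the
# rule set allows: server subnet as source, source port pinned to 443.
TWO_WAY_ACL = ONE_WAY_ACL + [
    Rule("permit", "10.10.100.0/24", "10.10.10.0/24", "tcp", 443, None),
]


def ou_of(ip: str) -> Optional[str]:
    """Map an address back to the OU whose DHCP scope / VLAN contains it."""
    addr = ip_address(ip)
    for name, net in OU_SUBNETS.items():
        if addr in net:
            return name
    return None


def overlapping_scopes(subnets=OU_SUBNETS) -> List[Tuple[str, str]]:
    """Sanity check for the CIDR plan: per-OU scopes must not overlap."""
    names = list(subnets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if subnets[a].overlaps(subnets[b])]


if __name__ == "__main__":
    req = Packet("10.10.10.25", "10.10.100.5", "tcp", 51515, 443)
    print("one-way ACL :", check_flow(ONE_WAY_ACL, req))   # ('permit', 'deny')
    print("two-way ACL :", check_flow(TWO_WAY_ACL, req))   # ('permit', 'permit')
    print("overlaps    :", overlapping_scopes())
```

Running it shows the request permitted under both rule sets but the reply dropped under the one-way set, which is exactly the symptom to look for when a stateless ACL "half works". The `overlapping_scopes` check is the quick test to run on the CIDR plan before handing it to DHCP and the static routes.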