<div dir="ltr">Hi there,<div><br></div><div>Have you had a look at Juniper SRX's? The bigger Datacentre models allow you to use "logical-systems" to multi-tenant a router. They allow you to configure what commands they user can or can't use. So you could allow changing the firewall/NAT/VPN entries but not anything else.</div><div><br></div><div>Cisco ASA also allow a similar feature through the use of firewall contexts.</div><div><br></div><div>Each have their pros and cons.</div><div><br></div><div><br></div><div>Cheers,</div><div><br></div><div>Hamish</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 26, 2015 at 4:32 PM, Nathan Brookfield <span dir="ltr"><<a href="mailto:Nathan.Brookfield@simtronic.com.au" target="_blank">Nathan.Brookfield@simtronic.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">
<div>Ben,</div>
<div><br>
</div>
<div>The best way to do this is as you suggested VLAN's with /31 routed interfaces to minimize IP use out of your subnet.</div>
<div><br>
</div>
<div>This means you can separate everyone and remove the chance of someone think they're smarter than they actually are :)<br>
<br>
Nathan Brookfield
<div>Chief Executive Officer</div>
<div><br>
</div>
<div>Simtronic Technologies Pty Ltd</div>
<div><a href="http://www.simtronic.com.au" target="_blank">http://www.simtronic.com.au</a></div>
</div><div><div class="h5">
<div><br>
On 26 Aug 2015, at 14:29, Ben Thompson <<a href="mailto:ben@benthompson.id.au" target="_blank">ben@benthompson.id.au</a>> wrote:<br>
<br>
</div>
<div>
<div>
<p class="MsoNormal">Hi all,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Facing a challenge and looking for some ideas to get this right.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We have some customers who we want to let use some Cisco CSR1000V routers (or maybe Vyatta, haven’t decided exactly which to go with yet), but I am struggling to work out a way to ensure a customer can login to the device if they want to
do things like configure NAT or VPN, but not be able to change their external interface settings in a way that be able to impact other customers, as these would be on a common public network segment (by impact I mean things like using IP’s we haven’t allocated
to them, or rogue proxy ARP messages, etc.)<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I would like to try and do it in a scalable way, as we are thinking we may have to allocate each customer a VLAN instead of using a common VLAN, but just wanted to see if anyone had any thoughts on other ways to do this?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Ben<u></u><u></u></p>
</div>
</div>
</div></div><div><span>_______________________________________________</span><br>
<span>AusNOG mailing list</span><br>
<span><a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a></span><br>
<span><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a></span><br>
</div>
</div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Cheers,<div><br></div><div>Hamish</div></div></div>
</div>