<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body dir="auto">
<div>Ben,</div>
<div><br>
</div>
<div>The best way to do this is as you suggested VLAN's with /31 routed interfaces to minimize IP use out of your subnet.</div>
<div><br>
</div>
<div>This means you can separate everyone and remove the chance of someone think they're smarter than they actually are :)<br>
<br>
Nathan Brookfield
<div>Chief Executive Officer</div>
<div><br>
</div>
<div>Simtronic Technologies Pty Ltd</div>
<div><a href="http://www.simtronic.com.au">http://www.simtronic.com.au</a></div>
</div>
<div><br>
On 26 Aug 2015, at 14:29, Ben Thompson <<a href="mailto:ben@benthompson.id.au">ben@benthompson.id.au</a>> wrote:<br>
<br>
</div>
<div>
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Facing a challenge and looking for some ideas to get this right.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We have some customers who we want to let use some Cisco CSR1000V routers (or maybe Vyatta, haven’t decided exactly which to go with yet), but I am struggling to work out a way to ensure a customer can login to the device if they want to
do things like configure NAT or VPN, but not be able to change their external interface settings in a way that be able to impact other customers, as these would be on a common public network segment (by impact I mean things like using IP’s we haven’t allocated
to them, or rogue proxy ARP messages, etc.)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I would like to try and do it in a scalable way, as we are thinking we may have to allocate each customer a VLAN instead of using a common VLAN, but just wanted to see if anyone had any thoughts on other ways to do this?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Ben<o:p></o:p></p>
</div>
</div>
<div><span>_______________________________________________</span><br>
<span>AusNOG mailing list</span><br>
<span><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a></span><br>
<span><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a></span><br>
</div>
</body>
</html>