I&#39;d argue handling it at the layer 3 level to be preferable than splitting every customer into their own vlan.<br><br>If you split into vlans like that, if you have single-box customers, you&#39;ll have to have subnet boundaries for every /30...<br>
<br>OTOH, vlan isolation for customers is pretty much the norm, as long as you&#39;ve got the IP&#39;s to waste, why not..<br><br>Peter<br><div class="gmail_quote">On Sat, Dec 19, 2009 at 8:42 AM, Les Mikesell <span dir="ltr">&lt;<a href="mailto:lesmikesell@gmail.com">lesmikesell@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">Peter Serwe wrote:<br>
&gt; So basically, you&#39;re saying you&#39;d want to allow or disallow traffic<br>
&gt; based on mac address?  Seems like you could put mac filters on a number<br>
&gt; switches, Cisco being the most easily documented by Mr. Google.<br>
&gt;<br>
&gt; Be a lot faster than any kernel, and a total waste of BSD.  If you can<br>
&gt; do it on Linux via some other mechanism, go for it.<br>
&gt;<br>
<br>
</div>Or perhaps use a VLAN trunk to the switch with the devices you want to isolate<br>
on different VLANs.  This gives you a different interface/subnet per VLAN for<br>
more natural control.<br>
<div class="im"><br>
--<br>
   Les Mikesell<br>
    <a href="mailto:lesmikesell@gmail.com">lesmikesell@gmail.com</a><br>
_______________________________________________<br>
</div><div><div></div><div class="h5">CentOS mailing list<br>
<a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br>
<a href="http://lists.centos.org/mailman/listinfo/centos" target="_blank">http://lists.centos.org/mailman/listinfo/centos</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Serwe<br><a href="http://truthlightway.blogspot.com/">http://truthlightway.blogspot.com/</a><br>