Or perhaps use a VLAN trunk to the switch with the devices you want to isolate 
on different VLANs.  This gives you a different interface/subnet per VLAN for 
more natural control.

