We have some customers with offices on our campus and we're looking at how to provide them with wired internet connectivity.
Current thinking is to have a dedicated VLAN per customer trunked across our switch infrastructure back to IT, into a central firewall, router-on-a-stick style.
Where I'm thinking about options and best practices is just how to handle the separation of customers on whatever firewall we go with.
I know vendors all use slightly different terminology but would you typically go with a separate security zone per customer each with a single VLAN assigned, or use a single zone with all the VLANs assigned and intra-zone traffic forwarding disabled?
Current thinking is that we'd likely assign each customer their own private /24 and NAT behind the firewall's public IP.
Let's assume only outbound connectivity is required.
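As an added illustration (not part of the original post, and not tied to any particular vendor), the following Python generates an nftables ruleset for a Linux box acting as the router-on-a-stick described above. It expresses the "single zone with intra-zone forwarding disabled" model: the forward chain defaults to drop, each customer VLAN gets one explicit accept rule to the uplink restricted to that customer's own /24, and each /24 is masqueraded behind the uplink address. The customer names, VLAN IDs, private ranges and interface names (`eth0`, `eth1`) are constructed for the example. A small `flow_allowed()` helper models the resulting policy so the isolation properties can be checked without loading the ruleset.

```python
"""Generate an nftables ruleset for a Linux router-on-a-stick that isolates
per-customer VLANs and NATs each customer /24 behind one uplink interface.
Added example; customer data and interface names are constructed."""
import ipaddress

# Constructed sample input: customer name -> (VLAN id, private /24).
CUSTOMERS = {
    "acme": (10, "10.10.0.0/24"),
    "globex": (20, "10.20.0.0/24"),
    "initech": (30, "10.30.0.0/24"),
}
WAN_IF = "eth0"    # assumed uplink interface holding the public IP
TRUNK_IF = "eth1"  # assumed trunk interface carrying the customer VLANs


def vlan_if(vlan_id: int) -> str:
    """Sub-interface name for a VLAN, e.g. eth1.10 for VLAN 10."""
    return f"{TRUNK_IF}.{vlan_id}"


def build_ruleset(customers=CUSTOMERS, wan_if=WAN_IF) -> str:
    """Return an nftables ruleset (load with `nft -f <file>`) containing:
    - a forward chain with default policy drop, so VLAN-to-VLAN and
      uplink-to-VLAN traffic is dropped unless explicitly allowed;
    - one accept rule per customer from its VLAN sub-interface to the uplink,
      limited to that customer's own /24 so a spoofed source is dropped;
    - reply traffic accepted only for established/related flows;
    - one masquerade rule per customer /24 leaving via the uplink."""
    lines = [
        "table inet customer_edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for name, (vid, prefix) in customers.items():
        net = ipaddress.ip_network(prefix)
        lines.append(
            f'    iifname "{vlan_if(vid)}" oifname "{wan_if}" ip saddr {net} '
            f'ct state new accept comment "{name} outbound"'
        )
    lines += [
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100;",
    ]
    for name, (vid, prefix) in customers.items():
        lines.append(
            f'    oifname "{wan_if}" ip saddr {prefix} masquerade '
            f'comment "{name} snat"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def flow_allowed(src_if: str, dst_if: str, src_ip: str, new_flow: bool = True,
                 customers=CUSTOMERS, wan_if=WAN_IF) -> bool:
    """Model of the forward chain emitted by build_ruleset(): True if a packet
    arriving on src_if, leaving on dst_if, with source src_ip is forwarded."""
    if not new_flow:
        return True  # established/related reply traffic is accepted first
    for vid, prefix in customers.values():
        if (src_if == vlan_if(vid) and dst_if == wan_if
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix)):
            return True
    return False  # default policy drop: VLAN->VLAN, uplink->VLAN, spoofed source


if __name__ == "__main__":
    print(build_ruleset())
```

A separate-zone-per-customer design on a commercial firewall ends up with the same effective matrix (each customer zone to the untrust zone only), so the thing worth verifying on whichever product you pick is that no implicit intra-zone or inter-VLAN allow exists and that the allow rules are bound to the customer's own source range, as the accept rules above are.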