We are in the process of setting up a serviced office. It could have up to 100 customers therefore 100 separate VLANs + other management and public VLANs.
These customer VLANs should not be able to access one another (obviously devices on the same customer VLAN should). However there will be public VLANs that all customer VLANs need to access as well.
There will of course also be an Internet Router/Firewall on another VLAN, that naturally all VLANs need access to for Internet Access. This VLAN also needs access to ALL vlans in case we need to NAT traffic into a device on any VLAN.
What is the best way to achieve this segregation? Using ACLs seems impossible due to the scale (and on the N4000 there is a 100 ACL limit), so what options are available to achieve the above, while ensuring all routing is handled by the swtiching itself.
Core (L3) switches -> N4032 (stacked)
Access (in L2 mode) -> N2048 (stacked)