I need to provide internet connectivity for multiple tenants (about 70) of a building that will be sharing one large internet connection. Every tenant needs to have their own public IP address, which we will assign from the block given by the ISP. The ISP is providing a copper layer 2 handoff.
Due to wiring constraints (distance, cost), we have to use coax cable to each unit. The coax goes to an endpoint device in each unit, which then converts back to CAT5 ethernet. The coax cables get aggregated back to master units, which would then go to an ethernet switch (haven't purchased one yet).
I am trying to figure out how to isolate the tenants from each other. I don't see what prevents a tenant from misconfiguring their router, possibly using the IP address given to a different tenant. Even worse, I don't see what stops someone from connecting a laptop and ARP spoofing the gateway and sniffing everyone's traffic. In reality, this probably won't happen, but the fact that it could gives me pause.
What can I do to prevent this possibility? I was thinking of a layer 3 switch and VLANs, but I'm not entirely sure how I would apply it. The coax endpoint units (in the tenants' offices) can supposedly handle VLANs.
Any suggestions regarding either design or equipment? Thanks.
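
Added example, not part of the original post: a small audit that checks ARP observations against the per-tenant IP assignment table and flags the two failure modes described above (a tenant using another tenant's address, and the gateway address being claimed from a tenant segment). It assumes each tenant is identified by a VLAN tag set by the coax endpoint unit; all addresses, MACs, VLAN numbers and names are constructed for illustration.

```python
# Added example with constructed data; every name and value here is hypothetical.
GATEWAY_IP = "203.0.113.1"          # constructed (documentation range)
GATEWAY_MAC = "00:00:5e:00:53:01"   # constructed (documentation MAC range)
UPLINK = "uplink"                   # marks frames arriving from the ISP handoff

# Assumed assignment table: tenant VLAN tag -> the one public IP given to that tenant.
ASSIGNED = {101: "203.0.113.11", 102: "203.0.113.12", 103: "203.0.113.13"}

# Constructed ARP observations: (ingress source, sender IP, sender MAC).
OBSERVED = [
    (UPLINK, "203.0.113.1", "00:00:5e:00:53:01"),  # the real gateway
    (101, "203.0.113.11", "00:00:5e:00:53:a1"),    # tenant using its own address
    (102, "203.0.113.13", "00:00:5e:00:53:b2"),    # VLAN 102 using 103's address
    (103, "203.0.113.13", "00:00:5e:00:53:c3"),    # rightful owner of .13
    (103, "0.0.0.0", "00:00:5e:00:53:c3"),         # ARP probe (RFC 5227), no claim
    (101, "203.0.113.1", "00:00:5e:00:53:d4"),     # gateway IP claimed by a tenant
]


def audit(observed, assigned=ASSIGNED):
    """Return (kind, source, ip, mac, rightful_owner_vlan) for each violation."""
    findings = []
    for src, ip, mac in observed:
        if ip == "0.0.0.0":
            continue  # address probes carry no sender IP claim
        if ip == GATEWAY_IP:
            # Only the uplink, with the known MAC, may speak for the gateway.
            if src != UPLINK or mac.lower() != GATEWAY_MAC:
                findings.append(("gateway-claimed", src, ip, mac, None))
            continue
        if src == UPLINK:
            continue  # other upstream hosts are outside this audit
        expected = assigned.get(src)
        if expected is None:
            findings.append(("unknown-vlan", src, ip, mac, None))
        elif ip != expected:
            owner = next((v for v, a in assigned.items() if a == ip), None)
            findings.append(("wrong-ip", src, ip, mac, owner))
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print(finding)
```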