Any clues as to how one might go about isolating a subnet from the network when traffic is entering the network from the internet? Basically the arrows point to the financial VLAN/subnet that needs to be separated from the rest of the network. Also the network is using BGP which is dual multi-homed. I'm thinking NAT and/or route-mapping?
It depends on various things. One option is if you have several public IP addresses available, you can have a particular external IP address that can be configured to route all incoming traffic to the specific internal VLAN. If you only have a single public IP address, another option is to use port forwarding to an internal router that will route all that traffic to the VLAN you require.
Keep in mind that allowing access to internal networks from the Internet should be done with caution and with the appropriate security precautions on the edge device. It is a good idea to use a firewall such as an ASA with the DMZ functionality, but this of course depends on your requirements and the internal topology of your network. Take a look at this lesson to find out more about DMZ:
I hope this has been helpful!
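As an added illustration (not part of the answer above), here is a constructed ASA configuration for the single-public-IP case described: the financial VLAN sits on its own firewall interface, one host is published on the outside address with a static port-forward for HTTPS only, and inbound as well as intra-site access to that segment is limited by explicit ACLs. Interface names, VLAN 20, the 10.20.0.0/24 range and the host 10.20.0.10 are assumptions for the example.

```cisco
! Constructed example: financial VLAN 20 (10.20.0.0/24) terminates on its own
! ASA sub-interface so the firewall, not a switch SVI, sits between it and
! every other segment.
interface GigabitEthernet0/1.20
 vlan 20
 nameif finance
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! Port-forward: only TCP/443 on the single public (outside) address is
! translated to the internal host; no other inbound translation exists.
object network FIN_WEB
 host 10.20.0.10
 nat (finance,outside) static interface service tcp https https
!
! Inbound from the Internet: permit only HTTPS to the published host and
! log everything else that is dropped, so probing of the segment is visible.
access-list OUTSIDE_IN extended permit tcp any object FIN_WEB eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Other internal VLANs (higher security-level interfaces) must not reach the
! financial segment either; deny it explicitly instead of relying on the
! ASA's default higher-to-lower permit behaviour.
access-list INSIDE_IN extended deny ip any 10.20.0.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Because traffic from the finance interface to inside is still allowed by default, add a matching ACL on the finance interface if the segment should be isolated in both directions.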