Creating specialized servers is a good and easy way to go.
The other way could be to use client specific overrides to provide each client a fixed IP that can be used in firewall rules to deny/allow access to special devices.
The other way could be to use client specific overrides to provide each client a fixed IP that can be used in firewall rules to deny/allow access to special devices.