If I have a customer who co-locates on my network with a couple of servers and I configure a subnet, what's the best way to allow them access via teamviewer or similar just to their particular servers and no other devices on my network?

So, it would look something like this (topology only)

Customer servers --> Layer 2 switch --> Core (Gateway) --> Upstream core --> Internet --> Customer