Historic legacy data center designs include a layer-3 network in the core or aggregation layer and a layer-2 network having virtual local area networks (VLANs) southbound to the access layer, to which host devices are connected. In this design, service devices are deployed physically at the layer-3 to layer-2 boundary or on service aggregation devices attached at the boundary. Network traffic for specific VLANs always goes through the configured service devices at the network boundary, which presents challenges as to how to scale out the service devices, for example, to add more firewall capacity. Additionally, service devices and their associated security policies can only exist at the network perimeter, so historic designs present no opportunity to implement network-level security policies between hosts within the same layer-2 domain.