Some types of device meshes use a layer-2 network layer with a virtual local area network (VLAN). The layer-2 network layer may comprise a data link where data packets are encoded or decoded into bits. A Media Access Control (MAC) sublayer controls how devices access data, and controls permission for transmitting the data, such as where packets are sent to specific switch ports based on destination MAC addresses. The layer-2 network layer uses physical addressing, and thus instead of routing packets to local peers, a destination MAC address is resolved through an Address Resolution Protocol (ARP) to communicate with a local peer. VLAN tags, carried within internet protocol (IP) packets of the layer-2 network layer, may be used to provide isolation between devices. Providing isolation between certain devices can improve security of a device mesh. For example, devices on different VLANs may be isolated from one another to improve security between VLANs at the layer-2 network layer.