Subscriber (or user) devices, such as those of broadband subscribers (e.g., metro Ethernet), are often connected to a computer network via a service provider's access network, which collects residential and business subscriber traffic and is often arranged in a ring topology. For security purposes, traffic in an access network is generally expected to be controlled so that subscriber-to-subscriber communication is prevented.
Service providers have used various methods, technologies, and protocols to isolate broadband subscribers. For instance, certain devices may implement UNI/NNI functionality, where traffic is forwarded based on its type: traffic arriving on a user-to-network interface (UNI) is forwarded only to network-to-network interfaces (NNIs). While this isolates subscribers on the same network device, it is not appropriate for subscriber isolation across multiple devices. Network devices may also be configured to implement Private VLAN (PVLAN, private virtual local area network) functionality to provide the desired traffic control across multiple devices; however, certain limitations apply to implementing PVLANs, such as hardware configurations that do not allow their use.
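The following added example (not part of the original text) models the UNI/NNI rule described above on a constructed two-switch topology, showing that it isolates subscribers on one device but not across devices. The switch and port names are hypothetical, frames are flooded for simplicity, and the model assumes that a frame arriving on an NNI may egress on any other port, which the text does not state.

```python
from collections import deque

# Constructed topology (assumption): two access switches joined by one NNI link.
# Switch and port names are hypothetical.
PORTS = {
    ("sw1", "u1"): "UNI", ("sw1", "u2"): "UNI", ("sw1", "n1"): "NNI",
    ("sw2", "u1"): "UNI", ("sw2", "n1"): "NNI",
}
LINKS = {("sw1", "n1"): ("sw2", "n1"), ("sw2", "n1"): ("sw1", "n1")}


def egress_ports(switch, ingress):
    """Apply the UNI/NNI rule on one device.

    UNI ingress may leave only on NNIs (from the text).
    NNI ingress may leave on any other port (assumption of this model).
    """
    role = PORTS[(switch, ingress)]
    return [p for (sw, p), r in PORTS.items()
            if sw == switch and p != ingress and (role == "NNI" or r == "NNI")]


def reachable_unis(src_switch, src_port):
    """Flood a frame from one subscriber port; return every UNI it reaches."""
    delivered, seen = set(), set()
    queue = deque([(src_switch, src_port)])
    while queue:
        sw, ingress = queue.popleft()
        if (sw, ingress) in seen:      # guards against loops, e.g. in a ring
            continue
        seen.add((sw, ingress))
        for out in egress_ports(sw, ingress):
            if PORTS[(sw, out)] == "UNI":
                delivered.add((sw, out))           # frame handed to a subscriber
            elif (sw, out) in LINKS:
                queue.append(LINKS[(sw, out)])     # frame crosses to the neighbor


    return delivered


if __name__ == "__main__":
    # The subscriber on sw1/u1 cannot reach sw1/u2, but does reach sw2/u1.
    print(sorted(reachable_unis("sw1", "u1")))
```

The leak occurs because the second switch sees the frame arrive on an NNI and has no way to tell that it originated at a subscriber port on another device.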