Flow-based isolation can be provided in a service network that is implemented over a software-defined network, and particularly in a dynamic open-access network environment. End user premises devices can be configured with one or more service network isolation flows that apply to communications within the service network. Such service network isolation flows can define rules for dropping any outgoing communication that is destined for an IP address within the service network. Such service network isolation flows can also define rules for dropping any incoming communication that originated from an IP address within the service network. By employing service network isolation flows on the end user premises devices to block communications on the service network between end user premises devices, service isolation over the software-defined network and customer isolation within the service network can be provided without the inherent limitations of S-Tag/C-Tag techniques that hinder the scaling of software-defined networks.