In one embodiment, a network device may have its network interfaces identified as either network-to-network interfaces (NNIs) configured to communicate with other network devices in a first computer network, or user-to-network interfaces (UNIs) configured to provide service to the first computer network for user devices. Based on determining at least one NNI for forwarding upstream traffic to an aggregation device of the first network that connects the first network to a second network, any NNI that is not used for forwarding upstream traffic is deemed a novel “NNI alternate” (NNI-ALT). The forwarding of traffic at the network device may be controlled to provide user isolation between network devices by denying traffic forwarding between UNIs and NNI-ALTs as well as between NNI-ALTs and NNI-ALTs, while permitting traffic forwarding between NNIs and NNI-ALTs.