You need working switch level filtering, many implementations can be bypassed / will never be fixed: https://blog.champtar.fr/VLAN0_LLC_SNAP/