UniFi Switch - Device and Network Isolation

Device Isolation and Network Isolation are UniFi Switch features that automatically add Access Lists (ACLs) to block traffic between devices on the same or different virtual networks (VLANs). 

Requirements

Device Isolation and Network Isolation are supported on all UniFi Switch models with a few exceptions. ACLs are not supported on UniFi Gateways and Access Points, even those with integrated switches. The following devices do not support ACLs:

  • USW-Flex
  • USW-Flex-Mini
  • US-8
  • USW-Industrial
  • USW-Ultra
  • USW-Ultra-60W
  • USW-Ultra-210W
  • All UniFi Gateways
  • All UniFi Access Points (including In-Wall models)

Available Options

There are different options available to suit different needs:

  • L3 Network Isolation (ACL) - Automatically blocks all IPv4 traffic between devices in different networks.
  • Device Isolation (ACL) - Automatically blocks all traffic between devices in the same network.

L3 Network Isolation (ACL)

Enable Network Isolation to block all IPv4 traffic between devices in different virtual networks (VLANs). Network Isolation automatically creates IPv4 Access Lists to block traffic in both directions between the subnets associated with each network.

Network Isolation is configured as combinations of networks:

  • Each combination pairs a single Source network with one or more Isolate From networks.
  • The Source network is isolated from each of its Isolate From networks in both directions.
  • Multiple combinations can be created to isolate different networks from each other.

Network Isolation cannot be configured on networks when:

  • UniFi Network Server is present on either of the networks.
  • UniFi Cloud Key is present on either of the networks.

Note: Network Isolation does not apply to IPv6 traffic.

Device Isolation (ACL)

Enable Device Isolation to block all traffic between devices in the same virtual networks (VLANs). Device Isolation automatically creates MAC Access Lists to block traffic between the devices inside each network with the exception of traffic to the UniFi Gateway and UniFi Cloud Key.

Device Isolation cannot be configured on networks when:

  • UniFi Network Server is present.
  • Third Party Gateway is used.

Note: Multiple networks selected under Device Isolation are not isolated from each other. Configure Network Isolation to block traffic between different networks.
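The following added example (not Ubiquiti's code, and not taken from this article) models the ACL behaviour described in the Network Isolation and Device Isolation sections above, so that a planned configuration can be checked for gaps before it is applied: bidirectional IPv4 subnet rules per Source/Isolate From combination, MAC-level blocking inside a VLAN with the Gateway and Cloud Key exempt, no IPv6 coverage, and no cross-VLAN effect from Device Isolation. The network names, subnets and MAC addresses are constructed values.

```python
from ipaddress import ip_address, ip_network

# Constructed example VLANs; names and subnets are assumptions, not from the article.
NETWORKS = {
    "Corporate": ip_network("10.0.10.0/24"),
    "IoT": ip_network("10.0.20.0/24"),
    "Guest": ip_network("10.0.30.0/24"),
}
# MAC addresses of the UniFi Gateway and Cloud Key (constructed values);
# Device Isolation never blocks traffic to these.
EXEMPT_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


def network_isolation_rules(network_isolation):
    """Expand each Source / Isolate From combination into the set of
    bidirectional IPv4 subnet deny pairs that the switch installs."""
    rules = set()
    for src, targets in network_isolation.items():
        for dst in targets:
            rules.add((NETWORKS[src], NETWORKS[dst]))
            rules.add((NETWORKS[dst], NETWORKS[src]))  # both directions
    return rules


def network_of(ip):
    """Name of the VLAN whose subnet contains ip, or None."""
    return next((n for n, subnet in NETWORKS.items() if ip in subnet), None)


def flow_blocked(network_isolation, device_isolation, src_ip, dst_ip, src_mac, dst_mac):
    """Return True if the ACLs generated from the two settings drop the flow.

    network_isolation: {source_network: {isolate_from_network, ...}}
    device_isolation:  set of networks with Device Isolation enabled
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    if s.version == 6 or d.version == 6:
        return False  # Network Isolation is IPv4-only; IPv6 passes unfiltered
    src_net, dst_net = network_of(s), network_of(d)
    if src_net is None or dst_net is None:
        return False
    if src_net == dst_net:
        # Same VLAN: only Device Isolation (a MAC ACL) can block, and traffic
        # to the Gateway and Cloud Key is always exempt.
        in_scope = src_net in device_isolation and src_mac != dst_mac
        return in_scope and dst_mac not in EXEMPT_MACS
    # Different VLANs: only Network Isolation applies; selecting several
    # networks under Device Isolation does not isolate them from each other.
    return (NETWORKS[src_net], NETWORKS[dst_net]) in network_isolation_rules(network_isolation)
```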

Frequently Asked Questions

1. How does Device Isolation differ from Network Isolation?

Device Isolation blocks traffic between devices on the same Virtual Network (VLAN) whereas Network Isolation blocks IPv4 traffic between VLANs.

2. How do Device and Network Isolation (ACLs) differ from Firewall Rules?

Device and Network Isolation (ACLs) apply to UniFi Switches, whereas Firewall Rules apply to UniFi Gateways. Network Isolation also applies only to IPv4 traffic, whereas Firewall Rules apply to both IPv4 and IPv6 traffic.

3. I want to block IPv4 traffic between my Virtual Networks. Should I use Firewall Rules or ACLs?

When using Layer 3 Routing on a UniFi Switch, use Network Isolation instead of Traffic and Firewall Rules to limit the traffic. This is necessary because the traffic is routed between VLANs on the UniFi Switch, not on the UniFi Gateway.

If Layer 3 Routing is not used and the UniFi Gateway is routing the traffic between VLANs, either Network Isolation or Firewall Rules can be used to limit the traffic.

4. I want to block traffic between devices on the same Virtual Network. Should I use Firewall Rules or ACLs?

With Firewall Rules on UniFi Gateways, it is not possible to block traffic inside the same VLAN as this passes through the switch. Use Device Isolation to block this traffic. 