Access Control Lists

UniFi switches offer Access Control Lists (ACLs) to restrict Layer 2 (MAC-based) traffic and isolate devices within the same network/VLAN. These work to supplement Firewall Rules in order to create effective and precise security policies.


ACLs are supported on specific UniFi Switch models, primarily focusing on Layer 2 switches.

Supported models include:

  • UniFi Switch (excluding USW-Flex, USW-Flex-Mini, US-8, USW-Industrial, USW-Ultra, USW-Ultra-60W, and USW-Ultra-210W)

Note: ACLs are not available on the switch ports of UniFi Gateways or In-Wall Access Points.

What are Switch ACLs?

Switch ACLs work using Layer 2 MAC Addresses. This means that they are used to restrict traffic within a specific network/VLAN. This is in contrast to Firewall Rules which work at Layer 3 and above, meaning that they only apply to traffic between different networks/VLANs or between a local network and the Internet.

For more information on practical implementation of Switch ACLs, see our article on Network and Client Isolation.

Switch ACLs vs. Firewall Rules

Switch ACLs should be used in two scenarios:

  1. To isolate clients or restrict traffic within the same network/VLAN.
  2. To isolate a network/VLAN running on a Layer 3 switch from other networks/VLANs.

For everything else, we recommend using Firewall Rules.

For more information on implementing network and client isolation policies, click here.


Was this article helpful?
1 out of 1 found this helpful