UniFi Switches and Access Control Lists (ACLs)
UniFi switches have Access Control Lists (ACLs), useful for isolating device traffic on the same VLAN. Networks with high-performance requirements can also use them to manage inter-VLAN routing, rather than rely on a gateway or firewall.
Requirements
ACLs are standard on all UniFi switches except for: Flex & FlexMini; US-8; USW Industrial; and USW Ultra, Ultra-60W & Ultra-210W.
Note: ACLs are not available on the switch ports of UniFi Gateways or In-Wall Access Points.
Switch ACLs vs. Firewall Rules
Firewall rules are the standard method of controlling traffic between VLANs, or to and from the internet. Learn more here.
The two primary use cases for Switch ACLs include:
- Device isolation within the same network/VLAN (MAC ACLs): Firewall Rules only apply to traffic routed between VLANs or to/from external networks. Switch ACLs are required to manage traffic within a single VLAN.
- Performance-driven network design (IP ACLs): Although not required in most deployments, this may save several milliseconds of latency because inter-VLAN traffic restrictions can be applied at the switch, instead of traversing upstream through the gateway.
UniFi’s Simplified ACLs
We have created two settings to simplify common ACL implementations (found in Settings > Networks):
- L3 Network Isolation: Block all IPv4 traffic between devices in different networks.
- Client Device Isolation: Block all communication between devices in the same network.
For more comprehensive information on implementing network and device isolation, go here.
How do ACLs Work?
When creating ACLs, keep the following logic in mind:
- ACL rules are processed top-to-bottom.
- Place specific "allow" rules before more general "block all" rules.
- Create allow rules first, especially when using a "block all" rule with source: Any and destination: Any.
- MAC ACLs are applied before IP ACLs.
- It is not possible to add MAC ACLs to networks used to manage UniFi devices.
Examples of ACLs
MAC ACL Example
This set of three MAC ACLs on the Employees network achieves two goals:
- Allow clients to communicate with the UniFi Gateway for internet access.
- Block clients from communicating with each other.
Rule 1 - Allow traffic from the UniFi Gateway to all devices on the Employees network.
- Action: Allow
- Switch: All Switches
- VLAN / Network: Employees
- Source Type: MAC Address
- Source: ab:cd:ef:12:34:56 (UniFi Gateway's MAC address)
- Destination Type: Any
Rule 2 - Allow traffic from all devices on the Employees network to the UniFi Gateway.
- Action: Allow
- Switch: All Switches
- VLAN / Network: Employees
- Source Type: Any
- Destination Type: MAC Address
- Destination: ab:cd:ef:12:34:56 (UniFi Gateway's MAC address)
Rule 3 - Block all other traffic on the Employees network.
- Action: Block
- Switch: All Switches
- VLAN / Network: Employees
- Source Type: Any
- Destination Type: Any
IP ACL Example
In this scenario, regular client devices are present on the Default network and there is an IoT network which contains other client devices. This set of two IP ACLs blocks traffic between all devices on the Default and IoT networks.
Rule 1 - Block traffic from all devices on the Default network to the IoT network.
- Action: Block
- Switch: All Switches
- Protocol: All
- Source Type: Network
- Source: Default
- Destination Type: Network
- Destination: IoT
Rule 2 - Block traffic from all devices on the IoT network to the Default network.
- Action: Block
- Switch: All Switches
- Protocol: All
- Source Type: Network
- Source: IoT
- Destination Type: Network
- Destination: Default
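As an added illustration (not UniFi's code and not part of the original article), the Python below models the rule-ordering logic described above (top-to-bottom, allow rules before block-all, MAC ACLs before IP ACLs) and encodes both examples from this article as rule sets. Two points are modelling assumptions rather than statements from the page: the first matching rule decides, and traffic matching no rule is allowed; the subnets and client MAC addresses are constructed sample values, and shadowed_rules is a hypothetical helper that flags allow rules placed after a block-all, the misordering the article warns against.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None                                   # Source/Destination Type: Any
GATEWAY_MAC = "ab:cd:ef:12:34:56"            # the article's placeholder gateway MAC
# Constructed subnets for the two example networks (not from the article).
NETWORKS = {"Default": ip_network("192.168.1.0/24"), "IoT": ip_network("192.168.20.0/24")}

@dataclass
class MacRule:
    action: str                              # "allow" or "block"
    src: Optional[str] = ANY                 # MAC address, or ANY
    dst: Optional[str] = ANY
    def matches(self, src_mac, dst_mac):
        return self.src in (ANY, src_mac) and self.dst in (ANY, dst_mac)

@dataclass
class IpRule:
    action: str
    src: Optional[str] = ANY                 # network name, or ANY
    dst: Optional[str] = ANY
    def matches(self, src_ip, dst_ip):
        return all(n is ANY or ip_address(ip) in NETWORKS[n]
                   for n, ip in ((self.src, src_ip), (self.dst, dst_ip)))

def evaluate(mac_rules, ip_rules, src_mac, dst_mac, src_ip, dst_ip):
    """Decide one frame: MAC ACLs are walked first, then IP ACLs; the first
    matching rule decides. Assumption: traffic matching no rule is allowed."""
    for rule in mac_rules:
        if rule.matches(src_mac, dst_mac):
            return rule.action
    for rule in ip_rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "allow"

def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule is Any -> Any."""
    for i, rule in enumerate(rules):
        if rule.src is ANY and rule.dst is ANY:
            return list(range(i + 1, len(rules)))
    return []

# The article's MAC ACL example in the documented order: allow rules before block-all.
EMPLOYEES_ACL = [MacRule("allow", src=GATEWAY_MAC), MacRule("allow", dst=GATEWAY_MAC), MacRule("block")]
# The same rules with block-all first: the allow rules are unreachable and the gateway is cut off.
EMPLOYEES_ACL_WRONG = [MacRule("block"), MacRule("allow", src=GATEWAY_MAC), MacRule("allow", dst=GATEWAY_MAC)]
# The article's IP ACL example: block Default <-> IoT in both directions.
DEFAULT_IOT_ACL = [IpRule("block", "Default", "IoT"), IpRule("block", "IoT", "Default")]
```

Running shadowed_rules over a rule set before committing it is the quickest way to catch a block-all rule that has been dragged above the allow rules it was meant to follow.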