Ubiquiti UniFi Switch - IP ACL vs. MAC ACL

461 views

777 or 404

24 days ago

Comments: 11
@typischflo4718 22 days ago
Thanks for the great video. Last week I bought a USW-PRO-MAX-24-POE, but under SSH I can't go to telnet localhost. My old US-24 POE can do this, and in your video you can log in on the normal Pro.
@hz777 22 days ago
yep, I have a 48-max and it also does not run telnet. It's sad that Ubiquiti is moving farther and farther away from an "enterprise" brand. LED replaces CLI, what a shame...
@typischflo4718 22 days ago
@hz777 In my opinion the CLI is the feature that makes the switches so good. But without it, a D-Link DGS-1510 switch is better to have as a single switch, since it has more features. But UniFi has the good network controller, which D-Link doesn't have, and when you use more switches the UniFi universe is much better.
@Greg.M 21 days ago
Again, fantastic video. I'm not sure I would have ever figured out (on my own) why the IP version wouldn't work. To me, I think it would have been smarter for UniFi to make sure that you could do the blocking through the GUI interface across VLANs. My reasoning is that you could assign a static IP to a specific MAC address within the UniFi GUI, and then create your rules to block or allow. My reason for saying this is that, for example, on my phone I can use its designated MAC address, or a random address. Because of that, I would have to create two static IP addresses for both MAC addresses of one device in order to control its allowed or denied access to areas on my network - and if you have a device that can clone a MAC address, well then everything goes out the window. That is why I think UniFi should have given full flexibility to the IP functionality rather than the MAC functionality. Am I thinking about this correctly? Your thoughts?
@hz777 21 days ago
I agree with what you said regarding the MAC address. It's very easy to be faked. I think there is a potential reason for Ubiquiti to put more limitations on the UI for IP ACL rules: it's easier to prevent users from doing stupid things to the gateway and cloud key. If I remember it correctly, you can only select client MAC addresses, not UniFi device MAC addresses, when defining MAC ACL rules. To enforce the same limit on IP ACL rules would be much more complicated.
@Greg.M 21 days ago
@hz777 I guess if I want to focus on limiting device access to my network (IoT devices, guests, etc.) I could: 1. Networks > L3 Network Isolation (ACL): enable this for the VLANs I want to restrict. 2. Networks > L3 Device Isolation (ACL): enable this on each of the VLANs that is important (i.e. IoT and Guest networks). 3. Security > ACL Rules: using this I could "ALLOW", by MAC address, certain IoT devices to talk to each other (for example, a Google Home communicating with a thermostat). I am assuming that these rules come before the other two - could you confirm that for me? It is not the best security, as it is "security through obscurity" - the hacker would have to KNOW the MAC addresses of the devices that are allowed to talk to each other, and even then the rules would only allow the hacker to access or impersonate those devices . . . That's not so bad, but if it was a NAS device, then that could be problematic . . . but they'd still need to GUESS what the MAC address of the NAS is. Again, not the best. Does that sound like I am thinking about this correctly?
@hz777 21 days ago
@Greg.M
- The first step can be replaced with firewall rules in most cases, and I personally prefer firewall rules.
- The second step is for MAC ACL, if I understand you correctly. If so, it's not L3. Yes, it's the best way to achieve isolation in the same VLAN.
- Yes, "allow" rules should be treated as exceptions, and yes, they will be executed first in the generated access lists in the switch. In fact, for this step, if firewall rules work (i.e. not the same VLAN, or not an L3 switch VLAN) I would prefer firewall rules.
@Greg.M 21 days ago
@hz777 Can you confirm that the router is set as your gateway and not the switch . . . or would it matter? I am not sure what you meant when you said ". . . not L3 switch vlan)."
@hz777 21 days ago
By "L3 Switch VLAN" I mean a VLAN that has a switch as the "router".