diff --git a/builtin/providers/cloudstack/resource_cloudstack_network.go b/builtin/providers/cloudstack/resource_cloudstack_network.go
index 458a768fe..b19ba5bca 100644
--- a/builtin/providers/cloudstack/resource_cloudstack_network.go
+++ b/builtin/providers/cloudstack/resource_cloudstack_network.go
@@ -11,7 +11,26 @@ import (
 "github.com/xanzy/go-cloudstack/cloudstack"
 )
+const none = "none"
+
 func resourceCloudStackNetwork() *schema.Resource {
+ aclidSchema := &schema.Schema{
+ Type: schema.TypeString,
+ Optional: true,
+ Default: none,
+ ConflictsWith: []string{"aclid"},
+ }
+
+ aclidSchema.StateFunc = func(v interface{}) string {
+ value := v.(string)
+
+ if value == none {
+ aclidSchema.ForceNew = true
+ }
+
+ return value
+ }
+
 return &schema.Resource{
 Create: resourceCloudStackNetworkCreate,
 Read: resourceCloudStackNetworkRead,
@@ -82,12 +101,7 @@ func resourceCloudStackNetwork() *schema.Resource {
 Deprecated: "Please use the `vpc_id` field instead",
 },
- "acl_id": &schema.Schema{
- Type: schema.TypeString,
- Optional: true,
- Computed: true,
- ConflictsWith: []string{"aclid"},
- },
+ "acl_id": aclidSchema,
 "aclid": &schema.Schema{
 Type: schema.TypeString,
@@ -177,7 +191,7 @@ func resourceCloudStackNetworkCreate(d *schema.ResourceData, meta interface{}) e
 if !ok {
 aclid, ok = d.GetOk("acl")
 }
- if ok {
+ if ok && aclid != none {
 // Set the acl ID
 p.SetAclid(aclid.(string))
 }
@@ -232,11 +246,12 @@ func resourceCloudStackNetworkRead(d *schema.ResourceData, meta interface{}) err
 _, vpc := d.GetOk("vpc")
 if vpcID || vpc {
 d.Set("vpc_id", n.Vpcid)
- }
- _, aclID := d.GetOk("acl_id")
- _, acl := d.GetOk("aclid")
- if aclID || acl {
+ // Since we're in a VPC, also update the ACL ID. If we don't
+ // have an ACL ID make sure we set the default value instead.
+ if n.Aclid == "" {
+ n.Aclid = none
+ }
 d.Set("acl_id", n.Aclid)
 }
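Review bot: The StateFunc closure added at the top of resourceCloudStackNetwork() sets `aclidSchema.ForceNew = true` on the shared schema object and nothing ever resets it. Once any network has been evaluated with `acl_id` equal to `none` (now the default), later ACL changes in the same run would presumably all be treated as force-new, including the in-place swap between two real ACLs that this commit's documentation promises. At a minimum the flag should follow the value, `aclidSchema.ForceNew = value == none`, with a comment explaining why a state function is steering the diff. Even then the schema is written while other resources may be evaluated, which looks racy if the provider is invoked concurrently, so a decision that does not mutate the schema would be safer.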
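Review bot: With `Default: none` on `acl_id`, the first lookup (outside this hunk, presumably `d.GetOk("acl_id")`) will probably always report a value, so the `if !ok` fallback to the deprecated field in resourceCloudStackNetworkCreate can no longer run. The new `aclid != none` test then skips `p.SetAclid`, so a configuration that still uses the deprecated field would silently get a network created without the ACL it asked for. The fallback should also trigger on the sentinel, e.g. `if !ok || aclid == none {`. The Read hunk (`@@ -232,11 +246,12 @@`) has a related effect: it now always writes `n.Aclid` into `acl_id`, so for such a configuration the state holds the real ID while the config defaults to `none`, which the new StateFunc would likely turn into a replacement of the network. Both functions continue outside their hunks, so this needs checking against the full file.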
diff --git a/website/source/docs/providers/cloudstack/r/network.html.markdown b/website/source/docs/providers/cloudstack/r/network.html.markdown index 5d40a43cf..580deefbe 100644 --- a/website/source/docs/providers/cloudstack/r/network.html.markdown +++ b/website/source/docs/providers/cloudstack/r/network.html.markdown @@ -56,9 +56,12 @@ The following arguments are supported: * `vpc` - (Optional, Deprecated) The name or ID of the VPC to create this network for. Changing this forces a new resource to be created. -* `acl_id` - (Optional) The network ACL ID that should be attached to the network. +* `acl_id` - (Optional) The ACL ID that should be attached to the network or + `none` if you do not want to attach an ACL. You can dynamically attach and + swap ACL's, but if you want to detach an attached ACL and revert to using + `none`, this will force a new resource to be created. Defaults to `none`. -* `aclid` - (Optional, Deprecated) The ID of a network ACL that should be attached +* `aclid` - (Optional, Deprecated) The ID of a ACL that should be attached to the network. * `project` - (Optional) The name or ID of the project to deploy this