Occasional Contributor II
Posts: 20
Registered: ‎10-07-2011

Efficient use of ACE???

Total ACE entries in use = 7261
Total free ACE entries = 419
Free ACE entries at the bottom = 415
Next ACE entry to use = 7265 (table 0)
Ace entries reused 4 times
ACL count 225, tunnel acl 0

The concerning bit is the number of entries re-used; we are obviously not making efficient use of our ACE allocation.

Typically I would create a server group with 2 hosts.

I would then define the services and create the access list.

I then would apply that access list to the user roles (usually 4 roles, sometimes 6).

We currently have 189 policies. I'm going through them now for a spring clean, but most of them are still valid.

Is there a more efficient way to do this so I can increase my ACE entries re-used count?

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Efficient use of ACE???

I want to say that only you can answer that question.  If you NEED all of those ACLs, you need them.  The best way you can reduce the usage is to make the usage more efficient.  If you do not need all of them, or if they are currently duplicating an existing function, you can reduce the ones you do not need.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 20
Registered: ‎10-07-2011

Re: Efficient use of ACE???

Is it more efficient to add an ACL with 2 hosts in a group and apply that ACL to 4 roles and then repeat for other servers or is it better to create a group and add servers to it and then apply it to the relevant roles?

Initially I'm thinking I could have a group for server access-staff and then server access-students and add servers to the groups as needed. It isn't a failsafe, as there would still be servers that both groups need access to, but would that be more efficient and use fewer ACEs?

Does a server host object use 1 ACE if applied to 4 roles, or does it use 4?

Occasional Contributor II
Posts: 20
Registered: ‎10-07-2011

Re: Efficient use of ACE???

Are there any useful commands to check to see where I'm using my ACEs? Looking through the GUI, I'm surprised that we are using 7043 ACEs, so are there any CLI commands I can run to get a better idea of where we can be more efficient?

As you can see from the first post I have had a clear out, but we are still sailing close to the wind...

Total ACE entries in use = 7043
Total free ACE entries = 637
Free ACE entries at the bottom = 38
Next ACE entry to use = 7642 (table 1)
Ace entries reused 115 times
ACL count 204, tunnel acl 0
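The two summaries quoted in this thread are easy to misread: "Total free ACE entries" is not the same as the headroom you can actually allocate into. The following added example (not from the original posts or from Aruba) parses the "show acl acl-table" summary format shown above and derives utilization and headroom figures; the reading of "free at the bottom" as the contiguous free region and the warning thresholds are assumptions, not documented ArubaOS behaviour.

```python
import re

# Constructed sample input: the two "show acl acl-table" summaries quoted in this thread.
SUMMARY_BEFORE = """Total ACE entries in use = 7261
Total free ACE entries = 419
Free ACE entries at the bottom = 415
Next ACE entry to use = 7265 (table 0)
Ace entries reused 4 times
ACL count 225, tunnel acl 0"""

SUMMARY_AFTER = """Total ACE entries in use = 7043
Total free ACE entries = 637
Free ACE entries at the bottom = 38
Next ACE entry to use = 7642 (table 1)
Ace entries reused 115 times
ACL count 204, tunnel acl 0"""

# One regex per counter; group 1 is the integer value.
FIELDS = {
    "in_use": r"Total ACE entries in use\s*=\s*(\d+)",
    "free": r"Total free ACE entries\s*=\s*(\d+)",
    "free_bottom": r"Free ACE entries at the bottom\s*=\s*(\d+)",
    "next_entry": r"Next ACE entry to use\s*=\s*(\d+)",
    "reused": r"Ace entries reused\s+(\d+)\s+times",
    "acl_count": r"ACL count\s+(\d+)",
}

def parse_acl_table(text):
    """Parse the summary block into ints; fail loudly on a missing counter."""
    stats = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.IGNORECASE)
        if m is None:
            raise ValueError(f"counter not found in output: {key}")
        stats[key] = int(m.group(1))
    stats["capacity"] = stats["in_use"] + stats["free"]  # table size = used + free
    return stats

def assess(stats, warn_pct=90.0, min_contiguous=64):
    """Derive utilization and headroom; thresholds are assumed, tune per deployment."""
    util_pct = round(100.0 * stats["in_use"] / stats["capacity"], 1)
    # Assumed reading: free entries not "at the bottom" are scattered holes that
    # only a reuse can fill, so contiguous headroom is the bottom count alone.
    scattered = stats["free"] - stats["free_bottom"]
    return {
        "utilization_pct": util_pct,
        "scattered_free": scattered,
        "contiguous_free": stats["free_bottom"],
        "low_headroom": util_pct >= warn_pct or stats["free_bottom"] < min_contiguous,
    }
```

Run against the two snapshots, the second shows the table at the same 7680-entry capacity with lower utilization but only 38 contiguous free entries, which is why the clean-up did not buy much room.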

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Efficient use of ACE???

I don't know what version of ArubaOS you are using, but the output of "show acl acl-table" shows me the summary in addition to what roles those ACLs are used in, on 6.3.1.6.

Colin Joseph
Aruba Customer Engineering

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Efficient use of ACE???

show datapath dpe acl will show you the expanded ACL with netdests.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor II
Posts: 20
Registered: ‎10-07-2011

Re: Efficient use of ACE???

6.3.1.5

I have been looking at the show acl acl-table command; I'm cross-referencing it with the output of a show run as well.

show datapath dpe acl doesn't work on my AOS version.

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Efficient use of ACE???

mmacleod,

If you are using Airwave to manage your config on your controller, it provides an easy way to see what ACLs and policies are applied to what roles.

[Attachment: policies.png]

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 20
Registered: ‎10-07-2011

Re: Efficient use of ACE???

Ha Ha, Airwave is but a distant dream for us my friend :-)

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Efficient use of ACE???

You can request a 90-day evaluation and you should be able to clean up your configs with that.  I am sure it would not take 90 days for you to do that.

Colin Joseph
Aruba Customer Engineering
