Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Efficient use of ACE???

  • 1.  Efficient use of ACE???

    Posted May 06, 2014 06:09 AM

    If I run "show acl acl-table", I get the following:

    Total ACE entries in use = 7261
    Total free ACE entries = 419
    Free ACE entries at the bottom = 415
    Next ACE entry to use = 7265 (table 0)
    Ace entries reused 4 times
    ACL count 225, tunnel acl 0

    The concerning bit is the number of entries re-used; we are obviously not making efficient use of our ACE allocation.

    Typically I would create a server group with 2 hosts.

    I would then define the services and create the access list.

    I would then apply that access list to the user roles (usually 4 roles, sometimes 6).

    We currently have 189 policies. I am going through them now for a spring clean, but most of them are still valid.

    Is there a more efficient way to do this so I can increase my "ACE entries reused" count?


  • 2.  RE: Efficient use of ACE???

    EMPLOYEE
    Posted May 06, 2014 06:21 AM

    I want to say that only you can answer that question.  If you NEED all of those ACLs, you need them.  The best way you can reduce the usage is to make the usage more efficient.  If you do not need all of them, or if they are currently duplicating an existing function, you can reduce the ones you do not need.



  • 3.  RE: Efficient use of ACE???

    Posted May 06, 2014 08:15 AM

    Is it more efficient to add an ACL with 2 hosts in a group and apply that ACL to 4 roles, and then repeat for other servers, or is it better to create a group, add servers to it and then apply it to the relevant roles?

    Initially I'm thinking I could have a group for server access-staff and then server access-students, and add servers to the groups as needed. It isn't failsafe, as there would still be servers that both groups need access to, but would that be more efficient and use fewer ACEs?

    Does a server host object use 1 ACE if applied to 4 roles, or does it use 4?


  • 4.  RE: Efficient use of ACE???

    Posted May 08, 2014 09:42 AM

    Are there any useful commands to check where I'm using my ACEs? Looking through the GUI, I'm surprised that we are using 7043 ACEs, so are there any CLI commands I can run to get a better idea of where we can be more efficient?

    As you can see from the first post I have had a clear out, but we are still sailing close to the wind...

    Total ACE entries in use = 7043
    Total free ACE entries = 637
    Free ACE entries at the bottom = 38
    Next ACE entry to use = 7642 (table 1)
    Ace entries reused 115 times
    ACL count 204, tunnel acl 0
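
    As an added example (not from this thread and not HPE Aruba code), the script below parses the six-line summary block of "show acl acl-table" as posted above and turns it into the numbers a practitioner would actually watch: table capacity, utilization, and how much of the free space is the contiguous block at the bottom versus free entries scattered higher up. The two posted snapshots are used as constructed sample input; between them total free entries rose from 419 to 637 while contiguous free entries at the bottom fell from 415 to 38, which a single "free" counter would hide. It assumes the summary lines keep the exact wording shown in the thread, that table capacity is "in use" plus "free" (7680 in both snapshots), and the warning thresholds are this example's own choice, not vendor guidance.

```python
"""Parse the summary block of ArubaOS `show acl acl-table` and flag ACE exhaustion.

Added example; not from the thread or from HPE Aruba. Assumes the six summary
lines keep the exact wording shown in the thread and that table capacity is
entries in use plus free entries (7680 for both snapshots posted there).
"""
import re
from dataclasses import dataclass, asdict

# Constructed sample input: the two summaries posted in the thread above.
SNAPSHOT_BEFORE = """\
Total ACE entries in use = 7261
Total free ACE entries = 419
Free ACE entries at the bottom = 415
Next ACE entry to use = 7265 (table 0)
Ace entries reused 4 times
ACL count 225, tunnel acl 0
"""

SNAPSHOT_AFTER = """\
Total ACE entries in use = 7043
Total free ACE entries = 637
Free ACE entries at the bottom = 38
Next ACE entry to use = 7642 (table 1)
Ace entries reused 115 times
ACL count 204, tunnel acl 0
"""

# One regex per counter, anchored to the wording seen in the thread (assumption).
_FIELDS = {
    "in_use": re.compile(r"Total ACE entries in use\s*=\s*(\d+)"),
    "free": re.compile(r"Total free ACE entries\s*=\s*(\d+)"),
    "free_bottom": re.compile(r"Free ACE entries at the bottom\s*=\s*(\d+)"),
    "next_entry": re.compile(r"Next ACE entry to use\s*=\s*(\d+)"),
    "table": re.compile(r"Next ACE entry to use\s*=\s*\d+\s*\(table\s+(\d+)\)"),
    "reused": re.compile(r"Ace entries reused\s+(\d+)\s+times", re.IGNORECASE),
    "acl_count": re.compile(r"ACL count\s+(\d+)"),
    "tunnel_acl": re.compile(r"tunnel acl\s+(\d+)", re.IGNORECASE),
}


@dataclass(frozen=True)
class AceSummary:
    in_use: int
    free: int
    free_bottom: int
    next_entry: int
    table: int
    reused: int
    acl_count: int
    tunnel_acl: int

    @property
    def capacity(self) -> int:
        """Assumed table size: entries in use plus free entries."""
        return self.in_use + self.free

    @property
    def utilization(self) -> float:
        return self.in_use / self.capacity

    @property
    def scattered_free(self) -> int:
        """Free entries that are not part of the contiguous block at the bottom."""
        return self.free - self.free_bottom


def parse_ace_summary(text: str) -> AceSummary:
    """Extract the summary counters; raise if any expected line is missing."""
    values = {}
    for name, pattern in _FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"summary line for {name!r} not found")
        values[name] = int(match.group(1))
    return AceSummary(**values)


def compare(before: AceSummary, after: AceSummary) -> dict:
    """Per-counter delta (after minus before) between two snapshots."""
    b, a = asdict(before), asdict(after)
    return {k: a[k] - b[k] for k in b}


def assess(summary: AceSummary, min_free_bottom: int = 64, max_utilization: float = 0.95) -> list:
    """Warnings a monitoring check would raise for one snapshot.

    Both thresholds are this example's own choice, not Aruba guidance.
    """
    warnings = []
    if summary.utilization > max_utilization:
        warnings.append(
            f"ACE table {summary.utilization:.1%} full ({summary.in_use}/{summary.capacity})"
        )
    if summary.free_bottom < min_free_bottom:
        warnings.append(
            f"only {summary.free_bottom} contiguous free entries at the bottom; "
            f"{summary.scattered_free} free entries are scattered above"
        )
    return warnings


if __name__ == "__main__":
    before = parse_ace_summary(SNAPSHOT_BEFORE)
    after = parse_ace_summary(SNAPSHOT_AFTER)
    print("capacity:", before.capacity, "->", after.capacity)
    print("delta:", compare(before, after))
    for snap in (before, after):
        for warning in assess(snap) or ["ok"]:
            print(f"table {snap.table}: {warning}")
```

    Feed it the summary block captured from the CLI (or from a periodic "show acl acl-table" poll) and alert on the returned warnings; the contiguous-free counter is the one to trend, since that is the space a newly programmed ACL can land in without depending on the reuse of a hole of exactly the right size.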



  • 5.  RE: Efficient use of ACE???

    EMPLOYEE
    Posted May 08, 2014 09:48 AM

    I don't know what version of ArubaOS you are using, but on 6.3.1.6 the output of "show acl acl-table" shows me the summary in addition to what roles those ACLs are used in.


  • 6.  RE: Efficient use of ACE???

    Posted May 08, 2014 10:22 AM

    6.3.1.5

    I have been looking at the "show acl acl-table" command; I am cross-referencing it with the output of "show run" as well.

    "show datapath dpe acl" doesn't work on my AOS version.


  • 7.  RE: Efficient use of ACE???

    EMPLOYEE
    Posted May 08, 2014 10:41 AM

    mmacleod,

    If you are using Airwave to manage your config on your controller, it provides an easy way to see what ACLs and policies are applied to what roles.

    [attached screenshot: policies.png]



  • 8.  RE: Efficient use of ACE???

    Posted May 08, 2014 12:00 PM

    Ha Ha, Airwave is but a distant dream for us my friend :-)



  • 9.  RE: Efficient use of ACE???

    EMPLOYEE
    Posted May 08, 2014 12:02 PM

    You can request a 90-day evaluation and you should be able to clean up your configs with that. I am sure it would not take 90 days for you to do that.


  • 10.  RE: Efficient use of ACE???

    EMPLOYEE
    Posted May 08, 2014 10:12 AM
    "show datapath dpe acl" will show you the expanded ACL with netdests.