Optimizing the rules in a rule set – H3C Technologies H3C Intelligent Management Center User Manual


Optimizing the rules in a rule set

ACLs can have a profound effect on the performance of networks. ACL Management automatically evaluates the effectiveness of rules and their effect on overall network performance as you add rules to a rule set, but you can also initiate an analysis of a rule set and optimize its effect on network performance using the Optimize feature.

There are essentially two causes for performance degradation related to ACLs. First, every packet that arrives at an interface is matched against all the ACL rules until a match is found. The more rules there are, the longer it takes to process every packet. Second, all rules are matched in a certain order, and more rules mean more time spent processing the matching requirements of every rule, which in turn means more time processing every packet.

ACL Management's rule optimization algorithms address both causes of performance degradation for ACLs that use Config as the Match Order: the sorting rules remove unnecessary rules and determine the applicable rules, which reduces the effect of ACLs and improves the overall performance of the device. In addition, ACL Management provides suggestions for efficient ACL implementation and simplified configurations based on the configured rules and the relations between them.
ACL Management optimizes the rules in the following ways:

• Removing coverable rules: If the coverage of a rule includes the coverage of another rule, the former overwrites the latter. The default rule is Permit All.

• Removing duplicate rules: If several rules perform the same function, the rule set is reduced to one rule that performs the same function.

• Merging rules with mask-identified address segments: If several rules have the same parameter values (including the address mask) with the exception of the IP or MAC address range, these rules are merged using appropriate mask settings.

• Merging rules with duplicate port assignments: If several rules have the same parameter values with the exception of the port, the rules are merged using appropriate port range settings.

• Removing redundant rules: If the coverage of a rule is included in the coverage of a preceding rule, the former rule is removed.

• Reordering the rule set: ACL Management reorders rule sets by placing the most commonly matched rules first.
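The removal and merge steps listed above can be sketched as follows. This is an added example, not IMC's own algorithm or code: the Rule model (action, source segment, port range), all function names and the sample rule set are assumptions made for illustration, and merging is restricted to consecutive rules so that first-match results cannot change.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src lo hi")  # src: ip_network; lo..hi: inclusive ports

def rule(action, cidr, lo, hi):
    return Rule(action, ipaddress.ip_network(cidr), lo, hi)

def covers(a, b):
    # True if every packet matched by b is also matched by a
    return b.src.subnet_of(a.src) and a.lo <= b.lo and b.hi <= a.hi

def drop_unreachable(rules):
    # Duplicates and rules covered by a preceding rule can never be the first match
    kept = []
    for r in rules:
        if not any(covers(p, r) for p in kept):
            kept.append(r)
    return kept

def merge_adjacent(rules):
    # Merge consecutive same-action rules differing only in ports or only in address
    out = []
    for r in rules:
        p = out[-1] if out else None
        same = p is not None and p.action == r.action
        nets = list(ipaddress.collapse_addresses([p.src, r.src])) if same else []
        if same and p.src == r.src and r.lo <= p.hi + 1 and p.lo <= r.hi + 1:
            out[-1] = p._replace(lo=min(p.lo, r.lo), hi=max(p.hi, r.hi))
        elif same and (p.lo, p.hi) == (r.lo, r.hi) and len(nets) == 1:
            out[-1] = p._replace(src=nets[0])    # both segments fit one mask
        else:
            out.append(r)
    return out

def decide(rules, ip, port, default="permit"):
    # First-match evaluation in configured order; unmatched traffic is permitted
    addr = ipaddress.ip_address(ip)
    hit = next((r for r in rules if addr in r.src and r.lo <= port <= r.hi), None)
    return hit.action if hit else default

SAMPLE = [  # constructed rule set, not taken from the manual
    rule("deny",   "10.0.0.0/25",   22, 22),
    rule("deny",   "10.0.0.128/25", 22, 22),  # merges with the rule above (/24)
    rule("permit", "10.0.0.0/8",    80, 80),
    rule("permit", "10.0.0.0/8",    81, 90),  # merges into ports 80-90
    rule("permit", "10.0.0.0/8",    80, 80),  # duplicate
    rule("deny",   "10.1.1.0/24",   80, 80),  # covered by the earlier permit
]
print(*merge_adjacent(drop_unreachable(SAMPLE)), sep="\n")
```

Reordering by match frequency is left out of this sketch: in a first-match list, moving a rule past an overlapping rule with a different action changes the decision for the overlapping traffic. Comparing `decide()` on the original and optimized lists for representative packets is a quick equivalence check before deploying a reduced rule set.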

In addition to optimizing rule sets, ACL Management also notifies you of rules that may jeopardize device-to-IMC connections.

To optimize a rule set:

1. Navigate to ACL Resource:

   a. Click the Service tab from the tabular navigation system on the top.

   b. Click the ACL Management section of the navigation tree on the left.

   c. Click the ACL Resource link located under ACL Management on the navigation tree on the left.

   The ACL Resource list displays in the main pane of the ACL Resource page.

2. Click the ACL Identifier of the ACL for which you want to optimize a rule set.

   ACL Management can optimize rule sets for ACLs that use Config as the Match order. Rule sets that use the Match order Auto cannot be optimized.

   In addition, rule sets that use Services to define the port assignments for a rule cannot be optimized.

   The Rule Set List for the selected ACL displays in the main pane of the ACL Resource > <ACL Resource Name (ACL Identifier)> page.

3. Click the icon in the Modify field associated with the rule set you want to optimize.
