Optimize Rules

Optimize Rules

The ACL implementation on a device interface might degrade the traffic performance of the device for the following reasons:

• Each packet arriving at the interface is matched against all the ACL rules until a match is found.
• All the rules are matched in a certain order. A larger number of rules may lead to more matching attempts and therefore a longer time.

Rule optimization improves both of the above processes. Sorting rules reasonably and removing unnecessary ones to improve the traffic performance of the device. ACL Management can provide suggestions on improving ACL implementation efficiency and simplify configurations according to the configured rules.

ACL Management provides the following optimization functions:

• Removing coverable rules: If the coverage of a rule includes that of another rule, the former rule overwrites the latter one. The default rule is permit all.
• Removing duplicated rules: If some rules are the same, only one is left.
• Merging rules with mask-identified address segments: If some rules have the same parameter values (including the address mask) except the address segment, they are merged through proper mask settings.
• Merging rules with coverable port ranges: If some rules have the same parameter values except the port number, they are merged through proper port range settings.
• Removing redundant rules: If the coverage of a rule is included in that of a preceding rule, this rule is removed.
• Putting the most frequently matched rules first: Sort the rules by matching frequency.

In addition, ACL Management prompts you for the rules that may jeopardize the device-the system connections. You can decide whether to remove the rules. However, such notices are not recorded by system.

Precautions

• When configuring an ACL rule set, click Optimize in the Configure Rule page. After confirmation, ACL Management saves the rule configuration.
• You can optimize only the rule sets whose match order is Config.
• The rules used by a service cannot be optimized.
• The rules that contains dynamic parameters cannot be optimized.