These topics describe how you can optimize your ACLs for better performance:
When an ACL is applied to one or more interfaces of a network device, traffic performance through the device can be degraded: each packet is compared against the ACEs in order until one matches, so the cost of the ACL grows with the number of ACEs it contains and with how far down the list the frequently matched ACEs sit.
To safeguard against these problems, the ACL Optimizer minimizes the number of ACEs that must be compared, and the ACL Hits Optimizer arranges the ACEs so that the most frequently matched conditions are examined first.
The goal of the ACL Optimizer is to minimize the number of ACEs in an ACL. It accomplishes this by merging ACEs that can be expressed as a single entry with a wildcard mask or a port range, and by removing ACEs that duplicate, or are already covered by, another ACE. The tables below illustrate each case. Each table shows only the first ACE of the original set; in every case the optimized ACE matches exactly the same traffic as the full set of original ACEs it replaces.

Merging host entries that together fill a subnet into one wildcard-masked entry:

| Original ACEs | Optimized ACEs |
|---|---|
| permit ip from host 205.178.18.5 | permit ip from 205.178.18.0/0.0.0.255 |

Merging a mask-aligned block of consecutive hosts (205.178.18.8 through 205.178.18.15) into one wildcard-masked entry:

| Original ACEs | Optimized ACEs |
|---|---|
| permit ip from host 205.178.18.8 | permit ip from 205.178.18.8/0.0.0.7 |

Merging adjacent port ranges into one range:

| Original ACEs | Optimized ACEs |
|---|---|
| permit tcp gt 25 from host 205.178.18.5 | permit tcp between 0 and 65535 from 205.178.18.5 |

Removing ACEs whose traffic is already covered by a broader ACE with the same action:

| Original ACEs | Optimized ACEs |
|---|---|
| permit ip from any | permit ip from any |

Removing duplicate ACEs:

| Original ACEs | Optimized ACEs |
|---|---|
| permit ip from host 205.178.18.5 | permit ip from host 205.178.18.5 |
The goal of the ACL Hits Optimizer is to place the most frequently "hit" ACEs ahead of the less frequently "hit" ACEs. A "hit" occurs when an ACE statement matches a network packet; IOS keeps a per-ACE count of how many times each statement has been hit (the match counts shown by show access-lists), and those counts reflect only the traffic seen since the counters were last reset. ACL Manager reorders the ACEs accordingly, as follows:

| Original ACEs (# Hits) | Optimized ACEs |
|---|---|
| permit ip from host 205.178.18.5 (300) | deny ip from host 205.178.18.100 |

Here the deny ACE for host 205.178.18.100, hit more often than the permit for host 205.178.18.5, is moved ahead of it; the two ACEs match different hosts, so the new order does not change which packets are permitted.
Reordering ACEs is performed only if the new order does not change the ACL semantics. For example, ACL Manager would not reorder ACEs in the following manner:

| Original ACEs (# Hits) | Incorrectly Reordered ACEs |
|---|---|
| deny ip from host 205.178.18.5 (300) | permit ip from 205.178.18.0/0.0.0.255 |

ACL Manager would not perform this reorder because IOS applies the first ACE that matches a packet: with the subnet permit placed first, packets from host 205.178.18.5 would match it and be permitted, changing the ACL semantics, which were to deny packets from host 205.178.18.5 and allow them from the rest of the subnet. In general, an ACE can be moved ahead of another only if the two match no packet in common or have the same action.
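The two optimizations described above, as an added Python model written for this page; it is not ACL Manager's code, whose algorithm the page does not publish. The model restricts itself to source-address ACEs in the notation the tables use ("permit ip from host ...", "... from any", "... from A.B.C.D/W.X.Y.Z"), with no protocol or port matching; the wildcard-bit arithmetic, the one-bit merge rule, the subsumption rule and the neighbour-swap rule are the example's own assumptions about what an optimizer must check to keep the semantics unchanged. The sample ACLs in the `__main__` block are constructed from the page's examples.

```python
"""Toy model of the ACL Optimizer and ACL Hits Optimizer for a simplified ACL
(source-address ACEs only). Added example, not ACL Manager code."""
import ipaddress
import re
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    net: int       # source address, with wildcard bits cleared
    wild: int      # wildcard mask: a 1 bit means "don't care"
    hits: int = 0  # match count, as IOS would report it

    def __str__(self):
        if self.wild == MASK32:
            src = "any"
        elif self.wild == 0:
            src = f"host {ipaddress.IPv4Address(self.net)}"
        else:
            src = f"{ipaddress.IPv4Address(self.net)}/{ipaddress.IPv4Address(self.wild)}"
        return f"{self.action} ip from {src}"


ACE_RE = re.compile(r"(permit|deny) ip from (host (\S+)|any|(\S+)/(\S+))(?: \((\d+)\))?$")


def parse_ace(text):
    """Parse one ACE in the page's notation, with an optional trailing '(hits)'."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable ACE: {text!r}")
    action, _, host, net, wild, hits = m.groups()
    if host:
        net_i, wild_i = int(ipaddress.IPv4Address(host)), 0
    elif net:
        net_i, wild_i = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))
    else:
        net_i, wild_i = 0, MASK32
    return Ace(action, net_i & ~wild_i & MASK32, wild_i, int(hits or 0))


def overlaps(a, b):
    """Some address matches both ACEs: every bit that is fixed in both must agree."""
    return ((a.net ^ b.net) & ~(a.wild | b.wild) & MASK32) == 0


def covers(a, b):
    """Every address matched by b is also matched by a."""
    return (a.wild | b.wild) == a.wild and ((a.net ^ b.net) & ~a.wild & MASK32) == 0


def conflicts(a, b):
    """Moving one of these two ACEs past the other would change what some packet gets."""
    return a.action != b.action and overlaps(a, b)


def _safe_to_pull_forward(acl, i, j):
    """ACE j may take effect at position i only if no opposite-action ACE between i and j overlaps it."""
    return not any(conflicts(acl[k], acl[j]) for k in range(i + 1, j))


def optimize(acl):
    """ACL Optimizer: drop shadowed, duplicate and subsumed ACEs; merge pairs into one wildcard ACE."""
    acl = list(acl)
    changed = True
    while changed:
        changed = False
        for i in range(len(acl)):
            for j in range(i + 1, len(acl)):
                a, b = acl[i], acl[j]
                if covers(a, b):                     # b can never match: a catches its packets first
                    del acl[j]
                    changed = True
                elif a.action == b.action and _safe_to_pull_forward(acl, i, j):
                    diff = a.net ^ b.net
                    if covers(b, a):                 # a is subsumed by the broader, same-action b
                        acl[i], changed = b, True
                        del acl[j]
                    elif a.wild == b.wild and diff and (diff & (diff - 1)) == 0:
                        # same mask, addresses differ in exactly one bit: fold into one entry
                        acl[i] = Ace(a.action, a.net & ~diff, a.wild | diff, a.hits + b.hits)
                        del acl[j]
                        changed = True
                if changed:
                    break
            if changed:
                break                                # list changed: rescan from the top
    return acl


def hits_optimize(acl):
    """ACL Hits Optimizer: move frequently hit ACEs forward one neighbour at a time,
    and only past a neighbour they do not conflict with, so the ACL semantics are unchanged."""
    acl = list(acl)
    for j in range(1, len(acl)):
        i = j
        while i > 0 and acl[i - 1].hits < acl[i].hits and not conflicts(acl[i - 1], acl[i]):
            acl[i - 1], acl[i] = acl[i], acl[i - 1]
            i -= 1
    return acl


if __name__ == "__main__":
    # Constructed sample ACLs built from the page's examples.
    block = [parse_ace(f"permit ip from host 205.178.18.{n}") for n in range(8, 16)]
    print([str(a) for a in optimize(block)])        # one entry: 205.178.18.8/0.0.0.7
    ordered = hits_optimize([parse_ace("deny ip from host 205.178.18.5 (300)"),
                             parse_ace("permit ip from 205.178.18.0/0.0.0.255 (1000)")])
    print([str(a) for a in ordered])                # unchanged: the swap would change semantics
```

`optimize()` folds an ACE into an earlier one only when no opposite-action ACE between them overlaps it, and `hits_optimize()` moves an ACE forward only past neighbours it does not conflict with; both therefore reproduce the refusal illustrated above, where the deny for host 205.178.18.5 stays ahead of the subnet permit no matter how the hit counts compare.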
Use the ACL Optimizer to minimize the number of ACEs in an ACL and improve router performance.
Step 1 From the ACL Manager main window, select the ACL to optimize. In Figure 9-1, ACL 7 is selected.
Step 2 Select Optimizer from the ACL pop-up window. The Optimizer completes optimization and a high-level report is displayed (see Figure 9-3).
Step 3 Click Details to view more information (see Figure 9-3).
Step 4 If you are satisfied with the optimization, click Done to return to the previous display.
Step 5 Click Apply to apply the optimization.
Use the ACL Hits Optimizer to place the most frequently "hit" ACEs ahead of the less frequently "hit" ACEs, improving network traffic throughput.
When you create a new ACL, or change an existing one, and start collecting hit counts, reset the hit counters to zero first, so that the Hits Optimizer orders the ACEs on counts collected against the current ACL rather than on counts accumulated earlier.
Step 1 From the ACL Manager main window, select the ACL to optimize. In Figure 9-4, ACL 100 is selected.
Step 2 Right-click and select Hits Optimizer. The Hits Optimizer completes optimization and a high-level report is displayed (see Figure 9-5).
Step 3 Click Details to view more information (see Figure 9-6).
Step 4 If you are satisfied with the optimization, click Done to return to the previous display.
Step 5 Click Apply to apply the optimization.
You can reset the hit counters to zero from Essentials.
Step 1 From Essentials, select Administration > ACL Management > Reset Hit Counter (see Figure 9-7).
Step 2 Select All Devices, then select those devices for which you want the hit counter reset to zero.
Step 3 Click Finish.
Posted: Fri Sep 29 08:26:08 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.