Cisco Systems 78-11741-02 Enabling Turbo Access Control Lists, Configuring Turbo ACLs, IPC-96

Configuring IP Services

Filtering IP Packets Using Access Lists

Enabling Turbo Access Control Lists

The Turbo Access Control Lists (Turbo ACL) feature processes access lists more expediently than conventional access lists. This feature enables Cisco 7200 and 7500 series routers, and Cisco 12000 series Gigabit Switch Routers, to evaluate ACLs for more expedient packet classification and access checks.

ACLs are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to take this factor into account. Because of the increasing needs and requirements for security filtering and packet classification, ACLs can expand to the point that searching the ACL adds a substantial amount of time and memory when packets are being forwarded. Moreover, the time taken by the router to search the list is not always consistent, adding a variable latency to the packet forwarding. A high CPU load is necessary for searching an access list with several entries.

The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The benefits of this feature include the following:

•For ACLs larger than three entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the access list, allowing for larger ACLs without incurring any CPU overhead penalties. The larger the access list, the greater the benefit.

•The time taken to match the packet is fixed, so that latency of the packets is smaller (substantially in the case of large access lists) and, more importantly, consistent, allowing better network stability and more accurate transit times.

Note Access lists containing specialized processing characteristics such as evaluate and time-range entries are excluded from Turbo ACL acceleration.

The Turbo ACL builds a set of lookup tables from the ACLs in the configuration; these tables increase the internal memory usage, and in the case of large and complex ACLs, tables containing 2 MB to 4 MB of memory are usually required. Routers enabled with the Turbo ACL feature should allow for this amount of memory usage. The show access-list compiled EXEC command displays the memory overhead of the Turbo ACL tables for each access list.

To configure the Turbo ACL feature, perform the tasks described in the following sections. The task in the first section is required; the task in the remaining section is optional:

•Configuring Turbo ACLs (Required)

•Verifying Turbo ACLs (Optional)

Configuring Turbo ACLs

To enable the Turbo ACL feature, use the following command in global configuration mode:

Cisco IOS IP Configuration Guide

IPC-96