Cisco Systems 78-11741-02 Enabling Turbo Access Control Lists

Configuring IP Services

Filtering IP Packets Using Access Lists

IPC-96

Cisco IOS IP Configuration Guide

Enabling Turbo Access Control Lists

The Turbo Access Control Lists (Turbo ACL) feature processes access lists more expediently than

conventional access lists. This feature enables Cisco 7200 and 7500 series routers, and Cisco 12000

series Gigabit Switch Routers, to evaluate ACLs for more expedient packet classification and access

checks.

ACLs are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to

take this factor into account. Because of the increasing needs and requirements for security filtering and

packet classification, ACLs can expand to the point that searching the ACL adds a substantial amount of

time and memory when packets are being forwarded. Moreover, the time taken by the router to search

the list is not always consistent, adding a variable latency to the packet forwarding. A high CPU load is

necessary for searching an access list with several entries.

The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match

requirements. Packet headers are used to access these tables in a small, fixed number of lookups,

independently of the existing number of ACL entries. The benefits of this feature include the following:

•For ACLs larger than three entries, the CPU load required to match the packet to the predetermined

packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the access list,

allowing for larger ACLs without incurring any CPU overhead penalties. The larger the access list,

the greater the benefit.

•The time taken to match the packet is fixed, so that latency of the packets is smaller (substantially

in the case of large access lists) and, more importantly, consistent, allowing better network stability

and more accurate transit times.

Note Access lists containing specialized processing characteristics such as evaluate and time-range entries

are excluded from Turbo ACL acceleration.

The Turbo ACL builds a set of lookup tables from the ACLs in the configuration; these tables increase

the internal memory usage, and in the case of large and complex ACLs, tables containing 2MB to 4 MB

of memory are usually required. Routers enabled with the Turbo ACL feature should allow for this

amount of memory usage. The show access-list compiled EXEC command displays the memory

overhead of the Turbo ACL tables for each access list.

To configure the Turbo ACL feature, perform the tasks described in the following sections. The task in

the first section is required; the task in the remaining section is optional:

•Configuring Turbo ACLs (Required)

•Verifying Turbo ACLs (Optional)

To enable the Turbo ACL feature, use the following command in global configuration mode:

Command Purpose

Router(config)# access-list compiled Enables the Turbo ACL feature.