Configuring IP Services

Filtering IP Packets Using Access Lists

Verifying Turbo ACLs

Use the show access-lists compiled EXEC command to verify that the Turbo ACL feature has been successfully configured on your router. This command also displays the memory overhead of the Turbo ACL tables for each access list. The command output reports one of the following states for each access list:

Operational—The access list has been compiled by Turbo ACL, and matching to this access list is performed through the Turbo ACL tables at high speed.

Unsuitable—The access list is not suitable for compiling, perhaps because it has time-range enabled entries, evaluate entries (references to reflexive access lists), or dynamic entries. Such a list is still applied, but it is matched sequentially rather than through the Turbo ACL tables.

Deleted—No entries are in this access list.

Building—The access list is being compiled. Depending on the size and complexity of the list, and the load on the router, the building process may take a few seconds.

Out of memory—An access list cannot be compiled because the router has exhausted its memory.

The following is sample output from the show access-lists compiled EXEC command:

Router# show access-lists compiled
Compiled ACL statistics:
12 ACLs loaded, 12 compiled tables
 ACL      State      Tables  Entries  Config  Fragment  Redundant  Memory
   1   Operational        1        2       1         0          0     1Kb
   2   Operational        1        3       2         0          0     1Kb
   3   Operational        1        4       3         0          0     1Kb
   4   Operational        1        3       2         0          0     1Kb
   5   Operational        1        5       4         0          0     1Kb
   9   Operational        1        3       2         0          0     1Kb
  20   Operational        1        9       8         0          0     1Kb
  21   Operational        1        5       4         0          0     1Kb
 101   Operational        1       15       9         7          2     1Kb
 102   Operational        1       13       6         6          0     1Kb
 120   Operational        1        2       1         0          0     1Kb
 199   Operational        1        4       3         0          0     1Kb
First level lookup tables:
Block   Use                       Rows   Columns   Memory used
  0     TOS/Protocol              6/16    12/16    66048
  1     IP Source (MS)           10/16    12/16    66048
  2     IP Source (LS)           27/32    12/16    132096
  3     IP Dest (MS)              3/16    12/16    66048
  4     IP Dest (LS)              9/16    12/16    66048
  5     TCP/UDP Src Port          1/16    12/16    66048
  6     TCP/UDP Dest Port         3/16    12/16    66048
  7     TCP Flags/Fragment        3/16    12/16    66048

Applying Time Ranges to Access Lists

You can implement access lists based on the time of day and week using the time-range global configuration command. To do so, first define the name and the times of the day and week of the time range, then reference the time range by name in an access list to apply the restrictions to that access list.

Currently, IP and Internetwork Packet Exchange (IPX) named or numbered extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. The time-range keyword is referenced in the named and numbered extended access list task tables in the previous sections “Creating Standard and Extended Access Lists Using Numbers” and “Creating Standard and Extended Access Lists Using Names.” The
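The following Python model is added here as an example and is not part of the guide or of Cisco IOS. It parses a constructed time-range stanza in IOS syntax (a periodic weekday window and an absolute calendar window) and walks a constructed extended access list 101 (a deny of web traffic gated by that time range, followed by permit ip any any) to show which entries are in effect at a given moment. The evaluation rules it encodes are this example's reading of IOS behaviour: a time range is active when the absolute window contains the current time and at least one periodic window matches, and an entry whose time range is inactive is skipped as if it were not configured. Treating the boundary minutes as inclusive is an assumption of the model.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed IOS configuration: a named time range that covers business
# hours on weekdays during calendar year 2002.
TIME_RANGE_CONFIG = """\
time-range business-hours
 periodic weekdays 8:00 to 18:00
 absolute start 00:00 1 January 2002 end 23:59 31 December 2002
"""

# Constructed extended ACL 101 in configuration order, as entered with
# `access-list 101 deny tcp any any eq www time-range business-hours`
# followed by `access-list 101 permit ip any any`.
# Fields: action, protocol, destination port (None = any), time-range
# name (None = always in effect).
ACL_101: List[Tuple[str, str, Optional[int], Optional[str]]] = [
    ("deny", "tcp", 80, "business-hours"),
    ("permit", "ip", None, None),
]

# datetime.weekday(): Monday is 0, Sunday is 6.
DAY_GROUPS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}
ABS_FMT = "%H:%M %d %B %Y"   # IOS absolute syntax: hh:mm day month year


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_time_ranges(text: str) -> Dict[str, dict]:
    """Parse `time-range` stanzas.  Only the same-day periodic form
    (`periodic <days> hh:mm to hh:mm`) and an absolute line with both
    start and end are modelled; IOS also accepts spans across midnight
    and start-only or end-only absolutes."""
    ranges: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("time-range "):
            current = ranges.setdefault(
                line.split()[1], {"periodic": [], "absolute": None})
        elif line.startswith("periodic ") and current is not None:
            m = re.fullmatch(r"periodic (\S+) (\d{1,2}:\d{2}) to (\d{1,2}:\d{2})", line)
            current["periodic"].append(
                (DAY_GROUPS[m.group(1)], _minutes(m.group(2)), _minutes(m.group(3))))
        elif line.startswith("absolute ") and current is not None:
            m = re.fullmatch(
                r"absolute start (\S+ \d+ \w+ \d{4}) end (\S+ \d+ \w+ \d{4})", line)
            current["absolute"] = (datetime.strptime(m.group(1), ABS_FMT),
                                   datetime.strptime(m.group(2), ABS_FMT))
        elif line and not raw.startswith(" "):
            current = None   # left the time-range stanza
    return ranges


def time_range_active(tr: dict, now: datetime) -> bool:
    """Active when `now` lies inside the single absolute window (if one
    is configured) AND at least one periodic window matches (if any are
    configured).  Boundary minutes are treated as inclusive here; that
    is an assumption of this model."""
    absolute = tr["absolute"]
    if absolute is not None and not (absolute[0] <= now <= absolute[1]):
        return False
    if not tr["periodic"]:
        return True
    minute = now.hour * 60 + now.minute
    return any(now.weekday() in days and start <= minute <= end
               for days, start, end in tr["periodic"])


def acl_decision(aces, ranges: Dict[str, dict], proto: str,
                 dport: Optional[int], now: datetime) -> str:
    """Walk the ACL in order.  An entry whose time range is inactive is
    skipped as if it were not configured; the implicit deny at the end
    of every access list still applies."""
    for action, ace_proto, ace_port, tr_name in aces:
        if tr_name is not None and not time_range_active(ranges[tr_name], now):
            continue
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    ranges = parse_time_ranges(TIME_RANGE_CONFIG)
    for when in (datetime(2002, 3, 6, 10, 30), datetime(2002, 3, 9, 10, 30)):
        print(when.strftime("%A %H:%M"), "web ->",
              acl_decision(ACL_101, ranges, "tcp", 80, when))
```

Two practical consequences follow from the rules above. First, once the absolute window has passed, every entry gated by the time range silently drops out of the list, so a time-limited deny must not be relied on as the only control after its end date. Second, as the Unsuitable state in the previous section shows, a list with time-range enabled entries is not compiled by Turbo ACL, so gating an entry with a time range also gives up high-speed matching for that whole list.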

Cisco IOS IP Configuration Guide (78-11741-02)
IPC-97