Turbo Access Control Lists
Feature History
This document describes the Turbo Access Control Lists (Turbo ACL) feature in Cisco IOS Release 12.0(6)S, 12.1(1)E, 12.1(5)T, 12.1(4)E and 12.2(14)S and includes the following sections:
• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Prerequisites
• Configuration Tasks
• Monitoring and Maintaining Turbo ACL
• Configuration Examples
• Command Reference
• Glossary
Feature Overview
The Turbo ACL feature enables Cisco networking devices to evaluate access control lists (ACLs) for more expedient packet classification and access checks.
Benefits
ACLs are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to take this into account. Because of the increasing needs and requirements for security filtering and packet classification, ACLs can grow to the point where searching the ACL adds a substantial amount of time and memory use while packets are being forwarded. Moreover, the time the router takes to search the list is not always consistent, adding a variable latency to packet forwarding. Searching an ACL with many entries also places a high load on the CPU.
The Turbo ACL feature compiles the ACLs into a set of lookup tables while preserving first-match semantics. Packet header fields are used to index these tables in a small, fixed number of lookups, independent of the number of ACL entries. The benefits of this feature include:
• For ACLs longer than three entries, the CPU load required to match a packet against the packet-matching rules is reduced. The CPU load is fixed regardless of the size of the ACL, allowing larger ACLs without incurring a CPU overhead penalty. The larger the ACL, the greater the benefit.
• The time taken to match a packet is fixed, so packet latency is smaller (substantially so for large ACLs) and, more importantly, consistent, allowing better network stability and more predictable transit times.
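The compile-to-lookup-tables idea described above, as an added Python illustration (not Cisco's implementation, whose table encoding this page does not document): an ordered ACL is turned into one table per header field, in the spirit of the Protocol, IP Source (MS)/(LS), IP Dest (MS)/(LS) and port blocks that show access-list compiled reports, and a packet is then classified with six lookups and one bitwise AND regardless of how many entries the ACL has. The sample ACL, the test packets, the prefix-only mask restriction and the reduced field set are assumptions made for this example.

```python
"""Toy field-decomposed ACL classifier (added illustration, not Cisco's code).
An ordered ACL is compiled into one lookup table per header field; each table
maps a field value to a bit vector of the ACEs that match it. Classifying a
packet is then a fixed number of lookups plus a bitwise AND, and the lowest
set bit is the first matching ACE, so first-match semantics are preserved."""
import bisect
import random
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: Optional[int]               # IP protocol number; None = any ("ip")
    src: IPv4Network                   # assumption: prefix-style masks only
    dst: IPv4Network
    dport: Optional[Tuple[int, int]]   # inclusive destination port range; None = any

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str                           # dotted-quad strings keep sample input readable
    dst: str
    dport: int = 0                     # 0 for protocols without ports

# Constructed sample ACL (a hypothetical "access-list 101"); no match = implicit deny.
ACL_101 = [
    Ace("permit", 6, IPv4Network("10.0.0.0/8"), IPv4Network("192.168.1.10/32"), (443, 443)),
    Ace("deny", 6, IPv4Network("10.0.0.0/8"), IPv4Network("192.168.1.0/24"), (1, 1023)),
    Ace("permit", 17, IPv4Network("0.0.0.0/0"), IPv4Network("192.168.1.53/32"), (53, 53)),
    Ace("deny", None, IPv4Network("10.1.2.0/24"), IPv4Network("0.0.0.0/0"), None),
    Ace("permit", None, IPv4Network("10.0.0.0/8"), IPv4Network("192.168.0.0/16"), None),
]

def sequential_match(acl, pkt):
    """Normal ACL processing: scan in order and return the index of the first match."""
    for i, ace in enumerate(acl):
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if IPv4Address(pkt.src) not in ace.src or IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and not ace.dport[0] <= pkt.dport <= ace.dport[1]:
            continue
        return i
    return None

class FieldTable:
    """One header field -> bit vector of matching ACEs. Values are cut into
    equivalence classes at every range boundary (the analogue of the Rows column
    in 'show access-list compiled'), so a lookup is a single bisect."""

    def __init__(self, ranges, maxval):
        pts = {0, maxval + 1}
        for lo, hi in ranges:
            pts.update((lo, hi + 1))
        self.starts = sorted(p for p in pts if p <= maxval)
        self.vectors = [sum(1 << i for i, (lo, hi) in enumerate(ranges) if lo <= a <= hi)
                        for a in self.starts]
        self.rows = len(self.starts)

    def lookup(self, value):
        return self.vectors[bisect.bisect_right(self.starts, value) - 1]

def _halves(net):
    """Split a prefix-masked network into (MS 16-bit range, LS 16-bit range)."""
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return (lo >> 16, hi >> 16), ((lo & 0xFFFF, hi & 0xFFFF) if net.prefixlen >= 16 else (0, 0xFFFF))

FIELDS = (  # name, max value, ACE -> inclusive range, packet -> field value
    ("Protocol", 255, lambda a: (a.proto, a.proto) if a.proto is not None else (0, 255), lambda p: p.proto),
    ("IP Source (MS)", 0xFFFF, lambda a: _halves(a.src)[0], lambda p: int(IPv4Address(p.src)) >> 16),
    ("IP Source (LS)", 0xFFFF, lambda a: _halves(a.src)[1], lambda p: int(IPv4Address(p.src)) & 0xFFFF),
    ("IP Dest (MS)", 0xFFFF, lambda a: _halves(a.dst)[0], lambda p: int(IPv4Address(p.dst)) >> 16),
    ("IP Dest (LS)", 0xFFFF, lambda a: _halves(a.dst)[1], lambda p: int(IPv4Address(p.dst)) & 0xFFFF),
    ("TCP/UDP Dest Port", 0xFFFF, lambda a: a.dport or (0, 0xFFFF), lambda p: p.dport),
)

class CompiledAcl:
    def __init__(self, acl):
        self.tables = {name: FieldTable([rng(a) for a in acl], mx) for name, mx, rng, _ in FIELDS}

    def match(self, pkt):
        """len(FIELDS) lookups and one AND, however many ACEs the ACL holds."""
        vec = -1                       # all bits set (Python ints are unbounded)
        for name, _, _, key in FIELDS:
            vec &= self.tables[name].lookup(key(pkt))
        return None if vec == 0 else (vec & -vec).bit_length() - 1

def equivalent_on_random_traffic(acl, n=3000, seed=7):
    """Cross-check compiled against sequential matching on constructed random packets."""
    rng, compiled = random.Random(seed), CompiledAcl(acl)
    pools = [IPv4Network(c) for c in ("10.0.0.0/8", "10.1.2.0/24", "192.168.1.0/24", "0.0.0.0/0")]
    rand_ip = lambda net: str(IPv4Address(rng.randint(int(net.network_address), int(net.broadcast_address))))
    for _ in range(n):
        pkt = Packet(rng.choice((1, 6, 17)), rand_ip(rng.choice(pools)), rand_ip(rng.choice(pools)),
                     rng.choice((22, 53, 80, 443, 1023, 1024, 8080, rng.randint(0, 65535))))
        if compiled.match(pkt) != sequential_match(acl, pkt):
            return False
    return True
```

Each table's rows attribute plays the role of the Rows column in the show output (the Protocol table for the sample ACL has five equivalence classes), and equivalent_on_random_traffic cross-checks the compiled result against the sequential search, which is the property Turbo ACL must preserve: the compiled form may only change how fast the first matching entry is found, never which entry it is.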
Restrictions
ACLs containing entries with specialized processing characteristics, such as evaluate (reflexive ACL) and time-range entries, are excluded from Turbo ACL acceleration. Such ACLs are reported as Unsuitable by the show access-list compiled command and continue to be searched sequentially.
Related Features and Technologies
The Turbo ACL feature improves the performance of access lists. For information on access control lists, see the Access Control Lists: Overview and Guidelines document on Cisco.com.
Supported Platforms
• Cisco 7100 series
• Cisco 7200 series
• Cisco 7500 series
• Cisco 12000 series
Note: Cisco 7100 series and Cisco 12000 series routers are not supported in Cisco IOS Release 12.2(14)S.
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
The Turbo ACL feature builds a set of lookup tables from the ACLs in the configuration. These tables increase internal memory usage; for large and complex ACLs, tables of 2 to 4 MB are typical. Routers on which the Turbo ACL feature is enabled should have this amount of memory to spare. The show access-list compiled command displays the memory overhead of the Turbo ACL tables for each ACL.
Configuration Tasks
See the following sections for configuration tasks for the Turbo Access Control Lists feature. Each task in the list is identified as either required or optional.
• Configuring Turbo ACL (required)
• Verifying Turbo ACL (optional)
Configuring Turbo ACL
To configure Turbo ACL, use the following commands:
Step 1: Router# configure terminal
Enters global configuration mode.
Step 2: Router(config)# access-list compiled
Enables the Turbo ACL feature.
Verifying Turbo ACL
Use the show access-list compiled command to verify that the Turbo ACL feature has been successfully configured on your router. The command output contains the following states, which are defined below:
• Operational: The access list has been compiled by Turbo ACL, and matching against this access list is performed through the Turbo ACL tables at high speed.
• Unsuitable: The access list is not suitable for compiling, perhaps because it has time-range enabled entries, evaluate references, or dynamic entries.
• Deleted: No entries are in this access list.
• Building: The access list is being compiled. Depending on the size and complexity of the list, and the load on the router, the building process may take a few seconds.
• Out of memory: The access list cannot be compiled because the router has exhausted its memory.
The following is sample output from the show access-lists compiled command:
Router# show access-lists compiled
Compiled ACL statistics:
12 ACLs loaded, 12 compiled tables
ACL  State        Tables  Entries  Config  Fragment  Redundant  Memory
1    Operational  1       2        1       0         0          1Kb
2    Operational  1       3        2       0         0          1Kb
3    Operational  1       4        3       0         0          1Kb
4    Operational  1       3        2       0         0          1Kb
5    Operational  1       5        4       0         0          1Kb
9    Operational  1       3        2       0         0          1Kb
20   Operational  1       9        8       0         0          1Kb
21   Operational  1       5        4       0         0          1Kb
101  Operational  1       15       9       7         2          1Kb
102  Operational  1       13       6       6         0          1Kb
120  Operational  1       2        1       0         0          1Kb
199  Operational  1       4        3       0         0          1Kb
First level lookup tables:
Block  Use                 Rows   Columns  Memory used
0      TOS/Protocol        6/16   12/16    66048
1      IP Source (MS)      10/16  12/16    66048
2      IP Source (LS)      27/32  12/16    132096
3      IP Dest (MS)        3/16   12/16    66048
4      IP Dest (LS)        9/16   12/16    66048
5      TCP/UDP Src Port    1/16   12/16    66048
6      TCP/UDP Dest Port   3/16   12/16    66048
7      TCP Flags/Fragment  3/16   12/16    66048
Monitoring and Maintaining Turbo ACL
Use the following commands in privileged EXEC mode as needed to monitor and maintain the Turbo ACL feature:
• show access-lists: Displays the contents of the current access lists; each list that is being accelerated is flagged (Compiled).
• show access-list compiled: Displays the state of the Turbo ACL tables for each ACL and the memory they use.
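A monitoring check over the two commands above, as an added Python example (not Cisco's code): it parses captured show access-list compiled and show access-lists text and reports the conditions a practitioner wants to alert on, namely ACLs whose state is anything other than Operational (those lists are still searched sequentially, so the latency and CPU guarantees described earlier do not hold for them), access lists that lack the (Compiled) flag, and the total memory consumed by the first-level lookup tables, to compare against the 2 to 4 MB guidance in the Prerequisites. The sample text is constructed from the page's own output; access list 150, its time-range entry named WORKHOURS and the way an Unsuitable row is printed are assumptions for the example.

```python
"""Audit Turbo ACL state from CLI output (added example, not Cisco's code).
Parses captured 'show access-list compiled' and 'show access-lists' text and
reports what a practitioner wants to catch: ACLs that are not Operational (and
are therefore still searched sequentially), access lists without the (Compiled)
flag, and the total memory used by the first-level lookup tables."""
import re

STATES = ("Operational", "Unsuitable", "Deleted", "Building", "Out of memory")
ACL_ROW = re.compile(r"^\s*(\d+)\s+(" + "|".join(STATES) + r")\b\s*(.*)$")
TABLE_ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s+(\d+)\s*$")
LIST_HDR = re.compile(r"^(Standard|Extended) IP access list (\S+)(\s+\(Compiled\))?\s*$")
COLS = ("tables", "entries", "config", "fragment", "redundant", "memory_kb")

def parse_compiled(text):
    """Return ({acl number: row dict}, [lookup-table row dicts]) for 'show access-list compiled'."""
    acls, tables, in_tables = {}, [], False
    for line in text.splitlines():
        if line.startswith("First level lookup tables"):
            in_tables = True
        elif in_tables:
            m = TABLE_ROW.match(line)
            if m:
                tables.append({"block": int(m.group(1)), "use": m.group(2),
                               "rows": (int(m.group(3)), int(m.group(4))),
                               "columns": (int(m.group(5)), int(m.group(6))),
                               "bytes": int(m.group(7))})
        else:
            m = ACL_ROW.match(line)
            if m:
                rec = {"acl": int(m.group(1)), "state": m.group(2)}
                nums = re.findall(r"\d+", m.group(3))   # Tables Entries Config Fragment Redundant Memory
                if len(nums) == len(COLS):
                    rec.update(zip(COLS, map(int, nums)))
                acls[rec["acl"]] = rec
    return acls, tables

def uncompiled_lists(text):
    """Access lists in 'show access-lists' output that lack the (Compiled) flag."""
    return [m.group(2) for m in map(LIST_HDR.match, text.splitlines()) if m and not m.group(3)]

def audit(compiled_text, access_lists_text):
    """Summarise the conditions worth alerting on."""
    acls, tables = parse_compiled(compiled_text)
    return {"acl_count": len(acls),
            "not_operational": sorted(n for n, r in acls.items() if r["state"] != "Operational"),
            "lookup_table_bytes": sum(t["bytes"] for t in tables),
            "uncompiled_lists": uncompiled_lists(access_lists_text)}

# Constructed sample: a subset of the page's sample output, plus ACL 150 as a
# hypothetical Unsuitable list (the exact columns IOS prints for such rows may differ).
SAMPLE_COMPILED = """Router# show access-list compiled
Compiled ACL statistics:
6 ACLs loaded, 5 compiled tables
ACL  State        Tables  Entries  Config  Fragment  Redundant  Memory
1    Operational  1       2        1       0         0          1Kb
2    Operational  1       3        2       0         0          1Kb
101  Operational  1       15       9       7         2          1Kb
102  Operational  1       13       6       6         0          1Kb
120  Operational  1       2        1       0         0          1Kb
150  Unsuitable
First level lookup tables:
Block  Use                 Rows   Columns  Memory used
0      TOS/Protocol        6/16   12/16    66048
1      IP Source (MS)      10/16  12/16    66048
2      IP Source (LS)      27/32  12/16    132096
3      IP Dest (MS)        3/16   12/16    66048
4      IP Dest (LS)        9/16   12/16    66048
5      TCP/UDP Src Port    1/16   12/16    66048
6      TCP/UDP Dest Port   3/16   12/16    66048
7      TCP Flags/Fragment  3/16   12/16    66048
"""

# Constructed: lists 1 and 2 from the page's sample; 150 is a hypothetical
# time-range list, which the page says cannot be compiled.
SAMPLE_LISTS = """Router# show access-lists
Standard IP access list 1 (Compiled)
    deny   any
Standard IP access list 2 (Compiled)
    deny   192.168.0.0, wildcard bits 0.0.0.255
    permit any
Extended IP access list 150
    permit tcp any any time-range WORKHOURS
"""
```

Run audit(SAMPLE_COMPILED, SAMPLE_LISTS) against output captured from a real router (for example over the same SSH session a configuration-compliance job already uses) and alert when not_operational or uncompiled_lists is non-empty, or when lookup_table_bytes approaches the memory headroom you have budgeted for the feature. A non-empty Building list transiently after an ACL change is expected; one that persists, or any Out of memory state, is not.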
Configuration Examples
This section provides a Turbo ACL configuration example. In the following partial running-configuration output, the access-list compiled line indicates that Turbo ACL is enabled:
Building configuration...
Current configuration:
!
version 12.0
...
interface Ethernet2/7
 no ip address
 ip access-group 20 out
 no ip directed-broadcast
 shutdown
!
no ip classless
ip route 192.168.0.0 255.255.255.0 10.1.1.1
!
access-list compiled
access-list 1 deny any
access-list 2 deny 192.168.0.0 0.0.0.255
access-list 2 permit any
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
access-list compiled
To enable the Turbo ACL feature, use the access-list compiled command in global configuration mode. To disable the Turbo ACL feature, use the no form of this command.
access-list compiled
no access-list compiled
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
By default, the Turbo ACL feature is disabled. When Turbo ACL is disabled, the normal Access Control List (ACL) processing is enabled, and no ACL acceleration occurs.
When the Turbo ACL feature is enabled using the access-list compiled command, the ACLs in the configuration are scanned and, if suitable, compiled for Turbo ACL acceleration. This scanning and compilation may take a few seconds when the system is processing large and complex ACLs, or when the system is processing a configuration that contains a large number of ACLs.
Any configuration change to an ACL that is being accelerated, such as the addition of new ACL entries or the deletion of the ACL, triggers a recompiling of that ACL.
When Turbo ACL tables are being built (or rebuilt) for a particular ACL, the normal sequential ACL search is used until the new tables are ready for installation.
Examples
The following example shows how to enable the Turbo ACL feature:
access-list compiled
show access-lists
To display the contents of current access lists, use the show access-lists command in privileged EXEC mode.
show access-lists [access-list-number | name]
Syntax Description
access-list-number
(Optional) Access list number to display. The range is from 0 to 1199. The system displays all access lists by default.
name
(Optional) Name of the IP access list to display.
Defaults
This command is not configured by default.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The show access-lists command displays the ACLs currently operating in the router. Each access list that is operating as an accelerated (compiled) ACL is flagged with the Compiled indication. The display also shows how many packets have matched each entry in the ACLs, enabling you to monitor which packets have been permitted or denied.
Examples
The following is sample output from the show access-lists command when Turbo ACL is configured on all of the following access lists:
Router# show access-lists
Standard IP access list 1 (Compiled)
    deny   any
Standard IP access list 2 (Compiled)
    deny   192.168.0.0, wildcard bits 0.0.0.255
    permit any
Standard IP access list 3 (Compiled)
    deny   0.0.0.0
    deny   192.168.0.1, wildcard bits 0.0.0.255
    permit any
Standard IP access list 4 (Compiled)
    permit 0.0.0.0
    permit 192.168.0.2, wildcard bits 0.0.0.255
Related Commands
show access-list compiled
To display a table showing Turbo Access Control Lists (ACLs), use the show access-list compiled command in privileged EXEC mode.
show access-list compiled
Syntax Description
This command has no arguments or keywords.
Defaults
This command is not configured by default.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays the status and condition of the Turbo ACL tables associated with each ACL. The memory usage is displayed for each table; large and complex ACLs may require substantial amounts of memory. If the memory required exceeds the memory available, you can disable the Turbo ACL feature so that memory exhaustion does not occur, but the ACLs are then no longer accelerated.
Examples
The following is a partial sample output from the show access-list compiled command:
Router# show access-list compiled
Compiled ACL statistics:
12 ACLs loaded, 12 compiled tables
ACL  State        Tables  Entries  Config  Fragment  Redundant  Memory
1    Operational  1       2        1       0         0          1Kb
2    Operational  1       3        2       0         0          1Kb
3    Operational  1       4        3       0         0          1Kb
4    Operational  1       3        2       0         0          1Kb
5    Operational  1       5        4       0         0          1Kb
9    Operational  1       3        2       0         0          1Kb
20   Operational  1       9        8       0         0          1Kb
21   Operational  1       5        4       0         0          1Kb
101  Operational  1       15       9       7         2          1Kb
102  Operational  1       13       6       6         0          1Kb
120  Operational  1       2        1       0         0          1Kb
199  Operational  1       4        3       0         0          1Kb
First level lookup tables:
Block  Use                 Rows   Columns  Memory used
0      TOS/Protocol        6/16   12/16    66048
1      IP Source (MS)      10/16  12/16    66048
2      IP Source (LS)      27/32  12/16    132096
3      IP Dest (MS)        3/16   12/16    66048
4      IP Dest (LS)        9/16   12/16    66048
5      TCP/UDP Src Port    1/16   12/16    66048
6      TCP/UDP Dest Port   3/16   12/16    66048
7      TCP Flags/Fragment  3/16   12/16    66048
Table 1 describes the significant fields shown in the display.
Related Commands
Glossary
ACL—access control list. ACLs are individual filtering rules grouped in a single list. They are generally used to provide security filtering, though they may be used to provide a generic packet classification facility.
ACE—access control element. Each individual filtering rule that is part of an ACL is termed an ACE. A group of ACEs forms an access list.
QoS—quality of service. Selected packet types are handled differently within the network to provide a differentiated level of reliability, cost, and so forth.
ToS—type of service. A set of flags and values that are part of the IP packet header indicating various parameters related to handling the packet in the network.
