Verifying Turbo ACL
Monitoring and Maintaining Turbo ACL
Configuration Examples
Command Reference
access-list compiled
This feature module describes the Turbo Access Control Lists (Turbo ACL) feature. The Turbo ACL feature processes access lists more expediently, providing faster functionality for routers equipped with the feature. This feature module includes information on the benefits of the new feature, supported platforms, related documents, and so forth.
This document includes the following sections:
This feature enables Cisco 7200 and 7500 series routers, and Cisco 12000 series Gigabit Switch Routers to evaluate access control lists (ACLs) for more expedient packet classification and access checks.
Access control lists (ACLs) are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to take this factor into account. Because of the increasing needs and requirements for security filtering and packet classification, ACLs can expand to the point that searching the ACL adds a significant amount of time and memory when packets are being forwarded. Moreover, the time taken by the router to search the list is not always consistent, adding a variable latency to the packet forwarding. Searching an ACL with many entries also places a high load on the CPU.
The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The benefits of this feature include:
ACLs containing specialized processing characteristics such as evaluate and time-range entries are excluded from Turbo ACL acceleration.
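The compilation scheme described above (per-field lookup tables, a fixed number of lookups per packet, first-match order preserved) as an added Python model. This is illustrative code written for this page, not Cisco's implementation; it assumes a simplified ACE of source and destination address with a Cisco-style wildcard mask plus an optional IP protocol number, and compares the table lookup against a plain sequential scan.

```python
# Bit-vector ACL compilation: each per-byte table entry is a bitmap of the ACEs
# accepting that byte; a lookup ANDs a fixed number of entries, lowest bit wins.
import ipaddress

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def compile_acl(aces):
    # aces: (action, src, src_wild, dst, dst_wild, proto_or_None); Cisco wildcard
    # bit 1 = don't care. Tables 0-3: src bytes, 4-7: dst bytes, 8: protocol.
    tables = [[0] * 256 for _ in range(9)]
    for i, (_, src, sw, dst, dw, proto) in enumerate(aces):
        bit = 1 << i
        for off, addr, wild in ((0, _ip(src), _ip(sw)), (4, _ip(dst), _ip(dw))):
            for t in range(4):
                shift = 8 * (3 - t)
                care = ~(wild >> shift) & 0xFF          # bits this ACE tests
                want = (addr >> shift) & care
                for v in range(256):
                    if v & care == want:
                        tables[off + t][v] |= bit
        for v in range(256):
            if proto is None or v == proto:
                tables[8][v] |= bit
    return tables

def turbo_lookup(tables, aces, src, dst, proto):
    # Nine table reads whatever the ACL length; implicit deny if no bit survives.
    s, d, hit = _ip(src), _ip(dst), tables[8][proto]
    for t in range(4):
        shift = 8 * (3 - t)
        hit &= tables[t][(s >> shift) & 0xFF] & tables[4 + t][(d >> shift) & 0xFF]
    if hit == 0:
        return "deny", None
    first = (hit & -hit).bit_length() - 1               # first matching ACE
    return aces[first][0], first

def sequential_lookup(aces, src, dst, proto):  # reference O(n) first-match scan
    s, d = _ip(src), _ip(dst)
    for i, (action, rs, sw, rd, dw, rp) in enumerate(aces):
        sw, dw = _ip(sw), _ip(dw)
        if (s | sw, d | dw) == (_ip(rs) | sw, _ip(rd) | dw) and rp in (None, proto):
            return action, i
    return "deny", None

SAMPLE_ACL = [  # constructed sample ACL, not from the document; order matters
    ("deny",   "10.1.1.5", "0.0.0.0",         "0.0.0.0",     "255.255.255.255", None),
    ("permit", "10.1.1.0", "0.0.0.255",       "192.168.0.0", "0.0.255.255",     6),
    ("permit", "0.0.0.0",  "255.255.255.255", "192.168.0.0", "0.0.255.255",     1),
]
```

Both lookups return the same (action, ACE index) for every packet; only the cost model differs, which is the point of compiling the list.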
The Turbo ACL feature improves the performance of access lists. For information on access control lists, see the Access Control Lists: Overview and Guidelines document on CCO.
No new or modified MIBs are supported by this feature.
No new or modified RFCs are supported by this feature.
No new or modified standards are supported by this feature.
The Turbo ACL feature builds a set of lookup tables from the ACLs in the configuration; these tables increase the internal memory usage, and in the case of large and complex ACLs, tables containing 2 to 4 megabytes of memory are usually required. Routers enabled with the Turbo ACL feature should allow for this amount of memory usage. The show access-list compiled command displays the memory overhead of the Turbo ACL tables for each ACL.
See the following sections for configuration tasks for the Turbo Access Control Lists feature. Each task in the list indicates if the task is optional or required.
Use the show access-list compiled command to verify that the Turbo ACL feature has been successfully configured on your router. The command output contains the following states, which are defined below:
Below is sample output from the show access-list compiled command:
This section provides a Turbo ACL configuration example. The access-list compiled command output indicates that Turbo ACL is enabled:
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
The Turbo ACL feature has added or modified the following commands:
In Cisco IOS Release 12.0(1)T or later, you can search and filter the output for show and more commands. This functionality is useful when you need to sort through large amounts of output, or if you want to exclude output that you do not need to see.
To use this functionality, enter a show or more command followed by the "pipe" character (|), one of the keywords begin, include, or exclude, and an expression that you want to search or filter on:
command | {begin | include | exclude} regular-expression
Following is an example of the show atm vc command in which you want the command output to begin with the first line where the expression "PeakRate" appears:
For more information on the search and filter functionality, refer to the Cisco IOS Release 12.0(1)T feature module titled CLI String Search.
Use the access-list compiled command to enable the Turbo ACL feature. To disable the Turbo ACL feature, use the no form of this command.
This command has no arguments or keywords.
By default, the Turbo ACL feature is disabled. When Turbo ACL is disabled, the normal ACL processing is enabled, and no ACL acceleration occurs.
When the Turbo ACL feature is enabled using the access-list compiled command, the ACLs in the configuration are scanned and, if suitable, compiled for Turbo ACL acceleration. This scanning and compilation may take a few seconds when the system is processing large and complex ACLs, or when the system is processing a configuration that contains a large number of ACLs.
Any configuration change to an ACL that is being accelerated, such as the addition of new ACL entries or the deletion of the ACL, triggers a recompilation of that ACL.
When Turbo ACL tables are being built (or rebuilt) for a particular ACL, the normal sequential ACL search is used until the new tables are ready for installation.
The following example enables the Turbo ACL feature:
To display the contents of current access lists, use the show access-lists EXEC command.
show access-lists [access-list-number | name]
The show access-lists command has been enhanced: each access list it displays now indicates whether that access list is running as a compiled access list.
The show access-lists command is used to display the current ACLs operating in the router. Each access list is flagged using the Compiled indication if it is operating as an accelerated ACL.
The display also shows how many packets have been matched against each entry in the ACLs, enabling the user to monitor the particular packets that have been permitted or denied.
The following is sample output of the show access-lists command when Turbo ACL is configured on all of the following access lists.
To display a table showing Turbo ACLs, use the show access-list compiled command.
This command has no arguments or keywords.
This command is used to display the status and condition of the Turbo ACL tables associated with each ACL. The memory usage is displayed for each table; large and complex ACLs may require significant amounts of memory. If the memory usage is greater than the memory available, the user can disable the Turbo ACL feature so that memory exhaustion does not occur, but the ACLs are then no longer accelerated.
The following is a partial sample output of the show access-list compiled command:
ACL: Access control list. ACLs are individual filtering rules grouped together in a single list. They are generally used to provide security filtering, though they may be used to provide a generic packet classification facility.
ACE: Access control element. Each individual filtering rule that is part of an ACL is termed an ACE. A group of ACEs forms an access list.
QoS: Quality of service. Selected packet types are handled differently within the network to provide a differentiated level of reliability, cost, and so forth.
ToS: Type of service. A set of flags and values that are part of the IP packet header indicating various parameters related to handling the packet in the network.
Posted: Fri May 2 00:00:13 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.