TurboACL
Traditional ACLs are composed of a series of permit or deny
statements, each with one or more test criteria, such as source and destination
addresses and possibly protocols. These statements are processed sequentially
from top to bottom, in the order of creation. Logically, the longer the
list of statements and the more elements that must be matched, the longer it can
take to process. When an ACL is processed by the device, each line
must be handled by a command interpreter that converts the text into computer
code.
Long ago, programmers learned that text instructions can be
compiled by a computer one time to put the same information in a form that can
be processed much more quickly. The real benefit to compiling is when the same
instructions are used frequently. The PIX Firewall version 6.2 introduced TurboACL, which compiles ACLs into a set of binary lookup
tables, while maintaining first-match requirements. Because compiling only makes
significant improvements on larger ACLs, TurboACL only works on ACLs with 19 or
more statements and supports access lists with up to 16,000 statements.
The TurboACL feature requires significant memory resources,
including a minimum of 2.1MB, plus approximately 1MB of memory for every 2,000
ACL statements. Because the feature also requires a minimum of 16MB of Flash on top of
these memory requirements, it is designed for the high-end PIX Firewall models, such
as the PIX 525 or the PIX 535.
Global Compiling
TurboACL can either be configured globally, in which case it
tags all ACLs with 19 elements or more for compiling, or it can be configured on
a per ACL basis. Use the following syntax to configure the feature globally. Use
the no form of the command to turn off the feature.
Pix(config)# access-list compiled
Pix(config)# no access-list compiled    (the default status)
Individual ACL Compiling
Use the following command syntax to enable compiling of an
individual ACL when TurboACL isn't globally enabled or, if it is globally configured,
to exclude an individual ACL from compiling.
Pix(config)# access-list [acl_id] compiled
Pix(config)# no access-list [acl_id] compiled
The following output shows enabling global TurboACL, and then
turning the feature off specifically for ACL 105. Any ACL with fewer than 19
elements would also not be compiled.
Pix(config)# access-list compiled
Pix(config)# no access-list 105 compiled
Pix(config)# access-list 101 permit icmp any any echo-reply
Pix(config)# access-list 101 permit icmp any any time-exceeded
Pix(config)# access-list 101 permit icmp any any unreachable
Pix(config)# access-list 101 permit tcp any host 1.1.1.3 eq www
Pix(config)# access-list 101 permit tcp any host 1.1.1.4 eq ftp
Pix(config)# access-list 101 permit tcp any host 1.1.1.5 eq smtp
Pix(config)# access-group 101 in interface outside
(additional lines omitted)
Verifying and Monitoring TurboACL
The standard show access-list command
displays the memory use of each compiled ACL and the shared memory use for all
the turbo-compiled ACLs. The command shows the number of ACEs, the individual
ACEs, and activity. The hit count (hitcnt=) is the same information as the
“matches” displayed for regular ACLs. The debug access-list
turbo command allows real-time monitoring.
Pix# show access-list
TurboACL statistics:
ACL                   State       Memory (KB)
--------------------- ----------- ----------
test1_acl             Operational 5
test2_acl             Operational 2
Shared memory usage: 2046 KB
access-list compiled
access-list test1_acl turbo-configured; 19 elements
access-list test1_acl permit tcp any host 10.1.2.3 (hitcnt=19)
access-list test1_acl permit tcp any host 10.1.2.4 (hitcnt=7)
access-list test1_acl permit tcp any host 10.1.2.5 (hitcnt=0)
access-list test1_acl permit tcp any host 10.1.1.1 eq telnet (hitcnt=8)
access-list test1_acl permit udp any host 10.1.2.3 (hitcnt=4)
(additional lines omitted)
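As an added example, not from the book or from Cisco, the following Python parser reads show access-list output in the layout shown above and reports two things an administrator would want to check: ACLs with 19 or more elements that are not turbo-compiled, and ACEs whose hitcnt is 0. The sample output is constructed, and the plain "access-list acl_id; N elements" header it assumes for a non-compiled ACL is an assumption.

```python
import re

# Constructed sample in the layout of the page's "show access-list" output; hit counts,
# the ACL 105 listing and the plain "access-list X; N elements" header are assumptions.
SAMPLE = """\
TurboACL statistics:
ACL                   State        Memory (KB)
--------------------- ----------- ----------
test1_acl             Operational  5
Shared memory usage: 2046 KB
access-list compiled
access-list test1_acl turbo-configured; 19 elements
access-list test1_acl permit tcp any host 10.1.2.3 (hitcnt=19)
access-list test1_acl permit tcp any host 10.1.2.5 (hitcnt=0)
access-list 105; 20 elements
access-list 105 permit tcp any host 1.1.1.3 eq www (hitcnt=3)
access-list 105 deny ip any any (hitcnt=0)
"""

TURBO_MIN_ELEMENTS = 19  # the page's threshold for compiling an ACL
STAT_RE = re.compile(r"^(\S+)\s+Operational\s+(\d+)$")
HDR_RE = re.compile(r"^access-list (\S+)( turbo-configured)?; (\d+) elements$")
ACE_RE = re.compile(r"^access-list (\S+) (.+) \(hitcnt=(\d+)\)$")

def _acl(acls, name):
    return acls.setdefault(name, {"turbo": False, "elements": 0, "memory_kb": None, "aces": []})

def parse_show_access_list(text):
    """Return (global_compiled, {acl_id: {turbo, elements, memory_kb, aces}})."""
    acls, global_compiled = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "access-list compiled":
            global_compiled = True
        elif m := STAT_RE.match(line):       # row of the TurboACL statistics table
            _acl(acls, m.group(1))["memory_kb"] = int(m.group(2))
        elif m := HDR_RE.match(line):        # per-ACL header carrying the element count
            _acl(acls, m.group(1)).update(turbo=bool(m.group(2)), elements=int(m.group(3)))
        elif m := ACE_RE.match(line):        # one ACE with its hit counter
            _acl(acls, m.group(1))["aces"].append((m.group(2), int(m.group(3))))
    return global_compiled, acls

def audit(acls):
    """Findings worth reviewing: large ACLs left uncompiled, and ACEs that never matched."""
    findings = []
    for name, acl in acls.items():
        if acl["elements"] >= TURBO_MIN_ELEMENTS and not acl["turbo"]:
            findings.append(f"{name}: {acl['elements']} elements but not turbo-compiled")
        findings += [f"{name}: never matched: {rule}" for rule, hits in acl["aces"] if hits == 0]
    return findings
```

In the sample, ACL 105 is reported because it has 20 elements but was excluded with no access-list 105 compiled, matching the configuration example earlier on the page.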