TurboACLs


TurboACLs are a new feature in PIX firewall software version 6.2. The general principle behind TurboACLs is that a long or complex access list is compiled, or indexed, to enable faster processing of traffic through the access list.

TurboACLs do not speed up short access lists; in fact, even if configured, the PIX will not enable this feature on an access list unless it is over 18 lines. With longer access lists, the TurboACL feature creates something similar to an index in a book that enables the PIX to read through and process the long access list at a fast rate.

The index created by a TurboACL takes up a fair amount of resources. For this reason, Cisco recommends that TurboACLs should not be configured on anything lower than a 525 series firewall. To enable the TurboACL feature on all access lists of the PIX, use the access-list compiled command, as shown:

PIX1(config)# access-list compiled 

To verify that the TurboACLs are indeed turned on, issue a show access-list command:

PIX1(config)# show access-list
access-list compiled
access-list inside_public turbo-configured; 3 elements
access-list inside_public permit ip 10.1.1.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.2.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.3.0 255.255.255.0 any (hitcnt=0)

If you choose not to enable them at a global level, TurboACLs can be turned on and off for individual access lists. This feature can be very useful if you only have a few access lists that need to be optimized. To configure a single access list to use the TurboACL feature, the syntax is:

access-list <acl-name> compiled 

If a PIX has more than one access list and only the access list applied to the outside interface needs to use the TurboACL feature, the commands to turn off all TurboACLs except the one on the outside interface are:

PIX1(config)# no access-list compiled
PIX1(config)# access-list outside_in compiled
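The following audit script is an added example, not code from the book or from Cisco. It reads PIX configuration text, counts the entries in each access list, and reports which lists are turbo-configured and which are long enough (over 18 lines, as stated above) for the PIX to actually compile them. The function name, the report fields and the 20-entry outside_in list are assumptions made for illustration.

```python
import re

TURBO_MIN_ENTRIES = 19  # per the text: not enabled unless the list is over 18 lines


def audit_turbo_acls(config_text):
    """Map each ACL name to its entry count and TurboACL status."""
    global_on = False
    named_on = set()
    counts = {}
    for raw in config_text.splitlines():
        # Strip a CLI prompt such as "PIX1(config)# " if the line carries one.
        tokens = re.sub(r"^\S+\(config\)#\s*", "", raw.strip()).split()
        if tokens == ["access-list", "compiled"]:
            global_on = True
        elif tokens == ["no", "access-list", "compiled"]:
            # Assumption taken from the command sequence in the text:
            # the global "no" form turns off every TurboACL.
            global_on = False
            named_on.clear()
        elif len(tokens) == 3 and tokens[0] == "access-list" and tokens[2] == "compiled":
            named_on.add(tokens[1])
        elif len(tokens) > 3 and tokens[0] == "access-list" and tokens[2] in ("permit", "deny"):
            counts[tokens[1]] = counts.get(tokens[1], 0) + 1
    report = {}
    for name in sorted(set(counts) | named_on):
        configured = global_on or name in named_on
        entries = counts.get(name, 0)
        report[name] = {
            "entries": entries,
            "configured": configured,
            "active": configured and entries >= TURBO_MIN_ENTRIES,
        }
    return report


# Constructed sample: the 3-entry inside_public list from the text plus a
# made-up 20-entry outside_in list, with only outside_in compiled.
SAMPLE = "\n".join(
    ["access-list inside_public permit ip 10.1.%d.0 255.255.255.0 any" % i for i in (1, 2, 3)]
    + ["access-list outside_in permit tcp any host 192.0.2.%d eq 80" % i for i in range(1, 21)]
    + ["PIX1(config)# no access-list compiled", "PIX1(config)# access-list outside_in compiled"]
)

if __name__ == "__main__":
    for name, row in audit_turbo_acls(SAMPLE).items():
        print(name, row)
```

A list reported as configured but not active is one where the compiled keyword is present but the list is too short for the PIX to index it.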




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240