Turbo ACLs


Software release 6.2 introduced a new feature called turbo ACLs. Turbo ACLs decrease the time it takes to scan through large access lists. Large access lists take longer to process because every entry might need to be scanned for a possible match. The longer it takes to scan the access list, the slower your traffic will be.

Turbo ACLs create a compiled index against large access lists that contain 19 or more entries. This index is similar to a database index or an index in a book. The PIX scans the index for a match instead of the list itself. This reduces the time it takes to search for possible matches in an ACL, making your throughput faster.

Some of the requirements for turbo ACLs are as follows:

  • Software release 6.2 and above

  • Minimum of 2.1MB of available flash

  • A PIX firewall that has 16MB or more flash memory

  • Access lists with 19 or more entries

Turbo ACLs speed things up but are very memory intensive, requiring 2.1MB of free memory. Therefore, smaller PIX firewalls such as the 501 cannot use turbo ACLs because they don't have enough free memory in flash.


Turbo ACLs are simple to create and work on all models of the PIX except the 501. The 501 does not support turbo ACLs; turbo ACLs are typically not used on smaller firewall models because they use too much memory.


The turbo ACL command is access-list compiled, and the following is an example of compiling all your access lists:

 Pixfirewall(config)# access-list compiled 

You can also be selective on which access lists you compile by placing the name of the ACL in the command, as shown here:

 Pixfirewall(config)# access-list Let-Peter-In compiled 

To view turbo ACLs, you use the show access-list command; to delete a compiled access list, you use the no access-list compiled command.


Turbo ACLs work best on access lists with 19 or more entries. If a list has fewer than 19 entries, you really don't get any speed increase by reading the index instead of the list itself.
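
An added example, not from the book: a Python check that reads the access-list lines of a saved PIX configuration and reports which ACLs reach the 19-entry threshold but are not yet compiled. The sample configuration is constructed, the function and field names are hypothetical, and the count covers configured permit/deny lines only (it does not expand object groups).

```python
TURBO_MIN_ENTRIES = 19  # threshold stated in the text above

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = "\n".join(
    [f"access-list Let-Peter-In permit tcp any host 192.0.2.{i} eq www"
     for i in range(1, 21)]
    + ["access-list dmz-in permit tcp any host 192.0.2.50 eq smtp",
       "access-list dmz-in deny ip any any",
       "access-list dmz-in compiled"]
)


def audit_turbo_acls(config_text, threshold=TURBO_MIN_ENTRIES):
    """Count entries per ACL and flag lists worth compiling (hypothetical helper)."""
    counts = {}            # ACL name -> number of permit/deny lines
    compiled = set()       # ACLs compiled selectively by name
    global_compiled = False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "access-list":
            continue
        if tokens[1:] == ["compiled"]:
            global_compiled = True           # "access-list compiled"
        elif len(tokens) == 3 and tokens[2] == "compiled":
            compiled.add(tokens[1])          # "access-list <name> compiled"
        elif len(tokens) > 3 and tokens[2] in ("permit", "deny"):
            counts[tokens[1]] = counts.get(tokens[1], 0) + 1

    report = {}
    for name, entries in counts.items():
        is_compiled = global_compiled or name in compiled
        suggest = note = None
        if entries >= threshold and not is_compiled:
            suggest = f"access-list {name} compiled"
        elif entries < threshold and name in compiled:
            note = f"fewer than {threshold} entries: no speed gain from the index"
        report[name] = {"entries": entries, "compiled": is_compiled,
                        "suggest": suggest, "note": note}
    return report


if __name__ == "__main__":
    for acl, info in audit_turbo_acls(SAMPLE_CONFIG).items():
        print(acl, info)
```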




CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
