Configure ACLs and Content Filters
Turbo ACLs

An ACL typically consists of multiple ACL entries, which the PIX Security Appliance organizes internally as a linked list. As the figure illustrates, when a packet is subjected to access list control, the PIX searches this linked list linearly to find a matching element. The matching element is then examined to determine whether the packet is to be transmitted or dropped. The disadvantage of this method is that, with a linear search, the average search time increases in proportion to the size of the ACL.

Turbo ACLs were created to improve the average search time for ACLs containing a large number of entries. They do this by causing the PIX Security Appliance to compile tables for ACLs, as shown in the figure. This feature can be enabled globally and then disabled for specific ACLs, or it can be enabled only for specific ACLs. For short ACLs, the Turbo ACL feature does not improve performance: a Turbo ACL search of an ACL of any length requires about the same amount of time as a regular search of an ACL consisting of approximately 12 to 18 entries. For this reason, even when enabled, the Turbo ACL feature is applied only to ACLs with 19 or more entries.
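To make the search cost concrete, here is an added Python model (not Cisco code, and a much simplified stand-in for the real compiled tables) that counts how many entries a lookup examines with and without the 19-entry Turbo threshold. The sample ACL built by `demo_acl`, the packet tuples and the (protocol, port) bucketing are my own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TURBO_MIN_ENTRIES = 19   # Turbo ACL is only applied to ACLs with 19 or more entries
@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip" (any protocol)
    dst: str             # destination network in CIDR form, e.g. "10.1.1.0/24"
    port: "int | None"   # destination port, None means any port

def matches(ace: Ace, pkt: tuple) -> bool:
    proto, dst, port = pkt
    return (ace.proto in ("ip", proto)
            and ip_address(dst) in ip_network(ace.dst)
            and ace.port in (None, port))

def linear_lookup(acl: list, pkt: tuple) -> tuple:
    """Walk the ACL top-down like the linked list; returns (action, entries examined)."""
    for examined, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace.action, examined
    return "deny", len(acl)   # implicit deny at the end of every ACL

def compile_acl(acl: list) -> dict:
    table: dict = {}   # toy stand-in for compiled tables: ACE positions bucketed by (proto, port)
    for pos, ace in enumerate(acl):
        table.setdefault((ace.proto, ace.port), []).append(pos)
    return table

def compiled_lookup(acl: list, table: dict, pkt: tuple) -> tuple:
    """Examine only the buckets that can match, in ACL order so first-match still wins."""
    proto, _, port = pkt
    keys = [(proto, port), (proto, None), ("ip", port), ("ip", None)]
    cands = sorted(p for k in keys for p in table.get(k, []))
    for examined, pos in enumerate(cands, 1):
        if matches(acl[pos], pkt):
            return acl[pos].action, examined
    return "deny", len(cands)

def lookup(acl: list, pkt: tuple, turbo_enabled: bool = False) -> tuple:
    """Model of 'access-list compiled': compile only when the ACL is long enough."""
    if turbo_enabled and len(acl) >= TURBO_MIN_ENTRIES:
        return compiled_lookup(acl, compile_acl(acl), pkt)  # the PIX builds tables once per ACL change
    return linear_lookup(acl, pkt)

def demo_acl(n: int) -> list:
    """Constructed sample ACL: n-1 web ACEs to distinct /24s, then one DNS ACE at the bottom."""
    return [Ace("permit", "tcp", f"10.1.{i}.0/24", 80) for i in range(n - 1)] + \
           [Ace("permit", "udp", "10.1.0.0/16", 53)]
```

With a 25-entry ACL, a DNS packet that matches only the last entry costs 25 comparisons linearly but 1 in the compiled model, while a 10-entry ACL stays on the linear path even with Turbo enabled.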

The Turbo ACL feature requires significant amounts of memory and is most appropriate for high-end PIX Security Appliance models, such as the PIX 525 or 535. The minimum memory required for Turbo ACL support is 2.1 MB, and approximately 1 MB of memory is required for every 2000 ACL elements. The actual amount of memory required depends not only on the number of ACL elements, but also on the complexity of the entries. Furthermore, when adding or deleting an element from a turbo-enabled ACL, the internal data tables associated with the ACL must be regenerated. This produces an appreciable load on the PIX CPU.

Turbo ACLs can be configured globally or on a per-ACL basis. Use the access-list compiled command to configure Turbo ACLs on all ACLs having 19 or more entries. This command causes the Turbo ACL process to scan through all existing ACLs. During the scan, it marks every ACL to be turbo-configured and compiles any ACL that has 19 or more access control entries and has not yet been compiled.

The Turbo ACL feature can be applied to individual ACLs with the access-list acl_ID compiled command. The no form of this command can be used to disable the Turbo ACL feature for specific ACLs after Turbo ACLs are globally configured.

The command no access-list compiled, which is the default, causes the PIX Security Appliance Turbo ACL process to scan through all compiled ACLs and mark each one as non-turbo. It also deletes all existing Turbo ACL structures.