An ACL typically consists of multiple ACL entries, which are organized internally by the PIX Security Appliance as a linked list. As Figure illustrates, when a packet is subjected to access list control, the PIX searches this linked list in a linear way to find a matching element. The matching element is then examined to determine if the packet is to be transmitted or dropped. The disadvantage of this method is that with a linear search, the average search time increases proportionally to the size of the ACL.
Turbo ACLs were created to improve the average search time for ACLs containing a large number of entries. They do this by causing the PIX Security Appliance to compile tables for ACLs, as shown in Figure. This feature can be enabled globally and then disabled for specific ACLs. It can also be enabled only for specific ACLs. For short ACLs, the Turbo ACL feature does not improve performance. A Turbo ACL search of an ACL of any length requires about the same amount of time as a regular search of an ACL consisting of approximately 12 to 18 entries. For this reason, even when enabled, the Turbo ACL feature is only applied to ACLs with 19 or more entries.
The Turbo ACL feature requires significant amounts of memory and is most appropriate for high-end PIX Security Appliance models, such as the PIX 525 or 535. The minimum memory required for Turbo ACL support is 2.1 MB, and approximately 1 MB of memory is required for every 2000 ACL elements. The actual amount of memory required depends not only on the number of ACL elements, but also on the complexity of the entries. Furthermore, when adding or deleting an element from a turbo-enabled ACL, the internal data tables associated with the ACL must be regenerated. This produces an appreciable load on the PIX CPU.
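The following Python model is an added example, not Cisco code, and does not reproduce the appliance's actual table layout. It contrasts the ordered first-match linear search with a "compiled" lookup that pre-sorts entries into buckets, enforces the 19-entry threshold, and shows why the table must be rebuilt when the ACL changes. The ACL, packet format and bucket key (protocol, destination port) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

TURBO_MIN_ENTRIES = 19  # the feature is only applied to ACLs with 19+ entries

@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str              # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: "int | None"     # None = any port (always None for "ip")

def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in ace.src
            and ip_address(pkt["dst"]) in ace.dst
            and ace.dport in (None, pkt["dport"]))

def linear_search(acl, pkt):
    """Regular ACL: walk the list in order, first match decides.
    Returns (permit, entries_examined); no match is an implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace.permit, n
    return False, len(acl)

def compile_acl(acl):
    """Turbo ACL model: bucket ACEs by (proto, dport) ahead of time.
    The table must be rebuilt whenever an ACE is added or deleted."""
    if len(acl) < TURBO_MIN_ENTRIES:
        return None  # short ACL: compiling would not help
    table = {}
    for idx, ace in enumerate(acl):
        table.setdefault((ace.proto, ace.dport), []).append((idx, ace))
    return table

def turbo_search(table, pkt):
    """Scan only the buckets that can match, in original ACL order."""
    keys = ((pkt["proto"], pkt["dport"]), (pkt["proto"], None), ("ip", None))
    cands = sorted((c for k in keys for c in table.get(k, [])), key=lambda c: c[0])
    for n, (_, ace) in enumerate(cands, 1):
        if ace_matches(ace, pkt):
            return ace.permit, n
    return False, len(cands)

# Constructed 20-entry ACL: 18 narrow tcp permits, a udp deny, then an https permit.
ANY, LAN = ip_network("0.0.0.0/0"), ip_network("192.168.1.0/24")
ACL = [Ace(True, "tcp", ip_network("10.0.0.0/8"), LAN, 1000 + i) for i in range(18)]
ACL += [Ace(False, "udp", ANY, LAN, 53), Ace(True, "tcp", ANY, ip_network("192.168.1.10/32"), 443)]
TABLE = compile_acl(ACL)
```

Both searches return the same permit/deny decision for every packet; only the number of entries examined differs, which is the whole point of compiling.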
Turbo ACLs can be configured globally or on a per-ACL basis. Use the access-list compiled command to configure Turbo ACLs on all ACLs having 19 or more entries. This command causes the Turbo ACL process to scan through all existing ACLs. During the scan, it marks every ACL to be turbo-configured, and compiles any ACL that has 19 or more access control entries and has not yet been compiled.
The Turbo ACL feature can be applied to individual ACLs with the access-list acl_ID compiled command. The no form of this command can be used to disable the Turbo ACL feature for specific ACLs after Turbo ACLs are globally configured.
The command no access-list compiled, which is the default, causes the PIX Security Appliance Turbo ACL process to scan through all compiled ACLs and mark each one as non-turbo. It also deletes all existing Turbo ACL structures.