Cisco Support Community

New Member

Turbo (compiled) access lists

hi all,

Can anyone tell me how compiled access lists make the decision on how they segment the access lists into the first level lookup tables?

I am not looking for a PhD thesis on how it works but a general overview of how it decides and tabulates.

regards

Scott


Accepted Solutions

Re: Turbo (compiled) access lists

Scott,

OK, definitely a 10,000 foot view here as reading the spec made my brain hurt ;)

Essentially, what we do with Turbo ACLs is we take the internal set of access-lists and build a set of data tables. Each ACE in the ACL gets an "index" value assigned to it. This index value is computed based on an algorithm that looks at the source IP, dest IP, protocol, L4 port, etc... When a packet comes into a PIX that has turbo ACLs configured, this same "indexing" occurs and a value is determined. We then use that value that is computed for the new packet and compare it to the values assigned to the individual ACEs in the data tables to find the ACE that the new packet would match and then process the packet accordingly.

This lookup process has been shown to be MUCH faster than the standard linear lookup used with a linked list ACL (normal).

Anyway, that is more or less the crux of it. Hope this helps shed some light.

Scott
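
To make the table idea in the answer above concrete, here is an added example that is not part of the original thread and is not Cisco's Turbo ACL algorithm: a generic bit-vector classifier that compiles an ACL into one lookup table per field and returns the same first-match verdict as a top-down scan. The sample ACL, the function names and the table layout are all assumptions made for illustration.

```python
import bisect
import ipaddress
# Constructed sample ACL. ACE = (action, proto, src net, dst net, dst port); None = any.
ACL = [
    ("deny",   6,    "10.1.1.0/24", "0.0.0.0/0",     23),
    ("permit", 6,    "10.1.0.0/16", "192.0.2.10/32", 443),
    ("permit", 17,   "0.0.0.0/0",   "192.0.2.53/32", 53),
    ("deny",   None, "10.0.0.0/8",  "0.0.0.0/0",     None),
    ("permit", 6,    "0.0.0.0/0",   "192.0.2.0/24",  80),
]

def ranges(ace):
    """One inclusive (low, high) range per field: proto, src, dst, port."""
    def net(cidr):
        n = ipaddress.ip_network(cidr)
        return int(n.network_address), int(n.broadcast_address)
    _, proto, src, dst, port = ace
    return [(0, 255) if proto is None else (proto, proto), net(src), net(dst),
            (0, 65535) if port is None else (port, port)]

def key(proto, src, dst, port):
    return [proto, int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), port]

def compile_acl(acl):
    """Per field: sorted interval starts plus, per interval, a bitmask of ACEs."""
    tables = []
    for col in zip(*(ranges(a) for a in acl)):  # col = this field's range in every ACE
        # Every range start and end+1 is a boundary, so the set of matching
        # ACEs is constant inside each interval between two boundaries.
        starts = sorted({0} | {lo for lo, _ in col} | {hi + 1 for _, hi in col})
        masks = [sum(1 << i for i, (lo, hi) in enumerate(col) if lo <= s <= hi)
                 for s in starts]
        tables.append((starts, masks))
    return tables

def compiled_lookup(tables, acl, *packet):
    """One table probe per field, AND the bitmasks, lowest set bit = earliest ACE."""
    hit = -1  # every bit set
    for (starts, masks), value in zip(tables, key(*packet)):
        hit &= masks[bisect.bisect_right(starts, value) - 1]
    if hit == 0:
        return None, "deny"  # no ACE matched: implicit deny
    index = (hit & -hit).bit_length() - 1
    return index, acl[index][0]

def linear_lookup(acl, *packet):
    """Reference: the ordinary top-down scan of the list."""
    for index, ace in enumerate(acl):
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges(ace), key(*packet))):
            return index, ace[0]
    return None, "deny"
```

The cost of `compiled_lookup` depends on the number of fields, not on the number of ACEs, which is the property the answer describes; the price is the compile step, which has to be rerun whenever the ACL changes.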

4 REPLIES
Gold

Re: Turbo (compiled) access lists

Hi Scott -

Might be of help on TACLs (Turbo ACLs):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dttacl.htm

Thanks - Jay.

New Member

Re: Turbo (compiled) access lists

Thanks Jay,

Unfortunately I had already looked over that one and all it seems to tell me is that the access lists are compiled. It doesn't cover how it tabulates or how it matches the packets as they come in.

I am assuming that it summarises the lists into a table but is that it? Is it that each ACL is tabulated and that looking up the table is faster than sequentially going through the list?

It's not life or death I am just curious really.

Scott

New Member

Re: Turbo (compiled) access lists

I second this request, and actually, I am looking for the PhD version. Any technical information would be greatly appreciated.
