Cisco Support Community

Using the access-list compiled command

Hi, I have a PIX525 with 6.3(4) with some large ACLs. I'd like to use the 'access-list compiled' command, but will this cause any disruption to traffic running through my production firewall?

4 REPLIES

Re: Using the access-list compiled command

Hi David,

The 'access-list compiled' (also known as turbo access-list) is meant to speed up (improve) the verification of passing traffic against huge ACL entries. It will not affect your firewall operation. The firewall reads ACL entries in 'top-down' mode (from the first ACL entry down to the last statement).

You can apply it to an individual ACL name or to all ACLs.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1034390

Hope this helps!

Rgds,

AK

Re: Using the access-list compiled command

Use TurboACL only on PIX Firewall platforms that have 16 MB or more of Flash memory. Consequently, TurboACL is not supported on the PIX 501 because it has 8 MB of Flash memory.

If TurboACL is configured, some access control list or access control list group modifications can trigger regeneration of the TurboACL internal configuration. Depending on the extent of the TurboACL configuration(s), this could noticeably consume CPU resources. Consequently, we recommend modifying turbo-compiled access lists during non-peak system usage hours.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1067755

Rgds,

AK
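The two behaviours the replies describe, the top-down first-match scan and the indexing that 'access-list compiled' adds (with its regeneration cost on edits), as an added Python model; this is not PIX code or anything posted in this thread, and the port-keyed index, the entry format and the sample ACL and packets are constructed assumptions, not the real TurboACL data structure:

```python
from collections import defaultdict, namedtuple
# One access-list entry (constructed simplification: protocol and destination port
# only; addresses are omitted). proto "ip" matches any protocol, dst_port None any port.
Ace = namedtuple("Ace", "action proto dst_port")

def matches(ace, proto, dst_port):
    return ace.proto in ("ip", proto) and ace.dst_port in (None, dst_port)

def linear_lookup(acl, proto, dst_port):
    """Uncompiled behaviour: top-down, first match wins, implicit deny at the end."""
    for i, ace in enumerate(acl):
        if matches(ace, proto, dst_port):
            return ace.action, i
    return "deny", None

class CompiledAcl:
    """Assumed model of 'compiled' lookup: index entries by destination port so only
    candidates are scanned, in original order, so first-match results equal the scan."""
    def __init__(self, acl):
        self.acl = list(acl)
        self.compile()

    def compile(self):
        self.by_port = defaultdict(list)   # dst_port -> entry positions
        self.any_port = []                 # positions of entries matching any port
        for i, ace in enumerate(self.acl):
            (self.any_port if ace.dst_port is None else self.by_port[ace.dst_port]).append(i)

    def lookup(self, proto, dst_port):
        for i in sorted(self.by_port.get(dst_port, []) + self.any_port):
            if matches(self.acl[i], proto, dst_port):
                return self.acl[i].action, i
        return "deny", None

    def replace(self, idx, ace):
        """Editing an entry regenerates the whole index: the CPU cost the second reply
        warns about, and the reason edits belong in off-peak hours."""
        self.acl[idx] = ace
        self.compile()

# Constructed sample ACL and packets (proto, dst_port); dst_port None = no port (ICMP).
SAMPLE_ACL = [Ace("deny", "tcp", 23), Ace("permit", "tcp", 80), Ace("permit", "tcp", 443),
              Ace("deny", "udp", None), Ace("permit", "ip", None)]
SAMPLE_PACKETS = [("tcp", 80), ("tcp", 23), ("udp", 53), ("tcp", 22), ("icmp", None)]

def same_decisions(acl, packets):
    """True when the compiled and linear lookups agree on every packet."""
    compiled = CompiledAcl(acl)
    return all(linear_lookup(acl, p, d) == compiled.lookup(p, d) for p, d in packets)
```

The check worth keeping from this model is `same_decisions`: an index only speeds up matching if it never changes which entry wins.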

Re: Using the access-list compiled command

Thanks AK for your answer. I'm really interested in knowing if there will be any disruption in traffic flow as a result of applying the 'access-list compiled' command for the first time.

Re: Using the access-list compiled command

Based on my own experience, I did not see any immediate impact, e.g. access suddenly becoming slow, sessions getting disconnected/dropped and so on.

The firewalls (x2) had close to 3000 lines of ACLs. I purposely applied the 'access-list compiled' on the 1st box during office hours with many users/sessions, but so far, no hiccups.

I am not sure about your environment. Maybe it's better to do it after office hours, at midnight or on a weekend to minimize interruption, which also leaves plenty of time for troubleshooting.

When you apply 'access-list compiled', the firewall does some kind of indexing of the ACLs. It will not hold up or prevent the ACLs from doing their traffic filtering.

Rgds,

AK
