IOS image is 12.4

So you should have the support for numbered access-lists.

Thanks. I know I have support for the line numbering in the access list. What I am looking is the information stated in my first post pertaining to how the lookup table works when matching packets and the other items I stated in my post.

Hello,

This is a most interesting question.

First, in the URL that you posted it is clearly stated that "The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements". The original ACL is transformed, but it is a mandatory requirement for the actually used data structures to behave exactly as expected by the familiar with normal ACLs network operator. Else, we are in trouble and cannot configure what we want.

Second, the Turbo ACL feature takes care of the redundant entries for you. Even if redundant entries do exist in your original ACL, the data structures actually used at the forwarding path do not do redundant checks (to the extent possible). So, from a performance perspective you are quite ok. I suppose you would like some output to tell you which entries are redundant, so you can remove them. I don't know if this is possible or whether it cannot be easily done for some reason.

As far as I know, this feature is based on research work done at Stanford University

"Packet Classification on Multiple Fields" by Gupta and McKeown (1999). (I attach this .pdf that I had dowloaded some time ago because right now it is hard if impossible to browse it from the citeseer website.) In the acknowledgements section you will see that there has been collaboration with people from Cisco. The actual algorithm in Cisco routers might not be exactly the same, but I believe the paper is indicative of the general idea.

This is research paper, so do not expect it to be very easy reading, although I can say that it is much more easy to read than other types of papers. If you are curious for more, just ignore the mathematical formalities. (I once had to present this in class and now I can grasp only the simple stuff :-) Search for the terms backward and forward redundancy, if you are interested. If you have any questions, please do not hesitate to ask.

Kind Regards,

Maria

Ugh. Thanks for the paper. Just did a quick scan of the file and it made my brain glaze over.

Sorry about that. Anyway, the line in the ACL does matter when other data structures are used. Preserving initial ACL semantics is mandatory. The redundancies are taken care of by the feature, so you do not have to do the checks yourself (the guys from Standford and Cisco thought this through and the router does it for you). I hope this is clear.

Hello,

Sorry about messing up with your head. My only excuse is that you seemed to be exploring the Turbo ACL concept very deep. I will try to explain the concept as simply as I can.

The idea is to gradually map a packet (incoming or outgoing) to an action (permit or deny). Let's consider only incoming packets.

We have an ACL with 3 entries (4 with the implicit deny at the end).

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1

access-list 101 permit udp host 10.1.1.2 host 172.16.1.1

For the particular ACL we have :

2 options for source address (10.1.1.2 or any other)

2 options for destination address (172.16.1.1 or any other)

3 options for protocol (tcp, udp, any other)

2 options for port (telnet or any other)

Now, a packet arrives. What would you check first? I would check the protocol (shorter than IP address). Let's say this is UDP packet. We directly know this packet can match the last ACL entry or the implicit deny. Let's say we check the source IP and doesn't match 10.1.1.2. We drop packet and are done. No more checks needed. (Compare this to checking competely one entry after the other and imagine an ACL with 1000 entries.)

The algorithm can be more complicated than the example above, but this is the basic idea.

Hope this helps,

M.