Access Control Lists: Turbo ACLs

Turbo ACLs use a technique that takes a standard or extended ACL, creates a set of data tables from it, and compiles them for runtime processing. For this reason, Turbo ACLs are also referred to as compiled ACLs. Turbo ACLs do not change the "first match wins" characteristic of all ACLs. Instead, they reduce the number of CPU operations needed to find a match, allowing larger ACLs to be used without an increase in packet latency. This gives ISPs a tool to deploy large ACLs without a significant performance impact on the router.

As seen in Figure 4-13, when a Turbo ACL is activated in a router, it takes the standard ACL as input, creates tables based on the ACL's entries, and compiles the tables to allow an arrayed match. The result is that a match is achieved in five steps, regardless of the size of the ACL. This also means that a Turbo ACL's advantages become clear only when the ACL is longer than five entries: ACLs with 3 or 5 lines would outperform Turbo ACLs, but Turbo ACLs with 300 to 500 lines would outperform sequentially searched ACLs. Figure 4-14 shows the result of one study on the performance difference between sequential ACLs and Turbo ACLs. As the length of the ACL increases, the time it takes a sequential ACL to find a match increases (assuming a last-line match), whereas a Turbo ACL's match time stays constant throughout the length of the ACL. The limit on the length of a Turbo ACL has more to do with the hardware performance envelope: memory, TCAM size, ASIC size, buffering, and CPU cycles are all factors that bound the maximum size of a Turbo ACL.
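The following added example (it is not Cisco's implementation, nor code from the source text) makes the comparison above concrete. It evaluates the same constructed ACL two ways: sequentially, walking the entries top to bottom, and through "compiled" lookup tables built in advance. The table layout is a textbook per-octet bit-vector scheme chosen for illustration: each table entry holds a bitmap of the ACE indices that could match, the nine per-field lookups are AND-ed together, and the lowest set bit in the result is the first matching ACE, so first-match-wins semantics are preserved. The fixed count of nine lookups here is an artefact of this layout, not the five steps quoted in the text; the point is that it does not grow with the ACL, while the sequential count does. The ACL contents, filler entries and packets are all constructed for the demo.

```python
"""Sequential vs. compiled ("Turbo"-style) ACL matching, side by side.

Illustrative only: the table layout is a textbook per-octet bit-vector scheme,
not Cisco's actual Turbo ACL data structures.  Every ACL and packet below is
constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

PROTOCOLS = ("tcp", "udp", "icmp")        # packet protocols the demo understands


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol ("ip" = any), source, destination."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_acl(filler: int) -> list:
    """Constructed ACL: `filler` deny lines, then three 'real' entries at the end,
    so that the interesting matches are last-line matches, as in the text."""
    net = ipaddress.ip_network
    acl = [Ace("deny", "ip", net(f"172.16.{i // 256}.{i % 256}/32"), net("0.0.0.0/0"))
           for i in range(filler)]
    acl += [
        Ace("deny",   "tcp", net("10.1.1.0/24"),  net("0.0.0.0/0")),
        Ace("permit", "ip",  net("10.1.0.0/16"),  net("192.0.2.0/24")),
        Ace("permit", "udp", net("0.0.0.0/0"),    net("192.0.2.53/32")),
    ]
    return acl


def sequential_match(acl, proto, src, dst):
    """Classic evaluation: walk the ACEs top to bottom, first match wins.
    Returns (action, number_of_entries_examined)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", len(acl)                  # implicit deny at the end of every ACL


def _octet_tables(networks):
    """For each of the four address octets, a 256-entry table mapping an octet
    value to a bitmap of the ACE indices whose prefix admits that value."""
    tables = [[0] * 256 for _ in range(4)]
    for idx, net in enumerate(networks):
        addr, mask = net.network_address.packed, net.netmask.packed
        for i in range(4):
            for v in range(256):
                if (v & mask[i]) == (addr[i] & mask[i]):
                    tables[i][v] |= 1 << idx
    return tables


def compile_acl(acl):
    """'Compile' the ACL into lookup tables.  Bit idx of a bitmap is set when
    ACE number idx could match; keeping ACE order in the bit position preserves
    first-match-wins semantics."""
    proto_table = {p: 0 for p in PROTOCOLS}
    proto_table[None] = 0                    # bitmap used for protocols outside PROTOCOLS
    for idx, ace in enumerate(acl):
        for p in (PROTOCOLS + (None,)) if ace.proto == "ip" else (ace.proto,):
            proto_table[p] |= 1 << idx
    return {
        "src": _octet_tables([a.src for a in acl]),
        "dst": _octet_tables([a.dst for a in acl]),
        "proto": proto_table,
        "actions": tuple(a.action for a in acl),
    }


def compiled_match(compiled, proto, src, dst):
    """Fixed-cost evaluation: one protocol lookup plus eight octet lookups,
    AND-ed together; the lowest set bit is the first ACE in the original order.
    Returns (action, number_of_table_lookups), always 9 lookups in this layout."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    bits = compiled["proto"].get(proto, compiled["proto"][None])
    lookups = 1
    for i in range(4):
        bits &= compiled["src"][i][s[i]] & compiled["dst"][i][d[i]]
        lookups += 2
    if bits == 0:
        return "deny", lookups               # no ACE matched: implicit deny
    first = (bits & -bits).bit_length() - 1  # index of the lowest set bit
    return compiled["actions"][first], lookups


if __name__ == "__main__":
    for size in (5, 300):
        acl = build_acl(size)
        comp = compile_acl(acl)
        pkt = ("tcp", "10.1.1.5", "192.0.2.10")   # hits the first 'real' ACE, after all filler
        print(len(acl), "ACEs:", sequential_match(acl, *pkt), compiled_match(comp, *pkt))
```

Running the block shows the trade-off the text describes: with 5 filler lines a packet that hits an early entry is resolved sequentially in fewer than nine comparisons, while with 300 filler lines a last-line match costs 301 sequential comparisons against the same nine table lookups. The compile step itself is the cost that moves off the forwarding path, which is why the text notes that memory and TCAM size, not match time, bound how large such an ACL can be.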
