Turbo ACL Configuration Details and References

To activate Turbo ACLs in a Cisco router, the following global command is used:

access-list compiled

This applies Turbo ACLs to every ACL on the router, regardless of size. Turbo ACLs were introduced in IOS Software Release 12.0(6)S; once they are enabled, the show access-list compiled EXEC command reports the compilation state of each ACL. Keyword searches on Cisco.com or http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s6/turboacl.ht will provide configuration information on Turbo ACLs.

Full details of how Turbo ACLs work were given by Andrew McRae in the paper "High-Speed Packet Classification," presented at the Australian UNIX Users Group national conference in September 1999 (http://www.employees.org/~amcrae/papers/packet class/).

ASIC-Based ACLs

As bandwidth and PPS rates increased, hardware vendors started to consider other packet-filtering technologies. Until quite recently, all packet filtering was done in software running on a general-purpose CPU. This could be a centrally switched architecture (such as a Cisco 72XX) or a distributed switching architecture with CPU-based line cards (such as a Cisco 75XX with VIP cards, a Cisco 76XX with FlexWAN cards, or a Cisco 12XXX with Engine 0 line cards). The alternative to filtering in software on a CPU is to microcode the ACL into an ASIC.

ASIC-based ACLs use the strengths of specifically designed hardware to accelerate the resolution of an ACL. Some ASICs could be mission-specific, with ACLs added as a supplement (for example, Salsa on the Cisco 12000's Engine 1 line cards). Other ASICs are very specific and are optimized just for ACL lookup (for example, TCAMs on the Cisco 7600 and future products). The impact is that ACLs in ASIC have different performance characteristics than ACLs processed by general software on a CPU:

• The first difference is performance, which improves dramatically. On some ASICs the gain is a higher PPS rate that is still affected by the depth of the ACL (as mentioned earlier, a deeper ACL takes longer to reach a match). On others there is no PPS impact at all: the card forwards at full rate up to the maximum depth of the ACL (15,000 lines in a 7600's TCAM).

• The second difference is that some capabilities of the ACL are limited. For example, ASIC-based ACLs usually require a precompilation step on the router before the ACL is loaded into the ASIC. This precompilation happens behind the scenes after an ACL has been updated. However, compiling the ACL loses some per-ACE information (an ACE, or access control entry, is a single line in an access control list). For example, an operator can get aggregate counters on most ASIC-based ACLs but cannot get per-ACE counters, so the per-line hit counts normally used to verify that a policy is matching the intended traffic are not available.

• Finally, ASIC-based ACLs have an ACE depth limit. Software-based ACLs can draw on the shared memory of a line card or route processor, but hardware-based ACLs are restricted to the memory designed into the ASIC. The number of ACEs in a software-based ACL therefore can be very large, whereas the number of ACEs a hardware ACL can hold is bounded. This puts a maximum on the number of lines (ACEs) that an ACL can contain. For some ASICs this number is low: the 12000's Engine 2 PSA ASIC can handle up to 448 ACEs. For others it is high: the 7600's TCAM can go up to 15,000 ACEs.

Taken together, these ASIC-based ACL characteristics offer the operator new strengths but also new limitations. (It is a common security principle that no new level of security comes without new limitations.) Operators need to be mindful of these limitations as they use ACLs to apply policy and security throughout their networks.
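The following Python model is added here to illustrate the compiled-lookup idea behind Turbo ACLs and the three ASIC characteristics listed above; it is not code from the book, from Cisco, or from McRae's paper, and it simplifies the published algorithm. A small constructed ACL is precompiled into one 256-entry table per header byte, each entry holding a bitmap of the ACEs that can match that byte value. A lookup then ANDs eleven bitmaps (four source address bytes, four destination address bytes, the protocol, and two destination port bytes) and takes the lowest set bit, so the cost is independent of ACL depth and first-match order is preserved. The compile step refuses an ACL larger than MAX_ACES, an assumed capacity set to the 448-ACE Engine 2 PSA figure quoted above; the policy, addresses, and packets are constructed sample data.

```python
import ipaddress
from collections import namedtuple

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
MAX_ACES = 448  # assumed ASIC capacity; the Engine 2 PSA figure quoted in the text

Ace = namedtuple("Ace", "action proto src dst dport")  # proto "ip" = any; dport None = any
Packet = namedtuple("Packet", "proto src dst dport")

def parse_ace(line):
    """Parse a simplified ACE: '<action> <proto> <src/len> <dst/len> [eq <port>]'."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    dport = int(parts[5]) if len(parts) > 5 and parts[4] == "eq" else None
    return Ace(action, proto, ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst), dport)

def linear_lookup(acl, pkt):
    """Software-style first-match scan: the work grows with the depth of the ACL."""
    for idx, ace in enumerate(acl):
        if (ace.proto in ("ip", pkt.proto) and pkt.src in ace.src and pkt.dst in ace.dst
                and ace.dport in (None, pkt.dport)):
            return ace.action, idx
    return "deny", None  # the implicit deny at the end of every IOS ACL

class CompiledAcl:
    """Compiled form: a 256-entry table per header byte, each entry a bitmap of the
    ACEs that can match that byte value. A lookup ANDs eleven bitmaps (4 src, 4 dst,
    1 protocol, 2 dport), so its cost is the same however deep the ACL is."""
    def __init__(self, acl):
        if len(acl) > MAX_ACES:
            raise ValueError(f"{len(acl)} ACEs exceed the ASIC capacity of {MAX_ACES}")
        self.acl = list(acl)
        self.src = [[0] * 256 for _ in range(4)]
        self.dst = [[0] * 256 for _ in range(4)]
        self.proto = [0] * 256
        self.dport = [[0] * 256 for _ in range(2)]  # high byte, low byte
        for idx, ace in enumerate(acl):
            bit = 1 << idx  # ACE index = bit position, so the lowest set bit is the first match
            self._fill_prefix(self.src, ace.src, bit)
            self._fill_prefix(self.dst, ace.dst, bit)
            for p in range(256):
                if ace.proto == "ip" or PROTO_NUM[ace.proto] == p:
                    self.proto[p] |= bit
            for k, shift in ((0, 8), (1, 0)):
                for v in range(256):
                    if ace.dport is None or ((ace.dport >> shift) & 0xFF) == v:
                        self.dport[k][v] |= bit

    @staticmethod
    def _fill_prefix(tables, net, bit):
        net_b, mask_b = net.network_address.packed, net.netmask.packed
        for k in range(4):
            for v in range(256):
                if (v & mask_b[k]) == net_b[k]:  # byte value agrees with the prefix here
                    tables[k][v] |= bit

    def lookup(self, pkt):
        cand = (1 << len(self.acl)) - 1  # start with every ACE as a candidate
        s, d = pkt.src.packed, pkt.dst.packed
        for k in range(4):
            cand &= self.src[k][s[k]] & self.dst[k][d[k]]
        cand &= self.proto[PROTO_NUM[pkt.proto]]
        cand &= self.dport[0][pkt.dport >> 8] & self.dport[1][pkt.dport & 0xFF]
        if cand == 0:
            return "deny", None
        idx = (cand & -cand).bit_length() - 1  # index of the lowest set bit
        return self.acl[idx].action, idx

def _pkt(proto, src, dst, dport=0):
    return Packet(proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), dport)
# Constructed sample policy and traffic for the demonstration (not from the original page).
SAMPLE_ACL = [parse_ace(l) for l in """
deny   tcp  10.0.0.0/8  192.0.2.10/32 eq 23
permit tcp  10.0.0.0/8  192.0.2.0/24  eq 80
permit udp  0.0.0.0/0   192.0.2.53/32 eq 53
permit icmp 0.0.0.0/0   192.0.2.0/24
""".strip().splitlines()]
SAMPLE_PACKETS = [
    _pkt("tcp", "10.1.2.3", "192.0.2.10", 23),      # telnet to the host: ACE 0 denies
    _pkt("tcp", "10.1.2.3", "192.0.2.10", 80),      # web to the same host: ACE 1 permits
    _pkt("udp", "198.51.100.7", "192.0.2.53", 53),  # DNS from outside: ACE 2 permits
    _pkt("icmp", "198.51.100.7", "192.0.2.77"),     # ICMP into the /24: ACE 3 permits
    _pkt("tcp", "172.16.0.1", "192.0.2.10", 80),    # web from outside 10/8: implicit deny
]

def compare(acl, packets):
    """Compiled result per packet, asserted equal to the linear scan."""
    compiled = CompiledAcl(acl)
    results = [compiled.lookup(p) for p in packets]
    assert results == [linear_lookup(acl, p) for p in packets], "compiled and linear differ"
    return results

def exceeds_capacity(n_aces):
    """True when the compile step refuses an ACL of n_aces permit-any lines."""
    try:
        CompiledAcl([parse_ace("permit ip 0.0.0.0/0 0.0.0.0/0")] * n_aces)
    except ValueError:
        return True
    return False
```

Running compare(SAMPLE_ACL, SAMPLE_PACKETS) yields the same (action, ACE index) pair from both paths for every packet, and exceeds_capacity(MAX_ACES + 1) returns True while a three-line ACL compiles. Two points carry over to the hardware discussed above: every edit to the ACL forces a rebuild of the tables, which is the precompilation the text describes, and although this software model still knows which ACE matched, the per-ACE counters are exactly what the ASIC platforms lose once the list has been compiled.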
