Filter
Top Products
Configuring IP Services
Filtering IP Packets Using Access Lists
IPC-97
Cisco IOS IP Configuration Guide
Verifying Turbo ACLs
Use the show access-list compiled EXEC command to verify that the Turbo ACL feature has been
successfully configured on your router. This command also displays the memory overhead of the Turbo
ACL tables for each access list. The command output contains the following states:
• Operational—The access list has been compiled by Turbo ACL, and matching to this access list is
performed through the Turbo ACL tables at high speed.
• Unsuitable—The access list is not suitable for compiling, perhaps because it has time-range enabled
entries, evaluate references, or dynamic entries.
• Deleted—No entries are in this access list.
• Building—The access list is being compiled. Depending on the size and complexity of the list, and
the load on the router, the building process may take a few seconds.
• Out of memory—An access list cannot be compiled because the router has exhausted its memory.
The following is sample output from the show access-lists compiled EXEC command:
Router# show access-lists compiled
Compiled ACL statistics:
12 ACLs loaded, 12 compiled tables
ACL State Tables Entries Config Fragment Redundant Memory
1 Operational 1 2 1 0 0 1Kb
2 Operational 1 3 2 0 0 1Kb
3 Operational 1 4 3 0 0 1Kb
4 Operational 1 3 2 0 0 1Kb
5 Operational 1 5 4 0 0 1Kb
9 Operational 1 3 2 0 0 1Kb
20 Operational 1 9 8 0 0 1Kb
21 Operational 1 5 4 0 0 1Kb
101 Operational 1 15 9 7 2 1Kb
102 Operational 1 13 6 6 0 1Kb
120 Operational 1 2 1 0 0 1Kb
199 Operational 1 4 3 0 0 1Kb
First level lookup tables:
Block Use Rows Columns Memory used
0 TOS/Protocol 6/16 12/16 66048
1 IP Source (MS) 10/16 12/16 66048
2 IP Source (LS) 27/32 12/16 132096
3 IP Dest (MS) 3/16 12/16 66048
4 IP Dest (LS) 9/16 12/16 66048
5 TCP/UDP Src Port 1/16 12/16 66048
6 TCP/UDP Dest Port 3/16 12/16 66048
7 TCP Flags/Fragment 3/16 12/16 66048
Applying Time Ranges to Access Lists
You can implement access lists based on the time of day and week using the time-range global
configuration command. To do so, first define the name and times of the day and week of the time range,
then reference the time range by name in an access list to apply restrictions to the access list.
Currently, IP and Internetwork Packet Exchange (IPX) named or numbered extended access lists are the
only functions that can use time ranges. The time range allows the network administrator to define when
the permit or deny statements in the access list are in effect. Prior to this feature, access list statements
were always in effect once they were applied. The time-range keyword is referenced in the named and
numbered extended access list task tables in the previous sections “Creating Standard and Extended
Access Lists Using Numbers” and “Creating Standard and Extended Access Lists Using Names.” The