Large ACL
An ACL comprises multiple access control entries (ACEs), which are processed sequentially from top to bottom. It is therefore very important to place the entries that are most likely to be matched toward the top of the access list. The performance impact of an access list increases linearly with the number of ACEs, so summarize the address ranges of the ACEs as much as possible. The smaller the list, the lower the CPU utilization and the less time spent sequentially searching for a matching entry.

If you still have a huge number of ACEs after summarization, configure turbo ACL. Note that the turbo ACL feature is available only on 7200, 7500, and 12000 series routers. To turn on turbo ACL, simply execute the access-list compiled command after creating the ACL. The turbo ACL feature compiles the ACEs of the ACL into a set of special lookup tables while maintaining the first-match requirement. These tables allow permit or deny decisions to be made quickly and consistently, which boosts performance dramatically. Keep in mind, however, the following caution: if you have fewer than five ACEs, a standard or extended ACL may perform better than turbo ACL, because the turbo ACL compilation may take more CPU cycles than are gained by the faster match.

Additionally, use NetFlow together with the ACL to boost performance: when NetFlow is enabled, only the first packet in a given flow goes through ACL checking, and the rest of the packets in that flow bypass the ACL checks. NetFlow is turned on in a Cisco router with the ip route-cache flow command in interface configuration mode.
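The two tuning steps above, summarizing address ranges and moving the most frequently matched entry toward the top, only help if the ACL still makes the same permit/deny decision for every packet afterwards. The following Python model is an added example written for this page, not code from the book or from Cisco IOS; it uses a constructed standard (source-address) ACL and shows the check a practitioner should run before reordering: an entry may only be promoted above its predecessors if no earlier entry with the opposite action overlaps it, otherwise the addresses in the overlap silently change decision. The helper names (`summarize`, `can_move_to_top`, `promote`, `to_ios`) and the sample networks are assumptions made for the example.

```python
"""Model of top-down, first-match ACL evaluation with safe summarization and
reordering. Added example for the 'Large ACL' section; the ACL below is
constructed, not taken from any real device."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from typing import List


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    network: IPv4Network


# Constructed sample list: one blocked host inside four contiguous permitted
# /24s, followed by the entry that most traffic actually hits ("hot" entry).
ORIGINAL_ACL = [
    Ace("deny", IPv4Network("10.1.2.50/32")),
    Ace("permit", IPv4Network("10.1.0.0/24")),
    Ace("permit", IPv4Network("10.1.1.0/24")),
    Ace("permit", IPv4Network("10.1.2.0/24")),
    Ace("permit", IPv4Network("10.1.3.0/24")),
    Ace("permit", IPv4Network("192.168.7.0/24")),   # hot entry, currently last
]

# Constructed probe addresses covering each region of the list, including the
# shadowed host and an address matched only by the implicit deny.
SAMPLE_SOURCES = ["10.1.2.50", "10.1.2.51", "10.1.0.1", "10.1.3.255",
                  "10.1.4.0", "192.168.7.9", "172.16.0.1"]


def first_match(acl: List[Ace], src: str) -> str:
    """Sequential top-down evaluation; the first ACE containing src decides.
    Every Cisco ACL ends with an implicit deny."""
    addr = IPv4Address(src)
    for ace in acl:
        if addr in ace.network:
            return ace.action
    return "deny"


def summarize(acl: List[Ace]) -> List[Ace]:
    """Merge runs of consecutive same-action entries into the fewest prefixes.
    Merging never crosses an action boundary, so first-match results are
    unchanged for every address (collapse_addresses adds no addresses)."""
    out: List[Ace] = []
    i = 0
    while i < len(acl):
        j = i
        while j < len(acl) and acl[j].action == acl[i].action:
            j += 1
        for net in collapse_addresses(a.network for a in acl[i:j]):
            out.append(Ace(acl[i].action, net))
        i = j
    return out


def can_move_to_top(acl: List[Ace], idx: int) -> bool:
    """True if acl[idx] can be promoted above all earlier entries without
    changing any decision: no earlier opposite-action entry may overlap it."""
    hot = acl[idx]
    return not any(e.action != hot.action and e.network.overlaps(hot.network)
                   for e in acl[:idx])


def promote(acl: List[Ace], idx: int) -> List[Ace]:
    """Move the hot entry to the top, refusing when that would alter behaviour."""
    if not can_move_to_top(acl, idx):
        raise ValueError(f"entry {idx} overlaps an earlier opposite-action ACE")
    return [acl[idx]] + acl[:idx] + acl[idx + 1:]


def equivalent(a: List[Ace], b: List[Ace], sources: List[str]) -> bool:
    """Regression check: both lists decide every probe address the same way."""
    return all(first_match(a, s) == first_match(b, s) for s in sources)


def to_ios(number: int, acl: List[Ace]) -> List[str]:
    """Render as numbered standard ACL lines (IOS uses wildcard masks, which
    are the inverse of the netmask, i.e. the prefix's hostmask)."""
    lines = []
    for ace in acl:
        net = ace.network
        if net.prefixlen == 32:
            lines.append(f"access-list {number} {ace.action} host {net.network_address}")
        else:
            lines.append(f"access-list {number} {ace.action} {net.network_address} {net.hostmask}")
    return lines


if __name__ == "__main__":
    small = summarize(ORIGINAL_ACL)          # 6 entries -> 3
    tuned = promote(small, 2)                # hot 192.168.7.0/24 to the top
    assert not can_move_to_top(small, 1)     # 10.1.0.0/22 must stay below the host deny
    assert equivalent(ORIGINAL_ACL, tuned, SAMPLE_SOURCES)
    print("\n".join(to_ios(10, tuned)))
```

The summarized list shrinks from six entries to three, and only the hot entry is safe to promote; the permit for 10.1.0.0/22 cannot move above the deny for host 10.1.2.50 because that host would then be permitted. Once the list is tuned, the page's remaining steps apply unchanged: `access-list compiled` in global configuration for turbo ACL on the supported platforms, and `ip route-cache flow` on the interface for NetFlow.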