
Tuesday, August 12, 2008

Reducing CPU usage due to ACLs on Catalyst Switches.

Based on the following documentation from Cisco I feel that if we implement “no ip unreachables” and Optimized ACL Logging, we will reduce some CPU load on the Catalyst 6500 switches. Please let me know your thoughts. We may also take advantage of compiled (turbo) access-lists. This feature will index the ACLs and reduce the time taken to go through the ACL linear matching and filtering process.


• ACL flows that match a "deny" statement in standard and extended ACLs (input and output) are dropped in hardware if "ip unreachables" is disabled.
• ACL flows that match a "permit" statement in standard and extended ACLs (input and output) are processed in hardware.
• Unless you configure optimized ACL logging (OAL), flows that require logging are processed in software without impacting nonlogged flow processing in hardware.
• When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware.

By default, the MSFC sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group.
With the ip unreachables command enabled (which is the default), the supervisor engine drops most of the denied packets in hardware and sends only a small number of packets to the MSFC to be dropped (10 packets per second, maximum), which generates ICMP-unreachable messages.
To eliminate the load imposed on the MSFC CPU by the task of dropping denied packets and generating ICMP-unreachable messages, you can enter the no ip unreachables interface configuration command to disable ICMP unreachable messages, which allows all access group-denied packets to be dropped in hardware.
Thank you.
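The following is an added worked example, not configuration from the original post or from the Cisco documentation quoted above. It puts the three items side by side on a single interface: the default state, in which denied flows are punted to the MSFC to generate ICMP unreachables and "log" entries force flows through software, and the adjusted state using no ip unreachables, Optimized ACL Logging and compiled access-lists. The interface name (Vlan100), the ACL name (EDGE-IN), the addresses (RFC 5737 documentation space) and the OAL cache values are placeholders chosen for illustration; availability of each command depends on the supervisor/PFC and IOS release, so verify on the actual platform.

```cisco
! Added example (not from the original post). Interface, ACL name,
! addresses and OAL cache values are placeholders.

! ---- Before: defaults ----
! "ip unreachables" is on by default, so access-group-denied packets
! are rate-limited up to the MSFC to generate ICMP unreachables, and
! the "log" keyword forces matching flows through software.
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in

! ---- After: hardware drops and hardware-assisted logging ----
! Optimized ACL Logging (OAL): the PFC caches log hits instead of
! punting every logged packet to the MSFC. Values are examples.
logging ip access-list cache entries 8000
logging ip access-list cache interval 300
logging ip access-list cache threshold 0
logging ip access-list cache rate-limit 1000
!
! Compiled (turbo) ACL lookup for the software-switched path.
! Assumption: supported on this platform/release; check before use.
access-list compiled
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
 ! Suppress ICMP unreachables so every denied packet drops in hardware
 no ip unreachables
 ! Apply OAL to the inbound ACL on this interface
 logging ip access-list cache in
!
! ---- Verification ----
! Expect "ICMP unreachables are never sent" in the output below
show ip interface Vlan100 | include unreachables
! Cached log entries collected in hardware
show logging ip access-list cache
! Match counts here exclude hardware-processed packets (per the Cisco text)
show ip access-list EDGE-IN
```

Two points a practitioner would want to keep in mind when rolling this out. First, no ip unreachables is per interface, so it has to be applied on every interface that carries an access group, and it suppresses all ICMP destination-unreachable messages from that interface, including the "fragmentation needed" message that path MTU discovery depends on; plan for that where tunnels or unusual MTUs are in play. Second, because show ip access-list does not count hardware-processed packets, low counters after the change are expected and are not evidence that the ACL has stopped matching; use the OAL cache output to see what is actually being logged.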
