Cisco IOS Order of Operation
Below is the order in which the different features configured on an interface are applied as a packet traverses IOS software, as documented on Cisco.com. This table may not fit every case, so check whether it applies to your platform and release before relying on it.
Inside-to-Outside
1. If IPsec, check input access list
2. Decryption (for CET (Cisco Encryption Technology) or IPsec)
3. Check input access list
4. Check input rate limits
5. Input accounting
6. Policy routing
7. Routing
8. Redirect to web cache
9. NAT inside to outside (local to global translation)
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect (Context-based Access Control (CBAC))
13. TCP intercept
14. Encryption
15. Queueing

Outside-to-Inside
1. If IPsec, check input access list
2. Decryption (for CET or IPsec)
3. Check input access list
4. Check input rate limits
5. Input accounting
6. NAT outside to inside (global to local translation)
7. Policy routing
8. Routing
9. Redirect to web cache
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect (CBAC)
13. TCP intercept
14. Encryption
15. Queueing
The list above is the "official" version. Other versions, compiled by professional network engineers, are more complete; see the following for a larger diagram.
http://blog.router-switch.com/
More notes: Some variation in feature ordering may occur on specific router platforms, IOS software releases, and switching paths (CEF versus process-switched).
Ingress Features
1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features
1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)
* A note about virtual-reassembly
Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or "ip virtual reassembly". Operations above marked with a * will process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE, which forward the reassembled packet.

Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and QoS still need to be aware of how ACLs interact with fragments (http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml).
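The two security-relevant consequences of the ordering above are easy to get wrong in an ACL: the input access list runs before NAT and the output access list after it (Outside-to-Inside steps 3, 6 and 11 in the first list), and non-initial fragments carry no Layer 4 header, so ACL entries that name ports cannot be evaluated against them (the fragment note just above, with the rules from the linked Cisco white paper). The following model is an added example, not code from the original page or from Cisco. The function and class names (`acl_lookup`, `outside_to_inside`, `Packet`, `Ace`), the static NAT mapping, the ACLs and the packets are all constructed for illustration and use RFC 5737 documentation addresses.

```python
"""Model two Cisco IOS order-of-operation effects on interface ACLs.

Added example (not from the original page or from Cisco). All addresses,
NAT entries, ACLs and packets below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None       # None: no L4 header visible (non-initial fragment)
    non_initial_fragment: bool = False


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    src: str                          # "any" or an exact address
    dst: str
    dport: Optional[int] = None       # Layer 4 information, when present
    fragments: bool = False           # the 'fragments' keyword: non-initial fragments only


def _l3_match(ace: Ace, pkt: Packet) -> bool:
    return ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)


def acl_lookup(acl, pkt: Packet) -> str:
    """Return 'permit' or 'deny' using the fragment rules from the Cisco paper:
    - entries with L3 info only (no 'fragments') apply to every packet;
    - entries with 'fragments' apply only to non-initial fragments;
    - entries with L4 info cannot check ports on a non-initial fragment, so a
      matching L3 permit is honoured and a matching L3 deny is skipped.
    Every ACL ends with an implicit deny."""
    for ace in acl:
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments:
            if pkt.non_initial_fragment:
                return ace.action
            continue
        if ace.dport is None:
            return ace.action
        if pkt.non_initial_fragment:
            if ace.action == "permit":
                return "permit"
            continue                  # deny with L4 info is skipped for fragments
        if ace.dport == pkt.dport:
            return ace.action
    return "deny"


# Constructed static NAT: inside global (seen on the outside) -> inside local.
NAT_OUTSIDE_TO_INSIDE = {"203.0.113.10": "10.0.0.5"}


def outside_to_inside(pkt: Packet, input_acl, output_acl):
    """Walk a packet through the page's Outside-to-Inside order:
    input ACL, then NAT outside-to-inside, then output ACL."""
    if acl_lookup(input_acl, pkt) == "deny":
        return "dropped by input ACL", pkt
    pkt = replace(pkt, dst=NAT_OUTSIDE_TO_INSIDE.get(pkt.dst, pkt.dst))
    if acl_lookup(output_acl, pkt) == "deny":
        return "dropped by output ACL", pkt
    return "forwarded", pkt


WEB = Packet(src="198.51.100.7", dst="203.0.113.10", dport=443)
PERMIT_ANY = [Ace("permit", "any", "any")]
# An outside-interface input ACL written against the inside local address
# never matches, because NAT has not run yet when the input ACL is checked.
ACL_USES_LOCAL = [Ace("permit", "any", "10.0.0.5", dport=443)]
ACL_USES_GLOBAL = [Ace("permit", "any", "203.0.113.10", dport=443)]


def demo_nat_ordering():
    wrong = outside_to_inside(WEB, ACL_USES_LOCAL, PERMIT_ANY)
    right = outside_to_inside(WEB, ACL_USES_GLOBAL, PERMIT_ANY)
    return wrong[0], right[0], right[1].dst
    # -> ('dropped by input ACL', 'forwarded', '10.0.0.5')


# A deny that names a port is skipped for non-initial fragments; an explicit
# 'fragments' deny placed first closes that gap.
DENY_TELNET_ONLY = [Ace("deny", "any", "203.0.113.10", dport=23),
                    Ace("permit", "any", "203.0.113.10")]
DENY_TELNET_AND_FRAGS = [Ace("deny", "any", "203.0.113.10", fragments=True),
                         Ace("deny", "any", "203.0.113.10", dport=23),
                         Ace("permit", "any", "203.0.113.10")]
FRAG = Packet(src="198.51.100.7", dst="203.0.113.10", non_initial_fragment=True)


def demo_fragments():
    return acl_lookup(DENY_TELNET_ONLY, FRAG), acl_lookup(DENY_TELNET_AND_FRAGS, FRAG)
    # -> ('permit', 'deny')


if __name__ == "__main__":
    print(demo_nat_ordering())
    print(demo_fragments())
```

Run it as a script to see both verdicts. The NAT half shows why ACLs on the outside interface are written with inside global addresses; the fragment half shows that adding the `fragments` entry does not change how initial fragments and unfragmented Telnet or HTTPS packets are treated, only what happens to the non-initial fragments the port-based deny could not evaluate.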
Routing Features
1. Routing table lookup (if packet isn't marked with a PBR next-hop)
2. tcp adjust-mss

NOTE: Order of Operation for IOS 12.3(8)T and Later
More Notes: A Recommended Related Cisco Book
Router Security Strategies: Securing IP Network Traffic Planes
Router Security Strategies: Securing IP Network Traffic Planes provides a
comprehensive approach to understand and implement IP traffic plane separation
and protection on IP routers. This book details the distinct traffic planes of IP
networks and the advanced techniques necessary to operationally secure them. This
includes the data, control, management, and services planes that provide the
infrastructure for IP networking.
The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section.
The final section provides case studies from both the enterprise network and the
service provider network perspectives. In this way, the individual IP traffic plane
security techniques reviewed in the second section of the book are brought together
to help you create an integrated, comprehensive defense in depth and breadth
security architecture.
“Understanding and securing IP traffic planes are critical to the overall security
posture of the IP infrastructure. The techniques detailed in this book provide
protection and instrumentation enabling operators to understand and defend against
attacks. As the vulnerability economy continues to mature, it is critical for both
vendors and network providers to collaboratively deliver these protections to the IP
infrastructure.”
–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco
Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer
supporting the U.S. service provider organization. Gregg focuses on IP core network
security architectures and technology for interexchange carriers and web services
providers.
David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system
engineer supporting the service provider organization. David focuses on IP core and
edge architectures including IP routing, MPLS technologies, QoS, infrastructure
security, and network telemetry.
- Understand the operation of IP networks and routers
- Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
- Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
- Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
- Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
- Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
- Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques
This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
---Resource from ciscopress.com
More Related Tips:
What’s the Order of Operations for Cisco IOS?