Cisco IOS Order of Operation
Below is the order in which the different features configured on an interface are applied as a packet traverses Cisco IOS software, as published on Cisco.com. The table may not fit every case, so check whether it applies to your platform and release before relying on it.
Inside-to-Outside
• If IPSec then check input access list
• decryption – for CET (Cisco Encryption Technology) or IPSec
• check input access list
• check input rate limits
• input accounting
• policy routing
• routing
• redirect to web cache
• NAT inside to outside (local to global translation)
• crypto (check map and mark for encryption)
• check output access list
• inspect (Context-based Access Control (CBAC))
• TCP intercept
• encryption
• queueing

Outside-to-Inside
• If IPSec then check input access list
• decryption – for CET or IPSec
• check input access list
• check input rate limits
• input accounting
• NAT outside to inside (global to local translation)
• policy routing
• routing
• redirect to web cache
• crypto (check map and mark for encryption)
• check output access list
• inspect (CBAC)
• TCP intercept
• encryption
• queueing
The list above is the "official version". Other versions compiled by experienced network engineers are more complete; the one below covers many more features and applies to IOS 12.3(8)T and later.

See the following for a larger diagram.




                                                        http://blog.router-switch.com/
More notes: Some variation in feature ordering may occur on specific router platforms, IOS software releases, and switching paths (e.g. CEF versus process-switched).

Ingress Features
1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features
1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)
* A note about virtual-reassembly

Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or the "ip virtual-reassembly" command. Operations above marked with a * process the reassembled version of a packet; all other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behaviour is very different from PIX/ASA/FWSM and ACE, which forward the reassembled packet.

Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and QoS still need to be written with an awareness of how ACLs interact with fragments (see http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml).
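The consequence of that note for an interface ACL, shown as an added example that is not part of the original post. The interface name and the server's global address 203.0.113.10 are assumed; the ACL is applied inbound on the outside interface. The weak and corrected ACLs are shown side by side; only one would be bound to the interface.

```cisco
! Added example, not from the original post. Interface and addresses are assumed.
!
! Reassembly is switched on implicitly by NAT and the IOS firewall; enabling it
! explicitly makes the features marked * above see whole datagrams. The interface
! ACL is not one of them: it still evaluates the individual fragments.
! (Later releases also accept an "in" / "out" keyword on this command.)
interface GigabitEthernet0/0
 ip virtual-reassembly
 ip access-group OUTSIDE-IN in
!
! WEAK: a non-initial fragment carries no TCP header, so an ACE with Layer 4
! information can only be matched on its Layer 3 fields. A permit ACE that
! matches on Layer 3 permits the fragment, so fragments addressed to ANY port
! of 203.0.113.10 are let through by the "eq 443" line.
ip access-list extended OUTSIDE-IN-WEAK
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
! CORRECTED: an ACE with the "fragments" keyword matches only non-initial
! fragments, so they are denied explicitly before the Layer 4 permit is reached.
! The initial fragment (the one with the TCP header) is still matched by the
! "eq 443" line; the remaining fragments of that datagram are dropped, so this
! trades fragmented HTTPS to the server for closing the other ports.
ip access-list extended OUTSIDE-IN
 deny   ip any host 203.0.113.10 fragments
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
```

A deny ACE that carries Layer 4 information (for example "deny tcp any host 203.0.113.10 eq 22") does not catch non-initial fragments either; they fall through to the next ACE. That is why the explicit "fragments" line has to come first rather than relying on later deny entries.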

Routing Features
1. Routing table lookup (if the packet isn't marked with a PBR next-hop)
2. tcp adjust-mss

NOTE: The ingress/egress table above is the order of operation for IOS 12.3(8)T and later. The visible difference from the older list is the IPsec handling: from 12.3(8)T on, a decrypted packet is checked against the crypto map ACL ("Crypto inbound ACL check") instead of being run through the interface input ACL a second time, and an outbound packet marked for encryption skips the clear-text output ACL check and is checked as an ESP packet after encryption.
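What this ordering means for a real configuration, as an added example that is not part of the original post. The step numbers in the comments refer to the ingress and egress lists above. Every address, name, interface and crypto parameter is assumed: inside LAN 10.1.1.0/24 behind GigabitEthernet0/1, outside address 203.0.113.1 on GigabitEthernet0/0, a web server 10.1.1.10 statically translated to 203.0.113.10, and a remote LAN 10.2.2.0/24 behind the IPsec peer 198.51.100.1.

```cisco
! Added example, not from the original post. All addresses, names and crypto
! parameters are assumed; replace the pre-shared key before use.
!
! EGRESS: NAT inside-to-outside (step 4) runs BEFORE the crypto map ACL check
! (step 8). Traffic for the remote LAN must therefore be excluded from NAT, or
! VPN-TRAFFIC (written with pre-NAT addresses) never matches and the packets
! leave the outside interface in the clear.
ip access-list extended NAT-SOURCES
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
ip nat inside source static 10.1.1.10 203.0.113.10
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! INGRESS on the outside interface: the input ACL (step 12) runs BEFORE NAT
! outside-to-inside (step 20) and BEFORE IPsec decryption (step 14). It must
! therefore name the server's global address, and it must permit the IKE and
! ESP packets themselves. The decrypted inner packets are then checked against
! VPN-TRAFFIC (step 15), not against this ACL.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
! EGRESS on the outside interface: the output ACL (step 10) runs AFTER NAT, so
! it sees translated addresses. Packets marked for encryption skip step 10 and
! are checked again as ESP after encryption (step 20), so the router's own
! outside address must be permitted here or the tunnel traffic is dropped.
ip access-list extended OUTSIDE-OUT
 permit ip host 203.0.113.1 any
 permit ip host 203.0.113.10 any
 deny   ip any any log
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.1
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES256-SHA256
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 crypto map VPN
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
```

Two things to check after applying something like this: "show crypto ipsec sa" should count encrypted packets for the 10.1.1.0/24 to 10.2.2.0/24 selector (if the counters stay at zero while "show ip nat translations" shows entries for 10.2.2.x destinations, the NAT exemption is wrong), and the static entry for 10.1.1.10 is not governed by NAT-SOURCES, so if that server must itself reach the remote LAN through the tunnel the static entry needs the same exemption (IOS allows a route-map qualifier on static entries for this).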




More notes: a related Cisco Press book

Router Security Strategies: Securing IP Network Traffic Planes

Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understanding and implementing IP traffic plane separation and protection on IP routers. The book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them: the data, control, management, and services planes that provide the infrastructure for IP networking.

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section.

The final section provides case studies from both the enterprise network and the
service provider network perspectives. In this way, the individual IP traffic plane
security techniques reviewed in the second section of the book are brought together
to help you create an integrated, comprehensive defense in depth and breadth
security architecture.

“Understanding and securing IP traffic planes are critical to the overall security
posture of the IP infrastructure. The techniques detailed in this book provide
protection and instrumentation enabling operators to understand and defend against
attacks. As the vulnerability economy continues to mature, it is critical for both
vendors and network providers to collaboratively deliver these protections to the IP
infrastructure.”
–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system
engineer supporting the service provider organization. David focuses on IP core and
edge architectures including IP routing, MPLS technologies, QoS, infrastructure
security, and network telemetry.
• Understand the operation of IP networks and routers
• Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
• Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
• Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
• Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
• Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
• Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques
This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

---Resource from ciscopress.com

More Related Tips:
What’s the Order of Operations for Cisco IOS?




                                                http://blog.router-switch.com/

More Related Content

What's hot

Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPANLinux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPANSamsung Open Source Group
 
How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
 
L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)Motonori Shindo
 
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIO
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIOLF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIO
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIOLF_OpenvSwitch
 
WebRTC Identity in SAML Federations
WebRTC Identity in SAML FederationsWebRTC Identity in SAML Federations
WebRTC Identity in SAML FederationsMihály Mészáros
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewMichelle Holley
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLETariq Sheikh
 
LAS16-306: Exploring the Open Trusted Protocol
LAS16-306: Exploring the Open Trusted ProtocolLAS16-306: Exploring the Open Trusted Protocol
LAS16-306: Exploring the Open Trusted ProtocolLinaro
 
Chapter 21 : DHCP
Chapter 21 : DHCPChapter 21 : DHCP
Chapter 21 : DHCPteknetir
 
Open vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream KernelOpen vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream KernelNetronome
 
CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9Nil Menon
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceSamsung Open Source Group
 
Introduction to Linux-wpan and Potential Collaboration
Introduction to Linux-wpan and Potential CollaborationIntroduction to Linux-wpan and Potential Collaboration
Introduction to Linux-wpan and Potential CollaborationSamsung Open Source Group
 

What's hot (18)

Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPANLinux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
Linux Kernel Status Report for IEEE 802.15.4 & 6LoWPAN
 
How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco Routers
 
6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking Protocol6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking Protocol
 
L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)L2 over l3 ecnaspsulations (english)
L2 over l3 ecnaspsulations (english)
 
WebRTC eduCONF
WebRTC eduCONFWebRTC eduCONF
WebRTC eduCONF
 
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIO
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIOLF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIO
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIO
 
WebRTC Identity in SAML Federations
WebRTC Identity in SAML FederationsWebRTC Identity in SAML Federations
WebRTC Identity in SAML Federations
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology Overview
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLE
 
LAS16-306: Exploring the Open Trusted Protocol
LAS16-306: Exploring the Open Trusted ProtocolLAS16-306: Exploring the Open Trusted Protocol
LAS16-306: Exploring the Open Trusted Protocol
 
Chapter 21 : DHCP
Chapter 21 : DHCPChapter 21 : DHCP
Chapter 21 : DHCP
 
Open vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream KernelOpen vSwitch Offload: Conntrack and the Upstream Kernel
Open vSwitch Offload: Conntrack and the Upstream Kernel
 
Stun turn poc_pilot
Stun turn poc_pilotStun turn poc_pilot
Stun turn poc_pilot
 
Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
 
Webrtc puzzle
Webrtc puzzleWebrtc puzzle
Webrtc puzzle
 
CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
 
Introduction to Linux-wpan and Potential Collaboration
Introduction to Linux-wpan and Potential CollaborationIntroduction to Linux-wpan and Potential Collaboration
Introduction to Linux-wpan and Potential Collaboration
 

Similar to Cisco ios order of operation

IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
I pv6 mrtg_20111025
I pv6 mrtg_20111025I pv6 mrtg_20111025
I pv6 mrtg_20111025itsuki810
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersIT Tech
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisP1Security
 
TechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessTechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessRobb Boyd
 
6lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp016lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp01mrmr2010i
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4Irsandi Hasan
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pixangelitoh11
 
Cisco 900 Series Integrated Services Routers Datasheet
Cisco 900 Series Integrated Services Routers DatasheetCisco 900 Series Integrated Services Routers Datasheet
Cisco 900 Series Integrated Services Routers Datasheet美兰 曾
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
 
Presentaion SDWAN ECOBANK -Juil - 21.pdf
Presentaion SDWAN ECOBANK -Juil - 21.pdfPresentaion SDWAN ECOBANK -Juil - 21.pdf
Presentaion SDWAN ECOBANK -Juil - 21.pdfJeanJacquesBely
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015ICT PRISTINE
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network EvolutionCisco Canada
 
cisco-vs-s720-10g-3c-datasheet.pdf
cisco-vs-s720-10g-3c-datasheet.pdfcisco-vs-s720-10g-3c-datasheet.pdf
cisco-vs-s720-10g-3c-datasheet.pdfHi-Network.com
 
Web Security Deployment
Web Security DeploymentWeb Security Deployment
Web Security DeploymentCisco Canada
 

Similar to Cisco ios order of operation (20)

IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
I pv6 mrtg_20111025
I pv6 mrtg_20111025I pv6 mrtg_20111025
I pv6 mrtg_20111025
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPF
 
NetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routers
 
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe LangloisAttacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
Attacking SS7 - P1 Security (Hackito Ergo Sum 2010) - Philippe Langlois
 
TechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessTechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined Access
 
6lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp016lowpan 110828234426-phpapp01
6lowpan 110828234426-phpapp01
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
 
Cisco 900 Series Integrated Services Routers Datasheet
Cisco 900 Series Integrated Services Routers DatasheetCisco 900 Series Integrated Services Routers Datasheet
Cisco 900 Series Integrated Services Routers Datasheet
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
CCNA Icnd110 s06l01
 CCNA Icnd110 s06l01 CCNA Icnd110 s06l01
CCNA Icnd110 s06l01
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
Presentaion SDWAN ECOBANK -Juil - 21.pdf
Presentaion SDWAN ECOBANK -Juil - 21.pdfPresentaion SDWAN ECOBANK -Juil - 21.pdf
Presentaion SDWAN ECOBANK -Juil - 21.pdf
 
6lowpan
6lowpan6lowpan
6lowpan
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 
cisco-vs-s720-10g-3c-datasheet.pdf
cisco-vs-s720-10g-3c-datasheet.pdfcisco-vs-s720-10g-3c-datasheet.pdf
cisco-vs-s720-10g-3c-datasheet.pdf
 
Web Security Deployment
Web Security DeploymentWeb Security Deployment
Web Security Deployment
 

More from IT Tech

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setupIT Tech
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideIT Tech
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideIT Tech
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faqIT Tech
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesIT Tech
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresIT Tech
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solutionIT Tech
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesIT Tech
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesIT Tech
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesIT Tech
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellIT Tech
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000IT Tech
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexIT Tech
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesIT Tech
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesIT Tech
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration exampleIT Tech
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700IT Tech
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration optionsIT Tech
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement modelIT Tech
 

More from IT Tech (20)

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setup
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guide
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guide
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faq
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switches
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi features
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solution
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switches
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modes
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fex
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches series
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 series
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration example
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

Cisco ios order of operation

  • 1. Cisco IOS Order of Operation Here we found information on the order of operation of the different features on an interface and the packet traverses the IOS software from Cisco.com, which may not suitable for every case table. Anyway, check it whether is suitable or not. Inside-to-Outside Outside-to-Inside  If IPSec then check input access list  decryption – for CET (Cisco Encryption Technology) or IPSec  check input access list  check input rate limits  input accounting  policy routing  routing  redirect to web cache  NAT inside to outside (local to global translation)  crypto (check map and mark for encryption)  check output access list  inspect (Context-based Access Control (CBAC))  TCP intercept  encryption  Queueing  If IPSec then check input access list  decryption – for CET or IPSec  check input access list  check input rate limits  input accounting  NAT outside to inside (global to local translation)  policy routing  routing  redirect to web cache  crypto (check map and mark for encryption)  check output access list  inspect CBAC  TCP intercept  encryption  Queueing All right, the above we delivered is the “official version”. But there are others that were provided by some professional network engineers are pretty complete. See the following for a larger diagram. http://blog.router-switch.com/
More notes: Some variations in feature ordering may occur in specific router platforms, IOS software releases, and switching paths (i.e. CEF versus process-switched).

Ingress Features
1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features
1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)

* A note about virtual-reassembly

Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or “ip virtual reassembly”. Operations above marked with a * will process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE, which forward the reassembled packet. Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and
QoS still need to be aware of how ACLs interact with fragments (http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml).

Routing Features
1. Routing table lookup (if packet isn’t marked with a PBR next-hop)
2. tcp adjust-mss

NOTE: Order of Operation for IOS 12.3(8)T and Later

More Notes: A Related Best Cisco Book

Router Security Strategies: Securing IP Network Traffic Planes

Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understand and implement IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking.

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand
the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section. The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.

“Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure. The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure.” –Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.
- Understand the operation of IP networks and routers
- Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
- Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
- Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
- Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
- Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
- Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and
resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

---Resource from ciscopress.com

More Related Tips: What’s the Order of Operations for Cisco IOS?