Cisco IOS Order of Operation
Here is the order in which the different features configured on an interface act on a
packet as it traverses Cisco IOS software, taken from Cisco.com. The table may not apply
to every case (platform, release and switching path all matter), so check whether it
matches your own before relying on it.
Inside-to-Outside

• If IPSec then check input access list
• decryption – for CET (Cisco Encryption Technology) or IPSec
• check input access list
• check input rate limits
• input accounting
• policy routing
• routing
• redirect to web cache
• NAT inside to outside (local to global translation)
• crypto (check map and mark for encryption)
• check output access list
• inspect (Context-based Access Control (CBAC))
• TCP intercept
• encryption
• queueing

Outside-to-Inside

• If IPSec then check input access list
• decryption – for CET or IPSec
• check input access list
• check input rate limits
• input accounting
• NAT outside to inside (global to local translation)
• policy routing
• routing
• redirect to web cache
• crypto (check map and mark for encryption)
• check output access list
• inspect (CBAC)
• TCP intercept
• encryption
• queueing
The list above is the “official version”. Orderings compiled by practising network
engineers are more complete; one of them follows.

See the following for a larger diagram.




                                                        http://blog.router-switch.com/
More notes: Some variations in feature ordering may occur on specific router
platforms, in specific IOS software releases, and between switching paths (e.g. CEF
versus process-switched).
Ingress Features

1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features

1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)
* A note about virtual-reassembly

Virtual-reassembly causes the router to internally reassemble fragmented packets. It
is enabled when an interface is configured with NAT, CBAC, or “ip virtual-reassembly”.
Operations above marked with a * process the reassembled version of a packet.
All other operations process the individual fragments. After virtual reassembly is
complete, the router forwards the original fragments, albeit in proper order. This
behavior is very different from PIX/ASA/FWSM and ACE, which forward the
reassembled packet.

Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and
QoS still need to be written with an understanding of how ACLs interact with fragments
(http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml).

Routing Features

1. Routing table lookup (if the packet isn't marked with a PBR next-hop)
2. tcp adjust-mss

NOTE: Order of Operation for IOS 12.3(8)T and Later
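Two ordering facts in the tables above are what most often break an ACL on the outside interface: the input ACL (ingress 12) runs before NAT outside-to-inside (ingress 20), so it sees the global address, and before IPsec decryption (ingress 14), so it sees the ESP packet rather than the cleartext; and, per the fragments white paper linked above, a non-initial fragment carries no L4 header, so an ACE with port information matches it on L3 alone when it is a permit and is skipped when it is a deny. The Python below is an added example, not code from this page or from Cisco: it walks constructed packets through those four stages (input ACL, decryption, crypto inbound ACL check, NAT outside-to-inside) using a first-match ACL evaluator that implements the fragment rule. The addresses, ACL contents, static NAT entry and the `Packet`/`Ace` types are all hypothetical. It follows the 12.3(8)T-and-later table, which lists the interface ACL once, before decryption; the older list at the top of the page re-runs the interface ACL after decryption, and on those releases the decrypted packet would also need its own permit there.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp", "esp", ...
    src: str
    dst: str
    dport: Optional[int] = None       # None when there is no L4 header (ESP, non-initial fragment)
    frag_offset: int = 0              # > 0 marks a non-initial fragment
    inner: Optional["Packet"] = None  # cleartext packet carried inside an ESP packet


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" | "deny"
    proto: str                        # "ip" matches any protocol
    src: str                          # CIDR
    dst: str                          # CIDR
    dport: Optional[int] = None       # L4 information; None means an L3-only ACE
    fragments: bool = False           # IOS 'fragments' keyword: non-initial fragments only


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """IOS fragment rule: a non-initial fragment has no L4 header, so an ACE with
    L4 information matches it on L3 alone if it is a permit and is skipped if it is a deny."""
    l3 = (ace.proto in ("ip", pkt.proto)
          and ip_address(pkt.src) in ip_network(ace.src)
          and ip_address(pkt.dst) in ip_network(ace.dst))
    if not l3:
        return False
    non_initial = pkt.frag_offset > 0
    if ace.fragments:
        return non_initial
    if ace.dport is None:
        return True
    if non_initial:
        return ace.action == "permit"
    return pkt.dport == ace.dport


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching ACE decides; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def outside_ingress(pkt: Packet, input_acl, crypto_acl, static_nat):
    """Ingress stages from the 12.3(8)T+ table: Input ACL (12), IPsec Decryption (14),
    Crypto inbound ACL check (15), NAT Outside-to-Inside (20). Returns (permitted, trace)."""
    trace = []
    # 12: the interface ACL sees the packet as received: ESP if encrypted, global (pre-NAT) destination.
    if not acl_permits(input_acl, pkt):
        return False, trace + [f"input ACL drops {pkt.proto} {pkt.src}->{pkt.dst}"]
    trace.append(f"input ACL permits {pkt.proto} {pkt.src}->{pkt.dst}")
    # 14/15: decrypt, then the cleartext must match the mirrored crypto ACL.
    if pkt.proto == "esp" and pkt.inner is not None:
        pkt = pkt.inner
        trace.append("IPsec decryption")
        if not acl_permits(crypto_acl, pkt):
            return False, trace + ["crypto inbound ACL check fails"]
        trace.append("crypto inbound ACL check passes")
    # 20: only now is the global destination rewritten to the local address.
    local = static_nat.get(pkt.dst, pkt.dst)
    if local != pkt.dst:
        trace.append(f"NAT outside-to-inside {pkt.dst} -> {local}")
        pkt = replace(pkt, dst=local)
    return True, trace


# Constructed sample policy: hypothetical addresses, not taken from the page.
STATIC_NAT = {"203.0.113.10": "10.1.1.10"}   # global -> local web server
INPUT_ACL = [
    Ace("permit", "esp", "198.51.100.1/32", "203.0.113.1/32"),       # IPsec peer to our tunnel endpoint
    Ace("permit", "udp", "198.51.100.1/32", "203.0.113.1/32", 500),  # ISAKMP
    Ace("deny", "tcp", "0.0.0.0/0", "203.0.113.10/32", 22),          # no SSH from the Internet
    Ace("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),        # web, written against the GLOBAL address
]
WRONG_ACL = [Ace("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 80)]  # written against the LOCAL address
# Dropping non-initial fragments first stops them slipping past the L4 deny,
# at the cost of breaking legitimately fragmented traffic to that host.
HARDENED_ACL = [Ace("deny", "ip", "0.0.0.0/0", "203.0.113.10/32", fragments=True)] + INPUT_ACL
CRYPTO_ACL = [Ace("permit", "ip", "192.168.2.0/24", "10.1.0.0/16")]  # mirror of the peer's crypto map ACL


def demo():
    """Constructed packets arriving on the outside interface, keyed by what each shows."""
    web = Packet("tcp", "192.0.2.7", "203.0.113.10", 80)
    frag = Packet("tcp", "192.0.2.7", "203.0.113.10", frag_offset=1)   # no L4 header
    cases = {
        "web": (web, INPUT_ACL),
        "acl_on_local_addr": (web, WRONG_ACL),        # NAT has not happened yet, so this never matches
        "ssh_fragment": (frag, INPUT_ACL),
        "ssh_fragment_hardened": (frag, HARDENED_ACL),
        "vpn_ssh": (Packet("esp", "198.51.100.1", "203.0.113.1",
                           inner=Packet("tcp", "192.168.2.5", "10.1.1.10", 22)), INPUT_ACL),
    }
    return {name: outside_ingress(p, acl, CRYPTO_ACL, STATIC_NAT) for name, (p, acl) in cases.items()}


if __name__ == "__main__":
    for name, (ok, trace) in demo().items():
        print(f"{name:22s} {'PERMIT' if ok else 'DROP':6s} {' | '.join(trace)}")
```

Running it shows the permit written against the local address never matching, the non-initial fragment slipping past the `deny ... eq 22` line until a `fragments` ACE is placed in front of it, and SSH from the VPN peer reaching the server even though the Internet-facing ACE denies it, because the interface ACL only ever inspected the ESP packet; policy for decrypted traffic has to live in the crypto ACL or on an inside firewall.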




More Notes: A Related Cisco Press Book
Router Security Strategies: Securing IP Network Traffic Planes
Router Security Strategies: Securing IP Network Traffic Planes provides a
comprehensive approach to understand and implement IP traffic plane separation
and protection on IP routers. This book details the distinct traffic planes of IP
networks and the advanced techniques necessary to operationally secure them. This
includes the data, control, management, and services planes that provide the
infrastructure for IP networking.

The first section provides a brief overview of the essential components of the
Internet Protocol and IP networking. At the end of this section, you will understand
the fundamental principles of defense in depth and breadth security as applied to IP
traffic planes. Techniques to secure the IP data plane, IP control plane, IP
management plane, and IP services plane are covered in detail in the second section.

The final section provides case studies from both the enterprise network and the
service provider network perspectives. In this way, the individual IP traffic plane
security techniques reviewed in the second section of the book are brought together
to help you create an integrated, comprehensive defense in depth and breadth
security architecture.

“Understanding and securing IP traffic planes are critical to the overall security
posture of the IP infrastructure. The techniques detailed in this book provide
protection and instrumentation enabling operators to understand and defend against
attacks. As the vulnerability economy continues to mature, it is critical for both
vendors and network providers to collaboratively deliver these protections to the IP
infrastructure.”
–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer
supporting the U.S. service provider organization. Gregg focuses on IP core network
security architectures and technology for interexchange carriers and web services
providers.

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system
engineer supporting the service provider organization. David focuses on IP core and
edge architectures including IP routing, MPLS technologies, QoS, infrastructure
security, and network telemetry.
• Understand the operation of IP networks and routers
• Learn about the many threat models facing IP networks, Layer 2 Ethernet
  switching environments, and IPsec and MPLS VPN services
• Learn how to segment and protect each IP traffic plane by applying defense in
  depth and breadth principles
• Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF,
  QoS, RTBH, QPPB, and many others to protect the data plane of IP and
  switched Ethernet networks
• Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP
  techniques and Layer 2 switched Ethernet-specific techniques
• Protect the IP management plane with password management, SNMP, SSH,
  NTP, AAA, as well as other VPN management, out-of-band management, and
  remote access management techniques
• Secure the IP services plane using recoloring, IP fragmentation control, MPLS
  label control, and other traffic classification and process control techniques
This security book is part of the Cisco Press Networking Technology Series. Security
titles from Cisco Press help networking professionals secure critical data and
resources, prevent and mitigate network attacks, and build end-to-end
self-defending networks.

---Resource from ciscopress.com

More Related Tips:
What’s the Order of Operations for Cisco IOS?



