Edit post Follow this blog Administration + Create my blog
Cisco & Cisco Network Hardware News and Technology

Cisco IOS Order of Operation

January 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Here we found information on the order of operation of the different features on an interface and the packet traverses the IOS software from Cisco.com, which may not suitable for every case table. Anyway, check it whether is suitable or not.

Inside-to-Outside Outside-to-Inside

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • policy routing
  • routing
  • redirect to web cache
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing
  • If IPSec then check input access list
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • redirect to web cache
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

All right, the above we delivered is the “official version”. But there are others that were provided by some professional network engineers are pretty complete.

See the following for a larger diagram.


More notes: Some variations in feature ordering may occur in specific router platforms, IOS software releases, and switching paths (i.e. CEF versus process-switched).

Ingress Features

Egress Features

1. Virtual Reassembly *

1. Output IOS IPS Inspection

2. IP Traffic Export (RITE)

2. Output WCCP Redirect

3. QoS Policy Propagation through BGP (QPPB)


4. Ingress Flexible NetFlow *

4. NAT Inside-to-Outside or NAT Enable *

5. Network Based Application Recognition (NBAR)

5. Network Based Application Recognition (NBAR)

6. Input QoS Classification

6. BGP Policy Accounting

7. Ingress NetFlow *

7. Lawful Intercept

8. Lawful Intercept

8. Check crytpo map ACL and mark for encryption

9. IOS IPS Inspection (inbound)

9. Output QoS Classification

10. Input Stateful Packet Inspection (IOS FW) *

10. Output ACL check (if not marked for encryption)

11. Check reverse crypto map ACL

11. Crypto outbound ACL check (if marked for encryption)

12. Input ACL (unless existing NetFlow record was found)

12. Output Flexible Packet Matching (FPM)

13. Input Flexible Packet Matching (FPM)

13. DoS Tracker

14. IPsec Decryption (if encrypted)

14. Output Stateful Packet Inspection (IOS FW) *

15. Crypto inbound ACL check (if packet had been encrypted)

15. TCP Intercept

16. Unicast RPF check

16. Output QoS Marking

17. Input QoS Marking

17. Output Policing (CAR)

18. Input Policing (CAR)

18. Output MAC/Precedence Accounting

19. Input MAC/Precedence Accounting

19. IPsec Encryption

20. NAT Outside-to-Inside *

20. Output ACL check (if encrypted)

21. Policy Routing

21. Egress NetFlow *

22. Input WCCP Redirect

22. Egress Flexible NetFlow *


23. Egress RITE


24. Output Queuing (CBWFQ, LLQ, WRED)

* A note about virtual-reassembly

Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or “ip virtual reassembly”. Operations above marked with a * will process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE which forward the reassembled packet.


Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and QoS still need to be aware of how ACLs interact with fragments



Routing Features

1. Routing table lookup (if packet isn’t marked with a PBR next-hop) 2. tcp adjust-mss

NOTE: Order of Operation for IOS 12.3(8)T and Later


---Reference from http://etherealmind.com/cisco-ios-order-of-operation/

More Notes: A Related Best Cisco Book

Router Security Strategies: Securing IP Network Traffic Planes


Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understand and implement IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking. 


The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section.


The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.


“Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure.  The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure.”

–Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco


Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.


David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.

  • Understand the operation of IP networks and routers
  • Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
  • Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
  • Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
  • Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
  • Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
  • Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

 This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Note: More Reviews about this book you can see ciscopress.com

More Related Tips:

What’s the Order of Operations for Cisco IOS?

More Cisco and Networking Tips you can referto http://blog.router-switch.com/

Share this post
To be informed of the latest articles, subscribe:
Comment on this post