Cisco IOS Order of Operation

Here is information we found on Cisco.com about the order in which the different features on an interface operate as a packet traverses the IOS software. The table may not suit every case, so check whether it applies to yours.

Inside-to-Outside
1. If IPSec, then check input access list
2. Decryption – for CET (Cisco Encryption Technology) or IPSec
3. Check input access list
4. Check input rate limits
5. Input accounting
6. Policy routing
7. Routing
8. Redirect to web cache
9. NAT inside to outside (local to global translation)
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect (Context-based Access Control (CBAC))
13. TCP intercept
14. Encryption
15. Queueing

Outside-to-Inside
1. If IPSec, then check input access list
2. Decryption – for CET or IPSec
3. Check input access list
4. Check input rate limits
5. Input accounting
6. NAT outside to inside (global to local translation)
7. Policy routing
8. Routing
9. Redirect to web cache
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect (CBAC)
13. TCP intercept
14. Encryption
15. Queueing

All right, the above is the “official version”. But there are other versions, provided by professional network engineers, that are pretty complete. See the following for a larger diagram.
http://blog.router-switch.com/
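As an added example (not code from the page or from Cisco), here is a small Python model of the two “official” orders above, reduced to the three stages that read or rewrite addresses: input access list, NAT, output access list. The NAT entry, addresses and ACL entries are constructed; the point it shows is that the input ACL on the outside interface is evaluated before NAT and so must match the inside-global address, while the output ACL on the inside interface runs after NAT and sees the inside-local one.

```python
"""Model of the two feature orders above, reduced to the stages that see or rewrite
addresses (input ACL, NAT, output ACL). Added example, not page or Cisco code."""
from dataclasses import dataclass, field
NAT_IN_TO_OUT = {"10.0.0.5": "203.0.113.5"}  # constructed inside-local -> inside-global
NAT_OUT_TO_IN = {g: l for l, g in NAT_IN_TO_OUT.items()}

@dataclass
class Packet:
    src: str
    dst: str
    trace: list = field(default_factory=list)  # what each ACL stage evaluated

def acl(stage, entries):
    """entries: (action, src, dst); 'any' matches all; implicit deny at the end."""
    def stage_fn(pkt):
        for action, src, dst in entries + [("deny", "any", "any")]:
            if src in ("any", pkt.src) and dst in ("any", pkt.dst):
                pkt.trace.append(f"{stage} saw {pkt.src}->{pkt.dst}: {action}")
                return action == "permit"
    return stage_fn

def nat(mapping, attr):
    """Rewrite one address field when the NAT table has a translation for it."""
    def stage_fn(pkt):
        setattr(pkt, attr, mapping.get(getattr(pkt, attr), getattr(pkt, attr)))
        return True
    return stage_fn

# Both tables place NAT between the input and output ACL checks; only the field it
# rewrites differs: source address inside-to-outside, destination outside-to-inside.
DIRECTIONS = {"inside-to-outside": (NAT_IN_TO_OUT, "src"),
              "outside-to-inside": (NAT_OUT_TO_IN, "dst")}

def forward(direction, pkt, in_acl, out_acl):
    table, attr = DIRECTIONS[direction]
    stages = [acl(f"{direction} input ACL", in_acl), nat(table, attr),
              acl(f"{direction} output ACL", out_acl)]
    return all(fn(pkt) for fn in stages)  # first False drops the packet

def demo():
    # Outside input ACL written for the local address never matches (pre-NAT);
    # the same rule written for the global address permits the packet.
    permit_all = [("permit", "any", "any")]
    by_local = forward("outside-to-inside", Packet("198.51.100.7", "203.0.113.5"),
                       [("permit", "any", "10.0.0.5")], permit_all)
    pkt = Packet("198.51.100.7", "203.0.113.5")
    by_global = forward("outside-to-inside", pkt, [("permit", "any", "203.0.113.5")], permit_all)
    reply = Packet("10.0.0.5", "198.51.100.7")  # return traffic, inside-to-outside
    forward("inside-to-outside", reply, permit_all, permit_all)
    return by_local, by_global, pkt.trace[-1], reply.trace[-1]
```

Calling demo() returns (False, True, ...) together with the addresses each output ACL actually evaluated, i.e. the local destination on the inside interface and the global source on the outside interface.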
More notes:
Some variations in feature ordering may occur in specific router platforms, IOS software releases, and switching paths (i.e. CEF versus process-switched).

Ingress Features
1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features
1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED) *

A note about virtual-reassembly
Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or “ip virtual-reassembly”. Operations above marked with a * process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE, which forward the reassembled packet. Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and QoS still need to be aware of how ACLs interact with fragments (http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml).

Routing Features
1. Routing table lookup (if packet isn’t marked with a PBR next-hop)
2. tcp adjust-mss

NOTE: The lists above give the order of operation for IOS 12.3(8)T and later.

More Notes: A Related Best Cisco Book
Router Security Strategies: Securing IP Network Traffic Planes

Router Security Strategies: Securing IP Network Traffic Planes provides a comprehensive approach to understanding and implementing IP traffic plane separation and protection on IP routers. This book details the distinct traffic planes of IP networks and the advanced techniques necessary to operationally secure them. This includes the data, control, management, and services planes that provide the infrastructure for IP networking.

The first section provides a brief overview of the essential components of the Internet Protocol and IP networking. At the end of this section, you will understand the fundamental principles of defense in depth and breadth security as applied to IP traffic planes. Techniques to secure the IP data plane, IP control plane, IP management plane, and IP services plane are covered in detail in the second section. The final section provides case studies from both the enterprise network and the service provider network perspectives. In this way, the individual IP traffic plane security techniques reviewed in the second section of the book are brought together to help you create an integrated, comprehensive defense in depth and breadth security architecture.

“Understanding and securing IP traffic planes are critical to the overall security posture of the IP infrastructure. The techniques detailed in this book provide protection and instrumentation enabling operators to understand and defend against attacks. As the vulnerability economy continues to mature, it is critical for both vendors and network providers to collaboratively deliver these protections to the IP infrastructure.”
– Russell Smoak, Director, Technical Services, Security Intelligence Engineering, Cisco

Gregg Schudel, CCIE No. 9591, joined Cisco in 2000 as a consulting system engineer supporting the U.S. service provider organization. Gregg focuses on IP core network security architectures and technology for interexchange carriers and web services providers.

David J. Smith, CCIE No. 1986, joined Cisco in 1995 and is a consulting system engineer supporting the service provider organization. David focuses on IP core and edge architectures including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry.
- Understand the operation of IP networks and routers
- Learn about the many threat models facing IP networks, Layer 2 Ethernet switching environments, and IPsec and MPLS VPN services
- Learn how to segment and protect each IP traffic plane by applying defense in depth and breadth principles
- Use security techniques such as ACLs, rate limiting, IP Options filtering, uRPF, QoS, RTBH, QPPB, and many others to protect the data plane of IP and switched Ethernet networks
- Secure the IP control plane with rACL, CoPP, GTSM, MD5, BGP and ICMP techniques and Layer 2 switched Ethernet-specific techniques
- Protect the IP management plane with password management, SNMP, SSH, NTP, AAA, as well as other VPN management, out-of-band management, and remote access management techniques
- Secure the IP services plane using recoloring, IP fragmentation control, MPLS label control, and other traffic classification and process control techniques

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
---
Resource from ciscopress.com