[Cisco] IOS Order of Operations

Interface input/output order of operation

Ingress Features
1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect

Egress Features
1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)

* A note about virtual-reassembly

Credit: http://etherealmind.com/cisco-ios-order-of-operation/

[Cisco] BGP Order of Operation

For inbound updates the order of preference is:
  - route-map
  - filter-list
  - prefix-list, distribute-list

For outbound updates the order of preference is:
  - prefix-list, distribute-list
  - filter-list
  - route-map

Note: The attributes prefix-list and distribute-list are mutually exclusive, and only one command (neighbor prefix-list or neighbor distribute-list) can be applied to each inbound or outbound direction for a particular neighbor.

[Cisco] NAT Order of Operation

Inside-to-Outside

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside

  • If IPSec then check input access list
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing
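As an added illustration (not part of the original notes), a small Python model of the two NAT lists above: it reduces each direction to the steps that inspect or rewrite addresses and walks a packet through them, which makes visible that an input ACL sees pre-translation addresses while an output ACL sees post-translation ones. The NAT table, addresses and ACL entries are constructed sample values.

```python
# Added example (not from the original page): a small model of the NAT order of
# operation listed above, showing which address each ACL check "sees".
# Addresses, ACL entries and the NAT table are constructed sample values.

NAT_TABLE = {"10.0.0.5": "203.0.113.5"}          # inside local -> inside global
REVERSE_NAT = {g: l for l, g in NAT_TABLE.items()}

# Per-direction order, reduced to the steps that inspect or rewrite addresses;
# the relative order of these steps is taken from the two lists above.
ORDER = {
    "inside-to-outside": ["input_acl", "routing", "nat", "output_acl"],
    "outside-to-inside": ["input_acl", "nat", "routing", "output_acl"],
}

def acl_permits(acl, src, dst):
    """acl: list of (action, src, dst); first match wins, implicit deny at end."""
    for action, a_src, a_dst in acl:
        if a_src in ("any", src) and a_dst in ("any", dst):
            return action == "permit"
    return False

def forward(src, dst, direction, input_acl, output_acl):
    """Walk the pipeline. Returns (forwarded, addresses seen at each step)."""
    seen = []
    for step in ORDER[direction]:
        if step == "nat":
            if direction == "inside-to-outside":
                src = NAT_TABLE.get(src, src)        # local -> global
            else:
                dst = REVERSE_NAT.get(dst, dst)      # global -> local
        seen.append((step, src, dst))
        if step == "input_acl" and not acl_permits(input_acl, src, dst):
            return False, seen
        if step == "output_acl" and not acl_permits(output_acl, src, dst):
            return False, seen
    return True, seen

PERMIT_ANY = [("permit", "any", "any")]

# An inbound ACL on the outside interface written against the inside *local*
# address never matches: NAT outside-to-inside runs after the input ACL check,
# so the implicit deny drops the packet. The global address is what it sees.
WRONG_OUTSIDE_IN_ACL = [("permit", "any", "10.0.0.5")]
RIGHT_OUTSIDE_IN_ACL = [("permit", "any", "203.0.113.5")]

def outside_to_inside(input_acl):
    """Return traffic from 198.51.100.9 to the inside host's global address."""
    return forward("198.51.100.9", "203.0.113.5", "outside-to-inside",
                   input_acl, PERMIT_ANY)
```

The same model applied inside-to-outside shows the mirror image: the output ACL on the outside interface must reference the translated (global) source address, because NAT inside-to-outside runs before the output ACL check.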