The order of operations is hard coded into Cisco IOS and tells the router how to process traffic according to the configuration of different router functions and features. While we cant’ make you think like a router, it is likely you have already picked up on some of these. When configuring features such as Network Address Translation (NAT), Quality of Service (QoS), and encryption, it’s essential to understand the order of operations in order to configure these features successfully.
QoS Order of Operations
Here’s the order of operations for inbound traffic to the router:
1. QoS Policy Propagation through Border Gateway Protocol (BGP) or QPPB
2. Input common classification
3. Input ACL’s
4. Input marking – class-based marking or Committed Access Rate (CAR)
5. Input policing – through a class-based policer or CAR
6. IPSec
7. Cisco Express Forwarding (CEF) or Fast Switching
Here’s the order of operations for outbound traffic from the router:
1. CEF or Fast Switching
2. Output common classification
3. Output ACL’s
4. Output marking
5. Output policing through a class-based policer or CAR
6. Queueing – Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)) and Weighted Random Early Detection (WRED)
NAT Order of Operations
We assume understanding of NAT basic operations. If the packet is from a NAT inside-designated interface, it uses the inside-to-outside list. If the packet is from an outside-to-inside interface, it uses that list.
Here’s the order of operations for the inside-to-outside list:
1. If IPSec, then check input access list
2. Decryption for Cisco Encryption Technology (CET) or IPSec
3. Check input access list
4. Check input rate limits
5. Input accounting
6. Policy routing
7. Routing
8. Redirect to Web cache
9. NAT inside to outside (local to global translation)
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect context-based access control (CBAC)
13. TCP intercept
14. Encryption
Here’s the order of operations for the outside-to-inside list:
1. If IPSec, then check input access list
2. Decryption for CET or IPSec
3. Check input access list
4. Check input rate limits
5. Input accounting
6. NAT outside to inside (global to local translation)
7. Policy routing
8. Routing
9. Redirect to Web cache
10. Crypto (check map and mark for encryption)
11. Check output access list
12. Inspect CBAC
13. TCP intercept
14. Encryption
Let’s say that you have an IP packet coming in from an outside-to-inside interface. When translating that packet, you want to use an access control list to block traffic from certain IP addresses. Which IP address should you put in the ACL the IP address before the packet’s translation (i.e., the public IP address), or the IP address after the packet’s translation (i.e., the private address)?
By checking the order of operations, you can determine that the “NAT outside to inside” operation occurs after the “Check input access list” task. Therefore, you would use the public IP address in the ACL because the packet hasn’t gone through NAT.
On the other hand, what if you want to create a static route for traffic going through NAT? In this case, you would use the private (inside) IP address because the traffic has already gone through NAT when it gets to the “Routing” operation.
We hope this helps you to understand the Order of Operations and impact of these orders in Cisco IOS.