IOS order-of-operation
I want to thank Craig Weinhold for sending me an email pointing out that in my ASA Order of Operation post I referred to the old IOS order-of-operation document; he also sent me an updated and very detailed IOS Order of Operation list. I have posted Craig’s complete email below. Thanks again, Craig!
Thanks for posting the ASA order-of-operation — it’ll come in handy. You refer to the old IOS order-of-operation document — useful but very dated. David Smith and Greg Schudel have an updated version in their CiscoPress book “Router Security Strategies: Securing IP Network Traffic Planes”, but it neglected to touch on NVI’s, crypto clear-text ACLs, virtual reassembly, and other esoteric details. I worked with them last summer to come up with a more authoritative IOS order-of-operation for 12.4/12.4T. It’s necessarily incomplete, but it sheds light on many esoteric feature interactions. It’s attached below:
===========================================================================
Big caveat: Some variations in feature ordering may occur in specific router platforms, IOS software releases, and switching paths (i.e., CEF versus process-switched).
Ingress Features
1. Virtual Reassembly *
2. IP Traffic Export (RITE)
3. QoS Policy Propagation through BGP (QPPB)
4. Ingress Flexible NetFlow *
5. Network Based Application Recognition (NBAR)
6. Input QoS Classification
7. Ingress NetFlow *
8. Lawful Intercept
9. IOS IPS Inspection (inbound)
10. Input Stateful Packet Inspection (IOS FW) *
11. Check reverse crypto map ACL
12. Input ACL (unless existing NetFlow record was found)
13. Input Flexible Packet Matching (FPM)
14. IPsec Decryption (if encrypted)
15. Crypto inbound ACL check (if packet had been encrypted)
16. Unicast RPF check
17. Input QoS Marking
18. Input Policing (CAR)
19. Input MAC/Precedence Accounting
20. NAT Outside-to-Inside *
21. Policy Routing
22. Input WCCP Redirect
Routing Features
1. Routing table lookup (if packet isn’t marked with a PBR next-hop)
2. tcp adjust-mss
Egress Features
1. Output IOS IPS Inspection
2. Output WCCP Redirect
3. NM-CIDS
4. NAT Inside-to-Outside or NAT Enable *
5. Network Based Application Recognition (NBAR)
6. BGP Policy Accounting
7. Lawful Intercept
8. Check crypto map ACL and mark for encryption
9. Output QoS Classification
10. Output ACL check (if not marked for encryption)
11. Crypto outbound ACL check (if marked for encryption)
12. Output Flexible Packet Matching (FPM)
13. DoS Tracker
14. Output Stateful Packet Inspection (IOS FW) *
15. TCP Intercept
16. Output QoS Marking
17. Output Policing (CAR)
18. Output MAC/Precedence Accounting
19. IPsec Encryption
20. Output ACL check (if encrypted)
21. Egress NetFlow *
22. Egress Flexible NetFlow *
23. Egress RITE
24. Output Queuing (CBWFQ, LLQ, WRED)
* A note about virtual-reassembly
Virtual-reassembly causes the router to internally reassemble fragmented packets. It is enabled when an interface is configured with NAT, CBAC, or “ip virtual-reassembly”. Operations above marked with a * will process the reassembled version of a packet. All other operations process the individual fragments. After virtual reassembly is complete, the router forwards the original fragments, albeit in proper order. This behavior is very different from PIX/ASA/FWSM and ACE, which forward the reassembled packet.
Thus, even if virtual-reassembly is turned on, ACLs used for input access-groups and QoS still need to be aware of how ACLs interact with fragments (http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml).
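As an added illustration of that last point (not part of the original post, Craig’s email, or the Cisco white paper), here is a small Python model of how an IOS input ACL, which sees the individual fragments, evaluates non-initial fragments: an ACE that carries Layer 4 information cannot match a non-initial fragment, so a deny with a port number is skipped and a later Layer 3-only permit lets the fragment through unless an ACE with the `fragments` keyword decides first. The addresses, ACLs and packets are constructed, and address matching is simplified to exact-or-any.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # IP protocol name as carried in the IP header
    dport: Optional[int]     # None on non-initial fragments (no L4 header present)
    frag_offset: int = 0     # > 0 marks a non-initial fragment

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol
    src: str                 # "any" or an exact address (simplification)
    dst: str
    dport: Optional[int] = None   # L4 information present when not None
    fragments: bool = False       # the IOS `fragments` keyword

def l3_match(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst))

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the ACL verdict for one packet or fragment, implicit deny at the end."""
    non_initial = pkt.frag_offset > 0
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:              # matches non-initial fragments only
            if non_initial:
                return ace.action
            continue
        if ace.dport is None:          # L3-only ACE: applies to every fragment
            return ace.action
        if non_initial:                # L4 ACE vs. fragment without L4 header:
            if ace.action == "permit": # permit applies on the L3 match alone,
                return "permit"
            continue                   # deny does not; fall through to next ACE
        if pkt.dport == ace.dport:
            return ace.action
    return "deny"

# Constructed sample: a telnet block followed by a broad permit to the host.
HOST = "10.1.1.1"
PERMISSIVE_ACL = [Ace("deny", "tcp", "any", HOST, dport=23), Ace("permit", "ip", "any", HOST)]
# Same policy with the fragment decision made explicit up front.
FRAGMENT_AWARE_ACL = [Ace("deny", "ip", "any", HOST, fragments=True)] + PERMISSIVE_ACL

INITIAL_TELNET = Packet("192.0.2.7", HOST, "tcp", 23, 0)
INITIAL_HTTP = Packet("192.0.2.7", HOST, "tcp", 80, 0)
NON_INITIAL = Packet("192.0.2.7", HOST, "tcp", None, 185)   # trailing fragment
```

With PERMISSIVE_ACL the initial fragment of the telnet session is denied but its trailing fragments are permitted; FRAGMENT_AWARE_ACL denies the trailing fragments while still permitting ordinary HTTP traffic.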

Comment by Carl Burkland on 1 October 2008:
Thanks for this post…I read over your last one on the ASA order of operation and it started me searching for a definitive OOO for IOS, but nothing was incredibly recent.
Comment by vladimir macko on 6 November 2008:
Hi Joe,
thanks a lot for that very useful information.
My question is, where in this order-of-operation is the step when you generate a packet from the router CLI
(for example, a ping with the IP address of a Loopback interface)?
Thanks a lot,
Vladimir
Comment by Donald on 12 November 2008:
Hi Joe
This is awesome, thank you. Really helped with our QoS design for video conferencing. I am assuming that policy-routing decisions will occur prior to QoS output queuing for egress traffic?
I ask as we are setting ‘ip precedence priority’ with a route map to make our VC traffic higher priority than other traffic thus getting guaranteed bandwidth at times of congestion.
Cheers
Donald