Beginner

Cisco Packet Processing Sequence

Hi everyone,

I have a question about the Cisco packet processing sequence given below.

Inside-to-Outside (LAN to WAN)

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • policy routing
  • routing
  • redirect to web cache
  • WAAS application optimization
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing
  • MPLS VRF tunneling (if MPLS WAN deployed)

Let's suppose we have 3 routers, A, B and C. Router A encrypts the IPSec traffic and sends it to router C. Now let's examine the packet processing sequence above with regards to router B. When the traffic arrives at router B from router A, by the above sequence, router B will check for the IPSec input access list and then decrypt the traffic. Why would router B decrypt the traffic and then encrypt it again before sending it out when the traffic is actually meant to go to router C?

I am sure I am missing a very simple point here. Could someone please explain?

Thanks,

H

Hall of Fame Guru

Firstly, your order is inside to outside, and when router B receives it the traffic will be from outside to inside (presumably), and that is a different order.

But even if it wasn't, it's not clear what you mean by the traffic being meant for router C.

If the IPSEC tunnel is established between router A and router C then router B won't have any crypto configuration so that step would be bypassed.

It would simply forward the traffic to router C.

The order of operations doesn't mean every step is applied on every router. It depends on what configuration you have on the router.

So no IPSEC configuration on router B means no IPSEC processing.

Jon


OK - Thanks.

One more question. Let's take the first two steps of the process.

  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec

Assuming traffic going from router A to C.

Why would router A see traffic as IPSec? Is it not supposed to build the tunnel up first?

OK, let's assume the packet comes in when the IPSec tunnel is already up between router A and C; then why step 2? Why does router A have to decrypt that traffic?

Accepted Solution

Why does router A have to decrypt that traffic?

It doesn't.

Notice the first step says "if IPSEC ..."

But the traffic coming in from the inside to router A is not IPSEC, i.e. it is plaintext traffic. So it does not match and the decryption step is skipped.

If you notice further down in the list, just after NAT, it then checks the crypto map, and if the unencrypted traffic matches then it does a few other steps and then encrypts the traffic and sends it down the tunnel.

Jon

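To make the accepted answer concrete, here is a small Python model of the inside-to-outside order of operations quoted in the question. It is an added illustration written for this thread, not Cisco code: the stage names come from the list above, while the Router and Packet classes, the ACL/crypto-map rule format, the IP addresses and the three-router topology are all constructed for the example. Each stage runs only when the router is configured for it, so router A (crypto map, tunnel endpoint) marks and encrypts the plaintext LAN packet, while router B (no IPsec configuration) never touches steps 1, 2, the crypto map or encryption and simply forwards the ESP packet. A second variant of A shows a consequence of the same list that the thread does not spell out: NAT inside-to-outside runs before the crypto-map check, so a crypto ACL written for the inside addresses stops matching once the source is translated. Router B is run through the same list only to show the conditional stages being skipped; as Jon notes, the real outside-to-inside order is a different table.

```python
"""Toy model of the inside-to-outside order of operations quoted above.

Added illustration, not Cisco code: the stage names follow the list in the
question; the Router/Packet classes, the rule format and all addresses are
assumptions made for this example."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

ANY = [("permit", "0.0.0.0/0", "0.0.0.0/0")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"      # "esp" = IPsec-protected packet
    peer: str = ""          # tunnel endpoint an ESP packet is addressed to
    marked: bool = False    # set by the crypto-map check, consumed by encryption


@dataclass
class Router:
    name: str
    input_acl: list = field(default_factory=lambda: list(ANY))
    output_acl: list = field(default_factory=lambda: list(ANY))
    nat: dict = field(default_factory=dict)         # inside local -> inside global
    crypto_map: list = field(default_factory=list)  # (src_net, dst_net, peer)
    ipsec_local: str = ""                           # own tunnel endpoint, "" = no IPsec


def _in(addr, net):
    return ip_address(addr) in ip_network(net)


def _acl_permits(acl, pkt):
    for action, src_net, dst_net in acl:
        if _in(pkt.src, src_net) and _in(pkt.dst, dst_net):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def process(router, pkt):
    """Return (packet_as_sent, trace), or (None, trace) if the packet is dropped.

    Every stage runs only if the router is configured for it; a transit router
    with no IPsec configuration skips steps 1-2, the crypto map and encryption."""
    trace = []
    # Steps 1-2: only an IPsec packet addressed to this router's own tunnel
    # endpoint gets the IPsec input-ACL check and decryption.
    if pkt.proto == "esp" and router.ipsec_local and pkt.peer == router.ipsec_local:
        if not _acl_permits(router.input_acl, pkt):
            return None, trace + ["ipsec input acl: deny"]
        trace += ["ipsec input acl: permit", "decryption"]
        pkt = replace(pkt, proto="tcp", peer="")
    # Step 3: input ACL on the packet as it is now (plaintext, or still ESP on B).
    if not _acl_permits(router.input_acl, pkt):
        return None, trace + ["input acl: deny"]
    trace += ["input acl: permit", "routing"]
    # NAT inside-to-outside comes BEFORE the crypto-map check in the list,
    # so a crypto ACL has to match the translated source, not the inside one.
    if pkt.proto != "esp" and pkt.src in router.nat:
        pkt = replace(pkt, src=router.nat[pkt.src])
        trace.append(f"nat: {pkt.src}")
    # Crypto map: only plaintext matching an entry is marked for encryption.
    for src_net, dst_net, peer in router.crypto_map:
        if pkt.proto != "esp" and _in(pkt.src, src_net) and _in(pkt.dst, dst_net):
            pkt = replace(pkt, marked=True, peer=peer)
            trace.append(f"crypto map: mark for {peer}")
            break
    if not _acl_permits(router.output_acl, pkt):
        return None, trace + ["output acl: deny"]
    trace.append("output acl: permit")
    if pkt.marked:  # encryption is near the end, after the output ACL
        pkt = replace(pkt, proto="esp", marked=False)
        trace.append("encryption")
    return pkt, trace + ["forward"]


# Constructed topology: A terminates the tunnel towards C, B only forwards.
ROUTER_A = Router("A", crypto_map=[("10.1.0.0/16", "10.3.0.0/16", "203.0.113.3")],
                  ipsec_local="203.0.113.1")
ROUTER_B = Router("B")  # no crypto configuration of any kind
# Variant of A that translates the host before the crypto check: the crypto
# ACL above, written for 10.1.0.0/16, no longer matches and nothing is encrypted.
ROUTER_A_NAT = Router("A", nat={"10.1.1.10": "203.0.113.10"},
                      crypto_map=ROUTER_A.crypto_map, ipsec_local="203.0.113.1")
LAN_PKT = Packet(src="10.1.1.10", dst="10.3.1.10")  # constructed plaintext packet


def run_a_then_b(router_a=ROUTER_A):
    """Send the LAN packet through A, then whatever A emits through B."""
    out_a, trace_a = process(router_a, LAN_PKT)
    out_b, trace_b = process(ROUTER_B, out_a)
    return out_a, trace_a, out_b, trace_b


if __name__ == "__main__":
    for label, rtr in (("A with crypto map", ROUTER_A), ("A with NAT first", ROUTER_A_NAT)):
        out_a, trace_a, out_b, trace_b = run_a_then_b(rtr)
        print(f"{label}: A={trace_a} B={trace_b} on the wire after B: {out_b.proto}")
```

Running the script prints the per-router trace for both variants; the B trace contains no IPsec stage in either case, and the NAT variant leaves the packet in plaintext because the translated source 203.0.113.10 is outside the crypto ACL.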


OK. Makes perfect sense now.

Thanks!

VIP Mentor

It should be mentioned that this OOO table is pretty much outdated and not valid anymore for actual IOS versions. Especially the ACL check for IPsec packets was removed in 12.3T, which was nearly a decade ago.


Hi Karsten,

Could you please point me to the latest OOO table?

Thanks,

H


I'm not aware of any updated table on cisco.com, but a quick internet search gives the following blog post on etherealmind.com: http://etherealmind.com/cisco-ios-order-of-operation/


Thank you so much!!!!


H