NAT activates NBAR

A few days ago I had an "interesting" experience on a router that was running low on memory: when I enabled NAT, it immediately ran out of memory although it had over 4 MB of free memory before that (since I was doing the tests in a lab, I wasn't worried about the low free memory; in a production network, 4 MB of free memory is something to worry about).

It took me a while to figure out what was going on: the moment you enable NAT in IOS release 12.4, it activates Network Based Application Recognition (NBAR), even when CEF is disabled (and NBAR supposedly requires CEF to run).

Here's a sample test: the moment I configured a loopback interface as a NAT inside interface (it was the only NAT-enabled interface in the box), NBAR consumed 4.5 MB of memory:
R2(config)#int loop 0
R2(config-if)#ip nat inside
R2(config-if)#do show ip nbar resources
NBAR memory usage for tracking Stateful sessions
   System link age : 30 secs
   Initial memory : 4455 KBytes
   Max initial memory : 14852 KBytes
   Memory expansion : 112 KBytes
   Max memory expansion : 112 KBytes
   Memory in use : 4455 KBytes
   Max memory allowed : 29705 KBytes
   Active links : 0
   Total links : 39784
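An added example (my own code, not from the post or from Cisco): a small Python check that parses the "show ip nbar resources" output quoted above and reports whether NBAR has been activated (non-zero "Memory in use" / "Total links") and whether its initial allocation would fit in the free processor memory you have. The 4096 KB free-memory figure used in the demo run is an assumption standing in for the post's "over 4 MB"; the sample output is the one shown above.

```python
import re

# Output of "show ip nbar resources" as quoted in the post (R2 right after
# "ip nat inside" was configured on Loopback0). Embedded so the check runs offline.
SAMPLE_NBAR_RESOURCES = """\
NBAR memory usage for tracking Stateful sessions
   System link age : 30 secs
   Initial memory : 4455 KBytes
   Max initial memory : 14852 KBytes
   Memory expansion : 112 KBytes
   Max memory expansion : 112 KBytes
   Memory in use : 4455 KBytes
   Max memory allowed : 29705 KBytes
   Active links : 0
   Total links : 39784
"""

# One "<label> : <integer> [unit]" line; the unit (KBytes or secs) is optional,
# so plain counters such as "Active links : 0" match too.
_COUNTER_LINE = re.compile(
    r"^\s*(?P<label>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\d+)"
    r"(?:\s+(?P<unit>KBytes|secs))?\s*$"
)


def parse_nbar_resources(text):
    """Parse 'show ip nbar resources' into {label: int} (KBytes, seconds or counts)."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER_LINE.match(line)
        if m:
            counters[m.group("label")] = int(m.group("value"))
    return counters


def nbar_activated(counters):
    """True when NBAR has claimed its session-tracking memory.

    A box where NBAR is idle shows no memory in use and no link table; the post
    shows "ip nat inside" alone driving both to non-zero values.
    """
    return counters.get("Memory in use", 0) > 0 or counters.get("Total links", 0) > 0


def nbar_memory_headroom_kb(free_kb, counters):
    """Free memory (KB) left after NBAR's initial allocation; negative means trouble."""
    return free_kb - counters.get("Initial memory", 0)


def nat_will_exhaust_memory(free_kb, counters):
    """True if enabling NAT (and thereby NBAR) would not fit in free_kb of free memory."""
    return nbar_memory_headroom_kb(free_kb, counters) < 0


if __name__ == "__main__":
    resources = parse_nbar_resources(SAMPLE_NBAR_RESOURCES)
    assumed_free_kb = 4096  # assumption: roughly the "over 4 MB" the post mentions
    print("NBAR activated:", nbar_activated(resources))
    print("Headroom (KB):", nbar_memory_headroom_kb(assumed_free_kb, resources))
    print("Enabling NAT would exhaust memory:", nat_will_exhaust_memory(assumed_free_kb, resources))
```

Run it against the output of "show ip nbar resources" captured from your own router (and "show memory" for the free-memory figure) before enabling NAT on a box that is already short on memory.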

7 comments:

  1. Maybe Cisco thought NBAR was a better choice to perform session tracking? Do you also get full NBAR stats reporting?
  2. Can you then disable NBAR?
  3. @rawcode: No, you have to enable NBAR on individual interfaces to get protocol discovery running.

    @richard: You cannot disable NBAR as long as NAT is configured.
  4. My thought on this was application fixup. A number of protocols (active FTP, DNS, SQLNET, RTSP and others) either embed IP addresses or do port changes, which NAT would have to detect and fix up. A quick google found this Cisco doc, http://tinyurl.com/64m9sr, which indicates that Application Level Gateways are used. It wouldn't surprise me if ALGs use NBAR to do their dirty work.
  5. This comment has been removed by the author.
  6. NBAR also generates high CPU on my Cisco router when applied to two interfaces with a total traffic volume of 80 Mbps.
  7. (G) "no ip nat service nbar" could help.
    According to cisco.com, the command was introduced in 12.4.