IP Input High CPU with Non-VRF NAT NVI

Available Languages

Updated:July 10, 2018

Document ID:200098

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

IP Input High CPU with Non-VRF NAT NVI

Solution

Introduction

This document describes a scenario where Network Address Translation for Virtual Interface (NAT NVI) causes high CPU utilization. NAT NVI was designed to allow NAT between Virtual Route Forwarding (VRF) contexts, but has been seen to be deployed in non VRF scenarios.

IP Input High CPU with Non-VRF NAT NVI

In some of these Non-VRF scenarios, NAT NVI can cause process switching which can lead to high cpu due to the IP Input process and reduced throughput. Process Switching is seen when NAT NVI is done along with interface overload or the NAT pool that contains IP addresses that are within the subnet of a local interface. When this happens, show process cpu sorted command shows high utilization due to the IP Input process.

Router#show process cpu sorted
CPU utilization for five seconds: 84%/37%; one minute: 30%; five minutes: 11%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
 112   189988000   137290092       1383 45.91% 13.97%  4.05%   0 IP Input

show ip cef switching statistics feature shows a large and increased number of punts due to Packet destined for us:

Router#show ip cef switching statistics
       Reason                          Drop       Punt  Punt2Host
RP LES Packet destined for us             0 1402039546          0
RP LES Total                              0 1402039546          0

All    Total                              0 1402039546          0

Solution

Replace NAT NVI with Legacy NAT (ip nat inside or ip nat outside) as shown here:

1. Add in the new legacy NAT statements for dynamic and static entries.

(config)#ip nat inside source list 100 interface GigabitEthernet0/0 overload

2. Add ip nat inside or ip nat outside as appropriate to the NAT interfaces.

(config)#interface gigabitethernet0/0
(config-if)#ip nat inside
(config)#interface gigabitethernet0/1
(config-if)#ip nat outside

3. Remove ip nat enable from all interfaces.

(config)#interface gigabitethernet0/0
(config-if)#no ip nat enable
(config)#interface gigabitethernet0/1
(config-if)#ip nat enable

4. Remove dynamic and static NAT NVI entries. This might require you to use the "forced" keyword in order to remove the entries currently in use.

(config)#no ip nat source list 100 int gigabitEthernet 0 overload

Note: Configuration guide for NAT NVI can be found here for reference.

Contributed by Cisco Engineers

Brett Sitomer
Cisco TAC Engineer

IP Input High CPU with Non-VRF NAT NVI

Available Languages

Bias-Free Language

Contents

Introduction

IP Input High CPU with Non-VRF NAT NVI

Solution

Contributed by Cisco Engineers

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products