[nsp] NAT spiking CPU

Bob Collie bob at ena.com
Mon Sep 8 14:21:52 EDT 2003


We're seeing this same trouble with our network and have not yet found a
way to limit NAT translations.  What we're seeing specifically is that a
site with a 2610 where we're running NAT gets infected by one of the
DDOS attacks (be it ICMP, etc.) and the sheer volume of dynamic,
outbound NAT translations makes the router unusable.

Has anyone found a way to limit this?  We tried using CAR but it didn't
make much of a difference when applied against excessive and randomized
ICMP traffic.

-Bob

-----Original Message-----
From: Streiner, Justin [mailto:streiner at stargate.net] 
Sent: Monday, September 08, 2003 12:04 PM
To: Christopher J. Wolff
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] NAT spiking CPU


On Mon, 8 Sep 2003, Christopher J. Wolff wrote:

> Just ran into an interesting situation where, when the public side of
> a NAT connection goes down, the router CPU spikes to 100%, effectively
> restricting all traffic flow inside the network.  This is a 2611XM
> router.  Has anyone seen this happen?  Thank you in advance.

I've seen things like this happen in the past on a variety of platforms,
all with CEF or dCEF fully enabled: 6400/NRP2, 7507, 2650, 3640.

To me, it appears that the router can handle NAT without major issues
until some threshold is crossed.  That could be total number of active
NAT translations, translations per second, bits/packets per second, I
don't know.  Below this limit, the router would operate normally, but
once it was crossed, the CPU would almost immediately spike to near
100%, but I recall the amount of time spent handling interrupt requests
to be fairly low.

As the opportunity permits, I'm trying to chip away at the NAT issue,
but it's pretty slow going...

jms
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
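Bob asks for a way to bound the dynamic NAT state that a flooding inside host creates. The IOS configuration below is an added example, not something posted in this thread or taken from any of the posters' routers. It assumes an IOS release that includes the NAT translation rate-limiting commands (the `ip nat translation max-entries` forms; older images on a 2610 may only have the timeout knobs), and the numeric limits are illustrative placeholders that must be sized from the site's normal translation count rather than copied as-is.

```cisco
! Added example (not from the thread): bounding dynamic NAT state so one
! infected inside host cannot fill the translation table and drive the CPU.
! Assumption: the image supports "ip nat translation max-entries"; the
! numbers below are placeholders, size them from "show ip nat statistics"
! taken on a quiet day.
!
! Weak (default) state, shown for contrast: no ceiling on the table, ICMP
! entries live 60 s and UDP entries 300 s, so a randomized ICMP/UDP flood
! creates thousands of entries the router must allocate, age and search.
!
! ip nat translation icmp-timeout 60
! ip nat translation udp-timeout 300
!
! Hardened settings:
ip nat translation max-entries 4000
! per-inside-host cap; a single flooding host hits this long before the
! global ceiling, so other hosts keep working
ip nat translation max-entries all-host 200
! age short-lived entries aggressively; the flood creates state it never reuses
ip nat translation icmp-timeout 15
ip nat translation udp-timeout 60
ip nat translation dns-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
!
! Verification and triage from exec mode (comments, not config):
! show ip nat statistics            -> "Total active translations" against the ceiling
! show ip nat translations | include icmp
!                                   -> the inside local address sourcing them is the
!                                      infected host to isolate
! show processes cpu sorted         -> whether the NAT process or interrupt time dominates
! clear ip nat translation *        -> drop all dynamic state once the host is cut off
```

The per-host cap is the setting that matters most for the symptom described here: the global ceiling only stops the table from growing without bound, while `all-host` keeps one compromised machine from consuming the whole budget. Shorter ICMP and UDP timeouts help because flood traffic is randomized and never reuses an entry, so holding entries for the defaults buys nothing. Watch the translation count before and after the change; if it still climbs to the ceiling, the offending host should be found with the `show ip nat translations` filter and removed from the network.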