Introduction
This document describes a scenario where Network Address Translation for Virtual Interface (NAT NVI) causes high CPU utilization. NAT NVI was designed to allow NAT between Virtual Routing and Forwarding (VRF) contexts, but it has also been seen deployed in non-VRF scenarios.
IP Input High CPU with Non-VRF NAT NVI
In some of these non-VRF scenarios, NAT NVI can cause process switching, which leads to high CPU in the IP Input process and reduced throughput. Process switching is seen when NAT NVI is used together with interface overload, or when the NAT pool contains IP addresses that fall within the subnet of a local interface. When this happens, the show process cpu sorted command shows high utilization from the IP Input process.
Router#show process cpu sorted
CPU utilization for five seconds: 84%/37%; one minute: 30%; five minutes: 11%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
112 189988000 137290092 1383 45.91% 13.97% 4.05% 0 IP Input
The show ip cef switching statistics feature command shows a large and increasing number of punts with the reason Packet destined for us:
Router#show ip cef switching statistics
Reason Drop Punt Punt2Host
RP LES Packet destined for us 0 1402039546 0
RP LES Total 0 1402039546 0
All Total 0 1402039546 0
Solution
Replace NAT NVI with legacy NAT (ip nat inside and ip nat outside) as shown here:
1. Add in the new legacy NAT statements for dynamic and static entries.
(config)#ip nat inside source list 100 interface GigabitEthernet0/0 overload
2. Add ip nat inside or ip nat outside as appropriate to the NAT interfaces.
(config)#interface gigabitethernet0/0
(config-if)#ip nat inside
(config)#interface gigabitethernet0/1
(config-if)#ip nat outside
3. Remove ip nat enable from all interfaces.
(config)#interface gigabitethernet0/0
(config-if)#no ip nat enable
(config)#interface gigabitethernet0/1
(config-if)#no ip nat enable
4. Remove the dynamic and static NAT NVI entries. This might require the "forced" keyword in order to remove entries that are currently in use.
(config)#no ip nat source list 100 interface GigabitEthernet0/0 overload
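As an added example (not part of this document or of Cisco IOS), the following Python script audits a running-config for the two NAT NVI conditions named above that trigger process switching (an interface-overload NVI statement, or an NVI pool whose addresses sit inside a local interface subnet), and then emits the legacy NAT replacement commands in the order of steps 1 to 4. The configuration text, the interface names, the access-list numbers and the pool name are constructed for illustration; which interface is the outside one is passed in explicitly because the script cannot infer it.

```python
"""Audit a Cisco IOS configuration for NAT NVI deployments that are process switched,
and generate the legacy-NAT migration from steps 1-4 above.
Added example, not Cisco code. All names and addresses below are constructed."""
import ipaddress
import re

# Constructed running-config excerpt: NVI with interface overload on Gi0/0 and a pool
# whose addresses lie inside the Gi0/0 subnet (both conditions described above).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat enable
!
ip nat pool PUBLIC 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat source list 100 interface GigabitEthernet0/0 overload
ip nat source list 101 pool PUBLIC
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
"""


def parse_interfaces(config):
    """Return {name: {"network": IPv4Network or None, "nvi": bool}} per interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"network": None, "nvi": False}
            continue
        if not line.startswith(" "):
            current = None  # '!' or a global command ends the interface block
            continue
        if current is None:
            continue
        m = re.match(r"^ ip address (\S+) (\S+)$", line)
        if m:
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            interfaces[current]["network"] = iface.network
        elif line.strip() == "ip nat enable":
            interfaces[current]["nvi"] = True
    return interfaces


def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} for each 'ip nat pool' line."""
    pools = {}
    for line in config.splitlines():
        m = re.match(r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask \S+|prefix-length \d+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def audit_nvi(config):
    """List the NVI statements that match a process-switching condition; empty is clean.
    Only NVI-style 'ip nat source' lines count; legacy 'ip nat inside source' is ignored."""
    interfaces, pools, findings = parse_interfaces(config), parse_pools(config), []
    if not any(d["nvi"] for d in interfaces.values()):
        return findings  # no 'ip nat enable' anywhere, so NVI is not in use
    for line in config.splitlines():
        m = re.match(r"^ip nat source list (\S+) interface (\S+) overload", line)
        if m:
            findings.append(f"NVI interface overload on {m.group(2)} (list {m.group(1)})")
        m = re.match(r"^ip nat source list (\S+) pool (\S+)", line)
        if m and m.group(2) in pools:
            start, end = pools[m.group(2)]
            for name, d in interfaces.items():
                net = d["network"]
                if net and (start in net or end in net):
                    findings.append(f"NVI pool {m.group(2)} ({start}-{end}) inside {name} subnet {net}")
    return findings


def migration_commands(config, outside):
    """Emit the legacy-NAT replacement in the order of steps 1-4: add legacy statements,
    mark interfaces inside/outside and drop 'ip nat enable', then remove NVI statements.
    `outside` is the interface facing the public side (an input, not inferred)."""
    interfaces = parse_interfaces(config)
    nvi_lines = [l for l in config.splitlines() if l.startswith("ip nat source ")]
    cmds = [l.replace("ip nat source ", "ip nat inside source ", 1) for l in nvi_lines]
    for name, d in interfaces.items():
        if d["nvi"]:
            role = "outside" if name == outside else "inside"
            cmds += [f"interface {name}", f" ip nat {role}", " no ip nat enable"]
    # Step 4: removal may need the 'forced' keyword if translations are still in use.
    cmds += ["no " + l for l in nvi_lines]
    return cmds


if __name__ == "__main__":
    for finding in audit_nvi(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(migration_commands(SAMPLE_CONFIG, outside="GigabitEthernet0/0")))
```

Run against the constructed excerpt, the audit reports both conditions (interface overload on GigabitEthernet0/0, and pool PUBLIC lying inside the GigabitEthernet0/0 subnet), and the migration output is the step 1 to 4 sequence with GigabitEthernet0/0 as ip nat outside and GigabitEthernet0/1 as ip nat inside. Feed it a real running-config with the correct outside interface; it does not touch the device.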
Note: Configuration guide for NAT NVI can be found here for reference.