Joseph W. Doherty Thu, 11/13/2008 - 13:07

NBAR isn't supported on many switches. Within the 6500 series, some WAN cards, for the card only, support it (e.g. FlexWAN). Also for the 6500 series, the sup32-PISA FPM, I believe, might be able to match similar to NBAR, but don't recall what its features are compared to NBAR.

For the ASR, don't know for sure, but likely it doesn't support NBAR at all.

Joseph W. Doherty Thu, 11/13/2008 - 14:09

You're right, it does mention NBAR (FPM too)!

Perhaps ASR is more akin to 7200 or 7300 vs. 6500/7600 or 4500 series.

If there isn't any published performance for NBAR impact on an ASR, you might be able to hope its impact is similar to what's been documented for other network devices.

I'm batting zero on ASRs and NBAR, but I recall NBAR isn't real, real heavy against performance. It may have been generally under 10%, but take that with a grain of salt. I think there are some whitepapers on Cisco's site documenting NBAR performance for some devices.

cedar_lee Thu, 11/13/2008 - 14:46

I agree. Performance is the main concern stopping me from enabling NBAR on production. That's why I am looking for some test report to back me up if I use NBAR.

Joseph W. Doherty Thu, 11/13/2008 - 16:57

Just tried to find some info concerning the impact of NBAR, but only got 1, yes just 1, hit against the whole Cisco site searching on just "nbar"!?

If the ASRs support FPM and/or NBAR, like sup32-PISA supports FPM, I recall the latter takes quite a performance hit, so you're correct to be concerned about performance.

I use NBAR on many software routers, along with considerable QoS. On those I haven't seen a really significant performance hit. This makes sense because for some of NBAR it's often just a pretty face for some port matching ACLs. Some NBAR, though, can be stateful and/or dig into the packet. This might be much more system usage intensive. For instance, NBAR that examines HTTP URLs might be such, although I haven't used that kind of NBAR.

What you might try is to ease into NBAR with one match type at a non-peak time and watch what happens. Also, not 100% positive, but activation of flow caching might limit some NBAR analysis to just the first packet of some flows.

cedar_lee Fri, 11/14/2008 - 07:10

You are right. It really depends on the types of inspections. And according to the NBAR test report in the first message, Cisco claimed there would be no packet drop or significant speed reduction if the NDR traffic load were under a certain number, such as 60%. The most significant impact would be CPU usage. If it is true, it would be very easy to test because you just need to focus on CPU usage. It would be interesting to do a small test.
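
One way to run the CPU-only comparison discussed in this thread, as an added example that is not from the thread, from Cisco, or from any NBAR tool: it parses the first line of IOS `show processes cpu` output collected before and after a single NBAR match type is enabled at a quiet time, and compares the averaged figures against a hypothetical budget (the roughly 10% figure mentioned earlier). The sample output lines are constructed.

```python
import re
from statistics import mean

# First line of IOS "show processes cpu", e.g.
# "CPU utilization for five seconds: 12%/3%; one minute: 10%; five minutes: 9%"
# The figure after the slash is interrupt-level CPU, where packet-switching
# work such as NBAR classification is charged.
CPU_LINE = re.compile(
    r"CPU utilization for five seconds: (?P<five_sec>\d+)%/(?P<interrupt>\d+)%; "
    r"one minute: (?P<one_min>\d+)%; five minutes: (?P<five_min>\d+)%"
)

def parse_cpu_line(line):
    """Return the four CPU percentages from one 'show processes cpu' header line."""
    m = CPU_LINE.search(line)
    if not m:
        raise ValueError(f"unrecognised CPU line: {line!r}")
    return {name: int(val) for name, val in m.groupdict().items()}

def cpu_impact(baseline_lines, nbar_lines, field="five_min", budget_pct=10):
    """Average one field over both sample sets; budget_pct is the extra CPU
    (percentage points) you are willing to spend on NBAR (hypothetical value)."""
    baseline = mean(parse_cpu_line(l)[field] for l in baseline_lines)
    with_nbar = mean(parse_cpu_line(l)[field] for l in nbar_lines)
    delta = with_nbar - baseline
    return {
        "baseline": baseline,
        "with_nbar": with_nbar,
        "delta": delta,
        "within_budget": delta <= budget_pct,
    }

# Constructed samples: what the router printed before and after a single
# 'match protocol' statement was added to one class-map at a non-peak time.
BASELINE = [
    "CPU utilization for five seconds: 11%/4%; one minute: 10%; five minutes: 9%",
    "CPU utilization for five seconds: 12%/4%; one minute: 11%; five minutes: 10%",
    "CPU utilization for five seconds: 13%/5%; one minute: 11%; five minutes: 11%",
]
WITH_NBAR = [
    "CPU utilization for five seconds: 19%/11%; one minute: 18%; five minutes: 16%",
    "CPU utilization for five seconds: 21%/12%; one minute: 19%; five minutes: 18%",
    "CPU utilization for five seconds: 20%/12%; one minute: 19%; five minutes: 17%",
]

if __name__ == "__main__":
    print(cpu_impact(BASELINE, WITH_NBAR))  # delta of 7 points, within budget
    print(cpu_impact(BASELINE, WITH_NBAR, field="interrupt"))
```

Collect more than three samples in practice, spaced over the interval you care about, and compare the interrupt field separately since that is where the packet-path cost shows up.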
