This report documents the current performance of the Network Based Application Recognition (NBAR) classification engine on Cisco 2600-XM, 3700, 7206, 7300, and 7500 Series Routers. It includes a description of the testbed, the testing methodology, and the benchmarks that were used for performance testing. Detailed results are provided for each benchmark. Cisco IOS Software® Release 12.3(10) was used for all performance measurements. The purpose of this document is to provide field engineers with performance guidelines for the NBAR feature on these platforms.
Overview
NBAR is an intelligent classification engine in Cisco IOS Software that can recognize a wide variety of applications, including Web-based and client/server applications. Once the applications are recognized, the network can invoke required services for that particular application.
NBAR performs the following two functions:
1. Identification of applications and protocols (Layer 4 to Layer 7)
2. Protocol discovery
Identification of Applications and Protocols (Layer 4 to Layer 7)
NBAR can classify applications that use:
• Statically assigned Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers
• Non-UDP and non-TCP IP protocols
• Dynamically assigned TCP and UDP port numbers negotiated during connection establishment. Stateful inspection is required to classify these applications and protocols: NBAR discovers the data connections to be classified by parsing the control connections on which the data-connection ports are assigned.
• Sub-port classification: classification of HTTP traffic (by URL, MIME type or host name) and of Citrix Independent Computing Architecture (ICA) traffic (by published application name)
• Classification based on deep packet inspection of multiple application-specific attributes. Real-Time Transport Protocol (RTP) payload classification uses this approach: a packet is classified as RTP based on several fields in the RTP header.
Protocol Discovery
Protocol Discovery (PD) is a commonly used NBAR feature that collects application and protocol statistics (packet counts, byte counts and bit rates) per interface. GUI-based management tools can display this information graphically by polling Simple Network Management Protocol (SNMP) statistics from the NBAR PD Management Information Base (MIB).
As with any networking feature, it is important to understand the performance and scalability characteristics before deploying the feature into a production network. On software-based platforms, the metrics considered are the impact on CPU utilization and the sustainable data rate while the feature is enabled.
What Does NBAR Performance Depend On?
Several factors can impact NBAR performance in software-based execution.
A. Router Configuration
1. The number of protocols the traffic is matched against
2. The number of regular expressions in use
3. The complexity of the packet inspection logic required
B. Traffic Profile (Packet Protocol Sequence)
1. The number of flows
2. Flow duration: long-lived flows are less expensive than short-lived flows
3. Match type: stateful protocol matches cost more than static-port application matches
A traffic mix consisting of a high volume of short-lived flows requires a higher level of resources to classify new flows which soon "expire" from the flow cache. Conversely, a lower level of resources is required with a traffic mix of fewer and longer-lived flows, since these flow entries would be in the cache for a longer amount of time.
Things That Do Not Impact NBAR
1. Post match actions (such as queuing, tagging, etc.)
2. Link speed (NBAR is interface agnostic)
3. Having NBAR on multiple interfaces (packets already classified are cached, no reclassification will take place)
4. Inbound vs. outbound packet matches (using NBAR on service policy input instead of service policy output)
Since NBAR is a feature used in a variety of network environments, it will be enabled on a variety of Cisco platforms. This white paper provides performance data for the following Cisco IOS Software routing platforms:
• Cisco 2600-XM Series Router
• Cisco 3745 Series Router
• Cisco 7206 NPE-G1 Series Router
• Cisco 7301 Series Router
• Cisco 7505 RSP4/VIP680 Series Router
Test Methodology
A common test setup was created for measuring NBAR performance on the selected platforms, using the same test equipment and traffic load for each. An IXIA traffic generator was used to replicate real network traffic flows. These flows were created by capturing actual client and server session traffic for a particular protocol; once captured, the flows were replayed onto the test network by the IXIA devices. The Device Under Test (DUT) was subjected to the test traffic under four scenarios: first a baseline test without NBAR enabled, then three performance tests with NBAR features enabled, in the following order: protocol discovery, match protocol, and both protocol discovery and match protocol. All tests were run under varying traffic loads expressed as a percentage of the maximum load, also called the No Drop Rate (NDR) load; once the offered load exceeds NDR, the router begins to drop packets. For the baseline and performance tests, the offered traffic load was 20% NDR, 40% NDR, 60% NDR and 100% NDR. This comparison provides a basis for anticipating the effect that enabling NBAR will have on an existing system.
For all tests, the following measurements were recorded:
• Throughput in Mbps
• Average CPU utilization after 5 minutes
All tests were run for 10 minutes.
Traffic Profile
The traffic types used in this test plan are a mixture of typical enterprise traffic (EMIX), including HTTP GET requests and RTP. This section describes the traffic profile and the associated NBAR protocol match conditions. The EMIX traffic profile was built from individual session captures of each protocol, and these sessions were repeated to reach the desired percentage of each protocol's contribution to the EMIX traffic profile. The following table shows the mix of traffic included in this test effort, including the number of packets in each flow.
Table 1. Test Traffic

Application/Protocol     Packets per Flow   Percentage of Total Traffic   Average Packet Size
                                            (by packet count)             (bytes)
RTP                      217                9%                            81
Telnet                   158                7%                            114
HTTP - URL               473                20%                           452
FTP                      216                9%                            72
SMTP                     96                 4%                            101
Citrix ICA               360                15%                           254
SAP                      216                9%                            358
WinMX                    118                5%                            267
eDonkey                  220                9%                            253
Unclassifiable Traffic   300                13%                           256
Total                    2374               100%                          256
The match criteria specified via the CLI are shown below:
match protocol ftp
match protocol telnet
match protocol smtp
match protocol rtp video
match protocol citrix ica-tag 2
match protocol sap-app
match protocol winmx
match protocol edonkey
match protocol http url "*"
Note: In addition to the Packet Description Language Modules (PDLMs) native to Release 12.3(10), the SAP, Citrix, WinMX and eDonkey PDLMs were also loaded on the devices under test to facilitate NBAR matches for the respective application traffic.
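The match statements above are only the classification half of an NBAR deployment. The following is an added example, not a configuration from the original white paper or from Cisco, showing how those statements fit into a complete class-map/policy-map configuration together with protocol discovery on the interface, and which show commands expose the counters the tests measured. The PDLM file paths, the interface FastEthernet0/0, the class-map and policy-map names, the DSCP values and the policer rate are assumptions; the match statements themselves are the ones listed in this document.

```ios
! Added example (not from the original white paper). Assumed values: PDLM
! file paths, interface FastEthernet0/0, class/policy names, DSCP markings
! and the policer rate. The match statements are those listed above.

! 1. Load the PDLMs that are not native to Release 12.3(10) (file names assumed).
ip nbar pdlm flash:sap.pdlm
ip nbar pdlm flash:citrix.pdlm
ip nbar pdlm flash:winmx.pdlm
ip nbar pdlm flash:edonkey.pdlm

! 2. Classification. Each "match protocol" line adds to per-packet inspection
!    cost (router configuration factor A.1); the stateful ones (ftp, rtp,
!    citrix, winmx, edonkey) cost more than the static-port ones (telnet, smtp).
class-map match-any BUSINESS-APPS
 match protocol citrix ica-tag 2
 match protocol sap-app
 match protocol http url "*"
class-map match-any VOICE-VIDEO
 match protocol rtp video
class-map match-any LEGACY-APPS
 match protocol ftp
 match protocol telnet
 match protocol smtp
class-map match-any P2P
 match protocol winmx
 match protocol edonkey

! 3. Post-match actions. These do not change NBAR's own cost (see "Things That
!    Do Not Impact NBAR"), so they can be chosen purely on network policy.
policy-map EMIX-POLICY
 class VOICE-VIDEO
  set dscp ef
 class BUSINESS-APPS
  set dscp af31
 class LEGACY-APPS
  set dscp af21
 class P2P
  police 256000 conform-action transmit exceed-action drop
 class class-default
  set dscp default

! 4. Apply on the ingress interface. Protocol discovery and the service policy
!    share one classification per packet; a packet already classified here is
!    not reclassified if it meets NBAR again on another interface.
interface FastEthernet0/0
 ip nbar protocol-discovery
 service-policy input EMIX-POLICY

! 5. Verification (exec mode).
!    Per-protocol packet, byte and bit-rate counters (the data the PD MIB
!    exposes over SNMP), top five protocols by bit rate:
!      show ip nbar protocol-discovery interface FastEthernet0/0 stats bit-rate top-n 5
!    Per-class match counters for the service policy:
!      show policy-map interface FastEthernet0/0
!    CPU utilization over time, the metric recorded in these tests:
!      show processes cpu history
```

The class-map counters from show policy-map interface confirm that each match statement is actually hitting traffic; a match that never fires still contributes inspection cost and is a candidate for removal when tuning for the CPU figures in the following sections. Protocol discovery must be enabled on the interface before the PD MIB returns statistics for it.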
Summary of Test Results
The test results are presented per platform. For each performance test, a graph compares the baseline NDR CPU utilization (with NBAR not enabled) to the feature NDR CPU utilization (with NBAR enabled).