Yuri Slobodyanyuk Blog on Information Security, 2024-09-12
Cisco routers ip accounting to see most bandwidth abusing connections

A look at IP accounting on Cisco routers, covering its types, configuration and uses

🎯 Once enabled on an interface, IP accounting builds a database holding packet and byte counts per address pair. There are several accounting types; the article covers two: IP accounting and IP access-list violations accounting. IP accounting collects statistics on traffic transiting the router, while IP access-list violations accounting records traffic denied by the ACLs applied to the interface.

💻 Configuration consists of enabling it on the interfaces of interest (outbound traffic only is recorded), adjusting the number of records kept if needed, viewing the collected data from the CLI (it is also available through the SNMP agent, which the article does not cover), and clearing the active accounting database while copying a snapshot of it to the checkpoint database.

🔍 A filter for specific IP addresses, so that only their accounting data is collected, is useful for long-term monitoring. For IP access-list violations accounting, an ACL must be applied to the interface before any records appear.

📈 The article also gives practical tips, such as sorting and summarising the output of show ip accounting with shell commands to analyse the traffic more easily.

First of all, Happy New Year everyone!
As I promised before (last year :) I'll look at IP accounting in the Cisco world. I'll say it at the start: accounting, which has been with us since IOS 10.0, is being pushed aside by the more powerful NetFlow feature. And while it is nowhere near being deprecated or end-of-lifed by Cisco, it is presented as "not enough" for the modern enterprise.

So let's look at accounting more closely.
When enabled on an interface, it creates a database of accounting information holding the number of packets and bytes that passed through the router between pairs of IP addresses (source and destination). There are actually more types of accounting, but here I'll talk about two only: IP accounting and IP access-list violations accounting. The first gathers statistics for transit traffic, i.e. traffic entering and leaving the router; traffic destined for or originating from the router itself is not accounted for. The second gives information about traffic rejected by the router according to the applied ACLs. Both types can be enabled on physical or logical interfaces only (so, for example, the VTY lines are not in the pack).

Both types share the same database memory space. And talking about memory: by default the router keeps 512 records (source/destination pairs); once these are exhausted no new pairs are recorded, and `show ip accounting` reports the overflow as a count of packets and bytes that exceeded the threshold. As usual, this is configurable (see below).

IP accounting

Here is a sneak preview of accounting at work:

```
   Source           Destination              Packets               Bytes
 122.94.42.91     62.20.179.36                       2                 223
```

What you see are the IP addresses found in the IP packet header as source and destination, plus the number of packets and bytes exchanged between them. The database is updated continuously as traffic passes through the router.

IP accounting configuration:

So here is our CLI:

1. Enable on the interface. Only outbound packets on that interface are accounted; `ip accounting` and `ip accounting output-packets` are the same command (the keyword is optional):

```
Router(config)#int fa0/1
Router(config-if)#ip accounting [output-packets]
```

2. [Optional] Tune the maximum number of records if desired (default 512, maximum 4294967295):

```
Router(config)#ip accounting-threshold 1200
```

3. See the active records in the database:

```
Router#show ip accounting
   Source           Destination              Packets               Bytes
 68.146.13.6      162.30.79.36                       1                 129
 79.82.168.224    162.30.79.36                       1                 126
 142.53.125.103   162.30.79.36                    9237              423360
 83.171.0.22      162.30.79.36                       1                 129
 118.181.13.61    162.30.79.36                       4                 360
```

4. Copy the active database to the checkpoint database and wipe the active records (one command does both):

```
Router#clear ip accounting
Router#show ip accounting checkpoint
   Source           Destination              Packets               Bytes
 68.146.13.6      162.30.79.36                       1                 129
 79.82.168.224    162.30.79.36                       1                 126
 142.53.125.103   162.30.79.36                    9237              423360
 83.171.0.22      162.30.79.36                       1                 129
 118.181.13.61    162.30.79.36                       4                 360
```

Usage tip: What is this good for at all? As I mentioned in the previous post, I use such info to give the client some insight into what is going on (or rather going in and out) in his network at a given moment. So I run all these commands on the client's perimeter equipment, which we manage. I have no inclination to do this for a client, or anyone else, on my backbone gear, and you would be advised not to either.

5. Some extra-bonus config: you may configure a filter that limits the IP addresses for which accounting info is gathered. While trying to catch who is loading your network, such filtering would be counter-productive, but for long-term monitoring of known hosts it makes sense:

```
Router(config)#ip accounting-list 19.90.14.59 0.0.0.0
```

Then only records involving this IP (or these IPs, if you add more lines) are written to the database:

```
Router#show ip accounting
   Source           Destination              Packets               Bytes
 19.90.14.59      162.30.79.37                       7                2912
```

IP access-list violations accounting.

This accounts for traffic blocked by the ACL(s) applied to the interface(s). It only produces records once an ACL is actually applied on that interface with `ip access-group`, and each record carries the number of the ACL that denied the packet. To enable:

```
Router(config-if)#ip accounting access-violations
```

Accounting excludes MLS-switched traffic when MLS is enabled.

- To see the records (none have been recorded yet here; the last line shows how old the accumulated data is):

```
Router#show ip accounting access-violations
   Source           Destination              Packets               Bytes   ACL
Accounting data age is 8
```

USAGE TIP 2: If you use this feature to spot the most bandwidth-abusing flow, you'll love this one-liner. Paste the data rows of `show ip accounting` into its standard input (then Ctrl-D) and it sorts them by bytes passed, in ascending order; use `sort -rn -k4,4` if you want the biggest flow first. Hint: DarkStar is a Linux machine, not the router itself.

```
root@DarkStar:~# sort -n -k4,4
<NOW COPY-PASTE OUTPUT FROM THE ROUTER HERE, THEN CTRL-D>
68.146.13.6      162.30.79.36                       1                 129
79.82.168.224    162.30.79.36                       1                 126
142.53.125.103   162.30.79.36                    9237              423360
83.171.0.22      162.30.79.36                       1                 129
118.181.13.61    162.30.79.36                       4                 360
79.82.168.224    162.30.79.36                       1                 126
83.171.0.22      162.30.79.36                       1                 129
68.146.13.6      162.30.79.36                       1                 129
118.181.13.61    162.30.79.36                       4                 360
142.53.125.103   162.30.79.36                    9237              423360
```

USAGE TIP 3:
To improve further on the one-liner above, here is another one that sums up bytes per IP address (here the destination, the 2nd field, but you can easily change `$2` to `$1` for the source) and then sorts the totals by bytes. The sort has to come after awk: awk's `for (x in ips)` emits the array in arbitrary order, so sorting the input first would leave the totals unsorted:

```
root@DarkStar:~# awk '{ips[$2] += $4} END { for (x in ips) print x, ips[x]}' | sort -n -k2,2
122.53.125.103   162.30.79.36                       3                 120
59.44.58.120     162.30.79.36                       3                 417
123.203.142.106  162.30.79.36                       1                 177
82.144.177.32    162.30.79.36                       1                 234
218.103.137.105  162.10.79.36                       1                 126
80.37.83.120     162.10.79.36                       1                 126
79.182.121.216   162.10.79.36                       9                 377
207.191.202.251  162.30.79.36                       9                 377
84.195.248.47    162.20.79.36                       7                 304
201.95.211.8     162.40.79.36                       8                 364
79.180.14.184    162.30.79.36                      24                 994
124.64.176.192   162.70.79.36                       5                 227
62.219.133.44    162.30.79.36                      72                3077
91.196.214.6     162.40.79.36                       4                 160
125.125.227.168  162.40.79.36                      15                 797
162.70.79.36 227
162.20.79.36 304
162.10.79.36 629
162.40.79.36 1321
162.30.79.36 5396
root@DarkStar:~#
```
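The two one-liners above assume you paste only the data rows. Real `show ip accounting` output also carries the column header, an `Accounting data age` line and, when the record limit was hit, an `Accounting threshold exceeded` line; fed to awk as-is, those would be summed as if they were flows. The script below is an added example, not code from the original post: it keeps only genuine data rows, totals bytes per source or per destination, and lists the heaviest talkers first. The sample output it runs on is constructed from documentation addresses, not taken from the post.

```shell
#!/bin/sh
# Added example: summarise `show ip accounting` output piped in on stdin.
# SAMPLE is constructed (RFC 5737 documentation addresses), not real router output.
SAMPLE='   Source           Destination              Packets               Bytes
 10.0.0.5         192.0.2.10                        10                1500
 10.0.0.7         192.0.2.10                         2                 260
 10.0.0.5         192.0.2.20                         3                 900
 10.0.0.9         198.51.100.4                      40               60000
Accounting data age is 3
Accounting threshold exceeded for 12 packets and 1800 bytes'

# Pass through only real data rows: two dotted-quad addresses followed by
# two integer counters. This drops the header, the "data age" line and the
# threshold-exceeded line that would otherwise be summed as bytes.
accounting_rows() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/'
}

# Total bytes per address taken from column $1 (1 = source, 2 = destination),
# heaviest first. Sorting happens after awk, because awk's for-in loop emits
# the array in arbitrary order.
bytes_per_address() {
    accounting_rows |
        awk -v col="$1" '{ total[$col] += $4 }
                         END { for (a in total) printf "%s %d\n", a, total[a] }' |
        sort -rn -k2,2
}

# The single address responsible for the most bytes in the chosen column.
top_talker() {
    bytes_per_address "$1" | head -n 1
}

# Usage: heaviest destinations, then the single heaviest source.
printf '%s\n' "$SAMPLE" | bytes_per_address 2
printf '%s\n' "$SAMPLE" | top_talker 1
```

On a live box you would replace the `printf` with the pasted router output (or `cat accounting.txt`); the filtering means the whole `show ip accounting` screen can be pasted without trimming first.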

Here I'll wrap up my short memo with a few links for those interested in digging deeper:

    The whole book dedicated to knowing your network better:
    Network Management: Accounting and Performance Strategies by Benoit Claise (CCIE No. 2686) and Ralf Wolter
    http://www.ciscopress.com/bookstore/product.asp?isbn=1587051982

    Cisco IOS command reference:
    http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1091971

PS: The next post I am planning is on NetFlow.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
