Accounting


Sometimes it proves useful to collect statistics on traffic flows, to account for network usage. This process may be useful for traffic engineering, as well as for billing network users based on usage.

You can enable basic IP accounting on router interfaces. Packet source and destination are listed, as well as the number of bytes and packets transmitted between the two nodes. NetFlow offers a more thorough accounting functionality. In addition to source, destination, packet, and byte count, protocol and AS information is included. The NetFlow data can be aggregated in various ways, including by autonomous system, by subnet prefixes, and by protocol type. NetFlow is discussed further in the section titled "NetFlow."

IP Accounting

IP accounting provides basic accounting services. Packets that traverse the router are counted, and the counts are maintained per source/destination address pair. Packets sourced from or destined to the router itself are not counted. Accounting is done on outbound interfaces, and enabling it disables autonomous switching and SSE switching on that interface. By default, only packets that pass the interface's access lists and are actually routed through the router are counted; optionally, a separate table of packets that fail access lists can be kept (ip accounting access-violations). A large number of access list violations may indicate an attempted network attack or a misconfigured router, so that second table is worth checking.

You can enable accounting on an outbound interface with the interface command ip accounting (ip accounting output-packets in later IOS releases); add ip accounting access-violations to also count packets rejected by access lists.

To display the results of enabling accounting on outbound interfaces, use the show ip accounting [ checkpoint ] [ access-violations ] command.

Example 9-25 displays IP accounting data collected on an Ethernet interface.

Example 9-25 IP Accounting Is Enabled on an Ethernet Interface; the show ip accounting Command Displays Multicast Packets Being Sent Out the Interface
  Bowler(config)# int e 0
  Bowler(config-if)# ip accounting
  Bowler(config-if)# ^Z
  Bowler# show ip accounting
     Source           Destination              Packets              Bytes
   10.1.1.88        228.13.20.216                   45              24611
  Accounting data age is 0
  Bowler# show ip accounting
     Source           Destination              Packets              Bytes
   10.1.1.88        224.2.127.254                    1                229
   10.1.1.88        228.13.20.216                  133              73689
  Accounting data age is 0
  Bowler# show ip accounting
     Source           Destination              Packets              Bytes
   10.1.1.88        224.2.127.254                    1                229
   10.1.1.88        228.13.20.216                  173              95952
  Accounting data age is 0

IP accounting is enabled on Ethernet 0 of router Bowler, and packets routed out that interface are counted. Three successive displays of the accounting table show the source address 10.1.1.88 multicasting to both 224.2.127.254 and 228.13.20.216, with the counters for the second destination climbing from 45 to 133 to 173 packets.

You can clear the accounting table with the clear ip accounting command.

IP accounting can provide valuable information about traffic exiting an interface. Note, however, that performance degradation may occur when you implement it. Because IP accounting disables autonomous switching and SSE switching on the interface, the packets will be switched through the interface using a less-efficient mechanism than may have been designed into the network. In addition, maintaining the accounting database utilizes the router's memory. Do not enable IP accounting if the router is running low on memory.

The command ip accounting-threshold threshold defines the number of entries that can be stored in an accounting database. The default value is 512 source/destination pairs. This default results in a maximum of 12,928 bytes of memory usage for each of the two databases, active and checkpointed. If you set the threshold too high, all the available memory could be consumed.

Enabling IP accounting on an interface is a quick way to view outbound traffic by source and destination address, but there is no built-in mechanism to get the data to a server that can parse the data and make it useful over time. NetFlow provides this functionality, in addition to providing more information about the traffic flows.

NetFlow

NetFlow switching identifies traffic flows and performs switching and access list processing per flow within the router. Because the flows are identified, statistics about them can be exported to an accounting server. While a flow is active, its data is kept in the NetFlow cache; when the flow expires, its record can be added to an aggregation cache and exported to a management station. By default the NetFlow cache holds 64K (65,536) flow entries.

NOTE

NetFlow switching consumes more memory and CPU resources than other switching modes. Understand the resources required on your router before enabling NetFlow.


To enable NetFlow switching, use the interface subcommand ip route-cache flow.

To define the IP address and UDP port number of the flow collector that receives the data, use the following global commands:

  ip flow-export destination ip-address udp-port
  ip flow-export {version 1 | version 5 [origin-as | peer-as]}

The version number must match the version that the flow collector is expecting. version 1 is the default.

The origin-as option specifies that the exported data include the BGP origin AS for the source and destination.

The peer-as option specifies that the exported data include the BGP peer AS for the source and destination, that is, the neighboring AS the traffic was received from and the neighboring AS it is forwarded to, rather than the origin AS of the source and destination prefixes. Either option fills the same two AS fields of the export record, so the collector must know which one the router was configured with.

Figure 9-2 shows a simple network running BGP and collecting NetFlow data on router Hummer.

Figure 9-2. BGP Network Running NetFlow for Flow Accounting


NetFlow is enabled on router Hummer. The router is configured to collect information on flows on both interfaces. Example 9-26 shows the configuration for Hummer.

Example 9-26 Configuring Router Hummer in Figure 9-2 to Collect Information on Flows on Both Ethernet Interfaces
  interface Ethernet1/2
   ip address 1.1.7.5 255.255.255.0
   ip route-cache flow
  !
  interface Ethernet1/3
   ip address 1.1.5.5 255.255.255.0
   ip route-cache flow
  !
  ip flow-export version 5 peer-as
  ip flow-export destination 1.1.3.250 125

In the configuration in Example 9-26, the data includes the peer AS, rather than the origin AS.

The show ip flow export command displays the data exporting parameters, whereas the show ip cache flow command displays the flow cache.

Example 9-27 shows the flow export parameters and a sample of the flow cache of router Hummer.

Example 9-27 NetFlow Flow Information Displayed Using Commands show ip flow export and show ip cache flow
  Hummer# show ip flow export
  Flow export is enabled
    Exporting flows to 1.1.3.250 (125)
    Exporting using source IP address 1.1.7.5
    Version 5 flow records, peer-as
    527 flows exported in 18 udp datagrams
    0 flows failed due to lack of export packet
    0 export packets were sent up to process level
    0 export packets were dropped due to no fib
    0 export packets were dropped due to adjacency issues
  Hummer# show ip cache flow
  IP packet size distribution (51719 total packets):
     1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
     .131 .000 .034 .000 .000 .000 .490 .000 .000 .000 .000 .000 .000 .000 .000

      512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
     .000 .000 .000 .000 .343 .000 .000 .000 .000 .000 .000

  IP Flow Switching Cache, 4456704 bytes
    68 active, 65468 inactive, 1080 added
    22140 ager polls, 0 flow alloc failures
    Active flows timeout in 30 minutes
    Inactive flows timeout in 15 seconds
    last clearing of statistics 00:08:35
  Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
  --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
  TCP-Telnet          19      0.0        90    70      3.3       0.0      15.5
  TCP-WWW            596      1.1        40   220     46.7       0.0      15.4
  UDP-DNS            397      0.7         3    28      2.3       0.0      15.5
  Total:            1012      1.9        26   201     52.4       0.0      15.4

  SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
  Et1/3         1.1.2.13        Et1/2         1.1.3.13        06 0403 0015   17K
  Et1/3         1.1.2.12        Et1/2         1.1.3.12        06 042D 0017    90
  Et1/3         1.1.2.11        Et1/2         1.1.3.11        06 099E 0050    40
  Et1/3         1.1.2.21        Et1/2         1.1.3.21        11 07D3 0035     3
  Et1/3         1.1.2.21        Et1/2         1.1.3.21        11 07D2 0035     3
  Et1/3         1.1.2.21        Et1/2         1.1.3.21        11 07D1 0035     3
  Et1/3         1.1.2.21        Et1/2         1.1.3.21        11 07D0 0035     3

You can see how much more information NetFlow provides than IP accounting: packet size distribution, summary counters, per-protocol statistics, and the individual flows with their interfaces, protocol, and ports. The Pr, SrcP, and DstP columns are hexadecimal, so protocol 06 is TCP, 11 is UDP, destination port 0050 is HTTP (80), and 0035 is DNS (53).
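The export datagram that the collector at 1.1.3.250 port 125 receives has a fixed layout: a 24-byte header carrying the version, the record count, and a running flow sequence number, followed by up to 30 records of 48 bytes each with the fields shown in the flow cache plus the two AS numbers selected by origin-as or peer-as. The following Python is an added example, not code from the book or from Cisco: it encodes such a datagram as the exporter would, decodes it as a collector would, and tracks the sequence number so that lost or replayed export datagrams are noticed. The sample flows are constructed from the values in Examples 9-27 and 9-29; the ifIndex values 3 and 2 for Et1/3 and Et1/2 are assumptions.

```python
"""NetFlow v5 export datagrams: the exporter's encoding for 'ip flow-export
version 5' and the decoding a collector does on its UDP port (added example)."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def build_v5_datagram(records, flow_sequence, uptime_ms=0, unix_secs=0):
    """Exporter side: encode 1..30 flow records as one v5 datagram.
    flow_sequence is the running count of flows exported before this one."""
    if not 0 < len(records) <= 30:
        raise ValueError("a v5 datagram carries between 1 and 30 records")
    # engine_type, engine_id and sampling_interval are left at 0
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton(r.get("nexthop", "0.0.0.0")),
            r["input"], r["output"], r["pkts"], r["bytes"],
            r.get("first", 0), r.get("last", 0), r["sport"], r["dport"],
            0, r.get("tcp_flags", 0), r["proto"], r.get("tos", 0),
            r["src_as"], r["dst_as"], r.get("src_mask", 0),
            r.get("dst_mask", 0), 0)
        for r in records)
    return header + body


def parse_v5_datagram(data):
    """Collector side: decode a v5 datagram into (header, records). Export is
    unauthenticated UDP, so length and version are checked before any field
    is trusted."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _, seq, etype, eid, sampling = \
        V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"expected version 5, got {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_type": etype, "engine_id": eid,
              "sampling_interval": sampling}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "pkts": f[5], "bytes": f[6], "first": f[7], "last": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18]})
    return header, records


class SequenceTracker:
    """Per-exporter check of flow_sequence: the next datagram should start at
    flow_sequence + count of the previous one. A positive gap is the number of
    flows lost in transit; a negative gap means an exporter restart, a replay
    or a spoofed datagram and deserves an alert rather than silent acceptance."""

    def __init__(self):
        self.expected = None

    def observe(self, header):
        gap = 0
        if self.expected is not None:
            gap = header["flow_sequence"] - self.expected
        self.expected = header["flow_sequence"] + header["count"]
        return gap


# Constructed flows modelled on Examples 9-27 and 9-29 (Et1/3, AS 400 to
# Et1/2, AS 100). The ifIndex values 3 and 2 are assumptions.
SAMPLE_FLOWS = [
    {"src": "1.1.2.13", "dst": "1.1.3.13", "input": 3, "output": 2,
     "pkts": 17000, "bytes": 17000 * 70, "sport": 0x0403, "dport": 0x0015,
     "proto": 6, "src_as": 400, "dst_as": 100, "src_mask": 24, "dst_mask": 24},
    {"src": "1.1.2.21", "dst": "1.1.3.21", "input": 3, "output": 2,
     "pkts": 3, "bytes": 3 * 28, "sport": 0x07D3, "dport": 0x0035,
     "proto": 17, "src_as": 400, "dst_as": 100, "src_mask": 24, "dst_mask": 24},
]


def demo():
    """Export a datagram starting at flow 527 (the count in Example 9-27),
    decode it, then feed the tracker a datagram that starts at 534 instead of
    the expected 529: the 5 flows in between were lost."""
    tracker = SequenceTracker()
    header, records = parse_v5_datagram(build_v5_datagram(SAMPLE_FLOWS, 527))
    tracker.observe(header)
    late = parse_v5_datagram(build_v5_datagram(SAMPLE_FLOWS[:1], 534))[0]
    return records, tracker.observe(late)
```

Because the export is unauthenticated UDP, a collector should also accept datagrams only from the configured exporter source address (1.1.7.5 in Example 9-27) and treat a sequence number that goes backwards as a restart or a spoofing attempt rather than silently merging the records into the accounting data.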

You can aggregate and group flow information in various ways: by autonomous system number, by source and destination prefix, and by protocol and port. Aggregation caches let the router summarize NetFlow data before it is exported to a flow collector. As flows expire from the main NetFlow cache, they are entered into each enabled aggregation cache.

Aggregation caches export their records in NetFlow version 8 format only; version 8 is the format that carries aggregated records. For the AS-based and prefix-based schemes, the main cache must be exporting version 5 with either the peer-as or the origin-as option, so that the AS information the aggregation keys on is populated.

Cisco Express Forwarding (CEF) and NetFlow switching must be enabled before configuring flow aggregation. Enabling CEF populates the forwarding cache with source and destination addresses of the packets, which are used in the aggregation data.

NOTE

See Cisco Express Forwarding Overview in the 12.1 Configuration Guide, switching services configuration guide, on CCO, for more information on CEF.


Globally enabling CEF using the ip cef command enables CEF route-cache on all interfaces that support it. The following global command defines an aggregation cache:

  ip flow-aggregation cache {as | destination-prefix | prefix | protocol-port | source-prefix}

Table 9-4 documents some commands that you can apply to the cache. All these commands are entered in the aggregation cache configuration mode.

Table 9-4. Aggregation Cache Commands

  Command                                  What It Does
  ---------------------------------------  -------------------------------------------------
  cache entries number_of_entries          Sets the maximum number of cache entries, from
                                           1024 to 524,288. The default is 4096.
  cache timeout inactive seconds           Number of seconds an inactive entry remains in
                                           the cache before timing out, from 10 to 600.
                                           The default is 15 seconds.
  cache timeout active minutes             Number of minutes an active entry remains
                                           active, from 1 to 60. The default is 30 minutes.
  export destination ip_address udp_port   IP address and UDP port of the flow collector
                                           that receives this cache's version 8 records.
  enabled                                  Enables the aggregation cache.

AS aggregation groups flows with the same source BGP AS, destination BGP AS, input interface, and output interface. The number of flows, packets, and bytes summarized by the aggregated record is included in the exported data.

Example 9-28 shows Hummer configured with AS aggregation.

Example 9-28 Router Hummer from Figure 9-2 Is Configured with AS Aggregation
  ip cef
  !
  ip flow-export version 5 origin-as
  ip flow-export destination 1.1.3.250 125
  ip flow-aggregation cache as
   cache entries 2046
   cache timeout inactive 200
   cache timeout active 45
   export destination 1.1.3.250 9991
   enabled
  !

Example 9-29 shows the AS aggregation cache, using the command show ip cache flow aggregation as.

Example 9-29 Contents of the AS Aggregation Cache as Viewed with the Command show ip cache flow aggregation as
  Hummer# show ip cache flow aggregation as
  IP Flow Switching Cache, 135048 bytes
    1 active, 2043 inactive, 3 added
    167 ager polls, 0 flow alloc failures
    Active flows timeout in 45 minutes
    Inactive flows timeout in 200 seconds
  Src If       Src AS  Dst If       Dst AS  Flows   Pkts  B/Pk  Active
  Et1/3        400     Et1/2        100     357     42K   848   407.6

There are 357 flows associated with source interface Ethernet 1/3, source AS 400, destination interface Ethernet 1/2, and destination AS 100.

Prefix aggregation takes this a step further. It groups on everything AS aggregation uses (source and destination BGP AS, input and output interface) and additionally on the source and destination prefixes and their masks.

Destination-prefix aggregation groups data flows with the same destination prefix, destination prefix mask, destination BGP AS, and output interface. Use this to examine traffic traversing a NetFlow router by destination information.

The configuration in Example 9-30 is added to Hummer.

Example 9-30 Configuring Router Hummer from Figure 9-2 with Destination-Prefix Aggregation
  ip flow-aggregation cache destination-prefix
   cache entries 2046
   cache timeout inactive 200
   cache timeout active 45
   export destination 1.1.3.250 9991
   enabled

Example 9-31 displays the destination prefix aggregation cache.

Example 9-31 The Destination Prefix Aggregation Cache Is Viewed with the Command show ip cache flow aggregation destination-prefix
  Hummer# show ip cache flow aggregation destination-prefix
  IP Flow Switching Cache, 135048 bytes
    1 active, 2045 inactive, 1 added
    240 ager polls, 0 flow alloc failures
    Active flows timeout in 45 minutes
    Inactive flows timeout in 200 seconds
  Dst If         Dst Prefix      Msk  AS    Flows  Pkts B/Pk  Active
  Et1/2          1.1.3.0         /24  100    324    11K  442   239.5

There are 324 flows associated with destination interface Ethernet 1/2, destination prefix 1.1.3.0, mask /24, and destination AS 100.

You also can examine traffic by source information, using the source-prefix aggregation scheme. This scheme groups data by source prefix, source prefix mask, source BGP AS, and input interface.

The configuration in Example 9-32 is added to Hummer.

Example 9-32 Configuring Router Hummer from Figure 9-2 with Source-Prefix Aggregation
  ip flow-aggregation cache source-prefix
   cache entries 2046
   cache timeout inactive 200
   cache timeout active 45
   export destination 1.1.3.250 9991
   enabled

Example 9-33 shows the source prefix aggregated flows.

Example 9-33 The Source Prefix Aggregation Cache Is Viewed with the Command show ip cache flow aggregation source-prefix
  Hummer# show ip cache flow aggregation source-prefix
  IP Flow Switching Cache, 135048 bytes
    2 active, 2044 inactive, 3 added
    440 ager polls, 0 flow alloc failures
    Active flows timeout in 45 minutes
    Inactive flows timeout in 200 seconds
  Src If         Src Prefix      Msk  AS    Flows  Pkts B/Pk  Active
  Et1/3          1.1.2.0         /24  400    181  4813   200    42.0
  Et1/2          1.1.7.0         /24  0        1     1    44     0.0

There are 181 flows associated with the source interface Ethernet 1/3, source prefix 1.1.2.0, mask /24, and source AS 400.

If you want to examine flows by traffic type, enable protocol-port aggregation. Flows with the same IP protocol, source port number, and destination port number are grouped.

To configure protocol-port aggregation, add the configuration in Example 9-34 to Hummer.

Example 9-34 Configuring Router Hummer from Figure 9-2 with Protocol-Port Aggregation
  ip flow-aggregation cache protocol-port
   cache entries 2046
   cache timeout inactive 200
   cache timeout active 45
   export destination 1.1.3.250 9991
   enabled

Example 9-35 displays the protocol-port aggregation cache.

Example 9-35 Protocol Port Aggregation Cache Is Viewed with the Command show ip cache flow aggregation protocol-port
  Hummer# show ip cache flow aggregation protocol-port
  IP Flow Switching Cache, 135048 bytes
    14 active, 1972 inactive, 74 added
    882 ager polls, 0 flow alloc failures
    Active flows timeout in 45 minutes
    Inactive flows timeout in 200 seconds
  Protocol  Source Port  Dest Port  Flows  Packets  Bytes/Packet  Active
    0x06       0x0401      0x0017      1       90        70          0.0
    0x06       0x0400      0x0017      1       90        70          0.0
    0x11       0x0404      0x0035      1        3        28          0.0
    0x11       0x0405      0x0035      1        3        28          0.0
    0x11       0x0406      0x0035      1        3        28          0.0
    0x11       0x0407      0x0035      1        3        28          0.0
    0x11       0x0400      0x0035      1        3        28          0.0
    0x11       0x0414      0x0035      1        3        28          0.0
    0x11       0x0415      0x0035      1        3        28          0.0
    0x06       0x040B      0x0050      1       40       220          0.0
    0x06       0x0408      0x0050      1       40       220          0.0
    0x06       0x0409      0x0050      1       40       220          0.0
    0x06       0x0436      0x0050      1       40       220          0.0
    0x06       0x0437      0x0050      1       40       220          0.0

The cache holds 14 aggregated entries, grouped by IP protocol (0x06 TCP, 0x11 UDP), source port, and destination port; because every source port in this sample is different, each entry summarizes a single flow.
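The aggregation schemes just shown differ only in which fields of an expiring flow form the grouping key, and the cache entries limit from Table 9-4 decides how many distinct keys a cache can hold before further flows are dropped and counted as flow alloc failures. The following Python is an added example, not code from the book or from IOS: it implements the key for each of the five schemes, feeds a constructed set of 1012 flows matching the per-protocol summary of Example 9-27 through the caches, and shows what an undersized protocol-port cache does to the data. The ifIndex values, the individual hosts, and the source ports are assumptions.

```python
"""The five NetFlow aggregation schemes applied to flows expiring from the
main cache, with the cache-entries limit and its flow alloc failures counter
(added example; the flows are constructed)."""
import ipaddress


def _prefix(addr, mask):
    """Network prefix of addr under a /mask, which the prefix schemes key on."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


# The fields each scheme groups on, as described in the text.
SCHEMES = {
    "as": lambda f: (f["input"], f["src_as"], f["output"], f["dst_as"]),
    "destination-prefix": lambda f: (f["output"], _prefix(f["dst"], f["dst_mask"]),
                                     f["dst_as"]),
    "source-prefix": lambda f: (f["input"], _prefix(f["src"], f["src_mask"]),
                                f["src_as"]),
    "prefix": lambda f: (f["input"], f["src_as"], _prefix(f["src"], f["src_mask"]),
                         f["output"], f["dst_as"], _prefix(f["dst"], f["dst_mask"])),
    "protocol-port": lambda f: (f["proto"], f["sport"], f["dport"]),
}


class AggregationCache:
    """One aggregation cache. `entries` plays the role of 'cache entries': once
    the table is full, a flow with a new key cannot be allocated and is counted
    in alloc_failures, the 'flow alloc failures' line of the show output.
    Such flows never reach the collector, so the limit has to be sized for
    the traffic mix, not just for the memory the router can spare."""

    def __init__(self, scheme, entries=4096):
        self.key = SCHEMES[scheme]
        self.entries = entries
        self.table = {}
        self.alloc_failures = 0

    def add_expired_flow(self, flow):
        """Fold one expired main-cache flow into its aggregate record."""
        k = self.key(flow)
        rec = self.table.get(k)
        if rec is None:
            if len(self.table) >= self.entries:
                self.alloc_failures += 1
                return False
            rec = self.table[k] = {"flows": 0, "pkts": 0, "bytes": 0}
        rec["flows"] += 1
        rec["pkts"] += flow["pkts"]
        rec["bytes"] += flow["bytes"]
        return True

    def records(self):
        """Rows as (key, flows, packets, bytes per packet), like the show output."""
        return [(k, v["flows"], v["pkts"], v["bytes"] // v["pkts"])
                for k, v in self.table.items()]


def sample_flows():
    """Constructed flows matching the per-protocol summary of Example 9-27:
    19 Telnet flows (90 packets of 70 bytes), 596 HTTP flows (40 of 220) and
    397 DNS flows (3 of 28), all entering Et1/3 from AS 400 and leaving Et1/2
    toward AS 100. ifIndex 3/2 and the individual hosts and ports are assumed."""
    spec = [(6, 23, 19, 90, 70), (6, 80, 596, 40, 220), (17, 53, 397, 3, 28)]
    flows = []
    for proto, dport, n, pkts, bpp in spec:
        for i in range(n):
            host = 1 + i % 254
            flows.append({"src": f"1.1.2.{host}", "dst": f"1.1.3.{host}",
                          "src_mask": 24, "dst_mask": 24, "input": 3, "output": 2,
                          "src_as": 400, "dst_as": 100, "proto": proto,
                          "sport": 0x0400 + i, "dport": dport,
                          "pkts": pkts, "bytes": pkts * bpp})
    return flows


def aggregate(scheme, entries=4096):
    """Run every sample flow through one scheme's cache and return the cache."""
    cache = AggregationCache(scheme, entries)
    for flow in sample_flows():
        cache.add_expired_flow(flow)
    return cache


if __name__ == "__main__":
    for scheme in SCHEMES:
        print(f"{scheme}: {len(aggregate(scheme).table)} aggregated entries")
    small = aggregate("protocol-port", entries=512)
    print(f"protocol-port with 512 entries: {small.alloc_failures} alloc failures")
```

AS aggregation collapses all 1012 flows into a single record at 201 bytes per packet, the same figure as the Total line of Example 9-27, whereas protocol-port aggregation produces one entry per distinct source port. With cache entries 512, nearly half of those flows never reach the collector, which matters when the exported data is used for billing or for spotting a port scan.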

The various aggregation caches provide a lot of flexibility with the way data about traffic flows is aggregated. This information can facilitate traffic analysis and even billing.

Table 9-5 lists the maximum number of flow records per UDP datagram and the maximum UDP packet size for each aggregation scheme.

Table 9-5. Maximum Number of Flow Records and Maximum UDP Packet Size for Each NetFlow Aggregation Scheme

  Aggregation Scheme       Max Flow Records per UDP Datagram   Max UDP Packet Size
  -----------------------  ----------------------------------  -------------------
  BGP autonomous system    51                                  1456 bytes
  Destination-prefix       44                                  1436 bytes
  Prefix                   35                                  1428 bytes
  Protocol-port            51                                  1456 bytes
  Source-prefix            44                                  1436 bytes

Cisco NetFlow FlowCollector is an application that collects and reports on the NetFlow data. FlowCollector aggregates data coming from multiple Cisco routers (and switches) exporting NetFlow data. You can filter and group the data to suit the needs of the network manager.

NOTE

You can find detailed information about Cisco FlowCollector on CCO at www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/index.htm




Routing TCP/IP (Vol. 2, 2001)