Sometimes it proves useful to collect statistics on traffic flows, to account for network usage. This process may be useful for traffic engineering, as well as for billing network users based on usage. You can enable basic IP accounting on router interfaces. Packet source and destination are listed, as well as the number of bytes and packets transmitted between the two nodes. NetFlow offers a more thorough accounting functionality. In addition to source, destination, packet, and byte count, protocol and AS information is included. The NetFlow data can be aggregated in various ways, including by autonomous system, by subnet prefixes, and by protocol type. NetFlow is discussed further in the section titled "NetFlow."

IP Accounting

IP accounting provides basic accounting services. Packets that traverse the router are counted and are maintained on a source/destination basis. Packets that are sourced from or destined to the router itself are not counted. The accounting occurs on outbound interfaces. IP accounting disables autonomous switching and SSE switching on the interface.

Packets that pass access lists and are actually routed through the router are counted. Optionally, accounting can be enabled for packets that do not pass access lists. A large number of access list violations may indicate an attempted network attack or a misconfigured router.

You can enable accounting on outbound interfaces using the ip accounting command. To display the results of enabling accounting on outbound interfaces, use the show ip accounting [ checkpoint ] [ access-violations ] command. Example 9-25 displays IP accounting data collected on an Ethernet interface.
Example 9-25 IP Accounting Is Enabled on an Ethernet Interface; the show ip accounting Command Displays Multicast Packets Being Sent Out the Interface

Bowler(config)# int e 0
Bowler(config-if)# ip accounting
Bowler(config-if)# ^Z
Bowler# show ip accounting
   Source           Destination              Packets               Bytes
 10.1.1.88         228.13.20.216                 45               24611

Accounting data age is 0
Bowler# show ip accounting
   Source           Destination              Packets               Bytes
 10.1.1.88         224.2.127.254                  1                 229
 10.1.1.88         228.13.20.216                133               73689

Accounting data age is 0
Bowler# show ip accounting
   Source           Destination              Packets               Bytes
 10.1.1.88         224.2.127.254                  1                 229
 10.1.1.88         228.13.20.216                173               95952

Accounting data age is 0

IP accounting is enabled on Ethernet 0 of router Bowler. Packets routed out the Ethernet port are counted. Three subsequent displays of the accounting table show the source address 10.1.1.88 multicasting packets to both 224.2.127.254 and 228.13.20.216. You can clear the accounting table with the clear ip accounting command.

IP accounting can provide valuable information about traffic exiting an interface. Note, however, that performance degradation may occur when you implement it. Because IP accounting disables autonomous switching and SSE switching on the interface, the packets will be switched through the interface using a less-efficient mechanism than may have been designed into the network. In addition, maintaining the accounting database consumes the router's memory. Do not enable IP accounting if the router is running low on memory.

The command ip accounting-threshold threshold defines the number of entries that can be stored in an accounting database. The default value is 512 source/destination pairs. This default results in a maximum of 12,928 bytes of memory usage for each of the two databases, active and checkpointed. If you set the threshold too high, all the available memory could be consumed.
Enabling IP accounting on an interface is a quick way to view outbound traffic by source and destination address, but there is no built-in mechanism to get the data to a server that can parse the data and make it useful over time. NetFlow provides this functionality, in addition to providing more information about the traffic flows.

NetFlow

NetFlow switching identifies traffic flows and performs switching and access list processing within a router. In addition, because the flows are identified, statistics regarding the flows can be exported to an accounting server. While the flow is active, data about the flow is maintained in a NetFlow cache. When the flow expires, it can be added to an aggregation cache and can be exported to a management station. By default, the NetFlow cache can contain 64 K flow cache entries.

NOTE NetFlow switching consumes more memory and CPU resources than other switching modes. Understand the resources required on your router before enabling NetFlow.

To enable NetFlow switching, use the interface subcommand ip route-cache flow. To define the IP address and UDP port number of the flow collector that receives the data, use the following global commands:

ip flow-export destination ip-address udp-port
ip flow-export [ version 1 | version 5 [ origin-as | peer-as ]]

The version number must match the version that the flow collector is expecting. version 1 is the default. The origin-as option specifies that the exported data include the BGP origin AS for the source and destination. The peer-as option specifies that the exported data include the BGP peer AS of the router collecting the data, rather than the traffic's actual AS for the source and destination.

Figure 9-2 shows a simple network running BGP and collecting NetFlow data on router Hummer.

Figure 9-2. BGP Network Running NetFlow for Flow Accounting
NetFlow is enabled on router Hummer. The router is configured to collect information on flows on both interfaces. Example 9-26 shows the configuration for Hummer.

Example 9-26 Configuring Router Hummer in Figure 9-2 to Collect Information on Flows on Both Ethernet Interfaces

interface Ethernet1/2
 ip address 1.1.7.5 255.255.255.0
 ip route-cache flow
!
interface Ethernet1/3
 ip address 1.1.5.5 255.255.255.0
 ip route-cache flow
!
ip flow-export version 5 peer-as
ip flow-export destination 1.1.3.250 125

In the configuration in Example 9-26, the data includes the peer AS, rather than the origin AS. The show ip flow export command displays the data exporting parameters, whereas the show ip cache flow command displays the flow cache. Example 9-27 shows the flow export parameters and a sample of the flow cache of router Hummer.

Example 9-27 NetFlow Flow Information Displayed Using Commands show ip flow export and show ip cache flow

Hummer# show ip flow export
Flow export is enabled
  Exporting flows to 1.1.3.250 (125)
  Exporting using source IP address 1.1.7.5
  Version 5 flow records, peer-as
  527 flows exported in 18 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
Hummer# show ip cache flow
IP packet size distribution (51719 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .131 .000 .034 .000 .000 .000 .490 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .343 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  68 active, 65468 inactive, 1080 added
  22140 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics 00:08:35
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          19      0.0        90    70      3.3       0.0      15.5
TCP-WWW            596      1.1        40   220     46.7       0.0      15.4
UDP-DNS            397      0.7         3    28      2.3       0.0      15.5
Total:            1012      1.9        26   201     52.4       0.0      15.4

SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
Et1/3     1.1.2.13        Et1/2     1.1.3.13        06 0403 0015   17K
Et1/3     1.1.2.12        Et1/2     1.1.3.12        06 042D 0017    90
Et1/3     1.1.2.11        Et1/2     1.1.3.11        06 099E 0050    40
Et1/3     1.1.2.21        Et1/2     1.1.3.21        11 07D3 0035     3
Et1/3     1.1.2.21        Et1/2     1.1.3.21        11 07D2 0035     3
Et1/3     1.1.2.21        Et1/2     1.1.3.21        11 07D1 0035     3
Et1/3     1.1.2.21        Et1/2     1.1.3.21        11 07D0 0035     3

You can see how much more information is included with NetFlow than with IP accounting: packet size distribution, summary information, information by protocol, and by individual flows.

You can aggregate and group flow information in various ways: into groups based on autonomous system numbers, source and destination prefixes, and protocol ports. Aggregation caches enable the router to aggregate some of the NetFlow data before it is exported to a flow collector. The flow data is entered in each of the enabled aggregation caches as the flows expire in the main NetFlow cache. Flow aggregation uses a NetFlow version 8 aggregation cache only; version 8 allows the aggregated caches to be exported. The version 5 main cache must be configured with the peer-as or origin-as option specified.

Cisco Express Forwarding (CEF) and NetFlow switching must be enabled before configuring flow aggregation. Enabling CEF populates the forwarding cache with source and destination addresses of the packets, which are used in the aggregation data.

NOTE See Cisco Express Forwarding Overview in the 12.1 Configuration Guide, switching services configuration guide, on CCO, for more information on CEF. Globally enabling CEF using the ip cef command enables CEF route-cache on all interfaces that support it.
The following global command defines an aggregation cache:

ip flow-aggregation cache { autonomous_system | destination-prefix | prefix | protocol-port | source-prefix }

Table 9-4 documents some commands that you can apply to the cache. All these commands are entered in the aggregation cache configuration mode.

Table 9-4. cache Commands
AS aggregation groups flows with the same source BGP AS, destination BGP AS, input interface, and output interface. The number of flows, packets, and bytes summarized by the aggregated record is included in the exported data. Example 9-28 shows Hummer configured with AS aggregation.

Example 9-28 Router Hummer from Figure 9-2 Is Configured with AS Aggregation

ip cef
!
ip flow-export version 5 origin-as
ip flow-export destination 1.1.3.250 125
ip flow-aggregation cache as
 cache entries 2046
 cache timeout inactive 200
 cache timeout active 45
 export destination 1.1.3.250 9991
 enabled
!

Example 9-29 shows the AS aggregation cache, using the command show ip cache flow aggregation as.

Example 9-29 Contents of the AS Aggregation Cache as Viewed with the Command show ip cache flow aggregation as

Hummer# show ip cache flow aggregation as
IP Flow Switching Cache, 135048 bytes
  1 active, 2043 inactive, 3 added
  167 ager polls, 0 flow alloc failures
  Active flows timeout in 45 minutes
  Inactive flows timeout in 200 seconds
Src If   Src AS   Dst If   Dst AS   Flows   Pkts   B/Pk   Active
Et1/3    400      Et1/2    100      357     42K    848    407.6

There are 357 flows associated with source interface Ethernet 1/3, source AS 400, destination interface Ethernet 1/2, and destination AS 100.

Enable prefix aggregation to take this a step further. Prefix aggregation groups traffic on the same fields as AS aggregation (source and destination BGP AS, and input and output interface) and further subdivides it by source and destination prefix and by source and destination prefix mask.

Destination-prefix aggregation groups data flows with the same destination prefix, destination prefix mask, destination BGP AS, and output interface. Use this to examine traffic traversing a NetFlow router by destination information. The configuration in Example 9-30 is added to Hummer.
Example 9-30 Configuring Router Hummer from Figure 9-2 with Destination-Prefix Aggregation

ip flow-aggregation cache destination-prefix
 cache entries 2046
 cache timeout inactive 200
 cache timeout active 45
 export destination 1.1.3.250 9991
 enabled

Example 9-31 displays the destination prefix aggregation cache.

Example 9-31 The Destination Prefix Aggregation Cache Is Viewed with the Command show ip cache flow aggregation destination-prefix

Hummer# show ip cache flow aggregation destination-prefix
IP Flow Switching Cache, 135048 bytes
  1 active, 2045 inactive, 1 added
  240 ager polls, 0 flow alloc failures
  Active flows timeout in 45 minutes
  Inactive flows timeout in 200 seconds
Dst If   Dst Prefix   Msk   AS    Flows   Pkts   B/Pk   Active
Et1/2    1.1.3.0      /24   100   324     11K    442    239.5

There are 324 flows associated with destination interface Ethernet 1/2, destination prefix 1.1.3.0, mask /24, and destination AS 100.

You also can examine traffic by source information, using the source-prefix aggregation scheme. This scheme groups data by source prefix, source prefix mask, source BGP AS, and input interface. The configuration in Example 9-32 is added to Hummer.

Example 9-32 Configuring Router Hummer from Figure 9-2 with Source-Prefix Aggregation

ip flow-aggregation cache source-prefix
 cache entries 2046
 cache timeout inactive 200
 cache timeout active 45
 export destination 1.1.3.250 9991
 enabled

Example 9-33 shows the source prefix aggregated flows.
Example 9-33 The Source Prefix Aggregation Cache Is Viewed with the Command show ip cache flow aggregation source-prefix

Hummer# show ip cache flow aggregation source-prefix
IP Flow Switching Cache, 135048 bytes
  2 active, 2044 inactive, 3 added
  440 ager polls, 0 flow alloc failures
  Active flows timeout in 45 minutes
  Inactive flows timeout in 200 seconds
Src If   Src Prefix   Msk   AS    Flows   Pkts   B/Pk   Active
Et1/3    1.1.2.0      /24   400   181     4813   200    42.0
Et1/2    1.1.7.0      /24   0     1       1      44     0.0

There are 181 flows associated with the source interface Ethernet 1/3, source prefix 1.1.2.0, mask /24, and source AS 400.

If you want to examine flows by traffic type, enable protocol-port aggregation. Flows with the same IP protocol, source port number, and destination port number are grouped. To configure protocol-port aggregation, add the configuration in Example 9-34 to Hummer.

Example 9-34 Configuring Router Hummer from Figure 9-2 with Protocol-Port Aggregation

ip flow-aggregation cache protocol-port
 cache entries 2046
 cache timeout inactive 200
 cache timeout active 45
 export destination 1.1.3.250 9991
 enabled

Example 9-35 displays the protocol-port aggregation cache.
Example 9-35 Protocol Port Aggregation Cache Is Viewed with the Command show ip cache flow aggregation protocol-port

Hummer# show ip cache flow aggregation protocol-port
IP Flow Switching Cache, 135048 bytes
  14 active, 1972 inactive, 74 added
  882 ager polls, 0 flow alloc failures
  Active flows timeout in 45 minutes
  Inactive flows timeout in 200 seconds
Protocol   Source Port   Dest Port   Flows   Packets   Bytes/Packet   Active
0x06       0x0401        0x0017      1       90        70             0.0
0x06       0x0400        0x0017      1       90        70             0.0
0x11       0x0404        0x0035      1       3         28             0.0
0x11       0x0405        0x0035      1       3         28             0.0
0x11       0x0406        0x0035      1       3         28             0.0
0x11       0x0407        0x0035      1       3         28             0.0
0x11       0x0400        0x0035      1       3         28             0.0
0x11       0x0414        0x0035      1       3         28             0.0
0x11       0x0415        0x0035      1       3         28             0.0
0x06       0x040B        0x0050      1       40        220            0.0
0x06       0x0408        0x0050      1       40        220            0.0
0x06       0x0409        0x0050      1       40        220            0.0
0x06       0x0436        0x0050      1       40        220            0.0
0x06       0x0437        0x0050      1       40        220            0.0

There are 14 different protocol port flows. They are grouped by IP protocol, source port, and destination port.

The various aggregation caches provide a lot of flexibility in the way data about traffic flows is aggregated. This information can facilitate traffic analysis and even billing. Table 9-5 lists the maximum number of flow records per UDP datagram and the maximum UDP packet size for each aggregation scheme.

Table 9-5. A Listing of the Maximum Number of Flow Records and Maximum UDP Packet Sizes for Each NetFlow Aggregation Scheme
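A collector-side view of the version 5 export described under "NetFlow" and of the aggregation caches above, as an added example that is not part of the book or of any Cisco software: it parses one NetFlow version 5 export datagram (24-byte header, 48-byte records), rejecting a version or length mismatch, and then summarises the flows the way the as and protocol-port aggregation caches do. The datagram is constructed here, modelled on the flows in Example 9-27; the ifIndex values 3 and 2 and the AS numbers 400 and 100 are assumptions.

```python
import struct
from collections import defaultdict

# NetFlow v5 export datagram: 24-byte header, then up to 30 records of 48 bytes each.
HDR = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, engine type, engine id, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out ifIndex, pkts, octets,
                                                  # first, last, sport, dport, pad, flags, proto, tos,
                                                  # src AS, dst AS, src mask, dst mask, pad

def parse_v5(datagram):
    """Parse one v5 datagram into (header dict, list of flow dicts); reject malformed input."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than v5 header")
    ver, count, _up, _secs, _ns, seq, etype, eid, _samp = HDR.unpack_from(datagram)
    if ver != 5:
        raise ValueError("unexpected NetFlow version %d" % ver)
    if count > 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count %d does not match datagram length" % count)
    flows = []
    for i in range(count):
        r = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": ".".join(map(str, r[0])), "dst": ".".join(map(str, r[1])),
                      "in_if": r[3], "out_if": r[4], "pkts": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13],
                      "src_as": r[15], "dst_as": r[16]})
    return {"seq": seq, "engine": (etype, eid)}, flows

def aggregate(flows, key):
    """Summarise flows as an aggregation cache does: key -> [flows, packets, bytes]."""
    agg = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        e = agg[key(f)]
        e[0] += 1; e[1] += f["pkts"]; e[2] += f["bytes"]
    return dict(agg)

AS_KEY = lambda f: (f["in_if"], f["src_as"], f["out_if"], f["dst_as"])  # as aggregation
PORT_KEY = lambda f: (f["proto"], f["sport"], f["dport"])                # protocol-port aggregation

def _rec(src, dst, pkts, octets, sport, dport, proto):
    # Constructed record: ifIndex 3 -> 2, AS 400 -> 100 (assumed); nexthop, times, flags, tos, masks zeroed.
    a = lambda s: bytes(int(x) for x in s.split("."))
    return REC.pack(a(src), a(dst), b"\0" * 4, 3, 2, pkts, octets, 0, 0, sport, dport,
                    0, 0, proto, 0, 400, 100, 0, 0, 0)

# Constructed datagram modelled on the flows in Example 9-27 (not a real capture).
SAMPLE = HDR.pack(5, 4, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    _rec("1.1.2.13", "1.1.3.13", 90, 6300, 0x0403, 23, 6),   # telnet
    _rec("1.1.2.11", "1.1.3.11", 40, 8800, 0x099E, 80, 6),   # www
    _rec("1.1.2.21", "1.1.3.21", 3, 84, 0x07D3, 53, 17),     # dns
    _rec("1.1.2.21", "1.1.3.21", 3, 84, 0x07D2, 53, 17),     # dns
])

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE)
    for k, v in aggregate(flows, AS_KEY).items():
        print("in_if=%d src_as=%d out_if=%d dst_as=%d flows=%d pkts=%d bytes=%d" % (k + tuple(v)))
```

The as aggregation collapses the four records into one line (4 flows, 136 packets, 15268 bytes), while protocol-port aggregation keeps four, matching the per-port lines in Example 9-35.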
Cisco NetFlow FlowCollector is an application that collects and reports on the NetFlow data. FlowCollector aggregates data coming from multiple Cisco routers (and switches) exporting NetFlow data. You can filter and group the data to suit the needs of the network manager.

NOTE You can find detailed information about Cisco FlowCollector on CCO at www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/index.htm