IP Accounting

When enabled on an interface of a Cisco router, IP accounting creates a database of accounting information containing the number of bytes that passed through the router between pairs of IP addresses. There are actually more types of accounting, but here I'll talk about 2 types only: IP accounting and IP access-list violations accounting. The first gathers statistics for traffic passing through the Cisco router, entering and leaving it (meaning traffic destined for or originating from the router itself is not accounted for). The 2nd type gathers info about traffic that is rejected by the router according to the applied ACLs. Both types can be enabled on physical/logical interfaces only (so VTY, for example, is not included).

Both types share the same database memory space. And talking about memory: by default the router keeps 512 records; after these are exhausted no new accounting info is recorded. As usual, this is configurable (see later). The IP accounting buffer is circular: after it is exhausted, the old entries get replaced by new data.

IP accounting

Here is a sneak preview of accounting at work:

Source           Destination              Packets               Bytes
122.94.42.91     62.20.179.36                       2                 223

 

What you see is the IP addresses found in the IP packet header as source/destination, plus the number of packets and bytes. The database is updated continuously as traffic passes through the Cisco router.

IP accounting configuration

– Enable it on the interface of interest (only outbound traffic is recorded, i.e. traffic leaving the interface)
– If desired, tune the number of records kept
– View the gathered info in the CLI
– View the info through the SNMP agent (won't cover here)
– Clear the active accounting database and copy a snapshot to the checkpoint database (done at once)
– View the snapshot in the checkpoint database later at any time, or the active records in real time

So here is our CLI:
1) Enable on interface


Cisco-router(config)#int fa0/1
Cisco-router(config-if)#ip accounting [output-packets]

2) [Optional] Tune maximum records value if desired (default 512, maximum 4294967295):


Cisco-router(config)#ip accounting-threshold 1200

3) See the active records in the database:

Cisco-router#sh ip account


Source           Destination              Packets               Bytes
68.146.13.6      162.30.79.36                   1                 129
79.82.168.224    162.30.79.36                   1                 126
142.53.125.103   162.30.79.36                9237              423360
83.171.0.22      162.30.79.36                   1                 129
118.181.13.61    162.30.79.36                   4                 360

4) Copy active database to checkpoint database and wipe out active db records:

Cisco-router#clear ip account


Cisco-router#sh ip accounting checkpoint

Source           Destination              Packets               Bytes
68.146.13.6      162.30.79.36                   1                 129
79.82.168.224    162.30.79.36                   1                 126
142.53.125.103   162.30.79.36                9237              423360
83.171.0.22      162.30.79.36                   1                 129
118.181.13.61    162.30.79.36                   4                 360

Usage tip: What is this good for? As I stated in the previous post, I use such info to provide some insight for the client of what is going on (or rather going in/out) in his network at the given moment. So, all these commands I do on the client's perimeter equipment which we manage. I have not the slightest inclination to do this for client/whoever on my backbone gear, and you would be advised not to. Just try to enable accounting on the router passing gigabits of traffic and you'll have some 'splaning to do afterwards ;). And in general be advised that many of the posts in my blog come from a Service Provider view and not from the end-client enterprise (no matter how big it is) standpoint.

5.5) Some extra-bonus configs though: you may configure an ACL that limits the IP addresses for which accounting info is gathered. While it would be counter-productive to use such filtering when trying to catch who is loading your network, for long-term monitoring it makes sense:

Cisco-router(config)#ip accounting-list 19.90.14.59 0.0.0.0

Then only records involving this IP(s) will be written to the database:

Cisco-router#sh ip account


Source           Destination              Packets               Bytes
19.90.14.59    162.30.79.37                       7                2912

IP access-list violations accounting

This accounts for traffic blocked by ACL(s) applied to the interface(s).

– To enable:


Cisco-router(config-if)#ip accounting access-violations


Accounting will exclude mls traffic when mls is enabled.

–  To see the records:


Cisco-router#sh ip accounting access-violations


Source           Destination              Packets               Bytes   ACL

Accounting data age is 8

* Of course, to see something you need to have some blocking ACL applied to the interface(s) beforehand. As I have no ACL on any interface, this db is empty.
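
Added example (not part of the original post): a small Python parser for the "sh ip account" and "sh ip accounting access-violations" listings shown above, which ranks sources by bytes so the heaviest talker stands out. The sample text is constructed from the rows in this post; treating a fifth field on a row as the ACL identifier is an assumption based on the header shown above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the rows from the "sh ip account" listing in this post,
# plus the prompt, header and age lines the parser has to skip.
SAMPLE = """\
Cisco-router#sh ip account
Source           Destination              Packets               Bytes
68.146.13.6      162.30.79.36                   1                 129
79.82.168.224    162.30.79.36                   1                 126
142.53.125.103   162.30.79.36                9237              423360
83.171.0.22      162.30.79.36                   1                 129
118.181.13.61    162.30.79.36                   4                 360
Accounting data age is 8
"""

def parse_accounting(text):
    """Return one dict per data row; prompts, headers and footers are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) not in (4, 5):
            continue
        try:
            row = {
                "src": str(ipaddress.ip_address(f[0])),
                "dst": str(ipaddress.ip_address(f[1])),
                "packets": int(f[2]),
                "bytes": int(f[3]),
                # Assumption: access-violations rows carry the ACL as a 5th field.
                "acl": f[4] if len(f) == 5 else None,
            }
        except ValueError:
            continue  # not an address/counter row (header, "Accounting data age ...")
        rows.append(row)
    return rows

def top_talkers(rows, n=3):
    """Sum bytes per source; return (source, bytes, percent of total), heaviest first."""
    per_src = defaultdict(int)
    for r in rows:
        per_src[r["src"]] += r["bytes"]
    total = sum(per_src.values()) or 1
    ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
    return [(s, b, round(100 * b / total, 1)) for s, b in ranked[:n]]

if __name__ == "__main__":
    for src, nbytes, pct in top_talkers(parse_accounting(SAMPLE)):
        print(f"{src:<16} {nbytes:>10} bytes {pct:>6}%")
```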
