Path: utzoo!utgpu!watserv1!watmath!att!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!ncar!boulder!daemon
From: pte900@jatz.aarnet.edu.au (Peter Elford)
Newsgroups: comp.dcom.sys.cisco
Subject: Re: Cisco IP accounting
Message-ID: <29341@boulder.Colorado.EDU>
Date: 7 Nov 90 04:26:57 GMT
Sender: daemon@boulder.Colorado.EDU
Lines: 73

>From: aggarwal@nisc.jvnc.net (Vikas Aggarwal)
>
>This is regarding the IP accounting feature in cisco r8.xx.
> ... stuff deleted ...
>
>However, the entries in the accounting table are *not* sorted in any
>manner, and the table is effectively a list of the *first* X number of
>hosts who sent traffic its way. The table really offers very little by
>means of *useable* information in a WAN that has a large number of hosts.

Not quite true. If you retrieve the table via SNMP, you get it back
ordered by source IP address.

>I was hoping that the familiar "access-list" methodology would be used in
>the accounting software too- it would be nice to be able to configure the
>accounting for IP addresses using access lists which determine which
>entries are recorded in the accounting table. That way, I could account
>packets depending on the topology of my network and in a manner that was
>more meaningful to me than a mere collection of host-address pairs and
>packet counts. Over a period of time, I could make the accounting as
>specific as I would want and not have to worry about not being able to get
>info on a host because the host couldn't make it first into a slot in the
>accounting table.

This would be *EXTREMELY* useful. I find that just watching at our
central hub router for a minute or so I get ~300 pairs of numbers. Some
method of selecting out the interesting bits is definitely required.

Perhaps it might be more useful to allow some sort of "masked" counting
to be done, i.e. so that totals can be collected on a per net or subnet
basis, e.g.

    ip access-list 801 permit ip 128.250.1.0 0.0.0.255 130.56.0.0 0.0.255.255
    ip access-list 801 permit ip 0.0.0.0 255.255.255.255 130.56.0.0 0.0.255.255
    ip access-list 801 permit ip 0.0.0.0 255.255.255.255 139.130.72.0 0.0.0.63
    ip access-list 801 permit ip 0.0.0.0 255.255.255.255 139.130.104.0 0.0.0.63

    ip accounting access-group 801

This would create only four accounting table entries (but see below). One
for all packets from subnet 128.250.1.0 to network 130.56.0.0, one for all
other packets destined for network 130.56.0.0 and one each for a count of
all packets routed to a couple of subnets of 139.130.0.0 (which is
subnetted with mask 255.255.255.192).

Of course, you might still want to gather "the rest" on a per host or per
net basis, so maybe

    ip accounting per-network
    ip accounting per-host

would be useful as well. These would be mutually incompatible, and would
act as wildcards for access-lists, so that if no match was found in the
access-list, or if no access-list was present, then per-whatever
accounting would be done. If neither per-network, nor per-host were on,
then only the entries allowed by the access-list would apply.

Of course the killer with all this is that performance might disappear
down the plug hole ... but it is a pretty important feature. All of what
I have described above is doable with NNstat (for example), but if your
network backbone is a router rather than an Ethernet cable you need
NNstat features inside the router (including per TCP/UDP port
statistics). With regard to performance, perhaps a coprocessor, that
gets passed packets from the main processor for inspection might be the
way to go ...

Peter Elford,                           e-mail: P.Elford@aarnet.edu.au
Network Co-ordinator,                   phone:  +61 6 249 3542
Australian Academic Research Network,   fax:    +61 6 247 3425
c/o, Computer Services Centre,          post:   PO Box 4
Australian National University                  Canberra 2601
Canberra, AUSTRALIA