Re: [nsp] Experience with NSE-1 and IOS 12.0S?

From: George Robbins (grr@shandakor.tharsis.com)
Date: Mon Mar 19 2001 - 14:00:40 EST


> From gert@greenie.muc.de Mon Mar 19 13:35:31 2001
> Date: Mon, 19 Mar 2001 19:35:19 +0100
> From: Gert Doering <gert@greenie.muc.de>
> To: George Robbins <grr@shandakor.tharsis.com>, gert@greenie.muc.de,
> marcus@ri.st, sthaug@nethelp.no
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] Experience with NSE-1 and IOS 12.0S?
> References: <200103191828.NAA27836@shandakor.tharsis.com>
> In-Reply-To: <200103191828.NAA27836@shandakor.tharsis.com>; from George Robbins on Mon, Mar 19, 2001 at 01:28:08PM -0500
> X-mgetty-docs: http://alpha.greenie.net/mgetty/
>
> Hi,
>
> On Mon, Mar 19, 2001 at 01:28:08PM -0500, George Robbins wrote:
> > It may vary depending on the architecture.
> >
> > My learning experience was on a 3640, which had been stable, but started
> > maxing out CPU days after I'd turned on IP accounting with a large number
> > of entries and forgotten about it. It was doing mostly newsfeeds and
> > getting news traffic from one of the "newer" entries in the list would
> > max out the CPU.
> >
> > More recent experience during attacks seems to confirm a fairly direct
> > linkage between the size of the accounting list and CPU utilization/
> > survivability.
>
> Ah - this may very well be. We don't use the accounting list at all - we
> have to do ip accounting for *all* traffic that passes through our
> network, legitimate traffic (customers) and illegitimate (something people
> dump at us at exchange points, for example).
>
> If there would be a way to make entries like
>
> 195.30.0.1 <foreign> 17 12314
> <foreign> 195.30.0.1 28 12334
> <foreign> <foreign>
>
> (<foreign> being shown for every entry not on the ip accounting list)
> then using the ip accounting list would make much more sense for us.
>
> [..]
> > Ip accounting is fairly useless except as a debugging tool,
>
> Umm, actually, it works nicely for exactly that: ip accounting :-)
>
> > it would
> > be nice if you could specify a source/dest mask so that you could
> > bucket by class-C (for example) vs. specific addresses.
>
> This can be done with Netflow, but the problem with netflow is the way
> the data is exported (UDP - if the collector host is down, or a link
> in between is saturated, you drop accounting packets, that is, drop
> money...).
>
> gert

Well, in an ISP environment, there's no way we could have a large
enough accounting list to track all packets. Depending how many
buckets you need to create, you can get 100% byte-tracking with
rate-limit clauses (that don't actually limit) or precedence
accounting. Both are limited to about 10 buckets.

The other thing you might want to look at is "bgp policy accounting",
but that also has limited buckets, and if your setup is fairly static,
there's not much difference between what you can do with that vs. the
rate limiting.

Another approach would be "ip cef accounting" which is supposed to
count by destination prefix, but if you need source/dest tracking
that's not going to do you much good.

                                                        George
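Added example (not from either poster): a small Python script that does the two things wished for above off-box, aggregating the per-host "ip accounting" rows by source/destination prefix (the class-C bucketing George mentions) and collapsing any address outside a configured accounting list to "<foreign>" (the display Gert sketched). The sample rows are constructed in the simplified four-column form used in the thread, not real router output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in "source destination packets bytes" form, as sketched
# in the thread; not real "show ip accounting" output.
SAMPLE = """\
Source          Destination     Packets Bytes
195.30.0.1      10.1.2.3        17      12314
195.30.0.7      10.1.2.9        28      12334
195.30.1.4      10.9.9.9        5       400
10.1.2.3        195.30.0.1      28      12334
172.16.5.5      172.16.7.7      3       300
"""

def parse_accounting(text):
    """Yield (src, dst, packets, bytes) tuples; header/malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, pkts, byts = parts
        try:
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   int(pkts), int(byts))
        except ValueError:
            continue  # e.g. the "Source Destination ..." header line

def bucket(text, accounting_list, mask=24):
    """Sum packets/bytes per (src-prefix, dst-prefix) pair.

    accounting_list: networks you care about (the "ip accounting-list" idea);
    any address outside them is reported as '<foreign>' instead of a prefix.
    mask: prefix length used to bucket in-list addresses (24 = class-C size).
    """
    nets = [ipaddress.ip_network(n) for n in accounting_list]

    def label(addr):
        if not any(addr in n for n in nets):
            return "<foreign>"
        return str(ipaddress.ip_network((str(addr), mask), strict=False))

    totals = defaultdict(lambda: [0, 0])
    for src, dst, pkts, byts in parse_accounting(text):
        key = (label(src), label(dst))
        totals[key][0] += pkts
        totals[key][1] += byts
    return {k: tuple(v) for k, v in totals.items()}

if __name__ == "__main__":
    for (src, dst), (pkts, byts) in sorted(bucket(SAMPLE, ["195.30.0.0/16"]).items()):
        print(f"{src:18} {dst:18} {pkts:8d} {byts:10d}")
```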


