Re: [nsp] ip accounting-transit?

From: Gert Doering (gert@greenie.muc.de)
Date: Tue Jun 19 2001 - 17:00:40 EDT


Hi,

On Tue, Jun 19, 2001 at 10:35:53AM +0200, Ray Davis wrote:
> > On the way I found another interesting command,
> > "ip accounting-transits count"
> > described as:
> > "Control the number of transit records that
> > will be stored in the IP accounting
> > database"
> >
> > now what's this? What is considered a "transit record"? It sounds
> > similar to "ip accounting-threshold", but I can't see where it fits in?
> > Maybe it goes together with "ip accounting-list" (which I don't use
> > 'cause it isn't too useful for us)?
>
> As I understand it 'ip accounting-threshold' limits the number of records
> stored for entries that match your 'ip accounting-list' commands and
> 'ip accounting-transits' limits the number of records stored for entries
> that do not match your 'ip accounting-list' commands.

That would make sense. It doesn't work that way, though. On my test
router, I have set "ip accounting-transits 100", and I see "just a
handful" of things that are not matched by the ip accounting-list:

cisco#sh run | include accounting
ip accounting-list 193.149.48.161 0.0.0.0
ip accounting-list 195.30.1.100 0.0.0.0
ip accounting-transits 100
cisco#sh ip account | exclude 193.149.48.161
(note: 195.30.1.100 manually removed)
   Source           Destination      Packets   Bytes
 195.30.0.7       193.149.48.164         2     168
 193.149.48.164   195.30.0.7             2     168
 193.149.48.180   195.30.254.160        16     832
 195.30.254.160   193.149.48.180        21   10660
 195.30.0.126     193.149.48.180         1      76
 193.149.48.180   195.30.0.126           1      76
 193.149.44.10    193.149.48.180        20    9938
 193.149.48.180   193.149.44.10         25    3440
 193.149.48.13    193.149.48.180         4     429
 193.149.48.180   193.149.48.13          4     445
 193.149.48.180   193.149.48.8           4     445

- that's all there is, and it is definitely lacking some ongoing TCP
sessions. For example, 193.149.48.164 <-> 195.30.0.7 is a news server
connection. Two packets have been recorded in 24h, but a number of
Mbytes have actually been exchanged.

So this remains a mystery...

> > Also, I just found that I don't understand "ip accounting-list" either - I
> > thought it would restrict the IP addresses that go into accounting, but
> > it doesn't work (with 12.2(2)T) - I have set "ip accounting-list" entries
> > for two single hosts, and "show ip account" shows everything that passes
> > through this router.
>
> Try setting ip accounting-transits to 0 (the default).

This *does* suppress these extra lines, so it explains, to an extent,
what the command does.

It doesn't really explain why those lines, if they appear in the first
place, are incomplete... seems this feature is just buggy in 12.2(2)T.

(Interesting side question: has anybody done any "accounting" with IPv6
yet?)

> > Does someone have a working sample for *this*?
> No idea if this snippet is optimal, but it works for me:
>
> ip accounting-threshold 4098
> ip accounting-list 123.123.237.32 0.0.0.15
> ip accounting-list 123.123.238.48 0.0.0.7
[..]
> ip accounting-transits 1024

So does this mean you really get up to 1024 "foreign" entries, and *all*
of the traffic for those IPs? Could you test this?

[..]
> Every 15 minutes a unix box uses expect to login to the router and do:
>
> term len 0
> clear ip accounting
> show ip accounting checkpoint

Yes - standard procedure :-)

> Then another script parses the checkpoint file and stuffs the data
> into a postgres database. Postgres is great since you can make
> queries using cidr syntax:
>
> destination_addr << 123.123.240.192/26

Nice. Can it do IPv6 as well?

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
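
Added example, not part of the original post or of either poster's scripts: a
sketch of the "parse the checkpoint output and query it by CIDR" step described
above, done in Python instead of postgres. The sample output is constructed in
the column layout shown in the message, and the function names are hypothetical.
Bytes that match none of the given prefixes are counted separately, which is
the figure to compare against interface counters when transit records look
incomplete.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the "Source Destination Packets Bytes" layout shown in
# the post; addresses are documentation ranges, not values from the thread.
SAMPLE = """\
router#show ip accounting checkpoint
   Source           Destination      Packets   Bytes
 192.0.2.10       198.51.100.200         2     168
 198.51.100.200   192.0.2.10             2     168
 203.0.113.5      198.51.100.193        16     832
 198.51.100.193   203.0.113.5           21   10660
 203.0.113.5      198.51.100.20          4     445

Accounting data age is 15
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_checkpoint(text):
    """Yield (src, dst, packets, bytes) per data row; skip prompts and headers."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            src, dst = (ipaddress.ip_address(m.group(i)) for i in (1, 2))
        except ValueError:
            continue  # row looked numeric but is not a valid address
        yield src, dst, int(m.group(3)), int(m.group(4))

def bytes_by_prefix(rows, prefixes):
    """Sum bytes per prefix and direction; also return bytes matching no prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    unmatched = 0
    for src, dst, _pkts, nbytes in rows:
        hit = False
        for net in nets:
            for addr, direction in ((dst, "in"), (src, "out")):
                if addr in net:
                    totals[str(net)][direction] += nbytes
                    hit = True
        if not hit:
            unmatched += nbytes
    return dict(totals), unmatched
```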


