IP Accounting Overhead on Cisco Routers

bianderson
Level 1

Hi,

I was wondering if anyone can help. We have a situation where a customer is experiencing some virus outbreaks and we can usually identify where it's happening by patterns in the IP accounting database. The customer has a VPN-based network managed by us, and a corporate network managed by a third party, and the third party management company are concerned that the application of the "ip accounting" command may cause too much CPU overhead.

I personally have never had any real issues with IP accounting causing any major overhead problems, as the default max size of 512 entries seems to get hit quite early in a virus situation, but can anyone help me quantify how much load on the CPU would be added by having IP accounting enabled?

The routers are mainly 2610 (not XM) with fairly early 12.0 IOS.

As far as I am aware, the maximum entry parameter fixes the max size of the database to around 12k, so memory shouldn't be an issue.

Any help would be appreciated.

Cheers.

Bill.

4 Replies

umedryk
Level 5

Hi Bill,

As dCEF does not support IP accounting, you will see an increase in CPU utilization.

bratager
Level 1

We also run ip accounting pretty regularly as well; the impact I've seen is negligible. Unless your CPU utilization is already fairly high (80% or more), I wouldn't be too concerned. Another alternative to ip accounting that is a little less processor intensive is turning on NetFlow with the interface command below. This will also give a breakdown of overall protocol traffic as well as more detailed flows including port information.

ip route-cache flow

To see output:

sh ip cache flow

v-nguyen
Level 1

Is there any chance that you can explain further on how you would identify virus patterns in the IP accounting table? I'm currently seeing columns Source, Destination, Packets and Bytes whenever I issue "show ip account" command. Thanks.

It depends on the virus, but during the last outbreak we were able to tell by excessive traffic being sent from one host to multiple destinations which were all incremental (x.x.x.1, .2, .3, and so on) in the destination column, which we knew was not normal flow or legitimate traffic.

That being said, ip accounting is probably not the best tool for detecting a virus, but you can use it if you are monitoring realtime and understand the traffic flows on the interface you are monitoring.
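
The pattern described in the reply above (one source sending to a run of incrementing destination addresses) can be checked mechanically against saved "show ip accounting" output. The following Python is an added example, not code from any poster in this thread; the sample rows, the function names and the min_run threshold of 5 are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Source / Destination / Packets / Bytes layout.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 10.1.1.20        192.168.5.10                  4312             2871004
 10.1.1.20        192.168.5.25                   118               90412
 10.1.1.77        172.16.40.1                      2                  96
 10.1.1.77        172.16.40.2                      2                  96
 10.1.1.77        172.16.40.3                      2                  96
 10.1.1.77        172.16.40.4                      2                  96
 10.1.1.77        172.16.40.5                      2                  96
 10.1.1.77        172.16.40.6                      2                  96
 10.1.1.77        172.16.40.9                      2                  96
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Yield (source, destination, packets, bytes); header lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield (ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]),
                   int(m[3]), int(m[4]))

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    best = run = 0
    prev = None
    for a in sorted(set(addrs)):
        run = run + 1 if prev is not None and int(a) == int(prev) + 1 else 1
        best = max(best, run)
        prev = a
    return best

def find_sweepers(text, min_run=5):
    """Map each source to its longest consecutive-destination run, if >= min_run."""
    dests = defaultdict(list)
    for src, dst, _packets, _bytes in parse_accounting(text):
        dests[src].append(dst)
    runs = {str(src): longest_run(d) for src, d in dests.items()}
    return {src: run for src, run in runs.items() if run >= min_run}

if __name__ == "__main__":
    for src, run in find_sweepers(SAMPLE).items():
        print(f"{src}: {run} consecutive destination addresses")
```

Because the accounting table stops growing at its entry limit (512 by default, as the original post notes), a single long-lived table can miss later hosts; running this over snapshots taken at short intervals gives a more complete picture.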