I’m going through the blueprint and now I checked off IP accounting. The feature is very simple, it lets us see which source destination pairs that are sending traffic to each other. We can also configure to look what precedence values that are in the packets. There is also an option to look at the MAC-addresses of the packets passing through and also packets that are being denied by an access-list. The topology is dead simple, see below.
Configure your routing protocol of choice to get reachability. I’m using OSPF, it does not matter at all as long as you have connectivity. Now lets say that we are interested in which source and destination pairs that are sending traffic THROUGH the router (transit). Packets destined TO the router will not be seen in the accounting. I’ll configure accounting on R2’s interface to R1 and then initiate a ping from R1 to R3. I’ll send traffic both to the loopback and R3’s FastEthernet interface to see two different source/destination pairs.
OK, lets ping.
Now we will check the accounting database with the show ip accounting command.
So that shows us what sources/destinations are sending traffic to each other, interesting! We can also see the number of packets and number of bytes. If we want to check statistics for only certain hosts we can use the global ip accounting-list command to define what hosts we are interested in. We define hosts/networks as in ACL with network/wilcard combination.
Storing entries in the IP accounting database requires some memory, there could be a risk of exhaustion if we have too many entries but the default is set to max 512 entries. We can define this with the global ip accounting-threshold command.
So now we want to check what IP precedence values pass through our interfaces and also what MAC addresses that are sending/receiving traffic. Lets configure this.
Then we send some pings from R1, I will send with a ToS of 128, what IP precedence/DSCP is that? Think quick.
Lets verify at R2 if we see anything, the command to use is show interface precedence.
So a ToS of 128 was a IP prec of 4 but you already figured that, right? 🙂 What is that traffic with IP prec 6? Mysterious…We are running routing so that is OSPF which is marked with an IP precedence of 6 automatically by the router itself. We can also check what MAC addresses have been learned.
Here we also see OSPF represented by the MAC address 01-00-5E-00-00-05. We can also see when the last packet was sent which is quite handy. Now we will turn on accounting for access-lists as well, first we will define an ACL denying ICMP to 188.8.131.52 which is the loopback of R3. Note that we need the log keyword in the ACL.
Now we send traffic from R1 to 184.108.40.206.
For some reason I don’t see anything with the show ip accounting access-violations. Maybe this is a software issue? I tried turning off CEF as well. If any of my readers get this working I would be interested.
Lastly lets have a brief look at how traceroute works in IOS. Cisco devices uses UDP traceroute compared to ICMP used by Windows. The router sends packets with TTL of 1 and then N+1 the further away the probe goes. Traceroute sends three packets for every hop. The first hop will have a destination port of 33435, the second one will have 33436 and so on. If we want a router to not respond to traceroute we can turn off IP unreachables. Note that this will not hinder traceroute for which this router is not the final destination. Only the final device will send an ICMP unreachable (port unreachable) which is ICMP code 3. The other routers will send time exceeded which is ICMP code 11.
If we did want to block traceroute going through the router we could block this with an ACL denying packets that have ttl-exceeded or all packets lower than a certain TTL. If we need to find ICMP codes we can reference the ASA library. This should be available at the lab. You can find the reference by following this path.
Products > Security > Firewalls > Firewall Appliances > Cisco ASA 5500 Series Adaptive Security Appliances > Configure > Configuration Guides > Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 > Reference > Addresses, Protocols, and Ports > ICMP types
So this is just another feature that is handy to have.
6 thoughts on “Quick post on IP applications”
Try using a numbered ACL, and then see if ip accounting access-violations works. I seem to recall seeing that limitation listed somewhere
That worked. Thanks for pointing it out 🙂 How’s your prep going?
It’s a bit of a weird limitation. I think it’s in one of the INE labs – maybe around lab 15 or something?
Prep…well after my first attempt last year, I then had a long break with getting married, honeymoon, etc. I needed the break anyway. Getting back into the swing of study now, circling back around over some lower level topics to get into it, and refresh a few of the details.
Going to sit around the middle of the year, not rushing it, want to have _some_ time when I don’t have to study, rather than trying to do too much in too short a time as I was doing last year.
That is awesome
I didn’t know about that
You’re welcome 🙂 Always cool when you learn some new stuff. Studying anything specific right now dlots?
This can come in handy somewhere…