Jump to content

IP Accounting (Top Talkers)


Recommended Posts

A helpful tool on the Cisco Layer 3 hardware to assist in troubleshooting bandwidth concerns is to run ip accounting.

IP Accounting is a very useful accounting feature in Cisco IOS, but it’s not as well known as other features, such as NetFlow.

IP Accounting (Layer 3) collects the number of bytes and packets processed by the network element on a source and destination IP address basis. Only transit traffic that enters and leaves the router is measured, and only on an outbound basis.

To provide the operator with the opportunity of “snapshot†collections in the network, IP Accounting (Layer 3) maintains two accounting databases: an active database and a checkpoint database. The active collection process always updates the active database and therefore constantly increments the counters while packets pass the router. To get a snapshot of the traffic statistics, a CLI command or SNMP request can be executed to copy the current status from the active database to the checkpoint database. This copy request can be automated across the network to be executed at the same time, and a Network Management application can later retrieve the accounting details from the checkpoint database to present consistent accounting data to the operator. The checkpoint database offers a “frozen†snapshot of the complete network. Trying to achieve the same result by synchronously polling entire MIB tables across multiple network elements would introduce some inaccuracies, and hence no real “frozen†snapshots. The collected data can be used for performance and trending applications that require collections at regular intervals. The snapshot function is unique to IP Accounting.

router(config-if)# ip accounting output-packets

enables IP Accounting (Layer 3) for output traffic on the interface.

router(config)# ip accounting-list [ip address:0a1776f5] [ip address mask:0a1776f5][/code]

defines filters to control the hosts for which IP Accounting (Layer 3) information is kept. The filters are similar to an aggregation scheme and can be used to reduce the number of collected records. If filters are applied, details such as number of packets and bytes are kept only for the traffic that matches the filters, while all others are aggregated into “transit records.â€

router(config)# ip accounting-transits count

controls the number of transit records that are stored in the IP Accounting (Layer 3) database. Transit entries are those that do not match any of the filters specified by the global configuration command ip accounting-list. If no filters are defined, no transit entries are possible. The default number of transit records that are stored in the IP Accounting (Layer 3) database is 0.

Note that the term “transit†in this case refers to packets that are not matched by the filter statements. In the IP Accounting (Layer 3) definition, “transit†refers to packets that traverse the router, compared to traffic that is generated at the router or destined for the router.

router(config)# ip accounting-threshold count

sets the maximum number of accounting entries to be created. The accounting threshold defines the maximum number of entries (source and destination address pairs) that are accumulated. The default accounting threshold is 512 entries, which results in a maximum table size of 12,928 bytes. The threshold counter applies to both the active and checkpoint tables.

The threshold value depends on the traffic mix, because different traffic types create different records for the source and destination address pairs. Whenever the table is full, the new entries (overflows) are not accounted. However, show ip accounting displays the overflows: “Accounting threshold exceeded for X packets and Y bytes.†Alternatively, these values are available in the MIB: actLostPkts (lost IP packets due to memory limitations) and actLostByts (total bytes of lost IP packets). You should monitor the overflows number, at least during the deployment phase, to find the right balance between the number of entries and memory consumption.

router# show ip accounting  output-packets 

displays the active accounting or checkpoint database.

router# clear ip accounting

copies the content of the active database to the checkpoint database and clears the active database afterward.

router# clear ip accounting checkpoint 

clears the checkpoint database.

The IP Accounting (Layer 3) configuration is straightforward:

router(config)#int serial 0/0

router(config-if)#ip accounting output-packets


After configuring IP Accounting (Layer 3), the active database populates:

router#show ip accounting output-packet

For this example, IP Accounting ACL is configured in addition to IP Accounting (Layer 3); however, it can be configured independently of IP Accounting (Layer 3). An access list is inserted, which blocks the traffic coming from the source IP address and going to the destination IP address

router(config)#access-list 107 deny ip host host

router(config)#access-list 107 permit ip any any

router(config)#int serial 0/0

router(config-if)#ip accounting output-packets

router(config-if)#ip accounting access-violations

router(config-if)#ip access-group 107 out


Afterwards, the following results can be retrieved from the router:

router#show ip accounting access-violations

Source Destination Packets Bytes ACL

Accounting data age is 3

Link to comment
Share on other sites


  • Create New...