I am a big fan of IP Accounting as it enables me to keep long term-ish statistics on a per src/dst prefix basis. I am able to work out my weekly or monthly bandwidth usage and can see how much data each host on my network uses. I can see that I have used a total of 4.7GB in the last 5 days and the majority of that has been towards my Apple TV. A lot of people are probably thinking this would be better achieved using a more scalable solution like NetFlow, but I like the ability to query this data on-box and not have to use a collector.
Having my network IPv6 enabled at home with an IPv4 tunnel providing IPv6 services, I was curious to know how much data was being delivered over IPv6. To my dismay I discovered that IP Accounting isn’t supported for IPv6. With a little help from the kind people at the cisco-nsp mailing list I discovered Flexible NetFlow with permanent caches.
NetFlow is a valuable tool in providing per flow traffic statistics on your network. It allows you to aggregate and export data to external collectors in a scalable and flexible way. However, due to the amount of data that NetFlow can collect, it likes to get the data off the router fairly quickly. With Flexible NetFlow, Cisco have introduced permanent caches which aren’t exported and remain on the router for the purpose of accounting and security.
To configure Flexible NetFlow to provide IP Accounting type statistics, we start by configuring a flow record which defines what information you wish to aggregate on and what information you wish to collect:

flow record IPv6-FLOW-RECORD
 match ipv6 source address
 match ipv6 destination address
 collect counter bytes
 collect counter packets
!
In the above example we want to match “ipv6 source address” and “ipv6 destination address”; the match statements define what you are aggregating on. For every unique combination of source and destination address an aggregate will be formed that counts the bytes and number of packets. Once we have defined our flow record, we need to define a flow monitor which actually looks at the traffic:

flow monitor IPv6-MONITOR
 record IPv6-FLOW-RECORD
 cache type permanent
 cache entries 131072
!
In the flow monitor, we specify the flow record that we defined previously and set the cache type to “permanent”, which means flows are neither exported nor expired. One of the key elements is the cache size, which is defined using the “cache entries” command. This defines how many entries you can store; the bigger the value, the more memory required. An important note: once you have filled your cache you won’t be able to add new flows. New data which matches existing flows will still be counted, but no new flows will be created. You will need to ensure you set your cache big enough to store the amount of data for the time period required. Finally, we need to apply our flow monitor to the interface we wish to monitor:

interface Vlan199
 ipv6 flow monitor IPv6-MONITOR output
!
Once you have left this for a while you should have accumulated some data in your cache. To view the data you can use the following command:
Router# show flow monitor IPv6-MONITOR cache format table
  Cache type:                            Permanent
  Cache size:                               131072
  Current entries:                               4
  High Watermark:                                4

  Flows added:                                   4
  Updates sent            (  1800 secs)         36

IPV6 SRC ADDR              IPV6 DST ADDR        bytes long perm       pkts long perm
=========================  ===================  ====================  ====================
2A01:4F8:100:2281::3       2001:..:F8BE                         1477                    10
2001:200::44D7             2001:..:E20                         66703                    54
2A00:1450:400C:C02::68     2001:..:E20                        176957                   161
2001:A18:1:20::42          2001:..:E20                          9586                    21
As well as showing this information in a tabular format, you also have the option of specifying “csv” as the format to make it easier to import the data into Excel or similar. You also have the ability to manipulate the data on the router to drill down into the statistics. The following shows how you can display the top bandwidth consumers by destination:

Router# show flow monitor IPv6-MONITOR cache aggregate ipv6 destination address sort highest counter bytes
Processed 4 flows
Aggregated to 2 flows
Showing the top 2 flows

IPV6 DST ADDR              flows       bytes long perm       pkts long perm
=========================  ==========  ====================  ====================
2001:..:E20                         3                253246                   236
2001:..:F8BE                        1                  1477                    10
Finally, to clear the statistics in the cache you can use the “clear flow monitor IPv6-MONITOR” command, which will allow you to start collecting new statistics. To determine when the cache was last cleared you can multiply the “updates sent” by the “update interval” to get a value +/- the “update interval”. The same theory works for traditional IPv4 as well, which allows me to remove IP Accounting in favour of Flexible NetFlow.
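If you do pull the table output off the router, the same checks can be scripted. The following is an added example, not part of the original post: it parses the table output shown above, totals bytes per destination, reports how full the permanent cache is (a full cache stops recording new flows) and estimates the time since the last clear from “updates sent” and the update interval. The function names and the 80% warning threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Sample input: the table output shown in the post (addresses are elided there).
SAMPLE = """\
  Cache type:                            Permanent
  Cache size:                               131072
  Current entries:                               4
  High Watermark:                                4
  Flows added:                                   4
  Updates sent            (  1800 secs)         36

IPV6 SRC ADDR              IPV6 DST ADDR        bytes long perm  pkts long perm
=========================  ===================  ===============  ==============
2A01:4F8:100:2281::3       2001:..:F8BE                    1477              10
2001:200::44D7             2001:..:E20                    66703              54
2A00:1450:400C:C02::68     2001:..:E20                   176957             161
2001:A18:1:20::42          2001:..:E20                     9586              21
"""

def parse_cache(text):
    """Return (stats, flows) parsed from the table-format cache output."""
    stats = {k: int(v) for k, v in
             re.findall(r"(Cache size|Current entries):\s+(\d+)", text)}
    m = re.search(r"Updates sent\s+\(\s*(\d+) secs\)\s+(\d+)", text)
    if not m or len(stats) != 2:
        raise ValueError("not permanent-cache table output")
    stats["interval"], stats["updates"] = int(m.group(1)), int(m.group(2))
    flows = []
    for line in text.splitlines():
        f = line.split()
        # Flow rows have exactly four fields: src, dst, bytes, packets
        if len(f) == 4 and ":" in f[0] and f[2].isdigit() and f[3].isdigit():
            flows.append((f[0], f[1], int(f[2]), int(f[3])))
    return stats, flows

def report(text, warn_pct=80.0):  # warn_pct is an assumed threshold
    stats, flows = parse_cache(text)
    by_dst = defaultdict(int)
    for _src, dst, nbytes, _pkts in flows:
        by_dst[dst] += nbytes
    used = 100.0 * stats["Current entries"] / stats["Cache size"]
    return {
        "top_dst": sorted(by_dst.items(), key=lambda kv: kv[1], reverse=True),
        "cache_used_pct": used,
        "cache_warning": used >= warn_pct,  # full cache drops new flows
        "secs_since_clear": stats["updates"] * stats["interval"],  # +/- interval
    }

if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample above, the per-destination totals match the router's own aggregate output and the estimated time since the last clear is 18 hours.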