Networking and Unix

Cisco IOS: IPv6 Accounting using Flexible Netflow

September 8th, 2011

I am a big fan of IP Accounting as it enables me to keep long term-ish statistics on a per src/dst prefix basis. I am able to work out my weekly or monthly bandwidth usage and can see how much data each host on my network uses. I can see that I have used a total of 4.7GB in the last 5 days and the majority of that has been towards my Apple TV. A lot of people are probably thinking this is probably achieved better using a more scalable solution like NetFlow, but I like the ability to query this data on-box and not have to use a collector.

Having my network IPv6 enabled at home with an IPv4 tunnel providing IPv6 services, I was curious to know how much data was being delivered over IPv6. To my dismay I discovered that IP Accounting isn’t supported for IPv6. With a little help from the kind people at the cisco-nsp mailing list I discovered Flexible NetFlow with permanent caches.

NetFlow is a valuable tool in providing per flow traffic statistics on your network. It allows you to aggregate and export data to external collectors in a scalable and flexible way. However, due to the amount of data that NetFlow can collect, it likes to get the data off the router fairly quickly. With Flexible NetFlow, Cisco have introduced permanent caches which aren’t exported and remain on the router for the purpose of accounting and security.

To configure Flexible NetFlow to provide IP Accounting type statistics, we start by configuring a flow record which defines what information you wish to aggregate on and what information you wish to collect:

flow record IPv6-FLOW-RECORD
 match ipv6 source address
 match ipv6 destination address
 collect counter bytes
 collect counter packets

In the above example we match on “ipv6 source address” and “ipv6 destination address”; the match statements define what you are aggregating on. For every unique combination of source and destination address an aggregate will be formed that counts the bytes and number of packets. Once we have defined our flow record, we need to define a flow monitor which actually looks at the traffic:

flow monitor IPv6-MONITOR
 record IPv6-FLOW-RECORD
 cache type permanent
 cache entries 131072

In the flow monitor, we specify the flow record that we defined previously and set the cache type to “permanent”, which means flows are neither exported nor expired. One of the key elements is the cache size, which is defined using the “cache entries” command. This defines how many entries you can store; the bigger the value, the more memory required. An important note: once you have filled your cache you won’t be able to add new flows. New data which matches existing flows will still be counted, but no new flows will be created. You will need to ensure you set your cache big enough to store the amount of data for the time period required. Finally, we need to apply our flow monitor to the interface we wish to monitor:

interface Vlan199
 ipv6 flow monitor IPv6-MONITOR output

Once you have left this for a while you should have accumulated some data in your cache. To view the data you can use the following command:

Router# show flow monitor IPv6-MONITOR cache format table
  Cache type:                            Permanent
  Cache size:                               131072
  Current entries:                               4
  High Watermark:                                4

  Flows added:                                   4
  Updates sent            (  1800 secs)         36

IPV6 SRC ADDR              IPV6 DST ADDR             bytes long perm        pkts long perm
=========================  ===================  ====================  ====================
2A01:4F8:100:2281::3       2001:..:F8BE                         1477                    10
2001:200::44D7             2001:..:E20                         66703                    54
2A00:1450:400C:C02::68     2001:..:E20                        176957                   161
2001:A18:1:20::42          2001:..:E20                          9586                    21

As well as showing this information in a tabular format, you also have the option of specifying “csv” as the format to make it easier to import the data into Excel or similar. You also have the ability to manipulate the data on the router to drill down into the statistics – the following shows how you can display the top bandwidth consumers by destination:

Router# show flow monitor IPv6-MONITOR cache aggregate ipv6 destination address sort highest counter bytes
Processed 4 flows
Aggregated to 2 flows
Showing the top 2 flows

IPV6 DST ADDR                   flows       bytes long perm        pkts long perm
=========================  ==========  ====================  ====================
2001:..:E20                         3                253246                   236
2001:..:F8BE                        1                  1477                    10

Finally, to clear the statistics in the cache you can use the “clear flow monitor IPv6-MONITOR” command, which will allow you to start collecting new statistics. To determine when the cache was last cleared you can multiply the “updates sent” value by the “update interval” to get a value +/- the “update interval”. The same theory works for traditional IPv4 as well, which allows me to remove IP Accounting in favour of Flexible NetFlow.
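The same arithmetic can be done off-box on a saved copy of the table output. The script below is an added example, not code from the original post: it rebuilds the per-destination aggregate, estimates the time since the cache was last cleared, and flags a cache that is close to full (the point at which new flows stop being recorded). The function names and the 80% warning threshold are assumptions.

```python
import re
from collections import defaultdict
# Sample copied from the "cache format table" output above; elided addresses kept as-is.
SAMPLE = """\
  Cache type:                            Permanent
  Cache size:                               131072
  Current entries:                               4
  High Watermark:                                4
  Flows added:                                   4
  Updates sent            (  1800 secs)         36
IPV6 SRC ADDR              IPV6 DST ADDR             bytes long perm        pkts long perm
=========================  ===================  ====================  ====================
2A01:4F8:100:2281::3       2001:..:F8BE                         1477                    10
2001:200::44D7             2001:..:E20                         66703                    54
2A00:1450:400C:C02::68     2001:..:E20                        176957                   161
2001:A18:1:20::42          2001:..:E20                          9586                    21
"""

def parse_cache(text):
    """Return (header dict, list of (src, dst, bytes, pkts)) from the table output."""
    hdr, flows, in_table = {}, [], False
    for line in text.splitlines():
        if line.startswith("===="):              # separator row: flow rows follow
            in_table = True
        elif in_table and line.split():
            src, dst, nbytes, pkts = line.split()
            flows.append((src, dst, int(nbytes), int(pkts)))
        elif m := re.match(r"\s*Updates sent\s*\(\s*(\d+) secs\)\s+(\d+)", line):
            hdr["update_interval"], hdr["updates_sent"] = int(m[1]), int(m[2])
        elif m := re.match(r"\s*(Cache size|Current entries):\s+(\d+)", line):
            hdr[m[1]] = int(m[2])
    return hdr, flows

def top_destinations(flows):
    """Aggregate on destination address, highest byte count first."""
    agg = defaultdict(lambda: [0, 0, 0])         # [flows, bytes, packets]
    for _src, dst, nbytes, pkts in flows:
        agg[dst][0] += 1; agg[dst][1] += nbytes; agg[dst][2] += pkts
    return sorted(((d, *v) for d, v in agg.items()), key=lambda r: r[2], reverse=True)

def cache_health(hdr, warn_at=0.8):              # warn_at is an assumed threshold
    """Seconds since last clear (+/- one interval), fill ratio, near-full flag."""
    age = hdr["updates_sent"] * hdr["update_interval"]
    used = hdr["Current entries"] / hdr["Cache size"]
    return age, used, used >= warn_at

if __name__ == "__main__":
    hdr, flows = parse_cache(SAMPLE)
    print(top_destinations(flows), cache_health(hdr))
```

For the output shown above this gives an age of 64800 seconds (18 hours) and the same two destination totals as the on-box aggregate command.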


Thoughts on "Cisco IOS: IPv6 Accounting using Flexible Netflow"...

by andy on September 17, 2012 at 21:20

Great article. I tried this however on an ASR1002 and no permanent cache is available. Can I achieve the same by increasing the active and inactive timeout without any issues?

ROUTER(config-flow-monitor)#cache type ?
normal Normal flow removal from the Flow Cache