I was wondering if anyone can help. We have a situation where a customer is experiencing some virus outbreaks and we can usually identify where it's happening by patterns in the IP accounting database. The customer has a VPN based network managed by us, and a corporate network managed by a third party, and the third party management company are concerned that the application of the "ip accounting" command may cause too much cpu overhead.
I personally have never had any real issues with IP accounting causing any major overhead problems, as the default max size of 512 entries seems to get hit quite early in a virus situation, but can anyone help me quantify how much load on the CPU would be added by having IP accounting enabled?
The routers are mainly 2610 (not XM) with fairly early 12.0 IOS.
As far as I am aware, the maximum entry parameter fixes the max size of the database to around 12k, so memory shouldn't be an issue.
We also run ip accounting pretty regularly as well, the impact I've seen is negligible. Unless your CPU utilization is already fairly high (80% or more), I wouldn't be too concerned. Another alternative to ip accounting that is a little less processor intensive is turning on netflow with the interface command below. This will also give a breakdown of overall protocol traffic as well as more detailed flows including port information.
Is there any chance that you can explain further on how you would identify virus patterns in the IP accounting table? I'm currently seeing columns Source, Destination, Packets and Bytes whenever I issue "show ip account" command. Thanks.
It depends on the virus, but during the last outbreak we were able to tell by excessive traffic being sent from one host to multiple destinations which were all incremental (x.x.x.1, .2, .3, and so on) in the destination column which we knew was not normal flow or legitimate traffic.
That being said, ip accounting is probably not the best tool for detecting a virus, but you can use it if you are monitoring realtime and understand the traffic flows on the interface you are monitoring.
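As an added illustration of the pattern described in this reply (this is not code from the original thread), the Python script below parses a constructed "show ip accounting" table in the Source/Destination/Packets/Bytes layout and flags any source whose destinations form a run of consecutive addresses; the sample addresses and the 5-address threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of "show ip accounting" output (not a real capture).
SAMPLE_OUTPUT = """\
   Source           Destination              Packets               Bytes
 10.1.1.50        10.1.2.1                     3                    180
 10.1.1.50        10.1.2.2                     3                    180
 10.1.1.50        10.1.2.3                     3                    180
 10.1.1.50        10.1.2.4                     3                    180
 10.1.1.50        10.1.2.5                     3                    180
 10.1.1.50        10.1.2.6                     3                    180
 10.1.1.20        10.1.3.10                  1542              1987654
 10.1.1.21        10.1.3.10                   233                19887
"""

def parse_ip_accounting(text):
    """Return (source, destination, packets, bytes) tuples from the table text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip the header and any blank or malformed lines
        rows.append((parts[0], parts[1], int(parts[2]), int(parts[3])))
    return rows

def longest_sequential_run(dests):
    """Length of the longest run of consecutive IPv4 addresses in dests."""
    nums = sorted({int(ipaddress.IPv4Address(d)) for d in dests})
    best = run = 1
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_sweeping_sources(rows, min_run=5):
    """Map each source to its longest sequential-destination run, keeping
    only sources at or above min_run (threshold is an assumed value)."""
    dests = defaultdict(set)
    for src, dst, _, _ in rows:
        dests[src].add(dst)
    runs = {src: longest_sequential_run(d) for src, d in dests.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    for src, n in find_sweeping_sources(parse_ip_accounting(SAMPLE_OUTPUT)).items():
        print(f"{src}: {n} consecutive destinations")
```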