So lets look at accounting closer.
When enabled on the interface it  creates database of accounting information
containing number of bytes that passed the router  between pairs of IP addresses. There are actually more types of accounting  but here I’ll talk about 2 types only: IP accounting and  IP access-list violations accounting. The first gathers statistics  for the traffic passing the router – entering and leaving it (means traffic that destined for or originating from the router itself is not accounted for). The 2nd type gathers info about traffic that is being rejected by the router according to applied ACLs. Both types can be enabled for physical/logical interfaces only (so to say VTY is not in the pack).

Both types share the same database memory space. And talking about memory -
by default router keeps 512 records, after these are exhausted no new accounting info is recorded. As usual , this is configurable (see later).

IP accounting

Here is a sneak preview of accounting at work:

   Source           Destination              Packets               Bytes
122.94.42.91     62.20.179.36                       2                 223

What you see is Ip addresses spotted in the IP packet header as source/destination
, number of packets and bytes. The database is updated continuously as traffic
passes the router.

IP accounting condifuration

- enable on the interface of interest (only outbound traffic is recorded),
i.e traffic leaving interface
- if desired tune number of kept records
- see in CLI gathered info
- see info through SNMP agent (won’t cover here)
- clear active accounting database and copy snapshot to checkpoint  database
(done at once)
- see later at any time snapshot in checkpoint database or active records
in real-time

So here is our CLI:
1) Enable on interface
Router(config)#int fa0/1
Router(config-if)#ip accounting [output-packets]

2) [Optional] Tune maximum records value if desired (default 512, maximum 4294967295):
Router(config)#ip accounting-threshold 1200

3) See the active records in the database:

Router#sh ip account
   Source           Destination              Packets               Bytes
68.146.13.6       162.30.79.36                       1                 129
79.82.168.224     162.30.79.36                       1                 126
142.53.125.103    162.30.79.36                    9237              423360
83.171.0.22       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360

4) Copy active database to checkpoint database and wipe out active db records:

Router#clear ip account
Router#sh ip accounting checkpoint

  Source           Destination              Packets               Bytes
68.146.13.6       162.30.79.36                       1                 129
79.82.168.224     162.30.79.36                       1                 126
142.53.125.103    162.30.79.36                    9237              423360
83.171.0.22       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360

Usage tip: What is this good for at all? As I started in the previuos post
I use such info to provide some insight to the client of what is going on
(or rather going in/out) in his network at the given moment. So, all these
commands I do on the client’s perimeter equipment which we manage. I have
no slightest inclination to do this for client/whoever on my backbone
gear, and you would be advised not too. Just try to enable accounting on the
router passing gigabits of traffic and you’ll have some ‘splaning to do
afterwards .  And in general be advised that many of the posts in my blog come
from Service Provider view  and not of the end-client enterprise
(no matter how big it is) standpoint.

5.5) Some extra-bonus configs though – you may configure ACL that will filter
for what IP addresses to gather accounting info only. While trying to catch
who is loading your network would be counter-productive to use such filtering,
for monitoring long-time  it makes sense:

  Router(config)#ip accounting-list 19.90.14.59 0.0.0.0

Then to  database will be written only records involving this IP(s):
 
  Router#sh ip account
   Source           Destination              Packets               Bytes
19.90.14.59    162.30.79.37                       7                2912

IP access-list violations accounting.

This accounts for traffic blocked by ACL(s) applied to the interface(s)
- To enable :
Router(config-if)#ip accounting access-violations
Accounting will exclude mls traffic when mls is enabled.

-  To see the records:
Router#sh ip accounting access-violations
  Source           Destination              Packets               Bytes   ACL

Accounting data age is 8

* Of course to see something you need to have some blocking ACL applied to the
interface(s) beforehand. As I have no ACL on any interface this db is empty.

USAGE TIP 2: If you use this feature to spot most loading flow, you’ll love this
one-liner that after  you pass to it (through std input) print out of
the show ip accounting will sort data by bytes passed in ascending order:

*Hint  Darkstar is Linux machine, not router itself .
  root@DarkStar:~# sort -n -k4,4
<NOW COPY PASTE OUTPUT FROM ROUTER HERE …>
68.146.13.6       162.30.79.36                       1                 129
79.82.168.224     162.30.79.36                       1                 126
142.53.125.103    162.30.79.36                    9237              423360
83.171.0.22       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360

79.82.168.224     162.30.79.36                       1                 126
83.171.0.22       162.30.79.36                       1                 129
68.146.13.6       162.30.79.36                       1                 129
118.181.13.61     162.30.79.36                       4                 360
142.53.125.103    162.30.79.36                    9237              423360

USAGE TIP 3:
To even further improve on the one-liner above below is again one-liner
that not only sorts accounting data by Bytes field but also sums up bytes per
Ip address (here in the 2nd field, but you can esaily modify to your needs):

root@DarkStar:~# sort -n -k4,4 | awk ‘{ips[$2] += $4} END { for (x in ips) print x,ips[x]}’
122.53.125.103   162.30.79.36                       3                 120
59.44.58.120     162.30.79.36                       3                 417
123.203.142.106  162.30.79.36                       1                 177
82.144.177.32    162.30.79.36                       1                 234
218.103.137.105  162.10.79.36                       1                 126
80.37.83.120     162.10.79.36                       1                 126
79.182.121.216   162.10.79.36                       9                 377
207.191.202.251  162.30.79.36                       9                 377
84.195.248.47    162.20.79.36                       7                 304
201.95.211.8     162.40.79.36                       8                 364
79.180.14.184    162.30.79.36                      24                 994
124.64.176.192   162.70.79.36                       5                 227
62.219.133.44    162.30.79.36                      72                3077
91.196.214.6     162.40.79.36                       4                 160
125.125.227.168  162.40.79.36                      15                 797

0
162.20.79.36 304
162.40.79.36 1321
162.30.79.36 5396
162.10.79.36 629
162.70.79.36 227
root@DarkStar:~#

Here I’ll wrap up my short (if you ask me) memo with few links for those interested to deep digger :

1) The whole book dedicated to knowing your network better :

Network Management: Accounting and Performance Strategies
by Benoit Claise – CCIE No. 2686; Ralf Wolter

http://www.ciscopress.com/bookstore/product.asp?isbn=1587051982

Cisco IOS command reference:

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1091971

PS Next post I am planning to do on Netflow , the beast of accounting to be tamed.

login block-for 300 attempts 5 within 50
#apply specified ACl to VTY line when above event occurs, it is meant to exempt
#your managemnt IP form being blocked. After timed block expires this ACL gets removed
#from VTY and previous ACL that was applied before the event is reapplied back

login quiet-mode access-class anti-DOS

#Logging rate-limitation to prevent cluttering logs with failed attempts
login on-failure log every 10

ip access-list standard anti-DOS
 permit 193.193.193.33
 remark Deny VTY access to anyone else if brute-force logins take up all VTY lines
 
Another nice feature is delay between login attempts:
Sacramento(config)#login delay 2
Delay login is in seconds

Then in logs you will see the following failed attempts:


*May 2 02:04:14.105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] at 05:04:14 Sat May 2 2009
*May 2 02:04:22.112: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 22 secs, [user: ] [Source: 62.141.52.141] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 05:04:22 Sat May 2 2009
*May 2 02:09:22.091: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 05:09:22 Sat May 2 2009