
Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Page 23 of 24

Cisco ip accounting to begin with

First of all, Happy New year to All !
As I promised before (last year 🙂 I’ll look at ip accounting in Cisco world. I’ll say it at the start already – accounting being with us since IOS 10.0 nowadays is getting pushed aside by the powerful Netflow feature.And while it is nowhere being depreciated/end-of-lifed by Cisco , it is presented as being “not enough”for the modern enterprise. I will agree that Netflow indeed provides lots of additional statistics and info , but will remind that it demands from device and the user substantially more as well.
And therefore for many cases is just plain overkill.

So lets look at accounting closer.
When enabled on the interface it  creates database of accounting information
containing number of bytes that passed the router  between pairs of IP addresses. There are actually more types of accounting  but here I’ll talk about 2 types only: IP accounting and  IP access-list violations accounting. The first gathers statistics  for the traffic passing the router – entering and leaving it (means traffic that destined for or originating from the router itself is not accounted for). The 2nd type gathers info about traffic that is being rejected by the router according to applied ACLs. Both types can be enabled for physical/logical interfaces only (so to say VTY is not in the pack).

Both types share the same database memory space. And talking about memory –
by default router keeps 512 records, after these are exhausted no new accounting info is recorded. As usual , this is configurable (see later).

IP accounting

Here is a sneak preview of accounting at work:

Source           Destination              Packets               Bytes                       2                 223

What you see is Ip addresses spotted in the IP packet header as source/destination
, number of packets and bytes. The database is updated continuously as traffic
passes the router.

IP accounting condifuration

– enable on the interface of interest (only outbound traffic is recorded),
i.e traffic leaving interface
– if desired tune number of kept records
– see in CLI gathered info
– see info through SNMP agent (won’t cover here)
– clear active accounting database and copy snapshot to checkpoint  database
(done at once)
– see later at any time snapshot in checkpoint database or active records
in real-time

So here is our CLI:
1) Enable on interface
Router(config)#int fa0/1
Router(config-if)#ip accounting [output-packets]

2) [Optional] Tune maximum records value if desired (default 512, maximum 4294967295):
Router(config)#ip accounting-threshold 1200

3) See the active records in the database:

Router#sh ip account
Source           Destination              Packets               Bytes                       1                 129                       1                 126                    9237              423360                       1                 129                       4                 360

4) Copy active database to checkpoint database and wipe out active db records:

Router#clear ip account
Router#sh ip accounting checkpoint

Source           Destination              Packets               Bytes                       1                 129                       1                 126                    9237              423360                       1                 129                       4                 360

Usage tip: What is this good for at all? As I started in the previuos post
I use such info to provide some insight to the client of what is going on
(or rather going in/out) in his network at the given moment. So, all these
commands I do on the client’s perimeter equipment which we manage. I have
no slightest inclination to do this for client/whoever on my backbone
gear, and you would be advised not too. Just try to enable accounting on the
router passing gigabits of traffic and you’ll have some ‘splaning to do
afterwards ;).  And in general be advised that many of the posts in my blog come
from Service Provider view  and not of the end-client enterprise
(no matter how big it is) standpoint.

5.5) Some extra-bonus configs though – you may configure ACL that will filter
for what IP addresses to gather accounting info only. While trying to catch
who is loading your network would be counter-productive to use such filtering,
for monitoring long-time  it makes sense:

Router(config)#ip accounting-list

Then to  database will be written only records involving this IP(s):

Router#sh ip account
Source           Destination              Packets               Bytes                       7                2912

IP access-list violations accounting.

This accounts for traffic blocked by ACL(s) applied to the interface(s)
– To enable :
Router(config-if)#ip accounting access-violations
Accounting will exclude mls traffic when mls is enabled.

–  To see the records:
Router#sh ip accounting access-violations
Source           Destination              Packets               Bytes   ACL

Accounting data age is 8

* Of course to see something you need to have some blocking ACL applied to the
interface(s) beforehand. As I have no ACL on any interface this db is empty.

USAGE TIP 2: If you use this feature to spot most loading flow, you’ll love this
one-liner that after  you pass to it (through std input) print out of
the show ip accounting will sort data by bytes passed in ascending order:

*Hint  Darkstar is Linux machine, not router itself .
root@DarkStar:~# sort -n -k4,4
<NOW COPY PASTE OUTPUT FROM ROUTER HERE …>                       1                 129                       1                 126                    9237              423360                       1                 129                       4                 360                       1                 126                       1                 129                       1                 129                       4                 360                    9237              423360

To even further improve on the one-liner above below is again one-liner
that not only sorts accounting data by Bytes field but also sums up bytes per
Ip address (here in the 2nd field, but you can esaily modify to your needs):

root@DarkStar:~# sort -n -k4,4 | awk '{ips[$2] += $4} END { for (x in ips) print x,ips[x]}'                       3                 120                       3                 417                       1                 177                       1                 234                       1                 126                       1                 126                       9                 377                       9                 377                       7                 304                       8                 364                      24                 994                       5                 227                      72                3077                       4                 160                      15                 797

0 304 1321 5396 629 227

Here I’ll wrap up my short (if you ask me) memo with few links for those interested to deep digger :

1) The whole book dedicated to knowing your network better :

Network Management: Accounting and Performance Strategies
by Benoit Claise – CCIE No. 2686; Ralf Wolter


Cisco IOS command reference:


PS Next post I am planning to do on Netflow , the beast of accounting to be tamed.

Finding the station/IP using/abusing most of the bandwidth – PIX/ASA

[showmyads]Here is a short how-to I wrote some (well ,long) time ago for the newcomers  to our department. It was written for the PIX , but applies to ASA as well in most cases,see for ASA notes for differences.
Usually it starts with client complaining about slow internet, or users that already work in net are ok but new ones can’t connect, sometimes PIX crashes periodically (depends on case – every few hours), seldom but client directly asks what station in LAN is bombing the PIX with connections.
Here are the steps to try to see what is going on:
1) Always worth knowing the current state of the PIX, lots of connections consume lots of memory
and this  after all causes crash/slowness of processing/
 Mambo# show memory
Free memory:        42557840 bytes
Used memory:        24551024 bytes
————-     —————-
Total memory:       67108864 bytes
2) as you may know PIX is a NAT machine – every connection (outbound/inbound)
should pass NAT translation, which creates (every connection) xlate entry (in IOS it is called
NAT table) (ASA note:you may disabel NAT ,not to say it may work in Transparent mode)
Mambo# show xlate count
1613 in use, 5246 most used
; In abused PIX you would see dozens of thousands of xlate entries, e.g. 55550
; beyond xlate entry, every connection creates conn entry in PIX memory to enable stateful
;inspection, to see their count use :
Mambo# show conn count
5271 in use, 34824 most used
; next command will show on which interface there is more traffic – to know what side of the PIX is being attacked
Mambo# show traffic
        received (in 980818.730 secs):
                1113941822 packets      498552059 bytes
                1004 pkts/sec   0 bytes/sec
        transmitted (in 980818.730 secs):
                1170564303 packets      2054434346 bytes
                1000 pkts/sec   2002 bytes/sec
        received (in 980818.730 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 980818.730 secs):
                76 packets      4560 bytes
                0 pkts/sec      0 bytes/sec
        received (in 980818.730 secs):
                186616723 packets       3287127501 bytes
                1 pkts/sec      3001 bytes/sec
        transmitted (in 980818.730 secs):
                196403614 packets       1465915834 bytes
Now the main part – how to find out which IP is abusing the resources:
Mambo#  show local-host  |  incl host|count|embryonic
local host: <>, conn(s)/limit = 0/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <>, conn(s)/limit = 106/0
            embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <>, conn(s)/limit = 14/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <>, conn(s)/limit = 4/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <>, conn(s)/limit = 4/0
            embryonic(s)/limit = 1/0, incomplete(s) = 0
local host: <>, conn(s)/limit = 22/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <>, conn(s)/limit = 1/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host     :  Local IP of station in LAN
conn(s)/limit  :   number of conn entries (connections) and their possible limit for this IP
embryonic(s)/limit  :  number of embryonic (half-open) connections to this IP and their limit
Looking at this output we could easily find station with most connections.
Next, to get more info (if needed)
 Mambo#  sh local-host
Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <>, conn(s)/limit = 105/0
            embryonic(s)/limit = 45/0, incomplete(s) = 0
    PAT Global Local
    PAT Global Local
    PAT Global Local
    PAT Global Local
    PAT Global Local
    PAT Global Local
    PAT Global Local
;NOTE – here is IP of outside interface of PIX
To temporary block some station – it will not be able to create new connections
and exsiting ones will be deleted. This block is active until next reboot.
  Mambo#  shun
To see active shuns:
  Mambo#  show shun
To disable shun
  Mambo#  no shun
Personal NOTE: Such call is a sure sign of unordered/amateurish network administration . And it always starts with the key phrase – “Your line is down, we have no Internet”. On my answer, after I look at MRTG
graphs of the client line and see 100% usage, that “Of course , you are using up  all your bandwidth” they reply “It is impossible, can you tell me who is abusing the line ?” While I may spend 10 mins
 explaing this ‘sysadmin’ that PIX/ASA/etc is not a statistics/monitoring device and other solutions exist for that and MRTG is free etc., I usually give up on them and save myself 10
 mins of my time and just give them what they want . In the next post I will write about doing the same in Cisco router.

Clear ARP table in Checkpoint

Yesterday my colleague asked how to clear all entries in the ARP table of the
NGX in question (Splat). I thought the arp command of the Linux would include some switch for that case too – but it didn’t. To delete ARP entry from the ARP  cache you use #arp -d <IP address to be deleted> , and it has no provision for deleting multiple entries in one go. So here is the one-liner
that does just that – clears all entries in ARP cache. I found it in Google and
slightly rearranged for brevity (note- it is one line of text) :

for ip in $(awk '/([[:digit:]]\.)+/ {print $1}' /proc/net/arp) ; do  arp -d $ip ; done

Guarding against brute force attack on VTY in Cisco IOS

Cisco starting IOS 12.3 introduced a simple but powerful feature to guard against brute force password guessing attack on remote access. The usual template followed when configuring VTY access is:
1) Configure ACL containing management IPs to be allowed to access the router through VTY
2) (Optional) Restrict VTY access protocol to ssh only (transport input ssh)
3) Apply this ACl to VTY : (config-line)# access-class <ACL>  in
4) (Optional)  SIngle out one VTY line for a special remote access IP to be used if all VTY lines
are currently in use: (config)# line vty 4
Now I enhanced this template with following features:
#Blocks login for 300 seconds after 5 failed logins within  50 seconds time interval

login block-for 300 attempts 5 within 50
#apply specified ACl to VTY line when above event occurs, it is meant to exempt
#your managemnt IP form being blocked. After timed block expires this ACL gets removed
#from VTY and previous ACL that was applied before the event is reapplied back

login quiet-mode access-class anti-DOS

#Logging rate-limitation to prevent cluttering logs with failed attempts
login on-failure log every 10

ip access-list standard anti-DOS
 remark Deny VTY access to anyone else if brute-force logins take up all VTY lines
Another nice feature is delay between login attempts:
Sacramento(config)#login delay 2
Delay login is in seconds

Then in logs you will see the following failed attempts:

*May 2 02:04:14.105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source:] [localport: 22] [Reason: Login Authentication Failed] at 05:04:14 Sat May 2 2009
*May 2 02:04:22.112: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 22 secs, [user: ] [Source:] [localport: 22] [Reason: Login Authentication Failed] [ACL: anti-DOS] at 05:04:22 Sat May 2 2009
*May 2 02:09:22.091: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 05:09:22 Sat May 2 2009

Manage VPN tunnels smartly: forget vpn tu,enter the vpn shell

Deleting IKE/IPsec security associations of established VPNs is inevitable part of any VPN related debug. The standard tool promoted by Checkpoint (take CCSA,CCSE etc.,) is vpn tu that neveretheless has always had a very annoying bug (feature?) – you can delete ALL VPN tunnels at a time and none individually !!  It indeed presents option to delete
” Delete all IPsec SAs for a given peer (GW)” – but it just plain doesn’t work. And once confronted with this problem that could make debug  more devastating than the problem itself I started looking for alternatives. To much of my surprise CP has a perfect alternative for this
vpn shell, that provides acceptable means of managing tunnels. Here are details:
vpn shell can : delete IKE/IPsec SAs selectively, add/delete VTI interfaces,show information about all that.
To enter this shell :
[Expert@gw1]# vpn shell
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data

After hitting enter you are put into subshell that has hierarchy way of moving around, so to continue to show subtree you type show and hit Enter:
VPN shell:[/] > show
 ?             – This help
 ..            – Go up one level
[interface   ] – Show interface(s) and their status
[tunnels     ] – Show SA(s)
VPN shell:[/show] >

Your prompt changes to the path inside vpn shell, to go 1 level up (return) type .. and Enter:
VPN shell:[/show] > ..
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] >

In addition if you know the full path inside vpn shell to the command you wish to run you can type it too:

e.g. To see all IKE tunnels:
[Expert@gw1]# vpn shell
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] > tunnels show IKE all

Peer 193.x.x.x:

        1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:
VPN shell:[/] >
e.g. 2 To delete IKE SAs for specific peer:
VPN shell:[/] > tunnels delete IKE peer

NOTE: interface subtree is for dealing with VTI interfaces.

And finally to leave the vpn shell to SSH shell:
Get to the root by typing .. as many times as needed and then quit:

VPN shell:[/show/tunnels/IKE] > ../../..
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] > quit

Autologin Expect scripts for telnet/ssh

Tired of typing over and over  your username/password when using
telnet/ssh ? Here are Expect http://expect.nist.gov/ scripts to autologin by Telnet and ssh
– Yes, it is not secure to keep you username/password saved somewhere, so know
what you do . In my opinion  as long as this
is a dedicated for remote logins server, that has no access from outside, and hardened accordingly
(pertinent to the scripts – only owner/root can read user’s home folder, etc.,) the risk is acceptable.

Note 2: password is saved in a file named “sword”

cat tel
#!/usr/local/bin/expect   Change to the location of your Expect package
proc Usage {} {
  puts “\n tel <equipment to enter> \n”

set  argnumber  [llength $argv]
if {$argnumber==0} {
      puts “You need to specify at least one piece of equipment to log into\n”
   }  elseif {$argnumber>1}  {
       puts “You specified too many arguments, only one please\n”
set hostName [lindex $argv 0]
 puts “Entering $hostName”
 set username “myusername”
 set HANDL [open “sword”]
 set password [gets $HANDL]
 close $HANDL
 spawn telnet $hostName
 expect {[Uu]sername*} {
  send “$username\r”
 expect {[Pp]assword:} {
 send “$password\r”

#Cisco specific block – to enter enable level, you may remove this block if not needed
 expect {*#}  {
 send “enable\r”  }
 expect {[Pp]assword:} {
 send “$password\r”
 #End of Cisco specific block


Now SSH login script
> cat essh
#!/usr/local/bin/expect   Change to the location of your Expect package
proc Usage {} {
  puts “\n essh  <equipment to enter> \n”

set  argnumber  [llength $argv]
if {$argnumber==0} {
      puts “You need to specify at least one piece of equipment to log into\n”
   }  elseif {$argnumber>1}  {
       puts “You specified too many arguments, only one please\n”
set hostName [lindex $argv 0]
 puts “Entering $hostName”
 set username “myusername”
 set HANDL [open “sword”]
 set password [gets $HANDL]
 spawn ssh $hostName
 expect {[Pp]assword:} {
 send “$password\r”

#Again goes Cisco – specific block , remove if not needed
 expect {*#}  {
 send “enable\r”  }
 expect {[Pp]assword:} {
 send “$password\r”
 #End of Cisco – specific block


SSH session timeout in Checkpoint NG/NGX

Ever got swearing when in the middle of fw monitor / debug session you got abruptly thrown on session timeout ??  Me too. While thinking naively ssh timeout is managed by sshd/ssh configs I was suprised to know CP did it their way.

Turned out here we get definitions for interactive session : cat /etc/bashrc

# By default, log out the user after three minutes of unattended prompt
export TMOUT=180
export SHELL=/bin/bash
# Take into account idle setting of cpshell, if available
if [ -f /etc/cpshell/cpshell.state ]; then
   idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//`
   if [ $idle”UNDEFINED” = “UNDEFINED” ]; then
   export TMOUT=`expr $idle \* 60`


So to change the default timeout for ssh session you can:

1) Set idle variable in /etc/cpshell/cpshell.state to be later multiplied

cat /etc/cpshell/cpshell.state

2) Change last export directly to whatever you wish:

export TMOUT=7000  ; in seconds

I personally when working on client’s firewall am setting it manually  when long  debug session is expected:

[Expert@cp]# TMOUT=700
[Expert@cp]# export TMOUT

« Older posts Newer posts »

© 2016 yurisk.info

Theme by Anders NorenUp ↑