ch06lev1sec3.html

IP Accounting MAC Address

IP Accounting MAC Address is comparable to the IP Accounting (Layer 3) feature. However, MAC addresses are collected instead of IP addresses, and there is no concept of a checkpoint database. IP Accounting MAC Address calculates the total number of packets and bytes for IP traffic on LAN interfaces, based on the source and destination MAC addresses. It also records a time stamp for the last packet received or sent. This feature helps the operator determine how much traffic is exchanged with various peers at Layer 2 exchange points, such as an Internet peering point. IP Accounting MAC Address collects individual MAC addresses, so it can be used to identify a specific user for usage-based billing. It also helps security administrators identify a sender's MAC address in case of an attack with faked IP addresses.

The maximum number of MAC addresses that can be stored at the network element for each physical interface is 512 entries for input and an additional 512 MAC addresses for output traffic. After the maximum is reached, subsequent MAC addresses are ignored. To keep addresses from not being taken into account, you should constantly check the number of available entries in the network element's local database and clear entries if it's getting close to 512.

IP Accounting MAC Address Principles

The principles of IP Accounting MAC Address can be summarized as follows:

Inbound and outbound traffic statistics are collected per MAC address.
Only LAN interfaces and subinterfaces (Ethernet, FastEthernet, FDDI, and VLAN) are supported.
A time stamp is recorded (or updated) when the last packet is sent or received.
When IP Accounting MAC Address is enabled, header compression is turned off so that the MAC information can be extracted from the header. When IP Accounting MAC Address is turned off, header compression is enabled.
There is no concept of a checkpoint database.
The maximum number of entries per physical interface and per direction (incoming or outgoing) is 512.
Collection data is accessible via CLI and SNMP. However, all configuration changes must be done via CLI, because the CISCO-IP-STAT-MIB has no read-write parameters. To retrieve the collection results via SNMP, you need to enable SNMP on the network element first. For more details about SNMP configuration, see Chapter 4.
The MIB contains 32-bit and 64-bit SNMP counters.

Supported Devices and IOS Versions

The following devices and Cisco IOS Software releases support IP Accounting MAC Address:

IP Accounting MAC Address was introduced in IOS 11.1CC.
It is supported on Ethernet, FastEthernet, FDDI, and VLAN interfaces. It works in conjunction with Cisco Express Forwarding (CEF), distributed Cisco Express Forwarding (dCEF), flow, and optimum switching.
It is supported on all routers, including the MSFC, but not the RSM.
On the Cisco 12000 router, it is supported only by the 3-port Gigabit Ethernet line cards.

CLI Operations

Notable commands for configuring, verifying, and troubleshooting IP Accounting MAC Address are as follows:

router(config-if)# ip accounting mac-address {input | output}, where:
- input performs accounting based on the source MAC address on received packets.
- output performs accounting based on the destination MAC address on transmitted packets.
router# show interface [type number] mac-accounting
displays information for all interfaces configured for MAC accounting. To display information for a single interface, use the appropriate information for the type number arguments.
router# clear counters [interface-type interface-number]
clears all the interface counters. Because the IP Accounting MAC Address entries are stored per interface, the clear counters command clears the number of bytes and packets for each IP Accounting MAC Address entry in the output of show interface [type number] mac-accounting. However, the clear counters command does not remove any IP Accounting MAC Address entries. In the output from show interface [type number] mac-accounting, clear counters keeps the value of the time stamp for the last packet sent or received for that entry. The clear counters command does not clear the MIB counters, because SNMP counters can never be cleared, and it does not remove any IP Accounting MAC Address entries in the MIB table. An analogy is the clear counters command that clears the number of bytes and packets in the output of show interface while the SNMP counters in the ifTable are not cleared. Note also that the clear counters command is applicable globally for all interfaces or for a single interface.

SNMP Operations

IP Accounting MAC Address uses the Cisco IP Statistics MIB to collect incoming and outgoing packets and bytes per MAC address. There is a maximum of 512 entries per physical interface per direction (ingress or egress). You have to use the CLI to enable and disable IP Accounting MAC Address. Entries can be read but not deleted via SNMP. They can be deleted using the CLI command clear counters instead. The CISCO-IP-STAT-MIB (Cisco IP Statistics MIB) was updated to support 32-bit and 64-bit counters. For high-speed interfaces, 64-bit counters are relevant, because on a 1-Gigabit interface, a 32-bit counter wraps after 34 seconds.

The IP Accounting MAC Address part of the MIB consists of two tables with separate 32-bit counters and 64-bit counters, plus an extra table for the number of free entries in the database:

cipMacTable is the MAC table for 32-bit counters, where an entry is created for each unique MAC address that sends or receives IP packets. It contains four variables:
- cipMacDirection is the object's data source.
- cipMacAddress is the MAC address.
- cipMacSwitchedPkts is the counter in packets with respect to cipMacAddress.
- cipMacSwitchedBytes is the counter in bytes with respect to cipMacAddress.
The table indexes are ifIndex, cipMacDirection, and cipMacAddress.
cipMacXTable is the extended MAC table for 64-bit counters, which contains only two entries.
- cipMacHCSwitchedPkts is the high-capacity counter in packets with respect to cipMacAddress. This object is the 64-bit version of cipMacSwitchedPkts.
- cipMacHCSwitchedBytes is the high-capacity counter in bytes with respect to cipMacAddress. This object is the 64-bit version of cipMacSwitchedBytes.
The table indexes are ifIndex, cipMacDirection, and cipMacAddress.
cipMacFreeTable specifies the number of available entries in the database.
cipMacFreeCount is the number of items in the MAC free space.

The table indexes are ifIndex and cipMacFreeDirection.

Examples (CLI and SNMP)

The following example provides a systematic introduction to configuring and monitoring IP Accounting MAC Address and displays the results for both CLI and SNMP.

Initial Configuration

Initially, there are no IP Accounting MAC Address entries.

In this configuration, both IP Accounting MAC Address input and output are enabled:

router(config-if)#interface fastethernet 0/0
router(config-if)#ip accounting mac-address input
router(config-if)#ip accounting mac-address output
router(config-if)#exit

Collection Monitoring

The entries populate:

Router#show interface mac-accounting
FastEthernet1/0 Eth -> Nms-bb-1: Port 4/20
      Input (504 free)
0010.8305.c421(115): 7 packets, 590 bytes, last: 95924ms ago.
.
.
.
                  Total:  111 packets, 10290 bytes
      Output  (504 free)
0800.2087.66c1(8 ): 2 packets, 375 bytes, last: 8520ms ago
.
.
.
                  Total:  39 packets, 5536 bytes

For clarity, only the first input and output entries are displayed. The corresponding MIB table shows the identical entries, only one of which is displayed:

SERVER % snmpwalk -c public -v 2c martel cipMacTable
cipMacSwitchedPkts.9.input.0.16.131.5.196.33 : Counter: 7
cipMacSwitchedBytes.9.input.0.16.131.5.196.33 : Counter: 590

The table indexes are as follows:

ifIndex is 9 in this case, which represents fastethernet 1/0:

Router #show snmp mib ifmib ifIndex fastethernet 1/0
    Interface = fastethernet 1/0, ifIndex =9

cipMacDirection is input or output.
cipMacAddress, where 0.16.131.5.196.33 is the MAC address, such as 0010.8305.c421.

This SNMP entry corresponds to the following entry in the show command:

0010.8305.c421(115): 7 packets, 590 bytes, last: 95924ms ago.

Note

The information about the last time a packet was observed from/to the specific MAC address is not available in the MIB—only from the show command.

The SNMP request confirms that 504 entries are available:

SERVER % snmpwalk -c public -v 2c <router> cipMacFreeTable
CISCO-IP-STAT-MIB::cipMacFreeCount.9.input = Gauge32: 504
CISCO-IP-STAT-MIB::cipMacFreeCount.9.output = Gauge32: 504

In a situation where the counters are small, polling cipMacXTable, which contains the high-capacity counter counter64, would return the same results as polling cipMacTable.

Finally, the IP MAC address counters can be cleared, either specifically for the interface or globally for all interfaces, but no entries are deleted:

Router(config)#clear counters [fastethernet 1/0]
Router#show interface mac-accounting
FastEthernet1/0 Eth -> Nms-bb-1: Port 4/20
      Input  (504 free)
0010.8305.c421(115): 0 packets, 0 bytes, last: 125876ms ago

In the preceding example, the counters for packets and bytes are reset to 0. All other entries, along with the content of the "last" field, are preserved. The clear counters CLI command has no effect on the MIB's content.

Note

The clear counters command affects both the IP Accounting Precedence and IP Accounting MAC Address counters. This could be considered a limitation when enabled on the same interface.