Configuring IP Services

Configuring IP Accounting

The IP source address of an ICMP packet must match the gateway address used by the host in the packet that triggered the ICMP packet; otherwise, the host will reject the ICMP redirect packet. An HSRP router uses the destination MAC address to determine the gateway IP address of the host. If the HSRP router is using the same MAC address for multiple IP addresses, then it is not possible to uniquely determine the gateway IP address of the host, and the redirect message is not sent.

The following is sample output from the debug standby events icmp EXEC command if HSRP could not uniquely determine the gateway used by the host:

10:43:08: SB: ICMP redirect not sent to 20.0.0.4 for dest 30.0.0.2

10:43:08: SB: could not uniquely determine IP address for mac 00d0.bbd3.bc22

Configuring HSRP Support for ICMP Redirect Messages

By default, HSRP filtering of ICMP redirect messages is enabled on routers running HSRP. To reenable this feature on your router if it is disabled, use the following command in interface configuration mode:

Command: Router(config-if)# standby redirects [enable | disable] [timers advertisement holddown] [unknown]

Purpose: Enables HSRP filtering of ICMP redirect messages.

 

 

Configuring IP Accounting

Cisco IP accounting support provides basic IP accounting functions. By enabling IP accounting, users can see the number of bytes and packets switched through the Cisco IOS software on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the software or terminating in the software is not included in the accounting statistics. To maintain accurate accounting totals, the software maintains two accounting databases: an active and a checkpointed database.

Cisco IP accounting support also provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data also indicates that you should verify IP access list configurations. To make this feature available to users, you must enable IP accounting of access list violations using the ip accounting access-violations interface configuration command. Users can then display the number of bytes and packets from a single source that attempted to breach security against the access list for the source-destination pair. By default, IP accounting displays the number of packets that have passed access lists and were routed.

To enable IP accounting, use one of the following commands for each interface in interface configuration mode:

Command: Router(config-if)# ip accounting

Purpose: Enables basic IP accounting.

Command: Router(config-if)# ip accounting access-violations

Purpose: Enables IP accounting with the ability to identify IP traffic that fails IP access lists.
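The access-violation counters described above are most useful when rolled up per source address. The following Python sketch is an added example, not part of the Cisco guide: it parses a captured violations table and flags sources for review. The column layout (Source, Destination, Packets, Bytes, ACL), the sample rows, the function names, and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. The column layout (Source, Destination, Packets, Bytes, ACL)
# is an assumption about how the access-violation accounting table is displayed.
SAMPLE = """\
   Source           Destination              Packets               Bytes   ACL
 192.0.2.40        198.51.100.20                  7                 306    77
 192.0.2.55        198.51.100.20                 67                2749   185
 203.0.113.9       198.51.100.51                 17                1111   140
 203.0.113.9       198.51.100.1                   5                 319   140
 192.0.2.40        198.51.100.1                 463               30991    77
Accounting data age is 41
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_violations(text):
    """Return one dict per source/destination row; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            src, dst, pkts, nbytes, acl = m.groups()
            rows.append({"src": src, "dst": dst, "packets": int(pkts),
                         "bytes": int(nbytes), "acl": int(acl)})
    return rows

def summarize_by_source(rows):
    """Aggregate denied packets, bytes, destinations and ACL numbers per source."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set(), "acls": set()})
    for r in rows:
        a = agg[r["src"]]
        a["packets"] += r["packets"]
        a["bytes"] += r["bytes"]
        a["dsts"].add(r["dst"])
        a["acls"].add(r["acl"])
    return dict(agg)

def flag_sources(summary, min_packets=100, min_dsts=2):
    """Hypothetical triage rule: many denied packets, or denials toward several destinations."""
    return sorted(s for s, a in summary.items()
                  if a["packets"] >= min_packets or len(a["dsts"]) >= min_dsts)

if __name__ == "__main__":
    summary = summarize_by_source(parse_violations(SAMPLE))
    for src in flag_sources(summary):
        a = summary[src]
        print(f"{src}: {a['packets']} packets / {a['bytes']} bytes denied, "
              f"{len(a['dsts'])} destinations, ACLs {sorted(a['acls'])}")
```

A source that is flagged only because a legitimate flow keeps hitting one ACL is a cue to verify that access list's configuration rather than to treat the traffic as hostile.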

 

 

Cisco IOS IP Configuration Guide
