[c-nsp] NetFlow for Bandwidth Billing

Bill Nash billn at billn.net
Wed May 2 01:04:20 EDT 2007


On Tue, 1 May 2007, TCIS List Acct wrote:

> We are a Co-lo provider looking to improve how we do usage-based bandwidth 
> billing on a per IP/subnet basis.  We can't do SNMP monitoring per-port (we 
> exclude local LAN traffic, traffic between our two Data Centers, etc), so we are 
> considering doing bandwidth billing via NetFlow from our 72xx core routers. 
> What are the pros/cons of using NetFlow for usage-based billing?  I've seen some 
> discussion regarding NetFlow's accuracy/completeness, so any advice would be 
> appreciated.
> 

Scope and scale are the two big factors when dealing with netflow 
accounting.

You will need full IP address accounting for your customers, i.e., knowing 
which customers have been issued which address space.

You will need an understanding of how many flows per second a given 
customer generates.

You will need to determine how and where it's possible to aggregate flows 
together, based on the level of detail you need. This can be done at the 
router level[1] or at the analyzer level[2]. Router-sourced flow 
aggregation may not work in a colocation environment if you're issuing 
single IPs to different customers in the same subnet. Others may have 
more expertise in this area than I. I couldn't figure out a good way to do 
it, and it was easier (for me) to do on the analyzer side.

[1] Depending on scale and architecture, this may not be healthy for your 
router.

[2] Depending on flow volume and analyzer design, this may require some 
CPU horsepower.

There are a lot of factors that come into play when working with netflow, 
and flow volume is definitely a type of monkey. It can be a cute little 
bugger with a diaper, or it can be an eight hundred pound gorilla that 
eats you. A lot depends on the vendor implementation of netflow. Cisco is 
at least (mostly) consistent. 

If generating flows from the router isn't a viable option for resource 
reasons, you can also use softflowd on SPAN taps, depending on your 
switch topology. 

As for completeness, I've not run into many cases where the flow volume 
wasn't accurate. The netflow capable platform I worked with was c6509 (as 
recently as last year), rocking a Perl analyzer that tossed about ~18k 
flows a minute through MySQL, to the tune of about 400 million flows per 
day, including LAN chatter, on about 8 gigs of egress capacity.

There is no netflow solution that's perfect for every network, so you'll 
want to do some legwork. Despite my experience, I can't personally 
recommend any particular toolset, since I've always rolled my own. (No, I 
don't currently have a flow analyzer that I can release.)

- billn
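
The analyzer-side aggregation and customer address accounting described in this message, sketched in Python as an added example (not the poster's code, which was not released). The allocation table (two customers holding single IPs in the same /24), the internal network list, the flow records and all function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation table: which customer was issued which address space.
ALLOCATIONS = {
    "192.0.2.10/32": "cust-a",
    "192.0.2.11/32": "cust-b",
    "198.51.100.0/24": "cust-c",
}
# Constructed list of the provider's own networks (LAN, both data centers).
INTERNAL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Most specific prefix first, so a /32 wins over a covering subnet.
_ALLOC = sorted(((ipaddress.ip_network(p), c) for p, c in ALLOCATIONS.items()),
                key=lambda pc: pc[0].prefixlen, reverse=True)


def owner(ip):
    """Return the customer whose most specific allocation contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((cust for net, cust in _ALLOC if addr in net), None)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def bill(flows):
    """Sum billable bytes per customer from (src, dst, bytes) flow records."""
    usage = defaultdict(lambda: {"out": 0, "in": 0})
    for src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            continue  # local LAN or inter-data-center traffic is not billed
        for direction, ip in (("out", src), ("in", dst)):
            cust = owner(ip)
            if cust:
                usage[cust][direction] += nbytes
    return dict(usage)


# Constructed flow records: (source IP, destination IP, bytes).
FLOWS = [
    ("192.0.2.10", "203.0.113.5", 1500),   # cust-a egress
    ("203.0.113.5", "192.0.2.11", 4000),   # cust-b ingress
    ("192.0.2.10", "198.51.100.7", 9999),  # between our own networks
    ("198.51.100.7", "203.0.113.9", 700),  # cust-c egress
    ("192.0.2.10", "203.0.113.5", 500),    # cust-a egress, same pair again
]
print(bill(FLOWS))
```
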

