[c-nsp] NetFlow for Bandwidth Billing
Bill Nash
billn at billn.net
Wed May 2 01:04:20 EDT 2007
On Tue, 1 May 2007, TCIS List Acct wrote:
> We are a Co-lo provider looking to improve how we do usage-based bandwidth
> billing on a per IP/subnet basis. We can't do SNMP monitoring per-port (we
> exclude local LAN traffic, traffic between our two Data Centers, etc), so we are
> considering doing bandwidth billing via NetFlow from our 72xx core routers.
> What are the pros/cons of using NetFlow for usage-based billing? I've seen some
> discussion regarding NetFlow's accuracy/completeness, so any advice would be
> appreciated.
>
Scope and scale are the two big factors when dealing with netflow
accounting.
You will need full IP address accounting for your customers, i.e. knowing
which customers have been issued which address space.
You will need an understanding of how many flows per second a given
customer generates.
You will need to determine how and where it's possible to aggregate flows
together, based on the level of detail you need. This can be done at the
router level[1] or at the analyzer level[2]. Router sourced flow
aggregation may not work in a colocation environment if you're issuing
single IPs to different customers in the same subnet. Others may have
more expertise in this area than I. I couldn't figure out a good way to do
it, and it was easier (for me) to do on the analyzer side.
[1] Depending on scale and architecture, this may not be healthy for your
router.
[2] Depending on flow volume and analyzer design, this may require some
CPU horsepower.
There are a lot of factors that come into play when working with netflow,
and flow volume is definitely a type of monkey. It can be a cute little
bugger with a diaper, or it can be an eight hundred pound gorilla that
eats you. A lot depends on the vendor implementation of netflow. Cisco is
at least (mostly) consistent.
If generating flows from the router isn't a viable option for resource
reasons, you can also use softflowd on SPAN taps, depending on your
switch topology.
As for completeness, I've not run into many cases where the flow volume
wasn't accurate. The netflow capable platform I worked with was c6509 (as
recently as last year), rocking a Perl analyzer that tossed about ~18k
flows a minute through MySQL, to the tune of about 400 million flows per
day, including LAN chatter, on about 8 gigs of egress capacity.
There is no netflow solution that's perfect for every network, so you'll
want to do some legwork. Despite my experience, I can't personally
recommend any particular toolset, since I've always rolled my own. (No, I
don't currently have a flow analyzer that I can release.)
- billn
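
Added example (not part of the original post, and not the author's analyzer): a sketch of analyzer-side aggregation that maps flow records to customers by longest-prefix match, so single IPs issued from a shared subnet bill to the right customer, and skips LAN and inter-data-center traffic. The customer names, prefixes, excluded ranges and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation table: single IPs inside one subnet can belong to
# different customers, so ownership is resolved by longest-prefix match.
ALLOCATIONS = {
    "192.0.2.0/28": "cust-a",
    "192.0.2.5/32": "cust-b",  # one IP carved out of cust-a's subnet
    "198.51.100.0/24": "cust-c",
}
# Constructed non-billable ranges: local LAN and the second data center.
EXCLUDED = ["10.0.0.0/8", "172.16.0.0/12"]

_ALLOC = sorted(((ipaddress.ip_network(p), c) for p, c in ALLOCATIONS.items()),
                key=lambda pc: pc[0].prefixlen, reverse=True)
_EXCL = [ipaddress.ip_network(p) for p in EXCLUDED]

def owner(ip):
    """Return the customer owning ip (most specific prefix wins), or None."""
    addr = ipaddress.ip_address(ip)
    return next((cust for net, cust in _ALLOC if addr in net), None)

def is_excluded(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _EXCL)

def bill(flows):
    """Sum billable bytes per customer from (src, dst, bytes) flow records."""
    usage = defaultdict(lambda: {"out": 0, "in": 0})
    for src, dst, nbytes in flows:
        s, d = owner(src), owner(dst)
        # Assumption: LAN, inter-DC and customer-to-customer flows are not billed.
        if is_excluded(src) or is_excluded(dst) or (s and d):
            continue
        if s:
            usage[s]["out"] += nbytes
        elif d:
            usage[d]["in"] += nbytes
    return {c: dict(v) for c, v in usage.items()}

# Constructed flow records (src_ip, dst_ip, bytes); 203.0.113.9 is an Internet host.
SAMPLE_FLOWS = [
    ("192.0.2.3", "203.0.113.9", 1000),
    ("192.0.2.5", "203.0.113.9", 500),
    ("203.0.113.9", "198.51.100.20", 4000),
    ("192.0.2.3", "172.16.4.1", 9999),      # inter-DC, excluded
    ("192.0.2.3", "198.51.100.20", 7777),   # customer to customer, excluded
    ("203.0.113.9", "192.0.2.5", 250),
]
```

Calling `bill(SAMPLE_FLOWS)` returns per-customer byte totals split into outbound and inbound; flows that match no allocation are ignored rather than billed.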