It’s easy to understand why you need to be able to track usage for billing purposes if you work for a Service Provider, but why do you need this information if your users are all internal?

Even if your organisation doesn’t do cross-departmental billing, it’s important for you to know who the major users of your bandwidth and services are. We looked at traffic profiles in a bit more detail in the performance management feature but there are several aspects that relate directly to the realms of accounting even if no hard cash actually changes hands.

Your network is an asset, which means you have to justify the operational and capital expense involved in keeping it going. To do that you have to be able to show that people use the expensive infrastructure you have put in place.

If the network is regarded as a shared service that is internally attributed to all departments then you will have to be able to prove to them that they are getting what they pay for. It’s not unknown for business units to deploy their own network because they don’t believe they are being fairly charged internally for what they use. This is a waste of money and resources - who wants to go back to the days of multiple discrete networks to manage?

When you request an upgrade, often that capital expense will be divided up, on the books at least, amongst internal departments - your customers. With everyone pushing to cut costs, if you can’t prove that a department accounts for a third of the network bandwidth, for instance, they may well refuse to have a third of the cost directly allocated to their cost code.

With the joys of Quality of Service-enabled networks, which the vendors have insisted we can’t live without, becoming prevalent, it’s even more complicated. If you’re offering different service levels or prioritised traffic to certain departments, should they be charged internally more than their less-demanding colleagues? QoS provision and management is a whole other issue that we will deal with in a lot more detail over the next few weeks, but you get the picture.

Identifying Traffic
So how do you provide the statistics to back up your claims of who is using what?

At the most basic, you can count how many network ports each department has, and pro-rata costs based on that, but that doesn’t actually tell you about the traffic levels. As network design guidelines have changed, it’s not so common now to have a subnet per workgroup—instead VLANs and subnets tend to be more geographically than logically allocated so that’s not the clean division it was. Instead you’ll have to look deeper into the packets, to the application level, to determine who the traffic belongs to.

It’s easy if you have server-based apps that are used only by one department, such as HR or payroll. Then you can get IP accounting information pretty easily from your network devices showing the relative percentages of traffic to and from those servers and therefore associated with that department.

Where all services are shared—the e-mail server, for instance—or you have peer-to-peer traffic, it’s not so easy. You’ll probably have to increase the granularity of the information you collect to encompass individual users for complete accuracy. While the amount of effort in getting exact stats probably isn’t worth it unless you have a formal billing process, it is possible to get extremely detailed information if you put the time in.

If you can get RMON stats from your switches, you’ll be able to tell how much traffic is going to and from a network port, but for more detailed information you’ll need to install RMON probes and network analysers. Once you’ve set them up to monitor your network, they will tell you on an ongoing basis every conversation between end stations, down to a per-port basis, so that you can distinguish between applications if you want to. This tells you exactly who is talking to who and how much data is being exchanged, and you can use this information not just for billing purposes but to in effect police your network to make sure that your users aren’t using all your network bandwidth in playing network Doom, or exchanging music videos. We’ll cover the ways of managing this in a later article.

In addition to dedicated probes, IP Accounting facilities on your routers can let you see what traffic flows you have over your wide area. Typically you’ll be more concerned about usage of your WAN bandwidth as it is more expensive and less plentiful. Cisco’s Netflow and Juniper’s Cflowd are vendor-specific network applications that produce ready-made stats on where the data in your network is flowing, giving you source and destination IP addresses, port numbers, QoS settings if required, and amount of data sent.

Whether you use RMON, analysers or the likes of Cflowd, the data you will get will show you which hosts are talking to each other, which applications are involved (via the port numbers the flows are between) and how much actual data is involved. You probably want to restrict yourself to looking at the ‘top talkers’, so that you are studying say 70 to 90 percent of the traffic. If you try and get down to identifying every last kbit/s of user data, you’ll probably spend more time investigating it than is worthwhile.

You will then have to identify which hosts and users belong to which departments and you can produce reports that clearly show who is using up your bandwidth and needs to be charged accordingly.

Service Provider Billing
If you do work for a carrier or service provider, then billing is a much more exact science. Chances are you will have specialised billing applications that require very granular and exact traffic details, and you will probably have to identify all traffic, not just the majority of flows. But then, since your customers will normally be geographically dispersed, separating them is easier from an accounting point of view.

In this case you probably just need to measure the amount of traffic coming from their site, whether it’s over a Frame Relay link, dial up connection or MPLS spoke. You don’t really care which host addresses the users are talking to - if you are billing them for network usage then packets shifted is all you need to worry about. The same holds true if you are lucky enough to have your corporate users housed in separate buildings according to job function but in reality this isn’t the case for most enterprises.

The level of granularity to which you need to identify your users and their respective traffic usage depends on the amount of financial culpability they have. However, even if you aren’t billing your users for their network usage, it’s important that you do have a reasonable understanding of who is making most use of your network, to aid you in network profiling and capacity planning.