Traffic Accountant and Flow Accounting Server
Business managers require the network infrastructure to
support their business operations. Network equipment and
services can maximize a firm’s profit and lower operating
costs, while simultaneously improving organizational
efficiency. Network accounting provides business managers with
historical information to help them understand how the network
is being utilized, project future bandwidth demands, and
monitor changes in network resource usage as a result of
corporate directives.
Overview
A primary concern of IT managers today is providing fast
access to network resources while controlling the increasing
costs of expensive, high-speed connections to the network. The
easiest and most common method of improving application
performance and response time is usually to throw more
bandwidth at the problem. Analysis later in this document,
however, reveals the immense costs associated with providing
increased bandwidth allocation.
Contrary to the belief of many employees who use the
network, bandwidth is not a free resource. How can a large
corporation change the behavior of network users to reduce
bandwidth consumption? One solution is to apply policy
controls such as access filters. However, this is a
time-consuming task, and assumes that the IT manager
understands traffic patterns and the network topology in order
to apply the appropriate access control filters. Another
option is to collect data over a period of time, which
measures the amount of traffic transmitted by a user,
department or corporate division. This information can then be
used to generate an actual bill, or proxy report, which lets
department head managers look at network usage over the
previous month.
It is beneficial for business managers to receive reports
on the type of applications and percent of traffic consumed by
that application. For example, SAP R/3 or Oracle transactions
may be starved for bandwidth because of excessive, less
important web traffic. The monthly bill can be formatted to
provide the department manager with information on consumption
patterns for each hour, day and week. By assigning a cost to
each megabyte transmitted, the manager can now correlate the
impact that his employees are having on overall network
demand. The costing reports may be used to develop, for
example, a plan to curb web surfing during business hours. The
data can also be used to generate performance reports to serve
as a source of information for planning future capital
expenditures on network equipment and services.
Case Studies of Business Applications
Intelligent Buildings
The three most important words in commercial real estate today
are location, location and bandwidth. Companies that rely on
high-speed extranet access are demanding increased bandwidth
and telecommunications in their buildings. Newly established
firms that lease commercial property are attracted to
landlords or Real Estate Investment Trusts (REIT) that provide
not only office space, but the network infrastructure to allow
the voice, video and data access necessary to conduct
business. The obvious benefit to the small, entrepreneurial
tenant is to preserve cash for inventory, labor and services.
In addition, the high cost of installing and maintaining the
network is transferred to the REIT. While the Regional Bell
Operating Companies (RBOC) in particular have made great
strides in providing and maintaining ISDN Internet access, it
still only provides 128 kbps of bandwidth, far too slow for
the serious commercial user. As a result, a new trend is
emerging in the real estate marketplace.
Developers in urban areas such as New York, Boston, Chicago
and San Francisco are installing and marketing high-tech
building connectivity. Restoring old buildings is becoming
more prevalent in the downtown sector where it is as common
for owners to advertise high-speed Internet access as it once
was to promote views of the river and proximity to a health
club. Commercial landlords that provide DS3, T1 and Fast
Ethernet connections over category 5 copper or multimode fiber
have invested in the best technology available. To maintain
profitability and continue to invest in new technology, the
REIT must pass the cost of network infrastructure charges to
the tenants. Network usage for some applications will require
a higher priority than less business-critical applications. As
such, higher monthly service charges or tariffs can be billed
to those tenants that require guaranteed data channels. Lower
charges may be applied on a best-effort data delivery.
REITs need a mechanism to measure and report on network
traffic usage. Enterasys developed the NetSight Flow
Accounting Server (FAS) to help companies such as REITs
understand traffic patterns and the network costs associated
with data transactions.
Internet Commerce
Many corporations are experiencing explosive growth on local
and wide area networks because of full-motion video and other
multicast-based applications. Furthermore, most companies are
investing in e-commerce to market, sell and support a growing
customer base that wants to do business on the web. One area
of stellar growth in the electronic-commerce market is online
brokerage firms. Individual investors are opening accounts
online to perform research, get real-time quotes and track
their portfolio. Millions of customers expect to get service
24 hours a day, seven days a week from firms such as E*Trade,
Ameritrade and Charles Schwab. In September of 1996, E*Trade
held $2.7 billion in customer assets. Just two years later, it
held $15.2 billion in customer assets, an increase of over 560
percent.
From 1995 to 1998, the amount of money Fidelity Investments
spent on bandwidth doubled from $36 million to $75 million,
according to data from InformationWeek published
October 19, 1998. At that rate, spending on bandwidth will
reach $156 million by the year 2001. Throughout Fidelity
Investments’ history, the company’s focus on technology
has enhanced its ability to offer both institutional clients
and individual investors superior service. This year alone,
Fidelity will invest some $500 million in hardware, software
and systems that will enable it to analyze and research
virtually all the world’s markets. Furthermore, this allows
Fidelity to provide its customers with the most
up-to-the-minute information necessary to make sound financial
decisions.
Given the growth rates experienced by both E*Trade and
Fidelity for web server access, both firms must predict when
electronic transactions will overload the web hosting servers.
The best way to predict capacity constraints is to measure
network transactions, latency and host system performance. The
Flow Accounting Server and Traffic Accountant applications
provide a cost-effective solution to baseline traffic flows,
and can record network usage over a period of months or years.
Analyzing the Data Collection Process
Sources of packet flows originate from devices on the
network. Most traffic originates from a workstation, PC or
server, but routers and bridges also generate traffic to
maintain route tables or exchange BPDUs. The technical issues
of data collection and reporting include data extraction, data
integrity, storage, flow association and billing criteria.
Data extraction— The connection flow must be
extracted from the network device. If the data is stored in
the Management Information Base (MIB) of the device, a network
protocol such as Simple Network Management Protocol (SNMP) can
be used to get the data.
Data integrity— The extracted data flow must be
reconciled to eliminate duplicate records prior to data
storage. This requires that either a flow identifier exist or
that the administrator carefully select the transport layer
device (switch) to enable data collection.
Storage— The call record must be stored in a
database.
Flow association— Classification of source to
destination pairs requires that the transport layer device
inspect the header information of the packet, and also
requires deeper data portion inspection to classify IP pairs
and application port. Layer 2 flows work well in a flat
bridged or switched environment; however, WAN access or flows
which extend beyond the Layer 2 domain through a router
require Layer 3 associations. High-speed networks which are
being designed and built today will require hardware-based
switch-routers that can classify data at Layer 4, providing
end-to-end application visibility throughout the entire
network infrastructure.
Billing Criteria— Applying a cost for voice, video
or data applications will be the responsibility of the IT
administrator, ISP or carrier based on their business model.
For example, a premium service offering may require a
dedicated circuit that delivers a guaranteed throughput rate
over a specified period of time. The accounting system must be
flexible so that tariffs could be applied to peak usage hours,
or credits applied if service-level agreements are not
maintained.
Types of Packet Flows
Different levels of packet flows exist and can be measured
on the network.
Interface/Port statistics are all the data sent or
received for a physical or logical interface on a device. This
includes the bytes in or bytes out, broadcast, multicast,
unicast, and errors.
Layer 2 address is all the frames sent or received
for the duration of a flow defined by the destination and
source MAC address. Other classifications of Layer 2 include
DLCI used in frame relay and VPI/VCI used in asynchronous
transfer mode.
Layer 3 address is all the frames sent or received
for the duration of a flow defined by the destination and
source IP address.
Layer 4 address is all the frames sent or received
for the duration of a flow defined by the UDP/TCP port.
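The collection steps described above (deduplication by flow identifier, Layer 3 and Layer 4 flow association, and peak-hour tariffs with SLA credits) as a worked example. This is added code, not Enterasys code; the records, directory mapping, per-megabyte rate, peak hours and credit are constructed assumptions.

```python
# Added example (not Enterasys code): the collection steps described above,
# as a small flow-record pipeline. All values and the directory are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    flow_id: int        # identifier assigned by the switch; duplicate exports share it
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    start_hour: int     # hour of day (0-23) the flow started
    bytes_total: int
    sla_met: bool       # whether the guaranteed throughput was delivered

# Constructed sample records; the second entry is a duplicate export of the first.
RECORDS = [
    FlowRecord(1, "10.1.1.5", "10.2.0.9", "tcp", 80, 10, 5_000_000, True),
    FlowRecord(1, "10.1.1.5", "10.2.0.9", "tcp", 80, 10, 5_000_000, True),
    FlowRecord(2, "10.1.1.5", "10.2.0.9", "tcp", 443, 21, 2_000_000, True),
    FlowRecord(3, "10.1.2.7", "10.3.0.4", "tcp", 3200, 14, 8_000_000, False),
]
DIRECTORY = {"10.1.1.5": "marketing", "10.1.2.7": "finance"}  # hypothetical mapping
RATE_PER_MB = 0.10         # assumed tariff, dollars per megabyte
PEAK_HOURS = range(9, 18)  # assumed business hours carrying a premium
PEAK_MULTIPLIER = 1.5
SLA_CREDIT = 0.5           # assumed credit: half the charge when the SLA is missed

def deduplicate(records):
    """Data integrity: keep one record per flow identifier."""
    seen = {}
    for r in records:
        seen.setdefault(r.flow_id, r)
    return list(seen.values())

def layer3_key(r): return (r.src_ip, r.dst_ip)
def layer4_key(r): return (r.src_ip, r.dst_ip, r.proto, r.dst_port)

def associate(records, key=layer4_key):
    """Flow association: bytes per IP pair (Layer 3) or per application (Layer 4)."""
    totals = defaultdict(int)
    for r in deduplicate(records):
        totals[key(r)] += r.bytes_total
    return dict(totals)

def charge(r):
    """Billing criteria: per-MB rate, peak-hour tariff, credit when the SLA is missed."""
    cost = r.bytes_total / 1_000_000 * RATE_PER_MB
    if r.start_hour in PEAK_HOURS:
        cost *= PEAK_MULTIPLIER
    if not r.sla_met:
        cost *= 1 - SLA_CREDIT
    return round(cost, 2)

def department_bill(records):
    """Reporting step: charges rolled up per department via the directory."""
    bill = defaultdict(float)
    for r in deduplicate(records):
        bill[DIRECTORY.get(r.src_ip, "unassigned")] += charge(r)
    return {dept: round(total, 2) for dept, total in bill.items()}
```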
Architectural Components
Agents must be present to enable or disable the
feature and to act as the lowest level collection points to
provide data to the collection aggregator. The agent may exist
at the originating point (PC or server) or on the switch,
router or other intermediary device which provides transport
services to network endpoints. The communication protocol
between the agent and the collection aggregator is necessary
to transfer data records. Standard and proprietary protocols
exist to perform the task, operating at the application layer
and using TCP/IP for message transport.
Protocols
SNMP—The Simple Network Management Protocol uses get
or get-next requests to retrieve data from an agent device,
which typically caches information in volatile memory.
Although it is a popular protocol, it is not efficient because
devices must be polled periodically, and SNMP get-next requests
may overload the agent device CPU with excessive requests for
data.
CMIP—The Common Management Information Protocol
uses the ISO standard for defining variables to be controlled
(known as a MIB). Its operation is similar to SNMP, yet it has
not been embraced by the data networking community. The
protocol is used more in Telco environments and may reveal
some of the same limitations as SNMP.
LFAP—The Lightweight Flow Admission Protocol
exists as an informational RFC 2124 that uses flow update
notifications sent from the agent device to the aggregator.
The benefit of this protocol implementation is that the agent
device CPU can transmit data to the aggregator during off-peak
CPU cycles. The LFAP protocol is also more efficient because
it does not require the overhead of putting data into a MIB
structure.
Collection Aggregator—This component accumulates
all packet flows from the collection of agents on the network.
The collection aggregator can be thought of as a middleware
component, which should be fault tolerant to eliminate the
loss of any data due to a network or host system failure.
Centralized Repository—Data from one or more CAs
are sent to a database. At this point data can then be
retrieved from a back-end application to compile and report
information to senior management or IS personnel.
Solutions From Enterasys
Enterasys’ Traffic Accountant application and Flow
Accounting Server provide businesses with the ability to
report network traffic usage on an individual, department
and/or application level. IS managers can now identify,
monitor and control network bandwidth usage within an
organization and on outside links to the Internet. Cost
reports can be generated on wide area network interfaces,
which identify the top talkers. This provides IS managers with a
record of network usage and justification for adding
additional capacity. Critical resources such as web hosting,
e-commerce or payroll servers can be tracked for bandwidth
usage, connection duration and the source of the request. This
provides network managers with an audit trail to troubleshoot
problems or detect improper use of network resources.
Enterasys developed this application to help managers reduce
capital expenditures, increase network performance and provide
an understanding of traffic patterns, as well as to reduce the
network costs associated with data transactions.
Enterasys developed the FAS to collect flows that transit
the SmartSwitch Router. The FAS was designed to be a scalable,
fault-tolerant service-layer component. Each FAS is capable of
maintaining status on a million active flows, and in the event
of a FAS failure, active flow accounting updates can be
rerouted for recording to secondary servers. The data can be
exported to a corporate database, or to an Enterasys-provided
Traffic Accountant application.
The Traffic Accountant allows IT managers to generate cost
and performance reports. Data can then be easily accessed for
viewing and updating through queries, which make it possible
to access data from viewpoints that are meaningful to the
administrator. Traffic Accountant also includes a directory
management module which allows IT managers to define the
organizational hierarchy, and assign workstations to users for
more detailed charge-back purposes.
Open Interface
The Traffic Accountant provides an open interface to export
data to other applications, and supports the Microsoft Open
Database Connectivity (ODBC) to provide transparent access of
data, such as traffic patterns, employee directories and
application usage. Enterasys is also developing a Lightweight
Directory Access Protocol (LDAP v.3) client, enabling the FAS
to dynamically associate a user with an address binding for
accurate report analysis. For quick report generation, Traffic
Accountant will also generate an HTML format for posting to an
organization’s web site.
Network Accounting Components
Three essential components are necessary to deploy a
network accounting solution. The system must support a:
- Transport layer device, such as Enterasys’ SmartSwitch
Router, that maintains a table of application flows.
- Collection aggregator, such as the FAS, to accept flow
updates from one or more transport layer devices.
- Reporting application, such as the Traffic Accountant,
to store historical data and generate reports on network
usage activity.
SmartSwitch Router
The SmartSwitch Router (SSR) provides wire-speed performance,
full Layer 2 switching, IP/IPX routing and Layer 4 application
switching. The SSR 8600 will route more than 30 million
packets per second, and its table capacities provide for
250,000 routes and 4,000,000 application flows. The SSR 8600
was designed to serve as a backbone switch router. The SSR
2000 series was designed to serve as a wiring closet switch
router. Both models support a variety of WAN interfaces.
The SSR can be configured to collect information on an
entire interface or on a specific host-to-host application
flow. No degradation in performance will occur while
collecting accounting statistics. The Layer 4 table statistics
are transmitted to the FAS using a push technology. Enterasys
developed a technology for network accounting protocols, known
as Lightweight Flow Accounting Protocol (LFAP), to optimize
the delivery of large accounting data from the switch to the
FAS. Originally submitted to the Internet Engineering Task
Force (IETF) Network Working Group as informational RFC 2124,
Enterasys has extended the capabilities of the protocol, and
will be resubmitting the changes to the IETF. The benefit of
LFAP is the ability to transfer up to 64 flow sessions in a
single message unit, thereby optimizing the use of the
network. In addition, the SSR central processor unit (CPU)
does not need to be burdened with excessive SNMP queries, but
can instead handle updates during less intensive CPU cycles.
Flow Accounting Server
The FAS acts as a flow collector for one or more SSR
devices. One or more FAS systems will act in concert to
collect data from SSRs. New flows originate from Flow Admit
Request (FAR) messages sent from the SSR. Periodically, the
SSR will transmit a Flow Update Request (FUN) on each active
flow, which contains data on the number of bytes transmitted
and received for a particular session. A FUN inactive message
results in the termination of a call record.
The FAS is a distributed, fault tolerant and scalable
system. A single FAS system will maintain over one million
active flows and perform over 500 FARs and 500 FUNs per
second. The administrator can tune the system to compress a
maximum of 64 flow pairs in a single FUN update. This type of
architecture delivers the ability to record 32,000 data flows
per second for a single FAS. This design gives
administrators the ability to collect large volumes of data
over an extended period of time in a network.
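The FAR/FUN exchange described above, as a simplified collector model. This is added code, not Enterasys code and not the LFAP wire format: messages are constructed dictionaries, the 64-flow batch limit is taken from the text, and the byte counters in a FUN are assumed to be cumulative for the flow.

```python
# Added example (not Enterasys code, not the LFAP wire format): a simplified model
# of the FAS collector described above. Messages are constructed dicts; byte
# counters in a FUN are assumed to be cumulative for the flow.
MAX_FLOWS_PER_FUN = 64   # the page states up to 64 flow pairs per update

class FlowAccountingServer:
    def __init__(self):
        self.active = {}    # flow_id -> flow state admitted by a FAR
        self.records = []   # closed call records, ready for the database
        self.rejected = 0   # over-sized updates or updates for unknown flows

    def on_far(self, msg):
        """Flow Admit Request: the SSR reports a new flow."""
        self.active.setdefault(msg["flow_id"], {
            "src_ip": msg["src_ip"], "dst_ip": msg["dst_ip"],
            "dst_port": msg["dst_port"], "start_ts": msg["ts"],
            "bytes_tx": 0, "bytes_rx": 0})

    def on_fun(self, msg):
        """Flow Update: batched counters; an inactive entry closes the call record."""
        if len(msg["flows"]) > MAX_FLOWS_PER_FUN:
            self.rejected += 1          # exceeds what one update may carry
            return
        for upd in msg["flows"]:
            flow = self.active.get(upd["flow_id"])
            if flow is None:            # never admitted via FAR: do not invent a record
                self.rejected += 1
                continue
            flow["bytes_tx"], flow["bytes_rx"] = upd["bytes_tx"], upd["bytes_rx"]
            if upd.get("inactive"):     # FUN inactive terminates the call record
                self.records.append({**flow, "flow_id": upd["flow_id"],
                                     "duration": msg["ts"] - flow["start_ts"]})
                del self.active[upd["flow_id"]]

# Constructed sample exchange from one SSR (timestamps in seconds).
MESSAGES = [
    {"type": "FAR", "flow_id": 7, "src_ip": "10.1.1.5", "dst_ip": "10.2.0.9",
     "dst_port": 80, "ts": 100},
    {"type": "FUN", "ts": 160,
     "flows": [{"flow_id": 7, "bytes_tx": 4000, "bytes_rx": 90000}]},
    {"type": "FUN", "ts": 220, "flows": [
        {"flow_id": 7, "bytes_tx": 6000, "bytes_rx": 150000, "inactive": True},
        {"flow_id": 9, "bytes_tx": 10, "bytes_rx": 10}]},   # never admitted
]

def run(messages):
    """Feed a message stream to a fresh FAS and return it for inspection."""
    fas = FlowAccountingServer()
    for m in messages:
        (fas.on_far if m["type"] == "FAR" else fas.on_fun)(m)
    return fas
```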
Traffic Accountant
The Traffic Accountant provides a low-cost, NT-based,
back-end database and reporting application. For example, a
specific report may be generated for a time period (weekly or
monthly) which will itemize the data transmitted for a
workgroup or IP subnet range.
The Traffic Accountant includes report templates to
simplify the process of creating custom reports. The different
report templates allow the administrator to create precise
information summary reports.
1. Call Record report templates are used to create
reports that detail and condense call records. This includes
reports by cost category, directory name, and organization
level.
2. Performance report templates are used to create
reports that contain the information necessary to improve the
performance and cost effectiveness of your network. The
reports show statistics such as minimum and maximum call
volume, minimum and maximum call duration, and call charges.
Information can be organized by different criteria, such as
date, time and duration.
3. Exception report templates are used to create
reports that list abnormal network usage. The administrator
will define the parameters for these reports. For example,
exceeded byte transfers for specified multicast sessions could
be the parameter used for an exception report.
Feature Summary
End-to-end data collection
- Layer 3 IP address pairs
- Layer 4 service type
- Fault tolerant flow aggregation
- Call duration
- Bytes and packets
- Efficient delivery protocol
Expense Appropriation
- Bill departments or groups
- Usage reports for users
- Aggregate bandwidth consumption by application
- Capacity and growth planning
Directory Association
- Cost can be assigned to individual users
- Import, add, modify or remove entries
Exporting Data
- Reports can be generated and emailed on a
scheduled interval
- ODBC compliant
- Built-in OLE integration with Microsoft Office
applications
Usability
- Application provides 31 performance reports and
six different cost reports.
- Icon-driven to provide results quickly and
efficiently
Minimum Hardware Requirements
Flow Accounting Server
- Sun Ultra 5 Workstation
- 270 MHz UltraSPARC-IIi, 256KB cache
- 256 MB RAM
- 400 MB disk space reserved for application code and data
store.
- Solaris 2.6 Operating System
Traffic Accountant*
- Pentium II 350 MHz, 512KB cache
- 256 MB RAM
- 100 MB disk space reserved for application code.
- Network Interface Card
- CD ROM drive
- Microsoft NT 4.0, Service pack 3
- Microsoft Internet Explorer 4.0
* More intensive data collection and reporting will
require a SCSI drive to boost disk performance. It is also
recommended that a redundant array of independent drives
(RAID) be configured using Windows NT RAID Level 5.