Cisco Press Network Management Accounting And Performance Strategies Jun 2007 ISBN 1587051982 (1)

  Network Management: Accounting and Performance Strategies

  by Benoit Claise - CCIE No. 2686; Ralf Wolter Publisher: Cisco Press Pub Date: June 20, 2007

  Print ISBN-10: 1-58705-198-2 Print ISBN-13: 978-1-58705-198-2

  Pages: 672


Network Management: Accounting and Performance Strategies

  The definitive guide to collecting usage information from Cisco networks

  Benoit Claise, CCIE® No. 2868
  Ralf Wolter

  Understanding network performance and effectiveness is now crucial to business success. To ensure user satisfaction, both service providers and enterprise IT teams must provide service-level agreements (SLA) to the users of their networks—and then consistently deliver on those commitments. Now, two of the Cisco® leading network performance and accounting experts bring together all the knowledge network professionals need to do so.

  Network Management: Accounting and Performance Strategies imparts a deep understanding of Cisco IOS® embedded management for monitoring and optimizing performance, together with proven best strategies for both accounting and performance management.

  Benoit Claise and Ralf Wolter begin by introducing the role of accounting and performance management in today's large-scale data and voice networks. They present widely accepted performance standards and definitions, along with today's best practice methodologies for data collection.

  Next, they turn to Cisco devices and the Cisco IOS Software, illuminating embedded management and device instrumentation features that enable you to thoroughly characterize performance, plan network enhancements, and anticipate potential problems and prevent them. Network standards, technologies, and Cisco solutions covered in depth include Simple Network Management Protocol (SNMP) and Management Information Bases (MIB), Remote Monitoring (RMON), IP accounting, NetFlow, BGP policy accounting, AAA Accounting, Network Based Application Recognition (NBAR), and IP SLA (formerly known as SAA). For each, the authors present practical examples and hands-on techniques. The book concludes with chapter-length scenarios that walk you through accounting and performance management for five different applications: data network monitoring, capacity planning, billing, security, and voice network performance.

  Network Management: Accounting and Performance Strategies will be indispensable to every professional concerned with network performance, effectiveness, or profitability, especially NMS/OSS architects, network and service designers, network administrators, and anyone responsible for network accounting or billing.

  Benoit Claise, CCIE® No. 2868, is a Cisco Distinguished Engineer working as an architect for embedded management and device instrumentation. His area of expertise includes accounting, performance, and fault management. Claise is a contributor to the NetFlow standardization at the IETF in the IPFIX and PSAMP Working Groups. He joined Cisco in 1996 as a customer support engineer in the Technical Assistance Center network management team and became an escalation engineer

  Ralf Wolter is a senior manager, consulting engineering at Cisco. He leads the Cisco Core and NMS/OSS consulting team for Europe, works closely with corporate engineering, and supports large-scale customer projects. He specializes in device instrumentation related to accounting and performance management.

  • Compare accounting methods and choose the best approach for you
  • Apply network performance best practices to your network
  • Leverage built-in Cisco IOS network management system components to quantify performance
  • Uncover trends in performance statistics to help avoid service degradation before it occurs
  • Identify under use of network paths, so you can improve overall network efficiency
  • Walk through hands-on case studies that address monitoring, capacity planning, billing, security, and voice networks
  • Understand Cisco network performance, deliver on your SLAs, and improve accounting and billing

  This book is part of the Networking Technology Series from Cisco Press®, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Copyright Network Management

  Benoit Claise, CCIE No. 2686, Ralf Wolter Copyright© 2007 Cisco Systems, Inc.

  Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

  Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 First Printing June 2007

  ISBN-13: 978-1-58705-198-2 Library of Congress Cataloging-in-Publication Data Claise, Benoit.

  Network management / Benoit Claise, Ralf Wolter. p. cm.

  ISBN 978-1-58705-198-2 (hardcover)

  1. Computer networks-- Management. I. Wolter, Ralf, 1926- II. Title. TK5105.5.C544 2007 004.6068--dc22 2007018567

Warning and Disclaimer

  and performance strategies for network management. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales

  The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

  U.S. Corporate and Government Sales


   For sales outside the United States please contact: International Sales

Trademark Acknowledgments

  All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

  In addition, this book includes excerpts from the following copyrighted documents:

  RFC 3954, Cisco Systems NetFlow Services Export Version 9. Copyright © The Internet Society, 2004.
  RFC 2863, The Interfaces Group MIB. Copyright © The Internet Society, 2000.
  RFC 2924, Accounting Attributes and Record Formats. Copyright © The Internet Society, 2000.
  RFC 2578, Structure of Management Information Version 2 (SMIv2). Copyright © The Internet Society, 1999.
  RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II. Copyright © The Internet Society, 1991
  RFC 3813, Multiprotocol Label Switching (MPLS) Label Switching Router (LSR) Management Information Base (MIB). Copyright © The Internet Society, 2004.
  RFC 3812, Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Management Information Base (MIB). Copyright © The Internet Society, 2004.
  RFC 4293, Management Information Base for the Internet Protocol (IP). Copyright © The Internet Society, 2006.
  RFC 2932, IPv4 Multicast Routing MIB. Copyright © The Internet Society, 2000.
  RFC 2579, Textual Conventions for SMIv2. Copyright © The Internet Society, 1999.
  RFC 3919, Remote Network Monitoring (RMON) Protocol Identifiers for IPv6 and Multi Protocol Label Switching (MPLS). Copyright © The Internet Society, 2004.
  RFC 4149, Definition of Managed Objects for Synthetic Sources Internet Society, 2005.
  RFC 4150, Transport Performance Metrics MIB. Copyright © The Internet Society, 2005.
  RFC 4710, Real-time Application Quality-of-Service Monitoring (RAQMON) Framework. Copyright © The Internet Society, 2006.
  RFC 2869, RADIUS Extensions. Copyright © The Internet Society, 2000.
  RFC 2865, Remote Authentication Dial In User Service (RADIUS). Copyright © The Internet Society, 2000.

  Additional material in this book has been reproduced by kind permission of the ITU-T, TMF, and IPDR.

Feedback Information

  At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community. Reader feedback is a natural continuation of this process. If you have any comments about how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at . Please be sure to include the book title and ISBN in your message.

  We greatly appreciate your assistance.

  Publisher: Paul Boger
  Associate Publisher: Dave Dusthimer
  Cisco Representative: Anthony Wolfenden
  Manager
  Executive Editor: Mary Beth Ray
  Managing Editor: Patrick Kanouse
  Senior Development Editor: Christopher Cleveland
  Senior Project Editor: San Dee Phillips
  Copy Editor: Gayle Johnson
  Technical Editors: Alexander Clemm, Chris Elliot, Simon Leinen, John Strassner, Emmanuel Tychon, Jan Bollen, Michael Behringer
  Editorial Assistant: Vanessa Evans
  Book and Cover Designer: Louisa Adair
  Composition: Mark Shirar
  Indexer: Tim Wright
  Proofreader: Molly Proue

  Americas Headquarters Cisco Systems, Inc.

  170 West Tasman Drive San Jose, CA 95134-1706 USA


  Tel: 408 526-4000

  800 553-NETS (6387) Fax: 408 527-0883

  Asia Pacific Headquarters Cisco Systems Inc.

  168 Robinson Road #28-01 Capital Tower Singapore 068912


  Tel: +65 6317 7777 Fax: +85 6317 7799

  Europe Headquarters

  Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands


  Tel: +31 0 800 020 0791 Fax: +31 0 20 357 1100 Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at


  © 2006 Cisco Systems, Inc. All rights reserved. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

  All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0609R)



  First, and most important, I would like to thank my family for their ongoing support during the very long journey of writing this book. Expressed differently: "Lore, Julien, and Jocelyne, please accept my apologies for the multiple evenings and weekends I should have spent with you." I also would like to thank Luc David and Frank Van Steenwinkel —respectively, my manager and director when I was at the Technical Assistance Center—for giving me the freedom to do what is important.

  Finally, I express my gratitude to the numerous people who encouraged me during the first stage of the project and throughout the completion of the book: some by reviewing the text, some by testing in the lab, and some simply for offering kind words. Special thanks for the always-positive attitude of Ralf, my coauthor.


  First, I thank my wife Miriam for her love and patience during the course of this book. Without her commitment to me and the kids, I would not have been able to succeed in my professional it became real! I also want to thank my children, Lydia and Henry, for releasing me during uncountable weekend hours. I'm looking forward to the day when they can read and understand this book.

  Next, I want to thank my coauthor, Benoit, for his commitment and for constantly reminding me that quality and consistency cannot be neglected, even for the price of missing a deadline. Taking this journey together is an experience I will never forget. Finally, and certainly most important of all, I give all thanks to God the Father, the Son, and the Holy Spirit for all that I am.

About the Authors

  Benoit Claise, CCIE No. 2686, is a Cisco Distinguished Engineer working as an architect for embedded management and device instrumentation. His area of expertise includes accounting, performance, and fault management. Claise is a contributor to the NetFlow standardization at the IETF in the IPFIX and PSAMP working groups. He joined Cisco in 1996 as a customer support engineer in the Technical Assistance Center network management team. He then became an escalation engineer before joining the engineering team.

  Ralf Wolter is a senior manager, Consulting Engineering at Cisco Systems. He leads the Core and NMS/OSS consulting team for Europe and works closely with corporate engineering, as well as supporting large customer projects. His special field of interest is device instrumentation, related to accounting and performance management. He joined Cisco in 1996 as a systems engineer. He has provided technical leadership for many large network management projects in Europe, the Middle East, and Africa. Before his current position, he worked as a networking consultant at AT&T/NCR, focusing on the design and management of data networks.

About the Technical Reviewers


  Dr. Alexander Clemm is a senior architect with Cisco. He has been involved with integrated management of networked systems and services since 1990. He has provided technical leadership for many leading-edge network management development, architecture, and engineering efforts, from conception to delivery to the customer. His current responsibilities involve embedded management and instrumentation of devices for management purposes. Outside Cisco, Clemm is on the organizing or technical committees of the major IEEE management-related conferences. He is the author of the Cisco Press book Network Management Fundamentals.

  Chris Elliott, CCIE No. 2013 in Routing and Switching, has recertified in NMS and security, among other topics. He has extensive expertise in all aspects of networking, starting 30 years ago with ARPAnet. He has focused on network management for the last 17 years and is involved in several IETF protocol standardization efforts. He is the author of the book Performance and Fault Management. In addition, he is the developer and presenter of several in-depth technology discussions presented at NetWorld+Interop, Networkers at Cisco Live, NANOG, and elsewhere.

  Simon Leinen has been working since 1996 as a network engineer for SWITCH, the Swiss education and research network operator. He helps build network monitoring and accounting systems. He has participated in several joint European research projects. Other activities include IETF standardization work—in particular, in the IPFIX and NETCONF working groups—and the development of the Performance Enhancement and Response Team (PERT), a service addressing end-to-end performance issues experienced by research network users.

  John Strassner is a Motorola fellow. He is also the Director of Autonomic Computing Research at Motorola, where he is responsible for directing Motorola's efforts in autonomic computing, policy management, knowledge engineering and identity management. Previously, John was the chief strategy officer for Intelliden and a former Cisco fellow. John invented DEN (Directory Enabled Networks) and DEN-ng as a new paradigm for managing and provisioning networks and networked applications. John is the chair of the ACF and vice-chair of the Reconfigurability and Autonomics working group of the WWRF. He is the past chair of the TMF's NGOSS metamodel, policy, and Shared Information and Data modeling work groups, as well as being active in the ITU, OMG, and OASIS. He has authored two books (Directory Enabled Networks and Policy Based Network Management), written chapters for three other books, and has authored over 145 refereed journal and conference publications. Finally, he is an associate professor at Waterford Institute of Technology in Ireland.


  This book is the result of a team effort, finally during the writing and before throughout years of teamwork and cooperation in driving the technology. We would like to acknowledge those who made it possible to write this book.

  A big thank-you goes to several Cisco colleagues for their support, encouragement, and constructive feedback during the reviews, especially Marisol Palmero for the Data-Collection MIB, Bulk-MIB, and NBAR; Emmanuel Tychon for IP SLA; Alex Clemm for the scenarios; Jan Bollen for voice management; Michael Behringer for security; Chris Elliot for SNMP; Greg Weber for IPDR; and Stuart Parham for lab support. Their professional input helped add the missing pieces.

  We would like to say a special thank you to Simon Leinen and John Strassner for their due diligence and encouragement during the writing and reviewing of the book. We really appreciate your constructive feedback!

  A special thanks to our senior development editor, Christopher Cleveland, for the right combination of pushing and patience, and to our executive editor, Mary Beth Ray, for being flexible and always supportive and encouraging.


Icons Used in This Book


Command Syntax Conventions

  The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:


  • Bold indicates commands and keywords that are entered literally as shown. In configuration examples and output (not general command syntax), bold indicates commands that are manually input by the user (such as a show command).
  • Italic indicates arguments for which you supply actual values.
  • Vertical bars (|) separate alternative, mutually exclusive elements.
  • Square brackets ([ ]) indicate an optional element.
  • Braces ({ }) indicate a required choice.
  • Braces within brackets ([{ }]) indicate a required choice within an optional element.


  For today's network operators, understanding the performance and effectiveness of their networks is critical to business success. The age of largely overprovisioning networks to boost bandwidth already seems like the distant past. The economic climate has moved toward maximizing the return on investment into the network infrastructure. At the same time, as the wide adoption of network applications seamlessly converges business-critical data, voice, and video into the same network infrastructure, any performance degradation and downtime can cost businesses tens of thousands of dollars each hour. In addition to performance issues caused by failures, outages, and misconfigurations, peer-to-peer traffic increases almost daily.

  From a business perspective, enterprises need to ensure that business-critical applications receive proper treatment, defined by a service-level agreement (SLA), and keep the networking infrastructure in an appropriate balance between costs and benefits. Service providers generate revenue by delivering connectivity, potentially bundled with value-added services. They can differentiate themselves either through cheaper prices or by offering their customers better SLAs, proactively monitoring them, and notifying customers about outages and potential bottlenecks. From the enterprise perspective, this is a major step toward increasing application reliability and organizational efficiency and productivity.

  Accounting and performance management applications are vital to network efficiency. For example, these tools can identify underused network paths or nodes, the most active routes through the network, and points where the network is overloaded. For optimal use, operators need to tune their networks and corresponding service parameters based on a detailed picture of the networks' characteristics, achieved through accounting and performance management. There is a close relationship between accounting and performance areas in this book. This book's focus is on accounting and performance device instrumentation. It delves into the details of the Cisco device features related to accounting and performance management, with limited emphasis on applications, mediation devices, and higher-level functions. Accounting and performance management help you understand these data collection concepts and distinguish the different methods. In addition, detailed guidance and scenarios help you apply these concepts.

Goals and Methods

  Why should you read this book? The objective is to set the foundation for understanding performance and accounting principles, provide guidance on how to do accounting and performance management, and to illustrate these with real-world examples and scenarios so that you can apply this knowledge in your own network.

  This book can be a reference for experts as well as a "read it all" book for beginners. Its objectives are as follows:

  • To help you understand the relationship between accounting and performance and to teach you how to use them in conjunction with each other.
  • To address both enterprises and service providers. Basically, both groups can collect similar types of data with potentially the same accounting features, while targeting different goals. An example is gathering NetFlow data for monitoring purposes for an enterprise customer while a service provider collects similar NetFlow records for billing purposes.
  • To offer guidance in choosing the "right" features and applying them using best practices.
  • To provide an in-depth description and comparison of the various accounting and performance methods. This helps you clearly distinguish the various methods and choose the right method for your network and the problems you need to solve.
  • To briefly describe accounting and performance scenarios and examples, such as IP telephony, security, traffic engineering, and billing.

Who Should Read This Book?

  To get the most out of this book, you should have a basic understanding of NMS and OSS concepts and be familiar with the command-line interface of Cisco devices. The primary audience for this book includes the following:

  • NMS/OSS architects and network designers, operations people, service designers, network management administrators, accounting and billing operations/IT department, capacity planning department, security department
  • Students with a general interest in network management and a special interest in accounting and performance strategies

How This Book Is Organized

  When developing the outline for this book, we had two different groups of readers in mind: beginners and experts. You can read this book from cover to cover and get a good understanding of accounting and performance management. You also will learn how to implement the described solutions in your network. The chapter structure follows a logical path for newcomers to accounting and performance management. If you are already familiar with the basic technologies and are more interested in the implementation details and how to apply them, you can jump directly to the chapter of your main interest. Last but not least, we would like this book to become a reference and "dictionary" for performance and accounting techniques, allowing an easy comparison of features.


  provides a map to help you quickly make your way through the large amount of information provided.

  Figure I-1. How to Read This Book

  This book's overall structure is as follows:


  , "Data Collection and Methodology Standards," addresses the generic concepts of data collection for accounting and performance purposes. It also describes some typical scenarios and discusses related standards.

  Accounting and Performance Management," discusses the basic concepts of accounting and performance management, distinguishes the two areas, and applies the relevant parts of both technologies to network design and applications.

  discusses relevant questions for any accounting or performance management project: What type of information should you collect? What level of detail is required in the data records? How should you meter, collect, and process the data records?

  "Accounting and Performance Standards and Definitions," covers details about architectures, standards definitions, and protocols related to performance and accounting. It also provides an overview of the different standards bodies and architectures, along with the concepts and principles of each protocol.

  , "Implementations on the Cisco Devices," drills into the implementation specifics of accounting and performance features of Cisco network elements. Each chapter describes the principles first, followed by implementation details, and concludes with command-line examples, including MIB examples where appropriate.

  capabilities of the different SNMP protocol versions on Cisco network elements. SNMP and MIB configuration examples as well as feature comparison tables help you understand and apply the information. The chapter also summarizes the most relevant accounting and performance MIBs.

  Remote Monitoring (RMON) series of MIBs. A command-line reference plus SNMP MIB details and configuration examples make the chapter content quickly applicable.

  accounting features in Cisco IOS. It covers the different IP accounting functions and includes a command-line reference as well as SNMP MIB details.

  Cisco IOS. It covers the different NetFlow versions, the latest NetFlow features, and the natural NetFlow evolution toward IPFIX. Platform-specific details also are discussed, along with some command-line references, examples, and SNMP MIB details.

  "BGP Policy Accounting," describes BGP Policy Accounting features in Cisco IOS. You'll see how to apply the features for a source- and destination-sensitive billing scheme, as well as the practical configuration details on the routers. Furthermore, you will understand the similarities between BGP Policy Accounting and the "Destination-Sensitive Billing" feature.

  Authentication, Authorization, and Accounting (AAA), with an emphasis on accounting. The chapter starts with a general introduction to AAA, RADIUS, and Diameter. The various standards are discussed, and a dedicated section covers voice-specific extensions. You will be able to identify which AAA functions to use for which requirements and what Cisco has implemented.

  Network-Based Application Recognition (NBAR) feature in Cisco IOS. This will enable you to decide in which situations NBAR is the appropriate mechanism for accounting and performance management. Based on concrete examples, you will be able to identify the appropriate CLI commands and MIB functions and quickly get NBAR setups operational.

  is an embedded feature set in Cisco IOS Software that allows you to analyze service-level agreements for protocols, applications, and services.

  Methodology," summarizes the high-level technical characteristics of the features covered in through It provides a way to structure, categorize, and compare the features. In addition, this chapter offers an entry point into the accounting and performance features. It can be used as an introduction to the features of interest.

  , "Assigning Technologies to Solutions," applies the details from to real-world scenarios, such as monitoring, capacity planning, voice, security, and billing.

  series of questions that network operators ask themselves: "How should I check the device's health in the network?", "How do I evaluate the link capacity?", "When should links be upgraded?", "How should I verify network connectivity?", "How can I evaluate the response time between the locations?", "How can I ensure VoIP quality?", "How can I determine the application types in the network?", and "How do I discover the traffic sent to and received from the Internet?"

  covers link capacity planning and network-wide capacity planning. It describes the requirements and relationships with network performance monitoring, peering agreements, and traffic engineering.

  in the area of the Cisco voice accounting and performance measurement. It describes the technical background of voice accounting and performance management, which combines the device instrumentation features from

  security scenario that is closely related to accounting and performance measurement. It describes how to leverage metering information to identify and block security attacks and to use performance management to proactively secure the network.

  accounting and performance management technologies can be used for billing. It applies technologies and products associated with accounting and performance management.


Part I: Data Collection and Methodology Standards

  Accounting and Performance Standards and Definitions

Chapter 1. Understanding the Need for Accounting and Performance Management

  This chapter defines the foundation for this book and answers the following general questions:

  • What is accounting management?
  • What is performance management?
  • What is the relationship between accounting and performance management?
  • Why do networks require accounting and performance management?
  • Why is accounting almost a stealth area within network management?
  • Which problems do accounting and performance management solutions solve?
  • How can the business use this information for network planning, redesign, and billing?
  • What aspects make up accounting and performance monitoring (data collection, data analysis, reporting, billing, and so on)?

  By the end of this chapter, you will be able to grasp the basic concepts of accounting and performance management, distinguish the two areas, and apply the relevant part of both technologies to network design and applications.

  During the last decade, the Internet has changed our ways of communicating more than anything else. The Internet is almost ubiquitous today, and we take connectivity for granted until for some reason we cannot connect. At that point, we suddenly feel isolated. These days we expect Internet connectivity to be available anytime, anywhere. Most of us realize that this is impossible without intelligent systems managing the network. This leads us to technologies, processes, and applications in the area of Network Management and Network Management Systems and Operations Support Systems (NMS-OSS). NMS was a set of niche applications for quite some time, until businesses realized that their performance depended on the network. Then, suddenly, network downtime became a business issue instead of just a minor problem. Therefore, notions such as service level agreements (SLA) are imposed on the network to support specific business application requirements. Nobody questions the need for fault and security management these days, and there is obviously a need for performance statistics, but still some questions are left open: "Do I really need accounting?" "Is accounting the same as billing?" "What can accounting do for me?" In this chapter, you will find answers to these questions and understand how accounting relates to performance management. In a nutshell, accounting describes the process of gathering usage data records at network devices and exporting those records to a collection server, where processing takes place. Then the records are presented to the user or provided to another application, such as performance management, security management, or billing. An example is collecting usage records to identify security attacks based on specific traffic patterns or measuring which applications consume the most bandwidth in the network. 
This book focuses on accounting, but because accounting is so closely related to performance, this chapter also discusses performance aspects in detail and identifies how accounting and performance can be used together to support each other. Because many more networks have deployed performance management than accounting solutions, this chapter starts with the performance area, where you will learn the relationship between performance management and service level agreements. The objective is to enable you to distinguish between accounting, performance management, service level monitoring, and fault management. This chapter briefly introduces management standards and concepts to help you understand common areas and demarcations between accounting and performance management.

  "Accounting and Performance Standards and Definitions," describes these concepts in more detail and also describes the roles of the various standards bodies, along with their main objectives and directions.

  Most network administrators ask themselves whether they need accounting when looking at the Fault, Configuration, Accounting, Performance, and Security (FCAPS) management model. The FCAPS model is an international standard defined by the International Telecommunication Union (ITU) that describes the various network management areas.

  The FCAPS model was chosen as a structure even though other models exist, such as FAB and eTOM (which are introduced in


  Table 1-1 describes the main objectives of each functional area in the FCAPS model.

  Table 1-1. ITU-T FCAPS Model

  Management Functional Area (MFA)   Management Function Set Groups
  Fault                              Alarm surveillance, fault localization and correlation, testing, trouble administration, network recovery
  Configuration                      Network planning, engineering, and installation; service planning and negotiation; discovery; provisioning; status and control
  Accounting                         Usage measurement, collection, aggregation, and mediation; tariffing and pricing
  Performance                        Performance monitoring and control, performance analysis and trending, quality assurance
  Security                           Access control and policy; customer profiling; attack detection, prevention, containment, and recovery; security administration

  See ITU-T M.3400 and ISO/IEC 7498-4 (Open Systems Interconnection—Basic Reference Model, Part 4: Management Framework)

  Fault management is compulsory for managing networks proactively. Unless you want to configure all devices sequentially via Telnet or Secure Shell (SSH), an application is required to configure multiple devices in parallel and automate actions such as backup, rollback, and inventory. A new virus hits the Internet almost every day, so the need for security management is critical. Measuring and monitoring network performance is required in today's complex networks; still, the importance of accounting is not as well understood.

  One of the reasons the ITU was formed in 1865 was in recognition of the need to agree on a common method of dividing the revenues from international telegraph services between the originating and destination countries. According to the billing paradigm in those days, a network element either could account for data to be transmitted or would drop it. For example, phone calls were set up only if charging and billing could be achieved. Accounting was solely considered the task of collecting usage data, preprocessing it, and feeding it into a billing application. Service providers usually developed their own accounting and billing applications, and most enterprises were not interested in accounting information. With the introduction of data networks and the Internet Protocol (IP) becoming ubiquitous, the billing paradigm changed quickly. Internet access was only billed on access time, and services on the Internet were offered free of charge. Over time, accounting in the IP world was almost forgotten, even for network management experts. This was exacerbated by the roots of accounting, which was considered no more than a billing component. This also increased the isolation of accounting. Hence, this book's approach is to distinguish between accounting and billing, to identify areas where accounting can be used (billing is just one of them), and to discover how accounting and performance management relate to each other.

  You should also consider accounting's potential levels of complexity. Although collecting interface counters is quite simple, mediation and correlation of large accounting records for a billing application can be difficult. It requires detailed knowledge of the underlying network architecture and technology, because collecting usage records from a legacy voice network is a completely different task than collecting usage records in data networks. Content switches generate a different set of records than an IP phone does. Likewise, there is not much similarity between an accounting record from an authentication server and the retrieval of a device interface counter, even though all of these are valid accounting sources.

  Figure 1-1 shows different networking devices and the various accounting records created. Do not be concerned by the figure's alphabet soup; it is used solely to represent the various accounting sources and different transport mechanisms. The following chapters describe each mechanism in detail, with emphasis on how they relate to each other.


Figure 1-1. Accounting Sources/Usage Data Generation


  In addition, we distinguish between connectionless Layer 3 IP communications, connection-oriented Layer 2 services, session-oriented communication (for example, dialup) and legacy voice calls. All data records generated in these examples are different. For example, the Cisco IP device would export a Cisco NetFlow record. A Layer 2 Asynchronous Transfer Mode (ATM) switch stores connection details in a text log file and stores voice call results in a Signaling System 7 (SS7) record for legacy voice or call data records for voice over IP (VoIP). In a scenario of accounting for a phone call, each of the collected data sets describes a "phone call," but the technologies used are completely different. This causes the resulting records to be merged. Instead, understanding this data requires complex processing. Otherwise, instead of obtaining meaningful information, we end up with independent sets of unrelated data. No general accounting standard exists across the various technologies just described. Therefore, the network architect needs to understand the different accounting technologies, compare and relate them to each other, and design a solution that solves the business requests. The trend toward IP as the unique communication protocol will certainly reduce the described complexity in the future, but this will take another couple of years. Therefore, it is important to understand the different accounting techniques and also identify the various sources in the network for generating usage data records.

  Previously, the level of complexity combined with the close association of accounting and billing drew little attention from network administrators and operators. Although legacy telephony services are still charged on call duration, new broadband data services offer customers flat-rate billing. The advantage for the service provider is the simple business model. One price fits all, and it does not take a lot of additional equipment to collect usage data, because neither the user's total online time nor the transmitted volume is an input parameter for the monthly bill. Unfortunately, this model generates only limited and fixed revenue and provides no unique positioning or competitive advantage. Some providers have changed their billing model to be volume- or destination-sensitive, but these are still exceptions. A solid business model is required to justify the level of complexity and required investments, both for capital expenditures (CAPEX) and operational expenditures (OPEX) related to usage-based billing. In the future, it is much more likely that providers will increase their focus on accounting. This is because competition is rapidly increasing, and providers need ways to differentiate their service offerings. Providing multiple offerings under a "one price fits all" model does not enable this to be accomplished. To answer the question "What benefits do I get from accounting?", we have to expand our perspective. We should not limit the focus to service providers. We should consider the historically close linkage between accounting and billing. The outsourcing trend at the enterprises often results in independent IT groups, which are moving from a cost center to a profit center, offering services to internal customers. Other departments are using these services and either get a flat bill or are charged based on the usage of the service. The flat model is not different from the described service provider model and can be addressed in a similar manner. 
The usage-based model requires the collection of usage data, which means that suddenly accounting becomes relevant for enterprises, even though a full-blown billing application is not required. Instead, these enterprises only want to assign costs per department—for instance, having the ability to charge back the cost of Internet connectivity to the different departments that used the service. Challenged to reduce operational expenditures, IT departments are investigating accounting solutions from both a performance and billing perspective. Questions such as "How do I efficiently track network and application resource usage?" and "Which applications are active in the network?" and "Who is using the network, what is the traffic's destination, and when is the network utilized?" are becoming increasingly relevant. End users, on the other hand, are unwilling to pay the bill for other users and departments. Instead, they want to be charged for exactly the resources and services they have been using.

  Network planners ask, "How do I plan the allocation and deployment of resources and services most efficiently?" Network operators realized that collected accounting data records are not limited to billing applications. In addition, they can also be used as input for other applications such as performance monitoring, checking that a configuration change fixed a problem, or even security analysis. This is in reality a paradigm change, because suddenly the "A" part of the FCAPS model can be used in conjunction with Fault, Performance, Security, and even Configuration. For example, if the administrator has configured the network so that business-critical data should go via one path and best-effort traffic should take another path, accounting can verify if this policy is applied and otherwise notify the fault and configuration tools. The previous "stealth area" of accounting now becomes a major building block for network and application design and deployment. This is the reason for the increasing interest in accounting technologies. Today, Cisco NetFlow records are becoming an extremely important source for security applications in detecting DoS attacks. Performance applications combine active and passive monitoring techniques to provide information that is more accurate. Traffic engineering applications rely on accurate usage data in real time to calculate the best routes through the network. The described flexibility is probably the biggest advantage of collecting accounting information. If a network architect designs the framework correctly, you can collect accounting data once and use it as input for various applications. illustrates a three-tier accounting architecture. Notice the clear separation between the different functions accomplished at each tier. This also relates to the FCAPS model that was chosen to structure the various network management areas. By identifying the possible usage scenarios, accounting becomes an integral part of the NMS.
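  The "collect once, use for many applications" idea and the departmental charge-back described above can be sketched as follows. This is an added example, not code from the book: the record fields, the department subnets, and the many-sources threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed usage records, as a collection server might hold them after
# export from the network devices (addresses are documentation ranges).
RECORDS = [
    {"src": "10.1.0.5", "dst": "198.51.100.10", "dport": 443, "bytes": 600_000},
    {"src": "10.1.0.9", "dst": "198.51.100.10", "dport": 443, "bytes": 150_000},
    {"src": "10.2.0.7", "dst": "203.0.113.20", "dport": 25, "bytes": 200_000},
    {"src": "10.2.0.8", "dst": "198.51.100.10", "dport": 443, "bytes": 50_000},
]

# Assumed mapping of internal subnets to departments.
DEPARTMENTS = {
    "engineering": ipaddress.ip_network("10.1.0.0/16"),
    "sales": ipaddress.ip_network("10.2.0.0/16"),
}

def department_of(addr):
    """Map a source address to its department, or 'unassigned'."""
    ip = ipaddress.ip_address(addr)
    return next((d for d, net in DEPARTMENTS.items() if ip in net), "unassigned")

def chargeback(records, monthly_cost):
    """Accounting view: split a fixed cost in proportion to bytes sent."""
    usage = Counter()
    for r in records:
        usage[department_of(r["src"])] += r["bytes"]
    total = sum(usage.values())
    if total == 0:  # no traffic recorded: nothing to apportion
        return {}
    return {d: round(monthly_cost * b / total, 2) for d, b in usage.items()}

def top_applications(records, n=3):
    """Performance view: destination ports ranked by byte volume."""
    volume = Counter()
    for r in records:
        volume[r["dport"]] += r["bytes"]
    return volume.most_common(n)

def many_source_destinations(records, min_sources):
    """Security view: destinations reached by at least min_sources sources."""
    sources = defaultdict(set)
    for r in records:
        sources[r["dst"]].add(r["src"])
    return sorted(d for d, s in sources.items() if len(s) >= min_sources)
```

  The same four records feed all three views; the many-sources check is only a simple heuristic for a traffic pattern worth a closer look, not a DoS detector.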