How high is your flow-data rate ?

Hello Tak,

1) Successfull with the last two major release versions of NTA.

2) Haven't scoped the flow rate so I can't give you an precise or estimate, but the number of NetFlow and sFlow sources total 167, many of which are 10Gig backbone.

3) Keeping it standard.

4) Two standalone servers both with RAID10 storage for OS and APP. 16 logical cores, 64GB RAM.

5) Properly configured SQL 2008R2 Std. Removed graphs from the NTA dashboard resources.

Regards,

Deltona

Hello Deltona,

Thank you for providing your experience.

Anyone else ?

It is not my organization's case but I would like to see

if anyone tried to let NTA receive 10,000 flows/sec or 20,000 flows/sec

with the Top Talker Optimization was set at 100 %.

Regards,

Tak

I have found NTA to be almost unusable with Top Talker Optimization at 100%, and we peak at around 3,000 flows/sec.

What type of hardware though? If you spec for the environment this isn't an issue.

NTA and its performance relates to what type of hardware power and resources that you have available for it..  Higher end setups and configurations like Deltona posted can certainly handle 100% Optimization and only seeing 3,000flows/sec.  As he mentioned he is collection flows from 167 devices, and I can say without a doubt he is surpassing 3,000 flows/sec.  A 6509E with a SUP 720 can handle 250,000 flow/sec

My setup is very similar to the one Deltona posted and query performance is miserable at 100% retention. No problems with write performance, problems on the poller, etc., but query performance is the thing that users care about. If I drop it to 97% it's acceptable.

Not sure what you're getting at with respect to the Cat 6K. The Sup 720s have either a 128k or 256k entry NetFlow TCAM size depending on the model, but the flows/sec will be a lot lower; it depends on your flow-cache expiration timers.

Hello Richard,

Thank you for the information.

Have you ever run NTA in your site ?

Can you share your experience (server config, flow sources, data rates) with us if possible.

Regards,

Tak

Hello jswan,

Thank you for the input. Can you please let me confirm the following things:

1) Without doing the queries to NTA database (only storing and performing retentions for flow-data)

your NTA server may be possible to handle more than 3,000 flows/sec (you haven't tried it, though...)

I think, to achieve "without doing the queries", Deltona did remove graphs from NTA dashboard resource.

2) Could you describe how miserable your NTA query performance at Top Talker Optimization = 100% ?

Tyoshida:

1) As far as I can tell we aren't anywhere close to having resource problems with writing to the NTA DB at 3,000 flows/sec.

2) At 100% a query with Flow Navigator takes minutes to complete and sometimes fails to complete at all. Some reports never complete. I don't see why you would want to run at 100%, since NTA really isn't designed as a forensic flow analytics tool at this point; Solarwinds is very clear about 95% being the recommended value. Even if you could get it to work at 100%, most of the NTA queries in the GUI will return a maximum of the top 100 flows, so there's no way to find extremely small flows unless a) you know what you're looking for in advance, and b) there are fewer than 100 flows that match your search terms.

Tak,

Yes, we currently are finishing a POC with Riverbed Cascade at our site, and Boeing who we are owned by runs Lancope.  Both in my opinion blow NTA out of the water for the amount of flows we receive (I have run NTA in a much smaller environment with less emphasis on security and it was a Great product) , and allow you to get really deep for good forensic analysis and I don't have a single query issue running either of these, but they aren't built on a SQL back end either which in my opinion again is a weaker DB for the amount of Data being pushed to the analyzer and the type of queries you can run (this again is my opinion).

I don't have the flow/sec data in front of me for our information, but I can promise you it's very high.

I can post some information on our stuff once we finish out the POC and fully implement it in production.  I can't post any of the information from Boeing though for security reasons. I'm sure you can understand why since they have a foot in the Government/Defense sectors.

jswan,

Thank you for sharing your experiences and thoughts.

Tak