Choosing the Right Equipment
This section describes the equipment choices available to you. It includes the following sections:
When determining what kind of equipment you need at each site—whether that site is a data center, a branch office, or a large building on a corporate campus—answer the following questions:
• What kind of information do I want to know about this location? Do I need response-time information, optimization information, WAN link bandwidth information, and application usage and performance information?
• Do I have an extensive virtualized environment already in place?
• How many users and how much traffic am I expecting at this location, now and several years into the future?
• What kind of physical resources do I have at this location? Are there technicians that can help maintain the hardware?
• What kind of network resources do I have at this location? Can my switch provide Switched Port Analyzer (SPAN) or mirror traffic? Do I have a packet broker that I can use to aggregate and process packets? Can my switches and routers provide flow information?
• Do I have sufficient bandwidth to transfer flow data between this location and the NetProfiler?
• How much visibility do I need at this location?
• Do I need packet-level visibility to view object calls and individual transactions within the application?
The following table shows additional NetProfiler solutions for several reporting attributes you might want to capture.
Environment Types | NetProfiler Solution |
Small-size environments needing a single appliance solution with packet capture. | NetExpress 470 |
Medium-size to large-size environments. | Standard NetProfiler |
Large-size to enterprise-size environments. | Enterprise NetProfiler |
Virtualized environments with limited flow requirements. | NetExpress-v 470 |
Virtualized environment in medium-size to large-size environments with large capacity VMware hosts. | NetProfiler-v |
Calculate basic NetFlow v9 data from packet data. | NetShark or NetShark-v |
The following table shows additional SteelCentral solutions for several reporting attributes you might want to capture.
Tasks | SteelCentral Appliance Solutions |
Accurately calculate response-time information for nonoptimized flows. | NetShark or NetExpress |
Accurately calculate response-time information for optimized flows. | SteelHead with either a NetShark or NetExpress providing packet-level visibility on the server side |
Report on and monitor link bandwidth information: for example, to monitor percent utilization. | Flow Gateway, NetExpress, and one of either Enterprise NetProfiler or Standard NetProfiler |
Obtain detailed packet information: for example, to analyze network traffic in case of a security violation. | Physical or virtual NetShark or NetExpress 470 |
Gain visibility into virtualized environments. | NetShark-v or NetExpress-v 470 |
In choosing the right equipment, you want to make sure that the data you receive is the data you need. The following table describes some of the different flow formats supported by SteelCentral and specifies the features available within these formats.
Flow Format | Flow Data | SteelHead | NetShark |
Source of data for the NetProfiler | x | x | x |
Source and destination IP address, IP protocol, ingress interface, IP type of service, number of bytes and packets, start and end times of flow, and TCP flags | x | x | x |
Connection throughput for nonoptimized connections | | | x |
Monitor traffic from a SPAN or TAP | | | x |
Performance metrics | | x | x |
Throughput of 1 Gbps and 10 Gbps | | | x |
Deep-packet inspection (DPI) | x | x | x |
Layer-7 application fingerprinting | x | x | x |
VoIP metrics | x | x | x |
Web transaction timing (object load times) | | | x |
Full and continuous packet capture, TB storage | | | x |
Remote management module | | x | x |
In most environments different sites have varying numbers of users and volume of network traffic. A site with 10 users transferring large files all day generates many fewer flows than a site with 200 users making extensive use of web-based applications. For calculation purposes, Riverbed recommends that you use 40 to 60 fpm as the estimated average flows per minute per IP endpoint. Exact flows per minute depend on the traffic characteristics in your environment and can vary beyond the estimates.
Use multiplication to estimate the maximum number of flows per minute. For example, 100 users that each generate 50 fpm produce an approximate flow rate of 5,000 fpm. However, if the site has servers that are accessed from remote locations, the overall flow rate is likely to increase, potentially by a large amount. If you have used flow tools in the past, you might already have some flow estimates. You can also look at session counts on SteelHeads, firewalls, or load balancers to assist in obtaining flow estimates.
You must have the appropriate number of technical staff on site. In a small remote office of only a few non-technical people, deploying a virtual version of an appliance might make more sense than installing one or more physical appliances.
Consider other network equipment that is already installed at a site when you decide which SteelCentral product to install. If an office site contains multiple large switches capable of generating NetFlow or SPAN and port mirror traffic, a NetShark or Flow Gateway might make sense. Conversely, if a small office contains only a wireless internet router with no other network infrastructure, you have limited options for deploying visibility solutions; it is possible you might not need a SteelCentral solution in this location.
If you have a site that reports significant quantities of data across a WAN, consider the bandwidth used by SteelCentral for the transfers. Typical WAN bandwidth use is approximately 1.5 percent of monitored traffic. SteelCentral products report flows once per minute. If reporting multiple megabytes of traffic per minute seriously impedes the performance of WAN links, you might need a different solution: for example, restricting the amount of data being monitored.
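The following is an added example, not part of the Riverbed guide, that turns the planning figures above into a per-site estimate: the 40 to 60 fpm per IP endpoint range, the once-per-minute reporting interval, and the roughly 1.5 percent of monitored traffic that flow reporting consumes on the WAN. The site names, endpoint counts, traffic figures and the 10 percent WAN-share threshold are constructed assumptions for illustration.

```python
# Added example, not from the Riverbed guide: per-site flow and WAN-overhead
# estimate built on the planning figures stated in the text (40-60 fpm per IP
# endpoint, flow reporting costs roughly 1.5 percent of monitored traffic,
# flows are reported once per minute). Site names and figures are constructed.
from dataclasses import dataclass
from typing import Optional

FPM_PER_ENDPOINT_LOW = 40       # lower end of Riverbed's planning range
FPM_PER_ENDPOINT_HIGH = 60      # upper end of Riverbed's planning range
REPORTING_OVERHEAD = 0.015      # ~1.5 percent of monitored traffic
REPORT_INTERVAL_SECONDS = 60    # SteelCentral reports flows once per minute


@dataclass
class SiteEstimate:
    name: str
    fpm_low: int                 # endpoints x 40 fpm
    fpm_high: int                # endpoints x 60 fpm
    fpm_planning: int            # figure to license for (see estimate_site)
    report_mbps: float           # WAN bandwidth consumed by flow reporting
    report_mb_per_minute: float  # same figure per reporting interval


def estimate_site(name: str, endpoints: int, monitored_mbps: float,
                  observed_fpm: Optional[int] = None) -> SiteEstimate:
    """Estimate flows per minute and reporting overhead for one site.

    observed_fpm is an optional measured figure (for example derived from
    SteelHead, firewall or load-balancer session counts). It overrides the
    rule of thumb when it is higher, which is typical for sites hosting
    servers that remote locations access.
    """
    fpm_low = endpoints * FPM_PER_ENDPOINT_LOW
    fpm_high = endpoints * FPM_PER_ENDPOINT_HIGH
    fpm_planning = max(fpm_high, observed_fpm or 0)
    report_mbps = monitored_mbps * REPORTING_OVERHEAD
    # Mbps -> megabytes per reporting interval: rate * seconds / 8 bits per byte
    report_mb_per_minute = report_mbps * REPORT_INTERVAL_SECONDS / 8
    return SiteEstimate(name, fpm_low, fpm_high, fpm_planning,
                        report_mbps, report_mb_per_minute)


def over_wan_budget(site: SiteEstimate, wan_mbps: float,
                    max_share: float = 0.10) -> bool:
    """True when flow reporting alone would take more than max_share of the
    site's WAN link (10 percent is a constructed threshold, not a Riverbed
    figure); such a site is a candidate for restricting what is monitored."""
    return site.report_mbps > wan_mbps * max_share


if __name__ == "__main__":
    branch = estimate_site("branch", endpoints=100, monitored_mbps=200.0)
    dc = estimate_site("datacenter", endpoints=100, monitored_mbps=2000.0,
                       observed_fpm=9000)
    for s in (branch, dc):
        print(f"{s.name}: plan for {s.fpm_planning} fpm "
              f"({s.fpm_low}-{s.fpm_high} by rule of thumb), "
              f"reporting ~{s.report_mbps:.2f} Mbps = "
              f"{s.report_mb_per_minute:.1f} MB/min")
    print("branch over a 20 Mbps WAN budget:", over_wan_budget(branch, 20.0))
```

The measured figure wins over the rule of thumb only when it is higher, which matches the text's point that server-hosting sites tend to exceed the per-endpoint estimate; a low measurement is not trusted to reduce the license you plan for.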
Choosing a NetProfiler Model
The NetProfiler is licensed on a flow-per-minute basis, with flows counted after deduplication. Choose a NetProfiler model with enough licensed capacity: an appliance that receives more flows than it is licensed for produces inaccurate results. Consider the following factors when you are deciding which type and model of NetProfiler to install:
• The size of the current network you want to monitor
• The planned expansion of coverage expected during the lifetime of the product
NetExpress
There are two models of the NetExpress: NetExpress 470 and NetExpress-v 470. The functionality of the appliance and virtual editions is the same. Each version shares the same licensed capacities and maximum packet storage capabilities.
After deduplication, NetExpress 470 has flow rates ranging from 15,000 to 120,000 fpm. The NetExpress is best suited for smaller organizations or a small subsection of a larger network. Because the NetExpress can forward the flows it receives and processes directly to a different model of NetProfiler, this deployment can make sense for sites in which there is a need for local visibility and broader enterprise-wide visibility.
The NetExpress includes functionality similar to that of the NetProfiler, NetShark, and Flow Gateway. You can install a more compact deployment by combining the functionality into a single physical or virtual appliance.
The following table shows the NetExpress model options. Most features are available in the base unit. The NetExpress is 1U high, and you can upgrade in the field to the next-higher flow-rate version. If you want to analyze traffic within a software-defined network, you can add a software-defined network license.
Base Unit and Flow License | Deduplicate Flow Rate | Included Ports | Optional Expansion Ports |
NetExpress 470 F1 | Up to 15,000 fpm | Primary 10/100/1000 for management; up to 4 Tb of packet storage; up to 3 Tb of flow storage | 4 x 1 Gbps Copper; 4 x 1 Gbps Fiber (SFP); 2 x 10 Gbps Fiber (SFP) |
NetExpress 470 F2 | Up to 30,000 fpm | Same as F1 | Same as F1 |
NetExpress 470 F3 | Up to 60,000 fpm | Same as F1 | Same as F1 |
NetExpress 470 F4 | Up to 90,000 fpm | Same as F1 | Same as F1 |
NetExpress 470 F5 | Up to 120,000 fpm | Same as F1 | Same as F1 |
NetExpress-v 470 F1 | Up to 15,000 fpm | — | — |
NetExpress-v 470 F2 | Up to 30,000 fpm | — | — |
NetExpress-v 470 F3 | Up to 60,000 fpm | — | — |
NetExpress-v 470 F4 | Up to 90,000 fpm | — | — |
NetExpress-v 470 F5 | Up to 120,000 fpm | — | — |
The Standard NetProfiler
The Standard NetProfiler is available as both a physical and virtual appliance. The primary differences between the two are the deduplicated fpm limits and the flow record storage available: the physical appliance limit is 10 Tb, and the virtual appliance limit is 50 Tb. The NetProfiler-v provides a broader range of flow limits.
The Standard NetProfiler has flow limits ranging from 200,000 to 1,000,000 fpm, and the NetProfiler-v has flow limits ranging from 15,000 to 2,000,000 fpm. Assuming an average of 50 fpm per host, the physical models are suited to medium-size organizations with between 4,000 and 20,000 hosts, and the virtual models to between 3,000 and 40,000 hosts.
The Standard NetProfiler and the NetProfiler-v cannot forward flows to other NetProfilers, nor can the Standard NetProfiler and the NetProfiler-v receive flows directly from flow sources (with the exception of NetShark). Because the Flow Gateways and NetSharks can forward flows to five distinct NetProfilers, you can use the Standard NetProfiler to monitor a small subset of a larger network. You can send the flows from the NetSharks and Flow Gateways to the local Standard NetProfiler monitoring a network subset and up to four additional NetProfiler or NetExpress systems.
The following table shows the Standard NetProfiler model options. Most features are available in the base unit. Each physical appliance is 2U high, and you can upgrade in the field to the next-higher flow-rate version through a software license. If you want to analyze traffic within a software-defined network, you can add a software-defined network license.
Base Unit and Flow License | Deduplicate Flow Rate | Included Ports | Optional Expansion Ports |
NetProfiler-F1 | Up to 200,000 fpm | Primary 10/100/1000 for management | Storage area network (SAN) card (two fiber host bus adapter [HBA] ports) |
NetProfiler-F2 | Up to 400,000 fpm | Same as F1 | Same as F1 |
NetProfiler-F3 | Up to 600,000 fpm | Same as F1 | Same as F1 |
NetProfiler-F4 | Up to 800,000 fpm | Same as F1 | Same as F1 |
NetProfiler-F5 | Up to 1,000,000 fpm | Same as F1 | Same as F1 |
NetProfiler-v-F1 | Up to 15,000 fpm | — | — |
NetProfiler-v-F2 | Up to 30,000 fpm | — | — |
NetProfiler-v-F3 | Up to 60,000 fpm | — | — |
NetProfiler-v-F4 | Up to 90,000 fpm | — | — |
NetProfiler-v-F5 | Up to 200,000 fpm | — | — |
NetProfiler-v-F6 | Up to 400,000 fpm | — | — |
NetProfiler-v-F7 | Up to 600,000 fpm | — | — |
NetProfiler-v-F8 | Up to 800,000 fpm | — | — |
NetProfiler-v-F9 | Up to 1,000,000 fpm | — | — |
NetProfiler-v-F10 | Up to 2,000,000 fpm | — | — |
Enterprise NetProfiler
The Enterprise NetProfiler has a minimum flow limit of 1,000,000 fpm; you can increase the flow limit with Expansion modules, each adding 1,000,000 fpm, up to a maximum of 10,000,000 fpm. In terms of hosts, an Enterprise NetProfiler supports at least 20,000 hosts, assuming an average of 50 fpm per host, and each Expansion module adds support for another 20,000 hosts under the same assumption.
The following table shows the Enterprise NetProfiler model options. Most features are available in the base unit. The base Enterprise NetProfiler is composed of two 1U units and one 2U unit. Each Expansion module is an additional 2U unit. If you want to analyze traffic within a software-defined network, you can add a software-defined network license.
Base Unit and Flow License | Deduplicate Flow Rate | Included Ports | Optional Expansion Ports |
Enterprise NetProfiler-UI (required) | Part of base system | Primary 10/100/1000 for management Out-of-band management | — |
Enterprise NetProfiler-DB (required) | Part of base system | Primary 10/100/1000 for management Out-of-band management | — |
Enterprise NetProfiler-AN (required) | Base system, up to 1,000 K fpm | Primary 10/100/1000 for management Out-of-band management | SAN card (two fiber HBA ports) |
Enterprise NetProfiler-EX (optional; add 0-9) | Expansion unit, each one adding 1,000 K fpm | Primary 10/100/1000 for management Out-of-band management | SAN card (two fiber HBA ports) |
Enterprise NetProfiler-DP (required only when you have five or more Expansion modules) | N/A: used to balance flows on larger systems | A Primary 10/100/1000 interface for management and a secondary 10/100/1000 interface that can be bonded to the primary for high performance environments. Out-of-band management | — |
Note: If you are using a storage area network (SAN) with an Enterprise NetProfiler cluster, you must have the SAN option for each Analyzer (AN) and Expansion (EX) module. You cannot mix SAN and non-SAN storage in a single Enterprise NetProfiler cluster.
To plan for future expansion, you must know the current estimated number of flows per minute and the expected flows per minute in the timeframe being planned for. For example, if the network currently has 6,000 hosts and is expected to grow to 14,000 hosts in the next two years, a Standard NetProfiler is sufficient to handle the growth. A software license and hardware upgrade enable a Standard NetProfiler licensed for 400,000 fpm to be upgraded to 800,000 fpm.
Another example is a network currently providing service to 14,000 hosts and expected to grow to 25,000 in the next year. In this situation, an Enterprise NetProfiler is a better choice. The Standard NetProfiler is sufficient in a 14,000-host network, but it is unlikely to provide adequate performance and capacity to manage the network when it grows to 25,000 hosts.
Apply the same considerations to virtual deployments as to physical appliances. While the NetProfiler-v might have higher overall flow capacities, it still has upper limits. When you deploy virtual solutions, make sure you exceed neither the maximum licensed capacity nor the hardware resources available on the virtual platform.
To provide visibility into a subset of the network and a full overview of the entire network, you can install a smaller capacity NetProfiler (such as NetProfiler-v or a NetExpress, or a Standard NetProfiler sufficient for local traffic flow) in combination with a larger capacity NetProfiler (such as a Standard or Enterprise NetProfiler sufficient for overall traffic flow). This combination ensures that the system meets both the immediate and planned growth needs.
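The following is an added example, not Riverbed code, that applies the planning rule above (50 fpm per host, sized on the planned rather than the current host count) to choose a platform family and the license tier to buy today and to upgrade to later. The flow-rate tiers are copied from the NetExpress, Standard and Enterprise NetProfiler tables in this section; the host counts used are the two worked examples from the text, and the function names and the returned structure are this example's own.

```python
# Added example (not Riverbed code): choose a NetProfiler platform and license
# tier that covers both the current and the planned host count, following the
# text's planning rule of 50 fpm per host. Flow-rate tiers are copied from the
# NetExpress, Standard and Enterprise NetProfiler tables; the rest is my own.
import math
from typing import Dict, List, Optional, Tuple

FPM_PER_HOST = 50   # planning assumption stated in the text

NETEXPRESS_470: List[Tuple[str, int]] = [
    ("NetExpress 470 F1", 15_000), ("NetExpress 470 F2", 30_000),
    ("NetExpress 470 F3", 60_000), ("NetExpress 470 F4", 90_000),
    ("NetExpress 470 F5", 120_000),
]
STANDARD_NETPROFILER: List[Tuple[str, int]] = [
    ("NetProfiler-F1", 200_000), ("NetProfiler-F2", 400_000),
    ("NetProfiler-F3", 600_000), ("NetProfiler-F4", 800_000),
    ("NetProfiler-F5", 1_000_000),
]
ENTERPRISE_BASE_FPM = 1_000_000     # Enterprise NetProfiler-AN base capacity
ENTERPRISE_MODULE_FPM = 1_000_000   # each Enterprise NetProfiler-EX module
ENTERPRISE_MAX_FPM = 10_000_000     # at most nine expansion modules


def required_fpm(hosts: int) -> int:
    return hosts * FPM_PER_HOST


def choose_family(fpm: int) -> Optional[str]:
    """Smallest platform family whose top license covers the flow rate."""
    if fpm <= NETEXPRESS_470[-1][1]:
        return "NetExpress 470"
    if fpm <= STANDARD_NETPROFILER[-1][1]:
        return "Standard NetProfiler"
    if fpm <= ENTERPRISE_MAX_FPM:
        return "Enterprise NetProfiler"
    return None   # beyond what a single Enterprise cluster is licensed for


def size_in_family(family: str, fpm: int) -> Dict[str, object]:
    """License tier (or expansion-module count) needed within one family."""
    if family == "Enterprise NetProfiler":
        extra = max(0, fpm - ENTERPRISE_BASE_FPM)
        modules = math.ceil(extra / ENTERPRISE_MODULE_FPM)
        return {"platform": family, "expansion_modules": modules,
                "licensed_fpm": ENTERPRISE_BASE_FPM + modules * ENTERPRISE_MODULE_FPM}
    tiers = NETEXPRESS_470 if family == "NetExpress 470" else STANDARD_NETPROFILER
    for name, limit in tiers:
        if fpm <= limit:
            return {"platform": name, "expansion_modules": 0, "licensed_fpm": limit}
    raise ValueError(f"{fpm} fpm does not fit in {family}")


def recommend(hosts_now: int, hosts_planned: int) -> Optional[Dict[str, object]]:
    """Pick the family on the planned load, then the tier to license today and
    the tier to upgrade to, so the growth path stays within one family (a
    field upgrade is a license change; a family change is new hardware)."""
    now_fpm, planned_fpm = required_fpm(hosts_now), required_fpm(hosts_planned)
    family = choose_family(max(now_fpm, planned_fpm))
    if family is None:
        return None
    return {"family": family,
            "now": size_in_family(family, now_fpm),
            "planned": size_in_family(family, planned_fpm)}


if __name__ == "__main__":
    # The two worked examples from the text: 6,000 -> 14,000 and 14,000 -> 25,000 hosts.
    for now, planned in ((6000, 14000), (14000, 25000)):
        print(now, "->", planned, "hosts:", recommend(now, planned))
```

Sizing the family on the planned load is what makes the second case land on an Enterprise NetProfiler even though today's 14,000 hosts would fit a Standard NetProfiler, which is the conclusion the text draws.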
While all the NetProfiler and NetExpress devices, including the standard, enterprise cluster, and virtual appliances, can be supplied with dual network interfaces, those interfaces are not designed for high availability (HA) or other forms of redundancy. You might be able to add a second IP address to the interface; however, this is not a supported function, and there is no guarantee that the address will survive a system reboot or upgrade. Changes from version to version can alter the functionality of the secondary interface. The only exception is the Dispatcher module on the Enterprise cluster, where the two interfaces may be bonded to provide improved performance on large-capacity systems.
Choosing a Flow Gateway Model
The Flow Gateway is available as both a physical and virtual model. The primary difference between the two options is ease of deployment. A single physical Flow Gateway is sufficient to manage a large number of devices. Both Flow Gateway and Flow Gateway-v provide up to 2,000,000 deduplicated flows per minute.
The upgrade from the smallest to the largest Flow Gateway within a class family (virtual or physical) requires only a license change.
The following table shows the available Flow Gateway models.
Flow Gateway Model | Deduplicate Flow Rate |
Flow Gateway-F1 | Up to 200,000 fpm |
Flow Gateway-F2 | Up to 400,000 fpm |
Flow Gateway-F3 | Up to 600,000 fpm |
Flow Gateway-F4 | Up to 800,000 fpm |
Flow Gateway-F5 | Up to 1,000,000 fpm |
Flow Gateway-F6 | Up to 2,000,000 fpm |
Flow Gateway-v-F1 | Up to 15,000 fpm |
Flow Gateway-v-F2 | Up to 30,000 fpm |
Flow Gateway-v-F3 | Up to 60,000 fpm |
Flow Gateway-v-F4 | Up to 90,000 fpm |
Flow Gateway-v-F5 | Up to 200,000 fpm |
Flow Gateway-v-F6 | Up to 400,000 fpm |
Flow Gateway-v-F7 | Up to 600,000 fpm |
Flow Gateway-v-F8 | Up to 800,000 fpm |
Flow Gateway-v-F9 | Up to 1,000,000 fpm |
Flow Gateway-v-F10 | Up to 2,000,000 fpm |
Consider the following requirements when you deploy the Flow Gateway:
• The flows sent to the Flow Gateway are within the licensed limits.
• The geographic coverage is appropriate.
• The flow capacity of the NetProfiler is not exceeded by the total deduplicated capacity of the devices sending data.
• There are sufficient VMware resources available, if you choose to deploy Flow Gateway-v.
• The amount of deduplication in flows being sent from different sources.
For a medium-size organization with multiple disparate geographic locations, a single 2,000,000 fpm Flow Gateway might be able to manage the overall load; however, this configuration might not make sense if a significant amount of your corporate WAN bandwidth is consumed by the transmission of flow data: for example, from remote sites to a centrally located Flow Gateway. Because flow data is usually transmitted over UDP, which provides no delivery guarantee, the likelihood of packet loss increases the further a flow record travels. In this sort of environment, Riverbed recommends that you deploy multiple smaller Flow Gateways or Flow Gateway-v appliances at major locations.
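The following is an added example, not Riverbed code, that sizes one Flow Gateway per major location and checks the aggregate against the receiving NetProfiler's license, which are the first and third requirements in the list above. The license tiers are copied from the Flow Gateway table in this section; the site names and per-site flow rates are constructed inputs, and the function names are this example's own.

```python
# Added example (not Riverbed code): size one Flow Gateway per major location
# and check the aggregate against the receiving NetProfiler's licensed fpm.
# License tiers are copied from the Flow Gateway table; sites are constructed.
from typing import Dict, List, Optional, Tuple

FLOW_GATEWAY: List[Tuple[str, int]] = [
    ("Flow Gateway-F1", 200_000), ("Flow Gateway-F2", 400_000),
    ("Flow Gateway-F3", 600_000), ("Flow Gateway-F4", 800_000),
    ("Flow Gateway-F5", 1_000_000), ("Flow Gateway-F6", 2_000_000),
]
FLOW_GATEWAY_V: List[Tuple[str, int]] = [
    ("Flow Gateway-v-F1", 15_000), ("Flow Gateway-v-F2", 30_000),
    ("Flow Gateway-v-F3", 60_000), ("Flow Gateway-v-F4", 90_000),
    ("Flow Gateway-v-F5", 200_000), ("Flow Gateway-v-F6", 400_000),
    ("Flow Gateway-v-F7", 600_000), ("Flow Gateway-v-F8", 800_000),
    ("Flow Gateway-v-F9", 1_000_000), ("Flow Gateway-v-F10", 2_000_000),
]


def smallest_gateway(fpm: int, virtual: bool) -> Optional[Tuple[str, int]]:
    """Smallest license in the chosen family (physical or virtual) that
    covers the site's expected flow rate; None if nothing does."""
    for name, limit in (FLOW_GATEWAY_V if virtual else FLOW_GATEWAY):
        if fpm <= limit:
            return name, limit
    return None


def plan_gateways(sites: List[Tuple[str, int, bool]],
                  netprofiler_fpm: int) -> Dict[str, object]:
    """sites: (name, expected deduplicated fpm at that site, deploy virtual?).

    The sum of per-site rates is an upper bound on what the NetProfiler
    receives: flows seen by more than one gateway are deduplicated again at
    the NetProfiler, so the real total can only be lower. Planning on the
    upper bound keeps the NetProfiler inside its license."""
    gateways = []
    estimated_total = licensed_total = 0
    for name, fpm, virtual in sites:
        tier = smallest_gateway(fpm, virtual)
        if tier is None:
            raise ValueError(f"{name}: {fpm} fpm exceeds the largest Flow Gateway license")
        gateways.append({"site": name, "model": tier[0], "licensed_fpm": tier[1]})
        estimated_total += fpm
        licensed_total += tier[1]
    return {
        "gateways": gateways,
        "estimated_total_fpm": estimated_total,
        "licensed_total_fpm": licensed_total,
        "within_netprofiler": estimated_total <= netprofiler_fpm,
        "headroom_fpm": netprofiler_fpm - estimated_total,
    }


if __name__ == "__main__":
    # Constructed sites: a head office on a physical gateway, two branches on virtual ones.
    plan = plan_gateways(
        [("hq", 450_000, False), ("branch-a", 25_000, True), ("branch-b", 70_000, True)],
        netprofiler_fpm=1_000_000,
    )
    for g in plan["gateways"]:
        print(f"{g['site']}: {g['model']} ({g['licensed_fpm']} fpm)")
    print("estimated total:", plan["estimated_total_fpm"],
          "within NetProfiler license:", plan["within_netprofiler"])
```

`licensed_total_fpm` is reported alongside the estimate because it is the stricter check: if even the sum of the gateways' licensed ceilings fits the NetProfiler, no single site growing into its license can push the NetProfiler over its limit.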
All the Flow Gateways (both physical and virtual) are supplied with dual network interfaces that are not designed for high availability (HA) or other forms of redundancy. You can assign an address to the secondary (AUX) interface. You can only use the AUX interface for receiving flows from flow sources. You cannot manage the device through this interface.
Choosing a NetShark Model
The NetShark is available as both a physical and virtual model. The primary difference between the two is packet storage capacity and packet processing speed (including write to disk speed). You must choose the appropriate NetShark platform to ensure that you can store the desired quantity of packets and that they are available for analysis. Capture cards are separately ordered items and you must make sure the cards ordered meet the needs of your network.
Deploy the NetShark with one or more capture cards. With the NetShark 6170 series you can have one or more 48 TB or 72 TB storage modules. If you have multiple modules, they must be identical capacities.
Note: In NetShark 10.9 and later, support for more than 72 TB of packet storage is achieved by daisy-chaining multiple storage units to a single NetShark 6170.
If you store every packet traversing a heavily loaded 10-Gbps network, the 72 TB of space on a NetShark 6170 with a 72-TB storage unit allows approximately 23 hours of storage (assuming a throughput of 7 Gbps). The 576 TB of space allows approximately 184 hours of storage (assuming a throughput of 7 Gbps).
If you store every packet traversing a heavily loaded 1-Gbps network, the 32 TB of space on a NetShark 4170 allows approximately 163 hours of storage (assuming a throughput of 1 Gbps).
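The following is an added example, not from the Riverbed guide, showing the arithmetic behind the retention figures above (storage divided by sustained capture rate) and turning a retention target into a NetShark 6170 storage-module count. The module sizes (48 TB or 72 TB, identical modules, 576 TB maximum) come from the text; the retention targets and the function names are this example's own, and it reproduces the 6170 figures quoted above.

```python
# Added example (not from the guide): packet-retention arithmetic behind the
# figures in the text, plus a helper that turns a retention target into a
# NetShark 6170 storage-module count. Module sizes come from the text; the
# retention targets are constructed.
import math
from typing import Optional

BITS_PER_TB = 1e12 * 8       # decimal terabytes, as the page uses them
SECONDS_PER_HOUR = 3600
MODULE_SIZES_TB = (48, 72)   # NetShark 6170 storage modules
MAX_6170_TB = 576            # largest daisy-chained configuration on the page


def retention_hours(storage_tb: float, throughput_gbps: float) -> float:
    """Hours of full packet capture that storage_tb holds at a sustained rate."""
    return storage_tb * BITS_PER_TB / (throughput_gbps * 1e9) / SECONDS_PER_HOUR


def storage_tb_needed(hours: float, throughput_gbps: float) -> float:
    """Inverse of retention_hours: storage required to keep `hours` of packets."""
    return hours * SECONDS_PER_HOUR * throughput_gbps * 1e9 / BITS_PER_TB


def netshark_6170_modules(hours: float, throughput_gbps: float,
                          module_tb: int = 72,
                          max_tb: int = MAX_6170_TB) -> Optional[int]:
    """Number of identical storage modules that meets the retention target;
    None if the target exceeds what one NetShark 6170 can hold."""
    if module_tb not in MODULE_SIZES_TB:
        raise ValueError("NetShark 6170 modules are 48 TB or 72 TB")
    needed_tb = storage_tb_needed(hours, throughput_gbps)
    modules = max(1, math.ceil(needed_tb / module_tb))
    if modules * module_tb > max_tb:
        return None
    return modules


if __name__ == "__main__":
    print(f"72 TB at 7 Gbps:  {retention_hours(72, 7):.0f} h of packets")
    print(f"576 TB at 7 Gbps: {retention_hours(576, 7):.0f} h of packets")
    print(f"48 h at 7 Gbps on a 6170: {netshark_6170_modules(48, 7)} x 72 TB modules")
    print(f"200 h at 7 Gbps on a 6170: {netshark_6170_modules(200, 7)}")
```

Sizing on the sustained rate you actually expect (7 Gbps on a 10-Gbps link in the text's case) rather than the link speed is what keeps the estimate realistic; a peak-rate figure would understate retention.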
The following table shows the NetShark models.
NetShark Base | Form Factor | Storage | Maximum Capture Cards | FPM Exported |
NetShark 2170 | 1U | 8 TB | 1 (4 x 1 Gbps Cu, 4 x 1 Gbps Fiber, 2 x 10 Gbps Fiber) | 400,000 |
NetShark 4170 | 2U | 32 TB | 2 (4 x 1 Gbps Cu, 4 x 1 Gbps Fiber, 2 x 10 Gbps Fiber, 4 x 10 Gbps Fiber) | 800,000 |
NetShark 6170 | 2U | 48 to 576 TB | 2 (4 x 1 Gbps Cu, 4 x 1 Gbps Fiber, 2 x 10 Gbps Fiber, 4 x 10 Gbps Fiber) | 1,200,000 |
Note: Only the licensed maximum flow rate is guaranteed.
The following table shows the NetShark-v models.
Model | Storage | Capture Interfaces | Export to the NetProfiler |
VSK-00050 | 50 GB | 4 | 50,000 fpm |
VSK-00200 | 1 TB | 4 | 50,000 fpm |
VSK-00400 | 2 TB | 4 | 50,000 fpm |
Note: Only the licensed maximum flow rate is guaranteed.
For more information about installing and configuring NetShark-v, see the appropriate documentation on the Riverbed Support site.
Choosing a NetShark Module on AppResponse
If you have deployed an AppResponse in your network, you can deploy a NetShark-based module directly on that appliance. This module provides most of the NetShark appliance analysis functionality to packets that are detected by the AppResponse. The NetShark module on AppResponse can build and forward traffic flows to a NetProfiler or NetExpress with no additional licensing requirements. For more advanced analysis and access to packet data (for example, using Packet Analyzer), you must purchase a NetShark license separately from any existing AppResponse licenses. With a full NetShark license you can access the entire packet store on the AppResponse through Packet Analyzer and perform most Packet Analyzer functions against those packets. Currently, access using the REST API is not supported on the NetShark module running on AppResponse.
The NetShark module running on AppResponse through version 9.0.3 is based on NetShark 10.0.6 code and is missing any of the newer functionality available with more recent versions of NetShark.
Choosing NetShark-v on SteelHead EX
In RiOS 8.5 or later, you can deploy NetShark-v directly on the SteelHead EX platform on VSP. The NetShark-v has most of the functionality of a physical NetShark except that it does not perform Layer-7 DPI. The NetShark performs Layer-7 DPI using the same engine as the SteelHead EX and therefore performing Layer-7 DPI analysis with the NetShark-v on the SteelHead EX is redundant. To make sure you are receiving Layer-7 DPI information, export SteelFlow Net from the SteelHead EX in addition to deploying the NetShark.
Riverbed recommends that you deploy the NetShark-v on the SteelHead EX in branch environments in which you want additional visibility but deploying additional hardware is challenging. For NetShark-v on the SteelHead EX to receive packets, you must configure the packets to flow through either the primary or auxiliary interface on the SteelHead EX.
Choosing Packet Analyzer
When you deploy Packet Analyzer, you must consider only how many users must perform deep-packet analysis. Packet Analyzer is Windows client software and can be licensed as follows:
• Per installed machine - Requires a license for each system on which you install Packet Analyzer. That license is permanently associated with that system and can only be used by the Packet Analyzer installed on that system. You must purchase a different license for each system on which Packet Analyzer is installed.
• Concurrent licensing - Provides a pool of licenses from which a Packet Analyzer instance can draw a license. For concurrent licensing to work properly you must have a license server—a NetProfiler of any flavor (NetExpress/Standard/Enterprise Cluster, physical appliance or virtual) or NetShark of any flavor (physical appliance or virtual)—and network access between the Packet Analyzer installation and the license server. A license is checked out and is associated with a particular Packet Analyzer installation for 24 hours or until it is released by the client software. You cannot release a license from the server.
Packet Analyzer can analyze traffic from either a virtual or physical NetShark, an Embedded SteelCentral NetShark probe, the NetShark module on AppResponse, or any standard packet capture files. You do not need Packet Analyzer for NetProfiler-level analysis and troubleshooting.