Best Practices for Deploying SolarWinds Real-Time Bandwidth Monitor

Best Practices for Deploying SolarWinds Real-Time Bandwidth MonitorDeploying SolarWinds Real-Time Bandwidth Monitor (RTBM) effectively requires planning, correct configuration, and ongoing maintenance. The goal is to get accurate, actionable bandwidth data with minimal performance overhead and clear alerts that reduce mean time to resolution (MTTR). This article walks through practical best practices from preparation and deployment through tuning, visualizations, and ongoing operations.

---

1. Understand what RTBM does and its limitations

SolarWinds RTBM is a lightweight tool designed to provide real-time bandwidth usage on network interfaces. It polls SNMP-enabled devices to read interface counters and presents live throughput, often in 1-second or similar short intervals. It is excellent for quick troubleshooting and spotting traffic spikes but has limitations:

• Not a full packet-capture tool — it reports flow/throughput metrics, not packet-level details.
• Dependent on SNMP counters — accuracy can be impacted by devices with unreliable counters or 32-bit counter wrap on high-speed links.
• Best used alongside NetFlow/sFlow/IPFIX for historical trends and per-flow analysis.

Keep these constraints in mind when designing monitoring coverage.

---

2. Plan coverage and scope

• Inventory devices and interfaces you care about: core routers, distribution switches, WAN links, and critical application servers. Focus on choke points and internet/DMZ uplinks first.
• Prioritize interfaces with business impact: VPN concentrators, SD-WAN links, ISP circuits, virtual appliance uplinks.
• Define goals: quick troubleshooting, SLA verification, capacity planning inputs, alerting thresholds. Clear goals help set polling intervals, retention, and alert strategy.

Example scope tiers:

• Tier 1 (always monitored): Internet uplinks, core router interfaces, VPN gateways.
• Tier 2 (selected): Distribution switches, DMZ links.
• Tier 3 (on-demand): Access switches, lab equipment.

---

3. Prepare devices and SNMP

• Ensure SNMP is enabled and configured consistently on devices. Prefer SNMPv3 for authentication and encryption; if SNMPv3 is not possible, use SNMPv2c with secure community strings and network access controls.
• Confirm devices report 64-bit interface counters (if supported) to avoid wrap issues on high-speed links. Many modern devices use 64-bit ififs.
• Verify polling credentials and test access from the SolarWinds polling node(s) before deploying at scale.
• Use read-only community/credential and restrict SNMP access via ACLs to only the SolarWinds collector(s).

---

4. Right-size polling frequency

• RTBM is designed for near-real-time views; common polling values are 1–5 seconds for troubleshooting interfaces and 30–60 seconds for general monitoring to reduce load.
• Keep in mind trade-offs:
  • Faster polling gives better spike visibility but increases CPU/network load on the collector and target device.
  • Slower polling reduces load but can miss short traffic bursts.

A practical approach:

• Critical uplinks: 1–5s during incidents or scheduled brief windows; otherwise 15–30s.
• General infrastructure: 30–60s.
• Avoid global 1s polling for many devices — concentrate high-frequency polling on a small set of critical interfaces.

---

5. Deploy collectors and scale correctly

• Use the SolarWinds platform’s distributed polling architecture if monitoring many devices or geographically dispersed sites. Deploy remote pollers (additional Orion Polling Engines) near device clusters to lower latency and reduce cross-site traffic.
• Monitor resource utilization on pollers (CPU, memory, network). High-frequency polling can require significant resources.
• Test at scale in a lab or staging environment to measure collector performance and SNMP response behavior before rolling out globally.

---

6. Configure dashboards and visualizations for quick action

• Create focused dashboards that surface top talkers, top interfaces by utilization, and per-interface trend graphs. Visuals that show real-time spikes and recent history are most useful.
• Use widgets that combine numerical current throughput, percentage utilization, and small trend sparkline.
• Include contextual info: interface name, device, location, contract/SLA, and owner contact to speed troubleshooting.

Example dashboard panels:

• Live Top 10 Interfaces by Bandwidth (1-minute average)
• Last 5 Minutes: Interface Utilization Heatmap
• Selected Interface: 1s, 1m, 15m graphs side-by-side

---

7. Set meaningful thresholds and alerts

• Avoid generic alerts. Define thresholds tied to business impact (e.g., 80% utilization sustained for 5 minutes on an ISP link) rather than single-sample peaks.
• Use multi-condition alerts: combine utilization threshold with duration, error rates, or packet drops to reduce false positives.
• Differentiate alert severities: warning at 70–80%, critical at 90–95% (adjust to link and business needs).
• Integrate alert notifications with runbooks and escalation paths; include suggested immediate actions in alerts (e.g., “Check VPN concentrator sessions” or “Run NetFlow on this interface”).

---

8. Correlate RTBM with other data sources

• Use NetFlow/IPFIX, sFlow, or packet capture for per-flow or packet-level analysis when RTBM shows unusual spikes.
• Correlate RTBM spikes with application performance monitoring, firewall logs, or server metrics to find root cause faster.
• Automate context gathering: when RTBM triggers an alert, fetch recent NetFlow top-talkers and relevant syslog entries into the incident ticket.

---

9. Handle high-speed interfaces and counter issues

• For 10GbE and above, ensure devices support 64-bit counters; otherwise, polling intervals and interpretation must account for counter wrap.
• Where SNMP counters are unreliable, consider sampling via sFlow/NetFlow or using vendor-specific APIs (e.g., Cisco IOS XE telemetry, Juniper JTI, RESTCONF/gNMI) for more accurate metrics.
• If packet loss or interface errors accompany high utilization, flag those in alerts since they change remediation steps.

---

10. Security and access control

• Limit SolarWinds access and ensure role-based access control (RBAC) inside the platform so viewers see only the devices relevant to them.
• Encrypt SNMPv3 credentials and secure communications between pollers and the central server.
• Keep the SolarWinds platform patched and follow vendor hardening guidance; monitor audit logs for unusual activity.

---

11. Test runbooks and incident playbooks

• Create short playbooks for common bandwidth incidents: ISP saturation, broadcast storms, misconfigured backup jobs, DDoS suspicion.
• Run tabletop exercises to validate detection, alerting, and response steps. Update playbooks based on findings.
• Include escalation contacts and automated data collection steps (e.g., capture NetFlow top talkers, start packet capture on affected interface).

---

12. Maintain and tune over time

• Review dashboards, alerts, and polling frequency quarterly. Adjust based on observed false positives, changing topology, or new business priorities.
• Archive raw high-frequency data if retention needs are low; store aggregated metrics for long-term capacity planning.
• Track interface baseline trends to spot gradual shifts that indicate capacity upgrades are needed.

---

13. Reporting and capacity planning

• Use RTBM short-term metrics combined with flow/historical data for capacity planning reports.
• Produce monthly reports showing utilization percentiles (e.g., 95th), peak usage times, and recurring heavy flows.
• Translate those reports into procurement or architecture decisions (add bandwidth, re-route flows, apply QoS).

---

14. Common pitfalls and how to avoid them

• Over-polling: Don’t set 1s polling globally. Limit high-frequency polling to a small set of critical interfaces.
• Relying solely on RTBM: Complement with flow and packet data for root-cause.
• Poor SNMP hygiene: Inconsistent SNMP versions or misconfigured community strings lead to gaps; standardize SNMP configuration.
• No validation: Validate counter types (32-bit vs 64-bit), and test alert logic under simulated load.

---

15. Example deployment checklist

• Inventory devices and map critical interfaces.
• Validate SNMPv3 (or v2c) access and 64-bit counter support.
• Define polling intervals per tier.
• Deploy remote pollers where needed.
• Build focused dashboards and alert rules.
• Create incident playbooks and automation for contextual data collection.
• Test at scale, then go live with phased rollout.
• Review and tune after ⁄₉₀ days.

---

Conclusion

Applying these best practices will help you get reliable, actionable real-time bandwidth data from SolarWinds RTBM, reduce false alerts, and accelerate troubleshooting. Use RTBM as part of a broader monitoring strategy that includes flows and packet tools for full visibility, and continually tune polling, dashboards, and alerts to match business needs.