I am sitting here in Singapore finishing up the final leg of a two-week journey. I was invited to come to India for 10 days to geek out with engineers, conduct eight workshops and speak at Interop Mumbai. I really had a great time and met some awesome folks.
However, when it comes to communicating, most folks that speak native English have a difficult time with my surfer hillbilly slang. I was concerned if I would fall flat in another country. That happened to me in Germany where folks just didn't get my humor and thought I was a real goober-schnitzel with a few tech tips thrown in.
But when the markers hit the paper, and I pulled the IT language out, the playing field was leveled and the real fun began! It's free form time! We started getting into IT issues that were regionally specific and how we as engineers could address them. I was armed with Flexible NetFlow, so when questions like "How do we find the Top 10 folks sending the most traffic?" come out, I could lay the old...er, I mean new!:
TWTVRouter# show flow monitor (my-monitor) cache aggregate ipv4 source address sort highest counter bytes top 10
Of course that question never came out (since I was ready for it). What they wanted to know was how to find the top 20 sources that sent only one packet. Hmmm... Well, Flexible NetFlow does offer a filter counter option, so that command would be:
TWTVRouter# show flow monitor (my-monitor) cache filter counter packet 1 aggregate ipv4 source address sort highest flow packet top 20
But if they are wondering about one-packet flows, I am surprised that nobody mentioned anything about low TTL counts. This has been a CPU hog for a while now and is a great way to starve the device of vital cycles. I addressed this to the crowd and went over the construction of a TTL counter using Flexible NetFlow with EEM (these two features are quickly becoming favorites of mine due to the incredible power they have). First, let's config the flow records:
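! Flow record: key each flow on TTL plus source and destination address
flow record (my-record)
 match ipv4 ttl
 match ipv4 source address
 match ipv4 destination address
! Exporter (destination settings not shown)
flow exporter (my-exporter)
! Monitor ties the record and the exporter together
flow monitor (my-monitor)
 record (my-record)
 exporter (my-exporter)
! Apply it under an interface with "ip flow monitor (my-monitor) input" so it sees traffic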
Now a very simple EEM applet that detects a new flow with a TTL below 5 and sends a message to the syslog server:
event manager applet security-applet
 event nf monitor-name "(my-monitor)" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
 action 1.0 syslog msg "flow record with low TTL"
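The same two questions (top sources of one-packet flows, and flows with a TTL below 5) can also be answered on a collector from exported flow records. The following is an added example, not part of the original post: the record layout (source, destination, TTL, packets), the function names and the sample addresses are all constructed for illustration.

```python
from collections import Counter

# Constructed sample flow records: (src, dst, ttl, packets).
# Addresses come from the documentation ranges, not from real traffic.
FLOWS = [
    ("192.0.2.10", "198.51.100.1", 64, 120),
    ("192.0.2.11", "198.51.100.1", 1, 1),
    ("192.0.2.11", "198.51.100.2", 1, 1),
    ("192.0.2.11", "198.51.100.3", 2, 1),
    ("192.0.2.12", "198.51.100.1", 128, 1),
    ("192.0.2.13", "198.51.100.9", 3, 40),
    ("192.0.2.10", "198.51.100.7", 4, 1),
]

TTL_THRESHOLD = 5  # same "less than 5" condition as the EEM applet


def top_single_packet_sources(flows, n=20):
    """Rank sources by the number of one-packet flows they originated."""
    counts = Counter(src for src, _dst, _ttl, pkts in flows if pkts == 1)
    # Sort by count descending, then by address, so ties are deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def low_ttl_sources(flows, threshold=TTL_THRESHOLD):
    """Per source: (number of flows below the TTL threshold, lowest TTL seen)."""
    summary = {}
    for src, _dst, ttl, _pkts in flows:
        if ttl < threshold:
            count, lowest = summary.get(src, (0, ttl))
            summary[src] = (count + 1, min(lowest, ttl))
    return sorted(summary.items(), key=lambda kv: (-kv[1][0], kv[0]))


if __name__ == "__main__":
    print("Top sources of one-packet flows:")
    for src, count in top_single_packet_sources(FLOWS):
        print(f"  {src}: {count}")
    print(f"Sources with flows below TTL {TTL_THRESHOLD}:")
    for src, (count, lowest) in low_ttl_sources(FLOWS):
        print(f"  {src}: {count} flows, lowest TTL {lowest}")
```

A source that tops both lists, like 192.0.2.11 in the sample data, is the first place to look when the router CPU is being consumed by expiring packets.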
Since that time just days ago, I have received 28 e-mails from folks that tracked down resource hogs on the network. IT is truly the language we can speak to the world not only node to node and site to site, but engineer to engineer.
I have seen some amazing things on this trip. Stuff I thought a barefoot dude out of Tennessee would never see. Now it's your turn!
How about a trip around the world to visit one of the 7 Wonders of the World! Hey, this is no timeshare pitch! Cisco has decided to man up and promote our massive Borderless 3 launch. On October 05, point your browser to:
We have an engineers challenge in 3D!! Now since it is 3D you need to register as soon as possible. Are you ready to pit your knowledge against the rest of the world?? Imagine; YOU bringing home the geek gold medal as the Star Trek theme plays in the background, banners flying, geeks bowing at the hip as you pass. To honor your achievement you ain't going to Disney baby with overpriced and undercooked food, you and a guest (I am available by the way...) are flying off to one of the Wonders of the World!!! This is a geeks only challenge that could win you the trip of a lifetime! There is some cool stuff coming out in this launch that will REALLY change the way we build out networks! I have been messin' around with it for a while. I promise you'll dig it! Get your tail on over to:
As for me, I hear the chili crabs calling down at East Coast pier before I fly back home. Oops...looks like I forgot the Gas-X...this should be an interesting trip back...
Jimmy Ray Purser
Trivia File Transfer Protocol
India is the largest democracy in the world, the 6th largest country in the world AND one of the most ancient and living civilizations (at least 10,000 years old).
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.