Archives
All the articles I've archived.
-
Parser accepted it but runtime behavior still broke
Technical deep dive into Parser accepted it but runtime behavior still broke
-
veth is not free just because it is virtual
Technical deep dive into veth is not free just because it is virtual
-
Intended Attach Graph vs the Programs Actually Live
Technical deep dive into Intended Attach Graph vs the Programs Actually Live
-
Microbursts, NAPI Budget, and Fast-Path Tradeoffs
Technical deep dive into Microbursts, NAPI Budget, and Fast-Path Tradeoffs
-
VIP Failover Without Session Ownership
Technical deep dive into VIP Failover Without Session Ownership
-
Refusal behavior needs regression gates too
Technical deep dive into Refusal behavior needs regression gates too
-
Normalize Before Approval or You Review Noise
Technical deep dive into Normalize Before Approval or You Review Noise
-
How slow can policy CI get at scale
Technical deep dive into How slow can policy CI get at scale
-
Session affinity intent versus real backend stickiness
Technical deep dive into Session affinity intent versus real backend stickiness
-
Telemetry-backed verdicts for copilot regression cases
Technical deep dive into Telemetry-backed verdicts for copilot regression cases
-
Safely disabling topology hints during a live incident
Technical deep dive into Safely disabling topology hints during a live incident
-
Tuning Approval Thresholds by Measured Cost
Technical deep dive into Tuning Approval Thresholds by Measured Cost
-
Diff normalization to kill false canary alarms
Technical deep dive into Diff normalization to kill false canary alarms
-
Why readiness goes green while forwarding stays dead
Technical deep dive into Why readiness goes green while forwarding stays dead
-
Generating parsers from samples without blind trust
Technical deep dive into Generating parsers from samples without blind trust
-
Breakouts, subinterfaces, and LAGs as first-class data
Technical deep dive into Breakouts, subinterfaces, and LAGs as first-class data
-
When shared peer-group policy leaks into IX sessions
Technical deep dive into When shared peer-group policy leaks into IX sessions
-
Bridge OVS or macvlan for external ports
Technical deep dive into Bridge OVS or macvlan for external ports
-
ACL canaries with shadow counters first
Technical deep dive into ACL canaries with shadow counters first
-
Baked configs versus mounts versus generated startup
Technical deep dive into Baked configs versus mounts versus generated startup
-
Packet-walk replay cases for overlay blackholes
Technical deep dive into Packet-walk replay cases for overlay blackholes
-
Migrating tc classifiers to XDP with rollback discipline
Technical deep dive into Migrating tc classifiers to XDP with rollback discipline
-
When failed rollback leaks a tenant across one leaf
Technical deep dive into When failed rollback leaks a tenant across one leaf
-
Hairpin service failures when a Pod calls itself
Technical deep dive into Hairpin service failures when a Pod calls itself
-
PromQL patterns for stuck link-state sessions
Technical deep dive into PromQL patterns for stuck link-state sessions
-
Split-brain triage with CLI, pipeline, and AI
Technical deep dive into Split-brain triage with CLI, pipeline, and AI
-
Safe batch size for ACL pushes
Technical deep dive into Safe batch size for ACL pushes
-
Dry Run Passed but Route Containment Failed
Technical deep dive into Dry Run Passed but Route Containment Failed
-
Convergence under brownouts not just clean link downs
Technical deep dive into Convergence under brownouts not just clean link downs
-
Scan loop or failover triaging a neighbor spike
Technical deep dive into Scan loop or failover triaging a neighbor spike
-
Two-Pass Generation for Safer NetOps Agents
Technical deep dive into Two-Pass Generation for Safer NetOps Agents
-
More NIC queues do not mean linear scaling
Technical deep dive into More NIC queues do not mean linear scaling
-
North south return path after anycast gateway ingress
Technical deep dive into North south return path after anycast gateway ingress
-
One-Way EVPN Traffic With Conflicting Clues
Technical deep dive into One-Way EVPN Traffic With Conflicting Clues
-
Conntrack expiration replays for action-happy models
Technical deep dive into Conntrack expiration replays for action-happy models
-
Safe devmap Target Swaps Without Transient Blackholes
Technical deep dive into Safe devmap Target Swaps Without Transient Blackholes
-
The Static Host Route That Escapes Its Blast Radius
Technical deep dive into The Static Host Route That Escapes Its Blast Radius
-
Did BFD Flap First or Did the Host Stall
Technical deep dive into Did BFD Flap First or Did the Host Stall
-
Symbolic analysis versus packet probes for policy CI
Technical deep dive into Symbolic analysis versus packet probes for policy CI
-
Bad config or bad gate or bad sample
Technical deep dive into Bad config or bad gate or bad sample
-
Default-Gateway Community Is Not Reachability
Technical deep dive into Default-Gateway Community Is Not Reachability
-
Expiring set elements caused the intermittent deny
Technical deep dive into Expiring set elements caused the intermittent deny
-
Brownfield reconciliation without a golden model
Technical deep dive into Brownfield reconciliation without a golden model
-
From Screen-Scraping Runbooks to Typed Diagnostic Tools
Technical deep dive into From Screen-Scraping Runbooks to Typed Diagnostic Tools
-
LLM generated hypotheses inside routing CI with hard guardrails
Technical deep dive into LLM generated hypotheses inside routing CI with hard guardrails
-
Updates-only and suppress-redundant in real alert pipelines
Technical deep dive into Updates-only and suppress-redundant in real alert pipelines
-
High Confidence Is Not a Remediation Gate
Technical deep dive into High Confidence Is Not a Remediation Gate
-
Canarying a live trunk into containerlab safely
Technical deep dive into Canarying a live trunk into containerlab safely
-
Measuring safe pause intervals between change batches
Technical deep dive into Measuring safe pause intervals between change batches
-
Dual-writer IPAM caused address overlap
Technical deep dive into Dual-writer IPAM caused address overlap
-
When ndots turns service discovery into a DNS storm
Technical deep dive into When ndots turns service discovery into a DNS storm
-
ge and le edits that reopen aggregate holes
Technical deep dive into ge and le edits that reopen aggregate holes
-
Aging out zombie inventory with last-seen signals
Technical deep dive into Aging out zombie inventory with last-seen signals
-
Client-to-client reflection and IX loop risk
Technical deep dive into Client-to-client reflection and IX loop risk
-
Rollback plans need their own gates
Technical deep dive into Rollback plans need their own gates
-
Rendered subscriptions versus actual observed coverage
Technical deep dive into Rendered subscriptions versus actual observed coverage
-
Nested labs and the virtio single-queue cliff
Technical deep dive into Nested labs and the virtio single-queue cliff
-
Migrating NAT Rules to nftables Without Session Damage
Technical deep dive into Migrating NAT Rules to nftables Without Session Damage
-
From tcpdump hunts to a reproducible service-path lab
Technical deep dive into From tcpdump hunts to a reproducible service-path lab
-
Graceful Restart through reflectors during edge isolation
Technical deep dive into Graceful Restart through reflectors during edge isolation
-
Local-pref tiers without permanent hot potato surprises
Technical deep dive into Local-pref tiers without permanent hot potato surprises
-
Can AI help with lab-host preflight drift
Technical deep dive into Can AI help with lab-host preflight drift
-
Calico precedence traps during cross-zone canaries
Technical deep dive into Calico precedence traps during cross-zone canaries
-
Reading 503 flags when the application is innocent
Technical deep dive into Reading 503 flags when the application is innocent
-
From manual spot checks to leak regression CI
Technical deep dive into From manual spot checks to leak regression CI
-
eBPF Does Not Magically Remove Conntrack Cost
Technical deep dive into eBPF Does Not Magically Remove Conntrack Cost
-
Failed policy test with three plausible causes
Technical deep dive into Failed policy test with three plausible causes
-
Aggregate withdrawal races that create transient loops
Technical deep dive into Aggregate withdrawal races that create transient loops
-
Tcpdump Cut the Ceiling in Half
Technical deep dive into Tcpdump Cut the Ceiling in Half
-
Why cloned images lose tcpdump and raw sockets
Technical deep dive into Why cloned images lose tcpdump and raw sockets
-
AI workbench for ECMP drift proof
Technical deep dive into AI workbench for ECMP drift proof
-
Translating access requests into canonical policy specs
Technical deep dive into Translating access requests into canonical policy specs
-
Safe delete workflows for config that cannot be undeleted
Technical deep dive into Safe delete workflows for config that cannot be undeleted
-
Telemetry architecture for containing cascades
Technical deep dive into Telemetry architecture for containing cascades
-
From brittle netns shell to a clean lab harness
Technical deep dive into From brittle netns shell to a clean lab harness
-
eBPF tracing for resolver path forensics
Technical deep dive into eBPF tracing for resolver path forensics
-
Where VXLAN actually burns CPU in Linux labs
Technical deep dive into Where VXLAN actually burns CPU in Linux labs
-
Kubernetes DNAT with nft backend gone sideways
Technical deep dive into Kubernetes DNAT with nft backend gone sideways
-
ECMP failover across unequal policy domains
Technical deep dive into ECMP failover across unequal policy domains
-
Deterministic Enough Means Defining a Repeatability Contract
Technical deep dive into Deterministic Enough Means Defining a Repeatability Contract
-
Telemetry lag or real stability after a phase
Technical deep dive into Telemetry lag or real stability after a phase
-
Normalizing BGP summaries without flattening peer state
Technical deep dive into Normalizing BGP summaries without flattening peer state
-
Semantic diffs beat line diffs for review
Technical deep dive into Semantic diffs beat line diffs for review
-
Partial rollback leaves sessions half-alive
Technical deep dive into Partial rollback leaves sessions half-alive
-
Why CPU based HPA misses real DNS collapse
Technical deep dive into Why CPU based HPA misses real DNS collapse
-
Congestion, Bad Optics, or a Sick ECMP Member
Technical deep dive into Congestion, Bad Optics, or a Sick ECMP Member
-
Why tcpdump in the Pod Sees Nothing
Technical deep dive into Why tcpdump in the Pod Sees Nothing
-
xDS lag that preserves dead upstreams in one zone
Technical deep dive into xDS lag that preserves dead upstreams in one zone
-
The real CPU cost of bridge hairpin loops
Technical deep dive into The real CPU cost of bridge hairpin loops
-
AI summaries versus deterministic packet walks
Technical deep dive into AI summaries versus deterministic packet walks
-
The observability tax of per session BFD telemetry
Technical deep dive into The observability tax of per session BFD telemetry
-
CLI Grep Structured Query or LLM Triage
Technical deep dive into CLI Grep Structured Query or LLM Triage
-
The regex route-map that matched the whole customer table
Technical deep dive into The regex route-map that matched the whole customer table
-
Retry Budgets, Hysteresis, and Kill Switches for Self-Healing
Technical deep dive into Retry Budgets, Hysteresis, and Kill Switches for Self-Healing
-
IRB blackhole or just the wrong VNI
Technical deep dive into IRB blackhole or just the wrong VNI
-
Intended SLO signal versus packet truth
Technical deep dive into Intended SLO signal versus packet truth
-
The lab says multi-queue, the host says not really
Technical deep dive into The lab says multi-queue, the host says not really
-
Sidecars, Host NAT, and Split Return Ownership
Technical deep dive into Sidecars, Host NAT, and Split Return Ownership
-
ARP storm FHRP flap or duplicate gateway
Technical deep dive into ARP storm FHRP flap or duplicate gateway
-
Timer alignment as a resilience decision
Technical deep dive into Timer alignment as a resilience decision
-
Hairpin NAT on a Linux bridge
Technical deep dive into Hairpin NAT on a Linux bridge
-
Free-Form Parsing vs Typed Extraction
Technical deep dive into Free-Form Parsing vs Typed Extraction
-
Intended queue telemetry versus what the kernel exports
Technical deep dive into Intended queue telemetry versus what the kernel exports
-
When Endpoint Scale Forces a Type-2 Rethink
Technical deep dive into When Endpoint Scale Forces a Type-2 Rethink
-
The Evidence Bundle That Proves the Real Hook
Technical deep dive into The Evidence Bundle That Proves the Real Hook
-
ifAlias drift destroys long-term interface history
Technical deep dive into ifAlias drift destroys long-term interface history
-
DSR versus SNAT service modes across zones
Technical deep dive into DSR versus SNAT service modes across zones
-
tc flower offload worked until it silently did not
Technical deep dive into tc flower offload worked until it silently did not
-
Telemetry That Separates IMET from Endpoint Failure
Technical deep dive into Telemetry That Separates IMET from Endpoint Failure
-
Where the parser belongs in an AI NetOps stack
Technical deep dive into Where the parser belongs in an AI NetOps stack
-
NAT expiry that looks like chronic packet loss
Technical deep dive into NAT expiry that looks like chronic packet loss
-
Container restart silently detached the veth tooling
Technical deep dive into Container restart silently detached the veth tooling
-
Training assistants on real DNS failure traces
Technical deep dive into Training assistants on real DNS failure traces
-
Two-person rollback for high-risk domains
Technical deep dive into Two-person rollback for high-risk domains
-
Bringing mirrored production traffic into a lab safely
Technical deep dive into Bringing mirrored production traffic into a lab safely
-
Deny-by-default exceptions without opening the subnet
Technical deep dive into Deny-by-default exceptions without opening the subnet
-
Why the workbench picked the wrong fix
Technical deep dive into Why the workbench picked the wrong fix
-
Kernel stage timing versus application p99
Technical deep dive into Kernel stage timing versus application p99
-
AI guardrails for deprecated node kinds and images
Technical deep dive into AI guardrails for deprecated node kinds and images
-
Trust Boundaries in Cross Domain Incident Timelines
Technical deep dive into Trust Boundaries in Cross Domain Incident Timelines
-
Bootstrapping hardware in CI before container tests
Technical deep dive into Bootstrapping hardware in CI before container tests
-
Terminal-native workbenches versus sidecar web consoles
Technical deep dive into Terminal-native workbenches versus sidecar web consoles
-
When port isolation fails to contain the blast
Technical deep dive into When port isolation fails to contain the blast
-
How Do You Know Recovery Is Actually Done
Technical deep dive into How Do You Know Recovery Is Actually Done
-
Upstream packet loss or local ring starvation
Technical deep dive into Upstream packet loss or local ring starvation
-
DF inconsistency in a partially degraded multihomed segment
Technical deep dive into DF inconsistency in a partially degraded multihomed segment
-
Which metric actually proves load balance
Technical deep dive into Which metric actually proves load balance
-
Do recurring incidents need a bpftrace workbench
Technical deep dive into Do recurring incidents need a bpftrace workbench
-
Conntrack pressure as silent path symptom
Technical deep dive into Conntrack pressure as silent path symptom
-
Deduplicating prefix lists without deleting the exception
Technical deep dive into Deduplicating prefix lists without deleting the exception
-
From diff-only pipelines to four-state reconciliation
Technical deep dive into From diff-only pipelines to four-state reconciliation
-
Pre-change capacity gates from PromQL
Technical deep dive into Pre-change capacity gates from PromQL
-
Replacing the Wrong Pinned Program During a Fast-Path Rollout
Technical deep dive into Replacing the Wrong Pinned Program During a Fast-Path Rollout
-
IPv6 link-local recursion after an interface flap
Technical deep dive into IPv6 link-local recursion after an interface flap
-
MED surprises across inconsistent neighbor groups
Technical deep dive into MED surprises across inconsistent neighbor groups
-
Route Reflector Restarts and Path Hunting Waves
Technical deep dive into Route Reflector Restarts and Path Hunting Waves
-
gRPC UNAVAILABLE during cert rotation, not application failure
Technical deep dive into gRPC UNAVAILABLE during cert rotation, not application failure
-
Layered controls can still create default-allow islands
Technical deep dive into Layered controls can still create default-allow islands
-
Telemetry-First Evidence Chains for Session Reset Storms
Technical deep dive into Telemetry-First Evidence Chains for Session Reset Storms
-
Correlation Gates for High Risk Rollbacks
Technical deep dive into Correlation Gates for High Risk Rollbacks
-
Line-by-line APIs and the illusion of atomic change
Technical deep dive into Line-by-line APIs and the illusion of atomic change
-
A control-plane workbench for stuck-state triage
Technical deep dive into A control-plane workbench for stuck-state triage
-
A safe VXLAN-to-Geneve migration plan
Technical deep dive into A safe VXLAN-to-Geneve migration plan
-
Ambiguous tickets need competing-hypothesis regression tests
Technical deep dive into Ambiguous tickets need competing-hypothesis regression tests
-
Policy counters say match but bestpath says otherwise
Technical deep dive into Policy counters say match but bestpath says otherwise
-
Shadow reflectors and phased client cutover
Technical deep dive into Shadow reflectors and phased client cutover
-
Image provenance gates before CI lab execution
Technical deep dive into Image provenance gates before CI lab execution
-
One flow through a first-hop split-brain
Technical deep dive into One flow through a first-hop split-brain
-
PERMISSIVE mode is not a harmless staging area
Technical deep dive into PERMISSIVE mode is not a harmless staging area
-
Escalating from Diagnosis to Access Change
Technical deep dive into Escalating from Diagnosis to Access Change
-
Rollback windows on non-transactional network devices
Technical deep dive into Rollback windows on non-transactional network devices
-
Collapsing per-neighbor policy into peer groups safely
Technical deep dive into Collapsing per-neighbor policy into peer groups safely
-
Property tests before pushing prefix limits and community rewrites
Technical deep dive into Property tests before pushing prefix limits and community rewrites
-
UDP service loss under load with too many suspects
Technical deep dive into UDP service loss under load with too many suspects
-
Convergence SLOs in CI for BFD changes
Technical deep dive into Convergence SLOs in CI for BFD changes
-
Subscription paths that pass tests but miss breakout ports
Technical deep dive into Subscription paths that pass tests but miss breakout ports
-
Higher overall accuracy does not mean safer
Technical deep dive into Higher overall accuracy does not mean safer
-
Hook priorities that silently reorder your firewall
Technical deep dive into Hook priorities that silently reorder your firewall
-
Safe remediation sandboxes for tool-using models
Technical deep dive into Safe remediation sandboxes for tool-using models
-
Designing a tool-callable incident replay harness
Technical deep dive into Designing a tool-callable incident replay harness
-
Designing Evidence Graphs for Network Diagnostic Agents
Technical deep dive into Designing Evidence Graphs for Network Diagnostic Agents
-
From raw CLI to stable entity graphs
Technical deep dive into From raw CLI to stable entity graphs
-
TextFSM, parsers, and LLMs on the same CLI mess
Technical deep dive into TextFSM, parsers, and LLMs on the same CLI mess
-
From flood and learn to proxy resolution
Technical deep dive into From flood and learn to proxy resolution
-
When a hidden bridge loop outruns storm control
Technical deep dive into When a hidden bridge loop outruns storm control
-
Why only large DNS answers fail behind policy
Technical deep dive into Why only large DNS answers fail behind policy
-
Pod to CoreDNS packet walk that explains silent lookup failure
Technical deep dive into Pod to CoreDNS packet walk that explains silent lookup failure
-
Walking a SYN through every stall point
Technical deep dive into Walking a SYN through every stall point
-
A minimal loss forensics kit in bpftrace
Technical deep dive into A minimal loss forensics kit in bpftrace
-
Walking one TCP segment to the real delay
Technical deep dive into Walking one TCP segment to the real delay
-
MTU intent vs dataplane reality across namespaces
Technical deep dive into MTU intent vs dataplane reality across namespaces
-
Are these retransmissions real or capture artifacts
Technical deep dive into Are these retransmissions real or capture artifacts
-
Tracing MSS collapse through stacked overlays
Technical deep dive into Tracing MSS collapse through stacked overlays
-
One Packet Through Namespace, Bridge, Conntrack, NAT
Technical deep dive into One Packet Through Namespace, Bridge, Conntrack, NAT
-
64-byte PPS Is Not 1500-byte Throughput
Technical deep dive into 64-byte PPS Is Not 1500-byte Throughput
-
One elephant flow through qdisc and counters
Technical deep dive into One elephant flow through qdisc and counters
-
When NIC offloads make counters disagree
Technical deep dive into When NIC offloads make counters disagree
-
Microbursts that disappear between scrapes
Technical deep dive into Microbursts that disappear between scrapes
-
Route-policy rollouts without recursive next-hop surprises
Technical deep dive into Route-policy rollouts without recursive next-hop surprises
-
Retrying after an SSH timeout without double-applying state
Technical deep dive into Retrying after an SSH timeout without double-applying state
-
Where a transaction should stop in network automation
Technical deep dive into Where a transaction should stop in network automation
-
Walking the Management Packet Through NAT
Technical deep dive into Walking the Management Packet Through NAT
-
One Packet Through a Leaking VRF
Technical deep dive into One Packet Through a Leaking VRF
-
Expected Next Hop Versus Resolved Next Hop
Technical deep dive into Expected Next Hop Versus Resolved Next Hop
-
Migrating from YAML inventories without losing rollback
Technical deep dive into Migrating from YAML inventories without losing rollback
-
Custom fields, tags, or plugins
Technical deep dive into Custom fields, tags, or plugins
-
Intended state is not rendered config
Technical deep dive into Intended state is not rendered config
-
Migrating from flat to hierarchical reflectors safely
Technical deep dive into Migrating from flat to hierarchical reflectors safely
-
Where path hiding starts in dual-layer reflector fabrics
Technical deep dive into Where path hiding starts in dual-layer reflector fabrics
-
Migrating to Symmetric IRB Without Semantic Drift
Technical deep dive into Migrating to Symmetric IRB Without Semantic Drift
-
The Missing Type-2 on Silent Hosts
Technical deep dive into The Missing Type-2 on Silent Hosts
-
Type-2 vs Type-5 at Anycast IRB
Technical deep dive into Type-2 vs Type-5 at Anycast IRB
-
Migrating from standard to large communities safely
Technical deep dive into Migrating from standard to large communities safely
-
Designing a large-community schema that survives growth
Technical deep dive into Designing a large-community schema that survives growth
-
Why local-pref beats a shorter AS_PATH
Technical deep dive into Why local-pref beats a shorter AS_PATH
-
Recursive next-hop resolution that selects a dead exit
Technical deep dive into Recursive next-hop resolution that selects a dead exit
-
eBGP multihop over loopbacks without session roulette
Technical deep dive into eBGP multihop over loopbacks without session roulette
-
Session up, prefixes zero, and the silent policy mismatch
Technical deep dive into Session up, prefixes zero, and the silent policy mismatch
-
Why Idle, Connect, and Active keep repeating
Technical deep dive into Why Idle, Connect, and Active keep repeating
-
How a Withdrawn Pod Route Lingers in Calico BGP
Technical deep dive into How a Withdrawn Pod Route Lingers in Calico BGP
-
Measuring the Encapsulation Tax in Real Clusters
Technical deep dive into Measuring the Encapsulation Tax in Real Clusters
-
Cilium Same-Node Pod Packet Walk
Technical deep dive into Cilium Same-Node Pod Packet Walk
-
Stopping startup storms with phased boot gates
Technical deep dive into Stopping startup storms with phased boot gates
-
Host sysctl preflight for big Containerlab runs
Technical deep dive into Host sysctl preflight for big Containerlab runs
-
veth, TAP, and TUN under small-packet load
Technical deep dive into veth, TAP, and TUN under small-packet load
-
Was it rp_filter, nftables, or policy routing
Technical deep dive into Was it rp_filter, nftables, or policy routing
-
Userspace routers change the TUN packet path
Technical deep dive into Userspace routers change the TUN packet path
-
One packet from netns process to host socket
Technical deep dive into One packet from netns process to host socket
-
Tracing Prompt-to-Command Drift in NetDevOps Loops
Technical deep dive into Tracing Prompt-to-Command Drift in NetDevOps Loops
-
Scaling a Self-Healing Containerlab Pipeline
Technical deep dive into Scaling a Self-Healing Containerlab Pipeline
-
Designing an Open WebUI Front End for a Network Copilot
Technical deep dive into Designing an Open WebUI Front End for a Network Copilot
-
Why Topology-Aware Telemetry Beats Generic LLM Prompting
Technical deep dive into Why Topology-Aware Telemetry Beats Generic LLM Prompting
-
Modeling OSPF Convergence as Macro-Control
Technical deep dive into Modeling OSPF Convergence as Macro-Control
-
BGP Path Selection as Risk Management
Technical deep dive into BGP Path Selection as Risk Management
-
An AI Test Harness for Broken OSPF Adjacencies
Technical deep dive into An AI Test Harness for Broken OSPF Adjacencies
-
Why Python and Netmiko Beat Heavy Orchestrators
Technical deep dive into Why Python and Netmiko Beat Heavy Orchestrators
-
BGP State Mismatch in Containerlab
Technical deep dive into BGP State Mismatch in Containerlab
-
OSPF ExStart Loops from MTU Drift
Technical deep dive into OSPF ExStart Loops from MTU Drift