CDW / IGNW
Jan 2026 — Present
Brownfield fabric discovery and automation pipeline for multi-state hospital network upgrade; found the outage root cause before either vendor team did.
- Engagement: large multi-state hospital system brownfield network upgrade; Extreme Networks discovery and design-ready artifact generation targeting Cisco replacement.
- Identified root cause of production outage during SPBM-to-Cisco core migration — traced failure to ECT multicast export gap at SPBM/Cisco boundary; documented findings and issued recommendations to both vendor teams.
- TextFSM template corpus authored against five OS families; NTC-templates integration with bespoke fallthrough; preflight coverage reporting with per-site gap analysis; documented TextFSM authoring failure modes not in project documentation. Releasing to internal colleagues.
Baylor University
Jan 2016 — Jan 2026
Platform owner across campus fabric, BGP operations, threat automation, and observability — designed and defended architecture with full consequence chain for a decade.
- August 2024: diagnosed campus-wide CDN access loss as inbound traffic-steering prefix leak via Internet2 customer misconfiguration; formed root-cause hypothesis overnight, obtained external corroboration from Google network engineer before 8am, withstood management objection, restored CDN access via peer shutdown within minutes. Followed with RPKI/ROA registration for ARIN-delegated prefixes in collaboration with Internet2 Sr. Engineer — authoritative origin validation now in place. Redesigned BGP advertisement architecture: /16 universal to all peers, /19s for inbound sector steering, no more-specifics exposed to any peer with commodity internet adjacency — eliminates the leak vector class permanently.
- 2024 campus fabric overhaul: enforced NNI-only boundary on core switches against organizational pushback — collapsing edge ports onto core merges failure domains (edge outage becomes simultaneous transit loss across all distribution layers), destroys deterministic troubleshooting reasoning, and inflates routine access changes into high-scrutiny core change events; held design position to completion.
- Guided distribution-layer VRF design; provided architectural clarity on isolated FIB sharing a common SPBM backbone when team struggled to visualize L3 separation model.
- 2023 ASR border consolidation: learned IOS-XR l2transport to collapse discrete L2 breakout switch into ASR subinterfaces — eliminated dedicated switch, reduced capex, cleaned stack at LEARN provider boundary (original boundary also personally designed, 2013).
- Deployed 100G infrastructure: border-to-core and core-to-research/HPC DMZ; border staged for future 100G ISP upgrade.
- Authored full infrastructure ACL strategy solo during Cisco platform migration: restricted external IPs from management plane ports on all routed interfaces; philosophy: defer inline policy enforcement to Palo Alto for granular logging, not ACLs.
- Built multi-source Grafana observability stack at zero budget and own initiative: Statseeker via vendor API shim (interface I/O, link utilization); Palo Alto XML/REST API Perl pipeline into InfluxDB (dataplane CPU, session counts across 4x HA pairs PA 5K series plus 2x PA 3K singles); DHCP pool utilization pipeline — own Perl glue around dhcpd-pools open-source parser feeding InfluxDB, intermediate file persisted for auditability; CA Spectrum asset data via XML/REST API. Session count panel color-coding detected unexpected HA failover events 5-6 times over five years of operation. DHCP pool alerting at 95% threshold triggered wireless admin workflow to rebalance APs across WLC HA pairs.
- Designed and implemented RTBH threat automation: infosec-originated daily threat report (50+ flagged hosts) processed via custom Perl controller — email body parsing, Quagga vtysh CLI wrapper, /32 blackhole injection via iBGP to dual ASR 9K border routers; uRPF loose mode enforces bidirectional data-plane drop without management plane load; replaced multi-step approval/firewall-change workflow with single-operator paste operation; adopted as primary border host-enforcement mechanism.
- Directional prefix integrity enforcement on ARIN-delegated /16: routes originated from incorrect direction dropped at border — eliminates spoofed ingress by design.
- Network architecture advisor on NSX-v deployment and subsequent NSX-T transformation; SME for VXLAN-to-Geneve encapsulation migration — encapsulation model change and underlay implications.
- ASR border RPL policy marks DSCP on ISP ingress (IOS-XR) — authoritative classification point at campus edge. Procera appliance deployed as L2 bump-in-the-wire at security/distribution boundary: DSCP reader, not marker; provided per-ISP inbound utilization telemetry not otherwise visible at that boundary (retired 2023 during 100G deployment, Procera not rated for line rate). Telemetry fed manual BGP advertisement strategy across multihomed ISP peers: /16 split into subnet advertisement ratios per ISP to bias inbound load distribution without policy routing on the forwarding plane.
- Lead infrastructure designer for venue silo (stadium, basketball venue, visitor center) — grew into separate infrastructure silo; consistently pushed back against cookie-cutter vendor proposals in favor of operational nuance. Routing advisory role in later years after venue champion handoff.
Baylor University
Jan 2010 — Dec 2015
Built homegrown NMS/IPAM that Baylor replaced with a commercial product upon departure; designed carrier WAN boundary still in operation at exit.
- Full-stack ownership of homegrown NMS: Linux administration, PHP application layer, SQL schema design, Perl polling backend, SSL cert maintenance, DHCP policy, and SQL-to-DHCP config translation layer.
- Integrated SNMP polling, ARP table dumps (~60K entries per 5-minute cron snapshot, 100K+ cumulative), FDB tables, and LLDP/CDP adjacencies — all correlated in SQL for real-time DHCP lease-to-edge-port visibility.
- No commercial product existed for this use case at the time; Baylor purchased Efficient IP to replace it upon departure — validates production-grade utility.
- CA Spectrum (asset management) as source of truth: asset enumeration via XML/REST API seeded SNMP library.
- Designed LEARN/tx-learn.net provider boundary (2013): MPLS R&E network providing Internet2, commodity Internet, and L2 transport; 2x10G port-channel handoff carrying DIA (eBGP session 1), Internet2 (eBGP session 2), L2 transport to Nursing School campus ~90 miles via wireless mgmt VLAN and routed wired hop, and DR VLAN cluster to TAMU data center ~90 miles opposite direction.
- Astound/Grande metro Ethernet (provider QinQ internal transport): ~20 sites, 1,000+ clients across regional campus; Baylor handoff via straight 802.1q — 10G TLS and DIA; provider-owned gear on campus.
- OSPF and iBGP adjacencies at border: OSPF to dual Cat9K core over dedicated 100G interfaces; iBGP routed hop to second border ASR 9K over 100G.
- Splunk integration: SplunkQL embedded in Perl library; ISM ticketing system integration; NAT layer peeling to identify edge users from BYOD networks.
Baylor University
Feb 2004 — Dec 2009
Designed authenticating gateway from a NASA whitepaper and a spare workstation — impact was enough that the CIO moved me into networking without an interview.
- Seattle HQ F5 training, Feb 2008. Built multiple generations of F5 configuration personally before hiring dedicated SME; retained architectural leadership after SME hire — SME deferred to Jeffrey on novel point solutions.
- baylor.edu identity/HTTP architecture: domain authentication and public HTTP FQDN required simultaneous resolution against same hostname — pre-best-practice era, no clean separation. Solution: L4 policy routing tcp/80+443 to F5 VIP with pass-through for remaining traffic; iRule URI multiplexing per marketing strategy; Palo NAT + F5 iRules + DNS + SSL SAN cert stack in unified ownership. Architecture held production from implementation through Jan 2026 departure; student body grew 16K to 20K, ISP handoff scaled 1G to 2x10G over the same period.
- Full solution ownership exercised through cross-domain informal authority — no organizational mandate over AD, DNS, firewall, or SSL teams; execution delegated based on reputation and trust across all domains simultaneously.
- Developed Perl-based ruleset auditing tool: parsed exported CheckPoint rulesets to validate coverage parity and identify gaps before production cutover — architectural/audit role assisting primary firewall admin.
- Palo Alto / Panorama architectural operations; Palo Alto XML and REST API consumption into InfluxDB observability pipeline.
- Designed and implemented authenticating gateway from NASA IT whitepaper and a spare Dell Precision workstation — no commercial product existed. OpenBSD/pf, dual NIC, ISC DHCP. PHP frontend authenticated against AD via RADIUS; correlation engine bound browser IP to MAC via ARP table and DHCP lease state. RADIUS client found online was RFC non-compliant — read RFC to byte level, manually repacked UDP payload to fix encoding.
- Residential gateway (rfg) served 1,000-2,500+ students at peak (Fall 2003 through 2008+) across multiple major rewrites. Patched MySQL calls into ISC dhcpd C source — internal fork — so lease state updated SQL tables live. Built Unix daemon (UDP localhost command protocol: ADDRULE/DELRULE) to push authenticated IPs into pf firewall state on successful RADIUS auth; added Perl SNMP pollers for ARP and FDB from downstream routers into SQL. Full stack became direct technical foundation for WebDHCP/IPAM.
- Project impact and operational footprint led to CIO-intervened transfer to networking without formal interview.