Principal Network Engineer — Network Automation

I operate the network and build the software that runs it.

Thirty years designing and running enterprise and service-provider networks — MPLS, BGP, and EVPN/VXLAN across Arista, Juniper, and Cisco. Five years turning that operational experience into production-grade automation: open-source repositories, pip packages other engineers install, and every networking tool validated against real multi-vendor hardware before it ships.

Operator ProfileREV 2026
Experience30 yrs network eng
Primary langPython
Also shipsGo · C#/.NET · JS/TS
DomainDatacenter · Peering · SP
VendorsArista · Juniper · Cisco
CertsCCNP · CCIP · JNCIS
BaseLittleton, Colorado
How these tools are built

Every networking tool here was validated against real multi-vendor hardware — Arista, Juniper, and Cisco gear running real routing tables and real failure scenarios in a dedicated lab — before it was trusted in production. Nothing was tested first against mocked data.

That discipline comes from four years of formal QA network automation: Robot Framework and pyATS suites triggered from GitLab CI against datacenter hardware, where a bad parse or a missed edge case had operational consequences. Design intent is defined upfront, implementation is systematic, and validation is continuous. These tools work because they were tested where failure matters.

Hardware-validated Multi-vendor QA-driven development Inheritable code · no exotic dependencies
§ 01

Technical deep dives

Three tools, taken apart. Each is a small system with one non-obvious engineering decision at its center — and the three share a foundation, which is the point.

FIG.01 Python · PyQt6 · GPLv3 Cisco · Arista · Juniper
Secure Cartography
SSH-based multi-vendor discovery that turns a live network into documented topology.
Secure Cartography architecture diagram ⤢ Enlarge
Fig. 01 — Layered architecture. Left rail: reusable libraries. Center: discovery pipeline. Right: the seed artifact fanning out to consumers.

Point it at a seed device and it crawls the network over SSH and SNMP, reading CDP/LLDP neighbors, fingerprinting each device, and emitting a normalized topology map. Downstream, that map becomes Draw.io and GraphML diagrams and a security-posture audit — but the map is written once and consumed at import time, with no runtime coupling between discovery and its consumers.

The architecture is deliberately layered so the hard parts are reusable on their own: a Paramiko SSH client hardened for legacy gear (invoke-shell only, old ciphers and KEX, ANSI filtering, prompt detection), an encrypted credential vault (PBKDF2-HMAC-SHA256 key derivation, Fernet at rest), a resolver that finds working credentials per device, and a parsing engine that selects its own templates — FIG.02.

What makes it different

It's built from libraries you could hand to another engineer tomorrow. The SSH client, the vault, and the parser each stand alone — and the same SSH client is the one powering fibtrace (FIG.03). The topology map is a seed artifact: the file is the contract, so anything can consume it without importing the tool that made it.

ParamikoSNMP + SSHTextFSMPBKDF2 · FernetDraw.io / GraphML pip install secure-cartography
FIG.02 Python · SQLite · TextFSM 15+ vendor families
tfsm-fire
Multi-vendor CLI parsing where the output selects the template — not the engineer.
tfsm-fire architecture diagram ⤢ Enlarge
Fig. 02a — The inversion and the scoring pipeline. Raw output plus a loose hint in; the highest-scoring parse out.

Conventional TextFSM makes you pick the right template up front. Guess wrong and you get silent garbage, and every new command or vendor means another hand-wired selection branch. tfsm-fire inverts that: hand it raw CLI output and a loose hint, and it runs every candidate template, scoring each parse on a 100-point rubric — record count, field richness, population rate, and consistency — then returns the best match. There is no selection logic to maintain.

tfsm-fire scoring a live Cisco IOS capture ⤢ Enlarge
Fig. 02b — The rubric, live: a Cisco IOS show interfaces capture scored and parsed into structured records.
What makes it different

The four bars in the screenshot — records, fields, population, consistency — are the exact scoring factors from the diagram, running against a real capture. The engine scales to 1,200+ templates across 15+ vendor families with zero per-command mapping, and it's the parsing core inside Secure Cartography. Thread-safe by construction, so it parses a whole fleet in parallel.

FIG.03 Python · FastAPI · MIT Cisco · Arista · Juniper
fibtrace
Hop-by-hop forwarding-plane validation from the device's own perspective. Not a traceroute.
fibtrace architecture diagram ⤢ Enlarge
Fig. 03 — The BFS walk and the four forwarding questions, feeding a directed graph of every path a packet can take.

A traceroute probes from the outside with ICMP and sees hop IPs. It's blind to RIB-versus-FIB divergence, incomplete ARP, and any ECMP path it didn't happen to hash into. fibtrace goes inside-out: it SSHes into each device and reads that device's own forwarding tables, asking four questions at every hop — is there a route, is it in the FIB, is the next-hop resolved, is the link healthy — and identifies devices by CLI-prompt hostname rather than IP, because in real networks the management address rarely matches the forwarding plane.

The result is a directed graph of every path a packet can take from source to destination — ECMP fan-out, convergence points, and terminal nodes included. No agents, no controllers; just SSH and a browser.

What makes it different — fibtrace.diff

Load a pre-change graph and a post-change graph and get quantified impairment — paths, edges, ECMP width — with a CRITICAL / WARN / OK triage band across the top. Hover any path and it renders on both graphs at once, so you're not mentally diffing two pictures. Export JSON for automation, SVG/PNG for a MOP or an incident write-up. Change validation you can hand to a reviewer.

FastAPIECMP / FIB3-tier parse: JSON → TextFSM → regexDAG pip install fibtrace
One foundation

Two systems, one foundation

Secure Cartography discovers what exists; fibtrace validates how it forwards. They aren't the same tool, but they rest on the same three ideas — which is why building the second one was fast. The same hardened SSH client drives both (fibtrace's copy still carries the original module path in its docstring). Both let structure win where they can get it, rather than hand-wiring parser selection. And both treat a structured JSON file as the interface between stages, so downstream tools consume the artifact without importing the producer.

Shared SSH client Structure-first parsing JSON artifact as contract
§ 02

Experience

Principal and architect roles across datacenter, peering, and tier-1 service-provider networks — plus four years building network test automation for a datacenter QA org.

Current
Oct 2024 — Present
Principal Infrastructure Engineer

Datacenter and peering infrastructure on Arista and Juniper. Circuit turn-ups and PNI implementations.

BGP peer migrations — pre-flight validation, state auditing, cutover execution.

Columbia Sportswear
Mar 2022 — Oct 2024
Principal Infrastructure Engineer

Enterprise network across 600+ retail locations, datacenters, and corporate sites — Cisco, Aruba, Palo Alto.

Built a device-state collection platform (Flask/FastAPI, MySQL) for auditing and compliance.

Charter
2019 — 2022
Principal Engineer — Datacenter QA Network Automation

Built network test automation from the ground up in Robot Framework and pyATS — Python suites running against real Arista and Cisco datacenter hardware, triggered from GitLab CI on every config and image change.

VXLAN/EVPN fabric validation, leaf-spine verification, control-plane and data-plane convergence testing.

Level 3 / TW Telecom
2012 — 2019
Architect — IP Edge Engineering

IP services architecture across a tier-1 backbone — MPLS L3VPN, VPLS, IPVPN, converged voice/data, managed internet.

Anycast DNS, syslog infrastructure, and NetFlow collection and analysis at carrier scale.

Cricket (AT&T)
2006 — 2012
Architect III

Mobile carrier network architecture — MPLS core with OSPF-TE, VPLS, MVNO peering. Datacenter fabrics up to ~300 switches.

§ 03

Capabilities

Platforms & protocols
Cisco IOS / IOS-XE / NX-OS, Arista EOS, Juniper Junos, Palo Alto, Aruba/HPE, F5 · BGP, MPLS L3VPN, VPLS, EVPN/VXLAN, OSPF/IS-IS, SD-WAN
Languages
Python, Go, C#/.NET, JavaScript/TypeScript, Shell · PyQt6, Fyne, FastAPI, Flask, Textual
Automation & test
Netmiko, NAPALM, TextFSM, Nornir, pyATS, Robot Framework, Ansible, PySNMP, Paramiko · GitLab CI
Infrastructure
Git/GitLab CI, Docker, Linux, MySQL, SQLite, Redis, WebSocket services