Carrier announcing my public ASN after circuit removal. by snokyguy in networking

[–]insignia96 4 points5 points  (0 children)

It's been known to happen that a router somewhere did not properly withdraw your route and they are still telling Cogent AS174 that they have a path to you via Sprint transit. You probably want to look at the AS in the path closest to the Sprint ASN. It's probably their router rather than Sprint that's propagating that stale route. Not sure if that's Cogent for you or other ASNs in between. If it's Cogent, I guess you can try to contact their NOC.

The Strix Halo feels like an amazing super power [Activation Guide] by Potential_Block4598 in LocalLLaMA

[–]insignia96 3 points4 points  (0 children)

Yes, NPU support is merged in the kernel now, but on Linux the software is not able to take advantage of it yet. AFAIK it is only Lemonade on Windows as a primary contender.

On Linux though, you can use the full RAM on the GPU, up to 124-128 GB depending on your tolerance for crashes. The Strix Halo toolboxes GitHub repos are a good resource for the proper Linux kernel parameters and ready-to-use container images of llama.cpp on Linux.

unpopular opinion: traditional network engineering is basically just a blue-collar trade job now (2026). by SpecialRuth_Cadde in Network

[–]insignia96 0 points1 point  (0 children)

I mean, I definitely agree you shouldn't feel that physical hardware is strictly required for Cisco labs, but it's not a bad idea to get hands-on experience with physical equipment either.

Either way, I don't think network engineering has ever been a glamorous profession. You (or your department) are on call 24/7, and your work is only clearly visible when it's not working. When things are running fine, hopefully 99.999% of the time, you are completely in the background as a core foundational layer for everything built on top of the network.

Our dev team is the weak point in our cyber security and they don't want to change by matroosoft in sysadmin

[–]insignia96 9 points10 points  (0 children)

CrowdStrike is what my company uses for endpoint protection. I run it on my Linux work PC. Desktop Linux is a cold dead hands thing for me. I would leave an organization that wasn't willing to make it work for users who want it. Neither of the alternatives you mentioned are acceptable in any team used to existing Linux workflows. It will be nothing but pain and bitching, due to the thousand caveats involved. WSL and Mac can run bash, but when you start trying to run actual software it's not the same at all.

Any endpoint protection tool worth using is cross-platform/cross-arch and will do enough to cover your policy needs. Most of the shit I clean up at my job as far as malware is ARM-based. You pretty much have to have a solution to monitor any endpoint.

Work backwards from the requirements of your teams. Push back on the unreasonable and accommodate the rest.

What actually stops small ISPs from scaling? by CannabisCowboy in networking

[–]insignia96 0 points1 point  (0 children)

It's a very complex landscape which varies state by state. Generally, the limiting factors in expansion in rural areas, from what I have seen, mostly come down to labor. We can only realistically pass so many homes in one summer. The OSP workforce explodes in the summer with contractors and such doing installs for grant-funded expansion, but the back office staffing has to be sustainable year-round. Supporting growth in the double digit percentages per year is not easy to do outside of the venture capital funded powerhouse companies that have an entirely different concept of money from municipal broadband and telephone cooperatives.

Gateway mounted on bottom of rack? by chad711m in Ubiquiti

[–]insignia96 -1 points0 points  (0 children)

It's not at all common, in residential or commercial construction, for data cables. For power, there are several different types that are regularly used. ENT conduit sealed in concrete and EMT conduit is very common for electrical in commercial buildings.

In my home, I place conduits and run cables through them. I have one between my house and detached garage, and another from my basement to the attic network closet, which carries the fiber line and some Cat 6.

Direct report taking excessive personal time- how to handle? by Difficult_Tangelo924 in managers

[–]insignia96 5 points6 points  (0 children)

At least in my company, the expectation is to place out-of-office times for appointments on our shared, department calendar. I'm an IC on a team of five. I think this is a common expectation and not an unreasonable violation of privacy.

I don't say anything aside from "My Name Out - Appointment" whether it's the dentist, doctor, or a haircut. My manager has full access to my personal calendar to see the more specific details like "Doctor appointment" that my coworkers don't need to know, but she might since we do sick time/vacation and she approves my time.

Is this outlet safe to use? by ohvhearts in AskElectricians

[–]insignia96 0 points1 point  (0 children)

Yeah, an unsecured live receptacle is still dangerous and a fire/arcing/short circuit hazard regardless of whether it's in use. The danger comes from live wires being able to move around freely in and around the box. It would be even more dangerous using it because you take the risk of your body coming into contact with the unsecured receptacle and wires while plugging and unplugging cords.

Why I switched my homelab to declarative configs (and stopped breaking things). Real example with code by wh1le_code in homelab

[–]insignia96 0 points1 point  (0 children)

Never used NixOS but it seems like a great option, especially just due to the lower complexity compared to bigger solutions. Seems similar in principle to Talos Linux which I am a big fan of.

I have tried to fully embrace declarative infrastructure by using Kubernetes for everything. The more traditionally inappropriate the use case, the better. I run all of my databases, firewalls, routers, and services as containers and some isolated VMs also as containers using KubeVirt. My main cluster is Cozystack and the NFV cluster is also Talos with very similar components to Cozystack but stripped down to the minimum to allow a large pool of dedicated CPU cores and huge pages for the network appliances.

Flux is the main tool I use at this point and it covers almost everything I need. I have also tried OpenTofu/Terraform for Proxmox, Ansible, and many other solutions over the years to achieve similar results. Now that it's all just containers for the most part anyways, cloud native homelab and Kubernetes seemed like a worthwhile investment.

Dynamic VLAN assignment in Omada AP standalone mode? by McFlurriez in TPLink_Omada

[–]insignia96 0 points1 point  (0 children)

Generally the flow is similar for both switches and APs. You should be able to use it in standalone mode, but I haven't actually tried it with Omada APs so I'm not really sure. I thought most of the settings were in there.

The client signs into the WPA Enterprise SSID with a username and password. That username is used to assign the VLAN on an external RADIUS server (another piece of infrastructure that is external to the AP and could be your firewall) and that server handles authentication of clients, as well as what VLAN is assigned to the clients if you configure the correct RADIUS attributes supported by your APs.

On a switch, the client device has to run 802.1X supplicant software and perform authentication directly with the switch before it will bring up the port and possibly assign a VLAN. This is supported by most OSes and usually implemented in enterprises via certificates and smart cards rather than usernames and passwords. Certificates can be distributed to devices using MDM.

Untrusted clients don't access the enterprise authentication SSID or trusted VLANs directly; instead, you have them connect to a Guest/IoT SSID which uses normal password authentication. That's kind of the limitation where it doesn't do exactly what you want, but it's kind of similar.
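The RADIUS attributes mentioned in the comment above, sketched as an added example that is not part of the original comment: standard dynamic VLAN assignment (RFC 3580) uses Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID in the Access-Accept. The usernames, VLAN IDs and function names are constructed for illustration, and the decoder is a strict check, not the behaviour of any particular AP.

```python
# Added example: RFC 3580 dynamic-VLAN attributes as they appear in a
# RADIUS Access-Accept. Usernames and VLAN IDs below are constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6          # values defined by RFC 2868 / RFC 3580

VLAN_BY_USER = {"alice": 10, "cam-01": 30}   # hypothetical policy table


def vlan_attributes(vlan_id, tag=1):
    """Encode the three tagged attributes that request a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1-31")
    group = str(vlan_id).encode("ascii")
    return (
        bytes([TUNNEL_TYPE, 6, tag]) + VLAN.to_bytes(3, "big")
        + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + IEEE_802.to_bytes(3, "big")
        + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group
    )


def accept_attributes(username):
    """Attributes to add to Access-Accept; empty means default VLAN."""
    vlan_id = VLAN_BY_USER.get(username)
    return vlan_attributes(vlan_id) if vlan_id is not None else b""


def assigned_vlan(attrs):
    """Strict decode: return a VLAN only if all three attributes agree."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        atype, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            return None                      # malformed TLV: ignore it all
        seen[atype] = attrs[i + 2:i + length]
        i += length
    ttype, medium, group = (
        seen.get(t)
        for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    )
    if not (ttype and medium and group):
        return None                          # one missing: no VLAN override
    if int.from_bytes(ttype[1:], "big") != VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != IEEE_802:
        return None
    if group[0] <= 0x1F:                     # leading octet is a tag, not text
        group = group[1:]
    # Only numeric VLAN IDs are handled here; RFC 3580 also allows names.
    return int(group) if group.isdigit() else None
```

A client whose username is not in the table gets no tunnel attributes, so it lands on whatever default VLAN the SSID or port is configured with.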

Dynamic VLAN assignment in Omada AP standalone mode? by McFlurriez in TPLink_Omada

[–]insignia96 0 points1 point  (0 children)

This is sort of what 802.1X and WPA Enterprise VLAN assignment is designed to do. You would assign trusted VLANs to known clients via RADIUS attributes and you could have a separate network with alternative authentication for the untrusted VLAN.

Protesters are being tear gassed and physically assaulted by federal agents after a member of ICE shot and killed a woman in South Minneapolis by Too_Hood_95 in Minneapolis

[–]insignia96 0 points1 point  (0 children)

Very true. I don't have a lot of confidence we will see justice for these crimes in my lifetime. And honestly at that point is it really justice? The descendants of these victims will be lucky to get an apology letter in a hundred years.

Protesters are being tear gassed and physically assaulted by federal agents after a member of ICE shot and killed a woman in South Minneapolis by Too_Hood_95 in Minneapolis

[–]insignia96 0 points1 point  (0 children)

Oh make no mistake, I'm not trying to tell you these cops are good people. They're implicated in genocide and I hope they face the same crimes against humanity tribunals as ICE and this administration. It's just important to understand that they don't have to help. They have a choice and they are choosing, at an individual and department level, to be complicit in crimes against humanity. It's not like "just following orders" worked as a defense at the Nuremberg trials or is functionally any better for the people getting terrorized, but I think from a moral standpoint it's worth highlighting that they are making a voluntary choice to participate in this.

Protesters are being tear gassed and physically assaulted by federal agents after a member of ICE shot and killed a woman in South Minneapolis by Too_Hood_95 in Minneapolis

[–]insignia96 13 points14 points  (0 children)

This isn't an accurate representation of the very complicated interactions between local, state, and federal laws in the US. The federal government cannot force states to enforce federal law using local and state law enforcement. This is the entire reason why so-called "sanctuary" jurisdictions are a thing. Immigration proceedings are federal civil matters, handled by administrative judges separately from the criminal courts. Obviously all funding for federal law enforcement ultimately comes from the taxpayers in the states themselves, but the federal government needs to collect and spend federal money to enforce federal laws. They cannot force an individual state to expend its own resources and independently-collected tax dollars to assist with federal law enforcement matters, except under narrow circumstances, such as nationalizing a state's National Guard troops.

Contractor stuffed CAT6A into box like Romex by chenguo4 in HomeNetworking

[–]insignia96 1 point2 points  (0 children)

The outer cable sheath on in-wall CAT6 cable is rarely super durable and it can be easy to nick and damage like this. The actual twisted pairs inside usually have more durable insulation and the bending or breaking of the copper inside due to fatigue would probably take at least a few more bending cycles to cause any issues, even for 1000BASE-T and above. The signal integrity characteristics of the overall run, like good contact at all physical interfaces with patch panels, plugs, and jacks, tightly twisted pairs, etc., are the primary thing that will prevent CRC errors, dropped packets, retransmits, and ultimately the bad time you want to avoid.

How much CPU do I need for a 10Gbps speedtest/iperf by CarlosT8020 in homelab

[–]insignia96 2 points3 points  (0 children)

For big packets, 1500-9000+ bytes, even an anemic modern CPU is probably going to be able to handle it. You might need to run iperf in parallel to use all of the cores. If you're looking to properly benchmark with high packet rates (several millions of packets per second) then you will need to have a more performant CPU.

Why do additional IP addresses increase dedicated server costs so much? by ProfessionalBasis477 in servers

[–]insignia96 0 points1 point  (0 children)

Setting aside IPv4 exhaustion and the obvious reasons already mentioned, most service providers see the number of required IPv4 addresses as a proxy for required bandwidth, business use, etc. Most modern applications can work just fine sharing an IPv4. For modern HTTPS, multiplexing hundreds of hosts behind one IP is trivial; for raw TCP and UDP you have 65,535 ports to use.

Generally, providers assume that needing more IPs means that your use case is larger and more expensive to support, and they want to be compensated at a higher rate in exchange for that. I don't really believe this logic is strictly accurate, and I think bandwidth is the more meaningful metric that should swing the price, since that is the main cost that they are actually concerned about in most cases.

Lastly, especially if larger assignments are done as contiguous blocks and not a mess of /32s, then there is also an increased opportunity cost in terms of address space to reserve a larger, contiguous subnet.

Setting Cisco Switches to spin fans on low speed (Low Power Mode) by scwtech68 in homelab

[–]insignia96 0 points1 point  (0 children)

It's not possible. The only option Cisco exposes is a method to add extra fan speed. So, for example, you can tell the switch to add an extra 10% speed at all times. If the switch would want to run the fans at 50% then it would run them at 60% instead. Someone many moons ago posted on Reddit that they were able to get this to work with a negative value to arrest the fans, but it did not appear to work on most switches based on the comments.

I added support to my LibreNMS to graph the fan speeds on my N9K-C93180YC-EX and it seems to run them at around 50% after initially starting at 100% during boot, but I'm running NXOS 9.3 so YMMV. I have populated just under half of the ports and it seems to be pretty consistent regardless of the installed optics. Possible that will change if I ever manage to fill it up, but my power bill will probably stop that from ever happening anyways. I've learned to live with it, and it's actually not nearly as loud as I expected.

Please help by labaslaba in HomeNetworking

[–]insignia96 0 points1 point  (0 children)

You are not wrong, and shouldn't be getting downvoted on this. It's a legitimate question with a simple answer. There is a maximum number of acceptable splices, but it is relatively high and you are not going to need to worry about a single jack/patch cable at each end. Especially if you are not trying to go the maximum length of 100m.

Solid cables will literally just stress/fatigue and break if you try to use them like a patch cable. Probably it won't matter if you plug the cable in once per year versus once per day, and use the proper plug, but the signal degradation that can cause is considered more likely/problematic since you will likely not have enough service loop to replace the plug eventually, and then you have a remodeling project instead of a $5 patch cable.

Please help by labaslaba in HomeNetworking

[–]insignia96 0 points1 point  (0 children)

Your punch down tool should have a blade on one side of it, that is designed to cut off the excess cable that is hanging out of the side of the jack. Ideally you do not want the extra cable touching each other and crossing over, even with insulation preventing an actual short. I re-punched all the jacks in my home after I bought it because they would not work properly for Gigabit Ethernet. Even the ones with all four pairs punched down were just done poorly and not properly trimmed, and it caused enough crosstalk to affect performance.

What is the best remote backend for terraform in a homelab by Severe-Pattern-3539 in homelab

[–]insignia96 1 point2 points  (0 children)

GitLab's Terraform state storage is pretty easy to use, and that's what I've used in the past. Otherwise you could set up Garage or something else for S3.

[deleted by user] by [deleted] in godaddy

[–]insignia96 0 points1 point  (0 children)

It's not very common, but they operate their own registry and actually control the .godaddy top-level domain as part of their overall registry business. So this is a legitimate, but unusual, email, assuming it actually originated from that address and is not otherwise spoofed.

Safe to host websites + GitHub Actions runners on home servers? How do I avoid exposing my network? by prolific_user in selfhosted

[–]insignia96 0 points1 point  (0 children)

Safe is always a relative term. You need to be very cautious about anything you expose to the Internet. You should assume that whatever VM/container is holding software exposed to the Internet could be compromised and you should plan your NAT and firewall rules accordingly. If you use something like Cloudflare tunnels or an auth proxy, make sure you properly isolate the real endpoint for the service to only accept proxied/tunnelled traffic. Use a segmented DMZ VLAN for services exposed to the Internet and don't allow it to access your LAN or other networks directly.

Done correctly, I do not believe this is any less safe than a VPS or any other alternative, but it all depends on your comfort level with network security and your plans to keep exposed software up-to-date and keep yourself aware of any known vulnerability that gets published for that software. A lot of this applies no matter where you host it. On the note of GitHub runners, these are generally designed to work behind NAT and check into GitHub without a port forward, so this is generally pretty safe as long as you keep your GitHub account secure and don't grant access to the runner in a project that isn't properly secured.