sync: auto-sync from HOWARD-HOME at 2026-06-24 17:37:00
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-24 17:37:00
@@ -112,13 +112,31 @@ Notable: three `98:17:3c:*` devices clustered on one AP at strong signal (-39/-4
|
||||
| Laptop3 | c0:35:32:66:46:af | 192.168.2.156 | caregiver |
|
||||
| Laptop4 | 70:08:94:90:26:85 | 169.254.1.9 | caregiver (APIPA — DHCP issue, check) |
|
||||
|
||||
### Printers (11) — we reconfigure to the staff/internal network
|
||||
Canon: `canona93684` (9c:50:d1, .2.67), `canoncbdf73-2` (10:98:c3, .3.232), `canonfb04b5`
|
||||
(80:a5:89, .3.227), `Canonf46423` (20:0b:74, .3.52).
|
||||
Brother: `brwc8a3e8dc60fd` (.3.10, 5 GHz), `BRW2C9C5828EC9E` (.3.44), `BRWC8A3E8A2DD9E` (.2.53),
|
||||
`brw283a4d1ad571` (.2.75), `brw5cea1d4e96af` (.2.145), `brw90324b15f558` (.3.88).
|
||||
Epson: `EPSON822B7A` (dc:cd:2f, .2.147).
|
||||
(10 of 11 are on 2.4 GHz — these drop on a 5 GHz-only flip; relocate first.)
|
||||
### Printers (11) — relocate to CSCNet (keeps 2.4 GHz). 2.4-only band assessment
|
||||
|
||||
CSC ENT is going 5 GHz-only, so every printer here moves to **CSCNet** (which retains 2.4+5) — the
|
||||
2.4-only ones *require* it. **Operationally the action is identical for all 11** (all -> CSCNet);
|
||||
the model lookup below only labels which physically cannot do 5 GHz.
|
||||
|
||||
| Hostname | MAC | IP | Brand | Now on | Band capability | Model |
|
||||
|---|---|---|---|---|---|---|
|
||||
| brwc8a3e8dc60fd | c8:a3:e8:dc:60:fd | 192.168.3.10 | Brother | **5 GHz** | **DUAL-BAND (confirmed — it's on 5 GHz)** | TBD |
|
||||
| BRW2C9C5828EC9E | 2c:9c:58:28:ec:9e | 192.168.3.44 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
|
||||
| BRWC8A3E8A2DD9E | c8:a3:e8:a2:dd:9e | 192.168.2.53 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
|
||||
| brw283a4d1ad571 | 28:3a:4d:1a:d5:71 | 192.168.2.75 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
|
||||
| brw5cea1d4e96af | 5c:ea:1d:4e:96:af | 192.168.2.145 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
|
||||
| brw90324b15f558 | 90:32:4b:15:f5:58 | 192.168.3.88 | Brother | 2.4 | likely 2.4-only (SOHO) | TBD |
|
||||
| canona93684 | 9c:50:d1:aa:f8:9a | 192.168.2.67 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
|
||||
| canoncbdf73-2 | 10:98:c3:da:33:80 | 192.168.3.232 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
|
||||
| canonfb04b5 | 80:a5:89:f6:71:9b | 192.168.3.227 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
|
||||
| Canonf46423 | 20:0b:74:b2:29:08 | 192.168.3.52 | Canon | 2.4 | likely 2.4-only (PIXMA-class) | TBD |
|
||||
| EPSON822B7A | dc:cd:2f:82:2b:7a | 192.168.2.147 | Epson | 2.4 | likely 2.4-only (WorkForce-class) | TBD |
|
||||
|
||||
**Status:** 1 confirmed dual-band (it's literally on 5 GHz); 10 on 2.4, brand patterns suggest
|
||||
2.4-only, but **models not yet confirmed** — the authoritative probe (CS-SERVER `Get-Printer`
|
||||
DriverName + per-IP HTTP/SNMP) was **blocked 2026-06-24** by loss of the Howard-Home -> 172.16.3.x
|
||||
network path (RMM/UOS/coord all unreachable). Re-run when connectivity returns to fill `Model` +
|
||||
confirm 2.4-only. Bottom line unaffected: all 11 -> CSCNet.
|
||||
|
||||
---
|
||||
|
||||
|
||||
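Review bot: The new heading sends all 11 printers to CSCNet where the removed heading sent them to the staff/internal network, and the hunk does not say what else shares CSCNet or who can reach the printers there. State the intended reachability next to the table (which clients may print, and whether the printers' HTTP/SNMP management interfaces are restricted). Also turn the `Model` = TBD column and the Laptop4 APIPA "check" into tracked follow-ups with an owner, since the status paragraph only says to re-run "when connectivity returns".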
@@ -40,10 +40,18 @@ WiFi5 and is the correct network for them to use."*). This plan formalizes and e
|
||||
|
||||
- **Helpany is WPA2-only** — explicitly **NOT** WPA3 or hybrid WPA2/WPA3 (*"we don't support
|
||||
hybrid, only WPA2"*). The device SSID must stay WPA2-PSK.
|
||||
- **5 GHz has shorter range** than 2.4 GHz. Both vendors warn: a device with weak 5 GHz signal
|
||||
will fall back to 2.4 GHz or be orphaned. **Per-room 5 GHz coverage must be verified before
|
||||
transitioning** (Cascades is 6 floors with steel hallway walls). Leave any weak-signal device
|
||||
on 2.4 rather than force it.
|
||||
- **Neither vendor can pin a device to 5 GHz from their side** (confirmed: Poly/Vertical AND
|
||||
Helpany support, 2026-06-24). The handsets/Pauls choose the band themselves, and band steering
|
||||
doesn't hold them. **Therefore a 5 GHz-only SSID (2.4 disabled) is the ONLY mechanism** — you
|
||||
remove 2.4 as an option so the device has nowhere else to associate. This is the whole basis of
|
||||
the plan.
|
||||
- **Consequence — 5 GHz coverage is now a HARD GATE, with no safety net.** On a 5 GHz-only SSID
|
||||
there is **no 2.4 fallback**: a Paul/phone in a weak-5 GHz spot will simply **fail to connect**
|
||||
(not drop to 2.4). 5 GHz has shorter range and Cascades has steel walls. So per-room 5 GHz
|
||||
coverage must be **verified and remediated** (AP placement/power/channel) BEFORE cutover — you
|
||||
cannot "leave a weak device on 2.4," because 2.4 won't exist on this SSID. The 42 Pauls already
|
||||
holding 5 GHz prove coverage in those spots; the **26 Pauls currently on 2.4** (+ any 2.4 phones)
|
||||
are the risk set to survey first.
|
||||
- **Reprogramming is painful on Helpany's side** — they can't reach offline devices, and key
|
||||
rotations need **72 h notice + the new key**. The SSID/password must be right and stable.
|
||||
- **Helpany bandwidth is negligible:** < 0.04 Mbps per Paul device; whole fleet ~0.38 Mbps low /
|
||||
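Review bot: The new "HARD GATE" bullet requires per-room 5 GHz coverage to be "verified and remediated" but gives no pass criterion, so the gate cannot be signed off objectively. Add a minimum signal level per device location and say who records the result. Also name the rollback (re-enabling 2.4 on the SSID) for a Paul that fails to connect after cutover, since this bullet removes the earlier "leave any weak-signal device on 2.4" escape.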
@@ -107,17 +115,28 @@ are the visible-impact set — they need a relocation/reconnection plan before t
|
||||
|
||||
## Execution sequence
|
||||
|
||||
0. **Evacuate the ~79 non-Helpany clients off CSC ENT** to their correct networks (staff -> CSCNet/
|
||||
INTERNAL via domain migration; printers -> internal; resident TVs/IoT/phones -> CSCNet resident
|
||||
PPSK or a dedicated resident SSID). Complete the registry with `stat/alluser` first so offline
|
||||
resident TVs aren't missed. **This is the gating sub-project** — see the inventory doc.
|
||||
0. **Remove the ~79 non-Helpany clients from CSC ENT onto EXISTING networks — we do NOT build new
|
||||
VLANs for them** (scope decision, Howard 2026-06-24): staff PCs -> CSCNet/INTERNAL (domain
|
||||
migration); resident TVs/IoT/phones -> CSCNet (resident PPSK / per-room). Only the **phones and
|
||||
Helpany** get dedicated VLANs (30 / 40); internal + resident devices are simply relocated, not
|
||||
segmented.
|
||||
- **2.4-only devices must land on a 2.4-capable SSID (CSCNet), because CSC ENT is losing 2.4.**
|
||||
~10 of the 11 wireless printers are on 2.4 today and several are likely 2.4-only hardware
|
||||
(SOHO Brother/Canon) — move those to CSCNet (which keeps 2.4+5). Verify model if unsure;
|
||||
default 2.4 printers to CSCNet.
|
||||
- Complete the registry with `stat/alluser` first so offline resident TVs aren't missed. **This
|
||||
is the gating sub-project** — see the inventory doc.
|
||||
1. **Build VLAN 40** on pfSense (igc1.40, DHCP scope, DNS) + firewall egress rules above; mirror
|
||||
VLAN 30 isolation.
|
||||
2. **Enable PPSK on CSC ENT**; add keys: `Ftfd85710#` -> VLAN 40, new voice key -> VLAN 30.
|
||||
3. **[ONSITE GATE] Verify 5 GHz coverage** in the rooms where Pauls + phones live (per-floor,
|
||||
account for steel walls). Use `unifi-wifi` skill (`live-stats.sh --clients`, `watch-ap.sh`).
|
||||
4. **Flip CSC ENT to 5 GHz-only** (`apply-wlan.sh <site> bands 5g --wlan <CSC ENT>`), coordinated
|
||||
with both vendors during a change window.
|
||||
4. **Disable 2.4 GHz on CSC ENT (-> 5 GHz-only)** (`apply-wlan.sh <site> bands 5g --wlan <CSC ENT>`),
|
||||
coordinated with both vendors during a change window. **ORDER MATTERS:** 26 of the 68 Pauls (and
|
||||
any 2.4 phones) are on 2.4 today; once 2.4 is off CSC ENT there is **no 2.4 fallback** — a Paul
|
||||
with weak 5 GHz signal goes OFFLINE. So Helpany must verify 5 GHz coverage + move those 26 to
|
||||
5 GHz FIRST; only then disable 2.4. Likewise confirm no 2.4-only device (printer/IoT) is still on
|
||||
CSC ENT before flipping.
|
||||
5. **Vendors transition their devices:**
|
||||
- **Helpany** remotely moves the Pauls to 5 GHz (we hand them: SSID `CSC ENT`, key
|
||||
`Ftfd85710#` — unchanged; they confirm strong 2.4 signal per-device first).
|
||||
|
||||
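Review bot: Steps 2 and 5 carry the CSC ENT PPSK key in plaintext, and this change rewrites the surrounding steps without removing it. Replace the literal with a vault reference, as the session log does for the Windows MAK, and treat the committed value as exposed. Separately, the new step 4 says Helpany must move the 26 Pauls to 5 GHz first and only then disable 2.4, yet the vendor transition is still step 5, after the flip, and step 5 still reads "confirm strong 2.4 signal"; reorder the two steps and check whether that should say 5 GHz.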
@@ -118,6 +118,42 @@ For each area, fill the four input fields: **Responsible person**, **Estimated/a
|
||||
|
||||
---
|
||||
|
||||
## Part 6 — Cost estimates (verified via live web lookup 2026-06-24)
|
||||
|
||||
> Per ACG policy these are verified against current vendor/retail pricing, not estimated from
|
||||
> memory. Sources cited below the table. "ACG labor" draws the prepaid block (48.25 hrs @ $175/hr)
|
||||
> unless quoted as a separate project.
|
||||
|
||||
| Item | Area | Qty | Cost (verified) | Notes |
|
||||
|---|---|---|---|---|
|
||||
| R610 redundant power supply (refurb, RN442 717W) | Hardware / DR | 1 | **~$99 one-time** | Restores lost PSU redundancy; cheap, do soon |
|
||||
| Enterprise SSD 480 GB (Samsung PM893) | Hardware | 2 | **~$320–350 (already purchased)** | Sunk cost; planned install on a maintenance window |
|
||||
| **M365 Business Premium relicense (31 users)** | Software | 31 | **likely $0 new spend** | Our records show 31 Premium seats already owned + free; reassign the 31 suspended-Standard users to them and drop Standard. If those seats are NOT a paid subscription: $22/user/mo = **$682/mo (~$8,184/yr)**. **Verify subscription status.** |
|
||||
| Windows Home → Pro upgrade | Software | 5 | **~$495** (~$99/device; ACG to source via CSP, may be lower) | Howard handling keys |
|
||||
| Replacement workstations (OptiPlex i5 / 16 GB / 512 NVMe, Win 11 Pro) | Hardware | 2 | **~$1,400–1,900** (~$700–950 ea) | Lupe Sanchez EOL + spare for new hire (#32194) |
|
||||
| Break-glass FIDO2 YubiKeys (5-series) | Confidentiality | 2 | **~$110** (already ordered per records) | Approximate |
|
||||
| Azure audit-log retention (Log Analytics 90 d + 6 yr archive) | Security | — | **~$50–120/mo** consumption (log-volume dependent) + one-time ACG build | Firm up after measuring actual audit-log volume |
|
||||
| Managed antivirus, all devices incl. server | Virus protection | — | **Included in existing ACG Bitdefender managed security** + ACG labor to enroll server / remove legacy Datto agents | **Client (Mike) is deploying AV** |
|
||||
| DR written plan + system-image confirm + restore test | DR | — | **ACG labor (prepaid block)** | Restore test **deferred** per client (revisit after AV + basic items) |
|
||||
| Security risk assessment (dated package) + file-share audit logging | Security | — | **ACG labor (prepaid block); no license cost** | |
|
||||
| **Long-term server replacement (PowerEdge T360-class)** | Hardware / DR | 1 | **~$4,000–7,000 configured (formal quote required)** | Depends on spec + Windows Server licensing + CALs; separate project |
|
||||
|
||||
**One-time hardware/licensing subtotal (excludes the optional server replacement):**
|
||||
~$2,300–2,950, of which ~$320–350 (the SSDs) is already spent. Plus ~$50–120/mo Azure. The
|
||||
server replacement is a separate ~$4–7k project to quote when you're ready.
|
||||
|
||||
**Pricing sources (2026-06-24):**
|
||||
[M365 Business Premium $22/user/mo](https://www.microsoft.com/en-us/microsoft-365/business/microsoft-365-plans-and-pricing) ·
|
||||
[M365 July 2026 price changes (Premium unchanged)](https://www.stmicro.net/blog/microsoft-365-price-increase-2026/) ·
|
||||
[Samsung PM893 480 GB ~$160–175](https://www.marigoldsystems.com/products/b-samsung-pm893-480gb-enterprise-sata-ssd-1dwpd-b) ·
|
||||
[Windows 11 Home→Pro upgrade ~$99](https://learn.microsoft.com/en-us/answers/questions/3923910/how-much-does-it-cost-to-upgrade-to-windows-11-pro) ·
|
||||
[Azure Log Analytics $2.30/GB ingest, ~$0.10/GB/mo retention, ~$0.02/GB/mo archive](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs) ·
|
||||
[Dell R610 717W redundant PSU refurb ~$99](https://store.flagshiptech.com/dell-poweredge-r610-redundant-power-supply-717w-rn442/) ·
|
||||
[Dell PowerEdge T360 tower (from ~$1,900 base)](https://www.dell.com/en-us/shop/servers-storage-and-networking/poweredge-t360/spd/poweredge-t360/pe_t360_tm_vi_vp_sb) ·
|
||||
[Dell OptiPlex business desktop i5/16 GB](https://www.dell.com/en-us/shop/desktop-computers/optiplex-tower/spd/optiplex-7020t-desktop)
|
||||
|
||||
---
|
||||
|
||||
## What we do once you return this
|
||||
1. Build the final **CARF Technology and System Plan** (Cascades-branded, ACG as preparer) in CARF
|
||||
action-document format, complete with your owners/costs/dates.
|
||||
|
||||
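Review bot: The M365 row states "31 Premium seats already owned + free", but the session log added in this same commit reports SPB at 34 enabled, 6 consumed, 28 free and a 3-seat shortfall, so the "likely $0 new spend" figure needs the same caveat. Also, the one-time rows as listed (PSU, SSDs, Home to Pro, workstations, YubiKeys) sum to roughly $2,424 to $2,954, so the "~$2,300" low end should either be corrected or note the assumed CSP discount.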
@@ -295,3 +295,52 @@ before the 5×$99 Cascades invoice.
|
||||
- Vault: `infrastructure/windows-pro-mak` (credentials.product_key), `clients/cascades-tucson/meredith-kuhn`.
|
||||
- Generic Pro key VK7JG-NPHTM-C97JM-9MPGT-3V66T (edition flip); MAK in vault (activation).
|
||||
- Cron job ad0a56a9 @ 18:00 2026-06-24.
|
||||
|
||||
---
|
||||
|
||||
## Update: 17:36 PT — M365 relicense assessment (Workstream 4): seat shortfall + cleanup opportunity
|
||||
|
||||
### Session Summary (continued)
|
||||
|
||||
Started the plan's Workstream 4 (M365 relicense) remotely. Pulled the LIVE license state via the
|
||||
remediation-tool (investigator/Graph token, tenant 207fa277-e9d8-4eb7-ada1-1064d2221498) before
|
||||
touching anything. The plan's "relicense 31 Standard->Premium" is **blocked by a 3-seat shortfall**
|
||||
and surfaced a licensing-cleanup opportunity.
|
||||
|
||||
**Live SKU state:** SPB (Business Premium) Enabled 34 seats, 6 consumed -> **28 free**.
|
||||
O365_BUSINESS_PREMIUM (the legacy-named "Business Standard") **SUSPENDED**, **31 users still
|
||||
assigned**. Also EXCHANGE_S_ESSENTIALS SUSPENDED with 5 users (separate cleanup). AAD_PREMIUM_P2
|
||||
suspended (1).
|
||||
|
||||
**Per-user overlap (decisive):** all **31** Standard users, and **0 of them already hold SPB** -> all
|
||||
31 need a NEW SPB seat. 31 needed vs 28 free = **3 short** for a straight 1:1 migration.
|
||||
|
||||
**Cleanup opportunity:** ~8 of the 31 are shared/role accounts (accounting@, accountingassistant@,
|
||||
frontdesk@, hr@, security@, memcarereceptionist@, boadmin@, Training@, dax.howard@?) that likely
|
||||
should be UNLICENSED shared mailboxes, not $22/mo Premium users. The 22 clearly-real people fit in
|
||||
the 28 free seats with room to spare -> converting the true shared mailboxes to unlicensed both
|
||||
removes the shortfall AND drops ~8 paid licenses. Caveat: any "shared" account that is actually an
|
||||
interactive login (e.g. frontdesk@ / memcarereceptionist@ signing into shared reception PCs) must
|
||||
keep a license (shared mailboxes can't sign in). Presented both paths to Howard; **awaiting his
|
||||
decision** on which flagged accounts are shared mailboxes vs login accounts (path 1, recommended) vs
|
||||
buy 3 more SPB seats (path 2). Nothing changed — assessment only.
|
||||
|
||||
### Key Decisions (continued)
|
||||
- Did NOT bulk-assign SPB — live data showed a 3-seat shortfall the wiki/plan didn't capture; a blind
|
||||
"assign 28, strand 3" would be wrong. Surfaced the shared-mailbox cleanup as the better fix.
|
||||
|
||||
### Configuration Changes (continued)
|
||||
- No changes this segment (read-only M365 license assessment).
|
||||
|
||||
### Pending / Incomplete Tasks (continued)
|
||||
- **M365 relicense (Workstream 4) — BLOCKED on Howard's decision:** path 1 (unlicense the true shared
|
||||
mailboxes among accounting@/accountingassistant@/frontdesk@/hr@/security@/memcarereceptionist@/
|
||||
boadmin@/Training@/dax.howard@, then assign SPB to the 22 real people — fits 28 free) vs path 2
|
||||
(buy 3 more SPB, migrate all 31 as-is). Then execute via user-manager tier.
|
||||
- **5 users on suspended EXCHANGE_S_ESSENTIALS** — assess/clean up next.
|
||||
- 6PM cron ad0a56a9 (Home->Pro) still pending its fire.
|
||||
|
||||
### Reference Information (continued)
|
||||
- SKU IDs: SPB cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46; O365_BUSINESS_PREMIUM (Standard, suspended) f245ecc8-75af-4f8e-b61f-27d8114de5f3; EXCHANGE_S_ESSENTIALS e8f81a67-bd96-4074-b108-cf193eb9433b.
|
||||
- 22 real people on Standard needing SPB: Allison Reibschied, Shelby Trozzi, Alyssa Brooks, Ashley Jensen, Christina DuPras, Christine Nyanzunda, Crystal Rodriguez, JD Martin, Jodi Ramstack, John Trozzi, Karen Rossini, Lauren Hasselman, Lois Lane, Lupe Sanchez, Matthew Brooks, Megan Hiatt, Meredith Kuhn, Ramon Castaneda, Sharon Edwards, Susan Hicks, Tamra Matthews, Veronica Feller.
|
||||
- Tenant 207fa277-e9d8-4eb7-ada1-1064d2221498 (cascadestucson.com).
|
||||
|
||||
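Review bot: The cleanup paragraph says "~8 of the 31" shared/role accounts but lists nine addresses, and 31 minus the 22 named people is also nine. Fix the count and resolve the "dax.howard@?" entry so the seat math (22 into 28 free) is unambiguous. For the shared-versus-login decision, record the evidence used per account (for example recent interactive sign-ins for frontdesk@ and memcarereceptionist@) rather than leaving it to recollection. Consider whether the tenant ID and the full staff name list need to live in an auto-synced notes file rather than the vault.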