From 60bfb314b8b4b2531ec7089c62a5e1441bee5af1 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Fri, 19 Jun 2026 10:53:51 -0700 Subject: [PATCH] wiki+log: cascades voice VLAN migration COMPLETE (38 devices); band-selection diagnosis; Vertical 5GHz-lock handoff (pending) --- ...migration-complete-and-vertical-handoff.md | 92 +++++++++++++++++++ wiki/clients/cascades-tucson.md | 18 ++-- wiki/index.md | 2 +- 3 files changed, 104 insertions(+), 8 deletions(-) create mode 100644 clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-voice-vlan-migration-complete-and-vertical-handoff.md diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-voice-vlan-migration-complete-and-vertical-handoff.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-voice-vlan-migration-complete-and-vertical-handoff.md new file mode 100644 index 00000000..a8adf62c --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-voice-vlan-migration-complete-and-vertical-handoff.md 
@@ -0,0 +1,92 @@ +# Cascades — voice VLAN migration COMPLETE (29/29 Poly) + per-phone diagnosis + Vertical 5 GHz handoff + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Daytime follow-on to the overnight RF optimization (see `2026-06-19-howard-cascades-rf-night-capstone.md` +and `...-5ghz-dfs-datadriven-applied.md`). Three things got done: (1) finished the voice VLAN migration — +every Poly handset is now on VLAN 30; (2) re-centered on the actual goal (clean voice calls) with a +per-phone diagnosis, which revealed the residual problem is band selection, not RF; (3) handed the band +fix to the VoIP vendor (Vertical) via a 5 GHz-only request, now pending their response. + +**Voice VLAN migration finished.** The 6 stragglers found 2026-06-18 (Poly phones still on VLAN 20 / the +.1 net) were identified onsite by Howard and re-keyed to the voice PPSK, plus 2 phones added during the +walk: Zachary Nelson (Accounting Asst, .232), Recreation room rm132 (.233), Movie Theater 2nd-fl (.234), +Library 4th-fl (.235), Bistro (.236), John Trozzi rm422 (.237), and the Kitchen server's phone. Final: +**29/29 Poly on VLAN 30 + 8/8 AudioCodes (.224-.231) + Vertical desktop (.201).** Full named inventory in +`docs/network/voice-phone-inventory.md`. + +**Per-phone voice diagnosis (the re-look Howard pushed for).** Fleet averages were misleading; the goal is +the Poly phones. Pulled live per-phone state and compared to the 2026-06-18 diagnostic. Most phones are +fine on the clean 5 GHz (Lauren .202, the worst original case, went 2.4/50% retry -> 5GHz/12%). BUT several +handsets are stuck on 2.4 GHz despite EXCELLENT signal (-50 to -60 dBm) at 36-96% retry — including two +(.209, .212) that were healthy on 5 GHz before our channel churn and got displaced to 2.4 and stuck. 
+**This is a band-selection problem, not RF/coverage — and controller-side band steering (no2ghz_oui, +already ON) is not holding the Poly fleet on 5 GHz.** No channel/power/min-rate tuning fixes which band a +phone chooses. + +**Vendor handoff.** Wrote + sent (Howard) a short request to Richard Turner (Vertical) to set the Poly +handsets to **5 GHz-only** (disable 2.4 GHz in provisioning) — the reliable fix to keep them on the clean +band. Letter: `docs/network/2026-06-19-vertical-5ghz-lock-request.md`. **Status: waiting on Vertical.** +Once pushed, the calls close out end-to-end (clean voice VLAN + clean 5 GHz band). + +Also confirmed (data-driven) that the 2.4 channel re-plan is NOT a useful lever here, and ran fleet +self-check to GREEN after pulling the b668430 baseline fixes. + +## Key Decisions + +- **5 GHz-only band lock is the #1 remaining voice action**, handled phone-side by Vertical — not more + controller tuning. Band steering is already on and isn't holding the Poly OUI (48:25:67) on 5 GHz. +- **2.4 channel re-plan: NOT worth doing.** Scan showed every 2.4 channel is 84-91% busy (external + saturation); our co-channel could go 31->7 but it's a thin slice of an already-full channel, so retry + won't move. Band-steering (already on) + the deferred min-rate raise are the only real 2.4 levers, and + even those are marginal against the external density. +- **Verify VLAN membership via the client `vlan` field, not the controller's displayed IP** — the IP field + caches/lags (the Kitchen server phone showed a stale 192.168.1.126 while actually on vlan:30). + +## Problems Encountered + +- **Misread the Kitchen server phone as off-voice** because I keyed on the controller's cached IP + (192.168.1.126) instead of its `vlan:30` field. Howard was right that it was on voice. Fix: check the + `vlan` field / pfSense lease, not the displayed IP. (Logged as the gotcha in the inventory.) 
+- **Two phones (.209, .212) regressed 5GHz->2.4** during the overnight channel churn and stuck on 2.4 — + underscoring that band selection needs the phone-side lock, not RF tuning. +- **My earlier 2.4 proposals were wrong on the facts** (proposed enabling band-steering that was already on; + proposed a min-rate value without checking it was already set to 1 Mbps). Corrected after pulling the + actual WLAN config. + +## Configuration Changes + +- **No controller config changes this session** — all reads/diagnosis. The phone re-keys were done + on-handset by Howard (voice PPSK). 29/29 Poly now on VLAN 30. +- **Docs:** `docs/network/voice-phone-inventory.md` updated to the full named 29-phone roster + completion; + `docs/network/2026-06-19-vertical-5ghz-lock-request.md` created (the Vertical letter). +- Earlier today (separate logs/commits): 2.4 power->medium + 5 GHz clean-DFS plan applied + validated; + `unifi-wifi` skill hardened (survey-report.py + data-driven channel-plan); self-check GREEN. + +## Credentials & Secrets +- No new credentials. Voice PPSK (Poly WiFi) is vaulted at `clients/cascades-tucson/wifi-voice-ppsk`. +- Used `infrastructure/uos-server-network-api-rw` (controller) + `clients/cascades-tucson/pfsense-firewall`. + +## Infrastructure & Servers +- VOICE VLAN 30 (`10.0.30.0/24`): 29 Poly (`.202-.223`, `.232-.237`) + 8 AudioCodes (`.224-.231`) + + Vertical desktop (`.201`). Controller `172.16.3.29` site `va6iba3v`. +- Poly OUI `48:25:67`; AudioCodes OUI `00:90:8f`. Band-steering `no2ghz_oui:true` on CSCNet + CSC ENT + (not holding Poly on 5 GHz). 2.4 min-rate = 1 Mbps / pref auto. 5 GHz = clean DFS 40 MHz. + +## Pending / Incomplete Tasks +- **Vertical: set Poly handsets 5 GHz-only** (request sent; awaiting Richard Turner). The last voice item. +- After Vertical pushes it: re-pull per-phone data, confirm every handset on 5 GHz + retry drops. +- Investigate `.210` anomaly (5 GHz, -65 dBm, ~64% retry on a clean channel — AP-217 or per-phone issue). 
+- (Lower priority, unchanged) 6 GHz blocked on WPA3; re-enable 3 AM AP auto-upgrade; DFS radar monitor; + MemCare min-RSSI after next week's new APs; fill the Kitchen-server/Library/Bistro display IPs on renew. + +## Reference Information +- Inventory: `docs/network/voice-phone-inventory.md`. Vertical letter: `docs/network/2026-06-19-vertical-5ghz-lock-request.md`. +- Voice-quality diagnostic (orig): `reports/2026-06-18-voice-quality-diagnostic.md`. +- Today's commits: 7ff723d (DFS plan), fb835fe (skill hardening), a5ce67b (wiki), 2a7253a (Vertical letter), + 5afe99e..a5d47be (voice inventory re-key updates). diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 18a0f7c8..94b10fef 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -84,6 +84,8 @@ sources: - clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-5ghz-attempt-and-rollback.md - clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-5ghz-dfs-datadriven-applied.md - clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-cascades-rf-night-capstone.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-19-howard-voice-vlan-migration-complete-and-vertical-handoff.md + - clients/cascades-tucson/docs/network/2026-06-19-vertical-5ghz-lock-request.md backlinks: - projects/gururmm - wiki/systems/uos-server 
@@ -226,12 +228,12 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **Config flags:** 6 APs with 2.4 min-RSSI OFF (615, 608, 505, 517, 622, salon); 4 APs off the 1/6/11 plan (128 disabled, 108 offline, 108U7 Pro auto, salon auto). - **Known hardware:** AP 108 (Floor 1) offline pending a new cable run (expected). Stale duplicate controller object ("108" vs "108U7 Pro") to clean up separately. - **Creds (vault refs only):** `infrastructure/uos-server-ssh-key` (SSH/Mongo), `infrastructure/uos-server-network-api-rw` (RW controller admin), `clients/cascades-tucson/unifi-ap-ssh` (per-AP device auth via site VPN), `clients/cascades-tucson/pfsense-firewall` (pfSense admin for pfsense-ssh.sh). -- **VoIP (vendor: Vertical -- Richard Turner ):** Two phone fleets -- **8 AudioCodes** (OUI `00:90:8f`, WIRED on USW-16-PoE ports 1-8, externally powered / PoE OFF) and **28 Poly** (OUI `48:25:67`, WiFi via CSCNet PPSK). As of 2026-06-18: all 8 AudioCodes + 22 Poly + the Vertical desktop are on VOICE VLAN 30 (31 devices); 6 Poly stragglers remain on VLAN 20/Default pending re-key. Phones confirmed marking **DSCP EF (46)** for voice (2026-06-18). The **Vertical-Remote management desktop** (`10.0.30.201`, MAC `e4:e7:49:52:3a:06`, WIRED USW-16-PoE port 16, VOICE VLAN 30, **DHCP** -- confirmed not static, LogMeIn remote access, no pfSense OpenVPN) is live on VLAN 30. No on-prem SIP PBX found -> phones appear to register to a **cloud/hosted PBX** (Vertical). -- **[2026-06-18 CUTOVER COMPLETE] Voice VLAN (VLAN 30) consolidation:** dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30, DHCP `.100-.250`, DNS `8.8.8.8/1.1.1.1`)** holding ALL phones + the Vertical desktop; internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA). Isolation rules verified via `pfctl -sr` (clone of GUEST VLAN -- the only actually-isolated net). 
Voice PPSK key on CSCNet -> VOICE: vaulted `clients/cascades-tucson/wifi-voice-ppsk`. **31 devices on VOICE as of 2026-06-18 (live inventory: `docs/network/voice-phone-inventory.md`):** +- **VoIP (vendor: Vertical -- Richard Turner ):** Two phone fleets -- **8 AudioCodes** (OUI `00:90:8f`, WIRED on USW-16-PoE ports 1-8, externally powered / PoE OFF) and **29 Poly** (OUI `48:25:67`, WiFi via CSCNet PPSK). **As of 2026-06-19 ALL on VOICE VLAN 30: 29 Poly (`.202-.223`, `.232-.237`) + 8 AudioCodes (`.224-.231`) + Vertical desktop (`.201`) = 38 devices.** Phones confirmed marking **DSCP EF (46)** for voice. (Verify VLAN membership via the controller client `vlan` field, NOT the displayed IP -- that field caches and lagged on the Kitchen-server phone.) The **Vertical-Remote management desktop** (`10.0.30.201`, MAC `e4:e7:49:52:3a:06`, WIRED USW-16-PoE port 16, VOICE VLAN 30, **DHCP** -- confirmed not static, LogMeIn remote access, no pfSense OpenVPN) is live on VLAN 30. No on-prem SIP PBX found -> phones appear to register to a **cloud/hosted PBX** (Vertical). +- **[2026-06-18 CUTOVER COMPLETE] Voice VLAN (VLAN 30) consolidation:** dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30, DHCP `.100-.250`, DNS `8.8.8.8/1.1.1.1`)** holding ALL phones + the Vertical desktop; internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA). Isolation rules verified via `pfctl -sr` (clone of GUEST VLAN -- the only actually-isolated net). Voice PPSK key on CSCNet -> VOICE: vaulted `clients/cascades-tucson/wifi-voice-ppsk`. **Migration COMPLETE 2026-06-19: 38 devices on VOICE (29 Poly + 8 AudioCodes + Vertical desktop). Live inventory: `docs/network/voice-phone-inventory.md`:** - Vertical-Remote desktop (port 16): DONE -- `10.0.30.201`. Re-VLANing a wired port requires bouncing the link (port disable/enable via controller API using CSRF token); a UniFi client block/unblock is MAC-filter only, not a link bounce. 
- - **22 of 22 migrated Poly WiFi phones: DONE** -- re-keyed to voice PPSK, on `10.0.30.202-.223`. Dial-tone + outbound calls verified. **NOTE: the Poly fleet is actually 28, not 22** -- **6 stragglers remain off VOICE** (5 on VLAN 20 `10.0.20.64/.65/.66/.67/.195`, one on `192.168.1.126`; `.20.66` Dining Room at 35% retry); re-key these to the voice PPSK so all phones are isolated + get voice QoS. + - **ALL 29 Poly WiFi phones: DONE (2026-06-19)** -- on `10.0.30.202-.223` + `.232-.237`. The 6 stragglers found 2026-06-18 (on VLAN 20 / the .1 net) were identified onsite by Howard + re-keyed to the voice PPSK, plus 2 phones added during the walk. Named per-phone roster in `docs/network/voice-phone-inventory.md` (Zachary Nelson .232, Recreation room .233, Movie Theater .234, Library .235, Bistro .236, John Trozzi rm422 .237, Kitchen server). A phone landing back on the .1 net = it got the regular CSCNet key, not the voice PPSK. - **8 AudioCodes (wired, USW-16-PoE ports 1-8): ALL DONE** -- on `10.0.30.224-.231`. **Gotcha: AudioCodes are externally powered (PoE OFF on those ports), so a UniFi PoE power-cycle AND a controller port disable/enable are both no-ops -- they held their old main-LAN DHCP leases. Required a full physical power-off/on** before they re-DHCP'd onto VOICE. - - **Quality caveat:** the VLAN move gives isolation + enables QoS but does NOT by itself fix call quality -- the dropped-calls/voice-breaks complaints are an **RF problem on the WiFi (Poly) phones** (the wired AudioCodes are clean). See the Wireless / Voice QoS patterns and the 2026-06-18 voice-quality diagnostic. + - **Quality caveat + the actual fix (2026-06-19):** the VLAN move does NOT by itself fix call quality. 
Per-phone re-look found the residual dropped-calls are a **band-selection problem, not RF/coverage** -- several Poly handsets sit on the saturated 2.4 GHz despite EXCELLENT 5 GHz-capable signal (-50 to -60 dBm, 36-96% retry), and controller band-steering (`no2ghz_oui`, already ON) is NOT holding the Poly OUI on 5 GHz. **No controller channel/power/min-rate tuning fixes which band a phone picks.** The fix is phone-side: **set the Poly handsets to 5 GHz-only via Vertical** -- request sent to Richard Turner 2026-06-19 (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), **awaiting Vertical**. Once pushed: clean voice VLAN + clean 5 GHz band = calls closed out. - **Full runbook:** `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`. Live inventory: `docs/network/voice-phone-inventory.md`. Voice-quality diagnostic: `reports/2026-06-18-voice-quality-diagnostic.md`. Holistic optimization plan: `docs/network/network-optimization-master-plan.md`; voice QoS design: `docs/network/phase1-voice-qos-design.md`. ### External Vendors & Mail Senders 
@@ -469,7 +471,7 @@ Full plan: `docs/network/network-optimization-master-plan.md`. Goal: fix the *sy - **Backup gap closed (2026-06-15):** Mike installed ACG cloud backup (MSP360/CloudBerry -> ACG-backup server) on CS-SERVER. Verify first full backup completes and set retention; confirm image-based / bare-metal + system-state for DC recoverability. - **Restored 7 deleted mailboxes (2026-04-25)** for HIPAA SS164.316(b)(2) 7-year retention. - **Termination policy established:** Convert to shared mailbox, hide from GAL, retain 7 years. -- **Voice VLAN 30 (HIPAA-isolated):** All voice gear (phones + Vertical desktop) migrated to an isolated network with internet/cloud-PBX egress only; blocked from PHI/LAN/VLAN20/mgmt. **Cutover complete 2026-06-18: 31 devices on VOICE (8 AudioCodes + 22 Poly + desktop);** 6 Poly stragglers still on VLAN 20/Default pending re-key. +- **Voice VLAN 30 (HIPAA-isolated):** All voice gear (phones + Vertical desktop) on an isolated network with internet/cloud-PBX egress only; blocked from PHI/LAN/VLAN20/mgmt. **Migration COMPLETE 2026-06-19: 38 devices on VOICE (29 Poly + 8 AudioCodes + desktop).** --- 
@@ -481,8 +483,9 @@ Syncro live pull 2026-06-18: **0 open tickets.** No hours drawn from the 2026-06 - **[URGENT] Order replacement workstation for Lupe Sanchez (DESKTOP-TRCIEJA).** Decision made 2026-06-18. EOL Gateway ZX6971 / i3-2120 / 8 GB / Win11-unsupported. On new machine: provision GuruRMM + Bitdefender only; do NOT carry over the Datto stack. - **[URGENT] Rotate exposed Synology Cloud Signin Portal credential.** Vault commit 1fbc0e1 committed it plaintext; encrypted go-forward but credential is exposed in git history. Also verify MDM service account + WiFi CSCNet from that same commit were never plaintext. -- **[DONE 2026-06-18] Voice VLAN (VLAN 30) cutover -- 31 devices on VOICE** (8 AudioCodes `.224-.231` + 22 Poly `.202-.223` + Vertical desktop `.201`). AudioCodes needed a physical power-off/on (externally powered; PoE/controller bounce was a no-op). **Remaining:** re-key the **6 Poly stragglers** still on VLAN 20/Default (`10.0.20.64/.65/.66/.67/.195`, `192.168.1.126`) to the voice PPSK. -- **[PENDING - voice quality] Dropped-calls/voice-breaks are an RF problem on the WiFi (Poly) phones, not the VLAN move.** 14 phones flagged 2026-06-18; worst Lauren `.202` (was 2.4GHz/50% retry -> locked to AP 103) and Shelby `.218` (2.4GHz/53%, MemCare -- deferred). Coverage gaps rooms 515/210/204. Fixes (none applied): voice QoS (#1), force voice phones off 2.4 GHz (#2), coverage/min-RSSI (#3), migrate 6 stragglers (#4), 5 GHz width/channel (#5). Diagnostic: `reports/2026-06-18-voice-quality-diagnostic.md`. +- **[DONE 2026-06-19] Voice VLAN (VLAN 30) migration COMPLETE -- 38 devices on VOICE** (29 Poly `.202-.223`+`.232-.237`, 8 AudioCodes `.224-.231`, Vertical desktop `.201`). All Poly stragglers + 2 onsite-added phones re-keyed by Howard. RF optimized too (2.4 power->medium, 5 GHz on clean DFS, 5G retry halved). 
+- **[WAITING ON VERTICAL - the last voice item] Set Poly handsets to 5 GHz-only.** The residual dropped-calls are a band-selection problem: phones sit on saturated 2.4 GHz despite strong 5 GHz-capable signal, and controller band-steering (already on) won't hold the Poly fleet on 5 GHz. Phone-side 5 GHz lock is the fix -- request sent to Richard Turner 2026-06-19 (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), **awaiting their response**. After they push it: re-pull per-phone data + confirm all on 5 GHz. (Lauren `.202`, the worst original case, already went 2.4/50% -> 5GHz/12% from the RF work.) +- **[INVESTIGATE] Phone `.210`** -- on 5 GHz at -65 dBm (good signal) but ~64% retry on a clean channel; anomalous (AP-217 or per-phone), separate from the band-selection issue. - **[PENDING - build] Voice QoS for VLAN 30** (pfSense HFSC 3-queue on both WANs matching `10.0.30.0/24` + UniFi WMM/switch QoS). Design done, not built (Howard drives pfSense GUI). Blocker for sizing: the WAN2 coax upload number. QoS is insurance (WAN has headroom); RF is the everyday fix. Design: `docs/network/phase1-voice-qos-design.md`. - **[PENDING - execute] Network optimization master plan (floors 1-4; MemCare deferred).** Sequenced P1 QoS -> P2a enable 6 GHz on CSCNet + P2b 2.4 Low->Medium -> P3 5 GHz 40 MHz + non-DFS + relieve AP 103 -> P4 fine-tune -> P5 physical. Open relief valves before constraining; per-zone, dry-run, gated on fleet metrics. Start = P2b (baseline capture + 2.4 Low->Medium). Pending Howard's go + evening window. Plan: `docs/network/network-optimization-master-plan.md`. (Supersedes the older "Wireless RF Phase 0 + Phase 1" item below -- same work, holistic framing.) - **[PENDING] Measure WAN2 (coax) upload** -- remote source-route test failed; get from a WAN2-routed host or the Cox bill (sizes the failover voice shaper). 
@@ -582,6 +585,7 @@ Syncro live pull 2026-06-18: **0 open tickets.** No hours drawn from the 2026-06 | 2026-06-18 | **Voice VLAN 30: all 22 Poly phones migrated; network-logging spec written.** Completed the Poly cutover live -- all 22 WiFi phones re-keyed to the voice PPSK onto `10.0.30.202-.223` (per-phone location inventory in `docs/network/voice-phone-inventory.md`); first phone (Lauren Hasselman) dial-tone + outbound call verified. Vertical desktop fixed via port-16 bounce (controller API + CSRF) -> `10.0.30.201`. AudioCodes (8, wired) still pending (flip + PoE power-cycle). Separately, found the UniFi controller retains **ZERO** client events for Cascades (drop/kick history not captured) -> wrote a network-logging spec (`docs/network/network-logging-plan.md`): Synology Log Center on-site collector, pfSense+UniFi syslog sources, client snapshotter. Plan only -- build later. | | 2026-06-18 | **Voice VLAN 30 cutover COMPLETE (8 AudioCodes added); voice-quality diagnosed; holistic all-device optimization master plan built.** AudioCodes finished -- they wouldn't re-DHCP via PoE/controller bounce (externally powered, PoE off); Howard physically power-cycled all 8 -> VOICE leases `.224-.231` (31 devices total on VLAN 30). Diagnosed the dropped-calls complaints: **the VLAN move does NOT fix call quality -- it's RF on the Poly WiFi phones** (wired AudioCodes clean). 14 Poly flagged; worst Lauren `.202` (2.4GHz/50% retry -> locked to AP 103) + Shelby `.218` (2.4GHz/53%, MemCare/deferred); coverage gaps rooms 515/210/204; found 6 unmigrated Poly stragglers (fleet is 28, not 22). Built `network-optimization-master-plan.md` (open-relief-valves-before-constraining sequence: QoS -> 6 GHz on CSCNet + 2.4 Low->Medium -> 5 GHz 40 MHz/non-DFS/relieve AP 103 -> fine-tune -> physical) with interdependency map + data-driven gate framework, floors 1-4 only. 
Designed Phase 1 voice QoS (`phase1-voice-qos-design.md`: pfSense HFSC + UniFi WMM, match `10.0.30.0/24`, phones mark DSCP EF; measured WAN1 up ~522 Mbps -> QoS is insurance, RF is the substance). Rigorous DFS re-verification (0 genuine radar/~1-day window) -> **decision: NON-DFS only**. **Decision: no dedicated voice SSID** (3-SSID cap, CSC ENT still 131 clients, QoS is SSID-independent). 6 GHz root-caused dark: CSCNet not broadcasting 6g. NO live network changes applied (per-change-go rule). | | 2026-06-19 | **FIRST PRODUCTION RF OPTIMIZATION applied (autonomous 2 AM window) -- 2.4 power fix + data-driven 5 GHz DFS plan; 5 GHz retry HALVED.** Howard pre-authorized an autonomous 2 AM run. Applied + validated + KEPT: (1) **2.4 power Low/full -> MEDIUM on 47 radios** (over-thinning fix floors 1-4 + MemCare 5/6 off full power; 24 disabled stayed disabled; per-AP targeting since `--zone` re-enables disabled), non-regressive. (2) **CSCNet BSS-transition ON.** 6 GHz attempted but **BLOCKED -- `Wpa3MandatoryFor6GHzBand`** (CSCNet is WPA2/PPSK; converting the 427-client SSID is a supervised decision, deferred to Howard). A first blind non-DFS 5 GHz reshuffle (3a/3b) was tried, did NOT validate (flat retry, voice scattered to 2.4), and was ROLLED BACK. **Howard's correction: scan FIRST, decide from data.** Completed the full channel survey (74/74) -> proved **DFS channels here are 4-5x cleaner (2-3% busy) than non-DFS (ch149=12%, ch157=28%)**; the non-DFS-only decision was reversed. Built a **data-driven clean-DFS plan** (8 clean DFS 40MHz channels, per-AP cleanest + neighbor graph-color + local-search -> 0 co-channel), applied to 72 non-mesh APs (mesh excluded), nudged voice back to 5 GHz. **Result: 5 GHz retry 8.7 -> 3.8 avg (median 8.2 -> 2.1), satisfaction median 99, voice 31/31, all 72 APs holding DFS, 0 radar vacates.** Also disabled the 3 AM AP auto-upgrade (left OFF). 
**Skill hardened:** added `survey-report.py` (fleet channel-congestion analysis) + made `channel-plan.sh` palette data-driven (`--channels`/`--dfs`, load-balance + local-search) -- killed the non-DFS bias that caused the first failed attempt. | +| 2026-06-19 | **Voice VLAN migration COMPLETE (29/29 Poly) + band-selection diagnosis + Vertical 5 GHz handoff.** Howard walked the building and re-keyed all remaining Poly handsets to the voice PPSK -- the 6 stragglers found 6/18 + 2 added onsite: Zachary Nelson .232, Recreation room .233, Movie Theater .234, Library .235, Bistro .236, John Trozzi rm422 .237, Kitchen server. Full named 38-device roster in `voice-phone-inventory.md` (29 Poly + 8 AudioCodes + Vertical desktop). Per-phone re-look (goal = clean calls, not fleet averages): most phones fine on the clean 5 GHz (Lauren .202 went 2.4/50% -> 5GHz/12%), but several stuck on 2.4 despite -50 to -60 dBm signal at 36-96% retry -- a **band-selection problem, not RF**; controller band-steering (already ON) isn't holding the Poly OUI on 5 GHz. Fix is phone-side: **5 GHz-only lock via Vertical** -- letter sent to Richard Turner (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), awaiting their response = the last voice item. Also: confirmed (data) the 2.4 channel re-plan is NOT a lever (every 2.4 channel 84-91% busy externally); GOTCHA logged: verify VLAN via the client `vlan` field, not the controller's cached IP (Kitchen-server phone read stale). Self-check GREEN (pulled b668430 baseline fixes; installed dev-alerts post-commit hook). | --- diff --git a/wiki/index.md b/wiki/index.md index 0ca0533d..c9ce2f1b 100644 --- a/wiki/index.md +++ b/wiki/index.md 
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | Article | Summary | Last Compiled | |---|---|---| -| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **55.75 hrs remaining** (live 2026-06-18); senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; caregiver restricted-access model PROVEN 2026-06-05: Hybrid Entra Join + CA allow-list + ALIS SSO validated on NURSESTATION-PC/pilot.test; GPO `CSC - Caregiver Workstation` (shortcuts + printers) built + validated; GPO `CSC - Caregiver Device Lockdown` deployed (HIPAA auto-logoff, activates on reboot); INTUNE_A PendingInput tenant-wide (MS case open; GPO path used instead); folder-redirection root cause fixed 2026-06-08 (fdeploy.ini); shared mailboxes grievances@/Surveys@ created + delegated 2026-06-12 (#32417); Monday cutover to real caregivers pending; #32383 (bill.com/BOK chris.knight) Resolved; UniFi wifi RF (77 U7-Pro APs/~587 clients via UOS controller): 2.4GHz over-coverage = primary pain; pfSense ruled out as cause; Floor-4 power-down pilot applied 2026-06-16 (retry 13.2->9.5%); coverage-thin disable plan + 2.4 remediation runbook staged; DFS empirically clean; 6GHz untapped; CS-SERVER OS RAID-1 degraded 2026-06-15 (data-loss risk; cloud backup now started); Voice VLAN (VLAN 30) consolidation planned 2026-06-16 for Vertical phones + remote desktop (CSCNet confirmed a shared PPSK SSID); KPI dashboard for Ashley Jensen scoped 2026-06-17 (Power BI + SharePoint phased plan, parked); Voice VLAN 30 built + 22/22 Poly cut over 2026-06-17 (AudioCodes 0/8 pending); building power outage 2026-06-17 (pfSense on UPS surge-only side) full site down + recovered; DESKTOP-TRCIEJA (Lupe Sanchez) slow Excel diagnosed 2026-06-18 = EOL i3-2120 hardware + dual real-time AV (leftover Datto stack) -> replace machine; network-logging spec written 2026-06-18 (on-site Synology Log Center; UniFi retains 0 client events -- drop/kick 
history not captured); **RF optimized 2026-06-19** (2.4 power Low/full->Medium + 5GHz moved to clean DFS channels via data-driven scan -> 5GHz retry halved; 6GHz blocked by WPA3); Syncro 0 open tickets | 2026-06-19 | +| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **55.75 hrs remaining** (live 2026-06-18); senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; caregiver restricted-access model PROVEN 2026-06-05: Hybrid Entra Join + CA allow-list + ALIS SSO validated on NURSESTATION-PC/pilot.test; GPO `CSC - Caregiver Workstation` (shortcuts + printers) built + validated; GPO `CSC - Caregiver Device Lockdown` deployed (HIPAA auto-logoff, activates on reboot); INTUNE_A PendingInput tenant-wide (MS case open; GPO path used instead); folder-redirection root cause fixed 2026-06-08 (fdeploy.ini); shared mailboxes grievances@/Surveys@ created + delegated 2026-06-12 (#32417); Monday cutover to real caregivers pending; #32383 (bill.com/BOK chris.knight) Resolved; UniFi wifi RF (77 U7-Pro APs/~587 clients via UOS controller): 2.4GHz over-coverage = primary pain; pfSense ruled out as cause; Floor-4 power-down pilot applied 2026-06-16 (retry 13.2->9.5%); coverage-thin disable plan + 2.4 remediation runbook staged; DFS empirically clean; 6GHz untapped; CS-SERVER OS RAID-1 degraded 2026-06-15 (data-loss risk; cloud backup now started); Voice VLAN (VLAN 30) consolidation planned 2026-06-16 for Vertical phones + remote desktop (CSCNet confirmed a shared PPSK SSID); KPI dashboard for Ashley Jensen scoped 2026-06-17 (Power BI + SharePoint phased plan, parked); Voice VLAN 30 built + 22/22 Poly cut over 2026-06-17 (AudioCodes 0/8 pending); building power outage 2026-06-17 (pfSense on UPS surge-only side) full site down + recovered; DESKTOP-TRCIEJA (Lupe Sanchez) slow Excel diagnosed 2026-06-18 = EOL i3-2120 hardware + dual real-time AV (leftover Datto stack) -> replace machine; network-logging spec written 
2026-06-18 (on-site Synology Log Center; UniFi retains 0 client events -- drop/kick history not captured); **Voice VLAN migration COMPLETE 2026-06-19** (38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only). **RF optimized 2026-06-19** (2.4 power Low/full->Medium + 5GHz moved to clean DFS channels via data-driven scan -> 5GHz retry halved; 6GHz blocked by WPA3); Syncro 0 open tickets | 2026-06-19 | | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, 34.5 hrs remaining; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery + incomplete restore (files dropped across shares — migration-gap audit in progress); 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-04 SP1366 file recovery (19/20 PDFs restored from HGHAUBNER pre-attack backup); GuruRMM fleet 13→45 agents; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; Bitdefender phase-off in progress | 2026-06-04 | | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 | | [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-06-14 |
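Review bot: The device counts in the new session log (`2026-06-19-howard-voice-vlan-migration-complete-and-vertical-handoff.md`) do not reconcile, both in the "Voice VLAN migration finished" paragraph and on the "Infrastructure & Servers" line. The paragraph says 6 stragglers plus 2 added phones, which is 8 devices, but names only 7. The Poly ranges `.202-.223` and `.232-.237` cover 28 addresses against a stated total of 29. The Pending section hints at the cause (Kitchen-server/Library/Bistro display IPs still to be filled on renew), but the log should say so directly: name the eighth re-keyed handset or correct the 6+2 figure, and mark which phone has no confirmed VLAN 30 address yet. The same log records that the controller's IP field misled the Kitchen server check, so also state what evidence (the client `vlan` field or the pfSense lease) put that phone in the 29.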
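Review bot: In `wiki/clients/cascades-tucson.md`, hunk `@@ -226,12 +228,12`, the rewritten VoIP bullet drops the "(2026-06-18)" date from "Phones confirmed marking **DSCP EF (46)** for voice" while widening the claim to all 29 Poly as of 2026-06-19. The handsets re-keyed on 2026-06-19 were not on VLAN 30 when that check was made, so either keep the original date or record that the marking was re-checked on the newly moved phones. The same applies to the `pfctl -sr` isolation verification in the next bullet, which still reads as a 2026-06-18 result. That bullet also keeps the "[2026-06-18 CUTOVER COMPLETE]" tag although its body now says "Migration COMPLETE 2026-06-19", so pick one date for the tag or say what each date refers to.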
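Review bot: In `wiki/clients/cascades-tucson.md`, hunk `@@ -481,8 +483,9`, the removed "[PENDING - voice quality]" item tracked more than the two replacement items carry forward. It listed the coverage gaps in rooms 515/210/204, Shelby `.218` (2.4GHz/53%, MemCare, deferred), and a numbered fix list that included coverage/min-RSSI. None of these appear in the new "[WAITING ON VERTICAL]" or "[INVESTIGATE]" entries. If the per-phone re-look closed them, say so in one clause. Otherwise keep them as an open item, so that "the last voice item" does not read as if the coverage findings were resolved.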
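Review bot: In `wiki/clients/cascades-tucson.md`, hunk `@@ -582,6 +585,7`, the new 2026-06-19 changelog row ends with "installed dev-alerts post-commit hook", which the session log added in this same patch never mentions. That log records only the self-check going GREEN after pulling the b668430 baseline fixes, and it is the row's listed source. A post-commit hook is code that runs on every commit on the tech's machine, so record it in the session log (where it came from and on which machine), or drop it from this row if it belongs to a different session.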
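Review bot: In `wiki/index.md`, hunk `@@ -18,7 +18,7`, the inserted "**Voice VLAN migration COMPLETE 2026-06-19** (...)" clause ends with a period, while every other clause in the summary cell is separated by a semicolon. This breaks the single-sentence list style of the row. The cell also still carries "Voice VLAN 30 built + 22/22 Poly cut over 2026-06-17 (AudioCodes 0/8 pending)", which the new clause supersedes. Use a semicolon, and consider folding the older voice entry into the new one so the row does not state both a pending and a complete status for the same migration.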