From d4347bc45f0dd14a56161fd406ee6167e439fadd Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Fri, 19 Jun 2026 13:15:44 -0700 Subject: [PATCH] cascades: Kitchen server phone bad/removed; Bistro phone relocated to Kitchen; Bistro replacement pending (28 active Poly, 37 voice devices) --- .../docs/network/voice-phone-inventory.md | 17 ++++++++++------- wiki/clients/cascades-tucson.md | 9 +++++---- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/clients/cascades-tucson/docs/network/voice-phone-inventory.md b/clients/cascades-tucson/docs/network/voice-phone-inventory.md index eb3ba8da..718d309e 100644 --- a/clients/cascades-tucson/docs/network/voice-phone-inventory.md +++ b/clients/cascades-tucson/docs/network/voice-phone-inventory.md 
@@ -38,17 +38,20 @@ vault `clients/cascades-tucson/wifi-voice-ppsk`. | 10.0.30.233 | 48:25:67:64:95:62 | Poly (WiFi, CSCNet voice PPSK) | **Recreation room phone** — room 132 | On VOICE; re-keyed 2026-06-19 | | 10.0.30.234 | 48:25:67:64:8a:67 | Poly (WiFi, CSCNet voice PPSK) | **Movie Theater room phone** — 2nd floor | On VOICE; re-keyed 2026-06-19 | | 10.0.30.235 | 48:25:67:64:92:89 | Poly (WiFi, CSCNet voice PPSK) | **Library phone** — 4th floor | On VOICE; re-keyed 2026-06-19 | -| 10.0.30.236 | 48:25:67:64:94:84 | Poly (WiFi, CSCNet voice PPSK) | **Bistro phone** (Dining area) | On VOICE; re-keyed 2026-06-19 | +| 10.0.30.236 | 48:25:67:64:94:84 | Poly (WiFi, CSCNet voice PPSK) | **Kitchen server phone** (RELOCATED -- was the Bistro phone; moved to replace the bad Kitchen server phone 2026-06-19) | On VOICE; now at the Kitchen AP | | 10.0.30.237 | 48:25:67:64:93:d3 | Poly (WiFi, CSCNet voice PPSK) | **John Trozzi** — room 422 (AP 421, 4th fl) | On VOICE; new phone re-keyed 2026-06-19 | -| 10.0.30.x (IP refreshing) | 48:25:67:64:95:7a | Poly (WiFi, CSCNet voice PPSK) | **Kitchen server's phone** | On VOICE (controller `vlan:30` confirmed; cached display IP still 192.168.1.126, refreshes on next renew) | +| ~~removed~~ | ~~48:25:67:64:95:7a~~ | Poly (WiFi) | ~~Kitchen server's phone (original)~~ | **BAD / REMOVED 2026-06-19** -- John reported it defective; pulled. Its slot is covered by the relocated Bistro phone (.236). | ## Migration COMPLETE (2026-06-19) -- **Poly (WiFi): 29 of 29 on VOICE (VLAN 30).** All wireless handsets re-keyed to the voice PPSK. The 6 - stragglers found 2026-06-18 + 2 added onsite were all migrated 2026-06-19 (Zachary Nelson .232, - Recreation room .233, Movie Theater .234, Library .235, Bistro .236, John Trozzi rm422 .237, Kitchen - server). GOTCHA: the controller's per-client IP field CACHES — verify VLAN membership via the client's - `vlan` field (or pfSense lease), not the displayed IP (which lagged on the Kitchen server phone). 
+- **Poly (WiFi): 28 active on VOICE (VLAN 30).** All wireless handsets re-keyed to the voice PPSK 2026-06-19. +- **[HARDWARE CHANGE 2026-06-19] Kitchen server phone was BAD.** John (Trozzi) reported the original Kitchen + server phone (`48:25:67:64:95:7a`) defective and pulled it; he **relocated the Bistro phone (`.236`, + `48:25:67:64:94:84`) to the Kitchen** to cover it. So the **Bistro now has NO phone** -- a **replacement is + pending** (set it up + re-key to the voice PPSK when it arrives). Net active Poly = 28 (29 re-keyed, 1 + removed bad). +- GOTCHA: the controller's per-client IP field CACHES — verify VLAN membership via the client's `vlan` field + (or pfSense lease), not the displayed IP (it lagged on the Kitchen-server phone before it was swapped out). - **AudioCodes (8, wired USW-16-PoE ports 1-8): DONE** — all 8 on VOICE (`.224-.231`) after a physical power-cycle (externally powered; PoE/controller bounce is a no-op). - **Vertical mgmt desktop** (`10.0.30.201`, wired port 16): on VOICE (power it on if it shows offline). diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 94b10fef..df10d2b1 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md 
@@ -228,8 +228,8 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **Config flags:** 6 APs with 2.4 min-RSSI OFF (615, 608, 505, 517, 622, salon); 4 APs off the 1/6/11 plan (128 disabled, 108 offline, 108U7 Pro auto, salon auto). - **Known hardware:** AP 108 (Floor 1) offline pending a new cable run (expected). Stale duplicate controller object ("108" vs "108U7 Pro") to clean up separately. - **Creds (vault refs only):** `infrastructure/uos-server-ssh-key` (SSH/Mongo), `infrastructure/uos-server-network-api-rw` (RW controller admin), `clients/cascades-tucson/unifi-ap-ssh` (per-AP device auth via site VPN), `clients/cascades-tucson/pfsense-firewall` (pfSense admin for pfsense-ssh.sh). -- **VoIP (vendor: Vertical -- Richard Turner ):** Two phone fleets -- **8 AudioCodes** (OUI `00:90:8f`, WIRED on USW-16-PoE ports 1-8, externally powered / PoE OFF) and **29 Poly** (OUI `48:25:67`, WiFi via CSCNet PPSK). **As of 2026-06-19 ALL on VOICE VLAN 30: 29 Poly (`.202-.223`, `.232-.237`) + 8 AudioCodes (`.224-.231`) + Vertical desktop (`.201`) = 38 devices.** Phones confirmed marking **DSCP EF (46)** for voice. (Verify VLAN membership via the controller client `vlan` field, NOT the displayed IP -- that field caches and lagged on the Kitchen-server phone.) The **Vertical-Remote management desktop** (`10.0.30.201`, MAC `e4:e7:49:52:3a:06`, WIRED USW-16-PoE port 16, VOICE VLAN 30, **DHCP** -- confirmed not static, LogMeIn remote access, no pfSense OpenVPN) is live on VLAN 30. No on-prem SIP PBX found -> phones appear to register to a **cloud/hosted PBX** (Vertical). -- **[2026-06-18 CUTOVER COMPLETE] Voice VLAN (VLAN 30) consolidation:** dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30, DHCP `.100-.250`, DNS `8.8.8.8/1.1.1.1`)** holding ALL phones + the Vertical desktop; internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA). 
Isolation rules verified via `pfctl -sr` (clone of GUEST VLAN -- the only actually-isolated net). Voice PPSK key on CSCNet -> VOICE: vaulted `clients/cascades-tucson/wifi-voice-ppsk`. **Migration COMPLETE 2026-06-19: 38 devices on VOICE (29 Poly + 8 AudioCodes + Vertical desktop). Live inventory: `docs/network/voice-phone-inventory.md`:** +- **VoIP (vendor: Vertical -- Richard Turner ):** Two phone fleets -- **8 AudioCodes** (OUI `00:90:8f`, WIRED on USW-16-PoE ports 1-8, externally powered / PoE OFF) and **Poly** (OUI `48:25:67`, WiFi via CSCNet PPSK) -- **28 active** (29 re-keyed 2026-06-19, 1 removed bad). **All on VOICE VLAN 30: 28 Poly + 8 AudioCodes (`.224-.231`) + Vertical desktop (`.201`) = 37 devices.** Phones mark **DSCP EF (46)**. **[2026-06-19 hardware change] John (Trozzi) reported the Kitchen server phone (`48:25:67:64:95:7a`) BAD and pulled it; the Bistro phone (`.236`, `48:25:67:64:94:84`) was relocated to the Kitchen to cover it -- so the BISTRO now has NO phone (replacement pending, set up + re-key when it arrives).** (Verify VLAN via the client `vlan` field, NOT the cached display IP.) The **Vertical-Remote management desktop** (`10.0.30.201`, MAC `e4:e7:49:52:3a:06`, WIRED USW-16-PoE port 16, VOICE VLAN 30, **DHCP** -- confirmed not static, LogMeIn remote access, no pfSense OpenVPN) is live on VLAN 30. No on-prem SIP PBX found -> phones appear to register to a **cloud/hosted PBX** (Vertical). +- **[2026-06-18 CUTOVER COMPLETE] Voice VLAN (VLAN 30) consolidation:** dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30, DHCP `.100-.250`, DNS `8.8.8.8/1.1.1.1`)** holding ALL phones + the Vertical desktop; internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA). Isolation rules verified via `pfctl -sr` (clone of GUEST VLAN -- the only actually-isolated net). Voice PPSK key on CSCNet -> VOICE: vaulted `clients/cascades-tucson/wifi-voice-ppsk`. 
**Migration COMPLETE 2026-06-19: 37 devices on VOICE (28 Poly + 8 AudioCodes + Vertical desktop; 1 Poly removed bad 2026-06-19 -- Bistro phone relocated to Kitchen, Bistro replacement pending). Live inventory: `docs/network/voice-phone-inventory.md`:** - Vertical-Remote desktop (port 16): DONE -- `10.0.30.201`. Re-VLANing a wired port requires bouncing the link (port disable/enable via controller API using CSRF token); a UniFi client block/unblock is MAC-filter only, not a link bounce. - **ALL 29 Poly WiFi phones: DONE (2026-06-19)** -- on `10.0.30.202-.223` + `.232-.237`. The 6 stragglers found 2026-06-18 (on VLAN 20 / the .1 net) were identified onsite by Howard + re-keyed to the voice PPSK, plus 2 phones added during the walk. Named per-phone roster in `docs/network/voice-phone-inventory.md` (Zachary Nelson .232, Recreation room .233, Movie Theater .234, Library .235, Bistro .236, John Trozzi rm422 .237, Kitchen server). A phone landing back on the .1 net = it got the regular CSCNet key, not the voice PPSK. - **8 AudioCodes (wired, USW-16-PoE ports 1-8): ALL DONE** -- on `10.0.30.224-.231`. **Gotcha: AudioCodes are externally powered (PoE OFF on those ports), so a UniFi PoE power-cycle AND a controller port disable/enable are both no-ops -- they held their old main-LAN DHCP leases. Required a full physical power-off/on** before they re-DHCP'd onto VOICE. 
@@ -471,7 +471,7 @@ Full plan: `docs/network/network-optimization-master-plan.md`. Goal: fix the *sy - **Backup gap closed (2026-06-15):** Mike installed ACG cloud backup (MSP360/CloudBerry -> ACG-backup server) on CS-SERVER. Verify first full backup completes and set retention; confirm image-based / bare-metal + system-state for DC recoverability. - **Restored 7 deleted mailboxes (2026-04-25)** for HIPAA SS164.316(b)(2) 7-year retention. - **Termination policy established:** Convert to shared mailbox, hide from GAL, retain 7 years. -- **Voice VLAN 30 (HIPAA-isolated):** All voice gear (phones + Vertical desktop) on an isolated network with internet/cloud-PBX egress only; blocked from PHI/LAN/VLAN20/mgmt. **Migration COMPLETE 2026-06-19: 38 devices on VOICE (29 Poly + 8 AudioCodes + desktop).** +- **Voice VLAN 30 (HIPAA-isolated):** All voice gear (phones + Vertical desktop) on an isolated network with internet/cloud-PBX egress only; blocked from PHI/LAN/VLAN20/mgmt. **Migration COMPLETE 2026-06-19: 37 devices on VOICE (28 Poly + 8 AudioCodes + desktop).** --- 
@@ -483,7 +483,8 @@ Syncro live pull 2026-06-18: **0 open tickets.** No hours drawn from the 2026-06 - **[URGENT] Order replacement workstation for Lupe Sanchez (DESKTOP-TRCIEJA).** Decision made 2026-06-18. EOL Gateway ZX6971 / i3-2120 / 8 GB / Win11-unsupported. On new machine: provision GuruRMM + Bitdefender only; do NOT carry over the Datto stack. - **[URGENT] Rotate exposed Synology Cloud Signin Portal credential.** Vault commit 1fbc0e1 committed it plaintext; encrypted go-forward but credential is exposed in git history. Also verify MDM service account + WiFi CSCNet from that same commit were never plaintext. -- **[DONE 2026-06-19] Voice VLAN (VLAN 30) migration COMPLETE -- 38 devices on VOICE** (29 Poly `.202-.223`+`.232-.237`, 8 AudioCodes `.224-.231`, Vertical desktop `.201`). All Poly stragglers + 2 onsite-added phones re-keyed by Howard. RF optimized too (2.4 power->medium, 5 GHz on clean DFS, 5G retry halved). +- **[DONE 2026-06-19] Voice VLAN (VLAN 30) migration COMPLETE -- 37 devices on VOICE** (28 Poly, 8 AudioCodes `.224-.231`, Vertical desktop `.201`). All Poly re-keyed by Howard. RF optimized too (2.4 power->medium, 5 GHz on clean DFS, 5G retry halved). Billed: ticket #32444 (7h prepaid -- 4 onsite + 3 remote). +- **[PENDING - hardware] Bistro phone replacement.** The Kitchen server phone was bad (John pulled it 2026-06-19); the Bistro phone was relocated to the Kitchen to cover it, so the **Bistro has no phone**. Set up + re-key the replacement to the voice PPSK when it arrives. - **[WAITING ON VERTICAL - the last voice item] Set Poly handsets to 5 GHz-only.** The residual dropped-calls are a band-selection problem: phones sit on saturated 2.4 GHz despite strong 5 GHz-capable signal, and controller band-steering (already on) won't hold the Poly fleet on 5 GHz. Phone-side 5 GHz lock is the fix -- request sent to Richard Turner 2026-06-19 (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), **awaiting their response**. 
After they push it: re-pull per-phone data + confirm all on 5 GHz. (Lauren `.202`, the worst original case, already went 2.4/50% -> 5GHz/12% from the RF work.) - **[INVESTIGATE] Phone `.210`** -- on 5 GHz at -65 dBm (good signal) but ~64% retry on a clean channel; anomalous (AP-217 or per-phone), separate from the band-selection issue. - **[PENDING - build] Voice QoS for VLAN 30** (pfSense HFSC 3-queue on both WANs matching `10.0.30.0/24` + UniFi WMM/switch QoS). Design done, not built (Howard drives pfSense GUI). Blocker for sizing: the WAN2 coax upload number. QoS is insurance (WAN has headroom); RF is the everyday fix. Design: `docs/network/phase1-voice-qos-design.md`.
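Review bot: In `voice-phone-inventory.md` (hunk `@@ -38,17 +38,20 @@`), the struck-through row for `48:25:67:64:95:7a` says the handset was pulled but not what happened to it afterwards. The new bullet counts it among the 29 handsets re-keyed to the voice PPSK, so the unit was provisioned with that key when it was removed. Please record its disposition in the Status cell (factory reset, returned to the vendor, or destroyed) and state whether the voice PPSK needs rotating or the MAC should be blocked on the controller. Separately, the relocated `.236` row now reads "On VOICE; now at the Kitchen AP" and no longer carries the "re-keyed 2026-06-19" status that the neighbouring rows keep; keep that text so the table stays uniform.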
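Review bot: In `wiki/clients/cascades-tucson.md` (hunk `@@ -228,8 +228,8 @@`), the unchanged context bullet directly below the two rewritten ones still reads "**ALL 29 Poly WiFi phones: DONE (2026-06-19)**" and its roster still lists "Bistro .236" and "Kitchen server". That contradicts the new text two lines above it (28 active Poly, Bistro has no phone, `.236` now in the Kitchen). Update that bullet in the same commit. The rewritten VoIP bullet also drops the Poly address ranges (`.202-.223`, `.232-.237`) while keeping the AudioCodes range; either restore them or point to `docs/network/voice-phone-inventory.md` for the addresses.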
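Review bot: In `wiki/clients/cascades-tucson.md` (hunk `@@ -483,7 +483,8 @@`), the new "[PENDING - hardware] Bistro phone replacement" item has no owner and its instruction stops at "Set up + re-key the replacement to the voice PPSK when it arrives". Add the follow-up steps this patch itself relies on elsewhere: confirm the replacement lands on VLAN 30 via the controller client `vlan` field (not the cached display IP), and add its MAC and address to `docs/network/voice-phone-inventory.md`. The billing reference appended to the DONE item ("Billed: ticket #32444 ...") is not mentioned in the commit subject and is unrelated to the hardware change; consider moving it to its own commit.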