sync: auto-sync from HOWARD-HOME at 2026-06-18 12:21:23

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-18 12:21:23

wiki/clients/cascades-tucson.md

@@ -203,7 +203,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
   - **Known hardware:** AP 108 (Floor 1) offline pending a new cable run (expected). Stale duplicate controller object ("108" vs "108U7 Pro") to clean up separately.
   - **Creds (vault refs only):** `infrastructure/uos-server-ssh-key` (SSH/Mongo), `infrastructure/uos-server-network-api-rw` (RW controller admin), `clients/cascades-tucson/unifi-ap-ssh` (per-AP device auth via site VPN), `clients/cascades-tucson/pfsense-firewall` (pfSense admin for pfsense-ssh.sh).
 - **VoIP (vendor: Vertical -- Richard Turner <RTurner@vertical.com>):** Two phone fleets -- **8 AudioCodes** (OUI `00:90:8f`, WIRED on USW-16-PoE ports 1-8, Default/main LAN) and **22 Poly** (OUI `48:25:67`, WiFi via CSCNet PPSK -> VLAN 20 Internal). The **Vertical-Remote management desktop** (`192.168.2.180`, MAC `e4:e7:49:52:3a:06`, WIRED USW-16-PoE port 16, Default LAN, **static IP, no ACG login**) is RDP-only (recon 2026-06-16 -- not a PBX). No on-prem SIP PBX found -> phones appear to register to a **cloud/hosted PBX** (Vertical). Infra must stay static.
-- **[PLANNED] Voice VLAN (VLAN 30) consolidation for the phones:** Segmentation left voice gear split (Poly on VLAN 20; AudioCodes + Vertical desktop on the main LAN), and main-LAN -> VLAN 20 is blocked at pfSense -- so the desktop can't reach the wireless phones and phone IPs drift. Fix: a dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30)** holding ALL phones + the Vertical desktop; internet egress allowed, firewalled off VLAN 20 / main LAN / PHI (HIPAA); Vertical's pfSense OpenVPN scoped to `10.0.30.0/24` via a Client-Specific-Override. Desktop is static + no ACG login -> Vertical sets it to DHCP (or grants temp access) at cutover; reserve `10.0.30.10`. Status: PLANNED -- vendor email sent 2026-06-16, awaiting Richard's confirm (cloud-PBX, desktop static, VPN cert CN) + a window. **Full runbook + recon: `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`.**
+- **[IN PROGRESS 2026-06-17] Voice VLAN (VLAN 30) consolidation for the phones:** dedicated isolated **VLAN 30 VOICE (`10.0.30.0/24`, gw `10.0.30.1`, pfSense igc1.30, DHCP `.100-.250`, DNS `8.8.8.8/1.1.1.1`)** holding ALL phones + the Vertical desktop; internet/cloud-PBX egress only, firewalled off VLAN 20 / main LAN / PHI / mgmt (HIPAA). **BUILT + VERIFIED:** isolation rules are a clone of the GUEST VLAN (the only actually-isolated net -- all Protocol=Any quick: block 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any; confirmed via `pfctl -sr`). UniFi VOICE network + CSCNet voice PPSK created (key vaulted `clients/cascades-tucson/wifi-voice-ppsk`). **Richard's confirmations (2026-06-17) simplified it:** desktop is **DHCP** (not static -> zero-touch, no reservation), and Vertical uses **LogMeIn not the pfSense OpenVPN** (so no OpenVPN CSO/cert -- desktop just needs internet egress). **Migration underway** (track in `docs/network/voice-phone-inventory.md`): Vertical desktop (10.0.30.201) + 2 Poly live -- Accounting Director / Lauren Hasselman (`48:25:67:64:8a:88`) **dial-tone + outbound call to cell VERIFIED**, and Life Enrichment office 132 (`48:25:67:d0:b8:ac`). **Remaining:** 8 AudioCodes (wired ports 1-8, flip + PoE power-cycle to re-DHCP) + ~20 Poly (re-key to voice PPSK), being moved by Howard. **KEY GOTCHA:** re-VLANing a wired port does NOT move the IP -- the device holds its old lease until the link is bounced (PoE power-cycle / disable-enable); a UniFi client block/unblock won't do it. **Full runbook: `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`; live inventory: `docs/network/voice-phone-inventory.md`.**
 
 ### External Vendors & Mail Senders
 
@@ -413,7 +413,7 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
 - ALIS app session timeout: lower from 20 to 15 min (Howard, ALIS admin) -- PENDING
 - **[CRITICAL] CS-SERVER degraded RAID-1 (2026-06-15):** OS mirror (C:) running on a single 320 GB laptop spindle, no redundancy. Plan SSD rebuild-then-swap (image C: first, AFTER backup verifies). DC migration is the real fix. Cloud backup installed/started 2026-06-15 -- **verify first full completes + confirm image-based + set retention before any drive work.**
 - **[CLEANUP] CS-SERVER agent sprawl:** remove the previous MSP's leftover Datto RMM (CentraStage) + Datto EDR (Infocyte) stack (thrashing the degraded disk).
-- **[PLANNED] Voice VLAN (VLAN 30) for Vertical phones + remote desktop:** vendor email sent 2026-06-16, awaiting Richard Turner's confirm (cloud-PBX confirmed via recon, desktop static, VPN cert CN) + maintenance window, then execute. Runbook: `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`.
+- **[IN PROGRESS 2026-06-17] Voice VLAN (VLAN 30) for Vertical phones + remote desktop:** Richard confirmed; VLAN built + verified (pfSense + UniFi), desktop is DHCP (not static), access is LogMeIn (not OpenVPN). Migration underway -- desktop + 2 Poly live (dial-tone verified), AudioCodes + remaining Poly being moved by Howard. Runbook: `docs/network/voice-vlan-cutover.md`; live inventory: `docs/network/voice-phone-inventory.md`.
 - **[IN PROGRESS] Wireless RF remediation (2.4 GHz):**
   - Phase A (power-down to Low): Floor-4 pilot APPLIED 2026-06-16 (retry 13.2->9.5%, no coverage loss). Remaining floors (1-3, 5-6 + floor-2/misc per-AP) = staged, awaiting go-ahead. Runbook: `clients/cascades-tucson/reports/2026-06-16-2.4ghz-remediation-runbook.md`.
   - Phase C (disable 9 redundant 2.4 radios): staged, awaiting Phase A validation + explicit go-ahead. APs 445/428 disables held; AP 128 disabled.