WRKLOG-2026-03-07

Summary

Friday. VyOS migration from pfSense continues. WLC-01 migrated to kvm-02 (cross-hypervisor XML transformation). AP join fixed via VyOS firewall + DHCP Option 43. BIND ACL updated for all VLANs. Documentation sprint on all affected runbooks.

Today’s Priority Tasks

Priority  Task                            Status       Notes
P0        VyOS DHCP cutover validation    [x] DONE     DATA/IOT VLANs getting IPs from vyos-02
P0        AP not joining WLC              [x] FIXED    Firewall rule + Option 43
P0        BIND ACL for VyOS DHCP clients  [x] DONE     All VLANs added to allow-query
P1        WLC-01 migration to kvm-02      [x] DONE     Cross-hypervisor XML fixes
P1        Documentation updates           [x] DONE     kvm-operations, vyos-quick-ref, wlc-vyos-integration, CLAUDE.md
P2        WLC HA SSO (version match)      [ ] BLOCKED  WLC-01 needs 17.15.4d upgrade

Carried Over from 2026-03-06

Professional (CHLA)

Priority  Task                                                                   Status
P0        Linux SSH issue (Xianming Ding) - AD-joined Linux SSH troubleshooting  [ ] CARRY-OVER
P1        iPSK Manager DB replication                                            [ ] CARRY-OVER
P1        ISE 3.4 Patch 9 or 3.5 migration planning                              [ ] CARRY-OVER
P2        Monad Security Pipeline evaluation (CISO priority)                     [ ] CARRY-OVER

Personal Infrastructure

Priority  Task                                           Status
P0        VyOS migration complete cutover                [ ] IN PROGRESS
P1        kvm-01 bridge VLAN persistence (libvirt hook)  [ ] CARRY-OVER
P1        WLC-01 upgrade to 17.15.4d (match WLC-02)      [ ] NEW
P2        kvm-01 reimage to Rocky Linux                  [ ] FUTURE
P2        vyos-01 HA establishment                       [ ] FUTURE

Learning Tracks

  • RHCSA study session (Thursdays)

  • DELE C1 Spanish tutor prep

VyOS Migration Status

Systems Cutover Checklist

System          DHCP Source  DNS Resolution  Status
vyos-02         VyOS (self)                  Gateway
modestus-razer  VyOS                         Admin workstation
bind-01         Static       Self            DNS primary
ise-02          Static                       ISE active node
home-dc01       Static       Self            AD DC
vault-01        Static                       PKI/SSH CA
kvm-01          Static       ✓ (fixed)       Hypervisor
kvm-02          Static                       Hypervisor
nas-01          Static                       Storage
wlc-01          Static                       WLC active
wlc-02          Static                       WLC standby
keycloak-01     Static                       IdP
ipa-01          Static       Self            FreeIPA
k3s-master-01   Static                       k3s control plane

DHCP Pools Active (vyos-02)

Pool     Subnet          Option 43  Status
MGMT     10.50.1.0/24    N/A        Active
DATA     10.50.10.0/24   0a320128   Active
IOT      10.50.40.0/24   0a320128   Active
GUEST    10.50.110.0/24  -          Active
SERVERS  10.50.120.0/24  -          Active

Session Log

Session 1: WLC-01 Cross-Hypervisor Migration

Time: Early Morning

Problem: WLC-01 XML from kvm-01 (Arch) failed import to kvm-02 (RHEL 7).

Issues and Fixes:

Issue                                     Cause                                                                               Fix
"Start tag expected"                      Shell prompt hook injected ANSI codes into SSH redirect                             grep -v "session active" filter
"Cannot check QEMU binary"                Different paths: /usr/bin/qemu-system-x86_64 (Arch) vs /usr/libexec/qemu-kvm (RHEL)  sed -i 's|/usr/bin/qemu-system-x86_64|/usr/libexec/qemu-kvm|'
"Emulator does not support machine type"  pc-i440fx-10.1 unavailable in QEMU 2.x                                              sed -i "s|machine='pc-i440fx-10.1'|machine='pc'|"

Commands:

# Export from kvm-01 (filter shell noise)
ssh kvm-01 "sudo virsh dumpxml 9800-WLC-01" | grep -v "session active" > /tmp/wlc-01.xml
# Transform for kvm-02
sed -i 's|/usr/bin/qemu-system-x86_64|/usr/libexec/qemu-kvm|' /tmp/wlc-01.xml
sed -i "s|machine='pc-i440fx-10.1'|machine='pc'|" /tmp/wlc-01.xml
# Import to kvm-02
scp /tmp/wlc-01.xml kvm-02:/tmp/
ssh kvm-02 "sudo virsh define /tmp/wlc-01.xml && sudo virsh start 9800-WLC-01"

Session 2: AP Not Joining WLC

Time: Morning

Symptom: APs on DATA VLAN not joining WLC after VyOS migration.

Diagnosis:

# On AP console
ping 10.50.1.40
# Success - network path works

# On VyOS
show firewall statistics
# No hits on CAPWAP rule - rule missing!

Root Cause: Two issues:

  1. VyOS firewall missing CAPWAP rule (UDP 5246/5247)

  2. DHCP Option 43 not configured for AP VLAN

Fixes:

# VyOS firewall - add CAPWAP rule
configure
set firewall ipv4 name DATA_IN rule 20 action accept
set firewall ipv4 name DATA_IN rule 20 description "CAPWAP to WLC"
set firewall ipv4 name DATA_IN rule 20 destination port 5246,5247
set firewall ipv4 name DATA_IN rule 20 protocol udp
commit
save
# VyOS DHCP - add Option 43
configure
set service dhcp-server shared-network-name DATA subnet 10.50.10.0/24 option vendor-option cisco suboption 241 hex-string '0a320128'
commit
save

Verification:

# Show Option 43 configured
show configuration commands | grep vendor-option

# After AP reboot/DHCP renewal
ssh wlc-01 "show ap summary"
# AP appears in list

Session 3: BIND ACL for VyOS DHCP Clients

Time: Morning

Problem: DNS queries from DATA/IOT VLANs failing despite VyOS forwarding to bind-01.

Symptom:

# On vyos-02
dig @10.50.1.90 ise-01.inside.domusdigitalis.dev
# REFUSED

Root Cause: BIND allow-query only had MGMT subnet (10.50.1.0/24).

Fix:

# On bind-01
sudo sed -i '/allow-query/s|{ localhost; 10.50.1.0/24; }|{ localhost; 10.50.1.0/24; 10.50.10.0/24; 10.50.20.0/24; 10.50.40.0/24; 10.50.110.0/24; 10.50.120.0/24; }|' /etc/named.conf
sudo systemctl reload named

Verification:

dig @10.50.1.90 ise-01.inside.domusdigitalis.dev +short
# 10.50.1.20

Session 4: Documentation Sprint

Time: Afternoon

Files Updated:

File                            Changes
kvm-operations.adoc             Added "Cross-Hypervisor XML Migration" section
vyos-operations-quick-ref.adoc  Added "DHCP Option 43 (Cisco AP WLC Discovery)" section
wlc-vyos-integration.adoc       Added Option 43 warning to AP troubleshooting
.claude/CLAUDE.md               Session notes with WLC migration table, BIND ACL fix, key learnings

Session 5: VyOS LOCAL_DATA Firewall Root Cause

Time: Evening

Problem: Workstation on DATA VLAN (10.50.10.106) could reach internet (8.8.8.8) but NOT VyOS gateway (10.50.10.1) or MGMT zone hosts.

Diagnosis:

# From workstation
ping 8.8.8.8          # SUCCESS - internet via NAT
ping 10.50.10.1       # FAIL - VyOS gateway
ping 10.50.1.99       # FAIL - kvm-01

# ARP shows gateway is learned
ip neigh | grep 10.50.10.1
# 10.50.10.1 dev enp2s0f0 lladdr 52:54:00:31:eb:e3 STALE

Root Cause:

The VyOS zone-based firewall was missing the LOCAL → DATA policy for the DATA zone:

Direction     Status                 Effect
DATA → LOCAL  ✓ DATA_LOCAL exists    Requests reach VyOS
LOCAL → DATA  ❌ LOCAL_DATA missing  VyOS cannot respond

Zone default-action 'drop' blocks all responses (ICMP reply, DHCP reply, DNS reply).

Diagram Created:

images/diagrams/vyos-zone-topology.d2 - Complete zone topology with traffic flows and problem annotation.

Fix Applied:

configure
set firewall ipv4 name LOCAL_DATA default-action 'accept'
set firewall zone DATA from LOCAL firewall name 'LOCAL_DATA'
commit
save

Verification:

# From DATA VLAN client (10.50.10.x)
ping 10.50.10.1
# 64 bytes from 10.50.10.1: icmp_seq=1 ttl=64 time=0.409 ms

Result: DATA zone now has bidirectional communication with VyOS. DHCP, DNS, and gateway response all working.

Session 6: EAP-TLS Certificate Inspection for ISE Policy Documentation

Time: Evening

Objective: Document certificate fields used by ISE for authorization policy matching. Preparation for packet capture analysis.

Switch Port Status (802.1X):

LAB-3560CX-01#show access-session interface g1/0/2 details
            Interface:  GigabitEthernet1/0/2
          MAC Address:  98bb.1e1f.a713
         IPv4 Address:  10.50.1.251
            User-Name:  modestus-razer.inside.domusdigitalis.dev
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
      Session timeout:  28800s (server), Remaining: 28796s
       Current Policy:  PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

Server Policies:
           Vlan Group:  Vlan: 100
              ACS ACL:  xACSACLx-IP-DACL_ADMIN_FULL-696eef58

Method status list:
      Method            State
      dot1x              Authc Success

Certificate Inspection Commands:

# Find EAP-TLS certificate
ls -la /etc/ssl/certs/*razer*.pem /etc/ssl/certs/*eaptls*.pem 2>/dev/null
# Extract key fields with openssl + awk
# (Extended Key Usage is matched first and skipped with `next`, otherwise the plain
# /Key Usage/ pattern swallows it too; dates are printed whole, month included)
openssl x509 -in /etc/ssl/certs/modestus-razer-eaptls.pem -noout \
  -subject -issuer -dates -ext subjectAltName,keyUsage,extendedKeyUsage 2>/dev/null | awk '
/^subject=/ {print "SUBJECT:", $0}
/^issuer=/ {print "ISSUER:", $0}
/^notBefore=/ {sub(/^notBefore=/, ""); print "VALID_FROM:", $0}
/^notAfter=/ {sub(/^notAfter=/, ""); print "VALID_TO:", $0}
/DNS:/ {print "SAN:", $0}
/Extended Key Usage/ {getline; print "EKU:", $0; next}
/Key Usage/ {getline; print "KEY_USAGE:", $0}'

Output:

SUBJECT: subject=O=Domus-Infrastructure, OU=Domus-Admins, CN=modestus-razer.inside.domusdigitalis.dev
ISSUER: issuer=CN=DOMUS-ISSUING-CA
VALID_FROM: Feb 16 05:10:27 2026 GMT
VALID_TO: Feb 16 05:10:57 2027 GMT
KEY_USAGE:     Digital Signature, Key Encipherment, Key Agreement
EKU:     TLS Web Server Authentication, TLS Web Client Authentication
SAN:     DNS:modestus-razer.inside.domusdigitalis.dev

JSON Output with openssl + jq (no external tools):

# Convert certificate to JSON structure. Fields are collected first and emitted in
# END, so the output stays valid JSON regardless of the order the extensions appear in.
CERT="/etc/ssl/certs/modestus-razer-eaptls.pem"
openssl x509 -in "$CERT" -noout -subject -issuer -dates -serial \
  -ext subjectAltName,keyUsage,extendedKeyUsage 2>/dev/null | awk '
function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
/^subject=/ {
  sub(/^subject=/, "");
  n = split($0, parts, ", ");
  for (i = 1; i <= n; i++) {
    split(parts[i], kv, /[ ]*=[ ]*/);   # accepts both "O=x" and "O = x" forms
    if (kv[1] == "O") org = kv[2];
    if (kv[1] == "OU") ou = kv[2];
    if (kv[1] == "CN") cn = kv[2];
  }
}
/^issuer=/    { sub(/^issuer=(CN[ ]*=[ ]*)?/, ""); issuer = $0 }
/^serial=/    { sub(/^serial=/, ""); serial = $0 }
/^notBefore=/ { sub(/^notBefore=/, ""); nb = $0 }
/^notAfter=/  { sub(/^notAfter=/, ""); na = $0 }
/DNS:/        { san = trim($0); sub(/^DNS:/, "", san) }
/Extended Key Usage/ { getline; eku = trim($0); next }   # must precede /Key Usage/
/Key Usage/          { getline; ku = trim($0) }
END {
  printf "{\n"
  printf "  \"subject\": {\"O\": \"%s\", \"OU\": \"%s\", \"CN\": \"%s\"},\n", org, ou, cn
  printf "  \"issuer\": \"%s\",\n  \"serial\": \"%s\",\n", issuer, serial
  printf "  \"not_before\": \"%s\",\n  \"not_after\": \"%s\",\n", nb, na
  printf "  \"san\": \"%s\",\n  \"key_usage\": \"%s\",\n  \"eku\": \"%s\"\n}\n", san, ku, eku
}
' | jq .

Output (JSON):

{
  "subject": {
    "O": "Domus-Infrastructure",
    "OU": "Domus-Admins",
    "CN": "modestus-razer.inside.domusdigitalis.dev"
  },
  "issuer": "DOMUS-ISSUING-CA",
  "serial": "5A:3B:...",
  "not_before": "Feb 16 05:10:27 2026 GMT",
  "not_after": "Feb 16 05:10:57 2027 GMT",
  "san": "modestus-razer.inside.domusdigitalis.dev",
  "key_usage": "Digital Signature, Key Encipherment, Key Agreement",
  "eku": "TLS Web Server Authentication, TLS Web Client Authentication"
}

jq Queries for Policy Matching:

# Extract just the OU (determines VLAN assignment)
... | jq -r '.subject.OU'
# Output: Domus-Admins

# Check if admin cert
... | jq -r 'if .subject.OU == "Domus-Admins" then "MGMT VLAN 100" else "DATA VLAN 10" end'

# Validate issuer trust
... | jq -r 'if .issuer == "DOMUS-ISSUING-CA" then "✓ Trusted" else "✗ Untrusted" end'

Install step CLI (optional - cleaner JSON output):

# Arch Linux
sudo pacman -S step-cli

# Then use:
step certificate inspect /etc/ssl/certs/modestus-razer-eaptls.pem --format json | jq '{
  subject: .subject.common_name,
  ou: .subject.organizational_unit,
  san: .extensions.subject_alt_name,
  issuer: .issuer.common_name,
  serial: .serial_number,
  not_before: .validity.not_before,
  not_after: .validity.not_after,
  key_usage: .extensions.key_usage,
  eku: .extensions.extended_key_usage
}'

Certificate Fields for ISE Policy Matching:

Field      Value                                               ISE Use
CN         modestus-razer.inside.domusdigitalis.dev            User-Name identity
OU         Domus-Admins                                        Group matching → VLAN 100 + DACL_ADMIN_FULL
O          Domus-Infrastructure                                Organization filter
Issuer     DOMUS-ISSUING-CA                                    Trust validation
SAN        DNS:modestus-razer.inside.domusdigitalis.dev        Alternative identity
Key Usage  Digital Signature, Key Encipherment, Key Agreement  EAP-TLS requirements
EKU        TLS Web Client Authentication                       Client auth capability
Validity   2026-02-16 → 2027-02-16                             1-year cert from Vault PKI

ISE Authorization Policy Logic:

IF Certificate.Subject-OU == "Domus-Admins"
   AND Certificate.Issuer == "DOMUS-ISSUING-CA"
THEN
   VLAN = 100 (MGMT)
   dACL = DACL_ADMIN_FULL
ELSE IF Certificate.Subject-OU == "Domus-Users"
   VLAN = 10 (DATA)
   dACL = DACL_USER_RESTRICTED

Packet Capture Fields (Wireshark EAP-TLS):

EAP-TLS Handshake:
├── Client Certificate
│   ├── Subject: O=Domus-Infrastructure, OU=Domus-Admins, CN=modestus-razer...
│   └── Issuer: CN=DOMUS-ISSUING-CA
└── Server validates → RADIUS Access-Accept with:
    ├── Tunnel-Type: VLAN
    ├── Tunnel-Private-Group-ID: 100
    └── Filter-Id: DACL_ADMIN_FULL

Session 7: Zero-Trust Architecture Validation

Time: Evening

Test: Verify DATA zone isolation from MGMT zone (by design).

# Infrastructure reachability check from DATA VLAN
HOSTS=(
  bind-01.inside.domusdigitalis.dev
  wlc-02.inside.domusdigitalis.dev
  vyos-02.inside.domusdigitalis.dev
  ise-01.inside.domusdigitalis.dev
  vault-01.inside.domusdigitalis.dev
  # ... full list
)

printf "%-45s %-15s %s\n" "HOSTNAME" "IP" "STATUS"
for h in "${HOSTS[@]}"; do
  ip=$(dig +short +time=2 "$h" 2>/dev/null | head -1)
  if [[ -n "$ip" ]]; then
    if timeout 1 bash -c "echo >/dev/tcp/$ip/22" 2>/dev/null; then
      status="✓ SSH"
    else
      status="○ DNS only — unreachable"
    fi
    printf "%-45s %-15s %s\n" "$h" "$ip" "$status"
  else
    printf "%-45s %-15s %s\n" "$h" "-" "✗ NXDOMAIN"
  fi
done

Result:

HOSTNAME                                      IP               STATUS
bind-01.inside.domusdigitalis.dev             10.50.1.90       ✓ DNS
vault-01.inside.domusdigitalis.dev            10.50.1.60       ○ DNS only — unreachable
ise-02.inside.domusdigitalis.dev              10.50.1.21       ○ DNS only — unreachable
kvm-01.inside.domusdigitalis.dev              10.50.1.99       ○ DNS only — unreachable
... (13 hosts unreachable)

Analysis: This is correct behavior - zero-trust working as designed.

Zone               Access From DATA    Rationale
MGMT (10.50.1.x)   DNS only (port 53)  Infrastructure protected
DATA (10.50.10.x)  Full (same zone)    Peer communication
WAN (internet)     Full outbound       NAT for internet access

Zero-Trust Architecture:

Need                  Action                                    Result
Regular work          Connect normally                          DATA VLAN (10.50.10.x) - internet + DNS only
Infrastructure admin  802.1X with admin cert (OU=Domus-Admins)  MGMT VLAN (10.50.1.x) - full access

ISE enforces the security boundary - certificate OU determines VLAN assignment. No firewall rule exceptions needed.

Infrastructure DNS Verification Loop

Improved pattern for checking infrastructure:

HOSTS=(
  vault-01.inside.domusdigitalis.dev
  bind-01.inside.domusdigitalis.dev
  ise-02.inside.domusdigitalis.dev
  home-dc01.inside.domusdigitalis.dev
  kvm-01.inside.domusdigitalis.dev
  kvm-02.inside.domusdigitalis.dev
  nas-01.inside.domusdigitalis.dev
  keycloak-01.inside.domusdigitalis.dev
  ipa-01.inside.domusdigitalis.dev
  k3s-master-01.inside.domusdigitalis.dev
  wlc-01.inside.domusdigitalis.dev
  wlc-02.inside.domusdigitalis.dev
  vyos-01.inside.domusdigitalis.dev
  vyos-02.inside.domusdigitalis.dev
)

printf "%-45s %-15s %s\n" "HOSTNAME" "IP" "STATUS"
printf "%s\n" "$(printf '=%.0s' {1..70})"

for h in "${HOSTS[@]}"; do
  ip=$(dig +short +time=2 "$h" 2>/dev/null | head -1)
  if [[ -n "$ip" ]]; then
    if timeout 1 bash -c "echo >/dev/tcp/$ip/22" 2>/dev/null; then
      status="\e[32m✓ SSH\e[0m"
    else
      status="\e[33m○ DNS only\e[0m"
    fi
    printf "%-45s %-15s %b\n" "$h" "$ip" "$status"
  else
    printf "%-45s %-15s %b\n" "$h" "-" "\e[31m✗ NXDOMAIN\e[0m"
  fi
done

Session 8: kvm-01 Rocky Linux Rebuild (In Progress)

Time: Late Evening

Objective: Rebuild kvm-01 with Rocky Linux 9 to match kvm-02 configuration, enabling vyos-01 deployment.

Phase 1: Extract kvm-02 Config (COMPLETE)

# NetworkManager bridge configs extracted from kvm-02
sudo nmcli -g all connection show br-mgmt > br-mgmt.conf
sudo nmcli -g all connection show br-mgmt-port > br-mgmt-port.conf
sudo nmcli -g all connection show br-wan > br-wan.conf
sudo nmcli -g all connection show br-wan-port > br-wan-port.conf

# Libvirt hook and VLAN state
sudo cat /etc/libvirt/hooks/qemu > libvirt-hook.sh
bridge vlan show > bridge-vlan.txt

# Saved to NAS
sudo cp *.conf *.sh *.txt /mnt/nas/backups/kvm-01-rebuild/

Phase 2: Backup kvm-01 VMs (COMPLETE)

10 VMs exported from kvm-01:

VM             Status
9800-WLC-01    Migrated to kvm-02
bind-01        Exported XML
certmgr-01     Exported XML
home-dc01      Exported XML
ipa-01         Exported XML
ipsk-manager   Exported XML
ise-01         Exported XML
k3s-master-01  Exported XML
keycloak-01    Exported XML
pfSense-FW01   Exported XML (will decommission)

# Exported all XML definitions
sudo -i
for vm in $(virsh list --all --name); do
  echo "Exporting: $vm"
  virsh dumpxml "$vm" > /mnt/nas/backups/kvm-01-rebuild/vm-definitions/"$vm".xml
done

Phase 3: Rocky Linux Install (IN PROGRESS)

  • Boot from USB (Samsung Flash Drive FIT 1100)

  • Interface: eno8 = LAN trunk (10G to switch Te1/0/2)

  • Static IP: 10.50.1.110/24 during install

  • Gateway: 10.50.1.1

  • DNS: 10.50.1.1, 10.50.1.90

Documentation Updated:

  • kvm-01-rocky-rebuild.adoc - Added executive summary, progress tracker, related runbooks

  • domusdigitalis-vyos-migration.adoc - Linked kvm-01 runbooks to master

Next Phases:

  • Phase 4: Apply br-mgmt + br-wan config from kvm-02 templates

  • Phase 5: Configure VLAN filtering + libvirt hook

  • Phase 6: Import VMs from NAS, update network to br-mgmt

  • Phase 7: Start VMs, verify VRRP, redistribute for HA

Key Learnings

DHCP Option 43 for Cisco AP WLC Discovery

CRITICAL: Without Option 43, APs cannot discover WLC and will not join.

IP to Hex Conversion:

WLC IP      Octets            Hex
10.50.1.40  10 / 50 / 1 / 40  0a320128
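The conversion above, generalised to more than one controller plus the reverse decode for auditing a hex-string already in a running config. This is an added example, not code from the worklog; the function names are mine, and the TLV layout (suboption type 0xf1, length = 4 × number of WLC addresses) is Cisco's documented Option 43 format.

```shell
#!/bin/sh
# Added example: encode/decode the Cisco AP Option 43 (suboption 241) payload.
# Function names are mine; the VyOS statement quoted is the one the worklog used.

# One dotted-quad -> 8 hex chars (10.50.1.40 -> 0a320128); returns 1 if malformed.
ip_hex() {
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

# Payload for VyOS: ... option vendor-option cisco suboption 241 hex-string '<payload>'
# Several WLC addresses are simply concatenated, primary controller first.
wlc_hex() {
  local out="" h ip
  for ip in "$@"; do
    h=$(ip_hex "$ip") || return 1
    out="$out$h"
  done
  printf '%s\n' "$out"
}

# Full TLV (type f1, length 4*N, then the addresses) for servers that take the raw
# option; ISC dhcpd writes the same bytes colon-separated, e.g. f1:04:0a:32:01:28.
wlc_tlv() {
  local payload
  payload=$(wlc_hex "$@") || return 1
  [ $(( $# * 4 )) -le 255 ] || return 1
  printf 'f1%02x%s\n' "$(( $# * 4 ))" "$payload"
}

# Decode a payload (with or without the f1<len> header) back to dotted-quads,
# to check what a running config actually points the APs at.
wlc_decode() {
  local hex=$1 ips="" ip sep byte i
  case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
  case $hex in f1??*) [ $(( ${#hex} % 8 )) -eq 4 ] && hex=${hex#????} ;; esac
  [ $(( ${#hex} % 8 )) -eq 0 ] || return 1
  while [ -n "$hex" ]; do
    ip="" sep=""
    for i in 1 2 3 4; do
      byte=${hex%"${hex#??}"}          # first two hex chars
      hex=${hex#??}
      ip="$ip$sep$(printf '%d' "0x$byte")"
      sep=.
    done
    ips="$ips$ip "
  done
  printf '%s\n' "${ips% }"
}
```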

Cross-Hypervisor VM Migration

When migrating VMs between different Linux distros:

  1. QEMU path - varies by distro (Arch vs RHEL vs Debian)

  2. Machine type - newer QEMU versions have different pc-* types

  3. Shell prompt hooks - can corrupt SSH redirect output

BIND ACL Must Include All VLAN Subnets

When VyOS forwards DNS queries to BIND, the source IP is the VyOS interface address (10.50.X.1), not the original client. Clients on those VLANs that query bind-01 directly arrive with their own source address, so BIND's allow-query must list every VLAN subnet, not just MGMT.

VyOS Zone-Based Firewall: Bidirectional Policies Required

CRITICAL: Each zone pair requires policies in BOTH directions.

Rule                                                          Meaning
set firewall zone DATA from MGMT firewall name 'MGMT_DATA'    Traffic FROM MGMT TO DATA uses MGMT_DATA rules
set firewall zone DATA from LOCAL firewall name 'LOCAL_DATA'  Traffic FROM LOCAL (VyOS) TO DATA uses LOCAL_DATA rules

If missing: Zone default-action 'drop' blocks all traffic in that direction.

Symptom: Clients can send requests (e.g., DHCP DISCOVER) but never receive responses (DHCP OFFER) because VyOS cannot send into the zone.
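An added check, not part of the worklog, that reads the `set firewall zone ... from ...` lines out of `show configuration commands` and reports every zone pair that has a policy in only one direction. The sample configuration is constructed to mirror the pre-fix state from Session 5 (zone names follow the worklog, member-interface lines omitted) and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the worklog): audit VyOS zone policies for one-way pairs.
# Pipe in the 'set firewall zone ...' lines from 'show configuration commands'.

# Constructed sample: DATA/LOCAL/MGMT as they stood before LOCAL_DATA was added.
sample_zone_config() {
  cat <<'EOF'
set firewall zone DATA default-action 'drop'
set firewall zone DATA from MGMT firewall name 'MGMT_DATA'
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from DATA firewall name 'DATA_LOCAL'
set firewall zone LOCAL from MGMT firewall name 'MGMT_LOCAL'
set firewall zone MGMT default-action 'drop'
set firewall zone MGMT from DATA firewall name 'DATA_MGMT'
set firewall zone MGMT from LOCAL firewall name 'LOCAL_MGMT'
EOF
}

# One line per direction that has a policy while its reverse does not.
# Exit status 1 when a gap exists, so it can gate a commit/deploy step.
zone_pair_gaps() {
  awk '
    $1 == "set" && $2 == "firewall" && $3 == "zone" && $5 == "from" && $6 != "" {
      to = $4; from = $6               # "zone TO from FROM" = traffic FROM -> TO
      key = from SUBSEP to
      if (!(key in seen)) { seen[key] = 1; order[n++] = key }
    }
    END {
      for (i = 0; i < n; i++) {
        split(order[i], p, SUBSEP); from = p[1]; to = p[2]
        if (!((to SUBSEP from) in seen)) {
          printf "MISSING %s -> %s (have %s -> %s only)\n", to, from, from, to
          gaps++
        }
      }
      exit (gaps > 0)
    }'
}
```

On a live router the same function can read `show configuration commands | grep 'firewall zone'` instead of the constructed sample.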

Remaining Environment Cutover

Still on pfSense DHCP

VLAN     Subnet          Action Needed
VOICE    10.50.20.0/24   Move to VyOS
STORAGE  10.50.50.0/24   Move to VyOS (if used)
DMZ      10.50.100.0/24  Move to VyOS

pfSense Services to Migrate

Service          Current            Target
Firewall (WAN)   pfSense            VyOS HA (vyos-01 + vyos-02)
NAT              pfSense            VyOS
VPN (WireGuard)  pfSense            VyOS (or keep separate)
DNS resolver     pfSense (unbound)  VyOS → bind-01

CHLA Work Owed

Item                         Details                                                Due
Xianming Ding Linux SSH      AD-joined Linux SSH troubleshooting - GSSAPI/Kerberos  Overdue
iPSK Manager DB replication  Primary/secondary DB sync broken                       Ongoing
ISE 3.4 → 3.5 planning       Patch 9 first, then 3.5 evaluation                     Q2
MSCHAPv2 migration           Migrate from PEAP-MSCHAPv2 to EAP-TLS                  Q2
Switch upgrades              IOS-XE version standardization                         Q2
Monad evaluation             Security data pipeline for SIEM cost reduction         CISO priority

Tomorrow (2026-03-08)

Personal Infrastructure - kvm-01 Rebuild (Priority)

  • Phase 4: Apply br-mgmt + br-wan config on kvm-01

  • Phase 5: Configure VLAN filtering + libvirt hook

  • Phase 6: Import VMs from NAS, update network to br-mgmt

  • Phase 7: Start VMs, verify, Vault SSH CA for kvm-01

  • vyos-01 deployment on kvm-01

VyOS/WLC

  • Complete VyOS DHCP migration (remaining VLANs)

  • WLC-01 upgrade to 17.15.4d

  • Test WLC HA SSO after version match

CHLA

  • Xianming Ding Linux SSH (priority)

  • Monad demo request

  • iPSK DB replication investigation