CR-2026-04-15: SRT Research VLAN Deployment
iTrack Reference
Change: 26828 (Logged) — Created 2026-04-10 by erosado
iTrack Fields — Copy/Paste
Summary
SRT Research VLAN — Switch Config + ISE 802.1X Integration
Description
Research devices in the SRT building are currently on the general data VLAN alongside production workstations. An existing research VLAN — currently unused — will be repurposed and extended across SRT building switches. The VLAN is shared across buildings given low research device count, avoiding IP waste. Research endpoints will be moved onto this segment with 802.1X closed mode enforcement, reducing lateral movement risk and enabling granular ISE authorization policies.
Implementers:
- Tony Sun: VLAN creation on SRT access switches, trunk allowed-VLAN additions, Nexus distribution uplink
- Evan Rosado: ISE authorization profile, authorization rule in Wired 802.1X Closed Mode policy set
Tester: David Ntashamaje — endpoint connectivity, 802.1X auth, VLAN assignment confirmation
Requested By / Manager / Director
Requested By: Rosado, Evan
Manager: Clizer, Sarah
Director: Band, Conrad
Implementer(s)
Tony Sun (Network), Evan Rosado (ISE/NAC)
Schedule
Start Date: 2026-04-15 08:00
End Date: 2026-04-15 11:00
Down Time Required: No
Affected Users: Research staff in SRT building
Benefits Of Change
Network segmentation — isolate research devices from production data VLAN, reduce lateral movement risk, enforce 802.1X closed mode on dedicated segment.
Detailed Implementation Plan
Phase 1 — Switch Configuration (Tony Sun):
1a. Extend existing research VLAN to SRT access switches where not yet present (verify first, add where missing)
1b. Add VLAN to trunk allowed lists between access switches and Nexus distribution
1c. Create VLAN on Nexus distribution and verify trunk propagation
1d. Verify: show vlan id <VLAN_ID>, show interfaces trunk (VLAN present in every allowed list on the path), show spanning-tree vlan <VLAN_ID>
Phase 2 — ISE Configuration (Evan Rosado):
2a. Create Authorization Profile with research VLAN assignment (reuse existing DACL)
2b. Create Authorization Rule in Wired 802.1X Closed Mode policy set
2c. Verify: RADIUS Live Logs confirm correct AuthZ Profile and VLAN assignment
Phase 3 — Validation (David Ntashamaje):
3a. Connect research endpoint to SRT switch port
3b. Verify 802.1X authentication, VLAN assignment, DHCP, DACL, network reachability
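For Phase 1d and the trunk-pruning risk, the check below parses IOS-XE show interfaces trunk output and reports whether the research VLAN falls inside each trunk's allowed list (ranges, comma lists, allow-all and "none" are all handled, and wrapped continuation lines are joined). This is an added example written for this CR page, not part of the original plan; the switch output in it is constructed, and the port names and VLAN IDs are placeholders.

```shell
#!/bin/sh
# Added example, not part of the CR: verify that a VLAN ID is inside each
# trunk's allowed list in IOS-XE "show interfaces trunk" output.
# The sample output below is constructed; port names and VLAN IDs are placeholders.

# vlan_in_list VLAN LIST: exit 0 when VLAN is covered by LIST.
# LIST forms seen on IOS-XE: "1-4094", "10,20,100-110", "none".
vlan_in_list() {
    vlan=$1
    [ "$2" = none ] && return 1
    oldifs=$IFS; IFS=','; set -- $2; IFS=$oldifs
    for item in "$@"; do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item;      hi=$item ;;
        esac
        [ "$vlan" -ge "$lo" ] && [ "$vlan" -le "$hi" ] && return 0
    done
    return 1
}

# report VLAN PORT LIST: print the verdict for one trunk port
report() {
    if vlan_in_list "$1" "$3"; then
        printf '%s ALLOWED\n' "$2"
    else
        printf '%s BLOCKED\n' "$2"
    fi
}

# trunk_vlan_status VLAN < output: one "PORT ALLOWED|BLOCKED" line per trunk,
# read only from the "Vlans allowed on trunk" section. Long lists wrap onto
# continuation lines that start with spaces; those are joined to the current port.
# Usage against a live switch: ssh -n admin@<SRT-SW-01> "show interfaces trunk" | trunk_vlan_status <VLAN_ID>
trunk_vlan_status() {
    vlan=$1; section=0; port=''; list=''
    while IFS= read -r line; do
        case $line in
            Port*'Vlans allowed on trunk'*) section=1; continue ;;
            Port*)
                [ -n "$port" ] && report "$vlan" "$port" "$list"
                port=''; section=0; continue ;;
        esac
        [ "$section" -eq 1 ] || continue
        case $line in
            '')   [ -n "$port" ] && report "$vlan" "$port" "$list"
                  port=''; continue ;;
            ' '*) list="$list$(printf '%s' "$line" | tr -d ' ')"; continue ;;
        esac
        [ -n "$port" ] && report "$vlan" "$port" "$list"
        set -- $line
        port=$1; list=$2
    done
    [ -n "$port" ] && report "$vlan" "$port" "$list"
    return 0
}

# Constructed sample: one allow-all trunk, one trunk with an explicit list.
sample_trunk_output() {
cat <<'EOF'
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/49    on               802.1q         trunking      1
Gi1/0/50    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/49    1-4094
Gi1/0/50    10,20,100-110

Port        Vlans allowed and active in management domain
Gi1/0/49    1,10,20,100
Gi1/0/50    10,20,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/49    1,10,20,100
Gi1/0/50    10,20,100
EOF
}

# Demo: VLAN 200 passes the allow-all trunk and is blocked on the pruned one.
sample_trunk_output | trunk_vlan_status 200
```

A BLOCKED line on the uplink is exactly the failure mode in risk 2: the VLAN exists on the switch but never leaves it, and 802.1X-assigned endpoints end up on a segment with no gateway.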
Detailed Backout Plan
ISE Rollback (Evan Rosado):
1. Delete authorization rule from Wired 802.1X Closed Mode policy set
2. Delete authorization profile
3. Endpoints fall through to the next matching rule or the policy set's default rule; in a closed-mode policy set that default may be DenyAccess, so confirm before rollback which rule research endpoints will land on
Switch Rollback (Tony Sun):
1. Remove VLAN from trunk allowed lists on each SRT access switch
2. Remove VLAN from Nexus distribution
3. Delete VLAN from each switch
4. Verify: show vlan id <VLAN_ID> (expected: VLAN not found in current VLAN database), show interfaces trunk (expected: VLAN absent from every allowed list; the trunks themselves still show)
Detailed Testing Plan
Pre-CAB: VLAN ID confirmed available on all SRT switches, DHCP scope verified, ISE backup taken, switch configs backed up, test endpoint identified.
Post-Production: Connect research endpoint → verify 802.1X auth → verify VLAN assignment (show authentication sessions) → verify DHCP → verify DACL → verify RADIUS Live Logs.
Pre-CAB Validation By: David Ntashamaje
Post-Production Validation By: David Ntashamaje
Post-Production Validation Date: 2026-04-15 (same day)
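For the post-production checks (802.1X auth, VLAN assignment, DACL) the script below reads a show access-session interface <INT> details capture and confirms the session is Authorized by dot1x, on the expected VLAN, with the expected downloadable ACL. It is an added example for this page, not part of the CR or of Cisco's tooling; the sample capture is constructed, VLAN 250, the DACL name RESEARCH-DACL and its hash are placeholders, and xACSACLx-IP-<name>-<hash> is the form in which IOS-XE displays an ISE-downloaded ACL.

```shell
#!/bin/sh
# Added example, not part of the CR: validate a captured
# "show access-session interface <INT> details" against the expected research
# VLAN and DACL. The sample capture is constructed; VLAN, DACL name and hash
# are placeholders.

sample_session_details() {
cat <<'EOF'
            Interface:  GigabitEthernet1/0/7
               IIF-ID:  0x1A2B3C4D
          MAC Address:  0011.2233.4455
         IPv6 Address:  Unknown
         IPv4 Address:  10.50.7.21
            User-Name:  host/research-ws-01.example.test
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A32070100000015A4B2C3D4
      Acct Session ID:  0x00000020
               Handle:  0x5B000015
       Current Policy:  POLICY_Gi1/0/7

Server Policies:
          Vlan Group:  Vlan: 250
             ACS ACL:  xACSACLx-IP-RESEARCH-DACL-6a1f2e3d

Method status list:
       Method           State
       dot1x            Authc Success
EOF
}

# session_field KEY < details: value of the first "KEY:  value" line
session_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# validate_session VLAN DACL_NAME < details: exit 0 when the session is
# Authorized, dot1x reports Authc Success, the assigned VLAN matches and the
# downloaded ACL is xACSACLx-IP-<DACL_NAME>-<hash>. Prints each failed check.
validate_session() {
    want_vlan=$1; want_dacl=$2; rc=0
    capture=$(cat)
    status=$(printf '%s\n' "$capture" | session_field Status)
    # "Vlan: 250" -> keep the trailing digits only
    vlan=$(printf '%s\n' "$capture" | session_field 'Vlan Group' | sed 's/.*[^0-9]//')
    dacl=$(printf '%s\n' "$capture" | session_field 'ACS ACL')
    method=$(printf '%s\n' "$capture" | awk '$1 == "dot1x" { $1 = ""; sub(/^ +/, ""); print; exit }')
    [ "$status" = Authorized ]   || { echo "FAIL status=${status:-none}"; rc=1; }
    [ "$vlan" = "$want_vlan" ]   || { echo "FAIL vlan=${vlan:-none} want=$want_vlan"; rc=1; }
    case $dacl in
        "xACSACLx-IP-$want_dacl-"*) ;;
        *) echo "FAIL dacl=${dacl:-none} want=xACSACLx-IP-$want_dacl-*"; rc=1 ;;
    esac
    [ "$method" = "Authc Success" ] || { echo "FAIL dot1x=${method:-none}"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS vlan=$vlan dacl=$dacl"
    return $rc
}

# Demo on the constructed capture. Live use:
#   ssh -n admin@<SRT-SW-01> "show access-session interface <INT> details" | validate_session <VLAN_ID> <DACL_NAME>
sample_session_details | validate_session 250 RESEARCH-DACL
```

Checking the DACL name as well as the VLAN matters: an authorization rule that matches but references the wrong profile can place the endpoint on the right VLAN with no ACL at all, which the VLAN check alone would report as a pass.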
Detailed Communication Plan
2026-04-14 (day before): Email stakeholders — change window, expected impact (none to existing services), contact info
2026-04-15 08:00: Begin implementation — Tony starts switch config, Evan prepares ISE
2026-04-15 (during): Teams/Slack updates as each phase completes
2026-04-15 11:00: Completion notification with validation results
Risk Analysis/Mitigation Plan
1. VLAN ID conflict (Low) — Verify show vlan brief on all switches before implementation
2. Trunk pruning blocks propagation (Medium) — Explicitly add VLAN to allowed list, don't rely on allow-all
3. ISE rule order causes wrong VLAN (Low) — Position rule precisely, test with David first
4. DHCP scope not ready (Medium) — Confirm scope exists before change window
5. STP topology change (Low) — With Rapid-PVST+ a new VLAN gets its own spanning-tree instance and existing VLANs are not recalculated; if MST is in use, leave the VLAN-to-instance mapping untouched, since editing it changes the region digest and splits the region
Change Request
| Field | Value |
|---|---|
| CR ID | CR-2026-04-15-srt-research-vlan |
| Title | SRT Research VLAN — Switch Configuration and ISE Policy Integration |
| Requested By | <REQUESTER_NAME> |
| Date Submitted | 2026-04-10 |
| Priority | High — research device segmentation (time-sensitive) |
| Category | Network Infrastructure / NAC Policy |
| Environment | Production — SRT Building |
Schedule
| Field | Value |
|---|---|
| Change Window | 2026-04-15 08:00 – 11:00 PDT |
| Duration | 3 hours |
| Maintenance Type | Scheduled |
| Impact | Minimal — new VLAN addition, no disruption to existing VLANs |
| Affected Systems | SRT access switches, Nexus distribution, ISE policy sets |
Personnel
| Role | Name | Responsibility |
|---|---|---|
| Implementer (Network) | Tony Sun | VLAN creation on SRT access switches, trunk allowed-VLAN additions, Nexus distribution uplink configuration |
| Implementer (ISE/NAC) | Evan Rosado | Authorization profile creation, authorization rule in Wired 802.1X Closed Mode policy set, VLAN assignment verification |
| Tester / Validator | David Ntashamaje | Endpoint connectivity validation, 802.1X authentication test, VLAN assignment confirmation on research endpoints |
Business Justification
Research devices in the SRT building are currently on the general data VLAN alongside production workstations. This creates unnecessary lateral movement risk and violates network segmentation best practices. An existing research VLAN — currently unused — will be repurposed and extended across the SRT building switches. The VLAN will be shared across buildings given the low research device count, avoiding IP waste from provisioning a new subnet. Research endpoints (Linux workstations, data collectors, and other research devices) will be moved onto this segment with 802.1X closed mode enforcement, reducing the blast radius of any compromise and enabling granular access control through ISE authorization policies.
Scope
In Scope
- Extend existing (unused) research VLAN to SRT building access-layer switches where not yet present
- Trunk port modifications to allow new VLAN between:
  - SRT access switches <-> Nexus distribution upstream
- ISE configuration:
  - New Authorization Profile (VLAN assignment to research VLAN)
  - New Authorization Rule in the Wired 802.1X Closed Mode policy set
  - Existing DACL (reused — no new DACL required)
Out of Scope
- DHCP scope creation (separate request if not already provisioned)
- Firewall rule modifications
- Wireless policy changes
- Endpoint onboarding / certificate provisioning
Pre-Change Data Collection
SRT Access Switches (Catalyst IOS-XE)
show cdp neighbors detail | include Device|IP|Platform|Interface
show vlan brief
show interfaces trunk
show interfaces status
show spanning-tree summary
show spanning-tree vlan <VLAN_ID>
show run | section ^interface|switchport|allowed
show run | section aaa|radius-server|dot1x|authentication
show access-session
show access-session interface <INT> details
show authentication sessions
show ip dhcp snooping binding
show mac address-table dynamic
show ip arp
show etherchannel summary
show run | include hostname
show version | include uptime|Software|Model
show env all
Nexus Distribution (NX-OS + Linux shell)
show vlan brief
show vlan id <VLAN_ID>
show interface trunk
show interface trunk | json | python3 -c "import sys,json; d=json.load(sys.stdin); [print(f'{i[\"interface\"]} vlans: {i[\"allowed_vlans\"]}') for i in d['TABLE_interface']['ROW_interface']]"
show vpc brief
show vpc consistency-parameters global
show port-channel summary
show hsrp brief
show ip route vrf all
show run | section ^interface | awk '/^interface/{intf=$0} /allowed vlan/{print intf, $0}'
show system resources
show spanning-tree summary
show fex
# MAC count per VLAN: NX-OS rows start with a flag column (*, +, G), so VLAN is $2 and the MAC itself is $3
show mac address-table dynamic | awk '/^[*+G]/{print $2}' | sort | uniq -c | sort -rn | head -20
# ARP entries per interface/SVI: skip the header block, interface is column 4
show ip arp | awk '/^[0-9]/{print $4}' | sort | uniq -c | sort -rn
show logging last 50
ISE — via netapi
# Endpoints in SRT
netapi cisco ise endpoints --filter "location=SRT" --format json \
| jq '[.[] | {mac, ip, profile, identityGroup}]'
# Authorization profiles — find existing research DACL
netapi cisco ise authz-profiles --format json \
| jq '[.[] | select(.name | test("research|dacl"; "i")) | {name, dacl: .daclName, vlan: .vlan}]'
# Policy sets — wired closed mode rules
netapi cisco ise policies wired --format json \
| jq '[.[] | {name, condition, profile}]'
# Active sessions on SRT switches
netapi cisco ise sessions --filter "nas=SRT" --format json \
| jq '[.[] | {mac, ip, nas: .nasIpAddress, vlan: .assignedVlan, authzProfile}]'
# Network devices — confirm SRT switch registration in ISE
netapi cisco ise network-devices --format json \
| jq '[.[] | select(.name | test("SRT"; "i")) | {name, ip, location, profileName}]'
ISE — via ERS API (direct curl)
# ISE_CA is the CA bundle that issued the ISE admin certificate (assumed variable).
# Do not use curl -k here: it disables TLS verification, so a host on the path could
# intercept the ERS credentials. Credentials given with -u are also visible in the
# process list; use a --netrc-file for scripted runs.
# ERS list calls are paged (default 20, max 100 per page): check .SearchResult.total
# and follow .SearchResult.nextPage.href when it is present.
# List all authorization profiles
curl -s --cacert "${ISE_CA}" -u "${ISE_USER}:${ISE_PASS}" \
-H "Accept: application/json" \
"https://${ISE_HOST}:9060/ers/config/authorizationprofile?size=100" \
| jq '[.SearchResult.resources[] | {name: .name, id: .id[:12]}]'
# Get full profile detail (VLAN + DACL)
curl -s --cacert "${ISE_CA}" -u "${ISE_USER}:${ISE_PASS}" \
-H "Accept: application/json" \
"https://${ISE_HOST}:9060/ers/config/authorizationprofile/<PROFILE_ID>" \
| jq '{name: .AuthorizationProfile.name, vlan: .AuthorizationProfile.vlan, dacl: .AuthorizationProfile.daclName}'
# Endpoint identity groups — find research group
curl -s --cacert "${ISE_CA}" -u "${ISE_USER}:${ISE_PASS}" \
-H "Accept: application/json" \
"https://${ISE_HOST}:9060/ers/config/endpointgroup?size=100" \
| jq '[.SearchResult.resources[] | select(.name | test("research"; "i"))]'
Network-Wide Discovery (from workstation)
# Build VLAN inventory across all switches
# ssh -n is required inside a `while read` loop: without it ssh reads the rest of the IP list from stdin
netapi cisco ise network-devices --format json \
| jq -r '.[].ip' \
| while read -r ip; do
printf "=== %s ===\n" "$ip"
ssh -n admin@"$ip" "show vlan brief" 2>/dev/null \
| awk 'NR>2 && /^[0-9]/{printf " VLAN %-6s %s\n", $1, $2}'
done
# Find which switches already have the research VLAN
# "show vlan id" prints "not found in current VLAN database" when the VLAN is absent, a status line otherwise
netapi cisco ise network-devices --format json \
| jq -r '.[].ip' \
| while read -r ip; do
result=$(ssh -n admin@"$ip" "show vlan id <VLAN_ID>" 2>/dev/null | grep -c "active")
[[ $result -gt 0 ]] && printf "%-15s HAS VLAN\n" "$ip" || printf "%-15s MISSING\n" "$ip"
done
# Trunk VLAN comparison across all switches
# Prints only the "Vlans allowed on trunk" section (the data lines do not contain the word
# "allowed", so matching on it shows headers only); wrapped continuation lines are skipped
netapi cisco ise network-devices --format json \
| jq -r '.[].ip' \
| while read -r ip; do
printf "=== %s ===\n" "$ip"
ssh -n admin@"$ip" "show interfaces trunk" 2>/dev/null \
| awk '/^Port/{sec=($0 ~ /Vlans allowed on trunk/)} sec && /^[A-Za-z]/ && !/^Port/{print " " $1 " → " $2}'
done
Output Storage (age-encrypted baseline)
All output is age-encrypted and stored in data/cr-baseline/. Plaintext never touches git.
BASELINE=~/atelier/_bibliotheca/domus-captures/data/cr-baseline/CR-2026-04-15-srt-research-vlan
AGE_RCPT=~/.age/recipients/self.txt
# age -o does not create parent directories
mkdir -p "${BASELINE}/access" "${BASELINE}/nexus" "${BASELINE}/ise"
Capture access switch data (IOS-XE runs one command per SSH exec and does not chain commands with ";", so loop over the commands and encrypt the combined output):
for cmd in "show vlan brief" "show interfaces trunk" "show cdp neighbors detail" "show access-session" "show authentication sessions" "show ip arp" "show mac address-table dynamic"; do
ssh -n admin@<SRT-SW-01> "$cmd"
done | age -e -R "${AGE_RCPT}" -o "${BASELINE}/access/srt-sw-01.txt.age"
Capture Nexus distribution data (NX-OS accepts " ; " as a command separator on one line):
ssh -n admin@<NEXUS-DIST> "show vlan brief ; show vpc brief ; show interface trunk ; show port-channel summary ; show hsrp brief ; show ip route vrf all" \
| age -e -R "${AGE_RCPT}" -o "${BASELINE}/nexus/nexus-dist.txt.age"
Capture ISE data via netapi:
netapi cisco ise authz-profiles --format json \
| age -e -R "${AGE_RCPT}" -o "${BASELINE}/ise/authz-profiles.json.age"
netapi cisco ise network-devices --format json \
| age -e -R "${AGE_RCPT}" -o "${BASELINE}/ise/network-devices.json.age"
netapi cisco ise endpoints --filter "location=SRT" --format json \
| age -e -R "${AGE_RCPT}" -o "${BASELINE}/ise/srt-endpoints.json.age"
Decrypt during change window:
age -d -i ~/.age/identities "${BASELINE}/access/srt-sw-01.txt.age"
# Pipe to awk/jq for analysis
age -d -i ~/.age/identities "${BASELINE}/ise/authz-profiles.json.age" \
| jq '[.[] | {name, dacl: .daclName, vlan: .vlan}]'
Commit encrypted baselines:
git -C ~/atelier/_bibliotheca/domus-captures add data/cr-baseline/CR-2026-04-15-srt-research-vlan/
git -C ~/atelier/_bibliotheca/domus-captures commit -m "$(cat <<'EOF'
data(CR-2026-04-15): pre-change baseline — access, nexus, ISE (age-encrypted)
EOF
)"
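To enforce the rule that plaintext never reaches git rather than rely on operator discipline, the hook below rejects any staged file under data/cr-baseline/ that is not an .age file beginning with the age format header (so a plaintext capture that was merely renamed to .age is rejected too). It is an added example for this page, not part of the CR's own tooling; the repository layout is the one used above, and the hook itself, its file names and its placement are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CR tooling: a pre-commit hook for the
# domus-captures repo that rejects any staged file under data/cr-baseline/
# that is not an age-encrypted file. The repo layout is the one used in this
# CR; the hook itself and its placement are assumptions.

AGE_HEADER='age-encryption.org/v1'   # first line of every age v1 file

# check_baseline_file PATH: 0 when PATH is a *.age file carrying the age header,
# 1 (with a printed reason) otherwise. Catches plaintext renamed to .age as well.
check_baseline_file() {
    case $1 in
        *.age) ;;
        *) printf 'REJECT %s: not an .age file\n' "$1"; return 1 ;;
    esac
    if [ "$(head -n 1 "$1" 2>/dev/null)" != "$AGE_HEADER" ]; then
        printf 'REJECT %s: missing age header (plaintext?)\n' "$1"; return 1
    fi
    return 0
}

# check_staged_baseline: run check_baseline_file over every added, modified or
# renamed staged path under data/cr-baseline/ (paths are relative to the repo
# root, which is where git runs hooks).
check_staged_baseline() {
    rc=0
    files=$(git diff --cached --name-only --diff-filter=AMR -- data/cr-baseline/)
    oldifs=$IFS; IFS='
'
    for f in $files; do
        check_baseline_file "$f" || rc=1
    done
    IFS=$oldifs
    return $rc
}

# Install: copy to .git/hooks/pre-commit and chmod +x. The check only runs when
# the script is invoked under that name, so sourcing the file elsewhere is inert.
case ${0##*/} in
    pre-commit) check_staged_baseline || exit 1 ;;
esac
```

The header check is the part that matters: a .gitignore pattern or a suffix rule only looks at the file name, while the first line of an age v1 file is fixed and cheap to verify before the commit lands.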