CR-2026-04-15: SRT Research VLAN Deployment

iTrack Reference

Change: 26828 (Logged) — Created 2026-04-10 by erosado

iTrack Fields — Copy/Paste

Summary

SRT Research VLAN — Switch Config + ISE 802.1X Integration

Description

Research devices in the SRT building are currently on the general data VLAN alongside production workstations. An existing research VLAN — currently unused — will be repurposed and extended across SRT building switches. The VLAN is shared across buildings given low research device count, avoiding IP waste. Research endpoints will be moved onto this segment with 802.1X closed mode enforcement, reducing lateral movement risk and enabling granular ISE authorization policies.

Implementers:
- Tony Sun: VLAN creation on SRT access switches, trunk allowed-VLAN additions, Nexus distribution uplink
- Evan Rosado: ISE authorization profile, authorization rule in Wired 802.1X Closed Mode policy set

Tester: David Ntashamaje — endpoint connectivity, 802.1X auth, VLAN assignment confirmation

Requested By / Manager / Director

Requested By: Rosado, Evan
Manager: Clizer, Sarah
Director: Band, Conrad

Implementer(s)

Tony Sun (Network), Evan Rosado (ISE/NAC)

Schedule

Start Date: 2026-04-15 08:00
End Date:   2026-04-15 11:00
Down Time Required: No
Affected Users: Research staff in SRT building

Benefits Of Change

Network segmentation — isolate research devices from production data VLAN, reduce lateral movement risk, enforce 802.1X closed mode on dedicated segment.

Detailed Implementation Plan

Phase 1 — Switch Configuration (Tony Sun):
1a. Extend existing research VLAN to SRT access switches where not yet present (verify first, add where missing)
1b. Add VLAN to trunk allowed lists between access switches and Nexus distribution
1c. Create VLAN on Nexus distribution and verify trunk propagation
1d. Verify: show vlan id, show interfaces trunk, show spanning-tree vlan

Phase 2 — ISE Configuration (Evan Rosado):
2a. Create Authorization Profile with research VLAN assignment (reuse existing DACL)
2b. Create Authorization Rule in Wired 802.1X Closed Mode policy set
2c. Verify: RADIUS Live Logs confirm correct AuthZ Profile and VLAN assignment

Phase 3 — Validation (David Ntashamaje):
3a. Connect research endpoint to SRT switch port
3b. Verify 802.1X authentication, VLAN assignment, DHCP, DACL, network reachability

Detailed Backout Plan

ISE Rollback (Evan Rosado):
1. Delete authorization rule from Wired 802.1X Closed Mode policy set
2. Delete authorization profile
3. Endpoints fall through to default policy

Switch Rollback (Tony Sun):
1. Remove VLAN from trunk allowed lists on each SRT access switch
2. Remove VLAN from Nexus distribution
3. Delete VLAN from each switch
4. Verify: show vlan id (expected: not found), show interfaces trunk (expected: no output)
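The Phase 1 verification (step 1d) and the switch rollback check (step 4 above) ask the same question of every SRT switch, just with opposite expected answers: is the research VLAN defined, and is it on each trunk's allowed list? The Python script below is an added illustration, not part of this change record; it parses constructed sample output shaped like Cisco IOS "show vlan brief" and "show interfaces trunk" (VLAN 310 and the port names are placeholders) and reports mismatches against either expected state.

```python
# Constructed sample output (not from the change record), shaped like Cisco IOS
# "show vlan brief" and "show interfaces trunk". VLAN 310 is a placeholder id.
RESEARCH_VLAN = 310
VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------
1    default                          active    Gi1/0/5, Gi1/0/6
100  DATA                             active    Gi1/0/1, Gi1/0/2
310  RESEARCH                         active
"""
TRUNKS = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/1/1     on               802.1q         trunking      1
Gi1/1/2     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/1/1     1,100,200-299,310
Gi1/1/2     1,100
"""

def parse_vlan_ids(show_vlan_brief):
    """VLAN ids defined on the switch, taken from the rows of 'show vlan brief'."""
    return {int(l.split()[0]) for l in show_vlan_brief.splitlines() if l[:1].isdigit()}

def parse_trunk_allowed(show_interfaces_trunk):
    """{port: allowed VLAN ids} from the 'Vlans allowed on trunk' section only."""
    allowed, in_section = {}, False
    for line in show_interfaces_trunk.splitlines():
        if line.startswith("Port"):            # every section opens with a Port header
            in_section = "Vlans allowed on trunk" in line
        elif in_section and line.strip():
            port, vlist = line.split(None, 1)
            ids = set()
            for part in vlist.split(","):      # expand ranges such as 200-299
                lo, _, hi = part.strip().partition("-")
                if lo.isdigit(): ids.update(range(int(lo), int(hi or lo) + 1))  # 'none' -> empty
            allowed[port] = ids
    return allowed

def check_switch(name, vlan_brief, trunk_out, vlan=RESEARCH_VLAN, expect_present=True):
    """Findings for one switch; empty means it matches the expected state.
    expect_present=True is the step 1d check, False the rollback step 4 check."""
    findings = []
    if (vlan in parse_vlan_ids(vlan_brief)) != expect_present:
        findings.append(f"{name}: VLAN {vlan} {'not defined' if expect_present else 'still defined'}")
    for port, ids in parse_trunk_allowed(trunk_out).items():
        if (vlan in ids) != expect_present:
            state = "not allowed" if expect_present else "still allowed"
            findings.append(f"{name}: VLAN {vlan} {state} on trunk {port}")
    return findings
```

Run it over the real output captured from each SRT switch with expect_present=True after Phase 1 and expect_present=False after rollback; any finding returned is a switch that still needs attention (in the sample, trunk Gi1/1/2 does not yet allow the VLAN).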

Detailed Testing Plan

Pre-CAB: VLAN ID confirmed available on all SRT switches, DHCP scope verified, ISE backup taken, switch configs backed up, test endpoint identified.

Post-Production: Connect research endpoint → verify 802.1X auth → verify VLAN assignment (show authentication sessions) → verify DHCP → verify DACL → verify RADIUS Live Logs.

Pre-CAB Validation By: David Ntashamaje
Post-Production Validation By: David Ntashamaje
Post-Production Validation Date: 2026-04-15 (same day)

Detailed Communication Plan

2026-04-14 (day before): Email stakeholders — change window, expected impact (none to existing services), contact info
2026-04-15 08:00: Begin implementation — Tony starts switch config, Evan prepares ISE
2026-04-15 (during): Teams/Slack updates as each phase completes
2026-04-15 11:00: Completion notification with validation results

Risk Analysis/Mitigation Plan

1. VLAN ID conflict (Low) — Verify show vlan brief on all switches before implementation
2. Trunk pruning blocks propagation (Medium) — Explicitly add VLAN to allowed list, don't rely on allow-all
3. ISE rule order causes wrong VLAN (Low) — Position rule precisely, test with David first
4. DHCP scope not ready (Medium) — Confirm scope exists before change window
5. STP topology change (Low) — New VLAN addition does not trigger STP recalculation for existing VLANs

Change Request

CR ID: CR-2026-04-15-srt-research-vlan
Title: SRT Research VLAN — Switch Configuration and ISE Policy Integration
Requested By: <REQUESTER_NAME>
Date Submitted: 2026-04-10
Priority: High — research device segmentation (time-sensitive)
Category: Network Infrastructure / NAC Policy
Environment: Production — SRT Building

Schedule

Change Window: 2026-04-15 08:00 – 11:00 PDT
Duration: 3 hours
Maintenance Type: Scheduled
Impact: Minimal — new VLAN addition, no disruption to existing VLANs
Affected Systems: SRT access switches, Nexus distribution, ISE policy sets

Personnel

Implementer (Network): Tony Sun
  Responsibility: VLAN creation on SRT access switches, trunk allowed-VLAN additions, Nexus distribution uplink configuration

Implementer (ISE/NAC): Evan Rosado
  Responsibility: Authorization profile creation, authorization rule in Wired 802.1X Closed Mode policy set, VLAN assignment verification

Tester / Validator: David Ntashamaje
  Responsibility: Endpoint connectivity validation, 802.1X authentication test, VLAN assignment confirmation on research endpoints

Business Justification

Research devices in the SRT building are currently on the general data VLAN alongside production workstations. This creates unnecessary lateral movement risk and violates network segmentation best practices. An existing research VLAN — currently unused — will be repurposed and extended across the SRT building switches. The VLAN will be shared across buildings given the low research device count, avoiding IP waste from provisioning a new subnet. Research endpoints (Linux workstations, data collectors, and other research devices) will be moved onto this segment with 802.1X closed mode enforcement, reducing the blast radius of any compromise and enabling granular access control through ISE authorization policies.

Scope

In Scope

  • Extend existing (unused) research VLAN to SRT building access-layer switches where not yet present

  • Trunk port modifications to allow new VLAN between:

    • SRT access switches ↔ Nexus distribution upstream

  • ISE configuration:

    • New Authorization Profile (VLAN assignment to research VLAN)

    • New Authorization Rule in the Wired 802.1X Closed Mode policy set

    • Existing DACL (reused — no new DACL required)

Out of Scope

  • DHCP scope creation (separate request if not already provisioned)

  • Firewall rule modifications

  • Wireless policy changes

  • Endpoint onboarding / certificate provisioning