VLAN migration runbook — flat 11 → segmented
Current: Single broadcast domain 192.168.11.0/24 (VLAN 11).
Target segments: Documented in NETWORK_CONFIGURATION_MASTER.md (e.g. 110–112, 120, 160, 200–203).
Policy: Enforce IP uniqueness and automated drift detection before cutover (SANKOFA_IT_OPERATIONS_CONTROLLER_SPEC.md section 4).
Preconditions
- `bash scripts/it-ops/export-live-inventory-and-drift.sh` exits 0 (no `duplicate_ips` for different guest names).
- Back up UDM/UniFi and Proxmox network configs.
- Maintenance window announced for default gateway moves.
Ordered segments (do not reorder without risk review)
| Step | Segment | Intent |
|---|---|---|
| 1 | Out-of-band / IPMI (if any) | Isolate management before touching data plane |
| 2 | Tenant-facing VLANs (200+) | Reduce blast radius for external-facing workloads |
| 3 | Besu validators / RPC | High sensitivity; coordinate with Chain 138 ops |
| 4 | Sankofa app tier | Portal, Keycloak, NPM upstreams |
Executable checklist
Run the shell helper (dry-run by default):
```bash
bash scripts/it-ops/vlan-segmentation-ordered-checklist.sh
bash scripts/it-ops/vlan-segmentation-ordered-checklist.sh --apply
```
`--apply` only records completion timestamps in a local state file under `reports/status/`; it does not configure switches. Use it as an operator log.
Per-step tasks (manual)
- Create VLANs on UDM/UniFi; assign subnets (no overlap with existing static leases).
- Add tagged ports on switches; update Proxmox bridges / CT `net0` VLAN tags incrementally.
- Re-run IPAM export after each wave; fix drift before the next wave.
- Update ALL_VMIDS_ENDPOINTS.md and `config/ip-addresses.conf` after live matches intent.
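
An added example (not part of the runbook or the repository's scripts): a pre-wave gate in Python that flags IPs claimed by different guest names, overlapping target subnets, and target subnets that contain addresses still in use. The inventory record layout and the subnets below are constructed placeholders; real values come from the IPAM export and NETWORK_CONFIGURATION_MASTER.md.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data. The (guest, ip) record layout and the target
# subnets are assumptions for illustration, not the project's export format
# or its real addressing plan.
INVENTORY = [
    ("besu-validator-1", "192.168.11.21"),
    ("besu-rpc-1", "192.168.11.30"),
    ("keycloak", "192.168.11.40"),
    ("portal", "192.168.11.40"),      # same IP, different guest name
    ("keycloak", "192.168.11.40"),    # same guest seen twice: not a conflict
]
PLAN = {
    110: "10.110.0.0/24",
    120: "10.120.0.0/24",
    200: "10.110.0.128/25",           # overlaps VLAN 110
    201: "192.168.11.0/26",           # covers addresses still in use
}


def duplicate_ips(inventory):
    """Return {ip: sorted guest names} for IPs claimed by more than one guest."""
    owners = defaultdict(set)
    for guest, ip in inventory:
        owners[str(ipaddress.ip_address(ip))].add(guest)
    return {ip: sorted(g) for ip, g in owners.items() if len(g) > 1}


def plan_conflicts(plan, inventory):
    """Return (overlapping VLAN pairs, {vlan: in-use IPs inside its subnet})."""
    nets = {vlan: ipaddress.ip_network(cidr) for vlan, cidr in plan.items()}
    vlans = sorted(nets)
    overlaps = [(a, b) for i, a in enumerate(vlans) for b in vlans[i + 1:]
                if nets[a].overlaps(nets[b])]
    used = {ipaddress.ip_address(ip) for _, ip in inventory}
    occupied = {v: sorted(str(ip) for ip in used if ip in n)
                for v, n in nets.items()}
    return overlaps, {v: ips for v, ips in occupied.items() if ips}


def gate(plan, inventory):
    """Exit status for a wave: 0 only when nothing conflicts."""
    overlaps, occupied = plan_conflicts(plan, inventory)
    return 1 if (duplicate_ips(inventory) or overlaps or occupied) else 0


if __name__ == "__main__":
    print(duplicate_ips(INVENTORY), plan_conflicts(PLAN, INVENTORY))
    raise SystemExit(gate(PLAN, INVENTORY))
```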
Rollback
- Keep previous UDM backup; revert trunk tagging if a segment loses gateway.
- Document actual vs planned in `reports/status/` for the IT controller audit log (Phase 3).