Network Upgrade Checklist

Export current configs from every switch, router, and firewall (Meraki, FortiGate, Cisco Catalyst, etc.). Capture VLAN assignments, subnet ranges, OSPF/BGP neighbors, and trunk configurations. Pull a current diagram from Auvik, NetBox, or Visio — most environments have drift between the diagram and reality.

Confirm SKUs, transceiver types (SFP+/SFP28/QSFP), PoE budget on new switches, and licensing tier (Meraki Enterprise vs. Advanced, FortiGate UTP vs. ATP). Flag long-lead items — Cisco and Meraki licensing co-terms are a common scheduling gotcha.

Submit a change request (RFC) to the Change Advisory Board. Most network upgrades are normal changes requiring CAB approval; standard pre-approved templates apply only for like-for-like swaps. Capture the approved change window and any client-facing maintenance notification requirements.

Check 802.1x/RADIUS, NAC, VoIP QoS markings, printer DHCP reservations, and any hardcoded device IPs against the new platform. WireGuard or IPsec VPN cipher suites and SD-WAN overlay compatibility are common breakage points when replacing a firewall.

Pull running-config and startup-config from every device in scope. Store in version control (Git) or the config backup tool (RANCID, Oxidized, SolarWinds NCM). Two copies, one offsite — config files are tiny; there is no excuse for losing them.

Load the backup onto a spare or virtual instance (EVE-NG, GNS3, or a lab switch) and confirm it boots clean. A backup nobody has ever restored is a hypothesis, not a backup.

Document the named rollback decision point and time budget — typically 30 minutes from window start. Include exact commands to revert configs, console cable pinouts, OOB/iDRAC access notes, and the named on-call engineer authorized to call rollback.

Page PagerDuty/Opsgenie that the window is open so monitoring alerts route correctly and don't wake the wrong engineer. Confirm the NOC has eyes on the affected sites in PRTG, Auvik, or LogicMonitor.

Mount the device, label patch cables to match the cutsheet, and load the pre-staged config via console. Verify management VLAN reachability before cutting any user traffic over.

Apply VLAN trunking, OSPF/BGP neighbors, and firewall policy in the order documented in the upgrade plan. Watch for any-any rules being recreated as a shortcut — that's how flat networks happen.

Test DNS, DHCP, AD authentication, M365 reachability, VPN client connection, and at least one VoIP call. Verify QoS markings survive the new switch — softphones drop voice quality fast when DSCP gets stripped.

Confirm SNMP, syslog, and NetFlow exports land in the SIEM and monitoring platform (Splunk, Sentinel, PRTG, Auvik). Devices the NOC can't see are devices the NOC can't fix.

Update IT Glue, Hudu, or Confluence with new asset tags, IPs, serial numbers, and warranty terms. Refresh the topology diagram. Stale docs cost the next on-call engineer an hour at 2am.

Summarize for the CAB and stakeholders: window duration, deviations from plan, incidents triggered, rollback invoked or not, lessons learned. Required artifact for SOC 2 change-management evidence.

Pull the helpdesk ticket queue (ConnectWise, Freshservice, Jira Service Management) for any tickets tagged to the upgrade window. Slow-WiFi and printer-can't-find-server tickets often show up Day 2, not Day 1.