Network Upgrade Checklist

Pre-Upgrade Planning

    Export current configs from every switch, router, and firewall (Meraki, FortiGate, Cisco Catalyst, etc.). Capture VLAN assignments, subnet ranges, OSPF/BGP neighbors, and trunk configurations. Pull a current diagram from Auvik, NetBox, or Visio — most environments have drift between the diagram and reality.

    Confirm SKUs, transceiver types (SFP+/SFP28/QSFP), PoE budget on new switches, and licensing tier (Meraki Enterprise vs. Advanced, FortiGate UTP vs. ATP). Flag long-lead items — Cisco and Meraki licensing co-terms are a common scheduling gotcha.

    Submit a change request (RFC) to the Change Advisory Board. Most network upgrades are normal changes requiring CAB approval; standard pre-approved templates apply only for like-for-like swaps. Capture the approved change window and any client-facing maintenance notification requirements.

    Check 802.1X/RADIUS, NAC, VoIP QoS markings, printer DHCP reservations, and any hardcoded device IPs against the new platform. WireGuard or IPsec VPN cipher suites and SD-WAN overlay compatibility are common breakage points when replacing a firewall.

    Send the notification one week ahead and again 24 hours before. Include start/end times in the users' local time zone, expected impact, and the IT escalation contact. For MSP clients, route through the account manager and PSA notification template.

Backup and Rollback Preparation

    Pull running-config and startup-config from every device in scope. Store in version control (Git) or the config backup tool (RANCID, Oxidized, SolarWinds NCM). Two copies, one offsite — config files are tiny; there is no excuse for losing them.

    Load the backup onto a spare or virtual instance (EVE-NG, GNS3, or a lab switch) and confirm it boots clean. A backup nobody has ever restored is a hypothesis, not a backup.

    Document the named rollback decision point and time budget — typically 30 minutes from window start. Include exact commands to revert configs, console cable pinouts, OOB/iDRAC access notes, and the named on-call engineer authorized to call rollback.

    Console cables, USB-to-serial adapters, laptop with TFTP server, cellular hotspot for OOB access if the upgrade kills primary internet. Verify iDRAC/iLO/IPMI credentials work — if you lock yourself out mid-window, the cellular hotspot is your only path back in.

Cutover Execution

    Page PagerDuty/Opsgenie that the window is open so monitoring alerts route correctly and don't wake the wrong engineer. Confirm the NOC has eyes on the affected sites in PRTG, Auvik, or LogicMonitor.

    Mount the device, label patch cables to match the cutsheet, and load the pre-staged config via console. Verify management VLAN reachability before cutting any user traffic over.

    Apply VLAN trunking, OSPF/BGP neighbors, and firewall policy in the order documented in the upgrade plan. Watch for any-any rules being recreated as a shortcut — that's how flat networks happen.

    Test DNS, DHCP, AD authentication, M365 reachability, VPN client connection, and at least one VoIP call. Verify QoS markings survive the new switch — softphones drop voice quality fast when DSCP gets stripped.

    If smoke tests fail and remediation will exceed the change window, restore the prior configs from backup and reseat the legacy hardware. Notify the CAB chair and the affected stakeholders that rollback was invoked. A clean rollback is a successful change; a partial cutover that limps into Monday morning is not.
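
One way to automate the any-any check from the policy step above is to scan the firewall config export before and after cutover and list every accept rule that is open on source, destination and service. This is an added example, not part of the original checklist; it assumes a FortiGate-style "config firewall policy" export, and the sample config and the function names parse_policies and find_any_any are constructed for illustration.

```python
import shlex

# Constructed sample in FortiGate CLI style; names are made up for this example.
SAMPLE = """\
config firewall policy
    edit 1
        set srcaddr "users-net"
        set dstaddr "all"
        set service "HTTPS" "DNS"
        set action accept
    next
    edit 2
        set name "temp-cutover"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
    edit 3
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
"""

def parse_policies(text):
    """Return one dict per 'edit' block: 'id' plus {field: [values]}."""
    policies, current, in_section = [], None, False
    for line in map(str.strip, text.splitlines()):
        if line == "config firewall policy":
            in_section = True
        elif in_section and line.startswith("edit "):
            current = {"id": line.split()[1]}
        elif current is not None and line.startswith("set "):
            _, key, *values = shlex.split(line)  # handles quoted multi-value fields
            current[key] = values
        elif current is not None and line == "next":
            policies.append(current)
            current = None
        elif in_section and line == "end":
            in_section = False
    return policies

def find_any_any(policies):
    """Accept rules whose source, destination and service all include 'all'."""
    return [p for p in policies
            if p.get("action") == ["accept"]  # assumption: no action line means deny
            and all("all" in map(str.lower, p.get(k, []))
                    for k in ("srcaddr", "dstaddr", "service"))]
```

Running find_any_any(parse_policies(...)) on both the pre-change backup and the post-cutover export shows whether a rule such as the constructed "temp-cutover" policy appeared during the window.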

Post-Upgrade Verification

    Confirm SNMP, syslog, and NetFlow exports land in the SIEM and monitoring platform (Splunk, Sentinel, PRTG, Auvik). Devices the NOC can't see are devices the NOC can't fix.

    Update IT Glue, Hudu, or Confluence with new asset tags, IPs, serial numbers, and warranty terms. Refresh the topology diagram. Stale docs cost the next on-call engineer an hour at 2am.

    Summarize for the CAB and stakeholders: window duration, deviations from plan, incidents triggered, rollback invoked or not, lessons learned. Required artifact for SOC 2 change-management evidence.

    Pull the helpdesk ticket queue (ConnectWise, Freshservice, Jira Service Management) for any tickets tagged to the upgrade window. Slow-WiFi and printer-can't-find-server tickets often show up Day 2, not Day 1.

    Hold a 30-day review with the network team and (for MSP engagements) the vCIO. Review monitoring trends, ticket volume, and any deferred follow-up items from the post-change report.
