Summary: Running log of all note creations, updates, and deletions in this vault. Updated automatically each time a note is created or edited.
- QRG-012 - Network Device Decommission Checklist — New QRG covering the full decommission workflow for IOS-XE switches/routers, FTD firewalls, Meraki devices and networks, WLC-managed APs, ISE/TACACS cleanup, Zabbix cleanup, and logistics.
- KBA-040 - Cisco Catalyst and Meraki MS Switch Comparison — New note comparing Catalyst 9300 vs MS250/MS350 and 9200 vs MS225; verified against Meraki MS Family Datasheet. Stacking bandwidths corrected (MS225/MS250 = 80 Gbps, MS350 = 160 Gbps); MS225-48FP PoE corrected to 740W.
- STN-DRAFT - Meraki Network Tagging Standard — New draft standard defining mandatory site_code:, region:, and environment:staging tags for all Meraki networks.
- KBA-039 - Meraki MX75 and MX85 — Model Comparison — New note comparing the MX75 and MX85; fully verified against MX Family Datasheet (October 2025). MX75 is desktop/wall-mount (not rack), VPN throughput differs significantly (1 Gbps vs 2.5 Gbps), max VPN tunnels 75 vs 200, MX75 has 2× LAN PoE+, MX85 has 1× WAN PoE+. Licensing tiers corrected to SD-WAN Plus / Advanced Security / Enterprise.
- KBA-036 - Cisco Support and Licensing Agreements — Rewritten to focus on Cisco support models (SNTC, Solution Support, Catalyst licensing, Meraki subscription); added Meraki TAC vs Cisco TAC distinction and expanded comparison table.
- KBA-037 - Cisco Enterprise Agreement — New note explaining the EA model, True Forward consumption mechanism, covered product families, and how it compares to per-device licensing.
- KBA-038 - Cisco Secure Client VPN Authentication — SAML and Active Directory on FTD — New note explaining the architecture of SAML and AD-based VPN authentication on FTD, covering authentication vs authorisation, PHS/PTA/AD FS IdP modes, LDAP authorisation, DAP, and FMC configuration overview.
- KBA-036 - Cisco Support and Licensing Agreements — New note covering Smart Net Total Care, Catalyst/DNA software licensing tiers, and Meraki per-device licensing.
- STN-DRAFT - Structured Cabling Standard — New draft standard covering Cat6A copper deployment, SMF (OS2) and MMF (OM4/OM5) selection and use cases.
- CFG-002 - IOS-XE SNMP Configuration — Updated SNMPv3 config to use auth sha256 (SHA-256) instead of auth sha (SHA-1, deprecated per NIST SP 800-131A). Added IOS-XE 16.9+ version requirement note. Strengthened minimum password guidance.
- CFG-002 - IOS-XE SNMP Configuration — New config snippet: SNMPv2c read-only and SNMPv3 auth+priv variants for IOS-XE.
- KBA-034 - Meraki Firmware Lifecycle and Upgrade Management — New KBA covering firmware release tracks, upgrade scheduling, maintenance windows, firmware lock, upgrade behaviour per device type, and best practices.
- KBA-035 - Meraki Dashboard — Cloud Management Architecture — New KBA covering cloud management architecture, control/data plane separation, protocols and ports, certificate-based device authentication, configuration delivery, cloud outage behaviour, and management channel security controls.
- CFG-001 - IOS-XE NTP Configuration — First note in new Config Snippets section. Covers NTP server config with and without authentication, verification commands, and key considerations.
- Config Snippets section added — New vault folder Config Snippets/ created. CFG-NNN prefix and cfg tag registered. section_for_path() updated in wikijs_publish.py to route Config Snippets to the ## Config Snippets index section. CLAUDE.md updated.
- QRG-011 - FTD Packet Tracer and Connection Events — new Quick Reference Guide covering Packet Tracer (CLI syntax, FMC GUI path, reading phase output) and Connection Events (FMC GUI filters and key columns, CLI active connections via show conn). Published to wiki.js.
- All vault notes — Added category prefix tag (kba, qrg, stn, or draft) to frontmatter of all 42 notes that were missing it.
- QRG-008 - FTD Upgrade via FMC — new Quick Reference Guide covering the FTD upgrade process via FMC: pre-upgrade checklist, package upload, readiness check, standalone and HA pair upgrade sequencing, chassis-based platform caveat (FPR4100/9300 FXOS), and post-upgrade verification. Published to wiki.js.
- QRG-009 - FTD CLI Reference — new Quick Reference Guide covering FTD CLI modes (FTD CLI, diagnostic CLI, expert mode), system health, interfaces, routing, connections, NAT, VPN, packet tracer, packet capture, and expert mode commands. Published to wiki.js.
- QRG-010 - DNS Terms Reference — new Quick Reference Guide covering DNS record types, zone types, resolution concepts (recursive/iterative, TTL, NXDOMAIN, split-horizon, scavenging), DNSSEC terminology, and Active Directory DNS (SRV records, _msdcs zone, dynamic updates, GC, PDC Emulator). Published to wiki.js.
- KBA-024 - Meraki UAC — Uplink Auto Config — added Recommended Firmware section (17.15.5 as production baseline, CS firmware migration warning), Troubleshooting section (basic and UAC-specific checks), and References section (five Cisco/Meraki sources). Stale draft meraki-uac-obsidian-note.md deleted from vault root. Republished to wiki.js.
- vault_rename.py — added _remove_old_index_link() function; called after a successful pages.move to remove the old index link immediately, preventing dead links when a note is renamed.
- wiki.js — deleted three orphaned stale pages left over from the batch rename: cisco-ios-xe-common-security-configurations, ios-xe-device-admin-mfa-ise-33-and-duo-integration, tacacs-best-practices-for-cisco-ios-xe-deployment.
- QRG-006 - Tailscale Network and Firewall Guide — Renamed from 'QRG-006 - Tailscale — Network and Firewall Quick Reference'. Wikilinks updated in 0 note(s).
- QRG-001 - Active Directory Firewall Rules — removed redundant 'Quick Reference Guide' suffix from title. Wikilinks and wiki.js updated.
- QRG-004 - Meraki Packet Capture Filters — removed redundant 'Quick Reference Guide' suffix from title. Wikilinks and wiki.js updated.
- QRG-007 - Wireshark Display Filters — removed redundant 'Quick Reference Guide' suffix from title. Wikilinks and wiki.js updated.
- STN-001 - Network Hardware Standards — promoted from STN-DRAFT to approved standard. Status set to Approved, version bumped to 1.0, Approver set to Mike Jones, Approved Date 2026-04-29. Draft callout removed. Moved from Draft Notes/ to Standards/. wiki.js page moved to new slug and republished.
- STN-DRAFT - Network Port Allocations — new draft standard with placeholder content. Saved to Draft Notes/. Published to wiki.js.
- wikijs_publish.py — section_for_path() updated: General Technology folder now maps to ## Knowledge Based Articles index section.
- wiki.js index — ## General Technology section renamed to ## Knowledge Based Articles.
Applied KBA/QRG/STN numbering scheme to all 41 vault notes:
- STN-DRAFT - Network Hardware Standards — renamed from 'Network Hardware Standards'.
- QRG-001 - Active Directory Firewall Rules - Quick Reference Guide — renamed from 'Active Directory Firewall Rules - Quick Reference Guide'.
- QRG-002 - IOS-XE Privilege Levels — renamed from 'IOS-XE Privilege Levels'.
- QRG-003 - Meraki LED Status Lights — renamed from 'Meraki LED Status Lights'.
- QRG-004 - Meraki Packet Capture Filters — Quick Reference Guide — renamed from 'Meraki Packet Capture Filters — Quick Reference Guide'.
- QRG-005 - RADIUS vs TACACS+ Comparison — renamed from 'RADIUS vs TACACS+ Comparison'.
- QRG-006 - Tailscale — Network and Firewall Quick Reference — renamed from 'Tailscale — Network and Firewall Quick Reference'.
- QRG-007 - Wireshark Display Filters — Quick Reference Guide — renamed from 'Wireshark Display Filters — Quick Reference Guide'.
- KBA-001 - Active Directory Client Authentication — Network Perspective — renamed from 'Active Directory Client Authentication — Network Perspective'.
- KBA-002 - Active Directory Domain Services Overview — renamed from 'Active Directory Domain Services Overview'.
- KBA-003 - Active Directory Sites and Services — renamed from 'Active Directory Sites and Services'.
- KBA-004 - AnyConnect SAML Authentication with Entra ID — renamed from 'AnyConnect SAML Authentication with Entra ID'.
- KBA-005 - Building a P2P IPsec VPN on IOS-XE — renamed from 'Building a P2P IPsec VPN on IOS-XE'.
- KBA-006 - Cisco FTD — Access Control Policy Configuration — renamed from 'Cisco FTD — Access Control Policy Configuration'.
- KBA-007 - Cisco IOS-XE AAA Overview — renamed from 'Cisco IOS-XE AAA Overview'.
- KBA-008 - Cisco IOS-XE Security Configurations — renamed from 'Cisco IOS-XE Security Configurations'.
- KBA-009 - Cisco ISE TACACS+ Server Setup — renamed from 'Cisco ISE TACACS+ Server Setup'.
- KBA-010 - Clearing Broken Crypto Sessions - DMVPN and IPsec — renamed from 'Clearing Broken Crypto Sessions - DMVPN and IPsec'.
- KBA-011 - Configuring RODC for Branch Offices — renamed from 'Configuring RODC for Branch Offices'.
- KBA-012 - Configuring SSH on IOS-XE — renamed from 'Configuring SSH on IOS-XE'.
- KBA-013 - Enabling MFA with TACACS+ on IOS-XE — renamed from 'Enabling MFA with TACACS+ on IOS-XE'.
- KBA-014 - Enabling TACACS+ on a Cisco IOS-XE Switch — renamed from 'Enabling TACACS+ on a Cisco IOS-XE Switch'.
- KBA-015 - Firewall Rules for Active Directory — renamed from 'Firewall Rules for Active Directory'.
- KBA-016 - Group Policy Processing and Application — renamed from 'Group Policy Processing and Application'.
- KBA-017 - How to Use TCL Scripts on IOS-XE — renamed from 'How to Use TCL Scripts on IOS-XE'.
- KBA-018 - IOS-XE 9300 to Meraki 9200 LACP Port-Channel — renamed from 'IOS-XE 9300 to Meraki 9200 LACP Port-Channel'.
- KBA-019 - IOS-XE Device Admin MFA — ISE 3.3 and Duo Integration — renamed from 'IOS-XE Device Admin MFA — ISE 3.3 and Duo Integration'.
- KBA-020 - IOS-XE SVTI to Meraki VPN with RSA Authentication — renamed from 'IOS-XE SVTI to Meraki VPN with RSA Authentication'.
- KBA-021 - IOS-XE to Meraki Managed Mode Conversion — renamed from 'IOS-XE to Meraki Managed Mode Conversion'.
- KBA-022 - Kerberos Protocol Deep Dive — renamed from 'Kerberos Protocol Deep Dive'.
- KBA-023 - Meraki Safe and Unsafe Configurations — renamed from 'Meraki Safe and Unsafe Configurations'.
- KBA-024 - Meraki UAC — Uplink Auto Config — renamed from 'Meraki UAC — Uplink Auto Config'.
- KBA-025 - MPOE, MDF and IDF — US and European Equivalents — renamed from 'MPOE, MDF and IDF — US and European Equivalents'.
- KBA-026 - Native VLANs on Trunk Ports — renamed from 'Native VLANs on Trunk Ports'.
- KBA-027 - NTLM Authentication and Security Risks — renamed from 'NTLM Authentication and Security Risks'.
- KBA-028 - Restricting RPC Dynamic Port Range on Windows — renamed from 'Restricting RPC Dynamic Port Range on Windows'.
- KBA-029 - TACACS+ Best Practices - IOS-XE — renamed from 'TACACS+ Best Practices - IOS-XE'.
- KBA-030 - TCL Script to Update Default Route — renamed from 'TCL Script to Update Default Route'.
- KBA-031 - Troubleshooting DMVPN Spoke Sites — renamed from 'Troubleshooting DMVPN Spoke Sites'.
- KBA-032 - Troubleshooting FTD Connectivity to a Cisco 9300 Switch — renamed from 'Troubleshooting FTD Connectivity to a Cisco 9300 Switch'.
- KBA-033 - Troubleshooting P2P IPsec VPNs — renamed from 'Troubleshooting P2P IPsec VPNs'.
- Wireshark Display Filters — Quick Reference Guide — new Quick Reference Guide covering Wireshark display filter syntax: IP address, protocol, port, MAC, TCP flags, TCP analysis fields (retransmission, zero window, out-of-order), HTTP, DNS, DHCP, ICMP, and common troubleshooting combinations. Published to wiki.js.
- Meraki Packet Capture Filters — Quick Reference Guide — new Quick Reference Guide covering BPF/tcpdump filter syntax for the Meraki dashboard packet capture tool: host, network, protocol, port, MAC, VLAN, packet length, TCP flags, and common combinations. Published to wiki.js.
- wikijs_publish.py — updated insert_link_in_index() to accept a section parameter and added section_for_path() to derive the correct index section from the vault subfolder. New notes now route to ## General Technology, ## Quick Reference Guides, ## Draft Notes, ## Standards, or ## Release Notes automatically. The stray ## Published Notes section was removed from the wiki.js index and the MPOE note link moved to ## General Technology.
- MPOE, MDF and IDF — US and European Equivalents — new General Technology note covering US/UK/European structured cabling terminology, standards bodies, and legal demarcation responsibilities. Published to wiki.js.
- Network Hardware Standards — rewritten to formal standards format: added Document Control table, Version History, Draft callout, and structured sections (Purpose, Scope, Requirements, Rationale, Exceptions). All technical tables retained. Saved to Draft Notes/. Published to wiki.js.
- All 38 notes reorganised into category subfolders within Cisco and Meraki/: Quick Reference Guides (5 notes), Draft Notes (1 note), General Technology (32 notes — includes all former Standards notes). ! Changelog.md remains at the vault root. default route change.tcl moved to General Technology/. Obsidian wikilinks are unaffected — Obsidian resolves [[wikilinks]] across subdirectories automatically. Publish scripts (wikijs_publish.py, vault_rename.py, vault_health_check.py) updated to search the vault recursively. Wiki.js index page updated to group notes by category. CLAUDE.md workspace layout and inventory updated.
- Network Hardware Standards — Draft equipment standards note covering preferred FTD models (FTD1220CX, FTD1230), Meraki MX models (MX75, MX95, vMX Large), and switching (C9300-M core, C9300X-M high-density core, C9200L-M access, MS150 access, MS130 mini). Includes HA posture, licensing, and stacking guidance. Wireless APs flagged as pending review. Marked as draft pending team sign-off.
- Active Directory Firewall Rules - Quick Reference Guide — Renamed from 'Active Directory Firewall Rules - Summary'. Wikilinks updated in 2 note(s).
- IOS-XE Etherchannel to Meraki AGGR0 — Removed as redundant. Procedure is covered in full by IOS-XE 9300 to Meraki 9200 LACP Port-Channel.
- IOS-XE to Meraki LACP — Removed as redundant. Config snippet is included in IOS-XE 9300 to Meraki 9200 LACP Port-Channel.
- Removed bold (text) from prose in 30 notes (341 instances). Bold is now only present in table cells and WARNING callout titles, per vault convention.
- Active Directory Client Authentication — Network Perspective — Renamed from hyphen to em-dash in filename (vault convention fix). Merged split INFO callout onto a single line. Converted powershell fence to text. Updated wikilinks in six notes that referenced the old hyphenated filename.
- Firewall Rules for Active Directory — Merged split INFO callout onto a single line. Converted two powershell fences to text.
- How to Use TCL Scripts on IOS-XE — Added See Also section.
- IOS-XE Etherchannel to Meraki AGGR0 — Converted bare wikilink at bottom to a proper See Also section with additional related notes.
- IOS-XE SVTI to Meraki VPN with RSA Authentication — Added See Also section.
- IOS-XE to Meraki LACP — Added See Also section.
- IOS-XE to Meraki Managed Mode Conversion — Converted bare wikilink at bottom to a proper See Also section with additional related notes.
- Meraki LED Status Lights — Added See Also section.
- Native VLANs on Trunk Ports — Added See Also section.
- TCL Script to Update Default Route — Added See Also section.
- Tailscale — Network and Firewall Quick Reference — Added See Also section.
- Meraki UAC — Uplink Auto Config — Revised preferred uplink version history: 17.15.4.1 introduced automatic fallback but it was not reliably functional; 17.15.5 is where it became fully reliable with the working automatic fallback checkbox and ARP-only probing. Table split to show 17.15.4.1 and 17.18.1/17.18.2 separately. Workarounds section updated to recommend upgrade to 17.15.5 as the primary fix and clarify that the dashboard checkbox is only dependable from 17.15.5 onwards.
- Meraki UAC — Uplink Auto Config — New note explaining what UAC is on hybrid IOS-XE Catalyst switches, how interface scoring (0–12) works, and the known preferred uplink issue on IOS-XE 17.15.4.1, 17.18.1, and 17.18.2 where UAC will not automatically return to the preferred uplink once it has moved away. Fix confirmed in 17.15.5. Covers automatic fallback checkbox, manual recheck button, UAC Allow List (17.18.2+), and verification commands.
- IOS-XE 9300 to Meraki 9200 LACP Port-Channel — Step-by-step procedure for forming an LACP port-channel between a Catalyst 9300 (IOS-XE) and a Catalyst 9200 (Meraki managed). Documents the order-sensitive sequence: clean both 9300 ports and shut one down, configure the LAG in the Meraki dashboard (brief outage), immediately apply LACP to the active 9300 port and bring up the Port-channel to restore connectivity, then add the second port to complete the bundle. Includes verification commands.
- IOS-XE to Meraki Managed Mode Conversion — Fixed H1 title to match filename (removed ": Requirements and Approach" subtitle that violated vault conventions and caused a wiki.js slug mismatch). Wiki.js page moved to correct slug via pages.move.
- Meraki Safe and Unsafe Configurations — New note explaining how Meraki defines safe and unsafe configurations, the 30-minute cloud-connectivity timer that promotes a configuration to safe, device-specific revert behaviour (MX, MS, MR, MG), common real-world triggers for unsafe configurations, dashboard indicators, and operational considerations.
- IOS-XE Device Admin MFA — ISE 3.3 and Duo Integration — Corrected Phase 3 IOS-XE AAA configuration: added missing aaa new-model (required before all other AAA commands); replaced default authorization and accounting lists with named lists (VTY_MFA, CON_LOCAL) to keep console break-glass fully independent of TACACS; applied authorization lists explicitly to line con 0 and line vty configs; updated break-glass username to use algorithm-type scrypt rather than default MD5 hashing.
- IOS-XE Device Admin MFA — ISE 3.3 and Duo Integration — Added Mermaid network flow diagram to Architecture Overview section replacing ASCII art. Diagram shows the full authentication flow between Network Engineer, IOS-XE device, ISE PSN nodes (US/UK), Active Directory, Duo Cloud, and Microsoft Authenticator, with numbered steps ①–⑦ and a flow legend.
- IOS-XE Device Admin MFA — ISE 3.3 and Duo Integration — New implementation plan for enabling MFA on a subset of IOS-XE devices using Cisco ISE and Cisco Duo with Microsoft Authenticator as TOTP provider. Uses direct ISE PSN-to-Duo Cloud integration (no Authentication Proxy required). ISE 3.3 Patch 1 is a hard prerequisite — direct Duo integration does not exist in ISE 3.2. Covers ISE upgrade procedure (Phase 0), Duo environment audit, ISE Duo identity source configuration with AD sync, NDG-scoped TACACS policy set, firewall requirements, IOS-XE AAA configuration (VTY MFA, console local-only), user enrolment, testing, rollback, and acronym glossary. Note title updated from "ISE 3.2" to "ISE 3.3" to reflect correct minimum version requirement.
- AnyConnect SAML Authentication with Entra ID — New note covering SAML 2.0 VPN authentication between Cisco FTD 7.x and Entra ID. Documents the full auth flow, Entra ID Enterprise App setup, FMC SAML IdP object, Group Policy configuration with split tunnelling, Connection Profile, and DAP rules for mapping Entra group Object ID GUIDs to Group Policies.
- Cisco IOS-XE Security Configurations — Fixed H1 title to match filename; corrected INFO callout to single-line format; fixed broken code fence closings throughout; added See Also section.
- TACACS+ Best Practices - IOS-XE — Fixed H1 title to match filename; removed broken wikilink to deleted TACACs Enablement note; replaced loose wikilinks with a proper See Also section.
- Active Directory Firewall Rules - Summary — Fixed INFO callout from two-line to single-line format.
- Native VLANs on Trunk Ports — Filename corrected from Native VLANs on trunk ports.md to Title Case.
- All 35 vault notes — Bulk formatting pass: converted two-line > **Summary:** text callouts to single-line > [!INFO] Summary text format for correct wiki.js rendering.
- TACACs Enablement — Removed from vault and wiki.js.
- wikijs_publish.py — Updated obsidian_to_wikijs() regex to handle both one-line and two-line INFO callout formats.
- CLAUDE.md — Created persistent session context file for Bob in the tooling folder (technical-notes/). Contains agent roster, workspace layout, vault conventions, wiki.js setup, working preferences, note inventory, and session history.
- Meraki LED Status Lights — Renamed from "Meraki LEDs"; wiki.js page moved to new slug via pages.move mutation; index link updated.