140 lines
6.8 KiB
Markdown
140 lines
6.8 KiB
Markdown
# UniFi SSID Cleanup Proposal — 2026-05-23
|
|
|
|
Purpose: turn the remaining SSID cleanup into an exact low-risk keep/retire proposal before any live Wi-Fi changes.
|
|
|
|
Status note:
|
|
- this remains useful as a keep/retire proposal, but the Protect chime portion must now be read together with `unifi-protect-doorbell-chime-current-state-2026-05-26.md`
|
|
- current known-good chime behavior is on Management/default `UniFi Wireless`, not on the Camera/Security lane
|
|
|
|
## Basis
|
|
Artifact-based planning only. No live SSID edits were made in this pass.
|
|
|
|
Artifacts used:
|
|
- `unifi-live-preflight-snapshot-2026-05-22.md`
|
|
- `unifi-readonly-recon-2026-05-22.md`
|
|
- `unifi-client-rehome-results-2026-05-22.md`
|
|
- `google-cast-pilot-result-2026-05-23.md`
|
|
- `unifi-legacy-cia-closeout-2026-05-23.md`
|
|
- `network-redesign-plan.md`
|
|
- `network-redesign-implementation-runbook.md`
|
|
|
|
## Current SSIDs seen in the last verified inventory
|
|
- `CIA Via` -> `Old IoT`
|
|
- `UNEF's Playhouse` -> `Camera`
|
|
- `Whiskey Neat Fuck Ice` -> `Trusted`
|
|
- `Yer a Wifi Harry` -> `Trusted`
|
|
|
|
## Steady-state target
|
|
Long-term, the network should converge on:
|
|
- one Trusted SSID
|
|
- one IoT SSID
|
|
- one Guest SSID
|
|
- one Security SSID
|
|
- no Legacy CIA SSID
|
|
- no duplicate Trusted SSIDs unless a real compatibility reason remains
|
|
|
|
## Exact keep / retire proposal
|
|
|
|
### 1) `Yer a Wifi Harry`
|
|
- Proposed role: `keep`
|
|
- Lane: `Trusted`
|
|
- Why:
|
|
- already one of the two Trusted SSIDs
|
|
- should become the single main human/operator SSID
|
|
- keeping this as the surviving Trusted SSID lets the duplicate Trusted SSID be retired later without renaming everything at once
|
|
- Preconditions to call it final:
|
|
- trusted phones/laptops are healthy here
|
|
- no critical household endpoint still depends on the other Trusted SSID for compatibility
|
|
|
|
### 2) `Whiskey Neat Fuck Ice`
|
|
- Proposed role: `temporary keep, then retire`
|
|
- Lane: `Trusted`
|
|
- Why:
|
|
- it is currently duplicate Trusted capacity, not a distinct policy lane
|
|
- the Google/cast pilot device `dc:e5:5b:8f:57:d2` was previously on this SSID and successfully landed on `IoT` / `CIA Via` via override
|
|
- duplicate Trusted SSIDs create policy ambiguity and make cleanup harder
|
|
- Retirement gate:
|
|
- confirm all remaining clients on this SSID are either:
|
|
- intentionally kept on Trusted and able to use `Yer a Wifi Harry`, or
|
|
- moved off Trusted entirely
|
|
- Safe retirement method:
|
|
1. inspect current client list on `Whiskey Neat Fuck Ice`
|
|
2. migrate or test any stragglers onto `Yer a Wifi Harry`
|
|
3. disable `Whiskey Neat Fuck Ice`
|
|
4. verify admin path and key household endpoints still behave
|
|
5. only then consider deletion later
|
|
|
|
### 3) `CIA Via`
|
|
- Proposed role: `temporary keep as quarantine/legacy bridge, then retire last`
|
|
- Lane: `Old IoT` / legacy quarantine
|
|
- Why:
|
|
- recent verified artifacts still show it serving the remaining Google/discovery-sensitive devices and the unidentified quarantine leftovers
|
|
- after the Google/cast pilot, the moved Google device reassociated and was seen on SSID `CIA Via` while logically landing on `IoT`; that means this SSID is still part of the current transition path and should not be yanked casually
|
|
- the legacy closeout explicitly keeps six unidentified devices quarantined on `Old IoT`
|
|
- Retirement gate:
|
|
- all intentionally kept devices have been moved to clean `IoT`, `Security`, or `Trusted` as appropriate
|
|
- any unclaimed leftovers are either retired/killed or deliberately left for a later maintenance window
|
|
- no household-critical Google/cast behavior still depends on this legacy SSID path
|
|
- Safe retirement method:
|
|
1. complete human validation of the existing Google/cast pilot from a laptop
|
|
2. decide whether more Google devices move to clean `IoT` now or stay deferred
|
|
3. confirm the six quarantine leftovers are the only residents, or reduce further
|
|
4. when `CIA Via` has no required clients left, disable it first
|
|
5. observe for complaints / breakage
|
|
6. delete only after a calm observation period
|
|
|
|
### 4) `UNEF's Playhouse`
|
|
- Proposed role: `keep`
|
|
- Lane: `Camera` / `Security`
|
|
- Why:
|
|
- it is already mapped to the security lane
|
|
- doorbell and Protect-chime estate justify a distinct security SSID
|
|
- keeping security separate from generic IoT matches the redesign intent and future camera growth plan
|
|
- Preconditions to call it final:
|
|
- doorbell/chimes remain healthy after explicit Protect validation on that lane
|
|
- no evidence that merging them into general IoT would be safer or simpler
|
|
- Current caution:
|
|
- treat the Security SSID as future-state design intent, not proof that the Wi-Fi chimes are safe there today
|
|
- the current known-good live path for the chimes is still Management/default `UniFi Wireless`
|
|
|
|
### 5) Guest SSID
|
|
- Proposed role: `create or enable separately when ready`
|
|
- Why:
|
|
- the target design calls for a true guest lane
|
|
- the last verified enabled-SSID list did not show a guest Wi-Fi SSID even though the Guest network object exists
|
|
- do not repurpose one of the current live SSIDs for Guest unless the live client list proves it is unused and the change window is calm
|
|
- Recommended approach:
|
|
- treat Guest as a separate controlled add, not part of the first retirement move
|
|
|
|
## Recommended cleanup order
|
|
This is the safest order based on current evidence:
|
|
|
|
1. Keep `Yer a Wifi Harry` as the surviving main Trusted SSID
|
|
2. Keep `UNEF's Playhouse` as the Security SSID
|
|
3. Validate the existing Google/cast pilot from the laptop and decide whether more Google devices can leave legacy paths
|
|
4. Leave `CIA Via` alive until the legacy/quarantine path is truly drained
|
|
5. Retire `Whiskey Neat Fuck Ice` before retiring `CIA Via`
|
|
6. Only after `CIA Via` is empty and no longer required, disable and later delete it
|
|
7. Add/enable a proper Guest SSID as a separate tidy-up step if still missing
|
|
|
|
## Things not to do
|
|
- do not delete `CIA Via` just because the easy-value IoT devices already moved
|
|
- do not disable both Trusted SSIDs in the same change block
|
|
- do not rename and repurpose a live SSID in one step if disabling/creating separately would be clearer
|
|
- do not infer that Google/cast is solved globally from one successful pilot reassociation
|
|
- do not collapse Security into generic IoT unless there is a deliberate design change
|
|
- do not assume that because `UNEF's Playhouse` exists, the Protect chimes are already proven safe on it
|
|
|
|
## Practical one-page operator version
|
|
If you want the shortest operator call:
|
|
- Keep now: `Yer a Wifi Harry`, `UNEF's Playhouse`, `CIA Via`
|
|
- Retire first: `Whiskey Neat Fuck Ice` once client list is clean
|
|
- Retire last: `CIA Via` only after Google/legacy drain is complete
|
|
- Add separately if needed: proper Guest SSID
|
|
|
|
## Resulting remaining live work
|
|
Before any actual SSID cleanup, still do:
|
|
- laptop-side Plex / cast / discovery validation for the existing Google pilot
|
|
- one last live SSID/client inventory pull from the controller
|
|
- a per-SSID client count check immediately before disable actions
|