Network Infrastructure Rollout
Network infrastructure rollout encompasses the physical installation, configuration, and validation of networking equipment across one or more sites. This task covers three common rollout scenarios: general network equipment deployment, Voice over IP system cutover, and Software-Defined Wide Area Network implementation. Each scenario requires careful sequencing to maintain service continuity while transitioning to new infrastructure.
Prerequisites
Before beginning any network infrastructure rollout, confirm the following requirements are satisfied:
| Requirement | Verification method | Acceptance criteria |
|---|---|---|
| Design documentation | Review network design document | Topology, IP addressing, VLAN assignments, routing design approved |
| Equipment procurement | Inventory check against bill of materials | All hardware received, serial numbers recorded, no damage |
| Site preparation | Physical inspection | Rack space available, power circuits installed, cable pathways clear |
| Change approval | Change management system | CAB approval recorded, implementation window confirmed |
| Rollback plan | Document review | Rollback procedures documented, previous configuration backed up |
| Stakeholder notification | Communication log | Users, management, and dependent teams notified of timeline |
| Vendor support | Support ticket or engagement | TAC case opened for critical deployments, escalation path confirmed |
For VoIP deployments, additional prerequisites apply:
| Requirement | Verification method | Acceptance criteria |
|---|---|---|
| Number porting authorisation | Letter of authorisation signed | Current provider notified, porting date confirmed |
| SIP trunk provisioning | Provider portal or email | Trunk credentials received, inbound routing configured |
| Quality of Service design | QoS policy document | Voice traffic classification and prioritisation defined |
| Handset inventory | Asset tracking system | Handsets received, MAC addresses recorded, provisioning templates ready |
For SD-WAN deployments, verify:
| Requirement | Verification method | Acceptance criteria |
|---|---|---|
| Underlay connectivity | Circuit installation confirmation | Internet or MPLS circuits active at each site |
| Controller/orchestrator access | Portal login | SD-WAN management platform accessible, licences applied |
| Security policy design | Policy document | Application policies, security zones, and breakout rules defined |
| Certificate infrastructure | PKI readiness check | Device certificates issued or automatic enrolment configured |
Ensure you have administrative access to all devices and systems involved. For physical work, coordinate with facilities management for site access, especially outside normal business hours.
Procedure
The rollout procedure divides into phases that apply across deployment types, with specific sub-procedures for VoIP and SD-WAN scenarios.
Phase 1: Physical installation
Physical installation establishes the hardware foundation for the network. This phase involves rack mounting, cabling, and power verification.
Unpack and inventory all equipment against the bill of materials
Compare received items to the procurement order. Record serial numbers in your asset management system. Photograph any shipping damage before proceeding and file claims with the carrier.
Install equipment in designated rack positions
Mount devices according to the rack elevation diagram from the design documentation. Install switches at appropriate heights for cable management, placing core/distribution switches centrally with access switches above or below based on cable run directions.
For a typical two-post rack installation:
+------------------------------------------+ | U42 | Patch panel (voice) | | U41 | Patch panel (data) | | U40 | Cable management | | U39 | Access switch 1 (48-port) | | U38 | Access switch 2 (48-port) | | U37 | Cable management | | U36 | Distribution switch (24-port) | | U35 | Router/SD-WAN edge | | U34 | Firewall | | U33 | UPS management | | ... | | | U1-4 | UPS units | +------------------------------------------+Connect power supplies
Attach primary power cables to the A-side power distribution unit and redundant power supplies to the B-side PDU. For devices with single power supplies, connect to the UPS-backed circuit. Verify power LED illumination on each device before proceeding.
Install uplink and inter-switch cabling
Connect inter-switch links using the cable types specified in the design. For 10 Gigabit connections between switches, use either DAC cables for short runs under 5 metres or appropriate SFP+ transceivers with LC fibre for longer distances.
Label every cable at both ends using a consistent scheme:
Format: [Source device]-[Port] to [Dest device]-[Port] Example: CORE-SW1-Gi1/0/49 to ACC-SW1-Gi1/0/49Connect WAN circuits
Attach carrier handoff cables to router or SD-WAN edge device WAN interfaces. Record the interface assignment:
Circuit Provider Handoff type Device Interface Primary Internet Acme ISP Ethernet 100M RTR-01 GigabitEthernet0/0 Backup Internet Regional Tel Ethernet 50M RTR-01 GigabitEthernet0/1 MPLS Enterprise WAN Ethernet 1G RTR-01 GigabitEthernet0/2 Verify physical layer connectivity
Confirm link lights on all connected ports. For fibre connections, verify transmit and receive light levels are within acceptable range using the transceiver diagnostic commands on your switch platform:
# Cisco IOS-XE show interfaces transceiver
# Juniper Junos show interfaces diagnostics optics
# Aruba/HPE show interfaces transceiver allAcceptable optical power ranges for short-reach SFP+ modules: transmit -1 to -8 dBm, receive -1 to -12 dBm. Values outside these ranges indicate fibre issues requiring inspection and cleaning.
Phase 2: Base configuration deployment
Base configuration establishes device identity, management access, and security foundations before deploying service-specific settings.
Connect to device console for initial configuration
Use a USB or RJ45 console cable with terminal emulation software configured for 9600 baud, 8 data bits, no parity, 1 stop bit. Factory-default devices typically present a setup wizard or blank prompt.
Apply hostname and domain configuration
# Cisco IOS example hostname SITE01-ACC-SW1 ip domain-name internal.example.orgConfigure management interface and default gateway
Assign the management IP from your allocated range:
interface Vlan1 ip address 10.1.100.11 255.255.255.0 ip default-gateway 10.1.100.1Enable secure management protocols
Disable Telnet and enable SSH with a minimum key length of 2048 bits:
crypto key generate rsa modulus 2048 ip ssh version 2 line vty 0 15 transport input ssh login localConfigure authentication
Create local administrator accounts and configure RADIUS or TACACS+ for centralised authentication where your identity infrastructure supports it:
username netadmin privilege 15 secret <strong-password> aaa new-model aaa authentication login default group radius local radius server RADIUS-01 address ipv4 10.1.100.50 auth-port 1812 acct-port 1813 key <shared-secret>- Apply standard security hardening
service password-encryption no ip http server ip http secure-server banner login ^ Authorised access only. All activity monitored and recorded. ^Configure time synchronisation
Point devices to your NTP servers:
ntp server 10.1.100.1 prefer ntp server 10.1.100.2 clock timezone GMT 0 clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00- Save configuration and verify management connectivity
copy running-config startup-configTest SSH access from your management workstation to confirm remote access functions before disconnecting the console cable.
Phase 3: Service configuration deployment
Service configuration implements VLANs, routing, quality of service, and other service-layer functionality.
- Create VLANs according to the design
vlan 10 name DATA vlan 20 name VOICE vlan 30 name MANAGEMENT vlan 40 name GUEST vlan 99 name NATIVE- Configure trunk ports for inter-switch links
interface GigabitEthernet1/0/49 description Uplink to CORE-SW1 switchport mode trunk switchport trunk native vlan 99 switchport trunk allowed vlan 10,20,30,40 switchport nonegotiateConfigure access ports with appropriate VLANs
For data ports supporting IP phones with passthrough:
interface range GigabitEthernet1/0/1-24 description User data port switchport mode access switchport access vlan 10 switchport voice vlan 20 spanning-tree portfast spanning-tree bpduguard enableEnable routing protocols on layer 3 devices
For OSPF in a single area design:
router ospf 1 router-id 10.1.0.1 network 10.1.0.0 0.0.255.255 area 0 passive-interface default no passive-interface GigabitEthernet0/0Configure Quality of Service policies
Define class maps and policy maps for traffic prioritisation:
class-map match-any VOICE match dscp ef match dscp cs5 class-map match-any VIDEO match dscp af41 class-map match-any NETWORK-CONTROL match dscp cs6 match dscp cs7
policy-map QOS-POLICY class VOICE priority percent 30 class VIDEO bandwidth percent 20 class NETWORK-CONTROL bandwidth percent 5 class class-default fair-queue
interface GigabitEthernet0/0 service-policy output QOS-POLICYApply access control lists
Implement ACLs based on your security design. At minimum, restrict management access:
ip access-list standard MGMT-ACCESS permit 10.1.100.0 0.0.0.255 deny any log
line vty 0 15 access-class MGMT-ACCESS inEnable monitoring protocols
Configure SNMP for network management system integration:
snmp-server community <read-community> RO snmp-server host 10.1.100.60 version 2c <read-community> snmp-server enable trapsConfigure syslog forwarding:
logging host 10.1.100.61 logging trap informational logging source-interface Vlan30VoIP cutover procedure
Voice over IP cutover requires precise coordination to minimise telephony downtime. The procedure uses parallel running to validate the new system before committing.
Number porting timing
Number porting typically requires 5-10 business days lead time. Confirm the porting date with your provider and have a fallback plan for delays.
+---------------------------------------------------------------------------------+| VoIP CUTOVER TIMELINE |+---------------------------------------------------------------------------------+| || Day -14 Day -7 Day -3 Day 0 Day +1 Day +7 || | | | | | | || v v v v v v || +--------+ +--------+ +---------+ +--------+ +--------+ +--------+ || |Handset | |Training| |Parallel | |Cutover | |Monitor | |Legacy | || |deploy | |sessions| |running | | | | | |decom | || +--------+ +--------+ +---------+ +--------+ +--------+ +--------+ || |+---------------------------------------------------------------------------------+Deploy and provision handsets
Install IP phones at user locations. Connect phones to switch ports configured with voice VLAN. Phones should obtain IP addresses via DHCP with option 150 (Cisco) or option 66 (generic) pointing to the provisioning server:
ip dhcp pool VOICE network 10.1.20.0 255.255.255.0 default-router 10.1.20.1 option 150 ip 10.1.100.70 lease 8Verify each phone registers with the call control system. Check registration status in the phone system administration interface or via CLI:
# Asterisk/FreePBX asterisk -rx "pjsip show endpoints"
# 3CX (PowerShell) Get-3CXPhoneStatusConfigure user extensions and call routing
Program extensions matching the existing numbering plan where possible. Create hunt groups, call queues, and auto-attendants according to the design. Configure outbound route patterns:
Pattern Route Description 9NXXNXXXXXX Primary SIP trunk UK geographic 90NXXXXXXXXX Primary SIP trunk UK mobile 900XXXXXXXX Primary SIP trunk UK non-geographic 9011. International SIP trunk International 999/112 Primary SIP trunk Emergency Conduct user training
Train users on new handset operation, voicemail access, and any changed dialling procedures. Provide quick reference guides covering common operations: transferring calls, setting up conference calls, accessing voicemail, and forwarding.
Enter parallel running period
Configure temporary call forwarding from the legacy system to the new system for testing. During parallel running, inbound calls arrive on the legacy system and forward to the VoIP system. This validates inbound routing without committing to cutover.
Test the following call flows:
- Inbound calls to main number reach auto-attendant
- Extension-to-extension calls connect with acceptable audio quality
- Outbound calls to geographic, mobile, and international numbers complete
- Emergency calls route correctly (coordinate with your provider for test procedures)
- Call transfer, hold, and conference functions operate
Execute number porting cutover
On the scheduled porting date, the carrier transfers number ownership to your SIP trunk provider. The timing is coordinated but exact cutover time varies. Monitor the following:
# Watch SIP trunk registration asterisk -rx "pjsip show registrations"
# Monitor inbound call attempts tail -f /var/log/asterisk/full | grep INVITEPlace test calls to your main number from mobile phones to verify calls now arrive directly on the new system.
Validate post-cutover operation
Confirm all expected call flows work in production:
- Inbound calls from PSTN
- Outbound calls to all number types
- Internal extension dialling
- Voicemail delivery and notification
- Call recording (if implemented)
- Integration with CRM or other business systems
Decommission legacy system
After 7 days of stable operation, disconnect and decommission the legacy PBX. Export call detail records and voicemail archives before shutdown. Update asset records to reflect disposal or reallocation.
SD-WAN deployment procedure
SD-WAN deployment overlays software-defined networking on existing WAN circuits. The deployment proceeds site-by-site, starting with a pilot location before broader rollout.
+------------------------------------------------------------------------+| SD-WAN OVERLAY ARCHITECTURE |+------------------------------------------------------------------------+| || +------------------+ || | SD-WAN | || | Controller | || | (Cloud/DC) | || +--------+---------+ || | || +--------------------+--------------------+ || | | | || v v v || +--------+--------+ +--------+--------+ +--------+--------+ || | Site A | | Site B | | Site C | || | Edge Device | | Edge Device | | Edge Device | || +--------+--------+ +--------+--------+ +--------+--------+ || | | | || +------+------+ +------+------+ +------+------+ || | | | | | | | | | || v v v v v v v v v || MPLS Inet1 Inet2 MPLS Inet1 LTE MPLS Inet1 Inet2 || |+------------------------------------------------------------------------+Prepare the SD-WAN orchestrator
Access the SD-WAN management portal and configure organisation-level settings:
- Network segments or VPNs
- Global policy templates
- Certificate authority integration
- Logging and analytics destinations
Create site and device templates matching your design. For Cisco SD-WAN (Viptela), define feature templates for each component:
System template: Site ID: variable System IP: variable Hostname: variable Console baud rate: 9600
VPN 0 (Transport): Interface: GigabitEthernet0/0 IP: DHCP or static variable Tunnel interface: enabled Color: mpls/biz-internet/public-internet
VPN 1 (Service): Interface: GigabitEthernet0/1 IP: variable OSPF: enabledStage edge devices
Before shipping to sites, bootstrap edge devices with controller connectivity information. For zero-touch provisioning, register device serial numbers in the orchestrator. For manual bootstrap:
system host-name SITE01-SDWAN system-ip 10.255.0.1 site-id 100 organization-name example-org vbond vbond.example.orgDeploy pilot site
Install the first edge device at a pilot location with low user impact. Connect WAN interfaces to existing circuits. The device should establish control connections to the orchestrator and form data plane tunnels to other sites.
Verify overlay tunnel formation:
show bfd sessions show omp peers show control connectionsExpected output shows established BFD sessions to peer sites and active OMP peering with controllers.
Configure application policies
Define application-aware routing policies. Create SLA classes matching your quality requirements:
SLA class Latency Jitter Loss Use case Real-time <150ms <30ms <1% Voice, video Business-critical <300ms <50ms <2% ERP, CRM Default Best effort Best effort <5% General traffic Apply application policies that steer traffic based on SLA:
policy app-route-policy VOICE-VIDEO sequence 10 match app-list VOICE-APPS action sla-class REALTIME strict sequence 20 match app-list VIDEO-APPS action sla-class REALTIME strictValidate pilot site operation
Test application performance across the SD-WAN fabric:
- Verify voice and video quality using test calls
- Confirm business application response times
- Test failover by disconnecting primary circuit
- Validate direct internet breakout (if configured)
- Check security policy enforcement
Run performance tests during business hours for at least one week before proceeding.
Execute phased site rollout
Deploy remaining sites in waves, grouping sites by region or business unit:
Wave Sites Timeline Rollback window 1 HQ, Regional hub 1 Week 1 48 hours 2 Regional hub 2, Offices A-D Week 2 48 hours 3 Offices E-L Week 3 48 hours 4 Field offices, remote sites Week 4-5 48 hours For each site:
- Ship pre-staged edge device
- Coordinate installation with local contact
- Verify tunnel establishment and policy application
- Validate user connectivity
- Document completion
Optimise and tune
After all sites are deployed, analyse fabric-wide analytics:
- Identify applications needing policy adjustment
- Review bandwidth utilisation and consider circuit changes
- Tune SLA thresholds based on observed performance
- Optimise application identification signatures
Decommission legacy WAN infrastructure
Once the SD-WAN fabric operates stably for 30 days, plan legacy router decommissioning:
- Verify no traffic traverses legacy paths
- Coordinate circuit disconnection with providers
- Remove legacy devices from racks
- Update network documentation
Phase 4: Testing and validation
Validation confirms the deployment meets design specifications and operational requirements.
Execute connectivity tests
From endpoints on each VLAN, verify connectivity to local gateway, cross-VLAN destinations, and WAN destinations:
# Local gateway ping -c 5 10.1.10.1
# Cross-VLAN (assuming routing configured) ping -c 5 10.1.20.1
# WAN destination (headquarters) ping -c 5 10.0.0.1
# Internet ping -c 5 8.8.8.8Verify routing table correctness
On layer 3 devices, confirm expected routes are present:
show ip route show ip ospf neighbor show ip bgp summaryRoutes should match the design documentation. Missing routes indicate protocol misconfiguration or connectivity issues.
Test quality of service
Generate marked traffic and verify queuing behaviour:
# From a Linux host, send DSCP EF traffic ping -Q 0xb8 -c 100 10.0.0.1On the router, verify traffic matches the expected class:
show policy-map interface GigabitEthernet0/0The VOICE class should show matched packets.
Validate failover behaviour
For redundant designs, test failover by disconnecting primary links:
- Disconnect primary uplink, verify traffic fails over to secondary
- Measure failover time (should be under 30 seconds for most designs)
- Reconnect primary, verify traffic returns (if designed for failback)
- Repeat for WAN circuits if dual-homed
Perform throughput testing
Use iperf3 to measure achievable bandwidth between sites:
# On server iperf3 -s
# On client iperf3 -c <server-ip> -t 30 -P 4Compare results against circuit capacity. Throughput should achieve at least 90% of provisioned bandwidth.
Document test results
Record all test results in a validation checklist. Flag any deviations from expected behaviour for investigation. Do not proceed to production handoff until all critical tests pass.
Phase 5: Documentation and handover
Update network documentation
Revise the following documents to reflect as-built state:
- Network topology diagrams
- IP address allocation records
- VLAN assignments
- Device inventory with serial numbers and locations
- Configuration backup locations
Export final configurations
Save running configurations to your configuration management system:
# Using RANCID or similar tool rancid-run
# Manual backup copy running-config tftp://10.1.100.80/SITE01-ACC-SW1.cfgTransfer to operations
Brief the operations team on:
- New device locations and functions
- Monitoring alerts and expected thresholds
- Known issues or workarounds
- Vendor support contacts and contract details
Close change record
Update the change management system with implementation outcome, any deviations from plan, and lessons learned.
Verification
Confirm successful rollout by validating each layer of the implementation:
Physical layer verification:
show interfaces statusshow interfaces counters errorsAll connected ports show “connected” status. Error counters remain at zero or show minimal increment under load.
Data link layer verification:
show spanning-tree summaryshow mac address-table countSpanning tree shows expected root bridge and no topology changes. MAC address table populates from connected endpoints.
Network layer verification:
show ip interface briefshow ip route summaryAll interfaces show up/up status with correct IP addresses. Route table contains expected number of routes via expected protocols.
Application layer verification:
For VoIP deployments, verify call quality metrics:
- Mean Opinion Score (MOS) above 4.0 for internal calls
- One-way latency below 150ms
- Jitter below 30ms
- Packet loss below 1%
Check these in your voice platform’s CDR or quality monitoring:
# Asteriskasterisk -rx "pjsip show channelstats"For SD-WAN deployments, verify fabric health:
show bfd sessionsshow omp peersshow control connectionsAll expected tunnels and control connections show “up” state.
Troubleshooting
| Symptom | Possible cause | Resolution |
|---|---|---|
| Switch port shows “notconnect” | Cable fault, port disabled, speed mismatch | Test cable with certifier, check port configuration with show run interface, verify endpoint NIC settings |
| SFP shows “not present” | Incompatible transceiver, not fully seated | Verify transceiver compatibility with switch model, reseat module, check for DOM support with show interfaces transceiver |
| OSPF neighbour stuck in EXSTART | MTU mismatch, duplicate router ID | Verify MTU matches on both ends, check router IDs are unique with show ip ospf |
| BGP session flapping | Hold timer expiry, route policy rejection | Check show ip bgp neighbor for last reset reason, verify route policies permit expected prefixes |
| Phones not registering | DHCP options missing, firewall blocking | Verify DHCP scope includes option 150/66, check firewall permits SIP (5060/5061) and RTP (10000-20000) |
| One-way audio on calls | NAT traversal failure, RTP port blocking | Configure STUN/TURN servers, verify symmetric RTP, check firewall permits RTP port range |
| Poor voice quality | Insufficient bandwidth, QoS not applied | Check interface utilisation, verify DSCP marking with packet capture, confirm QoS policy attached to correct interface |
| SD-WAN tunnel not forming | Firewall blocking DTLS/IPsec, NAT issues | Verify UDP 12346-12446 and IP protocol 50 permitted, check for NAT-T enablement, review control connection status |
| Application SLA violations | Incorrect policy, circuit congestion | Review application identification accuracy, check circuit utilisation, adjust SLA thresholds if unrealistic |
| Intermittent connectivity | Spanning tree reconvergence, duplex mismatch | Check spanning tree topology changes with show spanning-tree detail, verify duplex settings on all links |
| Slow iperf throughput | TCP window size, intermediate device bottleneck | Increase TCP window with -w flag, test segment by segment to isolate bottleneck |
| Configuration not persisting | Not saved to startup, insufficient storage | Run copy running-config startup-config, check available flash with show flash: |
VoIP-specific troubleshooting
When calls fail to complete, collect SIP trace information:
# Asteriskasterisk -rvvvvvExamine INVITE transactions for 4xx or 5xx error responses. Common errors:
| SIP response | Meaning | Resolution |
|---|---|---|
| 401/407 | Authentication required/failed | Verify credentials in trunk configuration |
| 403 | Forbidden | Check provider ACL permits your IP, verify caller ID configuration |
| 404 | Not found | Check dialled number format matches provider expectations |
| 480 | Temporarily unavailable | Destination not answering, verify called number is valid |
| 503 | Service unavailable | Provider issue, check trunk status with provider |
SD-WAN-specific troubleshooting
For tunnel formation issues, check control plane connectivity first:
show control connectionsshow certificate installedshow orchestrator connectionsIf control connections fail, verify:
- DNS resolution for controller FQDN
- UDP 12346 outbound permitted
- System clock accurate (certificate validation fails with clock skew)
For traffic not following expected path, examine OMP routes and policies:
show omp routesshow policy from-vsmartshow app-route statsRollback
If critical issues arise during cutover, execute rollback within the approved window.
For physical deployments, reconnect original equipment and restore previous configurations:
copy tftp://10.1.100.80/SITE01-ACC-SW1-BACKUP.cfg startup-configreloadFor VoIP cutover, reconfigure call forwarding from legacy system or contact provider to reverse number porting (requires 5-10 business days for port-back).
For SD-WAN, disable the overlay by removing edge devices from the fabric and restoring direct routing on legacy equipment. Keep edge devices registered with the controller to preserve configuration for re-deployment.