APC UPS, PDU & Power Strip Inventory — WDC Office¶
Classification: CONFIDENTIAL — Internal Use Only Document:
architecture/wdc/power/apc-ups-inventory.md· v1.1 · 2026-05-13 · GPUS-IT
Naming convention
WDC power infrastructure follows an herb-themed naming convention for managed devices. Managed PDUs (AP7900B): Chicory, Fennel, Plantain, Rosemary, Clover, Knotweed. UPS: Pickle (active), Thyme (decommissioned — swollen battery). Unmanaged extension: Purslane (UPS extension fed from Pickle). Decommissioned (2026-05-13): Power Strip 1, Power Strip 2, Power Strip 3 — all loads migrated to managed PDUs.
1. Purpose¶
System-of-record for power infrastructure in the WDC office. Every IT appliance must be traceable to a UPS, PDU, or power strip listed here, with a documented power path back to a UPS.
Supports:
- CIS Controls v8 — Control 1 (Inventory of Enterprise Assets) and Control 12 (Network Infrastructure Management).
- NIST CSF 2.0 — PR.DS-08 (integrity of hardware), PR.IR-01 (network resilience).
- PCI-DSS v4.0 — Requirement 9.5 (physical security of media and systems).
2. Managed PDU Inventory (APC AP7900B)¶
| Name | MAC | Port | Mgmt IP | Notes | Dashlane | Email Alerts | What's Plugged In |
|---|---|---|---|---|---|---|---|
| Chicory | 28:29:86:6c:1c:eb |
37 | 192.168.122.96 | — | shared | Yes | 1 × Stone, 1 × Visuals Storage Expansion 2, 1 × Visuals Storage Expansion 3, 1 × DUNE, 1 × Synology NAS (A-feed), 1 × Fire (A-feed), 1 × Edge 1 |
| Fennel | 00:c0:b7:4e:8d:9f |
38 | 192.168.122.91 | OLD PDU MODEL | — | No | 1 × GL5 Firewall, 1 × Water, 1 × Flower (B-feed), 1 × Synology NAS (B-feed), 2 × Synology Controller (dual cable, single logical device) |
| Plantain | 28:29:86:6d:67:6c |
39 | 192.168.122.92 | — | shared | Yes | 1 × Secondary Firewall, 1 × Edge 2, 1 × Fire (B-feed), 1 × Flower (A-feed), 1 × WDC Stack 4, 1 × WDC Stack 5, 1 × WDC Stack 6 |
| Rosemary | 28:29:86:6c:1d:7a |
40 | 192.168.122.93 | — | shared | Yes | 1 × Visuals Storage Main, 1 × Water, 1 × Stone, 1 × Visuals Storage Expansion 1, 1 × WDC Stack 0, 1 × WDC Stack 1, 1 × WDC Stack 2, 1 × WDC Stack 3 |
| Clover | 28:29:86:6c:1d:5b |
41 | 192.168.122.94 | — | shared | Yes | 1 × Visuals Storage Main, 1 × Visuals Storage Expansion 1, 1 × Visuals Storage Expansion 2, 1 × Visuals Storage Expansion 3, 1 × GL5 Firewall, KVM Switch, 1 × DUNE, 1 × unlabeled hypervisor |
| Knotweed | 28:29:86:6c:1d:e1 |
42 | 192.168.122.95 | — | None | Yes | KVM Switch, Small Synology Storage Bay, monitor used for testing hypervisors, 2 × PCs housed in server room, unlabeled hypervisor, 2 power cables going into DUNE |
3. UPS Inventory¶
| Name | MAC | Port | Mgmt IP | Notes | Dashlane | Email Alerts | What's Plugged In |
|---|---|---|---|---|---|---|---|
| Pickle | 28:29:86:73:c0:23 |
43 | 192.168.122.90 | — | shared | Yes | Powers Purslane UPS Extension (downstream chain — see §5) |
4. Unmanaged Power Strips & Extensions¶
| Name | What's Plugged In |
|---|---|
| Purslane UPS Extension | Primary Firewall, Thyme*, Knotweed, Clover, Rosemary, Plantain, Chicory, Fennel — gets power from Pickle |
*Thyme is decommissioned (see §5).
Power Strips 1/2/3 decommissioned 2026-05-13
Three unmanaged power strips that previously fed the WDC switch stack,
Fire, Flower, the Synology NAS, both edge switches, and the secondary
firewall were retired in the 2026-05-13 inventory revision. All those
loads are now on managed PDUs (Chicory, Fennel, Plantain, Rosemary).
See §5 for status and §11 for the change-log entry. Inventory entries
are retained (monitoring_status: decommissioned) so historical power
paths remain searchable.
5. Decommissioned / Hazard Items¶
| Name | Type | Status | Action Required |
|---|---|---|---|
| Thyme | UPS | No longer plugged in. Swollen battery. | Safety hazard. Tag, isolate, and arrange e-waste pickup with a vendor certified for sealed lead-acid / Li-ion disposal. Do not leave in the rack. Track in KACE ticket. |
| Power Strip 1 | Unmanaged strip | Removed from active power chain 2026-05-13. Historical loads (Synology NAS, Flower) now on Chicory/Fennel/Plantain. | Confirm physical disposition (removed vs. present-but-unused) and update inventory monitoring_status if still racked. |
| Power Strip 2 | Unmanaged strip | Removed from active power chain 2026-05-13. Historical loads (Edge 2, Secondary Firewall, WDC Stack 0/1/3, Fire PSU1) now on Plantain/Rosemary/Chicory. | Same as above. |
| Power Strip 3 | Unmanaged strip | Removed from active power chain 2026-05-13. Historical loads (Fire PSU2, WDC Stack 2/4/5/6, Edge 1) now on Plantain/Rosemary/Chicory. | Same as above. |
Pending physical verification
Power Strip 1, 2, and 3 are marked decommissioned based on the 2026-05-13 spreadsheet revision showing no remaining loads on them. Physical rack presence has not been verified — the walk-around checklist will confirm whether they have been pulled or are still installed.
Swollen battery — handle with care
A swollen UPS battery indicates thermal runaway risk. Do not puncture, charge, or stack the unit. Move to a fireproof container or non-combustible area away from servers until pickup.
6. Power Path Diagram¶
flowchart TB
Utility([Utility Power]) --> Pickle[Pickle UPS<br/>192.168.122.90 / Port 43]
Pickle --> Purslane[Purslane UPS Extension]
Purslane --> FW[Primary Firewall]
Purslane --> Thyme[Thyme UPS<br/>DECOMMISSION<br/>swollen battery]
Purslane --> Chicory
Purslane --> Fennel
Purslane --> Plantain
Purslane --> Rosemary
Purslane --> Clover
Purslane --> Knotweed
Chicory --> Stone1[Stone]
Chicory --> VSE2[Visuals Storage Exp 2]
Chicory --> VSE3[Visuals Storage Exp 3]
Chicory --> DUNE1[DUNE]
Chicory --> NasA[Synology NAS A-feed]
Chicory --> FireA[Fire A-feed]
Chicory --> Edge1[Edge 1]
Fennel --> GL5[GL5 Firewall]
Fennel --> Water[water.wdc.us.gl3]
Fennel --> FlowerB[Flower B-feed]
Fennel --> NasB[Synology NAS B-feed]
Fennel --> synology_controller[Synology Controller<br/>2 × cables]
Plantain --> SecFW[Secondary Firewall]
Plantain --> Edge2[Edge 2]
Plantain --> FireB[Fire B-feed]
Plantain --> FlowerA[Flower A-feed]
Plantain --> Stack4[WDC Stack 4]
Plantain --> Stack5[WDC Stack 5]
Plantain --> Stack6[WDC Stack 6]
Rosemary --> VSM1[Visuals Storage Main]
Rosemary --> Water2[Water]
Rosemary --> Stone2[Stone]
Rosemary --> VSE1[Visuals Storage Exp 1]
Rosemary --> Stack0[WDC Stack 0]
Rosemary --> Stack1[WDC Stack 1]
Rosemary --> Stack2[WDC Stack 2]
Rosemary --> Stack3[WDC Stack 3]
Clover --> VSMc[Visuals Storage Main]
Clover --> VSE1c[Visuals Storage Exp 1]
Clover --> VSE2c[Visuals Storage Exp 2]
Clover --> VSE3c[Visuals Storage Exp 3]
Clover --> GL5c[GL5 Firewall]
Clover --> KVM1[KVM Switch]
Clover --> DUNE2[DUNE]
Clover --> Unlabeled1[Unlabeled Hypervisor]
Knotweed --> KVM2[KVM Switch]
Knotweed --> Synbay[Small Synology Storage Bay]
Knotweed --> Mon[Hypervisor Test Monitor]
Knotweed --> PC2[2 × Server Room PCs]
Knotweed --> Unlabeled2[Unlabeled Hypervisor]
Knotweed --> DUNE3[DUNE x2 cables]
classDef ups fill:#E76F51,stroke:#333,color:#fff;
classDef pdu fill:#1F3A5F,stroke:#333,color:#fff;
classDef strip fill:#6B7280,stroke:#333,color:#fff;
classDef hazard fill:#8B0000,stroke:#333,color:#fff;
classDef legacy fill:#B7791F,stroke:#333,color:#fff;
class Pickle ups;
class Chicory,Plantain,Rosemary,Clover,Knotweed pdu;
class Fennel legacy;
class Purslane strip;
class Thyme hazard;7. Findings & Risks¶
7.1 Fennel — legacy PDU, no email alerts, expanded load¶
Fennel is the older AP7900B-generation unit, has no email alerts configured, and no Dashlane entry. After the 2026-05-13 revision Fennel carries Water, GL5 Firewall, the Synology NAS B-feed, the Flower B-feed, and the Synology Controller (2 cables, dual PSU). Several of those loads are critical and rely on Fennel for their B-leg of A+B redundancy.
Remediation:
- Replace Fennel with a current-generation managed PDU with NMC, SNMPv3, and email alerts.
- Until replacement: bump Fennel polling cadence in Wazuh, add manual daily health check, document Dashlane credential.
7.2 Pickle UPS feeds the entire PDU chain¶
Pickle → Purslane → all six managed PDUs → most of the rack. Pickle is the single point of failure for everything downstream of it.
Remediation:
- Add a second UPS in parallel for A+B feed on dual-PSU devices.
- Document Pickle runtime at current load (currently undocumented).
- Schedule quarterly runtime calibration.
7.3 Thyme — swollen battery hazard¶
See §5. Open a KACE ticket today.
7.4 Unlabeled hypervisor¶
Clover and Knotweed both feed an "unlabeled hypervisor." Identify, label, and add to the IAR. Until identified, treat as a potential rogue asset.
7.5 Knotweed — no Dashlane entry¶
Knotweed has no Dashlane credential record. Add one.
7.6 Visuals Storage cross-PDU dependency¶
Visuals Storage Main / Expansion 1 / 2 / 3 each appear on both Rosemary and Clover. Verify whether this is intentional A+B feed (good) or duplicate labeling (bad). If A+B, document it. If duplicate, clean up the inventory.
7.7 Fire and Flower achieve A+B redundancy on managed PDUs (positive)¶
After the 2026-05-13 revision:
- Fire is fed from Chicory (A) + Plantain (B) — both managed AP7900B PDUs, both with Dashlane credentials and email alerts. SNMPv3 polling and graceful-shutdown signaling will work end-to-end.
- Flower is fed from Plantain (A) + Fennel (B) — A+B confirmed with the operator (the final spreadsheet's "What's plugged in" column was incomplete for Flower). Half the redundancy depends on Fennel, so this finding is positive but contingent on resolving §7.1.
Action: validate PCNS shutdown ordering for both hypervisors against the new feed paths once Water is online (see §8).
7.8 WDC Stack split across Rosemary (0-3) and Plantain (4-6) — verify per-switch redundancy¶
The seven-member WDC switch stack is now split: members 0-3 on Rosemary, members 4-6 on Plantain. The final spreadsheet does not clarify whether each switch has dual PSUs running to both PDUs (proper A+B, where a PDU failure costs zero ports) or whether each switch is single-PSU and the split is at the stack level only (where losing one PDU still kills 3-4 switches' worth of ports).
Action — walk-around verification required:
- For each stack member, confirm whether C13 inlets number 1 or 2.
- If single-PSU, request a quote for dual-PSU replacement units or document the partial-redundancy gap explicitly in the risk register.
8. Graceful Shutdown Configuration¶
Once Water is online, configure APC PowerChute Network Shutdown (PCNS) to react to events on Pickle UPS (the only UPS upstream of the cluster):
| Host | Trigger (from Pickle) | Action | Priority |
|---|---|---|---|
ocean.wdc.us.gl3 (KACE SMA) |
Battery runtime ≤ 5 min OR on-battery ≥ 10 min | Application-graceful shutdown via vCenter | 1 (first) |
| Other VMs on Water | Same trigger | vCenter-orchestrated guest shutdown | 2 |
water.wdc.us.gl3 (ESXi) |
Same trigger | Maintenance mode → host shutdown | 3 (last) |
| Visuals Storage Main / Expansions | Same trigger | Native shutdown | Before Water powers off |
| Meraki devices | n/a | Run to battery exhaustion (low draw) | — |
PCNS signaling now reachable for ex-strip loads (2026-05-13)
With Power Strips 1/2/3 retired, every previously-stranded load is now downstream of a managed PDU and can be brought under PCNS once Water is online. Note: PCNS reachability ≠ A+B redundancy. Only Fire (Chicory + Plantain) and Flower (Plantain + Fennel) are confirmed dual-feed at this revision. The Synology NAS is also dual-feed (Chicory + Fennel). The edge switches, Secondary Firewall, WDC Stack members, and Synology Controller remain single-PDU loads — losing their feeding PDU is still a hard outage for those devices (see §7.8 for the stack walk-around action). Walk-around confirmation of physical strip disposition is also outstanding — see §11.
9. Monitoring & Alerting¶
- SNMPv3 polling from Wazuh and Splunk against every managed PDU/UPS NMC at the IPs in §2 / §3.
- Alert thresholds:
- Pickle on-battery event → immediate Slack page to
#wdc-ops. - Any unit reporting battery health < 80% → KACE ticket auto-created.
- Self-test failure → high-severity Wazuh alert.
- Fennel-specific: heightened polling cadence until replaced.
- Pickle on-battery event → immediate Slack page to
- Status page: piped to
status.greenpeace.us.
10. Maintenance Schedule¶
| Task | Frequency | Owner |
|---|---|---|
| Self-test (automated) | Weekly | Device firmware |
| Visual inspection (LEDs, fans, cabling, battery swelling) | Monthly | IT Operations |
| Battery runtime calibration | Quarterly | IT Operations |
| Firmware update review | Semi-annual | Cyber Security |
| Battery replacement | Per vendor EOL (3–5 yr typical) | IT Operations |
| Load recalculation | After any device add/remove | Cyber Security |
| Dashlane credential audit | Quarterly | Cyber Security |
| Email-alert delivery test | Quarterly | IT Operations |
11. Change Log¶
| Date | Change | By |
|---|---|---|
| 2026-05-12 | Inventory populated from spreadsheet (managed PDUs + UPS + 3 power strips). Risks logged for Fennel, power strips, Pickle SPOF, Thyme, unlabeled hypervisor, Knotweed Dashlane, Visuals Storage cross-PDU. | R. Chhetry |
| 2026-05-13 | Final spreadsheet revision applied. Plantain no longer spare; Power Strips 1/2/3 decommissioned; Synology Controller added as new entity; Fire and Flower confirmed A+B across managed PDUs. WDC Stack split (Rosemary 0-3 / Plantain 4-6) — per-switch dual-PSU coverage still requires walk-around verification. | R. Chhetry |