For the past decade, the Army has fought a relatively static fight. We have lived and worked on FOBs. When a unit came in, it would replace an existing unit that was already managing an existing network, over the course of a week or two; we had time to make sure that things went as planned. As the Army shifts from fighting a static fight to a mobile, fluid, and dynamic decisive action fight, we must adjust how we manage our network.
One of NETOPS’ key jobs is to manage the network. In order to do that, we must have visibility of the network. When we were fighting a COIN fight, time was on our side, but in a decisive action environment, time can be critical. Because of that, it is important that we are able to “see” the network as quickly as possible so that we can accurately advise the battle captain, commander, and other senior leaders on their ability to communicate.
When the JNN first came out, the Net Tech’s WAN manager resided on VLAN 222 (the Management VLAN). The default gateway for this network resides on the JNN’s Tier 2 router which meant that it was available for use as soon as the JNN was powered on and operational.
Sometime over the last few years, though, PM WIN-T made the decision to move the WAN Manager and other NETOPS systems off of VLAN 222 and onto a separate VLAN of their own, VLAN 70. While this would normally not be a big deal, the problem is that VLAN 70 exists on an external “management” switch case, which then connects to the JNN’s Tier 2 Switch via VLAN 74. In order for us to make use of VLAN 70, we must power up and connect an external switch case. This normally doesn’t happen until, at the very least, the S6 tent is up and has power, which can be hours after the unit arrives and long after the JNN is operational. This needlessly extends the already extended period of time during a jump when NETOPS has no visibility of the network.
So why did WIN-T make this change? My best guess is that they wanted to allow NETOPS to operate out of any location, which is why VLAN 74 operates in a plug-and-play type configuration very similar to VLAN 6, meaning you can take your stack to pretty much any other node, plug it in, and be up and running. It’s a great idea on paper, but in reality, outside of possibly at the TAC (and only in one or two instances with that), I have never seen NETOPS even try to operate out of an alternative location, which makes the cost/benefit equation pretty lopsided.
So how do we fix the problem? First let me preface this with two things:
- This is my personal opinion and goes against the design released by PM WIN-T. As best as I can tell, it doesn’t affect the security of the network in any way.
- I realize that this isn’t a problem for WIN-T Inc 2 units, but the Army is still a long way from fully fielding the force with Inc 2.
I recommend that you simply move the VLAN 70 interface from the management switch to the JNN’s Tier 2 Switch. This means that as soon as the JNN is operational, you can plug your WAN manager into a port on the Tier 2 Switch and have visibility of the entire network.
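One way to carry out the move described above, as an added example that is not part of the original post: Cisco IOS-style syntax is assumed for both switches, and the VLAN 70 gateway address, mask, and access port number are placeholders to be filled from your own node's configuration.

```cisco
! --- Management switch case (assumed IOS syntax): retire the VLAN 70 SVI ---
! VLAN 74, the existing link toward the Tier 2 switch, is left untouched.
configure terminal
 no interface Vlan70
end

! --- JNN Tier 2 switch: host the VLAN 70 interface here instead ---
configure terminal
 vlan 70
  name NETOPS-MGMT
  exit
 interface Vlan70
  description NETOPS systems (WAN manager), moved from management switch case
  ! placeholder: reuse the gateway address VLAN 70 had on the management switch
  ip address <VLAN70-GATEWAY-IP> <VLAN70-MASK>
  no shutdown
  exit
 ! Access port so the WAN manager can plug in as soon as the JNN is powered on
 interface GigabitEthernet1/0/<N>
  description NETOPS WAN manager
  switchport mode access
  switchport access vlan 70
  exit
end
copy running-config startup-config
```

If any NETOPS systems stay on the management switch case, VLAN 70 must also be carried on the link between the two switches so they can still reach the relocated gateway. Save a copy of the management switch's original configuration before removing the interface so the PM WIN-T design can be restored if needed.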
Some people would suggest that you already have this capability just by using the JNN’s management computer. While I agree that this is possible, it is not likely. In my experience, most JNN management laptops don’t have their SNMPc configured to look at all of the networks in the way that we as NETOPS want to. This means that we may not be able to see critical parts of the network. By moving VLAN 70, we make a pretty minor change to the system configuration but gain a lot in speed of access and visibility of the network.