Network Design

CloudCampus Solution V100R019C10 Deployment Guide for Large- and Medium-Sized Campus Networks (Virtualization Scenario)

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Network Design

Setting Global Parameters

This section describes how to set global parameters related to a tenant network.

You can configure the following features only when the tunnel mode is set to EVPN on the Design > Basic Network Design > Network Settings > Tunnel Mode page.

Context

Global configuration parameters related to a tenant network include:

Parameters for physical networks: transport network, IPsec encryption parameters, device activation security configuration, link failure detection configuration, traffic steering policy configuration.
Parameters for virtual networks: routing configuration, IP address pool and DNS configuration.

Procedure

Choose Design > Basic Network Design > Network Settings > Global Configuration from the main menu.
Click the Physical Network tab, and set global parameters related to physical networks.
1. Configure a transport network to define a unified transport network type for communication between sites on the entire network.
  In EVPN tunnel mode, iMaster NCE-Campus provides the following transport networks by default: Internet, Internet1, MPLS, and MPLS1.
  
  If the default transport networks cannot meet requirements, you can click Create to create a transport network as desired.
  
  When MSP RR is selected and a new transport network is created, tenants can view and apply user-defined routing domains created by the MSP from the Routing Domain drop-down list.
2. (Optional) If packets forwarded by IPsec tunnels need to be encrypted, configure the IPsec tunnel encryption algorithm.
  After the configuration is complete, all IPsec tunnels that are configured to encrypt packets use the same encryption mode.
  
  In EVPN tunnel mode, set Encryption algorithm, Life Time and IPSec SA Generation Mode in the IPSec Encryption Parameters area.
3. Configure email-based deployment as needed.
  In the Device Activation Security Settings area, set URL encryption key and URL Opening validity period.
4. (Optional) To detect link failures of a site, set link failure detection parameters.
  In EVPN tunnel mode, set Detection packet sending interval, Number of failed detections and Priority of detection packets.
5. (Optical) Set traffic steering parameters.
  
  Exercise caution when setting traffic steering parameters because modifying these parameters affects the real-time intelligent traffic steering. You are advised to modify these parameters when no service traffic is transmitted.
  
  In EVPN tunnel mode, set Modify period parameters, Switching period, Statistics Period, Flapping suppression, Maximum bandwidth utilization, and Symmetric forward.
6. Click Apply.
Click the Virtual Network tab, and set global parameters related to virtual networks.
1. Set BGP parameters.
  In EVPN tunnel mode, set AS number and Community Pool.
2. Configure an IP address pool. You can configure different address pool segments for different network segment scales.
  
  When configuring an IP address pool, ensure that the IP addresses of WAN interfaces are not in the network segment of the IP address pool.
  
  In EVPN tunnel mode, set IP pool in the IP Pool area.
3. Configure a DNS server group and IP addresses for DNS servers.
  In the DNS area, set DNS Server Group Name and DNS server IP Address.
4. Click Apply.

Parameter Description

Table 5-27 Parameters on the Global Parameters page

Parameter			Description
Physical Network	Transport Network	Transport Network	Type of the transport network to which a WAN-side physical link belongs. This parameter describes the transport networks with the same link quality attributes. It is used to identify networks of the same type provided by an ISP. The network connected by each physical link on the WAN side of a site maps a transport network.
		Routing Domain	Routing domain to which a transport network belongs. Transport networks can communicate with each other in the same routing domain. iMaster NCE-Campus provides the following types of routing domains by default: MPLS: MPLS leased line, which carries normal services of users in wired mode. Internet: public Internet, which carries normal services of users in wired mode. Escape: best-effort link, which is mainly used for escape in wireless mode. This link takes effect when all the other links fail. NOTE: The Escape routing domain is supported only in the DSVPN tunnel mode. If the default types of routing domains cannot meet requirements, set a routing domain according to actual situations.
		IPSec Encryption	Whether to enable IPsec encryption. The options are as follows: : IPsec encryption is disabled. In this case, enable protocol 47 of all devices on the firewall. : IPsec encryption is enabled. In this case, use the encryption algorithm and password that are set in IPSec Encryption Parameters for encryption.
	IPSec Encryption Parameters	Protocol	Security protocol. The default value is ESP.
		Authentication algorithm	Authentication algorithm. The default value is SHA2-256.
		Encryption algorithm	Encryption mode of a link. AES128 and AES256 encryption algorithms are supported. AES256 is recommended. The key length of the AES-256 encryption algorithm is 256 bits, and the security level is higher than AES-128.
		Life Time	The lifetime enables IPsec encryption to be updated in real time, reducing the risk of being cracked and improving security.
		IPSec SA Generation Mode	Whether to enable the IPsec SA generation mode. By default, the mode is disabled.
		DH Group	Diffie-Hellman (DH) public key algorithm. It is used to dynamically negotiate encryption keys between two sites to prevent traffic monitoring between tenants in the same RR in multi-tenant scenarios. After the IPSec SA Generation Mode is enabled, you can select the DH Group. Currently, this parameter can be set to GROUP19, GROUP20, or GROUP21. The DH Group security levels are as follows: GROUP21 > GROUP20 > GROUP19.
	Device Activation Security Settings	URL encryption key	Key for encrypting the URL in a deployment email. Email-based deployment will be successful only after you click the URL in the received email on your PC and enter this key.
	Device Activation Security Settings	URL Opening validity period	Validity period for a device to register its ESN with iMaster NCE-Campus. The timer starts once a deployment email is sent. If the device ESN is not obtained, the device is added to iMaster NCE-Campus based on the device model. After a site is created and a deployment email is sent, the device checks whether the token URL is valid. If so, the device registers its ESN with the iMaster NCE-Campus.
	Link Failure Detection Parameter Configuration	Modify detection parameters	Whether to modify detection parameters. Link detection is periodically performed between gateways of WAN sites under a certain tenant. In the DSVPN tunnel mode, BFD packets are sent to detect link connectivity. In the EVPN tunnel mode, GRE packets are sent to detect link connectivity. If this function is disabled, the device sends detection packets at the default interval. If the number of detection failures exceeds the default value, the link is considered faulty. If this function is enabled, you can define the interval for sending detection packets and the maximum number of detection failures permitted. Generally, you do not need to set this parameter. Use the default value.
		Detection packet sending interval	Interval at which an AR sends detection packets, in milliseconds. The value is in the range 10 to 2000. If Modify detection parameters is disabled, the default value of this parameter is 1000 milliseconds.
		Number of failed detections	Number of detection failures permitted before an AR automatically switches the link. The value is in the range 3 to 50. If Modify detection parameters is disabled, the default value of this parameter is 6.
		Priority of detection packets	Priority in the IP header of a detection packet. A numerically higher value indicates a higher priority. This parameter is available only when the EVPN tunnel mode is selected.
	Traffic Steering Policy Global Configuration	Enable to enhance functionality	The enhanced functions are: Multiple primary transport networks can be configured. Traffic can be load balanced among primary transport networks. Multiple primary transport networks can be arranged in descending order of priority. Traffic can be steered based on the link bandwidth usage. Traffic can be steered based on the application priority To ensure the version's forward compatibility, you can select whether to enhance functionality in DSVPN tunnel mode. In EVPN tunnel mode, functionality enhancement is enabled by default.
		Modify period parameters	Whether to customize the intelligent traffic steering policy. Exercise caution when setting this parameter because the modification affects real-time route selection in the intelligent traffic steering policy. You are advised to modify this parameter when no service traffic is available.
		Switching period	Period after which the traffic is switched to another link. If the quality of a link cannot meet requirements of a certain service or the bandwidth usage exceeds the threshold, the CPE starts the link switching timer. When the timer times out, the service traffic is switched to another link. The default value of the switching period is 5 seconds.
		Statistics Period	Interval for checking link quality. The value of this parameter ranges from 1 to 65535 and must be less than or equal to the value of Switching period.
		Flapping suppression	Flapping suppression to prevent frequent link switchovers. If a network is unstable, service traffic is switched over links frequently, which degrades service experience. Flapping suppression on the CPE can prevent this problem. The flapping suppression period does not take effect by default. The flapping suppression timer starts only after a link switchover occurs. After the flapping suppression period ends, if the current link (that is, the link used after the switchover) meets service requirements, the service traffic is still transmitted over this link. If the current link cannot meet service requirements, the service traffic is switched to another link or the original link. The default value of the flapping suppression period is 30 seconds.
		Maximum bandwidth utilization	This parameter applies to the load balancing routing scenario of the intelligent traffic steering policy. When the service traffic of a link reaches the maximum bandwidth utilization, load balancing can be used for route selection. You can set the maximum bandwidth usage as required. By default, the maximum bandwidth utilization is 95%. The value ranges from 50% to 100%.
		Symmetric forward	Check whether the paths selected during traffic sending and receiving are the same. This parameter is enabled by default. In symmetric routing mode, the sending and receiving paths are the same during route selection. The master/slave relationship is determined based on the default rule (bandwidth condition/site type). The secondary site follows the route selection result of the primary site to ensure that the same service flow is forwarded along the same path. Asymmetric path selection means that the two sites that communicate with each other independently select a forwarding path. In this case, the transmit and receive paths of the same service flow between two sites are different. For example, during LB route selection, the MPLS line from site1 to site2 is not congested for the application of A, MPLS line transmission is selected. When the MPLS line between site2 and site1 is congested and the Internet is not congested, the Internet line is selected to transmit A traffic.
Virtual Network	Routing	AS number	Local AS number. Under the same tenant account, the sites that are deployed using iMaster NCE-Campus belong to the same AS.
	Routing	Community Pool	This is a resource management pool. You can configure community pool to assign the community attribute values to services. The current community pool mainly involves WAN network iBGP, RR management, Internet access, mutual access, area management, and multi-tenant IWG. When the community pool is insufficient, a maximum of 10 community attribute pools can be added. After the configuration, the community pool that has been used cannot be updated or deleted. The unused community pool can be deleted. When RR Source is set to MSP RR, all community pools are allocated based on the MSP. The community pool value of a tenant is dimmed by default and cannot be configured. By default, the community pool value of the MSP is displayed.
	IP Pool	Network scale (based on CPEs)	Approximate number of sites. This parameter is available only when the DSVPN tunnel mode is selected.
	IP Pool	IP pool	Reserved addresses. A reserved address can be the address of a local breakout, a CPE, or an internal link between dual gateways. Plan address pools based on the network scale. The number of required address pools increases with the number of sites. For details about the relationship between them, click Details. After a user enters reserved addresses, iMaster NCE-Campus automatically assigns an address segment according to the following rules: One or more IP address pools can be configured and the IP addresses in these address pools are automatically divided into multiple address segments, which are used by the following interfaces: Loopback interface on a CPE. Interface of a local breakout. Interface of an internal link between dual gateways. Interface of a tunnel. Interface of an EVPN tunnel in the EVPN tunnel mode.
	DNS	DNS Server Group Name	Domain Name System (DNS) used for domain name resolution. The DNS server is usually deployed on a public network. A maximum of 16 DNS groups can be configured for a tenant, and each group can be configured with a maximum of six DNS server IP addresses.
	DNS	DNS Server IP Address	You can plan multiple DNS server IP addresses. A DNS server IP address is used when a LAN interface is configured. If a CPE is enabled as the DHCP server, you can select a DNS server group name for the CPE. The DNS server address is sent to a client on the LAN side via a DHCP response.

Creating a Site

Context

Devices on the same tenant network can be deployed at the same site to facilitate device management and improve service deployment efficiency.

A tenant administrator can create different organizations and set a site to belong to one organization. Currently, a maximum of five organizations can be created.

You can create sites on iMaster NCE-Campus for unified O&M and management. Either of the following modes is available for you to create a site:

Creating sites one by one: You can create sites one by one when a small number of sites need to be added.
Creating sites in batches: You can create sites in batches when a large number of sites need to be added.

On iMaster NCE-Campus, you can create a site by cloning an existing site to reduce repeated configurations.

In deep clone mode, both site configuration and deployed sites are cloned. Currently, only the sites containing firewalls only or containing APs and firewalls support the deep cloning function. After cloning, only the device ESNs at the source and destination sites are different. It is required that a site with less than 50 firewalls can be cloned. You can use either of the following methods to create a site in deep clone mode:

Site by site: If a small number of sites need to be cloned, you can clone them one by one.
Batch clone: When a large number of sites need to be cloned, you can clone them in batches.

The following features are available for deep cloning:

Table 5-28 Features that support deep cloning

Device	Feature
FW	Network (DHCP address pool, uplink management, NAT, and DNS)
	Physical interface
	IPsec VPN
	Security policy
	Traffic policy
AP	SSID (802.1X authentication)
	Radio frequency (radio optimization, radio advanced settings, and channel planning on a per-site basis)
	Advanced blacklist and whitelist (MAC address filtering)
General configuration	NTP, SNMP, O&M configuration, and local user management

Procedure

Choose Design > Site Agile Deployment > Site Management from the main menu.
Click Create. Set parameters on the displayed page.
- After the value of Device type is set, the device type can be added only but cannot be replaced. If only APs are deployed at the original site, you can add firewalls to the site for management. However, you cannot change a site that contains only APs to a site that contains only firewalls. When LSWs are used as WACs, you need to select both the LSW and WAC types.
- When creating a site, you can clone the configuration of an existing site for use with the new site, reducing repeated configurations. Currently, this function is available for the following features:
  Domain, time zone, NTP, SNMP, local user, login restriction, HWTACACS, LLDP, HTTP service, public key-free upon first authentication of SSH client, AP installation location setting, AP PSK, IPv6, NETCONF, global CLI, global security compliance, global NAT (FW), ASPF, DNS, VLANIF (local Internet), global interface management, SSID, global radio, portal authentication, security policy, traffic policy, authentication and authorization policy, policy for limiting the online duration or traffic volume, portal page pushing rules, monitoring configuration, voice STA OUI, VLAN information, WLAN security, attack defense, global IoT, Bluetooth, DHCP, storm suppression, MAC blacklist/whitelist, NAT logs, and SA upgrade policy.
- To create a site in deep clone mode, set Device type to FW and Configuration Source Type to Deep clone. After cloning, only the ESNs of the firewalls at the source and destination sites are different. Only a site with less than 50 firewalls can be cloned.
(Optional) Under Add Device, add devices to a site.
You can add devices to a site by device model or ESN. Alternatively, you can also add devices to a site after the site is created.

When adding a device, you need to set the device role. Set the device role as needed. The recommended roles for each device type are as follows:
- AP: Gateway, Access, AP
- LSW: Core, WAC, Aggregation, Access
- FW: Gateway, Gateway+Core, Firewall
- AR: Gateway, Gateway+Core, Gateway+RR
  
  A site with an AR attached with the Gateway or Gateway+Core role is an edge site whereas a site with an AR router attached with the Gateway+RR role is an RR site.
- WAC: WLAN AC
If you do not set the device role when adding a device, the device role defaults to Access.

A maximum of 5000 devices can be deployed at a site.
Set the initial configuration of a site.
1. Set Configuration mode.
  You can set this parameter to Default or Configuration file. If this parameter is set to Configuration file, you need to prepare device configuration files in advance, and choose Maintain > File Management > Simplified deployment to import and deliver the configuration files to devices.
  When you create a site in Configuration File mode, the following constraints exist:
  - Sites created in configuration file mode do not support functions such as site configuration, fabric configuration, admission configuration, third-party server configuration, and device upgrade.
  - Devices under the sites created in configuration file mode can be switched to other sites created in the same mode. You cannot switch the devices under the sites created in configuration file mode to another site created in default mode or move the devices out of the current site.
  - Devices under the sites created in configuration file mode cannot be added to stacks after being configured using configuration files.
  - Sites created in configuration file mode can use only specific northbound interfaces.
2. Set Configuration Source Type. This parameter is configurable when Configuration mode is set to Default.
  The options are Default Configuration and Clone from Existing Site.
Click Apply.

Follow-up Procedure

Create sites in batches.
You can click Batch Create to download the site configuration template, enter information about all sites in the template, and import the template to the system. Then you can create all required sites at a time.

Change the organization to which a site belongs.
To change the organization to which a site belongs, select the target site and then click Change Organization.
Filter sites by organization.
To create a lower-level organization of the current organization, click an organization name on the left and click .

Currently, at most five-layer organizations can be created.
In EVPN tunnel mode, after a site is created and activated, by exporting and importing site configurations, you can:
- Quickly configure a new site based on configured sites.
  You can export and modify the configuration of a deployed site and import the modified configuration to quickly deploy a new site. If the site name changes, you need to manually create a site with the changed name and import the configuration again.
- Modify site configurations in batches.
  After exporting configurations of multiple sites, you can modify some parameters and import them to modify sites in batches. You can add, delete, and modify site configurations.
- Restore site configurations.
  You can periodically export site configurations. If an error occurs during subsequent configuration, you can import the previous configuration to restore the site.
1. Choose Provision > Physical Network > ZTP from the main menu. Click the Export And Import tab.
2. Click the Export tab.
3. Click Click here to add site. Select the target site whose configurations need to be exported and click OK.
  
  The configurations of up to 100 sites can be exported in batches.
4. Click Export. Open the exported .xls file and modify the site configuration based on the site requirements. Currently, only the WAN link and NTP configurations can be modified.
5. Save the modified .xls file. Click the Import tab on iMaster NCE-Campus.
6. Select the site configuration file to be imported, and click Import next to Upload file.
  
  The configuration files for up to 100 sites can be imported in batches.
7. Check the import result in the Import Result area, including the task name, task creation time, end time, status, total number of tasks, and number of successfully executed tasks.
  - If Success is displayed in the Task Status column, the site configuration file is imported successfully.
  - If Fail is displayed in the Task Status column, the site configuration file fails to be imported. You can check the specific failure cause.
  A maximum of 10 records can be displayed in Import Result.

Parameter Description

Table 5-29 Key parameters about site creation

Parameter	Description
Site Name	Set the site name.
Device type	You can select one or more from AP, AR, FW, LSW and WAC.
Add Device	Device addition method. The options are as follows: Select Device: Deploy existing devices to the site. By Model: Add devices to the site by device model. After adding a device, you need to enter the device ESN. This mode is recommended. By ESN: Add devices to the site by ESN.
Configuration mode	Default or Configuration File can be chosen. When you select Configuration File mode, you need to prepare the configuration file of the device. You can complete the configuration of the device by importing the configuration file and sending it to the device in the menu of Maintenance > File Management > Simplified Deployment.
Configuration source type	Site configuration method. The options are as follows: Default settings: Create a site. The initial configuration of the new site uses the default values. Clone from existing site: Create a copy based on a specified site. The initial configuration of the new site is the same as that of the source site. You can modify the configuration of the new site as required.

Adding Devices

Context

An administrator can configure and manage devices only after adding the devices to iMaster NCE-Campus.

At a tenant site, you can use the Scan Barcode function of the CloudCampus APP installed on your Android phone to record the ESNs of cloud managed devices (including cloud firewalls, switches, ARs, and APs) to iMaster NCE-Campus. In addition, the Deployment function provided by the CloudCampus APP allows you to bring cloud APs online.
You can download the CloudCampus APP by scanning the QR code on the iMaster NCE-Campus login page.
You are advised not to add switches directly connected to iMaster NCE-Campus servers to iMaster NCE-Campus through NETCONF.

Stack

A stack has two or more switches connected through cables to work as a logical device. After switches set up a stack, one switch is the master switch, and the others are slave switches. Each switch has an ID.

You can use the stacking function to combine multiple switches into a logical switch, improving network reliability and scalability.

iMaster NCE-Campus supports stack configuration on the following switches:

S5720-LI and S5720-SI series switches of V200R012C00SPC600 and later versions.
All cloud management-capable switches of V200R013C00 and later versions.

WAC Group

You can add WACs to a WAC group to implement N+1 WAC backup. In N+1 backup mode, one WAC functions as a backup WAC to provide backup services for multiple master WACs. In normal cases, an AP sets up links only with the master WAC to which it associates. When the master WAC fails or the link between the master WAC and AP is faulty, the backup WAC establishes a link with the AP to manage and provide services for the AP.

AP Grouping Recommendations

In normal cases, APs at the same site are automatically assigned to a management group that is automatically created. The APs provide radio calibration and load balancing functions based on settings of this management group. Due to limitations of the AP specifications, it is recommended that the number of APs to be added to a site do not exceed the number specified in Table 5-30. If APs of different models exist at a site, the recommended number for APs with higher performance takes effect.

Table 5-30 Recommended number of APs at a site

AP Model	Recommended Number
AP1050DN-S	≤ 50
AP2050DN/AP2050DN-S/AP2050DN-E/AP2051DN-S/AP2051DN-E/AP2051DN/AP2051DN-L-S	≤ 50
AP3050DE	≤ 128
AP4050DN-E/AP4050DN-HD/AP4050DN/AP4050DN-S/AP4051DN/AP4151DN/AP4051DN-S/AP4051TN	≤ 50
AP4050DE-B-S/AP4050DE-M/AP4050DE-M-S	≤ 128
AP5030DN-C	≤ 25
AP5510-W-GP	≤ 50
AP5050DN-S	≤ 128
AP6050DN/AP6150DN/AP6052DN	≤ 128
AP7050DN-E/AP7050DE/AP7052DN/AP7152DN/AP7052DE/AP7060DN	≤ 128
AP8050DN/AP8150DN/AP8050DN-S/AP8030DN/AP8130DN/AP8050TN-HD	≤ 50
AP8082DN/AP8182DN	≤ 128
AD9430DN-24/12	The following conditions must be met: Number of central APs ≤ 8 Number of RUs ≤ 300

When both AD9430DN-24/12 and cloud APs are deployed on the same network, it is recommended that the following requirements be met:

At least two AD9430DN-24/12 are recommended. On a large-scale network, at least four AD9430DN-24/12 are recommended.
It is recommended that the number of cloud APs do not exceed the upper limit in Table 5-30.
Number of RUs + Number of cloud APs ≤ 300.

For example, on a network with AD9430DN-24s and AP6052DNs, it is recommended that a maximum of eight AD9430DN-24s and a maximum of 128 AP6052DNs be deployed. In addition, the number of AP6052DNs and RUs does not exceed 300.

The AD9431DN-24X is responsible for roaming, radio calibration, and load balancing of RUs only in the management group to which it belongs.

If more APs than recommended are deployed, they will be randomly assigned to multiple automatically created management groups. As a result, neighboring APs or APs on the same floor may be in different management groups, as shown in Figure 5-2. If this occurs, the expected radio calibration and load balancing effects cannot be achieved.

Radio calibration is performed in each management group separately. If neighboring APs belong to different management groups, radio calibration cannot achieve the optimal effect.
Load balancing cannot be implemented for APs in different management groups. If neighboring APs belong to different management groups, the number of access users cannot be balanced.

As shown in Figure 5-2, 125 APs deployed on floors 1 to 3 are randomly assigned to multiple automatically created management groups. As a result, neighboring APs or APs on the same floor may be in different management groups. If this occurs, the expected radio calibration and load balancing effects cannot be achieved.

Figure 5-2 Example of random grouping

If you need to add more APs than recommended to the same site, make more detailed network planning and manually divide the APs into different management groups according to the following principles. Figure 5-3 shows AP grouping by management VLAN.

Determine the number of groups based on the number of floors or physical areas. (For details about the number of APs supported by each group, see Table 5-30.) Add APs in the same floor or physical area to the same group.
Plan a management VLAN for each group. (Generally, configure PVIDs on the upstream access switch and use them as the management VLANs of the APs).

In Figure 5-3, three management groups are planned based on the AP floor distribution, and the corresponding management VLANs are planned. After you add APs to the correct management VLAN, they are assigned to the management group corresponding to the floor. This improves radio calibration and load balancing effects.

Figure 5-3 Example of grouping by management VLAN

The division of management groups and management VLANs affects only radio calibration and load balancing services. It does not affect network division for Layer 2 and Layer 3 roaming.
Do not configure port isolation based on management VLANs for APs. Otherwise, APs in the same VLAN cannot create a management group using broadcast packets.
You are advised to configure broadcast rate limiting on the upstream access switch of the APs to prevent broadcast flooding.

Adding Devices

On iMaster NCE-Campus, you can add cloud-managed devices through NETCONF and add traditional devices through SNMP. After the devices are added, administrators can configure and manage them on the network. You can add devices to iMaster NCE-Campus in the following three methods:

Manual addition: applies to the scenario where a small number of devices need to be added to the same site.
Batch import: applies to the scenario where a large number of devices need to be added. A maximum of 1000 devices can be imported at a time.
Automatic discovery: applies to the scenario where traditional devices need to be added. In this method, the system automatically discovers traditional devices in every subnet at a specified interval.

Prerequisites

If a switch running V200R008C00 or an earlier version is added using NETCONF, you need to enable the port of the old device for certificates on the iMaster NCE-Campus management plane.

Log in to the management plane.
Choose Product > Software Management > Deploy Product Software from the main menu, click More > Modify Configurations, set DEVICE_OLD_CERT_ENABLE(enable device old cert or not) to true, and click OK.
Click in the upper right corner to check whether the configuration is successful.
Wait for about 10 minutes, choose Product > System Monitoring from the main menu, click the Service tab, and search for CampusBaseService . Check whether CampusBaseService is successfully restarted. If the service is running properly, configure other parameters for pushing portal pages to end users.

Procedure

Choose Design > Site Agile Deployment > Device Management from the main menu.
Click Add Device on the Device page.

The system provides three methods for device addition: Add, Import in batches and Automatic discovery.

Add cloud-managed devices manually.
1. Select a desired site. You may also choose not to add devices to a site.
2. Choose Add Device > Add.
3. Select NETCONF protocol.
4. Add devices by Device Model. Set Device Type, Model, Number, and Role. Then click OK.
5. Import device ESNs.
  - Devices added by Device Model can go online after the device ESNs are added to iMaster NCE-Campus.
  - If the ESN of a device is used and the device cannot be added, contact the system administrator or MSP administrator to clear the ESN.
6. Click OK.
  For a device that has been online, you can click the device name to view the device status. In addition, you can also reboot the device or click Command Line to run commands on the device.
  - The web UI display varies according to different devices.
  - Only firewalls, ARs and WACs support the Device Configuration function. This enables users to log in to the web NMS of the devices through iMaster NCE-Campus. A maximum of 20 device's web NMSs can be opened together.
  - If a user opens the web system of a device through this function and then opens the web system of another device, the session information of the first device will be overwritten and the user will be logged out from the web system of the first device when the user opens the web system of the second device. This is because different devices use the same IP address to forward sessions using SSH. If you need to open the web system of two devices at the same time, open a non-trace page or use another browser to log in to iMaster NCE-Campus, and then switch to the web system of the devices.

Click Manually add to add traditional devices.

Select a desired site. You may also choose not to add devices to a site.
Choose Add Device > Add.
Select SNMP protocol.

Set basic information, SNMP parameters (optional), and Telnet parameters.

SNMP parameters can be configured in either of the following ways:

Select an SNMP parameter template.
Select an SNMP parameter template from the template list. If no proper template is available, choose Design > Basic Network Design > Template Management > SNMP Template to create a template as needed.

Set SNMP parameters.

Set SNMP parameters based on the site requirements. The parameter settings must be the same as those on devices.

Table 5-31 SNMP parameters

Protocol Version	Parameter	Description
SNMPv3	Security Name	User security name.
	Authentication protocol	Protocol used for message authentication. Only HMAC-SHA2-256 is supported.
	Authentication password	Password used for message authentication.
	Encryption protocol	Encryption protocol used for data encapsulation. Advanced encryption standards include AES_128, AES_192, and AES_256.
	Encryption password	Encryption password if an encryption protocol is specified.
	NE port number	Destination port of a network device.
	Timeout interval (s)	Time out interval for a message sent to a device. A response to the message must be sent within the specified period. Otherwise, the message times out.

Table 5-32 Telnet parameters

Protocol Version	Parameter	Description
STelnet	Authentication	Authentication mode for accessing a network device. The options are as follows: Password Key Password and key
	Username	Username for logging in to a device.
	Password	Password for logging in to a device. This parameter must be specified if Authentication is set to Password or Password and Key.
	Key	Key for logging in to a device. This parameter must be specified if Authentication is set to Key or Password and Key.
	NE port number	Destination port of a network device.
	Timeout interval (s)	Timeout interval for a message sent to a device. A response to the message must be sent within the specified period. Otherwise, the message times out.

Click Confirm.

Add cloud-managed devices in batches.
1. Select a desired site. You may also choose not to add devices to a site.
2. Choose Add Device > Import in batches.
3. Select NETCONF protocol.
Download and fill in the template. After all settings are complete, upload the template. Select the devices to which the template will be uploaded in the Import Result window and click OK.
Add traditional devices in batches.
1. Select a desired site. You may also choose not to add devices to a site.
2. Choose Add Device > Import in batches.
3. Select SNMP protocol.
  
  Download and fill in the template.
4. Click Create.
  If the imported device information is displayed in Result.
Add traditional devices through device discovery. For details, see Creating an Automatic Discovery Task.

For APs and switches, the value of Device Name is delivered to the devices as the hostname (sysname). To prevent hostname delivery failures due to restrictions on the devices, the value of Device Name can contain only uppercase letters, lowercase letters, digits, spaces, and the following special characters: ! " # $ % & ' ( ) * + , - . / : ; < = > @ [ \ ] ^ _ ` { | } ~
To add more than 25 APs to a site, read AP Grouping Recommendations.
You can manually modify sites for successfully added devices. On the device management page, select a device and click Switch Site to deploy the device at another site or remove the device from the current site. Note that a fit AP will becomes a cloud AP if it is removed from a WAC site.
When there is no user currently online, if a cloud AP or a central AP goes offline unexpectedly and remains offline for 24 hours, iMaster NCE-Campus restarts and restores the AP.

Follow-up Procedure

After devices are installed, connected, and powered on, they need to register with and go online on iMaster NCE-Campus so that they can be managed by iMaster NCE-Campus. Then iMaster NCE-Campus can deploy services and deliver configurations to the devices as well as monitor them. It takes two steps for a device to register with and go online on iMaster NCE-Campus:

The device connects to the Internet.
The device switches to the cloud-based management mode, obtains the IP address or URL and port number of iMaster NCE-Campus, and registers with iMaster NCE-Campus.
- Firewalls, switches, and APs can work in traditional or cloud-based management mode. They can be managed by iMaster NCE-Campus only when they work in cloud-based management mode.
- ARs can work only in traditional mode. They can work properly as long as they can be managed by iMaster NCE-Campus.

Related Tasks

Restart a device and restore the device configuration.
After selecting an added device, you can use the Factory Reset, Reset to Deployment State (only for AR routers), and Reboot functions to restore default settings or restart the device.

This operation has high risks and cannot be rolled back. Exercise caution when you perform this operation.

Switch the site to which the device belongs.
Select a device and click Change Site to switch the device to the selected site or move the device from the current site. You can filter sites by organizations.
1. When moving a device between sites, you can decide whether to delete the device-specific configurations of the source site from the device, including subnets and interfaces.
2. If an AP works in another mode after being moved between sites of different types, the controller will forcibly delete all original configurations from the AP and delivers service configurations of the destination site to it.
3. Performing this operation will impact existing services and may take several minutes. Exercise caution when you perform this operation.

View sites in an organization.
To view sites in an organization, select the target organization from the Organization drop-down list on the Cloud-based Device page. Among the displayed sites, select the desired one and view the devices at this site. You can also view sites that are not assigned to an organization and devices under the sites.
Configure SNMP.
On the Device page, select an SNMP-supporting device and choose More Operations > Setting SNMP to set SNMP parameters or select an SNMP template. For details about the parameters, see Table 5-31.
Configure Telnet.
On the Device page, select an SNMP-supporting device and choose More Operations > Setting SNMP to set SNMP parameters or select an SNMP template. For details about the parameters, see Table 5-31.
Configure a standalone switch to a single-switch stack.
On the Device page, select a switch, click , configure stack parameters, and click OK. After a standalone switch is configured as a single-switch stack, the switch goes offline.

SNMP-Managed Device Models

Table 5-33 SNMP-managed device models

Device Type	Device Model
ME60	ME60-X16A-DC,ME60-X16A,ME60-X8A-DC,ME60-X8A
S5300	S5320-36C-EI-28S-AC, S5320-36C-EI-28S-DC, S5320-56C-EI-48S-AC, S5320-56C-EI-48S-DC, S5320-36C-EI-AC, S5320-36C-EI-DC, S5320-56C-EI-AC, S5320-56C-EI-DC, S5320-32X-EI-24S-AC, S5320-32X-EI-24S-DC, S5320-50X-EI-46S-AC, S5320-50X-EI-46S-DC, S5320-32X-EI-AC, S5320-52X-EI-AC, S5320-28P-SI-AC, S5320-28X-PWR-SI-AC, S5320-28X-SI-AC, S5320-52X-PWR-SI-AC, S5320-52X-SI-AC, S5321-28P-SI-AC, S5321-28X-SI-AC, S5321-28X-SI-DC, S5321-52X-SI-AC, S5321-52X-SI-DC, S5320-28X-SI-DC, S5320-52X-SI-DC, S5320-12TP-LI-AC, S5320-12TP-PWR-LI-AC, S5320-28P-LI-AC, S5320-28P-PWR-LI-AC, S5320-28P-SI-DC, S5320-28X-LI-24S-AC, S5320-28X-LI-24S-DC, S5320-28X-LI-AC, S5320-28X-LI-DC, S5320-28X-PWR-LI-AC, S5320-28X-PWR-SI-DC, S5320-52P-LI-AC, S5320-52X-LI-AC, S5320-52X-LI-DC, S5320-52X-PWR-LI-AC, S5320-12TP-LI-DC, S5320-28X-SI-24S-AC, S5320-28X-SI-24S-DC, S5320-12X-PWR-LI-AC, S5320-52X-LI-48S-AC, S5320-52X-LI-48S-DC, S5320-52X-SI-48S, S5331-H24T4XC, S5331-H24P4XC, S5331-H48T4XC, S5331-H48P4XC, S5332-H24S6Q, S5332-H48S6Q, S5335-L24P4X-A, S5335-L32ST4X-A, S5335-S32ST4X, S5335-S24T4X, S5335-S24P4X, S5335-S48T4X, S5335-S48P4X, S5335-S48S4X, S5335-L24T4X-A, S5335-L12P4S-A, S5335-L12T4S-A
S5700	S5720-36C-EI-28S-AC, S5720-56C-EI-48S-AC, S5720-36C-EI-AC, S5720-36PC-EI-AC, S5720-56C-EI-AC, S5720-56PC-EI-AC, S5720-36C-PWR-EI-AC, S5720-56C-PWR-EI-AC, S5720-56C-PWR-EI-AC1, S5720-32X-EI-24S-AC, S5720-32X-EI-AC, S5720-32P-EI-AC, S5720-52X-EI-AC, S5720-52P-EI-AC, S5720-28P-SI-AC, S5720-28X-PWR-SI-AC, S5720-28X-SI-AC, S5720-52P-SI-AC, S5720-52X-PWR-SI-AC, S5720-52X-PWR-SI-ACF, S5720-52X-SI-AC, S5720S-28P-SI-AC, S5720S-28X-SI-AC, S5720S-52P-SI-AC, S5720S-52X-SI-AC, S5720-52X-PWR-SI-DC, S5720-28X-SI-DC, S5720-56C-EI-DC, S5720-36C-EI-28S-DC, S5720-56C-EI-48S-DC, S5720-12TP-LI-AC, S5720-12TP-PWR-LI-AC, S5720-28P-LI-AC, S5720-28P-PWR-LI-AC, S5720-28TP-LI-AC, S5720-28TP-PWR-LI-AC, S5720-28TP-PWR-LI-ACL, S5720-28X-LI-24S-AC, S5720-28X-LI-24S-DC, S5720-28X-LI-AC, S5720-28X-LI-DC, S5720-28X-PWR-LI-AC, S5720-28X-SI-24S-AC, S5720-28X-SI-24S-DC, S5720S-12TP-LI-AC, S5720S-12TP-PWR-LI-AC, S5720-52P-LI-AC, S5720-52P-PWR-LI-AC, S5720-52X-LI-AC, S5720-52X-PWR-LI-AC, S5720S-28P-LI-AC, S5720S-28P-PWR-LI-AC, S5720S-28X-LI-24S-AC, S5720S-28X-LI-AC, S5720S-28X-PWR-LI-AC, S5720S-52P-LI-AC, S5720S-52P-PWR-LI-AC, S5720S-52X-LI-AC, S5720S-52X-PWR-LI-AC, S5720-28X-PWH-LI-AC, S5721-28X-SI-24S-AC, S5720-52X-PWR-LI-ACF, S5720-16X-PWH-LI-AC, S5730-48C-PWR-SI-AC, S5730-48C-SI-AC, S5730-68C-PWR-SI, S5730-68C-SI-AC, S5730S-48C-EI-AC, S5730S-68C-EI-AC, S5720I-12X-SI-AC, S5720I-12X-PWH-SI-DC, S5720I-28X-SI-AC, S5720I-28X-PWH-SI-AC, S5730-36C-HI, S5730-44C-HI, S5730-36C-PWH-HI, S5730-44C-PWH-HI, S5730-60C-HI, S5730-68C-HI, S5730-60C-PWH-HI, S5730-68C-PWH-HI, S5730-44C-HI-24S, S5720SV2-28P-LI-AC, S5720SV2-52P-LI-AC, S5730-60C-HI-48S, S5730-68C-HI-48S, S5730-36C-HI-24S, S5720I-10X-PWH-SI-AC, S5720I-6X-PWH-SI-AC, S5720-52X-LI-48S-AC, S5720-52X-SI-48S, S5731-S24T4X, S5731S-S24T4X-A, S5731-S24P4X, S5731S-S24P4X-A, S5731-S48T4X, S5731S-S48T4X-A, S5731-S48P4X, S5731S-S48P4X-A, S5732-H24S6Q, S5732-H48S6Q, S5731S-H24T4XC-A, S5731S-H48T4XC-A, S5731-H48P4XC, S5731-H48T4XC, S5731-H24P4XC, S5731-H24T4XC, S5735-L24T4S-A, S5735S-L24T4S-A, S5735S-L24T4S-MA, S5735S-L24FT4S-A, S5735-L12T4S-A, S5735S-L12T4S-A, S5735-L24P4S-A, S5735S-L24P4S-A, S5735S-L24P4S-MA, S5735-L24P4X-A, S5735S-L24P4X-A, S5735-L32ST4X-A, S5735S-L32ST4X-A, S5735-S32ST4X, S5735S-S32ST4X-A, S5735-L48T4S-A, S5735S-L48T4S-A, S5735S-L48FT4S-A, S5735-S24T4X, S5735-S24P4X, S5735-S48T4X, S5735-S48P4X, S5735-L48P4X-A, S5735S-L48P4X-A, S5735-S48S4X, S5731S-H24T4S-A, S5731S-H48T4S-A, S5735-L24T4X-A, S5735S-L24T4X-A, S5735-L12P4S-A, S5735S-L12P4S-A, S5735-L48T4X-A, S5735S-L48T4X-A, S5735S-S24T4S-A, S5735S-S48T4S-A, S5735S-L48P4S-A, S5735-S4T2X-IA150G1, S5735-S8P2X-IA200G1
S6300	S6320-30C-EI-24S-AC, S6320-30C-EI-24S-DC, S6320-54C-EI-48S-AC, S6320-54C-EI-48S-DC, S6320-26Q-EI-24S-AC, S6320-26Q-EI-24S-DC, S6320-32C-PWH-SI, S6330-H24X6C, S6330-H48X6C
S6700	S6720-30C-EI-24S-AC, S6720-54C-EI-48S-AC, S6720S-26Q-EI-24S-AC, S6720-30C-EI-24S-DC, S6720-54C-EI-48S-DC, S6720-16X-LI-16S-AC, S6720-26Q-LI-24S-AC, S6720-26Q-SI-24S-AC, S6720-32C-PWH-SI, S6720-32C-SI-AC , S6720-32C-SI-DC , S6720-32X-LI-32S-AC, S6720S-16X-LI-16S-AC, S6720S-26Q-LI-24S-AC, S6720S-26Q-SI-24S-AC, S6720-52X-PWH-SI, S6720-56C-PWH-SI, S6720-50L-HI-48S, S6720-30L-HI-24S, S6730-S24X6Q, S6730S-S24X6Q-A, S6730-H24X6C, S6730-H48X6C
S7700	S7703, S7706, S7712
S9300	S9303, S9306, S9312, S9300X-4, S9300X-8, S9300X-12
S12700	S12700E-4, S12700E-8, S12700E-12
S600-E	S652-E, S652X-E
WAC	AC6800V, AC6508, AC6805, AC6507S, AirEngine9700S-S, AirEngine9700-M
Fit AP	AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP4050DN-E, AP4050DN-HD, AP4051DN, AP4151DN, AP4051DN-S , AP4050DN, AP4050DN-S, AP8050DN, AP8050DN-S, AP8150DN, AP1050DN-S, AD9431DN-24X, AP7152DN, AP6052DN, AP8082DN, AP8182DN, AP8050TN-HD, AP7052DN,R250D, AP5050DN-S, AP2051DN-E, AP2051DN, AP2051DN-S,R251D,R251D-E, AP4050DE-M, AP4050DE-M-S, AP7060DN, AP2051DN-L-S, AP4050DE-B-S, AP3050DE, AP5510-W-GP, AirEngine5760-10, AP6750-10T
Fat AP	AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP4050DN-E, AP4050DN-HD, AP4051DN, AP4151DN, AP4051DN-S , AP4050DN, AP4050DN-S, AP8050DN, AP8050DN-S, AP8150DN, AP1050DN-S, AD9431DN-24X, AP7152DN, AP6052DN, AP8082DN, AP8182DN, AP8050TN-HD, AP7052DN,R250D, AP5050DN-S, AP2051DN-E, AP2051DN, AP2051DN-S,R251D,R251D-E, AP4050DE-M, AP4050DE-M-S, AP7060DN, AP2051DN-L-S, AP4050DE-B-S, AP3050DE, AP5510-W-GP, AirEngine5760-10, AP6750-10T
AR1200	AR1220E
AR2200	AR2220E, AR2204-27GE-P
AR6100	AR6120
AR6200	AR6280
AR100	AR109, AR129CGVW-L, AR129CVW, AR101-S, AR101W-S
AR160	AR161, AR161EW
AR600	AR651C
Eudemon200E-G	Eudemon200E-G8-AC,Eudemon200E-G8-DC, Eudemon200E-G85-DC,Eudemon200E-G85-AC
Eudemon200E-N	Eudemon200E-N1D,Eudemon200E-N3,Eudemon200E-N5,Eudemon200E-N1,Eudemon200E-N2
Eudemon1000E-N	Eudemon1000E-N3,Eudemon1000E-N5,Eudemon1000E-N6,Eudemon1000E-N7,Eudemon1000E-N7E
Eudemon1000E-G	Eudemon1000E-G3-AC,Eudemon1000E-G3-DC,Eudemon1000E-G5-AC,Eudemon1000E-G5-DC,Eudemon1000E-G8-AC,Eudemon1000E-G8-DC,Eudemon1000E-G12-AC,Eudemon1000E-G12-DC,Eudemon1000E-G16-AC,Eudemon1000E-G16-DC, Eudemon1000E-G25-DC,Eudemon1000E-G25-AC,Eudemon1000E-G15-DC,Eudemon1000E-G15-AC,Eudemon1000E-G55-DC,Eudemon1000E-G55-AC,Eudemon1000E-G35-DC,Eudemon1000E-G35-AC
USG6500	USG6530,USG6550,USG6570,USG6507,USG6510,USG6510-WL, USG6515E,USG6510E,USG6510E-POE,USG6530E,USG6550E,USG6560E,USG6580E, USG6585E-AC,USG6565E-AC,USG6555E-AC,USG6525E-AC
USG6600	USG6620,USG6630,USG6650,USG6660,USG6670,USG6680, USG6630E-AC,USG6630E-DC,USG6650E,USG6680E, USG6625E-AC,USG6615E-AC,USG6655E-AC,USG6635E-DC,USG6635E-AC
USG6700	USG6712E,USG6716E
USG6300	USG6306,USG6308,USG6310,USG6320,USG6330,USG6350,USG6360,USG6370,USG6380,USG6390,USG6305,USG6305-W,USG6310S,USG6310S-W,USG6310S-WL,USG6310S-WL-OVS,USG6390E, USG6306E,USG6308E,USG6311E,USG6312E,USG6322E,USG6350E, USG6307E,USG6331E,USG6332E,USG6395E-AC,USG6385E-AC,USG6365E-AC,USG6355E-AC,USG6335E-AC,USG6325E-AC,USG6315E-AC,USG6309E-AC,USG6305E-AC

For details about the specifications of other third-party devices that can be managed, contact Huawei technical support.

Creating a Stack

Prerequisites

A stack has been configured on devices.
The configuration for devices to go online is complete. For details, see Huawei CloudCampus Solution Product Documentation.
The ESNs of stack members have been added to iMaster NCE-Campus so that iMaster NCE-Campus can configure the stack members.

Currently, only switches can set up stacks. To check whether the models and versions of the switches managed by iMaster NCE-Campus can set up a stack:

For fixed switches, see Stack Version and Model Requirements in the product documentation.
For modular switches, see CSS Version Requirements in the product documentation.

For details about how to perform configurations on switches, see Stack & SVF Assistant.

Procedure

Choose Design > Site Agile Deployment > Device Management from the main menu.
Click the Stack on Device Group tab, and click Create Stack.
1. Set Stack Name and select Site.
2. Set Stack Role. The role must be set to be the same as that configured when the device is added.
3. Set the mode for adding stack member devices.
  - From Detected Stacks: The system automatically detects the stacks that have been set up on devices. You can create a stack on iMaster NCE-Campus and directly add member devices to the stack based on the discovered stack.If the stack member information fails to be obtained, click From Detected Stacks again to refresh the stack member information.
  - Manually: Click Add to add devices to the stack.
    Only switches of the same series can set up a stack.
    Modular switches (S12704/S12708/S12710/S12712/S7706/S7710/S7712) running V200R013C00 or later can be added to a stack. All modular switches that need to be added to a stack must set up a stack before they go online. Otherwise, the stack cannot go online on iMaster NCE-Campus.
4. (Optional) Click in the Member column to modify the stack ID and priority. Click to save the modification.
  The stack ID is in the range from 0 to 8 and cannot be the same as the ID of any member device in the stack. The stack ID of a stack consisting of modular switches is in the range from 1 to 2.
  
  The priority is in the range from 1 to 255 and the default value is 100. A larger value indicates a higher priority.
  
  If switches have set up a stack and have services configured, it is recommended that the stack IDs and stack priorities of stack members specified on iMaster NCE-Campus be the same as those configured on the stack members. Since the stack IDs and stack priorities delivered by iMaster NCE-Campus will overwrite the existing settings on stack members, if the values delivered by iMaster NCE-Campus are different from those on stack members, the services that take effect on stack members will be inconsistent with those in configuration files. You can run the following commands on stack members to check the stack ID and stack priority:
  
  Run the display esn command to check the ESN and stack ID of each stack member.
  
  If modular switches set up a cluster switch system (CSS), run the display css configuration command to check the stack ID and stack priority of each CSS member.
  
  If fixed switches set up a stack, run the display stack command to check the stack ID and stack priority of each stack member.
5. Click OK.
  - When a stack goes online, iMaster NCE-Campus checks the status of member devices in the stack and delivers configurations only after all the member devices in the stack go online. This prevents a configuration delivery failure due to some member switches being offline.
  - After all member devices in a stack go online, if a member device goes offline, the stack fails to be configured.
  - After a stack goes online, when a member device where an uplink port of the stack resides is removed from the stack and then added to the stack again, if the slot ID of the member device is changed, the stack may fail to go online. To ensure that other member devices in the stack can go online, the stack must have other available uplinks before a member device where an uplink port of the stack resides is removed from the stack.
  - When a master/standby switchover occurs in a stack, the member devices in the stack will go online again.
View and manage stacks.
Click next to a stack name to display the stack members in the stack. You can also maintain the stack.
- Maintain a stack member.
  Click Configure Stack Port. The Switch > Interface page is displayed. You can configure ports for member devices in a stack.
  
  Click next to a member device in the stack to change the priority of the switch.
  
  Click next to a member device in the stack to replace the member switch with another device.
  
  Click next to the name of a member device in the stack to remove the device from the stack.
  
  In the Detected Stack Member area, you can view the stacks that have been set up on devices. Then, you can create a stack on iMaster NCE-Campus, and directly add member devices to the stack based on the discovered stack.
- Modify or delete a stack.
  Click next to the name of a stack to change the stack name or stack role. Click to delete the stack.
If the status of a stack device is displayed as Unregistered or Offline, locate the fault based on device login and logout logs. Possible causes are as follows:
- The license is expired.
  When device licenses are insufficient, import a license file if a global perpetual license or global subscription license is used, or import a new activation code or entitlement ID if a tenant subscription license is used.
- The stack status of member devices displayed on iMaster NCE-Campus is inconsistent with that displayed on the member devices. The following two situations may occur:
  - According to the query result on iMaster NCE-Campus, member devices have set up a stack. However, according to the query result on the devices, they do not set up a stack.
  - According to the query result on iMaster NCE-Campus, a certain device is not a stack member. However, the command output on this device shows that the device is a stack member.
    To rectify the fault, modify configurations on member devices or iMaster NCE-Campus to ensure that the stack status displayed is consistent on them. For details about related commands on devices, see "Configuration Examples for Stacks" in related switch product documentation.
- Stack member information displayed on iMaster NCE-Campus is inconsistent with that on the device. The following two situations may occur:
  - The ID and priority of a stack member displayed on iMaster NCE-Campus and on the device are inconsistent. The information will be synchronized after the device goes online again.
  - Some devices are not added to the stack. In this case, check whether the stack members displayed on iMaster NCE-Campus are the same as those queried on stack members.
    If login and logout logs do not explain the reason why a device is offline, the possible cause is that the device does not register with iMaster NCE-Campus. In this case, check the network between the device and iMaster NCE-Campus or check whether the device is added to the stack.
    
    To rectify the fault, modify configurations on devices or iMaster NCE-Campus to ensure that the stack information displayed on them is consistent. For details about how to run commands to configure a stack, see "Configuration Examples for Stacks" in the corresponding switch product documentation.
- The device is not in the ESN whitelist.
  Using an ESN whitelist, you can restrict the devices that can register with iMaster NCE-Campus and go online. After this function is enabled, devices whose ESNs are not in the whitelist are regarded as unauthorized devices.
  
  In this case, the system administrator needs to check whether the ESN of a device is in the ESN whitelist. If not, add the device ESN to the ESN whitelist.

Related Tasks

Switch a single device to a stack device.
To switch a single device to a stack device, click in the row of the desired device on the Cloud-based Device page.
- This function is supported for fixed switches only.
- Devices that are not added to a site cannot be switched to a stack, created or added to a stack.
- After a single device is switched into a stack, the configuration of the device applies to the new stack, and the device goes offline automatically. The device can go online successfully only after stack setup is performed on the device.
View stacked devices.
Click Stack to view the stacks of all or one organization.

Parameter Description

Table 5-34 Stack

Parameter	Description
Stack name	Name of a stack.
Stack role	Role that is reported to iMaster NCE-Campus based on the switch settings. The options are as follows:
Slot ID	ID of a switch in a stack. The value is in the range from 0 to 8. The switch IDs in the same stack must be unique.
Priority	Priority of a switch in a stack. The value is in the range from 1 to 255 and the default value is 100. A larger value indicates a higher priority.

Creating a WAC Group

Procedure

Choose Design > Site Agile Deployment > Device Management from the main menu.
Select the site to configure, click the WAC Group on Device Group tab, and click Create.
1. Set Stack Name.
2. Click Add to add member WACs to the WAC group.
3. Click OK.
- The WACs of the same model deployed at different sites can be added to a WAC group.
- A maximum of eight member WACs can be added to a WAC group. You can bind the fit APs managed by a member WAC to any other member WACs in the WAC group. iMaster NCE-Campus delivers the same configuration to all member WACs in a WAC group.
- After a WAC is added to a WAC group, the existing configuration on the WAC is not cleared. If the WAC group already has member WACs, the configuration of the new member is combined with the configuration of the existing members, and then the combined configuration is delivered to all members in the WAC group. Before removing a member, clear its configuration. When a member is added, the full configuration is automatically delivered to the new member.

Creating an Automatic Discovery Task

iMaster NCE-Campus can automatically search for devices that meet specific criteria and add them to the system. This reduces manual intervention and operation costs.

Procedure

Choose Design > Site Agile Deployment > Device Management.
On the Device tab page, choose Add Device > Automatic discovery, and then click Create Discovery Task. You can either select or not select a site when adding devices.
In the Basic Settings area on the Set Parameters page, set the IP protocol version, start IP address, end IP address, and subnet where devices to be added.
In the Task Settings area, set the task name, user group to which email notifications are sent, execution frequency, and task description.
- If you set Frequency to Hourly, Daily, Weekly, or Monthly but do not select Instant execution, the automatic discovery task will not run immediately after being created.
- If you select Automatically add discovered devices and click Next, the system will automatically go to the Results page.
In the Protocol Settings area, select a protocol type.
Click Next. The Discover Devices page is displayed. The system starts to discover devices.
Add the discovered devices to the system.
- To add all discovered devices, click Add All.
- To add some discovered devices, select desired devices and click Add Selected.
On the Add Devices page, check the devices you have added.
Click Next. The Results page is displayed.
The result of the automatic discovery task is displayed. Click Success or Fail in the Discovered Devices or Added Devices area to view details in the lower pane.

Related Tasks

On the Management Settings tab page, choose Discovery Task Management from the navigation pane and click the Task List tab. On the Task List tab page, you can start, create, modify, delete, and view automatic discovery tasks.
On the Management Settings tab page, choose Discovery Task Management from the navigation pane and click the Exclusion List tab. On the Exclusion List tab page, you can add and delete excluded subnets or IP addresses.
- When configuring an excluded subnet, set start and end IP addresses in the Add to Exclusion List dialog box.
- When configuring an excluded IP address, set a start IP address in the Add to Exclusion List dialog box.

AP Grouping Recommendations

In normal cases, APs at the same site are automatically assigned to a management group that is automatically created. The APs provide radio calibration and load balancing functions based on settings of this management group. Due to limitations of the AP specifications, it is recommended that the number of APs to be added to a site do not exceed the number specified in Table 5-35 . If APs of different models exist at a site, the recommended number for APs with higher performance takes effect.

Table 5-35 Recommended number of APs at a site

AP Model	Recommended Number
AP1050DN-S	≤ 50
AP2050DN/AP2050DN-S/AP2050DN-E/AP2051DN-S/AP2051DN-E/AP2051DN/AP2051DN-L-S	≤ 50
AP3050DE	≤ 128
AP4050DN-E/AP4050DN-HD/AP4050DN/AP4050DN-S/AP4051DN/AP4151DN/AP4051DN-S/AP4051TN	≤ 50
AP4050DE-B-S/AP4050DE-M/AP4050DE-M-S	≤ 128
AP5030DN-C	≤ 25
AP5510-W-GP	≤ 50
AP5050DN-S	≤ 128
AP6050DN/AP6150DN/AP6052DN	≤ 128
AP7050DN-E/AP7050DE/AP7052DN/AP7152DN/AP7052DE/AP7060DN	≤ 128
AP8050DN/AP8150DN/AP8050DN-S/AP8030DN/AP8130DN/AP8050TN-HD	≤ 50
AP8082DN/AP8182DN	≤ 128
AD9430DN-24/12	The following conditions must be met: Number of central APs ≤ 8 Number of RUs ≤ 300

When both AD9430DN-24/12 and cloud APs are deployed on the same network, the following requirements must be met:

At least two AD9430DN-24/12 are recommended. On a large-scale network, at least four AD9430DN-24/12 are recommended.
It is recommended that the number of cloud APs do not exceed the upper limit in Table 5-35.
Number of RUs + Number of cloud APs ≤ 300.

For example, on a network with AD9430DN-24s and AP6052DNs, a maximum of eight AD9430DN-24s and a maximum of 128 AP6052DNs are deployed. In addition, the number of AP6052DNs and RUs does not exceed 300.

The AD9431DN-24X is responsible for roaming, radio calibration, and load balancing of RUs only in the management group to which it belongs.

If more APs than recommended are deployed, they will be randomly assigned to multiple automatically created management groups. As a result, neighboring APs or APs in the same floor may be in different management groups, as shown in Figure 5-4. If this occurs, the expected radio calibration and load balancing effects cannot be achieved.

Radio calibration is performed in each management group separately. If neighboring APs belong to different management groups, radio calibration cannot achieve the optimal effect.
Load balancing cannot be implemented for APs in different management groups. If neighboring APs belong to different management groups, the number of access users cannot be balanced.

As shown in Figure 5-4, 125 APs deployed in floors 1 to 3 are randomly assigned to multiple automatically created management groups. As a result, neighboring APs or APs in the same floor may be in different management groups. If this occurs, the expected radio calibration and load balancing effects cannot be achieved.

Figure 5-4 Example of random grouping

Determine the number of groups based on the number of floors or physical areas. (For details about the number of APs supported by each group, see Table 5-35.) Add APs in the same floor or physical area to the same group.
Plan a management VLAN for each group. (Generally, configure PVIDs on the upstream access switch and use them as the management VLANs of the APs).

In Figure 5-5, three management groups are planned based on the AP floor distribution, and the corresponding management VLANs are planned. After you add APs to the correct management VLAN, they are assigned to the management group corresponding to the floor. This improves radio calibration and load balancing effects.

Figure 5-5 Example of grouping by management VLAN

The division of management groups and management VLANs affects only radio calibration and load balancing services. It does not affect network division for Layer 2 and Layer 3 roaming.
Do not configure port isolation based on management VLANs for APs. Otherwise, APs in the same VLAN cannot create a management group using broadcast packets.
You are advised to configure broadcast rate limiting on the upstream access switch of the APs to prevent broadcast flooding.

Configuring a Network Plan

Context

A network plan defines the underlay network topology, such as devices, cards, and links at sites. After a network plan is imported to iMaster NCE-Campus, related information is automatically imported, improving manual configuration efficiency.

You need to create a site before planning the network topology of the site.

Procedure

Choose Design > Basic Network Design > Import Network Plan from the main menu.
Click Template on the right of Select a file to download the network plan template.
Double-click the downloaded template TopoPlan_en.xls.
Edit and save the template. Set device information in the template.
- Device planning
- Card planning
- Link planning
Click on the right of Select a file, and select the template created in the previous step. Click Upload.
In the Upload Result area, check whether the device, card, and link information is correct.
Click Import. Import network plan data.
After the planning data is uploaded to iMaster NCE-Campus, you can view the import progress. You can also click Refresh Result in the Import Result area to refresh the import result.

Configuring a LAN Resource Pool

Context

In actual network configuration, multiple IP address segments can be configured on a network. Therefore, you need to plan IP resources in advance. The planned subnet can be used on devices such as firewalls, routers, and switches at a site or created at a site. Alternatively, you can configure IP address segments when configuring sites.

Procedure

Choose Design > Basic Network Design > Network Settings > LAN Resource Pool from the main menu.
Click Create and set parameters based on the network planning.
Click .

Parameters

Table 5-36 LAN resource parameters

Parameter	Description
Name	Resource pool name.
Description	Resource pool description.
Start Network Address	Start network segment of the LAN subnet. The value is a unicast IP address in dotted decimal notation. The subnet that takes effect is the subnet where the network address of the start IP address resides.
End Network Address	End network segment of the LAN subnet. The value is a unicast IP address in dotted decimal notation. The subnet that takes effect is the subnet where the network address of the start IP address resides.
Mask	Subnet mask. The value is an integer in the range from 17 to 30.
Reserved IP Segments	Reserved subnet. Separate multiple subnets by commas (,).

Configuring a Fabric Global Resource Pool

Before creating VNs, you need to configure global resources, including the resource pools of loopback interface IP addresses, VLANs, VNIs, and BDs. During VN creation, iMaster NCE-Campus automatically allocates resources from resource pools.

Prerequisites

You have to perform the following operations before deploying LAN services on iMaster NCE-Campus:

A site has been created on iMaster NCE-Campus, and devices to be managed have been added to iMaster NCE-Campus. A switch can go online as a standalone device or a stacked device.
VLANIF interfaces, loopback interfaces, VTEP IP addresses, and routes have been configured on border and edge devices to implement interconnection between endpoint devices on the LAN. If all devices to be deployed on a fabric network are managed by iMaster NCE-Campus, you can enable automatic routing domain orchestration when creating the fabric network. In this case, iMaster NCE-Campus will automatically configure interfaces and routes on the fabric network.
A RADIUS template and AAA function have been configured on edge devices to implement authentication on the LAN.
Free mobility has been enabled for edge devices as required.

Context

The following figure shows the layers of loopback interface, VLAN, VNI, and BD resources on the network and the relationships among the resources.

Procedure

Choose Design > Basic Network Design > Network Settings > Fabric Global Resource Pool from the main menu.
Set parameters, and click to make the settings take effect.

A service VLAN resource pool is required if you need to configure external gateway interconnection VLANs, network service resource interconnection VLANs, CAPWAP management VLANs, and VN access VLANs for user terminals. When planning VLANs, ensure that the desired VLANs are not used by non-Fabric services. For example, the VLAN ID of the planned management VLAN cannot be included in the VLAN pool. Otherwise, services may be interrupted.

Related Operations

Select the resource to be deleted and click to delete the resource.
Click to refresh resources displayed on the page.

Parameters

Table 5-37 Global fabric resource parameters

Parameter	Description
VLAN	VLAN resource pool for end users accessing the network.
Loopback interface IP address	IP address pool for Loopback interfaces. This parameter is configurable when VNs connect to network resource services, such as DHCP and RADIUS.
Bridge Domain	On a VXLAN network, VNIs can be mapped to BDs in 1:1 mode so that a BD can function as a VXLAN entity to transmit traffic.
VXLAN Network Identifier	A VNI is similar to a VLAN ID and identifies a VXLAN segment.

Configuring an Underlay Automated Resource Pool

When you create fabric networks, you can enable automated routing domain orchestration. This implements automatic deployment of the underlay network. After this function is enabled, iMaster NCE-Campus automatically provisions configurations, such as VLANIF interfaces, loopback interfaces, VTEP IP addresses, and routes, required for BGP-EVPN on fabric networks. iMaster NCE-Campus automatically allocates resources from the underlay automated resource pool to devices.

Context

The following figure shows the layers where device interconnection IP address and VLAN resources reside on the network and the relationships between the resources.

Procedure

Choose Design > Basic Network Design > Network Settings > Underlay Automated Resource Pool from the main menu.
Set parameters, and click to make the settings take effect.

Related Operations

Select the resource to be deleted and click to delete the resource.
Click to refresh resources displayed on the page.

How Do I Configure Underlay Automation in the Multi-Site Scenario?

By configuring automated routing domain orchestration on the underlay network, routes between border nodes and edge nodes on a fabric network can be automatically configured. The interconnection links between border nodes and between border nodes and edge nodes are configured to ensure that the VTEP IP addresses on the entire network are reachable to each other through OSPF routes.

If transparent transmission devices are deployed on the underlay network under a fabric network, it is recommended that the device role of border nodes be set as core, that of edge nodes be set as aggregation, that of transparent transmission devices (not deployed on the fabric network) between border nodes and edge nodes be set to core. Currently, only one layer of transparent transmission devices can be deployed between border nodes and edge nodes.

When a fabric network spans multiple sites, you need to configure correct device roles and ensure that the sites are reachable to each other through OSPF routes.

The following describes automatic underlay deployment in the multi-site scenario and in a three-layer networking.

Scenario 1: A fabric network spans multiple sites, and only one site has a border node, as shown in the following figure.
Figure 5-6 Multi-site scenario

Perform the following operations to configure automatic underlay deployment:
1. Choose Design > Site Agile Deployment > Device Management from the main menu and change the role of Edge2 to Core.
2. Check the OSPF areas automatically orchestrated by the border node, choose Provision > Physical Network > Site Configuration from the main menu, click the Switch > Route > Interface OSPF tab, and manually configure the routes between interconnection interfaces on the border node and Edge2 to ensure that they are reachable to each other.
Scenario 2: A fabric network has three layers of devices, including a border node, edge nodes, and an access device, as shown in the following figure.
Figure 5-7 Three-layer fabric networking

Perform the following operations to configure automatic underlay deployment:
1. Choose Design > Site Agile Deployment > Device Management from the main menu and change the role of edge node 2 to Aggregation.
2. Change the role of the access device on the fabric network to Edge.

Parameters

Table 5-38 Underlay automation resource parameters

Parameter	Description
Interconnection VLAN	VLAN resource pool for device interconnection. This parameter is configurable when border and edge devices are interconnected on the underlay fabric network.
Interworking IP	IP address resource pool for device interconnection. This parameter is configurable when border and edge devices are interconnected on the underlay fabric network.

Template Management

Configuring an SNMP Template

By configuring SNMP parameters, communication between devices and iMaster NCE-Campus can be guaranteed. You can use a template to configure SNMP parameters for multiple devices in a unified manner.

Prerequisites

The HMAC corresponding to the required authentication protocol is supported on the device. For example, if the SHA2-256 authentication protocol is required, HMAC192SHA256 is supported on the device.
You have obtained the information about NE port number, Authentication, Authentication password, Data encryption, Encryption password, Username, Context and Engine ID from the device side.

Context

Protocol template: Protocol parameters are configured in templates (for example, SNMP parameter template) so that iMaster NCE-Campus can uniformly configure protocol parameters for multiple devices.
Table 5-39 shows the mapping between the authentication protocol and HMAC.
Table 5-39 Mapping between the authorization authentication protocol and HMAC
Authentication Protocol

HMAC

SHA2-256

HMAC192SHA256

SHA2-384

HMAC256SHA384

SHA2-512

HMAC384SHA512

Authentication Protocol	HMAC
SHA2-256	HMAC192SHA256
SHA2-384	HMAC256SHA384
SHA2-512	HMAC384SHA512

Procedure

Choose Design > Basic Network Design > Template Management > SNMP Protocol Template from the main menu.
Click Create.

Set SNMP parameters according to Table 5-40.

Table 5-40 Parameters for creating an SNMP template

Parameter	Description
Template name	Name of the SNMP template, which can be customized.
NE port number	Port used for communication between the specified devices. The value range is 1 to 65535.
SNMP version	Version number of the SNMP. The default value is SNMPv3.
Security level	Security level of SNMP, the default value is With authentication and encryption.
Authentication	Message authentication protocol.
Authentication password	Password for the authentication protocol.
Data encryption	Encryption protocol used in data encapsulation.
Encryption password	Password for the data encryption protocol.
Username	Username for accessing the device.
Context	Name of the environment engine.
Engine ID	Unique ID of the SNMP engine.
Timeout period (s)	Upper limit of the time that iMaster NCE-Campus takes to perform an SNMP operation on an NE. If the time that CloudSOP takes to perform an SNMP operation on an NE reaches the value of this parameter, CloudSOP abandons this operation. The default value is 10. NOTE: If the quality of the network between iMaster NCE-Campus and the NE is low, you can set this parameter to a large value to improve the success rate of the SNMP operation.
Polling interval (s)	Interval between two polling operations of the SNMP. The default value is 1800.
Maximum retry times	Maximum number of SNMP operations that iMaster NCE-Campus performs on an NE. If number of SNMP operations that iMaster NCE-Campus performs on the NE reaches the value of this parameter, CloudSOP abandons this operation. The default value is 5. NOTE: If the quality of the network between iMaster NCE-Campus and the NE is low, you can set this parameter to a large value to improve the success rate of the SNMP operation.
Access mode	Access mode of the protocol template. The default value is Public. Public: indicates that all users can access the protocol template. Private: indicates that the template creator and users with the admin permission can access the protocol template.

Click OK.

Related Tasks

Modify an SNMP template.

Users with the admin permission can modify all protocol templates. Common users can modify the protocol templates created by themselves and the protocol templates whose access modes are public.

To modify an added SNMP template, click in the Operation column of the SNMP template.
Delete an SNMP template.

Users with the admin permission can delete all protocol templates. Common users can delete the protocol templates created by themselves and the protocol templates whose access modes are public.

To delete an added SNMP template, click in the Operation column of the SNMP template.
View the number of devices associated with the SNMP template and device information.
To view the number of devices associated with an SNMP template and device information, click the value in the Associated Devices column of the SNMP template in the SNMP template list.

Enabling Insecure Parameter Options

This section describes how to enable insecure parameter options in Protocol Template. You can enable insecure protocol templates, security levels, authorization and authentication protocols, and data encryption algorithms as required. For security purposes, you are advised to use the secure parameter options provided by default.

Insecure parameter options in SNMP NBI are as follows:

Protocol version: SNMPv1 and SNMPv2c
Security level: Not authenticated nor encrypted or Authenticated but not encrypted
Authentication protocol: MD5, SHA, and SHA2-224
Date encryption protocol: DES and 3DES

Prerequisites

You have obtained the management IP address of a node where the drivermgmtservice process of DrvMgmt resides. For details, see How Do I Query the IP Address of the Node Where a Service Resides?.

Procedure

Use PuTTY to log in to a node where the drivermgmtservice process of DrvMgmt resides, as the sopuser user in SSH mode.
Run the following command to switch to the ossuser user:
su - ossuser
```
Password:password for the ossuser user
```
Run the following command to go to the directory where modifyCustomConfig.sh is stored:
cd /opt/oss/NCECAMPUS/apps/DriverMgmtService/bin
Run the following command to enable all insecure options of the parameters:
sh modifyCustomConfig.sh -on

The following information is displayed. Read the information carefully and confirm whether to continue.
```
The protocols/algorithms/security levels are insecure. Are you sure you want to continue? [y/n]
```
- If yes, enter y and press Enter.
  If "Operation successful." is displayed, the modification is successful. Otherwise, contact Huawei technical support.
- If no, enter n and press Enter. No further action is required

Customizing a Policy Template

Context

To simplify configurations and unify management, iMaster NCE-Campus adds the following parameter sets into a template. When related services are configured, the template can be referenced to apply parameter values in this template to the target object.

ACL
Dynamic ACL
URL category
RADIUS server
HWTACACS server
Portal server
URL parameters
RADIUS relay server
Authentication parameters
Escape policy
Traffic Classification
Traffic Behavior
Self-defined Application
Application Scheduling

Procedure

Customize an ACL template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select ACL.
2. Click Create, click the IPv4 or IPv6 tab, set parameters, and click OK.
Customize a dynamic ACL template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Dynamic ACL.
2. Click Create, set parameters, and click OK.

Customize a URL category template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select URL Category Template.
2. Click Create User-defined Category, set information of the customized URL category template, and click OK.
  You can create up to 64 customized URL category templates for a tenant.
  
  To delete a customized URL category template that has been delivered to a device, select the desired template and click Delete. Then choose Maintenance > Configuration Maintenance > Configuration Result from the main menu, set the filter criteria to filter devices on which the URL category template to be deleted is applied, and click Deliver All to delete the customized URL category template from the devices.

Customize a RADIUS template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select RADIUS Server.
2. Click Create, set parameters, and click OK.
  - When configuring an SSID for authentication based on a RADIUS server, you can select this template to specify the RADIUS server associated with the SSID. For details, see Configuring an SSID.
  - Only APs running V200R008C10 and later versions support the Disable RADIUS attributes parameter. The RADIUS attributes supported vary with the AP model. If this parameter is configured in the selected RADIUS template, ensure that the model and version of the target AP meet requirements. Otherwise, the SSID-related service configuration will fail to be delivered. To view RADIUS attributes supported by a device, run the display radius-attribute command in the system view of the device.
  - Only APs running V200R009C00 and later versions support the Set called-station-id attribute value parameter.
  - Only APs running V200R008C00 and later versions support the Real-time accounting parameter.

Customize a HWTACACS server template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select HWTACACS Server.
2. Click Create, set parameters, and click OK.
Customize a portal server template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Portal Server.
2. Click Create, set parameters, and click OK.
Customize a URL template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select URL Template.
2. Click Create, set parameters, and click Confirm.
  
  URL templates are configurable for only APs running V200R008C10 and later versions.
Customize a RADIUS relay server template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select RADIUS Relay Template.
2. Click Create, set parameters, and click OK.
Customize an authentication template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Authentication Template.
2. Click Create, set parameters, and click OK.
Customize an escape policy template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Bypass Policy Template.
2. Click Create, set parameters, and click OK.
Customize a traffic classification template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Traffic Classifier Template.
2. Click Create, set parameters, and click OK.
Customize a traffic behavior template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Traffic Behavior Template.
2. Click Create, set parameters, and click OK.
Customize a custom application template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Custom Application.
2. Click Create, set parameters, and click OK.
Customize an application scheduling template.
1. Choose Design > Basic Network Design > Template Management > Policy Template from the main menu, and select Application Scheduling Template.
2. Click Create, set parameters, and click OK.

Parameter Description

Table 5-41 Policy template (ACL)

Parameter			Description
Name			Unique identifier of an ACL template.
ACL Type			Type of an ACL. For an advanced ACL, the value ranges from 3001 to 3999. For a user ACL, the value ranges from 6000 to 6031. If domain names are specified as the matching condition in an ACL, a maximum of 128 rules can be configured in an ACL. If IP addresses are specified as the matching condition in an ACL, a maximum of 32 rules can be configured in an ACL. Only the IPv4 supports user ACL.
ACL Number			ACL number delivered to the device.
Rule List	-	-	Click Add, customize rules in the ACL template, and click OK.
	User	IP/Domain	Matching rule of the IP address or domain name corresponding to the ACL.
		Protocol	Protocol corresponding to the ACL. Any TCP UDP
		Port	Destination port number corresponding to the ACL. This parameter is valid only when the protocol is TCP or UDP.
	Advance	Priority	Priority of a rule in the ACL template. A smaller value indicates a higher priority.
		Strategy	Traffic transmission policy. Permit: permits packets that match the rule to pass. Reject: rejects packets that match the rule to pass.
		Protocol	Traffic matchmaking protocol.
		Source IP Address	Source IP address of packets.
		Source Port	Source port number of packets.
		Destination IP Address	Destination IP address of packets.
		Destination Port	Destination port of packets.

Table 5-42 Policy template (Dynamic ACL)

Parameter		Description
Name		Unique identifier of a dynamic ACL template.
Rule list	-	Click Add, customize rules in the dynamic ACL template, and click OK.
	Rule No.	Number of an ACL rule. The value is an integer in the range from 10000 to 10999.
	Destination IP Address	Matching rule of the IP address corresponding to the ACL.
	Protocol	Traffic matching protocol, including ALL, TCP and UDP.
	Port	Destination port of packets.
	Control Type	Control type of packets. The option can be Permit or Deny.

Table 5-43 Policy template (URL category)

Parameter	Description
Name	Unique identifier of a URL category template.
URL	List of URLs to be filtered. Multiple URLs are separated by line breaks. The asterisk () can be used for fuzzy match of URLs. The list supports a maximum of 32 fuzzy match rules and 512 exact match rules (duplicate items are not counted). If the filtering target is an address starting with https* (for example, https://www.xxx.com/example), you need to enter only the domain name (www.xxx.com) of the URL.
Domain name	List of domain names to be filtered. Multiple domain names are separated by line breaks. The asterisk (*) can be used for fuzzy match of domain names. The list supports a maximum of 32 fuzzy match rules and 512 exact match rules (duplicate items are not counted).

Parameter

Description

Name

Unique identifier of a URL category template.

URL

List of URLs to be filtered. Multiple URLs are separated by line breaks.

The asterisk (*) can be used for fuzzy match of URLs. The list supports a maximum of 32 fuzzy match rules and 512 exact match rules (duplicate items are not counted).

If the filtering target is an address starting with https (for example, https://www.xxx.com/example), you need to enter only the domain name (www.xxx.com) of the URL.

Domain name

List of domain names to be filtered. Multiple domain names are separated by line breaks.

The asterisk (*) can be used for fuzzy match of domain names. The list supports a maximum of 32 fuzzy match rules and 512 exact match rules (duplicate items are not counted).

Table 5-44 Policy template (RADIUS server)

Parameter		Description
Name		Unique identifier of a RADIUS server template.
Using Built-in Server		Whether to configure iMaster NCE-Campus as a RADIUS server. If this function is enabled, you can configure either the service manager (SM) or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters.
Primary authentication server address/Port		IP address and port number of the active and standby authentication servers.
Secondary authentication server address/Port
Primary accounting server address/Port		IP address and port number of the active and standby accounting servers.
Secondary accounting server address/Port
Real-time accounting		Whether to enable real-time accounting. After this function is enabled, you can configure a real-time accounting interval. By default, this function is disabled.
Billing reporting cycle		Real-time accounting interval.
Key		Shared key of the RADIUS server. You are advised to periodically change the shared key.
Disable RADIUS attributes		Whether to filter specific attributes in the packets exchanged between the device and the RADIUS server. The default value is OFF, indicating that specific attributes are not filtered.
Disable attributes	-	Click Create and configure a filtering policy.
	Attribute name	Click ... and select the names of attributes to be filtered in the displayed dialog box.
	Prohibit Sending	The device is disabled from sending packets containing specified RADIUS attributes to the RADIUS server.
	Prohibit Receiving	The device is disabled from receiving packets containing specified RADIUS attributes from the RADIUS server.
Service-Type	-	The value of the same RADIUS attribute may vary on RADIUS servers from different vendors. Therefore, RADIUS attribute values need to be modified, so that a Huawei device can successfully communicate with a third-party RADIUS server.
	Attribute value	Specifies the value of service-type attribute to be modified.
	Option	Sets the user authentication mode to MAC address authentication.
called-station-id	-	After this function is enabled, you can set the called-station-id attribute value, which specifies content encapsulated in the called-station-id attribute of RADIUS packets. Currently, only APs support this function. By default, this function is disabled.
	Attribute separator	Content encapsulated in the called-station-id attribute. The value can be ap-mac or ap-location.
	Carry SSID attribute	After this function is enabled, the content encapsulated in the called-station-id attribute contains the SSID. By default, this function is disabled.
	Attribute delimiter	Delimiter before the SSID when the content encapsulated in the called-station-id attribute contains the SSID. The value is of enumerated type, and can be \, /, :, <, >, \|, @, ', %, *, +, -, &, !, #, ^, and ~. The default value is :.
MAC address format setting		MAC address format in RADIUS packets. The following formats are supported: Mac address case MAC address separator Mac address format

Table 5-45 Policy template (HWTACACS server)

Parameter	Description
Name	Unique identifier of a HWTACACS server template.
Using Built-in Server	Whether to configure iMaster NCE-Campus as a HWTACACS server. If this function is enabled, you can configure either the SM or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters.
Primary authentication server IP address/Port	IP address and port number of the primary and secondary authentication servers. NOTE: If the IP address and port number of the master authentication server is configured and the IP address and port number of the master accounting server is not configured, the user only has the default permission of the device, which can be referred to in the product documentation of the device.
Secondary authentication server IP address/Port
Primary authorization server IP address/Port	IP address and port number of the primary and secondary authorization servers.
Secondary authorization server IP address/Port
Primary accounting server IP address/Port	IP address and port number of the primary and secondary accounting servers.
Secondary accounting server IP address/Port
Include domain name	By default, this field is disabled. Whether the domain name is included in the username carried in request packets sent by devices to the HWTACACS server. If this function is enabled, the domain name is included in the username and the default domain name is default_admin. If this function is disabled, devices do not encapsulate the domain name in the username when sending packets to a HWTACACS server.
Key	Shared key of the HWTACACS server.

Table 5-46 Policy template (portal server)

Parameter	Description
Name	Unique identifier of the portal server template.
Using Built-in Server	Specify iMaster NCE-Campus as the portal server. If this function is enabled, you can configure either the service manager (SM) or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters. The default protocol for pushing portal pages is HTTPS. To use HTTP, enable the HTTP port.
IP address	IP address of a third-party portal server. Use commas (,) to separate multiple IP addresses.
Port	Port of a third-party portal server.
URL	Interface URL of a third-party portal server.
Portal user synchronization	Whether to synchronize user information between devices and iMaster NCE-Campus. You can enable this function when Portal 2.0 authentication is configured. The synchronization interval and maximum allowable number of synchronization failures can be set. The synchronization interval is in the range from 20 to 65535, in seconds, and its default value is 300. The maximum allowable number of synchronization failures is in the range from 2 to 255 and its default value is 3. The synchronization interval multiplied by the maximum allowable number of synchronization failures must be greater than the interval at which the portal server sends synchronization packets to devices. Otherwise, devices will log out users if they do not receive any synchronization packet from the portal server after the maximum allowable number of synchronization failures is reached. The built-in portal server of iMaster NCE-Campus sends synchronization packets at an interval of 3600 seconds.
Key	Shared key of a portal server.
URL parameter profile	URL template (with related parameters specified) associated with a portal server. If an SSID is associated with a Portal server template, the SSID is also associated with this URL template.

Table 5-47 Policy template (URL)

Parameter		Description
Name		Unique identifier of a URL template.
Template Type		The options are Relay authentication by cloud platform and Third-party authentication.
Parameters in template	-	Click Create, customize rules in the URL template, and click .
	Parameter Name	Parameters required for authentication through a third-party Portal server.
	Value Assignment Mode	Replace the existing value of the controller: Select the existing parameters of iMaster NCE-Campus. User-defined: Set parameters based on your requirements. Only when Template Type is set to Relay authentication by cloud platform, the value assignment mode configured takes effect.
	Parameter Content

Table 5-48 Policy template (RADIUS relay server)

Parameter		Description
Name		Unique identifier of a RADIUS relay server template.
Portal Authentication	Authentication server address	Click Add, and configure the priority, IP address, port, and key information about the authentication server. You can add up to three authentication servers.
	Authentication protocol	Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP). CHAP is more secure and recommended.
	NAS identifier	NAS identifier attribute carried in RADIUS relay packets. Controller identification: When iMaster NCE-Campus sends RADIUS relay packets, the value of NAS-Identifier in the packets is Huawei Agile Controller-Campus. Device MAC: When iMaster NCE-Campus sends RADIUS relay packets, the value of NAS-Identifier in the packets is the device MAC address.
	Accounting server address	Click Add, and configure the priority, IP address, port, and key information about the accounting server. You can add up to three accounting servers.
	Timeout period	Negotiation time for connection to the authentication server and accounting server. After the timeout period is exceeded, the current connection fails.
	Resend tries	Number of times a client connects to the authentication server and accounting server.
	Load balancing mode	Policy specifying the server to which clients connect if multiple authentication servers or accounting servers are configured. Strict accordance with priority: Clients connect to servers strictly based on server priorities. Only when the server within a higher priority is unreachable, the server with a lower priority is connected. Cycle: Clients connect to servers based on server priorities in cycle mode.
	MAC address format setting	MAC address format in RADIUS packets. The following formats are supported: MAC address case MAC address connector MAC address format
RADIUS Authentication	Authentication server address	Click Add, and configure the priority, IP address, port, and key information about the authentication server. You can add up to three authentication servers.
	Accounting server address	Click Add, and configure the priority, IP address, port, and key information about the accounting server. You can add up to three accounting servers.
	Timeout period	Negotiation time for connection to the authentication server and accounting server. After the timeout period is exceeded, the current connection fails.
	Resend tries	Number of times a client connects to the authentication server and accounting server.
	Load balancing mode	Policy specifying the server to which clients connect if multiple authentication servers or accounting servers are configured. Strict accordance with priority: Clients connect to servers strictly based on server priorities. Only when the server within a higher priority is unreachable, the server with a lower priority is connected. Cycle: Clients connect to servers based on server priorities in cycle mode.
	Advanced	In a RADIUS relay scenario, authorization information contains the authorization result of the relay server. Dynamic authorization cannot be directly performed by the controller. Dynamic authorization needs to be triggered on the relay server. Transfer authorization results: The controller forwards authorization results from the external RADIUS server to target devices. Incremental authorization: The attributes in the packets returned by the external RADIUS server are used as conditions to match authorization rules, and the matched authorization result is applied.

Table 5-49 Policy template (authentication)

Parameter	Description
Name	Name of an authentication template.
Authentication mode	The options are Portal, MAC, and 802.1X. You can set this parameter as needed. NOTE: If users require the portal authentication mode using dynamically-authorized VLANs, you need to select the combination mode of MAC authentication and Portal authentication.
RADIUS server template	Select the RADIUS server template that has been set.
Portal server template/Secondary portal server template	Select the Portal server template that has been set. This parameter is configurable only when Authentication Mode is set to Portal.
IPv6 terminal authentication	If the terminal to be authenticated uses the IPv6 protocol, after this function is enabled, you need to set an IPv6 URL for the page pushed by the portal server. In such cases, IPv4 URLs are not supported.
Domain	You can use the default value.
IP phone Authentication	You can set this parameter as needed.
RADIUS dynamic authorization	The options are Default and Custom. You can set this parameter as needed.
RADIUS dynamic server address	This parameter is configurable only when RADIUS dynamic authorization is set to Custom.
Key	Key for RADIUS dynamic authorization. This parameter is configurable only when RADIUS dynamic authorization is set to Custom.
User access mode	User access mode of an interface. The options are as follows: multi-authen: This is the default mode. Allows multiple users to go online through an interface. In this mode, the device performs access authentication for each user. If the authentication succeeds, the device grants independent network access rights to the user. After a user goes offline, other users are not affected. single-voice-with-data: The specified interface allows only one data user and one voice user to go online. This mode is used when a data user accesses the network through a voice terminal. single-terminal: The specified interface allows only one user to go online.
RADIUS bypass policy	Set the RADIUS bypass policy and specify the VLAN or bypass policy template used by users to bypass.
VLAN
Bypass policy template
Automatic re-authentication	Whether to re-authenticate a terminal if the terminal failed to be authenticated. If this function is enabled, after a period of time specified in Re-authentication time, iMaster NCE-Campus authenticates terminals that failed to be authenticated previously. The re-authentication interval ranges from 30 to 7200, in seconds.

Table 5-50 Policy template (bypass policy)

Parameter		Description
Name		Name of a bypass policy template.
VLAN ID		VLAN used by users who bypass authentication.
Security Group		Security group authorized to users who bypass authentication.
IPv4 Rule /IPv6 Rule	Protocol	Network access rights granted to users who bypass authentication. The protocol type, IP address, and port number are defined in ACL rules. The port number is configurable only when the protocol is TCP or UDP.
	IP
	Port

Table 5-51 Policy template (security group)

Parameter	Description
Name	Name of a security group.
Description	Security group description.

Table 5-52 Policy template (traffic classifier)

Parameter		Description
Name		Unique identifier of a traffic classifier.
Description		Description of the traffic classifier.
Rule type		Relationship between rules in a traffic classifier. The options are as follows: And: indicates that the relationship between rules in a traffic classifier is AND. That is, packets match a traffic classifier only when they match all rules in the traffic classifier. Or: indicates that the relationship between rules in a traffic classifier is OR. That is, packets match a traffic classifier as long as they match one or more rules in the traffic classifier.
IPv4 Rule	Priority	Rule priority in a traffic classifier. A smaller value indicates a higher priority. The priority value must be unique.
	Protocol	Protocol corresponding to the rule. The options are as follows: TCP UDP ICMP Any
	Source IP Address	Source IP address specified in the rule.
	Destination IP Address	Destination IP address specified in the rule.
	Source Port	Source port number specified in the rule. This parameter is configurable only when the protocol is set to TCP or UDP.
	Destination Port	Destination port number specified in the rule. This parameter is configurable only when the protocol is set to TCP or UDP.
VLAN	Start VLAN ID	Start outer VLAN ID.
VLAN	End VLAN ID	End outer VLAN ID. The end outer VLAN ID must be greater than the start outer VLAN ID.

Table 5-53 Policy template (traffic behavior)

Parameter			Description
Name			Unique identifier of a traffic behavior.
Description			Description of a traffic behavior.
Action	Traffic limit	CIR (kbit/s)	Committed information rate (CIR): indicates the rate at which tokens are put into bucket C, that is, the average traffic rate that bucket C allows.
		PIR (kbit/s)	Peak information rate (PIR): indicates the rate at which tokens are put into bucket P, that is, the maximum traffic rate that bucket P allows. The PIR is greater than the CIR.
		CBS (Byte)	Committed Burst Size (CBS): indicates the capacity of bucket C, that is, the maximum volume of burst traffic that bucket C allows.
		PBS (Byte)	Peak burst size (PBS): indicates the capacity of bucket P, that is, the maximum volume of burst traffic that bucket P allows.
	Priority	Local priority	Internal precedence of the device, which identifies the class of service (CoS) of packets.
		DSCP precedence	DSCP precedence used to specify the QoS priority of packets on IPnetworks.
		802.1p priority	802.1p priority used to specify the QoS priority of packets on VLAN networks.

Table 5-54 Policy template (custom Application)

Parameter		Description
Name		Unique identifier of a user-defined application template.
Description		Description of the user-defined application template.
Rule list	IP/Domain	IP address or domain name of a user-defined application.
	Protocol	TCP UDP ALL
	Port	Port used by the user-defined application. This parameter needs to be set if you set the protocol to TCP or UDP.

Table 5-55 Policy template (application scheduling)

Parameter		Description
Name		Unique identifier of an application scheduling template.
Description		Description of the application scheduling template.
Application scheduling queue	Guaranteed bandwidth	Minimum bandwidth assured for an application.

Configuring a Site Template

Configuring a LAN-side Site Template

Context

A site template records service configurations such as the SSID, radio settings, SNMP parameters, and terminal information protection policies. When you bind a site template to a site (group of devices), the service configurations specified in this site template apply to the site. This realizes automatic configuration of sites. If you need to configure the same service configurations for multiple sites, you can use this method to improve efficiency.

A maximum of 100 site templates can be configured for a tenant.

After a site template is bound to a site, iMaster NCE-Campus automatically delivers the service configurations specified in the site template to all devices at the site.
After a site template is unbound from a site, iMaster NCE-Campus automatically restores the service configurations at the site to default values.

After a site template is deleted, the binding relationship between site and site template is automatically removed. In this case, the service configurations of the site will be restored to default values.
One site template can be bound to a maximum of 2,000 sites.

Procedure

Choose Provision > Physical Network > Site Configuration Template from the main menu.
Click Site Template.
On the Site Template page, click Create to create a site template as prompted.

Template function displays all features. If the SecoManager is not installed, do not select Security Policy under FW.

The template type is automatically configured based on the selected functions.

If the site template is displayed in the list on the Site Template page, the site template is created successfully.
Click in the row of the desired site template or click the desired template name in the list to set parameters carried in the template.
After the configuration is complete, click Apply to save the configuration. Then, click the icon of the site template in the upper left to return to the site template page.
On the Site Template page, select the desired site template. In the window on the right, click Bind.
In the displayed dialog box, select the sites to be bound with the site template, and click OK.

If a device of any device type specified in the filter criteria is deployed at a site, the site will be filtered out and displayed in the list.

Follow-up Procedure

After a site template is bound to a site, the service configurations carried in the site template will be delivered to all devices of the corresponding type (firewall, switch, AP, or AR) at the target site.

You cannot select APs by tag when configuring an SSID based on a site template, and only one VLAN can be specified for the SSID.
You can only configure basic radio parameters in site templates. To configure radio calibration parameters, navigate to the AP > Radio page of the target site.

Parameter Description

Table 5-56 Site template for LAN

Parameter	Description
Template name	Site template name. The parameter value is a string of 1 to 64 characters, and cannot be the same as an existing site template name.
Template type	Device type of a site template, including firewall, LAN switch, AR, and AP. Multiple device types can be selected.
Template function	Service that can be configured using the site template. (This parameter is valid only when Feature customization is set to On.)

Table 5-57 Site > Service Parameters > Basic Info

Parameter	Description
Time zone	Default time zone for all devices at the current site. This setting is applicable to firewalls, switches, and APs only.
DST	Daylight saving time for devices at the current site. This setting is applicable to switches, APs, and ARs only.
NTP server IP address	NTP server IP address for the current site. This setting is applicable to firewalls, switches, and APs only.

Table 5-58 Site > Service Parameters > Device Management

Parameters		Description
Local user	User name	User name for logging in to a device. The user name is in the username or username@domainname format. The value is case-insensitive and cannot contain spaces or the following special characters: *, ?, ". If HWTACACS authentication bypass is enabled, an authentication account same as the local user account must be configured.
	Password	Password of the user account. The password must meet the following requirements: Contains 8 to 16 characters. Contains at least three of the following: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (for example, !, @, #, $, %). Question marks or spaces are not supported. The same character is not repeated consecutively two or more times. The password cannot be the same as the username or reverse of the username.
	Role	Priority of a local user. After uses of different levels log in to a device, they can use only the commands of the same or a lower level than their own levels. Monitor: Level 1 Administrator: Level 15
	Service type	Access mode of a local user. HTTP(S): If this option is selected, the user can log in to the WebUI of a device from the browser using the HTTP(S) protocol. SSH: If this option is selected, the user can log in to the CLI of a device from the SSH client.
BootROM password		BootROM password of a switch or an AP. When you do not set this parameter: The password set on the System > System Management > Device Password Configuration page before you create a site becomes the default BootROM password of the switch or AP. The default BootROM password on the switch or AP takes effect if you do not set the BootROM password on the System > System Management > Device Password Configuration page before creating a site.

Table 5-59 Site > Service Parameters > SNMP

Parameter		Description
Protocol version		SNMP version. SNMPv3 is recommended, because it is more secure than SNMPv1 and SNMPv2c.
Configuration in the scenario where Version is set to V1 or V2C	Read community name	Group of NMSs and SNMP agents. A community name functions as the password for authentication when devices in the community communicate with each other. An NMS can access an SNMP agent only if the community name carried in the SNMP request sent by the NMS is the same as that configured on the SNMP agent. A community name consists of a read community name and a write community name. Currently, iMaster NCE-Campus can only interconnect with SNMP through the read community name. The parameter value consists of 1 to 32 characters including digits, letters, or special characters.
	Allowed IP addresses	IP address whitelist of NMS servers. The whitelist defines NMS servers' IP addresses, improving the system security. If the whitelist is left empty, an NMS server with any IP address can access devices.
	Alarm Server	WIndicates whether to configure alarm servers for devices. Through this function, alarms generated on a device can be sent to the NMS server in a timely manner, implementing effective management on devices. The IP addresses must be of Class A, B, or C. Multiple IP addresses need to be separated with line breaks, and up to 20 IP addresses can be entered. Class A IP addresses: 1.0.0.0-126.255.255.255 Class B IP addresses: 128.0.0.0-191.255.255.255 Class C IP addresses: 192.0.0.0-223.255.255.255
	Alarm server list	Alarm server IP address. The IP addresses must be of Class A, B, or C. Multiple IP addresses need to be separated with line breaks, and up to 20 IP addresses can be entered.
Configuration in the scenario where Version is set to V3	User List	Click Add and add the account information. To implement the bidirectional communication in the following scenarios, ensure that User name, Encryption Password, and Authentication Password are the same as those on the NMS server: When a device reports an alarm to the NMS server, the user account and password set here are used for authentication and verification on the NMS server. The device can successfully report the alarm only after successful verification. When the NMS server proactively accesses a device, the NMS server performs authentication and verification on the device. The NMS server can successfully access the device only after successful verification.
	Allowed IP addresses	IP address whitelist of NMS servers. The whitelist defines NMS servers' IP addresses, improving the system security. If the whitelist is left empty, an NMS server with any IP address can access devices. The IP addresses must be of Class A, B, or C. Multiple IP addresses need to be separated with line breaks, and up to 20 IP addresses can be entered.
	Alarm Server	Whether to configure alarm servers for devices. Through this function, alarms generated on a device can be sent to the NMS server in a timely manner, implementing effective management on devices.
	Alarm server list	Click Add, add an alarm server, and select corresponding accounts from the drop-down list box. The alarm server IP addresses must be of Class A, B, or C, and up to 20 IP addresses can be added.

Table 5-60 Site > O&M parameters

Parameter	Description
Terminal access record storage time	Number of days for storing client access data. The value ranges from 1 to 90, and the default value is 90. The data that has been stored for more than the specified days is automatically cleared.
Anonymous terminal information	Whether to hide the terminal information (such as the MAC addresses, IP addresses, and user names). By default, this field is set to ON.

Table 5-61 AP > SSID > Basic settings

Parameter		Description
Basic Settings	SSID Name	SSID when a STA connects to a wireless network. NOTE: If the SSID name contains Chinese characters, it may be displayed as garbled characters on terminals running Windows.
	Working status	The default value is ON. If the value is set to OFF, the SSID is unavailable.
	Scheduled switch-on	Time range during which the SSID is enabled. The SSID is disabled beyond the time range. This improves the network security and saves energy. If the preconfigured time policy cannot meet flexibility requirements, click . In the displayed window, create a user-defined time template. NOTE: If both scheduled radio switch-on and scheduled SSID switch-on are enabled on an AP, users can access the SSID only in the period when both the SSID and radio are enabled. Only APs running V200R008C10 or a later version support scheduled SSID switch-on. On an AP that does not support scheduled SSID switch-on, the SSID is enabled all the time.
	Effective radio	Triple-frequency bands are used by default. The default value is recommended. NOTE: Only the AP4051TN and AP8050TN-HD support 5G (wlan-radio 0/0/2).
	AP tags	The label specifies the AP where the SSID is configured. If the value is empty, the SSID is configured on all APs in the site. Otherwise, you need to add a label for the AP as prompted.
	Network connection mode	If STAs connect to the AP used only for Layer 2 forwarding, select Layer 2 forwarding. You also need to configure the VLAN ID based on the label. If STAs connect to the AP used as the DHCP server, select NAT.
	VLAN	This parameter is available only when the value of Network connection mode is Layer 2 forwarding. The VLAN ID of an AP is assigned to a STA that is associated with an SSID based on the label. NOTE: If the same AP has multiple labels that correspond to different VLAN IDs, the VLAN ID with the smallest priority takes effect.
Advanced Configuration	SSID hiding	By default, this function is disabled. After this function is enabled, SSIDs are invisible.
	MDNS Snooping	By default, this function is disabled. After this function is enabled, the access device can parse service information in mDNS packets sent by wireless terminals and identify the terminals.
	Disable AP after AP disconnection	By default, this function is disabled. After this function is enabled, the SSID will be automatically disabled if the AP uplink is disconnected. This ensures that the device can automatically connect to other APs.
	Band steering (5G-prioritized)	By default, this function is enabled. The band steering function enables an AP to steer STAs to the 5 GHz frequency band first, which reduces load and interference on the 2.4 GHz frequency band. User experience is therefore improved.
	Transmit rate of 2.4G Beacon frames (Mbit/s)	Transmit rate of 2.4 GHz Beacon frames and 5 GHz Beacon frames, in Mbit/s. Only APs running V200R009C00 or a later version support these parameters.
	Transmit rate of 5G Beacon frames (Mbit/s)
	Limit access of traditional terminals	By default, this function is disabled. After this function is enabled, 802.11a, 802.11b, and 802.11g traditional terminals cannot be connected.
	Maximum number of users	Maximum number of STAs connected to the SSID.
	Access threshold policy	New users are not allowed to access the network When the number of STAs connected to the RF reaches the threshold, new users are not allowed to access the network. New users are not allowed to access the network and the SSID is hidden When the number of STAs connected to a radio reaches the threshold, new STAs are not allowed to access the network, and all SSIDs of the radio are automatically hidden. VIP subscribers preferentially access the network When the number of terminals connected to the RF reaches the threshold, VIP users preferentially access the network and replace common users. You need to authorize VIP users on the Admission > Admission Policy > Authentication and Authorization Policy page.
	User isolation	By default, this function is enabled. After this function is enabled, STAs connected to the SSID of a certain AP are isolated from each other.
	Isolation mode	All isolated Layer 2 user isolation
	IGMP-Snooping	By default, this function is disabled. After IGMP snooping is enabled, multicast data can be forwarded and controlled at the data link layer.
	Disable broadcast or multicast	By default, this function is disabled. After this function is enabled, WLAN sharing and broadcast or multicast discovery is disabled, and the Bonjour transparent transmission parameter becomes configurable.
	Multicast-to-unicast conversion	By default, this function is disabled. After this function is enabled on an AP, the AP listens on Report and Leave messages to maintain multicast-to-unicast entries. When sending multicast packets to the client, the AP converts the multicast data packets to unicast data packets based on the multicast-to-unicast entries to improve multicast traffic transmission efficiency. After adaptive multicast-to-unicast conversion is enabled, when the air interface performance encounters a bottleneck during multicast-to-unicast conversion, an AP automatically switches the multicast group containing the minimum number of STAs to the multicast mode. After the air interface performance is improved and keeps being improved for a period of time, the AP automatically switches the multicast group containing the maximum number of STAs to the unicast mode. In this way, the air interface performance is automatically adjusted without manual intervention, improving wireless user experience.
	Bonjour transparent transmission	By default, this function is disabled. Bonjour is a Zeroconf solution proposed by Apple and applies to Layer 2 broadcast domains. It allows network devices in a Layer 2 broadcast domain to obtain IP addresses and discover services.
	U-APSD	By default, this function is disabled. U-APSD is a new energy saving mode defined for WMM, which can improve the energy-saving capability of STAs. Some STAs may not well support U-APSD. In this case, you need to disable U-APSD.
	WMM scenario	Set the WMM parameter based on the network requirements to enable high-priority data packets to occupy wireless channels, namely, adjusting the forwarding priority of video and voice service traffic. To make the WMM function take effect, you need to enable the WMM function switch among the radio parameters. The options of this parameter are as follows: Default: No priority is assigned. Voice: Priority is assigned to voice service traffic. Voice and Video: Priority is assigned to voice and video service traffic. Customize. NOTE: Only APs running V200R008C10 or a later version support WMM function.
	Terminal MAC address filtering	By default, this function is disabled. After this function is enabled, the system filters the MAC addresses of the devices connected to the network according to the blacklist or whitelist. Blacklist: Devices with the MAC address specified in the list are denied to access the network. Complete MAC addresses are matched against the list. Whitelist: Devices with the MAC address specified in this list are allowed to access the network. Either complete MAC addresses or OUIs can be matched against this list. The OUI is the first 24 bits of a MAC address of a device.
	Audio quality analysis	By default, this function is disabled. If this function is enabled and the SIP port is configured, the system will enable the SIP protocol. In this case, devices can capture SIP packets and analyze the service type of the packets, such as the voice service. If iMaster NCE-Campus allows devices to report performance data to the analyzer, the analyzer can obtain the performance data of the voice service and analyze the voice call quality.
	802.11r Fast Roaming Enable	Whether to enable 802.11r fast roaming function. The options are as follows: Adaptive Enable: After this function is enabled, you need to set the reassociation timeout interval. The default value is 1 second. Disable NOTE: Security policies supported by 802.11r include open system, WPA2+PSK+AES, WPA2+PPSK+AES, and WPA2+802.1X+AES.
	802.11r over the DS	802.11r fast roaming mode. If this parameter is enabled, 802.11r fast roaming in over-the-DS mode is configured. If this parameter is disabled, 802.11r fast roaming in over-the-Air mode is configured.
	Reassociation timeout interval(s)	Timeout period for reassociation. The default value is 1 second.
	Device-pipe synergy roaming	Whether to enable device-pipe collaborative roaming. This function is disabled by default.
	Service assurance mode	Performance first Reliability first
	Mobile game acceleration	Whether to enable the mobile game acceleration function. The default value is enable. This function is supported on the following mobile game applications: PlayerUnknown's Battlegrounds (PUBG), PUBG Mobile, Crossfire, Knives Out, Honor of Kings, DNF, Fantasy Westward Journey, League of Legends, Fortnite, and Identity V. After this function is enabled, the uplink and downlink rates will be accelerated for the mobile game applications that support this function.
	Suppressing UE power saving	Whether to enable the function of preventing terminals from entering energy-saving mode. After the function is enabled, the terminals consume more power and extra bandwidth. If no terminal unexpectedly enters energy-saving state, you are advised to disable the function. This function is disabled by default.
	MU-MIMO	Whether to enable MU-MIMO optimization. In an environment with less interference, the MU-MIMO optimization function meets user requirements for high downlink throughput of APs. This function is enabled by default.
	Terminal aging time (minutes)	Time when weak-signal terminals are forced offline. To prevent user experience deterioration when a large number of weak-signal STAs access the network, you can reduce the aging time of these STAs.

Table 5-62 AP > SSID > Secure network

Parameter	Description
RADIUS server	It runs on the central computer or workstation and maintains user authentication and network service access information. It receives user connection requests, authenticates users, and returns all required information (such as accepting or rejecting authentication requests) to clients.
Enable traffic statistics	After this function is enabled, the system provides the traffic statistics function.
CoA/DM in NAT scenarios	After this function is enabled, the system provides a mechanism for dynamically modifying the rights of online users or forcing users to go offline. The switch takes effect only for subscribers who are activated after the switch is turned on.
Automatic re-authentication	Re-authentication is enabled for online users.
Re-authentication time (s)	Interval for re-authenticating online users.
Escape policy	The system grants specific network access rights to users to meet their basic network access requirements.

Table 5-63 AP > SSID > Policy control

Parameter		Description
SSID-based rate limiting		Limit the uplink or downlink bandwidth of a single SSID.
Static terminal rate limiting		Whether to configure static rate limiting for a single terminal to limit its uplink and downlink bandwidths separately. If both static and dynamic terminal rate limiting functions are enabled, static terminal rate limiting takes effect.
Dynamic terminal rate limiting		Whether to enable dynamic rate limiting for a single terminal. If this function is enabled, the uplink and downlink bandwidths of each terminal are limited separately. If both static and dynamic terminal rate limiting functions are enabled, static terminal rate limiting takes effect.
Advanced Configuration	IPV6	Whether to enable IPv6 for the SSID.
	ACL	Configure ACL-based packet filtering to permit or reject the packets matching ACL rules. You can select an ACL from the drop-down list box. NOTE: Choose Design > Basic Network Design > Template Management > Policy Template from the main menu. You can manage ACL templates in a centralized manner.
	Application traffic statistics collection	After this function is enabled, APs parse packets from users to collect the network usage statistics about each user application. NOTE: AP2050DN, AP2050DN-E, AP2050DN-S, AP4050DN-E, AP4050DN-HD, AP6050DN(256M), AP6150DN(256M), AP7050DE(256M), AP8030DN, AP8130DN, R230D, R240D, R250D, R250D-E, R251D, R251D-E, R450D and the AirEngine series(excluding AP7060DN and AirEngine5760-10) do not support application traffic statistics collection.
	APP filtering list	Configure blocking, CAR, and DSCP marking policies for network packets of certain applications. If you want to learn supported applications in the AP signature database, visit https://support.huawei.com/enterprise/en/doc/EDOC1000183795. NOTE: AP2050DN, AP2050DN-E, AP2050DN-S, AP4050DN-E, AP4050DN-HD, AP6050DN(256M), AP6150DN(256M), AP7050DE(256M), AP8030DN, AP8130DN, R230D, R240D, R250D, R250D-E, R251D, R251D-E, R450D and the AirEngine series(excluding AP7060DN and AirEngine5760-10) do not support APP filtering.
	URL filtering	By default, this function is disabled. After enabling this function, configure a URL filtering policy to limit network resources accessed by STAs. Blacklist filtering mode: rejects access to the websites in the URL list. Whitelist filtering mode: permits access to the websites in the URL list. NOTE: Central APs do not support URL filtering. If the browser used by the terminal accesses websites using the proxy, the blacklist and whitelist configurations do not take effect because the URLs in the data packets are not the URLs of the target websites.
	IPSEC ACL	Use ACLs to configure IPsec policies to implement priority-based processing of data packets meeting related conditions.

Table 5-64 Basic Settings

Parameter	Description
Country/Region	Region where the tenant network belongs. After Region is selected based on the region where the AP is deployed, the AP resets the working channel and power of the radio based on local laws and regulations and adjusts the configurable channel range and power.
Schedule for enabling radio	Time range during which the radio is enabled. The radio is disabled beyond the time range. This improves the network security and saves energy. If the preconfigured time policy cannot meet flexibility requirements, click . In the displayed window, create a user-defined time template.
Calibration mode	Radio calibration mode. You are advised to use Timing mode and set the optimization time to off-peak hours (for example, 00:00-06:00 at the local time). Manual: An AP does not actively perform calibration. Default start time 03:00:00, interval 1440min. Automatic: An AP performs calibration based on the configured start time and period. Timing: An AP performs calibration at the specified time point.
Calibration policy	The calibration policy takes effect only in automatic radio calibration mode. You are advised to use scheduled optimization and set the optimization time to off-peak hours (for example, 00:00-06:00). Rogue AP policy: When rogue APs (out of control by a WAC) exist on a network, set the radio calibration policy to rogue-ap. The device then immediately takes actions to avoid interference. This policy may lead to frequency channel switchovers. You are advised to use this policy under the instruction of technical support personnel. Non Wi-Fi policy: When non-Wi-Fi interference occurs on a network, the device immediately takes actions to avoid interference. Noise: When the noise floor of APs is high due to special external interference, service experience may deteriorate. With this radio calibration policy, the device takes actions to avoid interference. When detecting that the noise floor of the current channel exceeds the threshold for three consecutive times, an AP notifies the AC of the high noise floor. The AC then allocates another channel to the AP and does not allocate the current channel to the AP in 30 minutes.
AI-powered calibration	This function is enabled by default and takes effect when the system connects to the CampusInsight. If the CampusInsight is not connected, the device automatically uses the original mode for optimization. After the AI optimization function takes effect, the device automatically optimizes the AI algorithm based on the historical data of the device within seven days. If the interference source around the device changes during the day and night, this function has good optimization effect.
RF mode	Radio mode of the AP.

Table 5-65 Advanced settings

Parameter		Description
2.4GHz	DCA channel set (20MHz)	Channel set used by an AP to transmit wireless signals at the 2.4 GHz frequency band. To reduce AP co-channel or adjacent-channel interference, the system selects a channel from the channel set based on the neighbor relationship between APs and allocates a channel to each AP based on Dynamic Channel Allocation (DCA). 1,6,11 1,5,9,13
	GI mode	Set the guard interval (GI) mode. This parameter is valid for APs running V200R009C00 or a later version. Default: The default value is used. short: short GI (400 ns) normal: normal GI (800 ns)
	TPC cap threshold calibration (dBm)	Transmit power range after radio calibration is completed, in dBm. The default value is 9 dBm to 127 dBm. If the lower threshold is too low, the power may be low and cannot meet radio coverage requirements after radio calibration is performed. If the upper threshold is too high, the power may be high and interferences occur between APs after radio calibration is performed.
	TPC floor threshold calibration (dBm)
	Access user count limit	Set the maximum number of STAs that can access the AP on the 2.4 GHz frequency band. The default value is 64. Access threshold policy: New users are not allowed to access the network. When the number of STAs connected to the RF reaches the threshold, new users are not allowed to access the network. New users are not allowed to access the network and the SSID is hidden. When the number of STAs connected to a radio reaches the threshold, new STAs are not allowed to access the network, and all SSIDs of the radio are automatically hidden. VIP users preferentially access the network. When the number of terminals connected to the RF reaches the threshold, VIP users preferentially access the network and replace common users. You need to authorize VIP users on the Admission > User Admission > Admission Policy > Authentication Rule page.
	Upper threshold of access users
	Access threshold policy
	Radio coverage threshold	Transmit Power Control (TPC) threshold, in dBm. The default value is -60 dBm. The threshold is adjusted based on the AP deployment height and distance to achieve optimal coverage after radio calibration is performed. A higher threshold indicates higher power adjusted by TPC.
	Multicast transmit rate	The configured multicast transmit rate must be in the basic rate set or supported rate set, and supported by the STA. Otherwise, the STA cannot receive multicast data.
	Base rate (Mbit/s)	2.4 GHz.
	Support rate (Mbit/s)	2.4 GHz.
	Kick off weak-signal terminals	Whether to kick off weak-signal terminals. After this function is enabled, APs kick off detected weak-signal terminals.
	Scene	After Kick off weak-signal terminals is enabled, APs check connected terminals based on Signal-to-noise Ratio Threshold and Detection Cycle. If Scene is set to Normal or High Density, values are predefined for Signal-to-noise Ratio Threshold and Detection Cycle on iMaster NCE-Campus. Therefore, you do not need to configure them again. You can select a scene as required. If Scene is set to User-defined, you need to manually specify Signal-to-noise Ratio Threshold and Detection Cycle. NOTE: The SNR threshold for AirEngine series devices is affected by the device version. In V200R019C00 and earlier versions, the value ranges from 5 to 25. In versions later than V200R019C00, the value ranges from 5 to 45.
	Signal-to-noise Ratio Threshold (dB)
	Detection Cycle (ms)
	Dual-band dynamic adjustment	Whether to enable dual-band dynamic adjustment. This function is disabled by default.
	Interference rate environment deterioration threshold	The environment deteriorates if the interference rate exceeds the threshold.
	Number of times that the threshold is exceeded	Number of times that the interference rate exceeds the threshold.
	Redundant 2.4G radio adjustment mode	Processing mode of the redundant radio. This parameter is valid only when Dynamic switch frequency is set to On. Auto Switch to 5G: The redundant 2.4G radio is automatically switched to the 5G radio. If no channel is available on the 5G radio or the current radio cannot switch to the 5G radio, switch to the monitor mode. Auto 2.4G Shutdown: The redundant 2.4G radio is automatically shut down.
	Ultimate power	If obstacles exist or signals are not covered, the signals with higher power are used to implement signal coverage. Auto Enable Disable
	Bandwidth reservation ratio for VIPs	Ratio of the bandwidth reserved for VIP users. This parameter is configured to guarantee the bandwidth for VIP users. The air interface bandwidth reservation algorithm for VIP users is implemented based on RU allocation in downlink and uplink OFDMA transmission mode. This algorithm evaluates the spectrum resources required by users in real time and reserves or allocates spectrum resources for VIP users to meet their service requirements. When the option Normal is selected, there are four bandwidth guarantee modes available: Disable, Default mode (20%), Enhanced mode (50%), and Extreme mode (100%). You can select a mode as needed. When the option User-defined is selected, you need to manually configure the bandwidth reservation ratio for VIP users. The default value is 20%.
5GHz	Calibration bandwidth	DCA channel bandwidth used by an AP to transmit wireless signals at the 5 GHz frequency band. A higher-bandwidth channel indicates a higher transmission rate.
	Channel set	Channel set used by an AP to transmit wireless signals at the 5 GHz frequency band. To achieve optimal calibration, use three or more than three optional channels. NOTE: When configuring the calibration bandwidth, ensure that enough calibration channels are available for use. When configuring optimization, you need to consider the matching relationship between the calibration bandwidth and the calibration channel.
	Basic rate (Mbit/s)	5 GHz base rates.
	Supported rate (Mbit/s)	5 GHz supported rates.
	GI mode	Set the guard interval (GI) mode. This parameter is valid for APs running V200R009C00 or a later version. Default: The default value is used. short: short GI (400 ns) normal: normal GI (800 ns)
	TPC cap threshold calibration (dBm)	Transmit power range after radio calibration is completed, in dBm. The default value is 12 dBm to 127 dBm. If the lower threshold is too low, the power may be low and cannot meet radio coverage requirements after radio calibration is performed. If the upper threshold is too high, the power may be high and interferences occur between APs after radio calibration is performed.
	TPC floor threshold calibration (dBm)
	Access user count limit	Set the maximum number of STAs that can access the AP on the 5 GHz frequency band. The default value is 64. Access threshold policy: New users are not allowed to access the network When the number of STAs connected to the RF reaches the threshold, new users are not allowed to access the network. New users are not allowed to access the network and the SSID is hidden When the number of STAs connected to a radio reaches the threshold, new STAs are not allowed to access the network, and all SSIDs of the radio are automatically hidden. VIP subscribers preferentially access the network When the number of terminals connected to the RF reaches the threshold, VIP users preferentially access the network and replace common users. You need to authorize VIP users on the Admission > User Admission > Admission Policy > Authentication Rule page.
	Upper threshold of access users
	Access threshold policy
	Radio coverage threshold	Transmit Power Control (TPC) threshold, in dBm. The default value is -60 dBm. The threshold is adjusted based on the AP deployment height and distance to achieve optimal coverage after radio calibration is performed. A higher threshold indicates higher power adjusted by TPC.
	A-MSDU	Enable the MAC Protocol Data Unit (MPDU) aggregation function.
	Maximum number of subframes	Maximum number of subframes that can be aggregated into an A-MSDU at one time.
	Multicast transmit rate	Configure the maximum length of an A-MPDU.
	Kick off weak-signal terminals	Whether to kick off weak-signal terminals. After this function is enabled, APs kick off detected weak-signal terminals.
	Scene	After Kick off weak-signal terminals is enabled, APs check connected terminals based on Signal-to-noise Ratio Threshold and Detection Cycle. If Scene is set to Normal or High Density, values are predefined for Signal-to-noise Ratio Threshold and Detection Cycle on iMaster NCE-Campus. Therefore, you do not need to configure them again. You can select a scene as required. If Scene is set to User-defined, you need to manually specify Signal-to-noise Ratio Threshold and Detection Cycle.
	Signal-to-noise Ratio Threshold (dB)
	Detection Cycle (ms)
	Interference rate environment deterioration threshold	The environment deteriorates if the interference rate exceeds the threshold.
	Number of times that the threshold is exceeded	Number of times that the interference rate exceeds the threshold.
	Ultimate power	If obstacles exist or signals are not covered, the signals with higher power are used to implement signal coverage. Auto Enable Disable
	Bandwidth reservation ratio for VIPs	Ratio of the bandwidth reserved for VIP users. This parameter is configured to guarantee the bandwidth for VIP users. The air interface bandwidth reservation algorithm for VIP users is implemented based on RU allocation in downlink and uplink OFDMA transmission mode. This algorithm evaluates the spectrum resources required by users in real time and reserves or allocates spectrum resources for VIP users to meet their service requirements. When the option Normal is selected, there are four bandwidth guarantee modes available: Disable, Default mode (20%), Enhanced mode (50%), and Extreme mode (100%). You can select a mode as needed. When the option User-defined is selected, you need to manually configure the bandwidth reservation ratio for VIP users. The default value is 20%.
General parameters	Beacon interval (TUs)	Interval at which an AP sends Beacon frames. The default value of 100 ms is recommended. An AP sends Beacon frames at intervals to notify STAs of an existing 802.11 network. After an STA receives a Beacon frame, it can modify parameters used to connect to the 802.11 network. A long interval for sending Beacon frames lengthens the dormancy time of STAs, while a short interval for sending Beacon frames increases air interface costs.
	RTS-CTS mode	Working mode of Request To Send/Clear To Send (RTS-CTS). RTS-CTS prevents data transmission failures caused by channel conflicts. The default value cts-to-self is recommended. cts-to-self: The sender notifies neighboring devices of stopping data sending before data transmission. This mode uses a small network cost to prevent data transmission conflicts. This mode applies to most application environments. rts-cts: The sender and receiver notify neighboring devices of stopping data sending before data transmission. This mode can better prevent conflicts, but the network cost is high. Excess advertisement frames may occupy the channel bandwidth. disable: Advertisement packets are not sent before data transmission. Data transmission may fail due to conflicts.
	Airtime fair scheduling	Airtime fair scheduling preferentially schedules users who occupy the channel for a short time. In this way, each user is assigned equal time to occupy the channel, ensuring fairness in channel usage. By default, this function is enabled.
	Packet-based power control	Packet-based power control technology detects the signal strength of STAs in real time to conserve energy. If an AP detects that the signal strength of a STA is strong (for example, the STA is close to the AP), the AP reduces its transmit power when sending packets. If an AP detects that the signal strength of a STA is weak (for example, the STA is far away from the AP), the AP uses the normal transmit power to send radio signals. By default, this function is enabled.
	Beamforming	Beamforming can enhance signals at an angle (for target users), attenuate signals at another angle (for non-target users or obstacles), and control the signal transmission direction and coverage area. By default, this function is disabled. NOTE: For details about beamforming requirements, see "beamforming enable" page in related AP product documentation.
	Load balance	In scenarios where APs are close to each other and there is a high degree of overlap between APs' coverage ranges, you can configure load balancing to evenly distribute user traffic to different APs and ensure wireless network experience of each STA. When a STA attempts to connect to a WLAN, the AP that receives the access request of the AP evaluates the current load based on the number of online STAs and its maximum capability. If the load is much higher than the average load of a neighboring AP in the same AP group, the AP rejects the access request.
	Smart roaming	Enables smart roaming. When STAs connected to an AP have weak signals, their network access rates are low. In this situation, if many low-rate STAs connect to the AP, air interface occupation time of other STAs is reduced. As a result, the AP throughput decreases, degrading user experience. To prevent this situation, configure forced logout of weak-signal STAs. When detecting that the SNR or access rate of a STA is lower than the specified threshold, the AP sends a Disassociation packet to the STA to force the STA offline so that the STA can reconnect to the WLAN. After enabling smart roaming and configuring the smart roaming threshold, APs forcibly disconnect STAs with SNR or access rate lower than the threshold.
	Scan duration (ms)	Duration during which an AP continuously scans the air interface. The AP continuously scans surrounding radio signals during the duration. After the scanning is complete, the AP sends collected information to iMaster NCE-Campus for radio calibration and spectrum analysis. A longer scanning time indicates more collected data and more accurate data analysis result. However, scanning for a long time consumes too many system resources, which may affect normal services. Therefore, you are advised to use the default value of 60 ms.
	Scan interval (ms)	Interval at which an AP scans the air interface. The default value of 10000 ms is recommended.
	Channel to scan	Channel set where an AP scans the air interface. The default value is Channel in region. Channel in region: scans all channels supported by the selected country code in region. Calibration Channel: scans all channels in the calibration channel set. Working Channel: scans only the current working channel.
	WMM	Whether to enable the Wi-Fi Multimedia (WMM) function. NOTE: Only APs running V200R008C10 or a later version support WMM function.
	Channel contention parameters	WMM classifies packets into four access categories (ACs): AC_VO (voice), AC_VI (video), AC_BE (best effort), and AC_BK (background). Each AC queue defines a set of EDCA parameters, which determine the capability of occupying channels. These parameters ensure that a higher-priority AC queue has a higher probability to preempt channels than a lower-priority AC queue. EDCA parameters are as follows: Arbitration interframe spacing number (AIFSN): determines the channel idle time. A larger AIFSN value indicates a longer channel idle time and a lower priority. Exponent form of CWmin (ECWmin): A larger value indicates a lower priority. The value of ECWmin must be smaller than that of ECWmax. Exponent form of CWmax (ECWmax): A larger value indicates a lower priority. Transmission opportunity limit (TXOPLimit): determines the maximum duration in which a STA can occupy a channel. A larger value indicates a longer duration. ACK policy: Normal ACK: The receiver must return an ACK frame each time it receives a unicast packet. No ACK: The receiver does not need to return ACK frames after receiving packets. This mode is applicable to environments with high communication quality and little interference.
	Dynamic BE optimization	Dynamic optimization of the Best Effort (BE) service. After this function is enabled, the AP dynamically reduces the air interface resources consumed by terminals based on the number of access users by using algorithm. This saves more resources for the BE service, improving user experience. In the BE service, packets arriving first are forwarded first. However, the BE service does not ensure the delay, jitter, packet loss rate, or reliability of transmission.
	BE optimization threshold (packets/second)	Threshold for BE optimization algorithm. You are advised to retain the default value.
	Multimedia dynamic optimization	After this function is enabled, the AP dynamically reduces the air interface resources consumed by terminals based on the number of access users by using algorithm. This saves more resources for audio and video applications, improving user experience.
	Audio optimization threshold (packets/second)	Optimization thresholds for audio and video applications. You are advised to retain the default value.
	Video optimization threshold (packets/second)
	Scene	This parameter is displayed when both Dynamic BE optimization and Multimedia dynamic optimization are disabled. Set the WMM parameter based on the network requirements to enable high-priority data packets to occupy wireless channels, namely, adjusting the forwarding priority of video and voice service traffic. To make the WMM function take effect, you need to enable the WMM function switch among the radio parameters. The options of this parameter are as follows: Default: No priority is assigned. Voice: Priority is assigned to voice service traffic. Voice and Video: Priority is assigned to voice and video service traffic.

Table 5-66 AP > Advance > DHCP

Parameter	Description
DHCP enable	Enable DHCP and set DHCP parameters. This parameter is enabled by default.
IP	Default gateway and subnet mask of the DHCP client. The gateway IP address and subnet mask determine the IP address range (DHCP address pool) that DHCP clients may obtain.
Mask
Log records	This switch is turned off by default. When this switch is turned on, it takes effect when the system connects to the CampusInsight. This function is used to record DHCP Server configuration success or failure logs and report the logs to the CampusInsight for data analysis and display.
Third-party URL Filtering	URL filtering by third-party software. After this function is enabled, third-party software can be used to implement URL filtering.
Lease	Lease of an IP address that a DHCP client automatically obtains. After the IP address lease expires, an IP address is assigned again.
Master WINS	Primary and secondary WINS server addresses assigned to a DHCP client.
Slave WINS
Static address binding	Binding between IP addresses and MAC addresses. A fixed IP address is assigned to a DHCP client with a specified MAC address.
VLAN ID	Configuring a VLAN ID. A LAN-side VLAN cannot be a service VLAN in use, and NAT and IPsec users will go offline if this VLAN is modified. The LAN VLAN cannot be the same as the management VLAN. Otherwise, the configuration delivery may fail.

Table 5-67 DNS under Firewall > Network > WAN

Parameter	Description
DNS Configuration	Whether to enable or disable the DNS function on the firewall: DNS relay: The value ON indicates that the DNS relay is enabled. DNS proxy: The value ON indicates that the DNS proxy is enabled. Dynamic DNS: If the value is set to ON, the DNS server address is obtained from the uplink interface. If both the DNS relay and DNS proxy are enabled, the DNS proxy takes effect.
DNS server configurations	DNS server for the firewall. You can add a maximum of six DNS servers in descending order of priorities. Multiple IP addresses need to be separated by line breaks. Duplicate IP addresses are invalid and automatically filtered out before being committed.
DNS Local Domain Configuration	DNS local domain. Click Create to add the mapping between domain names and IP addresses in the local domain name cache table, and click OK to save the configuration.

Parameter

Description

DNS Configuration

Whether to enable or disable the DNS function on the firewall:

DNS relay: The value ON indicates that the DNS relay is enabled.
DNS proxy: The value ON indicates that the DNS proxy is enabled.
Dynamic DNS: If the value is set to ON, the DNS server address is obtained from the uplink interface.
If both the DNS relay and DNS proxy are enabled, the DNS proxy takes effect.

DNS server configurations

DNS server for the firewall.

You can add a maximum of six DNS servers in descending order of priorities.

Multiple IP addresses need to be separated by line breaks. Duplicate IP addresses are invalid and automatically filtered out before being committed.

DNS Local Domain Configuration

DNS local domain. Click Create to add the mapping between domain names and IP addresses in the local domain name cache table, and click OK to save the configuration.

Table 5-68 Firewall > Network > LAN

Parameter	Description
Subnet name	Subnet Name.
VLAN ID	VLAN ID. The value is the same as the VLAN ID of the firewall that is directly connected to intranet devices.
IP address	IP address of the VLANIF interface, which is used as the default gateway address of DHCP clients.
Mask	Subnet mask of an IP address that a DHCP client automatically obtains. The gateway IP address and subnet mask determine the IP address range (DHCP address pool) that DHCP clients may obtain.
Ping	Whether to enable the Ping function.
DHCP	Whether to enable the DHCP function.
DHCP mode	DHCP working mode of the firewall: Server: The firewall functions as the DHCP server to dynamically assign IP addresses to intranet users. Relay: The firewall functions as a DHCP relay agent.
DNS service	DNS server address specified for DHCP clients: System DNS Setting: The DNS server address is obtained from the uplink interface. Customized: The DNS server address is configured independently. This parameter is available only when the value of DHCP mode is Server.
Primary DNS / Secondary DNS	IP address of the DNS server. This parameter needs to be set when DNS Service is set to Customized.
AP mode	Mode of an AP in the subnet. The options are Cloud AP and Fit AP. NOTE: When configuring Branch connection, you need to set parameters such as AP mode and Automatically negotiates the controller address only when you select Multi-branch interconnection. The AP mode of the current subnet can be specified only when the AP is managed by iMaster NCE-Campus for the first time. If the AP device is not configured with the initial configuration or has been executed, the AP mode cannot be changed.
Automatically negotiates the controller address	When the function is enabled, the DHCP server of the current subnet automatically generates Option 148. Devices (switches or cloud-based APs) in the subnet can obtain the iMaster NCE-Campus address through Option 148 to register with iMaster NCE-Campus.
Controller address type	Type of the iMaster NCE-Campus address. The value can be an IP address or a domain name. If the iMaster NCE-Campus address is set to a domain name, ensure that the DNS function is configured on the live network to resolve the iMaster NCE-Campus domain name. Otherwise, devices fail to register with iMaster NCE-Campus.
DHCP option	DHCP option that is delivered to a DHCP client with an IP address. When cloud platform address(148) is selected, the value of the text type should be set to agilemode=xxx;agilemanage-mode=xxx;agilemanage-domain=xxxx.xxx;agilemanage-port=xxx. For example, agilemode=agile-cloud;agilemanage-mode=domain;agilemanage-domain=device-naas.huawei.com;agilemanage-port=10020. When requesting IP addresses through DHCP, Intranet cloud devices can obtain the address and port of the iMaster NCE-Campus server through this option. agilemode: The value is agile-cloud (default mode), tradition (mode can be switched by an external DHCP server through Option 148) or tradition-fit (indicates a special Fit mode of APs. This parameter is used to switch the AP Fit mode in WAC scenarios). agilemanage-mode: The value is ip or domain, which mean the value of agilemanage-domain is an IP address or domain. agilemanage-domain: IP or Domain of iMaster NCE-Campus. agile-port: Number type which means the port of iMaster NCE-Campus.
Lease period	Lease of an IP address that a DHCP server dynamically allocates to a DHCP client. This parameter is available only when the value of DHCP mode is Server. After the lease is reached, the DHCP server reclaims the IP address. The reclaimed IP address can still be assigned to another DHCP client.
Primary WINS	WINS server address allocated to DHCP clients.
Secondary WINS	WINS server address allocated to DHCP clients.
Reserved IP	Reserved IP address range. The firewall does not allocate IP addresses in the IP address range to intranet devices. This parameter is available only when the value of DHCP mode is Server.
Static address binding	Fixed IP address allocated to a specified terminal. This parameter is available only when the value of DHCP mode is Server.
DHCP server IP address	DHCP server IP address. This parameter is available only when the value of DHCP mode is Relay. When the firewall functions as the DHCP relay agent, the third-party DHCP server must be specified.

Table 5-69 Firewall > SSID > Basic Settings

Parameter	Description
Name	SSID when a STA connects to a wireless network.
Working status	Working status of the SSID. The default value is ON. If the value is set to OFF, the SSID is unavailable.
Effective radio	2.4 GHz/5 GHz radio is used by default. The default value is recommended.
VLAN ID	Service VLAN for STA access. Ensure that the network with the same VLAN ID as that for the SSID has been created.
SSID hiding	By default, this function is disabled. After this function is enabled, the SSID is invisible.
Maximum user count	Maximum number of STAs connected through the SSID.

Table 5-70 Firewall > SSID > Security Authentication

Parameter	Description
Authentication mode	SSID authentication mode.
Encryption mode	PSK encryption mode. This parameter is valid only when Authentication mode is set to PSK. The options are as follows: WEP WPA WPA2 WPA and WPA2
Key	PSK key. This parameter is valid only when Authentication mode is set to PSK.

Parameter

Description

Authentication mode

SSID authentication mode.

Encryption mode

PSK encryption mode. This parameter is valid only when Authentication mode is set to PSK. The options are as follows:

WEP
WPA
WPA2
WPA and WPA2

Key

PSK key. This parameter is valid only when Authentication mode is set to PSK.

Table 5-71 Access Policy

Parameter	Description
Control conditions	The authenticated STA matches a policy when matching all control conditions. Source address: indicates the source address of traffic. Destination address: indicates the destination IP address of traffic. Service: list of permitted or denied service configurations. Click Create and enter the valid protocol, source port number, and destination port number, and click . Application: type of the permitted or denied application, including some specific programs. Click Create and select multiple application types. Time: indicates the time range where the access policy takes effect. Security group: indicates the security group where the policy takes effect. NOTE: Firewall models supported by the current applications are as follows: V500R001C30 USG6320, USG6507, USG6530, USG6550, USG6570, USG6510, USG6510-WL, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6390E, USG6305, USG6305-W, USG6310S, USG6310S-W, USG6310S-WL, USG6310S-WL-OVS, USG6306, USG6308, and USG6310 V500R001C60, V500R001C80, and V500R005C00 USG6320, USG6507, USG6530, USG6550, USG6570, USG6510, USG6510-WL, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6390E, USG6305, USG6305-W, USG6310S, USG6310S-W, USG6310S-WL, USG6310S-WL-OVS, USG6306, USG6308, USG6310, USG6620, USG6630, USG6650, USG6660, USG6670, and USG6680 V500R002C20, V500R002C30, and V500R005C00 Eudemon200E-N1D, Eudemon200E-N1, Eudemon200E-N2, Eudemon200E-N3, Eudemon200E-N5, Eudemon1000E-N3, Eudemon1000E-N5, Eudemon1000E-N6, Eudemon1000E-N7, and Eudemon1000E-N7E
Traffic Policy	Parameters for configuring a traffic policy. The parameters are as follows: Terminal traffic rate limiting dimensions: The options are Base on IP and Base on User. Station rate limiting speed: rate-limits the upstream and downstream traffic of STAs. Overall traffic rate limit: rate-limits the overall upstream and downstream traffic. DSCP: sets a DSCP policy. Traffic forwarding priority: sets the forwarding priority of traffic.

Parameter

Description

Control conditions

The authenticated STA matches a policy when matching all control conditions.

Source address: indicates the source address of traffic.
Destination address: indicates the destination IP address of traffic.
Service: list of permitted or denied service configurations. Click Create and enter the valid protocol, source port number, and destination port number, and click .
Application: type of the permitted or denied application, including some specific programs. Click Create and select multiple application types.
Time: indicates the time range where the access policy takes effect.
Security group: indicates the security group where the policy takes effect.

NOTE:

Firewall models supported by the current applications are as follows:

V500R001C30
USG6320, USG6507, USG6530, USG6550, USG6570, USG6510, USG6510-WL, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6390E, USG6305, USG6305-W, USG6310S, USG6310S-W, USG6310S-WL, USG6310S-WL-OVS, USG6306, USG6308, and USG6310

V500R001C60, V500R001C80, and V500R005C00
USG6320, USG6507, USG6530, USG6550, USG6570, USG6510, USG6510-WL, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6390E, USG6305, USG6305-W, USG6310S, USG6310S-W, USG6310S-WL, USG6310S-WL-OVS, USG6306, USG6308, USG6310, USG6620, USG6630, USG6650, USG6660, USG6670, and USG6680

V500R002C20, V500R002C30, and V500R005C00
Eudemon200E-N1D, Eudemon200E-N1, Eudemon200E-N2, Eudemon200E-N3, Eudemon200E-N5, Eudemon1000E-N3, Eudemon1000E-N5, Eudemon1000E-N6, Eudemon1000E-N7, and Eudemon1000E-N7E

Traffic Policy

Parameters for configuring a traffic policy. The parameters are as follows:

Terminal traffic rate limiting dimensions: The options are Base on IP and Base on User.
Station rate limiting speed: rate-limits the upstream and downstream traffic of STAs.
Overall traffic rate limit: rate-limits the overall upstream and downstream traffic.
DSCP: sets a DSCP policy.
Traffic forwarding priority: sets the forwarding priority of traffic.

Table 5-72 Parameters for creating security policies

Parameter	Description
Policy Information
Action	The action of a security policy can be: Permit: The device permits the traffic matching a security policy. Deny: The device denies the traffic matching a security policy.
Policy group	A group of one or more security policies.
Policy Matching Condition
User	A user indicates from whom traffic is originated. The policy matching condition can be user, user group, or security group, but now only security group is supported. Users and user groups reflect the vertical organizational structure. Users and security groups reflect the horizontal organization structure. You can configure users and user groups based on company departments or add users from different departments to one security group for management.
Source addresses/Region	The source address or source region group of traffic. If the attribute of a packet matches one of the previous values, the packet meets this condition.
Destination addresses/Region	The destination address or destination region group of traffic. If the attribute of a packet matches one of the previous values, the packet meets this condition.
Services	Protocol type of the traffic. You can also define services or protocol types by specifying information, such as port numbers. Three types of services are defined. For TCP, UDP, or SCTP packets, protocol types are identified through a series of ports or port ranges. For ICMP or ICMPv6 packets, packet types are identified through ICMP/ICMPv6 type names or through the combination of ICMP/ICMPv6 type number and code fields. For IP packets, you must specify the protocol number in the IP header.
Application	Application of the traffic. A service may be used by multiple applications.
Schedule	The time range during which a security policy is applied.
Security Profile
URL Filter	Specifies the required security profile.
Antivirus
IPS
Other Configuration
Record log	If Enable session log is selected, the sessions that match the policies will be logged. If Enable policy matching log is selected, the traffic matching security policies is logged.
Session aging time	On actual networks, some special services do not have packets exchanged in a long period. In this case, firewalls clear idle connections to ensure performance. However, some connections, such as database connections, must be maintained even when they are idle to avoid service interruption. Therefore, the firewalls support policy-based aging time to keep some connections alive.
User-defined persistent connection	The persistent connection function takes effect only on TCP application packets that match policies. This function supports longer session keepalive time than Session aging time. You can select the Enable check box next to User-defined persistent connection to configure a user-defined persistent connection and the keepalive time.

(Optional) Configuring a WAN-side Site Template

You can configure the following features only when the tunnel mode is set to EVPN on the Design > Basic Network Design > Network Settings > Tunnel Mode page.

Context

When creating multiple sites, generally, you need to configure the same gateway type, the same number of WAN links, and the same transport network for them. To improve efficiency, you can customize a link template to cover the repeated information and apply the link template to sites during site configuration. Sites can be classified based on link templates. When configuring a policy or a policy template, you can quickly find a site by specifying a link template. Once a link template is applied to a site, only the template name and description can be modified. You need to properly plan the data specified in a link template.

Table 5-73 describes the default link templates provided by iMaster NCE-Campus. If the default templates can meet your requirements, you do not need to customize a template by yourself. Otherwise, you can create a link template as desired.

The default template cannot be modified or deleted. You can only copy the template.

Table 5-73 Default link templates provided by iMaster NCE-Campus

Template Name	Template Description	WAN Link (Device, Port, Transport Network)	Inter-CPE Link (Device, Port)
Single_gateway_mixed_links	Single gateway with an Internet link and an MPLS link	Internet (Device1, GE0/0/0, Internet) MPLS (Device1, GE0/0/1, MPLS)	-
Single_gateway_mpls_link	Single gateway with an MPLS link	MPLS (Device1, GE0/0/0, MPLS)	-
Single_gateway_internet_link	Single gateway with an Internet link	Internet (Device1, GE0/0/0, Internet)	-
Single_gateway_dual_internet_links	Single gateway with dual Internet links	Internet1 (Device1, GE0/0/0, Internet) Internet2 (Device1, GE0/0/1, Internet)	-
Dual_gateways_mixed_links	Dual gateways with an MPLS link and an Internet link respectively	Internet (Device1, GE0/0/0, Internet) MPLS (Device2, GE0/0/0, MPLS)	Device1: GE0/0/1, Device2: GE0/0/1

If you configure the same transport network for physical links, communicate with each other through the links. It is because that, after the same transport network is configured, iMaster NCE-Campus generates logical links for physical links of the same type between devices at parent and child sites, implementing site interconnection.

Prerequisites

Global parameters of sites have been configured. For details, see Setting Global Parameters.

Procedure

Choose Design > Basic Network Design > Template Management from the main menu.
Click WAN Link Template.
Click Create to create a site template.
Set Template name to the name of the site template to be created.
Set Gateway to the desired gateway type.
Specifies whether to enable the function of Multiple sub-interfaces.
In the WAN Link area, click Create to create a link between a gateway and the WAN.
The parameters that need to be set for the link between the gateway and WAN include the link name, device, port, transport network of the WAN link, and link role.

At most ten links can be created for a single gateway, and at most twenty links can be created for dual gateways.
If Gateway is set to Dual Gateways, configure an interlink between dual gateways. Otherwise, skip this step.
1. If the LAN-side Layer 2 ports need to be reused for establishing an interlink between the dual gateways, set Use LAN-side L2 interface to .
  STP is enabled on CPEs by default. If an interlink between dual gateways uses two Layer 2 ports, the two ports are added to the same VLAN. If a loop occurs, STP sets one port to the Block state. In this case, if a user uses this blocked port on the LAN side, the user traffic may be interrupted. Therefore, the ports used by the interlink between dual gateways must be different from those transmitting user service traffic on the LAN side.
  If an interlink between dual gateways uses Layer 3 ports, you do not need to enable Use LAN-side L2 interface.
2. Set a VLAN ID. This parameter specifies the VLAN to which Layer 2 ports at both ends of an interlink need to be added.
3. Click Create, configure an interlink between dual gateways, and configure the ports at both ends of the interlink.
  At most two interlinks can be created between dual gateways.
Click OK.

Follow-up Procedure

Table 5-74 Follow-up procedure of WAN link template configuration

Function	Operation Scenario and Constraint	Procedure
Modifying a WAN link template	The template name, gateway type, WAN link information need to be modified. If a WAN link template is applied to a site, only the template name and description can be modified. The default templates provided by iMaster NCE-Campus cannot be modified.	Click in the Operation column of the WAN link template list to modify the target template.
Deleting a WAN link template	WAN link templates that are not applied to sites can be directly deleted whereas WAN link templates that are applied to sites can be deleted only after the templates are disassociated from the sites. The default templates provided by iMaster NCE-Campus cannot be deleted.	Click in the Operation column of the WAN link template list to delete the target template.
Cloning a WAN link template	You can quickly create a WAN link template by cloning an existing template. This improves configuration efficiency. If you perform the following operations after cloning a template, the cloned template may fail to be applied to sites associated with the source template: Modify the gateway type. Modify or delete WAN links. Modify inter-CPE links.	Click in the Operation column of the WAN link template list to clone the target template.

Function

Operation Scenario and Constraint

Procedure

Modifying a WAN link template

The template name, gateway type, WAN link information need to be modified. If a WAN link template is applied to a site, only the template name and description can be modified.

The default templates provided by iMaster NCE-Campus cannot be modified.

Click in the Operation column of the WAN link template list to modify the target template.

Deleting a WAN link template

WAN link templates that are not applied to sites can be directly deleted whereas WAN link templates that are applied to sites can be deleted only after the templates are disassociated from the sites.

The default templates provided by iMaster NCE-Campus cannot be deleted.

Click in the Operation column of the WAN link template list to delete the target template.

Cloning a WAN link template

You can quickly create a WAN link template by cloning an existing template. This improves configuration efficiency.

If you perform the following operations after cloning a template, the cloned template may fail to be applied to sites associated with the source template:

Modify the gateway type.
Modify or delete WAN links.
Modify inter-CPE links.

Click in the Operation column of the WAN link template list to clone the target template.

Parameter Description

Table 5-75 Parameters on the Template > WAN Link Template tab page

Parameter		Description
Template name		Name of a site template.
Gateway		Type of the gateway at a site. Single Gateway Dual Gateways
Multiple sub-interfaces		Whether to enable the multiple sub-interfaces function. After this function is enabled, a maximum of 10 sub-interfaces can be created on a single gateway, and a maximum of 20 sub-interfaces can be created on two gateways.
WAN Link	Name	Name of a WAN link.
	Device	Name of the gateway at a site.
	Interface	Type and number of a physical interface used by a WAN-side link. Type of a physical interface includes: GE FE XGE LTE xDSL (ATM) xDSL (PTM) E1-IMA (ATM) Ima-group Serial
	Sub Interface	Whether to enable the sub-interface of the device.
	Overlay Tunnel	Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created on the WAN link.
	Sub Interface Index	Index of the sub-interface. This parameter is available only after Sub Interface is enabled.
	Transport Network	Type of the transport network to which a WAN-side physical link belongs. Transport networks of the same type must have the same link quality attributes. It identifies a type of networks provided by the same ISP. The network connected by each physical link on the WAN side of a site maps a transport network. Transport network. If the transport network type does not meet the requirements, create a transport network on the Global Parameters page.
	Role	Active or standby link. With the active and standby links are configured, data travels only along the active link by default. If the active link fails, data moves to the standby link. In the dual-gateway scenario, the role of all WAN links is active by default, and the active role needs to be configured for at least one WAN link.
	Advanced parameters	Click Configuration to configure iMaster NCE Southbound interface service. The default options of iMaster NCE Southbound interface service are Southbound load balancing floating IP and Southbound service IP address configured during installation planning. If the system administrator has enabled customized other southbound access services, you can select other access services in the site template. For the same device, the values of iMaster NCE Southbound interface service must be the same. NOTICE: In the NAT scenario, the file server IP address in the installation plan must be the same as the southbound service IP address. If the value of iMaster NCE Southbound interface service is set to be different from that of the file server, the system sends the IP address of iMaster NCE-Campus to the device based on the value of iMaster NCE Southbound interface service.
Inter-CPE Link	Use LAN-side L2 interface	Whether to reuse Layer 2 physical interfaces on the LAN side as the physical interfaces of internal links between two gateways. This parameter is available only when Gateway is set to Dual Gateways. If no direct link is configured between two gateways, links on the LAN side need to be reused. iMaster NCE-Campus creates a logical link for each VPN. If direct links are configured between two gateways, links on the LAN side do not need to be reused.
	VLAN ID	VLAN ID for internal links between two gateways. This parameter is available only when Use LAN-side L2 interface is enabled. In a dual-gateway scenario, iMaster NCE-Campus creates a separate sub-interface for each VPN on the interfaces of internal links between the two gateways to isolate the VPNs. The number of VLANs must be the same as that of VPNs. The value ranges from 1 to 4094.
	Device1 Interface	Physical interface used by internal links between two gateways. If two interfaces on a gateway are used to connect to the peer gateway, the two interfaces must be of the same type. The interface on a gateway and that on the peer gateway, which are used for connecting the two gateways, must be of the same type. The interface type varies according to whether a direct link exists between two gateways: If a direct link exists between two gateways (that is, Use LAN-side L2 interface is disabled), Layer 3 interfaces must be used. After two links are created, iMaster NCE-Campus automatically binds the two links into an Eth-Trunk to ensure link reliability. If no direct link exists between two gateways (that is, Use LAN-side L2 interface is enabled), Layer 2 interfaces must be used.
	Device2 Interface

Configuring the Network Access Mode for a Site

Before email-based deployment, you have to configure WAN-side links at sites. After sites are configured or activated, you can add or delete WAN links as needed.

You can configure the following features only when the tunnel mode is set to EVPN on the Design > Basic Network Design > Network Settings > Tunnel Mode page.

Context

Table 5-76 lists possible status of a site after the site is created based on a template.

Table 5-76 Site status

Site Status	Description
Configuration status : Unconfigured : Configured	Whether WAN-side links of the site have been configured.
Activation status : Inactivated : Activated	Whether a deployment email has been sent to the site gateway or whether the ZTP file of the site gateway has been downloaded.

Site Status

Description

Configuration status

: Unconfigured
: Configured

Whether WAN-side links of the site have been configured.

Activation status

: Inactivated
: Activated

Whether a deployment email has been sent to the site gateway or whether the ZTP file of the site gateway has been downloaded.

Prerequisites

A site has been created successfully. For details, see Creating a Site.
Global parameters of the site have been configured. For details, see Setting Global Parameters.

Procedure

Choose Provision > Physical Network > ZTP from the main menu.
Click the ZTP tab. The WAN-side link configuration page is displayed.
Select a site for which you need to configure the network access mode.
1. Select Unconfigured from the drop-down list next to Site List.
2. Click the site for which the network access mode needs to be configured.
Configure the WAN-side links for the site.
1. Click the WAN Link tab.
2. Select a template in the WAN link template area.
  You can select a WAN link template in either of the following two ways:
  - Select a template from the drop list on the right.
  - Click . Select a template on the displayed Select WAN Link Template page.
3. If Gateway is set to Dual Gateways in the template, set Device1 and Device2.
4. Select the ZTP mode.
  - URL/U Disk: This mode is selected during url-based or email-based deployment.
  - DHCP: This mode is selected during DHCP-based deployment.
5. Select the link to be configured, and click in the Operation column.
6. On the Set WAN Link tab page, set parameters about the WAN-side link according to the interface type.
7. Click OK.
8. Click Apply.
  After WAN links are configured, the icon on the right of the site is displayed as .

Follow-up Procedure

Table 5-77 Follow-up procedure of WAN link configuration after the site is activated

Function

Operation Scenario and Constraint

Procedure

Add a WAN link

After a site is activated, you can add or delete WAN links by applying another link template to the site.

Before applying another link template, ensure that a new WAN link template has been created.

NOTE:

When you apply another link template to a site, only a WAN link template of the same gateway type can be applied. For a dual-gateway link template, active/standby switchover and interlink configuration modification are not supported.
If a WAN link is used by a service (such as underlay route, NTP, underlay ACL, Internet access, or mutual access between sites), the WAN link cannot be deleted.
If a WAN link is manually configured for an NTP client, verification is required during the configuration, and the WAN link cannot be deleted. Otherwise, you can delete the WAN link. In this case, you need to clear the time synchronization configuration automatically generated on the NTP client corresponding to the WAN link to be deleted.

Choose Provision > Physical Network > ZTP from the main menu.
Click the ZTP tab. The WAN link configuration page is displayed.
Select the site where the WAN link is to be added or deleted, and click the WAN Link tab.
In the WAN link template, select the link template to be applied, and configure WAN links.
Click OK.
Click Apply. The system displays a message indicating that modifying a site template may cause AR routers to be unreachable.
Enter yes to apply another link template to the site.

Delete a WAN Link

Parameter Description

Table 5-78 Parameters on the WAN Link tab page

Parameter	Description
Link name	Name of a WAN link. If a WAN link is created using the default site template, the link name is Internet or MPLS. If a WAN link is created using a customized site template, the link name is specified when the template is created. The parameter value cannot be changed.
Transport Network	Type of the transport network to which a WAN-side physical link belongs. The parameter value cannot be changed, and the value of this parameter is the same as that of Transport Network in Customizing a Template of WAN Link.
Device	Device to which a WAN-side physical link belongs. The parameter value cannot be changed.
Interface	Type and number of a physical interface used by the current link. The parameter value cannot be changed. NOTICE: Ensure that the interface is a Layer 3 interface. If the interface is not a Layer 3 interface, log in to the device and switch the interface to a Layer 3 interface. Otherwise, the configuration fails to be delivered.
Port Description	Description of a port.
iMaster NCE Southbound interface service	IP address of the southbound access service. This parameter is configurable only when iMaster NCE Southbound interface service is set in the site template. The default southbound access service applies for WAN links in the pre-defined site template. This parameter cannot be changed after deployment.
VN instance	VN instance name.
APN	Multi-APN function of an LTE cellular interface used to implement data and VoIP communication. This parameter is available only when Interface is set to LTE.
PVC	PVC with a specified virtual path identifier (VPI) or VCI. This parameter is available only when Interface is set to xDSL (ATM)/E1-IMA (ATM)/Ima-group.
VLAN ID	VLAN ID of a sub-interface. This parameter is available only when Sub Interface is enabled in Site Template.
Interface protocol	Interface protocol type of the physical link between a CPE and the WAN. This parameter is available only when Interface is set to GE, FE, XGE, xDSL (PTM), xDSL (ATM), E1-IMA (ATM), Ima-group, or Serial. GE, FE, XGE, and xDSL (PTM) interfaces support the following protocols: IPoE PPPoE xDSL (ATM), E1-IMA (ATM), and Ima-group interfaces support the following protocols: IPoA IPoEoA PPPoA PPPoEoA Serial interfaces support the following protocols: PPP HDLC FR
IP address access mode	IP address assignment mode of the interface connecting a CPE to the WAN. This parameter is available only when Interface protocol is set to IPoE or IPoEoA. The options are as follows: Static: static IP address configuration. DHCP: dynamic IP address assignment mode using DHCP.
IP address	IP address statically assigned to the interface connecting a CPE to the WAN and corresponding subnet mask. In the NAT scenario, the IP address must be set to the private IP address (corresponding to Public IP) of the CPE for the RR or Edge site. These parameters are available only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.
Subnet mask
Default gateway	IP address of the interface used by a PE on the WAN side to communicate with a site. This parameter is available only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.
Mapping peer IP	Peer IP address that is mapped to the PVC. An IP address cannot be mapped to different ATM interfaces on the device; otherwise, forwarding is interrupted. This parameter is available only when Interface is set to xDSL (ATM)/E1-IMA (ATM)/Ima-group and Interface protocol is set to IPoA.
User name	User name and password allocated by the carrier to connect to the WAN. These parameters are available only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.
Password
Negotiation mode	Negotiation mode. This parameter is available only when Interface is set to GE, FE, or XGE. Interfaces at both ends of a link must use the same negotiation mode. If an interface frequently alternates between Up and Down with auto-negotiation enabled, disable auto-negotiation and set the same rate and duplex mode on both interfaces.
Working mode	Interface working mode. Only combo interfaces support both optical and electrical interface modes. You can select either of the two modes based on networking requirements. For the other types of interfaces, select a proper working mode supported by the interfaces. NOTE: If an interface cannot work as an optical interface but Working mode is set to Fiber, the configuration fails to take effect after being delivered to the CPE.
Duplex mode	Duplex mode. Interfaces at both ends of a link must use the same duplex mode. An optical interface works in full duplex mode by default. You can select the full-duplex or half-duplex mode for an electrical interface according to the actual specifications.
Speed	Interface rate. Interfaces at both ends of a link must use the same rate. This parameter is available only when Negotiation mode is set to non-autonegotiation.
Optical Module Type	Type of an optical module. Set this parameter based on the transmission rate requirements. GE and 10GE types are available. A GE optical module transmits traffic at a rate of 1000 Mbit/s, and a 10GE optical module transmits traffic at a rate of 10,000 Mbit/s. If 10GE is selected, the negotiation mode cannot be configured. Ensure that the optical module types at both ends of the link are the same. This parameter is available only when Interface is set to XGE.
Public IP	IP address used by a CPE to connect to the WAN. In the EVPN tunnel mode, only RRs need to be configured. The public IP address can be accessed by external systems. An edge site can register with an RR site through this address. In the enterprise network scenario, an enterprise administrator selects one public IP address from the network segment assigned by the carrier. In NAT scenarios, Public IP must be set.
NAT traversal	Whether NAT traversal is enabled. After this parameter is enabled, external network users can access the internal server and internal network users can access the external network in the NAT scenario.
Access type	Type of the sub-interface. P2P: Point to point P2MP: Point-to-multipoint This parameter is available only when Interface is set to Serial, Sub Interface is enabled and Interface protocol is set to FR when you configure the site template.
Authentication mode	Authentication mode. The options are CHAP and PAP. This parameter needs to be set only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.
Uplink bandwidth	Maximum uplink and downlink transmission rates, which need to be configured based on the actual link bandwidths.
Downlink bandwidth
URL-based Deployment	Whether to enable URL-based deployment for the current link. If this function is enabled, the configured parameters on interfaces need to be loaded to devices through URL-based deployment. If this function is not enabled, the configured parameters on interfaces are delivered to devices through NETCONF. NOTE: This configuration item can be enabled only when the ZTP mode is set to URL/U Disk. URL-based deployment can be configured on a maximum of three links for each device. If a site in URL-based deployment mode is selected, at least one link must be selected for URL-based deployment on a single gateway.
Link ID	The ID of a WAN link.

Configuring Time Synchronization for a Site

Context

When an AR reports performance data, the timestamp is carried. If the system time of the AR is inconsistent with that of iMaster NCE-Campus, the actual time when performance data is reported is inconsistent with that displayed on iMaster NCE-Campus. As a result, the site traffic and quality data cannot be displayed. Therefore, you need to configure NTP on iMaster NCE-Campus so that the system time of devices at sites is consistent with that of iMaster NCE-Campus

In EVPN tunnel mode, an edge site synchronizes its clock with that of an RR site, and an RR site synchronizes its clock with the external clock source. An RR site can function as an NTP client or an NTP server.

Procedure

Choose Provision > Physical Network > ZTP from the main menu.
Click the ZTP tab.
Select a site for which you need to configure time synchronization.
Click the NTP tab.
Select a time zone from the Time zone drop-down list.
Set whether to enable the DST of the time zone.
When a site functions as an NTP client, set parameters of the NTP client, including NTP client mode.
Click Apply.

Parameter Description

Table 5-79 Parameters on the NTP tab page

Parameter			Description
Time zone			Time zone of devices at a site.
DST			Daylight saving time (DST). This parameter specifies whether to set DST.
Configurations of a site when it functions as an NTP client	NTP client mode		Mode in which a site functions as an NTP client: Manual configuration: A site functions as an NTP client and the NTP server needs to be manually specified. In the EVPN tunnel mode, you are advised to configure an RR as an NTP client and synchronize the clock with the NTP server on the public network. Automatic synchronization with parent node: A site functions as an NTP client and its parent site functions as the NTP server. This mode is the default setting. In the EVPN tunnel mode, edge sites are enabled with this mode by default. Disabled: A site does not function as an NTP client and does not perform clock synchronization.
	NTP client (These parameters are available only when NTP client mode is set to Manual Configuration.)	Device	CPE that functions as an NTP client.
		WAN Link	WAN-side link connecting a site to the NTP server.
		NTP Server Type	Type of the NTP server. The value can be IPv4.
		NTP Server IP Address	IP address of the NTP server.
		Authentication	Whether to enable the authentication function. If NTP identity authentication is enabled on the NTP server, the authentication function must also be enabled on the NTP client. Otherwise, clock synchronization cannot be performed.
		Authentication Mode	Authentication mode, which can be MD5 or HMAC-SHA256. The authentication mode selected must be the same as that enabled on the NTP server. The MD5 authentication mode may pose potential security risks. As such, the HMAC-SHA256 authentication mode is recommended.
		Authentication Password	Password used for NTP identity authentication.
		Authentication Key ID	Key ID used for NTP identity authentication.

Associating an Edge Site with an RR Site

You can configure the following features only when the tunnel mode is set to EVPN on the Design > Basic Network Design > Network Settings > Tunnel Mode page.

Context

In EVPN tunnel mode, an edge site needs to be associated with an RR site.

Tenant administrators need to associate an edge site with an RR site on iMaster NCE-Campus. After the configuration is complete, CPEs go online and automatically register with the target RRs under the orchestration of iMaster NCE-Campus. A public IP address needs to be assigned to each RR so that CPEs can communicate with target RRs. After the CPEs are registered, they establish IBGP peer relationships with a pair of target RRs, and the RRs reflect routes between the CPEs so that the CPEs can learn the routes from each other.

All RRs in an RR group are interconnected in full-mesh topology model by default. It is recommended that RR sites be deployed in different geographical areas.

When associating an edge site with an RR site, adhere to the following rules:

An edge site can be associated with a maximum of two RR sites. If two RR sites are associated with an edge site, it is recommended that one RR site be deployed in the same physical area with the edge site to minimize delay, and the other RR site be deployed in another physical area to ensure service reliability through geographic redundancy.
One RR site can manage multiple edge sites, and the number of edge sites associated with each RR site should be balanced.

Prerequisites

An edge site and an RR site have been created and activated successfully. For details, see Creating a Site and Configuring the Network Access Mode for a Site.

Procedure

Choose Provision > Physical Network > Inter-site Networking from the main menu.
Select an edge site, and click Connect.
On the Connect page, select the RR site to be associated with the edge site. Click Detect.
Click OK. The value Update succeeded is displayed in the result page.
Click OK.

Viewing the Device Topology

Context

iMaster NCE-Campus presents network information in topology views, marks NEs with different colors to present NE alarm statuses, and displays alarm statistics. This visualizes the running status of the entire network and facilitates real-time monitoring.

Prerequisites

You have enabled LLDP on devices in the Other area on the Site > Service Parameters page. This is because the content on the device topology page is based on the physical topology and the topology is dynamically discovered through the LLDP protocol.

Device versions which support this function:

AR: V200R010C10 and later versions
Firewall: V600R006C00 and later versions
Switch: V200R013C00 and later versions
AP: V200R010C00 and later versions
WAC: V200R010C00 and later versions

Procedure

Choose Design > Basic Network Design > Physical Topology from the main menu.
The physical topology of each level is displayed.
iMaster NCE-Campus provides the following functions on the topology page:
- Displays physical topologies dynamically discovered on a per-site basis.
- Displays devices in different icons based on the device types, and displays device status in different colors.
- Displays information about a device, including the device name, ESN, model, role, and status when the cursor is moved over the device icon.
- Allows you to view details of online cloud-managed devices when you right-click a device, (on the displayed device details page), to view device alarms, or to set the device role when you right-click a device.
- Displays the information about links between devices, including the names of end devices, interfaces and link status if the cursor is moved over the links.
  
  If the upper-layer device connected to Fit APs and distributed APs (RRUs) is not managed by iMaster NCE-Campus, upstream and downstream rates of interfaces and links cannot be viewed in the topology view.
  
  The upstream and downstream rates of interfaces on a WAC cannot be viewed.
- Allow you to create a connection between two devices, set the background image, and save the current topology as a Visio file or image when you right-click the topology background.
(Optional) Click on the left to expand the left pane, and set the topology.
- On the Resource Tree tab page, the collected structure of the organizations and sites of the current tenant is displayed.
- On the Legend & Filter tab page, you can filter topology information by object name, subnet type, and device status.
- On the Layout tab page, you can adjust the topology display layout.
(Optional) Click icons on the toolbar in the upper right corner of the topology view to perform some shortcut operations.
Move the cursor to the corresponding button to display the shortcut key.
- : Create a link.
- : Move the topology view.
- : Refresh the topology view.
- : Lock the topology view.
- : Set the topology display style, such as the theme, node style, connection style, subnet style, network display settings, label display, and alarm display settings. You can also save the preceding settings by using this shortcut.
- : Set the topology link display content.
- : Print the topology view.
- : Expand the view to the full screen.

Managing Links

Overview

Users can manage and maintain network-wide links in a unified manner. Links between devices can be automatically discovered or manually created, and can be displayed in a topology on iMaster NCE-Campus. Users can monitor the link status to better understand the network topology and changes of the monitored network.

Discovering a Link

iMaster NCE-Campus can discover only Layer 2 links between Link Layer Discovery Protocol (LLDP)-capable devices that are directly connected. If an automatically discovered link has been manually deleted from iMaster NCE-Campus, the link can still be displayed in the link list and physical topology after you perform automatic discovery.

Prerequisites

LLDP has been enabled on devices in the Other area on the Site > Service Parameters page. This is because the content on the link management page is displayed based on the physical topology, and the topology is dynamically discovered through the LLDP protocol.

Procedure

Choose Design > Basic Network Design > Link Management from the main menu.
Click Discover Link.
Click Discover, select devices by device type or subnet, and click OK.
After the discovery is complete, the links discovered are displayed in the list.
Click Return to view link information in the link list.

Creating a Link

Only Layer 2 links between LLDP-capable devices that are directly connected can be automatically discovered by iMaster NCE-Campus. If physical links between two devices cannot be automatically discovered, you can manually create links between the devices to show the logical relationship between the devices.

Procedure

Choose Design > Basic Network Design > Link Management from the main menu.
Click Create Link.
Set link information.
- Name: Enter the link name as prompted.
- Type: Select a link type from the drop-down list.
- End A NE: Click and select the source NE of the link from the list.
- End A Port: Click and select the source port of the link from the list.
- End Z NE: Click and select the sink NE of the link from the list.
- End Z Port: Click and select the destination port of the link from the list.
Click OK.
After the link is successfully created, the link list displays the created link.

Parameter Description

Table 5-80 Creating the Link

Parameter		Description
Name		The link name.
Type	Cable	A cable connects two devices that form a link.
	Layer 2 Link	Link between two physical ports
	IP Link	The IP addresses for interfaces at both ends of an IP link contain a 30-bit subnet mask.
	General Link	The links that are not of the preceding types.

Configuring a Link

When a link between devices changes, you can adjust the link configuration as needed. This helps O&M personnel view and manage links in a timely manner.

Link configuration includes viewing and exporting link information, hiding links, viewing and restoring hidden links, deleting links, and configuring link name display rules.

Prerequisites

Links have been created.

Procedure

Choose Design > Basic Network Design > Link Management from the main menu.
Configure link information in the link list.
- Viewing link information
  View the link details in the link list, for example, link status, name, type, names of NEs at both ends, and port names.
  
  You can click in the upper right corner of the list to set the fields to be displayed in the link list.
- Exporting link information
  - Export Selected: In the link list, select the link to be exported and click Export link > Export Selected to export the selected link information.
  - Export All: Click Export link > Export All to export all link information in the list.
- Hiding links
  Select the link to be hidden from the link list, click in the upper right corner, and select Hide. After a message is displayed indicating that the link is successfully hidden, the link information is not displayed in the link list or topology.
- Viewing and restoring hidden links
  1. Click in the upper right corner of the page and choose View hidden link. The list of hidden links is displayed.
  2. Select the link to be restored and click Restore. After a message is displayed indicating the restoration is successful, the link information is displayed in the link list and topology.
- Deleting links
  - Single deletion: Click in the Operation column of the link to be deleted.
  - Batch deletion: Select the links to be deleted and click Delete.
- Configuring rules for link name display
  1. Click in the upper right corner of the page and select Name display rule.
  2. Select the fields to be displayed for the link name and click OK. After the operation is successful, the link names in the list are displayed according to the preset fields.

Viewing the Links

You can monitor the running status of links in real time based on the link status icons displayed in the link list. This feature enables users to restore abnormal links in a timely manner, improving O&M efficiency.

The link status is affected by the device status and port status (normal or faulty) at both ends of the link. Table 5-81 shows the relationships between the link status, link icon colors, and port status.

Table 5-81 Relationships between link status, link status icons, and port status at both ends of a link

Link Status	End A Port Management Status	End A Port Operating Status	End Z Port Management Status	End Z Port Operating Status
Normal	Normal	Normal	Normal	Normal
Offline	When the device at one end is offline, the link is offline regardless of the port status.
Unknown	If a link is not in the preceding states, the link status is unknown.

If the link status is abnormal, perform the following operations to rectify the fault:

If the link icon is , at least one device at the two ends of the link is offline. Further analysis is required. Table 5-82 lists the possible causes and solutions.
Table 5-82 Possible causes and handling methods for offline devices
Possible Cause

Troubleshooting Method
Power off the device.

Power on the device again.
The device IP address is changed.

Remove the device.
Add the device again.
If the link icon is , at least one device at the two ends of the link is faulty. Rectify the device fault and check whether the link status is normal. If the link is abnormal, delete the link and create a new one. If the fault persists, contact Huawei technical support.

Translation

简体中文

Download

Updated: 2021-04-29

Document ID: EDOC1100141248

Downloads: 586

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Possible Cause	Troubleshooting Method
Power off the device.	Power on the device again.
The device IP address is changed.	Remove the device. Add the device again.

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

Setting Global Parameters

Context

Procedure

Parameter Description

Creating a Site

Context

Procedure

Follow-up Procedure

Parameter Description

Adding Devices

Context

Stack

WAC Group

AP Grouping Recommendations

Adding Devices

Prerequisites

Procedure

Follow-up Procedure

Related Tasks

SNMP-Managed Device Models

Creating a Stack

Prerequisites

Procedure

Related Tasks

Parameter Description

Creating a WAC Group

Procedure

Creating an Automatic Discovery Task

Procedure

Related Tasks

AP Grouping Recommendations

Configuring a Network Plan

Context

Procedure

Configuring a LAN Resource Pool

Context

Procedure

Parameters

Configuring a Fabric Global Resource Pool

Prerequisites

Context

Procedure

Related Operations

Parameters

Configuring an Underlay Automated Resource Pool

Context

Procedure

Related Operations

How Do I Configure Underlay Automation in the Multi-Site Scenario?

Parameters

Template Management

Configuring an SNMP Template

Prerequisites

Context

Procedure

Related Tasks

Enabling Insecure Parameter Options

Customizing a Policy Template

Context

Procedure

Parameter Description

Configuring a Site Template

Configuring a LAN-side Site Template

Context

Procedure

Follow-up Procedure

Parameter Description

(Optional) Configuring a WAN-side Site Template

Context

Prerequisites

Procedure

Follow-up Procedure

Parameter Description

Configuring the Network Access Mode for a Site