iMaster NCE-Campus V300R022C00 Product Overview
Page 0 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
Foreword
• With the rapid development of cloud computing, the on-demand cloud service mode has become more popular, bringing great changes to traditional network management. Against this backdrop, cloud-based network management has become a trend, as well as a new model for enterprise network construction, operations and maintenance (O&M).
• This course mainly introduces the overall architecture, software components, and key
service features of iMaster NCE-Campus in Huawei CloudCampus Solution.
Objectives
• Upon completion of this course, you will be able to:
▫ Understand the positioning and functions of iMaster NCE-Campus in Huawei CloudCampus
Solution.
▫ Understand the system architecture of iMaster NCE-Campus.
▫ Understand the key features of iMaster NCE-Campus used in Huawei CloudCampus Solution.
▫ Master the main configurations of iMaster NCE-Campus.
Contents
1. iMaster NCE-Campus Introduction and Architecture
2. iMaster NCE-Campus Key Features
Huawei CloudCampus Solution Overview
[Figure: CloudCampus Solution layers. Application layer: cloud apps, self-service portal, VAS store, open APIs. Management and control layer: the NCE-Campus and NCE-CampusInsight component (manager + controller + analyzer) and the authentication component, reaching the network layer over NETCONF/SNMP/HTTP/2/HTTPS/TCP. Network layer: medium- and large-sized campuses, site interconnection, SMB, WAN/Internet, Office VN and IoT VN.]
iMaster NCE is a system that integrates the manager, controller, and analyzer. It supports interconnections among simple-service campus networks, virtual campus networks, and multi-branch campus networks, and includes the following components:
• iMaster NCE-Campus: It provides management and control functions, such as management of cloud-based and traditional devices, automated configuration, and one-click redirection to iMaster NCE-CampusInsight by using the proxy service.
• iMaster NCE-Campus authentication component: An authentication component is integrated into iMaster NCE-Campus as a service. A maximum of 20 authentication components can be deployed at remote branches to provide local authentication. Authentication components and iMaster NCE-Campus automatically synchronize user authentication and terminal identification information with each other through TCP channels.
• iMaster NCE-CampusInsight: It is an intelligent network analysis platform. Based on existing O&M data (such as device performance indicators and client logs), iMaster NCE-CampusInsight uses big data technology, AI algorithms, and other advanced analysis technologies to digitize user experience. It assists customers in detecting network issues in a timely manner, improving user experience. It is an independent component and is not described in this course.
• Campus devices: Campus devices include switches, routers, WLAN access controllers (WACs), access points (APs) and firewalls. iMaster NCE-Campus can manage devices through the Network Configuration Protocol (NETCONF) and the traditional Simple Network Management Protocol (SNMP).
iMaster NCE-Campus Introduction
• iMaster NCE-Campus serves as the cloud management platform in Huawei CloudCampus Solution. It provides service configuration, O&M, and monitoring capabilities for cloud managed devices (APs, firewalls, ARs, and switches) and traditional devices. It can also serve as an authentication server to implement user access control.
• Product positioning
▫ iMaster NCE-Campus is a management and control system designed for Huawei CloudCampus Solution. It
supports functions that include network service management, network security management, user admission
management, network monitoring, network quality analysis, network application analysis, and alarm and
report management. It also provides big data analytics and open application programming interfaces (APIs) to
facilitate interconnection with other platforms. On a multi-tenant network, enterprise users can use iMaster
NCE-Campus to perform service configuration and routine maintenance for their respective tenant networks,
making it possible to manage large numbers of devices on the cloud.
iMaster NCE-Campus Highlights
• Highlights
▫ Simplified
▪ Simplified network planning
▪ Simplified network deployment
▫ Elastic
▪ On-demand network expansion
▪ On-demand management expansion
▫ Open
▪ Open network data
▪ Open network platform
iMaster NCE-Campus Product & Tenant Network Architecture
[Figure: iMaster NCE-Campus services (device management service, admission service, performance collection service, big data service) reach the tenant networks across the ISP network. Tenant A: Site 1 with APs and a central device with RRUs; Site 2 with an AP, a switch, and a firewall. Tenant B: its own site.]
iMaster NCE-Campus Product Architecture
[Figure: product architecture diagram; no text was extracted for this slide.]
iMaster NCE-Campus Key Functions
Function | Description
Network configuration management | For small- and medium-sized campuses with simple network configurations, iMaster NCE-Campus provides diversified functions, such as site-based network element (NE) management, topology management, interface and link management, configuration of underlay services, simplified deployment specific to scenarios, and configuration template binding.
Network automation | For large- and medium-sized campuses with complex network configurations, iMaster NCE-Campus can automatically orchestrate Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) configurations for setting up a VXLAN, simplifying network management and changes.
Network admission | iMaster NCE-Campus supports various authentication protocols, such as Portal 2.0 and RADIUS, and can authenticate and manage network end users.
O&M monitoring | iMaster NCE-Campus collects performance data from devices through HTTP/2 and sends the collected data to FusionInsight (the big data analysis component), which saves and analyzes the data and provides data analysis reports.
Big data service | iMaster NCE-Campus uses Huawei-developed FusionInsight as a big data service for data storage, analysis, and merging.
Nginx | iMaster NCE-Campus uses Nginx to load balance HTTP traffic.
LVS | iMaster NCE-Campus uses Linux Virtual Server (LVS) to build a virtual server cluster that provides a single IP address for the southbound and northbound planes.
iMaster NCE-Campus Cluster Architecture
[Figure: cluster layout. Front end: LVS (master/slave), behind which sit ACANginx, Portal GW and API GW (each master/slave). NCE-Campus cluster: Portal server, CampusBase/NetconfClient, OamService/ACUpgrade, Kafka. Database cluster: ETCD, GaussDB, Redis, DMQ. FusionInsight cluster. External parties: network devices (NETCONF, HTTP/2, HTTP), MSP/tenant administrator (HTTPS), third-party system (HTTPS RESTful NBI), eSight.]
Key data exchange channels:
1 and 2: Portal authentication channel (1: HTTPS, Portal authentication page; 2: HTTP/2, user authentication)
3: Channel for device registration and alarm reporting (NETCONF-based device management)
4: Device performance reporting channel (HTTP/2)
5: Device upgrade channel (plain HTTP, as shown in the figure)
6: Channel for logging in to the iMaster NCE-Campus Web UI (HTTPS)
7: Channel for calling third-party APIs (HTTPS, RESTful NBI)
8: Traditional device management (eSight)
iMaster NCE-Campus Deployment Mode
LAN management (typical scenarios: hotels, general education, large enterprises)
Deployment Mode | Number of Servers | Number of VMs | Maximum Number of Managed NEs | Maximum Number of Online Users
Single-node system | 1 | 1 | 5000 | 20,000
Single-node system with NCE-CampusInsight (two VMs on a server) | 1 | 2 | 4000 | 20,000
Minimum cluster | 3 | 3 | 30,000 | 100,000
9-node distributed cluster (two VMs on a server) | 5 | 9 | 60,000 | 300,000
17-node distributed cluster (two VMs on a server) | 9 | 17 | 200,000 | 700,000
LAN-WAN convergence (typical scenario: branch sites and HQ connected over the WAN)
Deployment Mode | Number of Servers | Number of VMs | Maximum Number of Managed NEs | Maximum Number of Online Users
Single-node system | 1 | 1 | Number of LAN-side devices + Number of WAN-side devices x 10 ≤ 5000 | 20,000
Minimum cluster | 3 | 3 | Number of LAN-side devices + Number of WAN-side devices x 5 ≤ 15,000 | 50,000
6-node distributed cluster (two VMs on a server) | 3 | 6 | Number of LAN-side devices + Number of WAN-side devices x 5 ≤ 30,000 | 100,000
9-node distributed cluster (two VMs on a server) | 5 | 9 | Number of LAN-side devices + Number of WAN-side devices x 5 ≤ 60,000 | 300,000
17-node distributed cluster (two VMs on a server) | 9 | 17 | Number of LAN-side devices + Number of WAN-side devices x 5 ≤ 200,000, and Number of WAN-side devices ≤ 20,000 | 700,000
iMaster NCE-Campus Deployment Mode
POL convergence (typical scenarios: general education, large enterprises)
Deployment Mode | Number of Servers | Number of VMs | Maximum Number of Managed NEs | Maximum Number of Online Users
Single-node system | 1 | 1 | 5000 | 20,000
Minimum cluster | 3 | 3 | 30,000 | 100,000
Distributed cluster | None
LAN-WAN + POL convergence (typical scenario: branch sites and HQ connected over the WAN)
Deployment Mode | Number of Servers | Number of VMs | Maximum Number of Managed NEs | Maximum Number of Online Users
Single-node system | 1 | 1 | Number of LAN-side devices + POL devices + Number of WAN-side devices x 10 ≤ 5000 | 20,000
Minimum cluster | 3 | 3 | Number of LAN-side devices + POL devices + Number of WAN-side devices x 10 ≤ 15,000 | 100,000
Distributed cluster | None (the distributed cluster is not supported in the POL convergence scenario)
iMaster NCE-Campus Service Node Deployment
Solution | Deployment Mode | Management Scale (Cloud Managed Devices) | Supported Functions | Expansion Supported or Not
Single-node system | Single-node system (LAN) | 5000 | The PON and WAN features are not available. | Cold migration to a 3-node cluster
Single-node system | Single-node system (LAN + POL) | 5000 (POL devices are included) | The PON feature is available and the WAN feature is unavailable. | Not supported
Single-node system | Single-node system (LAN-WAN + POL) | LAN-side devices + 10 x WAN-side devices ≤ 5000 | The PON and WAN features are available. | Not supported
Minimum cluster | 3-node cluster (LAN-only; PM deployment is recommended) | 30,000 (POL devices are included) | The PON feature is available and the WAN feature is unavailable. | Expansion to a 3-node cluster in the LAN-WAN scenario is supported.
Minimum cluster | 3-node cluster (LAN-WAN; PM deployment is recommended) | LAN-side devices + 5 x WAN-side devices ≤ 15,000 | The PON and WAN features are available. | Not supported
Distributed cluster | 6-node cluster | LAN-side devices + 5 x WAN-side devices ≤ 30,000 | The WAN feature is available and the PON feature is unavailable. | Expansion to a 9-node cluster is supported.
Distributed cluster | 9-node cluster | LAN-side devices + 5 x WAN-side devices ≤ 60,000 | The WAN feature is available and the PON feature is unavailable. | Cold migration to the maximum scale of a 17-node cluster
Distributed cluster | 17-node cluster | LAN-side devices + 5 x WAN-side devices ≤ 200,000, and WAN-side devices ≤ 12,000 | The WAN feature is available and the PON feature is unavailable. | Not supported
Huawei Cloud | Huawei Cloud | 200,000 | The WAN feature is available and the PON feature is unavailable. | Not supported
Authentication component | Authentication component deployment | N/A | The authentication feature is supported. | Not supported
Large-capacity and multiple clusters | Independent management plane | N/A | N/A | N/A
Large-capacity and multiple clusters | Global node | N/A | Unified login for a multi-cluster system is supported. | Not supported
Third-party arbitration | Independent arbitration node | N/A | Automatic switchover with a third arbitration site in disaster recovery (DR) solutions. | Not supported
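The sizing rules above are easy to misapply by hand because the WAN weight, the PON restriction and the separate WAN-device cap all interact. The following is an added example (not Huawei code) that encodes the service node deployment table as data and returns the smallest deployment mode that fits a given device mix. Two assumptions are made for the example: POL devices count toward the LAN-side total (the table says they are "included"), and the 3-node LAN-WAN cluster uses the x5 WAN weight from the service node table rather than the x10 weight printed on the LAN-WAN + POL slide. The mode names and the Mode structure are the example's own.

```python
"""Deployment-mode sizing check for iMaster NCE-Campus.

Added example, not Huawei code.  Encodes the management-scale rules of the
service node deployment table (weighted NE count, PON/WAN availability and
the WAN-device cap of the 17-node cluster) and picks the smallest mode that
fits.  Assumptions: POL devices count toward the LAN-side total, and the
3-node LAN-WAN cluster uses the x5 WAN weight from that table.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mode:
    name: str
    max_weighted_nes: int            # cap on lan + pol + wan_weight * wan
    wan_weight: Optional[int]        # None: WAN feature unavailable in this mode
    pon: bool                        # PON (POL device) feature available
    max_wan: Optional[int] = None    # extra cap on the raw WAN-side device count


# Smallest footprint first, so the first match is the minimum deployment.
MODES = (
    Mode("Single-node system (LAN)",           5000,   None, False),
    Mode("Single-node system (LAN + POL)",     5000,   None, True),
    Mode("Single-node system (LAN-WAN + POL)", 5000,   10,   True),
    Mode("3-node cluster (LAN-only)",          30000,  None, True),
    Mode("3-node cluster (LAN-WAN)",           15000,  5,    True),
    Mode("6-node cluster",                     30000,  5,    False),
    Mode("9-node cluster",                     60000,  5,    False),
    Mode("17-node cluster",                    200000, 5,    False, max_wan=12000),
)


def weighted_nes(mode, lan, wan, pol):
    """Management scale as the table counts it: WAN devices carry a weight."""
    weight = mode.wan_weight or 0
    return lan + pol + weight * wan


def fits(mode, lan, wan, pol):
    """True if the device mix is within every limit of the mode."""
    if wan and mode.wan_weight is None:      # WAN feature not available
        return False
    if pol and not mode.pon:                 # PON feature not available
        return False
    if mode.max_wan is not None and wan > mode.max_wan:
        return False
    return weighted_nes(mode, lan, wan, pol) <= mode.max_weighted_nes


def select_mode(lan, wan=0, pol=0):
    """Return (mode name, weighted NE count) of the smallest fitting mode,
    or None when no on-premises mode in the table can manage the mix."""
    for mode in MODES:
        if fits(mode, lan, wan, pol):
            return mode.name, weighted_nes(mode, lan, wan, pol)
    return None


if __name__ == "__main__":
    # Constructed device mixes, including the two cases that exceed every mode.
    for mix in ((3000, 0, 0), (4000, 200, 0), (20000, 100, 0),
                (100000, 12000, 0), (100000, 15000, 0), (50000, 0, 10)):
        print(mix, "->", select_mode(*mix))
```

Note the two None results the demo prints: a site with more than 12,000 WAN-side devices exceeds the 17-node cluster's WAN cap even though its weighted total is under 200,000, and any POL deployment above 30,000 devices has no home because the distributed clusters do not offer the PON feature.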
iMaster NCE-Campus Value-added Features
Type | Feature | Description | Deployment Requirement | License Control
Basic value-added features | Advanced network security policy | iMaster NCE-Campus supports centralized management of network-wide security policies and security service orchestration to rapidly provision security services. | This feature is supported in all deployment scenarios, and service nodes do not need to be added. | Firewall management licenses
Basic value-added features | PON management | iMaster NCE-Campus manages PON devices in access networks through SNMP. It supports automatic service deployment specific to scenarios and can display performance, topology, and alarm information of devices in a unified manner, implementing management and visualization of resources and networks, as well as fault diagnosis visualization. | This feature is supported in single-node systems and minimum clusters, and service nodes do not need to be added. | POL management licenses
Basic value-added features | Automatic virtual network management | Campus VXLAN uses overlay virtualization technology to carry multiple virtual networks on a single underlay network and support flexible service deployment. Based on SDN and cloud technologies, Campus VXLAN implements automatic deployment of virtual networks, and automation of user-oriented and application-oriented policy management. | This feature is supported in all deployment scenarios, and service nodes do not need to be added. | Automatic virtual network management licenses
Basic value-added features | Terminal identification | iMaster NCE-Campus can automatically identify the vendor, operating system, and type of terminals, and then control terminal access based on the identified information. | This feature is supported in all deployment scenarios, and service nodes do not need to be added. | Terminal plug-and-play licenses
Basic value-added features | Network configuration verification | Data plane verification (DPV) technology is used to implement network-wide snapshot management, subnet reachability verification, and terminal access verification, building up comprehensive intelligent verification capabilities. | This feature is supported in all deployment scenarios, and service nodes do not need to be added. | --
Advanced value-added features | AI-based terminal fingerprint identification | Based on the model training and inference technology of AI engines, iMaster NCE-Campus analyzes the characteristics of unknown terminals and automatically generates the corresponding identification rules to improve terminal identification. | This feature is supported in minimum clusters and in distributed clusters; in either case one more PM (with 128 GB of memory) needs to be added. This feature is not supported in single-node systems. | --
Advanced value-added features | SRv6 | Based on the SRv6 TE Policy tunneling technology, iMaster NCE-Campus provides end-to-end (E2E) optimal path computation and service optimization for one unified WAN, and supports centralized configuration and management of network topologies and tunnel constraints, aiming to maximize network bandwidth utilization and leverage the full potential of network resources. In addition, iMaster NCE-Campus supports traffic forwarding in SRv6 BE mode in the case of tunnel failures. | This feature is supported in the single-node system LAN-WAN deployment scenario, and service nodes do not need to be added. This feature is supported in distributed clusters; one more PM (with 256 GB of memory) needs to be added. This feature is not supported in minimum clusters or in the single-node system LAN-only deployment scenario. | SRv6 function package licenses
Value-added security features | Advanced security features | Remote attestation: provides full-lifecycle file integrity protection, from startup to running to storage, for embedded NEs. Security situational awareness (SSA): provides real-time security data analysis and overall security situation prediction for network devices to help security O&M personnel quickly make decisions and trace sources. Device security configuration check: provides visualized security management capabilities for network devices and supports device security status check, security risk warning, and security hardening guidance. | This feature is supported in distributed clusters; three more PMs (with 64 GB of memory each) need to be added. This feature is not supported in single-node systems. | --
iMaster NCE-Campus Server Installation Networking
[Figure: a server with its management port; the internal communication/management network (cable for internal communication); the service network (cable for the service network); the northbound network (cable for the northbound network); the southbound network (cable for the southbound network); and the PC where EasySuite resides.]
Currently, iMaster NCE-Campus can have at most four planes: the internal communication plane, service plane, southbound plane, and northbound plane. Their functions are as follows:
• Internal communication plane: used for communication between service nodes in an iMaster NCE-Campus cluster, including FusionInsight and GaussDB nodes.
• Service plane: used to provision southbound and northbound services of iMaster NCE-Campus. For example, administrators can use a load balancer (LB) to distribute service traffic to multiple nodes.
• Northbound plane: used to receive northbound service traffic, for example, a browser accessing the management plane of iMaster NCE-Campus.
• Southbound plane: used to receive southbound service traffic, for example, communication with network devices through NETCONF.
Based on customer networking requirements, some network planes can be combined. The following networking modes are supported:
• Two-plane networking: the internal communication plane and an integrated plane that combines the service, southbound, and northbound planes. The southbound and northbound public IP addresses can be translated on the firewall.
• Three-plane networking: the internal communication plane, the service plane, and an integrated southbound and northbound plane.
• Four-plane networking: the internal communication plane, service plane, northbound plane, and southbound plane, each on its own network.
Note:
The IP addresses of network interface cards (NICs) must be assigned in dedicated VLANs, which must not be shared with the VLANs of other, unrelated products.
Ports can be enabled on firewalls as needed. For details, see the Communication Matrix.
iMaster NCE-Campus Homepage
[Figure: homepage layout with the following areas.]
• Logo
• Menu bar
• Selected view (overview page)
• Alarm area
• Search, account and help area
• Area for rotating product carousel images
• Navigation path for entering network scenario apps
• Navigation path for entering advanced feature apps
Contents
1. iMaster NCE-Campus Introduction and Architecture
2. iMaster NCE-Campus Key Features
Site Management Overview
• iMaster NCE-Campus configures and monitors devices by site. The site management feature
provides the functions of adding, deleting, modifying, and querying sites. iMaster NCE-
Campus can manage not only sites containing devices of a single type, such as APs, WACs,
ARs, switches, or firewalls, but also sites containing devices of various types.
• iMaster NCE-Campus also supports organization- and tag-based site management to display
sites in a hierarchical mode. When creating organizations, administrators can specify a parent
organization to define a hierarchy (supports nesting in five layers at most).
Site Management Configuration
• Click Design > Site Design > Site Management to view the site list, and create, delete, or modify sites.
• Click Provision > Device > Batch Deployment > Site to view site templates.
Topology Management
Feature | SNMP | NETCONF
Topology | Unified | Unified
Device management | Unified | Unified
Link management | Unified | Unified
Third-party device management | Supported | Not supported
Topology layout toolkit: the toolbar in the topological view provides move, update, save positions, lock, display settings, export (picture/Visio), and full screen display.
Per-site view: iMaster NCE-Campus displays the topology and devices for each site; the toolbar in the topological view provides display alarm, auto fit zoom, and zoom in/out.
The toolbar classifies function options, which makes it easy to use. The shortcut menu can be customized to hide redundant information.
Click Design > Network Design > Physical Topology to view site topologies.
Distributed Switch (RU)
[Figure: as-is versus to-be cabling. As-is: campus core equipment room (CSS) → 10 km optical cables → aggregation switch in a building → 300 m optical fibers → access switch in an ELV room on a floor → 65 m network cables → desks in Building A and Building B/C. To-be: campus core equipment room (CSS) → 10 km optical cables → central device in an ELV room on a floor/building → 60 m optical fibers → RU → 5 m network cables → desks in Building A and Building B/C.]
Background: the following problems exist in office, education, and hotel scenarios:
• Cabling is complicated.
• Compared with the POL solution, the current campus network solution requires higher network equipment room construction costs.
• Access devices are connected to users through network cables, which do not meet the requirements of the fiber-to-edge trend.
Scenarios:
• Desktop: a central device can connect to multiple remote units (RUs) located in different offices, open-plan desks, and classrooms.
• Device replacement in equipment or extra low voltage (ELV) rooms without site relocation: a central device can connect to multiple RUs to allow access of cameras, APs, and wired terminals.
Benefits:
• Maximizes the use of chip forwarding capability.
• Dramatically reduces the network construction cost for customers. In addition, the cost for desktop scenarios is predicted to be reduced by more than 50%.
• Innovates the network architecture, decreases the number of NEs, and reduces the management cost.
Distributed Switch (RU)
• Management capability: iMaster NCE-
Campus allows users to query
information about RUs connected to a
central switch, including the ESNs,
models, online status, interfaces that
directly connect to the central switch,
and port list information of the RUs.
• Control capability: iMaster NCE-Campus allows users to configure port isolation for a particular interface on a central switch. The configuration takes effect for all RUs connected to that interface.
Distributed Switch (RU)
• Monitoring capability: iMaster NCE-Campus
allows users to check the memory usage, disk
space usage, and temperature of an RU, as well
as the running status, rate, traffic statistics,
packet statistics, and bandwidth utilization of an
RU interface.
• O&M capabilities: iMaster NCE-Campus allows
users to restart RUs. In addition, iMaster NCE-
Campus can receive alarms from RUs if they fail
to be upgraded.
YunShan Device Management (Scenario Introduction)
• Background: To ensure the service continuity of V5 devices and construct an open ecosystem of the next-generation embedded service-oriented architecture, the following brand-new LAN switches (LSWs) and ARs are launched based on the next-generation YunShan platform: S8700/S6730/S5750/AR8140/AR6710. With these devices, iMaster NCE-Campus can build the next-generation CloudCampus YunShan ecosystem.
[Figure: three networking options, each with an Internet/WAN uplink.]
• Recommended: V5 device standard networking. Egress: AR6000/AR600; core: S12700E; WAC: 9700-M/6508/6805; aggregation and access: S7700/S6730-H, S5731/S5732; APs: AP 8760/6760/5760.
• Evaluation-required: YunShan + V5 device hybrid networking (large-sized). Egress: AR8140/AR6000; core: S12700E; WAC: 9700-M/6508/6805; aggregation and access: S8700/S6730-H, S5750-L/S5750-S; APs: AP 8760/6760/5760.
• Pilot: YunShan device independent networking (small- and medium-sized). Egress: AR8140/AR6710; core: S8700; access: S5750-L/S5750-S; APs: AP 8760/6760/5760.
YunShan Device Management (Differences Between V5 and YunShan Devices)
[Figure: management stack. Service layer: management, configuration, alarm, O&M, monitoring. Service adaptation layer: AOC 1.0 for V5 devices, AOC 3.0 for YunShan devices. Channel protocol layer: NETCONF, SSH, HTTP/2 (V5) and telemetry (YunShan).]
Management: V5 and YunShan devices are both managed through NETCONF channels.
Configuration: Configurations of both V5 and YunShan devices are delivered through NETCONF channels; however, the YANG models are different. YunShan devices use the YANG 2.0 model and complete configurations based on the SND/GND model of AOC 3.0, built on the application platform as a service (aPaaS).
Alarm: Alarm services of both V5 and YunShan devices are implemented through NETCONF channels. However, the YANG models are different. YunShan devices use the YANG 2.0 model.
O&M: O&M operations on both V5 and YunShan devices are implemented through SSH channels.
Monitoring: V5 devices are monitored through HTTP/2 channels, while YunShan devices are monitored through telemetry channels (gRPC).
YunShan Device Management (Differences Between V5 and YunShan Devices)
Device Type | Key Feature Not Supported (Compared with V5) | Impact Description | Workaround
YunShan LSW | Management VLAN auto-negotiation | Wired/wireless management VLAN auto-negotiation to implement device plug-and-play is not supported. In addition, Eth-Trunk auto-negotiation is also not supported. | Deploy switches manually or using the zero touch provisioning (ZTP) function through the management VLAN (that is, VLAN 1). In addition, deploy APs connected to the switch by using the sensor ap function.
YunShan LSW | Registration center-based deployment | Device plug-and-play through the registration center is not supported. | Use the DHCP option-based deployment solution.
YunShan LSW | ESN-free deployment | ESN-free deployment is not supported. | Scan barcodes to record device ESNs or manually import device ESNs.
YunShan LSW | Portal authentication | Portal authentication based on HTTP/2 or HACA is not supported. | Use V5 devices as authentication devices instead.
YunShan LSW | Wireless authentication | Wireless authentication is not supported. | Use off-path WACs for wireless authentication.
YunShan LSW | Terminal identification | Terminal identification is not supported. | Use V5 devices as access devices instead.
YunShan LSW | Application identification | Application identification and application statistics collection are not supported. | N/A
YunShan LSW | Application experience analysis | eMDI application experience analysis is not supported. | N/A
YunShan LSW | HQoS | VIP user policies cannot be configured. | N/A
YunShan LSW | Certificate management | Offline and online certificate management functions are not supported. | Log in to devices for configuration.
YunShan LSW | SWEB | Redirection to the switch web system for service configuration is not supported. | Log in to the device command line interface (CLI) through SSH to configure services.
YunShan AR | Wi-Fi | Wireless access services are not supported. | N/A
YunShan AR | Inter-site interconnection | YunShan ARs cannot function as the devices for communication between the HQ site and branch sites. | N/A
YunShan AR | Traffic statistics | Traffic statistics collection based on NetStream is not supported. | N/A
YunShan AR | SWEB | Redirection to the AR web system for service configuration is not supported. | Log in to the device CLI through SSH to configure services.
YunShan Device Management (Configuration Consistency Verification)
[Figure: configuration paths. V5 device (AR/LSW/AP): iMaster NCE-Campus issues NETCONF get-config, edit-config and copy-config against the NaaS running database, which is saved to the startup database; a local user configures through the CLI, the web system platform or eSight, reaching the VRP5 NBI over SNMP/CLI and the current-cfg database, which is saved to Startup cfg. YunShan device (AR/LSW): iMaster NCE-Campus issues NETCONF get-config and edit-config; a local user configures through the CLI, web-based management or eSight; all paths pass through the CMF into centralized data storage and DB (CDBR), and the device sends configuration change notifications to the controller.]
Category | V5 Device | YunShan Device
Configuration data storage | There are two types of databases for configuration data storage: the NETCONF-based database (which stores only configurations delivered through NETCONF) and the CLI/SNMP-based database (which stores full configurations). | Configurations are stored in a single database. Configurations delivered through NETCONF and SNMP and performed in the CLI are stored in the same database. However, currently the NETCONF-based configuration capability provided by devices is inferior to the CLI-based configuration capability; for a given feature, one of the following cases applies: 1. The feature cannot be configured through NETCONF and can be configured only through the CLI. 2. The feature supports NETCONF-based configuration for all involved parameters. 3. The feature supports CLI-based configuration for all involved parameters but NETCONF-based configuration for only some of them.
Configuration storage mechanism | 1. The save command is delivered through NETCONF every two hours, saving the configuration in the running configuration database to the startup configuration database. 2. Running the save command in the device CLI saves the configuration in the current-cfg database to the Startup cfg database. | Same as V5 devices.
NETCONF | Full configuration delivery in copy-config mode is supported. Configurations delivered through NETCONF do not overwrite those performed in the CLI. | 1. Full configuration delivery in copy-config mode is not supported. Configurations delivered through NETCONF overwrite those performed in the CLI. 2. Configuration changes can be triggered through the CLI/SNMP, and change notification messages can be sent to the controller.
YunShan Device Management (Configuration Consistency Verification)
Configuration consistency verification upon first rollout: When a device goes online for the first time, the controller delivers full configurations to the device. Since the device may be configured through other methods, such as through the local device CLI, configuration inconsistencies may occur. Therefore, after the full delivery, the controller automatically performs consistency verification and synchronizes configurations from the device if any differences are discovered.
Configuration consistency verification upon subsequent rollouts: When a device goes online again (not for the first time), only the flow IDs of the controller and device are checked. If the flow IDs are inconsistent, configuration consistency verification is triggered. If any inconsistencies are found, manual synchronization or reconciliation is required to eliminate them; otherwise, none of the northbound configuration requests can be delivered, which may lead to service security risks, for example, the risk of overwritten configurations.
Manual configuration consistency verification: Immediate verification can be triggered manually to check full configurations. In addition, scheduled verification tasks can be created (daily, weekly, or monthly). If any inconsistencies are found, manual synchronization or reconciliation is required to eliminate them.
This function can be configured on the Maintenance > Configuration Maintenance > Data Consistency page.
• Click Inconsistency Discovery to check configuration differences between the controller and devices. In addition, configurations can be synchronized and reconciled on a per-device or per-feature basis.
YunShan Device Management (Configuration Consistency Verification)
Configure the synchronization/reconciliation mechanism
Table columns: Scenario, Controller Data, Device Data, Configuration Source, Device-to-Controller Synchronization, Controller-to-Device Reconciliation.
Scenario 1: A configuration exists on the controller but not on the device (controller data: VLAN 200; device data: N/A).
▫ Configuration source E2E/ECS. Device-to-controller synchronization: the configurations on the controller and device remain unchanged. Controller-to-device reconciliation: the controller delivers the configuration in incremental mode to the device.
▫ Configuration source None. Device-to-controller synchronization: the controller deletes this configuration. Controller-to-device reconciliation: the controller delivers the configuration in incremental mode to the device.
Scenario 2: A configuration exists on the device but not on the controller (controller data: N/A; device data: VLAN 200; configuration source: N/A).
▫ Device-to-controller synchronization: the controller synchronizes the inconsistent configuration from the device to its southbound configuration library as an empty-source configuration.
▫ Controller-to-device reconciliation: if the function of deleting inconsistent configurations during reconciliation is enabled, the configuration on the device is deleted. If the preceding function is disabled, the configurations on the controller and device remain unchanged.
Scenario 3: A configuration exists on both the controller and the device, but the configuration data is different (controller data: VLAN 10 name xxx; device data: VLAN 10 name yyy).
▫ Configuration source E2E/ECS. Device-to-controller synchronization: the configurations on the controller and device remain unchanged. Controller-to-device reconciliation: the configuration on the controller overwrites that on the device.
▫ Configuration source None. Device-to-controller synchronization: the configuration on the device overwrites that on the controller. Controller-to-device reconciliation: if the function of deleting inconsistent configurations during reconciliation is enabled, the configuration on the controller overwrites that on the device. If the preceding function is disabled, the configurations on the controller and device remain unchanged.
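As an added illustration of the synchronization and reconciliation rules in the table above (example code written for this page, not iMaster NCE-Campus code), the following Python model applies each row's behaviour to a constructed controller library and device configuration. The item keys, the E2E/ECS source tag on controller items, the flow-ID check and all function names are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

E2E = "E2E/ECS"   # controller-managed configuration source; None = empty-source configuration


@dataclass(frozen=True)
class CtrlItem:
    """One configuration item in the controller's southbound configuration library."""
    data: str
    source: Optional[str]   # E2E or None


# Constructed sample data (hypothetical item keys, not a real device configuration).
CONTROLLER: Dict[str, CtrlItem] = {
    "vlan10": CtrlItem("VLAN 10 name xxx", E2E),    # scenario 3, source E2E/ECS
    "vlan20": CtrlItem("VLAN 20 name aaa", None),   # scenario 3, source None
    "vlan200": CtrlItem("VLAN 200", E2E),           # scenario 1, source E2E/ECS
    "vlan300": CtrlItem("VLAN 300", None),          # scenario 1, source None
}
DEVICE: Dict[str, str] = {
    "vlan10": "VLAN 10 name yyy",
    "vlan20": "VLAN 20 name bbb",
    "vlan400": "VLAN 400",                          # scenario 2: exists on the device only
}


def verification_needed(first_rollout: bool, ctrl_flow_id: str, dev_flow_id: str) -> bool:
    """First rollout: always verify after full delivery. Later rollouts: only when flow IDs differ."""
    return first_rollout or ctrl_flow_id != dev_flow_id


def find_inconsistencies(controller: Dict[str, CtrlItem], device: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, kind) pairs; kind is 'controller_only', 'device_only' or 'different'."""
    found = []
    for key in sorted(set(controller) | set(device)):
        if key not in device:
            found.append((key, "controller_only"))
        elif key not in controller:
            found.append((key, "device_only"))
        elif controller[key].data != device[key]:
            found.append((key, "different"))
    return found


def synchronize(controller: Dict[str, CtrlItem], device: Dict[str, str]) -> Dict[str, CtrlItem]:
    """Device-to-controller synchronization: returns the updated controller library.
    Empty-source items follow the device; E2E/ECS items are left unchanged."""
    updated = dict(controller)
    for key, kind in find_inconsistencies(controller, device):
        if kind == "controller_only" and controller[key].source is None:
            del updated[key]                              # controller deletes this configuration
        elif kind == "device_only":
            updated[key] = CtrlItem(device[key], None)    # stored as empty-source configuration
        elif kind == "different" and controller[key].source is None:
            updated[key] = CtrlItem(device[key], None)    # device overwrites controller
    return updated


def reconcile(controller: Dict[str, CtrlItem], device: Dict[str, str],
              delete_inconsistent: bool = False) -> Dict[str, str]:
    """Controller-to-device reconciliation: returns the updated device configuration.
    E2E/ECS items are pushed to the device; device-only items and empty-source
    conflicts are touched only when 'delete inconsistent configurations' is enabled."""
    updated = dict(device)
    for key, kind in find_inconsistencies(controller, device):
        if kind == "controller_only":
            updated[key] = controller[key].data           # delivered in incremental mode
        elif kind == "device_only" and delete_inconsistent:
            del updated[key]
        elif kind == "different" and (controller[key].source == E2E or delete_inconsistent):
            updated[key] = controller[key].data           # controller overwrites device
    return updated


if __name__ == "__main__":
    for key, kind in find_inconsistencies(CONTROLLER, DEVICE):
        print(f"{key:8} {kind}")
    print("after sync     :", {k: v.data for k, v in synchronize(CONTROLLER, DEVICE).items()})
    print("after reconcile:", reconcile(CONTROLLER, DEVICE, delete_inconsistent=True))
```

Synchronization never modifies the device and only lets the device override empty-source items; reconciliation only removes or overwrites device-side data when the deletion option is enabled. Calling find_inconsistencies again after one direction has been applied shows what a verification task would still flag.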
User Admission Overview
• User admission is a key feature provided by iMaster NCE-Campus to control user access.
iMaster NCE-Campus not only supports 802.1X authentication, Portal authentication, and
MAC address authentication on its own, but also supports interconnection with a third-
party authentication server (a Portal or an AAA server) in all the previous authentication
modes.
• iMaster NCE-Campus can function as a relay agent and interconnect with a third-party
Portal or RADIUS server in API or RADIUS relay mode to implement authentication.
User Admission Scenario
Diversified authentication modes
(Figure: the authentication system, Portal system, and configuration management on the cloud platform connect to the customer's network through HTTP/2 and NETCONF.)
• Supports various authentication modes: 802.1X authentication, Portal authentication (anonymous authentication, username and password authentication, private pre-shared key (PPSK) authentication, and SMS authentication), MAC address authentication, and social media authentication.
• Supports protocols suitable for data transmission: Authentication data is transmitted through HTTP/2 (HACA) or RADIUS, while configuration data is transmitted through NETCONF.
• Open authentication solutions: Interconnection with a third-party Portal server is supported.
Social media authentication: meeting customers' business requirements
Various social media platforms are supported: Tencent QQ, WeChat, Sina, Facebook and Twitter.
Social media authentication process:
1. Connect a mobile phone to a Wi-Fi network.
2. Open a browser, and then click Log In.
3. Interconnect with diversified social media platforms to implement social media authentication. The following social media platforms are supported:
a) WeChat: can be used for WeChat URL-based and QR code-based authentication
b) Tencent QQ
c) Sina Weibo
d) Facebook and Twitter
Sources in different scenarios
Various User Authentication Sources for Unified User Management
User identity source / Description / Used by:
• Local accounts: Username/Password, MAC account, and self-registered guest account. Used by enterprise employees, guests, and O&M personnel.
• Social media: WeChat, Tencent QQ, Sina Weibo, Facebook, and Twitter. Used by guests.
• AD/LDAP server: Microsoft AD, Novell Edirectory, IBM Tivoli, Sun One, JIT Galaxy, Open LDAP. Used by enterprise employees and guests.
• Third-party HTTP server: Requiring an HTTP server authentication URL. Used by enterprise employees and guests.
• Third-party RADIUS server: iMaster NCE-Campus as a RADIUS relay agent. Used by enterprise employees.
• Token server: RSA SecurID and DaVinci password-based dynamic identity authentication system. Used by enterprise employees.
• Certificate authentication: Interconnection with a certificate server (X509 certificates are supported). Used by enterprise employees.
Sources in different scenarios
Full-lifecycle Guest Management in Diverse Scenarios
• Register: employee application; guest self-registration.
• Approve: approval exemption; approval by administrators; approval by receptionists.
• Distribute: SMS; email; web.
• Authenticate: anonymous authentication; username and password authentication; SMS authentication; social media authentication.
• Audit and deregister: user login and logout audit; automatic account deregistration after expiration; scheduled account deregistration.
Enterprises and government agencies (school, government, enterprise, scientific research institute): strict control for guest account approval and access permission.
Public places (supermarket, cafe, shopping mall, restaurant, stadium, hotel, exhibition hall, customer service center): approval-free accounts, simple and flexible user admission, easy-to-use account assignment, automatic logout.
User Admission - Portal Authentication Configuration Process (1/6)
Process: 1. Customize a Portal page -> 2. Set social media interconnection parameters -> 3. Configure security authentication -> 4. Configure a page push policy -> 5. Configure an authentication policy -> 6. Configure an account for an end user
You can select a language template (such as an English template) for Portal pages and a Portal authentication template type (such as SMS authentication).
• You can choose Admission > Admission Resources > Page Management from the main menu, click Page Customization to customize Portal pages, and click Portal Page Push Policy to create a Portal page push policy. If page customization is not required, you can skip this step.
• You can also modify Portal pages. The system allows up to 1000 tenants in total to customize Portal pages, of which each can customize at most 20 sets of Portal pages (including six default sets).
User Admission - Portal Authentication Configuration Process (2/6)
• You can choose Admission > Admission Resources > External Data Source > Social Media Parameters from the main menu. On the Social Media Parameters page, you can decide whether to configure interconnection with a social media platform. If this is not required, you can skip this step.
User Admission - Portal Authentication Configuration Process (3/6)
• When site templates are used: Take wireless authentication configuration as an example. You can choose Provision > Device > Batch Deployment > Site from the main menu, select a site template, and access the SSID configuration page of APs and other required devices. Then configure the basic settings, security authentication, and policy control of SSIDs.
• When site templates are not used: Take wireless authentication configuration as an example. You can choose Provision > Device > Site Configuration from the main menu, select a site, and access the SSID configuration page of APs and other required devices. Then configure the basic settings, security authentication, and policy control of SSIDs.
User Admission - Portal Authentication Configuration Process (4/6)
• You can choose Admission > Admission Resources > Page Management > Portal Page Push Policy from the main menu, and then click the Portal Page Push Policy tab to customize a Portal page push policy. If you use the default policy, skip this step.
User Admission - Portal Authentication Configuration Process (5/6)
• You can choose Admission > Admission Policy > Authentication and Authorization from the main menu, and then click the Authentication Rule, Authorization Result, and Authorization Rule tabs, respectively, to customize an authentication policy.
User Admission - Portal Authentication Configuration Process (6/6)
• You can choose Admission > Admission Resources > User Management from the main menu and click User Management or Guest Management. On the User Management page, you can create accounts for end users. If social media accounts are used for authentication, you can skip this step.
5G Authentication Scenario
(Figure: 5G terminals such as smart electricity meters, robots, gas sensors, temperature sensors, and CNC machines access the network through a 5G CPE or 5G dongle and the 5GC (SMF); an optional IoT center and iMaster NCE-Campus in the data center handle terminal information and authentication; authenticated terminals reach enterprise intranet resources.)
Application scenario
5G networks have been rapidly developed and used in a wide range of scenarios. They feature high-speed mobility and wide coverage, making them an ideal complement to campus networks. Currently, 5G terminals (any devices with 5G modules) can access campus networks only through a wired network or Wi-Fi. Using 5G networks to allow for 5G terminal access will extend the physical boundary of terminal access and reduce enterprise network construction and maintenance costs.
Functions of each component
• 5GC: manages the 5G core network, which involves many components. One of them is the access-related SMF.
• SMF: refers to Session Management Function, which provides the session management, policy control, and QoS functions.
• IoT center: maintains information about 5G terminals and synchronizes the information to iMaster NCE-Campus.
• 5G CPE and 5G Dongle: are the main 5G terminals for access currently.
• iMaster NCE-Campus: performs authentication and authorization on terminals.
• Firewall or switch: manages network access rights of terminals.
5G Authentication Scenario
(Figure: IoT terminals connect through a 5G macro base station or indoor distributed base station to the carrier's 5GC (AUSF, UDM, AMF, SMF, UPF) and MEC (MEC hardware, MEC IaaS, MEC PaaS, MEP, MSCG, third-party apps, VAS); the SMF reaches iMaster NCE-Campus on the enterprise campus over an IPsec-encrypted channel; the enterprise administrator, the IoT center, and the enterprise servers sit on the campus side.)
Access procedure
1. The enterprise administrator purchases SIM cards and terminals in a unified manner, and imports the IMSIs and IMEIs to the IoT center.
2. The IoT center synchronizes information including IMSIs and IMEIs to iMaster NCE-Campus.
3. Terminals (with SIM cards) access the 5G network based on 5G-AKA authentication, and initiate Protocol Data Unit (PDU) session establishment.
4. The SMF triggers RADIUS Password Authentication Protocol (PAP)/Challenge-Handshake Authentication Protocol (CHAP) authentication, and sends terminal information such as IMSIs and IMEIs to iMaster NCE-Campus for authentication. Communication between the SMF and the enterprise's AAA server involves sensitive information. Therefore, the data flow between them is transmitted through a leased line and encrypted by IPsec.
5. When the authentication succeeds, the terminals have access to enterprise intranet resources.
Constraint
• The authentication requires terminal IMSIs or IMEIs, which are personal information. Currently, only IoT terminals are supported.
• The RADIUS CHAP/PAP scheme is used between the SMF and controller, which is insecure. Therefore, a secure channel is required to ensure data security.
Dependency
• The carrier provides APNs on the 5GC for enterprises.
• The carrier's SMF must support RADIUS with extended 3rd Generation Partnership Project (3GPP) attributes.
Application Scenarios of IoT Sensing Networks
(Figure, as is: an application layer with separate air conditioning and ventilation, water supply and drainage, and lighting systems; a platform layer; a network layer (LAN); an IoT device layer with DDCs and sensors on an RS485 bus or IP access. To be: an application layer with IoT applications; a platform layer with an IoT digital platform and a PKI certificate system; a network layer with an IoT gateway, LAN, policy enforcement, network controller, and logic orchestration engine; an IoT device layer with DDCs and sensors on an RS485 bus or IP access.)
As is
• Closed vertical systems: It is incompatible with other vendors, has high costs, and is unable to expand applications.
• RS485 bus: The network has many RS485 connections, the RS485 bandwidth is insufficient, and lacks the intelligent O&M capability.
To be
• Unified IoT digital platform: It defines thing models of different systems and provides open interfaces for third-party applications to build an ecosystem.
• IP-based desktop delivery controller (DDC): It reduces investment in physical connections and enhances visualized O&M capabilities.
Terminal Access on IoT Sensing Networks
1. The function of delivering IoT tags to APs is enabled on the controller. In the wireless access scenario, the APs provide SSIDs
with IoT tags. iConnect terminals proactively search for SSIDs with IoT tags and automatically connect to such an SSID once
discovering one.
2. Certificate authentication can be used for security access. Terminals need to pass MAC address authentication on the
controller, apply to the controller for certificates (which can be issued by the built-in CA server or a third-party CA server),
and then initiate certificate authentication.
3. PPSK authentication can be used as well. Terminals need to pass MAC address authentication on the controller, apply to the
controller for PPSKs, and then initiate PPSK authentication. In this process, the controller needs to allocate PPSK accounts
and then deliver PPSKs to terminals. PPSK accounts can be allocated to terminals in either of the following ways: The
controller can allocate the PPSK accounts that have been bound to MAC accounts based on the terminal MAC addresses, or
allocate PPSK accounts from the pre-configured PPSK resource pool and then bind these PPSK accounts with the terminal
MAC addresses.
Unified Wi-Fi CPE Management
Application scenario
Unified O&M and management of Wi-Fi CPEs is required in scenarios such as industrial manufacturing, Internet healthcare, and smart livestock farming.
(Figure: the network administrator, iMaster NCE, a certificate server, and a WAC manage Wi-Fi CPEs mounted on AGVs, production lines, and AOI equipment.)
Seamless access of Wi-Fi CPEs:
1. Wi-Fi CPEs access the network through the SSID to connect to the controller.
2. Wi-Fi CPEs apply for certificates from the controller.
3. Wi-Fi CPEs have secure access to the network after passing 802.1X authentication by using applied certificates.
Before:
• Management: iMaster NCE-Campus supports unaware authentication of Wi-Fi CPEs, but cannot manage them as NEs.
• Monitoring: iMaster NCE-Campus cannot monitor the working states of Wi-Fi CPEs and detect faults on their downlink interfaces.
• O&M: A local FTP server needs to be set up for upgrading Wi-Fi CPE versions. You can run commands on Wi-Fi CPEs to restart and upgrade them.
After:
• Management: iMaster NCE-Campus can manage Wi-Fi CPEs in a unified manner.
• Monitoring: iMaster NCE-Campus can remotely monitor Wi-Fi CPEs.
• O&M: iMaster NCE-Campus can remotely upgrade Wi-Fi CPEs in batches and deliver commands to them.
Constraints: This function is applicable only to Wi-Fi CPEs in WAC + Fit AP scenarios and is not applicable to Wi-Fi CPEs connected to cloud APs.
Unified Wi-Fi CPE Management
Manage Wi-Fi CPEs in a unified manner
• iMaster NCE-Campus supports unified management of Wi-Fi CPEs. It monitors and displays information about Wi-Fi CPEs, such as MAC addresses, IP addresses, states (online or offline), connected APs, connected SSIDs, traffic statistics, uplink and downlink rates, packet loss rates, and online duration.
Unified Wi-Fi CPE Management
Upgrading Wi-Fi CPEs in batches; delivering commands to Wi-Fi CPEs
• iMaster NCE-Campus can upgrade firmware of Wi-Fi CPEs in batches, deliver commands to them, and display command outputs.
Authentication component
Authentication Component Networking
Authentication components authenticate terminals as follows:
• When authentication components are installed, the southbound IP address of iMaster
NCE-Campus to which the authentication components connect is specified.
• After installation, the authentication components automatically send registration
requests to iMaster NCE-Campus to establish TCP persistent connections.
• iMaster NCE-Campus manages the authentication components based on their ESNs.
Upon the receipt of registration requests from the authentication components, iMaster
NCE-Campus verifies whether the ESNs of the authentication components exist. The
authentication components and iMaster NCE-Campus verify the certificates of each
other, and are connected after the verification succeeds.
• A tenant administrator configures authentication policies on iMaster NCE-Campus,
such as authentication rules, authorization rules, authorization results, online duration
and traffic policies, and guest accounts. iMaster NCE-Campus automatically
synchronizes these configurations to the authentication components through the data
synchronization channels.
• When delivering authentication configurations to devices, the tenant administrator can
configure the authentication components as Portal or RADIUS servers.
• When connecting to the network, an end user sends an authentication request to an
authentication component. After the authentication component verifies the user's
account, it authorizes the user and allows the user to go online.
• The authentication component reports online user information to iMaster NCE-
Campus. Then, the tenant administrator can view information about all online users on
iMaster NCE-Campus.
Authentication component
Authentication Component Application Scenario
• For an enterprise with multiple branches, an independent authentication component can be deployed for each branch, improving the rate and reliability of authentication at the branches.
• In the scenario where a large number of terminals initiate authentication requests at the same time and high reliability is required, authentication components can be deployed in active/standby and load balancing mode. In this case, if a single authentication component fails, authentication services are not affected, improving authentication reliability. Authentication components working in active/standby mode implement disaster recovery (DR) and thus ensure the continuity of authentication services.
Multi-level RADIUS relay
Multi-level RADIUS Relay
(Figure: hierarchical RADIUS relay servers by domain: *.cn (radiusRelayDis0) at the top; *.fdu.cn (radiusRelayDis1) and *.edu.cn (radiusRelayDis2) below it; *.guangxi.fdu.cn (radiusRelayDis3), *.hainan.edu.cn (radiusRelayDis4), and *.Jiangsu.edu.cn (radiusRelayDis5) at the lowest level. Example username: xiaoming.guangxi.fdu.cn.)
• To set up a hierarchical educational private network with multi-level RADIUS relay authentication, multiple copies of controllers can be deployed as RADIUS relay servers at different domain levels. As such, teachers can access the educational private network using the same account by connecting to RADIUS relay servers in different regions. (Eduroam scenarios)
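The hierarchy on this slide can be modelled as suffix matching on the realm part of the username. The following Python example (added here, not part of iMaster NCE-Campus) builds the relay table from the figure, finds the home relay for a user and lists the relays an authentication request traverses when the user connects in another region. The forwarding rule (climb to the first domain level that covers the realm, then descend to the most specific relay) and the realm-extraction convention are assumptions about how such a hierarchy is operated:

```python
from typing import Dict, List, Optional

# Domain pattern -> RADIUS relay server, constructed from the figure on this slide.
RELAY_TABLE: Dict[str, str] = {
    "*.cn": "radiusRelayDis0",
    "*.fdu.cn": "radiusRelayDis1",
    "*.edu.cn": "radiusRelayDis2",
    "*.guangxi.fdu.cn": "radiusRelayDis3",
    "*.hainan.edu.cn": "radiusRelayDis4",
    "*.Jiangsu.edu.cn": "radiusRelayDis5",
}


def _suffix(pattern: str) -> str:
    """'*.edu.cn' -> 'edu.cn'; domain matching is case-insensitive."""
    return pattern[2:].lower() if pattern.startswith("*.") else pattern.lower()


def realm_of(username: str) -> str:
    """Everything after the first dot: 'xiaoming.guangxi.fdu.cn' -> 'guangxi.fdu.cn' (assumed convention)."""
    return username.partition(".")[2].lower()


def matches(realm: str, pattern: str) -> bool:
    """True when the realm is the pattern's domain or lies below it."""
    s = _suffix(pattern)
    return realm == s or realm.endswith("." + s)


def home_pattern(username: str, table: Dict[str, str] = RELAY_TABLE) -> Optional[str]:
    """Most specific (longest-suffix) pattern covering the user's realm, or None if unserved."""
    realm = realm_of(username)
    candidates = [p for p in table if matches(realm, p)]
    return max(candidates, key=lambda p: len(_suffix(p))) if candidates else None


def home_relay(username: str, table: Dict[str, str] = RELAY_TABLE) -> Optional[str]:
    p = home_pattern(username, table)
    return table[p] if p else None


def parent_pattern(pattern: str, table: Dict[str, str] = RELAY_TABLE) -> Optional[str]:
    """The next domain level up: the longest other pattern that covers this one."""
    ups = [p for p in table if p != pattern and matches(_suffix(pattern), p)]
    return max(ups, key=lambda p: len(_suffix(p))) if ups else None


def forwarding_path(username: str, access_pattern: str,
                    table: Dict[str, str] = RELAY_TABLE) -> List[str]:
    """Relay servers traversed when the user authenticates at access_pattern's relay:
    climb to the first ancestor whose domain covers the user's realm, then descend
    to the user's home relay. An empty list means the realm is not served at all."""
    realm = realm_of(username)
    home = home_pattern(username, table)
    if home is None:
        return []
    path = [access_pattern]
    node = access_pattern
    while not matches(realm, node):            # climb until a domain covers the realm
        node = parent_pattern(node, table)
        if node is None:
            return []
        path.append(node)
    descent = []
    p = home
    while p != node:                           # walk up from home to that ancestor ...
        descent.append(p)
        p = parent_pattern(p, table)
    path.extend(reversed(descent))             # ... and append it in descending order
    return [table[p] for p in path]


if __name__ == "__main__":
    user = "xiaoming.guangxi.fdu.cn"
    print("home relay:", home_relay(user))
    print("roaming via *.hainan.edu.cn:", " -> ".join(forwarding_path(user, "*.hainan.edu.cn")))
```

A username without a served realm (no dot, or a domain outside the table) gets no home relay, which is where a controller would fall back to local authentication or reject the request rather than forward it upward indefinitely.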
Terminal plug-and-play
Terminal Identification for Terminal Plug-and-Play
Requirements & Challenges
• A higher education institution: terminal information collected by level-2 colleges; difficult and error-prone MAC address collection.
• An automobile enterprise: 10+ days; reported authentication faults; difficult to locate bogus terminals.
Built-in industry's most comprehensive terminal fingerprint database: 50+ terminal types (cameras, IP phones, printers, smart terminals, PCs, laptops, mobile phones, and more) are identified from the packets of terminal information they send.
(Figure, terminal lifecycle: Terminal identification (Who am I: terminal type, OS, ...) -> Authentication and authorization (What can I do: PCs/laptops can access the internal network; mobile phones can access the security zone) -> Traffic statistics collection (What have I done: traffic size, online duration, ...) -> Terminal anti-spoofing (I am replaced by a spoofed terminal: alarm, isolation).)
Terminal plug-and-play
Terminal Type Identification Based on Industry's Most Comprehensive Terminal Fingerprint Database
Identification method / Type / Technical description / Application scenario:
• Fingerprint database (industry's most comprehensive fingerprint database) / MAC OUI: The first three bytes of a MAC address represent the manufacturer. Applies to all terminals; this method can identify only terminal manufacturers.
• Information reporting / HTTP User-Agent: A browser's User-Agent string contains the manufacturer, terminal type, OS, browser type, and other information. Applies to mobile phones, tablets, PCs, workstations, and intelligent audio/video terminals (TV sticks).
• Information reporting / DHCP option: Some options in a terminal's DHCP packets can be used to classify terminals, for example, DHCP Options 55, 60, and 12. Applies to mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc.
• Information reporting / LLDP: Link Layer Discovery Protocol data units (LLDPDUs) carry terminal model information. Applies to IP phones, IP cameras, network devices, etc.
• Information reporting / mDNS: mDNS packets contain terminal model and service information. Applies to Apple devices, printers, IP cameras, etc.
• Proactive scanning / SNMP query: This method obtains identification information by querying device information-related objects among SNMP MIB objects. Applies to network devices and printers.
• Proactive scanning / Nmap: Nmap is used to scan the OS and services of terminals to obtain terminal model and OS information. Applies to PCs, workstations, printers, phones, IP cameras, etc.
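To show how the reporting-based methods in the table combine, the following Python example (added for this page; the fingerprint database, OUIs, option values and vendor names are constructed and are not entries from Huawei's database) classifies constructed terminal evidence from the MAC OUI, DHCP Options 55 and 60, the HTTP User-Agent and LLDP, letting the more specific sources override the manufacturer-only OUI lookup. The LLDP system-description format and the evidence ordering are assumptions:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed fingerprint database for illustration only.
OUI_DB: Dict[str, str] = {"AA-BB-CC": "ExampleCam", "DD-EE-FF": "PhoneCo", "11-22-33": "PrintWorks"}
DHCP_OPT60_DB: Dict[str, Tuple[str, str]] = {          # vendor class identifier prefix -> (type, OS)
    "MSFT 5.0": ("PC", "Windows"),
    "android-dhcp": ("Mobile phone", "Android"),
    "ExampleCam-IPC": ("IP camera", "Embedded Linux"),
}
DHCP_OPT55_DB: Dict[Tuple[int, ...], Tuple[str, str]] = {   # parameter request list -> (type, OS)
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): ("PC", "Windows"),
    (1, 3, 6, 15, 119, 252): ("Mobile phone", "iOS"),
}
UA_RULES: List[Tuple[str, Tuple[str, str]]] = [          # regex on User-Agent -> (type, OS)
    (r"iPhone", ("Mobile phone", "iOS")),
    (r"Android", ("Mobile phone", "Android")),
    (r"Windows NT", ("PC", "Windows")),
    (r"Macintosh", ("PC", "macOS")),
]
LLDP_MODEL = re.compile(r"Model:\s*([\w-]+)")            # assumed system-description layout


@dataclass
class Fingerprint:
    """Evidence reported for one terminal (constructed inputs)."""
    mac: str
    dhcp_option60: Optional[str] = None
    dhcp_option55: Optional[Tuple[int, ...]] = None
    dhcp_option12: Optional[str] = None      # hostname, kept for display only
    user_agent: Optional[str] = None
    lldp_sysdesc: Optional[str] = None


def oui_of(mac: str) -> str:
    """Normalise any MAC notation and return the first three bytes as 'AA-BB-CC'."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return "-".join(hexdigits[i:i + 2] for i in range(0, 6, 2))


def identify(fp: Fingerprint) -> Dict[str, object]:
    """Combine the sources; later (more specific) sources override earlier ones."""
    result: Dict[str, object] = {"manufacturer": "unknown", "type": "unknown",
                                 "os": "unknown", "model": "unknown", "evidence": []}

    def apply(source: str, **fields):
        result.update(fields)
        result["evidence"].append(source)

    vendor = OUI_DB.get(oui_of(fp.mac))
    if vendor:
        apply("MAC OUI", manufacturer=vendor)            # manufacturer only
    if fp.dhcp_option55 in DHCP_OPT55_DB:
        t, o = DHCP_OPT55_DB[fp.dhcp_option55]
        apply("DHCP option 55", type=t, os=o)
    if fp.user_agent:
        for pattern, (t, o) in UA_RULES:
            if re.search(pattern, fp.user_agent):
                apply("HTTP User-Agent", type=t, os=o)
                break
    if fp.dhcp_option60:
        for vci, (t, o) in DHCP_OPT60_DB.items():
            if fp.dhcp_option60.startswith(vci):
                apply("DHCP option 60", type=t, os=o)
                break
    if fp.lldp_sysdesc:
        m = LLDP_MODEL.search(fp.lldp_sysdesc)
        if m:
            apply("LLDP", model=m.group(1))
    return result


def is_unidentified(result: Dict[str, object]) -> bool:
    """Terminals whose type stays unknown are the ones reported for fingerprint learning."""
    return result["type"] == "unknown"


# Constructed evidence for four terminals.
SAMPLES = [
    Fingerprint("aa:bb:cc:12:34:56", dhcp_option60="ExampleCam-IPC",
                lldp_sysdesc="ExampleCam IPC Model: EC-200 fw 1.2"),
    Fingerprint("dd-ee-ff-00-00-01",
                user_agent="Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36"),
    Fingerprint("00:11:22:33:44:55", dhcp_option12="DESKTOP-01",
                dhcp_option55=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252)),
    Fingerprint("66:77:88:99:aa:bb"),
]

if __name__ == "__main__":
    for fp in SAMPLES:
        print(fp.mac, identify(fp))
```

The third sample shows why the OUI lookup alone is weak: the manufacturer stays unknown, yet the DHCP parameter request list still classifies the terminal. The fourth sample stays unidentified and would be the input to the AI fingerprint learning on the next slides.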
Terminal plug-and-play
Automatic Expansion of the Terminal Identification Fingerprint Database – On-Premises AI Fingerprint Learning
(Figure: NCE-Campus components (terminal identification, terminal fingerprint management, customized terminal fingerprint database, customized identification rule management, packet protocol extraction, key information extraction and terminal identification, BERT-NER mapping of character strings to identification results, model inference management) interwork with the NAIE platform (inference execution, model management, identification rule mining, mining model management). Steps: 1. Synchronize the model files to the NAIE platform. 2. Report the unknown terminal fingerprints. 3. Infer terminal fingerprints and mine the identification rules. 4. Report the fingerprint identification rules. 5. Check the fingerprint validity.)
BERT: proposed by the Google AI Research Institute, a mining algorithm that can be applied to natural language processing (NLP).
Integrated with the Network AI Engine (NAIE), NCE-Campus can infer fingerprints of unknown terminals. In addition, NCE-Campus mines the keywords in fingerprint data identified through HTTP User-Agent, DHCP option, and other methods to abstract new fingerprint rules based on the data model.
Terminal plug-and-play
Automatic Expansion of the Terminal Identification Fingerprint Database – Cloud-Premises Collaborative Fingerprint Learning
(Figure: on premises, NCE-Campus (terminal identification, terminal fingerprint management, terminal fingerprint database) collects fingerprints from devices; on the cloud, the NAIE (data lake, training platform with BERT model training, model evaluation, AI marketplace) performs fingerprint data import into the lake, fingerprint data labeling, rule mining, model training, model evaluation, and model publishing, operated by a fingerprint algorithm engineer (O&M personnel), and publishes to the Huawei Security Center (sec.huawei.com). Steps: 1. Report fingerprints of unknown terminals. 2. Report terminal fingerprints to the cloud. 3. Data labeling, training, evaluation, and publishing. 4. Send to Huawei Security Center (sec.huawei.com). 5. Manual or scheduled update of the terminal identification fingerprint database.)
Devices report terminal fingerprint data to NCE-Campus. Then NCE-Campus summarizes the unidentified terminal fingerprint data and reports the data to the NAIE on the cloud.
The NAIE on the cloud mines the keywords in the fingerprint data identified through HTTP User-Agent, DHCP option, and other methods to generate new fingerprint rules based on the data model. After being verified by professionals, the fingerprint data is sent to Huawei's fingerprint database.
NCE-Campus interconnects with Huawei's fingerprint database for real-time database updates.
Terminal plug-and-play
Automatic Expansion of the Terminal Identification Fingerprint Database – Cloud-Premises Collaborative Fingerprint Learning
• Tenant administrators enable the function of uploading the fingerprint data of unknown terminals to the cloud.
• Tenant administrators configure the function of manual or scheduled upgrade of the terminal fingerprint database.
Terminal plug-and-play
Anti-Unauthorized Network Access: Zero Unauthorized Access, Enhancing Network Security
Scenario description: Unauthorized network access is found in a project and the customer wants to protect the network.
(Figure: iMaster NCE-Campus handles unauthorized access identification, rule definition, and alarms and blocking; the network device side handles authentication or scanning and terminal information reporting, through information reporting and proactive scanning.)
Rule type / Description / Result:
• Whitelist: Only the whitelisted terminals are authorized. Other terminals including unidentified terminals are unauthorized. Result: all non-whitelisted terminals are unauthorized.
• Blacklist: Blacklisted terminals are unauthorized. Other terminals including unidentified terminals are authorized. Result: all blacklisted terminals are unauthorized and other terminals are authorized.
Identification method / Application scope / Details / Scheduled scanning:
• Terminal identification during authentication: Applies to authenticated terminals. Details: terminal information identification. Scheduled scanning: not required; authentication is triggered.
• Scheduled scanning: Applies to unauthenticated terminals. Details: Nmap- and SNMP-based scanning by IP address segment. Scheduled scanning: required; the scanning period can be set to once, daily, weekly, etc.
Processing method / Application scope / Description / Automatic or not / Later operations / Others:
• MAC address–based blocking: Applies to wireless/wired. Description: access blocking based on MAC addresses. Automatic: no, manual operations are required for batch processing. Later operations: cancel blocking. Others: when a terminal connects to a different access device upon its second-time access, an alarm is generated and the terminal access is blocked.
• Port shutdown: Applies to wired. Description: access blocking through port shutdown. Automatic: no, manual operations are required for batch processing. Later operations: cancel blocking; enabling it on the device configuration page. Others: when a terminal connects to a different access device upon its second-time access, only an alarm is generated and the terminal can access the network.
Terminal plug-and-play
Anti-Unauthorized Network Access: Implementing Access Control on Unauthorized Terminals After Terminal Identification
iMaster NCE-Campus defines rules for identifying unauthorized terminals, based on the terminal type, vendor, model, OS, and serial number. After the unauthorized terminal access control function is enabled, if an identified terminal matches an unauthorized terminal rule, the terminal's access is denied.
Access of unauthorized terminals can be blocked based on MAC addresses or by shutting down access ports.
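An added Python example (not product code) of the whitelist/blacklist semantics and the two blocking methods from the tables above. The rule format (attribute-value pairs over type, vendor, model, OS and serial number, with omitted attributes acting as wildcards), the terminal records and the function names are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

RULE_FIELDS = ("type", "vendor", "model", "os", "serial")   # attributes a rule may match on


@dataclass
class Terminal:
    """An identified (or unidentified) terminal; constructed records."""
    mac: str
    access: str                       # "wired" or "wireless"
    identified: bool = True
    type: str = "unknown"
    vendor: str = "unknown"
    model: str = "unknown"
    os: str = "unknown"
    serial: str = "unknown"


def rule_matches(rule: Dict[str, str], term: Terminal) -> bool:
    """Every attribute named in the rule must equal the terminal's (case-insensitive);
    attributes the rule omits act as wildcards."""
    return all(getattr(term, k).lower() == v.lower() for k, v in rule.items() if k in RULE_FIELDS)


def is_unauthorized(term: Terminal, mode: str, rules: List[Dict[str, str]]) -> bool:
    """Whitelist: only matching terminals are authorized and unidentified ones are not.
    Blacklist: only matching terminals are unauthorized and unidentified ones are allowed."""
    if not term.identified:
        return mode == "whitelist"
    matched = any(rule_matches(r, term) for r in rules)
    return (not matched) if mode == "whitelist" else matched


def blocking_action(term: Terminal, method: str) -> Optional[str]:
    """MAC address-based blocking applies to wired and wireless access; port shutdown
    applies to wired access only. None = the method cannot be applied to this terminal."""
    if method == "mac":
        return "block_mac"
    if method == "port_shutdown" and term.access == "wired":
        return "shutdown_port"
    return None


def on_reconnect_elsewhere(method: str) -> List[str]:
    """Second-time access through a different access device, per the table above:
    MAC-based blocking alarms and blocks again; port shutdown only alarms."""
    return ["alarm", "block"] if method == "mac" else ["alarm"]


def enforce(terminals: List[Terminal], mode: str, rules: List[Dict[str, str]],
            method: str) -> Dict[str, Optional[str]]:
    """Map each terminal's MAC to 'allow', a blocking action, or None (unauthorized but
    the chosen method does not apply, so only an alarm is possible)."""
    return {t.mac: (blocking_action(t, method) if is_unauthorized(t, mode, rules) else "allow")
            for t in terminals}


# Constructed whitelist: Windows PCs and one vendor's IP phones are the only authorized terminals.
WHITELIST = [{"type": "PC", "os": "Windows"}, {"type": "IP phone", "vendor": "ExampleVoice"}]
TERMINALS = [
    Terminal("aa-aa-aa-00-00-01", "wired", type="PC", os="Windows", vendor="LaptopCo"),
    Terminal("aa-aa-aa-00-00-02", "wireless", type="IP camera", os="Embedded Linux", vendor="ExampleCam"),
    Terminal("aa-aa-aa-00-00-03", "wired", identified=False),
]

if __name__ == "__main__":
    print("whitelist + MAC blocking :", enforce(TERMINALS, "whitelist", WHITELIST, "mac"))
    print("whitelist + port shutdown:", enforce(TERMINALS, "whitelist", WHITELIST, "port_shutdown"))
    print("blacklist of IP cameras  :", enforce(TERMINALS, "blacklist", [{"type": "IP camera"}], "mac"))
```

The unidentified terminal is the deciding case between the two modes: a whitelist blocks it, a blacklist lets it through, which is why the identification coverage on the previous slides matters for whichever mode is chosen.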
MDM Association Networking
(Figure: a mobile terminal, the AC, NCE-Campus, and an MDM server on the Internet. 0. An administrator configures the controller and an MDM server. 1. A terminal downloads an MDM app from the MDM server, installs it, and registers with the MDM server. 2. The MDM app periodically checks the terminal security status and reports the check result. 3. The terminal connects to the Wi-Fi network and initiates 802.1X authentication. 4. Query the terminal status from the MDM server. 5. Return the authentication result.)
1. An administrator configures interconnection between iMaster NCE-Campus and a mobile device management (MDM) server. iMaster NCE-Campus provides dedicated interfaces for interconnection with MDM systems from Ivanti and QI-ANXIN, respectively, and provides unified standard interfaces for interconnection with MDM servers from Leagsoft and Wonders Information.
2. The administrator configures the MDM server, API for querying information from the MDM server, and MDM authorization rules and results on iMaster NCE-Campus.
3. The administrator configures an MDM terminal security check policy on the MDM server.
4. A terminal downloads an MDM app from the MDM server, installs it, and uses this app to register with the MDM server. (MDM app downloading and installation must be considered during networking design. You can deploy a dedicated Huawei-Init SSID for terminals to download the MDM app by referring to the Huawei CloudCampus Wi-Fi networking solution.)
5. The terminal connects to the Wi-Fi network and initiates 802.1X authentication.
6. iMaster NCE-Campus interworks with the MDM server to proactively query terminal status or receive terminal status information through notifications sent by the MDM server. When authorizing the terminal, iMaster NCE-Campus invokes an API to query the status and information of a terminal, including whether the terminal has registered with the MDM server, whether the terminal is compliant, and the basic terminal information, from the MDM server based on the terminal MAC address. Alternatively, the MDM server invokes the synchronization API of iMaster NCE-Campus to synchronize terminal information to iMaster NCE-Campus. If the terminal is not compliant, iMaster NCE-Campus will match the terminal with the authorization result of MDM isolation and isolate the terminal. After authorization, iMaster NCE-Campus sends the authentication result (authentication success, MDM isolation, or authentication failure) to the WAC, and delivers the corresponding ACL, AAA user group, or VLAN based on the matching authorization result to limit the resources accessible to the terminal.
Terminal plug-and-play
Interconnection with HiSec Insight, Enhancing
Terminal Security Protection
Scenario description: In a project that requires high terminal security and has HiSec Insight deployed, configure
iMaster NCE-Campus to interwork with HiSec Insight to improve terminal security protection.
(Figure: terminal, access device, iMaster NCE-Campus, and HiSec Insight. 1. Checks terminal scores at an interval.
2. Sends terminal scores. 3. Checks terminal scores through an API. 4. Sends terminal scores. 5. The terminal
initiates authentication and an authentication request is sent. 6. The terminal has access to the network
successfully. iMaster NCE-Campus delivers control policies to allow network access only of compliant terminals
and disconnects a terminal if it is not compliant. MDM conditions are configured on iMaster NCE-Campus.)
Fundamentals
• Interconnect iMaster NCE-Campus with HiSec Insight.
• Configure an MDM condition for HiSec Insight, for example, a condition matching terminals whose scores are 92.
• Configure authentication and authorization rules to perform authentication and authorization based on the
MDM condition. If an access terminal matches the condition, it is allowed network access. If not, its access is
denied.
Prerequisites
• iMaster NCE-Campus can query terminal scores in batches from HiSec Insight at a specific interval.
• HiSec Insight synchronizes terminal score changes to iMaster NCE-Campus.
Terminal plug-and-play
Precise Authorization Based on Terminal Trust
Scores on HiSec Insight
1. Configure interconnection with HiSec Insight.
2. Configure an MDM condition based on terminal trust scores which are queried from HiSec Insight.
3. Apply the MDM condition to an authorization rule to implement precise terminal authorization.
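The authorization decision described on the three preceding slides (MDM compliance queried by terminal MAC address, plus a trust-score condition fed by HiSec Insight, resolving to authentication success, MDM isolation, or authentication failure with a matching VLAN/ACL) is modelled below as an added example. It is not iMaster NCE-Campus code; the MDM server and HiSec Insight stand-ins, the MAC addresses, scores, VLAN IDs and ACL names are constructed, and the score condition is treated as a minimum score, which the slide text does not state explicitly.

```python
"""Authorization rule with MDM conditions (added example, not iMaster NCE-Campus code).

Combines the two decisions described on the slides: the compliance status queried from
an MDM server by terminal MAC address, and the trust-score condition evaluated against
scores obtained from HiSec Insight. The MDM server, HiSec Insight, MAC addresses, scores,
VLAN IDs and ACL names below are constructed stand-ins for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Authentication results that the controller sends to the WAC (wording from the slide).
AUTH_SUCCESS = "authentication success"
MDM_ISOLATION = "MDM isolation"
AUTH_FAILURE = "authentication failure"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so lookups are independent of how the WAC formatted it."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MdmStatus:
    registered: bool
    compliant: bool


class FakeMdmServer:
    """Constructed stand-in for the MDM server's terminal query API."""

    def __init__(self, records: Dict[str, MdmStatus]):
        self._records = {normalize_mac(m): s for m, s in records.items()}

    def query(self, mac: str) -> MdmStatus:
        # A terminal the MDM server has never seen is neither registered nor compliant.
        return self._records.get(normalize_mac(mac), MdmStatus(False, False))


class FakeHiSecInsight:
    """Constructed stand-in for HiSec Insight score queries and score-change synchronization."""

    def __init__(self, scores: Dict[str, int]):
        self._scores = {normalize_mac(m): s for m, s in scores.items()}

    def score(self, mac: str) -> Optional[int]:
        return self._scores.get(normalize_mac(mac))   # None: no score known yet

    def update(self, mac: str, score: int) -> None:
        self._scores[normalize_mac(mac)] = score       # models a synchronized score change


@dataclass(frozen=True)
class AuthzDecision:
    result: str
    vlan: Optional[int]
    acl: Optional[str]


def authorize(mac: str, mdm: FakeMdmServer, insight: FakeHiSecInsight,
              min_score: int = 92) -> AuthzDecision:
    """Apply the authorization rule for one terminal.

    Unregistered terminals fail authentication. Registered terminals that are
    non-compliant, have no score yet, or score below the MDM condition match the
    'MDM isolation' result and receive the quarantine VLAN/ACL; the rest succeed.
    Treating the slide's score condition as a minimum is an assumption.
    """
    status = mdm.query(mac)
    if not status.registered:
        return AuthzDecision(AUTH_FAILURE, vlan=None, acl=None)
    score = insight.score(mac)
    if not status.compliant or score is None or score < min_score:
        return AuthzDecision(MDM_ISOLATION, vlan=999, acl="acl-mdm-quarantine")
    return AuthzDecision(AUTH_SUCCESS, vlan=100, acl="acl-employee")


if __name__ == "__main__":
    mdm = FakeMdmServer({"00:11:22:33:44:55": MdmStatus(True, True)})
    insight = FakeHiSecInsight({"0011.2233.4455": 95})
    print(authorize("00:11:22:33:44:55", mdm, insight))
    insight.update("00:11:22:33:44:55", 80)   # a synchronized score drop isolates the terminal next time
    print(authorize("00:11:22:33:44:55", mdm, insight))
```

The MAC normalization matters in practice because the WAC, the MDM server and the analytics platform rarely agree on a MAC address format; a lookup that fails on formatting alone would silently push a compliant terminal into isolation, or worse, let a query for an unknown terminal be answered by a stale record.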
Intelligent HQoS: User- and Application-based QoS Policies
User- and Application-based QoS Policies Guarantee
Experience of Key Users and Applications
Requirements & Challenges
① QoS policies are ineffective for video services.
② (Example) Building monitoring scenario: An increase in wireless video services leads to excessive
occupation of bandwidth resources, so that downlink congestion occurs in some scenarios.
③ Native WAC and standalone WAC support large buffer and four levels of queues. The S12700E supports a
40 x 25GE card and a 4 GB buffer. The AirEngine 9700-M supports a 512 MB buffer.
Two-level scheduling: user queue and application queue.
• Define who are VIP users.
• Define application priorities.
Constraints:
• Tunnel forwarding mode is required for wireless networks.
• Only 40 x 25GE cards on the S12700E support HQoS. In addition, the S5731/32-H provides a 25Gbit/s uplink
bandwidth.
• It is recommended that the proportion of VIP users be no more than 10%.
• Application scheduling templates need to be created on the WAC's web system.
Specifications:
• The S12700E supports 16,000 VIP users on one board, while the AirEngine 9700-M supports 1800 users on
one board.
• A maximum of 31 application scheduling templates can be configured on NCE-Campus.
(Figure: video surveillance cameras, VIP users, and other users sharing the downlink.)
Intelligent HQoS: Native WAC/Standalone WAC: FQ +
SQ + GQ + DP, 4-Level Queue
Priority-based traffic scheduling for each application and user and four-level queues for traffic buffering and shaping,
implementing refined management and control.
• Flow Queue (FQ): priority-based traffic scheduling and shaping for each application.
• Subscriber Queue (SQ): priority-based traffic scheduling for each subscriber.
• AP Queue (GQ): traffic shaping on each AP.
• Port Shaping (DP).
(Figure: example queue hierarchy)
FQ (application queues of VIP user 1):
Application 1   2 MB queue    CS7   PQ
Application 2   2 MB queue    CS6   PQ
Application 3   2 MB queue    EF    PQ
Application 4   15 MB queue   AF4   DRR: 15
Application 5   15 MB queue   AF3   DRR: 15
Application 6   30 MB queue   AF2   DRR: 10
Application 7   40 MB queue   AF1   DRR: 10
Application 8   30 MB queue   BE    DRR: 10
SQ: VIP user 1 (SQ 1) and VIP user 2 (SQ 2, bypass); common users 3, 4, and 5 form a common user group (SQ 3) with a
maximum traffic shaping value. Queues are scheduled by SP and DRR (1:1).
GQ: GQ 1 shapes AP 1 (VIP user 1, common users 3 and 4) at 300 MB; GQ 2 shapes AP 2 (VIP user 2, common user 5) at 200 MB.
DP: DP 1 applies port shaping.
Switches and WACs support multi-level queue scheduling through large buffers.
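A scheduling model of the FQ/SQ/GQ hierarchy on the slide above, added here as an example (it is not WAC or switch code): per-application flow queues are served by strict priority first and then by DRR in proportion to their weights, VIP subscriber queues are served ahead of a shaped common-user group, and the AP's GQ shaping value bounds everything served through that AP in a round. Queue names, DRR weights, packet sizes, the per-round quantum and the shaping values are constructed for the example.

```python
"""Two-level HQoS scheduling model (added example, not WAC or switch code).

Level 1 (FQ): per-application flow queues. PQ queues are drained first; DRR queues
then share what is left in proportion to their weights (the slide's DRR: 15/15/10/10/10).
Level 2 (SQ/GQ): VIP subscriber queues are served first and bypass the common-user
shaping value; common users share one shaped group. The AP (GQ) shaping value bounds
everything served through that AP in a round. All values are constructed.
"""
from collections import deque
from dataclasses import dataclass, field

QUANTUM = 1000   # bytes of DRR credit per weight unit per round (assumed)


@dataclass
class FlowQueue:
    name: str
    phb: str            # CS7, EF, AF4, BE ... as labelled on the slide
    mode: str           # "PQ" or "DRR"
    weight: int = 0     # DRR weight; ignored for PQ
    packets: deque = field(default_factory=deque)   # packet sizes in bytes, FIFO
    deficit: int = 0    # DRR deficit counter carried between rounds

    def enqueue(self, *sizes: int) -> None:
        self.packets.extend(sizes)


def serve_flow_queues(queues, budget):
    """One FQ round within a byte budget. Returns (sent, remaining_budget).

    PQ queues are served in list order until empty or the budget is exhausted; DRR
    queues then each earn weight*QUANTUM credit and send while credit and budget allow.
    """
    sent = []
    for q in queues:
        if q.mode == "PQ":
            while q.packets and q.packets[0] <= budget:
                size = q.packets.popleft()
                budget -= size
                sent.append((q.name, size))
    for q in queues:
        if q.mode != "DRR":
            continue
        if not q.packets:
            q.deficit = 0        # idle queues do not accumulate credit
            continue
        q.deficit += q.weight * QUANTUM
        while q.packets and q.packets[0] <= q.deficit and q.packets[0] <= budget:
            size = q.packets.popleft()
            q.deficit -= size
            budget -= size
            sent.append((q.name, size))
    return sent, budget


@dataclass
class Subscriber:
    name: str
    vip: bool
    queues: list
    max_bytes: int = 0   # common-user shaping value per round; VIPs bypass it


@dataclass
class AccessPoint:
    name: str
    shaping_bytes: int   # GQ shaping value per round
    subscribers: list


def serve_ap(ap: AccessPoint) -> dict:
    """SQ/GQ round: VIP subscribers first (strict priority), then shaped common users.
    Returns the bytes sent per subscriber in this round."""
    remaining = ap.shaping_bytes
    sent_by_sub = {}
    for sub in sorted(ap.subscribers, key=lambda s: not s.vip):
        cap = remaining if sub.vip else min(remaining, sub.max_bytes)
        sent, left = serve_flow_queues(sub.queues, cap)
        remaining -= cap - left
        sent_by_sub[sub.name] = sum(size for _, size in sent)
    return sent_by_sub


def build_demo_ap() -> AccessPoint:
    """Constructed topology: one VIP and one common user on an AP shaped to 30,000 bytes per round."""
    vip_q = [FlowQueue("Application 1", "CS7", "PQ"), FlowQueue("Application 4", "AF4", "DRR", 15)]
    vip_q[0].enqueue(8000, 8000)
    vip_q[1].enqueue(5000, 5000)
    common_q = [FlowQueue("Application 8", "BE", "DRR", 10)]
    common_q[0].enqueue(5000, 5000, 5000)
    return AccessPoint("AP 1", 30000, [
        Subscriber("Common user 3", vip=False, queues=common_q, max_bytes=10000),
        Subscriber("VIP user 1", vip=True, queues=vip_q),
    ])


if __name__ == "__main__":
    ap = build_demo_ap()
    print(serve_ap(ap))   # VIP traffic fills the AP budget first
    print(serve_ap(ap))   # next round the common user is served within its shaping value
```

Running the two rounds shows why the slide recommends keeping VIP users below 10% of the population: a VIP subscriber is served before the common group and is not bounded by the group's shaping value, so the only thing that protects common users from VIP bursts is the AP-level shaping value and the number of VIPs behind it.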
Intelligent HQoS: Service/User Priority-based
Scheduling on Wireless Networks
• User group–based scheduling: bandwidth is allocated between VIP users and common users, and services of
high-priority users are preferentially scheduled.
• Air interface slicing-based scheduling (VR services in the figure): air interface slicing reduces the transmission
latency to 10 ms.
• Application-based scheduling: application bandwidth is allocated among voice services, video services, and web
services.
VIP Access Assurance: Prioritized VIP User Access
As is:
1. When the number of access users reaches the upper limit, the access of VIP users cannot be guaranteed.
2. Extra devices are deployed in areas where VIP users are located, increasing costs.
VIP users compete with common users for resources, and the access of VIP users cannot be prioritized.
To be:
1. The access of VIP users is prioritized in high-density campus office scenarios.
2. No extra devices are required, reducing costs.
1. Authenticate and authorize users as VIP users, and enable radio and SSID guarantee for VIP users.
2. Adjust the EDCA parameters on the AP to change the packet exchange priority on air interfaces to ensure the
access of VIP users.
(Figure: common users and VIP users in the as-is and to-be scenarios.)
EDCA: Enhanced Distributed Channel Access
Bandwidth Reservation for VIP Users: Guaranteeing
Sufficient Bandwidth
Requirements & Challenges
(Example) Conference room scenario: With a sharp increase of users, office terminals preempt air interface
resources, deteriorating wireless experience of conference terminals. (Random swarm traffic from other office
terminals competes with the conference terminal.)
• Define who are VIP users.
• Define the percentage of bandwidth to be reserved for VIP users.
Percentage of bandwidth to be reserved for VIP users: 20% in the figure (OFDMA spectrum resource reservation
for VIP users on a Wi-Fi 6 AP).
On-demand bandwidth reservation:
• When no VIP user is connected to an AP, no bandwidth is reserved.
• Sufficient bandwidth resources are reserved for VIP users.
(Figure: VIP user: conference terminal; common users: other office terminals.)
Free mobility
Free Mobility – User Group–based Access Control
(Figure: Define security groups >> Define inter-group policies >> NETCONF/YANG.)
Free mobility
Free Mobility – Anytime and Anywhere Access with
Consistent Permission
Username | User Group | Access Mode | Access Location | Access Duration | Security Group | Access Permission
Mark | Department of Physics | Wired | Dormitory | 8:00 to 22:00 | Security group 1 | Scientific research resources, Internet, and material sharing
Joy | Economic Research Institute | Wired | Office area | All day | Security group 2 | Scientific research resources, Internet, OA, management, and materials
Terry | Other university | Wired/Wireless | Anywhere | 8:00 to 18:00 | Security group 3 | Public material sharing
Jim | Principal | Wired/Wireless | Administrative building | All day | Security group 4 | All
1. Configure and deliver security groups and inter-group control policies to the entire network.
2. Authenticate users who attempt to access the network.
3. Map users to security groups based on 5W1H conditions and deliver the mapping entries to devices.
4. Control user access permissions (permit or deny).
(Figure: campus network with WAN/Internet and DC/Internet egresses.)
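The mapping step (3) and the policy-control step (4) above, as an added example that is not controller code: the table's rows become 5W1H mapping rules (user group, access mode, location, time window), a user's authentication context is mapped to a security group, and a constructed inter-group policy decides permit or deny. First-match rule evaluation, the resource-group names, and default deny for users that match no rule are assumptions made for the example.

```python
"""Security-group mapping from 5W1H conditions and an inter-group policy check
(added example, not iMaster NCE-Campus code). The mapping rules reproduce the
slide's table; the policy matrix, resource names, first-match evaluation and the
default-deny behaviour are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class MappingRule:
    user_group: str
    access_modes: frozenset      # subset of {"Wired", "Wireless"}
    location: str                # "Anywhere" matches every location
    start: time                  # access duration window (inclusive)
    end: time
    security_group: str


ALL_DAY = (time(0, 0), time(23, 59, 59))
ANY_MODE = frozenset({"Wired", "Wireless"})

# Rows of the slide's table expressed as mapping rules (evaluated first match wins).
RULES = [
    MappingRule("Department of Physics", frozenset({"Wired"}), "Dormitory",
                time(8), time(22), "Security group 1"),
    MappingRule("Economic Research Institute", frozenset({"Wired"}), "Office area",
                *ALL_DAY, "Security group 2"),
    MappingRule("Other university", ANY_MODE, "Anywhere", time(8), time(18), "Security group 3"),
    MappingRule("Principal", ANY_MODE, "Administrative building", *ALL_DAY, "Security group 4"),
]

# Assumed inter-group policy: security group -> resource groups it may reach ("*" = all).
INTER_GROUP_POLICY = {
    "Security group 1": {"research-resources", "internet", "material-sharing"},
    "Security group 2": {"research-resources", "internet", "oa", "management", "materials"},
    "Security group 3": {"public-material-sharing"},
    "Security group 4": {"*"},
}


@dataclass(frozen=True)
class AccessContext:
    """Who / how / where / when, as known once the user has authenticated."""
    user_group: str
    access_mode: str      # "Wired" or "Wireless"
    location: str
    now: time


def map_security_group(ctx: AccessContext) -> Optional[str]:
    """Return the first matching rule's security group, or None when no rule matches."""
    for rule in RULES:
        if rule.user_group != ctx.user_group or ctx.access_mode not in rule.access_modes:
            continue
        if rule.location != "Anywhere" and rule.location != ctx.location:
            continue
        if not (rule.start <= ctx.now <= rule.end):
            continue
        return rule.security_group
    return None


def is_permitted(ctx: AccessContext, resource_group: str) -> bool:
    """Policy control: permit only when the mapped group's policy allows the resource group.
    A user with no security group is denied (assumed default)."""
    group = map_security_group(ctx)
    if group is None:
        return False
    allowed = INTER_GROUP_POLICY.get(group, set())
    return "*" in allowed or resource_group in allowed


if __name__ == "__main__":
    mark = AccessContext("Department of Physics", "Wired", "Dormitory", time(10, 30))
    print(map_security_group(mark), is_permitted(mark, "internet"), is_permitted(mark, "oa"))
```

Because the security group, not the IP address, is what the inter-group policy references, the same user keeps the same permission whichever access switch or AP they arrive through, which is the point of the slide title; the time-window and location conditions are what stop that consistency from becoming "anywhere, any time".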
Network Service Configuration Overview
One of the key features of iMaster NCE-Campus is to provide the configuration and
management functions for cloud managed devices, including APs, WACs (WACs and cloud APs
cannot be deployed together at a single site), ARs, FWs, and SWs. For details about the
supported device models, refer to the device mapping table in the related product
documentation.
Intent-driven Orchestration (1/2) – Solution
Package Creation
• On the iMaster NCE-Campus homepage, click Intent-Driven Deployment and create solution packages on the
Intent-driven Orchestration page.
Intent-driven Orchestration (2/2) – Solution
Package Import
• On the iMaster NCE-Campus homepage, click Intent-Driven Deployment and execute the solution packages created in the
preceding step. In addition, parameter values can be set as needed during solution package execution.
Scenario-specific Deployment (1/4)
• On the iMaster NCE-Campus homepage, click the advanced feature Intent-Driven Deployment. On the
displayed page, click Intent-Driven Deployment > Scenario-specific Deployment to create a scenario
template.
Scenario-specific Deployment (2/4)
• In the scenario template, set networking parameters, plan a network topology, and configure wireless services.
Scenario-specific Deployment (3/4)
• Click Advanced Settings to configure DNS and perform network settings.
Scenario-specific Deployment (4/4)
• Create a site to which the scenario template is to be applied, and click Deploy to deploy the site. After
deployment is completed, you can view deployment details.
Template Hierarchy: Improved Configuration Efficiency
of Similar Site Parameters
Scenario description: There are several sites on different hierarchies. A large number of partially identical
configurations and many different customized configurations exist on different hierarchies. As such, the
configuration efficiency needs to be improved.
Improving one-time configuration efficiency
• Site configurations: After the local site configurations are modified, the configurations of other sites will
not be affected.
• Local site template: After a local site template is modified, the configurations of all sites bound to the
template will be modified in batches.
• Upper-level site template: After a parent template is modified, the configurations of all child templates will
be modified.
Priority: upper-level site template < local site template < site configurations
Template Hierarchy: Child Templates Can Inherit
Configurations from Parent Templates or Have
Customized Configurations
A child template can inherit the configurations of its parent template and allow users to customize
configurations as needed.
• Parent template: An SSID for secure networks is configured in the parent template.
• Child template: A child template can inherit the SSID configuration from its parent template (inherited),
and allow users to modify the inherited configuration or configure a new SSID as needed (customized).
Template Hierarchy: Sites Inherit Configurations from
Site Templates or Have Configuration Customized
Sites can use configurations inherited from templates, or have customized ones.
• Template configuration: Configure an SSID for secure networks in a site template.
• Customized site configuration: After having the template applied, a site can inherit the SSID configuration
from the template (inherited). Alternatively, users can modify the inherited configuration, or configure a
new SSID as needed (customized).
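The three template-hierarchy slides describe a layered configuration with the priority upper-level site template < local site template < site configurations, where each layer inherits what it does not restate. The example below, added here and not part of the product, resolves that hierarchy for a site and marks each SSID as inherited or customized; it also shows that a parent change propagates to every bound site while a site-level change stays local. The SSID names and settings are constructed.

```python
"""Template-hierarchy configuration resolution (added example, not product code).

Priority from the slides: upper-level site template < local site template < site
configurations. Every layer maps SSID name -> settings. A lower-priority layer's SSIDs
are inherited unless a higher layer restates (customizes) a setting or adds a new SSID.
SSID names and settings are constructed for the example.
"""


def resolve(layers):
    """Merge configuration layers listed from lowest to highest priority.

    layers: list of (layer_name, {ssid: {setting: value}}).
    Returns (effective, status): effective is the merged config per SSID; status says,
    from the top layer's point of view, whether each SSID is 'inherited' (last changed
    by a lower layer) or 'customized' (changed or added by the top layer itself).
    """
    effective, last_changed = {}, {}
    for layer_name, layer in layers:
        for ssid, settings in layer.items():
            base = effective.get(ssid, {})
            merged = {**base, **settings}      # restated keys override, the rest inherit
            if merged != base:                 # restating identical values is not a customization
                effective[ssid] = merged
                last_changed[ssid] = layer_name
    top = layers[-1][0]
    status = {ssid: ("customized" if src == top else "inherited")
              for ssid, src in last_changed.items()}
    return effective, status


class SiteTemplateTree:
    """Parent template -> local site templates -> bound sites, re-resolved on every read,
    so a parent change reaches all children and a site change stays local."""

    def __init__(self, parent):
        self.parent = parent        # upper-level site template
        self.local_templates = {}   # name -> settings per SSID
        self.sites = {}             # site name -> (local template name, site configurations)

    def add_local_template(self, name, config):
        self.local_templates[name] = config

    def bind_site(self, site, local_template, site_config=None):
        self.sites[site] = (local_template, site_config or {})

    def effective(self, site):
        local_name, site_config = self.sites[site]
        return resolve([("upper-level site template", self.parent),
                        ("local site template", self.local_templates[local_name]),
                        ("site configurations", site_config)])


def build_demo():
    """Constructed hierarchy: one parent, one local template customizing the VLAN, two sites."""
    tree = SiteTemplateTree({"secure": {"security": "WPA2-Enterprise", "vlan": 10}})
    tree.add_local_template("campus-A", {"secure": {"vlan": 20}})
    tree.bind_site("site-A1", "campus-A")
    tree.bind_site("site-A2", "campus-A", {"guest": {"security": "open", "vlan": 30}})
    return tree


if __name__ == "__main__":
    tree = build_demo()
    print(tree.effective("site-A1"))
    print(tree.effective("site-A2"))
```

A practical consequence of the priority order worth checking before rolling out a hardening change: a security setting tightened in the parent template only reaches sites that have not customized that same setting at a lower layer, so the status map is what tells you which sites will silently keep the old value.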
Virtualized Fabric Campus Networks
Campus Virtual Extensible LAN (VXLAN) uses the overlay virtualization technology to bear multiple virtual networks
(VNs) in a unified manner and supports flexible service deployment. Tenant administrators are responsible for VN
setup and service provisioning. The iMaster NCE-Campus VXLAN solution brings the following benefits:
1. VN automation:
• Supports automatic provisioning of VNs on the overlay network and a large Layer 2 network covering campuses
and branches, and supports the BGP-EVPN control plane.
• Divides a physical campus network into VNs vertically and horizontally.
• Supports multi-tenant management mode on campus networks.
• Supports IPv6 access.
2. Abundant egress capabilities:
• Supports external networks with different egress types, including Layer 3 shared egress, Layer 2 shared egress,
and Layer 3 exclusive egress.
• Supports one border node at the egress.
• Supports multiple border nodes at the egress, working in active/standby or load balancing mode. This feature is
available only on a VXLAN with distributed gateways.
• Supports NQA and monitoring groups to ensure egress reliability.
3. Unified automated authentication for wired and wireless access:
• Supports automated orchestration of secure access during VN configuration.
• Supports seamless integration of wired and wireless access (wireless access needs to be pre-planned).
4. Unified topology-based O&M:
• Displays physical topologies and monitors NEs and ports.
• Displays logical topologies of VNs.
(Figure: iMaster NCE-Campus, HiSec Insight, and CampusInsight above the fabric. The fabric domain (overlay) contains
the routing node, FW node, fabric border node, fabric transparent node, and fabric edge node connected by VXLAN;
the access domain (underlay network) contains wired and wireless access nodes.)
Underlay Route Automation
Underlay route automation is supported in the following networking modes:
• Tree networking
• Ring networking for border and transparent nodes
• Ring networking for edge nodes
(Figure: the three topologies, built from border nodes, transparent nodes, edge nodes, and extended nodes.)
Virtualized Fabric Campus Networks
(Figure: network administrator, iMaster NCE-Campus, border node, edge node, access switch, and user.)
1. The network administrator creates VNs and subnets.
2. Provision VNs and deliver VLAN, VXLAN, DHCP, and static routing configurations.
3. Create security groups and corresponding inter-group policies.
4. Deliver security groups and inter-group policies.
5. The user sends an authentication request for network access and performs 802.1X authentication.
6. Perform RADIUS authentication.
7. Send a message indicating that authentication succeeds. The message also carries information about the security
group and authorization VLAN.
8. Deliver authorization VLAN information to the access switch to allow the user to access the network.
9. Enable the 802.1X authentication port and deliver authorization VLAN information, so that the user can go online
and access the network.
10. Perform policy control based on security groups.
Network Service Configuration Summary
• Only the most frequently used configurations are described here. Other configurations are
similar.
• Configurations can be performed specific to a site or device type.
• Configurations specific to a site take effect on all devices at the site.
• Configurations specific to a device type take effect on devices only of this device type at the
current site.
• Besides basic site and device configurations, iMaster NCE-Campus supports quick deployment
driven by intents or specific to scenarios.
• iMaster NCE-Campus supports automated configuration of virtual networks on VXLAN
networks.
Device Plug-and-Play Overview
• The device plug-and-play function simplifies management and configuration of devices
on traditional networks. To implement the plug-and-play function, the following tasks
must be completed in advance:
▫ Upload licenses to the controller.
▫ Add devices to the controller (or discover devices by using ESN-free deployment).
▫ Configure network services on the controller based on network plans.
▫ Connect devices to the Internet. You can either connect devices to a gateway that has access
to the Internet or configure device WAN interfaces on the device web system.
Device Plug-and-Play – Deployment Through the
Registration Center
• Scenario Description
▫ Purpose: Simplify the operations to implement plug-and-play of cloud managed devices if no ICT professionals
are available.
▫ Participant: Tenant administrators, installation engineers, and commissioning engineers.
▫ Prerequisites: The MSP administrator has created tenants. iMaster NCE-Campus is working properly, and cloud
managed devices have been delivered to the target site.
▫ Results:
▪ Expected result: Cloud managed devices are successfully managed, and services are running properly on the
devices.
▪ Fault handling suggestion: If a cloud managed device cannot be started, it is recommended that this cloud
managed device be replaced.
(Figure: the registration center synchronizes device ESNs to NCE-Campus and WLAN Planner planning files are
imported; the tenant administrator selects a site and records device installation locations; the installation
and commissioning engineer uses the CloudCampus APP for deployment by scanning barcodes, single-point
acceptance, roaming acceptance, and network-wide acceptance.)
Device Plug-and-Play – DHCP-based Deployment
• Scenario Description
▫ Purpose: Simplify the operations to implement plug-and-play of cloud managed devices if no ICT professionals
are available.
▫ Participant: Tenant administrators, installation engineers, and commissioning engineers.
▫ Prerequisites: The MSP administrator has created tenants. iMaster NCE-Campus is working properly, and cloud
managed devices have been delivered to the target site.
▫ Results:
▪ Expected result: Cloud managed devices are successfully managed, and services are running properly on the
devices.
▪ Fault handling suggestion: If a cloud managed device cannot be started, it is recommended that this cloud
managed device be replaced.
(Figure: WLAN Planner planning files are imported into NCE-Campus; a DHCP option is configured to carry the
controller information; the tenant administrator selects a site and records device installation locations; the
installation and commissioning engineer uses the CloudCampus APP for deployment by scanning barcodes,
single-point acceptance, roaming acceptance, and network-wide acceptance.)
Device Plug-and-Play – ESN-Free Deployment
Scenario description: A myriad of devices at branch sites need to access the network. The administrator wants to
reduce ESN recording to improve deployment efficiency.
ESN-free deployment 1.0 (LLDP-based scanning):
① Root device (gateway) configuration and going online. The administrator approves the discovered neighboring
devices to go online.
② ④ ⑥ LLDP-based neighboring device discovery (first layer, second layer, and so on, with APs at each layer).
③ ⑤ ⑦ Device ESN obtainment, registration, and onboarding.
ESN-free deployment 2.0 (DHCP-based deployment):
1. Generate a token.
2. Configure the root device (gateway) to go online and configure it as a DHCP server. Add the token
configurations to DHCP option 148.
3. Obtain the address of iMaster NCE-Campus and the token to perform DHCP-based deployment.
4. Send a registration request with the token to iMaster NCE-Campus to go online.
5. Verify the token and allow the device to go online.
Constraints (1.0):
• ARs can function as root devices. Their neighboring devices, including switches, ARs, and APs, can be
discovered, but not firewalls.
• Devices can be scanned only layer by layer while automatic network-wide scanning is not supported.
Improvements (2.0):
• LSWs, ARs, and firewalls can function as root devices.
• LSWs and APs support automatic network-wide access.
Device Plug-and-Play 1.0 – ESN-Free Deployment
• Scenario description
▫ Purpose: ESN information is not available on the live network. As such, device ESNs are imported through barcode scanning, which has low
efficiency. With ESN-free deployment 1.0, devices directly connected to a root device are automatically added to the controller. As such, other
devices on the live network are scanned layer by layer and then added to the controller.
▫ Participant: Tenant administrators, installation engineers, and commissioning engineers
▫ Prerequisites: The MSP administrator has created tenants, iMaster NCE-Campus is working properly, and cloud managed devices have been
delivered to the target site.
ESN-Free Deployment 2.0: Automatic Network-Wide
Scanning, Improving Deployment Efficiency
(Figure callouts: Devices are discovered automatically and can be added to the site after being approved.
ESN-free is enabled during site creation. Then the site generates a random site code.)
• Scenario description
▫ Purpose: Compared with 1.0, ESN-free deployment 2.0 does not need to scan devices layer by layer. Specifically, the controller delivers a site code to
devices at the site to be deployed through DHCP packets. As such, when a root device at the site is added to the controller, other devices at the site can
be added automatically, free of ESNs. In addition, the approval function is provided.
▫ Participants: Tenant administrators, installation engineers, and commissioning engineers
▫ Prerequisites: The MSP administrator has created tenants, iMaster NCE-Campus is working properly, and cloud managed devices have been delivered to
the target site.
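The token flow of ESN-free deployment 2.0 (the site generates a random site code, the root device carries the controller address and the token in DHCP option 148, a device registers with the token, and the controller verifies it before the device is approved) is worked through below as an added example; it is not device or controller code. The key=value layout of the option value, the token size, the expiry, and the approve-before-onboarding workflow are assumptions made for the example, and the controller address and ESNs are constructed placeholders.

```python
"""Token handling for ESN-free deployment 2.0 (added example, not device or controller code).

The slides state that the site generates a random site code (token), the root device
carries the token and the iMaster NCE-Campus address in DHCP option 148, a device sends
a registration request with the token, and the controller verifies the token before the
device is approved and goes online. The option's key=value text layout, the token size,
the expiry and the approval workflow below are assumptions made for this example.
"""
import hmac
import secrets
import time
from typing import Optional

OPTION_SITE_TOKEN = 148
OPTION_END = 0xFF
OPTION_PAD = 0


def issue_site_token(site: str, ttl_seconds: int = 3600, now: Optional[float] = None):
    """Controller side: a 128-bit random site code plus the metadata needed to verify it later."""
    issued = time.time() if now is None else now
    return secrets.token_hex(16), {"site": site, "expires": issued + ttl_seconds}


def encode_option148(controller: str, token: str) -> bytes:
    """Root device side: build the raw TLV for option 148 (assumed 'controller=...;token=...' value)."""
    value = f"controller={controller};token={token}".encode("ascii")
    if len(value) > 255:
        raise ValueError("option value exceeds the one-byte DHCP option length")
    return bytes([OPTION_SITE_TOKEN, len(value)]) + value


def parse_dhcp_options(raw: bytes) -> dict:
    """Walk a DHCP option list (code, length, value triples) into {code: value}.
    Pad bytes have no length field; the 0xFF end marker stops parsing; truncation is an error."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def extract_registration(raw: bytes):
    """Device side: (controller address, token) from option 148, or None if absent or malformed."""
    value = parse_dhcp_options(raw).get(OPTION_SITE_TOKEN)
    if value is None:
        return None
    fields = dict(item.split("=", 1)
                  for item in value.decode("ascii", "replace").split(";") if "=" in item)
    if "controller" not in fields or "token" not in fields:
        return None
    return fields["controller"], fields["token"]


class TokenRegistry:
    """Controller side: tokens issued per site, devices awaiting approval, onboarded devices."""

    def __init__(self):
        self._tokens = {}     # token -> {"site", "expires"}
        self.pending = {}     # ESN -> site, awaiting administrator approval
        self.onboarded = {}   # ESN -> site

    def add(self, token: str, meta: dict) -> None:
        self._tokens[token] = meta

    def verify(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return the site the token belongs to, or None if the token is unknown or expired."""
        now = time.time() if now is None else now
        for token, meta in self._tokens.items():
            # constant-time comparison: no early exit on the first differing character
            if hmac.compare_digest(token.encode(), presented.encode()) and now < meta["expires"]:
                return meta["site"]
        return None

    def register(self, esn: str, presented: str, now: Optional[float] = None) -> str:
        """Registration request: a valid token only earns a place in the approval queue."""
        site = self.verify(presented, now)
        if site is None:
            return "rejected"
        self.pending[esn] = site
        return "pending approval"

    def approve(self, esn: str) -> str:
        """Administrator approval moves the device from pending to onboarded (slide: 'after being approved')."""
        site = self.pending.pop(esn)
        self.onboarded[esn] = site
        return site
```

Two defensive details are deliberate here. The token is compared in constant time and has an expiry, because anything learnable from a DHCP offer on the site LAN must not remain valid indefinitely; and a valid token only places the device in the pending list, matching the slide's approval step, so that the administrator, not the DHCP server, decides which discovered devices join the site.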
PON management
POL Campus Networking
• A passive optical LAN (POL) is a flat access network that uses the PON technology, and consists of OLTs, ONUs,
and a passive optical distribution network (ODN).
• Campus deployment modes and applicable scenarios
(Figure: IP networking: NCE-Campus, core switch with WAC, aggregation switch, access switch, and access
terminals (IPC, PC, AP). POL networking: NCE-Campus, OLT, ODN with optical splitter and drop fibers, and three
access options: 1 access switch or SFP ONU; 2 SFP ONU; 3 ONU/ONT connecting PCs, APs, phones, and IPCs.)
PON management
POL Device Management
• The controller can manage POL devices in a centralized manner and allows users to manually add OLTs.
Click Add Device > Add on
the Device tab page of the
Device Management page
to add devices.
The device list displays basic
information about IP devices
(switches and APs) and PON
devices (OLTs and ONUs).
PON management
Adding OLTs
• OLTs can be added to the controller for management through SNMP.
Currently, OLTs can be managed only
through SNMP. Therefore, you need
to select the SNMP protocol when
adding an OLT.
To distinguish PON devices from
traditional network devices, you need
to click the PON Device tab when
adding an OLT and enter the IP address
and SNMP parameters.
PON management
360 Monitoring - OLT
• The controller can display OLT resources and status information in a centralized manner, helping users
learn the resource status at any time.
Click Synchronize to synchronize
the latest data from OLTs, such
as information about Ethernet
ports, GPON ports, and ONUs.
Click an OLT name to go
to the OLT details page.
PON management
360 Monitoring - ONU
• The controller can display ONU resources and status information in a centralized manner, helping users
learn the resource status at any time.
Click WLAN Configuration Import to set Wi-Fi parameters for ONUs in batches.
Click ONU Alias Configuration to import ONU aliases in batches, facilitating subsequent ONU maintenance.
Click an ONU name to go to the ONU details page.
PON management
OLT Details
• The controller can display OLT details, including basic OLT information, resource overview, and KPIs.
Displays basic OLT
information, including the
OLT status, IP address, MAC
address, type, and version.
Displays the running statistics of
Ethernet and GPON ports on
OLTs and the running statistics
of ONUs for user fast detection.
Displays device KPIs,
helping users learn about
the running status of OLTs.
PON management
ONU Details
• The controller can display ONU details, including basic ONU information, port overview, and KPIs.
Displays basic ONU
information, including the
ONU status, SN, type, version,
and dying gasp information.
Displays the running
statistics of Ethernet and
POTS ports on ONUs for
user fast detection.
Displays device KPIs, helping
users learn about the running
status of ONUs.
PON management
Service Provisioning Process
1. On-demand pre-configuration: Create a ZTP policy on NCE-Campus and bind the policy to a scenario template.
2. ONU installation and power-on: After an ONU is installed and powered on, it will be discovered by an OLT.
The OLT then sends a notification to NCE-Campus.
3. Automatic configuration delivery: After receiving the notification, NCE-Campus delivers service
configurations to the OLT.
4. Device activation: The OLT automatically activates the ONU and delivers configurations to it. Services then
take effect on the ONU automatically.
ONUs support plug-and-play and visualized batch configuration. One site visit, no human intervention after
power-on.
The ONU deployment efficiency is improved by 10 times. The time required for installing and commissioning a
single ONU is reduced from 30 minutes to 3 minutes.
On-demand deployment reduces skill requirements and workloads, lowering delivery costs.
(Figure: NCE-Campus, OLT, and an ONU whose PoE ports connect an IP phone and a laptop.)
PON management
Unified and Multi-Dimensional O&M Methods
Displays the device
network topology.
Displays complete
performance information.
Displays alarms of all
devices.
LAN-WAN convergence
Homepage in the LAN-WAN Convergence View
1. Tenant administrators can select a view upon first login. The following views are available: Intelligent
Cloud Campus (applicable to the LAN scenario), WAN Interconnection (applicable to the WAN scenario), and
LAN-WAN Convergence (applicable to LAN and WAN scenarios). Menu names and layouts are unified in the three
views. However, available menus and tab pages in the views differ, so that users can focus on functional menus
applicable to their actual scenarios.
2. After a view is selected, the homepage is displayed, with menus applicable to this view. The system
automatically loads the menus available in this view, and this view is used by default upon subsequent logins.
3. The view can be changed under the System menu.
LAN-WAN convergence
Unified Menus in the LAN-WAN Convergence View
The menus in the LAN-WAN convergence view are unified, through the combination of NCE-Campus and NCE-WAN menus.
The menus related to SD-WAN are optimized according to the menus on NCE-WAN, guaranteeing user experience.
Menus are adjusted to help users find paths for configuring their desired services more easily.
Each menu focuses on a certain function and provides user-oriented apps to guide users through configurations.
For example, the tabs under the WAN Physical Network menu in the LAN-WAN convergence view are the same as
those on NCE-WAN.
LAN-WAN convergence
LAN-WAN Interconnection Configuration in the LAN-
WAN Convergence Scenario
The controller provides a dedicated menu for the LAN-WAN interconnection configuration and moves the original
orchestration wizard to the homepage, as an app.
Interconnection model
LAN-WAN convergence
Four-Step Configuration Wizard for LAN-
WAN Convergence
1. WAN egress interconnection
2. LAN campus configuration
3. Routes for LAN-WAN interconnection
4. WAN traffic policy, such as intelligent traffic steering
LAN-WAN convergence
Differentiated Application Management and Control
Based on ACLs
① ACL policies can be configured for overlay LAN interfaces
and underlay WAN interfaces.
② A blocking policy can be configured on an interface in the
inbound direction and can be configured to take effect within a
specified period of time.
Generally, the ACL policy (blocking policy) configuration is applicable to online behavior management. These
policies can be configured based on the application type and protocol.
LAN-WAN convergence
QoS Guarantees Bandwidth Resources for Key
Applications
Traffic can be classified based on application types
and protocols.
Traffic priority, traffic policing, and traffic shaping
policies are supported. When the function of
configuring traffic priorities is enabled, DSCP values of
traffic need to be set (which can be customized).
(Figure: two CPEs connected over MPLS/Internet, with traffic priority, traffic shaping, and traffic policing
applied to traffic with the highest, medium, and lowest priority.)
LAN-WAN convergence
Intelligent Traffic Steering Policy Guarantees Service
Experience of Key Applications
Select a traffic steering scenario.
① Set traffic steering metrics (jitter, delay, and packet loss rate).
② Set link priorities. You can set priorities for two MPLS links and two Internet links.
③ Set parameters for link quality-based and bandwidth-based traffic steering.
④ Set the load balancing mode for traffic steering as needed.
⑤ Set the time period during which the traffic steering policy takes effect.
(Figure: two CPEs connected over MPLS 1, MPLS 2, Internet 1, and Internet 2, showing the primary link, the
secondary link, and the configuration channel.)
LAN-WAN Convergence
Quick Configuration of Internet Access, Facilitating Internet Access Policy Management
Supports local Internet access, applicable to scenarios where site traffic does not need to be managed or controlled.
Supports centralized Internet access, applicable to scenarios where no Internet link is available at the site or the enterprise's Internet access traffic needs to be centrally managed and controlled.
Supports local Internet access + centralized Internet access, applicable to scenarios with high reliability requirements. Local Internet access is used preferentially.
Supports centralized Internet access + local Internet access for specified applications, applicable to scenarios where Internet access traffic needs to be centrally managed and controlled, but the Internet access traffic of specific applications needs to be routed out locally to minimize delay.
[Figure: a branch CPE and an HQ CPE connected over MPLS; local Internet access from the branch, and centralized Internet access through an FW at HQ. ① Configure a centralized Internet access policy. ② Configure a local Internet access policy.]
LAN-WAN Convergence
Connection to Legacy MPLS Networks, Smooth Evolution of Private Line Services
Configure a policy for connecting to a legacy MPLS network.
Local access: An SD-WAN site communicates with a legacy site through the local CPE. That is, the CPE at the SD-WAN site acts as a customer edge (CE) device and communicates with the provider edge (PE) device at the peer legacy site on an MPLS network.
Centralized access: An SD-WAN site and a legacy site communicate with each other through a centralized gateway. The centralized gateway, which is a hub device, acts as a CE device and communicates with the PE device at the peer legacy site on an MPLS network.
[Figure: local access (the SD-WAN site CPE connects to the PE of the legacy site over MPLS) and centralized access (the SD-WAN site connects over the Internet to the iMaster NCE-WAN HQ hub CPE, which connects to the legacy site over MPLS).]
LAN-WAN Convergence
Diversified Security Policies for Differentiated Access Control
URL filtering policy
• URL whitelist and blacklist, as well as user-defined URL policies, can be configured.
• Category-specific URL filtering policies can be configured based on the predefined signature database, which contains about 200,000 signatures.
Firewall policy
• Firewall policies for permitting or denying incoming and outgoing traffic, and for controlling access between zones, can be configured (packet-based filtering).
• By default, traffic from the Trust zone to the Untrust zone is permitted, and traffic from the Untrust zone to the Trust zone is denied.
IPS&AV policy
• IPS&AV policies can be configured to defend against threat traffic.
• IPS&AV policies can be configured based on the predefined IPS&AV signature database.
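The zone defaults above (Trust to Untrust permitted, Untrust to Trust denied) only apply when no explicit rule matches, and the blocking policy introduced earlier can be limited to a time period. The following is an added example of first-match, zone-based policy evaluation with a time-bounded deny rule; it is not product code, and the rule model, the packet fields, and the decision to deny every other zone pair by default are this example's assumptions.

```python
"""Zone-based firewall policy evaluation with a time-bounded blocking rule.

Added example, not product code. The rule model is an assumption. Explicit
rules are matched first, top down (first match wins); if none matches, the
default inter-zone behaviour described above applies: Trust -> Untrust is
permitted and Untrust -> Trust is denied. Any other zone pair is denied by
default here, which is this example's choice, not a product statement.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional

DEFAULT_INTERZONE = {("trust", "untrust"): "permit", ("untrust", "trust"): "deny"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"                  # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None
    start: Optional[time] = None        # effective window; None = always
    end: Optional[time] = None

    def matches(self, pkt: dict, now: time) -> bool:
        if (pkt["src_zone"], pkt["dst_zone"]) != (self.src_zone, self.dst_zone):
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.start is not None and not (self.start <= now <= self.end):
            return False                # rule exists but is outside its effective period
        return True


def evaluate(rules: List[Rule], pkt: dict, now: time) -> str:
    """Return 'permit' or 'deny' for one packet, with first-match semantics."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule.action
    return DEFAULT_INTERZONE.get((pkt["src_zone"], pkt["dst_zone"]), "deny")


# Constructed policy: publish one HTTPS server inbound, block Telnet outbound
# during office hours. Addresses are documentation ranges.
RULES = [
    Rule("publish-web", "untrust", "trust", "permit",
         dst="10.1.1.10/32", proto="tcp", dport=443),
    Rule("block-telnet-office-hours", "trust", "untrust", "deny",
         proto="tcp", dport=23, start=time(9, 0), end=time(18, 0)),
]


def decide(src_zone, dst_zone, src, dst, proto, dport, now, rules=RULES):
    """Build one packet description and evaluate it against the rule set."""
    pkt = {"src_zone": src_zone, "dst_zone": dst_zone, "src": src, "dst": dst,
           "proto": proto, "dport": dport}
    return evaluate(rules, pkt, now)


if __name__ == "__main__":
    print(decide("untrust", "trust", "203.0.113.5", "10.1.1.10", "tcp", 443, time(12, 0)))
```

Note that the time window is part of the match, not a separate on/off switch: outside 09:00 to 18:00 the Telnet packet falls through to the zone default and is permitted, which is exactly the behaviour a time-bounded blocking policy should produce, and exactly the case to test when the window is edited.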
LAN-WAN Convergence
One Unified WAN
[Figure: NCE-Campus manages the access WANs (AR devices at branches/outlets and tier-1 branches, AR and NE hubs) and NCE-IP manages the backbone WAN (NE devices and the DC hub with vSwitches and VMs); SRv6 runs end to end across both.]
Option A: Hierarchical management by NCE-Campus and NCE-IP
Backbone and access WANs are managed separately.
NCE-IP manages the backbone network set up by NE devices, whereas NCE-Campus manages branch access networks set up by ARs and NE devices.
SRv6 TE tunnels can be established between ARs, between ARs and NE devices, and between NE devices, and service paths can be adjusted globally and dynamically. NCE-Campus and NCE-IP cooperate to orchestrate network services across domains, implementing end-to-end service provisioning and maintenance. As such, a unified SRv6 network is ready for enterprise WANs.
LAN-WAN Convergence
One Unified WAN
Provides the SRv6 tunnel mode for tenants.
Provides agile configurations, which allow quick deployment of underlay and overlay configurations, as well as SRv6 BE configurations.
LAN-WAN Convergence
One Unified WAN
Supports the configuration of SR Policies, BFD for link connectivity detection, and IFIT-based link quality measurement and visualization.
LAN-WAN Convergence
Multi-Cloud Interconnection
[Figure: a tenant/carrier portal on top, RESTful northbound APIs, a network service layer (VPN, traffic steering, QoS, security, WOC, multi-cloud orchestration, and O&M), a southbound NE layer (EMS, vRR, and third-party VAS), VNFs in VPCs/vDCs on public and private clouds, and branch/campus sites with vCPE, uCPE, and legacy Layer 3 CPE connected through the Internet, MPLS, and an IWG to the cloud/DC.]
Lifecycle management of VNFs and transit VPCs/TGWs on clouds
• vCPE startup, release, status monitoring, reliability protection, and dynamic scale-in and scale-out
• Transit VPC startup, configuration, and release
• TGW creation and configuration
Unified orchestration of networks and services on clouds, and unified network and application orchestration APIs for the upper layer, with API and implementation differences between public and private clouds being shielded
• vCPE management
• Underlay network orchestration on the cloud
• Overlay network orchestration on the cloud
• VAS orchestration on the cloud
Cloud-based O&M
• Unified topology display
• Unified connectivity detection and link quality measurement
• Fault locating and recovery
Cloud-based vCPE deployment
• Automated deployment on Huawei Cloud, China Telecom e-Cloud, and AWS Cloud
• Manual deployment on Azure and Tencent clouds
LAN-WAN Convergence
Multi-Cloud Interconnection
Configure credentials for accessing Huawei Cloud and AWS Cloud and establish HTTP connection channels.
Deploy AR1000V devices by invoking cloud APIs and start services. Service-related underlay and overlay configurations are not covered here.
LAN-WAN Convergence
NCE-Campus Upgrade Policy
Single-node system
  Before upgrade (campus): 1 x 128 GB (LAN) or 1 x 128 GB (LAN + POL)
  Before upgrade (WAN): N/A
  After upgrade: 1 x 128 GB (LAN + POL)
  Feature adjustment: N/A
  VM adjustment: N/A
Minimum cluster, 3 x 128 GB (LAN + POL)
  Before upgrade (campus): 3 x 128 GB (LAN)
  Before upgrade (WAN): N/A
  After upgrade: 3 x 128 GB (LAN + POL)
  Feature adjustment: N/A
  VM adjustment: N/A
Minimum cluster, 3 x 128 GB (LAN-WAN + POL)
  Before upgrade (campus): 4 x 128 GB (LAN-WAN) or 4 x 128 GB (LAN + POL)
  Before upgrade (WAN): 3 x 128 GB (WAN)
  After upgrade: 3 x 128 GB (LAN-WAN + POL)
  Feature adjustment: No matter whether the SD-WAN feature is deployed before the upgrade, it is deployed after the upgrade by default.
  VM adjustment: If the cluster with 4 x 128 GB servers is to be upgraded, one server with one controller service node (service plane tag deleted) is idle after the upgrade.
Minimum cluster, 3 x 256 GB (LAN-WAN)
  Before upgrade (campus): N/A
  Before upgrade (WAN): 3 x 256 GB (WAN)
  After upgrade: 3 x 256 GB (LAN-WAN)
  Feature adjustment: No matter whether the SD-WAN feature is deployed before the upgrade, it is deployed after the upgrade by default.
  VM adjustment: N/A
Distributed cluster, 5 x 256 GB (LAN-WAN)
  Before upgrade (campus): 5 x 256 GB (LAN) or 6 x 256 GB (LAN-WAN)
  Before upgrade (WAN): N/A
  After upgrade: 5 x 256 GB (LAN-WAN)
  Feature adjustment: No matter whether the SD-WAN feature is deployed before the upgrade, it is deployed after the upgrade by default.
  VM adjustment: If the cluster with 6 x 256 GB servers is to be upgraded, one server with two controller nodes (one VM service node and one middleware node, with service plane tags deleted) and one FusionInsight node (with tag deleted) is idle after the upgrade.
Distributed cluster, 9 x 256 GB (LAN-WAN)
  Before upgrade (campus): 9 x 256 GB (LAN) or 12 x 256 GB (LAN-WAN)
  Before upgrade (WAN): N/A
  After upgrade: 9 x 256 GB (LAN-WAN)
  Feature adjustment: No matter whether the SD-WAN feature is deployed before the upgrade, it is deployed after the upgrade by default.
  VM adjustment: If the cluster with 12 x 256 GB servers is to be upgraded, three servers with a total of four controller nodes (one service node and three middleware nodes, with service plane tags deleted) and three FusionInsight nodes (with tags deleted) are idle after the upgrade.
iPCA 2.0
[Figure: NCE-Campus delivers the iPCA 2.0 configuration (flows monitored based on applications and security groups, plus coloring) to APs and LSWs on wired and wireless access; the devices report flow statistics to CampusInsight. Flows to be monitored are either configured or identified automatically.]
iPCA 2.0 configuration
• Configure NCE-Campus to monitor flows based on applications/security groups, deliver the configuration to APs and LSWs, enable iPCA 2.0 on LSWs along flow forwarding paths, and configure in-point devices to color flows.
Flow statistics reporting
• LSWs and APs periodically report statistics about flows identified based on applications/security groups to CampusInsight for analysis.
Flow statistics analysis
• CampusInsight performs E2E packet loss and delay analysis on the monitored flows hop by hop, and displays the analysis results.
Flow identification
• Flows to be monitored can be identified based on 5-tuple information, applications, security groups, or applications + security groups.
iPCA 2.0
Configure a flow identification template to identify the flows to be measured based on 5-tuple information, applications, security groups, or applications + security groups. Then configure hop-by-hop flow measurement based on the flow identification template and configure in-point devices to color flows.
iPCA 2.0
CampusInsight can display the forwarding path of a specified flow and the packet statistics on each device port along the path.
Agile Report
A unified navigation path is available for creating dashboards and reports, which is more flexible. Preset widgets can be reused. Widgets are automatically created and maintained by the system; no manual operation is required.
The page layout can be customized in drag-and-drop mode and all panels can be flexibly zoomed in and out.
The visualization effect is enhanced. The refresh frequency and background effect can be customized.
Choose Monitoring > Report > Agile Report to access the agile report page.
Feature | SNMP | NETCONF
Widgets:
  Device vendor report | Unified | Unified
  Port usage statistics report | Unified | Unified
  Device type report | Unified | Unified
  Device model report | Unified | Unified
  Smart alarm reports (network device alarm event type graphic report, network device alarm distribution graphic report, network device alarm severity report, and top N device alarm report by severity) | Unified | Unified
Manually created reports:
  Proportion chart of identified terminal types | Depending on terminal identification data | Supported
  Top N vendors of identified terminals | Depending on terminal identification data | Supported
  Top N OSs of identified terminals | Depending on terminal identification data | Supported
  Trend chart of authenticated online terminals | Supported | Supported
  Trend chart of authenticated online users | Supported | Supported
  RADIUS authentication log statistics chart | Supported | Supported
  Port authentication log statistics chart | Supported | Supported
Proactive SLA Management
Proactive SLA Management and Pre-Warning
[Figure: enterprise HQ and a branch connected over the WAN, each with a voice service gateway; campus devices send simulated voice flows between them.]
Create periodic voice-based service level agreement (SLA) tasks and specify the simulated voice streams to be sent by devices.
Devices send the simulated voice flows.
Display test results in graphs: service quality is displayed numerically and the measured metrics are displayed in graphs.
Generate a pre-warning notice in time by email or SMS message when a metric threshold is exceeded.
Proactive SLA Management
Proactive SLA Management and Pre-Warning
The SLA is a network performance measurement and diagnosis tool that provides the following capabilities: SLA overview, SLA task management, SLA service management, and SLA fast diagnosis.
Service Deployment: Configuration File Management
Feature | SNMP | NETCONF
Main functions of configuration file management | Unified | Unified
Backup and restoration of running configurations | Supported | Supported (restoration is not allowed, as it may lead to inconsistencies between configurations from different sources)
Backup and restoration of startup configurations | Supported | Not supported in general; this feature is supported only on YunShan devices
Choose Maintenance > Device Maintenance > Configuration File Management to back up and restore device configuration files, compare configuration files to discover changes, and configure backup tasks.
Device Data Reporting
The controller can display logs reported by devices, such as terminal onboarding and disconnection logs and configuration command logs, facilitating device maintenance, fault locating, and performance monitoring. This function applies only to LSWs, ARs, and APs.
Available configurations:
Configure cloud managed devices to report data to NCE-Campus through HTTP.
Configure devices to report data to NCE-CampusInsight through HTTP.
Configure SNMP-managed devices to report data to NCE-Campus through SNMP and SFTP.
Procedure:
Choose Monitoring > Monitoring Settings > Data Collection Configuration from the main menu, select a site and a device type, and select the types of logs to be reported.
Alarm Management
• Alarm management receives, stores, and monitors alarms, and enables users to query and perform operations on alarms. It supports full-lifecycle management of alarms, helping O&M personnel quickly rectify faults based on alarm information: configure alarm rules, monitor alarms, and handle alarms.
• Alarm status:
Acknowledgement: identifies the user who handles an alarm, so that one alarm is not handled by multiple users.
Clearance: identifies whether the fault that caused an alarm has been rectified.
• The detailed configuration is described in the O&M training course.
Device Performance Monitoring and Management
Performance Management (PM) is used to monitor and collect the following
information from cloud managed devices: performance data (such as CPU and
memory usages), access terminal information, terminal locations, and application
data accessed by terminals. By analyzing data and generating relevant reports, the
system can provide reference data for decision makers.
The detailed monitoring capabilities are described in the O&M training course.
Device Upgrade Management
[Figure: the controller obtains the software package from HOUP (1), the administrator configures the upgrade policy (2), and the device downloads the package and upgrades (3).]
Device upgrade process
1. The controller obtains the software package for upgrading a device.
① Online mode: The controller can obtain the device software package of the recommended latest stable version from the software library of the Huawei online upgrade platform (HOUP), which can be accessed at https://houp.huawei.com/download.
② Package import: An administrator can download the required software package from the Huawei Support website and import the package to the controller.
2. The administrator configures an upgrade or downgrade policy to manually or automatically upgrade or downgrade the device.
3. When receiving an upgrade task, the device downloads the required package from the specified address and performs the upgrade.
Device Upgrade Management
Interconnection with HOUP and the device upgrade policy
Note: The username must be set to the one used for logging in to the Huawei enterprise technical support website (https://support.huawei.com/e).
Device Certificate Management
• A device certificate is a digital file signed and issued by a certificate authority. It contains a public key, information about the owner of the public key, issuer information, a validity period, and certain extension information. A device certificate is used when a device and a server need to set up a Secure Sockets Layer (SSL)/TLS channel to secure the communication between the two ends.
• If a device certificate no longer meets the current security requirements or has expired, it needs to be replaced with a new one to keep the device secure.
Device Certificate Management
A device certificate can be updated in offline mode or in online mode. iMaster NCE-Campus displays the certificate information.
Fault Locating Tools
iMaster NCE-Campus provides diversified fault locating tools, including the following:
Ping: verifies connectivity between the controller and clients.
Trace: displays the access path from a device to a destination address.
RF ping: detects the quality of the air interface between a device and a client.
Cable test: tests the length of network cables connected to an interface and the status of each twisted pair. This tool can quickly detect network cable faults to facilitate fault locating and reduce the impact on services.
Fault Locating Tools - Specifications
Feature | Supported Device
Ping | AP, AR, FW, SW
Trace | AP, AR, FW, SW
Cable test | SW, AR
Fault Locating Tools - Application Scenarios
If a fault cannot be rectified based on the fault diagnostic information collected from devices, tenants or O&M personnel need to use other troubleshooting methods to further rectify the fault.
The controller provides diversified fault locating tools to ensure that faults can be located in time. It can use ping and trace tests to detect the network connectivity of devices and allows agile cable tests without the assistance of other tools.
Connectivity test: ping and trace tests. These tests are applicable only to cloud managed devices (switches, WACs, ARs, and firewalls) that support the two functions, as well as the controller.
Packet analysis: packet obtaining (applicable to APs, switches, WACs, ARs, firewalls, and the controller).
Air interface quality detection for APs: RF ping (applicable to APs and the controller).
Fault Locating Process
Choose Monitoring > Monitoring > Device 360 from the main menu, select a site, and select a device from the
site's device list. On the device details page that is displayed, you can select a fault locating tool from the Select a
tool drop-down list box.
Packet Header Obtaining - Introduction
If tenant administrators need to locate network faults during the service operation process, they can
use the controller to obtain packet headers from specified devices.
After they set parameters for obtaining packet headers on a device, such as the target device, port
where packet headers need to be obtained, packet header obtaining duration, filter conditions, and file
names, packet header obtaining files are generated on the device. The device uploads the generated
files to the directory specified on the controller. The controller then displays a message to instruct
tenant administrators to download the files to their local hosts, and generates the corresponding
operation log.
There might be many packet exchanges between devices on the live network. The controller provides
necessary prompts based on device types, to improve the packet header obtaining accuracy.
Packet Header Obtaining - Application Scenarios
Packet headers can be obtained on wired interfaces and wireless radio interfaces. Packet
headers of a fixed length are obtained, rather than complete packets. The controller can
analyze packet headers to help users locate faults.
Packet Header Obtaining - Process
Choose Maintenance > Fault Diagnosis > Diagnosis Tools > Packet Head Getting from the main menu, select the device where packet headers need to be obtained, and set the parameters for packet header obtaining.
IP Address Management
Choose Maintenance > IP Address Management from the main menu. The IP address management overview page is displayed,
showing the IP address assignment rate, exception statistics, and top N statistics.
IP address management provides the following capabilities: IP address group management, IP subnet management, IP address
management, IP address assignment, idle IP address detection, and IP address reclaiming.
Intelligent Network Verification
On the iMaster NCE-Campus homepage, open the Network Intelligent Verification app.
Intelligent network verification provides the following capabilities: snapshot management, subnet reachability verification, and
terminal access verification. In addition, verification tasks can be managed on iMaster NCE-Campus.
Intelligent Network Verification - Snapshot Management (1/2)
iMaster NCE-Campus collects device data on the network in read-only mode, performs data plane modeling, and generates snapshots.
Snapshots are the basis of the intelligent network verification feature. The system can verify subnet reachability and terminal access by leveraging snapshots.
Intelligent Network Verification - Snapshot Management (2/2)
• The snapshot management module also provides the snapshot comparison function. By comparing two snapshots, the network administrator can quickly find the differences between devices, configuration files, interface link states, and IP routing tables at two points in time, providing valuable information for quick fault locating.
Intelligent Network Verification - Subnet Reachability Verification (1/2)
After a snapshot is created, network administrators can verify connectivity between every two service subnets on the entire network in this snapshot.
The verification results are presented in a matrix, including reachability and multi-path information. The matrix explicitly displays subnet reachability.
Intelligent Network Verification - Subnet Reachability Verification (2/2)
Network administrators can select two specific service subnets to view the traffic paths between the subnets.
The traffic path information helps quickly locate network reachability faults.
Intelligent Network Verification - Terminal Access Verification
Intelligent network verification provides the terminal access verification capability. Network administrators can simulate a terminal in a snapshot and verify its access to network resources. With this function, network administrators can check whether the services accessible to the terminal are as expected.
Intelligent network verification also provides the verification task management function. A verification task contains the source and destination information and the expected result. It is equivalent to a network verification case.
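The slides describe verification as simulation over a read-only snapshot: reachability is computed from the modeled data plane, and a verification task pairs a source and destination with an expected result. The following is an added example of that approach, not the product's verification engine; the snapshot model (connected subnets, static routes, an ACL per device), the hop-by-hop simulation, and the sample topology are assumptions constructed for the example.

```python
"""Subnet reachability verification over a read-only network snapshot.

Added example, not product code. The snapshot model is an assumption: each
device has connected subnets, a static routing table (prefix -> next-hop
device) and an ordered ACL of (src prefix, dst prefix, action) applied to the
flow on every device it traverses. Forwarding is simulated hop by hop with
longest-prefix matching, so the result is a verified path, not a live ping.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple

SNAPSHOT = {  # constructed sample topology (documentation address ranges)
    "access-sw": {
        "connected": ["10.10.1.0/24", "10.10.2.0/24"],
        "routes": [("0.0.0.0/0", "core-sw")],
        "acl": [("10.10.2.0/24", "10.20.1.0/24", "deny")],  # guest VLAN may not reach servers
    },
    "core-sw": {
        "connected": ["10.20.1.0/24"],
        "routes": [("10.10.0.0/16", "access-sw"), ("10.30.0.0/16", "border-ar")],
        "acl": [],
    },
    "border-ar": {
        "connected": ["10.30.1.0/24"],
        "routes": [("10.0.0.0/8", "core-sw")],
        "acl": [],
    },
}


def owner_of(snapshot: Dict, subnet: str):
    """Device on which the subnet is directly connected, or None."""
    for dev, data in snapshot.items():
        if subnet in data["connected"]:
            return dev
    return None


def lookup_route(routes: List[Tuple[str, str]], dst: str):
    """Longest-prefix match for the destination subnet; returns the next-hop device or None."""
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if ip_network(dst).subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def acl_verdict(acl, src: str, dst: str) -> str:
    """First ACL entry covering the whole src and dst subnets decides; default permit."""
    for s, d, action in acl:
        if ip_network(src).subnet_of(ip_network(s)) and ip_network(dst).subnet_of(ip_network(d)):
            return action
    return "permit"


def verify_path(snapshot: Dict, src: str, dst: str, max_hops: int = 16):
    """Simulate forwarding from src to dst; return (reachable, path, reason)."""
    dev = owner_of(snapshot, src)
    if dev is None:
        return False, [], f"no device owns {src}"
    path = [dev]
    while len(path) <= max_hops:
        if acl_verdict(snapshot[dev]["acl"], src, dst) == "deny":
            return False, path, f"denied by ACL on {dev}"
        if dst in snapshot[dev]["connected"]:
            return True, path, "reachable"
        next_hop = lookup_route(snapshot[dev]["routes"], dst)
        if next_hop is None:
            return False, path, f"no route to {dst} on {dev}"
        if next_hop in path:
            return False, path + [next_hop], f"routing loop via {next_hop}"
        dev = next_hop
        path.append(dev)
    return False, path, "hop limit exceeded"


def reachability_matrix(snapshot: Dict) -> Dict[Tuple[str, str], bool]:
    """Every ordered pair of service subnets, as the matrix view would show it."""
    subnets = sorted(s for data in snapshot.values() for s in data["connected"])
    return {(a, b): verify_path(snapshot, a, b)[0] for a in subnets for b in subnets if a != b}


def run_task(snapshot: Dict, src: str, dst: str, expected: bool) -> Dict:
    """A verification task: source, destination and expected result, like a test case."""
    ok, path, reason = verify_path(snapshot, src, dst)
    return {"src": src, "dst": dst, "expected": expected, "actual": ok,
            "passed": ok == expected, "path": path, "reason": reason}
```

Two details matter in practice: the ACL check is per subnet (it only fires when the entry covers the whole source and destination subnet, so a partial match is treated as "may be reachable"), and reachability is directional, so the guest-to-server deny in the sample does not block the reverse direction.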
Intelligent Network Verification – Subnet Reachability on Fabrics
Intelligent network verification is applicable to the fabric scenario. In this scenario, reachability between overlay subnets can be verified and the verification results can be displayed in a matrix.
Advanced Security Feature – Remote Attestation (RA)
The RA process involves three steps: measurement, challenge, and verification.
[Figure: the RA client on the device measures its platform (1); NCE-Campus, as the RA server, sends a challenge request (2) and the device returns PCR status values and RA measurement logs; NCE-Campus verifies them (3) against the reference values downloaded and imported from Huawei Support, and O&M personnel view the result on the portal.]
Device (YunShan LSWs and ARs):
Connects to NCE-Campus to report its information and receive configurations.
Receives RA requests from NCE-Campus and uploads platform configuration register (PCR) values to NCE-Campus.
NCE-Campus:
Manages and configures devices.
Downloads PCR baseline files consisting of reference values from the Huawei Support website.
Sends challenge requests to NEs to collect the measured information and evaluates campus security based on the collected information.
Huawei Support website:
Saves the RA baselines of devices.
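The three steps above (measure on the device, challenge from the RA server, verify against imported reference values) are shown end to end in the following added example. It is not the product's RA implementation: a SHA-256 hash chain stands in for a TPM PCR, a keyed HMAC stands in for the signed quote a real TPM produces with its attestation key, and the boot components, device key, and baseline are constructed for the example.

```python
"""Measurement, challenge and verification for remote attestation.

Added example, not product code. It models the three RA steps with a SHA-256
hash chain standing in for a TPM PCR and a keyed HMAC standing in for the
signed quote a real TPM would produce with its attestation key; both are
simplifications. The boot components, the device key and the baseline are
constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ZERO_PCR = b"\x00" * 32
DEVICE_KEY = b"constructed-device-attestation-key"   # stand-in for the attestation key


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR_new = H(PCR_old || digest): the only way a PCR value can change."""
    return hashlib.sha256(pcr + digest).digest()


def measure(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Step 1 (device): hash each boot component, extend the PCR, keep an event log."""
    pcr, log = ZERO_PCR, []
    for name, content in components:
        digest = hashlib.sha256(content).digest()
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def answer_challenge(nonce: bytes, pcr: bytes, log, key: bytes = DEVICE_KEY) -> Dict:
    """Step 2 (device): bind the PCR value to the server's nonce and return the log."""
    mac = hmac.new(key, nonce + pcr, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "pcr": pcr.hex(), "log": list(log), "mac": mac}


def verify(report: Dict, nonce: bytes, reference_log, key: bytes = DEVICE_KEY) -> Tuple[bool, List[str]]:
    """Step 3 (RA server): freshness, authenticity, log replay, baseline comparison."""
    problems = []
    if bytes.fromhex(report["nonce"]) != nonce:
        problems.append("replayed report: nonce mismatch")
    expected_mac = hmac.new(key, nonce + bytes.fromhex(report["pcr"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, report["mac"]):
        problems.append("report not authentic: MAC mismatch")
    replayed = ZERO_PCR                       # the log must reproduce the reported PCR
    for _, digest_hex in report["log"]:
        replayed = pcr_extend(replayed, bytes.fromhex(digest_hex))
    if replayed.hex() != report["pcr"]:
        problems.append("event log does not reproduce the reported PCR")
    reference_pcr = ZERO_PCR                  # baseline PCR derived from the reference log
    for _, digest_hex in reference_log:
        reference_pcr = pcr_extend(reference_pcr, bytes.fromhex(digest_hex))
    if report["pcr"] != reference_pcr.hex():
        # Name the first component whose measurement differs from the baseline.
        for (name, got), (_, want) in zip(report["log"], reference_log):
            if got != want:
                problems.append(f"PCR differs from baseline; first divergence at {name}")
                break
        else:
            problems.append("PCR differs from baseline; log length differs")
    return (not problems), problems


# Constructed known-good boot chain; its log plays the role of the imported reference values.
GOOD_CHAIN = [("bootloader", b"bl-v1.2"), ("kernel", b"kernel-5.10-signed"), ("app", b"nce-agent-22.0")]
REFERENCE_LOG = measure(GOOD_CHAIN)[1]


def attest(components, key=DEVICE_KEY, reference_log=REFERENCE_LOG):
    """One full RA round: the server challenges, the device answers, the server verifies."""
    nonce = os.urandom(16)
    pcr, log = measure(components)
    report = answer_challenge(nonce, pcr, log, key)
    return verify(report, nonce, reference_log, key)


if __name__ == "__main__":
    print(attest(GOOD_CHAIN))
```

The order of the checks is the point: a report that is stale or not bound to the device key is rejected before its contents are trusted, and the measurement log is what lets the verifier say which component drifted from the baseline rather than only that the PCR differs.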
Advanced Security Feature – RA
NE trustworthiness dashboard
Advanced Security Feature – NE/NMS Security Situational Awareness
[Figure: the HiSec situation analysis component in iMaster NCE-Campus (abnormal event detection, situation presentation, SOAR, zero trust management, and single-domain security) receives logs from the NMS AAA module and the NE log module and performs device/NMS intrusion detection; devices (YunShan LSWs and ARs) provide host security and intrusion detection; O&M personnel view the results.]
Device (YunShan LSWs and ARs):
Connects to NCE-Campus and reports NE O&M logs.
NCE-Campus:
Receives O&M logs from devices and reports the logs to HiSec for exception detection and situation analysis.
Receives O&M logs from the NMS and reports the logs to HiSec for exception detection and situation analysis.
Supported device-oriented situational awareness capabilities:
Rule-based abnormal login behavior detection: brute force cracking, login from blacklisted IP addresses, unauthorized accounts, or compromised accounts, and login through uncommon paths
AI-based abnormal login behavior detection: login at unusual times, login using uncommon IP addresses or zombie accounts, abnormal number of login accounts, and abnormal login frequency
Abnormal behavior detection: unauthorized account creation, unauthorized password change, unauthorized account activation (detected when the product has activation logs), password change violation, unauthorized account deletion, unauthorized user permission change, unauthorized operation attempt (detected if NEs record authentication failure logs)
Agent-based detection: file permission escalation, key file tampering, Rootkit attack, unauthorized superuser, and shell file tampering
Supported NMS-oriented situational awareness capabilities:
Rule-based abnormal login behavior detection: brute force cracking, login from blacklisted IP addresses, unauthorized accounts, or compromised accounts, and login through uncommon paths
Exception handling based on zero-trust evaluation, for example, blacklisting abnormal accounts
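Several of the rule-based detections listed above (brute force cracking, login from a blacklisted IP address, login at an unusual time, unauthorized account creation) can be expressed as simple stateful rules over NE login and account logs. The following is an added example of such rules run over constructed log lines; it is not HiSec or NCE-Campus code, and the log format, thresholds, blacklist, and per-account "usual hours" baseline are all assumptions.

```python
"""Rule-based detection of abnormal login and account behaviour from NE O&M logs.

Added example, not product code. The log format is constructed for the
example (it is not an actual VRP or NCE-Campus log format), and the
thresholds, blacklist and per-account usual-hours baseline are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ne>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|USER_ADD) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: by=(?P<actor>\S+))?$")

BRUTE_FORCE_FAILS = 5                        # failures per (NE, source) ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)    # ... inside this sliding window
BLACKLIST = {"198.51.100.23"}                # assumed blacklisted source addresses
USUAL_HOURS = {"admin": range(8, 19)}        # assumed baseline learned elsewhere
ACCOUNT_ADMINS = {"admin"}                   # only these may create accounts


def parse(line: str) -> Optional[Dict]:
    m = LINE.match(line)
    if not m:
        return None                          # unknown format: skip, never crash the pipeline
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines: List[str]) -> List[Dict]:
    """Run every rule over the lines in order and return the detected events."""
    events: List[Dict] = []
    fails = defaultdict(deque)               # (ne, src) -> timestamps of recent failures
    flagged = set()                          # (ne, src) pairs already reported for brute force
    for rec in filter(None, map(parse, lines)):
        ne, src, user, ts = rec["ne"], rec["src"], rec["user"], rec["ts"]
        if rec["event"] == "LOGIN_FAIL":
            window = fails[(ne, src)]
            window.append(ts)
            while window and ts - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()             # drop failures that fell out of the window
            if len(window) >= BRUTE_FORCE_FAILS and (ne, src) not in flagged:
                flagged.add((ne, src))
                events.append({"rule": "brute_force", "ne": ne, "src": src, "ts": ts})
        elif rec["event"] == "LOGIN_OK":
            if src in BLACKLIST:
                events.append({"rule": "blacklisted_ip", "ne": ne, "src": src, "user": user, "ts": ts})
            if (ne, src) in flagged:         # success right after a burst of failures
                events.append({"rule": "possible_compromised_account", "ne": ne, "src": src, "user": user, "ts": ts})
            hours = USUAL_HOURS.get(user)
            if hours is not None and ts.hour not in hours:
                events.append({"rule": "unusual_time", "ne": ne, "src": src, "user": user, "ts": ts})
        elif rec["event"] == "USER_ADD":
            if rec["actor"] not in ACCOUNT_ADMINS:
                events.append({"rule": "unauthorized_account_creation", "ne": ne,
                               "user": user, "by": rec["actor"], "ts": ts})
    return events


# Constructed sample log (documentation address ranges, invented host names).
SAMPLE_LOG = """\
2023-05-02T09:00:01 lsw-core-1 LOGIN_OK user=admin src=10.0.0.5
2023-05-02T09:01:10 lsw-core-1 LOGIN_FAIL user=admin src=203.0.113.9
2023-05-02T09:01:12 lsw-core-1 LOGIN_FAIL user=admin src=203.0.113.9
2023-05-02T09:01:14 lsw-core-1 LOGIN_FAIL user=root src=203.0.113.9
2023-05-02T09:01:16 lsw-core-1 LOGIN_FAIL user=admin src=203.0.113.9
2023-05-02T09:01:18 lsw-core-1 LOGIN_FAIL user=admin src=203.0.113.9
2023-05-02T09:01:25 lsw-core-1 LOGIN_OK user=admin src=203.0.113.9
2023-05-02T12:00:00 ar-branch-7 LOGIN_OK user=ops src=198.51.100.23
2023-05-02T23:30:00 lsw-core-1 LOGIN_OK user=admin src=10.0.0.5
2023-05-02T23:31:00 lsw-core-1 USER_ADD user=backdoor src=10.0.0.5 by=ops
""".splitlines()

if __name__ == "__main__":
    for event in detect(SAMPLE_LOG):
        print(event)
```

The brute-force rule counts failures per NE and source address regardless of the account name tried, fires once per burst, and is then reused by the compromised-account rule: a successful login from a source that was just flagged is the event an analyst actually wants to see first.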
Advanced Security Feature – NE/NMS Security Situational Awareness
NE security event
Advanced Security Feature – NE Security Configuration Check
The controller can verify device security configurations, including insecure protocols, weak algorithms, and insecure configuration items, to ensure NE security. Examples:
a. Insecure protocol: Telnet
b. Weak algorithm: MD5
c. Insecure configuration: SSH password authentication on port 22
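A check of this kind is a set of rules run over a device's configuration text, including rules for things that are insecure because they are absent (no explicit SSH port means the default 22). The following is an added example of such a checker, not the controller's rule set; the VRP-like command lines are constructed for illustration, and both the command syntax and the findings list are assumptions. The weak configuration is shown beside a hardened one that passes.

```python
"""Security configuration check over a device configuration file.

Added example, not product code. The configuration lines are constructed in
a VRP-like style for illustration; the command syntax and the check list are
assumptions, not the controller's actual rule set.
"""
import re
from typing import List, Tuple

# (finding, severity, pattern that indicates the insecure state on one line)
CHECKS = [
    ("insecure protocol: Telnet server enabled", "high", re.compile(r"^telnet server enable\b")),
    ("insecure protocol: SNMPv1/v2c enabled", "high", re.compile(r"^snmp-agent sys-info version .*\b(v1|v2c)\b")),
    ("weak algorithm: MD5", "medium", re.compile(r"\bmd5\b", re.I)),
    ("weak algorithm: SHA-1", "low", re.compile(r"\bsha1\b", re.I)),
    ("insecure configuration: SSH password authentication", "medium",
     re.compile(r"^ssh user \S+ authentication-type (password|password-rsa)\b")),
]
SSH_PORT = re.compile(r"^ssh server port (\d+)\b")

Finding = Tuple[int, str, str, str]   # line number (0 = whole file), severity, finding, line


def check_config(config: str) -> List[Finding]:
    """Return one finding per insecure line, plus file-level findings for missing settings."""
    findings: List[Finding] = []
    ssh_port = 22                                  # the default that applies when nothing is set
    for lineno, line in enumerate(config.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("undo "):
            continue                               # 'undo x' disables x; it is not a hit
        m = SSH_PORT.match(stripped)
        if m:
            ssh_port = int(m.group(1))
        for finding, severity, pattern in CHECKS:
            if pattern.search(stripped):
                findings.append((lineno, severity, finding, stripped))
    if ssh_port == 22:
        findings.append((0, "low", "insecure configuration: SSH server on default port 22",
                         "(no 'ssh server port' line)"))
    return findings


# Constructed sample configurations (VRP-like syntax, assumed).
WEAK_CONFIG = """\
#
 sysname lsw-core-1
#
telnet server enable
stelnet server enable
ssh user admin authentication-type password
ssh server hmac md5
snmp-agent sys-info version v2c v3
#
"""

HARDENED_CONFIG = """\
#
 sysname lsw-core-1
#
undo telnet server enable
stelnet server enable
ssh server port 2222
ssh user admin authentication-type rsa
ssh server hmac sha2_256
snmp-agent sys-info version v3
#
"""

if __name__ == "__main__":
    for f in check_config(WEAK_CONFIG):
        print(f)
```

The absence check is the part worth copying: a line-by-line grep can only find what is written, while "SSH on port 22" and similar defaults are findings precisely because nothing is written.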
IPv4/IPv6 Capability of iMaster NCE-Campus
Scenario description: IPv6 is becoming more popular and is required in deployment and management scenarios. iMaster NCE-Campus supports three scenarios: IPv4 single stack, IPv6 single stack, and IPv4/IPv6 dual stack.
Scenario | Device Model | Authentication | Management Channel | IPv6 on Pre-installation Deployment or Not | Upgrade from the Original Version
IPv4 single stack (IPv4 single stack, IPv4/IPv6 dual stack, and IPv6 single stack) | All devices | All supported | Not supported | Supported | Supported
IPv4/IPv6 dual stack | All devices | Supported by all devices in V5 (IPv4-based device interaction, IPv6-based Portal authentication and 802.1X authentication). YunShan devices do not support IPv6-based Portal authentication but support IPv6-based 802.1X authentication. | Supported, but depends on device-side capabilities (only ARs and YunShan LSWs support this function). | Not supported (only supported by new versions) | Not supported
IPv6 single stack | AR devices (supported in V5 and in YunShan since R22.0); LSWs (supported in YunShan since R22.0) | YunShan devices do not support IPv6-based Portal authentication but support IPv6-based 802.1X authentication. | Supported, but depends on device-side capabilities (only ARs and YunShan LSWs support this function). | Not supported (only supported by new versions) | Not supported
[Figure: IPv6/IPv4 WAC.]
IPv4/IPv6 Deployment Scenarios
[Figure: three controller deployments, IPv4 single stack (IPv4 address, IPv4 site), IPv6 single stack (IPv6 address, IPv6 site), and IPv4/IPv6 dual-stack (both).]
Supported IPv6 Functions
Function Category | Feature | V5 LSW (non-virtualization / virtualization) | YunShan LSW (non-virtualization / virtualization)
IP service | IPv6 gateway | N / Y | Y / Y
IP service | DHCPv6 client/server | N / N | Y / N
IP service | DHCPv6 relay | N / Y | Y / Y
Routing | IPv6 static routing | N / Y | Y / Y
Routing | OSPFv3 | N / N | Y / N
Routing | BGP4+ | N / Y | Y / Y
Traffic policy | ACL6 | Y / N/A | Y / N/A
Traffic policy | ACL6 in traffic classifiers | Y / N/A | Y / N/A
Traffic policy | Next-hop IPv6 address in traffic behaviors | N / N/A | Y / N/A
Traffic policy | ACL6 default permit rule | Y / Y | N / N
Reliability | NQA IPv6 | N / Y | N / Y
DNS | DNSv6 server | N / N/A | Y / N/A
Device management | NETCONF-based IPv6 device management | N | Y
Authentication | IPv6 RADIUS server | N | Y
Authentication | Dynamic ACL6 authorization | Y | Y
Authentication | IPv6 AD/LDAP server | Y | Y
Authentication | IPv6 authentication components | N | Y
Authentication | IP-security group channels on IPv6 networks | N | Y
O&M | IPv6 device upgrade channels | N | Y
O&M | Packet header obtaining supports IPv6 channels | N | Y
O&M | IPv6 channels for device file systems | N | Y
O&M | IPv6 channels for activating license files | N | Y
O&M | IPv6 channels for file management configuration | N | Y
O&M | IPv6 channels for inspection | N | Y
O&M | IPv6 channels for SSH-based CLI login | N | Y
O&M | IPv6 channels for collecting device fault information | N | Y
O&M | IPv6 ping and trace | N | Y
Monitoring | IPv6 HTTP/2 and telemetry channels | N | Y
Others | Analyzer interconnection through IPv6 | N | Y
(Y = supported, N = not supported; rows with a single value per LSW type apply regardless of virtualization.)
Multi-Cluster System
With service development, an increasing number of devices and users are connected to
iMaster NCE-Campus. A single cluster cannot provide sufficient performance for service
development needs. Horizontal capacity expansion from a single-cluster system to a multi-
cluster system is needed to allow access of more devices and users.
Multi-Cluster Solution
The multi-cluster solution consists of a global node and two regional clusters.

Region: Global
Function description: The global node receives the mappings among users, tenants, and IP addresses from each regional cluster. It provides a unified login page for all the clusters, so users do not need to select a region upon login. After successful login, the user is automatically redirected to the regional cluster that the mapping points to.

Region: Region
Function description: Each region is an independent cluster without a login page of its own. Users can log in to a regional cluster only through the login page of the global node; logging in through the regional cluster directly is allowed only when the global node is faulty. A regional cluster reports the mappings among users, tenants, and the regional cluster IP address to the global node. It is also responsible for user service design, configuration, and maintenance.
Tenant migration is not supported between regional clusters, and the services of a single tenant cannot be deployed across regional clusters.
Multi-Cluster Management
By default, each regional cluster reports the mappings among users, tenants, and the regional cluster IP
address to the global node in real time. The global node also collects the mappings at a specified time
every day.
In addition, the mappings can be manually synchronized from regional clusters to the global node.
Choose System > System Management > Multi-Cluster Management from the main menu. Click
Synchronize Immediately to synchronize regional cluster information to the global node and then
check whether the synchronization is complete.
Disaster Recovery - Background
With expanding enterprise scales, simple data backup is unable to meet the requirements of mission-critical services on
system availability, real-time performance, and security. More importantly, backup data may be damaged due to
various factors such as earthquakes and fire disasters, and even be lost. Any service interruption or data loss will cause
serious losses to enterprises. How to improve system availability has become a major concern of enterprises. The top
priority is to design highly available software.
Disaster recovery (DR) is the ability to recover from a disaster. A DR solution relies on a standby system at a different location. The active and standby systems monitor each other's health status and can take over services from each other. If one system becomes unavailable due to an unexpected event such as a fire or earthquake, the other system takes over the services of the faulty system to ensure service continuity.
To improve the reliability of iMaster NCE-Campus, a DR design is adopted.
Disaster Recovery - Introduction
The primary and secondary clusters communicate with each other through heartbeat links and detect each other's status in real time. The product in the active cluster synchronizes data to the product in the standby cluster in real time through the data replication link, ensuring data consistency between the two clusters.
If a fault occurs in the cluster that is providing services, users can manually switch the services from the faulty cluster to the other cluster. Automatic switchover is available if the arbitration service is deployed. This ensures service continuity and reduces the loss caused by disastrous incidents.
DR objectives
1. The primary and secondary clusters are installed separately. The installation sequence does not matter.
2. After a DR system is created, one cluster functions as the active cluster and the other as the standby cluster. The active cluster provides services for external systems. The standby cluster does not provide external services and only synchronizes data from the active cluster.
3. If the active cluster becomes unavailable due to a disaster, services can be switched manually or automatically to the standby cluster to ensure service continuity.
4. CampusInsight does not support DR. If CampusInsight functions are required after a DR switchover, you need to reinstall CampusInsight (or pre-install two copies of CampusInsight before a controller DR switchover) and synchronize data from the controller to CampusInsight. The analysis data on CampusInsight is lost after a controller DR switchover.
Differences between manual and automatic DR switchovers
1. In both modes, the primary and secondary clusters must be installed and combined into a DR system. In the automatic DR scenario, an arbitration node must additionally be deployed at a third site, and arbitration must be configured through EasySuite.
2. To trigger a manual DR switchover, administrators log in to the management plane and switch the active and standby cluster roles by hand. To configure automatic DR switchovers, administrators only need to create arbitration tasks in advance. If the switchover conditions are met, an automatic DR switchover is performed without manual intervention.
3. The two modes have different requirements on public networks. In the manual switchover scenario, administrators detect the switchover and then manually reconfigure the controller IP address visible to public networks. In the automatic switchover scenario, customer networks must be able to detect the active/standby controller status of each cluster in the DR system automatically, for example, through an F5 load balancer, through NQA detection of the controller's internal floating IP address, or by connecting the controllers in the primary and secondary clusters to external networks at Layer 2 in both the northbound and southbound directions.
Manual DR Switchover
Manual switchover:
The controller advertises northbound and southbound routes in Layer 3 mode. In the NAT scenario, the controller's southbound and northbound IP addresses after NAT in the primary cluster are the same as those in the secondary cluster. In this way, tenants, network devices, and access terminals are unaware of active/standby controller switchovers.
The heartbeat link and data replication link are located on the internal communication plane. Therefore, network connectivity must be ensured between the internal communication planes of the primary and secondary clusters.
Route priority-based manual switchover:
On the egress router, routes destined for the active and standby clusters are configured with different priorities. Only the active cluster provides services for external networks; the standby cluster only synchronizes data from the active cluster.
If the network is abnormal or the active site is faulty, administrators can access the O&M plane and issue a DR switchover command to trigger a DR switchover manually.
Automatic DR Switchover
Figure: primary and secondary sites joined by the heartbeat link and the data replication link; both exchange arbitration data with the arbitration node.
Arbitration-based automatic switchover:
The arbitration service periodically checks the connectivity between the primary, secondary, and third sites, and saves the check results. If the network connection is abnormal or the active site is faulty, the arbitration service selects the optimal site in the network to perform an active/standby switchover.
Note: The HBase database of FusionInsight does not support automatic switchovers and needs to be synchronized manually. If the database is not synchronized, the display of device performance data is affected. Customers can decide whether to synchronize the HBase database.
The arbitration service is deployed on five nodes: two at the primary site, two at the secondary site, and one at the third site.
The heartbeat link, arbitration heartbeat link, data sharing link, and data replication link are located on the internal communication plane. Therefore, the internal communication networks of the active and standby sites must be connected.
DR Switchover - Layer 2 Southbound and Northbound Connectivity Between Primary and Secondary Clusters
Figure: DC1 and DC2 (each with a router, a switch, and cluster nodes) are joined by a Layer 2 communication link that carries the heartbeat link and the data replication link; the arbitration node is located in DC3.
Why is a Layer 2 network used?
A Layer 2 network is used for switchovers between the primary and secondary clusters. Host IP addresses are in the same ARP broadcast domain, so they are easily advertised.
Solution features:
1. Install the DC1 and DC2 clusters. The two clusters use the same southbound and northbound IP addresses. Because the two clusters are on the same Layer 2 network, the southbound and northbound IP addresses of the secondary cluster need to be hidden.
2. Set up a DR system, for example, with DC1 and DC2 as the active and standby clusters, respectively. The active cluster automatically enables its southbound and northbound IP addresses, whereas the standby cluster does not.
3. This solution applies to the scenario where devices on external networks can be managed by customers. Connecting the southbound and northbound Layer 2 networks of the active and standby clusters places high requirements on customer networks.
4. The solution with an arbitration node can avoid dual active clusters. Therefore, if the southbound and northbound Layer 2 networks of the active and standby clusters are connected, manual switchovers at the expense of the arbitration node are not recommended.
Note:
NAT is supported in this scenario. In the NAT scenario, Layer 2 interconnection is required on the planes where the southbound and northbound virtual IP addresses reside, and the virtual IP addresses are mapped to a public IP address using NAT.
DR Switchover - Unified Virtual IP Address Based on NQA
Figure: DC1 (primary cluster, DIP 1) and DC2 (secondary cluster, DIP 2) each sit behind a Layer 3 network management switch and a core device running OSPF toward the backbone ring network; on each core device an NQA test associated with a static route decides whether the external IP is advertised. The clusters are joined by the heartbeat link (1) and the data replication link (2); the arbitration node (3) is reachable from both at Layer 3.
Solution features:
1. Install the DC1 and DC2 clusters, which provide the same southbound and northbound IP addresses for external networks.
2. Install an HA arbitration node. (By default, the HA arbitration node is deployed in a third data center and is reachable from the primary and secondary clusters at Layer 3.)
3. Add a DR configuration instance and set up a DR system, for example, with DC1 and DC2 as the active and standby clusters, respectively. The DR heartbeat and data replication links are created at the same time.
4. Configure an NQA policy on the core device of each DC cluster to detect its own DIP. If the DIP is reachable, the public southbound and northbound IP addresses of the controller are advertised. The DIP of the active cluster is automatically enabled, and that of the standby cluster is not.
5. Disaster scenario: If the original active cluster encounters a disaster and the heartbeat between the active and standby clusters is interrupted, the arbitration node checks whether the standby cluster can switch to the active cluster. If so, after the original standby cluster becomes the new active cluster, its southbound and northbound IP addresses and DIP take effect. In addition, NQA automatically advertises the public southbound and northbound IP addresses of the new active cluster after verifying that the DIP of the new active cluster is reachable.
6. In this solution, manual switchovers can be performed at the expense of the arbitration node.
Note:
1. This solution requires that the customer's core devices have the NQA detection capability and can associate NQA with static routes for automatic detection. The core devices must be able to reach the DIP addresses of the controller clusters. The overall switchover time depends on the NQA detection time as well as the time required for route advertisement and convergence.
2. NAT is supported in this scenario. In the NAT scenario, the external IP address is located on the NAT device and mapped to the LVS virtual IP address of the controller. Similarly, the core device determines whether to advertise this external IP address based on the NQA detection results.
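The NQA-tracked advertisement and the disaster scenario above, as an added simulation for this course (not Huawei code): the DIP values, the external IP, the arbitration rule and the core-device behaviour are simplified assumptions constructed for the example.

```python
# Added illustration, not Huawei code: a small model of the "unified virtual
# IP address based on NQA" DR solution. Cluster names, DIP values, the
# external IP and the arbitration rule are constructed assumptions.
from dataclasses import dataclass

# Shared southbound/northbound address of the controller as seen by the
# network (sample value from the slide figure).
EXTERNAL_IP = "41.1.1.208"


@dataclass
class Cluster:
    name: str
    dip: str              # detection IP probed by the local core device (assumed)
    role: str             # "active" or "standby"
    site_up: bool = True  # False models a disaster at the site

    def dip_enabled(self) -> bool:
        # The DIP is automatically enabled on the active cluster only; the
        # standby cluster keeps it disabled even though it synchronizes data.
        return self.site_up and self.role == "active"


@dataclass
class CoreDevice:
    dc: str
    cluster: Cluster

    def nqa_probe(self) -> bool:
        # NQA detection of the local DIP: succeeds only while the DIP is up.
        return self.cluster.dip_enabled()

    def advertised_routes(self) -> list:
        # The static route to EXTERNAL_IP is associated with the NQA test,
        # so it is advertised into the backbone only while the probe succeeds.
        return [EXTERNAL_IP] if self.nqa_probe() else []


def network_view(cores) -> list:
    """DCs from which the backbone currently learns a route to EXTERNAL_IP."""
    return sorted(c.dc for c in cores if c.advertised_routes())


def arbitration_check(primary: Cluster, secondary: Cluster) -> str:
    """Simplified arbitration rule (assumption): if the active site is lost and
    the standby site is still reachable, promote the standby. Returns the name
    of the cluster that is active afterwards."""
    active, standby = (primary, secondary) if primary.role == "active" else (secondary, primary)
    if not active.site_up and standby.site_up:
        active.role, standby.role = "standby", "active"
    return active.name if active.role == "active" else standby.name


def forcible_switch_to_standby(cluster: Cluster) -> None:
    """Action from the DR configuration page: demote a cluster to restore the
    active/standby relationship when two active clusters exist."""
    cluster.role = "standby"


def build_dr_system():
    """DC1 active, DC2 standby, one core device per DC (constructed sample)."""
    dc1 = Cluster("DC1", "10.1.1.1", "active")
    dc2 = Cluster("DC2", "10.2.2.2", "standby")
    return dc1, dc2, [CoreDevice("DC1", dc1), CoreDevice("DC2", dc2)]


def run_scenario() -> list:
    """Walk through the slide's disaster scenario and return the backbone's
    view of EXTERNAL_IP after each step."""
    dc1, dc2, cores = build_dr_system()
    steps = [("normal operation", network_view(cores))]
    dc1.site_up = False                     # disaster at the active site
    steps.append(("DC1 down, before arbitration", network_view(cores)))
    arbitration_check(dc1, dc2)             # standby promoted, DIP 2 enabled
    steps.append(("after arbitration switchover", network_view(cores)))
    dc1.site_up = True                      # site recovers but stays standby
    steps.append(("DC1 recovered as standby", network_view(cores)))
    dc1.role = "active"                     # dual-active fault (no arbitration)
    steps.append(("dual active", network_view(cores)))
    forcible_switch_to_standby(dc1)         # restore active/standby relationship
    steps.append(("after forcible switchover", network_view(cores)))
    return steps


if __name__ == "__main__":
    for label, view in run_scenario():
        print(f"{label:32s} route to {EXTERNAL_IP} via {view or 'nobody'}")
```

The dual-active step shows why the slide warns that the arbitration node is what prevents two clusters from advertising the same external IP at once.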
DR Configuration
The management plane of iMaster NCE-Campus
provides the configuration and O&M pages for the DR
function. You can view the DR system status and data
synchronization status, modify DR configurations, and
trigger a DR switchover on these pages.
If the active cluster is faulty and cannot be recovered, a
forcible switchover can be performed for the standby
cluster to take over services.
If two active clusters exist, a forcible switchover can be
performed to switch a cluster to the standby cluster to
restore the active/standby relationship.
Multiple Southbound Cluster Addresses: Improving Remote DR Reliability and Reducing Network Requirements
Scenario description: In remote disaster recovery (DR) scenarios, two southbound IP addresses are configured for the active and standby clusters, improving reliability and network adaptation capabilities, as well as reducing network requirements.
Figure: on the left, the active and standby DC clusters (with data synchronization between them) both use southbound IP address 41.1.1.208 (same southbound address); on the right, the active DC cluster uses 41.1.1.208 and the standby DC cluster uses 42.2.2.210 (different southbound addresses). APs connect to the clusters in both cases.
Constraints (same southbound address):
• The southbound IP address of the active and standby clusters must be the same.
• Cluster switchover and convergence are slow due to specific network requirements. As such, remote DR cannot be met in some networking modes. (If the active and standby clusters are not in the same area, their southbound IP addresses are not the same. In addition, these clusters cannot communicate with each other through Layer 2 heartbeat links.)
Constraints (different southbound addresses):
• IPv6 addresses and domain names are not supported.
• This feature applies only to LSWs and APs in V5 and to ARs in SD-WAN scenarios. ARs in LAN scenarios and firewalls do not support this feature.
• The following features are not supported in this scenario: free mobility, HACA Portal authentication, TACACS authentication, authentication component, SNMP-based device management, interconnection with the registration query center, and CloudCampus APP.
Benefits:
• Fast cluster switchover and convergence.
• Reduced network requirements.
• An upgrade does not lead to any service interruption because an active/standby switchover can be triggered to upgrade the active and standby clusters separately.
Summary
This course describes the deployment schemes and component functions of iMaster NCE-Campus in
the CloudCampus solution.
This course describes the key features of iMaster NCE-Campus and their configuration methods.
Through these introductions, you should have a deep understanding of the main application scenarios
of iMaster NCE-Campus.
Thank You
www.huawei.com
Page 165 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
Product Overview
Page 0 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
Foreword
• With the rapid development of cloud computing, the on-demand cloud service mode
becomes more popular, resulting in great changes in traditional network management.
Against this backdrop, cloud-based network management has become a trend, as well
as a new model for enterprise network construction, operations and maintenance
(O&M).
• This course mainly introduces the overall architecture, software components, and key
service features of iMaster NCE-Campus in Huawei CloudCampus Solution.
Page 1 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
Objectives
• Upon completion of this course, you will be able to:
▫ Understand the positioning and functions of iMaster NCE-Campus in Huawei CloudCampus
Solution.
▫ Understand the system architecture of iMaster NCE-Campus.
▫ Understand the key features of iMaster NCE-Campus used in Huawei CloudCampus Solution.
▫ Master the main configurations of iMaster NCE-Campus.
Page 2 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
Contents
1. iMaster NCE-Campus Introduction and Architecture
2. iMaster NCE-Campus Key Features
Page 3 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
Huawei CloudCampus Solution Overview
Application
layer
…
iMaster NCE is a system that integrates the manager,
controller, and analyzer. It supports interconnections among
simple-service campus networks, virtual campus networks,
Cloud app
and multi-branch campus networks, and includes the Self-service portal VAS store
following components: Open APIs
• iMaster NCE-Campus:
It provides management and control functions, such as Management and
management of cloud-based and traditional devices, control layer
traditional device management function, automated
configuration, one-click redirection to iMaster NCE- Authentication
CampusInsight by using the proxy service.
NCE-Campus & NCE-CampusInsight component
• iMaster NCE-Campus authentication component: Manager + Controller + Analyzer
An authentication component is integrated into iMaster
NCE-Campus as a service. A maximum of 20
authentication components can be deployed at remote NETCONF/SNMP/HTTP/2/HTTPS/TCP……
branches to provide local authentication. Authentication Network layer
components and iMaster NCE-Campus can automatically
synchronize user authentication and terminal
identification information between each other through
Medium- and large-sized campuses
TCP channels. Site interconnection
• iMaster NCE-CampusInsight: SMB
It is an intelligent network analysis platform. Based on
existing O&M data (such as device performance indicators
and client logs), iMaster NCE-CampusInsight uses big data WAN/Internet
technology, AI algorithms, and other advanced analysis
technologies to digitize user experience. It assists
customers in detecting network issues in a timely manner, Office VN IoT VN
improving user experience. It is an independent
component and is not described in this course.
• Campus devices:
Campus devices include switches, routers, WLAN access
controllers (WACs), access points (APs) and firewalls.
iMaster NCE-Campus can manage devices through
Network Configuration Protocol (NETCONF) and
traditional Simple Network Management Protocol
(SNMP).
Page 4 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Introduction
• iMaster NCE-Campus serves as a cloud management platform in Huawei CloudCampus Solution. It
provides service configuration, O&M, and monitoring capabilities for cloud managed devices (can be
APs, firewalls, ARs, and switches) and traditional devices. It can also serve as an authentication
server to implement user access control.
• Product positioning
▫ iMaster NCE-Campus is a management and control system designed for Huawei CloudCampus Solution. It
supports functions that include network service management, network security management, user admission
management, network monitoring, network quality analysis, network application analysis, and alarm and
report management. It also provides big data analytics and open application programming interfaces (APIs) to
facilitate interconnection with other platforms. On a multi-tenant network, enterprise users can use iMaster
NCE-Campus to perform service configuration and routine maintenance for their respective tenant networks,
making it possible to manage large numbers of devices on the cloud.
Page 5 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Highlights
• Highlights
• Simplified
▪ Simplified network planning
▪ Simplified network deployment
▫ Elastic
▪ On-demand network expansion
▪ On-demand management expansion
▫ Open
▪ Open network data
▪ Open network platform
Page 6 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Product & Tenant Network
Architecture
iMaster NCE-Campus
Device Admission Performance Big data
management service collection service
service service
ISP
network
Tenant
network AP Central RRU AP Switch Firewall
AP
Site 1 Site 2 Site
Tenant A Tenant B
Page 7 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Product Architecture
Page 8 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Key Functions
Function Description
For small- and medium-sized campuses with simple network configurations, iMaster NCE-Campus provides diversified functions,
Network configuration
such as site-based network element (NE) management, topology management, interface and link management, configuration of
management
underlay services, simplified deployment specific to scenarios, and configuration template binding.
For large- and medium-sized campuses with complex network configurations, iMaster NCE-Campus can automatically orchestrate
Network automation Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) configurations for setting up a VXLAN, simplifying network
management and changes.
iMaster NCE-Campus supports various authentication protocols, such as Portal 2.0 and RADIUS, and can authenticate and manage
Network admission
for network end users.
iMaster NCE-Campus can collect performance data from devices through HTTP/2, and send the collected data to FusionInsight (big
O&M monitoring
data analysis component), which then saves and analyzes the data and provides data analysis reports.
Big data service iMaster NCE-Campus uses Huawei-developed FusionInsight as a big data service for data storage, analysis, and merging.
Ngnix iMaster NCE-Campus uses Ngnix to load balance HTTP traffic.
iMaster NCE-Campus uses Linux Virtual Server (LVS) to build a virtual server cluster that provides one IP address for southbound
LVS
and northbound planes.
Page 9 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Cluster Architecture
ETCD GaussDB Redis DMQ
Database
cluster
FusionInsight cluster
NCE-Campus cluster
Portal server CampusBase/NetconfClient OamService/ACUpgrade Kafka
Key data exchange channels:
RESTful APIs 1 and 2: Portal authentication channel
3 NETCONF–based
device 3: Channel for device registration and alarm
4 HTTP/2: device
management location and reporting
ACANginx Portal GW API GW performance data
master/slave master/slave master/slave reporting 4: Device performance reporting channel
eSight 5: Device upgrade channel
2
HTTP/2: user 6: Channel for logging in to the iMaster NCE-
LVS master/slave
authentication HTTP:
5 device Campus Web UI
update
1 HTTPS–Portal authentication page 7: Channel for calling third-party APIs
6 HTTPS: Web UI
MSP/Tenant 8 Traditional device management
administrator
7 HTTPS: NBI
Third-party system
Page 10 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Deployment Mode
LAN management LAN-WAN convergence
… LAN WAN LAN
Hotels General Large
Branch
education enterprises HQ
Maximum Maximum Maximum
Deployment Number of Number Deployment Number of Number of Maximum Number of
Number of Number of Number of
Mode Servers of VMs Mode Servers VMs Managed NEs
Managed NEs Online Users Online Users
Number of LAN-side devices +
Single-node Single-node
1 1 5000 20,000 1 1 Number of WAN-side devices 20,000
system system x 10 ≤ 5000
Minimum Number of LAN-side devices +
Single-node 3 3 Number of WAN-side devices 50,000
cluster x 5 ≤ 15,000
system (with NCE- 1 2 4000 20,000
CampusInsight 6-node Number of LAN-side devices +
) (two VMs on a
distributed 3 6 Number of WAN-side devices 100,000
server) x 5 ≤ 30,000
Minimum cluster 3 3 30,000 100,000 cluster
9-node Number of LAN-side devices +
(two VMs on a
9-node distributed 5 (two VMs on a distributed 5 9 Number of WAN-side devices 300,000
9 60,000 300,000 server)
cluster server) cluster x 5 ≤ 60,000
17-node Number of LAN-side devices +
17-node (two VMs on a (two VMs on a Number of WAN-side devices 700,000
9 17 200,000 700,000 distributed 9 17
distributed cluster server) server) x 5 ≤ 200,000 & Number of
cluster WAN-side devices ≤ 20,000
Page 11 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Deployment Mode
POL convergence LAN-WAN + POL convergence
…
LAN WAN LAN
General Large
education enterprises Branch HQ
Maximum Maximum
Maximum Maximum Deployment Number Number
Deployment Number Number Number of Number of
Number of Number of Mode of Servers of VMs
Mode of Servers of VMs Managed NEs Online Users
Managed NEs Online Users
Number of LAN-
side devices + POL
Single-node
Single-node 1 1 devices + Number 20,000
1 1 5000 20,000 system
system of WAN-side
devices x 10 ≤ 5000
Minimum Number of LAN-
cluster 3 3 30,000 100,000 side devices + POL
Minimum devices + Number
3 3 100,000
cluster of WAN-side
devices x 10 ≤
Distributed
None 15,000
cluster
Distributed None (The distributed cluster is not supported in the POL
cluster convergence scenario.)
Page 12 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Service Node Deployment
Management Scale (Cloud
Solution Deployment Mode Supported Functions Expansion Supported or Not
Managed Device)
Single-node system (LAN) 5000 The PON and WAN features are not available. Cold migration to 3-node cluster
5000 (POL devices are
Single-node system (LAN + POL) The PON feature is available and the WAN feature is unavailable. Not supported
Single-node system included)
Single-node system (LAN-WAN + LAN-side devices + 10 x WAN-
The PON and WAN features are available. Not supported
POL) side devices ≤ 5000
3-node cluster (LAN-only, PM
30,000 (POL devices are The expansion to 3-node cluster in the
deployment is recommended.) The PON feature is available and the WAN feature is unavailable.
included) LAN-WAN scenario is supported.
Minimum cluster
3-node cluster (LAN-WAN, PM
LAN-side devices + 5 x WAN-
deployment is recommended.) The PON and WAN features are available. Not supported
side devices ≤ 15,000
LAN-side devices + 5 x WAN- The expansion to 9-node cluster is
6-node cluster The WAN feature is available and the PON feature is unavailable.
side devices ≤ 30,000 supported.
LAN-side devices + 5 x WAN- Cold migration to the maximum scale of
9-node cluster The WAN feature is available and the PON feature is unavailable.
side devices ≤ 60,000 17-node cluster
Distributed cluster
LAN-side devices + 5 x WAN-
17-node cluster side devices ≤ 200,000 & The WAN feature is available and the PON feature is unavailable. Not supported
WAN-side devices ≤ 12,000
Huawei Cloud 200,000 The WAN feature is available and the PON feature is unavailable. Not supported
Authentication authentication component
N/A The authentication feature is supported. Not supported
component deployment
Large-capacity and Independent management plane N/A N/A N/A
multiple clusters Global node N/A Unified login for a multi-cluster system is supported. Not supported
Automatic switchover with a third arbitration site in disaster recovery (DR)
Third-party arbitration Independent arbitration node N/A Not supported
solutions.
Page 13 Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Value-added Features
Deployment
Type Feature Description Deployment Requirement License Control
Advanced network iMaster NCE-Campus supports centralized management on network-wide security policies and security This feature is supported in all deployment scenarios and
Firewall management licenses
security policy service orchestration to rapidly provision security services. service nodes do not need to be added.
iMaster NCE-Campus manages PON devices in access networks through SNMP. It supports automatic
This feature is supported in single-node systems and
service deployment specific to scenarios and can display performance, topology, and alarm information of
PON management minimum clusters, and service nodes do not need to be POL management licenses
devices in a unified manner, implementing management and visualization of resources and networks, as
added.
well as fault diagnosis visualization.
Campus VXLAN uses overlay virtualization technology to bear multiple virtual networks on a single
Basic value-added Automatic virtual
underlay network and support flexible service deployment. Based on SDN and cloud technologies, This feature is supported in all deployment scenarios and Automatic virtual network
features network
Campus VXLAN implements automatic deployment of virtual networks, and automation of user-oriented service nodes do not need to be added. management licenses
management
and application-oriented policy management.
Terminal iMaster NCE-Campus can automatically identify the information about vendor, operating system, and This feature is supported in all deployment scenarios and
Terminal plug-and-play licenses
identification type of terminals, and then can control terminal access based on the identified information. service nodes do not need to be added.
Network Data plane verification (DPV) technology is used to implement network-wide snapshot management,
This feature is supported in all deployment scenarios and
configuration subnet reachability verification, and terminal access verification, building up comprehensive intelligent --
service nodes do not need to be added.
verification verification capabilities.
AI-based terminal fingerprint identification: Based on the model training and inference technology of AI engines, iMaster NCE-Campus analyzes the fingerprint characteristics of unknown terminals and automatically generates the corresponding identification rules to improve terminal identification.
  - Minimum clusters: supported. To support this feature, one more PM (with a memory of 128 GB) needs to be added.
  - Distributed clusters: supported. To support this feature, one more PM (with a memory of 128 GB) needs to be added.
  - Single-node systems: not supported.
  - License: --

Advanced value-added features: SRv6. Based on the SRv6 TE Policy tunneling technology, iMaster NCE-Campus provides end-to-end (E2E) optimal path computation and service optimization for one unified WAN, and supports centralized SRv6 configuration and management for network topologies and tunnel constraints, aiming to maximize network bandwidth utilization and leverage the full potential of network resources. In addition, iMaster NCE-Campus supports traffic forwarding in SRv6 BE mode in the case of tunnel failures.
  - Single-node system, LAN-WAN deployment scenario: supported; service nodes do not need to be added.
  - Distributed clusters: supported. To support this feature, one more PM (with a memory of 256 GB) needs to be added.
  - Minimum clusters and single-node system, LAN-only deployment scenario: not supported.
  - License: SRv6 function package licenses

Value-added security features: Advanced security features.
  - Remote attestation: provides full-lifecycle file integrity protection from startup to running to storage for embedded NEs.
  - Security situational awareness (SSA): provides real-time security data analysis and overall security situation prediction capabilities for network devices to help security O&M personnel quickly make decisions and trace sources.
  - Device security configuration check: provides visualized security management capabilities for network devices and supports device security status check, security risk warning, and security hardening guidance.
  - Distributed clusters: supported. To support this feature, three more PMs (with a memory of 64 GB each) need to be added.
  - Single-node systems: not supported.
  - License: --
iMaster NCE-Campus Server Installation Networking
Currently, iMaster NCE-Campus can have at most four planes: the internal communication plane, service plane, southbound plane, and northbound plane. Their functions are as follows:
• Internal communication plane: used for communication between service nodes in an iMaster NCE-Campus cluster, including FusionInsight and GaussDB nodes.
• Service plane: used to provision southbound and northbound services of iMaster NCE-Campus. For example, administrators can use a load balancer (LB) to distribute service traffic to multiple nodes.
• Northbound plane: used to receive northbound service traffic, for example, using a browser to access the management plane of iMaster NCE-Campus.
• Southbound plane: used to receive southbound service traffic, for example, communicating with network devices through NETCONF.
Based on customer networking requirements, some network planes can be combined. The following networking modes are supported:
• Two-plane networking: includes the internal communication plane and an integrated plane that combines the service, southbound, and northbound planes. The southbound and northbound public IP addresses can be translated on the firewall.
• Three-plane networking: includes the internal communication plane, the service plane, and an integrated southbound and northbound plane.
• Four-plane networking: includes the internal communication plane, service plane, northbound plane, and southbound plane.
Note:
The IP addresses of network interface cards (NICs) need to be assigned in an independent VLAN, which cannot be the same as the VLANs used by other, unrelated products.
Ports can be enabled on firewalls as needed. For details, see the Communication Matrix.
(Figure: server NICs and cabling. The management port sits on the internal communication/management network, with separate cables for the internal communication, service, northbound, and southbound networks; the PC where EasySuite resides is attached to the management network.)
iMaster NCE-Campus Homepage
(Figure: homepage layout. Top: menu bar with the logo, selected view, alarm area, and the search, account, and help area. Body: overview page with an area for rotating product carousel images, a navigation path for entering network scenario apps, and a navigation path for entering advanced feature apps.)
Contents
1. iMaster NCE-Campus Introduction and Architecture
2. iMaster NCE-Campus Key Features
Site Management Overview
• iMaster NCE-Campus configures and monitors devices by site. The site management feature
provides the functions of adding, deleting, modifying, and querying sites. iMaster NCE-
Campus can manage not only sites containing devices of a single type, such as APs, WACs,
ARs, switches, or firewalls, but also sites containing devices of various types.
• iMaster NCE-Campus also supports organization- and tag-based site management to display sites in a hierarchical mode. When creating organizations, administrators can specify a parent organization to define a hierarchy (up to five levels of nesting are supported).
Site Management Configuration
• Click Design > Site Design > Site Management to view the site list, and create, delete, or modify sites.
• Click Provision > Device > Batch Deployment > Site to view site templates.
Topology Management
Feature | SNMP | NETCONF
Topology | Unified | Unified
Device management | Unified | Unified
Link management | Unified | Unified
Third-party device management | Supported | Not supported

Topology layout toolkit. The toolbar in the topological view provides move, update, save positions, lock, display settings, export (picture/Visio), full screen display, display alarm, auto fit zoom, and zoom in/out, and the topology and devices of each site can be displayed. The toolbar classifies function options, which makes it easy to use, and the shortcut menu can be customized to hide redundant information.
Click Design > Network Design > Physical Topology to view site topologies.
Distributed Switch (RU)
Background: The following problems exist in office, education, and hotel scenarios:
• Cabling is complicated.
• Compared with the POL solution, the current campus network solution requires higher network equipment room construction costs.
• Access devices are connected to users through network cables, which do not meet the requirements of the fiber-to-edge trend.
Scenarios:
• Desktop: A central device can connect to multiple remote units (RUs) located in different offices, open-plan desks, and classrooms.
• Device replacement in equipment or extra low voltage (ELV) rooms without site relocation: A central device can connect to multiple RUs to allow access of cameras, APs, and wired terminals.
Benefits:
• Maximize the use of chip forwarding capability.
• Dramatically reduce the network construction cost for customers. In addition, the cost for desktop scenarios is predicted to be reduced by more than 50%.
• Innovate the network architecture, decrease the number of NEs, and reduce the management cost.
(Figure: as-is versus to-be. As-is: the campus core equipment room (CSS) connects over 10 km optical cables to an aggregation switch in each building, over 300 m optical fibers to an ELV room on each floor, and over 65 m network cables to desks in Building A and Building B/C. To-be: the campus core equipment room (CSS) connects over 10 km optical cables to a central device in an ELV room on a floor/building, over 60 m optical fibers to RUs, and over 5 m network cables to desks.)
Distributed Switch (RU)
• Management capability: iMaster NCE-
Campus allows users to query
information about RUs connected to a
central switch, including the ESNs,
models, online status, interfaces that
directly connect to the central switch,
and port list information of the RUs.
• Control capability: iMaster NCE-Campus allows users to configure port isolation for a particular interface on a central switch. The configuration takes effect for all RUs connected to that interface.
Distributed Switch (RU)
• Monitoring capability: iMaster NCE-Campus
allows users to check the memory usage, disk
space usage, and temperature of an RU, as well
as the running status, rate, traffic statistics,
packet statistics, and bandwidth utilization of an
RU interface.
• O&M capabilities: iMaster NCE-Campus allows
users to restart RUs. In addition, iMaster NCE-
Campus can receive alarms from RUs if they fail
to be upgraded.
YunShan Device Management (Scenario Introduction)
• Background: To ensure the service continuity of V5 devices and construct an open ecosystem of the next-generation embedded service-oriented architecture, the following brand-new LAN switches (LSWs) and ARs are launched based on the next-generation YunShan platform: S8700/S6730/S5750/AR8140/AR6710. With these devices, iMaster NCE-Campus can build the next-generation CloudCampus YunShan ecosystem.
• Three networking modes (figure, Internet/WAN at the top, APs at the bottom):
  - Recommended: V5 device standard networking. Devices from top to bottom: AR6000/AR600, S12700E, WAC 9700-M/6508/6805, S7700/S6730-H, S5731/S5732, AP 8760/6760/5760.
  - Evaluation-required: YunShan + V5 device hybrid networking (large-sized). Devices from top to bottom: AR8140/AR6000, S12700E, WAC 9700-M/6508/6805, S8700/S6730-H, S5750-L/S5750-S, AP 8760/6760/5760.
  - Pilot: YunShan device independent networking (small- and medium-sized). Devices from top to bottom: AR8140/AR6710, S8700, S5750-L/S5750-S, AP 8760/6760/5760.
YunShan Device Management (Differences Between V5 and YunShan Devices)
(Figure: three layers. Service layer: management, configuration, alarm, O&M, monitoring. Service adaptation layer: AOC 1.0 for V5 devices, AOC 3.0 for YunShan devices. Channel protocol layer: NETCONF, SSH, HTTP/2, telemetry.)
Management: V5 and YunShan devices are both managed through NETCONF channels.
Configuration: Configurations of both V5 and YunShan devices are delivered through NETCONF channels; however, the YANG models are different. YunShan devices use the YANG 2.0 model and complete configurations based on the SND/GND model of AOC 3.0 built on the application platform as a service (aPaaS).
Alarm: Alarm services of both V5 and YunShan devices are implemented through NETCONF channels. However, the YANG models are different. YunShan devices use the YANG 2.0 model.
O&M: O&M operations on both V5 and YunShan devices are implemented through SSH channels.
Monitoring: V5 devices are monitored through HTTP/2 channels, while YunShan devices are monitored through telemetry channels (gRPC).
YunShan Device Management (Differences Between V5 and YunShan Devices)
Device type | Key Feature Not Supported (Compared with V5) | Impact Description | Workaround
YunShan LSW | Management VLAN auto-negotiation | Wired/wireless management VLAN auto-negotiation to implement device plug-and-play is not supported. In addition, Eth-Trunk auto-negotiation is not supported. | Deploy switches manually or using the zero touch provisioning (ZTP) function through the management VLAN (that is, VLAN 1). In addition, deploy APs connected to the switch by using the sensor AP function.
YunShan LSW | Registration center-based deployment | Device plug-and-play through the registration center is not supported. | Use the DHCP option-based deployment solution.
YunShan LSW | ESN-free deployment | ESN-free deployment is not supported. | Scan barcodes to record device ESNs or manually import device ESNs.
YunShan LSW | Portal authentication | Portal authentication based on HTTP/2 or HACA is not supported. | Use V5 devices as authentication devices instead.
YunShan LSW | Wireless authentication | Wireless authentication is not supported. | Use off-path WACs for wireless authentication.
YunShan LSW | Terminal identification | Terminal identification is not supported. | Use V5 devices as access devices instead.
YunShan LSW | Application identification | Application identification and application statistics collection are not supported. | N/A
YunShan LSW | Application experience analysis | eMDI application experience analysis is not supported. | N/A
YunShan LSW | HQoS | VIP user policies cannot be configured. | N/A
YunShan LSW | Certificate management | Offline and online certificate management functions are not supported. | Log in to devices for configuration.
YunShan LSW | SWEB | Redirection to the switch web system for service configuration is not supported. | Log in to the device command line interface (CLI) through SSH to configure services.
YunShan AR | Wi-Fi | Wireless access services are not supported. | N/A
YunShan AR | Inter-site interconnection | YunShan ARs cannot function as the devices for communication between the HQ site and branch sites. | N/A
YunShan AR | Traffic statistics | Traffic statistics collection based on NetStream is not supported. | N/A
YunShan AR | SWEB | Redirection to the AR web system for service configuration is not supported. | Log in to the device CLI through SSH to configure services.
YunShan Device Management (Configuration Consistency Verification)
(Figure: configuration paths. V5 device (AR/LSW/AP): the NaaS/VRP5 NBI accepts NETCONF (get-config, edit-config, copy-config from iMaster NCE-Campus), SNMP, and CLI; NETCONF configurations go to the running database and, through copy-config, to the startup database, while CLI/SNMP configurations from a local user (CLI, web system, or eSight) go to the current-cfg database and, through save, to the Startup cfg database; the CMF and CDBR sit beneath. YunShan device (AR/LSW): NETCONF get-config/edit-config from iMaster NCE-Campus and CLI/web-based management/eSight from a local user all pass through the CMF into centralized data storage and a single configuration DB, and local changes raise a configuration change notification to the controller.)

Category | V5 Device | YunShan Device
Configuration data storage | There are two types of databases for configuration data storage: a NETCONF-based database (which stores only configurations delivered through NETCONF) and a CLI/SNMP-based database (which stores full configurations). | Configurations are stored in a single database: configurations delivered through NETCONF and SNMP and performed in the CLI are stored in the same database. However, the NETCONF-based configuration capability currently provided by devices is inferior to the CLI-based capability; a feature falls into one of three cases: 1. The feature cannot be configured through NETCONF and can be configured only through the CLI. 2. The feature supports NETCONF-based configuration for all involved parameters. 3. The feature supports CLI-based configuration for all involved parameters but NETCONF-based configuration for only some of them.
Configuration storage mechanism | 1. Delivering the save command through NETCONF saves the configuration in the running configuration database to the startup configuration database every two hours. 2. Running the save command in the device CLI saves the configuration in the current-cfg database to the Startup cfg database. | Same as V5 devices.
NETCONF | Full configuration delivery in copy-config mode is supported. Configurations delivered through NETCONF do not overwrite those performed in the CLI. | 1. Full configuration delivery in copy-config mode is not supported. Configurations delivered through NETCONF overwrite those performed in the CLI. 2. Configuration changes can be triggered through CLI/SNMP, and change notification messages can be sent to the controller.
YunShan Device Management (Configuration Consistency Verification)
Configuration consistency verification upon first rollout: When a device goes online for the first time, the controller delivers full configurations to the device. Because the device may also have been configured through other methods, such as the local device CLI, configuration inconsistencies may occur. Therefore, after the full delivery, the controller automatically performs consistency verification and synchronizes configurations from the device if any differences are discovered.
Configuration consistency verification upon subsequent rollouts: When a device goes online again, only the flow IDs of the controller and the device are compared. If the flow IDs are inconsistent, configuration consistency verification is triggered. If any inconsistencies are found, manual synchronization or reconciliation is required to eliminate them; until then, northbound configuration requests cannot be delivered, which may lead to service security risks, for example, the risk of overwritten configurations.
Manual configuration consistency verification: Immediate verification can be triggered manually to check full configurations. In addition, scheduled verification tasks can be created (daily, weekly, or monthly). If any inconsistencies are found, manual synchronization or reconciliation is required to eliminate them.
This function can be configured on the Maintenance > Configuration Maintenance > Data Consistency page.
• Click Inconsistency Discovery to check the configuration differences between the controller and devices. In addition, configurations can be synchronized and reconciled on a per-device or per-feature basis.
YunShan Device Management (Configuration Consistency Verification)
Configure the synchronization/reconciliation mechanism
Scenario | Controller Data | Device Data | Configuration Source | Device-to-Controller Synchronization | Controller-to-Device Reconciliation
A configuration exists on the controller but not on the device. | VLAN 200 | N/A | E2E/ECS | The configurations on the controller and device remain unchanged. | The controller delivers the configuration in incremental mode to the device.
A configuration exists on the controller but not on the device. | VLAN 200 | N/A | None | The controller deletes this configuration. | The controller delivers the configuration in incremental mode to the device.
A configuration exists on the device but not on the controller. | N/A | VLAN 200 | N/A | The controller synchronizes the inconsistent configuration from the device to its southbound configuration library as an empty-source configuration. | If the function of deleting inconsistent configurations during reconciliation is enabled, the configuration on the device is deleted. If this function is disabled, the configurations on the controller and device remain unchanged.
A configuration exists on both the controller and the device, but the configuration data is different. | VLAN 10, name xxx | VLAN 10, name yyy | E2E/ECS | The configurations on the controller and device remain unchanged. | The configuration on the controller overwrites that on the device.
A configuration exists on both the controller and the device, but the configuration data is different. | VLAN 10, name xxx | VLAN 10, name yyy | None | The configuration on the device overwrites that on the controller. | If the function of deleting inconsistent configurations during reconciliation is enabled, the configuration on the controller overwrites that on the device. If this function is disabled, the configurations on the controller and device remain unchanged.
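The verification flow on the previous page (full delivery on first rollout, flow-ID comparison afterwards, northbound delivery blocked while inconsistencies remain) and the synchronization/reconciliation rules in the table above can be captured in a small model. The following is an added example written for this page, not iMaster NCE-Campus code. It assumes that a configuration is a dict keyed by feature instance (for example "vlan 10") with an attribute dict as value, that the controller records a configuration source per key ("E2E/ECS" or None, the table's None column), and that the flow ID can be modelled as a hash over the canonical configuration; the page does not say how the real flow ID is derived, so that part is an assumption.

```python
"""Model of the consistency check and the synchronization/reconciliation rules.
Added example, not iMaster NCE-Campus code. Assumptions: a configuration is a
dict keyed by feature instance ("vlan 10") with an attribute dict as value; the
controller keeps a configuration source per key ("E2E/ECS" or None); the flow
ID is a hash of the canonical configuration (the real derivation is not given)."""
import copy
import hashlib
import json

E2E = "E2E/ECS"


def flow_id(cfg):
    """Stand-in flow ID (assumption): equal configurations give equal IDs."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()[:16]


def find_inconsistencies(controller, device):
    """Inconsistency Discovery: map each differing key to one of the three scenarios."""
    kinds = {}
    for key in sorted(set(controller) | set(device)):
        if key not in device:
            kinds[key] = "controller_only"
        elif key not in controller:
            kinds[key] = "device_only"
        elif controller[key] != device[key]:
            kinds[key] = "different"
    return kinds


def sync_device_to_controller(controller, sources, device):
    """Device-to-controller synchronization column of the table."""
    controller, sources = copy.deepcopy(controller), dict(sources)
    for key, kind in find_inconsistencies(controller, device).items():
        src = sources.get(key)
        if kind == "controller_only" and src is None:
            del controller[key]                     # controller deletes its own copy
            sources.pop(key, None)
        elif kind == "device_only":
            controller[key] = copy.deepcopy(device[key])
            sources[key] = None                     # stored as an empty-source configuration
        elif kind == "different" and src is None:
            controller[key] = copy.deepcopy(device[key])  # device version wins
        # E2E/ECS-sourced configurations stay unchanged on both sides
    return controller, sources


def reconcile_controller_to_device(controller, sources, device, delete_inconsistent):
    """Controller-to-device reconciliation column of the table."""
    device = copy.deepcopy(device)
    for key, kind in find_inconsistencies(controller, device).items():
        src = sources.get(key)
        if kind == "controller_only":
            device[key] = copy.deepcopy(controller[key])  # incremental delivery
        elif kind == "device_only":
            if delete_inconsistent:
                del device[key]
        elif src == E2E or delete_inconsistent:
            device[key] = copy.deepcopy(controller[key])  # controller version wins
    return device


def device_online(controller, sources, device, first_rollout):
    """What the controller does when a device goes online."""
    if first_rollout:
        device = copy.deepcopy(device)
        device.update(copy.deepcopy(controller))           # full delivery
        controller, sources = sync_device_to_controller(controller, sources, device)
        return {"status": "synchronized", "northbound_allowed": True,
                "controller": controller, "sources": sources, "device": device}
    if flow_id(controller) == flow_id(device):             # cheap check first
        return {"status": "consistent", "northbound_allowed": True,
                "controller": controller, "sources": sources, "device": device}
    diffs = find_inconsistencies(controller, device)       # full verification
    return {"status": "inconsistent" if diffs else "consistent",
            "northbound_allowed": not diffs, "diffs": diffs,
            "controller": controller, "sources": sources, "device": device}


if __name__ == "__main__":
    # Constructed sample: the device was also edited from its local CLI.
    ctrl = {"vlan 200": {}, "vlan 10": {"name": "xxx"}}
    src = {"vlan 200": E2E, "vlan 10": None}
    dev = {"vlan 10": {"name": "yyy"}, "vlan 40": {}}
    print(device_online(ctrl, src, dev, first_rollout=False)["diffs"])
    print(reconcile_controller_to_device(ctrl, src, dev, delete_inconsistent=True))
```

The two direction functions never mutate their inputs, so an operator can preview both outcomes (with and without the delete-inconsistent option) before choosing one on the Data Consistency page; the model also makes explicit that an E2E/ECS-sourced configuration is only ever pushed towards the device, which is the page's reason for treating local CLI edits on YunShan devices as a risk.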
User Admission Overview
• User admission is a key feature provided by iMaster NCE-Campus to control user access. iMaster NCE-Campus not only supports 802.1X authentication, Portal authentication, and MAC address authentication on its own, but also supports interconnection with a third-party authentication server (a Portal or an AAA server) in all of the preceding authentication modes.
• iMaster NCE-Campus can function as a relay agent and interconnect with a third-party Portal or RADIUS server in API or RADIUS relay mode to implement authentication.
User Admission Scenario
(Figure: the cloud platform hosts the authentication system, Portal system, and configuration management system; it reaches the customer's network through HTTP/2 for authentication data and NETCONF for configuration data.)
Diversified authentication modes:
• Supports various authentication modes: 802.1X authentication, Portal authentication (anonymous authentication, username and password authentication, private pre-shared key (PPSK) authentication, and SMS authentication), MAC address authentication, and social media authentication.
• Supports protocols suitable for data transmission: Authentication data is transmitted through HTTP/2 (HACA) or RADIUS, while configuration data is transmitted through NETCONF.
• Open authentication solutions: Interconnection with a third-party Portal server is supported.
Social media authentication: meeting customers' business requirements. Various social media platforms are supported: Tencent QQ, WeChat, Sina Weibo, Facebook, and Twitter.
Social media authentication process:
1. Connect a mobile phone to a Wi-Fi network.
2. Open a browser, and then click Log In.
3. Interconnect with diversified social media platforms to implement social media authentication. The following social media platforms are supported:
  a) WeChat: can be used for WeChat URL-based and QR code-based authentication
  b) Tencent QQ
  c) Sina Weibo
  d) Facebook and Twitter
Various User Authentication Sources for Unified User Management (sources in different scenarios)
User Identity Source | Description | Used by
Local accounts | Username/password, MAC account, and self-registered guest account | Enterprise employees, guests, and O&M personnel
Social media | WeChat, Tencent QQ, Sina Weibo, Facebook, and Twitter | Guests
AD/LDAP server | Microsoft AD, Novell eDirectory, IBM Tivoli, Sun ONE, JIT Galaxy, OpenLDAP | Enterprise employees and guests
Third-party HTTP server | Requires an HTTP server authentication URL | Enterprise employees and guests
Third-party RADIUS server | iMaster NCE-Campus acts as a RADIUS relay agent | Enterprise employees
Token server | RSA SecurID and DaVinci password-based dynamic identity authentication systems | Enterprise employees
Certificate authentication | Interconnection with a certificate server (X.509 certificates are supported) | Enterprise employees
Full-lifecycle Guest Management in Diverse Scenarios (sources in different scenarios)
• Register: employee application; guest self-registration.
• Approve: approval exemption; approval by administrators; approval by receptionists.
• Distribute: SMS; email; web.
• Authenticate: anonymous authentication; username and password authentication; SMS authentication; social media authentication.
• Audit and deregister: user login and logout audit; automatic account deregistration after expiration; scheduled account deregistration.
Enterprises and government agencies: strict control over guest account approval and access permission assignment.
Public places: approval-free accounts, simple and flexible user admission, easy-to-use account assignment, and automatic logout.
(Figure icons: supermarket, cafe, school, government, shopping mall, restaurant, scientific research institute, customer service center, stadium, enterprise, hotel, exhibition hall.)
User Admission - Portal Authentication Configuration Process (1/6)
The Portal authentication configuration process has six steps: (1) customize a Portal page, (2) set social media interconnection parameters, (3) configure security authentication, (4) configure a Portal page push policy, (5) configure an authentication policy, and (6) configure an account for an end user.
Step 1: Customize a Portal page. You can select a language template (such as an English template) for Portal pages and a Portal authentication template type (such as SMS authentication).
• You can choose Admission > Admission Resources > Page Management from the main menu, click Page Customization to customize Portal pages, and click Portal Page Push Policy to create a Portal page push policy. If page customization is not required, you can skip this step.
• You can also modify Portal pages. The system allows up to 1000 tenants in total to customize Portal pages, and each tenant can customize at most 20 sets of Portal pages (including six default sets).
User Admission - Portal Authentication Configuration Process (2/6)
Step 2: Set social media interconnection parameters.
• You can choose Admission > Admission Resources > External Data Source > Social Media Parameters from the main menu. On the Social Media Parameters page, you can decide whether to configure interconnection with a social media platform. If this is not required, you can skip this step.
User Admission - Portal Authentication Configuration Process (3/6)
Step 3: Configure security authentication.
• When site templates are used: Take wireless authentication configuration as an example. Choose Provision > Device > Batch Deployment > Site from the main menu, select a site template, and access the SSID configuration page of APs and other required devices. Then configure the basic settings, security authentication, and policy control of SSIDs.
• When site templates are not used: Take wireless authentication configuration as an example. Choose Provision > Device > Site Configuration from the main menu, select a site, and access the SSID configuration page of APs and other required devices. Then configure the basic settings, security authentication, and policy control of SSIDs.
User Admission - Portal Authentication Configuration Process (4/6)
Step 4: Configure a Portal page push policy.
• You can choose Admission > Admission Resources > Page Management from the main menu, and then click the Portal Page Push Policy tab to customize a Portal page push policy. If you use the default policy, skip this step.
User Admission - Portal Authentication Configuration Process (5/6)
Step 5: Configure an authentication policy.
• You can choose Admission > Admission Policy > Authentication and Authorization from the main menu, and then click Authentication Rule, Authorization Result, and Authorization Rule, respectively, to customize an authentication policy.
User Admission - Portal Authentication Configuration Process (6/6)
Step 6: Configure an account for an end user.
• You can choose Admission > Admission Resources > User Management from the main menu and click User Management or Guest Management. On the User Management page, you can create accounts for end users. If social media accounts are used for authentication, you can skip this step.
5G Authentication Scenario
(Figure: 5G terminals (smart electricity meter, robot, gas sensor, CNC, temperature sensor) connect through a 5G CPE or 5G dongle to the 5GC, whose SMF talks to iMaster NCE-Campus; an optional IoT center feeds terminal information to iMaster NCE-Campus; enterprise intranet resources sit in the data center behind a firewall or switch. Steps 1 to 5 correspond to the access procedure on the next page.)
Application scenario: 5G networks have been rapidly developed and used in a wide range of scenarios. They feature high-speed mobility and wide coverage, making them an ideal complement to campus networks. Currently, 5G terminals (any devices with 5G modules) can access campus networks only through a wired network or Wi-Fi. Using 5G networks to allow for 5G terminal access will extend the physical boundary of terminal access and reduce enterprise network construction and maintenance costs.
Functions of each component:
• 5GC: manages the 5G core network, which involves many components. One of them is the access-related SMF.
• SMF: Session Management Function, which provides session management, policy control, and QoS functions.
• IoT center (optional): maintains information about 5G terminals and synchronizes the information to iMaster NCE-Campus.
• 5G CPE and 5G dongle: currently the main 5G terminals for access.
• iMaster NCE-Campus: performs authentication and authorization on terminals.
• Firewall or switch: manages network access rights of terminals.
5G Authentication Scenario
(Figure: the 5GC (AUSF, UDM, AMF, SMF, UPF) connects over an IPsec-encrypted link to the enterprise campus, where iMaster NCE-Campus, enterprise servers, VAS and third-party apps run on the MEC stack (MEP, MEC PaaS, MEC IaaS, MEC hardware, MSCG); the IoT center and the enterprise administrator feed iMaster NCE-Campus; IoT terminals attach through a 5G macro base station or indoor distributed base station. Steps 1 to 5 are numbered as below.)
Access procedure:
1. The enterprise administrator purchases SIM cards and terminals in a unified manner, and imports the IMSIs and IMEIs to the IoT center.
2. The IoT center synchronizes information including IMSIs and IMEIs to iMaster NCE-Campus.
3. Terminals (with SIM cards) access the 5G network based on 5G-AKA authentication, and initiate Protocol Data Unit (PDU) session establishment.
4. The SMF triggers RADIUS Password Authentication Protocol (PAP)/Challenge-Handshake Authentication Protocol (CHAP) authentication, and sends terminal information such as IMSIs and IMEIs to iMaster NCE-Campus for authentication. Communication between the SMF and the enterprise's AAA server involves sensitive information. Therefore, the data flow between them is transmitted through a leased line and encrypted by IPsec.
5. When the authentication succeeds, the terminals have access to enterprise intranet resources.
Constraint:
• The authentication requires terminal IMSIs or IMEIs, which are personal information. Currently, only IoT terminals are supported.
• The RADIUS CHAP/PAP scheme is used between the SMF and the controller, which is insecure. Therefore, a secure channel is required to ensure data security.
Dependency:
• The carrier provides APNs on the 5GC for enterprises.
• The carrier's SMF must support RADIUS with extended 3rd Generation Partnership Project (3GPP) attributes.
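Step 4 and the constraint on PAP/CHAP can be made concrete with the exchange itself. The following is an added example written for this page, not Huawei, carrier or 3GPP code. It builds the RADIUS Access-Request the SMF would send, with the IMSI and IMEISV carried as 3GPP vendor-specific attributes, checks it on the controller side against the terminal list synchronized from the IoT center, and shows why the page requires a leased line with IPsec: PAP hides the password only behind an MD5 keystream derived from the RADIUS shared secret, and a CHAP exchange seen on the wire can be tested against password guesses offline. Attribute codes are from RFC 2865; the 3GPP vendor ID 10415 with 3GPP-IMSI = 1 and 3GPP-IMEISV = 20 is the 3GPP RADIUS dictionary (TS 29.061). The shared secret, identifiers, challenge and credentials are constructed sample data.

```python
"""RADIUS PAP/CHAP between an SMF and the controller. Added example, not Huawei
or 3GPP code. Attribute codes: RFC 2865; 3GPP VSAs: vendor 10415, IMSI = 1,
IMEISV = 20 (TS 29.061). All secrets, IDs and credentials are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, CHAP_CHALLENGE = 1, 2, 3, 26, 60
VENDOR_3GPP, VSA_IMSI, VSA_IMEISV = 10415, 1, 20


def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret || previous block), the
    first block keyed by the Request Authenticator. Only as strong as the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decode(encoded, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """RFC 2865 5.3 / RFC 1994: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password, challenge, expected_password):
    return hmac.compare_digest(chap_password, chap_response(chap_password[0], expected_password, challenge))


def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value


def vsa_3gpp(sub_type, value):
    inner = struct.pack("!BB", sub_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + inner)


def smf_request(imsi, imeisv, password, secret, scheme, ident, authenticator, challenge=None):
    """SMF side: Access-Request carrying IMSI/IMEISV plus a PAP or CHAP credential."""
    attrs = [attr(USER_NAME, imsi.encode()),
             vsa_3gpp(VSA_IMSI, imsi.encode()), vsa_3gpp(VSA_IMEISV, imeisv.encode())]
    if scheme == "PAP":
        attrs.append(attr(USER_PASSWORD, pap_encode(password, secret, authenticator)))
    elif scheme == "CHAP":
        attrs += [attr(CHAP_PASSWORD, chap_response(ident, password, challenge)),
                  attr(CHAP_CHALLENGE, challenge)]
    else:
        raise ValueError("scheme must be PAP or CHAP")
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_request(packet):
    """Return (ident, authenticator, attrs); 3GPP VSAs are keyed by ('3gpp', sub_type)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        code, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if code == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_3GPP:
            attrs[("3gpp", value[4])] = value[6:4 + value[5]]
        else:
            attrs[code] = value
        pos += alen
    return ident, packet[4:20], attrs


def controller_authenticate(packet, secret, allowed):
    """Controller side: the IMSI must be known (as synchronized from the IoT
    center) and the credential must verify. Returns (ok, imsi, imeisv)."""
    _ident, authenticator, a = parse_request(packet)
    imsi, imeisv = a[("3gpp", VSA_IMSI)].decode(), a[("3gpp", VSA_IMEISV)].decode()
    expected = allowed.get(imsi)
    if expected is None:
        return False, imsi, imeisv
    if CHAP_PASSWORD in a and CHAP_CHALLENGE in a:
        return chap_verify(a[CHAP_PASSWORD], a[CHAP_CHALLENGE], expected), imsi, imeisv
    if USER_PASSWORD in a:
        return hmac.compare_digest(pap_decode(a[USER_PASSWORD], secret, authenticator), expected), imsi, imeisv
    return False, imsi, imeisv


def offline_guess_chap(packet, candidates):
    """Why the leased line and IPsec are required: anyone who captures a CHAP
    exchange can test password guesses offline without the RADIUS shared secret."""
    _, _, a = parse_request(packet)
    return next((c for c in candidates if chap_verify(a[CHAP_PASSWORD], a[CHAP_CHALLENGE], c)), None)
```

Note that the IMSI and IMEISV travel in clear text in both schemes; RADIUS itself only obfuscates the User-Password attribute, which is why the page treats the link as carrying personal information and requires IPsec regardless of whether PAP or CHAP is negotiated.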
Application Scenarios of IoT Sensing Networks
As is: closed vertical systems (air conditioning and ventilation system, water supply and drainage system, lighting system), each with its own application layer, platform layer, network layer (LAN), and IoT device layer (DDCs and sensors over an RS485 bus or IP access).
To be: IoT applications on a unified IoT digital platform with a PKI certificate system; a network layer with an IoT gateway and LAN plus a network controller providing a policy enforcement engine and logic orchestration; and a shared IoT device layer (DDCs and sensors over an RS485 bus or IP access).
• Closed vertical systems: incompatible with other vendors, high costs, and unable to expand applications. Unified IoT digital platform: defines thing models of different systems and provides open interfaces for third-party applications to build an ecosystem.
• RS485 bus: the network has many RS485 connections, the RS485 bandwidth is insufficient, and it lacks intelligent O&M capability. IP-based direct digital controller (DDC): reduces investment in physical connections and enhances visualized O&M capabilities.
Terminal Access on IoT Sensing Networks
1. The function of delivering IoT tags to APs is enabled on the controller. In the wireless access scenario, the APs provide SSIDs with IoT tags. iConnect terminals proactively search for SSIDs with IoT tags and automatically connect to such an SSID once they discover one.
2. Certificate authentication can be used for secure access. Terminals need to pass MAC address authentication on the controller, apply to the controller for certificates (which can be issued by the built-in CA server or a third-party CA server), and then initiate certificate authentication.
3. PPSK authentication can be used as well. Terminals need to pass MAC address authentication on the controller, apply to the controller for PPSKs, and then initiate PPSK authentication. In this process, the controller needs to allocate PPSK accounts and then deliver PPSKs to terminals. PPSK accounts can be allocated to terminals in either of the following ways: the controller allocates the PPSK accounts that have already been bound to MAC accounts based on the terminal MAC addresses, or it allocates PPSK accounts from the pre-configured PPSK resource pool and then binds these PPSK accounts to the terminal MAC addresses.
Unified Wi-Fi CPE Management
Application scenario: Unified management of Wi-Fi CPEs is required in scenarios such as industrial manufacturing, Internet healthcare, and smart livestock farming.
Seamless access of Wi-Fi CPEs:
1. Wi-Fi CPEs access the network through the SSID to connect to the controller.
2. Wi-Fi CPEs apply for certificates from the controller.
3. Wi-Fi CPEs have secure access to the network after passing 802.1X authentication by using the applied certificates.
Before unified management:
• Management: iMaster NCE-Campus supports unaware authentication of Wi-Fi CPEs, but cannot manage them as NEs.
• Monitoring: iMaster NCE-Campus cannot monitor the working states of Wi-Fi CPEs or detect faults on their downlink interfaces.
• O&M: A local FTP server needs to be set up for upgrading Wi-Fi CPE versions. You can run commands on Wi-Fi CPEs to restart and upgrade them.
With unified O&M and management:
• Management: iMaster NCE-Campus can manage Wi-Fi CPEs in a unified manner.
• Monitoring: iMaster NCE-Campus can remotely monitor Wi-Fi CPEs.
• O&M: iMaster NCE-Campus can remotely upgrade Wi-Fi CPEs in batches and deliver commands to them.
Constraints: This function is applicable only to Wi-Fi CPEs in WAC + Fit AP scenarios and is not applicable to Wi-Fi CPEs connected to cloud APs.
(Figure: network administrator, iMaster NCE, certificate server, and WAC on the network; Wi-Fi CPEs on an AGV, a production line, and AOI equipment.)
Unified Wi-Fi CPE Management
(Figure: Wi-Fi CPE list on iMaster NCE-Campus, "Manage Wi-Fi CPEs in a unified manner".)
• iMaster NCE-Campus supports unified management of Wi-Fi CPEs. It monitors and displays information about Wi-Fi CPEs, such as MAC addresses, IP addresses, states (online or offline), connected APs, connected SSIDs, traffic statistics, uplink and downlink rates, packet loss rates, and online duration.
Unified Wi-Fi CPE Management
(Figure: upgrading Wi-Fi CPEs in batches; delivering commands to Wi-Fi CPEs.)
• iMaster NCE-Campus can upgrade the firmware of Wi-Fi CPEs in batches, deliver commands to them, and display the command outputs.
Authentication Component Networking
Authentication components authenticate terminals as follows:
• When authentication components are installed, the southbound IP address of iMaster
NCE-Campus to which the authentication components connect is specified.
• After installation, the authentication components automatically send registration
requests to iMaster NCE-Campus to establish TCP persistent connections.
• iMaster NCE-Campus manages the authentication components by their ESNs. On receiving a registration request, iMaster NCE-Campus checks that the component's ESN is known to it. The authentication component and iMaster NCE-Campus then verify each other's certificates, and the connection is established only after both checks succeed.
• A tenant administrator configures authentication policies on iMaster NCE-Campus,
such as authentication rules, authorization rules, authorization results, online duration
and traffic policies, and guest accounts. iMaster NCE-Campus automatically
synchronizes these configurations to the authentication components through the data
synchronization channels.
• When delivering authentication configurations to devices, the tenant administrator can
configure the authentication components as Portal or RADIUS servers.
• When connecting to the network, an end user sends an authentication request to an
authentication component. After the authentication component verifies the user's
account, it authorizes the user and allows the user to go online.
• The authentication component reports online user information to iMaster NCE-
Campus. Then, the tenant administrator can view information about all online users on
iMaster NCE-Campus.
Authentication Component Application Scenario
• For an enterprise with multiple branches, an independent authentication component can be deployed for each branch, improving authentication speed and reliability at the branches.
• Where a large number of terminals initiate authentication requests at the same time and high reliability is required, authentication components can be deployed in active/standby or load-balancing mode. If a single authentication component fails, authentication services are not affected, improving authentication reliability. Authentication components working in active/standby mode implement disaster recovery (DR) and thus ensure the continuity of authentication services.
Multi-level RADIUS Relay
• To set up a hierarchical educational private network with multi-level RADIUS relay authentication, multiple copies of controllers can be deployed as RADIUS relay servers at different domain levels. Teachers can then access the educational private network using the same account by connecting to RADIUS relay servers in different regions (eduroam scenarios).
(Figure: relay hierarchy by domain. *.cn: radiusRelayDis0. Below it, *.fdu.cn: radiusRelayDis1 and *.edu.cn: radiusRelayDis2. Below those, *.guangxi.fdu.cn: radiusRelayDis3, *.hainan.edu.cn: radiusRelayDis4, and *.Jiangsu.edu.cn: radiusRelayDis5. Example username: xiaoming.guangxi.fdu.cn.)
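How a request for xiaoming.guangxi.fdu.cn travels through the relay hierarchy in the figure, as an added example written for this page (not Huawei's relay implementation). The relay names and domains are taken from the figure (domains lower-cased); the username format, the second "user@realm" format, the hop limit and the loop check are assumptions.

```python
# Added example: realm-based routing through the multi-level RADIUS relay tree above.
# Relay names and domains follow the figure; usernames and the hop limit are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Relay:
    name: str
    domain: str                                # "fdu.cn" for *.fdu.cn
    parent: Optional["Relay"] = None
    children: Dict[str, "Relay"] = field(default_factory=dict)

    def add_child(self, child: "Relay") -> "Relay":
        child.parent = self
        self.children[child.domain] = child
        return child

    def next_hop(self, realm: str) -> Tuple[str, Optional["Relay"]]:
        """What this relay does with a request for `realm`:
        ("local", None)    the realm is this relay's own domain: authenticate here
        ("forward", relay) hand off to the child with the longest matching suffix,
                           or up to the parent if no child matches
        ("reject", None)   no child matches and there is no parent: unknown realm"""
        if realm == self.domain:
            return "local", None
        best = None
        for dom, child in self.children.items():
            if realm == dom or realm.endswith("." + dom):
                if best is None or len(dom) > len(best.domain):
                    best = child
        if best is not None:
            return "forward", best
        if self.parent is not None:
            return "forward", self.parent
        return "reject", None


def realm_of(username: str) -> str:
    """Slide format 'user.sub.domain.tld' (everything after the first dot);
    also accepts 'user@realm'."""
    if "@" in username:
        return username.rsplit("@", 1)[1].lower()
    parts = username.split(".", 1)
    if len(parts) != 2 or not parts[1]:
        raise ValueError(f"no realm in username {username!r}")
    return parts[1].lower()


def route(username: str, start: Relay, max_hops: int = 8) -> List[str]:
    """Relay names visited, in order, until a relay authenticates the user locally.
    Raises LookupError for an unknown realm and RuntimeError on a relay loop."""
    realm = realm_of(username)
    path, relay = [start.name], start
    for _ in range(max_hops):
        action, nxt = relay.next_hop(realm)
        if action == "local":
            return path
        if action == "reject":
            raise LookupError(f"no relay serves realm {realm!r}")
        relay = nxt
        path.append(relay.name)
    raise RuntimeError("hop limit exceeded; check the relay configuration for loops")


def build_slide_hierarchy() -> Dict[str, Relay]:
    """The six relays from the figure, keyed by name."""
    cn = Relay("radiusRelayDis0", "cn")
    fdu = cn.add_child(Relay("radiusRelayDis1", "fdu.cn"))
    edu = cn.add_child(Relay("radiusRelayDis2", "edu.cn"))
    fdu.add_child(Relay("radiusRelayDis3", "guangxi.fdu.cn"))
    edu.add_child(Relay("radiusRelayDis4", "hainan.edu.cn"))
    edu.add_child(Relay("radiusRelayDis5", "jiangsu.edu.cn"))
    return {r.name: r for r in (cn, fdu, edu, *fdu.children.values(), *edu.children.values())}
```

A teacher from *.guangxi.fdu.cn who connects in Hainan is routed up from radiusRelayDis4 to the *.cn root and back down to radiusRelayDis3, which holds the account. The hop limit matters in practice: a misconfigured parent pointer turns the tree into a cycle, and without a bound the request would circulate until the client times out.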
Terminal plug-and-play
Terminal Identification for Terminal Plug-and-Play
Requirements & Challenges:
• A higher education institution: terminal information is collected by level-2 colleges; MAC address collection is difficult and error-prone.
• An automobile enterprise: 10+ days of reported authentication faults; bogus terminals are difficult to locate.
(Figure: packets of terminal information from cameras, IP phones, printers, smart terminals, PCs, laptops, and mobile phones are fed into the built-in terminal fingerprint database, the industry's most comprehensive, covering 50+ types.)
Capabilities:
• Terminal identification ("Who am I"): terminal type, OS, ...
• Authentication and authorization ("What can I do"): for example, PCs/laptops can access the internal network; mobile phones can access the security zone.
• Traffic statistics collection ("What have I done"): traffic size, online duration, ...
• Terminal anti-spoofing ("I am replaced by a spoofed terminal"): alarm, isolation.
Terminal plug-and-play
Terminal Type Identification Based on Industry's Most Comprehensive Terminal Fingerprint Database
(Figure: the fingerprint database, "industry's most comprehensive", is fed by information reporting and proactive scanning.)
Type | Identification Method | Technical Description | Application Scenario
Information reporting | MAC OUI | The first three bytes of a MAC address represent the manufacturer. | All terminals. This method can identify only terminal manufacturers.
Information reporting | HTTP User-Agent | A browser's User-Agent string contains the manufacturer, terminal type, OS, browser type, and other information. | Mobile phones, tablets, PCs, workstations, and intelligent audio/video terminals (TV sticks).
Information reporting | DHCP option | Some options in a terminal's DHCP packets can be used to classify terminals, for example, DHCP Options 55, 60, and 12. | Mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc.
Information reporting | LLDP | Link Layer Discovery Protocol data units (LLDPDUs) carry terminal model information. | IP phones, IP cameras, network devices, etc.
Information reporting | mDNS | mDNS packets contain terminal model and service information. | Apple devices, printers, IP cameras, etc.
Proactive scanning | SNMP query | This method obtains identification information by querying device information-related objects among SNMP MIB objects. | Network devices and printers.
Proactive scanning | Nmap | Nmap is used to scan the OS and services of terminals to obtain terminal model and OS information. | PCs, workstations, printers, phones, IP cameras, etc.
Terminal plug-and-play
Automatic Expansion of the Terminal Identification Fingerprint Database – On-Premises AI Fingerprint Learning
(Figure: NCE-Campus terminal identification (terminal fingerprint management, customized terminal fingerprint database, customized identification rule management) interworking with the NAIE platform (model management, inference execution, identification rule mining, mining model management). Processing pipeline: packet protocol extraction, key information extraction with BERT-NER, terminal identification character string, terminal identification result mapping.)
Workflow:
1. Synchronize the model files to the NAIE platform.
2. Report the unknown terminal fingerprints.
3. Infer terminal fingerprints and mine identification rules.
4. Report the fingerprint identification rules.
5. Check the fingerprint validity.
Integrated with the Network AI Engine (NAIE), NCE-Campus can infer fingerprints of unknown terminals. In addition, NCE-Campus mines the keywords in fingerprint data identified through HTTP User-Agent, DHCP option, and other methods to abstract new fingerprint rules based on the data model.
Note: BERT is an algorithm proposed by Google AI Research that can be applied to natural language processing (NLP); BERT-NER is used here for key information extraction.
Terminal plug-and-play
Automatic Expansion of the Terminal Identification Fingerprint Database – Cloud-Premises Collaborative Fingerprint Learning
(Figure: on-premises NCE-Campus (terminal identification, terminal fingerprint management, terminal fingerprint database); cloud NAIE (data lake, training platform with BERT model training, model evaluation, AI marketplace and model publishing) operated by a fingerprint algorithm engineer (O&M personnel); and the Huawei Security Center, sec.huawei.com.)
Workflow:
1. Devices report fingerprints of unknown terminals to NCE-Campus.
2. NCE-Campus reports the terminal fingerprints to the cloud.
3. On the NAIE: fingerprint data import into the lake, data labeling, rule mining, model training, model evaluation, and model publishing.
4. The results are sent to the Huawei Security Center (sec.huawei.com).
5. Manual or scheduled update of the terminal identification fingerprint database on NCE-Campus.
Devices report terminal fingerprint data to NCE-Campus. NCE-Campus then summarizes the unidentified terminal fingerprint data and reports it to the NAIE on the cloud. The NAIE on the cloud mines the keywords in the fingerprint data identified through HTTP User-Agent, DHCP option, and other methods to generate new fingerprint rules based on the data model. After being verified by professionals, the fingerprint data is sent to Huawei's fingerprint database. NCE-Campus interconnects with Huawei's fingerprint database for real-time database updates.
Terminal plug-and-play
Automatic Expansion of the Terminal Identification Fingerprint Database – Cloud-Premises Collaborative Fingerprint Learning
(Figure: configuration pages.)
• Tenant administrators enable the function of uploading the fingerprint data of unknown terminals to the cloud.
• Tenant administrators configure manual or scheduled upgrade of the terminal fingerprint database.
Terminal plug-and-play
Anti-Unauthorized Network Access: Zero Unauthorized Access, Enhancing Network Security
Scenario description: Unauthorized network access is found in a project and the customer wants to protect the network.
(Figure: iMaster NCE-Campus handles unauthorized access identification, rule definition, and alarms and blocking; the network device side handles authentication or scanning and terminal information reporting, through information reporting and proactive scanning.)
Rule types:
Rule Type | Description | Result
Whitelist | Only whitelisted terminals are authorized. All other terminals, including unidentified terminals, are unauthorized. | All non-whitelisted terminals are unauthorized.
Blacklist | Blacklisted terminals are unauthorized. All other terminals, including unidentified terminals, are authorized. | All blacklisted terminals are unauthorized and all other terminals are authorized.
Identification methods:
Identification Method | Application Scope | Details | Scheduled Scanning
Terminal identification during authentication | Authenticated terminals | Terminal information identification | Not required; identification is triggered by authentication.
Scheduled scanning | Unauthenticated terminals | Nmap- and SNMP-based scanning by IP address segment | Required. The scanning period can be set to once, daily, weekly, etc.
Blocking methods:
Processing Method | Description | Application Scope | Automatic or Not | Later Operations | Others
MAC address–based blocking | Access blocking based on MAC addresses | Wireless/Wired | No; manual operations are required for batch processing. | Cancel blocking | When a terminal connects to a different access device upon its second access, an alarm is generated and the terminal's access is blocked.
Port shutdown | Access blocking through port shutdown | Wired | No; manual operations are required for batch processing. | Cancel blocking; enable the port on the device configuration page | When a terminal connects to a different access device upon its second access, only an alarm is generated and the terminal can still access the network.
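The identification methods from the fingerprint table earlier (MAC OUI, HTTP User-Agent, DHCP Options 55, 60 and 12) and the whitelist/blacklist semantics from the rule table above, combined in one added example written for this page. It is not Huawei's fingerprint database or product code: the fingerprint tables, MAC addresses, DHCP contents and User-Agent strings are constructed, and real databases are far larger and weight conflicting evidence rather than simply taking the first signal.

```python
# Added example: multi-signal terminal identification followed by whitelist/blacklist
# evaluation. Fingerprint tables and sample terminals are constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Triple = Tuple[Optional[str], Optional[str], Optional[str]]   # (type, vendor, os)

OUI_VENDORS = {"00:1a:2b": "AcmeCam", "3c:22:fb": "Apple"}   # constructed OUI table
UA_PATTERNS: List[Tuple[re.Pattern, Triple]] = [
    (re.compile(r"\biPhone\b"), ("Mobile phone", "Apple", "iOS")),
    (re.compile(r"\bAndroid\b"), ("Mobile phone", None, "Android")),
    (re.compile(r"\bWindows NT\b"), ("PC", None, "Windows")),
]
DHCP_VENDOR_CLASS = {                 # option 60 prefixes
    "MSFT 5.0": ("PC", None, "Windows"),
    "android-dhcp": ("Mobile phone", None, "Android"),
    "AcmeCam/": ("IP camera", "AcmeCam", None),
}
DHCP_PRL = {                          # option 55 parameter request lists (order matters)
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("PC", None, "Windows"),
    "1,3,6,15,26,28,51,58,59,43": ("Mobile phone", None, "Android"),
}


@dataclass
class Identity:
    mac: str
    type: Optional[str] = None
    vendor: Optional[str] = None
    os: Optional[str] = None
    sources: List[str] = field(default_factory=list)

    @property
    def identified(self) -> bool:
        return self.type is not None

    def merge(self, triple: Triple, source: str) -> None:
        """Earlier (more specific) evidence wins; later evidence only fills gaps."""
        t, v, o = triple
        self.type, self.vendor, self.os = self.type or t, self.vendor or v, self.os or o
        self.sources.append(source)


def identify(mac: str, dhcp: Optional[Dict[int, str]] = None,
             user_agent: Optional[str] = None) -> Identity:
    """Classify a terminal from whatever was reported for it; missing evidence is tolerated."""
    mac = mac.lower().replace("-", ":")
    ident = Identity(mac)
    dhcp = dhcp or {}
    vendor_class = dhcp.get(60, "")
    for prefix, triple in DHCP_VENDOR_CLASS.items():
        if vendor_class.startswith(prefix):
            ident.merge(triple, "DHCP option 60")
            break
    if dhcp.get(55) in DHCP_PRL:
        ident.merge(DHCP_PRL[dhcp[55]], "DHCP option 55")
    if dhcp.get(12, "").lower().startswith("android-"):
        ident.merge(("Mobile phone", None, "Android"), "DHCP option 12")
    if user_agent:
        for pattern, triple in UA_PATTERNS:
            if pattern.search(user_agent):
                ident.merge(triple, "HTTP User-Agent")
                break
    if mac[:8] in OUI_VENDORS:            # the OUI only ever tells us the manufacturer
        ident.merge((None, OUI_VENDORS[mac[:8]], None), "MAC OUI")
    return ident


@dataclass
class AccessRule:
    mode: str                 # "whitelist" or "blacklist"
    terminal_types: Set[str]

    def authorized(self, ident: Identity) -> bool:
        """Whitelist: only listed types pass, and an unidentified terminal never does.
        Blacklist: listed types fail; everything else, unidentified included, passes."""
        listed = ident.identified and ident.type in self.terminal_types
        if self.mode == "whitelist":
            return listed
        if self.mode == "blacklist":
            return not listed
        raise ValueError(f"unknown rule mode {self.mode!r}")
```

The point the two tables make together is visible in `AccessRule.authorized`: an unidentified terminal is denied under a whitelist but admitted under a blacklist, so a blacklist alone does not stop a terminal that hides its fingerprint, and a whitelist makes the quality of identification (the `sources` list) a security control.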
Terminal plug-and-play
Anti-Unauthorized Network Access: Implementing Access Control on Unauthorized Terminals After Terminal Identification
iMaster NCE-Campus defines rules for identifying unauthorized terminals based on the terminal type, vendor, model, OS, and serial number. After the unauthorized terminal access control function is enabled, if an identified terminal matches an unauthorized terminal rule, the terminal's access is denied. Access of unauthorized terminals can be blocked based on MAC addresses or by shutting down access ports.
MDM Association Networking
(Figure: Internet, NCE-Campus, AC, and a mobile terminal. 0. An administrator configures the controller and an MDM server. 1. The terminal downloads an MDM app from the MDM server, installs it, and registers with the MDM server. 2. The MDM app periodically checks the terminal security status and reports the check result. 3. The terminal connects to the Wi-Fi network and initiates 802.1X authentication. 4. The controller queries the terminal status from the MDM server. 5. The controller returns the authentication result.)
1. An administrator configures interconnection between iMaster NCE-Campus and a mobile device management (MDM) server. iMaster NCE-Campus provides dedicated interfaces for interconnection with MDM systems from Ivanti and QI-ANXIN, respectively, and provides unified standard interfaces for interconnection with MDM servers from Leagsoft and Wonders Information.
2. The administrator configures the MDM server, the API for querying information from the MDM server, and the MDM authorization rules and results on iMaster NCE-Campus.
3. The administrator configures an MDM terminal security check policy on the MDM server.
4. A terminal downloads an MDM app from the MDM server, installs it, and uses this app to register with the MDM server. (MDM app downloading and installation must be considered during networking design. You can deploy a dedicated Huawei-Init SSID for terminals to download the MDM app by referring to the Huawei CloudCampus Wi-Fi networking solution.)
5. The terminal connects to the Wi-Fi network and initiates 802.1X authentication.
6. iMaster NCE-Campus interworks with the MDM server to proactively query terminal status or to receive terminal status information through notifications sent by the MDM server. When authorizing the terminal, iMaster NCE-Campus invokes an API to query the status and information of the terminal from the MDM server based on the terminal MAC address, including whether the terminal has registered with the MDM server, whether the terminal is compliant, and basic terminal information. Alternatively, the MDM server invokes the synchronization API of iMaster NCE-Campus to synchronize terminal information to iMaster NCE-Campus. If the terminal is not compliant, iMaster NCE-Campus matches the terminal with the MDM isolation authorization result and isolates the terminal. After authorization, iMaster NCE-Campus sends the authentication result (authentication success, MDM isolation, or authentication failure) to the WAC, and delivers the corresponding ACL, AAA user group, or VLAN based on the matching authorization result to limit the resources accessible to the terminal.
Terminal plug-and-play
Interconnection with HiSec Insight, Enhancing Terminal Security Protection
Scenario description: In a project that requires high terminal security and has HiSec Insight deployed, configure iMaster NCE-Campus to interwork with HiSec Insight to improve terminal security protection.
(Figure: score synchronization: iMaster NCE-Campus checks terminal scores from HiSec Insight at an interval, HiSec Insight sends the terminal scores, and iMaster NCE-Campus disconnects a terminal if it is not compliant. Access flow: 1. The terminal initiates authentication. 2. The access device sends an authentication request. 3. iMaster NCE-Campus checks the terminal score through an API. 4. HiSec Insight sends the terminal score. 5. iMaster NCE-Campus delivers control policies that allow network access only to compliant terminals, and disconnects the user otherwise. 6. The terminal accesses the network successfully. MDM conditions are configured on iMaster NCE-Campus.)
Fundamentals:
• Interconnect iMaster NCE-Campus with HiSec Insight.
• Configure an MDM condition for HiSec Insight, for example, a condition matching terminals whose scores are 92.
• Configure authentication and authorization rules to perform authentication and authorization based on the MDM condition. If an access terminal matches the condition, it is allowed network access. If not, its access is denied.
Prerequisites:
• iMaster NCE-Campus can query terminal scores in batches from HiSec Insight at a specific interval.
• HiSec Insight synchronizes terminal score changes to iMaster NCE-Campus.
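The decision logic described on the MDM slide and on this one, as an added example written for this page: MDM registration and compliance state plus a HiSec Insight-style trust score are mapped to one of the three results (authentication success, MDM isolation, authentication failure), and online terminals are re-evaluated when a pushed or polled score changes. This is not Huawei's or HiSec Insight's code or API; the threshold, VLAN and ACL names, MAC addresses and rule order are assumptions.

```python
# Added example: authorization from MDM compliance and trust score, with re-evaluation
# of online terminals on score change. Thresholds, names and records are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class MdmStatus:
    registered: bool
    compliant: bool


@dataclass(frozen=True)
class Context:
    mac: str
    mdm: Optional[MdmStatus]          # None: the MDM server knows nothing about this MAC
    trust_score: Optional[int]        # None: no score cached yet


@dataclass(frozen=True)
class AuthzResult:
    name: str
    vlan: Optional[int] = None
    acl: Optional[str] = None


SUCCESS = AuthzResult("authentication success", vlan=100, acl="acl-office")
ISOLATE = AuthzResult("MDM isolation", vlan=999, acl="acl-quarantine")
FAILURE = AuthzResult("authentication failure")

Condition = Callable[[Context], bool]


def score_at_least(threshold: int) -> Condition:
    """MDM condition on the trust score; a missing score never satisfies it (fail closed)."""
    return lambda ctx: ctx.trust_score is not None and ctx.trust_score >= threshold


def mdm_compliant(ctx: Context) -> bool:
    return ctx.mdm is not None and ctx.mdm.registered and ctx.mdm.compliant


def mdm_non_compliant(ctx: Context) -> bool:
    """Registered but failing the MDM security check: this is what gets isolated."""
    return ctx.mdm is not None and ctx.mdm.registered and not ctx.mdm.compliant


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition
    result: AuthzResult


def authorize(ctx: Context, rules: List[Rule]) -> AuthzResult:
    """First matching authorization rule wins; no match is a failure."""
    for rule in rules:
        if rule.condition(ctx):
            return rule.result
    return FAILURE


class ScoreCache:
    """Scores pulled in batches at an interval plus pushed updates from the analyzer."""

    def __init__(self) -> None:
        self.scores: Dict[str, int] = {}

    def refresh(self, batch: Dict[str, int]) -> None:       # periodic batch query
        self.scores.update(batch)

    def on_score_change(self, mac: str, score: int) -> None:  # pushed change
        self.scores[mac] = score

    def get(self, mac: str) -> Optional[int]:
        return self.scores.get(mac)


def reevaluate(online: Dict[str, Context], cache: ScoreCache, rules: List[Rule]) -> List[str]:
    """MACs of online terminals whose result is no longer SUCCESS; these get disconnected."""
    to_disconnect = []
    for mac, ctx in online.items():
        fresh = Context(mac, ctx.mdm, cache.get(mac))
        if authorize(fresh, rules) != SUCCESS:
            to_disconnect.append(mac)
    return to_disconnect


TRUSTED = score_at_least(92)           # assumption: the slide's example value as a threshold
RULES = [
    Rule("compliant and trusted", lambda c: mdm_compliant(c) and TRUSTED(c), SUCCESS),
    Rule("registered but not compliant", mdm_non_compliant, ISOLATE),
]
```

Two details are deliberate: an unregistered terminal and a terminal with no cached score both fall through to failure rather than success, and `reevaluate` re-runs the same rules the initial authorization used, so the disconnect path cannot drift from the admission path.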
Terminal plug-and-play
Precise Authorization Based on Terminal Trust Scores on HiSec Insight
(Figure: configuration pages.)
1. Configure interconnection with HiSec Insight.
2. Configure an MDM condition based on terminal trust scores, which are queried from HiSec Insight.
3. Apply the MDM condition to an authorization rule to implement precise terminal authorization.
Intelligent HQoS: User- and Application-based QoS Policies
User- and Application-based QoS Policies Guarantee Experience of Key Users and Applications
Requirements & Challenges:
• QoS policies are ineffective for video services.
• (Example) Building monitoring scenario: an increase in wireless video services occupies excessive bandwidth, so downlink congestion occurs in some scenarios. (Figure: video surveillance cameras, VIP users, and other users.)
Solution:
① Define who the VIP users are, and define application priorities.
② Two-level scheduling: user queue and application queue.
③ Native WACs and standalone WACs support large buffers and four levels of queues. The S12700E supports a 40 x 25GE card with a 4 GB buffer; the AirEngine 9700-M supports a 512 MB buffer.
Constraints:
• Tunnel forwarding mode is required for wireless networks.
• Only 40 x 25GE cards on the S12700E support HQoS. In addition, the S5731/32-H provides 25 Gbit/s uplink bandwidth.
• It is recommended that the proportion of VIP users be no more than 10%.
• Application scheduling templates need to be created on the WAC's web system.
Specifications:
• The S12700E supports 16,000 VIP users on one board, while the AirEngine 9700-M supports 1800 users on one board.
• A maximum of 31 application scheduling templates can be configured on NCE-Campus.
Intelligent HQoS: Native WAC/Standalone WAC: FQ + SQ + GQ + DP, 4-Level Queue
Priority-based traffic scheduling for each application and user, with four-level queues for traffic buffering and shaping, implementing refined management and control.
(Figure: the four queue levels.)
• Flow Queue (FQ): priority-based traffic scheduling and shaping for each application. Example queues: Application 1, 2 MB queue, CS7, PQ; Application 2, 2 MB, CS6, PQ; Application 3, 2 MB, EF, PQ; Application 4, 15 MB, AF4, DRR weight 15; Application 5, 15 MB, AF3, DRR 15; Application 6, 30 MB, AF2, DRR 10; Application 7, 40 MB, AF1, DRR 10; Application 8, 30 MB, BE, DRR 10.
• Subscriber Queue (SQ): priority-based traffic scheduling for each subscriber. VIP user 1 (SQ 1) and VIP user 2 (SQ 2) are scheduled with strict priority (SP); common users 3, 4, and 5 form a common user group (SQ 3) scheduled by DRR at 1:1 and subject to a maximum traffic shaping value.
• AP Queue (GQ): traffic shaping on each AP, for example 300 MB for AP 1 (GQ 1) and 200 MB for AP 2 (GQ 2).
• Port Shaping (DP): shaping at the port (DP 1); VIP user 2 is shown as bypass in the figure.
Switches and WACs support multi-level queue scheduling through large buffers.
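The flow-queue (FQ) level of the figure as an added simulation written for this page: the three PQ queues (CS7, CS6, EF) are drained in strict priority, and the five weighted queues share the remaining link time by deficit round robin with the slide's weights 15:15:10:10:10. This is not device software; the quantum, packet sizes and link budget are constructed, and the SQ/GQ/DP levels above it are not modelled.

```python
# Added example: strict priority plus deficit round robin over the slide's FQ queues.
# Not device code; quantum, packet sizes and the byte budget are constructed.
from collections import deque
from typing import Deque, Dict, List, Tuple

# (application, class, mode, DRR weight) as listed on the slide; buffer sizes omitted
FLOW_QUEUES = [
    ("Application 1", "CS7", "PQ", 0),
    ("Application 2", "CS6", "PQ", 0),
    ("Application 3", "EF", "PQ", 0),
    ("Application 4", "AF4", "DRR", 15),
    ("Application 5", "AF3", "DRR", 15),
    ("Application 6", "AF2", "DRR", 10),
    ("Application 7", "AF1", "DRR", 10),
    ("Application 8", "BE", "DRR", 10),
]


class FlowQueueScheduler:
    def __init__(self, queues=FLOW_QUEUES, quantum: int = 100) -> None:
        self.pq_order = [q[0] for q in queues if q[2] == "PQ"]      # CS7 > CS6 > EF
        self.drr_order = [q[0] for q in queues if q[2] == "DRR"]
        self.weight = {q[0]: q[3] for q in queues}
        self.buf: Dict[str, Deque[int]] = {q[0]: deque() for q in queues}
        self.deficit = {name: 0 for name in self.drr_order}
        self.quantum = quantum                # bytes of credit per weight unit per round

    def enqueue(self, app: str, size: int) -> None:
        self.buf[app].append(size)

    def schedule(self, budget: int) -> List[Tuple[str, int]]:
        """Packets sent, in order, within `budget` bytes of link time."""
        sent: List[Tuple[str, int]] = []
        for app in self.pq_order:             # strict priority: PQ queues go first
            q = self.buf[app]
            while q and q[0] <= budget:
                size = q.popleft()
                budget -= size
                sent.append((app, size))
        while budget > 0:                     # then DRR rounds over the weighted queues
            progressed = False
            for app in self.drr_order:
                q = self.buf[app]
                if not q:
                    self.deficit[app] = 0     # idle queues do not bank credit
                    continue
                self.deficit[app] += self.quantum * self.weight[app]
                while q and q[0] <= self.deficit[app] and q[0] <= budget:
                    size = q.popleft()
                    self.deficit[app] -= size
                    budget -= size
                    sent.append((app, size))
                    progressed = True
            if not progressed:                # all empty, or budget below every head packet
                break
        return sent


def bytes_per_app(sent: List[Tuple[str, int]]) -> Dict[str, int]:
    totals: Dict[str, int] = {}
    for app, size in sent:
        totals[app] = totals.get(app, 0) + size
    return totals
```

With every weighted queue backlogged, one DRR round gives AF4 and AF3 1.5 times the bytes of AF2, AF1 and BE, which is exactly the 15:10 ratio on the slide; the PQ queues are served before any of them, which is why the slide caps them with small buffers (2 MB) so that a misbehaving CS7 flow cannot starve the rest indefinitely.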
Intelligent HQoS: Service/User Priority-based Scheduling on Wireless Networks
(Figure: three scheduling mechanisms.)
• User group–based scheduling: services of high-priority users (VIP users) are preferentially scheduled over those of common users.
• Air interface slicing-based scheduling: voice, VR, video, and web services are scheduled in separate slices; air interface slicing reduces the transmission latency to 10 ms.
• Application-based scheduling: application bandwidth is allocated per application for common users and VIP users.
VIP Access Assurance: Prioritized VIP User Access
As is:
1. When the number of access users reaches the upper limit, the access of VIP users cannot be guaranteed.
2. Extra devices are deployed in areas where VIP users are located, increasing costs.
VIP users compete with common users for resources, and the access of VIP users cannot be prioritized.
To be:
1. The access of VIP users is prioritized in high-density campus office scenarios.
2. No extra devices are required, reducing costs.
How it works:
1. Authenticate and authorize users as VIP users, and enable radio and SSID guarantee for VIP users.
2. Adjust the EDCA parameters on the AP to change the packet exchange priority on air interfaces to ensure the access of VIP users.
(Figure: common users and VIP users in both cases.)
EDCA: Enhanced Distributed Channel Access
Bandwidth Reservation for VIP Users: Guaranteeing Sufficient Bandwidth
Requirements & Challenges:
• Random swarm traffic.
• (Example) Conference room scenario: with a sharp increase of users, office terminals preempt air interface resources, deteriorating the wireless experience of conference terminals. (Figure: VIP users are the conference terminals; common users are the other office terminals.)
Solution:
• Define who the VIP users are.
• Define the percentage of bandwidth to be reserved for VIP users (20% in the figure).
• OFDMA spectrum resource reservation for VIP users on Wi-Fi 6 APs.
• On-demand bandwidth reservation: when no VIP user is connected to an AP, no bandwidth is reserved; otherwise, sufficient bandwidth resources are reserved for VIP users.
Free mobility
Free Mobility – User Group–based Access Control
(Figure: define security groups, define inter-group policies, and deliver them to devices over NETCONF/YANG.)
Free mobility
Free Mobility – Anytime and Anywhere Access with Consistent Permission
Username | User Group | Access Mode | Access Location | Access Duration | Security Group | Access Permission
Mark | Department of Physics | Wired | Dormitory | 8:00 to 22:00 | Security group 1 | Scientific research resources, Internet, and material sharing
Joy | Economic Research Institute | Wired | Office area | All day | Security group 2 | Scientific research resources, Internet, OA, management, and materials
Terry | Other university | Wired/Wireless | Anywhere | 8:00 to 18:00 | Security group 3 | Public material sharing
Jim | Principal | Wired/Wireless | Administrative building | All day | Security group 4 | All
Workflow:
1. Configure and deliver security groups and inter-group control policies to the entire network.
2. Authenticate users who attempt to access the network.
3. Map users to security groups based on 5W1H conditions and deliver the mapping entries to devices.
4. Control user access permissions (permit or deny).
(Figure: campus network connected to WAN/Internet and DC/Internet.)
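Steps 3 and 4 of the workflow, as an added example written for this page: a session is mapped to a security group by the conditions in the table (user group, access mode, location, access duration), and the inter-group policy is then consulted with a default of deny. The four users and their permissions are the slide's; the resource groups, the "All day" time window, the session details and the first-match semantics are assumptions, not Huawei's policy model.

```python
# Added example: 5W1H-style mapping of sessions to security groups and an inter-group
# permit matr with default deny. Resource names and sessions are constructed.
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Set, Tuple

ANY = "*"


@dataclass(frozen=True)
class Session:
    username: str
    user_group: str
    access_mode: str          # "wired" or "wireless"
    location: str
    at: time


@dataclass(frozen=True)
class Mapping:
    user_group: str
    access_modes: FrozenSet[str]
    location: str              # ANY for "Anywhere"
    start: time
    end: time
    security_group: str

    def matches(self, s: Session) -> bool:
        return (s.user_group == self.user_group
                and s.access_mode in self.access_modes
                and self.location in (ANY, s.location)
                and self.start <= s.at <= self.end)


def map_security_group(session: Session, mappings: List[Mapping]) -> Optional[str]:
    """First matching mapping wins; a session that matches nothing gets no group."""
    for m in mappings:
        if m.matches(session):
            return m.security_group
    return None


class InterGroupPolicy:
    """Permit matrix from source security group to destination (resource) group."""

    def __init__(self) -> None:
        self.permits: Set[Tuple[str, str]] = set()

    def permit(self, src: str, dst: str) -> None:
        self.permits.add((src, dst))

    def allowed(self, src: Optional[str], dst: str) -> bool:
        if src is None:                       # unmapped user: default deny
            return False
        return (src, dst) in self.permits or (src, ANY) in self.permits


ALL_DAY = (time(0, 0), time(23, 59))          # assumption for "All day"
MAPPINGS = [
    Mapping("Department of Physics", frozenset({"wired"}), "Dormitory", time(8), time(22), "Security group 1"),
    Mapping("Economic Research Institute", frozenset({"wired"}), "Office area", *ALL_DAY, "Security group 2"),
    Mapping("Other university", frozenset({"wired", "wireless"}), ANY, time(8), time(18), "Security group 3"),
    Mapping("Principal", frozenset({"wired", "wireless"}), "Administrative building", *ALL_DAY, "Security group 4"),
]

POLICY = InterGroupPolicy()
for dst in ("Scientific research resources", "Internet", "Material sharing"):
    POLICY.permit("Security group 1", dst)
for dst in ("Scientific research resources", "Internet", "OA", "Management", "Materials"):
    POLICY.permit("Security group 2", dst)
POLICY.permit("Security group 3", "Public material sharing")
POLICY.permit("Security group 4", ANY)


def access_decision(session: Session, resource: str) -> bool:
    return POLICY.allowed(map_security_group(session, MAPPINGS), resource)
```

Because the decision is keyed on the security group rather than on an IP address or VLAN, Mark gets the same permissions from any dormitory port, and a session outside its mapping's time window is not merely slowed but unmapped and therefore denied.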
Network Service Configuration Overview
One of the key features of iMaster NCE-Campus is to provide the configuration and
management functions for cloud managed devices, including APs, WACs (WACs and cloud APs
cannot be deployed together at a single site), ARs, FWs, and SWs. For details about the
supported device models, refer to the device mapping table in the related product
documentation.
Intent-driven Orchestration (1/2) – Solution
Package Creation
• On the iMaster NCE-Campus homepage, click Intent-Driven Deployment and create solution packages on the
Intent-driven Orchestration page.
Intent-driven Orchestration (2/2) – Solution
Package Import
• On the iMaster NCE-Campus homepage, click Intent-Driven Deployment and execute the solution packages created in the
preceding step. In addition, parameter values can be set as needed during solution package execution.
Scenario-specific Deployment (1/4)
• On the iMaster NCE-Campus homepage, click the advanced feature Intent-Driven Deployment. On the
displayed page, click Intent-Driven Deployment > Scenario-specific Deployment to create a scenario
template.
Scenario-specific Deployment (2/4)
• In the scenario template, set networking parameters, plan a network topology, and configure wireless services.
Scenario-specific Deployment (3/4)
• Click Advanced Settings to configure DNS and perform network settings.
Scenario-specific Deployment (4/4)
• Create a site to which the scenario template is to be applied, and click Deploy to deploy the site. After
deployment is completed, you can view deployment details.
Template Hierarchy: Improved Configuration Efficiency of Similar Site Parameters
Scenario description: There are several sites on different hierarchies. A large number of partially identical configurations and many different customized configurations exist on different hierarchies, so the configuration efficiency needs to be improved.
Improving one-time configuration efficiency:
• Site configurations: after the local site configurations are modified, the configurations of other sites are not affected.
• Local site template: after a local site template is modified, the configurations of all sites bound to the template are modified in batches.
• Upper-level site template: after a parent template is modified, the configurations of all child templates are modified.
Priority: upper-level site template < local site template < site configurations
Template Hierarchy: Child Templates Can Inherit Configurations from Parent Templates or Have Customized Configurations
A child template can inherit the configurations of its parent template and allow users to customize configurations as needed.
(Figure: an SSID for secure networks is configured in the parent template. The child template inherits the SSID configuration from its parent template (inherited), and users can modify the inherited configuration or configure a new SSID as needed (customized).)
Template Hierarchy: Sites Inherit Configurations from Site Templates or Have Configurations Customized
Sites can use configurations inherited from templates, or have customized ones.
(Figure: an SSID for secure networks is configured in a site template. After the template is applied, a site inherits the SSID configuration from the template (inherited); alternatively, users can modify the inherited configuration or configure a new SSID as needed (customized site configuration).)
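The three-layer precedence from the template slides (upper-level site template < local site template < site configuration), with inheritance and per-layer overrides, as an added example written for this page. It is not iMaster NCE-Campus code; the configuration keys, template names and site names are constructed, and a real template carries structured objects rather than flat key/value pairs.

```python
# Added example: resolving a site's effective configuration across the template
# hierarchy and reporting which sites a template edit actually changes.
# Keys, values and names are constructed for illustration.
from typing import Any, Dict, List, Optional

Config = Dict[str, Any]


class Template:
    def __init__(self, name: str, settings: Config, parent: Optional["Template"] = None) -> None:
        self.name, self.settings, self.parent = name, settings, parent

    def effective(self) -> Config:
        """Parent values first, then this template's own (customized) values on top."""
        base = self.parent.effective() if self.parent else {}
        return {**base, **self.settings}


class Site:
    def __init__(self, name: str, template: Optional[Template], overrides: Config) -> None:
        self.name, self.template, self.overrides = name, template, overrides

    def effective(self) -> Config:
        """Site configuration has the highest priority."""
        base = self.template.effective() if self.template else {}
        return {**base, **self.overrides}

    def provenance(self) -> Dict[str, str]:
        """Which layer supplied each key: useful when auditing why a site deviates."""
        out: Dict[str, str] = {}
        chain: List[Template] = []
        t = self.template
        while t:
            chain.append(t)
            t = t.parent
        for tmpl in reversed(chain):            # top-most template first, so lower layers win
            for key in tmpl.settings:
                out[key] = tmpl.name
        for key in self.overrides:
            out[key] = f"site:{self.name}"
        return out


def changed_sites(sites: List[Site], template: Template, key: str, value: Any) -> List[str]:
    """Apply a template edit and return the sites whose effective config actually changed;
    sites (or child templates) that override `key` are untouched, as the slides describe."""
    before = {s.name: s.effective().get(key) for s in sites}
    template.settings[key] = value
    return [s.name for s in sites if s.effective().get(key) != before[s.name]]
```

`changed_sites` is the check worth running before editing a widely bound parent template: it shows the blast radius of the change, and `provenance` explains why a particular site kept its old value (a local override at the template or site layer).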
Virtualized Fabric Campus Networks
(Figure: iMaster NCE-Campus, HiSec Insight, and CampusInsight above a fabric domain (overlay) containing a routing node, an FW node, a fabric border node, a fabric transparent node, and fabric edge nodes connected by VXLAN, over an access domain (underlay network) with wired and wireless access nodes.)
Campus Virtual Extensible LAN (VXLAN) uses overlay virtualization technology to bear multiple virtual networks (VNs) in a unified manner and supports flexible service deployment. Tenant administrators are responsible for VN setup and service provisioning. The iMaster NCE-Campus VXLAN solution brings the following benefits:
1. VN automation:
• Supports automatic provisioning of VNs on the overlay network and a large Layer 2 network covering campuses and branches, and supports the BGP-EVPN control plane.
• Divides a physical campus network into VNs vertically and horizontally.
• Supports multi-tenant management mode on campus networks.
• Supports IPv6 access.
2. Abundant egress capabilities:
• Supports external networks with different egress types, including Layer 3 shared egress, Layer 2 shared egress, and Layer 3 exclusive egress.
• Supports one border node at the egress.
• Supports multiple border nodes at the egress, working in active/standby or load balancing mode. This feature is available only on a VXLAN with distributed gateways.
• Supports NQA and monitoring groups to ensure egress reliability.
3. Unified automated authentication for wired and wireless access:
• Supports automated orchestration of secure access during VN configuration.
• Supports seamless integration of wired and wireless access (wireless access needs to be pre-planned).
4. Unified topology-based O&M:
• Displays physical topologies and monitors NEs and ports.
• Displays logical topologies of VNs.
Underlay Route Automation
Underlay route automation is supported in the following networking modes:
(Figure: three topologies. Tree networking: a border node above edge nodes 1 and 2, each with extended nodes below. Ring networking for border and transparent nodes: border nodes 1 and 2 and transparent nodes 1 to 3 in a ring, with edge nodes 1 to 3 and extended nodes 1 to 3 below. Ring networking for edge nodes: a border node, edge nodes 1 to 3 in a ring, and extended nodes 1 to 3 below.)
Virtualized Fabric Campus Networks
(Figure: network administrator, iMaster NCE-Campus, border node, edge node, access switch, and user.)
1. Create VNs and subnets (network administrator).
2. Provision the VNs and deliver VLAN, VXLAN, DHCP, and static routing configurations to the border and edge nodes.
3. Create security groups and the corresponding inter-group policies (network administrator).
4. Deliver the security groups and inter-group policies.
5. The user sends an authentication request for network access; 802.1X authentication is performed.
6. Perform RADIUS authentication.
7. Send a message indicating that authentication succeeds. The message also carries information about the security group and authorization VLAN.
8. Deliver the authorization VLAN information to the access switch to allow the user to access the network.
9. Enable the 802.1X authentication port and deliver the authorization VLAN information, so that the user can go online and access the network.
10. Perform policy control based on the security groups.
Network Service Configuration Summary
• Only the most frequently used configurations are described here. Other configurations are
similar.
• Configurations can be performed specific to a site or device type.
• Configurations specific to a site take effect on all devices at the site.
• Configurations specific to a device type take effect on devices only of this device type at the
current site.
• Besides basic site and device configurations, iMaster NCE-Campus supports quick deployment
driven by intents or specific to scenarios.
• iMaster NCE-Campus supports automated configuration of virtual networks on VXLAN
networks.
Device Plug-and-Play Overview
• The device plug-and-play function simplifies management and configuration of devices
on traditional networks. To implement the plug-and-play function, the following tasks
must be completed in advance:
▫ Upload licenses to the controller.
▫ Add devices to the controller (or discover devices by using ESN-free deployment).
▫ Configure network services on the controller based on network plans.
▫ Connect devices to the Internet. You can either connect devices to a gateway that has access
to the Internet or configure device WAN interfaces on the device web system.
Device Plug-and-Play – Deployment Through the Registration Center
• Scenario Description
▫ Purpose: Simplify the operations to implement plug-and-play of cloud managed devices if no ICT professionals are available.
▫ Participant: Tenant administrators, installation engineers, and commissioning engineers.
▫ Prerequisites: The MSP administrator has created tenants. iMaster NCE-Campus is working properly, and cloud managed devices have been delivered to the target site.
▫ Results:
▪ Expected result: Cloud managed devices are successfully managed, and services are running properly on the devices.
▪ Fault handling suggestion: If a cloud managed device cannot be started, it is recommended that this cloud managed device be replaced.
[Figure: deployment flow. The registration center synchronizes device ESNs to NCE-Campus, and WLAN Planner planning files are imported. The tenant administrator selects a site and records device installation locations. The installation and commissioning engineer uses the CloudCampus APP for deployment by scanning barcodes, followed by single-point acceptance, roaming acceptance, and network-wide acceptance.]
Device Plug-and-Play – DHCP-based Deployment
• Scenario Description
▫ Purpose: Simplify the operations to implement plug-and-play of cloud managed devices if no ICT professionals are available.
▫ Participant: Tenant administrators, installation engineers, and commissioning engineers.
▫ Prerequisites: The MSP administrator has created tenants. iMaster NCE-Campus is working properly, and cloud managed devices have been delivered to the target site.
▫ Results:
▪ Expected result: Cloud managed devices are successfully managed, and services are running properly on the devices.
▪ Fault handling suggestion: If a cloud managed device cannot be started, it is recommended that this cloud managed device be replaced.
[Figure: deployment flow. Planning files from WLAN Planner are imported into NCE-Campus. The tenant administrator configures a DHCP option to carry the controller information, selects a site, and records device installation locations. The installation and commissioning engineer uses the CloudCampus APP for deployment by scanning barcodes, followed by single-point acceptance, roaming acceptance, and network-wide acceptance.]
Device Plug-and-Play – ESN-Free Deployment
Scenario description: A myriad of devices at branch sites need to access the network. The administrator wants to reduce ESN recording to improve deployment efficiency.
ESN-free deployment 1.0 (LLDP-based scanning)
① Root device (gateway) configuration and going online
② ④ ⑥ LLDP-based neighboring device discovery, one layer at a time (first layer, second layer, and so on, down to the APs)
③ ⑤ ⑦ Device ESN obtainment, registration, and onboarding
ESN-free deployment 2.0 (DHCP-based deployment)
1. Generate a token.
2. Configure the root device (gateway) to go online and configure it as a DHCP server. Add the token configurations to DHCP option 148.
3. Obtain the address of iMaster NCE-Campus and the token to perform DHCP-based deployment.
4. Send a registration request with the token to iMaster NCE-Campus to go online.
5. Verify the token and allow the device to go online. The administrator approves the discovered neighboring devices to go online.
Constraints of 1.0: ARs can function as root devices. Their neighboring devices, including switches, ARs, and APs, can be discovered, but not firewalls. Devices can be scanned only layer by layer while automatic network-wide scanning is not supported.
Improvements in 2.0: LSWs, ARs, and firewalls can function as root devices. LSWs and APs support automatic network-wide access.
Device Plug-and-Play 1.0 – ESN-Free Deployment
• Scenario description
▫ Purpose: ESN information is not available on the live network, so device ESNs are imported through barcode scanning, which has low
efficiency. With ESN-free deployment 1.0, devices directly connected to a root device are automatically added to the controller; the other
devices on the live network are then scanned layer by layer and added to the controller.
▫ Participant: Tenant administrators, installation engineers, and commissioning engineers
▫ Prerequisites: The MSP administrator has created tenants, iMaster NCE-Campus is working properly, and cloud managed devices have been
delivered to the target site.
ESN-Free Deployment 2.0: Automatic Network-Wide Scanning, Improving Deployment Efficiency
[Figure: ESN-free is enabled during site creation. Then the site generates a random site code. Devices are discovered automatically and can be added to the site after being approved.]
• Scenario description
▫ Purpose: Compared with 1.0, ESN-free deployment 2.0 does not need to scan devices layer by layer. Specifically, the controller delivers a site code to devices at the site to be deployed through DHCP packets. As such, when a root device at the site is added to the controller, other devices at the site can be added automatically, free of ESNs. In addition, the approval function is provided.
▫ Participants: Tenant administrators, installation engineers, and commissioning engineers
▫ Prerequisites: The MSP administrator has created tenants, iMaster NCE-Campus is working properly, and cloud managed devices have been delivered to the target site.
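A model of the 2.0 exchange as an added example (not Huawei's implementation): the controller issues a site token, the root gateway carries the controller address and token in DHCP option 148, a device parses the option and registers, and the controller verifies the token before the device is queued for approval. The option value layout, the HMAC-based token, the 24-hour validity window, and the device ESNs are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# DHCP option code from the slide. The option's value layout below is an
# assumption made for this example, not Huawei's documented format:
# an ASCII string "controller=<address>;token=<site token>".
OPTION_148 = 148
END_OPTION = 255
PAD_OPTION = 0


@dataclass
class Controller:
    """Stand-in for iMaster NCE-Campus: issues site tokens and verifies registrations."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    token_ttl_s: int = 24 * 3600               # assumed validity window
    pending_approval: dict = field(default_factory=dict)

    def _mac(self, site_id: str, window: int) -> str:
        msg = f"{site_id}:{window}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue_token(self, site_id: str, now: float) -> str:
        """Step 1: generate a token bound to the site and to a time window."""
        window = int(now) // self.token_ttl_s
        return f"{site_id}.{window}.{self._mac(site_id, window)}"

    def verify_registration(self, esn: str, token: str, now: float) -> str:
        """Step 5: verify the token; a valid device is queued for administrator approval."""
        try:
            site_id, window_s, mac = token.split(".")
            window = int(window_s)
        except ValueError:
            return "rejected: malformed token"
        if window != int(now) // self.token_ttl_s:
            return "rejected: token expired"
        # constant-time comparison so a forged token cannot be confirmed byte by byte
        if not hmac.compare_digest(mac, self._mac(site_id, window)):
            return "rejected: bad token"
        self.pending_approval[esn] = site_id
        return f"pending approval for site {site_id}"


def build_option_148(controller_addr: str, token: str) -> bytes:
    """Step 2: encode the option as a DHCP TLV (code, length, value) for the root gateway."""
    value = f"controller={controller_addr};token={token}".encode()
    if len(value) > 255:
        raise ValueError("value too long for a single DHCP option")
    return bytes([OPTION_148, len(value)]) + value


def parse_option_148(options: bytes) -> dict:
    """Step 3: walk the DHCP options field and extract the controller address and token."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == END_OPTION:
            break
        if code == PAD_OPTION:
            i += 1
            continue
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        i += 2 + length
        if code == OPTION_148:
            fields = dict(part.split("=", 1) for part in value.decode().split(";"))
            return {"controller": fields["controller"], "token": fields["token"]}
    raise KeyError("option 148 not present")


def register_device(controller: Controller, esn: str, options: bytes, now: float) -> str:
    """Step 4: the device registers with the token it learned from DHCP."""
    info = parse_option_148(options)
    return controller.verify_registration(esn, info["token"], now)
```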
PON management
POL Campus Networking
• A passive optical LAN (POL) is a flat access network that uses the PON technology, and consists of OLTs, ONUs, and a passive optical distribution network (ODN).
• Campus deployment modes and applicable scenarios
[Figure: a POL access network (ONU, ODN with optical splitter and drop fibers, OLT) managed by NCE-Campus, compared with IP networking (core switch, WAC, aggregation switch, access switch) and three POL networking modes (OLT, ODN, and SFP ONU, ONU, or ONT at the access layer, with access switches where needed). Access terminals include IPCs, PCs, APs, and phones.]
PON management
POL Device Management
• The controller can manage POL devices in a centralized manner and allows users to manually add OLTs.
▫ Click Add Device > Add on the Device tab page of the Device Management page to add devices.
▫ The device list displays basic information about IP devices (switches and APs) and PON devices (OLTs and ONUs).
PON management
Adding OLTs
• OLTs can be added to the controller for management through SNMP.
▫ Currently, OLTs can be managed only through SNMP. Therefore, you need to select the SNMP protocol when adding an OLT.
▫ To distinguish PON devices from traditional network devices, you need to click the PON Device tab when adding an OLT and enter the IP address and SNMP parameters.
PON management
360 Monitoring - OLT
• The controller can display OLT resources and status information in a centralized manner, helping users
learn the resource status at any time.
▫ Click Synchronize to synchronize the latest data from OLTs, such as information about Ethernet ports, GPON ports, and ONUs.
▫ Click an OLT name to go to the OLT details page.
PON management
360 Monitoring - ONU
• The controller can display ONU resources and status information in a centralized manner, helping users learn the resource status at any time.
▫ Click WLAN Configuration Import to set Wi-Fi parameters for ONUs in batches.
▫ Click ONU Alias Configuration to import ONU aliases in batches, facilitating subsequent ONU maintenance.
▫ Click an ONU name to go to the ONU details page.
PON management
OLT Details
• The controller can display OLT details, including basic OLT information, resource overview, and KPIs.
▫ Displays basic OLT information, including the OLT status, IP address, MAC address, type, and version.
▫ Displays the running statistics of Ethernet and GPON ports on OLTs and the running statistics of ONUs, so that users can quickly detect problems.
▫ Displays device KPIs, helping users learn about the running status of OLTs.
PON management
ONU Details
• The controller can display ONU details, including basic ONU information, port overview, and KPIs.
▫ Displays basic ONU information, including the ONU status, SN, type, version, and dying gasp information.
▫ Displays the running statistics of Ethernet and POTS ports on ONUs, so that users can quickly detect problems.
▫ Displays device KPIs, helping users learn about the running status of ONUs.
PON management
Service Provisioning Process
1. On-demand pre-configuration: Create a ZTP policy on NCE-Campus and bind the policy to a scenario template.
2. ONU installation and power-on: After an ONU is installed and powered on, it will be discovered by an OLT. The OLT then sends a notification to NCE-Campus.
3. Automatic configuration delivery: After receiving the notification, NCE-Campus delivers service configurations to the OLT.
4. Device activation: The OLT automatically activates the ONU and delivers configurations to it. Services then take effect on the ONU automatically.
[Figure: NCE-Campus, OLT, and ONU; an IP phone and a laptop are connected to the ONU through PoE ports]
• ONUs support plug-and-play and visualized batch configuration. One site visit, no human intervention after power-on.
• The ONU deployment efficiency is improved by 10 times. The time required for installing and commissioning a single ONU is reduced from 30 minutes to 3 minutes.
• On-demand deployment reduces skill requirements and workloads, lowering delivery costs.
PON management
Unified and Multi-Dimensional O&M Methods
• Displays the device network topology.
• Displays complete performance information.
• Displays alarms of all devices.
LAN-WAN convergence
Homepage in the LAN-WAN Convergence View
1. Tenant administrators can select a view upon first login. Tenant administrators can select a view when logging in to the system. The following views are available: Intelligent Cloud Campus (applicable to the LAN scenario), WAN Interconnection (applicable to the WAN scenario), and LAN-WAN Convergence (applicable to LAN and WAN scenarios). Menu names and layouts are unified in the three views. However, available menus and tab pages in the views differ, so that users can focus on functional menus applicable to their actual scenarios.
2. After a view is selected, the homepage is displayed, with menus applicable to this view. Tenant administrators need to select a view upon their first login. After selecting a view, the system automatically loads the menus available in this view, and this view is used by default upon subsequent logins. The selected view can be changed under the System menu.
3. The view can be changed under the System menu.
LAN-WAN convergence
Unified Menus in the LAN-WAN Convergence View
The menus in the LAN-WAN convergence view are unified, through the combination of NCE-Campus and NCE-WAN menus.
The menus related to SD-WAN are optimized according to the menus on NCE-WAN, guaranteeing user experience.
Menus are adjusted to help users find paths for configuring their desired services more easily.
Each menu focuses on a certain function and provides user-oriented apps to guide users through configurations.
For example, the tabs under the WAN Physical Network menu in the LAN-WAN convergence view are the same as those on NCE-WAN.
LAN-WAN convergence
LAN-WAN Interconnection Configuration in the LAN-
WAN Convergence Scenario
The controller provides a dedicated menu for the LAN-WAN interconnection configuration and moves the original
orchestration wizard to the homepage, as an app.
[Figure: interconnection model]
LAN-WAN convergence
Four-Step Configuration Wizard for LAN-
WAN Convergence
1. WAN egress interconnection
2. LAN campus configuration
3. Routes for LAN-WAN interconnection
4. WAN traffic policy, such as intelligent traffic steering
LAN-WAN convergence
Differentiated Application Management and Control
Based on ACLs
① ACL policies can be configured for overlay LAN interfaces
and underlay WAN interfaces.
② A blocking policy can be configured on an interface in the
inbound direction and can be configured to take effect within a
specified period of time.
Generally, the ACL policy (blocking policy) configuration is applicable to online behavior management. These
policies can be configured based on the application type and protocol.
LAN-WAN convergence
QoS Guarantees Bandwidth Resources for Key
Applications
Traffic can be classified based on application types and protocols.
Traffic priority, traffic policing, and traffic shaping policies are supported. When the function of configuring traffic priorities is enabled, DSCP values of traffic need to be set (which can be customized).
[Figure: traffic priority, traffic shaping, and traffic policing applied between CPEs over MPLS/Internet links, with traffic classified into the highest, medium, and lowest priority]
LAN-WAN convergence
Intelligent Traffic Steering Policy Guarantees Service
Experience of Key Applications
Select a traffic steering scenario.
① Set traffic steering metrics (jitter, delay, and packet loss rate).
② Set link priorities. You can set priorities for two MPLS links and two Internet links.
③ Set parameters for link quality-based and bandwidth-based traffic steering.
④ Set the load balancing mode for traffic steering as needed.
⑤ Set the time period during which the traffic steering policy takes effect.
[Figure: two CPEs connected over MPLS 1, MPLS 2, Internet 1, and Internet 2, with a configuration channel, a primary link, and a secondary link]
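The five settings above map onto a small link-selection routine; this is an added example, not Huawei's steering algorithm. The link names and bandwidths, the thresholds, the measured values, and the fallback to plain priority order when no link qualifies or the policy is outside its time period are all assumptions.

```python
from dataclasses import dataclass, replace
from datetime import time


@dataclass(frozen=True)
class Link:
    name: str
    priority: int          # ② 1 = highest; two MPLS and two Internet links
    bandwidth_kbps: int


@dataclass(frozen=True)
class Measurement:
    delay_ms: float        # ① quality metrics measured on the link
    jitter_ms: float
    loss_pct: float
    used_kbps: int         # ③ current utilisation for bandwidth-based steering


@dataclass(frozen=True)
class SteeringPolicy:
    max_delay_ms: float    # ① thresholds a link must meet to carry the application
    max_jitter_ms: float
    max_loss_pct: float
    max_util_pct: float    # ③ leave a link once utilisation exceeds this share of its bandwidth
    mode: str              # ④ "priority" (one active link) or "balance" (share equal-priority links)
    start: time            # ⑤ period during which the policy takes effect
    end: time

    def in_effect(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now < self.end
        return now >= self.start or now < self.end   # window crossing midnight


def link_qualifies(policy: SteeringPolicy, link: Link, m: Measurement) -> bool:
    """True when the link meets every quality threshold and has bandwidth headroom."""
    util_pct = 100.0 * m.used_kbps / link.bandwidth_kbps
    return (m.delay_ms <= policy.max_delay_ms
            and m.jitter_ms <= policy.max_jitter_ms
            and m.loss_pct <= policy.max_loss_pct
            and util_pct <= policy.max_util_pct)


def select_links(policy, links, measurements, now):
    """Return {"active": [...], "standby": [...]} link names for the application.

    Outside the effective period, or when no link qualifies, traffic simply
    follows link priority (a constructed fallback; the slide does not state one).
    """
    ranked = sorted(links, key=lambda l: l.priority)   # stable sort keeps config order per priority
    good = ([l for l in ranked if link_qualifies(policy, l, measurements[l.name])]
            if policy.in_effect(now) else [])
    candidates = good or ranked
    if policy.mode == "balance" and good:
        best = candidates[0].priority
        n_active = sum(1 for l in candidates if l.priority == best)
    else:
        n_active = 1
    names = [l.name for l in candidates]
    return {"active": names[:n_active], "standby": names[n_active:]}


# Constructed sample: the four links from the slide and a voice-like policy.
LINKS = [Link("MPLS 1", 1, 10_000), Link("MPLS 2", 1, 10_000),
         Link("Internet 1", 2, 50_000), Link("Internet 2", 2, 50_000)]
VOICE_POLICY = SteeringPolicy(max_delay_ms=150, max_jitter_ms=30, max_loss_pct=1.0,
                              max_util_pct=80, mode="priority",
                              start=time(8, 0), end=time(20, 0))
# MPLS 1 is lossy and Internet 2 is nearly full; MPLS 2 and Internet 1 are healthy.
MEASURED = {
    "MPLS 1": Measurement(40, 5, 3.0, 2_000),
    "MPLS 2": Measurement(45, 6, 0.1, 3_000),
    "Internet 1": Measurement(90, 20, 0.5, 10_000),
    "Internet 2": Measurement(80, 15, 0.2, 47_500),
}
# Same sample after MPLS 1 has recovered.
MEASURED_RECOVERED = {**MEASURED, "MPLS 1": Measurement(40, 5, 0.2, 2_000)}


def steer_sample(hour: int, measured=MEASURED, **overrides) -> dict:
    """Evaluate the sample policy (with optional field overrides) at the given hour."""
    policy = replace(VOICE_POLICY, **overrides)
    return select_links(policy, LINKS, measured, time(hour, 0))
```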
LAN-WAN convergence
Quick Configuration of Internet Access, Facilitating
Internet Access Policy Management
• Supports local Internet access, applicable to scenarios where site traffic does not need to be managed or controlled.
• Supports centralized Internet access, applicable to scenarios where no Internet link is available or the enterprise's Internet access traffic needs to be centrally managed and controlled.
• Supports local Internet access + centralized Internet access, applicable to scenarios with high reliability requirements. Local Internet access is used preferentially.
• Supports centralized Internet access + local Internet access for specified applications, applicable to scenarios where Internet access traffic needs to be centrally managed and controlled, but Internet access traffic of specific applications needs to be routed out in local mode to minimize the delay.
[Figure: a branch CPE with local Internet access and an HQ CPE behind a firewall providing centralized Internet access, connected over MPLS. Configure an Internet access policy: ① configure a centralized Internet access policy; ② configure a local Internet access policy.]
LAN-WAN convergence
Connection to Legacy MPLS Networks, Smooth
Evolution of Private Line Services
Configure a policy for connecting to a legacy MPLS network.
[Figure: an iMaster NCE-WAN site and the iMaster NCE-WAN HQ connected to a legacy site through PE devices on the MPLS network and over the Internet, using either local access or centralized access]
• Local access: An SD-WAN site communicates with a legacy site through the local CPE. That is, the CPE at the SD-WAN site acts as a customer edge (CE) device and communicates with the provider edge (PE) device at the peer legacy site on an MPLS network.
• Centralized access: An SD-WAN site and a legacy site communicate with each other through a centralized gateway. The centralized gateway, which is a hub device, acts as a CE device and communicates with the PE device at the peer legacy site on an MPLS network.
LAN-WAN Convergence
Diversified Security Policies for Differentiated
Access Control
URL filtering policy
• URL whitelist and blacklist, as well as user-defined URL
policies can be configured.
• Category-specific URL filtering policies can be configured
based on the predefined signature database, which contains
about 200,000 signatures.
Firewall policy
• Firewall policies for permitting or denying incoming and
outgoing traffic, and for controlling access between zones
can be configured (packet-based filtering).
• By default, the traffic from the Trust zone to the Untrust zone
is permitted, and the traffic from the Untrust zone to the
Trust zone is denied.
IPS&AV policy
• IPS&AV policies can be configured to defend against threat
traffic.
• IPS&AV policies can be configured based on the predefined
IPS&AV signature database.
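An added example (not NCE-Campus or Huawei code) showing how the stated default inter-zone behaviour combines with explicit packet-filter rules, plus a review check for rules that an earlier rule already shadows. The zone pair fallback for zones other than Trust/Untrust, the addresses, and the sample rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source network
    dst: str = "0.0.0.0/0"       # destination network
    proto: Optional[str] = None  # "tcp", "udp", "icmp", or None for any protocol
    dport: Optional[int] = None  # destination port, or None for any

    def matches(self, pkt: dict) -> bool:
        return ((self.src_zone, self.dst_zone) == (pkt["src_zone"], pkt["dst_zone"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


# Default inter-zone behaviour stated on the slide. Any other zone pair is
# denied here; that fallback is a constructed conservative choice.
DEFAULT_ACTIONS = {("trust", "untrust"): "permit", ("untrust", "trust"): "deny"}


class ZonePolicy:
    """Packet-based filter: explicit rules first (first match wins), then the zone defaults."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.hits = {r.name: 0 for r in self.rules}

    def evaluate(self, pkt: dict) -> Tuple[str, str]:
        """Return (action, rule_name); rule_name is "default" when no explicit rule matched."""
        for rule in self.rules:
            if rule.matches(pkt):
                self.hits[rule.name] += 1
                return rule.action, rule.name
        return DEFAULT_ACTIONS.get((pkt["src_zone"], pkt["dst_zone"]), "deny"), "default"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Review check: rules that can never match because an earlier rule for the
    same zone pair already covers every packet they would match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_zones = (earlier.src_zone, earlier.dst_zone) == (later.src_zone, later.dst_zone)
            covers_net = (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                          and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst)))
            covers_l4 = ((earlier.proto is None or earlier.proto == later.proto)
                         and (earlier.dport is None or earlier.dport == later.dport))
            if same_zones and covers_net and covers_l4:
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed sample policy: publish one internal HTTPS server to the Untrust
# zone and stop internal hosts from using external DNS; the last rule is redundant.
SAMPLE_RULES = [
    Rule("allow-https-to-web", "untrust", "trust", "permit", dst="10.0.1.10/32", proto="tcp", dport=443),
    Rule("block-external-dns", "trust", "untrust", "deny", proto="udp", dport=53),
    Rule("block-lan-dns", "trust", "untrust", "deny", src="10.0.0.0/8", proto="udp", dport=53),
]


def evaluate_sample(pkt: dict) -> Tuple[str, str]:
    """Evaluate one packet against the constructed sample policy."""
    return ZonePolicy(SAMPLE_RULES).evaluate(pkt)
```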
LAN-WAN
Convergence
One Unified WAN
[Figure: Option A. NCE-Campus manages the ARs and hubs at branches/outlets and tier-1 branches on the access WANs; NCE-IP manages the NE devices on the backbone WAN and in the DC (NE devices, vSwitches, and VMs). SRv6 runs on both the access and backbone WANs.]
Hierarchical management by NCE-Campus and NCE-IP
Backbone and access WANs are managed separately.
NCE-IP manages the backbone network set up by NE devices whereas NCE-Campus manages branch access networks set up by ARs and NE devices.
SRv6 TE tunnels can be established between ARs, between ARs and NE devices, and between NE devices, and service paths can be adjusted globally
and dynamically. NCE-Campus and NCE-IP cooperate to orchestrate network services across domains, implementing end-to-end service provisioning
and maintenance. As such, a unified SRv6 network is ready for enterprise WANs.
LAN-WAN
Convergence
One Unified WAN
• Provides the SRv6 tunnel mode for tenants.
• Provides agile configurations, which allow quick deployment of underlay and overlay configurations, as well as SRv6 BE configurations.
LAN-WAN
Convergence
One Unified WAN
• Supports the configuration of SR Policies, BFD for link connectivity detection, and IFIT-based link quality measurement and visualization.
LAN-WAN
Convergence
Multi-Cloud Interconnection
[Figure: multi-cloud interconnection architecture. A tenant/carrier portal calls the RESTful APIs of the northbound network service layer (VPN/traffic steering/QoS/security/WOC, multi-cloud orchestration, and O&M). The southbound NE layer (third-party VAS, EMS, vRR) manages VNFs and VNFCs in VPCs/vDCs on public and private clouds, vCPEs, uCPEs, and legacy Layer 3 CPEs at branches/campuses, with IWGs toward the cloud/DC over the Internet and MPLS.]
Lifecycle management of VNFs and transit VPCs/TGWs on clouds
• vCPE startup, release, status monitoring, reliability protection, and dynamic scale-in and scale-out
• Transit VPC startup, configuration, and release
• TGW creation and configuration
Unified orchestration of networks and services on clouds and unified network and application orchestration APIs for the upper layer, with API and implementation differences between public and private clouds being shielded
• vCPE management
• Underlay network orchestration on the cloud
• Overlay network orchestration on the cloud
• VAS orchestration on the cloud
Cloud-based O&M
• Unified topology display
• Unified connectivity detection and link quality measurement
• Fault locating and recovery
Cloud-based vCPE deployment
• Automated deployment on Huawei Cloud, China Telecom e-Cloud, and AWS Cloud
• Manual deployment on Azure and Tencent clouds
LAN-WAN
Convergence
Multi-Cloud Interconnection
• Configure credentials for accessing Huawei Cloud and AWS Cloud and establish HTTP connection channels.
• Deploy AR1000V devices by invoking cloud APIs and start services. Service-related underlay and overlay configurations are not mentioned here.
LAN-WAN
Convergence
NCE-Campus Upgrade Policy
Server configurations before and after upgrade, by deployment scenario:
• Single-node system
▫ Before upgrade (Campus): 1 x 128 GB (LAN) or 1 x 128 GB (LAN + POL)
▫ Before upgrade (WAN): N/A
▫ After upgrade: 1 x 128 GB (LAN + POL)
▫ Feature adjustment: N/A
▫ VM adjustment: N/A
• Minimum cluster, 3 x 128 GB
▫ Before upgrade (Campus): 3 x 128 GB (LAN)
▫ Before upgrade (WAN): N/A
▫ After upgrade: 3 x 128 GB (LAN + POL)
▫ Feature adjustment: N/A
▫ VM adjustment: N/A
• Minimum cluster, 4 x 128 GB
▫ Before upgrade (Campus): 4 x 128 GB (LAN-WAN) or 4 x 128 GB (LAN + POL)
▫ Before upgrade (WAN): 3 x 128 GB (WAN)
▫ After upgrade: 3 x 128 GB (LAN-WAN + POL)
▫ Feature adjustment: No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default.
▫ VM adjustment: If the cluster with 4 x 128 GB servers is to be upgraded, one server with one controller service node (service plane tag deleted) is idle after upgrade.
• Minimum cluster, 3 x 256 GB
▫ Before upgrade (Campus): N/A
▫ Before upgrade (WAN): 3 x 256 GB (WAN)
▫ After upgrade: 3 x 256 GB (LAN-WAN)
▫ Feature adjustment: No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default.
▫ VM adjustment: N/A
• Distributed cluster, 5 x 256 GB or 6 x 256 GB
▫ Before upgrade (Campus): 5 x 256 GB (LAN) or 6 x 256 GB (LAN-WAN)
▫ Before upgrade (WAN): N/A
▫ After upgrade: 5 x 256 GB (LAN-WAN)
▫ Feature adjustment: No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default.
▫ VM adjustment: If the cluster with 6 x 256 GB servers is to be upgraded, one server with two controller nodes (one service node and one middleware node, with service plane tags deleted) and one FusionInsight node (with tag deleted) is idle after upgrade.
• Distributed cluster, 9 x 256 GB or 12 x 256 GB
▫ Before upgrade (Campus): 9 x 256 GB (LAN) or 12 x 256 GB (LAN-WAN)
▫ Before upgrade (WAN): N/A
▫ After upgrade: 9 x 256 GB (LAN-WAN)
▫ Feature adjustment: No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default.
▫ VM adjustment: If the cluster with 12 x 256 GB servers is to be upgraded, three servers with a total of four controller nodes (one service node and three middleware nodes, with service plane tags deleted) and three FusionInsight nodes (with tags deleted) are idle after upgrade.
iPCA 2.0
iPCA 2.0
[Figure: NCE-Campus delivers the iPCA 2.0 configuration (with flow coloring) to wireless and wired access devices, which report flow data based on applications and security groups to CampusInsight. Flows to be monitored are either configured or identified automatically.]
• iPCA 2.0 configuration: Configure NCE-Campus to monitor flows based on applications/security groups, deliver the configuration to APs and LSWs, enable iPCA 2.0 on LSWs along flow forwarding paths, and configure in-point devices to color flows.
• Flow statistics reporting: LSWs and APs periodically report statistics about flows identified based on applications/security groups to CampusInsight for analysis.
• Flow statistics analysis: CampusInsight performs E2E packet loss and delay analysis on the monitored flows hop by hop, and displays analysis results.
• Flow identification: Flows to be monitored can be identified based on 5-tuple information, applications, security groups, or applications + security groups.
iPCA 2.0
iPCA 2.0
Configure a flow identification template to identify flows to be measured based on the 5-tuple information, applications, security groups, or applications + security groups.
Configure hop-by-hop flow measurement based on the flow identification template and configure in-point devices to color flows.
iPCA 2.0
iPCA 2.0
CampusInsight can display the forwarding path of a specified flow and
packet statistics on each device port along the path.
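How hop-by-hop packet loss falls out of the colored per-period counters described in the iPCA 2.0 slides, as an added example that is not CampusInsight code. The report record layout, the colour bit alternating with each measurement period, the device names, and the counts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowReport:
    """One periodic statistics record from a device on the flow path.
    Constructed record layout; the real report format is not on the slide."""
    device: str
    period: int     # measurement period; the in-point device toggles the colour every period
    color: int      # colour bit the in-point stamped on the flow's packets in that period
    packets: int    # packets of the monitored flow counted by this device in that period


def expected_color(period: int) -> int:
    """Alternating colouring lets each hop attribute its counts to exactly one period."""
    return period % 2


def collect(reports: List[FlowReport]) -> Dict[int, Dict[str, int]]:
    """Group counts as period -> device -> packets, rejecting inconsistent colours."""
    counts: Dict[int, Dict[str, int]] = defaultdict(dict)
    for r in reports:
        if r.color != expected_color(r.period):
            raise ValueError(f"{r.device}: colour {r.color} does not match period {r.period}")
        counts[r.period][r.device] = counts[r.period].get(r.device, 0) + r.packets
    return counts


def hop_by_hop_loss(path: List[str], reports: List[FlowReport]):
    """For each period reported by every device on the path, compare the count
    at each hop with the count at the next hop downstream.

    Returns a list of (period, hops, e2e_lost) where hops is a list of
    (upstream_device, downstream_device, lost_packets, loss_ratio)."""
    results = []
    for period, per_device in sorted(collect(reports).items()):
        if any(d not in per_device for d in path):
            continue   # a device has not reported yet: keep the period pending
        hops: List[Tuple[str, str, int, float]] = []
        for upstream, downstream in zip(path, path[1:]):
            sent = per_device[upstream]
            lost = sent - per_device[downstream]   # negative would mean duplication or a path change
            hops.append((upstream, downstream, lost, round(lost / sent, 4) if sent else 0.0))
        results.append((period, hops, per_device[path[0]] - per_device[path[-1]]))
    return results


def worst_hop(results):
    """The hop that dropped the most packets over all complete periods, or None."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for _, hops, _ in results:
        for upstream, downstream, lost, _ in hops:
            totals[(upstream, downstream)] += lost
    return max(totals.items(), key=lambda kv: kv[1]) if totals else None


# Constructed sample: a wireless user's flow from an AP through access,
# aggregation and core switches. Period 3 is incomplete (core not reported yet).
SAMPLE_PATH = ["AP-1", "ACC-SW-1", "AGG-SW-1", "CORE-SW-1"]
SAMPLE_REPORTS = [
    FlowReport("AP-1", 1, 1, 1000), FlowReport("ACC-SW-1", 1, 1, 1000),
    FlowReport("AGG-SW-1", 1, 1, 990), FlowReport("CORE-SW-1", 1, 1, 990),
    FlowReport("AP-1", 2, 0, 1200), FlowReport("ACC-SW-1", 2, 0, 1195),
    FlowReport("AGG-SW-1", 2, 0, 1180), FlowReport("CORE-SW-1", 2, 0, 1180),
    FlowReport("AP-1", 3, 1, 800), FlowReport("ACC-SW-1", 3, 1, 800),
    FlowReport("AGG-SW-1", 3, 1, 799),
]


def analyze_sample():
    """Run the hop-by-hop analysis over the constructed sample."""
    return hop_by_hop_loss(SAMPLE_PATH, SAMPLE_REPORTS)
```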
Agile Report
Agile Report
NCE-Campus:
• A unified navigation path is available for creating dashboards and reports, which is more flexible.
• Preset widgets can be reused. Widgets are automatically created and maintained by the system. No manual operation is required.
• The page layout can be customized in drag-and-drop mode and all panels can be flexibly zoomed in and out.
• The visualization effect is enhanced. The refresh frequency and background effect can be customized.
• Choose Monitoring > Report > Agile Report to access the agile report page.
Report support by management protocol (Feature: SNMP / NETCONF):
• Widgets
▫ Device vendor report: Unified / Unified
▫ Port usage statistics report: Unified / Unified
▫ Device type report: Unified / Unified
▫ Device model report: Unified / Unified
▫ Smart alarm reports (network device alarm event type graphic report, network device alarm distribution graphic report, network device alarm severity report, and top N device alarm report by severity): Unified / Unified
• Manually created reports
▫ Proportion chart of identified terminal types: Depending on terminal identification data / Supported
▫ Top N vendors of identified terminals: Depending on terminal identification data / Supported
▫ Top N OSs of identified terminals: Depending on terminal identification data / Supported
▫ Trend chart of authenticated online terminals: Supported / Supported
▫ Trend chart of authenticated online users: Supported / Supported
▫ RADIUS authentication log statistics chart: Supported / Supported
▫ Port authentication log statistics chart: Supported / Supported
Proactive SLA
Management
Proactive SLA Management and Pre-Warning
[Figure: enterprise HQ and branch, each with a voice service gateway, connected over the WAN; campus devices send simulated voice flows]
• Create periodic voice-based service level agreement (SLA) tasks and specify simulation voice streams to be sent by devices.
• Devices send simulated voice flows.
• Display test results in graphs, display service quality in a digital way, and display measuring metrics in graphs.
• Generate a pre-warning notice in time by email or SMS message when the metric threshold is exceeded.
Proactive SLA
Management
Proactive SLA Management and Pre-Warning
The SLA is a network performance measurement and diagnosis tool that provides the following capabilities:
• SLA overview
• SLA task management
• SLA service management
• SLA fast diagnosis
Service Deployment: Configuration File Management
Feature support by management protocol (Feature: SNMP / NETCONF):
• Main functions of configuration file management: Unified / Unified
• Backup and restoration of running configurations: Supported / Supported (Restoration is not allowed, which may lead to inconsistencies between configurations from different sources.)
• Backup and restoration of startup configurations: Supported / Not supported (This feature is supported only on YunShan devices.)
Choose Maintenance > Device Maintenance > Configuration File Management to back up and restore device configuration files, compare configuration files to discover changes, and configure backup tasks.
Device Data Reporting
The controller can display logs reported by devices, such as terminal onboarding and disconnection logs and configuration command logs, facilitating device maintenance, fault locating, and performance monitoring. This function is applicable only to LSWs, ARs, and APs.
Available configurations:
• Configure cloud managed devices to report data to NCE-Campus through HTTP.
• Configure devices to report data to NCE-CampusInsight through HTTP.
• Configure SNMP-managed devices to report data to NCE-Campus through SNMP and SFTP.
Procedure:
Choose Monitoring > Monitoring Settings > Data Collection Configuration from the main menu, select a site and a device type, and select types of the logs to be reported.
Alarm Management
• Alarm management receives, stores, and monitors alarms, and enables users to query and perform
operations on alarms. It supports full-lifecycle management of alarms, helping O&M personnel quickly
rectify faults based on alarm information.
▫ Configure alarm rules.
▫ Monitor alarms.
▫ Handle alarms.
• Alarm status:
▫ Acknowledgement: identifies the user who handles an alarm to avoid one alarm being handled by multiple users.
▫ Clearance: identifies whether the fault that causes an alarm is rectified.
• The detailed configuration is described in the O&M training course.
Device Performance Monitoring and Management
Performance Management (PM) is used to monitor and collect the following
information from cloud managed devices: performance data (such as CPU and
memory usages), access terminal information, terminal locations, and application
data accessed by terminals. By analyzing data and generating relevant reports, the
system can provide reference data for decision makers.
The detailed monitoring capabilities are described in the O&M training course.
Device Upgrade Management
[Figure: device upgrade process (steps 1 to 3) between HOUP, the controller, and the device]
1. The controller obtains the software package for upgrading a device.
① Online mode: The controller can obtain the device software package of the recommended latest stable version from the software library of the Huawei
online upgrade platform (HOUP), which can be accessed at https://houp.huawei.com/download.
② Package import: An administrator can download the required software package from Huawei Support Website and import the package to the controller.
2. The administrator configures an upgrade or downgrade policy to manually or automatically upgrade or downgrade the device.
3. When receiving an upgrade task, the device downloads the required package from the specified address and performs an upgrade.
Device Upgrade Management
[Figure: interconnection with HOUP; device upgrade policy]
Note: The username must be set to the one used for logging in to the Huawei enterprise technical support website (https://support.huawei.com/e).
Device Certificate Management
• A device certificate is a digital file signed and issued by an authority. It contains a public key,
information about the owner of the public key, issuer information, validity period, and certain extension
information. A device certificate is used when a device and a server need to set up a Secure Sockets
Layer (SSL) channel to ensure security for communication between the two ends.
• If a device certificate does not meet the current security requirements or has expired, it needs to be
replaced with a new one to ensure device security.
Device Certificate Management
(Screenshots: Update a device certificate in offline mode; Update a device certificate in online mode)
Device Certificate Management
iMaster NCE-Campus displays certificate information.
Fault Locating Tools
iMaster NCE-Campus provides diversified fault locating tools, including the following:
Ping: verifies connectivity between the controller and clients.
Trace: displays the access path from a device to a destination address.
RF ping: detects the quality of the air interface between a device and a client.
Cable test: tests the length of network cables connected to an interface and the status of each
twisted pair. This tool can quickly detect network cable faults to facilitate fault locating and reduce
the impact on services.
Fault Locating Tools - Specifications
Feature Supported Device
Ping AP, AR, FW, SW
Trace AP, AR, FW, SW
Cable test SW, AR
Ping: verifies connectivity between the controller and clients.
Trace: displays the path from a device to a destination address.
RF ping: tests the quality of the air interface between a device and a client.
Cable test: tests the length of network cables connected to an interface and the status of each twisted
pair. This tool can quickly detect network cable faults to facilitate fault locating and reduce the impact
on services.
Fault Locating Tools - Application Scenarios
If a fault cannot be rectified based on fault diagnostic information collected from devices, tenants or O&M
personnel need to use other troubleshooting methods to further rectify the fault.
The controller provides diversified fault locating tools to ensure that faults can be located in a timely manner. It can use ping and
trace tests to detect network connectivity of devices and allows agile cable tests without the assistance of other tools.
Connectivity test:
Ping and trace tests: These tests are applicable only to cloud managed devices (switches, WACs, ARs, and firewalls) that support
the two functions, as well as the controller.
Packet analysis
Packet obtaining (applicable to APs, switches, WACs, ARs, firewalls, and the controller)
Air interface quality detection for APs
RF ping (applicable to APs and the controller)
Fault Locating Process
Choose Monitoring > Monitoring > Device 360 from the main menu, select a site, and select a device from the
site's device list. On the device details page that is displayed, you can select a fault locating tool from the Select a
tool drop-down list box.
Packet Header Obtaining - Introduction
If tenant administrators need to locate network faults during the service operation process, they can
use the controller to obtain packet headers from specified devices.
After they set parameters for obtaining packet headers on a device, such as the target device, port
where packet headers need to be obtained, packet header obtaining duration, filter conditions, and file
names, packet header obtaining files are generated on the device. The device uploads the generated
files to the directory specified on the controller. The controller then displays a message to instruct
tenant administrators to download the files to their local hosts, and generates the corresponding
operation log.
There might be many packet exchanges between devices on the live network. The controller provides
necessary prompts based on device types, to improve the packet header obtaining accuracy.
Packet Header Obtaining - Application Scenarios
Packet headers can be obtained on wired interfaces and wireless radio interfaces. Packet
headers of a fixed length are obtained, rather than complete packets. The controller can
analyze packet headers to help users locate faults.
Packet Header Obtaining - Process
Choose Maintenance > Fault Diagnosis > Diagnosis Tools > Packet Head Getting from the main menu, select the device where packet headers need to be obtained, and set parameters for packet header obtaining.
IP Address Management
Choose Maintenance > IP Address Management from the main menu. The IP address management overview page is displayed,
showing the IP address assignment rate, exception statistics, and top N statistics.
IP address management provides the following capabilities: IP address group management, IP subnet management, IP address
management, IP address assignment, idle IP address detection, and IP address reclaiming.
Intelligent Network Verification
On the iMaster NCE-Campus homepage, open the Network Intelligent Verification app.
Intelligent network verification provides the following capabilities: snapshot management, subnet reachability verification, and
terminal access verification. In addition, verification tasks can be managed on iMaster NCE-Campus.
Intelligent Network Verification - Snapshot Management (1/2)
iMaster NCE-Campus collects device data on the network in read-only mode, performs data plane
modeling, and generates snapshots.
Snapshots are the basis of the intelligent network verification feature. The system can verify subnet
reachability and terminal access by leveraging snapshots.
Intelligent Network Verification - Snapshot Management (2/2)
• The snapshot management module also provides the snapshot comparison function. By comparing two snapshots,
the network administrator can quickly find the differences between devices, configuration files, interface link states,
and IP routing tables at two time points, providing valuable information for quick fault locating.
Intelligent Network Verification - Subnet Reachability Verification (1/2)
After a snapshot is created, network administrators can verify connectivity between every two service subnets on the entire network in this snapshot.
The verification results are presented in a matrix, including reachability and multi-path information. The matrix explicitly displays subnet reachability.
Intelligent Network Verification - Subnet Reachability Verification (2/2)
Network administrators can select two specific service subnets to view the traffic paths between the subnets.
The traffic path information helps quickly locate network reachability faults.
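Snapshot comparison, the subnet reachability matrix, and the per-pair traffic path described above can all be computed from one data-plane model: each device's attached subnets plus its IP routing table. The Python code below is an added example and not the product's verification engine. It assumes routes are resolved by longest-prefix match and that next hops are expressed as neighbour device names (a real snapshot would carry next-hop IP addresses and resolve them to neighbours); the device names, subnets, and both snapshots are constructed. The second snapshot adds one route on the core device, so the comparison shows which subnet pairs changed between the two time points.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


class Device:
    """A device as captured in a snapshot: attached subnets plus its IP routing table."""

    def __init__(self, name: str, connected: List[str], routes: List[Tuple[str, str]]):
        self.name = name
        self.connected = [ipaddress.ip_network(c) for c in connected]
        # (prefix, next-hop device name); assumption of this example, see lead-in
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst: IPNet) -> Optional[str]:
        """'connected' if dst is attached, else the next hop of the longest matching prefix."""
        if any(dst.subnet_of(c) for c in self.connected):
            return "connected"
        best: Optional[Tuple[IPNet, str]] = None
        for prefix, nh in self.routes:
            if dst.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None


Snapshot = Dict[str, Device]


def trace_path(snap: Snapshot, src: str, dst: str) -> Tuple[bool, List[str]]:
    """Walk hop by hop from the device attached to src toward dst.

    Returns (reachable, path of device names). Unreachable cases: no route,
    a next hop missing from the snapshot, or a forwarding loop.
    """
    src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    current = next((d for d in snap.values()
                    if any(src_net.subnet_of(c) for c in d.connected)), None)
    path: List[str] = []
    visited = set()
    while current is not None and current.name not in visited:
        visited.add(current.name)
        path.append(current.name)
        nh = current.lookup(dst_net)
        if nh == "connected":
            return True, path
        current = snap.get(nh) if nh else None
    return False, path


def reachability_matrix(snap: Snapshot, subnets: List[str]) -> Dict[str, Dict[str, bool]]:
    """The matrix shown on the slide: source subnet -> destination subnet -> reachable."""
    return {s: {d: (s == d or trace_path(snap, s, d)[0]) for d in subnets} for s in subnets}


def compare_matrices(before: Dict[str, Dict[str, bool]],
                     after: Dict[str, Dict[str, bool]]) -> List[Tuple[str, str, bool, bool]]:
    """Snapshot comparison at the reachability level: pairs whose result changed."""
    return [(s, d, before[s][d], after[s][d])
            for s in before for d in before[s] if before[s][d] != after[s][d]]


# Constructed data: office, servers, DMZ, and guest subnets on a small campus.
SUBNETS = ["10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24", "10.1.40.0/24"]


def snapshot_before() -> Snapshot:
    devs = [
        Device("access1", ["10.1.10.0/24", "10.1.40.0/24"], [("0.0.0.0/0", "core")]),
        Device("access2", ["10.1.20.0/24"], [("0.0.0.0/0", "core")]),
        # The core has no route back to the guest subnet 10.1.40.0/24 in this snapshot.
        Device("core", [], [("10.1.10.0/24", "access1"), ("10.1.20.0/24", "access2"),
                            ("10.1.30.0/24", "fw"), ("0.0.0.0/0", "fw")]),
        Device("fw", ["10.1.30.0/24"], [("10.1.0.0/16", "core")]),
    ]
    return {d.name: d for d in devs}


def snapshot_after() -> Snapshot:
    """Same network after an administrator adds the missing guest route on the core."""
    snap = snapshot_before()
    snap["core"].routes.append((ipaddress.ip_network("10.1.40.0/24"), "access1"))
    return snap


if __name__ == "__main__":
    m1 = reachability_matrix(snapshot_before(), SUBNETS)
    m2 = reachability_matrix(snapshot_after(), SUBNETS)
    for src in SUBNETS:
        print(src, ["Y" if m1[src][dst] else "N" for dst in SUBNETS])
    print("changed pairs:", compare_matrices(m1, m2))
    print("path servers -> guest:", trace_path(snapshot_after(), "10.1.20.0/24", "10.1.40.0/24"))
```

The asymmetry in the first snapshot (guest reaches servers, servers cannot reach guest because the core forwards the return traffic to the firewall, which sends it back to the core) is exactly the kind of one-directional reachability fault that a matrix makes visible at a glance and that a path trace then explains.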
Intelligent Network Verification - Terminal Access Verification
Intelligent network verification provides the terminal access verification capability. Network administrators can simulate a
terminal in a snapshot and verify its access to network resources. With this function, network administrators can check
whether the services accessible to the terminal are as expected.
Intelligent network verification also provides the verification task management function. A verification task contains the source
and destination information and the expected result. It is equivalent to a network verification case.
Intelligent Network Verification – Subnet Reachability on Fabrics
Intelligent network verification is applicable to the fabric scenario. In this scenario, reachability between overlay subnets can be verified and verification results can be displayed in a matrix.
Advanced Security Feature – Remote Attestation (RA)
(Figure: the RA client on the device measures (1); NCE-Campus, acting as the RA server, sends a challenge request (2) and the device returns its PCR status values and RA measurement logs; NCE-Campus verifies them (3) against reference values downloaded and imported from Huawei Support, and presents the result on the portal to O&M personnel.)
Device (YunShan LSWs and ARs):
Connects to NCE-Campus to report its information and receive configurations.
Receives RA requests from NCE-Campus and uploads platform configuration register (PCR)
values to NCE-Campus.
NCE-Campus:
Manages and configures devices.
Downloads PCR baseline files consisting of reference values from the Huawei Support website.
Sends challenge requests to NEs to collect measured information and evaluates the campus
security based on the collected information.
Huawei Support website:
Saves RA baselines of devices.
The RA process involves three steps: measurement, challenge, and verification.
Advanced Security Feature – RA
NE trustworthiness dashboard
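The verification step behind the trustworthiness dashboard can be illustrated with a small worked example. The Python code below is an added example and is not code from iMaster NCE-Campus or from the device. It assumes a TPM-style PCR extend rule (new PCR = SHA-256(old PCR || component digest); the deck does not name the hash algorithm), a measurement log consisting of one digest per measured component in boot order, and reference PCR values taken from a baseline file. All component names, digests, and device data are constructed.

```python
import hashlib
from typing import Dict, List, Tuple

HASH_LEN = 32  # SHA-256 digest length in bytes; a PCR is all zeros after reset

MeasurementLog = List[Tuple[str, bytes]]  # (component name, SHA-256 digest), in boot order


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend (assumed for this example): new PCR = SHA-256(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(log: MeasurementLog) -> bytes:
    """Step 1 (measure), as the device's RA client does it: fold every digest into the PCR."""
    pcr = b"\x00" * HASH_LEN
    for _component, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify_device(reported_pcrs: Dict[int, bytes],
                  logs: Dict[int, MeasurementLog],
                  reference_pcrs: Dict[int, bytes]) -> Tuple[str, List[Tuple[int, str]]]:
    """Step 3 (verify), as the RA server does it.

    For every PCR that has a reference value, two checks are made:
      - the measurement log replays to the reported PCR (log integrity), and
      - the reported PCR equals the reference value from the baseline file.
    Returns ("trusted", []) or ("untrusted", [(PCR index, reason), ...]).
    """
    findings: List[Tuple[int, str]] = []
    for index, reference in sorted(reference_pcrs.items()):
        reported = reported_pcrs.get(index)
        if reported is None:
            findings.append((index, "not reported"))
        elif replay_log(logs.get(index, [])) != reported:
            findings.append((index, "measurement log does not reproduce the reported PCR"))
        elif reported != reference:
            findings.append((index, "PCR differs from reference value"))
    return ("trusted" if not findings else "untrusted", findings)


def h(data: str) -> bytes:
    """Digest of a component image; the strings stand in for firmware blobs (constructed)."""
    return hashlib.sha256(data.encode()).digest()


# Constructed golden measurements: what the baseline file would describe for PCR 0 and PCR 4.
GOLDEN_LOGS: Dict[int, MeasurementLog] = {
    0: [("bootloader", h("bootloader-v1")), ("kernel", h("kernel-v1"))],
    4: [("system-software", h("system-image-v1"))],
}
REFERENCE_PCRS: Dict[int, bytes] = {index: replay_log(log) for index, log in GOLDEN_LOGS.items()}


def demo() -> Dict[str, str]:
    """Attest three constructed devices: pristine, modified kernel, and inconsistent log."""
    # Device A boots exactly the golden components.
    logs_a = GOLDEN_LOGS
    pcrs_a = {i: replay_log(log) for i, log in logs_a.items()}
    # Device B runs a kernel whose digest is not in the baseline.
    logs_b = {0: [("bootloader", h("bootloader-v1")), ("kernel", h("kernel-modified"))],
              4: GOLDEN_LOGS[4]}
    pcrs_b = {i: replay_log(log) for i, log in logs_b.items()}
    # Device C reports the golden PCR values but a log that does not explain them.
    logs_c = {0: [("bootloader", h("bootloader-v1"))], 4: GOLDEN_LOGS[4]}
    pcrs_c = dict(REFERENCE_PCRS)
    return {
        "A": verify_device(pcrs_a, logs_a, REFERENCE_PCRS)[0],
        "B": verify_device(pcrs_b, logs_b, REFERENCE_PCRS)[0],
        "C": verify_device(pcrs_c, logs_c, REFERENCE_PCRS)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Checking the log against the reported PCR before comparing with the baseline matters: a device that forwards golden PCR values with an unrelated or truncated log (device C) is treated as untrusted rather than as a match, and a device whose log is consistent but contains an unknown component (device B) is reported as a baseline deviation on the specific PCR.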
Advanced Security Feature – NE/NMS Security
Situational Awareness
(Figure: the HiSec situation analysis component in iMaster NCE-Campus provides abnormal event detection, situation presentation, SOAR, zero trust management, and single-domain security, including device/NMS intrusion detection, for O&M personnel; it takes input from the NMS AAA and NE log modules.)
Device (YunShan LSWs and ARs):
Connects to NCE-Campus and reports NE O&M logs.
NCE-Campus:
Receives O&M logs from devices and reports the logs to HiSec for exception detection and situation
analysis.
Receives O&M logs from the NMS and reports the logs to HiSec for exception detection and
situation analysis.
Supported device-oriented situational awareness capabilities (figure labels: host security, intrusion detection):
Rule-based abnormal login behavior detection: brute force cracking, login from blacklisted IP addresses, unauthorized accounts, or compromised accounts, and login through uncommon paths
AI-based abnormal login behavior detection: login at unusual time, login using uncommon IP addresses or zombie accounts, abnormal number of login accounts, and abnormal login frequency
Abnormal behavior detection: unauthorized account creation, unauthorized password change, unauthorized account activation (detected when the product has activation logs), password change violation, unauthorized account deletion, unauthorized user permission change, unauthorized operation attempt (detected if NEs record authentication failure logs)
Agent-based detection: file permission escalation, key file tampering, Rootkit attack, unauthorized superuser, and shell file tampering
Supported NMS-oriented situational awareness capabilities:
Rule-based abnormal login behavior detection: brute force cracking, login from blacklisted IP
addresses, unauthorized accounts, or compromised accounts, and login through uncommon paths
Exception handling based on zero-trust evaluation, for example, blacklisting abnormal accounts
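A rule-based abnormal login detector covering several of the cases listed above (brute force cracking, login from a blacklisted IP address, an unauthorized account, and login through an uncommon path) fits in a few dozen lines; the unusual-time check is included as a fixed-hours stand-in for the learned baseline that the AI-based detection would use. The Python code below is an added example and is not the HiSec component. The key=value log format, thresholds, blacklist, authorized account list, and the NE O&M log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed NE O&M log format (the deck does not specify one): one key=value record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ne=(?P<ne>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>success|failure)$"
)

# Detection parameters; every value here is constructed for the example.
BLACKLISTED_IPS: Set[str] = {"198.51.100.23"}
AUTHORIZED_ACCOUNTS: Set[str] = {"admin", "netops"}
COMMON_PATHS: Set[str] = {"ssh", "netconf"}   # telnet and console count as uncommon login paths
BRUTE_FORCE_THRESHOLD = 5                      # failures from one source against one NE ...
BRUTE_FORCE_WINDOW_S = 60                      # ... within this many seconds
USUAL_HOURS = range(8, 20)                     # fixed-hours stand-in for a learned time baseline

Alert = Tuple[str, str, str, str]  # (rule, ne, user, src)


def parse(line: str) -> Optional[dict]:
    """Parse one log line; malformed lines are skipped rather than guessed at."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines: List[str]) -> List[Alert]:
    """Run the rules over the lines in order and return the alerts they raise."""
    alerts: List[Alert] = []
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    already_flagged: Set[Tuple[str, str]] = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["ne"], ev["src"])
        if ev["result"] == "failure":
            # Sliding window of failure timestamps per (NE, source); one alert per key.
            window = failures[key]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > BRUTE_FORCE_WINDOW_S:
                window.popleft()
            if len(window) >= BRUTE_FORCE_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)
                alerts.append(("brute-force", ev["ne"], ev["user"], ev["src"]))
            continue
        # Rules applied to successful logins.
        if ev["src"] in BLACKLISTED_IPS:
            alerts.append(("blacklisted-ip", ev["ne"], ev["user"], ev["src"]))
        if ev["user"] not in AUTHORIZED_ACCOUNTS:
            alerts.append(("unauthorized-account", ev["ne"], ev["user"], ev["src"]))
        if ev["method"] not in COMMON_PATHS:
            alerts.append(("uncommon-path", ev["ne"], ev["user"], ev["src"]))
        if ev["ts"].hour not in USUAL_HOURS:
            alerts.append(("unusual-time", ev["ne"], ev["user"], ev["src"]))
    return alerts


# Constructed sample log: six failures in 25 seconds, an off-hours telnet login by an
# unknown account, a login from a blacklisted address, a normal login, and a bad line.
SAMPLE_LOG = [
    *(f"2023-05-10T01:00:{s:02d}Z ne=sw-core-1 user=admin src=203.0.113.7 method=ssh result=failure"
      for s in (0, 5, 10, 15, 20, 25)),
    "2023-05-10T03:00:00Z ne=sw-core-1 user=svc_tmp src=203.0.113.9 method=telnet result=success",
    "2023-05-10T10:00:00Z ne=ar-branch-2 user=admin src=198.51.100.23 method=ssh result=success",
    "2023-05-10T11:00:00Z ne=ar-branch-2 user=netops src=203.0.113.50 method=ssh result=success",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The brute-force rule is keyed on (NE, source address) rather than on the account, so it still fires when an attacker rotates usernames, and it raises one alert per key rather than one per failure beyond the threshold, which keeps the situation presentation readable.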
Advanced Security Feature – NE/NMS Security
Situational Awareness
NE security event
Advanced Security Feature – NE Security Configuration Check
The controller can verify device security configurations, including insecure protocols, weak algorithms, and security
configuration items, to ensure NE security.
a. Insecure protocol: such as Telnet
b. Weak algorithm: such as the MD5 encryption algorithm
c. Insecure configuration: such as password authentication using SSH on port 22
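The three check categories map naturally onto a small rule table run over a device configuration. The Python code below is an added example and not the controller's checker; the configuration excerpts are constructed and only loosely modelled on VRP-style command names, and the rules cover exactly the three examples named above (Telnet, MD5, and SSH password authentication). A hardened counterpart of the same configuration is included so the checker can be seen to pass it.

```python
import re
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    rule_id: str
    category: str          # one of the three categories from the slide
    pattern: "re.Pattern"  # matched against each configuration line
    advice: str


# Rules for the three examples named on the slide. The command strings are an
# assumption of this example (loosely VRP-style), not a vendor reference.
RULES: List[Rule] = [
    Rule("INSECURE_PROTOCOL_TELNET", "insecure protocol",
         re.compile(r"^\s*telnet server enable\b"),
         "disable the Telnet server and use SSH (STelnet) for CLI access"),
    Rule("WEAK_ALGORITHM_MD5", "weak algorithm",
         re.compile(r"\bmd5\b", re.IGNORECASE),
         "replace MD5-based authentication or integrity with an HMAC-SHA2 option"),
    Rule("SSH_PASSWORD_AUTH", "insecure configuration",
         re.compile(r"^\s*ssh user \S+ authentication-type password\b"),
         "use public-key authentication for SSH users"),
]


class Finding(NamedTuple):
    rule_id: str
    category: str
    line_no: int
    line: str
    advice: str


def check_config(config_text: str) -> List[Finding]:
    """Run every rule over every non-empty, non-comment line; one finding per rule hit."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, rule.category, line_no, line.strip(), rule.advice))
    return findings


def summarize(config_text: str) -> Dict[str, int]:
    """Finding counts per category, the shape a security-check dashboard would consume."""
    counts = {"insecure protocol": 0, "weak algorithm": 0, "insecure configuration": 0}
    for f in check_config(config_text):
        counts[f.category] += 1
    return counts


# Constructed configuration excerpts (not taken from any real device).
WEAK_CONFIG = """\
 sysname sw-core-1
 telnet server enable
 ssh user admin authentication-type password
 ospf 1
  area 0.0.0.0
   authentication-mode md5 1 cipher <placeholder-key>
"""

HARDENED_CONFIG = """\
 sysname sw-core-1
 undo telnet server enable
 stelnet server enable
 ssh user admin authentication-type rsa
 ospf 1
  area 0.0.0.0
   authentication-mode hmac-sha256 1 cipher <placeholder-key>
"""


if __name__ == "__main__":
    for f in check_config(WEAK_CONFIG):
        print(f"line {f.line_no}: [{f.rule_id}] {f.line} -> {f.advice}")
    print("hardened config findings:", check_config(HARDENED_CONFIG))
    print(summarize(WEAK_CONFIG))
```

Anchoring the protocol and SSH rules at the start of the line (after indentation) is what keeps `undo telnet server enable` and `stelnet server enable` from being reported as Telnet; a checker that grepped for the bare substring would flag the hardened configuration too.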
IPv4/IPv6 Capability of iMaster NCE-Campus
Scenario description: IPv6 is becoming more popular, which is required in deployment and management scenarios. iMaster NCE-Campus supports the following three scenarios: IPv4 single stack, IPv6 single stack, and IPv4/IPv6 dual stack.
Table columns: Scenario | Device Model | Authentication | Management Channel | Pre-installation Version | Upgrade from the Original Deployment Or Not | IPv6 on Internet
IPv4 single stack: All devices; All supported; IPv4 single stack, IPv4/IPv6 dual stack, and IPv6 single stack; Not supported; Supported; Supported.
IPv4/IPv6 dual stack: All devices; Supported by all devices in V5 (IPv4-based device interaction, IPv6-based Portal authentication and 802.1X authentication), YunShan devices do not support IPv6-based Portal authentication but support IPv6-based 802.1X authentication; Supported, but depends on device-side capabilities (only ARs and YunShan LSWs support this function); Not supported; Not supported (only supported by new versions).
IPv6 single stack: AR devices (supported in V5 and in YunShan since R22.0), LSWs (supported in YunShan since R22.0), and WACs; YunShan devices do not support IPv6-based Portal authentication but support IPv6-based 802.1X authentication; Supported, but depends on device-side capabilities (only ARs and YunShan LSWs support this function); Not supported; Not supported (only supported by new versions).
(Cells are listed in the order they appear in each row; the extraction does not preserve column boundaries. Unplaced fragments from the extracted table: IPv6, IPv4.)
IPv4/IPv6 Deployment Scenarios
(Figure: IPv4 single stack with an IPv4 site and IPv4 address; IPv6 single stack with an IPv6 site and IPv6 address; IPv4/IPv6 dual-stack with both.)
Supported IPv6 Functions
Columns: Function Category | Feature | V5 LSW (non-virtualization scenarios) | V5 LSW (virtualization scenarios) | YunShan LSW (non-virtualization scenarios) | YunShan LSW (virtualization scenarios); Y = supported, N = not supported, N/A = not applicable
IP service | IPv6 gateway | N | Y | Y | Y
IP service | DHCPv6 client/server | N | N | Y | N
IP service | DHCPv6 relay | N | Y | Y | Y
Routing | IPv6 static routing | N | Y | Y | Y
Routing | OSPFv3 | N | N | Y | N
Routing | BGP4+ | N | Y | Y | Y
Traffic policy | ACL6 | Y | N/A | Y | N/A
Traffic policy | ACL6 in traffic classifiers | Y | N/A | Y | N/A
Traffic policy | Next-hop IPv6 address in traffic behaviors | N | N/A | Y | N/A
Traffic policy | ACL6 default permit rule | Y | Y | N | N
Reliability | NQA IPv6 | N | Y | N | Y
DNS | DNSv6 server | N | N/A | Y | N/A
The remaining rows give one value per LSW family: Function Category | Feature | V5 LSW | YunShan LSW
Device management | NETCONF-based IPv6 device management | N | Y
Authentication | IPv6 RADIUS server | N | Y
Authentication | Dynamic ACL6 authorization | Y | Y
Authentication | IPv6 AD/LDAP server | Y | Y
Authentication | IPv6 authentication components | N | Y
Authentication | IP-security group channels on IPv6 networks | N | Y
O&M | IPv6 device upgrade channels | N | Y
O&M | Packet header obtaining supports IPv6 channels | N | Y
O&M | IPv6 channels for device file systems | N | Y
O&M | IPv6 channels for activating license files | N | Y
O&M | IPv6 channels for file management configuration | N | Y
O&M | IPv6 channels for inspection | N | Y
O&M | IPv6 channels for SSH-based CLI login | N | Y
O&M | IPv6 channels for collecting device fault information | N | Y
O&M | IPv6 ping and trace | N | Y
Monitoring | IPv6 HTTP/2 and telemetry channels | N | Y
Others | Analyzer interconnection through IPv6 | N | Y
Multi-Cluster System
With service development, an increasing number of devices and users are connected to
iMaster NCE-Campus. A single cluster cannot provide sufficient performance for service
development needs. Horizontal capacity expansion from a single-cluster system to a multi-
cluster system is needed to allow access of more devices and users.
Multi-Cluster Solution
The multi-cluster solution consists of a global node and two regional clusters.
Region | Function Description
Global: The global node receives the mappings among users, tenants, and IP addresses from each regional cluster. It provides a unified login page for all the clusters. Users do not need to select a region upon login. After successful login, the user is automatically redirected to the selected regional cluster.
Region: Each region is an independent cluster, without a login page. Users can log in to each regional cluster only through the login page of the global node, and are allowed to log in through their respective regional cluster only when the global node is faulty. A regional cluster reports the mappings among users, tenants, and the regional cluster IP address to the global node. It is also responsible for user service design, configuration, and maintenance. Tenant migration is not supported between regional clusters. Services of a single tenant cannot be deployed across regional clusters.
Multi-Cluster Management
By default, each regional cluster reports the mappings among users, tenants, and the regional cluster IP
address to the global node in real time. The global node also collects the mappings at a specified time
every day.
In addition, the mappings can be manually synchronized from regional clusters to the global node.
Choose System > System Management > Multi-Cluster Management from the main menu. Click
Synchronize Immediately to synchronize regional cluster information to the global node and then
check whether the synchronization is complete.
Disaster Recovery - Background
With expanding enterprise scales, simple data backup is unable to meet the requirements of mission-critical services on
system availability, real-time performance, and security. More importantly, backup data may be damaged due to
various factors such as earthquakes and fire disasters, and even be lost. Any service interruption or data loss will cause
serious losses to enterprises. How to improve system availability has become a major concern of enterprises. The top
priority is to design highly available software.
Disaster recovery (DR) is the ability to recover from a disaster. The DR solution is achieved by a standby system in a
different place. The active and standby systems monitor each other's health status and take over services from each
other. If one system is unavailable due to an unexpected event such as a fire or earthquake, another system can take
over the services of the faulty system to ensure service continuity.
To improve the reliability of iMaster NCE-Campus, the DR design is adopted.
Disaster Recovery - Introduction
The primary and secondary clusters communicate with each other through heartbeat links and detect each other’s status in real time. The product in the active
cluster synchronizes data to the product in the standby cluster in real time through the data replication link to ensure data consistency between the two
clusters.
If a fault occurs in the cluster that is providing services, users can manually switch the services from the faulty cluster to the other cluster. Automatic
switchover is provided if the arbitration service is deployed. This ensures service continuity and reduces the loss caused by disastrous incidents.
DR objectives
1. Primary and secondary clusters are installed separately. The installation sequence does not matter.
2. After a DR system is created, one cluster functions as the active cluster and the other functions as the standby cluster. The active cluster provides services
for external systems. The standby cluster does not provide external services and only synchronizes data from the active cluster.
3. If the active cluster is unavailable due to a disaster, services can be manually or automatically switched to the standby cluster to ensure service continuity.
4. CampusInsight does not support DR. After a DR switchover, if CampusInsight functions are required, you need to reinstall CampusInsight (or pre-install two
copies of CampusInsight before a controller DR switchover) and synchronize data from the controller to CampusInsight. The analysis data on CampusInsight
will be lost after a controller DR switchover.
Differences between manual and automatic DR switchovers
1. In both modes, primary and secondary clusters must be installed and set up a DR system. In the automatic DR scenario, an arbitration node needs to be
deployed at a third site and arbitration needs to be configured through EasySuite.
2. To manually trigger DR switchovers, administrators need to log in to the management plane to manually switch active and standby cluster roles. To
configure automatic DR switchovers, administrators only need to create arbitration tasks in advance. If switchover conditions are met, an automatic DR
switchover is performed, without manual intervention.
3. The two modes have different requirements on public networks. In the manual switchover scenario, administrators can detect the switchover and then can
manually re-configure the controller IP address visible to public networks. In the automatic switchover scenario, customer networks must be able to
automatically detect the active/standby controller status in each cluster of the DR system, for example, through an F5 load balancer, through NQA to detect
the internal floating IP address of the controller, or by connecting the controllers in primary and secondary clusters to external networks at Layer 2 in both
north and south directions.
Manual DR Switchover
(Figure: manual DR switchover)
Manual switchover:
The controller advertises northbound and southbound routes in Layer
3 mode. In the NAT scenario, the controller's southbound and
northbound IP addresses after NAT in the primary cluster are the
same as those in the secondary cluster. In this way, tenants, network
devices, and access terminals are unaware of active/standby
controller switchovers.
The heartbeat link and data replication link are located on
the internal communication plane. Therefore, network
connectivity must be ensured between the internal
communication planes of the primary and secondary clusters.
Route priority-based manual switchover:
On the egress router, routes destined for the active and standby
clusters are configured with different priorities. Only the active
cluster provides services for external networks and the standby
cluster only synchronizes data from the active cluster.
If the network is abnormal or the active site is faulty, administrators
can access the O&M plane and issue a DR switchover command to
manually trigger a DR switchover.
Automatic DR Switchover
(Figure: automatic DR switchover. The primary and secondary sites are connected by a heartbeat link and a data replication link, and each exchanges arbitration data with an arbitration node at a third site.)
Arbitration-based automatic switchover:
The arbitration service periodically checks the connectivity between the primary, secondary, and third sites, and saves the check results. If the network connection is abnormal or the active site is faulty, the arbitration service selects the optimal site in the network to perform an active/standby switchover.
Note: The HBase database of FusionInsight does not support automatic switchovers and needs to be manually synchronized. If the database is not synchronized, device performance data display is affected. Customers can determine whether to synchronize the HBase database.
The arbitration service is deployed on five nodes, among which two are deployed at the primary site, two at the secondary site, and one at the third site.
The heartbeat link, arbitration heartbeat link, data sharing link, and data replication link are located on the internal communication plane. Therefore, the internal communication network between the active and standby sites must be connected.
DR Switchover - Layer 2 Southbound and Northbound Connectivity Between Primary and Secondary Clusters
(Figure: DC1 and DC2, each with a router, a switch, and cluster nodes, connected by a Layer 2 communication link, a heartbeat link, and a data replication link; an arbitration node is located in DC3.)
Why is a Layer 2 network used?
A Layer 2 network is used for switchovers between the primary and secondary clusters. Host IP addresses are in the same ARP broadcast domain, which are easily advertised.
Solution features:
1. Install DC1 and DC2 clusters. The two clusters use the same southbound and northbound IP addresses. Because the two clusters are on the same Layer 2
network, the southbound and northbound IP addresses of the secondary cluster need to be hidden.
2. Set up a DR system, for example, with DC1 and DC2 as the active and standby clusters, respectively. The active cluster automatically enables its southbound
and northbound IP addresses, whereas the standby cluster does not.
3. This solution applies to the scenario where devices on external networks can be managed by customers. Connecting southbound and northbound Layer 2
networks of the active and standby clusters has high requirements on customer networks.
4. The solution with an arbitration node can avoid dual active clusters. Therefore, if southbound and northbound Layer 2 networks of the active and standby
clusters are connected, manual switchovers at the expense of the arbitration node are not recommended.
Note:
NAT is supported in this scenario. In the NAT scenario, Layer 2 interconnection is required on the planes where the southbound and northbound virtual IP
addresses reside, and the virtual IP addresses are mapped into a public IP address using NAT.
DR Switchover - Unified Virtual IP Address based on NQA
(Figure: the DC1 primary cluster with DIP 1 and the DC2 secondary cluster with DIP 2, each behind a Layer 3 network management switch and a core device that runs OSPF, an NQA probe, and a static route toward the backbone ring network; each core device advertises the external IP address; a heartbeat link (1), a data replication link (2), and an arbitration node (3) connect the sites.)
Solution features:
1. Install DC1 and DC2 clusters which provide the same southbound and northbound IP addresses for external networks.
2. Install an HA arbitration node. (By default, the HA arbitration node is deployed in a third data center and is reachable to the primary and secondary clusters at Layer 3.)
3. Add a DR configuration instance and set up a DR system, for example, with DC1 and DC2 as the active and standby clusters, respectively. The DR heartbeat and data replication links are created at the same time.
4. Configure an NQA policy on the core device of each DC cluster to detect its own DIP. If the DIP is reachable, the public southbound and northbound IP addresses of the controller are advertised. The DIP of the active cluster is automatically enabled, and that of the standby cluster is not.
5. Disaster scenario: If the original active cluster encounters a disaster and the heartbeat between the active and standby clusters is interrupted, the arbitration node checks whether the standby cluster can switch to the active cluster. If so, after the original standby cluster becomes the new active cluster, its southbound and northbound IP addresses and DIP addresses take effect. In addition, NQA automatically advertises the public southbound and northbound IP addresses of the new active cluster after verifying that the DIP of the new active cluster is reachable.
6. In this solution, manual switchovers can be performed at the expense of the arbitration node.
Note:
1. This solution requires that the customer's core devices have the NQA detection capability and can be associated with static routes for automatic detection. The core devices must be reachable to the DIP addresses of controller clusters. The overall switchover time depends on the NQA detection time as well as time required by route advertisement and convergence.
2. NAT is supported in this scenario. In the NAT scenario, the external IP address is located on the NAT device and mapped to the LVS virtual IP address of the controller. Similarly, the core device determines whether to advertise this external IP address based on NQA detection results.
DR Configuration
The management plane of iMaster NCE-Campus
provides the configuration and O&M pages for the DR
function. You can view the DR system status and data
synchronization status, modify DR configurations, and
trigger a DR switchover on these pages.
If the active cluster is faulty and cannot be recovered, a
forcible switchover can be performed for the standby
cluster to take over services.
If two active clusters exist, a forcible switchover can be
performed to switch a cluster to the standby cluster to
restore the active/standby relationship.
Multiple Southbound Cluster Addresses: Improving Remote DR Reliability and Reducing Network Requirements
Scenario description: In remote disaster recovery (DR) scenarios, two southbound IP addresses are configured for the active and standby clusters, improving reliability and network adaptation capabilities, as well as reducing network requirements.
(Figure, left: active and standby DC clusters with data synchronization, both using the same southbound IP address 41.1.1.208 toward the APs. Right: the same clusters with different southbound addresses, 41.1.1.208 on the active cluster and 42.2.2.210 on the standby cluster.)
Constraints before this feature:
The southbound IP address of the active and standby clusters must be the same.
Cluster switchover and convergence are slow due to specific network requirements. As such, remote DR cannot be met in some networking modes. (If the active and standby clusters are not in the same area, their southbound IP addresses are not the same. In addition, these clusters cannot communicate with each other through Layer 2 heartbeat links.)
Constraints of this feature:
IPv6 addresses and domain names are not supported.
This feature applies only to LSWs and APs in V5 and to ARs in SD-WAN scenarios. ARs in LAN scenarios and firewalls do not support this feature.
The following features are not supported in this scenario: free mobility, HACA Portal authentication, TACACS authentication, authentication component, SNMP-based device management, interconnection with the registration query center, and CloudCampus APP.
Benefits:
Fast cluster switchover and convergence.
Reduced network requirements.
An upgrade does not lead to any service interruption because an active/standby switchover can be triggered to upgrade the active and standby clusters separately.
Summary
This course describes the deployment schemes and component functions of iMaster NCE-Campus in
the CloudCampus solution.
This course describes the key features of iMaster NCE-Campus and their configuration methods.
Through these introductions, you should have a deep understanding of the main application scenarios
of iMaster NCE-Campus.
Thank You
www.huawei.com