CloudCampus Solution V100R022C00 Design and Deployment Guide for Multi-Campus Network Interconnection

Deployment Configuration

Site Deployment

Definition and Classification

In traditional site deployment mode, professional IT engineers are required to deploy devices onsite. Misoperations may occur due to scattered devices and time-consuming online operations, and errors may occur due to manual operations during initial configuration. Huawei SD-WAN Solution uses zero touch provisioning (ZTP), including email-, USB-, and DHCP option-based deployment, to address these issues.

Both the ESN and hostname can uniquely identify a CPE. A CPE can be deployed through ZTP only when the ESN is configured as the CPE's unique identifier on iMaster NCE-Campus. By default, iMaster NCE-Campus uses the ESN of a CPE as the CPE's unique identifier.

Roles and Responsibilities

Table 2-101 describes roles involved in the deployment process and their corresponding responsibilities.

Table 2-101 Roles and their responsibilities

| Role | Major Responsibilities |
| --- | --- |
| Network administrator | A network administrator is responsible for network deployment, planning, and maintenance. In an email-based deployment scenario, the network administrator configures and sends a deployment email. The email must contain the URL used to activate the deployment process. It is recommended that the email contain operation instructions for deployment engineers. |
| Site deployment engineer (device administrator) | A site deployment engineer, also referred to as the device administrator of the system integrator, is responsible for managing purchased devices. In a USB-based deployment scenario, the device administrator can import initial configurations to a CPE using a USB flash drive before delivery. |
| Site deployment engineer (network installation or maintenance engineer) | Site deployment can be completed by onsite network installation or maintenance engineers, eliminating the need for onsite deployment by professional network engineers. In an email-based deployment scenario, after receiving a deployment email, a deployment engineer connects a deployment terminal to a gateway onsite to perform email-based deployment operations. In a scenario where devices need to be deployed through the registration query center, after powering on a gateway and connecting it to the Internet, a deployment engineer performs deployment operations through the registration query center. |

Deployment Plan and Procedure

  1. Before the deployment, a southbound IP address needs to be planned for iMaster NCE-Campus to ensure that CPEs can connect to iMaster NCE-Campus through the Internet or a private network.

    If a CPE has been successfully connected to iMaster NCE-Campus after deployment, iMaster NCE-Campus automatically delivers the southbound IP address of the secondary cluster to the CPE. In this case, an active/standby cluster switchover does not affect the connection between the CPE and iMaster NCE-Campus. If a deployment operation has been performed (for example, a deployment email has been sent, the DHCP server has been configured, or files have been created for USB-based deployment) but a CPE has never been online, the CPE cannot automatically initiate a connection request to the new active cluster upon an active/standby cluster switchover. In this case, perform the following operation:

    • Email-based deployment: Send a deployment email again on iMaster NCE-Campus and deploy the CPE according to the email.
    • USB-based deployment: Regenerate USB-based deployment files on iMaster NCE-Campus.
    • DHCP option-based deployment: Configure a new southbound IP address on the DHCP server.
    • Deployment through the registration query center: Change the address of the new active cluster in the registration query center.
  2. The network administrator plans and designs the network, selects site devices, configures ZTP on iMaster NCE-Campus, and completes deployment preparations based on the deployment mode. It is recommended that wired WAN links be used for controller registration. If wireless links such as LTE/5G links are used, there is a high risk that devices cannot be managed by the controller.
    • Email-based deployment: After configuring ZTP, the network administrator needs to confirm that the deployment email has been sent to the onsite deployment engineer.
    • USB-based deployment: After configuring ZTP, the network administrator needs to download and send the ZTP deployment file to the onsite deployment engineer.
    • DHCP option-based deployment: The network administrator needs to configure DHCP options on the DHCP server to ensure that deployment configurations are correctly delivered through DHCP messages.
    • Deployment through the registration query center: The network administrator needs to interconnect the controller with the registration query center.
  3. The deployment engineer completes the deployment and checks whether the deployment is successful onsite.

Deployment Process, Device Models and Application Scenarios in Different Deployment Modes

In the SD-WAN Solution, both edge and RR devices need to be deployed. The deployment mode varies depending on device models. You can perform device deployment according to Table 2-102.

Table 2-102 Deployment process, device models and application scenarios in different deployment modes

| No. | Step | Deployment Mode | Task | Supported by AR600&6100&6200&6300 series | Supported by SRG series | Supported by AR5700&6700&8000 series | Supported by AR1000V | Application Scenario Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Deployment | Scenario 1: email-based deployment | Email-based Deployment | Y | Y | Y | N | This deployment mode is recommended for non-AR1000V devices. This deployment mode is simple and has low skill requirements for deployment personnel. However, a PC and network cables are required onsite. |
| 1 | Deployment | Scenario 2: USB-based deployment | USB-based Deployment | Y | Y | N | N | The deployment mode is simple and applies to batch deployment in warehouses. In addition, deployment personnel do not need to have any professional skills or carry tools such as PCs. However, the device ESNs must be bound to sites before deployment, and devices may be incorrectly delivered. |
| 1 | Deployment | Scenario 3: DHCP option-based deployment | DHCP Option-based Deployment | Y | Y | Y | N | The permission for configuring a DHCP server is required in DHCP option-based deployment mode. |
| 1 | Deployment | Scenario 4: Deployment through the registration query center | Deployment Through the Registration Query Center | Y | N | N | N | Only AR600 (AR650 sub-series) and AR6100&6200&6300 (AR6280/AR6300+SRU-400H and AR6280/AR6300+SRU-600H) series routers can be deployed through the registration query center. In addition, the WAN-side interface of a CPE at a site must apply for an IP address from the DHCP server in DHCP mode. |
| 1 | Deployment | Scenario 5: Cloud site deployment | Cloud Site Deployment | N | N | N | Y | Only the AR1000V can be automatically deployed on HUAWEI CLOUD or AWS. The cloud site deployment mode is recommended because the AR1000V can be installed and deployed at the same time. |
| 1 | Deployment | Scenario 6: Manual deployment | Manually Deploying AR600&6100&6200&6300 Series Devices | Y | N | N | N | Manual deployment is complex and inefficient. Email-based deployment is recommended if there are no special requirements. If the interface type of the WAN-side link is Eth-Trunk, only the manual deployment mode can be used. |
| 1 | Deployment | Scenario 6: Manual deployment | Manually Deploying an AR5700&6700&8000 Series Device | N | N | Y | N | This deployment mode is supported by AR5700&6700&8000 series devices. If the WAN link of a device is an Eth-Trunk or Eth-Trunk sub-interface, this device can be deployed only in manual mode. |
| 1 | Deployment | Scenario 6: Manual deployment | Manually Deploying an AR1000V Device | N | N | N | Y | The AR1000V can also be manually deployed. However, cloud site deployment is recommended for the AR1000V on HUAWEI CLOUD or AWS. |
| 2 | Deployment verification | - | Checking the Deployment Result | - | - | - | - | - |

Email-based Deployment

Overview of Email-based Deployment

Definition

Email-based deployment is also called URL-based deployment. After a network administrator completes ZTP configuration on iMaster NCE-Campus, iMaster NCE-Campus automatically generates a deployment email or ZTP file that carries the deployment information in URL parameters, such as the encryption parameters that provide the WAN interface configurations required by devices to register with iMaster NCE-Campus. After receiving the deployment email or ZTP file, a deployment engineer clicks the URL in the email or ZTP file to start the deployment process. Subsequently, devices automatically complete the deployment.

Application Scenarios

The email-based deployment mode is used when a CPE is installed at a site and deployment needs to be performed onsite. Email-based deployment greatly simplifies the operation process of a deployment engineer. The deployment engineer can start the deployment process with one click on the web UI. Then, the deployment can be completed automatically. This lowers skill requirements for the deployment engineer, minimizes labor costs, and shortens the deployment time.

When you perform email-based deployment for a CPE using a mobile phone through a Wi-Fi network, you are advised to disable the mobile data connection function on the mobile phone and then connect the mobile phone to the Wi-Fi network of the CPE.

Email-based Deployment Modes

Email-based deployment can be performed in either of the following two modes:

  • Sending an email: The URL containing deployment information is sent to the deployment engineer by email.
  • Downloading the ZTP file: The URL containing deployment information is sent to the deployment engineer in the ZTP file. In this mode, no email server is required.

Automatic Recording of ESNs

Email-based deployment applies to the scenario where ESNs are not bound to CPEs and are automatically recorded on iMaster NCE-Campus after deployment.

If only the CPE model is specified but the ESN of the CPE is not specified when a CPE is allocated to a site on iMaster NCE-Campus, iMaster NCE-Campus automatically allocates a token to the CPE when generating a deployment email for the site. When the deployment engineer deploys the CPE, the CPE sends the token, ESN, and other registration information to iMaster NCE-Campus for registration. iMaster NCE-Campus then associates the CPE with the ESN based on the token to complete the registration of the CPE.
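
A simplified model of the token-based ESN recording described above, as an added example (not iMaster NCE-Campus code). The class, method, and outcome names and the sample site, device, and ESN values are assumptions; the rules that a newer URL invalidates older ones and that a URL has a validity period come from the deployment procedure on this page, while refusing a second ESN on an already bound token is an assumption of this model.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class PendingDevice:
    """A CPE added to a site without an ESN (hypothetical record layout)."""
    site: str
    device_name: str
    expires_at: float
    esn: Optional[str] = None  # unknown until the CPE registers


class DeploymentTokenRegistry:
    """Controller-side bookkeeping for deployment tokens (simplified model)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingDevice] = {}     # token -> device record
        self._current: Dict[Tuple[str, str], str] = {}   # (site, device) -> latest token

    def issue(self, site: str, device_name: str, validity_s: float) -> str:
        """Generate the token for a new deployment email; any earlier token is dropped."""
        key = (site, device_name)
        old = self._current.pop(key, None)
        if old is not None:
            del self._pending[old]                       # the older URL stops working
        token = secrets.token_urlsafe(16)
        self._pending[token] = PendingDevice(
            site, device_name, self._clock() + validity_s)
        self._current[key] = token
        return token

    def register(self, token: str, esn: str) -> str:
        """Handle a CPE presenting its token and ESN; return an outcome code."""
        record = self._pending.get(token)
        if record is None:
            return "REJECT_UNKNOWN_OR_SUPERSEDED"
        if record.esn is None and self._clock() > record.expires_at:
            return "REJECT_EXPIRED"
        if record.esn is not None and record.esn != esn:
            return "REJECT_BOUND_TO_OTHER_ESN"           # assumption of this model
        record.esn = esn                                 # ESN is recorded automatically
        return "REGISTERED"

    def esn_of(self, site: str, device_name: str) -> Optional[str]:
        """Return the ESN recorded for a device, or None if it has not registered."""
        token = self._current.get((site, device_name))
        return self._pending[token].esn if token else None


if __name__ == "__main__":
    # Constructed sample values, not real sites or ESNs.
    registry = DeploymentTokenRegistry()
    url_token = registry.issue("Branch-01", "CPE-1", validity_s=3600)
    print(registry.register(url_token, "ESN-CONSTRUCTED-A"))
    print(registry.esn_of("Branch-01", "CPE-1"))
```

Because the token is the only thing that ties an unknown ESN to a site in this mode, the deployment email or ZTP file that carries it should be handled like a credential until the CPE has registered.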

Email-based Deployment Process

Deployment Process

Figure 2-17 shows the email-based deployment process.

Figure 2-17 Email-based deployment process

The following describes the email-based deployment process:

  1. Configure an email server.

    This step is mandatory if you require email-based deployment in email sending mode. If you require email-based deployment in ZTP file downloading mode, skip this step.

  2. Configure network parameters, and then send a deployment email or download the ZTP file.
    1. On iMaster NCE-Campus, add the device (CPE) to be deployed, create a site, and set network deployment parameters for the device.
    2. Proceed as follows based on the deployment mode:
      • Sending an email: Configure the email content on iMaster NCE-Campus, which then sends the email to the specified email address. The URL in the email carries encrypted network configurations of the CPE.
      • Downloading the ZTP file: Obtain the ZTP file from iMaster NCE-Campus. The URL in the file carries encrypted network configurations of the CPE.
  3. Obtain the URL containing deployment parameters through the email or ZTP file.
    Proceed as follows based on the deployment mode:
    • Sending an email: Log in to the mailbox, check the received deployment email, and carry it to the customer site.
    • Downloading the ZTP file: Obtain the ZTP file, verify that the ZTP file is available, and carry it to the customer site.
  4. Power on the device and obtain the configurations in the URL.
    1. After the device is installed and started, connect the device to a deployment terminal in wired or wireless mode and click the URL in the deployment email or ZTP file to start the deployment process.
    2. The device resolves the URL information and pushes the Portal page to the deployment terminal. After the deployment engineer confirms deployment on the Portal page, the device automatically completes configurations (including interface, network access, and VPN configurations) based on the parameters in the URL.
  5. The device is connected to the WAN and registers with iMaster NCE-Campus.

    The device automatically registers with iMaster NCE-Campus based on the address and port number of iMaster NCE-Campus in the URL.

    • If the CPE is registered successfully, iMaster NCE-Campus delivers all the service data that is configured offline to the device.
    • If the CPE fails to be registered, it initiates registration with iMaster NCE-Campus again after the fault causing the registration failure is eliminated.

Device and Feature Requirements for Email-based Deployment

Device Requirements

Email-based deployment is supported on AR600&6100&6200&6300&SRG series and AR5700&6700&8000 series devices.

Feature Requirements

Table 2-103 Feature requirements

| Phase | Requirement |
| --- | --- |
| Before deployment | After a user logs in to an undeployed AR5700&6700&8000 series device through the console port, this device cannot be deployed in email-based mode. |
| Before deployment | When you perform email-based deployment for a CPE using a mobile phone through a Wi-Fi network, you are advised to disable the mobile data connection function on the mobile phone and then connect the mobile phone to the Wi-Fi network of the CPE. |
| Before deployment | During URL-based deployment for a site, you need to disconnect the LAN-side links. For a dual-gateway site, disconnect the interlink between the two gateways. After the deployment is completed, re-connect the LAN-side links and the interlink between the two gateways. This prevents a deployment failure caused by a management address conflict of the two gateways. |
| Before deployment | If a SIM card needs to be inserted into a device at the deployment site, you are advised to insert the SIM card into slot 1 instead of other slots. Otherwise, the device may fail to register after being restarted, causing a deployment failure. |
| Before deployment | To perform email-based deployment for AR5700&6700&8000 series devices, enable Encryption and Web login in WAN Global Configuration. |
| Before deployment | In the scenario where an AR5700&6700&8000 series device uses an LTE link for email-based deployment, since board registration takes several minutes, you need to perform deployment configuration for the device 5 minutes after the device is restored to factory settings. This prevents deployment failures caused by deployment parameter delivery failures when boards are not registered. |
| After deployment | If the interface protocol type or link access mode of the WAN link is changed, email-based deployment needs to be performed again. If the interface description, uplink or downlink capacity, or link ID is changed, email-based deployment does not need to be performed again. For details about the parameters involved in re-deployment, see the description of the parameters on the WAN Link page. |

Configuring an Email Server

Application Scenario

If iMaster NCE-Campus needs to send emails to users, you need to configure an email server first.

iMaster NCE-Campus needs to send emails in the following scenarios:

  • If the system administrator, MSP administrator, or tenant administrator forgets the password, iMaster NCE-Campus needs to send a reset password to the administrator through an email.
  • After the system administrator configures alarm settings on iMaster NCE-Campus, iMaster NCE-Campus sends alarm notifications to users via email.
  • When the system administrator deletes ESNs or devices, iMaster NCE-Campus sends a notification email to the tenant administrator.
  • If a tenant administrator wants to use the email-based deployment function, iMaster NCE-Campus sends a deployment email to deployment personnel.
  • iMaster NCE-Campus sends a notification email to a tenant if a tenant license is about to expire.
  • When Portal authentication is configured for guests, iMaster NCE-Campus sends a notification email to approvers or guests.

Feature Requirements

  • If the email server uses a non-official CA certificate, you are advised to toggle off Validate server certificate.
  • There must be reachable routes between the email server and iMaster NCE-Campus nodes.

Procedure

  1. Upload an email server certificate.

    1. Contact the email server provider to obtain a certificate file.
    2. Log in to iMaster NCE-Campus as the system administrator and choose System > Security Management > Certificate Management from the main menu.
    3. Choose Service Certificate Management from the navigation pane. On the Services page, click CampusBaseServiceServerConfigMoudle.
    4. Click the Trust Certificate tab and click Import. On the displayed page, enter the certificate information, select the desired email server certificate, and click Submit to upload the certificate to iMaster NCE-Campus.

  2. Choose from the main menu and click the Email Server tab.
  3. Set parameters for interconnection with the email server.

  4. Click Test to verify the email sending function.

    • If the message "The test succeeds" is displayed and the mailbox receives the test email, the configuration is successful. Click Save.
    • If the message "The test succeeds" is displayed but the mailbox does not receive the test email, check whether the email function of the SMTP server is normal.
    • If the message "Failed to connect to the email server" is displayed, check whether the above parameters are correctly configured.
    • Depending on the performance of the SMTP server and the network quality, receipt of test emails may be delayed by at most two minutes.
    • Some SMTP providers apply access control to third-party applications. If the test fails, check whether third-party application access control is enabled on the SMTP server and set Password to the authentication password of the SMTP server.
    • Limited by security policies of email service providers, administrators may fail to receive emails in some scenarios. If this occurs, log in to the email service website or contact the email service provider to check whether the email is returned or any other exception occurs. Alternatively, configure interconnection between iMaster NCE-Campus and another email server, and try again.

Parameter Description

Table 2-104 Parameters on the Email Server tab page

| Parameter | Description | Data Plan in Advance |
| --- | --- | --- |
| SMTP address | SMTP is short for Simple Mail Transfer Protocol, and is mainly used to transfer system emails and provide email notifications. This parameter specifies the IP address of the email server used by iMaster NCE-Campus to send emails. Constraints: The email server must be accessible to iMaster NCE-Campus. You can specify an IP address or a domain name, for example, smtp.mail.com. | Y |
| Port | Port used by the email server to provide the SMTP service for external systems. You can obtain the port number from the email service provider. In most cases, the port number is 25. Constraints: The port number must be the same as that provided by the email server provider. | Y |
| Enable STARTTLS | Whether to enable the STARTTLS protocol. NOTE: When the STARTTLS protocol is enabled, Secure connection is enabled by default. | - |
| Secure connection | Whether secure connection is enabled. | - |
| Encrypted connection type | Protocol for establishing an encrypted communication channel between iMaster NCE-Campus and the SMTP server. Constraints: This parameter takes effect only when Secure connection is selected. NOTE: TLSv1.2 and TLSv1.3 are recommended, because they are more secure than TLSv1.0 and TLSv1.1. Exercise caution when configuring TLSv1.0 and TLSv1.1. | - |
| Validate server certificate | Whether to enable certificate verification. For security purposes, select Secure connection and Validate server certificate. | - |
| Certificate File | Certificate file of the email server. This certificate ensures communication security between iMaster NCE-Campus and the email server. | - |
| Authentication | Whether to enable the email account and password authentication. | - |
| Account | Username for logging in to the SMTP server. The Account and Password parameters take effect only when Authentication is selected. | - |
| Password | Password for logging in to the SMTP server. The Account and Password parameters take effect only when Authentication is selected. | - |
| Sender Email | Sender email address, which must have been registered on the email server. During the email test, this address is used as a recipient email address. After the connectivity test succeeds and the email server configurations are saved, this address is used as the sender email address. | Y |
| Customized email subject | Email subject. An administrator can customize the prefix and suffix of the email subject. When an email is sent, the prefix and suffix are automatically placed before and after the email subject. | - |
| Customized email signature | Email signature. An administrator can customize the email signature, and the signature is automatically attached to emails. | - |
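
The Email Server parameters above decide how well deployment URLs and password-reset emails are protected in transit. This added example (not part of the product or its documentation) flags settings that weaken the SMTP channel and builds a TLS context for a connectivity check from an administrator workstation, showing that a privately issued server certificate can still be validated by trusting its CA file directly. The field names, finding codes, and sample host names are assumptions of the example.

```python
import smtplib
import ssl
from dataclasses import dataclass
from typing import List, Optional

# TLS versions named in the "Encrypted connection type" note.
RECOMMENDED = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
LEGACY = {"TLSv1.0", "TLSv1.1"}


@dataclass
class EmailServerSettings:
    """Mirror of the Email Server tab parameters (field names are this example's)."""
    smtp_address: str
    port: int
    enable_starttls: bool
    secure_connection: bool
    encrypted_connection_type: str
    validate_server_certificate: bool
    certificate_file: Optional[str]  # PEM file of the CA that issued the server certificate
    authentication: bool


def audit(s: EmailServerSettings) -> List[str]:
    """Return finding codes for settings that weaken the SMTP channel."""
    findings: List[str] = []
    # Enabling STARTTLS turns Secure connection on, per the parameter note.
    secure = s.secure_connection or s.enable_starttls
    if not secure:
        findings.append("PLAINTEXT_SESSION")
        if s.authentication:
            findings.append("CREDENTIALS_SENT_UNENCRYPTED")
        return findings
    if s.encrypted_connection_type in LEGACY:
        findings.append("LEGACY_TLS_VERSION")
    elif s.encrypted_connection_type not in RECOMMENDED:
        findings.append("UNKNOWN_TLS_VERSION")
    if not s.validate_server_certificate:
        findings.append("SERVER_CERTIFICATE_NOT_VALIDATED")
    return findings


def build_tls_context(s: EmailServerSettings) -> ssl.SSLContext:
    """Build a client TLS context matching the settings; legacy versions are refused."""
    if s.encrypted_connection_type not in RECOMMENDED:
        raise ValueError("only TLSv1.2 and TLSv1.3 are accepted by this check")
    # With cafile set, only that CA is trusted, so a private CA keeps validation on.
    ctx = ssl.create_default_context(cafile=s.certificate_file)
    ctx.minimum_version = RECOMMENDED[s.encrypted_connection_type]
    if not s.validate_server_certificate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(s: EmailServerSettings, timeout: float = 10.0) -> str:
    """Connect to the SMTP server and return the TLS version that was negotiated."""
    ctx = build_tls_context(s)
    if s.enable_starttls:
        with smtplib.SMTP(s.smtp_address, s.port, timeout=timeout) as conn:
            conn.starttls(context=ctx)  # raises if the certificate check fails
            return conn.sock.version()
    with smtplib.SMTP_SSL(s.smtp_address, s.port, context=ctx, timeout=timeout) as conn:
        return conn.sock.version()


if __name__ == "__main__":
    # Constructed sample settings; smtp.example.test is a placeholder host.
    weak = EmailServerSettings("smtp.example.test", 25, False, False,
                               "TLSv1.0", False, None, True)
    hardened = EmailServerSettings("smtp.example.test", 587, True, True,
                                   "TLSv1.2", True, None, True)
    print("weak:", audit(weak))
    print("hardened:", audit(hardened))
```

Run `probe()` only against an email server you administer; it raises `ssl.SSLCertVerificationError` when the server certificate does not chain to the trusted CA or does not match the SMTP address.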

(Optional) Configuring an Email Template

In the email-based deployment scenario, deployment emails need to be configured on multiple CPEs. That is, emails with the same subject and body format need to be configured on different CPEs. To reduce repeated operations, you can configure an email template. When configuring email-based deployment parameters for each device, you can reference the email template to set the parameters automatically.

iMaster NCE-Campus provides a default email template, ZTP email template. If the default email template can meet your requirements or email-based deployment is not required, skip this section. Otherwise, you need to configure an email template as needed.

Procedure

  1. Choose from the main menu and click the WAN Template tab.
  2. Click the Email Template tab.
  3. Click Create to create an email template.

    In normal cases, you only need to set Email Template, Subject, and Content. You can set other parameters as needed.

  4. Click OK.

Parameter Description

Table 2-105 Parameters for configuring an email template

| Parameter | Description |
| --- | --- |
| Email template | Name of an email template. If multiple CPEs need to be deployed, the personnel responsible for email-based deployment can create an email template to configure general information for the CPEs. |
| Subject | Subject of an email to be sent. |
| Content | Body of a deployment email. You are advised to change the default settings only when required. To add a fixed field to a deployment email, click the label of the target field: Site Name (specifies a site name); Device Name (specifies a device name); Device ESN (specifies the ESN of a device; to check the ESN, run the display device esn command on an AR5700&6700&8000 series device, or the display esn command on an AR600&6100&6200&6300 series or AR1000V device); Link Information (indicates information about an interface for network connection); Port Description (indicates the description of a network connection interface; this field can be configured only after Link Information is configured); Expiration Time (indicates the expiration time of a deployment email). NOTE: The preceding fields are displayed only in the deployment email body, and they do not affect the information in the URL of the deployment configuration page in the email. |
| Default template | Whether to configure a template as the default email template. If you set the email template as the default template, this template is selected by default when you configure the email sending function of the site. |
| Recipients | Recipient list. If a template is selected for a deployment email, the recipients of the deployment email are automatically set to those in the template. The recipients can be changed in the deployment email. |
| CC | CC list. If a template is selected for a deployment email, the CCs of the deployment email are automatically set to those in the template. The CCs can be changed in the deployment email. |

Performing Email-based Deployment (by Sending an Email)

Email-based deployment enables CPEs to connect to the WAN, register with iMaster NCE-Campus, and go online.

Prerequisites

  1. Ensure that the device to be deployed uses its factory settings. If the device has other configurations, the deployment will fail.
    • On an AR5700&6700&8000 series device, run the following command to clear the configuration file for next startup and restart the device to restore factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restart the device, clear the service configuration and data files on the device, and restore the device to its factory settings.
        reset factory-configuration
    • For AR600&6100&6200&6300 series devices, run the following commands to clear the configuration file used for next startup, and then restart the devices to restore the factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restore the factory settings after the device restarts:
        factory-configuration reset
      3. Run the following command to restart the system and restore the factory settings of the device:
        reboot fast
  2. An email server has been configured. For details, see Configuring an Email Server.
  3. To perform email-based deployment for AR5700&6700&8000 series devices, enable Encryption and Web login in WAN Global Configuration. For details, see 2.e.
  4. The network access mode has been configured for the site where devices need to be deployed, and the ZTP mode has been set to URL/U Disk. For details, see Configuring ZTP.
  5. You have obtained the following tools before performing email-based deployment onsite.

    | Tool | Description |
    | --- | --- |
    | PC or laptop | Used to receive deployment emails. After a PC or laptop is connected to a CPE, deployment personnel can perform deployment operations. |
    | Network cable | Used to connect the PC or laptop to a CPE. |

Procedure

  1. Create a site and add devices to the site on iMaster NCE-Campus. For details, see Adding an AR Device.

    Check the state of each device to be deployed. Ensure that all the devices to be deployed have been added successfully and are in Unregistered state.
    1. Choose from the main menu of iMaster NCE-Campus.
    2. On the device page that is displayed, check whether Status of each device is Unregistered.

      If the device is in a state other than the Unregistered state, the device has been deployed and has gone online.

  2. Choose from the main menu, click the ZTP tab, select the site to be activated, and check its configuration.
  3. Use the email server configured on the controller to send deployment emails to deployment personnel.

    1. Click Send Email.
    2. On the Send Email page, select the target site and set the email content.

      1. In the Select Site area, select the site to which the deployment email is to be sent. You can search for sites by site name, template name, or activation status.
      2. Click and then click Next.
      3. Enable certificate authentication as needed.

        Enable certificate authentication: After certificate authentication is enabled, the URL in the deployment email contains certificate application information. During URL-based deployment, a device applies for a certificate based on the certificate application information in the URL and then registers with the controller.

        Certificate authentication type: Set this parameter to ESN or Controller Address based on the serial number source of the voucher file generated by the system administrator.

        Certificate authentication info: This parameter can be configured when Certificate authentication type is set to Controller Address. Select the corresponding device certificate.

      4. Set the email addresses of recipients on the email sending page.
      5. Set the email addresses of CC recipients in CC.
      6. Select an email template from the Email Template drop-down list.
      7. Enter the subject and content of the email.

    3. Click OK.
    4. After the deployment email is sent successfully (indicating that the site is activated), the icon on the right of the site is displayed as .

  4. Check all deployment emails and carry emails to the customer site.

  5. If a SIM card is inserted into a device at the deployed site, check whether the SIM card is inserted into slot 1. If not, the device cannot register with iMaster NCE-Campus after being restarted, causing a deployment failure.
  6. Install CPEs at the customer site and perform email-based deployment. You can select either of the following methods to deploy the CPEs as required.

    • To deploy a CPE in wired mode, perform the following operations:
      1. Install, connect, and power on CPEs.
      2. Use an Ethernet cable to connect a PC to the management network port of each CPE.
      3. Configure an IP address for the PC. This address must be on the network segment that contains the IP address of the CPE's management network port. As such, the PC can set up a logical connection with this network segment.
        1. Choose Control Panel > Network and Internet > Network and Sharing Center. In the dialog box that is displayed, click Connection for the active network.
        2. In the Local Area Connections Status dialog box, click Properties.
        3. In the dialog box that is displayed, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
        4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following IP address, and enter the IP address and subnet mask planned for the PC. Then, click OK.
          • The default IP address of the CPE's management network port is 192.168.1.1 and the subnet mask is 255.255.255.0.
          • Ensure that the PC is on the same network segment as the CPE's management network port.

        A device's management network port is often marked with the management or MGMT silkscreen. For models without these silkscreens, see the product documentation of the corresponding model (for example, see section "Get to Know the Product > Hardware Description > Chassis" in the NetEngine AR Product Documentation).

    • To deploy a CPE in wireless mode, perform the following operations:

      In factory settings of a CPE, the SSID of the deployment Wi-Fi network is a character string that consists of PnP_ and the last six digits of the device's ESN, in the PnP_xxxxxx format. The password for the deployment Wi-Fi network is a character string that consists of AR and the last six digits of the network SSID, in the ARxxxxxx format.

      The deployment engineer uses a deployment terminal to search for the deployment Wi-Fi network SSID and enters the password to access the device. When the deployment terminal has been connected to the specified deployment Wi-Fi network and obtained an IP address, this deployment terminal has been connected to the device.

      You can only use this mode to access devices with the AP mode as the default WLAN mode.

  7. Perform email-based deployment.

    1. Open the deployment email on the PC and copy the deployment URL to the address box of a browser or directly click the URL in the email.

      Only the latest URL can be used for deployment. If iMaster NCE-Campus repeatedly generates URLs, the old URLs become invalid. You need to use the latest URL for deployment and use the URL within the validity period.

    2. In the displayed browser window, enter the password as prompted. The password must be the same as the URL encryption key set in the global parameter configuration on iMaster NCE-Campus. The login page of AR600&6100&6200&6300&SRG series devices is different from that of AR5700&6700&8000 series devices.
      Figure 2-18 AR600&6100&6200&6300&SRG series
      Figure 2-19 AR5700&6700&8000 series
    3. Click Check Parameters to check automatically parsed parameters and click Confirm Deployment. The page of AR600&6100&6200&6300&SRG series devices is different from that of AR5700&6700&8000 series devices.

      Check the parameter values in Check Parameters. Modify them only when the data is incorrect.

      Figure 2-20 AR600&6100&6200&6300&SRG series
      Figure 2-21 AR5700&6700&8000 series

  8. Wait for the deployment to complete, which normally takes 1 to 2 minutes, and check the deployment result. The actual duration varies according to the situation.

    If Deployment Security Check is enabled when devices are added to the controller, select devices on the device management page of the controller and click Deploy to deliver configurations to them.

    1. If the deployment is successful, a deployment success message is displayed.
    2. Choose from the main menu of iMaster NCE-Campus. Find the CPEs deployed through email-based deployment and check their status.

      If Status of a CPE is Normal, the CPE has been successfully registered with iMaster NCE-Campus and is online.

    3. Determine the deployment status of the device based on the CTRL indicator:
      • Steady green: The device has been connected to the controller.
      • Blinking green: The device is being deployed. (Some device models do not support this indicator status.)
      • Steady off: The device is not connected to the controller.
    4. If the deployment fails, rectify the fault based on the failure cause displayed on the page. For details, see Email-based Deployment Failures.

      If the CPE needs to be deployed again, click Restore Factory Settings and then perform email-based deployment again.

Performing Email-based Deployment (by Downloading the ZTP File)

Prerequisites

  1. Ensure that the device to be deployed uses its factory settings. If the device has other configurations, the deployment will fail.
    • On an AR5700&6700&8000 series device, run the following command to clear the configuration file for next startup and restart the device to restore factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restart the device, clear the service configuration and data files on the device, and restore the device to its factory settings.
        reset factory-configuration
    • For AR600&6100&6200&6300 series devices, run the following commands to clear the configuration file used for next startup, and then restart the devices to restore the factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restore the factory settings after the device restarts:
        factory-configuration reset
      3. Run the following command to restart the system and restore the factory settings of the device:
        reboot fast
  2. The network access mode has been configured for the site where devices need to be deployed, and the ZTP mode has been set to URL/U Disk. For details, see Configuring ZTP.
  3. You have obtained the following tools before performing email-based deployment:

    | Tool | Description |
    | --- | --- |
    | PC or laptop | Used to receive deployment emails. After a PC or laptop is connected to a CPE device, deployment personnel can perform deployment operations. |
    | Ethernet cable | Used to connect the PC or laptop to the CPE device. |

Procedure

  1. Choose from the main menu, click the ZTP tab, select the site to be activated, and check its configuration.
  2. Download the ZTP file.

    1. Click Download ZTP File.

    2. In the Download ZTP File window that is displayed, select the site to be deployed, click to add the site to the lower area, and click OK.

      Enable certificate authentication: After certificate authentication is enabled, the ZTP file contains certificate application information. After loading the ZTP file, the device applies for a certificate based on the certificate application information in the ZTP file and then registers with the controller.

      Certificate authentication type: Set this parameter to ESN or Controller Address based on the serial number source of the voucher file generated by the system administrator.

      Certificate authentication info: This parameter can be configured when Certificate authentication type is set to Controller Address. Select the corresponding device certificate.

      If the downloaded CSV file contains fields that start with an at sign (@), hyphen (-), plus sign (+), or equal sign (=), CSV injection risks may exist, because a spreadsheet application may interpret such fields as formulas when the file is opened.

    3. The system automatically downloads the ZTP file ZTP_xxxx.csv to the default download path of the browser.

  3. Open the ZTP file on the PC, confirm the information, and submit the file to the deployment personnel.

  4. If a SIM card is inserted into a device at the deployed site, check whether the SIM card is inserted into slot 1. If so, the device cannot register with iMaster NCE-Campus after being restarted, causing a deployment failure.
  5. The deployment personnel perform the following operations on each device to be deployed according to the content in the ZTP file:

    1. Use an Ethernet cable to connect your PC to the management network port of the CPE. Configure an IP address for the PC. This address must be on the network segment that contains the IP address of the CPE's management network port. As such, the PC can set up a logical connection with this network segment.
      1. Choose Control Panel > Network and Internet > Network and Sharing Center. In the dialog box that is displayed, click Connection for the active network.
      2. In the Local Area Connections Status dialog box, click Properties.
      3. In the dialog box that is displayed, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
      4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following IP address, and enter the IP address and subnet mask planned for the PC. Then, click OK.
        • The default IP address of the CPE's management network port is 192.168.1.1 and the subnet mask is 255.255.255.0.
        • Ensure that the PC is on the same network segment as the CPE's management network port.

      A device's management network port is often marked with the management or MGMT silkscreen. For models without these silkscreens, see the product documentation of the corresponding model (for example, see section "Get to Know the Product > Hardware Description > Chassis" in the NetEngine AR Product Documentation).

    2. Open the ZTP file on the PC and copy the deployment URL to the address box of a browser or directly click the URL in the ZTP file.

      Only the latest URL can be used for deployment. If iMaster NCE-Campus repeatedly generates URLs, the old URLs become invalid. You need to use the latest URL for deployment and use the URL within the validity period.

    3. In the displayed browser window, enter the password as prompted. The password must be the same as the URL encryption key set in the global parameter configuration on iMaster NCE-Campus. The login page of AR600&6100&6200&6300&SRG series devices is different from that of AR5700&6700&8000 series devices.
      Figure 2-22 AR600&6100&6200&6300&SRG series
      Figure 2-23 AR5700&6700&8000 series
    4. Click Check Parameters to check automatically parsed parameters and click Confirm Deployment. The page of AR600&6100&6200&6300&SRG series devices is different from that of AR5700&6700&8000 series devices.

      Check the parameter values in Check Parameters. Modify them only when the data is incorrect.

      Figure 2-24 AR600&6100&6200&6300&SRG series
      Figure 2-25 AR5700&6700&8000 series

  6. Wait for the deployment to complete, which normally takes 1 to 2 minutes, and check the deployment result. The actual duration varies according to the situation.

    If Deployment Security Check is enabled when devices are added to the controller, select devices on the device management page of the controller and click Deploy to deliver configurations to them.

    1. If the deployment is successful, a deployment success message is displayed.
    2. Choose from the main menu of iMaster NCE-Campus. Find the CPEs deployed through email-based deployment and check their status.

      If Status of a CPE is Normal, the CPE has been successfully registered with iMaster NCE-Campus and is online.

    3. Determine the deployment status of the device based on the CTRL indicator:
      • Steady green: The device has been connected to the controller.
      • Blinking green: The device is being deployed. (Some device models do not support this indicator status.)
      • Steady off: The device is not connected to the controller.
    4. If the deployment fails, rectify the fault based on the failure cause displayed on the page. For details, see Email-based Deployment Failures.

      If the CPE needs to be deployed again, click Restore Factory Settings and then perform email-based deployment again.
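The CSV injection note in the Download ZTP File step can be turned into a check that runs before the ZTP file is opened in a spreadsheet. The following is an added example, not code from iMaster NCE-Campus; the column names and values in the sample are constructed, and the function names are hypothetical.

```python
import csv
import io

# The four leading characters named in the CSV injection note.
RISKY_PREFIXES = ("@", "-", "+", "=")

# Constructed sample, not a real ZTP file: column names and values are assumptions.
SAMPLE_ZTP_CSV = (
    "Site name,ESN,Deployment URL\r\n"
    "Branch-01,ESN-PLACEHOLDER-1,https://placeholder.invalid/ztp\r\n"
    "=1+1,ESN-PLACEHOLDER-2,https://placeholder.invalid/ztp\r\n"
    "Branch-03, @note,https://placeholder.invalid/ztp\r\n"
)


def is_risky(cell):
    """True if the cell starts with one of the four characters.

    Leading whitespace is ignored because some applications trim it.
    """
    return cell.lstrip().startswith(RISKY_PREFIXES)


def find_risky_cells(csv_text):
    """Return (row, column, value) for each cell a spreadsheet may treat as a formula."""
    hits = []
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_risky(cell):
                hits.append((row_no, col_no, cell))
    return hits


def make_review_copy(csv_text):
    """Return a copy for viewing in which every risky cell starts with a single quote.

    The copy is for reading in a spreadsheet only; deploy from the original file.
    """
    out = io.StringIO(newline="")
    writer = csv.writer(out)
    for row in csv.reader(io.StringIO(csv_text, newline="")):
        writer.writerow(["'" + cell if is_risky(cell) else cell for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for row_no, col_no, cell in find_risky_cells(SAMPLE_ZTP_CSV):
        print(f"row {row_no}, column {col_no}: {cell!r}")
```

A non-empty result means the file should be inspected in a text editor, or opened only as the review copy, before it is passed on to deployment personnel.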

USB-based Deployment

Overview of USB-based Deployment

Definition

During USB-based deployment (which refers to streamlined USB-based deployment in this document), after the network administrator completes the ZTP configuration for a site on iMaster NCE-Campus, iMaster NCE-Campus automatically generates the ZTP files (configuration file and index file) that record the CPE deployment configuration. The deployment engineer saves these files to a USB flash drive and inserts the USB flash drive into the CPE to complete the deployment.

AR routers support two USB-based deployment modes: USB-based deployment and streamlined USB-based deployment. The following describes their differences:

  • USB-based deployment: An index file is manually made for deployment. After the deployment is complete, the device needs to be restarted.
  • Streamlined USB-based deployment: ZTP files (configuration file and index file) are generated on iMaster NCE-Campus. After the deployment is complete, the device does not need to be restarted.

Currently, the SD-WAN Solution supports only streamlined USB-based deployment.

Application Scenarios

USB-based deployment is mainly used in batch deployment scenarios. The device administrator of a system integrator or an enterprise inserts the USB flash drive that contains ZTP files into a CPE in the warehouse and then dispatches the CPE to a site for installation and deployment.

USB-based Deployment Process

Deployment Process

Figure 2-26 USB-based deployment process

Device and Feature Requirements of USB-based Deployment

Device Requirements

USB-based deployment applies only to AR600&6100&6200&6300&SRG series devices.

Feature Requirements

Table 2-106 Feature requirements

| Phase | Requirement |
| --- | --- |
| Before deployment | When USB-based deployment is used for batch deployment and CPEs are added by ESN, the ESNs of the CPEs distributed to sites must be the same as those configured on iMaster NCE-Campus. Otherwise, the deployment may fail. To prevent key disclosure, it is strongly recommended that the device administrator use a keystroke encrypted or fingerprint encrypted USB flash drive for deployment. During deployment, keep the USB flash drive with the deployment configuration file secure. After the deployment is complete, delete the deployment configuration file in a timely manner. If a SIM card needs to be inserted into a device at the deployment site, you are advised to insert the SIM card into slot 1 instead of other slots. Otherwise, the device may fail to register after being restarted, causing a deployment failure. |

Configuring USB-based Deployment

USB-based deployment enables CPEs to connect to the WAN, register with iMaster NCE-Campus, and go online.

Prerequisites

  1. Ensure that the device to be deployed uses its factory settings. If the device has other configurations, the deployment will fail.
    • For AR600&6100&6200&6300 series devices, run the following commands to clear the configuration file used for next startup, and then restart the devices to restore the factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restore the factory settings after the device restarts:
        factory-configuration reset
      3. Run the following command to restart the system and restore the factory settings of the device:
        reboot fast
  2. The network access mode has been configured for the site where devices need to be deployed, and the ZTP mode has been set to URL/U Disk. For details, see Configuring ZTP.

Procedure

  1. Choose from the main menu, click the ZTP tab, select the site to be activated, and check its configuration.
  2. Click Download ZTP File.
  3. In the Download ZTP File dialog box that is displayed, select the site where USB-based deployment needs to be performed and enable U Deploy.

    Enable certificate authentication: After certificate authentication is enabled, the ZTP file contains certificate application information. After loading the ZTP file, the device applies for a certificate based on the certificate application information in the ZTP file and then registers with the controller.

    Certificate authentication type: Set this parameter to ESN or Controller Address based on the serial number source of the voucher file generated by the system administrator.

    Certificate authentication info: This parameter can be configured when Certificate authentication type is set to Controller Address. Select the corresponding device certificate.

  4. Click OK. The system then automatically downloads the configuration file ZTP.INI and the index file USB_AR.INI to the default download path of the browser.
  5. Save the index file USB_AR.INI and configuration file ZTP.INI to the root directory of the USB flash drive.
  6. Perform USB-based deployment.

    1. If a SIM card is inserted into a device at the deployed site, check whether the SIM card is inserted into slot 1. If so, the device cannot register with iMaster NCE-Campus after being restarted, causing a deployment failure.
    2. Power on a CPE.

    3. Insert the prepared USB flash drive into the USB port on the CPE. The CPE automatically starts the USB-based deployment process.

    4. During deployment, the CPE obtains the configuration file from the USB flash drive based on the description in the index file and saves the configuration file to the default storage medium. The deployment configuration in the configuration file is delivered to the CPE if its ESN matches. The CPE then saves the configuration to the configuration file for next startup.

    5. Observe the USB indicator on the CPE to check the progress of USB-based deployment. After USB-based deployment succeeds, remove the USB flash drive.

      • If the indicator is steady yellow, the USB-based deployment has not started yet and the interface card is to be registered.

        • Only the AR1610-X6 supports the steady yellow status.
        • Some AR models do not have a USB indicator. To check the status of such a CPE, wait for about 5 minutes until the deployment completes, choose from the main menu of iMaster NCE-Campus, and find the CPE deployed in USB-based mode. If Status is Normal, the CPE has been successfully registered with iMaster NCE-Campus and onboarded.
      • If the indicator is blinking green, USB-based deployment is ongoing.

      • If the indicator is steady green, USB-based deployment is successful.

      • If the indicator is steady red, USB-based deployment fails.

DHCP Option-based Deployment

Overview of DHCP Option-based Deployment

Definition

During DHCP option-based deployment, the network administrator completes the ZTP configuration for a site on iMaster NCE-Campus, and configures an IP address and gateway for a CPE's interface as well as the southbound IP address and port number of iMaster NCE-Campus on the DHCP server. The CPE's interface obtains an IP address from the DHCP server through DHCP. When allocating an IP address to the CPE, the DHCP server also sends iMaster NCE-Campus information to the CPE through an Option field in DHCP messages. After obtaining an IP address and accessing the underlay network, the CPE automatically registers with iMaster NCE-Campus to complete the deployment.

DHCP Option-based Deployment Modes

Two DHCP option-based deployment modes are supported:

  • Through Option 148: This mode is used when an IPv4 network is deployed on the WAN side.
  • Through Option 17: This mode is used when an IPv6 network is deployed on the WAN side.

DHCP Option-based Deployment Process

Deployment Process

Table 2-107 DHCP option-based deployment process

| No. | Description | Link |
| --- | --- | --- |
| 1 | A network administrator configures sites, global parameters, and ZTP on iMaster NCE-Campus. | Configuration Before Deployment |
| 2 | The network administrator configures a DHCP server. | Configure a DHCP Server |
| 3 | Site deployment engineers connect and power on the CPE to be deployed. | DHCP Option-based Deployment Configuration |
| 4 | The DHCP server uses DHCP Option 148 or Option 17 to send information about iMaster NCE-Campus to the CPE while assigning an IP address to it. | - |
| 5 | The CPE initiates a registration request to iMaster NCE-Campus based on the obtained information. | - |

DHCP option-based deployment can be implemented in either of the following ways based on the networking:

  1. The CPE communicates with the DHCP server through a WAN-side Layer 3 interface.

    Figure 2-27 shows the deployment process, in which each number corresponds to the same number in Table 2-107.

    In this scenario, after being powered on, the CPE obtains a temporary IP address for its WAN-side Layer 3 interface from the DHCP server and sends a registration request to iMaster NCE-Campus. After the registration succeeds, iMaster NCE-Campus allocates a new IP address to the interface on the CPE. Assume that the DHCP server assigns the IP address 10.1.1.1 to the WAN-side interface GE1/0/1 on the CPE and you have configured 10.1.1.2 for this interface in the ZTP configuration on iMaster NCE-Campus. The CPE first uses the IP address 10.1.1.1 to register with iMaster NCE-Campus. After successful registration, iMaster NCE-Campus delivers the ZTP configuration to the CPE, which then uses 10.1.1.2 in the ZTP configuration as the IP address for GE1/0/1.
    Figure 2-27 Deploying a CPE in DHCP option-based mode (through a WAN-side Layer 3 interface)
  2. The CPE communicates with the DHCP server through a non-WAN Layer 3 interface.

    Figure 2-28 shows the deployment process, in which each number corresponds to the same number in Table 2-107.

    In this scenario, after being powered on, the CPE obtains an IP address for its non-WAN Layer 3 interface from the DHCP server, connects to the management network through this interface, and sends a registration request to iMaster NCE-Campus. After the registration succeeds, iMaster NCE-Campus assigns an IP address to a WAN-side Layer 3 interface on the CPE. Assume that the DHCP server assigns the IP address 192.168.1.1 to GE1/0/6, which is a non-WAN interface, on the CPE and you have configured 10.1.1.2 for this interface in the ZTP configuration on iMaster NCE-Campus. The CPE first uses the IP address 192.168.1.1 to register with iMaster NCE-Campus. After successful registration, iMaster NCE-Campus delivers the ZTP configuration to the CPE, which then uses 10.1.1.2 in the ZTP configuration as the IP address for the WAN-side interface GE1/0/1.
    Figure 2-28 Deploying a CPE in DHCP option-based mode (through a non-WAN Layer 3 interface)

Device and Feature Requirements of DHCP Option-based Deployment

Device Requirements

DHCP Option-based deployment is applicable only to AR600&6100&6200&6300&SRG series and AR5700&6700&8000 series devices.

Feature Requirements

Table 2-108 Feature requirements

| Phase | Requirement |
| --- | --- |
| Before deployment | Before using a sub-interface as the deployment link interface, create the *.defcfg and usb.ini files, save them to the root directory of the USB flash drive, and insert the USB flash drive into the device whose factory settings have been restored. |

Configuring a DHCP Server

Context

After an unconfigured CPE is powered on, it automatically sends a request to apply for an IP address from a DHCP server. Therefore, a network administrator needs to configure the DHCP server before powering on the CPE. The DHCP server not only assigns an IP address to an interface on the CPE for network access, but also notifies the CPE of the iMaster NCE-Campus information, such as the address, through a DHCP option.

Procedure (Configuring a DHCPv4 Server)

When the WAN is an IPv4 network, you need to configure a DHCPv4 server.

  1. Log in to a DHCPv4 server.
  2. Enable the DHCP function.

    The configuration of a router running V300 is slightly different from that of a router running V600.

    • For a router running V300:
      system-view     //Enter the system view.
       dhcp enable     //Enable the DHCP function in the system view.
    • For a router running V600:
      system-view     //Enter the system view.
       dhcp enable ipv4     //Enable the DHCPv4 function in the system view.

  3. Configure the DHCPv4 server.

    • If the DHCPv4 server and the CPE reside on different network segments, configure the DHCP server to use a global address pool.
      1. Create a global DHCPv4 address pool, which is used for assigning IPv4 addresses to CPEs.
        ip pool ip-pool-name  //Create a global address pool and enter the global address pool view.
         network ip-address mask mask-length   //Configure the range of IP addresses that can be assigned dynamically in the global address pool view.
      2. Configure the gateway address. If a relay server is deployed on the network, the gateway address is the IP address of the interface enabled with the DHCP relay function.
        gateway-list ip-address      //Configure the gateway address in the global address pool view.
      3. Configure Option 148. For details, see Table 2-109.
        The configuration of a router running V300 is slightly different from that of a router running V600.
        • For a router running V300:
          option 148 ascii agilemode=agilemode;agilemanage-mode=mode;agilemanage-domain=domain;agilemanage-port=port;     //Configure Option 148 in the global address pool view.
          force insert option 148 //Configure the DHCPv4 server to insert Option 148 into response packets.
          quit      //Return to the system view.
        • For a router running V600:
          option 148 ascii agilemanage-domain=domain;agilemanage-port=port; //Configure Option 148 in the global address pool view.
          force insert option 148 //Configure the DHCPv4 server to insert Option 148 into response packets.
          quit      //Return to the system view.
      4. Enable the DHCPv4 server function on an interface.
        interface interface-type interface-number [.subinterface-number ]    //In the system view, run this command to enter the interface or sub-interface view.
         ip address ip-address mask      //Configure an IP address for the interface that provides the DHCPv4 server function.
         dhcp select global       //Configure the interface to use the global IP address pool for providing the DHCPv4 server function.

        If the DHCPv4 server function is enabled on a sub-interface, you also need to configure the sub-interface to terminate single-tagged packets. The value of low-pe-vid must be the same as the sub-interface VLAN ID set when you configure a link for ZTP deployment.

        dot1q termination vid low-pe-vid      //In the sub-interface view, configure the sub-interface to terminate single-tagged packets.
    • If the DHCPv4 server and the CPE reside on the same network segment, configure the DHCP server to use an interface address pool.
      1. Configure a DHCPv4 interface address pool, which is used for assigning IPv4 addresses to CPEs.
        interface interface-type interface-number [.subinterface-number ]    //In the system view, run this command to enter the interface or sub-interface view.
         ip address ip-address mask      //Configure an IP address for the interface that provides the DHCP server function. The network segment where the interface is located is the interface address pool.
      2. Enable the DHCPv4 server function on the interface.
        interface interface-type interface-number [.subinterface-number ]    //In the system view, run this command to enter the interface or sub-interface view.
         dhcp select interface       //Configure the interface to use the interface address pool for providing the DHCPv4 server function.

        If the DHCPv4 server function is enabled on a sub-interface, you also need to configure the sub-interface to terminate single-tagged packets. The value of low-pe-vid must be the same as the sub-interface VLAN ID set when you configure a link for ZTP deployment.

        dot1q termination vid low-pe-vid      //In the sub-interface view, configure the sub-interface to terminate single-tagged packets.
      3. Configure the gateway address.
        dhcp server gateway-list ip-address      //In the interface or sub-interface view, set the gateway address to the IP address of the interface enabled with the DHCP server function.
      4. Configure Option 148. For details, see Table 2-109.
        The configuration of a router running V300 is slightly different from that of a router running V600.
        • For a router running V300:
          dhcp server option 148 ascii agilemode=agilemode;agilemanage-mode=mode;agilemanage-domain=domain;agilemanage-port=port;     //Configure Option 148 in the interface or sub-interface view.
          force insert option 148 //Configure the DHCPv4 server to insert Option 148 into response packets.
          quit      //Return to the system view.
        • For a router running V600:
          dhcp server option 148 ascii agilemanage-domain=domain;agilemanage-port=port; //Configure Option 148 in the interface view or sub-interface view.
          force insert option 148 //Configure the DHCPv4 server to insert Option 148 into response packets.
          quit      //Return to the system view.
    Table 2-109 Parameters in Option 148

    Field

    Meaning

    Value Description

    Example

    agilemode

    Management mode.

    tradition: uses the traditional management mode.

    • Select this mode when an AR device running V300 functions as a DHCP client.
    • When a device running V600 functions as a DHCP client, you do not need to set this parameter.

    Assume that the southbound IP address and port number of iMaster NCE-Campus are 10.1.1.1 and 10020, respectively, and the site authentication code of the site to be deployed is 9cc1171d782cddd4.

    When an AR6300 series device functions as a DHCP client, set Option 148 on the DHCP server as follows: agilemode=tradition;agilemanage-mode=ip;agilemanage-domain=10.1.1.1;agilemanage-port=10020;sitecode=9cc1171d782cddd4.

    When an AR6700 series device functions as a DHCP client, set Option 148 on the DHCP server as follows: agilemanage-domain=10.1.1.1;agilemanage-port=10020;sitecode=9cc1171d782cddd4.

    agilemanage-mode

    Whether the agilemanage-domain field is set to an IP address or a domain name.

    • ip: indicates that the value of the agilemanage-domain field is an IP address.
    • domain: indicates that the value of the agilemanage-domain field is a domain name.
      NOTE:

      This parameter does not need to be set when a device running V600 functions as a DHCP client. In this case, the agilemanage-domain field is set to the southbound IP address of the controller by default.

    agilemanage-domain

    Southbound IP address or domain name of iMaster NCE-Campus, which is obtained by the CPE for controller registration. You can configure one or more IP addresses. Use ampersands (&) to separate multiple IP addresses.

    • If agilemanage-mode is set to ip, set this parameter to an IP address.
    • If agilemanage-mode is set to domain, set this parameter to the southbound domain name of iMaster NCE-Campus, starting with http:// or https://. HTTPS is recommended because it is more secure than HTTP.

    agilemanage-port

    Port number of iMaster NCE-Campus.

    The port number of iMaster NCE-Campus is 10020.

    agilemanage-domain and agilemanage-port must be set together. The number of IP addresses or domain names specified by agilemanage-domain must be the same as the number of port numbers specified by agilemanage-port.

    sitecode

    Site authentication code. This parameter needs to be set when the ESN is not used as the CPE identifier.

    After you create a site and enable ESN-free switch, iMaster NCE-Campus automatically allocates a site authentication code.

Procedure (Configuring a DHCPv6 Server)

When the WAN is an IPv6 network, you need to configure a DHCPv6 server. The following uses commands on a device running V300 as an example.

  1. Log in to a DHCPv6 server.
  2. Enable the DHCP function.

    system-view     //Enter the system view.
     dhcp enable     //Enable the DHCP function in the system view.

  3. Create an IPv6 address pool, which is used for assigning IPv6 addresses to CPEs. You can only configure a global address pool for a DHCPv6 server.

    dhcpv6 pool pool-name     //Create a global IPv6 address pool and enter the IPv6 address pool view.
     address prefix ipv6-prefix/ipv6-prefix-length     //Configure an IPv6 prefix and the prefix length.
     excluded-address start-ipv6-address [ to end-ipv6-address]     //Configure the range of IPv6 addresses that cannot be automatically assigned.
     dns-server ipv6-address      //Configure the IPv6 address of a DNS server.

  4. Configure Option 17. Run the vendor-specific command to enter the vendor-defined mode and configure a vendor-defined DHCPv6 option. vendor-id indicates the vendor ID, which is uniformly allocated by the Internet Assigned Numbers Authority (IANA). The vendor ID of Huawei is 2011. For details about other parameters, see Table 2-110.

    vendor-specific vendor-id      //Configure a vendor-defined option for the IPv6 address pool and enter the vendor-defined mode view.
     suboption suboption-code ascii agilemode=agilemode;agilemanage-mode=mode;agilemanage-domain=domain;agilemanage-port=10020;     //Configure a vendor-defined DHCPv6 sub-option in the vendor-defined mode view.

    Table 2-110 Parameters in Option 17

    Field: suboption-code
      Meaning: Code of a vendor-defined DHCPv6 sub-option.
      Value description: The value is an integer that ranges from 1 to 65535.
      Example: -

    Field: agilemode
      Meaning: Management mode.
      Value description: tradition: uses the traditional management mode.
        • Select this mode when an AR device running V300 functions as a DHCP client.
        • When a device running V600 functions as a DHCP client, you do not need to set this parameter.
      Example: Assume that the southbound IP address and port number of iMaster NCE-Campus are 2001:0db8:1::1 and 10020. When an AR6300 series device functions as a DHCP client, set Option 17 on the DHCP server as follows: agilemode=tradition;agilemanage-mode=ip;agilemanage-domain=2001:0db8:1::1;agilemanage-port=10020;sitecode=9cc1171d782cddd4.

    Field: agilemanage-mode
      Meaning: Whether the agilemanage-domain field is set to an IP address or a domain name.
      Value description:
        • ip: indicates that the value of the agilemanage-domain field is an IP address.
        • domain: indicates that the value of the agilemanage-domain field is a domain name.
        NOTE: This parameter does not need to be set when a device running V600 functions as a DHCP client. In this case, the agilemanage-domain field is set to the southbound IP address of the controller by default.

    Field: agilemanage-domain
      Meaning: Southbound IP address or domain name of iMaster NCE-Campus, which is obtained by the CPE for controller registration. You can configure one or more IP addresses. Use ampersands (&) to separate multiple IP addresses.
      Value description:
        • If agilemanage-mode is set to ip, set this parameter to an IP address.
        • If agilemanage-mode is set to domain, set this parameter to the southbound domain name of iMaster NCE-Campus, starting with http:// or https://. HTTPS is recommended because it is more secure than HTTP.

    Field: agilemanage-port
      Meaning: Port number of iMaster NCE-Campus.
      Value description: The default port number of iMaster NCE-Campus is 10020.
        agilemanage-domain and agilemanage-port must be set together. The number of IP addresses or domain names specified by agilemanage-domain must be the same as the number of port numbers specified by agilemanage-port.

    Field: sitecode
      Meaning: Site authentication code. This parameter needs to be set when the ESN is not used as the CPE identifier.
      Value description: After you create a site and enable ESN-free switch, iMaster NCE-Campus automatically allocates a site authentication code.

  5. Enable the DHCPv6 server function in the interface view.

    interface interface-type interface-number [.subinterface-number ]    //In the system view, run this command to enter the interface or sub-interface view.
     ipv6 enable     //Enable the IPv6 function on the interface.
     ipv6 address ipv6-prefix/ipv6-prefix-length     //Configure a global unicast IPv6 address for the interface.
     undo ipv6 nd ra halt     //Enable the CPE to send RA messages.
     ipv6 nd autoconfig managed-address-flag     //Configure the M flag of stateful autoconfiguration in an RA message.
     ipv6 nd autoconfig other-flag      //Configure the "other configuration" flag (O flag) of stateful autoconfiguration in an RA message.
     dhcpv6 server pool-name     //Enable the DHCPv6 server function for the interface.

    If the DHCPv6 server function is enabled on a sub-interface, you also need to configure the sub-interface as a Dot1q VLAN termination sub-interface to terminate single-tagged packets and enable this sub-interface to send NS multicast packets. The value of low-pe-vid must be the same as the sub-interface VLAN ID set when you configure a link for ZTP deployment.

    dot1q termination vid low-pe-vid      //In the sub-interface view, configure the sub-interface to terminate single-tagged packets.
    ipv6 nd ns multicast-enable //In the sub-interface view, enable the Dot1q VLAN termination sub-interface to send NS multicast packets.

Configuring DHCP Option-based Deployment

Context

DHCP option-based deployment applies only to WAN-side interfaces that work in Layer 3 mode by default. This function is not supported on WAN-side interfaces whose working mode is switched from Layer 2 to Layer 3. ARs of different models must connect to the DHCP server through specified interfaces, as shown in Table 2-111. Otherwise, DHCP option-based deployment will fail. For details about other AR models, see the "Components" sheet of the corresponding model in the "Chassis" section of the device documentation.

Table 2-111 Interfaces for connecting ARs to a DHCP server

Series

Sub-series

Device Model

Interface Connected to a DHCP Server

AR600&6100&6200&6300 series

AR610

AR611W

GE0/0/4

AR611W-LTE4CN, AR611W-LTE6EA, AR631I-LTE4EA, AR631I-LTE4CN

AR617VW

AR617VW-LTE4EA

AR650 (uCPE)

AR651-X8

GE0/0/4, GE0/0/5

AR651W-X4

AR650

AR651U-A4

GE0/0/8, GE0/0/9

AR651F-Lite

GE0/0/6, GE0/0/7, GE0/0/10, GE0/0/11

AR651C

GE0/0/8, GE0/0/9, GE0/0/10, GE0/0/11

AR651

GE0/0/8, GE0/0/9

AR651W

AR657

AR657W

AR6120

AR6120

GE0/0/8, GE0/0/9, XGE0/0/0

AR6120-S

AR6120-VW

AR6140

AR6140-9G-2AC

GE0/0/2, GE0/0/3, GE0/0/6, GE0/0/7

AR6140H-9G-2AC

AR6140-16G4XG

GE0/0/12 to GE0/0/15, XGE0/0/0 to XGE0/0/3

AR6140-S

AR6140-S

GE0/0/2, GE0/0/3, GE0/0/6, GE0/0/7

AR6280/AR6300

SRU-100H

GE0/0/1 to GE0/0/4, XGE0/0/0, XGE0/0/1

SRU-200H

SRU-400H

GE0/0/0 to GE0/0/9, XGE0/0/0 to XGE0/0/13

SRU-600H

AR6300-S

SRU-400H

GE0/0/0 to GE0/0/9, XGE0/0/0 to XGE0/0/13

AR5700&6700&8000 series

AR5700

AR5710-H8T2TS1, AR5710-H8T2TS1-T

GE0/0/8, GE0/0/9

AR6700

AR6710-L26T2X4, AR6710-L26T2X4-T

GE0/0/24, GE0/0/25, XGE0/0/0, XGE0/0/1

AR6710-L50T2X4, AR6710-L50T2X4-T

GE0/0/48, GE0/0/49, XGE0/0/0, XGE0/0/1

AR6710-L8T3TS1X2, AR6710-L8T3TS1X2-T

GE0/0/9, GE0/0/10, XGE0/0/0

AR8000

AR8140-12G10XG, AR8140-T-12G10XG

GE0/0/0 to GE0/0/11, XGE0/0/0 to XGE0/0/9

Prerequisites

  1. ZTP has been configured and the ZTP mode has been set to DHCP Option. For details, see Configuring ZTP.
  2. A DHCP server has been configured and Option parameters have been set on the DHCP server.
  3. Ensure that the device to be deployed uses its factory settings. If the device has other configurations, the deployment will fail.
    • On an AR5700&6700&8000 series device, run the following command to clear the configuration file for next startup and restart the device to restore factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restart the device, clear the service configuration and data files on the device, and restore the device to its factory settings.
        reset factory-configuration
    • For AR600&6100&6200&6300 series devices, run the following commands to clear the configuration file used for next startup, and then restart the devices to restore the factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restore the factory settings after the device restarts:
        factory-configuration reset
      3. Run the following command to restart the system and restore the factory settings of the device:
        reboot fast

Procedure

  1. Check the device status. Ensure that the device to be deployed has been added successfully, its ESN has been set, and the device status is unregistered.

    1. Log in to iMaster NCE-Campus as a tenant administrator and choose from the main menu.
    2. On the Device page that is displayed by default, check the device ESN.

      If a value is displayed in the ESN column, verify that the ESN is correct and go to the next step. If no value is displayed in the ESN column, click . On the Modify Device tab page, enter the ESN and go to the next step.

      For an AR5700&6700&8000 series device, run the following command to check the device ESN:
      display device esn
      For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check the device ESN:
      display esn
    3. On the Device page that is displayed by default, check the device status.

      If the device status is not unregistered, the device has already been deployed and is online.

  2. Choose from the main menu, click the ZTP tab, select the site to be activated, and check its configuration.
  3. If a SIM card is inserted into a device at the deployed site, check whether the SIM card is inserted into slot 1. If so, the device cannot register with iMaster NCE-Campus after being restarted, causing a deployment failure.
  4. (Optional) When a sub-interface is used as the interface of the deployment link, create *.defcfg and usb.ini files and save them to the root directory of the USB flash drive before the deployment.

    1. Configure the following commands in the *.defcfg file:
      interface interface-type interface-number.subinterface-number //Run this command in the system view to enter the sub-interface view.
       encapsulation dot1q-termination //Configure the sub-interface as a Dot1q VLAN tag termination sub-interface.
       dot1q termination vid low-pe-vid //Run this command in the sub-interface view to configure the sub-interface to terminate single-tagged frames. The value of low-pe-vid must be the same as the VLAN ID configured for the sub-interface of the deployment link.
    2. For details about how to configure the usb.ini file, see section "Intermediate File Format" in the corresponding device documentation.
    3. Save the *.defcfg and usb.ini files to the root directory of the USB flash drive, and insert the USB flash drive into the device that has been restored to factory settings.

  5. Power on the CPE and connect it to the DHCP server so that the CPE can obtain an IP address and iMaster NCE-Campus information through the DHCP option to connect to the WAN and register with iMaster NCE-Campus.
  6. Wait 1 to 2 minutes and check the deployment result. Deployment normally takes 1 to 2 minutes, but the duration varies according to the actual situation.

    1. Determine the deployment status of the device based on the CTRL indicator:
      • Steady green: The device has been connected to the controller.
      • Blinking green: The device is being deployed. (Some device models do not support this indicator status.)
      • Steady off: The device is not connected to the controller.
    2. Choose from the main menu of iMaster NCE-Campus. Find the CPE that has been deployed and check its status.
      1. (Optional) If Mode is set to Device Model when you add a device, check whether the ESN of the device has been identified. If the device is not added based on the device model, skip this step.
      2. If Status is Normal, the device has been successfully registered with iMaster NCE-Campus and is online.

Example for Configuring a DHCPv4 Server Based on a Global Address Pool

iMaster NCE-Campus can implement DHCP option-based deployment only after a DHCP server is configured. This section uses a Huawei V300 router functioning as a DHCPv4 server as an example. For other devices, see the corresponding device configuration guide.

Configuring DHCP Option 148

A device functioning as a DHCPv4 server can allocate vendor-defined network parameters to clients (that is, CPEs to be deployed), such as WAN interface IP address and gateway information. In addition, the DHCPv4 server can use a DHCP option to deliver the iMaster NCE-Campus information to the CPEs, including the southbound IP address and port number of iMaster NCE-Campus. As such, the CPEs can register with iMaster NCE-Campus based on the information obtained from this option. DHCP Option 148 is the option used for this purpose in the scenario where an external DHCPv4 server is deployed.

Networking Requirements

In Figure 2-29, DeviceA functions as a DHCPv4 server, and the CPE on the network segment 10.1.1.0/24 needs to be deployed.

Figure 2-29 Network diagram of configuring a DHCPv4 server allocating addresses from a global address pool (using a Layer 3 Ethernet interface)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable the DHCP service on DeviceA.
  2. Configure interface 10GE0/0/1 on DeviceA to work in Layer 3 mode and configure an IP address for this interface.
  3. Configure a DHCP address pool on DeviceA.
  4. Enable the DHCPv4 server function on 10GE0/0/1 of DeviceA.

Procedure

  1. Enable DHCPv4.

    <DeviceA> system-view
    [DeviceA] dhcp enable

  2. Set the IPv4 address of interface 10GE 0/0/1 to 10.1.1.1/24.

    [DeviceA] interface 10ge 0/0/1
    [DeviceA-10GE0/0/1] undo portswitch
    [DeviceA-10GE0/0/1] ip address 10.1.1.1 24
    [DeviceA-10GE0/0/1] quit

  3. Create a DHCPv4 address pool named pool1. Assuming that the southbound IP address of iMaster NCE-Campus is 192.168.1.1 and the port number is 10020, run the following commands:

    [DeviceA] ip pool pool1
    [DeviceA-ip-pool-pool1] network 10.1.1.0 mask 24
    [DeviceA-ip-pool-pool1] gateway-list 10.1.1.1
    [DeviceA-ip-pool-pool1] option 148 ascii agilemode=agilemode;agilemanage-mode=ip;agilemanage-domain=192.168.1.1;agilemanage-port=10020;
    [DeviceA-ip-pool-pool1] quit

  4. Configure the Layer 3 Ethernet interface enabled with the DHCPv4 server function to use the global address pool.

    [DeviceA] interface 10ge 0/0/1
    [DeviceA-10GE0/0/1] dhcp select global
    [DeviceA-10GE0/0/1] quit

  5. Run the display ip pool command to check the address pool configuration and address assignment information. Check the Used field, which displays the number of assigned IPv4 addresses.

    [DeviceA] display ip pool name pool1
     
      Pool-name        : pool1                                                                                                          
      Pool-No          : 7                                                                                                              
      Lease            : -                                                                                      
      Domain-name      : -                                                                                                     
      DNS-server0      : -                                                                                                       
      NBNS-server0     : -                                                                                                              
      Netbios-type     : -                                                                                                              
      Position         : Local                                                                                                          
      Status           : Unlocked                                                                                                       
      Gateway-0        : 10.1.1.1                                                                                                       
      Network          : 10.1.1.0                                                                                                       
      Mask             : 255.255.255.0                                                                                                  
      VPN instance     : --                                                                                                             
      Logging          : Disable                                                                                                        
      Conflicted address recycle interval: -                                                                                            
      Address Statistic: Total       :253       Used        :1                                                                          
                         Idle        :252       Expired     :0                                                                          
                         Conflict    :0         Disabled    :0                                                                          
     
     -------------------------------------------------------------------------------------                                              
      Network section                                                                                                                   
             Start           End       Total    Used Idle(Expired) Conflict Disabled                                                    
     -------------------------------------------------------------------------------------                                              
            10.1.1.1      10.1.1.254     253       1        252(0)       0     0                                                        
     ------------------------------------------------------------------------------------- 

  6. Run the display ip interface brief command on the CPE to check IPv4 addresses of its interfaces. The command output shows that interface 10GE0/0/1 has obtained an IPv4 address.

    <HUAWEI> display ip interface brief
    *down: administratively down
    (l): loopback
    (s): spoofing
    (d): Dampening Suppressed
    (ed): error down
    The number of interface that is UP in Physical is 3
    The number of interface that is DOWN in Physical is 0
    The number of interface that is UP in Protocol is 3
    The number of interface that is DOWN in Protocol is 0
    Interface                   IP Address/Mask    Physical Protocol VPN
    10GE0/0/1                   10.1.1.13/24         up       up       --
    MEth0/0/0                   192.168.190.129/16  up       up       --
    NULL0                       unassigned          up       up(s)    --
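
The Option 17 string from Table 2-110 and the Option 148 string in step 3 can be checked against the table's field rules before the option is configured on a DHCP server. The linter below is an added example, not Huawei code: the function names and the nce1/nce2.example.com hosts are hypothetical, and it assumes that Option 148 follows the same field rules as Option 17 and that multiple ports are separated by & in the same way as multiple addresses.

```python
"""Lint a ZTP option string built from the fields in Table 2-110 (added example)."""
import ipaddress
from urllib.parse import urlsplit

KNOWN_KEYS = {"agilemode", "agilemanage-mode", "agilemanage-domain",
              "agilemanage-port", "sitecode"}

# Strings copied from the page (Table 2-110 example and the Option 148 command).
PAGE_OPTION_17 = ("agilemode=tradition;agilemanage-mode=ip;"
                  "agilemanage-domain=2001:0db8:1::1;agilemanage-port=10020;"
                  "sitecode=9cc1171d782cddd4")
PAGE_OPTION_148 = ("agilemode=agilemode;agilemanage-mode=ip;"
                   "agilemanage-domain=192.168.1.1;agilemanage-port=10020;")
# Constructed sample: two controller URLs (hypothetical hosts) but only one port.
CONSTRUCTED_BAD = ("agilemode=tradition;agilemanage-mode=domain;"
                   "agilemanage-domain=http://nce1.example.com&https://nce2.example.com;"
                   "agilemanage-port=10020;")


def parse_option(text):
    """Split 'key=value;key=value;' into a dict. Returns (fields, errors)."""
    fields, errors = {}, []
    for item in (part.strip() for part in text.split(";")):
        if not item:
            continue  # empty piece after a trailing ';'
        key, sep, value = item.partition("=")
        if not sep or not value:
            errors.append(f"malformed item {item!r}")
        elif key not in KNOWN_KEYS:
            errors.append(f"unknown field {key!r}")
        elif key in fields:
            errors.append(f"duplicate field {key!r}")
        else:
            fields[key] = value
    return fields, errors


def check_target(target, mode):
    """Check one controller address. Returns (error, warning); either may be None."""
    if mode == "ip":
        try:
            ipaddress.ip_address(target)  # accepts IPv4 and IPv6
        except ValueError:
            return f"{target!r} is not an IP address (agilemanage-mode=ip)", None
        return None, None
    try:
        url = urlsplit(target)
        ok = url.scheme in ("http", "https") and bool(url.hostname)
    except ValueError:
        ok = False
    if not ok:
        return f"{target!r} must be a name starting with http:// or https://", None
    if url.scheme == "http":
        return None, f"{target!r} uses HTTP; the guide recommends HTTPS"
    return None, None


def lint_option(text, client="v300", esn_free=False):
    """Return (errors, warnings) for a DHCP client running 'v300' or 'v600'."""
    fields, errors = parse_option(text)
    warnings = []
    if client == "v300" and fields.get("agilemode") != "tradition":
        errors.append("agilemode must be 'tradition' for an AR client running V300")
    mode = fields.get("agilemanage-mode")
    if mode is None and client == "v600":
        mode = "ip"  # V600 clients may omit the field; the address is then an IP
    if mode not in ("ip", "domain"):
        errors.append("agilemanage-mode must be 'ip' or 'domain'")
    domain, port = fields.get("agilemanage-domain"), fields.get("agilemanage-port")
    if domain is None or port is None:
        errors.append("agilemanage-domain and agilemanage-port must be set together")
    else:
        # Assumption: ports are '&'-separated, like the addresses.
        targets, ports = domain.split("&"), port.split("&")
        if len(targets) != len(ports):
            errors.append(f"{len(targets)} address(es) but {len(ports)} port(s)")
        for p in ports:
            if not (p.isascii() and p.isdigit() and 1 <= int(p) <= 65535):
                errors.append(f"invalid port {p!r}")
        if mode in ("ip", "domain"):
            for target in targets:
                err, warn = check_target(target, mode)
                if err:
                    errors.append(err)
                if warn:
                    warnings.append(warn)
    if esn_free and "sitecode" not in fields:
        errors.append("sitecode is required when the ESN is not the CPE identifier")
    return errors, warnings


if __name__ == "__main__":
    for name, text in [("Option 17 (page)", PAGE_OPTION_17),
                       ("Option 148 (page)", PAGE_OPTION_148),
                       ("constructed", CONSTRUCTED_BAD)]:
        print(name, lint_option(text))
```

The Option 148 string is flagged for a V300 client because agilemode=agilemode is still a placeholder rather than a value from Table 2-110.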

Deployment Through the Registration Query Center

Overview of Deployment Through the Registration Query Center

Definition

During deployment through the registration query center, the network administrator configures the interconnection with Huawei's registration query center on iMaster NCE-Campus and configures ZTP for sites. The WAN interface of a CPE at a site applies for an IP address from the DHCP server in DHCP mode. In addition, the DNS server is used to resolve the domain name of the registration query center. After obtaining an IP address and connecting to the underlay network, the CPE sends a query request to the registration query center to obtain the IP address and port number of iMaster NCE-Campus. Then, the CPE automatically registers with iMaster NCE-Campus to complete the deployment.

Application Scenarios

This deployment mode is applicable to scenarios where iMaster NCE-Campus can connect to Huawei's registration query center, including Huawei public cloud, MSP-owned cloud, and on-premises scenarios.

Process of Deployment Through the Registration Query Center

Deployment Process

Figure 2-30 shows the process of deployment through the registration query center.

Figure 2-30 Process of deployment through the registration query center

iMaster NCE-Campus can be deployed in the following scenarios:

  • Huawei public cloud scenario: The unique domain name of the registration query center is provided to cloud managed devices. You only need to write the domain name into cloud managed devices upon factory delivery to implement plug-and-play of cloud managed devices.
  • MSP-owned cloud scenario: iMaster NCE-Campus can interconnect with Huawei registration query center to provide the unique domain name of the registration query center to cloud managed devices. You only need to write the domain name into cloud managed devices upon factory delivery to implement plug-and-play of cloud managed devices.
  • On-premises scenario: iMaster NCE-Campus can interconnect with Huawei registration query center. However, the southbound addresses of iMaster NCE-Campus vary. Cloud managed devices can go online only after the default iMaster NCE-Campus address is manually changed and the domain name of the registration query center is written to implement plug-and-play of cloud managed devices.

Device and Feature Requirements for Deployment Through the Registration Query Center

Device Requirements

Only AR600 (AR650 sub-series) and AR6100&6200&6300 (AR6280/AR6300+SRU-400H and AR6280/AR6300+SRU-600H) series routers can be deployed through the registration query center.

Feature Requirements

Table 2-112 Feature requirements

Phase: Before deployment
  Requirement: If a SIM card needs to be inserted into a device at the deployment site, you are advised to insert the SIM card into slot 1 instead of other slots. Otherwise, the device may fail to register after being restarted, causing a deployment failure.

Configuring Interconnection with the Registration Query Center

Application Scenario

If the registration query center is used for deployment, you need to connect iMaster NCE-Campus to the registration query center. Huawei provides a unique registration query center address. By default, the registration query center address is configured on a device before delivery. After connecting iMaster NCE-Campus to the registration query center, you can perform device deployment through the registration query center to manage the device, implementing plug-and-play.

Among devices running V600, switches can connect to the registration query center only when they run a version later than V600R22C10 and iMaster NCE-Campus runs V300R022C00SPC130 or a later version.

Procedure

  1. Configure network connectivity between iMaster NCE-Campus and the registration query center. On iMaster NCE-Campus, configure the service NIC of the iMaster NCE-Campus node to access the domain name (register.naas.huawei.com) and corresponding ports of the registration query center.

    1. Connect iMaster NCE-Campus to the registration query center.

      Log in to the server node, change the DNS server address (X.X.X.X) on the server node for accessing the registration query center, and then restart the network service.

      vi /etc/resolv.conf     //Open the DNS resolver configuration file for editing.
      nameserver X.X.X.X     //Set this line in the file. X.X.X.X is the DNS server address.
      service network restart     //Restart the network service.

      Run the following command to check the network connectivity:

      ping register.naas.huawei.com
    2. Connect iMaster NCE-Campus to ports of the registration query center.

      Connect the service NIC of the NCE-Campus node to ports 26335 and 31943 corresponding to the domain name of the registration query center.

    3. Check whether the account on the registration query center is in normal status. If the account has not been used for interconnection for a long time, it is automatically disabled. As a result, the interconnection verification fails. In this case, contact the administrator of the registration query center.

  2. Import the certificate of the registration query center on iMaster NCE-Campus.

    1. Contact the administrator to obtain the account, password, and trust certificate of the registration query center.

      By default, the northbound certificate of the registration query center is a Huawei PKI certificate signed by Huawei CA. You can download the Huawei CA certificate from the Huawei PKI website as the trust certificate.

      1. Log in to Huawei PKI website, choose CA Certificate Download from the navigation pane, and download the root certificate Huawei Equipment Root CA and level-2 CA certificate Huawei Enterprise Network Product CA.
      2. Append the content of the Huawei_Enterprise_Network_Product_CA.cer file after the -----END CERTIFICATE----- line in the Huawei_Equipment_Root_CA.der file, and save the file as RegisterCenterTrust.cer.
    2. Log in to iMaster NCE-Campus as the system administrator and choose from the main menu.
    3. Choose Service Certificate Management from the navigation pane. On the Services page, click RegisterCenter.
    4. On the Trust Certificate tab page, click Import, enter information about the certificate file to upload, select the certificate file, and click Submit to upload the certificate file to iMaster NCE-Campus.

      • According to standards, the trust certificate of the registration query center is named RegisterCenterTrust.cer. If the obtained trust certificate does not have a standard name, correct the name before you upload it.

  3. Configure interconnection between iMaster NCE-Campus and the registration query center.

    Choose and click the Registration Center Settings tab. Set Registration center address, Account, and Password, and select the registration query center's certificate file. Then click Test.

    The address of the registration query center is register.naas.huawei.com.

    • If the authentication is successful, the system displays a dialog box, indicating that the configuration is successful.
    • If the account or password is incorrect, the system displays a dialog box, indicating that the account or password is wrong. In this case, check whether the account and password are correct.
    • If a network exception occurs, the system displays a dialog box, indicating that the network is abnormal. In this case, check the network connection.

Parameters

Table 2-113 Registration query center settings

Parameter: Registration query center address
  Description: The address of the registration query center is register.naas.huawei.com.

Parameter: Certificate file
  Description: Contact technical support engineers to obtain the trust certificate of the registration query center.
    By default, the system is preset with a certificate for interconnection with the registration query center. If the certificate of the registration query center is changed, obtain a new certificate and update the certificate on the system to the latest one.
    According to standards, the trust certificate of the registration query center is named RegisterCenterTrust.cer. If the obtained trust certificate does not have a standard name, correct the name before you upload it.

Parameter: Account, Password
  Description: Contact technical support engineers to obtain the account and password for logging in to the registration query center.
    The registration query center does not allow multiple controller systems to use the same account for interconnection at the same time. Otherwise, the registration query center considers that the service IP address of the controller is changed.

Configuring Deployment Through the Registration Query Center

You can configure interconnection between the registration query center and a device to be deployed on iMaster NCE-Campus. In this case, after the device is powered on and connected to the network, it can automatically register with iMaster NCE-Campus to complete deployment. After a device is deployed successfully through the registration query center, iMaster NCE-Campus synchronizes the device information to the registration query center. After the device is upgraded or goes offline, it can go online on iMaster NCE-Campus again through the registration query center.

Prerequisites

  1. To ensure successful deployment, ensure that the device uses factory settings, has no console port input, and has no user login.
  2. The system administrator has configured a registration query center on iMaster NCE-Campus. For details, see Configuring Interconnection with the Registration Query Center.
  3. The tenant administrator has performed the following operations:
    1. Configure an IP address pool for assigning IP addresses to devices and other required network configurations on a DHCP server.
    2. Configure a DNS server, so that devices can resolve the IP address corresponding to the domain name of the registration query center.

Procedure

  1. Check the device status. Ensure that the device to be deployed has been added successfully, is in Unregistered state, and its ESN has been entered.

    1. Choose from the main menu of iMaster NCE-Campus.
    2. On the Device page that is displayed, verify that the Status of the device is Unregistered.

      • Ensure that the device to be deployed has been added to the target site. Devices not added to any sites cannot register and go online.
      • Ensure that the ESN of the device to be deployed has been identified. If not, the device cannot register with the controller and go online.

  2. If a SIM card is inserted into a device at the deployed site, check whether the SIM card is inserted into slot 1. If so, the device cannot register with iMaster NCE-Campus after being restarted, causing a deployment failure.
  3. After a device is powered on and connected to the network, the device connects to the registration query center through the preset address of the registration query center and obtains the domain name and port number of iMaster NCE-Campus from the registration query center using the device ESN.
  4. After a device is powered on and connected to the network, hold down the reset button on the device for more than five seconds. The device switches to the cloud management mode, restarts, and sends a connection request to iMaster NCE-Campus based on the domain name.
  5. Wait 1 to 2 minutes and check the deployment result. After the device is registered with and managed by iMaster NCE-Campus, iMaster NCE-Campus delivers configurations to the device based on the ESN.

    1. Determine the deployment status of the device based on the CTRL indicator:
      • Steady green: The device has been connected to the controller.
      • Blinking green: The device is being deployed. (Some device models do not support this indicator status.)
      • Steady off: The device is not connected to the controller.
    2. Choose from the main menu of iMaster NCE-Campus. Find the device that has been deployed and check its status.
      1. (Optional) If Mode is set to Device Model when you add a device, check whether the device's ESN has been identified. If the device is not added based on the device model, skip this step.
      2. (Optional) If devices have been added to the controller before interconnection with a registration query center is configured, perform operations in (Optional) Data Synchronization from the Registration Query Center on the controller to manually synchronize device information to the interconnected registration query center.
      3. If Status is Normal, the device has been successfully registered with iMaster NCE-Campus and is online.

(Optional) Data Synchronization from the Registration Query Center

Context

The registration query center checks device ESNs to identify potential errors that may occur when users manually enter device information. When the ESN of a device to be synchronized is the same as an existing one in the registration query center, the device's information fails to be synchronized to the registration query center. In this case, check the device information based on the MAC address. Device information will be synchronized to the registration query center only when both the device ESN and MAC address are correct.

Prerequisites

The function of synchronizing device information to the registration query center has been enabled. This function is enabled by default when a tenant administrator adds devices.

Procedure

  1. Choose from the main menu, click the Management Settings tab, choose Registration Center Synchronization from the navigation pane, and check whether there are devices whose information fails to be synchronized.

    If a device is added based on the device type (no ESN recorded in the system), the device is not displayed on the Registration Center Synchronization page before the device ESN is entered.

  2. If device information fails to be synchronized, click Resynchronize to synchronize the device information to the registration query center again.

    If the ESN of a device is the same as that of an existing device in the registration query center, click Verify MAC Address in the Operation column of the device to confirm and enter the MAC address that matches the ESN.

Cloud Site Deployment

Introduction to Cloud Site Deployment

If the vCPE is deployed on Huawei Cloud or AWS, cloud site deployment and manual deployment are supported. Cloud site deployment is recommended.

Definition

In cloud site deployment, the network administrator plans the networking environment on the public cloud, configures the vCPE to be managed by iMaster NCE-Campus, and completes the ZTP configuration for the cloud site.

Application Scenario

Cloud site deployment applies to scenarios where the vCPE needs to be installed and deployed on Huawei Cloud or AWS, and greatly simplifies the deployment operations. After planning the network on the public cloud and uploading the image file, the deployment personnel can complete the deployment by performing operations only on iMaster NCE-Campus, without the need to perform configurations on the public cloud or device. This greatly reduces the deployment labor and time costs.

Cloud Site Deployment Process

Deployment Process

Figure 2-31 shows the cloud site deployment process.

Figure 2-31 Cloud site deployment process
  1. The user obtains the AK/SK on the public cloud and creates cloud network credentials on iMaster NCE-Campus.
  2. The user uploads the required device image files to the public cloud.
  3. The tenant administrator creates a vCPE and adds it to a site on iMaster NCE-Campus.
  4. The tenant administrator configures ZTP on iMaster NCE-Campus. iMaster NCE-Campus invokes cloud APIs through cloud network credentials to provide available public cloud image files, VM specifications, VPC network parameter settings, and WAN-side link settings.
  5. After the configuration is complete, the vCPE automatically registers with iMaster NCE-Campus to complete the deployment. iMaster NCE-Campus automatically generates an ESN, invokes the cloud API to start the vCPE, and applies the ESN to the vCPE.

Device and Feature Requirements of Cloud Site Deployment

Device Requirements

Cloud site deployment applies only to AR1000Vs on Huawei public cloud or AWS.

Configuring a Cloud Network Credential

Context

Deployment personnel need to create cloud network credentials to configure interconnection between iMaster NCE-Campus and public clouds. By invoking public cloud APIs, iMaster NCE-Campus can automatically deploy cloud sites. iMaster NCE-Campus can successfully invoke public cloud APIs only after you have obtained an access key from the public cloud and have created a cloud network credential on iMaster NCE-Campus.

A pair of an access key ID (AK) and a secret access key (SK) is used as a long-term identity credential to sign requests for public cloud APIs.

The following procedure uses Huawei Cloud as an example. The operations on AWS are similar. For details, see the corresponding AWS guide.

Prerequisites

You have obtained a public cloud account.

Procedure

  1. Use a Huawei account to log in to the Huawei Cloud console (at https://console.huaweicloud.com/console/).
  2. Purchase a public NAT gateway. If you have purchased a public NAT gateway, skip this step.

    1. Click on the left and choose NAT Gateway > Public NAT Gateways from the navigation pane. In the upper right corner of the Public NAT Gateways page, click Buy Public NAT Gateway.

    2. Set the parameters of the public network NAT gateway as required and click Next.

  3. Purchase an EIP. If you have purchased an EIP, skip this step.

    1. Click on the left of the page and choose Elastic IP and Bandwidth > EIPs from the navigation pane. In the upper right corner of the page, click Buy EIP.

    2. Set EIP parameters as required and click Next.

  4. Configure SNAT rules for the public NAT gateway.

    1. Click on the left, choose NAT Gateway > Public NAT Gateways from the navigation pane, and click the name of the public NAT gateway to be configured.
    2. Click the SNAT Rules tab and click Add SNAT Rule.
    3. Configure an SNAT rule, including the application scenario, CIDR block, and EIP.

    4. Click OK.

  5. Obtain the access key for accessing public cloud APIs from the public cloud.

    1. Click the login account in the upper right corner and choose My Credential.

    2. Click the Access Key tab and click Add Access Key to create an AK.

    3. In the dialog box that is displayed, click Download to download the access key file. The access key file can be downloaded only once.
    4. Store the key file securely and obtain the values of Access Key Id (AK) and Secret Access Key (SK) from the file.

  6. Log in to iMaster NCE-Campus as a tenant administrator and create a cloud network credential. After the configuration is complete, the controller can invoke public cloud APIs successfully.

    1. Choose System > System Settings > Third-party Service from the main menu.
    2. Click the Credential Management tab. The page for creating a cloud network credential is displayed.
    3. Click Create. On the page that is displayed, select a public cloud, set Account Name, and set AK and SK based on the values obtained from Huawei Cloud.

    4. Click OK. The cloud network credential is created.

Creating an Image File

Context

To implement automated deployment of sites on a public cloud, you need to create or obtain image files on the public cloud. Image files on public cloud are classified into private, shared, and marketplace images.

  • Private image: A private image created on a public cloud is visible only to the user who created it.
  • Shared image: A shared image is a private image shared by another user.
  • Marketplace image: A marketplace image is provided by a cloud service provider or a third party.

The following procedure uses Huawei Cloud as an example. The operations on AWS are similar. For details, see the corresponding AWS guide.

Procedure (Huawei Cloud Private Image)

  1. Obtain the required image file. The following uses the AR1000V as an example.

    1. Obtain the image file of devices to be deployed at cloud sites at the following websites:

      To obtain the AR1000V image file, visit https://support.huawei.com/enterprise/en/routers/ar1000v-pid-21768212/software.

    2. Select the desired version and download the corresponding image file.

      The name of the AR1000V image file applicable to Huawei Cloud is AR1000V-ALLINONE-HWCLOUD-version.img.

      The name of the AR1000V image file applicable to the AWS cloud is AR1000V-ALLINONE-AWS-version.img.

  2. Upload the image file.

    1. Use a Huawei account to log in to the Huawei Cloud console (at https://console.huaweicloud.com/console/).
    2. Choose Storage > Object Storage Service under Service List.
    3. Click Create Bucket to create a bucket as needed.

      Table 2-114 Parameters for creating a bucket

      | Parameter | Description |
      |---|---|
      | Region | Select the region where the image file is to be uploaded. |
      | Data Redundancy Policy | Set this parameter based on user requirements. |
      | Bucket Name | Set a bucket name. |
      | Default Storage Class | Set this parameter based on user requirements. |
      | Bucket Policy | Set this parameter based on user requirements. |
      | Default Encryption | Set this parameter based on user requirements. This parameter is optional. You are advised to select Enable to ensure key data security. |
      | Direct Reading | Set this parameter based on user requirements. This parameter is optional. |
      | Tags | Set this parameter based on user requirements. This parameter is optional. |

    4. Go to the Object Storage Service page and click the name of the created bucket to go to the object overview page.

    5. Click the Objects tab and then click Upload Object.

      Upload the image file of the cloud device to Huawei Cloud. When the status reaches 100%, the file is uploaded successfully.

  3. Create a private image.

    1. Use a Huawei account to log in to the Huawei Cloud console (at https://console.huaweicloud.com/console/).
    2. Choose Compute > Image Management Service under Service List.
    3. Click Create image in the upper right corner. Select the name of the bucket where the image file is located and select the image file.

      Table 2-115 Parameters for creating a private image

      | Parameter | Description |
      |---|---|
      | Type | Select Import Image. |
      | Region | The value is determined by the region where the image file is uploaded. You do not need to set this parameter. |
      | Image Type | Select System disk image. |
      | Select Image File | Click an image file that has been uploaded to the bucket. |
      | Enable automatic configuration | Clear this check box. |
      | Function | Select ECS system disk image. |
      | Architecture | Select x86. |
      | Boot Mode | Select BIOS. |
      | OS | Select Other and Linux(64 bit). |
      | System Disk (GB) | This example uses 40 GB. The minimum size is 10 GB. You can select a value based on the actual requirements. |
      | Name | Set a name. |
      | Encryption | Set this parameter based on user requirements. This parameter is optional. |
      | Tags | Set this parameter based on user requirements. This parameter is optional. |
      | Description | Set this parameter based on user requirements. This parameter is optional. |

    4. After the image is created, you can view the status of the new image on the Image Management Service page.

Procedure (Huawei Cloud Shared Image)

  1. Share a private image with other users.

    1. Use a Huawei account to log in to the Huawei Cloud console (at https://console.huaweicloud.com/console/).
    2. Choose Compute > Image Management Service under Service List.
    3. On the Private Images tab page, locate the row that contains the image to be shared, click More in the Operation column, and select Share.

    4. Enter the project ID of another user with whom the selected private image is to be shared. (To obtain the project ID, choose My Credentials > API Credentials and obtain the project ID in the same region.)

  2. Receive the shared image as the user with whom the image is shared.

    1. Log in to the Huawei Cloud console as the user with whom the image is shared and choose Compute > Image Management Service.
    2. Choose Compute > Image Management Service under Service List.
    3. On the Shared Images tab page, you can view the status of the image shared by other users.

Loading an AR1000V Certificate

Context

In Huawei Cloud and AWS scenarios, CA and AR1000V device certificates can be automatically imported to iMaster NCE-Campus. In other scenarios, before manually registering an AR1000V with iMaster NCE-Campus and onboarding the device, the system administrator needs to apply for and download CA and device certificates from iMaster NCE-Campus, create a certificate update task, and load the certificates on the device.

Procedure

  1. Create a CA certificate.

    1. Log in to iMaster NCE-Campus as the admin user and choose .
    2. Choose PKI Management > CA from the navigation pane and click New.
    3. Set Signature algorithm, Certificate profile, and Country/Region(C). Click Next.

      • RSASSA-PSS is more secure than RSA. Currently, only TLS 1.3 supports certificates signed by RSASSA-PSS. TLS 1.2 and earlier versions do not support certificates signed by RSASSA-PSS.
      • RSA (with a 2047-bit or shorter key) is an insecure encryption algorithm. You are advised to use RSA (with a 3072-bit or longer key).
    4. Select an end entity profile to be associated as needed and set it as the default profile. Click Next.

    5. Set parameters related to the CA certificate and verify the configuration.

      Set Signature algorithm and Certificate profile. After the configuration is completed, click Submit. On the page that is displayed, click Restart Later.

    6. View information about the created CA certificate on the CA page. Click Download CA Certificate, set File format to PEM, and click Submit to download the created CA certificate file (.pem) to the local PC.

  2. Apply for a device certificate.

    1. Log in to iMaster NCE-Campus as the admin user and choose .
    2. On the Certificate Authority Service page, choose Certificate Application > Certificate Application from the navigation pane, and set parameters on the Apply by Basic Info tab page.

      Set Associated CA to the CA certificate created in Step 1. Set Certificate profile to the certificate profile associated in 1.d. Set Country/Region(C) to the value specified in Step 1 and click Submit.

    3. Go to the Application List page, click , and click Download Certificate.
      • File name: Set this parameter as needed. The file name can be a string of 1 to 20 characters, including digits, uppercase letters, lowercase letters, underscores (_), and hyphens (-), but cannot be null or all (case-insensitive).
      • File format: Select PKCS#12.
      • File password: Set a password for the certificate file, which will be used when the certificate is imported to the target device. The password is a string of 8 to 32 characters and must contain at least three of the following types: digits, uppercase letters, lowercase letters, and special characters. In addition, the password cannot contain more than two consecutive identical characters.

    4. On the Application List page, click Download Certificate in the Operation column. In the displayed dialog box, enter the file password configured in 3 as prompted, and click Submit to download the certificate file (.p12).

  3. Configure CA proxy.

    1. Choose System > Security Management > CA Proxy Service and choose CA Server Connection.
    2. Click New. On the Create CA Server Connection Settings page, click the Local CA tab, set the following parameters as prompted, and click Submit.
      • Name: Set this parameter as planned.
      • CA name: Select the CA certificate created in Step 1.
      • Profile name: Select the profile associated in 1.d.

  4. Update certificates online.

    1. Log in to iMaster NCE-Campus as the admin user and choose .
    2. On the Certificate Management page, choose Online Certificate Update > Certificate Update Tasks and click Create. On the Create Task page, set Template to default, CA Server to the created CA server, and Certificate format to PEM, and set other parameters as planned. It is recommended that Key length be the same as that configured in 1.d. After configuration is completed, click OK.

    3. On the Certificate Update Tasks page, find the created certificate update task and click . On the Select Service page, select CampusBaseServiceDeviceMoudle__thirdparty_cert and click OK.
      • After a certificate is applied to a service, the functions dependent on the service may be unavailable. Exercise caution when performing this operation.
      • Before selecting CampusBaseServiceDeviceMoudle__thirdparty_cert, ensure that no certificate has been applied to the service. Otherwise, other devices cannot go online.

  5. Check the binding status between the certificate and service.

    1. Log in to iMaster NCE-Campus as the admin user and choose .
    2. Choose Service Certificate Management from the navigation pane, select CampusBaseServiceDeviceMoudle__thirdparty_cert, and check whether the information about the service's identity and trust certificates is correct.

Deploying a Cloud Site

Context

The AR1000V supports automated deployment on Huawei Cloud and AWS. That is, the controller can invoke public cloud APIs to automatically configure vCPEs, VPCs, subnets, and BGP on the cloud, implementing automated deployment of cloud sites.

  1. Charged resources are created on public clouds during automated cloud site deployment. For the pricing details, see the official website of the corresponding public cloud.
  2. If a user's balance is insufficient, the user's cloud server will be shut down due to arrears and cloud sites will go offline. After the user renews services and restarts the cloud server, cloud sites will automatically go online again.

Prerequisites

  1. You have obtained the access key for invoking public cloud APIs and configured a cloud network credential on iMaster NCE-Campus. For details, see Configuring a Cloud Network Credential.
  2. You have created an image for devices to be deployed at a public cloud site. For details, see Creating an Image File.

Procedure

  1. The deployment personnel log in to iMaster NCE-Campus and configure cloud site deployment.

    1. Choose from the main menu and click the ZTP tab.
    2. Choose the cloud site to be deployed from the navigation pane, and click Click to Deploy under Cloud Site.

    3. In the Site Configuration area, set the cloud network type for the cloud site. Select a cloud network type based on the actual situation.

    4. Set parameters in the Configuration on the Cloud area.
      1. Set parameters in the Basic Config area. Set parameters based on your selected public cloud resources.

        Select a flavor based on the public cloud requirements. Select c3ne.xxxx.2 or c6.xxxx.2 for Huawei Cloud and c4.xxxx for the AWS cloud. The performance value set here must be the same as that set when devices are added to the site.

      2. Set parameters in the Certificate Configuration area. Configure a temporary device identity certificate for devices to go online on the controller.
        • Compatible with Earlier Versions of Devices: If devices running versions earlier than V300R022C00 are deployed, toggle on this item. Otherwise, the devices cannot go online. If devices running V300R022C00 and later versions are deployed, toggle off this item.
        • Certificate Validity Period: specifies the validity period of the certificate. The default validity period is 7 days. Upload a formal certificate before the validity period of the temporary certificate ends. Otherwise, devices need to go online again. For details, see Loading an AR1000V Certificate.
        • Private Key: specifies the private key required for loading the temporary device identity certificate. You can set a private key as needed.
        • Country/Region, Province/State, City, Company, and Department: Set these parameters based on the certificate update task parameters set by the system administrator on the page.

      3. Set parameters in the Network Configuration area.
        • If VPC Mode is set to Create a VPC, the controller creates a VPC on the public cloud. You can also set this parameter to Select an existing VPC.
        • Set Subnet Network to a subnet within the VPC network segment. It cannot conflict with existing subnets on the public cloud.
        • When Cloud Network Type is set to HUAWEI, you can set Public Address Type, Charging mode, and Select Bandwidth to select the access mode of the public IP address, charging mode for the public cloud elastic IP address (EIP), and bandwidth.

        • When Cloud Network Type is set to AWS, Public Address Type, Charging mode, and Select Bandwidth are not configurable.

      4. Set parameters in the Link Config area. Select a cloud site device and click Create. In the Link Config window, set WAN link parameters and click OK.

      5. Click Deploy and wait until the cloud site deployment is completed. The time required for deploying a cloud site varies depending on the network environment. The overall deployment duration is about 5 to 15 minutes.

        iMaster NCE-Campus automatically generates an ESN, invokes the cloud API to start the vCPE, and applies the ESN to the vCPE.

  2. Verify that devices at the site go online successfully.

    1. Choose from the main menu.
    2. Click the Device tab to view the status of devices at the site. If the status of a device is normal, the device goes online successfully.

  3. Verify that the site configuration is delivered successfully.

    1. Choose from the main menu.
    2. Click the Configuration Result tab, choose the site from the navigation pane, and check whether the device configuration status is Success or Info. If so, service deployment is successful.

Parameter Description

Table 2-116 Key parameters for cloud site deployment

| Area | Parameter | Description | Data Plan in Advance |
|---|---|---|---|
| Site configuration | Cloud Network Type | Public cloud for cloud site deployment. The controller uses the cloud resource orchestration service of the selected public cloud and invokes public cloud services through the SDK provided by the public cloud. | Y |
| Basic configuration | Select Account | Cloud network credential that has been configured. It is used by iMaster NCE-Campus to invoke public cloud APIs for automated deployment of devices at cloud sites. | Y |
| Basic configuration | Select Region | Select the region to be deployed on the public cloud. | Y |
| Basic configuration | Flavor | Select the VM specifications of an elastic cloud server (ECS). The specifications must be the same as those of the device added during cloud site creation. | Y |
| Basic configuration | Image | Image file for deploying devices at the cloud site. Private image: Private images are created by users from existing cloud servers and are visible only to their creators. Shared image: A shared image is a private image shared by another user. Marketplace image: A marketplace image is provided by a cloud service provider or a third party. | Y |
| Certificate Configuration | Compatible with Earlier Versions of Devices | In V300R022C00, iMaster NCE-Campus no longer provides pre-configured device identity certificates, to reduce spoofing risks caused by device identity certificate leakage. If devices running V300R022C00 and later versions are deployed, toggle off this item and configure temporary device identity certificates for the devices to go online on the controller. If devices running versions earlier than V300R022C00 are deployed, toggle on this item. Since the controller provides preconfigured certificates for these devices, you do not need to configure temporary identity certificates for them. | - |
| Certificate Configuration | Certificate Validity Period | Validity period of the temporary certificate. You can set the validity period as needed. The default validity period is 7 days and the maximum validity period is 20 years. | Y |
| Certificate Configuration | Private Key | Private key required for loading the temporary device identity certificate. The private key must contain at least six characters and contain at least two types of the following: uppercase letters, lowercase letters, digits, special characters (`~!@#$%^&*()-_ =+\|[{}];:" ,<.>/?), and spaces. | Y |
| Network configuration | VPC Mode | Create a VPC: The controller creates a VPC. Select an existing VPC: Select a VPC that has been configured on the public cloud (AWS or Huawei Cloud). | Y |
| Network configuration | VPC | Select the VPC that has been configured on the public cloud. | Y |
| Network configuration | VPC network segment | Network segment where the VPC to be created resides. | Y |
| Network configuration | Subnet Network | The network segment where the subnet is located must be included in the VPC network segment. Constraints: Configure a subnet in an unoccupied network segment in the VPC to avoid network segment conflicts. | Y |
| Network configuration | Public Address Type | This parameter is applicable only to Huawei Cloud. Fully dynamic BGP: When changes occur on a network using dynamic BGP, network configuration can be promptly adjusted using routing policies, ensuring network stability and optimal user experience. Static BGP: Static routes are manually configured by network carriers. | - |
| Network configuration | Charging mode | Charging mode for the public cloud EIP. This parameter is applicable only to Huawei Cloud. | - |
| Network configuration | Select Bandwidth | Bandwidth of the public cloud EIP. This parameter is applicable only to Huawei Cloud. | Y |
| Link configuration | Link Name | Name of a WAN link. | - |
| Link configuration | Transfer Network | Type of the transport network to which the WAN link belongs. It specifies the WAN-side network to be accessed. The value is specified by Transport network created in WAN Global Configuration. | Y |
| Link configuration | Role | Link role, which can be active or standby. Active: User service traffic is forwarded through active links, and Keepalive packets are sent to detect overlay tunnel connectivity. When there are multiple active links, you can enable the intelligent traffic steering function so that active links are selected to transmit service traffic and the others function as backup links. If the active links fail, service traffic is switched to a backup link, and can be switched back after the active links are recovered. Standby: A standby link is typically used as an escape link, which is an LTE or 5G link in most cases. When active links are functioning properly, tunnels are not set up over standby links and standby links do not participate in intelligent traffic steering. In addition, no data usage is charged on standby links. A standby link has the lowest priority. An overlay tunnel is set up over the standby link only when all active links fail. As long as one active link recovers, traffic is switched to the active link for forwarding. At least one active link must be configured at a single-gateway site with multiple WAN links and at a dual-gateway site. | Y |
| Link configuration | Interface | WAN interface specified by the public cloud. | - |
| Link configuration | Interface Address | IP address assigned to the WAN link interface by the public cloud. | - |
| Link configuration | Interface Description | Interface description. You can centrally plan the WAN links of a site and describe the CPE and site to which the interface belongs. | Y |
| Link configuration | VN instance | VN instance name. It specifies the name of the VN instance on the underlay network to which the interface is to be added. The value is a character string starting with underlay_, for example, underlay_1. | Y |
| Link configuration | IPv4 Interface Protocol Type | Interface protocol type of the physical link between the vCPE and WAN. The default value is IPoE. | - |
| Link configuration | IPv4 Link Access Mode | Mode for assigning an IP address for the interface connecting the vCPE to the WAN. By default, the static mode is used. | - |
| Link configuration | Public Address | Public address assigned to the interface by the public cloud. | - |
| Link configuration | Overlay Tunnel | Whether to enable the overlay tunnel function. This function is enabled by default, which indicates that an overlay tunnel is created over the WAN link. | - |
| Link configuration | Southbound Access | IP address of the southbound access service of iMaster NCE-Campus. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has enabled other southbound access services, you can select other customized access services for the WAN links. The southbound access services applied to WAN links cannot be changed after deployment. | Y |
| Link configuration | NAT traversal | Whether to enable the function of traversing NAT devices. NAT traversal is used to establish and maintain TCP/IP networks and UDP connections. After this function is enabled, external users can access intranet servers and intranet users can access external networks. | - |
| Link configuration | Uplink capacity (Mbps), Downlink capacity (Mbps) | Maximum uplink and downlink rates. Set the parameters based on the actual link bandwidth. In the Huawei Cloud scenario, the uplink and downlink capacities are automatically set based on the network configuration. You can manually change the values. In the AWS scenario, you need to manually set the parameters. | Y |
| Link configuration | Link ID | You can plan a unique ID for each link in an SD-WAN network. This helps you query link information by ID during maintenance. | Y |
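
A pre-deployment check of planned values against the constraints stated in Table 2-116, given here as an added example (it is not part of the Huawei guide and does not call any iMaster NCE-Campus API). The dictionary keys, the sample plans, and counting the 20-year maximum as 7300 days are assumptions.

```python
import ipaddress

# Special characters the guide lists for the Private Key field.
SPECIALS = set('`~!@#$%^&*()-_=+\\|[{}];:",<.>/?')
MAX_VALIDITY_DAYS = 20 * 365  # assumption: the 20-year maximum counted in 365-day years


def char_types(text):
    """Return which of the guide's five character types occur in text."""
    found = set()
    for ch in text:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ch == " ":
            found.add("space")
        elif ch in SPECIALS:
            found.add("special")
    return found


def parse_net(label, cidr, errors):
    """Parse a CIDR string; on failure record the error and return None."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        errors.append(f"{label}: {exc}")
        return None


def validate_plan(plan):
    """Return a list of violations of the Table 2-116 constraints (empty if none)."""
    errors = []

    # Network configuration: subnet inside the VPC segment, no conflict with existing subnets.
    vpc = parse_net("VPC network segment", plan["vpc_cidr"], errors)
    subnet = parse_net("Subnet Network", plan["subnet_cidr"], errors)
    if vpc is not None and subnet is not None:
        if vpc.version != subnet.version or not subnet.subnet_of(vpc):
            errors.append(f"Subnet Network {subnet} is not inside VPC network segment {vpc}")
        for cidr in plan.get("existing_subnets", []):
            other = parse_net("existing subnet", cidr, errors)
            if other is not None and other.version == subnet.version and subnet.overlaps(other):
                errors.append(f"Subnet Network {subnet} conflicts with existing subnet {other}")

    # Certificate configuration: private key rule and temporary certificate lifetime.
    key = plan["private_key"]
    if len(key) < 6:
        errors.append("Private Key is shorter than six characters")
    if len(char_types(key)) < 2:
        errors.append("Private Key uses fewer than two character types")
    days = plan.get("validity_days", 7)  # the guide's default is 7 days
    if not 1 <= days <= MAX_VALIDITY_DAYS:
        errors.append(f"Certificate Validity Period {days} days is outside 1..{MAX_VALIDITY_DAYS}")

    # Link configuration: unique link IDs, roles, VN instance naming, one active link.
    links = plan["links"]
    ids = [link["link_id"] for link in links]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        errors.append(f"Link ID {dup} is used by more than one link")
    for link in links:
        if link["role"] not in ("active", "standby"):
            errors.append(f"{link['name']}: Role must be active or standby")
        if not link["vn_instance"].startswith("underlay_"):
            errors.append(f"{link['name']}: VN instance must start with underlay_")
    needs_active = len(links) > 1 or plan.get("gateways", 1) == 2
    if needs_active and not any(link["role"] == "active" for link in links):
        errors.append("No active link: at least one WAN link must have the active role")
    return errors


# Constructed sample plans (hypothetical field names and values).
GOOD_PLAN = {
    "vpc_cidr": "10.20.0.0/16",
    "subnet_cidr": "10.20.8.0/24",
    "existing_subnets": ["10.20.0.0/24", "10.20.1.0/24"],
    "private_key": "Site7 temp-key",
    "validity_days": 7,
    "gateways": 1,
    "links": [
        {"name": "Internet1", "link_id": 1, "role": "active", "vn_instance": "underlay_1"},
        {"name": "Internet2", "link_id": 2, "role": "standby", "vn_instance": "underlay_2"},
    ],
}
BAD_PLAN = {
    "vpc_cidr": "10.20.0.0/16",
    "subnet_cidr": "10.20.1.128/25",        # overlaps an existing subnet
    "existing_subnets": ["10.20.1.0/24"],
    "private_key": "abcde",                 # too short, one character type
    "validity_days": 8000,                  # beyond the 20-year maximum
    "gateways": 2,
    "links": [
        {"name": "LTE1", "link_id": 5, "role": "standby", "vn_instance": "wan_1"},
        {"name": "LTE2", "link_id": 5, "role": "standby", "vn_instance": "underlay_2"},
    ],
}

if __name__ == "__main__":
    for name, plan in (("GOOD_PLAN", GOOD_PLAN), ("BAD_PLAN", BAD_PLAN)):
        problems = validate_plan(plan)
        print(name, "passes" if not problems else "has problems:")
        for problem in problems:
            print("  -", problem)
```
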

Manual Deployment

Device and Feature Requirements of Manual Deployment

Device Requirements

AR600&6100&6200&6300 series, AR5700&6700&8000 series, and AR1000V support manual deployment.

Feature Requirements

Table 2-117 Feature requirements

| Scenario | Requirement |
|---|---|
| The device model is AR5700&6700&8000 series. | If a user logs in to a device through Telnet and remains online when the device goes online on the controller, the system fails to deliver configurations to the device. To prevent this, log out all online users from the device before onboarding it. After a device goes online, the AAA users manually configured on the device are lost. If a device is manually deployed and Telnet or SSH is enabled, before logging in to the device, you need to set the authentication mode to username and password authentication and set the username and password in the AAA view. Otherwise, security risks exist. Before the deployment, you need to query the certificate on the device. If the certificate is not imported to the device, the device cannot register with iMaster NCE-Campus. |
| Before deployment | If a SIM card needs to be inserted into a device at the deployment site, you are advised to insert the SIM card into slot 1 instead of other slots. Otherwise, the device may fail to register after being restarted, causing a deployment failure. |

Manually Deploying AR600&6100&6200&6300 Series Devices

Context

AR600&6100&6200&6300 series devices support both email-based deployment and manual deployment. Manual deployment is complex and inefficient. Email-based deployment is recommended. Devices can register with and be managed by iMaster NCE-Campus only after the following configurations are complete on iMaster NCE-Campus and the devices.

Prerequisites

  1. Ensure that the device to be deployed uses its factory settings. If the device has other configurations, the deployment will fail.
    For AR600&6100&6200&6300 series devices, run the following commands to clear the configuration file used for next startup and RDB file, and then restart the devices to restore the factory settings.
    1. Run the following command in the user view to delete the RDB file:
       delete /un *.rdb
    2. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
      reset saved-configuration
    3. Run the following command to restore the factory settings after the device restarts:
      factory-configuration reset
    4. Run the following command to restart the system and restore the factory settings of the device:
      reboot fast
  2. The network access mode has been configured for the site where devices need to be deployed, and the ZTP mode has been set to URL/U Disk. For details, see Configuring ZTP.

Procedure

  1. Check the device status. Ensure that the device to be deployed has been added successfully, its ESN has been set, and the device status is unregistered.

    1. Log in to iMaster NCE-Campus as a tenant administrator and choose from the main menu.
    2. On the Device page that is displayed by default, check the device ESN.

      If a value is displayed in the ESN column, verify that the ESN is correct and go to the next step. If no value is displayed in the ESN column, click . On the Modify Device tab page, enter the ESN and go to the next step.

      For an AR5700&6700&8000 series device, run the following command to check the device ESN:
      display device esn
      For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check the device ESN:
      display esn
    3. On the Device page that is displayed by default, check the device status.

      If the device status is not unregistered, the device has already been deployed and has gone online.

  2. Choose Provision > Physical Network > WAN Physical Network from the main menu. Click the ZTP tab, select the site to be activated, and check the configuration.
  3. If a SIM card needs to be inserted into a device at the deployment site, you are advised to insert the SIM card into slot 1 instead of other slots. Otherwise, the device may fail to register after being restarted, causing a deployment failure.
  4. Create a VPN instance on the device and configure an address family. The VPN instance must be the same as that in the step "Configure WAN-side links for the site." in the section "Configuring ZTP." The VPN route distinguisher does not need to be configured.

    If the user network is an IPv4 network, run the following commands:

    ip vpn-instance vpn-instance
     ipv4-family

    If the user network is an IPv6 network, run the following commands:

    ip vpn-instance vpn-instance
     ipv6-family

  5. Configure an IP address for the interface and bind it to a VPN instance. ip-address specifies the IP address of the interface, which is used for interconnection with iMaster NCE-Campus. If the WAN interface is a Layer 2 interface, run the undo portswitch command to switch its working mode to Layer 3.

    If the user network is an IPv4 network, run the following commands:

    interface interface-type interface-number
     ip binding vpn-instance vpn-instance
     ip address ip-address mask 

    If the user network is an IPv6 network, run the following commands:

    interface interface-type interface-number
     ipv6 enable
     ip binding vpn-instance vpn-instance
     ipv6 address ipv6-address prefix-length 

    After the preceding commands are configured, run the following command to check whether the gateway address is reachable from the interface address. In the command, ip-address indicates the gateway address of the device.

    ping -vpn-instance vpn-instance ip-address

  6. Configure a route on the device to ensure connectivity between the device and iMaster NCE-Campus. ac_south_ip(v6)-address indicates the southbound IP address of iMaster NCE-Campus.

    If the user network is an IPv4 network, run the following commands:

    ip route-static vpn-instance vpn-instance ac_south_ip-address mask nexthop-address

    If the user network is an IPv6 network, run the following commands:

    ipv6 route-static vpn-instance vpn-instance ac_south_ipv6-address prefix-length nexthop-ipv6-address

  7. (Optional) Configure the IP address or domain name, and port number of the bootstrap server and specify the voucher verification mode based on the bootstrap service configuration performed by the system administrator. The value of host must be the same as the controller address in the bootstrap service configuration. You can configure ESN-based or verification code-based verification based on the serial number source in the bootstrap service configuration.

    • Configure bootstrap server information and ESN-based verification.
      agile controller bootstrap host host port 10020 vpn-instance vpn-instance verifytype esn
    • Configure bootstrap server information and verification code-based verification. Set verifycode to the southbound IP address of iMaster NCE-Campus.
      agile controller bootstrap host host port 10020 vpn-instance vpn-instance verifytype code verifycode verifycode

  8. Set parameters on the device for interconnection with iMaster NCE-Campus based on the ZTP configuration that has been performed by the tenant administrator. ac_south_ip-address indicates the southbound IP address of iMaster NCE-Campus.

    agile controller host ac_south_ip-address port 10020 vpn-instance vpn-instance

    When deploying AR600&6100&6200&6300 series devices, you need to configure interconnection with iMaster NCE-Campus on the devices so that the devices can be managed by iMaster NCE-Campus.

  9. Save all configurations to the configuration file.

    save

    If the device is online on the controller, running this command will not save the device's configuration. You need to save the device's configuration on the Maintenance > Configuration Maintenance > Configuration Save page. For details, see Saving Device Configurations.

  10. Determine the deployment status of the device based on the CTRL indicator:

    • Steady green: The device has been connected to the controller.
    • Blinking green: The device is being deployed. (Some device models do not support this indicator status.)
    • Steady off: The device is not connected to the controller.

Manually Deploying an AR5700&6700&8000 Series Device

Context

AR5700/AR6700/AR8000 series devices support manual deployment. Devices can register with and be managed by iMaster NCE-Campus only after the following configurations are complete.

Prerequisites

  1. Ensure that the device to be deployed uses its factory settings. If the device has other configurations, the deployment will fail.
    • On an AR5700&6700&8000 series device, run the following command to clear the configuration file for next startup and restart the device to restore factory settings.
      1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
        reset saved-configuration
      2. Run the following command to restart the device, clear the service configuration and data files on the device, and restore the device to its factory settings.
        reset factory-configuration
  2. A CA certificate has been imported to the device to be deployed. Otherwise, the device cannot register with iMaster NCE-Campus successfully.
    1. Before deployment, perform the following operations to check or import a CA certificate to the device.

      Run the following command to check the CA certificate on the device. If a CA certificate is found, proceed with the deployment process and skip the following step. If no CA certificate is found, proceed to the next step to import a CA certificate.
      display pki certificate ca realm default

    2. Run the following command to import the preset CA certificate to the default domain. After the CA certificate is imported, perform the previous step again to verify certificate information. If the CA certificate fails to be imported, contact Huawei technical support.
      pki import-certificate default_ca realm default
  3. The network access mode has been configured for the site where devices need to be deployed, and the ZTP mode has been set to URL/U Disk. For details, see Configuring ZTP.

Procedure

  1. Check the device status. Ensure that the device to be deployed has been added successfully, its ESN has been set, and the device status is unregistered.

    1. Log in to iMaster NCE-Campus as a tenant administrator and choose from the main menu.
    2. On the Device page that is displayed by default, check the device ESN.

      If a value is displayed in the ESN column, verify that the ESN is correct and go to the next step. If no value is displayed in the ESN column, click . On the Modify Device tab page, enter the ESN and go to the next step.

      For an AR5700&6700&8000 series device, run the following command to check the device ESN:
      display device esn
      For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check the device ESN:
      display esn
    3. On the Device page that is displayed by default, check the device status.

      If the device status is not unregistered, the device has already been deployed and gone online.

  2. Choose from the main menu, click the ZTP tab, select the site to be activated, and check its configuration.
  3. If a SIM card is inserted into a device at the deployed site, check whether the SIM card is inserted into slot 1. If so, the device cannot register with iMaster NCE-Campus after being restarted, causing a deployment failure.
  4. Log in to the device CLI and perform the following configurations:

    1. Enable NETCONF.
      snetconf server enable
    2. Create an SSH user.
      ssh user huawei
      ssh user huawei authentication-type x509v3-rsa
      ssh user huawei assign pki default
      ssh user huawei service-type snetconf

      The username must be huawei. Otherwise, the device cannot go online, causing a deployment failure.

    3. Specify the source interface for an SSH server.
      ssh server-source all-interface

      When the following information is displayed, type y and press Enter.

      Warning: SSH server source configuration will take effect in the next login. Continue? [Y/N]:y
    4. Configure an SSH authentication mode.
      ssh server assign pki default

      Configure the authorization type for SSH connections.

      ssh authorization-type default root
      Set the public key algorithm of the SSH server to X509-SSH-RSA.
      ssh server publickey x509v3-ssh-rsa

  5. Choose from the main menu, click the ZTP tab, select the site to be activated, and check its configuration.
  6. Log in to the device and configure interconnection with iMaster NCE-Campus. When deploying a device, you need to configure interconnection with iMaster NCE-Campus on the device so that the device can be managed by iMaster NCE-Campus.

    • Configure a common physical interface for a WAN link.
      1. Create a VPN instance on the device.

        If the user network is an IPv4 network, run the following commands:

        ip vpn-instance vpn-instance
         ipv4-family

        If the user network is an IPv6 network, run the following commands:

        ip vpn-instance vpn-instance
         ipv6-family
      2. (Optional) Configure a route distinguisher (RD) and import or export VPN targets for the VPN instance address family.
        route-distinguisher route-distinguisher
        vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
      3. Configure an IP address for a WAN interface and bind a VPN instance to the interface. ip-address specifies the IP address of the interface, which is used for interconnection with iMaster NCE-Campus. If the WAN interface is a Layer 2 interface, run the undo portswitch command to switch its working mode to Layer 3.

        If the user network is an IPv4 network, run the following commands:

        interface interface-type interface-number
         ip binding vpn-instance vpn-instance
         ip address ip-address mask 

        If the user network is an IPv6 network, run the following commands:

        interface interface-type interface-number
         ipv6 enable
         ip binding vpn-instance vpn-instance
         ipv6 address ipv6-address prefix-length

        After the preceding commands are configured, run the following command to check whether the gateway address is reachable from the interface address. In the command, ip-address indicates the gateway address of the device.

        ping -vpn-instance vpn-instance ip-address
      4. Configure a route on the device to ensure connectivity between the device and iMaster NCE-Campus. ac_south_ip(v6)-address indicates the southbound IP address of iMaster NCE-Campus.

        If the user network is an IPv4 network, run the following commands:

        ip route-static vpn-instance vpn-instance ac_south_ip-address mask nexthop-address

        If the user network is an IPv6 network, run the following commands:

        ipv6 route-static vpn-instance vpn-instance ac_south_ipv6-address prefix-length nexthop-ipv6-address
      5. Set parameters for interconnection with iMaster NCE-Campus on the device based on the ZTP configuration that has been performed on iMaster NCE-Campus. The callhome name must be set to default-callhome, and ac_south_ip-address must be set to the southbound IP address of iMaster NCE-Campus. For details about how to set interface-name_ac_south_ip-address, see the endpoint naming rules in the following note.
        netconf
         callhome default-callhome
         endpoint interface-name_ac_south_ip-address 
         peer-ip ac_south_ip-address port 10020 vpn-instance vpn-instance
        The endpoint name must be in the format interface-name_ac_south_ip-address, where interface-name is the name of the WAN link interface used to register with iMaster NCE-Campus and ac_south_ip-address is the controller southbound IP address, for example:
        • Assume that the WAN link uses interface GE0/0/1 and the controller southbound IP address is 192.168.10.10. Set the endpoint name to GE0/0/1_192.168.10.10.
        • Assume that the WAN link uses interface XGE0/0/1 and the controller southbound IP address is 192.168.10.10. Set the endpoint name to 10GE0/0/1_192.168.10.10.
    • Use an LTE interface on a WAN link to connect to the Internet through 5G signals. Currently, LTE interfaces are supported only on IPv4 networks.
      1. Configure the automatic dial-up function and IP address obtaining function on the interface. interface-number specifies the interface number. When using an LTE interface on a WAN link, use an LTE sub-interface.
        interface cellular interface-number
         ip address modem-alloc
      2. Configure a default route on the device to ensure connectivity between the device and iMaster NCE-Campus.
        ip route-static 0.0.0.0 0 cellular interface-number
      3. Set parameters for interconnection with iMaster NCE-Campus on the device based on the ZTP configuration that has been performed on iMaster NCE-Campus. The callhome name must be set to default-callhome, and ac_south_ip-address must be set to the southbound IP address of iMaster NCE-Campus. For details about how to set interface-name_ac_south_ip-address, see the endpoint naming rules in the following note.
        netconf
         callhome default-callhome
         endpoint interface-name_ac_south_ip-address 
         peer-ip ac_south_ip-address port 10020

      The endpoint name must be in the format interface-name_ac_south_ip-address, where interface-name is the name of the WAN link interface used to register with iMaster NCE-Campus and ac_south_ip-address is the controller southbound IP address, for example:

      Assume that the WAN link uses interface LTE1/0/0:1 and the controller southbound IP address is 192.168.10.10. Set the endpoint name to LTE1/0/0.1_192.168.10.10.

    • Configure an Eth-Trunk interface for the device's WAN link. Currently, Eth-Trunk interfaces are supported only on IPv4 networks.
      1. Create a VPN instance on the device.
        ip vpn-instance vpn-instance
         ipv4-family
      2. Create an Eth-Trunk interface on the device, for example, Eth-Trunk 1, and add member interfaces to the Eth-Trunk interface.
        interface Eth-Trunk 1
         trunkport interface-name1
         trunkport interface-name2
      3. Configure an IP address for the interface and bind a VPN instance to it. ip-address specifies the IP address of the interface, which is used for interconnection with iMaster NCE-Campus. If the WAN link interface is a Layer 2 interface, run the undo portswitch command to switch its working mode to Layer 3.
        interface Eth-Trunk 1
         ip binding vpn-instance vpn-instance
         ip address ip-address mask 
      4. Configure a route to ensure that the device can communicate with iMaster NCE-Campus. Set ac_south_ip-address to the southbound IP address of iMaster NCE-Campus.
        ip route-static vpn-instance vpn-instance ac_south_ip-address mask nexthop-address
      5. Set parameters for interconnection with iMaster NCE-Campus on the device based on the ZTP configuration that has been performed on iMaster NCE-Campus. The callhome name must be set to default-callhome, and ac_south_ip-address must be set to the southbound IP address of iMaster NCE-Campus. For details about how to set interface-name_ac_south_ip-address, see the endpoint naming rules in the following note.
        netconf
         callhome default-callhome
         endpoint interface-name_ac_south_ip-address 
         peer-ip ac_south_ip-address port 10020 vpn-instance vpn-instance
        The endpoint name must be in the format interface-name_ac_south_ip-address, where interface-name is the name of the WAN link interface used to register with iMaster NCE-Campus and ac_south_ip-address is the controller southbound IP address, for example:
        • Assume that the WAN link uses the Eth-Trunk 1 interface and the controller southbound IP address is 192.168.10.10. Set the endpoint name to Eth-Trunk1_192.168.10.10.
    • Configure an Eth-Trunk sub-interface for the device's WAN link. Currently, Eth-Trunk sub-interfaces are supported only on IPv4 networks.
      1. Create a VPN instance on the device.
        ip vpn-instance vpn-instance
         ipv4-family
      2. Create an Eth-Trunk interface on the device, for example, Eth-Trunk 1, and add member interfaces to the Eth-Trunk interface.
        interface Eth-Trunk 1
         trunkport interface-name1
         trunkport interface-name2
      3. Create an Eth-Trunk sub-interface, for example, Eth-Trunk 1.1, and configure the sub-interface to terminate user VLANs. The sub-interface and VLAN IDs for termination must be the same as the sub-interface number and VLAN IDs specified on the ZTP page of the controller. Configure an IP address for the interface and bind a VPN instance to it. ip-address specifies the IP address of the interface, which is used for interconnection with iMaster NCE-Campus. If the WAN link interface is a Layer 2 interface, run the undo portswitch command to switch its working mode to Layer 3.
        interface Eth-Trunk 1.1
         dot1q termination vid vlan_id
         ip binding vpn-instance vpn-instance
         ip address ip-address mask 
      4. Configure a route to ensure that the device can communicate with iMaster NCE-Campus. Set ac_south_ip-address to the southbound IP address of iMaster NCE-Campus.
        ip route-static vpn-instance vpn-instance ac_south_ip-address mask nexthop-address
      5. Set parameters for interconnection with iMaster NCE-Campus on the device based on the ZTP configuration that has been performed on iMaster NCE-Campus. The callhome name must be set to default-callhome, and ac_south_ip-address must be set to the southbound IP address of iMaster NCE-Campus. For details about how to set interface-name_ac_south_ip-address, see the endpoint naming rules in the following note.
        netconf
         callhome default-callhome
         endpoint interface-name_ac_south_ip-address 
         peer-ip ac_south_ip-address port 10020 vpn-instance vpn-instance
        The endpoint name must be in the format interface-name_ac_south_ip-address, where interface-name is the name of the WAN link interface used to register with iMaster NCE-Campus and ac_south_ip-address is the controller southbound IP address, for example:
        • Assume that the WAN link uses the Eth-Trunk 1.1 interface and the controller southbound IP address is 192.168.10.10. Set the endpoint name to Eth-Trunk1.1_192.168.10.10.

  7. Save all configurations to the configuration file.

    save

    If the device is online on the controller, running this command will not save the device's configuration. You need to save the device's configuration on the Maintenance > Configuration Maintenance > Configuration Save page. For details, see Saving Device Configurations.

  8. Determine the deployment status of the device based on the CTRL indicator:

    • Steady green: The device has been connected to the controller.
    • Blinking green: The device is being deployed. (Some device models do not support this indicator status.)
    • Steady off: The device is not connected to the controller.
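A check for the CLI part of the procedure above, as an added example that is not part of the guide or of Huawei's tooling: it lints the typed commands for the fixed SSH username, the callhome name, and the endpoint naming rule. The endpoint normalization covers only the interface types the guide gives examples for; the function names, the VPN instance name vpn1 and the sample configurations are constructed for illustration.

```python
import ipaddress
import re

# Commands that step 4 of the procedure requires as written.
REQUIRED_LINES = [
    "snetconf server enable",
    "ssh user huawei",
    "ssh user huawei authentication-type x509v3-rsa",
    "ssh user huawei assign pki default",
    "ssh user huawei service-type snetconf",
    "ssh server assign pki default",
    "ssh server publickey x509v3-ssh-rsa",
]


def expected_endpoint(interface: str, controller_ip: str) -> str:
    """Endpoint name per the guide's examples: GE0/0/1 stays as is,
    XGE0/0/1 -> 10GE0/0/1, LTE1/0/0:1 -> LTE1/0/0.1, 'Eth-Trunk 1.1' -> Eth-Trunk1.1.
    Interface types the guide gives no example for are passed through unchanged."""
    ipaddress.ip_address(controller_ip)  # ValueError on a malformed address
    name = interface.replace(" ", "").replace(":", ".")
    if name.startswith("XGE"):
        name = "10GE" + name[len("XGE"):]
    return f"{name}_{controller_ip}"


def lint_callhome(config: str, wan_interface: str, controller_ip: str) -> list[str]:
    """Return deviations from the procedure; an empty list means none were found."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    problems = [f"missing: {req}" for req in REQUIRED_LINES if req not in lines]

    # The guide: the username must be huawei, otherwise the device cannot go online.
    users = {m.group(1) for ln in lines if (m := re.match(r"ssh user (\S+)", ln))}
    for user in sorted(users - {"huawei"}):
        problems.append(f"unexpected SSH user: {user}")

    callhomes = [ln.split()[1] for ln in lines if re.fullmatch(r"callhome \S+", ln)]
    if callhomes != ["default-callhome"]:
        problems.append(f"callhome name must be default-callhome, found {callhomes}")

    want = expected_endpoint(wan_interface, controller_ip)
    endpoints = [ln.split()[1] for ln in lines if re.fullmatch(r"endpoint \S+", ln)]
    if endpoints != [want]:
        problems.append(f"endpoint must be {want}, found {endpoints}")

    peers = [(m.group(1), int(m.group(2))) for ln in lines
             if (m := re.match(r"peer-ip (\S+) port (\d+)", ln))]
    if peers != [(controller_ip, 10020)]:
        problems.append(f"peer-ip must be {controller_ip} port 10020, found {peers}")
    return problems


# Constructed sample: the commands as typed for a WAN link on XGE0/0/1.
GOOD = """\
snetconf server enable
ssh user huawei
ssh user huawei authentication-type x509v3-rsa
ssh user huawei assign pki default
ssh user huawei service-type snetconf
ssh server-source all-interface
ssh server assign pki default
ssh authorization-type default root
ssh server publickey x509v3-ssh-rsa
netconf
 callhome default-callhome
 endpoint 10GE0/0/1_192.168.10.10
 peer-ip 192.168.10.10 port 10020 vpn-instance vpn1
"""
# Constructed faulty variant: wrong SSH username, raw interface name in the endpoint.
BAD = GOOD.replace("ssh user huawei", "ssh user admin").replace("10GE0/0/1_", "XGE0/0/1_")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_callhome(cfg, "XGE0/0/1", "192.168.10.10"))
```

Run it against the command list prepared for a site before the commands are pasted into the device; it checks the text only and does not contact the device or the controller.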

Manually Deploying an AR1000V Device

Context

It is recommended that AR1000Vs be deployed in cloud site mode on Huawei Cloud and AWS, and be deployed in manual mode on other cloud platforms. Before manual deployment, you need to perform required configurations on the target devices and iMaster NCE-Campus, so that the devices can go online and be managed by iMaster NCE-Campus.

Prerequisites

  1. AR1000V devices have been installed on the public cloud. For details about how to install an AR1000V, see "AR1000V Installation Guide" in the NetEngine AR1000V V300R022 Product Documentation.
  2. Ensure that the device to be deployed uses its factory settings. If the device has other configurations, the deployment will fail.
    For an AR1000V, run the following commands to clear the configuration file for next startup, and then restart the device to restore the factory settings.
    1. Run the following command in the user view to clear the configuration file used for next startup and cancel the setting of specifying a configuration file for next startup, thereby restoring the default device settings:
      reset saved-configuration
    2. Run the following command to restore the factory settings after the device restarts:
      factory-configuration reset
    3. Run the following command to restart the system and restore the factory settings of the device:
      reboot fast
  3. You have applied for a CA certificate (a .pem file) and a device identity certificate (a .p12 file) on iMaster NCE-Campus and updated the certificates on iMaster NCE-Campus. For details, see Loading an AR1000V Certificate.
  4. The network access mode has been configured for the site where devices need to be deployed, and the ZTP mode has been set to URL/U Disk. For details, see Configuring ZTP.

Procedure

  1. Check the device status. Ensure that the device to be deployed has been added successfully, its ESN has been set, and the device status is unregistered.

    1. Log in to iMaster NCE-Campus as a tenant administrator and choose from the main menu.
    2. On the Device page that is displayed by default, check the device ESN.

      If a value is displayed in the ESN column, verify that the ESN is correct and go to the next step. If no value is displayed in the ESN column, click . On the Modify Device tab page, enter the ESN and go to the next step.

      For an AR5700&6700&8000 series device, run the following command to check the device ESN:
      display device esn
      For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check the device ESN:
      display esn
    3. On the Device page that is displayed by default, check the device status.

      If the device status is not unregistered, the device has already been deployed and gone online.

  2. Log in to the device on the public cloud console or directly log in to the device for configuration.

    If a public IP address has been set for an AR1000V device when the AR1000V device is created and the SSH function has been configured during the device initial configuration, you can directly log in to the AR1000V to perform operations, without the need to use the public cloud console for device login.

  3. Load required certificates on the device. A device can successfully register with iMaster NCE-Campus only after the device has the CA certificate and device identity certificate loaded.

    If iMaster NCE-Campus running a version other than V300R022C00 is used together with the AR1000V running V300R022C00, certificates cannot be manually imported. To prevent this problem, ensure that the software version of iMaster NCE-Campus is the same as that of the AR1000V.

    1. Upload the CA certificate (a .pem file) and device identity certificate (a .p12 file) to the root directory of the flash memory of the device through FTP or SFTP. SFTP is recommended, because it is more secure than FTP.
    2. In the system view, run the following command to import the CA certificate. In the command, realm-name indicates the domain name of the certificate, which is set to default in this example; filename indicates the certificate name, which is the name of the obtained .pem file.
      pki import-certificate ca realm realm-name pem filename filename
    3. In the system view, run the following commands to import the RSA key pair and device identity certificate.
      1. Import the RSA key pair to the device memory:
        • key-name in the command indicates the name of the RSA key pair on the device and can be customized.
        • file-name in the command indicates the name of the file that stores the RSA key pair. In this example, it is the name of the obtained .p12 file.
        • password in the command indicates the file password configured when the device identity certificate is downloaded.
          pki import rsa-key-pair key-name pkcs12 file-name password password
      2. Import the device identity certificate to the device memory:
        • realm-name in the command indicates the domain name of the certificate, which is set to default in this example.
        • file-name in the command indicates the name of the certificate file to be imported. In this example, it is the name of the obtained .p12 file.
        • password in the command indicates the file password configured when the device identity certificate is downloaded.
          pki import-certificate local realm realm-name pkcs12 filename file-name password password

  4. Create a VPN instance on the device.

    If the user network is an IPv4 network, run the following commands:

    ip vpn-instance vpn-instance //The vpn-instance name must be the same as that configured for ZTP.
     ipv4-family 

    If the user network is an IPv6 network, run the following commands:

    ip vpn-instance vpn-instance //The vpn-instance name must be the same as that configured for ZTP.
     ipv6-family 

  5. Configure an IP address for an interface and bind a VPN instance to the interface. ip-address specifies the IP address used by the device to register with iMaster NCE-Campus.

    If the user network is an IPv4 network, run the following commands:

    interface interface-type interface-number
     ip binding vpn-instance vpn-instance
     ip address ip-address mask 

    If the user network is an IPv6 network, run the following commands:

    interface interface-type interface-number
     ipv6 enable
     ip binding vpn-instance vpn-instance
     ipv6 address ipv6-address prefix-length

  6. Configure a route to ensure connectivity between the device and iMaster NCE-Campus. You are advised to configure a host route. ip(v6)-address is the southbound IP address of iMaster NCE-Campus, and nexthop-address is the IP address of the next hop connected to the WAN interface.

    If the user network is an IPv4 network, run the following commands:
    ip route-static vpn-instance vpn-instance ip-address 32 nexthop-address

    If the user network is an IPv6 network, run the following commands:

    ipv6 route-static vpn-instance vpn-instance ipv6-address 128 nexthop-ipv6-address

  7. (Optional) Configure the IP address or domain name, and port number of the Bootstrap server and specify the voucher verification mode based on the Bootstrap service configuration performed by the system administrator. The value of host must be the same as the controller address in the Bootstrap service configuration. You can configure ESN-based or verification code-based verification based on the serial number source in the Bootstrap service configuration.

    • Configure Bootstrap server information and ESN-based verification.
      agile controller bootstrap host host port 10020 vpn-instance vpn-instance verifytype esn
    • Configure Bootstrap server information and verification code-based verification. Set verifycode to the southbound IP address of iMaster NCE-Campus.
      agile controller bootstrap host host port 10020 vpn-instance vpn-instance verifytype code verifycode verifycode

  8. Set parameters for interconnection with iMaster NCE-Campus on the device based on the ZTP configuration performed by the tenant administrator. Set ip-address to the southbound IP address of iMaster NCE-Campus and set port to the fixed value 10020.

    agile controller host ip-address port 10020 vpn-instance vpn-instance

  9. Save all configurations to the configuration file.

    save

    If the device is online on the controller, running this command will not save the device's configuration. You need to save the device's configuration on the Maintenance > Configuration Maintenance > Configuration Save page. For details, see Saving Device Configurations.
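The VPN instance, interface binding, static route and agile controller host commands in the AR1000V procedure above, and in the matching AR600&6100&6200&6300 series steps earlier in this section, must all agree with each other. The following is an added example, not part of the guide or of Huawei's tooling, that cross-checks them on the typed command text; the function name, interface name, addresses and VPN instance names are constructed for illustration.

```python
import ipaddress
import re


def check_controller_path(config: str) -> list[str]:
    """Cross-check the VPN instance, interface binding, static route and
    'agile controller host' line; return the inconsistencies found."""
    families = {}      # VPN instance name -> address families enabled in it
    bound = set()      # VPN instances bound to at least one interface
    routes = []        # (VPN instance, destination network)
    controller = None  # (host, port, VPN instance)
    current_vpn = None
    problems = []

    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop the guide's // annotations
        if not line:
            continue
        if not raw[0].isspace() and not line.startswith("ip vpn-instance "):
            current_vpn = None  # a new top-level command leaves the VPN instance view
        if m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            current_vpn = m.group(1)
            families.setdefault(current_vpn, set())
        elif line in ("ipv4-family", "ipv6-family") and current_vpn:
            families[current_vpn].add(line.split("-")[0])
        elif m := re.fullmatch(r"ip binding vpn-instance (\S+)", line):
            bound.add(m.group(1))
        elif m := re.fullmatch(
                r"(?:ip|ipv6) route-static vpn-instance (\S+) (\S+) (\S+) \S+", line):
            try:
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                routes.append((m.group(1), net))
            except ValueError:
                problems.append(f"unparseable route destination: {line}")
        elif m := re.fullmatch(
                r"agile controller host (\S+) port (\d+) vpn-instance (\S+)", line):
            controller = (m.group(1), int(m.group(2)), m.group(3))

    if controller is None:
        return problems + ["no 'agile controller host' line with a VPN instance"]
    host, port, vpn = controller
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return problems + [f"controller host {host} is not an IP address"]
    if port != 10020:
        problems.append(f"controller port is {port}, the guide sets 10020")
    if vpn not in families:
        problems.append(f"VPN instance {vpn} is not created")
    elif f"ipv{addr.version}" not in families[vpn]:
        problems.append(f"VPN instance {vpn} has no ipv{addr.version}-family")
    if vpn not in bound:
        problems.append(f"no interface is bound to VPN instance {vpn}")
    if not any(v == vpn and addr in net for v, net in routes):
        problems.append(f"no static route in {vpn} covers controller {addr}")
    return problems


# Constructed sample: commands as typed for an IPv4 site, with a host route
# to the controller southbound address.
GOOD = """\
ip vpn-instance vpn1 //The vpn-instance name must be the same as that configured for ZTP.
 ipv4-family
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpn1
 ip address 10.1.1.2 255.255.255.0
ip route-static vpn-instance vpn1 192.168.10.10 32 10.1.1.1
agile controller host 192.168.10.10 port 10020 vpn-instance vpn1
"""
# Constructed faulty variant: wrong address family, route that misses the controller.
BAD = """\
ip vpn-instance vpn1
 ipv6-family
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpn1
 ip address 10.1.1.2 255.255.255.0
ip route-static vpn-instance vpn1 192.168.20.0 255.255.255.0 10.1.1.1
agile controller host 192.168.10.10 port 10020 vpn-instance vpn1
"""
# Constructed faulty variant: the controller line names a VPN instance used nowhere else.
MISMATCH = GOOD.replace("port 10020 vpn-instance vpn1", "port 10020 vpn-instance vpn_1")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD), ("MISMATCH", MISMATCH)):
        print(label, check_controller_path(cfg))
```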

Quick Deployment

Quick deployment can be implemented in two modes: simplified deployment and batch deployment. Simplified deployment applies to automatic deployment of a single site. Deployment personnel only need to power on and connect devices; services such as mutual access between enterprise branches and Internet access of enterprise branches are then automatically deployed. Batch deployment applies to a batch of sites. You can copy an existing site or import a site template for batch deployment.

Prerequisites

  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. To ensure successful deployment, you are advised to use a device with factory settings. If the device has other configurations, the deployment will fail.

Procedure (Simplified Deployment)

  1. Choose from the main menu and click the Quick Deployment tab.

  2. Click Go in the Simplified Deployment area. The Create Site page is displayed.

  3. Set site parameters in the upper part of the page.

    • Enter a site name and select whether to enable the RR function.
    • Set the site to a single-gateway site or dual-gateway site based on actual requirements.
    • Click Bind device to add devices to the site.

  4. Click . The RR, gateway, and device information of the site cannot be modified after the site is deployed.
  5. Configure ZTP for the site.

    1. Select the ZTP mode.
      • URL/U Disk: Select this mode if USB-based, email-based, or manual deployment is required.
      • DHCP Option: Select this mode if DHCP option-based deployment is required.
    2. Choose whether to enable Multiple sub-interfaces. After this function is enabled, multiple sub-interfaces can be configured on a device's physical interface. If this function is disabled, only one sub-interface can be configured.
    3. Choose whether to enable RDB-based deployment. By default, RDB-based deployment is disabled. This function cannot be disabled once it is enabled.

      After RDB-based deployment is enabled, the WAN link for URL-based deployment can be modified and deleted online. After the WAN link configuration is updated, the system delivers the updates to the target device. The device does not need to be deployed again.

      Determine whether to enable RDB-based deployment based on the deployment mode and device model. For details, see Table 2-118.

      Table 2-118 Mapping between device models and functions

      | Function/Device Model | AR600&6100&6200&6300&SRG series | AR1000V | AR5700&6700&8000 series |
      |---|---|---|---|
      | RDB-based deployment | This function is disabled in USB-based deployment and manual deployment scenarios and is optional in the email-based deployment scenario. | This function is disabled in manual deployment scenarios. | This function is enabled by default and is not displayed on the GUI. |

  6. Configure WAN links.

    • When Device Configuration is set to List:
      1. Use a WAN link template. Click Select Template, select a site template, and click OK.
      2. If the template does not meet requirements, you can create a WAN link as needed. In the device area, select the device added when creating the site and click Create.

        When an AR1000V is added, you need to configure a performance value for it. The corresponding license is deducted based on the forwarding capability of the AR1000V. The actual performance value of the AR1000V must be less than or equal to the configured Performance value on the controller. Otherwise, the AR1000V cannot go online.

      3. Set basic WAN link parameters as prompted, including Link name, Interface, Interface protocol, IP address access mode, IPv4 address, Subnet mask, IPv4 gateway, Southbound interface service, Uplink bandwidth, and Downlink bandwidth. If some parameters are not set, their default values take effect. For details, see Configuring ZTP.

      4. (Optional) Click on the right to modify WAN link parameters.

      5. If Dual gateways is selected, you need to configure an interlink (inter-CPE link) connecting the dual gateways.

      6. Click OK.
      7. The system automatically completes subsequent deployment configurations, including NTP and WAN-side routing, and displays the configuration results. Click View configurations and view the detailed parameter settings.
        • If Config default NTP is disabled on the WAN Global Configuration page, NTP cannot be automatically configured during simplified deployment. In this case, you can click View configurations to configure NTP. If Config default NTP is enabled on the WAN Global Configuration page, all sites use the default time zone specified on the WAN Global Configuration page.
        • During the simplified deployment process, connections to RRs cannot be configured automatically. You can click in the Connect to RRs area to select an RR to configure a connection with it as needed.
      8. Activate the site, in either Send Email or Download ZTP File mode.
      9. Devices are deployed successfully after they are connected and go online. You can click Site configuration details to view the detailed configurations of the site and devices.

    • When Device Configuration is set to Topology:

      The configuration process is the same as that in list mode. You can click in the topology to configure a link for the selected device.

Procedure (Batch Deployment)

  1. Choose from the main menu.
  2. Click Go in the Batch Deployment area on the right.

  3. Set the number of sites to be deployed in batches.
  4. Click next to Site Model. Select a site template or click the Site tab to select an existing site and click OK. Then the interface and link configuration of the selected site is copied.

  5. Set ZTP Mode to URL/U Disk or DHCP Option.

  6. Configure WAN links. If you have copied the configuration of an existing site, skip this step. Click the device icon in the topology to configure the interface and link information for the selected device.

    When an AR1000V is added, you need to configure a performance value for it. The corresponding license is deducted based on the forwarding capability of the AR1000V. The actual performance value of the AR1000V must be less than or equal to the configured Performance value on the controller. Otherwise, the AR1000V cannot go online.

  7. Click Save and then Next.
  8. In the Site List area, set information about a batch of sites. The site list is automatically generated based on the number of configured sites. You can select New device or Existing device in the Device column. In the WAN area, view the verification status of each WAN link.

  9. Click Start Task. The system automatically starts batch deployment.
  10. Check the deployment progress on the Batch Configuration Result page.

Follow-up Procedure

Simplified deployment provides configuration wizards of physical networks and virtual networks. By following the configuration wizards, you can perform subsequent configurations, and view or modify existing configurations.

  1. Click Site configuration details on the configuration result page of simplified deployment.

  2. Access the Configure Map page.

  3. On the site configuration page, you can view and modify ZTP, NTP, and RR connection configurations as needed.
  4. On the configuration page of each device, you can view and modify the underlay and overlay configurations of the device at the site.

  5. Alternatively, click a keyword in the navigation pane or enter a keyword in the search box to search for the configuration page of your desired function.

  6. Click Edit to modify the function configuration.

Parameter Description

Table 2-119 Parameters for simplified deployment and batch deployment

Parameter

Description

Basic information

Site Name

Name of the site to be deployed.

Enable RR

Site role. To create an edge site, toggle off this item. To create an edge-RR site, toggle on this item.

  • Edge site: An edge site is a WAN-side router. It establishes secure data channels with multiple remote edge sites.
  • RR site: An RR site is a virtual route reflector (RR). Under the guidance of iMaster NCE-Campus, an RR site distributes VPN route and tunnel information between CPEs on demand based on user-defined VPN topology policies. In this way, on-demand interconnection is implemented between CPEs at different sites.

Gateway

Gateway type. The options include Single gateway and Dual gateways. To create a dual-gateway site, you are advised to add two devices of the same model.

ZTP Mode

ZTP mode. The options include:

  • URL/U Disk: Select this mode for email- or USB-based deployment.
  • DHCP Option: Select this mode for DHCP option-based deployment.

Multiple sub-interfaces

Whether to enable multiple sub-interfaces.

Number of sites (The parameter is configurable only in batch deployment.)

Number of sites to be deployed in batches.

Device interface information

Interface

WAN link parameters to be planned vary according to the interface type selected in the site plan. This parameter specifies the type and number of the physical interface used by the current link. Similar to the link name, this parameter value cannot be modified. The interface can be a physical WAN interface or a virtual interface (that is, a loopback interface).

When iMaster NCE-Campus is deployed on the LAN side of a data center (DC), multiple physical interfaces and one virtual interface can be configured for the site. The physical interfaces are used for connecting iMaster NCE-Campus and the site, and the virtual interface is used to transmit traffic on the overlay network. The physical and virtual interfaces must belong to the same VN instance.

NOTICE:
  1. Ensure that the physical interfaces are Layer 3 interfaces. If an interface is not a Layer 3 interface, switch the interface to a Layer 3 interface. Otherwise, the configuration fails to be delivered.
  2. If a virtual interface is enabled, overlay tunnels cannot be set up for the links between physical interfaces.
  3. If a loopback interface is configured for a WAN link, the link and application bandwidth usage trends on the overlay network at a site and between sites are displayed as 0. This is because the uplink and downlink bandwidths of the loopback interface cannot be set.
  4. If an Eth-Trunk interface needs to be configured for a WAN link, create this Eth-Trunk interface in advance. For details, see Configuring a Physical Interface.

Transport network

Type of the transport network to which a WAN link belongs.

Uplink bandwidth

(The parameter needs to be set only for GE and Eth-Trunk interfaces.)

Maximum uplink and downlink rates of the interface. Set the two parameters based on the actual link bandwidth.

NOTE:

If traffic distribution or QoS of inbound traffic on the overlay network is not configured, the downlink bandwidth limit does not take effect.

Downlink bandwidth

(The parameter needs to be set only for GE and Eth-Trunk interfaces.)

Interface protocol

(The parameter needs to be set only for GE and Eth-Trunk interfaces.)

Interface protocol type of the physical link connecting the PE to the WAN.

When the interface type is set to GE, the following protocol types are supported:

  • IPoE
  • PPPoE

IP address access mode

Mode for assigning an IP address for the interface connecting the CPE to the WAN. The following options are supported:

  • Static: A static IP address is assigned. This mode is recommended for central sites and aggregation sites.
  • Dynamic: DHCP is used to dynamically allocate IP addresses. This mode is recommended for branch sites.

IPv4 address

IP address statically assigned to the interface connecting the CPE to the WAN. At a central or an aggregation site, this IP address must be the same as the public IP address. In the NAT scenario, for central, aggregation, RR or edge sites, this parameter must be set to the private IP address of the device corresponding to the public IP address.

Subnet mask

IPv6 address

Default gateway

IP address of the interface used by the PE on the WAN side to communicate with the current site.

Inter-CPE link (The parameters need to be set for a dual-gateway site.)

Use LAN-side L2 interface

Whether to use Layer 2 physical LAN interfaces on the interlink connecting the two gateways.

  • If there is no direct link between the two gateways, LAN-side links are used. iMaster NCE-Campus creates a logical link for each VPN to implement interconnection between the two gateways.
  • If direct links are available between the two gateways, LAN-side links do not need to be used.

VLAN ID

VLAN IDs for the interlinks between the two gateways. In the dual-gateway scenario, iMaster NCE-Campus creates a separate sub-interface for each VPN (that is, department) on the interfaces of the interlinks between the two gateways to isolate departments. The number of VLAN IDs must be the same as the number of departments. The start VLAN ID ranges from 1 to 4086 and the end VLAN ID ranges from 9 to 4094. The difference between the start and end VLAN IDs must be greater than or equal to 8 and less than or equal to 300. A maximum of 16 VLAN ranges can be set, and the total number of VLANs cannot exceed 301.

WAN link

Link name

Name of a WAN link. If a WAN link is created using the default site template, the link name is Internet or MPLS. If a WAN link is created using a customized site template, the link name is specified when the template is created. This setting cannot be modified after the WAN link configuration is completed.

Role

Link role.

  • Active: In normal cases, service traffic is transmitted through active links, over which overlay tunnels are set up. Keepalive packets are sent to detect connectivity of overlay tunnels. When there are multiple active links, you can enable the intelligent traffic steering function so that active links are selected to transmit service traffic and the others function as backup links. If the active links fail, service traffic is switched to a backup link, and can be switched back after the active links are recovered.
  • Standby: It is typically used as an escape link, which is an LTE or 5G link in most cases. When active links are functioning properly, tunnels are not set up over standby links and standby links do not participate in intelligent traffic steering. In addition, no data usage is charged on standby links. A standby link has the lowest priority. Overlay tunnels are set up over standby links for traffic forwarding only when all active links fail, and their connectivity is then detected through Keepalive packets. As soon as one active link recovers, traffic is switched back to the active link. At least one active link must be configured at a single-gateway site with multiple WAN links and at a dual-gateway site.

Alarm for standby links (This parameter can be configured only when Role is set to Standby.)

After this item is toggled on, when a tunnel is established over the standby link and traffic is switched to this tunnel for forwarding, an alarm indicating that the standby link is used is reported.

This item is toggled on by default.

NOTE:
  • This parameter is applicable only to devices running V300R022C00SPC100 and later versions.
  • AR5700&6700&8000 series do not support this parameter.

Sub-interface

Whether to use sub-interfaces. Currently, only dot1q sub-interfaces are supported.

Number (The parameter needs to be set only after the sub-interface function is enabled.)

Sub-interface number, which is used to identify a sub-interface. The value ranges from 1 to 4094.

VLAN ID (The parameter needs to be set only after the sub-interface function is enabled.)

VLAN ID of a sub-interface. The value ranges from 1 to 4094.

Port description

Interface description.

VN instance

VN instance name.

IPv4 Overlay tunnel

Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created over the WAN link.

NAT traversal

Whether to enable NAT traversal on the WAN. If a NAT device is deployed between the site on a private network and the WAN side, enable the NAT traversal function to set up overlay tunnels with other sites and RRs. NAT traversal does not need to be enabled for IPv6 WAN links.

After this function is enabled, external network users can access internal servers and internal network users can access the external network in the NAT scenario.

NOTE:

If NAT traversal is enabled, IPsec encryption must be enabled for transport networks in routing domains. For details about how to enable IPsec encryption, see Setting Global Parameters.

URL-based deployment

Whether to enable URL-based deployment for the current link.

  • If this function is enabled, the interface's IPv4 settings are loaded to the target device through URL-based deployment.
  • If this function is disabled, the interface's IPv4 settings are delivered to the target device through NETCONF.
NOTE:
  1. This parameter is configurable only when ZTP Mode is set to URL/U Disk. A device can have URL-based deployment enabled for a maximum of three links.
  2. For a single-gateway site that uses the URL-based deployment mode, enable URL-based deployment for at least one link.

Set as southbound device access address (This parameter needs to be set only when URL-based deployment is enabled.)

When configuring a WAN link, you need to set Southbound interface service. If Set as southbound device access address is toggled on, the primary IP address of the specified southbound access service is used as the onboarding IP address in the deployment email.

  • If WAN links are configured with the same southbound access service, you do not need to toggle on this parameter.
  • If WAN links are configured with different southbound access services, you need to toggle on Set as southbound device access address for one link.

Southbound interface service

IP address of an iMaster NCE-Campus southbound access service. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has customized and enabled other southbound access services, you can select customized access services for the WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

Link ID

ID of a WAN link.
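
Several limits in Table 2-119 (inter-CPE VLAN ranges, the Active link requirement, IPsec with NAT traversal, and the cap on URL-based deployment links) can be checked against a site plan before the site is activated. The following Python code is an added example, not part of iMaster NCE-Campus or this guide; the plan dictionary layout, its field names, and the ipsec_encryption flag (standing in for the global IPsec setting) are assumptions.

```python
# Added example: lint a planned site against Table 2-119 (hypothetical plan layout, not a product API).

def check_vlan_ranges(ranges):
    """Validate inter-CPE link VLAN ranges given as (start, end) tuples."""
    errors = []
    if len(ranges) > 16:
        errors.append("more than 16 VLAN ranges")
    for start, end in ranges:
        if not 1 <= start <= 4086:
            errors.append(f"{start}-{end}: start VLAN ID must be 1-4086")
        if not 9 <= end <= 4094:
            errors.append(f"{start}-{end}: end VLAN ID must be 9-4094")
        if not 8 <= end - start <= 300:
            errors.append(f"{start}-{end}: end minus start must be 8-300")
    # Sum of range sizes; assumes the planned ranges do not overlap.
    total = sum(end - start + 1 for start, end in ranges if end >= start)
    if total > 301:
        errors.append(f"{total} VLANs in total, maximum is 301")
    return errors

def check_site(site):
    """Return a list of violations for one planned site."""
    errors = []
    links = site["links"]
    dual = site["gateway"] == "Dual gateways"
    if dual:
        errors += check_vlan_ranges(site.get("interlink_vlans", []))
    # An Active link is required at dual-gateway sites and multi-link single-gateway sites.
    if (dual or len(links) > 1) and not any(k["role"] == "Active" for k in links):
        errors.append("no Active link configured")
    # ipsec_encryption stands in for the global IPsec setting (assumed field).
    if any(k.get("nat_traversal") for k in links) and not site.get("ipsec_encryption"):
        errors.append("NAT traversal enabled without IPsec encryption")
    url_links = [k for k in links if k.get("url_deployment")]
    if url_links and site["ztp_mode"] != "URL/U Disk":
        errors.append("URL-based deployment requires ZTP Mode URL/U Disk")
    for dev in {k["device"] for k in url_links}:
        count = sum(1 for k in url_links if k["device"] == dev)
        if count > 3:
            errors.append(f"{dev}: URL-based deployment on {count} links, maximum is 3")
    return errors

# Constructed sample plan: a single-gateway branch behind NAT with IPsec left off.
SAMPLE = {
    "gateway": "Single gateway", "ztp_mode": "URL/U Disk", "ipsec_encryption": False,
    "links": [{"device": "cpe1", "role": "Active", "nat_traversal": True, "url_deployment": True},
              {"device": "cpe1", "role": "Standby"}],
}
```

Calling check_site(SAMPLE) returns the single NAT traversal violation; an empty list means the plan passes these checks, not that the controller will accept every other parameter.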