CloudCampus Solution V100R022C00 Design and Deployment Guide for Multi-Campus Network Interconnection

Configuration Before Deployment

Introduction

NTP Clock Synchronization

When a CPE sends packets to register with and report performance data to iMaster NCE-Campus, the packets carry timestamps. If the time of the CPE is incorrect, many issues may occur. For example, the registration fails and the time of performance data is inconsistent with the actual time. To prevent these issues, NTP is configured on iMaster NCE-Campus to synchronize the time of devices at sites.

NTP can be configured independently for each site, following the clock hierarchy external clock > parent site > branch site.

On a network that requires high security, enable NTP authentication. A shared authentication key (password) is configured on both the client and the server, so that the client only synchronizes its clock with a server whose packets pass authentication. This prevents a rogue or spoofed NTP source from shifting device time and thereby breaking registration or skewing performance data.
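The authenticated exchange described above, as an added example that is not part of the original guide or of iMaster NCE-Campus: a Python model of RFC 5905 symmetric-key NTP authentication. The client appends a key ID and a keyed digest to its request, the server answers only authenticated requests and signs the reply with the same key, and the client accepts a reply only if the digest verifies under a key it trusts and the reply echoes the request's transmit timestamp (which rejects replayed or spoofed replies). The key table, the timestamps and the use of the MD5 keyed digest (the RFC 5905 default; deployments that support HMAC-SHA256 keys should prefer it) are assumptions for illustration.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                 # fixed NTPv4 header
MAC_LEN = 4 + 16                # key ID + MD5 digest (RFC 5905 symmetric-key authenticator)

# Constructed sample key table (key ID -> shared secret); not taken from the original page.
KEYS: Dict[int, bytes] = {1: b"example-shared-secret"}


def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_header(mode: int, transmit: float, origin: bytes = b"\x00" * 8, stratum: int = 0) -> bytes:
    """Build the 48-byte NTPv4 header: mode 3 = client request, mode 4 = server response."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode              # LI=0, VN=4, mode
    hdr = struct.pack("!BBbb", li_vn_mode, stratum, 0, 0)  # + poll, precision
    hdr += struct.pack("!III", 0, 0, 0)                  # root delay, root dispersion, reference ID
    hdr += b"\x00" * 8                                   # reference timestamp (offset 16)
    hdr += origin                                        # origin timestamp   (offset 24)
    hdr += b"\x00" * 8                                   # receive timestamp  (offset 32)
    hdr += ntp_timestamp(transmit)                       # transmit timestamp (offset 40)
    assert len(hdr) == HEADER_LEN
    return hdr


def sign(header: bytes, key_id: int, keys: Dict[int, bytes]) -> bytes:
    """Append the RFC 5905 authenticator: key ID followed by MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: Dict[int, bytes]) -> bool:
    """Accept only packets that carry a valid digest under a key the receiver trusts."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                                     # unauthenticated or malformed
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[48:52])[0]
    if key_id not in keys:
        return False                                     # unknown key ID
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, packet[52:])    # constant-time comparison


def server_reply(request: bytes, keys: Dict[int, bytes], now: float) -> Optional[bytes]:
    """Server side: authenticate the request, then reply with the same key, echoing its transmit time."""
    if not verify(request, keys):
        return None
    key_id = struct.unpack("!I", request[48:52])[0]
    origin = request[40:48]                              # client's transmit timestamp
    return sign(build_header(4, now, origin=origin, stratum=2), key_id, keys)


def client_accept(request: bytes, response: Optional[bytes], keys: Dict[int, bytes]) -> bool:
    """Client side: the reply must authenticate and must echo our transmit timestamp as its origin."""
    if response is None or not verify(response, keys):
        return False
    return hmac.compare_digest(response[24:32], request[40:48])


if __name__ == "__main__":
    req = sign(build_header(3, 1700000000.25), 1, KEYS)
    resp = server_reply(req, KEYS, 1700000000.30)
    print("authentic reply accepted:", client_accept(req, resp, KEYS))
    forged = resp[:40] + b"\xff" * 8 + resp[48:]         # attacker rewrites the transmit time
    print("tampered reply accepted:", client_accept(req, forged, KEYS))
```

A reply whose authenticator is missing, computed under a different key, or altered after signing is dropped, as is a valid reply replayed against a later request, because its origin timestamp no longer matches.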

Link

Escape Link

An escape link, which refers to the last available link, has the lowest priority. If both active and standby links fail, traffic is transmitted over the escape link, which enhances reliability. An escape link is selected according to WAN link roles and is typically an LTE or 5G link.

Roles of WAN links

The following two roles are defined for WAN links:

  1. Active link: In normal cases, service traffic is transmitted through active links, over which overlay tunnels are set up. Keepalive packets are sent over the overlay tunnels to detect their connectivity. When there are multiple active links, you can enable the intelligent traffic steering function so that active links are selected to transmit service traffic and the others function as backup links. If the active links fail, service traffic is switched to a backup link, and can be switched back after the active links are recovered.
  2. Standby link: It is typically used as an escape link, which is an LTE or 5G link in most cases. A standby link has the lowest priority. Only when all active links fail, overlay tunnels are set up over standby links for traffic forwarding, and their connectivity is detected through Keepalive packets. As long as one active link recovers, traffic is switched back to the active link. At least one active link must be configured at a single-gateway site with multiple WAN links and at a dual-gateway site.

5G Link

5G links can be configured as active or standby links. The differences are as follows:

1. When 5G links are configured as active links: As with wired links, overlay tunnels are set up over the 5G links, and the intelligent traffic steering function can distribute part of the traffic to them. Even if no intelligent traffic steering policy steers traffic onto the 5G links, data usage on them is still charged, because Keepalive packets are continuously sent to detect the connectivity of the overlay tunnels set up over them.

2. When 5G links are configured as standby links: Only when all active links fail, overlay tunnels are set up over 5G links. When active links are running properly, 5G links are idle and data usage is not charged.

NAT Traversal

When an SD-WAN network is built, CPEs at sites may sit on different private networks, with NAT devices on the WAN side translating private addresses into public addresses so that the sites can reach the public network. When BGP is used to exchange routing information between sites for setting up overlay tunnels, the tunnel endpoint information in the packets carries the CPEs' private addresses rather than their NAT-translated public addresses, so a peer cannot reach the advertised endpoint and tunnel setup fails. Session Traversal Utilities for NAT (STUN), also referred to as NAT traversal, provides a solution.

STUN uses the client/server model and consists of a STUN server and STUN clients. Figure 2-6 shows the typical STUN networking on an SD-WAN network.

Figure 2-6 Typical STUN networking
  • STUN client: An edge site functions as a STUN client. It sends STUN binding requests and receives STUN binding responses.
  • STUN server: A route reflector (RR) functions as the STUN server. It sends STUN binding responses and receives STUN binding requests.

After exchanging packets with the STUN server, a STUN client can detect a NAT device and determine the IP address and port number allocated by the NAT device. After a data channel is established between two STUN clients, an overlay tunnel can be established between the sites where the STUN clients are located.
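The STUN binding exchange described above, as an added example that is not part of the original guide or of the RR/CPE implementation: a Python model of the RFC 5389 Binding Request sent by the client (the edge CPE) and the Binding Success response returned by the server (the RR) carrying an XOR-MAPPED-ADDRESS attribute. The client checks the magic cookie and transaction ID, decodes the reflexive address and port, and compares them with its own WAN address to decide whether a NAT device sits in the path. The addresses, port numbers and transaction ID are constructed for illustration; the default STUN port 3478 is the one named on the page.

```python
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
STUN_PORT = 3478                       # default port checked by the STUN server (from the page)


def new_transaction_id() -> bytes:
    """96-bit random transaction ID that ties a response to its request."""
    return os.urandom(12)


def build_binding_request(txn_id: bytes) -> bytes:
    """Client (edge CPE) -> server (RR): Binding Request with no attributes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def build_binding_success(txn_id: bytes, public_ip: str, public_port: int) -> bytes:
    """Server (RR) -> client: Binding Success carrying the source address it saw after NAT."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)          # reserved, family IPv4, x-port, x-addr
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_binding_success(msg: bytes, expected_txn: bytes) -> Optional[Tuple[str, int]]:
    """Client side: validate the response and return the mapped (IP, port), or None if unusable."""
    if len(msg) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or msg[8:20] != expected_txn:
        return None                                              # wrong type, not STUN, or not our request
    if len(msg) != 20 + length:
        return None                                              # truncated or trailing garbage
    pos = 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            return None
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        pos += 4 + ((alen + 3) & ~3)                             # attributes are padded to 4 bytes
    return None


def nat_check(local: Tuple[str, int], response: bytes, txn_id: bytes) -> Optional[dict]:
    """Compare the reflexive address with the CPE's own WAN address: they differ when NAT is present."""
    mapped = parse_binding_success(response, txn_id)
    if mapped is None:
        return None
    return {"mapped": mapped, "nat_present": mapped != local}


if __name__ == "__main__":
    txn = new_transaction_id()
    request = build_binding_request(txn)
    # Constructed scenario: the CPE's WAN address is private; the NAT maps it to a public address.
    response = build_binding_success(txn, "203.0.113.7", 40001)
    print(nat_check(("10.1.1.2", STUN_PORT), response, txn))
```

The transaction-ID and length checks matter: a CPE must not adopt a mapped address from a response it did not solicit, which is why the server echoes the client's transaction ID unchanged.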

Site

Site Overview

Multiple sites are deployed to build an SD-WAN network. From the perspective of services, enterprise sites can be classified into branch sites, the headquarters (HQ) site, the data center (DC) site, and cloud-based IT infrastructure.

Category

Enterprises are distributed in different locations; therefore, sites can be classified into the following types:

  • Branch site: the infrastructure built by an enterprise in a branch
  • HQ site: the infrastructure built by an enterprise in the HQ
  • DC site: the infrastructure built by an enterprise in the DC
  • Cloud site: the infrastructure built by an enterprise on a public cloud

Based on whether the SD-WAN technology is used or not, sites can be classified into the following types:

  • SD-WAN site: SD-WAN sites refer to the sites deployed with the SD-WAN technology and interconnected on an SD-WAN network. They are managed and monitored in a unified manner by iMaster NCE-Campus.
  • Legacy site: legacy sites refer to existing sites not deployed using the SD-WAN technology. Legacy sites are interconnected through MPLS networks or private lines, and they also need to communicate with SD-WAN sites.

RR and Edge Sites

To exchange overlay routes between sites, CPEs at sites need to establish routing neighbor relationships. An enterprise typically has a large number of sites, so the number of neighbors each CPE would need cannot be predicted. To improve network scalability, Route Reflectors (RRs) are introduced.

An SD-WAN network has two types of sites: RR and edge sites.

  • RR site: A CPE at an RR site functions as an RR and distributes EVPN routes to CPE gateways at edge sites based on the VPN topology policy. An edge site can establish IBGP peer relationships with two RRs. The two RRs back up each other. Multiple RRs can be deployed under a tenant and are fully meshed on the control plane. That is, a control channel is set up between any two RRs for direct communication.
  • Edge site: A CPE at an edge site is used as the edge router on the WAN side. It sets up a control channel with an RR which controls route advertisement. Secure data channels are established between edge sites.

CPEs at RR and edge sites are managed by iMaster NCE-Campus. Control channels are established between RRs and between RRs and CPEs at edge sites. The RRs work under instructions of iMaster NCE-Campus and control the route sending and receiving of sites based on the overlay network topology model.

RR

Introduction to RR

As a part of the SD-WAN controller, an RR controls and advertises virtual private network (VPN) routes and topology information on the entire network. An RR works with iMaster NCE-Campus to distribute VPN routes and topology information between CPEs based on user-defined policies. This implements secure and on-demand interconnection between CPEs at different sites, such as on-demand provisioning of network topologies (hub-spoke, full-mesh, partial-mesh, and hierarchical networking). Tenant administrators need to associate an edge site with an RR site on iMaster NCE-Campus. After the configuration is complete, CPEs at the edge site go online and automatically register with the target RRs based on the orchestration of iMaster NCE-Campus. A public IP address needs to be assigned to each RR so that CPEs at edge sites can reach their associated RRs. After the registration is complete, CPEs at edge sites establish IBGP peer relationships with their associated RRs. The RRs then reflect routes between the CPEs so that the CPEs can learn routes from each other.

Tenants configure one or more pairs of RRs based on their service needs. Each pair or two pairs of RRs manage a service area. Each CPE at an edge site must establish BGP peer relationships with at least one pair of RRs to ensure the reliability on the control plane. RRs have different cluster IDs. They establish non-client full-mesh BGP peer relationships to synchronize routes with each other.

RR Deployment Mode

An RR supports two deployment modes: independent deployment and co-deployment.

  • Independent deployment: A CPE is independently deployed in the data center as an RR, without LAN-side service configurations.
    Figure 2-7 RR independent deployment
  • Co-deployment: A midsize or large edge site on the network is configured as an RR site. This site can have a single gateway or two gateways.
    Figure 2-8 Co-deployment of edge sites and RR sites

WAN Link Template

Multiple sites are deployed to build an SD-WAN network. To prevent repeated configuration of parameters for each site, configuration information, such as the number of gateways and WAN links, is abstracted into a WAN link template. If multiple sites have the same configurations, including the number of gateways, number and type of WAN links, WAN link interfaces, transport networks, and interconnection links between dual gateways, the same WAN link template can be used.

WAN Model

In the SD-WAN network design, two or more links are selected as egress links of a site to transmit key traffic over the preferred WAN link. After the preferred link is selected, other links are used to provide more bandwidth resources for non-key traffic. To ensure reliability, you can use the single-router design or dual-router redundancy design. A maximum of 10 WAN links can be configured for a single gateway, and a maximum of 20 WAN links can be configured for dual gateways. Table 2-15 provides single-gateway WAN models. Dual-gateway WAN models can be obtained based on the combination of single-gateway link types.

Table 2-15 WAN models (the Link Diagram column of the original table contains figures that are not reproduced here)

Single gateway:
  • One MPLS link
  • One Internet link
  • One MPLS link and one Internet link
  • One MPLS link and one LTE/5G link
  • Two Internet links
  • Two MPLS links
  • One MPLS link, one Internet link, and one LTE or 5G link

Dual gateways:
  • One MPLS link
  • One Internet link

Links for Interconnection Between Two Gateways

For a dual-gateway site, you need to configure links between the two gateways (CPEs). The two CPEs can be connected through a Layer 2 link or a Layer 3 link. By default, a Layer 3 link is used. You need to specify a VLAN ID for interconnection between the two CPEs. They communicate with each other through Layer 3 sub-interfaces if a Layer 3 link is used, and through VLANIF interfaces if a Layer 2 link is used.

  • Layer 3 link
    • Interconnection through a single link: An interconnection interface needs to be specified on each CPE.

    • Interconnection through dual links: Two interconnection interfaces need to be specified on each CPE. The system then automatically bundles the two interfaces into an Eth-Trunk interface.

  • Layer 2 link
    • Interconnection through Layer 2 direct links: Similar to the situations of Layer 3 links, if only one interconnection interface is specified on each CPE, the two CPEs are connected through a single link; if two interconnection interfaces are specified on each CPE, the system automatically bundles the two interfaces into an Eth-Trunk interface to form a dual-link connection.

    • Interconnection through a LAN-side Layer 2 link: If each CPE has a Layer 2 link connected to the same LAN switch and no independent link is planned for interconnection between the CPEs, you can configure a VLAN for communication between the CPEs, so that the two CPEs communicate with each other through the VLANIF interfaces of the specified VLAN and use the LAN-side Layer 2 link as the data forwarding channel between them. The data between CPEs and the data from the LAN side to the CPEs are isolated through VLANs, without affecting each other.

Configuration Procedure Before Deployment

Scenario 1: When multi-tenant IWG networking or RR sites deployed by an MSP need to be used, the MSP administrator creates RR sites and tenant administrators create edge sites. Both MSP and tenant administrators need to complete the ZTP configuration based on the network model.

Tasks performed by the MSP administrator (creating RR sites and completing the ZTP configuration based on the network model):

  1. Logging In to iMaster NCE-Campus as an MSP Administrator
  2. Setting Global Parameters
     Before creating a site, an MSP administrator needs to configure global parameters of the network, including:
       • Physical network: transport network, IPsec encryption, device activation security, link connectivity detection, and global traffic steering policy parameters.
       • Virtual network: routes, address pools, and DNS.
  3. Adding IWGs and RRs
  4. (Optional) Configuring the Device Access Capability
  5. Creating an RR Site
  6. (Optional) Creating an IWG Site
     An IWG needs to be configured only in the multi-tenant IWG networking scenario. The interworking gateway (IWG) functions as a centralized access site to enable communication between the SD-WAN network and a legacy MPLS VPN.
  7. (Optional) Configuring a WAN Link Template
  8. (Optional) Configuring an Email Template
  9. Configuring a Physical Interface
  10. Configuring the Network Access Mode for RR/IWG Sites
  11. Configuring NTP
  12. Associating an IWG Site with an RR Site
  13. Creating an RR/IWG Group
  14. Configuring the WAN
  15. General Configuration
  16. Configuring Interconnection Between SD-WAN and MPLS Networks
  17. Configuring Tenant Access
  18. Viewing RR Access Statistics
  19. Viewing Gateway Access Statistics
  20. Checking the Configuration Status of an RR/Gateway Site

Tasks performed by the tenant administrator (creating edge sites and completing the ZTP configuration based on the network model):

  21. Logging In to iMaster NCE-Campus as a Tenant Administrator and Selecting a Scenario View
  22. Setting Global Parameters
     Before creating a site, a tenant administrator needs to configure global parameters of the network, including:
       • Physical network: transport network, IPsec encryption, device activation security, link connectivity detection, and global traffic steering policy parameters.
       • Virtual network: routes, address pools, and DNS.
  23. Adding an AR Device
  24. Creating a Site
  25. (Optional) Configuring a WAN Link Template
     A WAN link template can be used for multiple sites with the same design and planning, which simplifies operations when sites are created in batches. A WAN link template specifies the WAN-side model and WAN-side links of a site.
  26. Configuring a Physical Interface
  27. Configuring ZTP
  28. Configuring NTP

Scenario 2: When RR sites deployed by a tenant are used, the tenant administrator creates edge sites and RR sites based on the site model, and completes the ZTP configuration for the edge sites and RR sites based on the planned network model.

  29. Logging In to iMaster NCE-Campus as a Tenant Administrator and Selecting a Scenario View
  30. Setting Global Parameters
  31. Adding an AR Device
  32. Creating a Site
  33. (Optional) Configuring a WAN Link Template
  34. Configuring a Physical Interface
  35. Configuring ZTP
  36. (Optional) Expanding a Single-Gateway Site to a Dual-Gateway Site
  37. Configuring NTP

Using an MSP RR Site

Configuration Before Deployment by MSPs

Logging In to iMaster NCE-Campus as an MSP Administrator

Context

An MSP administrator can use a web browser to log in to the iMaster NCE-Campus web UI to perform system management and maintenance operations. The following web browsers are supported:

  • Google Chrome 85 or later
  • Microsoft Edge 89 or later (64-bit)
Procedure
  1. Open a browser.
  2. Enter https://<iMaster NCE-Campus server IP address>:<port number> in the address box, and press Enter.

    • The IP address of the iMaster NCE-Campus server is the controller node IP address, which is specified during iMaster NCE-Campus installation.
    • The port number is 18008. The port number used for the login must be the same as that specified during the installation.

  3. Proceed past the security certificate warning to the login page.

    When you log in to iMaster NCE-Campus using a browser, the browser performs one-way (server) authentication of iMaster NCE-Campus based on the ER certificate. The Huawei ER certificate pre-configured during iMaster NCE-Campus installation is intended only for temporary communication during initial setup and is not for commercial use; this is why the browser warns about it. Apply for a new ER certificate and replace the pre-configured one before the system goes into production, so that browsers can verify the server identity rather than the warning being bypassed on every login. In addition, update the certificate periodically to prevent the security risks caused by certificate expiration. After the ER certificate is updated, the security certificate error message is no longer displayed.

    • Google Chrome: Choose Advanced > Proceed to ... (unsafe).

  4. Enter the default administrator name and password and click Login.
  5. (Optional) Upon the first login, change the password as prompted. Skip this step if it is not your first login.

    For security purposes, do not allow your browser to keep your passwords.

  6. (Optional) Perform two-factor authentication. If a mobile number has been set, click Obtain Verification Code and enter the received verification code. You can log in to iMaster NCE-Campus after the verification succeeds. This step is not required if username and password authentication is selected when the system administrator creates the MSP administrator.
  7. (Optional) Sign the privacy statement and user terms.

    If the system administrator selects the privacy statement and user terms when creating a root MSP administrator, the root MSP administrator needs to sign the privacy statement and user terms when logging in to iMaster NCE-Campus for the first time.

    If the root MSP administrator has signed the privacy statement, the sub-MSP administrators created by the root MSP administrator also need to sign the privacy statement and user terms when logging in to iMaster NCE-Campus for the first time.

    The login will fail if the administrator does not sign the privacy statement or user terms.

  8. (Optional) Set the device administrator password. This step is displayed only when you log in to iMaster NCE-Campus for the first time.

    After a device goes online at a new site, the administrator password of the device is automatically set to this password to ensure device security.

Setting Global Parameters

Context

You need to set global parameters for devices managed by the MSP, including routing domains, transport networks, routing, IP address pools, IPsec encryption, ports, device activation security, link failure detection, device administrator passwords, and statistics collection.

Procedure
  1. Choose Design > Site Design > Network Settings from the main menu.
  2. Set global parameters for a network where multiple tenants share an IWG.

    1. Configure a routing domain and determine whether to enable IPsec encryption for the routing domain.

      By default, iMaster NCE-Campus provides Internet and MPLS routing domains. The default routing domains cannot be deleted. If the default routing domains cannot meet your requirements, click Create to create a routing domain as needed.

    2. Configure a transport network to define the type of the network connecting MSP-managed and tenant-managed devices. By default, iMaster NCE-Campus provides the following transport networks: Internet, Internet1, MPLS, and MPLS1. The default transport networks cannot be deleted.

      If the default transport networks cannot meet your requirements, click Create to create a transport network as needed.

    3. Set BGP parameters. AS number is mandatory.

      When a tenant is associated with an MSP RR, the BGP AS number on an edge device must be the same as that configured by the MSP administrator.

    4. Configure an IP address pool.

      Select Simple mode or Advanced mode (both modes are described under IP Pool in Table 2-16).

      The IP address pool created by an MSP administrator is mainly used for configurations irrelevant to tenant services, and currently is mainly used to establish BGP peer relationship with RRs. The IP addresses in the IP address pool can be used as:

      • System IP addresses
      • IP addresses in public VPNs

      The number of IP addresses in the IP address pool depends on the number of IWGs, RRs, and tenant edge sites. It is recommended that eight IP addresses be planned for each site.

    5. (Optional) If packets forwarded by IPsec tunnels need to be encrypted, configure the IPsec tunnel encryption algorithm, lifetime, and IPsec SA generation mode.

      After the configuration is complete, all tunnels that are configured to encrypt packets use the same encryption mode.

      The IPsec encryption mode configured by an MSP administrator and a tenant administrator takes effect only on their respective transport networks.

    6. Configure ports as needed.

      After toggling on Custom Port Configuration, you can set DTLS Server Port and STUN Server Port and determine whether to toggle on Connection Source Port. If Connection Source Port is toggled on, you can set Scanning Start Port, Scanning Times, and Scanning Increment.

      • If the port checked by the DTLS server (that is, DTLS Server Port) has already been configured on devices, you need to delete the rdb files from the devices and restart them before modifying this port number; only then does the modification take effect on the devices. If a device has been deployed in RDB mode, after changing the DTLS service port you need to restore the device to its factory defaults and deploy it again.
      • After the DTLS service port is changed, the change does not take effect immediately on non-V600 devices at RR sites. As a result, services are interrupted.
      • When changing the port checked by the DTLS server on AR600&6100&6200&6300&SRG series, ensure that the port to be configured is not in use. You can run the following command in the diagnostic view on a device to check the current port checked by the DTLS server:
        display dtls server status
      • If you modify Connection Source Port settings, the modified settings take effect only at the sites to be activated subsequently and do not take effect at sites that have been activated.

    7. Configure email-based deployment if this function is required.

      In the Device Activation Security Settings area, toggle on Encryption and set URL encryption key and URL opening validity period.

    8. Set link failure detection parameters.

    9. Click OK.

  3. Click the Collection Configuration tab and set global parameters for statistics collection.

    Determine whether to toggle on WAN link Traffic. If this item is toggled on, traffic over all inter-site links is monitored in real time.

    Click OK.

Parameter Description
Table 2-16 Parameters on the Network Settings page

Parameter

Description

Routing Domain

Routing Domain

A routing domain defines whether routes between different transport networks are reachable. Transport networks in the same routing domain are reachable to each other.

WANs provided by different Internet service providers (ISPs) are usually constructed independently and cannot communicate with each other. Sometimes, the WANs provided by different ISPs can communicate with each other. In this case, the WANs belong to the same routing domain.

iMaster NCE-Campus provides the following routing domains by default:

  • MPLS: MPLS leased line, which carries normal services of users in wired mode.
  • Internet: public Internet, which carries normal services of users in wired mode.

If the default routing domains do not meet your requirements, you can configure routing domains as needed.

IPSec encryption

Whether to enable IPsec encryption in a routing domain:

  • Toggled off: IPsec encryption is disabled and the overlay tunnels carry unencrypted GRE traffic. In this case, permit IP protocol 47 (GRE) for all devices on the firewall.
  • Toggled on: IPsec encryption is enabled, using the algorithms and SA parameters set in IPSec Encryption Parameters.

Transport Network

Transport Network

Type of the transport network to which a WAN-side physical link belongs. It describes transport networks with the same link quality attribute. It is used to identify a type of networks provided by the same ISP. Each physical WAN link of a site belongs to a transport network.

Routing

Routing protocol

Routing protocol used by IWGs to establish BGP peer relationships with RRs.

AS number

Local AS number. It takes effect for RRs and IWGs added by the MSP administrator and also for the tenant edge devices that use MSP RRs.

When a tenant is associated with an MSP RR, the BGP AS number on an edge device must be the same as that configured by the MSP administrator.

Community pool

A community attribute pool is a resource management pool. Community attributes can be configured and allocated to services.

Currently, the community pool is mainly used in the following configurations: IBGP on the WAN, RR management, Internet access, mutual access, area management, and multi-tenancy IWG. When the current community attribute pools are insufficient, you can add new ones as needed. A maximum of 10 community attribute pools can be configured. After the configuration, the community attribute pools that have been used cannot be updated or deleted. Unused community attribute pools can be deleted.

IP Pool

The IP address pool created by an MSP administrator is mainly used for configurations irrelevant to tenant services, and currently is mainly used to establish BGP peer relationship with RRs. The IP addresses in the IP address pool can be used as:

  • System IP addresses
  • IP address of public VPNs

The number of IP addresses in the IP address pool depends on the number of IWGs, RRs, and tenant edge sites. Plan address pools based on the network scale. The number of required addresses increases with the number of sites. For details about the relationship between them, click Details.

You can select Simple mode or Advanced mode for an address pool. In simple mode, IP addresses are assigned from the same address pool. In advanced mode, IP addresses can be assigned by setting IP pool, Interworking Tunnel, or Interlink.

IPSec Encryption Parameters

Protocol

Security protocol. The default value is ESP.

Authentication algorithm

Authentication algorithm. The value can be SHA2-256 or SM3. The default value is SHA2-256.

Encryption algorithm

Encryption mode of a link. The AES-128, AES-256, and SM4 algorithms are supported. If the authentication algorithm is set to SM3, the encryption algorithm can only be set to SM4.

If the authentication algorithm is set to SHA2-256, you are advised to select the AES-256 encryption algorithm. This is because the key of AES-256 contains 256 bits, having a higher security level than AES-128.

Life time

Global IPsec SA lifetime.

A security association (SA) defines the security protocol, algorithms, and keys used for secure data transmission between IPsec peers. The lifetime bounds how long one SA, and therefore one set of keys, is used before it is renegotiated. A shorter lifetime limits the amount of traffic protected by any single key and the time an attacker has to recover it, at the cost of more frequent rekeying.

IPSec SA generation mode

Whether to configure the IPsec SA generation mode. By default, this item is toggled off.

DH Group

Diffie-Hellman (DH) public key algorithm. It is used to dynamically negotiate encryption keys between two sites to prevent traffic monitoring between tenants connected to the same RR in multi-tenant scenarios.

After IPSec SA generation mode is toggled on, you can select a DH group. Currently, DH Group can be set only to GROUP19 (256-bit ECP), GROUP20 (384-bit ECP), or GROUP21 (521-bit ECP). The DH group security levels are as follows: GROUP21 > GROUP20 > GROUP19.

Port Configuration

DTLS Server Port

Port number checked by the DTLS server.

CPEs and RRs set up control channels over DTLS connections for TNP information exchange. When an RR goes online, iMaster NCE-Campus delivers the command for configuring the port checked by the DTLS server to the RR. As such, the RR can set up control channels with CPEs.

By default, the port checked by the DTLS server is 55100. You can modify this setting as needed.

STUN Server Port

In most cases, an RR is configured as a STUN server and the CPE functioning as a branch gateway is configured as a STUN client. To detect whether a NAT device is deployed between the RRs and CPEs, you need to enable the STUN server function on the RRs and configure the IP address and UDP port number to be checked by the STUN server for STUN messages.

By default, the port checked by the STUN server is 3478. You can modify this setting as needed.

Connection Source Port

After this item is toggled on, you can specify the scanning start port, scanning times, and scanning increment for NAT detection, hole punching, and Keepalive (KA) packets.

Device Activation Security Settings

URL encryption key

Key for encrypting the URL in a deployment email. Email-based deployment will be successful only after you click the URL in the received email on your PC and enter this key.

URL opening validity period (day)

Validity period for a device to register its ESN with iMaster NCE-Campus. The timer starts once a deployment email is sent.

If you do not obtain the device ESN, you can add the device to iMaster NCE-Campus based on the device model. After a site is created and a deployment email is sent, the device checks whether the URL is valid. If so, the device registers its ESN with iMaster NCE-Campus.

Link Failure Detection Parameter Configuration

Detection packet sending interval

Interval at which an AR sends detection packets, in milliseconds. The default value is 1000 milliseconds.

Number of failed detections

Number of detection failures permitted before an AR automatically switches the link. The default value is 6. With the default interval, a link is therefore declared faulty about 6 seconds (6 x 1000 ms) after the last successful detection packet.

Priority of detection packets

Priority in the IP header of a detection packet. A numerically higher value indicates a higher priority.
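The link failure detection parameters above and the active/standby (escape) link roles described under Link, modelled together as an added example that is not part of the original guide or of the AR software: a Python simulation in which each active link is declared down once the configured number of consecutive detection failures is reached (interval x failures gives the failover time), traffic stays on any active link that is still up, the standby link is only brought up and probed when every active link is down (so it carries no Keepalive traffic while idle), and traffic switches back as soon as an active link recovers. The link names and the Keepalive timeline are constructed; the defaults of 1000 ms and 6 failures are the page's.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class WanLink:
    """One WAN link with its role and the link failure detection counters from the page."""
    name: str
    role: str                      # "active" or "standby" (the standby link is the escape link)
    interval_ms: int = 1000        # Detection packet sending interval (page default)
    max_failures: int = 6          # Number of failed detections before switching (page default)
    failures: int = 0              # consecutive failed detections
    up: bool = True
    probed: bool = False           # True while an overlay tunnel (and its Keepalive) exists on the link

    def observe(self, keepalive_ok: bool) -> None:
        """Count consecutive misses; declare the link down once max_failures is reached."""
        if keepalive_ok:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.up = False

    def failover_time_ms(self) -> int:
        """Worst-case time from the last good Keepalive to declaring the link down."""
        return self.interval_ms * self.max_failures


def select_forwarding_links(links: List[WanLink]) -> List[str]:
    """Traffic uses any active link that is up; only when all are down does it use the escape link."""
    active_up = [link.name for link in links if link.role == "active" and link.up]
    if active_up:
        return active_up
    return [link.name for link in links if link.role == "standby" and link.up]


def step(links: List[WanLink], keepalives: Dict[str, bool]) -> List[str]:
    """Apply one detection interval's Keepalive results and return the links carrying traffic.

    Active links are probed continuously. A standby link is probed (its tunnel set up) only while
    no active link is up; otherwise it sits idle with its counters cleared, so no data is charged.
    A link missing from `keepalives` is treated as having answered.
    """
    for link in links:
        if link.role == "active":
            link.probed = True
            link.observe(keepalives.get(link.name, True))
    any_active_up = any(link.role == "active" and link.up for link in links)
    for link in links:
        if link.role == "standby":
            if any_active_up:
                link.probed = False        # idle escape link: no tunnel, no Keepalive, no charge
                link.failures = 0
                link.up = True
            else:
                link.probed = True
                link.observe(keepalives.get(link.name, True))
    return select_forwarding_links(links)


def simulate(links: List[WanLink], timeline: List[Dict[str, bool]]) -> List[List[str]]:
    """Run a timeline of per-interval Keepalive results and record the selection after each one."""
    return [step(links, tick) for tick in timeline]


if __name__ == "__main__":
    site = [WanLink("mpls", "active"), WanLink("internet", "active"), WanLink("lte", "standby")]
    print("failover time per active link:", site[0].failover_time_ms(), "ms")
    # Constructed timeline: MPLS dies, then Internet dies (escape to LTE), then MPLS recovers.
    history = ([{"mpls": False}] * 6
               + [{"mpls": False, "internet": False}] * 6
               + [{"mpls": True, "internet": False}])
    for i, chosen in enumerate(simulate(site, history), start=1):
        print(f"interval {i:2d}: forwarding over {chosen}")
```

Note that five missed Keepalives leave the MPLS link in service; the sixth takes it out, which is exactly the window an attacker or a flapping carrier can exploit, so the detection interval and failure count should be chosen against the loss characteristics of the transport rather than left at defaults without thought.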

Adding IWGs and RRs

Context

MSP administrators can add interworking gateways (IWGs) and route reflectors (RRs) to iMaster NCE-Campus (with ESNs as unique identifiers) for unified management and O&M. You can add devices in either of the following modes:

  • Adding devices one by one: applies to scenarios where a few devices need to be added.
  • Adding devices in batches: applies to scenarios where a large number of devices need to be added.
A device can be added based on either of the following:
  • ESN: If you have obtained the ESN of the device to be added, you can add the device by ESN.
  • Device model: If you do not obtain the ESN of the device to be added, you can add the device by device model. This mode is used for pre-configuration in most cases. The selected device model must be the same as the actual device model.
Feature Requirements

You are advised to configure AR6300 or AR1000V devices as RRs or IWGs. Devices running V600 cannot be configured as RRs or IWGs. For details about the devices that can function as RRs or IWGs, see Device Specifications Website.

Procedure (Adding Devices One by One)
  1. Choose from the main menu.
  2. Click Add Device > Add.
  3. Select a mode for adding devices. Currently, you can add devices based on either of the following:

    • By ESN

      Set Mode to ESN.

    • By device model

      Set Mode to Device Model.

      • For an AR5700&6700&8000 series device, run the following command to check the device ESN:
        display device esn
      • For an AR600&6100&6200&6300&SRG series or AR1000V device, run the following command to check the device ESN:
        display esn

  4. On the right of Device information, click Add and set parameters of the devices to be added.

    The parameters to be set vary according to the mode of adding devices. Set parameters as prompted.
    • Adding devices by ESN

      Set device information, including the device ESN, and click OK.

    • Adding devices by device model

      Set Type to AR. Select the desired AR model from the Model drop-down list box. In the Quantity text box, enter the number of devices to be added. Select a device role. Click OK.

      When adding AR1000Vs running V300R020C10 and earlier versions, you need to set Performance to 0. The controller displays performance values of AR1000Vs running V300R020C10 and earlier versions as 0, of AR1000Vs running versions later than V300R020C10 as the configured values, and of other devices as --.

      • When adding an AR1000V, ensure that the actual performance value of the device is less than or equal to the configured Performance value on the controller. Otherwise, the AR1000V cannot go online.
      • To ensure network security, you are advised to enable deployment verification.
        • When deployment verification is enabled, the controller does not deliver configurations to devices after they go online. Deployment to be confirmed is displayed in the Administrative Status column on the device management page. To allow the controller to deliver configurations to online devices, select the corresponding devices on the device management page and click Confirm Deployment.
        • When deployment verification is disabled, the controller automatically delivers configurations to devices when they go online for the first time.

  5. Click OK.
Procedure (Adding Devices in Batches)
  1. Choose from the main menu.
  2. Click Add Device > Import in batches.
  3. Click Template above Upload file to download the device import template.
  4. Double-click the downloaded template BatchImportTemplate_en_lanwan.xls.
  5. Fill in device information and save the template. The parameters to be set vary according to the mode of adding devices. Set parameters as prompted.

    • Adding devices by ESN: Set ESN, Device Name, and Description.
    • Adding devices by device model: Set Device Name, Device Model, and Description.

  6. Click on the right of Upload file, select the saved Excel template, and click Start importing to upload the template.

  7. In the Import Result area, check the imported data, select the imported devices, and click OK.
Follow-up Procedure
Table 2-17 Follow-up procedure of device management

Function

Operation Scenario and Constraint

Procedure

Viewing devices

View detailed information about a site.

  1. Choose Design > Site Design > Device Management from the main menu.
  2. Select a site from the navigation pane to view devices at the site.
    • Click All Devices to view all devices.
    • Click Not in Any Sites to view all devices that have not been added to any sites.
    • Click All Sites to view all devices at all sites.
    • Click a site under All Sites to view all devices at the selected site.

Restoring a device to its deployment configurations

After a device is restored to its deployment configurations, only deployment-related configurations (interface and sub-interface configurations, including their IP addresses) are retained on the device and other configurations are deleted from the device.

You need to use this function in the following situations:

  1. After a site is deleted, the controller only deletes related configurations from the database and does not delete related configurations from devices at the site. In this case, you need to use this function to restore the devices at the deleted site to their deployment configurations.
  2. You need to re-deliver configurations to a device.
  1. Choose Design > Site Design > Device Management from the main menu.
  2. Select the device to be restored to its deployment configurations.
  3. Click More > Restore Deployment Configurations.

Modifying devices

Modify the name, ESN, or other information of a device.

NOTE:
  • Device names cannot contain Chinese characters. The controller cannot deliver device names with Chinese characters to CPEs.
  • If device names are used to uniquely identify devices, you are not allowed to modify device names.
  1. Choose Design > Site Design > Device Management from the main menu.
  2. Click in the Operation column in the row of the device to be modified.

Deleting devices

Delete unnecessary devices.

  1. Choose Design > Site Design > Device Management from the main menu.
  2. Click in the Operation column in the row of the device to be deleted.
Parameter Description
Table 2-18 Parameters for adding devices

Parameter

Description

Addition method

Method of adding a device.

Mode

Mode of adding a device. The following modes are supported:
  • ESN: If you have obtained the ESN of the device to be added, you can add the device by ESN.
  • Device model: If you have not obtained the ESN of the device to be added, you can add the device by device model. This mode is used for pre-configuration in most cases. The selected device model must be the same as the actual device model.

Device information

ESN

ESN of a device. It is the unique identifier of a device. You can obtain the device ESN from the factory configuration list of the device or from the display esn command output if the device version is V300R022C00. (To view the ESN of a device running V600R022C00, run the display device esn command.)

Name

Unique name of a device. It is recommended that the site name be included in the device name. If the value is left empty, the device name is the same as the ESN by default. A device name can contain a maximum of 64 characters.

Deployment Verification

  • If this function is enabled, you need to manually confirm deployment on the device management page after a device goes online for the first time. After that, the controller can deliver configurations to the device.
  • If this function is disabled, the controller automatically delivers configurations to devices after they go online for the first time.
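Before a batch of devices is pasted into the ESN-based import template (Procedure (Adding Devices in Batches), columns ESN, Device Name, Description), it is worth checking the rows against the constraints this section states: the ESN is the unique identifier, an empty name defaults to the ESN, a name holds at most 64 characters, names must be unique, and names containing Chinese characters cannot be delivered to CPEs. The following is an added example, not code from the guide or from Huawei, that performs those checks on constructed rows. The ESN values are placeholders, and the Unicode ranges used to approximate "Chinese characters" are an assumption, since the page does not document the controller's exact check.

```python
# Added example (not from the CloudCampus guide): validates rows intended for
# the ESN-based batch import template before they are uploaded.
import re

MAX_NAME_LEN = 64   # page: a device name can contain a maximum of 64 characters
# Assumption: CJK ideograph ranges approximate the page's "Chinese characters".
CJK_RE = re.compile(r"[\u3400-\u4dbf\u4e00-\u9fff\uf900-\ufaff]")


def validate_esn_rows(rows):
    """Check rows shaped like the ESN template (ESN, Device Name, Description).

    Returns (normalized_rows, errors). An empty Device Name is filled with the
    ESN, mirroring the controller default. errors is a list of
    (row_index, message) tuples; an empty list means the batch is clean.
    """
    normalized, errors = [], []
    seen_esn, seen_name = set(), set()
    for i, row in enumerate(rows):
        esn = (row.get("ESN") or "").strip()
        name = (row.get("Device Name") or "").strip() or esn
        if not esn:
            errors.append((i, "ESN is empty"))
        elif esn in seen_esn:
            errors.append((i, f"duplicate ESN {esn}"))
        seen_esn.add(esn)
        if len(name) > MAX_NAME_LEN:
            errors.append((i, f"device name longer than {MAX_NAME_LEN} characters"))
        if CJK_RE.search(name):
            errors.append((i, "device name contains Chinese characters"))
        if name in seen_name:
            errors.append((i, f"duplicate device name {name}"))
        seen_name.add(name)
        normalized.append({**row, "ESN": esn, "Device Name": name})
    return normalized, errors


# Constructed sample rows; the ESNs are placeholders, not real serial numbers.
SAMPLE_ROWS = [
    {"ESN": "ESN-PLACEHOLDER-0001", "Device Name": "RR_Beijing_01", "Description": "RR"},
    {"ESN": "ESN-PLACEHOLDER-0002", "Device Name": "", "Description": "name defaults to ESN"},
    {"ESN": "ESN-PLACEHOLDER-0003", "Device Name": "IWG_上海_01", "Description": "CJK in name"},
    {"ESN": "ESN-PLACEHOLDER-0001", "Device Name": "RR_Beijing_02", "Description": "duplicate ESN"},
    {"ESN": "ESN-PLACEHOLDER-0004", "Device Name": "X" * 65, "Description": "name too long"},
]

if __name__ == "__main__":
    rows, problems = validate_esn_rows(SAMPLE_ROWS)
    for idx, msg in problems:
        print(f"row {idx}: {msg}")
    print("clean rows:", len(rows) - len({i for i, _ in problems}))
```

Only rows that pass are copied into BatchImportTemplate_en_lanwan.xls; the controller performs its own checks on upload, but catching duplicates and non-deliverable names first avoids a partially imported batch.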

(Optional) Configuring the Device Access Capability

When devices are deployed as IWGs or RRs, the numbers of tenants/VNs and sites that they can access need to be pre-configured on iMaster NCE-Campus.

Context

Table 2-19 lists the IWG and RR access capabilities pre-configured on iMaster NCE-Campus.

Table 2-19 IWG and RR access capabilities pre-configured on iMaster NCE-Campus

Model     Device Role   Number of Tenants/VNs   Site Count
AR6300    RR            50                      1000
AR1000V   RR            50                      1000
AR6300    IWG           300                     200
AR1000V   IWG           300                     200

The third column of Table 2-19 indicates the number of tenants that an RR can access or the number of VNs (departments) that an IWG can access. In the IWG scenario, a tenant department requires two VRF instances.

The device access capability can be adjusted as needed.

Procedure
  1. Choose Design > Site Design > Device Capabilities and Statistics from the main menu and click the Device Capability tab.
  2. Click Create to configure the RR or IWG access capability.

    • Configuring the RR access capability

    • Configuring the IWG access capability

  3. Click OK.
Follow-up Procedure
Table 2-20 Follow-up procedure of device access capability configuration

Function

Operation Scenario and Restriction

Procedure

Viewing device capability configuration

View detailed information about a site.

On the Device Capability page, view devices and their access capability configurations.

Modifying device capability configuration

Modify the number of tenants and sites that a device can access.

Click in the Operation column on the Device Capability page.

Deleting device capability configuration

Delete unnecessary devices.

Click in the Operation column on the Device Capability page.

Parameter Description
Table 2-21 Parameters for configuring device capabilities

Parameter

Description

Device Model

Model of a device.

Type

Role attached to the device:

  • RR
  • IWG

Tenant Count/VN Count

  • If Type is set to RR, this parameter specifies the number of tenants that the RR can access. The maximum value is 50.
  • If Type is set to IWG, this parameter specifies the number of tenant departments that the IWG can access. The maximum value is 300.

Site Count

Number of sites that the device can access.

  • If Type is set to RR, this parameter specifies the number of sites that the RR can access. The maximum value is 1000.
  • If Type is set to IWG, this parameter specifies the number of sites that the IWG can access. The maximum value is 200.

Creating an RR Site

Context

An RR is an independent CPE. It distributes EVPN routes between CPEs based on VPN topology policies.

An RR must be a high-performance device model. You are advised to enable the RR function at the site with the highest device performance.

Prerequisites
  1. A device has been added. For details, see Adding IWGs and RRs.
  2. Global parameters have been set. For details, see Setting Global Parameters.
  3. If the device added to a site is not an AR6300 device, ensure that you have configured the device access capability. For details, see (Optional) Configuring the Device Access Capability.
Procedure
  1. Choose from the main menu.
  2. Click Create to create an RR site and configure basic RR information. Enter the RR site name, location, southbound IP server name, and other parameters as needed.

    An MSP administrator can select a southbound IP service created by the system administrator for Southbound IP service name and view available southbound IP services on the page.

  3. (Optional) Expand More and set Description, Responsible person, Email, Phone number, Postcode and Address for the site.

  4. In the Add Device area, configure a device that functions as an RR.

  5. Click OK.
Follow-up Procedure
Table 2-22 Follow-up procedure of creating a site

Function

Operation Scenario and Restriction

Procedure

Modifying a site

A site can be modified when it is not activated and cannot be modified after being activated.

  1. Click in the Operation column in the row of the site to be modified.
  2. Modify the site configuration.
  3. Click OK.

Deleting a site

A site cannot be deleted in any of the following situations:

  1. A site has sub-sites.
  2. A site is configured with a centralized Internet access policy.
  1. Click in the Operation column in the row of the site to be deleted.
  2. Click OK.
Parameter Description
Table 2-23 Parameters for configuring an RR site

Parameter

Description

Data Plan in Advance

Site Name

Name of a site. It is recommended that you name a site in the format of Site role_Geographical location.

Y

Location

Geographical location of the RR site.

Y

Southbound IP service name

Southbound IP service to be configured for the site. Select a southbound IP service that has been configured. In the IPv6 single-stack or IPv4/IPv6 dual-stack scenario, southbound IPv6 addresses are displayed on the Select Southbound IP Service Name page.

Y

More

Description

Site-related information.

Y

Responsible person

Responsible person of the site.

Y

Email

Email address to which a deployment email is to be sent. By default, this email address is automatically associated during email-based deployment.

Y

Phone number

Phone number of the responsible person.

-

Postcode

Postcode of the site.

-

Address

Geographic location of the site.

-

Add Device

Device Model

Model of an AR to be added to the site. Select the model of a device that has been added to the device list.

Y

ESN

ESN of the AR to be added to the site.

Y

(Optional) Creating an IWG Site

Context

iMaster NCE-Campus can use an IWG as a centralized access site to communicate with the legacy MPLS VPN network.

Prerequisites
  1. A device has been added. For details, see Adding IWGs and RRs.
  2. Global parameters have been set. For details, see Setting Global Parameters.
  3. If the device added to a site is not an AR6300 device, ensure that you have configured the device access capability. For details, see (Optional) Configuring the Device Access Capability.
Procedure
  1. Choose .
  2. Click Create to create a gateway site and configure basic gateway information. Enter the gateway site name, location, southbound IP address, and other information.

  3. (Optional) Expand More and set Description, Responsible person, Email, Phone number, Postcode and Address for the site.

  4. In the Add Device area, configure a device to function as a gateway.

  5. Click OK.
Follow-up Procedure
Table 2-24 Follow-up procedure of creating a site

Function

Operation Scenario and Restriction

Procedure

Modifying a site

A site can be modified when it is not activated and cannot be modified after being activated.

  1. Click in the Operation column in the row of the site to be modified.
  2. Modify the site configuration.
  3. Click OK.

Deleting a site

A site cannot be deleted in any of the following situations:

  1. A site has sub-sites.
  2. A site is configured with a centralized Internet access policy.
  1. Click in the Operation column in the row of the site to be deleted.
  2. Click OK.
Parameter Description
Table 2-25 Parameters for configuring a gateway site

Parameter

Description

Site Name

Name of a site. It is recommended that you name a site in the format of Site role_Geographical location.

Location

Geographical location of the IWG site.

Southbound IP

Southbound IP service to be configured for the site. Select a southbound IP service that has been configured. In the IPv6 single-stack or IPv4/IPv6 dual-stack scenario, southbound IPv6 addresses are displayed on the Select Southbound IP Service Name page.

More

Description

Site-related information.

Responsible person

Responsible person of the site.

Email

Email address to which a deployment email is to be sent. By default, this email address is automatically associated during email-based deployment.

Phone number

Phone number of the responsible person.

Postcode

Postcode of the site.

Address

Geographic location of the site.

Add Device

Device Model

Model of an AR to be added to the site. Select the model of a device that has been added to the device list.

ESN

ESN of the AR to be added to the site.

(Optional) Configuring a WAN Link Template

Context

To reduce repeated configurations when adding multiple sites with the same gateway type, the same number of WAN links, and the same transport networks, you can configure a link template to cover the configurations shared by these sites. By customizing a link template, you can modularize repeated configurations.

iMaster NCE-Campus provides default link templates, as listed in Table 2-26. If the default link templates can meet your requirements, you do not need to customize a template by yourself. Otherwise, you can create a link template as required.

WAN link templates are not required during cloud site deployment or deployment through the registration query center. In these scenarios, you can skip this section.

You are not allowed to modify or delete the default templates, and can only copy these templates.

Table 2-26 Default link templates

Single_gateway_mixed_links
  Template Description: Single gateway with an Internet link and an MPLS link
  WAN Link (Device, Port, Transport Network): Internet (Device1, GE0/0/0, Internet); MPLS (Device1, GE0/0/1, MPLS)
  Inter-CPE Link (Device, Port): -
  Topology: (figure not reproduced)

Single_gateway_mpls_link
  Template Description: Single gateway with an MPLS link
  WAN Link (Device, Port, Transport Network): MPLS (Device1, GE0/0/0, MPLS)
  Inter-CPE Link (Device, Port): -
  Topology: (figure not reproduced)

Single_gateway_internet_link
  Template Description: Single gateway with an Internet link
  WAN Link (Device, Port, Transport Network): Internet (Device1, GE0/0/0, Internet)
  Inter-CPE Link (Device, Port): -
  Topology: (figure not reproduced)

Single_gateway_dual_internet_links
  Template Description: Single gateway with dual Internet links
  WAN Link (Device, Port, Transport Network): Internet1 (Device1, GE0/0/0, Internet); Internet2 (Device1, GE0/0/1, Internet)
  Inter-CPE Link (Device, Port): -
  Topology: (figure not reproduced)

Dual_gateways_mixed_links
  Template Description: Dual gateways with an Internet link and an MPLS link respectively
  WAN Link (Device, Port, Transport Network): Internet (Device1, GE0/0/0, Internet); MPLS (Device2, GE0/0/0, MPLS)
  Inter-CPE Link (Device, Port): Device1: GE0/0/1, Device2: GE0/0/1
  Topology: (figure not reproduced)

Prerequisites

Global site parameters have been set. For details, see Setting Global Parameters.

Procedure
  1. Choose Provision > Physical Network > ZTP from the main menu. Click the WAN Link Template tab.
  2. Create a WAN link template. Click Create to access the page for creating a WAN link template.

    1. Set parameters for a WAN Link template.
      1. Set Template name.
      2. Set Gateway as needed.
      3. Determine whether to enable Multiple sub-interfaces. If this function is enabled, multiple sub-interfaces can be configured for a physical interface.
    2. Configure WAN links. In the WAN Link area, click Create to configure a WAN link. The following parameters need to be set in a WAN link template: Name, Device, Interface, Sub Interface, Overlay Tunnel, Transport Network, and Role.

      You can create multiple WAN links for each gateway. At most 256 sub-interfaces can be created for a single gateway, and at most 512 sub-interfaces can be created for dual gateways.

      Click Configuration in the Advanced parameters column to select a southbound access service and set its priority.

  3. If Gateway is set to Dual gateways, configure an interlink connecting the dual gateways. Otherwise, skip this step.

    1. If LAN-side Layer 2 physical interfaces are required on both ends of the interlink, set Use LAN-side L2 interface to .
      • Spanning Tree Protocol (STP) is enabled on CPEs by default. If dual gateways are connected through two interlinks with Layer 2 physical interfaces on both ends, these interfaces are added to the same VLAN. In this case, if a loop occurs, STP sets one physical interface to the Block state. At this time, if the blocked physical interface is used by LAN-side services, user traffic may be interrupted. Therefore, it is recommended that the physical interfaces used by an interlink between dual gateways be different from those used by user services on the LAN side.
      • If an interlink between dual gateways uses Layer 3 physical interfaces, you do not need to enable Use LAN-side L2 interface.
    2. Configure a VLAN ID. Interfaces on both ends of an interlink connecting dual gateways will be added to this VLAN.
    3. Click Create. Configure an interlink between dual gateways and set the physical interfaces on both ends of the interlink.

      At most two interlinks can be created between dual gateways.

  4. Click OK.
Follow-up Procedure
Table 2-27 Follow-up procedure of configuring a WAN link template

Function

Operation Scenario and Constraint

Procedure

Importing or exporting WAN link templates in batches

WAN link templates can be imported or exported using Excel files in batches.

Click Import or Export to configure WAN link templates in batches.

Modifying a WAN link template

The template name, gateway type, and WAN link information can be modified. The default templates provided by the system cannot be modified.

Click in the Operation column on the WAN Link Template page to modify a template.

Deleting a WAN link template

WAN link templates can be deleted. The default templates provided by the system cannot be deleted.

Click in the Operation column on the WAN Link Template page to delete a template.

Copying a WAN link template

You can quickly create a WAN link template by copying an existing template, which improves the configuration efficiency.

If you perform the following operations after copying a template, the copied template may fail to be applied to sites associated with the source template:

  • Modify Gateway.
  • Modify or delete settings in the WAN Link area.
  • Modify parameters in the Inter-CPE Link area.

Click in the Operation column on the WAN Link Template page to copy a template.

Parameter Description
Table 2-28 Parameters on the WAN Link Template page

Parameter

Description

Data Plan Required or Not

Template name

Name of a WAN link template.

Y

Gateway

Gateway type of the site where the link template is to be applied.

  • Single Gateway: Select this option for sites with light gateway service traffic and low reliability requirements.
  • Dual Gateways: Select this option for sites with high reliability requirements.

Y

Multiple sub-interfaces

Whether to enable the multiple sub-interfaces function on a device. If a device requires multiple sub-interfaces on a WAN link for WAN-side communication, you need to enable this function on the device. After this function is enabled, a maximum of 256 sub-interfaces can be created for a single gateway, and a maximum of 512 sub-interfaces can be created for dual gateways.

Y

WAN Link

Name

Name of a WAN link.

Y

Device

Name of the gateway at the site.

Y

Interface

Type and number of a physical interface used by the WAN link.

The following interface types are supported:

  • GE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
  • FE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
  • XGE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
  • LTE: 3G, 4G, and 5G interfaces
  • xDSL (ATM): ADSL interface, and G.SHDSL interface (working in ATM mode by default)
  • xDSL (PTM): VDSL interface (working in PTM mode by default)
  • E1-IMA (ATM): G.SHDSL interface (working in ATM mode by default), E1-IMA interface, and E1-IMA sub-interface
  • Ima-group: G.SHDSL interface (working in ATM mode by default), E1-IMA interface, and Ima-group sub-interface
  • Serial: Serial interface and FR sub-interface
  • Eth-Trunk interface
  • Loopback interface
    NOTE:
    1. Loopback interfaces can be used only as transport network ports (TNPs) and cannot be configured with any services.
    2. By default, the overlay tunnel function is enabled on virtual links with loopback interfaces at both ends and cannot be disabled.

Y

Sub Interface

Whether to enable the sub interface function on the device.

-

Overlay Tunnel

Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created on the WAN link.

Y

Sub Interface Index

Number of the sub interface.

The parameter is available only when Sub Interface is enabled.

-

Transport Network

Type of the transport network to which a WAN-side physical link belongs. It describes transport networks with the same link quality attribute. It is used to identify a type of networks provided by the same ISP. Each physical WAN link of a site belongs to a transport network.

If the available transport network types do not meet your requirements, create a transport network as needed on the WAN Global Configuration page.

Y

Role

Role of the link. You can set this parameter to active or standby. After active and standby links are configured, data travels only through the active link by default. If the active link fails, data moves to the standby link.

For a single-gateway site with multiple WAN links, specify each WAN link as active or standby. At least one active link must be configured. A maximum of one standby link (usually, an LTE or 5G link) can be used as the escape link and has the lowest priority. If all active links fail, traffic is forwarded through the escape link.

For a dual-gateway site, all WAN links are active by default. In addition, a single-gateway site must have at least one active link.

Y

Advanced parameters

Click Configuration and set Controller Southbound interface service and Southbound access priority in the displayed dialog box.

During the controller installation, an iMaster NCE-Campus southbound IP address is configured so that CPEs can communicate with iMaster NCE-Campus using this IP address. If iMaster NCE-Campus and some sites are on a private network while other sites are on a public network, two southbound IP addresses need to be configured so that sites on different networks can access iMaster NCE-Campus. As shown in the following figure, iMaster NCE-Campus and site 1 are on a private network, and site 2 is on a public network. iMaster NCE-Campus can access the public network only through the NAT device, and site 2 has access only to a public IP address after NAT. Therefore, two southbound IP addresses need to be configured during the installation: one is a private IP address, the other is a public IP address after NAT. When configuring a WAN link for site 1, specify the private IP address as the southbound IP address of iMaster NCE-Campus. When configuring a WAN link for site 2, specify the public IP address after NAT as the southbound IP address of iMaster NCE-Campus.

In addition to the default southbound IP address provided by the system, you can also use a southbound access service configured by the system administrator to specify the southbound IP address used by CPEs to communicate with the controller.

Y

Controller Southbound interface service

The southbound access services that have been configured during controller installation planning are used as default options for this parameter. If the system administrator has enabled a customized southbound access service, you can select this customized service in the WAN link template. Tenant administrators can view all available southbound access services on the page. The system administrators can create southbound access services as needed on the page.

Y

Southbound access priority

Priority of a controller southbound access service. This parameter is configurable after Southbound interface service is set.

  • The priority can be High, Medium, or Low. The default value is Low.
  • For AR5700&6700&8000 series devices, the priority takes effect only for performance channels and is supported in V600R022C00 and later versions.
    NOTE:

    If a device has multiple WAN links, you can configure Southbound access priority for each WAN link. After the device starts, it can select a WAN link based on the priority to register with iMaster NCE-Campus.

    Assume that a device has both Internet and LTE links, and needs to use the Internet link as the active link and the LTE link as the backup link. When configuring ZTP, you can set Southbound access priority of the Internet link to High and that of the LTE link to Medium or Low. As such, the device preferentially selects the Internet link when it attempts to register with iMaster NCE-Campus, and automatically switches to the LTE link for registration if the Internet link is faulty.

Y

Inter-CPE Link (required only when Gateway is set to Dual Gateways)

Use LAN-side L2 interface

Whether to use Layer 2 physical LAN interfaces on the interlinks between two gateways.

  • If no direct link is configured between two gateways, LAN-side links need to be used for communication between dual gateways.
  • If direct links are configured between two gateways, LAN-side links do not need to be used.

Y

VLAN ID

VLAN ID used by interlinks for communication between two gateways and used for VPN communication. The number of VLAN IDs must be greater than that of VPNs. In the dual-gateway scenario, iMaster NCE-Campus configures a VLAN for each VPN on interlink interfaces between two gateways. This implements VPN isolation. The start VLAN ID must be in the range from 1 to 4086 and the end VLAN ID must be in the range from 9 to 4094. The difference between the start and end VLAN IDs must be greater than or equal to 8 and less than or equal to 300. A maximum of 16 VLAN ranges can be configured, and the total number of VLANs cannot exceed 301.

-
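The VLAN ID rules above are easy to get wrong when planning the inter-CPE VLAN pool by hand. The following is an added example, not code from the guide or from Huawei, that checks a planned list of (start, end) ranges against the constraints this row states: start in 1 to 4086, end in 9 to 4094, end minus start between 8 and 300, at most 16 ranges, at most 301 VLANs in total, and more VLAN IDs than VPNs. The check that ranges do not overlap is an assumption added here, since each VPN needs its own VLAN on the interlink; the sample ranges are constructed.

```python
# Added example (not from the CloudCampus guide): validates the VLAN ID ranges
# planned for the inter-CPE link of a dual-gateway WAN link template.

START_MIN, START_MAX = 1, 4086      # page: start VLAN ID range
END_MIN, END_MAX = 9, 4094          # page: end VLAN ID range
SPAN_MIN, SPAN_MAX = 8, 300         # page: end - start bounds
MAX_RANGES = 16                     # page: at most 16 VLAN ranges
MAX_TOTAL_VLANS = 301               # page: total VLANs cannot exceed 301


def validate_vlan_ranges(ranges, vpn_count=0):
    """Return (total_vlans, errors) for a list of (start, end) tuples.

    vpn_count, when given, is the number of VPNs the interlink must isolate;
    the page requires more VLAN IDs than VPNs. errors is empty when the plan
    satisfies every constraint.
    """
    errors = []
    if len(ranges) > MAX_RANGES:
        errors.append(f"{len(ranges)} ranges configured, maximum is {MAX_RANGES}")
    total = 0
    for i, (start, end) in enumerate(ranges):
        if not START_MIN <= start <= START_MAX:
            errors.append(f"range {i}: start {start} not in {START_MIN}..{START_MAX}")
        if not END_MIN <= end <= END_MAX:
            errors.append(f"range {i}: end {end} not in {END_MIN}..{END_MAX}")
        span = end - start
        if not SPAN_MIN <= span <= SPAN_MAX:
            errors.append(f"range {i}: end - start is {span}, must be {SPAN_MIN}..{SPAN_MAX}")
        total += end - start + 1
    # Assumption (not stated on the page): ranges must not overlap, because each
    # VPN is mapped to its own VLAN on the interlink interfaces.
    ordered = sorted(ranges)
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            errors.append(f"ranges {s1}-{e1} and {s2}-{e2} overlap")
    if total > MAX_TOTAL_VLANS:
        errors.append(f"{total} VLANs in total, maximum is {MAX_TOTAL_VLANS}")
    if vpn_count and total <= vpn_count:
        errors.append(f"{total} VLAN IDs for {vpn_count} VPNs; need more VLAN IDs than VPNs")
    return total, errors


# Constructed sample plan: two non-overlapping ranges for a site with 30 VPNs.
SAMPLE_PLAN = [(100, 120), (200, 220)]

if __name__ == "__main__":
    total, problems = validate_vlan_ranges(SAMPLE_PLAN, vpn_count=30)
    print("total VLAN IDs:", total)
    for msg in problems:
        print("problem:", msg)
```

Run the check on the planned ranges before entering them in the VLAN ID field; a plan that passes here still has to match the VLANs actually permitted on the LAN switch when Use LAN-side L2 interface is enabled.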

Device1 Interface

Physical interfaces used by interlinks between two gateways. If two interlinks are required, the types of the two interlink interfaces on the same device must be the same. The types of the interfaces on both ends of an interlink must be the same. The interface type varies according to whether a direct link exists between two gateways:

  • If a direct link exists between two gateways (that is, Use LAN-side L2 interface is disabled), use Layer 3 interfaces at both ends of an interlink. If only one interlink is required, Layer 3 sub-interfaces need to be created for the interfaces directly connecting the two gateways and be used as interlink interfaces. If multiple interlinks are required, iMaster NCE-Campus automatically configures the interfaces of these links as an Eth-Trunk sub-interface on each end to ensure link reliability.
  • If no direct link is configured between two gateways (that is, Use LAN-side L2 interface is enabled), use Layer 2 interfaces at both ends of an interlink. If each of the two gateways directly connects to the same LAN switch using a Layer 2 link, a VLAN ID needs to be specified so that the gateways can communicate with each other through the corresponding VLANIF interfaces.

-

Device2 Interface

-

(Optional) Configuring an Email Template

Context

In the email-based deployment scenario, deployment emails need to be configured for multiple CPEs, with the same subject and body format. To reduce repeated operations, you can configure an email template. When configuring email-based deployment parameters for each device, you can reference the email template. Then parameters are set automatically.

iMaster NCE-Campus provides a default email template ZTP email template. If the default email template can meet the requirements or the email-based deployment scenario is not involved, you can skip this section. Otherwise, you need to configure an email template as needed.

Procedure
  1. Choose Provision > Physical Network > ZTP from the main menu.
  2. Click the Email Template tab.
  3. Click Create to create an email template.

    In normal cases, you only need to set the email template name, subject, and content. You can modify other parameters as needed.

  4. Click OK.

Configuring a Physical Interface

Prerequisites
  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. IWGs and RRs have been added. For details, see Adding IWGs and RRs.
Procedure (Configuring a Physical Interface)
  1. Choose Provision > Physical Network > Physical Interface from the main menu.
  2. Click the Physical Interface tab.
  3. Select a device name from the device list on the left and click Create.
  4. On the Create Interface page, configure an interface as needed. The parameters to be set vary according to the interface type.

  5. Click OK.
Procedure (Configuring an Eth-Trunk Interface)
  • When creating an Eth-Trunk interface on a V600 device, you can select only Layer 3 interfaces as physical member interfaces.
  • The AR631I-LTE4EA and AR631I-LTE4CN do not support Eth-Trunk interfaces.
  1. Choose Provision > Physical Network > Physical Interface from the main menu.
  2. Click the Eth-Trunk tab.
  3. Select a device name from the device list on the left and click Create.
  4. Configure an Eth-Trunk interface as needed.

  5. Click OK.
Parameter Description
Table 2-29 Parameters for configuring a physical interface

Parameter

Description

Device

Device name.

Interface type

Type of the LAN or WAN interface to be configured. The value can be L3 or L2. You can set Interface type to L3 or L2 only for GE, FE, and XGE interfaces. Other interfaces are L3 interfaces by default.

Interface

Type and number of the physical interface. Similar to the device name, the values cannot be modified.

Interface bandwidth (for AR1000Vs only)

Bandwidth of a physical interface. The value ranges from 1 to 1000000, in Mbit/s.

APN (This parameter needs to be set only when Interface is set to LTE.)

Multi-Access Point Name (APN) function of an LTE cellular interface used to implement data and VoIP communication.

PVC (VPI/VCI) (configurable only when Interface is set to xDSL (ATM))

PVC with specified VPI or VCI values.

Negotiation mode (This parameter needs to be set only when Interface is set to GE, FE, or XGE.)

Interfaces on both ends of a link must use the same negotiation mode. If an interface working in auto-negotiation mode frequently alternates between Up and Down, disable auto-negotiation and set the same rate and duplex mode on interfaces at both ends of a link.

Working mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Whether an interface works as an optical or electrical interface. Only combo interfaces support both Copper and Fiber modes. You can select either of the two modes for combo interfaces based on networking requirements. For interfaces of other types, set this parameter based on the working mode supported by the interfaces.

NOTE:

If an interface cannot work as an optical interface but its working mode is set to the optical mode, the configuration fails to take effect after being delivered to the CPE where the interface is located.

Duplex mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interfaces on both ends of a link must have the same duplex mode.

For optical interfaces, the duplex mode is fixed at the full duplex mode. For electrical interfaces, you can select the full-duplex or half-duplex mode according to the actual situation.

Speed (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface rate. Interfaces on both ends of a link must have the same rate.

Optical Module Type (This parameter needs to be set only when Interface is set to XGE.)

Set this parameter based on the transmission rate requirements. GE and 10GE types are available. A GE optical module transmits traffic at a rate of 1000 Mbit/s, and a 10GE optical module transmits traffic at a rate of 10000 Mbit/s. If 10GE is selected, the negotiation mode cannot be configured. The optical modules on the interfaces at both ends of a link must be of the same type.

STP enable (configurable only when Interface type is set to L2)

Whether to enable STP on the interface.

Table 2-30 Parameters for configuring an Eth-Trunk interface

Parameter

Description

Device

Site gateway on which an Eth-Trunk interface is created.

Eth-Trunk ID

ID of an Eth-Trunk interface. In the dual-gateway scenario, if the two gateways are connected through two Layer 3 physical links, the system automatically creates the Eth-Trunk 0 interface on each of the two gateways. In this case, you cannot create an Eth-Trunk interface with the ID of 0.

NOTE:

The value range of the Eth-Trunk ID varies depending on the AR model:

  • AR120 and AR160 series: 1 - 3
  • AR1200 series, AR2201-48FE, AR2204-27GE, AR2204-27GE-P, AR2204-51GE-P, AR2204-51GE, AR2204-51GE-R, AR2204E, AR2204E-D and AR2202-48FE: 1 - 7
  • AR2204, AR2220E, AR1610-X6, AR651-X8, AR651W-X4: 1 - 14
  • AR2220, AR2240C, AR2240, AR6140-16G4XG, AR3200 series, AR3600 series: 1 - 63
  • AR6300 series and AR6280 series: 1 - 31
  • AR6120 series, AR651, AR651C, AR651W, AR657, AR657W, AR651U-A4 and AR651F-Lite: 1 - 7
  • SRG1300: 1 - 7

Eth-Trunk type

Whether the Eth-Trunk interface works in Layer 2 or Layer 3 mode.

Physical interface

Member interface of the Eth-Trunk interface. A maximum of eight member interfaces can be added.

NOTE:
  • The physical member interfaces of an Eth-Trunk interface must be of the same type. For example, an Eth-Trunk cannot contain both GE and XGE member interfaces.
  • For devices running V300, only physical interfaces of the same type as Eth-Trunk type can be configured as member interfaces. For example, if Eth-Trunk type is L2, only L2 physical interfaces can be configured as member interfaces.
  • For devices running V600, only L3 physical interfaces can be configured as member interfaces. That is, no matter whether Eth-Trunk type is L2 or L3, the Eth-Trunk member interfaces can only be L3 interfaces.
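The Eth-Trunk constraints above (ID range per model, the automatically created Eth-Trunk 0, the eight-member limit, members of one type, and the V300/V600 member-type rules) applied as a pre-check before creating the interface, as an added example that is not iMaster NCE-Campus code. The PhysIf type, validate_eth_trunk function and longest-prefix matching of model names are my own assumptions, and the ID table contains only the names as printed in the note, so real model strings within a series have to be added before use.

```python
"""Pre-check for a planned Eth-Trunk interface against the constraints in
Table 2-30 (added example; not iMaster NCE-Campus code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Eth-Trunk ID ranges from the note under Table 2-30, keyed by the series or
# model name as written there and matched by longest prefix (simplification:
# individual models within a series, e.g. AR1220, are not expanded here).
ETH_TRUNK_ID_RANGE: Dict[str, Tuple[int, int]] = {
    "AR120": (1, 3), "AR160": (1, 3),
    "AR1200": (1, 7), "AR2201-48FE": (1, 7), "AR2202-48FE": (1, 7),
    "AR2204-27GE": (1, 7), "AR2204-51GE": (1, 7), "AR2204E": (1, 7),
    "AR2204": (1, 14), "AR2220E": (1, 14), "AR1610-X6": (1, 14),
    "AR651-X8": (1, 14), "AR651W-X4": (1, 14),
    "AR2220": (1, 63), "AR2240": (1, 63), "AR6140-16G4XG": (1, 63),
    "AR3200": (1, 63), "AR3600": (1, 63),
    "AR6300": (1, 31), "AR6280": (1, 31),
    "AR6120": (1, 7), "AR651": (1, 7), "AR657": (1, 7), "SRG1300": (1, 7),
}
NO_ETH_TRUNK = {"AR631I-LTE4EA", "AR631I-LTE4CN"}  # no Eth-Trunk support
MAX_MEMBERS = 8


@dataclass
class PhysIf:
    """A physical member interface (hypothetical type for this example)."""
    name: str    # e.g. "GE0/0/1", "XGE0/0/0"
    layer: str   # Interface type set on the physical interface: "L2" or "L3"


def id_range_for(model: str) -> Optional[Tuple[int, int]]:
    """Longest-prefix lookup so 'AR2204-27GE-P' hits AR2204-27GE, not AR2204."""
    for key in sorted(ETH_TRUNK_ID_RANGE, key=len, reverse=True):
        if model.startswith(key):
            return ETH_TRUNK_ID_RANGE[key]
    return None


def media_type(if_name: str) -> str:
    """'GE', 'FE' or 'XGE' from an interface name such as 'GE0/0/1'."""
    m = re.match(r"^([A-Za-z]+)\d", if_name)
    if not m:
        raise ValueError(f"unrecognised interface name: {if_name}")
    return m.group(1).upper()


def validate_eth_trunk(model: str, version: str, trunk_id: int, trunk_type: str,
                       members: List[PhysIf], dual_gateway_l3: bool = False) -> List[str]:
    """Return the constraint violations for one planned Eth-Trunk (empty = OK).

    version         - device software line, "V300" or "V600"
    dual_gateway_l3 - True when the two gateways are linked by two Layer 3
                      physical links, in which case Eth-Trunk 0 is auto-created
    """
    if model in NO_ETH_TRUNK:
        return [f"{model} does not support Eth-Trunk interfaces"]
    errors: List[str] = []
    rng = id_range_for(model)
    if rng is None:
        errors.append(f"no Eth-Trunk ID range known for {model}")
    elif not rng[0] <= trunk_id <= rng[1]:
        errors.append(f"Eth-Trunk ID {trunk_id} is outside {rng[0]}..{rng[1]} for {model}")
    if dual_gateway_l3 and trunk_id == 0:
        errors.append("Eth-Trunk 0 is created automatically in this scenario")
    if trunk_type not in ("L2", "L3"):
        errors.append(f"Eth-Trunk type must be L2 or L3, got {trunk_type}")
    if len(members) > MAX_MEMBERS:
        errors.append(f"{len(members)} members exceeds the maximum of {MAX_MEMBERS}")
    # All members must be of one physical type (no GE and XGE mixed).
    media = {media_type(m.name) for m in members}
    if len(media) > 1:
        errors.append(f"member interfaces must be of one type, got {sorted(media)}")
    for m in members:
        if version == "V300" and m.layer != trunk_type:
            errors.append(f"{m.name} is {m.layer} but the Eth-Trunk type is {trunk_type} (V300)")
        elif version == "V600" and m.layer != "L3":
            errors.append(f"{m.name} must be an L3 interface on a V600 device")
    return errors


if __name__ == "__main__":
    # Constructed sample: an L2 Eth-Trunk on a V600 AR6300 with two L3 members.
    plan = [PhysIf("GE0/0/1", "L3"), PhysIf("GE0/0/2", "L3")]
    for line in validate_eth_trunk("AR6300", "V600", 5, "L2", plan) or ["OK"]:
        print(line)
```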

Configuring the Network Access Mode for RR/IWG Sites

Context

Before site deployment, you need to configure WAN-side physical links. MSP administrators can perform only email-based, USB-based, and manual deployment.

Prerequisites

RR and IWG sites have been created. For details, see Creating an RR Site and (Optional) Creating an IWG Site.

Procedure
  1. Choose from the main menu.
  2. Click the ZTP tab. The WAN link configuration page is displayed.
  3. Select an RR or IWG site for which the network access mode needs to be configured.

    1. Select Unconfigured in the site list.
    2. Click the site to be configured.

  4. Determine the deployment mode based on the deployment scenario and device model. For details, see Table 2-31.

    Table 2-31 Deployment modes supported by different device models

    Deployment Mode / Device Model    AR6300       AR1000V
    Email-based deployment            Supported    Not supported
    USB-based deployment              Supported    Not supported
    Manual deployment                 Supported    Supported

  5. Configure a WAN link for the RR/IWG site.

    1. Click the WAN Link tab.
    2. Click Create.
    3. In the Set WAN Link dialog box, set WAN link parameters.

      Pay attention to the following points when configuring interfaces:

      • WAN link interfaces must be different from LAN interfaces used for user services. Otherwise, the deployment fails.
      • To configure an LTE interface for a WAN link, configure an LTE sub-interface.
      • The supported deployment modes vary according to the interface type.

    4. Click OK.

  6. Click OK. The WAN link is configured.
Follow-up Procedure

After site configuration is completed, Table 2-32 describes the possible site states, and Table 2-33 describes the follow-up operations available after a site is activated.

Table 2-32 Site Status

Configuration Status

Description

RR/IWG configuration status

  • : not configured
  • : configured

Specifies whether a WAN link has been configured for the RR/IWG site.

RR/IWG activation status

  • : not activated
  • : activated

Specifies whether a deployment email has been sent to the gateway of the RR/IWG site.

Table 2-33 Follow-up procedures after a site is activated

Function

Operation Scenario and Constraint

Procedure

Adding a WAN link

After a site is activated, you can add WAN links to the site.

  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site for which you want to add a WAN link. The WAN link configuration page is then displayed.
  2. Click Create and set WAN link parameters.
  3. Click OK.

Deleting a WAN link

After a site is activated, you can delete WAN links of the site as needed.

  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site from which you want to delete a WAN link. The WAN link configuration page is then displayed.
  2. Select the link to be deleted and click Delete. In the displayed Warning dialog box, click OK.

Modifying a WAN link

You can modify WAN links of activated sites, for example, changing the IP address of a WAN link interface. Changing the interface IP address of a link used for deployment on a device will disconnect the device for a period of time.

  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site where a WAN link needs to be modified. The WAN link configuration page is then displayed.
  2. Select the link to be modified and click in the Operation column. In the Set WAN Link dialog box that is displayed, modify the parameters that are not dimmed. For example, you can modify the IP address of the WAN link interface.

Clearing WAN configurations

After clearing WAN configurations of a site, you can delete this site and restore devices at this site to the undeployed state. This function is not applicable to a site connected to an RR, added to a VN, or configured with a policy.

  1. Choose from the main menu.
  2. Select a site that has been configured and click Clear WAN Configurations. After the site's WAN configurations are cleared, you can delete the site or deploy it again.

Sending an email

You can configure the controller to send a deployment email to deployment personnel to implement email-based deployment. After ZTP is configured on iMaster NCE-Campus, iMaster NCE-Campus automatically generates a deployment email or ZTP file. The URL in the email or ZTP file carries deployment information.

  1. Choose from the main menu.
  2. Select a site that has been configured and click Send Email. The deployment personnel can then click the URL in the email for deployment.

Downloading a ZTP file

You can download ZTP files to implement email- or USB-based deployment.

Choose from the main menu.
  • Select a site that has been configured and click Download ZTP File. The deployment personnel can click the URL in the downloaded ZTP file to perform email-based deployment.
  • Select a site that has been configured, click Download ZTP File, and enable USB-based Deployment. The deployment personnel can then download USB-based deployment files for USB-based deployment.
Parameter Description
Table 2-34 ZTP parameters

Parameter

Description

Data Plan in Advance

Link name

Link name of a WAN interface at the current MSP site. The WAN link name in the site template is used when a site template is used to create a site. This parameter cannot be modified after being configured.

Y

Transport network

WAN-side network to be accessed. The transport networks you have configured in the global configuration are used as options for this parameter. You can select either Internet or MPLS. This parameter cannot be modified after being configured.

Y

Interface

Gateway interface to which the WAN link connects. This parameter cannot be modified after being configured.

The following interface types are supported:
  • GE/FE/XGE: including Ethernet interfaces and Ethernet sub-interfaces
  • xDSL(ATM): including ADSL interfaces, G.SHDSL interfaces (working in ATM mode by default), and their sub-interfaces
  • xDSL(PTM): including VDSL interfaces (working in PTM mode by default) and their sub-interfaces
  • LTE: including 3G/4G/5G interfaces and their sub-interfaces
NOTICE:

Ensure that the interface is a Layer 3 interface. If the interface is not a Layer 3 interface, log in to the device and switch the interface to a Layer 3 interface. Otherwise, the configuration fails to be delivered.

Y

Sub-interface (This parameter is configurable only when Interface is set to GE, FE, XGE, LTE, xDSL(ATM), or xDSL(PTM).)

Whether to use sub-interfaces.

  • Set Dot1q VLAN sub-interfaces when Interface is set to GE, FE, XGE, xDSL (ATM), or xDSL (PTM).
  • When Interface is set to LTE, you need to set Number.

In addition to the access protocol parameters that need to be set for interfaces, you also need to plan the following parameters:

  • Ethernet sub-interface: Select a sub-interface depending on whether a VLAN needs to be terminated on a sub-interface.
    • Sub-interface number: You need to plan a number for a sub-interface. The sub-interface number is used as the name of the sub-interface. For example, if the sub-interface number is set to 10 for WAN interface GE0/0/0, sub-interface GE0/0/0.10 is created on the CPE.
    • Dot1q VLAN: You need to plan the VLAN ID of the sub-interface. If this parameter is specified, a Dot1q sub-interface that terminates (removes the tag of) the specified VLAN is created on the parent interface. The VLAN ID on the local end must be the same as that configured on the peer end.
  • LTE link sub-interface
    • Sub-interface number: You need to plan a number for a sub-interface. A maximum of two sub-interfaces can be created. One LTE link is divided into two logical links for dialup to access the LTE network. The CPE at the site needs to support dialup through two channels on the LTE interface.
  • ATM sub-interface
    • Sub-interface number: You need to plan a number for a sub-interface.
  • Public IP address

    Public IP address used by an edge site to access an RR site.

  • Interface uplink and downlink capacity

    The uplink and downlink bandwidths of an interface need to be configured based on the actual requirements. The unit is Mbit/s. If the configured bandwidths are too small, packet loss occurs when the outgoing traffic exceeds the configured values, interrupting services.

  • Link ID

    You can plan a unique ID for each link in an SD-WAN network. This helps you query link information by ID during maintenance.

Y

VLAN ID (This parameter is configurable only when Sub-interface is enabled.)

VLAN ID of a sub-interface.

NOTE:

The system automatically generates sub-interface names on devices. The name is in the format parent interface name.sub-interface number, where the sub-interface number is automatically generated by the system; it is not parent interface name.VLAN ID set for the sub-interface.

-

VN instance

VN instance name. It specifies the name of the VN instance on the underlay network to which the interface is to be added. The value is a character string starting with underlay_, for example, underlay_1.

Y

IPv4 Overlay tunnel

Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created on the WAN link.

-

APN (This parameter needs to be set only when Interface is set to LTE.)

Multi-Access Point Name (APN) function of an LTE cellular interface used to implement data and VoIP communication.

-

PVC(VPI/VCI) (This parameter needs to be set only when Interface is set to xDSL(ATM).)

PVC with specified VPI or VCI values.

-

Interface protocol (This parameter needs to be set only when Interface is set to GE, FE, XGE, xDSL(PTM), xDSL(ATM), or Eth-Trunk.)

Interface protocol used by the physical link between the CPE and WAN. WAN link parameters to be planned vary according to the interface type specified in the site plan.

GE, FE, XGE, and xDSL (PTM) interfaces support the following protocols:

  • IPoE
  • PPPoE

xDSL (ATM) interfaces support the following protocols:

  • IPoA
  • IPoEoA
  • PPPoA
  • PPPoEoA

Eth-Trunk interfaces support the following protocol:

  • IPoE

Y

IP address access mode (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA.)

Mode for assigning an IP address for the interface connecting the CPE to the WAN. The following options are supported:

  • Static: You need to configure a static IP address for the interface.
  • DHCP: DHCP is used to dynamically allocate IP addresses.

-

IP address (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.)

IP address statically assigned to the interface connecting the CPE to the WAN. In the NAT scenario, for RR or edge sites, this parameter must be set to the private IP address of the device corresponding to the public IP address.

-

Subnet mask (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static.)

-

Gateway (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static.)

IP address of the interface used by the PE on the WAN side to communicate with the current site.

-

Mapping peer IP (This parameter needs to be set only when Interface is set to xDSL(ATM) and Interface protocol is set to IPoA.)

Peer IP address mapped to the PVC.

Different ATM interfaces or sub-interfaces on a device cannot be configured with the same mapped IP address. Otherwise, traffic forwarding fails.

-

User name (This parameter needs to be set only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

User name and password allocated by the carrier to connect to the WAN.

-

Password (This parameter needs to be set only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

-

Negotiation mode

You need to pay attention to the negotiation mode only for Ethernet interfaces. Interfaces on both ends of a link must use the same negotiation mode. If an interface working in auto-negotiation mode frequently alternates between Up and Down, disable auto-negotiation and set the same rate and duplex mode on interfaces at both ends of a link.

  • Auto-negotiation: The interface rate and duplex mode are determined through negotiation with the peer interface.
  • Manual: In non-auto-negotiation mode, you need to adjust the following configurations according to the actual interface status:
    • Interface working mode: An interface can be configured to work as an electrical or optical interface.
    • Duplex mode: An interface can work in either full-duplex or half-duplex mode.
    • Rate: An interface can work at a rate of 10, 100, or 1000, in Mbit/s.

Y

Working mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Whether an interface works as an optical or electrical interface. Only combo interfaces support both optical and electrical interface modes. You can select either of the two modes for combo interfaces based on networking requirements. For interfaces of other types, set this parameter based on the working mode supported by the interfaces.

NOTE:

If an interface cannot work as an optical interface but its working mode is set to the optical mode, the configuration fails to take effect after being delivered to the CPE where the interface is located.

-

Duplex mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interfaces on both ends of a link must have the same duplex mode.

For optical interfaces, the duplex mode is fixed at the full duplex mode. For electrical interfaces, you can select the full-duplex or half-duplex mode according to the actual situation.

-

Speed (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface rate. Interfaces on both ends of a link must have the same rate.

-

Optical Module Type (This parameter needs to be set only when Interface is set to XGE.)

Set this parameter based on the transmission rate requirements. GE and 10GE types are available. A GE optical module transmits traffic at a rate of 1000 Mbit/s, and a 10GE optical module transmits traffic at a rate of 10000 Mbit/s. If 10GE is selected, the negotiation mode cannot be configured. The optical modules on the interfaces at both ends of a link must be of the same type.

-

Public IP (This parameter needs to be set only when Interface is set to GE, FE, or XGE.)

IP address used by the CPE to connect to the WAN. In the EVPN tunnel mode, this parameter needs to be set only at RR sites.

The public IP address is an externally accessible IP address on the current link. An edge site can register with an RR site through this address. In a carrier network scenario, this parameter is allocated by the carrier in a unified manner. In enterprise network scenarios, an enterprise administrator selects one public IP address from the network segment assigned by the carrier.

In NAT scenarios, this parameter must be set to a public IP address that is mapped to external networks.

-

NAT traversal

Whether to enable NAT traversal. This parameter needs to be configured only for links at IWG sites.

After this function is enabled, external network users can access internal servers and internal network users can access the external network in the NAT scenario.

-

Uplink bandwidth

Maximum uplink and downlink rates. Set the parameters based on the actual link bandwidth.

-

Downlink bandwidth

-

URL-based deployment

Whether to enable URL-based deployment for the current link.

  • If this function is enabled, the interface parameter settings are loaded to the device through URL-based deployment.
  • If this function is disabled, interface parameter settings are delivered to devices through NETCONF.

By default, URL-based deployment is enabled for all links configured for the first time at the current site, and is disabled for links added later.

-

Set as southbound device access address (This parameter needs to be set only when URL-based deployment is enabled.)

Whether to use the primary IP address of the controller southbound access service specified for the link as the controller southbound IP address to be delivered in deployment emails for the device to register with the controller. If the southbound access services configured for links on a single device are different, you can toggle on Set as southbound device access address for only one link. In this way, the device can register with the controller by using the primary cluster's IP address of the controller southbound access service configured only for the link enabled with Set as southbound device access address.

-

Southbound interface service

Southbound access service. By default, the southbound IP address used during controller installation is used. If the system administrator has customized and enabled other southbound access services, you can select customized access services for the WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

-

Link ID

ID of a WAN link.

-

Configuring NTP

Context

When an AR router reports performance data, it carries timestamps in packets. If the time of the AR router is inconsistent with that of the controller, the time in performance data is inconsistent with the actual time. As a result, the site traffic and quality data cannot be displayed. Therefore, you need to configure NTP on iMaster NCE-Campus to ensure that the system time of devices at sites is consistent with that of iMaster NCE-Campus.

You are advised to configure an RR site as a client to synchronize its clock with an NTP server on the public network. In addition, configure the RR site as the NTP server, so that edge sites synchronize their clocks with the RR site.

Procedure
  1. Choose Provision > Physical Network > ZTP from the main menu.
  2. Select an RR or IWG site for which you need to configure time synchronization.
  3. Click the NTP tab.
  4. Select the time zone where devices at the RR or IWG site are located from the Time zone drop-down list box.
  5. Decide whether to enable the daylight saving time (DST) of the time zone. Select a configuration mode if DST is enabled.
  6. When an RR site functions as an NTP server, set NTP server parameters, including NTP authentication.
  7. When an RR or IWG site functions as an NTP client, set NTP client parameters, including NTP client mode.
  8. Click OK. The NTP configuration is completed.
Parameter Description
Table 2-35 Parameters for configuring NTP

Parameter

Description

Time zone

Time zone of devices at a site.

DST

Whether to enable DST of the time zone.

Configure mode (configurable when DST is enabled)

The options include Auto and Manual. When Manual is selected, manually set Name, Offset, Time type, Start time, and End time.

Configurations of a site when it functions as an NTP server

NTP authentication

Whether to enable a site as an NTP server and enable NTP authentication. On a network that requires high security, NTP authentication needs to be enabled. During authentication, the authentication password and authentication ID configured on the client are matched with those on the server. If they are the same, the authentication succeeds. You can configure password authentication between the NTP client and NTP server, so that the NTP client only synchronizes with authenticated servers, improving network security.

By default, the system uses the HMAC-SHA256 encryption algorithm because it is more secure.

Authentication password

Password used for NTP authentication.

Authentication key ID

Key ID used for NTP authentication. When a site functions as both the NTP client and server, the authentication key ID for the NTP server and that for the NTP client must be different.

Configurations of a site when it functions as an NTP client

NTP client mode

Mode in which a site functions as an NTP client:

  • Manual Configuration: A site functions as an NTP client and the NTP server needs to be manually specified. In EVPN tunnel mode, configure an RR site as an NTP client which synchronizes its clock with the NTP server on the public network.
  • Synchronize with the RR Site: A site functions as an NTP client and its parent site functions as the NTP server. By default, this mode is used. Retain the default setting for edge sites in EVPN tunnel mode.
  • Disabled: A site does not function as an NTP client and does not perform clock synchronization.

NTP client (These parameters are configurable only when NTP client mode is set to Manual Configuration.)

Device

CPE that functions as an NTP client.

Server Network

Network where the NTP server is located. Set this parameter based on the actual situation. By default, Underlay is selected.

WAN Link(VN Instance)

WAN-side link connecting the site to the NTP server.

NTP Server Type

Type of the NTP server. The value can be IPv4.

NTP Server IP Address

NTP server address.

Preferential NTP Server

Whether the NTP server is specified as the preferred server. If multiple NTP servers are specified as preferred servers, the system randomly selects a preferred NTP server.

Authentication

Whether to enable authentication. If NTP authentication is enabled on the NTP server, the authentication function must also be enabled on the NTP client. Otherwise, clock synchronization cannot be performed.

Authentication Mode

Authentication mode, which can be MD5 or HMAC-SHA256. The authentication mode selected here must be the same as that enabled on the NTP server. HMAC-SHA256 is recommended, because it is more secure than MD5.

Authentication Password

Password used for NTP authentication.

The rules for verifying the authentication password are as follows:

For AR600&6100&6200&6300&SRG series and AR1000V devices, the authentication password can contain 6 to 255 characters and must contain at least two types of the following characters: special characters ("`!@#$%^&()_+=-[]{},.;), uppercase letters (A to Z), lowercase letters (a to z), and digits (0 to 9).

Authentication Key ID

Key ID used for NTP authentication. This authentication ID is irrelevant to the NTP server. The authentication ID configured for an NTP client must be different from that for the NTP server.

The rules for verifying the authentication ID are as follows:

For AR600&6100&6200&6300&SRG series and AR1000V devices, if NTP Server Type is set to IPv4, the value must be in the range from 1 to 4294967295.
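A pre-deployment check of the NTP authentication parameters in Table 2-35, as an added example rather than controller code; the NtpAuth type and check_site function are my own, and the only rules applied are those stated on this page (password length and character types, the IPv4 key ID range, HMAC-SHA256 preferred over MD5, different server and client key IDs on one site, and a client whose authentication and mode match its server). Comparing the client's key ID with the upstream server's is deliberately left out, because the page states the client's key ID is independent of the server.

```python
"""Pre-deployment validation of NTP authentication settings (added example,
constructed from the parameter rules on this page; not iMaster NCE-Campus code)."""
from dataclasses import dataclass
from typing import List, Optional

# Special characters from the password rule for AR600/6100/6200/6300/SRG and AR1000V.
SPECIAL_CHARS = set('"`!@#$%^&()_+=-[]{},.;')
KEY_ID_MIN, KEY_ID_MAX = 1, 4294967295   # range when NTP Server Type is IPv4
RECOMMENDED_MODE = "HMAC-SHA256"         # MD5 is accepted but weaker


@dataclass
class NtpAuth:
    """Authentication settings of one NTP role (server or client). Hypothetical type."""
    mode: str       # "MD5" or "HMAC-SHA256"
    password: str
    key_id: int


def password_errors(password: str) -> List[str]:
    """Rule: 6 to 255 characters and at least two of the four character types."""
    errors = []
    if not 6 <= len(password) <= 255:
        errors.append(f"password length {len(password)} is outside 6..255")
    types_present = sum([
        any(c in SPECIAL_CHARS for c in password),
        any(c.isascii() and c.isupper() for c in password),
        any(c.isascii() and c.islower() for c in password),
        any(c.isascii() and c.isdigit() for c in password),
    ])
    if types_present < 2:
        errors.append("password must contain at least two character types")
    return errors


def key_id_errors(key_id: int) -> List[str]:
    """Rule: authentication key ID in 1..4294967295 for an IPv4 NTP server."""
    if not KEY_ID_MIN <= key_id <= KEY_ID_MAX:
        return [f"key ID {key_id} is outside {KEY_ID_MIN}..{KEY_ID_MAX}"]
    return []


def check_site(server: Optional[NtpAuth], client: Optional[NtpAuth],
               upstream: Optional[NtpAuth]) -> List[str]:
    """Return all findings for one site (empty list means the plan is consistent).

    server   - settings when the site acts as an NTP server (None otherwise)
    client   - settings when the site is an NTP client with Authentication on
               (None when the client role is disabled or unauthenticated)
    upstream - authentication settings of the server the client syncs with
               (None when that server does not authenticate)
    """
    findings: List[str] = []
    for role, auth in (("server", server), ("client", client)):
        if auth is None:
            continue
        findings += [f"{role}: {e}" for e in password_errors(auth.password)]
        findings += [f"{role}: {e}" for e in key_id_errors(auth.key_id)]
        if auth.mode != RECOMMENDED_MODE:
            findings.append(f"{role}: {auth.mode} is weaker than {RECOMMENDED_MODE}")
    # A site that is both client and server must use two different key IDs.
    if server is not None and client is not None and server.key_id == client.key_id:
        findings.append("server and client authentication key IDs must differ")
    # Authentication on the server requires authentication on the client,
    # with the same mode and password, or clock synchronization fails.
    if upstream is not None:
        if client is None:
            findings.append("upstream server authenticates but client authentication is off")
        else:
            if client.mode != upstream.mode:
                findings.append(f"client mode {client.mode} differs from server mode {upstream.mode}")
            if client.password != upstream.password:
                findings.append("client password does not match the upstream server")
    return findings


if __name__ == "__main__":
    # Constructed sample: an RR site serving edge sites and syncing with a public server.
    rr_server = NtpAuth("HMAC-SHA256", "Rr-site#2024", key_id=10)
    rr_client = NtpAuth("HMAC-SHA256", "Ntp.public!9", key_id=20)
    public = NtpAuth("HMAC-SHA256", "Ntp.public!9", key_id=77)
    for line in check_site(rr_server, rr_client, public) or ["OK"]:
        print(line)
```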

Associating an IWG Site with an RR Site

Context

In EVPN tunnel mode, an IWG site needs to be associated with an RR site. By default, all RRs in an RR group are connected in full-mesh mode. It is recommended that RR sites be deployed in different geographical areas.

When associating an IWG site with an RR site, adhere to the following rules:

An IWG site can be associated with a maximum of four RR sites. If an IWG site is associated with four RR sites, it is recommended that one RR site be in the same physical area as the IWG site to ensure low latency and the other three RR sites be in different physical areas to ensure service reliability. Generally, it is recommended that each IWG site be associated with two RR sites to ensure high availability of the RR sites. If an IWG site is associated with too many RR sites, too many resources such as BGP peers and routes at the RR sites will be consumed. If an IWG site needs to be associated with more than two RR sites, evaluate whether resources at the RR sites are sufficient.

The number of CPEs to which an RR can connect varies according to the RR device model. Therefore, associate IWG sites with RR sites based on RR capabilities.

Table 2-36 RR access capabilities of some device models

Device Model          Number of CPEs That Can Connect to an RR
AR6280+SRU-400H       1000
AR6280+SRU-600H       1000
AR6300+SRU-400H       1000
AR6300+SRU-600H       1000
AR1000V(4vCPU)        500
AR1000V(8vCPU)        1000
AR1000V(16vCPU)       1000
AR8140-12G10XG        6000
AR8140-T-12G10XG      6000

Prerequisites

An IWG site has been activated. For details, see Configuring the Network Access Mode for RR/IWG Sites.

Procedure
  1. Choose Provision > Physical Network > Connect to RR from the main menu.
  2. Select an IWG site and click Connect.

  3. On the Connect page, select the RR site to be associated with the IWG site, and click Detect. A message is displayed, indicating that the detection is successful.

  4. Click OK.

Creating an RR/IWG Group

Context
  • An MSP administrator can create IWG/RR groups for IWG/RR management. RR/IWG groups are mainly presented to tenants. A tenant's edge site connects to the desired RR and IWG by connecting to an RR/IWG group.
  • An administrator can create an RR group, an IWG group, or a group that functions as both an RR group and an IWG group. A group can contain multiple RR/IWG sites. Each tenant edge site is associated with only one RR/IWG site. Multiple RR/IWG sites cannot work in active/standby mode.
  • After an RR/IWG group is created, the system displays descriptions of the RRs/IWGs in the group as well as the number of managed RRs/IWGs.
Prerequisites
  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. IWGs and RRs have been added. For details, see Adding IWGs and RRs.
  3. The mode for IWG/RR sites to access the network has been configured. For details, see Configuring the Network Access Mode for RR/IWG Sites.
  4. If an IWG group needs to be configured, IWG sites must be associated with RR sites first. For details, see Associating an IWG Site with an RR Site.
Procedure
  1. Choose Provision > Physical Network > Group Management from the main menu.
  2. Click Create. In the Create Group dialog box that is displayed, configure basic information about an RR/IWG group.

  3. Click Next. On the navigation bar, select the IWG/RR site to be added to the group and click .

  4. Click OK.

Configuring the WAN

Configuring a WAN Interface

Prerequisites
  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. IWGs and RRs have been added. For details, see Adding IWGs and RRs.
  3. The mode for IWG/RR sites to access the network has been configured. For details, see Configuring the Network Access Mode for RR/IWG Sites.
Procedure
  1. Choose from the main menu.
  2. Select the RR or IWG to be configured.
  3. Click the WAN Interface tab and set parameters of a WAN interface of the RR or IWG.
  4. In the Operation column, click and modify WAN interface parameters.

    Negotiation mode, Uplink Bandwidth, and Downlink Bandwidth are automatically set to the same values as those in Configuring the Network Access Mode for RR/IWG Sites. You can modify these parameter values as needed.

  5. Click OK. The configuration is completed.
  6. Click OK to make the configuration take effect.
Parameter Description
Table 2-37 Parameters for configuring a WAN interface

Parameter

Description

Link name

Device-interface

Access type

Negotiation mode

Uplink bandwidth

Downlink bandwidth

The descriptions of these parameters are the same as those on the ZTP configuration pages. After a site is deployed, the WAN interface parameters can be modified here.

MTU

MTU of a WAN interface at a site.

MSS

MSS of a TCP packet on a WAN interface at a site.

Configuring WAN-side Routing

This section describes how to configure OSPF, BGP and static routes on the WAN side.

Prerequisites
  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. IWGs and RRs have been added. For details, see Adding IWGs and RRs.
  3. The mode for IWG/RR sites to access the network has been configured. For details, see Configuring the Network Access Mode for RR/IWG Sites.
Procedure
  1. Choose Provision > Physical Network > WAN Configuration from the main menu.
  2. Select the site for which WAN-side routing needs to be configured.
  3. Click the WAN Route tab.
  4. Configure OSPF.

    1. Click Click Here to Add Routing Protocol.
    2. Select OSPF from the Add Routing Protocol drop-down list box and click OK.
    3. On the OSPF tab page, click Create, and set OSPF parameters.

    4. Click OK.

  5. Configure BGP.

    1. Click or Click Here to Add Routing Protocol.
    2. Select BGP from the Add Routing Protocol drop-down list box and click OK.
    3. On the BGP tab page, click Create, and set BGP parameters.

    4. Click OK.

  6. Configure static routing.

    1. Click or Click Here to Add Routing Protocol.
    2. Select IPv4 Static or IPv6 Static from the Add Routing Protocol drop-down list box and click OK.
    3. On the Static tab page, click Create, and set static routing parameters.

    4. Click OK.

Follow-up Procedure
Table 2-38 Follow-up procedure of configuring WAN-side routing

Function

Operation Scenario and Constraint

Procedure

Modifying a WAN-side route

-

  1. On the tab page of the desired routing protocol, select the target route to be modified, and click in the Operation column.
  2. Modify the route as needed.
  3. Click OK.

Deleting a WAN-side route

-

  1. On the WAN Route tab page, click the tab of the desired routing protocol, and click in the Operation column of the row where the route to be deleted is located.
  2. Click OK.
Parameter Description
Table 2-39 Parameters for configuring OSPF on the WAN Route tab page

Parameter

Description

Device

CPE where OSPF is to be configured.

Process ID

ID of an OSPF process.

In EVPN tunnel mode, if OSPF routes are deployed on an underlay network, the process ID must be in the range from 20001 to 30000. If OSPF routes are deployed on an overlay network, the process ID must be in the range from 1 to 20000.

WAN Link

WAN link where OSPF is to be configured. After a WAN link is specified, OSPF is enabled on the interfaces of the WAN link. An interface can be bound to only one OSPF process.

Common Parameter

Default route advertisement

Whether to advertise default routes to common OSPF areas. After this function is enabled, the device keeps advertising OSPF default routes.

Default route cost

Cost of advertised OSPF default routes.

External route type

External route type of advertised default routes.

  • Type 1 external route

    Type 1 external routes offer higher reliability than Type 2 external routes. Their costs are approximately the same as those of AS internal routes and are comparable with the costs of routes generated by OSPF.

    Cost of a Type 1 external route = Cost of the route from the local device to an ASBR + Cost of the route from the ASBR to the destination

  • Type 2 external route

    Type 2 external routes offer lower reliability. Their costs are considered to be much greater than the cost of any internal route to an ASBR by OSPF. Therefore, OSPF only considers the cost of the route from the ASBR to a destination outside the AS.

    Cost of a Type 2 external route = Cost of the route from an ASBR to the destination

Internal preference

Priority of an OSPF route (excluding AS external routes). A smaller value indicates a higher priority.

ASE preference

Priority of an OSPF AS external route. A smaller value indicates a higher priority.

Interface Parameter

Area ID

OSPF area ID.

Interface Name

Name of an interface with OSPF enabled. You do not need to set this parameter. The system sets it automatically based on the value of WAN Link.

Authentication Mode

Authentication mode to be used in the OSPF area. OSPF packets must be authenticated before a neighbor relationship can be established. The following authentication modes are supported:
  • None: Authentication is not performed on OSPF packets.
  • Simple: A password needs to be configured.
  • Cryptographic: The MD5, HMAC-MD5, or HMAC-SHA256 authentication mode can be selected.
NOTE:

The simple, MD5, and HMAC-MD5 authentication modes may pose potential security risks. As such, the HMAC-SHA256 authentication mode is recommended.

Key (This parameter needs to be set only when Authentication Mode is set to Cryptographic.)

Key for interface ciphertext authentication.

Password (This parameter needs to be set when Authentication Mode is set to Simple or Cryptographic.)

Password for ciphertext authentication.

Hello Timer

Interval at which an interface sends Hello packets, in seconds.

DR Priority

Priority of an interface that participates in Designated Router (DR) election. The DR priority of an interface determines whether the interface participates in DR election. If the DR priority is 0, the router where the interface is located cannot be elected as a DR or BDR.

Cost

OSPF cost of an interface. The cost specified here will be added to the costs of OSPF routes learned on the interface.

Route Redistribute

Protocol

Protocol of routes to be imported. Static, OSPF, BGP, UNR, and direct routes can be imported.

Process ID (This parameter needs to be set only when Protocol is set to OSPF.)

ID of the OSPF process whose routes need to be redistributed.

Cost

Cost of an imported route. The value of this parameter will overwrite the cost in the original route.

Routing Policy

Export

Export

When an SD-WAN site needs to communicate with a legacy site, OSPF can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the advertisement of underlay OSPF routes. Controlled by such a policy, a site advertises only the routes it wants to advertise or the routes required by the neighbor. As such, the access of the legacy site to the LAN side of the SD-WAN site is restricted.

Match

Match

Currently, routes to be advertised can be filtered based on IP prefixes or tags. Either of the two filtering methods can be used.

IP prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Tag

Route tag. The routes to be advertised can be filtered based on the tag. The value must be in the range from 0 to 4294967295.

Route tags can be used to classify routes as needed. You can attach a tag to routes of the same type so that the routes can be flexibly controlled and managed based on the tag through a routing policy.

Apply

Filtering type

Mode for filtering OSPF routes. After this parameter is set, the current site does not advertise OSPF routes in a specified network segment to the underlay network.

  • Blacklist: Only OSPF routes not in the network segment specified by IP Prefix List can be advertised.
  • Whitelist: Only OSPF routes in the network segment specified by IP Prefix List can be advertised.

Cost (This parameter needs to be set only when Filtering type is set to Whitelist.)

Cost to be set for the routes matching the routing policy. This value is used as the cost of OSPF routes to be advertised. The value must be in the range from 0 to 4294967295.

Tag (This parameter needs to be set only when Filtering type is set to Whitelist.)

Route tag. A tag is attached to the routes matching the filter criteria. The value must be in the range from 0 to 4294967295.

The modified tag value will overwrite the original tag value. If this parameter is not set, the original tag value is retained. This parameter is available only when Filtering type is set to Whitelist.

Import

Import

When an SD-WAN site needs to communicate with a legacy site, OSPF can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the import of underlay OSPF routes. Controlled by the policy, a site receives only the routes that it wants to receive. As such, the access of the SD-WAN site to the LAN side of the legacy site is restricted.

Match

Match

Currently, routes to be received can be filtered based on IP prefixes or tags. Either of the two filtering methods can be used.

IP prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Tag

Route tag. The routes to be received can be filtered based on the tag. The value must be in the range from 0 to 4294967295.

Apply

Filtering type

Mode for filtering OSPF routes. After this parameter is set, the current site does not receive OSPF routes in a specified network segment from the underlay network.

  • Blacklist: Only OSPF routes not in the network segment specified in the IP prefix list can be received.
  • Whitelist: Only OSPF routes in the network segment specified in the IP prefix list can be received.
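The Type 1 and Type 2 cost rules from the External route type row above, as an added Python example that is not part of the guide: two constructed candidate paths through different ASBRs show that the same topology prefers a different ASBR depending on the route type. The tie-break for Type 2 routes on the cost to the ASBR follows RFC 2328 and goes beyond what the table states.

```python
"""OSPF external-route cost comparison for Type 1 and Type 2 external routes.
Added example with constructed data; it is not iMaster NCE-Campus code."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ExternalPath:
    """One candidate path to an external destination via an ASBR."""
    asbr: str
    cost_to_asbr: int   # cost of the intra-AS route from the local device to the ASBR
    asbr_to_dest: int   # cost of the route from the ASBR to the destination


def external_cost(path: ExternalPath, route_type: int) -> int:
    """Cost of an external route as defined in the External route type row."""
    if route_type == 1:
        # Type 1: cost to the ASBR + cost from the ASBR to the destination
        return path.cost_to_asbr + path.asbr_to_dest
    if route_type == 2:
        # Type 2: only the cost from the ASBR to the destination counts
        return path.asbr_to_dest
    raise ValueError("route_type must be 1 or 2")


def select_external_route(paths: List[ExternalPath],
                          route_type: int) -> Tuple[ExternalPath, int]:
    """Return the preferred path and its cost.

    For Type 2 routes with equal external cost, OSPF prefers the path with the
    lower cost to the ASBR (RFC 2328, section 16.4); that tie-break is beyond
    what the guide's table states. The ASBR name is a final deterministic key.
    """
    if not paths:
        raise ValueError("no candidate paths")
    if route_type == 1:
        best = min(paths, key=lambda p: (external_cost(p, 1), p.asbr))
    else:
        best = min(paths, key=lambda p: (external_cost(p, 2), p.cost_to_asbr, p.asbr))
    return best, external_cost(best, route_type)


# Constructed sample: ASBR-A is far away but close to the destination,
# ASBR-B is nearby but advertises a worse external cost.
CANDIDATES = [
    ExternalPath("ASBR-A", cost_to_asbr=10, asbr_to_dest=5),
    ExternalPath("ASBR-B", cost_to_asbr=1, asbr_to_dest=8),
]

if __name__ == "__main__":
    for rtype in (1, 2):
        best, cost = select_external_route(CANDIDATES, rtype)
        print(f"Type {rtype}: prefer {best.asbr} with cost {cost}")
```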
Table 2-40 Advanced parameters for configuring BGP on the WAN Route > BGP tab page

Parameter

Description

External preference

Preference of a route received from an EBGP peer. You can set different preferences for routes received from different devices. For a dual-gateway site, you can specify a separate EBGP route preference for each gateway.

Default route redistribution

Whether to import the default routes in the local routing table to the BGP routing table.

Route redistribution

Protocol of routes to be imported. UNR, static, and direct routes can be imported.

Aggregation route

Route obtained by summarizing specific routes in the local BGP routing table. The device advertises only the summary route, and suppresses the advertisement of all summarized specific routes. You can specify IP addresses and masks of multiple summary routes.

Table 2-41 Parameters for configuring BGP on the WAN Route tab page

Parameter

Description

Device

CPE where BGP is to be configured.

Peer IP

IP address of the peer device. In most cases, a BGP peer relationship is established with a legacy site.

Peer AS

AS number of the peer device.

Local AS

Fake AS number of the local device. If this parameter is not configured, the AS number in the global configuration is used by default.

Typically, a device supports only one BGP process. That is, a device supports only one AS number. In some special cases, for example, when AS numbers need to be changed during a network migration, you can set a fake AS number for a specified peer to ensure successful network migration.

Keepalive time (s)

Interval for sending Keepalive messages to the peer. After establishing a BGP connection, two peers periodically send Keepalive messages to each other to detect the status of the BGP connection. If a device receives no Keepalive message or any other type of message from its peer within the specified hold time, the device considers the BGP connection interrupted and tears down the BGP connection.

Hold time (s)

Interval after which a device, having not received a Keepalive message, declares a BGP peer dead. The hold time needs to be at least three times the Keepalive time.

Authentication type

Keychain

Whether to enable keychain authentication between BGP peers. Keychain authentication improves TCP connection security and protects devices from attacks. SHA256 and HMAC-SHA256 are the recommended algorithms for keychain authentication.

NOTE:

Keychain authentication must be pre-configured on devices using CLI. The keychain name configured here must be the same as that configured on the devices.

MD5 Encrypt

Whether to enable MD5 authentication between BGP peers. If this function is enabled, you need to enter a password in ciphertext.

MD5 is an insecure encryption algorithm. To reduce security risks that may occur when MD5 is used, you are advised to periodically change the MD5 authentication password.

No Encrypt

Authentication information between BGP peers is not encrypted. This mode is not recommended.

WAN link

Link used to establish EBGP peer relationships.

Advertise community attributes

Whether to enable the function of advertising community attributes.

Enable BFD

Interval for sending packets

Interval for sending BFD packets. If session services, such as intelligent traffic steering, SAC application identification, URL filtering, IPS/AV, NAT, ASPF, TCP FPM, and network traffic monitoring, are deployed on a device, you are advised to set the minimum BFD detection period to a value greater than 200 ms, that is, set both Interval for sending packets and Interval for receiving packets to values greater than 200 ms.

Interval for receiving packets

Interval for receiving BFD packets.

Local detection multiplier

Local detection multiplier of a BFD session.

  • On a stable link, you can set the BFD local detection multiplier to a large value to avoid frequent link detection.
  • On an unstable link, if the local detection multiplier is small, the BFD session may flap. It is recommended that a larger local detection multiplier be used.

Routing Policy

Export

Export

When an SD-WAN site needs to communicate with a legacy site, BGP can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the advertisement of underlay BGP routes. Controlled by such a policy, a site advertises only the routes it wants to advertise or the routes required by the peer. As such, the access of the legacy site to the LAN side of the SD-WAN site is restricted.

Match

Type

Currently, routes can be filtered only based on IP prefixes.

IP prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Apply

Filtering type

Mode for filtering BGP routes. After this parameter is set, the current site does not advertise BGP routes in a specified network segment to the underlay network.

  • Blacklist: Only BGP routes not in the network segment specified by IP Prefix List can be advertised.
  • Whitelist: Only BGP routes in the network segment specified by IP Prefix List can be advertised.

MED (This parameter is available only when Filtering type is set to Whitelist.)

MED value to be set for BGP routes in the network segment specified by IP Prefix List.

Similar to the cost (or metric) used by an IGP, the MED is used to determine the optimal route when traffic enters an AS. When a BGP-enabled device receives multiple routes to the same destination address but with different next hops from EBGP peers, it selects the route with the smallest MED value as the optimal route.

Community (This parameter needs to be set only when Filtering type is set to Whitelist.)

Community attribute to be added to BGP routes in the network segment specified by IP Prefix.

The community attribute is a private BGP attribute. It is transmitted between BGP peers and is not restricted within an AS. The community attribute allows a group of BGP-enabled devices in multiple ASs to share the same routing policies. This allows routing policies to be flexibly used and makes it simple to maintain and manage routing policies.

AS_Path (This parameter is available only when Filtering type is set to Whitelist.)

AS_Path value to be set for BGP routes in the network segment specified in IP Prefix List.

The AS_Path attribute records the numbers of all ASs that a route passes through, from the source to the destination, in the vector order. You can configure the AS_Path attribute to implement flexible route selection.

Import

Import

When an SD-WAN site needs to communicate with a legacy site, BGP can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the import of underlay BGP routes. Controlled by the policy, a site receives only the routes that it wants to receive. As such, the access of the SD-WAN site to the LAN side of the legacy site is restricted.

Match

Type

Currently, routes can be filtered only by IP prefix.

IP Prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Apply

Filtering type

Mode for filtering BGP routes. After this parameter is set, the current site does not receive BGP routes in a specified network segment from the underlay network.

  • Blacklist: Only BGP routes not in the network segment specified in the IP prefix list can be received.
  • Whitelist: Only BGP routes in the network segment specified in the IP prefix list can be received.
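The IP prefix matching (Mask ≤ Greater-equal ≤ Less-equal) and the Blacklist/Whitelist filtering with Cost and Tag overwrite, as described for the OSPF and BGP routing policies in Tables 2-39 and 2-41 (the same parameters appear again on the BGP VPNv4 tab), as an added Python example over constructed routes; it is not controller code. The default bounds applied when Greater-equal or Less-equal is omitted are an assumption following common prefix-list semantics.

```python
"""Prefix-list matching and Blacklist/Whitelist export filtering as described for
the WAN Route routing policies. Added example over constructed data; it is not
iMaster NCE-Campus code."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

MAX_TAG_OR_COST = 4294967295  # upper bound the guide gives for Tag and Cost


@dataclass
class Route:
    """A route to be advertised: prefix plus the cost and tag it currently carries."""
    prefix: str
    cost: int = 1
    tag: int = 0

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


@dataclass
class PrefixEntry:
    """One IP Prefix entry: IP Address/Mask with optional Greater-equal / Less-equal."""
    prefix: str
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def __post_init__(self):
        self.network = ipaddress.ip_network(self.prefix, strict=False)
        mask, max_len = self.network.prefixlen, self.network.max_prefixlen
        # Defaults are an assumption following common prefix-list semantics:
        # no bounds -> exact mask match; only Greater-equal -> up to the maximum
        # length; only Less-equal -> from the mask length up to Less-equal.
        self.ge = mask if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            self.le = self.less_equal
        else:
            self.le = mask if self.greater_equal is None else max_len
        # Requirement stated in the guide: Mask <= Greater-equal <= Less-equal.
        if not mask <= self.ge <= self.le <= max_len:
            raise ValueError(f"{self.prefix}: need mask({mask}) <= ge({self.ge}) "
                             f"<= le({self.le}) <= {max_len}")

    def matches(self, route: Route) -> bool:
        """True when the route lies inside the entry and its length is within bounds."""
        net = route.network
        if net.version != self.network.version:
            return False
        return net.subnet_of(self.network) and self.ge <= net.prefixlen <= self.le


def apply_export_policy(routes: List[Route], prefix_list: List[PrefixEntry],
                        filtering_type: str, cost: Optional[int] = None,
                        tag: Optional[int] = None) -> List[Route]:
    """Return the routes the site advertises after applying the policy.

    Blacklist: advertise only routes NOT matched by the prefix list.
    Whitelist: advertise only matched routes, optionally overwriting their Cost
    and Tag; an unset Cost/Tag keeps the route's original value.
    """
    if filtering_type not in ("Blacklist", "Whitelist"):
        raise ValueError("Filtering type must be Blacklist or Whitelist")
    for name, value in (("Cost", cost), ("Tag", tag)):
        if value is not None and not 0 <= value <= MAX_TAG_OR_COST:
            raise ValueError(f"{name} must be in 0..{MAX_TAG_OR_COST}")
        if value is not None and filtering_type == "Blacklist":
            raise ValueError(f"{name} can only be set when Filtering type is Whitelist")
    advertised = []
    for route in routes:
        matched = any(entry.matches(route) for entry in prefix_list)
        if filtering_type == "Whitelist" and matched:
            advertised.append(replace(route,
                                      cost=route.cost if cost is None else cost,
                                      tag=route.tag if tag is None else tag))
        elif filtering_type == "Blacklist" and not matched:
            advertised.append(route)
    return advertised


# Constructed sample: LAN-side routes of an SD-WAN site and a prefix entry that
# covers only the /24 subnets under 10.1.0.0/16 (the /25 is outside the bounds).
SITE_LAN_ROUTES = [Route("10.1.0.0/24"), Route("10.1.1.0/24", tag=7),
                   Route("10.1.2.0/25"), Route("172.16.0.0/24"),
                   Route("192.168.100.0/24")]
PREFIX_LIST = [PrefixEntry("10.1.0.0/16", greater_equal=24, less_equal=24)]

if __name__ == "__main__":
    for mode in ("Whitelist", "Blacklist"):
        extra = {"cost": 100, "tag": 100} if mode == "Whitelist" else {}
        result = apply_export_policy(SITE_LAN_ROUTES, PREFIX_LIST, mode, **extra)
        print(mode, [(r.prefix, r.cost, r.tag) for r in result])
```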
Table 2-42 Parameters for configuring a static route on the WAN Route tab page

Parameter

Description

Device

CPE where static routing is to be configured.

Priority

Priority of a static route. The value is an integer from 1 to 255, and a smaller value indicates a higher priority.

If you specify the same priority for static routes with the same destination, load balancing can be implemented among these routes. If you specify different priorities for multiple static routes with the same destination, backup can be implemented among these routes.

WAN Link

Link where a static route is to be deployed.

Destination address/mask

Destination network segment and mask of an IPv4 or IPv6 static route.

Next-Hop

Next-hop type

Type of the next hop in a static route.

  • IP address
  • Outbound interface
  • black_hole: indicates that the packets destined for the destination network segment will be discarded. For example, it can be used to block packets destined for a particular Internet website.

IP address (This parameter needs to be set only when Next-hop type is set to IP address.)

Next-hop IP address of the static route.

Track (This parameter needs to be set only when Next-hop type is set to IP Address or Outbound interface.)

Whether to associate the static route with a network quality analysis (NQA) test instance.

Target

If a static route is associated with an NQA test instance, only ICMP test instances can be used to check whether there are reachable routes between the source and destination. This parameter specifies the destination address of an NQA test instance.

General Configuration

Configuring a Device Account

The password for the admin user on a device that is manually added to the controller is automatically reset to a random password after the device goes online. You can configure a password for the admin user on iMaster NCE-Campus. This password is then used as the device administrator password on devices onboarded afterwards. You can also create a device administrator account and set a password.

  • When you create a site, admin and accampus users are automatically created on managed devices at the site. The password for the accampus user is randomly generated by the system. This user password can be changed as needed.
  • If you want to delete the admin user, ensure that another administrator account has been created.
  • When an MSP administrator logs in to iMaster NCE-Campus for the first time, a dialog box is displayed for setting the initial password for the admin user on devices. After the initial password for the admin user on devices is set, when the MSP administrator creates a site, the admin user on devices at the site uses this password by default. The password can be changed on this page as needed.
  • The user used for device O&M varies according to the device type:
    • New sites: By default, the accampus and admin users are available. Use the accampus user preferentially.
    • Upgraded sites: If the accampus user is unavailable, use the admin user for device O&M.
  • Device O&M is unavailable if both admin and accampus users are deleted.
Prerequisites
  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. IWGs and RRs have been added. For details, see Adding IWGs and RRs.
  3. The mode for IWG/RR sites to access the network has been configured. For details, see Configuring the Network Access Mode for RR/IWG Sites.

Configuring a Site-Level Device Account

Context

You can create a site-level device account to monitor or manage devices. The account takes effect on all devices at a specified site. When a device account is configured for a specific site and another device account is configured for a specific device at this site, the site-level account does not take effect on this device.

The admin account can be used for device login through console ports. For devices running V600R021C00 and later versions, if the username of a device account is set to admin, it is delivered as administrator. If the administrator user has been created on the controller, this user does not take effect on the preceding devices. The accampus account is the dedicated account used by the controller to interact with devices. If you need to manually log in to a device, you are advised to use the admin or another account.

Procedure
  1. Choose Provision > Physical Network > Common Configuration from the main menu.
  2. Select a site and click the Device Account tab.

  3. On the Device Account tab page, click the Site-Level tab.
  4. Click Create and set local user parameters.

  5. Click OK.
  6. To reset the user password, click in the Operation column, set a new password, and click OK.
Parameters
Table 2-43 Creating a local user

Parameter

Description

Username

Username of a device administrator account.

Password

Password of the device administrator account. The latest password takes effect.

Role

Role of the created user. If Monitor is selected, the user has the device monitoring permission. If Administrator is selected, the user has the device management permission.

Service type

Service type supported by the device administrator account. The options include HTTP(S), SSH, and Terminal.

Configuring a Device-Level Device Account

Context

You can create a device administrator account that takes effect on a specific device.

Procedure
  1. Choose Provision > Physical Network > Common Configuration from the main menu.
  2. Select a site and click the Device Account tab.

  3. On the Device Account tab page, click the Device-Level tab.
  4. Click and select the device for which an account is to be created from the drop-down list box.

  5. Click Create and set local user parameters.

  6. Click OK.
  7. To change the user password, click in the Operation column, set a new password, and click OK.
  8. (Optional) Click to delete an account. If a site-level device account has been configured for the site where the device is located, the site-level account takes effect on this device after the device-level account is deleted.
Parameters
Table 2-44 Creating a local user

Parameter

Description

User name

Username of a device administrator account.

Password

Password of the device administrator account. The latest password takes effect.

Permission level

Privilege level of the device administrator account. A larger value indicates a higher privilege level. The value range is from 0 (low) to 15 (high).

Service type

Service type supported by the device administrator account. The options include HTTP(S), SSH, and Terminal.

Account status

Status of the device administrator account. The options include Activate and Blocking. An activated account can be used for device login, but a blocked account cannot.

Deadline

Time when the device administrator account expires. By default, the account is permanently valid and its expiration time cannot be changed after the account is created.

Specified range

Time period during which the account can be used for login. The value ranges from 00:00 to 23:59 and cannot be changed after the account is created.

Idle timeout

Idle timeout period of the account, in seconds.

Modifying the STUN Connection Source Port

Context

You can modify the source port of the STUN connection that has been configured on a device.

Procedure
  1. Choose Provision > Physical Network > Common Configuration from the main menu. Click the Connection Source Port tab.
  2. Select a site from the list on the right, enable Connection source port, and modify the connection source port information.

    The modified configuration will be delivered only to devices at the selected site.

  3. Click OK.

Configuring Interconnection Between SD-WAN and MPLS Networks

To interconnect an SD-WAN network and an MPLS network, BGP VPNv4 peer relationships need to be established between PEs, which requires BGP peers and routing policies to be configured.

Currently, an IWG and a PE can be interconnected in three modes: OptionB, OptionA (VXLAN), and OptionA (VLAN).

Prerequisites
  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. IWGs and RRs have been added. For details, see Adding IWGs and RRs.
  3. The mode for IWG/RR sites to access the network has been configured. For details, see Configuring the Network Access Mode for RR/IWG Sites.
Procedure
  1. Choose Provision > Physical Network > Interworking Configuration from the main menu.
  2. Select an IWG from an IWG group.
  3. In the Interworking mode area, click Select a type and select OptionB, OptionA (VLAN) or OptionA (VXLAN) as needed. Click OK.
  4. When Interworking mode is set to OptionB, you can configure L3 Interface, Route, and BGP VPNV4.

    1. Configure a Layer 3 interface for an edge site to communicate with a VPC.
      1. Click the L3 Interface tab and click Create.
      2. On the Create L3 Interface tab page, configure a Layer 3 interface.

      3. Click OK. The interface configuration is complete.
      4. Click OK.
    2. Configure routes.
      1. Click the Route tab and click Click Here to Add Routing Protocol.
      2. In the Add Routing Protocol dialog box, select Static and click OK.
      3. On the Static tab page, click Create, and set static routing parameters.

      4. Click OK.
      5. Click OK.
    3. Configure BGP VPNv4 to implement interconnection between SD-WAN and MPLS networks.
      1. Click the BGP VPNV4 tab and click Create.
      2. On the Create BGP tab page, set BGP parameters.

      3. Click OK.
      4. Click OK.

  5. When Interworking mode is set to OptionA (VXLAN), configure Layer 3 interfaces, LAN interface, routes, and VXLAN.

    1. Configure Layer 3 interfaces. For details, see the Layer 3 interface configuration in step 4.
    2. Configure a LAN interface.
      1. Click the LAN Interface tab and click Create.
      2. In the Create VLAN dialog box, set VLAN parameters.

      3. Click OK.
      4. Click OK.
    3. Configure routes. For details, see the route configuration in step 4.
    4. Set VXLAN parameters.

      Set Local VTEP IP as needed. The options include Interface and IP.

      • If Local VTEP IP is set to Interface, select an existing Layer 3 interface and set Peer VTEP IP.
      • When Local VTEP IP is set to IP, set IP and Peer VTEP IP.

      Click OK.

  6. When Interworking mode is set to OptionA (VLAN), you can configure an interconnection interface.

    To configure an interconnection interface, set Interface and Interface Mode on the Interconnection Interface tab page.

Parameter Description
Table 2-45 Parameters for creating a Layer 3 interface

Parameter

Description

Interface

Name of a Layer 3 interface.

Sub-interface

Sub-interface

Whether to create a sub-interface.

VLAN ID

The value ranges from 1 to 4094 for Layer 3 sub-interfaces. The dot1q VLAN ID is used as the sub-interface number.

IP address

IP address of an interface or a sub-interface.

MTU

Maximum transmission unit (MTU) of an interface. This parameter cannot be configured for xDSL physical interfaces.

The size of data packets sent each time is limited at the network layer. When a network layer device receives an IP packet, it determines the outbound interface and obtains the MTU supported by the interface. The device then compares the IP packet length with the MTU. If the IP packet length is longer than the MTU, the device fragments the IP packet. Each fragment has a length less than or equal to the MTU.

  • If the MTU is too small while packets are large, a packet is probably fragmented into many pieces, and the fragments may be discarded if the QoS queue length is insufficient.
  • If the MTU is too large, packets are transmitted slowly or even lost.

MSS

Maximum segment size (MSS) of TCP packets on an interface. The MSS is an option defined in the TCP protocol and refers to the maximum length of TCP packets that can be received by a device. When setting up a TCP connection, the local and peer devices negotiate an MSS value. If the length of a TCP packet received from the peer device exceeds the negotiated MSS value, the packet is fragmented.

NOTICE:

To prevent TCP packets from being fragmented, you must configure a proper MSS based on the MTU. The MTU is an option used to determine whether IP packets will be fragmented. If the size of an IP packet sent by a peer device exceeds the MTU, the IP packet will be fragmented. To properly transmit a packet, ensure that the MSS value plus all the header lengths (TCP header and IP header) does not exceed the MTU. For example, the default MTU of an Ethernet interface is 1500 bytes. To prevent packets from being fragmented, set the MSS to a value equal to or smaller than 1460 bytes [1500 – 20 (minimum length of the TCP header) – 20 (minimum length of the IP header)]. You are advised to set the MSS to 1200 bytes.

Table 2-46 Parameters for configuring BGP on the BGP VPNv4 tab page

Parameter

Description

Peer IP

IP address of the peer device. In most cases, a BGP peer relationship is established with a legacy site.

Peer AS

AS number of the peer device.

Local AS

Fake AS number of the local device. If this parameter is not configured, the AS number in the global configuration is used by default.

Typically, a device supports only one BGP process. That is, a device supports only one AS number. In some special cases, for example, when AS numbers need to be changed during a network migration, you can set a fake AS number for a specified peer to ensure successful network migration.

Keepalive time

Interval for sending Keepalive messages to the peer. After establishing a BGP connection, two peers periodically send Keepalive messages to each other to detect the status of the BGP connection. If a device receives no Keepalive message or any other type of message from its peer within the specified hold time, the device considers the BGP connection interrupted and tears down the BGP connection.

Hold time (s)

Interval after which a device, having not received a Keepalive message, declares a BGP peer dead. The hold time needs to be at least three times the Keepalive time.

Authentication type

Authentication type for BGP packets.

  • Keychain: Keychain authentication is used. Keychain authentication must be pre-configured on devices using CLI. The keychain name must be the same as that configured on the devices.
  • MD5 Encrypt: MD5 authentication is used. If this function is enabled, you need to enter a password in ciphertext. MD5 is an insecure encryption algorithm. To reduce security risks that may occur when MD5 is used, you are advised to periodically change the MD5 authentication password.
  • No Encryption: No authentication is performed.
NOTE:

To ensure BGP security, you are advised to enable keychain authentication.

Routing policy

Routing Policy

Export

When an SD-WAN site needs to communicate with a legacy site, BGP can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the advertisement of underlay BGP routes. Controlled by such a policy, a site advertises only the routes it wants to advertise or the routes required by the peer. As such, the access of the legacy site to the LAN side of the SD-WAN site is restricted.

Index

Index

Index of a routing policy.

Currently, routes can be filtered only by IP prefix.

Goto Index

After this parameter is set, routes to match the routing policy first match the conditions with Index as this specific Goto Index value. The Goto Index value must be larger than the Index value.

NOTE:

This parameter is configurable after at least two indexes are set.

Match

IP Prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Community Filter

Community filter.

  • Name: specifies the name of a community filter.
  • Whole Match: When this function is enabled, the route matches the filter only when all community attributes are met.
  • Match Mode: specifies matching mode of the community filter. It can be either permit or deny.
  • Members: specifies a community number.

Apply

Filtering type

Mode for filtering BGP routes. After this parameter is set, the current site does not advertise BGP routes in a specified network segment to the underlay network.

  • Blacklist: Only BGP routes not in the network segment specified by IP Prefix can be advertised.
  • Whitelist: Only BGP routes in the network segment specified by IP Prefix can be advertised.

MED (This parameter is available only when Filtering type is set to Whitelist.)

MED value to be set for BGP routes in the network segment specified by IP Prefix.

Similar to the cost (or metric) used by an IGP, the MED is used to determine the optimal route when traffic enters an AS. When a BGP-enabled device receives multiple routes to the same destination address but with different next hops from EBGP peers, it selects the route with the smallest MED value as the optimal route.

Community (This parameter needs to be set only when Filtering type is set to Whitelist.)

Community attribute to be added to BGP routes in the network segment specified by IP Prefix.

The community attribute is a private BGP attribute. It is transmitted between BGP peers and is not restricted within an AS. The community attribute allows a group of BGP-enabled devices in multiple ASs to share the same routing policies. This allows routing policies to be flexibly used and makes it simple to maintain and manage routing policies.

ExtCommunity (This parameter is available only when Filtering type is set to Whitelist.)

Extended community filter.

Local Preference (This parameter is available only when Filtering type is set to Whitelist.)

Default local preference to be set for BGP routes.

AS_Path (This parameter is available only when Filtering type is set to Whitelist.)

AS_Path value to be set for BGP routes in the network segment specified by IP Prefix.

The AS_Path attribute records the numbers of all ASs that a route passes through, from the source to the destination, in the vector order. You can configure the AS_Path attribute to implement flexible route selection.

Import

Import

When an SD-WAN site needs to communicate with a legacy site, BGP can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the import of underlay BGP routes. Controlled by the policy, a site receives only the routes that it wants to receive. As such, the access of the SD-WAN site to the LAN side of the legacy site is restricted.

Index

Index

Index of a routing policy. Currently, routes can be filtered only by IP prefix.

Goto Index

After this parameter is set, routes to match the routing policy first match the conditions with Index as this specific Goto Index value. The Goto Index value must be larger than the Index value.

NOTE:

This parameter is configurable after at least two indexes are set.

Match

IP Prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Community Filter

Community filter.

  • Name: specifies the name of a community filter.
  • Whole Match: When this function is enabled, the route matches the filter only when all community attributes are met.
  • Match Mode: specifies matching mode of the community filter. It can be either permit or deny.
  • Members: specifies a community number.

Apply

Filtering type

Mode for filtering BGP routes. After this parameter is set, the current site does not receive BGP routes in a specified network segment from the underlay network.

  • Blacklist: Only BGP routes not in the network segment specified by IP Prefix can be received.
  • Whitelist: Only BGP routes in the network segment specified by IP Prefix can be received.

MED (This parameter is available only when Filtering type is set to Whitelist.)

MED value to be set for BGP routes in the network segment specified by IP Prefix.

Similar to the cost (or metric) used by an IGP, the MED is used to determine the optimal route when traffic enters an AS. When a BGP-enabled device receives multiple routes to the same destination address but with different next hops from EBGP peers, it selects the route with the smallest MED value as the optimal route.

Community (This parameter needs to be set only when Filtering type is set to Whitelist.)

Community attribute to be added to BGP routes in the network segment specified by IP Prefix.

The community attribute is a private BGP attribute. It is transmitted between BGP peers and is not restricted within an AS. The community attribute allows a group of BGP-enabled devices in multiple ASs to share the same routing policies. This allows routing policies to be flexibly used and makes it simple to maintain and manage routing policies.

ExtCommunity (This parameter is available only when Filtering type is set to Whitelist.)

Extended community filter.

Local Preference (This parameter is available only when Filtering type is set to Whitelist.)

Default local preference to be set for BGP routes.

AS_Path (This parameter is available only when Filtering type is set to Whitelist.)

AS_Path value to be set for BGP routes in the network segment specified by IP Prefix.

The AS_Path attribute records the numbers of all ASs that a route passes through, from the source to the destination, in the vector order. You can configure the AS_Path attribute to implement flexible route selection.
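The Export and Import tables above describe one match-and-apply logic: an IP Prefix match bounded by Greater-equal and Less-equal, a Blacklist or Whitelist filtering type, attribute setting (MED, Community, Local Preference, AS_Path) for whitelisted routes, and Goto Index to continue at a later node. The following Python is an added example of that logic written for this page; it is not iMaster NCE-Campus or device code. The evaluation order by Index, the rule that Goto Index continues evaluation at the named node, AS_Path being applied as a prepend, and the fall-through rule for routes that match no node are assumptions; the policy and prefixes in demo() are constructed.

```python
"""Evaluator for the Export/Import routing-policy tables (added example).

Not iMaster NCE-Campus or device code. Ordering by Index, the Goto Index
continuation rule, AS_Path as a prepend and the fall-through rule in
evaluate() are assumptions made for this example.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple


def check_prefix_bounds(ip_prefix: str, greater_equal: int, less_equal: int) -> bool:
    """Enforce Mask <= Greater-equal <= Less-equal (and <= the address length)."""
    net = ip_network(ip_prefix, strict=False)
    return net.prefixlen <= greater_equal <= less_equal <= net.max_prefixlen


@dataclass
class Route:
    prefix: str                                  # e.g. "10.20.0.0/16"
    med: Optional[int] = None
    local_pref: Optional[int] = None
    communities: Set[str] = field(default_factory=set)
    as_path: List[int] = field(default_factory=list)


@dataclass
class PolicyNode:
    index: int
    ip_prefix: str                               # IP Address/Mask
    greater_equal: int                           # minimum mask length
    less_equal: int                              # maximum mask length
    filtering: str                               # "Blacklist" or "Whitelist"
    goto_index: Optional[int] = None
    med: Optional[int] = None                    # attributes below apply to Whitelist only
    community: Optional[str] = None
    local_pref: Optional[int] = None
    as_path: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not check_prefix_bounds(self.ip_prefix, self.greater_equal, self.less_equal):
            raise ValueError(f"node {self.index}: need Mask <= Greater-equal <= Less-equal")
        if self.filtering not in ("Blacklist", "Whitelist"):
            raise ValueError(f"node {self.index}: unknown filtering type {self.filtering!r}")
        if self.goto_index is not None and self.goto_index <= self.index:
            raise ValueError(f"node {self.index}: Goto Index must be larger than Index")

    def matches(self, route: Route) -> bool:
        """IP Prefix match: route lies in the segment and its mask length is within [ge, le]."""
        net = ip_network(self.ip_prefix, strict=False)
        r = ip_network(route.prefix, strict=False)
        return r.subnet_of(net) and self.greater_equal <= r.prefixlen <= self.less_equal


def evaluate(nodes: List[PolicyNode], route: Route) -> Optional[Route]:
    """Return the route (attributes applied) if the policy lets it through, else None."""
    order = sorted(nodes, key=lambda n: n.index)
    pos = {n.index: i for i, n in enumerate(order)}
    if len(pos) != len(order):
        raise ValueError("duplicate Index values")
    for n in order:
        if n.goto_index is not None and n.goto_index not in pos:
            raise ValueError(f"node {n.index}: Goto Index {n.goto_index} does not exist")

    out = replace(route, communities=set(route.communities), as_path=list(route.as_path))
    permitted = False
    i = 0
    while i < len(order):
        n = order[i]
        if not n.matches(out):
            i += 1
            continue
        if n.filtering == "Blacklist":       # matched segment is neither advertised nor received
            return None
        permitted = True                     # Whitelist: pass the route and set its attributes
        if n.med is not None:
            out.med = n.med
        if n.local_pref is not None:
            out.local_pref = n.local_pref
        if n.community:
            out.communities.add(n.community)
        if n.as_path:
            out.as_path = n.as_path + out.as_path   # assumption: prepend, not overwrite
        if n.goto_index is None:
            return out
        i = pos[n.goto_index]                # continue evaluating at the Goto Index node
    if permitted:
        return out
    # Assumption: a policy made only of Blacklist nodes passes everything else; once any
    # Whitelist node exists, a route that matches no node is dropped.
    return out if all(n.filtering == "Blacklist" for n in order) else None


def demo() -> Dict[str, Optional[Tuple[Optional[int], List[str]]]]:
    """Constructed export policy: hide the 10.10.0.0/16 LAN segment, tag the rest of 10/8."""
    export_policy = [
        PolicyNode(10, "10.10.0.0/16", 16, 24, "Blacklist"),
        PolicyNode(20, "10.0.0.0/8", 16, 24, "Whitelist", goto_index=30, med=100),
        PolicyNode(30, "10.0.0.0/8", 16, 16, "Whitelist", community="65000:100"),
    ]
    results = {}
    for prefix in ["10.10.1.0/24", "10.20.0.0/16", "10.30.5.0/24", "192.168.1.0/24", "10.0.0.0/8"]:
        r = evaluate(export_policy, Route(prefix))
        results[prefix] = None if r is None else (r.med, sorted(r.communities))
    return results


if __name__ == "__main__":
    for prefix, outcome in demo().items():
        print(prefix, "->", "filtered" if outcome is None else outcome)
```

In demo(), 10.10.1.0/24 is stopped by the Blacklist node, 10.20.0.0/16 gets MED 100 at node 20 and the community at node 30 via Goto Index, 10.30.5.0/24 gets only the MED because node 30 accepts /16 routes alone, and 10.0.0.0/8 itself falls outside every Greater-equal/Less-equal window and is dropped.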

Table 2-47 Parameters for creating a static route

Parameter

Description

Priority

Priority of a static route. The value is an integer from 1 to 255, and a smaller value indicates a higher priority.

If you specify the same priority for static routes with the same destination, load balancing can be implemented among these routes. If you specify different priorities for multiple static routes with the same destination, backup can be implemented among these routes.

Destination address/mask

Destination network segment and mask of the static route.

Next-Hop

Next-hop type

Type of the next hop in a static route.

  • IP address
  • black_hole: indicates that the packets destined for the destination network segment will be discarded. For example, it can be used to block packets destined for a particular Internet website.

IP address (This parameter needs to be set only when Next-hop type is set to IP address.)

Next-hop IP address of the static route.

Track (This parameter needs to be set only when Next-hop type is set to IP address.)

Whether to associate the static route with a network quality analysis (NQA) test instance.

Target

If a static route is associated with an NQA test instance, only ICMP test instances can be used to check whether there are reachable routes between the source and destination. This parameter specifies the destination address of an NQA test instance.

Table 2-48 Parameters for creating a LAN interface

Parameter

Description

VLAN ID

This VLAN is used for Layer 2 communication between the site and the LAN network. The value cannot be the same as the VLAN ID of the WLAN or the VLAN ID of the interlink between dual gateways.

The system automatically creates VLANIF interfaces based on VLAN IDs. For a dual-gateway site, if the CPEs are directly connected to a Layer 2 switch in the downstream direction, to implement the VRRP function on the LAN side, the two CPEs must use the VLANIF interfaces with the same VLAN ID to communicate with the LAN side.

Physical interfaces

Type of the interface to be added and its number (for example, 0 or 0/0/0). Tag and Untag options are available.

  • Tag: The interface allows packets with VLAN tags to pass through.
  • Untag: The interface allows untagged packets to pass through and adds VLAN tags to the packets before forwarding them.

IP address

IP address to be set for the VLANIF interface.

Advanced Settings

MTU

MTU of the interface. This parameter cannot be configured for xDSL physical interfaces.

The size of data packets sent each time is limited at the network layer. When a network layer device receives an IP packet, it determines the outbound interface and obtains the MTU supported by the interface. The device then compares the IP packet length with the MTU. If the IP packet length is longer than the MTU, the device fragments the IP packet. Each fragment has a length less than or equal to the MTU.

  • If the MTU is too small but the packet size is large, the packet is probably fragmented into many pieces and may then be discarded because the QoS queue length is insufficient.
  • If the MTU is too large, packets are transmitted slowly or even lost.

MSS

MSS of TCP packets on an interface. The MSS is an option defined in the TCP protocol and refers to the maximum length of TCP packets that can be received by a device. When setting up a TCP connection, the local and peer devices negotiate an MSS value. If the length of a TCP packet received from the peer device exceeds the negotiated MSS value, the packet is fragmented.

NOTICE:

To prevent TCP packets from being fragmented, you must configure a proper MSS based on the MTU. The MTU is an option used to determine whether IP packets will be fragmented. If the size of an IP packet sent by a peer device exceeds the MTU, the IP packet will be fragmented. To properly transmit a packet, ensure that the MSS value plus all the header lengths (TCP header and IP header) does not exceed the MTU. For example, the default MTU of an Ethernet interface is 1500 bytes. To prevent packets from being fragmented, set the MSS to a value equal to or smaller than 1460 bytes [1500 – 20 (minimum length of the TCP header) – 20 (minimum length of the IP header)]. You are advised to set the MSS to 1200 bytes.

Table 2-49 Parameters for configuring VXLAN

Parameter

Description

Local VTEP IP

Local VTEP IP address of the VXLAN tunnel. The options include Interface and IP.

Select Interface (needs to be set only when Local VTEP IP is set to Interface)

Select an existing Layer 3 interface.

IP (needs to be set only when Local VTEP IP is set to IP)

VTEP IP address on the local end

Peer VTEP IP

VTEP IP address on the peer end.

Table 2-50 Parameters for configuring an interconnection interface

Parameter

Description

Interface

Interconnection interface type and number. In VLAN interconnection mode, set interconnection interface parameters. Currently, GE, FE, xGE, and Eth-Trunk interfaces are supported.

Interface Mode

Mode in which an interconnection interface works. An interconnection interface can work as a Layer 3 interface or a Layer 2 interface.

Configuring Tenant Access

You can manage the sites that a tenant can access, that is, decide which tenants can connect to an IWG or RR site.

Prerequisites
  1. Global parameters have been set. For details, see Setting Global Parameters.
  2. IWGs and RRs have been added. For details, see Adding IWGs and RRs.
  3. An RR/IWG group has been configured. For details, see Creating an RR/IWG Group.
  4. To configure tenant access to IWG sites, ensure that interconnection between SD-WAN and MPLS networks has been configured. For details, see Configuring Interconnection Between SD-WAN and MPLS Networks.
  5. A tenant has been created.

Configuring Tenant Access to RR Sites

You can configure whether tenants can access RR sites.

Procedure
  1. Choose Provision > Managed Service > RR Service from the main menu. Select a tenant.
  2. Enable the RR service for the tenant if the tenant requires the RR service.
  3. Set Share mode.

    • Share: Multiple tenants share an RR site.
    • Exclusive: A tenant uses an RR site exclusively.

      When Share mode is set to Exclusive, click Create, select an RR group and an RR site in this group to assign this RR site to the tenant for exclusive use.

  4. Click OK.
  5. Click OK. The configuration is completed.

Configuring Tenant Access to IWG Sites

You can configure whether tenants can access IWG sites. The selected interworking mode must be the same as the interworking mode in the interconnection configuration.

Procedure
  1. Choose Provision > Managed Service > GW Service from the main menu and click Interworking GW Service.
  2. Select a tenant. Enable the IWG service for the tenant if the tenant requires the IWG service.
  3. Set Interworking mode. The options include OptionB, OptionA(VXLAN), and OptionA(VLAN).
  4. Select Share mode.

    Share: An IWG is shared by multiple tenants.

    Exclusive: An IWG is exclusively used by a tenant.

  5. Configure FEC optimization. Enabling FEC optimization can improve network communication quality.

    The following device models support the FEC optimization function:

    AR651, AR651-LTE6EA, AR651K, AR651W, AR651W-8P, AR651U-A4, AR657, AR657W, AR6120, AR6120-VW, AR6120-S, AR6121, AR6121E, AR6121K, AR6140-9G-2AC, AR6140-9G-R-2AC, AR6140-S, AR6140-16G4XG, AR6140E-9G-2AC, AR6140K-9G-2AC, AR6280, AR6280K, AR6300, AR6300-S, AR6300K, AR6710-L26T2X4, AR6710-L26T2X4-T, AR6710-L50T2X4, AR6710-L50T2X4-T, SRG1321, SRG1340-9G, SRG1340-16G4XG, and AR1000V running V300R021C10 and later versions

  6. Perform the following operations based on the interworking mode and sharing mode:

    • When Interworking mode is set to OptionB:
      • In Share mode, multiple tenants share an IWG site.

        In this mode, you need to configure a non-SD-WAN VPN.

        Click Create and set parameters, including the VPN name and import and export VPN targets, to assign an IWG site from an IWG group to be shared by multiple tenants.

        When an IWG accesses a non-SD-WAN VPN, the import and export VPN targets set for the non-SD-WAN VPN must be opposite to those on a PE. That is, the import VPN target on the PE must be the same as the export VPN target set for the non-SD-WAN VPN, and the export VPN target on the PE must be the same as the import VPN target set for the non-SD-WAN VPN.

      • In Exclusive mode, a tenant uses an IWG site exclusively.

        In this mode, you need to allocate a specific IWG site to each tenant and configure a non-SD-WAN VPN. The non-SD-WAN VPN configuration is the same as that in sharing mode. For details, see the configuration in sharing mode. To configure IWG distribution, perform the following steps:

        Click Create, set IWG Group Selection and Interworking GW to assign a specific IWG site from the selected IWG group to the tenant for exclusive use.

    • When Interworking mode is set to OptionA (VXLAN):
      • In Share mode, multiple tenants share an IWG site. In this mode, you need to allocate an IWG site to multiple tenants and configure a non-SD-WAN VPN.
        • Configure a non-SD-WAN VPN.

          Click Create and set VPN Name and VNI. A VXLAN Network Identifier (VNI) identifies a VXLAN network.

        • Allocate an IWG site to tenants.

          Click Create and select an IWG group.

          Click in the Operation column on the IWG allocation page to edit an IWG.

          1. Select an IWG site.
          2. On the right of Network Config, click +add to set network configuration parameters.
          3. Click OK. The IWG configuration is completed.
      • In Exclusive mode, a tenant uses an IWG site exclusively.

        In this mode, you need to allocate a specific IWG site to each tenant and configure a non-SD-WAN VPN. The non-SD-WAN VPN and IWG allocation configurations are the same as those in sharing mode. For details, see the configuration in sharing mode.

    • When Interworking mode is set to OptionA (VLAN):
      • In Share mode, multiple tenants share an IWG site. In this mode, you need to allocate an IWG site to multiple tenants and configure a non-SD-WAN VPN.
        • Configure a non-SD-WAN VPN.

          Click Create and set VPN Name and VLAN ID.

        • Allocate an IWG site to tenants.

          Click Create and select an IWG group.

          Click in the Operation column on the IWG allocation page to edit an IWG.

          1. Select an IWG site.
          2. On the right of Network Config, click +add to set network configuration parameters.
          3. Click OK. The IWG configuration is completed.
      • In Exclusive mode, a tenant uses an IWG site exclusively.

        In this mode, you need to allocate a specific IWG site to each tenant and configure a non-SD-WAN VPN. The non-SD-WAN VPN and IWG allocation configurations are the same as those in sharing mode. For details, see the configuration in sharing mode.

  7. Click OK.
  8. Click OK. The configuration is completed.

Follow-up Procedure

Table 2-51 Follow-up procedure of configuring tenant access

Function

Operation Scenario and Constraint

Procedure

Modifying tenant access configurations

An RR or IWG service has been created.

  1. Select the site whose configuration needs to be modified and click in the Operation column.
  2. Modify tenant access configurations.
  3. Click OK.

Deleting tenant access configurations

An RR or IWG service has been created.

  1. Select the site whose configuration needs to be deleted and click in the Operation column.
  2. Click OK.

Checking tenants enabled with the RR or IWG service

When an MSP manages multiple tenants, the MSP can quickly collect statistics about and view tenants enabled with the RR or IWG service.

  1. Click RR Service or Interworking GW Service.
  2. Select Enabled from the drop-down list box in the navigation pane.

Checking tenants disabled with the RR or IWG service

When an MSP manages multiple tenants, the MSP can quickly collect statistics and view tenants disabled with the RR or IWG service.

  1. Click RR Service or Interworking GW Service.
  2. Select Disabled from the drop-down list box in the navigation pane.

Parameter Description

Table 2-52 Parameters for creating a non-SD-WAN VPN

Parameter

Description

VPN Name

Name of an MPLS network.

Import VPN Target

Import VPN target of the legacy network.

Export VPN Target

Export VPN target of the legacy network.

Table 2-53 Parameters for configuring BGP

Parameter

Description

Peer IP

IP address of the peer device. In most cases, a BGP peer relationship is established with a legacy site.

Peer AS

AS number of the peer device.

Local AS

Fake AS number of the local device. In the IBGP scenario, the local and peer AS numbers set here must be the same as those in the global configuration.

Typically, a device supports only one BGP process. That is, a device supports only one AS number. In some special cases, for example, when AS numbers need to be changed during a network migration, you can set a fake AS number for a specified peer to ensure successful network migration.

Keepalive time (s)

Interval for sending Keepalive messages to the peer. After establishing a BGP connection, two peers periodically send Keepalive messages to each other to detect the status of the BGP connection. If a device receives no Keepalive message or any other type of message from its peer within the specified hold time, the device considers the BGP connection interrupted and tears down the BGP connection.

Hold time (s)

Interval after which a device, having not received a Keepalive message, declares a BGP peer dead. The hold time needs to be at least three times the Keepalive time.

MD5 encrypt

Whether to enable MD5 authentication between BGP peers. If this function is enabled, you need to enter a password in ciphertext.

MD5 is an insecure encryption algorithm. To reduce security risks that may occur when MD5 is used, you are advised to periodically change the MD5 authentication password.

ReflectClient

This function can be enabled when the RR function is enabled in advanced settings. This IWG can function as an RR.

Routing Policy

Export

Export

When an SD-WAN site needs to communicate with a legacy site, BGP can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the advertisement of underlay BGP routes. Controlled by such a policy, a site advertises only the routes it wants to advertise or the routes required by the peer. As such, the access of the legacy site to the LAN side of the SD-WAN site is restricted.

Match

Type

Currently, routes can be filtered only based on IP prefixes.

IP Prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Apply

Filter

Mode for filtering BGP routes. After this parameter is set, the current site does not advertise BGP routes in a specified network segment to the underlay network.

  • Blacklist: Only BGP routes not in the network segment specified by IP Prefix List can be advertised.
  • Whitelist: Only BGP routes in the network segment specified by IP Prefix List can be advertised.

MED (This parameter is available only when Filtering type is set to Whitelist.)

MED value to be set for BGP routes in the network segment specified by IP Prefix List.

Similar to the cost (or metric) used by an IGP, the MED is used to determine the optimal route when traffic enters an AS. When a BGP-enabled device receives multiple routes to the same destination address but with different next hops from EBGP peers, it selects the route with the smallest MED value as the optimal route.

Community (This parameter needs to be set only when Filtering type is set to Whitelist.)

Community attribute to be added to BGP routes in the network segment specified by IP Prefix.

The community attribute is a private BGP attribute. It is transmitted between BGP peers and is not restricted within an AS. The community attribute allows a group of BGP-enabled devices in multiple ASs to share the same routing policies. This allows routing policies to be flexibly used and makes it simple to maintain and manage routing policies.

AS_Path (This parameter needs to be set only when Filtering type is set to Whitelist.)

AS_Path value to be set for BGP routes in the network segment specified in IP Prefix List.

The AS_Path attribute records the numbers of all ASs that a route passes through, from the source to the destination, in the vector order. You can configure the AS_Path attribute to implement flexible route selection.

Import

Import

When an SD-WAN site needs to communicate with a legacy site, BGP can be used to control access paths.

Ensure that a peer relationship has been established between an SD-WAN site and a legacy site. You can configure a routing policy to control the import of underlay BGP routes. Controlled by the policy, a site receives only the routes that it wants to receive. As such, the access of the SD-WAN site to the LAN side of the legacy site is restricted.

Match

Type

Currently, routes can be filtered only based on IP prefixes.

IP Prefix

Range of the routes that match the routing policy. The parameter values must meet the following requirement: Mask ≤ Greater-equal ≤ Less-equal.
  • IP Address/Mask: IP address and mask length
  • Greater-equal: minimum mask length
  • Less-equal: maximum mask length

Apply

Filtering type

Mode for filtering BGP routes. After this parameter is set, the current site does not receive BGP routes in a specified network segment from the underlay network.

  • Blacklist: Only BGP routes not in the network segment specified in the IP prefix list can be received.
  • Whitelist: Only BGP routes in the network segment specified in the IP prefix list can be received.

Table 2-54 Advanced BGP configuration

Parameter

Description

External preference

Preference of a route received from an EBGP peer. You can set different preferences for routes received from different devices. For a dual-gateway site, you can specify a separate EBGP route preference for each gateway.

Internal preference

Protocol preference of routes received from an IBGP peer.

Default route redistribution

Whether to import the default routes in the local routing table to the BGP routing table.

Route redistribution

Protocol of routes to be imported. Static and direct routes can be imported.

Aggregation route

Route obtained by summarizing specific routes in the local BGP routing table. The device advertises only the summary route, and suppresses the advertisement of all summarized specific routes. You can specify IP addresses and masks of multiple summary routes.

Route Reflector

Whether to enable the RR function.

Cluster-id

Cluster ID of an RR. The value can be an integer in the range from 1 to 4294967295 or in the format of an IPv4 address.

Viewing RR Access Statistics

Procedure
  1. Choose Design > Site Design > Device Capabilities and Statistics from the main menu.
  2. Click the RR Access Statistics tab. View information about RR sites that have been configured, including Access Area, Sharing Mode, Access Edge Site Count/Total, and Access Tenant Count.

Viewing Gateway Access Statistics

Procedure
  1. Choose Design > Site Design > Device Capabilities and Statistics from the main menu.
  2. Click the Gateway Access Statistics tab. View information about gateways that have been configured, including Access Area, Sharing Mode, Consumed Bandwidth, Access Edge Site Count/Total, Access VPN Count/Total, and Access Tenant Count.

Checking the Configuration Status of an RR/Gateway Site

After configuring an RR/Gateway site, you can perform the following operations to view the site configuration status and IP resource pool information.

Procedure
Choose Maintenance > Provisioning Result > Site Configuration Status from the main menu.
  • Click the Configuration Result tab, select a site, and view Device Configuration Status of the selected site.

    Click the Generate Configuration tab. If Successful is displayed in the Device Configuration Status column for all records, the network deployment is successful.

    Only the current device configuration status (success or failure) is displayed, and the status is displayed after a certain delay.

  • (Optional) Click the Total Site Result Statistics tab to view the device configuration status of all sites.

Configuration Before Deployment by Tenants

Logging In to iMaster NCE-Campus as a Tenant Administrator and Selecting a Scenario View

Context

A tenant administrator can use a browser to log in to iMaster NCE-Campus to perform system management and maintenance operations in the graphical web UI. The following web browsers are supported:

  • Google Chrome 85 or later
  • Microsoft Edge 89 or later (64-bit)
Procedure
  1. Open a browser.
  2. Enter https://iMaster NCE-Campus server IP address:port number in the address box, and press Enter.

    • The IP address of the iMaster NCE-Campus server is the controller node IP address, which is specified during iMaster NCE-Campus installation.
    • The port number is 18008. The port number used for the login must be the same as that specified during the installation.

  3. Ignore the security certificate warning and access the login page.

    When you log in to iMaster NCE-Campus using a browser, the browser performs unidirectional authentication on iMaster NCE-Campus based on the ER certificate. The Huawei ER certificate has been pre-configured during iMaster NCE-Campus installation. This certificate is used only for temporary communication and is not for commercial use. You need to apply for a new ER certificate to update the pre-configured ER certificate to improve iMaster NCE-Campus communication security. In addition, you are advised to periodically update the certificate to prevent system security risks caused by certificate expiration. After the ER certificate is updated, the message indicating a security certificate error will not be displayed.

    • Google Chrome: Choose Advanced > Proceed to ... (unsafe).

  4. Enter the administrator's username and password and click Log In.
  5. (Optional) Upon the first login, change the password as prompted. Skip this step if it is not your first login.

    For security purposes, do not allow your browser to keep your passwords.

  6. (Optional) Perform two-factor authentication. If a mobile number has been associated with your account, click Obtain Verification Code and enter the received verification code. You can log in to iMaster NCE-Campus after the verification succeeds. Tenant administrators do not need to perform two-factor authentication if username and password authentication is selected when the MSP administrator creates the tenant administrators.
  7. (Optional) Sign the privacy statement and user terms.

    If the MSP administrator selects the privacy statement and user terms when creating a tenant administrator, the tenant administrator needs to sign the privacy statement and user terms when logging in to iMaster NCE-Campus for the first time.

    If a tenant administrator has signed the privacy statement or user terms, the users created by the tenant administrator also need to sign the privacy statement or user terms when logging in to iMaster NCE-Campus for the first time.

    The login will fail if the administrator does not sign the privacy statement or user terms.

  8. (Optional) Set the device administrator password and password used to access the device BootROM menu. This step is required only upon your first login.

    To ensure device security, after a device goes online at a site, the two passwords set here will automatically take effect on the device.

    If the system administrator toggles off The device BootROM password can be configured, tenant administrators cannot set the BootROM password. For details about how to disable tenant administrators from setting the BootROM password, see Configuring a BootROM Password Policy.

  9. Select a scenario view. Select a view based on your application scenario and start planning and deployment. After a view is selected, the SD-WAN scenario (GRE tunnel) tunnel mode is used by default.

    The menus and tab pages vary depending on the view. Exercise caution when selecting a scenario view and perform operations by referring to the corresponding documents. Once a scenario view is selected, you are advised not to switch to another view.

    • For the SD-WAN solution, select the WAN Interconnection view. For details, see SD-WAN Solution V100R022C00 and iMaster NCE-Campus V300R022C00 Product Documentation.
    • For the CloudCampus solution in the LAN scenario, select the Intelligent Cloud Campus view. For details, see CloudCampus Solution V100R022C00 & iMaster NCE-Campus V300R022C00 Product Documentation.
    • For the CloudCampus solution in the LAN-WAN convergence scenario, select the LAN-WAN Convergence view. For details, see CloudCampus Solution V100R022C00 & iMaster NCE-Campus V300R022C00 Product Documentation.

Setting Global Parameters

This section describes how to set global parameters for a tenant network.

You can configure the following features when the tunnel mode is set to SD-WAN scenario (GRE tunnel) on the page.

Context

Global configuration parameters related to a tenant network include:

  • Parameters for physical networks: routing domain, transport network, IPsec encryption, device activation security, link connectivity detection, intelligent traffic steering, and NTP configurations.
  • Parameters for virtual networks: routing, IP address pool, DNS, and port configurations.
  • Collection configuration: application traffic, application quality, and WAN link traffic.
Procedure
  1. Choose from the main menu.
  2. Click the WAN Global Configuration tab, click the Physical Network tab, and set global parameters for the physical network.

    1. Select the RR source.
      • Tenant RR: Select this option if a tenant requires site interconnection only on the WAN side and uses its own RR.
      • MSP RR: Select this option if a tenant requires communication between the WAN network and legacy MPLS VPN network.
    2. Configure a routing domain and determine whether to enable IPsec encryption for the routing domain. iMaster NCE-Campus enables IPsec encryption by default. The Internet and MPLS routing domains are provided by default. If these routing domains cannot meet your requirements, create other routing domains as required.

    3. Configure a transport network to define a unified transport network type for communication between sites on the entire network. iMaster NCE-Campus provides the following default transport networks: Internet, Internet1, MPLS, and MPLS1. Transport Network: defines the type of a physical WAN link of a site and is determined by the type of a WAN access network provided by carriers. In most cases, a type of network provided by a carrier is defined as a transport network. For example, the Internet of carrier A is defined as transport network Internet, and the Internet of carrier B is defined as transport network Internet1.
      • If the default transport networks cannot meet requirements, you can click Create to create a transport network as desired.
      • When the MSP RR is selected as the RR source and an MSP creates transport networks, tenants can view and use the user-defined routing domains created by the MSP in the routing domain drop-down list box.

    4. (Optional) If packets forwarded by IPsec tunnels need to be encrypted, configure an IPsec tunnel encryption algorithm. After the configuration is complete, all IPsec tunnels that are configured to encrypt packets use the same encryption algorithm. In the IPSec Encryption Parameters area, configure the authentication algorithm, encryption algorithm, life time, and IPsec SA generation mode.

      If a site has only devices other than AR5700&6700&8000 series devices, IPsec SA generation mode can be toggled on. If AR5700&6700&8000 series devices are added to the site, you need to upgrade other devices to V300R021C00 or a later version.

      Modifying IPsec encryption parameters may result in network disconnection for a short period of time.

    5. Configure email-based deployment if this function is required. In the Device Activation Security Settings area, toggle on Encryption and set URL encryption key and URL opening validity period.
      • If devices running V600R022C00 and later versions need to be deployed through emails, Encryption and Web login must be enabled.
      • The web user information configured in the global configuration takes effect only for newly deployed devices. For devices that have been deployed, choose and choose Site > Device Login Configuration > Local User to modify the web user information. For details, see Configuring Device Login.

    6. (Optional) To check the link connectivity of a site, set link connectivity detection parameters. If a tenant has AR5700&6700&8000 series devices, Detection packet sending interval should be in the range from 10 ms to 2000 ms. Otherwise, the link connectivity detection function does not take effect.

      You can set Detection packet sending interval, Number of failed detections, and Priority of detection packets as needed.

    7. (Optional) Set traffic steering parameters. You can set the following parameters: Modify period parameters, Bandwidth usage detection, Maximum bandwidth utilization (%), Symmetric forward, Same Transport Network prioritized, Coloring rule, and Smaller site ID prioritized.
      • After the Modify period parameters is toggled on, you can set intelligent traffic steering policy parameters as needed. Exercise caution when you set the global parameters for traffic steering policies because they affect the real-time route selection of the intelligent traffic steering policy. You are advised to modify these parameters when no service traffic is transmitted.
      • Bandwidth usage detection takes effect for intelligent traffic steering only in Load balance mode and does not take effect in Preference mode.
      • After Maximum bandwidth utilization (%) is set, when the service traffic of a link has occupied the maximum bandwidth, the traffic is steered in load balancing mode. This function is applicable to intelligent traffic steering in load balancing mode.
      • After Symmetric forward is enabled, the service receiving site forwards services based on the route selection result of the sending site, without proactively selecting a route. Symmetric forward is enabled by default. Tenants can disable this function. After this function is disabled, devices at both ends select routes based on route selection rules.
      • After Same Transport Network prioritized is toggled on, if two sites set up multiple tunnel connections, the tunnel with both ends in the same TN is colored as the active tunnel whereas the tunnel with both ends in different TNs is colored as the standby tunnel. Active tunnels are preferentially selected during intelligent traffic steering. This function takes effect for intelligent traffic steering only in the Preference mode and does not take effect in Load balance mode.
      • Configure Coloring rule. The active party for coloring tunnels is determined based on the following factors in the descending order of priority: TNP bandwidth > Site role > TN priority. You can modify the priorities as needed by clicking .
      • After Smaller site ID prioritized is toggled on, the active party for coloring tunnels is determined preferentially based on Coloring rule. If the active party for coloring tunnels cannot be determined after all rules are applied, the site with a smaller site ID colors tunnels.

    8. (Optional) Configure NTP. Set global NTP parameters, including Time zone, NTP Server IP Address, and NTP authentication. If Config Default NTP is enabled globally, all sites use the globally configured time zone. By default, Config Default NTP is disabled.

    9. Click OK.

  3. Click the Virtual Network tab, and set global parameters related to virtual networks.

    1. Set BGP parameters. Set AS number, Community pool, and IPv4 Dual-Gateway Interconnection Protocol as needed. These parameters are mandatory.
      • If the MSP RR is selected as the RR source, the AS number of the tenant must be the same as that of the MSP.
      • If IPv4 Dual-Gateway Interconnection Protocol is set to IBGP, a community attribute pool must be configured. If the community attribute pool is empty, IPv4 Dual-Gateway Interconnection Protocol cannot be modified after ZTP is completed at the site. When configuring a community attribute pool, enter a value in the community attribute pool text box and click , so that the specified value can take effect. If site-to-Internet and site-to-site access functions have been configured for a dual-gateway site before a controller upgrade, related policies will not be re-orchestrated and delivered to the gateways after the controller is upgraded. Therefore, in the upgrade scenario, you need to delete these policies and re-configure the two functions after the upgrade.
      • If Routing policy delay configuration is enabled, you need to set Routing policy delay to a value in the range from 1 to 180.

    2. Configure an IP address pool. The network segment of an address pool varies according to the network scale. When configuring an IP address pool, enter a value in the IP address pool text box and click , so that the specified value can take effect.
      • The network segments where device IP addresses in an iMaster NCE-Campus cluster are located cannot be included in an address pool. Otherwise, databases may be unavailable, affecting normal running of devices.
      • Even if an IPv6 network is deployed, the IPv4 address pool cannot be empty.

      IPv4 and IPv6 address pools can be configured. An IPv4 address pool can be configured either in simple mode or advanced mode.

      Configuring an IPv4 address pool in simple mode

      Configuring an IPv4 address pool in advanced mode

      (Optional) Configure an IPv6 address pool.

    3. (Optional) Configure a DNS server group and DNS server IP addresses.

      In the DNS area, set DNS Server Group Name and DNS server IP Address.

    4. (Optional) Set port numbers as needed. Toggle on Custom Port Configuration, set DTLS Server Port and STUN Server Port, toggle on Connection Source Port, and set Scanning Start Port, Scanning Times, and Scanning Increment.
      • If the port checked by the DTLS server has been configured on devices, before modifying this port number, you need to delete rdb files from the devices and restart them. In this case, the modified port number can take effect on the devices. In a scenario where a device has been deployed in RDB mode, after changing the port checked by the DTLS server, you need to restore the device to its factory defaults and deploy the device again.
      • After the port checked by the DTLS server is changed, the change does not take effect immediately for non-V600 devices at RR sites. As a result, services are interrupted.
      • When changing the port checked by the DTLS server, ensure that the new port number has not been used on devices. You can check the current port checked by the DTLS server in the diagnostic view of a device.
        For AR600&6100&6200&6300&SRG series devices, run the following command:
        display dtls server status

        For AR5700&6700&8000 series devices, run the following command:

        display dtls server
      • The modified Connection Source Port setting takes effect only at newly activated sites and does not take effect at sites that have been activated.

    5. Click OK.

  4. (Optional) Click the Collection Configuration tab and set global parameters for statistics collection.

    1. Decide whether to enable the functions of collecting application traffic, application quality, and WAN link traffic statistics.

    2. Click OK.

Parameter Description
Table 2-55 Parameters on the WAN Global Configuration page

Parameter

Description

Data Plan in Advance

Physical Network

Select the RR source.

  • Tenant RR: Select this option if a tenant requires site interconnection only on the WAN side and uses its own RR. The tenant RR is deployed at an edge site.
  • MSP RR: Select this option if a tenant requires communication between the WAN network and legacy MPLS VPN network. The MSP RR is deployed at an independent RR site.

Y

Routing Domain

Routing Domain

A routing domain defines whether routes between different transport networks are reachable. Physical links of different transport networks that belong to the same routing domain are reachable to each other. Generally, if the transport networks that are of the same type and are provided by different carriers can communicate with each other, they are defined in the same routing domain. For example, the Internet of carrier A and that of carrier B can be defined in the same routing domain.

iMaster NCE-Campus provides the following types of routing domains by default:

  • MPLS: MPLS leased line, which carries normal services of users in wired mode.
  • Internet: public Internet, which carries normal services of users in wired mode.

If the default types of routing domains cannot meet requirements, set a routing domain according to actual situations.

Y

IPSec Encryption

Whether to enable IPsec encryption for the current routing domain. The options are as follows:

  • OFF: indicates that IPsec encryption is disabled. In this case, the firewall must permit IP protocol 47 (GRE) for all devices.
  • ON: indicates that IPsec encryption is enabled. In this case, the encryption algorithm and password set in IPSec Encryption Parameters are used for encryption.
    NOTE:

    IPsec encryption must be enabled in the NAT traversal scenario.

Y

Transport Network

Type of the transport network to which a WAN-side physical link belongs. This parameter describes the transport networks with the same link quality attributes. It is used to identify networks of the same type provided by an ISP.

A transport network defines the physical network between a site and the WAN. The following lists the data to be planned for each transport network. The defined transport network name can be directly referenced when physical links are specified for site WAN links and policies.

  • Transport Network: defines the type of a physical WAN link of a site and is determined by the type of a WAN access network provided by carriers. Generally, a type of network provided by a carrier is defined as a transport network. For example, the Internet of carrier A is defined as a transport network, and the Internet of carrier B is defined as another transport network.
  • Routing Domain: specifies the routing domain to which the transport network belongs.
  • Priority: specifies the priority of the transport network. It is used as a metric for tunnel coloring in intelligent traffic steering.

By default, the system provides the following transport networks: Internet, Internet1, MPLS, and MPLS1. The Internet transport networks belong to the Internet routing domain, and the MPLS transport networks belong to the MPLS routing domain. If the MSP RR is selected, the transport networks defined by the MSP are automatically displayed for selection. If the preset transport networks do not meet your requirements, you can create a transport network as needed.

-

IPSec Encryption Parameters

Protocol

Security protocol. The default value is ESP.

Y

Authentication algorithm

Authentication algorithm. Both SHA2-256 and SM3 are supported. SHA2-256 is used by default.

Y

Encryption algorithm

Encryption mode of a link. AES128, AES256, and SM4 are supported. When the authentication algorithm is set to SM3, the encryption algorithm can only be SM4.

If the authentication algorithm is set to SHA2-256, you are advised to select the AES256 encryption algorithm, because its 256-bit key provides a higher security level than the 128-bit key of AES128.

Y

Life time

Global IPsec SA lifetime.

A security association (SA) defines the encryption algorithm, digest, and keys for secure data transmission between IPsec peers. You can configure the IPsec SA lifetime to update the SA in real time. This reduces the risk of SA cracking and enhances security.

Y

IPSec SA generation mode

Whether to enable the IPsec SA generation mode. By default, the mode is disabled.

Y

DH group

Diffie-Hellman (DH) public key algorithm. It is used to dynamically negotiate encryption keys between two sites to prevent traffic monitoring between tenants in the same RR in multi-tenant scenarios.

After IPSec SA generation mode is toggled on, you can select a DH group. Currently, DH group can be set only to GROUP19, GROUP20, or GROUP21. The DH group security levels are as follows: GROUP21 > GROUP20 > GROUP19.

-

Device Activation Security Settings

Encryption

Whether to encrypt the URL for email-based deployment. You are advised to enable this function. This function must be enabled if email-based deployment needs to be used for deploying AR5700&6700&8000 series devices.

Y

URL encryption key

Key for encrypting the URL in a deployment email. Email-based deployment will be successful only after you click the URL in the received email on your PC and enter this key. After configuring the key, keep it secure to prevent email-based deployment from being affected.

Y

URL opening validity period

Validity period for a device to register its ESN with iMaster NCE-Campus. The timer starts once a deployment email is sent.

If the device ESN is not obtained, the device is added to iMaster NCE-Campus based on the device model. After a site is created and a deployment email is sent, the device checks whether the URL is valid. If so, the device registers its ESN with iMaster NCE-Campus.

Y

Web login

Whether the URL for email-based deployment carries web user information.

NOTE:
  • If devices running V600R022C00 and later versions need to be deployed through emails, Encryption and Web login must be enabled.
  • The web user information configured in the global configuration takes effect only for newly deployed devices. For devices that have been deployed, choose and choose Site > Device Login Configuration > Local User to modify the web user information. For details, see Configuring Device Login.

-

Username

Web username. A username must contain at least six characters.

Y

Password

Password of the web user. The password must meet the following requirements:

  • Must contain at least eight characters, and can contain digits, uppercase letters, lowercase letters, and special characters.
  • Cannot be the same as the username or the reverse of the username.
  • Cannot be the same as any of the most recent 10 passwords.

Y
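The Username and Password rows above list the checks the web user credentials must pass. The following Python block is an added example and not part of iMaster NCE-Campus: it applies exactly those rules (username of at least six characters; password of at least eight characters, not equal to the username or its reverse, and not among the most recent ten passwords). How the history is stored is this example's own choice (salted PBKDF2-SHA256 digests rather than plaintext), and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Rule set copied from the Username and Password rows of the parameter table.
MIN_USERNAME_LEN = 6
MIN_PASSWORD_LEN = 8
HISTORY_DEPTH = 10          # "any of the most recent 10 passwords"
PBKDF2_ROUNDS = 20_000      # assumption: how this example stores history entries


def check_username(username: str) -> list[str]:
    """Return the rule violations for a web username (empty list = acceptable)."""
    problems = []
    if len(username) < MIN_USERNAME_LEN:
        problems.append(f"username must contain at least {MIN_USERNAME_LEN} characters")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(history: list, password: str) -> None:
    """Append a salted digest of an accepted password and keep only the last 10 entries."""
    salt = os.urandom(16)
    history.append((salt, _derive(password, salt)))
    del history[:-HISTORY_DEPTH]


def in_history(history: list, password: str) -> bool:
    """True if the candidate matches any stored recent password (constant-time compare)."""
    return any(hmac.compare_digest(_derive(password, salt), digest)
               for salt, digest in history)


def check_password(username: str, password: str, history: list) -> list[str]:
    """Return the rule violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"password must contain at least {MIN_PASSWORD_LEN} characters")
    if password == username or password == username[::-1]:
        problems.append("password must not equal the username or its reverse")
    if in_history(history, password):
        problems.append(f"password must differ from the most recent {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed demonstration: rotate 11 passwords, then try to reuse the oldest.
    history = []
    for n in range(11):
        remember(history, f"Rotated#{n:02d}pw")
    print(check_password("nce-web-admin", "Rotated#00pw", history))   # oldest has rotated out
    print(check_password("nce-web-admin", "Rotated#10pw", history))   # still in the last 10
```

The page says the password "can contain" digits, letters and special characters without stating a minimum number of character classes, so the checker deliberately adds no such requirement.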

Link Failure Detection Parameter Configuration

Modify detection parameters

Gateways at WAN sites of the same tenant periodically send Keepalive packets to detect link connectivity.

If this function is disabled, a device sends Keepalive packets at the default interval. If the number of detection failures exceeds the default value, the link is considered faulty. If this function is enabled, you can define the interval for sending Keepalive packets and the maximum number of detection failures permitted.

-

Detection packet sending interval

Interval at which the master device of an overlay tunnel sends Keepalive packets. The value ranges from 10 to 10000 ms for AR600&6100&6200&6300&SRG series and AR1000V devices and from 10 to 2000 ms for AR5700&6700&8000 series devices. The value must be an integer multiple of 10. The default interval is 1000 ms.

NOTICE:

When the interval for sending keepalive packets is changed, the change may not take effect on all devices on the network at the same time. As a result, service flapping may occur within a short period of time. In addition, the change will affect the number of established EVPN connections, which may interrupt services if the number of EVPN connections cannot meet the network scale requirements. In normal cases, the default value is used.

Mappings Between Keepalive Packet Sending Interval and Device EVPN Connection Specifications describes the mappings between the device EVPN connection specifications and the interval for sending Keepalive packets. Before changing this setting, ensure that the EVPN connection specifications of all devices meet the requirements of the live network. The rules for establishing EVPN connections between sites on the live network are as follows:

  1. An EVPN connection is established between every two ports that belong to the same routing domain but different sites.
  2. An EVPN connection cannot be established between two ports that are not in the same routing domain.
  3. The number of EVPN connections on a device at a dual-gateway site is the total number of device connections at the site.

For example, if the default number of EVPN connections is 1000 and the required number of EVPN connections on a device is 512, ensure that the number of EVPN connections on the device is greater than or equal to 512 after the interval for sending probe packets is changed.

For a hub-spoke network, pay attention to the EVPN connection specifications of the hub site. On a full-mesh network, pay attention to the EVPN connection specifications of all sites.

Y
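The interval ranges and the three EVPN connection rules above are what a planner has to check before changing the Keepalive interval. The Python block below is an added example, not controller or device code: it validates a Detection packet sending interval against the per-series ranges given in the table (global per tenant, so every series present must accept it) and counts EVPN connections per site for a full-mesh or hub-spoke network from rules 1 to 3. The series labels and the site topology are constructed for the example.

```python
from itertools import combinations

# Per-series range for Detection packet sending interval (ms), from the table.
INTERVAL_RANGE_MS = {
    "AR600&6100&6200&6300&SRG": (10, 10000),
    "AR1000V": (10, 10000),
    "AR5700&6700&8000": (10, 2000),
}
DEFAULT_INTERVAL_MS = 1000


def interval_ok(interval_ms: int, series: str) -> bool:
    """The interval must lie in the series' range and be an integer multiple of 10."""
    lo, hi = INTERVAL_RANGE_MS[series]
    return lo <= interval_ms <= hi and interval_ms % 10 == 0


def tenant_interval_ok(interval_ms: int, series_in_use) -> bool:
    """The setting is global for the tenant, so it must suit every series on the network."""
    return all(interval_ok(interval_ms, s) for s in series_in_use)


def pair_connections(ports_a, ports_b) -> int:
    """Rules 1 and 2: one EVPN connection per port pair in the same routing domain,
    none between ports in different routing domains."""
    return sum(1 for rd_a in ports_a for rd_b in ports_b if rd_a == rd_b)


def evpn_connections(sites: dict, topology: str, hubs=()) -> dict:
    """Per-site EVPN connection totals.

    Rule 3: at a dual-gateway site each device carries the whole site total,
    so the per-site figure is also the per-device figure to check against the spec."""
    totals = {name: 0 for name in sites}
    for a, b in combinations(sites, 2):
        if topology == "hub-spoke" and a not in hubs and b not in hubs:
            continue  # spokes peer only with hubs
        n = pair_connections(sites[a], sites[b])
        totals[a] += n
        totals[b] += n
    return totals


def fits_spec(totals: dict, spec_per_device: int) -> bool:
    """True when the busiest device stays within the EVPN connection specification."""
    return max(totals.values()) <= spec_per_device


# Constructed topology: routing domain of each WAN port at each site.
SAMPLE_SITES = {
    "hub":    ["Internet", "MPLS"],
    "spoke1": ["Internet", "MPLS"],
    "spoke2": ["Internet", "MPLS"],
    "spoke3": ["Internet", "MPLS"],
    "spoke4": ["Internet"],
}

if __name__ == "__main__":
    print(tenant_interval_ok(5000, ["AR1000V", "AR5700&6700&8000"]))
    print(evpn_connections(SAMPLE_SITES, "hub-spoke", hubs=("hub",)))
    print(evpn_connections(SAMPLE_SITES, "full-mesh"))
```

As the table notes, on a hub-spoke network the hub total is the figure that matters, while on a full-mesh network every site's total must be compared with its device's specification for the new interval.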

Number of failed detections

After sending a Keepalive packet, the master device checks at each interval whether it has received a Keepalive packet from the slave device. If no Keepalive packet arrives from the slave device for this number of consecutive intervals, the master device considers the overlay tunnel faulty and sets its status to Down. This is the number of detection failures permitted before an AR automatically switches the link. The value ranges from 3 to 10.

If Modify detection parameters is disabled, the default value of this parameter is 6.

Y

Priority of detection packets

Priority in the IP header of a Keepalive packet. A numerically higher value indicates a higher priority.

Y

Traffic Steering Policy Configuration

Modify period parameters

Whether to customize parameters in intelligent traffic steering policies.

Exercise caution when you set the global parameters for traffic steering policies because they affect the real-time route selection of the intelligent traffic steering policy. You are advised to modify these parameters when no service traffic is transmitted.

-

Switching period

If the quality of a link cannot meet requirements of a certain service or the bandwidth usage exceeds the threshold, the CPE starts the link switching timer. When the timer times out, the service traffic is switched to another link. The default value of the switching period is 5 seconds.

Y

Statistics period

Interval for checking link quality. The value of this parameter ranges from 1 to 3600 and must be less than or equal to the value of Switching period.

-

Flapping suppression

Unstable network link quality may result in frequent link switchovers at the sites where an intelligent traffic steering policy is applied. To prevent this situation, the system requires that services be transmitted on a new link for at least one flapping suppression period before the services are switched back from the new link to the original link. The value range is from 2 to 131070, and the default value is 30 seconds. The value must be at least twice the switching period.

Y

Enhanced flapping suppression

After this function is enabled, service traffic is switched back only when the link quality meets the switchback requirements in every measurement period before the flapping suppression period ends. This reduces network flapping caused by frequent switchovers. This function is disabled by default. V300 series devices support this function since V300R022C00SPC100. V600 series devices do not support this function.

Assume that in the global traffic steering configuration, the flapping suppression period is set to 30s, and both the measurement period and switchover period are set to 5s. Take a site with an Internet link and an MPLS link as an example. When the quality of the site's Internet link deteriorates and fails to meet requirements, service traffic is switched to the MPLS link. After the switchover, iMaster NCE-Campus calculates the Internet link's quality at an interval of 5s (measurement period) until the flapping suppression period ends.

With enhanced flapping suppression disabled, as long as the Internet link's quality calculated in the last measurement period meets requirements, service traffic is switched back to the Internet link.

With enhanced flapping suppression enabled, only if the Internet link's quality calculated in all the six measurement periods before the flapping suppression period ends meets requirements, service traffic is switched back to the Internet link.

NOTE:

To make enhanced flapping suppression take effect, in addition to enabling this function here, you need to set Switchover mode to Pre-emptive in an intelligent traffic steering policy on the Overlay tab page under .

-
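The Switching period, Statistics period, Flapping suppression and Enhanced flapping suppression rows describe both the constraints between the three periods and the switchback decision at the end of the suppression period. The Python block below is an added example, not iMaster NCE-Campus code: it validates the periods against the ranges and relationships stated in the table and then decides whether traffic switches back from the MPLS link to the Internet link in the 30s/5s scenario above, with and without enhanced flapping suppression. The per-period quality results are constructed.

```python
# Ranges and relationships from the Switching period, Statistics period and
# Flapping suppression rows of the parameter table.
def validate_periods(switching_s: int, statistics_s: int, flapping_s: int) -> list[str]:
    """Return the constraint violations among the three periods (empty = consistent)."""
    problems = []
    if not 1 <= statistics_s <= 3600:
        problems.append("statistics period must be 1-3600 s")
    if statistics_s > switching_s:
        problems.append("statistics period must not exceed the switching period")
    if not 2 <= flapping_s <= 131070:
        problems.append("flapping suppression must be 2-131070 s")
    if flapping_s < 2 * switching_s:
        problems.append("flapping suppression must be at least twice the switching period")
    return problems


def switch_back(quality_ok: list, flapping_s: int, statistics_s: int, enhanced: bool) -> bool:
    """Decide whether traffic returns to the original link when the suppression period ends.

    quality_ok holds one result per measurement period after the switchover:
    True when the original link met the service's quality requirements in that period."""
    periods = flapping_s // statistics_s          # 30 s / 5 s = 6 measurement periods
    if len(quality_ok) < periods:
        return False                              # suppression period has not elapsed yet
    window = quality_ok[:periods]
    if enhanced:
        return all(window)                        # every period must meet requirements
    return window[-1]                             # only the last period counts


# Constructed measurements of the Internet link after traffic moved to MPLS:
# it recovers in the final two periods but flapped before that.
SAMPLE_QUALITY = [False, False, True, False, True, True]

if __name__ == "__main__":
    print(validate_periods(5, 5, 30))
    print(switch_back(SAMPLE_QUALITY, 30, 5, enhanced=False))   # switches back
    print(switch_back(SAMPLE_QUALITY, 30, 5, enhanced=True))    # stays on MPLS
```

With the constructed series, the unenhanced check accepts the link because the last of the six periods passed, while the enhanced check rejects it because periods one, two and four failed; this is the flapping the feature is meant to suppress.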

Bandwidth usage detection

Whether to detect bandwidth utilization of links.

For AR5700&6700&8000 series devices, this function is enabled by default. Enabling or disabling this function does not take effect on these devices.

For AR600&6100&6200&6300&SRG series devices running V300R021C10 and later versions, Maximum bandwidth utilization (%) does not take effect after this function is disabled. AR600&6100&6200&6300&SRG series devices running a version earlier than V300R021C10 do not support this function.

This function takes effect when the Load balance mode is configured for intelligent traffic steering, and does not take effect in the Preference mode.

Y

Maximum bandwidth utilization (%)

This parameter applies to intelligent traffic steering in load balancing mode. When the service traffic of a link has occupied the maximum bandwidth, the traffic is steered in load balancing mode. You can set the maximum bandwidth usage as required. By default, the maximum bandwidth usage is 95%. The value ranges from 50% to 100%. V600 devices support this function since V600R22C00.

Y

Symmetric forward

To prevent link congestion in the inbound direction and ensure a single path for incoming and outgoing traffic, intelligent traffic steering supports symmetric routing. The service receiving site forwards services based on the route selection result of the sending site, without proactively selecting a route. Symmetric routing is enabled by default. Tenants can disable symmetric routing. After symmetric routing is disabled, devices at both ends select paths based on traffic steering rules.

This function determines whether the forward and return traffic is forwarded along the same path.

  • Symmetric routing: A packet traverses from a source to a destination in one path and takes the same path when it returns to the source. The master or slave role of a site is determined based on the global network configuration on iMaster NCE-Campus. The slave site follows the route selection result of the master site to ensure that the same service flow is forwarded and returned along the same path.
  • Asymmetric routing: Two communicating sites independently select a forwarding path. In this case, the transmit and receive paths of the same service flow between two sites are different. For example, in the load balancing scenario, the MPLS link in the direction from site1 to site2 is not congested for application A. As such, traffic of application A is forwarded over this MPLS link from site1 to site2. However, when the MPLS link is congested in the direction from site2 to site1 and the Internet link is not congested, the Internet link is selected to transmit traffic of application A from site2 to site1.
    NOTE:
    • When branch sites and IWGs are interconnected and branch sites are selected as the master for route selection, the symmetric routing function does not take effect.
    • Devices running V600 do not support symmetric routing.

Y

Same Transport Network prioritized

If two sites set up multiple tunnel connections, the tunnel connection with both ends in the same TN is colored as the active one whereas the tunnel connection with both ends in different TNs is colored as the standby one. Active tunnel connections are preferentially selected for intelligent traffic steering.

If Same Transport Network prioritized is toggled off, tunnel connections are selected for traffic steering as follows in the descending order of priority: active tunnel connection with a high priority > standby tunnel connection with a high priority > active tunnel connection with a low priority > standby tunnel connection with a low priority.

If Same Transport Network prioritized is toggled on, tunnel connections are selected for traffic steering as follows in the descending order of priority: active tunnel connection with a high priority > active tunnel connection with a low priority > standby tunnel connection with a high priority > standby tunnel connection with a low priority.

By default, Same Transport Network prioritized is toggled off. This function takes effect only in Preference mode and does not take effect in Load balance mode.

Figure 2-9 shows an example. TN1 (blue-colored) has a higher priority than TN2 (red-colored) and the hub site determines tunnel colors. If Same Transport Network prioritized is toggled off, tunnel connections are selected for traffic steering as follows in the descending order of priority: blue-colored active tunnel connection > blue-colored standby tunnel connection > red-colored active tunnel connection > red-colored standby tunnel connection. If Same Transport Network prioritized is toggled on, the tunnel connections are selected for traffic steering as follows in the descending order of priority: blue-colored active tunnel connection > red-colored active tunnel connection > blue-colored standby tunnel connection > red-colored standby tunnel connection.

Figure 2-9 Tunnel connection coloring

-
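The two selection orders described for Same Transport Network prioritized are easier to verify in code. The Python block below is an added example, not the controller's algorithm: it colours each tunnel connection from the TNs at its two ends (same TN active, different TNs standby) and ranks the connections for the toggle off (priority first) and on (colour first), reproducing the blue/red case of Figure 2-9. Two assumptions are made that the page does not spell out: a numerically larger TN priority value counts as the higher priority, and a tunnel's priority is taken from the TN on the hub side, since the hub colours the tunnels in the figure.

```python
from dataclasses import dataclass

# Assumption: a numerically larger TN priority value is the higher priority.
TN_PRIORITY = {"TN1": 2, "TN2": 1}     # TN1 = blue, TN2 = red in Figure 2-9


@dataclass(frozen=True)
class Tunnel:
    name: str
    hub_tn: str      # TN of the hub-side TNP (the hub colours tunnels in the figure)
    spoke_tn: str    # TN of the spoke-side TNP


def colour(t: Tunnel) -> str:
    """Same TN at both ends -> active; different TNs -> standby."""
    return "active" if t.hub_tn == t.spoke_tn else "standby"


def rank(tunnels, same_tn_prioritized: bool) -> list:
    """Order tunnel connections as the table describes for the toggle off and on."""
    def key(t: Tunnel):
        standby = colour(t) == "standby"
        # assumption: the colouring site's TN supplies the tunnel's priority
        low_priority = -TN_PRIORITY[t.hub_tn]
        if same_tn_prioritized:
            return (standby, low_priority)   # active before standby, then by priority
        return (low_priority, standby)       # by priority, then active before standby
    return [t.name for t in sorted(tunnels, key=key)]


# Constructed data for the Figure 2-9 scenario.
FIGURE_2_9 = [
    Tunnel("blue-active",  "TN1", "TN1"),
    Tunnel("blue-standby", "TN1", "TN2"),
    Tunnel("red-active",   "TN2", "TN2"),
    Tunnel("red-standby",  "TN2", "TN1"),
]

if __name__ == "__main__":
    print(rank(FIGURE_2_9, same_tn_prioritized=False))
    print(rank(FIGURE_2_9, same_tn_prioritized=True))
```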

Coloring rule

Tunnel connection colors are determined by the TNP bandwidth, site role, and TN priority.
  • TNP bandwidth: Tunnel connections can be colored based on the TNP bandwidth. You can configure tunnel connections with larger or smaller TNP bandwidths to be preferentially colored as active. The bandwidth here refers to the TNP outbound bandwidth.
  • Site role: Tunnel connections can be colored preferentially by hub or spoke sites. AR5700&6700&8000 series devices do not support the function of coloring tunnel connections preferentially by spoke sites.
  • TN priority: Tunnel connections can be colored based on the TN priority. You can configure the site with a larger TN priority value to preferentially color tunnel connections.

By default, tunnel connections are colored based on the following attributes in the descending order of priority: TNP bandwidth > site role > TN priority. You can modify the priorities by clicking .

Y

Smaller site ID prioritized

By default, this function is enabled, that is, the site with a smaller site ID colors tunnel connections for traffic steering.

When this function is disabled, the site with a larger site ID colors tunnel connections.

As shown in the following figure, the hub site has only one uplink and the spoke site has two uplinks, and the hub site determines tunnel connection colors by default. In this situation, the hub site colors the tunnel connections set up with the spoke site in the same color and thereby the tunnel connections have the same priority. As such, the spoke site cannot forward traffic of different applications through different links. To implement traffic steering in this scenario, you are advised to toggle off Smaller site ID prioritized to configure the spoke site to color tunnel connections, so that the tunnel connections can be colored differently.

Figure 2-10 Tunnel connection coloring by different sites

NOTE:

You can configure coloring rules as follows:

  1. If multiple TNs are available between sites, configure tunnel coloring based on the following three attributes whose priorities can be set as needed:
    • TNP bandwidth: Tunnel connections can be colored based on the TNP bandwidth. You can configure tunnel connections with larger or smaller TNP bandwidths to be preferentially colored as active. The bandwidth here refers to the TNP outbound bandwidth.
    • Site role: Tunnel connections can be colored preferentially by hub or spoke sites. AR5700&6700&8000 series devices do not support the function of coloring tunnel connections preferentially by spoke sites.
    • TN priority: Tunnel connections can be colored based on the TN priority. You can configure the site with a larger TN priority value to preferentially color tunnel connections.
  2. If the preceding attributes are the same, the site ID determines the site to color tunnels. By default, the site with a smaller site ID colors tunnels.

-

NTP

Time zone

Time zone of devices at a site. If DST is observed in the time zone, you can choose whether to apply DST rules to the time zone. You can select a DST rule in either of the following ways: Use the DST rule preset on the system for each time zone, or configure a DST rule by specifying the DST offset, start time, and end time.

Y

NTP client mode

  • Manual Configuration: The current site functions as an NTP client and an NTP server needs to be manually specified. You can configure the RR as a client to synchronize its clock with the NTP server on the public network.
  • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.

Y

NTP server IP address

IP address of the NTP server.

Y

NTP authentication

This parameter is optional and specifies whether to enable NTP authentication when the gateway at a site functions as an NTP server. If NTP authentication is enabled, you need to set an authentication password and an authentication key ID. When the gateway at a site functions as an NTP client, its authentication password and key ID must match those configured on the NTP server it synchronizes with (the parent site). Otherwise, authentication fails and the clock is not synchronized.

Y

Authentication mode

Authentication mode, which can be MD5 or HMAC-SHA256. The mode selected must match the mode enabled on the NTP server. MD5 is a cryptographically weak digest and may pose security risks, so HMAC-SHA256 is recommended.

Y

Authentication password

Password used for NTP identity authentication.

Y

Authentication key ID

Key ID for NTP authentication, which must be a number other than 0. This is the key ID the site uses in its NTP server role; it is independent of the key ID of the upstream NTP server. When the site also functions as an NTP client, the key ID it uses as a client must be different from the key ID configured for its server role, and must match the key ID configured on the NTP server it synchronizes with.

Y
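The NTP authentication parameters above (enable switch, mode, password, key ID) only work when both ends agree on all three values. The following added example, which is not iMaster NCE-Campus or device code, models the RFC 5905 symmetric-key exchange: the client appends its key ID and a MAC to the 48-byte NTP header, and the server looks the key ID up in its own key table and recomputes the MAC. It assumes the MD5 mode is the RFC 5905 Appendix A keyed digest MD5(key || header) and that the HMAC-SHA256 mode is a standard HMAC over the header; the exact on-wire digest used by the devices is not specified on this page. Function names, the key table and the timestamp are constructed for illustration.

```python
"""Model of NTP symmetric-key authentication between a client and a server
(added example; not iMaster NCE-Campus or device code).

Assumptions: MD5 mode = RFC 5905 Appendix A keyed digest MD5(key || header);
HMAC-SHA256 mode = standard HMAC over the 48-byte header.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def build_client_header(tx_unix_time: float) -> bytes:
    """48-byte NTPv4 header: LI=0, VN=4, Mode=3 (client); only the transmit
    timestamp is populated, as in a plain client request."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # 0x23
    secs = int(tx_unix_time) + NTP_UNIX_OFFSET
    frac = int((tx_unix_time - int(tx_unix_time)) * (1 << 32)) & 0xFFFFFFFF
    # stratum, poll, precision, root delay, root dispersion, reference ID and
    # the reference/origin/receive timestamps are zero in a client request
    return struct.pack("!BBBb", li_vn_mode, 0, 0, 0) + bytes(36) + struct.pack("!II", secs, frac)


def compute_mac(mode: str, key: bytes, header: bytes) -> bytes:
    if mode == "md5":
        return hashlib.md5(key + header).digest()  # 16 bytes, RFC 5905 Appendix A
    if mode == "hmac-sha256":
        return hmac.new(key, header, hashlib.sha256).digest()  # 32 bytes (assumption)
    raise ValueError(f"unsupported authentication mode: {mode}")


def sign_request(header: bytes, key_id: int, mode: str, key: bytes) -> bytes:
    """Append the 4-byte key ID and the MAC; key ID 0 is reserved and not allowed."""
    if not 1 <= key_id <= 0xFFFFFFFF:
        raise ValueError("key ID must be a non-zero 32-bit number")
    return header + struct.pack("!I", key_id) + compute_mac(mode, key, header)


def verify_request(packet: bytes, server_keys: dict) -> tuple:
    """Server side: look up the key ID carried in the packet in the server's
    own key table {key_id: (mode, key)} and recompute the MAC. Returns (ok, reason)."""
    if len(packet) < NTP_HEADER_LEN + 4 + 16:
        return False, "no MAC present: unauthenticated request rejected"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    received = packet[NTP_HEADER_LEN + 4:]
    if key_id not in server_keys:
        return False, f"key ID {key_id} not configured on server"
    mode, key = server_keys[key_id]
    expected = compute_mac(mode, key, header)
    # compare_digest returns False for differing lengths too, which is what
    # happens when client and server use different authentication modes
    if not hmac.compare_digest(expected, received):
        return False, "MAC mismatch: password or authentication mode differs"
    return True, "authenticated"


def demo() -> dict:
    """Parent-site gateway acting as NTP server with one HMAC-SHA256 key (constructed)."""
    server_keys = {7: ("hmac-sha256", b"S3cure-ntp-passw0rd")}
    header = build_client_header(1_700_000_000.25)  # constructed timestamp
    cases = {
        "matching id, password and mode": sign_request(header, 7, "hmac-sha256", b"S3cure-ntp-passw0rd"),
        "key id differs": sign_request(header, 8, "hmac-sha256", b"S3cure-ntp-passw0rd"),
        "password differs": sign_request(header, 7, "hmac-sha256", b"wrong-password"),
        "mode differs (md5)": sign_request(header, 7, "md5", b"S3cure-ntp-passw0rd"),
        "no authentication": header,
    }
    return {name: verify_request(pkt, server_keys) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

Only the first case authenticates; a wrong key ID, a wrong password, a mode mismatch (the digest lengths differ, 16 versus 32 bytes) and an unauthenticated request are all rejected, which is the failure behaviour the parameter descriptions above refer to.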

Virtual Network

Routing

AS number

Local AS number. Sites deployed under the same tenant account on iMaster NCE-Campus belong to the same AS.

The default value is 65001 and does not need to be changed in most cases. Change it only if the default conflicts with an AS number already planned for an existing device on the network.

Y

Routing protocol

Only BGP is supported.

Y

Community pool

This is a resource management pool. You can configure a community pool to assign BGP community attribute values to services.

Currently, the community pool is mainly used in the following configurations: IBGP on the WAN, RR management, Internet access, mutual access, and area management. If one community pool is insufficient, up to 10 community attribute pools can be added. A community pool that is already in use cannot be updated or deleted; unused community pools can be deleted.

When the RR source is set to MSP RR, all community attributes are allocated from the community attribute pool configured by the MSP.

Y

IPv4 Dual-Gateway Interconnection Protocol

Protocol used to connect dual gateways. In the dual-gateway scenario, you can configure a routing protocol (OSPF or IBGP) for exchanging routing information between the two gateways. iMaster NCE-Campus automatically orchestrates route configurations based on the selected routing protocol and delivers the configurations to CPEs.

Figure 2-11 Dual-gateway networking
NOTE:
  • Changing the dual-gateway interconnection protocol does not affect existing sites under the tenant, and applies only to newly created sites.
  • This configuration takes effect on devices when the sites where they belong are added to VPNs. Once a site is added to a VPN, iMaster NCE-Campus delivers the dual-gateway interconnection protocol specified in the global configuration to devices at the site. Changing this configuration does not affect sites that have been added to VPNs.

Y

Routing policy delay configuration

Whether to make routing policies take effect after a specified delay. Devices running V300R021C10 and later versions support this function. AR5700&6700&8000 series devices do not support this function.

A network often has multiple routing policies that work together. By default, a change to a single routing policy takes effect immediately, while the other related policies are still being modified. Routes may then flap, making the network unstable. To prevent this, you can configure a delay after which a modified routing policy takes effect.

Y

Routing policy delay

Delay after which routing policies take effect. The value ranges from 1 to 180, in seconds.

Y

IP Pool

IPv4 pool

When iMaster NCE-Campus automatically orchestrates services such as overlay tunnels, overlay WAN routes, and site Internet access, IP addresses need to be allocated. Plan address pools based on the network scale. The number of required addresses increases with the number of sites; for the mapping between the number of sites and the recommended mask length, see Table 2-56.

The addresses to be configured include tunnel interface addresses, interworking tunnel addresses, CPE addresses, and interface addresses of an interlink between dual gateways.

After you set reserved IP addresses, iMaster NCE-Campus automatically assigns an IP address according to the following rules:

One or more IP address pools can be configured and the IP addresses in these address pools are automatically divided into multiple address segments, which are used by the following interfaces:

  • Loopback interfaces of CPEs
  • Interfaces of interworking tunnels
  • Interfaces of interlinks
  • EVPN tunnel interfaces

You can select Simple mode or Advanced mode for an address pool. If Simple mode is selected, all addresses are assigned from the same address pool. If Advanced mode is selected, addresses are assigned from three separate pools: IP pool, Interworking Tunnel, and Interlink.

For a network as shown in the following figure, in advanced mode, IP addresses in IP pool are assigned to loopback interfaces and EVPN tunnel interfaces on CPEs; IP addresses in Interworking Tunnel are assigned to interfaces at both ends of a tunnel connecting underlay and overlay domains on a single device; IP addresses in Interlink are assigned to interfaces at both ends of an interlink connecting dual gateways.

Determine the mask length of an address pool based on the site quantity. The mask length determines the number of addresses in the address pool.

Y

IPv6 pool

IPv6 address pool. If IPv6 is required on CPEs, interworking tunnels, and interlinks, you need to configure an IPv6 address pool.

  • Interworking address pool: allocates unique IPv6 addresses to interfaces of interworking tunnels. Addresses in this pool must be within FD00::/8 (the locally assigned unique local address range).
  • Interlink address pool: allocates IPv6 addresses to interfaces of interlinks connecting dual gateways. Addresses in this pool must also be within FD00::/8.
  • Link-local address pool: allocates link-local addresses to CPEs. Addresses in this pool must be within FE80::/10. After an interface obtains a link-local address, it can perform neighbor discovery and automatically configure a global unicast address or a unique local address.

Y

DNS

DNS Server Group Name

Domain Name System (DNS) used for domain name resolution. The DNS server is usually deployed on a public network. A maximum of 16 DNS groups can be configured for a tenant. A maximum of six DNS server IP addresses can be configured in each group.

Y

DNS Server IP Address

You can plan multiple DNS server IP addresses. A DNS server IP address is used when a LAN interface is configured. If a CPE is enabled as the DHCP server, you can select a DNS server group name for the CPE. The DNS server address is sent to a client on the LAN side via a DHCP response.

Y

Custom Port Configuration

DTLS Server Port

Listening port of the DTLS server.

A CPE registers with an RR through DTLS. The RR establishes a DTLS connection with each CPE to set up a control channel for TNP information exchange. When an RR goes online, iMaster NCE-Campus delivers the command that configures the DTLS server listening port to the RR, so that the RR can set up control channels with CPEs.

By default, the DTLS server listens on port 55100. You can modify this setting as needed.

Y

STUN Server Port

In most cases, an RR is configured as a STUN server and the CPE functioning as a branch gateway is configured as a STUN client. To detect whether a NAT device is deployed between the RR and a CPE, enable the STUN server function on the RR and configure the IP address and UDP port on which the STUN server listens.

By default, the STUN server listens on UDP port 3478. You can modify this setting as needed.

Y

Connection Source Port

After this item is toggled on, you can specify the scanning start port, scanning times, and scanning increment for NAT detection, hole punching, and Keepalive (KA) packets.

Y

Collection Configuration

Application traffic

Whether to enable global traffic statistics collection. After this function is enabled, inter-site traffic and inter-site application traffic at all sites are collected.

-

Application quality

Whether to enable application quality statistics collection. After this function is enabled, AQM distribution statistics of all applications are collected and worst 5 applications by AQM are listed.

-

WAN link traffic

Whether to enable inter-site traffic monitoring. After this function is enabled, traffic passing all inter-site links is monitored in real time.

-

Table 2-56 Mapping between mask lengths and network scales

Network Scale/Number of Sites    Recommended Configuration (Single Network Segment)
2-10                             /23
11-30                            /22
31-60                            /21
61-120                           /20
121-250                          /19
251-500                          /18
501-1000                         /17
1000+                            /16
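The IPv4 pool and IPv6 pool parameters above impose two checks that are easy to get wrong at planning time: the IPv4 pool prefix must be large enough for the site count in Table 2-56, and the IPv6 interworking and interlink pools must lie inside FD00::/8 while the link-local pool must lie inside FE80::/10. The following added example, which is not iMaster NCE-Campus code, applies those checks to proposed pools before they are entered in the global configuration. The function and argument names and the sample prefixes are constructed for illustration.

```python
"""Planning check for the tenant IP pools (added example; not iMaster NCE-Campus code).

Applies the site-count to prefix-length mapping of Table 2-56 to a proposed
IPv4 pool and checks the IPv6 pools against their required ranges.
"""
import ipaddress

# Table 2-56: (maximum number of sites, recommended prefix length)
SCALE_TABLE = ((10, 23), (30, 22), (60, 21), (120, 20), (250, 19), (500, 18), (1000, 17))
PREFIXLEN_1000_PLUS = 16

ULA_LOCAL = ipaddress.ip_network("fd00::/8")    # locally assigned half of fc00::/7 (RFC 4193)
LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # link-local unicast


def recommended_prefixlen(site_count: int) -> int:
    if site_count < 2:
        raise ValueError("an interconnected network has at least 2 sites")
    for max_sites, plen in SCALE_TABLE:
        if site_count <= max_sites:
            return plen
    return PREFIXLEN_1000_PLUS


def check_ipv4_pool(cidr: str, site_count: int) -> tuple:
    """(ok, message). The pool is acceptable when its prefix length is no
    longer than the one Table 2-56 recommends for the site count."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits set = planning error
    except ValueError as exc:
        return False, f"{cidr}: {exc}"
    if net.version != 4:
        return False, f"{cidr} is not an IPv4 prefix"
    need = recommended_prefixlen(site_count)
    if net.prefixlen > need:
        return False, f"/{net.prefixlen} is too small for {site_count} sites; Table 2-56 recommends /{need}"
    return True, f"/{net.prefixlen} covers {site_count} sites (recommended /{need}, {net.num_addresses} addresses)"


def check_ipv6_pools(interworking: str, interlink: str, link_local: str) -> list:
    """List of problems; empty when every pool sits inside its required range."""
    required = (("interworking", interworking, ULA_LOCAL),
                ("interlink", interlink, ULA_LOCAL),
                ("link-local", link_local, LINK_LOCAL))
    problems = []
    for name, cidr, parent in required:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if net.version != 6:
            problems.append(f"{name}: {cidr} is not IPv6")
        elif not net.subnet_of(parent):
            problems.append(f"{name}: {cidr} is outside {parent}")
    return problems


if __name__ == "__main__":
    # constructed sample plans
    print(check_ipv4_pool("10.250.0.0/22", 25))
    print(check_ipv4_pool("10.250.0.0/24", 25))
    print(check_ipv6_pools("fd00:10::/64", "fd00:20::/64", "fe80::/64"))
    print(check_ipv6_pools("2001:db8::/64", "fd00:20::/64", "fe80::/64"))
```

A /22 passes for 25 sites while a /24 is reported as too small, and a global unicast prefix such as 2001:db8::/64 is rejected for the interworking pool because it is not inside FD00::/8.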

Adding an AR Device

Context

An administrator can configure and manage devices only after adding the devices to iMaster NCE-Campus.

Feature Requirements
  1. A tenant can manage a maximum of 8000 devices (in a six-node cluster).
  2. Add devices that meet the model and version requirements to iMaster NCE-Campus. Otherwise, iMaster NCE-Campus may fail to deliver configurations to the devices. Configuration delivery may also fail if you add a device running an unsupported version and then upgrade it directly to a supported version. If you instead delete the device running the unsupported version, upgrade it, and then add it to iMaster NCE-Campus, configurations can be delivered successfully.
Procedure
  1. Choose from the main menu.
  2. Click Add on the Device Management tab page.
  3. The system provides multiple methods for you to add devices: Add, Import in batches and Automatic discovery.

    • The manual addition mode is typically used when a small number of devices need to be added to the same site.
      Currently, two modes are supported. For details about the application scenarios of each mode, see Table 2-57.
      Table 2-57 Methods of adding devices and application scenarios

      By ESN:
      • This mode can be used in all deployment modes.
      • This mode must be used in DHCP option-based deployment, USB-based batch deployment, and manual deployment scenarios.

      By device model:
      • A device with a 12-digit ESN can be added only in this mode.
      • This mode can be used in all deployment modes except DHCP option-based deployment, USB-based batch deployment, and manual deployment.
      • Adding devices by device model
        1. Select NETCONF protocol.
        2. Set Site. By default, Not in any sites is selected. To add a device to an existing site, click and select the target site.
        3. Set Mode to Device Model, and set Type, Model, Quantity, and Deployment Security Check, and Role of the device to add. Then, click OK.

          • If the RR source is set to MSP RR in the global configuration, tenants do not need to add devices with the Gateway+RR role.
          • When adding an AR1000V, ensure that the actual performance value of the device is less than or equal to the configured Performance value. Otherwise, the AR1000V cannot go online.
          • To ensure network security, you are advised to enable Deployment Security Check.
            • If this parameter is toggled on, iMaster NCE-Campus does not deliver configurations to a device as soon as it goes online. The device's Administrative Status shows Awaiting deployment confirmation on the device management page until an administrator selects the device there and clicks Deploy, so a device that comes online under a pre-added identity receives the site configuration only after it has been confirmed.
            • If Deployment Security Check is disabled, configurations are delivered automatically the first time a device goes online.
          • The AR role is determined by the site type. When adding a device to an edge site, set the device role to Gateway. When adding a device to an RR site, set the device role to Gateway+RR. When adding a device to a site that functions as an edge site and an RR site at the same time, set the device role to Gateway+RR.
        4. Import device ESNs. In DHCP-based deployment, USB-based batch deployment, and manual deployment scenarios, device ESNs need to be entered.
          • In email-based deployment, USB-based deployment, and cloud site deployment scenarios, you do not need to set device ESNs.
          • If a device cannot be added because its ESN has been set on the system, contact the system administrator or MSP administrator to delete the device ESN.
        5. (Optional) After the system administrator configures interconnection with the registration center, the function of synchronizing information to the registration center is enabled on devices added to sites by default. After this function is enabled, deployment through the registration center is supported.
        6. Click OK. For an onboarded device, you can click its name to view the device status. In addition, you can also reboot the device or access its CLI through the controller.

          After a DR switchover, the connection between the original online device and iMaster NCE-Campus becomes unavailable. As a result, iMaster NCE-Campus disconnects the device. In this case, the device will automatically go online again and becomes normal after 10 to 20 minutes.

      • Adding devices by ESN
        1. Select NETCONF protocol.
        2. Set Site.
        3. Set Mode to ESN, set the device ESN, name, role, deployment confirmation, description, asset number, and performance, and click OK.

          For an AR5700&6700&8000 series device, run the following command to check its ESN:
          display device esn
          For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check its ESN:
          display esn
    • Batch Import is typically used when a large number of devices need to be added. A maximum of 1000 devices can be imported at a time.
      1. Select NETCONF protocol.
      2. Download and fill in the template, and upload the template. Then, select the devices to be added in the Import Result window, and click OK.

    • Automatic discovery applies when gateways or core devices have been managed by iMaster NCE-Campus. You can collect information about neighboring devices of the gateways or core devices, and obtain ESNs and models of the discovered devices. This method helps you create a large number of devices in batches with one click.
      1. Choose from the main menu.
      2. On the Device tab page, click In Sites or Not in Any Sites, click Add Device, and choose Automatic discovery from the shortcut menu. On the displayed page, select the NETCONF protocol as the device discovery protocol. Then click Select Devices to Scan and select the devices to be scanned.

      3. Wait for the scanning to complete, and click OK.
      4. Set the name, role, and site for each discovered device, select the devices to be added, click Add Selected Devices, and click OK.

  4. After the device is added, you can view the device information on the device management page.

Follow-up Procedure
  • Restart a device and restore the device configuration.

    You can select an online device, and click Reset to Deployment State to restore the device to its factory defaults or click Restart to restart the device.

    This operation has high risks and cannot be rolled back. Exercise caution when you perform this operation.

  • View device details.

    You can click the name of an online device to view its detailed information. For details, see Viewing and Exporting Device Information.

Parameter Description
Table 2-58 Parameters on the Add Device page

Parameter

Description

Addition method

Method of adding a device. You can manually add devices, import devices in batches, or configure automatic device discovery.

Mode

Mode of adding a device. The following modes are supported:
  • ESN: If you have obtained the device ESN, you can add the device by ESN.
  • Device model: If the device ESN is not obtained, you can add a device by device model. This mode is used for pre-configuration in most cases. The selected device model must be the same as the actual device model. Currently, you are advised to add devices by device model.

Device information

ESN

Device ESN, which is the unique identifier of a device. You can obtain the ESN of a device from the device's factory configuration list. Alternatively, you can run the display esn command on an AR600&6100&6200&6300&SRG series device (or the display device esn command on an AR5700&6700&8000 series device) to obtain the device ESN.

Name

Unique name of a device. When you add a device by device model, the system automatically generates a device name after you select a device model. When you add a device by ESN and leave the device name empty, the system uses the device ESN as the device name by default. A device name can contain a maximum of 64 characters.

Role

When the device type is set to AR, the role can be Gateway or Gateway+RR.

NOTE:

If a device has its role changed after deployment, you need to deploy the device again. Otherwise, there may be residual configurations on the device and services may be abnormal. After the deployment is complete, do not change device roles unless necessary.

Performance (This parameter can be configured only when the device model is AR1000V.)

Forwarding performance supported by the device. Set this parameter based on the N1 software package you have purchased for the AR1000V.

1G: After an N1 software package is loaded, the device performance can reach 1 Gbit/s. If no N1 software package is loaded, the device performance is 10 Mbit/s by default.

5G: After an N1 software package is loaded, the device performance can reach 5 Gbit/s. If no N1 software package is loaded, the device performance is 10 Mbit/s by default.

10G: After an N1 software package is loaded, the device performance can reach 10 Gbit/s. If no N1 software package is loaded, the device performance is 10 Mbit/s by default.

Creating a Site

Application Scenario

To facilitate device management and improve service deployment efficiency, devices on the same network of the same tenant can be added to the same site.

A tenant administrator can create different organizations and add a site to one organization. Currently, up to five-layer organizations can be created.

You can create sites on iMaster NCE-Campus for unified O&M and management. Either of the following modes is available for you to create a site:

  • Creating sites one by one: You can create sites one by one when a small number of sites need to be created.
  • Creating sites in batches: You can create sites in batches when a large number of sites need to be created. This mode is currently not applicable to cloud sites.
Feature Requirements
  • Each tenant can manage a maximum of 20000 sites if iMaster NCE-Campus is deployed as a distributed cluster, 20000 sites if iMaster NCE-Campus is deployed as a minimum cluster, and 5000 sites if iMaster NCE-Campus is deployed as a single-cluster system.
  • If the number of sites exceeds 2000, area interconnection is not supported.
Procedure
  1. Choose .
  2. Click Create and set parameters as prompted.
  3. Set parameters in the Basic Site Information area, such as Site Name, Location, and Device type. In IPv6 single-stack or IPv4/IPv6 dual-stack deployment scenarios, select a southbound IP service as needed.

    • A tenant administrator can select a southbound IP service created by the system administrator for Southbound IP service name and view available southbound IP services on the page.
    • After Device type is set, you can only add device types but cannot replace device types. For example, you can add ARs to a site that contains only APs. However, you cannot change a site that contains only APs to a site that contains only ARs. When LSWs are deployed as WACs, you need to select both LSW and WAC.
    • If OLTs and ONUs need to be managed by iMaster NCE-Campus, install the PON network management feature during iMaster NCE-Campus installation; otherwise, iMaster NCE-Campus cannot manage OLTs and ONUs.
    • APs and WACs cannot be deployed together at a site.

  4. (Optional) In the Basic Site Information area, expand More, and determine whether to toggle on ESN-free. After ESN-free switch is toggled on, you do not need to enter device ESNs for iMaster NCE-Campus to manage the devices. Instead, iMaster NCE-Campus can automatically discover devices and add them to the approval-required list. After being approved by users, the devices are managed by iMaster NCE-Campus successfully. You can enable Exempt from approval to improve deployment efficiency.

    • Validity period of site authentication code: This parameter specifies the period during which devices can be added free of ESNs. If you toggle on ESN-free for a site, iMaster NCE-Campus generates a unique authentication code for the site. This code is displayed in the Site Code column on the site information page. When the authentication code of a site expires, you can no longer add devices to the site free of ESNs. The default validity period of a site authentication code is 7 days, and it can be extended to a maximum of 30 days.
    • Exempt from approval: After this function is enabled, iMaster NCE-Campus can manage devices directly, without the need of waiting for device approvals. iMaster NCE-Campus automatically adds new devices to the device list and consumes corresponding licenses. Before enabling this function, ensure that there is no unknown device on the current network. After devices are added successfully, disable this function in a timely manner.

      • Currently, stacks cannot be managed free of ESNs and the following devices can be managed free of ESNs:
        • APs and WACs running V200R022C00 and later versions
        • V200 switches running V200R022C00 and later versions
        • V600 switches running V600R022C00 and later versions
      • When iMaster NCE-Campus manages devices using the approval-free function, the devices automatically assume the Access role. After a device is managed, you can modify the device role on the Device tab page under .

  5. Set parameters in the Site Configuration area.

    • Set Configuration mode.

      You can set this parameter to Default or Configuration File. When Configuration File is selected, the system delivers configurations to devices through device configuration files. This mode is applicable only to LSWs and WACs.

      When Configuration File is selected, you need to prepare device configuration files in advance and then import and deliver the files to target devices on the page to complete device configuration.

      When you create a site in Configuration File mode, the following constraints apply:

      • Sites created in Configuration File mode do not support the following functions: site configuration, VXLAN fabric configuration, admission configuration, third-party server configuration, and device upgrade.
      • Devices at sites created in Configuration File mode can be migrated to other sites created in the same mode. Such devices cannot be migrated to other sites created in Default mode or be removed from the current sites.
      • Devices at sites created in Configuration File mode cannot be added to stacks after being configured using configuration files.
      • Sites created in Configuration File mode can use only specific northbound interfaces.
    • Set Configuration source type.

      You need to set Configuration source type when Configuration mode is set to Default. The following options are available: Deep clone, Default settings, and Clone from an existing site.

      • Default settings: You can configure sites as needed.
      • Clone from an existing site: When creating a site, you can clone the configuration of an existing site for use with the new site, reducing repeated configurations. This mode is applicable to all site-level features.
      • Deep clone: Currently, only sites that contain firewalls only, or APs and firewalls, support the deep cloning function. On iMaster NCE-Campus, you can clone selected data of sites and devices from existing sites.

        In deep clone mode, sites can be cloned one by one or in batches. If a small number of sites need to be cloned, you can clone them one by one. When a large number of sites need to be cloned, you can clone them in batches.

        Table 2-59 Features that support deep cloning

        • FW: Network (subnet, uplink management, NAT, and DNS), Physical interface, IPsec VPN, Security policy, Traffic policy
        • AP: SSID (802.1X authentication), Radio (radio calibration, radio advanced settings, and channel planning on a per-device basis), Blacklist and whitelist (MAC address-based filtering)
        • Universal configuration: NTP, SNMP, and local user management

        A site with fewer than 50 firewalls can be used as the source site for cloning.

  6. Add devices to the site. Click Select Device to add existing devices on the system to the site for management.

    • For new devices that have not been added to iMaster NCE-Campus, you can add them to a site by ESN or device model.
      For an AR5700&6700&8000 series device, run the following command to check its ESN:
      display device esn
      For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check its ESN:
      display esn
    • If two AR devices need to be added to a site, you are advised to add devices of the same model.

  7. (Optional) In the Add Device area, add devices to the site.

    You can add devices to a site by device model or ESN. Alternatively, you can also add devices to a site after the site is created.

    When adding a device to an on-premises site, you need to set the device role based on the site requirements. The recommended roles for each device type are as follows:

    • AP: Gateway, Access, or AP
    • LSW: Core, WAC, Aggregation, or Access
    • FW: Gateway, Gateway+Core, or Firewall
    • WAC: WAC
    • AR: Gateway, Gateway+Core, or Gateway+RR

      A site's type varies according to the AR device role and networking model.

      • On a hub-spoke network:

        If ARs assume the Gateway+Core role, the site is a hub site.

        If ARs assume the Gateway role, the site is a spoke site.

        If ARs assume the Gateway+RR role, the site is an RR site. If a site needs to function as a hub site and an RR site at the same time, set the AR device role of this site to Gateway+RR.

      • On a full-mesh network:

        If ARs assume the Gateway role, the site is a branch site.

        If ARs assume the Gateway+RR role, the site is an RR site.

      Site roles are classified into edge sites and RR sites only when the SD-WAN value-added feature has been installed and the GRE tunnel mode for SD-WAN scenarios is selected on the page.

      • Edge site: An edge site is a WAN-side router. It establishes secure data channels with multiple remote edge sites.
      • RR: An RR is an independent CPE. It distributes EVPN routes between CPEs based on VPN topology policies.

    If you do not specify a role when adding an AP, the AP automatically assumes the AP role. If you do not specify a role when adding a device of another type, the device automatically assumes the Access role.

    When adding a device to a cloud site, you need to set the device role. Configure roles for devices based on the site requirements.

  8. Click OK. The site is created and configurations are delivered.

    You can click Apply and Deploy to go to the Branch Network page to perform deployment configurations. For details, see Branch Network.

Follow-up Procedure
  • Create sites in batches.

    You can click Batch Create, download the site configuration template, enter information about all sites in the template, and import the template to the system. Then you can create all required sites at a time.

  • Create a site template.

    Choose . On the Site Template page, click Create to create a site template. Then you can bind the created template to sites on the current page.

  • Change the organization to which a site belongs.

    To change the organization to which a site belongs, select the target site and then click Change Organization.

  • Filter sites by organization.

    To create a lower-level organization of the current organization, click an organization name on the left and click . Currently, at most five-layer organizations can be created.

    You can click an organization name to view sites under the organization.

  • Delete a site.

    Select a site and click Delete or in the Operation column.

    Deleting a site does not clear the configurations on its devices. If you want to re-deploy the devices at another site, perform the following operations:

    • If the deployment configurations of the new site are different from those of the deleted site, you need to restore the devices to their factory defaults onsite, and then re-deploy them.
    • If the deployment configuration of a new site is the same as that of the deleted site, you only need to select the devices on the device management page of iMaster NCE-Campus, click Restore Deployment Configurations, and add them to the new site.
  • Export and import site configurations after sites are created and activated when the tunnel mode SD-WAN scenario (GRE tunnel) is used. For details, see Importing and Exporting Site Configurations.
    • Quickly configure a new site based on configured sites.

      You can export and modify the configuration of a deployed site and import the modified configuration to quickly deploy a new site. If the site name changes, you need to manually create a site with the changed name and import the configuration again.

    • Modify site configurations in batches.

      After exporting configurations of multiple sites, you can modify some parameters and import them to modify sites in batches. You can add, delete, and modify site configurations.

    • Restore site configurations.

      You can periodically export site configurations. If an error occurs during subsequent configuration, you can import the previous configuration to restore the site.

  • After ESN-free is toggled on, you can view, modify, or extend the validity period of site authentication codes.
    • Viewing the site authentication code

      Choose to view the site authentication code that is automatically allocated.

    • Modifying the site authentication code

      Click . The site information configuration page is displayed. Click to modify the site authentication code.

    • Extending the validity period of the site authentication code

      Click . The site information configuration page is displayed. Click Click here to extend the validity period of the site authentication code.

  • After ESN-free is toggled on, devices can be managed by iMaster NCE-Campus only after being approved.
    1. Choose .
    2. Click Approve. The device approval page is displayed.
    3. Select a device and click Pass.
Parameter Description
Table 2-60 Key parameters for creating a site

Parameter

Description

Data Plan in Advance

Site Name

Name of the site to be created.

Y

Southbound IP service name

Select a southbound IP service that has been configured. In the IPv6 or IPv4/IPv6 dual-stack scenario, southbound IPv6 addresses are displayed on the Select Southbound IP Service Name page.

-

ESN-free

Whether to enable the ESN-free device management function. After this function is enabled, you do not need to enter device ESNs for iMaster NCE-Campus to manage the devices. Instead, iMaster NCE-Campus can automatically discover devices and add them to the approval list. After being approved by users, the devices are managed by iMaster NCE-Campus successfully.

Y

Validity period of site authentication code (configurable when ESN-free is toggled on)

iMaster NCE-Campus generates a unique authentication code for each site. The code is valid for 7 days by default. You can configure the code to be valid for 1 day, 7 days, or 30 days. After the site authentication code expires, the ESN-free device management function is automatically disabled and logs are recorded. After the ESN-free device management function is enabled again, a new site authentication code is generated.

Y

Exempt from approval (configurable when ESN-free is toggled on)

Whether to enable device approval exemption. After this function is enabled, iMaster NCE-Campus can manage devices directly, without the need of waiting for device approvals. iMaster NCE-Campus automatically adds new devices to the device list and consumes corresponding licenses.

Y

Add Device

Select Device: Add devices that have been managed by iMaster NCE-Campus to the site.

-

Device type

Types of devices that can be added to the site. The options include AR, AP, FW, LSW, WAC, OLT, ONU, and NE. You can select one or more of the preceding options.

Constraints:

  • After Device type is set, you can only add device types but cannot replace device types. For example, you can add ARs to a site that contains only APs. However, you cannot change a site that contains only APs to a site that contains only ARs. When LSWs are deployed as WACs, you need to select both LSW and WAC.
  • If iMaster NCE-Campus needs to manage OLTs and ONUs, install the PON management feature when installing iMaster NCE-Campus. Otherwise, iMaster NCE-Campus cannot manage OLTs and ONUs.
  • APs and WACs cannot be deployed together at a site.

Y

Role

Constraints:

ARs configured with the Gateway or Gateway+Core role can be added only to edge sites. ARs configured with the Gateway+RR role can be added only to RR sites.

Value range:

  • AP: Gateway, Access, or AP
  • LSW: Core, WAC, Aggregation, or Access
  • FW: Gateway, Gateway+Core, or Firewall
  • AR: Gateway, Gateway+Core, or Gateway+RR
  • WAC: WAC

    If you do not set the device role when adding a device, the system sets the device role to Access by default.

Y

Add Device

  • Select Device: Add devices that have been managed by iMaster NCE-Campus to the site.
  • By Model: Add devices by device model. After devices are added in this mode, you need to enter their ESNs on the system later. This method is recommended.
  • By ESN: Add devices by ESN.

Y

Configuration mode

Value range: The options include Default and Configuration File.

Constraints:

  • When Configuration File is selected, you need to prepare device configuration files in advance and then import and deliver the files to target devices on the Maintenance > Device Maintenance > Configuration File Management page to complete device configuration.
  • Sites created in Configuration File mode do not support the following functions: site configuration, VXLAN fabric configuration, admission configuration, third-party server configuration, and device upgrade.
  • Devices at sites created in Configuration File mode can be migrated to other sites created in the same mode. Such devices cannot be migrated to other sites created in Default mode or be removed from the current sites.
  • Devices at sites created in Configuration File mode cannot be added to stacks after being configured using configuration files.
  • Sites created in Configuration File mode can use only specific northbound interfaces.

Y

Configuration source type

  • Default settings

    Meaning: With this option selected, you need to configure the site manually.

  • Clone from an existing site

    Meaning: With this option selected, you can clone the configuration of an existing site for use with the new site, reducing repeated configurations.

    Constraints: This mode applies to all site-level features.

  • Deep clone:

    Meaning: One or more sites can be cloned at a time. If a small number of sites need to be cloned, you can clone them one by one. If a large number of sites need to be cloned, you can clone them in batches.

    Constraints: Currently, only the sites containing firewalls only or containing APs and firewalls support the deep cloning function. You can create a site by cloning selected site and device data from an existing site on iMaster NCE-Campus.

Y

(Optional) Managing Templates

(Optional) Configuring a WAN Link Template

You can configure this feature only when the tunnel mode is set to SD-WAN scenario (GRE tunnel) on the page.

Context

To reduce repeated configurations when adding multiple sites with the same gateway type, the same number of WAN links, and the same transport networks, you can configure a link template to cover the configurations shared by these sites. By customizing a link template, you can modularize repeated configurations.

iMaster NCE-Campus provides default link templates, as listed in Table 2-61. If the default link templates can meet your requirements, you do not need to customize a template by yourself. Otherwise, you can create a link template as required.

WAN link templates are not required during cloud site deployment or deployment through the registration query center. In these scenarios, you can skip this section.

You are not allowed to modify or delete the default templates, and can only copy these templates.

Table 2-61 Default link templates

Columns: Template Name, Template Description, WAN Link (Device, Port, Transport Network), Inter-CPE Link (Device, Port), Topology (figure, not reproduced here).

  • Single_gateway_mixed_links: Single gateway with an Internet link and an MPLS link
    WAN links: Internet (Device1, GE0/0/0, Internet); MPLS (Device1, GE0/0/1, MPLS)
    Inter-CPE link: -
  • Single_gateway_mpls_link: Single gateway with an MPLS link
    WAN link: MPLS (Device1, GE0/0/0, MPLS)
    Inter-CPE link: -
  • Single_gateway_internet_link: Single gateway with an Internet link
    WAN link: Internet (Device1, GE0/0/0, Internet)
    Inter-CPE link: -
  • Single_gateway_dual_internet_links: Single gateway with dual Internet links
    WAN links: Internet1 (Device1, GE0/0/0, Internet); Internet2 (Device1, GE0/0/1, Internet)
    Inter-CPE link: -
  • Dual_gateways_mixed_links: Dual gateways with an Internet link and an MPLS link respectively
    WAN links: Internet (Device1, GE0/0/0, Internet); MPLS (Device2, GE0/0/0, MPLS)
    Inter-CPE link: Device1: GE0/0/1, Device2: GE0/0/1

Prerequisites

Global parameters have been set for the site. For details, see Setting Global Parameters.

Procedure
  1. Choose from the main menu. Click the WAN Template tab.
  2. Click the WAN Link Template tab.
  3. Create a WAN link template. Click Create to access the page for creating a WAN link template.

    1. Set parameters for a WAN Link template.
      1. Set Template name.
      2. Set Gateway as needed.
      3. Determine whether to enable Multiple sub-interfaces. If this function is enabled, multiple sub-interfaces can be configured for a physical interface.
    2. Configure WAN links. In the WAN Link area, click Create to configure a WAN link. The following parameters need to be set in a WAN link template: Name, Device, Interface, Sub Interface, Overlay Tunnel, Transport Network, and Role.

      You can create multiple WAN links for each gateway. At most 256 sub-interfaces can be created for a single gateway, and at most 512 sub-interfaces can be created for dual gateways.

      Click Configuration in the Advanced parameters column to select a southbound access service and set its priority.

  4. If Gateway is set to Dual gateways, configure an interlink connecting the dual gateways. Otherwise, skip this step.

    1. If LAN-side Layer 2 physical interfaces are required on both ends of the interlink, set Use LAN-side L2 interface to .
      • Spanning Tree Protocol (STP) is enabled on CPEs by default. If dual gateways are connected through two interlinks with Layer 2 physical interfaces on both ends, these interfaces are added to the same VLAN. In this case, if a loop occurs, STP sets one physical interface to the Block state. At this time, if the blocked physical interface is used by LAN-side services, user traffic may be interrupted. Therefore, it is recommended that the physical interfaces used by an interlink between dual gateways be different from those used by user services on the LAN side.
      • If an interlink between dual gateways uses Layer 3 physical interfaces, you do not need to enable Use LAN-side L2 interface.
    2. Configure a VLAN ID. Interfaces on both ends of an interlink connecting dual gateways will be added to this VLAN.
    3. Click Create. Configure an interlink between dual gateways and set the physical interfaces on both ends of the interlink.

      At most two interlinks can be created between dual gateways.

  5. Click OK.
Follow-up Procedure
Table 2-62 Follow-up procedure of configuring a WAN link template

  • Importing or exporting WAN link templates in batches
    Scenario and constraint: WAN link templates can be imported or exported in batches using Excel files.
    Procedure: Click Import or Export to configure WAN link templates in batches.
  • Modifying a WAN link template
    Scenario and constraint: The template name, gateway type, and WAN link information can be modified. The default templates provided by the system cannot be modified.
    Procedure: Click in the Operation column on the WAN Link Template page to modify a template.
  • Deleting a WAN link template
    Scenario and constraint: WAN link templates can be deleted. The default templates provided by the system cannot be deleted.
    Procedure: Click in the Operation column on the WAN Link Template page to delete a template.
  • Copying a WAN link template
    Scenario and constraint: You can quickly create a WAN link template by copying an existing template, which improves configuration efficiency. If you perform any of the following operations after copying a template, the copied template may fail to be applied to sites associated with the source template:
      • Modify Gateway.
      • Modify or delete settings in the WAN Link area.
      • Modify parameters in the Inter-CPE Link area.
    Procedure: Click in the Operation column on the WAN Link Template page to copy a template.

Parameter Description
Table 2-63 Parameters on the WAN Link Template page

Parameter

Description

Data Plan Required or Not

Template name

Name of a WAN link template.

Y

Gateway

Gateway type of the site where the link template is to be applied.

  • Single Gateway: Select this option for sites with light gateway service traffic and low reliability requirements.
  • Dual Gateways: Select this option for sites with high reliability requirements.

Y

Multiple sub-interfaces

Whether to enable the multiple sub-interfaces function on a device. If a device requires multiple sub-interfaces on a WAN link for WAN-side communication, you need to enable this function on the device. After this function is enabled, a maximum of 256 sub-interfaces can be created for a single gateway, and a maximum of 512 sub-interfaces can be created for dual gateways.

Y

WAN Link

Name

Name of a WAN link.

Y

Device

Name of the gateway at the site.

Y

Interface

Type and number of a physical interface used by the WAN link.

The following interface types are supported:

  • GE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
  • FE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
  • XGE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
  • LTE: 3G, 4G, and 5G interfaces
  • xDSL (ATM): ADSL interface, and G.SHDSL interface (working in ATM mode by default)
  • xDSL (PTM): VDSL interface (working in PTM mode by default)
  • E1-IMA (ATM): G.SHDSL interface (working in ATM mode by default), E1-IMA interface, and E1-IMA sub-interface
  • Ima-group: G.SHDSL interface (working in ATM mode by default), E1-IMA interface, and Ima-group sub-interface
  • Serial: Serial interface and FR sub-interface
  • Eth-Trunk interface
  • Loopback interface
    NOTE:
    1. Loopback interfaces can be used only as transport network ports (TNPs) and cannot be configured with any services.
    2. By default, the overlay tunnel function is enabled on virtual links with loopback interfaces at both ends and cannot be disabled.

Y

Sub Interface

Whether to enable the sub interface function on the device.

-

Overlay Tunnel

Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created on the WAN link.

Y

Sub Interface Index

Number of the sub interface.

The parameter is available only when Sub Interface is enabled.

-

Transport Network

Type of the transport network to which a WAN-side physical link belongs. A transport network groups links that share the same link quality attributes and identifies the type of network provided by one ISP. Each physical WAN link of a site belongs to exactly one transport network.

If the available transport network types do not meet your requirements, create a transport network as needed on the WAN Global Configuration page.

Y

Role

Role of the link. You can set this parameter to active or standby. After active and standby links are configured, data travels only through the active link by default. If the active link fails, data moves to the standby link.

For a single-gateway site with multiple WAN links, specify each WAN link as active or standby. At least one active link must be configured. A maximum of one standby link (usually, an LTE or 5G link) can be used as the escape link and has the lowest priority. If all active links fail, traffic is forwarded through the escape link.

For a dual-gateway site, all WAN links are active by default. In addition, a single-gateway site must have at least one active link.

Y

Advanced parameters

Click Configuration and set Controller Southbound interface service and Southbound access priority in the displayed dialog box.

During the controller installation, an iMaster NCE-Campus southbound IP address is configured so that CPEs can communicate with iMaster NCE-Campus using this IP address. If iMaster NCE-Campus and some sites are on a private network while other sites are on a public network, two southbound IP addresses need to be configured so that sites on different networks can access iMaster NCE-Campus. As shown in the following figure, iMaster NCE-Campus and site 1 are on a private network, and site 2 is on a public network. iMaster NCE-Campus can access the public network only through the NAT device, and site 2 has access only to a public IP address after NAT. Therefore, two southbound IP addresses need to be configured during the installation: one is a private IP address, the other is a public IP address after NAT. When configuring a WAN link for site 1, specify the private IP address as the southbound IP address of iMaster NCE-Campus. When configuring a WAN link for site 2, specify the public IP address after NAT as the southbound IP address of iMaster NCE-Campus.

In addition to the default southbound IP address provided by the system, you can also use a southbound access service configured by the system administrator to specify the southbound IP address used by CPEs to communicate with the controller.

Y

Controller Southbound interface service

The southbound access services that have been configured during controller installation planning are used as default options for this parameter. If the system administrator has enabled a customized southbound access service, you can select this customized service in the WAN link template. Tenant administrators can view all available southbound access services on the page. The system administrators can create southbound access services as needed on the page.

Y

Southbound access priority

Priority of a controller southbound access service. This parameter is configurable after Southbound interface service is set.

  • The priority can be High, Medium, or Low. The default value is Low.
  • For AR5700&6700&8000 series devices, the priority takes effect only for performance channels and is supported in V600R022C00 and later versions.
    NOTE:

    If a device has multiple WAN links, you can configure Southbound access priority for each WAN link. After the device starts, it can select a WAN link based on the priority to register with iMaster NCE-Campus.

    Assume that a device has both Internet and LTE links, and needs to use the Internet link as the active link and the LTE link as the backup link. When configuring ZTP, you can set Southbound access priority of the Internet link to High and that of the LTE link to Medium or Low. As such, the device preferentially selects the Internet link when it attempts to register with iMaster NCE-Campus, and automatically switches to the LTE link for registration if the Internet link is faulty.

Y

Inter-CPE Link (required only when Gateway is set to Dual Gateways)

Use LAN-side L2 interface

Whether to use Layer 2 physical LAN interfaces on the interlinks between two gateways.

  • If no direct link is configured between two gateways, LAN-side links need to be used for communication between dual gateways.
  • If direct links are configured between two gateways, LAN-side links do not need to be used.

Y

VLAN ID

VLAN ID used by interlinks for communication between two gateways and used for VPN communication. The number of VLAN IDs must be greater than that of VPNs. In the dual-gateway scenario, iMaster NCE-Campus configures a VLAN for each VPN on interlink interfaces between two gateways. This implements VPN isolation. The start VLAN ID must be in the range from 1 to 4086 and the end VLAN ID must be in the range from 9 to 4094. The difference between the start and end VLAN IDs must be greater than or equal to 8 and less than or equal to 300. A maximum of 16 VLAN ranges can be configured, and the total number of VLANs cannot exceed 301.

-

Device1 Interface

Physical interfaces used by interlinks between two gateways. If two interlinks are required, the types of the two interlink interfaces on the same device must be the same. The types of the interfaces on both ends of an interlink must be the same. The interface type varies according to whether a direct link exists between two gateways:

  • If a direct link exists between two gateways (that is, Use LAN-side L2 interface is disabled), use Layer 3 interfaces at both ends of an interlink. If only one interlink is required, Layer 3 sub-interfaces need to be created for the interfaces directly connecting the two gateways and be used as interlink interfaces. If multiple interlinks are required, iMaster NCE-Campus automatically configures the interfaces of these links as an Eth-Trunk sub-interface on each end to ensure link reliability.
  • If no direct link is configured between two gateways (that is, Use LAN-side L2 interface is enabled), use Layer 2 interfaces at both ends of an interlink. If each of the two gateways directly connects to the same LAN switch using a Layer 2 link, a VLAN ID needs to be specified so that the gateways can communicate with each other through the corresponding VLANIF interfaces.

-

Device2 Interface

-
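The Role, Multiple sub-interfaces, Southbound access priority and Inter-CPE VLAN ID rows above each state constraints that a data plan must satisfy before a template is applied. The following Python block, an added example that is not iMaster NCE-Campus code, encodes those constraints as checks that can be run over a planned template offline: the active/standby rules and sub-interface limits, the escape-link and registration-link selection behaviour the text describes, and the VLAN range limits for the interlink. The WanLink class, the function names, the tie-break on equal southbound priority (active link first) and the sample plan are assumptions of this example.

```python
"""Data-plan checks for a WAN link template.

Added example, not iMaster NCE-Campus code. It encodes the constraints stated
in the WAN Link Template parameter table (Role, Multiple sub-interfaces,
Southbound access priority and Inter-CPE VLAN ID). The WanLink class, the
function names and the sample plan are this example's own assumptions.
"""
from dataclasses import dataclass

# Sub-interface limits per site, from the Multiple sub-interfaces parameter.
MAX_SUBIF = {"single": 256, "dual": 512}
# Southbound access priority order (smaller sorts first).
PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class WanLink:
    name: str
    device: str
    role: str                         # "active" or "standby"
    sub_interfaces: int = 0
    southbound_priority: str = "Low"  # "High", "Medium" or "Low"
    up: bool = True                   # constructed link state for the demo


def validate_wan_links(gateway: str, links: list) -> list:
    """Return Role and sub-interface rule violations of a template (empty list = valid)."""
    errors = []
    active = [link for link in links if link.role == "active"]
    standby = [link for link in links if link.role == "standby"]
    if not active:
        errors.append("at least one active link must be configured")
    if gateway == "single" and len(standby) > 1:
        errors.append("a single-gateway site can have at most one standby (escape) link")
    if gateway == "dual" and standby:
        errors.append("all WAN links at a dual-gateway site are active")
    total_subif = sum(link.sub_interfaces for link in links)
    if total_subif > MAX_SUBIF[gateway]:
        errors.append(f"{total_subif} sub-interfaces exceed the {gateway}-gateway limit "
                      f"of {MAX_SUBIF[gateway]}")
    return errors


def forwarding_links(links: list) -> list:
    """Links that carry service traffic: the active links that are up, or the
    standby escape link only once every active link has failed."""
    active_up = [link for link in links if link.role == "active" and link.up]
    if active_up:
        return active_up
    return [link for link in links if link.role == "standby" and link.up]


def registration_link(links: list):
    """Link a device tries first when registering with iMaster NCE-Campus: the
    highest Southbound access priority among links that are up. Preferring an
    active link on equal priority is an assumption of this example."""
    candidates = [link for link in links if link.up]
    if not candidates:
        return None
    candidates.sort(key=lambda link: (PRIORITY_ORDER[link.southbound_priority],
                                      link.role != "active"))
    return candidates[0]


def validate_vlan_ranges(ranges: list, vpn_count: int) -> list:
    """Check Inter-CPE Link VLAN ID ranges, given as (start, end) pairs."""
    errors = []
    if len(ranges) > 16:
        errors.append("at most 16 VLAN ranges can be configured")
    total = 0
    for start, end in ranges:
        if not 1 <= start <= 4086:
            errors.append(f"start VLAN {start} must be in 1..4086")
        if not 9 <= end <= 4094:
            errors.append(f"end VLAN {end} must be in 9..4094")
        if not 8 <= end - start <= 300:
            errors.append(f"range {start}-{end}: end minus start must be between 8 and 300")
        total += end - start + 1
    if total > 301:
        errors.append(f"{total} VLANs in total exceed the limit of 301")
    if total <= vpn_count:
        errors.append(f"{total} VLANs are not more than the {vpn_count} VPNs to isolate")
    return errors


if __name__ == "__main__":
    # Constructed sample: single gateway with an Internet link and an LTE escape link.
    plan = [
        WanLink("Internet", "Device1", "active", sub_interfaces=2, southbound_priority="High"),
        WanLink("LTE", "Device1", "standby", southbound_priority="Medium"),
    ]
    print(validate_wan_links("single", plan))                  # []
    print(registration_link(plan).name)                        # Internet
    plan[0].up = False                                         # the Internet link fails
    print([link.name for link in forwarding_links(plan)])      # ['LTE']
    print(validate_vlan_ranges([(100, 120)], vpn_count=5))     # []
```

The VLAN check applies the two limits separately on purpose: a single range may span up to 301 VLAN IDs (end minus start at most 300), while the sum over all ranges is also capped at 301, so a second range is only useful when the first one is short.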

Customizing Policy Template

Context

To simplify configurations and unify management, iMaster NCE-Campus adds the following parameter sets into a template. When configuring related services, you can import a template and bind parameters in this template to the configuration object.

ACL Template

Fundamentals

ACLs are mainly applied to QoS, route filtering, and user access.

  • Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
  • Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.
  • Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.
Application Scenarios

An ACL policy defines rules based on information about IPv4 or IPv6 packets to implement packet filtering. Such information includes source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, and UDP source/destination port numbers. Advanced ACL templates are applicable to overlay ACL and underlay ACL policies.

Procedure
  1. , and choose ACL from the navigation pane.
  2. Click Create, click the IPv4 or IPv6 tab, set parameters, and click OK.

    • When you create an advanced IPv4 ACL template, the source and destination IP addresses in the rule list can be configured in the format of an IP address with a mask or an IP address with a wildcard mask.
    • ACL rules with IP addresses and wildcard masks are applicable only to switches.
  3. Export or import ACL templates in batches.
    • Export ACL templates.
      1. Click the IPv4 or IPv6 tab and select the name of the template to be exported.
      2. Click Export to export the selected templates and view ACL rules.
    • Import ACL templates.
      • Download a template and import ACL configurations.
        1. Click the IPv4 or IPv6 tab and click Import.
        2. Click Template.xls to download the configuration template.
        3. Set parameters as needed in the downloaded template. For details about the parameters, see Table 2-64.
        4. Click next to Upload File and select the template saved on the local PC.
        5. Click OK and wait until the upload is complete.
      • Update ACL templates.
        1. Click the IPv4 or IPv6 tab and select the name of the template to be exported.
        2. Click Export to export the selected template and modify ACL rules.
        3. Click next to Upload File and select the template updated on the local PC.
        4. Click OK and wait until the upload is complete.
Parameter Description
Table 2-64 Policy Template (ACL)

Parameter

Description

Name

Meaning: Unique identifier of an ACL template.

ACL type

Value range:

  • User ACL: The ACL number range is from 6000 to 6031.
  • Advanced ACL: The ACL number range is from 3001 to 3999.

Constraints: When ACL type is set to User, the total number of rules with Address type set to IP/Mask and Address type set to Domain cannot exceed 128. User ACLs are configurable only on the IPv4 tab page. When ACL type is set to Advanced, a maximum of 1024 rules can be configured.

ACL number

ACL number delivered to the target device.

Rule list

Click Add, create rules in the ACL template, and click OK.

Constraints: Devices running V600R022C00 do not support user ACLs.

User ACL

IP/Domain

IP address or domain name of the packets matching the ACL.

Protocol

Value range:

  • Any
  • TCP: This protocol is recommended.
  • UDP: This protocol is not secure and is not recommended.

Port

Meaning: Destination port number of the packets matching the ACL.

Constraints: This parameter is configurable only when Protocol is set to TCP or UDP.

Advanced ACL

Priority

Priority of a rule in the ACL template. A smaller value indicates a higher priority.

Action

Action to take on packets matching the rule.

  • Permit: permits the packets matching the rule.
  • Deny: denies the packets matching the rule.

Protocol

Value range:

  • Any
  • TCP: This protocol is recommended.
  • UDP: This protocol is not secure and is not recommended.
  • ICMP: It is recommended that ICMP be used to forward control messages between IP hosts and routers.

TCP Flag (This parameter is configurable only when ACL type is set to IPv4 and Protocol is set to TCP.)

TCP flag of the packets to be matched. You can select one or more options or leave this parameter empty. When the TCP protocol is specified in an advanced ACL, the device filters packets based on the TCP flag.

A TCP packet has six flag bits:

  • SYN: 000010, which is the synchronization flag. It is used in the first step of connection establishment.
  • ACK: 010000, which is the acknowledgement flag. It is used to acknowledge that the acknowledgement number field contains a valid acknowledgement number.
  • PSH: 001000, which is the push flag. It indicates that the packet should be passed on to the application layer for processing.
  • FIN: 000001, which is the finish flag. It indicates that there is no more data from the sender.
  • RST: 000100, which is the reset flag. It is used to reset the TCP connection.
  • URG: 100000, which is the urgent flag. It is used to notify the receiver to process the urgent packets before processing all other packets. It identifies the packet that contains data that needs to be processed urgently.

established: indicates that the ACK (010000) or RST flag (000100) is set to 1. Only packets sent when a TCP connection is up can have either of the two flag bits set to 1. The established flag cannot be selected together with any other flags.

Source IP Address

Source IP address of the packets matching the rule.

Source Port

Source port number of the packets matching the rule.

Destination IP Address

Destination IP address of the packets matching the rule.

Destination Port

Destination port number of the packets matching the rule.
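To show how the rule fields in Table 2-64 combine when a device filters a packet, the following Python block, an added example that is not iMaster NCE-Campus or device code, evaluates a small advanced ACL template against constructed packets. It uses the six-bit TCP flag layout listed above, the two address formats mentioned in the procedure (IP with mask, IP with wildcard mask) and the established match (ACK or RST set). Assumptions of this example, not stated on the page: rules are tried from the smallest priority value upward and the first match decides; a packet matching no rule is denied; a rule that selects several explicit flags requires all of them to be set.

```python
"""Evaluating an advanced ACL template against a packet.

Added example, not iMaster NCE-Campus or device code. It models the rule
fields of Table 2-64 (priority, action, protocol, source/destination address
and port, TCP flag) and the six-bit TCP flag layout of the TCP Flag parameter.
Assumptions: rules are tried in ascending priority value and the first match
decides; a packet matching no rule is denied; several explicit flags in one
rule must all be set.
"""
import ipaddress
from dataclasses import dataclass

# Bit values of the six TCP flags, as listed in the TCP Flag parameter.
TCP_FLAG_BITS = {"URG": 0b100000, "ACK": 0b010000, "PSH": 0b001000,
                 "RST": 0b000100, "SYN": 0b000010, "FIN": 0b000001}


@dataclass
class Packet:
    protocol: str          # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: int = 0     # the six-bit flag field of a TCP header


@dataclass
class Rule:
    priority: int          # smaller value = higher priority
    action: str            # "permit" or "deny"
    protocol: str = "Any"
    src: str = "any"       # "any", "a.b.c.d/len" or "a.b.c.d w.x.y.z" (wildcard mask)
    dst: str = "any"
    src_port: int = None   # None = any port
    dst_port: int = None
    tcp_flags: tuple = ()  # flag names, or ("established",)


def ip_matches(addr: str, spec: str) -> bool:
    """Match an address against "any", an IP/mask prefix, or an IP with a wildcard mask."""
    if spec == "any":
        return True
    if " " in spec:  # wildcard form: a 0 bit in the mask means that address bit must match
        base, wildcard = spec.split()
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def tcp_flags_match(flags: int, wanted: tuple) -> bool:
    """Apply the TCP Flag field: 'established' means ACK or RST is set; otherwise
    every selected flag must be set (assumption of this example)."""
    if not wanted:
        return True
    if "established" in wanted:
        return bool(flags & (TCP_FLAG_BITS["ACK"] | TCP_FLAG_BITS["RST"]))
    mask = 0
    for name in wanted:
        mask |= TCP_FLAG_BITS[name]
    return flags & mask == mask


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    if rule.protocol != "Any" and rule.protocol != pkt.protocol:
        return False
    if not ip_matches(pkt.src_ip, rule.src) or not ip_matches(pkt.dst_ip, rule.dst):
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.protocol == "TCP" and not tcp_flags_match(pkt.tcp_flags, rule.tcp_flags):
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """Return the action of the highest-priority matching rule, or 'deny' if none matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed sample template: let replies to connections opened from inside the
# 10.1.0.0/16 LAN back in, allow HTTPS to one web server, permit ICMP from the
# LAN, and deny everything else.
SAMPLE_RULES = [
    Rule(5, "permit", "TCP", dst="10.1.0.0/16", tcp_flags=("established",)),
    Rule(10, "permit", "TCP", dst="10.1.2.10 0.0.0.0", dst_port=443),
    Rule(20, "permit", "ICMP", src="10.1.0.0 0.0.255.255"),
    Rule(100, "deny"),
]
```

Rule 5 is the reason the established flag matters for a border ACL: a bare SYN towards the LAN carries neither ACK nor RST and falls through to the more specific rules, while the reply segments of a connection the LAN itself opened are accepted without listing their ports.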

Create a WAN RADIUS policy template

Context

To use a RADIUS server to authenticate access users, you need to configure interconnection between iMaster NCE-Campus and the RADIUS server.

Procedure
  1. Choose Design > Network Design > Template Management and click the Policy Template tab.
  2. Choose WAN RADIUS Server from the navigation pane and click Create. On the Create RADIUS Server page, set the IP address and port number of the primary authentication server. You are advised to set the IP address and port number of the secondary authentication server if a secondary server is available. Then, set the IP addresses and port numbers of the primary and secondary accounting servers, and decide whether to enable Include domain name as needed.

  3. Click Set next to Key to configure a key for the RADIUS server, and click OK.

  4. Click OK.

HWTACACS Server Template

Application Scenario

HWTACACS protects a network from unauthorized access and supports command-line authorization. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

Procedure
  1. Choose HWTACACS Server from the navigation pane.
  2. Click Create, set parameters, and click OK.

Parameter Description
Table 2-65 Policy Template (HWTACACS server)

Parameter

Description

Name

Unique identifier of an HWTACACS server template.

Use the built-in server

Meaning: Whether to configure iMaster NCE-Campus as an HWTACACS server.

If this function is enabled, you can configure either the SM or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters.

Primary authentication server address/Port; Secondary authentication server address/Port

Meaning: IP addresses and port numbers of the primary and secondary authentication servers.

Constraints: If only the address and port number of the primary authentication server are configured and those of the primary authorization server are not specified, authenticated users have only the default device permissions, which are described in the corresponding device product documentation.

Primary authorization server address/Port; Secondary authorization server address/Port

IP addresses and port numbers of the primary and secondary authorization servers.

Primary accounting server address/Port; Secondary accounting server address/Port

IP addresses and port numbers of the primary and secondary accounting servers.

Include domain names in usernames

Meaning: Whether to encapsulate domain names in usernames carried in request packets sent by devices to the TACACS server.

  • If this function is enabled, devices encapsulate domain names in usernames when sending packets to a TACACS server. The default domain name is default_admin.
  • If this function is disabled, devices do not encapsulate domain names in usernames when sending packets to a TACACS server.

Default setting: disabled

Device source IP address

After the function is enabled, you need to configure a device source IP address on the Provision > Physical Network > Site Configuration > Site Configuration > Switch > Advanced > Device Source IP Address Configuration page.

Key

Meaning: Shared key of the HWTACACS server.

Value range: The value is a string of 1 to 16 characters, and can contain letters, digits, and special characters.

Constraints: The value cannot contain spaces and question marks (?), and cannot contain only asterisks (*). For security purposes, it is recommended that the key contain at least six characters and contain at least two types of the following: lowercase letters, uppercase letters, digits, and special characters.
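The Key row above separates hard constraints (length, forbidden characters, not only asterisks) from a security recommendation (at least six characters and two character types), and Table 2-67 below applies a similar but stricter rule to SNMPv3 authentication and encryption passwords (8 to 64 characters, at least three of four character types). The following Python block is an added example, not iMaster NCE-Campus code, that checks planned credentials against both sets of rules before they are entered into a template; the function names, the errors/warnings split and the sample values are assumptions of this example.

```python
"""Checking an HWTACACS shared key and SNMPv3 passwords against the template rules.

Added example, not iMaster NCE-Campus code. The rules come from the Key row of
Table 2-65 (1 to 16 characters; no spaces or question marks; not only
asterisks; recommended at least six characters with at least two character
types) and from the Authentication/Encryption password rows of Table 2-67
(8 to 64 characters with at least three of the four character types).
The function names and the return formats are this example's own assumptions.
"""
import string

# Special characters as the page lists them: space plus ASCII punctuation.
SPECIALS = set(string.punctuation) | {" "}


def character_types(value: str) -> int:
    """Number of character classes present: uppercase, lowercase, digit, special."""
    classes = [
        any(c.isupper() for c in value),
        any(c.islower() for c in value),
        any(c.isdigit() for c in value),
        any(c in SPECIALS for c in value),
    ]
    return sum(classes)


def check_hwtacacs_key(key: str) -> dict:
    """Return {'errors': [...], 'warnings': [...]}. Errors break the constraints
    of the Key parameter; warnings only break its security recommendation."""
    errors, warnings = [], []
    if not 1 <= len(key) <= 16:
        errors.append("key must be 1 to 16 characters")
    if " " in key or "?" in key:
        errors.append("key must not contain spaces or question marks")
    if key and set(key) == {"*"}:
        errors.append("key must not consist only of asterisks")
    if len(key) < 6:
        warnings.append("recommended: at least six characters")
    if character_types(key) < 2:
        warnings.append("recommended: at least two character types")
    return {"errors": errors, "warnings": warnings}


def check_snmpv3_password(password: str) -> list:
    """Errors for an SNMPv3 authentication or encryption password (empty list = valid)."""
    errors = []
    if not 8 <= len(password) <= 64:
        errors.append("password must be 8 to 64 characters")
    if character_types(password) < 3:
        errors.append("password must contain at least three character types")
    return errors


if __name__ == "__main__":
    # Constructed sample values, not credentials from any deployment.
    print(check_hwtacacs_key("Tac@key01"))          # {'errors': [], 'warnings': []}
    print(check_hwtacacs_key("***"))                # one error, two warnings
    print(check_snmpv3_password("Snmp_Auth2024"))   # []
    print(check_snmpv3_password("snmpauth2024"))    # one error (two character types)
```

Keeping the recommendation as a warning rather than an error mirrors the table: a six-character key with two classes is the minimum the product accepts as reasonable, but a one-character key is still a valid input, so a planning script should flag it rather than refuse it.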

Configuring an SNMP Template

Fundamentals
  • Protocol template: Protocol parameters are configured in templates (for example, SNMP parameter template) so that iMaster NCE-Campus can uniformly configure protocol parameters for multiple devices.
  • Table 2-66 shows the mapping between authentication protocols and HMAC.
    Table 2-66 Mapping between the authentication protocol and HMAC

    • SHA2-256: HMAC192SHA256
    • SHA2-384: HMAC256SHA384
    • SHA2-512: HMAC384SHA512

Feature Requirements
  • Users with the admin permission can delete all protocol templates. Common users can delete the protocol templates created by themselves and the protocol templates whose access modes are public.
  • By default, only SNMPv3 and the corresponding security algorithm are enabled on iMaster NCE-Campus. After the insecure SNMP algorithm is enabled, you can select an insecure algorithm corresponding to SNMPv1, SNMPv2c, or SNMPv3. Insecure SNMP protocols or algorithms have security risks. Exercise caution when using them.
Prerequisites
  • The HMAC corresponding to the required authentication protocol is supported on the device. For example, if the SHA2-256 authentication protocol is required, HMAC192SHA256 is supported on the device.
  • You have obtained the information about NE port number, Authentication, Authentication password, Data encryption, Encryption password, Username, Context and Engine ID from devices.
Application Scenario

This section describes how to configure SNMP parameters for the communication between devices and iMaster NCE-Campus. You can use a template to configure SNMP parameters for multiple devices in a unified manner.

Procedure
  1. Choose from the main menu.
  2. Click Create.
  3. Set SNMP parameters according to Table 2-67.

    Table 2-67 Parameters for creating an SNMP template

    Parameter

    Description

    Template name

    Meaning: Name of an SNMP template, which can be customized.

    NE port number

    Meaning: UDP port on the device (network element) to which iMaster NCE-Campus sends SNMP requests, that is, the port the device's SNMP agent listens on. The standard SNMP agent port is 161.

    Value range: 1 to 65535

    SNMP version

    SNMP version.

    Default value: SNMPv3

    Security level

    Security level of SNMPv3. The default value is With authentication and encryption (authPriv), which both authenticates every message and encrypts its payload.

    Authentication

    Meaning: Protocol used for message authentication.

    Value range:

    • SHA-512
    • SHA-384
    • SHA-256

    Authentication password

    The password must meet the following requirements:

    • Contain 8 to 64 characters.
    • The password must contain at least three of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (for example, space, ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ ` { _ | } ~).

    Data encryption

    Meaning: Encryption protocol used for data encapsulation.

    Value range:

    • AES-256
    • AES-192
    • AES-128

    Encryption password

    The password must meet the following requirements:

    • Contain 8 to 64 characters.
    • The password must contain at least three of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (for example, space, ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ ` { _ | } ~).

    Username

    Username for accessing the device.

    Context

    SNMPv3 context name, which identifies the collection of management information that the SNMP engine on the device exposes.

    Engine ID

    Unique ID of the SNMP engine on the device. SNMPv3 localizes the authentication and encryption keys with the engine ID, so the value must match the engine ID actually configured on the device; otherwise authentication fails.

    Timeout period (s)

    Meaning: Upper limit of the time that iMaster NCE-Campus takes to perform an SNMP operation on a device. If the time that iMaster NCE-Campus takes to perform an SNMP operation on a device reaches the value of this parameter, iMaster NCE-Campus abandons this operation.

    Constraints:

    If the quality of the network between iMaster NCE-Campus and the device is low, you can set this parameter to a large value to improve the success rate of SNMP operations.

    Default value: 10

    Polling interval (s)

    Meaning: Interval between two polling operations of SNMP.

    Default value: 1800

    Maximum retry times

    Meaning: Maximum number of times that iMaster NCE-Campus attempts to perform an SNMP operation on a device. If the number of times that iMaster NCE-Campus attempts to perform an SNMP operation on a device reaches the value of this parameter, iMaster NCE-Campus abandons this operation.

    Constraints:

    If the quality of the network between iMaster NCE-Campus and the device is low, you can set this parameter to a large value to improve the success rate of SNMP operations.

    Default value: 5

    Access mode

    Whether the SNMP template is private or public.

    Public: indicates the template can be modified and deleted by all users.

    Private: indicates the template can be modified and deleted by the current user and administrator.

  4. Click OK.
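The following Python block is an added example, not part of this guide or of iMaster NCE-Campus: it checks an SNMP template against the rules in Table 2-66 and Table 2-67 before the template is applied (SNMPv3 with authentication and encryption, the authentication protocol to HMAC mapping, the HMAC being supported on the device as required in Prerequisites, the password complexity rule, and the port range). The dictionary keys and the `device_hmacs` set are assumed names for illustration, not the product's API; the device's supported HMAC list is something you obtain from the device.

```python
import re

# Table 2-66: authentication protocol -> HMAC the target device must support
AUTH_TO_HMAC = {
    "SHA2-256": "HMAC192SHA256",
    "SHA2-384": "HMAC256SHA384",
    "SHA2-512": "HMAC384SHA512",
}
# Table 2-67: data encryption protocols offered by the template
PRIV_PROTOCOLS = {"AES-128", "AES-192", "AES-256"}


def password_is_compliant(password: str) -> bool:
    """Password rule from Table 2-67: 8 to 64 characters and at least three of
    the four classes (uppercase, lowercase, digit, special)."""
    if not 8 <= len(password) <= 64:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def validate_snmp_template(template: dict, device_hmacs: set) -> list:
    """Return a list of findings; an empty list means the template is safe to apply.

    The keys (version, security_level, auth, priv, auth_password, priv_password,
    port) are assumed names that mirror Table 2-67, not the product's API.
    device_hmacs is the set of HMAC names the device supports, obtained out of
    band as the Prerequisites section requires.
    """
    findings = []
    version = template.get("version")
    if version != "SNMPv3":
        # SNMPv1/v2c carry the community string in cleartext; nothing else to check.
        findings.append("insecure SNMP version %r; use SNMPv3" % version)
        return findings
    if template.get("security_level") != "authPriv":
        findings.append("security level must be authentication and encryption (authPriv)")
    auth = template.get("auth")
    hmac = AUTH_TO_HMAC.get(auth)
    if hmac is None:
        findings.append("unsupported authentication protocol %r" % auth)
    elif hmac not in device_hmacs:
        findings.append("device lacks %s, required for %s" % (hmac, auth))
    priv = template.get("priv")
    if priv not in PRIV_PROTOCOLS:
        findings.append("unsupported data encryption protocol %r" % priv)
    for key in ("auth_password", "priv_password"):
        if not password_is_compliant(template.get(key, "")):
            findings.append("%s does not meet the complexity rule" % key)
    port = template.get("port", 161)  # 161 is the standard SNMP agent port
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("NE port number %r is outside 1 to 65535" % port)
    return findings
```

Run the check against the HMAC list reported by each device model before associating the template; a template that passes on an AR6000 series device may still fail on a device that lacks HMAC384SHA512.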
Related Tasks
  • Modify an SNMP template.

    To modify an added SNMP template, click in the Operation column of the SNMP template.

  • Delete an SNMP template.

    To delete an added SNMP template, click in the Operation column of the SNMP template.

  • View the number of devices associated with the SNMP template and device information.

    To view the number of devices associated with an SNMP template and device information, click the value in the Associated Devices column of the SNMP template in the SNMP template list.

  • Enable insecure SNMP configuration items.
    Log in to iMaster NCE-Campus as a system administrator. Choose System > System Management > Configuration Item Management and choose SNMP Configuration to enable insecure SNMP configurations.
    • By default, only the SNMPv3 protocol and corresponding security algorithms are enabled on the iMaster NCE-Campus. After the insecure SNMP algorithm is enabled, you can select an insecure algorithm corresponding to SNMPv1, SNMPv2c, or SNMPv3.
    • Using insecure SNMP protocols or algorithms has security risks. Exercise caution when using them.

Configuring a Parameter Set

You can add variable parameters in a template to a parameter set. In this way, when applying the same template, you can directly use this parameter set, without the need to customize variable parameters repeatedly.

Creating a Parameter Set
  1. Choose and click the Parameter Set Management tab.
  2. Click Create, enter parameter set name, click Add, and set parameter values. Parameter values with Encrypted enabled are not displayed in plaintext.

  3. Click OK.
Importing a Parameter Set
  1. Click Import and enter Parameter set name.
  2. Click template.xls to download a template, set parameters, and save the template to the local host.
  3. Click , select the template file saved in the local host, and click Upload.

  4. Click OK.
Exporting a Parameter Set

Select the parameter set to be exported and click Export. The parameter set is exported to an .xls file.

Deleting Parameter Sets

Click in the Operation column of a user-defined parameter set, or select multiple user-defined parameter sets and click Delete.

Modifying a Parameter Set

Click Edit in the Operation column of a parameter set and modify the parameter set.

Creating an IPsec Template

Context

If IPsec is required to transmit service traffic between SD-WAN site devices and other network devices to enhance security, you can configure IPsec profiles to set up IPsec tunnels.

Devices at SD-WAN sites can set up IPsec tunnels in multiple scenarios, as shown in the following figure:

  • When enterprise branches run IPv6 networks, an SD-WAN branch site and a legacy branch site can set up an IPv6 over IPv4 GRE over IPsec tunnel to communicate with each other.
  • An SD-WAN branch site and a legacy branch site can set up an IPsec tunnel to communicate with each other.
  • An SD-WAN branch site can set up an IPsec tunnel with a VPN gateway on a public cloud.
  • An SD-WAN cloud site can set up IPsec tunnels with VPCs on a public cloud. An SD-WAN offline site can connect to an SD-WAN cloud site through an SD-WAN overlay tunnel and then access applications on the cloud through IPsec tunnels.
Figure 2-12 IPsec tunnel application scenarios

Procedure
  1. Choose from the main menu. Click the WAN Template tab.
  2. Click the WAN IPsec Template tab.
  3. Click Create.

    A maximum of 1024 IPsec templates can be created.

  4. In the Create IPSec Template window that is displayed, set IPsec parameters as needed.

  5. Click OK.
Follow-up Procedure
Table 2-68 Follow-up processing of the IPsec template

  • Deleting an IPsec template
    Operation scenario and constraint: An IPsec template that is not bound to any GRE tunnel can be deleted.
    Procedure: On the WAN IPsec Template tab page, select the IPsec template to be deleted and click in the Operation column to delete it.

  • Modifying an IPsec template
    Operation scenario and constraint: An IPsec template that is not bound to any GRE tunnel can be modified.
    Procedure: On the WAN IPsec Template tab page, select the IPsec template to be modified and click in the Operation column to modify it.

Parameter Description
Table 2-69 Parameters on the Create IPSec Template tab page under WAN IPsec Template.

Parameter

Description

Data Plan in Advance

Template name

Name of an IPsec template.

Y

IKE Configuration

IKE version

Version of the IKE protocol. IKEv1 and IKEv2 are available.

NOTE:

IKEv2 is recommended.

Y

Authentication mode

Authentication method used in IKE negotiation. Currently, only pre-shared key (PSK) authentication is available.

Y

PSK

PSK used by IKE negotiation for authentication. The same PSK must be configured on the local and remote devices. Use a long, random PSK: a guessable PSK can be recovered offline by an attacker who captures the IKE exchange, and this is easiest in IKEv1 aggressive mode, where the hash computed over the PSK is sent unprotected.

Y

Confirm PSK

Confirm the PSK used by IKE negotiation.

-

Authentication algorithm

Authentication algorithm used in IKE negotiation.
  • SHA1: specifies HMAC-SHA1 as the authentication algorithm.
  • SHA2-256: specifies SHA-256 as the authentication algorithm.
  • SHA2-384: specifies SHA-384 as the authentication algorithm.
  • SHA2-512: specifies SHA-512 as the authentication algorithm.
  • SM3: specifies SM3 as the authentication algorithm.
    NOTE:

    The SM3 algorithm is only available for IKEv1.

SHA1 produces a 160-bit digest; SHA-256, SHA-384, and SHA-512 produce 256-bit, 384-bit, and 512-bit digests, respectively. A longer digest generally means a stronger algorithm but a slower calculation speed.

By default, the SHA2-256 authentication algorithm is used.

You are advised to use an authentication algorithm other than SHA1, because SHA1 is not secure enough.

Y

Exchange mode

Configure the IKEv1 exchange mode:

  • Main mode: separates the key exchange information from the identity authentication information. This separation protects identity information, thereby providing higher security.
  • Aggressive mode: exchanges fewer messages but sends identity information unprotected, so it provides weaker security. It applies to some specific network environments: if the IP address of the negotiation initiator is unknown or unstable and the two ends need to set up IKE SAs using a pre-shared key, aggressive mode is used.

-

PRF

Pseudorandom function (PRF) used by an IKE proposal to derive keying material:

  • AES-XCBC-128: the AES-XCBC-128 algorithm is used.
  • MD5: the MD5 algorithm is used.
  • SHA1: the SHA1 algorithm is used.
  • SHA2-256: the SHA2-256 algorithm is used.
  • SHA2-384: the SHA2-384 algorithm is used.
  • SHA2-512: the SHA2-512 algorithm is used.
    NOTE:
    • The PRF parameter needs to be set only when IKEv2 is used.
    • You are advised to use an algorithm other than SHA1 and MD5, because they are not secure enough.

-

Integrity algorithm

Integrity algorithm used in IKE negotiation:

  • AES-XCBC-96
  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512
    NOTE:
    • An integrity algorithm needs to be selected only when IKEv2 is used.
    • You are advised to use an integrity algorithm other than SHA1 and MD5, because they are not secure enough.

-

Encryption algorithm

Encryption algorithm used in IKE negotiation.
  • AES-128: indicates that the IKE proposal uses the AES encryption algorithm with a 128-bit key.
  • AES-192: indicates that the IKE proposal uses the AES encryption algorithm with a 192-bit key.
  • AES-256: indicates that the IKE proposal uses the AES encryption algorithm with a 256-bit key.
  • SM4: SM4 is an encryption algorithm released by the State Encryption Administration of China.

By default, the IKE encryption algorithm is AES-256.

NOTE:

The SM4 algorithm is supported only in IKEv1 negotiation.

Y

DH Group

Diffie-Hellman (DH) group used in IKE negotiation.
  • group 1: 768-bit Diffie-Hellman group.
  • group 2: 1024-bit Diffie-Hellman group.
  • group 5: 1536-bit Diffie-Hellman group
  • group 14: 2048-bit Diffie-Hellman group.
  • group 19: 256-bit Elliptic Curve Groups modulo a Prime (ECP) Diffie-Hellman group
  • group 20: 384-bit ECP Diffie-Hellman group.
  • group 21: 521-bit ECP Diffie-Hellman group.
  • group 24: 2048-bit Diffie-Hellman group that includes a 256-bit sub-group is used during IKE negotiation.

Group 1 provides the weakest security. Security increases with the MODP group size (group 14 and group 24 are stronger than groups 1, 2, and 5), and the ECP groups (19, 20, and 21) provide comparable or stronger security with less computation. Groups 1, 2, and 5 are too short for current use; a high-security DH group is recommended.

By default, Group 14 is used.

Y

Ike sa duration

IKE SA lifetime. Before the lifetime expires, a new SA is negotiated to replace the old one.

By default, the life time of an IKE SA is 86400 seconds.

-

IPsec Configuration

Security protocol

Security protocol used in IPsec:

  • ESP: Encapsulating Security Payload (ESP) protocol
  • AH: Authentication Header (AH) protocol
  • AH-ESP: Authentication Header and Encapsulating Security Payload used together (AH-ESP)

Y

ESP authentication algorithm

Authentication algorithm used by the ESP protocol:
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512
  • SM3
    NOTE:
    1. The SM3 algorithm is only available on IKEv1.
    2. If the authentication algorithm is set to SM3 or SHA1, the ESP encryption algorithm must be set to SM4.

By default, ESP uses the SHA2-256 authentication algorithm.

You are advised to use an authentication algorithm other than SHA1, because SHA1 is not secure enough.

Y

ESP encryption algorithm

Encryption algorithm used by the ESP protocol. The options are as follows:
  • AES-128: ESP uses the AES encryption algorithm with a 128-bit key.
  • AES-192: ESP uses the AES encryption algorithm with a 192-bit key.
  • AES-256: ESP uses the AES encryption algorithm with a 256-bit key.
  • SM4: SM4 is an encryption algorithm released by the State Encryption Administration of China.
NOTE:
  1. SM4 is supported only in IKEv1 negotiation.
  2. When the ESP encryption algorithm is set to SM4, the ESP authentication algorithm must be set to SHA1 or SM3.

By default, ESP uses the AES-256 encryption algorithm.

Y

AH authentication algorithm

Authentication algorithm used by the AH or AH-ESP protocol:

  • SHA1: SHA1 authentication
  • SHA-256: SHA2-256 authentication
  • SHA-384: SHA2-384 authentication
  • SHA-512: SHA2-512 authentication
  • SM3: SM3 authentication
NOTE:
  • You are advised to use an authentication algorithm other than SHA1, because it is not secure enough.
  • The SM3 algorithm is supported only in IKEv1 negotiation. When the SM3 algorithm is used, the padding mode for RSA signatures cannot be PSS.

-

PFS

  • NONE: The PFS function is not used. IPsec SA keys are then derived from the IKE SA keying material alone, so compromise of the IKE SA exposes the IPsec SA keys.
  • group1: 768-bit DH group is used during negotiation.
  • group2: 1024-bit DH group is used during negotiation.
  • group5: 1536-bit DH group is used during negotiation.
  • group14: 2048-bit DH group is used during negotiation.
  • group19: 256-bit ECP DH group is used during negotiation.
  • group20: 384-bit ECP DH group is used during negotiation.
  • group21: 521-bit ECP DH group is used during negotiation.
  • group24: 2048-bit DH group that contains 256-bit sub-groups is used during negotiation.

-

IPsec SA Aging Management

Time-based (s)

Lifetime of an IPsec SA, counted from the time it is established.

-

Flow-based (KB)

Maximum traffic allowed by the IPsec SA.

-

DPD

Whether to enable dead peer detection (DPD).

-

Detection mode:

  • Send periodically: If the local end does not receive any packet from the remote peer within the detection interval, it sends DPD packets at that interval to check whether the remote peer is available, regardless of whether it has traffic to send.
  • Send if necessary: DPD packets are sent only when the local end has traffic to send to the remote peer but has not received any packet from it within the detection interval (on-demand mode, which generates less DPD traffic).

-

Detection interval (s): specifies the interval at which DPD packets are sent.

The default interval at which DPD packets are sent is 30 seconds.

-

Retransmission interval (s): specifies the interval for retransmitting DPD packets.

By default, the interval for retransmitting DPD packets is 15 seconds.

-
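The following Python block is an added example, not part of this guide or of iMaster NCE-Campus: it encodes the recommendations and constraints of Table 2-69 as a checker you can run over a planned IPsec template before creating it (IKEv2 recommended, SHA1 and MD5 discouraged, PRF and integrity algorithm only with IKEv2, SM3 and SM4 only with IKEv1, the SM4 to SHA1/SM3 pairing rule for ESP, weak DH groups, and PFS disabled). The dictionary keys are assumed names chosen to mirror the table, not the product's API.

```python
WEAK_HASHES = {"SHA1", "MD5"}
COMMERCIAL_CRYPTO = {"SM3", "SM4"}   # Table 2-69: available only with IKEv1
STRONG_DH = {"group14", "group19", "group20", "group21", "group24"}


def check_ipsec_template(t: dict) -> list:
    """Return the findings for one template; [] means it follows every
    recommendation and constraint in Table 2-69. Keys are assumed names
    (ike_version, exchange_mode, ike_auth, prf, integrity, ike_encryption,
    dh_group, esp_auth, esp_encryption, pfs), not the product's API."""
    findings = []
    ikev1 = t.get("ike_version") == "IKEv1"

    # IKE: version and IKEv1 exchange mode
    if ikev1:
        findings.append("IKEv1 selected; IKEv2 is recommended")
        if t.get("exchange_mode") == "Aggressive":
            findings.append("aggressive mode sends peer identities unprotected")

    # IKE: authentication algorithm
    ike_auth = t.get("ike_auth")
    if ike_auth in WEAK_HASHES:
        findings.append("IKE authentication %s is not secure enough" % ike_auth)
    if ike_auth == "SM3" and not ikev1:
        findings.append("SM3 is available only with IKEv1")

    # IKE: PRF and integrity algorithm are IKEv2-only fields
    for key in ("prf", "integrity"):
        value = t.get(key)
        if ikev1:
            if value is not None:
                findings.append("%s is ignored with IKEv1" % key)
        elif value is None:
            findings.append("%s must be set for IKEv2" % key)
        elif value in WEAK_HASHES:
            findings.append("%s %s is not secure enough" % (key, value))

    # IKE: encryption algorithm and DH group
    if t.get("ike_encryption") == "SM4" and not ikev1:
        findings.append("SM4 is supported only in IKEv1 negotiation")
    if t.get("dh_group") not in STRONG_DH:
        findings.append("DH %s is weak; use group 14 or an ECP group" % t.get("dh_group"))

    # IPsec/ESP: SM4 must be paired with SHA1 or SM3, and vice versa
    esp_auth, esp_enc = t.get("esp_auth"), t.get("esp_encryption")
    if esp_enc == "SM4" and esp_auth not in ("SHA1", "SM3"):
        findings.append("ESP SM4 requires SHA1 or SM3 authentication")
    if esp_auth in ("SHA1", "SM3") and esp_enc != "SM4":
        findings.append("ESP %s requires SM4 encryption" % esp_auth)
    if esp_auth == "SHA1":
        findings.append("ESP authentication SHA1 is not secure enough")
    if (esp_auth in COMMERCIAL_CRYPTO or esp_enc in COMMERCIAL_CRYPTO) and not ikev1:
        findings.append("ESP SM3/SM4 are available only with IKEv1")

    # PFS: NONE means IPsec SA keys derive from the IKE SA alone
    if t.get("pfs") in (None, "NONE"):
        findings.append("PFS disabled; select a DH group so IPsec SA keys are independent of the IKE SA")
    return findings
```

Because the peer must accept the same proposal, run the checker on the template planned for the legacy branch or cloud VPN gateway as well; a template that passes here but is paired with a SHA1 or group 2 peer proposal will negotiate down to the weaker settings.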

Configuring a Feature Template

Overview

You can configure feature templates applicable to different device types as needed and use such templates to deliver configurations to multiple devices in batches, implementing device-level service provisioning.

Context

To deploy WAN features in batches, you need to configure a feature template. By using a feature template, you can deploy WAN features in batches on devices.

Procedure
  1. Choose from the main menu. Click the Feature Template tab.
  2. Click Create. The Create Feature Template page is displayed.
  3. Configure basic information about the feature template, including Template name and Template description.
  4. In the feature list, click Add a feature. In the dialog box that is displayed, click to expand the feature list, select the features to be configured, and click . The selected features are then displayed in the list on the right. After selecting required features, click OK. The following figure shows how to add SSH to Feature List.

  5. Click OK. The selected features are added to the feature list.

  6. Select a feature. On the Select Parameter page, select the parameters to be set for the selected feature. The parameter values set in the template are used as the default values and cannot be changed when the template is delivered.

  7. Click Next and set the parameters selected in the previous step.

  8. (Optional) To change parameters that need to be set when you configure a feature, click . This operation will clear the parameter values that have been entered.
  9. Click OK to complete the configuration of the feature template.
  10. On the Feature Template page, view the created template.

Related Operations
  • Delivering a template: You can click Deliver to access the Feature page under Batch Deployment and select the devices where the template needs to be delivered. As such, you can configure the features in the template on the target devices in batches.
  • Modifying a template: You can click Edit to access the Modify Feature Template page and modify the template as needed.
  • Viewing a template: You can click View to access the View Packet page and view the delivered packets for configuring features in the template to the target devices.
  • Deleting a template: You can click Delete to delete a template.

Configuring a Physical Interface

When a site gateway connects to a WAN-side device, the interconnection mode of physical interfaces needs to be planned. When a site gateway connects to a LAN-side device and the interface on the LAN-side device works in non-auto-negotiation mode, the gateway's LAN interface used for interconnection needs to work in non-auto-negotiation mode.

An Eth-Trunk interface is a logical interface formed by bundling multiple Ethernet interfaces to increase the link bandwidth and reliability.

To connect a site to a transport network through an Eth-Trunk interface, you need to configure an Eth-Trunk interface for the site. Eth-Trunks can be configured for connections with LAN- and WAN-side devices in multiple VNs of a site. In addition, an Eth-Trunk can be configured to connect dual gateways at a site. Eth-Trunk interfaces can be classified into Layer 2 and Layer 3 Eth-Trunk interfaces. You can configure Layer 2 or Layer 3 Eth-Trunk interfaces based on your network requirements.

Prerequisites
  1. Global parameters have been set for the site. For details, see Setting Global Parameters.
  2. Devices have been added. For details, see Adding Devices.
Procedure (Configuring a Physical Interface)
  1. Choose from the main menu.
  2. Click the Physical Interface tab.
  3. Select a device name from the device list on the left and click Create.
  4. On the Create Interface page, configure an interface as needed. The parameters to be set vary according to the interface type.

    • If a GE combo port on an AR5700&6700&8000 series device is configured to work as an optical port in non-auto-negotiation mode, the non-auto-negotiation configuration as well as the specified port rate will not be delivered to the device.
    • After iMaster NCE-Campus detects that a new board is inserted on an AR6700/AR8000 series device, you can create interfaces on this board after 10 minutes.

  5. Click Confirm.
Procedure (Configuring an Eth-Trunk Interface)
  1. Choose from the main menu.
  2. Click the Physical Interface tab.
  3. Click the Eth-Trunk tab.
  4. Select a device name from the device list on the left and click Create.
  5. Configure an Eth-Trunk interface as needed.

    • When creating an Eth-Trunk interface on a V600 device, you can select only Layer 3 interfaces as physical member interfaces.
    • The AR631I-LTE4EA and AR631I-LTE4CN do not support Eth-Trunk interfaces.

  6. Click OK.
Parameter Description
Table 2-70 Parameters for configuring a physical interface

Parameter

Description

Device

Device name.

Interface type

Type of the LAN or WAN interface to be configured. The value can be L3 or L2.

L2 indicates a Layer 2 interface and L3 indicates a Layer 3 interface. The former runs a data link layer protocol and has only Layer 2 switching capabilities. The latter runs a network layer protocol and has Layer 3 switching capabilities.

For GE, FE, and XGE interfaces, you can select L3 or L2. For other interfaces, L3 is used by default. Only GE, FE, and XGE interfaces can be used as LAN interfaces.

Interface

Type and number of the physical interface. Similar to the device name, the values cannot be modified.

The following types of interfaces are supported:

  • Gigabit Ethernet (GE) interface
  • Fast Ethernet (FE) interface
  • X Gigabit Ethernet (XGE) interface: is a 10GE interface.
  • Long Term Evolution (LTE) interface: is an LTE-capable physical interface that provides wireless WAN access services.
  • xDSL(ATM) interface: is a broadband access interface in asynchronous transfer mode (ATM).
  • xDSL(PTM) interface: is a broadband access interface in packet transfer mode (PTM).
  • E1-IMA (ATM) interface: uses the inverse multiplexing for ATM (IMA) technology to distribute ATM cell streams to multiple E1-IMA links for transmission.
  • IMA-group: is a bundled group of E1-IMA interfaces, which helps increase link bandwidth.
  • Serial: is one of the commonly used WAN interfaces. It can work in synchronous or asynchronous mode.

Physical type

Physical type of an interface. For example, the physical type of a GE interface is Ethernet, and the physical type of an LTE interface is Cellular. After selecting an interface type, you can view its corresponding physical type.

Interface bandwidth (for AR1000Vs only)

Bandwidth of a physical interface. The value ranges from 1 to 1000000, in Mbit/s.

APN (This parameter is configurable only when Interface is set to LTE.)

Enabling the multi-Access Point Name (APN) function of an LTE cellular interface helps provide data and VoIP services.

PVC(VPI/VCI) (This parameter is configurable only when Interface is set to xDSL(ATM), E1-IMA(ATM), or Ima-group.)

Permanent virtual channel (PVC), which is specified by a virtual path identifier (VPI) and virtual channel identifier (VCI).

Negotiation mode (This parameter needs to be set only when Interface is set to GE, FE, or XGE.)

Negotiation mode of the interface. Interfaces at both ends of a link must use the same negotiation mode. If an interface working in auto-negotiation mode frequently alternates between Up and Down, disable auto-negotiation and set the same rate and duplex mode on the interfaces at both ends of the link.

Working mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface working mode. Only combo interfaces support both optical and electrical working modes. You can select either of the two modes based on networking requirements. For interfaces of other types, set this parameter based on their supported working mode.

NOTE:

If an interface cannot work as an optical interface but its working mode is set to the optical mode, the configuration fails to take effect after being delivered to the CPE where the interface is located.

Duplex mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Duplex mode of the interface. Interfaces at both ends of a link must use the same duplex mode.

For optical interfaces, the duplex mode is fixed at the full duplex mode. For electrical interfaces, you can select the full-duplex or half-duplex mode according to the actual situation.

Speed (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface rate. Interfaces at both ends of a link must work at the same rate.

Optical Module Type (This parameter needs to be set only when Interface is set to XGE.)

Type of the optical module. Set this parameter based on the transmission rate requirements. Currently, GE and 10GE types are available. A GE optical module transmits traffic at a rate of 1000 Mbit/s, and a 10GE optical module transmits traffic at a rate of 10,000 Mbit/s. If 10GE is selected, the negotiation mode cannot be configured. The optical modules on the interfaces at both ends of a link must be of the same type.

STP enable (This parameter needs to be set only when Interface type is set to L2.)

Whether to enable STP on the interface.

Trust enable (This parameter is configurable only when Interface is set to GE or XGE.)

Whether to enable priority mapping on packets based on DSCP priorities.

Table 2-71 Parameters for configuring an Eth-Trunk interface

Parameter

Description

Device

Site gateway on which an Eth-trunk interface is to be created.

Eth-Trunk ID

ID of an Eth-Trunk interface. In the dual-gateway scenario, if the two gateways are connected through two Layer 3 physical links, the system automatically creates the Eth-Trunk 0 interface on each of the two gateways. In this case, you cannot create an Eth-Trunk interface with the ID of 0.

NOTE:

The value range of the Eth-Trunk ID varies depending on the AR model:

  • AR120 and AR160 series: 1 to 3
  • AR1200 series, AR2201-48FE, AR2204-27GE, AR2204-27GE-P, AR2204-51GE-P, AR2204-51GE, AR2204-51GE-R, AR2204E, AR2204E-D, and AR2202-48FE: 1 to 7
  • AR2204, AR2220E, AR1610-X6, AR651-X8, AR651W-X4: 1 to 14
  • AR2220, AR2240C, AR2240, AR6140 series, AR3200 series, and AR3600 series: 1 to 63
  • AR6300 series and AR6280 series: 1 to 31
  • AR6120 series, AR651, AR651C, AR651W, AR657, AR657W, AR651U-A4, and AR651F-Lite: 1 to 7
  • SRG1300: 1 to 7
  • AR5700 series: 1 to 7
  • AR6700 series: 1 to 15
  • AR8000 series: 1 to 63

Eth-Trunk type

Whether the Eth-Trunk interface works in Layer 2 or Layer 3 mode.

Eth-Trunk mode

Working mode of the Eth-Trunk interface.

  • Load-balance: indicates that the Eth-Trunk interface works in manual load balancing mode. If one of the devices at both ends of an Eth-Trunk does not support LACP, you can configure the Eth-Trunk interface to work in manual load balancing mode. In addition, you can add multiple member interfaces to increase the bandwidth and improve the reliability of the Eth-Trunk. In this mode, traffic is load balanced among all Eth-Trunk member links.
  • LACP-static: indicates that the Eth-Trunk interface works in static LACP mode. If two devices that are directly connected by an Eth-Trunk both support LACP, you can configure the Eth-Trunk interfaces to work in static LACP mode. Eth-Trunk interfaces working in static LACP mode exchange LACPDUs to determine member links for load balancing.
NOTE:
  • AR5700/AR6700/AR8000 series devices do not support this parameter. Eth-Trunk interfaces on these devices work in manual load balancing mode by default.
  • To ensure that an Eth-Trunk interface works properly, the working modes of the Eth-Trunk interfaces at both ends must be the same.
  • The static LACP mode is supported only in V300R022C00 and later versions.

LACP preemption (This parameter is configurable only when Eth-Trunk mode is set to LACP-static.)

Whether to enable LACP preemption for the Eth-Trunk in static LACP mode. After LACP preemption is enabled, the interfaces with higher priorities are preferentially selected as active interfaces. Each Eth-Trunk interface can contain a maximum of eight member interfaces and can contain up to eight active interfaces by default. As such, all member interfaces on the Actor are selected as active interfaces.

After an Eth-Trunk in static LACP mode is established, the end with a higher system priority is selected as the Actor. After the Actor is determined, both ends select active interfaces based on the interface priorities on the Actor. If the devices on both ends of an Eth-Trunk are not configured with system priorities, the devices use the default system priority (32768). In this case, the Actor is selected according to the system MAC address. That is, the device with the smaller system MAC address becomes the Actor.

NOTE:

To ensure that an Eth-Trunk works properly, enable or disable LACP preemption on both ends of the Eth-Trunk.

LACP timeout interval (This parameter is configurable only when Eth-Trunk mode is set to LACP-static.)

Timeout period for the Eth-Trunk interface in LACP mode to receive LACPDUs.

  • Slow: indicates that the timeout period for an Eth-Trunk in static LACP mode to receive LACPDUs is 90 seconds. If Slow is selected, the remote device sends an LACPDU every 30 seconds. In this mode, the local device responds to LACPDUs from the remote device slowly but consumes fewer system resources compared with the situation where the fast mode is configured. The timeout period on the two ends can be different. To facilitate maintenance, you are advised to set the same timeout period at both ends.
  • Fast: indicates that the timeout period for an Eth-Trunk interface in static LACP mode to receive LACPDUs is 3 seconds. If Fast is selected, the remote device sends an LACPDU every 1s. In this mode, the local device responds to the LACPDUs from the remote device rapidly but consumes more system resources compared with the situation where the slow mode is configured.

User-defined interval (This parameter needs to be set only when LACP timeout interval is set to Fast.)

Timeout period for an Eth-Trunk interface to receive LACPDUs when Fast is selected. The value is an integer from 3 to 90, in seconds. The default value is 3.

Physical interface

Member interface of the Eth-Trunk interface. A maximum of eight member interfaces can be added.

NOTE:
  • The physical member interfaces of an Eth-Trunk interface must be of the same type. For example, an Eth-Trunk cannot contain both GE and XGE member interfaces.
  • For devices running V300, only physical interfaces of the same type as Eth-Trunk type can be configured as member interfaces. For example, if Eth-Trunk type is L2, only L2 physical interfaces can be configured as member interfaces.
  • For devices running V600, only L3 physical interfaces can be configured as member interfaces. That is, no matter whether Eth-Trunk type is L2 or L3, the Eth-Trunk member interfaces can only be L3 interfaces.
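The following Python block is an added example, not part of this guide or of the AR device software: it models the LACP selection rules described under LACP preemption, that is, Actor selection by system priority and then by the smaller system MAC address, and selection of up to eight active member interfaces on the Actor by interface priority, with and without preemption. The `Member` and `Gateway` classes, the `port` field, and the tie-break by port number are assumptions of this model, not the product's configuration objects.

```python
from dataclasses import dataclass

LACP_DEFAULT_SYSTEM_PRIORITY = 32768   # used when no system priority is configured
LACP_MAX_ACTIVE = 8                    # up to eight active member interfaces by default


@dataclass
class Member:
    name: str
    port: int                 # assumed: port number used as the LACP tie-break
    priority: int = 32768     # interface priority; a lower value is preferred
    up: bool = True


@dataclass
class Gateway:
    name: str
    mac: str                  # system MAC, for example "00e0-fc00-0001"
    members: list
    system_priority: int = LACP_DEFAULT_SYSTEM_PRIORITY


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def select_actor(a: Gateway, b: Gateway) -> Gateway:
    """The Actor is the end with the higher system priority (numerically lower);
    with equal priorities, the end with the smaller system MAC address."""
    def system_id(gw):
        return (gw.system_priority, mac_to_int(gw.mac))
    return a if system_id(a) <= system_id(b) else b


def select_active(actor: Gateway, current_active=(), preempt=True,
                  max_active=LACP_MAX_ACTIVE) -> list:
    """Choose the active member interfaces on the Actor.

    With preemption enabled, the up members with the best (lowest) priority win,
    so a recovered high-priority link displaces a lower one. With preemption
    disabled, links that are already active keep their slot and only free slots
    are filled. Returns the sorted interface names."""
    up = [m for m in actor.members if m.up]
    ranked = sorted(up, key=lambda m: (m.priority, m.port))
    if preempt:
        chosen = ranked[:max_active]
    else:
        keep = [m for m in ranked if m.name in current_active]
        fill = [m for m in ranked if m.name not in current_active]
        chosen = (keep + fill)[:max_active]
    return sorted(m.name for m in chosen)
```

The model makes the operational point in the NOTE concrete: if one end preempts and the other does not, the two ends can disagree on which links are active, so enable or disable preemption on both ends together.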

Configuring ZTP

Context

WAN-side physical links must be configured before site deployment. ZTP does not need to be configured in scenarios where sites need to be deployed through the registration query center or cloud sites need to be deployed, and you can skip this section. ZTP needs to be configured in other deployment scenarios.

After a site completes the ZTP process or is activated successfully, you can add, delete, and modify WAN links as needed.

Prerequisites
  1. A site has been created. For details, see Creating a Site.
  2. Global site parameters have been set. For details, see Setting Global Parameters.
  3. (Optional) If IPv6 addresses need to be configured for WAN links, ensure that you have performed the following operations to configure the IPv6 address of the management plane:
    1. Log in to the management plane.
    2. Choose Product > Software Management > Deploy Product Software from the main menu and choose More > Modify Configurations. Set FILE_SERVER_IPV6 and SOUTH_ADDRESS_IPV6. The two parameters specify the file server IPv6 address and southbound IPv6 address, respectively.

    3. Choose Maintenance > Operation and Maintenance Management > Panoramic Monitoring from the main menu, choose Service Monitoring from the navigation pane, and click the Processes tab. On the page that is displayed, search for SDWANCfgService in the process list, select SDWANCfgService processes of all microservices, click Stop, and then click Start.

    4. Check the Status column of the SDWANCfgService processes in the process list. Ensure that the processes are in the running state.
Procedure
  1. Choose from the main menu. Click the ZTP tab to access the ZTP configuration page.
  2. Select a site to be deployed in ZTP mode and click Click to Deploy in the Physical Site area.

    1. Select Unconfigured from the Site List drop-down list.
    2. Click the site to be configured.
    3. Click Click to Deploy.

  3. Determine the deployment mode based on the deployment scenario and device model. For details, see Table 2-102.
  4. Configure ZTP for the site.

    1. Select the ZTP mode.
      • URL/U Disk: Select this mode if USB-based, email-based, or manual deployment is required.
      • DHCP Option: Select this mode if DHCP option-based deployment is required.
    2. Choose whether to enable Multiple sub-interfaces. After this function is enabled, multiple sub-interfaces can be configured on a device's physical interface. If this function is disabled, only one sub-interface can be configured.
    3. Choose whether to enable RDB-based deployment. By default, RDB-based deployment is disabled. This function cannot be disabled once it has been enabled.

      After RDB-based deployment is enabled, the WAN link for URL-based deployment can be modified and deleted online. After the WAN link configuration is updated, the system delivers the updates to the target device. The device does not need to be deployed again.

      Determine whether to enable RDB-based deployment based on the deployment mode and device model. For details, see Table 2-72.

      Table 2-72 Mapping between device models and functions

      RDB-based deployment:
      • AR600&6100&6200&6300&SRG series: This function is disabled in USB-based deployment and manual deployment scenarios and is optional in the email-based deployment scenario.
      • AR1000V: This function is disabled in manual deployment scenarios.
      • AR5700&6700&8000 series: This function is enabled by default and is not displayed on the GUI.

  5. Configure WAN links for devices.

    1. Click Select Template. On the Select WAN Link Template page, select a WAN link template and click OK.

      If the existing template does not meet your requirements, click Create to create a WAN link.

      A maximum of two ARs can be deployed as gateways. Otherwise, ZTP will fail.

    2. If Gateway is set to Dual Gateways, set parameters for Device1 and Device2, respectively.
    3. Select the link to be configured, and click in the Operation column.
    4. On the Set WAN Link tab page, set WAN link parameters.

      When configuring links for devices, you are advised to use wired WAN links to register devices with the controller.

      Pay attention to the following points when configuring interfaces:

      • WAN link interfaces must be different from LAN interfaces used for user services. Otherwise, the deployment fails.
      • To configure an LTE interface for a WAN link on an AR5700&6700&8000 series device, configure an LTE sub-interface.
      • Different interface types support different deployment modes. For details, see Table 2-73.
        Table 2-73 Device interface types and their supported deployment modes

        • Email-based deployment: loopback interfaces not supported; Eth-Trunk interfaces not supported.
        • USB-based deployment: loopback interfaces not supported; Eth-Trunk interfaces not supported.
        • DHCP-based deployment: loopback interfaces not supported; Eth-Trunk interfaces not supported.
        • Manual deployment: loopback interfaces supported; Eth-Trunk interfaces supported.

      When a site is activated for the first time, iMaster NCE-Campus cannot deliver the Eth-Trunk interface configuration of WAN links to devices at the site. You need to manually configure Eth-Trunk interfaces on the devices and then configure the interfaces in the same way on iMaster NCE-Campus. If you need to configure new Eth-Trunk interfaces for WAN link expansion at an activated site, you only need to configure the interfaces on iMaster NCE-Campus, which then delivers the configuration to the target devices.

    5. (Optional) If the selected interface cannot meet your requirements, click next to Interface to access the physical interface configuration page and configure an interface. For details, see Configuring a Physical Interface.

    6. Enable IPv4 or IPv6 based on the site's network plan and set related parameters. IPv4 and IPv6 can be enabled at the same time.
      • If the WAN is an IPv4 network, IPv4 must be enabled.
      • If the WAN is an IPv6 network, IPv6 must be enabled.

    7. Set Uplink bandwidth and Downlink bandwidth of the device. The values must be the same as the actual bandwidths of the device. Otherwise, the bandwidth usage will be abnormal.

    8. Set Link ID. You can plan a unique ID for each link in an SD-WAN network. This helps you query link information by ID during maintenance.
    9. Click OK to complete the WAN link configuration. Check whether the configuration status of the device is Configured.

  6. (Mandatory in dual-gateway scenarios) Configure interlinks connecting dual gateways at a site.

    VLAN ID: The number of VLAN IDs must be greater than that of departments. A maximum of 16 VLAN ranges can be configured, and the total number of VLANs cannot exceed 301. After the deployment is completed, you can change the VLAN ID.

    MTU: It is recommended that the MTU value for Layer 3 sub-interfaces and Eth-Trunk sub-interfaces of physical interfaces that directly connect the dual gateways be less than or equal to 8996, and the MTU value for Layer 2 VLANIF interfaces that connect the dual gateways be less than or equal to 1600.

    MSS: It is recommended that the MSS value for Layer 3 sub-interfaces and Eth-Trunk sub-interfaces of physical interfaces that directly connect the dual gateways be less than or equal to 2048, and the MSS value for Layer 2 VLANIF interfaces that connect the dual gateways be less than or equal to 1560.

    Device 1 Interface and Device 2 Interface must be the physical interfaces of the interlink connecting dual gateways. If two interlinks are required, the types of the two interlink interfaces on the same device must be the same. The types of the interfaces on both ends of an interlink must be the same.

  7. Click OK. The ZTP configuration is completed.
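The constraints stated in steps 3 to 6 (at most two gateway ARs, the interface types each deployment mode supports in Table 2-73, at least one active link at a dual-gateway site or a multi-link single-gateway site, and the interlink VLAN, MTU and MSS limits) can be checked offline before anyone clicks through the ZTP page. The following Python script is an added example, not part of this guide or of iMaster NCE-Campus; the SitePlan, WanLinkPlan and InterlinkPlan data classes, their field names and the sample plan values are assumptions constructed for the example.

```python
"""Pre-check of a planned ZTP site against the constraints in the procedure.

Added example. The data model below is an assumption made for the example;
it is not an iMaster NCE-Campus API or file format.
"""
from dataclasses import dataclass
from typing import List, Optional

# Table 2-73: interface types that each deployment mode does NOT support.
UNSUPPORTED_INTERFACES = {
    "email": {"Loopback", "Eth-Trunk"},
    "usb": {"Loopback", "Eth-Trunk"},
    "dhcp": {"Loopback", "Eth-Trunk"},
    "manual": set(),
}

# Interlink limits from step 6 (the MTU and MSS values are recommendations).
MAX_VLAN_RANGES = 16
MAX_VLAN_IDS = 301
MTU_LIMIT = {"L3": 8996, "L2": 1600}   # L3 sub-interface vs. L2 VLANIF
MSS_LIMIT = {"L3": 2048, "L2": 1560}


@dataclass
class WanLinkPlan:
    device: str          # planned gateway, e.g. "Device1" (constructed label)
    interface_type: str  # "GE", "LTE", "Eth-Trunk", "Loopback", ...
    role: str            # "active" or "standby"


@dataclass
class InterlinkPlan:
    vlan_ranges: str     # e.g. "100-120,200-215"
    layer: str           # "L3": sub-interface, "L2": VLANIF
    mtu: int
    mss: int


@dataclass
class SitePlan:
    deployment_mode: str           # "email", "usb", "dhcp" or "manual"
    departments: int
    links: List[WanLinkPlan]
    interlink: Optional[InterlinkPlan] = None


def parse_vlan_ranges(spec: str) -> List[range]:
    """Parse '100-120,200' into Python ranges; reject IDs outside 1-4094."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (1 <= lo_i <= hi_i <= 4094):
            raise ValueError(f"invalid VLAN range: {part}")
        ranges.append(range(lo_i, hi_i + 1))
    return ranges


def check_interlink(il: InterlinkPlan, departments: int) -> List[str]:
    """Step 6 checks for the interlink between dual gateways."""
    problems = []
    ranges = parse_vlan_ranges(il.vlan_ranges)
    total = sum(len(r) for r in ranges)
    if len(ranges) > MAX_VLAN_RANGES:
        problems.append(f"interlink: {len(ranges)} VLAN ranges, max {MAX_VLAN_RANGES}")
    if total > MAX_VLAN_IDS:
        problems.append(f"interlink: {total} VLAN IDs, max {MAX_VLAN_IDS}")
    if total <= departments:
        problems.append(f"interlink: {total} VLAN IDs must exceed {departments} departments")
    if il.mtu > MTU_LIMIT[il.layer]:
        problems.append(f"interlink: MTU {il.mtu} above recommended {MTU_LIMIT[il.layer]} for {il.layer}")
    if il.mss > MSS_LIMIT[il.layer]:
        problems.append(f"interlink: MSS {il.mss} above recommended {MSS_LIMIT[il.layer]} for {il.layer}")
    return problems


def check_site_plan(plan: SitePlan) -> List[str]:
    """Return a list of findings; an empty list means the plan passes."""
    problems = []
    gateways = {link.device for link in plan.links}
    if len(gateways) > 2:
        problems.append(f"{len(gateways)} gateways planned; at most two ARs can be gateways")
    unsupported = UNSUPPORTED_INTERFACES.get(plan.deployment_mode)
    if unsupported is None:
        problems.append(f"unknown deployment mode {plan.deployment_mode!r}")
        unsupported = set()
    for link in plan.links:
        if link.interface_type in unsupported:
            problems.append(f"{link.device}: {link.interface_type} interface not supported "
                            f"in {plan.deployment_mode} deployment")
    # At least one active link at a dual-gateway site and at a
    # single-gateway site with multiple WAN links.
    if (len(gateways) == 2 or len(plan.links) > 1) and \
            not any(l.role == "active" for l in plan.links):
        problems.append("no active WAN link planned; at least one is required")
    if len(gateways) == 2:
        if plan.interlink is None:
            problems.append("dual-gateway site: the interlink between the gateways is mandatory")
        else:
            problems.extend(check_interlink(plan.interlink, plan.departments))
    return problems


if __name__ == "__main__":
    # Constructed sample: email-based dual-gateway site with an LTE escape link.
    sample = SitePlan("email", 10,
                      [WanLinkPlan("Device1", "GE", "active"),
                       WanLinkPlan("Device2", "GE", "active"),
                       WanLinkPlan("Device2", "LTE", "standby")],
                      InterlinkPlan("100-115", "L3", 1500, 1460))
    for finding in check_site_plan(sample) or ["plan passes"]:
        print("-", finding)
```

Run the script against the site plan that was agreed with the customer before the ZTP page is filled in; a non-empty list points at the step of the procedure that would otherwise fail during deployment.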
Follow-up Procedure

After the site configuration is completed, Table 2-74 describes the available site states, and Table 2-75 describes the follow-up procedures after sites are activated.

Table 2-74 Site status

  • Configuration status (shown as not configured or configured): whether WAN links of the site have been configured.
  • Activation status (shown as not activated or activated): whether a deployment email has been sent to the gateway at the site or the ZTP file of the gateway has been downloaded.

Table 2-75 Follow-up procedures after a site is activated

Function

Operation Scenario and Constraint

Procedure

Adding a WAN link

After a site is activated, you can add WAN links to the site.

  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site for which you want to add a WAN link. The WAN link configuration page is then displayed.
  2. Click Create and set WAN link parameters.
  3. Click OK.

Deleting a WAN link

After a site is activated, you can delete WAN links of the site as needed.

NOTE:
  • The WAN link used by a service (such as underlay routing, NTP, underlay ACL, Internet access, or site-to-site access) cannot be deleted.
  • If a WAN link is used by a manually configured NTP client, this is checked during deletion and the WAN link cannot be deleted. If a WAN link is not used by the NTP client, you can delete the WAN link, but you need to clear the NTP client configuration that was automatically generated when the WAN link was configured.
  • Adding or deleting WAN links at a site may cause ARs to be disconnected from the controller. If the link for URL-based deployment at a site is deleted, the site needs to be re-deployed. If an Eth-Trunk is deleted, you need to manually delete the Eth-Trunk configurations from the related devices. Otherwise, a configuration conflict may occur.
  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site from which you want to delete a WAN link. The WAN link configuration page is then displayed.
  2. Select the link to be deleted and click Delete. In the displayed Warning dialog box, click OK.

Modifying a WAN link

After a site is activated, you can modify the WAN link that has been configured at the site, for example, changing the IP address of the WAN link interface.

NOTE:
  • Only GE, FE, XGE, and LTE interfaces and their sub-interfaces can be modified.
  • The enabling status of the IPv4 or IPv6 protocol cannot be modified. For example, if the IPv6 protocol has been enabled, it cannot be disabled.
  • Changing the interface IP address of the link used for deployment on a device will disconnect the device for a period of time.
  • For AR1000V and AR600&6100&6200&6300&SRG series devices, only V300R022C00 and later versions support WAN link modification.
  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site where a WAN link needs to be modified. The WAN link configuration page is then displayed.
  2. Select the link to be modified and click in the Operation column. In the Set WAN Link dialog box that is displayed, modify the parameters that are not dimmed. For example, you can modify the IP address of the WAN link interface.
  3. To modify the deployment link of an AR1000V or AR600&6100&6200&6300&SRG series device, click OK or Update Deployment Configuration after the modification is completed.
    • If you click OK: After the configurations are modified on iMaster NCE-Campus, the modified configurations, excluding those related to URL-based deployment, are synchronized to the device.
    • If you click Update Deployment Configuration: After the configurations are modified on iMaster NCE-Campus, the modified configurations are synchronized to the device.

    To modify configurations of other devices or links not used for deployment, click OK.

    NOTE:

    After modifying network interconnection parameters of a device link used for URL-based deployment, click Update Deployment Configuration or deploy the device again for the modified configuration to take effect.

Changing the link used by a device for controller registration

You can change the link used by a device for controller registration if the device has multiple WAN links, if the quality of the current link used for controller registration is poor, or if a new link needs to be selected for controller registration.

NOTE:
  • Changing the link used by a device for controller registration may disconnect the device for a period of time.
  • Only ARs running V300R019C13 and later versions support this function.
  • If the link switchover fails, you can view the failure cause in the registration link switchover area.
  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site where a WAN link switchover is required. The WAN link configuration page is then displayed.
  2. Select the current registration link and click Switch. In the dialog box that is displayed, select a new link and click OK.

Clearing WAN configurations

After clearing WAN configurations of a site, you can delete this site and restore devices at this site to the undeployed state. This function is not applicable to a site that has been connected to an RR, added to a VN, or configured with a policy.

  1. Choose from the main menu and click the ZTP tab.
  2. Select a deployed site and click Clear WAN Configurations. After the site's WAN configurations are cleared, you can delete the site or deploy it again.
Parameter Description
Table 2-76 Parameters of configuring sites and devices

Parameter

Description

Data Plan Required or Not

ZTP Mode

URL-, USB-, and DHCP option-based deployment modes are supported. The system selects an orchestration scheme based on the deployment mode. The options are as follows:
  • URL-/USB-based deployment: iMaster NCE-Campus generates a deployment file that contains IP address and VPN information about WAN interfaces and sends this file to the CPE to be deployed. After the CPE registers with iMaster NCE-Campus successfully, iMaster NCE-Campus automatically delivers information such as the device IP address and interface rate to the CPE.
  • DHCP option-based deployment: No deployment files are generated in this mode. After a CPE registers with iMaster NCE-Campus successfully, iMaster NCE-Campus delivers IP address and VPN configurations for WAN interfaces to the CPE.

Y

Multiple sub-interfaces

Whether a single physical interface can be configured with multiple sub-interfaces.

Y

RDB-based deployment (This parameter is configurable when an AR600&6100&6200&6300&SRG series or AR1000V device is to be deployed.)

For an AR1000V or AR600&6100&6200&6300&SRG series device, the configurations delivered by iMaster NCE-Campus are stored as RDB files. For non-V600 devices, URL-based deployment in RDB mode can be enabled only for links with GE, FE, or XGE physical interfaces.

For a device running V300R022C00 or a later version:

  • If RDB-based deployment is disabled for URL-based deployment, after the deployment, WAN links for URL-based deployment can be modified online, for example, the link's IP address can be changed. However, these WAN links cannot be deleted. (The WAN links can be deleted on the iMaster NCE-Campus GUI, but the deletion operation is not delivered to the corresponding devices.) To delete WAN links for URL-based deployment from devices, you need to re-deploy the devices.
  • If RDB-based deployment is enabled for URL-based deployment, after the deployment, WAN links for URL-based deployment can be modified and deleted online.

For a device running V300R019C13 or a later version and earlier than V300R022C00:

  • If RDB-based deployment is disabled for URL-based deployment, after the deployment, WAN links for URL-based deployment cannot be modified and deleted online. (The WAN links can be deleted on the iMaster NCE-Campus GUI, but the deletion operation is not delivered to the corresponding devices.) To modify and delete WAN links for URL-based deployment on devices, you need to re-deploy the devices.
  • If RDB-based deployment is enabled for URL-based deployment, after the deployment, WAN links for deployment can be modified and deleted online.
NOTE:
  1. RDB-based deployment is not supported when the WAN link for URL-based deployment uses an IPv6 address.
  2. After iMaster NCE-Campus is upgraded from a version earlier than V300R022C00 to V300R022C00, devices deployed in enhanced mode before the upgrade of iMaster NCE-Campus will have RDB-based deployment enabled on the controller.
  3. Before configuring URL-based deployment in RDB mode for a device, the device must be restored to factory settings.

Y

Select Template

Site template used to specify the gateway and WAN link configuration for a site.

-

Link name

Name of a WAN link. If a WAN link is created using the default site template, the link name is Internet or MPLS. If a WAN link is created using a customized site template, the link name is specified when the template is created. This setting cannot be modified after the WAN link configuration is completed.

Y

Transport network

Type of the transport network to which a WAN link belongs. This value cannot be modified when you modify a WAN link. It specifies the WAN-side network to be accessed. The value is specified by Transport network created on the WAN Global Configuration tab page. For details about how to configure transport networks in the WAN global configuration, see Configuring a Transport Network.

Y

Role

Link role.

  • Active: In normal cases, service traffic is transmitted through active links, over which overlay tunnels are set up. Keepalive packets are sent to detect connectivity of overlay tunnels. When there are multiple active links, you can enable the intelligent traffic steering function so that active links are selected to transmit service traffic and the others function as backup links. If the active links fail, service traffic is switched to a backup link, and can be switched back after the active links are recovered.
  • Standby: It is typically used as an escape link, which is an LTE or 5G link in most cases. When active links are functioning properly, tunnels are not set up over standby links and standby links do not participate in intelligent traffic steering. In addition, no data usage is charged on standby links. A standby link has the lowest priority. Only when all active links fail, overlay tunnels are set up over standby links for traffic forwarding, and their connectivity is detected through Keepalive packets. As long as one active link recovers, traffic is switched back to the active link. At least one active link must be configured at a single-gateway site with multiple WAN links and at a dual-gateway site.

-

Alarm for standby links (This parameter can be configured only when Role is set to Standby.)

After this item is toggled on, when a tunnel is established over the standby link and traffic is switched to this tunnel for forwarding, an alarm indicating that the standby link is used is reported.

This item is toggled on by default.

NOTE:
  • This parameter is applicable only to devices running V300R022C00SPC100 and later versions.
  • AR5700&6700&8000 series do not support this parameter.

Y

Device

Gateway to which a WAN link connects. This setting cannot be modified after the WAN link configuration is completed.

Y

Interface

WAN link parameters to be planned vary according to the interface type specified in the site plan. Type and number of the physical interface used by the current link, which cannot be modified after the WAN link configuration is completed. You can select a physical WAN interface or a virtual interface (that is, a loopback interface).

When iMaster NCE-Campus is deployed on the LAN side of a DC, multiple WAN interfaces and one virtual interface can be configured for a site. The site uses physical interfaces to connect iMaster NCE-Campus and other sites and uses the virtual interface to transmit overlay traffic. The physical and virtual interfaces must belong to the same VN instance.

NOTICE:
  1. When configuring a physical interface for a WAN link, ensure that the interface works in Layer 3 mode. If not, switch the interface to work in Layer 3 mode. Otherwise, the configuration fails to be delivered.
  2. If two WAN links are configured, one with a virtual interface and the other with a physical interface, the overlay tunnel function cannot be enabled on the WAN link using the physical interface.
  3. If a loopback interface is configured for a WAN link, the link and application bandwidth usage trends on the overlay network at a site and between sites are displayed as 0. This is because the uplink and downlink bandwidths of the loopback interface cannot be set.
  4. If an Eth-Trunk interface needs to be configured for a WAN link, create this Eth-Trunk interface in advance. For details, see Configuring a Physical Interface.

Y

Sub-interface (This parameter is configurable only when Interface is set to GE, FE, XGE, LTE, xDSL(ATM), xDSL(PTM), E1-IMA(ATM), Ima-group, or Eth-Trunk, or when Interface is set to Serial and Interface protocol is set to FR.)

Whether to use sub-interfaces. Currently, only Dot1q sub-interfaces are supported.

  • When Interface is set to GE, FE, XGE, xDSL(ATM), xDSL(PTM), or Eth-Trunk, configure a Dot1q VLAN sub-interface.
  • When Interface is set to LTE, set Number as required.
  • When Interface is set to E1-IMA(ATM), Ima-group, or when Interface is set to Serial and Interface protocol is set to FR, set a sub-interface number as required. The sub-interface numbers on the local and peer devices must be the same.

Consider the following points when planning sub-interfaces:

  • IPv4 Ethernet or xDSL (PTM) sub-interface: If a VLAN needs to be terminated, select either of the two interfaces.
    • Sub-interface number: You need to plan a number for a sub-interface. The sub-interface name consists of the parent interface name (for example, GE0/0/0) followed by a period and then by the specified sub-interface number. For example, you can create a sub-interface for the WAN interface GE0/0/0 named GE0/0/0.10, where 10 indicates the sub-interface number.
    • Dot1q VLAN: You need to plan a VLAN ID for a sub-interface. If this parameter is specified, a Dot1q termination sub-interface is created on the parent interface, which removes the tag of the specified VLAN. The VLAN ID set for the Dot1q termination sub-interface on the local device must be the same as that set on the peer device.
    NOTE:

    AR5700&6700&8000 series devices support Eth-Trunk sub-interfaces since V600R022C00.

  • LTE sub-interface
    • Sub-interface number: You need to plan a number for a sub-interface. When two sub-interfaces are configured for the LTE interface on an LTE link, the LTE link is divided into two logical links for dialup to access the LTE network. Before creating two sub-interfaces for an LTE interface on a CPE, make sure that the CPE at the site supports dialup through two channels on the LTE interface.
      NOTE:

      To use an LTE interface on the WAN link of an AR5700&6700&8000 series device, you need to create a sub-interface. The sub-interface number ranges from 1 to 4 on AR5700&6700&8000 series devices and ranges from 1 to 2 on devices of other series.

  • xDSL link (ATM), E1-IMA, and IMA group sub-interfaces
    • Sub-interface number: You need to plan a number for a sub-interface.
  • Serial sub-interface using the FR protocol
    • Sub-interface number: You need to plan a number for a sub-interface.
    • Access type: This parameter can be set to P2P or P2MP.
      • If Access type is set to P2P: A P2P sub-interface connects to a single remote device. Only one PVC needs to be configured for a sub-interface, and a unique remote device can be determined without configuring static address mapping.
      • If Access type is set to P2MP: A P2MP sub-interface connects to multiple remote devices. Multiple PVCs can be configured for a sub-interface, and each PVC is mapped to the IP address of a remote device. In this way, different PVCs can connect to different remote devices.

Y

Port description

Interface description. You can centrally plan WAN links of a site and describe the CPE and site to which the interface belongs. The deployment email can contain the interface description so that deployment personnel can determine whether the site they are going to deploy is the planned one based on the interface description.

Y

Number (This parameter is configurable only after Sub-interface is enabled.)

Sub-interface number, which is used to identify a sub-interface. The value is in the range from 1 to 4094.

You need to plan a number for a sub-interface. The sub-interface number is used as the name of the sub-interface.

  • IPv4 Ethernet or xDSL (PTM) sub-interface: You need to plan a number for a sub-interface. The sub-interface name consists of the parent interface name (for example, GE0/0/0) followed by a period and then by the specified sub-interface number. For example, you can create a sub-interface for the WAN interface GE0/0/0 named GE0/0/0.10, where 10 indicates the sub-interface number.
  • LTE sub-interface: You need to plan a number for a sub-interface. When two sub-interfaces are configured for the LTE interface on an LTE link, the LTE link is divided into two logical links for dialup to access the LTE network. To create two sub-interfaces for an LTE interface on a CPE, make sure that the CPE at the site supports dialup through two channels on the LTE interface.
  • xDSL (ATM) link, E1-IMA, or IMA group sub-interface: You need to plan a number for a sub-interface.
  • Serial sub-interface using the FR protocol: You need to plan a number for a sub-interface.

Y

Number (This parameter needs to be set only when Interface is set to LTE and Sub-interface is enabled.)

Number of an LTE cellular interface.

Y

VN instance

Name of the VN instance on the underlay network to which the interface is to be added. The value is a character string starting with underlay_, for example, underlay_1.

Y

PVC(VPI/VCI) (This parameter is configurable only when Interface is set to xDSL(ATM), E1-IMA(ATM), or Ima-group.)

Virtual path identifier (VPI) and virtual channel identifier (VCI) of a PVC, for example, 1/101.

Y

VLAN ID (This parameter is configurable only when Sub-interface is enabled)

VLAN ID of a sub-interface. The value is in the range from 1 to 4094.

If a sub-interface is used as the interface of a deployment link, you need to plan a VLAN ID for the sub-interface. The VLAN ID must be the same as that configured on the interconnected device.

Y

IPv4

Interface protocol (This parameter needs to be set only when Interface is set to GE, FE, XGE, xDSL(PTM), xDSL(ATM), E1-IMA(ATM), Ima-group, Serial, Eth-Trunk, or LoopBack.)

Interface protocol used by the physical interface connecting a CPE to the WAN.

GE, FE, XGE, and xDSL (PTM) interfaces support the following protocols:

  • IPoE
  • PPPoE

xDSL (ATM), E1-IMA (ATM), and Ima-group interfaces support the following protocols:

  • IPoA
  • IPoEoA
  • PPPoA
  • PPPoEoA

Serial interfaces support the following protocols:

  • PPP
  • HDLC
  • FR

Eth-Trunk interfaces support the following protocol:

  • IPoE

Loopback interfaces support the following protocol:

  • IPoE

Y

IP address access mode (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA.)

Mode for assigning an IP address for the interface connecting a CPE to the WAN. The following modes are supported:

  • Static: A static IP address is assigned. This mode is recommended for central sites and aggregation sites.
  • Dynamic: DHCP is used to dynamically allocate IP addresses. This mode is recommended for branch sites.

Y

IPv4 address (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.)

IP address statically assigned to the interface connecting a CPE to the WAN. At a central or an aggregation site, this IP address must be the same as the public IP address. In the NAT scenario, for central, aggregation, RR, and edge sites, this address must be set to the private IP address that is mapped to Public IP.

Y

Subnet mask (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.)

Y

IPv4 gateway (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.)

IP address of the interface on a WAN-side PE to communicate with the current site.

Y

IPv4 Public IP address

IP address used by a CPE to connect to the WAN. In the EVPN tunnel mode, this parameter needs to be set only for RR sites.

The public IP address is an external accessible IP address on the current link. An edge site can register with an RR site through this address. In a carrier network scenario, this parameter is allocated by the carrier in a unified manner. On an enterprise network, an enterprise administrator selects IP addresses from the network segment assigned by the carrier as public IP addresses.

In NAT scenarios, this parameter must be set to a public IP address mapped to an address on an external network.

-

Active APN (This parameter is configurable only when Interface is set to LTE.)

Whether to enable the multi-Access Point Name (APN) function of an LTE cellular interface, which is used to implement data and VoIP communication.

Y

User name (This parameter needs to be set only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

Username and password allocated by the carrier to connect to the WAN.

Y

Password (This parameter needs to be set only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

Y

Priority

Priority of an APN. The priority value is an integer from 1 to 255. The default value is 100. A larger value indicates a higher priority. In the dual-SIM card scenario, primary and secondary APNs are configured for the same cellular interface or LTE/5G channel interface and associated with different SIM cards. You can set different priorities for the APNs to configure LTE/5G network access through a specific SIM card.

AR5700&6700&8000 series devices do not support this parameter.

Y

Track

Whether to enable APN switching based on NQA probe results. If this function is enabled, the device performs NQA probes on the 3G/LTE/5G network after successful dial-up through the cellular interface or cellular channel interface. If three consecutive probes fail, iMaster NCE-Campus considers the APN unavailable and uses the secondary APN for the next dial-up. AR5700&6700&8000 series devices do not support this function.

Y

Destination IP address (This parameter needs to be set only when Track is enabled.)

Destination address of an NQA test instance.

Y

Standby APN (This parameter is configurable only when Interface is set to LTE.)

Parameters of the standby APN, including the APN ID, username, password, priority, and whether to enable the track function. For details about the parameters, see the description of the parameters for configuring the active APN.

You can configure a standby APN only when an active APN has been configured. The standby APN configuration cannot be delivered during email-based deployment. This configuration is automatically delivered to the target device after it goes online. AR5700&6700&8000 series devices do not support the standby APN configuration.

NOTICE:
  • The standby APN function can be configured only for devices with dual SIM cards. When a standby APN is configured for a device with a single SIM card, the SIM card and the APN information do not match. As a result, the LTE interface module on the device is abnormal, causing APN dial-up failures.
  • The standby APN function is available in V300R022C00 and later versions.

Y

Auth type (This parameter needs to be set only when Interface is set to LTE and URL-based deployment is disabled, or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

Authentication mode of the APN information. The options include CHAP and PAP.

NOTE:

CHAP is recommended, because it is more secure than PAP.

Y

Automatic switchback (This parameter is configurable only after Standby APN is configured.)

Whether to enable automatic APN switchback.

After Track is toggled on, when the active APN fails or is unavailable, the standby APN is used for dial-up.

If Automatic switchback is enabled, the device automatically switches back to the active APN after a specified time period. This function is disabled by default.

NOTE:

If a device switches to the standby APN because the active APN is faulty and Automatic switchback is toggled on, the device will switch back to the active APN after the specified time period.

If iMaster NCE-Campus detects that the active APN is still faulty or unavailable when the device switches back to the active APN, the device switches back to the standby APN again. In this case, frequent SIM card switchovers occur, resulting in service interruption.

Therefore, if the active APN cannot recover within a short period of time, you are advised to disable the automatic switchback function or modify the time period after which a switchback occurs.

Y

Time

Period, in minutes, after which an automatic APN switchback occurs. The default value is 60. The value ranges from 1 to 65535.

Y

IPv4 Overlay tunnel

Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created over the WAN link.

-

NAT traversal

Whether to enable NAT traversal on the WAN. If a NAT device is deployed between the site on a private network and the WAN side, enable the NAT traversal function to set up overlay tunnels with other sites and RRs. NAT traversal does not need to be configured for IPv6 WAN links.

After this parameter is enabled, external users can access internal servers and internal users can access external networks in the NAT scenario.

NOTE:

If NAT traversal is enabled, IPsec encryption must be enabled for transport networks in routing domains. For details about how to enable IPsec encryption, see Setting Global Parameters.

Y

URL-based deployment

Whether to enable URL-based deployment for the current link.

  • If this function is enabled, the interface's IPv4 settings are loaded to the target device through URL-based deployment.
  • If this function is disabled, the interface's IPv4 settings are delivered to the target device through NETCONF.
NOTE:
  1. This parameter is configurable only when ZTP Mode is set to URL/U Disk. A device can have URL-based deployment enabled for a maximum of three links.
  2. For a single-gateway site that uses the URL-based deployment mode, enable URL-based deployment for at least one link.

-

Set as southbound device access address (This parameter needs to be set only when URL-based deployment is enabled.)

When configuring a WAN link, you need to set Southbound interface service. If Set as southbound device access address is toggled on, the primary IP address of the specified southbound access service is used as the onboarding IP address in the deployment email.

  • If WAN links are configured with the same southbound access service, you do not need to toggle on this parameter.
  • If WAN links are configured with different southbound access services, you need to toggle on Set as southbound device access address for one link.

-

Southbound interface service

IP address of an iMaster NCE-Campus southbound access service. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has customized and enabled other southbound access services, you can select customized access services for the WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

-

Southbound access priority

Priority of a controller southbound access service. This parameter is configurable after Southbound interface service is set.

  • The priority can be High, Medium, or Low. The default value is Low.
  • For AR5700&6700&8000 series devices, the priority takes effect only for performance channels and is supported in V600R022C00 and later versions.
    NOTE:

    If a device has multiple WAN links, you can configure Southbound access priority for each WAN link. After the device starts, it can select a WAN link based on the priority to register with iMaster NCE-Campus.

    Assume that a device has both Internet and LTE links, and needs to use the Internet link as the active link and the LTE link as the backup link. When configuring ZTP, you can set Southbound access priority of the Internet link to High and that of the LTE link to Medium or Low. As such, the device preferentially selects the Internet link when it attempts to register with iMaster NCE-Campus, and automatically switches to the LTE link for registration if the Internet link is faulty.

Y

IPv6

Interface protocol

Only IPoE is supported when IPv6 is enabled.

Y

IP address access mode

Mode for assigning an IPv6 address to the WAN-side interface. Currently, IPv6 addresses can be configured only for FE, GE, and XGE interfaces using the IPoE protocol, including their sub-interfaces.

  • Static: A static IPv6 address is assigned.
  • Dynamic: DHCP is used to dynamically allocate IPv6 addresses.
  • ND: An IPv6 address is automatically generated through Neighbor Discovery Protocol (NDP).

Y

IPv6 address (This parameter needs to be set only when IP address access mode is set to Static.)

IPv6 address statically assigned to the interface connecting a CPE to the WAN.

NOTE:

IPv6 addresses can be configured only for GE, FE, and XGE interfaces. Device interfaces at RR sites can be configured only with static addresses.

Y

Subnet prefix length (This parameter needs to be set only when IP address access mode is set to Static.)

Prefix length of the IPv6 address.

Y

IPv6 gateway (This parameter needs to be set only when IP address access mode is set to Static.)

Default IPv6 gateway address of the interface.

Y

IPv6 Overlay tunnel

Whether to enable the IPv6 overlay tunnel function. If this function is enabled, an IPv6 overlay tunnel is created over the WAN link.

-

URL-based deployment

Whether to enable URL-based deployment for the current link.

  • If this function is enabled, the interface's IPv6 settings are loaded to the target device through URL-based deployment.
  • If this function is disabled, the interface's IPv6 settings are delivered to the target device through NETCONF.
NOTE:
  1. This parameter is configurable only when ZTP Mode is set to URL/U Disk. A device can have URL-based deployment enabled for a maximum of three links.
  2. For a single-gateway site that uses the URL-based deployment mode, enable URL-based deployment for at least one link.

-

Set as southbound device access address (This parameter needs to be set only when URL-based deployment is enabled.)

When configuring a WAN link, you need to set Southbound interface service. If Set as southbound device access address is toggled on, the primary IP address of the specified southbound access service is used as the onboarding IP address in the deployment email.

  • If WAN links are configured with the same southbound access service, you do not need to toggle on this parameter.
  • If WAN links are configured with different southbound access services, you need to toggle on Set as southbound device access address for one link.

Y

Connected IPv6 southbound address

IPv6 address of an iMaster NCE-Campus southbound access service. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has enabled the IPv6 address of a customized southbound access service, you can select this customized access service for WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

-

Southbound interface service

IP address of an iMaster NCE-Campus southbound access service. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has customized and enabled other southbound access services, you can select customized access services for the WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

-

Southbound access priority

Priority of a controller southbound access service. This parameter is configurable after Southbound interface service is set.

  • The priority can be High, Medium, or Low. The default value is Low.
  • For AR5700&6700&8000 series devices, the priority takes effect only for performance channels and is supported in V600R022C00 and later versions.
NOTE:

If a device has multiple WAN links, you can configure Southbound access priority for each WAN link. After the device starts, it can select a WAN link based on the priority to register with iMaster NCE-Campus.

Assume that a device has both Internet and LTE links, and needs to use the Internet link as the active link and the LTE link as the backup link. When configuring ZTP, you can set Southbound access priority of the Internet link to High and that of the LTE link to Medium or Low. As such, the device preferentially selects the Internet link when it attempts to register with iMaster NCE-Campus, and automatically switches to the LTE link for registration if the Internet link is faulty.

-

Mapping peer IP (This parameter needs to be set only when Interface is set to xDSL (ATM), E1-IMA (ATM), or Ima-group and Interface protocol is set to IPoA.)

Peer IP address mapped to the PVC.

Different ATM interfaces or sub-interfaces on a device must be configured with different mapped IP addresses. Otherwise, traffic forwarding fails.

Y

Negotiation mode (This parameter needs to be set only when Interface is set to GE, FE, or XGE.)

Negotiation mode of the interface. Interfaces at both ends of a link must use the same negotiation mode. If an interface working in auto-negotiation mode frequently alternates between Up and Down, disable auto-negotiation and set the same rate and duplex mode on the interfaces at both ends of a link.

Y

Working mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface working mode. Only combo interfaces support both optical and electrical working modes. You can select either of the two modes based on networking requirements. For interfaces of other types, set this parameter based on their supported working mode.

NOTE:

If an interface cannot work as an optical interface but its working mode is set to the optical mode, the ZTP configuration fails to take effect after being delivered to the CPE where the interface is located.

Y

Duplex mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Duplex mode of the interface. Interfaces at both ends of a link must use the same duplex mode.

For optical interfaces, the duplex mode is fixed at the full duplex mode. For electrical interfaces, you can select the full-duplex or half-duplex mode according to the actual situation.

Y

Speed (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface rate. Interfaces at both ends of a link must work at the same rate.

Y

Optical Module Type (This parameter needs to be set only when Interface is set to XGE.)

Type of the optical module. Set this parameter based on the transmission rate requirements. Currently, GE and 10GE types are available. A GE optical module transmits traffic at a rate of 1000 Mbit/s, and a 10GE optical module transmits traffic at a rate of 10,000 Mbit/s. If 10GE is selected, the negotiation mode cannot be configured. The optical modules on the interfaces at both ends of a link must be of the same type.

-

Public IP

IP address used by the CPE to connect to the WAN. This parameter needs to be configured only for RR sites.

This IP address is accessible to external users. Edge sites can register with RR sites through this address. On a carrier network, the carrier sets public IP addresses in a unified manner. On an enterprise network, an enterprise administrator selects IP addresses from the network segment assigned by the carrier as public IP addresses.

Public IP is mandatory in a NAT scenario.

Y

Access type (This parameter needs to be set only when Interface is set to Serial, Sub Interface is enabled, and Interface protocol is set to FR.)

Access type of a sub-interface.

  • If Access type is set to P2MP: A P2MP sub-interface connects to multiple remote devices. Multiple PVCs can be configured for a sub-interface, and each PVC is mapped to the IP address of a remote device. In this way, different PVCs can connect to different remote devices.
  • If Access type is set to P2P: A P2P sub-interface connects to a single remote device. Only one PVC needs to be configured for a sub-interface, and a unique remote device can be determined without configuring static address mapping.

This parameter is configurable only when Interface is set to Serial and Sub-interface is enabled in the WAN link template.

Y

Uplink bandwidth (Mbit/s)

Maximum uplink and downlink bandwidth limits, in Mbit/s. Set them for an interface based on the actual link bandwidths and service requirements. If a configured value is less than the actual bandwidth and the actual traffic rate exceeds the configured value, packet loss occurs and services are affected.

NOTE:

If traffic distribution or QoS for incoming traffic on the overlay network is not configured, the downlink bandwidth limit does not take effect.

Y

Downlink bandwidth (Mbit/s)

Y

Link ID

ID of a WAN link. You can plan a unique ID for each link in an SD-WAN network. This helps you query link information by ID during maintenance.

Y

Inter-CPE link (This parameter needs to be set for a dual-gateway site.)

Use LAN-side L2 interface

Whether to use Layer 2 physical LAN interfaces on the interlink connecting the two gateways.

  • If no direct link is configured between two gateways, LAN-side links are used for communication between dual gateways.
  • If direct links are available between the two gateways, LAN-side links do not need to be used.

Y

VLAN ID

VLAN IDs used by interlinks for communication between two gateways and used for VPN communication. The number of VLAN IDs must be greater than that of VPNs. In the dual-gateway scenario, iMaster NCE-Campus configures a VLAN for each VPN on interlink interfaces between two gateways. This implements VPN isolation. The start VLAN ID must be in the range from 1 to 4086 and the end VLAN ID must be in the range from 9 to 4094. The difference between the start and end VLAN IDs must be greater than or equal to 8 and less than or equal to 300. A maximum of 16 VLAN ranges can be configured, and the total number of VLANs cannot exceed 301.

NOTE:

The VLAN ID can be modified after deployment.

Y

MTU

MTU for the interface. The maximum transmission unit (MTU) is an option defined in the data link layer to determine whether IP packets will be fragmented. If the length of an IP packet sent by the peer device exceeds the MTU, the packet will be fragmented. By default, the MTU is 1500 bytes.

-

MSS

MSS for the interface. The maximum segment size (MSS) is an option defined in the TCP protocol and refers to the maximum segment size of TCP packets that can be received by a peer device. When setting up a TCP connection, the local and peer devices negotiate an MSS value to determine the maximum data length of TCP packets. If the length of TCP packets sent from the peer device exceeds the MSS value, the packets are fragmented. To properly transmit a packet, ensure that the MSS value plus all the header lengths (such as TCP and IP headers) does not exceed the MTU. By default, the MSS is 1200 bytes.

-

Device1 Interface

Physical interfaces of the interlinks between two gateways. If two interlinks are required, the types of the two interlink interfaces on the same device must be the same. The types of the interfaces at both ends of an interlink must be the same. The interface type varies according to whether a direct link exists between two gateways:

  • If a direct link exists between two gateways (that is, Use LAN-side L2 interface is disabled), use Layer 3 interfaces at both ends of an interlink. If only one interlink is required, Layer 3 sub-interfaces need to be created for the interfaces directly connecting the two gateways and be used as interlink interfaces. If multiple interlinks are required, iMaster NCE-Campus automatically configures the interfaces of these links as an Eth-Trunk sub-interface on each end to ensure link reliability.
  • If no direct link is configured between two gateways (that is, Use LAN-side L2 interface is enabled), use Layer 2 interfaces at both ends of an interlink. If each of the two gateways directly connects to the same LAN switch using a Layer 2 link, a VLAN ID needs to be specified so that the gateways can communicate with each other through VLANIF interfaces.

-

Device2 Interface

-
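The VLAN ID, MTU and MSS rows above define limits that a data plan has to satisfy before deployment. The following checker, added here as an example and not part of the guide or of iMaster NCE-Campus, encodes those limits as printed; the 40-byte IPv4-plus-TCP header figure used for the MSS check is an assumption (minimal headers, no extra encapsulation).

```python
"""Plan checks for the Inter-CPE link parameters: VLAN ranges, MTU and MSS."""
from typing import List, Sequence, Tuple

VlanRange = Tuple[int, int]  # (start VLAN ID, end VLAN ID), both inclusive

# Limits as printed in the VLAN ID row of the table above.
MIN_START, MAX_START = 1, 4086
MIN_END, MAX_END = 9, 4094
MIN_SPAN, MAX_SPAN = 8, 300           # allowed values of (end - start)
MAX_RANGES, MAX_TOTAL_VLANS = 16, 301

# Defaults as printed in the MTU and MSS rows.
DEFAULT_MTU, DEFAULT_MSS = 1500, 1200
# Assumption for the MSS check: a minimal 20-byte IPv4 header plus a 20-byte TCP
# header without options. Any tunnel or IPsec overhead must be added by the caller.
TCP_IPV4_HEADERS = 40


def vlan_count(ranges: Sequence[VlanRange]) -> int:
    """Number of VLAN IDs covered by the ranges (each range is inclusive)."""
    return sum(end - start + 1 for start, end in ranges)


def vlan_range_errors(ranges: Sequence[VlanRange]) -> List[str]:
    """Return one message per violated VLAN-range rule; an empty list means valid."""
    errors = []
    if len(ranges) > MAX_RANGES:
        errors.append(f"{len(ranges)} VLAN ranges configured, maximum is {MAX_RANGES}")
    for start, end in ranges:
        if not MIN_START <= start <= MAX_START:
            errors.append(f"start VLAN ID {start} not in {MIN_START}..{MAX_START}")
        if not MIN_END <= end <= MAX_END:
            errors.append(f"end VLAN ID {end} not in {MIN_END}..{MAX_END}")
        if not MIN_SPAN <= end - start <= MAX_SPAN:
            errors.append(
                f"range {start}-{end}: end minus start must be in {MIN_SPAN}..{MAX_SPAN}"
            )
    total = vlan_count(ranges)
    if total > MAX_TOTAL_VLANS:
        errors.append(f"{total} VLANs planned in total, maximum is {MAX_TOTAL_VLANS}")
    return errors


def mss_fits(mtu: int, mss: int, header_bytes: int = TCP_IPV4_HEADERS) -> bool:
    """True when MSS plus the IP and TCP headers does not exceed the interface MTU."""
    return mss + header_bytes <= mtu


def check_interlink_plan(
    ranges: Sequence[VlanRange], vpn_count: int, mtu: int = DEFAULT_MTU, mss: int = DEFAULT_MSS
) -> List[str]:
    """Validate the whole interlink plan for a dual-gateway site."""
    errors = vlan_range_errors(ranges)
    total = vlan_count(ranges)
    # One interlink VLAN is consumed per VPN, and the guide requires more VLANs than VPNs.
    if total <= vpn_count:
        errors.append(f"{total} VLANs for {vpn_count} VPNs: VLAN count must exceed the VPN count")
    if not mss_fits(mtu, mss):
        errors.append(f"MSS {mss} + {TCP_IPV4_HEADERS} header bytes exceeds MTU {mtu}")
    return errors


if __name__ == "__main__":
    # Constructed sample plan: one VLAN range for a dual-gateway site carrying 8 VPNs.
    for msg in check_interlink_plan([(100, 108)], vpn_count=8) or ["interlink plan OK"]:
        print(msg)
```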

Configuring NTP

Context

When an AR router reports performance data, it carries timestamps in packets. If the time of the AR router is inconsistent with that of iMaster NCE-Campus, the time in performance data is inconsistent with the actual time. As a result, the site traffic and quality data cannot be displayed. Therefore, you need to configure NTP on iMaster NCE-Campus to ensure that the time of site devices is the same as that of iMaster NCE-Campus.

You are advised to configure an RR site as a client to synchronize its clock with an NTP server on the public network. In addition, configure the RR site as the NTP server and edge sites as clients, so that the edge sites can synchronize their clocks with the RR site.

Prerequisites
  1. A site has been created. For details, see Creating a Site.
  2. Global parameters have been set for the site. For details, see Setting Global Parameters.
  3. WAN link parameters have been configured for the site. For details, see Configuring ZTP.
Procedure
  1. Choose from the main menu.
  2. Then click the ZTP tab.
  3. Select a site for which clock synchronization needs to be configured.
  4. Click the NTP tab.
  5. Configure NTP for an RR site.

    • (Optional) Click Import default NTP to import the global NTP server information configured on the page.
    • In the Time zone area, set the time zone for devices at the site. If the default NTP configuration is enabled in the global configuration, the site uses the default time zone configured in the global configuration. That is, an edge site synchronizes its clock with the associated RR site, and the RR site synchronizes its clock with an external clock source.
    • (Optional) Enable or disable DST of the time zone as required.
    • (Optional) Set parameters such as NTP authentication for the NTP server. By default, an RR site functions as an NTP server for edge sites to synchronize their clocks. The encryption algorithm is not configurable for an NTP server. By default, an NTP server uses the HMAC-SHA256 encryption algorithm.
    • When a site functions as an NTP client, configure the NTP client mode for the site.
      • Manual Configuration: The current site functions as an NTP client and an NTP server needs to be manually specified. Configure the RR site as an NTP client, so that it can synchronize its clock with an NTP server on the public network.

        Set Server Network based on the deployment location of the NTP server.

        • If the NTP server is deployed on the internal network, select Overlay to implement communication between the NTP server and RR sites through overlay links.
        • If the NTP server is deployed on an external network, select Underlay to implement communication between the NTP server and RR sites through underlay links.

      • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.

  6. Configure NTP for an edge site.

    • (Optional) Click Import default NTP to import the global NTP server information configured on the page.
    • In the Time zone area, set the time zone for devices at the site. If the default NTP configuration is enabled in the global configuration, the site uses the default time zone configured in the global configuration. That is, an edge site synchronizes its clock with the associated RR site, and the RR site synchronizes its clock with an external clock source.
    • (Optional) Enable or disable DST of the time zone as required.
    • When a site functions as an NTP client, configure the NTP client mode for the site.
      • Synchronization with the RR Site: The current site functions as a client, and the RR site functions as the NTP server. The site synchronizes its clock with the RR site. This option is selected by default. You are advised to retain the default configuration for edge sites.
      • Manual Configuration: The current site functions as a client and an NTP server needs to be manually specified. The current site synchronizes its clock with the specified NTP server.
      • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.
        When a single-gateway site is expanded to a dual-gateway site, the NTP client mode of the new gateway varies in the following situations:
        1. If NTP client mode of the original gateway is Synchronize with the RR site, the NTP configuration will be delivered to the new gateway during expansion, and the new gateway uses the same NTP client mode as the original gateway.
        2. If NTP client mode of the original gateway is Manual Configuration or Disabled, the NTP configuration will not be delivered to the new gateway during expansion. You need to manually configure NTP for the new gateway.

  7. Click OK. The NTP configuration is completed.
Parameter Description
Table 2-77 Parameters on the NTP tab page

Parameter

Description

Data Plan Required or Not

Time zone

Time zone of devices at a site. If DST is observed in the time zone, you can choose whether to apply DST rules to the time zone. You can select a DST rule in either of the following ways: Use the DST rule preset on the system for each time zone, or configure a DST rule by specifying the DST offset, start time, and end time.

Y

DST

Whether to enable DST.

-

Configure mode (configurable when DST is enabled)

The options include Auto and Manual. When Manual is selected, manually set Name, Offset, Time type, Start time, and End time.

-

Configurations of a site when it functions as an NTP server

(The parameters are configurable when the device role is Gateway+RR.)

NTP authentication

Whether to enable a site as an NTP server and enable NTP authentication. On a network that requires high security, NTP authentication needs to be enabled. During authentication, the authentication password and authentication ID configured on the NTP client are matched with those on the NTP server. If they are the same, the authentication succeeds. You can configure password authentication between the NTP client and NTP server, so that the NTP client only synchronizes with the server successfully authenticated, improving network security.

The encryption algorithm is not configurable for an NTP server. By default, an NTP server uses the HMAC-SHA256 encryption algorithm.

Y

Authentication password

Password used for NTP authentication.

-

Authentication key ID

Key ID used for NTP authentication. When a site functions as both the NTP client and server, the authentication key ID for the NTP server and that for the NTP client must be different.

-

NTP parameters

NTP client mode

Mode of a site when it functions as an NTP client. The options are as follows:

  • Synchronize with the RR Site: The current site functions as an NTP client and the RR site functions as the NTP server. By default, this option is used. Retain the default setting for edge sites in SD-WAN scenarios (GRE tunnel mode).
  • Manual Configuration: The current site functions as an NTP client and an NTP server needs to be manually specified. In SD-WAN scenarios where GRE tunnels are used, configure the RR site as a client to synchronize its clock with an NTP server on the public network.
  • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.

Y

NTP parameters (These parameters need to be set only when NTP client mode is set to Manual Configuration.)

Device

CPE that functions as an NTP client.

-

Server Network

Select Underlay or Overlay based on the network where the NTP server is deployed.

-

WAN Link(VN Instance)

WAN-side link of a site connecting to the NTP server.

-

NTP Server Type

Type of the NTP server.

-

NTP Server IP Address

IP address of the NTP server.

Y

Preferential NTP Server

Whether the NTP server is specified as the preferred server. If multiple NTP servers are specified as preferred servers, the system randomly selects a preferred NTP server.

-

VPN Name (This parameter is configurable only when Server Network is set to Overlay.)

Select a VPN.

-

Source Interface (This parameter needs to be set only when Server Network is set to Overlay)

Source interface used by the device to send NTP packets.

-

Authentication

Whether to enable the authentication function. If NTP authentication is enabled on the NTP server, the authentication function must also be enabled on the NTP client. Otherwise, clock synchronization cannot be performed.

-

Authentication Mode

Authentication mode, which can be MD5 or HMAC-SHA256. The authentication mode selected here must be the same as that enabled on the NTP server. HMAC-SHA256 is recommended, because it is more secure than MD5. AR5700&6700&8000 series devices do not support MD5 authentication.

Y

Authentication password

Password used for NTP authentication.

The rules for verifying the authentication password are as follows:

  • For AR600&6100&6200&6300&SRG series and AR1000V devices, the authentication password can contain 6 to 255 characters and must contain at least two types of the following characters: special characters (\"`!@#$%^&()_+=-[]{},.;), uppercase letters (A to Z), lowercase letters (a to z), and digits (0 to 9).
  • For AR5700&6700&8000 series devices, the authentication password can contain 12 to 255 characters, including uppercase letters, lowercase letters, digits, and special characters (\"`!@#$%^&()_+=-[]{},.;).

Y

Authentication key ID

Key ID used for NTP authentication. This authentication ID is irrelevant to the NTP server. The authentication ID configured for an NTP client must be different from that for the NTP server.

The rules for verifying the authentication ID are as follows:

  • For AR600&6100&6200&6300&SRG series and AR1000V devices, if NTP Server Type is set to IPv4 or IPv6, the value must be in the range from 1 to 4294967295.
  • For AR5700&6700&8000 series devices, if NTP Server Type is set to IPv4, the value must be in the range from 1 to 4294967295. If NTP Server Type is set to IPv6, the value must be in the range from 1 to 65535.

Y
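The Authentication Mode, Authentication password and Authentication key ID rows above give per-device-family rules that a client plan must meet, plus the requirement that the client mode match the server's and that the client key ID differ from the site's own server key ID. The checker below is an added example, not code from the guide or from iMaster NCE-Campus; the family labels are my own strings, and treating the listed character types as the only ones accepted on the AR5700&6700&8000 series is my reading of the row, noted in the code.

```python
"""Data-plan checks for the NTP client authentication parameters of a site."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Device families as the guide groups them (labels are this example's own).
FAMILY_AR600 = "AR600&6100&6200&6300&SRG series and AR1000V"
FAMILY_AR5700 = "AR5700&6700&8000 series"

# Special characters listed in the guide for NTP authentication passwords.
SPECIALS = set('\\"`!@#$%^&()_+=-[]{},.;')
KEY_ID_MAX_32 = 4294967295   # bound printed for IPv4, and for IPv6 on the AR600 family
KEY_ID_MAX_16 = 65535        # bound printed for IPv6 on the AR5700 family
SERVER_MODE = "HMAC-SHA256"  # an RR acting as NTP server uses this; not configurable


@dataclass
class NtpClientAuthPlan:
    family: str
    mode: str                            # "MD5" or "HMAC-SHA256"
    password: str
    key_id: int
    server_type: str                     # "IPv4" or "IPv6"
    server_mode: str = SERVER_MODE       # mode enabled on the NTP server the client uses
    server_key_id: Optional[int] = None  # the site's own server key ID, if it is also a server


def _char_classes(password: str) -> int:
    """Count how many of the four character types (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])


def password_errors(family: str, password: str) -> List[str]:
    """Apply the password rule printed for the device family."""
    errors = []
    if family == FAMILY_AR5700:
        if not 12 <= len(password) <= 255:
            errors.append(f"password length {len(password)} not in 12..255")
        # Reading of the guide: only ASCII letters, digits and the listed specials are accepted.
        if any(not (c.isascii() and c.isalnum()) and c not in SPECIALS for c in password):
            errors.append("password contains characters outside the listed types")
        return errors
    if not 6 <= len(password) <= 255:
        errors.append(f"password length {len(password)} not in 6..255")
    if _char_classes(password) < 2:
        errors.append("password must contain at least two character types")
    return errors


def key_id_errors(family: str, server_type: str, key_id: int) -> List[str]:
    """Key ID range depends on the device family and the NTP Server Type."""
    upper = KEY_ID_MAX_16 if (family == FAMILY_AR5700 and server_type == "IPv6") else KEY_ID_MAX_32
    if not 1 <= key_id <= upper:
        return [f"key ID {key_id} not in 1..{upper} for {family} with {server_type} server"]
    return []


def check_plan(plan: NtpClientAuthPlan) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors block deployment, warnings are recommendations."""
    errors, warnings = [], []
    if plan.mode not in ("MD5", "HMAC-SHA256"):
        errors.append(f"unknown authentication mode {plan.mode!r}")
    elif plan.mode == "MD5":
        if plan.family == FAMILY_AR5700:
            errors.append("MD5 authentication is not supported on the AR5700&6700&8000 series")
        else:
            warnings.append("MD5 is weaker than HMAC-SHA256; the guide recommends HMAC-SHA256")
    if plan.mode != plan.server_mode:
        errors.append(f"client mode {plan.mode} differs from server mode {plan.server_mode}")
    errors += password_errors(plan.family, plan.password)
    errors += key_id_errors(plan.family, plan.server_type, plan.key_id)
    if plan.server_key_id is not None and plan.server_key_id == plan.key_id:
        errors.append("client key ID must differ from the site's own NTP server key ID")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: an edge-site client on an AR600-family CPE pointing at an IPv4 server.
    sample = NtpClientAuthPlan(FAMILY_AR600, "HMAC-SHA256", "Ntp-Site01", 5, "IPv4", server_key_id=7)
    errs, warns = check_plan(sample)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```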

Importing and Exporting Site Configurations

Context

You can import and export WAN-side physical link configuration and NTP configuration of sites in batches.

Prerequisites

Before importing site configurations, the sites whose configurations need to be imported must have been created on iMaster NCE-Campus and devices have been added to the sites.

Feature Requirements
  1. Data of a maximum of 100 sites can be exported in batches. If data of more than 100 sites need to be exported, the first 100 sites are automatically selected for export.
  2. Data of cloud sites cannot be exported.
Procedure
  1. Choose from the main menu. Click the Export And Import tab.
  2. Click the Export tab.
  3. Click Click here to add site. Select the target sites whose configurations need to be exported and click OK.

  4. Click Export. Open the exported .xls file and modify the site configuration based on the site requirements. Currently, only the WAN link and NTP configurations can be modified.

  5. Save the modified .xls file. Click the Import tab on iMaster NCE-Campus.
  6. Select the site configuration file to be imported, and click Import next to Upload file.

    1. The configuration file for up to 100 sites can be imported in batches.
    2. If the site configuration to be imported contains the Eth-Trunk interface configuration, you need to create Eth-Trunk interfaces at the target sites in advance. Otherwise, the import fails. For details about how to create an Eth-Trunk interface, see Configuring a Physical Interface.

  7. Check the import result in the Import Result area, including the task name, task creation time, end time, status, total number of tasks, and number of successfully executed tasks.

    1. If Success is displayed in the Task Status column, the site configuration file is imported successfully.
    2. If Fail is displayed in the Task Status column, the site configuration file fails to be imported. You can check the specific failure cause.

    A maximum of 10 records can be displayed in Import Result.

Using a Tenant RR Site

Logging In to iMaster NCE-Campus as a Tenant Administrator and Selecting a Scenario View

Context

A tenant administrator can use a browser to log in to iMaster NCE-Campus to perform system management and maintenance operations in the graphical web UI. The following web browsers are supported:

  • Google Chrome 85 or later
  • Microsoft Edge 89 or later (64-bit)

Procedure

  1. Open a browser.
  2. Enter https://iMaster NCE-Campus server IP address:port number in the address box, and press Enter.

    • The IP address of the iMaster NCE-Campus server is the controller node IP address, which is specified during iMaster NCE-Campus installation.
    • The port number is 18008. The port number used for the login must be the same as that specified during the installation.

  3. Ignore the security certificate warning and access the login page.

    When you log in to iMaster NCE-Campus using a browser, the browser performs unidirectional authentication on iMaster NCE-Campus based on the ER certificate. The Huawei ER certificate has been pre-configured during iMaster NCE-Campus installation. This certificate is used only for temporary communication and is not for commercial use. You need to apply for a new ER certificate to update the pre-configured ER certificate to improve iMaster NCE-Campus communication security. In addition, you are advised to periodically update the certificate to prevent system security risks caused by certificate expiration. After the ER certificate is updated, the message indicating a security certificate error will not be displayed.

    • Google Chrome: Choose Advanced > Proceed to ... (unsafe).

  4. Enter the administrator's username and password and click Log In.
  5. (Optional) Upon the first login, change the password as prompted. Skip this step if it is not your first login.

    For security purposes, do not allow your browser to keep your passwords.

  6. (Optional) Perform two-factor authentication. If a mobile number has been associated with your account, click Obtain Verification Code and enter the received verification code. You can log in to iMaster NCE-Campus after the verification succeeds. Tenant administrators do not need to perform two-factor authentication if username and password authentication is selected when the MSP administrator creates the tenant administrators.
  7. (Optional) Sign the privacy statement and user terms.

    If the MSP administrator selects the privacy statement and user terms when creating a tenant administrator, the tenant administrator needs to sign the privacy statement and user terms when logging in to iMaster NCE-Campus for the first time.

    If a tenant administrator has signed the privacy statement or user terms, the users created by the tenant administrator also need to sign the privacy statement or user terms when logging in to iMaster NCE-Campus for the first time.

    The login will fail if the administrator does not sign the privacy statement or user terms.

  8. (Optional) Set the device administrator password and password used to access the device BootROM menu. This step is required only upon your first login.

    To ensure device security, after a device goes online at a site, the two passwords set here will automatically take effect on the device.

    If the system administrator toggles off The device BootROM password can be configured, tenant administrators cannot set the BootROM password. For details about how to disable tenant administrators from setting the BootROM password, see Configuring a BootROM Password Policy.

  9. Select a scenario view. Select a view based on your application scenario and start planning and deployment. After a view is selected, the SD-WAN scenario (GRE tunnel) tunnel mode is used by default.

    The menus and tab pages vary depending on the view. Exercise caution when selecting a scenario view and perform operations by referring to the corresponding documents. Once a scenario view is selected, you are advised not to switch to another view.

    • For the SD-WAN solution, select the WAN Interconnection view. For details, see SD-WAN Solution V100R022C00 and iMaster NCE-Campus V300R022C00 Product Documentation.
    • For the CloudCampus solution in the LAN scenario, select the Intelligent Cloud Campus view. For details, see CloudCampus Solution V100R022C00 & iMaster NCE-Campus V300R022C00 Product Documentation.
    • For the CloudCampus solution in the LAN-WAN convergence scenario, select the LAN-WAN Convergence view. For details, see CloudCampus Solution V100R022C00 & iMaster NCE-Campus V300R022C00 Product Documentation.

Setting Global Parameters

This section describes how to set global parameters for a tenant network.

You can configure the following features when the tunnel mode is set to SD-WAN scenario (GRE tunnel) on the page.

Context

Global configuration parameters related to a tenant network include:

  • Parameters for physical networks: routing domain, transport network, IPsec encryption, device activation security, link connectivity detection, intelligent traffic steering, and NTP configurations.
  • Parameters for virtual networks: routing, IP address pool, DNS, and port configurations.
  • Collection configuration: application traffic, application quality, and WAN link traffic.

Procedure

  1. Choose from the main menu.
  2. Click the WAN Global Configuration tab, click the Physical Network tab, and set global parameters for the physical network.

    1. Select the RR source.
      • Tenant RR: Select this option if a tenant requires site interconnection only on the WAN side and uses its own RR.
      • MSP RR: Select this option if a tenant requires communication between the WAN network and legacy MPLS VPN network.
    2. Configure a routing domain and determine whether to enable IPsec encryption for the routing domain. iMaster NCE-Campus enables IPsec encryption by default. The Internet and MPLS routing domains are provided by default. If these routing domains cannot meet your requirements, create other routing domains as required.

    3. Configure a transport network to define a unified transport network type for communication between sites on the entire network. iMaster NCE-Campus provides the following default transport networks: Internet, Internet1, MPLS, and MPLS1. Transport Network: defines the type of a physical WAN link of a site and is determined by the type of a WAN access network provided by carriers. In most cases, a type of network provided by a carrier is defined as a transport network. For example, the Internet of carrier A is defined as transport network Internet, and the Internet of carrier B is defined as transport network Internet1.
      • If the default transport networks cannot meet requirements, you can click Create to create a transport network as desired.
      • When the MSP RR is selected as the RR source and an MSP creates transport networks, tenants can view and use the user-defined routing domains created by the MSP in the routing domain drop-down list box.

    4. (Optional) If packets forwarded by IPsec tunnels need to be encrypted, configure an IPsec tunnel encryption algorithm. After the configuration is complete, all IPsec tunnels that are configured to encrypt packets use the same encryption algorithm. In the IPSec Encryption Parameters area, configure the authentication algorithm, encryption algorithm, life time, and IPsec SA generation mode.

      If a site has only devices other than AR5700&6700&8000 series devices, IPsec SA generation mode can be toggled on. If AR5700&6700&8000 series devices are added to the site, you need to upgrade other devices to V300R021C00 or a later version.

      Modifying IPsec encryption parameters may result in network disconnection for a short period of time.

    5. Configure email-based deployment if this function is required. In the Device Activation Security Settings area, toggle on Encryption and set URL encryption key and URL opening validity period.
      • If devices running V600R022C00 and later versions need to be deployed through emails, Encryption and Web login must be enabled.
      • The web user information configured in the global configuration takes effect only for newly deployed devices. For devices that have been deployed, choose and choose Site > Device Login Configuration > Local User to modify the web user information. For details, see Configuring Device Login.

    6. (Optional) To check the link connectivity of a site, set link connectivity detection parameters. If a tenant has AR5700&6700&8000 series devices, Detection packet sending interval should be in the range from 10 ms to 2000 ms. Otherwise, the link connectivity detection function does not take effect.

      You can set Detection packet sending interval, Number of failed detections, and Priority of detection packets as needed.

    7. (Optional) Set traffic steering parameters. You can set the following parameters: Modify period parameters, Bandwidth usage detection, Maximum bandwidth utilization (%), Symmetric forward, Same Transport Network prioritized, Coloring rule, and Smaller site ID prioritized.
      • After the Modify period parameters is toggled on, you can set intelligent traffic steering policy parameters as needed. Exercise caution when you set the global parameters for traffic steering policies because they affect the real-time route selection of the intelligent traffic steering policy. You are advised to modify these parameters when no service traffic is transmitted.
      • Bandwidth usage detection takes effect for intelligent traffic steering only in Load balance mode and does not take effect in Preference mode.
      • After Maximum bandwidth utilization (%) is set, when the service traffic of a link has occupied the maximum bandwidth, the traffic is steered in load balancing mode. This function is applicable to intelligent traffic steering in load balancing mode.
      • After Symmetric forward is enabled, the service receiving site forwards services based on the route selection result of the sending site, without proactively selecting a route. Symmetric forward is enabled by default. Tenants can disable this function. After this function is disabled, devices at both ends select routes based on route selection rules.
      • After Same Transport Network prioritized is toggled on, if two sites set up multiple tunnel connections, the tunnel with both ends in the same TN is colored as the active tunnel whereas the tunnel with both ends in different TNs is colored as the standby tunnel. Active tunnels are preferentially selected during intelligent traffic steering. This function takes effect for intelligent traffic steering only in the Preference mode and does not take effect in Load balance mode.
      • Configure Coloring rule. The active party for coloring tunnels is determined based on the following factors in the descending order of priority: TNP bandwidth > Site role > TN priority. You can modify the priorities as needed by clicking .
      • After Smaller site ID prioritized is toggled on, the active party for coloring tunnels is determined preferentially based on Coloring rule. If the active party for coloring tunnels cannot be determined after all rules are applied, the site with a smaller site ID colors tunnels.

    8. (Optional) Configure NTP. Set global NTP parameters, including Time zone, NTP Server IP Address, and NTP authentication. If Config Default NTP is enabled globally, all sites use the globally configured time zone. By default, Config Default NTP is disabled.

    9. Click OK.

  3. Click the Virtual Network tab, and set global parameters related to virtual networks.

    1. Set BGP parameters. Set AS number, Community pool, and IPv4 Dual-Gateway Interconnection Protocol as needed. These parameters are mandatory.
      • If the MSP RR is selected as the RR source, the AS number of the tenant must be the same as that of the MSP.
      • If IPv4 Dual-Gateway Interconnection Protocol is set to IBGP, a community attribute pool must be configured. If the community attribute pool is empty, IPv4 Dual-Gateway Interconnection Protocol cannot be modified after ZTP is completed at the site. When configuring a community attribute pool, enter a value in the community attribute pool text box and click , so that the specified value can take effect. If site-to-Internet and site-to-site access functions have been configured for a dual-gateway site before a controller upgrade, related policies will not be re-orchestrated and delivered to the gateways after the controller is upgraded. Therefore, in the upgrade scenario, you need to delete these policies and re-configure the two functions after the upgrade.
      • If Routing policy delay configuration is enabled, you need to set Routing policy delay to a value in the range from 1 to 180.

    2. Configure an IP address pool. The network segment of an address pool varies according to the network scale. When configuring an IP address pool, enter a value in the IP address pool text box and click , so that the specified value can take effect.
      • The network segments where device IP addresses in an iMaster NCE-Campus cluster are located cannot be included in an address pool. Otherwise, databases may be unavailable, affecting normal running of devices.
      • Even if an IPv6 network is deployed, the IPv4 address pool cannot be empty.

      IPv4 and IPv6 address pools can be configured. An IPv4 address pool can be configured either in simple mode or advanced mode.

      Configuring an IPv4 address pool in simple mode

      Configuring an IPv4 address pool in advanced mode

      (Optional) Configure an IPv6 address pool.

    3. (Optional) Configure a DNS server group and DNS server IP addresses.

      In the DNS area, set DNS Server Group Name and DNS server IP Address.

    4. (Optional) Set port numbers as needed. Toggle on Custom Port Configuration, set DTLS Server Port and STUN Server Port, toggle on Connection Source Port, and set Scanning Start Port, Scanning Times, and Scanning Increment.
      • If the port checked by the DTLS server has been configured on devices, before modifying this port number, you need to delete rdb files from the devices and restart them. In this case, the modified port number can take effect on the devices. In a scenario where a device has been deployed in RDB mode, after changing the port checked by the DTLS server, you need to restore the device to its factory defaults and deploy the device again.
      • After the port checked by the DTLS server is changed, the change does not take effect immediately for non-V600 devices at RR sites. As a result, services are interrupted.
      • When changing the port checked by the DTLS server, ensure that the new port number has not been used on devices. You can check the current port checked by the DTLS server in the diagnostic view of a device.
        For AR600&6100&6200&6300&SRG series devices, run the following command:
        display dtls server status

        For AR5700&6700&8000 series devices, run the following command:

        display dtls server
      • The modified Connection Source Port setting takes effect only at newly activated sites and does not take effect at sites that have been activated.

    5. Click OK.

  4. (Optional) Click the Collection Configuration tab and set global parameters for statistics collection.

    1. Decide whether to enable the functions of collecting application traffic, application quality, and WAN link traffic statistics.

    2. Click OK.

Parameter Description

Table 2-78 Parameters on the WAN Global Configuration page

Parameter

Description

Data Plan in Advance

Physical Network

Select the RR source.

  • Tenant RR: Select this option if a tenant requires site interconnection only on the WAN side and uses its own RR. The tenant RR is deployed at an edge site.
  • MSP RR: Select this option if a tenant requires communication between the WAN network and legacy MPLS VPN network. The MSP RR is deployed at an independent RR site.

Y

Routing Domain

Routing Domain

A routing domain defines whether routes between different transport networks are reachable. Physical links of different transport networks that belong to the same routing domain are reachable to each other. Generally, if the transport networks that are of the same type and are provided by different carriers can communicate with each other, they are defined in the same routing domain. For example, the Internet of carrier A and that of carrier B can be defined in the same routing domain.

iMaster NCE-Campus provides the following types of routing domains by default:

  • MPLS: MPLS leased line, which carries normal services of users in wired mode.
  • Internet: public Internet, which carries normal services of users in wired mode.

If the default types of routing domains cannot meet requirements, set a routing domain according to actual situations.

Y

IPSec Encryption

Whether to enable IPsec encryption for the current routing domain. The options are as follows:

  • OFF: indicates that IPsec encryption is disabled. In this case, the overlay tunnels carry plain GRE traffic, so IP protocol 47 (GRE) must be permitted for all devices on the firewall.
  • ON: indicates that IPsec encryption is enabled. In this case, the encryption algorithm and password set in IPSec Encryption Parameters are used for encryption.
    NOTE:

    IPsec encryption must be enabled in the NAT traversal scenario.

Y

Transport Network

Type of the transport network to which a WAN-side physical link belongs. This parameter describes the transport networks with the same link quality attributes. It is used to identify networks of the same type provided by an ISP.

A transport network defines the physical network between a site and the WAN. The following lists the data to be planned for each transport network. The defined transport network name can be directly referenced when physical links are specified for site WAN links and policies.

  • Transport Network: defines the type of a physical WAN link of a site and is determined by the type of a WAN access network provided by carriers. Generally, a type of network provided by a carrier is defined as a transport network. For example, the Internet of carrier A is defined as a transport network, and the Internet of carrier B is defined as another transport network.
  • Routing Domain: specifies the routing domain to which the transport network belongs.
  • Priority: specifies the priority of the transport network. It is used as a metric for tunnel coloring in intelligent traffic steering.

By default, the system provides the following transport networks: Internet, Internet1, MPLS, and MPLS1. The Internet transport networks belong to the Internet routing domain, and the MPLS transport networks belong to the MPLS routing domain. If the MSP RR is selected, the transport networks defined by the MSP are automatically displayed for selection. If the preset transport networks do not meet your requirements, you can create a transport network as needed.

-

IPSec Encryption Parameters

Protocol

Security protocol. The default value is ESP.

Y

Authentication algorithm

Authentication algorithm. Both SHA2-256 and SM3 are supported. SHA2-256 is used by default.

Y

Encryption algorithm

Encryption mode of a link. AES128, AES256, and SM4 are supported. When the authentication algorithm is set to SM3, the encryption algorithm can only be SM4.

If the authentication algorithm is set to SHA2-256, you are advised to select the AES-256 encryption algorithm. This is because the key length of AES-256 is 256 bits, having a higher security level than AES-128.

Y

Life time

Global IPsec SA lifetime.

A security association (SA) defines the encryption algorithm, digest, and keys for secure data transmission between IPsec peers. Configuring an IPsec SA lifetime causes the SA and its keys to be renegotiated periodically, which limits the amount of traffic protected by any single key and reduces the risk of the SA being cracked.

Y

IPSec SA generation mode

Whether to enable the IPsec SA generation mode. By default, the mode is disabled.

Y

DH group

Diffie-Hellman (DH) public key algorithm. It is used to dynamically negotiate encryption keys between two sites to prevent traffic monitoring between tenants in the same RR in multi-tenant scenarios.

After IPSec SA generation mode is toggled on, you can select a DH group. Currently, DH group can be set only to GROUP19, GROUP20, or GROUP21. The DH group security levels are as follows: GROUP21 > GROUP20 > GROUP19.

-

Device Activation Security Settings

Encryption

Whether to encrypt the URL for email-based deployment. You are advised to enable this function. This function must be enabled if email-based deployment needs to be used for deploying AR5700&6700&8000 series devices.

Y

URL encryption key

Key for encrypting the URL in a deployment email. Email-based deployment will be successful only after you click the URL in the received email on your PC and enter this key. After configuring the key, keep it secure to prevent email-based deployment from being affected.

Y

URL opening validity period

Validity period for a device to register its ESN with iMaster NCE-Campus. The timer starts once a deployment email is sent.

If the device ESN is not obtained, the device is added to iMaster NCE-Campus based on the device model. After a site is created and a deployment email is sent, the device checks whether the URL is valid. If so, the device registers its ESN with iMaster NCE-Campus.

Y

Web login

Whether the URL for email-based deployment carries web user information.

NOTE:
  • If devices running V600R022C00 and later versions need to be deployed through emails, Encryption and Web login must be enabled.
  • The web user information configured in the global configuration takes effect only for newly deployed devices. For devices that have been deployed, choose and choose Site > Device Login Configuration > Local User to modify the web user information. For details, see Configuring Device Login.

-

Username

Web username. A username must contain at least six characters.

Y

Password

Password of the web user. The password must meet the following requirements:

  • Must contain at least eight characters, and can contain digits, uppercase letters, lowercase letters, and special characters.
  • Cannot be the same as the username or the reverse of the username.
  • Cannot be the same as any of the most recent 10 passwords.

Y
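The three password requirements above, written as an added validation routine (example code, not part of iMaster NCE-Campus); the password history and the username in the usage call are constructed sample values:

```python
# Constructed history of a web user's previous passwords (most recent last).
RECENT_PASSWORDS = ["Spring-2023!a", "Summer-2023!b", "Autumn-2023!c"]


def check_web_password(password, username, recent_passwords=RECENT_PASSWORDS):
    """Return the list of rules the candidate password violates (empty = accepted).

    Rules as stated in the parameter table: at least eight characters; not the
    username or its reverse; not one of the most recent 10 passwords.
    """
    violations = []
    if len(password) < 8:
        violations.append("must contain at least eight characters")
    if password == username or password == username[::-1]:
        violations.append("must not be the username or the reverse of the username")
    if password in recent_passwords[-10:]:       # only the last 10 entries count
        violations.append("must not be one of the most recent 10 passwords")
    return violations


if __name__ == "__main__":
    for candidate in ("Winter-2024!d", "nimdasupmac", "Ab1!x", "Summer-2023!b"):
        print(candidate, "->", check_web_password(candidate, "campusadmin") or "accepted")
```

The comparisons are case-sensitive and exact, which is the stricter reading of the rules; the history check looks only at the last ten entries, so older passwords become reusable once they leave that window.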

Link Failure Detection Parameter Configuration

Modify detection parameters

Gateways at WAN sites of the same tenant periodically send Keepalive packets to detect link connectivity.

If this function is disabled, a device sends Keepalive packets at the default interval. If the number of detection failures exceeds the default value, the link is considered faulty. If this function is enabled, you can define the interval for sending Keepalive packets and the maximum number of detection failures permitted.

-

Detection packet sending interval

Interval at which the master device of an overlay tunnel sends Keepalive packets. The value ranges from 10 to 10000 ms for AR600&6100&6200&6300&SRG series and AR1000V devices and from 10 to 2000 ms for AR5700&6700&8000 series devices. The value must be an integer multiple of 10. The default interval is 1000 ms.

NOTICE:

When the interval for sending keepalive packets is changed, the change may not take effect on all devices on the network at the same time. As a result, service flapping may occur within a short period of time. In addition, the change will affect the number of established EVPN connections, which may interrupt services if the number of EVPN connections cannot meet the network scale requirements. In normal cases, the default value is used.

Mappings Between Keepalive Packet Sending Interval and Device EVPN Connection Specifications describes the mappings between the device EVPN connection specifications and the interval for sending Keepalive packets. Before changing this setting, ensure that the EVPN connection specifications of all devices meet the requirements of the live network. The rules for establishing EVPN connections between sites on the live network are as follows:

  1. An EVPN connection is established between every two ports that belong to the same routing domain but different sites.
  2. An EVPN connection cannot be established between two ports that are not in the same routing domain.
  3. The number of EVPN connections on a device at a dual-gateway site is the total number of device connections at the site.

For example, if the default number of EVPN connections is 1000 and the required number of EVPN connections on a device is 512, ensure that the number of EVPN connections on the device is greater than or equal to 512 after the interval for sending probe packets is changed.

For a hub-spoke network, pay attention to the EVPN connection specifications of the hub site. On a full-mesh network, pay attention to the EVPN connection specifications of all sites.

Y
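The three EVPN connection rules above, applied to a constructed topology as an added planning check (example code, not from the guide or the product). The site names, device names and port lists are assumptions; the specification value that applies after the Keepalive interval is changed comes from the mapping table the guide references and is therefore passed in as a parameter. The example covers both full-mesh and hub-spoke peering, which goes slightly beyond the single rule set in the text.

```python
from collections import defaultdict
from itertools import combinations

# Constructed planning data (not from the guide): each site lists its WAN ports as
# (device_name, routing_domain). The hub is a dual-gateway site with two devices.
SITES = {
    "hub":     [("hub-gw1", "Internet"), ("hub-gw1", "MPLS"),
                ("hub-gw2", "Internet"), ("hub-gw2", "MPLS")],
    "branch1": [("b1-gw", "Internet"), ("b1-gw", "MPLS")],
    "branch2": [("b2-gw", "Internet")],
    "branch3": [("b3-gw", "MPLS")],
}


def evpn_connections(sites, hub=None):
    """Count the EVPN connections each site and each device must support.

    Rules from the guide: one connection between every two ports that are in
    the same routing domain but at different sites; none across routing
    domains; at a dual-gateway site every device carries the site total.
    hub=None means every site peers with every other (full mesh);
    hub="<site>" means only hub-spoke pairs peer.
    """
    per_site = defaultdict(int)
    for (a, ports_a), (b, ports_b) in combinations(sites.items(), 2):
        if hub is not None and hub not in (a, b):
            continue  # spokes do not peer with each other in hub-spoke
        for _, rd_a in ports_a:
            for _, rd_b in ports_b:
                if rd_a == rd_b:          # rule 1; rule 2 is the implicit else
                    per_site[a] += 1
                    per_site[b] += 1
    per_device = {}
    for site, ports in sites.items():
        for device, _ in ports:
            per_device[device] = per_site[site]   # rule 3: each device carries the site total
    return dict(per_site), per_device


def over_spec(per_device, spec_after_change):
    """Devices whose required connections exceed the EVPN connection
    specification that applies after the Keepalive interval is changed."""
    return [d for d, n in per_device.items() if n > spec_after_change]


if __name__ == "__main__":
    site_counts, device_counts = evpn_connections(SITES)
    print("full mesh:", site_counts)
    print("hub-spoke:", evpn_connections(SITES, hub="hub")[0])
    print("devices over a spec of 6:", over_spec(device_counts, 6))
```

On this topology the hub needs 8 connections in either peering model, so it is the hub's specification that must be checked first, as the guide says for hub-spoke networks; in full mesh branch1 also rises from 4 to 6 because it peers with the other branches.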

Number of failed detections

After sending a Keepalive packet, the master device checks at each interval whether it has received a Keepalive packet from the slave device. If no Keepalive packet is received for this number of consecutive intervals, the master device considers the overlay tunnel faulty and sets its status to Down, and the AR automatically switches the link. The value ranges from 3 to 10.

If Modify detection parameters is disabled, the default value of this parameter is 6.

Y

Priority of detection packets

Priority in the IP header of a Keepalive packet. A numerically higher value indicates a higher priority.

Y

Traffic Steering Policy Configuration

Modify period parameters

Whether to customize parameters in intelligent traffic steering policies.

Exercise caution when you set the global parameters for traffic steering policies because they affect the real-time route selection of the intelligent traffic steering policy. You are advised to modify these parameters when no service traffic is transmitted.

-

Switching period

If the quality of a link cannot meet requirements of a certain service or the bandwidth usage exceeds the threshold, the CPE starts the link switching timer. When the timer times out, the service traffic is switched to another link. The default value of the switching period is 5 seconds.

Y

Statistics period

Interval for checking link quality. The value of this parameter ranges from 1 to 3600 and must be less than or equal to the value of Switching period.

-

Flapping suppression

Unstable network link quality may result in frequent link switchovers at the sites where an intelligent traffic steering policy is applied. To prevent this situation, the system requires that services be transmitted on a new link for at least one flapping suppression period before the services are switched back from the new link to the original link. The value range is from 2 to 131070, and the default value is 30 seconds. The value must be at least twice the switching period.

Y

Enhanced flapping suppression

After this function is enabled, service traffic is switched back only when the link quality meets the switchback requirements in every measurement period before the flapping suppression period ends. This reduces network flapping caused by frequent switchovers. This function is disabled by default. V300 series devices support this function since V300R022C00SPC100. V600 series devices do not support this function.

Assume that in the global traffic steering configuration, the flapping suppression period is set to 30s, and both the measurement period and switchover period are set to 5s. Take a site with an Internet link and an MPLS link as example. When the quality of the site's Internet link deteriorates and fails to meet requirements, service traffic is switched to the MPLS link. After the switchover, iMaster NCE-Campus calculates the Internet link's quality at an interval of 5s (measurement period) until the flapping suppression period ends.

With enhanced flapping suppression disabled, as long as the Internet link's quality calculated in the last measurement period meets requirements, service traffic is switched back to the Internet link.

With enhanced flapping suppression enabled, only if the Internet link's quality calculated in all the six measurement periods before the flapping suppression period ends meets requirements, service traffic is switched back to the Internet link.

NOTE:

To make enhanced flapping suppression take effect, in addition to enabling this function here, you need to set Switchover mode to Pre-emptive in an intelligent traffic steering policy on the Overlay tab page under .

-
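The switchback decision described for Flapping suppression and Enhanced flapping suppression, reproduced in an added example that is not from the guide or the product. The per-period link measurements and the quality thresholds are constructed sample data; the period values are the ones used in the text (30 s suppression, 5 s measurement and switchover). The first function also applies the range rules stated for the three periods.

```python
# Constructed per-period measurements of the Internet link after traffic was
# switched to MPLS (sample data, not from the guide). Thresholds are assumed.
INTERNET_SAMPLES = [
    {"delay_ms": 180, "loss_pct": 3.0},  # first period after switchover: still poor
    {"delay_ms": 90, "loss_pct": 0.5},
    {"delay_ms": 85, "loss_pct": 0.2},
    {"delay_ms": 95, "loss_pct": 0.1},
    {"delay_ms": 88, "loss_pct": 0.3},
    {"delay_ms": 80, "loss_pct": 0.0},   # last period before suppression ends: good
]
THRESHOLDS = {"delay_ms": 100, "loss_pct": 1.0}


def validate_periods(switching_s, statistics_s, flapping_s):
    """Range rules stated in the parameter table for the three global periods."""
    problems = []
    if not (1 <= statistics_s <= 3600) or statistics_s > switching_s:
        problems.append("statistics period must be 1..3600 and <= switching period")
    if not (2 <= flapping_s <= 131070) or flapping_s < 2 * switching_s:
        problems.append("flapping suppression must be 2..131070 and >= 2 x switching period")
    return problems


def meets_requirements(sample, thresholds):
    """A period passes when every measured metric is within its threshold."""
    return all(sample[k] <= limit for k, limit in thresholds.items())


def switch_back(samples, thresholds, flapping_s, statistics_s, enhanced):
    """Decide whether traffic returns to the original link when the flapping
    suppression period ends. samples[i] is the measurement taken in period i."""
    periods = flapping_s // statistics_s          # 30 s / 5 s = 6 measurement periods
    verdicts = [meets_requirements(s, thresholds) for s in samples[:periods]]
    if len(verdicts) < periods:
        return False                              # suppression period not over yet
    if enhanced:
        return all(verdicts)                      # every period must pass
    return verdicts[-1]                           # only the last period counts


if __name__ == "__main__":
    print(validate_periods(5, 5, 30))
    print("plain:", switch_back(INTERNET_SAMPLES, THRESHOLDS, 30, 5, enhanced=False))
    print("enhanced:", switch_back(INTERNET_SAMPLES, THRESHOLDS, 30, 5, enhanced=True))
```

With the sample data the plain mode switches traffic back because the sixth period is good, while the enhanced mode refuses because the first period after the switchover was still poor; a link that recovers only intermittently therefore holds traffic on the new link for longer.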

Bandwidth usage detection

Whether to detect bandwidth utilization of links.

For AR5700&6700&8000 series devices, this function is enabled by default. Enabling or disabling this function does not take effect on these devices.

For AR600&6100&6200&6300&SRG series devices running V300R021C10 and later versions, Maximum bandwidth utilization (%) does not take effect after this function is disabled. AR600&6100&6200&6300&SRG series devices running a version earlier than V300R021C10 do not support this function.

This function takes effect when the Load balance mode is configured for intelligent traffic steering, and does not take effect in the Preference mode.

Y

Maximum bandwidth utilization (%)

This parameter applies to intelligent traffic steering in load balancing mode. When the service traffic of a link has occupied the maximum bandwidth, the traffic is steered in load balancing mode. You can set the maximum bandwidth usage as required. By default, the maximum bandwidth usage is 95%. The value ranges from 50% to 100%. V600 devices support this function since V600R022C00.

Y

Symmetric forward

To prevent link congestion in the inbound direction and ensure a single path for incoming and outgoing traffic, intelligent traffic steering supports symmetric routing. The service receiving site forwards services based on the route selection result of the sending site, without proactively selecting a route. Symmetric routing is enabled by default. Tenants can disable symmetric routing. After symmetric routing is disabled, devices at both ends select paths based on traffic steering rules.

This function determines whether the forward and return traffic is forwarded along the same path.

  • Symmetric routing: A packet traverses from a source to a destination in one path and takes the same path when it returns to the source. The master or slave role of a site is determined based on the global network configuration on iMaster NCE-Campus. The slave site follows the route selection result of the master site to ensure that the same service flow is forwarded and returned along the same path.
  • Asymmetric routing: Two communicating sites independently select a forwarding path. In this case, the transmit and receive paths of the same service flow between two sites are different. For example, in the load balancing scenario, the MPLS link in the direction from site1 to site2 is not congested for application A. As such, traffic of application A is forwarded over this MPLS link from site1 to site2. However, when the MPLS link is congested in the direction from site2 to site1 and the Internet link is not congested, the Internet link is selected to transmit traffic of application A from site2 to site1.
    NOTE:
    • When branch sites and IWGs are interconnected and branch sites are selected as the master for route selection, the symmetric routing function does not take effect.
    • Devices running V600 do not support symmetric routing.

Y

Same Transport Network prioritized

If two sites set up multiple tunnel connections, the tunnel connection with both ends in the same TN is colored as the active one whereas the tunnel connection with both ends in different TNs is colored as the standby one. Active tunnel connections are preferentially selected for intelligent traffic steering.

If Same Transport Network prioritized is toggled off, tunnel connections are selected for traffic steering as follows in the descending order of priority: active tunnel connection with a high priority > standby tunnel connection with a high priority > active tunnel connection with a low priority > standby tunnel connection with a low priority.

If Same Transport Network prioritized is toggled on, tunnel connections are selected for traffic steering as follows in the descending order of priority: active tunnel connection with a high priority > active tunnel connection with a low priority > standby tunnel connection with a high priority > standby tunnel connection with a low priority.

By default, Same Transport Network prioritized is toggled off. This function takes effect only in Preference mode and does not take effect in Load balance mode.

Figure 2-13 shows an example. TN1 (blue-colored) has a higher priority than TN2 (red-colored) and the hub site determines tunnel colors. If Same Transport Network prioritized is toggled off, tunnel connections are selected for traffic steering as follows in the descending order of priority: blue-colored active tunnel connection > blue-colored standby tunnel connection > red-colored active tunnel connection > red-colored standby tunnel connection. If Same Transport Network prioritized is toggled on, the tunnel connections are selected for traffic steering as follows in the descending order of priority: blue-colored active tunnel connection > red-colored active tunnel connection > blue-colored standby tunnel connection > red-colored standby tunnel connection.

Figure 2-13 Tunnel connection coloring

-
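The coloring and selection order described for Same Transport Network prioritized, as an added example reproducing the Figure 2-13 scenario (example code, not from the guide or the product). It assumes TN1 has a higher priority than TN2, that the hub site colors the tunnels so each tunnel takes the priority of the TN at the hub end, and that the tunnel and TN names are constructed:

```python
from dataclasses import dataclass

# Constructed example mirroring the Figure 2-13 description: TN1 (blue) has a
# higher priority than TN2 (red); names and priorities are assumptions.
TN_PRIORITY = {"TN1": "high", "TN2": "low"}


@dataclass(frozen=True)
class TunnelConnection:
    name: str
    hub_tn: str      # transport network at the coloring (hub) end
    spoke_tn: str    # transport network at the far end

    @property
    def color(self):
        # both ends in the same TN -> active; ends in different TNs -> standby
        return "active" if self.hub_tn == self.spoke_tn else "standby"

    @property
    def priority(self):
        # assumption: the tunnel inherits the priority of the coloring site's TN
        return TN_PRIORITY[self.hub_tn]


TUNNELS = [
    TunnelConnection("red-standby", "TN2", "TN1"),
    TunnelConnection("blue-standby", "TN1", "TN2"),
    TunnelConnection("red-active", "TN2", "TN2"),
    TunnelConnection("blue-active", "TN1", "TN1"),
]


def selection_order(tunnels, same_tn_prioritized):
    """Order tunnels as intelligent traffic steering in Preference mode selects
    them: toggle off, priority wins over color; toggle on, color wins."""
    color_rank = {"active": 0, "standby": 1}
    prio_rank = {"high": 0, "low": 1}
    if same_tn_prioritized:
        key = lambda t: (color_rank[t.color], prio_rank[t.priority])
    else:
        key = lambda t: (prio_rank[t.priority], color_rank[t.color])
    return [t.name for t in sorted(tunnels, key=key)]


if __name__ == "__main__":
    print("toggle off:", selection_order(TUNNELS, same_tn_prioritized=False))
    print("toggle on: ", selection_order(TUNNELS, same_tn_prioritized=True))
```

The two sort keys are the only difference between the modes: the toggle simply decides whether the TN priority or the active/standby color is the primary ordering criterion, which is why the function has no effect on a site whose tunnels all share one color.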

Coloring rule

Tunnel connection colors are determined by the TNP bandwidth, site role, and TN priority.
  • TNP bandwidth: Tunnel connections can be colored based on the TNP bandwidth. You can configure tunnel connections with larger or smaller TNP bandwidths to be preferentially colored as active. The bandwidth here refers to the TNP outbound bandwidth.
  • Site role: Tunnel connections can be colored preferentially by hub or spoke sites. AR5700&6700&8000 series devices do not support the function of coloring tunnel connections preferentially by spoke sites.
  • TN priority: Tunnel connections can be colored based on the TN priority. You can configure the site with a larger TN priority value to preferentially color tunnel connections.

By default, tunnel connections are colored based on the following attributes in the descending order of priority: TNP bandwidth > site role > TN priority. You can modify the priorities by clicking .

Y

Smaller site ID prioritized

By default, this function is enabled, that is, the site with a smaller site ID colors tunnel connections for traffic steering.

When this function is disabled, the site with a larger site ID colors tunnel connections.

As shown in the following figure, the hub site has only one uplink and the spoke site has two uplinks, and the hub site determines tunnel connection colors by default. In this situation, the hub site colors the tunnel connections set up with the spoke site in the same color and thereby the tunnel connections have the same priority. As such, the spoke site cannot forward traffic of different applications through different links. To implement traffic steering in this scenario, you are advised to toggle off Smaller site ID prioritized to configure the spoke site to color tunnel connections, so that the tunnel connections can be colored differently.

Figure 2-14 Tunnel connection coloring by different sites

NOTE:

You can configure coloring rules as follows:

  1. If multiple TNs are available between sites, configure tunnel coloring based on the following three attributes whose priorities can be set as needed:
    • TNP bandwidth: Tunnel connections can be colored based on the TNP bandwidth. You can configure tunnel connections with larger or smaller TNP bandwidths to be preferentially colored as active. The bandwidth here refers to the TNP outbound bandwidth.
    • Site role: Tunnel connections can be colored preferentially by hub or spoke sites. AR5700&6700&8000 series devices do not support the function of coloring tunnel connections preferentially by spoke sites.
    • TN priority: Tunnel connections can be colored based on the TN priority. You can configure the site with a larger TN priority value to preferentially color tunnel connections.
  2. If the preceding attributes are the same, the site ID determines the site to color tunnels. By default, the site with a smaller site ID colors tunnels.

-

NTP

Time zone

Time zone of devices at a site. If DST is observed in the time zone, you can choose whether to apply DST rules to the time zone. You can select a DST rule in either of the following ways: Use the DST rule preset on the system for each time zone, or configure a DST rule by specifying the DST offset, start time, and end time.

Y

NTP client mode

  • Manual Configuration: The current site functions as an NTP client and an NTP server needs to be manually specified. You can configure the RR as a client to synchronize its clock with the NTP server on the public network.
  • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.

Y

NTP server IP address

IP address of the NTP server.

Y

NTP authentication

This parameter is optional and indicates whether to enable NTP authentication when the gateway at a specified site functions as an NTP server. If NTP authentication is enabled, you need to set an authentication password and an authentication ID. If the gateway at a specified site functions as an NTP client, its authentication password and authentication ID must be the same as those configured at the parent site that serves as its NTP server. Otherwise, authentication fails and NTP clock synchronization fails.

Y

Authentication mode

Authentication mode, which can be MD5 or HMAC-SHA256. The authentication mode selected must be the same as that enabled on the NTP server. The MD5 authentication mode may pose potential security risks. As such, the HMAC-SHA256 authentication mode is recommended.

Y

Authentication password

Password used for NTP identity authentication.

Y

Authentication key ID

Key ID for NTP authentication, which must be a number other than 0. The authentication ID is irrelevant to the NTP server. The authentication ID used when the site functions as a client must be different from the authentication ID configured for the NTP server.

Y
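The following Python script is an added example, not part of this guide or of iMaster NCE-Campus. It shows why the key ID, password and authentication mode must match between an NTP client and its server: it builds a minimal NTPv4 client header, appends the 4-byte key ID and the MAC as RFC 5905 lays them out, and verifies the result against a server keyring. The MD5 mode follows RFC 5905 (MD5 over key and message); HMAC-SHA256 is assumed to be a standard HMAC, and the keyring, key ID 10 and password are constructed values, not values from the guide.

```python
import hashlib
import hmac
import struct
import time

# RFC 5905: a 48-byte header, optionally followed by a 4-byte key ID and
# a MAC computed over the header with the key that the ID refers to.
NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_ntp_client_header(tx_time=None):
    """Build a minimal NTPv4 client (mode 3) header; only the LI/VN/Mode
    byte and the transmit timestamp are populated."""
    if tx_time is None:
        tx_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, Mode=3 (client)
    seconds = int(tx_time) + NTP_EPOCH_OFFSET
    fraction = int((tx_time - int(tx_time)) * (1 << 32)) & 0xFFFFFFFF
    header = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)  # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                  # root delay, root dispersion
    header += b"\x00" * 4                               # reference ID
    header += b"\x00" * 24                              # reference/origin/receive timestamps
    header += struct.pack("!II", seconds, fraction)     # transmit timestamp
    return header


def compute_mac(mode, password, header):
    """MAC over the header. MD5 per RFC 5905 is a keyed digest of
    key || message; HMAC-SHA256 is assumed here to be a standard HMAC."""
    key = password.encode()
    if mode == "md5":
        return hashlib.md5(key + header).digest()              # 16 bytes
    if mode == "hmac-sha256":
        return hmac.new(key, header, hashlib.sha256).digest()  # 32 bytes
    raise ValueError(f"unsupported authentication mode {mode!r}")


def sign_packet(header, key_id, mode, password):
    """Client side: append the key ID and the MAC to the header."""
    if key_id == 0:
        raise ValueError("key ID must be a number other than 0")
    return header + struct.pack("!I", key_id) + compute_mac(mode, password, header)


def verify_packet(packet, keyring):
    """Server side. keyring maps trusted key IDs to (mode, password).
    Returns (accepted, reason)."""
    if len(packet) < NTP_HEADER_LEN + 4:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    received = packet[NTP_HEADER_LEN + 4:]
    if key_id == 0 or key_id not in keyring:
        return False, f"key ID {key_id} is not trusted"
    mode, password = keyring[key_id]
    expected = compute_mac(mode, password, header)
    if len(received) != len(expected):
        return False, "MAC length mismatch: authentication mode differs"
    if not hmac.compare_digest(received, expected):
        return False, "MAC mismatch: password differs"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: key ID 10 and the password are not from the guide.
    server_keys = {10: ("hmac-sha256", "S3cret-ntp")}
    header = build_ntp_client_header()
    cases = {
        "matching key": sign_packet(header, 10, "hmac-sha256", "S3cret-ntp"),
        "wrong password": sign_packet(header, 10, "hmac-sha256", "wrong"),
        "wrong key ID": sign_packet(header, 11, "hmac-sha256", "S3cret-ntp"),
        "mode mismatch": sign_packet(header, 10, "md5", "S3cret-ntp"),
    }
    for name, pkt in cases.items():
        print(name, verify_packet(pkt, server_keys))
```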

Virtual Network

Routing

AS number

Local AS number. Sites that are deployed by the same tenant account on iMaster NCE-Campus belong to the same AS.

The default value is 65001. You do not need to change the value in most cases. Change the BGP AS number only when necessary, for example, when the default AS number conflicts with the AS number already planned for an existing device on the network.

Y

Routing protocol

Only BGP is supported.

Y

Community pool

This is a resource management pool. You can configure a community pool to assign community attribute values to services.

Currently, the community pool is mainly used in the following configurations: IBGP on the WAN, RR management, Internet access, mutual access, and area management. When the community pool is insufficient, a maximum of 10 community attribute pools can be added. After the configuration, the community pool that has been used cannot be updated or deleted. Unused community pools can be deleted.

When the RR source is set to MSP RR, all community attributes are allocated from the community attribute pool configured by the MSP.

Y

IPv4 Dual-Gateway Interconnection Protocol

Protocol used to connect dual gateways. In the dual-gateway scenario, you can configure a routing protocol (OSPF or IBGP) for exchanging routing information between the two gateways. iMaster NCE-Campus automatically orchestrates route configurations based on the selected routing protocol and delivers the configurations to CPEs.

Figure 2-15 Dual-gateway networking

NOTE:
  • Changing the dual-gateway interconnection protocol does not affect existing sites under the tenant, and applies only to newly created sites.
  • This configuration takes effect on devices when the sites where they belong are added to VPNs. Once a site is added to a VPN, iMaster NCE-Campus delivers the dual-gateway interconnection protocol specified in the global configuration to devices at the site. Changing this configuration does not affect sites that have been added to VPNs.

Y

Routing policy delay configuration

Whether to make routing policies take effect after a specified delay. Devices running V300R021C10 and later versions support this function. AR5700&6700&8000 series devices do not support this function.

A network often has multiple cooperative routing policies. By default, a change to a single routing policy takes effect immediately, even though the modification of the overall set of routing policies may not yet be complete. In this situation, route flapping occurs, which results in network instability. To prevent this problem, you can configure a delay after which a modified routing policy takes effect.

Y

Routing policy delay

Delay after which routing policies take effect. The value ranges from 1 to 180, in seconds.

Y

IP Pool

IPv4 pool

When iMaster NCE-Campus automatically orchestrates services such as overlay tunnels, overlay WAN routes, and site Internet access, IP addresses need to be allocated. Plan address pools based on the network scale. The number of required addresses increases with the number of sites. For details about the relationship between them, click Details.

The addresses to be configured include tunnel interface addresses, interworking tunnel addresses, CPE addresses, and interface addresses of an interlink between dual gateways.

After you set reserved IP addresses, iMaster NCE-Campus automatically assigns an IP address according to the following rules:

One or more IP address pools can be configured and the IP addresses in these address pools are automatically divided into multiple address segments, which are used by the following interfaces:

  • Loopback interfaces of CPEs
  • Interfaces of interworking tunnels
  • Interfaces of interlinks
  • EVPN tunnel interfaces

You can select Simple mode or Advanced mode for an address pool. If Simple mode is selected, all addresses are assigned from the same address pool. If Advanced mode is selected, addresses can be assigned from IP pool, Interworking Tunnel, and Interlink.

For a network as shown in the following figure, in advanced mode, IP addresses in IP pool are assigned to loopback interfaces and EVPN tunnel interfaces on CPEs; IP addresses in Interworking Tunnel are assigned to interfaces at both ends of a tunnel connecting underlay and overlay domains on a single device; IP addresses in Interlink are assigned to interfaces at both ends of an interlink connecting dual gateways.

Determine the mask length of an address pool based on the site quantity. The mask length determines the number of addresses in the address pool.

Y

IPv6 pool

IPv6 address pool. If IPv6 is required on CPEs, interworking tunnels, and interlinks, you need to configure an IPv6 address pool.

  • Interworking address pool: allocates unique IPv6 addresses to interfaces of interworking tunnels. Addresses in this pool must be located on the IPv6 address segment with the prefix of FD00::/8.
  • Interlink address pool: allocates IPv6 addresses to interfaces of interlinks connecting dual gateways. Addresses in this pool must be located on the IPv6 address segment with the prefix of FD00::/8.
  • Link-local address pool: allocates link-local addresses to CPEs. Addresses in this pool must be located on the IPv6 address segment with the prefix of FE80::/10. After an interface obtains a link-local address, it can implement neighbor discovery and automatically configure a global unicast address or a unique local address.

The prefix of IP addresses in the interworking and interlink address pools must be FD00::/8, and the prefix of IP address in the link-local address pool must be FE80::/10.

Y

DNS

DNS Server Group Name

Domain Name System (DNS) used for domain name resolution. The DNS server is usually deployed on a public network. A maximum of 16 DNS groups can be configured for a tenant. A maximum of six DNS server IP addresses can be configured in each group.

Y

DNS Server IP Address

You can plan multiple DNS server IP addresses. A DNS server IP address is used when a LAN interface is configured. If a CPE is enabled as the DHCP server, you can select a DNS server group name for the CPE. The DNS server address is sent to a client on the LAN side via a DHCP response.

Y

Custom Port Configuration

DTLS Server Port

Listening port for a DTLS server.

A CPE registers with an RR through DTLS. An RR establishes a DTLS connection with a CPE to set up a control channel for TNP information exchange between them. When an RR goes online, iMaster NCE-Campus delivers the command that configures the DTLS server listening port to the RR. As such, the RR can set up control channels with CPEs.

By default, the DTLS server listens on port 55100. You can modify this setting as needed.

Y

STUN Server Port

In most cases, an RR is configured as a STUN server and the CPE functioning as a branch gateway is configured as a STUN client. To detect whether a NAT device is deployed between the RR and CPE, enable the STUN server function on the RR and configure the IP address and UDP port number on which the STUN server listens.

By default, the STUN server listens on port 3478. You can modify this setting as needed.

Y

Connection Source Port

After this item is toggled on, you can specify the scanning start port, scanning times, and scanning increment for NAT detection, hole punching, and Keepalive (KA) packets.

Y

Collection Configuration

Application traffic

Whether to enable global traffic statistics collection. After this function is enabled, inter-site traffic and inter-site application traffic at all sites are collected.

-

Application quality

Whether to enable application quality statistics collection. After this function is enabled, AQM distribution statistics of all applications are collected and the five applications with the worst AQM are listed.

-

WAN link traffic

Whether to enable inter-site traffic monitoring. After this function is enabled, traffic passing all inter-site links is monitored in real time.

-

Table 2-79 Mapping between mask lengths and network scales

Network Scale/Number of Sites    Recommended Configuration (Single Network Segment)
2-10                             /23
11-30                            /22
31-60                            /21
61-120                           /20
121-250                          /19
251-500                          /18
501-1000                         /17
1000+                            /16
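The IP pool rules above and Table 2-79 can be turned into a pre-deployment plan check. The following Python script is an added example, not part of this guide or of iMaster NCE-Campus: it looks up the recommended IPv4 prefix length for a site count, verifies that the configured pools supply at least that many addresses without overlapping, and checks that the IPv6 interworking and interlink pools lie within FD00::/8 and the link-local pool within FE80::/10. The function names and the sample pools are constructed for the example.

```python
import ipaddress

# Table 2-79 from the guide: upper site count -> recommended IPv4 prefix
# length for a single network segment; more than 1000 sites -> /16.
MASK_BY_SITES = [(10, 23), (30, 22), (60, 21), (120, 20),
                 (250, 19), (500, 18), (1000, 17)]

# Ranges the guide requires for the IPv6 pools.
ULA_RANGE = ipaddress.IPv6Network("fd00::/8")         # interworking and interlink pools
LINK_LOCAL_RANGE = ipaddress.IPv6Network("fe80::/10")  # link-local pool


def recommended_prefix(site_count):
    """Return the prefix length Table 2-79 recommends for a site count."""
    if site_count < 2:
        raise ValueError("a multi-site plan needs at least 2 sites")
    for max_sites, prefix in MASK_BY_SITES:
        if site_count <= max_sites:
            return prefix
    return 16


def check_plan(site_count, ipv4_pools, interworking6=None,
               interlink6=None, link_local6=None):
    """Validate an address plan; returns a list of findings (empty = passes)."""
    findings = []

    # IPv4: total pool capacity must cover the recommended single segment.
    prefix = recommended_prefix(site_count)
    needed = 2 ** (32 - prefix)
    nets = []
    for text in ipv4_pools:
        try:
            nets.append(ipaddress.IPv4Network(text))  # strict: host bits set is an error
        except ValueError as exc:
            findings.append(f"invalid IPv4 pool {text!r}: {exc}")
    have = sum(n.num_addresses for n in nets)
    if have < needed:
        findings.append(f"IPv4 pools provide {have} addresses but "
                        f"{site_count} sites need a /{prefix} ({needed})")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"IPv4 pools {a} and {b} overlap")

    # IPv6: each pool must sit inside the range the guide mandates.
    wanted = {"interworking": (interworking6, ULA_RANGE),
              "interlink": (interlink6, ULA_RANGE),
              "link-local": (link_local6, LINK_LOCAL_RANGE)}
    parsed = {}
    for name, (text, required) in wanted.items():
        if text is None:
            continue
        try:
            net = ipaddress.IPv6Network(text)
        except ValueError as exc:
            findings.append(f"invalid {name} pool {text!r}: {exc}")
            continue
        if not net.subnet_of(required):
            findings.append(f"{name} pool {net} is not within {required}")
        parsed[name] = net
    if "interworking" in parsed and "interlink" in parsed:
        if parsed["interworking"].overlaps(parsed["interlink"]):
            findings.append("interworking and interlink IPv6 pools overlap")
    return findings


if __name__ == "__main__":
    # Constructed sample plan for 25 sites (Table 2-79 recommends a /22).
    for finding in check_plan(25, ["10.255.0.0/24"],
                              interworking6="2001:db8::/64",
                              interlink6="fd00:2::/64",
                              link_local6="fe80::/64") or ["plan passes"]:
        print(finding)
```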

Adding an AR Device

Context

An administrator can configure and manage devices only after adding the devices to iMaster NCE-Campus.

Feature Requirements

  1. A tenant can manage a maximum of 8000 devices (in a six-node cluster).
  2. Add devices that meet the model and version requirements to iMaster NCE-Campus. Otherwise, iMaster NCE-Campus may fail to deliver configurations to the devices. If you add a device running an unsupported version and directly upgrade it to a supported version, iMaster NCE-Campus may fail to deliver configurations to the device as well. If you delete a device running an unsupported version first, upgrade it, and then add it to iMaster NCE-Campus, the configurations can be delivered to the device successfully.

Procedure

  1. Choose from the main menu.
  2. Click Add on the Device Management tab page.
  3. The system provides multiple methods for you to add devices: Add, Import in batches, and Automatic discovery.

    • The manual addition mode is typically used when a small number of devices need to be added to the same site.
      Currently, two modes are supported. For details about the application scenarios of each mode, see Table 2-80.
      Table 2-80 Methods of adding devices and application scenarios

      Method: By ESN
      Scenario:
      • This mode can be used in all deployment modes.
      • This mode must be used in DHCP option-based deployment, USB-based batch deployment, and manual deployment scenarios.

      Method: By device model
      Scenario:
      • A device with a 12-digit ESN can be added only in this mode.
      • This mode can be used in all deployment modes except DHCP option-based deployment, USB-based batch deployment, and manual deployment.
      • Adding devices by device model
        1. Select NETCONF protocol.
        2. Set Site. By default, Not in any sites is selected. To add a device to an existing site, click and select the target site.
        3. Set Mode to Device Model, set Type, Model, Quantity, Deployment Security Check, and Role of the device to add, and then click OK.

          • If the RR source is set to MSP RR in the global configuration, tenants do not need to add devices with the Gateway+RR role.
          • When adding an AR1000V, ensure that the actual performance value of the device is less than or equal to the configured Performance value. Otherwise, the AR1000V cannot go online.
          • To ensure network security, you are advised to enable Deployment Security Check.
            • If this parameter is toggled on, iMaster NCE-Campus does not deliver configurations to devices after they go online. After a device goes online, its Administrative Status displays Awaiting deployment confirmation on the device management page. To deliver configurations to specific devices, select target devices on the device management page and click Deploy.
            • If Deployment Security Check is disabled, configurations are automatically delivered to devices after they go online for the first time.
          • The AR role is determined by the site type. When adding a device to an edge site, set the device role to Gateway. When adding a device to an RR site, set the device role to Gateway+RR. When adding a device to a site that functions as an edge site and an RR site at the same time, set the device role to Gateway+RR.
        4. Import device ESNs. In DHCP-based deployment, USB-based batch deployment, and manual deployment scenarios, device ESNs need to be entered.
          • In email-based deployment, USB-based deployment, and cloud site deployment scenarios, you do not need to set device ESNs.
          • If a device cannot be added because its ESN has been set on the system, contact the system administrator or MSP administrator to delete the device ESN.
        5. (Optional) After the system administrator configures interconnection with the registration center, the function of synchronizing information to the registration center is enabled on devices added to sites by default. After this function is enabled, deployment through the registration center is supported.
        6. Click OK. For an onboarded device, you can click its name to view the device status. In addition, you can also reboot the device or access its CLI through the controller.

          After a DR switchover, the connection between the originally online device and iMaster NCE-Campus becomes unavailable. As a result, iMaster NCE-Campus disconnects the device. In this case, the device automatically goes online again and returns to the normal state after 10 to 20 minutes.

      • Adding devices by ESN
        1. Select NETCONF protocol.
        2. Set Site.
        3. Set Mode to ESN, set the device ESN, name, role, deployment confirmation, description, asset number, and performance, and click OK.

          For an AR5700&6700&8000 series device, run the following command to check its ESN:
          display device esn
          For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check its ESN:
          display esn
    • Batch Import is typically used when a large number of devices need to be added. A maximum of 1000 devices can be imported at a time.
      1. Select NETCONF protocol.
      2. Download and fill in the template, and upload the template. Then, select the devices to be added in the Import Result window, and click OK.

    • Automatic discovery applies when gateways or core devices have been managed by iMaster NCE-Campus. You can collect information about neighboring devices of the gateways or core devices, and obtain ESNs and models of the discovered devices. This method helps you create a large number of devices in batches with one click.
      1. Choose from the main menu.
      2. On the Device tab page, click In Sites or Not in Any Sites, click Add Device, and choose Automatic discovery from the shortcut menu. On the displayed page, select the NETCONF protocol as the device discovery protocol. Then click Select Devices to Scan and select the devices to be scanned.
      3. Wait for the scanning to complete, and click OK.
      4. Set the name, role, and site for each discovered device, select the devices to be added, click Add Selected Devices, and click OK.

  4. After the device is added, you can view the device information on the device management page.

Follow-up Procedure

  • Restart a device and restore the device configuration.

    You can select an online device, and click Reset to Deployment State to restore the device to its factory defaults or click Restart to restart the device.

    This operation has high risks and cannot be rolled back. Exercise caution when you perform this operation.

  • View device details.

    You can click the name of an online device to view its detailed information. For details, see Viewing and Exporting Device Information.

Parameter Description

Table 2-81 Parameters on the Add Device page

Parameter

Description

Addition method

Method of adding a device. You can manually add devices, import devices in batches, or configure automatic device discovery.

Mode

Mode of adding a device. The following modes are supported:
  • ESN: If you have obtained the device ESN, you can add the device by ESN.
  • Device model: If the device ESN is not obtained, you can add a device by device model. This mode is used for pre-configuration in most cases. The selected device model must be the same as the actual device model. Currently, you are advised to add devices by device model.

Device information

ESN

Device ESN, which is the unique identifier of a device. You can obtain the ESN of a device from the device's factory configuration list. Alternatively, you can run the display esn command on an AR600&6100&6200&6300&SRG series device (or the display device esn command on an AR5700&6700&8000 series device) to obtain the device ESN.

Name

Unique name of a device. When you add a device by device model, the system automatically generates a device name after you select a device model. When you add a device by ESN and leave the device name empty, the system uses the device ESN as the device name by default. A device name can contain a maximum of 64 characters.

Role

When the device type is set to AR, the role can be Gateway or Gateway+RR.

NOTE:

If a device has its role changed after deployment, you need to deploy the device again. Otherwise, there may be residual configurations on the device and services may be abnormal. After the deployment is complete, do not change device roles unless necessary.

Performance (This parameter can be configured only when the device model is AR1000V.)

Forwarding performance supported by the device. Set this parameter based on the N1 software package you have purchased for the AR1000V.

1G: After an N1 software package is loaded, the device performance can reach 1 Gbit/s. If no N1 software package is loaded, the device performance is 10 Mbit/s by default.

5G: After an N1 software package is loaded, the device performance can reach 5 Gbit/s. If no N1 software package is loaded, the device performance is 10 Mbit/s by default.

10G: After an N1 software package is loaded, the device performance can reach 10 Gbit/s. If no N1 software package is loaded, the device performance is 10 Mbit/s by default.

Creating a Site

Application Scenario

To facilitate device management and improve service deployment efficiency, devices on the same network of the same tenant can be added to the same site.

A tenant administrator can create different organizations and add a site to one organization. Currently, up to five-layer organizations can be created.

You can create sites on iMaster NCE-Campus for unified O&M and management. Either of the following modes is available for you to create a site:

  • Creating sites one by one: You can create sites one by one when a small number of sites need to be created.
  • Creating sites in batches: You can create sites in batches when a large number of sites need to be created. This mode is currently not applicable to cloud sites.

Feature Requirements

  • Each tenant can manage a maximum of 20000 sites if iMaster NCE-Campus is deployed as a distributed cluster, 20000 sites if iMaster NCE-Campus is deployed as a minimum cluster, and 5000 sites if iMaster NCE-Campus is deployed as a single-cluster system.
  • If the number of sites exceeds 2000, area interconnection is not supported.

Procedure

  1. Choose .
  2. Click Create and set parameters as prompted.
  3. Set parameters in the Basic Site Information area, such as Site Name, Location, and Device type. In IPv6 single-stack or IPv4/IPv6 dual-stack deployment scenarios, select a southbound IP service as needed.

    • A tenant administrator can select a southbound IP service created by the system administrator for Southbound IP service name and view available southbound IP services on the page.
    • After Device type is set, you can only add device types but cannot replace device types. For example, you can add ARs to a site that contains only APs. However, you cannot change a site that contains only APs to a site that contains only ARs. When LSWs are deployed as WACs, you need to select both LSW and WAC.
    • If OLTs and ONUs need to be managed by iMaster NCE-Campus, install the PON network management feature during iMaster NCE-Campus installation; otherwise, iMaster NCE-Campus cannot manage OLTs and ONUs.
    • APs and WACs cannot be deployed together at a site.

  4. (Optional) In the Basic Site Information area, expand More, and determine whether to toggle on ESN-free. After the ESN-free switch is toggled on, you do not need to enter device ESNs for iMaster NCE-Campus to manage the devices. Instead, iMaster NCE-Campus automatically discovers devices and adds them to the approval-required list. After being approved by users, the devices are managed by iMaster NCE-Campus. You can enable Exempt from approval to improve deployment efficiency.

    • Validity period of site authentication code: This parameter specifies the time period during which devices can be added free of ESNs. If you toggle on the ESN-free switch for a site, iMaster NCE-Campus generates a unique authentication code for the site. This code is displayed in the Site Code column on the site information page. When the authentication code of a site expires, you cannot add devices to the site free of ESNs. The default validity period of a site authentication code is 7 days. You can extend the validity period for a maximum of 30 days.
    • Exempt from approval: After this function is enabled, iMaster NCE-Campus can manage devices directly, without the need of waiting for device approvals. iMaster NCE-Campus automatically adds new devices to the device list and consumes corresponding licenses. Before enabling this function, ensure that there is no unknown device on the current network. After devices are added successfully, disable this function in a timely manner.

      • Currently, stacks cannot be managed free of ESNs. The following devices can be managed free of ESNs:
        • APs and WACs running V200R022C00 and later versions
        • V200 switches running V200R022C00 and later versions
        • V600 switches running V600R022C00 and later versions
      • When iMaster NCE-Campus manages devices using the approval-free function, the devices automatically assume the Access role. After a device is managed, you can modify the device role on the Device tab page under .

  5. Set parameters in the Site Configuration area.

    • Set Configuration mode.

      You can set this parameter to Default or Configuration File. When Configuration File is selected, the system delivers configurations to devices through device configuration files. This mode is applicable only to LSWs and WACs.

      When Configuration File is selected, you need to prepare device configuration files in advance and then import and deliver the files to target devices on the page to complete device configuration.

      When you create a site in Configuration File mode, the following constraints apply:

      • Sites created in Configuration File mode do not support the following functions: site configuration, VXLAN fabric configuration, admission configuration, third-party server configuration, and device upgrade.
      • Devices at sites created in Configuration File mode can be migrated to other sites created in the same mode. Such devices cannot be migrated to other sites created in Default mode or be removed from the current sites.
      • Devices at sites created in Configuration File mode cannot be added to stacks after being configured using configuration files.
      • Sites created in Configuration File mode can use only specific northbound interfaces.
    • Set Configuration source type.

      You need to set Configuration source type when Configuration mode is set to Default. The following options are available: Deep clone, Default settings, and Clone from an existing site.

      • Default settings: You can configure sites as needed.
      • Clone from an existing site: When creating a site, you can clone the configuration of an existing site for use with the new site, reducing repeated configurations. This mode is applicable to all site-level features.
      • Deep clone: Currently, only sites that contain firewalls only, or APs and firewalls, support deep cloning. On iMaster NCE-Campus, you can clone selected data of sites and devices from existing sites.

        In deep clone mode, sites can be cloned one by one or in batches. If a small number of sites need to be cloned, you can clone them one by one. When a large number of sites need to be cloned, you can clone them in batches.

        Table 2-82 Features that support deep cloning

        Device: FW
        Features:
        • Network (subnet, uplink management, NAT, and DNS)
        • Physical interface
        • IPsec VPN
        • Security policy
        • Traffic policy

        Device: AP
        Features:
        • SSID (802.1X authentication)
        • Radio (radio calibration, radio advanced settings, and channel planning on a per-device basis)
        • Blacklist and whitelist (MAC address-based filtering)

        Device: Universal configuration
        Features:
        • NTP, SNMP, and local user management

        A site with fewer than 50 firewalls can be used as the source site for cloning.

  6. Add devices to the site. Click Select Device to add existing devices on the system to the site for management.

    • For new devices that have not been added to iMaster NCE-Campus, you can add them to a site by ESN or device model.
      For an AR5700&6700&8000 series device, run the following command to check its ESN:
      display device esn
      For an AR600&6100&6200&6300 series or AR1000V device, run the following command to check its ESN:
      display esn
    • If two AR devices need to be added to a site, you are advised to add devices of the same model.

  7. (Optional) In the Add Device area, add devices to the site.

    You can add devices to a site by device model or ESN. Alternatively, you can add devices to a site after the site is created.

    When adding a device to an on-premises site, you need to set the device role based on the site requirements. The recommended roles for each device type are as follows:

    • AP: Gateway, Access, or AP
    • LSW: Core, WAC, Aggregation, or Access
    • FW: Gateway, Gateway+Core, or Firewall
    • WAC: WAC
    • AR: Gateway, Gateway+Core, or Gateway+RR

      A site's type varies according to the AR device role and networking model.

      • On a hub-spoke network:

        If ARs assume the Gateway+Core role, the site is a hub site.

        If ARs assume the Gateway role, the site is a spoke site.

        If ARs assume the Gateway+RR role, the site is an RR site. If a site needs to function as a hub site and an RR site at the same time, set the AR device role of this site to Gateway+RR.

      • On a full-mesh network:

        If ARs assume the Gateway role, the site is a branch site.

        If ARs assume the Gateway+RR role, the site is an RR site.

      Site roles are classified into edge sites and RR sites only when the SD-WAN value-added feature has been installed and the GRE tunnel mode for SD-WAN scenarios is selected on the page.

      • Edge site: An edge site is a WAN-side router. It establishes secure data channels with multiple remote edge sites.
      • RR: An RR is an independent CPE. It distributes EVPN routes between CPEs based on VPN topology policies.

    If you do not specify a role when adding an AP, the AP automatically assumes the AP role. If you do not specify a role when adding a device of another type, the device automatically assumes the Access role.

    When adding a device to a cloud site, you need to set the device role. Configure roles for devices based on the site requirements.

  8. Click OK. The site is created and configurations are delivered.

    You can click Apply and Deploy to go to the Branch Network page to perform deployment configurations. For details, see Branch Network.

Follow-up Procedure

  • Create sites in batches.

    You can click Batch Create, download the site configuration template, enter information about all sites in the template, and import the template to the system. Then you can create all required sites at a time.

  • Create a site template.

    Choose . On the Site Template page, click Create to create a site template. Then you can bind the created template to sites on the current page.

  • Change the organization to which a site belongs.

    To change the organization to which a site belongs, select the target site and then click Change Organization.

  • Filter sites by organization.

    To create a lower-level organization of the current organization, click an organization name on the left and click . Currently, at most five-layer organizations can be created.

    You can click an organization name to view sites under the organization.

  • Delete a site.

    Select a site and click Delete or in the Operation column.

    Deleting a site does not clear the configurations of the devices at that site. If you want to re-deploy the devices at another site, perform the following operations:

    • If the deployment configurations of the new site are different from those of the deleted site, you need to restore the devices to their factory defaults onsite, and then re-deploy them.
    • If the deployment configuration of a new site is the same as that of the deleted site, you only need to select the devices on the device management page of iMaster NCE-Campus, click Restore Deployment Configurations, and add them to the new site.
  • Export and import site configurations after sites are created and activated when the tunnel mode SD-WAN scenario (GRE tunnel) is used. For details, see Importing and Exporting Site Configurations.
    • Quickly configure a new site based on configured sites.

      You can export and modify the configuration of a deployed site and import the modified configuration to quickly deploy a new site. If the site name changes, you need to manually create a site with the changed name and import the configuration again.

    • Modify site configurations in batches.

      After exporting configurations of multiple sites, you can modify some parameters and import them to modify sites in batches. You can add, delete, and modify site configurations.

    • Restore site configurations.

      You can periodically export site configurations. If an error occurs during subsequent configuration, you can import the previous configuration to restore the site.

  • After ESN-free is toggled on, you can view, modify, or extend the validity period of site authentication codes.
    • Viewing the site authentication code

      Choose to view the site authentication code that is automatically allocated.

    • Modifying the site authentication code

      Click . The site information configuration page is displayed. Click to modify the site authentication code.

    • Extending the validity period of the site authentication code

      Click . The site information configuration page is displayed. Click Click here to extend the validity period of the site authentication code.

  • After ESN-free is toggled on, devices can be managed by iMaster NCE-Campus only after being approved.
    1. Choose .
    2. Click Approve. The device approval page is displayed.
    3. Select a device and click Pass.

Parameter Description

Table 2-83 Key parameters for creating a site (columns: Parameter; Description; Data Plan in Advance)

Site Name
  Description: Name of the site to be created.
  Data Plan in Advance: Y

Southbound IP service name
  Description: Select a southbound IP service that has been configured. In the IPv6 or IPv4/IPv6 dual-stack scenario, southbound IPv6 addresses are displayed on the Select Southbound IP Service Name page.
  Data Plan in Advance: -

ESN-free
  Description: Whether to enable the ESN-free device management function. After this function is enabled, you do not need to enter device ESNs for iMaster NCE-Campus to manage the devices. Instead, iMaster NCE-Campus can automatically discover devices and add them to the approval list. After being approved by users, the devices are managed by iMaster NCE-Campus successfully.
  Data Plan in Advance: Y

Validity period of site authentication code (configurable when ESN-free is toggled on)
  Description: iMaster NCE-Campus generates a unique authentication code for each site. The code is valid for 7 days by default. You can configure the code to be valid for 1 day, 7 days, or 30 days. After the site authentication code expires, the ESN-free device management function is automatically disabled and logs are recorded. After the ESN-free device management function is enabled again, a new site authentication code is generated.
  Data Plan in Advance: Y

Exempt from approval (configurable when ESN-free is toggled on)
  Description: Whether to enable device approval exemption. After this function is enabled, iMaster NCE-Campus can manage devices directly, without the need of waiting for device approvals. iMaster NCE-Campus automatically adds new devices to the device list and consumes corresponding licenses.
  Data Plan in Advance: Y

Add Device
  Description: Select Device: Add devices that have been managed by iMaster NCE-Campus to the site.
  Data Plan in Advance: -

Device type
  Description: Types of devices that can be added to the site. The options include AR, AP, FW, LSW, WAC, OLT, ONU, and NE. You can select one or more of the preceding options.
  Constraints:
    • After Device type is set, you can only add device types but cannot replace device types. For example, you can add ARs to a site that contains only APs. However, you cannot change a site that contains only APs to a site that contains only ARs. When LSWs are deployed as WACs, you need to select both LSW and WAC.
    • If iMaster NCE-Campus needs to manage OLTs and ONUs, install the PON management feature when installing iMaster NCE-Campus. Otherwise, iMaster NCE-Campus cannot manage OLTs and ONUs.
    • APs and WACs cannot be deployed together at a site.
  Data Plan in Advance: Y

Role
  Constraints: ARs configured with the Gateway or Gateway+Core role can be added only to edge sites. ARs configured with the Gateway+RR role can be added only to RR sites.
  Value range:
    • AP: Gateway, Access, or AP
    • LSW: Core, WAC, Aggregation, or Access
    • FW: Gateway, Gateway+Core, or Firewall
    • AR: Gateway, Gateway+Core, or Gateway+RR
    • WAC: WAC
  If you do not set the device role when adding a device, the system sets the device role to Access by default.
  Data Plan in Advance: Y

Add Device
  Description:
    • Select Device: Add devices that have been managed by iMaster NCE-Campus to the site.
    • By Model: Add devices by device model. After devices are added in this mode, you need to enter their ESNs on the system later. This method is recommended.
    • By ESN: Add devices by ESN.
  Data Plan in Advance: Y

Configuration mode
  Value range: The options include Default and Configuration File.
  Constraints:
    • When Configuration File is selected, you need to prepare device configuration files in advance and then import and deliver the files to target devices on the Maintenance > Device Maintenance > Configuration File Management page to complete device configuration.
    • Sites created in Configuration File mode do not support the following functions: site configuration, VXLAN fabric configuration, admission configuration, third-party server configuration, and device upgrade.
    • Devices at sites created in Configuration File mode can be migrated to other sites created in the same mode. Such devices cannot be migrated to other sites created in Default mode or be removed from the current sites.
    • Devices at sites created in Configuration File mode cannot be added to stacks after being configured using configuration files.
    • Sites created in Configuration File mode can use only specific northbound interfaces.
  Data Plan in Advance: Y

Configuration source type
  • Default settings
    Meaning: With this option selected, you need to configure the site manually.
  • Clone from an existing site
    Meaning: With this option selected, you can clone the configuration of an existing site for use with the new site, reducing repeated configurations.
    Constraints: This mode applies to all site-level features.
  • Deep clone
    Meaning: One or more sites can be cloned at a time. If a small number of sites need to be cloned, you can clone them one by one. If a large number of sites need to be cloned, you can clone them in batches.
    Constraints: Currently, only the sites containing firewalls only or containing APs and firewalls support the deep cloning function. You can create a site by cloning selected site and device data from an existing site on iMaster NCE-Campus.
  Data Plan in Advance: Y

(Optional) Managing Templates

(Optional) Configuring a WAN Link Template

You can configure this feature only when the tunnel mode is set to SD-WAN scenario (GRE tunnel) on the page.

Context

To reduce repeated configurations when adding multiple sites with the same gateway type, the same number of WAN links, and the same transport networks, you can configure a link template to cover the configurations shared by these sites. By customizing a link template, you can modularize repeated configurations.

iMaster NCE-Campus provides default link templates, as listed in Table 2-84. If the default link templates can meet your requirements, you do not need to customize a template by yourself. Otherwise, you can create a link template as required.

WAN link templates are not required during cloud site deployment or deployment through the registration query center. In these scenarios, you can skip this section.

You are not allowed to modify or delete the default templates, and can only copy these templates.

Table 2-84 Default link templates (columns: Template Name; Template Description; WAN Link (Device, Port, Transport Network); Inter-CPE Link (Device, Port); Topology)

(The Topology column of the original table is a diagram for each template and is not included in this text.)

Single_gateway_mixed_links
  Template Description: Single gateway with an Internet link and an MPLS link
  WAN Link: Internet (Device1, GE0/0/0, Internet); MPLS (Device1, GE0/0/1, MPLS)
  Inter-CPE Link: -

Single_gateway_mpls_link
  Template Description: Single gateway with an MPLS link
  WAN Link: MPLS (Device1, GE0/0/0, MPLS)
  Inter-CPE Link: -

Single_gateway_internet_link
  Template Description: Single gateway with an Internet link
  WAN Link: Internet (Device1, GE0/0/0, Internet)
  Inter-CPE Link: -

Single_gateway_dual_internet_links
  Template Description: Single gateway with dual Internet links
  WAN Link: Internet1 (Device1, GE0/0/0, Internet); Internet2 (Device1, GE0/0/1, Internet)
  Inter-CPE Link: -

Dual_gateways_mixed_links
  Template Description: Dual gateways with an Internet link and an MPLS link respectively
  WAN Link: Internet (Device1, GE0/0/0, Internet); MPLS (Device2, GE0/0/0, MPLS)
  Inter-CPE Link: Device1: GE0/0/1, Device2: GE0/0/1

Prerequisites

Global parameters have been set for the site. For details, see Setting Global Parameters.

Procedure
  1. Choose from the main menu. Click the WAN Template tab.
  2. Click the WAN Link Template tab.
  3. Create a WAN link template. Click Create to access the page for creating a WAN link template.

    1. Set parameters for a WAN Link template.
      1. Set Template name.
      2. Set Gateway as needed.
      3. Determine whether to enable Multiple sub-interfaces. If this function is enabled, multiple sub-interfaces can be configured for a physical interface.
    2. Configure WAN links. In the WAN Link area, click Create to configure a WAN link. The following parameters need to be set in a WAN link template: Name, Device, Interface, Sub Interface, Overlay Tunnel, Transport Network, and Role.

      You can create multiple WAN links for each gateway. At most 256 sub-interfaces can be created for a single gateway, and at most 512 sub-interfaces can be created for dual gateways.

      Click Configuration in the Advanced parameters column to select a southbound access service and set its priority.

  4. If Gateway is set to Dual gateways, configure an interlink connecting the dual gateways. Otherwise, skip this step.

    1. If LAN-side Layer 2 physical interfaces are required on both ends of the interlink, set Use LAN-side L2 interface to .
      • Spanning Tree Protocol (STP) is enabled on CPEs by default. If dual gateways are connected through two interlinks with Layer 2 physical interfaces on both ends, these interfaces are added to the same VLAN. In this case, if a loop occurs, STP sets one physical interface to the Block state. At this time, if the blocked physical interface is used by LAN-side services, user traffic may be interrupted. Therefore, it is recommended that the physical interfaces used by an interlink between dual gateways be different from those used by user services on the LAN side.
      • If an interlink between dual gateways uses Layer 3 physical interfaces, you do not need to enable Use LAN-side L2 interface.
    2. Configure a VLAN ID. Interfaces on both ends of an interlink connecting dual gateways will be added to this VLAN.
    3. Click Create. Configure an interlink between dual gateways and set the physical interfaces on both ends of the interlink.

      At most two interlinks can be created between dual gateways.

  5. Click OK.
Follow-up Procedure
Table 2-85 Follow-up procedure of configuring a WAN link template (columns: Function; Operation Scenario and Constraint; Procedure)

Importing or exporting WAN link templates in batches
  Operation Scenario and Constraint: WAN link templates can be imported or exported in batches using Excel files.
  Procedure: Click Import or Export to configure WAN link templates in batches.

Modifying a WAN link template
  Operation Scenario and Constraint: The template name, gateway type, and WAN link information can be modified. The default templates provided by the system cannot be modified.
  Procedure: Click in the Operation column on the WAN Link Template page to modify a template.

Deleting a WAN link template
  Operation Scenario and Constraint: WAN link templates can be deleted. The default templates provided by the system cannot be deleted.
  Procedure: Click in the Operation column on the WAN Link Template page to delete a template.

Copying a WAN link template
  Operation Scenario and Constraint: You can quickly create a WAN link template by copying an existing template, which improves configuration efficiency. If you perform any of the following operations after copying a template, the copied template may fail to be applied to sites associated with the source template:
    • Modify Gateway.
    • Modify or delete settings in the WAN Link area.
    • Modify parameters in the Inter-CPE Link area.
  Procedure: Click in the Operation column on the WAN Link Template page to copy a template.

Parameter Description
Table 2-86 Parameters on the WAN Link Template page (columns: Parameter; Description; Data Plan Required or Not)

Template name
  Description: Name of a WAN link template.
  Data Plan Required or Not: Y

Gateway
  Description: Gateway type of the site where the link template is to be applied.
    • Single Gateway: Select this option for sites with light gateway service traffic and low reliability requirements.
    • Dual Gateways: Select this option for sites with high reliability requirements.
  Data Plan Required or Not: Y

Multiple sub-interfaces
  Description: Whether to enable the multiple sub-interfaces function on a device. If a device requires multiple sub-interfaces on a WAN link for WAN-side communication, you need to enable this function on the device. After this function is enabled, a maximum of 256 sub-interfaces can be created for a single gateway, and a maximum of 512 sub-interfaces can be created for dual gateways.
  Data Plan Required or Not: Y

WAN Link

Name
  Description: Name of a WAN link.
  Data Plan Required or Not: Y

Device
  Description: Name of the gateway at the site.
  Data Plan Required or Not: Y

Interface
  Description: Type and number of a physical interface used by the WAN link. The following interface types are supported:
    • GE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
    • FE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
    • XGE: Ethernet interface, Ethernet sub-interface, and Layer 3 Eth-Trunk interface
    • LTE: 3G, 4G, and 5G interfaces
    • xDSL (ATM): ADSL interface, and G.SHDSL interface (working in ATM mode by default)
    • xDSL (PTM): VDSL interface (working in PTM mode by default)
    • E1-IMA (ATM): G.SHDSL interface (working in ATM mode by default), E1-IMA interface, and E1-IMA sub-interface
    • Ima-group: G.SHDSL interface (working in ATM mode by default), E1-IMA interface, and Ima-group sub-interface
    • Serial: Serial interface and FR sub-interface
    • Eth-Trunk interface
    • Loopback interface
      NOTE:
      1. Loopback interfaces can be used only as transport network ports (TNPs) and cannot be configured with any services.
      2. By default, the overlay tunnel function is enabled on virtual links with loopback interfaces at both ends and cannot be disabled.
  Data Plan Required or Not: Y

Sub Interface
  Description: Whether to enable the sub-interface function on the device.
  Data Plan Required or Not: -

Overlay Tunnel
  Description: Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created on the WAN link.
  Data Plan Required or Not: Y

Sub Interface Index
  Description: Number of the sub-interface. This parameter is available only when Sub Interface is enabled.
  Data Plan Required or Not: -

Transport Network
  Description: Type of the transport network to which a WAN-side physical link belongs. It describes transport networks with the same link quality attribute and is used to identify a type of network provided by the same ISP. Each physical WAN link of a site belongs to a transport network. If the available transport network types do not meet your requirements, create a transport network as needed on the WAN Global Configuration page.
  Data Plan Required or Not: Y

Role
  Description: Role of the link. You can set this parameter to active or standby. After active and standby links are configured, data travels only through the active link by default. If the active link fails, data is switched to the standby link.
  For a single-gateway site with multiple WAN links, specify each WAN link as active or standby. At least one active link must be configured. A maximum of one standby link (usually an LTE or 5G link) can be used as the escape link, which has the lowest priority. If all active links fail, traffic is forwarded through the escape link.
  For a dual-gateway site, all WAN links are active by default. In addition, a single-gateway site must have at least one active link.
  Data Plan Required or Not: Y

Advanced parameters
  Description: Click Configuration and set Controller Southbound interface service and Southbound access priority in the displayed dialog box.
  During the controller installation, an iMaster NCE-Campus southbound IP address is configured so that CPEs can communicate with iMaster NCE-Campus using this IP address. If iMaster NCE-Campus and some sites are on a private network while other sites are on a public network, two southbound IP addresses need to be configured so that sites on different networks can access iMaster NCE-Campus. As shown in the following figure, iMaster NCE-Campus and site 1 are on a private network, and site 2 is on a public network. iMaster NCE-Campus can access the public network only through the NAT device, and site 2 has access only to a public IP address after NAT. Therefore, two southbound IP addresses need to be configured during the installation: one is a private IP address, the other is a public IP address after NAT. When configuring a WAN link for site 1, specify the private IP address as the southbound IP address of iMaster NCE-Campus. When configuring a WAN link for site 2, specify the public IP address after NAT as the southbound IP address of iMaster NCE-Campus.
  In addition to the default southbound IP address provided by the system, you can also use a southbound access service configured by the system administrator to specify the southbound IP address used by CPEs to communicate with the controller.
  Data Plan Required or Not: Y

Controller Southbound interface service
  Description: The southbound access services that have been configured during controller installation planning are used as default options for this parameter. If the system administrator has enabled a customized southbound access service, you can select this customized service in the WAN link template. Tenant administrators can view all available southbound access services on the page. The system administrators can create southbound access services as needed on the page.
  Data Plan Required or Not: Y

Southbound access priority
  Description: Priority of a controller southbound access service. This parameter is configurable after Southbound interface service is set.
    • The priority can be High, Medium, or Low. The default value is Low.
    • For AR5700&6700&8000 series devices, the priority takes effect only for performance channels and is supported in V600R022C00 and later versions.
  NOTE: If a device has multiple WAN links, you can configure Southbound access priority for each WAN link. After the device starts, it can select a WAN link based on the priority to register with iMaster NCE-Campus.
  Assume that a device has both Internet and LTE links, and needs to use the Internet link as the active link and the LTE link as the backup link. When configuring ZTP, you can set Southbound access priority of the Internet link to High and that of the LTE link to Medium or Low. As such, the device preferentially selects the Internet link when it attempts to register with iMaster NCE-Campus, and automatically switches to the LTE link for registration if the Internet link is faulty.
  Data Plan Required or Not: Y

Inter-CPE Link (required only when Gateway is set to Dual Gateways)

Use LAN-side L2 interface
  Description: Whether to use Layer 2 physical LAN interfaces on the interlinks between two gateways.
    • If no direct link is configured between two gateways, LAN-side links need to be used for communication between dual gateways.
    • If direct links are configured between two gateways, LAN-side links do not need to be used.
  Data Plan Required or Not: Y

VLAN ID
  Description: VLAN ID used by interlinks for communication between two gateways and used for VPN communication. The number of VLAN IDs must be greater than that of VPNs. In the dual-gateway scenario, iMaster NCE-Campus configures a VLAN for each VPN on interlink interfaces between two gateways. This implements VPN isolation. The start VLAN ID must be in the range from 1 to 4086 and the end VLAN ID must be in the range from 9 to 4094. The difference between the start and end VLAN IDs must be greater than or equal to 8 and less than or equal to 300. A maximum of 16 VLAN ranges can be configured, and the total number of VLANs cannot exceed 301.
  Data Plan Required or Not: -

Device1 Interface, Device2 Interface
  Description: Physical interfaces used by interlinks between two gateways. If two interlinks are required, the types of the two interlink interfaces on the same device must be the same. The types of the interfaces on both ends of an interlink must be the same. The interface type varies according to whether a direct link exists between two gateways:
    • If a direct link exists between two gateways (that is, Use LAN-side L2 interface is disabled), use Layer 3 interfaces at both ends of an interlink. If only one interlink is required, Layer 3 sub-interfaces need to be created for the interfaces directly connecting the two gateways and be used as interlink interfaces. If multiple interlinks are required, iMaster NCE-Campus automatically configures the interfaces of these links as an Eth-Trunk sub-interface on each end to ensure link reliability.
    • If no direct link is configured between two gateways (that is, Use LAN-side L2 interface is enabled), use Layer 2 interfaces at both ends of an interlink. If each of the two gateways directly connects to the same LAN switch using a Layer 2 link, a VLAN ID needs to be specified so that the gateways can communicate with each other through the corresponding VLANIF interfaces.
  Data Plan Required or Not: -
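The VLAN ID limits listed above for the inter-CPE link are easy to get wrong when a plan spans several ranges. As an added example (not iMaster NCE-Campus code), the following Python function checks a planned set of VLAN ranges against those limits before the template is created. It assumes that a range (start, end) contributes end - start + 1 VLAN IDs, that ranges must not overlap, and that vpn_count is the number of VPNs the interlink has to isolate; these assumptions are the example's own, not statements from the guide.

```python
"""Check the VLAN ID ranges planned for the inter-CPE link of a dual-gateway
WAN link template against the limits stated for the VLAN ID parameter.
Added example, not iMaster NCE-Campus code. Assumptions: a range (start, end)
contributes end - start + 1 VLAN IDs, and ranges must not overlap."""
from typing import List, Tuple

START_MIN, START_MAX = 1, 4086      # allowed start VLAN ID
END_MIN, END_MAX = 9, 4094          # allowed end VLAN ID
SPAN_MIN, SPAN_MAX = 8, 300         # allowed end - start
MAX_RANGES = 16                     # at most 16 VLAN ranges
MAX_TOTAL_VLANS = 301               # total VLANs across all ranges


def validate_vlan_ranges(ranges: List[Tuple[int, int]], vpn_count: int = 0) -> List[str]:
    """Return the list of violations; an empty list means the plan is acceptable.
    vpn_count (assumption) is the number of VPNs that need one VLAN each."""
    problems: List[str] = []
    if len(ranges) > MAX_RANGES:
        problems.append(f"{len(ranges)} ranges configured, at most {MAX_RANGES} allowed")
    total = 0
    for i, (start, end) in enumerate(ranges, 1):
        if not START_MIN <= start <= START_MAX:
            problems.append(f"range {i}: start {start} not in {START_MIN}-{START_MAX}")
        if not END_MIN <= end <= END_MAX:
            problems.append(f"range {i}: end {end} not in {END_MIN}-{END_MAX}")
        span = end - start
        if not SPAN_MIN <= span <= SPAN_MAX:
            problems.append(f"range {i}: end - start is {span}, must be {SPAN_MIN}-{SPAN_MAX}")
        total += end - start + 1
    # Overlapping ranges would assign the same VLAN to two VPNs (assumed disallowed).
    ordered = sorted(ranges)
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            problems.append(f"ranges {s1}-{e1} and {s2}-{e2} overlap")
    if total > MAX_TOTAL_VLANS:
        problems.append(f"{total} VLANs in total, at most {MAX_TOTAL_VLANS} allowed")
    if vpn_count and total <= vpn_count:
        problems.append(f"{total} VLAN IDs for {vpn_count} VPNs; the VLAN count must be greater")
    return problems


if __name__ == "__main__":
    # Constructed plan: one range of 21 VLANs for 10 VPNs is acceptable.
    print(validate_vlan_ranges([(100, 120)], vpn_count=10))
    # Constructed plan: a 6-VLAN range violates the minimum span of 8.
    print(validate_vlan_ranges([(100, 105)]))
```

Run the function on the planned ranges before entering them in the template; each returned string names the range and the limit it violates, so a plan with an empty result can be entered as-is.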

Customizing Policy Template

Context

To simplify configurations and unify management, iMaster NCE-Campus adds the following parameter sets into a template. When configuring related services, you can import a template and bind parameters in this template to the configuration object.

ACL Template

Fundamentals

ACLs are mainly applied to QoS, route filtering, and user access.

  • Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
  • Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.
  • Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.
Application Scenarios

An ACL policy defines rules based on information about IPv4 or IPv6 packets to implement packet filtering. Such information includes source IP addresses, destination IP addresses, IP protocol types, TCP source/destination port numbers, and UDP source/destination port numbers. Advanced ACL templates are applicable to overlay ACL and underlay ACL policies.

Procedure
  1. , and choose ACL from the navigation pane.
  2. Click Create, click the IPv4 or IPv6 tab, set parameters, and click OK.

    • When you create an advanced IPv4 ACL template, the source and destination IP addresses in the rule list can be configured in the format of an IP address with a mask or an IP address with a wildcard mask.
    • ACL rules with IP addresses and wildcard masks are applicable only to switches.
  3. Export or import ACL templates in batches.
    • Export ACL templates.
      1. Click the IPv4 or IPv6 tab and select the name of the template to be exported.
      2. Click Export to export the selected templates and view ACL rules.
    • Import ACL templates.
      • Download a template and import ACL configurations.
        1. Click the IPv4 or IPv6 tab and click Import.
        2. Click Template.xls to download the configuration template.
        3. Set parameters as needed in the downloaded template. For details about the parameters, see Table 2-87.
        4. Click next to Upload File and select the template saved on the local PC.
        5. Click OK and wait until the upload is complete.
      • Update ACL templates.
        1. Click the IPv4 or IPv6 tab and select the name of the template to be exported.
        2. Click Export to export the selected template and modify ACL rules.
        3. Click next to Upload File and select the template updated on the local PC.
        4. Click OK and wait until the upload is complete.
Parameter Description
Table 2-87 Policy Template (ACL) (columns: Parameter; Description)

Name
  Meaning: Unique identifier of an ACL template.

ACL type
  Value range:
    • User ACL: The ACL number range is from 6000 to 6031.
    • Advanced ACL: The ACL number range is from 3001 to 3999.
  Constraints: When ACL type is set to User, the total number of rules with Address type set to IP/Mask and Address type set to Domain cannot exceed 128. User ACLs are configurable only on the IPv4 tab page. When ACL type is set to Advanced, a maximum of 1024 rules can be configured.

ACL number
  ACL number delivered to the target device.

Rule list
  Click Add, create rules in the ACL template, and click OK.
  Constraints: Devices running V600R022C00 do not support user ACLs.

Rule list parameters (User ACL)

IP/Domain
  IP address or domain name of the packets matching the ACL.

Protocol
  Value range:
    • Any
    • TCP: This protocol is recommended.
    • UDP: This protocol is not secure and is not recommended.

Port
  Meaning: Destination port number of the packets matching the ACL.
  Constraints: This parameter is configurable only when Protocol is set to TCP or UDP.

Rule list parameters (Advanced ACL)

Priority
  Priority of a rule in the ACL template. A smaller value indicates a higher priority.

Action
  Action to take on packets matching the rule.
    • Permit: permits the packets matching the rule.
    • Deny: denies the packets matching the rule.

Protocol
  Value range:
    • Any
    • TCP: This protocol is recommended.
    • UDP: This protocol is not secure and is not recommended.
    • ICMP: It is recommended that ICMP be used to forward control messages between IP hosts and routers.

TCP Flag (configurable only when ACL type is set to IPv4 and Protocol is set to TCP)
  TCP flag of the packets to be matched. You can select one or more options or leave this parameter empty. When the TCP protocol is specified in an advanced ACL, the device filters packets based on the TCP flag.
  A TCP packet has six flag bits:
    • SYN: 000010, the synchronization flag. It is used in the first step of connection establishment.
    • ACK: 010000, the acknowledgement flag. It indicates that the acknowledgement number field contains a valid acknowledgement number.
    • PSH: 001000, the push flag. It indicates that the packet should be passed on to the application layer for processing.
    • FIN: 000001, the finish flag. It indicates that there is no more data from the sender.
    • RST: 000100, the reset flag. It is used to reset the TCP connection.
    • URG: 100000, the urgent flag. It notifies the receiver to process the urgent packets before processing all other packets, identifying a packet that contains data to be processed urgently.
  established: indicates that the ACK (010000) or RST (000100) flag is set to 1. Only packets sent when a TCP connection is up can have either of the two flag bits set to 1. The established flag cannot be selected together with any other flags.

Source IP Address
  Source IP address of the packets matching the rule.

Source Port
  Source port number of the packets matching the rule.

Destination IP Address
  Destination IP address of the packets matching the rule.

Destination Port
  Destination port number of the packets matching the rule.
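To make the advanced ACL parameters and the TCP Flag semantics above concrete, here is an added Python example (not code from iMaster NCE-Campus or the devices) that evaluates a small, constructed advanced-ACL rule set against constructed packets. It uses the six-bit flag values listed above and treats established as "ACK or RST set". The rule and packet layout, the implicit deny default, and the assumption that every selected flag must be set for a multi-flag selection to match are this example's own choices, not documented device behaviour.

```python
"""Evaluate advanced ACL rules of the kind listed in Table 2-87 against sample
packets, including TCP Flag matching and the 'established' option.
Added illustration, not iMaster NCE-Campus code; rule and packet layouts are
constructed for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Six-bit TCP flag field with the bit values given on the page (URG is the MSB).
TCP_FLAGS = {"URG": 0b100000, "ACK": 0b010000, "PSH": 0b001000,
             "RST": 0b000100, "SYN": 0b000010, "FIN": 0b000001}
ESTABLISHED_MASK = TCP_FLAGS["ACK"] | TCP_FLAGS["RST"]  # established: ACK or RST set


def flag_selection_error(flags: Set[str], protocol: str) -> Optional[str]:
    """Return why a TCP Flag selection is invalid, or None if it is acceptable."""
    if not flags:
        return None
    if protocol != "tcp":
        return "TCP Flag is configurable only when Protocol is set to TCP"
    if "established" in flags and len(flags) > 1:
        return "established cannot be selected together with any other flag"
    return None


@dataclass
class Rule:
    priority: int                   # smaller value = higher priority
    action: str                     # "permit" or "deny"
    protocol: str = "any"           # any, tcp, udp, icmp
    src: str = "0.0.0.0/0"          # source prefix
    dst: str = "0.0.0.0/0"          # destination prefix
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Set[str] = field(default_factory=set)  # e.g. {"SYN"} or {"established"}

    def __post_init__(self) -> None:
        err = flag_selection_error(self.tcp_flags, self.protocol)
        if err:
            raise ValueError(err)


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: int = 0              # six-bit field, e.g. TCP_FLAGS["SYN"]


def flags_match(selected: Set[str], pkt_flags: int) -> bool:
    """Assumption: when several flags are selected, all of them must be set."""
    if not selected:
        return True
    if "established" in selected:
        return bool(pkt_flags & ESTABLISHED_MASK)
    want = 0
    for name in selected:
        want |= TCP_FLAGS[name]
    return pkt_flags & want == want


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.protocol == "any" or rule.protocol == pkt.protocol)
            and ip_address(pkt.src) in ip_network(rule.src, strict=False)
            and ip_address(pkt.dst) in ip_network(rule.dst, strict=False)
            and (rule.src_port is None or rule.src_port == pkt.src_port)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and flags_match(rule.tcp_flags, pkt.tcp_flags))


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """The first matching rule in priority order decides; the implicit default
    action is an assumption of this example, not documented behaviour."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action
    return default


def sample_rules():
    """Constructed rule set: permit established sessions to 10.0.0.0/24:443,
    deny new TCP connections (SYN) to 10.0.0.0/24, permit everything else."""
    return [
        Rule(5, "permit", "tcp", dst="10.0.0.0/24", dst_port=443, tcp_flags={"established"}),
        Rule(10, "deny", "tcp", dst="10.0.0.0/24", tcp_flags={"SYN"}),
        Rule(20, "permit"),
    ]


def evaluate_sample(protocol, src, dst, dst_port=None, tcp_flags=0) -> str:
    """Classify one constructed packet with the sample rule set."""
    return evaluate(sample_rules(), Packet(protocol, src, dst, None, dst_port, tcp_flags))
```

With the sample rules, a packet to 10.0.0.5:443 carrying ACK is permitted by the established rule, a bare SYN to the same host is denied by the lower-priority SYN rule, and UDP traffic falls through to the catch-all permit. The ordering matters: because rule priorities are sorted ascending, the established rule is consulted before the SYN rule, which is what lets SYN+ACK replies through while blocking new inbound connections.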

Create a WAN RADIUS policy template

Context

To use a RADIUS server to authenticate access users, you need to configure interconnection between iMaster NCE-Campus and the RADIUS server.

Procedure
  1. Choose Design > Network Design > Template Management and click the Policy Template tab.
  2. Choose WAN RADIUS Server from the navigation pane and click Create. On the Create RADIUS Server page, set the IP address and port number of the primary authentication server. You are advised to set the IP address and port number of the secondary authentication server if a secondary server is available. Then, set the IP addresses and port numbers of the primary and secondary accounting servers, and decide whether to enable Include domain name as needed.

  3. Click Set next to Key to configure a key for the RADIUS server, and click OK.

  4. Click OK.

HWTACACS Server Template

Application Scenario

HWTACACS protects a network from unauthorized access and supports command-line authorization. Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and is more suitable for security control.

Procedure
  1. Choose HWTACACS Server from the navigation pane.
  2. Click Create, set parameters, and click OK.

Parameter Description
Table 2-88 Policy Template (HWTACACS server) (columns: Parameter; Description)

Name
  Unique identifier of an HWTACACS server template.

Use the built-in server
  Meaning: Whether to configure iMaster NCE-Campus as an HWTACACS server.
  If this function is enabled, you can configure either the SM or a remote server as the primary or secondary authentication component. The SM is the controller deployed at the headquarters.

Primary authentication server address/Port; Secondary authentication server address/Port
  Meaning: IP addresses and port numbers of the primary and secondary authentication servers.
  Constraints: If only the address and port number of the primary authentication server are configured and those of the primary authorization server are not specified, authenticated users only have the default device permissions, which can be referred to in the corresponding device product documentation.

Primary authorization server address/Port; Secondary authorization server address/Port
  IP addresses and port numbers of the primary and secondary authorization servers.

Primary accounting server address/Port; Secondary accounting server address/Port
  IP addresses and port numbers of the primary and secondary accounting servers.

Include domain names in usernames
  Meaning: Whether to encapsulate domain names in usernames carried in request packets sent by devices to the TACACS server.
    • If this function is enabled, devices encapsulate domain names in usernames when sending packets to a TACACS server. The default domain name is default_admin.
    • If this function is disabled, devices do not encapsulate domain names in usernames when sending packets to a TACACS server.
  Default setting: disabled

Device source IP address
  After the function is enabled, you need to configure a device source IP address on the Provision > Physical Network > Site Configuration > Site Configuration > Switch > Advanced > Device Source IP Address Configuration page.

Key
  Meaning: Shared key of the HWTACACS server.
  Value range: The value is a string of 1 to 16 characters, and can contain letters, digits, and special characters.
  Constraints: The value cannot contain spaces or question marks (?), and cannot consist only of asterisks (*). For security purposes, it is recommended that the key contain at least six characters and at least two of the following types: lowercase letters, uppercase letters, digits, and special characters.

Configuring an SNMP Template

Fundamentals
  • Protocol template: Protocol parameters are configured in templates (for example, SNMP parameter template) so that iMaster NCE-Campus can uniformly configure protocol parameters for multiple devices.
  • Table 2-89 shows the mapping between authentication protocols and HMAC.
    Table 2-89 Mapping between the authentication protocol and HMAC (columns: Authentication Protocol; HMAC)

    SHA2-256: HMAC192SHA256
    SHA2-384: HMAC256SHA384
    SHA2-512: HMAC384SHA512

Feature Requirements
  • Users with the admin permission can delete all protocol templates. Common users can delete the protocol templates created by themselves and the protocol templates whose access modes are public.
  • By default, only SNMPv3 and the corresponding security algorithm are enabled on iMaster NCE-Campus. After the insecure SNMP algorithm is enabled, you can select an insecure algorithm corresponding to SNMPv1, SNMPv2c, or SNMPv3. Insecure SNMP protocols or algorithms have security risks. Exercise caution when using them.
Prerequisites
  • The HMAC corresponding to the required authentication protocol is supported on the device. For example, if the SHA2-256 authentication protocol is required, HMAC192SHA256 is supported on the device.
  • You have obtained the information about NE port number, Authentication, Authentication password, Data encryption, Encryption password, Username, Context and Engine ID from devices.
Application Scenario

This section describes how to configure SNMP parameters for the communication between devices and iMaster NCE-Campus. You can use a template to configure SNMP parameters for multiple devices in a unified manner.

Procedure
  1. Choose from the main menu.
  2. Click Create.
  3. Set SNMP parameters according to Table 2-90.

    Table 2-90 Parameters for creating an SNMP template

    Parameter

    Description

    Template name

    Meaning: Name of an SNMP template, which can be customized.

    NE port number

    Meaning: Port used for communication between devices.

    Value range: 1 to 65535

    SNMP version

    SNMP version.

    Default value: SNMPv3

    Security level

    Security level of SNMP. The default value is With authentication and encryption.

    Authentication

    Meaning: Protocol used for message authentication.

    Value range:

    • SHA-512
    • SHA-384
    • SHA-256

    Authentication password

    The password must meet the following requirements:

    • Contain 8 to 64 characters.
    • Contain at least three of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (for example, space and ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ ` { _ | } ~).

    Data encryption

    Meaning: Encryption protocol used for data encapsulation.

    Value range:

    • AES-256
    • AES-192
    • AES-128

    Encryption password

    The password must meet the following requirements:

    • Contain 8 to 64 characters.
    • Contain at least three of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (for example, space and ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ ` { _ | } ~).

    Username

    Username for accessing the device.

    Context

    Name of the environment engine.

    Engine ID

    Unique ID of the SNMP engine.

    Timeout period (s)

    Meaning: Upper limit of the time that iMaster NCE-Campus takes to perform an SNMP operation on a device. If an operation reaches this limit, iMaster NCE-Campus abandons it.

    Constraints:

    If the quality of the network between iMaster NCE-Campus and the device is low, you can set this parameter to a large value to improve the success rate of SNMP operations.

    Default value: 10

    Polling interval (s)

    Meaning: Interval between two polling operations of SNMP.

    Default value: 1800

    Maximum retry times

    Meaning: Maximum number of times that iMaster NCE-Campus attempts to perform an SNMP operation on a device. If the number of attempts reaches this value, iMaster NCE-Campus abandons the operation.

    Constraints:

    If the quality of the network between iMaster NCE-Campus and the device is low, you can set this parameter to a large value to improve the success rate of SNMP operations.

    Default value: 5

    Access mode

    Whether the SNMP template is private or public.

    Public: indicates that the template can be modified and deleted by all users.

    Private: indicates that the template can be modified and deleted only by the current user and the administrator.

  4. Click OK.
Related Tasks
  • Modify an SNMP template.

    To modify an added SNMP template, click in the Operation column of the SNMP template.

  • Delete an SNMP template.

    To delete an added SNMP template, click in the Operation column of the SNMP template.

  • View the number of devices associated with the SNMP template and device information.

    To view the number of devices associated with an SNMP template and device information, click the value in the Associated Devices column of the SNMP template in the SNMP template list.

  • Enable insecure SNMP configuration items.
    Log in to iMaster NCE-Campus as a system administrator. Choose System > System Management > Configuration Item Management and choose SNMP Configuration to enable insecure SNMP configurations.
    • By default, only the SNMPv3 protocol and corresponding security algorithms are enabled on the iMaster NCE-Campus. After the insecure SNMP algorithm is enabled, you can select an insecure algorithm corresponding to SNMPv1, SNMPv2c, or SNMPv3.
    • Using insecure SNMP protocols or algorithms has security risks. Exercise caution when using them.

Configuring a Parameter Set

You can add variable parameters in a template to a parameter set. In this way, when applying the same template, you can directly use this parameter set, without the need to customize variable parameters repeatedly.

Creating a Parameter Set
  1. Choose and click the Parameter Set Management tab.
  2. Click Create, enter parameter set name, click Add, and set parameter values. Parameter values with Encrypted enabled are not displayed in plaintext.

  3. Click OK.
Importing a Parameter Set
  1. Click Import and enter Parameter set name.
  2. Click template.xls to download a template, set parameters, and save the template to the local host.
  3. Click , select the template file saved on the local host, and click Upload.

  4. Click OK.
Exporting a Parameter Set

Select the parameter set to be exported and click Export. The parameter set is exported to an .xls file.

Deleting Parameter Sets

Click in the Operation column of a user-defined parameter set, or select multiple user-defined parameter sets and click Delete.

Modifying a Parameter Set

Click Edit in the Operation column of a parameter set and modify the parameter set.

Creating an IPsec Template

Context

If IPsec is required to transmit service traffic between SD-WAN site devices and other network devices to enhance security, you can configure IPsec profiles to set up IPsec tunnels.

Devices at SD-WAN sites can set up IPsec tunnels in multiple scenarios, as shown in the following figure:

  • When enterprise branches run IPv6 networks, an SD-WAN branch site and a legacy branch site can set up an IPv6 over IPv4 GRE over IPsec tunnel to communicate with each other.
  • An SD-WAN branch site and a legacy branch site can set up an IPsec tunnel to communicate with each other.
  • An SD-WAN branch site can set up an IPsec tunnel with a VPN gateway on a public cloud.
  • An SD-WAN cloud site can set up IPsec tunnels with VPCs on a public cloud. An SD-WAN offline site can connect to an SD-WAN cloud site through an SD-WAN overlay tunnel and then access applications on the cloud through IPsec tunnels.
Figure 2-16 IPsec tunnel application scenarios

Procedure
  1. Choose from the main menu. Click the WAN Template tab.
  2. Click the WAN IPsec Template tab.
  3. Click Create.

    A maximum of 1024 IPsec templates can be created.

  4. In the Create IPSec Template window that is displayed, set IPsec parameters as needed.

  5. Click OK.
Follow-up Procedure
Table 2-91 Follow-up processing of the IPsec template

Function: Deleting an IPsec template
Operation Scenario and Constraint: An IPsec template that is not bound to any GRE tunnel can be deleted.
Procedure: On the WAN IPsec Template tab page, select the IPsec template to be deleted and click in the Operation column to delete it.

Function: Modifying an IPsec template
Operation Scenario and Constraint: An IPsec template that is not bound to any GRE tunnel can be modified.
Procedure: On the WAN IPsec Template tab page, select the IPsec template to be modified and click in the Operation column to modify it.

Parameter Description
Table 2-92 Parameters on the Create IPSec Template tab page under WAN IPsec Template.

Parameter

Description

Data Plan in Advance

Template name

Name of an IPsec template.

Y

IKE Configuration

IKE version

Version of the IKE protocol. IKEv1 and IKEv2 are available.

NOTE:

IKEv2 is recommended.

Y

Authentication mode

Authentication method used in IKE negotiation. Currently, only pre-shared key (PSK) authentication is available.

Y

PSK

PSK used by IKE negotiation for the authentication. You need to configure the same PSK on the local and remote devices.

Y

Confirm PSK

Confirm the PSK used by IKE negotiation.

-

Authentication algorithm

Authentication algorithm used in IKE negotiation.
  • SHA1: specifies HMAC-SHA1 as the authentication algorithm.
  • SHA2-256: specifies SHA-256 as the authentication algorithm.
  • SHA2-384: specifies SHA-384 as the authentication algorithm.
  • SHA2-512: specifies SHA-512 as the authentication algorithm.
  • SM3: specifies SM3 as the authentication algorithm.
    NOTE:

    The SM3 algorithm is only available for IKEv1.

SHA1 uses a 160-bit key; SHA-256, SHA-384, and SHA-512 use 256-bit, 384-bit, and 512-bit keys, respectively. A larger number of key bits indicates a more secure algorithm but a slower calculation speed.

By default, the SHA2-256 authentication algorithm is used.

You are advised to use an authentication algorithm other than SHA1, because SHA1 is not secure enough.

Y

Exchange mode

Configure the IKEv1 exchange mode:

  • Main mode: separates the key exchange information from the identity authentication information. This separation protects identity information, thereby providing higher security.
  • Aggressive mode: Identity authentication is not performed. This mode applies to specific network environments: if the IP address of the negotiation initiator is unknown or unstable and the two ends expect to set up IKE SAs using the pre-shared key, aggressive mode is used.

-

PRF

Pseudo-random function (PRF) algorithm used by an IKE proposal:

  • AES-XCBC-128: indicates the AES-XCBC-128 authentication algorithm is used.
  • MD5: indicates the MD5 authentication algorithm.
  • SHA1: indicates the SHA1 authentication algorithm.
  • SHA2-256: indicates the SHA2-256 authentication algorithm.
  • SHA2-384: indicates the SHA2-384 authentication algorithm.
  • SHA2-512: indicates the SHA2-512 authentication algorithm.
    NOTE:
    • The PRF parameter needs to be set only when IKEv2 is used.
    • You are advised to use an algorithm other than SHA1 and MD5, because they are not secure enough.

-

Integrity algorithm

Integrity algorithm used in IKE negotiation:

  • AES-XCBC-96
  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512
    NOTE:
    • An integrity algorithm needs to be selected only when IKEv2 is used.
    • You are advised to use an algorithm other than SHA1 and MD5, because they are not secure enough.

-

Encryption algorithm

Encryption algorithm used in IKE negotiation.
  • AES-128: indicates that the IKE proposal uses the AES encryption algorithm with a 128-bit key.
  • AES-192: indicates that the IKE proposal uses the AES encryption algorithm with a 192-bit key.
  • AES-256: indicates that the IKE proposal uses the AES encryption algorithm with a 256-bit key.
  • SM4: SM4 is an encryption algorithm released by the State Encryption Administration of China.

By default, the encryption algorithm is set to AES-256.

NOTE:

The SM4 algorithm is supported only in IKEv1 negotiation.

Y

DH Group

Diffie-Hellman (DH) group used in IKE negotiation.
  • group 1: 768-bit Diffie-Hellman group.
  • group 2: 1024-bit Diffie-Hellman group.
  • group 5: 1536-bit Diffie-Hellman group
  • group 14: 2048-bit Diffie-Hellman group.
  • group 19: 256-bit Elliptic Curve Groups modulo a Prime (ECP) Diffie-Hellman group
  • group 20: 384-bit ECP Diffie-Hellman group.
  • group 21: 521-bit ECP Diffie-Hellman group.
  • group 24: 2048-bit Diffie-Hellman group that includes a 256-bit sub-group is used during IKE negotiation.

Group 1 provides the weakest encryption and Group 14 provides the strongest encryption. A high-security DH group is recommended.

By default, Group 14 is used.

Y

IKE SA duration

IKE SA lifetime. Before the lifetime expires, a new SA is negotiated to replace the old one.

By default, the lifetime of an IKE SA is 86400 seconds.

-

IPsec Configuration

Security protocol

Security protocol used in IPsec:

  • ESP: Encapsulating Security Payload (ESP) protocol
  • AH: Authentication Header (AH) protocol
  • AH-ESP: combination of the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols

Y

ESP authentication algorithm

Authentication algorithm used by the ESP protocol:
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512
  • SM3
    NOTE:
    1. The SM3 algorithm is only available for IKEv1.
    2. If the authentication algorithm is set to SM3 or SHA1, the ESP encryption algorithm must be set to SM4.

By default, ESP uses the SHA2-256 authentication algorithm.

You are advised to use an authentication algorithm other than SHA1, because SHA1 is not secure enough.

Y

ESP encryption algorithm

Encryption algorithm used by the ESP protocol. The options are as follows:
  • AES-128: indicates that ESP uses the AES encryption algorithm with a 128-bit key.
  • AES-192: indicates that ESP uses the AES encryption algorithm with a 192-bit key.
  • AES-256: indicates that ESP uses the AES encryption algorithm with a 256-bit key.
  • SM4: SM4 is an encryption algorithm released by the State Encryption Administration of China.
NOTE:
  1. The SM4 algorithm is supported only in IKEv1 negotiation.
  2. When the ESP encryption algorithm is set to SM4, the ESP authentication algorithm must be set to SHA1 or SM3.

By default, ESP uses the AES-256 encryption algorithm.

Y

AH authentication algorithm

Authentication algorithm used by the AH or AH-ESP protocol:

  • SHA1: SHA1 authentication
  • SHA-256: SHA2-256 authentication
  • SHA-384: SHA2-384 authentication
  • SHA-512: SHA2-512 authentication
  • SM3: SM3 authentication
NOTE:
  • You are advised to use an authentication algorithm other than SHA1, because it is not secure enough.
  • The SM3 algorithm is supported only in IKEv1 negotiation. When the SM3 algorithm is used, the padding mode for RSA signatures cannot be PSS.

-

PFS

Diffie-Hellman group used for perfect forward secrecy (PFS) during IPsec SA negotiation:

  • NONE: The PFS function is not used.
  • group1: 768-bit DH group is used during negotiation.
  • group2: 1024-bit DH group is used during negotiation.
  • group5: 1536-bit DH group is used during negotiation.
  • group14: 2048-bit DH group is used during negotiation.
  • group19: 256-bit ECP DH group is used during negotiation.
  • group20: 384-bit ECP DH group is used during negotiation.
  • group21: 521-bit ECP DH group is used during negotiation.
  • group24: 2048-bit DH group that contains 256-bit sub-groups is used during negotiation.

-

IPsec SA Aging Management

Time-based (s)

Lifetime of an IPsec SA, counted from the time the SA is established.

-

Flow-based (KB)

Maximum amount of traffic allowed over the IPsec SA.

-

DPD

Whether to enable dead peer detection (DPD).

-

Detection mode:

  • Send periodically: If the local end does not receive any packet from the remote peer for a long time, it sends DPD packets at intervals to check whether the remote peer is available.
  • Send if necessary: If the local end does not receive any packet from the remote peer within the specified period, it sends DPD packets to check whether the remote peer is available.

-

Detection interval (s): specifies the interval at which DPD packets are sent.

The default interval at which DPD packets are sent is 30 seconds.

-

Retransmission interval (s): specifies the interval for retransmitting DPD packets.

By default, the interval for retransmitting DPD packets is 15 seconds.

-

Configuring a Feature Template

Overview

You can configure feature templates applicable to different device types as needed and use such templates to deliver configurations to multiple devices in batches, implementing device-level service provisioning.

Context

To deploy WAN features on devices in batches, you need to configure a feature template.

Procedure
  1. Choose from the main menu. Click the Feature Template tab.
  2. Click Create. The Create Feature Template page is displayed.
  3. Configure basic information about the feature template, including Template name and Template description.
  4. In the feature list, click Add a feature. In the dialog box that is displayed, click to expand the feature list, select the features to be configured, and click . The selected features are then displayed in the list on the right. After selecting required features, click OK. The following figure shows how to add SSH to Feature List.

  5. Click OK. The selected features are added to the feature list.

  6. Select a feature. On the Select Parameter page, select the parameters to be set for the selected feature. The parameter values set in the template are used as the default values and cannot be changed when the template is delivered.

  7. Click Next and set the parameters selected in the previous step.

  8. (Optional) To change parameters that need to be set when you configure a feature, click . This operation will clear the parameter values that have been entered.
  9. Click OK to complete the configuration of the feature template.
  10. On the Feature Template page, view the created template.

Related Operations
  • Delivering a template: You can click Deliver to access the Feature page under Batch Deployment and select the devices where the template needs to be delivered. As such, you can configure the features in the template on the target devices in batches.
  • Modifying a template: You can click Edit to access the Modify Feature Template page and modify the template as needed.
  • Viewing a template: You can click View to access the View Packet page and view the delivered packets for configuring features in the template to the target devices.
  • Deleting a template: You can click Delete to delete a template.

Configuring a Physical Interface

When a site gateway connects to a WAN-side device, the interconnection mode of physical interfaces needs to be planned. When a site gateway connects to a LAN-side device and the interface on the LAN-side device works in non-auto-negotiation mode, the gateway's LAN interface used for interconnection needs to work in non-auto-negotiation mode.

An Eth-Trunk interface is a logical interface formed by bundling multiple Ethernet interfaces to increase the link bandwidth and reliability.

To connect a site to a transport network through an Eth-Trunk interface, you need to configure an Eth-Trunk interface for the site. Eth-Trunks can be configured for connections with LAN- and WAN-side devices in multiple VNs of a site. In addition, an Eth-Trunk can be configured to connect dual gateways at a site. Eth-Trunk interfaces can be classified into Layer 2 and Layer 3 Eth-Trunk interfaces. You can configure Layer 2 or Layer 3 Eth-Trunk interfaces based on your network requirements.

Prerequisites

  1. Global parameters have been set for the site. For details, see Setting Global Parameters.
  2. Devices have been added. For details, see Adding Devices.

Procedure (Configuring a Physical Interface)

  1. Choose from the main menu.
  2. Click the Physical Interface tab.
  3. Select a device name from the device list on the left and click Create.
  4. On the Create Interface page, configure an interface as needed. The parameters to be set vary according to the interface type.

    • If a GE combo port on an AR5700&6700&8000 series device is configured to work as an optical port in non-auto-negotiation mode, the non-auto-negotiation configuration as well as the specified port rate will not be delivered to the device.
    • After iMaster NCE-Campus detects that a new board is inserted on an AR6700/AR8000 series device, you can create interfaces on this board after 10 minutes.

  5. Click Confirm.

Procedure (Configuring an Eth-Trunk Interface)

  1. Choose from the main menu.
  2. Click the Physical Interface tab.
  3. Click the Eth-Trunk tab.
  4. Select a device name from the device list on the left and click Create.
  5. Configure an Eth-Trunk interface as needed.

    • When creating an Eth-Trunk interface on a V600 device, you can select only Layer 3 interfaces as physical member interfaces.
    • The AR631I-LTE4EA and AR631I-LTE4CN do not support Eth-Trunk interfaces.

  6. Click OK.

Parameter Description

Table 2-93 Parameters for configuring a physical interface

Parameter

Description

Device

Device name.

Interface type

Type of the LAN or WAN interface to be configured. The value can be L3 or L2.

L2 indicates a Layer 2 interface and L3 indicates a Layer 3 interface. The former runs a data link layer protocol and has only Layer 2 switching capabilities. The latter runs a network layer protocol and has Layer 3 switching capabilities.

For GE, FE, and XGE interfaces, you can select L3 or L2. For other interfaces, L3 is used by default. Only GE, FE, and XGE interfaces can be used as LAN interfaces.

Interface

Type and number of the physical interface. Similar to the device name, the values cannot be modified.

The following types of interfaces are supported:

  • Gigabit Ethernet (GE) interface
  • Fast Ethernet (FE) interface
  • X Gigabit Ethernet (XGE) interface: is a 10GE interface.
  • Long Term Evolution (LTE) interface: is an LTE-capable physical interface that provides wireless WAN access services.
  • xDSL(ATM) interface: is a broadband access interface in asynchronous transfer mode (ATM).
  • xDSL(PTM) interface: is a broadband access interface in packet transfer mode (PTM).
  • E1-IMA (ATM) interface: uses the inverse multiplexing for ATM (IMA) technology to distribute ATM cell streams to multiple E1-IMA links for transmission.
  • IMA-group: is a bundled group of E1-IMA interfaces, which helps increase link bandwidth.
  • Serial: is one of the commonly used WAN interfaces. It can work in synchronous or asynchronous mode.

Physical type

Physical type of an interface. For example, the physical type of a GE interface is Ethernet, and the physical type of an LTE interface is Cellular. After selecting an interface type, you can view its corresponding physical type.

Interface bandwidth (for AR1000Vs only)

Bandwidth of a physical interface. The value ranges from 1 to 1000000, in Mbit/s.

APN (This parameter is configurable only when Interface is set to LTE.)

Enabling the multi-Access Point Name (APN) function of an LTE cellular interface helps provide data and VoIP services.

PVC(VPI/VCI) (This parameter is configurable only when Interface is set to xDSL(ATM), E1-IMA(ATM), or Ima-group.)

Permanent virtual channel (PVC), which is specified by a virtual path identifier (VPI) and virtual channel identifier (VCI).

Negotiation mode (This parameter needs to be set only when Interface is set to GE, FE, or XGE.)

Negotiation mode of the interface. Interfaces at both ends of a link must use the same negotiation mode. If an interface working in auto-negotiation mode frequently alternates between Up and Down, disable auto-negotiation and set the same rate and duplex mode on the interfaces at both ends of the link.

Working mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface working mode. Only combo interfaces support both optical and electrical working modes. You can select either of the two modes based on networking requirements. For interfaces of other types, set this parameter based on their supported working mode.

NOTE:

If an interface cannot work as an optical interface but its working mode is set to the optical mode, the configuration fails to take effect after being delivered to the CPE where the interface is located.

Duplex mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Duplex mode of the interface. Interfaces at both ends of a link must use the same duplex mode.

For optical interfaces, the duplex mode is fixed at the full duplex mode. For electrical interfaces, you can select the full-duplex or half-duplex mode according to the actual situation.

Speed (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface rate. Interfaces at both ends of a link must work at the same rate.

Optical Module Type (This parameter needs to be set only when Interface is set to XGE.)

Type of the optical module. Set this parameter based on the transmission rate requirements. Currently, GE and 10GE types are available. A GE optical module transmits traffic at a rate of 1000 Mbit/s, and a 10GE optical module transmits traffic at a rate of 10,000 Mbit/s. If 10GE is selected, the negotiation mode cannot be configured. The optical modules on the interfaces at both ends of a link must be of the same type.

STP enable (This parameter needs to be set only when Interface type is set to L2.)

Whether to enable STP on the interface.

Trust enable (This parameter is configurable only when Interface is set to GE or XGE.)

Whether to enable priority mapping on packets based on DSCP priorities.

Table 2-94 Parameters for configuring an Eth-Trunk interface

Parameter

Description

Device

Site gateway on which an Eth-Trunk interface is to be created.

Eth-Trunk ID

ID of an Eth-Trunk interface. In the dual-gateway scenario, if the two gateways are connected through two Layer 3 physical links, the system automatically creates the Eth-Trunk 0 interface on each of the two gateways. In this case, you cannot create an Eth-Trunk interface with the ID of 0.

NOTE:

The value range of the Eth-Trunk ID varies depending on the AR model:

  • AR120 and AR160 series: 1 to 3
  • AR1200 series, AR2201-48FE, AR2204-27GE, AR2204-27GE-P, AR2204-51GE-P, AR2204-51GE, AR2204-51GE-R, AR2204E, AR2204E-D, and AR2202-48FE: 1 to 7
  • AR2204, AR2220E, AR1610-X6, AR651-X8, AR651W-X4: 1 to 14
  • AR2220, AR2240C, AR2240, AR6140 series, AR3200 series, and AR3600 series: 1 to 63
  • AR6300 series and AR6280 series: 1 to 31
  • AR6120 series, AR651, AR651C, AR651W, AR657, AR657W, AR651U-A4, and AR651F-Lite: 1 to 7
  • SRG1300: 1 to 7
  • AR5700 series: 1 to 7
  • AR6700 series: 1 to 15
  • AR8000 series: 1 to 63

Eth-Trunk type

Whether the Eth-Trunk interface works in Layer 2 or Layer 3 mode.

Eth-Trunk mode

Working mode of the Eth-Trunk interface.

  • Load-balance: indicates that the Eth-Trunk interface works in manual load balancing mode. If one of the devices at both ends of an Eth-Trunk does not support LACP, you can configure the Eth-Trunk interface to work in manual load balancing mode. In addition, you can add multiple member interfaces to increase the bandwidth and improve the reliability of the Eth-Trunk. In this mode, traffic is load balanced among all Eth-Trunk member links.
  • LACP-static: indicates that the Eth-Trunk interface works in static LACP mode. If two devices that are directly connected by an Eth-Trunk both support LACP, you can configure the Eth-Trunk interfaces to work in static LACP mode. Eth-Trunk interfaces working in static LACP mode exchange LACPDUs to determine member links for load balancing.
NOTE:
  • AR5700/AR6700/AR8000 series devices do not support this parameter. Eth-Trunk interfaces on these devices work in manual load balancing mode by default.
  • To ensure that an Eth-Trunk interface works properly, the working modes of the Eth-Trunk interfaces at both ends must be the same.
  • The static LACP mode is supported only in V300R022C00 and later versions.

LACP preemption (This parameter is configurable only when Eth-Trunk mode is set to LACP-static.)

Whether to enable LACP preemption for the Eth-Trunk in static LACP mode. After LACP preemption is enabled, the interfaces with higher priorities are preferentially selected as active interfaces. Each Eth-Trunk interface can contain a maximum of eight member interfaces and can contain up to eight active interfaces by default. As such, all member interfaces on the Actor are selected as active interfaces.

After an Eth-Trunk in static LACP mode is established, the end with a higher system priority is selected as the Actor. After the Actor is determined, both ends select active interfaces based on the interface priorities on the Actor. If the devices on both ends of an Eth-Trunk are not configured with system priorities, the devices use the default system priority (32768). In this case, the Actor is selected according to the system MAC address. That is, the device with the smaller system MAC address becomes the Actor.

NOTE:

To ensure that an Eth-Trunk works properly, enable or disable LACP preemption on both ends of the Eth-Trunk.

LACP timeout interval (This parameter is configurable only when Eth-Trunk mode is set to LACP-static.)

Timeout period for the Eth-Trunk interface in LACP mode to receive LACPDUs.

  • Slow: indicates that the timeout period for an Eth-Trunk in static LACP mode to receive LACPDUs is 90 seconds. If Slow is selected, the remote device sends an LACPDU every 30 seconds. In this mode, the local device responds to LACPDUs from the remote device slowly but consumes fewer system resources compared with the situation where the fast mode is configured. The timeout period on the two ends can be different. To facilitate maintenance, you are advised to set the same timeout period at both ends.
  • Fast: indicates that the timeout period for an Eth-Trunk interface in static LACP mode to receive LACPDUs is 3 seconds. If Fast is selected, the remote device sends an LACPDU every second. In this mode, the local device responds to the LACPDUs from the remote device rapidly but consumes more system resources compared with the situation where the slow mode is configured.

User-defined interval (This parameter needs to be set only when LACP timeout interval is set to Fast.)

Timeout period for an Eth-Trunk interface to receive LACPDUs when Fast is selected. The value is an integer from 3 to 90, in seconds. The default value is 3.

Physical interface

Member interface of the Eth-Trunk interface. A maximum of eight member interfaces can be added.

NOTE:
  • The physical member interfaces of an Eth-Trunk interface must be of the same type. For example, an Eth-Trunk cannot contain both GE and XGE member interfaces.
  • For devices running V300, only physical interfaces of the same type as Eth-Trunk type can be configured as member interfaces. For example, if Eth-Trunk type is L2, only L2 physical interfaces can be configured as member interfaces.
  • For devices running V600, only L3 physical interfaces can be configured as member interfaces. That is, no matter whether Eth-Trunk type is L2 or L3, the Eth-Trunk member interfaces can only be L3 interfaces.

Configuring ZTP

Context

WAN-side physical links must be configured before site deployment. ZTP does not need to be configured when sites are deployed through the registration query center or when cloud sites are deployed; in these scenarios, you can skip this section. ZTP needs to be configured in all other deployment scenarios.

After a site completes the ZTP process or is activated successfully, you can add, delete, and modify WAN links as needed.

Prerequisites

  1. A site has been created. For details, see Creating a Site.
  2. Global site parameters have been set. For details, see Setting Global Parameters.
  3. (Optional) If IPv6 addresses need to be configured for WAN links, ensure that you have performed the following operations to configure the IPv6 address of the management plane:
    1. Log in to the management plane.
    2. Choose Product > Software Management > Deploy Product Software from the main menu and choose More > Modify Configurations. Set FILE_SERVER_IPV6 and SOUTH_ADDRESS_IPV6(SOUTH_ADDRESS_IPV6). The two parameters specify the file server IPv6 address and southbound IPv6 address, respectively.

    3. Choose Maintenance > Operation and Maintenance Management > Panoramic Monitoring from the main menu, choose Service Monitoring from the navigation pane, and click the Processes tab. On the page that is displayed, search for SDWANCfgService in the process list, select SDWANCfgService processes of all microservices, click Stop, and then click Start.

    4. Check the Status column of the SDWANCfgService processes in the process list. Ensure that the processes are in the running state.

Procedure

  1. Choose from the main menu. Click the ZTP tab to access the ZTP configuration page.
  2. Select a site to be deployed in ZTP mode and click Click to Deploy in the Physical Site area.

    1. Select Unconfigured from the Site List drop-down list.
    2. Click the site to be configured.
    3. Click Click to Deploy.

  3. Determine the deployment mode based on the deployment scenario and device model. For details, see Table 2-102.
  4. Configure ZTP for the site.

    1. Select the ZTP mode.
      • URL/U Disk: Select this mode if USB-based, email-based, or manual deployment is required.
      • DHCP Option: Select this mode if DHCP option-based deployment is required.
    2. Choose whether to enable Multiple sub-interfaces. After this function is enabled, multiple sub-interfaces can be configured on a device's physical interface. If this function is disabled, only one sub-interface can be configured.
    3. Choose whether to enable RDB-based deployment. By default, RDB-based deployment is disabled. Once enabled, this function cannot be disabled again.

      After RDB-based deployment is enabled, the WAN link for URL-based deployment can be modified and deleted online. After the WAN link configuration is updated, the system delivers the updates to the target device. The device does not need to be deployed again.

      Determine whether to enable RDB-based deployment based on the deployment mode and device model. For details, see Table 2-95.

      Table 2-95 Mapping between device models and functions

      | Function/Device Model | AR600&6100&6200&6300&SRG series | AR1000V | AR5700&6700&8000 series |
      |---|---|---|---|
      | RDB-based deployment | This function is disabled in USB-based deployment and manual deployment scenarios and is optional in the email-based deployment scenario. | This function is disabled in manual deployment scenarios. | This function is enabled by default and is not displayed on the GUI. |

  5. Configure WAN links for devices.

    1. Click Select Template. On the Select WAN Link Template page, select a WAN link template and click OK.

      If the existing template does not meet your requirements, click Create to create a WAN link.

      A maximum of two ARs can be deployed as gateways. Otherwise, ZTP will fail.

    2. If Gateway is set to Dual Gateways, set parameters for Device1 and Device2, respectively.
    3. Select the link to be configured, and click in the Operation column.
    4. On the Set WAN Link tab page, set WAN link parameters.

      When configuring links for devices, you are advised to use wired WAN links to register devices with the controller.

      Pay attention to the following points when configuring interfaces:

      • WAN link interfaces must be different from LAN interfaces used for user services. Otherwise, the deployment fails.
      • To configure an LTE interface for a WAN link on an AR5700&6700&8000 series device, configure an LTE sub-interface.
      • Different interface types support different deployment modes. For details, see Table 2-96.
        Table 2-96 Device interface types and their supported deployment modes

        | Deployment Mode/Interface Type | Loopback Interface | Eth-Trunk Interface |
        |---|---|---|
        | Email-based deployment | Not supported | Not supported |
        | USB-based deployment | Not supported | Not supported |
        | DHCP-based deployment | Not supported | Not supported |
        | Manual deployment | Supported | Supported |

        When a site is activated for the first time, iMaster NCE-Campus cannot deliver the Eth-Trunk interface configuration of WAN links to devices at the site. You need to manually configure Eth-Trunk interfaces on the devices and then configure the interfaces in the same way on iMaster NCE-Campus. If you need to configure new Eth-Trunk interfaces for WAN link expansion at the activated site, you only need to configure the interfaces on iMaster NCE-Campus which will then deliver the configuration to the target devices.

    5. (Optional) If the selected interface cannot meet your requirements, click next to Interface to access the physical interface configuration page and configure an interface. For details, see Configuring a Physical Interface.

    6. Enable IPv4 or IPv6 based on the site's network plan and set related parameters. IPv4 and IPv6 can be enabled at the same time.
      • If the WAN is an IPv4 network, IPv4 must be enabled.
      • If the WAN is an IPv6 network, IPv6 must be enabled.

    7. Set Uplink bandwidth and Downlink bandwidth of the device. The values must be the same as the actual bandwidths of the device. Otherwise, the bandwidth usage will be abnormal.

    8. Set Link ID. You can plan a unique ID for each link in an SD-WAN network. This helps you query link information by ID during maintenance.
    9. Click OK to complete the WAN link configuration. Check whether the configuration status of the device is Configured.

  6. (Mandatory in dual-gateway scenarios) Configure interlinks connecting dual gateways at a site.

    VLAN ID: The number of VLAN IDs must be greater than that of departments. A maximum of 16 VLAN ranges can be configured, and the total number of VLANs cannot exceed 301. After the deployment is completed, you can change the VLAN ID.

    MTU: It is recommended that the MTU value for Layer 3 sub-interfaces and Eth-Trunk sub-interfaces of physical interfaces that directly connect the dual gateways be less than or equal to 8996, and the MTU value for Layer 2 VLANIF interfaces that connect the dual gateways be less than or equal to 1600.

    MSS: It is recommended that the MSS value for Layer 3 sub-interfaces and Eth-Trunk sub-interfaces of physical interfaces that directly connect the dual gateways be less than or equal to 2048, and the MSS value for Layer 2 VLANIF interfaces that connect the dual gateways be less than or equal to 1560.

    Device 1 Interface and Device 2 Interface must be the physical interfaces of the interlink connecting dual gateways. If two interlinks are required, the types of the two interlink interfaces on the same device must be the same. The types of the interfaces on both ends of an interlink must be the same.

  7. Click OK. The ZTP configuration is completed.
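The constraints this procedure states (gateway count, link roles, interlink VLAN, MTU and MSS limits, interface types per deployment mode), together with the NAT traversal, IPsec and CHAP points from the parameter descriptions below, can be checked offline before a plan is typed into the GUI; the Python below is an added example, not code from the guide or from iMaster NCE-Campus. All data-class fields, the model-prefix mapping for the AR5700&6700&8000 series, and the sample plan are constructed for illustration.

```python
"""Offline pre-check of a planned SD-WAN site against the ZTP constraints in this guide.
Added example, not Huawei code; field names, flags and the sample plan are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_GATEWAYS, MAX_URL_LINKS_PER_DEVICE = 2, 3        # ZTP fails with more than two ARs
MAX_INTERLINK_VLAN_RANGES, MAX_INTERLINK_VLANS = 16, 301
MTU_MAX = {"L3": 8996, "VLANIF": 1600}              # recommended interlink MTU limits
MSS_MAX = {"L3": 2048, "VLANIF": 1560}              # recommended interlink MSS limits
MANUAL_ONLY_IFACES = {"LoopBack", "Eth-Trunk"}      # Table 2-96: manual deployment only
V600_PREFIXES = ("AR57", "AR67", "AR8")             # assumed prefixes of AR5700&6700&8000

@dataclass
class WanLink:
    name: str
    device: str
    iface: str                      # physical interface name, e.g. "GE0/0/1"
    iface_type: str                 # "GE", "XGE", "LTE", "LoopBack", "Eth-Trunk", ...
    role: str = "Active"            # "Active" or "Standby"
    sub_interface: int | None = None
    url_deployment: bool = False    # URL-based deployment enabled on this link
    nat_traversal: bool = False
    auth_type: str | None = None    # "CHAP" or "PAP" for PPPoE/PPPoA/PPPoEoA/LTE links

@dataclass
class Interlink:
    kind: str                       # "L3" sub-interface or Layer 2 "VLANIF"
    vlan_ranges: list[tuple[int, int]]
    mtu: int
    mss: int

@dataclass
class SitePlan:
    gateways: dict[str, str]        # device name -> model series, e.g. {"CPE1": "AR6100"}
    deployment: str                 # "email", "usb", "manual" (URL/U Disk) or "dhcp"
    links: list[WanLink]
    lan_ifaces: dict[str, set[str]] = field(default_factory=dict)
    departments: int = 0
    interlink: Interlink | None = None
    ipsec_enabled: bool = False     # IPsec enabled for the transport network (global)

def check_site_plan(plan: SitePlan) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors break ZTP or delivery, warnings are advice."""
    errors, warnings = [], []
    dual = len(plan.gateways) == 2
    if len(plan.gateways) > MAX_GATEWAYS:
        errors.append(f"{len(plan.gateways)} gateways; at most {MAX_GATEWAYS} ARs allowed")
    if (dual or len(plan.links) > 1) and not any(l.role == "Active" for l in plan.links):
        errors.append("at least one Active link is required")
    url_links: dict[str, int] = {}
    for l in plan.links:
        model = plan.gateways.get(l.device, "")
        if l.iface in plan.lan_ifaces.get(l.device, set()):
            errors.append(f"{l.name}: {l.iface} is also a LAN interface on {l.device}")
        if l.iface_type in MANUAL_ONLY_IFACES and plan.deployment != "manual":
            errors.append(f"{l.name}: {l.iface_type} is supported by manual deployment only")
        if l.iface_type == "LTE" and l.sub_interface is None and model.startswith(V600_PREFIXES):
            errors.append(f"{l.name}: LTE on {model} needs an LTE sub-interface")
        if l.url_deployment:
            url_links[l.device] = url_links.get(l.device, 0) + 1
        if l.nat_traversal and not plan.ipsec_enabled:
            errors.append(f"{l.name}: NAT traversal requires IPsec on the transport network")
        if l.auth_type == "PAP":
            warnings.append(f"{l.name}: PAP selected; CHAP is recommended")
    for dev, n in url_links.items():
        if n > MAX_URL_LINKS_PER_DEVICE:
            errors.append(f"{dev}: {n} URL-based links; at most {MAX_URL_LINKS_PER_DEVICE}")
    if plan.deployment != "dhcp" and not dual and not url_links:
        errors.append("single-gateway URL site needs at least one URL-based link")
    if dual and plan.interlink is None:
        errors.append("dual-gateway site needs an interlink between the gateways")
    elif dual:
        il = plan.interlink
        total = sum(last - first + 1 for first, last in il.vlan_ranges)
        if len(il.vlan_ranges) > MAX_INTERLINK_VLAN_RANGES or total > MAX_INTERLINK_VLANS:
            errors.append("interlink: at most 16 VLAN ranges and 301 VLANs in total")
        if total <= plan.departments:
            errors.append("interlink: VLAN count must exceed the number of departments")
        if il.mtu > MTU_MAX[il.kind] or il.mss > MSS_MAX[il.kind]:
            warnings.append(f"interlink {il.kind}: MTU <= {MTU_MAX[il.kind]}, MSS <= {MSS_MAX[il.kind]} recommended")
    return errors, warnings

def sample_plan() -> SitePlan:
    """Constructed dual-gateway plan carrying two deliberate mistakes."""
    return SitePlan(
        gateways={"CPE1": "AR6100", "CPE2": "AR6100"}, deployment="email",
        links=[WanLink("Internet", "CPE1", "GE0/0/1", "GE", url_deployment=True,
                       nat_traversal=True),
               WanLink("MPLS", "CPE2", "GE0/0/1", "GE", url_deployment=True),
               WanLink("LTE-escape", "CPE2", "Cellular0/0/0", "LTE", role="Standby",
                       sub_interface=1, auth_type="PAP")],
        lan_ifaces={"CPE1": {"GE0/0/1"}},   # mistake 1: GE0/0/1 is both WAN and LAN
        departments=10,
        interlink=Interlink("L3", [(100, 120)], mtu=9000, mss=2048),
        ipsec_enabled=False)                # mistake 2: NAT traversal without IPsec

if __name__ == "__main__":
    errs, warns = check_site_plan(sample_plan())
    print("\n".join([f"ERROR: {e}" for e in errs] + [f"WARN:  {w}" for w in warns]))
```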

Follow-up Procedure

After the site configuration is completed, Table 2-97 describes the possible site states, and Table 2-98 describes the follow-up procedures after sites are activated.

Table 2-97 Site status

| Site Status | Description |
|---|---|
| Configuration status (icon: not configured / configured) | Whether WAN links of the site have been configured. |
| Activation status (icon: not activated / activated) | Whether a deployment email has been sent to the gateway at the site or the ZTP file of the gateway has been downloaded. |

Table 2-98 Follow-up procedures after a site is activated (columns: Function, Operation Scenario and Constraint, Procedure; each function below is followed by its scenario and constraints, then its procedure)

Adding a WAN link

After a site is activated, you can add WAN links to the site.

  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site for which you want to add a WAN link. The WAN link configuration page is then displayed.
  2. Click Create and set WAN link parameters.
  3. Click OK.

Deleting a WAN link

After a site is activated, you can delete WAN links of the site as needed.

NOTE:
  • The WAN link used by a service (such as underlay routing, NTP, underlay ACL, Internet access, or site-to-site access) cannot be deleted.
  • If a WAN link is used by an NTP client that is manually configured, verification is required and the WAN link cannot be deleted. If a WAN link is not used by the NTP client, you can delete this WAN link and need to clear the NTP client configuration automatically generated when the WAN link is configured.
  • Adding or deleting WAN links at a site may cause ARs to be disconnected from the controller. If the link for URL-based deployment at a site is deleted, the site needs to be re-deployed. If an Eth-Trunk is deleted, you need to manually delete the Eth-Trunk configurations from the related devices. Otherwise, a configuration conflict may occur.
  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site from which you want to delete a WAN link. The WAN link configuration page is then displayed.
  2. Select the link to be deleted and click Delete. In the displayed Warning dialog box, click OK.

Modifying a WAN link

After a site is activated, you can modify the WAN link that has been configured at the site, for example, changing the IP address of the WAN link interface.

NOTE:
  • Only GE, FE, XGE, and LTE interfaces and their sub-interfaces can be modified.
  • The enabling status of the IPv4 or IPv6 protocol cannot be modified. For example, if the IPv6 protocol has been enabled, it cannot be disabled.
  • Changing the interface IP address of the link used for deployment on a device will disconnect the device for a period of time.
  • For AR1000V and AR600&6100&6200&6300&SRG series devices, only V300R022C00 and later versions support WAN link modification.
  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site where a WAN link needs to be modified. The WAN link configuration page is then displayed.
  2. Select the link to be modified and click in the Operation column. In the Set WAN Link dialog box that is displayed, modify the parameters that are not dimmed. For example, you can modify the IP address of the WAN link interface.
  3. To modify the deployment link of an AR1000V or AR600&6100&6200&6300&SRG series device, click OK or Update Deployment Configuration after the modification is completed.
    • If you click OK: After the configurations are modified on iMaster NCE-Campus, the modified configurations, excluding those related to URL-based deployment, are synchronized to the device.
    • If you click Update Deployment Configuration: After the configurations are modified on iMaster NCE-Campus, the modified configurations are synchronized to the device.

    To modify configurations of other devices or links not used for deployment, click OK.

    NOTE:

    After modifying network interconnection parameters of a device link used for URL-based deployment, click Update Deployment Configuration or deploy the device again for the modified configuration to take effect.

Changing the link used by a device for controller registration

You can change the link used by a device for controller registration if the device has multiple WAN links, if the quality of the current link used for controller registration is poor, or if a new link needs to be selected for controller registration.

NOTE:
  • Changing the link used by a device for controller registration may disconnect the device for a period of time.
  • Only ARs running V300R019C13 and later versions support this function.
  • If the link switchover fails, you can view the failure cause in the registration link switchover area.
  1. Choose from the main menu and click the ZTP tab. In the left pane, select the site where a WAN link switchover is required. The WAN link configuration page is then displayed.
  2. Select the current registration link and click Switch. In the dialog box that is displayed, select a new link and click OK.

Clearing WAN configurations

After clearing WAN configurations of a site, you can delete this site and restore devices at this site to the undeployed state. This function is not applicable to a site that has been connected to an RR, added to a VN, or configured with a policy.

  1. Choose from the main menu and click the ZTP tab.
  2. Select a deployed site and click Clear WAN Configurations. After the site's WAN configurations are cleared, you can delete the site or deploy it again.

Parameter Description

Table 2-99 Parameters of configuring sites and devices (columns: Parameter, Description, Data Plan Required or Not; each parameter below is followed by its description and whether a data plan is required)

ZTP Mode

URL-, USB-, and DHCP option-based deployment modes are supported. The system selects an orchestration scheme based on the deployment mode. The options are as follows:
  • URL-/USB-based deployment: iMaster NCE-Campus generates a deployment file that contains IP address and VPN information about WAN interfaces and sends this file to the CPE to be deployed. After the CPE registers with iMaster NCE-Campus successfully, iMaster NCE-Campus automatically delivers information such as the device IP address and interface rate to the CPE.
  • DHCP option-based deployment: No deployment files are generated in this mode. After a CPE registers with iMaster NCE-Campus successfully, iMaster NCE-Campus delivers IP address and VPN configurations for WAN interfaces to the CPE.

Data plan required: Y

Multiple sub-interfaces

Whether a single physical interface can be configured with multiple sub-interfaces.

Data plan required: Y

RDB-based deployment (This parameter is configurable when an AR600&6100&6200&6300&SRG series or AR1000V device is to be deployed.)

For an AR1000V or AR600&6100&6200&6300&SRG series device, the configurations delivered by iMaster NCE-Campus are stored as RDB files. For non-V600 devices, RDB-based URL deployment can be enabled only for links with GE, FE, or XGE physical interfaces.

For a device running V300R022C00 or a later version:

  • If RDB-based deployment is disabled for URL-based deployment, after the deployment, WAN links for URL-based deployment can be modified online, for example, the link's IP address can be changed. However, these WAN links cannot be deleted. (The WAN links can be deleted on the iMaster NCE-Campus GUI, but the deletion operation is not delivered to the corresponding devices.) To delete WAN links for URL-based deployment from devices, you need to re-deploy the devices.
  • If RDB-based deployment is enabled for URL-based deployment, after the deployment, WAN links for URL-based deployment can be modified and deleted online.

For a device running V300R019C13 or a later version and earlier than V300R022C00:

  • If RDB-based deployment is disabled for URL-based deployment, after the deployment, WAN links for URL-based deployment cannot be modified and deleted online. (The WAN links can be deleted on the iMaster NCE-Campus GUI, but the deletion operation is not delivered to the corresponding devices.) To modify and delete WAN links for URL-based deployment on devices, you need to re-deploy the devices.
  • If RDB-based deployment is enabled for URL-based deployment, after the deployment, WAN links for deployment can be modified and deleted online.
NOTE:
  1. RDB-based deployment is not supported when the WAN link for URL-based deployment uses an IPv6 address.
  2. After iMaster NCE-Campus is upgraded from a version earlier than V300R022C00 to V300R022C00, devices deployed in enhanced mode before the upgrade of iMaster NCE-Campus will have RDB-based deployment enabled on the controller.
  3. Before configuring URL-based deployment in RDB mode for a device, the device must be restored to factory settings.

Data plan required: Y

Select Template

Site template used to specify the gateway and WAN link configuration for a site.

Data plan required: -

Link name

Name of a WAN link. If a WAN link is created using the default site template, the link name is Internet or MPLS. If a WAN link is created using a customized site template, the link name is specified when the template is created. This setting cannot be modified after the WAN link configuration is completed.

Data plan required: Y

Transport network

Type of the transport network to which a WAN link belongs. This value cannot be modified when you modify a WAN link. It specifies the WAN-side network to be accessed. The value is specified by Transport network created on the WAN Global Configuration tab page. For details about how to configure transport networks in the WAN global configuration, see Configuring a Transport Network.

Data plan required: Y

Role

Link role.

  • Active: In normal cases, service traffic is transmitted through active links, over which overlay tunnels are set up. Keepalive packets are sent to detect connectivity of overlay tunnels. When there are multiple active links, you can enable the intelligent traffic steering function so that active links are selected to transmit service traffic and the others function as backup links. If the active links fail, service traffic is switched to a backup link, and can be switched back after the active links are recovered.
  • Standby: It is typically used as an escape link, which is an LTE or 5G link in most cases. When active links are functioning properly, tunnels are not set up over standby links and standby links do not participate in intelligent traffic steering. In addition, no data usage is charged on standby links. A standby link has the lowest priority. Only when all active links fail, overlay tunnels are set up over standby links for traffic forwarding, and their connectivity is detected through Keepalive packets. As long as one active link recovers, traffic is switched back to the active link. At least one active link must be configured at a single-gateway site with multiple WAN links and at a dual-gateway site.

Data plan required: -

Alarm for standby links (This parameter can be configured only when Role is set to Standby.)

After this item is toggled on, when a tunnel is established over the standby link and traffic is switched to this tunnel for forwarding, an alarm indicating that the standby link is used is reported.

This item is toggled on by default.

NOTE:
  • This parameter is applicable only to devices running V300R022C00SPC100 and later versions.
  • AR5700&6700&8000 series do not support this parameter.

Data plan required: Y

Device

Gateway to which a WAN link connects. This setting cannot be modified after the WAN link configuration is completed.

Data plan required: Y

Interface

Type and number of the physical interface used by the current link; this setting cannot be modified after the WAN link configuration is completed. The WAN link parameters to be planned vary according to the interface type specified in the site plan. You can select a physical WAN interface or a virtual interface (that is, a loopback interface).

When iMaster NCE-Campus is deployed on the LAN side of a DC, multiple WAN interfaces and one virtual interface can be configured for a site. The site uses physical interfaces to connect iMaster NCE-Campus and other sites and uses the virtual interface to transmit overlay traffic. The physical and virtual interfaces must belong to the same VN instance.

NOTICE:
  1. When configuring a physical interface for a WAN link, ensure that the interface works in Layer 3 mode. If not, switch the interface to work in Layer 3 mode. Otherwise, the configuration fails to be delivered.
  2. If two WAN links are configured, one with a virtual interface and the other with a physical interface, the overlay tunnel function cannot be enabled on the WAN link using the physical interface.
  3. If a loopback interface is configured for a WAN link, the link and application bandwidth usage trends on the overlay network at a site and between sites are displayed as 0. This is because the uplink and downlink bandwidths of the loopback interface cannot be set.
  4. If an Eth-Trunk interface needs to be configured for a WAN link, create this Eth-Trunk interface in advance. For details, see Configuring a Physical Interface.

Data plan required: Y

Sub-interface (This parameter is configurable only when Interface is set to GE, FE, XGE, LTE, xDSL(ATM), xDSL(PTM), E1-IMA(ATM), Ima-group, or Eth-Trunk, or when Interface is set to Serial and Interface protocol is set to FR.)

Whether to use sub-interfaces. Currently, only Dot1q sub-interfaces are supported.

  • When Interface is set to GE, FE, XGE, xDSL(ATM), xDSL(PTM), or Eth-Trunk, configure a Dot1q VLAN sub-interface.
  • When Interface is set to LTE, set Number as required.
  • When Interface is set to E1-IMA(ATM), Ima-group, or when Interface is set to Serial and Interface protocol is set to FR, set a sub-interface number as required. The sub-interface numbers on the local and peer devices must be the same.

Consider the following points when planning sub-interfaces:

  • IPv4 Ethernet or xDSL (PTM) sub-interface: If a VLAN needs to be terminated, select either of the two interfaces.
    • Sub-interface number: You need to plan a number for a sub-interface. The sub-interface name consists of the parent interface name (for example, GE0/0/0) followed by a period and then by the specified sub-interface number. For example, you can create a sub-interface for the WAN interface GE0/0/0 named GE0/0/0.10, where 10 indicates the sub-interface number.
    • Dot1q VLAN: You need to plan a VLAN ID for a sub-interface. If this parameter is specified, a Dot1q sub-interface is created for the parent interface and removes the tag of the specified VLAN. The VLAN ID set for the Dot1q termination sub-interface on the local device must be the same as that set for the peer device.
    NOTE:

    AR5700&6700&8000 series devices support Eth-Trunk sub-interfaces since V600R022C00.

  • LTE sub-interface
    • Sub-interface number: You need to plan a number for a sub-interface. When two sub-interfaces are configured for the LTE interface on an LTE link, the LTE link is divided into two logical links for dialup to access the LTE network. Before creating two sub-interfaces for an LTE interface on a CPE, make sure that the CPE at the site supports dialup through two channels on the LTE interface.
      NOTE:

      To use an LTE interface on the WAN link of an AR5700&6700&8000 series device, you need to create a sub-interface. The sub-interface number ranges from 1 to 4 on AR5700&6700&8000 series devices and ranges from 1 to 2 on devices of other series.

  • xDSL link (ATM), E1-IMA, and IMA group sub-interfaces
    • Sub-interface number: You need to plan a number for a sub-interface.
  • Serial sub-interface using the FR protocol
    • Sub-interface number: You need to plan a number for a sub-interface.
    • Access type: This parameter can be set to P2P or P2MP.
      • If Access type is set to P2P: A P2P sub-interface connects to a single remote device. Only one PVC needs to be configured for a sub-interface, and a unique remote device can be determined without configuring static address mapping.
      • If Access type is set to P2MP: A P2MP sub-interface connects to multiple remote devices. Multiple PVCs can be configured for a sub-interface, and each PVC is mapped to the IP address of a remote device. In this way, different PVCs can connect to different remote devices.

Data plan required: Y

Port description

Interface description. You can centrally plan WAN links of a site and describe the CPE and site to which the interface belongs. The deployment email can contain the interface description so that deployment personnel can determine whether the site they are going to deploy is the planned one based on the interface description.

Data plan required: Y

Number (This parameter is configurable only after Sub-interface is enabled.)

Sub-interface number, which is used to identify a sub-interface. The value is in the range from 1 to 4094.

You need to plan a number for a sub-interface. The sub-interface number is used as the name of the sub-interface.

  • IPv4 Ethernet or xDSL (PTM) sub-interface: You need to plan a number for a sub-interface. The sub-interface name consists of the parent interface name (for example, GE0/0/0) followed by a period and then by the specified sub-interface number. For example, you can create a sub-interface for the WAN interface GE0/0/0 named GE0/0/0.10, where 10 indicates the sub-interface number.
  • LTE sub-interface: You need to plan a number for a sub-interface. When two sub-interfaces are configured for the LTE interface on an LTE link, the LTE link is divided into two logical links for dialup to access the LTE network. To create two sub-interfaces for an LTE interface on a CPE, make sure that the CPE at the site supports dialup through two channels on the LTE interface.
  • xDSL (ATM) link, E1-IMA, or IMA group sub-interface: You need to plan a number for a sub-interface.
  • Serial sub-interface using the FR protocol: You need to plan a number for a sub-interface.

Data plan required: Y

Number (This parameter needs to be set only when Interface is set to LTE and Sub-interface is enabled.)

Number of an LTE cellular interface.

Data plan required: Y

VN instance

Name of the VN instance on the underlay network to which the interface is to be added. The value is a character string starting with underlay_, for example, underlay_1.

Data plan required: Y

PVC(VPI/VCI) (This parameter is configurable only when Interface is set to xDSL(ATM), E1-IMA(ATM), or Ima-group.)

Virtual path identifier (VPI) and virtual channel identifier (VCI) of a PVC, for example, 1/101.

Data plan required: Y

VLAN ID (This parameter is configurable only when Sub-interface is enabled)

VLAN ID of a sub-interface. The value is in the range from 1 to 4094.

If a sub-interface is used as the interface of a deployment link, you need to plan a VLAN ID for the sub-interface. The VLAN ID must be the same as that configured on the interconnected device.

Data plan required: Y

IPv4

Interface protocol (This parameter needs to be set only when Interface is set to GE, FE, XGE, xDSL(PTM), xDSL(ATM), E1-IMA(ATM), Ima-group, Serial, Eth-Trunk, or LoopBack.)

Interface protocol used by the physical interface connecting a CPE to the WAN.

GE, FE, XGE, and xDSL (PTM) interfaces support the following protocols:

  • IPoE
  • PPPoE

xDSL (ATM), E1-IMA (ATM), and Ima-group interfaces support the following protocols:

  • IPoA
  • IPoEoA
  • PPPoA
  • PPPoEoA

Serial interfaces support the following protocols:

  • PPP
  • HDLC
  • FR

Eth-Trunk interfaces support the following protocol:

  • IPoE

Loopback interfaces support the following protocol:

  • IPoE

Data plan required: Y

IP address access mode (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA.)

Mode for assigning an IP address for the interface connecting a CPE to the WAN. The following modes are supported:

  • Static: A static IP address is assigned. This mode is recommended for central sites and aggregation sites.
  • Dynamic: DHCP is used to dynamically allocate IP addresses. This mode is recommended for branch sites.

Data plan required: Y

IPv4 address (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.)

IP address statically assigned to the interface connecting a CPE to the WAN. At a central or an aggregation site, this IP address must be the same as the public IP address. In the NAT scenario, for central, aggregation, RR, and edge sites, this address must be set to the private IP address mapping Public IP.

Data plan required: Y

Subnet mask (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.)

Data plan required: Y

IPv4 gateway (This parameter needs to be set only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static or when Interface protocol is set to IPoA.)

IP address of the interface on a WAN-side PE to communicate with the current site.

Data plan required: Y

IPv4 Public IP address

IP address used by a CPE to connect to the WAN. In the EVPN tunnel mode, this parameter needs to be set only for RR sites.

The public IP address is an external accessible IP address on the current link. An edge site can register with an RR site through this address. In a carrier network scenario, this parameter is allocated by the carrier in a unified manner. On an enterprise network, an enterprise administrator selects IP addresses from the network segment assigned by the carrier as public IP addresses.

In NAT scenarios, this parameter must be set to a public IP address mapped to an address on an external network.

Data plan required: -

Active APN (This parameter is configurable only when Interface is set to LTE.)

Whether to enable the multi-Access Point Name (APN) function of an LTE cellular interface, which is used to implement data and VoIP communication.

Data plan required: Y

User name (This parameter needs to be set only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

Username and password allocated by the carrier to connect to the WAN.

Data plan required: Y

Password (This parameter needs to be set only when Interface is set to LTE or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

Data plan required: Y

Priority

Priority of an APN. The priority value is an integer from 1 to 255. The default value is 100. A larger value indicates a higher priority. In the dual-SIM card scenario, primary and secondary APNs are configured for the same cellular interface or LTE/5G channel interface and associated with different SIM cards. You can set different priorities for the APNs to configure LTE/5G network access through a specific SIM card.

AR5700&6700&8000 series devices do not support this parameter.

Data plan required: Y

Track

Whether to enable APN switching based on NQA probe results. If this function is enabled, the device performs NQA probes on the 3G/LTE/5G network after successful dial-up through the cellular interface or cellular channel interface. If three consecutive probes fail, iMaster NCE-Campus considers the APN unavailable and uses the secondary APN for next dial-up. AR5700&6700&8000 series devices do not support this function.

Data plan required: Y

Destination IP address (This parameter needs to be set only when Track is enabled.)

Destination address of an NQA test instance.

Data plan required: Y

Standby APN (This parameter is configurable only when Interface is set to LTE.)

Parameters of the standby APN, including the APN ID, username, password, priority, and whether to enable the track function. For details about the parameters, see the description of the parameters for configuring the active APN.

You can configure a standby APN only when an active APN has been configured. The standby APN configuration cannot be delivered during email-based deployment. This configuration is automatically delivered to the target device after it goes online. AR5700&6700&8000 series devices do not support the standby APN configuration.

NOTICE:
  • The standby APN function can be configured only for devices with dual SIM cards. When a standby APN is configured for a device with a single SIM card, the SIM card and the APN information do not match. As a result, the LTE interface module on the device is abnormal, causing APN dial-up failures.
  • The standby APN function is available in V300R022C00 and later versions.

Data plan required: Y

Auth type (This parameter needs to be set only when Interface is set to LTE and URL-based deployment is disabled, or Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.)

Authentication mode of the APN information. The options include CHAP and PAP.

NOTE:

CHAP is recommended, because it is more secure than PAP.

Data plan required: Y

Automatic switchback (This parameter is configurable only after Standby APN is configured.)

Whether to enable automatic APN switchback.

After Track is toggled on, when the active APN fails or is unavailable, the standby APN is used for dial-up.

If Automatic switchback is enabled, the device automatically switches back to the active APN after a specified time period. This function is disabled by default.

NOTE:

If a device switches to the standby APN because the active APN is faulty and Automatic switchback is toggled on, the device will switch back to the active APN after the specified time period.

If iMaster NCE-Campus detects that the active APN is still faulty or unavailable when the device switches back to the active APN, the device switches back to the standby APN again. In this case, frequent SIM card switchovers occur, resulting in service interruption.

Therefore, if the active APN cannot recover within a short period of time, you are advised to disable the automatic switchback function or modify the time period after which a switchback occurs.

Y

Time

Period after which an automatic APN switchback occurs. The default value is 60, in minutes. The value ranges from 1 to 65535.

Y

IPv4 Overlay tunnel

Whether to enable the overlay tunnel function. If this function is enabled, an overlay tunnel is created over the WAN link.

-

NAT traversal

Whether to enable NAT traversal on the WAN. If a NAT device is deployed between the site on a private network and the WAN side, enable the NAT traversal function to set up overlay tunnels with other sites and RRs. NAT traversal does not need to be configured for IPv6 WAN links.

After this parameter is enabled, external users can access internal servers and internal users can access external networks in the NAT scenario.

NOTE:

If NAT traversal is enabled, IPsec encryption must be enabled for transport networks in routing domains. For details about how to enable IPsec encryption, see Setting Global Parameters.

Y

URL-based deployment

Whether to enable URL-based deployment for the current link.

  • If this function is enabled, the interface's IPv4 settings are loaded to the target device through URL-based deployment.
  • If this function is disabled, the interface's IPv4 settings are delivered to the target device through NETCONF.
NOTE:
  1. This parameter is configurable only when ZTP Mode is set to URL/U Disk. A device can have URL-based deployment enabled for a maximum of three links.
  2. For a single-gateway site that uses the URL-based deployment mode, enable URL-based deployment for at least one link.

-

Set as southbound device access address (This parameter needs to be set only when URL-based deployment is enabled.)

When configuring a WAN link, you need to set Southbound interface service. If Set as southbound device access address is toggled on, the primary IP address of the specified southbound access service is used as the onboarding IP address in the deployment email.

  • If WAN links are configured with the same southbound access service, you do not need to toggle on this parameter.
  • If WAN links are configured with different southbound access services, you need to toggle on Set as southbound device access address for one link.

-

Southbound interface service

IP address of an iMaster NCE-Campus southbound access service. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has customized and enabled other southbound access services, you can select customized access services for the WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

-

Southbound access priority

Priority of a controller southbound access service. This parameter is configurable after Southbound interface service is set.

  • The priority can be High, Medium, or Low. The default value is Low.
  • For AR5700&6700&8000 series devices, the priority takes effect only for performance channels and is supported in V600R022C00 and later versions.
    NOTE:

    If a device has multiple WAN links, you can configure Southbound access priority for each WAN link. After the device starts, it can select a WAN link based on the priority to register with iMaster NCE-Campus.

    Assume that a device has both Internet and LTE links, and needs to use the Internet link as the active link and the LTE link as the backup link. When configuring ZTP, you can set Southbound access priority of the Internet link to High and that of the LTE link to Medium or Low. As such, the device preferentially selects the Internet link when it attempts to register with iMaster NCE-Campus, and automatically switches to the LTE link for registration if the Internet link is faulty.

Y

IPv6

Interface protocol

Only IPoE is supported when IPv6 is enabled.

Y

IP address access mode

Mode for assigning an IPv6 address to the WAN-side interface. Currently, IPv6 addresses can be configured only for FE, GE, and XGE interfaces using the IPoE protocol, including their sub-interfaces.

  • Static: A static IPv6 address is assigned.
  • Dynamic: DHCP is used to dynamically allocate IPv6 addresses.
  • ND: An IPv6 address is automatically generated through Neighbor Discovery Protocol (NDP).

Y

IPv6 address (This parameter needs to be set only when IP address access mode is set to Static.)

IPv6 address statically assigned to the interface connecting a CPE to the WAN.

NOTE:

IPv6 addresses can be configured only for GE, FE, and XGE interfaces. Device interfaces at RR sites can be configured only with static addresses.

Y

Subnet prefix length (This parameter needs to be set only when IP address access mode is set to Static.)

Prefix length of the IPv6 address.

Y

IPv6 gateway (This parameter needs to be set only when IP address access mode is set to Static.)

Default IPv6 gateway address of the interface.

Y

IPv6 Overlay tunnel

Whether to enable the IPv6 overlay tunnel function. If this function is enabled, an IPv6 overlay tunnel is created over the WAN link.

-

URL-based deployment

Whether to enable URL-based deployment for the current link.

  • If this function is enabled, the interface's IPv6 settings are loaded to the target device through URL-based deployment.
  • If this function is disabled, the interface's IPv6 settings are delivered to the target device through NETCONF.
NOTE:
  1. This parameter is configurable only when ZTP Mode is set to URL/U Disk. A device can have URL-based deployment enabled for a maximum of three links.
  2. For a single-gateway site that uses the URL-based deployment mode, enable URL-based deployment for at least one link.

-

Set as southbound device access address (This parameter needs to be set only when URL-based deployment is enabled.)

When configuring a WAN link, you need to set Southbound interface service. If Set as southbound device access address is toggled on, the primary IP address of the specified southbound access service is used as the onboarding IP address in the deployment email.

  • If WAN links are configured with the same southbound access service, you do not need to toggle on this parameter.
  • If WAN links are configured with different southbound access services, you need to toggle on Set as southbound device access address for one link.

Y

Connected IPv6 southbound address

IPv6 address of an iMaster NCE-Campus southbound access service. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has enabled the IPv6 address of a customized southbound access service, you can select this customized access service for WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

-

Southbound interface service

IP address of an iMaster NCE-Campus southbound access service. By default, WAN links in the predefined site template use the default southbound access service. If the system administrator has customized and enabled other southbound access services, you can select customized access services for the WAN links as needed. The southbound access services applied to WAN links cannot be changed after deployment.

-

Southbound access priority

Priority of a controller southbound access service. This parameter is configurable after Southbound interface service is set.

  • The priority can be High, Medium, or Low. The default value is Low.
  • For AR5700&6700&8000 series devices, the priority takes effect only for performance channels and is supported in V600R022C00 and later versions.
NOTE:

If a device has multiple WAN links, you can configure Southbound access priority for each WAN link. After the device starts, it can select a WAN link based on the priority to register with iMaster NCE-Campus.

Assume that a device has both Internet and LTE links, and needs to use the Internet link as the active link and the LTE link as the backup link. When configuring ZTP, you can set Southbound access priority of the Internet link to High and that of the LTE link to Medium or Low. As such, the device preferentially selects the Internet link when it attempts to register with iMaster NCE-Campus, and automatically switches to the LTE link for registration if the Internet link is faulty.

-

Mapping peer IP (This parameter needs to be set only when Interface is set to xDSL (ATM), E1-IMA (ATM), or Ima-group and Interface protocol is set to IPoA.)

Peer IP address mapped to the PVC.

Different ATM interfaces or sub-interfaces on a device must be configured with different mapped IP addresses. Otherwise, traffic forwarding fails.

Y

Negotiation mode (This parameter needs to be set only when Interface is set to GE, FE, or XGE.)

Negotiation mode of the interface. Interfaces at both ends of a link must use the same negotiation mode. If an interface working in auto-negotiation mode frequently alternates between Up and Down, disable auto-negotiation and set the same rate and duplex mode on the interfaces at both ends of a link.

Y

Working mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface working mode. Only combo interfaces support both optical and electrical working modes. You can select either of the two modes based on networking requirements. For interfaces of other types, set this parameter based on their supported working mode.

NOTE:

If an interface cannot work as an optical interface but its working mode is set to the optical mode, the ZTP configuration fails to take effect after being delivered to the CPE where the interface is located.

Y

Duplex mode (This parameter needs to be set only when Negotiation mode is set to Manual.)

Duplex mode of the interface. Interfaces at both ends of a link must use the same duplex mode.

For optical interfaces, the duplex mode is fixed at the full duplex mode. For electrical interfaces, you can select the full-duplex or half-duplex mode according to the actual situation.

Y

Speed (This parameter needs to be set only when Negotiation mode is set to Manual.)

Interface rate. Interfaces at both ends of a link must work at the same rate.

Y

Optical Module Type (This parameter needs to be set only when Interface is set to XGE.)

Type of the optical module. Set this parameter based on the transmission rate requirements. Currently, GE and 10GE types are available. A GE optical module transmits traffic at a rate of 1000 Mbit/s, and a 10GE optical module transmits traffic at a rate of 10,000 Mbit/s. If 10GE is selected, the negotiation mode cannot be configured. The optical modules on the interfaces at both ends of a link must be of the same type.

-

Public IP

IP address used by the CPE to connect to the WAN. This parameter needs to be configured only for RR sites.

This IP address is reachable from external networks. Edge sites register with RR sites through this address. On a carrier network, the carrier sets public IP addresses in a unified manner. On an enterprise network, an enterprise administrator selects public IP addresses from the network segment assigned by the carrier.

Public IP is mandatory in a NAT scenario.

Y

Access type (This parameter needs to be set only when Interface is set to Serial, Sub Interface is enabled, and Interface protocol is set to FR.)

Access type of a sub-interface.

  • If Access type is set to P2MP: A P2MP sub-interface connects to multiple remote devices. Multiple PVCs can be configured for a sub-interface, and each PVC is mapped to the IP address of a remote device. In this way, different PVCs can connect to different remote devices.
  • If Access type is set to P2P: A P2P sub-interface connects to a single remote device. Only one PVC needs to be configured for a sub-interface, and a unique remote device can be determined without configuring static address mapping.

This parameter is configurable only when Interface is set to Serial and Sub-interface is enabled in the WAN link template.

Y

Uplink bandwidth (Mbit/s)

Maximum uplink and downlink bandwidth limits for the interface. Set them based on the actual bandwidth of the link. If the configured value is less than the actual bandwidth and the actual traffic rate exceeds the configured value, packets are dropped and services are affected.

NOTE:

If traffic distribution or QoS for incoming traffic on the overlay network is not configured, the downlink bandwidth limit does not take effect.

Y

Downlink bandwidth (Mbit/s)

Y

Link ID

ID of a WAN link. You can plan a unique ID for each link in an SD-WAN network. This helps you query link information by ID during maintenance.

Y

Inter-CPE link (This parameter needs to be set for a dual-gateway site.)

Use LAN-side L2 interface

Whether to use Layer 2 physical LAN interfaces on the interlink connecting the two gateways.

  • If no direct link is configured between two gateways, LAN-side links are used for communication between dual gateways.
  • If direct links are available between the two gateways, LAN-side links do not need to be used.

Y

VLAN ID

VLAN IDs used by interlinks for communication between two gateways and used for VPN communication. The number of VLAN IDs must be greater than that of VPNs. In the dual-gateway scenario, iMaster NCE-Campus configures a VLAN for each VPN on interlink interfaces between two gateways. This implements VPN isolation. The start VLAN ID must be in the range from 1 to 4086 and the end VLAN ID must be in the range from 9 to 4094. The difference between the start and end VLAN IDs must be greater than or equal to 8 and less than or equal to 300. A maximum of 16 VLAN ranges can be configured, and the total number of VLANs cannot exceed 301.

NOTE:

The VLAN ID can be modified after deployment.

Y
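The VLAN ID constraints above interact (per-range span, range count, total VLAN count, and the VLAN-to-VPN ratio), so a plan that passes each check in isolation can still fail. The following validator, an added example that is not iMaster NCE-Campus code, encodes only the rules stated on this page so a plan can be checked before it is entered; the sample plans in the test are constructed.

```python
"""Validate an interlink VLAN plan against the constraints listed above.

Added example (not iMaster NCE-Campus code): it encodes only the rules
stated on this page. Sample plans are constructed."""


def validate_interlink_vlans(ranges, vpn_count):
    """ranges: list of (start_vlan, end_vlan); vpn_count: number of VPNs the site joins.

    Returns (ok, message)."""
    if not ranges:
        return False, "at least one VLAN range is required"
    if len(ranges) > 16:
        return False, f"{len(ranges)} ranges configured; the maximum is 16"
    total = 0
    for start, end in ranges:
        if not 1 <= start <= 4086:
            return False, f"start VLAN {start} is outside 1-4086"
        if not 9 <= end <= 4094:
            return False, f"end VLAN {end} is outside 9-4094"
        span = end - start
        if not 8 <= span <= 300:
            return False, f"end - start of range {start}-{end} is {span}; must be 8-300"
        total += span + 1          # VLAN IDs in this range, inclusive
    if total > 301:
        return False, f"{total} VLANs in total; the maximum is 301"
    if total <= vpn_count:
        # one VLAN per VPN on the interlink, and the page requires more VLANs than VPNs
        return False, f"{total} VLANs cannot isolate {vpn_count} VPNs; more VLANs than VPNs are required"
    return True, f"{total} VLANs in {len(ranges)} range(s) for {vpn_count} VPNs"


if __name__ == "__main__":
    print(validate_interlink_vlans([(100, 120)], 8))
    print(validate_interlink_vlans([(i * 100, i * 100 + 19) for i in range(1, 17)], 8))
```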

MTU

MTU for the interface. The maximum transmission unit (MTU) is a data link layer parameter that determines whether IP packets are fragmented: if an IP packet sent by the peer device is longer than the MTU, the packet is fragmented. By default, the MTU is 1500 bytes.

-

MSS

MSS for the interface. The maximum segment size (MSS) is a TCP option that tells the peer device the maximum amount of TCP payload the local device can receive in one segment. When a TCP connection is set up, each end advertises its MSS, and the smaller value determines the maximum data length of the TCP segments sent on that connection; data larger than the negotiated MSS is split into multiple segments before transmission. To avoid IP fragmentation on the path, ensure that the MSS plus all header lengths (TCP and IP headers, and any tunnel and IPsec headers that the overlay adds) does not exceed the MTU. By default, the MSS is 1200 bytes.

-
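Why the default MSS of 1200 sits well below the usual 1460 of a plain Ethernet link: the overlay adds an outer IP header, a GRE header and, when IPsec encryption is enabled for NAT traversal, ESP framing that includes worst-case block padding. The budget below is an added example, not device code; the header sizes come from the protocol RFCs, and which encapsulations a given AR WAN link actually applies (GRE overlay, IPsec transport or tunnel mode, UDP encapsulation for NAT-T) is an assumption of the example.

```python
"""Does the interface MSS leave room for the overlay headers?

Added example, not device code. Header sizes are taken from the protocol
RFCs; which encapsulations an AR WAN link applies is an assumption here,
so treat the results as worst-case budgets, not values read from a device."""

OUTER_IPV4 = 20   # outer IPv4 header of the tunnel packet
INNER_IPV4 = 20   # inner IPv4 header carried inside the tunnel
TCP_HDR = 20      # TCP header without options
GRE_HDR = 4       # GRE without key or sequence number (RFC 2784)
UDP_NAT_T = 8     # UDP encapsulation of ESP through NAT (RFC 3948)
ESP_HDR = 8       # SPI + sequence number (RFC 4303)
ESP_IV = 16       # IV for 16-byte-block ciphers such as AES
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 16      # integrity check value (128-bit truncated HMAC or AES-GCM tag)
ESP_PAD_MAX = 15  # worst-case padding up to a 16-byte cipher block


def overlay_overhead(ipsec: bool = True, nat_traversal: bool = False,
                     ipsec_tunnel_mode: bool = False) -> int:
    """Worst-case number of header bytes added around one TCP payload."""
    overhead = OUTER_IPV4 + GRE_HDR + INNER_IPV4 + TCP_HDR
    if ipsec:
        overhead += ESP_HDR + ESP_IV + ESP_TRAILER + ESP_ICV + ESP_PAD_MAX
        if ipsec_tunnel_mode:
            overhead += OUTER_IPV4   # tunnel mode wraps the packet in one more IP header
        if nat_traversal:
            overhead += UDP_NAT_T    # NAT traversal enabled: ESP rides inside UDP
    return overhead


def max_mss(mtu: int, **encap) -> int:
    """Largest TCP payload per segment that still fits the MTU after encapsulation."""
    return mtu - overlay_overhead(**encap)


def mss_fits(mss: int, mtu: int, **encap) -> bool:
    """True if a segment of this MSS is never fragmented on the overlay."""
    return mss + overlay_overhead(**encap) <= mtu


def mss_report(mtu: int = 1500, mss: int = 1200) -> dict:
    """Check the page's defaults (MTU 1500, MSS 1200) against each encapsulation."""
    cases = {
        "gre_only": dict(ipsec=False),
        "gre_ipsec_transport": dict(ipsec=True),
        "gre_ipsec_transport_nat_t": dict(ipsec=True, nat_traversal=True),
        "gre_ipsec_tunnel_nat_t": dict(ipsec=True, nat_traversal=True, ipsec_tunnel_mode=True),
    }
    return {name: (max_mss(mtu, **kw), mss_fits(mss, mtu, **kw)) for name, kw in cases.items()}


if __name__ == "__main__":
    for name, (limit, ok) in mss_report().items():
        print(f"{name:28s} max MSS {limit}  default MSS 1200 fits: {ok}")
```

A 1460-byte MSS that is fine on a bare Ethernet link already exceeds the budget with GRE alone (1436), and every IPsec variant pulls the limit further down, which is what the 1200-byte default buys headroom against.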

Device1 Interface

Physical interfaces of the interlinks between two gateways. If two interlinks are required, the types of the two interlink interfaces on the same device must be the same. The types of the interfaces at both ends of an interlink must be the same. The interface type varies according to whether a direct link exists between two gateways:

  • If a direct link exists between two gateways (that is, Use LAN-side L2 interface is disabled), use Layer 3 interfaces at both ends of an interlink. If only one interlink is required, Layer 3 sub-interfaces need to be created for the interfaces directly connecting the two gateways and be used as interlink interfaces. If multiple interlinks are required, iMaster NCE-Campus automatically configures the interfaces of these links as an Eth-Trunk sub-interface on each end to ensure link reliability.
  • If no direct link is configured between two gateways (that is, Use LAN-side L2 interface is enabled), use Layer 2 interfaces at both ends of an interlink. If each of the two gateways directly connects to the same LAN switch using a Layer 2 link, a VLAN ID needs to be specified so that the gateways can communicate with each other through VLANIF interfaces.

-

Device2 Interface

-

(Optional) Expanding a Single-Gateway Site to a Dual-Gateway Site

Context

As an enterprise grows, its requirements on network quality and networking capability increase. A single-gateway site deployed at an early stage cannot meet these requirements, because it provides neither gateway redundancy nor sufficient networking capability. To address this, the single-gateway site is expanded to a dual-gateway site.

Compared with a single-gateway site, a dual-gateway site has tunnel information synchronized between its dual gateways, so that the gateways share the same tunnel connection table. As such, the dual-gateway site can use all available tunnels set up with the destination site for traffic steering. In addition, the dual gateways back up each other. When one gateway at the site is faulty, services can be switched to the other gateway to ensure service continuity.

iMaster NCE-Campus supports a smooth transition from an existing single-gateway site to a dual-gateway site.

Prerequisites

  1. A site has been created. For details, see Creating a Site.
  2. WAN-side links have been configured for a single-gateway site. For details, see Configuring ZTP.
  3. A new gateway has been added to the single-gateway site. For details, see Adding an AR Device.

    When adding a new gateway to a single-gateway site, ensure that the role of the new gateway is the same as that of the existing gateway. You can add a new device to the single-gateway site by selecting the new device on the device list page or migrating the new device from another site.

Precautions

  • Currently, capacity expansion is not supported in the following scenarios:
    1. Single-gateway sites of the following types cannot be expanded: RR sites, cloud sites (with AR1000Vs), sites with AR5700&6700&8000 series devices, and sites created by MSP administrators.
    2. In the global configuration, IPv4 Dual-Gateway Interconnection Protocol is set to IBGP.
    3. In the global configuration, Select the source of RR is set to MSP RR.
    4. The site to be expanded is an IWG site and has been added to a topology.
    5. The site to be expanded has an IPv6 link configured or has been added to an IPv6 VN.
    6. The site to be expanded has been added to more than eight VNs.
    7. The site to be expanded has an application quality monitoring task configured.
    8. The site to be expanded has been associated with an uncommitted policy.
  • If a site requires capacity expansion, the devices at the site must run V300R022C00 or later versions. Otherwise, the controller may fail to deliver configurations to the devices.
  • Only the following models support capacity expansion. Some models support expansion only with the same model.
    • The following device models support capacity expansion with devices of the same model:

      AR651C, AR651F-Lite, AR651K, AR651U-A4, AR651W, AR651W-8P, AR657W, AR6120, AR6120-VW, AR6121, AR6121E, AR6121K, AR6510-L11T1X2, AR5510-H8P2TW1, AR5510-H10T1

    • The following device models support capacity expansion with devices of different models:

      AR6140-16G4XG, AR6140-9G-2AC, AR6140E-9G-2AC, AR6140K-9G-2AC, AR6280, AR6280K, AR6300, AR6300K, AR6500-10, AR6510-L5T4S4

  • Capacity expansion cannot be rolled back. That is, after a single-gateway site is expanded to a dual-gateway site, it cannot be deployed as a single-gateway site again.
  • Capacity expansion involves orchestration of multiple features. Therefore, you are advised not to perform unnecessary operations during capacity expansion to avoid conflicts. Do not configure the features that will be orchestrated when capacity expansion is ongoing.

Procedure

  1. Choose from the main menu and click the ZTP tab.
  2. On the WAN link information page of the original gateway, click Expand Gateway. The WAN link configuration page of the new gateway is displayed.

  3. Configure a WAN-side link for the new gateway and an interlink connecting the dual gateways. For details, see Configuring ZTP.

  4. Click OK.

    After capacity expansion is completed, iMaster NCE-Campus delivers the configuration specific to the single-gateway site to the new gateway, but does not deliver the configuration specific to the existing gateway to the new gateway. Configurations such as interconnection interfaces and interconnection routing policies are synchronized to the existing gateway.

Configuring NTP

Context

When an AR router reports performance data, it carries timestamps in packets. If the time of the AR router is inconsistent with that of iMaster NCE-Campus, the time in performance data is inconsistent with the actual time. As a result, the site traffic and quality data cannot be displayed. Therefore, you need to configure NTP on iMaster NCE-Campus to ensure that the time of site devices is the same as that of iMaster NCE-Campus.

You are advised to configure an RR site as a client to synchronize its clock with an NTP server on the public network. In addition, configure the RR site as the NTP server and edge sites as clients, so that the edge sites can synchronize their clocks with the RR site.

Prerequisites

  1. A site has been created. For details, see Creating a Site.
  2. Global parameters have been set for the site. For details, see Setting Global Parameters.
  3. WAN link parameters have been configured for the site. For details, see Configuring ZTP.

Procedure

  1. Choose from the main menu.
  2. Then click the ZTP tab.
  3. Select a site for which clock synchronization needs to be configured.
  4. Click the NTP tab.
  5. Configure NTP for an RR site.

    • (Optional) Click Import default NTP to import the global NTP server information configured on the page.
    • In the Time zone area, set the time zone for devices at the site. If the default NTP configuration is enabled in the global configuration, the site uses the default time zone and the default synchronization hierarchy configured there: an edge site synchronizes its clock with the associated RR site, and the RR site synchronizes its clock with an external clock source.
    • (Optional) Enable or disable DST of the time zone as required.
    • (Optional) Set parameters such as NTP authentication for the NTP server. By default, an RR site functions as the NTP server with which edge sites synchronize their clocks. The authentication algorithm of the NTP server is not configurable: the server always uses HMAC-SHA256 to authenticate NTP packets.
    • When a site functions as an NTP client, configure the NTP client mode for the site.
      • Manual Configuration: The current site functions as an NTP client and an NTP server needs to be manually specified. Configure the RR site as an NTP client, so that it can synchronize its clock with an NTP server on the public network.

        Set Server Network based on the deployment location of the NTP server.

        • If the NTP server is deployed on the internal network, select Overlay to implement communication between the NTP server and RR sites through overlay links.
        • If the NTP server is deployed on an external network, select Underlay to implement communication between the NTP server and RR sites through underlay links.

      • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.

  6. Configure NTP for an edge site.

    • (Optional) Click Import default NTP to import the global NTP server information configured on the page.
    • In the Time zone area, set the time zone for devices at the site. If the default NTP configuration is enabled in the global configuration, the site uses the default time zone and the default synchronization hierarchy configured there: an edge site synchronizes its clock with the associated RR site, and the RR site synchronizes its clock with an external clock source.
    • (Optional) Enable or disable DST of the time zone as required.
    • When a site functions as an NTP client, configure the NTP client mode for the site.
      • Synchronize with the RR Site: The current site functions as a client, and the RR site functions as the NTP server. The site synchronizes its clock with the RR site. This option is selected by default. You are advised to retain the default configuration for edge sites.
      • Manual Configuration: The current site functions as a client and an NTP server needs to be manually specified. The current site synchronizes its clock with the specified NTP server.
      • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.
        When a single-gateway site is expanded to a dual-gateway site, the NTP client mode of the new gateway varies in the following situations:
        1. If NTP client mode of the original gateway is Synchronize with the RR Site, the NTP configuration is delivered to the new gateway during expansion, and the new gateway uses the same NTP client mode as the original gateway.
        2. If NTP client mode of the original gateway is Manual Configuration or Disabled, the NTP configuration will not be delivered to the new gateway during expansion. You need to manually configure NTP for the new gateway.

  7. Click OK. The NTP configuration is completed.

Parameter Description

Table 2-100 Parameters on the NTP tab page

Parameter

Description

Data Plan Required or Not

Time zone

Time zone of devices at a site. If DST is observed in the time zone, you can choose whether to apply DST rules to the time zone. You can select a DST rule in either of the following ways: Use the DST rule preset on the system for each time zone, or configure a DST rule by specifying the DST offset, start time, and end time.

Y

DST

Whether to enable DST.

-

Configure mode (configurable when DST is enabled)

The options include Auto and Manual. When Manual is selected, manually set Name, Offset, Time type, Start time, and End time.

-

Configurations of a site when it functions as an NTP server

(The parameters are configurable when the device role is Gateway+RR.)

NTP authentication

Whether to enable a site as an NTP server and enable NTP authentication. On a network that requires high security, NTP authentication needs to be enabled. During authentication, the authentication password and authentication ID configured on the NTP client are matched with those on the NTP server. If they are the same, the authentication succeeds. You can configure password authentication between the NTP client and NTP server, so that the NTP client only synchronizes with the server successfully authenticated, improving network security.

The authentication algorithm of the NTP server is not configurable: the server always uses HMAC-SHA256 to authenticate NTP packets.

Y

Authentication password

Password used for NTP authentication.

-

Authentication key ID

Key ID used for NTP authentication. When a site functions as both the NTP client and server, the authentication key ID for the NTP server and that for the NTP client must be different.

-

NTP parameters

NTP client mode

Mode of a site when it functions as an NTP client. The options are as follows:

  • Synchronize with the RR Site: The current site functions as an NTP client and the RR site functions as the NTP server. By default, this option is used. Retain the default setting for edge sites in SD-WAN scenarios (GRE tunnel mode).
  • Manual Configuration: The current site functions as an NTP client and an NTP server needs to be manually specified. In SD-WAN scenarios where GRE tunnels are used, configure the RR site as a client to synchronize its clock with an NTP server on the public network.
  • Disabled: The current site does not function as an NTP client and does not perform clock synchronization.

Y

NTP parameters (These parameters need to be set only when NTP client mode is set to Manual Configuration.)

Device

CPE that functions as an NTP client.

-

Server Network

Select Underlay or Overlay based on the network where the NTP server is deployed.

-

WAN Link(VN Instance)

WAN-side link of a site connecting to the NTP server.

-

NTP Server Type

Type of the NTP server.

-

NTP Server IP Address

IP address of the NTP server.

Y

Preferential NTP Server

Whether the NTP server is specified as the preferred server. If multiple NTP servers are specified as preferred servers, the system randomly selects a preferred NTP server.

-

VPN Name (This parameter is configurable only when Server Network is set to Overlay.)

Select a VPN.

-

Source Interface (This parameter needs to be set only when Server Network is set to Overlay)

Source interface used by the device to send NTP packets.

-

Authentication

Whether to enable the authentication function. If NTP authentication is enabled on the NTP server, the authentication function must also be enabled on the NTP client. Otherwise, clock synchronization cannot be performed.

-

Authentication Mode

Authentication mode, which can be MD5 or HMAC-SHA256. The authentication mode selected here must be the same as that enabled on the NTP server. HMAC-SHA256 is recommended, because it is more secure than MD5. AR5700&6700&8000 series devices do not support MD5 authentication.

Y

Authentication password

Password used for NTP authentication.

The rules for verifying the authentication password are as follows:

  • For AR600&6100&6200&6300&SRG series and AR1000V devices, the authentication password can contain 6 to 255 characters and must contain at least two types of the following characters: special characters ("`!@#$%^&()_+=-[]{},.;), uppercase letters (A to Z), lowercase letters (a to z), and digits (0 to 9).
  • For AR5700&6700&8000 series devices, the authentication password can contain 12 to 255 characters, including uppercase letters, lowercase letters, digits, and special characters ("`!@#$%^&()_+=-[]{},.;).

Y

Authentication key ID

Key ID used for NTP authentication. The key ID and password configured here must match a key on the NTP server that the client synchronizes with. On a device that functions as both an NTP client and an NTP server (for example, an RR site that synchronizes with a public NTP server and serves edge sites), the key ID used in the client role must be different from the key ID configured for the server role.

The rules for verifying the authentication ID are as follows:

  • For AR600&6100&6200&6300&SRG series and AR1000V devices, if NTP Server Type is set to IPv4 or IPv6, the value must be in the range from 1 to 4294967295.
  • For AR5700&6700&8000 series devices, if NTP Server Type is set to IPv4, the value must be in the range from 1 to 4294967295. If NTP Server Type is set to IPv6, the value must be in the range from 1 to 65535.

Y
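What the NTP authentication parameters in this table (authentication mode, password, key ID) and in the server table above actually do on the wire, as an added example that is not AR router or iMaster NCE-Campus code: a 4-byte key ID and a MAC are appended to the 48-byte NTP header, the receiver looks the key up by that ID and recomputes the MAC, and any mismatch in key ID, password, mode or packet contents makes synchronization fail, which is the failure the Authentication parameter warns about. The example assumes the RFC 5905 key-ID/MAC trailer with HMAC-SHA256 over the header for the recommended mode and keyed MD5(key || header) for the legacy mode; the routers' exact on-wire format is not stated on this page. It also encodes the password and key-ID rules from the table, assuming that only the listed character classes are permitted. Keys and timestamps are constructed.

```python
"""NTP authentication as the table describes it: a key ID plus a MAC
appended to the 48-byte NTP header, checked by the receiver with the key
that ID selects, plus the password and key-ID rules from the table.

Added example, not AR router or iMaster NCE-Campus code. Assumed: the
RFC 5905 key-ID/MAC trailer with HMAC-SHA256 over the header, or
MD5(key || header) for the legacy MD5 mode; the routers' exact on-wire
format is not given on this page. Keys and timestamps are constructed."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01


def ntp_client_header(unix_time: float) -> bytes:
    """48-byte NTPv4 client request: LI=0, VN=4, Mode=3, transmit timestamp set."""
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision; root delay, root dispersion, reference ID;
    # reference, originate and receive timestamps (zero); transmit timestamp
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def ntp_mac(header: bytes, key: bytes, mode: str) -> bytes:
    if mode == "hmac-sha256":
        return hmac.new(key, header, hashlib.sha256).digest()
    if mode == "md5":
        return hashlib.md5(key + header).digest()    # legacy keyed MD5 (RFC 5905 App. A)
    raise ValueError(f"unsupported mode {mode}")


def authenticate(header: bytes, key_id: int, key: bytes, mode: str) -> bytes:
    """Client side: append the 4-byte key ID and the MAC over the header."""
    if not 1 <= key_id <= 0xFFFFFFFF:
        raise ValueError("key ID must be 1..4294967295")
    return header + struct.pack("!I", key_id) + ntp_mac(header, key, mode)


def verify(packet: bytes, keyring: dict, mode: str) -> bool:
    """Server side: look the key up by the ID in the packet, recompute, compare."""
    if len(packet) < 48 + 4 + 16:
        return False                       # no MAC present: reject when authentication is on
    header = packet[:48]
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = keyring.get(key_id)
    if key is None:
        return False                       # key ID unknown to the server: client/server mismatch
    return hmac.compare_digest(packet[52:], ntp_mac(header, key, mode))


SPECIALS = set('"`!@#$%^&()_+=-[]{},.;')   # special characters listed in the table
ALLOWED = SPECIALS | set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def ntp_password_ok(password: str, family: str) -> bool:
    """Password rules from the table. family: 'AR6xxx' (AR600/6100/6200/6300/SRG, AR1000V)
    or 'AR5700' (AR5700/6700/8000). Assumed: only the listed character classes are allowed."""
    if not all(c in ALLOWED for c in password):
        return False
    if family == "AR5700":
        return 12 <= len(password) <= 255
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(c in SPECIALS for c in password))
    return 6 <= len(password) <= 255 and sum(classes) >= 2


def ntp_key_id_ok(key_id: int, family: str, server_type: str) -> bool:
    """Key ID rules from the table; only AR5700-family devices with an IPv6 server are limited to 16 bits."""
    if family == "AR5700" and server_type == "IPv6":
        return 1 <= key_id <= 65535
    return 1 <= key_id <= 4294967295


if __name__ == "__main__":
    keyring = {7: b"Edge-Site-NTP-Key-2024!"}          # constructed server key table
    pkt = authenticate(ntp_client_header(1700000000.25), 7, keyring[7], "hmac-sha256")
    print("accepted:", verify(pkt, keyring, "hmac-sha256"))
    print("wrong key ID:", verify(pkt, {8: keyring[7]}, "hmac-sha256"))
    print("mode mismatch:", verify(pkt, keyring, "md5"))
```

The three rejection paths in `verify` map directly onto the table's warnings: an unknown key ID (client and server configured with different IDs), a wrong password (MAC mismatch), and a different authentication mode (digest length and value differ). Note that keyed MD5 here is not an HMAC, which is one reason the page recommends HMAC-SHA256 and the AR5700/6700/8000 series drops MD5 entirely.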

Importing and Exporting Site Configurations

Context

You can import and export WAN-side physical link configuration and NTP configuration of sites in batches.

Prerequisites

Before importing site configurations, the sites whose configurations need to be imported must have been created on iMaster NCE-Campus and devices have been added to the sites.

Feature Requirements

  1. Data of a maximum of 100 sites can be exported in batches. If data of more than 100 sites needs to be exported, the first 100 sites are automatically selected for export.
  2. Data of cloud sites cannot be exported.

Procedure

  1. Choose from the main menu. Click the Export And Import tab.
  2. Click the Export tab.
  3. Click Click here to add site. Select the target sites whose configurations need to be exported and click OK.

  4. Click Export. Open the exported .xls file and modify the site configuration based on the site requirements. Currently, only the WAN link and NTP configurations can be modified.

  5. Save the modified .xls file. Click the Import tab on iMaster NCE-Campus.
  6. Select the site configuration file to be imported, and click Import next to Upload file.

    1. The configuration file for up to 100 sites can be imported in batches.
    2. If the site configuration to be imported contains the Eth-Trunk interface configuration, you need to create Eth-Trunk interfaces at the target sites in advance. Otherwise, the import fails. For details about how to create an Eth-Trunk interface, see Configuring a Physical Interface.

  7. Check the import result in the Import Result area, including the task name, task creation time, end time, status, total number of tasks, and number of successfully executed tasks.

    1. If Success is displayed in the Task Status column, the site configuration file is imported successfully.
    2. If Fail is displayed in the Task Status column, the site configuration file fails to be imported. You can check the specific failure cause.

    A maximum of 10 records can be displayed in Import Result.