SupportDocumentationEnterprise Network SolutionIndustry SolutionsGovernment & Public SecurityConfiguration & CommissioningDeployment and Maintenance Guide

Secure SD-WAN Portfolio Solution V100R024C00 Deployment and Maintenance Guide

Secure SD-WAN includes SD-WAN and integrates the Next-Generation Firewall (NGFW) to provide security functions such as attack detection and protection, anti-DDoS, and IDS/IPS. In V100R024C00, the Secure SD-WAN Portfolio Solution supports the SD-WAN scenarios that are not supported by the SD-WAN Solution and HiSec SASE Solution. These scenarios combine ARs and USG firewalls.

Secure SD-WAN includes SD-WAN and integrates the Next-Generation Firewall (NGFW) to provide security functions such as attack detection and protection, anti-DDoS, and IDS/IPS. In V100R024C00, the Secure SD-WAN Portfolio Solution supports the SD-WAN scenarios that are not supported by the SD-WAN Solution and HiSec SASE Solution. These scenarios combine ARs and USG firewalls.

Deployment Configurations for Tenant Branch Sites

Deployment Configurations for Tenant Branch Sites

Configurations Before Deployment

Configuring the Scenario View

The Secure SD-WAN Portfolio Solution requires that iMaster NCE-Campus work in the LAN-WAN convergence scenario. The configuration process is as follows:

  1. Log in to iMaster NCE-Campus using a tenant account, change the password as prompted, and click Apply.

    Figure 5-22 iMaster NCE-Campus login as a tenant administrator
    Figure 5-23 Changing the password of a tenant

    The tenant password must be changed upon first login.

  2. Set the device administrator password and click OK.

    • After a tenant device goes online at a new site, the device administrator password set here automatically takes effect to ensure device security.
    • The default administrator user name of devices running V600 is administrator, and that of devices running V300 is admin.

  3. Select LAN-WAN Convergence and click Start.

Configuring Global Parameters

Context

  • Global configuration parameters related to a tenant network include:
    • Parameters for physical networks: routing domain, transport network, IPsec encryption, device activation security, link connectivity detection, intelligent traffic steering, and NTP configurations.
    • Parameters for virtual networks: routing, IP address pool, DNS, and port configurations.
    • Collection configuration: application traffic, application quality, WAN link traffic, and third-party NetStream
  • For details about how to configure global parameters for AR tenants, see "Deployment > Deployment Guide > Site Deployment > Configuration Before Deployment > Using an MSP RR Site > Configuration Before Deployment by Tenants > Setting Global Parameters" in the SD-WAN Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.
  • For details about how to configure global parameters for firewall tenants, see "Deployment > Network and Security Service Solution Deployment Guide > Site Deployment > Configuration Before Deployment > Configuration Before Deployment > Setting Global Parameters" in the HiSec SASE Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.

Parameter Plan

Table 5-16 describes the global parameter plan in this example. Retain default values for the parameters that are not configured.

Table 5-16 Key global parameter plan

Tab

Function Item

Configuration Item

Value

Parameter Description

Physical Network

RR Source

RR Source

MSP

MSP RR used by a tenant.

Device Activation Security

Email-based deployment URL encryption key

Huawei123

Key for encrypting the URL in a deployment email. Email-based deployment will be successful only after you click the URL in the received email on your PC and enter this key. After the encryption key is changed, the deployment URL is encrypted using the new encryption key when a deployment email is sent to any account of the tenant. After configuring the key, keep it secure to prevent email-based deployment from being affected.

The key must contain 8 to 12 digits and letters. If Compatibility obsolete devices is selected, the key complexity requirements will decrease. Exercise caution when performing this operation.

Web login

Enable

Whether the URL for email-based deployment carries web user information. This configuration specifies the web user name used to log in to the device to deliver deployment configurations.

Web login Username

root123

Web username.

Web login Password

Huawei@123

Web user password

NTP

Default NTP configuration

Enable

The customer needs to provide the IP address of the NTP server, which must be reachable to the controller and CPEs. The time zone and time of the CPEs must be the same as those on the controller.

Time zone

(UTC+02:00)Cairo

NTP client mode

Manual

NTP server IP address

6.8.2.102

NTP authentication

Disable

Virtual Network

Routing

AS number

65001

Each tenant uses a unique internal BGP AS number. All sites deployed through iMaster NCE-Campus using the same tenant account belong to this AS. This parameter is used by BGP EVPN routes in the SD-WAN solution and cannot be modified.

Community pool configuration

Disable

When the RR source is set to MSP, all community attributes are allocated from the community attribute pool configured by the MSP.

IPv4 Dual-Gateway Interconnection Protocol

OSPF

IPv4 dual-gateway interconnection protocol.

Routing policy delay

Disable

Whether to enable Routing policy delay.

Discard unencrypted packets

Disable

Whether to toggle on the Discard unencrypted packets switch to enable the function of discarding unencrypted packets.

BGP route keepalive duration enable

Disable

Whether to enable the BGP route keepalive function. After this function is enabled, you can configure Maximum keepalive duration. When an RR is offline on the network, BGP routes are not withdrawn within the specified duration, services on the peer device connected to the RR are not affected, and data is properly forwarded on the forwarding plane.

IP Pool

Mode selection

Simple

You can select Simple or Advanced for an IPv4 address pool. If Simple is selected, all addresses are assigned from the same address pool. If Advanced is selected, addresses can be assigned from IP pool, Interworking tunnel, and Interlink address pools.

IP pool

20.1.0.0/16

When iMaster NCE-Campus automatically orchestrates services such as overlay tunnels, overlay WAN routes, and site Internet access, IP addresses need to be allocated. The addresses to be configured include tunnel interface addresses, interworking tunnel addresses, CPE addresses, and addresses of interlinks.

Collection Configuration

-

Application traffic

Enable

Whether to enable global traffic statistics collection. After this function is enabled, inter-site traffic and inter-site application traffic at all sites are collected.

Application quality

Enable

Whether to enable inter-site traffic monitoring. After this function is enabled, traffic passing all inter-site links is monitored in real time.

WAN link traffic

Enable

Whether to enable tenant devices to report their information to third-party platforms through NetStream. Firewall gateways do not support this function.

Third-party NetStream

Disable

Whether to enable tenant devices to report their information to third-party platforms through NetStream.

SAC Configuration

-

Application identification

Enable

Application identification: is also referred to as service awareness (SA). It identifies an application by matching multiple packets of the application.

FPI

Enable

FPI: identifies an application by matching the first packet of the application.

IP-based application identification

Enable

IP-based application identification: identifies an application by matching the IP address of an application packet.

Procedure

The procedure for configuring key global parameters in this example is as follows:

  1. Log in to iMaster NCE-Campus as a tenant administrator, choose Deploy > SD-WAN > Global Configuration. The global parameter configuration page is displayed.

  2. Set parameters on the Physical Network tab page and click OK. For details about the key parameters, see Table 5-16.

    1. Set RR Source to MSP.

    2. Set parameters in the Device Activation Security area.

    3. Set parameters in the NTP area.

    • To perform email-based deployment for devices, you must enable Encryption and Web login in the Device Activation Security area.
    • The web user information configured in the global configuration takes effect only for newly deployed devices. You can choose Network Configuration > Site Configuration > Site Configuration, select the corresponding site, and choose Site > Device Login Configuration > Local User to configure web user information.

  3. Set parameters on the Virtual Network tab page and click OK. For details about the key parameters, see Table 5-16.

    1. Configure a route.

    2. Configure an IP address pool.

  4. Set parameters on the Collection Configuration tab page and click OK. For details about the key parameters, see Table 5-16.

  5. Set parameters on the SAC Configuration tab page. For details about the key parameters, see Table 5-16.

Creating a Site

Context

Site Plan

Table 5-17 describes the site plan in this example. Retain default values for the parameters that are not configured.

Table 5-17 Site plan

Tenant

Site Name

Southbound IP Service Name

Device Type

ESN-Free Deployment

Site Description

AR tenant

Site1

Public Default South Access

AR

Yes

AR tenant branch site

Site2

Public Default South Access

AR

Yes

AR tenant branch site

Site3

Public Default South Access

AR

Yes

AR tenant branch site

Firewall tenant

Site4

Public Default South Access

Firewall

Yes

Firewall tenant branch site

Site5

Public Default South Access

Firewall

Yes

Firewall tenant branch site

Procedure

The procedure for configuring a site in this example is as follows:

  1. Log in to iMaster NCE-Campus as a tenant administrator and choose Deploy > SD-WAN > Site Management from the main menu. On the site configuration page that is displayed, click Create to create a site.

  2. Configure site information and click OK. The site is created. For details about the key parameters, see Table 5-17.

    Figure 5-24 Configuring site information

  3. Repeat steps 1 and 2 to create other sites.

Adding a Device

Context

Device Plan

Table 5-18 describes the device plan in this example. Retain default values for the parameters that are not configured.

Table 5-18 Device plan

Tenant

Device Name

Role

Site

Device Model

Remarks

AR tenant

CPE1-1

Gateway

Site1

AR5710-S8T2XE-LTE4EA-T

The device is added by device model.

CPE1-2

Gateway

Site1

AR5710-S8T2XE-LTE4EA-T

The device is added by device model.

CPE2

Gateway

Site2

AR617VW-LTE4EA

The device is added by device model.

CPE3

Gateway

Site3

AR617VW-LTE4EA

The device is added by device model.

Firewall tenant

CPE4

Gateway

Site4

USG6510F-D

The device is added by device model.

CPE5

Gateway

Site5

USG6510F-D

The device is added by device model.

If you select Add to add devices, two modes are available. For details, see Table 5-19.

Table 5-19 Methods of adding devices and application scenarios (manual device addition)

Method

Application Scenario

By ESN

This mode can be used in all deployment modes.

By device model

A device with a 12-digit ESN can be added only in this mode.

Procedure

The procedure for adding a device is as follows:

  1. Log in to iMaster NCE-Campus as a tenant administrator and choose Deploy > SD-WAN > Device Management from the main menu. On the device configuration page that is displayed, select a site on the left and choose Add device > Add to add a device.

  2. Configure device information and click OK. The device is added. For details about the key parameters, see Table 5-18.

  3. Repeat steps 1 and 2 to add devices to other sites.

Configuring a WAN Link

Context

Parameter Plan

Table 5-20 describes the WAN link parameter plan for tenant sites.

Table 5-20 WAN link parameter plan for tenants

Parameter

Value

Tenant

AR tenant

Firewall tenant

Site

Site1

Site2

Site3

Site4

Site5

Link name

Internet

Internet1

Internet

Internet

Internet

Internet

Transport network

Internet

Internet

Internet

Internet

Internet

Internet

Role

Active

Active

Active

Active

Active

Active

Device

CPE1-1

CPE1-2

CPE2

CPE3

CPE4

CPE5

Interface

GE0/0/1

GE0/0/1

GE0/0/1

GE0/0/1

GE0/0/1

GE0/0/1

Sub-interface

OFF

OFF

OFF

OFF

OFF

OFF

VN instance

underlay_Internet

underlay_Internet

underlay_Internet

underlay_Internet

underlay_Internet

underlay_Internet

IPv4

ON

ON

ON

ON

ON

ON

Interface protocol

IPoE

IPoE

IPoE

IPoE

IPoE

IPoE

IP address assignment mode

Static

Static

Static

Static

Static

Static

IPv4 address/mask

194.1.3.2

194.1.4.2

194.1.5.2

194.1.6.2

194.1.7.2

194.1.8.2

Subnet mask

24

24

24

24

24

24

IPv4 gateway

194.1.3.1

194.1.4.1

194.1.5.1

194.1.6.1

194.1.7.1

194.1.8.1

IPv4 overlay tunnel

ON

ON

ON

ON

ON

ON

NAT traversal

ON

ON

ON

ON

ON

ON

URL-based deployment

ON

ON

ON

ON

ON

ON

Southbound access address

OFF

OFF

OFF

OFF

OFF

OFF

Southbound Access Service1

ON

ON

ON

ON

ON

ON

Controller southbound access service

Private Default South Access

Public Default South Access

Private Default South Access

Private Default South Access

Private Default South Access

Private Default South Access

Southbound Access Service Priority

Low

Low

Low

Low

Low

Low

IPv6

OFF

OFF

OFF

OFF

OFF

OFF

Uplink bandwidth (Mbit/s)

1000

1000

1000

1000

1000

1000

Downlink bandwidth (Mbit/s)

1000

1000

1000

1000

1000

1000

Interlink

Use LAN-side Layer 2 interfaces

OFF

-

None

VLAN ID

2-300

-

None

Device Interface

GE0/0/2

GE0/0/2

-

None
  • NAT traversal: If a NAT device is deployed between the site on a private network and the WAN side, enable the NAT traversal function to set up overlay tunnels with other sites and RRs.

Procedure

The procedure for configuring a WAN link is as follows:

  1. Log in to iMaster NCE-Campus as a tenant administrator and choose Deploy > SD-WAN > ZTP from the main menu. On the ZTP configuration page that is displayed, select the site to be configured on the left and click Create to create a WAN link for the corresponding device.

  2. Configure the WAN link and click OK. For details about key parameters, see Table 5-20.

    Figure 5-25 Creating a physical interface for a WAN link (1)
    Figure 5-26 Creating a physical interface for a WAN link (2)
    Figure 5-27 Configuring a WAN link (1)
    Figure 5-28 Configuring a WAN link (2)

    For details about how to configure physical interfaces, see "Deployment > Deployment Guide > Site Deployment > Configuration Before Deployment > Using an MSP RR Site > Configuration Before Deployment by Tenants > Configuring a Physical Interface" in the SD-WAN Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.

  3. Repeat steps 1 and 2 to configure WAN links for other sites.

Configuring NTP

Context

  • When an AR router reports performance data, it carries timestamps in packets. If the time of the AR router is inconsistent with that of the controller, the time in performance data is inconsistent with the actual time. As a result, the site traffic and quality data cannot be displayed. Therefore, you need to configure NTP on iMaster NCE-Campus to ensure that the time of site devices is the same as that on iMaster NCE-Campus.
  • You are advised to configure an RR site as a client to synchronize its clock with an NTP server on the public network. In addition, configure the RR site as the NTP server, so that branch sites synchronize their clocks with the RR site.
  • For details about how to configure NTP for an AR tenant, see "Deployment > Deployment Guide > Site Deployment > Configuration Before Deployment > Using an MSP RR Site > Configuration Before Deployment by Tenants > Configuring NTP" in the SD-WAN Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.
  • For details about how to configure NTP for a firewall tenant, see "Deployment > Network and Security Service Solution Deployment Guide > Site Deployment > Configuration Before Deployment > Configuration Before Deployment > Configuring NTP" in the HiSec SASE Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.

Parameter Plan

Table 5-21 describes the NTP parameter plan for tenant sites.

Table 5-21 Tenant NTP parameter plan

Parameter

Value

Tenant

AR tenant

Firewall tenant

Site

Site1

Site2

Site3

Site4

Site5

Time zone

(UTC+02:00)Cairo

(UTC+02:00)Cairo

(UTC+02:00)Cairo

(UTC+02:00)Cairo

(UTC+02:00)Cairo

(UTC+02:00)Cairo

DST

OFF

OFF

OFF

OFF

OFF

OFF

NTP client mode

Synchronize with the RR Site

Synchronize with the RR Site

Synchronize with the RR Site

Synchronize with the RR Site

Synchronize with the RR Site

Synchronize with the RR Site

Procedure

The procedure for configuring NTP is as follows:

  1. Log in to iMaster NCE-Campus as a tenant administrator and choose Deploy > SD-WAN > ZTP from the main menu. On the ZTP configuration page that is displayed, select the site to be configured on the left and click the NTP tab.

  2. Click Import default NTP to import the global default NTP configuration. In the warning dialog box that is displayed, click OK. Then, click OK on the NTP page.

    If the default NTP configuration is enabled in the global configuration, the site uses the default time zone specified in the global configuration. A branch site can synchronize its clock with its associated RR site, and the RR site can synchronize its clock with an external clock source.

  3. Repeat steps 1 and 2 to configure NTP for other sites.

Configuring Association with MSP RR Sites

Context

Parameter Plan

Table 5-22 describes the RR association parameter plan for tenant sites.

Table 5-22 RR association parameter plan for tenants

Parameter

Value

Tenant

AR tenant

Firewall tenant

Site Name

Site1

Site2

Site3

Site4

Site5

Group Name

MSP-RR2,MSP-RR1

MSP-RR2,MSP-RR1

MSP-RR2,MSP-RR1

MSP-RR2,MSP-RR1

MSP-RR2,MSP-RR1

MSP-RR2,MSP-RR1

Procedure

The procedure for configuring association with an MSP RR site in this example is as follows:

  1. Log in to iMaster NCE-Campus as a tenant administrator and choose Deploy > SD-WAN > Connect to RR. On the ZTP configuration page that is displayed, select the site to be configured and click Connect.

  2. Select all MSP RR groups and click Detect. After the detection is successful, click OK to complete association with the MSP RR site.

Deployment Configuration

Context

Huawei Secure SD-WAN Portfolio Solution supports email-based and USB-based deployment, which greatly simplifies the deployment operations. Email-based deployment, also called URL-based deployment. After a network administrator completes ZTP configuration on iMaster NCE-Campus, iMaster NCE-Campus automatically generates a deployment email or ZTP file carrying the deployment information in URL parameters, such as the encryption parameters that provide the WAN interface configurations required by devices to register with iMaster NCE-Campus. After receiving the deployment email or ZTP file, a deployment engineer clicks the URL in the email or ZTP file to start the deployment process. Subsequently, devices automatically complete the deployment.

Two email-based deployment modes are supported:

  • Sending an email: The URL containing deployment information is sent to the deployment engineer by email.
  • Downloading the ZTP file: The URL containing deployment information is sent to the deployment engineer in the ZTP file. In this mode, no email server is required.

For details about the deployment parameters and configuration procedure for deploying ARs, see "Deployment > Deployment Guide > Site Deployment > Deployment Configuration" in the SD-WAN Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.

For details about the deployment parameters and configuration procedure for deploying firewalls, see "Deployment > Network and Security Service Solution Deployment Guide > Site Deployment > Deployment Configuration" in the HiSec SASE Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.

The following uses email-based deployment as an example.

Email-based Deployment Process

Figure 5-29 shows the process of topology information collection.

  1. Configure the email server.
  2. Configure the email content on iMaster NCE-Campus, which then sends the email to the specified email address.
  3. Obtain the URL containing deployment parameters in the email. The URL carries encrypted network configuration of the CPE.
  4. Power on the device and obtain the configurations in the URL.
    1. After the device is installed and started, connect the device to a deployment terminal in wired or wireless mode and click the URL in the deployment email or ZTP file to start the deployment process.
    2. The device resolves the URL information and pushes the Portal page to the deployment terminal. After the deployment engineer confirms deployment on the Portal page, the CPE automatically completes the configurations (including interface, network access, and VPN configurations) based on the parameters in the URL.
  5. The device is connected to the WAN and automatically registers with iMaster NCE-Campus.
    • If the CPE is registered successfully, iMaster NCE-Campus delivers all the service data that is configured offline to the device.
    • If the CPE fails to be registered, it initiates registration with iMaster NCE-Campus again after the fault causing the registration failure is eliminated.
Figure 5-29 Email-based deployment process

Configuration Process

The email-based deployment process in this example is as follows:

  1. Configure the email server. For details, see "Deployment > Deployment Guide > Site Deployment > Deployment Configuration > Email-based Deployment > Configuring an Email Server" in the SD-WAN Solution V100R024C00 & iMaster NCE-Campus V300R024C00 Product Documentation.
  2. Log in to iMaster NCE-Campus as a tenant administrator and choose Deploy > SD-WAN > ZTP. On the ZTP configuration page that is displayed, click Send Email to send a deployment email.

    1. Access the email-based deployment page.

    2. Select the sites to be deployed.

    3. Configure information about email recipients.

    4. Configure the email content.

    5. Send the email.

  3. Restore a site device to its factory settings, connect the PC to the management network port of the device, click the URL in the deployment email on the PC, and confirm the deployment.

    1. Receive the deployment email.

    2. Click the deployment URL.

    3. Access the URL page.

    4. Click Confirm Deployment.

    • If the CPE is a firewall, the default address of the management network port is 192.168.0.1 and the subnet mask is 255.255.255.0.
    • If the CPE is an AR, the default address of the management network port is 192.168.1.1 and the subnet mask is 255.255.255.0.
    • Ensure that the PC is on the same network segment as the CPE's management network port.

  4. Wait several minutes and check the deployment result.

    Figure 5-30 Successful deployment

Favorite
Download
Update Date:2025-06-23
Document ID:EDOC1100425790
Views:5310
Downloads:37
Average rating:0.0Points

Related Documents

Digital Signature File

digtal sigature tool