iMaster NCE-Campus V300R024C10 Product Overview

Published On:2025-06-10
Document ID:EDOC1100460924

Page 0 Copyright © 2025 Huawei Technologies Co., Ltd. All rights reserved.
Foreword

• With the rapid development of cloud computing, the on-demand cloud service mode becomes more popular, resulting in great changes in traditional network management. Against this backdrop, cloud-based network management has become a trend, as well as a new model for enterprise network construction, operations and maintenance (O&M).

• This course mainly introduces the overall architecture, software components, and key service features of iMaster NCE-Campus in Huawei CloudCampus Solution.

Objectives

• Upon completion of this course, you will be able to:
  - Understand the positioning and functions of iMaster NCE-Campus in Huawei CloudCampus Solution.
  - Understand the system architecture of iMaster NCE-Campus.
  - Understand the key features of iMaster NCE-Campus used in Huawei CloudCampus Solution.
  - Master the main configurations of iMaster NCE-Campus.

Contents

1. iMaster NCE-Campus Introduction and Architecture

2. iMaster NCE-Campus Key Features


Huawei CloudCampus Solution Overview

[Figure: solution layers. Application layer: cloud app, self-service portal, VAS store, ... Open APIs. Management and control layer: NCE-Campus & NCE-CampusInsight (manager + controller + analyzer) and the authentication component. Protocols toward the network: NETCONF, SNMP, HTTP/2, HTTPS, TCP... Network layer: medium- and large-sized campuses, SMB, site interconnection, WAN/Internet, Office VN, IoT VN.]

iMaster NCE is a system that integrates the manager, controller, and analyzer. It supports interconnections among simple-service campus networks, virtual campus networks, and multi-branch campus networks, and includes the following components:

• iMaster NCE-Campus: It provides management and control functions, such as management of cloud-based and traditional devices, traditional device management function, automated configuration, one-click redirection to iMaster NCE-CampusInsight by using the proxy service.

• iMaster NCE-Campus authentication component: An authentication component is integrated into iMaster NCE-Campus as a service. A maximum of 20 authentication components can be deployed at remote branches to provide local authentication. Authentication components and iMaster NCE-Campus can automatically synchronize user authentication and terminal identification information between each other through TCP channels.

• iMaster NCE-CampusInsight: It is an intelligent network analysis platform. Based on existing O&M data (such as device performance indicators and client logs), iMaster NCE-CampusInsight uses big data technology, AI algorithms, and other advanced analysis technologies to digitize user experience. It assists customers in detecting network issues in a timely manner, improving user experience. It is an independent component and is not described in this course.

• Campus devices: Campus devices include switches, routers, WLAN access controllers (WACs), access points (APs) and firewalls. iMaster NCE-Campus can manage devices through Network Configuration Protocol (NETCONF) and traditional Simple Network Management Protocol (SNMP).

iMaster NCE-Campus Introduction


• iMaster NCE-Campus serves as a cloud management platform in Huawei CloudCampus Solution. It provides service configuration, O&M, and monitoring capabilities for cloud managed devices (can be APs, firewalls, ARs, and switches) and traditional devices. It can also serve as an authentication server to implement user access control.

• Product positioning
  - iMaster NCE-Campus is a management and control system designed for Huawei CloudCampus Solution. It supports functions that include network service management, network security management, user admission management, network monitoring, network quality analysis, network application analysis, and alarm and report management. It also provides big data analytics and open application programming interfaces (APIs) to facilitate interconnection with other platforms. On a multi-tenant network, enterprise users can use iMaster NCE-Campus to perform service configuration and routine maintenance for their respective tenant networks, making it possible to manage large numbers of devices on the cloud.

iMaster NCE-Campus Highlights


• Highlights
  - Simplified
    - Simplified network planning
    - Simplified network deployment
  - Elastic
    - On-demand network expansion
    - On-demand management expansion
  - Open
    - Open network data
    - Open network platform

iMaster NCE-Campus Product & Tenant Network Architecture

[Figure: iMaster NCE-Campus (device management service, admission service, performance collection service, big data service) connected over the ISP network to the tenant networks of Tenant A and Tenant B. Sites (Site 1, Site 2, ...) contain APs, central APs, RRUs, switches, and firewalls.]

iMaster NCE-Campus Product Architecture


iMaster NCE-Campus Key Functions


| Function | Description |
|---|---|
| Network configuration management | For small- and medium-sized campuses with simple network configurations, iMaster NCE-Campus provides diversified functions, such as site-based network element (NE) management, topology management, interface and link management, configuration of underlay services, simplified deployment specific to scenarios, and configuration template binding. |
| Network automation | For large- and medium-sized campuses with complex network configurations, iMaster NCE-Campus can automatically orchestrate Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) configurations for setting up a VXLAN, simplifying network management and changes. |
| Network admission | iMaster NCE-Campus supports various authentication protocols, such as Portal 2.0 and RADIUS, and can authenticate and manage network end users. |
| O&M monitoring | iMaster NCE-Campus can collect performance data from devices through HTTP/2, and send the collected data to FusionInsight (big data analysis component), which then saves and analyzes the data and provides data analysis reports. |
| Big data service | iMaster NCE-Campus uses Huawei-developed FusionInsight as a big data service for data storage, analysis, and merging. |
| Nginx | iMaster NCE-Campus uses Nginx to load balance HTTP traffic. |
| LVS | iMaster NCE-Campus uses Linux Virtual Server (LVS) to build a virtual server cluster that provides one IP address for southbound and northbound planes. |

iMaster NCE-Campus Cluster Architecture

[Figure: cluster architecture. Database cluster: ETCD, GaussDB, Redis, DMQ. NCE-Campus cluster: Portal server, CampusBase/NetconfClient, OamService/ACUpgrade. FusionInsight cluster: Kafka. Other components: ACANginx (master/slave), Portal GW (master/slave), API GW (master/slave), LVS (master/slave), RESTful APIs. External parties: eSight, MSP/tenant administrator, third-party system. Numbered links: 1 HTTPS, Portal authentication page; 2 HTTP/2, user authentication; 3 NETCONF-based device management; 4 HTTP/2, device performance data reporting; 5 HTTP, device update; 6 HTTPS, Web UI; 7 HTTPS, NBI; 8 traditional device management.]

Key data exchange channels:
• 1 and 2: Portal authentication channel
• 3: Channel for device registration and location and alarm reporting
• 4: Device performance reporting channel
• 5: Device upgrade channel
• 6: Channel for logging in to the iMaster NCE-Campus Web UI
• 7: Channel for calling third-party APIs

iMaster NCE-Campus Deployment Mode (Updated in R23C10)

[Figure: scenario diagrams for LAN & POL convergence and LAN-WAN and POL convergence. Labels: hotels, general education, large enterprises, ...; branch LAN, WAN, HQ LAN.]

LAN & POL convergence:

| Deployment Mode | Number of Servers | Number of VMs | Maximum Number of Managed NEs (Including LAN and POL) | Maximum Number of Online Users |
|---|---|---|---|---|
| Single-node lite system | 1 | 1 | 500 (No POL) | 300 |
| Single-node system | 1 | 1 | 5000 | 20,000 |
| Single-node system (with NCE-CampusInsight) | 1 | 2 | 4000 | 20,000 |
| Minimum cluster | 3 | 3 | 30,000 | 100,000 |
| 9-node distributed cluster | 5 (two VMs on a server) | 9 | 60,000 | 300,000 |
| 17-node distributed cluster | 9 (two VMs on a server) | 17 | 200,000 | 700,000 |

LAN-WAN and POL convergence:

| Deployment Mode | Number of Servers | Number of VMs | Maximum Number of Managed NEs | Maximum Number of Online Users |
|---|---|---|---|---|
| Single-node system | 1 | 1 | Number of LAN/POL-side devices + Number of WAN-side devices x 10 ≤ 5000 | 20,000 |
| Minimum cluster | 3 | 3 | Number of LAN/POL-side devices + Number of WAN-side devices x 5 ≤ 15,000 | 50,000 |
| 6-node distributed cluster | 3 (two VMs on a server) | 6 | Number of LAN/POL-side devices + Number of WAN-side devices x 5 ≤ 30,000 | 100,000 |
| 9-node distributed cluster | 5 (two VMs on a server) | 9 | Number of LAN/POL-side devices + Number of WAN-side devices x 5 ≤ 60,000 | 300,000 |
| 17-node distributed cluster | 9 (two VMs on a server) | 17 | Number of LAN/POL-side devices + Number of WAN-side devices x 5 ≤ 200,000 & Number of WAN-side devices ≤ 20,000 | 700,000 |

iMaster NCE-Campus Service Node Deployment (Updated in R23C10)

| Solution | Deployment Mode | Management Scale (Cloud Managed Device) | Supported Functions | Expansion Supported or Not |
|---|---|---|---|---|
| Single-node | Single-node lite system | 500 | The PON, WAN, and SecoManager features are not available. | Not supported |
| Single-node | Single-node system (LAN) | 5000 | The PON feature is available and the WAN feature is unavailable. | Cold migration to 3-node cluster |
| Single-node | Single-node system (LAN-WAN) | LAN-side devices + 10 x WAN-side devices ≤ 5000 | The PON and WAN features are available. | Not supported |
| Minimum cluster | 3-node cluster (LAN-only, PM deployment is recommended.) | 30,000 (POL devices are included) | The PON feature is available and the WAN feature is unavailable. | The expansion to 3-node cluster in the LAN-WAN scenario is supported. |
| Minimum cluster | 3-node cluster (LAN-WAN, PM deployment is recommended.) | LAN-side devices + 5 x WAN-side devices ≤ 15,000 | The PON and WAN features are available. | Not supported |
| Distributed cluster | 6-node cluster | LAN-side devices + 5 x WAN-side devices ≤ 30,000 | The PON and WAN features are available. | The expansion to 9-node cluster is supported. |
| Distributed cluster | 9-node cluster | LAN-side devices + 5 x WAN-side devices ≤ 60,000 | The PON and WAN features are available. | Cold migration to the maximum scale of 17-node cluster |
| Distributed cluster | 17-node cluster | LAN-side devices + 5 x WAN-side devices ≤ 200,000 & WAN-side devices ≤ 12,000 | The PON and WAN features are available. | Not supported |
| Distributed cluster | Huawei Cloud | 200,000 | The WAN feature is available and the PON feature is unavailable. | Not supported |
| Authentication component | Authentication component deployment | N/A | The authentication feature is supported. | Not supported |
| Large-capacity and multiple clusters | Independent management plane | N/A | N/A | N/A |
| Large-capacity and multiple clusters | Global node | N/A | Unified login for a multi-cluster system is supported. | Not supported |
| Third-party arbitration | Independent arbitration node | N/A | Automatic switchover with a third arbitration site in disaster recovery (DR) solutions. | Not supported |

iMaster NCE-Campus Value-added Features Deployment (Updated in R23C10)

| Type | Feature | Description | Deployment Requirement | License Control |
|---|---|---|---|---|
| Basic value-added features | Advanced network security policy | iMaster NCE-Campus supports centralized management on network-wide security policies and security service orchestration to rapidly provision security services. | Supported in the full deployment scenario. No service node needs to be added. (Mandatory in R23C10 and later versions) | Firewall management licenses |
| Basic value-added features | PON management | iMaster NCE-Campus manages PON devices in access networks through SNMP. It supports automatic service deployment specific to scenarios and can display performance, topology, and alarm information of devices in a unified manner, implementing management and visualization of resources and networks, as well as fault diagnosis visualization. | This feature is supported in all scenarios except the single-server Lite and public cloud scenarios, and service nodes do not need to be added. | POL management licenses |
| Basic value-added features | Automatic virtual network management | Campus VXLAN uses overlay virtualization technology to bear multiple virtual networks on a single underlay network and support flexible service deployment. Based on SDN and cloud technologies, Campus VXLAN implements automatic deployment of virtual networks, and automation of user-oriented and application-oriented policy management. | This feature is supported in all deployment scenarios and service nodes do not need to be added. | Automatic virtual network management licenses |
| Basic value-added features | Terminal identification | iMaster NCE-Campus can automatically identify the information about vendor, operating system, and type of terminals, and then can control terminal access based on the identified information. | This feature is supported in all deployment scenarios and service nodes do not need to be added. | Terminal plug-and-play licenses |
| Basic value-added features | Network configuration verification | Data plane verification (DPV) technology is used to implement network-wide snapshot management, subnet reachability verification, and terminal access verification, building up comprehensive intelligent verification capabilities. | This feature is supported in all deployment scenarios and service nodes do not need to be added. | -- |
| Basic value-added features | Runbook workflow orchestration framework | Runbook is a workflow orchestration oriented to service configuration based on the model-driven concept. Different from traditional workflows, runbooks are orchestrated based on models. Data input and data transfer between steps are implemented through model attribute assignment. In addition, the Easy-Branch simplified deployment capability is provided. Users can orchestrate intents based on Huawei preconfigured actions and workflows to generate workflows that meet service requirements. | In the single-node deployment scenario, if Runbook and Network Configuration Verification Service are selected, 256 GB memory is required. In minimum cluster deployment scenarios, Runbook and Network Configuration Verification Service cannot be selected at the same time. | -- |
| Basic value-added features | IOT application | As an IoT management platform, NCE-IoT provides O&M management and management services for IoT devices, and supports northbound interfaces and page management. | In the single-node deployment scenario, the memory must be greater than or equal to 192 GB if IoT Management is selected. | IoT management function licenses |

iMaster NCE-Campus Value-added Features Deployment (Updated in R23C10)

| Type | Feature | Description | Deployment Requirement | License Control |
|---|---|---|---|---|
| Basic value-added features | Advanced network security policy | iMaster NCE-Campus supports centralized management on network-wide security policies and security service orchestration to rapidly provision security services. | Supported in the full deployment scenario. No service node needs to be added. (Mandatory in R23C10 and later versions) | Firewall management licenses |
| Advanced value-added features | AI-based terminal fingerprint identification | Based on model training and inference technology of AI engines, iMaster NCE-Campus analyzes characteristics of unknown terminals and automatically generates the corresponding identification rules to improve terminal identification. | This feature is supported in minimum clusters. To support this feature, one more PM (with a memory of 128 GB) needs to be added. This feature is supported in distributed clusters. To support this feature, one more PM (with a memory of 128 GB) needs to be added. This feature is not supported in single-node systems. | -- |
| Advanced value-added features | SRv6 | Based on the SRv6 TE Policy tunneling technology, iMaster NCE-Campus provides the end-to-end (E2E) optimal path computation and service optimization for one unified WAN, supports centralized configuration and management for network topologies and tunnel constraints, aiming to maximize network bandwidth utilization and leverage the full potential of network resources. In addition, iMaster NCE-Campus supports traffic forwarding in SRv6 BE mode in the case of tunnel failures. | This feature is not supported in the single-node system LAN-WAN deployment scenario and service nodes do not need to be added. This feature is supported in distributed clusters. To support this feature, one more PM (with a memory of 256 GB) needs to be added. This feature is not supported in minimum clusters and in the single-node system LAN-only deployment scenario. | SRv6 function package licenses |
| Value-added security features | Advanced security features | Remote attestation: provides the full-lifecycle file integrity protection from startup to running to storage for embedded NEs. Security situational awareness (SSA): provides real-time security data analysis and overall security situation prediction capabilities for network devices to help security O&M personnel quickly make decisions and trace sources. Device security configuration check: provides visualized security management capabilities for network devices and supports device security status check, security risk warning, and security hardening guidance. | This feature is supported in distributed clusters. To support this feature, three more PMs (with a memory of 64 GB each) need to be added. This feature is not supported in single-node systems. | -- |

iMaster NCE-Campus Server Installation Networking

[Figure: server cabling. Labels: management port; internal communication/management network; service network; northbound network; southbound network; PC where EasySuite resides. Legend: cable for internal communication, cable for the service network, cable for the northbound network, cable for the southbound network.]

Currently, iMaster NCE-Campus can have at most four planes, including the internal communication plane, service plane, southbound plane, and northbound plane. Their functions are as follows:
• Internal communication plane: used for communication between service nodes in an iMaster NCE-Campus cluster, including FusionInsight and GaussDB nodes.
• Service plane: used to provision southbound and northbound services of iMaster NCE-Campus. For example, administrators can use a load balancer (LB) to distribute service traffic to multiple nodes.
• Northbound plane: used to receive northbound service traffic, for example, using a browser to access the management plane of iMaster NCE-Campus.
• Southbound plane: used to receive southbound service traffic, for example, communicating with network devices through NETCONF.

Based on customer networking requirements, some network planes can be combined. The following networking modes are supported:
• Two-plane networking: includes the internal communication plane and the integrated plane that combines the service, southbound, and northbound planes. The southbound and northbound public IP addresses can be translated on the firewall.
• Three-plane networking: includes the internal communication plane, the service plane, and the integrated southbound and northbound plane.
• Four-plane networking: includes the internal communication plane, service plane, northbound plane, and southbound plane.

Ports can be enabled on firewalls as needed. For details, see the Communication Matrix.

Note: The IP addresses of network interface cards (NICs) need to be assigned in independent VLANs, which cannot be the same as the VLANs used for other, unrelated products.
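
The plane combinations above can be checked mechanically before installation. The following is an added example, not Huawei code or part of the original course: it audits a planned NIC layout against the two-, three-, and four-plane modes and against the VLAN note. The interface names, VLAN IDs, the Nic record, and the rule that each NIC gets its own VLAN are assumptions made for the illustration.

```python
from dataclasses import dataclass

ALL_PLANES = frozenset({"internal", "service", "southbound", "northbound"})

# Plane groupings per networking mode, as listed in the slide text.
MODES = {
    "two-plane": {
        frozenset({"internal"}),
        frozenset({"service", "southbound", "northbound"}),
    },
    "three-plane": {
        frozenset({"internal"}),
        frozenset({"service"}),
        frozenset({"southbound", "northbound"}),
    },
    "four-plane": {
        frozenset({"internal"}),
        frozenset({"service"}),
        frozenset({"southbound"}),
        frozenset({"northbound"}),
    },
}


@dataclass(frozen=True)
class Nic:
    name: str          # hypothetical interface name
    vlan: int          # VLAN that holds this NIC's IP address
    planes: frozenset  # planes carried on this NIC


def audit_nic_plan(mode, nics, foreign_vlans):
    """Return findings for a NIC plan; an empty list means it is consistent."""
    if mode not in MODES:
        return [f"unknown networking mode '{mode}'"]
    findings = []

    # 1. Every plane must be carried by exactly one NIC.
    owner = {}
    for nic in nics:
        for plane in sorted(nic.planes):
            if plane not in ALL_PLANES:
                findings.append(f"{nic.name}: unknown plane '{plane}'")
            elif plane in owner:
                findings.append(
                    f"plane '{plane}' is on both {owner[plane]} and {nic.name}")
            else:
                owner[plane] = nic.name
    for plane in sorted(ALL_PLANES - set(owner)):
        findings.append(f"plane '{plane}' is not carried by any NIC")

    # 2. The planes sharing a NIC must be a grouping the mode allows.
    for nic in nics:
        if frozenset(nic.planes) not in MODES[mode]:
            findings.append(
                f"{nic.name}: {mode} networking does not combine "
                f"{', '.join(sorted(nic.planes))} on one network")

    # 3. VLAN hygiene: valid ID, one VLAN per NIC (assumption of this
    #    example), and no VLAN shared with other products (the slide's note).
    vlan_owner = {}
    for nic in nics:
        if not 1 <= nic.vlan <= 4094:
            findings.append(f"{nic.name}: VLAN {nic.vlan} is outside 1-4094")
        if nic.vlan in vlan_owner:
            findings.append(
                f"{nic.name}: VLAN {nic.vlan} is already used by "
                f"{vlan_owner[nic.vlan]}")
        else:
            vlan_owner[nic.vlan] = nic.name
        if nic.vlan in foreign_vlans:
            findings.append(
                f"{nic.name}: VLAN {nic.vlan} is shared with another product")
    return findings


# Constructed sample plans (interface names and VLAN IDs are made up).
THREE_PLANE_OK = [
    Nic("eth0", 100, frozenset({"internal"})),
    Nic("eth1", 110, frozenset({"service"})),
    Nic("eth2", 120, frozenset({"southbound", "northbound"})),
]
TWO_PLANE_BAD = [
    # Internal cluster traffic must not share a network with northbound access.
    Nic("eth0", 100, frozenset({"internal", "northbound"})),
    Nic("eth1", 200, frozenset({"service", "southbound"})),
]
OTHER_PRODUCT_VLANS = {200, 300}

if __name__ == "__main__":
    for mode, plan in (("three-plane", THREE_PLANE_OK),
                       ("two-plane", TWO_PLANE_BAD)):
        result = audit_nic_plan(mode, plan, OTHER_PRODUCT_VLANS)
        print(mode, "->", result or "consistent")
```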

iMaster NCE-Campus Homepage (Updated in R23C10)

[Figure: homepage screenshot with callouts for the shortcut function entry, service map entry, menu bar, smart assistant, and GIS map.]

Contents

1. iMaster NCE-Campus Introduction and Architecture

2. iMaster NCE-Campus Key Features


Site Management Overview

• iMaster NCE-Campus configures and monitors devices by site. The site management feature provides the functions of adding, deleting, modifying, and querying sites. iMaster NCE-Campus can manage not only sites containing devices of a single type, such as APs, WACs, ARs, switches, or firewalls, but also sites containing devices of various types.

• iMaster NCE-Campus also supports organization- and tag-based site management to display sites in a hierarchical mode. When creating organizations, administrators can specify a parent organization to define a hierarchy (supports nesting in five layers at most).

Site Management Configuration


• Click Design > Site Design > Site Management to view the site list, and create, delete, or modify sites.

• Click Provision > Device > Batch Deployment > Site to view site templates.

CoAP Device Management (New in R23C10)

• Background of the CoAP Device

Low-cost PoE switches are required to simplify management and reduce costs. Therefore, Huawei launches the S3510-S series low-cost managed PoE switches, which can be managed by iMaster NCE-Campus.
These devices have little memory and cannot be managed using NETCONF. Therefore, the lightweight networking protocol CoAP is required for management. The device can be managed only in the MSP cloud scenario.

• S3510-S series switch specifications

| O&M | Level-2 Features | Feature Description |
|---|---|---|
| Basic Management | Deployment | Supports deployment through the registration center and DHCP. |
| Basic Management | Basic Device Information | Name, ESN, manufacturer, device model, discovery protocol, management IP address, stack name, home device, MAC address, device software version, patch version, and license series |
| Basic Management | Information Collection | LLDP and interface information collection and physical topology display are supported. |
| Basic Configuration | General Configuration | Local user, time synchronization, and device name |
| Basic Configuration | Advanced Configuration | Interface configuration and LBDT |
| O&M Monitoring | Performance Data | Terminal information: terminal MAC address, VLAN, and access port |
| O&M Monitoring | Device O&M | Remote upgrade, device restart, file download, and factory setting restoration |
| O&M Monitoring | Device Alarms | Temperature, fan, optical module, and port packet loss |
| O&M Monitoring | Device Reports | Device information, device role, and device status |

CoAP Device Management (New in R23C10)

• Adding devices

The method of adding a CoAP device is the same as that of adding a NETCONF device.

[Figure callout: Select S3510-S devices to be managed in CoAP mode.]

M-LAG (New in R23C10)

• What Is M-LAG
M-LAG (Multichassis Link Aggregation Group) provides a technology for inter-device link aggregation. M-LAG aggregates links of two switches in the same state, improving link reliability from the card level to the device level. In addition, M-LAG devices can be upgraded independently to ensure service traffic stability, making M-LAG widely used in Campus and DC networks.

• Comparison between M-LAG and Stack
Stack and M-LAG are widely used horizontal virtualization technologies. They both implement redundant terminal access and link backup, improving network reliability and scalability. However, compared with stack, M-LAG has higher reliability and independent upgrade advantages.
M-LAG is recommended for scenarios that require short service interruption time and high networking reliability during an upgrade.

| Dimension | Stack | M-LAG (Recommended) |
|---|---|---|
| Reliability | Minor: The control plane is centralized, and faults may spread on member devices. | High: The control plane is independent, and the fault domain is isolated. |
| Configuration Complexity | Simple: Logically, it is a device. | Simple: Two devices are configured independently. |
| Costs | Minor: Stack cables are required. | Minor: Peer-link connections need to be deployed. |
| Performances | Minor: The control plane of the master switch needs to control the forwarding planes of all stack members, increasing the CPU load. | High: Member switches forward packets independently, and the CPU load remains unchanged. |
| Upgrade Complexity | High: The stack fast upgrade can reduce the service interruption time, but the upgrade operation takes a long time and has high risks. | Low: The two devices can be upgraded independently. The upgrade operation is simple and the risk is low. |
| Upgrade Interruption Duration | Relatively Long: The service interruption time is about 20 seconds to 1 minute in a typical configuration networking, which is closely related to the service volume. | Short: Traffic is interrupted in seconds. |
| Network Design | Relatively Simple: Stacked devices are logically considered as one device, and the network structure is simple. | Relatively Complex: M-LAG consists of two logical devices, and the network structure is complex. |
| Function Constraints | Supported by V200 and V600 devices; Supported by VLAN and VXLAN networks automation; Supports application identification, application assurance, and access authentication. | Only V600 devices are supported; Only VLAN network automation is supported; Application identification, application assurance, and access authentication are not supported. |
| Applicable Scenarios | There is no requirement on the service interruption time during the software version upgrade; Easy network maintenance. | High requirements on service interruption time during software version upgrade; High requirements on network reliability; A certain degree of maintenance complexity is acceptable. |

M-LAG (New in R23C10)

• Creating an M-LAG Group
  - Configure the M-LAG group name and select and add member devices.

[Figure callouts: Select a site and enter the M-LAG group name. Select and add member devices to the M-LAG.]

M-LAG (New in R23C10)

• Configuring the M-LAG Mode, Priority, DAD Link, Peer-Link, and M-LAG Member List

[Figure callout: Set the initial configuration of the M-LAG group, including the mode, priority, dual-active detection link, peer-link, and M-LAG member interface list.]

M-LAG (New in R23C10)

• Hitless upgrade of an M-LAG in active-active mode

[Figure callouts: Select the M-LAG group to be upgraded and create an upgrade policy. During the upgrade, traffic switching, upgrade, and traffic restoration are performed on member devices A and B in sequence to achieve hitless service upgrade.]

Topology Management

[Figure: NCE-Campus physical topology view with callouts: topology layout toolkit; toolbar in topological view (move, update, save positions, lock, display settings, export (picture/Visio), full screen display); display topology and devices for each site; toolbar in topological view (display alarm, auto fit zoom, zoom in/out).]

| NCE-Campus Feature | SNMP | NETCONF |
|---|---|---|
| Topology | Unified | Unified |
| Device management | Unified | Unified |
| Link management | Unified | Unified |
| Device management | Unified | Unified |
| Third-party device management | Supported | Not supported |

The toolbar classifies function options, which is easy to use. The shortcut menu can be customized to shield redundant information.

• Click Design > Network Design > Physical Topology to view site topologies.

Distributed Switch (RU)

Background:
The following problems exist in office, education, and hotel scenarios:
  - Cabling is complicated.
  - Compared with the POL solution, the current campus network solution requires higher network equipment room construction costs.
  - Access devices are connected to users through network cables, which do not meet the requirements of the fiber-to-edge trend.

Scenarios:
  - Desktop: A central device can connect to multiple remote units (RUs) that are located in different offices, open-plan desks, and classrooms.
  - Device replacement in equipment or extra low voltage (ELV) rooms without site relocations: A central device can connect to multiple RUs to allow access of cameras, APs, and wired terminals.

Benefits:
  - Maximize the use of chip forwarding capability.
  - Dramatically reduce the network construction cost for customers. In addition, the cost for desktop scenarios is predicted to be reduced by more than 50%.
  - Innovate the network architecture, decrease the number of NEs, and reduce the management cost.

[Figure: as-is and to-be cabling for Building A and Building B/C. As-is: campus core equipment room (CSS), 10 km optical cables, aggregation switch in a building, 300 m optical fibers, ELV room on a floor, 65 m network cables, desk, 5 m network cables. To-be: campus core equipment room (CSS), 10 km optical cables, central device in an ELV room on a floor/building, 60 m optical fibers, RU, 5 m network cables.]

Distributed Switch (RU)

• Management capability: iMaster NCE-Campus allows users to query information about RUs connected to a central switch, including the ESNs, models, online status, interfaces that directly connect to the central switch, port list information, and optical module data of the RUs.

• Control capability: iMaster NCE-Campus allows users to configure port isolation and shutdown for a particular interface on a central switch. The configuration takes effect for all RUs connected to the interface.

Distributed Switch (RU)

• Monitoring capability: iMaster NCE-Campus allows users to check the memory usage, disk space usage, and temperature of an RU, as well as the running status, rate, traffic statistics, packet statistics, and bandwidth utilization of an RU interface.

[Figure callout: Devices can be configured to report RU logs (corresponding to the Distributed switch option) on the O&M > Monitoring > Monitoring Settings > Data Collection Configuration page of the controller.]

• O&M capabilities: iMaster NCE-Campus allows users to restart RUs. In addition, iMaster NCE-Campus can receive alarms from RUs if they fail to be upgraded.

AR6700V-L: Edge Devices at Cloud Sites

The AR6700V-L can be automatically deployed on the Huawei Cloud or AWS and connect to SD-WAN networks as a public cloud site.

AR6700V-L: Edge Devices at Cloud Sites

1. The AR6700V-L can function as a cloud site to communicate with services on the Huawei Cloud and AWS in host VPC mode.

2. The AR6700V-L can function as a cloud site to communicate with services on the AWS in transit VPC mode.

AR6700V-L: Multi-Tenant IWG

Capabilities new for MSPs:

1. The AR6700V-L can function as an IWG site to communicate with legacy PEs in Option B mode.

2. The AR6700V-L can function as an IWG site to communicate with legacy PEs in Option A VLAN mode.

3. The AR6700V-L can function as an IWG site to communicate with legacy PEs in Option A VXLAN mode.

AR6700V-L: Single-Tenant IWG and Hub Networking

Capabilities new for tenants:

1. The AR6700V-L can function as a single-tenant IWG site to communicate with legacy PEs in Option B mode.

2. The AR6700V-L can be configured as an edge device or both an edge device and RR at an SD-WAN site. It can connect to other SD-WAN sites in hub-spoke or full-mesh mode.


AR6700V-L: Single-Tenant IWG


The AR6700V-L can function as a POP and connect branch sites to the network in VXLAN mode.

Users can configure VXLAN tunnels for the AR6700V-L using the GND function on the controller.


AR6700V: POP on SD-WAN

An MSP can configure an AR6700V as an IWG:

1. The AR6700V can function as an IWG site to communicate with legacy PEs in Option B mode.

2. The AR6700V can function as an IWG site to communicate with legacy PEs in Option A VXLAN mode.


V600 ARs as IWGs

MSPs can configure ARs running V600 as IWG sites.
1. ARs running V600 can function as IWG sites to communicate with legacy PEs in Option B mode.
2. ARs running V600 can function as IWG sites to communicate with legacy PEs in Option A VLAN mode.


Configuring a WLAN Radio (Added in R24C10)

For WLAN-capable device models, you can configure radios, country code, and 2.4G/5G radio parameters based on site configurations.


Newly added to V600 Models: Overlay BGP4+ Configuration (Enhanced in R24C10)
Overlay BGP4+ configuration is newly added for V600 models.
Application scenario: Overlay IPv6 networking can support more routing protocols,
which better meets customers' networking requirements.


Newly added to V600 Models: VRRP Route Configuration on LAN Interfaces (Added in R24C10)

VRRP routes can be configured on LAN interfaces for V600 models.

Application scenario:
At a dual-gateway site, if the Internet access WAN link and dual-gateway interconnection link of the VRRP master device are both faulty, association with BFD and uplink interfaces cannot ensure that services can be switched to the VRRP backup device.
In this case, you can configure association with the route destined for the peer loopback interface to determine whether the network is faulty and implement a switchover between the active and standby gateways.


YunShan Device Management (Scenario Introduction)
• Background: To ensure the service continuity of V5 devices and construct an open ecosystem of the next-generation embedded service-oriented architecture, the following brand-new LAN switches (LSWs) and ARs are launched based on the next-generation YunShan platform: S8700/S6730/S5750/S5735/S5755/S5331/S5335/AR8140/AR6710/AR5710. With these devices, iMaster NCE-Campus can build the next-generation CloudCampus YunShan ecosystem.

[Figure: three networking options, each connected to the Internet/WAN; devices are listed from the WAN side down to the APs.]
• Recommended: V5 device standard networking: AR6000/AR600; S12700E; WAC 9700-M/6508/6805; S7700/S6730-H; S5731/S5732; AP 8760/6760/5760
• Evaluation-required: YunShan + V5 device hybrid networking (large-sized): AR8140/AR6000; S12700E; WAC 9700-M/6508/6805; S8700/S6730-H; S5750-L/S5750-S; AP 8760/6760/5760
• Pilot: YunShan device independent networking (small- and medium-sized): AR8140/AR6710; S8700; S5750-L/S5750-S; AP 8760/6760/5760

YunShan Device Management (Differences Between V5 and YunShan Devices)

[Figure: layered comparison of V5 and YunShan devices. Service layer: Management, Configuration, Alarm, O&M, Monitoring. Service adaptation layer: AOC 1.0, AOC 3.0. Channel protocol layer: NETCONF, SSH, HTTP/2, Telemetry.]

• Management: V5 and YunShan devices are both managed through NETCONF channels.

• Configuration: Configurations of both V5 and YunShan devices are delivered through NETCONF channels; however, the YANG models are different. YunShan devices use the YANG 2.0 model and complete configurations based on the SND/GND model of AOC 3.0 built on the application platform as a service (aPaaS).

• Alarm: Alarm services of both V5 and YunShan devices are implemented through NETCONF channels. However, the YANG models are different. YunShan devices use the YANG 2.0 model.

• O&M: O&M operations on both V5 and YunShan devices are implemented through SSH channels.

• Monitoring: V5 devices are monitored through HTTP/2 channels, while YunShan devices are monitored through telemetry channels (gRPC).

YunShan Device Management (Differences Between V5 and YunShan Devices)

| Device type | Key Feature Not Supported (Compared with V5) | Impact Description | Workaround |
|---|---|---|---|
| YunShan LSW | Management VLAN auto-negotiation | Wired/wireless management VLAN auto-negotiation to implement device plug-and-play is not supported. In addition, Eth-Trunk auto-negotiation is also not supported. | Deploy switches manually or using the zero touch provisioning (ZTP) function through the management VLAN (that is, VLAN 1). In addition, deploy APs connected to the switch by using the sensor ap function. |
| YunShan LSW | Registration center-based deployment | Device plug-and-play through the registration center is not supported. | Use the DHCP option-based deployment solution. |
| YunShan LSW | ESN-free deployment | ESN-free deployment is not supported. | Scan barcodes to record device ESNs or manually import device ESNs. |
| YunShan LSW | Portal authentication | Portal authentication based on HTTP/2 or HACA is not supported. | Use V5 devices as authentication devices instead. |
| YunShan LSW | Wireless authentication | Wireless authentication is not supported. | Use off-path WACs for wireless authentication. |
| YunShan LSW | Terminal identification | Terminal identification is not supported. | Use V5 devices as access devices instead. |
| YunShan LSW | Application identification | Application identification and application statistics collection are not supported. | N/A |
| YunShan LSW | Application experience analysis | eMDI application experience analysis is not supported. | N/A |
| YunShan LSW | HQoS | VIP user policies cannot be configured. | N/A |
| YunShan LSW | Certificate management | Offline and online certificate management functions are not supported. | Log in to devices for configuration. |
| YunShan LSW | SWEB | Redirection to the switch web system for service configuration is not supported. | Log in to the device command line interface (CLI) through SSH to configure services. |
| YunShan AR | Wi-Fi | Wireless access services are not supported. | N/A |
| YunShan AR | Inter-site interconnection | YunShan ARs cannot function as the devices for communication between the HQ site and branch sites. | N/A |
| YunShan AR | Traffic statistics | Traffic statistics collection based on NetStream is not supported. | N/A |
| YunShan AR | SWEB | Redirection to the AR web system for service configuration is not supported. | Log in to the device CLI through SSH to configure services. |

YunShan Device Management (Configuration Consistency Verification)

[Figure: configuration paths on a V5 device (AR/LSW/AP) and on a YunShan device (AR/LSW). On both, the iMaster NCE-Campus user works through NETCONF (get-config, edit-config, copy-config) and the local user works through the CLI, the web system, or the web-based management platform/eSight; a configuration change notification is also shown. V5 device (NaaS, VRP5): NETCONF running database, SNMP/CLI current-cfg database, and Startup cfg database reached through copy-config and save. YunShan device (NBI, CMF, CDBR): centralized data storage and configuration DB, with a startup database.]

| Category | V5 Device | YunShan Device |
|---|---|---|
| Configuration data storage | There are two types of databases for configuration data storage: NETCONF-based database (which stores only configurations delivered through NETCONF) and CLI/SNMP-based database (which stores full configurations). | Configurations are stored in a single database. Configurations delivered through NETCONF and SNMP and performed in the CLI are stored in the same database. However, currently, the NETCONF-based configuration capability provided by devices is inferior to the CLI-based configuration capability, in the following aspects: 1. A feature cannot be configured through NETCONF, and can be configured only through the CLI. 2. A feature supports NETCONF-based configuration for all involved parameters. 3. A feature supports CLI-based configuration for all involved parameters but NETCONF-based configuration for selective parameters. |
| Configuration storage mechanism | 1. Delivering the save command through NETCONF saves the configuration in the running configuration database to the startup configuration database every two hours. 2. Running the save command in the device CLI saves the configuration in the current-cfg database to the Startup cfg database. | Same as V5 devices. |
| NETCONF | Full configuration delivery in copy-config mode is supported. Configurations delivered through NETCONF do not overwrite those performed in the CLI. | 1. Full configuration delivery in copy-config mode is not supported. Configurations delivered through NETCONF overwrite those performed in the CLI. 2. Configuration changes can be triggered through CLI/SNMP and change notification messages can be sent to the controller. |

V600 Device Management: Configuration Consistency Verification (1/2) (Updated in R24C10)

◆ Application scenarios and benefits
In the cloud management scenario, iMaster NCE-Campus supports device configuration inconsistency discovery. When detecting inconsistencies, iMaster NCE-Campus can block delivery of the corresponding configurations. However, there are problems as follows (each problem is followed by the benefit of this feature):
1.1 The device automatically generates default or collaboration configurations, which may cause unnecessary configuration inconsistencies.
Benefit: iMaster NCE-Campus manages only the configurations delivered by itself. The collaboration configurations generated by devices are not considered as configuration inconsistencies and do not affect subsequent service delivery by iMaster NCE-Campus.
1.2 When a CLI command irrelevant to configurations on iMaster NCE-Campus is run on a device, unnecessary configuration inconsistencies (ignored by iMaster NCE-Campus) may be generated.
Benefit: iMaster NCE-Campus manages only the configurations delivered by itself. The other configurations performed using the device CLI are not considered as configuration inconsistencies and do not affect subsequent service delivery by iMaster NCE-Campus.
1.3 When iMaster NCE-Campus delivers configurations in replace mode to overwrite the data, the node data configured using the CLI is overwritten or deleted by mistake.
Benefit: Configurations in the same YANG node are delivered by iMaster NCE-Campus in merge mode. Therefore, the configurations in other YANG nodes that are not delivered by iMaster NCE-Campus are not overwritten or modified, preventing configuration overwriting and deletion by mistake.

• The state database is introduced to minimize configurations to be delivered. The delivery interface delivers configurations in merge mode.
• If the configurations on the controller do not conflict with device configurations performed through other methods, they both take effect. If the configurations on the controller conflict with device configurations performed through other methods, the latest configurations on the controller take effect.
• The need to deliver replace packets is eliminated, so that service security issues caused by mis-deletion of CLI-based configurations can be resolved.

[Figure: two panels, each titled "The GUI-based configurations change." In each panel, iMaster NCE-Campus compares its configuration database with its state database (diff), delivers the change to the device configuration database of the V600 device in merge mode (Modify b in the first panel, Add c in the second), receives a reply message indicating the success, and writes the result back to the state database. Caption of the first panel: If the configurations on the controller do not conflict with device configurations performed through other methods, they both take effect. Caption of the second panel: If the configurations on the controller conflict with device configurations performed through other methods, the configurations on the controller take effect.]

◆ Notes and Constraints
1. This optimization solution is applicable only to V600 devices and does not support real-time conflict detection. Manual inconsistency discovery can be performed on the GUI. For conflicting configurations, the configurations on iMaster NCE-Campus prevail by default upon configuration delivery.
2. Configuration inconsistency discovery does not display configuration inconsistencies such as passwords and keys and ignores these inconsistencies.
3. If a configuration fails to be deleted using the replace operation or has not been handled, this configuration will not be deleted after the controller is upgraded and full delivery or re-delivery upon failures is performed. You are advised to handle all configuration failures and exceptions before the upgrade.
4. If the controller deletes a configuration on the device and the deletion is not saved on the device in a timely manner, the deleted configuration is restored on the device after the controller is upgraded and the device restarts. In this case, the controller does not automatically delete this configuration after the device goes online again.
5. In a scenario where a configuration on a device is both delivered by the controller and performed through another method, the latest configuration on the device takes effect.
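
The difference between replace-mode and merge-mode delivery, and the role of the state database described on this slide, can be followed in a small model. This is an added sketch in Python, not Huawei code and not a description of how iMaster NCE-Campus is implemented; the flat path-to-value model, the function names, the VLAN values, and the rule that leaves named `password` or `key` are hidden from discovery are assumptions for illustration.

```python
"""Added illustration: replace vs. merge delivery with a controller-side state database."""

SECRET_LEAVES = {"password", "key"}  # assumed leaf names that discovery never reports


def flatten(tree, prefix=()):
    """Turn a nested configuration tree into {path tuple: leaf value}."""
    flat = {}
    for name, value in tree.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + (name,)))
        else:
            flat[prefix + (name,)] = value
    return flat


def deliver_replace(device, node, config_db):
    """Replace mode: everything under `node` becomes the controller's view.
    Returns the leaves configured by other means that were wiped."""
    under = [p for p in device if p[:len(node)] == node]
    lost = {p: device[p] for p in under if p not in config_db}
    for path in under:
        del device[path]
    device.update({p: v for p, v in config_db.items() if p[:len(node)] == node})
    return lost


def deliver_merge(device, config_db, state_db):
    """Merge mode: diff the intended config against the state database and
    deliver only that delta; leaves the controller never owned are untouched."""
    changed = {p: v for p, v in config_db.items() if state_db.get(p) != v}
    removed = [p for p in state_db if p not in config_db]
    device.update(changed)              # on conflict the controller's value wins
    for path in removed:                # delete only what the controller delivered
        device.pop(path, None)
    state_db.clear()
    state_db.update(config_db)          # write-back after the device confirms
    return changed, removed


def discover_inconsistencies(device, state_db):
    """Compare only controller-delivered leaves; skip secrets and device-only leaves."""
    drift = {}
    for path, expected in state_db.items():
        if path[-1] in SECRET_LEAVES:
            continue
        if device.get(path) != expected:
            drift[path] = (expected, device.get(path))
    return drift


def demo():
    # Constructed sample data.
    config_db = flatten({
        "vlans": {"10": {"name": "office"}, "20": {"name": "guest"}},
        "aaa": {"radius": {"key": "constructed-secret-A"}},
    })
    state_db = dict(config_db)
    device = dict(config_db)
    device[("vlans", "99", "name")] = "cli-mgmt"   # added locally through the CLI
    device[("vlans", "30", "name")] = "cli-lab"    # added locally through the CLI

    config_db[("vlans", "20", "name")] = "visitors"  # GUI modifies an existing item
    config_db[("vlans", "30", "name")] = "lab"       # GUI adds an item that conflicts

    replaced = dict(device)
    lost = deliver_replace(replaced, ("vlans",), config_db)

    merged = dict(device)
    delta, removed = deliver_merge(merged, config_db, state_db)

    merged[("vlans", "10", "name")] = "lab-cli"                    # later CLI change
    merged[("aaa", "radius", "key")] = "constructed-secret-B"      # later key change
    return {
        "lost_by_replace": lost,
        "merge_delta": delta,
        "merge_removed": removed,
        "device_after_merge": merged,
        "drift": discover_inconsistencies(merged, state_db),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this model the locally configured VLAN 99 survives merge delivery but not replace delivery, and a later change to a controller-owned key is not reported by discovery, which is the review gap that note 2 implies for secrets.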
V600 Device Management: Configuration Consistency Verification (2/2) (Updated in R24C10)


• Click Discover Inconsistencies to check the
configuration inconsistencies between the
controller and devices. In addition,
configurations can be reconciled on a per-
device or per-feature basis.
• Configuration consistency check can be
triggered manually or periodically
(daily/weekly/monthly) for all configurations.
If any inconsistency is found, you can use the
reconciliation function to eliminate the
configuration inconsistency.


YunShan Device Management (Configuration Consistency Verification) (Updated in R24C10)
➢ Configure the reconciliation mechanism

| Scenario | Controller Data | Device Data | Configuration Source | Controller-to-Device Reconciliation |
|---|---|---|---|---|
| A configuration exists on the controller but not on the device. | VLAN 200 | N/A | E2E/ECS; None | The controller delivers the configuration in incremental mode to the device. |
| A configuration exists on the device but not on the controller. | N/A | VLAN 200 | N/A | If the function of deleting inconsistent configurations during reconciliation is enabled, the configuration on the device is deleted. If the preceding function is disabled, the configurations on the controller and device remain unchanged. |
| A configuration exists on both the controller and the device, but the configuration data is different. | VLAN 10 name xxx | VLAN 10 name yyy | E2E/ECS | The configuration on the controller overwrites that on the device. |
| A configuration exists on both the controller and the device, but the configuration data is different. | VLAN 10 name xxx | VLAN 10 name yyy | None | If the function of deleting inconsistent configurations during reconciliation is enabled, the configuration on the controller overwrites that on the device. If the preceding function is disabled, the configurations on the controller and device remain unchanged. |


Non-V600 Device Management: Functions for Protecting Core Configurations (Updated in R24C10)
Application scenario:
These functions enable the controller to detect multi-source configurations in real time and block configuration delivery by iMaster NCE-Campus. Without these functions, configuration rollbacks caused by configuration conflicts may occur, leading to device disconnection or service function unavailability.
Functions:
1. Inconsistency discovery: The controller detects multi-source configuration inconsistencies reported by devices in real time and allows users to view inconsistency details.
2. Configuration delivery blocking: After detecting inconsistencies, the controller blocks the delivery of configurations related to the corresponding features to prevent mistaken rollbacks caused by configuration conflicts.
3. Inconsistency restoration: The controller can restore the configurations that exist on devices but not on the controller.
Supported features:
Global VLAN, interface VLAN, interface IP address, interface management status, Eth-Trunk, DHCP, and OSPF

[Figures: Inconsistency discovery; Inconsistency details and restoration; Configuration delivery blocking]

User Admission Overview

• User admission is a key feature provided by iMaster NCE-Campus to control user access. iMaster NCE-Campus not only supports 802.1X authentication, Portal authentication, and MAC address authentication on its own, but also supports interconnection with a third-party authentication server (a Portal or an AAA server) in all the previous authentication modes.

• iMaster NCE-Campus can function as a relay agent and interconnect with a third-party Portal or RADIUS server in API or RADIUS relay mode to implement authentication.


User Admission Scenario

Diversified authentication modes

[Figure: cloud platform with an authentication system, a Portal system, and a configuration management system, connected to the customer's network through HTTP/2 and NETCONF.]

• Supports various authentication modes: 802.1X authentication, Portal authentication (anonymous authentication, username and password authentication, private pre-shared key (PPSK) authentication, and SMS authentication), MAC address authentication, and social media authentication.
• Supports protocols suitable for data transmission: Authentication data is transmitted through HTTP/2 (HACA) or RADIUS, while configuration data is transmitted through NETCONF.
• Open authentication solutions: Interconnection with a third-party Portal server is supported.

Social media authentication: meeting customers' business requirements

Various social media platforms are supported: Tencent QQ, WeChat, Sina, Facebook and Twitter

Social media authentication process:
1. Connect a mobile phone to a Wi-Fi network.
2. Open a browser, and then click Log In.
3. Interconnect with diversified social media platforms to implement social media authentication. The following social media platforms are supported:
a) WeChat: can be used for WeChat URL-based and QR code-based authentication
b) Tencent QQ
c) Sina Weibo
d) Facebook and Twitter

Various User Authentication Sources for Unified User Management (Sources in different scenarios)

| User Identity Source | Description | Used by |
|---|---|---|
| Local accounts | Username/Password, MAC account, and self-registered guest account | Enterprise employees, guests, and O&M personnel |
| Social media | WeChat, Tencent QQ, Sina Weibo, Facebook, and Twitter | Guests |
| AD/LDAP server | Microsoft AD, Novell eDirectory, IBM Tivoli, Sun One, JIT Galaxy, Open LDAP | Enterprise employees and guests |
| Third-party HTTP server | Requiring an HTTP server authentication URL | Enterprise employees and guests |
| Third-party RADIUS server | iMaster NCE-Campus as a RADIUS relay agent | Enterprise employees |
| Token server | RSA SecurID and DaVinci password-based dynamic identity authentication system | Enterprise employees |
| Certificate authentication | Interconnection with a certificate server (X.509 certificates are supported) | Enterprise employees |


Full-lifecycle Guest Management in Diverse Scenarios (Sources in different scenarios)

• Register: employee application; guest self-registration
• Approve: approval exemption; approval by administrators; approval by receptionists
• Distribute: SMS; email; web
• Authenticate: anonymous authentication; username and password authentication; SMS authentication; social media authentication
• Audit and deregister: user login and logout audit; automatic account deregistration after expiration; scheduled account deregistration

• Enterprises and government agencies: Strict control for guest account approval and access permission
• Public places: Approval-free accounts, simple and flexible user admission, easy-to-use account assignment, automatic logout

[Figure: example venues: School, Government, Enterprise, Scientific research institute, Supermarket, Cafe, Shopping mall, Restaurant, Stadium, Hotel, Customer service center, Exhibition hall]

User Admission - Portal Authentication Configuration Process (1/6)

Process: Customize a Portal page → Set social media interconnection parameters → Configure security authentication → Configure a page push policy → Configure an authentication policy → Configure an account for an end user

You can select a language template (such as an English template) for Portal pages and a Portal authentication template type (such as SMS authentication).

• You can choose Admission > Admission Resources > Page Management from the main menu, click Page Customization to customize Portal pages, and click Portal Page Push Policy to create a Portal page push policy. If page customization is not required, you can skip this step.

• You can also modify Portal pages. The system allows up to 1000 tenants in total to customize Portal pages, of which each can customize at most 20 sets of Portal pages (including six default sets).

User Admission - Portal Authentication Configuration Process (2/6)

Process: Customize a Portal page → Set social media interconnection parameters → Configure security authentication → Configure a page push policy → Configure an authentication policy → Configure an account for an end user

• You can choose Admission > Admission Resources > External Data Source > Social Media Parameters from the main menu. On the Social Media Parameters page, you can decide whether to configure interconnection with a social media platform. If this is not required, you can skip this step.


User Admission - Portal Authentication Configuration Process (3/6)

Process: Customize a Portal page → Set social media interconnection parameters → Configure security authentication → Configure a page push policy → Configure an authentication policy → Configure an account for an end user

• When site templates are used: Take wireless authentication configuration as an example. You can choose Provision > Device > Batch Deployment > Site from the main menu, select a site template, and access the SSID configuration page of APs and other required devices. Then configure the basic settings, security authentication, and policy control of SSIDs.

• When site templates are used: Take wireless authentication configuration as an example. You can choose Provision > Device > Site Configuration from the main menu, select a site, and access the SSID configuration page of APs and other required devices. Then configure the basic settings, security authentication, and policy control of SSIDs.

User Admission - Portal Authentication Configuration Process (4/6)

Process: Customize a Portal page → Set social media interconnection parameters → Configure security authentication → Configure a page push policy → Configure an authentication policy → Configure an account for an end user

• You can choose Admission > Admission Resources > Page Management > Portal Page Push Policy from the main menu, and then click the Portal Page Push Policy tab to customize a Portal page push policy. If you use the default policy, skip this step.


User Admission - Portal Authentication Configuration Process (5/6)

Process: Customize a Portal page → Set social media interconnection parameters → Configure security authentication → Configure a page push policy → Configure an authentication policy → Configure an account for an end user

• You can choose Admission > Admission Policy > Authentication and Authorization from the main menu, and then click Authentication Rule, Authorization Result, and Authorization Rule, respectively, to customize an authentication policy.


User Admission - Portal Authentication Configuration Process (6/6)

Process: Customize a Portal page → Set social media interconnection parameters → Configure security authentication → Configure a page push policy → Configure an authentication policy → Configure an account for an end user

• You can choose Admission > Admission Resources > User Management from the main menu and click User Management or Guest Management. On the User Management page, you can create accounts for end users. If social media accounts are used for authentication, you can skip this step.


5G Authentication Scenario

[Figure: terminals (smart electricity meter, robot, gas sensor, CNC, temperature sensor) connect through a 5G CPE or 5G Dongle to the 5GC (SMF), the IoT Center (optional), and the data center with enterprise intranet resources; steps 1 to 5 are marked.]

Application scenario
5G networks have been rapidly developed and used in a wide range of scenarios. They feature high-speed mobility and wide coverage, making them an ideal complement to campus networks. Currently, 5G terminals (any devices with 5G modules) can access campus networks only through a wired network or Wi-Fi. Using 5G networks to allow for 5G terminal access will extend the physical boundary of terminal access and reduce enterprise network construction and maintenance costs.

Functions of each component
5GC: manages the 5G core network, which involves many components. One of them is the access-related SMF.
SMF: refers to Session Management Function that provides the session management, policy control, and QoS functions.
IoT center: maintains information about 5G terminals and synchronizes the information to iMaster NCE-Campus.
5G CPE and 5G Dongle: are the main 5G terminals for access currently.
iMaster NCE-Campus: performs authentication and authorization on terminals.
Firewall or switch: manages network access rights of terminals.
5G Authentication Scenario

[Figure: 5GC (AUSF, UDM, AMF, SMF), IoT center, enterprise administrator, IPsec encryption, NCE-Campus, enterprise servers, UPF, MEC (VAS, MEP, third-party app, MEC PaaS, MEC IaaS, MEC hardware), MSCG, IoT terminal, and 5G macro base station/indoor distributed base station in the enterprise campus; steps 1 to 5 are marked.]

➢ Access procedure
1. The enterprise administrator purchases SIM cards and terminals in a unified manner, and imports the IMSIs and IMEIs to the IoT center.
2. The IoT center synchronizes information including IMSIs and IMEIs to iMaster NCE-Campus.
3. Terminals (with SIM cards) access the 5G network based on 5G-AKA authentication, and initiate Protocol Data Unit (PDU) session establishment.
4. The SMF triggers RADIUS Password Authentication Protocol (PAP)/Challenge-Handshake Authentication Protocol (CHAP) authentication, and sends terminal information such as IMSIs and IMEIs to iMaster NCE-Campus for authentication. Communication between the SMF and the enterprise's AAA server involves sensitive information. Therefore, the data flow between them is transmitted through a leased line and encrypted by IPsec.
5. When the authentication succeeds, the terminals have access to enterprise intranet resources.

➢ Constraint
✓ The authentication requires terminal IMSIs or IMEIs, which are personal information. Currently, only IoT terminals are supported.
✓ The RADIUS CHAP/PAP scheme is used between the SMF and controller, which is insecure. Therefore, a secure channel is required to ensure data security.

➢ Dependency
✓ The carrier provides APNs on the 5GC for enterprises.
✓ The carrier's SMF must support RADIUS with extended 3rd Generation Partnership Project (3GPP) attributes.
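
Why step 4 and the constraint above call for an IPsec-protected path can be seen from the wire format itself. The following is an added example in Python, not Huawei or carrier code: it builds a RADIUS Access-Request with PAP the way an SMF could, then reads it back without the shared secret. Attribute numbers follow RFC 2865 and 3GPP TS 29.061; the secret, user name, password, IMSI and IMEISV are constructed values, and the function names are hypothetical.

```python
"""Added illustration: what a RADIUS PAP Access-Request exposes without a secure channel."""
import hashlib
import struct

USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26   # RFC 2865 attribute types
VENDOR_3GPP, IMSI, IMEISV = 10415, 1, 20               # 3GPP TS 29.061 sub-attributes


def _xor_chain(data, secret, authenticator, chain_on_output):
    """MD5-keyed XOR over 16-byte blocks, chained on the hidden block (RFC 2865, 5.2)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, authenticator):
    """PAP User-Password hiding: the only protection is MD5 plus the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded or b"\x00" * 16, secret, authenticator, True)


def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does with the shared secret."""
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")


def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value


def vsa_3gpp(sub_type, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + attr(sub_type, value))


def build_access_request(identifier, secret, authenticator, user, password, imsi, imeisv):
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + vsa_3gpp(IMSI, imsi.encode())
             + vsa_3gpp(IMEISV, imeisv.encode()))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def observe(packet):
    """Fields readable by any party on the path that does not hold the shared secret."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    seen, pos = {"authenticator": packet[4:20]}, 20
    while pos + 2 <= length:
        kind, size = packet[pos], packet[pos + 1]
        if size < 2 or pos + size > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + size]
        if kind == USER_NAME:
            seen["user_name"] = value.decode()
        elif kind == USER_PASSWORD:
            seen["hidden_password"] = value
        elif kind == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub, sub_len = struct.unpack("!IBB", value[:6])
            name = {IMSI: "imsi", IMEISV: "imeisv"}.get(sub)
            if vendor == VENDOR_3GPP and name:
                seen[name] = value[6:4 + sub_len].decode()
        pos += size
    return seen


def demo():
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))   # fixed for the demo; real requests use random bytes
    packet = build_access_request(7, secret, authenticator, "meter-01",
                                  "constructed-pw", "001010123456789", "3520990012345601")
    seen = observe(packet)
    recovered = unhide_password(seen["hidden_password"], secret, seen["authenticator"])
    return {"packet": packet, "seen": seen, "recovered": recovered}


if __name__ == "__main__":
    print(demo()["seen"])
```

The IMSI and IMEISV travel as plain attribute values, and the password is covered only by an MD5-based mask keyed with the shared secret, so confidentiality of this exchange depends on the IPsec tunnel rather than on RADIUS.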

Application Scenarios of IoT Sensing Networks

[Figure: "As is" and "To be" architectures. As is: application layer (air conditioning and ventilation system, water supply and drainage system, lighting system), platform layer, network layer (LAN), IoT device layer (DDC, sensor, RS485 bus, IP access). To be: application layer (IoT applications), platform layer (IoT digital platform, PKI certificate system), network layer (LAN, IoT gateway, policy enforcement, network controller, logic orchestration engine), IoT device layer (DDC, sensor, RS485 bus, IP access).]

As is
• Closed vertical systems: It is incompatible with other vendors, has high costs, and is unable to expand applications.
• RS485 bus: The network has many RS485 connections, the RS485 bandwidth is insufficient, and the network lacks the intelligent O&M capability.

To be
• Unified IoT digital platform: It defines thing models of different systems and provides open interfaces for third-party applications to build an ecosystem.
• IP-based desktop delivery controller (DDC): It reduces investment in physical connections and enhances visualized O&M capabilities.

Terminal Access on IoT Sensing Networks

1. The function of delivering IoT tags to APs is enabled on the controller. In the wireless access scenario, the APs provide SSIDs
with IoT tags. iConnect terminals proactively search for SSIDs with IoT tags and automatically connect to such an SSID once
discovering one.
2. Certificate authentication can be used for security access. Terminals need to pass MAC address authentication on the
controller, apply to the controller for certificates (which can be issued by the built-in CA server or a third-party CA server),
and then initiate certificate authentication.
3. PPSK authentication can be used as well. Terminals need to pass MAC address authentication on the controller, apply to the
controller for PPSKs, and then initiate PPSK authentication. In this process, the controller needs to allocate PPSK accounts
and then deliver PPSKs to terminals. PPSK accounts can be allocated to terminals in either of the following ways: The
controller can allocate the PPSK accounts that have been bound to MAC accounts based on the terminal MAC addresses, or
allocate PPSK accounts from the pre-configured PPSK resource pool and then bind these PPSK accounts with the terminal
MAC addresses.


Unified Wi-Fi CPE Management

Unified O&M and management

[Figure: network administrator, iMaster NCE, certificate server, and WAC above a production line with AGV and AOI stations; steps 1 to 3 are marked.]

➢ Application scenario
Unified management of Wi-Fi CPEs is required in scenarios such as industrial manufacturing, Internet healthcare, and smart livestock farming.

Seamless access of Wi-Fi CPEs:
1. Wi-Fi CPEs access the network through the SSID to connect to the controller.
2. Wi-Fi CPEs apply for certificates from the controller.
3. Wi-Fi CPEs have secure access to the network after passing 802.1X authentication by using applied certificates.

• Management: iMaster NCE-Campus supports unaware authentication of Wi-Fi CPEs, but cannot manage them as NEs. >> iMaster NCE-Campus can manage Wi-Fi CPEs in a unified manner.
• Monitoring: iMaster NCE-Campus cannot monitor the working states of Wi-Fi CPEs and detect faults on their downlink interfaces. >> iMaster NCE-Campus can remotely monitor Wi-Fi CPEs.
• O&M: A local FTP server needs to be set up for upgrading Wi-Fi CPE versions. You can run commands on Wi-Fi CPEs to restart and upgrade them. >> iMaster NCE-Campus can remotely upgrade Wi-Fi CPEs in batches and deliver commands to them.

➢ Constraints: This function is applicable only to Wi-Fi CPEs in WAC + Fit AP scenarios and is not applicable to Wi-Fi CPEs connected to cloud APs.


Unified Wi-Fi CPE Management


Manage Wi-Fi CPEs
in a unified manner


• iMaster NCE-Campus supports unified management of Wi-Fi CPEs. It monitors and displays information
about Wi-Fi CPEs, such as MAC addresses, IP addresses, states (online or offline), connected APs, connected
SSIDs, traffic statistics, uplink and downlink rates, packet loss rates, and online duration.

Unified Wi-Fi CPE Management


Upgrading Wi-Fi CPEs in batches
Delivering commands to Wi-Fi CPEs


• iMaster NCE-Campus can upgrade firmware of Wi-Fi CPEs in batches, deliver commands to them, and display
command outputs.


Authentication
component
Authentication Component Networking

Authentication components authenticate terminals as follows:
• When authentication components are installed, the southbound IP address of
iMaster NCE-Campus to which the authentication components connect is specified.
• After installation, the authentication components automatically send registration
requests to iMaster NCE-Campus to establish TCP persistent connections.
• iMaster NCE-Campus manages the authentication components based on their
ESNs. Upon the receipt of registration requests from the authentication
components, iMaster NCE-Campus verifies whether the ESNs of the authentication
components exist. The authentication components and iMaster NCE-Campus verify
the certificates of each other, and are connected after the verification succeeds.
• A tenant administrator configures authentication policies on iMaster NCE-Campus,
such as authentication rules, authorization rules, authorization results, online
duration and traffic policies, and guest accounts. iMaster NCE-Campus
automatically synchronizes these configurations to the authentication components
through the data synchronization channels.
• When delivering authentication configurations to devices, the tenant administrator
can configure the authentication components as Portal or RADIUS servers.
• When connecting to the network, an end user sends an authentication request to
an authentication component. After the authentication component verifies the
user's account, it authorizes the user and allows the user to go online.
• The authentication component reports online user information to iMaster NCE-
Campus. Then, the tenant administrator can view information about all online
users on iMaster NCE-Campus.


Authentication Component Application Scenario

• For an enterprise with multiple branches, an independent authentication component can be deployed
for each branch, improving the rate and reliability of authentication at the branches.

• In the scenario where a large number of terminals initiate authentication requests at the same time
and high reliability is required, authentication components can be deployed in active/standby and load
balancing mode. In this case, if a single authentication component fails, authentication services are not
affected, improving authentication reliability. Authentication components working in active/standby
mode implement disaster recovery (DR) and thus ensure the continuity of authentication services.


Multi-level
RADIUS relay
Multi-level RADIUS Relay

• To set up a hierarchical educational private network with multi-level RADIUS relay authentication, multiple
copies of controllers can be deployed as RADIUS relay servers at different domain levels. As such, teachers can
access the educational private network using the same account by connecting to RADIUS relay servers in different
regions. (Eduroam scenarios)

Figure: RADIUS relay servers by domain level
• radiusRelayDis0: *.cn
• radiusRelayDis1: *.fdu.cn
• radiusRelayDis2: *.edu.cn
• radiusRelayDis3: *.guangxi.fdu.cn
• radiusRelayDis4: *.hainan.edu.cn
• radiusRelayDis5: *.Jiangsu.edu.cn
• Username: xiaoming.guangxi.fdu.cn
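
The relay hierarchy in the figure can be walked hop by hop. The following is an added example, not Huawei code: it assumes that each relay forwards a request down to the child whose domain pattern matches the username, authenticates locally when its own pattern is the most specific match, and otherwise forwards up to its parent. The parent links are an assumption derived from the domain nesting of the patterns shown.

```python
# Relay names and patterns are taken from the figure; the parent links are an
# assumption inferred from how the domain patterns nest.
RELAYS = {
    "radiusRelayDis0": ("*.cn", None),
    "radiusRelayDis1": ("*.fdu.cn", "radiusRelayDis0"),
    "radiusRelayDis2": ("*.edu.cn", "radiusRelayDis0"),
    "radiusRelayDis3": ("*.guangxi.fdu.cn", "radiusRelayDis1"),
    "radiusRelayDis4": ("*.hainan.edu.cn", "radiusRelayDis2"),
    "radiusRelayDis5": ("*.Jiangsu.edu.cn", "radiusRelayDis2"),
}


def matches(pattern, username):
    """True if username ends with the pattern's domain suffix (case-insensitive)."""
    suffix = pattern.lstrip("*").lower()          # "*.fdu.cn" -> ".fdu.cn"
    name = username.lower()
    return name.endswith(suffix) and len(name) > len(suffix)


def next_hop(relay, username):
    """Return the next relay, or None when `relay` authenticates the user itself."""
    children = [name for name, (pat, parent) in RELAYS.items()
                if parent == relay and matches(pat, username)]
    if children:
        # Forward down to the most specific matching child.
        return max(children, key=lambda name: len(RELAYS[name][0]))
    pattern, parent = RELAYS[relay]
    if matches(pattern, username):
        return None                               # home relay reached
    if parent is None:
        # Unknown domains are rejected at the root instead of being forwarded.
        raise LookupError(f"no relay serves {username!r}")
    return parent                                 # not ours: forward up


def relay_path(entry_relay, username):
    """List of relays a request traverses, starting at the relay the user reached."""
    path = [entry_relay]
    while True:
        hop = next_hop(path[-1], username)
        if hop is None:
            return path
        if hop in path:                           # defensive loop guard
            raise RuntimeError("routing loop: " + " -> ".join(path + [hop]))
        path.append(hop)


if __name__ == "__main__":
    # A teacher from guangxi.fdu.cn connecting in the hainan.edu.cn region.
    print(" -> ".join(relay_path("radiusRelayDis4", "xiaoming.guangxi.fdu.cn")))
```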


Terminal plug-and-play

Terminal Identification for Terminal Plug-and-Play


Built-in industry's most comprehensive terminal fingerprint database

Requirements & Challenges
• A higher education institution: 50+ types; smart terminals; terminal information collected by level-2
colleges; difficult and error-prone MAC address collection
• An automobile enterprise: 10+ days; reported authentication faults; difficult to locate bogus terminals

Figure labels: camera, IP phone, printer, PC, laptop, mobile phone; packets of terminal information

Terminal identification >> Authentication and authorization >> Traffic statistics collection >> Terminal anti-spoofing
• Terminal identification (Who am I): Terminal type, OS, ...
• Authentication and authorization (What can I do): PCs/Laptops can access the internal network. Mobile
phones can access the security zone. ...
• Traffic statistics collection (What have I done): Traffic size, online duration...
• Terminal anti-spoofing (I am replaced by a spoofed terminal): Alarm, isolation

Terminal Type Identification Based on Industry's Most Comprehensive Terminal Fingerprint Database

Figure labels: fingerprint database (industry's most comprehensive fingerprint database); information
reporting; proactive scanning

Type | Identification Method | Technical Description | Application Scenario
--- | --- | --- | ---
Information reporting | MAC OUI | The first three bytes of a MAC address represent the manufacturer. | All terminals. This method can identify only terminal manufacturers.
Information reporting | HTTP User-Agent | A browser's User-Agent string contains the manufacturer, terminal type, OS, browser type, and other information. | Mobile phones, tablets, PCs, workstations, and intelligent audio/video terminals (TV sticks).
Information reporting | DHCP option | Some options in a terminal's DHCP packets can be used to classify terminals, for example, DHCP Options 55, 60, and 12. | Mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc.
Information reporting | LLDP | Link Layer Discovery Protocol data units (LLDPDUs) carry terminal model information. | IP phones, IP cameras, network devices, etc.
Information reporting | mDNS | mDNS packets contain terminal model and service information. | Apple devices, printers, IP cameras, etc.
Proactive scanning | SNMP query | This method obtains identification information by querying device information-related objects among SNMP MIB objects. | Network devices and printers.
Proactive scanning | Nmap | Nmap is used to scan the OS and services of terminals to obtain terminal model and OS information. | PCs, workstations, printers, phones, IP cameras, etc.
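
The passive fields named in the table (the MAC OUI and DHCP Options 12, 55, and 60) can be pulled out of a single DHCP message. The following is an added example, not Huawei code; the sample packet, host name, and vendor class string are constructed, and the MAC address comes from the IANA documentation range.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field (RFC 2131)
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_PARAM_LIST, OPT_VENDOR_CLASS = 12, 55, 60


def parse_dhcp_options(message: bytes) -> dict:
    """Return {option_code: value_bytes} for a BOOTP/DHCP message."""
    if len(message) < 240 or message[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or no magic cookie)")
    options, i = {}, 240
    while i < len(message):
        code = message[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A repeated option code is treated as one concatenated value (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def fingerprint(message: bytes) -> dict:
    """Collect the fields a passive fingerprint lookup would key on."""
    opts = parse_dhcp_options(message)
    hlen = min(message[2], 16)                  # hardware address length
    chaddr = message[28:28 + hlen]              # client hardware address

    def text(code):
        return opts[code].decode("ascii", "replace") if code in opts else None

    return {
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "oui": ":".join(f"{b:02x}" for b in chaddr[:3]),   # manufacturer prefix
        "hostname": text(OPT_HOSTNAME),                    # Option 12
        # Option 55: the ORDER of requested parameters is part of the fingerprint.
        "param_request_list": ",".join(str(b) for b in opts.get(OPT_PARAM_LIST, b"")),
        "vendor_class": text(OPT_VENDOR_CLASS),            # Option 60
    }


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER used only to exercise the parser."""
    mac = bytes.fromhex("00005e00532a")         # documentation-range MAC
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x1234ABCD, 0, 0,
                         b"", b"", b"", b"", mac, b"", b"")

    def opt(code, value):
        return bytes([code, len(value)]) + value

    options = (opt(53, b"\x01")                             # DHCPDISCOVER
               + opt(OPT_HOSTNAME, b"cam-lobby-01")
               + opt(OPT_VENDOR_CLASS, b"example-ipcam")
               + opt(OPT_PARAM_LIST, bytes([1, 3, 6, 15, 42]))
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for key, value in fingerprint(build_sample_discover()).items():
        print(f"{key}: {value}")
```

A terminal with a static IP address never sends such a message, so none of these DHCP fields are available for it.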

Identification of Top 3 Types of Office Terminals from Top 5 Vendors
Updated in R24C00
New in 24.0

Information reporting
• V200 device: After a device reports information, it is identified based on the fingerprint database through
HTTP UserAgent/MAC OUI/DHCP Option/LLDP/mDNS.
• V600 device: After a device reports information, it is identified based on the fingerprint database through
HTTP UserAgent/MAC OUI/DHCP Option/LLDP/mDNS.

Proactive scanning
• V200 device (Type: Top 5 Vendors)
  Camera: Hikvision, Dahua, Uniview, Huawei, and TP-Link
• V600 device (Top 3 Types: Top 5 Vendors)
  Camera: Hikvision, Dahua, Uniview, Huawei, TP-Link, and Tiandy
  IP phone: Polycom, Yealink, Cisco, Asia, and TREND Networks
  Printer/Fax machine: HP, Canon, Epson, Brothers, Lenovo, Ricoh

Unknown type identification
• V200 device: AI clustering identification + manual labeling for unknown terminals
• V600 device: AI clustering identification (new function: communication port-based clustering and
recommendation) + manual labeling for unknown terminals

Background: For terminals deployed using static IP addresses (such as cameras), the identification accuracy of
passive fingerprint-based identification is low. This is because fingerprints of those terminals cannot be
obtained through DHCP options (the most effective passive terminal identification method). In addition, devices
running stably do not send LLDP or mDNS packets to the controller (LLDP is not supported for identifying
cameras in most cases).


AI-based terminal cluster identification, improving the identification accuracy of unknown types
Updated in R23C10

Knowledge base: This knowledge base is developed based on Huawei's years of experience in industries. It
contains port information about different types of terminals, such as cameras, printers, IP phones,
and access control devices. This knowledge base is updated with the version upgrade.

Figure labels
• High-weight characteristics: Port ID, Port quantity
• Others: UA, DHCP, LLDP, mDNS, macOUI
• Clusters: Printer; Phone; Unknown terminal type 1 (Digital signage display (e-Class)); Unknown terminal
type 2 (Self-service machine)

Original data
• iMaster NCE-Campus delivers an in-depth scanning instruction to a device (manually triggered).
• The device asynchronously reports terminal port data obtained after in-depth scanning. Such data is used
as a type of terminal fingerprint for terminal identification.

Clustering based on the priori knowledge
• Terminals of the same model have high similarity in protocol fingerprint data, while terminals of different
models and types have low similarity in such data.
• Based on protocol fingerprint data similarity and a priori knowledge base, the system identifies matched
terminal info. and recommends terminal types accordingly.

Manual marking
• For terminals that cannot be matched, the system then performs clustering based on protocol fingerprint
data similarity.
• The customer manually marks the category of each cluster of terminals. A cluster of terminals can be
identified after the customer marks the category once.

Enhanced terminal identification: Identify terminals based on proactive device scanning
Updated in R23C10


Configure LSW scanning rules. The LSW
proactively scans terminals and reports
the identified terminal information to
NCE-Campus. NCE-Campus displays the
identification result on the terminal
management page.


Refined scanning scope: The LSW
gateway IP address can be used as the
source IP address to scan terminals in a
specified VLAN and IP address range.
Periodic scanning and real-time scanning
triggered by ARP packets of terminals


Anti-Unauthorized Network Access 1.0:
Zero Unauthorized Access Prevention Based On Terminal Identification

Scenario description: Anti-Unauthorized Network Access 1.0 is a detection technology based on terminal
identification. In this scenario, the customer needs to protect the network against unauthorized network access.

Figure labels
• iMaster NCE-Campus: unauthorized access identification; alarms and blocking
• Network device side: authentication or scanning; terminal information reporting
• Information reporting; proactive scanning

Definition

Rule Type | Description | Result
--- | --- | ---
Whitelist | Only the whitelisted terminals are authorized. Other terminals including unidentified terminals are unauthorized. | All non-whitelisted terminals are unauthorized.
Blacklist | Blacklisted terminals are unauthorized. Other terminals including unidentified terminals are authorized. | All blacklisted terminals are unauthorized and other terminals are authorized.

Identification

Identification Method | Application Scope | Details | Scheduled Scanning
--- | --- | --- | ---
Terminal identification | Authenticated terminals | Terminal information identification during authentication | Not required. Authentication is triggered.
Scheduled scanning | Unauthenticated terminals | Nmap- and SNMP-based scanning by IP address segment | Required. The scanning period can be set to once, daily, weekly, etc.

Blocking

Processing Method | Description | Application Scope | Automatic or Not | Later Operations | Others
--- | --- | --- | --- | --- | ---
MAC address–based blocking | Access blocking based on MAC addresses | Wireless/Wired | No, manual operations are required for batch processing. | Cancel blocking | When a terminal connects to a different access device upon its second-time access, an alarm is generated and the terminal access is blocked.
Port shutdown | Access blocking through port shutdown | Wired | No, manual operations are required for batch processing. | Cancel blocking; enabling it on the device configuration page | When a terminal connects to a different access device upon its second-time access, only an alarm is generated and the terminal can access network.

Anti-Unauthorized Network Access 1.0:
Management Based On Terminal Identification

iMaster NCE-Campus defines rules for identifying
unauthorized terminals, based on the terminal type,
vendor, model, OS, and serial number. After the
unauthorized terminal access control function is enabled,
if an identified terminal matches an unauthorized
terminal rule, the terminal's access is defined.


Access of unauthorized
terminals can be blocked
based on MAC addresses
or by shutting down
access ports.


Anti-Unauthorized Network Access 2.0: Private Connection Defense Based On Packet Features of Private Devices
Updated in R23C10

Scenario description: In the project, there are private network connections, and the customer needs to protect
the network. The Anti-Unauthorized Network Access 2.0 technology is a detection technology based on the packet
characteristics of private devices.

Figure labels
• iMaster NCE-Campus: private connection alarm and display; blocking
• On the network device side: traffic behavior analysis; packet feature detection; identifying private
connections
• Private connection information reporting

Identification

Scenario | Main Detection Technology | Effect
--- | --- | ---
Preventing unauthorized hub access | Check whether the port has multiple IP addresses | 30 seconds identification with 100% accuracy
Preventing unauthorized router access | TCP/HTTP packet parsing and TTL/TCP SYN/UA/DNS feature determination | 30 seconds identification with 100% accuracy
Preventing unauthorized Wi-Fi access | Domain name parsing and UA and DNS feature determination | 2 minutes identification with 90% accuracy

Blocking

Processing Method | Description | Application Scope | Automatic or Not | Later Operations | Others
--- | --- | --- | --- | --- | ---
MAC address–based blocking | Access blocking based on MAC addresses | Wireless/Wired | No, manual operations are required for batch processing. | Cancel blocking | When a terminal connects to a different access device upon its second-time access, an alarm is generated and the terminal access is blocked.
Port shutdown | Access blocking through port shutdown | Wired | No, manual operations are required for batch processing. | Cancel blocking; enabling it on the device configuration page | When a terminal connects to a different access device upon its second-time access, only an alarm is generated and the terminal can access network.

Anti-Unauthorized Network Access 2.0: Principle of Feature-based Detection of Privately Connected Devices
Updated in R23C10

Preventing unauthorized hub access

Figure: Checks whether a port receives packets with different IP addresses (IP1, IP2, IP3; IP packets from an
authorized terminal and unauthorized terminals).

Identification technology:
Check whether a user port receives packets with different IP and MAC addresses in a certain period. If yes,
there is unauthorized hub access. This is because under normal situations, a port only receives packets of a
single IP and MAC address in a certain period.

Preventing unauthorized router access

Figure: Parses TCP/HTTP packets and determines unauthorized access based on TTL/TCP SYN/UA/DNS characteristics
(TCP/HTTP/DNS packets from an authorized terminal and unauthorized terminals; examples: Win10 chrome107.0.0,
Win10 chrome105.0.0, iPhone OS 16_1).

Identification technology:
• TTL: The initial TTL value varies between operating systems and can be 128, 64, 255, or 32. The initial
TTL value of a packet decrements by 1 each time NAT is performed on the packet by an unauthorized router. When
the device detects that the TTL value in the packet sent from a terminal is invalid (not the preceding initial
TTL value) or the IP packet flow has multiple TTL values, the device determines that unauthorized access occurs.
• TCP SYN: The protocol stack, TCP SYN packet size, and TCP window size vary between operating systems. The
device can identify the terminal operating system based on the IP packet characteristics and check whether the
terminal operating system changes to detect unauthorized access.
• UA: It is the User-Agent field in an HTTP header. This field contains information about the vendor,
terminal type, operating system, and browser. The device can parse and extract operating system
characteristics from the User-Agent field and detect unauthorized access based on these characteristics.
• DNS: When connecting to the network, the operating system performs operations such as connectivity tests
and update checks. The DNS packets sent during these operations contain special domain names (including
operating system information), which can be used to identify operating system characteristics. The device uses
public addresses to detect unauthorized access.

Preventing unauthorized Wi-Fi access

Figure: Determines unauthorized access based on domain name information (parsed from packets), UA, DNS, etc.
(DNS/HTTP packets from an authorized terminal and unauthorized terminals; examples: Win10, iPhone, Android).

Identification technology:
In the scenario where the shared hotspot or proxy is enabled, the technologies and characteristics (including
the IP TTL, TCP SYN packet size, UA, and domain name) used for detection of unauthorized Wi-Fi access are
similar to those used for detection of unauthorized router access. The difference is that in the scenario where
the shared hotspot and proxy are enabled, the TCP/IP protocol stack characteristics of unauthorized terminals
are masked, so unauthorized Wi-Fi access cannot be detected based on the IP TTL and TCP SYN packet size.
• UA: It is the User-Agent field in an HTTP header. This field contains information about the vendor,
terminal type, operating system, and browser. The device can parse and extract operating system
characteristics from the User-Agent field and detect unauthorized access based on these characteristics.
• DNS: When connecting to the network, the operating system performs operations such as connectivity tests
and update checks. The DNS packets sent during these operations contain special domain names (including
operating system information), which can be used to identify operating system characteristics. The device uses
public addresses to detect unauthorized access.
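
The hub check and the TTL check described above can be expressed as detection logic over per-port packet observations. The following is an added example, not Huawei's implementation; it assumes the observation point is the access port (so an authorized terminal's packets arrive with an undecremented initial TTL), uses fixed 30-second windows, and runs on constructed sample records.

```python
from collections import defaultdict
from dataclasses import dataclass

INITIAL_TTLS = {32, 64, 128, 255}   # initial TTL values listed on the page


@dataclass(frozen=True)
class Obs:
    """One packet header seen on an access port (constructed sample format)."""
    ts: float       # seconds since start of capture
    port: str
    src_mac: str
    src_ip: str
    ttl: int


def _buckets(observations, key, window):
    """Group observations by key and by fixed time window."""
    groups = defaultdict(list)
    for o in observations:
        groups[(key(o), int(o.ts // window))].append(o)
    return groups


def detect_hub(observations, window=30.0):
    """Ports that received packets from several MAC and IP sources in one window."""
    findings = {}
    for (port, _), group in _buckets(observations, lambda o: o.port, window).items():
        macs = {o.src_mac for o in group}
        ips = {o.src_ip for o in group}
        if len(macs) > 1 and len(ips) > 1:
            findings[port] = sorted(macs)
    return findings


def detect_router(observations, window=30.0):
    """(port, MAC) pairs whose TTLs are not initial values or vary within a window.

    Behind a NAT router the port sees one MAC and one IP, so the hub check stays
    silent; the decremented or mixed TTL values are what give the router away.
    A shared hotspot or proxy masks the TTL, so this check does not cover it.
    """
    reasons = defaultdict(set)
    groups = _buckets(observations, lambda o: (o.port, o.src_mac), window)
    for (key, _), group in groups.items():
        ttls = {o.ttl for o in group}
        if any(t not in INITIAL_TTLS for t in ttls):
            reasons[key].add("non-initial TTL")
        if len(ttls) > 1:
            reasons[key].add("multiple TTL values")
    return {key: sorted(found) for key, found in reasons.items()}


# Constructed observations: a single PC, a hub with two PCs, and a NAT router
# fronting a Windows host (128 -> 127) and a Linux/mobile host (64 -> 63).
SAMPLE = [
    Obs(0.0, "GE0/0/1", "00:00:5e:00:53:01", "10.0.0.11", 128),
    Obs(5.0, "GE0/0/1", "00:00:5e:00:53:01", "10.0.0.11", 128),
    Obs(1.0, "GE0/0/2", "00:00:5e:00:53:02", "10.0.0.21", 128),
    Obs(2.0, "GE0/0/2", "00:00:5e:00:53:03", "10.0.0.22", 64),
    Obs(3.0, "GE0/0/3", "00:00:5e:00:53:04", "10.0.0.30", 127),
    Obs(4.0, "GE0/0/3", "00:00:5e:00:53:04", "10.0.0.30", 63),
]

if __name__ == "__main__":
    print("hub:", detect_hub(SAMPLE))
    print("router:", detect_router(SAMPLE))
```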
Anti-Unauthorized Network Access 2.0: Management Based On Packet Features of Privately Connected Devices
Updated in R23C10


Enable the anti-illegal connection
function and configure anti-illegal
connection based on the device port
and private connection type.


MAC address blocking and port
shutdown can be performed on
terminals connected without
authorization.


Anti-Unauthorized Network Access 2.0: Visualization and management of privately connected terminals on
digital maps
Updated in R23C10


Private terminal information displayed on the digital map

Displays the private connection types and access devices of private terminals.

MAC address blocking and port
shutdown can be performed on
terminals connected without
authorization.


Connects to MDM security vendors to enhance device security protection capabilities
Updated in R24C10

Scenario Description: The network has high security requirements. Therefore, terminal security needs to be
associated to improve terminal security protection.
Outside China: Ivanti, MobileIron, Forescout, Microsoft Intune, and AirWatch; In China: QiAnXin, QiAnXin V10,
Leagsoft, and VRV.

Figure, numbered steps during authentication (with third-party terminal security vendors):
1. Initiates authentication
2. Sends an authentication request
3. Checks terminal scores through an API
4. Sends terminal scores
5. Delivers control policies to allow network access only of compliant terminals
6. Has access to the network successfully

Figure, numbered steps for the periodic check:
1. Checks terminal scores at an interval
2. Sends terminal scores
3. Disconnects a terminal if it is not compliant
4. Disconnects the user

Applicable Scenarios
• Scenarios that have high security requirements and require compliance check on terminals. Terminals
can access the network only after passing the check.

Solution Value
• Interworking with third-party vendors to provide terminal security check capabilities

Solution Constraints
• The client of a third-party terminal security vendor needs to be installed on the terminal.
• Currently, the following vendors can be interconnected: Ivanti, MobileIron, Forescout, Microsoft Intune,
QiAnXin, Leagsoft, HiSec Insight, QiAnXin V10, and AirWatch. (Huawei provides the interface document, and the
third-party vendor provides the interface for interconnection based on the document.)
• AirWatch and QiAnXin V10 are added in 24.1.

MDM Association Networking

Figure (Internet, NCE-Campus, AC, mobile terminal):
0. An administrator configures the controller and an MDM server.
1. A terminal downloads an MDM app from the MDM server, installs it, and registers with the MDM server.
2. The MDM app periodically checks the terminal security status and reports the check result.
3. The terminal connects to the Wi-Fi network and initiates 802.1X authentication.
4. Query the terminal status from the MDM server.
5. Return the authentication result.

1. The administrator configures the MDM server, MDM query API, MDM authorization rules,
and authorization results on iMaster NCE-Campus.

2. The administrator configures MDM terminal security check policies on the MDM server.

3. A terminal downloads the app client from the MDM server, installs the app client, and
registers with the MDM server.

(App distribution must be considered in the networking. You can deploy a dedicated Huawei-Init SSID
to distribute apps by referring to the Huawei Wi-Fi networking solution for campuses.)

4. The terminal connects to the Wi-Fi network and initiates 802.1X authentication.

5. iMaster NCE-Campus interworks with MDM to obtain the MDM status through query and
notification.

Query the MDM status and information (registration/unregistration/violation/non-violation/basic
information) of the terminal. During authorization, iMaster NCE-Campus uses the MDM query API to check
whether the terminal violates MDM rules based on the terminal MAC address (or the MDM server invokes the
synchronization interface of iMaster NCE-Campus to synchronize terminal information to iMaster NCE-Campus).
If a violation has occurred, iMaster NCE-Campus isolates the terminal (matching the authorization result of
MDM isolation). This process is similar to the terminal security check on iMaster NCE-Campus.
iMaster NCE-Campus returns the authentication result (authentication success/MDM
isolation/authentication failure) and delivers different ACLs/AAA user groups/VLANs based on
the matched authorization result to control the resources that the terminal can access.


Interconnecting with HiSec Endpoint for 802.1X Authentication
Added in R24C10

Description: Previously, the campus solution outside China recommended the Leagsoft client since the solution
does not provide a Huawei-developed client. However, the solution faced delivery and maintenance issues, while
Leagsoft lacks recognition abroad, making it challenging to open up the market. Currently, the security product
HiSec Endpoint client (EDR) has been launched. In R24.1, NAC authentication and the security compliance check
capability are added to HiSec Endpoint to implement access control and continuous security compliance check for
Huawei-developed campus clients. In this way, the zero-trust solution for campus intranets can be realized.

Figure labels
• Enterprise DC: third-party AD/LDAP server, CA, unified Portal; authenticating accounts; CA interaction
• NCE-Campus: built-in CA; authentication/authorization
• Qiankun-OP: EDR; compliance check; terminal management; compliance check/notification
• Campus network: native WAC/independent WAC; authentication/authorization
• Terminal: 802.1X authentication and compliance check; registration and authentication; reporting compliance
information; downloading certificates

Application scenario
• You can use Huawei-developed 802.1X clients to access the campus network. This is a basic function of
zero-trust campus intranet access.
• Qiankun-OP triggers CoA after identifying at-risk terminals.

Solution benefits
• Qiankun-OP and iMaster NCE-Campus are deployed in converged mode, enabling a unified account for login and
providing a unified Portal for configuring campus and security features.
• Continuous awareness of network-wide environments and dynamic threats

Solution constraints
• Qiankun-OP must be deployed independently and cannot be integrated with iMaster NCE-Campus physically. They
only share the same login and configuration GUIs.
• Qiankun-OP loads the license for terminal compliance check. iMaster NCE-Campus loads the terminal
authentication license.
• CHAP (EAP-MD5), EAP-PEAP, EAP-TLS, EAP-GTC, EAP-PEAP-MSCHAPV2, EAP-TLS, EAP-PEAP-GTC, MD5, EAP-TTLS-PAP, and
EAP-TTLS-GTC are supported.

Intelligent HQoS: User- and Application-based QoS Policies

User- and Application-based QoS Policies Guarantee Experience of Key Users and Applications

Requirements & Challenges
• QoS policies are ineffective for video services.
• (Example) Building monitoring scenario: An increase in wireless video services leads to the excessive
amounts of bandwidth resources occupation, so that downlink congestion occurs in some scenarios.

Figure labels: camera, video surveillance, common user, VIP users, other users

>>
① Define who are VIP users. Define application priorities.
② Two-level scheduling: user queue and application queue.
③ Native WAC and standalone WAC support large buffer and four levels of queues. The S12700E supports a
40 x 25GE card and a 4 GB buffer. The AirEngine 9700-M supports a 512 MB buffer.

Constraints:
• Tunnel forwarding mode is required for wireless networks.
• Only 40 x 25GE cards on the S12700E support HQoS. In addition, the S5731/32-H provides a 25Gbit/s uplink
bandwidth.
• It is recommended that the proportion of VIP users be no more than 10%.
• Application scheduling templates need to be created on the WAC's web system.

Specifications:
• The S12700E supports 16,000 VIP users on one board, while the AirEngine 9700-M supports 1800 users on one
board.
• A maximum of 31 application scheduling templates can be configured on NCE-Campus.

Intelligent HQoS: Native WAC/Standalone WAC: FQ + SQ + GQ + DP, 4-Level Queue

Priority-based traffic scheduling for each application and user and four-level queues for traffic buffering
and shaping, implementing refined management and control.

Flow Queue (FQ): Priority-based traffic scheduling and shaping for each application.
• Application 1: 2 MB, Queue CS7, PQ
• Application 2: 2 MB, Queue CS6, PQ
• Application 3: 2 MB, Queue EF, PQ
• Application 4: 15 MB, Queue AF4, DRR: 15
• Application 5: 15 MB, Queue AF3, DRR: 15
• Application 6: 30 MB, Queue AF2, DRR: 10
• Application 7: 40 MB, Queue AF1, DRR: 10
• Application 8: 30 MB, Queue BE, DRR: 10

Subscriber Queue (SQ): Priority-based traffic scheduling for each subscriber.
Figure labels: SQ 1, SQ 2, SQ 3; VIP user 1, VIP user 2; common user group (common user 3, common user 4,
common user 5); DRR 1:1; SP; maximum traffic shaping value

AP Queue (GQ): Traffic shaping on each AP.
Figure labels: GQ 1 (AP 1), traffic shaping 300 MB; GQ 2 (AP 2), traffic shaping 200 MB

Port Shaping (DP)
Figure labels: DP 1; shaping (bypass)

Switches and WACs support multi-level queue scheduling through large buffers.

Intelligent HQoS: Service/User Priority-based Scheduling on Wireless Networks

• User group–based scheduling: Services of high-priority users are preferentially scheduled.
(Figure labels: common user, VIP user)
• Air interface slicing-based scheduling: Air interface slicing reduces the transmission latency to 10 ms.
(Figure labels: common user, VIP user)
• Application scheduling: Application-based bandwidth allocation.
(Figure labels: voice services, VR services, video services, web services)


VIP Access Assurance: Prioritized VIP User Access

As is
1. When the number of access users reaches the upper limit, the access of VIP users cannot be guaranteed.
2. Extra devices are deployed in areas where VIP users are located, increasing costs.
Figure (common users, VIP users): VIP users compete with common users for resources, and the access of VIP
users cannot be prioritized.

To be
1. The access of VIP users is prioritized in high-density campus office scenarios.
2. No extra devices are required, reducing costs.
Figure (common users, VIP users):
1. Authenticate and authorize users as VIP users, and enable radio and SSID guarantee for VIP users.
2. Adjust the EDCA parameters on the AP to change the packet exchange priority on air interfaces to ensure
the access of VIP users.

EDCA: Enhanced Distributed Channel Access

Bandwidth Reservation for VIP Users: Guaranteeing
Sufficient Bandwidth

Requirements & Challenges
• Random swarm traffic
• (Example) Conference room scenario: With a sharp increase of users, office terminals preempt air interface
resources, deteriorating wireless experience of conference terminals.

Figure labels: Wi-Fi 6 AP; conference terminal (VIP user); other office terminals (common users)

>>
• Define who are VIP users.
• Define the percentage of bandwidth to be reserved for VIP users.

Percentage of bandwidth to be reserved for VIP users: 20% bandwidth reservation
OFDMA spectrum resource reservation for VIP users

On-demand bandwidth reservation:
• When no VIP user is connected to an AP, no bandwidth is reserved.

Sufficient bandwidth resources are reserved for VIP users.

Free mobility
Free Mobility – User Group–based Access Control


Define security groups >> Define inter-group policies >> NETCONF/YANG


Free Mobility – Anytime and Anywhere Access with Consistent Permission

Username | User Group | Access Mode | Access Location | Access Duration | Security Group | Access Permission
Mark | Department of Physics | Wired | Dormitory | 8:00 to 22:00 | Security group 1 | Scientific research resources, Internet, and material sharing
Joy | Economic Research Institute | Wired | Office area | All day | Security group 2 | Scientific research resources, Internet, OA, management, and materials
Terry | Other university | Wired/Wireless | Anywhere | 8:00 to 18:00 | Security group 3 | Public material sharing
Jim | Principal | Wired/Wireless | Administrative building | All day | Security group 4 | All

1. Configure and deliver security groups and inter-group control policies to the entire network.
2. Authenticate users who attempt to access the network.
3. Map users to security groups based on 5W1H conditions and deliver the mapping entries to devices.
4. Control user access permissions (permit or deny).
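
Steps 3 and 4 can be modelled in a few lines. The following Python sketch is an added example, not iMaster NCE-Campus code: it transcribes the table's rows as authorization rules and its Access Permission column as the inter-group policy. The function names, the half-open reading of the time windows, and the default deny for sessions that match no rule are assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class AuthzRule:
    """One row of the table: conditions that map a user to a security group."""
    user_group: str
    access_modes: frozenset      # access modes the row allows
    location: Optional[str]      # None stands for "Anywhere"
    window: Optional[tuple]      # (start, end); None stands for "All day"
    security_group: int


# Rows transcribed from the table. Reading "8:00 to 22:00" as the half-open
# interval [08:00, 22:00) is an assumption of this sketch.
RULES = [
    AuthzRule("Department of Physics", frozenset({"wired"}), "Dormitory",
              (time(8), time(22)), 1),
    AuthzRule("Economic Research Institute", frozenset({"wired"}), "Office area",
              None, 2),
    AuthzRule("Other university", frozenset({"wired", "wireless"}), None,
              (time(8), time(18)), 3),
    AuthzRule("Principal", frozenset({"wired", "wireless"}),
              "Administrative building", None, 4),
]

# Inter-group policy: resources each security group may reach, taken from the
# Access Permission column. "*" stands for the table's "All".
PERMITTED = {
    1: {"scientific research resources", "internet", "material sharing"},
    2: {"scientific research resources", "internet", "oa", "management", "materials"},
    3: {"public material sharing"},
    4: {"*"},
}


def map_to_security_group(user_group, access_mode, location, at):
    """Step 3: security group for an authenticated session, or None.

    `at` is a local time given as "HH:MM".
    """
    now = time.fromisoformat(at)
    for rule in RULES:
        if rule.user_group != user_group:
            continue
        if access_mode not in rule.access_modes:
            continue
        if rule.location is not None and rule.location != location:
            continue
        if rule.window is not None and not (rule.window[0] <= now < rule.window[1]):
            continue
        return rule.security_group
    return None


def decide(security_group, resource):
    """Step 4: permit or deny a resource for a security group."""
    allowed = PERMITTED.get(security_group, set())
    return "permit" if "*" in allowed or resource in allowed else "deny"


def access(user_group, access_mode, location, at, resource):
    """Steps 3 and 4 together; a session that matches no rule is denied."""
    group = map_to_security_group(user_group, access_mode, location, at)
    return "deny" if group is None else decide(group, resource)
```

Because the decision in step 4 depends only on the security group, reviewing who can reach a resource means reviewing the mapping rules and the policy matrix, not per-site address lists.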


Network Service Configuration Overview

One of the key features of iMaster NCE-Campus is to provide the configuration and
management functions for cloud managed devices, including APs, WACs (WACs and cloud APs
cannot be deployed together at a single site), ARs, FWs, and SWs. For details about the
supported device models, refer to the device mapping table in the related product
documentation.


Intent-driven Orchestration (1/2) – Solution Package Creation


• On the iMaster NCE-Campus homepage, click Intent-Driven Deployment and create solution packages on the Intent-driven Orchestration page.

Intent-driven Orchestration (2/2) – Solution Package Import

• On the iMaster NCE-Campus homepage, click Intent-Driven Deployment and execute the solution packages created in the preceding step. In addition, parameter values can be set as needed during solution package execution.

Scenario-specific Deployment (1/4)


• On the iMaster NCE-Campus homepage, click the advanced feature Intent-Driven Deployment. On the displayed page, click Intent-Driven Deployment > Scenario-specific Deployment to create a scenario template.

Scenario-specific Deployment (2/4)


• In the scenario template, set networking parameters, plan a network topology, and configure wireless services.

Scenario-specific Deployment (3/4)


• Click Advanced Settings to configure DNS and perform network settings.

Scenario-specific Deployment (4/4)


• Create a site to which the scenario template is to be applied, and click Deploy to deploy the site. After deployment is completed, you can view deployment details.

Agile Configuration - Hierarchical Batch Management (1/7) (Supplemented in R24C10)

• The controller provides hierarchical templates for batch configuration by device.

Parent template (1 template : * devices):
Device account and password; Time zone and DST; ......

Level-1 child template (this template can be applied to devices; 1 template : * devices):
Inherits the features and parameters from its parent template. You can add other features or modify parameters as needed.
Device account (inherited); Time zone and DST (modified); Login restriction (new); O&M monitoring (new); Network reliability (new); ......

Level-2 child template (this template can be applied to devices; 1 template : * devices):
Inherits the features and parameters from its level-1 child template. You can add other features or modify parameters as needed.
Device account (inherited); Time zone and DST (inherited); Login restriction (inherited); O&M monitoring (inherited); Network reliability (modified); Static route (new)

Bind a template to multiple devices or batch apply the template to multiple devices.

Agile Configuration - Hierarchical Batch Management (2/7) (Supplemented in R24C10)

• Manage GND-based hierarchical templates and maintain the relationships between the templates and devices.
• By default, the controller presets general device configurations. You can also customize device configurations.
• Choose Network Configuration > Site Configuration > Batch Configuration from the main menu.

Agile Configuration - Hierarchical Batch Management (3/7) (Supplemented in R24C10)

• Hierarchical templates can flexibly select features from GND packages. GND packages support incremental deployment, and can be released either with the version or separately from it.

Agile Configuration - Hierarchical Batch Management (4/7) (Added in R24C10)

• The inconsistency status between the parent and child templates can be displayed, and the inconsistencies between the templates can be displayed in real time.
• Features can be previewed. You can view the device configurations affected by the delivered features in advance.

Agile Configuration - Hierarchical Batch Management (5/7) (Supplemented in R24C10)

• A GND-based hierarchical template can be delivered to a device, supporting one-time template application and template binding.
• The one-time template application function will deliver the template configurations to the device once, but will not bind the template to the device.
• After the template is bound to the device, the template configurations are delivered to the device and the binding relationship between the template and device is created.

Agile Configuration - Hierarchical Batch Management (6/7) (Supplemented in R24C10)

The one-time template application function supports variable template parameters. That is, you do not need to specify parameter values when creating a template. Instead, you can set specific parameters when delivering the template configurations to a device, thereby implementing differentiated configurations.

Agile Configuration - Hierarchical Batch Management (7/7) (Added in R24C10)

Templates support domain-based management. Different template permissions can be assigned to different users.

Network Template Function (Updated in R24C10)

• Currently, the hierarchical template function delivers hierarchical configurations based on devices. If an enterprise network is complex, for example, multiple types of devices exist at the same site and services are differentiated, the hierarchical configuration function cannot meet the requirements of batch service deployment, resulting in low deployment efficiency.

• iMaster NCE-Campus delivers the template group function (network template function) to group hierarchical templates of different device types and services. Hierarchical template groups can implement hierarchical batch deployment of devices at a site in networking scenarios where there are multiple device types and services vary greatly at the same site, greatly improving deployment efficiency.

• A network template includes a template group and is applicable to sites of the same type. A network template can be applied to multiple branch sites, and configurations in the template can be customized for branch sites of different types.

• Domain-based template management is supported. Specifically, different users are assigned different template permissions to implement refined management.

Network Template: Copy & Create (New in R24C00)

1. Create a network template and select member templates for it.
2. Enter binding attributes for the member templates.

Network Template: Delivery to Sites (New in R24C00)

1. Select the site to be bound.
2. Set parameters.
3. View the result.

Network Template - Domain-based Capability (Added in R24C10)

1. Specify a network template for user management.

Template Hierarchy: Improved Configuration Efficiency of Similar Site Parameters

Scenario description: There are several sites on different hierarchies. A large number of partially identical configurations and many different customized configurations exist on different hierarchies. As such, the configuration efficiency needs to be improved.

• Improving one-time configuration efficiency

Site configurations: After the local site configurations are modified, the configurations of other sites will not be affected.

Local site template: After a local site template is modified, the configurations of all sites bound to the template will be modified in batches.

Upper-level site template: After a parent template is modified, the configurations of all child templates will be modified.

Priority: upper-level site template < local site template < site configurations

Template Hierarchy: Child Templates Can Inherit Configurations from Parent Templates or Have Customized Configurations

A child template can inherit the configurations of its parent template and allow users to customize configurations as needed.

Parent template: An SSID for secure networks is configured in the parent template.

Child template (inherited or customized): A child template can inherit the SSID configuration from its parent template, and allow users to modify the inherited configuration or configure a new SSID as needed.

Template Hierarchy: Sites Inherit Configurations from Site Templates or Have Configuration Customized

Sites can use configurations inherited from templates, or have customized ones.

Template configuration: Configure an SSID for secure networks in a site template.

Customized site configuration (inherited or customized): After having the template applied, a site can inherit the SSID configuration from the template. Alternatively, users can modify the inherited configuration, or configure a new SSID as needed.
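
The inheritance rules on the Hierarchical Batch Management (1/7) slide and the priority order of the Template Hierarchy slides, as an added Python model (not controller code): it resolves the effective configuration of a template chain, labels each feature as inherited, modified, or new, and lists what a site overrides. The feature names come from the slides; every parameter value and function name is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Template:
    name: str
    parent: Optional["Template"] = None
    features: dict = field(default_factory=dict)   # settings defined at this level

    def chain(self):
        """Templates from the top-level parent down to this one."""
        node, out = self, []
        while node is not None:
            out.append(node)
            node = node.parent
        return out[::-1]


def effective(template, site_config=None):
    """Resolve settings with the slide's priority order:
    upper-level template < local template < site configurations."""
    merged = {}
    for level in template.chain():
        merged.update(level.features)
    merged.update(site_config or {})
    return merged


def provenance(template):
    """Label each effective feature as on the (1/7) slide."""
    from_parent = effective(template.parent) if template.parent else {}
    labels = {}
    for feature, value in effective(template).items():
        if feature not in template.features:
            labels[feature] = "inherited"
        elif feature not in from_parent:
            labels[feature] = "new"
        elif from_parent[feature] != value:
            labels[feature] = "modified"
        else:
            labels[feature] = "inherited"   # redefined with an identical value
    return labels


def site_overrides(template, site_config):
    """Features a site sets differently from, or in addition to, its template."""
    base = effective(template)
    return sorted(f for f, v in site_config.items() if base.get(f) != v)


# Constructed sample values; only the feature names appear on the slides.
PARENT = Template("parent", None, {
    "Device account": "netadmin",
    "Time zone and DST": "UTC",
})
LEVEL1 = Template("level-1 child", PARENT, {
    "Time zone and DST": "UTC+08:00",
    "Login restriction": "management subnet only",
    "O&M monitoring": "enabled",
    "Network reliability": "single uplink",
})
LEVEL2 = Template("level-2 child", LEVEL1, {
    "Network reliability": "dual uplink",
    "Static route": "0.0.0.0/0 via 192.0.2.1",
})

if __name__ == "__main__":
    for feature, label in provenance(LEVEL2).items():
        print(f"{feature}: {effective(LEVEL2)[feature]} ({label})")
```

Running `site_overrides` across all bound sites gives a reviewer the list of places where a local change, such as a relaxed login restriction, departs from the template baseline.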

Virtualized Fabric Campus Networks

Campus Virtual Extensible LAN (VXLAN) uses the overlay virtualization technology to bear multiple virtual networks (VNs) in a unified manner and supports flexible service deployment. Tenant administrators are responsible for VN setup and service provisioning. The iMaster NCE-Campus VXLAN solution brings the following benefits:
1. VN automation:
• Supports automatic provisioning of VNs on the overlay network and a large Layer 2 network covering campuses and branches, and supports the BGP-EVPN control plane.
• Divides a physical campus network into VNs vertically and horizontally.
• Supports multi-tenant management mode on campus networks.
• Supports IPv6 access.
2. Abundant egress capabilities:
• Supports external networks with different egress types, including Layer 3 shared egress, Layer 2 shared egress, and Layer 3 exclusive egress.
• Supports one border node at the egress.
• Supports multiple border nodes at the egress, working in active/standby or load balancing mode. This feature is available only on a VXLAN with distributed gateways.
• Supports NQA and monitoring groups to ensure egress reliability.
3. Unified automated authentication for wired and wireless access:
• Supports automated orchestration of secure access during VN configuration.
• Supports seamless integration of wired and wireless access (wireless access needs to be pre-planned).
4. Unified topology-based O&M:
• Displays physical topologies and monitors NEs and ports.
• Displays logical topologies of VNs.

(Figure labels: HiSec Insight, iMaster NCE-Campus, CampusInsight; routing node, FW node, fabric border node, fabric transparent node, fabric edge node; fabric domain (overlay), VXLAN; access domain (underlay), underlay network; access node (wired), access node (wireless).)

Intelligent Uplink Selection on Firewalls

The firewall continuously performs a health check to detect link connectivity
and quality (delay, jitter, and packet loss rate). Links participate in global
route selection only if their quality meets the requirements. Policy-based
routing (PBR)-based uplink selection takes precedence over global route
selection. In PBR-based uplink selection, traffic requiring intelligent uplink
selection is matched based on multiple conditions, such as the inbound
interface, source security zone, source address, destination address, service,
application, user, user group, and DSCP priority. After that, traffic that meets
the matching conditions is forwarded based on the PBR configuration,
forwarded to a virtual system, or forwarded as-is (without PBR). If the
firewall finds multiple available outbound interfaces according to the PBR
configuration, it then uses the global route selection policy to select the
optimal one.

ISP link selection is a special PBR mode. It selects routes to forward traffic
based on destination addresses. In ISP link selection, the outbound interface
and next hop for the traffic destined for a specified ISP network need to be
specified. After that, traffic is transmitted through the ISP link to which the
destination address belongs. As such, traffic is forwarded along the shortest
path and forwarding efficiency is improved. When multiple outbound
interfaces are available for traffic in ISP link selection, the optimal outbound
interface is selected through PBR.
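
The selection order described above, as an added Python model rather than firewall or controller code: only links that pass the health check are candidates, a matching PBR rule is applied before global route selection, and global selection chooses among several available egresses. The link names, SLA thresholds, rule fields, first-match rule order, the lowest-loss-then-delay choice, and the fallback to global selection when a rule's egress is unavailable are assumptions; the forward-to-virtual-system action is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Link:
    name: str
    up: bool            # connectivity result of the health check
    delay_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class Sla:
    max_delay_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class PbrRule:
    in_iface: Optional[str] = None
    src_zone: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    egress: tuple = ()   # empty tuple = forward as-is (without PBR)


def healthy(link, sla):
    """A link takes part in selection only if connectivity and quality pass."""
    return (link.up and link.delay_ms <= sla.max_delay_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)


def matches(rule, pkt):
    """True if every condition the rule sets agrees with the packet."""
    for name in ("in_iface", "src_zone", "protocol"):
        wanted = getattr(rule, name)
        if wanted is not None and wanted != pkt[name]:
            return False
    for net, addr in ((rule.src_net, pkt["src"]), (rule.dst_net, pkt["dst"])):
        if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
            return False
    return True


def global_select(candidates):
    """Assumed global policy: best link quality (loss, then delay, then jitter)."""
    if not candidates:
        return None
    return min(candidates, key=lambda l: (l.loss_pct, l.delay_ms, l.jitter_ms)).name


def select_uplink(pkt, rules, links, sla):
    available = [l for l in links if healthy(l, sla)]
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.egress:                       # PBR action
            usable = [l for l in available if l.name in rule.egress]
            if usable:                        # several usable: global policy picks
                return global_select(usable)
        break                                 # no PBR, or no usable PBR egress
    return global_select(available)


# Constructed sample data.
SLA = Sla(max_delay_ms=100, max_jitter_ms=30, max_loss_pct=1.0)
LINKS = [
    Link("isp1", True, 20, 2, 0.1),
    Link("isp2", True, 35, 5, 0.0),
    Link("isp3", True, 15, 1, 4.0),    # reachable, but loss exceeds the SLA
    Link("mpls", False, 0, 0, 0.0),    # health check fails
]
RULES = [
    PbrRule(src_zone="trust", dst_net="203.0.113.0/24", protocol="tcp", egress=("isp1",)),
    PbrRule(src_net="10.1.0.0/16", egress=("isp1", "isp2", "isp3")),
    PbrRule(in_iface="GE0/0/3"),       # matched traffic is forwarded without PBR
]
```

The third link shows why the health check matters for review: it has the lowest delay, yet it never carries traffic because its packet loss rate fails the SLA.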

Intelligent Uplink Selection on Firewalls

1. Based on GND/hierarchical templates, the following
conditions can be configured on firewalls running
V600 to specify traffic where PBR is to be
performed: inbound interface, source security zone,
source and destination IPv4 addresses, and protocol
(ICMP, TCP, UDP, or SCTP); the following PBR actions
can be configured: single-egress PBR action
(redirecting traffic to a specific outbound interface,
or redirecting traffic to a specific outbound interface
through a certain next hop), multi-egress PBR action
(performing uplink selection based on the
bandwidth, link weight, and link quality), and traffic
redirection without PBR. In addition, health check
and SLA profiles can be configured for intelligent
uplink selection.
2. ISP address libraries can be configured and
upgraded in local mode on the controller.
3. Policies can be configured to upgrade ISP address
libraries on devices.


Visualized Status of Tunnels Connecting Branches with V600 Firewalls and the HQ

The topology of the VPN between a branch with V600 firewalls and the HQ is visualized on the controller. Information, such as the device online status, interconnected link, link connectivity, and link delay, is available on the O&M > Monitoring > Monitoring > Inter-Site page.

WAN Intelligent Dialing Test: Fast WAN Fault Demarcation for Audio and Video Applications, 40% Higher Accuracy Than Other Vendors (New in R24C00)

Application scenarios
• Unable to detect and verify audio and video issues on the WAN; frequent audio and video freezing, causing user complaints
• Intra-campus: iPCA-based application demarcation and locating
• WAN: Unable to demarcate audio and video freezing issues

Unique benefits
• Slow detection: Periodic ping detection
• Fast detection: In case of frequent packet loss, switching to fast packet sending based on simulated application flow characteristics
• Applications: Teams, Webex, Zoom, Tencent Meeting, DingTalk, XYLink, Huawei Cloud Meeting, Lark
• WAN fault demarcation accuracy > 80%, 40% higher than that of vendor C
• End-to-end visibility into application quality
• Traditional ping detection: unaware of application characteristics; packet loss detection accuracy: < 10%
• Distinct characteristics of different audio and video applications (packet size, burst packet quantity, and packet sending interval)

A relevant Tolly test report will be released in September 2024.

(Figure labels: S8700 (with high-quality experience assurance board); Campus, WAN, Cloud DC; Switch, Access Router, Core Router, Switch; Tencent Meeting; latency, packet loss.)

Configuring Intelligent Dialing Tests (New in R24C00)

1. Select an S8700 switch in the digital map topology to perform an intelligent dialing test.
2. Select a source device on the digital map and create a dialing test task instance for an application based on this device.
3. Select a source device on the digital map and view the dialing test task list of the device.

View the Intelligent Dialing Test Result (1/2) (New in R24C00)

1. Click an intelligent dialing task to view the dialing test result.
2. Switch the chart to view the historical data trend chart.
3. Summarize data based on dialing test results and quickly view abnormal results.

View the Intelligent Dialing Test Result (2/2) (New in R24C00)

1. Click to view the hop-by-hop demarcation result.
2. On the Hop-by-Hop Demarcation page, click to view suspected faulty nodes and complete fault locating. Select a record to associate with the digital map topology.

Digital Map: One-Map Network Visibility (Updated in R24C00)

The network digital map offers high visibility into the relationships between networks, applications,
and users/terminals on the entire network.
• Site location visibility: The network digital map displays sites
based on longitudes and latitudes on a GIS-based map, as well as
statistics of devices, applications, and users of the entire network.
• Site interconnection visibility: In the IPsec VPN and EVPN
interconnection scenarios, site interconnection information can be
displayed on the GIS map.
• Custom topology: Devices at multiple sites can be displayed in
one topology, and multiple custom topologies can be displayed on
the homepage.
• Resource statistics visibility: Statistics on tenant resources,
including sites, devices, applications, users, and terminals, are
presented.
1. Site statistics: The digital map displays a site list, where users
can check the total number of sites and manage them.
2. Device statistics: The digital map displays a device list, where
users can check the total number of devices and manage
them.
3. Application statistics: The digital map displays an application
list, where users can check the total number of applications.
4. User statistics: The digital map displays a user list, where users
can check the total number of users and view user details.
5. Terminal statistics: The digital map displays a terminal list,
where users can check the total number of terminals and view
terminal details.

Digital Map: One-Map Network Visibility

• Topology capability:
1. Supports automatic topology layout based
on device roles.
2. Expands and collapses lower-layer devices
based on the network layer of devices.
3. Displays terminals together with their access
devices.
4. Displays the WAN network of egress devices
in the topology.
5. Allows users to divide areas for devices at a
site.
• Statistics collection capability:
1. Collects statistics on the number of devices,
users, and terminals at a site.
2. Displays site details, including statistics on
device types, device states, device alarms,
and terminal types.
• Function integration:
1. Quick access to the site configuration page
2. Quick access to the site monitoring page
3. Access to common O&M tools, such as ping
and trace

Digital Map: Visualized Application Experience

The network digital map offers insights into the application experience and provides a unified entry for experience-centric O&M of key applications.


Key application assurance: The network digital map supports the delivery of assurance policies for key services.

Application experience visualization: The network digital map can proactively identify application experience problems. It displays service flow details of a single application and highlights faulty links in the full-flow path topology.

Conference network monitoring: The network digital map displays the network topology of a specified conference and provides conference quality monitoring and O&M capabilities based on the topology. It helps administrators monitor the conference quality in real time throughout the conference.

Digital Map: Visualized User Experience

The network digital map offers insights into user experience. It provides a precise user profile throughout the user journey based on the user's Wi-Fi network
access process and Internet access experience, and analyzes and locates issues. This enables O&M personnel to easily handle faults reported by users and
proactively ensures user network experience.


VIP user assurance: Users and guests can be set as VIP users. Their wireless access can be preferentially guaranteed and air interface bandwidth can be reserved for them.

User experience display: The network digital map displays user tracks in the floor topology and performs modeling based on multi-dimensional parameters such as the user access delay, bandwidth, and packet loss rate. As such, it can accurately detect the actual user experience, display single-user network quality (evaluated through user network indicators), and analyze user network experience faults.

Digital Map: In-depth Integration with Analyzer Pages (Added in R24C10)

The analyzer pages such as application analysis and client journey can be deeply integrated into the controller. No browser redirection is involved, so that customers are unaware of page changes of the controller.

Digital Map: Integrated Display of Network Issues (Added in R24C10)

1. The To Be Handled area provided by the smart assistant displays network events in a unified manner. You can click Network Events to access the event details list and click a specific event to view its details, including basic information and event analysis.
2. Network issues involve wired and wireless scenarios.

Digital Map: Integrated Display of Network KPIs (Added in R24C10)

1. The indicator view of the digital map workbench supports KPI display. After clicking a specific KPI, you can view details about it.
2. Network KPIs include the interference rate, channel utilization, person detection, signal strength, number of users, inbound/outbound traffic of wireless devices, and energy consumption.

Digital Map: Visualization of Industrial Ring Network Status (Added in R24C10)

1. Ring topologies can be displayed on the digital map. You can click Switch To Ring Layout to perform adaptation optimization for the topology layout.
2. Right-click a V600 switch and choose View Ring Network Status from the shortcut menu. After a loop is specified, the real-time query is triggered. In the query record, you can view the interface status of the devices on the ring network. The forwarding status of the interface can be displayed in the digital map topology.

Easy-Branch Simplified Service Planning


1. On the homepage, you can click Branch Deployment and select a template to deploy the branch. Either a preset or customized template can be selected.
2. Currently, the controller is preset with five types of branch templates: micro branch, mini branch, small branch, small and midsize branch, and large hub.
3. Users can view template details, as well as parameters in templates.

(Figure labels: Large hub site, Micro branch, Small branch)

Easy-Branch Simplified Service Planning


1. Template parameter settings can be entered on
the GUI, or imported through an Excel file.


Easy-Branch Simplified Service Planning


1. Users can enter a site name in the search box to check the site's longitude and latitude. The site's location is marked on the map.
2. Tasks can be retried and rolled back.

(Figure: site "Suzhou center" with the tasks Create Site, Create AR, Create WAN Interface, and Create WAN Link (60%); Detail)

Easy-Branch Simplified Service Planning


1. Templates can be customized. Users can copy an
existing template or create one as needed to
define their own workflows.

2. Action packages of SD-WAN interfaces and
some interfaces related to LAN configuration
and user access authentication have been pre-
configured.


Underlay Route Automation


• Underlay route automation is supported in the following networking modes:
- Tree networking
- Ring networking for border and transparent nodes
- Ring networking for edge nodes

(Figure: one topology per networking mode, built from border nodes, transparent nodes, edge nodes, and extended nodes.)

Virtualized Fabric Campus Networks


1. Create VNs and subnets.
2. Provision VNs and deliver VLAN, VXLAN, DHCP, and static routing configurations.
3. Create security groups and corresponding inter-group policies.
4. Deliver security groups and inter-group policies.
5. Send an authentication request for network access.
5. Perform 802.1X authentication.
6. Perform RADIUS authentication.
7. Send a message indicating that authentication succeeds. The message also carries information about the security group and authorization VLAN.
8. Deliver authorization VLAN information to the access switch to allow the user to access the network.
9. Enable the 802.1X authentication port and deliver authorization VLAN information, so that the user can go online and access the network.
10. Perform policy control based on the security groups.

(Figure labels: Network administrator, Border, Edge)

High-Quality Campus Network with the S8700

1. High assurance: S8700 switches can re-mark the priority of audio and video traffic to ensure preferential forwarding of such traffic, and also support traditional QoS solutions. This makes S8700 switches suitable for new and migrated networks.
2. Reduced costs: S8700 switches at the core layer can monitor applications and interwork with traffic analysis devices. This removes the need for access switches to support application identification, reducing networking costs.
V300R023C00 focuses on guaranteeing the application experience of the following audio and video services: Teams, Webex, Zoom, Xiaoyu Yilian, DingTalk, Huawei Cloud Conferencing, and Tencent Conferencing.

High-Quality Campus Network with the S8700

Leveraging GND-based device configuration and hierarchical templates, the controller allows users to create and activate application
policies, configure application groups, configure devices to report traffic statistics, and enable application identification on interfaces.


Application statistics collection can be enabled on the Monitoring > Monitoring Settings > Data Collection Configuration page.

1. The admin user needs to configure signature database upgrade policies for sites on iMaster NCE-Campus. After that, iMaster NCE-Campus automatically obtains signature database files from the Huawei security center and saves them to a file server. Devices then obtain the files from the file server to upgrade their signature databases. The signature database upgrade process of S8700 switches is the same as that of ARs running V600.
2. After a signature database policy is configured for a site, this policy not only takes effect on existing devices at the site, but also takes effect on devices newly added to the site.

V600 WAC Cloud Management (New in R23C10)

Scenario description: This solution is applicable to the wireless network independent O&M management scenario. In this scenario, independent WACs are deployed on the network to manage and maintain APs on the network. A standalone WAC supports VRRP hot backup.

Device management
• Device display: Add WAC and Fit APs and display devices.
• Device registration: A NETCONF channel is established between the WAC and the Agile Controller. The WAC registers with NCE-Campus. The Fit AP registers with the WAC through CAPWAP.
• License control: The WAC reports Fit AP information to NCE-Campus. The WAC then registers and obtains licenses to go online, and manages the AP.

Monitoring and O&M
• Diagnosis commands: supports common O&M diagnosis commands, such as ping and trace.
• Device management: performs routine O&M operations, such as restarting devices and restoring factory settings.
• Device monitoring: WAC and Fit APs report device performance data for monitoring and O&M.
• User monitoring: The WAC and Fit AP report user performance data for monitoring and O&M.

Configuration delivery
• Wireless service configuration: Common wireless configuration, including AC/AP (group) management, SSID management, and user authentication configuration.
• Wired service configuration: Basic wired configuration, such as VLAN, DHCP, and DNS, ensures the normal communication between devices and the normal running of wireless services.
• Batch configuration mechanism: Multiple WACs in a WAC group can be configured in batches through a hierarchical template.
• Customized configuration mechanism: Fit APs must support customized configuration and deliver configurations separately based on APs. (The configuration is still delivered to the WAC, and the WAC delivers it to the AP.)
• Not supported: N+1 Scenario, Radio calibration, IPv6, Mesh, WIDS, inter-AC roaming, WLAN location, Bluetooth, and attack defense.

Constraints: This function is supported only by V600 WAC. The authentication server supports only third-party servers. Currently, NCE is not supported.

(Figure labels: NETCONF channel, Performance Reporting Channel, WAC, CAPWAP channel, AP)

V600 WAC Single Device Configuration (New in R23C10)

• The portal for configuring a single WAC is as follows:

Cloud management capability configuration details of the V600 WAC (New in R23C10)

System Management Time zone     Time zone
Interface management Interface management   Interface name, interface description, interface type, and interface management status
Ethernet Switching
VLAN Configuration Interface VLAN   Interface name, link type, default VLAN, allowed VLAN, tagged VLAN, and untagged VLAN
Configuration
    Global VLAN VLAN ID, name, and description
    VLAN resource pool   Name, VLAN Assignment Algorithm, VLAN ID
IP Service Configuration Basic IP Configuration IPv4 Configuration   IPv4 address and mask
  DCHP Configuration DCHPv4 Configuration DHCPv4 Global Configuration Enable DHCP.
Address pool name, address pool type (global address pool or interface address pool): global address pool, network segment address (matching with the mask), mask, vendor-
      DHCP address pool defined, and lease time (original design parameters: Lease, gateway list, unallocated address range, bound MAC address, interface used by the address pool (display and select
the current Layer 3 interface), DNS domain name, DNS IP (original design parameter: DNS list), and NetBIOS server address (original design parameter: WINS server)
Address pool type (global address pool/interface address pool): Interface address pool, Global attributes > DHCP mode, DHCP server, network segment address (matching the
mask), mask, user-defined option list, and lease time (original design parameters: lease), gateway list, unassigned address range list, statically bound IP address list, interface
    Interface DHCP Configuration
used by the address pool (display and select the current Layer 3 interface), DNS domain name, DNS list, NetBIOS server address, user-defined option list, interface name,
interface address/mask, global attributes > DHCP mode Select DHCP relay and select Server Address List > Server Address.
IPv4 destination network segment/mask and next-hop address list (In the Create dialog box, set Next Hop Type to IP Address.)
. Next Hop Address List > Description (In the Create dialog box, set Next Hop Type to IP Address.) 1. Outbound interface list (In the Create dialog box, select the interface for
IP Route Configuration IPv4 static routes     the next hop type.) 1. Outbound interface list (In the Create dialog box, select the interface for the next hop type.). Outbound Interface List > Description (In the Create dialog
box, select the interface for the next hop type.). IP address + outbound interface list > Description (In the dialog box that is displayed, set Next Hop Type to IP address +
outbound interface.)
Reliability Configuration active/standby Configuration     Dual-system hot backup, authentication key, enabling preemption, interval for sending probe packets, interface name, interface IP address, and remote IP address
  VRRP     VRID, interface name, interface IP address/mask, and virtual IP address/mask
WLAN Configuration AP Configuration AC source IP address   Source IP address type, source IP address type, and interface name
    AP group configuration   AP group name and regulatory domain profile name
AP authentication mode, AP instance configuration, AP ID, AP MAC address, AP SN, AP name, AP group, AP group (adding the AP to the AP group), and regulatory domain
    AP Instance Configuration  
profile name
  Wireless Configuration SSID configuration VAP profile Name, Forwarding Mode, Service VLAN, VLAN Pool, SSID Profile Name, Whether to Authenticate, Security Profile Name, Authentication Profile Name, and Traffic Profile Name
      SSID Profile SSID profile name and SSID name
    RF Configuration Domain management template Administrative domain profile name, country code, 2.4 GHz DCA channel set, bandwidth mode (auto, 20 MHz, 40 MHz, or 80 MHz), and 5 GHz DCA channel set
AP group name, radio ID, frequency band, working mode, radio status, automatic channel selection, bandwidth, channel, automatic bandwidth adjustment, automatic transmit
    AP Group Radio Planning
power selection, EIRP (dBm), and 3D calibration
AP ID, radio ID, frequency band, working mode, radio status, automatic channel selection, bandwidth, channel, bandwidth adjustment, automatic transmit power selection, EIRP
Radio Planning for AP Instances
(dBm), and 3D calibration
  WLAN QoS Configuration Traffic profile   Traffic profile name, single-user rate limit (upstream) and single-user rate limit (downstream)
  WLAN Security Configuration Security Profile   Security profile name and authentication mode (PSK/PPSK/SAE/PSK-SAE)
User Access and Authentication AAA Configuration RADIUS server   Server name, server type, server IP address, server port, and shared key
Authentication scheme
      Authentication scheme template name, first authentication mode, and second authentication mode
template
  NAC Configuration Authentication template   Authentication template name, 802.1x template name, Portal template name, RADIUS template name, and authentication scheme template name
    802.1X access profile   802.1X template name, encryption mode, WPA encryption algorithm, WPA2 encryption algorithm, WPA3 encryption algorithm, and RADIUS authentication server name
Configuring Portal
      Portal protocol version, Portal template name, Portal authentication server name, server URL, server IP address, packet port, shared key, and local gateway address
Authentication

IPv6 Management and Authentication for V600 WACs (Added in R24C10)

V600 WACs and native WACs support GND-based IPv6 configurations. The supported configurations are as follows:
1. IPv6 subnet
2. IPv6 static route
3. IPv6 HWTACACS authentication
4. IPv6 RADIUS authentication
5. Third-party IPv6 Portal authentication
6. IPv6 Portal HACA authentication user
7. Strict IPv6 address learning


Cloud-based Management of V600 APs (1/2) (New in R24C00)

Scenario: Cloud-based management of cloud APs is supported and multiple branch sites can be managed in a unified manner. This improves O&M usability.

The GUI for V600 APs is the same as that for V5 APs. You can configure V5 and V600 cloud APs at the same site and perform O&M management for them.


Cloud-based Management of V600 APs (2/2) (New in R24C00)

V5 APs and V600 APs have the following new capabilities:
1. A single site can manage a maximum of 1024 APs. In addition, distributed wireless optimization, VLAN pool configuration for SSIDs, and VLAN pool configuration for authorization VLANs are supported.

Compared with V5 APs, V600 APs have the following new capability:
1. VIP FastPass


Cloud-based Management of V600 APs (Updated in R24C10)

For V600 APs, features such as IoT, WIDS, mesh, terminal identification, and spectrum analysis are supplemented in R24.1. The new feature Hotspot 2.0 needs to be configured in GND mode.

Configuration capabilities (Level-1 function > Level-2 function: remarks)
l Device system configuration > SNMP: This function is supplemented in R24.1. The alarm server configuration is not supported.
l User access configuration > RADIUS server detection: This function is supplemented in R24.1.
l Wi-Fi > SSID: In R24.1, automatic RADIUS server status detection, strict IPv6 address learning, DAI/IPSG, Layer 3 roaming, Layer 2 user isolation, Portal 2.0, DPSK, URL filtering, and RADIUS DTLS (interconnection with third-party RADIUS servers) are supplemented.
l Wi-Fi > Radio: In R24.1, spectrum analysis, radio mode, antenna mode, antenna gain, and dynamic EDCA parameters are supplemented, and per-packet power control is newly added.
l Security > WLAN security: WIDS is supplemented in R24.1.
l Security > Wireless non-operating management: This function is supplemented in R24.1.
l IoT card: IoT card capabilities in R24.1: The PCIe serial port card, USB Ethernet port/serial port card, and VAS container capabilities are added in R24.1.
l Terminal location reporting: This function is supplemented in R24.1.
l Mesh: This function is supplemented in R24.1.
l Advanced > AP installation location: This function is supplemented in R24.1.
l Tunnel configuration: The tunnel AC and split tunneling functions are supplemented in R24.1.
l Terminal identification: This function is supplemented in R24.1.
l Hotspot 2.0: This function is newly added in R24.1.

O&M capabilities (function: remarks)
l Plug-in deployment: This function is supplemented in R24.1.
l Packet header obtaining: This function is supplemented in R24.1.
l Device syslogs: This function is supplemented in R24.1.
l Wireless non-operating management: This function is supplemented in R24.1.

Monitoring capabilities (function: remarks)
l Spectrum analysis: This function is supplemented in R24.1.
l WIDS monitoring: This function is supplemented in R24.1.
l Mesh link monitoring: This function is supplemented in R24.1.
l Terminal behavior analysis: This function is supplemented in R24.1.
IPv6 Configurations Supported by V600 APs (Added in R24C10)

V600 APs support the following IPv6 configurations:
1. IPv6 NTP
2. IPv6 management VLAN
3. IPv6 subnet
4. IPv6 static route
5. IPv6 HWTACACS authentication
6. IPv6 RADIUS authentication
7. IPv6 Portal (HTTP/HTTPS) authentication
8. IPv6 Portal HACA authentication user
9. IPv6 default permit rule
10. Strict IPv6 address learning
11. IPSGv6 and SAVI


PHY Protection (1/2) (Added in R24C10)

Application scenario
Government, finance, and large enterprise scenarios pose strict requirements on WLAN security, while open air interfaces are vulnerable to eavesdropping. Therefore, packets need to be securely transmitted over air interfaces to ensure WLAN security. Encryption can solve this problem. However, with the improvement of computer performance and the emergence of quantum computers, encrypted packets may still be cracked. PHY protection implements anti-eavesdropping through downlink physical scrambling over air interfaces. This ensures that malicious users cannot eavesdrop on anything, which meets air interface security requirements.

Technical principles and performance verification
Ø An AP calculates the weight (Wn) of the artificial noise orthogonal to the authorized user channel (H).
Ø Signals superimposed with noise are sent to users in the form of MU-MIMO, and can be parsed only by users at the transmission destination.

Authorized user (Bob), channel $H_{A \to B}$:
$$\text{Bob} = (X + W_n) \cdot H_{A \to B} = X \cdot H_{A \to B} + W_n \cdot H_{A \to B} = X \cdot H_{A \to B}, \qquad W_n \cdot H_{A \to B} = 0$$
The signal can be received and parsed properly.

Unauthorized user (Eve), channel $H_{A \to E}$:
$$\text{Eve} = (X + W_n) \cdot H_{A \to E} = X \cdot H_{A \to E} + W_n \cdot H_{A \to E}$$
The signal is impossible to parse due to noise.

Here X is the original transmission signal and Wn is the orthogonal noise signal.

Performance specifications: The performance of authorized users deteriorates.
Performance for authorized users:
l 4T4R: single-user performance ↓ 20%
l 4T4R: multi-user (30) performance ↓ 20%
l 2T2R: single-user performance ↓ 65%
l 2T2R: multi-user (30) performance ↓ 65%

Deployment solution
l Anti-eavesdropping for key services: For customers' key wireless services that have high security and confidentiality requirements.
  SSID-based deployment: An independent SSID is planned for high-security services. The PHY protection license is loaded on APs in the coverage area of the SSID, and the PHY protection function is enabled for the SSID. Communication data generated after any user accesses the SSID at any location is protected against eavesdropping.
l Anti-eavesdropping in key areas: For customers' key areas, such as VIP areas and confidential areas.
  Deployment based on the SSID and APs in specific areas: The PHY protection license is loaded on APs in key areas, where the PHY protection function is enabled for the SSID. Communication data generated after any user accesses the SSID at any location in the areas is protected against eavesdropping.
l Anti-eavesdropping for key users: This solution can prevent wireless communication data from being eavesdropped for VIP users when they access the network from anywhere.
  User-based deployment: Users are authorized as VIP users, and their communication data is protected against eavesdropping when they access any SSIDs from anywhere.

[Figure: three-floor deployment diagrams (Floor1: Normal Area, Floor2: Normal Area, Floor3: VIP Area) showing Normal-SSID, Security-SSID, Normal-SSID (PHY protection), and VIP users]
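The artificial-noise principle on this slide, as an added worked example (not Huawei's implementation and not part of the original slides): a narrowband toy model of the Bob and Eve equations with a 4-antenna AP. It assumes the AP knows the authorized user's channel, each receiver has one antenna, thermal noise is ignored, and Eve knows her own effective gain; the function names, sample channels, and the `noise_power` parameter are made up for the illustration.

```python
import random

# Constructed sample channels: one complex gain per AP antenna (4T radio).
H_AB = [1 + 0j, 0.5j, -0.3 + 0.2j, 0.1 - 0.7j]              # AP -> Bob (authorized)
H_AE = [0.2 - 0.4j, 0.9 + 0.1j, 0.3 + 0.6j, -0.5 + 0.2j]    # AP -> Eve (unauthorized)


def dot(h, x):
    """Signal at a single-antenna receiver: antenna outputs weighted by channel gains."""
    return sum(a * b for a, b in zip(h, x))


def norm(v):
    return sum(abs(a) ** 2 for a in v) ** 0.5


def data_beam(h):
    """Unit-norm transmit weights that align the data symbol X with channel h."""
    n = norm(h)
    return [a.conjugate() / n for a in h]


def noise_weights(rng, h):
    """Random unit vector Wn with dot(h, Wn) == 0, so the noise cancels at Bob."""
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in h]
    scale = dot(h, v) / norm(h) ** 2
    # Remove the part of v that Bob's channel would pick up.
    w = [vi - scale * hi.conjugate() for vi, hi in zip(v, h)]
    n = norm(w)
    return [a / n for a in w]


def simulate(noise_power, n_symbols=2000, seed=1):
    """Send BPSK symbols as X + Wn and measure decoding errors at Bob and Eve.

    noise_power is the artificial-noise power relative to unit data power
    (a model parameter assumed for this example, not a product setting).
    """
    rng = random.Random(seed)
    beam = data_beam(H_AB)
    gain_b = dot(H_AB, beam)   # Bob's effective gain
    gain_e = dot(H_AE, beam)   # Eve's effective gain (best case: she knows it exactly)
    bob_err = eve_err = 0
    max_leak = 0.0
    for _ in range(n_symbols):
        s = rng.choice((-1.0, 1.0))
        wn = noise_weights(rng, H_AB)   # fresh noise direction for every symbol
        amp = complex(rng.gauss(0, 1), rng.gauss(0, 1)) * (noise_power / 2) ** 0.5
        tx = [s * b + amp * w for b, w in zip(beam, wn)]   # X + Wn per antenna
        y_b = dot(H_AB, tx)    # Bob = (X + Wn) . H(A->B)
        y_e = dot(H_AE, tx)    # Eve = (X + Wn) . H(A->E)
        max_leak = max(max_leak, abs(dot(H_AB, wn)))
        bob_err += ((y_b / gain_b).real > 0) != (s > 0)
        eve_err += ((y_e / gain_e).real > 0) != (s > 0)
    return {
        "bob_ber": bob_err / n_symbols,
        "eve_ber": eve_err / n_symbols,
        "max_leak": max_leak,   # largest |Wn . H(A->B)| seen; should be ~0
    }


if __name__ == "__main__":
    for power in (0.0, 10.0):
        print(power, simulate(power))
```

With `noise_power=0.0` both receivers decode every symbol; with artificial noise enabled only Eve's error rate rises, because the noise term stays in the null space of Bob's channel.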

PHY Protection (2/2) (Added in R24C10)

1. Load the license. The license loading page is scenario-specific.
   [Screenshots: Cloud AP; WAC + Fit AP]
2. Enable PHY protection based on service areas. You need to select the APs and the corresponding SSIDs and then enable this function.
   l Cloud APs are deployed based on SSIDs for key services and areas.
   l WACs and Fit APs are deployed based on SSIDs for key services and areas.
3. Enable PHY protection based on VIP users. You need to enable this function on the radio page and then authorize users as VIP users.
   l Cloud AP: Prerequisites: Perform radio-based deployment. Follow-up procedure: Authorize users as VIP users.
   l WAC + Fit AP: Prerequisites: Perform radio-based deployment. Follow-up procedure: Authorize users as VIP users.

Version Status & Constraints in 24.1
• For this feature, the license fee is charged based on the number of APs.
• Two modes: (1) Security priority: Users who do not support MU-MIMO/PHY protection cannot access this security SSID. (2) Service priority (default): Packets are sent in the form of SU to users who do not support MU-MIMO/PHY protection.
• Capabilities supported by AP models:
Ø The AirEngine 5776-26, AirEngine 5776I-X6H, AirEngine 5776I-X7H, AirEngine 5776I-X6EH, AirEngine 6776-X6H, and AirEngine 6776-X6ETH are supported in 24.1.
• Constraints on supported terminals:
Ø 802.11b/a/g/n/11ac Wave 1 terminals are not supported.
Ø 802.11ac Wave 2 terminals (accounting for 30% of all terminals) and 802.11ax/be terminals (accounting for 30% of all terminals) are supported.
• Constraints on supported networking modes:
Ø Fit AP + WAC networking is supported in 24.1.
(1) WAC running V200 + AP running V600: This networking is supported regardless of whether NCE services are deployed.
(2) Standalone WAC running V600 + AP running V600: This networking is supported when iMaster NCE-Campus is used, and is not supported when iMaster NCE-Campus is not used.
• PHY protection's impact on performance:
Ø 4T4R radio throughput decreases by less than 20%, and 2T2R radio throughput decreases by less than 65%. In normal cases, the lower the negotiated rate, the greater the impact.
Ø When PHY protection is used together with VIP per-packet power control, the throughput gain of VIP per-packet power control is offset by the throughput reduction caused by PHY protection.
CLI Template (Added in R24C10)

1. CLI templates can be added, deleted, modified, and queried.
2. Sensitive data in CLI templates can be anonymized.
3. CLI templates support rights-based management but not domain-based management.
4. CLI templates can display the command output of delivery results.
5. No whitelist restriction is imposed on CLI templates. That is, all commands are supported.


Network Service Configuration Summary


l Only the most frequently used configurations are described here. Other configurations are similar.

l Configurations can be performed specific to a site or device type.

l Configurations specific to a site take effect on all devices at the site.

l Configurations specific to a device type take effect only on devices of this device type at the current site.

l Besides basic site and device configurations, iMaster NCE-Campus supports quick deployment driven by
intents or specific to scenarios.

l iMaster NCE-Campus supports automated configuration of virtual networks on VXLAN networks.


Device Plug-and-Play Overview


l The device plug-and-play function simplifies management and configuration of devices
on traditional networks. To implement the plug-and-play function, the following tasks
must be completed in advance:

p Upload licenses to the controller.

p Add devices to the controller (or discover devices by using ESN-free deployment).

p Configure network services on the controller based on network plans.

p Connect devices to the Internet, either by connecting them to a gateway that has access to the Internet or by configuring device WAN interfaces on the device web system.


Device Plug-and-Play – Deployment Through the Registration Center

l Scenario Description

p Purpose: Simplify the operations to implement plug-and-play of cloud managed devices if no ICT professionals are available.

p Participant: Tenant administrators, installation engineers, and commissioning engineers.

p Prerequisites: The MSP administrator has created tenants. iMaster NCE-Campus is working properly, and cloud managed devices have been delivered to the target site.

p Results:

n Expected result: Cloud managed devices are successfully managed, and services are running properly on the devices.

n Fault handling suggestion: If a cloud managed device cannot be started, it is recommended that this cloud managed device be replaced.

[Figure: deployment workflow. Labels: registration center, NCE-Campus, and WLAN Planner (device ESN synchronization, planning files import); tenant administrator; CloudCampus APP (deployment by scanning barcode, single-point acceptance, roaming acceptance, network-wide acceptance; select a site and record device installation locations); installation and commissioning engineer]

Device Plug-and-Play – DHCP-based Deployment

l Scenario Description

p Purpose: Simplify the operations to implement plug-and-play of cloud managed devices if no ICT professionals are available.

p Participant: Tenant administrators, installation engineers, and commissioning engineers.

p Prerequisites: The MSP administrator has created tenants. iMaster NCE-Campus is working properly, and cloud managed devices have been delivered to the target site.

p Results:

n Expected result: Cloud managed devices are successfully managed, and services are running properly on the devices.

n Fault handling suggestion: If a cloud managed device cannot be started, it is recommended that this cloud managed device be replaced.

[Figure: deployment workflow. Labels: NCE-Campus and WLAN Planner (import planning files); tenant administrator; configure a DHCP option to carry the controller information; CloudCampus APP (deployment by scanning barcode, single-point acceptance, roaming acceptance, network-wide acceptance; select a site and record device installation locations); installation and commissioning engineer]

Device Plug-and-Play – ESN-Free Deployment

Scenario description: A myriad of devices at branch sites need to access the network. The administrator wants to reduce ESN recording to improve deployment efficiency.

ESN-free deployment 1.0 (LLDP-based scanning)
① Root device (gateway) configuration and going online
②④⑥ LLDP-based neighboring device discovery
③⑤⑦ Device ESN obtainment, registration, and onboarding
The administrator approves the discovered neighboring devices to go online.

Constraints
Ø ARs can function as root devices. Their neighboring devices, including switches, ARs, and APs, can be discovered, but not firewalls.
Ø Devices can be scanned only layer by layer while automatic network-wide scanning is not supported.

ESN-free deployment 2.0 (DHCP-based deployment)
1. Generate a token.
2. Configure the root device (gateway) to go online and configure it as a DHCP server.
   >> Add the token configurations to DHCP option 148.
3. Obtain the address of iMaster NCE-Campus and token to perform DHCP-based deployment.
4. Send a registration request with the token to iMaster NCE-Campus to go online.
5. Verify the token and allow the device to go online.

Improvements
Ø LSWs, ARs, and firewalls can function as root devices.
Ø LSWs and APs support automatic network-wide access.

[Figure: root device with first-layer and second-layer devices and APs below it]
ESN-Free Deployment via Offline Configuration: Configuration Planning in Advance and Network Plug-and-Play (Updated in R24C00)

Scenario: A large number of devices at branch sites need to be connected to the network. To reduce ESN input by the administrator, the planned device configurations are automatically matched when devices are onboarded. Configurations are delivered offline, improving deployment efficiency.

ESN-free deployment (based on DHCP)
1. Generate a site code.
2. Configure the root device (gateway) to be onboarded and to act as a DHCP server. (The site code configuration is added to DHCP Option 148 settings.)
3. Obtain the iMaster NCE address and site code information in the DHCP-based deployment process.
4. Register and onboard, carrying the site code information.
5. Verify the site code and allow the device to be onboarded.

ESN-free deployment (based on DHCP & LLDP)
Steps 1–3 are the same as in the DHCP-based process.
4. Register and onboard, carrying the site code and LLDP information.
5. Verify the site code.
6. Matching LLDP links: Match the link information reported by a device with the planned link information to determine the device location in the topology.
* If no match is found, an alarm is generated and the device cannot be onboarded.

[Figure: planned topology with interfaces GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4, GE0/0/5, and GE0/0/10 and APs attached below]

Improvement: After a device is powered on, it can automatically match the planned topology location and support offline configuration.
Improved process: Onsite construction is decoupled from remote configuration. After power-on, services do not need to be configured, implementing plug-and-play.

Process comparison
l ESN-free: Planning phase: planning (site creation, etc.). Implementation phase: construction and power-on, then service configuration.
l ESN-free and offline configuration: Planning phase: planning (site creation, topology planning, etc.) and service pre-configuration. Implementation phase: construction and power-on. Result: plug-and-play.

Device Plug-and-Play 1.0 – ESN-Free Deployment


l Scenario description

p Purpose: ESN information is not available on the live network. As such, device ESNs are imported through barcode scanning, which has low
efficiency. With ESN-free deployment 1.0, devices directly connected to a root device are automatically added to the controller. As such, other
devices on the live network are scanned layer by layer and then added to the controller.

p Participant: Tenant administrators, installation engineers, and commissioning engineers

p Prerequisites: The MSP administrator has created tenants, iMaster NCE-Campus is working properly, and cloud managed devices have been
delivered to the target site.


ESN-Free Deployment 2.0: Automatic Network-Wide Scanning, Improving Deployment Efficiency

Devices are discovered automatically and can be added to the site after being approved.

ESN-free is enabled during site creation. Then the site generates a random site code.

l Scenario description
p Purpose: Compared with 1.0, ESN-free deployment 2.0 does not need to scan devices layer by layer. Specifically, the controller delivers a site code to devices at the site
to be deployed through DHCP packets. As such, when a root device at the site is added to the controller, other devices at the site can be added automatically, free of
ESNs. In addition, the approval function is provided.
p Participants: Tenant administrators, installation engineers, and commissioning engineers
p Prerequisites: The MSP administrator has created tenants, iMaster NCE-Campus is working properly, and cloud managed devices have been delivered to the target site.

PON management
POL Campus Networking


• A passive optical LAN (POL) is a flat access network that uses the PON technology, and consists of OLTs, ONUs, and a passive optical distribution network (ODN).

l Campus deployment modes and applicable scenarios

[Figure: IP networking compared with POL networking under NCE-Campus, with callouts 1, 2, and 3. Labels: core switch, WAC, aggregation switch, access switch, OLT, ODN, optical splitter, drop fibers, ONU, SFP ONU, ONT, and access terminals (IPC, PC, AP, phone)]

PON management
POL Device Management

l The controller can manage POL devices in a centralized manner and allows users to manually add OLTs.


Click Add Device > Add on the Device tab page of the Device Management page to add devices.

The device list displays basic information about IP devices (switches and APs) and PON devices (OLTs and ONUs).


PON management
Adding OLTs


l OLTs can be added to the controller for management through SNMP.


Currently, OLTs can be managed only through SNMP. Therefore, you need to select the SNMP protocol when adding an OLT.

To distinguish PON devices from traditional network devices, you need to click the PON Device tab when adding an OLT and enter the IP address and SNMP parameters.


PON management
360 Monitoring - OLT

l The controller can display OLT resources and status information in a centralized manner, helping users learn the resource status at any time.

Click Synchronize to synchronize the latest data from OLTs, such as information about Ethernet ports, GPON ports, and ONUs.

Click an OLT name to go to the OLT details page.


PON management
360 Monitoring - ONU

l The controller can display ONU resources and status information in a centralized manner, helping users learn the resource status at any time.

Click WLAN Configuration Import to set Wi-Fi parameters for ONUs in batches.

Click ONU Alias Configuration to import ONU aliases in batches, facilitating subsequent ONU maintenance.

Click an ONU name to go to the ONU details page.


PON management
OLT Details

l The controller can display OLT details, including basic OLT information, resource overview, and KPIs.

Displays basic OLT information, including the OLT status, IP address, MAC address, type, and version.

Displays the running statistics of Ethernet and GPON ports on OLTs and the running statistics of ONUs so that users can quickly detect issues.

Displays device KPIs, helping users learn about the running status of OLTs.

PON management
ONU Details

l The controller can display ONU details, including basic ONU information, port overview, and KPIs.


Displays basic ONU information, including the ONU status, SN, type, version, and dying gasp information.

Displays the running statistics of Ethernet and POTS ports on ONUs so that users can quickly detect issues.

Displays device KPIs, helping users learn about the running status of ONUs.

PON management
Service Provisioning Process


1. On-demand pre-configuration: Create a ZTP policy on NCE-Campus and bind the policy to a scenario template.
2. ONU installation and power-on: After an ONU is installed and powered on, it will be discovered by an OLT. The OLT then sends a notification to NCE-Campus.
3. Automatic configuration delivery: After receiving the notification, NCE-Campus delivers service configurations to the OLT.
4. Device activation: The OLT automatically activates the ONU and delivers configurations to it. Services then take effect on the ONU automatically.

l ONUs support plug-and-play and visualized batch configuration. One site visit, no human intervention after power-on.

l The ONU deployment efficiency is improved by 10 times. The time required for installing and commissioning a single ONU is reduced from 30 minutes to 3 minutes.

l On-demand deployment reduces skill requirements and workloads, lowering delivery costs.

[Figure: NCE-Campus, OLT, and ONU, with PoE-powered terminals (IP phone, laptop)]

PON management
Unified and Multi-Dimensional O&M Methods


Displays the device network topology.

Displays complete performance information.

Displays alarms of all devices.


LAN-WAN convergence

Homepage in the LAN-WAN Convergence View


Ø Tenant administrators can select a view when logging in to the system. The following views are available: Intelligent Cloud Campus (applicable to the LAN scenario), WAN Interconnection (applicable to the WAN scenario), and LAN-WAN Convergence (applicable to LAN and WAN scenarios).

Ø Menu names and layouts are unified in the three views. However, available menus and tab pages in the views differ, so that users can focus on functional menus applicable to their actual scenarios.

Ø Tenant administrators need to select a view upon their first login. After a view is selected, the system automatically loads the menus available in this view, and this view is used by default upon subsequent logins. The selected view can be changed under the System menu.

1. Tenant administrators can select a view upon first login.
2. After a view is selected, the homepage is displayed, with menus applicable to this view.
3. The view can be changed under the System menu.

LAN-WAN convergence
Unified Menus in the LAN-WAN Convergence View


Ø The menus in the LAN-WAN convergence view are unified, through the combination of NCE-Campus and NCE-WAN menus.
The menus related to SD-WAN are optimized according to the menus on NCE-WAN, guaranteeing user experience.
Ø Menus are adjusted to help users find paths for configuring their desired services more easily.
Ø Each menu focuses on a certain function and provides user-oriented apps to guide users through configurations.


For example, the tabs under the WAN Physical Network menu in the LAN-WAN convergence view are the same as those on NCE-WAN.


LAN-WAN convergence
LAN-WAN Interconnection Configuration in the LAN-WAN Convergence Scenario

Ø The controller provides a dedicated menu for the LAN-WAN interconnection configuration and moves the original
orchestration wizard to the homepage, as an app.


Interconnection model


LAN-WAN convergence
Four-Step Configuration Wizard for LAN-WAN Convergence

1. WAN egress interconnection
2. LAN campus configuration
3. Routes for LAN-WAN interconnection
4. WAN traffic policy, such as intelligent traffic steering

LAN-WAN convergence
Differentiated Application Management and Control Based on ACLs

① ACL policies can be configured for overlay LAN interfaces and
underlay WAN interfaces.


② A blocking policy can be configured on an interface in the
inbound direction and can be configured to take effect within a
specified period of time.


Generally, the ACL policy (blocking policy) configuration is applicable to online behavior management. These
policies can be configured based on the application type and protocol.


LAN-WAN convergence
QoS Guarantees Bandwidth Resources for Key
Applications

q Traffic can be classified based on application types and
protocols.
q Traffic priority, traffic policing, and traffic shaping
policies are supported. When the function of
configuring traffic priorities is enabled, DSCP values of
traffic need to be set (which can be customized).


[Figure: traffic priority, traffic shaping, and traffic policing between two CPEs over MPLS/Internet; legend: traffic with the highest priority, traffic with the medium priority, traffic with the lowest priority]

LAN-WAN convergence
Intelligent Traffic Steering Policy Guarantees Service
Experience of Key Applications

Select a traffic steering scenario.

① Set traffic steering metrics (jitter, delay, and packet loss rate).
② Set link priorities. You can set priorities for two MPLS links and two Internet links.
③ Set parameters for link quality-based and bandwidth-based traffic steering.
④ Set the load balancing mode for traffic steering as needed.
⑤ Set the time period during which the traffic steering policy takes effect.

[Figure: two CPEs connected over MPLS 1, MPLS 2, Internet 1, and Internet 2; legend: configuration channel, primary link, secondary link]

LAN-WAN convergence
New in R23C10
SaaS Traffic Steering - Scenarios and Principles


p Scenario
If there are multiple local Internet egresses, the optimal egress link is selected for the specified SaaS application or
load balancing is performed on multiple egress links that meet the SLA.

p Principles
ü Quality detection is performed for each SaaS service on different egress links based on a specific URL
to calculate the quality of the SaaS application on different egress links and continuous detection is
performed.
ü Traffic steering policies are configured for different SaaS applications, including load balancing policies
and link quality requirements.
ü When a terminal initiates a SaaS DNS request, an AR hijacks the DNS packet, initiates a DNS request
on the selected link, and returns the result to the terminal. In this way, traffic steering is complete.

p Specifications
ü The detection mode is HTTP or TCP ping. The delay and packet loss rate can be detected. The vQoE
score is calculated based on the delay and packet loss rate for link quality evaluation.
ü The optimal link can be selected or multiple links that meet the SLA requirements can be selected for
load balancing. A maximum of three links can be selected for load balancing.
ü When traffic steering changes and the established sessions are switched, NAT is performed again,
causing service interruption. Therefore, during the traffic steering switchover, the established sessions
are not switched.
ü The SaaS traffic steering scope depends on the capability of the application identification database. The
application identification database is updated irregularly. It is estimated that 16 SaaS applications will
be supported in July.
ü Currently, the AR8700/AR8140/AR6700 series are supported.

[Figure: User, Site1, and SaaS; legend: new traffic, old traffic, links with better quality, links with poor quality]
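
The selection rules in the specifications above (SLA filtering, at most three links for load balancing, established sessions left on their original link) can be modelled as follows. This is an added example, not Huawei code: the scoring formula, the fallback when no link meets the SLA, the class and function names, and the probe values are all assumptions made for illustration.

```python
import zlib
from dataclasses import dataclass

MAX_LB_LINKS = 3  # from the page: at most three links can share the load


@dataclass(frozen=True)
class Probe:
    """Result of one HTTP or TCP ping probe of a SaaS detection URL on one link."""
    link: str
    delay_ms: float
    loss_pct: float


def quality_score(probe):
    """Hypothetical 0-100 score from delay and loss; not Huawei's vQoE formula."""
    return max(0.0, 100.0 - probe.delay_ms / 4.0 - 10.0 * probe.loss_pct)


def select_egress(probes, sla_delay_ms, sla_loss_pct, load_balance=False):
    """Return the egress links that new SaaS sessions may use, best first."""
    meeting_sla = [p for p in probes
                   if p.delay_ms <= sla_delay_ms and p.loss_pct <= sla_loss_pct]
    # Assumption: when no link meets the SLA, use the single best-scoring link.
    candidates = meeting_sla or list(probes)
    ranked = sorted(candidates, key=quality_score, reverse=True)
    limit = MAX_LB_LINKS if (load_balance and meeting_sla) else 1
    return [p.link for p in ranked[:limit]]


class SaasSteering:
    """Pins every session to the link that was selected when it was created."""

    def __init__(self, sla_delay_ms, sla_loss_pct, load_balance=False):
        self.sla = (sla_delay_ms, sla_loss_pct)
        self.load_balance = load_balance
        self.active_links = []
        self.sessions = {}  # 5-tuple -> egress link

    def on_probe_round(self, probes):
        """Continuous detection: re-rank the links after every probe round."""
        self.active_links = select_egress(
            probes, *self.sla, load_balance=self.load_balance)
        return self.active_links

    def link_for(self, five_tuple):
        """Established sessions keep their link, because moving them redoes NAT."""
        if five_tuple in self.sessions:
            return self.sessions[five_tuple]
        if not self.active_links:
            raise RuntimeError("no probe results yet")
        # Stable hash so that a flow always maps to the same candidate link.
        index = zlib.crc32(repr(five_tuple).encode()) % len(self.active_links)
        self.sessions[five_tuple] = self.active_links[index]
        return self.sessions[five_tuple]


# Constructed probe rounds (made-up values): Internet1 degrades in round 2.
ROUND_1 = [Probe("Internet1", 20, 0.0), Probe("Internet2", 60, 0.5),
           Probe("Internet3", 250, 4.0)]
ROUND_2 = [Probe("Internet1", 300, 6.0), Probe("Internet2", 40, 0.0),
           Probe("Internet3", 250, 4.0)]

if __name__ == "__main__":
    steering = SaasSteering(sla_delay_ms=100, sla_loss_pct=1.0)
    old_flow = ("10.1.1.10", 50000, "203.0.113.5", 443, "tcp")
    new_flow = ("10.1.1.11", 50001, "203.0.113.5", 443, "tcp")
    steering.on_probe_round(ROUND_1)
    print("old flow, round 1:", steering.link_for(old_flow))
    steering.on_probe_round(ROUND_2)
    print("old flow, round 2:", steering.link_for(old_flow))
    print("new flow, round 2:", steering.link_for(new_flow))
```
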

LAN-WAN convergence
New in R23C10
SaaS Traffic Steering - Configuration and Query

1. Configure a SaaS traffic steering policy.
2. Change the preset detection URL.
3. Apply the policy to a site.
4. Specify egress links for traffic steering.
5. View policy information and traffic steering information.


LAN-WAN convergence
New in R23C10
Intelligent Policy Recommendation UC1: Recommended Traffic Steering Policy
Implements Optimal Load Balancing Among Multiple WAN Links

p Scenarios:
Network administrators do not know the specific traffic volume of services. The
configured SPR policy cannot ensure balanced bandwidth utilization among
multiple WAN links.

p Solution principles
ü The device has been running on the network for at least one week, and the controller has collected
application traffic statistics and bandwidth utilization within this period.
ü Users configure traffic rule constraints, including which links can be selected for applications and link SLA
requirements. The controller calculates and recommends a proper traffic steering policy based on
collected historical data. After confirming that the policy is correct, users can click OK to deliver the
recommended policy. The recommended optimal policy is then deployed.
ü Currently, multi-VPN scenarios are not supported, and QoS is not supported. (Packet loss caused by QoS
affects the policy recommendation accuracy.)
ü Policy recommendation can be deployed only on branch CPEs. Symmetric routing needs to be deployed
on the hub side to follow the traffic steering result of branches. However, when recommending policies to
branches, the controller calculates the policies based on the outgoing traffic statistics of the hub.

p Effect
Traffic changes on links and optimization of bandwidth utilization differences between links
can be displayed through simulation. A smaller difference indicates a more balanced load on
links. After confirming the information, you can click Deliver.

[Figure: congested active link (MPLS) and idle standby link (5G); Link 1 congested, Link 2 idle; low bandwidth utilization]

LAN-WAN convergence
New in R23C10
Intelligent Policy Recommendation UC1: Configuration Mode

p Configure a policy recommendation task.
ü Specify the data of the specified period for reference.
ü Specify the traffic steering conditions of an application.

p View the recommendation result.
ü Check the overview of the recommendation result.
ü Click the evaluation report to view the specific traffic changes.
ü Click Details to view the detailed recommendation policy information.

p Confirm information and click Deliver.
ü Confirm the information and click Deliver.


LAN-WAN convergence
New in R23C10
Intelligent Policy Recommendation UC2: Helping Users Analyze Link
Bandwidth Utilization

p Scenarios
How to analyze traffic to provide reference for scaling
n How to analyze the current bandwidth utilization? Are there links congested or wasted?
n Is capacity expansion valuable? Does the link reach the expected utilization?
n How to efficiently plan network-wide bandwidth?

p Solution principles
ü If there are multiple WAN links, the capability of Scenario 1 is used to balance traffic.
ü The device has been running on the network for at least one week, and the controller has collected
the link bandwidth utilization within this period.
ü Users can specify the upper threshold of the bandwidth utilization and the percentage of the time when
the bandwidth utilization exceeds the threshold. The controller recommends proper link bandwidth based
on historical data, helping users make decisions on link scaling.

p Effect
ü Help users analyze link bandwidth and provide recommended link bandwidth adjustment information.
(This is the basis for scale-out. Exercise caution when performing scale-in.)
ü Based on the analysis report, you can view the specific application and bandwidth information at the
peak time with the highest bandwidth utilization, facilitating decision-making.

[Figure: Link 1 (congestion) through Link n (low link utilization); maximize ROI]

LAN-WAN convergence
New in R23C10
Intelligent Policy Recommendation UC2: Configuration Mode

p Configure a bandwidth analysis task.
ü Configure a bandwidth analysis task.
ü Specify the sites and links to be analyzed and user-expected link bandwidth utilization parameters:
  Tolerable usage threshold. If the usage exceeds this threshold for a long time, capacity expansion is considered.
  Percentage of the bandwidth usage (based on historical data) that is expected to be covered by the recommended bandwidth.

p Check the recommendation result.
ü The adjusted link bandwidth is provided based on user expectations to guide link scale-out and scale-in.
Exercise caution when performing scale-in.
ü Reports display the time segment when the bandwidth utilization exceeds the upper threshold and the
specific application at the peak point, helping users make decisions.
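
The two parameters of the bandwidth analysis task (tolerable usage threshold and the percentage of historical usage the recommended bandwidth should cover) can be worked through on sample data as below. This is an added example, not the controller's algorithm: the nearest-rank percentile, the sizing rule, the names, and the utilization samples are assumptions made for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    slot: int       # index of the collection interval
    mbps: float     # measured link usage in that interval
    top_app: str    # application with the most traffic in that interval


def nearest_rank_percentile(values, pct):
    """Smallest value that covers at least pct percent of the samples."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def exceed_segments(samples, limit_mbps):
    """Runs of consecutive slots whose usage is above the tolerable limit."""
    segments, start, last = [], None, None
    for s in samples:
        if s.mbps > limit_mbps:
            if start is None:
                start = s.slot
            last = s.slot
        elif start is not None:
            segments.append((start, last))
            start = None
    if start is not None:
        segments.append((start, last))
    return segments


def analyze_link(samples, capacity_mbps, threshold_pct, coverage_pct):
    """Report threshold exceedance, the peak application and a suggested bandwidth."""
    limit = capacity_mbps * threshold_pct / 100
    over = [s for s in samples if s.mbps > limit]
    covered = nearest_rank_percentile([s.mbps for s in samples], coverage_pct)
    peak = max(samples, key=lambda s: s.mbps)
    # Assumption: size the link so the covered usage sits at the tolerable threshold.
    recommended = covered * 100 / threshold_pct
    if recommended > capacity_mbps:
        action = "scale-out"
    elif recommended < capacity_mbps:
        action = "scale-in candidate"  # the page advises caution with scale-in
    else:
        action = "keep"
    return {
        "time_over_threshold_pct": 100 * len(over) / len(samples),
        "segments": exceed_segments(samples, limit),
        "peak_slot": peak.slot,
        "peak_app": peak.top_app,
        "covered_mbps": covered,
        "recommended_mbps": recommended,
        "action": action,
    }


# Constructed samples for a 100 Mbit/s link (made-up values and application names).
SAMPLES = [Sample(i, mbps, app) for i, (mbps, app) in enumerate([
    (20, "web"), (30, "web"), (40, "erp"), (50, "erp"), (60, "video"),
    (70, "video"), (85, "backup"), (90, "backup"), (95, "backup"), (40, "web"),
])]

if __name__ == "__main__":
    for key, value in analyze_link(SAMPLES, 100, 80, 90).items():
        print(f"{key}: {value}")
```
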

LAN-WAN convergence
New in R23C10
Intelligent Policy Recommendation UC3: Abnormal Traffic
Detection Tool

p Scenarios
ü The network is highly complex. How to gain insight into traffic at any time?
ü Does abnormal traffic affect the accuracy of traffic steering policy recommendation and
bandwidth analysis in Scenario 1 and Scenario 2?
(1) Who uses the bandwidth? Is the bandwidth utilization regular?
Multiple types of services are transmitted on the private line. Are services and bandwidth
utilization regular?
(2) How to detect abnormal traffic?
Application-based anomaly detection needs to process a large number of applications. How to
detect abnormal applications in real time?
(3) How to handle abnormal traffic?
Low-priority applications consume network resources and bring low scale-out benefits. How
to limit the number of low-priority applications?

p Functions
ü Provide information about abnormal burst traffic based on the traffic data of the last seven days.
ü Configure QoS policies to eliminate abnormal traffic if you identify abnormal bursts
of some applications.

[Figure: difficult to detect abnormal traffic]

New in R24C00
Intelligent Policy Recommendation UC4: QoS Policy
Recommendation for Devices

p Scenarios
Low-priority services, heavy traffic, and frequent traffic bursts are the
main problems faced by the live network.
l Abnormal traffic bursts and WAN congestion occur. As a result,
packets of high-priority services are discarded, and user experience cannot be
ensured.
l Low-priority services consume large amounts of WAN bandwidth resources,
making it unworthy to expand WAN capacity.
On a WAN network, when a key service is affected, you can only analyze the
problem manually or expand the capacity of the WAN. This makes decision-
making difficult and the problem cannot be solved effectively.

Requirements:
Technologies such as exception detection are used to perform big data
analytics and modeling and dynamically adjust QoS shaping parameters for
low-priority services, ensuring zero packet loss for high-priority services.

p Fundamentals
l Application bandwidth model: Calculates the stable bandwidth and
burst bandwidth based on traffic statistics.
l QoS parameter recommendation: Recommends the maximum
bandwidth for a specific application based on the bandwidth models
of all applications.
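
The abnormal burst detection of UC3 and the two fundamentals of UC4 (application bandwidth model, then a maximum bandwidth per application) can be sketched over seven days of traffic as below. This is an added example, not the controller's model: the median as stable bandwidth, the burst factor, the proportional split of the remaining headroom, and the application names and samples are assumptions made for illustration.

```python
from statistics import median

BURST_FACTOR = 2.0  # assumption: a sample above 2x the stable bandwidth is abnormal


def bandwidth_model(samples_mbps):
    """Stable and burst bandwidth of one application, plus its abnormal slots."""
    stable = median(samples_mbps)
    burst = max(samples_mbps)
    abnormal = [i for i, v in enumerate(samples_mbps) if v > BURST_FACTOR * stable]
    return {"stable": stable, "burst": burst, "abnormal_slots": abnormal}


def recommend_caps(link_mbps, apps):
    """Build the model of every application and cap the low-priority ones.

    apps maps a name to {"priority": "high" or "low", "samples": [Mbit/s, ...]}.
    """
    models = {name: bandwidth_model(a["samples"]) for name, a in apps.items()}
    high = [n for n, a in apps.items() if a["priority"] == "high"]
    low = [n for n in apps if n not in high]
    # Reserve the burst bandwidth of every high-priority application first, so
    # that shaped low-priority traffic can never crowd it out.
    reserved = sum(models[n]["burst"] for n in high)
    headroom = max(0.0, link_mbps - reserved)
    low_stable = sum(models[n]["stable"] for n in low)
    caps = {}
    for n in low:
        # Split the headroom in proportion to each application's stable bandwidth.
        share = models[n]["stable"] / low_stable if low_stable else 1 / len(low)
        caps[n] = round(headroom * share, 1)
    return models, caps


# Constructed daily peak rates in Mbit/s for the last seven days (made-up values).
APPS = {
    "voice": {"priority": "high", "samples": [10, 10, 12, 10, 11, 10, 10]},
    "erp": {"priority": "high", "samples": [20, 22, 20, 21, 20, 20, 30]},
    "video_streaming": {"priority": "low", "samples": [15, 15, 16, 15, 90, 15, 14]},
    "updates": {"priority": "low", "samples": [5, 5, 5, 6, 5, 5, 5]},
}

if __name__ == "__main__":
    models, caps = recommend_caps(100, APPS)
    for name, model in models.items():
        flag = "ABNORMAL BURST" if model["abnormal_slots"] else "regular"
        print(f"{name}: stable={model['stable']} burst={model['burst']} {flag}")
    print("shaping caps for low-priority applications:", caps)
```
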

WAN Optimization: FEC for Devices Running V600

FEC policies for WAN optimization can be configured
for devices running V600. With FEC, devices can detect
packet loss on the network, and automatically adjust
the FEC redundancy rate to reduce bandwidth
consumption when the packet loss rate is low. If the
packet loss rate increases, devices increase the
redundancy rate accordingly to offset the impact of
packet loss on the network. FEC


Enhanced FEC Effect Display for Devices Running V600

The controller can display the effect after FEC configuration. It compares the packet loss
rates and traffic statistics before and after an FEC policy is applied.


Session Whitelist

Users can configure a session whitelist based on 5-tuple information, so that devices forward specified traffic flows
as-is, and do not perform specified services for these flows. This can save session entries for key SD-WAN services,
eliminating impacts on SD-WAN services.


LAN-WAN convergence
Quick Configuration of Internet Access, Facilitating
Internet Access Policy Management

q Supports local Internet access, applicable to scenarios where site traffic does not
need to be managed or controlled.

q Supports centralized Internet access, applicable to scenarios where no Internet
link is available or enterprise's Internet access traffic needs to be centrally
managed and controlled.

q Supports local Internet access + centralized Internet access, applicable to
scenarios with high reliability requirements. Local Internet access is used
preferentially.

q Supports centralized Internet access + local Internet access for specified
applications, applicable to scenarios where Internet access traffic needs to be
centrally managed and controlled, but Internet access traffic of specific
applications needs to be routed out in local mode to minimize the delay.

Configure an Internet access policy.
① Configure a centralized Internet access policy.
② Configure a local Internet access policy.

[Figure: local Internet access and centralized Internet access; Branch CPE, HQ CPE, FW, MPLS, Internet]


LAN-WAN convergence
Connection to Legacy MPLS Networks, Smooth
Evolution of Private Line Services

Configure a policy for connecting to a legacy MPLS network.

q Local access: An SD-WAN site communicates with a legacy site through the local CPE. That
is, the CPE at the SD-WAN site acts as a customer edge (CE) device and communicates
with the provider edge (PE) device at the peer legacy site on an MPLS network.
q Centralized access: An SD-WAN site and a legacy site communicate with each other
through a centralized gateway. The centralized gateway, which is a hub device, acts as a CE
device and communicates with the PE device at the peer legacy site on an MPLS network.

[Figure: local access and centralized access; legacy site, PE, MPLS, CPE, iMaster NCE-WAN site, iMaster NCE-WAN HQ, Internet]


LAN-WAN convergence
Diversified Security Policies for Differentiated Access
Control

1. Orchestrate inter-domain validation.
2. The LAN port is added to the user-defined security zone.
URL filtering policy

• URL whitelist and blacklist, as well as user-defined URL
policies can be configured.
• Category-specific URL filtering policies can be configured
based on the predefined signature database, which contains
about 200,000 signatures.

Firewall policy

• Firewall policies for permitting or denying incoming and
outgoing traffic, and for controlling access between zones
can be configured (packet-based filtering).
• By default, the traffic from the Trust zone to the Untrust zone
is permitted, and the traffic from the Untrust zone to the
Trust zone is denied.

IPS&AV policy

• IPS&AV policies can be configured to defend against threat
traffic.
• IPS&AV policies can be configured based on the predefined
IPS&AV signature database.
LAN-WAN convergence
New in R23C10
Traffic Statistics

Ø When overlay packet loss occurs on the network and needs to be demarcated, iMaster NCE-Campus can configure traffic statistics tasks
for sites in batches. It collects statistics on WAN interfaces, LAN interfaces, EVPN tunnel interfaces, and internal communication tunnel interfaces
in different directions, displays statistics comparison results by flow, and analyzes packet loss.
Ø Configure an ACL-based traffic statistics collection task.


Ø Select a device to enable traffic statistics collection.


Ø View traffic statistics.


LAN-WAN convergence
New in R23C10
Sec SD-WAN: V600 FW supports SD-WAN.

Scenario Description
On the SD-WAN network, users at branch outlets access SaaS applications locally, which has special security requirements.

Main capabilities of the FW as the SD-WAN branch access point:
1. Functions as a branch access point instead of a hub point.
2. Supports SD-WAN overlay tunnel orchestration, SPR path selection, security policies, and NAT policies.
3. The following networking modes are supported:
Ø Single Hub-Spoke Networking + Local Internet Access
Ø Full-Mesh Networking + Centralized Internet Access (Active+Standby)
Ø Dual-Hub-Spoke Networking + Service-based Routing Policy Control
Ø Scenario Where a Hub Is Connected to a Firewall in Bypass Mode

Constraints:
1. Only V600 FWs are supported, and cannot function as hubs.
2. This feature is supported only in the OP scenario and is not supported in the MSP-owned cloud and public cloud scenarios.
3. The FW gateway site does not support QoS, IPv6, IWG, application-based local Internet access, 802.1X authentication,
application quality monitoring, SRv6, and network slicing.

[Figure: three topologies with the FW as the branch access point (single-hub-spoke network, full-mesh networking, dual-hub-spoke networking); HQ site, HQ site1, ServiceA, ServiceB, SiteB, SiteC; route advertisement, OSPF, VRRP]

LAN-WAN
Convergence
One Unified WAN


[Figure: NCE-Campus and NCE-IP; branch/outlet and tier-1 branch ARs, access WAN, hubs, NE devices, backbone WAN, DC vSwitches and VMs; SRv6, Option A]

Ø Hierarchical management by NCE-Campus and NCE-IP

p Backbone and access WANs are managed separately.

p NCE-IP manages the backbone network set up by NE devices whereas NCE-Campus manages branch access networks set up by ARs and NE devices.
SRv6 TE tunnels can be established between ARs, between ARs and NE devices, and between NE devices, and service paths can be adjusted globally
and dynamically. NCE-Campus and NCE-IP cooperate to orchestrate network services across domains, implementing end-to-end service provisioning
and maintenance. As such, a unified SRv6 network is ready for enterprise WANs.


LAN-WAN
Convergence
One Unified WAN


l Provides the SRv6 tunnel mode for tenants.


l Provides agile configurations, which allows
quick deployment of underlay and overlay
configurations, as well as SRv6 BE
configurations.


LAN-WAN
Convergence
One Unified WAN


l Support the configuration of SR Policies, BFD for link connectivity detection, and
IFIT-based link quality measurement and visualization.

Automatic Provisioning of EVPN VPLS over SRv6


1. In SRv6 tunnel mode, VPNs in BD mode can be
created.
2. NE devices can be added to VPNs using the BD mode.
3. Layer 2 access can be configured.
4. Traffic steering capabilities in EVPN VPLS over SRv6
are the same as those in L3EVPN. That is, traffic can
be redirected to tunnels, steered based on SPR
policies, and steered based on DSCP values.


LAN-WAN
Convergence
Multi-Cloud Interconnection


Ø Lifecycle management of VNFs and transit VPCs/TGWs on clouds
• vCPE startup, release, status monitoring, reliability protection, and
dynamic scale-in and scale-out
• Transit VPC startup, configuration, and release
• TGW creation and configuration
Ø Unified orchestration of networks and services on clouds and
unified network and application orchestration APIs for the upper
layer, with API and implementation differences between public
and private clouds being shielded
• vCPE management
• Underlay network orchestration on the cloud
• Overlay network orchestration on the cloud
• VAS orchestration on the cloud
Ø Cloud-based O&M
• Unified topology display
• Unified connectivity detection and link quality measurement
• Fault locating and recovery
Ø Cloud-based vCPE deployment
• Automated deployment on Huawei Cloud, China Telecom e-Cloud,
and AWS Cloud
• Manual deployment on Azure and Tencent clouds

[Figure: tenant/carrier portal (RESTful); northbound network service layer (VPN/traffic steering/QoS/security/WOC, multi-cloud orchestration, O&M); southbound NE layer; third-party VAS, EMS, vRR; branch/campus (vCPE, uCPE, legacy Layer 3 CPE), IWG, and cloud/DC (VNFs, VPC/vDC, public cloud, private cloud) connected over Internet and MPLS]


LAN-WAN
Convergence
Multi-Cloud Interconnection


l Configure credentials for accessing Huawei Cloud and
AWS Cloud and establish HTTP connection channels.


l Deploy AR1000V devices by invoking cloud APIs and start
services. Service-related underlay and overlay configurations
are not mentioned here.

LAN-WAN
Convergence
NCE-Campus Upgrade Policy


Deployment Scenario | Single-node System | Minimum Cluster | Distributed Cluster

Before upgrade (Campus) | 1 x 128 GB (LAN); 1 x 128 GB (LAN + POL) | 3 x 128 GB (LAN) | 4 x 128 GB (LAN-WAN); 4 x 128 GB (LAN + POL) | N/A | 5 x 256 GB (LAN); 6 x 256 GB (LAN-WAN) | 9 x 256 GB (LAN); 12 x 256 GB (LAN-WAN)
Before upgrade (WAN) | N/A | N/A | 3 x 128 GB (WAN) | 3 x 256 GB (WAN) | N/A | N/A
After upgrade | 1 x 128 GB (LAN + POL) | 3 x 128 GB (LAN + POL) | 3 x 128 GB (LAN-WAN + POL) | 3 x 256 GB (LAN-WAN) | 5 x 256 GB (LAN-WAN) | 9 x 256 GB (LAN-WAN)
Feature adjustment | N/A | N/A | No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default. | No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default. | No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default. | No matter whether the SD-WAN feature is deployed before upgrade, this feature is deployed after upgrade by default.
VM adjustment | N/A | N/A | If the cluster with 4 x 128 GB servers is to be upgraded, one server with one controller service node (service plane tag deleted) is idle after upgrade. | N/A | If the cluster with 6 x 256 GB servers is to be upgraded, one server with two controller nodes (one service node and one middleware node, with service plane tags deleted) and one FusionInsight node (with tag deleted) is idle after upgrade. | If the cluster with 12 x 256 GB servers is to be upgraded, three servers with a total of four controller nodes (one service node and three middleware nodes, with service plane tags deleted) and three FusionInsight nodes (with tags deleted) are idle after upgrade.

iPCA 2.0
iPCA 2.0


Ø iPCA 2.0 configuration
• Configure NCE-Campus to monitor flows based on applications
/security groups, deliver the configuration to APs and LSWs,
enable iPCA 2.0 on LSWs along flow forwarding paths, and
configure in-point devices to color flows.
Ø Flow statistics reporting
• LSWs and APs periodically report statistics about flows
identified based on applications/security groups to
CampusInsight for analysis.
Ø Flow statistics analysis
• CampusInsight performs E2E packet loss and delay analysis on
the monitored flows hop by hop, and displays analysis results.
Ø Flow identification
• Flows to be monitored can be identified based on 5-tuple
information, applications, security groups, or applications +
security groups.

[Figure: CampusInsight and NCE-Campus; iPCA 2.0 configuration; iPCA 2.0 + coloring configuration; flow data reporting based on applications and security groups; wireless access and wired access; configuring flows to be monitored; automatically identifying flows to be monitored]

iPCA 2.0
iPCA 2.0


l Configure a flow identification template to identify
flows to be measured based on the 5-tuple
information, applications, security groups, or
applications + security groups.

l Configure hop-by-hop flow measurement
based on the flow identification template and
configure in-point devices to color flows.


iPCA 2.0
iPCA 2.0


l CampusInsight can display the forwarding path of a specified flow and
packet statistics on each device port along the path.


Agile Report
Agile Report


A unified navigation path is available for creating dashboards and reports, which is more flexible.
Preset widgets can be reused. Widgets are automatically created and maintained by the system.
No manual operation is required.
The page layout can be customized in drag-and-drop mode and all panels can be flexibly zoomed
in and out.
The visualization effect is enhanced. The refresh frequency and background effect can be
customized.

l Choose Monitoring > Report > Agile Report to access the agile report page.

| Feature | SNMP | NETCONF |
|---|---|---|
| Device vendor report | Unified | Unified |
| Port usage statistics report | Unified | Unified |
| Device type report | Unified | Unified |
| Device model report | Unified | Unified |
| Smart alarm reports, including: network device alarm event type graphic report, network device alarm distribution graphic report, network device alarm severity report, top N device alarm report by severity | Unified | Unified |
| Proportion chart of identified terminal types | Depending on terminal identification data | Supported |
| Top N vendors of identified terminals | Depending on terminal identification data | Supported |
| Top N OSs of identified terminals | Depending on terminal identification data | Supported |
| Trend chart of authenticated online terminals | Supported | Supported |
| Trend chart of authenticated online users | Supported | Supported |
| RADIUS authentication log statistics chart | Supported | Supported |
| Port authentication log statistics chart | Supported | Supported |

[Figure: NCE-Campus; widgets; manually created reports]

Proactive SLA
Management
Proactive SLA Management and Pre-Warning


1. Create periodic voice-based service level agreement (SLA) tasks and specify simulation
voice streams to be sent by devices.
2. Devices send simulated voice flows.
3. Display test results in graphs. Display service quality in digital way. Display measuring metrics in graphs.
4. Generate a pre-warning notice in time by email or SMS message when the
metric threshold is exceeded.

[Figure: enterprise HQ campus and branch connected over the WAN, each with a voice service gateway]


Proactive SLA
Management
Proactive SLA Management and Pre-Warning


The SLA is a network performance
measurement and diagnosis tool that
provides the following capabilities:

p SLA overview

p SLA task management

p SLA service management

p SLA fast diagnosis

Service Deployment: Configuration File Management


| Feature | SNMP | NETCONF |
|---|---|---|
| Main functions of configuration file management | Unified | Unified |
| Backup and restoration of running configurations | Supported | Supported (Restoration is not allowed, which may lead to inconsistencies between configurations from different sources.) |
| Backup and restoration of startup configurations | Supported | Not supported. This feature is supported only on YunShan devices. |


l Choose Maintenance > Device Maintenance > Configuration File Management to back up
and restore device configuration files, compare configuration files to discover changes, and
configure backup tasks.

Device Data Reporting


l The controller can display logs reported by devices, such as
terminal onboarding and disconnection logs and configuration
command logs, facilitating device maintenance, fault locating,
and performance monitoring. This function is applicable only to
LSWs, ARs, and APs.

l Available configurations:

p Configure cloud managed devices to report data to NCE-
Campus through HTTP.

p Configure devices to report data to NCE-CampusInsight
through HTTP.

p Configure SNMP-managed devices to report data to NCE-
Campus through SNMP and SFTP.

l Procedure:

p Choose Monitoring > Monitoring Settings > Data
Collection Configuration from the main menu, select a site
and a device type, and select types of the logs to be reported.


Alarm Management


l Alarm management receives, stores, and monitors alarms, and enables users to query and perform
operations on alarms. It supports full-lifecycle management of alarms, helping O&M personnel quickly
rectify faults based on alarm information.

p Configure alarm rules.

p Monitor alarms.

p Handle alarms.

l Alarm status:

p Acknowledgement: identifies the user who handles an alarm to avoid one alarm being handled by multiple users.

p Clearance: identifies whether the fault that causes an alarm is rectified.

l The detailed configuration is described in the O&M training course.


Device Performance Monitoring and Management


l Performance Management (PM) is used to monitor and collect the following
information from cloud managed devices: performance data (such as CPU and
memory usages), access terminal information, terminal locations, and application
data accessed by terminals. By analyzing data and generating relevant reports, the
system can provide reference data for decision makers.

l The detailed monitoring capabilities are described in the O&M training course.


Device Upgrade Management


[Figure: device upgrade process with HOUP, steps 1 to 3]

Device upgrade process
1. The controller obtains the software package for upgrading a device.
① Online mode: The controller can obtain the device software package of the recommended latest stable version from the software library of the Huawei
online upgrade platform (HOUP), which can be accessed at https://houp.huawei.com/download.
② Package import: An administrator can download the required software package from Huawei Support Website and import the package to the controller.
2. The administrator configures an upgrade or downgrade policy to manually or automatically upgrade or downgrade the device.
3. When receiving an upgrade task, the device downloads the required package from the specified address and performs an upgrade.


Device Upgrade Management


[Figures: Interconnection with HOUP; Device upgrade policy]

Note: The username must be set to the one used for logging in to the Huawei enterprise technical support website
(https://support.huawei.com/e).


Device Upgrade Management

The system, MSP, or tenant administrator can use an upload tool to upload device software packages, patch files, and feature packages
to iMaster NCE-Campus, and then configure an upgrade plan. After that, iMaster NCE-Campus delivers upgrade commands to the involved
devices, which then obtain the required upgrade files from the file server to complete the upgrade.
Smooth upgrade for switch stacks is supported. Before performing a stack smooth upgrade, ensure that upgrade areas have been
configured on the Monitoring > Device 360 > Stack Upgrade Partition page.


Device Certificate Management


l A device certificate is a digital file signed and issued by an authority. It contains a public key,
information about the owner of the public key, issuer information, validity period, and certain extension
information. A device certificate is used when a device and a server need to set up a Secure Sockets
Layer (SSL) channel to ensure security for communication between the two ends.

l If a device certificate does not meet the current security requirements or has expired, it needs to be
replaced with a new one to ensure device security.


Device Certificate Management


Update a device certificate in offline mode

Update a device certificate
in online mode

Device Certificate Management


iMaster NCE-Campus displays certificate information.

Fault Locating Tools


l iMaster NCE-Campus provides diversified fault locating tools, including the following:

p Ping: verifies connectivity between the controller and clients.

p Trace: displays the access path from a device to a destination address.

p RF ping: detects the quality of the air interface between a device and a client.

p Cable test: tests the length of network cables connected to an interface and the status of each
twisted pair. This tool can quickly detect network cable faults to facilitate fault locating and reduce
the impact on services.


Fault Locating Tools - Specifications

Feature               | Supported Device
----------------------|----------------------------------
Ping                  | AP, AR, FW, SW
Trace                 | AP, AR, FW, SW
Cable test            | SW, AR
Device Detection Task | Only V600 ARs (except AR6700V-L)

l Ping: verifies connectivity between the controller and clients.

l Trace: displays the path from a device to a destination address.

l Device Detection Task: detects the status of a device.

l RF ping: tests the quality of the air interface between a device and a client.

l Cable test: tests the length of network cables connected to an interface and the status of each twisted
pair. This tool can quickly detect network cable faults to facilitate fault locating and reduce the impact
on services.

Fault Locating Tools - Application Scenarios


l If a fault cannot be rectified based on fault diagnostic information collected from devices, tenants or O&M personnel
need to use other troubleshooting methods to further rectify the fault.

l The controller provides diversified fault locating tools to ensure that faults can be located in a timely manner. It can use ping and
trace tests to detect network connectivity of devices and allows agile cable tests without the assistance of other tools.

l Connectivity test:

p Ping and trace tests: These tests are applicable only to cloud managed devices (switches, WACs, ARs, and firewalls) that support
the two functions, as well as the controller.

l Packet analysis

p Packet obtaining (applicable to APs, switches, WACs, ARs, firewalls, and the controller)

p Air interface quality detection for APs

p RF ping (applicable to APs and the controller)


Fault Locating Process


l Choose Monitoring > Monitoring > Device 360 from the main menu, select a site, and select a device from the
site's device list. On the device details page that is displayed, you can select a fault locating tool from the Select a
tool drop-down list box.

Packet Header Obtaining - Introduction


l If tenant administrators need to locate network faults during the service operation process, they can
use the controller to obtain packet headers from specified devices.

l After they set parameters for obtaining packet headers on a device, such as the target device, port
where packet headers need to be obtained, packet header obtaining duration, filter conditions, and file
names, packet header obtaining files are generated on the device. The device uploads the generated
files to the directory specified on the controller. The controller then displays a message to instruct
tenant administrators to download the files to their local hosts, and generates the corresponding
operation log.

l There might be many packet exchanges between devices on the live network. The controller provides
necessary prompts based on device types, to improve the packet header obtaining accuracy.


Packet Header Obtaining - Application Scenarios


l Packet headers can be obtained on wired interfaces and wireless radio interfaces. Packet
headers of a fixed length are obtained, rather than complete packets. The controller can
analyze packet headers to help users locate faults.


Packet Header Obtaining - Process


l Choose Maintenance > Fault Diagnosis > Diagnosis Tools > Packet Head Getting from the main menu, select the
device where packet headers need to be obtained, and set parameters for packet header obtaining.

Device Detection Task

Tenant administrators can create device detection tasks on the Maintenance > Diagnosis Tools > Device
Detection Task page.


IP Address Management


l Choose Maintenance > IP Address Management from the main menu. The IP address management overview page is displayed,
showing the IP address assignment rate, exception statistics, and top N statistics.

l IP address management provides the following capabilities: IP address group management, IP subnet management, IP address
management, IP address assignment, idle IP address detection, and IP address reclaiming.


Intelligent Network Verification


l On the iMaster NCE-Campus homepage, open the Network Intelligent Verification app.

l Intelligent network verification provides the following capabilities: snapshot management, subnet reachability verification, and
terminal access verification. In addition, verification tasks can be managed on iMaster NCE-Campus.


Intelligent Network Verification - Snapshot
Management (1/2)

l iMaster NCE-Campus collects device data on the network in read-only mode, performs data plane
modeling, and generates snapshots.

l Snapshots are the basis of the intelligent network verification feature. The system can verify subnet
reachability and terminal access by leveraging snapshots.


Intelligent Network Verification - Snapshot
Management (2/2)

l The snapshot management module also provides the snapshot comparison function. By comparing two snapshots,
the network administrator can quickly find the differences between devices, configuration files, interface link states,
and IP routing tables at two time points, providing valuable information for quick fault locating.


Intelligent Network Verification - Subnet Reachability
Verification (1/2)

l After a snapshot is created, network administrators can
verify connectivity between every two service subnets on
the entire network in this snapshot.

l The verification results are presented in a matrix,
including reachability and multi-path information. The
matrix explicitly displays subnet reachability.


Security Resource Pool

In the MSP scenario, to meet enterprise users' requirements for customizing security protection capabilities,
the Agile Controller delivers orchestration information about carrier tenant services and security NEs to
security resource pool devices to orchestrate security service chains.


Intelligent Network Verification - Subnet Reachability
Verification (2/2)

l Network administrators can select two specific service subnets to view the traffic paths between the subnets.
The traffic path information helps quickly locate network reachability faults.


Intelligent Network Verification - Terminal Access
Verification

l Intelligent network verification provides the terminal access verification capability. Network administrators can simulate a
terminal in a snapshot and verify its access to network resources. With this function, network administrators can check
whether the services accessible to the terminal are as expected.

l Intelligent network verification also provides the verification task management function. A verification task contains the source
and destination information and the expected result. It is equivalent to a network verification case.


Intelligent Network Verification – Subnet Reachability
on Fabrics


l Intelligent network verification is
applicable to the fabric scenario. In this
scenario, reachability between overlay
subnets can be verified and verification
results can be displayed in a matrix.


Advanced Security Feature – Remote Attestation (RA)

[Figure: RA process. NCE-Campus (RA server) downloads and imports reference values from Huawei Support. Labelled steps: 1. Measure (RA client on the device); 1. Send a challenge request; 2. Challenge; 2. Return PCR status values; 3. Return measurement logs; 3. Verify (RA server). O&M personnel use the portal.]

l Device (YunShan LSWs and ARs):

p Connects to NCE-Campus to report its information and receive configurations.

p Receives RA requests from NCE-Campus and uploads platform configuration register (PCR)
values to NCE-Campus.

l NCE-Campus:

p Manages and configures devices.

p Downloads PCR baseline files consisting of reference values from the Huawei Support website.

p Sends challenge requests to NEs to collect measured information and evaluates the campus
security based on the collected information.

l Huawei Support website:

p Saves RA baselines of devices.

The RA process involves three steps: measurement, challenge, and verification.
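
The measurement, challenge, and verification steps described above, sketched as an added example (not Huawei's implementation and not code from this course). It assumes a TPM-style SHA-256 extend operation and uses an HMAC with a shared key as a stand-in for the attestation-key signature on the PCR report; all component names, keys, and values are constructed.

```python
import hashlib
import hmac
import os

ZERO_PCR = bytes(32)  # assumed SHA-256 PCR bank, reset value all zeros


def measure(blob: bytes) -> bytes:
    """Measurement of one boot component: its SHA-256 digest."""
    return hashlib.sha256(blob).digest()


def replay(log) -> bytes:
    """Recompute a PCR from an ordered log: PCR = SHA-256(PCR || digest)."""
    pcr = ZERO_PCR
    for _name, digest in log:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def device_respond(nonce: bytes, components, key: bytes) -> dict:
    """RA client: report the PCR value and measurement log for this challenge."""
    log = [(name, measure(blob)) for name, blob in components]
    pcr = replay(log)
    # Stand-in for a signature by the device's attestation key (assumption).
    tag = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    return {"nonce": nonce, "pcr": pcr, "log": log, "tag": tag}


def verify(resp: dict, nonce: bytes, baseline: dict, key: bytes):
    """RA server: return (verdict, reason) for one challenge response."""
    if not hmac.compare_digest(resp["nonce"], nonce):
        return "untrusted", "nonce mismatch (stale or replayed response)"
    expected = hmac.new(key, nonce + resp["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(resp["tag"], expected):
        return "untrusted", "PCR report is not authenticated"
    if replay(resp["log"]) != resp["pcr"]:
        return "untrusted", "measurement log does not reproduce the reported PCR"
    for name, digest in resp["log"]:
        if name not in baseline:
            return "untrusted", f"component not in baseline: {name}"
        if digest != baseline[name]:
            return "untrusted", f"measurement differs from reference value: {name}"
    missing = sorted(set(baseline) - {name for name, _ in resp["log"]})
    if missing:
        return "untrusted", f"component not measured: {missing[0]}"
    return "trusted", "all measurements match the reference values"


# Constructed sample data: three boot components and their reference values.
KEY = b"constructed-demo-key"
GOOD = [("bootloader", b"bootloader v1"),
        ("os-kernel", b"kernel v1"),
        ("app-image", b"app v1")]
BASELINE = {name: measure(blob) for name, blob in GOOD}


def run_demo() -> dict:
    """Run four cases through the verifier and return their verdicts."""
    results = {}
    nonce = os.urandom(16)
    results["clean"] = verify(device_respond(nonce, GOOD, KEY), nonce, BASELINE, KEY)

    # One component differs from what the baseline describes.
    tampered = [GOOD[0], ("os-kernel", b"kernel v1, modified"), GOOD[2]]
    nonce = os.urandom(16)
    results["tampered"] = verify(device_respond(nonce, tampered, KEY), nonce, BASELINE, KEY)

    # Modified device that reports the clean log: the PCR value gives it away.
    nonce = os.urandom(16)
    forged = device_respond(nonce, tampered, KEY)
    forged["log"] = [(name, BASELINE[name]) for name, _ in GOOD]
    results["forged_log"] = verify(forged, nonce, BASELINE, KEY)

    # An old, clean response replayed against a fresh challenge.
    old = device_respond(os.urandom(16), GOOD, KEY)
    results["replayed"] = verify(old, os.urandom(16), BASELINE, KEY)
    return results


if __name__ == "__main__":
    for case, (verdict, reason) in run_demo().items():
        print(f"{case:11s} {verdict:9s} {reason}")
```

The nonce in the challenge is what makes a recorded "good" report useless later, and replaying the log against the reported PCR is what stops a device from presenting a clean log that does not match its actual measurements.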
Advanced Security Feature – RA


l NE trustworthiness dashboard

Advanced Security Feature – NE/NMS Security
Situational Awareness

[Figure: iMaster NCE-Campus with the HiSec situation analysis component (abnormal event detection, situation presentation, SOAR, zero trust management, single-domain security: device/NMS intrusion detection), NMS AAA, NE log module, O&M personnel, and devices (YunShan LSWs and ARs) with host security and intrusion detection.]

l Device (YunShan LSWs and ARs):
p Connects to NCE-Campus and reports NE O&M logs.
l NCE-Campus:
p Receives O&M logs from devices and reports the logs to HiSec for exception detection and
situation analysis.
p Receives O&M logs from the NMS and reports the logs to HiSec for exception detection and
situation analysis.
l Supported device-oriented situational awareness capabilities:
p Rule-based abnormal login behavior detection: brute force cracking, login from blacklisted IP
addresses, unauthorized accounts, or compromised accounts, and login through uncommon paths
p AI-based abnormal login behavior detection: login at unusual time, login using uncommon IP
addresses or zombie accounts, abnormal number of login accounts, and abnormal login frequency
p Abnormal behavior detection: unauthorized account creation, unauthorized password change,
unauthorized account activation (detected when the product has activation logs), password
change violation, unauthorized account deletion, unauthorized user permission change,
unauthorized operation attempt (detected if NEs record authentication failure logs)
p Agent-based detection: file permission escalation, key file tampering, Rootkit attack, unauthorized
superuser, and shell file tampering
l Supported NMS-oriented situational awareness capabilities:
p Rule-based abnormal login behavior detection: brute force cracking, login from blacklisted IP
addresses, unauthorized accounts, or compromised accounts, and login through uncommon paths
p Exception handling based on zero-trust evaluation, for example, blacklisting abnormal accounts
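
A sketch of the rule-based abnormal login detection listed above, as an added example (not HiSec's or iMaster NCE-Campus's detection logic). The log line format, thresholds, blacklist, and authorized-account list are all assumptions, and the sample log is constructed; treating a success after a brute-force burst as a likely compromised account is also an assumption of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a product format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|fail)$"
)
BLACKLIST = {"198.51.100.23"}        # assumed blacklisted source addresses
AUTHORIZED = {"netadmin", "auditor"}  # assumed list of approved O&M accounts
FAIL_THRESHOLD = 5                    # failures that count as brute force ...
WINDOW = timedelta(seconds=60)        # ... when seen inside this window

SAMPLE_LOG = """
2025-06-10T02:14:00Z device=SW-01 user=netadmin src=203.0.113.7 result=fail
2025-06-10T02:14:08Z device=SW-01 user=netadmin src=203.0.113.7 result=fail
2025-06-10T02:14:15Z device=SW-01 user=netadmin src=203.0.113.7 result=fail
2025-06-10T02:14:23Z device=SW-01 user=netadmin src=203.0.113.7 result=fail
2025-06-10T02:14:31Z device=SW-01 user=netadmin src=203.0.113.7 result=fail
2025-06-10T02:14:40Z device=SW-01 user=netadmin src=203.0.113.7 result=success
2025-06-10T03:00:00Z device=AR-02 user=auditor src=192.0.2.50 result=fail
2025-06-10T03:05:00Z device=AR-02 user=auditor src=192.0.2.50 result=fail
2025-06-10T03:10:00Z device=AR-02 user=auditor src=192.0.2.50 result=fail
2025-06-10T03:15:00Z device=AR-02 user=auditor src=192.0.2.50 result=fail
2025-06-10T03:20:00Z device=AR-02 user=auditor src=192.0.2.50 result=fail
2025-06-10T04:02:11Z device=AR-02 user=auditor src=198.51.100.23 result=success
2025-06-10T04:30:00Z device=SW-01 user=tmpuser src=192.0.2.10 result=success
this line is malformed and must be skipped
"""


def parse(line: str):
    """Return one login event as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Apply the rules to time-ordered lines; return (rule, device, src, user)."""
    alerts = []
    fails = defaultdict(deque)  # (device, src) -> timestamps of recent failures
    flagged = set()             # (device, src) pairs already reported as brute force
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["device"], ev["src"])
        who = (ev["device"], ev["src"], ev["user"])
        if ev["src"] in BLACKLIST:
            alerts.append(("blacklisted_ip",) + who)
        if ev["result"] == "success" and ev["user"] not in AUTHORIZED:
            alerts.append(("unauthorized_account",) + who)
        if ev["result"] == "fail":
            window = fails[key]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while ev["ts"] - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force",) + who)
        elif key in flagged:
            # A success right after a brute-force burst: treat the account as
            # possibly compromised and escalate.
            alerts.append(("success_after_brute_force",) + who)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The five failures from 192.0.2.50 are spaced five minutes apart and stay below the threshold, which is the kind of low-and-slow pattern a fixed-window rule misses and the AI-based frequency detection in the list above is meant to cover.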

Advanced Security Feature – NE/NMS Security
Situational Awareness


l NE security event

Advanced Security Feature – NE Security Configuration
Check

l The controller can verify device security configurations, including insecure protocols, weak algorithms, and security
configuration items, to ensure NE security.
a. Insecure protocol: such as Telnet
b. Weak algorithm: such as the MD5 encryption algorithm
c. Insecure configuration: such as password authentication using SSH on port 22


Convergence of Agile Controller-IoT and iMaster
NCE-Campus
1. iMaster NCE-Campus manages IoT gateways and orchestrates networks
through NETCONF.
2. Agile Controller-IoT manages containers/apps, terminals (communication
modules), and FAN networks (PLC/RF) through MQTT.
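System             | Service            | Function                                                                                                 | Protocol
-------------------|--------------------|----------------------------------------------------------------------------------------------------------|---------
iMaster NCE-Campus | Network management | Configuration of WAN and LAN networks. It does not manage FAN networks, such as PLC and RF networks.     | NETCONF
iMaster NCE-Campus | Device management  | It manages IoT gateways and does not manage non-NETCONF-managed devices, such as IOBOX and IoT terminals. | NETCONF
iMaster NCE-Campus | System management  |                                                                                                          | NETCONF

IoT                  | Service                              | Function                                                                                    | Protocol
---------------------|--------------------------------------|---------------------------------------------------------------------------------------------|---------
Agile Controller-IoT | Container and application management | Container and app installation and deployment, lifecycle management, and resource monitoring | MQTT
Agile Controller-IoT | FAN management                       | FAN network configuration and query, including PLC and RF networks                          | MQTT
Agile Controller-IoT | IoT terminal management              | Lightweight IOBOX; third-party terminal                                                     | MQTT
Agile Controller-IoT | Data link service                    | Data security; profile definition                                                           | MQTT
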

Convergence of Agile Controller-IoT and iMaster
NCE-Campus

1. The IoT management feature is applicable only to a single-node system.
2. The IoT management feature is optional and can be expanded.


IPv4/IPv6 Capability of iMaster NCE-Campus

Scenario description: IPv6 is becoming more popular, which is required in deployment and management scenarios. iMaster NCE-Campus
supports the following three scenarios: IPv4 single stack, IPv6 single stack, and IPv4/IPv6 dual stack.

Upgrade from
IPv6 on
Pre- the Original
Scenario Device Model Authentication Management
installation Deployment
Channel Or Not
Version

IPv4 single
IPv4 single stack, IPv4/IPv6 dual stack, All devices All supported Not supported Supported Supported
and IPv6 single stack stack
• Supported by all devices
in V5 (IPv4-based device
Internet interaction, IPv6-based Portal Supported, but
authentication and 802.1X depends on
Not supported
IPv4/IPv6 All devices authentication). device-side Not
(only supported
dual-stack • YunShan devices do not capabilities. supported
support IPv6-based (Only ARs and YunShan by new versions)
Recommended LSWs support this
Portal authentication function.)
but support IPv6-based
802.1X authentication.
IPv6 IPv4
WAC
Supported, but
• AR devices
(supported in V5 • YunShan devices do not depends on
and in YunShan support IPv6-based device-side Not supported
IPv6 single since R22.0) Not
Portal authentication capabilities. (only supported
stack • LSWs supported
but support IPv6-based (Only ARs and YunShan by new versions)
(supported in LSWs support this
YunShan since 802.1X authentication. function.)
R22.0)


IPv4/IPv6 Deployment Scenarios

IPv4 address IPv6 address
Ø IPv4 single stack Ø IPv6 single stack Ø IPv4/IPv6 dual-stack


IPv4 site IPv6 site


Supported IPv6 Functions


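Features reported per scenario (Y = supported, N = not supported):

Function Category | Feature                                   | V5 LSW: Non-Virtualization Scenarios | V5 LSW: Virtualization Scenarios | YunShan LSW: Non-Virtualization Scenarios | YunShan LSW: Virtualization Scenarios
------------------|-------------------------------------------|--------------------------------------|----------------------------------|-------------------------------------------|--------------------------------------
IP service        | IPv6 gateway                              | N   | Y   | Y | Y
IP service        | DHCPv6 client/server                      | N   | N   | Y | N
IP service        | DHCPv6 relay                              | N   | Y   | Y | Y
IP service        | DHCPv6 Snooping                           | N   | Y   | Y | Y
Routing           | IPv6 static routing                       | N   | Y   | Y | Y
Routing           | OSPFv3                                    | N   | N   | Y | N
Routing           | BGP4+                                     | N   | Y   | Y | Y
Traffic policy    | ACL6                                      | Y   | N/A | Y | N/A
Traffic policy    | ACL6 in traffic classifiers               | Y   | N/A | Y | N/A
Traffic policy    | Next-hop IPv6 address in traffic behaviors | N   | N/A | Y | N/A
Traffic policy    | ACL6 default permit rule                  | Y   | Y   | N | N
Reliability       | NQA IPv6                                  | N   | Y   | N | Y
DNS               | DNSv6 server                              | N   | N/A | Y | N/A

Features reported once per device family:

Function Category | Feature                                             | V5 LSW | YunShan LSW
------------------|-----------------------------------------------------|--------|------------
Device management | NETCONF-based IPv6 device management                | N | Y
Authentication    | IPv6 RADIUS server                                  | N | Y
Authentication    | Dynamic ACL6 authorization                          | Y | Y
Authentication    | IPv6 AD/LDAP server                                 | Y | Y
Authentication    | IPv6 authentication components                      | N | Y
Authentication    | IP-security group channels on IPv6 networks         | N | Y
O&M               | IPv6 device upgrade channels                        | N | Y
O&M               | Packet header obtaining supports IPv6 channels      | N | Y
O&M               | IPv6 channels for device file systems               | N | Y
O&M               | IPv6 channels for activating license files          | N | Y
O&M               | IPv6 channels for file management configuration     | N | Y
O&M               | IPv6 channels for inspection                        | N | Y
O&M               | IPv6 channels for SSH-based CLI login               | N | Y
O&M               | IPv6 channels for collecting device fault information | N | Y
O&M               | IPv6 ping and trace                                 | N | Y
Monitoring        | IPv6 HTTP/2 and telemetry channels                  | N | Y
Others            | Analyzer interconnection through IPv6               | N | Y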

Multi-Cluster System


l With service development, an increasing number of devices and users are connected to
iMaster NCE-Campus. A single cluster cannot provide sufficient performance for service
development needs. Horizontal capacity expansion from a single-cluster system to a multi-
cluster system is needed to allow access of more devices and users.


Multi-Cluster Solution


l The multi-cluster solution consists of a global node and two regional clusters.


Region | Function Description
-------|---------------------
Global | The global node receives the mappings among users, tenants, and IP addresses from each regional cluster. It provides a unified login page for all the clusters. Users do not need to select a region upon login. After successful login, the user is automatically redirected to the selected regional cluster.
Region | Each region is an independent cluster, without a login page. Users can log in to each regional cluster only through the login page of the global node, and are allowed to log in through their respective regional cluster only when the global node is faulty. A regional cluster reports the mappings among users, tenants, and the regional cluster IP address to the global node. It is also responsible for user service design, configuration, and maintenance. Tenant migration is not supported between regional clusters. Services of a single tenant cannot be deployed across regional clusters.

23.0
1. Independent management plane, supporting independent region upgrade (The global region is not upgraded, and the management plane and
service plane are incompatible with each other.)
2. A single cluster can be smoothly expanded to multiple clusters. A maximum of 10 regions are supported.

Multi-Cluster Management


l By default, each regional cluster reports the mappings among users, tenants, and the regional cluster IP
address to the global node in real time. The global node also collects the mappings at a specified time
every day.

l In addition, the mappings can be manually synchronized from regional clusters to the global node.

l Choose System > System Management > Multi-Cluster Management from the main menu. Click
Synchronize Immediately to synchronize regional cluster information to the global node and then
check whether the synchronization is complete.


Points-based Mode

• In points-based mode, you can log in to the controller as the system administrator and import license files, including
platform licenses and points-based licenses. The system administrator assigns its points-based license resources to
an MSP, and the MSP can further allocate its resources to tenants. Points-based license resources are deducted based
on the deduction coefficient, which varies depending on the capability package type and device model.


Points-based License Resources and Capability Packages

• Points-based license resources are deducted based on the deduction coefficient, which varies depending on the
capability package type and device model. Different capability packages include different capabilities. The
advanced package contains the advanced capabilities of the analyzer.


Signing the EULA (Added in R24C10)

l Signing the EULA (global perpetual, global subscription, and points-based modes)

p The EULA needs to be signed when a license is uploaded for the first time, as shown in the
following figure.

p Click Agree to sign and upload the license.


Disaster Recovery - Background

With expanding enterprise scales, simple data backup is unable to meet the requirements of mission-critical services on
system availability, real-time performance, and security. More importantly, backup data may be damaged due to
various factors such as earthquakes and fire disasters, and even be lost. Any service interruption or data loss will cause
serious losses to enterprises. How to improve system availability has become a major concern of enterprises. The top
priority is to design highly available software.

Disaster recovery (DR) is the ability to recover from a disaster. The DR solution is achieved by a standby system in a
different place. The active and standby systems monitor each other's health status and take over services from each
other. If one system is unavailable due to an unexpected event such as a fire or earthquake, another system can take
over the services of the faulty system to ensure service continuity.

To improve the reliability of iMaster NCE-Campus, the DR design is adopted.


Disaster Recovery - Introduction

The primary and secondary clusters communicate with each other through heartbeat links and detect each other's status in real time. The product in the active
cluster synchronizes data to the product in the standby cluster in real time through the data replication link to ensure data consistency between the two
clusters.
If a fault occurs in the cluster that is providing services, users can manually switch the services from the faulty cluster to the other cluster. Automatic switchover
is provided if the arbitration service is deployed. This ensures service continuity and reduces the loss caused by disastrous incidents.
DR objectives
1. Primary and secondary clusters are installed separately. The installation sequence does not matter.
2. After a DR system is created, one cluster functions as the active cluster and the other functions as the standby cluster. The active cluster provides services
for external systems. The standby cluster does not provide external services and only synchronizes data from the active cluster.
3. If the active cluster is unavailable due to a disaster, services can be manually or automatically switched to the standby cluster to ensure service continuity.
4. CampusInsight does not support DR. After a DR switchover, if CampusInsight functions are required, you need to reinstall CampusInsight (or pre-install two
copies of CampusInsight before a controller DR switchover) and synchronize data from the controller to CampusInsight. The analysis data on CampusInsight
will be lost after a controller DR switchover.
Differences between manual and automatic DR switchovers
1. In both modes, primary and secondary clusters must be installed and a DR system must be set up. In the automatic DR scenario, an arbitration node needs to be
deployed at a third site and arbitration needs to be configured through EasySuite.
2. To manually trigger DR switchovers, administrators need to log in to the management plane to manually switch active and standby cluster roles. To
configure automatic DR switchovers, administrators only need to create arbitration tasks in advance. If switchover conditions are met, an automatic DR
switchover is performed, without manual intervention.
3. The two modes have different requirements on public networks. In the manual switchover scenario, administrators can detect the switchover and then can
manually re-configure the controller IP address visible to public networks. In the automatic switchover scenario, customer networks must be able to
automatically detect the active/standby controller status in each cluster of the DR system, for example, through an F5 load balancer, through NQA to detect
the internal floating IP address of the controller, or by connecting the controllers in primary and secondary clusters to external networks at Layer 2 in both
north and south directions.

Manual DR Switchover

Manual switchover:
The controller advertises northbound and southbound routes in Layer 3 mode. In the NAT scenario, the controller's southbound and
northbound IP addresses after NAT in the primary cluster are the same as those in the secondary cluster. In this way, tenants, network
devices, and access terminals are unaware of active/standby controller switchovers.
The heartbeat link and data replication link are located on the internal communication plane. Therefore, network connectivity must be
ensured between the internal communication planes of the primary and secondary clusters.

Route priority-based manual switchover:
On the egress router, routes destined for the active and standby clusters are configured with different priorities. Only the active cluster
provides services for external networks and the standby cluster only synchronizes data from the active cluster.
If the network is abnormal or the active site is faulty, administrators can access the O&M plane and issue a DR switchover command to
manually trigger a DR switchover.


Automatic DR Switchover


[Figure: Automatic DR switchover. The primary and secondary sites are connected by heartbeat and data replication links, and each exchanges arbitration data with the arbitration node.]

Arbitration-based automatic switchover:
The arbitration service periodically checks the connectivity between the primary, secondary, and third sites, and saves the check results.
If the network connection is abnormal or the active site is faulty, the arbitration service selects the optimal site in the network to perform
an active/standby switchover.
Note: The HBase database of FusionInsight does not support automatic switchovers and needs to be manually synchronized. If the
database is not synchronized, device performance data display is affected. Customers can determine whether to synchronize the
HBase database.

The arbitration service is deployed on five nodes, among which two are deployed at the primary site, two at the secondary site, and
one at the third site.
The heartbeat link, arbitration heartbeat link, data sharing link, and data replication link are located on the internal communication
plane. Therefore, the internal communication network between the active and standby sites must be connected.


DR Switchover - Layer 2 Southbound and
Northbound Connectivity Between Primary and
Secondary Clusters

[Figure: DC1 and DC2, each with a router, a switch, and three cluster nodes, joined by a Layer 2 communication link, a heartbeat link, and a data replication link; an arbitration node is located in DC3.]

Why is a Layer 2 network used?
A Layer 2 network is used for switchovers between the primary and secondary clusters. Host IP addresses are in the same ARP broadcast
domain, which are easily advertised.

Solution features:
1. Install DC1 and DC2 clusters. The two clusters use the same southbound and northbound IP addresses. Because the two clusters are on the same Layer 2 network, the
southbound and northbound IP addresses of the secondary cluster need to be hidden.
2. Set up a DR system, for example, with DC1 and DC2 as the active and standby clusters, respectively. The active cluster automatically enables its southbound and northbound
IP addresses, whereas the standby cluster does not.
3. This solution applies to the scenario where devices on external networks can be managed by customers. Connecting southbound and northbound Layer 2 networks of the
active and standby clusters has high requirements on customer networks.
4. The solution with an arbitration node can avoid dual active clusters. Therefore, if southbound and northbound Layer 2 networks of the active and standby clusters are
connected, manual switchovers at the expense of the arbitration node are not recommended.
Note:
NAT is supported in this scenario. In the NAT scenario, Layer 2 interconnection is required on the planes where the southbound and northbound virtual IP addresses reside, and
the virtual IP addresses are mapped into a public IP address using NAT.

DR Switchover - Unified Virtual IP Address based on NQA

Solution features:
1. Install DC1 and DC2 clusters which provide the same southbound and northbound IP addresses for external networks.
2. Install an HA arbitration node. (By default, the HA arbitration node is deployed in a third data center and is reachable to the primary and secondary clusters at Layer 3.)
3. Add a DR configuration instance and set up a DR system, for example, with DC1 and DC2 as the active and standby clusters, respectively. The DR heartbeat and data replication links are created at the same time.
4. Configure an NQA policy on the core device of each DC cluster to detect its own DIP. If the DIP is reachable, the public southbound and northbound IP addresses of the controller are advertised. The DIP of the active cluster is automatically enabled, and that of the standby cluster is not.
5. Disaster scenario: If the original active cluster encounters a disaster and the heartbeat between the active and standby clusters is interrupted, the arbitration node checks whether the standby cluster can switch to the active cluster. If so, after the original standby cluster becomes the new active cluster, its southbound and northbound IP addresses and DIP addresses take effect. In addition, NQA automatically advertises the public southbound and northbound IP addresses of the new active cluster after verifying that the DIP of the new active cluster is reachable.
6. In this solution, manual switchovers can be performed at the expense of the arbitration node.

Note:
1. This solution requires that the customer's core devices have the NQA detection capability and can be associated with static routes for automatic detection. The core devices must be reachable to the DIP addresses of controller clusters. The overall switchover time depends on the NQA detection time as well as time required by route advertisement and convergence.
2. NAT is supported in this scenario. In the NAT scenario, the external IP address is located on the NAT device and mapped to the LVS virtual IP address of the controller. Similarly, the core device determines whether to advertise this external IP address based on NQA detection results.

[Figure: DC1 (primary cluster, DIP 1) and DC2 (secondary cluster, DIP 2), each behind a Layer 3 network management switch and a core device (static route + NQA, OSPF toward the backbone ring network) and each presenting the external IP; heartbeat link (1) and data replication link (2) between the clusters; arbitration node (3).]
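Step 4 above, sketched as a core-device configuration for DC1 in Huawei VRP command syntax. This is an added illustration, not configuration from the course; the test-instance name, OSPF process ID, probe timers, and all addresses (documentation ranges) are assumptions, and the `#` lines are annotations.

```text
# Constructed values:
#   DIP of the DC1 controller cluster          = 192.0.2.10
#   shared external (virtual) IP               = 198.51.100.10
#   next hop toward the DC1 management switch  = 192.0.2.1
#
# NQA ICMP test instance that probes this DC's own DIP.
nqa test-instance dr dip-dc1
 test-type icmp
 destination-address ipv4 192.0.2.10
 probe-count 2
 interval seconds 1
 timeout 1
 frequency 5
 start now
#
# Host route to the shared external IP; it stays in the routing table
# only while the NQA test instance reports success.
ip route-static 198.51.100.10 255.255.255.255 192.0.2.1 track nqa dr dip-dc1
#
# Advertise the tracked static route toward the backbone.
ospf 1
 import-route static
```

The DC2 core device carries the same configuration with its own DIP as the probe target. Because only the active cluster's DIP is enabled, only one core device advertises the external IP at a time, and the switchover time is bounded by the probe frequency plus route advertisement and convergence.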

DR Configuration

The management plane of iMaster NCE-Campus
provides the configuration and O&M pages for the DR
function. You can view the DR system status and data
synchronization status, modify DR configurations, and
trigger a DR switchover on these pages.

If the active cluster is faulty and cannot be recovered, a
forcible switchover can be performed for the standby
cluster to take over services.

If two active clusters exist, a forcible switchover can be
performed to switch a cluster to the standby cluster to
restore the active/standby relationship.


Multiple Southbound Cluster Addresses: Improving Remote DR Reliability and Reducing Network Requirements (Updated in R23C10)

Scenario description: In remote disaster recovery (DR) scenarios, two southbound IP addresses are configured for the active and standby clusters, improving reliability and network adaptation capabilities, as well as reducing network requirements.

[Figure: left, same southbound address: active DC cluster and standby DC cluster with data synchronization, both using southbound IP address 41.1.1.208; right, different southbound addresses: active DC cluster using southbound IP address 41.1.1.208 and standby DC cluster using southbound IP address 42.2.2.210; APs connect to the clusters in both cases.]

Constraints (same southbound address)
Ø The southbound IP address of the active and standby clusters must be the same.
Ø Cluster switchover and convergence are slow due to specific network requirements. As such, remote DR cannot be met in some networking modes. (If the active and standby clusters are not in the same area, their southbound IP addresses are not the same. In addition, these clusters cannot communicate with each other through Layer 2 heartbeat links.)

Constraints (different southbound addresses)
Ø IPv6 and domain name address scenarios are not supported.
Ø Firewalls and WLAN devices of the V600 version are not supported.
Ø HACA Portal authentication is not supported for ARs in LAN scenarios.
Ø CloudAPP is not supported.

Benefits (different southbound addresses)
Ø Fast cluster switchover and convergence
Ø Reduced network requirements
Ø An upgrade does not lead to any service interruption because an active/standby switchover can be triggered to upgrade the active and standby clusters separately.

Multiple Southbound Cluster Addresses: Improving Remote DR Reliability and Reducing Network Requirements (Updated in R24C00)

Ø If FWs exist on the network, multiple southbound IP addresses cannot be configured for remote disaster recovery.
Ø Multiple southbound IP addresses cannot be configured in the scenario where V600 WAC+FitAP is deployed on the network.
Ø In the cloud campus scenario, if AR V300 is used as the egress and HACA Portal authentication is used, multiple southbound IP addresses cannot be configured for remote disaster recovery.
Ø When the CloudCampus APP is used, multiple southbound IP addresses for geographic redundancy cannot be configured.
Ø Multiple southbound IP addresses for DR cannot be configured when southbound IPv6 addresses are configured.

Features                                            V200  V200  V300     V300     V500  V600  V600  V600     V600     V600
                                                    LSW   WLAN  AR(LAN)  AR(WAN)  FW    LSW   WLAN  AR(LAN)  AR(WAN)  FW
Device management                                   Y     Y     Y        Y        N     Y     N     Y        Y        N
Monitoring                                          Y     Y     Y        Y        N     Y     N     Y        Y        N
O&M                                                 Y     Y     Y        Y        N     Y     N     Y        Y        N
802.1X Authentication                               Y     Y     --       Y        --    Y     N     --       Y        --
Portal2.0 Authentication 24.0                       Y     Y     --       --       N     Y     --    --       --       --
HACA Portal Authentication 24.0                     Y     Y     N        --       N     Y     --    --       --       --
HWTACACS Authentication                             Y     Y     --       Y        --    Y     N     --       Y        --
Free Mobility                                       Y     --    --       --       N     Y     --    --       --       N
Authentication component                            Y     Y     N        Y        N     Y     --    --       Y        N
Multiple IP addresses for analyzer interconnection  Y     Y     Y        N        --    Y     N     Y        N        --
Registration center                                 Y     Y     Y        Y        --    Y     --    Y        Y        --
CloudAPP Deploying                                  --    N     --       --       --    --    --    --       --       --
SNMP management                                     Y     Y     Y        --       Y     Y     --    Y        --       Y

Network Guard Agent: Proactively Protects Against Wireless Network Sub-health Problems (Added in R24C10)

Proactive protection, supporting automatic handling of common wireless faults

1. Create protection targets
based on the network area.

2. Proactively protect against
wireless sub-health and push faults.


3. Fault detection, fault analysis, fault
decision-making, and fault handling
4. Visualize key KPIs to be
protected on one map.

Constraints: This function is supported only when iMaster NCE-Campus interconnects with iMaster NCE-CampusInsight and is applicable only to indoor
multi-partition scenarios (such as dormitories and hotels).

Device Detection Task (Added in R24C10)

l Choose Network Maintenance > Network Diagnosis > Diagnosis Tools from the main menu, click the Device
Detection Task tab, and create a task to check the device status.


Security Resource Pool (Added in R24C10)

l Usage Scenario:
Enterprise users require multi-level security protection capabilities that are customizable. To meet their requirements, we, driven by carriers' cloud-network convergence, design the security capability resource pool solution.
① Provide real-time security assurance for users through software-based and service-based security capabilities.
② Manage and configure the required security capabilities in a unified manner through the security management platform.
③ Support elastic scaling to improve resource utilization and maximize performance.

l Principles
Security resource pool orchestration solution: User traffic destined for the target Internet address is diverted to the security resource pool. Then, based on the service policies configured by users, atomic security capabilities are introduced to process the diverted traffic through enabling security policies. Finally, the processed user traffic is sent back to the target Internet address.

l SFC configuration


Summary


l This course describes the deployment schemes and component functions of iMaster NCE-Campus in the
CloudCampus solution.

l This course describes the key features of iMaster NCE-Campus and their configuration methods.

l Through these introductions, you should have a deep understanding of the main application scenarios
of iMaster NCE-Campus.

