Tolly.
2 Solution Overview
5 Cybersecurity
5.1 Defense Configuration
6 Network Openness
6.1 Interoperability with Aruba ClearPass
6.2 Interoperability with Cisco ISE
6.3 Interoperability with SolarWinds
6.4 Interoperability with Cisco Switches
6.5 Endpoint Compatibility
Network O&M and experience assurance: Both Huawei CloudCampus CampusInsight and Cisco DNA Assurance
support the use of AI algorithm-based machine learning capabilities to ensure network experience. Huawei CampusInsight can
also predict potential faults and optimize the network, and can mine deeper and more comprehensive data than Cisco DNA
Assurance.
Cybersecurity: Huawei CloudCampus and Cisco DNA both support basic network security capabilities and automatic
security policy provisioning. In contrast to Cisco DNA, Huawei CloudCampus is able to proactively deceive and defend against
network threats using deception, while also offering a simplified architecture.
Network openness: Huawei CloudCampus delivers comprehensive compatibility with industry applications, third-party
systems and network devices, and network endpoints.
O&M: Anomaly Identification and Root Cause Analysis
Huawei CloudCampus:
• User access issue diagnosis based on always-on protocol tracing
• User experience issue diagnosis based on KPI correlation analysis
• Precise inference based on the fault knowledge base
• Group fault analysis based on the integrated topology
Cisco DNA:
• Network anomaly identification and root cause analysis
• Protocol tracing is not supported. Packets need to be captured for manual user access fault analysis
Security: Basic Security
Huawei CloudCampus: IPS, antivirus, URL filtering, and more
Cisco DNA: IPS, antivirus, URL filtering, and more
Security: Big Data Security
Huawei CloudCampus: Security protection based on big data analytics
Cisco DNA: Security protection based on big data analytics
Security: Advanced Security
Huawei CloudCampus:
• Encrypted communication analytics (ECA)
• Proactive threat deception
Cisco DNA:
• Encrypted traffic analytics (ETA)
Openness: Interoperability with Third-party Applications
Huawei CloudCampus: Supported, for example, commercial Wi-Fi, electronic shelf label (ESL), asset management, etc.
Cisco DNA: Not tested; NA
Openness: Interoperability with Third-party Systems
Huawei CloudCampus: Supported, for example, Cisco ISE and SolarWinds
Cisco DNA: Not tested; NA
Openness: Interconnection with Other Vendors’ Devices
Huawei CloudCampus: Supported
Cisco DNA: Not tested; NA
Openness: Endpoint Compatibility
Huawei CloudCampus: Supported
Cisco DNA: Not tested; NA
1. The Cisco DNA solution does not include security devices such as firewalls. Instead, it uses security policies on SD-WAN routers for SD-WAN security. In this evaluation, it is assumed that the network environment requires deployment and management of firewall devices.
2. Estimated time in the lab environment. The actual deployment time is subject to the network environment and scale.
3. A complete green circle means strong capabilities, while a hollow circle means weak capabilities.
4. Solution evaluation is based on test items mentioned in the table above. Test items do not necessarily cover the complete capabilities of Huawei and Cisco solutions.
Full-lifecycle Network Services
Huawei CloudCampus:
• Huawei CloudCampus delivers full-lifecycle network services from network planning, design, deployment, and policy provisioning, to intelligent O&M and network security management
Cisco DNA:
• Cisco DNA also supports full-lifecycle network services from network planning, design, deployment, and policy provisioning, to intelligent O&M and network security management
Deployment Mode
Huawei CloudCampus:
• Agile Controller V3.0 supports both on-premises deployment and cloud hosting mode
• Hierarchical tenant and MSP management architecture is also supported
Cisco DNA:
• Cisco DNA Center only supports on-premises deployment. Cloud hosting is not supported. Cisco vManage supports both on-premises and cloud hosting modes
• Cisco's cloud hosting mode uses its Meraki portfolio. DNA Center does not support hierarchical tenant and MSP management architecture
This test report compares and analyzes both the Huawei CloudCampus solution and the Cisco DNA solution. The following
sections elaborate on the differences between each in terms of automated network management, intelligent O&M and
experience assurance, network security, and network openness.
According to the networking test performed by Tolly, it was determined that both the Huawei CloudCampus solution and the
Cisco DNA solution are capable of automated network management. However, the Huawei solution supports more network
design and planning scenarios, more efficient underlay and overlay automated deployment, and more refined policies.
The following table compares the Huawei CloudCampus and Cisco DNA solutions in terms of automated deployment.
Campus Network Design
Huawei CloudCampus: Agile Controller V3.0 supports:
• Online site creation and design, including indoor floor plan, outdoor GIS identification, general authentication templates, and resource pool creation
• Planning and importing devices and links using an Excel template
• Pre-creating a fabric: Specify the pre-imported devices in the fabric, specify the role of each device in the fabric, configure extended access, and specify the access type of each port on each device
Cisco DNA: Cisco DNA Center supports site creation and design, including general templates and resource pool creation. However, it does not support device and link planning, import, and pre-configuration. Devices can be configured only after automatic discovery during deployment
Automated Underlay Network Deployment
Huawei CloudCampus: 1 hour (note 1)
Agile Controller V3.0 implements automated underlay network deployment in three steps:
1. Configure DHCP (including option 148) on the gateway
2. Connect and power on all switches according to the planning. The underlay network will be automatically deployed
3. Install and power on WLAN APs: scan barcodes using the mobile Huawei CloudCampus APP to deploy APs after powering them on (you can also pre-import APs using serial numbers)
Cisco DNA: 1.5 hours (note 1)
Cisco DNA Center implements automated underlay network deployment in five steps:
1. Connect and power on all switches according to the planning
2. Install and power on WLAN APs
3. Add one or two seed switches in the DNA Center
4. LAN switches are automatically discovered, and devices are named using an Excel template (binding the serial numbers of the devices).
5. Bind the devices to a site and deliver public site configuration data to the devices
Automated Overlay Network Deployment
Huawei CloudCampus: 1 hour (note 1)
Agile Controller V3.0 implements automated overlay network deployment in two steps:
1. Create a VN (logical network), specifying the external gateway and the interface corresponding to the DHCP server
2. Configure access permission policies for UCL user groups
• Decoupling of security access policies from IP addresses and VLANs
• Two-level network segmentation:
a. VN isolation
b. The VN uses user security groups (UCL groups) to implement free mobility. Users obtain the same access permission regardless of where they log in from and which IP address they obtain
• Isolation or mutual access between VNs; refined special scenarios such as independent or shared egress gateway configuration for VNs
• Legacy Huawei switches that do not support the VXLAN feature can be reused as extended access devices, implementing VLAN-VXLAN hybrid networking using policy association
Cisco DNA: 1 hour (note 1)
Cisco DNA Center implements automated overlay network deployment in four steps:
1. Create a VN in the Policy page
2. Create group-based access control in the Policy page
3. Create a fabric and configure Fabric Infrastructure in the Provision page
4. In the fabric created on the Provision page, configure Host Onboarding and specify the access type of each port on each device
• Cisco also supports VN-based network segmentation and user security group-based access control
• No VN mutual access settings are found on the Cisco DNA Center GUI. Configuring a shared egress gateway for different VNs is not supported
• Cisco DNA also supports the reuse of legacy devices as extension nodes
Automated SD-WAN Deployment
Huawei CloudCampus: Agile Controller V3.0 supports:
• Zero-touch provisioning (ZTP) of AR series routers
• Configuration of intelligent traffic steering and application-based traffic control for AR series routers
• SD-WAN security (including security settings on the firewall)
• One system to manage both LAN and WAN
Cisco DNA: An additional vManage system is required to manage SD-WAN and SD-WAN security
Automated Policy Deployment
Huawei CloudCampus: Agile Controller V1.0 functions as the RADIUS authentication server, and access policies can be configured for UCL user groups (note 2).
Cisco DNA: Cisco DNA Center can integrate Cisco ISE to invoke user security groups from ISE and configure user access policies
1. Estimated time in the lab environment. Actual deployment time varies depending on network environment and scale.
2. Agile Controller V1.0 needs to be used as the RADIUS authentication server to configure user security groups and corresponding policies. Huawei disclosed that these functions will soon be incorporated into Agile Controller V3.0. All other functions in this report use Agile Controller V3.0.
Huawei CloudCampus
WLAN Planning:
Huawei uses the web application WLAN Planner (https://serviceturbo-cloud.huawei.com/serviceturbocloud/#/Home?lang=en)
and the mobile app CloudCampus APP for WLAN planning. The following uses indoor WLAN planning as an example to
describe the specific procedure:
1. Import a floor plan (supporting images and CAD drawings) into the WLAN Planner.
2. Log in to the CloudCampus APP and perform site survey (for example, take photos and mark obstacles and interference
sources on the floor plan, such as microwave ovens). Site survey marks and photos will be automatically synchronized to
the cloud.
3. On the WLAN Planner GUI, lay out the interference sources on the floor plan according to the site survey marks and define
their types. Then draw obstacles and define the obstacle type.
4. Select the area to be covered, and the area where APs can be deployed.
5. Automatically or manually deploy APs in the floor plan.
6. Generate a signal simulation heatmap to simulate the signal-to-noise ratio (SNR) and connection rate of Wi-Fi clients.
7. Export the WLAN planning file.
8. Import the exported network planning file to Agile Controller V3.0 for later use. The floor plan and devices will be
automatically imported.
Huawei WLAN Planner also provides a number of unique features, such as automatic deployment of APs in multi-story
buildings, and simulation of 3D roaming tracks. This tool also supports planning for outdoor AP deployment. Based on maps,
Huawei WLAN Planner can simulate the signals of outdoor WLAN APs and generate heatmaps after obstacles such as trees and
buildings are drawn. Outdoor WLAN planning results can also be exported.
[Figures: Huawei WLAN Planner Indoor WLAN Planning; Huawei WLAN Planner Outdoor WLAN Planning]
[Figure: Fabric Creation, Distributed Gateways]
When pre-creating a fabric, administrators can activate the automated configuration of the underlay network with one click.
With pre-imported devices and pre-created fabric from the planning process, the actual deployment of physical devices and
underlay & overlay network services will be easy.
Huawei CloudCampus
Huawei's underlay network is automatically deployed in only three steps, as follows:
1. Configure the gateway as the DHCP server with IP pools to assign management IP addresses to new switches and WLAN
APs. Configure DHCP Option 148 on the gateway to deliver the Agile Controller V3.0 address to new switches so that the
new switches can go online on Agile Controller V3.0.
2. Connect and power on all switches as planned. Huawei Agile Controller V3.0 automatically extracts VLAN resources and IP
network segments from the underlay resource pool based on the devices in the pre-configured fabric. Agile Controller V3.0
then automatically delivers OSPF configurations to these devices to enable Layer 3 communication between all devices. In
addition, all devices go online and are managed by Agile Controller V3.0 through the management VLAN.
3. Log in to the CloudCampus APP on a mobile phone. Then, connect to Agile Controller V3.0 to obtain the floor plan and AP
information that have been exported from the WLAN Planner. When deploying an AP, engineers can find the AP's icon in
the topology on the CloudCampus APP based on the AP's physical location. Next, touch "Install here", and scan the barcode
on the back of the AP. The AP then goes online and is managed by Agile Controller V3.0. Deployment by scanning barcodes
is intuitive and perfectly matches WLAN planning. In addition, the APs on the floor plan on Agile Controller V3.0 accurately
map the actual physical APs, facilitating subsequent O&M. Huawei Agile Controller V3.0 also supports import of WLAN APs
by binding ESNs.
[Figure callout: Naming devices by importing a CSV file with device serial numbers]
5. On the Provision page, bind each device to a site and apply common configurations of the site to devices.
Huawei CloudCampus
Huawei fabric has been pre-created in the campus network design phase. After devices go online and BGP EVPN and VXLAN
configurations are automatically delivered, Huawei overlay network can be automatically deployed in only two steps (no specific
order is required):
1. Create VNs (logical networks) and perform access configurations.
[Figure callout: Configurations of access ports (authentication profiles and VLANs)]
2. Configure user security groups and access permission policies in a matrix to implement free mobility.
Fabrics in the Huawei CloudCampus solution are more flexible. For example, the fabrics support VN isolation or mutual access
between VNs in special scenarios. In addition, Huawei fabrics support independent or shared egress gateways between VNs.
Fabrics in the Huawei CloudCampus solution support the reuse of network devices. Even if some older generation access
switches do not support VXLAN, they can be used as extended access switches and can connect to upstream edge devices.
Through association between VLANs and policies, users and WLAN APs can connect to extended access switches, implementing
network segmentation of fabrics and user access control. Extended access switches are also automatically deployed through
Agile Controller V3.0.
3. Create a fabric on the Provision tab and configure the fabric infrastructure.
4. On the fabric created on the Provision tab, configure Host Onboarding and set the access type of each port.
Cisco DNA solution also supports the reuse of network devices. Older generation Cisco access switches that do not support
fabric configuration can be configured as extended nodes.
Source: Huawei
User-level Experience Visibility and Evaluation
Huawei CloudCampus: Huawei CampusInsight provides whole-journey experience visibility of each user at any time. For example, CampusInsight displays the time when a user connects to a WLAN AP, which WLAN AP the user connects to, what the access experience is (including the access time consumed, average negotiated rate, air-interface packet loss rate, latency, total traffic, and signal strength), how the user roams, what problems the user encounters, and whether the problems are caused by the network or client
Cisco DNA: Cisco DNA Assurance supports online evaluation of user experience. The supported data types are less than those supported by Huawei CampusInsight. Cisco DNA Assurance does not support evaluation of roaming fault causes and air-interface packet loss rate
Application-level Experience Visibility and Evaluation
Huawei CloudCampus: Huawei CampusInsight supports visualization and evaluation of video and audio application experiences
Cisco DNA: Cisco DNA Assurance provides similar capabilities
Anomaly Identification and Root Cause Analysis
Huawei CloudCampus: Huawei CampusInsight supports the following functions:
1. Identifies user access issues through protocol tracing and analyzes root causes.
Cisco DNA: Cisco DNA Assurance supports network anomaly identification and root cause analysis, and provides remediation suggestions
Fault Prediction
Huawei CloudCampus: Huawei CampusInsight supports prediction of optical module faults, displays the status of network-wide optical modules in the optical link view, and predicts the optical link fault probability based on expert experience
Cisco DNA: Cisco DNA Assurance does not provide similar functions
Network Troubleshooting and Optimization
Huawei CloudCampus: Huawei CampusInsight provides the intelligent radio calibration function that enables real-time simulation feedback of WLAN AP channels, big data-based predictive WLAN calibration without manual intervention, and comparison of gains before and after calibration
Cisco DNA: The radio calibration function is available, but the simulation feedback and predictive optimization functions are not found
Huawei CloudCampus
Huawei CampusInsight provides a quality evaluation system based on seven indicator dimensions (namely, access success rate,
access time consumed, roaming fulfillment rate, coverage signal strength, capacity fulfillment rate, throughput fulfillment rate,
and device in-service rate) in four categories. CampusInsight can learn based on AI-powered dynamic baselines to intuitively
score the overall network quality. While focusing on user experience, Huawei CampusInsight supports in-depth mining of
technical indicators from each user experience dimension, and identifies the cause of poor experience through analysis and
comparison in space and time.
• User access: It covers the access success rate and access time consumed. Huawei CampusInsight analyzes the success rate
and time consumption of clients in the authentication, association, and DHCP-based IP address acquisition phases, and
displays the total success rate and time consumption after statistics collection. In terms of experience evaluation,
CampusInsight focuses not only on the access success rate but also on the access speed.
• Air interface performance: CampusInsight evaluates air interface performance from the perspectives of the signal strength,
capacity fulfillment rate, and throughput fulfillment rate. It also analyzes the signal strength of campus WLANs, average
number of connected clients and channel usage of WLAN APs, air interface congestion fulfillment rate of WLAN AP radios,
proportion of interfered clients, and proportion of clients connected through non-5G signals.
• Roaming: CampusInsight displays the client roaming fulfillment rate, and analyzes the roaming success rate and roaming
time consumed.
• Device in-service rate: CampusInsight displays the in-service rate of network devices including wireless access controllers,
WLAN APs, and switches.
[Figure: Mining and analyzing the “association success rate” technical indicator in the “user access success rate” indicator dimension. Panels: Trend; Issue Analysis (analyze and locate the AP, client, configuration, or air interface environment that causes each issue); Faulty AP / Issue Cause / Faulty Client (displaying AP in this figure)]
[Figure: Cisco DNA Assurance – Data Statistics. DNA Assurance focuses on device health and does not score experience]
[Figure callout: Displays the entire user access process: to which AP the user was connected, experience status (including the average negotiated rate, packet loss rate, latency, total traffic, and RSSI), and whether a problem had occurred]
Huawei CloudCampus
Huawei CampusInsight makes a difference by providing the powerful protocol tracing function that records detailed
information about every time a user accesses the WLAN. In this way, the administrator can quickly pinpoint at which step the
fault occurred, and then locate and rectify the fault based on the remediation suggestions provided by CampusInsight.
[Figure callouts: Association Fault; Root Cause Analysis]
Huawei CloudCampus
Huawei CampusInsight offers the following functions for anomaly identification and root cause analysis:
• Accurately infers fault scenarios based on the fault knowledge base.
• Identifies four issue categories (network access, air interface performance, roaming, and device issues) and root causes.
• Provides remediation suggestions.
Each issue category contains multiple specific issue types. For example, the network access issue category includes
authentication failure, authentication timeout, slow authentication, association failure, slow association, DHCP failure, and slow
DHCP address acquisition. The air interface performance issue category covers weak signal coverage, high interference, high
channel utilization, air interface congestion, non-5G-priority access, and client capacity threshold-crossing.
[Figure: Impacted vendor, SSID, AP, switch, client, and root cause analysis. Panels: Associated Events; Possible Causes]
Huawei CloudCampus
Huawei CampusInsight is designed with the intelligent radio calibration feature that provides two key functions:
• Offers fast simulation feedback during WLAN deployment and provides channel suggestions on a per-AP basis.
• Delivers predictive calibration during WLAN operations. Based on the historical big data collected through Telemetry,
Huawei CampusInsight can identify and analyze edge APs, predict APs that will be highly loaded, and predictively auto-
optimize the network. In the following example, after predictive calibration is performed, CampusInsight shows that the
average downlink bandwidth for clients increases by 58%; average uplink bandwidth for clients increases by 54%; average
interference rate (the lower, the better) decreases by 49%; and average channel usage (the lower, the better) decreases by
36%.
[Figure: Simulation status & score on the floor after suggested calibration. Callout: Calibration suggestion to each AP, including the current channel and the suggested channel]
[Figure: Predictive calibration result of the H2 building (pre-calibration value in green, post-calibration value in blue, magnified below). Axes: Mbps, Time. Calibration Details columns: AP Name, Radio, Channel Before/After Calibration, Frequency Bandwidth Before/After Calibration]
Cybersecurity Comparison
Basic Security Capabilities
Huawei CloudCampus: IPS, anti-virus, and URL filtering
Cisco DNA: IPS, anti-virus, and URL filtering
Huawei CloudCampus
Proactive threat deception is achieved through collaboration between Huawei campus switches, Agile Controller V3.0, and CIS.
Tolly engineers verified two types of proactive threat deception:
• When an attacker attempts to scan the network and ping a nonexistent IP address (no device is using this IP address),
Huawei campus switches redirect the ping request to Huawei CIS. CIS then simulates an endpoint reply to this ping request
and records the attack event.
• When an attacker attempts to scan the network and access an HTTP page with a nonexistent IP address, Huawei campus
switches redirect the access request to Huawei CIS. CIS then simulates a website reply to this access request and records the
attack event.
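The deception behaviour described above, modelled as an added example (not code from the report, Huawei or Tolly): a probe to an unused campus address is answered by a decoy and recorded, and sources that touch several unused addresses are flagged. The subnet, the in-use address set, the log format and the min_targets threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed values for illustration; none of them come from the report.
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/24")
IN_USE = {ipaddress.ip_address(a)
          for a in ("10.20.0.1", "10.20.0.10", "10.20.0.11", "10.20.0.50")}

# Constructed probe records: timestamp, source, destination, protocol, dest port.
SAMPLE_PROBES = """\
2024-01-01T10:00:00 10.20.0.10 10.20.0.11 icmp -
2024-01-01T10:00:02 10.20.0.10 10.20.0.12 icmp -
2024-01-01T10:00:05 10.20.0.50 10.20.0.77 icmp -
2024-01-01T10:00:05 10.20.0.50 10.20.0.78 icmp -
2024-01-01T10:00:06 10.20.0.50 10.20.0.79 tcp 80
2024-01-01T10:00:07 10.20.0.50 10.20.0.255 icmp -
2024-01-01T10:00:08 10.20.0.11 10.20.0.1 tcp 80
2024-01-01T10:00:09 10.20.0.11 198.51.100.7 tcp 80
"""


@dataclass(frozen=True)
class Probe:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: Optional[int]


def parse_probe(line):
    """Parse one whitespace-separated probe record ('-' means no port)."""
    ts, src, dst, proto, dport = line.split()
    return Probe(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                 proto, None if dport == "-" else int(dport))


def decoy_reply(probe):
    """Return the reply a decoy would simulate, or None to forward normally."""
    if probe.dst not in CAMPUS_NET or probe.dst in IN_USE:
        return None  # off-campus destination or a real host
    if probe.dst in (CAMPUS_NET.network_address, CAMPUS_NET.broadcast_address):
        return None  # network and broadcast addresses are never hosts
    if probe.proto == "icmp":
        return "icmp-echo-reply"
    if probe.proto == "tcp" and probe.dport == 80:
        return "http-response"
    return None  # only the two verified probe types are modelled


def process(log_text):
    """Return the deception events recorded for the given probe log."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        probe = parse_probe(line)
        reply = decoy_reply(probe)
        if reply is not None:
            events.append({"ts": probe.ts, "src": str(probe.src),
                           "dst": str(probe.dst), "simulated": reply})
    return events


def suspects(events, min_targets=3):
    """Sources that touched at least min_targets distinct unused addresses."""
    targets = defaultdict(set)
    for event in events:
        targets[event["src"]].add(event["dst"])
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)


if __name__ == "__main__":
    recorded = process(SAMPLE_PROBES)
    for event in recorded:
        print(event)
    print("suspects:", suspects(recorded))
```

The threshold separates a host that mistypes one address from a source sweeping the subnet; every touch on an unused address is still recorded as an event.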
• Support of third-party industry applications (such as retail, manufacturing, and enterprise office applications): Supports commercial Wi-Fi, electronic shelf label (ESL), asset management, AGV, and UWB applications
• Interoperability with third-party systems (such as AAA, NMS, and network planning systems): Interoperates with Aruba ClearPass, Cisco ISE, and SolarWinds systems
• Interoperability with other vendors' devices on network protocols: Interoperates with Cisco switches on network protocols, including Layer 2 basic protocols, Layer 2 high availability protocols, link aggregation protocols, routing protocols, Layer 3 high availability protocols, MPLS VPN protocols, Layer 3 multicast routing protocols, and NTP protocols
• Interoperability with a wide variety of endpoints: Interoperates with and provides PoE power supply to IP phones (including those from ATCOM, AudioCodes, Avaya, Cisco, Mitel, Polycom, and Yealink), WLAN APs (for example, Aruba, Cisco, D-LINK, Fortinet, H3C, Huawei, Motorola, Ruckus, Ruijie, SUNDRAY, and TP-LINK brands), and IP cameras (IPCs) (such as Dahua, Hikvision, and Huawei IPCs)
Alternatively, go to Huawei's interoperability web page to download the preceding reports at:
https://e.huawei.com/en/related-page/solutions/business-needs/enterprise-network/campus-network/partners/Interconnection-and-interworking
CampusInsight V100R019C00
Terms of Usage
This document is provided, free-of-charge, to help you understand whether a given product, technology or service merits additional
investigation for your particular needs. Any decision to purchase a product must be based on your own assessment of suitability
based on your needs. The document should never be used as a substitute for advice from a qualified IT or business professional. This
evaluation was focused on illustrating specific features and/or performance of the product(s) and was conducted under controlled,
laboratory conditions. Certain tests may have been tailored to reflect performance under ideal conditions; performance may vary
under real-world conditions. Users should run tests based on their own real-world scenarios to validate performance for their own
networks.
Reasonable efforts were made to ensure the accuracy of the data contained herein but errors and/or oversights can occur. The test/
audit documented herein may also rely on various test tools the accuracy of which is beyond our control. Furthermore, the
document relies on certain representations by the sponsor that are beyond our control to verify. Among these is that the software/
hardware tested is production or production track and is, or will be, available in equivalent or better form to commercial customers.
Accordingly, this document is provided "as is", and Tolly Enterprises, LLC (Tolly) gives no warranty, representation or undertaking,
whether express or implied, and accepts no legal responsibility, whether direct or indirect, for the accuracy, completeness, usefulness
or suitability of any information contained herein. By reviewing this document, you agree that your use of any information contained
herein is at your own risk, and you accept all risks and responsibility for losses, damages, costs and other consequences resulting
directly or indirectly from any information or material available on it. Tolly is not responsible for, and you agree to hold Tolly and its
related affiliates harmless from any loss, harm, injury or damage resulting from or arising out of your use of or reliance on any of the
information provided herein.
Tolly makes no claim as to whether any product or company described herein is suitable for investment. You should obtain your
own independent professional advice, whether legal, accounting or otherwise, before proceeding with any investment or project
related to any information, products or companies described herein. When foreign translations exist, the English document is
considered authoritative. To assure accuracy, only use documents downloaded directly from Tolly.com. No part of any document may
be reproduced, in whole or in part, without the specific written permission of Tolly. All trademarks used in the document are owned
by their respective owners. You agree not to use any trademark in or as the whole or part of your own trademarks in connection with
any activities, products or services which are not ours, or in a manner which may be confusing, misleading or deceptive or in a
manner that disparages us or our information, projects or developments.