the current location of a device and provides information resources and basic
services for the device through the mobile Internet.
2. ABC
1. User identity authentication request: A terminal sends the user credential to an
admission device.
2. User identity authentication: The admission device sends the user credential to the
admission server for authentication.
3. User identity verification: The admission server stores user identity information and
manages users. After receiving the user credential of the terminal, the admission
server verifies the identity of the terminal, and delivers the verification result and
corresponding policy to the admission device.
• Users can determine the authentication mode between the access device and
authentication server based on the client support and network protection
requirements.
▫ EAP termination mode: The access device terminates EAP packets and encapsulates
them into RADIUS packets. The authentication server then uses the standard
RADIUS protocol to implement authentication, authorization, and accounting.
▫ EAP relay mode: The access device directly encapsulates the received EAP packets
into EAP over RADIUS (EAPoR) packets, and then transmits these packets over a
complex network to the authentication server.
• EAPoL defines EAP encapsulation on IEEE 802 (such as 802.3 and 802.11) networks.
EAPoL only transmits EAP packets between 802.1X clients and access devices, and does
not implement authentication.
• Typical EAP authentication protocols include EAP-TLS, EAP-TTLS, EAP-PEAP, and EAP-MD5.
• The EAP relay mode simplifies processing on the access device and supports various
authentication methods. However, the authentication server must support EAP and
have high processing capability. The commonly used authentication modes are
EAP-TLS, EAP-TTLS, and EAP-PEAP. EAP-TLS offers the highest security because it
requires a certificate on both the client and the authentication server. EAP-TTLS and
EAP-PEAP are easier to deploy because a certificate is needed only on the
authentication server, not on the client.
• The NAC bypass mechanism grants specified network access rights to users when the
authentication server is down, or to users who fail authentication or are in the
pre-connection state. The bypass solutions vary according to the authentication modes.
Some bypass solutions are shared by all authentication modes, while others are
supported only in specific authentication modes. For details, see "NAC Escape
Mechanism" in the product documentation.
• Note:
▫ MAC address authentication supports only user logout control by the access
device and server.
▫ Portal authentication allows both the authentication server and Portal server to
control user logout.
• In addition to lower security, moving authentication points upwards may cause the
following problems:
▫ An administrator does not know the access positions of users, making fault locating
difficult.
▫ The gateway cannot detect user logout in real time, and the detection process
increases the workload on the gateway.
• User login process:
1. The authentication control device establishes a CAPWAP tunnel with the
authentication access device.
2. When detecting the access of a new user, the authentication access device creates a
user association entry to record basic information such as the user and access
interface.
3. The authentication access device sends a user association request to the
authentication control device.
4. The authentication control device creates a user association entry to save the
mapping between the user and authentication access device, and sends a user
association response to notify the authentication access device of successful
association.
5. The user initiates an authentication request to the authentication control device. The
authentication access device forwards the authentication packets between the user
and authentication control device.
6. The authentication control device deletes the user association entry. When the
authentication succeeds, the authentication control device generates a complete
user entry, sends a user authorization request to the authentication access
device, and delivers the network access policy for the user.
7. The authentication access device updates the user association entry, grants the
specified network access rights to the user, and sends a user authorization response
to the authentication control device.
8. The user accesses the specified network resources.
• Decoupling of service policies from IP addresses
▫ iMaster NCE introduces the concept of security group. Administrators can
dynamically allocate end users to different security groups based on 5W1H
conditions in the authentication process and define control policies based on security
groups on switches. When a policy enforcement point (switch) matches service
packets with a given policy, it first matches the source/destination security group
based on the source/destination IP address of the packets, and then matches the
inter-group policy predefined by the administrator based on the source/destination
security group of the packets.
▫ With this innovative solution, all user- and IP address-based service policies on
traditional networks can be migrated to security group-based ones. When
predefining service policies, administrators do not need to consider the IP addresses
actually used by users, implementing complete decoupling between service policies
and IP addresses.
• Centralized management of user information
▫ iMaster NCE can centrally manage user authentication and onboarding information
and obtain the mappings between network-wide users and IP addresses.
• Centralized policy management
▫ iMaster NCE is not only the authentication center of the campus network, but also
the management center of service policies. Administrators can manage network-wide
policies on the iMaster NCE web UI. Service policies can be automatically
delivered to network-wide policy enforcement points after being configured only
once.
• Additional information about the policy enforcement point
▫ The policy enforcement point is responsible for enforcing security group-based
service policies. To enforce these service policies, the policy enforcement point must
be able to identify the source/destination security group information of packets. The
mapping between IP addresses and security groups can be obtained through
authentication, static configuration, or push by iMaster NCE.
▫ The authentication point and policy enforcement point are two device roles. Based
on the administrator's configuration and device capabilities, a physical device can
play either or both of the two roles.
• The administrator can define users and security groups on iMaster NCE in a unified
manner. Security groups can be defined based on network services for configuring
inter-group control policies.
• The administrator defines inter-group control policies in a matrix on iMaster NCE and
deploys the policies on policy enforcement points as needed.
• When a user is being authenticated, iMaster NCE associates the user with a security
group based on the user login conditions. After the user is authenticated successfully,
iMaster NCE delivers the authorization result containing the security group to which
the user belongs to the authentication point. During 802.1X authentication, if a
terminal has not obtained an IP address, the authentication point automatically detects
the actual IP address of the user after the user is successfully authenticated and
obtains an IP address, and reports the user's actual IP address to iMaster NCE.
• A user sends service traffic. When a packet reaches the policy enforcement point, the
device identifies the security group that matches the source and destination IP
addresses of the packet and enforces the corresponding inter-group policy.
• When the authentication point and policy enforcement point are separated, the policy
enforcement point needs to obtain the mapping between terminal IP addresses and
security groups (that is, IP-security group entries) to identify the source and destination
security groups of traffic during policy enforcement. Therefore, users need to configure
the IP-security group entry subscription function for the specific device. After the
configuration is complete, iMaster NCE pushes IP-security group entries to the device in
real time so that the device can obtain the security group information about an end
user even if the user is not authenticated on the device.
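The security-group mechanism described above (IP-to-group classification followed by an inter-group matrix lookup) is easy to misread as "just an ACL with nicer names"; the point is that the matrix never mentions an IP address, so a user changing addresses changes only the pushed entry, not the policy. The following Python model is an added example, not code from the page or from iMaster NCE; the entries, group names and addresses are constructed, and the choice to fail closed when an endpoint has no subscribed entry is an assumption (the page says the enforcement point "must be able to identify" the groups but does not state what happens when it cannot).

```python
import ipaddress

# Constructed IP-security group entries, modelling what a controller such as
# iMaster NCE would push to a policy enforcement point (sample data, not real).
IP_SECURITY_GROUP_ENTRIES = {
    "10.1.10.21": "RD-Staff",
    "10.1.10.22": "RD-Staff",
    "10.1.20.7": "Finance-Staff",
    "10.200.0.10": "Finance-Servers",
    "10.200.0.50": "Code-Repo",
}

# Inter-group control matrix: (source group, destination group) -> action.
# Pairs not listed fall through to DEFAULT_ACTION (fail closed; an assumption).
INTER_GROUP_POLICY = {
    ("Finance-Staff", "Finance-Servers"): "permit",
    ("RD-Staff", "Code-Repo"): "permit",
    ("RD-Staff", "Finance-Servers"): "deny",
}
DEFAULT_ACTION = "deny"


def security_group_of(ip, entries=IP_SECURITY_GROUP_ENTRIES):
    """Return the security group bound to an IP address, or None when no entry exists."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return entries.get(ip)


def enforce(src_ip, dst_ip, entries=IP_SECURITY_GROUP_ENTRIES, matrix=INTER_GROUP_POLICY):
    """Classify both endpoints into security groups, then look up the inter-group policy."""
    src_group = security_group_of(src_ip, entries)
    dst_group = security_group_of(dst_ip, entries)
    if src_group is None or dst_group is None:
        # The enforcement point has no subscribed entry for one side and
        # cannot identify its group, so it cannot apply a permit (assumption).
        return DEFAULT_ACTION
    return matrix.get((src_group, dst_group), DEFAULT_ACTION)


def apply_entry_push(entries, pushed):
    """Merge a real-time push of IP-security group entries; a value of None removes a binding."""
    updated = dict(entries)
    for ip, group in pushed.items():
        if group is None:
            updated.pop(ip, None)
        else:
            updated[ip] = group
    return updated


if __name__ == "__main__":
    print(enforce("10.1.20.7", "10.200.0.10"))   # Finance-Staff -> Finance-Servers: permit
    print(enforce("10.1.10.21", "10.200.0.10"))  # RD-Staff -> Finance-Servers: deny
    # A finance user re-authenticates and receives a new address; the matrix is untouched,
    # only the pushed entry changes, and the same permit still applies.
    moved = apply_entry_push(IP_SECURITY_GROUP_ENTRIES,
                             {"10.1.20.7": None, "10.1.30.99": "Finance-Staff"})
    print(enforce("10.1.30.99", "10.200.0.10", entries=moved))  # permit
```

The `apply_entry_push` step is where the separated authentication point and enforcement point matter: if the push is delayed or lost, the enforcement point sees an address with no group and, in this model, denies it rather than guessing.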
• Answers:
1. D
2. ACD
• According to the free-space signal attenuation model, the signal strength is
related to the frequency and distance. A higher frequency indicates a larger
signal attenuation. As the distance increases, the signal attenuation increases.
• Radio calibration is triggered when a new AP is connected to the network, an AP
is out of service, or the external radio environment deteriorates.
• In addition to radio calibration, channel adjustment can also be used in dynamic
frequency selection (DFS). In some regions, radar systems work on the 5 GHz
frequency band, which may interfere with radio signals of APs working on the 5
GHz frequency band. The DFS function enables APs to automatically switch to
other channels when they detect interference on their working channels.
• An AP's transmit power determines its radio coverage area. APs with higher
power have larger coverage areas. A traditional method to control the radio
power is to set the transmit power to the maximum value to maximize the radio
coverage area. However, a high transmit power level may cause interference with
other wireless devices. Therefore, the optimal power is required to balance the
coverage range and signal quality.
• Power adjustment enables APs to dynamically adjust their transmit power based
on the real-time radio environment.
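The two qualitative statements above (attenuation grows with frequency and distance; transmit power sets the coverage radius) can be made concrete with the free-space path loss formula, FSPL = 20·log10(4πdf/c). The block below is an added example, not material from the page; it assumes ideal free-space propagation with isotropic antennas, which is optimistic indoors, and the power and RSSI figures in the demo are constructed.

```python
import math

C_M_PER_S = 299_792_458.0  # speed of light


def free_space_path_loss_db(distance_m, freq_hz):
    """Free-space path loss in dB: 20*log10(4*pi*d*f/c). Grows 6 dB per doubling of d or f."""
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C_M_PER_S)


def received_power_dbm(tx_power_dbm, distance_m, freq_hz, tx_gain_dbi=0.0, rx_gain_dbi=0.0):
    """Link budget under free-space conditions (assumption: no walls, fading or body loss)."""
    return tx_power_dbm + tx_gain_dbi + rx_gain_dbi - free_space_path_loss_db(distance_m, freq_hz)


def coverage_radius_m(tx_power_dbm, min_rssi_dbm, freq_hz, tx_gain_dbi=0.0, rx_gain_dbi=0.0):
    """Distance at which the received signal falls to min_rssi_dbm: invert the FSPL formula."""
    allowed_loss_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - min_rssi_dbm
    return 10 ** (allowed_loss_db / 20) * C_M_PER_S / (4 * math.pi * freq_hz)


if __name__ == "__main__":
    # Constructed figures: 20 dBm AP, STA needs -65 dBm.
    for label, f in (("2.4 GHz", 2.4e9), ("5 GHz", 5.0e9)):
        print(f"{label}: loss at 10 m = {free_space_path_loss_db(10, f):.1f} dB, "
              f"radius at 20 dBm = {coverage_radius_m(20, -65, f):.0f} m, "
              f"radius at 14 dBm = {coverage_radius_m(14, -65, f):.0f} m")
```

Two things the numbers show that the prose only asserts: at the same distance 5 GHz loses about 6.4 dB more than 2.4 GHz (20·log10(5/2.4)), and backing the transmit power off by 6 dB halves the free-space radius, which is why power adjustment trades coverage against interference rather than simply maximising either.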
• The DFA algorithm is used to automatically identify and adjust redundant 2.4
GHz radios. This algorithm processes a redundant radio as follows:
▫ After identifying a redundant radio, the DCA algorithm switches the radio to
the 5 GHz or monitor mode based on the channels, bandwidth, and
interference of other radios on the network.
▫ After the redundant radio is switched to the 5 GHz mode, it works on the
default 5 GHz channel. In this case, the DCA algorithm is used again to adjust
the radio channel.
▫ During this process, if a coverage hole is detected on 2.4 GHz radios, the 5
GHz radio is switched back to the 2.4 GHz mode.
▫ If the WAC restarts, the APs go online again with the original configurations
before the WAC restart, including the channel, power, frequency band, and
radio status. If an AP goes online after a long period of time, the WAC
determines redundant radios and allocates bands to radios again.
▫ When the DFA function is disabled, the redundant radio configuration is
restored. For example, the radio in 5 GHz or monitor mode will be restored to
the 2.4 GHz mode.
• Redundant radios on a WLAN not only generate co-channel interference but also
waste the network capacity. Therefore, the following policies are available to
process redundant radios:
▫ Switching to the 5 GHz mode: If 5 GHz channel resources are available, a
redundant radio can be switched to the 5 GHz mode, increasing the maximum
capacity of 5 GHz radios.
▫ Switching to the monitor mode: If no more 5 GHz channel resources are
available, a redundant radio can be switched to the monitor mode and used
for scanning services.
• DBS algorithm:
▫ After global radio calibration is enabled on the WAC, the WAC instructs each
AP to perform neighbor probing periodically.
▫ The WAC delivers calibration results to the APs. After the WAC performs
global radio calibration for the first time, it starts the next global radio
calibration only once it has received neighbor information from all APs. The WAC
continuously performs global radio calibration to obtain optimal and
accurate calibration results.
• On live networks, most STAs support both 2.4 GHz and 5 GHz frequency bands.
When attempting to join a WLAN, some of the STAs associate with the 2.4 GHz
radio of APs by default. As a result, the 2.4 GHz frequency band with fewer
channels is congested, heavily-loaded, and has severe interference. The 5 GHz
frequency band with more channels and less interference is not well used. When
the 2.4 GHz frequency band has a large number of users or severe interference,
the 5 GHz frequency band can provide better access services for wireless users.
Users must manually select the 5 GHz radio to connect to it.
• 5G-prior access
▫ A STA preferentially accesses the 5 GHz frequency band before the number of
access STAs on an AP reaches the start threshold for 5G-prior access during
band steering.
• Intra-AP load balancing
▫ If the number of access STAs on an AP exceeds the start threshold for 5G-prior
access, new STAs and some 5 GHz STAs are steered to the 2.4 GHz radio of
the AP, implementing load balancing between different radios of the AP.
• If an AP does not receive any response from a STA after three attempts regarding
the instruction of connecting to the 5 GHz frequency band, the AP will send a
request to the STA, instructing it to connect to the 2.4 GHz frequency band.
• If an AP always steers 5 GHz STAs to its 5 GHz radio without comparing loads on
the 2.4 GHz and 5 GHz frequency bands, the 5 GHz frequency band may be
heavily loaded while the 2.4 GHz frequency band may be lightly loaded. Huawei
provides the band steering feature to achieve load balancing between the 2.4
GHz and 5 GHz radios. After band steering is enabled, an AP determines whether
to preferentially steer STAs to the 5 GHz or 2.4 GHz radio based on loads on the
two radios.
▫ The AP first checks whether the number of access STAs on the AP exceeds the
start threshold for load balancing. If not, the STA can preferentially access the
5 GHz radio.
▫ If the number of access STAs exceeds the start threshold for load balancing,
the AP calculates the load difference between the two radios using the
following formula: (Number of access STAs on the 5 GHz radio – Number of
access STAs on the 2.4 GHz radio)/Number of access STAs on the 5 GHz radio
x 100%. The AP compares the load difference with the load difference
threshold for load balancing between radios, and then determines the radio to
which the STA can connect.
• For example, after band steering is enabled for an AP, if a STA requests to
associate with the AP at the 2.4 GHz radio but the number of access STAs on the
2.4 GHz radio has exceeded the start threshold for load balancing, the AP
implements load balancing between the 2.4 GHz and 5 GHz radios based on the
load difference between the radios. If the value calculated using the formula
[(Number of access STAs on the 5 GHz radio – Number of access STAs on the 2.4
GHz radio)/Number of access STAs on the 5 GHz radio x 100%] is greater than
the load difference threshold for load balancing between radios, the AP
preferentially steers the STA to the 2.4 GHz radio; otherwise, the AP preferentially
steers the STA to the 5 GHz radio.
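The band-steering decision above has a subtle failure mode that the formula does not mention: the load difference divides by the number of 5 GHz STAs, so it is undefined when that radio is empty. The following Python model is an added example, not code from the page or from any Huawei product; the thresholds are constructed, and treating an empty 5 GHz radio as the lighter one is an assumption. The simulation goes beyond the page's single worked case by steering a sequence of arriving STAs so you can see the two radios settle near the configured difference threshold.

```python
def load_difference_percent(n_5g, n_2g4):
    """Page formula: (STAs on 5 GHz - STAs on 2.4 GHz) / STAs on 5 GHz x 100%.

    Returns None when the 5 GHz radio has no STAs, where the quotient is undefined.
    """
    if n_5g == 0:
        return None
    return (n_5g - n_2g4) / n_5g * 100.0


def choose_radio(n_5g, n_2g4, start_threshold, diff_threshold):
    """Decide which radio a new dual-band STA is steered to.

    Below the start threshold 5G-prior access applies; above it the load
    difference is compared with the difference threshold, as on the page.
    """
    if n_5g + n_2g4 <= start_threshold:
        return "5GHz"
    diff = load_difference_percent(n_5g, n_2g4)
    if diff is None:
        return "5GHz"  # assumption: an empty 5 GHz radio is trivially the lighter one
    return "2.4GHz" if diff > diff_threshold else "5GHz"


def simulate_arrivals(count, start_threshold, diff_threshold):
    """Steer `count` dual-band STAs one after another; return the final (n_5g, n_2g4)."""
    n_5g = n_2g4 = 0
    for _ in range(count):
        if choose_radio(n_5g, n_2g4, start_threshold, diff_threshold) == "5GHz":
            n_5g += 1
        else:
            n_2g4 += 1
    return n_5g, n_2g4


if __name__ == "__main__":
    # Constructed thresholds: start balancing above 10 STAs, steer to 2.4 GHz
    # when the 5 GHz radio is more than 40 % heavier.
    print(choose_radio(12, 4, 10, 40))       # 66.7 % > 40 % -> 2.4GHz
    print(choose_radio(8, 6, 10, 40))        # 25 % -> 5GHz
    print(choose_radio(0, 12, 10, 40))       # quotient undefined -> 5GHz
    print(simulate_arrivals(20, 10, 40))     # (12, 8)
```

Note that a negative difference (the 2.4 GHz radio heavier) always falls below a positive threshold, so the STA goes to 5 GHz, which is the intended direction.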
• On large- and medium-sized WLANs, some APs have a large number of STAs
connected, while some other APs have a small number of STAs connected. Since
the Wi-Fi air interface provides contention-based multi-address access services,
more access STAs on the same radio cause higher contention overheads, lower
air interface throughput, and poorer user experience. This means that deploying
more APs cannot improve user experience.
• If a lightly-loaded AP does not receive any response from a STA regarding its
association requests for three consecutive times, another heavily-loaded AP will
send an association request to the STA.
• Static load balancing can be implemented when the following conditions are
met:
▫ An AP radio can join only one load balancing group. The APs in the above
figure are single-band APs. That is, each AP has only one 2.4 GHz or 5 GHz
radio. If an AP has multiple radios, traffic is load balanced among radios on
the same frequency band. This means that a dual-band AP can join two load
balancing groups.
▫ HAC: WAC in a mobility group with which a STA associates before roaming
• Intra-WAC roaming: A STA associates with the same WAC before and after
roaming.
• Inter-WAC roaming: A STA associates with different WACs before and after
roaming.
• Layer 2 roaming: When a STA moves between APs, the STA disconnects from the
currently associated AP and connects to another AP. This process is called
roaming. The service VLAN and gateway of the APs remain unchanged before
and after STA roaming.
• Layer 3 roaming: The service VLANs of the SSIDs are different before and after
roaming, and APs provide different Layer 3 service networks with different
gateways. In this case, to ensure that the IP address of a roaming STA remains
unchanged, the STA's traffic needs to be sent back to the AP on the initial access
network segment to implement inter-VLAN roaming.
• In some cases, two subnets have the same VLAN ID but belong to different
network segments. Based only on the VLAN ID, the system may incorrectly
consider that a STA roams at Layer 2 when the STA roams between two subnets.
To prevent this, a roaming domain can be configured to determine whether the
STA roams within the same subnet. A STA is considered roaming at Layer 2 only
when the STA roams within the same VLAN and the same roaming domain;
otherwise, the STA roams at Layer 3.
• Intra-WAC roaming: A STA roams between APs connected to the same WAC. As
shown in the above figure, intra-WAC roaming occurs when the STA roams from
the HAP to the FAP.
Mobility server
• When a STA roams between WACs, a WAC is selected as the mobility server to
maintain the membership table of the mobility group and delivers member
information to other WACs in the group. In this way, WACs in the same mobility
group can identify each other and set up inter-WAC tunnels.
▫ The mobility server can be a WAC outside or inside a mobility group.
▫ A WAC can function as the mobility server of multiple mobility groups, but can
be added only to one mobility group.
• In tunnel forwarding mode, service packets exchanged between the HAP and
HAC are encapsulated in the CAPWAP tunnel, and the HAP and HAC can be
considered in the same subnet. Instead of forwarding the packets back to the
HAP, the HAC directly forwards the packets to the upper-layer network.
• In direct forwarding mode, service packets exchanged between the HAP and HAC
are not encapsulated in the CAPWAP tunnel; therefore, whether the HAP and
HAC reside in the same subnet cannot be determined. Packets are sent back to
the HAP for forwarding by default. If the HAP and HAC reside in the same
subnet, the HAC with higher performance can be configured as the home agent.
This reduces traffic load on the HAP and improves data forwarding efficiency.
1. When a STA is connected to the Internet through AP1 for the first time, the STA
is authenticated by the WAC and a PMK is generated. The STA and WAC save
the PMK. Each PMK has a PMK-ID, which is calculated based on the PMK, SSID,
STA's MAC address, and BSSID.
2. During roaming, the STA sends AP2 a Reassociation Request frame that carries
the PMK-ID.
3. After receiving the Reassociation Request frame, AP2 notifies the WAC that the
STA needs to roam from AP1 to AP2.
4. The WAC searches the PMK caching table for the PMK corresponding to the STA
based on the PMK-ID in the Reassociation Request frame. If the matched PMK is
found, the WAC considers that the STA has passed 802.1X authentication and
uses the cached PMK for key negotiation.
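The four steps above amount to a cache hit on the WAC: the STA proves it still holds the PMK by presenting a PMK-ID, and the WAC skips full 802.1X only when that value matches what it computes itself. The block below is an added example modelling that check; it is not code from the page or from a WAC, the PMK-ID construction (HMAC-SHA256 over the inputs the page lists, truncated to 16 bytes) is an assumption and is not the 802.11 PMKID definition, the cache is indexed by STA MAC as a simplification, and all MAC addresses and the SSID are constructed.

```python
import hashlib
import hmac
import secrets


def mac_bytes(mac):
    """'02:00:00:00:00:11' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def pmk_id(pmk, ssid, sta_mac, bssid):
    """Model of a PMK-ID over PMK, SSID, STA MAC and BSSID (assumption: HMAC-SHA256, 16 bytes)."""
    msg = ssid.encode() + mac_bytes(sta_mac) + mac_bytes(bssid)
    return hmac.new(pmk, msg, hashlib.sha256).digest()[:16]


class WacPmkCache:
    """PMK cache held on the WAC; one PMK per authenticated STA."""

    def __init__(self, ssid):
        self.ssid = ssid
        self._pmks = {}

    def on_full_authentication(self, sta_mac):
        """802.1X succeeded on first access: a fresh PMK is generated and cached (constructed)."""
        pmk = secrets.token_bytes(32)
        self._pmks[sta_mac] = pmk
        return pmk

    def on_reassociation(self, sta_mac, target_bssid, presented_pmk_id):
        """AP2 forwarded a Reassociation Request carrying a PMK-ID.

        Returns the cached PMK for key negotiation, or None when the STA must
        go through full 802.1X again (no cache entry, or the PMK-ID does not match).
        """
        pmk = self._pmks.get(sta_mac)
        if pmk is None:
            return None
        expected = pmk_id(pmk, self.ssid, sta_mac, target_bssid)
        # Constant-time compare: the PMK-ID acts as proof of possession, not a plain index.
        if not hmac.compare_digest(expected, presented_pmk_id):
            return None
        return pmk


if __name__ == "__main__":
    wac = WacPmkCache("corp-wifi")
    sta, ap1, ap2 = "02:00:00:00:00:11", "02:aa:00:00:00:01", "02:aa:00:00:00:02"
    pmk = wac.on_full_authentication(sta)                  # first access via AP1
    roaming_id = pmk_id(pmk, "corp-wifi", sta, ap2)        # STA computes it for AP2's BSSID
    print(wac.on_reassociation(sta, ap2, roaming_id) == pmk)   # True: fast roaming
    print(wac.on_reassociation("02:00:00:00:00:99", ap2, roaming_id))  # None: full auth
```

The defender-relevant detail is the last branch: a PMK-ID that the WAC cannot reproduce is a miss, never a reason to trust the STA, so the worst case for a stale or bogus value is a slower (full) authentication.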
Intra-WAC 802.11r fast roaming:
1. When a STA is connected to the network through AP1 for the first time, the STA
is authenticated by the WAC and a PMK is generated.
▫ Based on the PMK, the WAC generates PMK-R0 (calculated based on the SSID,
MDID, WAC's MAC address, and STA's MAC address) and each AP's PMK-R1
(calculated based on PMK-R0, AP's MAC address, and STA's MAC address),
and delivers PMK-R1 to AP1.
▫ The STA and WAC generate and install a pairwise transient key (PTK) and a
group temporal key (GTK) through four-way and two-way handshakes,
respectively.
2. During roaming, the STA initiates an FT authentication request to AP2 and
delivers PMK-R1 to AP2.
3. After receiving the request, AP2 generates and installs a PTK based on PMK-R1
and information contained in the request. At the same time, AP2 starts the
reassociation timer, and sends an FT authentication response to the STA.
4. After receiving the response, the STA generates and installs a PTK based on the
information contained in the response. Then the STA sends a reassociation
request to AP2.
5. After receiving the reassociation request, AP2 stops the reassociation timer, and
then sends a reassociation response to the STA.
6. After receiving the response, the STA completes roaming.
Inter-WAC 802.11r fast roaming:
1. When a STA is connected to the network through AP1 for the first time, the STA
is authenticated by WAC1 and a PMK is generated.
▫ Based on the PMK, WAC1 generates PMK-R0 (calculated based on the SSID,
MDID, WAC1's MAC address, and STA's MAC address) and AP1's PMK-R1
(calculated based on PMK-R0, AP1's MAC address, and STA's MAC address),
and delivers PMK-R1 to AP1.
▫ The STA and WAC1 generate and install a PTK and a GTK through four-way
and two-way handshakes, respectively.
▫ WAC1 synchronizes the PMK information to WAC2 through the inter-WAC
tunnel.
▫ WAC2 generates PMK-R0 and PMK-R1 corresponding to AP2 based on the
PMK, and delivers PMK-R1 to AP2.
2. During roaming, the STA initiates an FT authentication request to AP2.
3. After receiving the request, AP2 generates and installs a PTK based on PMK-R1
and information contained in the request. At the same time, AP2 starts the
reassociation timer, and sends an FT authentication response to the STA.
4. After receiving the response, the STA generates and installs a PTK based on the
information contained in the response. Then the STA sends a reassociation
request to AP2.
5. After receiving the reassociation request, AP2 stops the reassociation timer, and
then sends a reassociation response to the STA.
6. After receiving the response, the STA completes roaming.
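Both 802.11r procedures above rest on the same key hierarchy: PMK-R0 stays on the WAC, each AP receives only its own PMK-R1, and the PTK is derived per association from PMK-R1 and the handshake data. The block below is an added example, not code from the page or a WAC implementation; it uses a single HMAC-SHA256 step with a label in place of the 802.11r KDF (an assumption), constructs the PMK, MACs, MDID and nonces, and assumes that in the inter-WAC case WAC2 derives PMK-R0 with its own MAC address, which the page does not specify.

```python
import hashlib
import hmac


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def kdf(key, label, *parts):
    """One-step HMAC-SHA256 derivation; a stand-in for the 802.11r KDF (assumption)."""
    return hmac.new(key, label.encode() + b"".join(parts), hashlib.sha256).digest()


def derive_pmk_r0(pmk, ssid, mdid, r0_holder_mac, sta_mac):
    """PMK-R0 from the PMK, SSID, MDID, WAC MAC and STA MAC, as the page lists."""
    return kdf(pmk, "PMK-R0", ssid.encode(), mdid, mac_bytes(r0_holder_mac), mac_bytes(sta_mac))


def derive_pmk_r1(pmk_r0, ap_mac, sta_mac):
    """PMK-R1 from PMK-R0, the AP MAC and the STA MAC; one per AP."""
    return kdf(pmk_r0, "PMK-R1", mac_bytes(ap_mac), mac_bytes(sta_mac))


def derive_ptk(pmk_r1, snonce, anonce, ap_mac, sta_mac):
    """PTK from PMK-R1 plus the nonces exchanged in the FT authentication frames."""
    return kdf(pmk_r1, "PTK", snonce, anonce, mac_bytes(ap_mac), mac_bytes(sta_mac))


class Wac:
    """Holds PMK-R0 per STA and hands each AP only its PMK-R1."""

    def __init__(self, mac, ssid, mdid):
        self.mac, self.ssid, self.mdid = mac, ssid, mdid
        self._pmk_r0 = {}       # sta_mac -> PMK-R0, never delivered to an AP
        self.delivered_r1 = {}  # (ap_mac, sta_mac) -> PMK-R1 that the AP received

    def on_authenticated(self, sta_mac, pmk):
        """Called after 802.1X on first access, or when a peer WAC synchronizes the PMK."""
        self._pmk_r0[sta_mac] = derive_pmk_r0(pmk, self.ssid, self.mdid, self.mac, sta_mac)

    def deliver_r1(self, ap_mac, sta_mac):
        r1 = derive_pmk_r1(self._pmk_r0[sta_mac], ap_mac, sta_mac)
        self.delivered_r1[(ap_mac, sta_mac)] = r1
        return r1


if __name__ == "__main__":
    PMK = bytes(range(32))                          # constructed
    STA, AP1, AP2 = "02:00:00:00:00:11", "02:aa:00:00:00:01", "02:aa:00:00:00:02"
    wac1 = Wac("02:cc:00:00:00:01", "corp-wifi", b"\x01\x02")
    wac1.on_authenticated(STA, PMK)
    r1_ap1 = wac1.deliver_r1(AP1, STA)              # intra-WAC: AP1 gets its PMK-R1
    wac2 = Wac("02:cc:00:00:00:02", "corp-wifi", b"\x01\x02")
    wac2.on_authenticated(STA, PMK)                 # inter-WAC: PMK synced over the tunnel
    r1_ap2 = wac2.deliver_r1(AP2, STA)              # AP2 gets a different PMK-R1
    print(r1_ap1 != r1_ap2)                         # True
    ptk = derive_ptk(r1_ap2, b"s" * 32, b"a" * 32, AP2, STA)
    print(len(ptk))                                 # 32
```

The property worth checking in a review of any such design is visible in `delivered_r1`: an AP holds PMK-R1 values for its own MAC only, so a compromised AP yields neither PMK-R0 nor the PMK-R1 of any other AP.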
• Different applications have different network requirements. Traditional WLANs
are mainly used to transmit data due to a low transmission rate.
• With the development of new WLAN technologies, WLANs have been widely
applied to media, financial service, education, and enterprise sectors. In addition
to data traffic, WLANs also transmit delay-sensitive multimedia data, such as
voice and video data.
• The UP indicates the priority of 802.11 packets. It is carried in the QoS field of the
MAC header of 802.11 packets. The UP ranges from 0 to 7. WMM defines the
mapping between ACs and UPs. WMM classifies packets into four ACs, each of
which maps to two UPs. An AP determines the AC of a data packet based on the
UP in the packet, and then forwards the packet according to the AC.
• Generally, the ACs of voice and video services in video conferences are AC_VO
and AC_VI, respectively, and the AC of voice and video services of social apps is
AC_BE.
• WMM defines a set of EDCA parameters for each AC. The following describes the
EDCA parameters:
▫ AIFSN: In 802.11 protocols, the DCF interframe space (DIFS) has a fixed value.
WMM allows configuration of different DIFS values for different ACs. A larger
AIFSN value indicates a longer waiting time for a STA.
▫ ECWmin and ECWmax: They together determine the average backoff time.
Larger ECWmin and ECWmax values mean a longer average backoff time for
a STA.
▫ TXOPLimit: determines the maximum duration in which a STA can occupy a
channel each time. A larger value indicates a longer duration. If this
parameter is set to 0, a STA can send only one packet each time it occupies a
channel.
▫ WMM defines two ACK policies: normal ACK and no ACK.
▪ The no ACK policy is applicable to environments with high communication
quality and little interference. The receiver does not need to return ACK
frames after receiving packets. The no ACK policy can effectively improve
packet transmission efficiency. However, if the no ACK policy is used in an
environment with poor communication quality, the sender does not
retransmit packets even if the receiver does not receive them. As a
result, the packet loss rate is high.
▪ The normal ACK policy indicates that the receiver must return an ACK
frame each time it receives a unicast packet.
• The AIFSN determines the channel idle time. A greater AIFSN value indicates a
longer channel idle time. Different AIFSN values can be configured for different
ACs.
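The EDCA parameters above only become tangible once they are turned into time: AIFSN sets how long a category waits after the medium goes idle, and ECWmin/ECWmax bound the random backoff that follows. The block below is an added example, not code from the page; the UP-to-AC mapping is the WMM one, but the EDCA parameter values, slot time and SIFS are assumptions (the commonly published WMM STA defaults for OFDM PHYs as I recall them) and should be checked against the device's actual configuration before being relied on.

```python
# WMM mapping: four ACs, each fed by two UPs.
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

# Assumed EDCA parameter set (WMM STA defaults as commonly published; verify on your device).
EDCA = {
    "AC_BK": {"aifsn": 7, "ecwmin": 4, "ecwmax": 10, "txop_limit_us": 0},
    "AC_BE": {"aifsn": 3, "ecwmin": 4, "ecwmax": 10, "txop_limit_us": 0},
    "AC_VI": {"aifsn": 2, "ecwmin": 3, "ecwmax": 4, "txop_limit_us": 3008},
    "AC_VO": {"aifsn": 2, "ecwmin": 2, "ecwmax": 3, "txop_limit_us": 1504},
}
SLOT_US = 9    # assumption: OFDM slot time (802.11a/g/n/ac)
SIFS_US = 16   # assumption: OFDM SIFS


def access_category(up):
    """Map the UP carried in the 802.11 QoS field to its access category."""
    if up not in UP_TO_AC:
        raise ValueError(f"UP must be 0..7, got {up!r}")
    return UP_TO_AC[up]


def aifs_us(ac):
    """Arbitration interframe space: SIFS + AIFSN slots. Larger AIFSN, longer wait."""
    return SIFS_US + EDCA[ac]["aifsn"] * SLOT_US


def contention_window(ac, retries):
    """CW after `retries` failed attempts: doubles from 2^ECWmin-1 and caps at 2^ECWmax-1."""
    ecw = min(EDCA[ac]["ecwmin"] + retries, EDCA[ac]["ecwmax"])
    return 2 ** ecw - 1


def mean_initial_access_delay_us(ac):
    """Expected wait before a first transmission attempt: AIFS plus half the initial CW."""
    return aifs_us(ac) + contention_window(ac, 0) / 2 * SLOT_US


def one_frame_per_txop(ac):
    """TXOPLimit 0 means a STA may send only one frame per channel access."""
    return EDCA[ac]["txop_limit_us"] == 0


if __name__ == "__main__":
    for ac in ("AC_VO", "AC_VI", "AC_BE", "AC_BK"):
        print(f"{ac}: AIFS={aifs_us(ac)} us, CWmin={contention_window(ac, 0)}, "
              f"mean first-access delay={mean_initial_access_delay_us(ac)} us")
    print(access_category(6), contention_window("AC_VO", 5))  # AC_VO 7 (capped by ECWmax)
```

The `contention_window` cap is the part operators most often overlook: a voice frame that keeps colliding never backs off beyond 7 slots, while a best-effort frame can grow to 1023, which is exactly how the small ECWmax for AC_VO keeps voice latency bounded under load.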
• In the uplink direction, the STA converts 802.3 frames sent by its wireless network
adapter into 802.11 frames. After receiving 802.11 frames from the STA, the AP
performs priority mapping for the 802.11 frames as follows:
• In the downlink direction, the WAC forwards 802.3 frames received from the
Internet to the AP directly or through the CAPWAP tunnel. After receiving the
802.3 frames, the AP maps the DSCP or 802.1p priorities of the 802.3 frames to
UPs of 802.11 frames and then sends the 802.11 frames to the STA.
• On a WLAN, STAs' actual packet transmission rates differ greatly due to different
radio modes supported by the STAs or radio environments where the STAs reside.
If the STAs with lower packet transmission rates occupy channels for a long time,
user experience on the entire WLAN is affected.
• To ensure that the user who accesses the network first can occupy the channel
for data transmission subsequently and all access users have the same weight for
channel occupation, the device periodically clears all users' channel occupation
time.
• After WMM is enabled on the device and STAs, user packets are scheduled based
on service types (including VI, VO, BE, and BK). For example, voice packets are
only scheduled together with other voice packets, and video packets are only
scheduled together with other video packets.
• The two application scenarios differ in service deployment. Voice or video service
optimization can be deployed only on WACs and takes effect only for services
forwarded through CAPWAP tunnels. QoS policies can be configured for
applications except voice and video applications. The SAC function can be
configured on different devices based on the data forwarding mode.
• In high-density scenarios (such as exhibition halls and stadiums), a limit is usually
imposed on the maximum number of users who can associate with a radio and
VAP so as to improve user experience. In addition, preferential access of VIP users
is deployed to ensure that new VIP users can still access the network even if the
number of access users has reached the threshold. This function improves user
experience of VIP users.
• Identification of VIP users
▫ A device identifies users in the VIP user group as VIP users. The priority field is
added to the user authorization structure. After users are added to the VIP
user group and the authorization information is delivered to the VIP user
group, users in the VIP user group inherit the priority of the VIP user group.
• Preferential access of VIP users
▫ After preferential access of VIP users is configured on a device, if the number
of access users on a VAP reaches the maximum or the user Call Admission
Control (CAC) threshold, the network access attempt of a new user will
undergo the following process: The user will first be authenticated. Then the
system checks whether the user is a VIP user in the authorization phase. If the
user is a VIP user, the system forcibly disconnects an online non-VIP user and
allows the VIP user to access the network. If the user is not a VIP user, the
system denies the user's network access attempt.
▫ In Portal authentication scenarios, priorities of users in pre-connection state
cannot be determined. These users are considered high-priority users and will
not be forcibly disconnected when VIP users attempt to access the WLAN.
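The admission rule above has two branches that are easy to get wrong in an implementation: the VIP check happens only after authentication, and Portal users still in the pre-connection state are never the ones disconnected. The block below is an added example, not code from the page or from any WAC; user records, MAC addresses and the VAP limit are constructed, and denying a VIP when every online user is itself a VIP or in pre-connection state is an assumption, since the page does not say what happens then.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    mac: str
    vip: bool = False
    state: str = "online"  # "online", or "pre-connection" for a Portal user not yet authenticated


@dataclass
class Vap:
    max_users: int
    users: list = field(default_factory=list)


def admit(vap, new_user, authenticated):
    """Admission decision for a new user on a VAP that may already be at its limit.

    Returns ("admitted", mac_of_disconnected_user_or_None) or ("denied", reason).
    """
    # The page: the user is authenticated first; VIP status is checked in authorization.
    if not authenticated:
        return ("denied", "authentication failed")
    if len(vap.users) < vap.max_users:
        vap.users.append(new_user)
        return ("admitted", None)
    if not new_user.vip:
        return ("denied", "VAP full")
    # VIP at the limit: disconnect one online non-VIP user. Pre-connection users have an
    # unknown priority, are treated as high-priority and are never selected.
    victim = next((u for u in vap.users if not u.vip and u.state == "online"), None)
    if victim is None:
        return ("denied", "no non-VIP user to disconnect")  # assumption, see lead-in
    vap.users.remove(victim)
    vap.users.append(new_user)
    return ("admitted", victim.mac)


if __name__ == "__main__":
    vap = Vap(max_users=2, users=[
        User("02:00:00:00:00:01", vip=False, state="pre-connection"),
        User("02:00:00:00:00:02", vip=False, state="online"),
    ])
    print(admit(vap, User("02:00:00:00:00:03"), authenticated=True))            # denied, VAP full
    print(admit(vap, User("02:00:00:00:00:04", vip=True), authenticated=True))  # admitted, :02 dropped
    print(admit(vap, User("02:00:00:00:00:05", vip=True), authenticated=True))  # denied, nobody evictable
```

From a detection standpoint, the `("admitted", <mac>)` return is the event worth logging: a forced disconnect of a non-VIP user is legitimate here, but a burst of them on one VAP is how you would notice a VIP group that has grown larger than the capacity it was meant to protect.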
• Preferential service guarantee for VIP users
▫ After a user is identified as a VIP user in the user authorization process:
▪ The user's services will not be rate-limited.
▪ The user's services will be scheduled preferentially.
▪ The service priority will be re-marked.
• 1. ABCD
• 2. CD
• Currently, campus networks are moving from the PC era to the cloud era. In the
PC era, campus networks are mainly used for office services and connecting
wired terminals. Campus applications are deployed locally, and terminals directly
access applications through the local campus network. Therefore, most traffic on
a campus network is transmitted from terminals to local servers. In addition,
most terminals are fixed terminals that use wired access mode, and there are
only a small number of wireless terminals.
• In the cloud era, enterprises are gradually migrating applications from their local
servers to the cloud. More and more enterprises tend to deploy applications on
public clouds, private clouds, or even hybrid clouds. This brings a great change to
the data traffic model on campus networks. Different from the PC era where
traffic is mainly transmitted within a campus, the cloud era is witnessing more
traffic from the campus egress to the cloud. The new traffic model poses new
challenges to the campus egress and WAN access side. In addition, production
applications and production terminals are widely used, making the campus
network even more important, because it must deliver a better performance in
stability, reliability, convenience, and security. As services are migrated to the
cloud and wireless terminals are growing in popularity, enterprises are now
attaching increasing importance to Wi-Fi access and user experience. Many
enterprises even propose the concept of fully-wireless, in which scenario wireless
access becomes the mainstream access mode. This tendency accelerates the
mobility of users and terminals they use, making continuous networking and
high-quality roaming experience of Wi-Fi a fundamental requirement.
• Campus networks designed for the cloud era are called cloud campus networks,
which must have the following four characteristics:
▫ Autonomous driving:
▪ With the maturity and large-scale deployment of SDN technologies, SDN is
no longer unfamiliar to enterprise users; instead, SDN support is almost a
mandatory consideration when they build a new campus network. On
a cloud campus network, SDN must be supported over the wired switching
network (that is, LAN), WAN, and WLAN. SDN eliminates the need to
manage, operate, or maintain a network using traditional network
management and O&M methods; instead, it enables network service
provisioning and network policy deployment to be carried out in a
centralized and simplified manner.
▪ Cloud campus networks also support AI-based intelligent O&M, making
networks more intelligent. For example, trends or faults can be predicted
based on historical network data. In addition, users' network experience
must be visualized on cloud campus networks. For example, if a Wi-Fi
experience problem is detected, the customer journey needs to be displayed
in an end-to-end manner, or intelligent analysis needs to be provided to
illustrate why: Is the poor user experience caused by problems in the access
authentication process or address assignment process? What are possible
root causes and the corresponding solutions? Suggestions must be provided
in all these aspects.
• To address the problems faced by the traditional network architecture, Huawei
launched the simplified "Solar System" network architecture. With this
architecture, network deployment and operations become more efficient, and the
entire network becomes more intelligent and eco-friendly.
• A central switch functions as the RU manager, and the RUs work as the extended
ports of the central switch. RUs can go online in zero touch provisioning mode.
This distributed access model looks like stars and asteroids in galaxies. That is
why we call it the "Solar System" network architecture.
• iMaster NCE-Campus is a web-based centralized management and control
system used in the CloudCampus Solution. It delivers a wide range of functions,
including network service management, network security management, user
access management, network monitoring, network quality analysis, network
application analysis, alarm management, and report management. It also
provides big data analytics capability and open application programming
interfaces (APIs) that facilitate integration with other platforms. On iMaster NCE-
Campus, enterprise users can perform service configuration and routine O&M,
thereby centrally managing large numbers of devices.
• For details about iMaster NCE-Campus, see the iMaster NCE-Campus Product
Documentation, available at https://support.huawei.com/enterprise/en/network-
management-and-analysis-software/imaster-nce-campus-pid-250852420/doc.
• In the following part of this course, iMaster NCE-Campus will be abbreviated as
iMaster NCE.
• As-Is: current situation. To-Be: ideal state in the future.
• In the big data era, the traditional specified rule-based O&M methods can no
longer meet users' network O&M requirements, and the lack of automatic O&M
capabilities becomes increasingly prominent. This urgently calls for intelligent
O&M that can use a large amount of data generated on the network to improve
the O&M efficiency.
• After customers input their network intents on the cloud, the cloud recommends
a network solution and generates the corresponding solution package. Customers
can import the solution package to the controller deployed in any form. Equipped
with an intent parsing engine, the controller then automatically parses the
solution package and deploys a network as planned. This cloud-premise synergy
implements one-click deployment, which improves the deployment efficiency,
reduces controller learning costs, and minimizes manual configuration errors and
workloads of configuring large networks.
• On a large multi-service campus network, a campus network usually needs to
carry multiple services at the same time, and data of different services needs to
be isolated from each other. The CloudCampus VXLAN-based virtualized campus
network solution can meet these requirements.
• In this solution, a network consists of underlay and overlay. Underlay is the
underlying bearer network that implements basic connectivity between network-
wide devices and provides connection capabilities for the upper-layer overlay
service network. Overlay is a logical network (virtual network) abstracted from
the underlay. Users can create multiple virtual networks (VNs), such as OA VN
and R&D VN. These VNs are isolated from each other and all VN data is
encapsulated using VXLAN when being forwarded on the underlay network.
• To ensure that overlay service data can be properly forwarded on the network, IP
addresses and routing protocols must be configured on underlay network devices
such as physical switches. The CloudCampus Solution provides a complete set of
automation solutions, in which devices support plug-and-play. This means that
an administrator can complete network planning on iMaster NCE first, and
devices can then automatically obtain configurations after they are onboarded.
Alternatively, an administrator can onboard devices first, and then complete
network configuration on iMaster NCE. iMaster NCE can also automatically
complete IP address and routing protocol configuration of the underlay network
without manual intervention.
• CloudCampus uses virtualization technologies to divide the network layer into the
physical network (underlay) and virtual network (overlay). Overlay is a virtual
network built on top of a physical network using virtualization technologies. This
solution applies to higher education, government campus, commercial building,
and other scenarios where VNs need to be created to isolate multiple services or
tenants.
• Multi-purpose network:
▫ Virtual Extensible LAN (VXLAN): VXLAN is the key to campus network
virtualization. It encapsulates a data packet received from a source host
into a UDP packet, encapsulates the IP and MAC addresses used on the
physical network in the packet outer header, and then sends the packet
over an IP network. The VXLAN tunnel endpoint (VTEP) then decapsulates
the packet and sends it to the destination host.
▫ BGP EVPN: In the initial VXLAN solution (RFC 7348), no control plane is
defined. Instead, VXLAN tunnels are manually configured and host
addresses are learned through traffic flooding. Although the flood-and-
learn approach is simple, it causes a large amount of flooded traffic on the
network and makes the network difficult to expand. To address these
problems, Ethernet Virtual Private Network (EVPN) is introduced as the
VXLAN control plane. By referring to the BGP/MPLS IP VPN mechanism,
EVPN defines several types of BGP EVPN routes by extending BGP. It
advertises routes on the network to implement automatic VTEP discovery
and host address learning.
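As an added example (not part of the course material), the following Python code builds and parses the VXLAN-in-UDP encapsulation described above according to RFC 7348. The inner frame, VTEP addresses and VNI values are constructed sample data; the receive-side VNI allow-list models a VTEP dropping frames for VNs it is not provisioned for, which is where the isolation between VNs actually happens.

```python
"""VXLAN (RFC 7348) encapsulation and decapsulation, with a VNI check on receipt.
Added example; sample addresses, VNIs and the inner frame are constructed."""
import socket
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field carries a valid VNI
IPV4_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)


def _ip_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                      src_port: int = 49152) -> bytes:
    """Wrap a tenant Ethernet frame in outer IPv4 + UDP + VXLAN headers.
    The outer addresses are the VTEPs on the underlay; the tenant's own
    MAC/IP addresses stay inside and are invisible to the underlay."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header layout: flags(8) | reserved(24) | VNI(24) | reserved(8)
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    # RFC 7348 allows a zero UDP checksum for VXLAN over IPv4
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    fields = [0x45, 0, 20 + udp_len, 0, 0x4000, 64, socket.IPPROTO_UDP, 0,
              socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep)]
    fields[7] = _ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + udp_hdr + vxlan_hdr + inner_frame


def vxlan_decapsulate(packet: bytes, allowed_vnis=None):
    """Return (src_vtep, vni, inner_frame). Raises ValueError for anything that is
    not well-formed VXLAN, or whose VNI this VTEP is not provisioned for.
    Note that VXLAN itself carries no authentication: isolation rests entirely
    on VTEPs honouring the VNI, so an unknown VNI must be dropped, not guessed."""
    if len(packet) < 36 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl + 16 > len(packet) or _ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header length or checksum")
    if packet[9] != socket.IPPROTO_UDP:
        raise ValueError("outer transport is not UDP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet):
        raise ValueError("truncated packet")
    packet = packet[:total_len]  # drop any trailing link-layer padding
    dst_port, udp_len = struct.unpack("!HH", packet[ihl + 2:ihl + 6])
    if dst_port != VXLAN_UDP_PORT or udp_len < 16 or ihl + udp_len > total_len:
        raise ValueError("not a VXLAN UDP datagram")
    flags_word, vni_word = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    vni = vni_word >> 8
    if allowed_vnis is not None and vni not in allowed_vnis:
        raise ValueError("VNI %d not provisioned on this VTEP, frame dropped" % vni)
    inner = packet[ihl + 16:ihl + udp_len]
    return socket.inet_ntoa(packet[12:16]), vni, inner


def vtep_accepts(packet: bytes, allowed_vnis) -> bool:
    """True if a VTEP provisioned with allowed_vnis would deliver the inner frame."""
    try:
        vxlan_decapsulate(packet, allowed_vnis)
        return True
    except ValueError:
        return False


def sample_frame() -> bytes:
    """Constructed inner Ethernet frame: two locally administered MACs,
    an IPv4 EtherType and a short payload; only its bytes matter here."""
    return (bytes.fromhex("02001122aa01") + bytes.fromhex("02001122aa02")
            + b"\x08\x00" + b"tenant payload")


if __name__ == "__main__":
    pkt = vxlan_encapsulate(sample_frame(), 100, "10.0.0.1", "10.0.0.2")
    print(vxlan_decapsulate(pkt, {100, 200}))  # R&D VN (VNI 100) is delivered
    print(vtep_accepts(pkt, {200}))            # a VTEP with only the OA VN drops it
```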
• The free mobility solution allows a user to obtain the same network access policy
regardless of the user's location and IP address change on a campus network.
When configuring a policy, the administrator does not need to pay attention to IP
address ranges of different users, but only needs to focus on the logical access
relationships between users and servers.
• Different from traditional IP address-based ACLs, free mobility is a user
language-based solution that logically divides different types of network objects
with distinct permissions into different security groups. Each security group maps
one user type or one server type. An administrator can define security groups to
describe and organize the sources or destinations of network traffic. Security
group planning determines the number of security groups to be created.
• OPEX means the operating expense, which is the sum of the maintenance cost,
marketing expense, labor cost, and depreciation expense during the enterprise
operations.
• Application identification: Application identification is a technology that identifies
the enterprise application to which network traffic belongs based on the
characteristics of the traffic. Enterprise applications have varying requirements on
link quality as well as corresponding optimization measures. Applications must be
identified before application experience assurance measures can be applied.
▫ Subnet reachability verification: You can select a snapshot and verify the
reachability between subnets in the snapshot.
▫ Terminal access verification: You can select a snapshot and verify network
reachability for a terminal in the snapshot.
• Big data-based calibration leverages historical big data analytics results and uses
intelligent algorithms to implement intelligent radio calibration, optimizing signal
coverage and load transmission efficiency at the edge of an area.
• CSS/iStack can be used with Eth-Trunk to form a logical tree topology. This
simplified network topology prevents Layer 2 loops and improves network
reliability.
• Remote modules (RUs) work as expansion ports of a central switch, and are
configuration- and maintenance-free. RUs are centrally managed by the central
switch.
• RUs can automatically discover the topology through the XLDP protocol.
• Networking mode reliability: The entire series can run the spanning tree protocol
to prevent loops caused by unauthorized devices.
• User access security: RU ports support isolation and non-isolation modes, which
can be flexibly selected based on the site scenario (by default, an RU port works
in non-isolation mode).
• Conventionally, switches and APs are connected using twisted pairs, which can
function as media for PoE power supply to APs and data transmission between
switches and APs. However, as Wi-Fi technologies continue to develop, they pose
increasingly higher requirements on cable performance. For example, as Wi-Fi 6
is commercially used on a large scale, it requires the cable to deliver up to 10
Gbit/s bandwidth. The future-oriented Wi-Fi 7 standards further require the cable
to deliver a maximum of 40 Gbit/s bandwidth while supporting PoE power supply
to APs over long distances. In most cases, APs are installed in complex
environments and require PoE power supply over a distance of more than 100 m.
In some special scenarios, the power supply distance will be much longer. For
example, APs in some stadiums require 300 m or even longer-distance power
supply. The conventional twisted pairs, however, can only support PoE power
supply over a distance of up to 100 m. All of this proves that hybrid cables are
the best choice for connecting switches and APs.
• A hybrid cable incorporates optical fibers and copper cables, meeting both data
transmission and power supply requirements of devices. This is why hybrid cables
are typically used to connect switches and APs or RUs on campus networks. As
future-proof WLAN technologies, such as Wi-Fi 6 and Wi-Fi 7, gain momentum,
the conventional twisted pairs cannot keep pace with the bandwidth needs of
these technologies. Not only this, optical fibers cannot be used for PoE power
supply. This is where the hybrid cable comes in. As introduced above, a hybrid
cable incorporates optical fibers and copper wires within the same jacket. It
transmits data signals through optical fibers and electrical signals through copper
wires, enabling long-distance power supply while ensuring high-speed data
transmission. You may be wondering why hybrid cables support long-term
bandwidth evolution and long-distance PoE power supply, but twisted pairs and
optical fibers do not.
• In the CloudCampus Solution, the virtualized campus network sub-solution allows
a user network to be used for multiple purposes. One network for multiple
purposes, or multi-purpose network, means that a physical network carries a
variety of services (such as office and R&D services), and virtualization
technologies are used to create multiple logically isolated VNs on top of the
physical network, each for an independent service.
• On a large- or medium-sized campus network, the virtualization solution may be
used to decouple services from the network, so as to build a multi-purpose
network and achieve flexible, fast service deployment without changing the
network infrastructure. Using such a solution means that the virtualized campus
network architecture must be different from the traditional network architecture.
The virtualized campus network sub-solution uses the VXLAN technology to
encapsulate and logically isolate service data. The entire network can be divided
into two layers: physical network (underlay) and virtual network (overlay). The
underlay network provides basic connection services for the campus network. The
overlay network is built on top of the physical network using virtualization
technologies.
• The centralized SDN controller, iMaster NCE, manages network-wide devices in a
unified manner, builds models based on the network topology, and deploys the
underlay and overlay networks through the GUI. The entire process is
automatically completed by iMaster NCE. After a virtual network is built, service
policies can be configured based on users or service units. For example, users and
resources can be divided into groups, based on which mutual access control can
be implemented. Service policy provisioning can be configured on the GUI of
iMaster NCE, which can automatically deliver the configurations.
• The multi-campus interconnection solution is a sub-solution provided in the
CloudCampus Solution for the interconnection between branch campuses and
between branches and the HQ or DCs. With SD-WAN functions integrated, the
multi-campus interconnection solution provides two models for WAN
interconnection: static IPsec VPN and EVPN-based VPN.
▫ An IPsec VPN is a type of static VPN, in which IPsec tunnels are established
between devices at different sites to create VPN channels. Traffic is diverted
to the VPN tunnels based on the configured static network segments so
that service traffic between sites is transmitted through IPsec VPN tunnels.
• Load balancing-based traffic steering: If an enterprise has multiple links, you can
configure load balancing-based traffic steering to fully utilize link bandwidth.
During service forwarding, the devices can select different links for different
applications based on link weights, thereby improving the bandwidth utilization.
• Application priority–based traffic steering: If multiple types of service packets are
transmitted on the same link, traffic of high-priority applications is preferentially
processed in the case of congestion, ensuring user experience of high-priority
applications. For example, voice, video, and file transfer services are carried over
an MPLS link. If the link bandwidth is insufficient, traffic of voice and video
services is preferentially transmitted to guarantee the service experience.
2. False
• From the perspective of functions, the overall architecture of Huawei SD-WAN
Solution consists of the network layer, control layer, and management layer.
These layers are associated with each other through standards-compliant
interfaces and communication protocols.
▫ Control layer: The controller works with the distributed control component
to advertise routes between different sites in a region, implementing inter-
region network interconnection.
▫ Network layer: The overlay technology is used together with cost-effective
network devices to connect branches, HQ, and the cloud platform, thereby
achieving on-demand full-network connectivity by fully leveraging all types
of links such as the Internet and traditional private lines.
• Multiple RRs can be deployed under a tenant and are fully meshed on the control
plane.
• A gateway's role varies depending on the service scenario. For example, a
gateway connecting SD-WAN sites to legacy sites is an interworking gateway
(IWG). A gateway connecting SD-WAN sites to a cloud is called a cloud gateway.
In addition, gateways can provide other functions. A gateway that connects Point
of Presence (PoPs) for building a PoP network is referred to as a PoP gateway.
• The same IP address or domain name must be configured for the active and
standby controller clusters in the northbound and southbound directions.
• The administrator accesses the controller through the domain name (based on
the DNS record) or IP address, and the network uses BGP to control access
traffic.
• ZTP: Multiple ZTP modes are available to enable CPEs to quickly register with
iMaster NCE.
• Forwarding-control separation, achieving flexible networking: CPEs establish
management channels with iMaster NCE through NETCONF, and iMaster NCE
delivers configurations to CPEs to establish IP overlay tunnels.
• Application optimization, making services controllable and visible: The service
awareness technology is used to identify applications. TCP flow performance
measurement (FPM) and IP FPM technologies are used to implement
application-based quality measurement. The IP FPM technology can also be used
for link quality measurement. Smart policy routing (SPR) implements intelligent
link switchover based on the application quality.
• Data channel:
▫ Data channels are established between CPEs.
▫ Data is forwarded over GRE or GRE over IPsec data tunnels. The extended
GRE header carries VN IDs to differentiate tenants or departments, so that
data of multiple VNs can be transmitted over the same data tunnel.
• A TNP is a WAN port connecting a CPE to a transport network. Key information
of a TNP includes the site ID, CPE router ID, transport network ID, public IP
address, private IP address, and tunnel encapsulation mode.
• For details about SA and SPR, refer to HA Technologies.
• Improvement of the 5G link value
• ABC
• Hello, everyone. I'm an MO from NCE-Campus. Today, I'd like to introduce NCE-
Campus.
• iMaster NCE-Campus is Huawei's next-generation autonomous driving network
management and control system for campus networks. It is a platform that
integrates management, control, and analysis. It covers the four phases of
network planning, construction, maintenance, and optimization, helping
enterprises reduce OPEX and O&M costs and accelerating enterprise
cloudification and digital transformation.
• After completing this course, you will be able to understand the positioning of
NCE (Campus) on a campus network, overall architecture, overall capabilities,
and application scenarios of NCE-Campus.
• The introduction is divided into nine parts, covering the overall solution and
the main application scenarios and deployment modes of iMaster NCE (Campus).
• First, let's look at the overall CloudCampus solution. The bottom-up architecture
of the solution includes the network layer and governance. The network layer
consists of CE switches, APs, firewalls, and NetEngine ARs. For details about
device capabilities, see device documents. At the application layer, the APIs
provided by NCE (Campus) interconnect with external application platforms to
provide applications for various industries. iMaster NCE mainly implements
automatic deployment and intelligent O&M of wired, wireless, and WAN
networks at the management and control layer.
• As the network management and control layer, the controller covers four
network construction phases: planning, construction, maintenance, and
optimization. It provides network management, policy control, data, and fault
analysis capabilities, including automatic SDN network delivery and intelligent
analysis capabilities.
These are the related functional features.
• So which scenarios can use Campus? Everything from ordinary single-campus
network connectivity and user authentication, to large multi-service campuses
with complex networks and many buildings, to multi-branch SD-WAN interconnection
and backbone services such as NE can be managed, which is why we call it a
full-scenario converged controller.
This is the campus network management panorama, including planning, construction,
maintenance, and optimization.
• In the planning part, wireless and wired networks are planned using other tools.
NCE-Campus plans network resources, such as VLANs and VNIs.
• The main focus is network construction, including network deployment and policy
provisioning. The network deployment layer is divided into four aspects: small-scale
campus, medium- and large-scale campus, LAN-WAN interconnected campus, and
automatic virtual network provisioning. Policy provisioning focuses on access
authentication, VIP experience assurance, and SD-WAN policies.
• In terms of O&M and optimization, the capabilities of eSight network are
integrated, so routine network monitoring is provided, including terminal,
topology, alarm, and WAN monitoring. Routine maintenance is convenient and
includes device upgrade, inspection, reports, and system O&M. Intelligent O&M is
provided by integrating NCE-CampusInsight through SSO.
• Next, let's look at six typical application scenarios.
• Basic capabilities: network management and access authentication.
• Experience improvement capabilities: free mobility and terminal management.
• SDN capabilities: one network for multiple purposes and LAN-WAN convergence.
• Next, let's talk about network device management.
In terms of network resource planning, NCE (Campus) uses preset models to
implement automatic networking and service design for small-scale simple-service
campus networks.
It is used to improve the deployment efficiency of multi-branch sites. It not only
eliminates command lines, but also eliminates complex page configurations.
The application scenario is a simple service campus with multiple branches. The
networking is simple, but the number of sites is large and the service model is the
same. For example, retail stores, hotel chains, and general education. The current
version supports pre-configuration for medium- and large-sized stores.
Based on scenario-based experience, automatic preconfiguration of a single site
takes only 5 minutes, and templates can be directly applied to multiple sites in
batches.
Let's take a look at how it's done.
• Step 1: Four common scenarios are preset: office, retail, general education,
and user-defined. Customers can select a scenario based on their business
intent.
• Step 2: NCE-Campus uses a collaborative recommendation algorithm to map the
business intent precisely to a network.
• Step 3: Network models such as the topology and device model selection are
recommended precisely for the business intent.
• The preceding solution solves the network planning of a single campus. When
there are multiple campuses, we provide batch capabilities. A customer defines a
campus template that can be replicated to N similar campuses to implement fast
network provisioning.
• This is a graphical operation and configuration web page. Customize a
deployment template in two steps.
• To ensure the accuracy of network provisioning and adjustment, we provide the
intelligent verification capability.
• Compare snapshots before and after the configuration.
• Comprehensive network connectivity is verified through inter-subnet access
verification.
• The network environment is 100% mathematically modeled so that terminal access
permissions can be simulated and verified precisely in real time, making the
network secure and trustworthy.
• The ultimate goal is "zero" errors in service rollout and changes.
• In terms of device monitoring, IP devices are monitored from seven dimensions:
basic information, event logs, locations, tools, resources, fault alarms, and entry
query. View the version, online and offline time, running status, network
connectivity, resource usage, and alarm information to comprehensively
understand the running status of the device.
• NCE (Campus) supports device upgrade. Users can upload device upgrade
software packages and patches, and specify upgrade policies such as the
download time, restart time, and upgrade mode. After the policies are set,
devices are upgraded automatically. Users can view the upgrade status in real
time, including upgrade completion status and status statistics, and can cancel
an upgrade or upgrade again. Because all of this is managed graphically,
problems caused by manual upgrade operations are significantly reduced.
• NCE (Campus) fully integrates the authentication capabilities of the Agile
Controller-Campus, supports built-in RADIUS and Portal servers, and supports
802.1X authentication, Portal authentication, and MAC address authentication. It
also supports interconnection with external social media such as QQ, Sina Weibo,
WeChat, Facebook, and Twitter. Different from the original authentication system,
NCE-Campus has lower requirements on the network. Portal authentication can
be performed across the Internet, eliminating the need for intranet access and
further improving network adaptability. In addition, Passcode and PPSK
authentication capabilities are added.
• In terms of fine-grained policy control, NCE-Campus filters on 5W1H policy
conditions, matching the user identity, access location, access time, terminal
type, device attributes, and access mode, so that the specific user can be
matched more precisely. Based on this user information, fine-grained permission
control is configured, covering permissions, bandwidth, QoS, applications,
security, and other aspects. For example, permissions can be matched by VLAN,
ACL, free mobility security group, and VIP user, and for bandwidth the uplink
and downlink bandwidth, DSCP, and so on can be set. Through multiple policy
conditions and fine-grained permission assignment, fine-grained control of user
policies is achieved.
• At the same time, the system provides a portal page editor and provides multiple
controls. You can add controls to the customized page by dragging them.
Currently, nine pages can be customized. Note that the original version does not
support full-screen countdown ads and video controls. This feature is fully
supported in the new version. The Portal page editor can meet the customization
requirements of most projects. The customer has no learning cost. Therefore, the
Portal page editor can meet the requirements of quick customization of
personalized pages.
• Supports full-lifecycle guest management. For example, when we go to a
restaurant, we need to use a wireless network and log in to the network through
an SMS verification code for authentication. This is a guest.
• The biggest difference between guest accounts and employee accounts is that
guest accounts are temporary and need to be reclaimed and cleared periodically.
NCE (Campus) manages guest accounts in terms of registration, approval,
distribution, authentication, audit, and deregistration. Guests can apply for
registration by themselves or employees. After the registration is approved, the
accounts are delivered through SMS messages, emails, or information is
displayed on the registration success page. Multiple authentication modes are
supported. In addition, the system automatically saves guest login and logout
information, automatically deregisters guests, and periodically deletes accounts.
• Let's look at the terminal monitoring content. With more than 20 indicators,
the terminal access status is displayed in full, such as the user IP address, MAC
address, online duration, packet loss rate, uplink and downlink rates,
signal-to-noise ratio, and retransmission rate. From this information, you can
view the usage status of a terminal connected to the network in real time and
see whether the terminal is working well or has a problem.
• In addition, the system provides statistical analysis and terminal behavior analysis
capabilities to collect statistics on the number of online users, traffic, network
connection information, and application statistics at a site. Note that the
application statistics are not based on a single terminal, but on the entire site. On
the terminal behavior analysis page, you can view the access quantity statistics
and passenger traffic trend information, and analyze the passenger traffic to
distinguish the access and stay duration of visitors, passers-by, and employees,
providing first-hand analysis data for subsequent management and marketing.
With the maturity and promotion of wireless network and remote access
technologies, the office location of enterprise employees can be no longer limited to
fixed physical locations. Allowing employees to access the office from any location
will improve the efficiency of collaborative work throughout the enterprise.
In the context of free mobility and random access, how to ensure that employees'
experience (such as forwarding priorities and bandwidths) and security (such as
network access rights and security policies) remain consistent wherever they go
is a major challenge for enterprises and the problem that free mobility needs to
resolve.
NCE (Campus) supports free mobility, allowing users to access networks anytime
and anywhere, ensuring consistent service policies and network experience.
• Let's first look at the journey that free mobility has gone through. Free
Mobility 1.0 was launched in 2014 to implement group policy control, but it had
many requirements: authentication points and policy points could not be
separated, cross-gateway groups were isolated from each other, firewalls had to
be bypassed, and third-party networking was not compatible. Free Mobility 2.0
was launched in 2018. It supports region-specific policy settings and VXLAN
networking, but is still not compatible with third-party networking. In 2020,
Free Mobility 3.0 used the IP-Group capability to separate authentication points
from policy points and is compatible with third-party networks.
Why do enterprises need the IP-Group capability? In IP-Group mode, NCE (Campus)
periodically synchronizes the association between user IP addresses and groups
to switches. All switches supporting free mobility on the entire network can
know the association, separating authentication points from policy points. To
reduce the entry synchronization load, you can set which devices require
synchronization and which do not.
Why does the IP-Group synchronization capability make free mobility applicable to
a wide range of scenarios?
With the IP-Group capability, authentication and policy enforcement no longer
have to take place on Huawei devices, so hybrid networking with third-party
devices is supported. In the scenario where ME60s coexist on college and
university networks, the ME60s can be used as authentication points and S series
switches as policy enforcement points. This highlights the role of switches on
the network and resolves the problem that control traffic must detour through
firewalls in cross-gateway networking.
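The IP-Group synchronization and group-based enforcement described above, as an added example that is not part of the course and does not use any iMaster NCE-Campus API: the controller learns IP-to-group bindings from authentication events and pushes them only to the policy points selected for synchronization, and a user who roams to a new IP address gets the same verdicts. Users, IP addresses, security groups, device names and the group policy matrix are constructed sample data; all class and method names are hypothetical.

```python
"""Simulation of free mobility with IP-Group synchronisation.
Added example; all names and sample data are constructed, not a vendor API."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Matrix = Dict[Tuple[str, str], bool]  # (source group, destination group) -> permit


@dataclass
class PolicyPoint:
    """A switch that enforces group policy on the traffic it forwards.
    It knows only the IP -> group bindings the controller synchronised to it."""
    name: str
    ip_to_group: Dict[str, str] = field(default_factory=dict)
    matrix: Matrix = field(default_factory=dict)

    def receive_sync(self, bindings: Dict[str, str], matrix: Matrix) -> None:
        self.ip_to_group = dict(bindings)
        self.matrix = dict(matrix)

    def permit(self, src_ip: str, dst_ip: str) -> bool:
        """Decision by security group, never by IP range. An IP without a
        binding (not authenticated, not synced, or logged out) is denied."""
        src = self.ip_to_group.get(src_ip)
        dst = self.ip_to_group.get(dst_ip)
        if src is None or dst is None:
            return False
        return self.matrix.get((src, dst), False)


class Controller:
    """The controller's IP-Group role: it learns IP -> group bindings from
    authentication points (which may be non-Huawei devices) and periodically
    pushes them to the policy points that need them."""

    def __init__(self, matrix: Matrix, sync_targets: Set[str]) -> None:
        self.matrix = matrix
        self.sync_targets = sync_targets       # devices that require the entries
        self.bindings: Dict[str, str] = {}     # ip -> security group
        self.policy_points: Dict[str, PolicyPoint] = {}

    def register(self, pp: PolicyPoint) -> None:
        self.policy_points[pp.name] = pp

    def add_static_binding(self, ip: str, group: str) -> None:
        """Servers keep fixed IPs, so their group membership is configured statically."""
        self.bindings[ip] = group

    def on_authenticated(self, ip: str, group: str) -> None:
        """Authorization result reported by the authentication point."""
        self.bindings[ip] = group

    def on_logout(self, ip: str) -> None:
        """Revoke the binding so a later holder of the IP inherits nothing."""
        self.bindings.pop(ip, None)

    def synchronise(self) -> None:
        """The periodic push; devices outside sync_targets keep their old table."""
        for name, pp in self.policy_points.items():
            if name in self.sync_targets:
                pp.receive_sync(self.bindings, self.matrix)


def build_demo() -> Controller:
    # Constructed sample data: two user groups, two server groups, three switches.
    matrix = {("RD", "RD_SERVER"): True, ("OA", "OA_SERVER"): True,
              ("OA", "RD_SERVER"): False, ("RD", "OA_SERVER"): False}
    ctl = Controller(matrix, sync_targets={"edge-1", "edge-2"})
    for name in ("edge-1", "edge-2", "legacy-3"):   # legacy-3 is not synced
        ctl.register(PolicyPoint(name))
    ctl.add_static_binding("10.10.0.10", "RD_SERVER")
    ctl.add_static_binding("10.20.0.10", "OA_SERVER")
    return ctl


def roaming_decisions(ctl: Controller):
    """An R&D user authenticates in building 1, then roams to building 2 and
    receives a new IP. Returns (verdicts before, verdicts after, stale, unsynced)."""
    ctl.on_authenticated("10.1.1.5", "RD")
    ctl.synchronise()
    e1, e2, legacy = (ctl.policy_points[n] for n in ("edge-1", "edge-2", "legacy-3"))
    before = (e1.permit("10.1.1.5", "10.10.0.10"), e1.permit("10.1.1.5", "10.20.0.10"))
    ctl.on_logout("10.1.1.5")
    ctl.on_authenticated("10.2.2.7", "RD")
    ctl.synchronise()
    after = (e2.permit("10.2.2.7", "10.10.0.10"), e2.permit("10.2.2.7", "10.20.0.10"))
    stale = e1.permit("10.1.1.5", "10.10.0.10")        # old IP no longer bound
    unsynced = legacy.permit("10.2.2.7", "10.10.0.10")  # never received entries
    return before, after, stale, unsynced


if __name__ == "__main__":
    print(roaming_decisions(build_demo()))  # ((True, False), (True, False), False, False)
```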
• Different from other networks, a campus network has various types of terminals.
It is common for different terminals to access different networks and obtain
different permissions. For example, mobile phones can connect to the Internet
but cannot connect to the office network, and computers can only connect to the
office network. Terminal management and policy division are time-consuming
and labor-intensive. Therefore, NCE (Campus) provides the plug-and-play
function for terminals.
The terminal plug-and-play function is based on terminal type identification.
NCE-Campus has a built-in terminal fingerprint database, the most comprehensive
in the industry, and identifies the terminal type, operating system, and other
information from the terminals' packets on the network.
• It provides four capabilities that improve network security: terminal
identification (who am I), authentication and authorization (what can I do),
traffic statistics (what have I done), and spoofing detection (have I been
replaced).
• Currently, the terminal update and iteration speed is fast. Some new
terminals are not in our fingerprint database. So how should we deal with
this type of terminal? This requires the terminal AI clustering recognition
technology.
• Let's first look at the specific networking. On a multi-service campus
network, there are two important roles, the border and edge devices, which can
be compared to the spine and leaf structure of a data center network. Likewise,
a virtual VXLAN network is formed between the border and edge devices. What
distinguishes Huawei's solution from other vendors' is that the edge device is
an expanded concept rather than the simple aggregation capability of the
traditional solution: the edge can connect downstream to access switches (the
scenario on the left), directly to user terminals (the scenario in the middle),
or to APs (the scenario on the right), which is very flexible. In the left
scenario with downstream access switches, if the access-layer devices are
Huawei devices, policy association can be implemented, delegating control to
the access layer. In the right scenario with downstream APs, the APs do not
need to support VXLAN, so existing APs can be fully reused. Depending on the
location of the L3 gateway, there are two solutions, centralized gateway and
distributed gateway, and the choice is made according to the actual project
requirements.
• How compatible is the solution with third-party devices? Look at the figure: the
colored devices represent other vendors' devices. Only the border and edge devices
must be Huawei devices. All the others, including the egress routers and firewalls,
the transmission devices between the border and edge, the access switches, the
wireless APs, and the WACs, can come from other vendors. In a network
reconstruction, the existing devices can therefore be fully reused. Note, however,
that if third-party devices are used at the access layer, Huawei's policy linkage
with the edge devices is not available; port isolation must instead be configured
manually on the access devices. Third-party wireless APs and ACs must be statically
deployed into the virtual network and must use local forwarding.
• In the virtual network, services are isolated at two levels. At the macro level,
the virtual networks (VNs) are logically isolated by nature and cannot communicate
with each other; policy is enforced mainly by the switch or firewall at the border
node. At the micro level, inside each VN, free mobility divides user permissions:
different user groups have different access rights, and whether two user groups
can access each other is configurable; policy is enforced by the edge (aggregation)
switch. Together, the two levels of isolation provide logical isolation between
network policies and fine-grained control of user permissions, giving the network
stronger security assurance.
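The IP-group synchronization passage above and the two-level isolation passage just described share one enforcement model: a border check on VN membership, then an edge check that maps the packet's addresses to user groups through the table the controller synchronized and consults a group-to-group matrix. The following added example (not NCE-Campus or switch code) models that decision path; the VN names, subnets, groups and IP-group entries are constructed for illustration.

```python
"""Two-level policy enforcement model, as an added example (not NCE-Campus
code). VN names, subnets, groups and the IP-group entries are constructed."""
import ipaddress


class PolicyPoint:
    """A switch acting as both border (VN isolation) and edge (group policy).

    vns:          {vn_name: [subnet, ...]}                   -- macro level
    group_matrix: {(src_group, dst_group): "permit"|"deny"}  -- micro level
    The IP-to-group table starts empty; sync_ip_group() stands in for the
    periodic push from the controller.
    """

    def __init__(self, vns, group_matrix, default_action="deny"):
        self.vns = {name: [ipaddress.ip_network(s) for s in nets]
                    for name, nets in vns.items()}
        self.group_matrix = dict(group_matrix)
        self.default_action = default_action
        self.ip_group = {}  # ip_address -> group name

    def sync_ip_group(self, entries):
        """Replace the local IP-group table with the controller's view.

        A full replace (not update) is used so that an address released by
        one user and later handed to another does not keep the old group."""
        self.ip_group = {ipaddress.ip_address(ip): grp
                         for ip, grp in entries.items()}

    def vn_of(self, ip):
        for name, nets in self.vns.items():
            if any(ip in net for net in nets):
                return name
        return None

    def decide(self, src_ip, dst_ip):
        """Return (action, reason) for a flow from src_ip to dst_ip."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)

        # Level 1 (border): traffic never crosses a VN boundary.
        src_vn, dst_vn = self.vn_of(src), self.vn_of(dst)
        if src_vn is None or dst_vn is None:
            return "deny", "address not in any VN"
        if src_vn != dst_vn:
            return "deny", f"cross-VN {src_vn}->{dst_vn} blocked at border"

        # Level 2 (edge): inside the VN, the synchronised IP-group table maps
        # each address to a user group and the group matrix is consulted.
        src_grp, dst_grp = self.ip_group.get(src), self.ip_group.get(dst)
        if src_grp is None or dst_grp is None:
            # Unknown address: the user never authenticated, or this switch
            # was excluded from synchronisation. Fail closed.
            return "deny", "no IP-group entry on this enforcement point"
        action = self.group_matrix.get((src_grp, dst_grp), self.default_action)
        return action, f"{src_grp}->{dst_grp} matched at edge"


def build_demo_point():
    """Constructed sample: two VNs, three groups, one synced table."""
    point = PolicyPoint(
        vns={"office": ["10.1.0.0/16"], "guest": ["10.2.0.0/16"]},
        group_matrix={("staff", "server"): "permit",
                      ("staff", "staff"): "permit",
                      ("contractor", "server"): "deny"},
    )
    point.sync_ip_group({
        "10.1.1.10": "staff",
        "10.1.1.11": "contractor",
        "10.1.2.20": "server",
        "10.2.0.5": "guest",
    })
    return point


if __name__ == "__main__":
    p = build_demo_point()
    for flow in [("10.1.1.10", "10.1.2.20"), ("10.1.1.11", "10.1.2.20"),
                 ("10.2.0.5", "10.1.2.20"), ("10.1.1.99", "10.1.2.20")]:
        print(flow, p.decide(*flow))
```

Two practitioner points the model makes visible: an address with no IP-group entry is denied rather than permitted, and the decision is only as good as the last synchronization, which is why excluding a switch from synchronization (as the passage allows) must be done only for switches that never enforce group policy.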
• Now let's look at how NCE-Campus automates the construction of multi-branch
campus networks.
• The NCE-Campus multi-campus interconnection automation solution covers physical
network deployment automation and service policy provisioning automation. It
provides fast initial deployment of network devices, automatic provisioning and
management of policies, and intelligent application-based traffic steering. A
single management platform integrates the user interface, and end-to-end
configuration is streamlined, which doubles management efficiency and lowers
deployment costs.
Two typical scenarios exist for multi-campus interconnection. One is direct
interconnection over IPsec VPN, where data is transmitted encrypted to improve
transmission security. Both ARs and firewalls are supported; currently firewalls
are used in this mode. Full-mesh and hub-spoke topologies are supported. Third-party
devices can be interconnected, and intelligent traffic steering is based on packet
loss and delay; note that in this case link selection is not application-aware.
• Multi-branch interconnection, that is, LAN-WAN convergence, is configured in four
steps. The NCE-Campus web UI provides a guide page; follow it for the
configuration. Step 1 is WAN egress interconnection: configure the WAN topology,
the inter-site tunnels, and so on. Step 2 is the LAN (campus) configuration inside
the headquarters and each branch, set up according to actual needs, including
SSIDs and switch ports. Step 3 is to set the LAN-WAN interface routes so that LAN
and WAN services can reach each other. Step 4 is to set the WAN-side traffic
policies, such as intelligent link selection and local Internet access. With these
four steps, the LAN-WAN interconnection service is provisioned.
• For routine monitoring, monitoring information is presented end to end. On the
terminal side, it shows how terminals are accessing the network, for example the
online duration and packet loss rate. On the device side, it shows the version,
interfaces, running status, alarm statistics, and alarm clearing, as well as the
health of the devices at the site and the device topology. On the WAN side, it
shows WAN links and WAN application information. Note that LAN-WAN convergence
must be configured before WAN-side capabilities can be displayed.
• Site and topology monitoring provides unified monitoring of device health,
details, device status, and WAN statistics. The topology shows IP+POL device
information, including network connections, device information, and link
information, and you can jump from the topology directly to the detailed
monitoring page of an individual device.
• The inspection (PMI) capability integrates the expert experience library that
Huawei has built over many years of data communication network inspections to
detect potential network problems. Note that only the MSP administrator level can
perform this operation. When the inspection completes, an inspection report is
generated in which you can view the basic status of the devices on the current
network together with problem analysis and descriptions. Based on the suggestions
in the report, you can adjust the network in time and prevent problems from
occurring.
In addition, NCE-Campus provides comprehensive O&M of itself, covering system
monitoring, fault diagnosis, and backup and restoration, so that problems in the
system can be handled quickly with minimal impact on services.
• System monitoring supports:
▫ Node monitoring: monitors the status of each node in the NCE-Campus cluster.
▫ Service monitoring: monitors service resources.
▫ Middleware monitoring: monitors key middleware indicators.
▫ Business monitoring: monitors key product business indicators.
• Fault diagnosis supports:
▫ Fault diagnosis: fault prediction, fault analysis, matching against historical
problems, and resource change queries.
▫ Health check: checks and evaluates the hardware, operating system, database,
network, and services.
▫ Data collection: collects fault data by fault scenario, by microservice, or by
directory.
• Backup and restoration includes:
▫ Backup: manual or scheduled backup of product data, applications, and database
applications.
▫ Restoration: restores the database, applications, product data, and so on.
• For deployment, NCE supports direct deployment on physical machines and
virtualized deployment. The recommended options, in order of preference, are
installation on x86 servers with the EulerOS operating system bundled with the
software, and virtualization on x86 servers with the bundled EulerOS operating
system installed in the virtual machines.
• NCE-Campus can be deployed in several modes. How do we choose the mode that
suits a customer?
• As the figure below shows, the choice is driven mainly by the number of managed
devices, the number of access authentication users, and whether advanced
controller capabilities are required, such as LAN-WAN convergence, terminal
plug-and-play, and SRv6.
• Answer: ABCD
• In the following part of this course, iMaster NCE-CampusInsight will be
abbreviated as CampusInsight.
• Answer: ABCD
• The detailed drawing of the coverage area must be available.
• The number of access users provides reference for determining the number of
access STAs.
• Areas with little coverage demand are not covered. Typical examples are
bathrooms, staircases, equipment rooms, and archive rooms.
• Generally, the received signal strength on both bands must be above –65 dBm for
indoor coverage and above –70 dBm for outdoor coverage.
• Place the test AP (as the signal source) at a proper position and power on it.
Keep a certain distance between the AP and the obstacle and ensure that there is
no blocking between them. Do not place the AP too close to the obstacle. This is
because the signal strength fluctuates greatly near the signal source, which
affects the test accuracy.
• Use a signal scanning tool to test the field strength on both sides of the obstacle.
The signal attenuation of the obstacle is the difference between the field
strength values obtained on both sides.
• For example, as shown in the figure above, deploy a Fat AP as the test AP. The
field strength values of 2.4 GHz and 5 GHz signals are both –50 dBm at test
point 1, but –60 dBm and –65 dBm respectively at test point 2. Therefore, the
signal attenuation of the obstacle is 10 dB at 2.4 GHz and 15 dB at 5 GHz.
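The obstacle test above yields the penetration loss of one obstacle per band, and the planning notes later in this chapter say that the transmission attenuation of 2.4 GHz and 5 GHz must be calculated separately. The following added example (not Huawei planning-tool code) carries measured obstacle losses through a simple link budget and checks the predicted field strength against the –65 dBm indoor and –70 dBm outdoor thresholds quoted earlier. The free-space path-loss model and the EIRP, distance and obstacle values are assumptions for illustration; real values come from the AP product documentation and the site survey.

```python
"""Obstacle attenuation and link-budget check, as an added example (not
Huawei planning-tool code). The free-space path-loss model, the sample
measurements and the numeric inputs are assumptions stated below."""
import math


def obstacle_attenuation_db(rssi_near_dbm, rssi_far_dbm):
    """Attenuation of an obstacle = field strength before it minus after it."""
    return rssi_near_dbm - rssi_far_dbm


def free_space_path_loss_db(distance_m, freq_mhz):
    """Standard free-space path loss, distance in metres, frequency in MHz:
    FSPL = 20*log10(d) + 20*log10(f) - 27.55. Using this model is an
    assumption; the page only says attenuation is computed per band."""
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def predicted_rssi_dbm(eirp_dbm, rx_gain_dbi, distance_m, freq_mhz,
                       obstacle_losses_db=()):
    """EIRP + receiver gain - path loss - sum of obstacle penetration losses.
    eirp_dbm already includes transmit power and transmit antenna gain."""
    return (eirp_dbm + rx_gain_dbi
            - free_space_path_loss_db(distance_m, freq_mhz)
            - sum(obstacle_losses_db))


# Coverage thresholds quoted on the page (both bands, indoor / outdoor).
RSSI_THRESHOLD_DBM = {"indoor": -65.0, "outdoor": -70.0}


def meets_coverage(rssi_dbm, environment="indoor"):
    return rssi_dbm >= RSSI_THRESHOLD_DBM[environment]


def plan_point(eirp_dbm, rx_gain_dbi, distance_m, obstacles, environment="indoor"):
    """Evaluate one test point on both bands.
    obstacles: list of {"2.4": loss_db, "5": loss_db}, each obtained from
    obstacle_attenuation_db(). Band centre frequencies are assumed."""
    result = {}
    for band, f_mhz in (("2.4", 2437.0), ("5", 5500.0)):
        losses = [o[band] for o in obstacles]
        rssi = predicted_rssi_dbm(eirp_dbm, rx_gain_dbi, distance_m, f_mhz, losses)
        result[band] = (round(rssi, 1), meets_coverage(rssi, environment))
    return result


if __name__ == "__main__":
    # Constructed measurements matching the worked example on the page.
    wall = {"2.4": obstacle_attenuation_db(-50, -60),   # 10 dB
            "5": obstacle_attenuation_db(-50, -65)}     # 15 dB
    # Assumed AP: 20 dBm EIRP, 0 dBi STA antenna, STA 20 m away behind the wall.
    print(plan_point(20.0, 0.0, 20.0, [wall]))
```

The output shows why the two bands are evaluated separately: with the same wall and distance, the 2.4 GHz signal still clears the indoor threshold while the 5 GHz signal, which suffers both higher path loss and higher penetration loss, does not.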
• SISO
▫ In SISO, there is a single path between the TX antenna and the RX
antenna. Such transmission is unreliable and rate limited. To address this,
more antennas are added on the receiver (STA) so that two or more copies of
the signal can be received concurrently, that is, single-input multiple-
output (SIMO).
• SIMO
▫ There are two paths between the TX antenna and the RX antennas. The data is
sent from the same TX antenna, so only one signal is transmitted, but it is
received over two independent paths, which improves reliability. This mode is
also known as receive diversity.
• MISO
▫ There are two paths between the TX antennas and the RX antenna. Only one
RX antenna exists, so the TX antennas can send only the same data along the
two paths. The effect is similar to that of SIMO. This mode is also known as
transmit diversity.
• MIMO
▫ MIMO technology allows multiple antennas to send and receive spatial
streams (multiple signals) simultaneously and to distinguish the signals sent
to or received from different spatial paths. By leveraging spatial
multiplexing (SM) and spatial diversity (SD), MIMO boosts system capacity,
coverage, and SNR without increasing the occupied bandwidth.
• Example antenna from the figure: 27013721 omnidirectional antenna, 2400–2500 MHz
and 5150–5850 MHz, 4/7 dBi, linear polarization, 5 W, N-male, without mounting
parts (H: omnidirectional; V: 30°/15°)
▫ In normal cases, the length of an Ethernet cable cannot exceed 100 m due to
signal attenuation. In actual projects, Ethernet cables are often used to supply
power to APs. If an Ethernet cable is longer than 80 m, the network quality
will be affected. Therefore, it is recommended that the length of Ethernet
cables in actual projects do not exceed 80 m.
• The azimuth and downtilt of an antenna can be adjusted based on the mounting
bracket.
▫ 2. ABD
• A leader AP cannot be deployed together with a WAC. If a WAC is deployed on
the network, it is recommended that the leader AP be switched to the Fit mode
and be managed by the WAC.
• A leader AP can manage Fit APs running the same VxxxRxxxCxx version as itself
and Fit APs of the earlier two R versions. For example, a leader AP running
V200R020C10 can manage Fit APs running V200R010C00.
• Leader AP is an extended Fat AP mode. If an AP works in Fit mode, you need to
switch its working mode to the Fat mode, restart the AP, and restore its factory
settings.
• Obtain the Huawei Wi-Fi 6 Leader AP Technology White Paper from
https://e.huawei.com/en/material/networking/campus-
network/wlan/4ae75e7ea95a4da0b5567e0f3bbe8ecf.
• A leader AP functions like a WAC. In independent networking, the NCE
management platform is not used, and the leader AP can manage only a small
number of Fit APs. In the cloud management architecture, NCE manages APs in a
unified manner. One AP is elected as a leader AP that provides WAC functions
and implements roaming. The specifications of the leader AP are higher than
those in independent networking. The management specifications are as follows
in ascending order: Leader AP + APs < NCE + APs < WAC + APs. The configuration
management capability of the leader AP in independent networking is different
from that of NCE.
• A leader AP cannot connect to iMaster NCE-CampusInsight or eSight.
• The Fat AP architecture is also called autonomous network architecture. It does
not require a dedicated device for centralized control, and can implement
functions such as wireless user access, service data encryption, and service data
packet forwarding.
• The increase in the WLAN coverage area and the number of access users requires
more and more Fat APs. No unified control device is available for these
independently working Fat APs. Therefore, it is difficult to manage and maintain
the Fat APs. For example, to upgrade the software version of APs, you must
upgrade each Fat AP separately, which is time-consuming and labor-intensive.
The Fat AP architecture cannot meet the roaming requirements of STAs in a
larger coverage area. Additionally, the Fat AP architecture cannot support
complex services, such as priority policy control based on different data types of
network users.
• In Layer 3 networking, the WAC and Fit APs are located in different network
segments, making the configuration complex. The intermediate network must
ensure that the WAC and Fit APs are reachable to each other. Additional
configurations are required to enable the Fit APs to discover the WAC. Layer 3
networking is suitable for large- and medium-sized networks. For example, on a
large campus network, APs are deployed in each building for wireless coverage,
and the WAC is deployed in the core equipment room for unified management
and control. In this case, a complex Layer 3 network must be deployed between
the WAC and Fit APs. When the WAC and APs are connected through a Layer 3
network and the APs discover the WAC in DHCP or DNS mode (the WAC
functioning as a DHCP server), the devices between the WAC and APs must
support the DHCP relay function.
• In-path networking:
▫ CAPWAP management tunnels are established between the WAC and APs,
through which the WAC centrally manages and controls the APs. Service data
of wireless users can be forwarded between the WAC and APs over CAPWAP
data tunnels (in tunnel forwarding mode) or be directly forwarded by APs (in
direct forwarding mode).
▫ Since the WAC is deployed in in-path mode, the direct forwarding mode is
used in most cases and users' service data is forwarded by APs.
• Off-path networking:
▫ The WAC manages the APs, and management flows are encapsulated and
transmitted over CAPWAP tunnels. Service data flows can either be forwarded by
the WAC over CAPWAP data tunnels or be forwarded to the upper-layer network by
the aggregation switch without passing through the WAC.
▫ The APs deployed within the management scope of the aggregation switch
are managed by the WAC connected to the aggregation switch in off-path
mode. The WACs are centrally deployed. This networking mode applies to
scenarios where APs are scattered across hot spots.
▫ The off-path networking mode rarely changes the existing network structure
and can be deployed quickly. The direct or tunnel forwarding mode can be
selected according to networking requirements. Tunnel forwarding is
recommended for most enterprise networks, which is commonly used for
overlay network deployment.
• In direct forwarding mode, the AP converts wireless users' service data from
802.11 frames into 802.3 frames, which are then forwarded by the upstream
aggregation switch.
• The WAC only manages APs, and service data is directly forwarded. Management
flows of APs are encapsulated in CAPWAP tunnels and terminated on the WAC.
Service flows of APs are forwarded directly to the switching devices without
being encapsulated in CAPWAP tunnels.
• This forwarding mode is commonly used. Wireless users' service data does not
need to be processed by the WAC, which removes the bandwidth bottleneck and lets
the existing security policies on the wired network apply to wireless traffic.
This forwarding mode is therefore recommended for integrated network deployment.
• Local forwarding of data packets
▫ The WAC only manages APs, and service data is directly forwarded.
Management flows of APs are encapsulated in CAPWAP tunnels and
terminated on the WAC. Service flows of APs are directly forwarded to
switching devices without being encapsulated in CAPWAP tunnels.
• Centralized forwarding of data packets
▫ Service data packets are encapsulated by APs and then transmitted to the
WAC for forwarding. The WAC manages the APs and forwards traffic of APs.
Management flows and data flows are encapsulated in CAPWAP tunnels and
then transmitted to the WAC.
• A local AC occupies four AP management licenses on the Navi AC.
• When a large enterprise deploys a WLAN to provide access services for
employees, the WLAN also needs to provide wireless access services for guests.
However, guest data may pose security threats to the network. To solve this
problem, Huawei provides the Navi AC networking architecture. With this
architecture, the enterprise can divert guest traffic to the Navi AC in the DMZ for
centralized management, thereby implementing security isolation between
employees and guests.
• HSB service backup in real time involves backup of the following information:
▫ User data information
▫ AP entries
▫ Unified O&M: All cloud managed NEs are monitored and managed on the
cloud management platform in a unified manner.
▫ Tools: Cloud solutions usually provide various tools on the cloud, reducing the
OPEX. For example, Huawei CloudCampus Solution provides end-to-end cloud
tools, such as the CloudCampus APP.
• iMaster NCE-Campus is Huawei's cloud management platform and a core
component of Huawei CloudCampus Solution. It centrally manages Huawei
network devices, such as APs, ARs, switches, and firewalls. iMaster NCE-Campus
not only implements unified multi-tenant management, plug-and-play of
network devices, and batch deployment of network services, but also provides
APIs for interconnection with third-party platforms to expand more VASs.
• Cloud APs have the same core algorithm logic for radio calibration as traditional
WACs. To be specific, APs detect and collect information about neighboring
radios and interference, and report the information to the calibration computing
engine. After the computing is complete, the calibration computing engine
delivers the allocated channel and power configuration to each AP.
• Different from the traditional network where the calibration computing engine is
deployed on the WAC, the cloud managed network has the calibration
computing engine deployed on the leader AP.
• Radio calibration of cloud APs depends on the leader AP elected in the AP group.
The number of APs that the leader AP can manage is limited and varies
according to the AP model. For example, the AP4050DN-E can manage a
maximum of 50 APs and the AP6050DN can manage a maximum of 128 APs. If
the number of APs exceeds the management capability of the leader AP, network
planning is required. Management VLANs need to be planned for AP grouping.
When there are a large number of APs in a management VLAN, the APs are
automatically divided into multiple groups.
• Radio calibration is performed on a WLAN in a continuous area. Therefore, it is
recommended that APs be grouped by area, such as by floor, to ensure that APs
in a group are in the same area. This maximizes the calibration effect.
• Roaming neighbor: An AP detects neighboring APs through the air interface. If
two APs at the same site use the same SSID, they can detect each other and are
roaming neighbors to each other. (An AP can have up to 64 roaming neighbors.)
• Each AP establishes CAPWAP control tunnels with its roaming neighbors through
wired links for transmitting roaming information.
• When a STA goes online on AP1, AP1 synchronizes the STA's MAC address to all
its roaming neighbors (such as AP2). The roaming neighbors save the STA's MAC
address. When the STA goes offline or roams, the MAC address is changed
accordingly.
• When the STA roams from AP1 to AP2, AP2 searches the roaming table to
determine whether the STA is a roaming STA and the AP from which it roams.
After obtaining the information about the AP from which the STA roams, AP2
obtains the STA information (such as the VLAN ID, IP address, authentication
result, and authorization group) from the AP and generates a user entry.
• After the STA roams to AP2, AP2 notifies its neighboring APs of the STA
information so that the STA can roam from AP2 to another AP. AP1 instructs its
neighbors to delete the STA information.
• The APs through which a STA roams are on the same Layer 2 network. After the
STA roams to a new AP, the AP can directly forward the STA's packets.
• Roaming neighbor: An AP detects neighboring APs through the air interface. If
two APs at the same site use the same SSID, they are roaming neighbors to each
other. The link establishment and STA information synchronization processes in
Layer 3 roaming are the same as those in Layer 2 roaming.
• HAP selection: The HAP is selected among the neighboring APs in the same
service VLAN. Multiple APs can be selected as the HAPs to prevent the STA's
traffic from being sent back to the same AP after Layer 3 roaming, which may
cause a performance bottleneck.
• When the STA goes online on an AP, the AP selects an HAP among its Layer 2
neighbors (in the same service VLAN) for the STA using the hash algorithm.
When the STA roams at Layer 3, the STA's traffic is sent to the HAP through the
tunnel.
• When the STA roams, the HAP obtains the STA information from the original AP,
including the HAP information of the STA. If the STA roams at Layer 3, the new
AP establishes a CAPWAP data tunnel with the HAP. The STA's traffic is sent back
to the HAP selected when the STA goes online.
• Each time the STA roams at Layer 3, the STA establishes a tunnel with the
original HAP. No matter where the STA roams, its traffic is sent back to the
initially selected HAP.
• If the STA roams back to the original Layer 2 domain, the HAP information is still
migrated with the roaming entry. However, the STA's traffic does not need to be
forwarded to the HAP, and can be directly forwarded by the new AP.
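The Layer 2 and Layer 3 roaming notes above describe a small distributed protocol: neighbor discovery, MAC synchronization at go-online, context transfer on roaming, neighbor notification and deletion, and the hash-based HAP choice that anchors traffic after a Layer 3 roam. The following added example (not Huawei AP firmware) simulates those steps so the state on each AP can be inspected at every stage. AP names, VLANs, addresses, the authorization group carried in the STA entry, and the use of SHA-256 as the HAP hash are constructed assumptions.

```python
"""Simulation of roaming-neighbor synchronisation and HAP selection as
described above (added example, not Huawei AP firmware). AP names, VLANs,
addresses and the hash used for HAP selection are constructed."""
import hashlib
from dataclasses import dataclass

MAX_ROAMING_NEIGHBORS = 64  # per-AP limit quoted on the page


@dataclass
class StaEntry:
    mac: str
    vlan: int            # service VLAN at go-online time
    ip: str
    authz_group: str     # authorization result carried along on roaming
    hap: str             # home AP anchoring traffic after Layer 3 roaming


class AP:
    def __init__(self, name, ssid, vlan):
        self.name, self.ssid, self.vlan = name, ssid, vlan
        self.neighbors = set()     # roaming neighbors (same site, same SSID)
        self.roam_table = {}       # STA MAC -> AP the STA is currently on
        self.users = {}            # STAs online on this AP


class Site:
    def __init__(self):
        self.aps = {}

    def add_ap(self, ap):
        # Air-interface discovery: APs at the same site with the same SSID
        # become roaming neighbors, subject to the 64-neighbor cap.
        for other in self.aps.values():
            if (other.ssid == ap.ssid
                    and len(other.neighbors) < MAX_ROAMING_NEIGHBORS
                    and len(ap.neighbors) < MAX_ROAMING_NEIGHBORS):
                other.neighbors.add(ap.name)
                ap.neighbors.add(other.name)
        self.aps[ap.name] = ap

    def select_hap(self, ap, mac):
        # Hash the STA over the Layer 2 neighbors in the same service VLAN
        # (serving AP included) so HAP load is spread across APs.
        candidates = sorted([ap.name] + [n for n in ap.neighbors
                                         if self.aps[n].vlan == ap.vlan])
        digest = int(hashlib.sha256(mac.encode()).hexdigest(), 16)
        return candidates[digest % len(candidates)]

    def sta_online(self, ap_name, mac, ip, authz_group):
        ap = self.aps[ap_name]
        entry = StaEntry(mac, ap.vlan, ip, authz_group, self.select_hap(ap, mac))
        ap.users[mac] = entry
        ap.roam_table[mac] = ap_name
        for n in ap.neighbors:               # neighbors learn the STA's MAC
            self.aps[n].roam_table[mac] = ap_name
        return entry

    def roam(self, mac, new_ap_name):
        """Return (entry, forwarding_ap), or None if the STA is not a roaming STA."""
        new_ap = self.aps[new_ap_name]
        old_ap_name = new_ap.roam_table.get(mac)
        if old_ap_name is None or old_ap_name == new_ap_name:
            return None                      # unknown STA: must authenticate anew
        old_ap = self.aps[old_ap_name]
        entry = old_ap.users.pop(mac)        # fetch VLAN/IP/authz/HAP from old AP
        new_ap.users[mac] = entry
        # Old AP tells its neighbors to forget the STA; new AP then announces it.
        old_ap.roam_table.pop(mac, None)
        for n in old_ap.neighbors:
            self.aps[n].roam_table.pop(mac, None)
        new_ap.roam_table[mac] = new_ap_name
        for n in new_ap.neighbors:
            self.aps[n].roam_table[mac] = new_ap_name
        # Layer 3 roaming (service VLAN differs): tunnel traffic back to the
        # HAP chosen at go-online time. Back in the home VLAN: forward locally.
        forwarding_ap = entry.hap if new_ap.vlan != entry.vlan else new_ap_name
        return entry, forwarding_ap
```

The simulation makes two security-relevant details explicit: the new AP applies the authorization group it received from the old AP rather than re-authenticating, so the synchronization channel between APs carries authorization state and deserves the same protection as the CAPWAP control tunnel it runs over; and a MAC that no neighbor has in its roaming table is treated as a new user, not as a roamer.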
• Note:
Customer flow analysis requires APs to periodically report STA information
(such as the MAC address, IP address, access AP, SSID, and signal strength) to
iMaster NCE. Therefore, you need to enable the function of reporting STA
locations in the settings of the site where the APs reside on iMaster NCE.
Because this data identifies individual terminals and their movements, disable
the function if collecting it would conflict with the customer's data security
or privacy requirements.
By default, customer flow analysis is performed by site. To check customer
flow analysis results of some devices at a site, mark APs with tags. One AP can
be marked with multiple tags to facilitate result check from different
dimensions. For example, in shopping mall A, an AP at the entrance of store B
can be marked with the tag A/B/entrance. AP check and terminal behavior
analysis can then be performed based on such tags.
Huawei CloudCampus Solution for small- and medium-sized campus networks
can be interconnected with third-party terminal behavior management
software to provide more detailed services such as terminal profiling and
behavior analysis. This solution provides APIs for interconnection. Third-party
software can adapt to the APIs to provide customer behavior analysis based
on big data for commercial promotion. If necessary, contact Huawei engineers.
• In the IoT field, Huawei WLAN builds a pipe-based technology platform and
ecosystem to fully leverage advantages of IoT partners, implement multi-network
convergence, and maximize benefits for customers.
Huawei IoT cloud APs provide pipe-layer capabilities. Specifically, they provide
standard Mini PCIe expansion slots and USB ports for connecting to IoT
modules, and provide uplink data channels.
Partners provide access-layer capabilities. Specifically, they provide IoT cards
that comply with Huawei's port specifications and connect to Huawei IoT
cloud APs through Mini PCIe ports or USB ports.
Partners provide terminal-layer capabilities, including tags and wristbands, to
interact with IoT cards.
Huawei IoT cloud APs only forward uplink and downlink data of IoT cards, but
do not process data of specific IoT service protocols.
• Compared with traditional IoT solutions, Huawei Wi-Fi & IoT convergence
solution offers the following advantages:
IoT base stations and APs are deployed at the same site, and the Wi-Fi and IoT
networks are converged, facilitating site planning and power supply while
reducing deployment costs.
APs provide uplink data channels for a unified entry and unified management,
simplifying deployment.
APs provide pipe-layer capabilities, providing high flexibility and scalability.
• As new technologies such as IoT, big data, cloud computing, and AI are applied
across industries, enterprises are undergoing digital transformation in their
operation and production models. Enterprise campus networks that bridge the
physical and digital worlds face new challenges. To meet the requirements of
increasing data and applications, campus networks must be deployed more
simply and quickly, run more securely and reliably, and be more intelligent in
management and O&M. To cope with the impact and challenges brought by
digital transformation to campus networks and adapt to the development trend
of future campus networks, Huawei proposes a next-generation campus network
architecture — CloudCampus network architecture. The core concepts of the
CloudCampus network architecture include ultra-broadband, simplicity,
intelligence, security, and openness. It is hoped that these concepts can help
network professionals understand future trends of campus networks.
• Devices report KPI information to the WLAN Maintaining Insight (WMI) server
for analysis and monitoring.
• BC
• If outdoor APs are used to provide indoor coverage, WLAN signals may be
blocked by obstacles made of different materials, such as glass, brick walls, or
wooden doors. In this case, penetration loss of these obstacles must be taken into
account for evaluating the link budget to ensure the signal strength in indoor
coverage areas.
• Select an obstacle to be tested, which can be a typical indoor obstacle or an
obstacle made of uncertain materials. If necessary, test the signal attenuation of
the ceiling and floor.
• Before planning a project, communicate with the customer to determine the
WLAN coverage areas based on the onsite environment and drawings.
• Key coverage areas include office areas and meeting rooms.
• The classification of coverage areas must be confirmed with the customer and
marked on the drawing provided by the customer for subsequent WLAN planning.
• For details about antenna gain, see the AP product documentation.
• The transmission attenuation values of 2.4 GHz and 5 GHz signals need to be
calculated separately.
• The maximum number of concurrent STAs (single-radio) is calculated assuming
that the radio works on the 5 GHz frequency band.
• The maximum number of concurrent STAs (dual-radio) is calculated assuming
that one radio works on the 2.4 GHz frequency band and the other on the 5 GHz
frequency band.
• The maximum number of concurrent STAs (triple-radio) is calculated assuming
that one radio works on the 2.4 GHz frequency band and the other two on the 5
GHz frequency band.
• The table above describes the specifications of an AP (802.11ax, 8x8 MIMO,
HE20). For details about other specifications, see the WLAN Planning
Specifications.
• The specifications in the following slides are based on this kind of AP and assume
that STAs conform to 802.11ax and support dual spatial streams.
• The total number of people refers to the total number of users connected to the
WLAN in this scenario (number of access users).
• Concurrency rate x Total number of access users = Number of concurrent users,
which is the number of users on the WLAN that are transmitting data at the
same time.
• The concurrency rate is usually an empirical value.
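The capacity notes above give the concurrent-user formula and say that the maximum number of concurrent STAs is evaluated per radio. The following added example (not Huawei's WLAN Planning Specifications) turns that into an AP-count estimate that checks both the per-radio STA limit and the per-radio throughput needed for the target per-user rate, and takes the larger result. The per-radio figures, the band split and the sample inputs are assumptions; real values come from the planning table for the AP model, band and channel width in use.

```python
"""AP count estimate from access users, concurrency rate and per-radio
limits, as an added example (not Huawei's WLAN Planning Specifications).
The per-radio figures below are assumptions, not values from the page."""
import math

# Assumed per-radio figures for one dual-radio AP (illustrative only).
RADIO_SPECS = {
    "2.4GHz@HT20": {"max_concurrent_stas": 20, "usable_mbps": 60.0},
    "5GHz@HT40":   {"max_concurrent_stas": 40, "usable_mbps": 250.0},
}


def concurrent_users(total_users, concurrency_rate):
    """Concurrency rate x total access users = number of concurrent users."""
    if not 0 < concurrency_rate <= 1:
        raise ValueError("concurrency rate must be in (0, 1]")
    return math.ceil(total_users * concurrency_rate)


def aps_required(total_users, concurrency_rate, per_user_mbps, radios, band_share):
    """Smallest AP count that satisfies both the STA limit and the throughput
    need on every radio. band_share maps radio name -> fraction of the
    concurrent users expected on that radio (shares should sum to 1)."""
    n_conc = concurrent_users(total_users, concurrency_rate)
    worst = 0
    detail = {}
    for radio, share in band_share.items():
        spec = radios[radio]
        users = math.ceil(n_conc * share)
        by_stas = math.ceil(users / spec["max_concurrent_stas"])
        by_rate = math.ceil(users * per_user_mbps / spec["usable_mbps"])
        detail[radio] = {"users": users, "by_stas": by_stas, "by_rate": by_rate}
        worst = max(worst, by_stas, by_rate)
    return worst, detail


if __name__ == "__main__":
    # Constructed scenario: 300 access users, 50% concurrency, 4 Mbit/s each,
    # a quarter of the concurrent STAs on 2.4 GHz and the rest on 5 GHz.
    split = {"2.4GHz@HT20": 0.25, "5GHz@HT40": 0.75}
    print(aps_required(300, 0.5, 4.0, RADIO_SPECS, split))
```

Running it with a higher per-user rate shows the binding constraint moving from the STA limit to the throughput limit on the 2.4 GHz radio, which is the case the planning table alone does not make obvious.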
• EIRP: Effective Isotropic Radiated Power
▫ Query the available channels in the channel compliance table, and confirm
with the customer.
▫ For example, in China, channels 1, 6, and 11 are available on the 2.4 GHz
frequency band.
▫ Channels 149, 153, 157, 161, and 165 are available on the 5 GHz frequency
band.
▫ Some channels may be reserved in different countries or regions. Therefore,
confirm available channels before planning.
• Avoid co-channel interference.
▫ Do not use the same channel on two neighboring APs in any direction.
▫ In the case of multiple floors, avoid overlapping with channels of APs at the
same or adjacent floors.
▫ If channel overlapping cannot be avoided, reduce AP power to minimize the
overlapping areas.
• Cabling design rules:
▫ In normal cases, the length of an Ethernet cable cannot exceed 100 m due
to signal attenuation. In actual projects, Ethernet cables are often used to
supply power to APs. If an Ethernet cable is longer than 80 m, the network
quality will be affected. Therefore, it is recommended that the length of
Ethernet cables in actual projects do not exceed 80 m.
• Experience rate: the target rate that can be achieved in 95% of the coverage
area, measured with SpeedTest on a lightly loaded network where the channel
utilization is below 20%.
• Service-assured rate: the rate guaranteed under a heavy network load.
• 2.4 GHz @ HT20 indicates that the 2.4 GHz frequency band uses 20 MHz
bandwidth, and 5 GHz @ HT40 indicates that the 5 GHz frequency band uses 40
MHz bandwidth.
• B, A, and C
• Sticky STAs: Some STAs are insensitive to roaming and stay associated with the
original AP even if the AP has poor signal quality and an AP with better signal
quality is available. This phenomenon is called stickiness and these STAs are
called sticky STAs.
• Before planning a project, communicate with the customer to determine the
WLAN coverage areas based on the onsite environment and drawings.
• Key coverage areas include dorm rooms, libraries, classrooms, lobbies, meeting
rooms, offices, and exhibition halls.
• The classification of coverage areas must be confirmed with the customer and
marked on the drawing provided by the customer for subsequent WLAN
planning.
• For details about antenna gain, see the AP product documentation.
• The transmission attenuation values of 2.4 GHz and 5 GHz signals need to be
calculated separately.
• The maximum number of concurrent STAs (single-radio) is calculated assuming
that the radio works on the 5 GHz frequency band.
• The maximum number of concurrent STAs (dual-radio) is calculated assuming
that one radio works on the 2.4 GHz frequency band and the other on the 5 GHz
frequency band.
• The maximum number of concurrent STAs (triple-radio) is calculated assuming
that one radio works on the 2.4 GHz frequency band and the other two on the 5
GHz frequency band.
• The table above describes the specifications of an AP (802.11ax, 8x8 MIMO,
HE20). For details about other specifications, see the WLAN Planning
Specifications.
• The specifications in the following slides are based on this kind of AP and assume
that STAs conform to 802.11ax and support dual spatial streams.
• The total number of people refers to the total number of users connected to the
WLAN in this scenario (number of access users).
• Concurrency rate x Total number of access users = Number of concurrent users,
which is the number of users on the WLAN that are transmitting data at the
same time.
• The concurrency rate is usually an empirical value.
• EIRP: Effective Isotropic Radiated Power
▫ Query the available channels in the channel compliance table, and confirm
them with the customer.
▫ For example, in China, channels 1, 6, and 11 are the non-overlapping channels
used on the 2.4 GHz frequency band.
▫ Channels 149, 153, 157, 161, and 165 are available on the 5 GHz frequency
band.
▫ Some channels are reserved or restricted in particular countries or regions.
Therefore, confirm the available channels before planning.
• Avoid co-channel interference.
▫ Do not use the same channel on two neighboring APs in any direction.
▫ In the case of multiple floors, avoid overlapping with channels of APs at the
same or adjacent floors.
▫ If channel overlapping cannot be avoided, reduce AP power to minimize the
overlapping areas.
• Local power supply is inconvenient, and exposed power cables bring safety and
security risks.
• PoE modules (injectors) remove the need for a local power supply, but add a
potential point of failure and are hard to maintain.
• PoE supply from the access switch simplifies installation and provides
convenient, stable, and secure power.
• Hybrid copper-fiber cable (hybrid cable for short): Data is transmitted over the
optical fiber in the hybrid cable, and power over its copper conductors, which
connect to an electrical port on the switch. The power supply distance can
reach 200 m.
Advantages: one-off cabling, low cost, and long service life; applicable to long-
distance power supply scenarios that exceed the PoE distance limit.
Disadvantages: Hybrid optical-electrical switches are required, which are costly.
Optical modules are expensive, and each hybrid cable occupies one optical port
and one electrical port on the switch, consuming a lot of port resources.
Select a power supply mode based on the AP power requirements:
PoE power supply standards (power available at the powered device; the PSE
output is higher to cover cable loss):
▫ PoE: IEEE 802.3af, up to 12.95 W at the PD (15.4 W at the PSE)
▫ PoE+: IEEE 802.3at, up to 25.5 W at the PD (30 W at the PSE)
▫ PoE++: IEEE 802.3bt, up to 71.3 W at the PD (90 W at the PSE, Type 4)
High-performance Wi-Fi 6 APs (for example, 8x8 MIMO models) may require
802.3bt power; check the AP's power requirement before selecting the PoE switch
or injector.
Local power supply using a power module (the power supply requirements of
Wi-Fi 5 and Wi-Fi 6 APs need to be considered)
Local AC power supply
• Cabling design rules: the same Ethernet cable length limits apply (100 m
maximum because of signal attenuation; 80 m recommended when the cable also
carries PoE power to the AP).
• Experience rate versus service-assured rate:
▫ Experience rate: the target rate that can be achieved in 95% of areas
according to SpeedTest on a lightly loaded network where channel
utilization is less than 20%.
▫ Service-assured rate: the guaranteed rate under a heavy network load, that
is, the target rate that can be achieved 90% of the time according to
SpeedTest in a multi-user concurrency scenario where the network load is
less than 80%.
Answer: B
• Network cloudification
▫ Cloud computing has completely changed the production mode of enterprises
over the past decade. A large number of services are deployed and operate on
the cloud, enabling enterprises to quickly launch new services. Thanks to the
evolution of the cloud architecture, enterprises can focus on services without
the need to pay too much attention to the IT architecture construction.
▫ As the pipe, the most important part in the cloud-pipe-device architecture, the
network plays a decisive role in user experience. To support service
cloudification, enterprises need to create a ubiquitous, intelligent, controllable,
and on-demand network. The traditional network architecture cannot adapt
to cloud transformation. The network needs to become more a service than a
solution, which is not only the business value brought by network
cloudification to enterprises but also the trend of network cloudification.
▫ Network cloudification is an important method to build service-based
networks. With infrastructure as a service (IaaS), enterprises no longer need to
repeatedly construct infrastructure. Similarly, with network cloudification,
enterprises simply need to consider the functions networks need to provide
and no longer need to care about the architecture, location, or function
implementation of the networks. In this way, enterprises can fully focus on
services.
• Huawei CloudCampus Solution migrates local network management to the
cloud, implementing automated and centralized management of multiple
branches based on the Internet. In addition, the solution enables the cloud
network management to be characterized by multi-tenancy, ultra-large scale,
and elastic scalability, and provides data collection and analysis capabilities that
cannot be provided by traditional networks. The solution can also restrict the
overall traffic of access users, the traffic of certain applications, and the uniform
resource locators (URLs) accessible to users.
1. Plug-and-play of network devices improves deployment efficiency.
▪ iMaster NCE-Campus centrally delivers configurations of multiple
sites, reducing onsite configuration and commissioning workload and
improving deployment efficiency. Network devices are plug-and-play
and able to be expanded on demand, requiring low costs for
upgrades.
2. Centralized cloud O&M simplifies O&M of multiple sites.
▪ iMaster NCE-Campus centrally manages scattered campus branches
on the cloud through the Internet, and integrates multiple
automation tools for troubleshooting, monitoring, and other
management operations, so as to implement remote automated
O&M.
3. Open APIs accelerate integration of business applications.
▪ With open APIs and big data analytics capabilities, iMaster NCE-
Campus can interconnect with multiple management systems to
achieve unified network management. It is able to provide diversified
value-added applications to help digital transformation of enterprises.
• Huawei CloudCampus Solution for small- and medium-sized campus networks
uses cloud computing technology to implement automatic and centralized
network management, and provides data collection and analysis capabilities that
are unavailable on traditional networks, so as to achieve network (LAN/WLAN)
as a service (NaaS).
• The roadmap of designing the architecture of Huawei CloudCampus Solution for
small- and medium-sized campus networks is as follows:
1. Construct a cloud campus communication network that features unified
bearing, on-demand definition, and elastic scaling. Then determine the
networking scheme of the multi-tenant network based on user
requirements and application scenarios, and conduct the network design
according to the actual service requirements of users, including the
physical network design, basic network service design, WLAN service
design, and user access control design.
▫ Reliability of egress links: In most scenarios, there is only one egress link, and
therefore no link redundancy needs to be considered. In scenarios where high
reliability is required, more than one egress link needs to be deployed, so
active and standby links must be configured.
▫ Reliability of links internal to a campus network: Typically, Eth-Trunk
technology is adopted to ensure link reliability. It is recommended that inter-
device Eth-Trunks be used to ensure link reliability of switch stacks.
• The internal routing design of the campus network must meet the
communication requirements of devices and terminals on the campus network
and enable interaction with external routes. As the campus network is small in
size, the network structure is simple.
• The egress routing design must be able to support Internet and WAN access of
users. To achieve this, you are advised to configure static routes on the egress
device connected to the Internet or WAN.
• Network planning is important for WLAN project implementation. WLAN
planning consists of the following parts:
▫ Network coverage design: Determine the requirements and principles for
signal coverage.
▫ Network capacity design: Determine the bandwidth requirements of a
single user based on the service model and terminal behavior, and then
determine the number of APs based on the AP capability.
▫ AP and switch deployment design: Determine installation positions based
on the deployment principles.
▫ AP channel design: Properly plan channels for APs in neighboring areas to
minimize co-channel and adjacent-channel interference.
▫ AP power supply and cabling design.
• This document does not describe the WLAN design from the preceding
dimensions. For details about the WLAN design, visit
https://e.huawei.com/en/material/networking/campus-
network/699b63ddae1543f1b91dd014e799e3e0.
• Huawei provides an online cloud-based WLAN Planner to guide users through
WLAN network planning in simple steps.
• Cloud APs have the same core algorithm logic for radio calibration as traditional
ACs. To be specific, APs detect and collect information about neighboring radios
and interference, and report the information to the calibration computing engine.
After the computing is complete, the computing engine delivers the allocated
channel and power configuration to each AP.
• Different from the traditional network where the calibration computing engine is
deployed on the WAC, the cloud managed network has the calibration
computing engine deployed on the leader AP.
• A site ID is used as the next hop for addressing and forwarding during user
routing.
• CPE router IDs are used to establish BGP peer relationships between different
sites.
• The public and private IP addresses are used as the source or destination IP
addresses of control and data channels.
▫ Some CPEs are deployed behind the NAT device. The post-NAT public IP
address is required for the establishment of data channels between CPEs.
▪ CPEs typically use the Session Traversal Utilities for NAT (STUN)
technology to detect public IP addresses.
• Tunnels are enumerated before data channels are established to ensure that all
available data channels are established.
• Tunnels can be enumerated only when the following conditions are met:
• The IP address of an edge device's loopback interface is used as the edge device's
router ID.
• Tunnel interfaces are used to establish management channels, which use GRE
over IPsec encapsulation.
• Basic BGP configurations are also delivered by iMaster NCE to instruct edge
devices to establish BGP peer relationships with the RR through loopback
interfaces.
• Site IDs are generally allocated to edge devices in ascending order based on the
sequence in which they go online.
• The process of establishing a control channel is as follows:
1. An edge device establishes a DTLS channel with the RR based on the TNP
information delivered by iMaster NCE.
2. The edge device and RR exchange TNP and IPsec SA information through
the DTLS channel, and establish an EVPN tunnel based on the TNP and
IPsec SA information.
▪ The edge device and RR send BGP packets to each other to exchange
the TNP and IPsec SA information required for establishing a data
channel.
• The process of exchanging TNP and IPsec SA information is as follows:
1. Through a BGP control channel, an edge device sends local TNP and IPsec
SA information to the RR through a BGP route.
▪ The public and private IP addresses are used as the source and
destination IP addresses of a data tunnel.
▪ The site ID is used for traffic steering. The functions of a site ID will be
described later.
2. The RR sends the BGP route received from the edge device to all edge
devices associated with the RR.
• The site ID is mainly used for route selection. The functions of the site ID will be
described in the following sections.
• Data channels use GRE over IPsec encapsulation.
▫ The VPN field is added to the ExtGRE header to identify the service (VPN) to
which data belongs during data forwarding.
• Different services may use different overlay topologies.
• Because an RR reflects service routes of all edge devices associated with it, the RR
can change the next-hop site ID of service routes to control the overlay topology.
• When the hub-spoke topology is used, the RR only needs to change the next-hop
site ID of service routes to the site ID of the hub site.
• When the full-mesh topology is used, a full-mesh network can be built without
requiring the RR to change the next-hop site ID of service routes.
• When the partial-mesh topology is used, only the next-hop site ID of some
service routes needs to be changed.
• An RR is also known as an area controller because it can control the overlay
topology.
• STUN (Session Traversal Utilities for NAT) was first defined in RFC 3489 and
updated in RFC 5389. It lets a client behind a NAT learn its post-NAT (reflexive)
IP address and port. It is a building block for NAT traversal rather than a
complete solution on its own, because some NAT types (for example, symmetric
NAT) cannot be traversed with STUN alone.
• The STUN server obtains the source IP address and port number from the STUN
binding request, and returns them to the client in a STUN binding response.
• The STUN client reads the IP address and port number from the STUN binding
response and compares them with the source IP address and port number it
used for the request. If they differ, a NAT device is present between the STUN
client and STUN server.
• STUN clients learn each other's TNP information (including the pre-NAT and
post-NAT IP addresses and port numbers) through BGP routes.
• After the preceding STUN packets are exchanged, a data channel is established
between the STUN clients so that packets can traverse the NAT devices based on
the hole punching mechanism.
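To make the binding exchange concrete, the Python below is an added example (not code from the page, from the vendor's CPE, or from any STUN library) that builds an RFC 5389 Binding Request, has a server reflect the source address it observed in an XOR-MAPPED-ADDRESS attribute, and has the client decode it and compare it with its local address, which is exactly the NAT detection described above. The exchange runs in-process with a constructed "observed" address standing in for what the server would see after NAT; the addresses and ports are constructed sample values, and the message types, magic cookie and XOR encoding follow RFC 5389.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txid=None):
    """Client side: 20-byte header (type, length, cookie, 96-bit transaction ID)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_header(msg):
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, magic = struct.unpack("!HHI", msg[:8])
    if magic != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a well-formed RFC 5389 STUN message")
    return mtype, msg[8:20], msg[20:]


def xor_mapped_address(ip, port):
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute (RFC 5389 section 15.2):
    port XOR the top 16 bits of the cookie, address XOR the whole cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    cookie = struct.pack("!I", MAGIC_COOKIE)
    xaddr = bytes(a ^ b for a, b in zip(socket.inet_aton(ip), cookie))
    value = struct.pack("!BBH", 0, FAMILY_IPV4, xport) + xaddr
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def server_handle(request, observed_ip, observed_port):
    """Server side: reflect the source address/port seen on the wire, which is
    the post-NAT address when the client sits behind a NAT."""
    mtype, txid, _ = parse_header(request)
    if mtype != BINDING_REQUEST:
        raise ValueError("unexpected STUN message type")
    attr = xor_mapped_address(observed_ip, observed_port)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def client_parse_response(response, expected_txid):
    """Client side: check the transaction ID and decode XOR-MAPPED-ADDRESS."""
    mtype, txid, body = parse_header(response)
    if mtype != BINDING_SUCCESS or txid != expected_txid:
        raise ValueError("response does not match our binding request")
    cookie = struct.pack("!I", MAGIC_COOKIE)
    while len(body) >= 4:
        atype, alen = struct.unpack("!HH", body[:4])
        value, body = body[4:4 + alen], body[4 + alen + (-alen % 4):]
        if atype == XOR_MAPPED_ADDRESS and value[1] == FAMILY_IPV4:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(bytes(a ^ b for a, b in zip(value[4:8], cookie)))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def detect_nat(local_ip, local_port, observed_ip, observed_port):
    """Run the whole exchange in-process (no sockets): `observed_*` is what the
    server would see after any NAT. Returns the reflexive address and whether
    it differs from the local one, i.e. whether a NAT sits in between."""
    request = build_binding_request()
    txid = request[8:20]
    response = server_handle(request, observed_ip, observed_port)
    reflexive = client_parse_response(response, txid)
    return {"reflexive": reflexive,
            "behind_nat": reflexive != (local_ip, local_port)}
```

The reflexive address returned here is the post-NAT IP address and port that a CPE would carry in its TNP information so that the peer can reach it; checking the transaction ID on the client side is what stops an unrelated or spoofed response from being accepted as the NAT binding.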
• If a site has only one CPE, LAN-side connections are simple.
▫ For small sites, for example, SOHO sites, LAN-side interfaces can be directly
connected to terminals at the sites.
• If a site has two CPEs, VRRP is typically deployed on the CPEs to prevent the
dual-CPE architecture from affecting the LAN-side network.
▫ Multiple LAN-side switches can be deployed to form a stack. If two CPEs are
deployed at a site, they can be interconnected directly or through the LAN-
side network.
▫ If the two CPEs are directly interconnected, an interlink needs to be
established between them to forward service packets. The interlink can be an
Eth-Trunk.
• For a large enterprise site, the site network has a complex structure and complex
network facilities (for example, Layer 3 core devices). Therefore, egress routers
need to connect, or be dual-homed, to Layer 3 devices. BGP, OSPF, and static
routing are supported.
• In the Layer 3 interconnection scenario, if only one CPE is deployed, only routing
protocol needs to be configured based on the requirements of LAN-side devices.
If a CPE needs to interconnect with two LAN-side devices, the LAN-side devices
must be stacked to function as a single device.
• This solution can be used when BGP is deployed on the user-side network of a
dual-gateway site and users want to transmit the original BGP community
attributes of private network routes between two SD-WAN sites. (These
community attributes may be used in routing policies on user networks for route
control.)
• If OSPF is deployed on the interlink between two gateways, BGP community
attributes of user routes may be lost when the routes are transmitted through
the interlink.
• In this case, IBGP can be deployed on the interlink, so that the original BGP
community attributes carried in private network routes are not lost when these
routes are transmitted between the gateways.
• To improve the reliability of egress links, multiple links are usually provided, that
is, one active link and one standby link are used. This design is simple and
reliable. The standby link is in standby state and does not forward network traffic
in normal cases. Therefore, enterprise customers need to pay extra fees for
reliability.
• Huawei's SD-WAN Solution does not use this link backup mode. Instead, multiple
uplinks of a site are active at the same time, and services are load balanced
among the links according to a preconfigured traffic scheduling policy. If a link
fails or its quality deteriorates, the condition is detected within a sub-second
interval and services are switched from the affected link to an operational link.
This mechanism ensures link reliability and maximizes the use of enterprises'
link resources, providing high access bandwidth and facilitating interconnection
between enterprise sites.
• Hub-spoke networking
• Partial-mesh networking
• Hierarchical networking
• When local Internet access is enabled, the default route on the underlay WAN
needs to be configured. The default route can be a static route (mainly for
Internet access through the Internet network interface) or a BGP/OSPF route
(mainly for Internet access through the MPLS network interface).
• If hub sites function as centralized Internet access gateways, the active and
standby hub sites can be selected. If branch or aggregation sites function as
centralized Internet access gateways, only one branch or aggregation site can be
selected.
• A dedicated link is established between user-side interfaces on both the legacy
edge and SD-WAN edge devices. The dedicated link runs a protocol such as BGP
or OSPF to exchange routes between the legacy MPLS network and SD-WAN
network. In this way, users on the two networks can communicate with each
other through the dedicated link.
• Multiple traffic models are supported in this scenario, and you can choose one
based on your service requirements.
▫ Distributed local access: This model applies if all SD-WAN sites can
communicate with legacy sites over the underlay MPLS network through
local breakout. In this model, traffic of each site is directly forwarded
through the local site without being forwarded through overlay tunnels.
▫ This mode is applicable when an enterprise wants to deploy and manage its
own internal network. The system administrator can create multiple tenants
to isolate and manage networks of different departments or subsidiaries.
Each tenant can create an administrator to manage the tenant's network.
• MSP mode: The system administrator creates an MSP, and then the MSP
administrator creates tenants.
• If a tenant authorizes an MSP to manage the tenant network, the MSP can also
manage devices of the tenant.
• RRs added by an MSP are shared RRs, and can be shared by multiple tenants.
Shared RRs are used to reduce investment costs.
• RRs added by a tenant are exclusive RRs, and cannot be shared by other tenants.
Exclusive RRs are used to improve stability.
• Email-based deployment applies only to devices with factory settings.
• 2. False
• This course is based on Huawei's SD-WAN Solution.
• For details about SA and SPR, see HA Technologies.
• After receiving a service packet, a CPE processes the packet as follows:
▪ If no session table exists, the CPE identifies the service type of the packet
based on the SA signature database or through FPI, performs application-
based traffic steering, and sets up a session table.
▪ If intelligent traffic steering is not configured, the CPE searches the routing
table for a route to forward the packet.
• For example, an enterprise leases three links: MPLS, Internet1, and Internet2. It
expects to reserve certain bandwidth resources for high-value VoIP services to
ensure user experience of VoIP services, while fully utilizing the MPLS link. In this
case, bandwidth-based traffic steering can be configured. Bandwidth conditions
can be configured for low-value applications (such as email and FTP) to select
the MPLS link. For example, when the bandwidth utilization of the MPLS link
exceeds 50%, new traffic is not transmitted over the MPLS link; when the
bandwidth utilization of the MPLS link exceeds 70%, existing traffic on the MPLS
link needs to be dynamically switched to other links.
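The packet-processing order above (session table hit, otherwise identify the application, steer, create the session) and the 50% / 70% bandwidth conditions of the three-link example can be tied together in a small model. The Python below is an added example, not code from the page or from the vendor's CPE: a static 3-tuple table stands in for the SA/FPI signature match, a constructed policy lets VoIP always use MPLS while email and FTP use it only under the bandwidth condition, new flows stop entering MPLS above 50% utilization, and existing conditioned flows are moved off MPLS above 70%. The application table, policy, link names, addresses and thresholds are all constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip proto src_port dst_port")

# Constructed static identification table keyed by the server-side 3-tuple
# (dst_ip, dst_port, proto), standing in for the SA/FPI signature match.
STATIC_APP_TABLE = {
    ("10.10.0.5", 5060, "udp"): "voip",
    ("10.10.0.9", 25, "tcp"): "email",
    ("10.10.0.9", 21, "tcp"): "ftp",
}

# Constructed steering policy: VoIP is high value and may always use MPLS;
# email and FTP may use MPLS only under the bandwidth conditions below.
POLICY = {
    "voip":  {"links": ["MPLS", "Internet1", "Internet2"], "bw_condition": False},
    "email": {"links": ["MPLS", "Internet1", "Internet2"], "bw_condition": True},
    "ftp":   {"links": ["MPLS", "Internet1", "Internet2"], "bw_condition": True},
}
NEW_FLOW_MAX_UTIL = 0.50   # above this, no new conditioned flows go to MPLS
SWITCH_UTIL = 0.70         # above this, existing conditioned flows leave MPLS


class Cpe:
    def __init__(self):
        self.sessions = {}   # 5-tuple -> (application, link)

    @staticmethod
    def identify(pkt):
        return STATIC_APP_TABLE.get((pkt.dst_ip, pkt.dst_port, pkt.proto), "unknown")

    @staticmethod
    def select_link(app, utilization):
        policy = POLICY.get(app)
        if policy is None:
            return None   # no steering policy: fall back to the routing table
        for link in policy["links"]:
            if policy["bw_condition"] and link == "MPLS" \
                    and utilization["MPLS"] > NEW_FLOW_MAX_UTIL:
                continue  # bandwidth condition not met: skip MPLS for new flows
            return link
        return policy["links"][-1]

    def forward(self, pkt, utilization):
        """First packet of a flow: identify, steer, create the session entry.
        Later packets hit the session table and keep the chosen link."""
        key = tuple(pkt)
        if key in self.sessions:
            return self.sessions[key]
        app = self.identify(pkt)
        link = self.select_link(app, utilization) or "routing-table"
        self.sessions[key] = (app, link)
        return self.sessions[key]

    def rebalance(self, utilization):
        """Once MPLS exceeds SWITCH_UTIL, move existing bandwidth-conditioned
        sessions to the next link in their policy. Returns what moved."""
        moved = []
        if utilization["MPLS"] <= SWITCH_UTIL:
            return moved
        for key, (app, link) in list(self.sessions.items()):
            if link == "MPLS" and POLICY.get(app, {}).get("bw_condition"):
                alt = next(l for l in POLICY[app]["links"] if l != "MPLS")
                self.sessions[key] = (app, alt)
                moved.append((key, alt))
        return moved
```

The gap between the two thresholds matters: between 50% and 70% existing low-value flows stay on MPLS while new ones are kept off it, which avoids the flapping that a single threshold would cause.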
• The scheduling following function is supported only when Inter-TN Policy is set
to Load balance. Dynamic primary/secondary switchover is not supported.
• An enterprise usually has multiple departments of different importance, which
require traffic isolation and differentiated bandwidths.
▫ A specified bandwidth quota is assigned to each department to meet its
service requirements.
▫ If some departments do not fully use their bandwidth quotas, idle
bandwidth resources can be used by other departments with insufficient
bandwidth.
▫ The bandwidth for accessing the Internet or legacy sites needs to be limited
separately.
• Traffic can be classified based on one or a combination of the following:
▫ 5-tuple information
▫ DSCP values
▫ After classification, the DSCP value of the traffic can be re-marked.
• FEC optimization mitigates packet loss for data flows that an agent selects based
on 5-tuple information. The FEC agent takes the selected data flows, adds
redundancy (check) packets to them, and verifies the flows at the receive end. If
a packet is lost or damaged on the network, it can be reconstructed from the
redundancy information without retransmission.
• On the basis of FEC, A-FEC can automatically adjust the FEC redundancy rate to
save bandwidth at a low packet loss rate. When the packet loss rate increases
sharply in a short period of time, the FEC redundancy rate can be increased
adaptively to offset the impact of packet loss on the network.
▫ A-FEC can dynamically adjust the redundancy rate to reduce bandwidth waste
and mitigate continuous packet loss.
• 1. ABCD
• 2. False
• The LAN-WAN converged management model of the CloudCampus Solution
delivers the following benefits:
▫ Easy deployment: iMaster NCE, also called the cloud management
platform, manages campus networks of all sizes. It supports LAN and LAN-
WAN convergence scenarios, and can be flexibly deployed.
▫ Simplified configuration: WAN and LAN services can be configured on one
set of GUIs. This solution supports both the traditional IPsec VPN
interconnection and SD-WAN interconnection. It also supports flexible
networking, simplifying the configuration and improving service
provisioning efficiency.
▫ Forwarding-control separation: The control plane is separated from the
forwarding plane and is centrally managed, improving network routing and
topology flexibility and network scalability.
▫ Simplified O&M: One set of GUIs is used for O&M status monitoring of
branches of all sizes and network-wide service data presentation,
facilitating network-wide monitoring and analysis.
▫ EVPN is a type of dynamic VPN that establishes tunnels between sites on
demand and dynamically advertises routes. The SD-WAN interconnection
solution sets up GRE tunnels between sites as the VPN tunnels and protects
them with IPsec encryption to secure data transmission. In addition, it offers
application- and policy-based intelligent traffic steering, so that high-quality
links are chosen for data transmission based on applications and policies.
• In the IPsec VPN interconnection solution, point-to-point (P2P) or point-to-
multipoint (P2MP) IPsec VPN tunnels are created between sites, and service
traffic between sites is transmitted through the IPsec tunnels. The detailed
process is described as follows:
1. On iMaster NCE, create sites, record device information, and configure
service deployment information for the devices. The devices then register
with iMaster NCE.
2. Define the subnet segments that can access VPN services.
3. On iMaster NCE, orchestrate the site VPNs and define the IPsec VPN
interconnection model (hub-spoke or full-mesh). If the hub-spoke model is
used, specify the spoke and hub nodes. Non-cloud devices can be deployed
as hub nodes.
4. When adding devices to site VPNs, specify the subnet segment. During
IPsec tunnel establishment, the subnet segment is sent to the peer end to
generate static UNRs. This ensures that traffic can be properly transmitted
between sites.
5. In the hub-spoke model, configure the IPsec template mode for the hub
sites to monitor the link establishment requests from the spoke sites. In
this way, IPsec VPN tunnels are established between the HQ and branches.
The spoke sites proactively send link establishment requests to the hub
sites.
• UNRs are used to implement return routes of multiple branch sites and
implement inter-site communication.
• Flexible overlay network based on the hybrid WAN
▫ Hybrid WAN implements interconnection of enterprise branches through
various WAN connection technologies such as MPLS and Internet. As the
Internet improves in terms of quality and coverage, it becomes more
suitable for use as a WAN technology. That is, in addition to deploying
MPLS private lines provided by carriers, enterprises can select the Internet
for WAN branch interconnection to implement hybrid WAN interconnection.
• Service-orientation, implementing network orchestration and automatic
provisioning
▫ Traditionally, network services are provisioned through manual
configuration. Such an approach requires engineers to have a thorough
understanding of networks, especially when the network is complex. The
SD-WAN interconnection solution uses the centralized controller iMaster
NCE to abstract, orchestrate, and automatically provision services on
demand.
▫ iMaster NCE abstracts and models network services while shielding users
from technical implementation details of the network through model
abstraction, exposing only service-oriented interfaces and parameters.
▫ Additionally, iMaster NCE provides service GUIs or programmable APIs, with
which end users can drive iMaster NCE to orchestrate and automatically
provision network services based on their service requirements.
• Intelligent traffic steering, ensuring application experience
• WAN link: A WAN link refers to a link connecting to a WAN interface. The IP
address obtaining mode, link negotiation rate, and subscribed bandwidth can be
configured for a WAN link.
• If dual CPEs are deployed, VRRP is generally deployed on the CPEs to prevent
them from affecting the LAN. The VRRP virtual IP address is used as the gateway
address of the network to transparently provide the redundancy function.
Multiple switches can be deployed on the LAN side to form a stack. If two CPEs
are deployed at a site, they can be interconnected directly or through the LAN. If
the two CPEs are directly interconnected, the interconnection links can be added
to an Eth-Trunk. In the VRRP group, the master CPE forwards service packets.
However, in the actual environment, service packets may need to be transmitted
through the egress link on the backup CPE. In this case, the master CPE needs to
forward service packets to the backup CPE first, which then sends the packets out
over the EVPN tunnel. Therefore, an interconnection link needs to be set up
between the master and backup CPEs to forward service packets between them.
• For a large enterprise site, the site network has a complex structure and complex
network facilities (for example, Layer 3 core devices). Therefore, the egress
routers need to connect, or be dual-homed, to Layer 3 devices. BGP, OSPF, and
static routing are supported.
• In hybrid Internet access mode, NAT in Easy IP mode can also be enabled on the
outbound interface for local Internet access.
• This Internet access mode is applicable to scenarios where centralized security
control is required for Internet access traffic but Internet access traffic of
specified services is routed out from the local site to minimize the access delay.
• Precisely identifying applications on a network is a prerequisite and a basis for
network services such as intelligent traffic steering, QoS, application optimization,
and security. Service policies can be applied in subsequent service processes only
after applications are identified.
• For FPI and SA, the FPI signature database and SA signature database are
preconfigured on CPEs before delivery. The CPEs can identify common
applications based on the application definition (port number, signature, and
behavior) in the signature database. In addition, FPI and SA can also identify
customized applications. You can customize applications whose signatures are
not in the signature databases.
• Static identification
• For applications with fixed IP addresses, port numbers, and protocol types, their
3-tuple information is recorded in a static identification table. When the first
packet of a data flow arrives at a device, the device searches the static
identification table for its 3-tuple information. If a match is found, the application
type corresponding to the entry is identified. This method is mainly used to
identify customized applications.
• Advantages:
▫ The site deployment is simple. Deployment engineers do not need to master
any professional skills or carry tools such as PCs. (A USB flash drive is required
for onsite deployment.)
• Disadvantages:
▫ The administrator needs to manually create a configuration file based on
CPEs. The configuration file contains command configurations, which are
complex and error-prone.
▫ CPEs may be incorrectly delivered if the ESNs are bound to incorrect sites.
• In DHCP-based deployment mode, the network administrator configures ZTP for
a site on iMaster NCE, and configures the IP address to be allocated to the CPE's
WAN-side interface, gateway, as well as the southbound IP address and port
number of iMaster NCE on the DHCP server. The WAN-side interface of the CPE
at the site must apply for an IP address from the DHCP server through DHCP.
When allocating an IP address to the CPE, the DHCP server also sends the
iMaster NCE information to the CPE through Option fields in DHCP messages.
After obtaining an IP address and accessing the underlay network, the CPE
automatically registers with iMaster NCE to complete the deployment.
• Advantages:
▫ Devices are plug-and-play, and no deployment terminal is required for
deployment.
• Disadvantages: