• Location Based Service (LBS) uses various types of location technologies to obtain
the current location of a device and provides information resources and basic
services for the device through the mobile Internet.

• The Internet of Things, or IoT, is a data network comprised of various intelligent
terminals, such as smart household terminals, smart sensors, and card readers.
• Currently, campus networks are striding from the PC era to the cloud era. In the
PC era, campus networks are mainly used for office services and connect wired
terminals. On the one hand, campus applications are deployed locally, and
terminals directly access applications through local campus networks. Most traffic
on the campus networks is transmitted from terminals to local servers. On the
other hand, access terminals include mainly wired fixed terminals as well as a
few wireless terminals.
• In the cloud era, enterprises gradually migrate applications from local servers to
the cloud. More and more enterprises choose to deploy applications through
public clouds, private clouds, or even hybrid clouds, bringing huge changes to the
data traffic model on campus networks. More and more traffic is no longer confined
to the campus network but flows from the campus egress to the cloud, posing new
challenges to the campus egress and WAN access side.
In addition, the introduction of production applications and production terminals
has increased the importance of campus networks that are required to be more
stable, reliable, convenient, and secure. As services are migrated to the cloud and
campus user terminals become wireless, more and more campus networks attach
importance to Wi-Fi access and user experience, leading to the emerging concept
of all-wireless access proposed by many enterprises. In the service cloudification
scenario, wireless access becomes the mainstream. In the trend of wireless access,
users and user terminals are becoming more mobile. In this case, continuous Wi-Fi
networking and high-quality roaming experience become a must-have.
• Campus networks oriented to the cloud era are called cloud campus networks,
which have the following characteristics:
▫ Autonomous driving:
▪ With the maturity and large-scale deployment of software-defined
networking (SDN) technologies, enterprise users become familiar with SDN
and even hold the opinion that a new campus network must be SDN-capable.
In cloud campus networks, SDN shall be supported by LANs,
WANs, and WLANs. SDN enables users to manage, operate, or maintain a
network without using traditional network management and O&M
methods. In this way, service provisioning and policy deployment of
networks will become centralized and simple and challenges will be
mitigated.
▪ AI-based intelligent O&M is supported, making networks more intelligent
based on traditional network O&M. For example, trends or faults can be
predicted based on historical network data. In addition, networks need to
implement experience visualization. For example, experience visualization
needs to be implemented in terms of traditional Wi-Fi experience and
difficult fault locating; the user experience journey is displayed in an end-to-end
manner; or the root causes for poor-quality experience are analyzed in
an intelligent way to provide specific suggestions and solutions for different
problems, such as problems occurring in the access authentication process
or in the address allocation process of user terminals.
• Remote units (RUs), functioning as extended ports of the central switch, are free
of configuration and maintenance, and are managed by the central switch in a
unified manner.
• RUs can automatically discover topologies through X-Lean Discovery Protocol
(XLDP).
• Networking mode reliability: The entire series supports the Spanning Tree
Protocol (STP) to prevent loops caused by unauthorized devices.
• Device access authentication: RUs can be authenticated based on certificates to
ensure the security of access switches.
• User access authentication: 802.1X authentication is used in high-security user
access scenarios. Authentication packets are transparently transmitted to the
central switch for packet processing.
• User access security: RU ports support isolated and non-isolated (used by default)
modes, which can be flexibly selected.
1. True
2. ABC
1. User identity authentication request: A terminal sends the user credential to an
admission device.
2. User identity authentication: The admission device sends the user credential to the
admission server for authentication.
3. User identity verification: The admission server stores user identity information and
manages users. After receiving the user credential of the terminal, the admission
server verifies the identity of the terminal, and delivers the verification result and
corresponding policy to the admission device.
4. User policy authorization: As a policy enforcement device, the admission device
implements policy control over the terminal according to the authorization result
received from the admission server, for example, permitting or denying the terminal to
access the network, or performing more complex policy control on the terminal. Such
complex policy control can increase or decrease the forwarding priority of the terminal
or limit the network access rate of the user.
• The Extensible Authentication Protocol (EAP) packets transmitted between the client
and access device are encapsulated in EAPoL format and transmitted across the LAN.
• Users can determine the authentication mode between the access device and
authentication server based on the client support and network protection
requirements.
▫ EAP termination mode: The access device terminates EAP packets and encapsulates
them into RADIUS packets. The authentication server then uses the standard
RADIUS protocol to implement authentication, authorization, and accounting.
▫ EAP relay mode: The access device directly encapsulates the received EAP packets
into EAP over RADIUS (EAPoR) packets, and then transmits these packets over a
complex network to the authentication server.
• EAPoL defines EAP encapsulation on IEEE 802 (such as 802.3 and 802.11) networks.
EAPoL only transmits EAP packets between 802.1X clients and access devices, and does
not implement authentication.
• Typical EAP authentication protocols include EAP-TLS, EAP-TTLS, EAP-PEAP, and
EAP-MD5.
• The EAP relay mode simplifies the processing on the access device and supports various
authentication methods. However, the authentication server must support EAP and
have high processing capability. The commonly used authentication modes include
EAP-TLS, EAP-TTLS, and EAP-PEAP. EAP-TLS has the highest security because it
requires a certificate to be loaded on both the client and authentication server.
EAP-TTLS and EAP-PEAP are easier to deploy since the certificate needs to be loaded
only on the authentication server, but not the client.

• The EAP termination mode is advantageous in that mainstream RADIUS servers
support Password Authentication Protocol (PAP) authentication and
Challenge-Handshake Authentication Protocol (CHAP) authentication, eliminating the
need for a server upgrade. However, the workload on the access device is heavy
because it needs to extract client authentication information from the EAP packets
sent by the client and encapsulate the information using the standard RADIUS
protocol. In addition, the access device does not support EAP authentication methods
other than MD5-Challenge. The major difference between PAP and CHAP is that
passwords in CHAP authentication are transmitted in cipher text, whereas passwords in
PAP authentication are transmitted in plain text. In this aspect, CHAP provides higher
security and is recommended.
• EAP relay authentication process:
1. When a user needs to access an external network, the user starts the 802.1X
client, enters the registered user name and password, and initiates a
connection request. The client then sends an authentication request packet
(EAPoL-Start) to the access device to start the authentication process.
2. After receiving the authentication request packet, the access device returns an
EAP-Request/Identity packet, requesting the client to send the previously entered
user name.
3. In response to the request sent by the access device, the client sends an
EAP-Response/Identity packet containing the user name to the access device.
4. The access device encapsulates the EAP-Response/Identity packet into a RADIUS
Access-Request packet and sends the RADIUS packet to the authentication
server.
5. After receiving the user name forwarded by the access device, the RADIUS server
searches the user name table in the local database for the corresponding
password, encrypts the password with a randomly generated MD5 challenge,
and sends a RADIUS Access-Challenge packet containing the MD5 challenge to
the access device.
6. The access device forwards the MD5 challenge received from the RADIUS server
to the client.
7. Upon receipt of the MD5 challenge, the client encrypts the password with the
MD5 challenge, generates an EAP-Response/MD5-Challenge packet, and sends
the packet to the access device.
• Dumb terminal: Compared with other terminals, dumb terminals have limited
functions and simple interaction modes. In this document, dumb terminals refer to
terminals whose authentication information such as user names and passwords cannot
be entered.
• By default, a MAC address without hyphens (-) is used as the user name and password
for MAC address authentication, for example, 0005e0112233.
• Passwords of MAC address authentication users can be processed using PAP or CHAP.
The following MAC address authentication process uses PAP as an example:
1. When a terminal accesses the network, the access device detects and learns the
MAC address of the terminal, triggering MAC address authentication.
2. The access device generates a random value (MD5 challenge), arranges the user
MAC address, password, and random value in sequence, encrypts them using the
MD5 algorithm, encapsulates the encryption results into a RADIUS
authentication request packet, and sends the packet to the RADIUS server.
3. The RADIUS server arranges the user MAC address, the password saved in the local
database, and the received random value in sequence, and encrypts them using the
MD5 algorithm. If the encrypted password is the same as that received from the access
device, the RADIUS server sends an authentication accept packet to the access device,
indicating that MAC address authentication is successful and the terminal is allowed to
access the network.
• Different from PAP, CHAP involves password encryption twice on both the access
device and RADIUS server.
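The MD5-Challenge response from step 7 of the EAP relay process above and the PAP password handling that the MAC address authentication steps rely on, as an added Python example that is not part of the course material or any vendor code: it implements the RFC 1994 / RFC 3748 MD5-Challenge computation and the RFC 2865 User-Password hiding; the shared secret, challenge and Request Authenticator values are constructed.

```python
"""Added worked example (not part of the course material or any vendor code).

Two ways the password in the flows above can be protected on the wire:
- CHAP / EAP-MD5-Challenge (RFC 1994, RFC 3748 section 5.4): step 7 of the
  EAP relay process and CHAP-mode MAC authentication send
  MD5(identifier || password || challenge), never the password itself.
- PAP relayed in a RADIUS Access-Request (RFC 2865 section 5.2): the access
  device masks the plaintext password with an MD5 keystream derived from the
  RADIUS shared secret and the 16-octet Request Authenticator.

The MAC-derived credential 0005e0112233 comes from the text; the shared
secret, challenge and authenticator values are constructed for the example.
"""
import hashlib
import os
import secrets


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side of CHAP / EAP-MD5-Challenge: the 16-octet Response value."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP/EAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_challenge(identifier: int, stored_password: bytes,
                         challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the password in the local database and
    compare in constant time. Note the server must hold the cleartext password."""
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return secrets.compare_digest(expected, response)


def radius_hide_password(password: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as done by the access device in PAP mode."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16-octet blocks
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # later blocks chain on the previous hidden block
    return bytes(hidden)


def radius_unhide_password(hidden: bytes, shared_secret: bytes,
                           request_authenticator: bytes) -> bytes:
    """RADIUS server side of PAP: reverse the masking and strip the NUL padding.
    The password itself is recovered, which is why PAP depends on the secret staying secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def demo() -> dict:
    """Run one CHAP-style and one PAP-style exchange with constructed values."""
    mac_credential = b"0005e0112233"          # MAC address used as user name and password
    shared_secret = b"example-radius-secret"  # constructed, not a real deployment value
    challenge = os.urandom(16)                # the server's random MD5 challenge
    request_authenticator = os.urandom(16)
    identifier = 0x2A

    # CHAP / EAP-MD5: only a digest crosses the network; a wrong stored password fails.
    response = md5_challenge_response(identifier, mac_credential, challenge)
    chap_ok = verify_md5_challenge(identifier, mac_credential, challenge, response)
    chap_bad = verify_md5_challenge(identifier, b"0005e0ffffff", challenge, response)

    # PAP: the password crosses the network masked; the server recovers it exactly.
    hidden = radius_hide_password(mac_credential, shared_secret, request_authenticator)
    recovered = radius_unhide_password(hidden, shared_secret, request_authenticator)
    return {"chap_ok": chap_ok, "chap_bad": chap_bad,
            "pap_roundtrip": recovered == mac_credential, "pap_hidden_len": len(hidden)}


if __name__ == "__main__":
    print(demo())
```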
• Client: In most cases, a client is a host where an HTTP/HTTPS-capable browser is
installed.
• Access device: a network device such as a switch or router, which provides the
following functions:
▫ Redirects all HTTP or HTTPS requests of users on authentication subnets to the
Portal server before authentication.
▫ Interacts with the Portal server and authentication server to implement identity
authentication, authorization, and accounting.
▫ Grants users access to specified network resources upon successful authentication.
• Portal server: a server system that receives authentication requests from clients,
provides Portal services and authentication pages, and exchanges client authentication
information with an access device.
• Authentication server: interacts with the access device to implement user
authentication, authorization, and accounting.
• Advantages:
▫ Ease of use: In most cases, Portal authentication authenticates a user on a web page,
without any additional software required on the client.
▫ Convenient operations: Portal authentication allows for value-added services on the
web page, including advertisement push and enterprise publicity.
▫ Mature technology: Portal authentication has been widely used on networks of
carriers, fast food chains, hotels, and schools.
▫ Flexible deployment: Portal authentication implements access control at the access
layer or at the key ingress.
▫ Flexible user management: Portal authentication can be performed on users based
on the combination of user names and any one of VLANs, IP addresses, and MAC
addresses.
• HTTPS is the secure version of HTTP and is also known as HyperText Transfer Protocol
over Transport Layer Security (HTTP over TLS) or HyperText Transfer Protocol over
Secure Sockets Layer (HTTP over SSL). HTTPS uses HTTP for communication and
SSL/TLS for data encryption.
• A URL is a concise representation of the location and access method of a resource that
can be obtained from the Internet. It is the address of a standard resource on the
Internet. Each file on the Internet has a unique URL. The URL contains information
about the location of the file and how a browser should process the file.
• When HTTP/HTTPS-based Portal authentication is used, the authentication process is
as follows:
7. The Portal server instructs the client to send a Portal authentication request to the
access device.
8. The client sends a Portal authentication request (HTTP POST/GET) to the access
device.
9. After receiving the Portal authentication request, the access device parses the packet
according to parameter names to obtain parameters such as the user name and
password, and then sends the obtained user name and password to the RADIUS
server for authentication. The process is similar to the Portal-based authentication
process.
10. The access device returns the Portal authentication result to the client and adds the
user to the local online user list.
• As shown in the figure, an HTTP request is sent in GET mode:
https://Portal.example.com/login?userName=test&password=11111111. You can see
that the user name and password appended to the URL are transmitted in plain text,
where other users on the network may capture them, posing security risks.
• When the RADIUS server is used, the authentication accept packet also contains user
authorization information because RADIUS authorization is combined with
authentication.
• Authorized VLAN: After a user is authenticated, the RADIUS server delivers an
authorized VLAN to the user. The access device then changes the VLAN to which the
user belongs to the authorized VLAN, with the interface configuration remaining
unchanged. The authorized VLAN has a higher priority than the VLAN configured on
the interface. That is, the authorized VLAN takes effect after the authentication
succeeds, and the configured VLAN takes effect when the user is offline.
• The RADIUS server can assign an authorized ACL to a user in either of the following
modes:
▫ Static ACL assignment: The RADIUS server uses the standard RADIUS attribute
Filter-Id to assign an ACL ID to the user. In this mode, the ACL and corresponding
rules are configured on the access device in advance.
▫ Dynamic ACL assignment: The RADIUS server uses the Huawei extended RADIUS
attribute HW-Data-Filter to assign an ACL ID and corresponding rules to the user.
In this mode, the ACL ID and ACL rules are configured on the RADIUS server.
• The RADIUS server assigns an authorized UCL group to a user in either of the following
modes:
▫ Assigns the UCL group name through the standard RADIUS attribute Filter-Id.
▫ Assigns the UCL group ID through the Huawei extended RADIUS attribute HW-UCL-
Group.
You must configure the UCL group and corresponding network access policies on the
access device in advance, regardless of which UCL group authorization mode is used.
• RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific) defined in
RFC 2865 can be used to extend RADIUS to implement the functions not supported by
standard RADIUS attributes. For details about Huawei extended RADIUS attributes, see
the product documentation.
• When an authentication-free rule is configured using an ACL, the ACL number ranges
from 6000 to 6031.

• The NAC bypass mechanism grants specified network access rights to users when the
authentication server is Down or to users who fail the authentication or are in pre-
connection state. The bypass solutions vary according to the authentication modes.
Some bypass solutions are shared by all authentication modes, while some are
supported only in specific authentication modes. For details, see "NAC Escape
Mechanism" in the product documentation.
• Note:
▫ MAC address authentication supports only user logout control by the access
device and server.
▫ Portal authentication allows both the authentication server and Portal server to
control user logout.
• In addition to low security, moving authentication points upwards may cause the
following problems:
▫ Authentication access devices cannot transparently transmit BPDUs, causing 802.1X
authentication failure. Therefore, the Layer 2 transparent transmission function must
be configured.
▫ The authentication point cannot control mutual access between users in the same
VLAN on an authentication access device.
▫ An administrator does not know access positions of users, making fault locating
difficult.
▫ The gateway cannot detect user logout in real time, and the detection process
increases workload on the gateway.
• User login process:
1. The authentication control device establishes a CAPWAP tunnel with the
authentication access device.
2. When detecting the access of a new user, the authentication access device creates a
user association entry to record basic information such as the user and access
interface.
3. The authentication access device sends a user association request to the
authentication control device.
4. The authentication control device creates a user association entry to save the
mapping between the user and authentication access device, and sends a user
association response to notify the authentication access device of successful
association.
5. The user initiates an authentication request to the authentication control device. The
authentication access device forwards the authentication packets between the user
and authentication control device.
6. The authentication control device deletes the user association entry. When the
authentication succeeds, the authentication control device generates a complete
user entry, and sends a user authorization request to the authentication access
device, and delivers the network access policy for the user.
7. The authentication access device updates the user association entry, grants the
specified network access rights to the user, and sends a user authorization response
to the authentication control device.
8. The user accesses the specified network resources.
• Decoupling of service policies from IP addresses
▫ iMaster NCE introduces the concept of security group. Administrators can
dynamically allocate end users to different security groups based on 5W1H
conditions in the authentication process and define control policies based on security
groups on switches. When a policy enforcement point (switch) matches service
packets with a given policy, it first matches the source/destination security group
based on the source/destination IP address of the packets, and then matches the
inter-group policy predefined by the administrator based on the source/destination
security group of the packets.
▫ With this innovative solution, all user- and IP address-based service policies on
traditional networks can be migrated to security group-based ones. When
predefining service policies, administrators do not need to consider the IP addresses
actually used by users, implementing complete decoupling between service policies
and IP addresses.
• Centralized management of user information
▫ iMaster NCE can centrally manage user authentication and onboarding information
and obtain the mappings between network-wide users and IP addresses.
• Centralized policy management
▫ iMaster NCE is not only the authentication center of the campus network, but also
the management center of service policies. Administrators can manage network-
wide policies on the iMaster NCE web UI. Service policies can be automatically
delivered to network-wide policy enforcement points after being configured only
once.
• Additional information about the policy enforcement point
▫ The policy enforcement point is responsible for enforcing security group-based
service policies. To enforce these service policies, the policy enforcement point must
be able to identify the source/destination security group information of packets. The
mapping between IP addresses and security groups can be obtained through
authentication, static configuration, or push by iMaster NCE.
▫ The authentication point and policy enforcement point are two device roles. Based
on the administrator's configuration and device capabilities, a physical device can
play either or both of the two roles.
• The administrator can define users and security groups on iMaster NCE in a unified
manner. Security groups can be defined based on network services for configuring
inter-group control policies.
• The administrator defines inter-group control policies in a matrix on iMaster NCE and
deploys the policies on policy enforcement points as needed.
• When a user is being authenticated, iMaster NCE associates the user with a security
group based on the user login conditions. After the user is authenticated successfully,
iMaster NCE delivers the authorization result containing the security group to which
the user belongs to the authentication point. During 802.1X authentication, if a
terminal has not obtained an IP address, the authentication point automatically detects
the actual IP address of the user after the user is successfully authenticated and
obtains an IP address, and reports the user's actual IP address to iMaster NCE.
• A user sends service traffic. When a packet reaches the policy enforcement point, the
device identifies the security group that matches the source and destination IP
addresses of the packet and enforces the corresponding inter-group policy.
• When the authentication point and policy enforcement point are separated, the policy
enforcement point needs to obtain the mapping between terminal IP addresses and
security groups (that is, IP-security group entries) to identify the source and destination
security groups of traffic during policy enforcement. Therefore, users need to configure
the IP-security group entry subscription function for the specific device. After the
configuration is complete, iMaster NCE pushes IP-security group entries to the device in
real time so that the device can obtain the security group information about an end
user even if the user is not authenticated on the device.
• Answers:
1. D
2. ACD
• According to the free-space signal attenuation model, the signal strength is
related to the frequency and distance. A higher frequency indicates a larger
signal attenuation. As the distance increases, the signal attenuation increases.
• Radio calibration is triggered when a new AP is connected to the network, an AP
is out of service, or the external radio environment deteriorates.
• In addition to radio calibration, channel adjustment can also be used in dynamic
frequency selection (DFS). In some regions, radar systems work on the 5 GHz
frequency band, which may interfere with radio signals of APs working on the 5
GHz frequency band. The DFS function enables APs to automatically switch to
other channels when they detect interference on their working channels.
• An AP's transmit power determines its radio coverage area. APs with higher
power have larger coverage areas. A traditional method to control the radio
power is to set the transmit power to the maximum value to maximize the radio
coverage area. However, a high transmit power level may cause interference with
other wireless devices. Therefore, the optimal power is required to balance the
coverage range and signal quality.

• Power adjustment enables APs to dynamically adjust their transmit power based
on the real-time radio environment.
• The DFA algorithm is used to automatically identify and adjust redundant 2.4
GHz radios. This algorithm processes a redundant radio as follows:
▫ After identifying a redundant radio, the DCA algorithm switches the radio to
the 5 GHz or monitor mode based on the channels, bandwidth, and
interference of other radios on the network.
▫ After the redundant radio is switched to the 5 GHz mode, it works on the
default 5 GHz channel. In this case, the DCA algorithm is used again to adjust
the radio channel.
▫ During this process, if a coverage hole is detected on 2.4 GHz radios, the 5
GHz radio is switched back to the 2.4 GHz mode.
▫ If the WAC restarts, the APs go online again with the original configurations
before the WAC restart, including the channel, power, frequency band, and
radio status. If an AP goes online after a long period of time, the WAC
determines redundant radios and allocates bands to radios again.
▫ When the DFA function is disabled, the redundant radio configuration is
restored. For example, the radio in 5 GHz or monitor mode will be restored to
the 2.4 GHz mode.
• Redundant radios on a WLAN not only generate co-channel interference but also
waste the network capacity. Therefore, the following policies are available to
process redundant radios:
▫ Switching to the 5 GHz mode: If 5 GHz channel resources are available, a
redundant radio can be switched to the 5 GHz mode, increasing the maximum
capacity of 5 GHz radios.
▫ Switching to the monitor mode: If no more 5 GHz channel resources are
available, a redundant radio can be switched to the monitor mode and used
for scanning services.
DBS algorithm:
• In indoor non-high-density deployment scenarios (AP spacing: 10 m to 15 m), the
DBS algorithm can automatically identify service priorities, service throughput,
and interference, and adaptively switch channels and bandwidth, improve
network throughput, and ensure the quality of core services. The algorithm takes
effect in the following ways:
▫ Groups available 5 GHz channels based on the capability of forming 80 MHz
or 40 MHz channels.
▫ Sorts APs by topology distance.
▫ Assigns primary channels based on factors such as the interference index,
bandwidth fulfillment, channel isolation degree, and channel reuse index.
▫ Upgrades 20 MHz channels to 40 MHz or 80 MHz for APs in the assignment
sequence.
• Radio calibration process:
▫ After global radio calibration is enabled on the WAC, the WAC instructs each
AP to perform neighbor probing periodically.
▫ The APs perform neighbor probing periodically.
▫ All APs report the probing results to the WAC.
▫ After the WAC receives neighbor information reported by all APs, it uses the
global radio calibration algorithm to allocate channels to the APs and adjust
the power of the APs.
▫ The WAC delivers calibration results to the APs. After the WAC implements
global radio calibration for the first time, it starts the next global radio
calibration until it receives neighbor information from all APs. The WAC
continuously implements global radio calibration to obtain optimal and
accurate calibration results.
• On live networks, most STAs support both 2.4 GHz and 5 GHz frequency bands.
When attempting to join a WLAN, some of the STAs associate with the 2.4 GHz
radio of APs by default. As a result, the 2.4 GHz frequency band with fewer
channels is congested, heavily-loaded, and has severe interference. The 5 GHz
frequency band with more channels and less interference is not well used. When
the 2.4 GHz frequency band has a large number of users or severe interference,
the 5 GHz frequency band can provide better access services for wireless users.
Users must manually select the 5 GHz radio to connect to it.

• Band steering involves two phases:
• 5G-prior access
▫ A STA preferentially accesses the 5 GHz frequency band before the number of
access STAs on an AP reaches the start threshold for 5G-prior access during
band steering.
• Intra-AP load balancing
▫ If the number of access STAs on an AP exceeds the start threshold for 5G-prior
access, new STAs and some 5 GHz STAs are steered to the 2.4 GHz radio of
the AP, implementing load balancing between different radios of the AP.
• If an AP does not receive any response from a STA after three attempts regarding
the instruction of connecting to the 5 GHz frequency band, the AP will send a
request to the STA, instructing it to connect to the 2.4 GHz frequency band.
• If an AP always steers 5 GHz STAs to its 5 GHz radio without comparing loads on
the 2.4 GHz and 5 GHz frequency bands, the 5 GHz frequency band may be
heavily loaded while the 2.4 GHz frequency band may be lightly loaded. Huawei
provides the band steering feature to achieve load balancing between the 2.4
GHz and 5 GHz radios. After band steering is enabled, an AP determines whether
to preferentially steer STAs to the 5 GHz or 2.4 GHz radio based on loads on the
two radios.
▫ The AP first checks whether the number of access STAs on the AP exceeds the
start threshold for load balancing. If not, the STA can preferentially access the
5 GHz radio.
▫ If the number of access STAs exceeds the start threshold for load balancing,
the AP calculates the load difference between the two radios using the
following formula: (Number of access STAs on the 5 GHz radio – Number of
access STAs on the 2.4 GHz radio)/Number of access STAs on the 5 GHz radio
x 100%. The AP compares the load difference with the load difference
threshold for load balancing between radios, and then determines the radio to
which the STA can connect.
• For example, after band steering is enabled for an AP, if a STA requests to
associate with the AP at the 2.4 GHz radio but the number of access STAs on the
2.4 GHz radio has exceeded the start threshold for load balancing, the AP
implements load balancing between the 2.4 GHz and 5 GHz radios based on the
load difference between the radios. If the value calculated using the formula
[(Number of access STAs on the 5 GHz radio – Number of access STAs on the 2.4
GHz radio)/Number of access STAs on the 5 GHz radio x 100%] is greater than
the load difference threshold for load balancing between radios, the AP
preferentially steers the STA to the 2.4 GHz radio; otherwise, the AP preferentially
steers the STA to the 5 GHz radio.
• On large- and medium-sized WLANs, some APs have a large number of STAs
connected, while some other APs have a small number of STAs connected. Since
the Wi-Fi air interface provides contention-based multi-address access services,
more access STAs on the same radio cause higher contention overheads, lower
air interface throughput, and poorer user experience. This means that deploying
more APs cannot improve user experience.
• If a lightly-loaded AP does not receive any response from a STA regarding its
association requests for three consecutive times, another heavily-loaded AP will
send an association request to the STA.
• Static load balancing can be implemented when the following conditions are
met:
▫ An AP radio can join only one load balancing group. The APs in the above
figure are single-band APs. That is, each AP has only one 2.4 GHz or 5 GHz
radio. If an AP has multiple radios, traffic is load balanced among radios on
the same frequency band. This means that a dual-band AP can join two load
balancing groups.

▫ Each load balancing group supports a maximum of 16 members.
• In dynamic load balancing mode, before a STA goes online, it broadcasts Probe
Request frames to scan surrounding APs. APs that receive the Probe Request
frames report the STA information to the WAC. The WAC adds all the APs that
report the STA information to a dynamic load balancing group and then uses the
load balancing algorithm to determine whether to permit access of the STA. In
static load balancing mode, a load balancing group supports a limited number of
members, and all members must be manually added to the group and on the
same frequency band. Dynamic load balancing overcomes these limitations.
• In load balancing, a WAC calculates the load percentage of each radio in a load
balancing group using the formula: Load percentage of a radio = (Number of
STAs associated with the radio/Maximum number of associated STAs supported
by the radio) x 100%. The WAC compares load percentages of all radios in the
load balancing group and obtains the smallest load percentage value. When a
STA requests to associate with an AP radio, the WAC calculates the difference
between the radio's load percentage and the smallest load percentage value and
compares the load difference with the load difference threshold (configured
using a command). If the load difference is smaller than the threshold, the WAC
allows the STA to associate with the radio. If not, the WAC denies the association
request from the STA. If the STA continues sending association requests to the
AP, the WAC allows the STA to associate with the radio when the number of
association requests sent by the STA exceeds the maximum number configured
on the WAC.
• In the formula, the value of "Maximum number of associated STAs supported by
the radio" depends on the AP type, which can be obtained using the display
ap-type command. The value of the Maximum station number field in the
command output is the maximum number of associated STAs supported by the
radio.
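• As an added example (not from the course notes), the two load-balancing decisions described above, the 2.4 GHz/5 GHz steering formula and the dynamic load balancing group check on the WAC, written as plain Python so the formulas can be checked on sample numbers. All STA counts, radio names, thresholds and the attempt limit are constructed values; the handling of an empty 5 GHz radio (where the formula would divide by zero) is an assumption.

```python
"""Load balancing decisions from the course notes, as checkable functions.
Constructed sample values throughout; not vendor code."""

from dataclasses import dataclass, field


def steer_band(sta_5g: int, sta_2g: int, threshold_pct: float) -> str:
    """Load balancing between the 2.4 GHz and 5 GHz radios of one AP.

    Load difference = (STAs on 5 GHz - STAs on 2.4 GHz) / STAs on 5 GHz x 100%.
    Above the inter-radio threshold the AP prefers 2.4 GHz, otherwise 5 GHz."""
    if sta_5g == 0:
        # The formula divides by the 5 GHz count; with an empty 5 GHz radio
        # that radio is the obvious choice (assumption, not stated in the notes).
        return "5G"
    diff_pct = (sta_5g - sta_2g) / sta_5g * 100
    return "2.4G" if diff_pct > threshold_pct else "5G"


@dataclass
class Radio:
    name: str
    associated: int     # STAs currently associated with the radio
    max_stations: int   # "Maximum station number" from display ap-type

    @property
    def load_pct(self) -> float:
        return self.associated / self.max_stations * 100


@dataclass
class LoadBalancingGroup:
    """Dynamic load balancing group as seen by the WAC."""
    radios: dict                 # radio name -> Radio
    threshold_pct: float         # load difference threshold (WAC command)
    max_attempts: int            # retries after which the WAC admits anyway
    attempts: dict = field(default_factory=dict)  # (sta, radio) -> count

    def admit(self, sta_mac: str, radio_name: str) -> bool:
        radio = self.radios[radio_name]
        lowest = min(r.load_pct for r in self.radios.values())
        key = (sta_mac, radio_name)
        self.attempts[key] = self.attempts.get(key, 0) + 1
        if radio.load_pct - lowest < self.threshold_pct:
            accepted = True
        else:
            # Denied for load reasons, unless the STA has already sent more
            # than max_attempts association requests; then it is admitted.
            accepted = self.attempts[key] > self.max_attempts
        if accepted:
            radio.associated += 1
            self.attempts.pop(key, None)
        return accepted


def sample_group() -> LoadBalancingGroup:
    """Constructed group: three 64-STA radios at different loads, threshold 20%."""
    radios = {n: Radio(n, a, 64)
              for n, a in (("ap1-5g", 10), ("ap2-5g", 2), ("ap3-5g", 30))}
    return LoadBalancingGroup(radios=radios, threshold_pct=20, max_attempts=3)


if __name__ == "__main__":
    print(steer_band(10, 4, 50))          # 2.4G: 60% difference exceeds 50%
    g = sample_group()
    print([g.admit("sta-b", "ap3-5g") for _ in range(4)])
```

The attempt counter is the part worth noticing: a STA that keeps retrying is admitted to the loaded radio once it exceeds the configured count, so the balancing is a preference rather than a hard cap.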
• If non-Wi-Fi devices (such as Bluetooth devices and microwave ovens) that work
on the ISM frequency band are present, they cause severe interference to WLAN
communication and WLAN performance deteriorates. Therefore, interference from
non-Wi-Fi devices needs to be eliminated on WLANs. Ensure that no such devices
remain in the WLAN environment for a long time.
• 802.11 wireless technology has been widely used on home, SOHO, and enterprise
networks. Users can easily access the Internet over WLANs. The 802.11 wireless
technology uses public spectrum resources, which are also used by Bluetooth
devices, cordless phones, and many other wireless devices. Consequently, severe
radio signal conflicts and interference occur on WLANs, resulting in poor user
experience.
• Spectrum analysis allows WLAN devices to identify and display interference
sources, so that users can locate the interference sources and eliminate
interference, improving user experience.
• The biggest advantage of a WLAN is that STAs can move within the WLAN
without physical media restrictions. WLAN roaming allows STAs to move within a
WLAN without service interruption.
• Multiple APs are located within an extended service set (ESS). When a STA moves
from one AP to another, WLAN roaming ensures seamless transition of STA
services between APs.
• WLAN roaming aims to achieve the following goals:
▫ Prevent packet loss or service interruption caused by a long authentication
duration during roaming.
The packet exchange duration of 802.1X or portal authentication is longer
than the WLAN connection setup duration; therefore, STAs will not be re-
authenticated or re-negotiate keys after they roam to another AP.
▫ Ensure that STAs' authorization information does not change.
Users' authentication and authorization information is their "passports" on
WLANs; therefore, after they roam, their authentication and authorization
information must be the same as that stored on the WAC.
▫ Ensure that STAs' IP addresses do not change.
Application-layer protocol packets are transmitted using IP addresses and
TCP/UDP sessions. STAs' IP addresses must be unchanged after roaming, so
that the corresponding TCP/UDP sessions are not interrupted and application-
layer data can be forwarded properly.
The roaming technology synchronizes authentication, authorization, and PMK
information to shorten the authentication duration and keep authentication
and authorization information consistent.
• Relevant concepts:
▫ HAC: WAC in a mobility group with which a STA associates before roaming
▫ HAP: AP in a mobility group with which a STA associates before roaming
▫ FAC: WAC with which a STA associates after roaming
▫ FAP: AP with which a STA associates after roaming
• Intra-WAC roaming: A STA associates with the same WAC before and after
roaming.
• Inter-WAC roaming: A STA associates with different WACs before and after
roaming.
• Layer 2 roaming: When a STA moves between APs, the STA disconnects from the
currently associated AP and connects to another AP. This process is called
roaming. The service VLAN and gateway of the APs remain unchanged before
and after STA roaming.
• Layer 3 roaming: The service VLANs of the SSIDs are different before and after
roaming, and APs provide different Layer 3 service networks with different
gateways. In this case, to ensure that the IP address of a roaming STA remains
unchanged, the STA's traffic needs to be sent back to the AP on the initial access
network segment to implement inter-VLAN roaming.
• In some cases, two subnets have the same VLAN ID but belong to different
network segments. Based only on the VLAN ID, the system may incorrectly
consider that a STA roams at Layer 2 when the STA roams between two subnets.
To prevent this, a roaming domain can be configured to determine whether the
STA roams within the same subnet. A STA is considered roaming at Layer 2 only
when the STA roams within the same VLAN and the same roaming domain;
otherwise, the STA roams at Layer 3.
• Intra-WAC roaming: A STA roams between APs connected to the same WAC. As
shown in the above figure, intra-WAC roaming occurs when the STA roams from
the HAP to the FAP.
Mobility server

• When a STA roams between WACs, a WAC is selected as the mobility server to
maintain the membership table of the mobility group and delivers member
information to other WACs in the group. In this way, WACs in the same mobility
group can identify each other and set up inter-WAC tunnels.
▫ The mobility server can be a WAC outside or inside a mobility group.
▫ A WAC can function as the mobility server of multiple mobility groups, but can
be added only to one mobility group.
▫ A mobility server managing other WACs in a mobility group cannot be
managed by another mobility server. That is, if a WAC functions as a mobility
server to synchronize roaming configurations to other WACs in a mobility
group, it cannot be managed by another mobility server or synchronize
roaming configurations from other WACs.
▫ As a centralized configuration point, a mobility server must be able to
communicate with all managed WACs but does not need to provide high data
forwarding capabilities.
• STAs stay in the same subnet before and after Layer 2 roaming. The FAP or FAC
forwards packets of Layer 2 roaming STAs in the same way as that it forwards
packets of new access STAs. That is, the FAP or FAC forwards the packets on the
local network, but does not send the packets back to the HAP over the inter-
WAC tunnel.
• STAs move from one subnet to another during Layer 3 roaming. To allow the
STAs to access the original network after roaming, ensure that their traffic is
forwarded to the original subnet over CAPWAP tunnels.
• In tunnel forwarding mode, service packets exchanged between the HAP and
HAC are encapsulated in the CAPWAP tunnel, and the HAP and HAC can be
considered in the same subnet. Instead of forwarding the packets back to the
HAP, the HAC directly forwards the packets to the upper-layer network.
• In direct forwarding mode, service packets exchanged between the HAP and HAC
are not encapsulated in the CAPWAP tunnel; therefore, whether the HAP and
HAC reside in the same subnet cannot be determined. Packets are sent back to
the HAP for forwarding by default. If the HAP and HAC reside in the same
subnet, the HAC with higher performance can be configured as the home agent.
This reduces traffic load on the HAP and improves data forwarding efficiency.
1. When a STA is connected to the Internet through AP1 for the first time, the STA
is authenticated by the WAC and a PMK is generated. The STA and WAC save
the PMK. Each PMK has a PMK-ID, which is calculated based on the PMK, SSID,
STA's MAC address, and BSSID.
2. During roaming, the STA sends AP2 a Reassociation Request frame that carries
the PMK-ID.
3. After receiving the Reassociation Request frame, AP2 notifies the WAC that the
STA needs to roam from AP1 to AP2.
4. The WAC searches the PMK caching table for the PMK corresponding to the STA
based on the PMK-ID in the Reassociation Request frame. If the matched PMK is
found, the WAC considers that the STA has passed 802.1X authentication and
uses the cached PMK for key negotiation.
Intra-WAC 802.11r fast roaming:
1. When a STA is connected to the network through AP1 for the first time, the STA
is authenticated by the WAC and a PMK is generated.
▫ Based on the PMK, the WAC generates PMK-R0 (calculated based on the SSID,
MDID, WAC's MAC address, and STA's MAC address) and each AP's PMK-R1
(calculated based on PMK-R0, AP's MAC address, and STA's MAC address),
and delivers PMK-R1 to AP1.
▫ The STA and WAC generate and install a pairwise transient key (PTK) and a
group temporal key (GTK) through four-way and two-way handshakes,
respectively.
2. During roaming, the STA initiates an FT authentication request to AP2 and
delivers PMK-R1 to AP2.
3. After receiving the request, AP2 generates and installs a PTK based on PMK-R1
and information contained in the request. At the same time, AP2 starts the
reassociation timer, and sends an FT authentication response to the STA.
4. After receiving the response, the STA generates and installs a PTK based on the
information contained in the response. Then the STA sends a reassociation
request to AP2.
5. After receiving the reassociation request, AP2 stops the reassociation timer, and
then sends a reassociation response to the STA.
6. After receiving the response, the STA completes roaming.
Inter-WAC 802.11r fast roaming:
1. When a STA is connected to the network through AP1 for the first time, the STA
is authenticated by WAC1 and a PMK is generated.
▫ Based on the PMK, WAC1 generates PMK-R0 (calculated based on the SSID,
MDID, WAC1's MAC address, and STA's MAC address) and AP1's PMK-R1
(calculated based on PMK-R0, AP1's MAC address, and STA's MAC address),
and delivers PMK-R1 to AP1.
▫ The STA and WAC1 generate and install a PTK and a GTK through four-way
and two-way handshakes, respectively.
▫ WAC1 synchronizes the PMK information to WAC2 through the inter-WAC
tunnel.
▫ WAC2 generates PMK-R0 and PMK-R1 corresponding to AP2 based on the
PMK, and delivers PMK-R1 to AP2.
2. During roaming, the STA initiates an FT authentication request to AP2.
3. After receiving the request, AP2 generates and installs a PTK based on PMK-R1
and information contained in the request. At the same time, AP2 starts the
reassociation timer, and sends an FT authentication response to the STA.
4. After receiving the response, the STA generates and installs a PTK based on the
information contained in the response. Then the STA sends a reassociation
request to AP2.
5. After receiving the reassociation request, AP2 stops the reassociation timer, and
then sends a reassociation response to the STA.
6. After receiving the response, the STA completes roaming.
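• As an added example (not from the course notes or any vendor implementation), the PMK caching lookup and the 802.11r key hierarchy described in the steps above, modelled in Python. It derives PMK-ID from the fields the notes list (PMK, SSID, STA MAC, BSSID), PMK-R0 from (PMK, SSID, MDID, WAC MAC, STA MAC) and PMK-R1 from (PMK-R0, AP MAC, STA MAC), then shows that on roaming the WAC hands AP2 its own PMK-R1 while the STA derives the same value locally, so both sides reach one PTK without a new 802.1X exchange. The derivation function is an HMAC-SHA256 stand-in chosen for the example, not the KDF of the IEEE 802.11 standard; all MAC addresses, the SSID, the MDID and the nonces are constructed.

```python
"""PMK caching and 802.11r (FT) key hierarchy walkthrough. The KDF below is a
stand-in for the example only; identifiers are constructed sample values."""

import hashlib
import hmac

SSID = "corp-wlan"                  # constructed
MDID = b"\x12\x34"                  # mobility domain ID, constructed
WAC_MAC = "00:11:22:00:00:01"       # constructed
AP1_MAC = "00:11:22:aa:aa:01"       # constructed
AP2_MAC = "00:11:22:aa:aa:02"       # constructed
STA_MAC = "e8:7f:95:00:00:42"       # constructed


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def kdf(key: bytes, label: str, *fields: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over a label and fields. Stand-in KDF,
    chosen so the hierarchy can be exercised; not the 802.11 KDF."""
    mac = hmac.new(key, label.encode(), hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()


def pmkid(pmk: bytes, ssid: str, sta_mac: str, bssid: str) -> bytes:
    """PMK-ID from the inputs the notes list (truncated to 16 bytes)."""
    return kdf(pmk, "PMK-ID", ssid.encode(), mac_bytes(sta_mac), mac_bytes(bssid))[:16]


def pmk_r0(pmk: bytes, ssid: str, mdid: bytes, wac_mac: str, sta_mac: str) -> bytes:
    return kdf(pmk, "PMK-R0", ssid.encode(), mdid, mac_bytes(wac_mac), mac_bytes(sta_mac))


def pmk_r1(r0: bytes, ap_mac: str, sta_mac: str) -> bytes:
    return kdf(r0, "PMK-R1", mac_bytes(ap_mac), mac_bytes(sta_mac))


def ptk(r1: bytes, ap_mac: str, sta_mac: str, anonce: bytes, snonce: bytes) -> bytes:
    return kdf(r1, "PTK", mac_bytes(ap_mac), mac_bytes(sta_mac), anonce, snonce)


class WAC:
    """Controller side: keeps the PMK per STA and a PMK-ID cache, and gives
    each AP only the PMK-R1 bound to that AP's MAC address."""

    def __init__(self, wac_mac: str):
        self.wac_mac = wac_mac
        self.pmk_by_sta = {}
        self.pmk_cache = {}          # PMK-ID -> (STA MAC, PMK)

    def first_association(self, sta_mac: str, pmk: bytes, ap_mac: str) -> bytes:
        """Step 1: after 802.1X the PMK exists. Cache it under its PMK-ID and
        return PMK-R1 for the first AP."""
        self.pmk_by_sta[sta_mac] = pmk
        self.pmk_cache[pmkid(pmk, SSID, sta_mac, ap_mac)] = (sta_mac, pmk)
        return self.r1_for(sta_mac, ap_mac)

    def r1_for(self, sta_mac: str, ap_mac: str) -> bytes:
        r0 = pmk_r0(self.pmk_by_sta[sta_mac], SSID, MDID, self.wac_mac, sta_mac)
        return pmk_r1(r0, ap_mac, sta_mac)

    def lookup_pmk(self, pmk_id: bytes):
        """PMK caching step 4: a hit means the STA already passed 802.1X."""
        entry = self.pmk_cache.get(pmk_id)
        return entry[1] if entry else None


def sta_r1(pmk: bytes, sta_mac: str, ap_mac: str) -> bytes:
    """STA side: derive PMK-R1 for the target AP from its own copy of the PMK."""
    return pmk_r1(pmk_r0(pmk, SSID, MDID, WAC_MAC, sta_mac), ap_mac, sta_mac)


def fast_roam(wac: WAC, pmk: bytes, sta_mac: str, ap_mac: str,
              anonce: bytes, snonce: bytes):
    """FT exchange to ap_mac: AP installs a PTK from the WAC-delivered PMK-R1,
    STA from its locally derived PMK-R1. Returns (AP PTK, STA PTK)."""
    ap_ptk = ptk(wac.r1_for(sta_mac, ap_mac), ap_mac, sta_mac, anonce, snonce)
    sta_ptk = ptk(sta_r1(pmk, sta_mac, ap_mac), ap_mac, sta_mac, anonce, snonce)
    return ap_ptk, sta_ptk


if __name__ == "__main__":
    pmk = bytes(range(32))                      # constructed PMK
    wac = WAC(WAC_MAC)
    wac.first_association(STA_MAC, pmk, AP1_MAC)
    ap_ptk, sta_ptk = fast_roam(wac, pmk, STA_MAC, AP2_MAC, b"A" * 32, b"S" * 32)
    print("PTKs match after roaming:", ap_ptk == sta_ptk)
```

Two properties of the hierarchy are visible in the model: PMK-R1 differs per AP because the AP MAC is an input, so an AP only ever holds the key bound to itself, and the PMK itself never leaves the WAC and the STA.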
• Different applications have different network requirements. Traditional WLANs
are mainly used to transmit data due to a low transmission rate.
• With the development of new WLAN technologies, WLANs have been widely
applied to media, financial service, education, and enterprise sectors. In addition
to data traffic, WLANs also transmit delay-sensitive multimedia data, such as
voice and video data.
• By enforcing QoS policies on a WLAN, a network administrator can properly plan
and assign network resources based on service characteristics. The WLAN then
provides differentiated access services for different applications, meeting user
requirements and improving network resource utilization.
• WMM is a major wireless QoS protocol that enables high-priority packets to be
sent preferentially, providing better quality for voice and video services on
WLANs.
• The UP indicates the priority of 802.11 packets. It is carried in the QoS field of the
MAC header of 802.11 packets. The UP ranges from 0 to 7. WMM defines the
mapping between ACs and UPs. WMM classifies packets into four ACs, each of
which maps to two UPs. An AP determines the AC of a data packet based on the
UP in the packet, and then forwards the packet according to the AC.
• A higher-priority AC queue has a higher capability of occupying a channel than a
lower-priority AC queue. In this way, different AC queues can obtain different
levels of services.
• Generally, the ACs of voice and video services in video conferences are AC_VO
and AC_VI, respectively, and the AC of voice and video services of social apps is
AC_BE.
• WMM defines a set of EDCA parameters for each AC. The following describes the
EDCA parameters:
▫ AIFSN: In 802.11 protocols, the DCF interframe space (DIFS) has a fixed value.
WMM allows configuration of different DIFS values for different ACs. A larger
AIFSN value indicates a longer waiting time for a STA.
▫ ECWmin and ECWmax: They together determine the average backoff time.
Larger ECWmin and ECWmax values mean a longer average backoff time for
a STA.
▫ TXOPLimit: determines the maximum duration in which a STA can occupy a
channel each time. A larger value indicates a longer duration. If this
parameter is set to 0, a STA can send only one packet each time it occupies a
channel.
▫ WMM defines two ACK policies: normal ACK and no ACK.
▪ The no ACK policy is applicable to environments with high communication
quality and little interference. The receiver does not need to return ACK
frames after receiving packets. The no ACK policy can effectively improve
the packet transmission efficiency. However, if the no ACK policy is used in
an environment with poor communication quality, the sender does not
retransmit packets even if the receiver does not receive them. As a
result, the packet loss rate is high.
▪ The normal ACK policy indicates that the receiver must return an ACK
frame each time it receives a unicast packet.
• The AIFSN determines the channel idle time. A greater AIFSN value indicates a
longer channel idle time. Different AIFSN values can be configured for different
ACs.
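• As an added example (not from the course notes), the WMM UP-to-AC classification and the EDCA timing relationships described above, in Python: AIFS grows with AIFSN, the contention window and therefore the average backoff grow with ECWmin/ECWmax (and with retries up to ECWmax), and a TXOPLimit of 0 allows one frame per channel access. It goes slightly beyond the text by ranking all four ACs by expected channel-access wait for any retry count. The UP-to-AC mapping is the one WMM defines; the slot and SIFS values (9 µs and 16 µs, as for a 5 GHz OFDM radio) and the EDCA parameter set are assumptions chosen for the example.

```python
"""WMM/EDCA relationships from the notes, as checkable functions. Timing
constants and the EDCA parameter set are assumed sample values."""

from dataclasses import dataclass

SLOT_US = 9      # slot time assumed for a 5 GHz OFDM radio
SIFS_US = 16     # SIFS assumed for a 5 GHz OFDM radio

# WMM: four ACs, each fed by two UPs (UP 0 and 3 share AC_BE, 1 and 2 AC_BK).
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


def classify(up: int) -> str:
    """AC an AP queues a frame in, from the UP in its QoS control field."""
    if up not in UP_TO_AC:
        raise ValueError("UP must be 0..7")
    return UP_TO_AC[up]


@dataclass(frozen=True)
class EdcaParams:
    aifsn: int
    ecw_min: int
    ecw_max: int
    txop_limit_us: int     # 0 means one frame per channel access

    @property
    def aifs_us(self) -> float:
        # AIFS = SIFS + AIFSN x slot: a larger AIFSN means a longer idle wait
        return SIFS_US + self.aifsn * SLOT_US

    def contention_window(self, retries: int = 0) -> int:
        # CW = 2^ECW - 1; ECW doubles the window per retry until ECWmax
        return (1 << min(self.ecw_min + retries, self.ecw_max)) - 1

    def mean_backoff_us(self, retries: int = 0) -> float:
        # backoff counter is uniform in [0, CW] slots, so the mean is CW/2 slots
        return self.contention_window(retries) / 2 * SLOT_US

    def mean_wait_us(self, retries: int = 0) -> float:
        """Expected idle time before transmission: AIFS plus mean backoff."""
        return self.aifs_us + self.mean_backoff_us(retries)

    def frames_in_txop(self, frame_airtime_us: float) -> int:
        """Frames the STA may send per channel access (assumed: whole frames
        that fit in the limit; TXOPLimit 0 means exactly one)."""
        if self.txop_limit_us == 0:
            return 1
        return int(self.txop_limit_us // frame_airtime_us)


# Constructed sample parameter set with the WMM pattern: VO/VI wait less and
# may send several frames per TXOP, BE/BK wait longer and send one.
SAMPLE_EDCA = {
    "AC_VO": EdcaParams(aifsn=2, ecw_min=2, ecw_max=3, txop_limit_us=1504),
    "AC_VI": EdcaParams(aifsn=2, ecw_min=3, ecw_max=4, txop_limit_us=3008),
    "AC_BE": EdcaParams(aifsn=3, ecw_min=4, ecw_max=10, txop_limit_us=0),
    "AC_BK": EdcaParams(aifsn=7, ecw_min=4, ecw_max=10, txop_limit_us=0),
}


def rank_by_mean_wait(params=SAMPLE_EDCA, retries: int = 0) -> list:
    """ACs ordered from quickest to slowest expected channel access."""
    return sorted(params, key=lambda ac: params[ac].mean_wait_us(retries))


if __name__ == "__main__":
    for ac in rank_by_mean_wait():
        p = SAMPLE_EDCA[ac]
        print(f"{ac}: AIFS {p.aifs_us} us, mean wait {p.mean_wait_us()} us")
```

With this parameter set the ranking is AC_VO, AC_VI, AC_BE, AC_BK, and it stays that way after repeated retries because AC_VO and AC_VI cap their window at a small ECWmax while AC_BE and AC_BK keep growing towards 2^10 - 1 slots.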
• In the uplink direction, the STA converts 802.3 frames sent by its wireless network
adapter into 802.11 frames. After receiving 802.11 frames from the STA, the AP
performs priority mapping for the 802.11 frames as follows:
▫ Maps UPs of 802.11 frames to DSCP or 802.1p priorities of 802.3 frames.
▫ Maps DSCP priorities of 802.11 frames to DSCP priorities of 802.3 frames.
• In the downlink direction, the WAC forwards 802.3 frames received from the
Internet to the AP directly or through the CAPWAP tunnel. After receiving the
802.3 frames, the AP maps the DSCP or 802.1p priorities of the 802.3 frames to
UPs of 802.11 frames and then sends the 802.11 frames to the STA.
• On a WLAN, STAs' actual packet transmission rates differ greatly due to different
radio modes supported by the STAs or radio environments where the STAs reside.
If the STAs with lower packet transmission rates occupy channels for a long time,
user experience on the entire WLAN is affected.
• To ensure that the user who accesses the network first can occupy the channel
for data transmission subsequently and all access users have the same weight for
channel occupation, the device periodically clears all users' channel occupation
time.
• After WMM is enabled on the device and STAs, user packets are scheduled based
on service types (including VI, VO, BE, and BK). For example, voice packets are
only scheduled together with other voice packets, and video packets are only
scheduled together with other video packets.
• The two application scenarios differ in service deployment. Voice or video service
optimization can be deployed only on WACs and takes effect only for services
forwarded through CAPWAP tunnels. QoS policies can be configured for
applications except voice and video applications. The SAC function can be
configured on different devices based on the data forwarding mode.
• In high-density scenarios (such as exhibition halls and stadiums), a limit is usually
imposed on the maximum number of users who can associate with a radio and
VAP so as to improve user experience. In addition, preferential access of VIP users
is deployed to ensure that new VIP users can still access the network even if the
number of access users has reached the threshold. This function improves user
experience of VIP users.
• Identification of VIP users
▫ A device identifies users in the VIP user group as VIP users. The priority field is
added to the user authorization structure. After users are added to the VIP
user group and the authorization information is delivered to the VIP user
group, users in the VIP user group inherit the priority of the VIP user group.
• Preferential access of VIP users
▫ After preferential access of VIP users is configured on a device, if the number
of access users on a VAP reaches the maximum or the user Call Admission
Control (CAC) threshold, the network access attempt of a new user will
undergo the following process: The user will first be authenticated. Then the
system checks whether the user is a VIP user in the authorization phase. If the
user is a VIP user, the system forcibly disconnects an online non-VIP user and
allows the VIP user to access the network. If the user is not a VIP user, the
system denies the user's network access attempt.
▫ In Portal authentication scenarios, priorities of users in pre-connection state
cannot be determined. These users are considered high-priority users and will
not be forcibly disconnected when VIP users attempt to access the WLAN.
• Preferential service guarantee for VIP users
▫ After a user is identified as a VIP user in the user authorization process:
▪ The user's services will not be rate-limited.
▪ The user's services will be scheduled preferentially.
▪ The service priority will be re-marked.
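• As an added example (not from the course notes or any device implementation), the admission decision described above for a VAP that has reached its user limit: a new non-VIP user is denied, a new VIP user causes one online non-VIP user to be disconnected, and Portal users still in pre-connection state are never chosen because their priority is unknown and treated as high. The VAP, its limit and the users are constructed; what happens when no eligible non-VIP user exists is not stated in the notes and is handled by an assumption marked in the code.

```python
"""VIP preferential access on a full VAP, modelled in Python. Constructed
sample users; behaviour beyond the notes is marked as an assumption."""

from dataclasses import dataclass


@dataclass
class User:
    mac: str
    vip: bool = False
    pre_connection: bool = False   # Portal user still in pre-connection state


class VAP:
    def __init__(self, max_users: int):
        self.max_users = max_users
        self.online = []

    def admit(self, user: User, authenticated: bool = True) -> str:
        """Returns a verdict string starting with 'admitted' or 'denied'.
        `authenticated` stands for the authentication step that precedes the
        VIP check made in the authorization phase."""
        if not authenticated:
            return "denied: authentication failed"
        if len(self.online) < self.max_users:
            self.online.append(user)
            return "admitted"
        if not user.vip:
            return "denied: user limit reached"
        # VAP is full and the new user is a VIP: disconnect one online non-VIP
        # user. Pre-connection Portal users have unknown priority and are
        # treated as high priority, so they are skipped.
        victim = next((u for u in self.online
                       if not u.vip and not u.pre_connection), None)
        if victim is None:
            # Assumption (not in the notes): nobody eligible, so the VIP user
            # is denied rather than exceeding the limit.
            return "denied: no non-VIP user can be disconnected"
        self.online.remove(victim)
        self.online.append(user)
        return f"admitted: disconnected {victim.mac}"

    def online_macs(self) -> list:
        return [u.mac for u in self.online]


if __name__ == "__main__":
    vap = VAP(max_users=2)
    for u in (User("aa"), User("bb", pre_connection=True),
              User("cc"), User("v1", vip=True), User("v2", vip=True)):
        print(u.mac, "->", vap.admit(u))
```

Running the sample shows the edge case from the notes: when the only non-VIP user left is the pre-connection Portal user "bb", a second VIP user is not admitted.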
• 1. ABCD
• 2. CD
• Currently, campus networks are moving from the PC era to the cloud era. In the
PC era, campus networks are mainly used for office services and connecting
wired terminals. Campus applications are deployed locally, and terminals directly
access applications through the local campus network. Therefore, most traffic on
a campus network is transmitted from terminals to local servers. In addition,
most terminals are fixed terminals that use wired access mode, and there are
only a small number of wireless terminals.
• In the cloud era, enterprises are gradually migrating applications from their local
servers to the cloud. More and more enterprises tend to deploy applications on
public clouds, private clouds, or even hybrid clouds. This brings a great change to
the data traffic model on campus networks. Different from the PC era where
traffic is mainly transmitted within a campus, the cloud era is witnessing more
traffic from the campus egress to the cloud. The new traffic model poses new
challenges to the campus egress and WAN access side. In addition, production
applications and production terminals are widely used, making the campus
network even more important, because it must deliver a better performance in
stability, reliability, convenience, and security. As services are migrated to the
cloud and wireless terminals are growing in popularity, enterprises are now
attaching increasing importance to Wi-Fi access and user experience. Many
enterprises even propose the concept of fully-wireless, in which scenario wireless
access becomes the mainstream access mode. This tendency accelerates the
mobility of users and terminals they use, making continuous networking and
high-quality roaming experience of Wi-Fi a fundamental requirement.
• Campus networks designed for the cloud era are called cloud campus networks,
which must have the following four characteristics:
▫ Autonomous driving:
▪ With the maturity and large-scale deployment of SDN technologies, SDN is
no longer unfamiliar to enterprise users; instead, SDN support is almost a
factor that must be considered when they build a new campus network. On
a cloud campus network, SDN must be supported over the wired switching
network (that is, LAN), WAN, and WLAN. SDN eliminates the need to
manage, operate, or maintain a network using traditional network
management and O&M methods, but instead, it enables network service
provisioning and network policy deployment to be carried out in a
centralized and simplified manner.
▪ Cloud campus networks also support AI-based intelligent O&M, making
networks more intelligent. For example, trends or faults can be predicted
based on historical network data. In addition, users' network experience
must be visualized on cloud campus networks. For example, if a Wi-Fi
experience problem is detected, the customer journey needs to be displayed
in an end-to-end manner, or intelligent analysis needs to be provided to
illustrate why: Is the poor user experience caused by problems in the access
authentication process or address assignment process? What are possible
root causes and the corresponding solutions? Suggestions must be provided
in all these aspects.
• To address the problems faced by the traditional network architecture, Huawei
launched the simplified "Solar System" network architecture. With this
architecture, network deployment and operations become more efficient, and the
entire network becomes more intelligent and eco-friendly.
• The architecture uses the optical-electrical PoE technology and comprises
central switches, hybrid copper-fiber cables, and remote units (RUs).
• A central switch functions as the RU manager, and the RUs work as the extended
ports of the central switch. RUs can go online in zero touch provisioning mode.
This distributed access model looks like stars and asteroids in galaxies. That is
why we call it the "Solar System" network architecture.
• iMaster NCE-Campus is a web-based centralized management and control
system used in the CloudCampus Solution. It delivers a wide range of functions,
including network service management, network security management, user
access management, network monitoring, network quality analysis, network
application analysis, alarm management, and report management. It also
provides big data analytics capability and open application programming
interfaces (APIs) that facilitate integration with other platforms. On iMaster NCE-
Campus, enterprise users can perform service configuration and routine O&M,
thereby centrally managing large numbers of devices.
• For details about iMaster NCE-Campus, see the iMaster NCE-Campus Product
Documentation, available at
https://support.huawei.com/enterprise/en/network-management-and-analysis-software/imaster-nce-campus-pid-250852420/doc.
• In the following part of this course, iMaster NCE-Campus will be abbreviated as
iMaster NCE.
• As-Is: current situation. To-Be: ideal state in the future.
• In the big data era, the traditional specified rule-based O&M methods can no
longer meet users' network O&M requirements, and the lack of automatic O&M
capabilities becomes increasingly prominent. This urgently calls for intelligent
O&M that can use a large amount of data generated on the network to improve
the O&M efficiency.
• Huawei CampusInsight, an intelligent network analysis platform, radically
changes the traditional resource status-centric monitoring mode and applies AI
to the network O&M field. Based on existing O&M data (such as device
performance indicators and terminal logs), Huawei CampusInsight uses Big Data
analytics, AI algorithms, and more cutting-edge analytics technologies to digitize
user experience, helping customers quickly detect network problems and improve
user experience accordingly.
• CampusInsight uses Telemetry technology to collect performance indicators and
logs of network devices and detects network anomalies based on real service
traffic.
• The CloudCampus APP provides a variety of utility tools. The Tool screen contains
Wi-Fi health check, speed test, Internet configuration, project delivery, coverage
test, business test, scene test, and manufacturer customization.
• Cloud management configuration functions are available on the Network screen.
For details, see the Huawei Cloud Managed Campus Network Solution
Deployment Guide, available at
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100166653.
▫ Project delivery tools except the AP Calculator are available only after you log
in to WLAN Planner using a uniportal or Huawei W3 account and enter a
project.
▫ Cloud management functions are available only after you log in using a cloud
management account.
▫ Other tools are available without login.
• Wi-Fi Test
▫ Wi-Fi Test: allows you to quickly and comprehensively test Wi-Fi coverage,
service experience, and network security.
▫ Speed Test: allows you to conduct network speed tests for the Internet and
intranet. Network speed is a key indicator for measuring the network quality.
• Internet Configuration
▫ SOHO: allows you to quickly configure a Wi-Fi network through the leader AP
and manage the network in SOHO scenarios.
• Project Delivery
▫ AP Calculator: quickly generates a material list based on project scenarios and
capacity requirements.
▫ Site Survey: allows you to perform site surveys, record environment
information, test attenuation, and synchronize site survey information to
WLAN Planner.
• Managed Service Provider (MSP): delivers and manages network-based services,
applications, and devices. The serviced objects include enterprises, residential
areas, and other service providers.
• Perpetual license + SnS: The perpetual license is sold together with SnS services,
such as software updates, software upgrades (including new features of new
releases), and remote support. In the perpetual license + SnS mode, a customer
needs to pay the SnS fee for a certain period of time, in addition to purchasing the
license upon the first purchase. If the customer does not renew the SnS annual
fee after it expires, the customer can only use functions provided in the license
purchased for the current version and can no longer use the service functions
covered by the SnS annual fee.
• SaaS mode: In SaaS mode, MSPs are responsible for deploying or leasing
hardware infrastructure, as well as O&M and management of the hardware and
software. Software is provided for customers as cloud services and customers
need to periodically pay for the cloud services.
• Term Based License (TBL) mode: Different from the "perpetual license + SnS"
mode, term based license purchased by a customer has a validity period. If the
customer does not renew the license after it expires, the customer can no longer
use the software product.
• Subscription and Support (SnS): It consists of two parts — software support and
software subscription. The complete software charge consists of the annual
software SnS fee and software license fee.
• Intent-driven deployment integrates Huawei's network planning experience in
various service scenarios to build a network expert knowledge base. After
customers input their basic network intents, such as the service scenario, service
scale, and required services, a network solution that best suits the intents will be
automatically generated. In addition, the system is capable of self-learning, that
is, it can feed the solution modifications made by customers to the AI module for
learning. This helps the system adapt to the complex and fast-changing network
environment.
• After customers input their network intents on the cloud, the cloud recommends
a network solution and generates the corresponding solution package. Customers
can import the solution package to the controller deployed in any form. Equipped
with an intent parsing engine, the controller then automatically parses the
solution package and deploys a network as planned. This cloud-premise synergy
implements one-click deployment, which improves the deployment efficiency,
reduces controller learning costs, and minimizes manual configuration errors and
workloads of configuring large networks.
• On a large multi-service campus network, a campus network usually needs to
carry multiple services at the same time, and data of different services needs to
be isolated from each other. The CloudCampus VXLAN-based virtualized campus
network solution can meet these requirements.
• In this solution, a network consists of underlay and overlay. Underlay is the
underlying bearer network that implements basic connectivity between network-
wide devices and provides connection capabilities for the upper-layer overlay
service network. Overlay is a logical network (virtual network) abstracted from
the underlay. Users can create multiple virtual networks (VNs), such as OA VN
and R&D VN. These VNs are isolated from each other and all VN data is
encapsulated using VXLAN when being forwarded on the underlay network.
• To ensure that overlay service data can be properly forwarded on the network, IP
addresses and routing protocols must be configured on underlay network devices
such as physical switches. The CloudCampus Solution provides a complete set of
automation solutions, in which devices support plug-and-play. This means that
an administrator can complete network planning on iMaster NCE first, and
devices can then automatically obtain configurations after they are onboarded.
Alternatively, an administrator can onboard devices first, and then complete
network configuration on iMaster NCE. iMaster NCE can also automatically
complete IP address and routing protocol configuration of the underlay network
without manual intervention.
• CloudCampus uses virtualization technologies to divide the network layer into the
physical network (underlay) and virtual network (overlay). Overlay is a virtual
network built on top of a physical network using virtualization technologies. This
solution applies to higher education, government campus, commercial building,
and other scenarios where VNs need to be created to isolate multiple services or
tenants.
• Multi-purpose network:
▫ Virtual Extensible LAN (VXLAN): VXLAN is the key to campus network
virtualization. It encapsulates a data packet received from a source host
into a UDP packet, encapsulates the IP and MAC addresses used on the
physical network in the packet outer header, and then sends the packet
over an IP network. The VXLAN tunnel endpoint (VTEP) then decapsulates
the packet and sends it to the destination host.
▫ BGP EVPN: In the initial VXLAN solution (RFC 7348), no control plane is
defined. Instead, VXLAN tunnels are manually configured and host
addresses are learned through traffic flooding. Although the flood-and-
learn approach is simple, it causes a large amount of flooded traffic on the
network and makes the network difficult to expand. To address these
problems, Ethernet Virtual Private Network (EVPN) is introduced as the
VXLAN control plane. By referring to the BGP/MPLS IP VPN mechanism,
EVPN defines several types of BGP EVPN routes by extending BGP. It
advertises routes on the network to implement automatic VTEP discovery
and host address learning.
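• As an added example (not from the course notes), the VXLAN encapsulation step described above in plain Python with the struct module: the original Ethernet frame is prefixed with the 8-byte VXLAN header (flags byte with the I bit, 24-bit VNI) and carried as the payload of a UDP packet to port 4789, and a receiving VTEP decapsulates it and delivers it only into the VN provisioned for that VNI. The outer IP and UDP headers are left to the IP stack and are not built here; MAC addresses, VNIs and VN names are constructed.

```python
"""VXLAN header encode/decode and the per-VNI delivery check of a VTEP.
Sample MACs, VNIs and VN names are constructed; not vendor code."""

import struct

VXLAN_UDP_PORT = 4789                # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08                  # "VNI present" flag in the first byte
VXLAN_HEADER = struct.Struct("!B3sI")  # flags, reserved(24 bits), VNI<<8


def ethernet_frame(dst_mac: str, src_mac: str, payload: bytes,
                   ethertype: int = 0x0800) -> bytes:
    """Minimal Ethernet II frame, the 'data packet received from a source host'."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + ethertype.to_bytes(2, "big") + payload


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """UDP payload: 8-byte VXLAN header followed by the untouched inner frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    return VXLAN_HEADER.pack(VXLAN_FLAG_I, b"\x00" * 3, vni << 8) + inner_frame


def vxlan_decap(udp_payload: bytes):
    """Returns (VNI, inner frame); rejects short headers and a clear I flag."""
    if len(udp_payload) < VXLAN_HEADER.size:
        raise ValueError("truncated VXLAN header")
    flags, _, vni_field = VXLAN_HEADER.unpack_from(udp_payload)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set: VNI is not valid")
    return vni_field >> 8, udp_payload[VXLAN_HEADER.size:]


class VTEP:
    """Decapsulating VTEP that only delivers frames into VNs it has provisioned,
    which is what keeps the OA and R&D VNs apart on a shared underlay."""

    def __init__(self, vn_by_vni: dict):
        self.vn_by_vni = vn_by_vni
        self.dropped = 0

    def receive(self, udp_dst_port: int, udp_payload: bytes):
        """Returns (VN name, inner frame), or None when the packet is dropped."""
        if udp_dst_port != VXLAN_UDP_PORT:
            self.dropped += 1
            return None
        try:
            vni, inner = vxlan_decap(udp_payload)
        except ValueError:
            self.dropped += 1
            return None
        vn = self.vn_by_vni.get(vni)
        if vn is None:                # unknown VNI: no VN to deliver into
            self.dropped += 1
            return None
        return vn, inner


if __name__ == "__main__":
    frame = ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01", b"hello")
    vtep = VTEP({1001: "OA", 1002: "R&D"})      # constructed VNI plan
    print(vtep.receive(VXLAN_UDP_PORT, vxlan_encap(1001, frame)))
    print(vtep.receive(VXLAN_UDP_PORT, vxlan_encap(1003, frame)))   # None
```

The decapsulation side is where a practitioner should be strict: a header with the I flag clear, a truncated header, or a VNI that is not provisioned on this VTEP is dropped rather than guessed at, and the drop counter gives something to alert on.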
• The free mobility solution allows a user to obtain the same network access policy
regardless of the user's location and IP address change on a campus network.
When configuring a policy, the administrator does not need to pay attention to IP
address ranges of different users, but only needs to focus on the logical access
relationships between users and servers.
• Unlike traditional IP address-based ACLs, free mobility describes policy in
terms of users: network objects with the same permissions are grouped into
security groups, and each security group maps to one user type or one server
type. An administrator defines security groups to describe and organize the
sources and destinations of network traffic, and the security group plan
determines how many security groups are created.

• OPEX means the operating expense, which is the sum of the maintenance cost,
marketing expense, labor cost, and depreciation expense during the enterprise
operations.
• Application identification: Application identification is a technology that identifies
the enterprise application to which network traffic belongs based on the
characteristics of the traffic. Enterprise applications have varying requirements on
link quality as well as corresponding optimization measures. Applications must be
identified before application experience assurance measures can be applied.

• Application-based traffic steering: Traditional network technologies cannot
dynamically select paths for applications based on their requirements on link
quality. Application-based traffic steering continuously monitors the status of
multiple WAN links based on enterprise applications' priorities and their
requirements on link quality and selects the optimal link for transmission. This
ensures high-value application experience even in case of WAN link congestion
while maximizing the utilization of high-quality links.

• Hierarchical QoS scheduling: In addition to functions available in traditional QoS
technologies such as traffic policing, traffic shaping, and queue scheduling, SD-
WAN provides the service awareness (SA) function, enabling it to offer
differentiated services to enterprise applications. For an enterprise where
departments need to be isolated, SD-WAN can provide service quality assurance
based on departments, forming a hierarchical (service-department-site) quality
assurance solution.
• Among faults that occur during campus network changes, configuration errors
account for a high proportion. To deal with this, iMaster NCE provides the
intelligent network verification feature to verify differences before and after
campus network changes, reachability between key subnets, and network
reachability for key users.
• Intelligent network verification provides the following capabilities:
▫ Snapshot management: iMaster NCE-Campus collects the current
configurations and entry information of all devices (currently LAN switches
only) at sites, and uses the data plane verification (DPV) modeling
technology to generate a snapshot. A snapshot is a virtual replica of sites
on your network at a particular point in time. Leveraging the snapshots,
iMaster NCE-Campus is able to simulate and verify network changes at
different time points. For example, by comparing two snapshots of the
same network generated at different time points, iMaster NCE-Campus lets
you easily identify network configuration changes made in the involved
time span, such as changes of devices, configuration files, link interfaces,
and IP routes across the entire network.
▫ Subnet reachability verification: You can select a snapshot and verify the
reachability between subnets in the snapshot.
▫ Terminal access verification: You can select a snapshot and verify network
reachability for a terminal in the snapshot.
• Big data-based calibration leverages historical big data analytics results and uses
intelligent algorithms to implement intelligent radio calibration, optimizing signal
coverage and load transmission efficiency at the edge of an area.
• CSS/iStack can be used with Eth-Trunk to form a logical tree topology. This
simplified network topology prevents Layer 2 loops and improves network
reliability.
• Remote modules (RUs) work as expansion ports of a central switch, and are
configuration- and maintenance-free. RUs are centrally managed by the central
switch.

• RUs can automatically discover the topology through the XLDP protocol.
• Networking mode reliability: The entire series can run the spanning tree protocol
to prevent loops caused by unauthorized devices.

• Device access authentication: RUs support certificate-based authentication,
ensuring access switch security.
• User access authentication: 802.1X authentication is used in high-security user
access scenarios, where authentication packets are transparently transmitted to
the central switch for processing.
• User access security: RU ports support isolation and non-isolation modes, which
can be flexibly selected based on the site scenario (by default, an RU port works
in non-isolation mode).
• Conventionally, switches and APs are connected using twisted pairs, which serve
as the medium both for PoE power supply to APs and for data transmission
between switches and APs. However, as Wi-Fi technologies continue to develop,
they place increasingly higher requirements on cable performance. For example,
as Wi-Fi 6 is deployed commercially at scale, it requires the cable to deliver up
to 10 Gbit/s, and the future-oriented Wi-Fi 7 standards further require up to
40 Gbit/s while still supporting PoE power supply to APs over long distances.
APs are often installed in complex environments and require PoE over distances
of more than 100 m; in some special scenarios, such as stadiums, the distance
can be 300 m or more. Conventional twisted pairs, however, support PoE only
over distances of up to 100 m. For these reasons, hybrid cables are the
preferred choice for connecting switches and APs.
• A hybrid cable incorporates optical fibers and copper wires within the same
jacket, meeting both the data transmission and power supply requirements of
devices. This is why hybrid cables are typically used to connect switches to APs
or RUs on campus networks. As future-proof WLAN technologies such as Wi-Fi 6
and Wi-Fi 7 gain momentum, conventional twisted pairs cannot keep pace with
their bandwidth needs, while optical fibers alone cannot be used for PoE power
supply. A hybrid cable transmits data signals over its optical fibers and
electrical power over its copper wires, enabling long-distance power supply
while ensuring high-speed data transmission. That combination is what gives
hybrid cables room for long-term bandwidth evolution and long-distance PoE,
which neither twisted pairs nor optical fibers provide on their own.
• In the CloudCampus Solution, the virtualized campus network sub-solution allows
a user network to be used for multiple purposes. One network for multiple
purposes, or multi-purpose network, means that a physical network carries a
variety of services (such as office and R&D services), and virtualization
technologies are used to create multiple logically isolated VNs on top of the
physical network, each for an independent service.
• On a large- or medium-sized campus network, the virtualization solution may be
used to decouple services from the network, so as to build a multi-purpose
network and achieve flexible, fast service deployment without changing the
network infrastructure. Using such a solution means that the virtualized campus
network architecture must be different from the traditional network architecture.
The virtualized campus network sub-solution uses the VXLAN technology to
encapsulate and logically isolate service data. The entire network can be divided
into two layers: physical network (underlay) and virtual network (overlay). The
underlay network provides basic connection services for the campus network. The
overlay network is built on top of the physical network using virtualization
technologies.
• The centralized SDN controller, iMaster NCE, manages network-wide devices in a
unified manner, builds models based on the network topology, and deploys the
underlay and overlay networks through the GUI. The entire process is
automatically completed by iMaster NCE. After a virtual network is built, service
policies can be configured based on users or service units. For example, users and
resources can be divided into groups, based on which mutual access control can
be implemented. Service policy provisioning can be configured on the GUI of
iMaster NCE, which can automatically deliver the configurations.
• The multi-campus interconnection solution is a sub-solution provided in the
CloudCampus Solution for the interconnection between branch campuses and
between branches and the HQ or DCs. With SD-WAN functions integrated, the
multi-campus interconnection solution provides two models for WAN
interconnection: static IPsec VPN and EVPN-based VPN.
▫ An IPsec VPN is a type of static VPN, in which IPsec tunnels are established
between devices at different sites to create VPN channels. Traffic is diverted
to the VPN tunnels based on the configured static network segments so
that service traffic between sites is transmitted through IPsec VPN tunnels.
▫ EVPN is a dynamic VPN technology that establishes tunnels between sites
on demand and dynamically advertises routes. EVPN establishes GRE
tunnels between sites to create VPN channels and uses IPsec encryption on
GRE tunnels to secure data transmission over the tunnels. In addition, the
EVPN-based interconnection solution offers application- and policy-based
intelligent traffic steering, allowing traffic to be transmitted over links with
higher quality based on applications and policies.
• Link quality-based traffic steering: Different applications have different
requirements on link quality. For example, voice and video services are sensitive
to delay and packet loss rate and have high requirements on link quality.
Therefore, you can configure the good-quality MPLS link as the primary link and
the Internet link as the secondary link for this type of service. In addition, you
need to configure SLA requirements for the services so that intelligent traffic
steering can be performed based on link SLA, thus meeting the SLA and
bandwidth requirements of applications.
• Load balancing-based traffic steering: If an enterprise has multiple links, you can
configure load balancing-based traffic steering to fully utilize link bandwidth.
During service forwarding, the devices can select different links for different
applications based on link weights, thereby improving the bandwidth utilization.
• Application priority-based traffic steering: If multiple types of service packets are
transmitted on the same link, traffic of high-priority applications is preferentially
processed in the case of congestion, ensuring user experience of high-priority
applications. For example, voice, video, and file transfer services are carried over
an MPLS link. If the link bandwidth is insufficient, traffic of voice and video
services is preferentially transmitted to guarantee the service experience.
• Bandwidth-based traffic steering: When the bandwidth usage of a link reaches
the threshold, this link is not selected for new traffic of some applications, and
other links that meet the requirements are preferred. This method ensures the
bandwidth usage of high-priority services and prevents application quality and
link quality from deteriorating due to network congestion.
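The four steering modes above, and the application-based traffic steering described earlier in this section, share one decision: given the latest SLA probe results for each WAN link, which link does a new flow of a given application go to? The following is an added example, not code from the CloudCampus or SD-WAN solution, that implements that decision in the order the text describes: links over the application's bandwidth threshold are skipped for new flows, the configured primary link is used when it meets the SLA, otherwise the secondary link or any other link that does, and applications without a preferred link are spread by weight; a small priority-based scheduler shows what happens on one congested link. The link measurements, SLA thresholds, and application names are constructed sample values.

```python
from dataclasses import dataclass, field
from math import inf


@dataclass
class LinkStatus:
    """Latest probe results for one WAN link (constructed sample values below)."""
    name: str
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    utilization_pct: float
    weight: int = 1            # relative share for load-balancing-based steering


@dataclass
class AppPolicy:
    """Per-application steering policy: SLA thresholds, preferred links, priority."""
    name: str
    priority: int                                    # 1 = highest priority
    sla: dict = field(default_factory=dict)          # e.g. {"delay_ms": 150, "loss_pct": 1.0}
    preferred: list = field(default_factory=list)    # primary first; empty = load balance
    bw_threshold_pct: float = 100.0                  # busier links are skipped for new flows


def meets_sla(link: LinkStatus, sla: dict) -> bool:
    return (link.delay_ms <= sla.get("delay_ms", inf)
            and link.jitter_ms <= sla.get("jitter_ms", inf)
            and link.loss_pct <= sla.get("loss_pct", inf))


def select_link(app: AppPolicy, links: list, flow_hash: int = 0) -> str:
    """Pick the link for a new flow of `app` given the current link measurements."""
    # Bandwidth-based steering: links over the application's utilization threshold are
    # not offered to new flows (unless every link is over it, to avoid blackholing).
    candidates = [l for l in links if l.utilization_pct < app.bw_threshold_pct] or list(links)
    good = [l for l in candidates if meets_sla(l, app.sla)]
    good_names = {l.name for l in good}
    if app.preferred:
        # Link quality-based steering: primary, then secondary, while they meet the SLA.
        for name in app.preferred:
            if name in good_names:
                return name
        if good:                                          # any other link that meets the SLA
            return min(good, key=lambda l: (l.loss_pct, l.delay_ms)).name
        # Nothing meets the SLA: choose the least-bad link rather than dropping the flow.
        return min(candidates, key=lambda l: (l.loss_pct, l.delay_ms)).name
    # Load balancing-based steering: weighted spread over the links that meet the SLA.
    pool = good or candidates
    slots = [l.name for l in pool for _ in range(max(l.weight, 1))]
    return slots[flow_hash % len(slots)]


def schedule(demands_mbps: dict, policies: dict, capacity_mbps: float) -> dict:
    """Application priority-based scheduling on one congested link: higher-priority
    applications are served first and lower-priority ones get whatever remains."""
    granted, remaining = {}, capacity_mbps
    for name in sorted(demands_mbps, key=lambda n: policies[n].priority):
        granted[name] = min(demands_mbps[name], remaining)
        remaining -= granted[name]
    return granted


# Constructed sample data: an MPLS private line and an Internet link, three applications.
LINKS = [
    LinkStatus("MPLS", delay_ms=20, jitter_ms=2, loss_pct=0.1, utilization_pct=40, weight=3),
    LinkStatus("Internet", delay_ms=60, jitter_ms=15, loss_pct=0.5, utilization_pct=20, weight=1),
]
VOICE = AppPolicy("voice", priority=1, sla={"delay_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
                  preferred=["MPLS", "Internet"])
VIDEO = AppPolicy("video", priority=2, sla={"delay_ms": 200, "loss_pct": 2.0},
                  preferred=["MPLS", "Internet"])
FILE_TRANSFER = AppPolicy("file_transfer", priority=3, bw_threshold_pct=80)
```

Note the order of the checks: the bandwidth threshold is applied before the SLA comparison, so a congested primary link stops attracting new bulk flows even while it still meets every SLA threshold, which is exactly the behaviour the bandwidth-based mode describes.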
1. ABCD

2. False
• From the perspective of functions, the overall architecture of Huawei SD-WAN
Solution consists of the network layer, control layer, and management layer.
These layers are associated with each other through standards-compliant
interfaces and communication protocols.
▫ Management layer: The controller manages the entire process of enterprise
interconnection services in a refined manner. In the southbound direction, it
manages network devices through NETCONF and collects performance data
from network devices using telemetry. In the northbound direction, it
interconnects with third-party applications through standard RESTful APIs.
▫ Control layer: The controller works with the distributed control component
to advertise routes between sites within a region and to interconnect
regions.
▫ Network layer: The overlay technology is used together with cost-effective
network devices to connect branches, HQ, and the cloud platform, thereby
achieving on-demand full-network connectivity by fully leveraging all types
of links such as the Internet and traditional private lines.

• iMaster NCE is Huawei's SD-WAN controller.


• Enterprise sites include enterprise branches, HQ, DCs, and IT infrastructure
deployed on the cloud.
• Multiple virtual networks can be deployed to serve different services (such as
multiple departments) of the same tenant or different tenants.
• In terms of network device functions, the network layer of Huawei SD-WAN
Solution consists of two types of NEs: customer-premises equipment (CPE) and
gateway.
• RR site: A CPE functions as an RR and distributes EVPN routes to the CPE
gateway at the edge site based on the VPN topology policy.
• If a tenant administrator sets the role of the egress CPE to Gateway + RR, the
site is an RR site. If no device of the Gateway + RR role exists at the site, the site
is an edge site.
• An edge site can establish IBGP peer relationships with two RRs that back up
each other.

• Multiple RRs can be deployed under a tenant and are fully meshed on the control
plane.
• A gateway's role varies depending on the service scenario. For example, a
gateway connecting SD-WAN sites to legacy sites is an interworking gateway
(IWG), and a gateway connecting SD-WAN sites to a cloud is a cloud gateway.
Gateways can also provide other functions: a gateway that connects points of
presence (PoPs) to build a PoP network is referred to as a PoP gateway.
• The same IP address or domain name must be configured for the active and
standby controller clusters in the northbound and southbound directions.
• The administrator accesses the controller through the domain name (based on
the DNS record) or IP address, and the network uses BGP to control access
traffic.
• ZTP: Multiple ZTP modes are available to enable CPEs to quickly register with
iMaster NCE.
• Forwarding-control separation, achieving flexible networking: CPEs establish
management channels with iMaster NCE through NETCONF, and iMaster NCE
delivers configurations to CPEs to establish IP overlay tunnels.
• Application optimization, making services controllable and visible: The service
awareness technology is used to identify applications. TCP flow performance
measurement (FPM) and IP FPM technologies are used to implement
application-based quality measurement. The IP FPM technology can also be used
for link quality measurement. Smart policy routing (SPR) implements intelligent
link switchover based on the application quality.

• Comprehensive security protection system, ensuring service security: Multiple VPN
technologies, such as IPsec and MPLS, are leveraged to provide end-to-end
protection. The firewall function is supported to provide comprehensive security
protection at the hardware, pipe, and application levels.
• ZTP:
▫ Provides unified configuration through a controller, improving deployment
efficiency and facilitating large-scale site deployment.
▫ Uses URL parameters or DHCP options to carry the deployment configuration,
simplifying the deployment process and enabling one-click deployment.
▫ Allows deployed devices to automatically register with the controller,
simplifying use of the controller.
• iMaster NCE can generate the deployment files for the USB-based, email-based, and
DHCP-based deployment modes.
• For details about each deployment mode, refer to SD-WAN Intelligent O&M.
• Management channel:
▫ iMaster NCE sets up management channels with all devices through
NETCONF, so as to manage NEs and orchestrate services on the entire
network.
• Control channel:
▫ Control channels are established between CPEs and RRs.
▫ The RR centrally controls and distributes service routes between branch
sites.
▫ The enhanced BGP EVPN protocol is used to implement separate
transmission of tenants' VPN route and next hop information, and IPsec SA
negotiation.
• Data channel:
▫ Data channels are established between CPEs.
▫ Data is forwarded over GRE or GRE over IPsec data tunnels. The extended
GRE header carries VN IDs to differentiate tenants or departments, so that
data of multiple VNs can be transmitted over the same data tunnel.
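The data channel above multiplexes several VNs over one tunnel and relies on the receiving CPE to keep them apart. The following is an added example, not code from the SD-WAN solution or from Huawei, of the receiving side of such a tunnel. It assumes the VN ID is carried in the standard 32-bit GRE key field (RFC 2890), which is an assumption about what the text calls the "extended GRE header", and it omits the IPsec layer that would wrap the GRE packet on the wire. Each VN gets its own routing table, so two VNs that reuse the same inner address space are still forwarded to different next hops, and a packet whose key is not provisioned on the tunnel is dropped and logged rather than looked up in some default table. The VN IDs, prefixes, and next-hop names are constructed sample values.

```python
import ipaddress
import struct

GRE_FLAG_KEY_PRESENT = 0x2000   # K bit in the GRE flags/version word (RFC 2890)
ETHERTYPE_IPV4 = 0x0800


def make_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 packet for the sample (header checksum left at zero; not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def gre_key_encap(inner_ip_packet: bytes, vn_id: int) -> bytes:
    """Sending CPE: GRE header with the Key Present flag; the 32-bit key carries the VN ID."""
    if not 0 <= vn_id < (1 << 32):
        raise ValueError("VN ID must fit in the 32-bit GRE key")
    return struct.pack("!HHI", GRE_FLAG_KEY_PRESENT, ETHERTYPE_IPV4, vn_id) + inner_ip_packet


class VnDataTunnel:
    """Receiving CPE side of one data tunnel shared by several VNs.

    Each VN has its own routing table, so overlapping inner addresses in different
    VNs stay separate. Packets whose key is not provisioned on this tunnel are
    dropped instead of being looked up in a default table.
    """

    def __init__(self):
        self.tables = {}      # vn_id -> [(network, next_hop)]
        self.dropped = []     # audit trail of dropped packets

    def provision(self, vn_id: int, routes):
        self.tables[vn_id] = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def receive(self, gre_packet: bytes):
        """Return (vn_id, destination, next_hop) for a deliverable packet, else None."""
        if len(gre_packet) < 8 + 20:
            self.dropped.append(("truncated",))
            return None
        flags, proto, key = struct.unpack("!HHI", gre_packet[:8])
        # Only plain keyed GRE carrying IPv4 is accepted; checksum/sequence variants are not.
        if flags != GRE_FLAG_KEY_PRESENT or proto != ETHERTYPE_IPV4:
            self.dropped.append(("bad-gre-header", flags, proto))
            return None
        table = self.tables.get(key)
        if table is None:
            self.dropped.append(("unknown-vn", key))
            return None
        inner = gre_packet[8:]
        dst = ipaddress.ip_address(inner[16:20])       # IPv4 destination address field
        best = None
        for net, next_hop in table:                    # longest prefix match inside the VN
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        if best is None:
            self.dropped.append(("no-route", key, str(dst)))
            return None
        return key, str(dst), best[1]
```

The `dropped` list stands in for the counters a real CPE would export; a steady stream of `unknown-vn` entries on a production tunnel is worth alerting on, because it means a peer is sending keys that were never provisioned.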
• A TNP is a WAN port connecting a CPE to a transport network. Key information
of a TNP includes the site ID, CPE router ID, transport network ID, public IP
address, private IP address, and tunnel encapsulation mode.
• For details about SA and SPR, refer to HA Technologies.
• Improvement of the 5G link value
• ABC
• Hello, everyone. I'm an MO from NCE-Campus. Today, I'd like to introduce NCE-
Campus.
• iMaster NCE-Campus is Huawei's next-generation autonomous driving network
management and control system for campus networks. It is a platform that
integrates management, control, and analysis. It covers the four phases of network
planning, construction, maintenance, and optimization, helping enterprises
reduce OPEX and O&M costs and accelerating enterprise cloudification and digital
transformation.
• After completing this course, you will understand the position of NCE-Campus on
a campus network, its overall architecture, its overall capabilities, and its
application scenarios.
• The introduction is divided into nine parts, covering the overall solution and
the main application scenarios and deployment modes of iMaster NCE-Campus.
• First, let's look at the overall CloudCampus solution. From the bottom up, the
solution consists of the network layer and the management and control layer.
The network layer includes CE switches, APs, firewalls, and NetEngine ARs; device
capabilities are not repeated here and can be found in the device documentation.
At the application layer, the APIs provided by NCE-Campus interconnect with
external application platforms to deliver applications for various industries.
iMaster NCE sits at the management and control layer, where it automates
deployment and provides intelligent O&M for wired, wireless, and WAN networks.
• As the network management and control layer, the controller covers the four
phases of network construction: planning, construction, maintenance, and
optimization. It provides network management, policy control, and data and fault
analysis capabilities, which of course include automated SDN provisioning and
intelligent analysis.
These are the related functional features. NCE provides end-to-end coverage from
basic services and network management to policy control and data-based analysis
and monitoring.
So, in which scenarios can NCE-Campus be used? It manages everything from network
connectivity and user authentication on a single campus, to large multi-service
campuses with complex networks and many buildings, to SD-WAN services
interconnecting multiple branches, and even NE series backbone network services.
This is why we call it an all-scenario converged controller.
This is the campus network management panorama, covering planning, construction,
maintenance, and optimization.

• In the planning phase, wireless and wired networks are planned using other tools.
NCE-Campus plans the network resources as a whole, such as VLANs and VNIs.

• The main focus is network construction, which includes network deployment and
policy provisioning. Network deployment is divided into four areas: small campuses,
medium and large campuses, LAN-WAN interconnected campuses, and automatic virtual
network provisioning. Policy provisioning focuses on access authentication, VIP
experience assurance, and SD-WAN policies.

• For O&M and optimization, the eSight network management capabilities are
integrated, so routine network monitoring is available, including terminal,
topology, alarm, and WAN-side monitoring. Routine maintenance capabilities include
device upgrade, inspection, reports, and O&M of the system itself. Intelligent O&M
is provided by integrating NCE-CampusInsight through single sign-on (SSO).
• Next, let's look at the six typical application scenarios.
• Basic capabilities: network management and access authentication
• Experience improvement: free mobility and terminal management
• SDN capabilities: one network for multiple purposes and LAN-WAN convergence
• Next, let's go through them in turn, starting with network device management.
For network resource planning, NCE-Campus first targets small campuses with
simple services, using preset models to implement automatic networking and
service design.
• Its purpose is to improve the deployment efficiency of multi-branch sites. It not
only eliminates command lines, but also eliminates tedious page configuration.
• The application scenario is a multi-branch campus with simple services: the
networking is simple, but the number of sites is large and the service model is the
same at every site, for example retail stores, hotel chains, and general education.
The current version supports pre-configuration for medium- and large-sized store
scenarios.
Based on experience summarized per scenario, automatic pre-configuration of a single
site takes only 5 minutes, and the resulting template can be applied directly to
multiple sites in batches.
Let's take a look at how it's done.
• Step 1: Four categories of common scenarios are preset: office, retail, general
education, and user-defined. Customers select a scenario based on their business
intent.
• Step 2: NCE-Campus uses a collaborative recommendation algorithm to map the
intent precisely onto a network.
• Step 3: Network models such as the topology and device selection are recommended
precisely for the business intent.
• The preceding steps solve network planning for a single campus. For multiple
campuses, we provide batch capabilities: a customer defines a campus template
that can be replicated to N similar campuses, enabling fast network provisioning.
• This is the graphical operation and configuration page. A deployment template is
customized in two steps.
• To ensure the accuracy of network provisioning and adjustment, we provide the
intelligent verification capability:
▫ Snapshots taken before and after a configuration change are compared.
▫ Comprehensive network connectivity is verified through mutual access between
subnets.
▫ The network environment is fully modeled mathematically, so that terminal
access permissions can be simulated and verified precisely in real time. This
keeps the network secure and trustworthy and ultimately achieves zero errors in
service rollout and change.
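The snapshot comparison and subnet reachability checks summarized here, and the snapshot management, subnet reachability verification, and terminal access verification described in more detail earlier in this section, can be illustrated with a small model. The following is an added example, not the DPV modeling used by iMaster NCE-Campus and not Huawei code: a snapshot is a dictionary of per-device configuration items, routes, and ACL entries; `snapshot_diff` reports what changed between two snapshots; and `trace` walks the modeled forwarding path hop by hop with longest-prefix matching and first-match ACLs, detecting blackholes and loops, which is what subnet and terminal reachability verification boil down to. The device names, prefixes, ACL entries, and the configuration key are constructed sample values.

```python
import ipaddress
from copy import deepcopy


def _net(prefix):
    return ipaddress.ip_network(prefix)


def snapshot_diff(before: dict, after: dict) -> dict:
    """Compare two snapshots: devices added/removed, changed config items, routes added/removed."""
    diff = {"devices_added": sorted(set(after) - set(before)),
            "devices_removed": sorted(set(before) - set(after)),
            "config_changes": {}, "routes_added": {}, "routes_removed": {}}
    for dev in sorted(set(before) & set(after)):
        cb, ca = before[dev]["config"], after[dev]["config"]
        changed = {k: (cb.get(k), ca.get(k)) for k in set(cb) | set(ca) if cb.get(k) != ca.get(k)}
        if changed:
            diff["config_changes"][dev] = changed
        rb, ra = set(before[dev]["routes"]), set(after[dev]["routes"])
        if ra - rb:
            diff["routes_added"][dev] = sorted(ra - rb)
        if rb - ra:
            diff["routes_removed"][dev] = sorted(rb - ra)
    return diff


def longest_match(routes, dst):
    """Longest-prefix match over (prefix, next_hop) entries; next_hop may be 'connected'."""
    best = None
    for prefix, next_hop in routes:
        net = _net(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(snapshot: dict, start_device: str, src_ip: str, dst_ip: str, max_hops: int = 16):
    """Walk the modeled forwarding path from start_device. Returns (verdict, path)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    device, path = start_device, []
    while len(path) < max_hops:
        if device in path:                                  # revisiting a device: routing loop
            return "loop", path + [device]
        path.append(device)
        node = snapshot.get(device)
        if node is None:
            return "unknown-device", path
        for action, s, d in node.get("acl", []):           # first matching ACL entry wins
            if src in _net(s) and dst in _net(d):
                if action == "deny":
                    return "denied-by-acl", path
                break
        route = longest_match(node["routes"], dst)
        if route is None:
            return "no-route", path                         # blackhole
        if route[1] == "connected":
            return "reachable", path
        device = route[1]
    return "hop-limit", path


def verify_subnets(snapshot: dict, src_device: str, src_subnet: str, dst_subnet: str) -> str:
    """Subnet reachability check using the first host address of each subnet."""
    src = next(_net(src_subnet).hosts())
    dst = next(_net(dst_subnet).hosts())
    return trace(snapshot, src_device, str(src), str(dst))[0]


# Constructed sample snapshot: two aggregation switches behind a core switch.
BEFORE = {
    "core": {"config": {"ntp-server": "10.0.0.1"},
             "routes": [("10.1.0.0/24", "agg1"), ("10.2.0.0/24", "agg2")]},
    "agg1": {"config": {"ntp-server": "10.0.0.1"},
             "routes": [("10.1.0.0/24", "connected"), ("0.0.0.0/0", "core")]},
    "agg2": {"config": {"ntp-server": "10.0.0.1"},
             "routes": [("10.2.0.0/24", "connected"), ("0.0.0.0/0", "core")],
             "acl": [("deny", "10.1.0.0/24", "10.2.0.5/32")]},   # users may not reach this server
}
# Snapshot after a change that also, by mistake, dropped the core route towards agg2.
AFTER = deepcopy(BEFORE)
AFTER["core"]["routes"].remove(("10.2.0.0/24", "agg2"))
AFTER["core"]["config"]["ntp-server"] = "10.0.0.2"
```

Running the same subnet check against both snapshots is the pre-change/post-change comparison the text describes: the diff shows the removed route, and the reachability verdict changes from reachable to a blackhole at the core, which is exactly the kind of configuration error such verification is meant to catch before rollout.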
• For device monitoring, IP devices are monitored from seven dimensions: basic
information, event logs, location, tools, resources, fault alarms, and entry query.
Version, online and offline time, running status, network connectivity, resource
usage, and alarm information can be viewed to gain a comprehensive picture of
how the device is running.
• NCE-Campus supports device upgrades. Users can upload device software packages
and patches and specify upgrade policies such as the download time, restart time,
and upgrade mode. Once the policies are set, devices are upgraded automatically.
The upgrade progress can be viewed in real time, including completion status and
statistics by state, and an upgrade can be cancelled or retried. Because the whole
process is managed graphically, problems caused by manual upgrade operations are
significantly reduced.
• NCE-Campus fully integrates the authentication capabilities of Agile
Controller-Campus. It has built-in RADIUS and Portal servers and supports 802.1X,
Portal, and MAC address authentication, as well as interconnection with external
social media such as QQ, Sina Weibo, WeChat, Facebook, and Twitter. Unlike the
original authentication system, NCE-Campus places lower requirements on the
network: Portal authentication can be performed across the Internet and no longer
requires intranet access, which further improves network adaptability. Passcode
and PPSK authentication have also been added.
• For refined policy management and control, NCE-Campus filters on 5W1H policy
conditions: user identity, access location, access time, terminal type, device
attributes, and access mode. This pins down the specific user, and refined
permission control can then be applied in areas such as permissions, bandwidth,
QoS, application, and security. For example, permissions can be expressed as
VLANs, ACLs, free mobility security groups, or VIP user status, and bandwidth
control can set uplink and downlink bandwidth limits and DSCP values. Combining
multiple policy conditions with refined permission allocation gives fine-grained
control over user policies.
• The system also provides a WYSIWYG Portal page editor with multiple controls
that can be dragged onto a customized page. Currently, nine pages can be
customized. Note that the full-screen countdown advertisement and video controls,
which the original version did not support, are fully supported in the new version.
The Portal page editor meets the customization needs of most projects with
essentially no learning cost on the customer side, so personalized pages can be
customized quickly.
• Full-lifecycle guest management is supported. What is a guest? For example, when
we go to a restaurant and need the wireless network, we log in through an SMS
verification code to authenticate; that is a guest.

• The biggest difference between guest and employee accounts is that guest accounts
are temporary and need to be reclaimed and cleaned up periodically. NCE-Campus
manages guest accounts across registration, approval, distribution, authentication,
audit, and deregistration. Guests can register themselves or be registered by an
employee. After approval, the account is delivered by SMS, by email, or directly
on the registration success page. Multiple authentication modes are supported.
The system also automatically saves guest login and logout records, automatically
deregisters guests, and periodically deletes accounts.
• Let's look at terminal monitoring. More than 20 indicators give a full picture of
terminal access, such as the user IP address, MAC address, online duration, packet
loss rate, uplink and downlink rates, signal-to-noise ratio, and retransmission
rate. From this information you can see in real time how a terminal connected to
the network is performing, and whether it is working well or has a problem.
• The system also provides statistical analysis and terminal behavior analysis,
collecting statistics on the number of online users, traffic, network connection
information, and application usage at a site. Note that application statistics are
collected for the site as a whole rather than per terminal. Terminal behavior
analysis shows access counts and passenger flow trends, and distinguishes the
access and dwell time of visitors, passers-by, and employees, providing first-hand
analytical data for subsequent management and marketing.
With the maturity and adoption of wireless networking and remote access
technologies, enterprise employees are no longer limited to fixed physical office
locations. Allowing employees to connect from any location improves collaboration
efficiency across the enterprise.
In this context of free movement and access from anywhere, ensuring that an
employee's experience (such as forwarding priority and bandwidth) and security
(such as network access rights and security policies) stay consistent wherever they
connect to the enterprise network is the main challenge enterprises face and the
problem free mobility solves.
NCE-Campus supports free mobility, allowing users to access the network anytime
and anywhere with consistent service policies and network experience.
• Let's first look at the journey that free mobility has gone through. Free Mobility
1.0 was launched in 2014 to implement group policy control, but it had many
requirements: authentication points and policy points could not be separated,
cross-gateway inter-group isolation required traffic to be detoured through a
firewall, and third-party networks were not supported. Free Mobility 2.0 was
launched in 2018. It supports region-specific policy settings and VXLAN networking,
but is still not compatible with third-party networking. In 2020, Free Mobility 3.0
used the IP-Group capability to separate authentication points from policy points
and became compatible with third-party networks.

• Why do enterprises need the IP-Group capability? In IP-Group mode, NCE (Campus)
periodically synchronizes the association between user IP addresses and groups to
switches, so every switch on the network that supports free mobility knows the
association. This separates authentication points from policy points. To reduce the
entry synchronization load, you can set which devices require synchronization and
which do not.
• Why does IP-Group synchronization make free mobility applicable to a wider range
of scenarios? With the IP-Group capability, authentication and policy enforcement no
longer have to be performed on Huawei devices, so hybrid networking with
third-party devices is supported. In the scenario where ME60s coexist on a college or
university network, the ME60s can serve as authentication points and S series
switches as policy enforcement points. This strengthens the role of switches on the
network and resolves the earlier problem that, in cross-gateway networking, traffic
had to be detoured through a firewall for control.
• Different from other networks, a campus network has various types of terminals.
It is common for different terminals to access different networks and obtain
different permissions. For example, mobile phones can connect to the Internet
but cannot connect to the office network, and computers can only connect to the
office network. Terminal management and policy division are time-consuming
and labor-intensive. Therefore, NCE (Campus) provides the plug-and-play
function for terminals.

• Terminal plug-and-play (PnP) is based on terminal type identification. NCE (Campus)
has a built-in terminal fingerprint library with the most comprehensive service
coverage, and identifies terminal types and operating systems from terminal
information packets on the network.

• Four capabilities are provided: terminal identification (who I am), authentication
and authorization (what I can do), traffic statistics (what I have done), and spoofing
detection (I have been replaced), improving network security.

• Currently, terminals are updated and iterated quickly, and some new terminals are
not in the fingerprint database. How should such terminals be handled? This
requires the terminal AI clustering identification technology.

• The terminal AI clustering identification technology identifies terminals in two
steps. First, marking rules are automatically imported into the fingerprint
database. Then, new terminals of the same type are automatically identified based
on the learned marking rules.
• NCE (Campus) can identify device types, vendors, terminal models, and operating
systems. After identifying terminal information, administrators can flexibly
customize reports based on the information, such as the access terminal type
table, pie chart, trend chart, and type chart, to display the terminal information
in real time.
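The four capabilities listed above (who I am, what I can do, what I have done, I have been replaced) can be illustrated with a small fingerprint matcher plus a per-MAC consistency check. This is an added example, not NCE-Campus code: the fingerprint attributes it uses (DHCP option 55 parameter list, DHCP vendor class, HTTP User-Agent keyword), every library entry, and the sample observations are constructed assumptions, since the real fingerprint library is not public.

```python
"""Fingerprint-based terminal identification with spoofing ("I have been replaced") detection.

Added example, not NCE-Campus code.  The fingerprint attributes (DHCP option 55
parameter request list, DHCP vendor class, HTTP User-Agent keyword), all library
entries and all sample observations are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fingerprint:
    terminal_type: str
    vendor: str
    os: str
    dhcp_params: tuple        # DHCP option 55 parameter request list, in order
    vendor_class: str = ""    # DHCP option 60; "" means the rule does not check it
    ua_keyword: str = ""      # substring of the HTTP User-Agent; "" means not checked


# Constructed fingerprint library (hypothetical entries, not real vendor signatures).
LIBRARY = [
    Fingerprint("Phone", "VendorA", "MobileOS 15", (1, 121, 3, 6, 15, 119, 252), "", "MobileOS"),
    Fingerprint("PC", "VendorB", "DesktopOS 10",
                (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252), "VendorB-PC", ""),
    Fingerprint("IP camera", "VendorD", "CamOS 2", (1, 3, 6, 12), "VendorD-Cam", ""),
]


def identify(obs: dict) -> Optional[Fingerprint]:
    """Match an observation {dhcp_params, vendor_class, user_agent} against the library.

    The DHCP parameter list must match exactly; vendor class and User-Agent are
    checked only when the library entry specifies them.  Returns None for unknown
    terminals (the case the AI clustering identification is meant to cover).
    """
    for fp in LIBRARY:
        if tuple(obs.get("dhcp_params", ())) != fp.dhcp_params:
            continue
        if fp.vendor_class and obs.get("vendor_class") != fp.vendor_class:
            continue
        if fp.ua_keyword and fp.ua_keyword not in obs.get("user_agent", ""):
            continue
        return fp
    return None


class TerminalTracker:
    """Per-MAC identity memory: 'who I am' once learned, 'I have been replaced' if it changes."""

    def __init__(self):
        self.known = {}    # mac -> (terminal_type, os)
        self.alerts = []

    def observe(self, mac: str, obs: dict) -> str:
        fp = identify(obs)
        if fp is None:
            return "unknown"
        identity = (fp.terminal_type, fp.os)
        previous = self.known.get(mac)
        if previous is None:
            self.known[mac] = identity
            return "learned"
        if previous != identity:
            # Same MAC, different terminal: for example a laptop plugged in with the
            # camera's MAC to inherit the camera's network permissions.
            self.alerts.append({"mac": mac, "was": previous, "now": identity})
            return "spoof_suspected"
        return "consistent"


def run_demo():
    """Constructed sequence of observations: a camera port, then an unknown device."""
    tracker = TerminalTracker()
    cam_mac = "00:11:22:33:44:55"
    camera = {"dhcp_params": (1, 3, 6, 12), "vendor_class": "VendorD-Cam"}
    laptop = {"dhcp_params": (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
              "vendor_class": "VendorB-PC", "user_agent": "Mozilla/5.0 (DesktopOS 10)"}
    unknown = {"dhcp_params": (1, 3, 6, 15, 26, 28, 51), "vendor_class": "NewThing"}
    results = [tracker.observe(cam_mac, camera),
               tracker.observe(cam_mac, camera),
               tracker.observe(cam_mac, laptop),
               tracker.observe("66:77:88:99:aa:bb", unknown)]
    return results, tracker.alerts
```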
• Let's first look at why a multi-service campus is needed. In a multi-service
campus, multiple services coexist and must be isolated from each other to meet
security requirements. A typical scenario is a college campus network in the
education sector. Take a real example: the new campus of Xi'an Jiaotong University
has many educational buildings. Because these buildings occupy a wide area and are
very large, they are called scientific research giant structures. There are also
school-run enterprises such as medical and chemical companies, as well as student
and staff-family living areas, so the network is very complex. Multiple services
exist on the network, such as the teaching and office service network, the
operation and charging network in areas such as staff-family housing and
dormitories, the commercial and residential user network, the student campus card
network, the asset management network for high-value professional devices, and
the IoT private network. These networks must be isolated from each other. If an
independent physical network were built for each of them, the cost would be too
high, so the requirement for a multi-service campus network arises naturally.
Implementing one network for multiple purposes, with automatic provisioning and
quick adjustment, becomes the main requirement.
• First, let's look at the specific networking. On a multi-service campus network,
the border and edge devices play an important role. Similar to the spine and leaf
structure of a data center network, these two devices form a virtual VXLAN network
between the border and the edge. Different from other vendors, Huawei's solution
treats the edge device as an expanded concept rather than the simple aggregation
function of traditional solutions. The edge device can connect downstream to access
switches (the scenario on the left), directly to user terminals (the middle
scenario), or to APs (the scenario on the right), which is very flexible. In the
scenario on the left, where access switches are connected downstream, if the
access-layer devices are Huawei devices, policy association can be implemented to
push management and control down to the access layer. In the scenario on the
right, where APs are connected downstream, the APs do not need to support the
VXLAN protocol, so existing APs can be fully reused. Depending on the location of
the Layer 3 gateway, there are two solutions, centralized gateway and distributed
gateway; choose one based on the project requirements.

• How compatible is the solution with third-party devices? Let's look at the figure.
The colored devices in the figure represent devices from other vendors. Only the
border and edge devices must be Huawei devices. The other devices, including egress
routers, firewalls, transmission devices between the border and edge devices, access
switches, wireless APs, and WACs, can be from other vendors. In a network
reconstruction project, the existing devices on the network can be fully reused. If
non-Huawei devices are used at the access layer, Huawei's proprietary policy
association with the edge devices cannot be implemented, and some manual
configuration on the access devices is required to implement port isolation. If
third-party wireless APs and ACs are used, they must be statically deployed into
the virtual network and must use local forwarding.

• On a virtual network, multiple services are isolated at two layers. At the macro
level, virtual networks (VNs) are logically isolated by nature and cannot
communicate with each other; the switch or firewall at the border node is
responsible for policy enforcement. The second layer is at the micro level, within
each virtual network: free mobility is used to divide user rights, different user
groups have different access rights, and mutual access between user groups can be
allowed or denied; the switch at the edge aggregation node is responsible for policy
enforcement. The two-layer isolation policy implements logical isolation of network
policies and refined management and control of user rights, ensuring network
security.

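The IP-Group synchronization described earlier (the controller pushes the IP-address-to-group association to switches, so the authentication point and the policy point can be different devices) and the two isolation layers just described can be modelled together. This is an added example, not NCE-Campus code: the device names, IP addresses, VN and group names, the policy table, and the default-deny behaviour for unresolvable addresses are all constructed assumptions.

```python
"""IP-Group synchronisation and the two-layer isolation policy, as described above.

Added example, not NCE-Campus code.  A controller learns IP -> (VN, group) bindings
from an authentication point and syncs them to policy points; the border decides
VN isolation and the edge decides user-group policy.  Names, addresses, groups and
the default-deny rule for unknown addresses are constructed assumptions.
"""
from ipaddress import ip_address


class Controller:
    """NCE-Campus role: owns user -> (VN, group), learns IP bindings, syncs them."""

    def __init__(self):
        self.user_group = {}   # user -> (vn, group), provisioned by the administrator
        self.ip_binding = {}   # ip -> (vn, group), learned at authentication or static
        self.switches = []     # policy points that may receive the sync

    def provision_user(self, user, vn, group):
        self.user_group[user] = (vn, group)

    def bind_static(self, ip, vn, group):
        """Static binding for resources that never authenticate (e.g. a server)."""
        self.ip_binding[str(ip_address(ip))] = (vn, group)
        self.sync()

    def report_authentication(self, user, ip):
        """Called by an authentication point once a user has logged in with this IP."""
        self.ip_binding[str(ip_address(ip))] = self.user_group[user]
        self.sync()

    def sync(self):
        # Only devices configured to need the entries receive them, which keeps the
        # synchronisation load down ("set which devices require synchronization").
        for sw in self.switches:
            if sw.sync_enabled:
                sw.ip_group = dict(self.ip_binding)


class AuthPoint:
    """Authentication point (for example an ME60 or access switch); enforces no policy."""

    def __init__(self, controller):
        self.controller = controller

    def login(self, user, ip):
        self.controller.report_authentication(user, ip)


class PolicyPoint:
    """A free-mobility switch that enforces policy from the synced IP -> group table."""

    def __init__(self, name, role, sync_enabled, group_policy):
        self.name, self.role, self.sync_enabled = name, role, sync_enabled
        self.ip_group = {}
        self.group_policy = group_policy   # {(src_group, dst_group): "permit" | "deny"}

    def evaluate(self, src_ip, dst_ip):
        src = self.ip_group.get(str(ip_address(src_ip)))
        dst = self.ip_group.get(str(ip_address(dst_ip)))
        if src is None or dst is None:
            return "deny", "unknown-group"   # assumption: unresolvable traffic is denied
        (src_vn, src_group), (dst_vn, dst_group) = src, dst
        if src_vn != dst_vn:
            return "deny", "vn-isolation"    # layer 1 (macro): VNs never intercommunicate
        if self.role == "border":
            return "permit", "same-vn"       # the border leaves intra-VN policy to the edge
        # Layer 2 (micro): inter-group policy inside the VN, enforced at the edge.
        return self.group_policy.get((src_group, dst_group), "deny"), "group-policy"


def run_demo():
    """Constructed scenario: two VNs, three groups, one server, one unsynced switch."""
    nce = Controller()
    policy = {("staff", "finance-server"): "permit", ("guest", "finance-server"): "deny"}
    border = PolicyPoint("border", "border", True, policy)
    edge = PolicyPoint("edge", "edge", True, policy)
    unsynced = PolicyPoint("edge-nosync", "edge", False, policy)
    nce.switches = [border, edge, unsynced]
    nce.provision_user("alice", "office-vn", "staff")
    nce.provision_user("bob", "office-vn", "guest")
    nce.provision_user("cam01", "iot-vn", "camera")
    nce.bind_static("10.1.100.1", "office-vn", "finance-server")
    auth = AuthPoint(nce)   # a separate device from every policy point
    for user, ip in [("alice", "10.1.1.10"), ("bob", "10.1.2.20"), ("cam01", "10.9.0.5")]:
        auth.login(user, ip)
    return {
        "alice->finance (edge)": edge.evaluate("10.1.1.10", "10.1.100.1"),
        "bob->finance (edge)": edge.evaluate("10.1.2.20", "10.1.100.1"),
        "camera->finance (border)": border.evaluate("10.9.0.5", "10.1.100.1"),
        "alice->finance (unsynced edge)": unsynced.evaluate("10.1.1.10", "10.1.100.1"),
    }
```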
• Now, let's look at how NCE (Campus) automates the construction of multi-branch
interconnected campuses.
• The NCE-Campus multi-campus interconnection automation solution includes
physical network deployment automation and service policy provisioning
automation. It implements quick initial deployment of network devices, automatic
policy provisioning and management, and application-based intelligent traffic
steering. A single management platform provides a converged GUI and end-to-end
configuration, doubling management efficiency and reducing deployment costs.

• There are two typical scenarios for multi-campus interconnection. The first is direct
interconnection through IPSec VPN. In this scenario, data is transmitted in
encrypted form to improve transmission security. ARs and firewalls are supported;
in the projects encountered so far, firewalls are mainly used to build this mode.
Full mesh and hub-spoke networking are supported, third-party sites can be
interconnected, and intelligent link selection based on packet loss and delay is
possible. Note that this link selection is based on link quality, not on applications.

• The second scenario, which is usually the focus, is interconnection through
SD-WAN, also called LAN-WAN convergence. AR devices are supported. The scenario
is one where multiple links (such as MPLS and Internet) exist between branches
and the headquarters. If there is only a single link between a branch and the
headquarters, the solution is unnecessary and cannot deliver its unique value. The
solution supports BGP-EVPN, full mesh and hub-spoke networking, application-based
intelligent traffic steering, access control, and QoS policies.
• Multi-branch interconnection, that is, LAN-WAN convergence, can be completed
in four configuration steps, for which NCE-Campus provides a guide page. Step 1:
Configure the WAN egress interconnection, the WAN networking structure, and the
site interconnection channels. Step 2: Configure the LAN campus network in the
headquarters and branches as required, including SSIDs and switch ports. Step 3:
Configure LAN-WAN interface routes to implement LAN-WAN service
interconnection. Step 4: Configure WAN-side traffic policies, such as intelligent
traffic steering and local Internet access. After these four steps, the LAN-WAN
interconnection service is provisioned.

• In terms of routine monitoring, monitoring information is displayed in an
end-to-end manner. Terminal information shows the network access status of
terminals, such as online duration and packet loss rate. The device side shows the
version, interfaces, running status, alarm statistics, alarm clearance, device health
status, and device topology within a site. The WAN side shows WAN links and WAN
application information. Note that LAN-WAN convergence must be configured
before WAN-side capabilities are displayed.

• During site and topology monitoring, you can monitor device health status,
detailed information, device status, and WAN statistics in a unified manner. The
topology displays IP+POL device information, including network connection,
device information, and link information. You can quickly switch to the detailed
monitoring page of an independent device through the topology.
• The PMI capability integrates Huawei's years of data communication network
PMI expert experience library to detect potential network problems. Note that
only the MSP administrator can perform this function. After the inspection is
complete, an inspection report is generated. In the report, you can view the basic
information, problem analysis, and description of the devices on the current
network. You can adjust the network in time based on the suggestions in the
report to avoid problems.

• In addition, NCE (Campus) provides comprehensive O&M of itself, including system
monitoring, fault diagnosis, backup, and restoration, so that problems in its own
system can be handled quickly and the impact on services reduced.
• System monitoring:
▫ Node monitoring: monitors the status of each node in the NCE-Campus cluster.
▫ Service monitoring: monitors service resources.
▫ Middleware monitoring: monitors key middleware metrics.
▫ Business monitoring: monitors key product business metrics.
• Fault diagnosis:
▫ Fault diagnosis: fault prediction, fault analysis, historical problem matching, and
resource change query.
▫ Health check: checks and evaluates the hardware, operating system, database,
network, and services.
▫ Data collection: collects fault data by fault scenario, microservice, or directory.
• Backup and restoration:
▫ Backup: manual or scheduled backup of product data, applications, and database
applications.
▫ Restoration: restores the database, applications, product data, and so on.
• In terms of deployment, NCE supports direct deployment on physical machines
and virtualized deployment. The preferred options are an x86 server with the
EulerOS operating system bundled with the software, or an x86 server running
virtualization with the bundled EulerOS operating system installed.
• Campus can be deployed in multiple modes. How do we select a deployment
mode suitable for a customer?
• As shown in the following figure, the main selection criteria are the number of
managed devices, the number of access authentication users, and the advanced
controller capabilities required, such as LAN-WAN convergence, terminal
plug-and-play, and SRv6.
• Answer: ABCD
• In the following part of this course, iMaster NCE-CampusInsight will be
abbreviated as CampusInsight.
• Answer: ABCD
• The detailed drawing of the coverage area must be available.

• The number of access users provides reference for determining the number of
access STAs.

• The power supply mode for APs must also be considered.


• When switches are used for PoE power supply, the length of an Ethernet cable
between an AP and a switch cannot exceed 80 m. If PoE++ power supply is used,
the length of an Ethernet cable can reach up to 200 m.

• For areas with few coverage requirements, coverage is not provided. Typical
areas include the bathrooms, staircases, equipment rooms, and archive rooms.
• Generally, the dual-band signal strength for indoor coverage must be greater than
–65 dBm, and that for outdoor coverage must be greater than –70 dBm.

• Concurrency indicates that uplink and downlink services run simultaneously.

• Common Internet access/email: 512 kbps
• SD video: 2 Mbps
• Ceiling mounting is recommended.

• The distance of a PoE power cable cannot exceed 100 m.


• Select an obstacle to be tested, which can be a typical indoor obstacle or an
obstacle made of uncertain materials. If necessary, test the signal attenuation of
the ceiling and floor.

• Place the test AP (as the signal source) at a proper position and power it on.
Keep a certain distance between the AP and the obstacle and ensure that there is
no blocking between them. Do not place the AP too close to the obstacle, because
the signal strength fluctuates greatly near the signal source, which affects the
test accuracy.

• Use a signal scanning tool to test the field strength on both sides of the obstacle.
The signal attenuation of the obstacle is the difference between the field
strength values obtained on both sides.

• For example, as shown in the figure above, deploy a Fat AP as the test AP. The
field strength values of 2.4 GHz and 5 GHz signals are both –50 dBm at test
point 1, but –60 dBm and –65 dBm respectively at test point 2. Therefore, the
signal attenuation of the obstacle is 10 dB at 2.4 GHz and 15 dB at 5 GHz.
• SISO
▫ In SISO, there is a unique path between the TX antenna and the RX
antenna. Apparently, such transmission is unreliable and rate limited. To
address this issue, we add more antennas on the receiver (STA) so that two
or more signals can be received concurrently, that is, single-input multiple-
output (SIMO).
• SIMO
▫ There are two paths between the TX antenna and RX antennas. Data is sent
from the same TX antenna, and therefore only one signal is transmitted,
doubling reliability. This mode is also known as receive diversity.
• MISO
▫ There are two paths between TX antennas and the RX antenna. Only one
RX antenna exists, and therefore the TX antennas can send only the same
data along the two paths. The effect is similar to that of SIMO. This mode
is also known as transmit diversity.
• MIMO
▫ MIMO technology allows multiple antennas to send and receive spatial
streams (multiple signals) simultaneously and to differentiate the signals
sent to or received from different spaces. By leveraging technologies such
as spatial reuse (SR) and space diversity (SD), MIMO boosts system
capacity, coverage scope, and SNR without increasing the occupied
bandwidth.
• 27013721 Omni-directional Antenna, 2400~2500MHz & 5150~5850MHz, 4/7dBi, linear
polarized, 5W, N-male, without mounting parts (H: omnidirectional; V: 30°/15°)
• 27013720 Directional Antenna, N-female, with bracket, 8dBi@2.4GHz & 8dBi@5GHz
(H70 V70 @ dual-band)
• 27013718 Directional Antenna, N-female, with bracket, 13dBi@2.4GHz & 16dBi@5GHz
(H: 33°/18°; V: 33°/18°)
• According to the country code of China, the indoor EIRP of 5 GHz is 23 dBm, and
that of 2.4 GHz is 20 dBm.
• EIRP is short for Effective Isotropic Radiated Power.
• All the preceding specifications are based on the assumption that the AP supports
Wi-Fi 6 4x4 HE40 mode and STAs support Wi-Fi 6 dual spatial streams.
• The total number of people refers to the total number of users connected to the
WLAN in this scenario (number of access users).
• Concurrency rate x Total number of access users = Number of concurrent users,
which is the number of users on the WLAN that are transmitting data at the
same time.
• The concurrency rate is usually an empirical value.
• Local power supply is inconvenient, and exposed power cables bring security risks.
• PoE modules save the need of local power supply, but bring potential fault risks
and are hard to maintain.
• The PoE power supply mode facilitates installation and provides convenient,
stable, and secure power supply.
• Hybrid copper-fiber cable (hybrid cable for short): Data is transmitted over the
optical fiber in the hybrid cable, with the network port providing power supply.
The power supply distance can reach 200 m.
▫ Advantages: one-off cabling, low cost, and long service life; applicable to
long-distance power supply scenarios, with fewer distance limitations than PoE
power supply.
▫ Disadvantages: hybrid optical-electrical switches are required, which are costly.
Optical modules are expensive, and each hybrid cable occupies one optical port and
one electrical port, consuming many switch port resources.
Select a power supply mode based on the AP power requirements:
• PoE power supply standards:
▫ PoE: IEEE 802.3af, with the maximum power supply of 12.95 W
▫ PoE+: IEEE 802.3at, with the maximum power supply of 25.5 W
▫ PoE++: IEEE 802.3bt, with the maximum power supply of 81.6 W
Wi-Fi 6 APs require 802.3bt power supply.
• Local power supply using a power module (Power supply requirements of Wi-Fi 5
and Wi-Fi 6 need to be considered.)
• Local AC power supply
• Cabling design rules:
▫ In normal cases, the length of an Ethernet cable cannot exceed 100 m due to
signal attenuation. In actual projects, Ethernet cables are often used to supply
power to APs, and an Ethernet cable longer than 80 m degrades network quality.
Therefore, it is recommended that Ethernet cables in actual projects do not exceed
80 m.
▫ It is recommended that about 5 m of extra Ethernet cable be reserved during AP
deployment so that AP positions can be adjusted later to optimize WLAN signals. If
signal quality is poor, engineers can then flexibly adjust AP positions to ensure
good coverage.
▫ To avoid interference from high-voltage cables, it is recommended that
low-voltage cables be deployed as far as possible from strong electromagnetic
fields.
▫ When planning the cables, communicate with the customer in advance so that
construction is not blocked for reasons of property, aesthetics, and so on.
• Outdoor installation rules:
▫ The azimuth and downtilt of an antenna can be adjusted on the mounting bracket.
▫ Antennas that do not require angle adjustment can be mounted directly on a wall.
▫ Install outdoor omnidirectional antennas at a height of 4 m to 6 m and
directional antennas at a height of 6 m to 8 m.
▫ 1. A

▫ 2. ABD
• A leader AP cannot be deployed together with a WAC. If a WAC is deployed on
the network, it is recommended that the leader AP be switched to the Fit mode
and be managed by the WAC.
• A leader AP can manage Fit APs running the same VxxxRxxxCxx version as itself
and Fit APs of the earlier two R versions. For example, a leader AP running
V200R020C10 can manage Fit APs running V200R010C00.
• Leader AP is an extended Fat AP mode. If an AP works in Fit mode, you need to
switch its working mode to the Fat mode, restart the AP, and restore its factory
settings.
• Obtain the Huawei Wi-Fi 6 Leader AP Technology White Paper from
https://e.huawei.com/en/material/networking/campus-
network/wlan/4ae75e7ea95a4da0b5567e0f3bbe8ecf.
• A leader AP functions like a WAC. In independent networking, the NCE
management platform is not used, and the leader AP can manage only a small
number of Fit APs. In the cloud management architecture, NCE manages APs in a
unified manner. One AP is elected as a leader AP that provides WAC functions
and implements roaming. The specifications of the leader AP are higher than
those in independent networking. The management specifications are as follows
in ascending order: Leader AP + APs < NCE + APs < WAC + APs. The configuration
management capability of the leader AP in independent networking is different
from that of NCE.
• A leader AP cannot connect to iMaster NCE-CampusInsight or eSight.
• The Fat AP architecture is also called the autonomous network architecture. It does
not require a dedicated device for centralized control, and can implement
functions such as wireless user access, service data encryption, and service data
packet forwarding.

• A Fat AP works independently and requires no additional centralized control
device. Therefore, Fat APs are easy to deploy and cost-effective. These advantages
make the Fat AP architecture most suitable for home WLANs. For enterprises,
however, the independent autonomy of Fat APs becomes a disadvantage.

• As the WLAN coverage area and the number of access users increase, more and
more Fat APs are required. No unified control device is available for these
independently working Fat APs, so managing and maintaining them is difficult. For
example, to upgrade the AP software version, you must upgrade each Fat AP
separately, which is time-consuming and labor-intensive. The Fat AP architecture
cannot meet the roaming requirements of STAs in a larger coverage area, and it
cannot support complex services, such as priority policy control based on the data
types of different network users.

• Therefore, the Fat AP architecture is not recommended for enterprises. Instead,
the WAC + Fit AP, cloud management, and leader AP architectures are more
suitable.
▫ Security: Fat APs cannot be upgraded in a unified manner, which cannot
ensure the latest security patches are installed on APs of all versions. In the
WAC + Fit AP architecture, security capabilities are mainly implemented on the
WAC, and you only need to perform the software upgrade and security
configuration on the WAC. This allows for quick global security configuration.
Additionally, to prevent malicious code from being loaded, the WAC performs
digital signature authentication on the software, enhancing the security of the
upgrade process. The WAC also implements some security functions that are
not supported by the Fat AP architecture, including advanced security features
such as virus detection, uniform resource locator (URL) filtering, and stateful
inspection firewall.
▫ Upgrade and expansion: The centralized management mode of this
architecture enables APs connected to the same WAC to run the same
software version. When an upgrade is required, the WAC obtains the new
software package or patch and then upgrades the AP version. The separation
of AP and WAC functions prevents frequent AP version upgrades. You only
need to update the user authentication, network management, and security
functions on the WAC.
• In Layer 2 networking, the WAC and Fit APs are located in the same broadcast
domain. The Fit APs can discover the WAC by broadcasting packets. The
networking, configuration, and management are simple. However, this mode is
not applicable to large-scale networks.

• In Layer 3 networking, the WAC and Fit APs are located in different network
segments, making the configuration complex. The intermediate network must
ensure that the WAC and Fit APs are reachable to each other. Additional
configurations are required to enable the Fit APs to discover the WAC. Layer 3
networking is suitable for large- and medium-sized networks. For example, on a
large campus network, APs are deployed in each building for wireless coverage,
and the WAC is deployed in the core equipment room for unified management
and control. In this case, a complex Layer 3 network must be deployed between
the WAC and Fit APs. When the WAC and APs are connected through a Layer 3
network and the APs discover the WAC in DHCP or DNS mode (the WAC
functioning as a DHCP server), the devices between the WAC and APs must
support the DHCP relay function.
• In-path networking:
▫ In this networking, APs or access switches are directly connected to a WAC. The
WAC also functions as an aggregation switch to forward and process the data and
management services of APs.
▫ CAPWAP management tunnels are established between the WAC and APs,
through which the WAC centrally manages and controls the APs. Service data of
wireless users can be forwarded between the WAC and APs over CAPWAP data
tunnels (tunnel forwarding mode) or be forwarded directly by the APs (direct
forwarding mode).
▫ Since the WAC is deployed in in-path mode, the direct forwarding mode is used
in most cases and users' service data is forwarded by the APs.
▫ In direct forwarding mode, management flows of APs are encapsulated in
CAPWAP tunnels, while data flows of APs are not. Instead, APs send data flows to
the WAC, which transparently transmits them to upper-layer devices. As shown in
the figure above, data flows of APs are transparently transmitted by the WAC to
the upper-layer devices, and management flows of APs are encapsulated in
CAPWAP tunnels. Service flows are identified by VLAN IDs.
• Off-path networking:

▫ A WAC is connected (usually to an aggregation switch) in off-path mode on the
live network to manage the WLAN services of APs.

▫ The WAC manages APs, and management flows are encapsulated and
transmitted over CAPWAP tunnels. Data service flows can be forwarded by the
WAC over CAPWAP data tunnels, or forwarded to the upper-layer network by
the aggregation switch without passing through the WAC.

▫ The APs deployed within the management scope of the aggregation switch
are managed by the WAC connected to the aggregation switch in off-path
mode. The WACs are centrally deployed. This networking mode applies to
scenarios where APs are scattered across hot spots.

▫ The off-path networking mode rarely changes the existing network structure
and can be deployed quickly. The direct or tunnel forwarding mode can be
selected according to networking requirements. Tunnel forwarding is
recommended for most enterprise networks, which is commonly used for
overlay network deployment.
• In direct forwarding mode, service data of wireless users is translated from 802.3
packets into 802.11 packets on APs, which are then forwarded by the upstream
aggregation switch.

• The WAC only manages APs, and service data is directly forwarded. Management
flows of APs are encapsulated in CAPWAP tunnels and terminated on the WAC.
Service flows of APs are directly forwarded to switching devices without being
encapsulated in CAPWAP tunnels.

• This networking mode is commonly used. Service data of wireless users does not
need to be processed by the WAC, eliminating the bandwidth bottleneck and
facilitating the usage of existing security policies. Therefore, this networking
mode is recommended for integrated network deployment.
• Local forwarding of data packets

▫ The WAC only manages APs, and service data is directly forwarded.
Management flows of APs are encapsulated in CAPWAP tunnels and
terminated on the WAC. Service flows of APs are directly forwarded to
switching devices without being encapsulated in CAPWAP tunnels.
• Centralized forwarding of data packets

▫ Service data packets are encapsulated by APs and then transmitted to the
WAC for forwarding. The WAC manages the APs and forwards traffic of APs.
Management flows and data flows are encapsulated in CAPWAP tunnels and
then transmitted to the WAC.
• A local AC occupies four AP management licenses on the Navi AC.
• When a large enterprise deploys a WLAN to provide access services for
employees, the WLAN also needs to provide wireless access services for guests.
However, guest data may pose security threats to the network. To solve this
problem, Huawei provides the Navi AC networking architecture. With this
architecture, the enterprise can divert guest traffic to the Navi AC in the DMZ for
centralized management, thereby implementing security isolation between
employees and guests.

• Employee traffic is forwarded on the enterprise intranet, and employees can
access intranet servers. Guest traffic is forwarded to the DMZ through the
CAPWAP tunnel. Guests then obtain IP addresses and are authenticated in the
DMZ in a unified manner. Only servers in the DMZ and the Internet are
accessible to the guests.
• Uplink traffic (AP -> local AC -> Navi AC)
▫ When an AP receives an uplink service data packet and the VAP uses the
tunnel forwarding mode, the AP encapsulates the packet using CAPWAP and
sends the encapsulated packet to the local AC.
▫ After receiving the packet, the local AC decapsulates the packet and identifies
the VAP to which the packet belongs. Then the local AC determines the VAP
type. If the VAP type is Navi AC, the local AC encapsulates the packet again
using CAPWAP, adds the Navi VAP flag (that is, WLAN ID for CAPWAP tunnel
establishment between the local AC and Navi AC) and user VLAN, and then
forwards the packet to the Navi AC.
▫ The Navi AC decapsulates the received packet, identifies the VAP based on the
Navi VAP flag, and executes the corresponding VAP services (such as
authentication).
• Downlink traffic (Navi AC -> local AC -> AP)
▫ When receiving a downlink service data packet, the Navi AC executes the
corresponding downlink services. Then it encapsulates the packet and
forwards it to the local AC.
▫ After receiving the packet, the local AC decapsulates it. Then it encapsulates
the packet again using CAPWAP and forwards it to the AP.
▫ After receiving the packet, the AP decapsulates it. If the packet is a unicast
packet, the AP forwards it based on the forwarding table. If the packet is a
broadcast packet, the AP forwards it based on the VLAN.
• This is a special WLAN scenario, in which a large number of STAs access an area
and then roam to other areas. As a result, the number of STAs in this access area
greatly increases, requiring a large number of IP addresses. Typical areas include
the entrance of a stadium and the lobby of a hotel. Therefore, this phenomenon
is generally called the entry effect. In this scenario, if one SSID maps to only one
VLAN that maps to one subnet, when a large number of STAs access the network
from an area, only expanding the corresponding subnet can ensure that STAs can
obtain IP addresses. However, this may enlarge the broadcast domain, leading to
transmission of a large number of broadcast packets, such as ARP and DHCP
packets, and causing severe network congestion. In this scenario, the VLAN pool
can be used as the service VLAN. The VLAN pool provides the VLAN management
and assignment algorithms. In this way, one SSID can map to multiple VLANs so
that a large number of STAs can be distributed to different VLANs, narrowing
down the broadcast domain.
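The VLAN pool behaviour described above, as an added simulation (not Huawei's code): one SSID is mapped to several service VLANs, each STA is placed in one of them, and the per-VLAN broadcast domains stay small. The assignment rules ("hash" keeps a re-associating STA on its previous VLAN, "even" is round-robin), the VLAN-to-subnet plan and the MAC addresses are assumptions.

```python
"""Simulated VLAN pool for the 'entry effect': one SSID mapped to several
service VLANs so that a crowd of STAs is spread over several small broadcast
domains instead of one enlarged subnet. Added illustration, not Huawei's
code; the assignment rules, VLAN-to-subnet mapping and MAC addresses are
assumptions."""
import hashlib
import ipaddress
from collections import Counter


class VlanPool:
    """'hash' keeps a re-associating STA on the VLAN it used before;
    'even' spreads new STAs round-robin over the pool."""

    def __init__(self, name, vlans, algorithm="hash"):
        if not vlans:
            raise ValueError("a VLAN pool needs at least one VLAN")
        if algorithm not in ("hash", "even"):
            raise ValueError(f"unknown assignment algorithm: {algorithm}")
        self.name = name
        self.vlans = sorted(set(vlans))
        self.algorithm = algorithm
        self._next = 0
        self.bindings = {}          # STA MAC -> service VLAN

    @staticmethod
    def _norm(mac):
        return mac.lower().replace("-", ":")

    def assign(self, mac):
        mac = self._norm(mac)
        if mac in self.bindings:    # STA already online: keep its VLAN and address
            return self.bindings[mac]
        if self.algorithm == "hash":
            h = int.from_bytes(hashlib.sha256(mac.encode()).digest()[:4], "big")
            vlan = self.vlans[h % len(self.vlans)]
        else:
            vlan = self.vlans[self._next % len(self.vlans)]
            self._next += 1
        self.bindings[mac] = vlan
        return vlan

    def release(self, mac):
        self.bindings.pop(self._norm(mac), None)

    def domain_sizes(self):
        """STAs per VLAN, i.e. per broadcast domain."""
        return dict(Counter(self.bindings.values()))


def subnet_for_vlan(vlan):
    """Constructed addressing plan: VLAN n -> 10.1.n.0/24."""
    return ipaddress.ip_network(f"10.1.{vlan}.0/24")


def subnet_can_hold(subnet, sta_count):
    """Usable host addresses (no network/broadcast) minus one for the gateway."""
    return sta_count <= subnet.num_addresses - 3


def entry_effect(sta_count, vlans, algorithm="even"):
    """Spread `sta_count` constructed STAs over the pool and report whether
    every VLAN's /24 still has room, versus squeezing them all into one /24."""
    pool = VlanPool("lobby-pool", vlans, algorithm)
    for i in range(sta_count):
        pool.assign("02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF))
    sizes = pool.domain_sizes()
    per_vlan_ok = all(subnet_can_hold(subnet_for_vlan(v), n) for v, n in sizes.items())
    single_ok = subnet_can_hold(subnet_for_vlan(vlans[0]), sta_count)
    return {"sizes": sizes, "pool_fits": per_vlan_ok, "single_vlan_fits": single_ok}
```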
• During the network design, consider the redundancy design for devices and links
and deploy switchover policies. In this way, the system functions are not affected
even if a single point of failure occurs. The WAC backup design is essential to the
WAC + Fit AP architecture.

• HSB service backup in real time involves backup of the following information:
▫ User data information

▫ CAPWAP tunnel information

▫ AP entries

▫ DHCP address information


• The HSB channel can be carried by the direct physical link between the WACs or
by a switch. For example, the HSB channel can reuse the physical channel
through which VRRP packets are exchanged.
• HSB service backup in real time involves backup of the following information:
▫ User data information
▫ CAPWAP tunnel information
▫ AP entries
▫ Load balancing is supported.
• When the CAPWAP tunnel between an AP and the active WAC is disconnected,
the AP attempts to establish a CAPWAP tunnel with the standby WAC. After the
new CAPWAP tunnel is established, the AP restarts and obtains configurations
from the standby WAC. During this process, services are affected.
• This function is valid only in local forwarding mode, but does not work in tunnel
forwarding mode.
• Some small and micro enterprises want to build their own wireless networks and
manage the networks independently, but do not want to use the cloud
management architecture. In the Fat AP architecture, APs cannot be managed
and maintained in a unified manner and roaming is not supported. In the WAC +
Fit AP architecture, the WAC and licenses are expensive. However, in scenarios with
a small number of STAs and small wireless coverage areas, only a small number of
APs are required. If an AP can manage other APs and provide unified O&M and
continuous roaming capabilities, the requirements of small and micro enterprises
can be met. The leader AP architecture designed by Huawei can meet these
requirements.
• Only APs are deployed in the leader AP architecture. After purchasing APs, you
can configure one AP to work in leader AP mode, and configure other APs to
connect to the network in Fit mode and communicate with the leader AP at
Layer 2. The leader AP broadcasts its role on the Layer 2 network, and other APs
automatically discover the leader AP and connect to it. Similar to a WAC, the
leader AP provides centralized wireless resource management and roaming
management, as well as unified access management, configuration, and O&M
based on CAPWAP tunnels. You only need to log in to the leader AP to configure
wireless services. All APs provide the same wireless services, and STAs can roam
between different APs.
• Traditional network solutions have many network deployment problems, such as
high deployment costs and difficult O&M, especially for enterprises with many
branches or geographically dispersed branches. The cloud management
architecture can solve these problems. The cloud management platform can
centrally manage and maintain devices at any place, greatly reducing network
deployment and O&M costs.
• Compared with the traditional WAC + Fit AP architecture, the cloud management
architecture has the following advantages:
▫ Plug-and-play and automatic deployment: reduce network deployment costs.

▫ Unified O&M: All cloud managed NEs are monitored and managed on the
cloud management platform in a unified manner.

▫ Tools: Cloud solutions usually provide various tools on the cloud, reducing the
OPEX. For example, Huawei CloudCampus Solution provides end-to-end cloud
tools, such as the CloudCampus APP.
• iMaster NCE-Campus is Huawei's cloud management platform and a core
component of Huawei CloudCampus Solution. It centrally manages Huawei
network devices, such as APs, ARs, switches, and firewalls. iMaster NCE-Campus
not only implements unified multi-tenant management, plug-and-play of
network devices, and batch deployment of network services, but also provides
APIs for interconnection with third-party platforms to expand more VASs.
• Cloud APs have the same core algorithm logic for radio calibration as traditional
WACs. To be specific, APs detect and collect information about neighboring
radios and interference, and report the information to the calibration computing
engine. After the computing is complete, the calibration computing engine
delivers the allocated channel and power configuration to each AP.
• Different from the traditional network where the calibration computing engine is
deployed on the WAC, the cloud managed network has the calibration
computing engine deployed on the leader AP.

• Radio calibration of cloud APs depends on the leader AP elected in the AP group.
The number of APs that the leader AP can manage is limited and varies
according to the AP model. For example, the AP4050DN-E can manage a
maximum of 50 APs and the AP6050DN can manage a maximum of 128 APs. If
the number of APs exceeds the management capability of the leader AP, network
planning is required. Management VLANs need to be planned for AP grouping.
When there are a large number of APs in a management VLAN, the APs are
automatically divided into multiple groups.
• Radio calibration is performed on a WLAN in a continuous area. Therefore, it is
recommended that APs be grouped by area, such as by floor, to ensure that APs
in a group are in the same area. This maximizes the calibration effect.
• Roaming neighbor: An AP detects neighboring APs through the air interface. If
two APs at the same site use the same SSID, they can detect each other and are
roaming neighbors to each other. (An AP can have up to 64 roaming neighbors.)

• Each AP establishes CAPWAP control tunnels with its roaming neighbors through
wired links for transmitting roaming information.
• When a STA goes online on AP1, AP1 synchronizes the STA's MAC address to all
its roaming neighbors (such as AP2). The roaming neighbors save the STA's MAC
address. When the STA goes offline or roams, the MAC address is changed
accordingly.
• When the STA roams from AP1 to AP2, AP2 searches the roaming table to
determine whether the STA is a roaming STA and the AP from which it roams.
After obtaining the information about the AP from which the STA roams, AP2
obtains the STA information (such as the VLAN ID, IP address, authentication
result, and authorization group) from the AP and generates a user entry.

• After the STA roams to AP2, AP2 notifies its neighboring APs of the STA
information so that the STA can roam from AP2 to another AP. AP1 instructs its
neighbors to delete the STA information.
• The APs through which a STA roams are on the same Layer 2 network. After the
STA roams to a new AP, the AP can directly forward the STA's packets.
• Roaming neighbor: An AP detects neighboring APs through the air interface. If
two APs at the same site use the same SSID, they are roaming neighbors to each
other. The link establishment and STA information synchronization processes in
Layer 3 roaming are the same as those in Layer 2 roaming.
• HAP selection: The HAP is selected among the neighboring APs in the same
service VLAN. Multiple APs can be selected as the HAPs to prevent the STA's
traffic from being sent back to the same AP after Layer 3 roaming, which may
cause a performance bottleneck.
• When the STA goes online on an AP, the AP selects an HAP among its Layer 2
neighbors (in the same service VLAN) for the STA using the hash algorithm.
When the STA roams at Layer 3, the STA's traffic is sent to the HAP through the
tunnel.
• When the STA roams, the HAP obtains the STA information from the original AP,
including the HAP information of the STA. If the STA roams at Layer 3, the new
AP establishes a CAPWAP data tunnel with the HAP. The STA's traffic is sent back
to the HAP selected when the STA goes online.
• Each time the STA roams at Layer 3, the STA establishes a tunnel with the
original HAP. No matter where the STA roams, its traffic is sent back to the
initially selected HAP.
• If the STA roams back to the original Layer 2 domain, the HAP information is still
migrated with the roaming entry. However, the STA's traffic does not need to be
forwarded to the HAP, and can be directly forwarded by the new AP.
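The Layer 2 and Layer 3 roaming flow described above, as an added simulation (not Huawei's implementation): neighbors synchronise STA MAC addresses, the new AP fetches the user entry from the AP the STA came from, and a roam outside the HAP's Layer 2 domain tunnels traffic back to the HAP chosen at access time. The hash rule for HAP selection, the AP names and the addresses are assumptions.

```python
"""Simulation of inter-AP roaming: roaming neighbors synchronise STA MAC
addresses, the new AP fetches the user entry from the previous AP, and a
Layer 3 roam tunnels traffic back to the HAP chosen when the STA went online.
Added illustration, not Huawei's implementation; the hash rule, AP names and
addresses are assumptions."""
import hashlib

MAX_ROAMING_NEIGHBORS = 64   # per-AP limit stated in the course notes


class AP:
    def __init__(self, name, service_vlan, l2_domain):
        self.name = name
        self.service_vlan = service_vlan
        self.l2_domain = l2_domain      # wired Layer 2 network behind the AP
        self.neighbors = set()          # roaming neighbors (same site, same SSID)
        self.users = {}                 # MAC -> user entry of STAs on this AP
        self.roaming_table = {}         # MAC -> name of the AP the STA is on


class Site:
    def __init__(self):
        self.aps = {}

    def add_ap(self, name, service_vlan, l2_domain):
        self.aps[name] = AP(name, service_vlan, l2_domain)

    def add_neighbor(self, a, b):
        """Two APs that hear each other with the same SSID become neighbors."""
        ap_a, ap_b = self.aps[a], self.aps[b]
        if max(len(ap_a.neighbors), len(ap_b.neighbors)) >= MAX_ROAMING_NEIGHBORS:
            raise RuntimeError("roaming neighbor limit (64) reached")
        ap_a.neighbors.add(b)
        ap_b.neighbors.add(a)

    def _select_hap(self, ap, mac):
        """HAP: hash choice among the AP and its Layer 2 neighbors in the same
        service VLAN, so different STAs get different HAPs (no single bottleneck)."""
        candidates = sorted(
            n for n in ap.neighbors | {ap.name}
            if self.aps[n].service_vlan == ap.service_vlan
            and self.aps[n].l2_domain == ap.l2_domain)
        h = int.from_bytes(hashlib.sha256(mac.encode()).digest()[:4], "big")
        return candidates[h % len(candidates)]

    def _sync(self, ap, mac):
        """The AP tells its roaming neighbors that the STA is now on it."""
        for n in ap.neighbors:
            self.aps[n].roaming_table[mac] = ap.name

    def _withdraw(self, ap, mac):
        """The AP tells its roaming neighbors to delete the STA."""
        for n in ap.neighbors:
            self.aps[n].roaming_table.pop(mac, None)

    def sta_online(self, mac, ap_name, vlan_id, ip, auth_group):
        ap = self.aps[ap_name]
        ap.users[mac] = {"vlan": vlan_id, "ip": ip, "auth_group": auth_group,
                         "hap": self._select_hap(ap, mac)}
        self._sync(ap, mac)
        return ap.users[mac]["hap"]

    def roam(self, mac, new_ap_name):
        new_ap = self.aps[new_ap_name]
        old_name = new_ap.roaming_table.get(mac)
        if old_name is None or mac not in self.aps[old_name].users:
            return {"kind": "new-online"}    # not a roaming STA: treat as fresh access
        old_ap = self.aps[old_name]
        entry = old_ap.users.pop(mac)        # VLAN, IP, auth result, HAP migrate with the STA
        new_ap.users[mac] = entry
        self._withdraw(old_ap, mac)          # old AP instructs its neighbors to delete
        self._sync(new_ap, mac)              # new AP advertises the STA for the next roam
        hap = self.aps[entry["hap"]]
        return {"kind": "layer2" if new_ap.l2_domain == old_ap.l2_domain else "layer3",
                "from": old_name, "hap": hap.name,
                # a CAPWAP data tunnel to the HAP is needed only while the STA is
                # outside the HAP's Layer 2 domain; back home it forwards directly
                "tunnel_to_hap": new_ap.l2_domain != hap.l2_domain}
```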
• Note:
 Customer flow analysis requires APs to periodically report STA information
(such as the MAC address, IP address, access AP, SSID, and signal strength) to
iMaster NCE. Therefore, you need to enable the function of reporting STA
locations in the settings of the site where the APs reside on iMaster NCE. If
using STA information may pose data security threats, disable this function.
 By default, customer flow analysis is performed by site. To check customer
flow analysis results of some devices at a site, mark APs with tags. One AP can
be marked with multiple tags to facilitate result check from different
dimensions. For example, in shopping mall A, an AP at the entrance of store B
can be marked with the tag A/B/entrance. AP check and terminal behavior
analysis can then be performed based on such tags.
 Huawei CloudCampus Solution for small- and medium-sized campus networks
can be interconnected with third-party terminal behavior management
software to provide more detailed services such as terminal profiling and
behavior analysis. This solution provides APIs for interconnection. Third-party
software can adapt to the APIs to provide customer behavior analysis based
on big data for commercial promotion. If necessary, contact Huawei engineers.
• In the IoT field, Huawei WLAN builds a pipe-based technology platform and
ecosystem to fully leverage advantages of IoT partners, implement multi-network
convergence, and maximize benefits for customers.
 Huawei IoT cloud APs provide pipe-layer capabilities. Specifically, they provide
standard Mini PCIe expansion slots and USB ports for connecting to IoT
modules, and provide uplink data channels.
 Partners provide access-layer capabilities. Specifically, they provide IoT cards
that comply with Huawei's port specifications and connect to Huawei IoT
cloud APs through Mini PCIe ports or USB ports.
 Partners provide terminal-layer capabilities, including tags and wristbands, to
interact with IoT cards.
 Huawei IoT cloud APs only forward uplink and downlink data of IoT cards, but
do not process data of specific IoT service protocols.
• Compared with traditional IoT solutions, Huawei Wi-Fi & IoT convergence
solution offers the following advantages:
 IoT base stations and APs are deployed at the same site, and the Wi-Fi and IoT
networks are converged, facilitating site planning and power supply while
reducing deployment costs.
 APs provide uplink data channels for a unified entry and unified management,
simplifying deployment.
 APs provide pipe-layer capabilities, providing high flexibility and scalability.
• As new technologies such as IoT, big data, cloud computing, and AI are applied
across industries, enterprises are undergoing digital transformation in their
operation and production models. Enterprise campus networks that bridge the
physical and digital worlds face new challenges. To meet the requirements of
increasing data and applications, campus networks must be deployed more
simply and quickly, run more securely and reliably, and be more intelligent in
management and O&M. To cope with the impact and challenges brought by
digital transformation to campus networks and adapt to the development trend
of future campus networks, Huawei proposes a next-generation campus network
architecture — CloudCampus network architecture. The core concepts of the
CloudCampus network architecture include ultra-broadband, simplicity,
intelligence, security, and openness. It is hoped that these concepts can help
network professionals understand future trends of campus networks.
• Devices report KPI information to the WLAN Maintaining Insight (WMI) server
for analysis and monitoring.
• BC
• The detailed drawing of the coverage area must be available.

• The number of access users provides reference for determining the number of
access STAs.

• The power supply mode for APs must also be considered.


• When switches are used for PoE power supply, the length of an Ethernet cable
between an AP and a switch cannot exceed 80 m. If PoE++ power supply is used,
the length of an Ethernet cable can reach up to 200 m.
• The penetration loss of some obstacles can be obtained based on onsite surveys
and empirical data, providing a reference for AP planning and field strength
rendering.

• If outdoor APs are used to provide indoor coverage, WLAN signals may be
blocked by obstacles made of different materials, such as glass, brick walls, or
wooden doors. In this case, penetration loss of these obstacles must be taken into
account for evaluating the link budget to ensure the signal strength in indoor
coverage areas.
• Select an obstacle to be tested, which can be a typical indoor obstacle or an
obstacle made of uncertain materials. If necessary, test the signal attenuation of
the ceiling and floor.

• Place the test AP (as the signal source) at a proper position and power on it.
Keep a certain distance between the AP and the obstacle and ensure that there is
no blocking between them. Do not place the AP too close to the obstacle. This is
because the signal strength fluctuates greatly near the signal source, which
affects the test accuracy.

• Use a signal scanning tool to test the field strength on both sides of the obstacle.
The signal attenuation of the obstacle is the difference between the field
strength values obtained on both sides.

• For example, as shown in the figure above, deploy a Fat AP as the test AP. The
field strength values of 2.4 GHz and 5 GHz signals are both –50 dBm at test
point 1, but –60 dBm and –65 dBm respectively at test point 2. Therefore, the
signal attenuation of the obstacle is 10 dB at 2.4 GHz and 15 dB at 5 GHz.
• Before planning a project, communicate with the customer to determine the
WLAN coverage areas based on the onsite environment and drawings.
• Key coverage areas include office areas and meeting rooms.

• The classification of coverage areas must be confirmed with the customer and
marked on the drawing provided by the customer for subsequent WLAN planning.
• For details about antenna gain, see the AP product documentation.

• The transmission attenuation values of 2.4 GHz and 5 GHz signals need to be
calculated separately.
• The maximum number of concurrent STAs (single-radio) is calculated assuming
that the radio works on the 5 GHz frequency band.
• The maximum number of concurrent STAs (dual-radio) is calculated assuming
that one radio works on the 2.4 GHz frequency band and the other on the 5 GHz
frequency band.
• The maximum number of concurrent STAs (triple-radio) is calculated assuming
that one radio works on the 2.4 GHz frequency band and the other two on the 5
GHz frequency band.
• The table above describes the specifications of an AP (802.11ax, 8x8 MIMO,
HE20). For details about other specifications, see the WLAN Planning
Specifications.

• The specifications in the following slides are based on this kind of AP and assume
that STAs conform to 802.11ax and support dual spatial streams.
• The total number of people refers to the total number of users connected to the
WLAN in this scenario (number of access users).
• Concurrency rate x Total number of access users = Number of concurrent users,
which is the number of users on the WLAN that are transmitting data at the
same time.
• The concurrency rate is usually an empirical value.
• EIRP: Effective Isotropic Radiated Power

• EIRP ≥ AP transmit power + MIMO gain + Antenna gain – Feeder loss


• Determine the local available channels.

▫ Query the available channels in the channel compliance table, and confirm
with the customer.

▫ For example, in China, channels 1, 6, and 11 are available on the 2.4 GHz
frequency band.

▪ To avoid interference between channels, it is required that center
frequencies of two channels on 2.4 GHz are at least 25 MHz apart. It
is recommended that channels 1, 6, and 11 be used alternately.

▫ Channels 149, 153, 157, 161, and 165 are available on the 5 GHz frequency
band.
▫ Some channels may be reserved in different countries or regions. Therefore,
confirm available channels before planning.
• Avoid co-channel interference.
▫ Do not use the same channel on two neighboring APs in any direction.

▫ In the case of multiple floors, avoid overlapping with channels of APs at the
same or adjacent floors.
▫ If channel overlapping cannot be avoided, reduce AP power to minimize the
overlapping areas.
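The channel planning rules above (only locally available channels, no shared channel between neighboring APs on the same or an adjacent floor, center frequencies at least 25 MHz apart, reduce power where overlap is unavoidable), as an added worked example; this is not a Huawei tool, and the AP layout and neighbor radius are constructed.

```python
"""Greedy 2.4 GHz channel plan following the rules in the notes: use only the
locally available channels, never put neighboring APs (same or adjacent
floor, any direction) on the same channel, and keep neighbors' center
frequencies at least 25 MHz apart. Added illustration; the AP coordinates
and the neighbor radius are constructed, not from a real site."""

AVAILABLE_2_4GHZ = {"CN": [1, 6, 11]}   # from the channel compliance example (China)
MIN_SPACING_MHZ = 25


def center_frequency_mhz(channel):
    """2.4 GHz band: channel n is centered at 2407 + 5n MHz (channel 14 is special)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def non_overlapping(ch_a, ch_b):
    return abs(center_frequency_mhz(ch_a) - center_frequency_mhz(ch_b)) >= MIN_SPACING_MHZ


def build_neighbors(aps, radius):
    """aps: name -> (x, y, floor). APs on the same or an adjacent floor within
    `radius` metres in any direction are neighbors whose channels may overlap."""
    neighbors = {name: set() for name in aps}
    names = list(aps)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            xa, ya, fa = aps[a]
            xb, yb, fb = aps[b]
            if abs(fa - fb) <= 1 and ((xa - xb) ** 2 + (ya - yb) ** 2) ** 0.5 <= radius:
                neighbors[a].add(b)
                neighbors[b].add(a)
    return neighbors


def plan_channels(neighbors, available):
    """Assign channels most-constrained AP first. Returns the plan and the APs
    whose overlap could not be avoided (candidates for reduced transmit power)."""
    plan, conflicts = {}, []
    usage = {ch: 0 for ch in available}
    order = sorted(neighbors, key=lambda n: (-len(neighbors[n]), n))   # reproducible
    for ap in order:
        def clashes(ch):
            return sum(1 for n in neighbors[ap] if n in plan and not non_overlapping(plan[n], ch))
        # prefer a channel no assigned neighbor overlaps, then the least used, then the lowest
        ch = min(available, key=lambda c: (clashes(c), usage[c], c))
        plan[ap] = ch
        usage[ch] += 1
        if clashes(ch):
            conflicts.append(ap)
    return plan, conflicts


def verify_plan(plan, neighbors):
    """Neighbor pairs whose center frequencies are closer than 25 MHz."""
    bad = []
    for ap, ns in neighbors.items():
        for n in ns:
            if ap < n and not non_overlapping(plan[ap], plan[n]):
                bad.append((ap, n))
    return sorted(bad)
```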
• Cabling design rules:

▫ In normal cases, the length of an Ethernet cable cannot exceed 100 m due
to signal attenuation. In actual projects, Ethernet cables are often used to
supply power to APs. If an Ethernet cable is longer than 80 m, the network
quality will be affected. Therefore, it is recommended that the length of
Ethernet cables in actual projects do not exceed 80 m.

▫ It is recommended that a length of about 5 m be reserved for an Ethernet
cable during AP deployment for future adjustment to optimize WLAN
signals. If signals are of poor quality, engineers can flexibly adjust AP
positions to ensure good coverage.
▫ To avoid interference of high-voltage cables, it is recommended that low-
voltage cables be deployed as far as possible from strong electromagnetic
fields.
▫ When planning the cables, communicate with the customer in advance so
that project construction will not be forbidden for reasons of property,
aesthetics, etc.
• Experience rate: perceived data rate under a light network load

▫ An experience rate is the target rate that can be achieved in 95% of areas
according to SpeedTest on a light-loaded network where the channel
utilization is less than 20%.
• Service-assured rate: guaranteed rate under a heavy network load

▫ A service-assured rate is the target rate that can be achieved in 90% of
time according to SpeedTest in a multi-user concurrency scenario where the
network load is less than 80%.

• 2.4 GHz @ HT20 indicates that the 2.4 GHz frequency band uses 20 MHz
bandwidth, and 5 GHz @ HT40 indicates that the 5 GHz frequency band uses 40
MHz bandwidth.
• B, A, and C
• Sticky STAs: Some STAs are insensitive to roaming and stay associated with the
original AP even if the AP has poor signal quality and an AP with better signal
quality is available. This phenomenon is called stickiness and these STAs are
called sticky STAs.
• Before planning a project, communicate with the customer to determine the
WLAN coverage areas based on the onsite environment and drawings.
• Key coverage areas include dorm rooms, libraries, classrooms, lobbies, meeting
rooms, offices, and exhibition halls.
• The classification of coverage areas must be confirmed with the customer and
marked on the drawing provided by the customer for subsequent WLAN
planning.
• Local power supply is inconvenient, and exposed power cables bring security risks.
• PoE modules eliminate the need for local power supply, but bring potential fault
risks and are hard to maintain.
• The PoE power supply mode facilitates installation and provides convenient,
stable, and secure power supply.
• Hybrid copper-fiber cable (hybrid cable for short): Data is transmitted over the
optical fiber in the hybrid cable, with the network port providing power supply.
The power supply distance can reach 200 m.
▫ Advantages: one-off cabling, low cost, and long service life; applicable to
long-distance power supply scenarios with fewer distance limitations on PoE
power supply.
▫ Disadvantages: Hybrid optical-electrical switches are required, which are costly.
Optical modules are expensive, and one hybrid cable needs to be connected to
one optical port and one electrical port, occupying a lot of switch port resources.
• Select a power supply mode based on the AP power requirements:
 PoE power supply standards:
▫ PoE: IEEE 802.3af, with a maximum power supply of 12.95 W
▫ PoE+: IEEE 802.3at, with a maximum power supply of 25.5 W
▫ PoE++: IEEE 802.3bt, with a maximum power supply of 81.6 W
Wi-Fi 6 APs require 802.3bt power supply.
 Local power supply using a power module (power supply requirements of Wi-Fi 5
and Wi-Fi 6 need to be considered)
 Local AC power supply
Answer: B
• Network cloudification
▫ Cloud computing has completely changed the production mode of enterprises
over the past decade. A large number of services are deployed and operate on
the cloud, enabling enterprises to quickly launch new services. Thanks to the
evolution of the cloud architecture, enterprises can focus on services without
the need to pay too much attention to the IT architecture construction.
▫ As the pipe, the most important part in the cloud-pipe-device architecture, the
network plays a decisive role in user experience. To support service
cloudification, enterprises need to create a ubiquitous, intelligent, controllable,
and on-demand network. The traditional network architecture cannot adapt
to cloud transformation. The network needs to become more a service than a
solution, which is not only the business value brought by network
cloudification to enterprises but also the trend of network cloudification.
▫ Network cloudification is an important method to build service-based
networks. With infrastructure as a service (IaaS), enterprises no longer need to
repeatedly construct infrastructure. Similarly, with network cloudification,
enterprises simply need to consider the functions networks need to provide
and no longer need to care about the architecture, location, or function
implementation of the networks. In this way, enterprises can fully focus on
services.
• Huawei CloudCampus Solution migrates local network management to the
cloud, implementing automated and centralized management of multiple
branches based on the Internet. In addition, the solution enables the cloud
network management to be characterized by multi-tenancy, ultra-large scale,
and elastic scalability, and provides data collection and analysis capabilities that
cannot be provided by traditional networks. The solution can also restrict the
overall traffic of access users, the traffic of certain applications, and the uniform
resource locators (URLs) accessible to users.
1. Plug-and-play of network devices improves deployment efficiency.
▪ iMaster NCE-Campus centrally delivers configurations of multiple
sites, reducing onsite configuration and commissioning workload and
improving deployment efficiency. Network devices are plug-and-play
and able to be expanded on demand, requiring low costs for
upgrades.
2. Centralized cloud O&M simplifies O&M of multiple sites.
▪ iMaster NCE-Campus centrally manages scattered campus branches
on the cloud through the Internet, and integrates multiple
automation tools for troubleshooting, monitoring, and other
management operations, so as to implement remote automated
O&M.
3. Open APIs accelerate integration of business applications.
▪ With open APIs and big data analytics capabilities, iMaster NCE-
Campus can interconnect with multiple management systems to
achieve unified network management. It is able to provide diversified
value-added applications to help digital transformation of enterprises.
• Huawei CloudCampus Solution for small- and medium-sized campus networks
uses cloud computing technology to implement automatic and centralized
network management, and provides data collection and analysis capabilities that
are unavailable on traditional networks, so as to achieve network (LAN/WLAN)
as a service (NaaS).
• The roadmap of designing the architecture of Huawei CloudCampus Solution for
small- and medium-sized campus networks is as follows:
1. Construct a cloud campus communication network that features unified
bearing, on-demand definition, and elastic scaling. Then determine the
networking scheme of the multi-tenant network based on user
requirements and application scenarios, and conduct the network design
according to the actual service requirements of users, including the
physical network design, basic network service design, WLAN service
design, and user access control design.
2. Use a centralized cloud management system to implement automatic
management and intelligent analysis of the network with automated
deployment and intelligent O&M features. In addition, to meet the
requirements of basic network attributes such as security, reliability, and
openness, pay attention to the design related to network security and
interconnection with value-added platforms.
• Before designing a networking solution, obtain the following information:
▫ Scale of the customer's network, including the area to be covered by the
network and the number of terminals to be supported on the network. This
information helps determine the number of APs to be deployed.
▫ Customer's security requirements, for example, whether advanced security
features are required and whether the egress devices need to work in hot
standby mode. This information helps select egress device models.
• The CloudCampus Solution supports rights- and domain-based management.
▫ In rights- and domain-based management, rights are assigned to users
based on roles, responsibilities, and managed domains so as to properly
control the rights and scope of the operations they can perform. This
reduces the risk of service-affecting security issues caused by
misoperations or unauthorized operations. If rights and domains are not
divided, or are divided improperly, O&M efficiency suffers, and users may
even operate NEs outside their managed domains or perform unauthorized
operations, causing service interruptions.
• iMaster NCE-Campus is deployed on the cloud, where the reliability of the
management system is provided by the cloud platform itself. The network
design therefore focuses on network reliability.
• Authentication reliability: When user authentication depends on an
authentication server, plan the bypass (escape) policy that applies if the server
becomes unreachable. Two kinds of policy are available after such a fault:
policies that allow access without authentication, and policies that keep user
access unaffected. Both keep the network open while the server cannot verify
users, so restrict their scope to the users and resources that genuinely need
them.

• Network reliability involves link reliability and device reliability:
▫ Reliability of egress links: In most scenarios, there is only one egress link, and
therefore no link redundancy needs to be considered. In scenarios where high
reliability is required, more than one egress link needs to be deployed, so
active and standby links must be configured.
▫ Reliability of links internal to a campus network: Typically, Eth-Trunk
technology is adopted to ensure link reliability. It is recommended that inter-
device Eth-Trunks be used to ensure link reliability of switch stacks.
▫ Device reliability: Two devices can be deployed as egress gateways in hot
standby mode. LAN switches at the core and aggregation layers can be
stacked for physical device redundancy.
• The registration query center is a public cloud service provided by Huawei on the
Internet and can therefore be considered a cloud platform. It is mainly used to
implement plug-and-play of devices on the customer's network. During the
deployment configuration of network devices, the most important thing is to
register them with iMaster NCE and enable them to be managed by iMaster NCE.
Huawei CloudCampus Solution supports Huawei public cloud and MSP-owned
cloud deployment modes. Therefore, multiple iMaster NCE instances may exist on
the Internet. The problem is which iMaster NCE should a device register with
after the device is powered on and connected to the network?
• Huawei has set up a registration query center. Users can implement plug-and-
play of network devices through the registration query center in the Huawei
public cloud or MSP-owned cloud scenarios. Users need to record information
about the network devices to be managed on iMaster NCE, including ESNs.
iMaster NCE synchronizes the information to the Huawei registration query
center, which maintains the information. After a user connects a Huawei cloud
device to the network with factory settings, the device obtains an IP address and
then initiates a query request to the registration query center. The domain name
of the registration query center has been preset on the device before delivery.
The domain name is unique globally. The device initiates resolution requests
through DNS servers in different regions and obtains the addresses of the
registration query centers in these regions. Then, the registration query center
returns information such as the IP address of the corresponding iMaster NCE to
the device. In this way, the device can initiate a registration request to the
address so it can get managed by iMaster NCE.
• In MSP-owned cloud scenarios where devices cannot reach the public network,
deployment through the registration query center is not supported, because a
device must be able to reach the registration query center on the Internet.
• VLAN 1 is not recommended as a service VLAN.
• The service IP address is the IP address of a server, host, or gateway. It is
recommended that gateway IP addresses use the same host part; for example,
all gateways use addresses ending in .254. The IP address range of each service,
and the ranges used by servers and by clients, must be clearly distinguished.
The IP addresses of each type of service terminal must be contiguous so that
they can be aggregated. Considering the size of a broadcast domain and ease of
planning, it is recommended that an IP address segment with a 24-bit mask be
reserved for each service. If the number of service terminals exceeds 200,
another IP address segment with a 24-bit mask is reserved.
• Dynamic IP address assignment or static IP address binding can be used for IP
address assignment. On a small- and medium-sized campus network, IP
addresses are assigned based on the following principles:
▫ IP addresses of WAN interfaces on egress gateways are assigned by the carrier,
and can be static addresses or addresses assigned through DHCP or PPPoE. The
IP addresses of egress gateways should be obtained from the carrier in advance.
▫ It is recommended that servers and special terminals (such as punch-card
machines, printing servers, and IP video security devices) use statically bound IP
addresses.
▫ It is recommended that the DHCP server be deployed on the gateway to
dynamically assign IP addresses to user terminals such as PCs and IP phones
using DHCP.
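• The address-planning rules above (one /24 per service, an extra /24 beyond 200 terminals, contiguous and aggregatable segments, gateways ending in .254, no VLAN 1) can be applied mechanically. The following Python script is an added example, not part of the course material or of iMaster NCE-Campus: it allocates aligned blocks from a campus supernet so that each service's segments sit under one aggregate, assigns gateways and DHCP ranges, and checks the result against the rules. The starting VLAN ID (10), the DHCP range (.1 up to the address below the gateway) and the service list are assumptions made for the example.

```python
import ipaddress
import math

GATEWAY_HOST = 254       # page recommendation: every gateway ends in .254
TERMINALS_PER_24 = 200   # page rule: more than 200 terminals -> reserve another /24
FIRST_VLAN = 10          # assumption for this example: service VLANs start at 10 (never VLAN 1)


def needed_24s(terminals):
    """Number of /24 segments a service needs under the 200-terminal rule."""
    return max(1, math.ceil(terminals / TERMINALS_PER_24))


def find_free(pool, prefix, allocated):
    """First block of the requested prefix length in `pool` that does not
    overlap any already-allocated block. Blocks come out aligned, so the
    segments of one service always sit under a single aggregate route."""
    for cand in pool.subnets(new_prefix=prefix):
        if not any(cand.overlaps(a) for a in allocated):
            return cand
    raise ValueError(f"no free /{prefix} left in {pool}")


def plan_services(supernet, services):
    """services: {name: number_of_terminals}, in planning order.
    Returns {name: {"block": aggregate, "segments": [per-/24 details]}}."""
    pool = ipaddress.ip_network(supernet)
    allocated, plan, vlan = [], {}, FIRST_VLAN
    for name, terminals in services.items():
        n = needed_24s(terminals)
        prefix = 24 - (n - 1).bit_length()    # smallest power-of-two block holding n /24s
        block = find_free(pool, prefix, allocated)
        allocated.append(block)
        segments = []
        for seg in list(block.subnets(new_prefix=24))[:n]:
            gateway = seg.network_address + GATEWAY_HOST
            segments.append({
                "subnet": seg,
                "vlan": vlan,
                "gateway": gateway,
                # assumption: DHCP hands out .1 up to the address below the gateway;
                # servers and dumb terminals get static bindings inside the same /24
                "dhcp_range": (seg.network_address + 1, gateway - 1),
            })
            vlan += 1
        plan[name] = {"block": block, "segments": segments}
    return plan


def check_plan(plan):
    """Return the rule violations in a plan (an empty list means the plan is clean)."""
    problems, seen = [], []
    for name, svc in plan.items():
        for s in svc["segments"]:
            if s["vlan"] == 1:
                problems.append(f"{name}: VLAN 1 used as a service VLAN")
            if int(s["gateway"]) - int(s["subnet"].network_address) != GATEWAY_HOST:
                problems.append(f"{name}: gateway {s['gateway']} does not end in .{GATEWAY_HOST}")
            if s["subnet"].prefixlen != 24:
                problems.append(f"{name}: {s['subnet']} is not a /24")
            for other in seen:
                if s["subnet"].overlaps(other):
                    problems.append(f"{name}: {s['subnet']} overlaps {other}")
            seen.append(s["subnet"])
    return problems


if __name__ == "__main__":
    # Constructed requirement: office PCs, IP phones and cameras on a 10.1.0.0/16 campus.
    demo = plan_services("10.1.0.0/16", {"office": 450, "voip": 120, "camera": 30})
    for name, svc in demo.items():
        print(name, svc["block"],
              [(str(s["subnet"]), s["vlan"], str(s["gateway"])) for s in svc["segments"]])
    print("problems:", check_plan(demo))
```

With 450 office terminals the script reserves three /24s inside an aligned 10.1.0.0/22, so a single /22 route covers the service, while the 120-terminal voice service and the 30-camera service each get one /24 after it.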
• The routing design of the small- and medium-sized campus network includes
design of internal routes and the routes between the campus egress and the
Internet or WAN devices.
• The internal routing design of the campus network must meet the
communication requirements of devices and terminals on the campus network
and enable interaction with external routes. As the campus network is small in
size, the network structure is simple.
▫ APs: After an IP address is assigned through DHCP, a default route is
generated by default.
▫ Switch and gateway: Static routes can be used to meet requirements. No
complex routing protocol needs to be deployed.
• The egress routing design must be able to support Internet and WAN access of
users. To achieve this, you are advised to configure static routes on the egress
device connected to the Internet or WAN.
• Network planning is important for WLAN project implementation. WLAN
planning consists of the following parts:
▫ Network coverage design: Determine the requirements and principles for
signal coverage.
▫ Network capacity design: Determine the bandwidth requirements of a
single user based on the service model and terminal behavior, and then
determine the number of APs based on the AP capability.
▫ AP and switch deployment design: Determine installation positions based
on the deployment principles.
▫ AP channel design: Properly plan channels for APs in neighboring areas to
minimize co-channel and adjacent-channel interference.
▫ AP power supply and cabling design.
• This document does not describe the WLAN design from the preceding
dimensions. For details about the WLAN design, visit
https://e.huawei.com/en/material/networking/campus-
network/699b63ddae1543f1b91dd014e799e3e0.
• Huawei provides an online cloud-based WLAN Planner to guide users through
WLAN network planning in simple steps.
• Cloud APs have the same core algorithm logic for radio calibration as traditional
ACs. To be specific, APs detect and collect information about neighboring radios
and interference, and report the information to the calibration computing engine.
After the computing is complete, the computing engine delivers the allocated
channel and power configuration to each AP.
• Different from the traditional network where the calibration computing engine is
deployed on the WAC, the cloud managed network has the calibration
computing engine deployed on the leader AP.

• Radio calibration of cloud APs depends on the leader AP (elected) in an AP
group. The number of APs that the leader AP can manage is limited and varies
according to models. For example, AP4050DN-E can manage 50 APs and
AP6050DN can manage 128 APs. If the number of APs exceeds the management
capability of a leader AP, network planning is required. Management VLANs need
to be planned for AP grouping. When there are a large number of APs in a
management VLAN, the APs are automatically divided into multiple groups.
• Radio calibration is performed on WLANs in a continuous area. Therefore, it is
recommended that APs be grouped by area, such as by floor, to ensure that APs
in a group are in the same area. This maximizes the calibration effect.
• During scheduled radio calibration, you can enable intelligent radio calibration
and use the analyzer to analyze historical data of the WLAN and predict
interference sources on the network. During network optimization, APs can avoid
possible interference sources on the network in advance to improve the quality of
the entire WLAN.
• During deployment, after the APs are deployed and go online, you are advised to
trigger a calibration manually so that the channels and power of the APs are
planned automatically.
• When a WLAN is deployed for an enterprise or campus, the coverage area of a
single AP is limited, and multiple APs are generally required to implement
continuous wireless coverage of the entire space. To deliver good user experience
and ensure service continuity when STAs move among APs, the APs must support
roaming.
• Customer flow analysis requires APs to periodically report STA information (such
as the MAC address, IP address, access AP, SSID, and signal strength) to iMaster
NCE-Campus. Therefore, you need to enable the function of reporting STA
locations in the settings of the site where the APs reside on iMaster NCE-Campus.
Because this information identifies and locates individual terminals, disable the
function if collecting it would conflict with the customer's data security or
privacy requirements.
• By default, customer flow analysis is performed by site. To check results of some
devices at the site, mark APs with tags. One AP can be marked with multiple tags
to facilitate result check from different dimensions. For example, in shopping
mall A, an AP at the entrance of store B can be marked with A/B/entrance. AP
check and behavior analysis then can be performed based on such tags.
• Huawei CloudCampus Solution for small- and medium-sized networks can be
interconnected with third-party terminal behavior management software to
provide more detail-oriented services such as terminal profile and behavior
analysis. This solution provides APIs for interconnection. Third-party software can
adapt to the APIs to provide customer behavior analysis based on big data for
commercial promotion. If necessary, contact Huawei engineers.
• In the IoT field, Huawei WLAN builds a pipe-based technology platform and
ecosystem to fully leverage IoT partners' advantages, implement multi-network
convergence, and maximize benefits for customers.
1. Huawei IoT cloud APs provide pipe-layer capabilities. Specifically, they provide
standard Mini PCIe expansion slots and USB ports for connecting to IoT
modules, as well as uplink data channels.
2. Partners provide access-layer capabilities. Specifically, they provide IoT cards
that comply with Huawei port specifications and connect to Huawei IoT cloud
APs through Mini PCIe ports or USB ports.
3. Partners provide terminal-layer capabilities, including tags and wristbands, to
interact with IoT cards.
4. Huawei IoT cloud APs only forward uplink and downlink data of IoT cards, but
do not process data of specific IoT service protocols.
• Compared with traditional IoT solutions, Huawei Wi-Fi and IoT convergence
solution offers the following advantages:
1. IoT base stations and APs are deployed on the same site, and the Wi-Fi and
IoT networks are converged, facilitating site planning and power supply while
reducing deployment costs.
2. APs provide uplink data channels for a unified entry and unified management,
simplifying deployment.
3. APs provide pipe-layer capabilities, enabling flexibility and scalability.
• Based on the preceding authentication modes:
▫ Access devices are recommended as authentication points.
▫ The advantages of using access devices as authentication points are as
follows:
▪ Multiple access devices perform user authentication separately,
reducing the workload of centralized authentication.
▪ Authentication points are closer to terminals, improving security.
▪ The configuration is simple. If authentication points are deployed at
the upper layer, the following factors must be considered:
performance specifications of the devices acting as authentication
points, Layer 2 isolation at the access layer, and configuration for
transparent transmission of 802.1X protocol packets at the access
layer.
• The terminal management function of iMaster NCE-Campus can help identify
terminals and display the terminal type, operating system, and vendor.
• If the network administrator cannot determine the required terminal
identification methods, the following methods are recommended: MAC OUI,
HTTP UserAgent, DHCP Option, LLDP, and mDNS.

• In this slide, "general scenarios" refer to authentication, non-authentication, and
dynamic/static IP address assignment scenarios.
• In non-authentication scenarios, the controller can display information about
wired terminals only after the ARP snooping function is enabled on access
devices.
• The network administrator can use iMaster NCE-Campus to automatically deliver
policies to terminals, without the need to manually configure different services
and policies for each type of service terminals. Terminal policies can be delivered
based on the terminal type, operating system, or vendor.

• It is recommended that access and authorization policies be automatically
delivered to dumb terminals (such as printers, IP phones, and IP cameras) based
on terminal types. This helps implement automatic service provisioning and plug-
and-play for dumb terminals.
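• The identification methods listed above (MAC OUI, HTTP User-Agent, DHCP options, LLDP, mDNS) each observe something a terminal sends, and all of them can be imitated by a host that clones a printer's MAC address or vendor class. Automatically delivering a dumb-terminal policy on the strength of one method therefore hands that policy to anyone who spoofs the fingerprint. The Python below is an added example, not code from iMaster NCE-Campus: it gathers evidence from each method, reports which methods agree, flags fields where the methods disagree, and only clears a dumb-terminal policy for automatic delivery when at least two independent methods agree and nothing contradicts them. The OUI, DHCP option 60/55, mDNS and User-Agent tables are constructed for the example and are not the real registries.

```python
import re

DUMB_TYPES = {"printer", "ip_phone", "ip_camera"}   # policy may be auto-delivered to these

# Constructed lookup tables. Real deployments use the IEEE OUI registry and a
# maintained fingerprint database; these entries are illustrative only.
OUI_VENDOR = {"AA:BB:01": "PrintCo", "AA:BB:02": "PhoneCo", "AA:BB:03": "LaptopCo"}
DHCP_VENDOR_CLASS = {"PrintCo-Printer": "printer", "PhoneCo-IPPhone": "ip_phone"}   # option 60
DHCP_PARAM_LIST = {"1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows"}        # option 55
MDNS_SERVICES = {"_ipp._tcp": "printer", "_rtsp._tcp": "ip_camera"}
UA_RULES = [                                                                        # HTTP User-Agent
    (re.compile(r"Windows NT"), "Windows", "pc"),
    (re.compile(r"Android"), "Android", "mobile"),
    (re.compile(r"iPhone|iPad"), "iOS", "mobile"),
]


def collect_evidence(obs):
    """Turn one terminal's observations into (method, field, value) tuples."""
    ev = []
    oui = obs.get("mac", "").upper()[:8]
    if oui in OUI_VENDOR:
        ev.append(("mac_oui", "vendor", OUI_VENDOR[oui]))
    if obs.get("dhcp_option60") in DHCP_VENDOR_CLASS:
        ev.append(("dhcp_option", "type", DHCP_VENDOR_CLASS[obs["dhcp_option60"]]))
    if obs.get("dhcp_option55") in DHCP_PARAM_LIST:
        ev.append(("dhcp_option", "os", DHCP_PARAM_LIST[obs["dhcp_option55"]]))
    for pattern, os_name, ttype in UA_RULES:
        if pattern.search(obs.get("http_user_agent", "")):
            ev.append(("http_useragent", "os", os_name))
            ev.append(("http_useragent", "type", ttype))
            break
    if "telephone" in obs.get("lldp_capabilities", ()):
        ev.append(("lldp", "type", "ip_phone"))
    for svc in obs.get("mdns_services", ()):
        if svc in MDNS_SERVICES:
            ev.append(("mdns", "type", MDNS_SERVICES[svc]))
    return ev


def identify(obs):
    """Combine the evidence, flag conflicting fields, and decide whether a
    dumb-terminal policy may be auto-delivered: the type must be backed by
    at least two independent methods and no field may be contested."""
    fields = {}
    for method, field, value in collect_evidence(obs):
        fields.setdefault(field, {}).setdefault(value, set()).add(method)
    result = {"conflicts": []}
    for field in ("vendor", "type", "os"):
        options = fields.get(field, {})
        result[field] = max(options, key=lambda v: len(options[v])) if options else None
        if len(options) > 1:
            result["conflicts"].append((field, sorted(options)))
    support = len(fields.get("type", {}).get(result["type"], ()))
    result["auto_policy"] = (result["type"] in DUMB_TYPES and support >= 2
                             and not result["conflicts"])
    return result


if __name__ == "__main__":
    # Constructed observations: a genuine printer and a host cloning its MAC and DHCP class.
    printer = {"mac": "aa:bb:01:12:34:56", "dhcp_option60": "PrintCo-Printer",
               "mdns_services": ["_ipp._tcp"]}
    cloned = {"mac": "aa:bb:01:12:34:56", "dhcp_option60": "PrintCo-Printer",
              "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
    print(identify(printer))
    print(identify(cloned))
```

The cloned host is reported with the printer's vendor and DHCP class, but its browser traffic contradicts the printer type, so the result carries a conflict and auto_policy is False; an operator would then place it in a restricted role instead of the printer policy.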
• The purpose of rate limiting is to prevent some users or applications from
occupying a large amount of bandwidth resources. In this way, other users or
applications can obtain sufficient bandwidth resources, ensuring user experience.
• The security policy is the core function of a firewall. In normal cases, there is no
need to divide a small- or medium-sized campus network into many security
zones. To simplify configuration, you are advised to add WAN-side interfaces to
the Untrust zone and LAN-side interfaces to the Trust zone, and then permit the
inter-zone traffic the services require; traffic that matches no rule is dropped by
the default policy, so do not open the Untrust-to-Trust direction wholesale.
Traditional firewalls block or forward traffic between security zones based on the
5-tuple (source IP address, destination IP address, source port, destination port,
and protocol). Security policies of Huawei NGFWs not only replace packet
filtering but also control forwarding based on users and applications, and can
inspect and process the content of traffic. Security policies of NGFWs therefore
better match the characteristics and requirements of modern networks.
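• The zone model above is easiest to reason about as an ordered rule list with a default deny. The Python below is an added example and not the policy engine of any Huawei NGFW: it maps interfaces to zones, evaluates constructed rules top-down with first-match semantics on the 5-tuple, adds the NGFW-style application and user match keys, and falls through to deny. The interface names, addresses, application labels and rules are all constructed for the example.

```python
import ipaddress

# Constructed interface-to-zone mapping for a small campus egress firewall.
ZONES = {"GE0/0/1": "untrust", "GE0/0/2": "trust", "GE0/0/3": "dmz"}

DEFAULT_ACTION = "deny"   # traffic that matches no rule is dropped

# Constructed rule set, evaluated top-down; the first matching rule wins.
# src/dst are CIDR strings, proto is "tcp"/"udp"/"any", dport is a (low, high)
# range or None for any port, and app/user are NGFW-style matches (None = any).
RULES = [
    {"name": "block_p2p", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "proto": "any", "dport": None,
     "app": "bittorrent", "user": None, "action": "deny"},
    {"name": "lan_to_internet", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "proto": "any", "dport": None,
     "app": None, "user": None, "action": "permit"},
    {"name": "publish_web", "src_zone": "untrust", "dst_zone": "dmz",
     "src": "0.0.0.0/0", "dst": "192.0.2.80/32", "proto": "tcp", "dport": (443, 443),
     "app": None, "user": None, "action": "permit"},
    {"name": "admin_to_dmz", "src_zone": "trust", "dst_zone": "dmz",
     "src": "10.1.0.0/16", "dst": "192.0.2.0/24", "proto": "tcp", "dport": (22, 22),
     "app": None, "user": "netadmin", "action": "permit"},
]


def matches(rule, pkt, src_zone, dst_zone):
    """True when every match key of the rule covers the packet."""
    if rule["src_zone"] != src_zone or rule["dst_zone"] != dst_zone:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] and not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]:
        return False
    for key in ("app", "user"):               # NGFW matches beyond the 5-tuple
        if rule[key] is not None and rule[key] != pkt.get(key):
            return False
    return True


def evaluate(pkt, rules=RULES, zones=ZONES):
    """Return (action, rule_name); unmatched traffic gets the default deny."""
    src_zone, dst_zone = zones[pkt["in_if"]], zones[pkt["out_if"]]
    for rule in rules:
        if matches(rule, pkt, src_zone, dst_zone):
            return rule["action"], rule["name"]
    return DEFAULT_ACTION, "default"


if __name__ == "__main__":
    # Constructed flows: outbound web, outbound P2P, unsolicited inbound SSH, published HTTPS.
    flows = [
        {"in_if": "GE0/0/2", "out_if": "GE0/0/1", "src": "10.1.2.3", "dst": "198.51.100.1",
         "proto": "tcp", "dport": 443, "app": "https"},
        {"in_if": "GE0/0/2", "out_if": "GE0/0/1", "src": "10.1.2.3", "dst": "198.51.100.1",
         "proto": "tcp", "dport": 6881, "app": "bittorrent"},
        {"in_if": "GE0/0/1", "out_if": "GE0/0/2", "src": "198.51.100.1", "dst": "10.1.2.3",
         "proto": "tcp", "dport": 22},
        {"in_if": "GE0/0/1", "out_if": "GE0/0/3", "src": "198.51.100.1", "dst": "192.0.2.80",
         "proto": "tcp", "dport": 443},
    ]
    for f in flows:
        print(f["src"], "->", f["dst"], f["dport"], evaluate(f))
```

Rule order matters: block_p2p must precede lan_to_internet, otherwise the broad permit swallows the P2P flow. The inbound SSH attempt from Untrust to Trust matches nothing and is dropped by the default policy, which is the behaviour the zone design relies on.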
• Wireless Intrusion Detection System (WIDS): WIDS can detect rogue APs,
wireless bridges, wireless terminals, ad-hoc devices, and interfering APs with
overlapping channels.
• Wireless Intrusion Prevention System (WIPS): WIPS can disconnect authorized
users from rogue APs and disconnect unauthorized terminals and ad-hoc devices
from the WLAN, defending against rogue devices.
• WIDS is used to protect wireless networks against rogue terminals, malicious user
attacks, and intrusions. WIPS is an extension to WIDS and further protects
enterprise wireless networks, for example, it prevents unauthorized access to
networks and users and defends against attacks on network systems.
• Concepts related to WIDS and WIPS:
▫ Rogue AP: an unauthorized or malicious AP. A rogue AP can be an AP that is
connected to a network without permission, unconfigured AP, neighbor AP, or
an AP manipulated by an attacker.
▫ Rogue client: an unauthorized or malicious client, similar to a rogue AP.
▫ Rogue wireless bridge: an unauthorized or malicious wireless bridge.
▫ Monitor AP: an AP that scans or listens on wireless channels and attempts to
detect attacks to wireless networks.
▫ Ad-hoc mode: working mode of wireless clients. Ad-hoc devices can directly
communicate with each other without using any other device.
• Answer: ABD
• In Huawei's SD-WAN Solution, IP overlay tunnels are mainly GRE or GRE over
IPsec tunnels.
• Services on the management plane are mainly implemented by iMaster NCE,
which is not described in this document.
• This course describes the implementation principles of the control plane and
forwarding plane.
• TNP information and related information will be described later.
• TNs and RDs are used to establish overlay tunnels in enumeration mode.
• A site ID is used as the next hop for addressing and forwarding during user
routing.
• CPE router IDs are used to establish BGP peer relationships between different
sites.
• TNPs are used to establish tunnels.
• TNs and RDs are mainly used to enumerate tunnels.
▫ Tunnel enumeration: All tunnels that can be established are enumerated.
• Router IDs are mainly used to establish control channels.
• A site ID is used as the next hop for data forwarding.
• A TNP ID can be considered as an interface number.
• The public and private IP addresses are used as the source or destination IP
addresses of control and data channels.
▫ Some CPEs are deployed behind a NAT device. The post-NAT public IP
address is required for the establishment of data channels between CPEs.
▪ CPEs typically use the Session Traversal Utilities for NAT (STUN)
technology to detect public IP addresses.
• Tunnels are enumerated before data channels are established to ensure that all
available data channels are established.
• Tunnels can be enumerated only when the following conditions are met:
▫ CPEs have learned service routes of each other.
▫ CPEs have learned the TNP information of each other.
• Details about how to learn service routes and TNP information will be described
in the following slides.
• A management channel is used to establish control channels and deliver basic
configurations.
• Control channels are used to establish data channels.
• Data channels are used to transmit user data.
• TNP information is exchanged twice:
▫ During control channel establishment, TNP information is exchanged to
exchange information about channels to be established between RRs and
edge devices.
▫ During data channel establishment, TNP information is exchanged to
exchange information about channels to be established between edge devices.
• For details about ZTP and management channel establishment, see SD-WAN
Device Deployment.
• An RR is typically deployed at the same site as HQ edge devices. For ease of
understanding, an RR is deployed independently in the above figure.
• All configurations on the edge devices and RR are delivered by iMaster NCE.
• The IP address of an edge device's loopback interface is used as the edge device's
router ID.
• Tunnel interfaces are used to establish management channels, which use GRE
over IPsec encapsulation.
• Basic BGP configurations are also delivered by iMaster NCE to instruct edge
devices to establish BGP peer relationships with the RR through loopback
interfaces.
• Site IDs are generally allocated to edge devices in ascending order based on the
sequence in which they go online.
• The process of establishing a control channel is as follows:
1. An edge device establishes a DTLS channel with the RR based on the TNP
information delivered by iMaster NCE.
▪ A DTLS channel is established to ensure security of TNP information
exchanged between the edge device and RR.
2. The edge device and RR exchange TNP and IPsec SA information through
the DTLS channel, and establish an EVPN tunnel based on the TNP and
IPsec SA information.
▪ In Huawei's SD-WAN Solution, EVPN tunnels use GRE over IPsec
encapsulation.
▪ The source and destination IP addresses of an EVPN tunnel are mainly
determined by TNP information of the edge device and RR.
3. The edge device and RR establish a BGP peer relationship through
loopback interfaces.
▪ All edge devices are BGP RR clients of the RR.
▪ The edge device and RR send BGP packets to each other to exchange
the TNP and IPsec SA information required for establishing a data
channel.
• The process of exchanging TNP and IPsec SA information is as follows:
1. Through a BGP control channel, an edge device sends local TNP and IPsec
SA information to the RR in a BGP route.
▪ The RD ID and TN ID in TNP information are used to enumerate
tunnels.
▪ The public and private IP addresses are used as the source and
destination IP addresses of a data tunnel.
▪ IPsec SA information is mainly used to encrypt the data tunnel.
▪ The site ID is used for traffic steering. The functions of a site ID will be
described later.
2. The RR sends the BGP route received from the edge device to all edge
devices associated with the RR.
• The site ID is mainly used for route selection. The functions of the site ID will be
described in the following sections.
• Data channels use GRE over IPsec encapsulation.
• Routes of different services are isolated using the VPN technology.
▫ Different service routes belong to different VPNs. Therefore, different service
routes are installed in different VRF routing tables.
• Multiple links may be available between edge devices. If different routes of a
service are in the same RD, edge devices enumerate data channels.
▫ A data channel is also known as an EVPN connection.
▫ Multiple data channels are carried in one tunnel.
• There may be multiple data channels to the same site ID. Therefore, one data
channel needs to be selected for data forwarding.
▫ Typically, a data channel is selected based on the channel priority. However,
various data channel selection policies are available. For details, see SD-WAN
Application Experience.
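• The two steps described in this section and in the earlier TNP notes (enumerate every tunnel the TNPs of two sites can form, then pick one data channel per destination site by priority) are shown below in an added Python example that is not part of Huawei's SD-WAN implementation. It assumes, following the note that TNs and RDs are used to enumerate tunnels, that a tunnel can be formed between two TNPs whenever their RD matches, that the post-NAT public address learned through STUN is used as a tunnel endpoint when present, that a lower priority value means a preferred link, and that a tunnel's priority is the worse of its two ends. The TNP table is constructed for the example.

```python
from itertools import product

# Constructed TNP advertisements for two sites, as they would be learned from
# BGP routes via the RR. public_ip is the post-NAT address learned with STUN;
# None means the CPE is not behind NAT and the private address is reachable.
TNPS = [
    {"site": 1, "tnp": 1, "tn": "Internet", "rd": "RD-INET",
     "private_ip": "192.0.2.10", "public_ip": "203.0.113.10", "prio": 2},
    {"site": 1, "tnp": 2, "tn": "MPLS", "rd": "RD-MPLS",
     "private_ip": "172.16.1.10", "public_ip": None, "prio": 1},
    {"site": 2, "tnp": 1, "tn": "Internet", "rd": "RD-INET",
     "private_ip": "198.51.100.20", "public_ip": None, "prio": 2},
    {"site": 2, "tnp": 2, "tn": "MPLS", "rd": "RD-MPLS",
     "private_ip": "172.16.2.20", "public_ip": None, "prio": 1},
    {"site": 2, "tnp": 3, "tn": "LTE", "rd": "RD-LTE",
     "private_ip": "10.9.9.20", "public_ip": "203.0.113.99", "prio": 3},
]


def endpoint(tnp):
    """Tunnel endpoint address: the post-NAT address when the CPE is behind NAT."""
    return tnp["public_ip"] or tnp["private_ip"]


def enumerate_tunnels(local_site, remote_site, tnps):
    """All tunnels that local_site can establish to remote_site: every pair of
    TNPs whose RDs match (assumption: one RD means mutual underlay reachability)."""
    local = [t for t in tnps if t["site"] == local_site]
    remote = [t for t in tnps if t["site"] == remote_site]
    tunnels = []
    for l, r in product(local, remote):
        if l["rd"] != r["rd"]:
            continue                     # no underlay path between these two TNPs
        tunnels.append({
            "name": f"site{l['site']}:tnp{l['tnp']}->site{r['site']}:tnp{r['tnp']}",
            "tn": l["tn"], "rd": l["rd"],
            "src": endpoint(l), "dst": endpoint(r),
            "encap": "GRE over IPsec",
            "prio": max(l["prio"], r["prio"]),   # assumption: a tunnel is as good as its worse end
        })
    return tunnels


def select_channel(tunnels, down=()):
    """Priority-based selection among the enumerated channels to one site,
    skipping channels reported as down; None when nothing is usable."""
    usable = [t for t in tunnels if t["name"] not in down]
    if not usable:
        return None
    return min(usable, key=lambda t: (t["prio"], t["name"]))


if __name__ == "__main__":
    candidates = enumerate_tunnels(1, 2, TNPS)
    for c in candidates:
        print(c["name"], c["tn"], c["src"], "->", c["dst"], "prio", c["prio"])
    best = select_channel(candidates)
    print("active:", best["name"])
    print("after MPLS failure:", select_channel(candidates, down={best["name"]})["name"])
```

Site 2's LTE link is never enumerated because site 1 has no TNP in RD-LTE, so no underlay path exists; the MPLS channel wins on priority and the Internet channel, sourced from site 1's post-NAT address, takes over when MPLS is marked down.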
• Data transmitted over a data tunnel will be re-encapsulated before being sent.
▫ GRE over IPsec is used for data encapsulation.
▫ The VPN field is added to the ExtGRE header to identify the service (VPN) to
which data belongs during data forwarding.
• Different services may use different overlay topologies.
• Because an RR reflects service routes of all edge devices associated with it, the RR
can change the next-hop site ID of service routes to control the overlay topology.
• When the hub-spoke topology is used, the RR only needs to change the next-hop
site ID of service routes to the site ID of the hub site.
• When the full-mesh topology is used, a full-mesh network can be built without
requiring the RR to change the next-hop site ID of service routes.
• When the partial-mesh topology is used, only the next-hop site ID of some
service routes needs to be changed.
• An RR is also known as an area controller because it can control the overlay
topology.
• STUN, as originally defined in RFC 3489 (Simple Traversal of UDP through NAT),
was positioned as a complete NAT traversal solution.
• RFC 5389 (Session Traversal Utilities for NAT) repositions STUN as a tool that
other protocols use to traverse NAT devices, rather than a complete solution. RFC
5389 supports STUN over TCP, whereas RFC 3489 does not.
• A STUN client sends a STUN Binding request to the STUN server.
• The STUN server reads the source IP address and port number of the STUN
Binding request as it arrived (that is, after any NAT on the path) and returns
them to the STUN client in a STUN Binding response.
• The STUN client reads the IP address and port number from the STUN Binding
response and compares them with the source IP address and port number it
used for the STUN Binding request. If they differ, a NAT device sits between the
STUN client and the STUN server.
• STUN clients learn each other's TNP information (including the pre-NAT and
post-NAT IP addresses and port numbers) through BGP routes.
• After the preceding STUN packets are exchanged, a data channel is established
between the STUN clients so that packets can traverse the NAT devices based on
the hole punching mechanism.
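• The Binding request/response exchange above is small enough to implement end to end. The Python below is an added example and not Huawei CPE code: it builds an RFC 5389 Binding request (20-byte header with the 0x2112A442 magic cookie and a 12-byte transaction ID), builds the server's Binding success response carrying the observed source as an XOR-MAPPED-ADDRESS attribute, parses the response on the client (also accepting the plain MAPPED-ADDRESS of RFC 3489), and reports a NAT when the reflexive address differs from the local one. The exchange is simulated in-process with constructed addresses, so nothing is sent on the network; a real CPE would send the request over UDP to a reachable STUN server and should discard any response whose transaction ID does not match, as the parser here does.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001        # RFC 3489 style, address in clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020    # RFC 5389 style, XORed with the magic cookie
IPV4 = 0x01


def build_binding_request(txid=None):
    """Client: STUN header (type, length, cookie) + 12-byte transaction ID."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_binding_request(data):
    """Server: validate the request and return its transaction ID."""
    msg_type, _, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding request")
    return data[8:20]


def build_binding_response(txid, ip, port):
    """Server: echo the source it observed (post-NAT) as XOR-MAPPED-ADDRESS."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data, expected_txid):
    """Client: check type, cookie and transaction ID, then return (ip, port)."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != expected_txid:
        raise ValueError("not a matching STUN Binding success response")
    body, off = data[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)            # attribute values are padded to 4 bytes
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and len(value) >= 8:
            _, family, port, addr = struct.unpack("!BBHI", value[:8])
            if family != IPV4:
                continue
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no mapped address in response")


def simulate_exchange(client_ip, client_port, nat=None):
    """Run both sides in-process. `nat` is the (public_ip, public_port) a NAT
    device would rewrite the request's source to; None means no NAT."""
    request = build_binding_request()
    txid = parse_binding_request(request)
    seen_ip, seen_port = nat if nat else (client_ip, client_port)   # what the server sees
    response = build_binding_response(txid, seen_ip, seen_port)
    reflexive = parse_binding_response(response, txid)
    behind_nat = reflexive != (client_ip, client_port)
    return reflexive, behind_nat


if __name__ == "__main__":
    # Constructed addresses: a CPE on 10.0.0.5 whose NAT maps it to 203.0.113.7:61000.
    print(simulate_exchange("10.0.0.5", 4500, nat=("203.0.113.7", 61000)))
    print(simulate_exchange("198.51.100.20", 4500))
```

The reflexive address returned for the NATed CPE is what the page calls the post-NAT public IP address and port; it is the value the CPE advertises in its TNP information so that the peer can address the GRE over IPsec tunnel correctly.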
• If a site has only one CPE, LAN-side connections are simple.
▫ For small sites, for example, SOHO sites, LAN-side interfaces can be directly
connected to terminals at the sites.
▫ If the CPE has insufficient LAN-side interfaces, an access switch can be
connected to the CPE through one-armed routing.
• If a site has two CPEs, VRRP is typically deployed on the CPEs to prevent the
dual-CPE architecture from affecting the LAN-side network.
▫ Multiple LAN-side switches can be deployed to form a stack. If two CPEs are
deployed at a site, they can be interconnected directly or through the LAN-
side network.
▫ If the two CPEs are directly interconnected, an interlink needs to be
established between them to forward service packets. The interlink can be an
Eth-Trunk.
• For a large enterprise site, the site network has a complex structure and complex
network facilities (for example, Layer 3 core devices). Therefore, egress routers
need to connect, or be dual-homed, to Layer 3 devices. BGP, OSPF, and static
routing are supported.
• In the Layer 3 interconnection scenario, if only one CPE is deployed, only the
routing protocol needs to be configured based on the requirements of LAN-side
devices. If a CPE needs to interconnect with two LAN-side devices, the LAN-side
devices must be stacked to function as a single device.
• This solution can be used when BGP is deployed on the user-side network of a
dual-gateway site and users want to transmit the original BGP community
attributes of private network routes between two SD-WAN sites. (These
community attributes may be used in routing policies on user networks for route
control.)
• If OSPF is deployed on the interlink between two gateways, BGP community
attributes of user routes may be lost when the routes are transmitted through
the interlink.
• In this case, IBGP can be deployed on the interlink, so that the original BGP
community attributes carried in private network routes are not lost when these
routes are transmitted between the gateways.
• To improve the reliability of egress links, multiple links are usually provided, that
is, one active link and one standby link are used. This design is simple and
reliable. The standby link is in standby state and does not forward network traffic
in normal cases. Therefore, enterprise customers need to pay extra fees for
reliability.
• Huawei's SD-WAN Solution does not use this link backup mode. Instead, multiple
uplinks of a site are active at the same time and services can be load balanced
among the links according to a preconfigured traffic scheduling policy. If a link
fails, the link failure or link quality deterioration can be detected within sub-
seconds. Then, services can be switched from the failed link to an operational
link. This mechanism ensures link reliability and maximizes the efficiency of
enterprises' link resources, providing high access bandwidth and facilitating
interconnection between enterprise sites.
• Hub-spoke networking
▫ Generally, the enterprise HQ/DC functions as a hub site, and enterprise
branches function as spoke sites and access server applications deployed at
the HQ/DC through the WAN in a centralized manner.
• Full-mesh networking
▫ Branches of an enterprise can directly communicate with each other,
without the need to divert traffic through intermediate nodes.
• Partial-mesh networking
▫ A partial-mesh network can be considered as a special type of full-mesh
network. If direct underlay network connections are available between two
sites, traffic is directly transmitted between the sites. Otherwise, traffic
between the sites is forwarded through a redirect site, to which both sites
are connected.
• Hierarchical networking
▫ The hierarchical networking model can be considered as a combination of
single-layer networking models. A WAN is divided into multiple areas,
which are interconnected through a centralized backbone area. In this way,
sites can communicate with each other across areas.
• In the hierarchical networking, a redirect site refers to a border site.
• Traffic cannot be transmitted to the Internet through multiple links in load
balancing mode. The links can work only in active/standby mode based on their
priorities.
• If local Internet access is configured for specified application traffic and
centralized Internet access is also configured, local Internet access for specified
application traffic is implemented by orchestrating policy-based routing (PBR).
• When local Internet access is enabled, the default route on the underlay WAN
needs to be configured. The default route can be a static route (mainly for
Internet access through the Internet network interface) or a BGP/OSPF route
(mainly for Internet access through the MPLS network interface).
• If hub sites function as centralized Internet access gateways, the active and
standby hub sites can be selected. If branch or aggregation sites function as
centralized Internet access gateways, only one branch or aggregation site can be
selected.
• A dedicated link is established between user-side interfaces on both the legacy
edge and SD-WAN edge devices. The dedicated link runs a protocol such as BGP
or OSPF to exchange routes between the legacy MPLS network and SD-WAN
network. In this way, users on the two networks can communicate with each
other through the dedicated link.
• Multiple traffic models are supported in this scenario, and you can choose one
based on your service requirements.
▫ Distributed local access: This model applies if all SD-WAN sites can
communicate with legacy sites over the underlay MPLS network through
local breakout. In this model, traffic of each site is directly forwarded
through the local site without being forwarded through overlay tunnels.

▫ Centralized local access: If some SD-WAN sites cannot communicate with


legacy sites through local breakout, you can configure a site that can
communicate with the legacy sites as the centralized access site. Traffic
from other SD-WAN sites is sent to the centralized access site through
overlay tunnels, and then forwarded to the legacy sites through local
breakout.
▫ Hybrid local access: The SD-WAN Solution enables multi-link sites using the
distributed local access model to use local access preferentially, with
centralized local access as a backup. This enhances reliability. Traffic from
an SD-WAN site that uses the distributed local access model is
preferentially transmitted to legacy sites through local breakout. If the
MPLS link for local access fails, traffic is automatically switched to the
overlay tunnel of another link and transmitted to the centralized access site.
The centralized access site then forwards the traffic to legacy sites.
• 1. ABCD
• The ZTP function of Huawei's SD-WAN Solution helps to address the above pain
points:
▫ Lower technical requirements for site deployment: Onsite device
deployment does not require highly skilled professional IT engineers.
▫ E2E automatic deployment: ZTP eliminates manual configuration errors.
▫ Centralized service planning for batch devices: Services are provisioned
immediately after site devices are registered with iMaster NCE.
• Email-based deployment applies only to devices with factory settings.
• Do not log in to the web UI of a device or change its password before
email-based deployment. Either action takes the device out of the factory
state, and email-based deployment can no longer be performed.
• Tenant mode: The system administrator directly creates tenants.
▫ This mode is applicable when an enterprise wants to deploy and manage its
own internal network. The system administrator can create multiple tenants
to isolate and manage networks of different departments or subsidiaries.
Each tenant can create an administrator to manage the tenant's network.
• MSP mode: The system administrator creates an MSP, and then the MSP
administrator creates tenants.
▫ This mode is applicable when an enterprise provides network management
services for external users. An MSP can be a product distributor, whereas a
tenant is a customer who needs network management services.
▫ The system administrator creates an MSP and specifies an MSP
administrator. The specified MSP administrator can create other MSP
administrators and specify their management permissions. MSP
administrators create tenants and specify tenant administrators. The
specified tenant administrators can create other tenant administrators and
specify their management permissions.
▫ A tenant administrator can authorize an MSP to manage the tenant
network. In this way, the MSP administrator can maintain the tenant
network.
• Tenants can entrust network O&M services to MSPs so that the MSPs can
maintain the tenant networks.
• ZTP is available to both MSPs and tenants.

• If a tenant authorizes an MSP to manage the tenant network, the MSP can also
manage devices of the tenant.

• RRs added by an MSP are shared RRs, and can be shared by multiple tenants.
Shared RRs are used to reduce investment costs.

• RRs added by a tenant are exclusive RRs, and cannot be shared by other tenants.
Exclusive RRs are used to improve stability.
• 1. BC

• 2. False
• This course is based on Huawei's SD-WAN Solution.
• For details about SA and SPR, see HA Technologies.
• After receiving a service packet, a CPE processes the packet as follows:
1. Identifies the application.
▪ If no session table exists, the CPE identifies the service type of the packet
based on the SA signature database or through FPI, performs application-
based traffic steering, and sets up a session table.
▪ If a session table exists, the CPE directly performs application-based traffic
steering.
2. Performs application-based traffic steering.
▪ If intelligent traffic steering is not configured, the CPE searches the routing
table for a route to forward the packet.
▪ If an intelligent traffic steering policy is configured, the CPE performs traffic
steering based on the link or application quality.
3. Performs overlay and underlay tunnel encapsulation for the packet, and sends
it out.
• For details about application identification, see HA Technologies.
• Each site can be configured with primary and secondary transport networks.
▫ Primary transport network: You can configure multiple primary transport
networks for a site and specify their priorities. A smaller value indicates a
higher priority. You can also set the same priority for multiple primary
transport networks. The primary and secondary links in this document refer
to the primary transport networks working in active/standby mode.
▫ Secondary transport network: A secondary transport network provides
escape links. Application traffic is switched to the secondary transport
network only when all the primary transport networks become unavailable.
• MPLS links are high-value links, which are expected to be fully utilized. To ensure
user experience of high-priority applications, it is not recommended that MPLS
links be used to transmit traffic of low-priority applications when the bandwidth
utilization of MPLS links exceeds 70%.

• A link must not be selected for bandwidth-demanding services (such as data
backup) when its available bandwidth is insufficient. In this case,
bandwidth-based traffic steering can be configured.

• For example, an enterprise leases three links: MPLS, Internet1, and Internet2. It
expects to reserve certain bandwidth resources for high-value VoIP services to
ensure user experience of VoIP services, while fully utilizing the MPLS link. In this
case, bandwidth-based traffic steering can be configured. Bandwidth conditions
can be configured for low-value applications (such as email and FTP) to select
the MPLS link. For example, when the bandwidth utilization of the MPLS link
exceeds 50%, new traffic is not transmitted over the MPLS link; when the
bandwidth utilization of the MPLS link exceeds 70%, existing traffic on the MPLS
link needs to be dynamically switched to other links.
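The two thresholds in the example above (stop admitting new low-value flows to the MPLS link at 50% utilization, evict existing low-value flows above 70%) behave like an admission threshold plus a hysteresis band, which is what keeps the steering from flapping. The following Python is an added illustration written for this page, not code from Huawei's SD-WAN Solution or iMaster NCE. The link names, capacities, the "low-value" application group and the flow records are all constructed; the evict-until-below-admission rule is an assumption chosen to avoid oscillation, since the text does not say how far traffic is moved.

```python
"""Bandwidth-based traffic steering with a 50% admission / 70% eviction band.

Added example for this page; links, flows and application groups are
constructed, and the exact thresholds are taken from the text above.
"""
from dataclasses import dataclass, field

LOW_VALUE_APPS = {"email", "ftp"}   # assumption: the low-value application group
ADMIT_THRESHOLD = 0.50              # no new low-value flows on MPLS above this
EVICT_THRESHOLD = 0.70              # move existing low-value flows above this


@dataclass
class Link:
    name: str
    capacity_kbps: int
    flows: dict = field(default_factory=dict)   # flow_id -> (app, kbps)

    def used_kbps(self) -> int:
        return sum(kbps for _, kbps in self.flows.values())

    def utilization(self) -> float:
        return self.used_kbps() / self.capacity_kbps


class Steering:
    def __init__(self, links):
        self.links = {link.name: link for link in links}

    def place(self, flow_id: str, app: str, kbps: int) -> str:
        """Choose a link for a new flow and return the link name.

        High-value apps always get the MPLS link. Low-value apps are admitted
        to MPLS only while the projected utilization stays at or below
        ADMIT_THRESHOLD; otherwise they go to the least-loaded Internet link.
        """
        mpls = self.links["MPLS"]
        projected = (mpls.used_kbps() + kbps) / mpls.capacity_kbps
        if app in LOW_VALUE_APPS and projected > ADMIT_THRESHOLD:
            target = self._least_loaded(exclude="MPLS")
        else:
            target = mpls
        target.flows[flow_id] = (app, kbps)
        return target.name

    def rebalance(self):
        """If MPLS is above EVICT_THRESHOLD, move low-value flows off it until
        utilization is back at or below ADMIT_THRESHOLD (hysteresis).
        Returns a list of (flow_id, new_link) moves."""
        mpls = self.links["MPLS"]
        moves = []
        if mpls.utilization() <= EVICT_THRESHOLD:
            return moves
        for flow_id in sorted(mpls.flows):          # sorted copy: safe to delete
            if mpls.utilization() <= ADMIT_THRESHOLD:
                break
            app, kbps = mpls.flows[flow_id]
            if app not in LOW_VALUE_APPS:           # never evict voice/video
                continue
            del mpls.flows[flow_id]
            target = self._least_loaded(exclude="MPLS")
            target.flows[flow_id] = (app, kbps)
            moves.append((flow_id, target.name))
        return moves

    def _least_loaded(self, exclude: str) -> Link:
        candidates = [l for l in self.links.values() if l.name != exclude]
        return min(candidates, key=Link.utilization)


if __name__ == "__main__":
    s = Steering([Link("MPLS", 10_000), Link("Internet1", 20_000),
                  Link("Internet2", 20_000)])
    for fid, app, kbps in [("f1", "voip", 2000), ("f2", "email", 3000),
                           ("f3", "ftp", 1000), ("f4", "voip", 3000)]:
        print(fid, app, "->", s.place(fid, app, kbps))
    print("moves:", s.rebalance())
```

The eviction loop deliberately stops at the admission threshold rather than at the eviction threshold: if it stopped at 70%, the very next low-value flow would be refused (above 50%) while the link still sat just under the eviction line, and a small burst would trigger another round of moves.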
• The scheduling following function is supported only when Inter-TN Policy is set
to Load balance. Dynamic primary/secondary switchover is not supported.
• An enterprise usually has multiple departments of different importance, which
require traffic isolation and differentiated bandwidths.
▫ A specified bandwidth quota is assigned to each department to meet its
service requirements.
▫ If some departments do not fully use their bandwidth quotas, idle
bandwidth resources can be used by other departments with insufficient
bandwidth.

▫ The bandwidth for accessing the Internet or legacy sites needs to be limited
separately.
• Traffic can be classified based on one or a combination of the following:

▫ 5-tuple information

▫ Applications or application groups

▫ DSCP values

• Currently, the following traffic actions are supported:

▫ Priority-based queue scheduling

▫ Bandwidth limiting: CAR & shaping

▫ DSCP re-marking
• FEC optimization technology mitigates packet loss for data flows that are
selected by 5-tuple information through an agent. The FEC agent takes the
selected data flows, adds redundant check packets to each group of packets,
and verifies the group at the receive end. If a packet in the group is lost or
damaged on the network, the receiver recovers it from the redundant packets.
• On the basis of FEC, A-FEC automatically adjusts the FEC redundancy rate: it
saves bandwidth when the packet loss rate is low, and when the packet loss rate
increases sharply in a short period of time, it raises the redundancy rate
adaptively to offset the impact of packet loss.
• Huawei FEC/A-FEC has the following advantages:
▫ Unlike TCP, which relies on retransmission, FEC recovers lost packets without
retransmission and therefore adds little delay, which suits real-time traffic.
▫ FEC uses the Reed-Solomon (RS) algorithm. Compared with simple exclusive
OR (XOR) parity, which can recover only one lost packet per group, the RS
algorithm recovers multiple lost packets, mitigating burst packet loss.
▫ A-FEC dynamically adjusts the redundancy rate to reduce bandwidth waste
and mitigate continuous packet loss.
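To make the XOR-versus-RS comparison concrete, the following Python is an added example written for this page (not Huawei's FEC implementation, which the text says uses Reed-Solomon). It groups packets, appends one XOR parity packet, recovers a single loss, and returns nothing when two packets of the same group are lost, which is exactly the limitation RS removes. The sample packets, the group size and the A-FEC adaptation rule (halve the group on high loss, grow it slowly on low loss) are constructed assumptions; a smaller group means one parity packet per fewer data packets, i.e. a higher redundancy rate.

```python
"""Single-parity XOR FEC and a simple adaptive redundancy rule.

Added example for this page. Packets are constructed byte strings; the
adaptation thresholds are assumptions, not A-FEC's real parameters.
"""
from functools import reduce


def xor_bytes(blocks):
    """XOR a list of equal-length byte strings together."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def encode_group(packets):
    """Return the data packets (zero-padded to equal length) plus one parity
    packet appended at the end. Redundancy rate is 1/len(packets)."""
    size = max(len(p) for p in packets)
    padded = [p.ljust(size, b"\x00") for p in packets]
    return padded + [xor_bytes(padded)]


def decode_group(received):
    """received: the group as delivered, with None for each lost packet and
    the parity packet last. Returns the recovered data packets, or None when
    more than one packet is missing (XOR parity cannot solve two unknowns)."""
    missing = [i for i, p in enumerate(received) if p is None]
    if len(missing) > 1:
        return None
    group = list(received)
    if missing:
        present = [p for p in group if p is not None]
        group[missing[0]] = xor_bytes(present)   # XOR of everything else
    return group[:-1]


def adapt_group_size(loss_rate, current_group):
    """A-FEC-style adjustment (assumed rule): react fast to a loss spike by
    halving the group (doubling the redundancy rate), relax slowly when the
    link is clean, leave it alone in between."""
    if loss_rate > 0.05:
        return max(2, current_group // 2)
    if loss_rate < 0.01:
        return min(16, current_group + 1)
    return current_group


if __name__ == "__main__":
    group = encode_group([b"voice-01", b"voice-02", b"voice-03"])
    delivered = list(group)
    delivered[1] = None                          # one packet lost in transit
    print("one loss  ->", decode_group(delivered))
    delivered[0] = None                          # second loss in the same group
    print("two losses->", decode_group(delivered))
    print("group 8 at 10% loss ->", adapt_group_size(0.10, 8))
```

The padding step drops the original packet lengths; a real agent carries the length (and a group/sequence number) in its own header so the receiver knows which group a surviving packet belongs to and where the parity ends.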
• 1. ABCD

• 2. False
• The LAN-WAN converged management model of the CloudCampus Solution
delivers the following benefits:
▫ Easy deployment: iMaster NCE, also called the cloud management
platform, manages campus networks of all sizes. It supports LAN and LAN-
WAN convergence scenarios, and can be flexibly deployed.
▫ Simplified configuration: WAN and LAN services can be configured on one
set of GUIs. This solution supports both the traditional IPsec VPN
interconnection and SD-WAN interconnection. It also supports flexible
networking, simplifying the configuration and improving service
provisioning efficiency.
▫ Forwarding-control separation: The control plane is separated from the
forwarding plane and is centrally managed, improving network routing and
topology flexibility and network scalability.
▫ Simplified O&M: One set of GUIs is used for O&M status monitoring of
branches of all sizes and network-wide service data presentation,
facilitating network-wide monitoring and analysis.

▫ Value extension: Enterprise IT and network value-added services are
migrated to the cloud, and services that can be provided by carriers are
extended from WAN services and LAN services all the way to value-added
services.
• Service presentation layer: The WAN-side interconnection functions in the
CloudCampus Solution are presented to end users at this layer. Huawei provides
Portals for different customer roles, such as enterprises and MSPs. The Portals
offer a complete end-to-end service processing and enabling process of the
CloudCampus Solution. The service presentation layer transfers end users'
requirements to iMaster NCE.
• The multi-campus network interconnection solution is a sub-solution provided in
the CloudCampus Solution for the interconnection between branches and
between branches and the HQ or DCs. With SD-WAN functions integrated, the
multi-campus network interconnection solution provides two WAN
interconnection models: static IPsec VPN and SD-WAN.
▫ An IPsec VPN is a type of static VPN, in which IPsec tunnels are established
between devices at different sites to create VPN channels. Traffic is diverted
to the VPN tunnels based on the configured static network segments so
that services between sites can be accessed through the VPN tunnels.

▫ EVPN is a type of dynamic VPN that can establish tunnels between sites on
demand and dynamically advertise routes. EVPN establishes GRE tunnels
between sites to establish VPN tunnels and uses IPsec encryption on GRE
tunnels to secure data transmission over the tunnels. In addition, the SD-
WAN interconnection solution offers application- and policy-based
intelligent traffic steering, allowing high-quality links to be chosen based on
applications and policies for data transmission.
• In the IPsec VPN interconnection solution, point-to-point (P2P) or point-to-
multipoint (P2MP) IPsec VPN tunnels are created between sites, and service
traffic between sites is transmitted through the IPsec tunnels. The detailed
process is described as follows:
1. On iMaster NCE, create sites, record device information, and configure
service deployment information for the devices. The devices then register
with iMaster NCE.
2. Define the subnet segments that can access VPN services.
3. On iMaster NCE, orchestrate the site VPNs and define the IPsec VPN
interconnection model (hub-spoke or full-mesh). If the hub-spoke model is
used, specify the spoke and hub nodes. Non-cloud devices can be deployed
as hub nodes.
4. When adding devices to site VPNs, specify the subnet segment. During
IPsec tunnel establishment, the subnet segment is sent to the peer end to
generate static UNRs. This ensures that traffic can be properly transmitted
between sites.
5. In the hub-spoke model, configure the IPsec template mode for the hub
sites to monitor the link establishment requests from the spoke sites. In
this way, IPsec VPN tunnels are established between the HQ and branches.
The spoke sites proactively send link establishment requests to the hub
sites.
• UNRs are used to implement return routes of multiple branch sites and
implement inter-site communication.
• Flexible overlay network based on the hybrid WAN
▫ Hybrid WAN implements interconnection of enterprise branches through
various WAN connection technologies such as MPLS and Internet. As the
Internet improves in terms of quality and coverage, it becomes more
suitable for use as a WAN technology. That is, in addition to deploying
MPLS private lines provided by carriers, enterprises can select the Internet
for WAN branch interconnection to implement hybrid WAN interconnection.
• Service-orientation, implementing network orchestration and automatic
provisioning
▫ Traditionally, network services are provisioned through manual
configuration. Such an approach requires engineers to have a thorough
understanding of networks, especially when the network is complex. The
SD-WAN interconnection solution uses the centralized controller iMaster
NCE to abstract, orchestrate, and automatically provision services on
demand.
▫ iMaster NCE abstracts and models network services while shielding users
from technical implementation details of the network through model
abstraction, exposing only service-oriented interfaces and parameters.
▫ Additionally, iMaster NCE provides service GUIs or programmable APIs, with
which end users can drive iMaster NCE to orchestrate and automatically
provision network services based on their service requirements.
• Intelligent traffic steering, ensuring application experience
• WAN link: A WAN link refers to a link connecting to a WAN interface. The IP
address obtaining mode, link negotiation rate, and subscribed bandwidth can be
configured for a WAN link.
• Overlay tunnel: An overlay tunnel refers to the connection between TNPs at
different sites. Multiple overlay tunnels can be established between two sites, and
packets are distributed among them concurrently through intelligent traffic steering.
• The SD-WAN interconnection solution uses the EVPN and IP tunneling
technologies to establish logical networks isolated from a carrier's physical
network. The physical network and logical networks are the underlay and overlay
networks, respectively. Because user traffic is encapsulated in tunnels, only
overlay networks are involved in site interconnection. In this way, multiple WAN
service technologies can be flexibly applied, improving enterprise network
deployment efficiency and user experience.
• WAN links are the basis for building an SD-WAN interconnection network. To
prevent repeated configuration of parameters for each site, configuration
information such as the number of gateways and WAN links is abstracted into a
WAN link template. The site WAN model is configured through the WAN link
template. Therefore, after creating sites, you need to plan a WAN link template
for each site. If multiple sites have the same WAN-side configurations, including
the gateway type, WAN link, and interconnection link between two gateways, the
same WAN link template can be used.
• If only one CPE is deployed, the LAN connection is simple. For a small site (for
example, a SOHO site), the LAN-side interface can directly connect to terminals
at the site. If the CPE has insufficient LAN-side interfaces, an access switch can be
connected to the CPE in 802.1Q VLAN trunk mode.

• If dual CPEs are deployed, VRRP is generally deployed on the CPEs to prevent
them from affecting the LAN. The VRRP virtual IP address is used as the gateway
address of the network to transparently provide the redundancy function.
Multiple switches can be deployed on the LAN side to form a stack. If two CPEs
are deployed at a site, they can be interconnected directly or through the LAN. If
the two CPEs are directly interconnected, the interconnection links can be added
to an Eth-Trunk. In the VRRP group, the master CPE forwards service packets.
However, in the actual environment, service packets may need to be transmitted
through the egress link on the backup CPE. In this case, the master CPE needs to
forward service packets to the backup CPE first, which then sends the packets out
over the EVPN tunnel. Therefore, an interconnection link needs to be set up
between the master and backup CPEs to forward service packets between them.
• A large enterprise site has a complex network structure and complex
network facilities (for example, Layer 3 core devices). Therefore, the egress
routers (CPEs) need to be connected, or dual-homed, to Layer 3 devices. BGP,
OSPF, and static routing are supported on the LAN side.
• In the Layer 3 interconnection scenario, if only one CPE is deployed, the
interconnection is simple: only a routing protocol needs to be configured on
the LAN side, based on the requirements of the LAN-side devices. If dual CPEs
are deployed, the LAN-side devices need to be configured to form a stack.
• The hub-spoke topology is applicable to enterprises whose major service traffic is
from branches to the hub site at the HQ, with little east-west traffic between
branches. Application servers of these enterprises are deployed at a few HQ and
DC sites. A typical example is chain stores. Major traffic of each chain store is
north-south traffic between the chain store and the HQ or DC, and there is
almost no east-west traffic between different chain stores.
• To improve the reliability of egress links, multiple network connection links are
usually provided, that is, one active link and one standby link are used. This
design is simple and reliable. In normal cases, the standby link is usually in the
backup state and does not forward network traffic. Therefore, enterprise
customers need to pay extra line fees for reliability.
• The SD-WAN interconnection solution provides link backup. In this solution,
multiple uplinks of a network site are active at the same time and services can be
load balanced among the links according to the preconfigured traffic scheduling
policy. If a link is faulty, the link fault or quality deterioration can be detected
within sub-seconds. In this manner, services can be switched from the faulty link
to an operational link. This mechanism ensures link reliability, makes full use of
enterprise access links, and provides high access bandwidth, facilitating
interconnection between enterprise sites.
• On a network with a hub, if the hub site fails, network-wide disasters may occur.
To prevent this, you can deploy devices in redundancy mode at each hub site and
deploy hub sites in redundancy mode. The SD-WAN interconnection solution
supports the dual-hub redundancy design. When the active hub site is faulty,
services are automatically switched to the standby hub site, without requiring
manual intervention.
• In local Internet access mode, Internet access traffic cannot be load balanced
among multiple links.
• If local Internet access is enabled, the default route on the underlay WAN needs
to be configured. The default route can be a static route (mainly for Internet
access through the Internet network interface) or BGP/OSPF route (mainly for
Internet access through the MPLS network interface).

• A single CPE supports a maximum of 10 egress links. However, when accessing
the Internet, a CPE supports a maximum of three egress links in one routing
domain.
• If local Internet access with the default policies (Policy is set to All) is used and
centralized Internet access is enabled, local Internet access is preferred. If the
local link fails, the centralized Internet access mode is used.

• In hybrid Internet access mode, NAT in Easy IP mode can also be enabled on the
outbound interface for local Internet access.
• This Internet access mode is applicable to scenarios where centralized security
control is required for Internet access traffic but Internet access traffic of
specified services is routed out from the local site to minimize the access delay.
• Precisely identifying applications on a network is a prerequisite and a basis for
network services such as intelligent traffic steering, QoS, application optimization,
and security. Service policies can be applied in subsequent service processes only
after applications are identified.
• When a packet reaches the application identification module, the module
performs FPI on the packet. If an application is identified through FPI, the module
does not perform SA on the packet. If the application fails to be identified
through FPI, the module performs SA on the packet.
• For FPI and SA, the FPI signature database and SA signature database are
preconfigured on CPEs before delivery. The CPEs can identify common
applications based on the application definition (port number, signature, and
behavior) in the signature database. In addition, FPI and SA can also identify
customized applications. You can customize applications whose signatures are
not in the signature databases.
• Static identification
▫ For applications with fixed IP addresses, port numbers, and protocol types, their
3-tuple information is recorded in a static identification table. When the first
packet of a data flow arrives at a device, the device searches the static
identification table for its 3-tuple information. If a match is found, the application
type corresponding to the entry is identified. This method is mainly used to
identify customized applications.
▫ If a user customizes an application on iMaster NCE by defining the IP address,
port number, and protocol type, the device preferentially searches the static
identification table for the matching destination IP address, destination port
number, and protocol type when receiving the first packet of an application. If no
match is found, the device searches the static identification table for the
matching source IP address, source port number, and protocol type. If there is
still no matching entry, SA is performed.
• DNS correlation identification
▫ FPI also supports DNS correlation identification. If an application is defined by
domain name, a CPE can match and cache the domain name (for example,
www.example.com) and IP address (for example, 1.1.1.1) in DNS responses
during DNS resolution. In this way, the application type can be identified based
on the IP address of the first packet during the subsequent TCP handshakes.
• Different applications generally use different protocols. Each protocol has its own
characteristics, which are known as signatures and can be a specific port number,
character string, or bit sequence.
• SA determines an application by detecting signatures in data packets.
• Signatures of some protocols are contained in multiple packets, and therefore the
system must collect and analyze multiple packets to identify a protocol type. The
system analyzes service flows passing through a device, and compares the
analysis result with the signature database loaded on the device. The system
identifies an application by detecting signatures in data packets, and then
implements refined policy control based on the identification result.
• Applications can be identified in customized mode or through the SA signature
database predefined on CPEs.
▫ Customized mode: Applications are identified based on URLs or keywords. On
CPEs, rules can be created based on 3-tuple information, keywords, or both 3-
tuple information and keywords. The 3-tuple information refers to the server
IP address, protocol type, and port number. The keywords are signatures of
data packets or data flows corresponding to an application and uniquely
identify the application.
▫ SA signature database: SA identifies applications based on the SA signature
database. The SA signature database can have 500+ or 6000+ signatures,
depending on the device type. The SA signature database can be upgraded
through Huawei Security Center Platform. The SA signature database needs to
be updated frequently because applications on the live network change
rapidly. If the SA signature database is not updated in time, some applications
may fail to be identified.
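The identification order spelled out across the CPE processing steps, the static identification section and the SA section above (session table first; then the static 3-tuple table by destination, then by source; then DNS correlation; then SA payload signatures; cache the result in the session table) is easy to get wrong in the details, so here it is as an added Python example written for this page rather than code from the CPE. The static table entries, the domain-to-application mapping, the DNS cache contents, the two payload signatures and the sample packets are all constructed.

```python
"""Application identification pipeline in the order described on this page.

Added example; table contents, signatures and packets are constructed.
Session table key is the 5-tuple, so only the first packet of a flow pays
for the lookups.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    payload: bytes = b""

    def five_tuple(self):
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


class AppIdentifier:
    def __init__(self, static_table, signatures):
        # static_table: {(ip, port, proto): app}, customized 3-tuple entries
        self.static_table = static_table
        # signatures: [(app, payload prefix)], a stand-in for the SA database
        self.signatures = signatures
        self.domain_apps = {}    # domain -> app, applications defined by domain
        self.dns_cache = {}      # resolved IP -> domain, learned from DNS replies
        self.sessions = {}       # 5-tuple -> app, the session table

    def define_domain_app(self, domain: str, app: str):
        self.domain_apps[domain] = app

    def learn_dns(self, domain: str, ip: str):
        """Called for each A record seen in a DNS response."""
        self.dns_cache[ip] = domain

    def identify(self, pkt: Packet) -> Optional[str]:
        key = pkt.five_tuple()
        if key in self.sessions:                          # 1. session table hit
            return self.sessions[key]
        # 2. static table: destination 3-tuple first, then source 3-tuple
        app = (self.static_table.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
               or self.static_table.get((pkt.src_ip, pkt.src_port, pkt.proto)))
        if app is None:                                   # 3. DNS correlation
            domain = self.dns_cache.get(pkt.dst_ip)
            if domain is not None:
                app = self.domain_apps.get(domain)
        if app is None:                                   # 4. SA payload signatures
            for name, prefix in self.signatures:
                if pkt.payload.startswith(prefix):
                    app = name
                    break
        if app is not None:                               # 5. create session entry
            self.sessions[key] = app
        return app


if __name__ == "__main__":
    ident = AppIdentifier({("10.0.0.5", 5060, "udp"): "voip"},
                          [("http", b"GET "), ("ssh", b"SSH-")])
    ident.define_domain_app("www.example.com", "web-portal")
    ident.learn_dns("www.example.com", "203.0.113.10")
    print(ident.identify(Packet("192.168.1.20", "10.0.0.5", "udp", 40000, 5060)))
    print(ident.identify(Packet("192.168.1.20", "203.0.113.10", "tcp", 50000, 443,
                                b"\x16\x03\x01")))
    print(ident.identify(Packet("192.168.1.20", "198.51.100.7", "tcp", 50001, 22,
                                b"SSH-2.0-OpenSSH_9.6")))
```

Two details matter operationally: the DNS cache is keyed by the resolved address, so a client that resolves the name through a resolver the CPE does not see (DoH, a VPN) gets no correlation and falls through to SA; and an unidentified flow creates no session entry, so each of its packets is re-examined until a signature matches or the policy treats it as unknown.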
• Link quality–based traffic steering: Different applications have different
requirements on link quality. For example, voice and video services are sensitive
to delay and packet loss rate and have high requirements on link quality.
Therefore, you can configure the good-quality MPLS link as the primary link and
the Internet link as the secondary link for this type of services. In addition, you
need to configure SLA requirements for the services so that intelligent traffic
steering can be performed based on link SLA, thus meeting the SLA and
bandwidth requirements of applications.

• Load balancing–based traffic steering: If an enterprise has multiple links, you
can configure load balancing–based traffic steering to fully utilize the link
bandwidth. During service forwarding, the devices can select different links for
different applications based on link weights, thereby improving the bandwidth
utilization.
• Application priority–based traffic steering: If multiple types of service packets
are transmitted on the same link, traffic of high-priority applications is
preferentially processed in the case of congestion, ensuring user experience of
high-priority applications. For example, voice, video, and file transfer services are
carried over an MPLS link. If the link bandwidth is insufficient, traffic of voice and
video services is preferentially transmitted to guarantee the service experience.
• To control the traffic entering a CPE, you can configure ACL rules to classify
packets based on packet information including the source IP address, destination
IP address, source port number, destination port number, and application
information, and then filter the packets that match the ACL rules. In the SD-WAN
interconnection solution, the ACL-based traffic filtering function is implemented
through ACL policies. Currently, ACL policies can be deployed on the WAN- or
LAN-side interfaces of CPEs to control the traffic entering the CPEs. You can
define the priority of each ACL policy and set related parameters including the
filtering action (permit or deny) and validity time range.
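An ACL policy of the kind described above is an ordered list: each rule carries a priority, a match on some subset of the 5-tuple plus the identified application, a permit or deny action, and a validity time range, and the first matching rule in priority order decides. The following Python is an added example written for this page (not the CPE's ACL engine); the rules, the packets, the choice of permit as the interface default and the convention that a lower priority value is evaluated first are all assumptions.

```python
"""Priority-ordered ACL evaluation with 5-tuple, application and time-range
matching. Added example; rules and packets are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AclRule:
    priority: int                      # lower value is evaluated first (assumed)
    action: str                        # "permit" or "deny"
    src: Optional[str] = None          # CIDR, or None for any
    dst: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    app: Optional[str] = None          # application identified by FPI/SA
    valid_from: time = time(0, 0)      # validity time range, inclusive
    valid_to: time = time(23, 59, 59)

    def matches(self, pkt: dict, now: datetime) -> bool:
        if not (self.valid_from <= now.time() <= self.valid_to):
            return False               # outside its time range the rule is inert
        return all([
            self.src is None or ip_address(pkt["src"]) in ip_network(self.src),
            self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst),
            self.proto is None or self.proto == pkt["proto"],
            self.src_port is None or self.src_port == pkt.get("src_port"),
            self.dst_port is None or self.dst_port == pkt.get("dst_port"),
            self.app is None or self.app == pkt.get("app"),
        ])


class AclPolicy:
    def __init__(self, rules, default: str = "permit"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default = default         # interface default when nothing matches

    def evaluate(self, pkt: dict, now: Optional[datetime] = None):
        """Return (action, priority of the deciding rule or None for default)."""
        now = now or datetime.now()
        for rule in self.rules:
            if rule.matches(pkt, now):
                return rule.action, rule.priority
        return self.default, None


if __name__ == "__main__":
    policy = AclPolicy([
        AclRule(10, "permit", src="192.168.10.0/24", app="voip"),
        AclRule(20, "deny", proto="tcp", dst_port=445),            # block SMB out
        AclRule(30, "deny", app="ftp", valid_from=time(9, 0), valid_to=time(18, 0)),
    ])
    noon = datetime(2024, 1, 1, 12, 0)
    print(policy.evaluate({"src": "192.168.20.5", "dst": "10.0.0.1",
                           "proto": "tcp", "dst_port": 445}, noon))
```

Because the application field comes from FPI/SA, a rule keyed on `app` cannot match the first packet of a flow whose application is only recognized after several packets; rules that must hold from the first packet should be written on the 5-tuple.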
• URL filtering
▫ URL filtering regulates online behaviors by controlling URLs that users can
access, thereby permitting or denying users' access to specified web resources.
▫ A CPE permits or denies users' access to a URL or a type of URLs based on the
pre-defined categories and blacklist/whitelist. A CPE extracts the URL field
from an HTTP request packet and matches the URL field value with that in the
blacklist/whitelist or predefined categories. If a match is found, the CPE
processes the HTTP request packet according to the configured response
action.
▫ URL filtering is implemented through security policies, which are applied to
interzones. URL filtering security policies are deployed on CPEs to control URLs
that enterprise users can access.
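The URL-filtering decision above has three parts: get the URL out of the HTTP request, then consult the whitelist and blacklist, then fall back to the predefined category. The following Python is an added example written for this page, not the CPE's URL-filtering module. The request bytes, the lists, the category table and the category actions are constructed; matching a host against its parent domains (so that an entry for `example.net` covers `cdn.example.net`), checking the whitelist before the blacklist, and permitting uncategorized hosts are assumptions about precedence that the page does not spell out. Note that only plaintext HTTP exposes the URL this way; for HTTPS the CPE would see at most the SNI host name.

```python
"""HTTP URL extraction and whitelist/blacklist/category filtering.

Added example; requests, lists and categories are constructed.
"""
from urllib.parse import urlsplit


def extract_url(request: bytes):
    """Return (host, path) from a raw HTTP/1.x request, or None if malformed.
    Handles both origin-form ("GET /x") and absolute-form ("GET http://h/x")
    request targets; the port, if any, is stripped from the host."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1]
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]
    if target.startswith(("http://", "https://")):       # absolute-form target
        split = urlsplit(target)
        host = split.hostname
        target = split.path or "/"
    if not host:
        return None
    return host, target


def domain_chain(host: str):
    """'cdn.malware.example.net' -> [itself, 'malware.example.net', 'example.net', 'net']"""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class UrlFilter:
    def __init__(self, whitelist, blacklist, categories, category_actions):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.categories = categories                # domain -> category name
        self.category_actions = category_actions    # category -> permit/deny

    def decide(self, request: bytes):
        """Return (action, reason). Precedence (assumed): whitelist, then
        blacklist, then category, then permit by default."""
        parsed = extract_url(request)
        if parsed is None:
            return "deny", "malformed"
        host, _path = parsed
        chain = domain_chain(host)
        for d in chain:
            if d in self.whitelist:
                return "permit", f"whitelist:{d}"
        for d in chain:
            if d in self.blacklist:
                return "deny", f"blacklist:{d}"
        for d in chain:
            category = self.categories.get(d)
            if category:
                return self.category_actions.get(category, "permit"), f"category:{category}"
        return "permit", "uncategorized"


if __name__ == "__main__":
    f = UrlFilter(whitelist=["intranet.example.com"],
                  blacklist=["malware.example.net"],
                  categories={"games.example.org": "gaming", "example.com": "business"},
                  category_actions={"gaming": "deny", "business": "permit"})
    req = b"GET /play HTTP/1.1\r\nHost: games.example.org:8080\r\nUser-Agent: x\r\n\r\n"
    print(f.decide(req))
```

Checking the whitelist against the whole parent chain means a whitelisted `example.com` also clears `evil.example.com`; if that is not intended, match the whitelist on the exact host only and keep the parent-chain walk for the blacklist and categories.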
• IPS
▫ The IPS is a security mechanism that detects intrusion behaviors (such as
buffer overflow attacks, Trojan horses, and worms) by analyzing network
traffic signatures and terminates intrusion behaviors in real time through
certain responses. The IPS protects enterprise information systems and
network architectures against intrusions.
▫ The IPS signature database is preconfigured on CPEs and defines common
intrusion behaviors. The IPS compares packet signatures with those in the
signature database. If a match is found, a CPE considers it as an intrusion
behavior and takes corresponding protection measures.
▫ The IPS function is implemented through security policies, which are applied to
interzones. IPS security policies are deployed on CPEs to implement security
protection for Internet access services of enterprise users and block a variety of
intrusion behaviors from the Internet.
• Application scenarios
▫ The IPS function is mainly used in the site-to-Internet access scenario, that is, to
implement security protection for Internet access services.
The deployment of a WAN-side egress device (a CPE) involves the following steps:
1. The CPE obtains the IP address of the WAN link.
Currently, WAN links support the following access types: Ethernet link (static IP,
DHCP, and PPPoE) and LTE link (APN). A CPE can obtain the IP address of the
WAN link in any of the following ways:
• Imported from the deployment email (URL)
• Imported from the USB flash drive
• Automatically obtained through DHCP (The LTE public network can
automatically obtain an IP address. Because LTE traffic may be charged and
most enterprises customize APNs, APN parameters need to be set. Therefore,
the LTE data function is disabled on the CPE before delivery.)
• In email-based deployment, also called URL-based deployment, a network
administrator completes the ZTP configuration on iMaster NCE, which then
automatically generates a deployment email and sends the email to the specified
mailbox. The deployment email contains a URL that provides the deployment
information. After receiving the deployment email, the deployment engineer
clicks the URL in the email to start the deployment process, after which devices
are automatically deployed.
• The email-based deployment mode is used when a CPE is installed at a site and
deployment needs to be performed onsite. Email-based deployment greatly
simplifies the operation process for the deployment engineer. The deployment
engineer can start the deployment process simply with one click on the web UI.
Then, the deployment can be completed automatically. This lowers skill
requirements for the deployment engineer, minimizes labor costs, and shortens
the deployment time.
• Advantages:
▫ This deployment mode applies to various access modes and operation
scenarios.
▫ This deployment mode is simple and has low skill requirements for
deployment engineers.
• Disadvantages:
▫ A PC/laptop and a network cable are required for onsite deployment.
• In USB-based deployment mode, after a network administrator completes the
ZTP configuration on iMaster NCE, iMaster NCE automatically generates a ZTP
file that records the CPE deployment configuration. Then, the site deployment
engineer uses a tool (IniConverter1.0.exe) to generate a configuration file and
imports the configuration file to a USB flash drive for USB-based deployment.
• USB-based deployment is mainly used in batch deployment scenarios. The device
administrator of a system integrator or an enterprise uniformly imports
deployment configurations to CPEs in warehouses and distributes the CPEs to the
sites for onsite installation and deployment.

• Advantages:
▫ The site deployment is simple. Deployment engineers do not need to master
any professional skills or carry tools such as PCs. (A USB flash drive is required
for onsite deployment.)
• Disadvantages:
▫ The administrator needs to manually create a configuration file for each
CPE. The configuration file contains command configurations, which are
complex and error-prone.
▫ CPEs may be delivered to the wrong sites if their ESNs are bound to incorrect
sites.
• In DHCP-based deployment mode, the network administrator configures ZTP for
a site on iMaster NCE, and configures the IP address to be allocated to the CPE's
WAN-side interface, gateway, as well as the southbound IP address and port
number of iMaster NCE on the DHCP server. The WAN-side interface of the CPE
at the site must apply for an IP address from the DHCP server through DHCP.
When allocating an IP address to the CPE, the DHCP server also sends the
iMaster NCE information to the CPE through Option fields in DHCP messages.
After obtaining an IP address and accessing the underlay network, the CPE
automatically registers with iMaster NCE to complete the deployment.

• For WAN-side egress devices, DHCP-based deployment is applicable to network
construction scenarios where a carrier has the permission to configure a DHCP
server on the WAN side.
• Advantages:
▫ Devices are plug-and-play, and no deployment terminal is required for
deployment.
• Disadvantages:
▫ The permission to configure a DHCP server is required.

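As an added example (not Huawei code), the following Python shows what the CPE side of DHCP-based deployment has to do with the offer it receives: walk the RFC 2132 option list, pull out the controller parameters the DHCP server appended, and decide whether to register with that controller. The option number (148) and the key=value syntax used for the iMaster NCE parameters are assumptions for this example; use the option and format documented for your iMaster NCE release. The offer bytes are constructed and contain no real deployment data.

```python
"""Added example: parse the options of a DHCP offer received during
DHCP-based ZTP and validate the controller endpoint before registering.
Not Huawei code; option number and key syntax are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the DHCP server carries the controller
# parameters in option 148 as "key=value;key=value". The real option number
# and syntax are those documented for your iMaster NCE release.
CONTROLLER_OPTION = 148
PAD, END = 0, 255
DHCP_MESSAGE_TYPE, DHCPOFFER = 53, b"\x02"


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Walk an RFC 2132 option list (code, length, value) into a dict.
    Pads are skipped, the End option terminates, and a missing End or a
    length that runs past the buffer is treated as malformed."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            return opts
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} runs past buffer")
        # RFC 3396: a long option may be split into pieces; concatenate them.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("option list has no End option")


def select_controller(blob: bytes, allowed_nets: List[str]) -> Optional[Tuple[str, int]]:
    """Return (ip, port) of the controller advertised in the offer, or None
    when the message is not an offer, carries no controller option, or
    points outside the networks the operator expects. Malformed data raises."""
    opts = parse_dhcp_options(blob)
    if opts.get(DHCP_MESSAGE_TYPE) != DHCPOFFER:
        return None
    raw = opts.get(CONTROLLER_OPTION)
    if raw is None:
        return None
    fields: Dict[str, str] = {}
    for item in raw.decode("ascii").split(";"):
        if item:
            key, _, val = item.partition("=")
            fields[key.strip()] = val.strip()
    ip = ipaddress.ip_address(fields["controller-ip"])
    port = int(fields["controller-port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad controller port {port}")
    # The WAN-side DHCP server belongs to the carrier, not the enterprise.
    # Refusing controllers outside an expected range keeps a rogue DHCP
    # server from redirecting the CPE's registration elsewhere.
    if not any(ip in ipaddress.ip_network(net) for net in allowed_nets):
        return None
    return str(ip), port


# Constructed sample: option list of a DHCPOFFER carrying a subnet mask, a
# gateway and the (assumed) controller option. No real deployment data.
_ctrl = b"controller-ip=203.0.113.10;controller-port=10020"
SAMPLE_OFFER_OPTIONS = (
    bytes([DHCP_MESSAGE_TYPE, 1, 2])        # DHCP message type: OFFER
    + bytes([54, 4, 198, 51, 100, 1])       # server identifier
    + bytes([1, 4, 255, 255, 255, 0])       # subnet mask
    + bytes([3, 4, 198, 51, 100, 1])        # router (WAN gateway)
    + bytes([CONTROLLER_OPTION, len(_ctrl)]) + _ctrl
    + bytes([PAD, END])
)

if __name__ == "__main__":
    print(select_controller(SAMPLE_OFFER_OPTIONS, ["203.0.113.0/24"]))
    print(select_controller(SAMPLE_OFFER_OPTIONS, ["10.0.0.0/8"]))
```

The allowlist stands in for whatever trust anchor the CPE has for its controller; without some such check, plug-and-play on a carrier-controlled WAN means the CPE registers with whichever controller the first DHCP server to answer names.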

• Answer: C