2020年11月4日星期三

CloudCampus V100R019C10 Cloud

Management Scenario Training
Catalog
1 CloudCampus Solution Overview

2 CloudCampus Delivery Scenario

3 License Mode

4 Network Deployment Solution

2
Overall Architecture

3 Scenario Defined in CloudCampus Solution

Simple-service campus Multi-service campus Multi-branch interconnection campus

NETCONF/YANG

Virtual network

Hotel Primary/secondary Large

education education Branch site HQ

Simple-Service Campus Multi-Service Campus Multi-Branch Interconnection Campus

Network Single campus dominated, focusing on Complex network with many areas and multiple Wired / wireless network for Internet access in the HQ
architecture Internet access and network connectivity services, such as campuses with multiple and branches
buildings VPN connections between the HQ and branches
Common Management and authentication for multiple Management, authentication, and multi-service Management and authentication for multiple network
requirements network devices, such as APs, switches, and isolation for multiple network devices, such as devices, such as APs, switches, firewalls, and AR routers,
firewalls APs, switches, and firewalls and multi-branch interconnection management
Typical scenarios Multi-branch and small enterprise campuses, Universities, governments, and large enterprise Large enterprises and financial service outlets
such as hotels and primary/secondary campuses
education scenarios

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Overall Architecture

Components of Huawei Cloud Managed Campus Network Solution

Huawei support ESDP platform PKI platform SecCenter Huawei support website Device registration
(Device certificate) (DPI/antivirus signature (software versions & query center
system (License)
database) patches)
Service node clusters
Controller cluster

Device management Authentication Data collection node Data processing

Cloud node cluster Cloud-based Cloud-based PMI
node cluster cluster node cluster
(ACM cluster) (FI cluster) network planning component
management (ACA cluster) (ACC cluster)
component
platform Support node clusters (WLAN Planner)

CampusInsight
ETCD cluster GaussDB cluster Distributed cache cluster KAFKA
(Infinispan cluster) cluster

Deployment Huawei public cloud Amazon cloud AWS Microsoft cloud Azure
environment VM Physical machine
Cloud managed
Firewall Switch Central Remote
devices and remote AR AP RU
O&M app
O&M app AP

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

 Overall Architecture

Networking Architecture of Huawei Cloud Managed Campus Network Solution

Solution that offers cloud-based management of network devices covering all scenarios, full
lifecycle, and all business models
Cloud
Public cloud management
platform

Carrier network/
Enterprise Network

Firewall Firewall AR AR

Switch Firewall AR AP
Switch
Tenant
Switch
network AP Central AP
Switch Encrypted authentication
traffic and cloud-based
DC AP … AP
management traffic

RU Internet access traffic from

terminals, which does not
pass through the cloud
management platform
Shopping mall/supermarket, Mini store
Hotel Store
general education

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

 Value Solution

Value-added Customer Asset

Electronic Health
SaaS platform flow
analysis
schoolbag mgmt. mgmt.

Benefits to Users Benefits to MSPs

Fast deployment and
simplified management Cloud Open API Self-operated
Months -> days, 80%+↓ OPEX The first leasable and salable
management Automated management | Intelligent cloud management platform
O&M | Security collaboration
Multi-tenant network, platform
multi-functional network
Cloud-based
>> Cloud-based >> Cloud-based >> Cloud-based Large management
network deployment network PMI
Supports multi-tenant network planning optimization scale
services and service provisioning 20,000 -> 1M+ devices
within minutes.
AR Firewall Dual-mode
Open cloud platform, management, smooth
rich applications Multi-tenant Switch Switch Firewall AR AP evolution
20+ industry applications and cloud On-premise management ->
30+ partners
network Tenant n
cloud-based management
Tenant 1 Tenant 2

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 6

Product Family

Huawei CloudCampus Product Family

iMaster NCE-Campus is an autonomous driving iMaster NCE-CampusInsight is an analysis Cybersecurity intelligence system (CIS) uses the
Management and network management and control system that component of iMaster NCE-Campus that latest big data analytics and machine learning
control platforms provides full-lifecycle network services covering provides experience visibility, minute-level fault technologies, and collaborates with devices on the
planning, construction, O&M, and optimization. locating, and intelligent network optimization. entire network to defend against APT attacks.

S12700E-12 CloudEngine S12700E: new core switches for campus networks in the Wi-Fi 6 era

S12700E-8 CloudEngine S6730-H: full-featured 10GE routing switches

CloudEngine
switches S12700E-4 CloudEngine S5732-H: enhanced GE/multi-GE/optical-electrical hybrid switches

S7700 CloudEngine S5735-S: standard gigabit access switches

S5730-H/S S6730-H/S
S5735-S/L
CloudEngine S5735-L: compact gigabit access switches

AirEngine 8760-X1-PRO: Wi-Fi 6 indoor flagship AP

AirEngine
AirEngine 6760-X1/X1E: Wi-Fi 6 indoor high-end APs
Wi-Fi 6 APs
AirEngine 8760R-X1/X1E: Wi-Fi 6 outdoor APs

AirEngine 9700D-M + 5760-22WD: Wi-Fi 6 agile distributed AP and RU

8760-X1-PRO 6760-X1/X1E 5760-51 6760R-51/51E 8760R-X1/X1E AirEngine 5760-22W: Wi-Fi 6 wall plate APs
5760-22W

USG6700E
USG6600E AR6300
USG6500E AR6200
USG6300E
AR610 AR650 AR6100

HiSecEngine AI firewalls NetEngine AR routers

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential Page 7

Catalog
1 CloudCampus Solution Overview

2 CloudCampus Delivery Scenario

3 License Mode

4 Network Deployment Solution

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Deployment
Scenarios

Networking Modes of a Tenant Network (1)

Scenario 1: Single Site Access Scenario 2: Gateway + AP Scenario 3: Gateway + Switch + AP

Cloud Cloud Cloud

management management management
platform platform platform

Firewall Firewall

Switch

AP AP
AP

Characteristics: Characteristics: Characteristics:

1. Only one AP, one central AP together with
multiple RRUs, or one AR is deployed at
a site to provide WLAN coverage.
Alternatively, multiple APs independently
connect to the network.
2. Internet operator parameters need to be
configured on the AP or AR.
1. Multiple APs are deployed at a site to
provide WLAN coverage.
2. A dedicated firewall is deployed as a
gateway for Internet access.
3. Multiple APs implement Layer 3
interconnection through the gateway.
1. Multiple APs are deployed at a site to
provide WLAN coverage.
2. A firewall is deployed for Internet access.
3. Multiple switches can be deployed at
different layers to form a large Layer 2 LAN.
APs implement Layer 2 interconnection
through switches.

HUAWEI TECHNOLOGIES CO., LTD. HUAWEI Confidential Page 9

Deployment
Scenarios

Scenario 6: FW dual-machine in
Networking Modes of a Tenant Network (2) Mirror Mode
Cloud
management
Scenario 4: AR/FW dual link Scenario 5: Switch Stack
platform
FW
Cloud Hot standby in
management mirror mode
platform

Characteristics:
FW After dual-machine hot backup,of FW is set locally in
mirror mode , it support to be managed by the
platform
iStack
Scenario 7: WLAN AC Monitor
Cloud
management
platform
Characteristics:
1. AR/FW support dual uplink, the interface Characteristics:
includeDialer(pppoe), Cellular(4G/LTE), L3 1. Aggregation, access switch support cloud
Ethernet Interface
WLAN AC
management in stack mode. Up to 9 devices
2. Dialer/Cellular dail configuration is done can be stacked, and no more than 4 devices
directly on the device, not configure are recommended.
through NCE-Campus 2. Stacking cables are required for local automatic
stacking of devices. Devices that do not use
cables can be manually enabled for stacking. Characteristics:
Platform support to monitoring the WAC, the
configure is still go throuth the WAC
HUAWEI TECHNOLOGIES CO., LTD. HUAWEI Confidential Page 10
Deployment
Scenarios

Networking Modes of a Tenant Network (3)

Scenario 8: Frame Swith Scenario 9: LAN WAN convergence Scenario 10: NAC

Cloud
Cloud
management
management
platform
platform

Native AC
RADIUS Server
CSS

MPLS
Middle Branch AP

Internet
Large Campus
Characteristics: Small Branch
1. Frame switch support the cloud
management
Characteristics: Characteristics:
2. Frame switch with CSS, need to build 1. Build overlay turnnel based on EVPN 1. The platform support 802.1x, MAC,
2. All the branch need to deploy the AR Portal use authentication. It can work
the CSS and then register to the
platform that support EVPN as Radius server and Portal server.

HUAWEI TECHNOLOGIES CO., LTD. HUAWEI Confidential Page 11

Catalog
1 CloudCampus Solution Overview

2 CloudCampus Delivery Scenario

3 License Mode

4 Network Deployment Solution

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Business Mode

License
License Mode Application Scenario Role Operation
Redistribution
System administrator Import license files.
Global permanent Not supported On-Premises Scenario MSP administrator View the license information.
Tenant administrator View the license information.
a.When you log in to iMaster NCE-Campus for the first time, select Global
System administrator Subscription License, and set License Redistribution to No.
MSP-owned Cloud Scenario
b.Import license files.
Not supported (MSP administrators do not
need to centrally manage MSP administrator N/A
licenses.)
Tenant administrator N/A

Global subscription a.When you log in to iMaster NCE-Campus for the first time, select Global
Subscription License, and set License Redistribution to Yes.
System administrator b.Import license files.
MSP-owned Cloud Scenario
c.Configure license packages, and then distribute the packages to MSP
Supported (MSP administrators need to
administrators.
centrally manage licenses.)
MSP administrator Distribute licenses to tenant administrators.
Tenant administrator View the license information.
System administrator Disable the license split function when creating an MSP administrator.
Huawei Public Cloud Scenario
(MSP administrators do not MSP administrator Apply for license activation codes from the Electronic Software Delivery
Not supported Platform (ESDP).
need to centrally manage
tenant licenses.) Purchase license activation codes from MSPs, and import the codes to iMaster
Tenant administrator
Tenant subscription NCE-Campus.

Huawei Public Cloud Scenario System administrator Enable the license split function when creating an MSP administrator.
(MSP administrators need to Apply for license activation codes from the ESDP, and import the codes to
Supported MSP administrator
centrally manage tenant iMaster NCE-Campus.
licenses.)
Tenant administrator View the license information.

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Catalog
1 CloudCampus Solution Overview

2 CloudCampus Delivery Scenario

3 License Mode

4 Network Deployment Solution

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Device Deployment Process
Power on the device.
Obtain the IP address.
Register with the NCE-Campus.
Check before the device goes online.
Bring the device online.
Deliver Upgrade the
configurations. device.
15
Obtain the IP address:
• Through DHCP
• Specified static IP address (manually configured)
Obtain the IP address of the NCE-Campus:
• Through DHCP: The DHCP option 148 field carries the domain name and port number of
the NCE-Campus.
• Registration query center: The device uses the built-in domain name of the registration
query center to obtain the domain name and port number of the NCE-Campus.
Register with the NCE-Campus proactively:
• SSH connection establishment between the device and the NCE-Campus -> Version
negotiation on the SSH connection -> Key negotiation -> Authentication (bidirectional
certificate check) -> Session establishment and interaction -> NETCONF connection
establishment (SSHv2)
Perform license verification:
• After a device is registered and goes online, the device sends the ESN to the NCE-
Campus for verification. The ESN added by a tenant must be consistent with the device
ESN.
Perform device model consistency verification:
• Check whether the ESN uploaded by the device is consistent with the device model.
Perform MAC address validity verification:
• Generally, invalid MAC addresses are all 0s or 1s, or those of some blacklisted devices.
Invalid MAC addresses must be filtered out and devices with invalid MAC addresses
cannot be brought online.
Multiple Deployment Modes, Implementing ZTP

Deployment Deployment by scanning

DHCP-based deployment Registration query center
mode barcode

NCE-Campus NCE-Campus

NCE-Campus Registration
Firewall Enable DHCP Firewall
query center
(unique)

Application AR AR

scenario AP
LSW LSW

AP AP

Applicable to scenarios with APs Applicable to scenarios where Applicable to regions where a
only DHCP is enabled registration query center is available

Configuration Barcode scanning using an app

Automatic remote configuration Automatic remote configuration
method locally

16
Deployment Through Barcode Scanning Using a Mobile App
(Applicable to Scenarios with APs only)
① Pre-configuration
for network Before the deployment:
deployment NCE-Campus ① The tenant administrator imports device ESNs in batches
and plans offline configurations online.
Tenant
administrator
During the deployment:
Internet ② The installation engineer connects and powers on the
② Device connection devices.
and power-on ③ The installation engineer logs in to the CloudCampus app to
establish links between the APs and NCE-Campus through
Installation
engineer
barcode scanning, and then delivers configurations to the APs
through the local management SSID. After the operations are
complete, the NCE-Campus can detect and manage the APs.
③ App After the deployment:
deployment The devices retain persistent connections with the NCE-
Campus and periodically report performance data to the NCE-
Campus.

Log in to the Select a site. Select the Scan the

App. installation position. barcode. CloudCampus
App name
(available in Huawei/Google App Store)

Terminal Mobile phone

Operating
Android 4.4 and later
The device goes system
online.

Configure Internet Enable parameter Deliver

access parameters. delivery. configurations.
17
DHCP-based Deployment, Using the Option 148 Field to Carry
Information About the NCE-Campus
① Pre-configuration
for network
deployment NCE-Campus Before the deployment:
① The tenant administrator imports device ESNs in batches and plans
Tenant offline configurations online.
administrator ② The administrator deploys the egress gateway, configures it through the
⑦ Bidirectional web system or CLI, and specifies the device working mode (cloud
authentication and mode), domain name, and interface information in the DHCP Option
Internet
service 148 field. The device uses a static public IP address or obtains a public
configuration ② Deployment of ⑥ Device discovery
and initiation of
IP address through dial-up and performs NAT on internal devices,
delivery the egress gateway
connection requests ensuring that the internal devices can access the Internet.
and setting of DHCP
parameters
Tenant
During the deployment:
Firewall network ③ The devices are connected and powered on.
④ The devices apply for IP addresses from the egress gateway through
⑤ IP address allocation,
containing the cloud
DHCP.
mode, domain name, and ⑤ The egress gateway allocates IP addresses to the devices, carrying the
interface information ④ IP address device working mode (cloud mode), domain name, and interface
application information in the DHCP Option 148 field.
⑥ The devices (APs or switches) send connection requests (containing
Switch Switch their certificates) to the NCE-Campus based on the domain name.
③ Device ⑦ The NCE-Campus and devices complete bidirectional authentication
connection and establish a NETCONF channel for service configuration delivery
and power-on
based on ESNs.
AP AP AP AP After the deployment:
The devices retain persistent connections with the NCE-Campus and
periodically report performance data to the NCE-Campus.
DHCP Option 148 example：
agilemode=agile-cloud;agilemanage-mode=domain;agilemanage-domain=device-
18
naas.huawei.com;agilemanage-port=10020;
Deployment Through the Registration Query Center,
Implementing Automatic Device Registration Using the
Preconfigured Domain Name Only available in Huawei Public Cloud or
① Pre- MSP build scenario (Connected to Query
configuration ② ESN information
for network Center)
synchronization Registration
deployment
NCE-Campus query center Before the deployment:
(unique)
Tenant ① The tenant administrator imports device ESNs in batches, plans offline
administrator configurations online, and synchronizes the configurations to the
registration query center. All cloud managed devices are
preconfigured with the unique domain name of the registration
④ Address query center.
application for the
NCE-Campus from
② The NCE-Campus synchronizes device ESNs, its own address, and
Internet the registration query port number to the registration query center.
center During the deployment:
③ The devices are connected and powered on, then obtain IP address
Tenant network
⑤ Registration through the DHCP server.
with the NCE- Firewall (DHCP server)
Campus ④ The devices apply for the address of the NCE-Campus from the
registration query center based on the predefined domain name.
⑤ The devices send connection requests (containing their own
Switch certificates) to register with the NCE-Campus. The NCE-Campus
③ Device completes bidirectional authentication with the devices and delivers
connection
and power-on
service configurations to them based on ESNs.
After the deployment:
AP AP
The devices retain persistent connections with the NCE-Campus and
periodically report performance data to the NCE-Campus.

19
 Thank you
www.huawei.com

Copyright©2014 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and
operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and
developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for
reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.