
iMaster NCE-Campus

V300R019C10 Training

Security Level:
CloudCampus Solution Training Documents

This
document

• Solution overview
• iMaster NCE-Campus: network automation
• iMaster NCE-CampusInsight: intelligent O&M
• Business model
• Competitive analysis

2 Huawei Confidential
Contents

1. iMaster NCE-Campus Overview


2. iMaster NCE-Campus — Campus Network
Deployment Automation (V300R019C10)
3. iMaster NCE-Campus FAQs
New Products in 2020: iMaster NCE

Data center NCE-Fabric *

Campus NCE-Campus *

SD-WAN NCE-WAN *

WAN
Transmission NCE-T Lite

WAN IP NCE-IP Lite

New Highlights of iMaster NCE
Automation + Intelligence
• SDN-based automatic service configuration/deployment
• AI-powered intelligent analysis and predictive/proactive O&M

Manager + Controller + Analyzer
• Unified data base
• Closed-loop network assurance

Planning + Construction + O&M + Optimization
• Full lifecycle network management
• Pre-event network change simulation and verification

Manager, Controller, Analyzer = Autonomous driving network system

Huawei's Autonomous Driving Enterprise Network Solution

Application
Cloud
Self- Mobile Third-party

layer platform
service app app
Portal

Network
Autonomous Network Management and Control System
management
and control
Manager Controller Analyzer
layer

CloudEngine

DC Fabric
AP vSwitch AP

Campus CPE
VM
VM
CPE Campus
VM

Network HiSecEngine
layer
NetEngine NetEngine
AirEngine AirEngine
SD-WAN
DC Fabric
vSwitch
CPE
Branch CPE VM
VM
Branch
VM

iMaster NCE-Campus: Autonomous Driving Campus Network
Management and Control System

Manager + controller +
Fully converged
analyzer

Simple-service campus + multi-service


All-scenario campus + multi-branch interconnection
campus

iMaster NCE-Campus Planning + construction + O&M +


Full lifecycle optimization

SecoManager

Fully Converged Platform: Manager + Controller + Analyzer

• Hardware cost Higher efficiency


Lower costs
• Deployment cost One-stop full lifecycle
Fewer servers
• O&M cost management

3 units
1 unit
Note:
No SD-WAN requirement Menu/Dashboard integration Workflow integration
Server 1 x 256 GB server
Cisco Huawei

Agile Controller eSight Network Agile Controller iMaster NCE-Campus


3.0 CampusInsight
1.0
Access Basic network Network Access Manager & controller Analyzer
authentication management automation authentication
WLAN Exception Security Exception
TACACS SD-WAN TACACS management
management identification identification
Security Root cause Basic network Root cause locating
Free mobility VXLAN Free mobility VXLAN
management locating automation
Compliance Troubleshooting Compliance Troubleshooting
Network analysis SecoManager SecoManager SD-WAN and optimization
check and optimization check

All-Scenario: Ranging from Single-Service to Multi-Branch
Interconnection Campus
Simple-service campus Multi-service campus Multi-branch interconnection campus

NETCONF/YANG

Virtual network

Hotel Primary/secondary Large


education education Branch site HQ

Simple-Service Campus
• Network architecture: Single campus dominated, focusing on Internet access and network connectivity
• Common requirements: Management and authentication for multiple network devices, such as APs, switches, and firewalls
• Typical scenarios: Multi-branch and small enterprise campuses, such as hotels and primary/secondary education scenarios

Multi-Service Campus
• Network architecture: Complex network with many areas and multiple services, such as campuses with multiple buildings
• Common requirements: Management, authentication, and multi-service isolation for multiple network devices, such as APs, switches, and firewalls
• Typical scenarios: Universities, governments, and large enterprise campuses

Multi-Branch Interconnection Campus
• Network architecture: Wired / wireless network for Internet access in the HQ and branches; VPN connections between the HQ and branches
• Common requirements: Management and authentication for multiple network devices, such as APs, switches, firewalls, and AR routers, and multi-branch interconnection management
• Typical scenarios: Large enterprises and financial service outlets

iMaster NCE-Campus: Full-Lifecycle Campus Network
Service Panorama

Hardware installation
Optimization (Day N)
Physical network deployment

WLAN planning Virtual network deployment


Network optimization
O&M (Day N)
Wired network planning Policy provisioning

Site design
Network monitoring User experience visibility
Deployment(Day 1–2)
Network resource planning
Routine device O&M Exception identification

NCE-Campus O&M Fault demarcation


Planning (Day 0)

Provided by Huawei Service Tube


Provided by iMaster NCE-Campus

Provided by the NCE-CampusInsight component (SSO and navigation via the iMaster NCE-Campus GUI)



Automatic Campus Network Construction Panorama
Automatic Campus Network Multi-Branch
Simple-Service Campus Multi-Service Campus
Construction Interconnection Campus
Automatic physical Small campus Midsize and Midsize and large campus Multi-campus
network provisioning network large campus network deployment interconnection campus
deployment network deployment
deployment PnP LAN
PnP device LAN & WAN convergence
PnP LAN

Automatic virtual network provisioning Single- Single- Multi-campus


campus campus interconnection
single-egress multi-egress virtualization
surveillance
Network
network
Office

Video

Single-border Multi-border
VXLAN VXLAN Fabric network across Layer
networking networking 3 gateways

Automatic service policy provisioning Inter-virtual network access


Admission Access QoS Bandwidth control SD-WAN service policy
policy policy policy policy
Inter-virtual network access
√ X control policy
Group 1 Group 2 Group 3
VIP user Employees Guests Bandwidth
PnP Free resource Intelligent
Intelligent reservation HQoS
terminal mobility HQoS
Admission Access QoS Bandwidth traffic
for VIP users policy policy policy policy (WAN)
steering

Contents
1. iMaster NCE-Campus Overview
2. iMaster NCE-Campus — Campus Network
Deployment Automation (V300R019C10)
--Simple-Service Campus
--Multi-Service Campus
--Multi-Branch Interconnection Campus
3. iMaster NCE-Campus FAQs

How to React Rapidly to Service Expansion
Huawei User Equipment Stores: Fast Network Deployment Facing Rapid Store
Growth

Fast growth
• 1000+ stores worldwide
• 100+ stores in Shanghai
• Annual growth rate > 30%

Similar services among stores: time-consuming deployment
• Traditional store deployment depends on personnel experience and is complex.
• It takes three days to construct a network for one store, failing to meet the requirements for fast service rollout.

BrandZ Top 100 Global Brands of Most Valuable Value in 2019, ranking Top 50 for the fourth consecutive year
Ranking No.2 in the global mobile phone market share in 2018 (Source: IDC)

[Figure: store services and customer experience areas: smart home area, demonstration screen, experience zone for wrist bands and accessories, AR and smart treadmill, sample display, interactive experience, rest area, mobile phone and tablet sales]

iMaster NCE-Campus: Simple-Service Campus Network
Automation Solution

Scenarios: hotel, primary/secondary education, large enterprise

Automatic physical network deployment
iMaster NCE-Campus is used for quick network deployment, implementing device PnP.

Automatic service policy provisioning
Implement instant policy deployment and global policy validation via configuration delivery through the iMaster NCE-Campus GUI (configurations to be delivered: user access authentication policy, guest management, free mobility, HQoS, and terminal identification)

20 minutes
• Device go-online within 20 minutes
• 0.5 days required for provisioning a branch and completing service commissioning

4 steps
• Simplified small campus deployment
• Large campus network configured and deployed in just 4 steps

6 dimensions
• 6 dimensional refined permission control according to "5W1H"

Automatic Physical Automatic Service
Network Deployment Policy Provisioning

ZTP-based Simplified Deployment


App
1. Planning and pre-configuration
2. Deployment by scanning barcodes through the CloudCampus app
3. Automatic registration with the controller and going online
4. Automatic configuration delivery

DHCP
1. Planning and pre-configuration
2. Obtaining registration information (DHCP server)
3. Automatic registration with the controller and going online
4. Automatic configuration delivery

Registration query center
1. Planning and pre-configuration
2. Information synchronization
3. Obtaining registration information
4. Automatic registration with the controller and going online
5. Automatic configuration delivery

Deployment modes (applicable device; whether Agile Controller-Campus connects to the Internet; application scenario)
• App: AP; required; simple network (APs mainly)
• DHCP: AP, switch, and AR; not required; network planning and management. Network management personnel have the capability of managing and configuring a DHCP server.
• Registration query center: AP, firewall, switch, and AR; required; MSP-owned clouds and HUAWEI CLOUD


Physical Network Provisioning: PnP Wired and Wireless LANs

Underlay automation process for midsize and large campus networks: implementing PnP of aggregation switches, access switches, and APs

Network planning and device installation
• Importing device and topology information through an Excel file
• Network resource pool planning: IP address and VLAN
• Device pre-configuration based on the configuration template and feature template (devices from vendor C cannot be pre-configured)
• Device installation, cabling, and power-on
• Manually registering core switches with iMaster NCE-Campus

Automatic topology discovery
Aggregation switches, access switches, and APs are automatically discovered via LLDP and go online, and topology verification is performed. (Devices from vendor C do not support topology verification.)

Automatic configuration delivery
Devices automatically obtain configurations.

Automatic route orchestration
Create a fabric network and enable automatic route orchestration. OSPF routes then are automatically orchestrated on the switches.

Zero-configuration device replacement
Zero-configuration device replacement by scanning barcodes through an app (not supported by vendor C)


Implementing Terminal PnP Through Terminal Identification

Requirements & Challenges

A university
• 50+ types of smart terminals
• Terminal data collected by level-2 institutes
• Difficult and error-prone MAC address collection

An automobile manufacturer
• 10+ authentication faults reported per day
• Rogue devices are difficult to locate

Most comprehensive built-in terminal fingerprint library

Terminal Type-Based Automatic Authentication
Recognized as a printer
• Automatic MAC address authentication, MAC address-free device registration

Terminal Type-Based Automatic Authorization
Recognized as a camera
• Automatically added to the video surveillance group
• Set as a VIP user

Terminal Type-Based Rogue Device Detection
Recognized as an IP phone first and then PC
• A rogue terminal alarm is reported


Industry's Most Comprehensive Fingerprint Library, Facilitating Terminal Identification

Fingerprint library: industry's most comprehensive fingerprint library, fed by information reporting and proactive scanning

Category: Information reporting
• MAC OUI: The leftmost three bytes of a MAC address indicate the vendor. Application scenario: all terminals
• HTTP UserAgent: A browser's UserAgent string contains the manufacturer, terminal type, operating system, browser, and other information. Application scenario: mobile phones, tablets, workstations, and intelligent audio and video terminals
• DHCP option: Some options of DHCP packets can be used to classify terminals, including common DHCP options 55, 60, and 12. Application scenario: mobile phones, tablets, workstations, and dumb terminals
• LLDP: Link-layer device discovery protocol, which can be used to report the device model. Application scenario: IP phones, cameras, and network devices
• mDNS: mDNS packets contain the terminal model and service information. Application scenario: Apple terminals and printers

Category: Proactive scanning
• SNMP query: Identification information of related nodes is obtained through querying device information contained in the SNMP MIB objects. Application scenario: network devices and printers


Terminal Identification Accuracy

Terminal identification library (terminal type: Huawei terminal identification library, vendor + terminal model)
• Workstation (Windows/Linux/...): 270 models (specifying the OS versions of Android and iOS terminals)
• Mobile terminal (mobile phone/tablet): 1835 models from 124 vendors
• Printer: 745 models from 23 vendors
• IP camera: 217 models from 7 vendors
• IP phone: 312 models from 29 vendors
• Network device (such as AP, switch, and router): 173 models from 45 vendors
• Laptop and desktop: 94 models from 3 vendors
• IoT terminal (access control device and sensor): Not available currently

Lab test (mobile terminal), by terminal type: number of tested terminals / number of accurately identified terminals / identification accuracy
• Mobile phone: 70 / 68 / 97.14%
• Tablet: 7 / 7 / 100%
• Apple laptop: 3 / 3 / 100%

Lab test (mobile terminal), by terminal type with OS version: number of tested terminals / number of accurately identified terminals / identification accuracy
• Mobile phone: 68 / 65 / 95.59%
• Tablet: 5 / 5 / 100%
• Apple laptop: / / /

N7 canteen test in Nanjing Research Center (mobile terminal)
• Number of tested terminals: 9751
• Number of accurately identified terminals: 9362
• Identification accuracy: 96%

Identification accuracy by identification type
• Category: 99.73%
• Vendor: 98.89%
• Product model: 96.37%
• OS: 97.70%


Terminal Identification Statistics Collection

Terminal identification granularity Terminal identification statistics report

Terminal type Terminal vendor Terminal model Operating system


User Access Authentication

Authentication Method
• Portal authentication: user name and password, anonymous, SMS, QQ, Sina Weibo, WeChat, Facebook, Twitter, and passcode authentication
• PPSK authentication
• MAC address authentication
• 802.1X authentication (built-in RADIUS server)
• 802.1X authentication (interconnection with an external RADIUS server)

Transmission Protocol
• Authentication data transmitted through HTTP2.0 and RADIUS
• Configuration data transmitted through NETCONF

Open-System Authentication
• Interconnection with a third-party Portal server
• Interconnection with social media such as QQ, Sina Weibo, WeChat, Facebook, and Twitter

[Figure: social media authentication (QQ, Sina Weibo, WeChat, Facebook, Twitter), user management, and Portal page customization; Portal server, built-in RADIUS server, and 3rd Radius server providing 802.1X, Portal, and MAC address authentication; NETCONF configuration, HTTP 2.0 authentication, and RADIUS authentication toward the authentication device (switch, AP, firewall, AR)]


Intelligent Policy Engine, Achieving Refined Permission Control

Condition: 5W1H
• Who (user identity): User/user group/role
• Where (access location): Site, region, device group, device type, device, SSID, and IP address
• When (access time): By week/time point
• What (terminal type): PC/iOS/Android
• Whose (device attribute): Company-provided/BYOD terminal
• How (access mode): Wired/Wireless; Portal, MAC address, and 802.1X authentication

Result: Fine-grained permission control
• Permission: VLAN/ACL/security group, VIP user...
• Bandwidth: Uplink/Downlink bandwidth, DSCP
• QoS: High/Medium/Low
• Traffic and online duration control (supported only in Portal authentication mode)
• Application: Application group/application
• Security: URL filtering

Free Mobility: Policies Following Users, Ensuring Consistent
Experience

Network WAN/Internet User: xx


resources

Location: Shenzhen

Network
resources

Silicon Valley
Network Network
resources resources

1. Policy: permission
Shenzhen 2. Policy: security
3. Experience:
priority/bandwidth
Beijing

Users can access the network anytime, anywhere, ensuring consistent service policies
and network experience for users.


Free Mobility, User Group-Based Access Control Policies

Define security groups >> Define policies by group

NETCONF/YANG


Enhancements: Synchronize IP-Group Information

1. On-demand query
Query security groups via iMaster NCE-Campus based on IP addresses (example: "10.1.1.3: which security group does it belong to?" "10.1.1.3 belongs to the finance group").
Supported by some firewalls
Limitation: Traffic needs to pass through the firewall.

2. Packet-carried
The source security group ID is carried in the VXLAN packet header.
Supported by VXLAN-enabled switches
Limitation: VXLAN networking is required.

IP-Group synchronization
iMaster NCE-Campus periodically synchronizes IP-Group information to switches that function as policy enforcement points.
Supported by free mobility-capable switches, enriching application scenarios of free mobility

IP / Security group
• 10.1.1.3: group_FIN
• 10.1.2.3: group_R&D


IP-Group Synchronization: Implementing Free Mobility in More Scenarios

IP-Group information synchronization:
iMaster NCE-Campus synchronizes association information between IP addresses and groups to switches. The authentication points and policy enforcement points are separated. This practice helps implement flexible networking and third-party hybrid networking.

IP / Group
• 10.1.1.3: group_FIN
• 10.1.2.3: group_R&D

Scenarios:
• Free mobility: supported in the third-party hybrid networking scenario
• Free mobility: supported in the ME60 networking for universities
• Network-wide free mobility: supported in cross-Layer 3 gateway scenarios
ME60 gateway
(authentication and Switch Huawei switch
Huawei switch
accounting point) (policy enforcement point) (policy enforcement point)
(policy enforcement point)
Huawei switch Huawei switch or independent AC
X X (authentication point) X (authentication point)
Huawei switch Third-party AC and switch
(authentication point) (authentication points)

Huawei AP Third-party AP


Bandwidth Reservation for VIP Users

Requirements & Challenges
Randomly flowing swarm traffic
(Example) Conference room scenario:
A sharp increase in users >> air interface resource preemption >> worse experience of wireless conference terminals

Reserve OFDMA spectrum resources for VIP users
• Define VIP users
• Define the percentage of bandwidth to be reserved for VIP users

[Figure: Wi-Fi 6 AP spectrum over time: spectrum dedicated to VIP users (reserved subcarrier, 20% bandwidth reserved) and spectrum shared by common users (shared subcarrier); VIP user: conference terminal; common user: other office terminals]

On-demand bandwidth reservation:
• When no VIP user is connected to an AP, no bandwidth is reserved.
• Sufficient bandwidth resources are reserved for VIP users.

Intelligent HQoS: User-/Application-Based QoS Policy

Requirements & Challenges
QoS policies are not enough in Multi-users and video service scenarios
(Example) Building surveillance scenario:
As wireless video services increase, a large number of network resources are occupied, causing downlink congestion in some scenarios.

User-/Application-based QoS policy: ensures experience of key users and applications
1. Define VIP users. Define the application priority.
2. Implement queue scheduling based on users and applications.
3. The native WLAN AC and independent WLAN AC support large buffer and four-level queues.
   S12700E: 40*25GE card, 4 GB buffer
   AirEngine 9700-M: 512 MB buffer

Restrictions:
• The wireless network requires the tunnel forwarding mode.
• S12700E: Only the card providing 40 x 25GE ports supports HQoS; S5731/32-H: supporting 25G uplink ports
• It is recommended that the proportion of VIP users be less than or equal to 10%.
• The application scheduling template is configured on the WLAN AC through the web system.

Specifications:
• The S12700E supports 16K VIP users per card. The AirEngine 9700-M supports 1800 users per board.
• iMaster NCE-Campus supports up to 31 application scheduling templates.

[Figure: video surveillance cameras, VIP users, and other users]
Intelligent HQoS: WAC (Integrated or Independent WAC): Queues at
Four Levels (Flow + User + AP + Port)
Priority-based traffic scheduling for each subscriber and each application, 4-level
queue buffer and shaping, and refined management and control
Flow queue (FQ) Subscriber queue (SQ) AP queue (GQ) Port shaping (DP)
(priority-based traffic scheduling and (Priority-based traffic scheduling for each subscriber) (per-AP traffic shaping)
shaping for each application)
VIP user 1
Application 1 2M Queue CS7 PQ
Application 2 2M Queue CS6 PQ VIP user 1
Application 3 2M Queue EF PQ AP1
Application 4 15M Queue AF4 DRR:15 SQ1
DRR VIP user 1
Application 5 15M Queue AF3 DRR:15 1:1 Traffic shaping
VIP user 2 300M
Application 6 30M Queue AF2 DRR:10 Common user 3 GQ1
Common user 4
Application 7 40M Queue AF1 DRR:10
SQ2 SP
Application 8 30M Queue BE DRR:10
DRR Shaping (bypass)
VIP user 2 1:1 DP1

AP2
Common user 3 Common user group
Common user 4 VIP user 2 Traffic shaping
Maximum integer value
Common user 5 SQ3 200M
Common
GQ2
user 5

Switches and WACs support multi-level queue scheduling through large buffers.


Intelligent HQoS: Wireless Traffic Scheduling Based on Users and Service Priorities

User group–based Air interface slicing- Application


scheduling based scheduling scheduling

Voice service

VR service Application-
Common based
VIP user
user bandwidth
Video service allocation

Web service

Common VIP user


user

Services of high-priority users are preferentially scheduled.
Transmission latency reduced to as low as 10 ms through the air interface slicing technology
