
HCPP - IP Network

Small- and Medium-Sized Campus Network Design Guide


Page 0 Copyright © Huawei Technologies Co., Ltd. All rights reserved.
Contents
1. Service Requirements and Challenges of Small- and Medium-Sized Campus Networks
2. Introduction to Huawei CloudCampus Solution
3. Huawei CloudCampus Solution Design for Small- and Medium-Sized Campus Networks
4. Typical Industry Application Scenarios


Technology Development Trend

Network cloudification
• Thanks to the evolution of the cloud architecture, enterprises can focus on services without the need to pay too much attention to IT architecture construction.
• To support service cloudification, enterprises need to create a ubiquitous, intelligent, controllable, and on-demand network.
• The network needs to become more a service than a solution.

Cloud security
• Cloud security becomes increasingly important.
• Facing cloudification, enterprises are subject to attacks that are different from those on traditional networks when providing various services.
• Security has shifted from passive defense to proactive defense.
• Detection and response have become as important as defense.

IoT
• The use of IoT directly leads to a huge increase in the number and types of terminals that access the network, and these terminals generate a large amount of data.
• Diversified IoT sensing networks need to be smoothly connected to the existing campus network.
• The types of terminals connected to the campus network become complex, and the network becomes a converged network with multiple types of terminals and media.


Service Requirements and Challenges of Small- and Medium-Sized Campus Networks

Industry changes accelerate, bringing the following changes in campus network service requirements
Network cloudification brings rapid development in new ICT technologies, such as cloud computing, cloud security, big data, and IoT, leading to tremendous changes in all industries.
• The traditional retail industry, such as shopping malls and supermarkets, often offers free Wi-Fi as a way to attract and retain customers, and also uses wireless positioning and customer flow analysis to carry out precision marketing.
• In the education sector, electronic classrooms are becoming more and more popular, and various multimedia teaching methods can stimulate students' interest.
• Small- and medium-sized enterprises (SMEs) implement simplified service deployment and fast provisioning through cloud management network interconnection, remote access, and mobile office, as well as unified cloud data management and analysis.
However, an increasing number of network nodes bring complex requirements.

Traditional deployment and management solutions have the following problems
1. Low deployment efficiency slows down service provisioning: site survey, planning, deployment, software commissioning, configuration, and optimization must be completed onsite by professional IT personnel.
2. Complex network management causes high OPEX: local professional O&M results in low O&M efficiency and high labor costs. The network management system (NMS), policy control server, charging system, and data analysis platform are deployed independently, causing high management and maintenance costs.
3. Poor network openness: the open data provided by the multiple management systems of a traditional network needs to be integrated. In addition, due to the incompatibility of interfaces, the network and applications are connected at a far slower speed than application development.


Requirement Analysis for Small- and Medium-Sized Campus Networks

[Figure: a cloud management platform managing site network 1, site network 2, ..., site network N over the Internet; each site contains its own network devices.]

1. Plug-and-play network devices improve deployment efficiency (unified management and centralized configuration; plug-and-play and on-demand expansion)
• Centrally delivers configurations of multiple sites, reducing onsite configuration and commissioning workload and improving deployment efficiency.
• Implements plug-and-play of network devices and on-demand expansion, requiring low costs for upgrades.

2. Cloud-based centralized and simplified O&M (centralized cloud management of multiple branches and automated remote O&M)
• Centrally manages scattered campus branches on the cloud through the Internet.
• Integrates multiple automation tools for troubleshooting, monitoring, and other management operations, so as to implement remote automated O&M.

3. Open APIs accelerate business application integration (open APIs and big data analytics capabilities)
• Interconnects with multiple management systems to achieve unified network management through open APIs and big data analytics capabilities.
• Provides more value-added applications to help the digital transformation of enterprises.

Digitalization leads to changes in network models, accelerating network transformation to cloud-based network management.




Huawei CloudCampus Solution Deployment

On-premises scenario
• Scenario definition: Customers purchase the controller and analyzer and deploy them in their data centers or on a public cloud IaaS platform to manage their own networks, without the need to provide network management services.
• Operations entity: Customer
• Software quotation mode (same as the hardware quotation mode): A-la-carte mode or N1 software package (permanent license + SNS)
• Recommended application scenario: Medium- and large-sized campus networks

Huawei public cloud scenario
• Scenario definition: Customers purchase Huawei's public cloud management service and use the SaaS service deployed on Huawei public cloud to manage their own networks.
• Operations entity: Huawei
• Software quotation mode: Tenant subscription mode (through the activation code)
• Recommended application scenario: Small- and medium-sized campus networks

MSP-owned cloud scenario
• Scenario definition: MSPs purchase cloud management platform software, such as the controller and analyzer, and deploy the software in their data centers or on a public cloud IaaS platform to provide network management services.
• Operations entity: MSP or carrier
• Software quotation mode: MSP subscription mode (through the license file); tenants do not need to subscribe to services from Huawei.
• Recommended application scenario: Small- and medium-sized campus networks

• Small- and medium-sized campus networks are sensitive to CAPEX and OPEX. Therefore, the public cloud management mode is recommended. In this mode, the SaaS service provided by Huawei or MSPs is used to manage small- and medium-sized campus networks.
• Both the Huawei public cloud and MSP-owned cloud modes are available and the two modes are similar. The only difference lies in the operations entity and the cloud management service provider. Unless otherwise specified, only Huawei public cloud management is used as an example.


Huawei Cloud Managed Network, Enabling Digital Operations with Ultimate Experience

[Figure: industry applications and value-added SaaS on top of iMaster NCE, which manages a multi-tenant network.]

Ultra-broadband connection, improving network and application quality
• All-scenario WLAN, ensuring high bandwidth, high concurrency, and low latency
• Secure and reliable platform and network in compliance with the laws and regulations of the industry and related countries
• Open APIs for industry-specific applications, accelerating digital transformation

Simplified management, reducing OPEX
• WLAN Planner: customized network planning templates and automatic generation of network planning reports
• Diversified scenario-based packages: topology + device models + parameters, implementing one-stop configuration
• Various O&M methods based on GIS maps, logical topologies, and mobile apps
• Online and centralized inspection of multiple branches and automatic report generation

AI-powered cloud-based intelligent O&M
• Intelligent network O&M: proactively predicts potential faults, ensuring user and application access experience
• SD-WAN: intelligently ensures WAN interconnection of key services, bringing ultimate experience to branches


Simplified Full-Lifecycle Management

Stage: cloud managed network / traditional network
• Procurement: self-service order placement / manual order placement
• Network planning: online network planning / manual 2D planning
• Deployment: scenario-based package, deployment by scanning device barcodes using a mobile app, automatic delivery of scenario-based configurations / onsite deployment
• Acceptance: one-click acceptance / manual inspection
• O&M: intelligent O&M, mobile app, fault self-diagnosis / manual fault locating


Architecture of Huawei CloudCampus Solution for Small- and Medium-Sized Campus Networks

[Figure: layered architecture, top to bottom]
• Value-added SaaS: third-party authentication and accounting, big data analytics, customer flow analysis, APP, ...
• RESTful API
• iMaster NCE, in the Huawei public cloud scenario, the MSP-owned cloud scenario, or the on-premises scenario: cloud-based network planning, cloud-based deployment, cloud-based inspection, cloud-based O&M
• Multi-tenant network: each site reaches iMaster NCE over the Internet through its egress device (firewall or AR), with switches (a WAC where needed) and APs below it. Example sites: shopping center and primary/secondary education, supermarket/shopping mall, hotel, micro store.


Highlights of Huawei CloudCampus Solution for
Small- and Medium-Sized Campus Networks
• Automatic deployment: Devices can be easily and quickly deployed.

• Cloud-based network planning and mobile O&M: WLAN design and device O&M are simplified.

• Diversified product portfolios: Huawei provides different product portfolios, including full series
of network devices (switches, firewalls, ARs, and APs), meeting diversified network requirements of
tenants.

• Dual-working-mode: All network devices used in this solution can work in either cloud-based or
traditional management mode. Tenants can implement cloud-based network management after
devices are upgraded.

• VASs: Terminal behavior analysis is a value-added application of iMaster NCE-Campus. More VASs
can be developed based on terminal behavior analysis.



Quiz
1. What are the differences between the Huawei public cloud scenario and the MSP-owned cloud scenario?
A. Operations entity
B. Software quotation mode
C. Recommended application scenario

2. What are the highlights of the Huawei CloudCampus solution?
A. Automatic deployment
B. Cloud-based network planning and mobile O&M
C. Dual-working-mode




Solution Design for Small- and Medium-Sized Campus Networks

1. Networking solution design
• Single AP, AR, or firewall
• AR + AP
• Firewall + AP
• AR + L2 switch + AP
• Firewall + L2 switch + AP

2. Network design
• Basic network management
• Physical network design
• Network deployment design
• Basic service design
• WLAN design
• Access control design

3. QoS design
• Rate limiting
• Wireless QoS

4. Security design
• Egress security design
• Intranet security (wired network)
• Intranet security (wireless network)

5. O&M design
• Administrator design
• Intelligent O&M


Design Principles of the Networking Solution (1/3)

Requirement analysis
• Network scale: site area, number of terminals, number of APs, etc.
• Network security requirements: requirements for advanced security features and egress gateway security; egress gateway device model and security feature requirements

[Figure: Internet, AR or firewall as egress, switch, APs]


Design Principles of the Networking Solution (2/3)

Network scale: area < 50 m²; maximum number of concurrent online terminals < 50. Recommended networking: single-device networking.
• Egress security requirement: low. Key networking requirements: wireless user access only; single Internet egress. Recommended device: AP.
• Egress security requirement: low. Key networking requirements: wired and wireless user access; Ethernet uplink or 3G/LTE uplink. Recommended device: AR.
• Egress security requirement: high. Key networking requirements: wired and wireless user authentication and access; multiple Internet uplinks with an LTE backup uplink; high security requirements (URL filtering/IPS/security protection/antivirus). Recommended device: firewall.

Network scale: area < 300 m²; maximum number of concurrent online terminals < 200. Recommended networking: egress gateway + AP networking.
• Egress security requirement: low. Key networking requirements: wireless access only; Ethernet uplink or 3G/LTE uplink. Recommended devices: AR + AP.
• Egress security requirement: high. Key networking requirements: wired and wireless authentication and access; multiple Internet uplinks; high security requirements (URL filtering/IPS/security protection/antivirus). Recommended devices: firewall + AP.

Design Principles of the Networking Solution (3/3)

Network scale: area < 3000 m²; maximum number of concurrent online terminals < 2000. Recommended networking: egress gateway + L2 switch + AP networking.
• Egress security requirement: low. Key networking requirements: wired and wireless access; multiple Internet uplinks. Recommended devices: AR + L2 switch + AP.
• Egress security requirement: high. Key networking requirements: wired and wireless access; multiple Internet uplinks; high security requirements (URL filtering/IPS/security protection/antivirus). Recommended devices: firewall + L2 switch + AP.


Networking Solution: Single AP

[Figure: Internet, carrier CPE, AP]

• Solution description: In single-AP networking, an AP functions as the gateway of end users and the egress device of the campus network.
• Applicable scenarios:
  - Small-sized stores (such as agent stores and gas stations) with an area of smaller than 50 m².
  - A maximum of 50 concurrent online terminals are supported.
  - Only wireless user access is supported.
  - Only one wired Internet egress link is required.


Networking Solution: Single AR

[Figure: Internet reached through a carrier CPE (wired uplink) or a carrier LTE base station (3G/LTE uplink); AR]

• Solution description: In single-AR networking, an AR functions as the gateway to provide access for wired and wireless terminals.
• Applicable scenarios:
  - Small convenience stores and clothing stores with an area of smaller than 50 m².
  - A maximum of 50 concurrent online terminals are supported.
  - Wired and wireless terminal access is supported, and a wired uplink or a 3G/LTE wireless uplink is required for Internet access.


Networking Solution: Single Firewall

[Figure: Internet reached through a carrier CPE (wired uplink) or a carrier LTE base station (3G/LTE uplink); firewall]

• Solution description: In single-firewall networking, a firewall functions as the gateway to provide access for wired and wireless terminals.
• Applicable scenarios:
  - High-security scenarios such as small stores for logistics, office, and finance with an area of smaller than 50 m².
  - A maximum of 50 concurrent online terminals are supported.
  - High security requirements (URL filtering/IPS/security protection/antivirus) need to be met and Internet access is provided through multiple uplinks. For example, in a scenario where an LTE backup link is required, only simple PSK or non-authentication wireless access is supported. Note that this means wireless access on the LTE backup path is less strongly authenticated than the rest of the design; plan the SSIDs and the reachable resources on that path accordingly.


Networking Solution: AR + AP

[Figure: Internet reached through a carrier CPE (wired uplink) or a carrier LTE base station (3G/LTE uplink); AR; multiple APs]

• Solution description: In a scenario where multiple APs are required to meet wireless coverage requirements, an AR functions as the user gateway to provide egress features, such as WAN access, DHCP, and NAT.
• Applicable scenarios:
  - Small- and medium-sized clothing stores, shopping malls, and supermarkets with an area of smaller than 300 m².
  - A maximum of 200 concurrent online terminals are supported.
  - Multiple APs are required to provide coverage, and a wired uplink or a 3G/LTE wireless uplink is required for Internet access.


Networking Solution: Firewall + AP

[Figure: Internet, carrier CPE, firewall, multiple APs]

• Solution description: In a scenario where multiple APs are required to meet wireless coverage requirements, a firewall functions as the user gateway to provide egress features, such as WAN access, DHCP, and NAT.
• Applicable scenarios:
  - Small- and medium-sized experience stores and logistics/insurance service stores, with an area of smaller than 300 m² and fewer than 200 concurrent online terminals.
  - Multiple APs are required, high security requirements (URL filtering/IPS/security protection/antivirus) must be met, and Internet access is provided through multiple uplinks.


Networking Solution: AR + L2 Switch + AP

[Figure: Internet, carrier CPE, AR, L2 switch, multiple APs]

• Solution description:
  - An L2 PoE switch is used to increase the number of APs that can be connected.
  - An AR functions as the egress gateway and user gateway to provide egress features, such as WAN access, DHCP, and NAT.
  - The L2 switch provides extended PoE access and access for wired terminals, and connects to the APs that provide access for wireless terminals.
• Applicable scenarios:
  - Small- and medium-sized clothing stores and retail stores with an area of smaller than 3000 m² and fewer than 2000 concurrent online terminals.
  - Multiple APs need to be deployed to provide wireless access, a PoE LAN switch is used to increase the number of APs that can be connected, and multiple uplinks are required for Internet access.
Networking Solution: Firewall + L2 Switch + AP

[Figure: Internet, carrier CPE, firewall, L2 switch, multiple APs]

• Solution description: An L2 PoE switch is used to increase the number of APs that can be connected. A firewall functions as the user gateway to provide egress features, such as WAN access, DHCP, and NAT. The L2 switch provides extended PoE access and access for wired terminals, and connects to the APs that provide access for wireless terminals.
• Applicable scenarios:
  - Small- and medium-sized experience stores and logistics/insurance service stores, with an area of smaller than 3000 m² and fewer than 2000 concurrent online terminals.
  - Multiple APs need to be deployed to provide wireless access, high security requirements (URL filtering/IPS/security protection/antivirus) need to be met, and multiple uplinks are required for Internet access.


Important Roles in the CloudCampus Solution for Small- and Medium-Sized Campus Networks (1/4)

[Figure: role hierarchy, top to bottom: platform operator, MSPs, tenants, end users]

Platform operator
• Description: It is also called the platform administrator or system administrator.
• Account: The account is created by the platform operator when iMaster NCE-Campus is installed.
• Responsibilities:
  - Installs and maintains iMaster NCE-Campus.
  - Manages MSPs and tenants.
  - Collects statistics on the number of devices and services on the entire network.
  - Provides basic network VASs.


Important Roles in the CloudCampus Solution for Small- and Medium-Sized Campus Networks (2/4)

MSP
• Description: It is also called the cloud managed service provider and has professional network construction and maintenance capabilities.
• Account: This account is created by the platform or system administrator.
• Responsibilities:
  - Provides cloud managed services to end users.
  - Monitors tenant networks and periodically performs cloud inspection to detect exceptions and evaluate risks and problems.
  - Provides simple deployment assistance if tenant administrators can deploy and maintain the campus network themselves.
  - Builds and maintains campus networks for tenants if tenant administrators do not have IT capabilities and authorize MSPs to manage their networks.


Important Roles in the CloudCampus Solution for Small- and Medium-Sized Campus Networks (3/4)

Tenant
• Description: Tenants manage and maintain campus networks. They need to purchase cloud-managed devices and services based on their own service development requirements to build networks.
• Account:
  - This account is created by an MSP administrator.
  - Tenant self-registration is supported only in the Huawei public cloud scenario.
• Responsibilities: Builds and maintains campus networks. There are two scenarios based on IT capabilities:
  - Tenant-managed construction and maintenance: Tenant administrators deploy and maintain campus networks by themselves.
  - MSP-managed construction and maintenance: Tenant administrators apply for managed services from the MSP administrator.
Important Roles in the CloudCampus Solution for Small- and Medium-Sized Campus Networks (4/4)

End user
• Description: end users of a campus network, for example, employees or visitors
• Account: N/A
• Responsibility: N/A


Site Design

Site in the CloudCampus Solution
• A site is an abstract concept in the CloudCampus Solution. It can be defined as an independent network, such as a branch or an independent campus network.

[Figure: the Internet connecting a supermarket site, a store site, and a school site]

Site design: considering management and O&M convenience
• An independent branch can be deployed as a site based on its physical location, for example, a financial branch of a bank or a campus of a university.
• Each site can be assigned a tenant administrator or an MSP administrator for network O&M.
• For a medium-sized campus network, do not allocate too many sites. Otherwise, the interconnection between sites will be complicated and the management complexity will increase.


Physical Network Design for a Site: Egress Gateway

[Figure: Internet, egress gateway, L2 switch]

Egress gateway
• Use firewalls in high-security scenarios.
• Use AR routers in family hotels, small retail outlets, and branches.
• Use APs in small stores where only a single AP is deployed.

Egress networking design
• For a large-scale network, it is recommended that firewalls or AR routers be deployed in a two-node cluster at the egress and that links of multiple carriers be used as egress links for backup.
• For a small-scale network, it is recommended that a single device and links of a single carrier be used at the egress.

Function requirements for egress devices
• Basic VPN function and WAN port/dial-up access function
• Security firewall function for scenarios with security requirements


Physical Network Design for a Site: Core and Aggregation Layer

[Figure: Internet, egress, aggregation layer]

Consider the following aspects when designing the aggregation layer (combined with the core layer):
• For a large-scale network, stack networking is recommended for the aggregation layer. If there are two layers of aggregation switches, they are interconnected through Eth-Trunks. It is recommended that the egress device be used as the user gateway.
• For a small-scale network, it is recommended that a single device be deployed at the aggregation layer. Stack networking can also be deployed based on the network scale and reliability requirements. It is recommended that the egress device be used as the user gateway.
• For smaller-scale networks such as small shopping malls and supermarkets, aggregation devices do not need to be deployed.


Physical Network Design for a Site: Access Layer

[Figure: Internet, egress, access layer switches, APs]

Access device
• Select PoE switches with enough ports for the number of connected APs.
• Select a PoE switch according to the specific AP model.
• Use agile distributed APs in multi-room building scenarios.

Networking design
• For a large-scale network, stack networking is recommended for the access layer. If a single device can provide sufficient access capacity for downstream terminals, single-device networking can be used at the access layer. When the upstream devices of the access layer are stacked, it is recommended that Eth-Trunks be used to connect to them. If multiple APs need to be deployed, PoE LAN switches can be used to increase the number of APs that can be connected.
• For a small-scale network, it is recommended that single-device networking be used at the access layer and that a single link be used to connect to the upstream device. If multiple APs need to be deployed, PoE LAN switches can be used to increase the number of APs that can be connected.
• In small- and medium-sized stores, APs need to be deployed. APs can be directly connected to egress gateways without access switches.


Physical Network Design for a Site: Reliability

Cloud management platform reliability
• Management-side reliability
• High redundancy
• Highly reliable data center

Authentication reliability
• Authentication server reliability: a primary and a secondary authentication server behind the network admission control device.
• Consider the bypass policy that is used if the authentication server is faulty. Currently, there are two types of policies that come into effect after a fault: those that require no authentication and those that prevent user access from being affected. A no-authentication bypass is fail-open: it keeps the site usable while both servers are unreachable, but admits unauthenticated terminals for the duration of the fault, so restrict what such terminals can reach and re-authenticate them once a server recovers.

Network reliability
• Egress link reliability: a wired uplink with a 3G/LTE backup uplink.
• Device reliability: two egress gateways can be deployed for dual-system backup, and LAN switches at the core and aggregation layers can be stacked to implement physical device backup.
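The two bypass policies named above behave very differently once both authentication servers are down. The following added example (written for this guide; it is not Huawei code and does not model any specific product) simulates an access device with a primary and a secondary authentication server and shows what happens to an existing user and to a new user under a fail-closed policy, the "no authentication" bypass, and the "keep existing users online" bypass. The MAC addresses, credential directory, VLAN numbers and the escape VLAN 999 are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class BypassPolicy(Enum):
    """What the access device does when every authentication server is unreachable."""
    DENY = "deny"                 # fail closed: nobody new gets on
    NO_AUTH = "no-auth"           # admit new users without authenticating them (escape VLAN)
    KEEP_ONLINE = "keep-online"   # already-authorized users are unaffected; new users wait


@dataclass
class AuthServer:
    name: str
    reachable: bool = True


@dataclass
class AccessController:
    """Network admission control device with primary/secondary servers and a bypass policy."""
    servers: list                                   # ordered: primary first, then secondary
    policy: BypassPolicy
    escape_vlan: int = 999                          # assumed restricted VLAN used under NO_AUTH
    online: dict = field(default_factory=dict)      # mac -> VLAN currently assigned
    credentials: dict = field(default_factory=dict) # mac -> (password, vlan); constructed directory

    def pick_server(self):
        """First reachable server in priority order, or None if all are down."""
        return next((s for s in self.servers if s.reachable), None)

    def admit(self, mac, password):
        """Return (decision, vlan, server_used) for one access attempt."""
        server = self.pick_server()
        if server is not None:
            entry = self.credentials.get(mac)
            if entry and entry[0] == password:
                self.online[mac] = entry[1]
                return ("authorized", entry[1], server.name)
            return ("rejected", None, server.name)
        # Every server is unreachable: the configured bypass policy decides.
        if self.policy is BypassPolicy.DENY:
            return ("denied", None, None)
        if self.policy is BypassPolicy.NO_AUTH:
            self.online[mac] = self.escape_vlan        # fail open, but into a restricted VLAN
            return ("escaped", self.escape_vlan, None)
        if mac in self.online:                         # KEEP_ONLINE: existing session unaffected
            return ("kept", self.online[mac], None)
        return ("pending", None, None)                 # new user waits for a server to recover


def run_scenario(policy):
    """Drive one controller through primary failure, then secondary failure."""
    primary, secondary = AuthServer("primary"), AuthServer("secondary")
    nac = AccessController([primary, secondary], policy,
                           credentials={"aa:bb:cc:00:00:01": ("s3cret", 10)})
    log = []
    log.append(nac.admit("aa:bb:cc:00:00:01", "s3cret"))   # normal operation, primary answers
    primary.reachable = False
    log.append(nac.admit("aa:bb:cc:00:00:02", "wrong"))    # secondary takes over and rejects
    secondary.reachable = False
    log.append(nac.admit("aa:bb:cc:00:00:01", "s3cret"))   # known user, both servers down
    log.append(nac.admit("aa:bb:cc:00:00:03", "s3cret"))   # brand-new user, both servers down
    return log


if __name__ == "__main__":
    for policy in BypassPolicy:
        print(policy.value, run_scenario(policy))
```

The KEEP_ONLINE variant is the one that matches "prevent user access from being affected": users who authenticated before the fault keep their VLAN, while a newcomer is parked until a server is reachable again. NO_AUTH is the "require no authentication" variant; the example puts such users in a separate escape VLAN so that the fail-open window can be bounded by ACLs on that VLAN.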


Network Deployment Design: Deployment Mode (1/3)

Through the CloudCampus APP (barcode scanning); devices supported: AP
1. Scan the barcode on the AP with the CloudCampus APP.
2. The APP obtains the ESN and MAC address of the AP.
3. The APP reports the AP information to iMaster NCE, which records it (Tenant: Tenant X; Site: Site Y; Device: AP (ESN...); iMaster NCE shown as 1.1.1.1:8080 in the figure).
4. iMaster NCE synchronizes the device information to the Huawei registration center.
5. The AP registers with iMaster NCE over the Internet and gets managed.

Through the registration center; devices supported: AR, firewall, switch, AP
1. The device information is recorded on iMaster NCE (Tenant: Tenant X; iMaster NCE: 1.1.1.1:8080; Device: AP (ESN...)).
2. iMaster NCE synchronizes the device information to the Huawei registration center.
3. The device automatically initiates a query request to the Huawei registration center to obtain the IP address and port number of iMaster NCE.
4. The registration center returns the IP address and port number of iMaster NCE.
5. The device switches to the cloud mode and initiates a registration request to iMaster NCE over the Internet.
6. The device registers with iMaster NCE and gets managed.


Network Deployment Design: Deployment Mode (2/3)

Through the web system; devices supported: AR, firewall, switch, AP
1. In the web system, configure the Internet access parameters, the cloud management mode, and the IP address/URL and port number of iMaster NCE.
2. The device registers with iMaster NCE over the Internet and gets managed.

Through the CLI; devices supported: AR, firewall, switch, AP
1. On the CLI, configure the Internet access parameters, the cloud management mode, and the IP address/URL and port number of iMaster NCE.
2. The device registers with iMaster NCE over the Internet and gets managed.


Network Deployment Design: Deployment Mode (3/3)

Through DHCP Option 148; devices supported: AR, switch, AP
• The network administrator has deployed the DHCP service on the network in advance, either on the egress device (an AR in the figure) or on an independent DHCP server.
• In addition to delivering IP addresses to the devices to be deployed, the DHCP server uses DHCP Option 148 to notify the devices of the iMaster NCE IP address and port number.
Flow for a switch to be deployed:
1. The DHCP service is in place on the AR.
2. The switch sends a DHCP request.
3. The AR returns a DHCP response carrying Option 148.
4. The switch switches to the cloud mode and initiates a registration request to iMaster NCE over the Internet.

Because the device acts on whatever controller address Option 148 carries, only a DHCP server under the administrator's control may serve the segment on which devices are deployed; this is why the mode is offered only where the DHCP options can be configured on the network.
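To make the Option 148 exchange concrete, the following added example (written for this guide, not Huawei code) builds the options field of a DHCP response as the server would, then parses it as the device would to recover the controller address and port. The DHCP options encoding (magic cookie, code/length/value triples, END) follows RFC 2132; the text layout of the Option 148 payload (key=value pairs separated by semicolons, with the keys used below) is an assumption for the example and must be checked against the device documentation before use. The controller address 10.1.1.10, port 10020 and the LAN addresses are constructed values.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2132: options field starts with this cookie
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER = 0, 1, 3
OPT_MSG_TYPE, OPT_NCE, OPT_END = 53, 148, 255  # 148 is the option the page uses for iMaster NCE
DHCPOFFER = 2


def nce_option_value(host, port):
    """Assumed key=value layout of the Option 148 payload (example, verify against device docs)."""
    return (f"agilemode=agile-cloud;agilemanage-mode=ip;"
            f"agilemanage-domain={host};agilemanage-port={port}").encode("ascii")


def encode_options(options):
    """Server side: list of (code, bytes) -> DHCP options field with cookie and END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < code < 255:
            raise ValueError(f"option code {code} not encodable as a TLV")
        if len(value) > 255:
            raise ValueError("option length field is one octet; payload too long")
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Device side: parse the options field into {code: value}; reject truncated input."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, found = len(MAGIC_COOKIE), {}
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                      # single-octet padding, no length field
            i += 1
            continue
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        found[code] = value
        i += 2 + length
    return found


def controller_endpoint(options):
    """Return (host, port) from Option 148, or None if it is absent or malformed."""
    raw = options.get(OPT_NCE)
    if raw is None:
        return None
    pairs = raw.decode("ascii", "replace").split(";")
    fields = dict(kv.split("=", 1) for kv in pairs if "=" in kv)
    host, port = fields.get("agilemanage-domain"), fields.get("agilemanage-port", "")
    if host is None or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host, int(port)


def build_offer_options(controller_host, controller_port):
    """Options field of a DHCPOFFER for the deployment segment (addresses are constructed)."""
    return encode_options([
        (OPT_MSG_TYPE, bytes([DHCPOFFER])),
        (OPT_SUBNET_MASK, bytes([255, 255, 255, 0])),
        (OPT_ROUTER, bytes([192, 168, 100, 254])),
        (OPT_NCE, nce_option_value(controller_host, controller_port)),
    ])


if __name__ == "__main__":
    offer = build_offer_options("10.1.1.10", 10020)
    print(offer.hex())
    print(controller_endpoint(decode_options(offer)))
```

A device that cannot parse Option 148 (absent, garbled, or with an out-of-range port) gets None and would fall back to one of the other deployment modes rather than attempting to register with a nonsense endpoint; the parser also refuses an options field that ends mid-option instead of reading past the buffer.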


Network Deployment Design: Recommended Deployment Mode for Egress Gateways

Scenario: In the Huawei public cloud or MSP-owned cloud scenario, egress gateways can obtain IP addresses only in static or PPPoE mode.
• AR: web system
• Firewall: web system
• AP: CloudCampus APP

Scenario: In the Huawei public cloud scenario, egress gateways can directly obtain IP addresses of external network interfaces through DHCP.
• AR: registration query center
• Firewall: registration query center
• AP: registration query center


Network Deployment Design: Deployment and Registration of Devices on the Intranet (LAN Side)
• LAN-side devices include LAN switches and APs. These devices are deployed on the intranet.
• In the Huawei public cloud scenario, the registration center is recommended for deployment.
• If you do not want to synchronize device information to the registration center, you can use the DHCP option deployment mode.

LAN-side device deployment mode
Huawei public cloud scenario
• The DHCP options cannot be configured on the network: LAN switch: registration center; AP: registration center
• The DHCP options can be configured on the network: LAN switch: registration center or DHCP option; AP: registration center or DHCP option
MSP-owned cloud scenario
• The DHCP options cannot be configured on the network: LAN switch: web system; AP: CloudCampus APP
• The DHCP options can be configured on the network: LAN switch: registration center or DHCP option; AP: registration center or DHCP option


Quiz
1. Which of the following statements are true about the access layer design of the CloudCampus
Solution that is applied to small- and medium-sized campus networks?

A. Access switch models are selected based on the number of APs to be connected and whether PoE is
required.

B. In small-scale sites, such as small stores, APs and egress devices must be deployed to provide WLAN
coverage. APs cannot directly connect to egress links and do not support NAT.

C. For large-scale networks in medium-sized shopping malls, supermarkets, and primary/secondary


education campuses, stack networking is recommended at the access layer. A single device can be used at
the access layer if it will provide sufficient access for downstream terminals. When aggregation or core
switches are stacked, it is recommended that Eth-Trunk interfaces be used to connect to them. Multiple APs
need to be deployed and a PoE LAN switch is used to increase the number of APs to be connected.

D. As a switch is selected according to the following formula: Number of connected APs x AP power ≤
Power provided by the PoE switch, it is important to select PoE switch models with power supplies sufficient
for the model and quantity of APs used.
Basic Service Design — VLAN
• Allocate consecutive VLAN IDs to ensure proper use of VLAN resources.
• Reserve a specific number of VLANs for future use.
• VLANs are classified into service VLANs, management VLANs, and interconnection VLANs.
• Typically, VLANs are divided based on interfaces. According to different design principles, interfaces of access switches are added to different VLANs so that users of different service types can be isolated.

Service VLAN design
• VLAN assignment by geographic area
• VLAN assignment by logical area
• VLAN assignment by personnel structure
• VLAN assignment by service type

Management VLAN design
(Figure: the gateway has VLANIF 100 with address 192.168.100.254; the two Layer 2 switches have VLANIF 100 with addresses 192.168.100.1 and 192.168.100.2; all belong to management VLAN 100.)
Generally, Layer 2 switches use VLANIF interface addresses as management addresses. It is recommended that all Layer 2 switches use the same management VLAN and all management IP addresses be on the same network segment.



Basic Service Design — IP Address Planning

Management IP address
(Figure: the gateway has VLANIF 100 with address 192.168.100.254; the two Layer 2 switches have VLANIF 100 with addresses 192.168.100.1 and 192.168.100.2 in management VLAN 100.)
A Layer 2 device uses the VLANIF interface's IP address as the management IP address. It is recommended that all Layer 2 switches connected to a gateway be on the same network segment.

Interconnection IP address
It is recommended that the interconnection IP address use a 30-bit mask. The core device uses a smaller IP address.

Service IP address
(Figure: the gateway holds 192.168.1.254, 192.168.5.254, and 192.168.100.254; shop assistants use 192.168.1.0/24, partners 192.168.5.0/24, and guests 192.168.100.0/24.)
Service IP addresses are the IP addresses of servers, hosts, and gateways.
• You are advised to use the same last digit as the gateway address, such as .254.
• The IP address range of each service must be clearly distinguished. The IP addresses of each type of service terminals must be contiguous and can be aggregated.
• You are advised to use an IP address segment with a 24-bit mask.

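The VLAN and IP address planning rules on the two slides above (consecutive VLAN IDs, a reserved VLAN range, /24 service segments with a .254 gateway that aggregate cleanly, one management segment for all Layer 2 switches, /30 interconnection links with the core on the lower address) can be checked mechanically before configuration is pushed. The checker below is an added example written for this guide; it is not Huawei tooling, and the two plans it inspects are constructed sample data. It flags the plan that breaks the rules and passes the one that follows them.

```python
"""VLAN and IP plan checker for the planning rules on the VLAN and IP address slides.
Added example for this guide, not Huawei tooling; both plans below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Vlan:
    vid: int
    kind: str                  # "service", "management" or "interconnection"
    name: str
    subnet: str                # CIDR, e.g. "10.10.0.0/24"
    gateway: str = ""          # gateway address of a service or management VLAN
    core_ip: str = ""          # core-side address of an interconnection link
    mgmt_ips: List[str] = field(default_factory=list)   # Layer 2 switch management addresses


def _consecutive(ids: List[int]) -> bool:
    s = sorted(ids)
    return s == list(range(s[0], s[0] + len(s)))


def check_plan(vlans: List[Vlan], reserved: range) -> List[str]:
    """Return a list of findings; an empty list means the plan follows every rule."""
    findings: List[str] = []
    by_kind: Dict[str, List[Vlan]] = {}
    for v in vlans:
        by_kind.setdefault(v.kind, []).append(v)

    # Rule: each VLAN class gets a consecutive block of IDs outside the reserved range.
    for kind, group in by_kind.items():
        ids = [v.vid for v in group]
        if not _consecutive(ids):
            findings.append(f"{kind} VLAN IDs {sorted(ids)} are not consecutive")
        for v in group:
            if v.vid in reserved:
                findings.append(f"VLAN {v.vid} ({v.name}) lies in the reserved range "
                                f"{reserved.start}-{reserved.stop - 1}")

    # Rule: address ranges of different services must be clearly distinguished.
    nets = [(v, ipaddress.ip_network(v.subnet)) for v in vlans]
    for i, (v1, n1) in enumerate(nets):
        for v2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                findings.append(f"VLAN {v1.vid} {n1} overlaps VLAN {v2.vid} {n2}")

    # Rule: service segments use /24, a .254 gateway, and aggregate to one summary prefix.
    svc_nets = []
    for v in by_kind.get("service", []):
        n = ipaddress.ip_network(v.subnet)
        svc_nets.append(n)
        if n.prefixlen != 24:
            findings.append(f"service VLAN {v.vid} uses /{n.prefixlen}; /24 is recommended")
        if ipaddress.ip_address(v.gateway) != n.network_address + 254:
            findings.append(f"service VLAN {v.vid} gateway {v.gateway} is not the .254 address of {n}")
    if len(svc_nets) > 1 and len(list(ipaddress.collapse_addresses(svc_nets))) != 1:
        findings.append("service segments are not contiguous and cannot be aggregated into one prefix")

    # Rule: one management VLAN, with every management address on its segment.
    mgmt = by_kind.get("management", [])
    if len(mgmt) != 1:
        findings.append(f"expected one management VLAN, found {len(mgmt)}")
    for v in mgmt:
        n = ipaddress.ip_network(v.subnet)
        for ip in [v.gateway] + v.mgmt_ips:
            if ipaddress.ip_address(ip) not in n:
                findings.append(f"management address {ip} is outside management segment {n}")

    # Rule: interconnection links use /30 and the core device takes the lower address.
    for v in by_kind.get("interconnection", []):
        n = ipaddress.ip_network(v.subnet)
        if n.prefixlen != 30:
            findings.append(f"interconnection VLAN {v.vid} uses /{n.prefixlen}; /30 is recommended")
        elif ipaddress.ip_address(v.core_ip) != n.network_address + 1:
            findings.append(f"interconnection VLAN {v.vid}: core should use "
                            f"{n.network_address + 1}, not {v.core_ip}")
    return findings


# Constructed plans: the first follows the rules, the second breaks several of them.
RESERVED = range(3900, 4095)
GOOD_PLAN = [
    Vlan(10, "service", "employees", "10.10.0.0/24", gateway="10.10.0.254"),
    Vlan(11, "service", "partners", "10.10.1.0/24", gateway="10.10.1.254"),
    Vlan(12, "service", "guests", "10.10.2.0/24", gateway="10.10.2.254"),
    Vlan(13, "service", "iot", "10.10.3.0/24", gateway="10.10.3.254"),
    Vlan(100, "management", "mgmt", "10.10.100.0/24", gateway="10.10.100.254",
         mgmt_ips=["10.10.100.1", "10.10.100.2"]),
    Vlan(200, "interconnection", "core-to-egress", "10.10.200.0/30", core_ip="10.10.200.1"),
]
BAD_PLAN = [
    Vlan(10, "service", "employees", "10.20.1.0/24", gateway="10.20.1.1"),       # gateway is not .254
    Vlan(12, "service", "guests", "10.20.5.0/24", gateway="10.20.5.254"),        # ID gap; segments do not aggregate
    Vlan(100, "management", "mgmt", "10.20.100.0/24", gateway="10.20.100.254",
         mgmt_ips=["10.20.100.1", "10.20.101.2"]),                               # one switch off the segment
    Vlan(4000, "interconnection", "core-to-egress", "10.20.200.0/29", core_ip="10.20.200.1"),  # /29, reserved ID
]

if __name__ == "__main__":
    print("good plan findings:", check_plan(GOOD_PLAN, RESERVED))
    for finding in check_plan(BAD_PLAN, RESERVED):
        print("bad plan:", finding)
```

The aggregation check uses `ipaddress.collapse_addresses`, so four aligned /24 segments collapse to a single /22 summary while 10.20.1.0/24 and 10.20.5.0/24 do not; this is what "contiguous and can be aggregated" buys when the gateway advertises a summary route.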


Basic Service Design — IP Address Assignment Mode (1/2)
(Figure: Internet, carrier CPE, egress gateway, AP, end users, and devices such as servers and printers.)

Egress gateway
IP addresses of WAN interfaces on egress gateways are assigned by the carrier in static, DHCP, or PPPoE mode. The IP addresses of these interfaces need to be obtained from the carrier in advance.

Devices such as servers and printers
It is recommended that servers and special terminals (such as punch-card machines, printers, and IP video surveillance devices) use static IP addresses.

End user
It is recommended that end users be assigned IP addresses in DHCP mode and the gateway provide the DHCP service.



Basic Service Design — IP Address Assignment Mode (2/2)
LAN-side devices
(Figure: an egress gateway connected to an L3 switch over a Layer 3 interconnection; an egress gateway connected to an AP.)

When the egress gateway connects to an L3 switch, it is recommended that the interconnection IP addresses be manually configured in static mode.

It is recommended that the IP address of the AP be dynamically assigned through DHCP after the DHCP server is deployed on the gateway.



Routing Design
(Figure: Internet, egress gateway, L2 switch, and two APs.)
• Internal routing design of the campus network
▫ APs: After an IP address is assigned through DHCP, a default route is generated by default.
▫ Switch and gateway: Static routes can be used to meet requirements. No complex routing protocol needs to be deployed.
• Egress routing design of the campus network
▫ You are advised to configure static routes on the egress device.



WLAN Design 1: WLAN Planner
1. Obtain the floor plan.
2. Log in to Huawei online WLAN Planner: https://serviceturbo-cloud-cn.huawei.com/serviceturbocloud/dist/#/toolappmarket
3. With Huawei Cloud-based WLAN Planner, users can complete WLAN planning in five steps:
   1. Environment setting
   2. Region setting
   3. Device deployment
   4. Signal simulation
   5. Report export
4. Use the network planning report to provide guidance for onsite construction. The network planning result can be imported into iMaster NCE.



WLAN Design 2: Why Does Radio Calibration Require a Leader AP?
(Figure: a campus with four APs, one of which has been elected as the leader AP.)

• A cloud AP is a Fat AP.

• Some WLAN services, such as radio calibration, need to be processed in a centralized manner. When no WAC is deployed (to ensure reliability and performance and enable local computing), a global control role similar to a WAC should be configured.

• Leader AP: In a group of APs, an AP with strong capabilities is elected as the leader AP, which is responsible for global service functions of all APs in the group.

• The leader AP is responsible for radio calibration, load balancing, and other services.

• After the leader AP is elected, other APs set up CAPWAP links with the leader AP for sending radio calibration and load balancing messages.

• The leader AP is automatically elected by cloud APs.



WLAN Design 3: Radio Calibration
• Three calibration modes are available:
▫ Automatic mode: APs periodically perform global calibration based on the calibration time and interval.
▫ Manual mode: APs do not proactively perform radio calibration, and you need to manually perform global or local calibration for APs at the site on iMaster NCE-Campus.
▫ Scheduled mode: APs perform global calibration at a scheduled time every day.

• Calibration procedure (figure):
1. iMaster NCE delivers the calibration command.
2. All APs perform detection.
3. The APs report detection data.
4. The leader AP performs computing and calibration.
5. The leader AP delivers the calibration result.

• APs perform calibration detection according to the configured mode and switch to other channels to scan neighboring APs. The scanning lasts for 15 minutes.

• During the detection, the APs report the detected data to the leader AP every 10s.

• The leader AP performs computing and calibration every 5 minutes and performs computing three times to achieve algorithm convergence.

• The leader AP delivers the calibration result to each AP in the group, including the calculated channel and power.



WLAN Design 4: AP Grouping Design
• The number of APs that the leader AP can manage is limited.

• If the number of APs exceeds the management capability of a leader AP, network planning is required. Management VLANs need to be planned for AP grouping. When there are a large number of APs in a management VLAN, the APs are automatically divided into multiple groups.

• Radio calibration is performed on WLANs in a continuous area. Therefore, it is recommended that APs be grouped by geographic location, such as by floor, to ensure that APs in a group are in the same area. This maximizes the calibration effect.

Random groups
(Figure: APs on floors F1, F2, and F3 are grouped at random across floors.)
If manual intervention is not performed when the number of APs exceeds the upper limit, APs are randomly grouped, affecting the calibration effect.

Groups based on management VLANs
(Figure: F1 in VLAN 1000, F2 in VLAN 1001, F3 in VLAN 1002, one group per floor.)
In a continuous area (such as adjacent APs or APs on the same floor), management VLANs are planned for AP grouping. A leader AP is elected in each group.



WLAN Design 5: Channel and Frequency Bandwidth Selection

AP channel
• 2.4 GHz frequency band: Channel sets 1, 6, and 11 are recommended. If APs are densely deployed, channel sets 1, 5, 9, and 13 are recommended.
• 5 GHz frequency band: When an AP uses a single 5 GHz radio, it is recommended that high and low frequency channels of neighboring APs be staggered. When an AP uses dual 5 GHz radios, it is recommended that the two 5 GHz radios be planned at low and high frequencies respectively.

Frequency bandwidth
• 2.4 GHz frequency band: Only the 20 Mbit/s bandwidth can be selected.
• 5 GHz frequency band: The 40 Mbit/s bandwidth is recommended.

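The 2.4 GHz recommendation above (channels 1/6/11 normally, 1/5/9/13 when APs are dense) is a graph-colouring problem: neighbouring APs must not share a channel, and with only three non-overlapping channels a dense layout cannot always avoid co-channel neighbours. The planner below is an added example for this guide, not Huawei WLAN Planner code; the grid of six APs and the rule that every AP within one cell (diagonals included) is a neighbour are constructed assumptions standing in for the floor plan and signal simulation. It shows that the same dense layout leaves one co-channel pair with the three-channel set and none with the four-channel set.

```python
"""Greedy channel planning for 2.4 GHz APs, added as an example to this guide (not
Huawei WLAN Planner code). The AP grid and neighbour relations below are constructed;
a real plan would take them from the floor plan and the signal simulation."""
from itertools import product
from typing import Dict, List, Sequence, Tuple

NORMAL_DENSITY = (1, 6, 11)      # non-overlapping three-channel set recommended on the slide
HIGH_DENSITY = (1, 5, 9, 13)     # four-channel set recommended for dense deployments


def grid_neighbours(rows: int, cols: int) -> Dict[str, List[str]]:
    """APs placed on a grid; each AP hears every AP at most one cell away, diagonals included."""
    aps = {f"AP{r}{c}": (r, c) for r, c in product(range(rows), range(cols))}
    adj: Dict[str, List[str]] = {name: [] for name in aps}
    for a, (ra, ca) in aps.items():
        for b, (rb, cb) in aps.items():
            if a != b and abs(ra - rb) <= 1 and abs(ca - cb) <= 1:
                adj[a].append(b)
    return adj


def assign_channels(adj: Dict[str, List[str]], channels: Sequence[int]) -> Dict[str, int]:
    """Give each AP the channel used by the fewest already-planned neighbours.
    Channels are tried in the given order, so ties keep the lower channel."""
    plan: Dict[str, int] = {}
    for ap in sorted(adj):
        used = [plan[n] for n in adj[ap] if n in plan]
        plan[ap] = min(channels, key=used.count)
    return plan


def co_channel_pairs(adj: Dict[str, List[str]], plan: Dict[str, int]) -> List[Tuple[str, str]]:
    """Neighbouring APs left on the same channel; each pair is a source of co-channel interference."""
    return sorted((a, b) for a in adj for b in adj[a] if a < b and plan[a] == plan[b])


if __name__ == "__main__":
    floor = grid_neighbours(2, 3)
    for label, chans in (("1/6/11", NORMAL_DENSITY), ("1/5/9/13", HIGH_DENSITY)):
        plan = assign_channels(floor, chans)
        print(label, plan, "co-channel neighbours:", co_channel_pairs(floor, plan))
```

On a real floor the neighbour list comes from measured signal overlap rather than grid distance, and the same greedy pass can be run again after calibration data shows which APs actually hear each other.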


WLAN Design 6: Basic Concepts of Wireless Roaming

Layer 2 roaming
1. When a STA roams between APs on the same Layer 2 network, the service VLAN remains unchanged before and after the roaming.
2. Characteristics: Two APs at the same site have the same SSID and service VLAN.
(Figure: STA 192.168.1.25 roams from AP1 to AP2; both APs provide SSID guest in VLAN 100.)

Layer 3 roaming
• APs before and after STA roaming belong to different service VLANs. The two APs belong to different Layer 2 service domains and connect to different service gateways.
• Characteristics: Two APs at the same site have the same SSID and authentication mode but different service VLANs.
(Figure: STA 192.168.1.25 keeps its address while roaming from AP1 (SSID guest, VLAN 100) to AP2 (SSID guest, VLAN 101).)



WLAN Design 7: Wireless Roaming Design
• A small- and medium-sized campus network has a small number of STAs. Therefore, Layer 2 roaming is recommended on such
a network. (An SSID corresponds to one service VLAN, and all users share one user gateway.)

• When more than 50 APs are deployed on a network or there are more than 1,000 STAs, Layer 3 roaming needs to be deployed.
(An SSID corresponds to different service VLANs.)

• 802.11r fast roaming supports an enhanced roaming mechanism based on device-pipe synergy when working with Huawei
terminals. This mechanism helps reduce the roaming handover delay and packet loss rate. Therefore, you are advised to enable
the mechanism when enabling 802.11r fast roaming.

• Description:
▫ Wireless roaming is supported only by APs at the same site.

▫ If the Layer 2 roaming domain is large, broadcast packets may be flooded. You are advised to rate limit broadcast packets on iMaster NCE-
Campus. By default, the rate limit for broadcast packets is 256 pps.

▫ Each AP supports only 64 Layer 3 roaming STAs. If there are a larger number of Layer 3 roaming STAs, roaming fails and STAs need to go offline
and then online again.

▫ When a STA roams at Layer 3, its traffic is detoured to the AP that the STA accesses for the first time or another AP in the same Layer 2 domain
as the AP that the STA accesses for the first time. Therefore, it is recommended that a large Layer 2 domain be planned for APs at the network
ingress to facilitate traffic detouring and load sharing after Layer 3 roaming.



Access Control Design — Typical Authentication Technology Comparison

Item | Portal Authentication | MAC Address Authentication | 802.1X Authentication
Client | No special requirements | No special requirements | Required
Advantage | Flexible deployment | No client required | High security
Disadvantage | Low security | MAC address registration required, making management complex | Inflexible deployment
Applicable scenario | Network authentication of guests who move frequently and use different types of terminals | Access authentication of dumb terminals such as printers and fax machines | Network authentication of office users with high security requirements



Access Control Design — Portal Authentication Used in Multiple Application Scenarios (1/2)

Authentication Mode | Feature | Dependency | Application Scenario

User name and password authentication | A user can use the user name and password created by the tenant administrator or register an account for access authentication. | - | • Authentication based on the user name and password created by an administrator is applicable to a fixed user group, for example, enterprise employees. • Authentication based on accounts registered by users is applicable to scenarios where the access permission of guests, such as membership, needs to be verified. The accounts registered by users need to be approved.

Anonymous authentication | Guests access the network without using any accounts. iMaster NCE-Campus automatically displays the login accounts of the guests as anonymous accounts. | - | This mode is applicable to open networks on which the Internet access service is provided for customers free of charge.

SMS authentication | A user enters a mobile number as the user name and clicks the button for obtaining an SMS password. The SMS server then sends a password to the user. The system automatically registers and authenticates the user name and password after the user enters the password. | An SMS server has been configured. | This mode is applicable to guest authentication. SMS authentication improves the validity of guest identities and enables merchants to obtain user information more conveniently so that they can interact with the guests.
Access Control Design — Portal Authentication Used in Multiple Application Scenarios (2/2)

Authentication Mode | Feature | Dependency | Application Scenario

Social media authentication | iMaster NCE-Campus interworks with the WeChat or Facebook platform, so that users can use their social media accounts and passwords to perform authentication on the service manager page without registering any new account. After being authenticated, users can access the network. | • For WeChat authentication, an enterprise has its own WeChat official account platform, which can communicate with iMaster NCE-Campus. • For Facebook authentication, an enterprise has applied for and obtained an independent Facebook account from Facebook. | • WeChat authentication is applicable to the scenario where shopping malls provide free Internet access services for guests who follow their public accounts. • Facebook authentication is applicable to shopping malls that provide free Internet access services for guests.

Passcode authentication | Users enter the passcode on the pushed page for access authentication. | - | This mode is simple and applicable to guest access in stores.



Access Control Design — Best Practices
(Figure: Internet, egress gateway, L2 switch, AP, a dumb terminal, an employee's terminal, and a guest's terminal.)

• Portal authentication is recommended for guests. Authentication points can be deployed on APs, ARs, or firewalls based on the networking requirements.

• Portal or 802.1X authentication can be selected for enterprise employees. It is recommended that access devices be selected as authentication points.

• Dumb terminals in enterprises are connected to the network in wired mode. MAC address authentication is recommended for these dumb terminals, and access switches can be selected as authentication points.



Access Control Design — Terminal Identification Methods (1/2)

To deploy the automatic terminal identification and policy delivery solution, the network administrator needs to design (1) terminal identification methods and (2) terminal policies.

Identification Method | Description | Applicable Scenario
MAC OUI | The first three bytes of a MAC address indicate vendor information. This method is inaccurate in most cases. | Identify the device vendor only
HTTP UserAgent | A browser's User Agent string contains the manufacturer, terminal type, operating system, browser type, and other information. | Mobile phones, tablets, PCs, workstations, intelligent audio/video terminals
DHCP Option | Some options of a terminal's DHCP packets can be used to classify terminals, for example, DHCP options 55, 60, and 12. | Mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers
LLDP | LLDPDUs carry device model information. | IP phones, IP cameras, network devices, etc.
mDNS | mDNS packets contain terminal model and service information. | Apple devices, printers, IP cameras, etc.

When terminals access the network, network devices can collect terminal information and report the information to iMaster NCE-Campus, which can automatically identify the type, operating system, and manufacturer of the terminals.
Access Control Design — Terminal Identification Methods (2/2)

Step 1: Analyze the network
1. Collect the types of terminals on the network, such as PCs, mobile phones, printers, IP cameras, and access control devices.
2. Check whether Portal authentication is deployed.
3. Check whether the IP addresses of terminals are assigned in DHCP or static mode.

Step 2: Traverse items one by one according to the following table
Based on the collected information, traverse the items listed in the following table and select the required terminal identification methods. All the identification methods that meet requirements must be enabled.

Identification Method | Identifiable Terminal Type | Application Scenario
MAC OUI | All IP terminals (identifying device manufacturers only) | General scenarios
HTTP UserAgent | Mobile phones, tablets, PCs, workstations, intelligent audio/video terminals | Portal authentication scenarios only
DHCP Option | Mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc. | Dynamic IP address assignment scenarios only
LLDP | IP phones, IP cameras, network devices, etc. | General scenarios
mDNS | Apple devices, printers, IP cameras, etc. | General scenarios

Step 3: Enable the terminal identification function

Identification Method | Enabled On | Other Functions
MAC OUI | Access switch and AP | -
HTTP UserAgent | Portal authentication device | -
DHCP Option | Access switch and AP | DHCP snooping for access switches. By default, DHCP snooping is enabled on APs.
LLDP | Access switch and AP | -
mDNS | Access switch and AP | mDNS snooping



Access Control Design — Terminal Policy

Step 1: Perform policy design.
• Enable automatic policy delivery based on terminal types to authorize policies depending on access authentication.
• Deploy access authentication on access switches and APs.
• Enable MAC address authentication on access switches and APs when dumb terminals are deployed.

Step 2: Enable the terminal identification function on the network.

Step 3: Sort out the types of terminals that require automatic policy delivery on the network, design corresponding authorization policies, and configure the policies on iMaster NCE-Campus.

Item | Access Policy | Authorization Policy
Operating system: Android | User access | Authorized ACL 1
Operating system: iOS | User access | Authorized ACL 2
Terminal type: printer | Automatic access | Authorized VLAN 10
Terminal type: IP camera | Automatic access | Authorized VLAN 20
Terminal type: IP phone | Automatic access | Authorized VLAN 30; DSCP 48
Terminal type: access control device | Automatic access | Authorized VLAN 40
Manufacturer: ABC | User access | Authorized ACL 100

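The three terminal slides above describe a pipeline: collect evidence (MAC OUI, DHCP options 60/55/12, HTTP User-Agent, LLDP, mDNS), infer vendor, type and operating system, then look up the authorization policy for that terminal. The code below is an added example written for this guide and is not iMaster NCE-Campus logic. The OUI table, the DHCP option 55 fingerprints, the vendor-class and LLDP keywords, and the four observations are constructed sample data; only the policy rows are taken from the terminal policy table on the slide. It also shows the caveat the slide makes about MAC OUI: on its own it yields a vendor, which is enough to hit the "Manufacturer: ABC" row but nothing more specific.

```python
"""Terminal identification from the evidence types on the identification slides (MAC
OUI, DHCP options 60/55/12, HTTP User-Agent, LLDP, mDNS) and lookup of the matching row
of the terminal policy table. Added example, not iMaster NCE-Campus logic; the OUI table,
DHCP fingerprints, keywords and observations are constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed vendor table keyed by OUI (the first three bytes of the MAC address).
OUI_VENDORS = {"aa:bb:01": "ABC", "aa:bb:02": "CamVendor", "aa:bb:03": "PhoneCo"}
# Constructed option 55 parameter-request-list fingerprints, keyed by the exact option order.
DHCP_FINGERPRINTS = {(1, 121, 3, 6, 15, 119, 252): ("iOS", "mobile phone"),
                     (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): ("Android", "mobile phone")}
# Policy rows from the terminal policy slide: (attribute, value, access policy, authorization).
POLICY_TABLE = [
    ("os", "Android", "User access", "Authorized ACL 1"),
    ("os", "iOS", "User access", "Authorized ACL 2"),
    ("ttype", "printer", "Automatic access", "Authorized VLAN 10"),
    ("ttype", "IP camera", "Automatic access", "Authorized VLAN 20"),
    ("ttype", "IP phone", "Automatic access", "Authorized VLAN 30; DSCP 48"),
    ("ttype", "access control device", "Automatic access", "Authorized VLAN 40"),
    ("vendor", "ABC", "User access", "Authorized ACL 100"),
]


@dataclass
class Observation:
    """What the access switch, AP or Portal device collected for one terminal."""
    mac: str
    dhcp_opt60: str = ""                                  # vendor class identifier
    dhcp_opt55: List[int] = field(default_factory=list)   # parameter request list
    dhcp_opt12: str = ""                                  # host name
    user_agent: str = ""                                  # seen only with Portal authentication
    lldp_sysdesc: str = ""                                # LLDP system description TLV
    mdns_services: List[str] = field(default_factory=list)


@dataclass
class Identity:
    vendor: str = "unknown"
    ttype: str = "unknown"
    os: str = "unknown"
    methods: List[str] = field(default_factory=list)      # evidence that contributed


def identify(obs: Observation) -> Identity:
    ident = Identity()
    oui = obs.mac.lower()[:8]
    if oui in OUI_VENDORS:                                # OUI gives the vendor only
        ident.vendor = OUI_VENDORS[oui]
        ident.methods.append("MAC OUI")
    if obs.dhcp_opt60 or obs.dhcp_opt55 or obs.dhcp_opt12:
        ident.methods.append("DHCP Option")
        vc = obs.dhcp_opt60.lower()
        if "ipphone" in vc or "voip" in vc:
            ident.ttype = "IP phone"
        elif "ipcam" in vc or "camera" in vc:
            ident.ttype = "IP camera"
        fp = DHCP_FINGERPRINTS.get(tuple(obs.dhcp_opt55))
        if fp:
            ident.os, ident.ttype = fp
        if ident.ttype == "unknown" and "printer" in obs.dhcp_opt12.lower():
            ident.ttype = "printer"
    if obs.user_agent:
        ident.methods.append("HTTP UserAgent")
        ua = obs.user_agent
        if "iPhone" in ua or "iPad" in ua:
            ident.os, ident.ttype = "iOS", "mobile phone"
        elif "Android" in ua:
            ident.os, ident.ttype = "Android", "mobile phone"
        elif "Windows" in ua:
            ident.os, ident.ttype = "Windows", "PC"
    if obs.lldp_sysdesc:
        ident.methods.append("LLDP")
        sd = obs.lldp_sysdesc.lower()
        if "phone" in sd:
            ident.ttype = "IP phone"
        elif "camera" in sd:
            ident.ttype = "IP camera"
        elif "switch" in sd or "router" in sd:
            ident.ttype = "network device"
    if obs.mdns_services:
        ident.methods.append("mDNS")
        if any(s in ("_ipp._tcp", "_printer._tcp") for s in obs.mdns_services):
            ident.ttype = "printer"
    return ident


def policy_for(ident: Identity) -> Optional[Tuple[str, str]]:
    """First matching row wins, in the table's order (OS rows before the vendor row)."""
    for attr, value, access, auth in POLICY_TABLE:
        if getattr(ident, attr) == value:
            return access, auth
    return None     # no automatic policy; the terminal keeps the result of access authentication


# Constructed observations.
CAMERA = Observation("aa:bb:02:10:20:30", dhcp_opt60="IPCAM-1000", lldp_sysdesc="Network Camera v2")
PHONE = Observation("aa:bb:03:40:50:60", dhcp_opt55=[1, 121, 3, 6, 15, 119, 252],
                    user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)")
PRINTER = Observation("00:11:22:33:44:55", mdns_services=["_ipp._tcp"])
ABC_DEVICE = Observation("aa:bb:01:01:02:03")            # only the OUI is known

if __name__ == "__main__":
    for obs in (CAMERA, PHONE, PRINTER, ABC_DEVICE):
        ident = identify(obs)
        print(obs.mac, ident, policy_for(ident))
```

Because the table is searched in order, an Android phone from vendor ABC receives ACL 1, not ACL 100; when several rows can match one terminal, the order of the rows on iMaster NCE-Campus decides which authorization is delivered, so it should be reviewed as part of the policy design step.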


Quiz
1. With Huawei WLAN Planner, users can complete WLAN planning by following some simple steps. Which of the following steps are included?

A. Environment and area settings

B. Device deployment

C. Signal simulation

D. Report export

E. Configuration delivery

2. Which of the following functions are also supported by the CloudCampus APP?

A: Deployment

B: Onsite acceptance

C: O&M

D: Site survey
Quiz
3. What are the advantages of MAC address authentication?

A: Authentication packets and data packets are separately transmitted through logical interfaces.

B: If terminals (including dumb terminals such as printers and fax machines) fail to be authenticated using 802.1X authentication, they can be authenticated through MAC address authentication.

C: A user does not need to enter a user name and password for MAC address authentication.

D: In the CloudCampus Solution, the intelligent terminal identification function can be used to eliminate the need to manually record terminals' MAC addresses.



QoS Design — Rate Limiting
The CloudCampus Solution for small- and medium-sized campus networks supports the following rate limiting modes:

Per-user rate limiting
(Figure: employee terminals and customer terminals each receive their own rate limit toward the Internet.)
This mode is applicable to the scenario where an administrator wants to perform refined control over the traffic of each user. For example, the administrator assigns different bandwidths for VIP users, enterprise employees, and guests.

SSID-based rate limiting
(Figure: employee terminals on SSID1 have unlimited bandwidth; customer terminals on SSID2 are limited to a bandwidth below 20 Mbit/s.)
This mode is applicable to the scenario where an administrator performs comprehensive management and control over traffic of all users connected to a specific service. For example, the administrator limits the maximum bandwidth for all guests to 20 Mbit/s.

ACL-based rate limiting
(Figure: FTP application traffic is rate-limited on its way to the Internet.)
This mode is applicable to the scenario where an administrator manages and controls the traffic that meets specific characteristics. For example, the administrator rate-limits FTP traffic on the network.



QoS Design — Wireless QoS (Wireless Queue Mapping)
On a WLAN, user traffic of different services is mapped to different queues based on the priority configured for each service. This ensures that services that are sensitive to network parameters, such as voice and video services, can be preferentially scheduled.

Modifying DSCP priorities based on application types
Example: Re-mark DSCP priorities after a device identifies the audio and video services.

Re-marking DSCP priorities of packets based on user groups
Example: Re-mark the DSCP priority for users in a VIP group.



Security Design — Basic Concepts (Security Policy)
(Figure: the firewall sits between the external network (Internet) and the intranet, where PC1 has address 192.168.1.1/24. The security policy controls traffic forwarding and controls content security monitoring.)

The firewall can identify traffic attributes and match the attributes with security policy conditions. If all the conditions are met, the traffic matches the security policy. The firewall then applies the action defined in the matching security policy to the traffic.

• If the action is permit, the firewall checks the traffic content, and determines whether to permit the traffic based on content security detection results.
• If the action is deny, the firewall does not allow the traffic to pass through.

Integrated content security detection uses the intelligent awareness engine to detect and process the content of a flow, implementing content security functions including antivirus, intrusion prevention, URL filtering, DNS filtering, file filtering, content filtering, application behavior control, mail filtering, and Advanced Persistent Threat (APT) defense. This ensures network security.

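The matching logic described above (every condition of a rule must hold, the first matching rule's action applies, a permit still hands the flow to content security detection, and unmatched traffic is denied) is easy to get subtly wrong in a rule base, so it helps to see it as code. The evaluator below is an added example for this guide, not Huawei firewall code. The zone names, the rule set, the sample flows and the stand-in for the awareness engine's verdict are constructed; the intranet address 192.168.1.0/24 follows the slide's figure.

```python
"""First-match security policy evaluation as described on the security policy slide.
Added example, not Huawei firewall code; zones, rules, flows and the content-security
stand-in are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    dst_ports: Tuple[int, ...] = ()    # empty tuple = any destination port
    content_profile: bool = False      # permitted traffic is handed to content security detection

    def matches(self, f: Flow) -> bool:
        """All conditions must hold for the flow to match this rule."""
        return (self.src_zone in ("any", f.src_zone)
                and self.dst_zone in ("any", f.dst_zone)
                and ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", f.proto)
                and (not self.dst_ports or f.dst_port in self.dst_ports))


DEFAULT_POLICY = Rule("default", "deny")     # traffic that matches no rule is dropped


def evaluate(rules: List[Rule], f: Flow, content_clean: Callable[[Flow], bool]) -> Tuple[str, str]:
    """Return (verdict, rule name). content_clean stands in for the awareness engine's result."""
    for r in list(rules) + [DEFAULT_POLICY]:
        if not r.matches(f):
            continue
        if r.action == "deny":
            return "deny", r.name
        if r.content_profile and not content_clean(f):
            return "deny", "content-security"
        return "permit", r.name
    return "deny", DEFAULT_POLICY.name        # not reached: the default rule matches everything


# Constructed rule set for the slide's topology: intranet 192.168.1.0/24 behind the firewall.
RULES = [
    Rule("block-smb-outbound", "deny", "trust", "untrust", proto="tcp", dst_ports=(445,)),
    Rule("intranet-web", "permit", "trust", "untrust", "192.168.1.0/24", proto="tcp",
         dst_ports=(80, 443), content_profile=True),
    Rule("intranet-dns", "permit", "trust", "untrust", "192.168.1.0/24", proto="udp",
         dst_ports=(53,)),
]

# Constructed flows (documentation address ranges for the Internet side).
WEB = Flow("trust", "untrust", "192.168.1.1", "203.0.113.10", "tcp", 443)
SMB = Flow("trust", "untrust", "192.168.1.1", "203.0.113.10", "tcp", 445)
DNS = Flow("trust", "untrust", "192.168.1.1", "203.0.113.53", "udp", 53)
INBOUND_SSH = Flow("untrust", "trust", "198.51.100.7", "192.168.1.1", "tcp", 22)


def verdicts(flagged: Set[Flow]) -> List[Tuple[str, str]]:
    """Evaluate the sample flows; `flagged` simulates flows the content engine found malicious."""
    return [evaluate(RULES, f, lambda x: x not in flagged) for f in (WEB, SMB, DNS, INBOUND_SSH)]


if __name__ == "__main__":
    for f, v in zip((WEB, SMB, DNS, INBOUND_SSH), verdicts({WEB})):
        print(f"{f.src_zone}->{f.dst_zone} {f.src_ip}->{f.dst_ip}:{f.dst_port}/{f.proto}: {v}")
```

Two points the example makes visible: the order of rules matters (a broad permit placed above `block-smb-outbound` would silence it), and a permit with a content security profile attached is only provisional until the awareness engine returns its verdict.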


Security Design — Intranet Security (Wired Network) (1/2)

Broadcast storm control
(Figure: BUM traffic arriving at an L2 switch is held down by broadcast storm suppression.)
On downlink interfaces of the access layer, configure suppression of broadcast, unknown unicast, and multicast (BUM) packets to effectively reduce broadcast storms.

DHCP snooping
(Figure: the L2 switch accepts the valid DHCP response from the DHCP server on its trusted interface and discards the invalid DHCP response arriving on an untrusted interface.)
When DHCP snooping is enabled, the interface directly or indirectly connected to a trusted DHCP server needs to be configured as a trusted interface, and other interfaces are configured as untrusted interfaces. This ensures that DHCP clients can obtain IP addresses only from the authorized DHCP server.



Security Design — Intranet Security (Wired Network) (2/2)

IP source guard (IPSG) and dynamic ARP inspection (DAI)
(Figure: a forger sends bogus traffic to the L2 switch while an authorized user is connected.)
IPSG prevents unauthorized hosts from accessing or attacking the network through IP addresses of authorized hosts or through specified IP addresses. A device with DAI enabled matches the source IP address, source MAC address, interface, and VLAN ID in an ARP packet against a binding table, and then discards invalid ARP packets after detecting them.

Port isolation
(Figure: Guest 1 and Guest 2 on the same L2 switch are separated by port isolation.)
You are advised to configure port isolation on the interfaces connecting the access switch to terminals. This configuration secures user communication and prevents invalid broadcast packets from affecting user services.

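DHCP snooping, IPSG and DAI on the two slides above are one mechanism seen from three sides: snooping accepts DHCP server replies only on the trusted interface and records a binding of (IP address, MAC address, interface, VLAN) for each lease, and IPSG and DAI then check the source fields of IP and ARP packets against that table. The simulation below is an added example written for this guide, not switch firmware; the interface names, addresses and packet sequence are constructed. It also covers the caveat that follows from the IP address assignment slide: terminals on static addresses never go through DHCP, so they need a static binding or their traffic is dropped.

```python
"""Simulation of the access-switch protections on the two wired intranet security slides,
added as an example (not switch firmware): DHCP snooping trusts server replies only on the
trusted interface and builds a binding table; IPSG checks IP packets and DAI checks ARP
packets against that table on (IP, MAC, interface, VLAN). All names, addresses and packets
are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Binding = Tuple[str, str, int]      # (mac, interface, vlan) learned for one IP address


@dataclass
class AccessSwitch:
    trusted: Set[str]                                                  # interfaces toward the authorized DHCP server
    bindings: Dict[str, Binding] = field(default_factory=dict)         # keyed by client IP
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # client MAC -> (interface, vlan)
    log: List[str] = field(default_factory=list)

    # --- DHCP snooping --------------------------------------------------------
    def dhcp_request(self, iface: str, client_mac: str, vlan: int) -> None:
        """A DISCOVER/REQUEST from a client: remember where the client is connected."""
        self.pending[client_mac] = (iface, vlan)

    def dhcp_reply(self, iface: str, server_ip: str, client_mac: str, client_ip: str) -> bool:
        """An OFFER/ACK: accepted only on a trusted interface, then recorded as a binding."""
        if iface not in self.trusted:
            self.log.append(f"DHCP snooping: dropped reply from {server_ip} on untrusted {iface}")
            return False
        if client_mac not in self.pending:
            self.log.append(f"DHCP snooping: reply for unknown client {client_mac} ignored")
            return False
        c_iface, c_vlan = self.pending.pop(client_mac)
        self.bindings[client_ip] = (client_mac, c_iface, c_vlan)
        return True

    def add_static_binding(self, ip: str, mac: str, iface: str, vlan: int) -> None:
        """Servers and printers use static addresses, so they need bindings entered by hand."""
        self.bindings[ip] = (mac, iface, vlan)

    # --- IPSG and DAI share the same four-tuple check --------------------------
    def _bound(self, ip: str, mac: str, iface: str, vlan: int) -> bool:
        return self.bindings.get(ip) == (mac, iface, vlan)

    def ip_packet(self, iface: str, src_mac: str, src_ip: str, vlan: int) -> bool:
        """IPSG: forward an IP packet only if its source matches a binding on this interface."""
        ok = self._bound(src_ip, src_mac, iface, vlan)
        if not ok:
            self.log.append(f"IPSG: dropped packet from {src_ip}/{src_mac} on {iface} vlan {vlan}")
        return ok

    def arp_packet(self, iface: str, sender_mac: str, sender_ip: str, vlan: int) -> bool:
        """DAI: forward an ARP packet only if its sender fields match a binding on this interface."""
        ok = self._bound(sender_ip, sender_mac, iface, vlan)
        if not ok:
            self.log.append(f"DAI: dropped ARP from {sender_ip}/{sender_mac} on {iface} vlan {vlan}")
        return ok


def run_scenario() -> Tuple[AccessSwitch, List[bool]]:
    """Constructed sequence: a legitimate lease, an unauthorized DHCP reply, then the forger's traffic."""
    sw = AccessSwitch(trusted={"GE0/0/24"})                # uplink toward the authorized DHCP server
    sw.dhcp_request("GE0/0/1", "aa:aa:aa:00:00:01", 10)   # authorized user asks for a lease
    results = [
        sw.dhcp_reply("GE0/0/24", "10.1.1.254", "aa:aa:aa:00:00:01", "10.1.1.10"),  # valid: trusted interface
        sw.dhcp_reply("GE0/0/2", "10.1.1.99", "aa:aa:aa:00:00:01", "10.1.1.66"),    # invalid: untrusted interface
        sw.ip_packet("GE0/0/1", "aa:aa:aa:00:00:01", "10.1.1.10", 10),              # authorized user's traffic
        sw.ip_packet("GE0/0/2", "aa:aa:aa:00:00:01", "10.1.1.10", 10),              # forger on another port, same IP/MAC
        sw.arp_packet("GE0/0/2", "bb:bb:bb:00:00:02", "10.1.1.254", 10),            # ARP claiming the gateway address
    ]
    sw.add_static_binding("10.1.1.50", "cc:cc:cc:00:00:03", "GE0/0/3", 10)          # printer on a static address
    results.append(sw.arp_packet("GE0/0/3", "cc:cc:cc:00:00:03", "10.1.1.50", 10))   # printer's ARP passes
    return sw, results


if __name__ == "__main__":
    switch, outcome = run_scenario()
    print(outcome)
    print("\n".join(switch.log))
```

The log lines are the detection side of these features: each drop names the feature, the claimed address and the interface, which is what an administrator needs to find the offending port.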


Security Design — Intranet Security (Wireless Network): Wireless Air Interface Security

WIDS and WIPS
(Figure: rogue device detection and containment covers ad-hoc devices, rogue STAs, rogue APs, and rogue bridges.)
WIDS and WIPS can be enabled to prevent intrusion of unauthorized devices or interference devices, so as to detect and contain rogue devices on the network.

Attack detection
(Figure: STA, AP, AC, and AAA server; access authentication, link encryption, policy control, and attack detection and prevention are applied along the path.)
To prevent attacks, you are advised to enable the attack detection function in public areas and primary/secondary education scenarios with high security requirements to detect flood, weak-vector, and spoofing attacks, automatically add attackers to the dynamic blacklist, and send alarms to notify the administrator.



Security Design — Intranet Security (Wireless Network):
Terminal Access Security
Four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). Each security policy has a series of security mechanisms, including link authentication used to establish a wireless link, user authentication used when users attempt to connect to a wireless network, and data encryption used during data transmission.

Security Mechanism | Characteristics
WEP | The same static key needs to be preconfigured on the server and client. Both the encryption mechanism and the encryption algorithm are vulnerable to security threats. Therefore, this authentication mode is not recommended.
WPA/WPA2 | WPA and WPA2 provide almost the same level of security. WPA/WPA2 has two editions: enterprise edition and personal edition. • WPA/WPA2 in enterprise edition requires an authentication server and is recommended for employee access on medium- and large-sized campus networks. • WPA/WPA2 in personal edition does not require an authentication server and is recommended for guest access on medium- and large-sized campus networks. WPA/WPA2-Private PSK (PPSK) enhances network security while preserving convenience.
WAPI | WAPI is a WLAN security standard proposed in China and provides higher security than WEP and WPA.

For example, in an enterprise, the following access authentication modes can be used:
• Enterprise employees: WPA/WPA2-802.1X authentication
• Guests: WPA/WPA2-PPSK or Portal authentication
• Dumb terminals: MAC address authentication
In addition, if users do not need to communicate with each other, it is recommended that user isolation be configured.



Openness and Ecosystem
(Figure: layered architecture, listed from top to bottom.)

Cooperation scenarios: customer group analysis and ELS (chain stores & supermarkets); asset management (enterprises); student health management and smart classroom (primary/secondary education)

SaaS platform: industries (chain stores & supermarkets, enterprises, primary/secondary education); partners (see details on Huawei official websites)

APIs: authorization information, Portal & AAA, resource management, network configuration, network performance, network alarm, terminal location, terminal status, grouped into the infrastructure API, VAS API, third-party authentication API, and LBS API

Cloud management platform: API orchestration framework; unified controller platform

Tenant network



Contents
1. Service Requirements and Challenges of Small- and Medium-Sized
Campus Networks

2. Introduction to Huawei CloudCampus Solution

3. Huawei CloudCampus Solution Design for Small- and Medium-Sized Campus Networks

4. Typical Industry Application Scenarios



Retail Industry Scenario 1 — Small Chain Stores
(Figure: small chain supermarket stores 1 to N, each with POS machines, mobile phones, and barcode scanners, connected over the Internet; services include advertisement push and ELS.)

Customer requirements
• Quick rollout of widely distributed new chain stores
• No professional O&M personnel, difficult to locate faults in a short period of time
• Manual replacement of paper shelf labels in stores, which is slow and error-prone

Solutions
• Deployment by scanning barcodes enables wireless networks to go online in minutes, and iMaster NCE-Campus implements one-stop management from deployment to O&M. Customized advertisement push pages are configured for guests who connect to the network through Portal authentication.
• IoT APs provide built-in IoT slots to implement IoT & Wi-Fi convergence and co-site deployment. ELSs interconnect with management and ERP systems of supermarkets to dynamically display prices and implement interactive functions such as real-time price change and out-of-stock warning.
• Information about wireless terminals such as barcode scanners can be imported in batches, implementing access of massive terminals quickly.

Customer benefits
• IoT & Wi-Fi convergence deployment and unified planning, saving investments
• Real-time or periodic update of ESLs, ensuring fast response, eliminating errors, and reducing costs



Retail Industry Scenario 2 — Medium-Sized Stores
(Figure: medium-sized stores 1 to N, each with POS machines, mobile phones, barcode scanners, and cameras, connected over the Internet to a big data platform; services include customer flow analysis, digital screen, video surveillance, energy efficiency management, ELS, and heat map analysis.)

Customer requirements
• Support various types of wireless terminals and diversified applications
• Effectively support sales growth and bring business benefits
• Save labor costs

Solutions
• Firewalls function as egress gateways. Switches and APs provide wired and wireless network access, and the switches supply power to APs and terminals.
• The wireless network reports information to the big data platform in real time. iMaster NCE-CampusInsight then analyzes customers' preferences and habits, accurately pushes advertisements to customers, and assists in goods display.
• The digital screen displays discount information in real time for customers, and online price comparison and self-service checkout are supported.

Customer benefits
• Access devices supply power to cameras, reducing cabling costs. Video surveillance ensures property security.
• iMaster NCE-CampusInsight helps customers make operation decisions, improve sales performance, and enhance customer loyalty through precision pushing.



Retail Industry Scenario 3 — Large Shopping Malls

Customer requirements (applications: asset management, store navigation, customer flow analysis, car seeking)

• Unified management of wired and wireless devices, meeting the access requirements of different types of terminals and simplifying O&M
• Car seeking mechanism in large shopping malls, improving the shopping experience

Solutions

• Core switches, access switches, and APs are managed in a unified manner, meeting the bandwidth requirements even in scenarios of burst traffic.
• Portal, SMS, social media, and MAC address authentication modes are supported to ensure access security of dumb terminals (including phones, printers, and cameras).
• On a WLAN, APs collect and report RSSI information about terminals to the RTLS. The RTLS then uses the established fingerprint database to calculate the locations of terminals and provide services such as car seeking and store navigation.

Customer benefits

• Simplify management and require no O&M professionals.
• Improve users' shopping experience, implement precision marketing, and ensure the security and control of important assets.

(Figure: large shopping mall connected to the Internet, with a shopping area, a parking lot area, and an office area; terminals include POS machines, mobile phones, barcode scanners, and cameras)
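The RTLS bullet above describes fingerprint-based positioning: each AP reports the RSSI at which it hears a terminal, and the RTLS compares the resulting RSSI vector with a database of vectors recorded at known reference points during the site survey. The following Python is an added example of that matching step using a weighted k-nearest-neighbour estimate; it is not Huawei RTLS code, and the AP names, reference points, RSSI values, the -95 dBm floor for an AP that did not hear the terminal, and the sample reports are all constructed assumptions. Reports from APs that are not in the fingerprint database are discarded, so an unregistered radio cannot skew the estimate.

```python
"""Fingerprint-based RTLS location estimate from AP-reported RSSI.

Added example (not Huawei RTLS code). All AP names, reference points and
RSSI values below are constructed sample data.
"""
from collections import defaultdict
from math import sqrt
from typing import Dict, Iterable, Tuple

Point = Tuple[float, float]
Sample = Dict[str, float]          # ap_id -> RSSI in dBm

# Constructed fingerprint database: the RSSI vector recorded at each reference
# point (x, y in metres) during the site survey, i.e. the "established
# fingerprint database" the text refers to.
FINGERPRINTS: Dict[Point, Sample] = {
    (0.0, 0.0):   {"AP-1": -40, "AP-2": -70, "AP-3": -75},
    (10.0, 0.0):  {"AP-1": -55, "AP-2": -50, "AP-3": -72},
    (0.0, 10.0):  {"AP-1": -58, "AP-2": -73, "AP-3": -52},
    (10.0, 10.0): {"AP-1": -68, "AP-2": -60, "AP-3": -58},
}
KNOWN_APS = {ap for fp in FINGERPRINTS.values() for ap in fp}
MISSING_RSSI = -95.0  # assumed floor for an AP that did not hear the terminal


def build_samples(reports: Iterable[Tuple[str, str, float]]) -> Dict[str, Sample]:
    """Group (ap_id, terminal_mac, rssi) reports into one RSSI vector per terminal.

    Reports from APs absent from the fingerprint database are ignored: a radio
    the survey never recorded cannot be matched and must not skew the result.
    A later report for the same AP overwrites an earlier one (most recent wins).
    """
    samples: Dict[str, Sample] = defaultdict(dict)
    for ap_id, mac, rssi in reports:
        if ap_id in KNOWN_APS:
            samples[mac][ap_id] = float(rssi)
    return dict(samples)


def rssi_distance(sample: Sample, fingerprint: Sample) -> float:
    """Euclidean distance in RSSI space over the union of known and reported APs."""
    aps = KNOWN_APS | set(sample)
    return sqrt(sum(
        (sample.get(ap, MISSING_RSSI) - fingerprint.get(ap, MISSING_RSSI)) ** 2
        for ap in aps))


def locate(sample: Sample, k: int = 3) -> Point:
    """Weighted k-nearest-neighbour estimate: the k reference points closest in
    RSSI space, weighted by 1/distance so an exact fingerprint match dominates."""
    ranked = sorted((rssi_distance(sample, fp), pt) for pt, fp in FINGERPRINTS.items())[:k]
    weights = [1.0 / (d + 1e-6) for d, _ in ranked]
    total = sum(weights)
    x = sum(w * pt[0] for w, (_, pt) in zip(weights, ranked)) / total
    y = sum(w * pt[1] for w, (_, pt) in zip(weights, ranked)) / total
    return (round(x, 2), round(y, 2))


if __name__ == "__main__":
    # Constructed AP reports for two terminals; AP-9 was never surveyed.
    reports = [
        ("AP-1", "f0:00:00:00:00:01", -55), ("AP-2", "f0:00:00:00:00:01", -50),
        ("AP-3", "f0:00:00:00:00:01", -72), ("AP-9", "f0:00:00:00:00:01", -30),
        ("AP-1", "f0:00:00:00:00:02", -47.5), ("AP-2", "f0:00:00:00:00:02", -60),
        ("AP-3", "f0:00:00:00:00:02", -73.5),
    ]
    for mac, sample in build_samples(reports).items():
        print(mac, "->", locate(sample))
```

The first constructed terminal matches the (10, 0) fingerprint exactly and is placed there; the second sits halfway between two reference points in RSSI space and lands near (6, 2) because the third neighbour also contributes. Real deployments average several reports per AP and age out stale ones before matching, which this example leaves out.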



Primary/Secondary Education Campus

Customer requirements (applications: attendance management, asset management, health monitoring, personnel tracking)

• Implement multi-level and multi-domain management and centralized management and O&M of schools in a region, requiring a visualized, easy-to-understand, and easy-to-operate management platform.
• Meet wireless coverage requirements in multiple campus scenarios and implement flexible authentication and accounting based on roles.
• Implement smart classrooms to improve the teaching experience, and provide unified management of value-added services such as student health monitoring, electronic attendance, and asset management.

Solutions

• In the Huawei public cloud scenario, unified management is implemented. The education bureau serves as the tenant to perform multi-level and multi-domain management for schools.
• Various AP models are provided to meet wireless access requirements in multiple scenarios, such as classrooms, dormitories, auditoriums, and stadiums.
• APs provide IoT slots for IoT & Wi-Fi convergence. In addition, network data is reported to the big data analytics platform in real time to implement various digital service applications.

Customer benefits

• Devices are plug-and-play and networks are deployed remotely, reducing deployment costs. Servers such as the network management system (NMS) do not need to be deployed locally, reducing investment costs.
• The cloud platform provides various northbound APIs to connect to multiple applications, facilitating on-demand subscription.

(Figure: education MAN connecting primary and secondary schools, School 1 to School N, each with mobile phones, wristbands, cameras, and PCs)
Quiz

1. In the Huawei public cloud scenario, DHCP options cannot be configured on the network. Which deployment mode is recommended?

A. CloudCampus APP
B. Registration center
C. Web system
D. CLI

2. Which terminal identification methods can be used in portal authentication scenarios only?

A. MAC OUI
B. HTTP UserAgent
C. DHCP Option
D. LLDP



Summary (1/2)
• Small- and medium-sized campus networks are sensitive to CAPEX and OPEX. Therefore, the public cloud management mode is recommended. In this mode, the SaaS service provided by Huawei or MSPs is used to manage small- and medium-sized campus networks.
• Networking solutions include:
  ▫ Single device (AP, AR, or FW)
  ▫ AR + AP, Firewall + AP
  ▫ AR + L2 Switch + AP, Firewall + L2 Switch + AP
• Four account levels are supported: platform operator, MSP, tenant, and end user
• Site Design: Physical Network Design (Egress Gateway, Core and Aggregation Layer, Access Layer, Reliability)
• Network Deployment Design: Deployment Modes
  ▫ CloudCampus APP, registration center, web system
  ▫ Through CLI
  ▫ Through DHCP Option 148



Summary (2/2)

• Basic Service Design: VLAN, IP Address Planning, Routing Design
• WLAN Design: WLAN Planner, Leader AP, Radio Calibration, AP Grouping Design, Channel and Frequency Bandwidth Selection, Wireless Roaming
• Access Control Design: Typical Authentication Technology Comparison, Portal Authentication Scenarios, Access Control Design Best Practices
• Terminal Identification Methods: Terminal Policy
• QoS Design — Rate Limiting, Wireless QoS (Wireless Queue Mapping)
• Security Design — Basic Concepts (Security Policy), Intranet Security (Wired Network), Intranet Security (Wireless Network)
• Typical Industry Application Scenarios
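The access control and terminal identification items above cover four identification sources (MAC OUI, HTTP User-Agent, DHCP option, LLDP) and the terminal policy that acts on the result. The following Python is an added example, not Huawei's terminal policy code, showing how those sources can be combined into one classification that selects a VLAN and an authentication mode; every OUI, vendor class string, LLDP description, User-Agent pattern and policy value in it is a constructed assumption. Each source needs a different observation: the OUI is present in every frame, DHCP Option 60 appears only in the DHCP exchange, LLDP comes from a wired neighbour announcement, and the User-Agent is available only when an HTTP request from the terminal reaches the network device.

```python
"""Terminal identification from several evidence sources, then policy choice.

Added example; this is not Huawei's terminal policy implementation. The OUI
table, DHCP vendor class strings, LLDP descriptions, User-Agent patterns and
the per-type policies are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed lookup tables; in a deployment these come from the terminal policy.
OUI_TYPES: Dict[str, str] = {
    "00:11:22": "printer",   # fictitious printer vendor OUI
    "AA:BB:CC": "camera",    # fictitious camera vendor OUI
}
DHCP_VENDOR_CLASS_TYPES: Dict[str, str] = {  # DHCP Option 60 prefixes
    "MSFT 5.0": "pc",
    "android-dhcp": "phone",
}
LLDP_TYPES: Dict[str, str] = {  # substrings of the LLDP System Description TLV
    "IP Phone": "ip-phone",
    "Network Camera": "camera",
}
USER_AGENT_TYPES: Dict[str, str] = {  # substrings of the HTTP User-Agent header
    "iPhone": "phone",
    "Android": "phone",
    "Windows NT": "pc",
}
# Constructed per-type policies: VLAN, authentication mode, optional rate limit.
# An unidentified terminal is restricted rather than given an open policy.
POLICIES: Dict[str, Dict[str, object]] = {
    "camera":   {"vlan": 30, "auth": "mac", "rate_limit_kbps": 8000},
    "printer":  {"vlan": 30, "auth": "mac", "rate_limit_kbps": 2000},
    "ip-phone": {"vlan": 40, "auth": "mac"},
    "phone":    {"vlan": 20, "auth": "portal"},
    "pc":       {"vlan": 10, "auth": "802.1x"},
    "unknown":  {"vlan": 99, "auth": "portal", "rate_limit_kbps": 512},
}


@dataclass
class Evidence:
    """What the access network may have observed about one terminal."""
    mac: str
    lldp_sysdesc: Optional[str] = None       # from an LLDP neighbour (wired)
    dhcp_option60: Optional[str] = None      # vendor class identifier
    http_user_agent: Optional[str] = None    # only seen when HTTP is intercepted


def identify(ev: Evidence) -> Tuple[str, str]:
    """Return (terminal_type, method). More specific evidence is consulted
    before the OUI, which only tells you the NIC vendor."""
    if ev.lldp_sysdesc:
        for needle, ttype in LLDP_TYPES.items():
            if needle in ev.lldp_sysdesc:
                return ttype, "lldp"
    if ev.dhcp_option60:
        for prefix, ttype in DHCP_VENDOR_CLASS_TYPES.items():
            if ev.dhcp_option60.startswith(prefix):
                return ttype, "dhcp-option"
    if ev.http_user_agent:
        for needle, ttype in USER_AGENT_TYPES.items():
            if needle in ev.http_user_agent:
                return ttype, "http-user-agent"
    oui = ev.mac.upper()[:8]
    if oui in OUI_TYPES:
        return OUI_TYPES[oui], "mac-oui"
    return "unknown", "none"


def policy_for(ev: Evidence) -> Dict[str, object]:
    """Classify the terminal and attach the policy for its type."""
    ttype, method = identify(ev)
    return {"type": ttype, "method": method, **POLICIES[ttype]}


if __name__ == "__main__":
    # Constructed observations for four terminals.
    for ev in (
        Evidence("aa:bb:cc:00:00:01"),
        Evidence("11:22:33:00:00:02", dhcp_option60="MSFT 5.0"),
        Evidence("11:22:33:00:00:03",
                 http_user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"),
        Evidence("11:22:33:00:00:04"),
    ):
        print(ev.mac, policy_for(ev))
```

The ordering in identify() is a design choice: an LLDP or DHCP match is treated as more specific than the OUI, which identifies only the NIC vendor, and a terminal that matches nothing falls back to a restricted VLAN with portal authentication and a low rate limit. Since every one of these sources is reported by the terminal itself, the policy attached to a "camera" or "printer" classification should stay limited to what such a device needs.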



Thank You
www.huawei.com

