Huawei SD-WAN Solution Dual-Hub Scenario Demo Introduction4
V100R020C00
Demo Introduction
Security Level:
Contents
3 Demo Case
Intent-Driven SD-WAN Solution Architecture
[Figure: solution architecture diagram. Labels: Tenant/Carrier portal; RESTful; iMaster NCE (northbound network service layer: VPN, traffic steering, QoS, security, and WOC; network management; control plane; CPE-VIM O&M; southbound NE layer); underlay; Internet; MPLS VPN; public cloud; DC/private cloud; branch/campus; RR; CPE; vCPE; traditional L3 CPE; IWG.]

Component: Function

iMaster NCE:
1. Network service orchestration
2. NE control
3. Basic network O&M
4. CPE orchestration and management
5. Basic performance monitoring: real-time multi-dimensional statistics such as link quality information, application quality information, traffic information, and intra-site and inter-site statistics

RR: VPN routing and tunnel information distribution between CPEs based on VPN topology policies. Physical AR routers or vCPEs can function as RRs. RRs can be deployed independently or together with CPEs at a site.

CPE: Egress CPE of a site, which can be a traditional CPE or an NFV vCPE.

IWG: Multi-tenant gateway that can be interconnected with the MPLS PE.

Note: vCPEs are restricted for sales and currently can only be used in testing.
Huawei SD-WAN: Accelerating Cloudification of Carriers' B2B Services and Enterprise Services
Intent-Driven SD-WAN Solution V100R020C00
Horizontal WAN solution
Note: The components in the red-framed box are used in the demo.
DemoCloud Environment
[Figure: five site topologies managed by iMaster NCE, each showing a site and its LAN-side devices.]

• In this scenario, a single device is deployed at the site. The corresponding DemoCloud environments are as follows: SD-WAN-Topo1(Single-user), SD-WAN-Topo2(Single-user), SD-WAN-Topo3(Single-user), SD-WAN-Topo4(Single-user)
• In this scenario, two devices and two WAN links are deployed at a site. The corresponding DemoCloud environments are as follows: SD-WAN-Topo6(Single-user)
• In this scenario, two devices and three WAN links are deployed at a site. The corresponding DemoCloud environments are as follows: SD-WAN-Topo5-1~8(Multi-User), SD-WAN-Topo5-1~3(View)
• In this scenario, the hub-spoke two-layer network (for financial services) is used. The corresponding DemoCloud environment is as follows: SD-WAN-Topo7(Single-user)
• In this scenario, the hub-border-spoke three-layer network (for financial services) is used. The corresponding DemoCloud environment is as follows: SD-WAN-Topo8(Single-user)
Note: The information in red indicates the SD-WAN environment name in DemoCloud.
• The Multi-User environment is shared by multiple users in a physical environment. Most cases in this scenario can be experienced.
• The Single-User environment is a dedicated environment. Users can use a single physical environment and experience all cases in this scenario.
• The View environment is a shared view environment, which provides only the service view function.
DemoCloud SD-WAN Use Cases

Scenarios (DemoCloud environment type):
• Scenario 1: Single-Gateway Networking (Single-user)
• Scenario 2: Dual-Gateway&WAN Links Networking (Single-user)
• Scenario 3: Dual-Gateway&Multi WAN Links Networking (Multi-User, View-Only)
• Scenario 4: Dual-Hub Flattened Networking (Single-user)
• Scenario 5: Dual-Hub Hierarchical Networking (Single-user)

DemoCloud Use Cases:
• Network deployment (ZTP): Email-based deployment; DHCP-based deployment
• Service access
• Application experience: Application-based intelligent traffic steering; Intelligent traffic steering and automatic switchover; Intelligent traffic steering based on load balancing; A-FEC; Local breakout
• O&M management: Visualized monitoring; GIS-based monitoring; Real-time fault alarm; Role-based access control (RBAC)
• Reliability: CPE redundancy; Dual hubs for load balancing
Demo Environment and Nodes of the Dual-Hub Flattened Networking (Topo7)
[Figure: Topo7 topology. Labels: DC1, DC2, PC1, PC2, SW1, SW2, RT1, RT2, Hub-1, Hub-2, MPLS, Internet, iMaster NCE, network impairment emulator, access layer, Site1-CPE, Site2-CPE, PC3, PC4, PC5, Site1, Site2, legacy site.]

1. Site: a branch network of an enterprise. Site1 uses dual gateways, and Site2 uses a single gateway.
2. CPE: egress gateway device, which is an edge node on the SD-WAN network.
3. Hub: The hub is connected to the router in the DC in off-path mode and functions as an RR to distribute VPN routing and tunnel information between CPEs. In this scenario, the RR is independently deployed under a tenant.
4. iMaster NCE: SD-WAN controller, responsible for network management, service provisioning, and network O&M.
5. Network impairment emulator: simulates network link quality changes by changing indicators such as the delay, jitter, and packet loss rate of network links.
6. PC: PC at the site. The following software is run on the PC to simulate different applications in intelligent traffic steering:
• FTP/HTTP client and server: simulate FTP and HTTP application traffic in the intelligent traffic steering function.
• JPerf client and server: simulate UDP traffic in application-based load balancing.
• VLC: a media player, which is used to simulate video on demand (VoD) services in A-FEC.
7. MPLS/Internet: In this environment, a switch is used for simulation.
[Figure: topology diagram. Labels: SW1, SW2, RT1, RT2, Hub-1, Hub-2, MPLS, Internet, iMaster NCE, aggregation layer, SW4, PC4, PC5, Site1, Site2.]

2. CPE: egress gateway device, which is an edge node on the SD-WAN network.
3. Hub: The hub is connected to the router in the DC in off-path mode and functions as an RR to distribute VPN routing and tunnel information between CPEs. In this scenario, the RR is independently deployed under a tenant.
4. Border: aggregation device, which is connected to a router at the aggregation layer in off-path mode.
5. iMaster NCE: SD-WAN controller, responsible for network management, service
services in A-FEC.
8. MPLS/Internet: In this environment, a switch is used for simulation.
Topo7
Hub1: AR6280
Hub2: AR6280
Site1: AR6121
Site2: AR6121
Note: All devices on this slide are used only for DemoCloud function demonstration. For details about the
models available for sales in each region, see the SD-WAN Sales Guide.
DemoCloud Dual-Hub Hierarchical Networking Environment and Device Appearances
Hub1: AR6300
Hub2: AR6300
Border1: AR6140-9G-2AC
Site1-2: AR651
Site2: AR6120
Note: All devices on this slide are used only for DemoCloud function demonstration. For details about
the models available for sales in each region, see the SD-WAN Sales Guide.
Environment Pre-configuration (1/4)
[Figure: topology diagram. Labels: SW1, SW2, Hub-1, Hub-2, RT1, RT2, RT3, RT4, Gateway, iMaster NCE, MPLS, Internet, AGG, Border-1, Border-2, SW3.]

1. Network infrastructure
2. Controller: iMaster NCE
3. Site1 and Site2

Pre-configuration: Description
• Software installation and license loading: Software installation and initial configuration have been completed on the SD-WAN controller, and the interconnection between the SD-WAN controller and the email server has been configured.
• Account: The super administrator, MSP, and tenant accounts have been created.
• PC1~PC4: The IP addresses and default gateways have been configured for network adapters.
Network infrastructure
• Devices have been connected through cables, and the connectivity of the underlay is normal.
• Routes have been configured for the traditional router, which is connected to the AR in off-path mode.
• The network impairment emulator has been connected to the network.

Controller: iMaster NCE
• iMaster NCE has been installed and deployed. The super administrator, MSP, and tenant accounts have been created.
• iMaster NCE has been connected to the email server.
• Site templates have been created.
• Application groups and traffic classifiers related to HTTP and FTP have been created.

Hub, border, and some sites
• The hub, border, and some sites have been brought online and managed by iMaster NCE. The hub, border, and some sites (except the site used to verify the deployment) can work properly.
• LAN-side ports and IP addresses have been configured for CPEs that have been deployed.
• VPN-based topology orchestration and service provisioning have been completed. Traffic monitoring and traffic steering policies have been configured.

PCs at sites
• The IP addresses and default gateways have been configured for network adapters on PCs at all sites.
• The HTTP, FTP, JPerf, and VLC software has been installed on the PCs at some sites.
• The PC used for deployment can access the Internet and receive emails.

The underlay and overlay networks have been configured for all sites except the site used to verify the deployment.
Mapping Between Demonstration Scenario Requirements and Key Solution Features
[Figure: bank network diagram. Labels: Office service (OA), Production service (PA), ISP1, ISPN, Level-2 branch, Border1, Border7.]

Scenario description: The SD-WAN Solution implements WAN interconnection between bank branches. This use case simulates the scenarios where a bank deploys new sites and provisions new services on the existing network that is reconstructed into the SD-WAN network, optimizes links for key services, and performs routine O&M.

User requirements and solution features:

Intelligent traffic steering: Multiple WAN links exist at a site. Key services need to be carried on high-quality links or automatic switchover needs to be implemented when the link quality deteriorates. Multiple WAN links need to be fully used to improve link bandwidth utilization. When link quality deteriorates, links are automatically optimized to ensure user experience.
Solution features:
• Application-based intelligent traffic steering
• SLA-based automatic traffic steering and switchover
• Application- and link-based load balancing
• A-FEC, no freeze frame even at 20% packet loss

Site-to-Internet: Internet access modes can be flexibly defined for different sites or departments.
Solution features:
• Local breakout
• Centralized Internet access

Site security: Users' access to unauthorized or enterprise-prohibited websites needs to be prevented.
Solution features:
• URL filtering

[Figure: topology of VPN1 (office). Labels: DC1, DC2, PC1, PC2, SW1, SW2, RT1, RT2, Hub-1, Hub-2, MPLS, Internet, iMaster NCE, aggregation layer.]

• Services (including overlay topology, routing, and security) are automatically orchestrated, and overlay tunnels are established between sites through EVPN on the control plane. GRE over IPSec is used to encapsulate data on the forwarding plane.
• Two virtual networks (office and production) are constructed using VRF. Services are isolated from each other. Different VPNs use independent topologies and policies.
• Diverse WAN-side traffic steering policies are provided, including traffic steering based on applications (L3–L7), optimal link between
1.1 Email-based deployment
1.2 Service access (VPN-based service isolation + flexible networking)

2.1 Application-based intelligent traffic steering
2.2 Intelligent traffic steering and automatic switchover
2.3 Intelligent traffic steering based on load balancing
2.4 A-FEC
2.5 Local breakout
2.6 Centralized Internet access

3. CPE built-in firewall: URL filtering

4.1 Visualized monitoring
4.2 GIS-based monitoring
4.3 Real-time fault alarm
4.4 Role-based access control

5.1 CPE redundancy
5.2 Dual hubs for load balancing
Demo Procedure (1/2)
No. Use Case: Description
1.2 Service access (hub-spoke, full-mesh, and multi-VPN and multi-topology): Sites can communicate with each other based on the hub-spoke, full-mesh, or partial-mesh networking. In addition, VPNs can be isolated from each other, with varying networking for each VPN.
2.1 Application-based intelligent traffic steering: Traffic of different applications (L3–L7) can be transmitted over different links (primary and secondary links). The link quality can be automatically detected.
2.2 Intelligent traffic steering and automatic switchover: If the link quality deteriorates and the switching conditions are met, traffic is automatically switched to a qualified secondary link.
2.3 Intelligent traffic steering based on load balancing: On a multi-link network, per-flow load balancing can be implemented.
2.4 A-FEC: A-FEC ensures smooth video experience even at 20% packet loss.
2.5 Local breakout: Sites can access the Internet through local Internet links.
2.6 Centralized Internet access: All the other sites can access the Internet through the centralized Internet site, where dual CPEs can be deployed in active/standby mode to function as gateways.
3 Built-in firewall: URL filtering: The CPE provides built-in firewall functions. Fuzzy search can be performed against the URL blacklist and whitelist based on keywords to filter specific web pages.
4.1 Visualized monitoring (site, link, and application data): Visualized monitoring pages are provided for site, link, and application data.
4.2 GIS-based monitoring: Basic site information and physical locations are displayed based on the GIS map.
Demo Procedure (2/2)
No. Use Case: Description
4.3 Real-time fault alarm: Alarms are generated in real time for site faults, and users can be notified of these alarms by email.
4.4 Role-based access control: Different permissions are configured for different accounts or users based on roles.
5.1 CPE redundancy (Topo8 available for demonstration): When one CPE at a site fails (regardless of whether the fault occurs on the WAN side, LAN side, or interlink), traffic can be transmitted through the other CPE, ensuring service continuity.
5.2 Dual hubs for load balancing: In dual-hub mode, branch services can be load balanced to different DCs (hubs) based on routing policies to improve the bandwidth utilization of the current link. The two DCs back up each other. If one hub or its link is faulty, traffic is diverted to the other hub.
Network Deployment | Application Experience | Service Security | O&M Management | Reliability
• Prepare ZTP configurations, encrypt information such as the device link, WAN port, WAN port address obtaining mode, and protocol, write the information into a URL, and send the URL to site engineers through an email.
(2) Device plug-and-play (onsite operation)
[Figure: topology diagram showing HTTP traffic and FTP traffic between Site1 and Site2.]
(2) Deliver the traffic policies to devices and send application traffic.
• Deliver traffic policies to sites.
• Use a simulation tool to simulate application traffic at sites.
(3) Check application traffic statistics through visualized monitoring.
• On iMaster NCE, check application traffic statistics through visualized monitoring.
Note: This use case uses the dual-hub hierarchical networking as an example. The procedure for the dual-hub flattened networking is the same.
real-time monitoring.)
• On iMaster NCE, it is found that the quality of the MPLS link between sites deteriorates.
Use Case 2.3: Intelligent Traffic Steering Based on Load Balancing (Dual-Hub Flattened Networking)
[Figure: topology diagram. Labels: Hub1, Hub2, PC1, PC2, Hub1-CPE, Hub2-CPE, traffic, Internet, MPLS, network impairment emulator, Site1-CPE, Site2-CPE, Site1, Site2, overlay tunnel.]

When there are multiple WAN links, intelligent traffic steering based on load balancing can be configured.

(1) Create traffic policies.
• Create a UDP application group in the predefined application library.
• Create a traffic classifier and bind it to the UDP application group.
• Create a UDP traffic policy and bind the UDP traffic classifier to it. In the traffic policy, set the same priority for the MPLS and Internet links and configure intelligent traffic steering based on load balancing.
(2) Deliver the traffic policies to devices and send application traffic.
• Deliver traffic policies to sites.
• Use the simulation tool JPerf to simulate UDP traffic sent from different ports.
(3) Check application traffic statistics through visualized monitoring.
• On iMaster NCE, check inter-site application-based UDP traffic statistics.
Use Cases 2.5 and 2.6: Local Breakout and Centralized Internet Access
[Figure: topology diagram. Labels: Hub1, Hub2, PC1, PC2, Hub1-CPE, Hub2-CPE, MPLS, Internet, AGG, Border-1, Border-2, Site1-CPE, Site2-CPE, PC4, PC5, Site1, Site2, centralized Internet access, local Internet access.]

(1) Enable the local Internet access policy.
• Enable the local breakout function for Hub2 and configure traffic to be transmitted over the local Internet link.
• Access the Internet on PC2 at Hub2 and check the Internet connectivity.
(2) Configure a centralized Internet access policy.
• Access the Internet on PC4 at Site1. The Internet fails to be accessed.
• Enable the centralized Internet access policy and configure the CPE at Hub2 as the gateway.
• Access the Internet on PC4 at Site1. The Internet is accessed successfully. Perform tracert on the public network address and check the traffic path. Traffic from PC4 to the Internet traverses Hub2.
(3) Enable the local Internet access policy for Site1.
• Enable the local Internet access policy for Site1.
• Access the Internet on PC4 at Site1. Perform tracert on the public network address and check the traffic path. Traffic from PC4 to the Internet is routed out through the local Internet link.
Note: This use case uses the dual-hub hierarchical networking as an example. The procedure for the dual-hub flattened networking is the same.
Configure a URL-based security policy.
Note: This use case uses the dual-hub hierarchical networking as an example. The procedure for the dual-hub flattened networking is the same.
Site data
Link quality
Application service
Real-time monitoring
Note: This use case uses the dual-hub hierarchical networking as an example. The procedure for the dual-hub flattened networking is the same.
Note: This use case uses the dual-hub hierarchical networking as an example. The procedure for the dual-hub flattened networking is the same.
new user can access only the monitoring page.
Note: This use case uses the dual-hub hierarchical networking as an example. The procedure for the dual-hub flattened networking is the same.
1. Perform an extended ping test between the two
Note: This use case can be demonstrated only in the dual-hub hierarchical networking.
Note: This use case uses the dual-hub hierarchical networking as an example. The procedure for the dual-hub flattened networking is the same.