Professional Documents
Culture Documents
05 NCE-Campus Scenario Baseline Introduction
05 NCE-Campus Scenario Baseline Introduction
05 NCE-Campus Scenario Baseline Introduction
Page 1 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Foreword
With the rapid development of cloud computing, the on-demand cloud service mode becomes
more popular so that the traditional network management mode also experiences great changes.
In this situation, the cloud-based network management has been a tendency, as well as a new
model for enterprise network construction, operations and maintenance (O&M).
This document mainly introduces the networking solutions and scenario-specific delivery
baselines of iMaster NCE-Campus.
Page 2 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Objectives
On completion of this course, you will be able to:
Understand all scenarios of iMaster NCE-Campus.
Understand the networking solutions and deployment constraints of iMaster NCE-Campus in on-
premises scenarios.
Understand the networking solutions and deployment constraints of iMaster NCE-Campus in MSP-
owned cloud scenarios.
Understand the networking solutions and deployment constraints of iMaster NCE-Campus in Huawei
public cloud scenarios.
Page 3 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Contents
iMaster NCE-Campus Scenario Overview
On-Premises Scenario
MSP-owned Cloud Scenario
Huawei Public Cloud Scenario
Page 4 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Scenario Overview Level-1
Level-2 Category Description
Category
Unified management of campus networks (VLAN
iMaster NCE-Campus VLAN campus networking), including the wireless network using WACs
scenario and Fit APs, wired VLAN, and access authentication
EasyBranch Network digital map Application/VIP user assurance services.
Access Unified management of campus networks (VXLAN
Device LAN VXLAN SD- SRv6 Traditional IoT VXLAN campus networking), including the wireless network using WACs
authentication
management management fabric WAN policy NMS service scenario and Fit APs, wired VLAN, and access authentication
service services.
iMaster NCE-Fabric iMaster NCE-FAN SecoManager iMaster NCE-IP eSight Agile Controller-IoT Cloud management Cloud management of small and midsize campus networks,
scenario for small including the wireless network using cloud APs, wired
On-premises MSP-owned Huawei public and midsize VLAN, AR/firewall as egress gateways, SD-WAN services,
scenario cloud scenario cloud scenario campus networks and access authentication services.
On-premises SD-WAN scenario SD-WAN services for multi-branch enterprise networks.
11 10 Traditional scenario
One enterprise
IoT management Traditional CE NE
ME60 Firewall
Third-party
network scenario
Management of one SRv6 WAN
NMS LSW switch router device
iMaster NCE-Campus functions only as an access
Authentication
IoT gateway
9 PON management 8 One SRv6 server scenario
authentication server and replaces Agile Controller-Campus
1.0.
Access
1 authentication network Traditional NMS
Traditional NMS capabilities are supported when traditional
switches and other non-cloud managed devices are deployed
service
2 Cloud Wi-Fi 4 VLAN management SRv6
scenario
on a campus.
management POL management is supported in campus networks using
Wired user PC NE routerAR Firewall IP+POL campus
the POL technology.
NE router IoT gateway management and service-oriented integration of
IoT management
Wireless
user
Laptop
Aggregation Core 7 SD-WAN IoT applications.
Cloud management of small and midsize campus networks,
Cloud AP SD-WAN Cloud management
Tablet Access switch switch including the wireless network using cloud APs, wired
scenario for small
switch VLAN, AR/firewall as egress gateways, SD-WAN services,
VPN remote
3 WAC/AP network
AR/ MSP-owned
and midsize
and access authentication services. MSPs can manage all
user
Phone management 5 VXLAN management
AR
vAR cloud scenario
campus networks
branch features or only some of them.
Guest
Printer
6Branch gateway MSP provides SD-WAN services for multi-branch enterprise
SD-WAN scenario networks, such as SD-WAN interconnection services and
Network POP WAN acceleration.
management IPsec Firewall Cloud management Cloud management of small and midsize campus networks,
Camera Aggregation Core
personnel scenario for small including the cloud Wi-Fi, cloud WAC, VLAN, egress
WAC & Fit AP Access switch switch switch POP/Private and midsize gateway/SD-WAN, and access authentication. Tenants can
User & Terminal AR Firewall cloud/Public Huawei public campus networks subscribe to all branch features or only some of them.
Campus/Branch cloud cloud scenario SD-WAN services for multi-branch enterprise networks.
Wireless network Wired network Egress network Tenants use the public cloud for self-O&M, or MSPs use the
network SD-WAN scenario
public cloud to provide MSP-managed O&M and POP WAN
acceleration.
Page 5 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Contents
iMaster NCE-Campus Scenario Overview
On-Premises Scenario
Service Scenario
Controller Deployment
Page 6 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Networking GW
Wired policy enforcement point
Gateway
Wireless policy enforcement point
Native WAC
Networking Single-Layer Switch Two-Layer Switch Two-Layer Switch Networking + Three-Layer Switch Three-Layer Switch Networking + Standalone
Solution Networking + Native WAC Networking + Native WAC Standalone WAC Networking + Native WAC WAC
S7700 + S12700E
GW
Number of < 2000 (dual-stack/single- < 10,000 (IPv4/IPv6 dual-stack); < 30,000 (IPv4/IPv6 dual-stack); < 50,000 (IPv4
< 5000 (IPv4/IPv6 dual-stack); < 10,000 (IPv4 single-stack)
terminals stack) < 30,000 (IPv4 single-stack) single-stack)
•Networking constraints:
1. V600 switches do not support the native WAC function. Therefore, standalone WACs must be deployed in off-path mode.
2. V600 switches do not support policy association. The core switches allow packets from aggregation/access switches in authentication-free mode. The access switches allow BPDU packets.
Page3.7 V600 switches do not
Copyright © 2024
support wired Huawei
Portal Technologies
authentication Co.,
or terminal Ltd. All rights reserved.
identification.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 8 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
1. If the number of online users is greater than 20,000, you are advised to deploy the minimum or distributed cluster with IAE nodes. The cluster provides network management and secondary authentication
services, and the IAE node provides the primary authentication service. Alternatively, the cluster provides only network management, and the IAE node provides authentication active/standby or load balancing.
Controller
2. If the number of online users is less than or equal to 20,000, a single-node system with IAE nodes can be used. The single-node system provides network management and secondary authentication services, and
deployment
the IAE node provides the primary authentication service.
3. For non-commercial customers, a single-node system can be used only when the number of users is less than 1000. No reliability is provided.
Device The controller can manage devices through NETCONF and SNMP. For details about managed devices and device management protocols, see the Device Mapping Panorama by clicking the following URL:
management https://support.huawei.com/enterprise/en/doc/EDOC1100331189?idPath=24030814|250382819|250382820|250987403|250852420
Traditional Huawei campus devices (LSWs and WACs) and network devices such as firewalls, CE series devices, NE series devices, and ME60 series devices are managed by the controller through SNMP. The
SNMP-based
following monitoring and O&M functions are supported: device performance monitoring, device alarm reporting, device configuration file management, device upgrade, CLI-based service configuration, WLAN
device management
resource monitoring, region monitoring, agile report, and SLA management. The traditional NMS also supports these functions.
Third-party network devices are managed through SNMP. The following functions are supported: device alarm reporting and basic information monitoring. For details about device mapping and specifications, see
Third-party device
the document by clicking the following URL:
management
https://support.huawei.com/enterprise/en/doc/EDOC1100331190?idPath=24030814%7C250382819%7C250382820%7C250987403%7C250852420
• In a VLAN campus scenario, you are advised to use network plan import for the overall deployment solution. Core switches and WACs are manually deployed, and aggregation switches, access switches, and
Device deployment
APs are managed through DHCP Option 148, management VLAN auto-negotiation, and Eth-Trunk auto-negotiation. You are advised not to use the default VLAN 1, which may cause broadcast storms.
mode
• SNMP-managed devices do not support the preceding plug-and-play deployment solution. Those devices can only be proactively managed through SNMP-based scanning.
1. Stacks must be manually set up and then managed by the controller. Stacks cannot be set up through the controller.
Switch stacking
2. When the controller manages a stack, it is recommended that the number of switches in the stack be less than or equal to four. In addition, only switches of the same series can be added to the stack.
Page 9 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
For details about configuration capabilities, click the following URL ( Only Chinese Temporary ) :
Pagehttps://3ms.huawei.com/documents/docinfo/931375382333517824?bookstackId=337384633191337984&catalogId=286318974438756352
10 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
M-LAG
Solutions (1/2)
control point
Wired policy Wireless policy enforcement Eth-Trunk
enforcement point point
GW Gateway Native WAC
GW Wireless gateway
Egress
Aggregation
VXLAN S6730-H
VXLAN S77 VXLAN
(edge)
S6730-H-V2
Networking VXLAN S12700E S5735-L S6730-H
S5731-H S6730-H-V2
S8700 S5736-S GW GW
S5732-H S5735-L S8706/10
S5731-H S5731-S
Access S5732-H-V2 S5736-S
Access S5732-H S5735-L-V2
(edge) S5755-H S5731-S GW GW
S5732-H-V2 S5735I-L-V2
S5735-L-V2
S5735I-L-V2 S5755-H
RU AP RU AP RU AP RU AP
S5731-L Wi-Fi 6/7 RU AP RU AP RU AP
S5731-L Wi-Fi 6/7 RU AP
Page 11 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
M-LAG
Solutions (2/2)
Wired policy enforcement point Wireless policy
enforcement point Eth-Trunk
GW Gateway Native WAC
GW Wireless gateway
Distributed Gateway + VXLAN Deployed Distributed Gateway + VXLAN Deployed Distributed Gateway + VXLAN
Networking Centralized Gateway + VXLAN Deployed Across
Across Core and Access Layers (Dual Across Core and Aggregation Layers (Dual Deployed Across Core and Aggregation
Solution Core and Aggregation Layers (M-LAG)
Border Nodes) Border Nodes) Layers (M-LAG)
Networking AC6805 AirEngine 9700-M1
AC6805 Egress
AC6805
S16704/08 Core
(border) S16700
S12700E GW GW
GW GW
S12700E GW GW GW GW
S16704/08 S16704/08
S6730-H-V2 M-LAG M-LAG
S12700E+MPUE+X6H S8706/10 Aggregation (edge) S6730-H-V2
S77 S6730-H GW GW
GW GW
S12700E S6730-H-V2
S5731-H S5735-L S5736-S
S5736-S
S8700 GW GW
S8706/10 S5735-L-V2
S5732-H S5736-S S5735-L/S-V2
S5735I-L-V2
S5732-H-V2 S5735I-L-V2
S5731-S S12700E+MPUE+X6E Access
S5755-H GW
S5735-L-V2
GW
S5735-S-V2
S5735I-L-V2
RU AP
RU AP RU
Page 12 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 13 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 14 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
1. VXLAN deployment is supported in on-premises scenarios, and is not supported in Huawei public cloud and MSP-owned cloud scenarios.
2. Centralized fabric, distributed fabric, and Layer 2 VXLAN transparent transmission are supported, and controller deployment modes are selected according to these three networking modes. For capacity
VXLAN networking
specifications of the deployment modes, click the following URL:
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100331205&id=EN-US_TOPIC_0159670496
Device model check For details about device models supporting VXLANs, see the LSW sheet in iMaster NCE-Campus V300R023C00 Device Mapping and System Versions.
Three types of global resources can be planned for tenants: VLAN, VXLAN Network Identifier (VNI), and bridge domain (BD). During fabric network orchestration, related resources are automatically allocated from
Fabric resource
the global resource pool. Note that VLAN resources are globally managed by tenants and cannot be reused between multiple fabrics. If VLAN resources are reused between multiple fabrics, it is
management
recommended that the multi-tenant mode be used.
The controller supports automatic deployment of fabric underlay networks and automatic provisioning of VLANIF interfaces, loopback interfaces, VTEP IP addresses, and routes required for establishing BGP EVPNs
on VXLAN fabrics.
1. Underlay interconnection resource planning, including the interconnection VLAN resource pool, interconnection IP address pool, and loopback interface IP address pool. The interconnection resource pools are
Underlay network global resources of tenants and cannot be reused between multiple fabrics. If the resource pools need to be reused, the multi-tenant mode is recommended.
automation 2. Underlay OSPF automation: Single-area and multi-area orchestration is supported. The restrictions are as follows:
• Automatic OSPF orchestration is supported at a site only when there are only NETCONF-managed devices. Cross-site OSPF does not support automatic orchestration, and OSPF needs to be configured for each site.
• The controller interconnection interface for automatic orchestration uses a VLANIF interface by default, and a VLAN and an IP address are automatically allocated for the VLANIF interface. The multi-area model
generates areas for each edge node. If the customer does not want automatic orchestration, it is recommended that automatic routing domain configuration be disabled.
Page 15 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
1. Based on where network service resources are deployed, the controller can be directly connected to a server, directly connected to a switch, or connected to a remote server.
Network service resources support DHCP, third-party RADIUS servers, third-party Portal servers, and other types of servers.
2. A centralized or distributed fabric gateway cannot function as the DHCP server for terminals. The DHCP server needs to be deployed by the customer independently, while the
Network service fabric network provides a DHCP relay agent to obtain IP addresses from the DHCP server.
resource 3. Currently, the DHCPv4 relay function is implemented via rerouting in distributed gateway scenarios, with VXLAN tunnels deployed between edge nodes.
4. If the DHCP server is deployed outside the campus, configure the controller to connect to a remote server, insteading of directly connecting to a switch.
5. In dual-stack scenarios, Portal authentication servers support IPv4/IPv6 dual stack, with IPv6 addresses used for accessing Portal pages. In addition, Portal servers use IPv4
addresses to interact with devices, while RADIUS authentication servers use only IPv4 addresses to interact with devices.
1. Subnets can be deployed on VNs as user gateways. A single VN supports a maximum of 300 subnets, and subnets support IPv4/IPv6 dual stack. The constraints are as follows:
a. Switching between single-stack and dual-stack is not supported.
b. Terminals supporting static IP addresses and terminals supporting DHCP cannot be both configured on a subnet. Otherwise, IP address conflicts may occur (especially when
Overlay VN Layer 2 isolation is enabled, because terminals cannot detect address conflicts through gratuitous ARP broadcast packets).
2. A single VN can be bound to a maximum of 16 external gateways, and IP addresses configured for these external gateways must be unique.
3. A maximum of eight network service resources can be bound to a VN, and only one DHCP network service resource can be bound to a VN. DHCP network service resources
cannot be configured for all subnets.
Page 16 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
1. The multicast source is located outside the fabric, and the requesters are located inside the fabric.
1) Layer 2 multicast is supported: The requesters and multicast source are in the same Layer 2 forwarding domain.
VXLAN 2) Layer 3 multicast is supported. The requesters and multicast source are in the Layer 3 forwarding domain. Layer 3 multicast packets are converted to Layer 2 packets on border nodes and forwarded as Layer 2
multicast multicast packets inside the fabric. Only the gateways of the Layer 3 exclusive egress type support Layer 3 multicast, and V600 devices do not support Layer 3 multicast.
2. When the multicast source and requesters are inside the fabric, only Layer 2 multicast is supported.
3. IPv6 subnets do not support IGMP snooping.
By default, VNs cannot access each other. If VNs need to access each other, use the following methods:
VN 1. Configure border nodes to implement mutual access between Layer 3 VNs.
communication 2. Configure routes between VNs through an external network to implement mutual access. The external network can be accessed through the Layer 3 exclusive egress (usually a firewall).
Policy Orchestration of policy association is supported. In centralized scenarios, core or aggregation devices can be used as control points. In distributed scenarios, aggregation devices are used as control points by default. V600
association devices do not support policy association. When V600 devices are used as access points, aggregation switches function as both authentication control points and enforcement points.
M-LAG The controller does not support automatic VXLAN orchestration when devices use M-LAG networking. If M-LAG networking is used on a fabric, the underlay and overlay networks must be manually deployed. In this
networking case, the controller provides only plug-and-play and device monitoring and O&M functions.
• It is recommended that iMaster NCE-Campus be used as the authentication server. If a third-party authentication server exists on the live network, iMaster NCE-Campus can serve as a relay agent and devices can be
connected to the third-party authentication server through iMaster NCE-Campus. In this way, free mobility can be implemented.
• 802.1X authentication is recommended for wireless access of employees, MAC address authentication for dumb terminals, and Portal authentication for guests. You are advised to set different SSIDs for employees and
Access guests.
authentication • You are advised to manage user accounts through local management by iMaster NCE-Campus or interconnection with the AD/LDAP server.
• If the customer's self-developed OA system and development customization are involved, single-point evaluation is required. In addition, the differentiated authorization function is restricted because iMaster NCE-
Campus does not have user group information.
• In VXLAN scenarios, Portal authentication supports only Portal 2.0 and does not support HACA. Therefore, the API relay function is limited.
Page 17 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Small branch
Number of Mini branch Small branch Small or midsize branch Midsize branch
Number of terminals <
terminals Number of terminals < 50 Number of terminals < 1000 Number of terminals < 2000 Number of terminals < 10,000
200
Page 18 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
n VP iMaster NCE-Campus and the stores is transmitted over the VPN tunnels.
tu N
N
VP
tu
nn Controller deployment: iMaster NCE-Campus is deployed in a 17-node
el
distributed cluster in the customer's HQ DC, and DR is deployed to
ensure reliability. iMaster NCE-Campus provides cloud NMS functions
LSW- LSW- LSW- such as batch configuration, monitoring, and O&M, instead of
LAN1 LAN2 LAN2
authentication services.
Network access authentication: 802.1X and MAC address authentication
are used for wired networks, and Portal authentication for wireless
Employee Wi-Fi Guest Wi-Fi Employee Wi-Fi Guest Wi-Fi networks. The customer provides Portal servers and RADIUS servers,
PC 1 Cashier
which are connected to switches and APs.
Germany France United States
Page 19 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 20 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
advertisement
advertisement
Route
Route
VRRP VRRP
OSPF OSPF VRRP
t
en Service traffic
em
Rou
rtis
ve
ad
te ad
Internet access
ute Service traffic
Ro service (active)
vert
Internet access
is
Service A
eme
Routing Transmission
Transmission Routing
Domain Network
Network Domain
2.2.2.2/24 3.3.3.3/24 ISP 1 ISP 1
Internet 2.2.2.2/24 3.3.3.3/24 Internet
Description Site
In the hub-spoke B
topology, the enterprise HQSite
andCDCs function as hub
ISPsites;
2 Site B
In the full-mesh ISPeach
Site C communicate with
topology, branches can directly 2 other,
enterprise branches function as spoke sites and centrally access server applications without the need to divert traffic through intermediate nodes. The full-mesh
deployed at the HQ or DCs through WANs. If enterprise branches need to topology is applicable to small enterprises with a small number of sites or large
communicate with each other, traffic between them is transmitted through the hub enterprises whose branches need to collaborate with each other.
sites. A maximum of 200 sites (400 CPEs)
Number of sites on a single network ≤ 2000 (2000 CPEs)
Page 22 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Area 1
Internet access
HQ site Branch & HQ
site A services Hub 1 Hub 2
Communication between
branches
Backbone area
Networking Level-2
Level-2 branch
branch
site C
site B Global centralized
Internet access site
Site 1 Site 4
Centralized
Internet
access site in
area 2
Level-3 Level-3 Site 2 Site 3
Level-3 branch branch branch
site B1 site B2 site C1
Area 2 Area 3 Customized networking mainly applies to irregular networking.
The hierarchical networking model can be considered as a combination of single- • No tunnel is established between some sites in full-mesh networking. Specifically, the controller
layer networking models. A WAN is divided into multiple areas, which are blocks tunnels between some sites.
interconnected through a centralized backbone area. In this way, a large number of • Tunnels are added between some sites in hub-spoke networking. Specifically, tunnels between
sites can communicate with each other across areas. The hierarchical network some sites are configured on the controller. In addition, priorities can be set the tunnels at the
Description
model features a clear network structure and excellent scalability and is therefore next-hop sites.
applicable to large enterprises and multinational enterprises that have a large As shown in the preceding figure, a hub-spoke network is created for four sites and two hubs. A
number of sites or sites widely distributed. direct tunnel needs to be created between site 3 and site 4. Mutual access through the direct tunnel is
This networking mode is not recommended. Flat networking is recommended. preferred. If the direct tunnel cannot be used, site 3 and site 4 can communicate with each other
through the hubs.
Page 23 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 24 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 25 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
tier-1 branch.
SRv6 policy reconstruction in 17 key industries, including the finance industry.
Tunnel
SRv6
Centralized path computation
iMaster NCE-Campus
and optimization
DC-P12 DC-P22
DC-PE12 DC-PE22
Networking solution
WAN-P1 WAN-P2
Intra-city equipment room A Intra-city equipment room B Unified and automatic management and control
MSTP private line of the
ISP
Centrally manage and control the core backbone network and WAN access
network, orchestrate network services, automatically provision services, and
BR-PE1 BR-PE2 perform SRv6 policy-based centralized path computation and optimization.
User domain of the Tunnel termination Core backbone network
tier-1 branch Service
Branch core The core backbone network is a dual-plane network consisting of DC-PEs, DC-
Branch switch Service domain of implementation
the tier-1 branch Ps, and WAN-Ps of the DC, and BR-PEs of the tier-1 branch. It carries DCI
services and services between the DC and tier-1 branch. NE8000-M8, NE8000-
2. WAN access
SRv6 tunnel
SRv6
Access WAN
network
MSTP private line of the ISP Tunnel Egress routers of a sub-branch connect to the downlink routers of the tier-1
branch through at least two ISP private lines, and SRv6-based SPR intelligent
traffic steering is implemented, improving the reliability and utilization of
Sub- private line links. NE8000-M6 and NE8000-M1C are recommended for hub
Spoke 1 Spoke 2 Spoke 3 Spoke 4
branch Sub-branch Sub-branch sites, and AR6710 for spoke sites.
Network Solution Deployment and Maintenance Guide on Huawei Smart WAN for City Commercial
Banks and Rural Credit Cooperatives ( Only Chinese Temporary ) :
Page 26 https://support.huawei.com/enterprise/zh/doc/EDOC1100285825
Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Internet access
extranet egress Internet egress
• Devices on district/county e-Government extranets are outdated, leading to
Municipal
zone
insufficient bandwidth and reliability. This severely limits the development of e-
WAN
Government extranet services and smart cities. Therefore, the live network needs to
be upgraded and reconstructed, implementing broadband upgrade or private line
access for district/county and township-/village-level government agencies, and
villagers' committees.
switching zone
management
• Use NE series routers to implement access for government agencies and villagers'
Security
Situational
zone
iMaster NCE
core
Log audit awareness committees. In addition, the routers integrate security capabilities such as firewall,
IPS, and antivirus to provide value-added services.
• Perform security hardening for the security management zone and Internet access
S7703/7706 SDP controller IOC screen
zone based on China's Classified Protection 2.0.
IPv6 Enhanced • Upgrade and reconstruct the secure access platform to provide secure and convenient
NetEngine A821E/822E/813E access for external organizations such as enterprises.
District/County
access zone
Customer benefits
• One network for all services: Allows an e-Government extranet to cover the entire
District/County District/County Township-/Village-level Villagers' committee district, implement information sharing for the e-Government information system,
government campus government agency government agency and improves e-Government service capabilities. This enables one network for all
government services, improves the business environment, and supports economic
Network Solution Deployment and Maintenance Guide for Huawei Intelligent e-Government Extranet development.
Across District/County ( Only Chinese Temporary ) : • Rural revitalization: Provides important network support, in order to facilitate rural
https://support.huawei.com/enterprise/zh/doc/EDOC1100338137/1cc2abd2?idPath=24030814|250421931| revitalization and the reform of streamlining administration and delegating power,
250422062|251755406 and enable people to handle services nearby.
Page 27 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
No new routing protocol needs to be deployed. Ensure that IP routes of WAN interfaces
Underlay route IS-ISv6 and BGP4+ for SRv6 protocols are deployed for IPv6 networks.
are reachable, and both IPv4 and IPv6 networks are supported.
Overlay route BGP EVPN for SD-WAN (carrying TNP/IPsec SA information) BGP EVPN for SRv6
BGP LS/SR Policy is added for the controller to collect topology information and deliver path
Path control protocol No need to deploy path control protocols. Automatic path computation is available.
computation results.
GRE tunnels are automatically generated by forwarders, with high encapsulation Static planning of local SRv6 BE/TE tunnels is supported. The controller computes and delivers
Overlay tunnel
efficiency. path policies.
Networking Supports interconnection with SD-WAN in loose coupling mode, with CPEs
SR traffic steering IPv6 SR is supported.
encapsulating BSIDs.
No independent IKE needs to be deployed. IPsec encryption is automatically enabled
Data encryption Independent link encryption and IKE-based IPsecv6 VPNs (being planned) are required.
for tunnels.
The local Internet access, centralized Internet access, and hybrid Internet access are
Site-to-Internet access Not supported
supported.
Site to Legacy network Supports interconnection with legacy networks through IWGs. Not supported
POP networking Supports hierarchical POP networking. Not supported
Supports automatic cloud migration to AWS, Huawei Cloud, and Alibaba Cloud.
Connection to public clouds Not supported
Microsoft Azure and e-Cloud are also supported.
Intelligent traffic steering Supports application-, priority-, and bandwidth-based traffic steering. MQC + SPR TE Policy
Experience
Path SLA detection IFIT (keepalive) Enhanced IFIT + BFD
FEC/TCP optimization/Dual fed and
WOC selective receiving/ Per-packet load Supported Not supported
balancing
Page 28 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 29 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
You are advised to manage users through local management by iMaster NCE-Campus or interconnection with the AD/LDAP server. In this way, differentiated authorization can be implemented by user group or role.
The RADIUS relay mode can be used for interconnection with the authentication server on the customer's live network.
For interconnection with the customer's self-developed OA system, the interconnection modes are as follows:
• The customer's OA system is developed based on the northbound API of iMaster NCE-Campus and configures user/user group information for the controller.
• HTTP interconnection: When a user initiates an authentication request, the controller extracts the username and password and invokes the API of the OA system for verification. (Constraint: Only Portal authentication is
supported, and all users belong to the same user group.)
User
• SAML-based SSO: The OA system provides Portal authentication. iMaster NCE-Campus redirects a user request to the OA system through the SAML protocol. After verifying the request, the OA system sends the request
management
back to the controller through the SAML protocol. (Constraint: Only Portal authentication is supported, and all users belong to the same user group.)
• API relay: The OA system provides Portal authentication. iMaster NCE-Campus redirects a user request to the OA system. After verifying the request, the OA system invokes the API of the controller to notify the
authorization result. (Constraint: Only Portal HACA authentication is supported, and all users belong to the same user group.)
• RADIUS relay: The OA system provides Portal authentication. iMaster NCE-Campus redirects a user request to the OA system. After the authentication information is entered on the Portal page of the OA system, the OA
system sends the information back to the controller. Then, the controller interconnects with the customer's RADIUS server through a RADIUS relay agent.
If the customer has social media accounts, see the list supported social media list. (Constraint: Only Portal authentication is supported, and all users belong to the same user group.)
Page 30 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Supported terminal types: mobile phone (802.1X/Portal/MAC address authentication), PC (802.1X/Portal/MAC address authentication), and dumb terminal
(depending on whether the 802.1X client or browser is carried) Other terminals with 802.1X clients support 802.1X authentication, and terminals with browsers
Terminal type
support Portal authentication. MAC address authentication is used for dumb terminals that do not support 802.1X or Portal authentication. Authentication of
other terminals needs to be evaluated separately.
iMaster NCE-Campus can interconnect with Ivanti, QAX, Leagsoft, Wanda TSM, VRV, and HiSec Insight. The controller can only synchronize the terminal
MDM system
compliance status to MDM systems and perform authorization control based on the compliance status. Information about other terminals cannot be
interconnection
synchronized.
Page 31 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
LSWs are traditional campus devices and cannot be managed by NETCONF due to their outdated models or versions. The controller uses the traditional SNMP protocol to manage LSWs, and monitors and
LSW
maintains the managed devices.
WACs are traditional campus devices and cannot be managed by NETCONF due to their outdated models or versions. The controller uses the traditional SNMP protocol to manage WACs, and monitors and
WAC
maintains the managed devices.
APs are traditional campus devices and cannot be managed by NETCONF due to their outdated models or versions. The controller uses the traditional SNMP protocol to manage APs, and monitors and
AP
maintains the managed devices.
AR routers as campus egress routers are deployed in the egress zone. They are connected to the WAN of the customer, external organizations, and the Internet. The controller uses the traditional SNMP
AR router
protocol to manage AR routers, and centrally monitors the managed devices.
Campus firewalls are connected to core switches in in-path or off-path mode for security protection. The controller uses the traditional SNMP protocol to manage firewalls, and centrally monitors the managed
Firewall
devices.
ME60 ME60 devices are commonly used as campus egress gateways in universities. The controller uses the traditional SNMP protocol to manage ME60 devices, and centrally monitors the managed devices.
NE routers serve as egress devices for midsized and large campuses, and the deployment scenario is similar to AR routers. The controller uses the traditional SNMP protocol to manage NE routers, and
NE router
centrally monitors the managed devices. The price for managing an NE router is the same as managing a third-party device.
CE switches are commonly used in the scenario where a small DC is also deployed on the customer's campus. If no other NMS is available on the campus, the controller can manage CE switches, and centrally
CE switch
monitor the managed devices. The price for managing a CE switch is the same as managing a third-party device.
Page 32 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Report management
Report management
Security policy
management SecoManager
Security policy
management
Unsupported features • Customized agile reports do not support year-on-year and period-
IPsec VPN MPLS VPN Mobile on-period comparison.
• Device performance reports, link management reports, and QoS
ZTP SVF management IP topology
traffic reports are not supported.
• Compliance audit cannot be configured using CLIs.
Page 33 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Item URL
https://support.huawei.com/enterprise/en/doc/EDOC1100331190?
Device list
idPath=24030814%7C250382819%7C250382820%7C250987403%7C250852420
Page 34 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
Page 35 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
VLAN Campus VXLAN Campus Cloud Management SD-WAN WAN SRv6 Authentication Server Traditional NMS IP+POL
1. iMaster NCE-Campus is available only in IP+POL scenarios, while iMaster NCE-FAN is recommended in POL scenarios.
Sales Scenarios 2. It is recommended that iMaster NCE-Campus be deployed in minimum cluster mode, while distributed cluster deployment
is not supported.
OLTs and ONUs can be managed. For details, click the following URL to see the list of device models that can be managed
POL device according to the controller version:
management https://support.huawei.com/enterprise/en/doc/EDOC1100331189?
idPath=24030814%7C250382819%7C250382820%7C250987403%7C250852420
Cross-public network iMaster NCE-Campus uses SNMP to manage POL devices. Therefore, the controller needs to communicate with POL private
constraints networks. Cross-public network management is not supported.
1. Currently, the POL network solution supports only Layer 2 pipes and automatic configuration of interfaces, VLANs, and
POL network WLANs.
solution 2. Currently, Layer 3 pipes and policy association are not supported.
3. The POL network solution is limited by iMaster NCE-FAN planning.
1. Supports 360-degree view of OLTs and ONUs, centralized display of device models, versions, and status, statistics of KPIs
such as CPU and memory, statistics of received and sent packets on interfaces, network topology display, and device alarm
POL device O&M
management
2. Supports device system software upgrade using patches.
Page 36 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Contents
iMaster NCE-Campus Scenario Overview
On-Premises Scenario
Service Scenario
Controller Deployment
Page 37 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
iMaster NCE-Campus Deployment in On-
Premises Scenarios
Basic Basic Value-added Feature Advanced Value-added Feature
Network Scale Reliability
Features (Optional) (Optional, New Resources Required)
+ Authentication Node
LAN Management
PON Management
Physical
SRv6 TE Policy
Scenario Deployment Server
No. Application Scenario
SD-WAN
VXLAN
Category Mode Quantity
+ DR
1 x server
Single-node Network management and authentication
1
lite
(prepared by the 500 500 3000 N N N
for small and mini campuses
customer)
Network management and authentication
New: 1 x 128 GB for small campuses. For customers who
Single-node physical machine Y have high requirements on user
2
system (LAN)
1 x 128 GB 5,000 5,000 20,000 (PM)/virtual (recommended)
Y Y
authentication reliability, an extra
machine (VM)
authentication component should be
deployed as a backup.
Unified management of multi-branch
networks for small enterprises.
Single-node
New: 1 x 128 GB In multi-branch scenarios, the single-node
3 system (LAN- 1 x 256 GB 5,000 5,000 1,000 20,000 PM/VM
« Y Y Y
system is not recommended. Cluster
WAN)
deployment is required to ensure
On- reliability.
premises New: 3 x 64
Minimum New: 1 x 128 GB Network management and authentication
scenario 4
cluster (LAN)
3 x 128 GB 30,000 30,000 100,000 PM/VM
GB Y Y Y
for midsized and large campuses
PMs/VMs
Category Description
Support cluster
LVS & Nginx High-performance HTTP proxy server that forwards concurrent
Proxy and load connection requests.
Cluster system balancing Load balancing component that improves north-south traffic reliability
of egresses.
Page 39 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
IAE Authentication Component for Enhancing
Authentication Reliability
The IAE authentication component is an independent node of iMaster NCE-Campus that is dedicated to implementing access authentication. It provides RADIUS
authentication, Portal authentication, and HWTACACS authentication. IAE authentication components can be deployed for each campus to implement nearby authentication and
reduce authentication delay. The IAE component is deployed in single-node mode. Each IAE node supports a maximum of 30,000 online users.
• When the central controller is deployed in single-node mode, a maximum of five IAE nodes can be deployed. When the central controller is deployed in cluster mode, a
maximum of 20 IAE nodes can be deployed.
• When IAE nodes and the central controller work in active/standby mode to provide authentication, the number of authentication users on all IAE nodes cannot exceed the
maximum number of authentication users in the central cluster.
• Authentication components are independent of each other and can function as active/standby authentication servers. However, online user information cannot be synchronized
between active/standby authentication components.
Page 40 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Controller Deployment Networking - Single
Cluster
For a simple campus network, the controller can connect access switches to core switches (border For networking on a large campus with a DC, the customer deploys the controller in the DC and
node) in off-path mode to implement nearby management. manages campus devices through the campus network.
• iMaster NCE-Campus is deployed on PMs and connects a group of access switches to a core • iMaster NCE-Campus is deployed in the DC on a PM or VM. You are advised to use the two-
switch in off-path mode. You are advised to use the two-plane deployment solution. That is, one plane deployment solution. That is, one plane is used for southbound and northbound external
plane is used for southbound and northbound external communication, and the other plane is used communication, and the other plane is used for communication between cluster nodes.
for communication between cluster nodes. • Determine whether to deploy IAE authentication nodes based on reliability requirements. The
• Determine whether to deploy IAE authentication nodes based on reliability requirements. The primary cluster and IAE authentication nodes work in active/standby mode. When the primary
primary cluster and IAE authentication nodes work in active/standby mode. When the primary cluster is faulty or being upgraded, the IAE nodes provide authentication backup.
cluster is faulty or being upgraded, the IAE nodes provide authentication backup. The Notes:
authentication component is deployed on one plane and can communicate with the southbound • If a firewall is deployed between the DC and campus, the IP address and interface of the
plane of the primary cluster through Layer 2 or Layer 3 routes. controller must be allowed on the firewall. For details, see iMaster NCE-Campus
Notes: V300R023C00 Communication Matrix (Ports Enabled on Firewalls).
• Access switches directly connected to the controller cannot be managed by the controller using
NETCONF. This misoperation must be prevented.
• The controller cannot be directly connected to the core switch, preventing the core switch from
being affected by heavy internal communication traffic of the controller.
Arbitration
DC (active) DC (standby)
Enterprise intranet
Internal communication of the controller (Layer 2)
Campus 1 Campus 2 Communication between DR clusters (Layer 2)
IAE node on Communication between the DR cluster and arbitration node
IAE node on iMaster NCE- (Layer 2)
iMaster NCE- Campus
Campus Communication between the controller cluster and devices
CSS CSS CSS CSS (Layer 3)
Communication between the primary cluster and IAE nodes
iStack iStack iStack iStack (Layer 3)
Page 42 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
DR Solution for the Controller: Layer 2 + Floating
IP Address
• DR clusters communicate with each other at layer 2 and provide floating IP addresses for external systems. Only the primary cluster
sends ARP packets carrying the floating IP address for locating the floating IP address.
IP address planning: The primary and secondary clusters are on the same network
segment. Internal communication is at Layer 2, and floating IP addresses are used
for southbound and northbound communication.
Enterprise intranet
Page 43 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
DR Solution for the Controller: Layer 3 + Floating
IP Address
DR clusters communicate with each other at Layer 3 and provide floating IP addresses for external systems. Configure static IP
floating routes for the gateways connected to the controller, and NQA is associated with the static routes for detection. Only the IP
floating route of the primary cluster is advertised to the network.
IP address planning: The primary and secondary clusters are in different network segments. Internal communication is at Layer 3,
and floating IP addresses are used for southbound and northbound communication.
iMaster NCE- iMaster NCE-
Internal channel data Campus
Campus
synchronization
Firewall/Router Firewall/Router
Static route: Unified southbound virtual IP Static route:
Prefix 174.16.2.100 address: 174.16.2.100 Prefix 174.16.2.100
nexthop 172.16.2.11 nexthop 173.16.2.12
track nqa test_172.16.2.11 track nqa test_173.16.2.12
Enterprise intranet
Page 44 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
DR Solution for the Controller: Layer 3 + Dual
Southbound IP Addresses
• In a scenario where multiple campuses are centrally managed, you are advised to deploy DR clusters for the controller to ensure reliability. If automatic
switchover between DR clusters is required, an arbitration node must be deployed for arbitration.
• DR clusters communicate with each other at Layer 3. The primary and secondary clusters provide different controller IP addresses for external systems.
Configure IP addresses for the active and standby controllers on network devices. When the primary cluster is faulty, devices are automatically switched
to the secondary cluster.
IP address planning: The primary and secondary clusters are on different network segments. Internal communication is at Layer 3, and
active/standby IP addresses are used for southbound and northbound communication.
Page 45 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
DR Solution for the Controller in Cloud
Management Scenarios
In multi-branch cloud management scenarios, management traffic between the controller and network devices may need to traverse the Internet. In this case,
NAT needs to be deployed for the network egress firewall where the controller resides to translate the internal IP address of the controller into a public IP
address. If a user wants nearby authentication, IAE authentication nodes can be deployed in branches. The IAE authentication nodes function as an active
authentication node, and the controller cluster functions as a backup authentication node.
DC DCI
DC
(active) (standby)
Internet
Branch 1 Branch 2
IAE node on
IAE node on iMaster NCE-
iMaster NCE- Campus
Campus
CSS CSS CSS CSS
Page 46 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Controller Deployment Networking - DR (Layer 2
+ NAT + Floating IP Address)
• If Layer 2 communication is implemented for the active and standby DCs, Layer 2 floating IP addresses are configured for the primary and secondary
controller clusters and then translated into public floating IP addresses through NAT. In addition, the priority for advertising southbound public virtual IP
addresses needs to be set in the active and standby DCs.
• The NAT policy on the firewalls cannot be used to monitor the active/standby status of the controller clusters and control route advertisement. Therefore,
manual switchover is performed for the controller. If automatic switchover is required, the DC where the controller is located must support cross-DC
Layer 2 floating IP address convergence. As shown in the following figure, if the primary cluster is faulty, the egress is still on the left, but the traffic can
be diverted to the standby DC from the active DC.
iMaster NCE-Campus Internal channel data iMaster NCE-Campus
synchronization
Virtual IP address Virtual IP address
for internal for internal
communication: communication:
172.16.1.11 172.16.1.12
Southbound private virtual IP
VBDIF: 172.16.1.1 24 address: 172.16.2.11 VBDIF: 172.16.1.1 24
It depends on host route convergence. DC gateway DC gateway It depends on host route convergence.
Internet
Page 47 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Controller Deployment Networking - DR (Layer 3
+ NAT + Floating IP Address)
• If only Layer 3 communication is allowed for the active and standby DCs, Layer 3 floating IP addresses are configured for the primary and secondary controller clusters and then
translated into public floating IP addresses through NAT. In addition, the priority for advertising southbound public virtual IP addresses needs to be set in the active and standby
DCs.
• The NAT policy on the firewalls cannot be used to monitor the active/standby status of the controller clusters and control route advertisement. Therefore, manual switchover is
performed for controller. If automatic switchover is required, the DC where the controller is located must support detection through association between static routes and NQA. As
shown in the following figure, if the primary cluster is faulty, the egress is still on the left, but the traffic can be diverted to the standby DC from the active DC.
Page 48 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Controller Deployment Networking - Unified
LAN-WAN Management
For unified LAN-WAN management, the controller uses southbound public virtual IP addresses to manage ARs; and uses southbound private virtual IP
addresses to manage LSWs and APs in branches. Management traffic is forwarded through SD-WAN tunnels on the overlay network.
AR Controller-IP: 110.16.2.100
Constraint: A single cluster with dual southbound addresses
(private/public virtual IP addresses) and a DR system with
LSW Controller-IP: 174.16.2.100 dual southbound addresses cannot be used together.
Page 49 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Controller Deployment: All Functions and Constraints
Category Function and Constraint
1. Select the deployment mode based on the number of devices and terminals to be installed. For details, click the following URL.
2. Single-node deployment in active/standby mode is required to ensure reliability. In a single campus scenario, if the customer is cost-sensitive, a single-node system
Controller deployment mode
with authentication components is required at least.
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100331205&id=EN-US_TOPIC_0000001606700656
In on-premises scenarios, the reliability solution is selected based on the importance of network services.
1. In a VLAN/VXLAN campus without authentication, a single-node system in active/standby mode or a cluster needs to be deployed.
2. In a VLAN/VXLAN campus with authentication, remote authentication nodes are recommended to improve the reliability of access authentication services.
Reliability
3. In an SD-WAN scenario, DR is recommended.
4. In multi-campus scenarios or cloud management/multi-branch scenarios for small and midsized campuses, DR combined with remote authentication nodes is
recommended.
Software and hardware for PM deployment:
Software and hardware 1. 2288X (EulerOS) and TaiShan (EulerOS) delivered by Huawei. For non-standard Huawei servers, their models need to be specified for separate evaluation.
2. Third-party servers (x86) cannot be deployed on PMs. Virtualization installation based on VMware is required.
Two-plane deployment (recommended): plane 1 (internal communication plane), and plane 2 (the service plane, southbound plane, and northbound plane are integrated).
Plane deployment
The default gateway is on plane 2.
1. Member nodes in a cluster or distributed cluster must use the same platform (ARM or x86), the same virtualization software, and the same OS.
2. In a DR scenario where the controller is newly deployed, the primary cluster/secondary cluster/arbitration node should use the same server specifications, the same
Deployment requirements
platform, the same virtualization software, and the same OS. However, there is no strict consistency requirement when a single cluster is expanded to a DR system.
3. For authentication components and the HQ controller, server specifications, platforms, virtualization software, and OSs are not required to be the same.
1. The bandwidth for internal communication between nodes must reach 1 Gbit/s, and the latency must be less than or equal to 1 ms.
2. The southbound and northbound bandwidths for external access depend on the number of managed devices. Every 10,000 devices can consume 35 Mbit/s bandwidth.
Batch device upgrade requires at least 400 Mbit/s bandwidth. The latency for accessing the southbound network must be less than or equal to 200 ms, and the latency
Latency and bandwidth for accessing the northbound network must be less than or equal to 100 ms.
3. In access control scenarios, the communication latency between iMaster NCE-Campus and external data sources (such as AD/LDAP and RADIUS servers) must be
less than or equal to 5 ms. Otherwise, the concurrent authentication performance may deteriorate.
4. In remote authentication scenarios, the latency between the primary cluster and remote authentication nodes is less than 200 ms.
• The controller server cannot be connected to the core switch (managed by the controller) in off-path mode. A management switch (a low-end switch that runs stably)
needs to be added. The controller is connected to the management switch and then connected to the core switch at Layer 3.
Networking requirements
• Devices and the controller must communicate with each other at Layer 3, while they cannot communicate with each other at Layer 2 on the same network. (In some
Layer 2 communication scenarios, LVS load balancing does not take effect.)
A single cluster does not support
A single controller cluster requires single-center deployment, and does not support remote deployment of cluster nodes.
remote node deployment
Page 50 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Controller Deployment: Main Functions and
Constraints (1/2)
Category Function and Constraint
1. Single-node systems for DR, minimum clusters for DR, and distributed clusters for DR are supported. Single-node lite does not support DR deployment.
DR deployment 2. DR supports automatic switchover and manual switchover, and automatic switchover requires deployment of arbitration nodes.
3. Arbitration nodes are recommended for customers who require fast switchover.
Latency and 1. The latency between the primary and secondary clusters is less than 20 ms, and the bandwidth is greater than or equal to 100 Mbit/s.
bandwidth in 2. In a DR scenario with an arbitration node, the communication latency between the arbitration node and the primary or secondary site must be less than or equal to 50 ms,
DR scenarios the NTP configuration must be synchronized between them, and the bandwidth between them must be greater than or equal to 10 Mbit/s.
Constraints in 1. DR nodes communicate with each other through private networks. NAT is not supported.
DR scenarios 2. DR systems cannot be deployed in IPv6 scenarios. Primary/Secondary cluster DR is supported only in IPv4 single-stack scenarios.
Based on the customer's network environment, DR networking supports the following solutions to manage network devices through the intranet:
• Layer 2 network interconnection between the active and standby controllers: The active and standby controllers use floating IP addresses in the southbound and northbound
directions. During normal operation, only the active controller enable the floating IP addresses. Arbitration nodes can be deployed to implement automatic switchover.
• Layer 3 network interconnection between the active and standby controllers: The southbound and northbound IP addresses of the active and standby controllers are in different
network segments, and routes need to be configured on the egress routers of the active and standby controllers. For the network supporting NQA, you can enable NQA to detect
the LVS floating IP addresses of the primary and secondary clusters and associate routes with NQA. In this way, the secondary cluster does not advertise the southbound and
DR networking northbound floating IP addresses, and implements automatic switchover through NQA association.
requirements • Different southbound and northbound IP addresses are enabled for the active and standby controllers, and the IP addresses of the active and standby controllers can be
configured on devices. For details about the constraints, click https://support.huawei.com/hedex/hdx.do?docid=EDOC1100331202&id=EN-US_TOPIC_0000001309222898.
Managing network devices through public networks: The active and standby controllers communicate with each other at Layer 2 or Layer 3, and manual active/standby switchover
is supported. The priority for configuring public floating IP address routes is manually set on an egress firewall, and then NAT is configured on the firewall to map private service
IP addresses to public floating IP addresses. In addition, the controller cannot use the post-NAT public IP addresses to manage network devices on the network where the controller
is located. Otherwise, after the device management traffic of the standby DC reaches the firewall and translated through NAT, the post-NAT traffic uses local direct routes by
default and therefore cannot reach the primary cluster.
1. Single cluster with multiple southbound IP addresses
Other • SD-WAN ARs can select public or private networks by device.
constraints on • Other intra-site devices can only select public or private networks by site.
multiple • A device cannot have multiple communication addresses. For example, it is not allowed that management traffic of the device passes through a public network, while its
controller authentication traffic passes through a private network.
southbound 2. DR system with multiple southbound IP addresses
addresses • A single cluster with multiple southbound addresses and a DR system with multiple southbound addresses cannot be both configured. That is, the controller cannot provide
four southbound IP addresses for external systems.
Page 51 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Controller Deployment: Main Functions and
Constraints (2/2)
Category Function and Constraint
1. In a single-campus scenario, independent authentication components are deployed to improve access authentication
reliability.
2. In a multi-campus scenario, independent authentication components are deployed to implement nearby authentication and
improve authentication reliability.
3. Authentication components are supported only in the global perpetual license mode.
4. iMaster NCE-Campus can interconnect with a maximum of five authentication components in a single-node deployment
Authentication scenario, 20 in a minimum cluster deployment (without the SD-WAN function) scenario,10 in a minimum cluster
components deployment (with the SD-WAN function) scenario, and 20 in a distributed cluster deployment scenario.
5. A single authentication component supports a maximum of 30,000 online users. If authentication components and the HQ
back up each other, the total number of online users of all authentication components cannot exceed the maximum number
supported by the HQ controller.
6. Currently, interconnection with an email server, guest account approval, or PPSK authentication is not supported when an
authentication component is deployed.
7. An authentication component does not support built-in CA authentication when the HQ controller is faulty.
Page 52 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Contents
iMaster NCE-Campus Scenario Overview
On-Premises Scenario
MSP-owned Cloud Scenario
Huawei Public Cloud Scenario
Page 53 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
MSP-owned Cloud Scenario
Manager + Controller + Analyzer
Wi-Fi optimization Application analysis SD-WAN
Cloud-based Cloud-based Cloud-based Cloud-based
WLAN planning deployment admission monitoring
Multi-tenant cloud SD-WAN networking service and WAN
management network POP acceleration service
S5735-L-V2 S6730-H-V2
S5731-S
Active IWG Standby IWG
S5736-S Active IWG
Switch
AP
LAN LAN
If you want to select a cloud management networking baseline for tenants, please refer to page 17.
An MSP provides SD-WAN networking services for tenants and support, and hub-spoke, full-mesh, and customized networking are supported. For details about the networking solutions,
see page 21 and 22.
PageFor
54 tenants who have
Copyright © 2024requirements
cross-border Huawei Technologies Co., Ltd.
and bandwidth All rights the
requirements, reserved.
MSP can also operate POP networks to provide bandwidth acceleration services.
MSP-owned Cloud Scenario: iMaster NCE-
Campus Deployment Specifications
Basic Value-added Feature Advanced Value-added Feature
Network Scale Basic features Reliability
(Optional) (Optional, New Resources Required)
+ Authentication Node
LAN Management
PON Management
Physical
SRv6 TE Policy
Maximu Maximu Maximu
Scenario Deployment Server Maximum m m m
SD-WAN
No. Application Scenario
VXLAN
Category Mode Quantity Number of Number
+ DR
Number Number
Devices of LAN of WAN of Online
Devices Devices Users
MSP administrator:
MSP • Tenant management
view MSP administrator • Device management
… • MSP dashboard
• Alarm/Log management
MSP auditor MSP operator • Third-party service (email/SMS)
Page 56 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
MSP-owned Cloud: Main Functions and Constraints
Category Function and Constraint
An MSP plans the controller deployment modes according to the expected total number of tenants/devices in the next year. It is recommended that a 6-node distributed cluster be
Controller deployment deployed in the first phase. As the number of tenants increases, the 6-node distributed cluster can be expanded to a 9-node distributed cluster, and then to a multi-cluster system.
For MSPs, DR is recommended to ensure reliability as remote authentication components cannot be deployed.
Generally, iMaster NCE-Campus communicates with multi-tenant network devices through the Internet. During installation and deployment, the post-NAT public IP address of the
NAT scenario platform need to be provided. LAN and WAN devices on campuses are connected to the controller through a southbound public floating IP address. Some dedicated MSPs
communicate with tenants through private networks, eliminating the need for NAT.
The latency and bandwidth for deploying iMaster NCE-Campus are the same as those described in the preceding slides. In MSP multi-tenant scenarios, as the scale of the managed
Controller networking
network expands, bandwidth expansion is required.
For details about the devices modes that can be managed by iMaster NCE-Campus, click
Device management https://support.huawei.com/enterprise/en/doc/EDOC1100331189?idPath=24030814|250382819|250382820|250987403|250852420.
SNMP-managed Huawei devices and third-party devices are not supported.
The global subscription license mode is used. If a user enables license redistribution, the user will be rewarded with a one-year iMaster NCE-Campus license and license resources
License management
of 30,000 device x days.
• Supports interconnection with Huawei devices for access authentication, including 802.1X authentication, MAC address authentication, and Portal (HACA) authentication. If
interconnection with third-party access devices is involved, ensure that the device IP addresses are not translated using NAT.
• Local management of the controller is recommended for user management.
• If interconnection with the users' AD/LDAP servers is involved (such as using 802.1X MSCHAPv2), the controller needs to be added to AS domains (maximum: 64 AS
Access authentication
domains). For MSPs, this function is used with restrictions.
• If interconnection with the OA system provided by an end user is involved, iMaster NCE-Campus provides the RADIUS relay (50 RADIUS servers can be connected to the
controller, and this function is used by MSPs with restrictions), API relay, SAML SSO (50 IdP servers can be connected to the controller, and this function is used by MSPs
with restrictions), and HTTPS functions for interconnection. Single-point evaluation is required to determine whether these functions can meet interconnection requirements.
The IP+POL networking solution is sold to MSPs with restrictions. POL management components can be deployed only when the controller is deployed in minimum cluster mode.
IP+POL networking
As POL devices are managed through SNMP, ensure that the IP addresses of the POL devices are not translated using NAT.
Restrictions on advanced
VXLAN, single-network SRv6 networking, free mobility, and IoT integration are not supported.
features
System-level scale The maximum number of tenants is 10,000, and the maximum number of sites is 60,000. When the number of tenants and sites reaches the upper limit, new clusters need to be
constraints added.
In multi-tenant scenarios, tenants need to preempt performance, such as performance for concurrent reporting of device monitoring information and concurrent access
Performance constraints
authentication.
Page 57 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Contents
iMaster NCE-Campus Scenario Overview
On-Premises Scenario
MSP-owned Cloud Scenario
Huawei Public Cloud Scenario
Page 58 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Huawei Public Cloud Scenario
(China) (Outside China)
AR Firewall AR
Firewall Switch
AP AP AR
Switch
AP
Huawei
V300R022C10 qiankun-saas.huawei.com
Qiankun
Page 60 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Huawei Public Cloud Scenario: Main Functions
and Constraints
Category Function and Constraint
Currently, click https://qiankun-saas.huawei.com/dm-web/#/eu to access the official website of Huawei public cloud. You can leave your contact information
Public cloud access on the web page and wait for Operation personnel to contact you.
Click https://qiankun-saas.huawei.com/dm-web/#/ to access the official website of Huawei Qiankun.
• The device models that can be managed by the cloud management platform lag behind the latest version of iMaster NCE-Campus. If the new models
Device management supported in iMaster NCE-Campus 23.0 (compared with 22.0) are not supported on the Huawei public cloud, please contact operations personnel.
• By default, Huawei public cloud uses NETCONF to manage devices. SNMP-based management and third-party device management are not supported.
• Supports interconnection with Huawei devices for access authentication, including 802.1X authentication, MAC address authentication, and Portal
(HACA) authentication. Portal (HACA) authentication is recommended.
• Local management of the cloud management platform is recommended for user management.
• If interconnection with the users' AD/LDAP servers is involved (such as using 802.1X MSCHAPv2), the controller needs to be added to AS domains
(maximum: 64 AS domains). In Huawei public cloud scenarios, this function is used with restrictions.
• If interconnection with the OA system provided by an end user is involved, the cloud management platform provides the RADIUS relay (50 RADIUS
Access authentication servers can be connected to the controller, and this function is used with restrictions), API relay, and SAML SSO (50 IdP servers can be connected to the
controller, and this function is used with restrictions) functions for interconnection. Single-point evaluation is required to determine whether these
functions can meet interconnection requirements.
• If the AD/LDAP server or customer's OA system is deployed on the customer's intranet, it is recommended that the customer prepare a local authentication
server to avoid security problems.
• Huawei public cloud does not support TACACS authentication, and interconnection with third-party access devices, MDM systems, online behavior
management devices, and RADIUS accounting devices.
Restrictions on VXLAN, single-network SRv6 networking, free mobility through IP-security group entry subscription, IoT integration, intelligent verification, proactive
advanced features scanning for terminal identification, and POL management are not supported.
Page 61 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Summary
This document describes all scenarios of iMaster NCE-Campus.
This document describes the networking solutions and deployment restrictions of iMaster NCE-Campus in on-
premises, MSP-owned cloud, and Huawei public cloud scenarios.
Through these introductions, you should have a deep understanding of the main application scenarios and constraints
of iMaster NCE-Campus.
Page 62 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.
Thank You
www.huawei.com
Page 63 Copyright © 2024 Huawei Technologies Co., Ltd. All rights reserved.