HCPP-01 CloudCampus Solution-2022.01
• Huawei CloudCampus Solution is designed especially for enterprises of all sizes to build ultra-
broadband, intelligent, simplified, secure, and open intent-driven campus networks. By
gaining real-time insights into and quickly responding to network and service needs, this
innovative solution empowers enterprises to capture new business opportunities.
• This course systematically introduces Huawei CloudCampus Solution, including the solution
architecture, key components, functions, and features. It describes the key functions and
features of the solution from multiple dimensions, such as ultra-broadband connectivity,
simplified network, multi-purpose network, intelligent policy, and intelligent O&M.
▫ Describe the architecture, key components, and highlights of the CloudCampus Solution.
▫ Describe the ultra-broadband and simplified networks defined in the CloudCampus Solution.
▫ Describe the methods of implementing intelligent policy, intelligent O&M, and intelligent
security in the CloudCampus Solution.
2. Ultra-Broadband Connectivity
3. Simplified Network
4. Multi-Purpose Network
5. Access Authentication
6. Intelligent Policy
7. Intelligent O&M
8. Intelligent Security
[Figure: CloudCampus solution overview. Labels: NETCONF/YANG; medium- and large-sized campuses; small- and medium-sized campuses; campus network interconnection over WAN/Internet; OA VN; R&D VN.]
• Free mobility
• Intelligent terminal identification
• Intelligent HQoS
Quick intelligent O&M, improving network performance
Customer flow e-Schoolbag Health Smart Government/Enterprise Education Retail Manufacturing Wireless City
analysis management OA OA
Management & control layer: iMaster NCE-Campus, one-stop O&M platform for management, control, and analysis
• Manage + Control + Analyze
• Automatic network construction: enabling Wi-Fi 6 services
• Intelligent O&M: ensuring Wi-Fi 6 experience
• NETCONF/YANG, Telemetry
Network layer: Wi-Fi 6 ready wired network
• 10GE access, delivering the speed of Wi-Fi 6
• Multi-GE switch + high-density 25GE fixed switch + 100G core, building Wi-Fi 6 ultra-broadband channels
• Default converged management for wired and wireless users: up to 10K APs and 50K concurrent users, supporting concurrent access of massive numbers of users in the Wi-Fi 6 era
• Wireless campus with tens of thousands of users: 100G core switch CloudEngine 12700E with 57.6 Tbit/s throughput, which is able to manage 50,000 wireless users
[Figure labels: one hybrid cable; CloudEngine S series campus switches.]
[Figure: multi-branch interconnection. Labels: VN 1, VN 2, VN 3; Internet; MPLS; underlay; multi-branch; store, primary/secondary education, hotel, large enterprise, higher education and large enterprises; full lifecycle; converged LAN&WAN; Day N O&M monitoring; 360-degree health management; intelligent O&M; one-stop PMI.]
[Figure: SD-WAN architecture. Labels: RR; control plane; forwarding plane; WAN side; LAN side (large or small- and medium-sized campus); IPsec VPN; EVPN; centralized management; GUI; MPLS; Internet.]
• Easy deployment: One set of controller manages only LAN or manages both LAN and WAN services
• Simplified configuration: GUI, flexible networking, device plug-and-play
• Forwarding-control separation: Central management of the control plane implements flexible control while improving scalability
• Simplified O&M: Visualized network service data for monitoring and analyzing entire network status
• Value extension: Services provided by the carrier can be extended from WAN to LAN and even value-added services
• Software transaction mode: Perpetual license + SnS, SaaS mode, TBL subscription mode
• CloudEngine S12700E: new core switches for campus networks in the Wi-Fi 6 era
• CloudEngine S6730-H: full-featured 10GE routing switches
• CloudEngine S5732-H: enhanced GE/multi-GE/optical-electrical hybrid switches
• CloudEngine S5735-L: compact gigabit access switches
• AirEngine 5760-12W: Wi-Fi 6 wall plate APs
[Figure: product portfolio. Models shown: S12700E-12, S12700E-8, S12700E-4, S7700, S5730-H/S, S6730-H/S, S5735-/L; 8760-X1-PRO, 6760-X1/X1E, 5760-51, 5760-12W, 6760R-51/51E, 8760R-X1/X1E; USG6700E, USG6600E, USG6500E; AR6300, AR6200, AR610, AR650, AR6100.]
Management/Control/Analysis layer
• Converged Manage + Control + Analyze
• Unified data base
• Centralized detection/locating/processing
[Figure label: SecoManager]
iMaster NCE-Campus, an autonomous driving campus network management and control system
Traditional NMS (SNMP)
• Topology mgmt.
• Performance mgmt.
• Alarm mgmt.
• Configuration mgmt.
• Device-centric, lacking insights into user experience
• Passive response, unable to identify potential faults
• Onsite fault locating relies on experienced engineers
Telemetry
• Visualized experience management
• Client journey playback
• Potential fault identification
• Root cause identification
• Predictive network optimization
Visualized experience: Telemetry-based second-level data collection, visualizing experience of any user in any application at any moment
Minute-level proactive identification and root cause locating for potential faults
• Identifies potential faults based on dynamic baselines and big data correlation analysis.
• Accurately locates root causes using KPI correlation analysis and protocol trace.
Predictive network optimization: AI is used to intelligently analyze the load trend of APs so as to complete predictive optimization of wireless networks.
In addition to using algorithms to improve efficiency, intelligent O&M leverages scenario-based continuous learning and accumulated expert experience to free O&M personnel from complex alarms and noises, making O&M more automated and intelligent.
Planning (Day 0) | Construction (Day 1-2) | Operations (Day N) | Maintenance (Day N) | Optimization (Day N)
[Table residue; recoverable cell labels: wireless network planning; WLAN Planner; wired network planning; hardware installation; manual installation; physical network for device deployment; role definition; license management; network monitoring; regular maintenance; fault demarcation; network optimization.]
The contents highlighted in blue are the network lifecycle management service provided by iMaster NCE.
With Huawei Cloud-based WLAN Planner, users can complete WLAN planning in five steps.
1. Environment setting
2. Region setting
3. Device deployment
4. Signal simulation
5. Report export
• Use the network planning report to provide guidance for onsite construction.
• The network planning result can be imported into iMaster NCE.
1. Preset roaming
path
[Figure: AP deployment by barcode scanning with the APP and through the registration center, over the Internet from the site network. Example values on the slide: Tenant: Tenant X; iMaster NCE: 1.1.1.1:8080; Device: AP (ESN...). Step numbering is not recoverable; the step captions are:]
• Scan barcode. The APP obtains the ESN and MAC address of the AP.
• Report AP information.
• Switch to the cloud mode and initiate a registration request to iMaster NCE.
• Automatically initiate a query request to Huawei registration center to obtain the IP address and port number of iMaster NCE.
• Register and get managed.
WEB: In the web system, configure Internet access parameters, cloud management mode, and IP address/URL and port number of iMaster NCE. Devices supported: AR, firewall, switch, AP
CLI: On the CLI, configure Internet access parameters, cloud management mode, and IP address/URL and port number of iMaster NCE. Devices supported: AR, firewall, switch, AP
[Figure residue: a further deployment method over the Internet. Devices supported: AR]
Underlay: interconnection VLAN, interconnection IP address
Device fault
• Replace faulty devices by scanning barcodes using the APP, without requiring any manual configuration (advantage).
Requirements
1. A physical network is divided into multiple virtual networks that are isolated from each other.
2. Virtual networks are automatically deployed.
Huawei Solution and Customer Benefits
Multi-purpose network
• VXLAN-based multi-purpose network
Automation
• Automatic tunnel establishment through BGP-EVPN
• NETCONF/YANG
• iMaster NCE GUI
[Figure labels: OA VN; IoT VN; overlay.]
[Figure: free mobility policy matrix. Labels: Marketing √ √ √; office building 1; office building 2.]
Requirements
1. Fine-grained policy control, allowing users to move across the entire network with consistent policies and service experience
2. Flexible and simplified policy deployment, lowering OPEX
Huawei solution and customer benefits
Security group-based
• User- and application-based policy/experience, including permissions, bandwidth, and QoS
[Figure: two sites connected through CPEs. Labels: MPLS; Internet; CPE; Site 1; Site 2; Video; HTTP.]
• Identification of 6,000+ well-known and
• Application- and traffic classifier-based
• Application- and VPN-based multi-level
• Upgrade devices
• Activate device license
• Back up and restore device configuration file
• ...
Diagnostic tools
• Ping, trace, obtain packet header, trace packet path, collect diagnosis information, detect application quality ...
Real-time experience visibility
1. Per-area: intuitively displays the network status and user experience on the entire network or in each area through the seven-dimensional evaluation system.
2. Per-user: displays network experience (who connects to which AP at what time, experience, and issue) of each user in real time throughout the journey, making faults easier to be traced.
3. Per-application: perceives experience of voice and video applications in real time, demarcates faulty devices quickly and intelligently, and analyzes the root cause of poor quality.
Minute-level fault locating
1. Proactive issue identification: proactively identifies 85% of potential network issues using the AI algorithms that are continuously trained via Huawei's 200,000+ terminals.
2. Minute-level fault locating: uses the fault inference engine to locate issues within minutes, identify root causes of the issues, and provide effective fault rectification suggestions.
3. Intelligent fault prediction: uses AI to learn historical data and dynamically generate a baseline, and compares and analyzes real-time data against the baseline to predict possible faults.
Intelligent network optimization
1. Real-time simulation feedback: evaluates channel conflicts on wireless networks in real time and provides optimization suggestions based on neighbor and radio information about devices on each floor.
2. Predictive optimization: identifies edge APs and predicts the load trend of APs based on historical data analysis, performs predictive optimization on wireless networks, and compares the gains before and after the optimization. This practice improves the network-wide performance by 50%+ (Tolly certification).
• Challenge 2: Network environment and interference changes cannot be detected in real time.
• Challenge 2: Only the current status can be detected, but historical load and interference cannot.
C. MSP-owned Cloud
D. Virtual Machine
B. HiSecEngine, NetEngine
C. iMaster NCE-Campus
D. iMaster NCE-CampusInsight
B. Registration center
C. Web system
D. CLI
E. DHCP
F. Email
[Figure: AirEngine 8760-X1-PRO and CampusInsight. Labels: 4 degrees; independent hardware + dual-band scanning; big data-based radio calibration; mini air duct system; liquid cooling; excellence in heat dissipation; real-time network optimization.]
Independent WAC
• Separate device management
• Separate user policies
forwarding as a WAC card
• Simply provides hardware-level convergence
Separate wired and wireless authentication points, distributed policy control, separate traffic forwarding, complex troubleshooting, difficult to manage
Native WAC: The switch integrates the WAC function to eliminate bottlenecks in wireless traffic forwarding, reduce failure points, and manage wired and wireless traffic in a centralized manner:
• Uniformly manages and forwards wired and wireless services.
• Functions as the gateway of both wired and wireless users and manages both types of users.
• Used as the authentication point for both wired and wireless access.
[Figure labels: NM area; native WAC; CAPWAP.]
Unified forwarding: Wired and wireless traffic is centrally processed by the core switch before being forwarded.
[Figure: IoT convergence. Labels: Wi-Fi terminal; Wi-Fi tag; Bluetooth tag; RFID tag; IoT sensor; wristband; 2.4 GHz (Wi-Fi) Channel-6; 2.4 GHz (RFID) Channel-11.]
by 100%.
[Figure label: blocked by STP.]
CSS/iStack can be used with Eth-Trunk to form a logical tree topology. This simplified network topology prevents Layer 2 loops and improves network reliability.
[Figure: VXLAN fabric. Labels: VN1 (OA VN); VN2 (VC VN); VN3; security protection VN; border; edge; access; VXLAN.]
[Four networking options shown side by side, left to right:]
Option shown first
• Two-layer physical network
• Access switches function as edge nodes.
Option shown second
• Three-layer physical network
• Access switches function as edge nodes.
• Aggregation switches do not need to support VXLAN.
Option shown third
• Three-layer physical network
• Aggregation switches function as edge nodes.
• Access switches do not need to support VXLAN and can work with aggregation switches to implement policy association.
• Legacy access switches can be reused.
Option shown fourth
• Aggregation switches function as edge nodes and provide the native WAC function.
• APs are managed by aggregation switches. APs do not need to support VXLAN and can be reused.
[Figure: three border deployment scenarios. Labels: Campus1; Campus2; Border1; Border2; VXLAN.]
• Description: Multiple border nodes connect to the same egress to implement egress redundancy. Application: A campus network has multiple border nodes connected to the same external network to implement reliability in non-stack scenarios.
• Description: Multiple border nodes connect to different egresses, and different services are transmitted through different border nodes. Application: A single campus network has different external networks that are connected through different border nodes.
• Scenario description: Multiple campuses. Each campus connects to its external network through its own border. Application: Multiple campus networks belong to the same fabric, and each campus network has an independent border and egress network.
[Figure: access authentication. Labels: Configuration: NETCONF; Authentication: HTTP/2; Authentication: RADIUS; authentication device; user terminal.]
Transmission protocols:
• HTTP/2 and RADIUS for authentication data transmission
• NETCONF for configuration data transmission
Open authentication:
• Interconnection with third-party Portal servers
• Interconnection with social media such as QQ, Weibo, WeChat, Facebook, and Twitter
Copyright © Huawei Technologies Co., Ltd. All rights reserved.
Intelligent Policy Engine Achieves Refined Policy Control
Condition: 5W1H-based policy
• Who (user identity): User/User group/Role
• Where (access position): Site, region, device group, device type, device, SSID, IP address
• When (access time): Day/Hour
• What (terminal type): PC/iOS/Android, etc.
• Whose (device attribute): Company-issued/BYOD terminal
Result: fine-grained permission control
• Permission: VLAN/ACL/Security group, VIP user...
• Bandwidth: Uplink/Downlink bandwidth, DSCP value
• QoS: High/Medium/Low; Traffic duration control (for Portal authentication only)
• Application: Application group/Application
[Figure label: intelligent policy engine.]
With this function, enterprises can conveniently customize their own Portal pages so as to launch VASs such as brand promotion and advertisement push.
[Figure: terminal identification. Labels: terminal fingerprint database; proactive scanning; collect fingerprint; report fingerprint; send traffic; feedback.]
Examples on the slide (a higher education institution, an enterprise):
• 10+ authentication faults reported every day
• Difficult to locate bogus terminals
Terminal type-based automatic authentication
Recognized as a printer
• Automatic MAC address authentication, without the need of manual MAC address input
Terminal type-based automatic authorization
Recognized as a camera
• Automatically added to a video surveillance group
• Set as a VIP user
Terminal type-based bogus terminal detection
Recognized as an IP phone first and then a PC
• Report a bogus terminal alarm.
Information reporting | DHCP Option | Some options of a terminal's DHCP packets can be used to classify terminals, for example, DHCP options 55, 60, and 12. | Mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc.
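The classification by DHCP options 55, 60, and 12 and the "IP phone first and then a PC" bogus terminal alarm described above, as an added Python example that is not part of the course material or of any Huawei product. The signature table, the vendor strings `ExamplePhone` and `ExamplePrint`, the sample option fields, and all function names are assumptions constructed for illustration.

```python
"""Terminal classification from DHCP options 12, 55 and 60, with a type-change alarm."""

HOSTNAME, PARAM_REQUEST_LIST, VENDOR_CLASS = 12, 55, 60
PAD, END = 0, 255

# Constructed signatures for illustration, not a vendor fingerprint database.
# (terminal type, required option 60 prefix, required option 55 list or None for any)
SIGNATURES = [
    ("ip-phone", "ExamplePhone", None),
    ("printer", "ExamplePrint", None),
    ("pc", "MSFT 5.0", None),
    ("pc", "", (1, 3, 6, 15, 119, 252)),  # any vendor class: match on option 55 only
]


def parse_dhcp_options(raw):
    """Decode the options field (code, length, value triples) into {code: bytes}."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:  # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = options.get(code, b"") + value  # repeated options concatenate
        i += 2 + length
    return options


def classify(options):
    """Return the first matching terminal type, or 'unknown'."""
    vendor = options.get(VENDOR_CLASS, b"").decode("ascii", "replace")
    requested = tuple(options.get(PARAM_REQUEST_LIST, b""))
    for terminal_type, prefix, request_list in SIGNATURES:
        if vendor.startswith(prefix) and request_list in (None, requested):
            return terminal_type
    return "unknown"


class TerminalTracker:
    """Remembers the first known type per MAC and reports a later change of type."""

    def __init__(self):
        self.first_type = {}

    def observe(self, mac, raw_options):
        options = parse_dhcp_options(raw_options)
        seen = classify(options)
        known = self.first_type.get(mac, "unknown")
        if known == "unknown":
            self.first_type[mac] = seen
            return None
        if seen in ("unknown", known):
            return None
        host = options.get(HOSTNAME, b"").decode("ascii", "replace")
        return {"alarm": "bogus-terminal", "mac": mac, "was": known,
                "now": seen, "hostname": host}


def opt(code, value):
    """Encode one option for the constructed samples below."""
    return bytes([code, len(value)]) + value


# Constructed sample option fields; the MAC is from the documentation range.
MAC = "00:00:5e:00:53:01"
PHONE_OPTIONS = (opt(VENDOR_CLASS, b"ExamplePhone 1.0")
                 + opt(PARAM_REQUEST_LIST, bytes([1, 3, 6, 15, 66, 150]))
                 + opt(HOSTNAME, b"phone-0142") + bytes([END]))
PC_OPTIONS = (opt(HOSTNAME, b"LAPTOP-7") + opt(VENDOR_CLASS, b"MSFT 5.0")
              + opt(PARAM_REQUEST_LIST,
                    bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
              + bytes([END]))

if __name__ == "__main__":
    tracker = TerminalTracker()
    print(tracker.observe(MAC, PHONE_OPTIONS))  # first sighting, no alarm
    print(tracker.observe(MAC, PC_OPTIONS))     # same MAC now looks like a PC
```

DHCP options are supplied by the terminal itself, so a fingerprint match is evidence for authorization decisions rather than proof of identity; the type-change check is what catches a different device reusing a known MAC address.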
B. HTTP
C. LLDP
D. DHCP
E. OSPF
B. 4(2.4g)+8(5g)+4(5g)
Function description: iMaster NCE synchronizes the mappings between user IP addresses and groups to
the switches functioning as policy enforcement points. In this way, authentication points and policy
enforcement points can be separated, implementing flexible networking. In addition, hybrid networking
[Figure: VIP user access on a WAC. Labels: AP; AC; STA; a user who has connected to the network; a connected user is forced to go offline.]
• If a non-VIP user attempts to connect to an AP when the number of users connected to the AP reaches the threshold, the connection attempt will fail.
• If a VIP user attempts to connect to an AP when the number of users connected to the AP reaches the threshold, the AP forcibly disconnects a non-VIP user and connects the VIP user to the network.
Requirements
Identify VIP users and guarantee sufficient bandwidth for them.
Solution
• OFDMA spectrum resources are reserved for VIP users.
• On-demand bandwidth reservation: No bandwidth is reserved when no VIP user accesses an AP. Sufficient resources are reserved only for VIP users.
[Figure: OFDMA spectrum resources reserved for VIP users. Axes: frequency, time. Labels: spectra dedicated for VIP users (reserved fixed subcarriers); spectra shared by common users (shared contention subcarriers); 20% bandwidth reserved; conference terminal; user terminal; VIP user; common user.]
[Figure: inter-site networking. Labels: RR; BGP EVPN; HQ; Branch 1; Branch 2; Internet; MPLS; MPLS/Internet.]
• An IPsec VPN is a type of static VPN, in which IPsec tunnels are established between devices at different sites to create VPN channels. Traffic is diverted to the VPN tunnels based on the configured static network segments to implement mutual access between the sites.
• EVPN can be used to establish tunnels between sites and dynamically advertise routes. The forwarding plane supports GRE or GRE over IPsec. In addition, high-quality links can be chosen based on applications and policies for data transmission, implementing application- and policy-based intelligent traffic steering.
[Figure: hybrid WAN and traffic steering. Labels: GUI; centralized management and control; MPLS; Internet; delay; performance data; dynamic adjustment.]
• When an enterprise has multiple types of WAN egress links (hybrid WAN), WAN links can be flexibly used to implement interconnection and interworking.
• Measures the quality of different WAN links, defines network quality requirements of applications, and performs intelligent traffic steering based on specific policies.
[Figure: link selection between CPE2 devices over MPLS and Internet. Labels: high priority; low priority; high-quality link (network congestion); low-quality link; bandwidth usage: 70%; bandwidth usage: 2%. Caption: Select a link that meets the bandwidth usage requirement for new traffic.]
Traditional NMS (SNMP)
• Topology mgmt.
• Performance mgmt.
• Alarm mgmt.
• Configuration mgmt.
• Device-centric, without perception of user experience
• Passive response, unable to identify potential faults
• Onsite fault locating relies on experienced engineers
Telemetry
• Visualized experience management
• Client journey playback
• Potential fault identification
• Root cause identification
• Predictive network optimization
Visualized experience: Telemetry-based second-level data collection, visualizing experience of any user in any application at any moment
Minute-level proactive identification and root cause locating for potential faults
• Proactively identifies potential faults based on dynamic baselines and big data correlation analysis
• Accurately locates root causes using KPI correlation analysis and protocol trace
Network optimization and self-healing: uses AI to intelligently analyze APs' load trend, thus completing predictive optimization of wireless networks.
In addition to using algorithms to improve efficiency, intelligent O&M leverages scenario-based continuous learning and accumulated expert experience to free O&M personnel from complex alarms and noises, making O&M more automated and intelligent.
[Figure: intelligent O&M capability map. Group labels: Fault Prediction & Autonomous Self-healing; Experience Visualization.]
• Autonomy and self-healing: Automatic calibration in off-peak hours in the event of high interference
• Fault prediction: Optical module fault prediction
• Other labels: network-wide quality evaluation system; per-client journey playback; integrated wired and wireless topology; Telemetry; visualized and comparable WLAN calibration; Wi-Fi signal heatmap
Performance issues
• Weak coverage (wireless): iMaster NCE-CampusInsight collects statistics on signal strength of access clients for each AP. If the signal strength of most access clients under an AP remains weak for a long time, an AP weak coverage issue is identified.
• High interference (wireless): iMaster NCE-CampusInsight collects statistics on RFs that suffer from various types of signal interference such as co-channel, adjacent-channel, or non-Wi-Fi signal interference within a period of time. If the value remains higher than the threshold (which is generated after learning of the historical interference data for each RF) for a period of time, a high interference issue is identified.
• High channel usage (wireless): iMaster NCE-CampusInsight collects statistics on the radios with high channel usage, including the radios occupied for transmitting normal Wi-Fi data and those occupied by interference signals. If the usage remains higher than the threshold (generated after the historical channel usage of each radio is learned) for a period of time, a high channel usage issue is identified.
• Air interface congestion (wireless): iMaster NCE-CampusInsight collects statistics on air interface data by radio. If a large amount of data needs to be transmitted on a radio, data may be delayed or lost. If the data volume on a radio remains greater than the threshold, an air interface congestion issue is identified.
• Dual-band-capable client prefers 2.4G (wireless): For APs working at both 2.4 GHz and 5 GHz bands, iMaster NCE-CampusInsight checks whether dual-band-capable clients frequently access the 2.4 GHz band and therefore result in high latency. If this scenario persists on an AP, a "dual-band-capable clients prefer 2.4 GHz" issue is identified.
• Client capacity (wireless): CampusInsight collects client capacity statistics by AP. If the number of clients connected to an AP exceeds the threshold (which is generated based on the number of clients connected to the AP historically) for a long period of time, a client capacity issue is identified.
2. (True or false) When free mobility is deployed on a campus network, the authentication
point of user terminals must be a Huawei device.
• O&M (Day N)
▫ Experience Visibility: Network-level, User-level, Application-level.
▫ Anomaly identification and root cause analysis.
▫ Troubleshooting and optimization: Radio calibration, Real-time WLAN AP channel simulation feedback, Big data-based predictive WLAN optimization without manual intervention.