
Higher Education Network Solution V100R024C00 Deployment and Maintenance Guide


Huawei Smart Higher Education Network Solution V100R024C00
Deployment and Maintenance Guide

Issue 01
Date 2024-10-31

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2024. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com
Email: [email protected]

Issue 01 (2024-10-31) Copyright © Huawei Technologies Co., Ltd. i


Security Declaration
Vulnerability
Huawei's regulations on product vulnerability management are subject to the Vul. Response Process. For
details about this process, visit the following web page:
https://www.huawei.com/en/psirt/vul-response-process
For vulnerability information, enterprise customers can visit the following web page:
https://securitybulletin.huawei.com/enterprise/en/security-advisory



Huawei Smart Higher Education Network Solution
Deployment and Maintenance Guide Preface

Preface

Purpose
This document describes Huawei Smart Higher Education Network Solution in
terms of version mapping, networking, tool usage, data planning, and solution
deployment.

Intended Audience
This document is intended for network planning engineers, network deployment
engineers, and network O&M engineers. Operators must have the following
experience and skills:

● Be familiar with the product networking and related NEs' versions.


● Have device maintenance experience and be familiar with device operation
and maintenance.

Security Statements
● Personal Data
Some personal data (such as MAC and IP addresses of terminals) may be
obtained or saved during business operations, fault locating, or log audit of
your purchased products, services, or features. Therefore, user privacy policies
must be defined in compliance with local laws and adequate measures taken
to fully protect personal data. Logs and fault diagnosis data can be
transferred out of your network only with your authorization. If the data
needs to be transferred out of the European Economic Area (EEA), personal
data must be anonymized and cannot be restored by any means.
When discarding, recycling, or reusing a device, back up or clear data on the
device as required to prevent data leakage. If you need support, contact after-
sales technical support personnel.
● Product Lifecycle
Huawei's regulations on product lifecycle are subject to the Product End of
Life Policy. For details about this policy, visit the following web page:
https://support.huawei.com/ecolumnsweb/en/warranty-policy
● Vulnerability

Huawei's regulations on product vulnerability management are subject to the
Vul. Response Process. For details about this process, visit the following web
page:
https://www.huawei.com/en/psirt/vul-response-process
For vulnerability information, enterprise customers can visit the following web
page:
https://securitybulletin.huawei.com/enterprise/en/security-advisory
● Huawei Enterprise End User License Agreement
This agreement is the end user license agreement between you (an individual,
company, or any other entity) and Huawei for the use of the Huawei
Software. Your use of the Huawei Software will be deemed as your
acceptance of the terms mentioned in this agreement. For details about this
agreement, visit the following web page:
https://e.huawei.com/en/about/eula
● Lifecycle of Product Documentation
Huawei after-sales user documentation is subject to the Product
Documentation Lifecycle Policy. For details about this policy, visit the
following web page:
https://support.huawei.com/enterprise/en/bulletins-website/ENEWS2000017761.
● Rights and Responsibilities of Initial Digital Certificates on Huawei Devices
The initial digital certificates delivered with Huawei devices are subject to the
Rights and Responsibilities of Initial Digital Certificates on Huawei Devices.
For details about this document, visit the following web page:
https://support.huawei.com/enterprise/en/bulletins-service/ENEWS2000015789.
● Initial Certificate Usage Declaration
The initial certificates on Huawei devices during production are mandatory
identity credentials for Huawei devices. The usage declarations of initial
certificates are as follows:
a. Huawei initial certificates are used only to establish initial security
channels for devices to connect to the customer network in the
deployment phase. Huawei does not promise or guarantee the security of
initial certificates.
b. The customer shall handle the security risks and security events caused
by using Huawei initial certificates as service certificates and be
responsible for the consequences.
c. You can run the display pki certificate command to view the validity
period of Huawei initial certificates.
d. After an initial certificate expires, services using the certificate are
interrupted.
e. Customers are advised to deploy the PKI system to issue certificates for
devices and software on the live network and manage the certificate
lifecycle. To ensure security, certificates with short validity periods are
recommended.
f. The Huawei PKI root certificate is used for initial configuration and
connection of Huawei products during network access. (This certificate
can be re-enabled if a new Huawei device needs to be verified for
network access.) You are advised to disable this certificate after

completing the network access configuration and configuring a CA
certificate you have issued for the product. Otherwise, security risks exist
and you should be liable for the consequences caused by related security
events.
For details about how to query, update, or back up a digital certificate, refer
to "Digital Certificate Management" in the corresponding product
documentation.
● Device Upgrade and Patch Installation Declaration
When upgrading a device or installing a patch, use the digital signature
verification tool (OpenPGP) to verify the downloaded software package. To
prevent security risks caused by software tampering or replacement, you are
advised to perform this operation.
● Interface and Command Usage Declaration
The documentation describes the commands used for network deployment
and maintenance when you use Huawei devices. The interfaces and
commands used for production, assembly, and return and repair are not
described in this document.
If some advanced commands for project implementation and fault location
and upgrade compatibility commands are incorrectly used, exceptions may
occur or services may be interrupted. It is recommended that the advanced
commands be used by engineers with higher permissions. If necessary, you
can apply to Huawei for the permissions to use advanced commands.
● MAC Address and Public IP Address Usage Declaration
For purposes of introducing features and giving configuration examples, the
MAC addresses and public IP addresses of real devices are used in this
document. Unless otherwise specified, these addresses are used as examples
only.
The IP addresses, URLs, and email addresses involved in open-source software
and third-party software comply with industry practices and open-source
software usage specifications. No service data leakage risks exist.
● Default Account Declaration
A default account of the device is an internal default user, and the account
cannot be used to log in to the device externally. The default usernames and
passwords can be found in the XXXX Default Usernames and Passwords,
which is available on the product documentation download page. If you have
not obtained the access permission of the document, see Help on the website
to find out how to obtain it.
The device has no default username or password. Configure a username and
a password after entering the system for the first time.
● Password and Authentication Configuration Declaration
– When configuring a password, the ciphertext is recommended. For
security purposes, do not disable password complexity check, and change
the password periodically.
– When configuring a cleartext password, do not start and end the
password with %+%# or %@%#, because this will allow the password to
be considered as a valid ciphertext that can be decrypted by the device
and make it visible in the configuration file.
● Encryption Algorithm Declaration

For details, see "Encryption Algorithm Declaration" in the product
documentation.

Declaration
● This manual is only a reference for you to configure your devices. The
contents in the manual, such as command line syntax, and command outputs,
are based on the device conditions in the lab. The manual provides
instructions for general scenarios, but does not cover all usage scenarios of all
product models. The contents in the manual may be different from your
actual device situations due to the differences in software versions, models,
and configuration files. The manual will not list every possible difference. You
should configure your devices according to actual situations.
● The purchased products, services and features are stipulated by the
commercial contract made between Huawei and the customer. All or part of the
products, services and features described in this document may not be within
the purchased scope or the usage scope. Unless otherwise specified in the
contract, all statements, information, and recommendations in this document
are provided "AS IS" without warranties, guarantees or representations of any
kind, either express or implied.
● The specifications provided in this manual are tested in a lab environment (for
example, the tested device has been configured with a certain type of cards or
only one protocol is run on the device). Results may differ from the listed
specifications when you attempt to obtain the maximum values with multiple
functions enabled on the device.
● Interface numbers used in this manual are examples. In device configuration,
use the existing interface numbers on devices.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk which, if not avoided, will
result in death or serious injury.

Indicates a hazard with a medium level of risk which, if not avoided, could
result in death or serious injury.

Indicates a hazard with a low level of risk which, if not avoided, could
result in minor or moderate injury.

Indicates a potentially hazardous situation which, if not avoided, could
result in equipment damage, data loss, performance deterioration, or other
unanticipated results. NOTICE is used to address practices not related to
personal injury.

Supplements the important information in the main text. NOTE is used to
address information not related to personal injury, equipment damage, and
environment deterioration.

Command Format Conventions


Format              Description

Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[]                  Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by
                    vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by
                    vertical bars. One item is selected or no item is selected.
{ x | y | ... } *   Optional items are grouped in braces and separated by
                    vertical bars. A minimum of one item or a maximum of all
                    items can be selected.
[ x | y | ... ] *   Optional items are grouped in brackets and separated by
                    vertical bars. Several items or no item can be selected.

GUI Conventions
Format              Description

Boldface            Buttons, menus, parameters, tabs, windows, and dialog
                    titles are in boldface. For example, click OK.
>                   Multi-level menus are in boldface and separated by the ">"
                    signs. For example, choose File > Create > Folder.

Change History
Issue Date Description

01 2024-10-30 This issue is the first official release.


Contents

Preface

1 Version Requirements

2 Overview
2.1 Logical Architecture
2.2 Physical Architecture

3 Tool Usage Description

4 Network Plan

5 Deployment Process

6 Installation
6.1 Installing Network Devices
6.2 Installing iMaster NCE-Campus/iMaster NCE-CampusInsight
6.3 Installing the Licenses

7 Deployment Configuration
7.1 Creating a Site
7.2 Importing the Network Plan
7.3 Configuring Core Switches to Go Online
7.3.1 Configuring a Stack or CSS for Switches
7.3.2 Configuring the Controller to Manage the Core Switch Running V200 Through NETCONF
7.3.3 Configuring the Controller to Manage the Core Switch Running V600 Through NETCONF
7.3.4 Configuring Stacked Core Switches to Be Managed by the Controller
7.4 Configuring Aggregation and Access Switches to Go Online
7.5 Configuring WACs and APs to Go Online
7.5.1 Configuring WAC HSB
7.5.2 Configuring WACs to Be Managed by the Controller
7.5.3 Configuring Fit APs to Join a WAC
7.6 (Optional) Configuring the Service Awareness Function
7.6.1 (Optional) Configuring the Service Awareness Function for the Switches Running V200
7.6.2 (Optional) Configuring the WAC Resource Mode
7.7 Configuring BRAS
7.7.1 Configuring VRRP HSB
7.7.2 Configuring an Egress
7.7.3 Configuring Interconnection Between the BRAS and the Authentication Server
7.8 Enabling LLDP
7.9 Configuring Time Synchronization
7.9.1 Configuring Time Synchronization Between the Controller and Analyzer
7.9.2 Configuring Time Synchronization for Switches
7.9.3 Configuring Time Synchronization for WACs and Fit APs
7.10 Configuring Region Information
7.10.1 Configuring Regions and AP Positions in Batches
7.10.2 Manually Configuring a Region and an AP Position
7.11 Configuring Data Synchronization for the Analyzer

8 Service Deployment
8.1 Service Deployment for MAC Address-Prioritized Portal Authentication Users
8.1.1 Configuring a Wired Network
8.1.2 Configuring the Wireless Network
8.1.3 Configuring Authentication for BRAS Users
8.2 Service Deployment for 802.1X Proxy Authentication
8.2.1 Configuring 802.1X Authentication on the WAC
8.2.2 Configuring BRAS Proxy Authentication
8.3 Service Deployment for Wired Dumb Terminals
8.3.1 Configuring a Wired Network
8.3.2 Configuring MAC Address Authentication on Switches

9 Security Solution Deployment
9.1 Overview
9.2 Deployment Process
9.3 Enabling the Function of Reporting Terminal Monitoring Information
9.4 Enabling Terminal Identification
9.5 Configuring Unauthorized Terminal Access Prevention
9.5.1 Configuring Unauthorized Terminal Access Prevention
9.5.2 (Optional) Disabling Detection on an Interface
9.5.3 Checking the Detection Result of Unauthorized Access Prevention
9.5.4 Checking Unauthorized Access Prevention Alarms
9.5.5 Blocking Unauthorized Terminal Access
9.5.6 Canceling Unauthorized Access Blocking

10 Intelligent O&M Deployment
10.1 Integrated Deployment of the Controller and Analyzer
10.1.1 Map Configuration
10.1.1.1 Configuring an Online GIS Map
10.1.1.2 Configuring the GIS Coordinates of a Site
10.1.1.3 Configuring a Logical Map
10.1.2 Completing Basic Analyzer Configuration
10.1.3 Configuring Devices to Report Data
10.1.4 Configuring the Application Experience Assurance Function
10.1.5 Configuring User Experience Assurance
10.1.6 Configuring Terminal Statistics Reporting
10.1.7 Basic Operations on the Digital Map
10.2 Independent Deployment of the Analyzer
10.2.1 Completing Basic Analyzer Configuration
10.2.1.1 Planning the Time, Time Zone, and NTP
10.2.1.2 Adding Switches
10.2.1.2.1 Adding the Switches Running V200 and Later Versions and Enabling Neighbor Discovery Through LLDP
10.2.1.2.2 Adding the Switches Running V600 and Later Versions and Enabling Neighbor Discovery
10.2.1.3 Adding WACs and Fit APs
10.2.1.4 Adding Resources
10.2.2 Configuring Log Data Reporting
10.2.2.1 Configuring Switches Running V200
10.2.2.2 Configuring Switches Running V600
10.2.2.3 Configuring WACs and Fit APs
10.2.3 Configuring Performance Metric Reporting
10.2.3.1 Configuring Switches Running V200
10.2.3.2 Configuring Switches Running V600
10.2.3.3 Configuring WACs and Fit APs
10.2.4 Configuring Packet Loss Visualization
10.2.4.1 Configuring Switches Running V600
10.2.5 Configuring Wireless Location Data Reporting
10.2.5.1 Configuring WACs and Fit APs
10.2.6 Configuring DNS Data Reporting
10.2.6.1 Configuring WACs and Fit APs
10.2.7 Configuring Radio Calibration
10.2.7.1 Configuring WACs and Fit APs
10.2.8 Configuring Spectrum Analysis Data Reporting
10.2.8.1 Configuring WACs and Fit APs
10.2.9 Configuring Application Data Reporting
10.2.9.1 Configuring Switches Running V200
10.2.9.2 Configuring Switches Running V600
10.2.9.3 Configuring WACs and Fit APs
10.2.10 Configuring Packet Loss and Delay Measurement Result Reporting
10.2.11 Basic Operations on the Digital Map

11 O&M
11.1 Instructions for Maintenance Engineers
11.1.1 Troubleshooting Principles
11.1.2 Troubleshooting Precautions
11.1.3 Troubleshooting Process
11.1.4 Asking for Help

1 Version Requirements

Table 1-1 lists the products and software versions used in Huawei Smart Higher
Education Network Solution.

Table 1-1 Products and versions required by Huawei Smart Higher Education Network Solution

| Scenario | Device Type | Product Series | Mapping Version | Description | Related Document |
|---|---|---|---|---|---|
| External interconnection zone | Firewall | USG12000F/USG6600F | V600R024C00 | It functions as the egress firewall on a campus extranet to provide antivirus and intrusion prevention functions. | USG Series Product Documentation |
| | Security situational awareness | HiSec Insight | V100R022C00 | The security analyzer is capable of big data security analysis and file analysis. It can identify unknown threats based on comprehensive analysis of files, traffic, logs and threat intelligence, and deliver security policies by collaborating with the security controller. | HiSec Insight Product Documentation |
| | Security threat analysis | FireHunter 6000 | V100R020C00 | It is used for malicious file detection. | FireHunter6000 Series Product Documentation |
| | DDoS protection | AntiDDoS1880/AntiDDoS1905 | V600R024C00 | It defends against DDoS attacks in the Internet egress zone of the school. | AntiDDoS Series Product Documentation |
| Security O&M management zone | Security controller | SecoManager | V500R024C00 | The security controller performs security handling measures delivered by the analyzer, orchestrates the policies that can be executed by enforcers, and delivers the policies to the enforcers. | SecoManager Product Documentation |
| Network O&M management zone | Campus controller | iMaster NCE-Campus | V300R024C00 | As the configuration and management platform of a campus network, iMaster NCE-Campus supports network service management, network security management, user admission management, network quality analysis, network application analysis, as well as alarms and reports. It also provides big data analytics capabilities, and open APIs for integration with third-party platforms. | iMaster NCE-Campus Product Documentation |
| | Campus analyzer | iMaster NCE-CampusInsight | V100R024C00 | It functions as an intelligent O&M management platform for campus networks. | iMaster NCE-CampusInsight Product Documentation |
| Core campus network zone | Core switch | CloudEngine S12700E series | V200R024C00 | Generally, two core switches are deployed on a campus network. | S12700 Series Product Documentation |
| | BRAS | ME60-X8A | V800R024C00 | Generally, two devices are deployed in hot standby (HSB) mode and are connected to a core switch in off-path mode. | ME60 Series Product Documentation |
| | | NetEngine 8000 M14 | V800R024C00 | Generally, two devices are deployed in HSB mode and are connected to a core switch in off-path mode. | NE8000 Series Product Documentation |
| | WAC | AC6805 | V200R024C00 | It refers to a standalone WAC designed for large and midsized enterprise campuses, enterprise branches, and education campuses. | AirEngine 9700 Series Product Documentation |
| | | AirEngine 9700-M1 | V200R024C00 | | |
| Aggregation campus zone | Aggregation switch | CloudEngine S8700 | V600R024C00 | It supports a maximum of three hundred and eighty-four 10GE ports. It is recommended that the device be used for regional aggregation or building aggregation. | S8700 Series Product Documentation |
| | Aggregation switch | CloudEngine S6730-H | V200R024C00 | It supports a maximum of forty-eight 10GE ports. It is recommended that multiple devices form a stack for building aggregation. | S6700 Series Product Documentation |
| Classroom/office access scenario | Wired access switch | CloudEngine S5731-H/S | V200R024C00 | It refers to the access switch that is responsible for wired terminal access. | S5700 Series Product Documentation |
| | Remote unit (RU) | CloudEngine S5731-L-RU | V200R024C00 | It refers to the RU in the simplified architecture. | |
| | Wireless access switch | CloudEngine S5736-S | V200R024C00 | It has downlink multi-rate Ethernet ports, supporting PoE power supply for APs in a centralized manner. | |
| | Wireless access switch | CloudEngine S5735-S | V200R024C00 | It has downlink GE optical/electrical ports or 2.5GE optical ports, providing AP access. | |
| | Common settled AP | AirEngine 6776 series/AirEngine 5776 series/AirEngine 5773 series/AirEngine 6760 series/AirEngine 5760 series | V200R024C00 | It refers to a common settled AP. | AirEngine 6700 Series Product Documentation |
| | Wall plate AP | AirEngine 5773 series/AirEngine 5760 series | V200R024C00 | It refers to a wall plate AP. | AirEngine 5700 Series Product Documentation |
| Library (high-density) access scenario | Wired access switch | CloudEngine S5731-H/S | V200R024C00 | It refers to the access switch that is responsible for wired terminal access. | S5700 Series Product Documentation |
| | RU | CloudEngine S5731-L-RU | V200R024C00 | It refers to the RU in the simplified architecture. | |
| | Wireless access switch | CloudEngine S5736-S | V200R024C00 | It has downlink multi-rate Ethernet ports, supporting PoE power supply for APs in a centralized manner. | |
| | Wireless access switch | CloudEngine S6730-H | V200R024C00 | It has downlink 10GE optical ports to provide AP access. | S6700 Series Product Documentation |
| | High-density settled AP | AirEngine 8771 series/AirEngine 8760 series | V200R024C00 | It refers to the high-density AP that is deployed outdoors. | AirEngine 8700 Series Product Documentation |
| Dormitory access scenario | Wireless access switch (RU) | CloudEngine S5731-H/S | V200R024C00 | It refers to the access switch that is responsible for AP access. | S5700 Series Product Documentation |
| | Wireless access switch (PoE) | CloudEngine S5735-S | V200R024C00 | It refers to the access switch that is responsible for AP access. | |
| | Wall plate AP | AirEngine 5773 series/AirEngine 5760 series | V200R024C00 | It refers to a wall plate AP. | AirEngine 5700 Series Product Documentation |
| Outdoor scenario | Wireless access switch (PoE) | CloudEngine S5735-S | V200R024C00 | It refers to the access switch that is responsible for AP access. | S5700 Series Product Documentation |
| | Outdoor wireless AP | AirEngine 8700R/AirEngine 6760R/AirEngine 5761R | V200R024C00 | It refers to the high-density AP that is deployed outdoors. | AirEngine 8700 Series Product Documentation |

2 Overview

2.1 Logical Architecture


The logical architecture of a campus network consists of the following parts, as
shown in Figure 2-1.

Figure 2-1 Logical architecture of the campus network

● Campus network egress
The campus network egress provides unified access of campus network users
and connects internal terminal users to the public network and external users
to the intranet. The egress not only transmits data between the intranet and
external network, but also protects border security.
● Network management zone
The zone works with the BRASs to implement authentication and accounting
for access users in a unified manner. The controller implements unified O&M
for network devices. The security big data platform implements network-wide
security situational awareness.
● Core layer
The core layer is responsible for high-speed connections on a campus
network, but does not have specific services deployed. This layer refers to the
zone where servers and application systems are deployed in the data center,
and provides data and application services for internal and external users on
the campus network.
● Aggregation layer
Traffic of access devices and users converges at the aggregation layer and is
then forwarded to the core layer. In this way, the aggregation layer increases
the quantity of users who can access the core layer.
● Access layer
It connects various terminals to the campus network. Typically, Ethernet
switches are used at this layer. Some terminals may need other types of
access devices, such as APs and IoT access gateways.
● Campus user terminal layer
It contains various campus terminals, including computers, laptops, printers,
fax machines, mobile phones, and cameras.

2.2 Physical Architecture


Figure 2-2 shows the physical architecture of a campus network.

Figure 2-2 Physical architecture of the campus network

● Campus network design
A fabric is constructed between the aggregation switches in all areas and the
core switches to build virtual private networks (VPNs) that carry multiple
services. Layer 2 interconnections are implemented between the aggregation
and access layers. The access layer consists of switches, APs, and IoT
gateways, and provides access for wired, wireless, and IoT terminals of
campus users.
Multiple campuses are interconnected through DWDM devices.
● Security design
Firewalls are deployed at the egress for isolation, anti-DDoS devices are used
to defend against DDoS attacks from the Internet, and the sandbox is used to
prevent unknown threats.
● Authentication design
All users are authenticated by the BRAS device in a unified manner, and the
third-party accounting system is used to implement accounting. Multi-path
load balancing is implemented to improve the utilization of multi-link
resources at the Internet egress of the campus network.
● IoT design
IoT applications can be flexibly expanded through edge computing gateways
and wireless private networks to manage logistics assets.


3 Tool Usage Description

Table 3-1 Tool usage description


| Scenario | Tool | Description | Applicable Product | Link |
|---|---|---|---|---|
| Planning and design | WLAN Planner | Functions as a WLAN planning tool for indoor and outdoor APs, featuring onsite environmental planning, AP deployment, network signal simulation, network planning report generation, and other functions. | WAC and AP | WLAN Planner |
| | Campus Network Designer | Provides flexible networking modes, helps conduct physical networking planning, data planning, and network planning, and automatically generates LLD and configuration scripts, improving planning and design efficiency and quality. | S series switch, WAC, and AP | Campus Network Designer |
| | Specifications Query | Allows you to query and compare software specifications of Huawei enterprise network products. You can quickly search for information by product, version, card, or keyword. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Specifications Query |
| | Hardware Center | Allows you to query hardware specifications of Huawei enterprise network products. You can quickly search for information by product, version, card, or keyword. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Hardware Center |
| | License Query | Allows you to query licenses related to Huawei enterprise network products. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | License Query |
| | Product Image Gallery | Obtains product photos, Visio-format profiles, and NE icons in a one-stop manner. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Product Image Gallery |
| Installation | Hardware Configuration | Calculates parameters of Huawei enterprise network products such as hardware configuration, power consumption, and weight. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Hardware Configuration |
| Configuration and commissioning | Enterprise network configuration translation | Quickly and accurately translates third-party device configuration files into Huawei device configuration files. This effectively solves the problem of time-consuming manual translation during migration project delivery when you are unfamiliar with commands of third-party devices. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Enterprise network configuration translation |
| | CloudCampus APP | Provides a series of functions related to mobile device project delivery, including quick deployment, deployment based on network planning, network acceptance, and project O&M. | WAC and AP | Search for CloudCampus APP on Huawei AppGallery. |
| | Stack Assistant | Provides the stack deployment guide for switches, including cable connections and configuration procedures. | S series switch | Stack Assistant |
| Maintenance | eDesk Pro | Supports data collection, fault diagnosis, cutover execution, NE upgrade, and other functions. This is a lightweight maintenance tool developed for enterprise network datacom products. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | eDesk Pro |
| | Enterprise Network Inspection | Supports network device inspection, quick report export, and real-time result query with one click. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Enterprise Network Inspection |
| | Commands Query | Allows you to query commands related to Huawei enterprise network products. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Commands Query |
| | Alarms Query | Allows you to query alarms related to Huawei enterprise network products. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Alarms Query |
| | MIB Query | Allows you to query MIB files related to Huawei enterprise network products. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | MIB Query |
| | Lifecycle Query | Allows you to query the lifecycle of Huawei enterprise network products. | S series switch, CloudEngine series switch, NetEngine series router, AR series router, USG series firewall, WAC, and AP | Lifecycle Query |

4 Network Plan

Figure 4-1 shows the networking topology of the solution.

Figure 4-1 Networking topology

● The entire campus network uses a three-layer architecture, including the core
layer, aggregation layer, and access layer. Two core switches form a stack and
are deployed at the core layer to connect to all access switches. Terminals are
directly connected to access switches.
● Two BRASs as authentication access points work in HSB mode and connect to
the core switches in off-path mode.
● Two firewalls work in HSB mode. If the BRASs connect to the core switches in
off-path mode, the firewalls connect to the core switches. If the BRASs
connect to the core switches in in-path mode, the firewalls connect to the two
BRASs and the ISP.
● iMaster NCE-Campus functions as a network controller, and iMaster NCE-
CampusInsight functions as a network analyzer.
● iMaster NCE-Campus and iMaster NCE-CampusInsight connect to the core
switches through a switch.

● A standalone WAC manages Fit APs.


● iMaster NCE-CampusInsight can be either deployed independently or
integrated with iMaster NCE-Campus. Select a deployment mode based on
service requirements.
● Unless otherwise specified, "Core" in this document refers to the CSS
"CORE0102", and "WAC" refers to the master WAC "WAC1".
NOTE

● Set parameters based on network conditions, such as the network scale and
topology. The recommended values and precautions provided in the following
tables are for reference only.
● In this solution, you can select a physical interface or an Eth-Trunk interface as the
public network interface. If you select an Eth-Trunk interface as the public network
interface, run the mode lacp-static command.

Table 4-1 VLAN and service planning


| Service Scenario | VLAN | Gateway Device | Gateway Address | Authentication Mode | Authentication Point | Description |
|---|---|---|---|---|---|---|
| Service VLAN | 3101 | Core switch | 10.10.101.1/24 | Wired MAC address authentication | Access switch | Dumb terminal access |
| | 3111 | BRAS | 10.10.111.1/24 | MAC address-prioritized Portal authentication | BRAS | MAC address-prioritized Portal authentication for wired and wireless terminals |
| | 3211 | BRAS | 10.10.211.1/24 | - | - | Outbound interface of the user gateway |
| | 3201 | Core switch | 10.10.201.1/24 | - | - | Outbound interface of the gateway for dumb terminals |
| Management VLAN | 3100 | WAC | 10.10.100.1/24 | - | - | AP management |
| | 4000 | Core switch | 172.31.31.4/24 | - | - | Management of core switches and WACs by NCE |
| | 4080 | Core switch | 172.31.32.1/24 | - | - | Management of aggregation and access switches by NCE |

Table 4-2 Data plan


| Source Device | Eth-Trunk Interface on the Source Device | Source Device Interface | VLAN ID of the Interface on the Source Device | IP Address of the Source Device Interface | Destination Device | Eth-Trunk Interface on the Destination Device | Destination Device Interface | VLAN ID of the Interface on the Destination Device | IP Address of the Destination Device Interface | Interface Description |
|---|---|---|---|---|---|---|---|---|---|---|
| Switch | - | 10GE1/0/1 | 4000 | 172.31.31.18/24 | Core | - | XGigabitEthernet6/0/12 | 4000 | 172.31.31.4/24 | Interface for connecting to the network controller and analyzer |
| Core | eth-trunk5.4000 | XGigabitEthernet5/0/9, XGigabitEthernet6/0/9 | 4000 | 172.31.31.4/24 | ME60-a | eth-trunk5.4000 | GigabitEthernet0/3/22, GigabitEthernet0/3/23 | 4000 | 172.31.31.22/24 | Management interfaces of ME60-a |
| Core | eth-trunk6.4000 | XGigabitEthernet5/0/10, XGigabitEthernet6/0/10 | 4000 | 172.31.31.4/24 | ME60-b | eth-trunk6.4000 | GigabitEthernet0/3/17, GigabitEthernet0/3/18 | 4000 | 172.31.31.20/24 | Management interfaces of ME60-b |
| Core | eth-trunk7.4000 | XGigabitEthernet5/0/7, XGigabitEthernet6/0/7 | 4000 | 172.31.31.4/24 | FW-a | eth-trunk7.4000 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 4000 | 172.31.31.14/24 | Management interfaces of FW-a |
| Core | eth-trunk8.4000 | XGigabitEthernet5/0/8, XGigabitEthernet6/0/8 | 4000 | 172.31.31.4/24 | FW-b | eth-trunk8.4000 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 4000 | 172.31.31.16/24 | Management interfaces of FW-b |
| Core | eth-trunk3 | XGigabitEthernet5/0/4, XGigabitEthernet6/0/4 | 4000 | 172.31.31.4/24 | wac1 | eth-trunk3 | XGigabitEthernet0/0/10, XGigabitEthernet0/0/11 | 4000 | 172.31.31.11/24 | Management interfaces of ME60-a |
| Core | eth-trunk4 | XGigabitEthernet5/0/11, XGigabitEthernet6/0/11 | 4000 | 172.31.31.4/24 | wac2 | eth-trunk4 | XGigabitEthernet0/0/10, XGigabitEthernet0/0/11 | 4000 | 172.31.31.12/24 | Management interfaces of ME60-b |
| Core | eth-trunk2 | XGigabitEthernet5/0/5, XGigabitEthernet6/0/5, XGigabitEthernet5/0/6, XGigabitEthernet6/0/6 | 4080 | 172.31.32.1/24 | AGG | eth-trunk2 | XGigabitEthernet3/0/5, XGigabitEthernet4/0/5, XGigabitEthernet3/0/6, XGigabitEthernet4/0/6 | 4080 | 172.31.32.X/24 | Management interfaces of aggregation and access switches |
| Core | eth-trunk5.3111 | XGigabitEthernet5/0/9, XGigabitEthernet6/0/9 | 3111 | 10.10.111.4/24 | ME60-a | eth-trunk5.3111 | GigabitEthernet0/3/22, GigabitEthernet0/3/23 | 3111 | 10.10.111.2/24 | Internal interfaces of user gateways |
| Core | eth-trunk6.3111 | XGigabitEthernet5/0/10, XGigabitEthernet6/0/10 | 3111 | 10.10.111.4/24 | ME60-b | eth-trunk6.3111 | GigabitEthernet0/3/17, GigabitEthernet0/3/18 | 3111 | 10.10.111.3/24 | Internal interfaces of user gateways |
| Core | eth-trunk5.3311 | XGigabitEthernet5/0/9, XGigabitEthernet6/0/9 | 3211 | 10.10.211.4/24 | ME60-a | eth-trunk5.3311 | GigabitEthernet0/3/22, GigabitEthernet0/3/23 | 3211 | 10.10.211.2/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk6.3311 | XGigabitEthernet5/0/10, XGigabitEthernet6/0/10 | 3211 | 10.10.211.4/24 | ME60-b | eth-trunk6.3311 | GigabitEthernet0/3/17, GigabitEthernet0/3/18 | 3211 | 10.10.211.3/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk7.3311 | XGigabitEthernet5/0/7, XGigabitEthernet6/0/7 | 3211 | 10.10.211.4/24 | FW-a | eth-trunk7.3311 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 3211 | 10.10.211.6/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk8.3311 | XGigabitEthernet5/0/8, XGigabitEthernet6/0/8 | 3211 | 10.10.211.4/24 | FW-b | eth-trunk8.3311 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 3211 | 10.10.211.7/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk7.3301 | XGigabitEthernet5/0/7, GigabitEthernet6/0/7 | 3201 | 10.10.201.1/24 | FW-a | eth-trunk7.3301 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 3201 | 10.10.201.2/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk8.3301 | XGigabitEthernet5/0/8, GigabitEthernet6/0/8 | 3201 | 10.10.201.1/24 | FW-b | eth-trunk8.3301 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 3201 | 10.10.201.3/24 | Outbound interfaces of user gateway routes |

This section does not include the network planning configuration for VRRP
HSB. For details, see the corresponding section.
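
A VLAN and address plan like Tables 4-1 and 4-2 can be checked for internal consistency before it is configured on devices. The Python script below is an added example, not part of the Huawei guide: the function names are hypothetical, and the data is transcribed from Table 4-1 and a subset of the Table 4-2 rows.

```python
import ipaddress
from collections import defaultdict

# VLAN ID -> gateway address, transcribed from Table 4-1.
GATEWAYS = {
    3101: "10.10.101.1/24",
    3111: "10.10.111.1/24",
    3211: "10.10.211.1/24",
    3201: "10.10.201.1/24",
    3100: "10.10.100.1/24",
    4000: "172.31.31.4/24",
    4080: "172.31.32.1/24",
}

# (source device, source VLAN, source IP, destination device, destination VLAN,
#  destination IP), transcribed from a subset of the Table 4-2 rows.
LINKS = [
    ("Switch", 4000, "172.31.31.18/24", "Core", 4000, "172.31.31.4/24"),
    ("Core", 4000, "172.31.31.4/24", "ME60-a", 4000, "172.31.31.22/24"),
    ("Core", 4000, "172.31.31.4/24", "ME60-b", 4000, "172.31.31.20/24"),
    ("Core", 4000, "172.31.31.4/24", "FW-a", 4000, "172.31.31.14/24"),
    ("Core", 4080, "172.31.32.1/24", "AGG", 4080, "172.31.32.X/24"),
    ("Core", 3111, "10.10.111.4/24", "ME60-a", 3111, "10.10.111.2/24"),
    ("Core", 3211, "10.10.211.4/24", "FW-a", 3211, "10.10.211.6/24"),
    ("Core", 3201, "10.10.201.1/24", "FW-a", 3201, "10.10.201.2/24"),
]


def parse_interface(text):
    """Return an IP interface object, or None for an unresolved placeholder
    such as 172.31.32.X/24."""
    try:
        return ipaddress.ip_interface(text)
    except ValueError:
        return None


def validate(gateways, links):
    """Return a sorted list of (kind, detail) findings for the plan."""
    findings = set()
    owners = defaultdict(set)  # (VLAN, host address) -> devices that claim it
    for src, src_vlan, src_ip, dst, dst_vlan, dst_ip in links:
        # Both ends of a link must be planned in the same VLAN.
        if src_vlan != dst_vlan:
            findings.add(("vlan-mismatch", f"{src}:{src_vlan} <-> {dst}:{dst_vlan}"))
        for dev, vlan, text in ((src, src_vlan, src_ip), (dst, dst_vlan, dst_ip)):
            iface = parse_interface(text)
            if iface is None:
                # The plan still contains a value that must be filled in on site.
                findings.add(("placeholder", f"{dev} VLAN {vlan}: {text}"))
                continue
            if vlan not in gateways:
                findings.add(("unknown-vlan", f"{dev} VLAN {vlan}"))
                continue
            gw = ipaddress.ip_interface(gateways[vlan])
            # Same network and prefix length as the gateway of that VLAN.
            if iface.network != gw.network:
                findings.add(
                    ("wrong-subnet", f"{dev} VLAN {vlan}: {text} not in {gw.network}")
                )
            owners[(vlan, iface.ip)].add(dev)
    # One host address may appear on several rows, but only for one device.
    for (vlan, ip), devs in owners.items():
        if len(devs) > 1:
            findings.add(
                ("duplicate-ip", f"VLAN {vlan}: {ip} on {', '.join(sorted(devs))}")
            )
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in validate(GATEWAYS, LINKS):
        print(f"{kind}: {detail}")
```

Run against the transcribed rows, the only finding is the `172.31.32.X/24` placeholder for the aggregation switches, which has to be replaced with real addresses per device.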


5 Deployment Process

Figure 5-1 and Figure 5-2 show the solution deployment process.

Figure 5-1 Solution deployment process (integrated deployment of the controller and analyzer)

Figure 5-2 Solution deployment process (standalone deployment of the analyzer)

You can view the basic network configuration, network egress configuration,
security service configuration, access control configuration, and O&M
management configuration of the solution by referring to CloudCampus
Documentation.
This document focuses on the unauthorized access prevention solution and the
digital map for intelligent O&M.


6 Installation

6.1 Installing Network Devices


Hardware Installation Guide
Table 6-1 lists a collection of installation guides for datacom hardware products.
For details about the products to be installed in this solution, see 1 Version
Requirements.

Table 6-1 Hardware installation guide

| Product | Installation Guideline |
|---|---|
| S12700 | S12700 and S12700E Series Agile Switches Hardware Installation and Component Replacement |
| S8700 | CloudEngine S8700 Series Switches Hardware Installation and Component Replacement |
| S7700 | S7700, S7900, and S9700 Series Switches Hardware Installation and Component Replacement |
| S5700 and S6700 | S5700 and S6700 Series Switches Hardware Installation and Component Replacement |
| WAC and AP | WLAN Quick Start; WLAN Antenna Quick Start |
| USG6000, USG6000E, and USG9500 | USG Series Hardware Guide |
| AntiDDoS8000 | AntiDDoS Series Hardware Guide |
| NetEngine 8000 | NetEngine 8000 Series Hardware Installation Guide |
| ME60 | ME60 Series Hardware Installation Guide |

6.2 Installing iMaster NCE-Campus/iMaster NCE-CampusInsight

Software Installation Guide
Table 6-2 lists a collection of installation guides for datacom software products.
For details about the products to be installed in this solution, see 1 Version
Requirements.

Table 6-2 Software installation guide

| Product | Installing the Software | Importing Licenses |
|---|---|---|
| iMaster NCE-Campus | iMaster NCE-Campus Planning and Installation Guide | iMaster NCE-Campus License Importing Guide |
| iMaster NCE-CampusInsight (integrated deployment) | iMaster NCE-CampusInsight Planning and Installation Guide (Integration Scenario) | After interconnection between iMaster NCE-CampusInsight and iMaster NCE-Campus is configured, you need to import the license of iMaster NCE-CampusInsight on iMaster NCE-Campus. For details, see iMaster NCE-Campus License Importing Guide. |
| iMaster NCE-CampusInsight (independent deployment) | iMaster NCE-CampusInsight Planning and Installation Guide (Single-Node System Installation) | iMaster NCE-CampusInsight License Importing Guide (Single-Node System Installation) |

NOTE

When installing iMaster NCE-Campus, you need to install the terminal identification value-
added feature so that the terminal view of the digital map can be accessed.


6.3 Installing the Licenses


The following table describes how to install licenses for products involved in this
solution.

Table 6-3 License installation guide

| Product | Download Link |
|---|---|
| BRAS router | Apply for and install licenses based on the purchased license items in the bill of quantity (BOQ) of this project by referring to Huawei Router License Operation Guide. |
| AP+AC | Apply for and install licenses based on the purchased license items in the BOQ of this project by referring to WLAN License Usage Guide. |
| S series switch | In this scenario, only basic functions of switches are used. The basic software license has been loaded and activated before device delivery. You do not need to manually activate it, and the license will not become invalid. If additional advanced functions need to be configured, query the purchased license items in the BOQ, and apply for and install the licenses by referring to the Switches License Usage Guide. |
| iMaster NCE-Campus | iMaster NCE-Campus License Usage Guide describes the basic concepts of licenses, and how to obtain, load, and verify licenses in different NCE deployment scenarios. |
| iMaster NCE-CampusInsight | For details about how to apply for and install a license for the analyzer that is integrated with the controller, see iMaster NCE-CampusInsight License Usage Guide (Integrated with iMaster NCE-Campus). For details about how to apply for and install a license for the analyzer that is independently deployed, see iMaster NCE-CampusInsight License Usage Guide (Independent Deployment). |


Table 6-4 BRAS router licensing requirements

| Function | License | Usage Description | Measurement Unit | Product Model |
|---|---|---|---|---|
| Dual-device backup | Dual-device backup function license | Each device requires one such license. | By device | NE8000 X and NE40E series |
| | Cross-device high reliability function license | This license controls the dual-device backup function of a device. | By device | ME60 series |
| User access | BNG function license | This license is for the BNG function and supports 32K users by default. It can be purchased to increase the number of users to 128K. PPPoE, IPoE, L2TP, DAA, and EDSG functions are included in this license. | By device | NE40E series, ME60 series, NetEngine 8000E M8, NetEngine 8000 M14, NetEngine 8000 M8K, NetEngine 8000 M14K, and NetEngine 8000 X |
| | User count license (1K users) | This license controls the number of online users. | By user | NE40E series, NetEngine 8000E M8, NetEngine 8000 M14, NetEngine 8000 M8K, NetEngine 8000 M14K, and NetEngine 8000 X |
| | Access user count license (1K users) | This license controls the number of BAS access users. One license is required for every 1000 activated users. | By user | ME60-X3, ME60-X8, and ME60-X16 |
| | BNG user count license (1K users) | This license controls the number of BAS access users. One license is required for every 1000 activated users. | By user | NE8000 X |
| User authentication | PPPoE/IPoE function license | This license controls the PPPoE/IPoE function. | By board | NE40E-X3, NE40E-X8, and NE40E-X16 |
| | PPPoE/IPoE port license (per XX Gbit/s) | This license helps build a new business model based on CM fixed boards. Ports on a CM fixed board are restricted if a license that controls basic port functions is not purchased. Service functions are unavailable if a license that controls corresponding service functions is not purchased. This license controls PPPoE and IPoE functions for ports on CM fixed boards. | By port | NE40E-X3, NE40E-X8, NE40E-X16 and NetEngine 8000 X |
| | PPPoE/IPoE function license | This license controls the PPPoE/IPoE function of a device. | By device | NE40E-X3, NE40E-X8, NE40E-X16, NE40E-X1, NE40E-X2 |

Table 6-5 Licensing requirements for digital map

| Product | License | Impact upon No License |
|---|---|---|
| iMaster NCE-Campus | Device management license | Devices cannot be managed. |
| | Terminal access management license | Access authentication users cannot be displayed. |
| iMaster NCE-CampusInsight | Foundation package license | The user journey cannot be displayed. |
| | Application analysis value-added package license | Key applications cannot be assured. |


7 Deployment Configuration

7.1 Creating a Site


You need to configure longitude and latitude information on the GIS map and
location information on the logical map for each site.

Procedure
Step 1 Choose Resource Center > Site Management and click Create to create a site.
Set Device Type to LSW, WAC, and FW, and click OK.

Step 2 Set parameters in the Site Info area, such as Site name, Site location, and
Device type. In IPv4 single-stack or IPv4/IPv6 dual-stack deployment scenarios,
you can set Southbound IP service name as needed.

NOTE

● A tenant administrator can select a southbound IP service created by the system
administrator for Southbound IP service name and view available southbound IP
services on the System > Southbound Access > Southbound Access Configuration
page.
● After Device type is set, you can only add device types but cannot replace device types.
For example, you can add ARs to a site that contains only APs. However, you cannot
change a site that contains only APs to a site that contains only ARs. When LSWs are
deployed as WACs, you need to select both LSW and WAC.
● AP and WAC cannot be selected at the same time for Device type of a site. If Device
type of a site is set to WAC, the site can manage both WACs and Fit APs.

Step 3 Set parameters in the Configuration Information area.


Step 4 Click OK. The site is created and configurations are delivered.

----End

7.2 Importing the Network Plan


Context
Many devices are deployed on a higher education campus network. This example
uses the network plan import function to add devices by entering information
such as device ESNs in a template. To obtain device ESNs required during template
import, you can use the CloudCampus APP to scan the barcodes of these devices.
To add a stack to a site, add stack members to the site first, and set up the stack.
For details, see Stack Assistant. A stack can be added to a site only when the
preceding conditions are met. This example uses the network plan import function
to import the information about stack members and stack to a site in batches
after devices are stacked.
In addition, aggregated links (Eth-Trunks) cannot be dynamically discovered
through LLDP. Therefore, you need to manually configure Eth-Trunks and use a
template to import related physical link data to a site on iMaster NCE-Campus.

Procedure
Step 1 Choose Resource Center > Site Management > Import Network Plan from the
main menu. On the displayed page, click the template download link to download
the template.

Step 2 Enter the information about devices and physical links to be added based on the
template requirements.
Table 7-1 shows an example of the information entered on the Device sheet;
Table 7-2 shows an example of the information entered on the Board sheet; and
Table 7-3 shows an example of the information entered on the Link sheet.


NOTE

When you add a stack to a site on iMaster NCE-Campus by importing the stack information
through a template, the stack restarts if the actual stack information is different from the
information in the template imported to iMaster NCE-Campus. Before the restart, iMaster
NCE-Campus delivers new stack information (except the slot IDs of modular switch
members in the stack) to the stack. Therefore:
● For a stack of modular switches that needs to go online on iMaster NCE-Campus using
commands, you can run the display esn and display css status commands during local
command configuration and record the mappings between the ESNs, stack IDs, and
stack priorities of the member switches in the stack. To prevent a stack restart, ensure
that the stack information filled in the template is the same as that when the stack is
set up.
● For a stack of fixed switches that achieves plug-and-play in DHCP mode, the stack
needs to have empty configuration. In addition, you are advised to fill in the stack
information in the template as planned due to the presence of many fixed switches on
the stadium network. If the stack information in the template is different from the
original information, the stack can restart and go online again according to the planned
information.

Table 7-1 Example values on the Device sheet

| ESN | Device Name | Device Model | Description | Role | Stack Name | Slot ID | Stack Priority |
|---|---|---|---|---|---|---|---|
| 210XXXXXXX54 | S12700E-1 | S12700E-12 | - | Core | Core | 1 | 200 |
| 210XXXXXXX55 | S12700E-2 | S12700E-12 | - | Core | Core | 2 | 150 |

● ESN: If the ESN is not specified, the device name and device model must be
specified. If the ESN is specified, you are advised to specify the device model
as well. Otherwise, the device may fail to be added.
The ESNs of switches, APs, and WACs must be imported to the site to which
these devices belong. You are advised to enter device ESNs using the network
plan template.
● Device Name: Mandatory.
● Device Model: Optional for devices with 20-character ESNs, and mandatory
for devices with 12-character ESNs.
● Description: Optional.
● Role: Optional. Configure roles for devices based on the site requirements. If
you do not set the device role when adding a device, the system sets the
device role to Access by default.
● Stack Name: Mandatory for stacked devices.
● Slot ID: Mandatory for stacked devices.
● Stack Priority: Optional. If this parameter is not set for a stack device, the
default value 100 is used.


Table 7-2 Example values on the Board sheet

| Device Name | Card Slot No./Slot No. | Board Model |
|---|---|---|
| S12700E-1 | slot1/1 | LST7X48SX6E0 |
| S12700E-1 | slot1/2 | LST7X48SX6E0 |

● Device Name: Mandatory.
● Board Slot No./Slot No.: Mandatory.
● Board Model: Mandatory.

Table 7-3 Example values on the Link sheet

| Uplink Device | Physical Port Number on the Uplink Device | Eth-Trunk Interface on the Uplink Device | Downlink Device | Physical Port Number on the Downlink Device | Eth-Trunk Interface on the Downlink Device |
|---|---|---|---|---|---|
| S12700E-1 | XGigabitEthernet1/1/0/1 | Eth-Trunk 1 | S6730-H-a1 | XGigabitEthernet1/0/1 | Eth-Trunk 1 |
| S12700E-1 | XGigabitEthernet1/1/0/2 | Eth-Trunk 1 | S6730-H-a2 | XGigabitEthernet2/0/1 | Eth-Trunk 1 |
| S12700E-2 | XGigabitEthernet2/1/0/1 | Eth-Trunk 1 | S6730-H-a1 | XGigabitEthernet1/0/2 | Eth-Trunk 1 |
| S12700E-2 | XGigabitEthernet2/1/0/2 | Eth-Trunk 1 | S6730-H-a2 | XGigabitEthernet2/0/2 | Eth-Trunk 1 |

● Uplink Device: Mandatory.
● Physical Port Number on the Uplink Device: Mandatory. The port number,
name, and case must be set based on the actual device query result.
Otherwise, an error may occur during the import.
● Eth-Trunk Interface on the Uplink Device: Mandatory for aggregated links.
The port number, name, and case must be set based on the actual device
query result. Otherwise, an error may occur during the import.
● Downlink Device: Mandatory.
● Physical Port Number on the Downlink Device: Mandatory. The port
number, name, and case must be set based on the actual device query result.
Otherwise, an error may occur during the import.
● Eth-Trunk Interface on the Downlink Device: Mandatory for aggregated
links. The port number, name, and case must be set based on the actual
device query result. Otherwise, an error may occur during the import.


Step 3 On iMaster NCE-Campus, select the template file for Select file, and click Upload.
After the upload is complete, click Import All to import the data in the template
file to the site.

NOTE

If you need to add new devices and links to the network, you can import a new template
that contains information about the new devices, devices connected to the new devices,
and new links.

----End
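
The field rules listed under Table 7-1 and the stack-restart condition in the NOTE can be checked before the template is uploaded. The following is an added example, not part of the Huawei guide or of iMaster NCE-Campus: the dictionary keys, the function names, the duplicate-ESN and duplicate-slot checks, and the sample rows (including the ESN EXAMPLE00012 and the model MODEL-X) are assumptions made for illustration.

```python
from collections import defaultdict

DEFAULT_ROLE = "Access"        # role the system assigns when Role is left empty
DEFAULT_STACK_PRIORITY = 100   # value used when Stack Priority is left empty
KEYS = ("esn", "name", "model", "role", "stack", "slot", "priority")


def check_device_sheet(rows):
    """Check Device-sheet rows (dicts) against the field rules under Table 7-1.

    The keys in KEYS are names chosen for this example, not the template's
    column identifiers. Returns (normalized_rows, errors, warnings).
    """
    errors, warnings, normalized = [], [], []
    first_row_of_esn = {}
    slots_by_stack = defaultdict(set)

    for n, row in enumerate(rows, start=1):
        f = {k: "" if row.get(k) is None else str(row[k]).strip() for k in KEYS}

        if not f["name"]:
            errors.append(f"row {n}: Device Name is mandatory")
        if not f["esn"] and not f["model"]:
            errors.append(f"row {n}: without an ESN, Device Model must be specified")
        elif len(f["esn"]) == 12 and not f["model"]:
            errors.append(f"row {n}: Device Model is mandatory for a 12-character ESN")
        elif f["esn"] and not f["model"]:
            warnings.append(f"row {n}: ESN without Device Model, the device may fail to be added")

        # Added sanity check (not stated in the guide): one row per ESN.
        if f["esn"]:
            if f["esn"] in first_row_of_esn:
                errors.append(f"row {n}: ESN already used in row {first_row_of_esn[f['esn']]}")
            first_row_of_esn.setdefault(f["esn"], n)

        f["role"] = f["role"] or DEFAULT_ROLE
        if f["stack"]:
            if not f["slot"]:
                errors.append(f"row {n}: Slot ID is mandatory for stacked devices")
            elif f["slot"] in slots_by_stack[f["stack"]]:
                # Added sanity check: slot IDs are unique within one stack.
                errors.append(f"row {n}: Slot ID {f['slot']} repeated in stack {f['stack']}")
            else:
                slots_by_stack[f["stack"]].add(f["slot"])
            if f["priority"] and not f["priority"].isdigit():
                errors.append(f"row {n}: Stack Priority must be a number")
                f["priority"] = None
            else:
                f["priority"] = int(f["priority"] or DEFAULT_STACK_PRIORITY)
        normalized.append(f)
    return normalized, errors, warnings


def stack_mismatches(normalized, recorded):
    """List differences between the template and the stack as it was set up.

    `recorded` maps ESN -> (slot_id, priority), written down by the operator
    from `display esn` and `display css status`. Per the NOTE, any difference
    means the stack restarts when the template is imported.
    Returns tuples (esn, field, recorded_value, template_value).
    """
    diffs = []
    for f in normalized:
        if not f["stack"] or f["esn"] not in recorded:
            continue
        slot, priority = recorded[f["esn"]]
        if str(slot) != f["slot"]:
            diffs.append((f["esn"], "slot", str(slot), f["slot"]))
        if f["priority"] is not None and int(priority) != f["priority"]:
            diffs.append((f["esn"], "priority", str(priority), str(f["priority"])))
    return diffs


# Constructed sample rows: the first two follow Table 7-1 (priority of the
# second left empty on purpose), the last two are deliberately incomplete.
SAMPLE_ROWS = [
    {"esn": "210XXXXXXX54", "name": "S12700E-1", "model": "S12700E-12",
     "role": "Core", "stack": "Core", "slot": 1, "priority": 200},
    {"esn": "210XXXXXXX55", "name": "S12700E-2", "model": "S12700E-12",
     "role": "Core", "stack": "Core", "slot": 2, "priority": None},
    {"esn": "EXAMPLE00012", "name": "Acc-1", "model": ""},
    {"esn": "", "name": "", "model": "MODEL-X"},
]
# Constructed record of the live stack: ESN -> (slot ID, stack priority).
RECORDED_ON_STACK = {"210XXXXXXX54": (1, 200), "210XXXXXXX55": (2, 150)}

if __name__ == "__main__":
    rows, errs, warns = check_device_sheet(SAMPLE_ROWS)
    for msg in errs + warns:
        print(msg)
    for diff in stack_mismatches(rows, RECORDED_ON_STACK):
        print("stack would restart:", diff)
```
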

7.3 Configuring Core Switches to Go Online

7.3.1 Configuring a Stack or CSS for Switches


To improve switch reliability, a CSS of modular switches or a stack of fixed
switches is deployed on a key node. The stacking or CSS solution needs to be
customized based on project requirements. You can use Stack Assistant to obtain
more information.

7.3.2 Configuring the Controller to Manage the Core Switch Running V200 Through NETCONF

Context
After devices to be managed are added to campus network sites, iMaster NCE-
Campus needs to establish management channels with the devices, so that it can
manage the devices and deliver service configurations to them. Currently, iMaster
NCE-Campus mainly manages devices from the access layer to the core layer. To
manage a core switch, you need to run commands on the core switch to connect
it to iMaster NCE-Campus.

Configuration Roadmap
1. Configure the VLAN and IP address for the core switch to connect to iMaster
NCE-Campus.
2. Configure a static route from the core switch to iMaster NCE-Campus.
3. Configure the core switch to communicate with iMaster NCE-Campus in
NETCONF over SSH Call Home mode.

NOTE

To manage a core switch on iMaster NCE-Campus using commands, you need to connect
the core switch to iMaster NCE-Campus first and then enable the NETCONF function.


Procedure
Basic configurations on the core switch have been completed. Therefore, in this
section, you only need to configure parameters for communication between the
core switch and iMaster NCE-Campus.

Step 1 Configure NETCONF.
[Core] netconf
[Core-netconf] source ip 172.31.31.4   // Configure the IPv4 address used by the switch to communicate with iMaster NCE-Campus using NETCONF.
[Core-netconf] callhome imaster-campus
[Core-netconf-callhome-imaster-campus] ip address 172.31.31.30 port 10020   // Configure the IPv4 address and port number of iMaster NCE-Campus, so that the switch can communicate with iMaster NCE-Campus using NETCONF.
[Core-netconf-callhome-imaster-campus] return

Step 2 Check whether the core switch is managed by iMaster NCE-Campus on the
controller's web UI or by running the following command:
[Core] display netconf connect-status
------------------------------------------------------------------------------
Netconf status : enable
Upload alarm status : enable
Connected to controller before : yes
------------------------------------------------------------------------------
Controller address source : --
Controller URL : --
Controller IP address : --
Controller port : --
Management VLAN : --
Management IP address : --
Register phase : --
Register status : --
------------------------------------------------------------------------------
Netconf src-ip : 172.31.31.4
Netconf src-ipv6 : --
Netconf src-port : 830
Controller information :
No  Mode      name              IP              Port   Connected
-------------------------------------------------------------------------------
1   callhome  imaster-campus    172.31.31.30    10020  Y
2   ssh       -                 -               -      N
3   ssh       -                 -               -      N
4   ssh       -                 -               -      N
5   ssh       -                 -               -      N
6   ssh       -                 -               -      N
-------------------------------------------------------------------------------

Log in to iMaster NCE-Campus as a tenant administrator and choose Resource
Center > Device Management from the main menu to view the status of the
device. If the status is Normal, the device goes online successfully.

----End
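
The check in Step 2 can be scripted so that the call-home peer is compared with the planned controller address instead of being read by eye. The following is an added example, not part of the Huawei guide: the function names and the finding texts are assumptions, and the sample text is constructed from the output shown in Step 2, with one "Connected" flag wrapped onto its own line to exercise that case.

```python
import re

# Constructed sample based on the output in Step 2; the "Connected" flag of
# entry 1 is wrapped onto its own line, as on a narrow terminal.
SAMPLE_OUTPUT = """\
------------------------------------------------------------------------------
Netconf status                    : enable
Upload alarm status               : enable
Connected to controller before    : yes
------------------------------------------------------------------------------
Netconf src-ip                    : 172.31.31.4
Netconf src-ipv6                  : --
Netconf src-port                  : 830
Controller information            :
No  Mode      name              IP              Port   Connected
-------------------------------------------------------------------------------
1   callhome  imaster-campus    172.31.31.30    10020
Y
2   ssh       -                 -               -      N
3   ssh       -                 -               -      N
-------------------------------------------------------------------------------
"""

FIELD = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s*(.*?)\s*$")
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+([YN]))?\s*$")


def parse_connect_status(text):
    """Split the command output into 'key : value' fields and controller entries."""
    fields, entries = {}, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:   # blank or separator line
            continue
        m = ENTRY.match(line)
        if m:
            no, mode, name, ip, port, flag = m.groups()
            entries.append({"no": int(no), "mode": mode, "name": name,
                            "ip": ip, "port": port, "connected": flag})
        elif stripped in ("Y", "N") and entries and entries[-1]["connected"] is None:
            entries[-1]["connected"] = stripped      # flag wrapped to the next line
        else:
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields, entries


def check_callhome(text, controller_ip, controller_port, source_ip):
    """Return a list of findings; an empty list means the state matches the plan."""
    fields, entries = parse_connect_status(text)
    findings = []
    if fields.get("Netconf status") != "enable":
        findings.append("NETCONF is not enabled")
    if fields.get("Netconf src-ip") != source_ip:
        findings.append(f"NETCONF source IP is {fields.get('Netconf src-ip')}, expected {source_ip}")

    expected = [e for e in entries
                if e["mode"] == "callhome" and e["ip"] == controller_ip
                and e["port"] == str(controller_port)]
    if not expected:
        findings.append(f"no callhome entry for {controller_ip}:{controller_port}")
    elif expected[0]["connected"] != "Y":
        findings.append(f"callhome to {controller_ip}:{controller_port} is not connected")

    # Any other connected session is a management channel outside the plan.
    for e in entries:
        if e["connected"] == "Y" and e not in expected:
            findings.append(f"unexpected connected session: {e['mode']} {e['ip']}:{e['port']}")
    return findings


if __name__ == "__main__":
    for finding in check_callhome(SAMPLE_OUTPUT, "172.31.31.30", 10020, "172.31.31.4"):
        print(finding)
```
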

7.3.3 Configuring the Controller to Manage the Core Switch Running V600 Through NETCONF

Context
After devices to be managed are added to campus network sites, iMaster NCE-
Campus needs to establish management channels with the devices, so that it can
manage the devices and deliver service configurations to them. Currently, iMaster
NCE-Campus mainly manages devices from the access layer to the core layer. To
manage a core switch, you need to run commands on the core switch to connect
it to iMaster NCE-Campus.

Configuration Roadmap
1. Configure the VLAN and IP address for the core switch to connect to iMaster
NCE-Campus.
2. Configure a static route from the core switch to iMaster NCE-Campus.
3. Configure the core switch to communicate with iMaster NCE-Campus in
NETCONF over SSH Call Home mode.

NOTE

To manage a core switch on iMaster NCE-Campus using commands, you need to connect
the core switch to iMaster NCE-Campus first and then enable the NETCONF function.

Procedure
Step 1 Configure an SSH server user.
<Core> system-view
[Core] ssh user huawei
[Core] ssh user huawei authentication-type x509v3-rsa
[Core] ssh user huawei assign pki default
[Core] ssh user huawei service-type snetconf

NOTE

The username must be huawei. Otherwise, the device cannot go online, causing a
deployment failure.

Step 2 Specify the source interface of the SSH server. When Warning is displayed, enter y
and press Enter.
[Core] ssh server-source all-interface

Step 3 Check the public key algorithm of the SSH server.


[Core] display current-configuration | in ssh server publickey

Step 4 Configure the SSH authentication mode. Set the authorization type and the public
key algorithm of the SSH server. Add the x509v3-ssh-rsa algorithm without
changing the current public key algorithms configured on the SSH server. In this
example, the default public key algorithms RSA_SHA2_256 and RSA_SHA2_512 are
used.
[Core] ssh server assign pki default
[Core] ssh authorization-type default root
[Core] ssh server publickey x509v3-ssh-rsa rsa_sha2_256 rsa_sha2_512

Step 5 Enable NETCONF.


[Core] snetconf server enable

Step 6 Set parameters for interconnection with iMaster NCE-Campus on the device based
on the ZTP configuration that has been performed on iMaster NCE-Campus. The
callhome template name must be set to default-callhome, and the endpoint
name can be set as needed. You are advised to set the endpoint name in the
format interface-name_ac-south-ip-address.
[Core] netconf
[Core-netconf] callhome default-callhome
[Core-netconf-callhome-default-callhome] endpoint vlanif4000_172.31.31.30
[Core-netconf-callhome-default-callhome-vlanif4000_172.31.31.30] peer-ip 172.31.31.30 port 10020

Step 7 Load the preset CA certificate from the NVRAM to the realm default.
[Core] pki import-certificate default_ca realm default

Step 8 Check whether the switch goes online successfully.


1. Run the display controller connect-status command in the system view of
the device and check the value in the Register phase field. If Registered is
displayed, the registration is successful.
2. Log in to iMaster NCE-Campus as a tenant administrator and choose
Resource Center > Device Management from the main menu to view the
status of the device. If the status is Normal, the device goes online
successfully.

----End

7.3.4 Configuring Stacked Core Switches to Be Managed by the Controller

Context
The core switches have set up a stack or a CSS, and the stack/CSS needs to be
managed by iMaster NCE-Campus.

Prerequisites
The controller is configured by referring to 7.3.2 Configuring the Controller to
Manage the Core Switch Running V200 Through NETCONF to manage two
member devices.

Procedure
Step 1 Choose Resource Center > Site Management.

Step 2 Choose Device Management > Device Group and click Create Stack.

Step 3 Set parameters such as Stack name and Site, and select Synchronize from
detected stacks or Manual creation for Creation mode.
1. Synchronize from detected stacks: The system automatically detects the
stacks that have been set up on switches. You need to manually add the stack
of detected member switches. If the stack member information fails to be
obtained, click Synchronize from detected stacks again to refresh the stack
member information.
2. Manual creation: Switches need to be manually added to a stack.

Step 4 Choose Resource Center > Device Management from the main menu. Then,
choose Device Management > Device Group and check the status of the added
device. If the device status is Normal or Alarm, the device is successfully
managed.

----End


7.4 Configuring Aggregation and Access Switches to Go Online

Context
On a higher education campus network, aggregation and access switches are
deployed in great numbers. Therefore, you are advised to use the method
described in 7.2 Importing the Network Plan to import device and Eth-Trunk
information to iMaster NCE-Campus in advance using a template. In this way,
when configuring aggregation and access switches to be managed by the
controller, you can use the core switch as the management subnet gateway of the
aggregation and access switches, and configure the auto-negotiated management
VLAN (with the core switch acting as the root device). The aggregation and access
switches can then go online in plug-and-play (PnP) mode.

Configuration Roadmap
1. Configure the core switch as the management subnet gateway of the
aggregation and access switches.
2. Configure the management VLAN auto-negotiation function with the core
switch acting as the root device.

NOTE

In this example, aggregation/access switches and APs respectively use different auto-
negotiated management VLANs. When configuring the management VLANs, enable the
management VLAN auto-negotiation function for wireless devices.

Data Plan

Table 7-4 Data plan for the management network

| Device | Auto-Negotiated Management VLAN ID | Subnet | IP Obtaining Mode of the Interface for the Address Pool | IP Address | DHCP | Controller Address Auto-Negotiation | Static Management IP Address for Switches |
|---|---|---|---|---|---|---|---|
| Core | 4080 | Manage_Net | Manual | 172.31.32.1/24 | DHCP server mode | Enabled | Enabled |


Table 7-5 Data plan for auto-negotiated management VLANs

| Device | Management VLAN auto-negotiation for wired devices | Management VLAN auto-negotiation for wireless devices | Management VLAN | Allow traffic on uplink interfaces |
|---|---|---|---|---|
| Core | 4080 | 3100 | Default | Disabled |

Procedure
Step 1 On the core switch, configure a management subnet for aggregation and access
switches, enable the DHCP server function on the gateway interface of the subnet,
and enable the function of automatically negotiating the iMaster NCE-Campus
address.
Step 2 Choose Network Configuration > Site Configuration > Site Configuration from
the main menu. Click the Site Configuration tab, and choose Switch > Subnet
from the navigation pane. On the page that is displayed, click Create. Configure
the wired management subnet based on the following information, and then click
OK.
● Set Device to Core, Subnet name to Manage_Net, VLAN ID to 4080, IP
assignment to Manual, and IP address/Mask to 172.31.32.1/24.
● Toggle on DHCP and set DHCP mode to Server.
● Enable Management network. Then set AP mode to Fit AP, and enable
Controller address auto-negotiation.
● Enable Static management IP address for switches and set Static
management IP address range to 172.31.32.2-172.31.32.100.
NOTE

– If IP assignment is set to Auto, you can click in the Operation column of the
subnet list to modify a created subnet and configure the static management IP
address function for switches.
– A core switch must have the IP addresses that can be dynamically assigned.
Aggregation and access switches obtain IP addresses when they go online for the
first time in PnP mode. It is recommended that half of the IP address segment of a
management subnet be used to allocate static IP addresses and the other half be
used to allocate dynamic IP addresses.


Table 7-6 Parameters for configuring a management subnet

| Parameter | Description |
|---|---|
| DHCP mode | The options include Server and Relay. In this example, the server mode is used. As such, the core switch acts as a DHCP server to dynamically assign IP addresses to aggregation and access switches for device management. |
| AP mode | This parameter specifies the mode of APs on the current subnet. The Fit AP mode is typically used on a higher education campus network. |
| Controller address auto-negotiation | When this function is enabled, the DHCP server of the current subnet automatically generates Option 148. Devices on the subnet can obtain the iMaster NCE-Campus address through Option 148 and then go online. |
| WAC address auto-negotiation | When this function is enabled, the DHCP server of the current subnet automatically generates Option 43. Fit APs can obtain the WAC's address through Option 43 and then join the WAC. |
| Static management IP address for switches | When this function is enabled, the IP addresses dynamically assigned to aggregation and access switches are selected from the static management IP address range and are fixed as static IP addresses after dynamic assignment is complete. |

Step 3 Configure the management VLAN auto-negotiation function on the core switch. In
this way, the core switch can act as the root device to configure a management
VLAN for aggregation and access switches through PnP packet negotiation.
Step 4 Choose Network Configuration > Site Configuration > Site Configuration from
the main menu, and click the Site Configuration tab. Choose Site >
Management VLAN from the navigation pane. Select the core switch in the
device list, and then click . In the Modify Management VLAN window that is
displayed, set Management VLAN auto-negotiation for wired devices to 4080
and Management VLAN auto-negotiation for wireless devices to 3100, and
disable Allow traffic on uplink interfaces. After the configuration is completed,
click OK. Then enable Management VLAN Auto-Negotiation and click Apply.


Table 7-7 Parameters for configuring the management VLAN auto-negotiation function

| Parameter | Description |
|---|---|
| Management VLAN auto-negotiation for wired devices | With the current device acting as the root device, the management VLAN of the connected downlinks can be enabled level by level through the negotiation mechanism. When wired and wireless devices share the same management VLAN and the auto-negotiated management VLAN for wireless devices is not configured, if the root device or its connected device identifies that a downlink port is connected to an AP, the device changes the PVID of the port to the auto-negotiated management VLAN ID for wired devices. |
| Management VLAN auto-negotiation for wireless devices | With the current device acting as the root device, the wireless management VLAN of the connected downlinks can be enabled level by level through the negotiation mechanism. When management VLANs are planned separately for wired and wireless devices, and both management VLAN auto-negotiation for wired devices and management VLAN auto-negotiation for wireless devices are configured, if the root device or its connected device identifies that a downlink port is connected to an AP, the device changes the PVID of the port to the configured auto-negotiated management VLAN ID for wireless devices, instead of the auto-negotiated management VLAN ID for wired devices. |
| Management VLAN | This parameter specifies the management VLAN of the current device. If the management VLAN auto-negotiation function is enabled, set this parameter to Default. |
| Set as the PVID for uplink interfaces | After this function is enabled, the PVID of the current device's uplink interface will be changed to the management VLAN ID. |
| Allow traffic on uplink interfaces | After this function is enabled: if the uplink interface of the current device is a trunk interface, the management VLAN is automatically configured as an allowed VLAN for this interface; if the uplink interface of the current device is an access interface, the management VLAN is used as the default VLAN for this interface. In this example, the uplink interface of the core switch is connected to the gateway in the network management zone. Therefore, this function needs to be disabled. |

Step 5 Verify the configuration for managing aggregation and access switches.
● Check the device onboarding information on iMaster NCE-Campus.


Choose Resource Center > Device Management from the main menu and
view the device list of the site. If Status is displayed as Normal, the devices
go online successfully.
● Check the configuration delivery results on iMaster NCE-Campus.
Choose Task Center > Configuration Result to view the configuration result.
You can select a device and view the configuration details in the feature list,
including whether the configuration is successfully delivered to the device.
● Log in to the device CLI to view the device onboarding information.
Run the display netconf connect-status command to check the NETCONF
configuration on the switch, including the connection status between the
switch and iMaster NCE-Campus.
[Agg] display netconf connect-status
------------------------------------------------------------------------------
Netconf status                 : enable
Upload alarm status            : enable
Connected to controller before : yes
------------------------------------------------------------------------------
Controller address source      : --
Controller URL                 : --
Controller IP address          : --
Controller port                : --
Management VLAN                : --
Management IP address          : --
Register phase                 : --
Register status                : --
------------------------------------------------------------------------------
Netconf src-ip                 : 172.31.32.2
Netconf src-ipv6               : --
Netconf src-port               : 830
Controller information :
No  Mode      name            IP            Port   Connected
-------------------------------------------------------------------------------
1   callhome  imaster-campus  172.31.31.30  10020  Y
2   ssh       -               -             -      N
3   ssh       -               -             -      N
4   ssh       -               -             -      N
5   ssh       -               -             -      N
6   ssh       -               -             -      N
-------------------------------------------------------------------------------
● Log in to the device CLI to view the Eth-Trunk interface information.
Run the display eth-trunk command to view the configuration of Eth-Trunk
interfaces, including the status of the Eth-Trunk interfaces as well as their
local member interfaces.
<Agg> display eth-trunk
Eth-Trunk2's state information is:
Local:
LAG ID: 10                   WorkingMode: LACP
Preempt Delay Time: 10       Hash arithmetic: According to SIP-XOR-DIP
System Priority: 120         System ID: 0018-82d4-04c3
Least Active-linknumber: 1   Max Active-linknumber: 2
Operate status: up           Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName         Status    PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet3/0/5  Selected  1GE       10       262     2609     10111100   1
GigabitEthernet3/0/6  Selected  1GE       10       263     2609     10111100   1
GigabitEthernet4/0/5  Selected  1GE       10       262     2609     10111100   1
GigabitEthernet4/0/6  Selected  1GE       10       263     2609     10111100   1

Partner:
--------------------------------------------------------------------------------
ActorPortName         SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet5/0/5  32768   00e0-fc6e-bb11  32768    262     2609     10111100
GigabitEthernet5/0/6  32768   00e0-fc6e-bb11  32768    263     2609     10111100
GigabitEthernet6/0/5  32768   00e0-fc6e-bb11  32768    262     2609     10111100
GigabitEthernet6/0/6  32768   00e0-fc6e-bb11  32768    263     2609     10111100

----End

7.5 Configuring WACs and APs to Go Online

7.5.1 Configuring WAC HSB


Service Requirements
To ensure that services are running normally, the customer wants to improve
network reliability while reducing the configuration and maintenance workloads.
Wireless configuration synchronization can be deployed in VRRP HSB to meet this
requirement. This backup solution has higher reliability than dual-link HSB. In this
solution, the master and backup WACs are often deployed in the same location,
and the service switchover is fast.

Network Requirements
● WAC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The WAC and core switch function as DHCP servers
to assign IP addresses to APs and STAs, respectively.
● Service data forwarding mode: direct forwarding
● CSS: Two switches at the core layer are deployed in a CSS.

Data Plan

Table 7-8 WAC data planning

Item                                Data

Source interface of the             VLANIF 3100: 10.10.100.2/24
master WAC

Source interface of the             VLANIF 3100: 10.10.100.3/24
backup WAC

Virtual IP address of the           10.10.100.1/24
management VRRP group

VAP profile                         Name: Edu_vap
                                    Forwarding mode: direct forwarding
                                    Service VLAN: VLAN 3102
                                    Referenced profiles: security profile Edu_sec and
                                    SSID profile Edu_test

AP group                            Name: ap-group1
                                    Referenced profiles: VAP profile Edu_vap and
                                    regulatory domain profile default

Regulatory domain profile           Name: default
                                    Country code: CN

SSID profile                        Name: Edu_test
                                    SSID name: Edu_test

Security profile                    Name: Edu_sec
                                    Security policy: WPA-WPA2+PSK+AES
                                    Password: Root@123

DHCP servers                        The WAC (WAC1) functions as a DHCP server to
                                    assign IP addresses to APs, and a stack or CSS
                                    of switches functions as a DHCP server to
                                    assign IP addresses to STAs.

Gateway for APs                     VLANIF 3100: 10.10.100.1/24

IP address pool for APs             10.10.100.4–10.10.100.254/24

Gateway for STAs                    VLANIF 3102: 10.10.102.1/24

IP address pool for STAs            10.10.102.2–10.10.102.254/24

IP address and port number          IP address: 10.10.29.1/24 of VLANIF 3099
of the HSB channel for WAC1         Port number: 10241

IP address and port number          IP address: 10.10.29.2/24 of VLANIF 3099
of the HSB channel for WAC2         Port number: 10241

Scheduled wireless                  Start time of scheduled synchronization: 01:00
configuration synchronization       Interval for scheduled synchronization: 1440
                                    minutes

Configuration Roadmap
1. Configure network connectivity between WACs, APs, and other network
devices.
2. Configure a VRRP group on WAC1 and WAC2. Configure a higher priority for
WAC1 so that it becomes the master device to forward traffic. Configure a
lower priority for WAC2 so that it becomes the backup device.
3. Configure basic WLAN services to ensure that users can connect to the
Internet through the WLAN.
4. Configure the HSB function on WAC1 and WAC2 so that service information
on WAC1 is backed up to WAC2 in real time or in batches, ensuring seamless
service switchover from the master device to the backup device in case of a
master device failure.
5. Configure wireless configuration synchronization in VRRP HSB scenarios.

Configuration Precautions
● In direct forwarding mode, you are advised to configure multicast packet
suppression on the interfaces of a switch connected to APs. In tunnel
forwarding mode, you are advised to configure multicast packet suppression
in traffic profiles of the WAC.
● The port isolation configuration is recommended on the ports of the device
directly connected to APs. If port isolation is not configured and direct
forwarding is used, a large number of unnecessary broadcast packets may be
generated in the VLAN, blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN can be transmitted
between the WAC and APs, and packets from the service VLAN cannot.
● In VRRP HSB networking, the DHCP address pool configurations on the
master and backup WACs must be consistent. For example, the ranges of
IP addresses that cannot be automatically assigned must be consistent on the
master and backup WACs.
● In wireless configuration synchronization scenarios, the device does not
support profile-based configuration for source-ip and nas-ip.

Procedure
Step 1 Configure switches, WAC1, and WAC2 to ensure that APs and WACs can exchange
CAPWAP packets with each other.
NOTE

If direct forwarding is used, you are advised to configure port isolation on GE1/0/1 of
switches connected to APs. If port isolation is not configured, a large number of
unnecessary broadcast packets may be transmitted in the VLANs, or STAs connected to
different APs can directly communicate at Layer 2.

# On ACC0102, set the PVIDs of GE1/0/1 and GE2/0/1 connected to APs to VLAN
3100 (management VLAN) and add the interfaces to VLAN 3100 and VLAN 3102
(service VLAN). Add the interfaces connecting ACC0102 to AGG0102 to Eth-Trunk
1, and allow packets from VLAN 3100 and VLAN 3102 to pass through Eth-Trunk
1.
<ACC0102> system-view
[ACC0102] vlan batch 3100 3102
[ACC0102] interface gigabitethernet 1/0/1
//The configuration for gigabitethernet 2/0/1 is the same as that for gigabitethernet 1/0/1, and is not mentioned here.
[ACC0102-GigabitEthernet1/0/1] port link-type trunk
[ACC0102-GigabitEthernet1/0/1] port trunk pvid vlan 3100
[ACC0102-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[ACC0102-GigabitEthernet1/0/1] port trunk allow-pass vlan 3100 3102
[ACC0102-GigabitEthernet1/0/1] port-isolate enable
[ACC0102-GigabitEthernet1/0/1] quit
[ACC0102] interface eth-trunk 1
[ACC0102-Eth-Trunk1] port link-type trunk
[ACC0102-Eth-Trunk1] undo port trunk allow-pass vlan 1
[ACC0102-Eth-Trunk1] port trunk allow-pass vlan 3100 3102
[ACC0102-Eth-Trunk1] quit
[ACC0102] interface Xgigabitethernet 1/0/4
[ACC0102-Xgigabitethernet 1/0/4] undo port link-type
[ACC0102-Xgigabitethernet 1/0/4] eth-trunk 1
[ACC0102-Xgigabitethernet 1/0/4] quit
[ACC0102] interface Xgigabitethernet 2/0/4
[ACC0102-Xgigabitethernet 2/0/4] undo port link-type
[ACC0102-Xgigabitethernet 2/0/4] eth-trunk 1
[ACC0102-Xgigabitethernet 2/0/4] quit

# Add the interfaces connecting AGG0102 to ACC0102 to Eth-Trunk 1, and allow
packets from VLAN 3100 and VLAN 3102 to pass through Eth-Trunk 1. Add the
interfaces connecting AGG0102 to Core to the planned Eth-Trunk. Set the
Eth-Trunk type to trunk, and allow packets from VLAN 3100 and VLAN 3102 to pass
through the Eth-Trunk.
[AGG0102] interface eth-trunk 1
[AGG0102-Eth-Trunk1] port link-type trunk
[AGG0102-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG0102-Eth-Trunk1] port trunk allow-pass vlan 3100 3102
[AGG0102-Eth-Trunk1] quit
[AGG0102] interface Xgigabitethernet 3/0/4
[AGG0102-Xgigabitethernet 3/0/4] undo port link-type
[AGG0102-Xgigabitethernet 3/0/4] eth-trunk 1
[AGG0102-Xgigabitethernet 3/0/4] quit
[AGG0102] interface Xgigabitethernet 4/0/4
[AGG0102-Xgigabitethernet 4/0/4] undo port link-type
[AGG0102-Xgigabitethernet 4/0/4] eth-trunk 1
[AGG0102-Xgigabitethernet 4/0/4] quit
[AGG0102] interface eth-trunk 2
[AGG0102-Eth-Trunk2] port link-type trunk
[AGG0102-Eth-Trunk2] undo port trunk allow-pass vlan 1
[AGG0102-Eth-Trunk2] port trunk allow-pass vlan 3100 3102
[AGG0102-Eth-Trunk2] quit
[AGG0102] interface Xgigabitethernet 3/0/5
[AGG0102-Xgigabitethernet 3/0/5] undo port link-type
[AGG0102-Xgigabitethernet 3/0/5] eth-trunk 2
[AGG0102-Xgigabitethernet 3/0/5] quit
[AGG0102] interface Xgigabitethernet 4/0/5
[AGG0102-Xgigabitethernet 4/0/5] undo port link-type
[AGG0102-Xgigabitethernet 4/0/5] eth-trunk 2
[AGG0102-Xgigabitethernet 4/0/5] quit
[AGG0102] interface Xgigabitethernet 3/0/6
[AGG0102-Xgigabitethernet 3/0/6] undo port link-type
[AGG0102-Xgigabitethernet 3/0/6] eth-trunk 2
[AGG0102-Xgigabitethernet 3/0/6] quit
[AGG0102] interface Xgigabitethernet 4/0/6
[AGG0102-Xgigabitethernet 4/0/6] undo port link-type
[AGG0102-Xgigabitethernet 4/0/6] eth-trunk 2
[AGG0102-Xgigabitethernet 4/0/6] quit

# Add the interfaces connecting Core to AGG0102 to the planned Eth-Trunk. Set
the Eth-Trunk type to trunk, and allow packets from VLAN 3100 and VLAN 3102
to pass through the Eth-Trunk. Add the interfaces connecting Core to WAC1 and
WAC2 to the planned Eth-Trunk. Set the Eth-Trunk type to trunk, and allow
packets from VLAN 3100 to pass through the Eth-Trunk.
[Core] vlan batch 3100 3102
[Core] interface eth-trunk 2
[Core-Eth-Trunk2] port link-type trunk
[Core-Eth-Trunk2] undo port trunk allow-pass vlan 1
[Core-Eth-Trunk2] port trunk allow-pass vlan 3100 3102
[Core-Eth-Trunk2] quit
[Core] interface Xgigabitethernet 5/0/5
[Core-Xgigabitethernet 5/0/5] undo port link-type
[Core-Xgigabitethernet 5/0/5] eth-trunk 10
[Core-Xgigabitethernet 5/0/5] quit
[Core] interface Xgigabitethernet 5/0/6
[Core-Xgigabitethernet 5/0/6] undo port link-type
[Core-Xgigabitethernet 5/0/6] eth-trunk 10
[Core-Xgigabitethernet 5/0/6] quit
[Core] interface Xgigabitethernet 6/0/5
[Core-Xgigabitethernet 6/0/5] undo port link-type
[Core-Xgigabitethernet 6/0/5] eth-trunk 10
[Core-Xgigabitethernet 6/0/5] quit
[Core] interface Xgigabitethernet 6/0/6
[Core-Xgigabitethernet 6/0/6] undo port link-type
[Core-Xgigabitethernet 6/0/6] eth-trunk 10
[Core-Xgigabitethernet 6/0/6] quit
[Core] interface eth-trunk 3
[Core-Eth-Trunk3] port link-type trunk
[Core-Eth-Trunk3] undo port trunk allow-pass vlan 1
[Core-Eth-Trunk3] port trunk allow-pass vlan 3100
[Core-Eth-Trunk3] quit
[Core] interface Xgigabitethernet 5/0/4
[Core-Xgigabitethernet 5/0/4] undo port link-type
[Core-Xgigabitethernet 5/0/4] eth-trunk 3
[Core-Xgigabitethernet 5/0/4] quit
[Core] interface Xgigabitethernet 6/0/4
[Core-Xgigabitethernet 6/0/4] undo port link-type
[Core-Xgigabitethernet 6/0/4] eth-trunk 3
[Core-Xgigabitethernet 6/0/4] quit
[Core] interface eth-trunk 4
[Core-Eth-Trunk4] port link-type trunk
[Core-Eth-Trunk4] undo port trunk allow-pass vlan 1
[Core-Eth-Trunk4] port trunk allow-pass vlan 3100
[Core-Eth-Trunk4] quit
[Core] interface Xgigabitethernet 5/0/11
[Core-Xgigabitethernet 5/0/11] undo port link-type
[Core-Xgigabitethernet 5/0/11] eth-trunk 4
[Core-Xgigabitethernet 5/0/11] quit
[Core] interface Xgigabitethernet 6/0/11
[Core-Xgigabitethernet 6/0/11] undo port link-type
[Core-Xgigabitethernet 6/0/11] eth-trunk 4
[Core-Xgigabitethernet 6/0/11] quit

# Add the interfaces connecting WAC1 to Core to the planned Eth-Trunk, and
allow packets from VLAN 3100 to pass through the Eth-Trunk.
[WAC1] vlan batch 3100 3102
[WAC1] interface eth-trunk 3
[WAC1-eth-trunk 3] port link-type trunk
[WAC1-eth-trunk 3] undo port trunk allow-pass vlan 1
[WAC1-eth-trunk 3] port trunk allow-pass vlan 3100
[WAC1-eth-trunk 3] quit
[WAC1] interface 10GE 0/0/10
[WAC1-10GE 0/0/10] undo port link-type
[WAC1-10GE 0/0/10] eth-trunk 3
[WAC1-10GE 0/0/10] quit
[WAC1] interface 10GE 0/0/11
[WAC1-10GE 0/0/11] undo port link-type
[WAC1-10GE 0/0/11] eth-trunk 3
[WAC1-10GE 0/0/11] quit
[WAC1] interface vlanif 3100
[WAC1-Vlanif3100] ip address 10.10.100.1 24
[WAC1-Vlanif3100] quit

# Add the interfaces connecting WAC2 to Core to the planned Eth-Trunk, and
allow packets from VLAN 3100 to pass through the Eth-Trunk.
[WAC2] vlan batch 3100 3102
[WAC2] interface eth-trunk 4
[WAC2-eth-trunk 4] port link-type trunk
[WAC2-eth-trunk 4] undo port trunk allow-pass vlan 1
[WAC2-eth-trunk 4] port trunk allow-pass vlan 3100
[WAC2-eth-trunk 4] quit
[WAC2] interface 10GE 0/0/10
[WAC2-10GE 0/0/10] undo port link-type
[WAC2-10GE 0/0/10] eth-trunk 4
[WAC2-10GE 0/0/10] quit
[WAC2] interface 10GE 0/0/11
[WAC2-10GE 0/0/11] undo port link-type
[WAC2-10GE 0/0/11] eth-trunk 4
[WAC2-10GE 0/0/11] quit
[WAC2] interface vlanif 3100
[WAC2-Vlanif3100] ip address 10.10.100.2 24
[WAC2-Vlanif3100] quit

Step 2 Configure WAC1 and WAC2 to communicate with each other.


# On WAC1, add the interface connected to WAC2 to VLAN 3099.
[WAC1] vlan batch 3099
[WAC1] interface 10GE 0/0/9
[WAC1-10GE 0/0/9] port link-type trunk
[WAC1-10GE 0/0/9] undo port trunk allow-pass vlan 1
[WAC1-10GE 0/0/9] port trunk allow-pass vlan 3099
[WAC1-10GE 0/0/9] stp disable
[WAC1-10GE 0/0/9] quit
[WAC1] interface vlanif 3099
[WAC1-Vlanif3099] ip address 10.10.29.1 24
[WAC1-Vlanif3099] quit

# On WAC2, add the interface connected to WAC1 to VLAN 3099.
[WAC2] vlan batch 3099
[WAC2] interface 10GE 0/0/9
[WAC2-10GE 0/0/9] port link-type trunk
[WAC2-10GE 0/0/9] undo port trunk allow-pass vlan 1
[WAC2-10GE 0/0/9] port trunk allow-pass vlan 3099
[WAC2-10GE 0/0/9] stp disable
[WAC2-10GE 0/0/9] quit
[WAC2] interface vlanif 3099
[WAC2-Vlanif3099] ip address 10.10.29.2 24
[WAC2-Vlanif3099] quit

Step 3 Configure the DHCP servers.


NOTE

Configure the DNS server address as required. The common methods are as follows:
● In the interface address pool scenario, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In the global address pool scenario, run the dns-list ip-address &<1-8> command in the
IP address pool view.

# Configure WAC1 as a DHCP server to assign IP addresses to APs. Exclude the
following IP addresses from the interface address pools on the master and backup
WACs: 10.10.100.1 of the master WAC; 10.10.100.2 of the backup WAC; and
10.10.100.3 of the VRRP group.
[WAC1] dhcp enable
[WAC1] dhcp server database enable
[WAC1] dhcp server database recover
[WAC1] interface vlanif 3100
[WAC1-Vlanif3100] dhcp select interface
[WAC1-Vlanif3100] dhcp server excluded-ip-address 10.10.100.1 10.10.100.3
[WAC1-Vlanif3100] quit

# Configure WAC2 in the same way as WAC1.

# Configure Core as a DHCP server to assign IP addresses to STAs.
[Core] dhcp enable
[Core] interface vlanif 3102
[Core-Vlanif3102] ip address 10.10.102.1 24
[Core-Vlanif3102] dhcp select interface
[Core-Vlanif3102] quit

Step 4 Configure VRRP on WAC1 to implement WAC HSB.


# Set the recovery delay of VRRP groups to 60 seconds.
[WAC1] vrrp recover-delay 60

# Create a management VRRP group on WAC1. Set the VRRP priority of WAC1 to
120 and the preemption delay to 1800 seconds.
[WAC1] interface vlanif 3100
[WAC1-Vlanif3100] vrrp vrid 1 virtual-ip 10.10.100.3
[WAC1-Vlanif3100] vrrp vrid 1 priority 120
[WAC1-Vlanif3100] vrrp vrid 1 preempt-mode timer delay 1800
[WAC1-Vlanif3100] admin-vrrp vrid 1
[WAC1-Vlanif3100] quit

# Create HSB service 0 on WAC1, and configure the IP addresses and port
numbers for the active and standby channels. Set the number of retransmission
times and the interval of HSB service 0.
[WAC1] hsb-service 0
[WAC1-hsb-service-0] service-ip-port local-ip 10.10.29.1 peer-ip 10.10.29.2 local-data-port 10241 peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC1-hsb-service-0] quit

# Create HSB group 0 on WAC1, and bind HSB service 0 and mVRRP group 1 to
HSB group 0.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface vlanif 3100
[WAC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.
[WAC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.
[WAC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.
[WAC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
[WAC1-hsb-group-0] quit

Step 5 Configure VRRP on WAC2 to implement WAC HSB.


# Set the recovery delay of VRRP groups to 60 seconds.
[WAC2] vrrp recover-delay 60

# Create a management VRRP group on WAC2.
[WAC2] interface vlanif 3100
[WAC2-Vlanif3100] vrrp vrid 1 virtual-ip 10.10.100.3
[WAC2-Vlanif3100] admin-vrrp vrid 1
[WAC2-Vlanif3100] quit

# Create HSB service 0 on WAC2, and configure the IP addresses and port
numbers for the active and standby channels. Set the number of retransmission
times and the interval of HSB service 0.
[WAC2] hsb-service 0
[WAC2-hsb-service-0] service-ip-port local-ip 10.10.29.2 peer-ip 10.10.29.1 local-data-port 10241 peer-data-port 10241
[WAC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC2-hsb-service-0] quit

# Create HSB group 0 on WAC2, and bind HSB service 0 and mVRRP group 1 to
HSB group 0.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] bind-service 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface vlanif 3100
[WAC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.
[WAC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.
[WAC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.
[WAC2] hsb-service-type dhcp hsb-group 0

Step 6 Configure WLAN services on WAC1.


1. Configure system parameters on WAC1.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] regulatory-domain-profile name default
[WAC1-wlan-regulate-domain-default] country-code cn
[WAC1-wlan-regulate-domain-default] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit
[WAC1] capwap source ip-address 10.10.100.3

2. Import an AP on WAC1.
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[WAC1-wlan-ap-0] ap-name area_1
[WAC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information: P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on WAC1.
# Create the security profile wlan-net and configure a security policy.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to
YsH_2022. In actual situations, configure the security policy according to service
requirements.
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase YsH_2022 aes
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service
VLAN, and bind the security profile and SSID profile to the VAP profile.
[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 3102
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to radios 0 and 1 of APs in the AP group.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 7 Configure private WLAN service parameters on WAC2.

# Configure the source address of WAC2.
[WAC2] capwap source ip-address 10.10.100.3

Step 8 Configure DTLS encryption for inter-WAC control and data tunnels.

# Configure DTLS encryption for inter-WAC control and data tunnels on WAC1.
[WAC1] capwap dtls inter-controller psk YsH_2022
[WAC1] capwap dtls inter-controller control-link encrypt on
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y
[WAC1] capwap dtls inter-controller data-link encrypt
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y
[WAC1] wlan

# Configure DTLS encryption for inter-WAC control and data tunnels on WAC2.
[WAC2] capwap dtls inter-controller psk YsH_2022
[WAC2] capwap dtls inter-controller control-link encrypt on
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y
[WAC2] capwap dtls inter-controller data-link encrypt
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y
[WAC2] wlan

Step 9 Configure wireless configuration synchronization in VRRP HSB scenarios.

# Configure wireless configuration synchronization on WAC1.
[WAC1-wlan-view] master controller
[WAC1-master-controller] master-redundancy peer-ip ip-address 10.10.29.2 local-ip ip-address 10.10.29.1 psk YsH_2022
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 3100
[WAC1-master-controller] quit
[WAC1-wlan-view] quit

# Configure wireless configuration synchronization on WAC2.
[WAC2-wlan-view] master controller
[WAC2-master-controller] master-redundancy peer-ip ip-address 10.10.29.1 local-ip ip-address 10.10.29.2 psk YsH_2022
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 3100
[WAC2-master-controller] quit
[WAC2-wlan-view] quit

# Configure scheduled wireless configuration synchronization on WAC1.
[WAC1-wlan-view] synchronize-configuration auto interval 1440 start-time 01:00:00

Step 10 Trigger wireless configuration synchronization manually.


# Run the display sync-configuration status command to check the wireless
configuration synchronization status. The Status field is displayed as cfg-
mismatch. Manually trigger wireless configuration synchronization from the
master WAC to the backup master WAC. Wait until the backup master WAC is
restarted.
[WAC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
10.10.29.2 Backup AC V200R023C10 cfg-mismatch(config check fail) -
----------------------------------------------------------------------------------------------------
Total: 1
[WAC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y

Step 11 Enable HSB on WAC2.


# Enable the HSB function.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] hsb enable
[WAC2-hsb-group-0] quit

Step 12 Verify the configuration.


1. Check VRRP.
# After the configurations are complete, run the display vrrp command on
WAC1 and WAC2. The State field of WAC1 is displayed as Master and that of
WAC2 is displayed as Backup.
[WAC1] display vrrp
Vlanif3100 | Virtual Router 1
State : Master
Virtual IP : 10.10.100.3
Master IP : 10.10.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 00e0-fc00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2024-01-17 16:58:22
Last change time : 2024-01-17 16:58:25
[WAC2] display vrrp
Vlanif3100 | Virtual Router 1
State : Backup
Virtual IP : 10.10.100.3
Master IP : 10.10.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 00e0-fc00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2024-01-17 02:31:42 UTC-07:00
Last change time : 2024-01-17 02:32:21 UTC-07:00

# Run the display hsb-service 0 command on WAC1 and WAC2 to check the
HSB service status. In the command output of both devices, the value
Connected of Service State indicates that the HSB channel has been
established.
[WAC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.29.1
Peer IP Address : 10.10.29.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[WAC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.29.2
Peer IP Address : 10.10.29.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

Run the display hsb-group 0 command on WAC1 and WAC2 to check the
running status of the HSB group.
[WAC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif3100
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Backup State : Ended
Backup Start Time : JAN, 14 Sep 2024 14:30:46
Peer Group Device Name : AC
Peer Group Software Version : V200R023C10
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[WAC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif3100
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Backup State : Ended
Backup Start Time : JAN, 14 Sep 2024 14:30:46
Peer Group Device Name : AC
Peer Group Software Version : V200R023C10
Group Backup Modules : Access-user
AP
DHCP
---------------------------------------------------------

2. Verify wireless configuration synchronization.


# Run the display sync-configuration status command on the master WAC
and backup master WAC to view the wireless configuration synchronization
status. If the status is up, the wireless configuration synchronization function
is normal.
[WAC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.10.29.2 Backup AC V200R023C10 up 2024-01-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[WAC2] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------
10.10.29.1 Master AC V200R023C10 up 2024-01-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1

3. The WLAN with SSID wlan-net is available for STAs connected to the AP, and
these STAs can connect to the WLAN and go online normally.
# Simulate a fault of the master WAC by restarting the master WAC to verify
the backup configuration. Restart WAC1. When the link between the AP and
WAC1 is disconnected, WAC2 becomes the master WAC to ensure service
stability.

NOTE

Before restarting the WAC, run the save command to save the configuration file on the
WAC to prevent configuration loss after the restart.

# During the restart of WAC1, services on the STAs are not interrupted. After the
AP goes online on WAC2, run the display ap all command on WAC2. The
command output shows that the AP state changes from standby to normal.
# After WAC1 recovers from the restart, an active/standby switchback is triggered.
The AP automatically goes online on WAC1.

----End

7.5.2 Configuring WACs to Be Managed by the Controller

Context
In this solution, two WACs work in HSB mode and need to be managed by iMaster
NCE-Campus.

Procedure
Step 1 Manually add the WAC information to the site.

Choose Resource Center > Device Management > Device, click Add Device, and
manually add device ESNs and roles to the site. Then click OK.

NOTE

● The ESNs of switches, APs, and WACs must be entered into the site. You are advised to
enter device ESNs when adding them to the site.
● If the ESN of a device has 12 characters, you must set Mode to Device model and
specify the device model in the Device information area.

Step 2 Configure the core switch as the management subnet gateway (VLAN 3100) of
the WACs. For details, see 7.5.3 Configuring Fit APs to Join a WAC.

Step 3 Configure management VLAN auto-negotiation for wireless devices on the core
switch that acts as the root device. For details, see Configuring Aggregation and
Access Switches to Be Managed by the Controller (Batch Import of Device and
Eth-Trunk Information).

Step 4 Create Eth-Trunks for connecting to the downstream WACs on the core switch.

Create Eth-Trunk interfaces for connecting to the downstream WACs on the core
switches.

Choose Network Configuration > Site Configuration > Site Configuration from
the main menu. On the Site Configuration tab page, choose Switch > Interface
from the navigation pane. The physical interface configuration page is displayed.
Click a stack at the access layer, select the member interfaces to be aggregated on
the interface panels of the two member switches, and click Aggregate. In the
Interface Configuration area, set the IDs of the Eth-Trunk interfaces to 3 and 4,
respectively, set the link type to hybrid, and add the interfaces to VLAN 3100.

NOTE

Wireless AP management packets are sent from the core switch to the WACs, while wireless
service packets do not need to be forwarded by the WACs. Therefore, when configuring
wireless management VLAN, select Eth-Trunks 3 and 4 of the core switch as the access
interfaces for wireless AP management VLANs. Since the default type of links delivered by
iMaster NCE-Campus is hybrid, you need to set the link type of Eth-Trunks 3 and 4
connected to the WACs to hybrid.

Step 5 Configure the WACs to connect to iMaster NCE-Campus using commands.


Log in to WAC1 and connect it to iMaster NCE-Campus. WAC2 can be configured
in a similar manner. After the two WACs obtain the PnP management VLAN ID
through the core switch, they can send packets to each other through the
heartbeat link, causing a loop. To prevent this, disable the PnP receiving function
on the WACs. If a physical loop exists between the WACs and core switch, the
WAC interfaces will be blocked during STP convergence, causing an HSB heartbeat
failure. To prevent this, disable STP on the interconnection interfaces of the WACs.
[WAC1] ac-mode cloud
Warning: This operation will switch the AC mode to cloud, Continue? [Y/N]y
Warning: This operation will load the general CA and local certificates to the default realm and set the
certification revocation check to none. In this way, the device can go online and report WMI data.
Continue? [Y/N]y
[WAC1] cloud-mng controller ip-address 172.31.31.30 port 10020 source-interface Vlanif 4000
[WAC1] undo pnp startup-vlan receive enable
[WAC1] interface XGigabitEthernet0/0/9
[WAC1-GigabitEthernet0/0/9] stp disable
[WAC1-GigabitEthernet0/0/9] quit
[WAC1] quit
<WAC1> save

Step 6 (Optional) Create a WAC group.


1. Choose Resource Center > Device Management.
2. Click the Device Group tab, choose WAC Group, and click Create.

----End

7.5.3 Configuring Fit APs to Join a WAC


Configuration Roadmap
1. (On iMaster NCE-Campus) Configure a DHCP interface address pool on the
core switch. As such, APs can obtain their management IP addresses through
DHCP and establish management channels with the WAC.
2. (On iMaster NCE-Campus) Associate Fit APs with the WAC to ensure that only
authorized Fit APs can join the WAC. After the configuration is complete, if an
AP attempts to access the network, the WAC checks the ESN of the AP to
determine whether the AP is authorized. If the AP is authorized, a CAPWAP
tunnel can be established between the WAC and the AP, and the AP can join
the WAC successfully.

Table 7-9 Data plan for the wireless management network

| Device | Auto-Negotiated Management VLAN ID | Subnet | IP Obtaining Mode | IP Address | DHCP | WAC Address Auto-Negotiation | WAC's IP Address |
|---|---|---|---|---|---|---|---|
| Core | 3100 | AP_Manage_Net | Manual | 10.10.100.254/24 | DHCP server mode | Enabled | 10.10.100.1 |

Procedure
Step 1 Configure a DHCP interface address pool for the core switch, and enable Option
43 to carry the WAC's IP address. In this example, the management channel
between the WAC and AP is automatically established using the auto-negotiated
management VLAN for wireless devices, which has been enabled in 7.4
Configuring Aggregation and Access Switches to Go Online. The procedure for
configuring a wireless management subnet is as follows:
Choose Network Configuration > Site Configuration > Site Configuration from
the main menu. Click the Site Configuration tab, and choose Switch > Subnet
from the navigation pane. On the page that is displayed, click Create. Configure
the subnet based on the following information, and then click OK.
● Set Device to Core, Subnet name to AP_Manage_Net, VLAN ID to 3100, IP
assignment to Manual, and IP address/Mask to 10.10.100.254/24.
● Toggle on DHCP and set DHCP mode to Server.
● Enable Management network. Then set AP mode to Fit AP, enable WAC
address auto-negotiation, and set WAC address to 10.10.100.1.
● If Fit APs are added in advance by importing a network plan, perform steps 1
and 2 to manage them. If Fit APs are not added in advance, perform steps 2
and 3 to manage them after they are connected to the network.
Step 2 Associate APs with the WAC. Choose Network Configuration > Site
Configuration > Site Configuration from the main menu, click the Site
Configuration tab, and choose Switch > Fit AP Management from the
navigation pane. In the WAC list, select the row where the core switch resides, and
click Add in the lower right corner to add the Fit APs added offline for
management by the core switch.
NOTE

After you configure an existing WAC to manage working Fit APs, the original configurations
on the Fit APs will be lost. Exercise caution when performing this operation.

Step 3 Manually add APs that are not added through network plan import in advance.
Choose Resource Center > Device Management. In the device list, click the
standalone WAC. The Basic Information page is displayed. In the AP List area,
select the APs to be managed, click Repair, and select the corresponding site.
Then click OK.

----End

7.6 (Optional) Configuring the Service Awareness Function

7.6.1 (Optional) Configuring the Service Awareness Function for the Switches Running V200
Smart application control (SAC) uses the signature identification technology, a
basic service awareness technology, to identify and classify application traffic.
Different applications generally use different protocols, each with its own
characteristics, called signatures, which can be specific port numbers, character
strings, or bit sequences. The system analyzes service flows passing through a
device, and compares the analysis result with the signature database loaded to the
device. It identifies an application by detecting signatures in data packets, and
implements refined QoS policy control based on the identification result. To enable
key service assurance and in-band flow measurement based on SAC, you need to
configure service awareness on access and core switches of specific V200 models
and then enable SAC.
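
The following Python example is added here to illustrate signature identification as described above; it is not Huawei's SAC engine or signature database format. The Flow type, the signature entries, the sample flows, and the rule that payload signatures outrank port numbers are assumptions made for the example.

```python
from typing import NamedTuple


class Flow(NamedTuple):
    dst_port: int
    payload: bytes  # first bytes of the first data-bearing packet


# Constructed signature database covering the three signature kinds named in
# the text. Entries are (application, kind, parameters); none of this is
# Huawei's SAC signature format.
SIGNATURES = [
    # STelnet runs over SSH, whose peers open with an "SSH-" identification string.
    ("STelnet", "string", (0, b"SSH-")),
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    ("TLS", "bits", (0, b"\xff\xff", b"\x16\x03")),
    ("Telnet", "port", 23),
    ("DNS", "port", 53),
]
# Assumption for this example: payload evidence outranks a port number.
RANK = {"string": 0, "bits": 0, "port": 1}


def match_bits(payload, offset, mask, expected):
    """Compare payload[offset:] with `expected`, looking only at masked bits."""
    window = payload[offset:offset + len(mask)]
    return len(window) == len(mask) and all(
        (byte & m) == e for byte, m, e in zip(window, mask, expected))


def matches(flow, kind, params):
    """Evaluate one signature of the given kind against a flow."""
    if kind == "port":
        return flow.dst_port == params
    if kind == "string":
        offset, needle = params
        return flow.payload[offset:offset + len(needle)] == needle
    return match_bits(flow.payload, *params)


def classify(flow):
    """Return (application, signature kind) for the best-ranked matching signature."""
    hits = [(app, kind) for app, kind, params in SIGNATURES
            if matches(flow, kind, params)]
    if not hits:
        return ("unknown", None)
    # min() keeps database order among equally ranked hits.
    return min(hits, key=lambda hit: RANK[hit[1]])


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow(23, b"SSH-2.0-OpenSSH_9.6\r\n"),     # SSH on the Telnet port
        Flow(23, b"\xff\xfd\x18\xff\xfd\x20"),    # Telnet option negotiation
        Flow(8443, b"\x16\x03\x01\x02\x00\x01"),  # TLS handshake, non-standard port
        Flow(4000, b"\x00\x01\x02"),              # no signature applies
    ]
    for flow in samples:
        print(flow.dst_port, classify(flow))
```

A flow to port 23 that opens with an SSH identification string is classified by its payload rather than its port, which is why port-based filtering alone cannot stand in for signature-based identification.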

NOTICE

● SAC affects the forwarding performance of devices. Therefore, enable SAC only
where it is needed.
● Only the following models support SAC: S5731-H, S5731-H-K, S5731S-H,
S5731-S, S5731S-S, S5732-H, S5732-H-K, S6730-H, S6730-H-K, S6730S-H,
S6730-S, and S6730S-S.
● Functions such as application assurance and in-band flow measurement are
supported on switches after their resource mode is configured as planned.
● To use application assurance, both access and core switches must support
service awareness.
● To use in-band flow measurement, access switches or access APs must support
service awareness.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the resource allocation mode.
2. Enable the IAE.
3. Update the signature database for application identification.
4. Enable service awareness on an interface.

5. Verify the configurations.

Procedure
Configure the service awareness function.
# Change the resource allocation mode of a switch to sac.
<HUAWEI> system-view
[HUAWEI] assign resource-mode sac
[HUAWEI] quit

NOTE

After the resource allocation mode is set to sac, you need to save the configuration and
restart the switch for the configuration to take effect.
You can change the resource allocation mode of mid-points (such as aggregation switches)
for in-band flow measurement to Enhanced_sipfm. After the resource allocation mode is
changed, you need to save the configuration and restart the devices.

# Enable IAE on the switch.


<HUAWEI> system-view
[HUAWEI] defence engine enable

# Enable service awareness on GE0/0/1 of the switch.


[HUAWEI] interface gigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] service-awareness enable
[HUAWEI-GigabitEthernet0/0/1] quit

Verify the configurations.


# Check SAC entries on the switch.
[HUAWEI] display engine session application
Source IP Destination IP SPort DPort ProtocolID AppName AppID Expire(S)
--------------------------------------------------------------------------------------
10.1.1.10 10.1.1.20 65146 23 6 STelnet 415 300
10.1.1.10 10.1.1.20 65146 23 6 STelnet 415 150
10.1.1.10 10.1.1.20 65063 23 6 STelnet 415 175
10.1.1.10 10.1.1.20 64997 23 6 STelnet 415 185
10.1.1.10 10.1.1.20 64970 23 6 STelnet 415 45
--------------------------------------------------------------------------------------
Total:5

# Log in to SwitchA on the PC connected to GE0/0/1 using STelnet, and run the
display traffic policy statistics interface gigabitethernet 0/0/1 inbound
command to check STelnet packet statistics. The command output shows statistics
about the packets matching the traffic classifier, and the forwarded packets
matching the traffic classifier.
[HUAWEI] display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets: 21
| Bytes: 1,986
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------

Passed | Packets: 21
| Bytes: 1,986
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0

---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------

7.6.2 (Optional) Configuring the WAC Resource Mode


Step 1 Enable the security engine.
NOTE

● In this example, the direct data forwarding mode is used. Therefore, you need to enable
the security engine for both the WAC and AP. If tunnel forwarding is used, you need to
enable the security engine only on the WAC.
● Application assurance and in-band flow measurement are available on the WAC and the
AP after their resource modes are configured as planned.

1. Choose Configuration > QoS > App Identification & Optimization > SAC >
SAC Configuration.
2. Enable Loading the SAC signature database on the AC.
3. Disable Loading the SAC signature database on the AP. In Loading the
SAC Signature Database for APs by AP Group, enable SAC for a specified AP
group.
4. Click Apply.

Step 2 Update the SAC signature database.


1. Visit Huawei Security Center (https://isecurity.huawei.com/sec/web/freesignature.do)
and download the SAC signature databases of the WAC and AP.

2. Choose Maintenance > AC Maintenance > Signature DB.


3. Under Signature Database List, click Local upgrade corresponding to AP
SAC Signature Database. In the dialog box that is displayed, click Upload. In
the dialog box that is displayed, select the corresponding SAC signature
database and click OK. In the dialog box that is displayed, click OK.
4. After the update is successful, click OK in the dialog box that is displayed.
5. The method for updating the SAC signature database for WACs is similar to
that for APs, and is not described here.

----End

7.7 Configuring BRAS

7.7.1 Configuring VRRP HSB


When two BRAS nodes are running properly, service traffic is load balanced based
on VLAN configuration. Virtual Router Redundancy Protocol (VRRP) and
Redundancy User Information (RUI) are deployed to implement HSB on the BRAS
nodes. In this way, services are not interrupted when a BRAS node fails or the link
connecting a BRAS node to the core layer fails.
HSB enables the master device to back up user service control data on the backup
device in real time. If the master device or the link directly connected to the
master device fails, service traffic quickly switches to the backup device. When the
master device or link recovers, user services can be swiftly switched back from the
backup device to the master device. In this way, HSB ensures uninterrupted
services upon a fault.
Table 7-10 lists the parameters for planning VLANs between the core switches
and the BRASs.

Table 7-10 Data plan for VLANs between the core switches and the BRASs

| Source Device | Interface on the Source Device | VLAN ID of the Interface on the Source Device | IP Address of the Interface on the Source Device | Destination Device | Interface on the Destination Device | VLAN ID of the Interface on the Destination Device | IP Address of the Interface on the Destination Device | Interface Description |
|---|---|---|---|---|---|---|---|---|
| Core | eth-trunk5.3940 | 3940 | - | ME60-a | eth-trunk5.3940 | 3940 | 10.39.36.1/24 | Interface running VRRP |
| Core | eth-trunk6.3940 | 3940 | - | ME60-b | eth-trunk6.3940 | 3940 | 10.39.36.2/24 | Interface running VRRP |
| ME60-a | GigabitEthernet0/3/7 | - | 10.39.40.1/24 | ME60-b | GigabitEthernet0/3/7 | - | 10.39.40.2/24 | Remote backup service (RBS) interface |
| ME60-a | LoopBack0 | - | 10.10.0.39/32 | - | - | - | - | Protection tunnel interface |
| ME60-b | LoopBack0 | - | 10.10.0.40/32 | - | - | - | - | Protection tunnel interface |

Table 7-11 lists the parameters for planning VRRP between the core switch and
the BRAS nodes.

Table 7-11 Data plan for VRRP between the core switch and the BRAS nodes

| Item | ME60-a | ME60-b |
|---|---|---|
| VRID | 1 (user-defined) | 1 (user-defined) |
| Priority | 120 | 110 |
| VRRP virtual IP address | 10.39.36.100 | 10.39.36.100 |
| Management VRRP | Enabled | Enabled |
| Track interface | GE0/3/22 and GE0/3/23 (BRAS interface) | GE0/3/17 and GE0/3/18 (BRAS interface) |

Table 7-12 lists the RBS planning parameters for the BRASs.

Table 7-12 Data plan for the RBS of the BRASs

| Item | ME60-a | ME60-b |
|---|---|---|
| Backup ID | 1 (user-defined) | 1 (user-defined) |
| Service type | BRAS | BRAS |
| Backup mode | HSB | HSB |
| VRID | 1 (VRRP VRID) | 1 (VRRP VRID) |

Procedure
Step 1 Configure VRRP on the access side of the master and backup BRASs. ME60-a is the
master device, and ME60-b is the backup device.

The configurations on ME60-a are as follows:


#
interface Eth-Trunk 5 //Configure an Eth-Trunk.
mode lacp-static
#
interface GigabitEthernet0/3/22 //Add a member interface to the Eth-Trunk.
undo shutdown
eth-trunk 5
#
interface GigabitEthernet0/3/23
undo shutdown
eth-trunk 5
#
interface Eth-Trunk5.3940
vlan-type dot1q 3940
ip address 10.39.36.1 255.255.255.0 //Configure an IP address for the VRRP sub-interface.
vrrp vrid 1 virtual-ip 10.39.36.100 //Configure a VRRP virtual IP address.
admin-vrrp vrid 1 //Configure the VRRP group as a management VRRP (mVRRP) group.
vrrp vrid 1 priority 120 //Configure a VRRP priority for ME60-a.
#

The configurations on ME60-b are as follows:


#
interface Eth-Trunk 6 //Configure an Eth-Trunk.
mode lacp-static
#
interface GigabitEthernet0/3/17 //Add a member interface to the Eth-Trunk.
undo shutdown
eth-trunk 6
#
interface GigabitEthernet0/3/18
undo shutdown
eth-trunk 6
#
interface Eth-Trunk6.3940
vlan-type dot1q 3940
ip address 10.39.36.2 255.255.255.0 //Configure an IP address for the VRRP sub-interface.
vrrp vrid 1 virtual-ip 10.39.36.100 //Configure a VRRP virtual IP address.
admin-vrrp vrid 1 //Configure the VRRP group as a management VRRP (mVRRP) group.

vrrp vrid 1 priority 110 //Configure a VRRP priority for ME60-b.


#

Step 2 Configure an RBS and a remote backup profile (RBP).

The configurations on ME60-a are as follows:


#
interface LoopBack0
ip address 10.10.0.39 255.255.255.255 //Configure a loopback address.
#
interface GigabitEthernet0/3/7
undo shutdown
ip address 10.39.40.1 255.255.255.252 //Configure an IP address for an RBS interface.
dcn
#
remote-backup-service s1 //Configure an RBS.
peer 10.39.40.2 source 10.39.40.1 port 11000
protect lsp-tunnel for-all-instance peer-ip 10.10.0.40
#
remote-backup-profile p1 //Configure an RBP.
service-type bras
backup-id 1 remote-backup-service s1
peer-backup hot
vrrp-id 1 interface Eth-Trunk5.3940
#

The configurations on ME60-b are as follows:


#
interface LoopBack0
ip address 10.10.0.40 255.255.255.255 //Configure a loopback address.
#
interface GigabitEthernet0/3/7
undo shutdown
ip address 10.39.40.2 255.255.255.252 //Configure an IP address for an RBS interface.
mpls
mpls ldp
dcn
#
remote-backup-service s1 //Configure an RBS.
peer 10.39.40.1 source 10.39.40.2 port 11000
protect lsp-tunnel for-all-instance peer-ip 10.10.0.39
#
remote-backup-profile p1 //Configure an RBP.
service-type bras
backup-id 1 remote-backup-service s1
peer-backup hot
vrrp-id 1 interface Eth-Trunk6.3940
#

Step 3 Configure OSPF.

The configurations on ME60-a are as follows:


#
ospf 1 router-id 10.10.0.39
default cost inherit-metric
area 0.0.0.0
network 10.10.0.39 0.0.0.0
network 10.39.40.0 0.0.0.3
#

The configurations on ME60-b are as follows:


#
ospf 1 router-id 10.10.0.40
area 0.0.0.0
network 10.10.0.40 0.0.0.0

network 10.39.40.0 0.0.0.3


#

Step 4 Add the interfaces connecting the core switches to the BRAS nodes to VLAN 3940.
#
interface eth-trunk 5.3940
port link-type trunk
port trunk allow-pass vlan 3940
trust dscp
#
interface eth-trunk 6.3940
port link-type trunk
port trunk allow-pass vlan 3940
trust dscp
#

----End
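
The HSB pair only works if the two BRAS configurations mirror each other, so the following Python check is added here as an example; it is not part of the Huawei guide or any Huawei tool. It parses excerpts of the ME60-a and ME60-b configurations from Steps 1 and 2 and reports mismatches in VRRP, RBS and RBP settings. The function names and the set of checks are assumptions made for the example.

```python
import ipaddress
import re

# Excerpts of the ME60-a and ME60-b configurations from Steps 1 and 2 above,
# with the guide's inline // comments removed.
ME60_A = """
interface LoopBack0
ip address 10.10.0.39 255.255.255.255
interface GigabitEthernet0/3/7
ip address 10.39.40.1 255.255.255.252
interface Eth-Trunk5.3940
ip address 10.39.36.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.39.36.100
admin-vrrp vrid 1
vrrp vrid 1 priority 120
remote-backup-service s1
peer 10.39.40.2 source 10.39.40.1 port 11000
protect lsp-tunnel for-all-instance peer-ip 10.10.0.40
remote-backup-profile p1
peer-backup hot
vrrp-id 1 interface Eth-Trunk5.3940
"""
ME60_B = """
interface LoopBack0
ip address 10.10.0.40 255.255.255.255
interface GigabitEthernet0/3/7
ip address 10.39.40.2 255.255.255.252
interface Eth-Trunk6.3940
ip address 10.39.36.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.39.36.100
admin-vrrp vrid 1
vrrp vrid 1 priority 110
remote-backup-service s1
peer 10.39.40.1 source 10.39.40.2 port 11000
protect lsp-tunnel for-all-instance peer-ip 10.10.0.39
remote-backup-profile p1
peer-backup hot
vrrp-id 1 interface Eth-Trunk6.3940
"""

PATTERNS = {  # fact name -> regex applied to each configuration line
    "vrrp": r"vrrp vrid (\d+) virtual-ip (\S+)$",
    "priority": r"vrrp vrid \d+ priority (\d+)$",
    "rbs": r"peer (\S+) source (\S+) port (\d+)$",
    "protect": r"protect lsp-tunnel for-all-instance peer-ip (\S+)$",
    "rbp": r"vrrp-id (\d+) interface (\S+)$",
}


def parse(cfg):
    """Collect the HSB-relevant facts from one BRAS configuration."""
    facts, iface = {"addr": {}}, None
    for raw in cfg.splitlines():
        line = raw.split("//")[0].strip()  # tolerate the guide's comments
        if m := re.match(r"interface (.+)$", line):
            iface = m.group(1).replace(" ", "")
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            facts["addr"][iface] = ipaddress.ip_interface("/".join(m.groups()))
        for name, pattern in PATTERNS.items():
            if m := re.match(pattern, line):
                facts[name] = m.groups()
                if name == "vrrp":
                    facts["vrrp_if"] = iface
    return facts


def audit(master_cfg, backup_cfg):
    """Return the inconsistencies found between the two nodes of the HSB pair."""
    a, b, issues = parse(master_cfg), parse(backup_cfg), []
    if a["vrrp"] != b["vrrp"]:
        issues.append("VRRP VRID or virtual IP address differs between nodes")
    if int(a["priority"][0]) <= int(b["priority"][0]):
        issues.append("intended master does not have the higher VRRP priority")
    for name, x, y in (("master", a, b), ("backup", b, a)):
        peer, source, port = x["rbs"]
        if source not in {str(i.ip) for i in x["addr"].values()}:
            issues.append(f"{name}: RBS source is not a local address")
        if (peer, port) != (y["rbs"][1], y["rbs"][2]):
            issues.append(f"{name}: RBS peer/port does not mirror the other node")
        if x["protect"][0] != str(y["addr"]["LoopBack0"].ip):
            issues.append(f"{name}: protection peer-ip is not the peer LoopBack0")
        if x["rbp"] != (x["vrrp"][0], x["vrrp_if"]):
            issues.append(f"{name}: RBP is not bound to the VRRP group")
        if ipaddress.ip_address(x["vrrp"][1]) not in x["addr"][x["vrrp_if"]].network:
            issues.append(f"{name}: virtual IP is outside the VRRP subnet")
    return issues


if __name__ == "__main__":
    print(audit(ME60_A, ME60_B) or "HSB pair is consistent")
```

Running the check against saved configurations before a planned switchover test catches a mistyped peer or loopback address that would otherwise only surface when the master fails.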

7.7.2 Configuring an Egress


In the scenario where two BRASs are connected to the core switch in off-path
mode, the BRASs function as user gateways and communicate with external
networks through the core switch. IPv4 routes are configured for upstream traffic
between the BRASs and core switch. The default routes to the core switch are
configured on the BRASs, while the default routes to the firewalls are configured
on the core switch. The UNR routes for downstream traffic are advertised to the
firewalls through OSPF, and the firewalls control access policies through the
security zone.
Table 7-13 lists the parameters for planning VLANs between the core switch and
BRASs.

Table 7-13 Data plan for VLANs between the core switch and BRASs

| Source Device | Eth-Trunk Interface on the Source Device | Source Device Interface | VLAN ID of the Interface on the Source Device | IP Address of the Source Device Interface | Destination Device | Eth-Trunk Interface on the Destination Device | Destination Device Interface | VLAN ID of the Interface on the Destination Device | IP Address of the Destination Device Interface | Interface Description |
|---|---|---|---|---|---|---|---|---|---|---|
| Core | eth-trunk5.3311 | XGigabitEthernet5/0/9, XGigabitEthernet6/0/9 | 3211 | 10.10.211.4/24 | ME60-a | eth-trunk5.3311 | GigabitEthernet0/3/22, GigabitEthernet0/3/23 | 3211 | 10.10.211.2/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk6.3311 | XGigabitEthernet5/0/10, XGigabitEthernet6/0/10 | 3211 | 10.10.211.4/24 | ME60-b | eth-trunk6.3311 | GigabitEthernet0/3/17, GigabitEthernet0/3/18 | 3211 | 10.10.211.3/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk7.3311 | XGigabitEthernet5/0/7, XGigabitEthernet6/0/7 | 3211 | 10.10.211.4/24 | FW-a | eth-trunk7.3311 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 3211 | 10.10.211.6/24 | Outbound interfaces of user gateway routes |
| Core | eth-trunk8.3311 | XGigabitEthernet5/0/8, XGigabitEthernet6/0/8 | 3211 | 10.10.211.4/24 | FW-b | eth-trunk8.3311 | xGigabitEthernet0/0/1, xGigabitEthernet0/0/2 | 3211 | 10.10.211.7/24 | Outbound interfaces of user gateway routes |

Step 1 Configure a default static route to the core switch on the BRAS.
ip route-static vpn-instance vpn_xxx 0.0.0.0 0.0.0.0 vpn-instance vpn_xxx 10.10.211.4 //Configure a default route to the core switch on the BRAS.

Step 2 Configure a VLANIF interface and a route on ME60-a.


#
ip vpn-instance out_vrf
ipv4-family
route-distinguisher 3940:1
#
vlan 3211
#
interface Vlanif3211 //Configure a VLANIF interface.
description ToInternet
ip binding vpn-instance out_vrf //Bind the interface to the VPN instance, as on ME60-b.
ip address 10.10.211.2 255.255.255.0
#
interface eth-trunk5.3211 //Add the interface to the VLAN.
negotiation auto
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 3211
dcn
#
ip route-static vpn-instance out_vrf 0.0.0.0 0.0.0.0 vpn-instance out_vrf 10.10.211.4 //Configure a default IPv4 route to the core switch.
#
ospf 101 router-id 10.10.0.39 vpn-instance out_vrf

default cost inherit-metric


import-route unr
area 0.0.0.0
network 10.10.0.39 0.0.0.0
network 10.39.40.0 0.0.0.3
network 10.10.211.0 0.0.0.255 //Add the egress address of the core switch to the OSPF area.
#

Step 3 Configure a VLANIF interface and a default route on ME60-b.


#
ip vpn-instance out_vrf
ipv4-family
route-distinguisher 3940:1
#
route-policy unr permit node 10
apply cost 100
#
vlan 3211
#
interface Vlanif3211 //Configure a VLANIF interface.
description ToInternet
ip binding vpn-instance out_vrf
ip address 10.10.211.3 255.255.255.0
#
interface eth-trunk 6.3211 //Add the interface to the VLAN.
negotiation auto
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 3211
dcn
#
ip route-static vpn-instance out_vrf 0.0.0.0 0.0.0.0 vpn-instance out_vrf 10.10.211.4 //Configure a default IPv4 route to the core switch.
#
ospf 101 router-id 10.10.0.40 vpn-instance out_vrf
default cost inherit-metric
import-route unr route-policy unr
area 0.0.0.0
network 10.10.0.40 0.0.0.0
network 10.39.40.0 0.0.0.3
network 10.10.211.0 0.0.0.255 //Add the egress address of the core switch to the OSPF area.
#

Step 4 Configure a VLANIF interface and a default route on the core switch.
#
ip vpn-instance out_vrf
ipv4-family
route-distinguisher 3940:1
#
vlan 3211
#
interface Vlanif3211 //Configure a VLANIF interface.
ip binding vpn-instance out_vrf
ipv6 enable
ip address 10.10.211.4 255.255.255.0
#
interface eth-trunk 5.3211 //Add the interface to the VLAN.
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3211
port negotiation disable
trust dscp
#
interface eth-trunk 6.3211 //Add the interface to the VLAN.
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3211
trust dscp

#
ospf 101 router-id 10.10.0.36 vpn-instance out_vrf //Configure OSPF.
area 0.0.0.0
#
ip route-static vpn-instance out_vrf 0.0.0.0 0.0.0.0 10.10.211.5 //Configure a default IPv4 route to the firewall.
#

----End

7.7.3 Configuring Interconnection Between the BRAS and the Authentication Server
The BRAS is connected to the authentication server at Layer 2 through the core
switch. Configure the route between the BRAS and the authentication server to
allow packets from VLAN 4000 to pass through.

7.8 Enabling LLDP


LLDP can advertise the management address, device identifier, and interface
identifier of the local device to its neighbors and collect information from the
neighbors. After LLDP is enabled, the NMS can learn the Layer 2 connection status
between devices and analyze the network topology.

Prerequisites
A site has been created. For details, see 7.1 Creating a Site.

Procedure
To enable LLDP globally, perform the following steps:

Step 1 Log in to iMaster NCE-Campus as a tenant administrator and choose Network
Configuration > Site Configuration > Site Configuration from the main menu.

Step 2 Select a site from the Site drop-down list box in the upper left corner.

Step 3 Click the Site Configuration tab.

Step 4 Choose Site > Device System Configuration, and enable LLDP in the Others area.

NOTE

iMaster NCE-Campus supports only global LLDP configuration on switches. To enable LLDP
on WACs, you need to run commands. The following uses a WAC as an example:
<AC01>system-view
[AC01]lldp enable

----End

7.9 Configuring Time Synchronization

7.9.1 Configuring Time Synchronization Between the Controller and Analyzer
You are advised to purchase a high-precision clock source. If no clock source is
available, configure the core switch as a master clock.

Step 1 Configure the core switch as a clock source on the analyzer and controller. The
following uses the configuration on the analyzer as an example. The procedure on
the controller is the same as that on the analyzer.

Log in to the analyzer management plane, choose Maintenance > Time
Management > Configure NTP, and click Add.

Step 2 Click to check whether the NTP is successfully configured.

Step 3 Choose Maintenance > Time Management > Configure Time Zone and Time,
click Forcibly Synchronize, and wait until the synchronization is complete.

----End

7.9.2 Configuring Time Synchronization for Switches


Step 1 Choose Network Configuration > Site Configuration > Site Configuration from
the main menu.

Step 2 Select a site from the Site drop-down list box in the upper left corner.

Step 3 Choose Site > Device System Configuration on the Site Configuration tab page.

Step 4 In the Basic Configuration area, set Time zone, DST, and NTP server IP address,
and click OK.

----End

7.9.3 Configuring Time Synchronization for WACs and Fit APs

Prerequisites
The WAC that functions as the NTP client can communicate with the NTP server.
NTP time synchronization needs to be configured on both the master and backup
WACs.

Procedure
Step 1 Specify the source interface for sending NTP packets.
[WAC1]ntp-service enable
[WAC1]ntp server server-source -i all
Warning: Setting the protocol listening source address to all interfaces will bring security risks and lead to
connection interruptions. Continue? [Y/N]y

Step 2 Specify the service mode of the NTP server.

[WAC1]ntp-service unicast-server X.X.X.X //X.X.X.X is the IP address of the NTP server.

----End

Verifying the Configuration


Run the display ntp status command to check whether the NTP clock is
synchronized. If the clock status is synchronized, the device has synchronized its
clock with the NTP server.
[WAC1]dis ntp sessions
clock source: X.X.X.X
clock stratum: 6
clock status:configured, master, sane, valid
reference clock ID: LOCAL(0)
reach: 1
poll: 64
now: 17
offset: 0.0000 ms
delay: 0.00 ms
disper: 0.00 ms

7.10 Configuring Region Information

7.10.1 Configuring Regions and AP Positions in Batches


Context
You can use WLAN Planner to plan regions and import the planning project
exported from WLAN Planner to iMaster NCE-Campus.

Precautions
A planning project must meet the following requirements; otherwise, the import
will fail.
● The size of the planning file does not exceed 200 MB.
● When you upload planning projects exported from Huawei WLAN Planner,
you can upload a maximum of three planning projects at a time, with the size
of each planning project package within 30 MB.
● The number of regions in each planning project does not exceed 250. In a
single region, the number of APs does not exceed 200, and the number of
obstacles also does not exceed 200.

Prerequisites
A planning project has been exported from WLAN Planner. In addition, the MAC
addresses and SNs of APs at different positions have been filled in the planning
project.

Procedure
Step 1 Choose Network Monitoring > LAN Monitoring > WLAN Monitoring from the
main menu and select a site.

Step 2 Click Planning Import and click the Planner Project tab.

Step 3 Set Planner Type, click , and select the desired planning project package.
NOTE

● You need to upload planning projects exported from WLAN Planner. During the upload,
do not plan regions on multiple clients; otherwise, the upload may fail.
● You can import information only about the regions that you have permissions to
configure.
● If you want to upload planning projects exported from Huawei WLAN Planner, you can
upload a maximum of three planning projects at a time.

Step 4 Click Upload. After the upload is successful, the planned regions are displayed in
the region topology.
NOTE

● If an AP is not added to iMaster NCE-Campus, the AP is created in the region topology
as a pre-deployed AP in the planning project exported from WLAN Planner.
● Only obstacles supported by iMaster NCE-Campus can be displayed in the topology.

After the upload is successful, you can view uploaded planning projects in the
Import Records area. After you click View Details, the file
PlannerProjectImportResult is automatically downloaded.

Open the PlannerProjectImportResult file and check whether planning details
are correct.

Step 5 Associate a single AP.

Right-click in the imported network planning diagram and choose Edit mode from
the shortcut menu. Then, right-click an AP and choose Associate with
Pre-deployed AP from the shortcut menu. Set the MAC address of the AP and click
OK.

Step 6 Associate APs in batches.

You can associate APs in batches when the following conditions are met:

● You have imported information about pre-deployed APs by referring to
Procedure.
● You have added the pre-deployed APs to be associated to iMaster
NCE-Campus.
The detailed operations are as follows:
1. Choose Network Monitoring > LAN Monitoring > WLAN Monitoring >
Planning Import from the main menu.
2. Click the Pre-deployed AP tab.
3. (Optional) If there are a large number of pre-deployed APs, you are advised
to set the MAC addresses and SNs of the APs in batches before the
association.

4. Click to export information about pre-deployed APs.


Modify the MAC addresses and SNs of the APs. Then, click and select the
modified Pre-deployed AP List.xls.
5. Associate pre-deployed APs.
6. Right-click in the upper-layer region of the region where the APs are located
and choose Edit mode from the shortcut menu. Then, right-click in the region
where the APs are located and choose Associate with Pre-deployed AP from
the shortcut menu.
7. After the association is successful, the system displays a message, indicating
that the operation is successful. If the association fails, rectify the fault based
on the displayed cause.

----End

7.10.2 Manually Configuring a Region and an AP Position


You can create a virtual region structure by simulating the live network
environment and add devices to the region to construct a complete region.

Procedure
Step 1 Choose Network Monitoring > LAN Monitoring > WLAN Monitoring from the
main menu and select a site.
Step 2 Choose Planning Import, and click the Region List tab.

Step 3 Click to download the planning template, and fill in region and
AP information in this template.

NOTE

1. During the import, do not add, delete, or modify regions, WACs, or APs on multiple
clients. Otherwise, the import may fail.
2. You can import information only about the regions that you have permissions to
configure.

Step 4 In the resource tree, select the node for which you want to create a region, right-
click in the blank area in the region topology, and choose Add Region from the
shortcut menu.

Step 5 Set Name and Description.

Step 6 Click Confirm. The region is successfully created and displayed in the resource
tree.

Step 7 Right-click in the blank area in the region topology and choose Add AP from the
shortcut menu. In the displayed dialog box, plan and add APs and click OK.

----End

7.11 Configuring Data Synchronization for the Analyzer


Context
iMaster NCE-Campus is integrated with iMaster NCE-CampusInsight to implement
intelligent WLAN fault diagnosis and user experience analysis, achieving intelligent
O&M.

Prerequisites
The system administrator has configured interconnection with iMaster
NCE-CampusInsight. For details, see Configuring Interconnection Between iMaster
NCE-CampusInsight and iMaster NCE-Campus.

Procedure
Step 1 Log in to iMaster NCE-Campus as a tenant administrator and choose System >
System Management > Analysis Component Integration from the main menu.

Step 2 Click Synchronize Immediately and click OK in the dialog box that is displayed.
iMaster NCE-Campus then synchronizes data of all devices and sites under the
current tenant to iMaster NCE-CampusInsight.

Step 3 After Synchronization status changes to Synchronization completed, you can
view the data synchronization result on iMaster NCE-CampusInsight.

----End

Follow-up Procedure
● After iMaster NCE-Campus and iMaster NCE-CampusInsight are
interconnected, you can be redirected to the iMaster NCE-CampusInsight web
UI through the iMaster NCE-Campus web UI. In this way, you can perform
O&M operations on iMaster NCE-CampusInsight.
● To view metric data of devices on iMaster NCE-CampusInsight, enable data
reporting by referring to Configuring Devices to Report Data to iMaster
NCE-CampusInsight.

8 Service Deployment

8.1 Service Deployment for MAC Address-Prioritized Portal Authentication Users

8.1.1 Configuring a Wired Network


The user service gateway is located on the BRAS. Therefore, you need to configure
interconnection interfaces between the BRAS, switches, and APs to allow packets
from corresponding service VLANs to pass through.

Procedure
Step 1 Choose Network Configuration > Site Configuration > Site Configuration from
the main menu, select a target site, and click the Site Configuration tab. On the
page that is displayed, choose Switch > Interface from the navigation pane and
click the Physical Interface tab.

Step 2 Select a switch to be configured, click interfaces, and set Link type. You can select
multiple physical interfaces or Eth-Trunk interfaces.
1. Set Link type to Trunk for device interconnection interfaces and allow
packets from all service VLANs to pass through.
2. Set Link type to Access for the interfaces connected to wired terminals and
set the VLAN IDs of the interfaces to the service VLAN IDs of wired users.
3. Set Link type to Trunk for the switch interfaces connected to APs, set the
default VLAN as the management VLAN of APs, and allow packets from the
service VLANs for wireless users to pass through.

Step 3 Choose Remote Module > Module Configuration from the navigation pane,
select the device for which an RU is to be configured, select the interface
connected to the RU, and set RU interface VLAN mode.
1. If all terminals connected to the RU are in the same VLAN, set RU interface
VLAN mode to Transparent. That is, the RU interfaces do not change the
VLAN IDs of received packets.

2. If both wired terminals and APs are connected to the RU or different VLANs
are used, set RU interface VLAN mode to Manual.
a. For the interface connected to wired terminals, configure the default
VLAN and untagged VLANs as the user service VLANs.
b. For the interface connected to APs, configure the AP management VLAN
as the default VLAN and an untagged VLAN, and configure the wireless
user service VLAN as a tagged VLAN.
c. For the uplink interface of the RU, configure all service VLANs and AP
management VLANs as tagged VLANs.

----End

8.1.2 Configuring the Wireless Network


MAC address-prioritized Portal authentication is used. Users are authenticated by
the BRAS in a unified manner, and APs provide open networks.

Procedure
Step 1 Log in to the web system of the WAC, choose Config Wizard > Wireless Service,
and click Create. On the Basic Information page that is displayed, set the SSID
name, forwarding mode, and service VLAN ID, and click Next.

Step 2 On the Security Authentication page, set Security settings to Open and click
Next.

Step 3 On the Access Control page, configure the bound AP group, effective radios, and
single-user rate limit or no rate limit based on service requirements, and click
Finish.

----End

8.1.3 Configuring Authentication for BRAS Users

Data Plan

Table 8-1 Authentication parameter plan

Parameter                          Authentication Domain  Authentication Scheme  Accounting Scheme  RADIUS Server Group  Address Pool      Authentication Mode
MAC address authentication domain  mac-auth               mac-auth               radius             shenlan              jiaoxuelou_1,...  MAC address authentication
Web pre-authentication domain      web-auth               none                   none               -                    jiaoxuelou_1,...  Web authentication
Web post-authentication domain     after-auth             radius                 radius             shenlan              jiaoxuelou_1,...  Web authentication

Procedure
Step 1 Configure a RADIUS server group.
[~BRAS1] radius-server group shenlan
[*BRAS1-radius-shenlan] radius-server authentication 172.31.4.216 1812
[*BRAS1-radius-shenlan] radius-server accounting 172.31.4.216 1813
[*BRAS1-radius-shenlan] radius-server shared-key-cipher ******
[*BRAS1-radius-shenlan] radius-server source interface Loopback1
[*BRAS1-radius-shenlan] undo radius-server user-name domain-included

Step 2 Configure an authentication domain.


[~BRAS1] aaa
[*BRAS1-aaa] domain mac-auth
[*BRAS1-aaa-domain-mac-auth] quit
[*BRAS1-aaa] domain web-auth
[*BRAS1-aaa-domain-web-auth] quit
[*BRAS1-aaa] domain after-auth
[*BRAS1-aaa-domain-after-auth] quit
[*BRAS1-aaa] commit
[~BRAS1-aaa] quit

Step 3 Configure authentication and accounting schemes.


# Configure an authentication scheme named mac-auth, and redirect users to the
web authentication domain named web-auth if authentication fails.
[~BRAS1] aaa
[~BRAS1-aaa] authentication-scheme mac-auth
[*BRAS1-aaa-authen-mac-auth] commit
[~BRAS1-aaa-authen-mac-auth] authening authen-fail online authen-domain web-auth
[*BRAS1-aaa-authen-mac-auth] commit
[~BRAS1-aaa-authen-mac-auth] quit

# Configure an authentication scheme named radius, with RADIUS authentication
specified.
[~BRAS1-aaa] authentication-scheme radius
[*BRAS1-aaa-authen-radius] authentication-mode radius

[*BRAS1-aaa-authen-radius] commit
[~BRAS1-aaa-authen-radius] quit

# Configure an authentication scheme named none, with none authentication
specified.
[~BRAS1-aaa] authentication-scheme none
[*BRAS1-aaa-authen-none] authentication-mode none
[*BRAS1-aaa-authen-none] commit
[~BRAS1-aaa-authen-none] quit

# Configure an accounting scheme named radius, with RADIUS accounting
specified.
[~BRAS1-aaa] accounting-scheme radius
[*BRAS1-aaa-accounting-radius] accounting-mode radius
[*BRAS1-aaa-accounting-radius] commit
[~BRAS1-aaa-accounting-radius] quit

# Configure an accounting scheme named none, with none accounting specified.


[~BRAS1-aaa] accounting-scheme none
[*BRAS1-aaa-accounting-none] accounting-mode none
[*BRAS1-aaa-accounting-none] commit
[~BRAS1-aaa-accounting-none] quit
[~BRAS1-aaa] quit

Step 4 Configure an address pool.


# Configure an IPv4 address pool.
[~BRAS1] ip pool jiaoxuelou_1 bas local
[*BRAS1-ip-pool-jiaoxuelou_1] gateway 10.10.111.1 255.255.0.0
[*BRAS1-ip-pool-jiaoxuelou_1] section 0 10.10.111.2 10.10.111.254
[*BRAS1-ip-pool-jiaoxuelou_1] dns-server x.x.x.x y.y.y.y
[*BRAS1-ip-pool-jiaoxuelou_1] commit
[~BRAS1-ip-pool-jiaoxuelou_1] quit

# Configure a local IPv6 prefix pool. WLAN users use IPv6 ND addresses, and the
prefix allocation mode is set to unshared.
[~BRAS1] ipv6 prefix jiaoxuelou_v6 local
[*BRAS1-ipv6-prefix-jiaoxuelou_v6] prefix 2001:DA2:207:E030::/60
[*BRAS1-ipv6-prefix-jiaoxuelou_v6] slaac-unshare-only
[*BRAS1-ipv6-prefix-jiaoxuelou_v6] commit
[~BRAS1-ipv6-prefix-jiaoxuelou_v6] quit

# Configure a local IPv6 address pool, and bind the prefix pool to this address
pool.
[~BRAS1] ipv6 pool jiaoxuelou_v6 bas delegation
[*BRAS1-ipv6-pool-jiaoxuelou_v6] prefix jiaoxuelou_v6
[*BRAS1-ipv6-pool-jiaoxuelou_v6] commit
[~BRAS1-ipv6-pool-jiaoxuelou_v6] quit

Step 5 Enable MAC address authentication in the MAC address authentication domain
named mac-auth, and bind the RADIUS server group and the authentication
scheme named mac-auth to this domain.
[~BRAS1] user-group mac-group
[~BRAS1] aaa
[~BRAS1-aaa] domain mac-auth
[*BRAS1-aaa-domain-mac-auth] radius-server group shenlan
[*BRAS1-aaa-domain-mac-auth] authentication-scheme mac-auth
[*BRAS1-aaa-domain-mac-auth] accounting-scheme radius
[*BRAS1-aaa-domain-mac-auth] commit
[~BRAS1-aaa-domain-mac-auth] ip-pool jiaoxuelou_1
[~BRAS1-aaa-domain-mac-auth] ipv6-pool jiaoxuelou_v6
[~BRAS1-aaa-domain-mac-auth] mac-authentication enable

[~BRAS1-aaa-domain-mac-auth] user-group mac-group


[~BRAS1-aaa-domain-mac-auth] quit
[~BRAS1-aaa] quit

Step 6 Configure a web authentication domain named web-auth in which users can
access only limited resources. Bind the authentication scheme none and the
accounting scheme none to this domain.
[~BRAS1] user-group web-before
[~BRAS1] aaa
[~BRAS1-aaa] domain web-auth
[*BRAS1-aaa-domain-web-auth] authentication-scheme none
[*BRAS1-aaa-domain-web-auth] accounting-scheme none
[*BRAS1-aaa-domain-web-auth] commit
[~BRAS1-aaa-domain-web-auth] ip-pool jiaoxuelou_1
[~BRAS1-aaa-domain-web-auth] prefix-assign-mode unshared
[~BRAS1-aaa-domain-web-auth] ipv6-pool jiaoxuelou_v6
[~BRAS1-aaa-domain-web-auth] user-group web-before
[~BRAS1-aaa-domain-web-auth] web-server 172.31.4.216
[~BRAS1-aaa-domain-web-auth] web-server url https://172.31.4.216/index_20.html
[~BRAS1-aaa-domain-web-auth] quit
[~BRAS1-aaa] quit

# Configure the web authentication server. By default, the BRAS supports only
Portal 3.0. You can configure Portal 2.0 based on the web server protocol. You are
advised to set the IP address for communicating with the web server to the
loopback address of the active and standby BRASs.
[~BRAS1] web-auth-server enable
[~BRAS1] web-auth-server version v2
[~BRAS1] web-auth-server 172.31.4.216 key cipher ******
[~BRAS1] web-auth-server source-ip 10.10.0.1
[~BRAS1] web-auth-server source interface LoopBack1

Step 7 Configure ACLs and a traffic policy for the web authentication domain named
web-auth.
# Configure an ACL numbered 6004 to permit the traffic between the user group
(web-before) and the web authentication server and between the user group
(web-before) and the DNS server.
[~BRAS1] acl number 6004
[*BRAS1-acl-ucl-6004] rule 5 permit ip source user-group web-before destination ip-address 172.31.4.216 0
[*BRAS1-acl-ucl-6004] rule 10 permit ip source user-group web-before destination ip-address x.x.x.x 0
[*BRAS1-acl-ucl-6004] rule 15 permit ip source ip-address 172.31.4.216 0 destination user-group web-before
[*BRAS1-acl-ucl-6004] rule 20 permit ip source ip-address x.x.x.x 0 destination user-group web-before
[*BRAS1-acl-ucl-6004] commit
[~BRAS1-acl-ucl-6004] quit

# Configure an ACL numbered 6005 to allow HTTP redirection for the TCP packets
originating from the user group (web-before) and carrying the destination port
(www or 8080).
[~BRAS1] acl number 6005
[*BRAS1-acl-ucl-6005] rule 5 permit tcp source user-group web-before destination-port eq www
[*BRAS1-acl-ucl-6005] rule 10 permit tcp source user-group web-before destination-port eq 8080
[*BRAS1-acl-ucl-6005] commit
[~BRAS1-acl-ucl-6005] quit

# Configure an ACL numbered 6006 to allow HTTPS redirection for the TCP
packets originating from the user group (web-before) and carrying the
destination port (443).
[~BRAS1] acl number 6006
[*BRAS1-acl-ucl-6006] rule 5 permit tcp source user-group web-before destination-port eq 443
[*BRAS1-acl-ucl-6006] commit
[~BRAS1-acl-ucl-6006] quit

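# Configure an ACL numbered 6008 to match all traffic to and from the user
group (web-before). The rules use permit because the ACL only classifies the
traffic; the deny behavior bound to this ACL in the traffic policy drops it.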
[~BRAS1] acl number 6008
[*BRAS1-acl-ucl-6008] rule 5 permit ip source ip-address any destination user-group web-before
[*BRAS1-acl-ucl-6008] rule 10 permit ip source user-group web-before destination ip-address any
[*BRAS1-acl-ucl-6008] commit
[~BRAS1-acl-ucl-6008] quit

# Configure an IPv6 ACL numbered 6004 to permit the traffic between the user
group (web-before) and the web authentication server and between the user
group (web-before) and the DNS server.
[~BRAS1] acl ipv6 number 6004
[*BRAS1-acl-ucl-6004] rule 5 permit ipv6 source user-group web-before destination ipv6-address 2001:db8:1::1/128
[*BRAS1-acl-ucl-6004] rule 10 permit ipv6 source user-group web-before destination ipv6-address 2001:db8:1::2/128
[*BRAS1-acl-ucl-6004] rule 15 permit ipv6 source ipv6-address 2001:db8:1::1/128 destination user-group web-before
[*BRAS1-acl-ucl-6004] rule 20 permit ipv6 source ipv6-address 2001:db8:1::2/128 destination user-group web-before
[*BRAS1-acl-ucl-6004] commit
[~BRAS1-acl-ucl-6004] quit

# Configure an IPv6 ACL numbered 6005 to allow HTTP redirection for the TCP
packets originating from the user group (web-before) and carrying the
destination port (www or 8080).
[~BRAS1] acl ipv6 number 6005
[*BRAS1-acl-ucl-6005] rule 5 permit tcp source user-group web-before destination-port eq www
[*BRAS1-acl-ucl-6005] rule 10 permit tcp source user-group web-before destination-port eq 8080
[*BRAS1-acl-ucl-6005] commit
[~BRAS1-acl-ucl-6005] quit

# Configure an IPv6 ACL numbered 6006 to allow HTTPS redirection for the TCP
packets originating from the user group (web-before) and carrying the
destination port (443).
[~BRAS1] acl ipv6 number 6006
[*BRAS1-acl-ucl-6006] rule 5 permit tcp source user-group web-before destination-port eq 443
[*BRAS1-acl-ucl-6006] commit
[~BRAS1-acl-ucl-6006] quit

# Configure an IPv6 ACL numbered 6008 to match all traffic to and from the
user group (web-before), which the deny behavior in the traffic policy then drops.
[~BRAS1] acl ipv6 number 6008
[*BRAS1-acl-ucl-6008] rule 5 permit ipv6 source ipv6-address any destination user-group web-before
[*BRAS1-acl-ucl-6008] rule 10 permit ipv6 source user-group web-before destination ipv6-address any
[*BRAS1-acl-ucl-6008] commit
[~BRAS1-acl-ucl-6008] quit

# Configure a traffic policy.


[~BRAS1] traffic classifier web-before-permit
[*BRAS1-classifier-web-before-permit] if-match acl 6004
[*BRAS1-classifier-web-before-permit] if-match ipv6 acl 6004
[*BRAS1-classifier-web-before-permit] quit
[*BRAS1] traffic classifier web-before-http-redirect
[*BRAS1-classifier-web-before-http-redirect] if-match acl 6005
[*BRAS1-classifier-web-before-http-redirect] if-match ipv6 acl 6005
[*BRAS1-classifier-web-before-http-redirect] quit
[*BRAS1] traffic classifier web-before-https-redirect
[*BRAS1-classifier-web-before-https-redirect] if-match acl 6006
[*BRAS1-classifier-web-before-https-redirect] if-match ipv6 acl 6006
[*BRAS1-classifier-web-before-https-redirect] quit

[*BRAS1] traffic classifier web-before-deny


[*BRAS1-classifier-web-before-deny] if-match acl 6008
[*BRAS1-classifier-web-before-deny] if-match ipv6 acl 6008
[*BRAS1-classifier-web-before-deny] quit
[*BRAS1] traffic behavior permit
[*BRAS1-behavior-permit] permit
[*BRAS1-behavior-permit] quit
[*BRAS1] traffic behavior http-redirect
[*BRAS1-behavior-http-redirect] http-redirect
[*BRAS1-behavior-http-redirect] quit
[*BRAS1] traffic behavior https-redirect
[*BRAS1-behavior-https-redirect] https-redirect
[*BRAS1-behavior-https-redirect] quit
[*BRAS1] traffic behavior deny
[*BRAS1-behavior-deny] deny
[*BRAS1-behavior-deny] quit
[*BRAS1] traffic policy web-before
[*BRAS1-policy-web-before] classifier web-before-permit behavior permit
[*BRAS1-policy-web-before] classifier web-before-http-redirect behavior http-redirect
[*BRAS1-policy-web-before] classifier web-before-https-redirect behavior https-redirect
[*BRAS1-policy-web-before] classifier web-before-deny behavior deny
[*BRAS1-policy-web-before] quit
[*BRAS1] traffic-policy web-before inbound
[*BRAS1] commit

Step 8 Configure the HTTPS cipher suite and self-signed certificate.


[~BRAS1] access https-redirect
[*BRAS1-access-https-redirect] self-signed ecdsa modulus 384
[*BRAS1-access-https-redirect] cipher-suite support c02f 1301 1302 c02b
[*BRAS1-access-https-redirect] commit
[*BRAS1-access-https-redirect] quit

Step 9 Configure the HTTPS noise reduction function and insert the JavaScript script
during HTTPS redirection.
[~BRAS1-access-https-redirect] js enable
Warning: To enable the function of inserting a JavaScript script during web redirection, run the web-server
mode post command in the domain view.
[*BRAS1-access-https-redirect] blacklist packet-rate 40
[*BRAS1-access-https-redirect] blacklist retry-time 10 interval 3
[*BRAS1-access-https-redirect] commit
[~BRAS1-access-https-redirect] quit

Step 10 Configure a post-authentication domain.


[~BRAS1] aaa
[*BRAS1-aaa] domain after-auth
[*BRAS1-aaa-domain-after-auth] authentication-scheme radius
[*BRAS1-aaa-domain-after-auth] accounting-scheme radius
[*BRAS1-aaa-domain-after-auth] radius-server group shenlan
[*BRAS1-aaa-domain-after-auth] commit
[~BRAS1-aaa-domain-after-auth] quit

Step 11 Configure the MAC address carried in the Access-Request packet of a user as the
user name.
[~BRAS1-aaa] default-user-name template mac-name include mac-address -
[*BRAS1-aaa] default-password template pwd1 cipher ****
[*BRAS1-aaa] commit
[~BRAS1-aaa] quit

Step 12 Configure a BRAS interface.


# Create a user access sub-interface, enable IPv6, and configure a VLAN.
[~BRAS1] interface Eth-Trunk 1.3111 mode l2
[*BRAS1-Eth-Trunk1.3111] ipv6 enable
[*BRAS1-Eth-Trunk1.3111] ipv6 address auto link-local
[*BRAS1-Eth-Trunk1.3111] commit
[~BRAS1-Eth-Trunk1.3111] user-vlan 3111
[~BRAS1-Eth-Trunk1.3111-vlan-3111-3111] quit

# Apply the remote backup profile.


[~BRAS1-Eth-Trunk8.3111] remote-backup-profile p1
[*BRAS1-Eth-Trunk8.3111] commit

# Configure BAS access on the interface.


[~BRAS1-Eth-Trunk1.3111] bas
[~BRAS1-Eth-Trunk1.3111-bas] access-type layer2-subscriber default-domain pre-authentication mac-auth authentication after-auth
[~BRAS1-Eth-Trunk1.3111-bas] authentication-method web
[*BRAS1-Eth-Trunk1.3111-bas] authentication-method-ipv6 web
[*BRAS1-Eth-Trunk1.3111-bas] commit

# Configure port roaming on the BAS interface. If a BAS interface or VLAN
switching occurs when the user moves, BAS port roaming is triggered.
[~BRAS1-Eth-Trunk8.3111-bas] wlan-switch enable
[*BRAS1-Eth-Trunk8.3111-bas] ip-trigger
[*BRAS1-Eth-Trunk8.3111-bas] arp-trigger
[*BRAS1-Eth-Trunk8.3111-bas] ipv6-trigger
[*BRAS1-Eth-Trunk8.3111-bas] nd-trigger
[*BRAS1-Eth-Trunk8.3111-bas] commit
[~BRAS1-Eth-Trunk8.3111-bas] quit
[~BRAS1-Eth-Trunk8.3111] quit

# If multiple remote backup profiles exist on the network, configure the dhcp
session-mismatch action offline command so that a DHCP request is sent to
trigger user logout when the BAS interface or VLAN changes. If only one remote
backup profile exists on the network, configure the dhcp session-mismatch
action roam ipv4 ipv6 nd command so that a DHCP request is sent to trigger
user roaming when the BAS interface or VLAN changes.
[~BRAS1-Eth-Trunk8.3111-bas] dhcp session-mismatch action offline
[*BRAS1-Eth-Trunk8.3111-bas] commit

Or
[~BRAS1-Eth-Trunk8.3111-bas] dhcp session-mismatch action roam ipv4 ipv6 nd
[*BRAS1-Eth-Trunk8.3111-bas] commit

----End
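The pre-authentication policy built in Step 7 can be checked offline against a small model. The following Python code is an added example, not Huawei code and not part of the original guide: it transcribes the IPv4 ACLs 6004 to 6008 and evaluates constructed probe flows, assuming classifiers are matched in the order they are bound to the policy and the first match decides. The DNS address 192.0.2.53, the probe addresses and the group name campus-users are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

PORTAL = "172.31.4.216"      # web authentication server address used on this page
DNS = "192.0.2.53"           # constructed stand-in for the page's x.x.x.x DNS placeholder
GROUP = "web-before"         # pre-authentication user group


@dataclass(frozen=True)
class Flow:
    proto: str                        # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    src_group: Optional[str] = None   # user group of the sender, if it is a BRAS user
    dst_group: Optional[str] = None   # user group of the receiver, if it is a BRAS user


@dataclass(frozen=True)
class Rule:
    proto: str = "ip"                 # "ip" matches every protocol
    src_group: Optional[str] = None   # None means "any"
    dst_group: Optional[str] = None
    src_ip: Optional[str] = None      # host match (wildcard 0); None means "any"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.src_group is not None and self.src_group != f.src_group:
            return False
        if self.dst_group is not None and self.dst_group != f.dst_group:
            return False
        if self.src_ip is not None and ip_address(self.src_ip) != ip_address(f.src_ip):
            return False
        if self.dst_ip is not None and ip_address(self.dst_ip) != ip_address(f.dst_ip):
            return False
        if self.dst_port is not None and self.dst_port != f.dst_port:
            return False
        return True


# IPv4 ACLs 6004-6008 transcribed from Step 7 (every rule there is "permit", i.e. "match").
ACLS = {
    6004: [Rule(src_group=GROUP, dst_ip=PORTAL), Rule(src_group=GROUP, dst_ip=DNS),
           Rule(src_ip=PORTAL, dst_group=GROUP), Rule(src_ip=DNS, dst_group=GROUP)],
    6005: [Rule("tcp", src_group=GROUP, dst_port=80),
           Rule("tcp", src_group=GROUP, dst_port=8080)],
    6006: [Rule("tcp", src_group=GROUP, dst_port=443)],
    6008: [Rule(dst_group=GROUP), Rule(src_group=GROUP)],
}

# (classifier, ACL, behavior) in the order the page binds them to policy web-before.
POLICY = [
    ("web-before-permit", 6004, "permit"),
    ("web-before-http-redirect", 6005, "http-redirect"),
    ("web-before-https-redirect", 6006, "https-redirect"),
    ("web-before-deny", 6008, "deny"),
]


def evaluate(flow: Flow, policy=POLICY) -> Tuple[Optional[str], str]:
    """Return (classifier, behavior) of the first classifier whose ACL matches.

    Assumption of this model: classifiers are tried in binding order, first match wins.
    """
    for classifier, acl, behavior in policy:
        if any(rule.matches(flow) for rule in ACLS[acl]):
            return classifier, behavior
    return None, "not-classified"     # the policy takes no action on this flow


def audit(flows, policy=POLICY):
    """Map each named probe flow to the behavior the policy applies to it."""
    return {name: evaluate(flow, policy)[1] for name, flow in flows.items()}


USER = "10.10.111.50"                 # constructed address inside pool jiaoxuelou_1
OUTSIDE = "198.51.100.10"             # constructed external host
PROBES = {
    "portal-https": Flow("tcp", USER, PORTAL, 443, src_group=GROUP),
    "dns-query": Flow("udp", USER, DNS, 53, src_group=GROUP),
    "portal-reply": Flow("tcp", PORTAL, USER, 50000, dst_group=GROUP),
    "web-http": Flow("tcp", USER, OUTSIDE, 80, src_group=GROUP),
    "web-https": Flow("tcp", USER, OUTSIDE, 443, src_group=GROUP),
    "ssh-out": Flow("tcp", USER, OUTSIDE, 22, src_group=GROUP),
    "inbound-unsolicited": Flow("tcp", OUTSIDE, USER, 445, dst_group=GROUP),
    "other-group": Flow("tcp", "10.10.111.60", OUTSIDE, 22, src_group="campus-users"),
}

# Failure mode: with the catch-all classifier first, even the portal is unreachable.
MISORDERED = [POLICY[3]] + POLICY[:3]

if __name__ == "__main__":
    for name, behavior in audit(PROBES).items():
        print(f"{name:20} -> {behavior}")
    print("misordered portal-https ->", evaluate(PROBES["portal-https"], MISORDERED)[1])
```

Traffic to the portal on port 443 is permitted rather than redirected because classifier web-before-permit is bound before web-before-https-redirect; moving web-before-deny to the front blocks the portal itself.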

Verifying the Configuration


1. Associate a STA with the configured SSID, and enter the user name and
password on the Portal authentication page that is displayed. The STA is
authenticated and can access the network.
2. Check information about online users on the BRAS. To check information
about all online users, run the display access-user command. To check
detailed information about a user, run the display access-user [ user-id
user-id-value | username user-name | ip-address ip-addr | ipv6-address ipv6-addr ]
command.
[~BRAS01]display access-user username teacher
------------------------------------------------------------------------------
UserID Username Interface IP address MAC
Vlan IPv6 address Access type
------------------------------------------------------------------------------
7169 teacher Eth-Trunk8.3111 10.10.111.245 9eec-a9a2-544a
3113/- 2001:DA1:207:E039::/64
IPOE
------------------------------------------------------------------------------
Normal users :0

RUI Local users :1


RUI Remote users :0
Total users :1

3. Run the display station all command on the WAC to check information
about online STAs.
[WAC1]display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address
SSID IPv6 address Online time
-----------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------
9eec-a9a2-544a 2 AirEngine5773-21_1 1/1 5G 11be 6/195 -64 3113 10.10.111.245
EDU_BRAS 2001:DA1:207:E039:CFF5:EEAD:1067:2260 000:00:01:45
-----------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1 6G: 0

4. If a user fails to go online, run the display aaa online-fail-record command
on the BRAS to check the user's online failure records or check the user's
authentication records on the AAA server.
[~BRAS1] display aaa normal-offline-record mac-address 00e0-fc12-3456
--------------------------------------------
User name : HUAWEI-02017000000000@dom1
Domain name : dom1
User MAC : 00e0-fc12-3456
User access type : IPoE
User access interface: GigabitEthernet1/0/1.1
User access PeVlan/CeVlan : -/-
User IP address : -
User IPv6 address : 2001:db8::2/128
User ID :0
User authen state : Authened
User acct state : AcctReady
User author state : AuthorIdle
User login time : 2012-01-09 13:38:41
User offline time : 2012-01-09 14:15:44
User offline reason: DHCPV6 client release
--------------------------------------------
Are you sure to display some information?[Y/N]:

5. If a user goes offline, run the display aaa offline-record command on the
BRAS to check the user's offline records or check the user's authentication
records on the AAA server.
[~BRAS1] display aaa normal-offline-record mac-address 00e0-fc12-3456
--------------------------------------------
User name : HUAWEI-02017000000000@dom1
Domain name : dom1
User MAC : 00e0-fc12-3456
Stack type flag : IPv4
User access type : IPoE
User access interface: GigabitEthernet1/0/1.1
User access PeVlan/CeVlan : -/-
User IP address : 10.10.0.254
User IPv6 address : 2001:db8::2/128
User ID :0
User authen state : Authened
User acct state : AcctReady
User author state : AuthorIdle
User login time : 2012-01-09 13:38:41
User offline time : 2012-01-09 14:15:44
User offline reason: User request to offline
--------------------------------------------
Are you sure to display some information?[Y/N]:

6. Run the cut access-user command to forcibly disconnect an online user on
the BRAS.
[~BRAS] aaa
[~BRAS-aaa] cut access-user username teacher
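Offline records in the layout shown in steps 4 and 5 can be parsed and summarized per MAC address to spot terminals that keep dropping off shortly after going online. The following Python code is an added example, not part of the original guide; the sample records, the 60-second threshold and the three-session limit are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed records that follow the "Key : value" layout of the sample output.
SAMPLE = """\
[~BRAS1] display aaa offline-record
--------------------------------------------
User name : teacher
User MAC : 00e0-fc12-3456
User login time : 2012-01-09 13:38:41
User offline time : 2012-01-09 14:15:44
User offline reason: User request to offline
--------------------------------------------
User name : student01
User MAC : 00e0-fc12-3457
User login time : 2012-01-09 14:00:00
User offline time : 2012-01-09 14:00:20
User offline reason: DHCPV6 client release
--------------------------------------------
User name : student01
User MAC : 00e0-fc12-3457
User login time : 2012-01-09 14:01:00
User offline time : 2012-01-09 14:01:15
User offline reason: DHCPV6 client release
--------------------------------------------
User name : student01
User MAC : 00e0-fc12-3457
User login time : 2012-01-09 14:02:00
User offline time : 2012-01-09 14:02:30
User offline reason: DHCPV6 client release
--------------------------------------------
Are you sure to display some information?[Y/N]:
"""


def parse_records(text):
    """Split CLI output into one dict per record; dashed lines delimit records."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"-{10,}", line):
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # split at the first colon only
        # Skip CLI prompts, the paging question and lines that carry no value.
        if not sep or not value.strip() or line.startswith(("[", "<")):
            continue
        current[key.strip()] = value.strip()
    if current:                                  # output ended without a separator
        records.append(current)
    return records


def session_seconds(rec):
    """Session length from the login and offline timestamps of one record."""
    start = datetime.strptime(rec["User login time"], TIME_FMT)
    end = datetime.strptime(rec["User offline time"], TIME_FMT)
    return int((end - start).total_seconds())


def summarize(records, max_seconds=60):
    """Per-MAC session count, count of short sessions, and offline-reason tally."""
    stats = defaultdict(lambda: {"sessions": 0, "short": 0, "reasons": Counter()})
    for rec in records:
        mac = rec.get("User MAC")
        if mac is None:
            continue                             # incomplete record, cannot attribute
        entry = stats[mac]
        entry["sessions"] += 1
        entry["reasons"][rec.get("User offline reason", "unknown")] += 1
        try:
            if session_seconds(rec) <= max_seconds:
                entry["short"] += 1
        except (KeyError, ValueError):
            pass                                 # missing or malformed timestamps
    return dict(stats)


def flapping(records, max_seconds=60, min_short=3):
    """MACs with at least min_short sessions no longer than max_seconds."""
    stats = summarize(records, max_seconds)
    return sorted(mac for mac, s in stats.items() if s["short"] >= min_short)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for mac, s in summarize(recs).items():
        print(mac, s["sessions"], s["short"], dict(s["reasons"]))
    print("flapping:", flapping(recs))
```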

8.2 Service Deployment for 802.1X Proxy Authentication

8.2.1 Configuring 802.1X Authentication on the WAC


Procedure
Step 1 Configure a RADIUS server template, a RADIUS authentication scheme, and a
RADIUS accounting scheme.
In the scenario where the BRAS functions as a proxy for authentication, the
RADIUS server configured on the WAC is the BRAS, and RADIUS authentication
and accounting are enabled.
# Configure a RADIUS server template. Set the server IP address to the loopback
IP address of the active and standby BRASs, and set the source IP address for
communicating with the server to the VRRP virtual IP address (CAPWAP source
address) of the active and standby WACs.
[WAC1] radius-server template BRAS
[WAC1-radius-BRAS] radius-server authentication 10.10.0.1 1812
[WAC1-radius-BRAS] radius-server accounting 10.10.0.1 1813
[WAC1-radius-BRAS] radius-server shared-key cipher EDU@1234
[WAC1-radius-BRAS] quit
[WAC1] radius-server source ip-address 10.10.100.1

# Configure a RADIUS authorization server and set the IP address of the
authorization server to the loopback IP address of the active and standby BRASs.
[WAC1] radius-server authorization 10.10.0.1 shared-key cipher EDU@1234 server-group BRAS
[WAC1] radius-server authorization server-source ip-address 10.10.100.1

# Configure a RADIUS authentication scheme.


[WAC1] aaa
[WAC1-aaa] authentication-scheme radius
[WAC1-aaa-authen-radius] authentication-mode radius
[WAC1-aaa-authen-radius] quit

# Configure a RADIUS accounting scheme. The accounting function is not used to
calculate fees. Instead, it uses accounting packets to maintain online information
about terminals.
[WAC1-aaa] accounting-scheme radius
[WAC1-aaa-accounting-radius] accounting-mode radius
[WAC1-aaa-accounting-radius] quit
[WAC1-aaa] quit

Step 2 Configure the 802.1X access profile named d1.
[WAC1] dot1x-access-profile name d1
[WAC1-dot1x-access-profile-d1] quit

Step 3 Configure the authentication profile named p1.
[WAC1] authentication-profile name p1
[WAC1-authentication-profile-p1] dot1x-access-profile d1
[WAC1-authentication-profile-p1] authentication-scheme radius
[WAC1-authentication-profile-p1] accounting-scheme radius
[WAC1-authentication-profile-p1] radius-server BRAS
[WAC1-authentication-profile-p1] quit

Step 4 Configure WLAN service parameters.

# Create a security profile named EDU_dot1x and configure a security policy.
[WAC1] wlan
[WAC1-wlan-view] security-profile name EDU_dot1x
[WAC1-wlan-sec-prof-EDU_dot1x] security wpa2 dot1x aes
[WAC1-wlan-sec-prof-EDU_dot1x] quit

# Create the SSID profile named EDU_dot1x, set the SSID name to EDU_dot1x,
and enable PMK fast roaming.
[WAC1-wlan-view] ssid-profile name EDU_dot1x
[WAC1-wlan-ssid-prof-EDU_dot1x] ssid EDU_dot1x
[WAC1-wlan-ssid-prof-EDU_dot1x] pmk-cache-roam enhancement enable
[WAC1-wlan-ssid-prof-EDU_dot1x] quit

# Create the VAP profile named EDU_dot1x, configure the data forwarding mode
and service VLANs, and bind the security profile, SSID profile, and authentication
profile to the VAP profile.
[WAC1-wlan-view] vap-profile name EDU_dot1x
[WAC1-wlan-vap-prof-EDU_dot1x] forward-mode tunnel
[WAC1-wlan-vap-prof-EDU_dot1x] service-vlan vlan-id 3116
[WAC1-wlan-vap-prof-EDU_dot1x] security-profile EDU_dot1x
[WAC1-wlan-vap-prof-EDU_dot1x] ssid-profile EDU_dot1x
[WAC1-wlan-vap-prof-EDU_dot1x] authentication-profile p1
[WAC1-wlan-vap-prof-EDU_dot1x] quit

# Bind the VAP profile named EDU_dot1x to the AP group, and apply the profile
to radios 0 and 1 of APs in the AP group.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile EDU_dot1x wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile EDU_dot1x wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit

----End

8.2.2 Configuring BRAS Proxy Authentication

Data Plan

Table 8-2 Authentication parameter plan

| Parameter | Authentication Domain | Authentication Scheme | Accounting Scheme | RADIUS Server Group | Address Pool | Authentication Mode |
| --- | --- | --- | --- | --- | --- | --- |
| RADIUS proxy authentication domain | radiusproxy | rdp | radius | shenlan | office_v4, office_v6 | RADIUS proxy authentication |


Procedure
This section uses BRAS1 as an example. The configuration on BRAS2 is similar to
that on BRAS1.

Step 1 Configure an address pool.
# Configure a local IPv4 address pool.
[~BRAS1] ip pool office_v4 bas local
[*BRAS1-ip-pool-office_v4] gateway 10.10.116.1 24
[*BRAS1-ip-pool-office_v4] commit
[~BRAS1-ip-pool-office_v4] section 0 10.10.116.2 10.10.116.254
[~BRAS1-ip-pool-office_v4] quit

# Configure a local IPv6 prefix pool. WLAN users use IPv6 ND addresses, and the
prefix allocation mode is set to unshared.
[~BRAS1] ipv6 prefix office_v6 local
[*BRAS1-ipv6-prefix-office_v6] prefix 2001:DA2:207:E030::/60
[*BRAS1-ipv6-prefix-office_v6] slaac-unshare-only
[*BRAS1-ipv6-prefix-office_v6] commit
[~BRAS1-ipv6-prefix-office_v6] quit

# Configure a local IPv6 address pool, and bind the prefix pool to this address
pool.
[~BRAS1] ipv6 pool office_v6 bas delegation
[*BRAS1-ipv6-pool-office_v6] prefix office_v6
[*BRAS1-ipv6-pool-office_v6] commit
[~BRAS1-ipv6-pool-office_v6] quit

Step 2 Set the RADIUS server group to a third-party AAA server. The source address for
communicating with the RADIUS server and the NAS address are the loopback
address of the active and standby BRASs.
[~BRAS1] radius-server group shenlan
[*BRAS1-radius-shenlan] radius-server shared-key-cipher EDU@1234
[*BRAS1-radius-shenlan] radius-server authentication 172.31.4.216 1812
[*BRAS1-radius-shenlan] radius-server accounting 172.31.4.216 1813
[*BRAS1-radius-shenlan] radius-server source interface LoopBack1
[*BRAS1-radius-shenlan] radius-server nas-ip-address 10.10.0.1
[*BRAS1-radius-shenlan] undo radius-server user-name domain-included
[*BRAS1-radius-shenlan] commit
[~BRAS1-radius-shenlan] quit
[~BRAS1] radius-server authorization 172.31.4.216 shared-key-cipher EDU@1234

Step 3 Configure an AAA scheme.
# Configure an authentication scheme and set the authentication mode to
RADIUS proxy authentication.
[~BRAS1] aaa
[~BRAS1-aaa] authentication-scheme rdp
[*BRAS1-aaa-authen-rdp] authentication-mode radius-proxy
[*BRAS1-aaa-authen-rdp] commit
[~BRAS1-aaa-authen-rdp] quit

# Configure an accounting scheme named radius, with RADIUS accounting specified.
[~BRAS1-aaa] accounting-scheme radius
[*BRAS1-aaa-accounting-radius] accounting-mode radius
[*BRAS1-aaa-accounting-radius] commit
[~BRAS1-aaa-accounting-radius] quit

Step 4 Configure an authentication domain. Apply the authentication scheme, accounting
scheme, and RADIUS server group to the authentication domain.
[~BRAS1-aaa] domain radiusproxy
[*BRAS1-aaa-domain-radiusproxy] authentication-scheme rdp
[*BRAS1-aaa-domain-radiusproxy] accounting-scheme radius
[*BRAS1-aaa-domain-radiusproxy] radius-server group shenlan
[*BRAS1-aaa-domain-radiusproxy] prefix-assign-mode unshared
[*BRAS1-aaa-domain-radiusproxy] commit
[~BRAS1-aaa-domain-radiusproxy] ip-pool office_v4
[~BRAS1-aaa-domain-radiusproxy] ipv6-pool office_v6
[~BRAS1-aaa-domain-radiusproxy] quit
[~BRAS1-aaa] quit

Step 5 Configure a RADIUS proxy.
# Configure a RADIUS client. The IP address of the RADIUS client must be the
same as that configured through the radius-server source ip-address command
on the WAC. If there are multiple WACs on the network, you can run this
command to configure multiple IP addresses or a network segment for them.
[~BRAS1] radius-client 10.10.0.0 mask 255.255.0.0 server-group shenlan shared-key-cipher EDU@1234
[*BRAS1] commit

# (Required when a Huawei WAC is connected) Configure the NAS-Identifier
attribute to be not sent when a RADIUS client is connected.
[~BRAS1] radius-client 10.10.0.0 mask 255.255.0.0 attribute disable nas-identifier dm-request
[*BRAS1] commit

# Configure the local IP address used by the RADIUS server to create UDP sockets
with local ports 1645, 1646, and 3799.
[~BRAS1] radius local-ip 10.10.0.1
[*BRAS1] commit

# (Optional) Configure a DSCP value for RADIUS packets sent from the BRAS to
the WAC.
To prevent RADIUS packets from being discarded due to network congestion, run
the following commands to increase the DSCP value of RADIUS packets sent from
the BRAS to a RADIUS proxy.
[~BRAS1] radius-client packet dscp 48
[*BRAS1] commit

Step 6 (Optional) Configure avalanche prevention for the RADIUS proxy to adjust the
access rate of RADIUS proxy users.
NOTE

1. In RADIUS proxy scenarios, the default access rate of a high-performance MPU is 200
users per second, and that of a low-performance MPU is 150 users per second. For details
about how to improve the access performance, see the board specifications.
2. To view RADIUS proxy statistics, run the display radius-client statistics global
command. When the RADIUS proxy server continuously discards a large number of packets,
perform the following operations based on the processing capability of the BRAS: decrease
the first-packet processing rate of the RADIUS proxy server; increase the suppression and
recovery thresholds for the number of active sessions on the RADIUS proxy, the bandwidth
of whitelist CPCAR for RADIUS, and the sending rate limit for total CAR.
3. Before increasing the RADIUS proxy access rate, check whether the processing
performance of the RADIUS server can meet the requirements, especially in the
scenario where one server connects to multiple BAS devices. This prevents the
server from being suspended due to the increase in concurrent access requests.

To change the access rate of RADIUS proxy users to 500 users per second, perform
the following operations:

# Set the first-packet processing rate of the RADIUS proxy.
[~BRAS1] radius-client first-packet rate 500
[*BRAS1] commit

# Configure the suppression and recovery thresholds for the number of active
sessions on the RADIUS proxy.
[~BRAS1] aaa
[*BRAS1-aaa] access-speed adjustment system-state radius-proxy active-session threshold restrain 600 resume 550
[*BRAS1-aaa] commit
[~BRAS1-aaa] quit

# Increase the bandwidth of whitelist CPCAR for RADIUS.
[~BRAS1] cpu-defend policy 6
[*BRAS1-cpu-defend-policy-6] car whitelist radius cir 6000 cbs 4000000
[*BRAS1-cpu-defend-policy-6] car total-packet high
[*BRAS1-cpu-defend-policy-6] commit
[~BRAS1-cpu-defend-policy-6] quit
[~BRAS1] slot 9
[~BRAS1-slot-9] cpu-defend-policy 6
[*BRAS1-slot-9] commit
[~BRAS1-slot-9] quit

# Increase the bandwidth of whitelist session-CAR for RADIUS.
[~BRAS1] whitelist session-car radius pir 6000 pbs 1000000
[*BRAS1] commit

Step 7 Configure BAS access on an interface.
# Configure a sub-interface and a user-side VLAN.
[~BRAS1] interface Eth-Trunk8.3116
[*BRAS1-Eth-Trunk8.3116] commit
[~BRAS1-Eth-Trunk8.3116] user-vlan 3116
[~BRAS1-Eth-Trunk8.3116-vlan-3116-3116] quit

# Enable IPv6 and configure stateful address autoconfiguration on the interface.
[~BRAS1-Eth-Trunk8.3116] ipv6 enable
[*BRAS1-Eth-Trunk8.3116] ipv6 address auto link-local
[*BRAS1-Eth-Trunk8.3116] commit

# Apply the remote backup profile.
[~BRAS1-Eth-Trunk8.3116] remote-backup-profile p1
[*BRAS1-Eth-Trunk8.3116] commit

# Configure BAS access on the interface.
[~BRAS1-Eth-Trunk8.3116] bas
[~BRAS1-Eth-Trunk8.3116-bas] access-type layer2-subscriber default-domain authentication radiusproxy
[*BRAS1-Eth-Trunk8.3116-bas] authentication-method bind
[*BRAS1-Eth-Trunk8.3116-bas] authentication-method-ipv6 bind
[*BRAS1-Eth-Trunk8.3116-bas] commit

# Configure port roaming on the BAS interface. If a BAS interface or VLAN
switching occurs when the user moves, BAS port roaming is triggered.
[*BRAS1-Eth-Trunk8.3116-bas] dhcp session-mismatch action offline
[*BRAS1-Eth-Trunk8.3116-bas] wlan-switch enable
[*BRAS1-Eth-Trunk8.3116-bas] ip-trigger
[*BRAS1-Eth-Trunk8.3116-bas] arp-trigger
[*BRAS1-Eth-Trunk8.3116-bas] ipv6-trigger
[*BRAS1-Eth-Trunk8.3116-bas] nd-trigger
[*BRAS1-Eth-Trunk8.3116-bas] commit
[~BRAS1-Eth-Trunk8.3116-bas] quit
[~BRAS1-Eth-Trunk8.3116] quit

----End
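
The WAC commands in 8.2.1 and the BRAS commands in 8.2.2 have to agree on three values: the WAC's RADIUS source address must fall inside the BRAS radius-client range, the WAC's server address must be the BRAS radius local-ip, and both ends must hold the same shared key. The following Python script is an added example (not part of the Huawei guide) that cross-checks a planned command script before it is entered on the devices; WAC_PLAN, BRAS_PLAN, need, parse_wac, parse_bras and audit are names chosen here, and the last check, which flags one shared key reused on both the WAC-to-BRAS and BRAS-to-AAA legs, is an added hardening check rather than a requirement stated in the guide.

```python
import ipaddress
import re

# Planned commands from sections 8.2.1 (WAC) and 8.2.2 (BRAS), prompts removed.
WAC_PLAN = """\
radius-server template BRAS
 radius-server authentication 10.10.0.1 1812
 radius-server accounting 10.10.0.1 1813
 radius-server shared-key cipher EDU@1234
radius-server source ip-address 10.10.100.1
radius-server authorization 10.10.0.1 share-key cipher EDU@1234 server-group BRAS
radius-server authorization server-source ip-address 10.10.100.1
"""
BRAS_PLAN = """\
radius-server group shenlan
 radius-server shared-key-cipher EDU@1234
 radius-server authentication 172.31.4.216 1812
 radius-server accounting 172.31.4.216 1813
 radius-server nas-ip-address 10.10.0.1
radius-client 10.10.0.0 mask 255.255.0.0 server-group shenlan shared-key-cipher EDU@1234
radius local-ip 10.10.0.1
"""


def need(pattern, text, what):
    """Return the capture groups of the first matching command line, or fail loudly."""
    match = re.search(r"^[ \t]*" + pattern + r"[ \t]*$", text, re.MULTILINE)
    if match is None:
        raise ValueError(f"command not found in plan: {what}")
    return match.groups()


def parse_wac(text):
    """Extract the RADIUS servers, keys and source address the WAC will use."""
    authz, authz_key, _group = need(
        r"radius-server authorization (\S+) share-key cipher (\S+) server-group (\S+)",
        text, "WAC authorization server")
    return {
        "servers": {
            need(r"radius-server authentication (\S+) \d+", text, "WAC authentication server")[0],
            need(r"radius-server accounting (\S+) \d+", text, "WAC accounting server")[0],
            authz,
        },
        "keys": {
            need(r"radius-server shared-key cipher (\S+)", text, "WAC template key")[0],
            authz_key,
        },
        "source": ipaddress.ip_address(
            need(r"radius-server source ip-address (\S+)", text, "WAC source address")[0]),
    }


def parse_bras(text):
    """Extract the proxy listener, the permitted client range and both keys on the BRAS."""
    net, mask, _group, client_key = need(
        r"radius-client (\S+) mask (\S+) server-group (\S+) shared-key-cipher (\S+)",
        text, "BRAS radius-client")
    return {
        "client_net": ipaddress.ip_network(f"{net}/{mask}", strict=False),
        "client_key": client_key,
        "upstream_key": need(r"radius-server shared-key-cipher (\S+)", text,
                             "BRAS server-group key")[0],
        "local_ip": need(r"radius local-ip (\S+)", text, "BRAS radius local-ip")[0],
    }


def audit(wac_text, bras_text):
    """Return {check name: passed?} for the WAC/BRAS RADIUS proxy pairing."""
    wac, bras = parse_wac(wac_text), parse_bras(bras_text)
    return {
        # Step 5: the client address must match the WAC's radius-server source ip-address.
        "wac_source_in_client_range": wac["source"] in bras["client_net"],
        # 8.2.1 Step 1: every server the WAC talks to is the BRAS proxy address.
        "wac_servers_are_proxy_ip": wac["servers"] == {bras["local_ip"]},
        # Both ends of the WAC-to-BRAS leg hold one and the same shared key.
        "wac_bras_key_match": wac["keys"] == {bras["client_key"]},
        # Added hardening check: the BRAS-to-AAA leg uses a different key.
        "upstream_key_distinct": bras["client_key"] != bras["upstream_key"],
    }


if __name__ == "__main__":
    for name, passed in audit(WAC_PLAN, BRAS_PLAN).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Run it on the plaintext plan: keys entered with the cipher keyword are stored and displayed encrypted, so a saved device configuration cannot be compared this way.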

Verifying the Configuration


1. Associate a STA with the configured SSID, enter the user name and password,
and go online without using the certificate. The STA is authenticated and can
access the network.
2. Check information about online users on the BRAS.
# Run the display access-user command to view statistics about all online
users.
[~ME60_BRAS01]disp access-user
------------------------------------------------------------------------------
Total users :4
IPv4 users :0
IPv6 users :0
Dual-Stack users :2
Lac users :0
RUI local users :2
RUI remote users :0
Wait authen-ack :0
Authentication success :4
Accounting ready :3
Accounting state :1
Wait leaving-flow-query :0
Wait accounting-start :0
Wait accounting-stop :0
Wait authorization-client :0
Wait authorization-server :0
------------------------------------------------------------------------------
Domain-name Online-user
------------------------------------------------------------------------------
default0 :0
default1 :0
default_admin :2
802dot1x :0
web-auth :1
after-auth :0
mac-auth :0
portal_before_srun :0
portal_after_srun :0
radiusproxy :1
web-auth-tesgine :0
after-auth-tesgine :0
web-auth-2 :0
after-auth-2 :0
radiusproxy2 :0
mac-auth-2 :0
------------------------------------------------------------------------------
The used CID table are :
6145-7168,2094260,2094318
------------------------------------------------------------------------------
# Display detailed information about a specified user using the display
access-user [ user-id user-id-value| username user-name| ip-address ip-addr|
ipv6-address ipv6-addr] verbose command. Radius Proxy Info displays
RADIUS proxy information, and RadiusClientIP indicates the WAC's IP
address.
[~ME60_BRAS01]disp access-user username teacher verbose
-------------------------------------------------------------------
Basic:
User access index : 7168
State : Used
User name : teacher(Radius)
Domain name : radiusproxy
Backup from(IPv4) : Local
Backup from(IPv6) : Local
RUI user state : Master
User access interface : Eth-Trunk8.3116
User access physical interface: GigabitEthernet5/0/0
User access PeVlan/CeVlan : 3117/-
User access slot :5
User MAC : 5225-7639-f88d
User IP address : 10.10.111.246
User IP netmask : 255.255.255.255
User gateway address : 10.10.111.1
User Primary-DNS : 10.6.4.66
User Secondary-DNS : 10.6.4.67
User IPv6 NDRA Prefix : 2001:DA1:207:E038::/64
User Authen IP Type : ipv4/ipv6/-
User Basic IP Type : -/-/-
Server IP : 10.10.111.1
IPv6 address assignment protocol : NDRA
IPv6 configuration information allocation protocol : DHCPv6
IPv6 address assignment mode : -
RA link-prefix : Disable
Coa-zero-lease : No
User lease : 2024-10-17 20:28:55---2024-10-20 20:28:55
Remain lease(sec) : 258973
User access type : IPOE
User authentication type : Bind authentication
Agent-Circuit-Id :-
Agent-Remote-Id :-
Access-line-id Information(dhcpv4 option82): -
Access start time : 2024-10-17 20:28:56
User-Group :-
Next-hop :-
Policy-route-IPV6-address :-

AAA:
Server-template of second acct: -
Current authen method : RADIUS-PROXY authentication
Authen result : Success
Current author method : Idle
Author result : Success
Action flag : Idle
Authen state : Authed
Author state : Idle
Configured accounting method : RADIUS accounting
Quota-out : Offline
Current accounting method : RADIUS accounting
Realtime-accounting-switch : Open
Realtime-accounting-interval(sec) : 900
Realtime-accounting-send-update : No
Realtime-accounting-traffic-update : No
Accounting start time : 2024-10-17 20:28:56
Online time (h:min:sec) : 00:03:46
Accounting state : Accounting
Accounting session ID : BRAS052083117000005c6c4dAAAB1m
MTU : 1500
IPv6 MTU : 1500
Idle-cut direction : Both
Idle-cut-data (time,rate,idle): 0 sec, 60 kbyte/min, 0 min 0 sec
Ipv4 Realtime speed : 0 kbyte/min
Ipv4 Realtime speed inbound : 0 kbyte/min
Ipv4 Realtime speed outbound : 0 kbyte/min
Ipv6 Realtime speed : 0 kbyte/min
Ipv6 Realtime speed inbound : 0 kbyte/min
Ipv6 Realtime speed outbound : 0 kbyte/min

Dot1X:
User MSIDSN name :-
EAP user : No
MD5 end : No

VPN&Policy-route:
Vpn-Instance :-
IPv6 Vpn-Instance :-

Multicast Service:
Multicast-profile :-
Multicast-profile-ipv6 :-
Max Multicast List Number :4
IGMP enable : Yes
PIM-SM enable : No
PIM-SM-V6 enable : No

ACL&QoS:
Link bandwidth auto adapt : Disable
UpPriority : Unchangeable
DownPriority : Unchangeable

Flow Statistic:
If flow info contain l2-head : Yes
Flow-Statistic-Up : Yes
Flow-Statistic-Down : Yes
Up packets number(high,low) : (0,78)
Up bytes number(high,low) : (0,12988)
Down packets number(high,low) : (0,86)
Down bytes number(high,low) : (0,29291)
IPV6 Up packets number(high,low) : (0,0)
IPV6 Up bytes number(high,low) : (0,0)
IPV6 Down packets number(high,low) : (0,0)
IPV6 Down bytes number(high,low) : (0,0)

Dslam information :
Circuit ID :-
Remote ID :-
Actual datarate upstream :0(Kbps)
Actual datarate downstream :0(Kbps)
Min datarate upstream :0(Kbps)
Min datarate downstream :0(Kbps)
Attainable datarate upstream :0(Kbps)
Attainable datarate downstream :0(Kbps)
Max datarate upstream :0(Kbps)
Max datarate downstream :0(Kbps)
Min lowpower datarate upstream :0(Kbps)
Min lowpower datarate downstream :0(Kbps)
Max delay upstream :0(s)
Max delay downstream :0(s)
Actual delay upstream :0(s)
Actual delay downstream :0(s)
Access loop encapsulation :0x000000

Radius Proxy Info:
BrasIP : 10.10.0.1
RadiusClientIP : 10.10.200.1
Vpn-Instance :-
AcctSessionID : WAC3000000000031177588bc0401457
LogicHostName : WAC3
CallingStationId : 5225-7639-f88d
CalledStationId : 28-FB-AE-B8-7E-10:EDU_dot1x
Nas-IP-Address : 10.10.200.1
-------------------------------------------------------------------
3. Run the display station all command on the WAC to check information
about online STAs.
[WAC1]display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address SSID IPv6 address Online time
-----------------------------------------------------------------------------------------------------------------------
5225-7639-f88d 2 AirEngine5773-21_1 1/2 5G 11be 6/172 -65 3117 10.10.111.246 EDU_dot1x 2001:DA1:207:E038:1501:CFFF:8431:8DE6 000:00:06:27
-----------------------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1 6G: 0

4. If a user fails to go online, run the display aaa online-fail-record command
on the BRAS to check the user's online failure records or check the user's
authentication records on the AAA server.
[~BRAS1] display aaa normal-offline-record mac-address 00e0-fc12-3456
--------------------------------------------
User name : HUAWEI-02017000000000@dom1
Domain name : dom1
User MAC : 00e0-fc12-3456
User access type : IPoE
User access interface: GigabitEthernet1/0/1.1
User access PeVlan/CeVlan : -/-
User IP address : -
User IPv6 address : 2001:db8::2/128
User ID :0
User authen state : Authened
User acct state : AcctReady
User author state : AuthorIdle
User login time : 2012-01-09 13:38:41
User offline time : 2012-01-09 14:15:44
User offline reason: DHCPV6 client release
--------------------------------------------
Are you sure to display some information?[Y/N]:

5. If a user goes offline, run the display aaa offline-record command on the
BRAS to check the user's offline records or check the user's authentication
records on the AAA server.
[~BRAS1] display aaa normal-offline-record mac-address 00e0-fc12-3456
--------------------------------------------
User name : HUAWEI-02017000000000@dom1
Domain name : dom1
User MAC : 00e0-fc12-3456
Stack type flag : IPv4
User access type : IPoE
User access interface: GigabitEthernet1/0/1.1
User access PeVlan/CeVlan : -/-
User IP address : 10.10.0.254
User IPv6 address : 2001:db8::2/128
User ID :0
User authen state : Authened
User acct state : AcctReady
User author state : AuthorIdle
User login time : 2012-01-09 13:38:41
User offline time : 2012-01-09 14:15:44
User offline reason: User request to offline
--------------------------------------------
Are you sure to display some information?[Y/N]:

6. Run the cut access-user command to forcibly disconnect an online user on
the BRAS.
[~BRAS] aaa
[~BRAS-aaa] cut access-user username teacher
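
The check in step 2 above (Radius Proxy Info, where RadiusClientIP is the WAC's address) can be scripted against captured output of display access-user ... verbose. The following Python script is an added example, not part of the Huawei guide: SAMPLE is an excerpt of the output shown on this page with constructed indentation, and parse_verbose, norm_mac and check_proxy_session are names chosen here.

```python
import ipaddress
import re

# Excerpt of the step 2 sample output; indentation and column alignment are constructed.
SAMPLE = """\
Basic:
  User name                     : teacher(Radius)
  Domain name                   : radiusproxy
  User access interface         : Eth-Trunk8.3116
  User MAC                      : 5225-7639-f88d
  User IP address               : 10.10.111.246
AAA:
  Current authen method         : RADIUS-PROXY authentication
  Authen result                 : Success
  Online time (h:min:sec)       : 00:03:46
Radius Proxy Info:
  BrasIP                        : 10.10.0.1
  RadiusClientIP                : 10.10.200.1
  CallingStationId              : 5225-7639-f88d
  CalledStationId               : 28-FB-AE-B8-7E-10:EDU_dot1x
  Nas-IP-Address                : 10.10.200.1
"""

# A key ends at the first colon that is not inside parentheses, so keys such as
# "Online time (h:min:sec)" and values that contain colons are both kept whole.
LINE = re.compile(r"^\s*((?:[^:(]|\([^)]*\))+?)\s*:\s*(.*?)\s*$")


def parse_verbose(text):
    """Return {section: {field: value}} for one user's verbose record."""
    sections, current = {}, None
    for raw in text.splitlines():
        match = LINE.match(raw)
        if match is None:
            continue                          # separator rows and blank lines
        key, value = match.groups()
        if value == "":                       # section header such as "Basic:"
            current = sections.setdefault(key, {})
        elif current is not None:             # empty fields are printed as "-"
            current[key] = value
    return sections


def norm_mac(value):
    """Reduce 5225-7639-f88d or 28-FB-AE-B8-7E-10 style MACs to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def check_proxy_session(text, client_range, domain, ssid):
    """Return a list of problems found in one session record (empty list = consistent)."""
    record = parse_verbose(text)
    basic, aaa = record.get("Basic", {}), record.get("AAA", {})
    proxy = record.get("Radius Proxy Info")
    if proxy is None:
        return ["no Radius Proxy Info section: the session did not use the RADIUS proxy"]
    problems = []
    if basic.get("Domain name") != domain:
        problems.append(f"Domain name is {basic.get('Domain name')!r}, expected {domain!r}")
    if not aaa.get("Current authen method", "").startswith("RADIUS-PROXY"):
        problems.append("Current authen method is not RADIUS-PROXY authentication")
    try:
        client = ipaddress.ip_address(proxy.get("RadiusClientIP", ""))
        if client not in ipaddress.ip_network(client_range):
            problems.append(f"RadiusClientIP {client} is outside {client_range}")
    except ValueError:
        problems.append("RadiusClientIP is missing or malformed")
    try:
        if norm_mac(proxy.get("CallingStationId", "")) != norm_mac(basic.get("User MAC", "")):
            problems.append("CallingStationId does not match User MAC")
    except ValueError as exc:
        problems.append(str(exc))
    # CalledStationId is "<AP MAC>:<SSID>"; the MAC part uses hyphens, so split once.
    if proxy.get("CalledStationId", "").partition(":")[2] != ssid:
        problems.append(f"CalledStationId does not end in SSID {ssid!r}")
    return problems


if __name__ == "__main__":
    # 10.10.0.0/16 is the radius-client range configured in Step 5 of 8.2.2.
    print(check_proxy_session(SAMPLE, "10.10.0.0/16", "radiusproxy", "EDU_dot1x") or "consistent")
```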


8.3 Service Deployment for Wired Dumb Terminals

8.3.1 Configuring a Wired Network

Procedure
Step 1 Configure a user subnet gateway on the core switch.
1. Choose Network Configuration > Site Configuration > Site Configuration
from the main menu, click the Site Configuration tab, and choose Switch >
Subnet from the navigation pane, and create a subnet.

2. Click Create to create a service gateway for users and set parameters based
on the site requirements. Select a core switch from the Device drop-down list,
set Subnet name, and set VLAN ID and IP/Mask. Enable DHCP, set DNS
service, and disable Management network. Then click OK.

3. Repeat the preceding steps to create gateways for all users.

Step 2 Configure the interconnection interfaces between the core, aggregation, and
access switches to allow packets from corresponding service VLANs to pass
through.
1. Choose Network Configuration > Site Configuration > Site Configuration,
click the Site Configuration tab, choose Switch > Interface from the
navigation pane, select a switch, and select a device interconnection interface.

2. Click the Eth-Trunk icon on the interface, set Link type to Trunk, add allowed
VLANs, and click Apply.

3. Configure the interconnection interfaces between switches to allow packets
from corresponding service VLANs to pass through.

Step 3 Configure the type of user access interfaces and service VLANs on the access
switches.

Choose Network Configuration > Site Configuration > Site Configuration from
the main menu, click the Site Configuration tab, choose Switch > Interface from
the navigation pane, select an access switch, select an interface, set Link type to
Access, add the interface to a service VLAN, and click Apply.

----End

8.3.2 Configuring MAC Address Authentication on Switches

Procedure
Step 1 Create a RADIUS server template.
1. Choose Network Configuration > Global Settings > Template
Management, click the Policy Template tab, and select RADIUS Server.


2. Click Create and configure a RADIUS server template. If Type is set to Built-
in, iMaster NCE-Campus is used as the authentication server. If Type is set to
Third-party, a third-party authentication server is used.

Step 2 Configure MAC address authentication on the authentication control point, and
bind the configured RADIUS server template to it.
1. Choose Network Configuration > Site Configuration > Site Configuration
from the main menu, and click the Site Configuration tab. Choose Switch >
Authentication from the navigation pane, click the Wired Authentication
tab, and click Create.
2. Set Authentication mode to MAC address authentication, select the
RADIUS server template configured in step 1 for RADIUS server, select a
bypass policy to grant specified network access rights to users when the
device is disconnected from the authentication server, and click OK.

3. In the Bound Device Interface List area, select an authentication interface.
An authentication interface can be a physical interface or a VLANIF interface.
Configure an authentication interface based on the actual scenario.

Step 3 Configure a default permit rule for the access device to allow access to the
domain names or IP addresses of the authentication, DHCP, and DNS servers.
1. Choose Network Configuration > Site Configuration > Site Configuration
from the main menu, and click the Site Configuration tab. Choose Switch >
Authentication from the navigation pane, click the Default Permit Rule tab,
and click Create.


2. Set Name and click ... on the right of ACL to create an ACL. In the displayed
dialog box, create ACL rules to allow access to the authentication server, DNS
server, and DHCP server by specifying the corresponding IP address segments.
Then select the authentication device where the default permit rule is to be
applied. After the configuration is completed, click OK.

Step 4 Configure the authentication server. (If iMaster NCE-Campus is used as the
authentication server, perform the following steps. If a third-party authentication
server is used, contact technical support from vendors.)
1. Choose Admission Management > Admission Resource > Admission User
Management from the main menu, click the User tab, click , and create a
user group named Printer_MAC. It is recommended that MAC accounts with
the same permissions be added to the same user group. This facilitates
subsequent authorization based on user groups.

2. Choose Admission Management > Admission Resource > Admission User
Management from the main menu, click the MAC Account tab, and click
Create to create a MAC account for a dumb terminal (a printer is used as an
example). Specifically, set MAC Account Name, and set the MAC address of
the printer in the MAC account information. Then, add the MAC account to
the user group named Printer_MAC.

3. Create an authentication rule.
Choose Admission Management > Admission Policy > Authentication and
Authorization from the main menu and click the Authentication Rule tab.
Click Create. On the displayed page, set Authentication mode to MAC
address authentication and Access mode to Wired. In addition, toggle on
Match user groups, set User group to which MAC accounts are mapped to
Printer_MAC, and select authentication protocols. Then click OK.


4. Create an authorization result. Assume that the printer can access only
network segment 10.1.2.0/24 after being authenticated. The configuration is
as follows.
Choose Admission Management > Admission Policy > Authentication and
Authorization from the main menu and click the Authorization Result tab.
Click Create. On the displayed page, set Name to Printer_MAC_Result and
ACL to Printer_MAC_Author_ACL. You can configure an ACL on this page to
allow packets destined for 10.1.2.0/24 to pass through. For user authorization,
you have to configure a numbered ACL. After the configuration is completed,
click OK.

5. Create an authorization rule.
Choose Admission Management > Admission Policy > Authentication and
Authorization, and click the Authorization Rule tab. Click Create. On the
displayed page, set Authentication mode to MAC address authentication
and Access mode to Wired. In addition, toggle on Match user groups, set
User group to which MAC accounts are mapped to Printer_MAC, and set
Authorization result to Printer_MAC_Result. Then click OK.

----End


9 Security Solution Deployment

9.1 Overview
Users exploit defects of the broadband accounting technology to cut down their
broadband costs. Specifically, they purchase their personal broadband services and
share the services with their roommates through unauthorized routers or
unauthorized software, and in return their roommates pay a certain fee for the
services.
The switch has built-in intelligent identification of unauthorized access, and a
lightweight deployment solution identifies unauthorized access during
forwarding. The network administrator enables the unauthorized access
prevention function in one-click mode. The access switch passively listens to
uplink packets in the forwarding process and constructs a flow sequence feature
profile. Based on the terminal flow sequence detection algorithm, it determines
whether there is a flow sequence exception and whether an unauthorized access
behavior exists, and identifies the type of the unauthorized access behavior.
When detecting flow sequence hopping, the switch collects hopping information,
sends the information to iMaster NCE-Campus, and collects evidence based on the
terminal fingerprint database. iMaster NCE-Campus displays the unauthorized
access detection result and provides handling functions, such as MAC
address-based blocking.


Figure 9-1 Service process of unauthorized access prevention in a campus

Process description:

1. The network administrator enables the unauthorized access prevention
function on the iMaster NCE-Campus controller GUI.
2. iMaster NCE-Campus delivers the unauthorized access prevention
configurations to the access switch.
3. After unauthorized access prevention is enabled globally, the switch analyzes
whether unauthorized access behaviors exist.
4. Users access the network through unauthorized routers, hubs, and Wi-Fi
sharing by agent software.
5. The switch sends specific packets to the unauthorized access prevention
module as required. The module detects unauthorized access behaviors,
including unauthorized router connections, unauthorized hub connections,
and Wi-Fi sharing by agent software, based on the packets sent from the
switch.
6. When detecting an unauthorized access behavior, the switch sends an alarm
to iMaster NCE-Campus. iMaster NCE-Campus receives the alarm and stores
the unauthorized access information.
7. Based on the policy defined on iMaster NCE-Campus, the identified
unauthorized access behavior is blocked collaboratively. The blocking action is
ACL filtering.

9.2 Deployment Process


Table 9-1 shows the deployment process of unauthorized terminal access
prevention.


Table 9-1 Deployment process of the security solution


| Deployment Process | Description |
| --- | --- |
| 9.3 Enabling the Function of Reporting Terminal Monitoring Information | Enable the function of reporting terminal monitoring information. |
| 9.4 Enabling Terminal Identification | Enable terminal identification. |
| 9.5 Configuring Unauthorized Terminal Access Prevention | 9.5.1 Configuring Unauthorized Terminal Access Prevention; 9.5.2 (Optional) Disabling Detection on an Interface; 9.5.3 Checking the Detection Result of Unauthorized Access Prevention; 9.5.4 Checking Unauthorized Access Prevention Alarms; 9.5.5 Blocking Unauthorized Terminal Access; 9.5.6 Canceling Unauthorized Access Blocking |

9.3 Enabling the Function of Reporting Terminal Monitoring Information

Procedure
Step 1 On iMaster NCE-Campus, choose Monitoring > Monitoring Settings > Data
Collection Configuration.
Step 2 Choose HTTP, enable Report terminal monitoring information, and click OK.


----End

9.4 Enabling Terminal Identification


Procedure
Step 1 On iMaster NCE-Campus, choose Admission > Admission Resource > Terminal
Management > Terminal Configuration.

Step 2 Enable Terminal identification and click OK.

----End

9.5 Configuring Unauthorized Terminal Access Prevention


9.5.1 Configuring Unauthorized Terminal Access Prevention

Procedure
NOTE

● Only the switches running V600 support the unauthorized access prevention function.
● The unauthorized access prevention function can be enabled on the aggregation switch.
Applicable scenarios: VXLAN deployed across core and aggregation layers and VLAN
deployed across core and aggregation layers
Applicable models: S5755-H, S5732-H-V2, S6730-H-V2, and S6750-H
● The unauthorized access prevention function can be enabled on the access switch.
Applicable scenarios: VXLAN deployed across core and access layers and VLAN deployed
across core and access layers
Applicable models: S5755-H, S5732-H-V2, S6730-H-V2, S6750-H, S5735-L-V2,
S5735-S-V2, S5735I-L-V2, S5735I-S-V2, S5535-L-V2, and S5535-S-V2
● False positives occur when the unauthorized hub access prevention function is enabled
on the switch that is not directly connected to terminals.
● After the unauthorized access prevention function is enabled, the CPU usage of the
device increases. Therefore, exercise caution when enabling this function.

Step 1 Choose Provision > Device > Device Configuration from the main menu of
iMaster NCE-Campus, select the devices to be configured in the Device List, and
click OK.


Step 2 In the Feature List on the left, choose Unauthorized access prevention >
Unauthorized access prevention and click Unauthorized access prevention
type.

Step 3 Click Create, select an unauthorized access prevention type, and click OK to create
multiple unauthorized access prevention tasks.

Step 4 Click Commit.


Step 5 Check the configuration delivery of unauthorized access prevention on the
corresponding switch.
[ACC1] display current-configuration | include uap
uap enable uap-type unauthorized-hub
uap enable uap-type unauthorized-router
uap enable uap-type wi-fi-sharing

----End

9.5.2 (Optional) Disabling Detection on an Interface


Context
As a global function, unauthorized access detection takes effect on all ports once
it is enabled. If some ports are trusted in an actual project, you can disable
unauthorized access detection on these ports. After unauthorized access detection
is disabled on a port, the device no longer performs this detection on the uplink
traffic of the port.

Procedure
Step 1 Choose Provision > Device > Device Configuration from the main menu of
iMaster NCE-Campus, select the devices to be configured in the Device List, and
click OK.


Step 2 In the Feature List on the left, choose Unauthorized access prevention >
Unauthorized access prevention and click Disabled detection interface.


Step 3 Click Create.

Step 4 Click Create, enter interface information, and click OK. You can add multiple
interfaces on which unauthorized access detection is to be disabled.


Step 5 Select the created interface and click OK.

Step 6 Click OK.


Step 7 Click Commit.

Step 8 Check the configuration delivery of disabling unauthorized access detection on
interfaces on the switch.
[ACC1] display current-configuration | include uap
uap enable uap-type unauthorized-hub
uap enable uap-type unauthorized-router
uap enable uap-type wi-fi-sharing
uap disabled-detection-interface MultiGE1/0/1
uap disabled-detection-interface MultiGE1/0/2
uap disabled-detection-interface MultiGE1/0/3

----End

9.5.3 Checking the Detection Result of Unauthorized Access Prevention

You can check the detection result of unauthorized access prevention on iMaster
NCE-Campus or by running commands on the device.


NOTE

● The detection result of unauthorized access prevention on a terminal for which
authentication is not configured or whose authentication point is on the BRAS does not
contain Access Device Name and Access Device Port.
● There may be a delay of 5 to 15 minutes for displaying Access Device Port in the
detection result of unauthorized access prevention on the controller.

Procedure
Step 1 Query the detection result of unauthorized access prevention on the switch port. If
the query result contains data, unauthorized access exists on the port, and
Ua-type indicates the unauthorized access type.
[ACC1] display uap detection-results
------------------------------------------------------------------------------------
Interface MAC Ip-address Ua-type Detection-time
------------------------------------------------------------------------------------
100GE1/0/1 0010-9400-0005 192.168.99.138 wi-fi-sharing 2024-05-06T16:40:53+08:00

Step 2 Choose Admission > Admission Resources > Terminal Management from the
main menu of iMaster NCE-Campus and click Private Terminal. On the
Unauthorized Terminal List tab page, you can view the unauthorized access
result, including the MAC address, unauthorized access type, access device name
and port, reported device name and port, and blocking status.

----End

9.5.4 Checking Unauthorized Access Prevention Alarms


You can check the unauthorized access prevention alarms on iMaster NCE-
Campus.

Procedure
Step 1 Choose Monitoring > Alarm > Current Alarms from the main menu of iMaster
NCE-Campus. The alarm named The terminal is unauthorized terminal is then
displayed.

Step 2 Click the alarm name to view alarm details, including the unauthorized access
type, terminal IP address and MAC address, and reported device name and port.


----End

9.5.5 Blocking Unauthorized Terminal Access


On iMaster NCE-Campus, you can block the ports to which unauthorized terminals
are connected.

NOTE

If a port is shut down, the device may be out of management, which poses high risks.
Therefore, this blocking mode is not recommended.

Procedure
Step 1 Choose Admission > Admission Resources > Terminal Management from the
main menu of iMaster NCE-Campus and click Private Terminal. On the
Unauthorized Terminal List tab page, select the unauthorized terminal and click
MAC Block Reporting Device.

Step 2 Select I understand the risks and want to continue and click OK.


In this case, Blocking Status changes to Reporting device MAC address
blocking, indicating that the blocking is successful.

Step 3 Check the delivery of MAC address blocking on the switch.


[ACC1] display current-configuration
#
traffic-policy ac_policy1 global inbound
#
traffic-policy ac_policy1 global outbound
#
acl number 4999
rule 1 name 1 deny source-mac 00-10-94-00-00-05
#
traffic classifier ac_calssifier1 type or
if-match acl 4999
#
traffic behavior ac_behavior1
#
traffic policy ac_policy1
classifier ac_calssifier1 behavior ac_behavior1 precedence 5
#

----End
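
Added example (not part of the Huawei guide): the Python script below cross-checks the command outputs used in 9.5.1 Step 5, 9.5.2 Step 8, 9.5.3 Step 1, and 9.5.5 Step 3. It reports detection types that are not enabled, detected terminals that have no deny rule in ACL 4999, and deny rules with no current detection. The sample text is constructed in the format shown above; the function names and the expected-type list are assumptions of this example.

```python
import re

# Constructed sample output in the format shown in sections 9.5.1 to 9.5.5.
# The second detection row, the second ACL rule and the garbled last uap line
# are made up for this example.
UAP_CONFIG = """\
uap enable uap-type unauthorized-hub
uap enable uap-type wi-fi-sharing
uap disabled-detection-interface MultiGE1/0/1
uap disabled detection interface MultiGE1/0/3
"""

DETECTION_RESULTS = """\
------------------------------------------------------------------------------------
Interface    MAC             Ip-address      Ua-type        Detection-time
------------------------------------------------------------------------------------
100GE1/0/1   0010-9400-0005  192.168.99.138  wi-fi-sharing  2024-05-06T16:40:53+08:00
100GE1/0/2   0010-9400-0006  192.168.99.139  wi-fi-sharing  2024-05-06T16:42:10+08:00
"""

RUNNING_CONFIG = """\
#
acl number 4999
 rule 1 name 1 deny source-mac 00-10-94-00-00-05
 rule 2 name 2 deny source-mac 00-10-94-00-00-09
#
"""

# Assumption: all three types from 9.5.1 Step 5 are meant to be enabled.
EXPECTED_TYPES = {"unauthorized-hub", "unauthorized-router", "wi-fi-sharing"}
BLOCK_ACL = "4999"  # ACL that holds the blocking rules in the guide's sample output


def norm_mac(mac):
    """Reduce 0010-9400-0005 or 00-10-94-00-00-05 to the same 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_uap_config(text):
    """Return (enabled types, detection-disabled interfaces, unrecognized uap lines)."""
    enabled, disabled, unknown = set(), set(), []
    for line in (l.strip() for l in text.splitlines()):
        if not line.startswith("uap "):
            continue
        if m := re.fullmatch(r"uap enable uap-type (\S+)", line):
            enabled.add(m.group(1))
        elif m := re.fullmatch(r"uap disabled-detection-interface (\S+)", line):
            disabled.add(m.group(1))
        else:
            unknown.append(line)  # a form not shown in the guide: review by hand
    return enabled, disabled, unknown


DETECTION_ROW = re.compile(
    r"(\S+)\s+([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_detections(text):
    """Parse data rows; separator and header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = DETECTION_ROW.fullmatch(line.strip())
        if m:
            iface, mac, ip, ua_type, seen = m.groups()
            rows.append({"interface": iface, "mac": norm_mac(mac), "ip": ip,
                         "ua_type": ua_type, "time": seen})
    return rows


def parse_block_rules(config, acl=BLOCK_ACL):
    """Collect source MACs denied inside 'acl number <acl>'; '#' ends a section."""
    blocked, in_acl = set(), False
    for line in (l.strip() for l in config.splitlines()):
        if line == "#":
            in_acl = False
        elif line.startswith("acl number "):
            in_acl = line.split()[2] == acl
        elif in_acl and (m := re.search(r"\bdeny source-mac (\S+)", line)):
            blocked.add(norm_mac(m.group(1)))
    return blocked


def audit(uap_config, detections, running_config):
    """Compare enabled detection, current detections and delivered block rules."""
    enabled, disabled, unknown = parse_uap_config(uap_config)
    rows = parse_detections(detections)
    blocked = parse_block_rules(running_config)
    detected = {r["mac"] for r in rows}
    return {
        "missing_types": sorted(EXPECTED_TYPES - enabled),
        "detection_disabled_on": sorted(disabled),
        "unrecognized_uap_lines": unknown,
        "detected_not_blocked": [r for r in rows if r["mac"] not in blocked],
        "blocked_not_detected": sorted(blocked - detected),
    }


if __name__ == "__main__":
    for key, value in audit(UAP_CONFIG, DETECTION_RESULTS, RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

The MAC normalization matters because the detection table prints 0010-9400-0005 while the ACL rule prints 00-10-94-00-00-05 for the same terminal.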

9.5.6 Canceling Unauthorized Access Blocking


On iMaster NCE-Campus, you can cancel the blocking of the ports that are already
blocked due to unauthorized terminal access.

Procedure
Step 1 Choose Admission > Admission Resources > Terminal Management from the
main menu of iMaster NCE-Campus and click Private Terminal. On the
Unauthorized Terminal List tab page, select the unauthorized terminal and click
No blocking.


Step 2 Select I understand the risks and want to continue and click OK.

If Blocking Status changes to No Blocking, the blocking is canceled successfully.

Step 3 Check that the cancellation of MAC address blocking has been delivered to the switch.
[ACC1] display current-configuration
...
#
acl number 4999
#

----End


10 Intelligent O&M Deployment

10.1 Integrated Deployment of the Controller and Analyzer

When interconnected with iMaster NCE-Campus, iMaster NCE-CampusInsight
synchronizes information including sites, buildings/floors, wired devices, wireless
devices, and links from iMaster NCE-Campus.

NOTE

● To use the online GIS map, you need to pay for it and ensure that iMaster NCE-Campus
can access the Internet. If you choose to use a logical map instead of the online GIS
map, you can only view organizations, sites, and direct links between sites. Currently,
offline GIS maps are not supported.
● Only IPsec VPN tunnel interconnection links can be displayed on the online GIS map.
● Non-managed third-party devices can be added to the device topology, but monitoring
information such as the status of the third-party devices cannot be displayed.
● When installing iMaster NCE-Campus, you need to install the terminal identification
value-added feature and enable it so that terminals can be viewed on the digital map.
To view all information about terminals, you need to disable the terminal data masking
function.
● There is a delay of 10 to 20 minutes for terminals that go online without being
authenticated to be displayed in the terminal statistics and device topology on the
digital map.
● SNMP-managed devices can be displayed on the topology only and do not support
advanced functions such as application experience assurance and VIP user assurance on
the digital map.
● Only site-based domain management is supported. Sites and their devices are displayed
by site. Site-based domain management does not apply to applications, users, or
terminals.
● A single site can manage a maximum of 5000 devices. If the number of devices on a
campus exceeds 5000, they need to be managed at different sites.

10.1.1 Map Configuration


10.1.1.1 Configuring an Online GIS Map


To use the online GIS map mode of the digital map, you need to apply for the
map key value and configure the GIS map and GIS coordinate information of sites.
If the system administrator or MSP administrator has configured a map URL, the
map key value information is inherited by tenants and you do not need to apply
for a new one. If both the system administrator and MSP administrator have
configured a map URL, the key value configured by the MSP administrator is
inherited by default. For details, see Configuring a Map URL.

10.1.1.2 Configuring the GIS Coordinates of a Site


After the GIS coordinates of a site are configured, the actual location of the site on
the online GIS map is displayed.

Prerequisites
A GIS map has been configured. For details, see 10.1.1.1 Configuring an Online
GIS Map.

Procedure
Step 1 Create a site and configure its GIS coordinates.
● Create sites in batches and configure their GIS coordinates.
a. Log in to iMaster NCE-Campus as a tenant administrator and choose
Resource Center > Site Management from the main menu.
b. Click Batch Create, download the site configuration template, enter site
information in the template, and save the template.
The longitude and latitude are required for configuring GIS coordinates of
a site.

c. Click and select the template created in the previous step, click
Upload, and click OK.
● Create a site and configure its GIS coordinates.
Log in to iMaster NCE-Campus as a tenant administrator and choose
Resource Center > Site Management from the main menu. Then, create a
single site by referring to 7.1 Creating a Site.
To configure the GIS coordinates of the site, you need to set Site location to
the longitude and latitude of the site or click to select a location.

Step 2 Modify the GIS coordinates of an existing site. If you did not configure the GIS
coordinates of a site when creating it or want to modify the GIS coordinates of
an existing site, perform the following steps:


1. Log in to iMaster NCE-Campus as a tenant administrator and choose
Resource Center > Site Management from the main menu.

2. Click next to the site name, set Site location to the longitude and latitude
of the site or click to select a location.
3. Click OK.
----End

10.1.1.3 Configuring a Logical Map


If no GIS map is available, the digital map homepage is displayed in logical map
mode by default. You can customize the background image for the logical map
and plan site locations based on the background image. The logical map displays
direct links between sites based on the Link Layer Discovery Protocol (LLDP).

Procedure

Step 1 In logical map mode, click in the lower right corner to set the background
image for the digital map.

Step 2 In the Set Background window that is displayed, click Select Background. In the
Select Background window, upload the image to be set.


Step 3 Click OK. The background image is selected.

----End

Related Operation
After setting the background image of the logical map, you can plan site locations
based on the background image.

1. (Optional) If the current map layout is locked, click in the lower right
corner to unlock the map layout.
2. Drag the site icon to the planned position on the background image and then
save the change.

10.1.2 Completing Basic Analyzer Configuration


When interconnected with iMaster NCE-Campus, iMaster NCE-CampusInsight can
synchronize resources including sites, buildings/floors, wired devices, wireless
devices, and links from iMaster NCE-Campus. The tenant administrator can view
these resources and set the licenses of wireless and wired devices based on the
WLAN network plan. The following describes some basic operations of iMaster
NCE-CampusInsight.
Managing Sites and Buildings/Floors
1. Choose Inventory > Device > Device from the main menu, and then click the
Site-Region tab.
2. View information about buildings and floors at a site or in a region.
3. Perform the following operations based on the site requirements.

Table 10-1 Related tasks

| Task | Operation |
|---|---|
| Setting the background image of a site or region | 1. Click next to the target site or building/floor. The topology management page is displayed. |
| | 2. Click to enter the editing mode. |
| | 3. Right-click the blank area, choose Set Background Image from the shortcut menu, and set the background image as prompted. |
| | 4. Click on the left of the page to set the font size and color of the node label on the topology page. |
| | 5. After the setting is complete, click to enter the monitoring mode. |

Managing Wired Devices


Wired device information is automatically synchronized from iMaster NCE-Campus
to iMaster NCE-CampusInsight. The tenant administrator can view these devices,
and set the licenses based on the WLAN network plan.


NOTE

By default, wired devices are not configured with licenses and cannot use the analysis
capability of iMaster NCE-CampusInsight. You need to set the licenses for the devices based
on your site requirements. After the licenses are successfully set, the system enables the
corresponding analysis capability for these devices and starts deducting the corresponding
resource items.
1. Choose Inventory > Device > Device from the main menu, and then click the
Wired Device tab.
2. Select one or more devices, click Set Protocol, and select Set SNMP from the
drop-down list box. In the dialog box that is displayed, modify the device
protocol parameters.
NOTE

SNMP parameter settings must be the same as those on devices.


3. Set the licenses for wired devices based on your site requirements.
iMaster NCE-CampusInsight provides licenses for the basic package and
value-added package. You need to set licenses for devices to be analyzed
based on the license resource type in the license table.

Table 10-2 Setting licenses for wired devices

| Task | Operation |
|---|---|
| Setting licenses for all wired devices | ● Click Set License and choose All Devices. |
| | ● In the dialog box that is displayed, set License category and click Confirm. |
| Setting licenses for selected wired devices | ● Select one or more wired devices, click Set License and choose Selected Devices. |
| | ● In the dialog box that is displayed, set License category and click Confirm. |
| Automatically setting licenses for all wired devices | 1. Click Set License and choose Autoset License. |
| | 2. In the dialog box that is displayed, set License category, toggle on Enable, and click Confirm. |

NOTE

● On the Wired Device tab page, click Export Device and choose Export All Devices
to export all devices. To export selected devices, select one or more devices, click
Export Device and choose Export Selected Devices.

● Click in the Operation column to view the remote unit.

Managing Wireless Devices


Wireless device information is automatically synchronized from iMaster NCE-
Campus to iMaster NCE-CampusInsight. The tenant administrator can view these
devices, and set the licenses based on the WLAN network plan.


NOTE

By default, wireless devices are not configured with licenses and cannot use the analysis
capability of iMaster NCE-CampusInsight. You need to set the licenses for the devices based
on your site requirements. After the licenses are successfully set, the system enables the
corresponding analysis capability for these devices and starts deducting the corresponding
resource items.

1. Choose Inventory > Device > Device from the main menu, and then click the
Wireless Device tab.
2. Set the licenses for wireless devices based on your site requirements.

CampusInsight provides licenses for the basic package and value-added
package. You need to set licenses for devices to be analyzed based on the
license resource type in the license table.

Table 10-3 Setting licenses for wireless devices

| Task | Operation |
|---|---|
| Setting licenses for all wireless devices | ● Click Set License and choose All Devices. |
| | ● In the dialog box that is displayed, set License category and click Confirm. |
| Setting licenses for selected wireless devices | ● Select one or more wireless devices, click Set License and choose Selected Devices. |
| | ● In the dialog box that is displayed, set License category and click Confirm. |
| Automatically setting licenses for all wireless devices | 1. Click Set License and choose Autoset License. |
| | 2. In the dialog box that is displayed, set License category, toggle on Enable, and click Confirm. |

NOTE

On the Wireless Device tab page, click Export Region Plan and choose Export All to
export positions of wireless devices mounted to all sites and buildings/floors. Select
one or more sites or buildings/floors from the list, click Export Region Plan and
choose Export Selected to export positions of wireless devices mounted to the
selected sites or buildings/floors.

10.1.3 Configuring Devices to Report Data

Context
Switches, firewalls, AR routers, cloud APs, WACs, and Fit APs can report data to
iMaster NCE-Campus and iMaster NCE-CampusInsight. In this manner, iMaster
NCE-Campus or iMaster NCE-CampusInsight can monitor device and terminal
information in real time, learn the device states based on the reported alarms and
logs, and display the health status of devices and networks on the GUI.


You can enable the data reporting function for switches, firewalls, AR routers, and
cloud APs on iMaster NCE-Campus.
You can configure WACs and Fit APs to report data using the web system. For
WACs running V600R023C00 or later versions, this function can also be enabled
on iMaster NCE-Campus.

Procedure
Step 1 Choose Network Monitoring > Monitoring Settings > Data Collection Settings
from the main menu and click the Monitoring Settings tab.
Step 2 Enable switches to report data to iMaster NCE-Campus. Specifically, click Devices
report performance data to the iMaster NCE-Campus using HTTP, enable the
function as required, and click OK.

If Report device log data is enabled, select the types of logs to be reported to
iMaster NCE-Campus.


NOTE

● Enable Report terminal identification information. This function helps improve the
identification accuracy. If the controller identifies terminals using DHCP options or
mDNS, you need to configure DHCP snooping and mDNS snooping on devices.
● For the device models that can report terminal identification information, see
Device models that can report terminal identification information.

Step 3 Click Devices report performance data to the iMaster NCE-CampusInsight
using HTTP, enable related functions as required, and click OK.

Step 4 On iMaster NCE-Campus, enable WACs and Fit APs to report data to iMaster
NCE-Campus and iMaster NCE-CampusInsight.


Step 5 Enable WACs and Fit APs to report data to iMaster NCE-Campus and iMaster NCE-
CampusInsight through the WAC's web system.

| Item | Data |
|---|---|
| AP group | ap-group1 |
| AP system profile | default |
| KPI reporting configuration for WACs | ● Reported to iMaster NCE-Campus: destination IP address 172.31.31.30, port number 10032 |
| | ● To iMaster NCE-CampusInsight: destination IP address 172.31.31.31, port number 27371 |
| KPI reporting configuration for APs | ● Reported to iMaster NCE-Campus: WMI profile name cloudmng, destination IP address 172.31.31.30, port number 10032 |
| | ● To iMaster NCE-CampusInsight: WMI profile name campusinsight, destination IP address 172.31.31.31, port number 27371 |

1. Configure interconnection parameters for a WAC to communicate with the
WMI server.
a. Configure interconnection parameters for the WAC to communicate with
iMaster NCE-Campus.
On the WAC's web system, choose Maintenance > AC Maintenance >
WMI from the main menu. On the Channel 1 tab page, set
interconnection parameters for the WAC to communicate with iMaster
NCE-Campus, and click Apply.
Generally, the port number of iMaster NCE-Campus is 10032.

b. Set parameters for interconnection between the WAC and iMaster NCE-
CampusInsight.
On the WAC's web system, choose Maintenance > AC Maintenance >
WMI from the main menu. On the Channel 2 tab page, set parameters
for interconnection between the WAC and iMaster NCE-CampusInsight,
and click Apply.
Generally, the port number of iMaster NCE-CampusInsight is 27371.


2. Configure interconnection parameters for APs to communicate with the WMI
server.
a. Configure interconnection parameters for APs to communicate with
iMaster NCE-Campus.
# On the WAC's web system, choose Configuration > AP Config > AP
Group. On the AP Group tab page, click ap-group1.
# Choose AP > AP System Profile > WMI Profile (Channel 1). Click
Create and create the WMI profile named cloudmng.
# Configure interconnection parameters based on the data plan, and click
Apply.

b. Set parameters for interconnection between an AP and iMaster
NCE-CampusInsight.
# On the WAC's web system, choose Configuration > AP Config > AP
Group. On the AP Group tab page, click ap-group1.
# Choose AP > AP System Profile > WMI Profile (Channel 2). Click
Create and create the WMI profile named campusinsight.
# Configure interconnection parameters based on the data plan, and click
Apply.


NOTE

In the WAC + Fit AP networking (CloudCampus Solution), APs report KPI
information of the WAC and APs to the servers of iMaster NCE-Campus and
iMaster NCE-CampusInsight based on the WMI reporting mechanism. APs of
some models can directly report KPI information, while other APs require the
WAC to transparently transmit the reported KPI information. For APs that directly
report information, network interconnection needs to be ensured between the
APs and the servers of iMaster NCE-Campus and iMaster NCE-CampusInsight.

Step 6 To enable firewalls to report data to iMaster NCE-Campus, click Devices report
performance data to the iMaster NCE-Campus using HTTP, enable related
functions as required, and click OK.
NOTE

Firewalls that assume the TG or Firewall role support only Report performance data,
Report terminal monitoring information, and Report application data functions.
Firewalls that assume the Gateway role support only Report performance data, Report
WAN-side application traffic data, and Report WAN-side link traffic data functions.

----End


10.1.4 Configuring the Application Experience Assurance Function

NOTE

The application experience assurance function has the following limitations:


● Devices must support application identification. If a device does not support
application identification, it cannot ensure forwarding priority of applications.
● If abnormal flow identification and fault demarcation and locating are required, iPCA
2.0 must be enabled on devices. In-Band Flow Measurement Configuration lists the
devices that support iPCA 2.0.
● Core switches must be deployed at a site and support application identification or
iPCA 2.0.
● Policy orchestration applies to APs and LSWs only, but not to firewalls, ARs, and WACs
+ Fit APs.
● Application experience assurance does not apply to VXLAN and SD-WAN networking
scenarios.
● To implement iPCA 2.0 and application assurance based on application identification,
ensure that the version of the service signature database is the latest. You are advised
to periodically update the service signature database.
● In this example, wireless service data is directly forwarded without passing through the
WAC. Therefore, you can specify only APs as in-points for iPCA 2.0 without configuring
the WAC connected in off-path mode.

Context
A large number of users are using various applications every moment on the
campus network. Huawei's iMaster NCE-Campus and iMaster NCE-CampusInsight
provide application experience assurance capabilities, helping network O&M
personnel monitor application analysis details in real time and detect network
problems in a timely manner.

iMaster NCE-Campus and iMaster NCE-CampusInsight provide the following
application experience assurance functions:

● Key application assurance: You can configure assurance for key applications to
monitor application analysis details on a per-site basis. For example, you can
configure application assurance for a WeLink conference to ensure the
conference quality.
● Key service assurance: You can create service assurance events for
applications, that is, create assurance objects (including assured terminals and
assurance period) to monitor application analysis details by assurance object.
For example, you can create a service assurance event for the Huawei WeLink
conference application (by specifying the assured terminal and assurance
period of a WeLink conference) to monitor the quality for a terminal to access
the WeLink conference application in a conference in real time.

Prerequisites
● Interconnection has been configured between iMaster NCE-
CampusInsight and iMaster NCE-Campus and data has been synchronized
between iMaster NCE-CampusInsight and iMaster NCE-Campus.


● Application data reporting has been enabled for the site. For details, see
10.1.3 Configuring Devices to Report Data.

Procedure
Step 1 Click Application on the map navigation bar. In the Application Statistics
window, view application statistics of the current tenant.
NOTE

● Only the applications with traffic and enabled with the application analysis license on
iMaster NCE-CampusInsight are displayed.
● Application assurance depends on application identification, and application
identification requires the latest service awareness signature database. Therefore, you
need to update the service awareness signature database (independent of device
software upgrades). Otherwise, a device may fail to identify a new application and
become invisible on the traffic path of the application during the analysis and
demarcation.

By default, the application statistics of the current day are displayed. You can click
Today to select a time frame as needed.

Step 2 Configure key application assurance.


1. Configure assurance for an application.
a. Click Add Application Assurance, create an application that requires
assurance, select the corresponding site, and click Next.


You can select a predefined application or a customized application. Click


Customized Applications. Then, click the Policy Template tab on the
Network Configuration > Global Settings > Template Management
page, and choose Application Management > Service Awareness
Application to create a customized application.

b. iMaster NCE-Campus automatically orchestrates and generates an
application assurance policy. For example, the uplink interface of the core
switch is configured as the out-point of iPCA measurement flows.

NOTE

The following application assurance policy content is orchestrated on iMaster
NCE-Campus:

▪ Application priority scheduling policy: application-based DSCP value re-marking

▪ iPCA configurations are automatically generated at common fault locations of
application traffic. Currently, orchestration for aggregation switches is not
supported.
○ Wireless air interfaces: are automatically configured as in-points of iPCA
measurement flows.
○ Uplink interfaces on core switches: are automatically configured as out-
points of iPCA measurement flows.
○ Interfaces connecting access switches to APs: are automatically
configured as mid-points of iPCA measurement flows.
If the automatically generated iPCA configurations cannot meet the
requirements, you need to manually add iPCA configurations.
○ Configuring an in-point of iPCA measurement flows: In wired terminal
access scenarios, you need to select an access switch in Topology View
of the policy, right-click the access switch, choose Selecting The
Terminal Access Port from the shortcut menu, and manually specify the
wired access interface on the access switch. During policy delivery,
iMaster NCE-Campus configures the wired access interface of the
terminal as the in-point of iPCA measurement flows.
○ Configuring an out-point of iPCA measurement flows: For switches
connected to application servers, you need to select a switch in
Topology View of the policy, right-click the switch, choose Selecting
The App Server Access Port from the shortcut menu, and manually
specify the application server access interface on the switch. During
policy delivery, iMaster NCE-Campus configures the application server
access interface as the out-point of iPCA measurement flows.
○ Configuring a mid-point of iPCA measurement flows: Choose Network
Monitoring > Monitoring Settings > Application Experience Settings,
click the In-Band Flow Measurement Configuration tab, and click
Configure next to Interface for automatic measurement.
○ For details, see Key Service Assurance.

▪ Click View Policy. You can select the topology view or list view to
view the automatically orchestrated policy information.

▪ If the system displays a message indicating that the resource mode is
not set for some devices, click To set up, select the devices whose
resource mode needs to be modified, and click Setting the resource
mode. The system then automatically sets the resource mode
required by the application assurance policy, saves the configuration,
and restarts the devices. Wait until the devices go online again and
then configure application assurance.

▪ The application assurance priority is automatically set to 41. Click
Modify to change the priority of the application.

▪ Click Reset Policy. The system clears all manual configurations of
the policy and restores the policy to the initial state before manual
configuration. Exercise caution when performing this operation.
c. Click Deliver to deliver the orchestrated policy to devices at the selected
site.
If the configuration fails to be delivered, click Configuration Details to
view the failure cause. Rectify the fault and then click Retry.
2. Configure application assurance for the WAC and Fit APs.
Choose Configuration > Config Wizard > Application Assurance >
Configure Applications, select a predefined application or a customized
application, set DSCP, enable Poor-QoE application analysis and
Application detection, and add the application.

Click Next and add the SSID for which application assurance needs to be
enabled. Then, click Finish.

After application assurance is configured in the web system, an SAC profile
referenced by a VAP profile is displayed on the WAC for creating assured
applications. Enable traffic statistics collection for assured applications in the
SAC profile.
Enter the WLAN view and run the sac-profile name profile-name command
to enter the SAC profile view. Run the vap-protocol-statistic enable
command to enable the protocol statistics collection function on VAPs. Run
the user-protocol-statistic enable command to enable the user-based
protocol statistics collection function.
NOTE

– This configuration applies to the scenario where STA service traffic is directly
forwarded and the IP address pool is not on the WAC. That is, STA service traffic
does not pass through the WAC. If STA service traffic passes through the WAC, you
need to configure iPCA 2.0 on the WAC. For details, see Application Scenarios for
iPCA 2.0.
– The SSID to be selected must be referenced by the AP group. Otherwise, the SSID
may fail to be selected.
3. Monitor the application analysis details of each site.
a. Click Application on the map navigation bar. In the Application
Statistics window, click an application name.

b. On the Involved Site tab page, view the list of sites that access the
application.

c. Click a site name to go to the iMaster NCE-CampusInsight page and view
application details of the site, including poor-QoE indicators such as the
packet loss rate and delay.
The Flow List displays the path, status, packet loss rate, and delay of
each flow for all terminals at the current site to access the application.

d. In Flow List, click a flow path whose Status is Abnormal.

e. In the topology view on the left, click High packet loss rate to view fault
analysis details, including basic information, troubleshooting, and packet
loss rate trend.

Step 3 Configure key service assurance.


1. Create an assurance object.
a. Click Application on the map navigation bar. In the Application
Statistics window, click an application name.

b. On the Assurance Object tab page, click Add to add the terminals to be
assured and the assurance period for the application.

2. Monitor application analysis details based on assurance objects.


a. On the Assurance Object tab page, monitor services by assurance object.

b. Click a site name to go to the iMaster NCE-CampusInsight page and view
application details of assurance objects at the site, including poor-QoE
indicators such as the packet loss rate and delay.
The Flow List displays the path, status, packet loss rate, and latency of
each flow for the assured terminals to access the application within the
assurance period at the current site.

c. In Flow List, click a flow path whose Status is Abnormal.

d. In the topology view on the left, click High packet loss rate to view fault
analysis details, including basic information, troubleshooting, and packet
loss rate trend.


----End

10.1.5 Configuring User Experience Assurance

Context
Before configuring VIP user assurance, you need to enable preferential access for
VIP users and configure bandwidth reservation, independent authorization, and AP
location.

● Preferential access must be enabled for VIP users. Otherwise, they cannot
access the SSID after the number of SSID access users exceeds the threshold.
● Bandwidth reservation must be enabled for VIP users. The reserved bandwidth
is 20% by default. When the bandwidth reserved for VIP users is insufficient,
user experience cannot be guaranteed.
● An independent authorization result must be configured for VIP users to
distinguish them from common users. Otherwise, APs cannot identify VIP
users and experience of VIP users cannot be guaranteed.
● The AP location must be configured for VIP users. Otherwise, the user journey
cannot be displayed.
NOTE

● VIP user experience assurance depends on identification of VIP users. This function is
applicable only to users authorized based on user groups (such as MAC address, 802.1X,
and PPSK authentication users), but is not applicable to users who are not authorized
based on user groups (such as open-system and PSK authentication users) because
these users cannot be identified as VIP users.
● To configure wireless VIP users, you need to configure the WAC as the authentication
point and iMaster NCE-Campus as the authentication server or authentication relay
agent, and authorize a VIP user group for wireless VIP users.

Procedure
The following configures VIP user assurance in the WAC + Fit AP scenario.

Step 1 Configure preferential access and bandwidth reservation for VIP users.
1. Configure the priority for a VIP user group. When the priority of a user group
is set to 1, this user group is a VIP user group. When the priority of a user
group is set to 0, this user group is a common user group.

[AC] user-group vip1
[AC-user-group-vip1] priority 1
[AC-user-group-vip1] quit

2. Configure preferential access of VIP users based on VAPs.

[AC] wlan
[AC-wlan-view] ssid-profile name Edu_test
[AC-wlan-ssid-prof-Edu_test] max-sta-number 40
[AC-wlan-ssid-prof-Edu_test] reach-max-sta priority-replace
[AC-wlan-ssid-prof-Edu_test] quit

3. Configure bandwidth reservation for VIP users based on a radio profile.

<AC> system-view
[AC] wlan
[AC-wlan-view] radio-2g-profile name default
[AC-wlan-radio-2g-prof-default] vip-user bandwidth reservation-ratio 30
[AC-wlan-radio-2g-prof-default] quit
[AC-wlan-view] radio-5g-profile name default
[AC-wlan-radio-5g-prof-default] vip-user bandwidth reservation-ratio 30
[AC-wlan-radio-5g-prof-default] quit

NOTE

If the default radio profile is not used, bind the configured radio profile to the
corresponding AP or AP group, so that parameter settings in the profile can take
effect.
If wireless configuration synchronization in VRRP HSB scenarios has been configured
on the master and backup WACs, the above configurations of the master WAC can be
automatically synchronized to the backup WAC.

Step 2 Configure an authorization result for VIP users.


1. Choose Admission Management > Admission Policy > Authentication and
Authorization > Authorization Result from the main menu.
2. For the native WAC, click Create and toggle on VIP User.

3. In the standalone WAC + Fit AP scenario, create a user group on the WAC and
enter the name of the user group in Authorized user group on the controller.

Step 3 Configure an authorization rule for VIP users.


1. Choose Admission Management > Admission Policy > Authentication and
Authorization > Authorization Rule from the main menu.
2. Click Create. In the User Information area, toggle on Match roles.

3. Click Add and select the Default VIP+ role.

4. Select the authorization result configured in Step 2 from the Authorization
result drop-down list box. Then click OK.

Step 4 Configure an authentication rule for VIP users.


1. Choose Admission Management > Admission Policy > Authentication and
Authorization > Authentication Rule from the main menu.
2. Click Create. In the User Information area, toggle on Match roles.
3. Click Add and select the Default VIP+ role. For details about how to set other
parameters, see 8.1.3 Configuring Authentication for BRAS Users.

4. Click OK.

Step 5 Configure VIP users.


● Configure VIP users on the digital map homepage.
a. Click User on the map navigation bar. The User Statistics page is
displayed.
b. Click VIP Management to view all VIP users, including the VIP users on
the User VIP and Guest VIP tab pages.
c. Click Add VIP to add VIP users or guests. All users with accounts can be
added as VIP users.
d. Click the icon in the Operation column, or select multiple accounts and
click Delete, to delete the selected VIP users. After a VIP user is deleted, it
becomes a common user.

----End
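The WAC-side settings from Step 1 (VIP user group priority, priority-based replacement on a full SSID, and the per-radio reservation ratio) can be checked offline against a saved configuration. The script below is an added example, not part of the Huawei guide or tooling; the indented configuration layout, the sample text, and the names staff, vip2 and Edu_guest are constructed assumptions.

```python
import re

# Constructed sample in an assumed "saved configuration" layout (one space of
# indentation per nesting level). Only the commands shown in Step 1 are used.
SAMPLE_CONFIG = """\
#
user-group vip1
 priority 1
#
user-group staff
 priority 0
#
wlan
 ssid-profile name Edu_test
  max-sta-number 40
  reach-max-sta priority-replace
 ssid-profile name Edu_guest
  max-sta-number 40
 radio-2g-profile name default
  vip-user bandwidth reservation-ratio 30
 radio-5g-profile name default
#
"""

HEADER = re.compile(
    r"^(user-group|ssid-profile name|radio-2g-profile name|radio-5g-profile name)\s+(\S+)$"
)
RATIO_PREFIX = "vip-user bandwidth reservation-ratio "


def parse_stanzas(text):
    """Return {(kind, name): [child lines]} for the stanza types audited here."""
    stanzas = {}
    current, depth = None, -1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        match = HEADER.match(line)
        if match:
            current = (match.group(1).split()[0], match.group(2))
            depth = indent
            stanzas[current] = []
        elif current is not None and indent > depth:
            stanzas[current].append(line)   # child of the open stanza
        else:
            current = None                  # left the stanza (for example "wlan")
    return stanzas


def audit_vip_config(text, vip_groups):
    """List the Step 1 settings that are missing for the given VIP user groups."""
    stanzas = parse_stanzas(text)
    findings = []
    for group in vip_groups:
        body = stanzas.get(("user-group", group))
        if body is None:
            findings.append(f"user-group {group}: not defined on the WAC")
        elif "priority 1" not in body:
            findings.append(f"user-group {group}: priority is not 1 (common user group)")
    for (kind, name), body in stanzas.items():
        if kind == "ssid-profile" and "reach-max-sta priority-replace" not in body:
            findings.append(
                f"ssid-profile {name}: reach-max-sta priority-replace is not configured"
            )
        elif kind in ("radio-2g-profile", "radio-5g-profile"):
            if not any(line.startswith(RATIO_PREFIX) for line in body):
                findings.append(
                    f"{kind} {name}: no explicit vip-user bandwidth reservation-ratio"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_vip_config(SAMPLE_CONFIG, ["vip1", "vip2"]):
        print(finding)
```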


10.1.6 Configuring Terminal Statistics Reporting

Context
● Before viewing terminal statistics, you need to enable terminal identification
and disable terminal data masking. After terminal identification is enabled,
authenticated terminals are identified and displayed on the digital map. After
terminal data masking is disabled, you can view the details and user journey
of terminals.

● Terminal identification is disabled by default. After terminal identification is
enabled, information about terminals that connect to iMaster NCE-Campus
and are authenticated successfully will be recorded.
● iMaster NCE-Campus provides a tenant-level terminal privacy policy named
TenantPolicy. In this policy, terminal access records are stored for 30 days and
terminal data masking is enabled by default.
NOTE

There is a delay of 10 to 20 minutes for terminals that go online without being
authenticated to be displayed in the terminal statistics and device topology on the
digital map. To view data of terminals that go online without being authenticated in
real time, choose Network Monitoring > LAN Monitoring > Terminals from the main
menu, click the Terminal Monitoring tab, and click Fast Report Terminal Data in the
User List area.

Procedure
Step 1 Enable terminal identification.
1. Choose Admission Management > Admission Resource > Terminal
Management > Terminal Configuration from the main menu, toggle on
Terminal identification, and click OK.

Step 2 Disable terminal data masking.


1. Choose Network Monitoring > Monitoring Settings > Terminal Privacy
Settings from the main menu. Click the icon in the Operation column of the
built-in tenant-level policy of iMaster NCE-Campus, set Terminal Data Masking to
Disabled for the policy, and click OK.

2. Toggle on Enabled or Disabled to enable the tenant-level policy. Once
enabled, the policy takes effect on all sites under the tenant.

Step 3 If iMaster NCE-CampusInsight is interconnected, disable client privacy masking.


1. Choose Advanced Feature > CampusInsight from the main menu. The
iMaster NCE-CampusInsight GUI is displayed.
2. Choose System > Security Management > Client Privacy Masking from the
main menu.
3. Ensure that In-depth Masking of Client Privacy is disabled.

----End

10.1.7 Basic Operations on the Digital Map


Homepage Introduction

In the new mode, click Workbench or the icon in the upper left
corner of the page. The digital map homepage is displayed. The homepage
consists of the following parts: GIS map or logical map, map navigation bar,
search box, and smart assistant.

● GIS map/Logical map
If no GIS map is available, the logical map is displayed by default. You can
click the icon in the lower right corner and configure the GIS map on the digital
map configuration page that is displayed. For details, see 10.1.1.1
Configuring an Online GIS Map.
After the GIS map is configured, you can switch between GIS Map and
Logical Map in the lower left corner.
Table 10-4 describes the differences between the GIS map and logical map.

Table 10-4 Differences between the GIS map and logical map

| Difference Item | GIS Map | Logical Map |
|---|---|---|
| Map source | Online query | Imported background image |
| Data source | Map source of a third-party company (Google) | Background image provided by the customer |
| Display content | GIS map + sites | Background image + sites. Interconnection information between IPsec VPN sites cannot be displayed on the logical map. Sites and their organizations (if any) can be displayed in a logical map. You can double-click an organization to expand it. The logical map does not support automatic layout of expanded organizations. When an organization is expanded, the sites of the organization contained in a rectangle are displayed. You can drag this rectangle to any position. |
| Loading mode | Real-time map data query | Background image import |
| Charge for query | Yes | No |
| Connecting the client to the Internet | Yes | No |
| Zoom function | The map view is determined by the map provider. Different map views are displayed with the zoom-in or zoom-out of the map. | Sites are zoomed in or out with the background image. |
| Toolbox | See Table 10-5. | See Table 10-6. |

Table 10-5 GIS map tool buttons

| Tool Icon | Description |
|---|---|
| (icon) | Search button. You can click it to search for sites and locate them on the map. |
| (icon) / (icon) | Buttons for displaying the topology in full screen and exiting the full-screen mode. |
| (icon) | Button for configuring a GIS map. |
| (icon) | Button for setting the initial view of the GIS map. The initial view can be auto view and custom view. If you select the auto view, the view is automatically adjusted based on the object positions on the map. After you select this view, the settings are automatically saved and the map is refreshed. If you select the custom view, you can drag and zoom on the map to adjust the view and then click Save to save the settings and refresh the map. |
| (icon) | Legend button. You can click this button to view description of colors and shapes on the map. |
| (icon) / (icon) | Zoom-in/Zoom-out button. You can click or scroll the mouse wheel to adjust the zoom level. |

Table 10-6 Logical map tool buttons

| Tool Icon | Description |
|---|---|
| (icon) | Topology refresh button. After you click this button, the topology layout will be restored to the previously saved one. |
| (icon) | Default layout button. After you click this button, the topology layout will be restored to the previously saved one. |
| (icon) | Move button. You can click this button to drag the view. |
| (icon) / (icon) | Lock/Unlock button. A locked layout cannot be modified. |
| (icon) | Button for saving the current topology layout. |
| (icon) / (icon) | Buttons for displaying the topology in full screen and exiting the full-screen mode. |
| (icon) / (icon) | Zoom-in/Zoom-out button. You can click or scroll the mouse wheel to adjust the zoom level. |
| (icon) | Button for adjusting the zoom level of the topology page. |
| (icon) | Button for setting the color of the NE name and the background image of the logical map. The settings take effect for all users. |
| (icon) | Legend button. You can click this button to view description of colors and shapes on the map. |
| (icon) | Button for adjusting current layout of the map. Multiple layout modes are supported, such as symmetrical, single-ring, multi-ring, smart, star-shaped, and tree-shaped layouts. NOTE: Smart layout supports a maximum of 1000 NEs. |
| (icon) / (icon) | Button for opening and closing the topology panorama. If the topology is large, you can view the topology panorama and select an area in the panorama to quickly view information about the selected area. |

– Map navigation bar
You can click Site, Device, User, Terminal, Interconnection, or
Application on the map navigation bar to view the corresponding
resources. In this way, network-wide resources are displayed in one map.

▪ GIS map: Resources can be located in the topology.

▪ Logical map: Only site resources can be located in the logical
topology. For example, if you click a single device, the site to which
the device belongs on the logical map is not marked with the device
icon or located.

Table 10-7 Buttons on the map navigation bar

| Button | Function Description |
|---|---|
| Site | See Viewing Site Information. |
| Device | See Viewing Device Information and Device Topology at a Site. |
| Application | See Viewing Application Information. |
| User | See Viewing Information About Users and Terminals. |
| Terminal | See Viewing Information About Users and Terminals. |

– Search box
You can search for information about specific sites. You can click a site
name to locate the site on the map and view the site details.

Viewing Site Information


On the digital map, you can view the statistics about all sites and details of a
single site under the current tenant.
1. View site statistics of the current tenant.
Click Site on the map navigation bar to view the statistics of all sites under
the current tenant, including the total number of sites, site status, number of
sites in each state (normal or abnormal), and information about site
resources (including applications, users, devices, and terminals). For example,
3/20 in the Device column of a site indicates that the site has 20 devices,
among which three are abnormal.

2. View details about a single site.


– View information about a single site through site statistics.
i. In the Site Statistics window, click a site name to view the site
location on the digital map and the site details.
ii. Click Go to Site and view the device topology information of the site.

– View information about a single site on the digital map homepage.
i. On the digital map homepage, move the cursor to a site icon to view
the tips of the site.

ii. Double-click the site or click the icon to view the device topology
information of the site.

Viewing Device Information and Device Topology at a Site


On the digital map, you can view the statistics about all devices, details of a single
site, and device topology at a site under the current tenant.

NOTE

LLDP has been configured. For details, see 7.8 Enabling LLDP.
1. View device statistics of the current tenant.
Click Device on the map navigation bar to view statistics on all devices of the
current tenant, including the total number of devices, device status, and
number of devices in each state (normal, alarm, offline, and not registered).

2. View details about a single device.


a. Use either of the following methods to go to the page for displaying
details about a single device:

▪ In the Device Statistics window, click a device name. When the
online GIS map mode is used, the site where the device resides is
located on the map and the device details are displayed in the right
pane.

▪ In the Device Statistics window, click a site name to access the
topology page of the site.
○ Double-click the device. Alternatively, right-click the device and
choose View Device Details from the shortcut menu. The device
details page is displayed.
○ Hover the mouse pointer over a device to view the brief
information about the device. Click Details. The device details
page is displayed.
○ When multiple devices are aggregated into a device group in the
topology, you can right-click the device group, choose View
Device Group Details, and click a device name to access the
device details page.
b. View device information. The page varies depending on the device model.
The following takes an LSW as an example.


3. View the device topology of a site.


a. Click Site on the map navigation bar and click a site name. In the Site
Details window, click Go to Site, and view the device topology of the
site.

The device name, model, and status are displayed in the device topology.
Move the cursor to a device in the topology to view the device
information. You can right-click the device to perform O&M operations on
the device. Move the cursor to a link to view the link information. For an
aggregated link, you can double-click the link to view information about
its member links. For a topology branch, you can click the icon to expand it
and view link information.

NOTE

● For an aggregated link, its color is determined by member link states as
follows in descending order of priority: Abnormal > Disconnection > Fault >
Unmanaged > Normal > Unknown.
● A link is in Abnormal state if any link exception indicator exceeds the upper
threshold.
● Offline links are displayed in gray even if any link exception indicator exceeds
the upper threshold.
● When both ends of a link are managed through SNMP, the link status is as
follows:
  ○ Normal: The NEs at both ends are not offline or unmanaged, and the
  administrative status and running status of the interfaces at both ends
  are up.
  ○ Unmanaged: The NE at one end is unmanaged.
  ○ Fault:
    – The NEs at both ends of the link are not offline or unmanaged. The
    administrative status of the interface at one end is down, and the
    administrative status and running status of the interface at the
    other end are up.
    – The NEs at both ends of the link are not offline or unmanaged. The
    administrative status of the interface at one end is up but the
    running status is down.
  ○ Disconnection: The NE at one end is offline.
  ○ Unknown: A link that does not meet the preceding conditions is in the
  unknown state.
● When one end of a link is managed through NETCONF, the link status is as
follows:
  ○ Normal: The running statuses of the source and sink NE ports are both
  up.
  ○ Disconnection: The running statuses of the source and sink NE ports are
  both down.

▪ Click the icon in the lower right corner of the page to unlock the view.
You can drag device icons in the current topology view to modify the
current topology layout. Click the icon to save the modified topology
layout.
b. In the lower left corner of the page, click Device topology and select No-
link device. Devices without link connections are displayed.

c. Right-click a device and choose Create Link from the shortcut menu. You
can configure the peer device to be connected to the current device. After
the configuration is complete, the current device is added to a link. The
link created using this method must be consistent with the actual
physical link connection. Otherwise, a conflict occurs.
d. In the lower left corner of the page, click Device topology and select
Streamlight switch. The dynamic effect of the current device topology
connection is displayed.
e. In the lower left corner of the page, click Device topology and select
Spatial view to view the physical locations of devices at each layer of the
current site.
When you switch from the device topology to the spatial view, the space
view of the selected level in the resource tree is displayed. When you
switch from the spatial view to the device topology, the device topology
is displayed. For a non-device node, you can double-click the current icon
to display the next level. For a device node, you can double-click the
device to display the device details window.
f. In the upper right corner of the page, click Edit Topo. In the Edit Topo
pane that is displayed on the right, add unmanaged third-party devices
and configure links.
g. In the upper right corner of the page, click Region Management and
view and manage region information of the current site. For details, see
7.10 Configuring Region Information.
h. In the upper right corner of the page, click Network Monitoring to view
information such as the device health status and terminal packet loss
rate at the current site.
i. In the upper right corner of the page, click Configure Site to configure a
single site, or configure sites in batches by using templates to provision
services.
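The link status rules in the NOTE under step 3.a can be written as a small classifier, which is useful when cross-checking the topology colors against interface status collected from devices. This is an added example, not Huawei's implementation; the ne_status labels, the precedence used where two rules overlap (offline first, then threshold, then unmanaged), and reporting the mixed NETCONF case as Unknown are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum


class LinkState(Enum):
    ABNORMAL = "Abnormal"
    DISCONNECTION = "Disconnection"
    FAULT = "Fault"
    UNMANAGED = "Unmanaged"
    NORMAL = "Normal"
    UNKNOWN = "Unknown"


# Priority for an aggregated link, highest first, exactly as listed in the NOTE.
AGGREGATE_PRIORITY = [
    LinkState.ABNORMAL, LinkState.DISCONNECTION, LinkState.FAULT,
    LinkState.UNMANAGED, LinkState.NORMAL, LinkState.UNKNOWN,
]


@dataclass(frozen=True)
class LinkEnd:
    ne_status: str   # "online", "offline" or "unmanaged" (labels assumed here)
    admin_up: bool   # administrative status of the interface
    oper_up: bool    # running status of the interface


def snmp_link_state(a, b, indicator_over_threshold=False):
    """State of a link whose two ends are both managed through SNMP."""
    ends = (a, b)
    # Offline links stay in the offline (gray) state even above the threshold.
    if any(e.ne_status == "offline" for e in ends):
        return LinkState.DISCONNECTION
    # Any link exception indicator above its upper threshold marks the link Abnormal.
    if indicator_over_threshold:
        return LinkState.ABNORMAL
    if any(e.ne_status == "unmanaged" for e in ends):
        return LinkState.UNMANAGED
    if all(e.admin_up and e.oper_up for e in ends):
        return LinkState.NORMAL
    # Fault, first case: one end administratively down, peer fully up.
    one_admin_down_peer_up = any(
        not x.admin_up and y.admin_up and y.oper_up for x, y in ((a, b), (b, a))
    )
    # Fault, second case: an end is administratively up but not running.
    admin_up_oper_down = any(e.admin_up and not e.oper_up for e in ends)
    if one_admin_down_peer_up or admin_up_oper_down:
        return LinkState.FAULT
    return LinkState.UNKNOWN


def netconf_link_state(source_up, sink_up):
    """State of a link with an end managed through NETCONF (running status only)."""
    if source_up and sink_up:
        return LinkState.NORMAL
    if not source_up and not sink_up:
        return LinkState.DISCONNECTION
    return LinkState.UNKNOWN  # assumption: the guide does not define the mixed case


def aggregated_link_state(member_states):
    """State (and therefore color) of an aggregated link from its member links."""
    if not member_states:
        return LinkState.UNKNOWN
    return min(member_states, key=AGGREGATE_PRIORITY.index)


if __name__ == "__main__":
    up = LinkEnd("online", True, True)
    shut = LinkEnd("online", False, False)
    members = [snmp_link_state(up, up), snmp_link_state(up, shut)]
    print([m.value for m in members], "->", aggregated_link_state(members).value)
```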

Viewing Application Information


For details, see 10.1.4 Configuring the Application Experience Assurance
Function.

Viewing Information About Users and Terminals


NOTE

Currently, only the WAC can be used as the authentication point for wireless VIP user
authentication. When a third-party authentication server is used, you can view VIP users
and their flags in the user experience view of the analyzer.

Click Workbench to access the digital map homepage and view user statistics. VIP
users set in 10.1.5 Configuring User Experience Assurance are marked with VIP
flags. VIP users whose experience scores are lower than 60 are identified as
experience exceptions. User experience scoring applies only to wireless
authentication users.


Click the name of a user to go to the User Details page. You can view the basic
user information and access records of the user, including the online access
terminals authenticated using the name of this user and historical access records
of the terminals.

Click the name of a terminal to go to the Terminal Details page. You can also
access the Terminal Details page by clicking a terminal on the Terminal
Statistics page.


On the Terminal Details page, view details such as the device type, access
location, key indicators, and authentication records of the terminal. Then, click
User Journey. On the floor plan that is displayed, you can view the locations and
tracks of the APs accessed by the terminal.


On the User Journey Details page, view user access details, experience exception
analysis, and logout information.
● Click each dimension in Experience Analysis Model. The trend and issue
analysis of the selected dimension are displayed on the right.
● Click the time axis of Experience Journey in the lower part of the page to
view the user journey details at a specific time point.
User locations in the device topology view are displayed. You can move the cursor
to a device to view basic information.
The User Details page displays the basic information and network quality
information about the user.

10.2 Independent Deployment of the Analyzer


In the independent deployment scenario, that is, when iMaster NCE-Campus is not
deployed, iMaster NCE-CampusInsight needs to synchronize the required information
directly from devices.

10.2.1 Completing Basic Analyzer Configuration

10.2.1.1 Planning the Time, Time Zone, and NTP


In the scenario where the analyzer is independently deployed, NTP clock
synchronization is required for both switches and WACs. It is recommended that
the core switch be used as the NTP server and that network-wide devices
(including the analyzer node server) use the core switch as the NTP clock source.

For details about time synchronization of the analyzer, see 7.9.1 Configuring
Time Synchronization Between the Controller and Analyzer. For details about
time synchronization of the switch and WAC, see 7.9.3 Configuring Time
Synchronization for WACs and Fit APs.

10.2.1.2 Adding Switches

10.2.1.2.1 Adding the Switches Running V200 and Later Versions and Enabling
Neighbor Discovery Through LLDP
Configure SNMP to add devices to CampusInsight for management. SNMP
parameter settings on CampusInsight must be consistent with those on the
devices.
<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v3
[HUAWEI] snmp-agent mib-view included iso-view iso
//iso-view specifies the configured MIB view name. To ensure that CampusInsight can properly manage
devices, the MIB view must contain the iso node.
[HUAWEI] snmp-agent group v3 snmpv3group privacy write-view iso-view notify-view iso-view
//snmpv3group specifies the configured user group. The write view name and notification view name are
specified as iso-view. By default, the write view has the read permission. Therefore, you do not need to set
the read view. The notification view is used to specify the MIB objects for which alarms can be sent to
CampusInsight.
[HUAWEI] snmp-agent usm-user v3 snmpv3user group snmpv3group
//snmpv3user specifies the configured user name, which is consistent with the security name of
CampusInsight. The security level of a user cannot be lower than that of the user group to which the user
belongs. Otherwise, a communications failure occurs. For example, if the security level of the user group
that snmpv3group specifies is privacy, the security level of the user that snmpv3user specifies must be
authentication and encryption.
[HUAWEI] snmp-agent usm-user v3 snmpv3user authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
//Set the authentication protocol and password of the user, which must be the same as those configured on
CampusInsight. The authentication protocol is SHA. Enter the authentication password as prompted.
[HUAWEI] snmp-agent usm-user v3 snmpv3user privacy-mode aes256
Please configure the privacy password (8-255)
Enter Password:
Confirm Password:
//Set the encryption protocol and password of the user, which must be the same as the privacy protocol and
encryption password configured on CampusInsight. The encryption protocol is AES256. Enter the encryption
password as prompted.
[HUAWEI] snmp-agent protocol source-interface vlanif4000
//You are advised to set the loopback interface as the SNMP source interface. vlanif4000 specifies the
device interface corresponding to the IP address used by CampusInsight for managing the device. Set the
device interface based on the site requirements.

NOTE

If a switch fails to go online due to limitations on the SNMP source interface, you can run
the snmp-agent protocol source-status all-interface command to allow all interfaces to
be used by the SNMP proxy to receive and respond to IPv4 packets from the CCU. In this
way, data can be managed in a unified manner. A risk message will be displayed when you
run this command.

Configure LLDP to enable CampusInsight to discover LLDP links of devices.


<HUAWEI> system-view
[HUAWEI] lldp enable

10.2.1.2.2 Adding the Switches Running V600 and Later Versions and Enabling
Neighbor Discovery
<HUAWEI> system-view
[HUAWEI] snmp-agent sys-info version v3
[HUAWEI] snmp-agent mib-view included iso-view iso
//iso-view specifies the configured MIB view name. To ensure that CampusInsight can properly manage
devices, the MIB view must contain the iso node.
[HUAWEI] snmp-agent group v3 snmpv3group privacy write-view iso-view notify-view iso-view
//snmpv3group specifies the configured user group. The write view name and notification view name are
specified as iso-view. By default, the write view has the read permission. Therefore, you do not need to set
the read view. The notification view is used to specify the MIB objects for which alarms can be sent to
CampusInsight.
[HUAWEI] snmp-agent usm-user v3 snmpv3user group snmpv3group
//snmpv3user specifies the configured user name, which is consistent with the security name of
CampusInsight. The security level of a user cannot be lower than that of the user group to which the user
belongs. Otherwise, a communications failure occurs. For example, if the security level of the user group
that snmpv3group specifies is privacy, the security level of the user that snmpv3user specifies must be
authentication and encryption.
[HUAWEI] snmp-agent usm-user v3 snmpv3user authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
//Set the authentication protocol and password of the user, which must be the same as those configured on
CampusInsight. The authentication protocol is SHA. Enter the authentication password as prompted.
[HUAWEI] snmp-agent usm-user v3 snmpv3user privacy-mode aes256
Please configure the privacy password (8-255)
Enter Password:
Confirm Password:
//Set the encryption protocol and password of the user, which must be the same as the privacy protocol and
encryption password configured on CampusInsight. The encryption protocol is AES256. Enter the encryption
password as prompted.
[HUAWEI] snmp-agent protocol source-status all-interface
//This command needs to be configured on the S8700 and does not need to be configured on the S6700
running V200R020C00 and later versions.
//Allow all interfaces to receive and respond to CampusInsight request packets. By default, no interface can
receive or respond to CampusInsight request packets.

Configure LLDP to enable CampusInsight to discover LLDP links of devices.


<HUAWEI> system-view
[HUAWEI] lldp enable

10.2.1.3 Adding WACs and Fit APs


SFTP is configured to enable CampusInsight to synchronize such information
about APs as basic information, interface information, and link information from
devices.
Configuring First-Time Authentication on the SSH Client
<AC> system-view
[AC] ssh client first-time enable //Enable authentication upon the first login of the SSH client.

Configuring Secure Key Exchange Algorithms on the SSH Client


Devices use the SSH client to set up file transfer channels with the SFTP server of
CampusInsight. Currently, the SFTP server supports the following secure key
exchange algorithms: dh-group15-sha512, dh-group16-sha512, dh-group17-sha512,
dh-group18-sha512, and dh-group-exchange-sha256.
You are advised to use secure key exchange algorithms supported by devices.
Perform the following steps to configure a secure key exchange algorithm:
<AC> system-view
[AC] display current-configuration | include ssh client key-exchange //Check key exchange algorithms that
have been configured on the device. If any of the preceding secure key exchange algorithms has been
configured, no further configuration is required.
[AC] ssh client key-exchange ? //Check all the key exchange algorithms supported by the device and
determine whether the device supports secure key exchange algorithms.
[AC] ssh client key-exchange dh-group-exchange-sha256 //Configure a key exchange algorithm
(dh-group-exchange-sha256 is used as an example).

NOTE

If the device does not support the secure key exchange algorithms and you still need to use
the SFTP synchronization mode, evaluate the security risks, enable the SFTP function in
non-secure mode on CampusInsight, and perform operations according to 3 in What Do I
Do If AP Information Fails to Be Synchronized Using SFTP.
<AC> system-view
[AC] mgmt isolate disable
//The management plane isolation function is enabled by default for the AC6605, AC6805, and ACU2
running V200R010C00. When the WAC is managed through a non-management interface, run this
command to disable the management plane isolation function.
[AC] snmp-agent sys-info version v3
[AC] snmp-agent mib-view iso-view include iso
//iso-view specifies the configured MIB view name. To ensure that CampusInsight can properly manage
devices, the MIB view must contain the iso node.
[AC] snmp-agent group v3 snmpv3group privacy write-view iso-view notify-view iso-view
//snmpv3group specifies the configured user group. The write view name and notification view name are
specified as iso-view. By default, the write view has the read permission. Therefore, you do not need to set
the read view. The notification view is used to specify the MIB objects for which alarms can be sent to
CampusInsight.
[AC] snmp-agent usm-user version v3 snmpv3user group snmpv3group
//snmpv3user specifies the configured user name, which is consistent with the security name of
CampusInsight. The security level of a user cannot be lower than that of the user group to which the user
belongs. Otherwise, a communications failure occurs. For example, if the security level of the user group
that snmpv3group specifies is privacy, the security level of the user that snmpv3user specifies must be
authentication and encryption.
[AC] snmp-agent usm-user version v3 snmpv3user authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
//Set the authentication protocol and password of the user, which must be the same as those configured on
CampusInsight. The authentication protocol is SHA. Enter the authentication password as prompted.
[AC] snmp-agent usm-user version v3 snmpv3user privacy-mode aes128
Please configure the privacy password (8-255)
Enter Password:
Confirm Password:
//Set the encryption protocol and password of the user, which must be the same as the privacy protocol and
encryption password configured on CampusInsight. The encryption protocol is AES128. Enter the encryption
password as prompted.
[AC] snmp-agent protocol source-interface vlanif4000
//You are advised to set the loopback interface as the SNMP source interface. vlanif4000 specifies the
device interface corresponding to the IP address used by CampusInsight for managing the device. Set the
device interface based on the site requirements.
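
The following Python check is an added example, not part of the Huawei guide or its tooling. It reads the SNMPv3 commands given above for switches and WACs and reports deviations from what this section requires: SNMPv3 only, an iso MIB view, a privacy-level group, users whose security level is not lower than their group's, and use of source-status all-interface. The function names, finding codes and the two sample command lists are constructed for illustration, and the input is assumed to be in the form the commands are typed on this page (saved device configuration may render them differently).

```python
import re

# Security levels accepted by "snmp-agent group v3 <name> [level]", lowest first.
LEVELS = {"noauth": 0, "authentication": 1, "privacy": 2}
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")   # strips "[HUAWEI] " or "<AC> "
VIEW_KEYS = ("read-view", "write-view", "notify-view")


def parse_snmp(text):
    """Collect SNMP settings from commands typed in the form shown on this page."""
    cfg = {"versions": set(), "views": {}, "groups": {}, "users": {},
           "all_interface": False}
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw).split("//")[0].split()
        if len(tok) < 3 or tok[0] != "snmp-agent":
            continue
        if tok[1:3] == ["sys-info", "version"]:
            cfg["versions"].update(tok[3:])
        elif tok[1] == "mib-view" and len(tok) == 5:
            # Switch form: "included iso-view iso"; WAC form: "iso-view include iso".
            mode = next((t for t in tok[2:4] if t.startswith(("incl", "excl"))), "")
            name = tok[3] if tok[2] == mode else tok[2]
            if mode.startswith("incl"):
                cfg["views"].setdefault(name, set()).add(tok[4])
        elif tok[1:3] == ["group", "v3"] and len(tok) > 3:
            rest = tok[4:]
            level = rest[0] if rest and rest[0] in LEVELS else "noauth"
            views = {rest[i + 1] for i, t in enumerate(rest[:-1]) if t in VIEW_KEYS}
            cfg["groups"][tok[3]] = {"level": level, "views": views}
        elif tok[1] == "usm-user":
            rest = tok[3:] if tok[2] == "version" else tok[2:]   # WAC adds "version"
            if len(rest) >= 4 and rest[0] == "v3":
                # rest[2] is "group", "authentication-mode" or "privacy-mode"
                cfg["users"].setdefault(rest[1], {})[rest[2]] = rest[3]
        elif tok[1:4] == ["protocol", "source-status", "all-interface"]:
            cfg["all_interface"] = True
    return cfg


def audit_snmp(text):
    """Return a sorted list of finding codes for one device's SNMP commands."""
    cfg, findings = parse_snmp(text), set()
    if cfg["versions"] != {"v3"}:
        findings.add("version-not-v3-only")
    if cfg["all_interface"]:
        # The page requires this command on some models and notes that the device
        # prints a risk message, so it is reported for review rather than as an error.
        findings.add("all-interface-enabled")
    for name, user in cfg["users"].items():
        if "authentication-mode" not in user:
            user_level = "noauth"
        elif "privacy-mode" not in user:
            user_level = "authentication"
        else:
            user_level = "privacy"
        group = cfg["groups"].get(user.get("group"))
        if group is None:
            findings.add(f"user-{name}-group-undefined")
        elif LEVELS[user_level] < LEVELS[group["level"]]:
            # The page's rule: a user below its group's level cannot communicate.
            findings.add(f"user-{name}-below-group-level")
    for name, group in cfg["groups"].items():
        if group["level"] != "privacy":
            findings.add(f"group-{name}-not-privacy")
        for view in group["views"]:
            if "iso" not in cfg["views"].get(view, set()):
                findings.add(f"view-{view}-missing-iso")
    return sorted(findings)


# Constructed sample 1: the switch commands exactly as this section lists them.
PAGE_SWITCH_COMMANDS = """\
[HUAWEI] snmp-agent sys-info version v3
[HUAWEI] snmp-agent mib-view included iso-view iso
[HUAWEI] snmp-agent group v3 snmpv3group privacy write-view iso-view notify-view iso-view
[HUAWEI] snmp-agent usm-user v3 snmpv3user group snmpv3group
[HUAWEI] snmp-agent usm-user v3 snmpv3user authentication-mode sha
[HUAWEI] snmp-agent usm-user v3 snmpv3user privacy-mode aes256
[HUAWEI] snmp-agent protocol source-interface vlanif4000
"""

# Constructed sample 2: a WAC that drifted (v2c left on, no privacy-mode, all interfaces).
DRIFTED_WAC_COMMANDS = """\
[AC] snmp-agent sys-info version v2c v3
[AC] snmp-agent mib-view iso-view include iso
[AC] snmp-agent group v3 snmpv3group privacy write-view iso-view notify-view iso-view
[AC] snmp-agent usm-user version v3 snmpv3user group snmpv3group
[AC] snmp-agent usm-user version v3 snmpv3user authentication-mode sha
[AC] snmp-agent protocol source-status all-interface
"""

if __name__ == "__main__":
    for label, text in (("switch", PAGE_SWITCH_COMMANDS), ("wac", DRIFTED_WAC_COMMANDS)):
        print(label, audit_snmp(text))
```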

Configure LLDP to enable CampusInsight to discover LLDP links of devices.


<AC> system-view
[AC] lldp enable
[AC] wlan
[AC-wlan-view] ap-system-profile name default //Configure the AP system profile (default). By default, this
profile is bound to the AP group.
[AC-wlan-ap-system-prof-default] lldp report enable //Enable the AP to report LLDP neighbor information
in the AP system profile (default).

10.2.1.4 Adding Resources


Before managing campus networks using CampusInsight, you need to set sites
and regions, and add wired devices, wireless devices, and links based on the actual
network plan.

For details, see Adding Resources under "Operation Guide > Inventory > Device"
in the iMaster NCE-CampusInsight Product Documentation (Independent
Deployment).

10.2.2 Configuring Log Data Reporting

10.2.2.1 Configuring Switches Running V200

Configuring the HTTP/2 Protocol Channel for the Access Switch


<HUAWEI> system-view
[HUAWEI] undo access-user syslog-restrain enable
//Disable the Syslog suppression function.
[HUAWEI] snmp-agent trap enable
//Enable the switch to send traps.
[HUAWEI] snmp-agent trap type entity-trap
//Configure the device to send ENTITYTRAP traps.
[HUAWEI] smi-server
[HUAWEI-smi-server] source ip-address 172.31.32.8
//172.31.32.8 is the management IP address of the switch.
//172.31.32.8 is used as an example. Set this parameter based on site requirements.
//Perform either of the following configurations based on the installation scenario.
[HUAWEI-smi-server] server ip-address 172.31.31.32 port 27371
//(Non-DR scenario) 172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight. The
port number is fixed at 27371.
//172.31.31.32 is used as an example. Set this parameter based on site requirements.
[HUAWEI-smi-server] server ip-address 172.31.31.32 port 27371 backup ip-address 172.31.31.34 port 27371
//(DR scenario) 172.31.31.34 is the southbound floating IP address of the secondary iMaster NCE-
CampusInsight node. The port number is fixed at 27371.
//172.31.31.34 is used as an example. Set this parameter based on site requirements.
[HUAWEI-smi-server] collect-item syslog l2ifppi enable
//Configure the device to report Layer 2 service logs of the l2ifppi module.
[HUAWEI-smi-server] collect-item syslog l3adp enable
//Configure the device to report Layer 3 service logs of the l3adp module.
[HUAWEI-smi-server] collect-item syslog mcast enable
//Configure the device to report multicast service logs of the mcast module.
[HUAWEI-smi-server] collect-item syslog mpls enable
//Configure the device to report MPLS service logs of the mpls module.
[HUAWEI-smi-server] collect-item syslog acl enable
//Configure the device to report ACL logs of the acl module.
[HUAWEI-smi-server] collect-item syslog dhcp enable
//Configure the device to report DHCP logs of the dhcp module.
[HUAWEI-smi-server] collect-item syslog ifnet enable
//Configure the device to report interface logs of the ifnet module.
[HUAWEI-smi-server] collect-item syslog ifpdt enable
//Configure the device to report interface logs of the ifpdt module.
[HUAWEI-smi-server] collect-item syslog poe enable
//Configure the device to report PoE logs of the poe module.
[HUAWEI-smi-server] collect-item syslog shell enable
//Configure the device to report logs of the shell module.
[HUAWEI-smi-server] collect-item syslog entitytrap enable
//Configure the device to report entity logs of the entitytrap module.
[HUAWEI-smi-server] collect-item syslog basetrap enable
//Configure the device to report basic logs of the basetrap module.
[HUAWEI-smi-server] collect-item syslog sece enable
//Configure the device to report attack logs of the sece module.
[HUAWEI-smi-server] collect-item syslog defd enable
//Configure the device to report attack logs of the defd module.
[HUAWEI-smi-server] collect-item syslog mstp enable
//Configure the device to report attack logs of the mstp module.
[HUAWEI-smi-server] collect-item syslog lbdt enable
//Configure the device to report Layer 2 loop logs of the lbdt module.
[HUAWEI-smi-server] collect-item syslog bgp enable
//Configure the device to report BGP logs of the bgp module.
[HUAWEI-smi-server] collect-item syslog ospf enable
//Configure the device to report OSPF logs of the ospf module.
[HUAWEI-smi-server] collect-item syslog am enable
//Configure the device to report logs of the AM module.
[HUAWEI-smi-server] collect-item syslog cssm enable
//Configure the device to report logs of the CSSM module. The log reporting function can be enabled only
on stacking-capable modular switches.
[HUAWEI-smi-server] collect-item syslog fsp enable
//Configure the device to report logs of the fsp module. The log reporting function can be enabled only on
stacking-capable fixed switches.
[HUAWEI-smi-server] collect-item syslog entityexttrap enable
//Configure the device to report logs of the entityexttrap module.
[HUAWEI-smi-server] collect-item syslog mad enable
//Configure the device to report logs of the MAD module. The log reporting function can be enabled only
on DAD-capable stacked switches.
[HUAWEI-smi-server] collect-item syslog errdown enable
//Configure the device to report logs of the ERRDOWN module.
[HUAWEI-smi-server] collect-item syslog ipca enable
//Configure the device to report logs of the IPCA module.
[HUAWEI-smi-server] collect-item syslog sea enable
//Configure the device to report logs of the SAC module.
//The preceding configuration is used only as an example. The logs that can be reported vary depending on
the device.

Configuring the HTTP/2 Protocol Channel for the Aggregation Switch


<HUAWEI> system-view
[HUAWEI] undo access-user syslog-restrain enable
//Disable the Syslog suppression function.
[HUAWEI] snmp-agent trap enable
//Enable the switch to send traps.
[HUAWEI] snmp-agent trap type entity-trap
//Configure the device to send ENTITYTRAP traps.
[HUAWEI] smi-server
[HUAWEI-smi-server] source ip-address 172.31.32.6
//172.31.32.6 is the management IP address of the switch.
//172.31.32.6 is used as an example. Set this parameter based on site requirements.
//Perform either of the following configurations based on the installation scenario.
[HUAWEI-smi-server] server ip-address 172.31.31.32 port 27371
//(Non-DR scenario) 172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight. The
port number is fixed at 27371.
[HUAWEI-smi-server] server ip-address 172.31.31.32 port 27371 backup ip-address 172.31.31.34 port 27371
//(DR scenario) 172.31.31.34 is the southbound floating IP address of the secondary iMaster NCE-
CampusInsight node. The port number is fixed at 27371.
//172.31.31.34 is used as an example. Set this parameter based on site requirements.
[HUAWEI-smi-server] collect-item syslog l2ifppi enable
//Configure the device to report Layer 2 service logs of the l2ifppi module.
[HUAWEI-smi-server] collect-item syslog l3adp enable
//Configure the device to report Layer 3 service logs of the l3adp module.
[HUAWEI-smi-server] collect-item syslog mcast enable
//Configure the device to report multicast service logs of the mcast module.
[HUAWEI-smi-server] collect-item syslog mpls enable
//Configure the device to report MPLS service logs of the mpls module.
[HUAWEI-smi-server] collect-item syslog acl enable
//Configure the device to report ACL logs of the acl module.
[HUAWEI-smi-server] collect-item syslog dhcp enable
//Configure the device to report DHCP logs of the dhcp module.
[HUAWEI-smi-server] collect-item syslog nac enable
//Configure the device to report network access control logs (mainly user access logs) of the nac module.
[HUAWEI-smi-server] collect-item syslog ifnet enable
//Configure the device to report interface logs of the ifnet module.
[HUAWEI-smi-server] collect-item syslog ifpdt enable
//Configure the device to report interface logs of the ifpdt module.
[HUAWEI-smi-server] collect-item syslog poe enable
//Configure the device to report PoE logs of the poe module.
[HUAWEI-smi-server] collect-item syslog entitytrap enable
//Configure the device to report entity logs of the entitytrap module.
[HUAWEI-smi-server] collect-item syslog basetrap enable
//Configure the device to report basic logs of the basetrap module.
[HUAWEI-smi-server] collect-item syslog aaa enable
//Configure the device to report authentication logs of the aaa module.
[HUAWEI-smi-server] collect-item syslog dot1x enable
//Configure the device to report authentication logs of the dot1x module.
[HUAWEI-smi-server] collect-item syslog web enable
//Configure the device to report authentication logs of the web module.
[HUAWEI-smi-server] collect-item syslog portal enable
//Configure the device to report authentication logs of the portal module.
[HUAWEI-smi-server] collect-item syslog sece enable
//Configure the device to report attack logs of the sece module.
[HUAWEI-smi-server] collect-item syslog defd enable
//Configure the device to report attack logs of the defd module.
[HUAWEI-smi-server] collect-item syslog mstp enable
//Configure the device to report attack logs of the mstp module.
[HUAWEI-smi-server] collect-item syslog lbdt enable
//Configure the device to report Layer 2 loop logs of the lbdt module.
[HUAWEI-smi-server] collect-item syslog shell enable
//Configure the device to report CLI logs of the shell module.
[HUAWEI-smi-server] collect-item syslog bgp enable
//Configure the device to report BGP logs of the bgp module.
[HUAWEI-smi-server] collect-item syslog ospf enable
//Configure the device to report OSPF logs of the ospf module.
[HUAWEI-smi-server] collect-item syslog am enable
//Configure the device to report logs of the AM module.
[HUAWEI-smi-server] collect-item syslog cssm enable
//Configure the device to report logs of the CSSM module. The log reporting function can be enabled only
on stacking-capable modular switches.
[HUAWEI-smi-server] collect-item syslog fsp enable
//Configure the device to report logs of the fsp module. The log reporting function can be enabled only on
stacking-capable fixed switches.
[HUAWEI-smi-server] collect-item syslog entityexttrap enable
//Configure the device to report logs of the entityexttrap module.
[HUAWEI-smi-server] collect-item syslog mad enable
//Configure the device to report logs of the MAD module. The log reporting function can be enabled only
on DAD-capable stacked switches.
[HUAWEI-smi-server] collect-item syslog errdown enable
//Configure the device to report logs of the ERRDOWN module.
[HUAWEI-smi-server] collect-item syslog ipca enable
//Configure the device to report logs of the IPCA module.
[HUAWEI-smi-server] collect-item syslog sea enable
//Configure the device to report logs of the SAC module.
//The preceding configuration is used only as an example. The logs that can be reported vary depending on
the device.

Configuring the HTTP/2 Protocol Channel for the Core Switch


<HUAWEI> system-view
[HUAWEI] undo access-user syslog-restrain enable
//Disable the Syslog suppression function.
[HUAWEI] snmp-agent trap enable
//Enable the switch to send traps.
[HUAWEI] snmp-agent trap type entity-trap
//Configure the device to send ENTITYTRAP traps.
[HUAWEI] smi-server
[HUAWEI-smi-server] source ip-address 172.31.31.4
//172.31.31.4 is the management IP address of the switch.
//172.31.31.4 is used as an example. Set this parameter based on site requirements.
//Perform either of the following configurations based on the installation scenario.
[HUAWEI-smi-server] server ip-address 172.31.31.32 port 27371
//(Non-DR scenario) 172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight. The
port number is fixed at 27371.
//172.31.31.32 is used as an example. Set this parameter based on site requirements.
[HUAWEI-smi-server] server ip-address 172.31.31.32 port 27371 backup ip-address 172.31.31.34 port 27371
//(DR scenario) 172.31.31.34 is the southbound floating IP address of the secondary iMaster NCE-
CampusInsight node. The port number is fixed at 27371.
//172.31.31.34 is used as an example. Set this parameter based on site requirements.
[HUAWEI-smi-server] collect-item syslog l2ifppi enable
//Configure the device to report Layer 2 service logs of the l2ifppi module.
[HUAWEI-smi-server] collect-item syslog l3adp enable
//Configure the device to report Layer 3 service logs of the l3adp module.
[HUAWEI-smi-server] collect-item syslog mcast enable
//Configure the device to report multicast service logs of the mcast module.
[HUAWEI-smi-server] collect-item syslog mpls enable
//Configure the device to report MPLS service logs of the mpls module.
[HUAWEI-smi-server] collect-item syslog acl enable
//Configure the device to report ACL logs of the acl module.
[HUAWEI-smi-server] collect-item syslog dhcp enable
//Configure the device to report DHCP logs of the dhcp module.
[HUAWEI-smi-server] collect-item syslog ifnet enable
//Configure the device to report interface logs of the ifnet module.
[HUAWEI-smi-server] collect-item syslog ifpdt enable
//Configure the device to report interface logs of the ifpdt module.
[HUAWEI-smi-server] collect-item syslog poe enable
//Configure the device to report PoE logs of the poe module.
[HUAWEI-smi-server] collect-item syslog entitytrap enable
//Configure the device to report entity logs of the entitytrap module.
[HUAWEI-smi-server] collect-item syslog basetrap enable
//Configure the device to report basic logs of the basetrap module.
[HUAWEI-smi-server] collect-item syslog shell enable
//Configure the device to report CLI logs of the shell module.
[HUAWEI-smi-server] collect-item syslog sece enable
//Configure the device to report attack logs of the sece module.
[HUAWEI-smi-server] collect-item syslog defd enable
//Configure the device to report attack logs of the defd module.
[HUAWEI-smi-server] collect-item syslog mstp enable
//Configure the device to report attack logs of the mstp module.
[HUAWEI-smi-server] collect-item syslog lbdt enable
//Configure the device to report Layer 2 loop logs of the lbdt module.
[HUAWEI-smi-server] collect-item syslog bgp enable
//Configure the device to report BGP logs of the bgp module.
[HUAWEI-smi-server] collect-item syslog ospf enable
//Configure the device to report OSPF logs of the ospf module.
[HUAWEI-smi-server] collect-item syslog am enable
//Configure the device to report logs of the AM module.
[HUAWEI-smi-server] collect-item syslog cssm enable
//Configure the device to report logs of the CSSM module. The log reporting function can be enabled only
on stacking-capable modular switches.
[HUAWEI-smi-server] collect-item syslog fsp enable
//Configure the device to report logs of the fsp module. The log reporting function can be enabled only on
stacking-capable fixed switches.
[HUAWEI-smi-server] collect-item syslog entityexttrap enable
//Configure the device to report logs of the entityexttrap module.
[HUAWEI-smi-server] collect-item syslog mad enable
//Configure the device to report logs of the MAD module. The log reporting function can be enabled only
on DAD-capable stacked switches.
[HUAWEI-smi-server] collect-item syslog errdown enable
//Configure the device to report logs of the ERRDOWN module.
[HUAWEI-smi-server] collect-item syslog ipca enable
//Configure the device to report logs of the IPCA module.
[HUAWEI-smi-server] collect-item syslog sea enable
//Configure the device to report logs of the SAC module.
//The preceding configuration is used only as an example. The logs that can be reported vary depending on
the device.
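
A drift check for the smi-server settings above, added here as an example and not part of the Huawei guide: it compares the collect-item modules enabled on a switch with the lists this section gives for its role, and reports missing attack, authentication and CLI log modules separately from the rest. The role names, capability labels, the SECURITY grouping and the sample command list are assumptions made for the example, and the input is expected in the form the commands are typed on this page.

```python
import re

# collect-item modules that appear in all three role examples on this page.
BASE = set("l2ifppi l3adp mcast mpls acl dhcp ifnet ifpdt poe shell entitytrap basetrap "
           "sece defd mstp lbdt bgp ospf am entityexttrap errdown ipca sea".split())
# Modules that appear only in the aggregation switch example.
AGGREGATION_EXTRA = {"nac", "aaa", "dot1x", "web", "portal"}
# Modules the page says can be enabled only on certain hardware (labels are hypothetical).
CONDITIONAL = {"cssm": "modular-stack", "fsp": "fixed-stack", "mad": "dad-stack"}
# Grouping chosen for this example: attack, authentication/user access and CLI logs.
SECURITY = {"sece", "defd", "shell", "nac", "aaa", "dot1x", "web", "portal"}
PORT = 27371   # analyzer port, stated on this page as fixed
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")


def expected_modules(role, capabilities=()):
    """Modules the page lists for a role, plus hardware-dependent ones that apply."""
    mods = set(BASE)
    if role == "aggregation":
        mods |= AGGREGATION_EXTRA
    return mods | {m for m, cap in CONDITIONAL.items() if cap in capabilities}


def parse_smi(text):
    """Extract log-reporting settings from commands typed as shown on this page."""
    out = {"modules": set(), "servers": [], "source": None, "restrain_disabled": False}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).split("//")[0].strip()
        match = re.fullmatch(r"collect-item syslog (\S+) enable", line)
        if match:
            out["modules"].add(match.group(1))
        elif line.startswith("server ip-address"):
            # The DR form carries a second "ip-address ... port ..." after "backup".
            out["servers"] = [(ip, int(port)) for ip, port in
                              re.findall(r"ip-address (\S+) port (\d+)", line)]
        elif line.startswith("source ip-address"):
            out["source"] = line.split()[2]
        elif line == "undo access-user syslog-restrain enable":
            out["restrain_disabled"] = True
    return out


def check_reporting(text, role, capabilities=(), dr=False):
    """Compare one switch's settings with the page's list for its role."""
    cfg = parse_smi(text)
    missing = expected_modules(role, capabilities) - cfg["modules"]
    problems = []
    if not cfg["restrain_disabled"]:
        problems.append("syslog suppression still enabled")
    if not cfg["servers"]:
        problems.append("no analyzer server configured")
    if any(port != PORT for _, port in cfg["servers"]):
        problems.append("analyzer port is not 27371")
    if dr and len(cfg["servers"]) < 2:
        problems.append("DR scenario but no backup analyzer address")
    return {"missing_security": sorted(missing & SECURITY),
            "missing_other": sorted(missing - SECURITY),
            "problems": problems}


def sample_commands(modules):
    """Constructed input: an aggregation switch using the non-DR server line."""
    head = ["<HUAWEI> system-view",
            "[HUAWEI] undo access-user syslog-restrain enable",
            "[HUAWEI] smi-server",
            "[HUAWEI-smi-server] source ip-address 172.31.32.6",
            "[HUAWEI-smi-server] server ip-address 172.31.31.32 port 27371"]
    return "\n".join(head + [f"[HUAWEI-smi-server] collect-item syslog {m} enable"
                             for m in sorted(modules)])


# Constructed sample: three modules from the page's aggregation list were never enabled.
SAMPLE = sample_commands(expected_modules("aggregation") - {"aaa", "sece", "ospf"})

if __name__ == "__main__":
    print(check_reporting(SAMPLE, "aggregation", dr=True))
```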

10.2.2.2 Configuring Switches Running V600


Telemetry is a technology for rapidly collecting data from remote devices. Devices
proactively send their data to iMaster NCE-CampusInsight in push mode,
implementing real-time and high-speed data collection.

NOTICE

● To ensure system security and proper running of the data reporting function,
the Telemetry function uses the TLS authentication mode by default. You are
advised not to use non-TLS authentication, because it may cause system
security risks.
● The onsite network must be implemented based on the plan to ensure that all
switches on the campus network and iMaster NCE-CampusInsight can
communicate with each other. Otherwise, Telemetry packets will fail to be
reported. The Telemetry configuration on devices must be planned based on
the network requirements. The configuration here is for reference only.
● Before configuring the Telemetry function, load a license. In some versions, the
Telemetry function can be configured after the license is loaded. In some other
versions, the Telemetry function can be configured after the license is loaded
and the device is restarted. For details, see the corresponding product
documentation of the device.

Procedure
Step 1 Configure the southbound floating IP address of iMaster NCE-CampusInsight.
<HUAWEI> system-view
[HUAWEI] telemetry
[HUAWEI-telemetry] destination-group destgroup
[HUAWEI-telemetry-destination-group-destgroup] ipv4-address 172.31.31.32 port 30003 [ vpn-instance vpn-instance-name ] protocol grpc
//Configure the southbound floating IP address of iMaster NCE-CampusInsight. 172.31.31.32 is used as an
example. Set this parameter based on site requirements. The port number is fixed at 30003. If the route to
the destination IP address destip-address is a private network route, specify vpn-instance
vpn-instance-name, where vpn-instance-name specifies the name of the VPN instance corresponding to the
private network.
[HUAWEI-telemetry-destination-group-destgroup] quit

Step 2 Configure a sampling sensor group.


NOTE

If multiple sampling intervals are configured for the same sampling object, the network
load will increase. To prevent this, ensure that the same sensor path sensor-path
corresponding to the sampled data sent to iMaster NCE-CampusInsight is added to only
one sensor group sensor-group.
[HUAWEI-telemetry] sensor-group clientlg
//Create a sampling sensor group named clientlg to collect Syslog information.
[HUAWEI-telemetry-sensor-group-clientlg] sensor-path huawei-syslog:syslog/loginfos/loginfo
[HUAWEI-telemetry-sensor-group-clientlg-path] quit
[HUAWEI-telemetry-sensor-group-clientlg] quit

Step 3 Create a subscription.


[HUAWEI-telemetry] subscription subscriptiongroup
//Create the subscription subscriptiongroup.
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group clientlg sample-interval 0
[HUAWEI-telemetry-subscription-subscriptiongroup] destination-group destgroup
[HUAWEI-telemetry-subscription-subscriptiongroup] quit
[HUAWEI-telemetry] quit
//Associate the sampling sensor group clientlg with the destination group destgroup for the subscription
subscriptiongroup.
//Set the interval for collecting logs to 0.

----End

10.2.2.3 Configuring WACs and Fit APs


The commands for configuring the HTTP/2 protocol channel on a WAC are as
follows:
<WAC> system-view
[WAC] undo access-user syslog-restrain enable
//Disable the Syslog suppression function.
[WAC] wmi-server
[WAC-wmi-server] server ip-address 172.31.31.32 port 27371
//172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight. The port number is
fixed at 27371.
[WAC-wmi-server] server backup ip-address 172.31.31.34 port 27371
//(Perform this step only in DR scenarios.) 172.31.31.34 is the southbound floating IP address of the
secondary iMaster NCE-CampusInsight node. The port number is fixed at 27371.
[WAC-wmi-server] collect-item log-data interval 60
[WAC-wmi-server] log module mid ff760000
//Configure the device to report Portal 2.0 authentication logs of the ff760000 module.
[WAC-wmi-server] log module mid ff5f0000
//Configure the device to report 802.1X authentication logs of the ff5f0000 module.
[WAC-wmi-server] log module mid ff630000
//Configure the device to report authentication logs of the ff630000 module.
[WAC-wmi-server] log module mid fff30000
//Configure the device to report offline logs of the fff30000 module.
[WAC-wmi-server] log module mid ff5d0000
//Configure the device to report AM logs of the ff5d0000 module.
[WAC-wmi-server] log module mid ff050000
//Configure the device to report port status logs of the ff050000 module.
[WAC-wmi-server] log module mid d0410000
//Configure the device to report device operation logs of the d0410000 module.
[WAC-wmi-server] log module mid ff5a0000
//Configure the device to report AAA logs of the ff5a0000 module.
[WAC-wmi-server] log module mid ff8c0000 name ENTITYTRAP
//Configure the device to report ENTITYTRAP logs of the ff8c0000 module.
[WAC-wmi-server] log module mid ff2f0000 name SACADP
//Configure the device to report SACADP logs of the ff2f0000 module.
[WAC-wmi-server] log module mid fe090000 name SIPFPM
//Configure the device to report SIPFPM logs of the fe090000 module.

The commands for configuring the HTTP/2 protocol channel on an AP are as
follows:
<WAC> system-view
[WAC] wlan
[WAC-wlan-view] wmi-server name test
//Create the WMI profile test.
[WAC-wlan-wmi-server-prof-test] server ip-address 172.31.31.32 port 27371
//172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight. The port number is
fixed at 27371.
[WAC-wlan-wmi-server-prof-test] server backup ip-address 172.31.31.34 port 27371
//(Perform this step only in DR scenarios.) 172.31.31.34 is the southbound floating IP address of the
secondary iMaster NCE-CampusInsight node. The port number is fixed at 27371.
[WAC-wlan-wmi-server-prof-test] collect-item log-data interval 60
[WAC-wlan-wmi-server-prof-test] ap log module mid ff600000
//Configure the AP to report HTTPS redirection logs of the ff600000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid d0410000
//Configure the AP to report device operation logs of the d0410000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid ff620000
//Configure the AP to report DHCP logs of the ff620000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid ffed0000
//Configure the AP to report audio and video logs of the ffed0000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid ffef0000
//Configure the AP to report association logs of the ffef0000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid fff30000
//Configure the AP to report WLAN logs of the fff30000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid ff2b0000
//Configure the AP to report logs about user gateway unreachable of the ff2b0000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid FE011004
//Configure the AP to report switching logs of the FE011004 power supply module.

[WAC-wlan-wmi-server-prof-test] ap log module mid FFDC0000
//Configure the AP to report interference fingerprint event logs of the FFDC0000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid ff2f0000
//Configure the AP to report SACADP logs of the ff2f0000 module.
[WAC-wlan-wmi-server-prof-test] ap log module mid fe090000
//Configure the AP to report SIPFPM logs of the fe090000 module.
[WAC-wlan-wmi-server-prof-test] quit
[WAC-wlan-view] ap-system-profile name default
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
[WAC-wlan-ap-system-prof-default] quit
//Bind the WMI profile test to the AP system profile default and use index 2 as the fixed index to report
data to iMaster NCE-CampusInsight.
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] ap-system-profile default
//Bind the AP system profile to the AP group.

10.2.3 Configuring Performance Metric Reporting

10.2.3.1 Configuring Switches Running V200

Configuring the Access Switch to Report Performance Metrics


NOTE

The following configuration is used only as an example. The logs that can be reported vary
depending on the device.
<HUAWEI> system-view
[HUAWEI] collect dynamic mac disable
//Disable the function of reporting data of wired users who are not authenticated. If data of wired users
who are authenticated needs to be reported, you do not need to disable data reporting. Perform this
operation based on the site requirements.
[HUAWEI] pki realm default
[HUAWEI-pki-realm-default] certificate-check none
[HUAWEI-pki-realm-default] quit
//Disable certificate revocation check.
[HUAWEI] arp snooping enable
//Enable the ARP snooping function globally.
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] dhcp snooping packet-flow log enable
//Enable the DHCP snooping function globally, configure the device to process only DHCPv4 packets, and
enable the DHCP snooping print function.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] quit
//Enable the ARP snooping and DHCP snooping functions on the user-side interface.
//After ARP snooping and DHCP snooping are enabled, the switch reports ARP and DHCP packets to
iMaster NCE-CampusInsight. ARP packets are used to display the switch interface to which a user is
connected during user journey. DHCP packets are used to display the protocol interaction process in the
DHCP phase of a user during protocol tracing and display the time required for DHCP during user journey.
GigabitEthernet 1/0/1 is used only as an example. Set this parameter based on the site requirements.
[HUAWEI] interface 25GigabitEthernet 0/0/3
[HUAWEI-25GigabitEthernet0/0/3] dhcp snooping trusted
[HUAWEI-25GigabitEthernet0/0/3] quit
//After DHCP snooping is enabled, all interfaces on the switch are untrusted interfaces by default. In this
case, you need to run the dhcp snooping trusted command to configure the interface connected to the
DHCP server as a trusted interface. Otherwise, DHCP Reply packets sent from the DHCP server are
discarded and users connected to the switch cannot obtain IP addresses from the DHCP server.
25GigabitEthernet 0/0/3 is used only as an example. Set this parameter based on the site requirements.
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item device-data enable
[HUAWEI-smi-server] collect-item device-data interval 1
//Configure the switch to report device, board, interface, and AP data to iMaster NCE-CampusInsight at an
interval of one minute (5 minutes by default).
[HUAWEI-smi-server] collect-item poe enable

[HUAWEI-smi-server] collect-item poe interval 1
//Configure the switch to report PoE data to iMaster NCE-CampusInsight at an interval of one minute (5
minutes by default).
[HUAWEI-smi-server] collect-item fiber-module enable
[HUAWEI-smi-server] collect-item fiber-module interval 1
//Configure the switch to report optical module data to iMaster NCE-CampusInsight at an interval of one
minute (5 minutes by default).
[HUAWEI-smi-server] collect-item device-status enable
[HUAWEI-smi-server] collect-item device-status interval 1
//Configure the switch to report device status data to iMaster NCE-CampusInsight at an interval of one
minute (5 minutes by default).

Configuring the Aggregation Switch to Report Performance Metrics


<HUAWEI> system-view
[HUAWEI] collect dynamic mac disable
//Disable the function of reporting data of wired users who are not authenticated.
[HUAWEI] pki realm default
[HUAWEI-pki-realm-default] certificate-check none
[HUAWEI-pki-realm-default] quit
//Disable certificate revocation check.
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] statistic enable
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
//Enable the traffic statistics collection function. The authentication point is deployed on the aggregation
switch.
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item device-data enable
[HUAWEI-smi-server] collect-item device-data interval 1
//Configure the switch to report device, board, interface, and AP data to iMaster NCE-CampusInsight at an
interval of one minute (5 minutes by default).
[HUAWEI-smi-server] collect-item poe enable
[HUAWEI-smi-server] collect-item poe interval 1
//Configure the switch to report PoE data to iMaster NCE-CampusInsight at an interval of one minute (5
minutes by default).
[HUAWEI-smi-server] collect-item fiber-module enable
[HUAWEI-smi-server] collect-item fiber-module interval 1
//Configure the switch to report optical module data to iMaster NCE-CampusInsight at an interval of one
minute (5 minutes by default).
[HUAWEI-smi-server] collect-item user-data enable
[HUAWEI-smi-server] collect-item user-data interval 1
[HUAWEI-smi-server] collect-item device-status enable
[HUAWEI-smi-server] collect-item device-status interval 1
//Configure the switch to report device status data to iMaster NCE-CampusInsight at an interval of one
minute (5 minutes by default).

Configuring the Core Switch to Report Performance Metrics


<HUAWEI> system-view
[HUAWEI] collect dynamic mac disable
//Disable the function of reporting data of wired users who are not authenticated.
[HUAWEI] pki realm default
[HUAWEI-pki-realm-default] certificate-check none
[HUAWEI-pki-realm-default] quit
//Disable certificate revocation check.
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item device-data enable
[HUAWEI-smi-server] collect-item device-data interval 1
//Configure the switch to report device, board, interface, and AP data to iMaster NCE-CampusInsight at an
interval of one minute (5 minutes by default).
[HUAWEI-smi-server] collect-item poe enable
[HUAWEI-smi-server] collect-item poe interval 1
//Configure the switch to report PoE data to iMaster NCE-CampusInsight at an interval of one minute (5
minutes by default).
[HUAWEI-smi-server] collect-item fiber-module enable
[HUAWEI-smi-server] collect-item fiber-module interval 1
//Configure the switch to report optical module data to iMaster NCE-CampusInsight at an interval of one
minute (5 minutes by default).
[HUAWEI-smi-server] collect-item user-data enable
[HUAWEI-smi-server] collect-item user-data interval 1
[HUAWEI-smi-server] collect-item device-status enable
[HUAWEI-smi-server] collect-item device-status interval 1
//Configure the switch to report device status data to iMaster NCE-CampusInsight at an interval of one
minute (5 minutes by default).

10.2.3.2 Configuring Switches Running V600


After log data reporting is configured, the subscription group for log data
reporting can be reused.
[HUAWEI-telemetry] sensor-group deviceandif
//Create a sampling sensor group named deviceandif to collect CPU, memory, interface statistics, top N
CPU processes, packet statistics, and queue buffer usage information.
[HUAWEI-telemetry-sensor-group-deviceandif] sensor-path huawei-cpu-memory:cpu-memory/board-cpu-infos/board-cpu-info
[HUAWEI-telemetry-sensor-group-deviceandif-path] sensor-path huawei-cpu-memory:cpu-memory/board-memory-infos/board-memory-info
[HUAWEI-telemetry-sensor-group-deviceandif-path] sensor-path huawei-devm:devm/ports/port/huawei-pic:ethernet
[HUAWEI-telemetry-sensor-group-deviceandif-path] sensor-path huawei-ifm:ifm/interfaces/interface/common-statistics
[HUAWEI-telemetry-sensor-group-deviceandif-path] sensor-path huawei-cpu-memory:cpu-memory/board-cpu-process-infos/board-cpu-process-info
[HUAWEI-telemetry-sensor-group-deviceandif-path] sensor-path huawei-host-security:host-security/top-packet-statistics/top-packet-statistic
[HUAWEI-telemetry-sensor-group-deviceandif-path] sensor-path huawei-qos:qos/global-query/port-buffer-usage-statisticss/port-buffer-usage-statistics
[HUAWEI-telemetry-sensor-group-deviceandif-path] sensor-path huawei-qos:qos/global-query/queue-buffer-usage-statisticss/queue-buffer-usage-statistics
[HUAWEI-telemetry-sensor-group-deviceandif-path] quit
[HUAWEI-telemetry-sensor-group-deviceandif] quit
//Configure a sampling path for the Telemetry sensor to collect CPU, memory, interface statistics, top N
CPU processes, packet statistics, and queue buffer usage information.
[HUAWEI-telemetry] sensor-group optical
//Create a sampling sensor group named optical to collect optical module information.
[HUAWEI-telemetry-sensor-group-optical] sensor-path huawei-devm:devm/ports/port/huawei-pic:optical-module
[HUAWEI-telemetry-sensor-group-optical-path] depth 3
[HUAWEI-telemetry-sensor-group-optical-path] quit
[HUAWEI-telemetry-sensor-group-optical] quit
//Configure a sampling path for the Telemetry sensor to collect optical module information.
[HUAWEI-telemetry] sensor-group boardgroup
//Create a sampling sensor group named boardgroup to collect information about entry resources, flash
resources, and power supply metrics.
[HUAWEI-telemetry-sensor-group-boardgroup] sensor-path huawei-system-resources-usage:system-resources-usage/resources/resource
[HUAWEI-telemetry-sensor-group-boardgroup-path] sensor-path huawei-cpu-memory:cpu-memory/board-storage-flash-bad-block-infos/board-storage-flash-bad-block-info
[HUAWEI-telemetry-sensor-group-boardgroup-path] sensor-path huawei-cpu-memory:cpu-memory/board-storage-flash-erase-infos/board-storage-flash-erase-info
[HUAWEI-telemetry-sensor-group-boardgroup-path] sensor-path huawei-devm:devm/huawei-driver:driver/power-supplys/power-supply
[HUAWEI-telemetry-sensor-group-boardgroup-path] depth 3
[HUAWEI-telemetry-sensor-group-boardgroup-path] quit
[HUAWEI-telemetry-sensor-group-boardgroup] quit
//Configure a sampling path for the Telemetry sensor to collect entry resources, flash resources, and power
supply metrics.
[HUAWEI-telemetry] sensor-group clientif
//Create a sampling sensor group named clientif to collect user information.
[HUAWEI-telemetry-sensor-group-clientif] sensor-path huawei-arp-security:arp-security/arp-snooping-records/arp-snooping-record
[HUAWEI-telemetry-sensor-group-clientif-path] sensor-path huawei-aaa:aaa/access-user-qrys/access-user-qry
[HUAWEI-telemetry-sensor-group-clientif-path] quit
[HUAWEI-telemetry-sensor-group-clientif] quit
//Configure a sampling path for the Telemetry sensor to collect user information.

[HUAWEI-telemetry] sensor-group clientlg
//Create a sampling sensor group named clientlg to collect information about user access logs.
[HUAWEI-telemetry-sensor-group-clientlg] sensor-path huawei-syslog:syslog/loginfos/loginfo[feature-name="AAA"]
[HUAWEI-telemetry-sensor-group-clientlg-path] sensor-path huawei-syslog:syslog/loginfos/loginfo[feature-name="DHCPSNP"]
[HUAWEI-telemetry-sensor-group-clientlg-path] sensor-path huawei-syslog:syslog/loginfos/loginfo[feature-name="DOT1X"]
[HUAWEI-telemetry-sensor-group-clientlg-path] sensor-path huawei-syslog:syslog/loginfos/loginfo[feature-name="M-LAG"]
[HUAWEI-telemetry-sensor-group-clientlg-path] quit
[HUAWEI-telemetry-sensor-group-clientlg] quit
//Configure a sampling path for the Telemetry sensor to collect information about user access logs.
[HUAWEI-telemetry] sensor-group ipv4v6
//Create a sampling sensor group to collect IPv4 and IPv6 traffic statistics.
[HUAWEI-telemetry-sensor-group-ipv4v6] sensor-path huawei-ifm:ifm/interfaces/interface/huawei-ifm-ip-statistics:ip-statistics
[HUAWEI-telemetry-sensor-group-ipv4v6-path] quit
[HUAWEI-telemetry-sensor-group-ipv4v6] quit
[HUAWEI-telemetry] sensor-group powergroup
//Create a sampling sensor group named powergroup to collect energy consumption metric information
about devices, boards, and interfaces.
[HUAWEI-telemetry-sensor-group-powergroup] sensor-path huawei-devm:devm/chassiss/chassis/huawei-driver:power-supply-attribute
[HUAWEI-telemetry-sensor-group-powergroup-path] sensor-path huawei-driver:driver/area-energyinfos/area-energyinfo/board-energys/board-energy
[HUAWEI-telemetry-sensor-group-powergroup-path] sensor-path huawei-devm-poe:devm-poe/poes/poe/ports/port
[HUAWEI-telemetry-sensor-group-powergroup-path] quit
[HUAWEI-telemetry-sensor-group-powergroup] quit
//Configure the function of reporting basic data of remote units. In the actual configuration, configure a
sensor group for sampling basic data of remote units based on whether the functions related to the remote
units are used.
[HUAWEI-telemetry] sensor-group remoteunitbasic
[HUAWEI-telemetry-sensor-group-remoteunitbasic] sensor-path huawei-remote-unit-mng:remote-unit-mng/remote-unit-status/basic-data/device-datas/device-data
[HUAWEI-telemetry-sensor-group-remoteunitbasic-path] sensor-path huawei-remote-unit-mng:remote-unit-mng/remote-unit-status/basic-data/interfaces/interface
[HUAWEI-telemetry-sensor-group-remoteunitbasic-path] sensor-path huawei-remote-unit-mng:remote-unit-mng/remote-unit-status/basic-data/optical-modules/optical-module
[HUAWEI-telemetry-sensor-group-remoteunitbasic-path] quit
[HUAWEI-telemetry-sensor-group-remoteunitbasic] quit
//Configure the function of reporting performance metric data of remote units. In the actual configuration,
configure a sensor group for sampling performance metric data of remote units based on whether the
functions related to the remote units are used.
[HUAWEI-telemetry] sensor-group remoteunitdetail
[HUAWEI-telemetry-sensor-group-remoteunitdetail] sensor-path huawei-remote-unit-mng:remote-unit-mng/remote-unit-status/detail-data/device-datas/device-data
[HUAWEI-telemetry-sensor-group-remoteunitdetail-path] sensor-path huawei-remote-unit-mng:remote-unit-mng/remote-unit-status/detail-data/interfaces/interface
[HUAWEI-telemetry-sensor-group-remoteunitdetail-path] sensor-path huawei-remote-unit-mng:remote-unit-mng/remote-unit-status/detail-data/optical-modules/optical-module
[HUAWEI-telemetry-sensor-group-remoteunitdetail-path] quit
[HUAWEI-telemetry-sensor-group-remoteunitdetail] quit
[HUAWEI-telemetry] quit
[HUAWEI] interface 10GE1/0/4
[HUAWEI-10GE1/0/4] statistics ipv4 enable
[HUAWEI-10GE1/0/4] statistics ipv6 enable
[HUAWEI-10GE1/0/4] quit
//Enable IPv4 and IPv6 traffic statistics collection on 10GE1/0/4.
[HUAWEI] telemetry
[HUAWEI-telemetry] subscription subscriptiongroup
//Configure the source IP address for sending data using the gRPC protocol.
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group deviceandif sample-interval 60000
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group optical sample-interval 60000
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group boardgroup sample-interval 60000
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group powergroup sample-interval 60000
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group clientif sample-interval 60000
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group clientlg sample-interval 0
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group ipv4v6 sample-interval 60000
//Configure a destination group named destgroup.

[HUAWEI-telemetry-subscription-subscriptiongroup] destination-group destgroup
[HUAWEI-telemetry-subscription-subscriptiongroup] quit
//If a remote unit is used, create sampling sensor groups remoteunitbasic and remoteunitdetail to collect
remote unit information. You can run the display remote-unit command in the system view to check
whether a remote unit exists on the device.
[HUAWEI-telemetry] subscription remoteunitgroup
[HUAWEI-telemetry-subscription-remoteunitgroup] sensor-group remoteunitbasic sample-interval 0
[HUAWEI-telemetry-subscription-remoteunitgroup] sensor-group remoteunitdetail sample-interval 60000
//Configure a destination group named destgroup.
[HUAWEI-telemetry-subscription-remoteunitgroup] destination-group destgroup
[HUAWEI-telemetry-subscription-remoteunitgroup] quit
[HUAWEI-telemetry] quit
//Associate the sampling sensor groups deviceandif, optical, boardgroup, clientif, clientlg,
remoteunitbasic, and remoteunitdetail with the destination group destgroup for the subscription
subscriptiongroup.
//The collection interval is related to the precision of the collected data and the accuracy of data analysis.
The recommended value must be used. You are advised to set the interval for collecting user access logs to
0 and the intervals for collecting other information to 60,000 ms.
[HUAWEI] commit
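
The NOTE in Step 2 (add a sensor path to only one sensor group) and the subscription bindings above can be checked mechanically before commit, so that a log source such as AAA is neither sampled twice nor left out of every subscription. The following Python script is an added example, not part of the Huawei guide; the transcript is constructed, and the group name authlog, the finding labels and the exact-match comparison of filtered paths are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed transcript in this guide's prompt/command style, with PDF-style
# wrapped paths. Deliberate faults: "authlog" (hypothetical group) repeats a path
# of "clientlg" and samples it at 60000 ms; "clientif" is never subscribed.
SAMPLE = r'''
[HUAWEI-telemetry] sensor-group clientlg
[HUAWEI-telemetry-sensor-group-clientlg] sensor-path huawei-syslog:syslog/loginfos/loginfo[feature-
name="AAA"]
[HUAWEI-telemetry-sensor-group-clientlg-path] quit
[HUAWEI-telemetry-sensor-group-clientlg] quit
[HUAWEI-telemetry] sensor-group authlog
[HUAWEI-telemetry-sensor-group-authlog] sensor-path huawei-syslog:syslog/loginfos/loginfo[feature-name="AAA"]
[HUAWEI-telemetry-sensor-group-authlog-path] quit
[HUAWEI-telemetry-sensor-group-authlog] quit
[HUAWEI-telemetry] sensor-group clientif
//Constructed fault: this group is not bound to any subscription below.
[HUAWEI-telemetry-sensor-group-clientif] sensor-path huawei-aaa:aaa/access-user-qrys/access-user-
qry
[HUAWEI-telemetry-sensor-group-clientif-path] quit
[HUAWEI-telemetry-sensor-group-clientif] quit
[HUAWEI-telemetry] subscription subscriptiongroup
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group clientlg sample-interval 0
[HUAWEI-telemetry-subscription-subscriptiongroup] sensor-group authlog sample-interval 60000
[HUAWEI-telemetry-subscription-subscriptiongroup] destination-group destgroup
[HUAWEI-telemetry-subscription-subscriptiongroup] quit
'''

# A view prompt ("[...]" or "<...>") followed by the typed command.
PROMPT = re.compile(r'^(?:\[[^\]\s]+\]|<[^>\s]+>)\s+(.*)$')


def parse(transcript):
    """Return the typed commands, with wrapped lines rejoined and comments dropped."""
    lines = []
    for raw in transcript.splitlines():
        text = raw.strip()
        m = PROMPT.match(text)
        if m:
            lines.append(m.group(1))
        elif text.startswith("//"):
            lines.append(text)      # kept for now so wrapped comment text attaches here
        elif text and lines:
            lines[-1] += text       # continuation of a wrapped path (no space inside paths)
    return [l for l in lines if not l.startswith("//")]


def build(cmds):
    """Replay the commands and return (sensor groups -> paths, subscriptions)."""
    groups, subs = defaultdict(list), {}
    view, in_path = None, False
    for t in map(str.split, cmds):
        if t[0] == "sensor-group" and len(t) == 2:
            view, in_path = ("sg", t[1]), False
            groups[t[1]]                                # register even if it stays empty
        elif t[0] == "sensor-path" and len(t) == 2 and view and view[0] == "sg":
            groups[view[1]].append(t[1])
            in_path = True                              # the device enters the "-path" view
        elif t[0] == "subscription" and len(t) == 2:
            view = ("sub", t[1])
            subs.setdefault(t[1], {"groups": {}, "dest": []})
        elif t[0] == "sensor-group" and len(t) == 4 and view and view[0] == "sub":
            subs[view[1]]["groups"][t[1]] = int(t[3])   # sensor-group X sample-interval N
        elif t[0] == "destination-group" and len(t) == 2:
            if view and view[0] == "sub":
                subs[view[1]]["dest"].append(t[1])
            else:
                view = ("dg", t[1])
        elif t[0] == "quit":
            view, in_path = (view, False) if in_path else (None, False)
    return groups, subs


def audit(transcript):
    """Return findings as (kind, subject, related names)."""
    groups, subs = build(parse(transcript))
    findings, owners = [], defaultdict(set)
    for g, paths in groups.items():
        for p in paths:
            owners[p].add(g)
    for p, gs in sorted(owners.items()):
        if len(gs) > 1:                                 # the NOTE in Step 2
            findings.append(("duplicate-path", p, sorted(gs)))
    bound = {g for s in subs.values() for g in s["groups"]}
    for g in sorted(set(groups) - bound):
        findings.append(("unsubscribed-group", g, []))
    for name, s in sorted(subs.items()):
        for g in sorted(set(s["groups"]) - set(groups)):
            findings.append(("undefined-group", g, [name]))
        if not s["dest"]:
            findings.append(("no-destination", name, []))
        for g, interval in sorted(s["groups"].items()):
            is_log = any(p.startswith("huawei-syslog:") for p in groups.get(g, []))
            if is_log and interval != 0:                # logs are collected at interval 0
                findings.append(("log-interval-nonzero", g, [name]))
    return findings


if __name__ == "__main__":
    for kind, subject, related in audit(SAMPLE):
        print(f"{kind:22} {subject} {related}")
```

Paths that differ only in their filter, such as loginfo and loginfo[feature-name="AAA"], are treated as distinct here; tighten the comparison if the site policy counts them as the same sampling object.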

10.2.3.3 Configuring WACs and Fit APs


iMaster NCE-CampusInsight uses Telemetry technology to collect performance
metrics and logs of network devices and detects network exceptions based on real
service traffic.

This configuration enables devices to proactively report WLAN service performance
metric data to iMaster NCE-CampusInsight for analysis.

NOTE

● Data between iMaster NCE-CampusInsight and WACs or APs is collected at an interval
of 60 seconds by default. However, iMaster NCE-CampusInsight collects data of rogue
Wi-Fi devices at an interval of 300 seconds. For details, see the following configuration.
<WAC> system-view
[WAC] pki realm default
[WAC-pki-realm-default] certificate-check none
[WAC-pki-realm-default] quit
//Disable certificate revocation check.
[WAC] wmi-server
[WAC-wmi-server] server ip-address 172.31.31.32 port 27371
//172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight. The port number is
fixed at 27371.
[WAC-wmi-server] server backup ip-address 172.31.31.34 port 27371
//(Perform this step only in DR scenarios.) 172.31.31.34 is the southbound floating IP address of the
secondary iMaster NCE-CampusInsight node. The port number is fixed at 27371.
[WAC-wmi-server] collect-item device-data interval 60
[WAC-wmi-server] collect-item interface-data interval 60
[WAC-wmi-server] collect-item cpcar-data interval 60
[WAC-wmi-server] collect-item security-data interval 300
[WAC-wmi-server] quit
//Configure the interval for a WAC to collect and report performance metrics to iMaster NCE-CampusInsight.
[WAC] wlan
[WAC-wlan-view] wmi-server name test
//Create the WMI profile test.
[WAC-wlan-wmi-server-prof-test] server ip-address 172.31.31.32 port 27371
//In the profile test, configure the destination address and port number for the APs to report performance
metric data. 172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight, and the
port number is fixed at 27371.
[WAC-wlan-wmi-server-prof-test] server backup ip-address 172.31.31.34 port 27371
//(Perform this step only in DR scenarios.) 172.31.31.34 is the southbound floating IP address of the
secondary iMaster NCE-CampusInsight node. The port number is fixed at 27371.
[WAC-wlan-wmi-server-prof-test] report-interval 60
[WAC-wlan-wmi-server-prof-test] collect-item device-data interval 60
[WAC-wlan-wmi-server-prof-test] collect-item radio-data interval 60

[WAC-wlan-wmi-server-prof-test] collect-item ssid-data interval 60
[WAC-wlan-wmi-server-prof-test] collect-item terminal-data interval 60
[WAC-wlan-wmi-server-prof-test] collect-item non-wifi-data interval 60
[WAC-wlan-wmi-server-prof-test] collect-item interface-data interval 60
[WAC-wlan-wmi-server-prof-test] quit
//In the profile test, set the interval for collecting performance metrics of APs to 60 seconds.
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] radio 0
[WAC-wlan-group-radio-default/0] wids device detect enable
[WAC-wlan-group-radio-default/0] spectrum-analysis enable
[WAC-wlan-group-radio-default/0] channel-monitor enable
[WAC-wlan-group-radio-default/0] quit
[WAC-wlan-ap-group-default] radio 1
[WAC-wlan-group-radio-default/1] wids device detect enable
[WAC-wlan-group-radio-default/1] spectrum-analysis enable
[WAC-wlan-group-radio-default/1] channel-monitor enable
[WAC-wlan-group-radio-default/1] quit
[WAC-wlan-ap-group-default] quit
//Enable device detection on radios 0 and 1 in the AP group default.
//The autonavigation-roam-optimize enable command must not be run to enable the automatic navigation
roaming optimization function for the AP group. If this function is enabled, the monitoring of the status
of all channels that is enabled through the channel-monitor enable command does not take effect. As a
result, no data is displayed in the status monitoring chart for all channels on the spectrum analysis page
of iMaster NCE-CampusInsight.
[WAC-wlan-view] ap-system-profile name default
//Configure the AP system profile default. By default, the profile is bound to the AP group.
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
[WAC-wlan-ap-system-prof-default] quit
//Bind the WMI profile test to the AP system profile default and use index 2 as the fixed index to report
data to iMaster NCE-CampusInsight.
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] ap-system-profile default
//Bind the AP system profile to the AP group.

APs running V200R023C10 and later versions support energy consumption
analysis. To view energy consumption metrics in the network health view, log in to
the switch that supplies power to the APs and run the following commands:
Switches running V200:
<HUAWEI> system-view
[HUAWEI] interface MultiGE 0/0/1 //Switch's interface connected to an AP.
[HUAWEI-MultiGE0/0/1] lldp tlv-enable legacy-tlv actual-power

Switches running V600:


<HUAWEI> system-view
[HUAWEI] interface GE 0/0/1 //Switch's interface connected to an AP.
[HUAWEI-GE0/0/1] poe transmit actual-power enable

10.2.4 Configuring Packet Loss Visualization

10.2.4.1 Configuring Switches Running V600


iMaster NCE-CampusInsight collects packet loss information through the Packet
Event function on network devices to monitor and analyze network exceptions. If
packet loss occurs on a device, the device reports corresponding flow entries to
iMaster NCE-CampusInsight for analysis and display.


NOTE

● The Packet Event configuration on devices must be planned based on the network
requirements. The configuration here is for reference only.
● Only the S5700, S6700, S8700, and S16700 running V600R22C10 and later versions
support the Packet Event function. Before the configuration, ensure that the current
device model and version support the Packet Event function. For details, see the product
documentation of the corresponding device.
<HUAWEI> system-view
[HUAWEI] collector collect collect-id
//Create a flow table collector.
[HUAWEI-collect-1] source {ip | ipv6} source-ip-address export host {ip | ipv6} destip-address udp-port 30002 [ vpn-instance vpn-instance-name ]
//Set the destination address destip-address for receiving flow entries to the data collection IP address of
iMaster NCE-CampusInsight and source address source-ip-address to the IP address of the device interface.
The destination UDP port number is fixed at 30002. If the interface corresponding to source-ip-address is
bound to a VPN instance, vpn-instance vpn-instance-name must be specified, where vpn-instance-name
indicates the name of the VPN instance.
[HUAWEI-collect-1] quit
[HUAWEI] packet event monitor
[HUAWEI-packet-event-monitor] collector collect collect-id
//Associate the flow table collector with the Packet Event packet monitoring view.
[HUAWEI-packet-event-monitor] capture drop-event
[HUAWEI-packet-event-monitor-drop-event] capture drop-packet forward-exception enable
//Enable the packet loss visualization function for packets discarded due to a forwarding exception.
[HUAWEI-packet-event-monitor-drop-event] capture drop-packet forward-normal enable
//Enable the packet loss visualization function for packets discarded due to specified packet discarding rules.
[HUAWEI-packet-event-monitor-drop-event] capture drop-packet buffer-overflow enable
//Enable the packet loss visualization function for packets discarded due to buffer congestion.
[HUAWEI-packet-event-monitor-drop-event] capture drop-packet acl-deny enable
//Enable the packet loss visualization function for packets discarded due to the deny action in an ACL rule.
[HUAWEI-packet-event-monitor-drop-event] quit
[HUAWEI-packet-event-monitor] export interval 10
//Set the interval at which flow entries are reported to iMaster NCE-CampusInsight to 10s. In the actual
configuration, you need to perform the configuration based on the network maintenance experience. The
configuration here is for reference only.
[HUAWEI-packet-event-monitor] capture drop-event
[HUAWEI-packet-event-monitor-drop-event] aging-time 15
//Set the aging time of packet loss visualization flow entries to 15s. In the actual configuration, you need to
perform the configuration based on the network maintenance experience. The configuration here is for
reference only.
[HUAWEI-packet-event-monitor-drop-event] quit
[HUAWEI-packet-event-monitor] quit
[HUAWEI] quit

10.2.5 Configuring Wireless Location Data Reporting


10.2.5.1 Configuring WACs and Fit APs


NOTE

● The function of reporting wireless location data is available only when the license of the
value-added package for wireless location has been purchased and the basic wireless
location feature has been installed. To check whether the license of the value-added
package for wireless location has been purchased, choose System > System Settings >
License Management from the main menu and click the Resource Control Item
Consumption tab.
● To use the terminal location function to locate rogue terminals and APs, you need to
enable the WIDS function on APs.
● Wireless location data can be reported through HTTP/2 and UDP. HTTP/2 is
recommended. UDP is an insecure protocol and therefore is not recommended.
By default, HTTP/2 is enabled and UDP is disabled. To use UDP for reporting wireless
location data, log in to the management plane of iMaster NCE-CampusInsight, and
choose Product > Software Management > Deploy Product Software from the main
menu. Select Modify Configurations from the More drop-down list box. On the page
that is displayed, set RTLS_UDP_Enable to true.
● Only APs and WACs running V200R020C10 or later can report terminal location data
through HTTP/2.
<WAC> system-view
[WAC] wlan
[WAC-wlan-view] air-scan-profile name default
//Create the air scan profile default. By default, the profile already exists in the system.
[WAC-wlan-air-scan-prof-default] scan-period 100
//Set the air scan period. The recommended value is 100 ms.
[WAC-wlan-air-scan-prof-default] scan-interval 2000
//Set the air scan interval. The recommended value is 2000 ms.
[WAC-wlan-air-scan-prof-default] quit
[WAC-wlan-view] radio-2g-profile name wlan-radio-2g
[WAC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile default
[WAC-wlan-radio-2g-prof-wlan-radio-2g] quit
[WAC-wlan-view] radio-5g-profile name wlan-radio-5g
[WAC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile default
[WAC-wlan-radio-5g-prof-wlan-radio-5g] quit
//Create a radio profile and bind the air scan profile to the radio profile.
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] radio-2g-profile wlan-radio-2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[WAC-wlan-ap-group-default] radio-5g-profile wlan-radio-5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[WAC-wlan-ap-group-default] quit
//Bind the radio profile to an AP group.
[WAC-wlan-view] location-profile name default
//Create the location profile default.
[WAC-wlan-location-prof-default] collect-location-data enable
//Enable the terminal location data reporting function on the APs.
[WAC-wlan-location-prof-default] quit
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] location-profile default radio all
//Bind the location profile default to the AP group.
[WAC-wlan-ap-group-default] quit
[WAC-wlan-view] wmi-server name test
//Create the WMI profile test.
[WAC-wlan-wmi-server-prof-test] server ip-address 172.31.31.32 port 27371
//In the profile test, configure the destination address and port number for the APs to report terminal
location data. 172.31.31.32 is the southbound floating IP address of iMaster NCE-CampusInsight. The port
number is fixed at 27371.
[WAC-wlan-wmi-server-prof-test] server backup ip-address 172.31.31.34 port 27371
//(Perform this step only in DR scenarios.) 172.31.31.34 is the southbound floating IP address of the
secondary iMaster NCE-CampusInsight node. The port number is fixed at 27371.
[WAC-wlan-wmi-server-prof-test] collect-item location-data interval 3
//Set the interval at which the APs report terminal location data to 3s.
[WAC-wlan-view] ap-system-profile name default
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
[WAC-wlan-ap-system-prof-default] quit
//Bind the WMI profile test to the AP system profile default and use index 2 as the fixed index to report
data to iMaster NCE-CampusInsight.
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] ap-system-profile default
//Bind the AP system profile to the AP group.
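
The following check is an added example, not part of the Huawei guide or of any Huawei tool. It reads a saved WAC session in the transcript format used above and verifies that every WMI profile reports only to an expected iMaster NCE-CampusInsight southbound address on port 27371 and is bound with index 2. The names audit_wmi and commands, the collector allowlist, and the sample transcript are assumptions constructed for this example.

```python
import re

# Constructed sample in the transcript format used in this guide (prompt,
# command, // comment lines). It is not output captured from a real device.
SAMPLE = """\
<WAC> system-view
[WAC] wlan
[WAC-wlan-view] wmi-server name test
//Create the WMI profile test.
[WAC-wlan-wmi-server-prof-test] server ip-address 172.31.31.32 port 27371
[WAC-wlan-wmi-server-prof-test] server backup ip-address 172.31.31.34 port 27371
[WAC-wlan-wmi-server-prof-test] collect-item location-data interval 3
[WAC-wlan-view] ap-system-profile name default
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
[WAC-wlan-ap-system-prof-default] quit
"""

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.+)$")
SERVER = re.compile(r"^server (backup )?ip-address (\S+) port (\d+)$")
BIND = re.compile(r"^wmi-server (\S+) index (\d+)$")
WMI_VIEW = re.compile(r"-wlan-wmi-server-prof-(.+)$")
SYS_VIEW = re.compile(r"-wlan-ap-system-prof-(.+)$")


def commands(transcript):
    """Yield (view, command) pairs; // comments and device output are skipped."""
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def audit_wmi(transcript, collectors, port=27371, index=2):
    """Return findings for a complete session whose WMI reporting is unexpected."""
    servers, bindings = {}, {}
    for view, cmd in commands(transcript):
        # The prompt tells us which profile view the command was typed in.
        wmi, sysprof = WMI_VIEW.search(view), SYS_VIEW.search(view)
        srv, bind = SERVER.match(cmd), BIND.match(cmd)
        if wmi and srv:
            role = "backup" if srv.group(1) else "primary"
            servers.setdefault(wmi.group(1), []).append(
                (role, srv.group(2), int(srv.group(3))))
        elif sysprof and bind:
            bindings[sysprof.group(1)] = (bind.group(1), int(bind.group(2)))

    findings = []
    for profile, entries in servers.items():
        for role, ip, dport in entries:
            if ip not in collectors:
                findings.append(
                    f"{profile}: {role} server {ip} is not an expected collector")
            if dport != port:
                findings.append(
                    f"{profile}: {role} server uses port {dport}, expected {port}")
        if not any(role == "primary" for role, _, _ in entries):
            findings.append(f"{profile}: backup server configured without a primary")
    for sysprof, (profile, idx) in bindings.items():
        if profile not in servers:
            findings.append(
                f"{sysprof}: bound WMI profile {profile} has no server configured")
        if idx != index:
            findings.append(
                f"{sysprof}: WMI profile {profile} bound with index {idx}, expected {index}")
    return findings


if __name__ == "__main__":
    expected = {"172.31.31.32", "172.31.31.34"}
    for finding in audit_wmi(SAMPLE, expected) or ["no findings"]:
        print(finding)
```

Terminal location records leave the APs for whatever address the WMI profile names, so a destination outside the allowlist is worth investigating before the profile is bound to an AP group.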

10.2.6 Configuring DNS Data Reporting

10.2.6.1 Configuring WACs and Fit APs


You can enable DNS and configure the interval for a WAC to collect and report
DNS performance metrics to iMaster NCE-CampusInsight. DNS performance
metrics are used to display the DNS statistics about users during user journey.
ARP packets are used to display the switch interface to which users are connected
during user journey. DHCP packets are used to display the protocol interaction
process in the DHCP phase of users during protocol tracing and display the time
required for DHCP during user journey.

NOTE

Only APs and WACs running V200R020C10 or later can report DNS data through HTTP/2.
[WAC] interface vlanif 100
[WAC-Vlanif100] dhcp server dns-list 10.6.4.66
//Set the IP address of the DNS server to 10.6.4.66 for the interface address pool on VLANIF 100. 10.6.4.66
is used only as an example. Change it to the actual IP address of the DNS server.
[WAC-Vlanif100] wlan
[WAC-wlan-view] wmi-server name test
//Create the WMI profile test.
[WAC-wlan-wmi-server-prof-test] collect-item dns-data enable
[WAC-wlan-wmi-server-prof-test] collect-item dns-data interval 60
//In the profile test, set the interval for collecting DNS performance metrics to 60 seconds.
[WAC-wlan-wmi-server-prof-test] wlan
[WAC-wlan-view] vap-profile name wlan-vap
[WAC-wlan-vap-prof-wlan-vap] dns-snooping enable
//Enable DNS snooping in the VAP profile. By default, DNS snooping is disabled.
[WAC-wlan-vap-prof-wlan-vap] quit
[WAC-wlan-view] ap-system-profile name default
//Configure the AP system profile default. By default, the profile is bound to the AP group.
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
//Bind the WMI profile test to the AP system profile default. In this case, the index must be set to index 2.

10.2.7 Configuring Radio Calibration

10.2.7.1 Configuring WACs and Fit APs

Configuring Intelligent Radio Calibration


<WAC> system-view
[WAC] wlan
[WAC-wlan-view] calibrate enable schedule time 02:00:00
//Enable automatic radio calibration globally and set a proper calibration time based on site requirements.
You are advised to set the time to early in the morning.
[WAC-wlan-view] undo calibrate reference data-analysis
//Enable big data calibration on the WAC.
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] radio 0
[WAC-wlan-group-radio-default/0] calibrate auto-txpower-select enable
[WAC-wlan-group-radio-default/0] calibrate auto-channel-select enable
[WAC-wlan-group-radio-default/0] calibrate auto-bandwidth-select enable
[WAC-wlan-group-radio-default/0] quit
[WAC-wlan-ap-group-default] radio 1
[WAC-wlan-group-radio-default/1] calibrate auto-txpower-select enable
[WAC-wlan-group-radio-default/1] calibrate auto-channel-select enable
[WAC-wlan-group-radio-default/1] calibrate auto-bandwidth-select enable
[WAC-wlan-group-radio-default/1] quit
[WAC-wlan-ap-group-default] quit
//Enable the function of selecting transmit power, channel, and bandwidth on radios 0 and 1 in the AP
group default.

Configuring AI Roaming
NOTE

The AirEngine 6760-X1, AirEngine 6760-X1E, and AirEngine 5760-51 can switch to the
dual-radio + independent scanning mode only after an RTU license is loaded.
<WAC> system-view
[WAC] wlan
[WAC-wlan-view] ap-system-profile name default
//Create an AP system profile and enter its view.
[WAC-wlan-ap-system-prof-default] radio-mode 2radio-independent-scan
[WAC-wlan-ap-system-prof-default] quit
//Enable the dual-radio + independent radio scanning mode. Switching the radio mode will cause an AP to
restart.
[WAC-wlan-view] sta-profiling enable
//Enable the terminal profiling function.
[WAC-wlan-view] rrm-profile name wlan-rrm01
//Create an RRM profile and enter its view.
[WAC-wlan-rrm-prof-wlan-rrm01] smart-roam ai-mode
[WAC-wlan-rrm-prof-wlan-rrm01] quit
//Enable AI-powered proactive roaming.
[WAC-wlan-view] radio-5g-profile name radio01
//Create a 5G radio profile and enter its view.
[WAC-wlan-radio-5g-prof-radio01] rrm-profile wlan-rrm01
[WAC-wlan-radio-5g-prof-radio01] quit
[WAC-wlan-view] quit
//Bind the RRM profile to the 5G radio profile.

10.2.8 Configuring Spectrum Analysis Data Reporting

10.2.8.1 Configuring WACs and Fit APs


NOTE

APs running V200R023C00SPC100 and later versions can report spectrum analysis data.
<WAC> system-view
[WAC] wlan
[WAC-wlan-view] ap-id 1
[WAC-wlan-ap-1] radio 0
[WAC-wlan-radio-1/0] spectrum-analysis enable
[WAC-wlan-radio-1/0] quit
[WAC-wlan-ap-1] radio 1
[WAC-wlan-radio-1/1] spectrum-analysis enable
//Enable spectrum analysis on radios 0 and 1 of AP 1.
<WAC> system-view
[WAC] wlan
//Configure parameters for APs to communicate with iMaster NCE-CampusInsight. 172.31.31.32 is the
southbound floating IP address of iMaster NCE-CampusInsight. The port number is fixed at 27371.
[WAC-wlan-view] wmi-server name test
[WAC-wlan-wmi-server-prof-test] server ip-address 172.31.31.32 port 27371
//Enable the function of reporting spectrum analysis data.
[WAC-wlan-wmi-server-prof-test] collect-item spectrum-data enable
[WAC-wlan-wmi-server-prof-test] quit
//Bind the WMI profile to the AP group default through an AP system profile.
[WAC-wlan-view] ap-system-profile name default
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
[WAC-wlan-ap-system-prof-default] quit
[WAC-wlan-view] ap-group name default
[WAC-wlan-ap-group-default] ap-system-profile default

10.2.9 Configuring Application Data Reporting

10.2.9.1 Configuring Switches Running V200


You can configure switches to collect traffic statistics on a specified application
and report the statistics to iMaster NCE-CampusInsight for visualized display.

NOTE

You need to perform the configuration on required access switches.


<HUAWEI> system-view
[HUAWEI] assign resource-mode sac
[HUAWEI] quit
<HUAWEI> save
<HUAWEI> reboot
//Change the resource allocation mode of the switch to sac. After the resource allocation mode is changed,
you need to save the configuration and restart the switch for the configuration to take effect.
<HUAWEI> system-view
[HUAWEI] defence engine enable
//Enable the Intelligent Awareness Engine (IAE) and load the application signature database. By default,
the IAE is disabled.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] service-awareness enable
[HUAWEI-GigabitEthernet1/0/1] quit
//Enable service awareness (SA) on GE1/0/1, which is the interface that connects to terminals. This function
can be enabled only on the interface that connects an access switch to a terminal.
[HUAWEI] ip netstream record app-report
[HUAWEI-record-app-report] match ip source-address
[HUAWEI-record-app-report] match ip destination-address
[HUAWEI-record-app-report] match ip source-port
[HUAWEI-record-app-report] match ip destination-port
[HUAWEI-record-app-report] match ip protocol
[HUAWEI-record-app-report] collect counter packets
[HUAWEI-record-app-report] collect counter bytes
[HUAWEI-record-app-report] collect interface input
[HUAWEI-record-app-report] collect interface output
[HUAWEI-record-app-report] quit
//Configure the NetStream flexible flow statistics template app-report to collect information such as the
5-tuple, number of packets, number of bytes, and inbound/outbound interface indexes.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip netstream inbound
[HUAWEI-GigabitEthernet1/0/1] ip netstream outbound
[HUAWEI-GigabitEthernet1/0/1] ip netstream sampler fix-packets 199 inbound
[HUAWEI-GigabitEthernet1/0/1] ip netstream sampler fix-packets 199 outbound
[HUAWEI-GigabitEthernet1/0/1] port ip netstream record app-report
[HUAWEI-GigabitEthernet1/0/1] quit
//Enable traffic statistics collection in the inbound and outbound directions of GE1/0/1, set the sampling
ratio to 199:1, and apply the NetStream flexible flow statistics template to GE1/0/1. A NetStream flexible
flow statistics template must be applied to an SA-enabled interface.
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item application-statistics-data enable
//Configure the device to periodically report application traffic statistics to iMaster NCE-CampusInsight.

Configuring Poor-QoE Monitoring Result Reporting


<HUAWEI> system-view
[HUAWEI] sea
[HUAWEI-sea] monitor application name welink_meeting
......
//Configure the names of applications for which application-based poor-QoE monitoring is performed, for
example, welink_meeting.
[HUAWEI-sea] monitor application period 60
[HUAWEI-sea] quit
//Set the interval for application-based poor-QoE monitoring to 60 seconds.
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item media-quality enable
//Configure the device to periodically report application-based poor-QoE monitoring results to
iMaster NCE-CampusInsight.

10.2.9.2 Configuring Switches Running V600


NOTE

On wired networks, only the S8700-6 equipped with SRUEX1 series and the S8700-10
equipped with SRUFX1 series support application-based IFIT measurement.
Before configuring application-based packet loss and delay measurement result reporting,
ensure that application-based traffic statistics reporting has been configured.
For details, see 10.2.10 Configuring Packet Loss and Delay Measurement Result
Reporting.

10.2.9.3 Configuring WACs and Fit APs

Configuring Application-based Traffic Statistics Reporting


In the following example, you can configure APs to collect traffic statistics on a
specified application and report the statistics to iMaster NCE-CampusInsight for
visualized display.

NOTE

● You can configure a WAC to collect traffic statistics on a specified application and report
the statistics to iMaster NCE-CampusInsight for visualized display (only in tunnel
forwarding scenarios).
● After application-based traffic statistics reporting is enabled on a WAC, the forwarding
performance of the WAC will deteriorate by about 20%. Therefore, you are advised to
enable application-based traffic statistics reporting on APs.
● The number of applications that can be identified using the application signature
database for APs is fewer than that for WACs. For details, see Service Awareness.
<WAC> system-view
[WAC] defence engine enable
//Enable the security engine on the WAC.
[WAC] defence engine enable ap-group name name
//Enable the security engine for APs in the AP group name.
[WAC] wlan
[WAC-wlan-view] sac-profile name wlan-sac
[WAC-wlan-sac-prof-wlan-sac] vap-protocol-statistic enable
[WAC-wlan-sac-prof-wlan-sac] user-protocol-statistic enable
[WAC-wlan-sac-prof-wlan-sac] quit
//Create the SAC profile wlan-sac and enable the SAC statistics collection function (collecting VAP protocol
statistics and user protocol statistics).
[WAC-wlan-view] vap-profile name wlan-vap
[WAC-wlan-vap-prof-wlan-vap] sac-profile wlan-sac
[WAC-wlan-vap-prof-wlan-vap] quit
//Bind the SAC profile wlan-sac to the VAP profile wlan-vap to make the configured policy take effect.
[WAC-wlan-view] wmi-server name test
[WAC-wlan-wmi-server-prof-test] undo collect-item application-statistics-data
[WAC-wlan-wmi-server-prof-test] collect-item application-statistics-data interval 300
[WAC-wlan-wmi-server-prof-test] quit
//Enable APs to report application-based traffic statistics at an interval of 300 seconds.
[WAC-wlan-view] ap-system-profile name default
//Configure the AP system profile default. By default, the profile is bound to the AP group.
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
//Bind the WMI profile test to the AP system profile default.

Configuring Poor-QoE Monitoring Result Reporting


You can configure APs to implement application-based poor-QoE monitoring and
report the application-based poor-QoE monitoring results to
iMaster NCE-CampusInsight for visualized display.

NOTE

Before configuring the function of reporting poor-QoE monitoring results, ensure that SAC
has been configured.
The SAC configuration roadmap is as follows:
1. Enable the security engine.
2. Create an SAC profile and bind it to a VAP profile.
For details, see Configuring Application-based Traffic Statistics Reporting.
<WAC> system-view
[WAC] defence engine enable ap-group name name
//Enable the security engine for APs in the AP group name.
[WAC] wlan
[WAC-wlan-view] vap-profile name wlan-vap
[WAC-wlan-vap-prof-wlan-vap] service-experience-analysis monitor application espace_voip
......
[WAC-wlan-vap-prof-wlan-vap] quit
//Configure an application to be monitored based on service experience analysis (SEA), for example,
espace_voip (eSpace).
//Enable APs to report application-based poor-QoE monitoring results at an interval of 60 seconds.
[WAC-wlan-view] ap-system-profile name default
//Configure the AP system profile default. By default, the profile is bound to the AP group.
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
//Bind the WMI profile test to the AP system profile default.

10.2.10 Configuring Packet Loss and Delay Measurement Result Reporting

NOTE

Before configuring application-based packet loss and delay measurement result reporting,
ensure that application-based traffic statistics reporting has been configured.

This section uses the following networking as an example to describe how to
configure iPCA 2.0 based on applications to monitor packet loss and delay on a
network in real time. In the actual situation, you need to perform the
configuration based on the networking requirements. The configuration here is for
reference only.

Measurement points are classified into in-point, mid-point, and out-point based
on the packet forwarding direction. Different interfaces on a device can function
as different measurement points.
● In-point: indicates the ingress measurement point of a measurement flow. An
in-point colors a measurement flow.
● Mid-point: indicates a transit measurement point of a measurement flow. A
mid-point does not color a measurement flow or remove the color bit from it.
● Out-point: indicates the egress measurement point of a measurement flow.
An out-point removes the color bit from a measurement flow.

NOTICE

1. Before configuring a measurement point, determine the packet forwarding
path of the measurement flow.
2. After a measurement flow is colored, the color bit must be removed from the
colored measurement flow.
If the destination device of the measurement flow is a Huawei device, you are
advised to enable the function of removing the color bit from the measurement
flow on the device.
If the destination device of the measurement flow is a non-Huawei device, you
are advised to enable the function of removing the color bit from the
measurement flow on the last-hop Huawei device through which the
measurement flow passes.

1. Configure WACs and Fit APs.


<WAC> system-view
[WAC] s-ipfpm measure interval 60
//Set the iPCA 2.0 measurement interval to 60 seconds.
[WAC] wlan
[WAC-wlan-view] vap-profile name wlan-vap
[WAC-wlan-vap-prof-wlan-vap] s-ipfpm measure application welink_meeting
......
[WAC-wlan-vap-prof-wlan-vap] quit
[WAC-wlan-view] quit
//When an AP functions as the in-point, enable iPCA 2.0 in the AP's VAP profile wlan-vap by
application name, for example, welink_meeting.
[WAC] wmi-server
[WAC-wmi-server] undo collect-item s-ipfpm-data
[WAC-wmi-server] quit
//Enable the WAC to periodically report measurement results to iMaster NCE-CampusInsight.
[WAC] wlan
[WAC-wlan-view] wmi-server name test
[WAC-wlan-wmi-server-prof-test] undo collect-item s-ipfpm-data disable
[WAC-wlan-wmi-server-prof-test] quit
//Enable the AP to periodically report measurement results to iMaster NCE-CampusInsight.
[WAC-wlan-view] ap-system-profile name default
//Configure the AP system profile default. By default, the profile is bound to the AP group.
[WAC-wlan-ap-system-prof-default] wmi-server test index 2
//Bind the WMI profile test to the AP system profile default.

NOTE

This configuration applies to the scenario where STA service traffic is directly forwarded and
the IP address pool is not on the WAC. That is, STA service traffic does not pass through the
WAC. If STA service traffic passes through the WAC, you need to configure iPCA 2.0 on the
WAC. For details, see Application Scenarios for iPCA 2.0 and Configuring
Application-based iPCA 2.0 to Implement Network Packet Loss and Delay Measurement.

2. Configure access switches ACC01 and ACC02 connecting to wireless APs.


<HUAWEI> system-view
[HUAWEI] assign resource-mode enhanced-sipfpm
[HUAWEI] quit
<HUAWEI> save
<HUAWEI> reboot
//Change the resource allocation mode of the switch to enhanced-sipfpm. After the resource
allocation mode is changed, you need to save the configuration and restart the switch for the
configuration to take effect.
<HUAWEI> system-view
[HUAWEI] s-ipfpm measure interval 60
//Set the packet loss and delay measurement interval to 60 seconds on the access switch.
[HUAWEI] s-ipfpm report-loss-reason enable
//Enable the function of reporting the packet loss cause.
//Only the S5731-H, S5731-H-K, S5731-S, S5731S-H, S5731S-S, S5732-H, S5732-H-K, S6730-H,
S6730-H-K, S6730S-H, S6730-S, and S6730S-S support this command.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] s-ipfpm measure auto-detect mid-point ingress bidirectional
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 2/0/1
[HUAWEI-GigabitEthernet2/0/1] s-ipfpm measure auto-detect mid-point ingress bidirectional
[HUAWEI-GigabitEthernet2/0/1] quit
[HUAWEI] interface Xgigabitethernet 1/0/4
[HUAWEI-XGigabitEthernet1/0/4] s-ipfpm measure auto-detect mid-point egress bidirectional
[HUAWEI-XGigabitEthernet1/0/4] quit
[HUAWEI] interface Xgigabitethernet 2/0/4
[HUAWEI-XGigabitEthernet2/0/4] s-ipfpm measure auto-detect mid-point egress bidirectional
[HUAWEI-XGigabitEthernet2/0/4] quit
//Enable the measurement function on interfaces. After this function is enabled, the interfaces can
automatically detect the measurement flow bound to the in-point without the need of binding the
measurement flow to the interfaces. All the interfaces connected to APs are ingress interfaces, and
the interfaces connected to upstream aggregation switches are egress interfaces.
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item sipfpm-data enable
[HUAWEI-smi-server] quit
//Enable access switches to periodically report measurement results to iMaster NCE-CampusInsight.

3. Configure access switch ACC3 connecting to wired terminals.


<HUAWEI> system-view
[HUAWEI] s-ipfpm measure interval 60
//Set the packet loss and delay measurement interval to 60 seconds on the access switch.
[HUAWEI] s-ipfpm report-loss-reason enable
//Enable the function of reporting the packet loss cause.
//Only the S5731-H, S5731-H-K, S5731-S, S5731S-H, S5731S-S, S5732-H, S5732-H-K, S6730-H,
S6730-H-K, S6730S-H, S6730-S, and S6730S-S support this command.
[HUAWEI] s-ipfpm flow 1000 application welink_meeting
//On the access switch, configure a measurement flow and specify the name of the application based
on which packet loss and delay measurement results are reported, for example, welink_meeting.
[HUAWEI] interface 25GE0/0/3
[HUAWEI-25GE0/0/3] s-ipfpm measure flow 1000 in-point egress bidirectional
[HUAWEI-25GE0/0/3] quit
//Bind the measurement flow to the interface specified as an in-point and enable the measurement
function on the interface.
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item sipfpm-data enable
[HUAWEI-smi-server] quit
//Enable the access switch to periodically report measurement results to iMaster NCE-CampusInsight.

NOTE

Access switches running V600 do not support application identification. Therefore, wired
access switches running V200 and later versions as described in Licensing Requirements
and Limitations for SAC must be used. On wired networks, only the S8700-6 equipped
with SRUEX1 series and the S8700-10 equipped with SRUFX1 series support
application-based IFIT measurement. Application identification can be enabled on the S8700-6
functioning as the core or aggregation switch through reverse flow creation and the
S8700-6 is configured as an in-point. Bidirectional flow measurement can be enabled on
the access switch running V600 functioning as the out-point. For details, see Configuring
Application-based Packet Loss and Delay Measurement Result Reporting.

4. Configure aggregation switches AGG01 and AGG02 running V200 and later
versions.
<HUAWEI> system-view
[HUAWEI] assign resource-mode enhanced-sipfpm
[HUAWEI] quit
<HUAWEI> save
<HUAWEI> reboot
//Change the resource allocation mode of the switch to enhanced-sipfpm. After the resource
allocation mode is changed, you need to save the configuration and restart the switch for the
configuration to take effect.
<HUAWEI> system-view
[HUAWEI] s-ipfpm measure interval 60
//On aggregation switches, set the packet loss and delay measurement interval to 60 seconds.
[HUAWEI] s-ipfpm report-loss-reason enable
//Enable the function of reporting the packet loss cause.
//Only the S5731-H, S5731-H-K, S5731-S, S5731S-H, S5731S-S, S5732-H, S5732-H-K, S6730-H,
S6730-H-K, S6730S-H, S6730-S, and S6730S-S support this command.
[HUAWEI] interface Xgigabitethernet 3/0/4
[HUAWEI-XGigabitEthernet3/0/4] s-ipfpm measure auto-detect mid-point ingress bidirectional
[HUAWEI-XGigabitEthernet3/0/4] quit
//Configure this command on all interfaces connected to access switches, such as XGE3/0/4,
XGE4/0/4, and XGE4/0/7. XGE3/0/4 is used as an example.
[HUAWEI] interface Xgigabitethernet 3/0/5
[HUAWEI-XGigabitEthernet3/0/5] s-ipfpm measure auto-detect mid-point egress bidirectional
//Enable the measurement function on interfaces. After this function is enabled, the interfaces can
automatically detect the measurement flow bound to the in-point without the need of binding the
measurement flow to the interfaces. You need to configure this function on all interfaces connected
to core switches, such as XGE3/0/5, XGE3/0/6, XGE4/0/5, and XGE4/0/6. XGE3/0/5 is used as an
example.
[HUAWEI-XGigabitEthernet3/0/5] quit
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item sipfpm-data enable
[HUAWEI-smi-server] quit
//Enable aggregation switches to periodically report measurement results to
iMaster NCE-CampusInsight.

5. Configure aggregation switches AGG01 and AGG02 running V600 and later
versions.
<HUAWEI> system-view
[HUAWEI] system resource large-flow
[HUAWEI] quit
<HUAWEI> save
<HUAWEI> reboot
//Change the resource allocation mode of the switch to large-flow. After the resource allocation
mode is changed, you need to save the configuration and restart the switch for the configuration to
take effect.
<HUAWEI> system-view
[HUAWEI] ifit
[HUAWEI-ifit] flow-learning native-ip
[HUAWEI-ifit-native-ip] report-loss-reason enable
//Enable the function of reporting the packet loss cause on aggregation switches.
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 3/0/4 transit-input bidirectional
//Configure this command on all interfaces connected to access switches, such as XGE3/0/4,
XGE4/0/4, and XGE4/0/7. XGE3/0/4 is used as an example.
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 3/0/5 transit-output bidirectional
//Bind native IP flow learning to a specified interface on an aggregation switch. Enable the
measurement function on interfaces. After this function is enabled, the interfaces can automatically
detect the measurement flow bound to the in-point without the need of binding the measurement
flow to the interfaces. You need to configure this function on all interfaces connected to core
switches, such as XGE3/0/5, XGE3/0/6, XGE4/0/5, and XGE4/0/6. XGE3/0/5 is used as an example.
[HUAWEI-ifit-native-ip] quit
[HUAWEI-ifit] quit
[HUAWEI] telemetry
[HUAWEI-telemetry] sensor-group test
[HUAWEI-telemetry-sensor-group-test] sensor-path huawei-ifit:ifit/huawei-ifit-statistics:flow-native-ip-statistics/flow-native-ip-statistic
//Configure aggregation switches to report statistics to iMaster NCE-CampusInsight through Telemetry.
[HUAWEI-telemetry-sensor-group-test] quit
[HUAWEI-telemetry] destination-group test
[HUAWEI-telemetry-destination-group-test] ipv4-address 172.31.31.32 port 10001 protocol grpc
[HUAWEI-telemetry-destination-group-test] quit
[HUAWEI-telemetry] subscription test
[HUAWEI-telemetry-subscription-test] sensor-group test
[HUAWEI-telemetry-subscription-test] destination-group test

6. Configure core switches CORE01 and CORE02 running V200.


<HUAWEI> system-view
[HUAWEI] assign resource-mode enhanced-sipfpm
[HUAWEI] quit
<HUAWEI> save
<HUAWEI> reboot
//Change the resource allocation mode of the switch to enhanced-sipfpm. After the resource
allocation mode is changed, you need to save the configuration and restart the switch for the
configuration to take effect.
<HUAWEI> system-view
[HUAWEI] s-ipfpm measure interval 60
//Set the packet loss and delay measurement interval to 60 seconds on the switches.
[HUAWEI] s-ipfpm report-loss-reason enable
//Enable the function of reporting the packet loss cause.
//Only the S5731-H, S5731-H-K, S5731-S, S5731S-H, S5731S-S, S5732-H, S5732-H-K, S6730-H,
S6730-H-K, S6730S-H, S6730-S, and S6730S-S support this command.
[HUAWEI] interface Xgigabitethernet 5/0/5
[HUAWEI-XGigabitEthernet5/0/5] s-ipfpm measure auto-detect mid-point ingress bidirectional
[HUAWEI-XGigabitEthernet5/0/5] quit
//Configure this command on all interfaces connected to aggregation switches, such as XGE5/0/5,
XGE5/0/6, XGE6/0/5, and XGE6/0/6. XGE5/0/5 is used as an example.
[HUAWEI] interface Xgigabitethernet 5/0/8
[HUAWEI-XGigabitEthernet5/0/8] s-ipfpm measure auto-detect out-point egress bidirectional
[HUAWEI-XGigabitEthernet5/0/8] quit
//Enable the measurement function on interfaces. After this function is enabled, the interfaces can
automatically detect the measurement flow bound to the in-point without the need of binding the
measurement flow to the interfaces. You need to configure this function on all uplink interfaces, such
as XGE5/0/8, XGE5/0/9, XGE6/0/8, and XGE6/0/9. XGE5/0/8 is used as an example.
<HUAWEI> system-view
[HUAWEI] smi-server
[HUAWEI-smi-server] collect-item sipfpm-data enable
[HUAWEI-smi-server] quit
//Enable the switches to periodically report measurement results to iMaster NCE-CampusInsight.

7. Configure core switches CORE01 and CORE02 running V600.


<HUAWEI> system-view
[HUAWEI] system resource large-flow
[HUAWEI] quit
<HUAWEI> save
<HUAWEI> reboot
//Change the resource allocation mode of the switch to large-flow. After the resource allocation
mode is changed, you need to save the configuration and restart the switch for the configuration to
take effect.
<HUAWEI> system-view
[HUAWEI] ifit
[HUAWEI-ifit] flow-learning native-ip
[HUAWEI-ifit-native-ip] report-loss-reason enable
//Enable the function of reporting the packet loss cause on core switches.
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 5/0/5 transit-input bidirectional
//Bind native IP flow learning to a specified interface on a core switch. Configure this function on all
interfaces connected to aggregation switches, such as XGE5/0/5, XGE5/0/6, XGE6/0/5, and XGE6/0/6.
XGE5/0/5 is used as an example.
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 5/0/8 egress bidirectional
//Enable the measurement function on interfaces. After this function is enabled, the interfaces can
automatically detect the measurement flow bound to the in-point without the need of binding the
measurement flow to the interfaces. You need to configure this function on all uplink interfaces, such
as XGE5/0/8, XGE5/0/9, XGE6/0/8, and XGE6/0/9. XGE5/0/8 is used as an example.
[HUAWEI-ifit-native-ip] quit
[HUAWEI-ifit] quit
[HUAWEI] telemetry
[HUAWEI-telemetry] sensor-group test
[HUAWEI-telemetry-sensor-group-test] sensor-path huawei-ifit:ifit/huawei-ifit-statistics:flow-native-ip-statistics/flow-native-ip-statistic
//Configure core switches to report statistics to iMaster NCE-CampusInsight through Telemetry.
[HUAWEI-telemetry-sensor-group-test] quit
[HUAWEI-telemetry] destination-group test
[HUAWEI-telemetry-destination-group-test] ipv4-address 172.31.31.32 port 10001 protocol grpc
[HUAWEI-telemetry-destination-group-test] quit
[HUAWEI-telemetry] subscription test
[HUAWEI-telemetry-subscription-test] sensor-group test
[HUAWEI-telemetry-subscription-test] destination-group test
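
The listing above binds only the example interfaces (XGE5/0/5 and XGE5/0/8), while its comments require the same binding on every aggregation-facing and uplink interface. The following check is an added example, not part of the Huawei guide: it reads a CLI transcript in the same prompt-and-command form as the listing and reports the required interfaces that were never bound and any telemetry subscription that points at a group with no sensor path or collector address. The function name audit, the transcript format, and the sample session are assumptions made for illustration.

```python
import re

# Interfaces that the guide's comments say need each binding on the example core switch.
REQUIRED = {"transit-input": {"5/0/5", "5/0/6", "6/0/5", "6/0/6"},  # towards aggregation
            "egress": {"5/0/8", "5/0/9", "6/0/8", "6/0/9"}}         # uplinks
PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")
BIND = re.compile(r"flow-learning interface xgigabitethernet\s*(\S+)\s+(transit-input|egress)\b", re.I)
TELEMETRY = re.compile(r"-telemetry-(sensor-group|destination-group|subscription)-(.+)$")
DEFINES = {("sensor-group", "sensor-path"), ("destination-group", "ipv4-address")}

def audit(transcript):
    """Return sorted gaps between a CLI transcript and the procedure on this page."""
    bound = {role: set() for role in REQUIRED}
    defined = {"sensor-group": set(), "destination-group": set()}
    subs, loss_reason = {}, False
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())          # // comment lines do not match
        if not m or not m.group(2):
            continue
        view, cmd = m.group(1), m.group(2).strip()
        key, _, arg = cmd.partition(" ")
        tv = TELEMETRY.search(view)
        if view.endswith("-ifit-native-ip"):
            b = BIND.match(cmd)
            if b:
                bound[b.group(2).lower()].add(b.group(1))
            loss_reason = loss_reason or cmd == "report-loss-reason enable"
        elif tv and tv.group(1) == "subscription":
            refs = subs.setdefault(tv.group(2), {})
            if key in defined and arg:
                refs[key] = arg.split()[0]
        elif tv and (tv.group(1), key) in DEFINES and arg:
            defined[tv.group(1)].add(tv.group(2))  # group has a path or a collector address
    findings = [f"XGE{i}: no {role} flow-learning binding"
                for role, needed in REQUIRED.items() for i in needed - bound[role]]
    if not loss_reason:
        findings.append("report-loss-reason not enabled")
    if not subs:
        findings.append("no telemetry subscription configured")
    for name, refs in subs.items():
        for kind, names in defined.items():
            if kind not in refs:
                findings.append(f"subscription {name}: no {kind} bound")
            elif refs[kind] not in names:
                findings.append(f"subscription {name}: {kind} {refs[kind]} has no path or address")
    return sorted(findings)

# Constructed transcript (not from a real device), with three interfaces and one group missing.
SAMPLE = """
[HUAWEI-ifit-native-ip] report-loss-reason enable
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 5/0/5 transit-input bidirectional
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 5/0/6 transit-input bidirectional
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 6/0/5 transit-input bidirectional
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 5/0/8 egress bidirectional
[HUAWEI-ifit-native-ip] flow-learning interface Xgigabitethernet 6/0/8 egress bidirectional
[HUAWEI-telemetry-sensor-group-test] sensor-path huawei-ifit:ifit/huawei-ifit-statistics:flow-native-ip-statistics/flow-native-ip-statistic
[HUAWEI-telemetry-destination-group-insight] ipv4-address 172.31.31.32 port 10001 protocol grpc
[HUAWEI-telemetry-subscription-test] sensor-group test
[HUAWEI-telemetry-subscription-test] destination-group test
"""
```

Calling audit(SAMPLE) returns one finding per unbound interface and one for the subscription whose destination group was created under a different name.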

10.2.11 Basic Operations on the Digital Map

Network Health View


1. Choose Network > Map > Network Health View from the main menu.
2. The homepage consists of the topology display area, smart assistant, metric
display area, topology view switching, and timeline.

– Topology display area: Displays information about metrics of sites and
links between the sites. You can adjust the topology layout as required.
You can move the pointer to a site or link to view the corresponding
information.
– Smart assistant: Provides basic information about the global topology,
including the numbers of sites and devices, as well as to-dos. You can
click the icon in the upper right corner of the page to enable the smart
assistant.
– Metric display area: Displays the global data of selected metrics within
the specified time range.
– Topology view switching: You can select site and link metrics to be
displayed and switch to the user experience view or application
experience view as required.
– Timeline: You can select Real Time or History from the drop-down list
box.

▪ Real Time: The data is displayed in 5-minute periods. You
can click the corresponding time point to view real-time data.
▪ History: You can click the icon to select a time range and drag the
pointer on the timeline to adjust the time range to view the
corresponding metric data.
3. In the To Be Handled area on the right, click the desired network
optimization item to view network events. Click an event to view the root
cause analysis and service impact analysis.


Click a network event to view its details, including statistics, cause analysis,
and troubleshooting suggestions. Click an affected device to view the AP
details of the device. Click the icon of a site to view the detailed location of the
faulty device or link in the topology.


4. Click the Network Health View icon to check site metrics, link metrics, and
view types in the pop-up window. The selected metrics are displayed in the
topology display area. A maximum of three site metrics and three link metrics
can be selected at the same time.


– Site Metrics: After site metrics are selected, the metric values of all sites
within the selected time range are displayed. You can click the metric
value to view details.
– Link Metrics: After link metrics are selected, you can move the pointer to
a link to view basic link information and information about selected link
metrics within the selected time range.
– View Type: You can switch to the user experience view or application
experience view as required.
5. After the required metrics are selected, pop-ups are displayed for sites that
have data. Click a pop-up to view the metric details of the corresponding site.
6. On the Metric Details page, select the time range in the upper part for
metric statistics. Click different tabs to view details about different metrics,
including statistics and trend charts.


7. In the topology display area, double-click a site to enter the device topology
view.
– Click Device Topo, select metrics to be displayed, and view network
health details in the metric display area based on the current dimension.
You can click the pop-up above a device to view the metric details.

– Click Device Topo and select Space View under View Type to view
network health details based on the space dimension. You can click the
pop-up above a region to view the metric details. In addition, you can
double-click a region to drill down to view network health details by the
minimum granularity of floors.


Parameter Description

Table 10-8 Key icons and descriptions


Tool Icon Description

Displays the description of colors and shapes on the map.

Intelligently modifies the layout of the topology.

Locks or unlocks the current layout. A locked layout cannot be modified.

Changes the background. The default background is black. You can
click this icon to change the background of the topology view or
upload a customized background.

Saves the current topology layout.

Sets the number of characters for the node name to be displayed.

Refreshes the topology. After you click this icon, the topology layout
will be restored to the layout saved last time.

Displays the topology panorama. If the topology is large, you can
click this icon to view the global topology information. You can also
select a partial view in the panorama to quickly view information
about the selected area.

User Experience View


1. Choose Clients > Client Map > User Experience Map from the main menu.
2. The homepage consists of the user topology and smart assistant.


– User topology: Displays the number of abnormal VIP users and total
number of users at each site. You can view the distribution of users at
each site and adjust the layout.
– Smart assistant: Provides an overview of the user experience view,
including information about common users and VIP users, to-dos, and
event broadcast. You can click the icon in the upper right corner of the page
to enable the smart assistant.
3. Click Users in the upper part on the homepage to view statistics about all end
users in a list. The latest experience score is displayed for users with Access
Type set to Wireless.


4. Click VIP Setting. The VIP user list is displayed. You can add or delete VIP
users as required.
– Adding a VIP user: Click Add. In the dialog box that is displayed, enter the
desired user name, click the icon, select the user, and click OK. Then the user
is set as a VIP user.
– Deleting a VIP user: Search for a VIP user by user name or MAC address,
select the user, and click Delete. Then the user is set as a common user.
5. Click a user name to go to the details page and view the user experience
details.
– Timeline
The Experience Journey area in the lower part of the page displays the
access time ranges in the current time window. You can click the timeline
to view details about APs to which end users connect in a specified time
range.

– Space view: Displays the AP panorama of a floor. The highlighted AP is
the one to which users connect. You can click the highlighted AP to view
its details in the selected time window.


– The User Details page displays detailed information about the user,
experience exception analysis, access applications, and network quality.

▪ Experience Exception Analysis: Displays the analysis result with the
lowest user experience score in the time range selected in the
Experience Journey area by default. You can select a time range in
the upper right corner as required.
Experience Score: Displays the user network experience score in the
selected time range using intelligent algorithms.
Experience Analysis Model: Displays the user network experience
model from dimensions of network, terminal, and application, and
provides causes of network experience deterioration based on the
analysis result of each dimension. (The application dimension is not
displayed if no application is accessed within the specified time
range.) You can click each dimension to view detailed information.
In the network dimension, you can view the signal strength, air
interface delay, air interface packet loss rate, and bandwidth, which
display the metric details and trend in the selected time range and
provide event analysis results for poor metric values. The access
experience dimension displays user access data.
In the terminal dimension, you can view the dual-band capability
and power saving mode, as well as event analysis results for poor
metric values.
In the application dimension, you can view the packet loss rate and
delay.


▪ Access Applications: Lists applications accessed by the user in the
time range selected in the Experience Journey area. If no application
is accessed within the specified time range, the access application list
is not displayed.
▪ Network Quality: Displays the metric trend in the time window
from dimensions of signal strength, air interface delay, air interface
packet loss rate, and traffic. You can view network quality
information about users.


– Wired user
User locations in the device topology view are displayed. You can move
the cursor to a device to view basic information.
The User Details page displays the basic information and network
quality information about the user.

6. Double-click the user icon on the homepage of the user experience view and
drill down to check user data by selected site, region, building, and floor
based on the completed network plan.

Application Experience View


1. Choose Application > Application Map > Application Experience View from
the main menu.
2. The homepage consists of the application topology and smart assistant.


– Application topology: Displays the total number of applications, total
traffic, top 5 applications with the highest traffic, and abnormal
applications at each site. You can view the distribution of applications at
each site and adjust the layout.
– Smart assistant: Provides an overview of the application experience view,
including the number of applications, traffic, to-dos, and event broadcast.
You can click the icon in the upper right corner of the page to enable the
smart assistant.
3. Click Applications in the upper part of the map on the homepage to view
statistics about all applications. The application list displays the application
name, traffic, and total number of abnormal/service flows.


4. Click an application to view its details. The Application Details page displays
detailed information about the application and the list of sites that access the
application.

5. Click a site name to view the application details of the site, including basic
application information, fault demarcation information, and flow list.

The fault demarcation information includes the packet loss rate and delay of
traffic.
The flow list displays information about users who use the application. You
can click a user name to go to the user details page. In addition, you can click
the start or end time of a user to view the traffic data of the user at each
time point in the topology on the left. You can also click the source or
destination to view the location of the user in the device view of the topology.
If the application status is abnormal, the abnormal flow is marked in red in
the topology. You can click an abnormal metric in red to view the fault
analysis result on iMaster NCE-CampusInsight. The page on the right displays
basic information and troubleshooting information about the abnormal flow.


NOTE

This function can be applied to the following issues: optical module exception, queue
congestion, port congestion, abnormal increase of forwarding CPU usage, abnormal
increase of AC CPU usage, abnormal increase of AC memory usage, and block memory
threshold exceeded on the forwarding plane.


11 O&M

11.1 Instructions for Maintenance Engineers

11.1.1 Troubleshooting Principles


Analyze, locate, and rectify a fault in compliance with the following principles:
● Restore the system as soon as possible.
● During fault locating, collect fault data in a timely manner and save the data
to mobile storage media or PCs on the network.
● When determining a troubleshooting scheme, evaluate the impact and ensure
the normal transmission of services first.
● In the case of third-party hardware faults, refer to third-party hardware
documents or call the third-party customer service center for help.
● If you fail to locate the faulty point or rectify the fault, see 11.1.4 Asking for
Help for technical support and cooperate with Huawei engineers in fault
rectification to minimize service interruption.

11.1.2 Troubleshooting Precautions


Read the following precautions before locating and rectifying a fault:
● Evaluate whether the fault is an emergency one. If it is an emergency one,
immediately recover the faulty module by using the pre-formulated
troubleshooting methods, and then recover services.
● Strictly conform to operation rules and industrial safety standards, ensuring
human and device safety.
● Record original information about any problem that occurs during
troubleshooting. Do not delete data or logs without permission.
● Analyze the fault symptom and identify the cause before trying to rectify the
fault. Performing rectification when the cause is unknown will worsen the
fault.
● Obtain the customer's written consent before collecting fault logs to ensure
security and privacy of the customer network.


● Record all the operations you have performed, especially the key operations
such as restarting devices and clearing databases. Before performing the key
operations, confirm the operation feasibility, back up data, and prepare the
emergency and security measures. Only qualified personnel can perform key
operations.
● Take ESD protection measures, for example, wear an ESD wrist strap when
replacing or maintaining device components.
● After the system recovers, observe system running to ensure that the fault is
rectified. Then, complete the associated troubleshooting report in a timely
manner.

11.1.3 Troubleshooting Process


Figure 11-1 shows the troubleshooting flowchart. All possible causes of a fault
can be grouped into multiple cause sets to reduce problem complexity. Systematic
troubleshooting finds the fault causes step by step and finally resolves the fault.

Figure 11-1 Troubleshooting flowchart

A fault can be detected on the user side (for example, a user cannot access the
Internet) or on the network side (for example, an alarm is generated on a device).
After a fault is detected, you need to collect the fault information about each
device immediately, analyze the fault information, and then locate and rectify the
fault. For solution-level troubleshooting on the entire network, the key is to
quickly narrow down the fault scope to a specific component based on the fault
symptom and then rectify the fault.

11.1.4 Asking for Help


For enterprise customers:

● Access the intelligent Q&A customer service system of Huawei enterprise
business.
● Contact Huawei customer service center.
– Hotline: global service hotline
– Email: [email protected]
● Visit Huawei technical support website for enterprise business and search
for troubleshooting cases or post your questions on Support Community.
