Huawei Agile Controller-Campus Technical Proposal


Agile Controller Product Installation and Deployment Training

Installation preparation
Start the installation
Log in to the system
Software registration

Obtaining the software
Agile Controller-Campus can be installed in two ways:
a) From the installation disc: the relevant disc must be prepared.
b) From the software package: the relevant software package must be prepared.
Contents

Deployment principles and installation disc overview
Steps to install Agile Controller-Campus
Steps to uninstall Agile Controller-Campus

Copyright © 2014 Huawei Technologies Co., Ltd. All rights reserved.

Agile Controller-Campus Installation and Deployment
Preface

Agile Controller-Campus is Huawei's latest automated network resource control system, driven by users and applications. It is positioned as the intelligent brain of the campus: guided by the SDN centralized control concept, it dynamically allocates the campus's network and security resources so that the network serves the business more agilely. This course mainly describes how to install Agile Controller-Campus on Windows Server 2008 R2.

Username and password planning: the initial default credentials are admin/Changeme123. On the first login to Agile Controller-Campus the system prompts you to change the password.

Host name and IP address planning: the server's host name and IP address can be changed according to the actual situation. Disk partition planning: drive C for the operating system, drive D for installing the database and Agile Controller-

Huawei Agile Controller-Campus Technical Proposal

Huawei Agile Controller (Campus Edition) Technical Proposal (Template). Document version 01. Release date 2016-05-26. Copyright © Huawei Technologies Co., Ltd. 2016.

All rights reserved.

No part of this document may be excerpted, reproduced or transmitted in any form by any organization or individual without the prior written consent of Huawei.

Trademark statement: Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks or registered trademarks mentioned in this document are the property of their respective owners.

Notice: the products, services or features you purchase are subject to Huawei's commercial contracts and terms. All or part of the products, services or features described in this document may be outside the scope of your purchase or use. Unless otherwise agreed in the contract, Huawei makes no express or implied statements or warranties regarding the content of this document.

The content of this document is updated from time to time because of product version upgrades or other reasons. Unless otherwise agreed, this document is intended only as a usage guide; none of the statements, information or recommendations in it constitute an express or implied warranty.

Huawei Technologies Co., Ltd. Address: Huawei Headquarters Office Building, Bantian, Longgang District, Shenzhen. Postal code: 518129. Website: . Customer service email: . Customer service hotline: 400-822-9999.

Huawei Agile Controller (Campus Edition)

Contents
1 Overview
1.1 Project Background
1.1.1 Campus Network Development Trends
1.1.2 Project Status
1.1.3 Access Scenarios and Security Risk Analysis
1.1.4 Project Objectives and Scope
2 Application Scenarios
3 Solution Design Philosophy and Principles
4 Project Solution Design
4.1 Solution Overview

Huawei Agile Controller Solution

Huawei Agile Controller Solution Overview

The defining characteristic of mobile office, BYOD and WLAN is that the user terminal, as the consumer of information, no longer has a fixed physical location. This challenges traditional networks, which are built around manual static configuration:

1. Across different locations and different terminals, how can a consistent office experience be guaranteed, so that users do not notice any difference between locations?

2. How can network policies such as user permissions, security and QoS priority be configured dynamically? A user on a traditional fixed network can be bound to a physical port, and the administrator manually configures the policy on the network device closest to the user. When user locations are not fixed, the network administrator cannot be expected to adapt to every individual's movements by hand. The network therefore needs the ability to allocate resources and deploy policies dynamically: network resources must follow the user.

3. How should network security be deployed? Traditionally, the main leak point is the boundary between the enterprise and the Internet, and many enterprises deploy firewalls and other security devices at that boundary for protection. But the introduction of mobility, together with the evolution of attack techniques, has removed the boundary: Wi-Fi, mobile terminals and remote office introduce a large number of new leak points, and the emergence of internal attack methods (viruses, Trojans, APT attacks) renders traditional perimeter defenses completely ineffective.

Agile Controller is the core component of Agile Network, the next-generation network solution Huawei released for the enterprise market. It covers the agile campus, agile branch, agile WAN and agile data center scenarios, implementing application policy control for end-to-end connections from the access layer to the data center.

Agile Controller applies the SDN centralized control principle. Centered on service experience, it dynamically allocates network-wide resources based on users and applications, so that network and security resources follow users as they move and the network serves the business more agilely.

Product characteristics

Redefining the network around service experience: from a past focus on technology, devices and connectivity to a focus on users, services and experience; from manual configuration to planning in natural language and automatic deployment.

• Brings the SDN centralized control concept into the campus, dynamically allocating the campus's network and security resources so that resources follow the user and services travel with them.

• Allows network-wide permission, QoS and security policies to be adjusted flexibly, greatly shortening the time needed to launch new services or expand the network, and keeping pace with ever faster business change.

Huawei Agile Controller-Campus Product Description

[Figure: CPE/uCPE at the enterprise HQ, CloudCPE, and the enterprise network in the cloud DC]

The Agile Controller-Campus is a next-generation campus and branch network controller developed by Huawei. The Agile Controller-Campus uses new technologies such as cloud computing, SD-WAN, and VXLAN to implement network virtualization, policy centralization, and cloud-based management. The Agile Controller-Campus provides enterprises with fast managed LAN and cloud-based leased line services, reduces OPEX, and accelerates migration of services to the cloud and digital transformation.

Huawei Agile Controller-Campus is the core component of Huawei SD-WAN solution. This document describes the functions of the Agile Controller-Campus in the SD-WAN solution.

Product Overview

Solution Description

As enterprises undergo ICT transformation, a large number of enterprise services are being migrated to the cloud. Traditional enterprise leased line solutions can hardly meet enterprise service requirements in the cloud era. First of all, leased lines are expensive. According to telecom market research and surveys by consulting corporations, the cost of MPLS leased lines is several times or dozens of times that of the Internet, consuming a large amount of enterprise funds. In addition, it takes a long time (an average of 30 working days) to provision services, preventing enterprise customers from quickly obtaining services. Finally, maintaining enterprise leased lines is costly. Traditional leased line devices require maintenance to be carried out onsite. For enterprises with multiple branches, it is difficult to maintain the branch networks and maintenance costs are high.

To meet the requirements of service cloudification and industry digitalization, enterprise leased lines require higher bandwidth, simplified O&M, and quick responses to service changes. Huawei's innovative SD-WAN solution helps enterprises build application-aware, cost-effective, easy-to-maintain, and on-demand cloud-based enterprise leased lines, and reshapes the online experience of service provisioning, O&M, adjustment, and optimization. This solution facilitates the rapid innovation of enterprise services in the cloud era and helps enterprises achieve business success.

[Figure: Architecture of Huawei SD-WAN solution. Enterprise Branch 1 to Enterprise Branch n with CPE, uCPE, vFW and vWoC, connected over Internet and MPLS; the controller manages devices over NETCONF]

Huawei SD-WAN solution aims to solve problems caused by traditional enterprise leased lines. It allows enterprises to quickly provision new services, reduce investment and O&M costs, and quickly respond to service demands and changes in the cloud era. This solution strengthens enterprise competitiveness and leads the entire business ecosystem. Huawei SD-WAN solution offers the following benefits:
• Flexible link binding, reducing bandwidth costs
• Service provisioning time shortened from months to days
• Application-aware intelligent path selection, improving user experience
• Plug-and-play, visualized O&M, reducing OPEX

Key Components

Huawei Agile Controller-Campus is the core component of Huawei SD-WAN solution. It manages enterprise interconnection services throughout the entire process, and provides a wide range of unmatched functions and capabilities, such as automated deployment of leased line services, configuration of intelligent path selection policies, VAS management, plug-and-play, and visualized O&M. The Agile Controller-Campus provides northbound RESTful interfaces for easy interconnection with third-party systems, and communicates with devices through southbound NETCONF, HTTP2.0, and HTTPS interfaces to implement device management and control.

[Figure: Agile Controller-Campus architecture. Northbound RESTful interface to OSS/BSS, analysis systems, third-party VASs and other applications. Service functions: VAS management, traffic policy, security policy, plug-and-play, visualized O&M. Basic functions: multi-tenant management, cluster management, alarm management, log management. Southbound NETCONF, HTTP2 and HTTPS interfaces to CPE, uCPE and vCPE at enterprise branches and HQ/DC for device configuration, tunnel management, network PMI and device upgrade, over a physical network of MPLS, Internet, LTE and public/private cloud]

Benefits

Fast deployment, accelerating SD-WAN service provisioning
The Agile Controller-Campus can automatically deploy end-to-end network services and supports plug-and-play for all series of CPEs, so that devices can quickly go online. The Agile Controller-Campus supports quick configuration and automatic deployment of leased line tunnels, shortening the leased line service provisioning period from months to days, making service provisioning more convenient, and meeting enterprise requirements for rapid network service expansion.

Intelligent path selection, improving user experience
The Agile Controller-Campus supports configuration of application-based intelligent path selection, including the configuration of predefined application identification and user-defined application identification. The Agile Controller-Campus implements differentiated network services based on different user requirements on application quality to preferentially ensure the quality of services for key applications.

On-demand VAS, accelerating service provisioning
The Agile Controller-Campus supports uCPE management. The uCPE uses the x86/ARM universal hardware platform to carry virtualization services, and runs VNFs to provide functions such as firewall and WOC. The Agile Controller-Campus can manage VNFs on the uCPE throughout the lifecycle. Enterprise customers can quickly load VASs. In addition, the Agile Controller-Campus supports service chain orchestration, ensuring that service traffic passes through multiple VNF nodes in sequence, meeting enterprises' various service requirements.

Visualized O&M and visualized application traffic across the entire network
The Agile Controller-Campus supports visualized management of applications and links. The Agile Controller-Campus can visualize the status of the entire network and display the network status in real time, improving O&M efficiency. The Agile Controller-Campus monitors and collects statistics on the actual service flow, and presents the quality, status, and trend of applications and links, implementing quick troubleshooting and accurate fault backtracking.

Key Features

Plug-and-play
In the SD-WAN scenario, an enterprise needs to deploy CPEs at the sites. After being powered on, the CPEs automatically obtain IP addresses and proactively register with the Agile Controller-Campus to complete configurations and go online. The plug-and-play feature requires no manual configuration, saving much time and reducing misconfigurations. Plug-and-play can be implemented using the following methods:
• URL in the email

Intelligent path selection
Huawei SD-WAN solution provides hybrid link access capabilities. To ensure the experience of services for key enterprise applications, the Agile Controller-Campus supports application- and application quality-based intelligent path selection. This ensures that services requiring high link quality use leased lines, and other services use Internet links. When a network fault occurs or the link quality is unstable, a link switchover can be flexibly performed to improve user experience. To implement intelligent path selection, the Agile Controller-Campus supports the following functions:
• Identification of predefined applications and user-defined applications
• IP FPM-based link quality detection (including latency, jitter, and packet loss)
• Path selection policy management of applications

On-demand VAS
In traditional mode, VASs for enterprise sites are provided by different pieces of hardware. The disadvantages lie in fixed hardware functions and complex service deployment and provisioning. To implement fast, on-demand VAS deployment, Huawei launches the uCPE based on the x86/ARM architecture. The uCPE can carry virtualized VASs. The Agile Controller-Campus can manage and control VNFs on the uCPE, including:
• Full-lifecycle management of VNFs on the uCPE, including installing, pausing, stopping, restarting and deleting VNFs
• Service chain orchestration of VNFs on the uCPE
• Monitoring of VNFs on the uCPE (including query of information such as the VNF management IP address, CPU, RAM, and running/operating status)
• Support for multiple types of VNFs (such as Huawei vFW/vAR, Riverbed vWOC, Fortinet FortiGate, and Check Point vSec)

Application visualization
The Agile Controller-Campus supports application-based visualized management. Users can quickly locate faults using the Agile Controller-Campus, simplifying O&M. To implement application visualization, the Agile Controller-Campus can display:
• Health score distribution, worst 5 sites by health score, site list and other information of network-wide sites
• Average AQM, bandwidth usage, throughput trend, worst 5 applications by AQM, and other information of a specified site
• Worst 5 links by LQM, top 5 links by traffic, link list and other information of network-wide links
• LQM trend, throughput trend, application top traffic, application AQM distribution, and other information of a specified link
• AQM distribution, worst 5 applications by AQM, top 5 application traffic, application list and other information of network-wide applications
• AQM trend, throughput trend, and other information of a specified application

Tunnel management
As the number of enterprise branches increases, inter-branch access traffic also increases. Traditionally, inter-branch access traffic needs to be transmitted via the enterprise headquarters, consuming resources of the headquarters and causing delay. The Agile Controller-Campus supports automatic deployment of dynamic smart VPN (DSVPN), implementing dynamic establishment of tunnels between branches. The Agile Controller-Campus supports IPSec encryption, ensuring security of enterprise services. To implement tunnel management, the Agile Controller-Campus supports the following functions:
• DSVPN tunnel
• Full-mesh and Hub-Spoke networking
• IPSec encryption

Ordering Information

Agile Controller software license

Item | License | Quantity
Platform | SD-WAN Platform Software | 1-2
Device management | Device Management License For AR160, Per Device | 1-N
Device management | Device Management License For AR1X00, Per Device | 1-N
Device management | Device Management License For AR2X00, Per Device | 1-N
Device management | Device Management License For AR3X00, Per Device | 1-N
Device management | Device Management License For AR651W-X4, Per Device | 1-N
Device management | Device Management License For AR651-X8, Per Device | 1-N
Device management | Device Management License For AR1610-X6, Per Device | 1-N
Device management | Device Management License For AR1000V, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR160, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR1X00, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR2X00, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR3X00, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR651W-X4, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR651-X8, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR1610-X6, Per Device | 1-N
SD-WAN function | SD-WAN Service License For AR1000V, Per Device | 1-N
VAS management | Virtual Application Management License For uCPE, Per vCPU | 1-N

Agile Controller Subscription And Support License

Item | SnS License | Quantity
Platform SnS | Subscription And Support, 1/2/3 Year, SD-WAN Platform Software | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR160 or AR6X0, Per Device | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR1X00, Per Device | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR2X00, Per Device | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR3X00, Per Device | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR651W-X4, Per Device | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR651-X8, Per Device | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR1610-X6, Per Device | 1-N
Device management SnS | Subscription And Support, 1/2/3 Year, Device Management License For AR1000V, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR160, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR1X00, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR2X00, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR3X00, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR651W-X4, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR651-X8, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR1610-X6, Per Device | 1-N
SD-WAN function SnS | Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR1000V, Per Device | 1-N
VAS management SnS | Subscription And Support, 1/2/3 Year, Virtual Application Management License For uCPE, Per vCPU | 1-N

More Information

For more information about the Huawei Agile Controller-Campus, visit .

Huawei Enterprise Campus Network Construction Technical Solution Proposal V1.0

Huawei Enterprise Campus Network Construction Technical Solution Proposal

Contents
1 Project Overview
1.1 Project Background
1.2 Project Objectives
2 Overall Campus System Planning and Design
2.1 Requirement Analysis
2.2 Design Principles
3 Campus Network Architecture Planning and Design
3.1 Overall Campus Network Architecture Planning and Design
3.1.1 Typical Campus Network Architecture
3.1.2 Economical Campus Network Architecture
3.1.3 Virtual Switching Campus Network Architecture
3.2 Campus Network Layered Planning and Design
3.2.1 Access Layer
3.2.2 Aggregation Layer
3.2.3 Core Layer
3.2.4 Egress Layer
4 Campus Network High Reliability Planning and Design
4.1 Campus Network High Reliability Planning and Design
4.2 Campus Network Device High Reliability Planning and Design
4.2.1 Redundancy of Key Components
4.2.2 Device Self-Protection
4.3 Campus Network Switch Virtualization Planning and Design
4.3.1 Aggregation Switch Cluster CSS (Cluster Switch Switching)
4.3.2 Access Switch Stacking iStack
5 Campus Network Security Solution Planning and Design
5.1 Overall Campus Network Security Solution Planning and Design
5.2 Campus Access Security Planning and Design
5.3 Campus Network Supervision/Monitoring Planning and Design
5.3.1 Preventing IP/MAC Address Theft and ARP Man-in-the-Middle Attacks
5.3.2 Preventing IP/MAC Address Scanning Attacks
5.3.3 Broadcast/Multicast Packet Suppression
5.4 Campus Network Border Defense Planning and Design
5.4.1 Firewall Deployment Planning and Design
5.4.2 Firewall Function Planning and Design
5.4.3 Firewall Performance Selection
5.4.4 Virtual Firewall Planning and Design
5.4.5 NAT Planning and Design
5.5 Campus Network Egress Security Planning and Design
6 Campus Network Management System Solution Planning and Design
6.1 Network Management System Overview
6.2 System Advantages
6.2.1 Network Management Advantages
6.2.2 Network Traffic Analyzer Advantages
6.2.3 Authentication and Accounting Advantages

Huawei CloudEngine S5732-H Series Switches Datasheet

BrochureProduct OverviewThe CloudEngine S5732-H series switches are the next-generation enhanced Ethernet switches developed by Huawei. The CloudEngine S5732-H builds on Huawei's unified Versatile Routing Platform (VRP) and boasts various IDN features. For example, the integrated wireless AC capabilities can manage up to 1,024 wireless APs; the free mobility feature ensures consistent user experience; the VXLAN functionality implements network virtualization; and built-in security probes support abnormal traffic detection, threat analysis even in encrypted traffic, and network-wide threat deception. With these merits, the CloudEngine S5732-H can function as core switches for small-sized campus networks and branches of medium- and large-sized campus networks, and also work as access switches for Metropolitan Area Network.Models and AppearancesThe following models are available in the CloudEngine S5732-H series.CloudEngine S5732-H24S6QCloudEngine S5732-H48S6QFeatures and HighlightsEnabling Networks to Be More Agile for Services●CloudEngine S5732-H has a built-in high-speed and flexible processor chip. The chip's flexible packet processing and traffic control capabilities can meet current and future service requirements, helping build a highly scalable network.●In addition to capabilities of traditional switches, the CloudEngine S5732-H provides open interfaces and supports user-defined forwarding behavior. Enterprises can use the open interfaces to develop new protocols and functions independently or jointly with equipment vendors to build campus networks meeting their own needs.●CloudEngine S5732-H series switches, on which enterprises can define their own forwarding models, forwarding behavior, and lookup algorithms. Microcode programmability makes it possible to provide new services within six months, without the need of replacing the hardware. In contrast, traditional ASIC chips use a fixed forwarding architecture and follow a fixed forwarding process. 
For this reason, new services cannot be provisioned until new hardware is developed to support the services one to three years later.Delivering Abundant Services More Agilely●This CloudEngine S5732-H provides the integrated WLAN AC function that can manage 1,024 APs, reducing the costs of purchasing additional WLAN AC hardware and breaking the forwarding performance bottleneck of an external WLAN AC. With this switch series, customers can stay ahead in the high-speed wireless era.●With the unified user management function, the CloudEngine S5732-H authenticates both wired and wireless users, ensuring a consistent user experience no matter whether they are connected to the network through wired or wireless access devices. The unified user management function supports various authentication methods, including 802.1x, MAC address, and Portal authentication, and is capable of managing users based on user groups, domains, and time ranges. These functions visualize user and service management and boost the transformation from device-centric management to user-centric management.●The CloudEngine S5732-H provides excellent quality of service (QoS) capabilities and supports queue scheduling and congestion control algorithms. Additionally, it adopts innovative priority queuing and multi-level scheduling mechanisms to implement fine-grained scheduling of data flows, meeting service quality requirements of different user terminals and services.Providing Fine Granular Network Management More Agilely●The CloudEngine S5732-H uses the Packet Conservation Algorithm for Internet (iPCA) technology that changes the traditional method of using simulated traffic for fault location. iPCA technology can monitor network quality for any service flow anywhere and anytime, without extra costs. It can detect temporary service interruptions in a very short time and can identify faulty ports accurately. 
This cutting-edge fault detection technology turns "extensive management" to "fine granular management."●The CloudEngine S5732-H supports Two-Way Active Measurement Protocol (TWAMP) to accurately check any IP link and obtain the entire network's IP performance. This protocol eliminates the need of using a dedicated probe or a proprietary protocol.●The CloudEngine S5732-H supports SVF and functions as a parent switch. With this virtualization technology, a physical network with the "Small-sized core/aggregation switches + Access switches + APs" structure can be virtualized into a "super switch", greatly simplifying network management.●With the Easy Deploy function, the CloudEngine S5732-H manages access switches in a similar way an AC manages APs. In deployment, access switches and APs can go online with zero-touch configuration. In the Easy Deploy solution, the Commander collects topology information about the connected clients and stores the clients' startup information based on the topology. Clients can be replaced with zero-touch configuration. The Commander can deliver configurations and scripts to clients in batches and query the delivery results. In addition, the Commander can collect and display information about power consumption on the entire network.Comprehensive VPN Technologies●The CloudEngine S5732-H supports the MPLS function, and can be used as access devices of high-quality enterprise leased line.●The CloudEngine S5732-H allows users in different VPNs to connect to the same switch and isolates users through multi-instance routing. 
Users in multiple VPNs connect to a provider edge (PE) device through the same physical port on the switch, which reduces the cost on VPN network deployment.Flexible Ethernet Networking●In addition to traditional Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP), the CloudEngine S5732-H supports Huawei-developed Smart Ethernet Protection (SEP) technology and the latest Ethernet Ring Protection Switching (ERPS) standard. SEP is a ring protection protocol specific to the Ethernet link layer, and applies to various ring network topologies, such as open ring topology, closed ring topology, and cascading ring topology. This protocol is reliable, easy to maintain, and implements fast protection switching within 50 ms. ERPS is defined in ITU-TG.8032. It implements millisecond-level protection switching based on traditional Ethernet MAC and bridging functions.●The CloudEngine S5732-H supports Smart Link and Virtual Router Redundancy Protocol (VRRP), which implement backup of uplinks. One CloudEngine S5732-H switch can connect to multiple aggregation switches through multiple links, significantly improving reliability of access devices.Various Security Control Methods●The CloudEngine S5732-H supports 802.1x authentication, MAC address authentication, Portal authentication, and hybrid authentication, and can dynamically delivery user policies such as VLANs, QoS policies, and access control lists (ACL). It also supports user management based on user groups.●The CloudEngine S5732-H provides a series of mechanisms to defend against DoS and user-targeted attacks. DoS attacks are targeted at switches and include SYN flood, Land, Smurf, and ICMP flood attacks. 
User-targeted attacks include bogus DHCP server attacks, IP/MAC address spoofing, DHCP request flood, and change of the DHCP CHADDR value.●The CloudEngine S5732-H sets up and maintains a DHCP snooping binding table, and discards the packets that do not match the table entries. You can specify DHCP snooping trusted and untrusted ports to ensure that users connect only to the authorized DHCP server.●The CloudEngine S5732-H supports strict ARP learning, which prevents ARP spoofing attackers from exhausting ARP entries.Mature IPv6 Features●The CloudEngine S5732-H is developed based on the mature, stable VRP and supports IPv4/IPv6 dual stacks, IPv6 routing protocols (RIPng, OSPFv3, BGP4+, and IS-IS for IPv6). With these IPv6 features, the CloudEngine S5732-H can be deployed on a pure IPv4 network, a pure IPv6 network, or a shared IPv4/IPv6 network, helping achieve IPv4-to-IPv6 transition.Intelligent Stack (iStack)●The CloudEngine S5732-H supports the iStack function that combines multiple switches into a logical switch. Member switches in a stack implement redundancy backup to improve device reliability and use inter-device link aggregation to improve link reliability. iStack provides high network scalability. You can increase a stack's ports, bandwidth, and processing capacity by simply adding member switches. iStack also simplifies device configuration and management. After a stack is set up, up to nine physical switches can be virtualized into one logical device. You can log in to any member switch in the stack to manage all the member switches in the stack.VXLAN Features●VXLAN is used to construct a Unified Virtual Fabric (UVF). As such, multiple service networks or tenant networks can be deployed on the same physical network, and service and tenant networks are isolated from each other. This capability truly achieves 'one network for multiple purposes'. 
The resulting benefits include enabling data transmission of different services or customers, reducing the network construction costs, and improving network resource utilization.●The CloudEngine S5732-H series switches are VXLAN-capable and allow centralized and distributed VXLAN gateway deployment modes. These switches also support the BGP EVPN protocol for dynamically establishing VXLAN tunnels and can be configured using NETCONF/YANG.Big Data Security Collaboration●The CloudEngine S5732-H switches use NetStream to collect campus network data and then report such data to the Huawei Cybersecurity Intelligence System (CIS). The purposes of doing so are to detect network security threats, display the security posture across the entire network, and enable automated or manual response to security threats. The CIS delivers the security policies to the Agile Controller. The Agile Controller then delivers such policies to switches that will handle security events accordingly. All these ensure campus network security.●The CloudEngine S5732-H supports Encrypted Communication Analytics (ECA). It uses built-in ECA probes to extract characteristics of encrypted streams based on NetStream sampling and Service Awareness (SA), generates metadata, and reports the metadata to Huawei Cybersecurity Intelligence System (CIS). The CIS uses the AI algorithm to train the traffic model and compare characteristics of extracted encrypted traffic to identify malicious traffic. The CIS displays detection results on the GUI, provides threat handling suggestions, and automatically isolates threats with the Agile Controller to ensure campus network security.●The CloudEngine S5732-H supports deception. It functions as a sensor to detect threats such as IP address scanning and port scanning on a network and lures threat traffic to the honeypot for further checks. 
The honeypot performs in-depth interaction with the initiator of the threat traffic, records various application-layer attack methods of the initiator, and reports security logs to the CIS. The CIS analyzes security logs. If the CIS determines that the suspicious traffic is an attack, it generates an alarm and provides handling suggestions. After the administrator confirms the alarm, the CIS delivers a policy to the Agile Controller. The Agile Controller delivers the policy to the switch for security event processing, ensuring campus network security.Intelligent O&M●The CloudEngine S5732-H provides telemetry technology to collect device data in real time and send the data to Huawei campus network analyzer CampusInsight. The CampusInsight analyzes network data based on the intelligent fault identification algorithm, accurately displays the real-time network status, effectively demarcates and locates faults in a timely manner, and identifies network problems that affect user experience, accurately guaranteeing user experience.●The CloudEngine S5732-H supports a variety of intelligent O&M features for audio and video services, including the enhanced Media Delivery Index (eMDI). With this eDMI function, the switch can function as a monitored node to periodically conduct statistics and report audio and video service indicators to the CampusInsight platform. In this way, the CampusInsight platform can quickly demarcate audio and video service quality faults based on the results of multiple monitored nodes.Intelligent Upgrade●Switches support the intelligent upgrade feature. Specifically, switches obtain the version upgrade path and download the newest version for upgrade from the Huawei Online Upgrade Platform (HOUP). The entire upgrade process is highly automated and achieves one-click upgrade. 
In addition, preloading the version is supported, which greatly shortens the upgrade time and service interruption time.●The intelligent upgrade feature greatly simplifies device upgrade operations and makes it possible for the customer to upgrade the version independently. This greatly reduces the customer's maintenance costs. In addition, the upgrade policies on the HOUP platform standardize the upgrade operations, which greatly reduces the risk of upgrade failures.Open Programmability System (OPS)●Open Programmability System (OPS) is an open programmable system based on the Python language. IT administrators can program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligent O&M.LicensingCloudEngine S5732-H supports both the traditional feature-based licensing mode and the latest Huawei IDN One Software (N1 mode for short) licensing mode. The N1 mode is ideal for deploying Huawei CloudCampus Solution in the on-premises scenario, as it greatly enhances the customer experiences in purchasing and upgrading software services with simplicity.Software Package Features in N1 ModeNote: Only V200R019C00 and later versions can support N1 modeProduct SpecificationsService FeaturesNetworking and ApplicationsLarge-Scale Enterprise Campus NetworkCloudEngine S5732-H series switches can be deployed at the access layer of a campus network to build a high-performance and highly reliable enterprise network.Small- or Medium-scale Enterprise Campus NetworkCloudEngine S5732-H series switches can be deployed at the aggregation layer of a campus network to build a high-performance, multi-service, and highly reliable enterprise network.Small-scale Enterprise Campus NetworkWith powerful aggregation and routing capabilities of CloudEngine S5732-H series switches make them suitable for use as core switches in a small-scale enterprise network. Two or more S5732-H switches use iStack technology to ensure highreliability. 
They provide a variety of access control policies to achieve centralized management and simplify configuration.Application on a MANCloudEngine S5732-H series switches can be deployed at the access layer of a MAN(Metropolitan Area Network) to build ahigh-performance, multi-service, and highly reliable ISP MAN network.Application in Public CloudCloudCampus Solution is a network solution suite based on Huawei public cloud. CloudEngine S5732-H series switches can be located at the access layer.The switches are plug-and-play. They go online automatically after being powered on and connected with network cables, without the need for complex configurations. The switches can connect to the management and control system (CloudCampus@AC-Campus for switches running V200R019C00 and earlier versions; iMaster NCE-Campus for switches running V200R019C10 and later versions), and use bidirectional certificate authentication to ensure management channel security. The switches provide the NETCONF and YANG interfaces, through which the management and control system delivers configurations to them. In addition, remote maintenance and fault diagnosis can be performed on the management and control system.The following table lists ordering information of the CloudEngine S5732-H series switches.More InformationFor more information about Huawei Campus Switches, visit or contact us in the following ways: ●Global service hotline: /en/service-hotline ●Logging in to the Huawei Enterprise technical support website: /enterprise/ ●Sendinganemailtothecustomerservicemailbox:********************Copyright © Huawei Technologies Co., Ltd. 2020. 

光联 SD-WAN Product User Manual

光联 SD-WAN Product User Manual
1. Product positioning and features
1.1 Product positioning
Agile Controller-Campus is the management and control system for SD-WAN solution scenarios. It provides end-to-end management of enterprise interconnection services, including automated deployment of private-line services, intelligent path selection policy configuration, VAS service management, enterprise branch connection to public clouds, plug-and-play, and visualized O&M.

Through Agile Controller-Campus, service provisioning, configuration, and daily O&M can be carried out independently in a multi-tenant network.

1.2 Product features
Simple
∙ Simple network deployment: end-to-end automated deployment of network services, with plug-and-play support for the full range of CPE (customer premise equipment) devices, so devices go online quickly with no technical barrier.

∙ Simple service provisioning: in the SD-WAN solution, private-line tunnels can be configured quickly and deployed automatically, and application-based intelligent path selection is supported. Based on the requirements of key applications, differentiated network services are provided per application, link quality and application quality are monitored, and key applications are given priority according to the configured policy.

∙ Simple network O&M: the SD-WAN controller collects key information such as network-wide service traffic, quality, alarms, and logs in real time and presents it in a unified view, with a friendly network topology and GIS map, so users can keep a global grip on the network's running status and detect and handle problems promptly.

Elastic
∙ On-demand network expansion: supports access management of very large-scale and cross-region devices, and application-based intelligent path selection that provides differentiated network services per application according to the requirements of key applications.

∙ On-demand management expansion: Agile Controller-Campus supports multiple tenants. An enterprise network can be operated by the enterprise itself or handed to an MSP for managed O&M; enterprises choose the network management mode freely according to their own capabilities and service needs.

Open
∙ Third-party O-layer (orchestration layer) interworking: Agile Controller-Campus provides a complete northbound API oriented to the SD-WAN service model, which can be quickly and conveniently integrated with third-party orchestrators and into the customer's own service systems.

∙ Broad uCPE ecosystem: uCPE serves as a platform for delivering VAS services on demand, covering the industry's mainstream VAS functions, including security, voice, WAN acceleration, DHCP, DNS, IPAM, and file sharing.

Agile Controller-Campus Product Introduction PPT

In the mobile era, wired and wireless coexist, and a user may have both mobile and fixed terminals, which need to be managed in a unified way.
Consistent experience assurance
Mobility means pursuing a consistent experience anytime, anywhere; network policies must be able to adjust quickly along with users and applications.
Rapid rollout of mobile applications
When an enterprise needs to deploy a new application, the network must be able to adjust quickly and flexibly to accommodate the change.
Contents
Agile Controller-Campus product positioning; Agile Controller-Campus product overview; Agile Controller-Campus application scenarios
The mobility trend calls for a consistent service experience
Mobility is unstoppable
In 2011, shipments of mobile smart terminals exceeded PCs for the first time.
Gartner forecast: in 2015, tablet sales reach 326 million units and smartphone sales reach 1 billion units (50% of the mobile phone market), with enterprise office workers being the largest group of users.
Unified policy platform: Agile Controller-Campus
5 What: which devices connect (PC, iOS, Android). 6 How: how they connect (wired, wireless, VPN).
Agile Controller-Campus: unified network-wide policy management
Enterprise branch
Data center
External traditional attacks
Mobile network attacks
✗ Single-point firewall defense fails
In traditional networks, access methods and locations are fixed, so attack points and attack methods are limited
Wireless eavesdropping attacks
Mobile terminal attacks
With mobility, the office space expands without limit and access terminals are highly diverse, so attack points and attack methods also diversify
Agile Controller-Campus, the intelligent brain of the campus

Deploying 802.1X+MAC Authentication at the Access Layer (Wired Authentication)

Agile Controller-Campus: Deploying 802.1X+MAC Authentication at the Access Layer (Wired Authentication). Document version V1.0, release date 2016-3-30. Copyright © Huawei Technologies Co., Ltd. 2016.


1 Deploying 802.1X+MAC Authentication at the Access Layer (Wired Authentication)
Applicable products and versions
This case applies to the following products and versions:
Networking requirements
Because the enterprise has high security requirements, the network administrator wants to prevent unauthorized persons and insecure computers from connecting to the company network and causing loss of company information assets. Employees' computers must therefore pass identity authentication and a security check before connecting to the company network; only legitimate users on computers that pass the security check may connect.

Dumb terminals such as IP phones and printers must likewise pass authentication before being allowed onto the network.

Based on the performance analysis of the company's existing network devices, the enterprise has the following characteristics:
∙ The existing access switches are capable and all support 802.1X.

∙ The campus is small, has no branch offices, and the network is relatively centralized.

∙ The company has no more than 1000 employees, and daily terminal access, including guests, is below 2000.

∙ Dumb terminals such as IP phones and printers need to connect to the company network.

∙ When Agile Controller-Campus is unavailable, an escape channel should be enabled so that users or dumb terminals can directly access the post-authentication domain and services are not interrupted.

Agile Controller V100R002C00 Product Installation and Deployment Training


Contents
Introduction
Pre-installation solution
Fresh installation solution
Uninstalling the Controller
Overall architecture
Copyright © 2014 Huawei Technologies Co., Ltd. All rights reserved.
Component introduction
The server layer includes:

MC (Management Center)
Used in hierarchical deployment as the management center of the Agile Controller system, responsible for defining the overall security policy.

SM (Service Manager)
Takes the service management role: through the web management interface, the system administrator completes user management, admission control, and other management work. As the manager of the Agile Controller system, it manages the service controllers under it.

Database activation
Database parameter configuration - Oracle
Default password, account disabling, password expiry policy, maximum server memory, login audit policy, startup mode, default ports

Huawei Agile Controller (Campus Edition) Technical Proposal (Template). Document version 01, release date 2016-05-26. Huawei Technologies Co., Ltd. Copyright © Huawei Technologies Co., Ltd. 2016.


Contents
1 Overview
1.1 Project background
1.1.1 Campus network development trends
1.1.2 Project status
1.1.3 Access scenarios and security risk analysis
1.1.4 Project objectives and scope
2 Application scenarios
3 Solution design ideas and principles
4 Project solution design
4.1 Solution overview
4.2 Deployment solution design
4.2.1 Internal employee authentication solution design
4.2.2 External guest authentication solution design
4.3 Authentication and authorization policy design
4.3.1 User account sources
4.3.2 Department/role design
4.3.3 Policy authorization model design
4.4 Free mobility solution design
4.5 Terminal security solution design
4.6 Service orchestration policy design
4.7 Solution reliability design
5 Project implementation recommendations
5.1 Project configuration recommendations
5.2 Project implementation step recommendations

6 Product introduction
6.1 System architecture
6.2 Typical application scenarios
6.3 Main functions

1 Project overview
1.1 Project background
1.1.1 Campus network development trends
Enterprise IT applications are changing significantly: new applications such as cloud computing, BYOD, and HD media are rapidly entering enterprises. These changes pose greater challenges to the enterprise's basic campus network, requiring the campus network architecture to become more convenient, reliable, and secure.

In particular, with the spread of wireless office applications such as BYOD, enterprise office access has evolved from the early mode of connecting to the campus network from fixed locations via PCs and laptops to today's advanced mode of flexible mobile "3A (Anytime, Anywhere, Anything)" access through smart terminals.

In a converged network with massive numbers of wired and wireless users, network access security problems become increasingly prominent, including identification and permission control of internal employees and guests, identification and permission control of terminal device types, and control of access between users. How an enterprise applies unified policy management and deployment to fixed and mobile services across such complex dimensions directly affects its information security and is the key to ensuring campus network security.

1.1.2 Project status
XXX's current network system and service status is as follows: (include the customer's business, current network topology, IP management method, VLAN plan, distribution of service servers and access users, whether AD or LDAP authentication servers exist, existing software and hardware security system deployment, user scale, and so on)
1.1.3 Access scenarios and security risk analysis
Combining XXX's current network situation with its requirements for secure access control, the current network's requirements for network admission control mainly cover the following scenarios: (delete or edit according to the actual situation)
1. Internal employees use fixed PCs and laptops to access the intranet over the wired network
2. Internal employees use laptops, tablets/phones, and other smart terminals to access the intranet over the wireless network
3. External guests use laptops, tablets/phones, and other smart terminals to access designated network resources, such as the Internet, over the wireless network
4. Dumb terminals such as network printers and IP phones access the intranet over wired connections
5. Internal employees access the intranet from the Internet through VPN
6. ...
Faced with complex network access scenarios,
1.1.4 Project objectives and scope
2 Key application scenarios
(Optional) Scenario 1: How to configure 802.1x authentication clients more quickly?
Current difficulty: Traditional campus networks usually use web authentication, but web authentication assigns the user an IP address before authentication, which wastes IP address resources, and the DHCP (dynamic address allocation protocol) server that assigns IP addresses is fully exposed to the user and is vulnerable to malicious attacks.

Web authentication also requires entering a username and password every time the network is accessed, which is very inconvenient for people who work on campus regularly.

The most secure and reliable approach is 802.1x authentication.

However, 802.1x authentication requires complex configuration on the terminal. The proportion of end users who complete the configuration themselves is low, and the network administrator cannot configure every terminal, especially today when terminal numbers keep surging. As a result, most campus networks have not adopted this secure authentication method.

Solution: The Boarding feature of Huawei Agile Controller-Campus automatically configures the 802.1X client. Whether the terminal runs Windows, iOS, or Android and whether it connects by wire or wirelessly, Boarding recognizes it and provides the appropriate configuration.

With Huawei's Boarding feature, when a user connects to the network for the first time, Agile Controller-Campus identifies the terminal's operating system and redirects it to the Boarding client download page for that operating system. The user downloads the client, enters the account and password, and installs it in one click; the terminal's 802.1X configuration is completed automatically, and 802.1X authentication is initiated automatically once configured.

The whole process is completed by the user without administrator involvement, which greatly reduces the administrator's workload.

Key features: Automatic 802.1X configuration of wired and wireless terminals.

Supports Windows, iOS, and Android.

(Optional) Scenario 2: How to enable guest self-service network access.

Current difficulty: Normally, the accounts in the authentication system are managed centrally by the administrator; enterprise employee accounts are fairly stable, so the maintenance workload is small.

Guests are different: guest Internet access is bursty and random. An ordinary enterprise receives dozens to hundreds of visitors a day, and if administrators had to create and maintain Internet accounts for all of them by hand, the workload would be enormous. In open or semi-open venues such as hotels, schools, airports, shopping malls, and subways, where people come and go frequently and the user volume is huge, it is even less feasible for administrators to maintain the account system by hand.

At the same time, auditing the online behavior of large numbers of guests becomes very difficult.

Solution: Agile Controller-Campus provides a rich set of guest authentication methods to meet guests' network access needs in all kinds of scenarios.

An ordinary non-open enterprise can use guest self-registration plus administrator approval: the guest submits an account application on the application page, and the administrator logs in to the system to approve it.

When applying, the guest can use a mobile number, email address, or username as the account; once approved, the password can be viewed on the web page or received by SMS or email.

With QR code authentication, access becomes even simpler; public QR code authentication lets a user get online by scanning a code. QR code authentication also offers a registration-and-approval style flow: the guest connects to the SSID and, when accessing a website through the browser, is redirected to a QR code page; an internal employee scans the QR code, and only after approval does the guest pass authentication.

For open or semi-open campuses, SMS authentication is a good choice: the guest enters a mobile number on the authentication page and clicks to obtain a password, the password is sent to the guest's phone by SMS, and the guest enters the password to pass authentication.

Commercial venues such as hotels, shopping malls, and airports generally have their own WeChat official account and want more people to follow it for marketing purposes. For this scenario we provide WeChat authentication, where the guest must follow the official account before passing authentication.

Large public venues such as stadiums, wireless cities, and subways have no marketing requirement and can choose third-party social media account authentication: QQ and Sina Weibo accounts are supported in China, and Google+, Facebook, and Twitter accounts abroad. The guest clicks the corresponding social media icon on the authentication page, is redirected to the third party's authentication page, and enters the corresponding account and password to authenticate.

For all authentication methods, the server backend records the authentication account login log, which facilitates later auditing.

Key features:
Guest management
QR code authentication
SMS authentication
WeChat authentication
Third-party social media account authentication
(Optional) Scenario 3: How to integrate with existing data sources
Current difficulty: The enterprise has its own account management system, with accounts stored on AD or LDAP servers, and some enterprises already have their own RADIUS authentication system; the newly purchased authentication system needs to interwork with the existing servers.
