Huawei Agile Campus Network Solution (SD)

CONTENTS
03 What Did the Agile Network Change?
11 Solution
Huawei Agile Campus Network Solution /13
Huawei Agile Stadium Solution /31
39 Success Stories
Your Wish Our Ways /41
Huawei Agile Switch S12700 Helps BAIC to Build the Agile Network
Creating a Digital Hospital and Promoting Mobile Medical IT

Construction /45
Huawei S12700 Series Agile Switches Help Third Affiliated Hospital of Guangzhou University of
Chinese Medicine Build an Agile Network
47 Technical Essays
Agile Campus Network Easily Tackles Mobility Challenges /49
Evolution of Free Mobility /52
Protect Your Network with Huawei's United Security Solution /54
Wired and Wireless Convergence and Simplified Network O&M

Management /56
Agile Network Brings a Brand New, Excellent Network O&M

Experience /59
63 Star Products
Agile Controller /65
S12700 Series Agile Switch /69
Secospace USG6600 Series Next-Generation Firewall /73

What did the agile
network change?
Solution
Success Stories
Technical Essays
Star Products
What Did the Agile Network Change
03 Huawei
HuaweiAgile
AgileCampus
Campus
Network
Network
Solution
Solution
Enable
Enable
Networks
Networks
to to
BeBe
More
More
Agile
Agile
forfor
Services
Services
What Did the Agile

Network Change?
T
he number of global Internet devices has reached 12 billion. Mobile payment is
everywhere, making life more convenient. Cloud computing is reinventing business
models. The Internet economy is revolutionizing the whole world by making global
business rules obsolete time and again - speeding up social development.
For businesses, growth rate, responsiveness to changes, and quickness of business model
transformation are essential to future survival and prosperity. In a time of interconnection
and ubiquitous information innovations, IT has become a key enabler for businesses
to build a new model of competitiveness. In the IT field, cloud computing, mobility,
social media, Big Data, and Internet of Things (IoT) are the five development trends.
Meanwhile, as basic IT platforms, networks are facing great challenges.
By Swift Liu
Huawei Agile Campus Network Solution Enable Networks to Be More Agile for Services 04
Challenges to Networks
Cloud computing places higher upper-layer IT services, realizing dynamic, real-time, and
flexible network adjustment.
demands on network quality
Second, in the future, 70% of all traffic will be generated
Many people were fascinated when Amazon's cloud
on DC networks while 16% and 14% will be generated
service entered China. In fact, this is a sign that cloud
on carrier and enterprise networks, respectively. Server
computing is having a great impact on the traditional
interfaces have expanded from GE to 10GE and are now
operation model of Data Centers (DCs). For networks,
expanding to 40GE and 100GE. This means that the
cloud computing may pose greater challenge since the
demand for DC network bandwidth is increasing at a
prerequisite for resource cloudification is strong network
much faster pace than Internet broadband.
support. Currently, cloud computing is posing two
challenges to traditional networks. For networks connecting DCs to users, user experience is
the greatest challenge.
For internal DC networks, flexibility and bandwidth are
two challenges. With the deployment of desktop cloud and service
migration to cloud, networks are now similar to
First, enterprise DC cloudification and virtualization are
computer buses. Network quality has a direct impact
now a general trend, which requires quick migration of
on user experience. For example, desktop cloud bears
Virtual Machines (VMs) and a dynamic network to support
not only work flows and emails, but also real-time video
this. There is no interaction between the traditional
conferencing and voice services. Multimedia services
closed network and virtual resource management, so the
have a high demand for network quality. Poor network
network cannot support VM migration.
quality will lead to inferior user experience. In reality, areas
Thats where Software-Defined Networking (SDN) comes adjacent to DCs often have better network quality and
in. SDN treats the network as resources and opens it to user experience.
05 Huawei Agile Campus Network Solution Enable Networks to Be More Agile for Services
User mobility complicates traffic 10 most influential technologies in 2014, if a business

does not have an effective basic network for multimedia
management
communication, its competitiveness will be greatly
With the popularization of mobile devices, BYOD has diminished.
become an effective way for businesses to improve office
Social networking requires multi-service, which has a
efficiency. Mobility also poses many challenges to traffic
profound impact on networks. Different networks have
management, VIP user experience assurance, resource
different requirements on the network. Voice services
allocation management, and QoS policy migration to
require a packet loss ratio of less than 10-2 and HD video
enterprise networks.
requires a packet loss ratio of less than 10-6 to prevent
The challenge to traffic management: Wi-Fi is now mosaic. For business users, the most annoying thing in a
widespread in enterprise campus networks and employees video conference is the flashing mosaic. On a traditional
can work at any location, making traffic unpredictable. network, it is impossible to identify whether the mosaic is
This unpredictable "swarm traffic" is a great challenge caused by the video conferencing system or the network,
to user experience. For example, if there are too many or to pinpoint the problem to a single device and board.
employees using Wi-Fi at the same time in a meeting How to support these bandwidth-consuming services and
room, the traffic will surge quickly, posing enormous ensure maintenance is a key question future networks
pressure to upstream switching devices. In this case, not need to answer.
only the service experience in the current meeting room
Many businesses are thinking about deploying social
degrades, but service experience of other meeting rooms
media systems that enable multipoint video conferencing.
connected to the same switching device will be affected
This surging traffic, combined with swarm traffic, makes
as well, particularly for those real-time and bandwidth
the traffic model in an enterprise campus network more
sensitive services like high-definition video conferencing.
unpredictable.
Meanwhile, few enterprise campus networks are
configured with QoS priorities. A few exceptions are
configured with static priorities. This means when the
Big Data analytics is required to
traffic surges, VIP user experience cannot be guaranteed. defend against network attacks
For example, if an employee needs to access Wi-Fi to Big Data analytics has been gaining attention in recent
process urgent or important business, surging traffic could years. Google once used it to accurately diagnose a
make it hard for him to do so, and that could result in loss blooming flu epidemic in the US based on the most
for the company. frequently searched pharmacy names and disease
symptoms. How could Google do this even though they
Challenge to dynamic policy migration: The change of
have no services in the pharmaceutical sector? How will
user access location and mode requires that user-related
Big Data analytics influence the ICT industry?
Network Access Control (NAC) and QoS policies change
accordingly. In a large enterprise campus network, the As enterprises become more globalized and mobile
fixed network, WLAN, and external access all have their workers become more common, network borders are
independent authentication and control centers and blurring. Network attacks also become more varied due to
systems. The NAC and QoS policies must be statically employee mobility and diversified terminal types. Wireless
configured for each system, which is time and labor- tapping, attacks targeting mobile terminals, and 3G/LTE-
consuming. The existence of multiple social networking based mobile network attacks are now commonplace.
services has a great impact on networks. Traditional networks still rely on static single-point attack
protection mechanisms. Firewalls, Intrusion Prevention
Used by an increasing number of businesses, social
Systems (IPSs), Data Loss Prevention (DLP) devices work
networks are undoubtedly the best platform for them to
independently without any interaction. Big Data analytics
promote services. According to Gartner's forecast of the
can help people perceive and even forecast abnormal
traffic and security threats so that they can schedule all Second, since IoT is interwoven into our lives, pipe
network resources for defense. security must be guaranteed. A market survey in the US
found that the most attacked facility in America's IoT is
IoT requires intelligent networks the waterworks. We cannot tolerate the possibility that a
malicious attack could lead to contamination of the public
Internet of Things (IoT) is no longer just an idea. It is a
supply of drinking water.
trend of business and industry development. Statistics
show that 10 billion things were interconnected through Therefore, in the IoT era, networks must ensure pipe
networks in 2013, and the number is going to surge to security in addition to supporting a large number of nodes
more than 50 billion by 2020. Many businesses are using and a wide variety of interfaces.
technologies like IoT and Big Data analytics to conduct The above changes require a new generation of enterprise
complex and more accurate operations, leading to a network architecture, and thats where Huawei's agile
strong demand for intelligent networks. network comes in. It was developed specifically to cope
First, the network must be of high bandwidth and with the current network transformation challenges.
reliability to support unprecedented traffic.
What Changes Can the Innovative Agile

Networking Bring?
I
n the last decade, network devices have become IP- and IT-based networks must be open, flexible, fast,
increasingly IP-based and interfaces are increasingly automatic, and highly efficient, while delivering a good
Ethernet-based. In the future, networks will be IT- user experience. Simply put, networks must be agile.
based and industrial bearer networks will be IP-based.
In August 2013, Huawei launched the agile network of employees. When Agile Controller are deployed in
solution, which, for the first time, integrated service a network, IT personnel need only to configure the
models with technical models. The new-generation controllers rather than the machines. The controllers can
network architecture integrates requirements of mobility, then function as a brain, translating and delivering signals
cloud computing technologies, and security collaboration, to switches. Since IT personnel now make configurations
enabling enterprises to provide services in a quicker and on interfaces with graphics and natural languages, what
more agile way. used to be complex is now simple.
The agile network is different from the traditional network

QoS policy
in five aspects. The agile network puts greater emphasis
QoS policies can also be configured on a controller. When
on users, services, and customers experiences and a bit
many people are in a meeting and the traffic surges,
less on technology, devices, and connectivity, while taking
the controller can accurately deliver the QoS policy to
the entire network into account rather than only a single
the switch nearest to a VIP user to make sure they can
point. It enables perceptible network quality while the
enjoy guaranteed bandwidth for a smooth experience.
traditional connectionless-IP-based network that relies
When BYOD becomes prevalent, the QoS policy will
on the best effort principle does not support network
become more important in enterprise campus networks.
quality perception. The agile network features automated
There are different types of services on mobile terminals
network configuration and service provisioning, and is a
such as Internet, voice, video, and other important
Software-Defined Network (SDN).
communication services. After configuration on the
The agile network can be deployed in enterprise campus controller, QoS policies can "go" wherever a user goes,
networks, DCs, branch networks, and WANs. It represents which ensures guaranteed bandwidth and priority for VIP
the latest ideas and results of SDN research. In 2013, users/groups and key services.
Huawei focused on agile campus networks. Through on-
demand service, security collaboration, quality perception, Storage and service policy
wireless/wired convergence, and SDN smooth evolution, Large companies have more than one DC. To ensure
we helped enterprise customers transform their networks consistent user experience, access latency must be
to support new services in an agile way. minimized. Since these DCs are distributed across the
globe, hot backup is adopted for important service
Change No.1: Cloudification of systems such as Enterprise Resource Planning (ERP). The
network resources and Free Mobility active-active backup mechanism ensures that employees
enjoy consistent experience and minimum latency while
Free mobility means the network policies, resources, and
accessing different DCs. This means that when employees
services can dynamically migrate as users move. Wherever
travel between facilities supported by different DCs, they
users are, they can access the network on any type of
enjoy the best service experience no matter if the DCs are
terminal and enjoy a consistent service experience. The
in different cities or different countries because services
following policies need to migrate as users move to
and service data are dynamically shared between DCs.
ensure consistent service experience.
This process is called "floating" and can be realized by the
integration of storage and networks on an agile network
Access control policy
architecture.
To ensure portable policies, Huawei employed the SDN
architecture in the agile network. In DCs, SDN allows
network policies to migrate as Virtual Machines (VMs) Change No.2: United Security on
migrate. Huawei also introduced SDN to enterprise the entire network
campus networks to enable migration of network Huawei integrates security analysis software into the
resources and policies in accordance with the migration controller to collect log information of all devices on
the entire network and record all security events. The services such as HD video conferencing, there are only a
controller analyzes all information to detect threat few devices. After iPCA is deployed, the number of lost
anomalies that would not be detected through single packets and the locations of packet loss can be accurately
point analysis. In the event of suspicious activity, the recorded. As a result, the video conferencing quality
controller sounds the alarm and sends a report to network can be monitored and faults can be detected and then
administrators. Network administrators can then schedule prevented or rectified.
all network resources to defend against threats. This
However, if devices from other vendors do not support
simplifies network administrators' work and protects
iPCA, how can iPCA be realized? Must all devices on
system security.
the whole network be Huawei devices? Absolutely not.
Another example: An enterprise network was attacked. iPCA only changes the reserved bit in IP packets and IP
When the network administrator summarized the data packets can be transmitted among all devices. Therefore,
afterwards, he found that if the logs of the attacked enterprises need only to deploy Huawei devices at
device and its surrounding devices had been properly particular network locations to evaluate the network
analyzed, the attack would been detected and successfully quality of a corresponding network segment.
resisted. So then, why wasnt defensive action taken?
Because the log data is so extensive that by the time it is Change No.4: In-depth convergence
processed and analyzed by a lone network administrator,
its too late.
of wired/wireless networks
What is in-depth convergence? How is it helpful? Huawei
Big Data analytics enables collaboration for security
proposed that service cards of switches should support
protection, and timely, even preemptive detection of
Access Controller (AC), integrating forwarding, control,
potential threats.
and management. However, convergence at this level is
far from enough to ensure consistent wired/wireless user
Change No.3: Perceptible network experience. We must integrate wired/wireless networks,
quality and accurate network which complement with each other. In-depth convergence
management of wired/wireless networks will promote consistent and
With connectionless IP, network quality is not perceptible optimized service and management experience for both
on the traditional network. Huawei's Packet Conservation wired and wireless users.
Algorithm for Internet (iPCA) can solve the problem of
In-depth convergence allows the wireless network to
network quality perception using a reserved bit to color,
adopt the virtualization capability of the wired network.
check, and count packets to accurately detect packet loss.
In a wired network, an access switch is virtualized into a
iPCA brings a lot of benefits in many scenarios.
service card of an agile switch and an Access Point (AP) is
Quality monitoring of WAN leased lines: Many enterprises virtualized into a switch interface. The whole network is
lease dedicated WAN lines from carriers. These leased virtualized into a switch, greatly simplifying management.
lines are subject to constant packet loss, but why isnt
In-depth convergence also allows the wired network
the packet loss perceived by users? Because of the re-
to benefit from the maintenance-free characteristic of
transmission mechanism of TCP and the application layer.
Even though user experience is guaranteed, network the wireless network. Since APs are all deployed in high
quality is still affected by packet loss. iPCA can be places like roof tops or poles, easy configuration and free
deployed at both interfaces of a leased line to record all maintenance are considered for APs from the start. The
packet loss, allowing enterprises to accurately evaluate WLAN management model can also be adopted in the
the quality of the leased line. wired network to make access switches "maintenance
free". Like an AC managing APs using the CAPWAP
Transparent link quality monitoring: For multimedia
protocol, the agile switch can also use the same protocol Moreover, many enterprises hope to use SDN without
to manage access switches. affecting services on existing networks. They don't want
the entire network to become SDN-based. In this case,
dual control planes on one switch can be implemented.
Change No.5: Smooth evolution to
One physical network can be split into two logical
SDN networks: one to run original protocols and services, the
SDN was first applied in DCs to enable flexible scheduling other for SDN new services. In this way, customers can
of network resources and policies as VMs migrate. There have networks capable of smooth evolution to SDN in the
are different understandings of SDN in the industry. We future.
can focus on how SDN evolves to address problems.
The agile network provides forwarding-level, device-level,
Huawei was the first to introduce SDN to enterprise NMS-level, and controller-based Application Programming
campus networks, which allows flexible network resource Interfaces (APIs) for service orchestration, providing a
allocation and policy adaptation as users roam. The platform for secondary development and innovation.
agile network also brings innovation to WANs, branch
The ultimate objective of the agile network is to enable
networks, and DCs.
people and things to enjoy distance-free communication,
SDN is used in WANs, greatly improving link utilization. and free dissemination of information. It aims to
For example, one of Huawei's large enterprise customers improve the ease of communication and free it from all
invested billions of dollars in leased lines, the utilization of interferences and limitations. The agile network attempts
which was only 30% to 40%. Through the deployment of to achieve excellent user experience, simplify network
WAN Agile Controller, the link utilization was increased to O&M, and maximize network efficiency. Huawei is
over 90%, significantly cutting line leasing fees. committed to providing customers with a fast and flexible
network architecture that enables more agile services.
Enterprises must be committed to

network innovation in order
to tackle current as well as
future service challenges.
Innovation, once begun,
never ends
Solution
Huawei Agile Campus Network Solution
Huawei Agile Stadium Solution
Solution
Huawei Agile Campus Network

Solution
Solution
Network Service Development Trends and

Challenges
S
ince its rollout in 1989, the Ethernet switch office is growing steadily. However, Wi-Fi traffic is
has become a key component in IT network unpredictable, requiring user-related network access
development. With network devices such as control and Quality of Service (QoS) policies that
Ethernet switches and routers increasing in forwarding dynamically change based on user location. However,
performance, functional features, and port rate, traditional enterprise campus Operation and Maintenance
networks provide advantages of high performance, (O&M) departments must manually configure these
cost-effectiveness, and high ease of use. In recent policies, which overloads O&M personnel. User rights
years, with new concepts such as Bring Your Own are also difficult to manage. Enterprises cannot quickly
Device (BYOD) mob ile office, cloud computing, respond to user demands or ensure a consistent service
Software-Defined Networking (SDN), Internet of experience. The reason is that traditional network
Things (IoT), and Big Data increasing in popularity, resources are allocated based on physical location, not
new technologies and applications are springing user location.
up and deployed on enterprise campuses, posing
considerable challenges on campus networks. Cloud Computing Challenge: Virtualization, Real-
Timeness, and High-Quality Experience
Mobile Applications Challenge: Static Configuration To improve resource use and O&M management
vs. Dynamic Configuration efficiency while reducing Operating Expense (OPEX),
Network users expect Wi-Fi networks on enterprise desktop clouds have been gradually deployed on campus
campuses to enable them to access corporate resources networks. However, cloud services require that data
from anywhere and at any time using any device. The center computing and storage resources be virtualized
demand for BYOD and the convenience of the mobile and dynamically and flexibly allocated. Desktop clouds
Solution
transmit multiple services such as electronic workflows, users who have to access various networks. Consequently,
emails, and real-time multimedia (video and voice terminal security and information security problems
conferences) that require high network quality. Networks increase sharply, and edge security becomes indistinct. In
interconnect the computing and storage resources of data the meantime, attack methods have become diversified.
centers, just as computer buses interconnect CPUs, hard According to statistics by a well-known technology
disks, and memory. But if network quality is poor, user research and advisory firm, 75 percent of threats occur at
experience will be degraded. the application layer. Over 50 percent of attacks are well-
organized by teams of hackers. Defending against such
New Service Challenge: Fast-Changing Services vs. diversified attack methods is a major focus of enterprises.
Rigid Network Attackers also tend to use unknown threat variants to
Network services and functionalities have been growing elude traditional protection methods. In 2010 alone,
rapidly. Take the number of IETF RFCs as an example. One 17.98 million new viruses attacked networks in China.
thousand-some RFCs were released over 20 years while,
in the last 10 years, over 3,000 RFCs were released. In Network O&M Challenge: Unknown Network
order to achieve business success, enterprises hope to
States and Non-automatic Management
shorten the time needed to provision new services. How Traditional networks lack an effective mechanism
can traditional networks accommodate this demand? that can automatically sense user experience and locate
Because traditional switches are based on ASICs, the network faults. For example, real-time services such as
packet forwarding function of the switches is fixed when video and voice place high importance on packet loss
they are delivered from factories. What's more, real-time ratio, latency, and jitter. However, the IP network is
network interaction services like video and voice keep connectionless. There is no information about service
increasing. How can a consistent experience be ensured states on IP networks. When users suffer video pixelation
when a broad variety of services are transmitted on only or unclear voice, the network itself is unaware of these
one network? problems. Network administrators are also unaware of
the problems and cannot determine the factors that are
IoT Challenge: Developing Standards, Openness, affecting users' service experience.
and Complex Environments
IoT is no longer a concept but, rather, an inevitable
feature of future enterprises and industries. According to
statistics by a famous consulting firm, in 2013, over 10
billion objects were connected to networks. It is predicted
that, by the end of 2020, the number of network nodes
will exceed 50 billion. The rapid development of the IoT
poses new challenges for networks, such as how to adapt
to such a large number of network nodes, various port
types, and communications methods, how to guarantee
high network security, and how to make devices adapt to
harsh industrial environments.
Network Security Challenge: Single-Node and

Static Defense vs. Multiple-Node and Dynamic
Defense Against Unknown Threats
The BYOD mobile office brings about many security
problems. BYOD can be used by both public and private
Solution
Huawei Agile Campus Network

Solution
Solution Overview
Huawei Agile Campus Network Solution is a next-generation network solution available now for all enterprise customers.
The agile network makes use of the latest ideas and research into Software-Defined Networking (SDN). By providing
features such as a fully programmable architecture, quality awareness and smooth evolution, the Huawei Agile Campus
Network Solution enables networks to provide responsive and flexible services. This solution aims at aiding enterprise
users to address problems on their campus networks. Huawei Agile Campus Network Solution features three architectural
innovations specifically for enterprise campus networks:
111 Huawei is the first company to apply SDN architecture to enterprise campuses and provide them a "smart brain"
the Agile Controller that centralizes control of the agile network, including the egress router and SSL VPN
(SVN). The Agile Controller also dynamically allocates network resources, enabling the resources to flexibly move
based on user location. In this manner, a high-quality service experience can be guaranteed for each user in a
mobile environment. In addition, the Agile Controller allocates security resources over the entire network, creating a
collaborative protective shield.
222 Huawei replaces traditional switches with agile switches that create an "agile body" for the campus network. With
these agile switches, the Huawei solution provides automatic fault detection and improved performance. This solution
can detect users and applications, network quality and faults, and security events.
333 Huawei's security resource pooling turns individual security resources such as firewalls into a resource pool shared
network-wide.
Branch L2 SW
AR network Internet access
L2 SW
Branch
network
AR WAN/Internet
eSight
Campus network egress NE/AR/SVN
Security Resource
Agile switch
Center Agile core
NG FW
Agile aggregation Agile switch

Agile Controller
Converged access
Agile Switch AP AP Agile switch
Huawei Agile Campus Network Solution architecture
Solution
Huawei Agile Campus Network Solution provides five innovative functionalities: free mobility, united security, quality
awareness, wired and wireless convergence, and fully programmable & smooth evolution, helping enterprise users
implement a network transformation oriented to new service trends. This solution also provides an architecture on which
networks can adapt to services to the fullest, enabling networks to be more agile for services.
Solution Details
Free Mobility: New Experience of Mobility
TThe rapid development of new network technologies and widespread use of BYOD drive mobile office and wireless access
to emerge and increase in popularity. Users want to work anywhere, anytime in a mobile manner. However, separated
user policies based on different access locations lead to poor remote and mobile office experiences. The reason is that
traditional network resources are allocated based on physical location and cannot move based on user location.
When an employee works at different places and accesses corporate resources from different locations, the network
must allocate different security policies and rights based on the actual access location and the terminal in use to ensure
high bandwidth/priority for a high-quality user experience. In other words, if user policies and service experiences can
dynamically migrate as users move, an employee working in a mobile office style can obtain a consistent experience by
accessing the network at any place using any terminal. To implement this functionality, networks must be capable of
dynamically allocating resources and deploying user policies, and network resources must move based on user location.
Ubiquitous Policies Ubiquitous Experience

1. Rights (Permit/Deny) 1. Priority
2. Service flow 2. Bandwidth
3. Security (IPS/AV/application
security)
User XXX
Policies, WAN/Internet
resources Location XXX
Policies,
resources
Silicon valley
Policies,
resources
Agile Controller
Shenzhen
No Access Guaranteed
Beijing Differentiation Experience
Free Mobility
Solution
By introducing the Agile Controller, agile switches, and SDN ideas, Huawei Agile Campus Network Solution enables
centralized management and control on the Agile Controller, implementing unified management of the entire network.
Specifically, on the Agile Controller, Huawei Agile Campus Network Solution defines rights, service flow security policies
and experience-related user priority, bandwidth, and VPN resources based on user group, and then delivers them to policy
execution devices such as campus switches, Next-Generation Firewalls (NGFWs), and SVN devices. When a user accesses
the campus network from different locations using different terminals through different modes including wired intranet,
wireless intranet, and remote extranet modes, the Agile Controller will automatically identify the user identity and user
group to which different the user belongs and sends user policy information to policy execution devices on the network to
execute the user policies, ensuring that the user obtains the same level of use security and a consistent service experience.
Ubiquitous Policies: Centralized Policy Control and Inter-User Group,

Fine-grained Policy Control
User Group Definition WAN /

Group Name GroupID Definition (5W1H-based) Internet
Data Center
R&D employees using
R&D desktop cloud 10 the desktop clou
Agile
Employees who bring
R&D BYOD 11 Controller
their own devices
Sales 20 Sales employees
User: A
VIP 30 VIP employees
Group ID: 13
IP address: XXX Agile Switch/
Inter-User Group Policy Definition Native AC
Destination
Group Sales Employee R&D Serve Sales Server
Source Group
R&D desktop cloud Deny Permit Deny
R&D BYOD Deny Deny Deny
Sales employees Permit Deny Permit

R&D employee
VIP employees Permit Permit Permit accesses the
campus network
Ubiquitous policies
Global Centralized Policy Control between a user group and a resource group provides
flexible, fine-grained user rights control while reducing
Huawei Agile Campus Network Solution uses the Agile
devices' use of Access Control List (ACL) resources.
Controller as the core to perform centralized configuration
and maintain user policies for the entire network. One-
time configuration takes effect in a uniform manner,
User Group-based Service Flow Security Policy
which reduces the number of inconsistent configurations. Dynamic security resource allocation performs traffic
This solution avoids tedious, traditional machine language- scheduling on an authentication switch, for a specified
based configurations and simplifies configurations by user group, in a specific orchestrated sequence. Huawei
using an easy-to-understand natural language. Agile Campus Network Solution configures user group-
based security service policies on the Agile Controller and
Inter-User Group Policy Control specifies which security devices will process the traffic and
the particular processing procedure.
Inter-user group rights control and policy control
Solution
Ubiquitous Access Experience: Unified User Experience and VIP Experience

Guarantees
Bandwidth, QoS,
and VIP user policy Bandwidth, QoS,
Bandwidth, QoS, Internet
and VIP user policy WAN and VIP user policy
NGFW
Router
Enterprise Bandwidth, QoS,
SVN Internet
branch and VIP user policy Agile Switch/
Native AC
Employee on a
business trip
VIP employee
through
Enterprise branch remote access
Ubiquitous access experience
Unified User Experience Guarantee When users access the campus network through a
remote VPN, the VPN client automatically selects the
No matter whether users access an enterprise's
optimal gateway with the shortest latency as the access
intranet resource or the Internet resource from a branch
gateway. When the available resource of a gateway is
or the campus headquarters or in a remote manner,
exhausted by online users, and new users cannot access
corresponding bandwidth and QoS policies are deployed
the gateway, the gateway automatically forces some
on key policy execution points that influence the service
common users to go offline and release system resources
experience, such as VPN access gateways, Internet egress
for VIP users, ensuring preferential access of VIP users.
firewalls, and branch egress devices. This way, users can
attain a consistent service experience. Additionally, VIP Free mobility associates network resources with users for
user traffic can be preferentially scheduled, and sufficient the first time, enabling the network resources to move
bandwidth can be guaranteed. based on user location and allowing employees to enjoy a
mobile office work style.
Automatic Selection of the Optimal VPN Gateway
and Preferential Access of VIP Users
Solution
United Security: From Single-Point Security Protection to

Comprehensive Network Protection
After the mobile office work style and Wi-Fi networks are applied to enterprises, users of any role can access the campus
network at any place using any device. Meanwhile, in addition to the traditional Internet egress, multiple new network
security threat sources including campus Wi-Fi access and remote access come into being. Approaches of hacker attacks
and virus transmission become ever more diversified and complex. Security threats are borderless, security devices defend
against attacks independently from each other, and deployment of security devices during network reconstruction is
complex. As a result, traditional physical location-based single-point defense and border security protection ideas can no
longer secure the campus network. Enterprises need to integrate and allocate security resources over the entire network to
proactively detect threats and defend against attacks in a highly efficient, flexible, and full-scale manner.
In order to help enterprise users effectively secure their campus network, Huawei offers its Agile Campus Network Solution
that leverages the Agile Controller, security resource center, and agile switches as well as Big Data analytics and SDN
ideas to integrate and schedule security capabilities on the entire network and implement united security. In the system
architecture of Huawei Agile Campus Network Solution, security monitoring points are ubiquitous on the network. The
Agile Controller collects security events over the entire network, performs Big Data analytics, and delivers security policies.
Security functions are no longer subject to constraints of physical locations. Security resources on the entire network can
be used on demand by diverting suspicious traffic to the virtual security resource center.
Performs Big
Agile Security
Collects security events Data analytics Resource Center
Controller
Dynamically NGFW
s allocates the security
Enables security policies lytic
a ana resource
Dat Third-party
s Big security device
orm ts
Perf even
rity
secu
oll ects
C
1. Collects security events on the entire network 3. Quickly responds to security events
Security events include network and security device Sends alarms in real time and provides handling suggestions. Flexibly delivers
logs, terminal user behavior logs, and abnormal security policies and quickly responds to security events.
traffic logs.
4. Dynamically allocates the security resource
2. Performs Big Data analytics Carries out resource pooling of security devices on the entire network and
The controller analyzes collected mass data and dynamically allocates the security resource based on areas, user groups, and security
detects potential security risks. events, significantly improving security protection capabilities of the entire network.
United Security
Solution
Big Data Analytics: Proactive Defense Against and Quick Response
Integrating security behavior analysis software, the Agile Controller collects logs of various devices, records various security
events on the network and, based on Big Data analytics, detects potential threats or attacks that single-point devices
cannot detect. O&M personnel can then "see" potential threats or attacks through an interaction interface. Administrators
can adjust security policies to quickly respond to potential threats and attacks. The system can also generate various
reports to display various security trends. By using Big Data analytics, security O&M personnel can detect potential threats
in a timely manner, quickly respond to and process the potential threats, and prevent security incidents.
Secure
Event logs response
Server zone NGFW
Association
Agile
analysis
Controller
Core switch
O&M zone
Event logs
Event logs
Aggregation
switch
United Security association analysis and proactive defense
Solution
Full-Scale Security Association Analysis, Proactive Display of Abundant Security States

Threat Detection, and Quick Response
The Agile Controller can check security states and
The Agile Controller collects logs of various devices display the health degree of the entire network. Through
such as network, security, and IT devices, performs an the area-based security state display, specific attack events
association analysis on massive log data based on defined can be displayed by clicking the attack traffic. Through
association rules, and detects threats. The system provides key assets-based security state display, specific security
a built-in default association rule template that supports events can be displayed by clicking each asset. In addition,
customization of association rules. The system also security events can also be displayed based on urgency
notifies O&M personnel of threats and attacks through degree, and handling suggestions are also provided.
multiple approaches, such as Short Messaging Service
(SMS) messages and emails, and delivers security policies
to quickly address the security problems.
Dynamic Allocation of Security Resources: On-Demand Invocation of Security

Capabilities Without Physical Location Constraints
Functioning as the "Smart Brain" of the campus network, the Agile Controller flexibly invokes security capabilities such as
firewall, online behavior management, and antivirus functions in the security resource center in the service orchestration
mode. For example, when marketing personnel access the Internet, security filtering must be performed using firewalls and
online behavior management devices. IT management personnel can orchestrate and define a service chain named "MKT
group's access to the Internet", and specify that this service chain should pass the NGFW in the security resource center.
Internet Security
Resource Center
Core layer:
Security policy configuration Third-party
agile switch
device 2
Tunnel
Agile Controller NGFW
Tunnel
Third-party
Aggregation layer: device 1
agile switch
Security policy
Tunnel
Service flow User Group Resource Group
Dynamic security resource allocation
Solution
When security devices are virtualized into a security Security Resource Sharing Improves Efficiency of
resource center, as long as the network is reachable, Security Resources
agile switches can flexibly invoke these security resources Huawei Agile Campus Network Solution not only
using tunneling technologies to protect service traffic. supports virtualization of security devices such as NGFWs
In this manner, deployment and use of security devices into a security resource center, but also permits integration
will not be subject to constraints of physical locations. of third-party security devices through open interfaces.
Security capabilities of the entire network will be quickly Security devices can be invoked by agile switches more
released. Security protection of service traffic of the than once, and the same security device can be invoked
BYOD mobile office work style, new applications, and by different agile switches.
temporary working groups, as well as effective defense
United security is implemented through Big Data analytics
response after security event detection will not be subject
and dynamic security resource allocation. As a result,
to live networks of which reconstruction and deployment
security intrusion events occurring at any location can be
are difficult. No additional security device needs to be
detected. The problems that a large number of security
purchased, which reduces customers' Capital Expenditure
threats exist in a mobile environment and single-point
(CAPEX).
firewalls cannot protect the network are completely
addressed. In this manner, network security protection
Flexible Orchestration of Service Flow Detection
has transformed from the single-point protection era
and Accommodation of Various Security Demands
to comprehensive network protection , and Chief
On the Agile Controller, security policies can be Information Officers (CIOs) are no longer worried about
configured for service traffic on the entire network to such security problems.
support service flow definitions based on the user group
or in the traditional ACL mode. The service flows can
invoke multiple security resource capabilities, including
firewall, intrusion detection, and antivirus functions.
Solution
Wired and Wireless Convergence: Simplifying Network O&M

Management
On traditional campus networks, common wireless deployment methods include independent Access Controllers (ACs)
and AC cards. Wired and wireless networks are separated in forwarding and control planes. With the arrival of the
802.11ac protocol and widespread use of the BYOD mobile office, AC devices have become performance bottlenecks due
to their limited forwarding capacity and port rate. Wired and wireless user authentication and policy management are
independently performed on switches and ACs, resulting in heavy network configuration and management workload for
O&M personnel.
Huawei has put forth its innovative idea of wired and wireless convergence, which makes full use of both wired and
wireless networks. Huawei Agile Campus Network Solution converges and optimizes wired and wireless networks in
terms of user experience and network management experience, helping enterprise users obtain a consistent use and
management experience.
Authentication Independent AC
gateway
Wired policy Agile Campus
control point
Wired and wireless separation Agile switch
Integrated AC
Integrated authentica-
tion gateway
CAPWAP tunnel Wired and wireless
Traditional Campus policy control point
AC card Wired and Wireless Convergence

Authentication
gateway
Wired policy
control point
Wired and wireless integration
Comparison between a traditional and an agile campus
Converged AC: Improving Performance with Unified Wired and Wireless Traffic
Forwarding
Wireless functions are integrated into a line card as a built-in feature. In this way, forwarding, control, and management
planes of wired and wireless networks are converged at the Network Element (NE) level. Agile switches' forwarding
capacity (up to the terabit level) and scalability completely eliminate the traffic bottlenecks caused by the traditional
forwarding function of AC devices and card ACs. In addition, users do not need to purchase additional AC devices or card
ACs, significantly reducing Total Cost of Ownership (TCO).
Solution
Converged Management: One Network Equals One Switch, Simplifying Network

Management
Huawei's Super Virtual Fabric (SVF) technology virtualizes box access switches into cards on a core or aggregation chassis
switch and APs into ports on a core or aggregation chassis switch. In this way, the original network architecture consisting
of "core/aggregation + access switch + AP" is virtualized into one switch, and the entire campus network becomes "One
Box". As a result, devices, services, and user management are unified and simplified.
Core/Aggregation switches Virtual MPUs
1 2 3 n
Access switches Virtual Cards
eSight 1 2 n
APs Virtual Ports
Converged Campus Network 1 2 n

Cloud architecture and on-demand scalability.
Devices on the entire campus network are virtualized into 1 device.
Access switches and wireless APs are merely extension ports of a virtual
switch (vSwitch).
SVF architecture
Simplifying Device Management Simplifying Service Configuration

Huawei Agile Campus Network Solution creates Devices, users, and services are configured in a unified
more efficient access switches. The Huawei solution manner on a core switch. Wired and wireless devices use
uses an AC to manage APs and enables agile core the same template for configurations that are delivered in
switches to manage access switches. After core switches one mouse-click, simplifying service configurations.
automatically discover aggregation and access switches
and APs, and establish channels, the access switches and Simplifying Network Device Maintenance
APs automatically download configurations by accessing
Maintenance operations such as patch installations and
the campus network. Access switches are now effectively
version upgrades are performed on the core switch in a
plug-and-play.
unified manner. Access switches and APs are automatically
upgraded without manual intervention.
Converged Policy: Unified Management of Wired and Wireless Users and Consistent
Experience
Huawei's agile switches integrate user authentication and management functions in the service plane, supporting
multiple authentication protocols such as MAC, Portal, 802.1x, and PPPoE. For example, management tunnels (CAPWAP
tunnels) between an agile switch and an access switch are used to deploy 802.1x authentication on the agile switch at
Solution
the aggregation layer, preventing a massive workload of access switch configurations. The agile switch provides tunnel
management that prohibits unauthorized users from accessing Layer 2 of the campus network, therefore enhancing
network security.
Huawei Agile Campus Network Solution unifies configuration and on-demand association of user access control policies.
The policies can be configured only on an agile switch. For example, the Virtual Local Area Network (VLAN) policy for
security isolation can be automatically deployed in the access area. Policies including ACL and QoS, which limit user rights
or service priorities, can be controlled at the core layer in a unified manner. The entire control process is performed by the
agile switch, eliminating additional O&M workload and enabling "smart" campus network management.
The Huawei solution integrates forwarding, management, and policy control, substantially simplifying deployment and
O&M management of wired and wireless campus networks.
Quality Awareness: First to Allow the IP Network Itself to Be

Aware of Service Quality
Real-time services such as videos, desktop clouds, and VoIP keep increasing in popularity and requiring ever-higher
network quality. Unclear voice, video pixelation, and slow applications have become big challenges for O&M management
personnel. Common factors affecting users' service experience include low network bandwidth, QoS, and network
outages. Other long-term factors that affect service experience but cannot be quickly detected include abnormal traffic
and exception handling caused by network attacks, invalid flow control, faults caused by poorly working devices, and
hidden network configuration errors.
Since the IP network is connectionless, no service connection information but data packets exist on the network. This
characteristic leads to large-scale deployment of the IP network and also difficult quality monitoring. Current quality
monitoring technologies such as Bidirectional Forwarding Detection (BFD), Network Quality Analysis (NQA), and Y.1731
are targeted for Point-to-Point (P2P) connections, which create the N2 problem when deployed on the IP network because
all communication nodes must be deployed symmetrically. Consequently, IP network scalability is low. So far, there are still
no quality detection measures on traditional IP and Ethernet networks.
Solution
iPCA (Packet Conservation Algorithm for Internet) Notify the administrator that
failure points are accurately
located
Automatic fault detection

Wait 100%
Low user experience can be Accurate fault location
detected. potential risk elimination
Agile Network
Quality
problems
Slow Internet access
Slow cloud desktop response
Pixelation Low voice quality
> 70% faults are difficult to locate
Repeated fault
> 90% occurrence
tolerant services
Network is unaware Manual fault location:
of user experience Several hours to Lowered user
degrading several days
experience
Traditional network
Comparison of fault detection results between a traditional and an agile network
Taking advantage of its over 20 years of technological coloring, and counting real service packets. No additional
research, Huawei has developed its innovative, unique detection packet needs to be inserted, so services remain
Packet Conservation Algorithm for Internet (iPCA) uninterrupted. Network quality can be detected in real
technology in the industry. iPCA technology colors and time, and network faults can be located to a network
counts real service packets at the network ingress and segment, a link, or even a device.
performs an accurate statistical calculation on the colored
packets at the network egress. This way, network faults MIMO-based Measurement and Adaptation to
that occur in any area or on any NE can be quickly Networks of Any Scale
detected. By leveraging iPCA technology, we can deploy a
The industry's first Multiple-Input Multiple-Output
complete network quality monitoring system in the entire
(MIMO) quality monitoring technology, it can monitor
network. Through this system, the network itself can
communications among multiple nodes without resulting
detect and locate any factor that affects terminal users'
in the N2 problem. This technology supports Point-to-
service experience. This technology not only remains
Multipoint (P2MP) and Multipoint-to-Multipoint (MP2MP)
the IP network's advantage of being connectionless,
networking, as well as cross-network End-to-End (E2E)
but also completely solves the problem of difficult
detection. This technology solves problems in network
service experience guarantee. Compared to traditional
measuring in scenarios with multi-path and multi-
quality detection methods, iPCA technology features the
directional service flows without limiting the network type
following advantages:
and size. The scenarios include dual-homing, port binding,
load balancing, and Layer 2 and Layer 3 E2E network
Zero Traffic Cost, Real-Time Quality Detection, and measuring. Network scale is not limited, and no problems
Precise Fault Location exist in connecting third-party devices.
iiPCA technology generates no additional performance
Huawei's unique iPCA technology is the first in the
or traffic cost. This technology enables data flows
industry to enable the IP network itself to detect service
between users to have network quality awareness
quality. If a user's experience is degraded, the network
capabilities while transmitting services by marking,
Solution
can quickly detect the poor experience, precisely locate Thanks to this technology, users will enjoy an enhanced
the fault, and provide detailed quality records, helping network experience without being bothered by a wide
network administrators quickly determine what is wrong. variety of network faults.
Fully Programmable & Smooth Evolution: First to Apply SDN

Architecture to Campus Networks
How can we allow enterprises' ICT system to stay ahead of the competition? How can we enable networks to be equipped
the capability of smooth evolution? How can we quickly introduce new services and functions into campus networks? The
answer is a fully programmable architecture. Enterprise customers often have large amounts of services deployed on their
live network. New networks must seamlessly connect to the live network and be able to evolve into the future network
architecture.
Fully Programmable: SDN-Ready, Implementing Rapid Evolution
The fully programmable architecture is a unique enhanced architecture of Huawei's agile network. The core of this
architecture is Ethernet Network Processor (ENP) + Protocol Oblivious Forwarding (POF). Based on Huawei's self-developed
ENP chips, devices' forwarding function can evolve to the future standards. When a new function must be added to
switches using ASIC chips, customers have to replace the old devices because the ASIC chips are unprogrammable.
Additionally, to implement a new function, customers have to wait for a long time period (standards -> chips -> devices).
After deploying agile switches using Huawei's ENP chips, customers can self-define devices' forwarding behaviors on the
Agile Controller, greatly reducing time for provisioning new functions and services and enabling networks to be SDN-ready.
POF Interface (New Function Definition)
Hardware-defined: Software-defined: hardware

Main functions cannot be expanded. performance + software flexibility
Evolution period: > 24 months Agile Functions can be flexibly scaled. Evolution
Controller period < 6 months
The fixed ASIC is used to forward packets. The ENP is used to forward packets. New
To increase the packet forwarding function, functions can be implemented through software
you need to purchase new devices. New upgrade or user-defined through POF.
Functions
Control plane Packet forwarding Packet Control plane

(CPU) (ASIC) forwarding (CPU)
Traditional switch Agile switch
Comparison between a traditional switch and an agile switch
Solution
Huawei's agile switch is the first to implement fully programmable control and forwarding planes, which allows very
convenient provisioning of new services and functions and is software-defined in the real sense. Huawei Agile Campus
Network Solution helps enterprise users easily introduce new functions in software-defined mode, four times faster than
the industry average, and stay ahead of competition.
Smooth Evolution: Perfect Compatibility with Traditional Networks
Each of Huawei's agile switches is configured with dual planes: traditional network plane and enhanced control plane (Agile
Controller). Huawei's agile switches have dual planes (traditional network plane and enhanced control plane) deployed
on one device. In this manner, Huawei agile switches enable traditional networks to smoothly evolve into agile networks,
maximizing the user's ROI.
Agile Controller (Optional)
Enhanced Control Plane

Rights/Security/QoS/Path
Agile Switch
Traditional Network
Plane
STP/OSPF/BGP/
Smooth evolution
The traditional network plane and the enhanced control plane (Agile Controller) can be deployed separately on the live
network. Huawei agile switches can seamlessly connect to the user's live network using the traditional network plane.
On the enhanced control plane, the controller provides full-scale network functionalities such as free mobility and
security collaboration over the entire network. Users can configure the controller on demand. Even if the controller fails,
connectivity of the traditional network plane will not be affected. This way, enterprise customers can deploy new networks
based on their own service development needs or migrate their existing services to the enhanced control plane, which will
not affect the live network.
Huawei Agile Network Solution provides SDN capabilities by leveraging a wide array of innovative technologies, including
fully open and programmable network architecture, POF technology, ENP chips, and dual control planes on one switch,
enabling the existing networks to smoothly evolve into the future network.
Solution
Customer Benefits
Huawei Agile Campus Network Solution accommodates enterprises' future network requirements: concentration on users,
automatic network resource deployment, automatic fault location, and fine-grained network management.
This solution eliminates many tricky problems:
Lack of experience guarantees
Low-efficiency deployment
Single-point security protection
Slow response to threats and attacks
Video pixelation, unclear voice, slow network access, and poor remote office and mobile office experiences
The Huawei solution also permits campus enterprise networks to quickly adapt to new services and build a service-friendly
network architecture. The solution proactively enables service quality awareness, network optimization, software-defined
provisioning of new services, and rapid service evolution.
The ultimate goal of Huawei Agile Campus Network Solution is to help enterprise users enjoy convenient, high-quality
communications without any constraints brought about by distance and to enable communication between people and
devices and the seamless transfer of information.
Why Huawei?
Huawei is backed by 20 years of accumulated

experience in the IP field and a full series of network
products and solutions. Recognized as a leading global
network solutions provider, Huawei's long-term plan
for network development includes expanding its world-
leading research and development into future network
architectures. Huawei has global facilities with world-
class experts plus extensive experience in pre-research into
network standards and chip development.
As a member of ONF, IETF, and IEEE, and other standards

organizations, Huawei participates in SDN standards
research. Huawei has contributed to areas of network
migration to SDN, including product development and
improvement in customization. Huawei also plans to
provide more intelligent, programmable, and open
networks through its respected carrier-grade network
experience and innovative products and solutions.
Solution
Huawei Agile Stadium Solution
Trend Towards Stadium Wi-Fi
Rise of Stadium Wi-Fi Era
T
First, a Wi-Fi network facilitates communications between
he Mobile Internet manifests itself by its ubiquitous
the stadium, fan club, and fans. With the help of a Wi-Fi
high-speed Internet access and abundant types of
network, the fans can access the local video server to relay
mobile applications and services. Wi-Fi networks
the game and to interact with family members, friends,
work as a supplement to 3G/LTE networks and balances
and other club members through social networking
the load of 3G/LTE networks. Due to their low cost and
websites (microblog, WeChat, and Facebook). Through
high bandwidth, Wi-Fi networks are widely popular and
the stadium APP, the audience can query club or team
widely deployed in public places such as shopping malls,
member information, learn real-time game statistics, or
bars, hotels, and public squares.
obtain a schedule.
A stadium is a typical high-density hotspot for a Wi-Fi
Second, a Wi-Fi network helps deliver business services
network offering the following functions:
by allowing an audience member to query and purchase
Solution
game or concert tickets online or order food through a onto the Portal access page, stadium APP page, Wi-Fi
customized stadium APP during a game or concert. After SSID, or browser page, creating additional income for the
the vendor receives the order, it will send the food directly stadium.
to the fan. At the entrance or garage, the audience can
Last, a Wi-Fi network offers stadium employees a mobile
use the indoor navigation system to find their seat or
office platform on which voice communications, mobile
parking place.
office applications, and other mobile communications
Third, a Wi-Fi network increases stadium revenue by are available for security personnel, sales staff, and game
providing value-added services or by pushing advertising. organizers, a great convenience for doing their job.
Game reports and advertisements can be planted directly
Stadium Wi-Fi Network Characteristics and Deployment Challenges
Unlike common office networks, the stadium Wi-Fi from internal network terminals. Additionally, terminal
network is characterized by high-density, large capacity, behaviors must be effectively controlled on the Wi-Fi
and real-time service delivery, which makes its deployment network.
complicated and demanding.
Considering the enormous variety of users, terminals,
More specifically, the deployment of a Wi-Fi network in a services, and locations, a stadium Wi-Fi network must be
stadium faces the following challenges: able to recognize user identities, control user access, and
deliver differentiated services.
First of all, the greatest challenge is the extremely high
user density. Most stadiums have tens of thousands
of seats; some world-renowned football stadiums are
equipped with over 80,000 seats. Therefore, user density
will be dozens or hundreds of times greater than in
offices, dormitories, and hotels.
High user density requires that a Wi-Fi network provide

large bandwidth and reliable core nodes, and be robust
enough to defend against potential security threats
Huawei Agile Network Solution Tailored for Stadiums

Based on an analysis of stadium Wi-Fi network characteristics and deployment challenges, a stadium Wi-Fi network design
involves three steps: designing a smart network with flexible user control, constructing a high-density Wi-Fi network, and
deploying a robust network.
Constructing a High-Density Wi-Fi Network
To fit well into a high-density stadium, a Wi-Fi network solution must offer end-to-end support capabilities and a
comprehensive guarantee process that includes product capability, network planning, network deployment, configuration
optimization, and testing and verification. Most importantly, the products and devices used must support high-density
features and large bandwidth. In short, a Wi-Fi network plan must match stadium characteristics and access scenarios.
Solution
High-Density Wi-Fi Access Features
Huawei WLAN products integrate the latest 802.11 adjusts the radio resources to ensure optimal access and
technologies, among which 802.11n, 802.11ac, MIMO, high user bandwidth.
and implicit Beamforming greatly improve network
Auto Radio technologies include dynamic channel
throughput; also, a smart scheduling mechanism enables
and power adjustment, dynamic load balancing, and
high-density access. The following paragraphs describe
automatic Clear Channel Assessment (CCA). Huawei's
some of the scheduling technologies in detail:
CCA dynamically adjusts CCA threshold values based on
the radio environment to improve channel efficiency and
Airtime scheduling: fair time scheduling increase capacity.
If low-rate terminals preempt the wireless channel ahead
of high-rate terminals, high-rate terminals cannot operate Multi-user access scheduling
at their maximum capacity. Airtime scheduling technology Multi-user Connection Access Control (CAC) controls user
allows high-rate terminals to go first and periodically access based on the number of users connected to APs
detects each terminal's data sending time. It assigns equal and channel usage. Such control is especially applicable
time to all terminals, ensuring fairness in channel usage. to high-density scenarios. It can limit the number of users
With equal channel occupation time, high-rate terminals occupying the AP bandwidth and thus maximize user
have more chances to transmit data. experience.
APs implement cyclic scheduling of voice, video, and
data services at low, medium, and high rates. The APs Control access of low-rate/weak-signal terminals
periodically detect terminal rates. A high-speed terminal In a high-density scenario, some stations (STAs) may
is placed behind the low-rate ones if it works at a lower attempt to associate with distant APs; therefore, the
speed. Huawei products support the association between APs may receive weak radio signals from the STAs. After
airtime scheduling and QoS scheduling. For wireless associating with the APs, these STAs work at low rates,
services, QoS scheduling (WMM) is implemented first, and affecting overall network throughput. These weak-signal
then airtime scheduling. or low-rate STAs can be prevented from accessing the
WLAN to reduce the impact of these STAs on the network
Auto Radio: dynamic radio calibration as well as improve the overall WLAN performance.
Movement of terminals within the stadium causes the
radio environment to change frequently. Auto Radio
Solution
High-Density Wi-Fi Network Plan
Proper network planning is the key to deploying a successful stadium high-density Wi-Fi network, but signal coverage
where terminals are densely distributed is not a deployment concern. A good network plan has to deal with the challenge
of minimizing signal interference without compromising network capacity. A stadium has a complex structure, with stands
of multiple layers in east, west, north, and south directions. The central lawn is sometimes used for concerts and also
requires signal coverage. A massive number of APs must be deployed throughout the stadium, working on both 2.4 and 5
GHz channels. To avoid signal interference, the location of APs and channel design must meet deployment requirements.
A stadium Wi-Fi network plan involves the following aspects:
User bandwidth analysis

Video services require a bandwidth of 512 kbps and data services a bandwidth of 256 kbps. To ensure that mainstream
applications run properly, the bandwidth must meet the following requirements:
APP Required Data Rate Remarks

Web 160-400 kbps Size of a web page: 200 KB; delay: 4 to 10s
Video 280-560 kbps Real-time services
Instant messaging 32-64 kbps 2 KB/Session, 0.5s.
Email 400 kbps 100 KB/Session, 2s
Social networking 200 kbps 50 KB/Session, 2s
VoIP 256 kbps Real-time services, for example, 256 kbps GBR for Face Time
Game 200 kbps 25 KB, 1s
Capacity design
Usually, the number of APs is determined by two factors: coverage area and network capacity. A high-density scenario
is capacity-limited but many APs need to be deployed in a high-density scenario. Therefore, the quantity of APs depends
mainly on network capacity. The distance between APs must also be controlled to reduce interference. To ensure good
coverage, Huawei uses calculation rules for typical scenarios to calculate the number of APs and conducts comprehensive
site surveys to create a detailed network design.
Example: capacity design for the south stand
Average bandwidth required by each user 300 kbps
Concurrent online users on a single AP 50
Total number of users on the first layer of the south stand 6,330
Total number of users that concurrently use Wi-Fi services 20% x 6,330 = 1,266
AP quantity required 1,266/50 = 25
Solution
AP deployment
AP deployment must match each stadium's unique structure. AP locations depend on the availability of acceptable
locations and lack of signal interference and, each location needs to be approved by the customer. Three deployment
modes are available: overhead, side, and floor.
Side Mode Advantages and disadvantages of the three modes are described as
follows:
1. Side mode:
Advantages: The APs are easy to install and can be mounted in a

line. Co-channel APs are far from each other, providing good anti-
interference capability.
Disadvantages: The last row of seats is often near the ceiling and within
Overhead Mode reach of the APs, which must be protected from the fans.
2. Overhead mode:
Advantages: APs are easy to install on bridleways. APs and terminals are
mounted in line-of-sight of one another keeping penetration loss within
the allowed range.
Disadvantages: It is difficult to install APs on high ceilings without
bridleways or similar structures.
Floor Mode
Ceiling 3. Floor mode:
Advantages: AP signals attenuate due to obstacles. The AP coverage

area can be controlled. Therefore, many APs can be deployed to connect
more users.
Stand
Disadvantages: Obstacles between a terrace and terminals are complex;
therefore, signal attenuation is hard to estimate.
Solution
Channel design
AP channels should be properly designed

to prevent interference. When planning AP
channels, avoid interference from other existing
signals which can severely affect access quality.
Overall channel planning rules: Co-channel

and adjacent-channel APs should be deployed
far from each other to increase channel
multiplexing efficiency. Additionally, interference
between APs on the same layer or different
layers should be considered.
Second layer of the stand

CH9 CH1 CH13 CH5 CH9 CH1 CH13 CH5 CH9 CH1 CH13 CH5
CH 36 CH 44 CH 52 CH 60 CH 100 CH 108 CH 56 CH 104 CH 120 CH 136 CH 44 CH 52
First layer of the stand

CH13 CH5 CH9 CH1 CH13 CH5 CH9 CH1 CH13 CH5 CH9 CH1
CH 116 CH124 CH 132 CH 140 CH 40 CH 48 CH 64 CH 112 CH 128 CH 116 CH 124 CH 132
Agile Stadium Solution Structure
DHCP server WAN/Internet

Data center Clustering/stacking
Agile Controller
Video server NE/AR series routers Link aggregation
Surveillance server 10GE
USG6600 series:
Network management next generation firewalls
10GE
S12700/S9700
Core switches, Native AC
10GE
East terrace West terrace
S7700 series: aggregation S7700 series: aggregation
switches (optional) switches (optional)
GE

S5700 series: PoE switches S5700 series: PoE switches
AP6610DN: outdoor AP AP6610DN: outdoor AP

AP6010DN/AP7110DN: AP6010DN/AP7110DN:
indoor APs indoor APs
Solution
Huawei recommends the agile campus network solution, The agile switch is the first core switch in the
which can build a high-bandwidth, reliable, and secure industry that provides T-bit AC capabilities that avoid
network for a stadium. Huawei's agile campus network performance bottlenecks found on independent AC
solution uses PoE switches as access switches to devices. The native T-bit AC capabilities achieve in-
connect and provide power for APs, which simplifies AP depth convergence of wired and wireless networks
installation. The access switches are enabled with 2 x GE helping customers migrate their wireless networks to
uplinks to obtain the required access bandwidth. Agile 802.11ac.
switches function as the core switches and have Ethernet
Security guarantee across the entire network: The
Network Processor (ENP) cards configured to offer
agile controller interoperates with the security
native access controller (AC) functions. Next-generation
resource center to provide security for the entire
USG6600 firewalls are utilized as the security resource
network. Security functions are not only implemented
center. Policy Center and Portal servers are deployed to
by egress firewalls. Additionally, the agile controller
implement unified policy control.
collects security events from the entire network,
performs Big Data analysis, and automatically delivers
The agile campus solution features the following
security policies.
advantages:
Free Mobility: The agile controller associates with
Super large entry size: ENP cards on Huawei's agile
agile switches as well as the next-generation firewalls
switches support a large number of entries (including
to realize multi-dimensional policy control, enabling
1M MAC address, 256K ARP, 3M routing, and 128K
provision of fine-grained rights and bandwidth
multicast routing entries), supporting access for over
policies for VIP users, employees, audience members,
80,000 users.
and VIP areas.
Wired and wireless convergence: Native ACs
Quality Awareness: First to detect IP network quality
provided by the agile switches enable customers
and fast locate fault by IPCA technology.
to build wireless networks without additional AC
hardware, reducing network construction costs.
Solution
Designing a Smart Network with Flexible User Control
A Wi-Fi network covers both common and VIP areas in Policy control based on service type: High priority
a stadium. In addition to delivering access to the fans, and large bandwidth are allocated to URLs, services,
a Wi-Fi network has to deliver access services to VIPs or applications customized by the stadium. Malicious
and stadium staff members. Applications the audience services or websites are assigned low priority, and
may use include ordinary internet services, unique apps related traffic is even blocked.
customized by stadiums and clubs, and video playback.
Portal page customization based on terminal type
Wireless terminals may include smartphones, customized
and location: The stadium portal page displays the
devices, and laptops.
stadium map and/or game schedule and provides
food and ticket information in the stand areas. The
Through the association of network devices, Huawei
Portal page automatically adjusts to mobile phones,
agile campus network can identify users, their locations,
pads, and laptops, improving user experience.
service and terminal types in order to implement smart
management and control accordingly: Video service multicast design: Video replay
services are assigned high priority. Since multicast
Service guarantee for VIP users: VIP users are
transmission across the entire network conserves
assigned high priority, large bandwidth, and specific
network bandwidth, APs are configured to use
access rights.
a multicast-to-unicast conversion mechanism on
Service guarantee for VIP areas: Users in VIP areas are wireless interfaces to transmit multicast data. This
provided with high quality services, with high priority, ensures high-quality video transmission on the
bandwidth, and rights. wireless network.
Success Stories
Your Wish Our Ways
Huawei Agile Switch S12700 Helps BAIC to Build the Agile Network
Creating a Digital Hospital and Promoting Mobile Medical IT

Construction
Huawei S12700 Series Agile Switches Help Third Affiliated Hospital of Guangzhou
University of Chinese Medicine Build an Agile Network
Success Stories
Your Wish Our Ways

Huawei Agile Switch S12700 Helps BAIC to Build
the Agile Network
The agile network with S12700 agile switches as the core is deployed
on the live network.
High performance and large-capacity entries ensure smooth

forwarding of big data between departments of the Beijing
Automotive Group.
Success Stories
BAIC and Agile Switch technology CSS2, large-capacity entries, and native AC
(wired and wireless convergence), fully programmable
Beijing Automotive Group (officially Beijing Automotive architecture of Huawei agile switch S12700 fully meet
Industry Holding Co., Ltd., also known as BAIC Group requirements of BAW future network construction.
or Beiqi) is one of five largest Chinese automotive
groups. BAIC Group is mainly engaged in automotive
manufacturing, production of auto parts, service trade,
R&D, and readjustment. It is also the development
Blueprint Leads the Way
and planning center, capital operation center, product "Rapid development of science and technology creates
development center, and talent center of the Beijing increasing requirements of production enterprises
automotive industry. on technologies. Without technology foresight, the
In June 2013, Beijing Automobile Works Co., Ltd. (BAW) intelligent system architecture established using
was founded. It is a subsidiary of BAIC that produces light outdated technologies may become outdated rapidly
off-load vehicles and military vehicles. This is an important and cannot meet users requirements. To ensure that the
measure for building Chinese specialized military vehicle system is able to adapt to intelligent development trends
and SUV base, which was proposed by Beijing municipal for the following several years, hardware, software,
leaders. The blueprint of BAW is ready to come out. network devices, and information systems should use
open protocols that are compatible with international
On August 8, 2013, BAIC leaders were invited to join
standards. The intelligent system should use advanced
the agile switch press conference. Participants are deeply
products and technologies so that an intelligent system
affected by the press conference. The subject "Now, it is
with high performance, high speed, large capacity, high
time to change the future" of the first agile switch S12700
reliability, ubiquitous connection capability is available."
press conference strikes resonance in BAIC leaders' heart
and mind. The topics of agile switch, agile network, and Being customer-oriented, BAIC quickly learns customers
continuous evolution draft the future blueprint, which is requirements, stipulates Big Data strategic planning, and
also the objective of BAW network construction. formulates Big Data blueprint. New service models can be
deployed to understand consumers' requirements.
Huawei communicates with BAIC multiple times after
the conference. The switching fabric hardware cluster By doing this, BAIC can implement precision marketing
Success Stories
and targeted advertising, reduce operation costs, and Miercom and Tolly show that the S12700 and Cisco
even accurately predict sales performance. To deploy switches have excellent interoperability. Miercom test of
innovative services, the lower-layer network must use the S12700 shows that Protocol Oblivious Forwarding
advanced technologies. Network devices should be open (POF) enables devices to support future innovative
to support new service deployment. protocols.
To meet advancedness requirements of the BAIC network, "Because POF applies to all protocols, in the future it
Huawei deploys the agile switch S12700. The S12700 will be able to control traffic types that have yet to be
uses the first built-in Ethernet Network Processor (ENP). introduced."Miercom
The S12700's fully programmable architecture allows
innovative services to be deployed, improving service
provisioning four times. The S12700's open interfaces Intelligent System Meets Fast-Changing
and user-defined forwarding processes meet service Requirements
customization requirements. The S12700 works with Agile
"The intelligent system should use advanced products
Controller in the SDN solution, which allows the current
and technologies so that an intelligent system with high
network to be smoothly migrated to the SDN network,
performance, high speed, large capacity, high reliability,
protecting investments.
ubiquitous connection capability is available."BAIC has
"The Huawei S12700 series agile switches can play a original ideas of the intelligent system platform, which are
significant role in campus networks now and for years to unique in the automotive industry.
come, thanks to its future-proof design and capability to
There are many networks in BAIC, including purchase,
accommodate evolving user needs. Key components of
production, R&D, sales, finance, and customer data
the future-proof design include large capacity of MAC, FIB
networks. The lower-layer network is required to provide
and ARP tables as well as its SDN-ready/ programmable
high capacity, high performance, and intelligence.
architecture."Miercom
Fu r t h e r m o re , t h e n e t w o r k l a y e r s a n d n e t w o r k
Openness is the core of BAIC. More than 30 years management need to be simplified. To meet BAIC
ago, BAIC took the first step in opening to the outside requirements, Huawei deploys the Agile Network Solution
world. "We can gain the initiative to international on the live network.
competitiveness and better develop BAIC only through
The S12700 agile switch provides millions of MAC and
openness." leaders emphasize the openness. In the
FIB entries, with the cluster bandwidth as high as 1.92
future network blueprint, openness is a necessity.
Tbit/s. IXIA test shows that the S12700 agile switch has
"Hardware, software, network devices, and information the highest density of 10GE interfaces and line-speed
systems should use open protocols that are compatible forwarding capability. The line-speed forwarding capability
with international standards."This is the network design of 576 10GE interfaces on the S12700 is leading around
principle. the world. The high-density 10GE interfaces ensure data
transmission bandwidth between BAIC departments.
Traditional network products carry many proprietary
The SFUs can be upgraded to provide higher switching
protocols or use current international standard protocols
capacity, protecting BAIC investments.
but cannot well support future international standard
protocols. Huawei S12700 on the BAIC live network uses Innovative CSS2 of the S12700 implements 1+N backup
Huawei stable and reliable Versatile Routing Platform of MPUs. The cluster system can work when only one
(VRP), hardware structure based on the core router. This MPU works. The CSS2 technology ensures the cluster
ensures the leading connectivity. The S12700 not only system works properly with only one MPU. The reliability
uses international standard open protocols, but also is surpasses traditional card-level backup. The switching
compatible with proprietary protocols of mainstream fabric hardware cluster technology provides the
vendors. Tests from global well-known test organizations interchassis forwarding delay only 4 s. CSS2 is suitable
Success Stories
for many inter-platform applications such as cloud data Conclusion

centers.
The thrive of BAIC services brings in explosive increase of
To simplify the BAIC network, Huawei Agile Campus purchase, production, R&D, sales, finance, and customers
Network uses native AC technology. A common service data. BAIC also considers analysis of unstructured
card can be integrated with AC processing and Ethernet customers information data from the Internet, social
switching. The switch provides as high as Tbit/s data networking, and communication tools to understand
forwarding. Compared with traditional AC, the switch customers' requirements and attitudes. By doing this,
manages more APs and STAs and allows 802.11ac BAIC can implement precision marketing and targeted
highspeed access. advertising, reduce operation costs, and even accurately
In addition to service processing, BAIC requires intelligent predict sales performance. BAIC will take a farewell to
O&M. As BAIC services develop, the BAIC network scale the besteffort (BE) model on the IP network and focuses
increases. There are increasing requirements for intelligent on service and user experience. Huawei, a pioneer of
deployment and accurate O&M. The S12700 considers the next-generation network, users the agile network
intelligent O&M requirements starting from its design. architecture and agile switches to help BAIC go along
The S12700 uses innovatively patented technology the agile way and become the leader of the automotive
Packet Conservation Algorithm for Internet (iPCA). iPCA industry network.
allows the network to detect the quality and accurately
locates faults. iPCA determines whether services can be
provisioned according to the service model, uses real
service flows to detect the network quality, displays
detailed visualized quality records in eSight, and accurately
locates network faults in real time.
Success Stories
Creating a Digital Hospital and Promoting

Mobile Medical IT Construction
Huawei S12700 Series Agile Switches Help Third Affiliated Hospital of
Guangzhou University of Chinese Medicine Build an Agile Network
T
he medical reform promotes digital hospital integrating medical treatment, teaching, and research. The
construction. Based on computer, network, and hospital is an important research center for the Chinese
intelligence technologies, a digital hospital integrates orthopedics science, which is a national and provincial
and transmits patient information, and includes patient key discipline in GZUCM. The hospital decided to build a
information in the society medical database. It facilitates digital hospital network for its new building. Future service
medical resource integration and process optimization, growth, network scalability, and logical isolation between
reduces operating expense (OPEX), and improves service internal and external networks should be considered in
quality, work efficiency, and management level. network construction. Core devices should be robust and
stable. Even when single-point failures occur, the network
Third Affiliated Hospital of Guangzhou University of Chinese
must stably process internal services such as hospital
Medicine (GZUCM), a hospital adopting both traditional
information system (HIS), laboratory information system
Chinese and western medicine, is a comprehensive hospital
Success Stories
(LIS), and picture archiving and communication system security problems in mobile payment and remote wireless
(PACS) services. The internal network should also support access that cannot be solved by traditional security devices.
wireless services, ensuring the construction of mobile
medical treatment in the hospital. Mobile Medical Treatment Promotes
the Medical IT Construction of Third
Network Reliability Is Crucial Affiliated Hospital of GZUCM
According to Huawei's experience in building digital Mobile medical treatment, compared to a crown jewel,
hospitals, hospital service systems such as HIS, LIS, and is a key project in the Ministry of Health. It is also a focus
PACS require the network to process services efficiently, of the medical IT construction in Third Affiliated Hospital
transmit image information in real time, and have high of GZUCM. The construction of mobile medical treatment
reliability. accelerates the deployment and implementation of wireless
medical services such as wireless ward round, mobile
To prevent service interruptions caused by single-point
nursing, mobile infusion, and patient positioning. To help
failures, Huawei uses the industry's most advanced switch
the hospital quickly deploy wireless services and simplify
fabric hardware clustering technology: Cluster Switch
wired and wireless networks management, Huawei uses
System Generation2 (CSS2). CSS2 technology virtualizes
the native AC function of S12700 series agile switches
two physical core switches into a logical switch through
to manage and control APs and forward APs' traffic
switch fabric units (SFUs). The innovative 1+N backup of
through Ethernet Network Processor (ENP) cards. S12700
main processing units (MPUs) further improves cluster
series agile switches provide industry-leading unified
reliability.
management, policy, and forwarding for wired and wireless
services, ensuring uniform and optimal user experience
Improving Network O&M Quality and
and management experience on the wired and wireless
Ensuring Internal Network Security
networks.
To simplify network operation and maintenance (O&M),
Huawei uses the unique Packet Conservation Algorithm for Future-oriented Network Evolution
Internet (iPCA) technology of S12700 series agile switches Capability
to mark, color, and count packets of services such as
The implementation of Huawei solutions in Third Affiliated
remote medical video teaching and teleconsultation. iPCA
Hospital of GZUCM enables the hospital network to
technology provides precise quality detection and real-
support various services. Huawei S12700 series agile
time fault location without extra traffic costs. It helps O&M
switches function as core devices on the network. S12700
personnel easily obtain network status, improves fault
series agile switches have the fully programmable and
location efficiency, and ensures the high quality of videos
shorten service provisioning from two years to six months,
used in remote medical teaching and teleconsultation.
removing the need to replace hardware. The live network
IT technologies and communications networks facilitate
can be smoothly evolved to a software-defined networking
medical IT construction, but also bring various security
(SDN) network, providing a more open and reliable
risks. Unauthorized users may steal confidential hospital
architecture, faster transmission speed, and higher security
information for personal gain, access hospital application
and scalability.
systems, and tamper data in the systems. Terminals may
not have patches installed in time, causing worm spreading
on the entire network. Based on the Big Data concept, Summary
Huawei S12700 series agile switches use a next-generation The deployment of Huawei agile network in Third Affiliated
security firewall card to help O&M personnel find security Hospital of GZUCM promotes the hospital's mobile medical
risks by analyzing user behaviors. The firewall card enables IT construction and improves the operation capability of the
the network to actively defend against attacks, solving digital hospital.
Technical Essays
Agile Campus Network Easily Tackles
Mobility Challenges
Evolution of Free Mobility
Protect Your Network with Huawei's United

Security Solution
In-Depth Convergence and Simplified

Network O&M Management
Agile Network Brings a Brand New,

Excellent Network O&M Experience
Technical Essays
Agile Campus Network Easily Tackles

Mobility Challenges
Challenges Brought About by Mobility Voice from IT Operation and Maintenance (O&M)
personnel: Our company has deployed Wireless Local
M obility brought by mobile office and Bring Your

Own Device (BYOD) is an inevitable trend in
enterprise campus networks. There are two mainstream
Area Network (WLAN) and mobile office, and most of the
employees access the company network using laptop or
tablet PCs. However, recently, our CIO often complains
mobile application scenarios inside the campus: that important video conferences are frequently affected
Employees access the campus network from by other service traffic at the beginning of the year, during
the corporate headquarters or branches or on a which many departments hold their annual planning
business trip. conference. A good service experience cannot be ensured
at all.
Employees access the campus network through Wi-Fi
networks. For example, employees carry their laptop Voice from a post-sales director: Employees in our
PC from their office to a conference room while department often need to access to our company
keeping services uninterrupted. network to handle problems on the customer's site. That's
why our department has long achieved mobile office and
Although mobile technologies help enterprises improve
remote access. However, it is found that, when accessing
their service operations efficiency, they also result in new
the company network through Virtual Private Network
problems. Let's listen to voices from different users.
Technical Essays
(VPN), employees in Beijing have to bypass and access the overloading the IT department. Moreover, each node
network in Sweden, and employees in Shenzhen have to on the IP network works independently from another.
bypass and access the network in Vietnam. Consequently, Service policy execution through single-point, distributed
the network quality is rather poor. When we handle a computing cannot ensure that configuration of each node
critical problem, such terrible network latency considerably is consistent with that of another on the entire network.
lowers our customer's satisfaction.
Then how can enterprises meet the challenges caused
Voice from a Chief Information Officer (CIO): To by mobility to their campus network? How to ensure
accommodate service demands, our company has set up consistent policies and service experiences? How to
many R&D project teams, and personnel in these project simplify workload of the IT department as well as policy
teams are frequently transferred. Accordingly, strict and service experience control?
network access rights isolation must be performed among
different project teams to secure our information assets,
which results in heavy network maintenance workload. SDN-based and Centralized Service
Although wireless network access is quite flexible, it Management and Control
makes our employee's access location become more
In fact, the cause of all problems is decentralized service
flexible. As a result, employees' network access becomes
management and control. If all services can be managed
more difficult to manage and control. That's why we still
in a centralized manner, security control and service
haven't made up our minds to deploy a wireless network
experience policies can be configured at the same place
in our company.
in a unified manner, and the policies are delivered to
It is safe to conclude that mobile office and BYOD have devices on the entire network simultaneously, policies and
brought about a new tricky problem how to provide service experiences can be kept consistent over the entire
consistent policies and service experiences for mobile network, and policy and service configurations will be
users. The security policies include policies for isolating greatly simplified.
and controlling users with different identities and service
security control policies for users who access a data
center. The service experiences include bandwidth and Agile Campus Network Provisioning
service priority guarantee for users who access services. Free Mobility
For example, VIP users working the mobile office work
Based on Software-Defined Networking (SDN) ideas,
style need to preferentially access the network.
Huawei Agile Campus Network Solution focuses on
These policies and service experiences must follow guaranteeing consistent security control and user service
users and be flexibly adjusted based on user location. experience. Free mobility encompasses ubiquitous policies
On a traditional enterprise campus, in order to control and access experience. The policies include access rights,
services and users, the IT department carries out complex service flows, and security policies. The experience
plan and design of the entire network. Virtual Local includes control of bandwidth and priority. This solution
Area Network (VLAN) and Access Control List (ACL) are enables campus networks to be more agile for services,
manually configured on access layer devices to control for example:
access rights and bandwidth. Quality of Service (QoS) and
Users with different roles such as VIP users and
traffic control policies are manually configured on routers
users in R&D, finance, and marketing departments
and firewalls. Nowadays, users can access the campus
can work simultaneously in the same office zone.
network using the same terminal at different locations,
They can be easily isolated from one another to
which exponentially increases complexity of policy and
secure network access. They also have different
service configurations. In addition, when services and
service priorities, which can be dynamically adjusted
users must be adjusted, policy and service configurations
according to user location and identity.
must be manually modified over the entire network,
Technical Essays
VIP users automatically obtain high bandwidth and and users' security control and service experience policies
service priorities for network access when they are kept consistent over the entire network.
connect to key devices, such as access switches,
By leveraging the SDN ideas, Huawei has put forth the
Wide Area Network (WAN) routers, Security Access
Free Mobility Solution in its overall Agile Campus Network
Gateways (SAGs), data center ingress firewalls, on
Solution. Compared to traditional Network Access Control
the campus network inside the company, across
(NAC) solutions, Huawei's Free Mobility Solution features
WANs, or on a business trip while working in mobile
the following advantages:
office mode.
Traffic of special users such as guests can be Advantage 1: Centralized management and control
automatically identified. Such traffic is automatically of polices on the entire network
diverted to corresponding security devices for Huawei uses the Agile Controller to manage and control
application security operations including online user-based security and service experience policies. The
behavior audit. Agile Controller's core benefit lies in easily implementing
consistent security control and service experience on the
Traffic scheduling oriented to different users on the
basis of reducing workload of IT O&M personnel and
campus network is implemented. For example, traffic
bringing excellent free mobility and enhanced experience.
of different users can be distributed and scheduled
based on user identity among multiple Internet
Advantage 2: Fine-grained user management
egresses such as China Telecom, China Mobile, and
China Unicom egresses. The Huawei solution shifts the mode, in which a user
group accesses a fixed server's IP address, of traditional
How can we achieve all these functions? In the first
NAC solutions to inter-user group policy control. Such
place, Agile Controller must be introduced to campus
two-dimensional, fine-grained user management and
networks, which controls user identities and policies on
control easily implement security isolation in scenarios
the entire network in a unified manner. The Campus
where a user group accesses another, which is unrelated
Control uniformly defines user groups, associates security
to users' physical location.
control and service experience policies that match users
with the user groups, and then delivers the policies to
Advantage 3: User- and service-based application
devices on the entire network simultaneously. Network security protection
devices including switches, firewalls, and VPN gateways
Service flows from insecure terminals or zones will be
will dynamically receive the policies delivered by the Agile
diverted to the security resource center for cleaning and
Controller, intelligently recognize the identity of the source
user group-based application security policy control.
user sending service packets and that of the destination
For example, guest traffic will be diverted to a Next-
user receiving service packets, and then execute the
Generation Firewall (NGFW) for intrusion detection, and
policies delivered by the Agile Controller.
the guest is prohibited from accessing any video service.
When users access the campus network at different
Huawei's Free Mobility Solution implements free mobility
locations, the security control polices, such as access rights
and access experience through more abundant policies,
control and user group isolation, will be delivered by the
more comprehensive policy control, and control modes
Agile Controller to edge devices closest to the user side
of higher ease of use. Taking advantage of the Huawei
based on user location. The service experience policies
solution, employees working in the mobile office style
such as bandwidth and QoS policies will be delivered by
can obtain a consistent service experience whenever and
the Agile Controller to key devices, such as firewalls and
wherever using any terminal.
security access devices at network egresses and data
center ingresses on the entire network. In this manner,
separate, tedious device configurations are prevented,
Technical Essays
Evolution of Free Mobility
E ver since the rollout of Huawei Agile Network Solution

last year, features such as free mobility, united
security, and Packet Conservation Algorithm for Internet
based on user role. External visitors gain no access to
core resources.
Therefore, it is safe to conclude that NAC technology

(iPCA) have been drawing more attention from the
focuses on access security, paying close attention to
industry. What is the difference between Huawei's agile
access management and control during the entire access
network and the traditional network? Let's take a look
process. It also controls access rights to server resources
at the evolution of free mobility, starting with Network
after users gain access to the network. However, this
Access Control (NAC) technology.
technology does not deal with the quality of user access.
NAC technology implements dynamic user authentication,
In recent years, a growing number of wireless networks
bandwidth control, and access rights control through
have been deployed on enterprise campuses, and
interaction between authentication servers and network
emerging technologies such as Bring Your Own Device
devices. Similarly, free mobility technology implements
(BYOD) also have developed rapidly. Many employees
user authentication and ensures service transmission
now use portable PCs, tablets, or even mobile phones
through interaction between the Controller and network
to access wireless networks through Wireless Local Area
devices.
Networks (WLANs) or 3G mobile networks. The mobile
NAC technology provides the following core functions: office work style has the following characteristics:
Authenticates access users, checks the health of user Users may access the campus network from
terminals, and then permits or denies access to the anywhere, anytime, causing frequent changes in
network based on the authentication result. policies on access devices and overloading network
administrators.
Controls the rights for accessing core resources
Technical Essays
Although VIP users as well as users in departments the China Education and Research Network (CERNET).
such as R&D, finance, and marketing often
To implement ubiquitous policies, free mobility technology
simultaneously use mobile applications to access the
makes the following revolutionary technological and
networks in the same office area, users of different
architectural changes:
roles must be isolated and assigned different service
priorities. SDN-based policy control: Free mobility use Software-
Defined Networking (SDN) concepts to configure all
Consistent network access and user experience must
user groups, user rights, and user experience policies
be guaranteed. For example, VIP users need to obtain
on the Controller. The Controller interacts with
high bandwidth and service priorities when they
devices on the entire network to translate and deliver
access the network across WANs on a business trip.
these policies.
Mobile applications challenge traditional NAC technology,
More control devices: "Ubiquitous" means policies
while the brand new free mobility technology can be used
must be controlled and implemented on the entire
to solve these problems. Free mobility focus more on user
network. Free mobility technology permits key
isolation, security control and, consistent user experience.
devices such as access/core switches, wireless
User isolation and security control: Free mobility devices, firewalls, and remote access gateways to
technology divides users into different user groups based communicate with the Controller, and then adds
on user identity. When users of different roles access these devices to the queue to automatically apply
the network, the network learns identities of the packet user policies.
sender and receiver and isolates different users groups
More control policies: In addition to rights policies
through intelligent association between the Controller
supported by NAC technology, free mobility
and edge devices closest to users.
technology supports Quality of Service (QoS) policies,
Consistent user experience: The network can coordinate route selection at the egress, and traffic diversion.
key devices over the entire network through the In the near future, this ubiquitous technology will
Controller. The network can also ensure consistent user develop to provide more application security policies.
experience and service scheduling by intelligently adjusting
Compared to NAC technology, free mobility technology is
policies. For example, VIP users obtain high bandwidth
more applicable to security isolation and user experience
and service priorities when they access the network inside
guarantees. By leveraging SDN ideas, free mobility
or outside the company or across WANs. All visitors have
technology features more useful policies, comprehensive
the same service priority and security control policy. For
control, and ease of use, enabling employees to obtain
students from different departments on the same college
a consistent mobile office user experience whenever and
campus, traffic distribution is automatically implemented
wherever they access the network, using any terminal.
among the egresses of China Telecom, China Unicom, and
Technical Essays
Protect Your Network with Huawei's

United Security Solution
A s a member of the IT Operations and Maintenance
(O&M) group, you may not be a stranger to the
situation where you are traveling on vacation and you get
By taking advantage of Huaweis United Security Solution
before a security event occurs, we can detect the
security state of the entire network and carry out security
a telephone call from work, saying they need you back hardening to enhance attack defense capabilities. If a
right away. You may be disappointed, but you realize that security event occurs, we can quickly detect and respond
hackers are never on holiday, so they could intrude into to it in its very early phase and effectively control security
your network at any time, using security loopholes to risks to prevent them from affecting networks and
cause major damage. services.
"We never know what the state of our network security

How the Huawei Solution was developed
is," said the Chief Information Officer (CIO) of a large
enterprise. "Its just like sitting on a volcanic vent without The edge of an enterprise network is deployed with
knowing when it will erupt." If they are unaware of the security devices, but the development of wireless
current state of their networks security, IT O&M personnel technologies and mobile offices have diminished the
will not know about any security problem unless their effect of such edge security protection. Although a lot
service department makes complaints. This passive way of security devices such as firewalls (FWs), Intrusion
of responding to security events makes IT O&M personnel Prevention System (IPS) devices, and Antivirus Gateways
feel helpless and even unnerves them. (AVGs) have been deployed on enterprise campus
networks, they still cannot detect or block attacks
How to guarantee network security and make from the intranet due to hackers' sophisticated attack
networks run properly techniques. Unlike a human body that is composed of
Technical Essays
many sensory organs and a smart brain, campus networks are, a hacker is guessing at passwords. A single device
have no intelligent, automatic sensing mechanism. cannot detect this kind of attack behavior, which must be
detected through collaboration between multiple devices.
Although we receive massive event logs from network
Big Data-based correlation analysis can solve this problem.
and security devices, we cannot quickly analyze which
In the near future, user behavior-based correlation analysis
information is valid or which information is correlated due
can be performed to detect abnormal behaviors and
to the limits of manual labor. Even though we detect a
further prevent attacks and information leakages.
security event, we have to locate and troubleshoot the
fault on devices one by one. However, there are thousands
How to quickly respond to security events
of network and security devices and tens of thousands of
terminals on an enterprise campus network. How can we If we detect a security event on individual devices, the
quickly troubleshoot a fault over the entire network? best opportunity for eliminating risks will be missed, and
worm viruses might already have spread across the entire
"Perhaps Big Data and Software-Defined Networking
network and interrupted services. By leveraging the SDN
(SDN) technologies can tackle this problem," suggested idea of unified control and forwarding, we can integrate
a senior security expert from Huawei, "Big Data analytics network and security device virtualization technology
obtains valuable information by analyzing large amounts and enable devices to collaborate with one another and
of data, so we can utilize this technology to collect massive quickly respond to security events. We can also build
logs from the entire network and perform a correlation a security resource center on campus networks. When
analysis to obtain the information we need. We can then detecting that worm viruses in an area are using a security
control network devices by leveraging the SDN concept loophole to spread, we can divert traffic in the area to
of 'centralized control,' and promptly respond to security the security resource center to block attack traffic while
events." permitting legitimate service traffic to be transmitted
normally.
How to become aware of the security state of the
This innovative technology also integrates terminal device
entire network
management, surpassing the SDN idea of controlling only
As a result of this concept, we can figure out the network devices. Through a unified Agile Controller, this
health of the network based on asset importance and technology delivers patch installation and virus library
threat severity. IT O&M personnel then can be aware upgrade policies to terminals on the entire network,
of the security state of the entire network in real time. performing security hardening and removing viruses from
Additionally, they can check risks based on areas and terminals. Unsecure traffic on the network is blocked, and
key assets and propose ways to handle them. They also risks from terminals are eliminated.
can quickly detect the areas and assets in their charge So now, before you leave on vacation, you can check the
and "harden" security by performing system upgrades security state of the entire network as well as the specific
and installing patches where needed. As a result, device areas and assets of which you are in charge, and harden
security loopholes will be closed, and hackers will be security in order to make your network more robust. If a
prevented from attacking the network. security event occurs during your travels, you can quickly
learn about the situation through a Short Messaging
How to quickly detect security events Service (SMS) message or an email. You can then remotely
We also can use Big Data technology to permit network connect to the Agile Controller through the security
devices to collaborate with one another over the entire O&M platform, and deliver security policies to handle the
network, and perform a correlation analysis to detect security event. The entire process will take only several
minutes or perhaps dozens of seconds. After this, you
security events based on characteristics of hacker attacks
can continue your vacation in a good mood, thanks to
and worm virus outbreaks. For example, if a terminal
Huaweis United Security Solution.
fails on log in to multiple devices in a short period of
time, we can analyze logs sent from those devices; odds
Technical Essays
In-Depth Convergence and Simplified

Network O&M Management
Huawei Agile Campus Network Solution Eases the Burden on IT Management
Personnel
T oday, as technicians, IT management personnel are

working under great pressure. They have to work in
closed telecommunications rooms chock-full of devices,
Device (BYOD) and Wireless Local Area Network
(WLAN) being introduced to offices, enterprise
campus networks have developed from relatively
expending considerable effort to construct and maintain simple wired networks into a complex coexistence
IT infrastructure platforms. They have little time to pay of wired and wireless networks. Wireless networks
attention to new technologies and trends in the industry. are completely independent systems and must be
As a result, they cannot provide suggestions for service planned, managed, and maintained independently
innovations for technological decision-makers. Specifically, from wired networks. This work-intensive situation
the routine work of IT management personnel includes: overloads IT management personnel.
Planning and management of IT infrastructure Complex configurations and difficult fault location:
platforms: Networks that function as IT infrastructure A traditional enterprise campus network consists of
platforms are the focus of IT management personnel. core and aggregation devices, and hundreds or even
With popular technologies such as Bring Your Own thousands of access devices. Routine configurations,
Technical Essays
upgrades, and maintenance of these access devices master/backup mode, and a wireless AC can manage a
involve a massive workload, and errors probably large number of wireless APs in a centralized manner. If
occur. Moreover, such strenuous manual labor has wired and wireless networks can be deeply converged,
become a heavy burden on all IT management network O&M management will be significantly simplified.
personnel. After enterprises construct wireless
However, wired and wireless traffic is forwarded in a
networks on a large scale, the network management
completely decentralized manner. As a result, the two
workload multiplies and, if any fault occurs,
networks adopt two independent mechanisms for device
troubleshooting is becomes more difficult.
and service configurations, network management,
Access user authentication and management: fault troubleshooting, user authentication, and policy
Network access authentication and access rights management. Although we can use stacking technology
control are common technologies for regulating and and AC cards to make network devices look like only one
managing users' online behaviors. Authentication device and use the same authentication system to permit
policies for wired network users are independent users to access wired and wireless networks through the
from those for wireless network users. Consequently, same account, the problem of decentralized forwarding of
IT management personnel have to perform additional wired and wireless traffic cannot be fundamentally solved.
maintenance on wireless access devices and wireless
Access Controllers (ACs). If a user cannot access the Centralized forwarding of wired and wireless traffic
campus network, IT management personnel have simplifies network management
to locate and troubleshoot the fault on massive If wired networks are capable of wireless network
numbers of access switches and wireless Access control, no independent wireless AC device or AC card
Points (APs), a time-consuming process that also will be needed, because identification, forwarding, and
deteriorates users' experience. control of wired and wireless packets can be integrated
Huawei is committed to simplifying management and on one network device. Such convergence at the
maintenance of enterprise campus networks to ease the Network Element (NE) level eliminates separate control
burden of IT management personnel, helping them shift and forwarding of wired and wireless traffic, unifies
their focus to more innovative work instead of merely management of devices, services, and configurations, and
heavy, complicated manual labor. shields management differences for IT personnel. In this
manner, we can integrate the advantages of both wired
How to simplify network O&M management and wireless networks.
The best way to simplify network Operations and

Wired and wireless networks take advantage of
Maintenance (O&M) management is to reduce the
each other's management capabilities, reducing
numbers of network types and network devices. In this
the number of management devices
way, device configuration, fault troubleshooting, and
network maintenance can be substantially lessened. Then Wired networks can take advantage of the plug-and-play
how can we unify network O&M management methods and zero-configuration capabilities of wireless networks
and reduce the number of network devices without to reduce the workload of configuring large numbers
changing the scale of existing campus networks? What of access switches. At the same time, wireless networks
are the critical technical difficulties? can take advantage of the stacking and virtualization
capabilities of wired networks. In this way, all wired and
There are multiple mature technologies for simplifying
wireless access and core devices can be virtualized into
network O&M management in both wired and wireless
one device for management. By introducing Software-
networks. For example, stacking technology can be used
Defined Networking (SDN) ideas, we can enable network
in wired networks to virtualize multiple switches into one
devices to automatically coordinate command translation,
logical switch; in wireless networks, devices can work in
message synchronization, and policy delivery. IT
Technical Essays
management personnel only need to manage one device, can be used to simplify network O&M management.
simplifying device, service, and user management. Nevertheless, traditional network devices cannot centrally
forward wired and wireless traffic due to different packet
Unified wired and wireless user authentication and compositions and encapsulation methods. To address this
policy management simplifies user management problem, Huawei introduced its Agile Campus Network
IT management personnel can unify wired and wireless Solution, which puts the SDN-based idea of "Wired and
user authentication regardless of the role of the user Wireless Convergence" into effect, and translates traffic
desiring access. They can uniformly set all service forwarding into a software process. This idea implements
management and security control policies such as service converged forwarding of wired and wireless traffic and
priority, bandwidth, and access rights. Network devices consistent user and management experiences on both
can judge these policies automatically and intelligently. wired and wireless networks.
Devices closest to the user side can automatically execute Huawei remains committed to freeing IT management
rights-related policies to enhance access security. Service personnel from complex technical terms and tedious
experience-related policies such as bandwidth and manual configurations of massive numbers of network
priorities take effect on the link through which traffic is devices. With Huawei's help, IT management personnel
transmitted. As a result, all wired and wireless services can can use their knowledge and experience to the fullest and
be configured with one mouse-click, and IT management focus on suggesting IT planning and construction ideas for
personnel can be further relieved of heavy manual work. valuable enterprise service development and innovation.
Huawei Agile Campus Network Solution featuring wired For example, they can figure out what IT services
and wireless convergence greatly reduces the burden of IT can provide opportunities for enterprises' sustainable
management personnel development and what IT systems need improvement to
meet the increasing service demands of enterprise users.
As long as user traffic on wired and wireless networks can
be forwarded in a centralized manner, multiple in-depth
convergence solutions at device, service, and user levels
Technical Essays
Agile Network Brings a Brand New,

Excellent Network O&M Experience
IT Operations and Maintenance (O&M) personnel are

under considerable pressure. A routine workday
might look like this:
increasingly diversified. As a result, when service
experience is degraded, IT O&M personnel cannot judge
whether the fault is caused by the system itself or by the
network. Locating the specific fault is equally difficult, and
At 2:00 a.m., in the telecommunications room of a
IT O&M personnel are often busy handling emergencies.
multinational company, some employees are working
How can IT O&M personnel quickly detect service quality
against the clock to diagnose why the company's video
and accurately locate network faults? This has become a
conference system has failed. Because the company's CEO
crucial problem in the field of network O&M, which must
has planned an important video conference for that same
be solved.
morning, these employees must troubleshoot the system
before 9:00 a.m., requiring overtime to cope with the
Factors Affecting User Service Experience
emergency.
In addition to common factors such as network outage
Today, networks are constantly scaling up, and
and insufficient bandwidth, many other factors also affect
service types transmitted over networks are becoming
Technical Essays
user service experience, for example, aging of network network fault detection.
devices, network configuration errors, optical fiber
Since the IP network is connectionless, the only service
degradation, network attacks, and invalid flow control.
connection information on the network is in the
These factors are often overlooked due to a lack of
data packets. This characteristic leads to large-scale
effective network quality detection methods.
deployment of the IP network as well as difficult quality
When data services are transmitted over networks, even monitoring. When video pixelation occurs during a video
though packet loss occurs, users may be aware of slow conference, the network itself cannot be quickly aware
network access. However, their service experience will not of service quality degradation. Users can only turn to IT
be affected because TCP packets are retransmitted. Real- O&M personnel for help, and personnel are unaware of
time services, such as High-Definition (HD) video and voice the fault unless users tell them. Intensifying the problem,
services, require much higher network quality than data IT O&M personnel cannot quickly locate the specific fault
services. Take the HD video service as an example. The using traditional network quality detection technologies.
packet loss ratio must be lower than 10-6. That is, if even
Current network quality detection technologies, such as
one of the one billion packets is lost, video pixelation will
Network Quality Analysis (NQA) and Y.1731, are targeted
occur and users may be immediately aware of the fault.
for Point-to-Point (P2P) connections, which create the N2
To ensure proper video service provisioning, some large
problem when deployed on the IP network because all
enterprises build an independent, costly, private network
communication nodes must be deployed symmetrically.
for their video conference system.
Consequently, IP network scalability is low. In addition,
the accuracy of network quality detection through these
Difficult Service Quality Detection and Network
technologies is low. For example, during NQA, special
Fault Location
detection packets must be inserted into service flows,
Driven by the rapid development of the Internet, the but the forwarding path of the detection packets may be
IP network has become a cornerstone for information different from that of service packets over the network,
transmission. The IP network is connectionless-oriented which lowers the detection accuracy. What's more, end-
and uses a "Best-Effort" service forwarding mode, to-end deployment and network quality detection cannot
leading to large-scale network deployment and providing be implemented. For example, Y.1731 technology can be
infrastructure support for abundant Internet services. used only for Layer 2 Ethernet quality detection and fault
However, this results in difficult service quality and diagnosis.
Technical Essays
Huawei's Agile Network Provides an Excellent synchronization method and periodically colors service
Network Experience packets using reserved bits in an IP packet header (that
is, remarking the service packets). iPCA then calculates
To allow the connectionless IP network to be aware of
the number of received packets at the egress based on
faults and quickly report them to IT O&M personnel,
the marked bits. In this way, iPCA can detect network
Huawei can add a proactive quality awareness mechanism
quality using real-world service flows without interrupting
to the IP network. This quality awareness mechanism
services. If the packets traverse multiple network devices
is similar to self-awareness and feedback systems in a
and links, this technology can locate the specific device
human body.
and link where a fault occurs, implementing highly
Huawei's unique Packet Conservation Algorithm for accurate network fault location and helping IT O&M
Internet (iPCA) technology can solve the problem of personnel improve fault locating efficiency.
difficult network quality detection and fault location.
Compared to traditional network quality detection
By leveraging this technology, Huawei's Agile Network
technologies, Huawei's iPCA technology features the
Solution adds a proactive quality awareness mechanism
following advantages:
to the IP network, maintaining the connectionless feature
and implementing proactive network quality awareness. IT O&M personnel can learn the overall network
iPCA technology fully enhances network quality detection quality through a Network Management System
and accurate fault location capabilities, reducing network (NMS) using iPCA-enabled network devices. For
O&M costs. example, IT O&M personnel can check whether
a large number of packets are lost on key devices
How does Huawei's iPCA technology implement proactive
and links and detect the quality of some important
network quality awareness? Each network has borders.
services.
The idea of iPCA technology is to judge whether a fault
occurs in a network area by calculating and comparing Accurate network fault demarcation: If an enterprise,
the number of input packets and that of output packets for example, connects to multiple branches by
during a certain time period. To apply this idea to live leasing a telecom carrier's private lines, when cross-
networks for accurate network quality detection, multiple WAN services are interrupted, the iPCA function can
technological difficulties must be tackled. For example, be enabled on devices on Wide Area Network (WAN)
how can we detect service quality on a Multiple-Input borders to accurately judge whether the fault occurs
Multiple-Output (MIMO) network without establishing on the telecom carrier's WAN or the enterprise's
P2P connections? How can we ensure high quality campus network.
detection accuracy while using real-world service flows?
Accurate network fault location: If a large number
Taking advantage of Huawei's profound experience in
of packets are lost in a certain network area, the
the network field, iPCA technology perfectly solves these
network can proactively notify IT O&M personnel
problems.
of the service interruption and network fault. IT
By leveraging the centralized control idea of Software- O&M personnel can then quickly and accurately
Defined Networking (SDN), this technology calculates locate the specific device and link where the fault
the difference between the number of input packets and occurs without troubleshooting possible faults on
that of output packets through multiple ports on network network devices one by one, diminishing their heavy
border devices to detect packet loss on the network. iPCA troubleshooting workload.
performs service quality detection and communication
based on IP packets, and no connection is established
among detection points, allowing large-scale network
deployment. iPCA performs clock synchronization
on all devices to be detected using an external clock
Technical Essays
H u a w e i ' s i P CA t e c h n o l o g y a l s o c re a t e s t w o
innovations:
Innovation 1: MIMO network quality detection and easy

deployment on large-scale IP networks
This technology requires no connection between every

two detection points and is easy to configure and deploy.
Compared to existing quality detection technologies,
Huawei's iPCA technology can be deployed on IP
networks of a larger scale.
Innovation 2: Real-time, accurate quality detection based

on real-world service flows
This technology detects service quality by using reserved

bits in an IP packet header, coloring real service packets,
and collecting input and output packet statistics.
Huawei's Agile Switch, using Ethernet Network Processor
(ENP) chips, is capable of coloring service packets, while
traditional switches using Application-Specific Integrated
Circuit (ASIC) chips cannot perform packet coloring.
iPCA does not need to insert detection packets. It causes

zero traffic cost and does not affect user services while
providing real-time, accurate quality detection results.
Additionally, since a majority of IP communication-based
services have standard IP packets, iPCA technology does
not rely on any service type. It can detect nearly all types
of services.
Huawei's leading iPCA technology can greatly reduce

hard, tedious troubleshooting tasks. IT O&M personnel
will no longer need to detect massive devices one by
one or race against time to locate network faults. Taking
advantage of its leading patented technologies, Huawei
has addressed the problem of difficult IP network quality
detection, helping IT O&M personnel be aware of full-
scale service quality. When user service experience is poor,
Huawei's iPCA technology can quickly detect and locate
network faults. In addition, some factors that might
otherwise be neglected can also be detected, which
reduces users' Operating Expense (OPEX).
Star Products
Agile Controller
S12700 Series Agile Switch
Secospace USG6600 Series Next - Generation Firewall
Star Products
Agile Controller
Product Overview
Agile Controller is the latest user-centric and application-based, automatic network resource control system developed
by Huawei. This system is positioned as the "Smart Brain" of a Agile network. Inspired by the idea of centralization in
Software-Defined Networking (SDN), the Agile Controller dynamically adjusts network and security resources across the
entire Agile, enabling networks to be more agile for services.
Email, ERP,
Policy delivery and codes
WAN/ Internet: R&D
Service flow Internet and sales
Data Center
WAN/
Internet
Agile Controller
HQ access: R&D, Branch access: R&D,

sales, and visitor sales, and visitor
Star Products
Product Features
Redefines Networks By Concentrating on Service and Centralized Control and Flexible Adjustment of
Experience Resources of the Entire Network
Shifting the focus from technologies, devices, and Shifting from static and manual network configuration
connectivity to users, services, and experiences, the Agile to dynamic and automatic network deployment, the
Controller provides a 5W1H-based policy matrix featuring Agile Controller controls resources on the entire network
scenario awareness, implementing a consistent experience in a centralized manner and can flexibly adjust network
over the entire network. A user can enjoy the same resources based on services. For example, the Agile
experience on the Agile network anywhere; regardless of controller can establish a temporary group, guarantee a
access location, or terminal device. high-quality experience for VIP users, identify high-risk
assets, and deploy stricter security policies.
Big Data Analytics-based United Security
Product Openness
Shifting from single-point security protection to united
security over the entire network and leveraging Big Data The Agile Controller connects to existing devices and
analytics, the Agile Controller detects security threats service systems through multiple interface modes such as
taking a holistic perspective of the entire network in Web Service API, SQL, and Syslog, implementing system
order to assist users in quickly identify network risks, and integration while improving new service provisioning
proactively implements defense solutions. efficiency and overall network operation and maintenance
(O&M).
Core Functionalities
Provides a unified policy engine and executes range and location, improving the enterprises' brand
unified access policy across an entire organization, presence and reducing the IT O&M pressure.
implementing authentication and authorization
Provides rights planning modes for the policy matrix
based on users, access time, access locations, device
and implements automatic deployment and state
types, device resources, and access modes (5W1H).
monitoring on the network based on 5W1H policy
Provides full-life-cycle guest management, supports control, ensuring consistent policies and allowing
a personalized Portal login interfaces, pushes users to enjoy a consistent service experience with
personalized webpages based on terminal IP address the freedom to move as they please.
Star Products
Provides user group-based QoS policy planning. When network resources are limited, VIP user experience is
guaranteed as their data is preferentially forwarded.
Provides service orchestration capabilities, virtualizes security devices into a security resource center, and diverts user
traffic to the security resource center for processing, improving security resource efficiency and enhancing the security
protection capabilities of the entire network.
Leverages Big Data analytics, collects and performs an association analysis on security events from across the entire
network, displays the security states of the entire network, provides a security association function, aids users in
quickly identifying network risks, and proactively executing security and defense solutions.
Star Products
Operating Environment
Configuration Requirement Service Management Server (SM & SC) Security Collaboration Server (SV & iRadar)
CPU 2 x hexa-core 2 GHz 2 x hexa-core 2 GHz
Memory 16 GB 32 GB to 64 GB
Storage 600 GB 4 T or more
Note: The service management servers (SM & SC) are used to run access control, guest management, free mobility, and service
orchestration functions while the security collaboration servers (SV & iRadar) are used to run the security collaboration function.
Networking
The Agile Controller has no special networking requirements. It works properly as long as the physical server on which it
runs is reachable. The Agile Controller is usually deployed in the data center zone.
L2 SW
L2 SW Branch
Branch network
network AR Internet access
AR
WAN/Internet
Data Center
Campus egress
NGFW/SVN
Agile core
LSW
Agile Controller
Agile aggregation
LSW
Server NMS
Converged access
LSW AP AP LSW
Star Products
S12700 Series Agile Switch

H UAWEI S12700 series agile switches are
designed for next-generation campus
networks. Using a fully programmable switching
forwarding, Cluster Switch System Generation2(CSS2), a switch
fabric hardware clustering system that allows 1+N backup of
Main Processing Units (MPUs), hardware Eth-OAM/BFD, and
architecture, the S12700 series allows fast, flexible ring network protection. These technologies help improve
function customization and supports a smooth productivity and maximize network operation time, reducing
evolution to Software-Defined Networking Total Cost of Ownership (TCO).
(SDN). The S12700 series uses a Huawei Ethernet
The S12700 series is available in two models: S12708 and
Network Processor (ENP) and provides a native
S12712.
Wireless Access Controller (AC) to help build a
wired and wireless converged network. Its Unified
User Management capabilities deliver unified user
and service management, and Huawei's Packet
Conservation Algorithm for Internet (iPCA) supports
hop-by-hop monitoring of any service flows,
helping manage services in a more refined way. The
S12700 series runs the Huawei Versatile Routing
Platform (VRP), which provides high-performance
L2/L3 switching services and rich network
services, such as Multiprotocoal Label Switching
(MPLS) VPN, hardware IPv6, desktop cloud, and
video conferencing. In addition, the S12700
series offers a variety of reliability technologies,
including in-service software upgrade, non-stop S12712 S12708
Star Products
Product Characteristics
Make Your Network Agile and Service-Oriented The S12700 series' unified user management
function authenticates both wired and wireless
The high-speed ENP chip used in the S12700 series
users, ensuring a consistent user experience no
is tailored for Ethernet. The chip's flexible packet
matter whether they are connected to the network
processing and traffic control capabilities can meet
through wired or wireless access devices. The
current and future service requirements, helping build
unified user management function supports various
a highly scalable network.
authentication methods, including 802.1x, MAC
In addition to providing all the capabilities of address, and Portal authentication, and is capable
common switches, the S12700 series provides of managing users based on user groups, domains,
fully programmable open interfaces and supports and time ranges. These functions control user and
programmable forwarding behaviors. Enterprises can service management and enable the transformation
use the open interfaces to develop new protocols from device-centered management to user-centered
and functions independently, or jointly with other management.
vendors, to build campus networks that meet their
needs. Provide Agile Fine Granular Management
The ENP chip uses a fully programmable architecture, Packet Conservation Algorithm for Internet (iPCA)
on which enterprises can define their own forwarding changes the traditional method that uses simulated
models, forwarding behaviors, and lookup algorithms. traffic for fault location. iPCA technology monitors
This architecture speeds service innovation and enables network quality for any service flow at any network
the provisioning of a customized service within six node, at any time, and without extra costs. It can
months, without replacing hardware. In contrast, detect temporary service interruptions within one
traditional Application Specific Integrated Circuit (ASIC) second and can identify faulty ports accurately.
chips use a fixed forwarding architecture and follow This cutting-edge fault detection technology
a fixed forwarding process. For this reason, new turns "extensive management" into "fine granular
services cannot be provisioned until new hardware is management."
developed to support the services, which can take one
Super Virtual Fabric (SVF) technology can not only
to three years.
virtualize fixed-configuration switches into S12700
Supports Protocol Oblivious Forwarding (POF), which switch line cards but also virtualize APs as switch ports.
allows multi-stage network deployment and fast With this virtualization technology, a physical network
service provisioning. with core/aggregation switches, access switches, and
APs can be virtualized into a "super switch", offering
Deliver Abundant Services Agilely the simplest network management solution.
The S12700 series native ACs allow enterprises
to build a wireless network without additional AC
Industry-leading Line cards
hardware. Each S12700 switch can manage 4,096 Using Huaweis advanced ENP chips, the S12700
APs and 65,536 users. It is the first core switch series supports several million hardware entries,
that provides T-bit AC capabilities, avoiding the leaving traditional switches far behind. The S12700
performance bottleneck on independent AC devices. series provides 1M MAC address entries and 3M
The native T-bit AC capabilities help organizations Forwarding Information Base (FIB) entries, meeting
better cope with challenges in the high-speed requirements of route-intensive scenarios, such as the
wireless era. Metropolitan Area Network (MAN) for a television
Star Products
broadcasting or education network. Providing CSS2 prevents a cluster from splitting. Cluster control
1M NetStream entries enables fine granular traffic and data packets are transmitted over independent
statistics for college campus networks and large-scale channels. Even if all links between switch fabric units
enterprise campus networks. fail, the cluster will not split because these packets can
still be transmitted over the control channels between
The S12700 series provides a 1.5 GB buffer on each
MPUs. In a cluster connected by service ports, control
line card to prevent packet loss upon traffic bursts,
packets and data packets are forwarded through links
delivering high-quality video services. Traditional
between service cards. Once a link between member
switches only provide 4 MB buffer per card, which
devices fails, control packets and data packets will be
cannot ensure high-quality video stream transmission.
lost, causing the cluster to split.
The S12700 series supports high-density line-speed
cards, such as 48 x 10 GE, 8 x 40G and 2 x 100 Network-Level Reliability: End-to-End Hardware
GE line cards. Each S12700 chassis can provide a Protection Switching
maximum of 576 x 10 GE ports, 96 x40G ports and 24
he S12700 uses a series of link detection and
x 100 GE ports. This large port capacity fully meets the
protection switching technologies, such as hardware
requirements of bandwidth-consuming applications,
Eth-OAM, BFD, G.8032, and Smart Ethernet
such as multimedia video conferencing, protecting
Protection (SEP), to realize 50 ms end-to-end
customer investments.
protection switching. These technologies help build
a campus network that responds quickly to topology
End-to-End Reliability Design
changes and provides the most reliable services.
Device-Level Reliability: CSS2 Switch Fabric Hardware
Clustering Technology
Comprehensive Security Measures
Based on back-to-back clustering technology, widely
NGFW is a next-generation firewall card that can
used on high-end core routers, the S12700 series
be installed on an S12700. In addition to the
employs second-generation switching fabric hardware
traditional defense functions such as firewall, identity
clustering technology, CSS2, an enhancement to CSS
authentication, and Anti-DDoS, the NGFW supports
switching fabric clustering technology.
IPS, anti-spam, web security, and application control
CSS2 technology connects cluster member switches functions.
through switch fabric unit hardware channels;
The S12700 provides innovative next-generation
therefore, cluster control and data packets need only
environment awareness and access control. It
be forwarded once by the switch fabric units and
identifies the application-layer attacks and protects
do not go through service cards. Compared with
network-layer applications based on application type,
traditional service port clustering technologies, CSS2
content, time, user, threaten, and location.
minimizes the impact of software failures, reduces
service interruption risks caused by service cards, and The dedicated software and hardware platforms
also significantly shortens transmission latency. provide an Intelligent Aware Engine (IAE) to perceive
application information when all security functions
CSS2 supports 1+N backup of MPUs. This means
are enabled. The built-in hardware accelerator
a cluster can run stably as long as one MPU of any
for content detection improves application-
chassis in the cluster is working normally. In a cluster
layer protection efficiency and ensures the 10G+
connected by service ports, each chassis must have
performance when all security functions are enabled.
at least one MPU working normally; therefore, CSS2
is more reliable than traditional service port clustering
technologies.
Star Products
Application
In an enterprise campus network switches on the MAN of a television broadcasting or

education network. The 3M FIB entries provided are
S12700 series switches are deployed on the core layer of
sufficient for large-scale routing on the MAN. CSS2 switch
an enterprise campus network. Native ACs provided by
fabric hardware clustering technology, originating from
the S12700 enable customers to build wireless networks
clustering technology for high-end core routers, delivers
without additional AC hardware, reducing network
carrier-class reliability on the MAN. Additionally, the
construction costs. The S12700 is the first core switch that
S12700 series supports comprehensive L2/L3 MPLS VPN
provides T-bit AC capabilities, avoiding the performance
features, providing a highly reliable, secure, and scalable
bottleneck on independent ACs. The native T-bit AC
metropolitan bearer network solution.
capabilities help customers migrate their wireless networks
to 802.11ac. The S12700 series realizes wired and
In an enterprise data center
wireless convergence and delivers consistent experience
to wired and wireless users through uniform device, user, S12700 series switches are deployed on the core or
and service management. aggregation layer of an enterprise data center network.
The S12700 series has high-density line cards, such as 8 x
In a college campus network 100 GE and 48 x 10 GE cards, meeting the requirements
for large data throughput on data center core/
S12700 series switches are deployed on the core layer of
aggregation nodes. Using CSS2 switch fabric hardware
a college campus network. The unified user management
clustering technology, the S12700 series provides up to
function on the S12700 reduces network construction
1.92 Tbit/s cluster bandwidth and shortens the inter-
costs by removing the need to purchase new BRAS
chassis forwarding latency to 21 s. This technology helps
hardware. Each S12700 switch supports 64,000 users,
customers build a high performance, high reliability, and
allowing a large number of concurrent access users. Its
low latency data center network.
five-level H-QoS feature implements fine granular user and
service management. The S12700 series realizes wired and For more information, visit http://enterprise.huawei.com,
wireless convergence and delivers consistent experience or contact your local Huawei sales office.
to wired and wireless users through uniform device, user,
and service management.
In a bearer network for video conferencing,

desktop cloud, and video surveillance applications
The 1.5 GB buffer prevents packet loss upon traffic
bursts, delivering high-quality video streams. The S12700
series supports up to 1M MAC address entries and 3M
FIB entries, which allow access from a large number of
terminals and help evolution to IPv6 and the Internet of
Things (IoT). Employing end-to-end hardware reliability
technologies and iPCA technology, the S12700 series
offers a highly reliable, high-quality, scalable video
conferencing and surveillance solution.
On the core/aggregation layer of a MAN

S12700 series switches are used as core or aggregation
Star Products
Secospace USG6600 Series Next-

Generation Firewall
Overview
Enterprise networks are evolving into next-generation Note: USG6600 is next-generation firewall products series in USG
networks that feature mobile broadband, Big Data, social (Unified Security Gateway) product family.
networking, and cloud services. Yet, mobile applications,

Web2.0, and social networks expose enterprise networks
to the risks on the open Internet. Cybercriminals can easily
penetrate a traditional firewall by spoofing or using Trojan
horses, malware, or botnets.
HUAWEI Secospace USG6600 series is designed to

address these challenges of Carrier, large- and medium-
sized enterprises and next-generation data centers. It
analyzes intranet service traffic from six dimensions,
including application , content, time, user, attack, and
location and then automatically generates security policies
as suggestions to optimize the security management and
provide high-performance application-layer protection for
enterprise networks.
Star Products
Product Features
Granular Application Access Control Easy Security Management

Identifies the application-layer attacks and their Classifies 6000+ applications into 5 categories and
application, content, time, user, and location 33 subcategories and supports application access
information. control based on the subcategories.
Provides all-round visibility into service status, Complies with the minimum permission control
network environment, security postures, and user principle and automatically generates policy tuning
behaviors. suggestions based on network traffic and application
Provides an analysis engine that integrates application risks.
identification and security functions, such as IPS, AV, Analyzes the policy matching ratio and discovers
and data leak prevention, to prevent application- redundant and invalid policies to remove policies and
based malicious code injections, network intrusions, simplify policy management.
and data interceptions.
Prevention of Unknown Threats
Excellent Performance Provide samples of worldwide suspicious threats. The
Provides an Intelligent Awareness Engine (IAE) USG6600 series executes suspicious samples within
capable of parallel processing with all security the sandbox in the cloud to monitor the activities of
functions enabled after intelligent application the samples and identifies unknown threats.
identification. Automatically extracts threat signatures and rapidly
Improves application-layer protection efficiency and synchronizes the signatures to the devices to defend
ensures the 10G+ performance with all security against zero-day attacks.
functions enabled. Prevent Advanced Persistent Threat (APT) attacks
using a reputation system.
Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademark Notice
, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.
General Disclaimer HUAWEI TECHNOLOGIES CO., LTD.
The information in this document may contain predictive statements including, Huawei Industrial Base
without limitation, statements regarding the future financial and operating results, Bantian Longgang
future product portfolio, new technology, etc. There are a number of factors Shenzhen 518129, P.R. China
that could cause actual results and developments to differ materially from those Tel: +86-755-28780808
expressed or implied in the predictive statements. Therefore, such information Version No.: M3-032102-20140710-C-2.0
is provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice. www.huawei.com

Huawei Agile Campus Network Solution (SD)

Uploaded by

Copyright:

Available Formats

Huawei Agile Campus Network Solution (SD)

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Huawei Agile Campus Network Solution (SD)

Uploaded by

Copyright:

Available Formats

CONTENTS

03 What Did the Agile Network Change?

Huawei Agile Stadium Solution /31

Creating a Digital Hospital and Promoting Mobile Medical IT

Evolution of Free Mobility /52

Protect Your Network with Huawei's United Security Solution /54

Wired and Wireless Convergence and Simplified Network O&M

Agile Network Brings a Brand New, Excellent Network O&M

S12700 Series Agile Switch /69

Secospace USG6600 Series Next-Generation Firewall /73

What Did the Agile

User mobility complicates traffic 10 most influential technologies in 2014, if a business

What Changes Can the Innovative Agile

The agile network is different from the traditional network

Enterprises must be committed to

Huawei Agile Stadium Solution

Huawei Agile Campus Network

Network Service Development Trends and

Network Security Challenge: Single-Node and

Huawei Agile Campus Network

Campus network egress NE/AR/SVN

Agile aggregation Agile switch

Huawei Agile Campus Network Solution architecture

Free Mobility: New Experience of Mobility

Ubiquitous Policies Ubiquitous Experience

Ubiquitous Policies: Centralized Policy Control and Inter-User Group,

User Group Definition WAN /

R&D desktop cloud Deny Permit Deny

R&D BYOD Deny Deny Deny

Sales employees Permit Deny Permit

Ubiquitous Access Experience: Unified User Experience and VIP Experience

Ubiquitous access experience

United Security: From Single-Point Security Protection to

Big Data Analytics: Proactive Defense Against and Quick Response

United Security association analysis and proactive defense

Full-Scale Security Association Analysis, Proactive Display of Abundant Security States

Dynamic Allocation of Security Resources: On-Demand Invocation of Security

Agile Controller NGFW

Service flow User Group Resource Group

Dynamic security resource allocation

Wired and Wireless Convergence: Simplifying Network O&M

AC card Wired and Wireless Convergence

Comparison between a traditional and an agile campus

Converged Management: One Network Equals One Switch, Simplifying Network

Core/Aggregation switches Virtual MPUs

Access switches Virtual Cards

Converged Campus Network 1 2 n

Simplifying Device Management Simplifying Service Configuration

Quality Awareness: First to Allow the IP Network Itself to Be

Automatic fault detection

Comparison of fault detection results between a traditional and an agile network

Fully Programmable & Smooth Evolution: First to Apply SDN

Fully Programmable: SDN-Ready, Implementing Rapid Evolution

POF Interface (New Function Definition)

Hardware-defined: Software-defined: hardware

Control plane Packet forwarding Packet Control plane

Traditional switch Agile switch

Comparison between a traditional switch and an agile switch

Smooth Evolution: Perfect Compatibility with Traditional Networks

Agile Controller (Optional)