华为Agile-Controller-Campus技术建议书

华为Agile Controller（园区版）技术建议书（模板）文档版本01发布日期2016-05-26版权所有© 华为技术有限公司2016。

保留一切权利。

非经本公司书面许可，任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部，并不得以任何形式传播。

商标声明和其他华为商标均为华为技术有限公司的商标。

本文档提及的其他所有商标或注册商标，由各自的所有人拥有。

注意您购买的产品、服务或特性等应受华为公司商业合同和条款的约束，本文档中描述的全部或部分产品、服务或特性可能不在您的购买或使用范围之内。

除非合同另有约定，华为公司对本文档内容不做任何明示或默示的声明或保证。

由于产品版本升级或其他原因，本文档内容会不定期进行更新。

除非另有约定，本文档仅作为使用指导，本文档中的所有陈述、信息和建议不构成任何明示或暗示的担保。

华为技术有限公司地址：深圳市龙岗区坂田华为总部办公楼邮编：518129网址：客户服务邮箱：******************************客户服务电话：400-822-9999华为Agile Controller（园区版）错误!未知的文档属性名称目录目录1 概述 (3)1.1 项目背景 (3)1.1.1 园区网发展趋势 (3)1.1.2 项目现状 (3)1.1.3 接入场景及安全风险分析 (3)1.1.4 项目目标和范围 (4)2 应用场景 (4)3 方案设计思想及原则 ...................................................................................... 错误!未定义书签。

4 项目方案设计 (7)4.1 方案概述.......................................................................................................................... 错误!未定义书签。

华为Agile Controller 方案概述移动办公、BYOD、WLAN的基本特征就是作为信息消费者的用户终端，物理位置变得不固定，这对传统以手工静态配置为核心的传统网络形成了挑战：1. 不同的位置、不同的终端，如何保证一致的用户办公体验？让用户感觉不到位置的差异？2. 如何动态配置用户的权限、安全、QoS优先级等网络策略？传统的固定网络用户可以跟一个物理端口绑定，策略是管理员手工配置到离用户最近的网络设备上的，当用户位置不固定时，我们不能要求网络管理员通过手工配置去适应每个人位置的变化。

这就要求网络需要具备动态分配资源和部署策略的能力，网络资源需要跟着用户走。

3. 网络安全如何部署？传统的网络安全泄漏点主要是在企业到互联网的边界，很多企业也都把防火墙等安全设备部署到这个边界位置进行防护。

但移动性的引入，以及网络攻击手段的发展，使得安全防护失去了边界：Wi-Fi、移动终端、远程办公引入了大量的新的安全泄漏点，以及内部攻击手段(病毒/木马/APT 攻击)的出现，都让传统的边界防护手段彻底失效。

敏捷控制器（Agile Controller）是华为面向企业市场发布的下一代网络解决方案敏捷网络的核心部件，全面覆盖敏捷园区、敏捷分支、敏捷广域、敏捷数据中心各种应用场景，实现从接入到数据中心端到端联接的应用策略控制。

Agile Controller应用SDN集中化控制原则，以业务体验为中心，基于用户和应用动态调配全网资源，实现网络与安全资源跟随用户自由移动，让网络更敏捷地为业务服务。

产品特点以业务体验为中心重新定义网络从以前关注技术、设备、连通性，到关注用户、业务、体验；从以前手工配置，到用自然语言规划和自动部署。

•将SDN集中化控制思想引入园区，动态调配整个园区的网络与安全资源，让资源跟随用户移动，实现业务随行。

•可灵活调整全网权限、QoS、安全等策略，大大缩短新业务开通或网络扩容周期，适应越来越快的业务变化需要。

CPE/uCPEEnterprise HQCloudCPEEnterprise Network in CloudDCThe Agile Controller-Campus is a next-generation campus and branch network controller developed by Huawei. The AgileController-Campus uses new technologies such as cloud computing, SD-WAN, and VXLAN to implement network virtualization, policy centralization, and cloud-based management. The Agile Controller-Campus provides enterprises with fast managed LAN and cloud-based leased line services, reduces OPEX, and accelerates migration of services to the cloud and digital transformation.Huawei Agile Controller-Campus is the core component of Huawei SD-WAN solution. This document describes the functions of the Agile Controller-Campus in the SD-WANsolution.Product OverviewSolution DescriptionAs enterprises undergo ICT transformation, a large number of enterprise services are being migrated to the cloud. Traditional enterprise leased line solutions hardly can meet enterprise service requirements in the cloud era. First of all, leased lines are expensive. According to the Telecom market research and survey of consulting corporations, thecost of MPLS leased lines is several times or dozens of times that of the Internet, consuming a large amount of enterprise funds. In addition, it takes a long time (an average of 30 working days) to provision services, preventing enterprise customers from quickly obtaining services. Finally, maintaining enterprise leased lines is costly. Traditional leased line devices require maintenance to be carried out onsite. For enterprises with multiple branches, it is difficult to maintain the branch networks and maintenance costs are high.To meet the requirements of service cloudification and industry digitalization, enterprise leased lines require higher bandwidth, simplified O&M, and quick responses to service changes. Huawei's innovative SD-WAN solution helps enterprises build application-aware, cost-effective, easy-to-maintain, and on-demand cloud-based enterprise leased lines, and reshapes the online experience of service provisioning, O&M, adjustment, and optimization. This solution facilitates the rapid innovation of enterprise services in thecloud era and helps enterprises achieve business success.Huawei Agile Controller-Campus DatasheetNETCONFEnterprise Branch 1CPEuCPEvFWvWoC …Enterprise Branch nInternetMPLSArchitecture of Huawei SD-WAN solutionHuawei SD-WAN solution aims to solve problems caused by traditional enterprise leased lines. It allows enterprises to quickly pr ovision new services, reduce investment and O&M costs, and quickly respond to service demands and changes in the cloud era. This solution strengthens enterprise competitiveness and leads the entire business ecosystem. Huawei SD-WAN solution offers the following benefits:• Flexible link binding, reducing bandwidth costs• Service provisioning time shortened from months to days• Application -aware intelligent path selection, improving user experience • Plug -and-play, visualized O&M, reducing OPEXKey ComponentsHuawei Agile Controller-Campus is the core component of Huawei SD-WAN solution. It manages enterprise interconnection services throughout the entire process, and provides a wide range of unmatched functions and capabilities, such as automated deployment of leased line services, configuration of intelligent path selection policies, VAS management, plug-and-play, and visualized O&M. The Agile Controller-Campus providesnorthbound RESTful interfaces for easy interconnection with third-party systems, and communicates with devices through southbound NETCONF, HTTP2.0, and HTTPS interfaces to implement device management and control.NETCONFHTTP2Southbound interfaceHTTPSVAS managementTraffic policySecurity policyPlug-and-play Service functionsRESTful Northbound interface Multi-tenant managementCluster management Alarm managementBasic functionsLog managementVASsOSS/BSSAnalysis system3rd-party VASOther applicationsVisualized O&M Enterprise branchCPEuCPEHQ/DCPhysical networkMPLSInternetLTEPublic cloud/private cloudCPE/uCPE Device configurationTunnel management Network PMI Device upgradevCPEEnterprise branchBenefitsFast deployment, accelerating SD-WAN service provisioningThe Agile Controller-Campus can automatically deploy end-to-end network services and supports plug-and-play for all series of CPEs, so that devices can quickly go online. The Agile Controller-Campus supports quick configuration and automatic deployment of leased line tunnels, shortening the leased line service provisioning period from months to days, making service provisioning more convenient, and meeting enterprise requirements for rapid network service expansion.Intelligent path selection, improving user experienceThe Agile Controller-Campus supports configuration of application-based intelligent path selection, including the configuration of predefined application identification and user-defined application identification. The Agile Controller-Campus implements differentiated network services based on different user requirements on application quality to preferentially ensure the quality of services for key applications.On-demand VAS, accelerating service provisioningThe Agile Controller-Campus supports uCPE management. The uCPE uses the x86/ARM universal hardware platform to carry virtualization services, and runs VNFs to provide functions such as firewall and WOC. The Agile Controller-Campus can manage VNFs on the uCPE throughout the lifecycle. Enterprise customers can quickly load VASs. In addition, the Agile Controller-Campus supports service chain orchestration, ensuring that service traffic passes through multiple VNF nodes in sequence, meeting enterprises' various service requireme nts.Visualized O&M and visualized application traffic across the entire networkThe Agile Controller-Campus supports visualized management of applications and links. The Agile Controller-Campus can visualize the status of the entire network and display the network status in real time, improving O&M efficiency. The Agile Controller-Campus monitors and collects statistics on the actual service flow, and presents the quality, status, and trend of applications and links, implementing quick troubleshooting and accurate fault backtracking.Key Features Key Feature ValuePlug-and-play Tunnel managementIntelligent path selectionOn-demand VAS Application visualization In the SD-WAN scenario, an enterprise needs to deploy CPEs at the sites. After being powered on, the CPEs automatically obtain IP addresses and proactively register with the Agile Controller-Campus to complete configurations and go online. The plug-and-play feature requires no manual configuration, saving much time and reducing misconfigurations. Plug-and-play can be implemented using the following methods:• URL in the emailHuawei SD-WAN solution provides hybrid link access capabilities. To ensure experience of services for key enterprise applications, the Agile Controller-Campus supports application-and application quality-based intelligent path selection. This ensures that services requiring high link quality use leased lines, and other services use Internet links. When a network fault occurs or the link quality is unstable, a link switchover can be flexibly performed to improve user experience. To implement intelligent path selection, the Agile Controller-Campus supports the following functions:• Identification of predefined applications and user-defined applications• IP FPM-based link quality detection (including latency, jitter, and packet loss)• Path selection policy management of applicationsIn traditional mode, VASs for enterprise sites are provided by different pieces of hardware. The disadvantages lie in fixed hardware functions and complex service deployment and provisioning. To implement fast, on-demand VAS deployment, Huawei launches the uCPE based on the x86/ARM architecture. The uCPE can carry virtualized VASs. The Agile Controller-Campus can manage and control VNFs on the uCPE, including:• Full-lifecycle management of VNFs on the uCPE, including installing, pausing, stopping, restarting and deleting VNFs• Service chain orchestration of VNFs on the uCPE• Monitoring of VNFs on the uCPE(including query of information such as the VNF management IP address, CPU, RAM, and running/operating status)• Support for multiple types of VNFs (such as Huawei vFW/vAR, Riverbed vWOC, Fortinet FortiGate, and Checkpoint vSec)The Agile Controller-Campus supports application-based visualized management. Users can quickly locate faults using the Agile Controller-Campus, simplifying O&M. To implement application visualization, the Agile Controller-Campus can display:• Health score distribution, worst 5 sites by health score, site list and other information of network-wide sites• Average AQM , bandwidth usage, throughput trend, Worst 5 Applications by AQM, and other information of a specified site• Worst 5 links by LQM, top 5 links by traffic, link list and other information of network-wide links• LQM trend, throughput trend, application top traffic, application AQM distribution, and other information of a specified link • AQM distribution, worst 5 applications by AQM, top 5 application traffic, application list and other information of network-wide applications.• AQM trend, throughput trend, and other information of a specified applicationAs the number of enterprise branches increases, inter-branch access traffic also increases. Traditionally, inter-branch access traffic needs to be transmitted via the enterprise headquarters, consuming resources of the headquarters and causing delay. The Agile Controller-Campus supports automatic deployment of dynamic smart VPN (DSVPN), implementing dynamic establishment of tunnels between branches. The Agile Controller-Campus supports IPSec encryption, ensuring security of enterprise services. To implement tunnel management, the Agile Controller-Campus supports the following functions:• DSVPN tunnel• Full-mesh and Hub-Spoke networking• IPSec encryptionOrdering InformationItem License QuantityPlatformDevice management SD-WAN function VAS management SD-WAN Platform SoftwareDevice Management License For AR160, Per DeviceDevice Management License For AR1X00, Per DeviceDevice Management License For AR2X00, Per DeviceDevice Management License For AR3X00, Per DeviceDevice Management License For AR651W-X4, Per DeviceDevice Management License For AR651-X8, Per DeviceDevice Management License For AR1610-X6, Per DeviceDevice Management License For AR1000V, Per DeviceSD-WAN Service License For AR160, Per DeviceSD-WAN Service License For AR1X00, Per DeviceSD-WAN Service License For AR2X00, Per DeviceSD-WAN Service License For AR3X00, Per DeviceSD-WAN Service License For AR651W-X4, Per DeviceSD-WAN Service License For AR651-X8, Per DeviceSD-WAN Service License For AR1610-X6, Per DeviceSD-WAN Service License For AR1000V, Per DeviceVirtual Application Management License For uCPE, Per vCPU1-21-N1-N1-N1-N1-N1-N1-N1-N1-N1-N1-N1-N1-N1-N1-N1-N1-NAgile Controller software licenseAgile Controller Subscription And Support LicenseMore InformationFor more information about the Huawei Agile Controller-Campus, visit .Item Quantity Platform SnSDevice management SnSSD-WAN function SnSVAS management SnSSnS LicenseSubscription And Support, 1/2/3 Year, SD-WAN Platform SoftwareSubscription And Support, 1/2/3 Year, Device Management License For AR160 or AR6X0, Per Device Subscription And Support, 1/2/3 Year, Device Management License For AR1X00, Per Device Subscription And Support, 1/2/3 Year, Device Management License For AR2X00, Per Device Subscription And Support, 1/2/3 Year, Device Management License For AR3X00, Per DeviceSubscription And Support, 1/2/3 Year, Device Management License For AR651W-X4, Per Device Subscription And Support, 1/2/3 Year, Device Management License For AR651-X8, Per Device Subscription And Support, 1/2/3 Year, Device Management License For AR1610-X6, Per Device Subscription And Support, 1/2/3 Year, Device Management License For AR1000V, Per Device Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR160, Per Device Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR1X00, Per Device Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR2X00, Per Device Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR3X00, Per DeviceSubscription And Support, 1/2/3 Year, SD-WAN Service License For AR651W-X4, Per Device Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR651-X8, Per Device Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR1610-X6, Per Device Subscription And Support, 1/2/3 Year, SD-WAN Service License For AR1000V, Per DeviceSubscription And Support, 1/2/3 Year, Virtual Application Management License For uCPE, Per vCPU1-N1-N 1-N 1-N 1-N1-N 1-N 1-N 1-N 1-N 1-N 1-N 1-N 1-N 1-N 1-N 1-N 1-N。

华为企业园区网络建设技术方案建议书目录1项目概述 (4)1.1项目背景 (4)1。

2项目目标 (4)2园区总体系统规划设计 (5)2.1需求分析 (5)2.2设计原则 (6)3园区网络架构规划设计 (7)3。

1园区网络总体网络架构规划设计 (7)3。

1。

1典型园区网网络架构 (7)3.1。

2经济型园区网网络架构 (8)3.1.3虚拟交换园区网网络架构 (9)3.2园区网络分层网络规划设计 (10)3.2。

1接入层 (10)3。

2.2汇聚层 (11)3。

2。

3核心层 (11)3。

2.4出口层 (12)4园区网络高可靠性规划设计 (14)4。

1园区网络高可靠性规划设计 (14)4.2园区网络设备高可靠性规划设计 (19)4。

2.1重要部件冗余 (19)4.2.2设备自身安全 (20)4。

3园区网络交换机虚拟化规划设计 (21)4.3.1汇聚交换机的集群CSS(Cluster Switch Switching） (21)4.3。

2接入交换机的堆叠iStack (24)5园区网络安全方案规划设计 (26)5.1园区网安全方案总体规划设计 (26)5.2园区接入安全规划设计 (27)5。

3园区网络监管/监控规划设计 (33)5。

3.1防IP/MAC地址盗用和ARP中间人攻击 (33)5。

3。

2防IP/MAC地址扫描攻击 (34)5。

3.3广播/组播报文抑制 (36)5.4园区网边界防御规划设计 (36)5.4。

1防火墙部署规划设计 (36)5。

4。

2防火墙功能规划设计 (37)5.4。

3防火墙性能选择 (38)5.4.4虚拟防火墙规划设计 (39)5.4。

5NAT规划设计 (40)5。

5园区网出口安全规划设计 (41)6园区网络网管系统方案规划设计 (43)6.1网管系统概述 (43)6。

2系统优势介绍 (44)6。

2.1网络管理优势功能 (45)6。

2。

2网络流量分析器优势功能 (46)6。

2.3认证计费优势功能 (48)6。

BrochureProduct OverviewThe CloudEngine S5732-H series switches are the next-generation enhanced Ethernet switches developed by Huawei. The CloudEngine S5732-H builds on Huawei's unified Versatile Routing Platform (VRP) and boasts various IDN features. For example, the integrated wireless AC capabilities can manage up to 1,024 wireless APs; the free mobility feature ensures consistent user experience; the VXLAN functionality implements network virtualization; and built-in security probes support abnormal traffic detection, threat analysis even in encrypted traffic, and network-wide threat deception. With these merits, the CloudEngine S5732-H can function as core switches for small-sized campus networks and branches of medium- and large-sized campus networks, and also work as access switches for Metropolitan Area Network.Models and AppearancesThe following models are available in the CloudEngine S5732-H series.CloudEngine S5732-H24S6QCloudEngine S5732-H48S6QFeatures and HighlightsEnabling Networks to Be More Agile for Services●CloudEngine S5732-H has a built-in high-speed and flexible processor chip. The chip's flexible packet processing and traffic control capabilities can meet current and future service requirements, helping build a highly scalable network.●In addition to capabilities of traditional switches, the CloudEngine S5732-H provides open interfaces and supports user-defined forwarding behavior. Enterprises can use the open interfaces to develop new protocols and functions independently or jointly with equipment vendors to build campus networks meeting their own needs.●CloudEngine S5732-H series switches, on which enterprises can define their own forwarding models, forwarding behavior, and lookup algorithms. Microcode programmability makes it possible to provide new services within six months, without the need of replacing the hardware. In contrast, traditional ASIC chips use a fixed forwarding architecture and follow a fixed forwarding process. For this reason, new services cannot be provisioned until new hardware is developed to support the services one to three years later.Delivering Abundant Services More Agilely●This CloudEngine S5732-H provides the integrated WLAN AC function that can manage 1,024 APs, reducing the costs of purchasing additional WLAN AC hardware and breaking the forwarding performance bottleneck of an external WLAN AC. With this switch series, customers can stay ahead in the high-speed wireless era.●With the unified user management function, the CloudEngine S5732-H authenticates both wired and wireless users, ensuring a consistent user experience no matter whether they are connected to the network through wired or wireless access devices. The unified user management function supports various authentication methods, including 802.1x, MAC address, and Portal authentication, and is capable of managing users based on user groups, domains, and time ranges. These functions visualize user and service management and boost the transformation from device-centric management to user-centric management.●The CloudEngine S5732-H provides excellent quality of service (QoS) capabilities and supports queue scheduling and congestion control algorithms. Additionally, it adopts innovative priority queuing and multi-level scheduling mechanisms to implement fine-grained scheduling of data flows, meeting service quality requirements of different user terminals and services.Providing Fine Granular Network Management More Agilely●The CloudEngine S5732-H uses the Packet Conservation Algorithm for Internet (iPCA) technology that changes the traditional method of using simulated traffic for fault location. iPCA technology can monitor network quality for any service flow anywhere and anytime, without extra costs. It can detect temporary service interruptions in a very short time and can identify faulty ports accurately. This cutting-edge fault detection technology turns "extensive management" to "fine granular management."●The CloudEngine S5732-H supports Two-Way Active Measurement Protocol (TWAMP) to accurately check any IP link and obtain the entire network's IP performance. This protocol eliminates the need of using a dedicated probe or a proprietary protocol.●The CloudEngine S5732-H supports SVF and functions as a parent switch. With this virtualization technology, a physical network with the "Small-sized core/aggregation switches + Access switches + APs" structure can be virtualized into a "super switch", greatly simplifying network management.●With the Easy Deploy function, the CloudEngine S5732-H manages access switches in a similar way an AC manages APs. In deployment, access switches and APs can go online with zero-touch configuration. In the Easy Deploy solution, the Commander collects topology information about the connected clients and stores the clients' startup information based on the topology. Clients can be replaced with zero-touch configuration. The Commander can deliver configurations and scripts to clients in batches and query the delivery results. In addition, the Commander can collect and display information about power consumption on the entire network.Comprehensive VPN Technologies●The CloudEngine S5732-H supports the MPLS function, and can be used as access devices of high-quality enterprise leased line.●The CloudEngine S5732-H allows users in different VPNs to connect to the same switch and isolates users through multi-instance routing. Users in multiple VPNs connect to a provider edge (PE) device through the same physical port on the switch, which reduces the cost on VPN network deployment.Flexible Ethernet Networking●In addition to traditional Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP), the CloudEngine S5732-H supports Huawei-developed Smart Ethernet Protection (SEP) technology and the latest Ethernet Ring Protection Switching (ERPS) standard. SEP is a ring protection protocol specific to the Ethernet link layer, and applies to various ring network topologies, such as open ring topology, closed ring topology, and cascading ring topology. This protocol is reliable, easy to maintain, and implements fast protection switching within 50 ms. ERPS is defined in ITU-TG.8032. It implements millisecond-level protection switching based on traditional Ethernet MAC and bridging functions.●The CloudEngine S5732-H supports Smart Link and Virtual Router Redundancy Protocol (VRRP), which implement backup of uplinks. One CloudEngine S5732-H switch can connect to multiple aggregation switches through multiple links, significantly improving reliability of access devices.Various Security Control Methods●The CloudEngine S5732-H supports 802.1x authentication, MAC address authentication, Portal authentication, and hybrid authentication, and can dynamically delivery user policies such as VLANs, QoS policies, and access control lists (ACL). It also supports user management based on user groups.●The CloudEngine S5732-H provides a series of mechanisms to defend against DoS and user-targeted attacks. DoS attacks are targeted at switches and include SYN flood, Land, Smurf, and ICMP flood attacks. User-targeted attacks include bogus DHCP server attacks, IP/MAC address spoofing, DHCP request flood, and change of the DHCP CHADDR value.●The CloudEngine S5732-H sets up and maintains a DHCP snooping binding table, and discards the packets that do not match the table entries. You can specify DHCP snooping trusted and untrusted ports to ensure that users connect only to the authorized DHCP server.●The CloudEngine S5732-H supports strict ARP learning, which prevents ARP spoofing attackers from exhausting ARP entries.Mature IPv6 Features●The CloudEngine S5732-H is developed based on the mature, stable VRP and supports IPv4/IPv6 dual stacks, IPv6 routing protocols (RIPng, OSPFv3, BGP4+, and IS-IS for IPv6). With these IPv6 features, the CloudEngine S5732-H can be deployed on a pure IPv4 network, a pure IPv6 network, or a shared IPv4/IPv6 network, helping achieve IPv4-to-IPv6 transition.Intelligent Stack (iStack)●The CloudEngine S5732-H supports the iStack function that combines multiple switches into a logical switch. Member switches in a stack implement redundancy backup to improve device reliability and use inter-device link aggregation to improve link reliability. iStack provides high network scalability. You can increase a stack's ports, bandwidth, and processing capacity by simply adding member switches. iStack also simplifies device configuration and management. After a stack is set up, up to nine physical switches can be virtualized into one logical device. You can log in to any member switch in the stack to manage all the member switches in the stack.VXLAN Features●VXLAN is used to construct a Unified Virtual Fabric (UVF). As such, multiple service networks or tenant networks can be deployed on the same physical network, and service and tenant networks are isolated from each other. This capability truly achieves 'one network for multiple purposes'. The resulting benefits include enabling data transmission of different services or customers, reducing the network construction costs, and improving network resource utilization.●The CloudEngine S5732-H series switches are VXLAN-capable and allow centralized and distributed VXLAN gateway deployment modes. These switches also support the BGP EVPN protocol for dynamically establishing VXLAN tunnels and can be configured using NETCONF/YANG.Big Data Security Collaboration●The CloudEngine S5732-H switches use NetStream to collect campus network data and then report such data to the Huawei Cybersecurity Intelligence System (CIS). The purposes of doing so are to detect network security threats, display the security posture across the entire network, and enable automated or manual response to security threats. The CIS delivers the security policies to the Agile Controller. The Agile Controller then delivers such policies to switches that will handle security events accordingly. All these ensure campus network security.●The CloudEngine S5732-H supports Encrypted Communication Analytics (ECA). It uses built-in ECA probes to extract characteristics of encrypted streams based on NetStream sampling and Service Awareness (SA), generates metadata, and reports the metadata to Huawei Cybersecurity Intelligence System (CIS). The CIS uses the AI algorithm to train the traffic model and compare characteristics of extracted encrypted traffic to identify malicious traffic. The CIS displays detection results on the GUI, provides threat handling suggestions, and automatically isolates threats with the Agile Controller to ensure campus network security.●The CloudEngine S5732-H supports deception. It functions as a sensor to detect threats such as IP address scanning and port scanning on a network and lures threat traffic to the honeypot for further checks. The honeypot performs in-depth interaction with the initiator of the threat traffic, records various application-layer attack methods of the initiator, and reports security logs to the CIS. The CIS analyzes security logs. If the CIS determines that the suspicious traffic is an attack, it generates an alarm and provides handling suggestions. After the administrator confirms the alarm, the CIS delivers a policy to the Agile Controller. The Agile Controller delivers the policy to the switch for security event processing, ensuring campus network security.Intelligent O&M●The CloudEngine S5732-H provides telemetry technology to collect device data in real time and send the data to Huawei campus network analyzer CampusInsight. The CampusInsight analyzes network data based on the intelligent fault identification algorithm, accurately displays the real-time network status, effectively demarcates and locates faults in a timely manner, and identifies network problems that affect user experience, accurately guaranteeing user experience.●The CloudEngine S5732-H supports a variety of intelligent O&M features for audio and video services, including the enhanced Media Delivery Index (eMDI). With this eDMI function, the switch can function as a monitored node to periodically conduct statistics and report audio and video service indicators to the CampusInsight platform. In this way, the CampusInsight platform can quickly demarcate audio and video service quality faults based on the results of multiple monitored nodes.Intelligent Upgrade●Switches support the intelligent upgrade feature. Specifically, switches obtain the version upgrade path and download the newest version for upgrade from the Huawei Online Upgrade Platform (HOUP). The entire upgrade process is highly automated and achieves one-click upgrade. In addition, preloading the version is supported, which greatly shortens the upgrade time and service interruption time.●The intelligent upgrade feature greatly simplifies device upgrade operations and makes it possible for the customer to upgrade the version independently. This greatly reduces the customer's maintenance costs. In addition, the upgrade policies on the HOUP platform standardize the upgrade operations, which greatly reduces the risk of upgrade failures.Open Programmability System (OPS)●Open Programmability System (OPS) is an open programmable system based on the Python language. IT administrators can program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligent O&M.LicensingCloudEngine S5732-H supports both the traditional feature-based licensing mode and the latest Huawei IDN One Software (N1 mode for short) licensing mode. The N1 mode is ideal for deploying Huawei CloudCampus Solution in the on-premises scenario, as it greatly enhances the customer experiences in purchasing and upgrading software services with simplicity.Software Package Features in N1 ModeNote: Only V200R019C00 and later versions can support N1 modeProduct SpecificationsService FeaturesNetworking and ApplicationsLarge-Scale Enterprise Campus NetworkCloudEngine S5732-H series switches can be deployed at the access layer of a campus network to build a high-performance and highly reliable enterprise network.Small- or Medium-scale Enterprise Campus NetworkCloudEngine S5732-H series switches can be deployed at the aggregation layer of a campus network to build a high-performance, multi-service, and highly reliable enterprise network.Small-scale Enterprise Campus NetworkWith powerful aggregation and routing capabilities of CloudEngine S5732-H series switches make them suitable for use as core switches in a small-scale enterprise network. Two or more S5732-H switches use iStack technology to ensure highreliability. They provide a variety of access control policies to achieve centralized management and simplify configuration.Application on a MANCloudEngine S5732-H series switches can be deployed at the access layer of a MAN(Metropolitan Area Network) to build ahigh-performance, multi-service, and highly reliable ISP MAN network.Application in Public CloudCloudCampus Solution is a network solution suite based on Huawei public cloud. CloudEngine S5732-H series switches can be located at the access layer.The switches are plug-and-play. They go online automatically after being powered on and connected with network cables, without the need for complex configurations. The switches can connect to the management and control system (CloudCampus@AC-Campus for switches running V200R019C00 and earlier versions; iMaster NCE-Campus for switches running V200R019C10 and later versions), and use bidirectional certificate authentication to ensure management channel security. The switches provide the NETCONF and YANG interfaces, through which the management and control system delivers configurations to them. In addition, remote maintenance and fault diagnosis can be performed on the management and control system.The following table lists ordering information of the CloudEngine S5732-H series switches.More InformationFor more information about Huawei Campus Switches, visit or contact us in the following ways: ●Global service hotline: /en/service-hotline ●Logging in to the Huawei Enterprise technical support website: /enterprise/ ●Sendinganemailtothecustomerservicemailbox:********************Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd.Trademarks and Permissionsand other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders.NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, andrecommendations in this document are provided "AS IS" without warranties, guarantees or representations ofany kind, either express or implied.The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied. Huawei Technologies Co., Ltd. Address:Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website:。

光联SD-WAN产品使用手册1.产品定位和特点1.1产品定位Agile Controller-Campus是针对SD-WAN解决方案场景的管理控制系统，对企业互联业务实现全流程管理，提供了专线业务的自动化部署、智能选路策略配置、VAS业务管理，企业分支连接公有云，以及即插即用、可视化运维等能力。

通过Agile Controller-Campus可以实现在多租户网络中独立开展业务开通配置、日常运维等工作。

1.2产品特点简单∙网络部署简单：可实现端到端网络业务自动化部署，支持全系列CPE设备（customer premise equipment）即插即用，设备快速上线，无技术门槛。

∙业务开通简单：在SD-WAN解决方案中，支持专线隧道快速配置及自动化部署，支持基于应用的智能选路配置，根据关键应用需求，对应用实现差异化网络服务，并对链路质量和应用质量进行检测，根据策略配置优先保障关键应用优质体验。

∙网络运维简单：SD-WAN控制器能够实时的对全网业务流量，质量，告警和日志等关键信息进行收集并统一呈现，提供友好的网络拓扑和GIS地图信息，方便用户对网络运行状况进行全局掌控，及时发现并处理问题。

弹性∙网络按需扩展：支持超大规模以及跨地域设备接入管理，支持基于应用的智能选路，根据关键应用需求，对应用实现差异化网络服务。

∙管理按需扩展：Agile Controller-Campus支持多租户，企业网络既可自运维，也可交由MSP代维，企业可根据自身能力和业务需求，自由选择网络管理模式。

开放∙第三方O层对接：Agile Controller-Campus提供完整的面向SD-WAN业务模型的北向API，可方便快捷的与第三方协同器进行对接，快速的集成进客户的业务系统。

∙uCPE广泛生态构筑：uCPE作为按需提供VAS服务的平台，覆盖业界主流VAS 功能，包括安全、语音、广域加速、DHCP、DNS、IPAM、文件共享等。

Agile Controller-Campus接入层部署802.1X+MAC认证（有线认证）文档版本V1.0发布日期2016-3-30版权所有 © 华为技术有限公司 2016。

保留一切权利。

非经本公司书面许可，任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部，并不得以任何形式传播。

商标声明和其他华为商标均为华为技术有限公司的商标。

本文档提及的其他所有商标或注册商标，由各自的所有人拥有。

注意您购买的产品、服务或特性等应受华为公司商业合同和条款的约束，本文档中描述的全部或部分产品、服务或特性可能不在您的购买或使用范围之内。

除非合同另有约定，华为公司对本文档内容不做任何明示或默示的声明或保证。

由于产品版本升级或其他原因，本文档内容会不定期进行更新。

除非另有约定，本文档仅作为使用指导，本文档中的所有陈述、信息和建议不构成任何明示或暗示的担保。

华为技术有限公司地址：深圳市龙岗区坂田华为总部办公楼邮编：518129网址：1接入层部署802.1X+MAC认证（有线认证）适用产品和版本本案例适用如下产品和版本：组网需求由于企业对安全性要求很高，网络管理员为了防止非法人员和不安全的电脑接入到公司网络中，造成公司信息资源受到损失，希望员工的电脑在接入到公司网络之前进行身份验证和安全检查，只有身份合法的用户使用安全检查通过的电脑才可以接入到公司网络。

对于IP电话、打印机等哑终端，同样需要认证通过才允许接入网络。

根据公司现有网络设备的性能分析结果，企业具有如下特征：l现有接入交换机功能较强，均支持802.1X功能。

l公司园区规模较小，且不存在分支机构，网络相对集中。

l公司现有员工不超过1000人，包括访客日均终端接入量低于2000。

l公司网络中需要接入哑终端，如IP电话、打印机等。

l Agile Controller-Campus不可用时希望可以启用逃生通道，用户或哑终端可以直接访问认证后域，避免业务中断。

Agile Controller-Campus V100R002C00 配置手册(仅供内部使用)拟制: 汪敦全、丁凌风、蒲俊杰日期：2014-4-2审核: 日期：审核: 日期：批准: 日期：华为技术有限公司版权所有侵权必究目录1Agile Controller-Campus V100R002C00总体介绍 (9)1.1系统网络逻辑结构及接口关系 (10)1.1.1Controller服务器网络实体组成 (10)1.1.2Controller安全协防组件网络实体组成 (11)1.2组网方式和配置原则介绍 (11)1.2.1Controller服务器的组网和配置原则 (11)1.2.2802.1X准入控制的组网和配置原则 (17)1.2.3硬件SACG准入控制的组网和配置原则 (20)2产品基本配置说明 (24)2.1系统配置简介 (24)2.2SM&SC组件的服务器和客户端配置说明 (26)2.2.1服务器配置 (27)2.2.2客户端配置 (32)2.2.3服务器软硬件配置说明 (32)1.单服务器方案配置说明 (33)2.服务器备份方案配置说明 (34)3.数据库镜像方案配置说明 (35)2.3安全协防组件设备配置说明 (35)3报价项配置说明 (38)3.1配置概述 (38)3.2Agile Controller-Campus 软件报价说明 (38)3.2.1接入控制报价项 (38)3.2.2访客管理报价项 (39)3.2.3业务随行报价项 (40)3.2.1业务编排报价项 (40)3.3安全协防软件报价说明 (40)3.3.1SecView报价项 (43)3.3.2iRadar报价项 (43)3.4SM&SC组件的业务整机报价项说明 (43)3.5安全协防组件的业务整机服务器报价项说明 (49)3.7存储设备报价项说明 (52)4产品配置说明 (52)4.1产品配置清单和配置说明 (52)4.2业务整机的配置说明 (54)4.3存储配置说明 (69)4.4组件｜附件-Agile Controller-软件 (73)4.5组件｜License配置说明 (76)4.5.1License包配置说明 (76)4.5.2License报价项配置说明 (77)4.5.3接入控制服务License配置说明 (77)4.5.4访客管理特性License配置说明 (78)4.5.5业务随行特性License配置说明 (79)4.5.6业务编排特性License配置说明 (79)4.5.7安全协防特性License配置说明 (80)4.5.8定制开发License配置说明 (82)4.6外部成套电缆配置说明 (82)5资料配置说明 (84)6部分配件说明 (84)6.1市场建议 (84)6.2用户自备硬件说明 (84)6.3合同预审要求 (85)7扩容和升级改造方法与配置说明 (85)7.1扩容方法与配置说明 (85)7.1.1扩容的方法与原则 (85)7.1.2扩容设备的清单 (85)7.1.3可扩容部分的说明 (85)7.1.4扩容所涉及的机柜、母板插框、单板等的配置原则 (86)7.1.5扩容中需特别注意的问题 (86)7.2升级改造方法与配置说明 (86)7.2.1升级改造方法 (86)7.2.2升级设备的清单 (86)7.2.3可升级部分的说明 (86)7.2.4更换部件注意事项 (86)8.1附录I：缩略语清单 (87)表目录表1 集中组网推荐配置表 (25)表2 分布式组网分支机构推荐配置表 (25)表3 AnyOffice客户端的运行环境 (32)图目录图1 Agile Controller-Campus系统网络实体组成 (10)图2 单服务器集中组网方案 (12)图3 双服务器集中组网方案 (13)图4 三服务器集中组网方案 (14)图5 业务控制器分布式组网方案 (16)图6 在接入层交换机上实施802.1X (18)图7 在汇聚层交换机上实施802.1X (19)图8 SACG直挂路由模式部署方案 (20)图9 SACG侧挂路由模式部署方案 (21)图10 SACG透明/混合模式部署方案 (22)图11 SACG侧挂侧挂核心交换机示意图 (23)Agile Controller-Campus V100R002C00配置手册关键词：准入控制、补丁管理、软件分发、安全接入控制网关、WEB认证客户端。

华为校园敏捷网络配置综合案例1.1 方案简介校园网发展到现在，承载的业务越发多种多样：智能移动终端在校园的普及带来访问用户位置多变和无线访问量倍速增长；云计算带来的业务实时性、服务虚拟化；高清视频；社交网络等等，这些都给现有网络部署带来了挑战。

为了解决以上挑战，华为基于SDN思想，把敏捷概念引入园区网络，实现高性能校园核心以及高效无线接入，让网络更敏捷地为业务服务。

敏捷网络中，“灵活+快速”的敏捷交换机替代了传统交换机。

例如，管理员可以“灵活+快速”地配置、管理和维护设备，业务更改时不再需要逐一对单台设备进行配置更改，不再为网络故障而花费长时间定位。

接入用户在敏捷网络中可以“灵活+快速”访问网络，从任意地点使用任意接入方式都可获得相同的网络体验。

下面以某高校校园的敏捷网络部署为例，一起看下敏捷网络给高校园区带来的改变。

1.2 组网需求某高校本部原有网络如图1-1所示，通过核心交换机管理有线用户，通过独立AC管理无线用户。

l 本部园区网络为本部不同区域的用户提供接入及访问Internet的服务，有线采用802.1x认证，无线采用WEB认证。

图中只列出了教学区和办公区的网络规划，其他区域与之相似，未列出。

l 网络中有VOIP电话业务，同时提供网络打印机、多媒体等服务。

l 分校区用户通过Intranet内部网络访问本部园区网络。

l 外部用户通过Internet访问本部园区网络的服务器。

图1-1 高校本部园区基本网络（未部署敏捷网络）目前在现有网络基础上部署业务时遇到以下问题：l 学校人数逐年增多，庞大的无线终端用户对无线业务需求迫切，由于学校将有线网络和无线网络分开部署，管理困难。

学校希望有线网络和无线网络能够统一部署，简化管理，提升效率。

l 随着学校各类网络业务的发展，接入用户具有高移动性的特点，网络信息安全显得尤其重要。

学校希望实现对接入用户进行角色划分，各类角色用户在自由移动、任意接入的大背景下，业务策略和网络体验能够保持一致。

华为AgileControlle...华为Agile Controller-CampusV100R003 订购指南Issue V1.5Date2017-7-31华为技术有限公司修订记录⽬录1产品简介 (4)1.1产品简介 (4)1.2产品架构 (4)1.3可靠性说明 (5)1.4可销售特性 (5)2产品订购指导 (6)2.1软件配置 (6)2.2硬件配置 (8)2.3外购件 (11)2.4定制开发费⽤ (12)2.5版本升级费⽤ (13)2.6服务 (13)3新建项⽬的配置报价指导 (13)3.1新建项⽬的数据准备： (13)3.2添加产品节点 (15)3.3配置Agile Controller-Campus (15)3.4配置Agile Controller-Campus HW (17)4扩容项⽬的配置报价指导 (18)4.1扩容项⽬的数据准备： (18)4.2添加产品节点 (19)4.3配置Agile Controller-Campus (19)4.4配置Agile Controller-Campus HW (20)1产品简介1.1产品简介Agile Controller-Campus是华为推出的园区策略控制系统，提供企业雇员、访客⼈员、设备管理员的统⼀接⼊和管理，可集中控制园区⽤户的权限，QoS，带宽，应⽤，安全等策略，适⽤于需要对⽤户接⼊⽹络进⾏⾝份验证和授权的项⽬，可涵盖⾦融、政府、教育、医疗、酒店等⾏业。

1.2产品架构分级管理中⼼（Manager Center, MC）在分级管理场景使⽤，负责制定全局策略，对下级节点（SM/SC）的实施情况进⾏监控。

业务管理器（Service Manager, SM）承担业务管理的⾓⾊。

系统管理员通过WEB管理界⾯，完成⽤户、业务、安全策略的配置⼯作。

业务控制器（Service Controller, SC）集成标准Radius、Portal服务器，与NAD设备（交换机等）联动，完成Client的认证和授权⼯作。

BrochureProduct OverviewCloudEngine S6730S-S series full-featured 10 GE switches are Huawei's new generation fixed switches ,to provide 10 GE downlink ports as well as 40 GE uplink ports.CloudEngine S6730S-S can be used to provide high-speed access for WiFi 6 APs and 10 Gbit/s access to high-density servers or function as a core/aggregation switch on a campus network to provide 40 Gbit/s rate. In addition, CloudEngine S6730S-S provides a wide variety of services, comprehensive security policies, and various QoS features to help customers build scalable, manageable, reliable, and secure campus and data center networks.Models and AppearanceAppearance DescriptionCloudEngine S6730S-S24X6Q-A ●24 x 10 Gig SFP+, 6 x 40 Gig QSFP ● Dual pluggable power modules, with one 600 W AC power module by default●Forwarding performance: 300Mpps●Switching capacity: 2.4 Tbit/s Features and HighlightsAbundant Convergence● The CloudEngine S6730S-S series supports SVF and functions as a parent switch. With this virtualization technology, a physical network with the "Small-sized core and aggregation switches + Access switches + APs" structure can be virtualized into a "super switch", greatly simplifying network management.● The CloudEngine S6730S-S series provides excellent QoS capabilities and supports queue scheduling and congestion control algorithms. Additionally, it adopts innovative priority queuing and multi-level scheduling mechanisms to implement fine-grained scheduling of data flows, meeting service quality requirements of different user terminals and services.Providing Granular Network Management● The CloudEngine S6730S-S series uses the Packet Conservation Algorithm for Internet (iPCA) technology that alters the traditional method of using simulated traffic for fault location. iPCA technology can monitor network quality for any service flow anywhere, anytime, without extra costs. It can detect temporary service interruptions in a very short time and can identify faulty ports accurately. This cutting-edge fault detection technology turns "extensive management" to "granular management."●The CloudEngine S6730S-S series supports Two-Way Active Measurement Protocol (TWAMP) to accurately check any IP link and obtain the entire network's IP performance. This protocol eliminates the need of using a dedicated probe or a proprietary protocol.Flexible Ethernet Networking●In addition to traditional Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP), the CloudEngine S6730S-S series supports Huawei-developed Smart Ethernet Protection (SEP) technology and the latest Ethernet Ring Protection Switching (ERPS) standard. SEP is a ring protection protocol specific to the Ethernet link layer, and applies to various ring network topologies, such as open ring topology, closed ring topology, and cascading ring topology. This protocol is reliable, easy to maintain, and implements fast service switching within 50 milliseconds. ERPS is defined in ITU-T G.8032. It implements millisecond-level protection switching based on traditional Ethernet MAC and bridging functions.●The CloudEngine S6730S-S series supports Smart Link and Virtual Router Redundancy Protocol (VRRP), which implement backup of uplinks. One CloudEngine S6730S-S switch can connect to multiple aggregation switches through multiple links, significantly improving reliability of access devices.Intelligent Stack (iStack)●The CloudEngine S6730S-S series supports the iStack function that combines multiple switches into a logical switch. Member switches in a stack implement redundancy backup to improve device reliability and use inter-device link aggregation to improve link reliability. iStack provides high network scalability. You can increase a stack's ports, bandwidth, and processing capacity by simply adding member switches. iStack also simplifies device configuration and management. After a stack is set up, multiple physical switches can be virtualized into one logical device. You can log in to any member switch in the stack to manage all the member switches in it.Cloud-based Management●The Huawei cloud management platform allows users to configure, monitor, and inspect switches on the cloud, reducing on-site deployment and O&M manpower costs and decreasing network OPEX. Huawei switches support both cloud management and on-premise management modes. These two management modes can be flexibly switched as required to achieve smooth evolution while maximizing return on investment (ROI).OPS●Open Programmability System (OPS) is an open programmable system based on the Python language. IT administrators can program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligent O&M. Big Data Powered Collaborative Security●Agile switches use NetStream to collect campus network data and then report such data to the Huawei Cybersecurity Intelligence System (CIS). The purposes of doing so are to detect network security threats, display the security posture across the entire network, and enable automated or manual response to security threats. The CIS delivers the security policies to the Agile Controller. The Agile Controller then delivers such policies to agile switches that will handle security events accordingly. All these ensure campus network security.●The CloudEngine S6730S-S series supports Encrypted Communication Analytics (ECA). It uses built-in ECA probes to extract characteristics of encrypted streams based on NetStream sampling and Service Awareness (SA), generates metadata, and reports the metadata to Huawei Cybersecurity Intelligence System (CIS). The CIS uses the AI algorithm to train the traffic model and compare characteristics of extracted encrypted traffic to identify malicious traffic. The CIS displays detection results on the GUI, provides threat handling suggestions, and automatically isolates threats with the Agile Controller to ensure campus network security.●The CloudEngine S6730S-S series supports deception. It functions as a sensor to detect threats such as IP address scanning and port scanning on a network and lures threat traffic to the honeypot for further checks. The honeypot performs in-depth interaction with the initiator of the threat traffic, records various application-layer attack methods of the initiator, and reports security logs to the CIS. The CIS analyzes security logs. If the CIS determines that the suspicious traffic is an attack, it generates an alarm and provides handling suggestions. After the administrator confirms the alarm, the CIS delivers a policy to the Agile Controller. The Agile Controller delivers the policy to the switch for security event processing, ensuring campus network security.Intelligent O&M●The CloudEngine S6730S-S series provides telemetry technology to collect device data in real time and send the data to Huawei campus network analyzer CampusInsight. The CampusInsight analyzes network data based on the intelligent fault identification algorithm, accurately displays the real-time network status, effectively demarcates and locates faults in a timely manner, and identifies network problems that affect user experience, accurately guaranteeing user experience.●The CloudEngine S6730S-S series supports a variety of intelligent O&M features for audio and video services, including the enhanced Media Delivery Index (eMDI). With this eDMI function, the CloudEngine S6730S-S series can function as a monitored node to periodically conduct statistics and report audio and video service indicators to the CampusInsight platform. In this way, the CampusInsight platform can quickly demarcate audio and video service quality faults based on the results of multiple monitored nodes.Intelligent Upgrade●Switches support the intelligent upgrade feature. Specifically, switches obtain the version upgrade path and download the newest version for upgrade from the Huawei Online Upgrade Platform (HOUP). The entire upgrade process is highly automated and achieves one-click upgrade. In addition, preloading the version is supported, which greatly shortens the upgrade time and service interruption time.●The intelligent upgrade feature greatly simplifies device upgrade operations and makes it possible for the customer to upgrade the version independently. This greatly reduces the customer's maintenance costs. In addition, the upgrade policies on the HOUP platform standardize the upgrade operations, which greatly reduces the risk of upgrade failures. Product SpecificationsFixed ports 24 x 10 Gig SFP+, 6 x 40 Gig QSFPDimensions (W x D x H) 442 mm x 420 mm x 43.6 mmChassis height(U) 1UInput voltage AC Power●Rated AC voltage: 100V to 240V AC; 50/60 Hz●Max. AC voltage: 90V to 290V AC; 45–65 HzDC Power●–48V～–60VInput current AC 600W：Max 8AMaximum power consumption 225W（220V input）249W（90V input）Minimum power consumption 88WOperating temperature ●0–1800 m altitude: -5°C to 45°C●1800–5000 m altitude: The operating temperature reduces by 1°C every time thealtitude increases by 220 m.Storage temperature -40-70℃Operating altitude 5000 m52dB(A)Noise (sound pressure at normaltemperature)Surge protection specification AC power interface: differential mode: ±6kV: common mode: ±6kVPower supply type 600W AC Power1000W DC PowerRelative humidity 5% to 95% (non-condensing)Fans 4 , Fan modules are pluggableHeat dissipation Heat dissipation with fan, intelligent fan speed adjustmentService FeaturesMAC Up to 64K MAC address entriesIEEE 802.1d standards complianceMAC address learning and agingStatic, dynamic, and blackhole MAC address entriesPacket filtering based on source MAC addressesVLAN 4K VLANsGuest VLANs and voice VLANsGVRPMUX VLANVLAN assignment based on MAC addresses, protocols, IP subnets, policies, and portsVLAN mappingARP Static ARPDynamic ARPIP routing Static routes, RIP v1/2, RIPng, OSPF, OSPFv3, IS-IS, IS-ISv6, BGP, BGP4+, ECMP, routing policyUp to 32K FIBv4 entriesUp to 16K FIBv6 entriesInteroperability VLAN-Based Spanning Tree (VBST), working with PVST, PVST+, and RPVSTLink-type Negotiation Protocol (LNP), similar to DTPVLAN Central Management Protocol (VCMP), similar to VTPEthernet loop protection RRPP ring topology and RRPP multi-instanceSmart Link tree topology and Smart Link multi-instance, providing millisecond-level protectionswitchoverSEPERPS (G.8032)BFD for OSPF, BFD for IS-IS, BFD for VRRP, and BFD for PIMSTP (IEEE 802.1d), RSTP (IEEE 802.1w), and MSTP (IEEE 802.1s)BPDU protection, root protection, and loop protectionIPv6 features Neighbor Discover (ND)PMTUIPv6 Ping, IPv6 Tracert, IPv6 TelnetACLs based on source IPv6 addresses, destination IPv6 addresses, Layer 4 ports, or protocoltypesMulticast Listener Discovery snooping (MLDv1/v2)IPv6 addresses configured for sub-interfaces, VRRP6, DHCPv6, and L3VPNMulticast IGMP v1/v2/v3 snooping and IGMP fast leaveMulticast forwarding in a VLAN and multicast replication between VLANsMulticast load balancing among member ports of a trunkControllable multicastPort-based multicast traffic statisticsIGMP v1/v2/v3, PIM-SM, PIM-DM, and PIM-SSMMSDPMulticast VPNQoS/ACL Rate limiting in the inbound and outbound directions of a portPacket redirectionPort-based traffic policing and two-rate three-color CAREight queues on each portDRR, SP, and DRR+SP queue scheduling algorithmsWREDRe-marking of the 802.1p and DSCP fields of packetsPacket filtering at Layer 2 to Layer 4, filtering out invalid frames based on the source MACaddress, destination MAC address, source IP address, destination IP address, TCP/UDPsource/destination port number, protocol type, and VLAN IDQueue-based rate limiting and shaping on portsSecurity Hierarchical user management and password protectionDoS attack defense, ARP attack defense, and ICMP attack defenseBinding of the IP address, MAC address, port number, and VLAN IDPort isolation, port security, and sticky MACMAC Forced Forwarding (MFF)Blackhole MAC address entriesLimit on the number of learned MAC addressesIEEE 802.1X authentication and limit on the number of users on a portAAA authentication, RADIUS authentication, and HWTACACS authenticationNACSSH V2.0HTTPSCPU protectionBlacklist and whitelistAttack source tracing and punishment for IPv6 packets such as ND, DHCPv6, and MLD packetsIPSec for management packet encryptionECADeceptionReliability LACPE-TrunkEthernet OAM (IEEE 802.3ah and IEEE 802.1ag)ITU-Y.1731DLDPLLDPBFD for BGP, BFD for IS-IS, BFD for OSPF, BFD for static routesSVF Acting as the parent node to vertically virtualize downlink switches and APs as one device for managementTwo-layer client architectureASs can be independently configured. Services not supported by templates can be configured onthe parent node.Third-party devices allowed between SVF parent and clientsiPCA Marking service packets to obtain the packet loss ratio and number of lost packets in real time Measurement of the number of lost packets and packet loss ratio on networks and devicesManagement and maintenance Cloud-based managementVirtual cable testSNMP v1/v2c/v3RMONWeb-based NMSSystem logs and alarms of different severities GVRPMUX VLANNetStreamTelemetryNetworking and ApplicationsThe CloudEngine S6730S-S series switches can be used as access or aggregation switches on small- and medium-sized campus networks and provide 10G ports for high-speed AP access, meeting the requirement for increasing bandwidth. The rich service features and comprehensive security mechanisms make the CloudEngine S6730S-S cost effective on campus networks.Ordering InformationThe following table lists ordering information of the CloudEngine S6730S-S series switches.Model Product DescriptionCloudEngine S6730S-S24X6Q-A(24*10 Gig SFP+, 6*40 Gig QSFP,1*600W AC power) CloudEngine S6730S-S24X6Q-AL-VxLAN-S67 S67Series, VxLAN License, Per DeviceN1-S67S-M-Lic S67 Series Basic SW,Per DeviceN1-S67S-M-SnS1Y S67 Series Basic SW,SnS,Per Device,1YearPAC-600S12-CB 600W AC power modulePDC1000S12-DB 1000W DC power moduleMore InformationFor more information about Huawei Campus Switches, visit or contact us in the following ways:●Global service hotline: /en/service-hotline●Logging in to the Huawei Enterprise technical support website: /enterprise/Sending an email to the customer service mailbox: ********************Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd.Trademarks and Permissionsand other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders.NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, andrecommendations in this document are provided "AS IS" without warranties, guarantees or representations ofany kind, either express or implied.The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied. Huawei Technologies Co., Ltd. Address:Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website:。

Agile Controller-Campus V100R002C00 配置手册(仅供内部使用)拟制: 汪敦全、丁凌风、蒲俊杰日期：2014-4-2审核: 日期：审核: 日期：批准: 日期：华为技术有限公司版权所有侵权必究目录1Agile Controller-Campus V100R002C00总体介绍 (9)1.1系统网络逻辑结构及接口关系 (10)1.1.1Controller服务器网络实体组成 (10)1.1.2Controller安全协防组件网络实体组成 (11)1.2组网方式和配置原则介绍 (11)1.2.1Controller服务器的组网和配置原则 (11)1.2.2802.1X准入控制的组网和配置原则 (17)1.2.3硬件SACG准入控制的组网和配置原则 (20)2产品基本配置说明 (24)2.1系统配置简介 (24)2.2SM&SC组件的服务器和客户端配置说明 (26)2.2.1服务器配置 (27)2.2.2客户端配置 (32)2.2.3服务器软硬件配置说明 (32)1.单服务器方案配置说明 (33)2.服务器备份方案配置说明 (34)3.数据库镜像方案配置说明 (35)2.3安全协防组件设备配置说明 (35)3报价项配置说明 (38)3.1配置概述 (38)3.2Agile Controller-Campus 软件报价说明 (38)3.2.1接入控制报价项 (38)3.2.2访客管理报价项 (39)3.2.3业务随行报价项 (40)3.2.1业务编排报价项 (40)3.3安全协防软件报价说明 (40)3.3.1SecView报价项 (43)3.3.2iRadar报价项 (43)3.4SM&SC组件的业务整机报价项说明 (43)3.5安全协防组件的业务整机服务器报价项说明 (49)3.7存储设备报价项说明 (52)4产品配置说明 (52)4.1产品配置清单和配置说明 (52)4.2业务整机的配置说明 (54)4.3存储配置说明 (69)4.4组件｜附件-Agile Controller-软件 (73)4.5组件｜License配置说明 (76)4.5.1License包配置说明 (76)4.5.2License报价项配置说明 (77)4.5.3接入控制服务License配置说明 (77)4.5.4访客管理特性License配置说明 (78)4.5.5业务随行特性License配置说明 (79)4.5.6业务编排特性License配置说明 (79)4.5.7安全协防特性License配置说明 (80)4.5.8定制开发License配置说明 (82)4.6外部成套电缆配置说明 (82)5资料配置说明 (84)6部分配件说明 (84)6.1市场建议 (84)6.2用户自备硬件说明 (84)6.3合同预审要求 (85)7扩容和升级改造方法与配置说明 (85)7.1扩容方法与配置说明 (85)7.1.1扩容的方法与原则 (85)7.1.2扩容设备的清单 (85)7.1.3可扩容部分的说明 (85)7.1.4扩容所涉及的机柜、母板插框、单板等的配置原则 (86)7.1.5扩容中需特别注意的问题 (86)7.2升级改造方法与配置说明 (86)7.2.1升级改造方法 (86)7.2.2升级设备的清单 (86)7.2.3可升级部分的说明 (86)7.2.4更换部件注意事项 (86)8.1附录I：缩略语清单 (87)表目录表1 集中组网推荐配置表 (25)表2 分布式组网分支机构推荐配置表 (25)表3 AnyOffice客户端的运行环境 (32)图目录图1 Agile Controller-Campus系统网络实体组成 (10)图2 单服务器集中组网方案 (12)图3 双服务器集中组网方案 (13)图4 三服务器集中组网方案 (14)图5 业务控制器分布式组网方案 (16)图6 在接入层交换机上实施802.1X (18)图7 在汇聚层交换机上实施802.1X (19)图8 SACG直挂路由模式部署方案 (20)图9 SACG侧挂路由模式部署方案 (21)图10 SACG透明/混合模式部署方案 (22)图11 SACG侧挂侧挂核心交换机示意图 (23)Agile Controller-Campus V100R002C00配置手册关键词：准入控制、补丁管理、软件分发、安全接入控制网关、WEB认证客户端。

Agile Controller-Campus V100R002C00 配置手册(仅供内部使用)拟制: 汪敦全、丁凌风、蒲俊杰日期：2014-4-2审核: 日期：审核: 日期：批准: 日期：华为技术有限公司版权所有侵权必究目录1Agile Controller-Campus V100R002C00总体介绍 (9)1.1系统网络逻辑结构及接口关系 (10)1.1.1Controller服务器网络实体组成 (10)1.1.2Controller安全协防组件网络实体组成 (11)1.2组网方式和配置原则介绍 (11)1.2.1Controller服务器的组网和配置原则 (11)1.2.2802.1X准入控制的组网和配置原则 (17)1.2.3硬件SACG准入控制的组网和配置原则 (20)2产品基本配置说明 (24)2.1系统配置简介 (24)2.2SM&SC组件的服务器和客户端配置说明 (26)2.2.1服务器配置 (27)2.2.2客户端配置 (32)2.2.3服务器软硬件配置说明 (32)1.单服务器方案配置说明 (33)2.服务器备份方案配置说明 (34)3.数据库镜像方案配置说明 (35)2.3安全协防组件设备配置说明 (35)3报价项配置说明 (38)3.1配置概述 (38)3.2Agile Controller-Campus 软件报价说明 (38)3.2.1接入控制报价项 (38)3.2.2访客管理报价项 (39)3.2.3业务随行报价项 (40)3.2.1业务编排报价项 (40)3.3安全协防软件报价说明 (40)3.3.1SecView报价项 (43)3.3.2iRadar报价项 (43)3.4SM&SC组件的业务整机报价项说明 (43)3.5安全协防组件的业务整机服务器报价项说明 (49)3.7存储设备报价项说明 (52)4产品配置说明 (52)4.1产品配置清单和配置说明 (52)4.2业务整机的配置说明 (54)4.3存储配置说明 (69)4.4组件｜附件-Agile Controller-软件 (73)4.5组件｜License配置说明 (76)4.5.1License包配置说明 (76)4.5.2License报价项配置说明 (77)4.5.3接入控制服务License配置说明 (77)4.5.4访客管理特性License配置说明 (78)4.5.5业务随行特性License配置说明 (79)4.5.6业务编排特性License配置说明 (79)4.5.7安全协防特性License配置说明 (80)4.5.8定制开发License配置说明 (82)4.6外部成套电缆配置说明 (82)5资料配置说明 (84)6部分配件说明 (84)6.1市场建议 (84)6.2用户自备硬件说明 (84)6.3合同预审要求 (85)7扩容和升级改造方法与配置说明 (85)7.1扩容方法与配置说明 (85)7.1.1扩容的方法与原则 (85)7.1.2扩容设备的清单 (85)7.1.3可扩容部分的说明 (85)7.1.4扩容所涉及的机柜、母板插框、单板等的配置原则 (86)7.1.5扩容中需特别注意的问题 (86)7.2升级改造方法与配置说明 (86)7.2.1升级改造方法 (86)7.2.2升级设备的清单 (86)7.2.3可升级部分的说明 (86)7.2.4更换部件注意事项 (86)8.1附录I：缩略语清单 (87)表目录表1 集中组网推荐配置表 (25)表2 分布式组网分支机构推荐配置表 (25)表3 AnyOffice客户端的运行环境 (32)图目录图1 Agile Controller-Campus系统网络实体组成 (10)图2 单服务器集中组网方案 (12)图3 双服务器集中组网方案 (13)图4 三服务器集中组网方案 (14)图5 业务控制器分布式组网方案 (16)图6 在接入层交换机上实施802.1X (18)图7 在汇聚层交换机上实施802.1X (19)图8 SACG直挂路由模式部署方案 (20)图9 SACG侧挂路由模式部署方案 (21)图10 SACG透明/混合模式部署方案 (22)图11 SACG侧挂侧挂核心交换机示意图 (23)Agile Controller-Campus V100R002C00配置手册关键词：准入控制、补丁管理、软件分发、安全接入控制网关、WEB认证客户端。

agile controller 手册Agile Controller 手册是关于华为公司开发的网络管理平台——Agile Controller 的详细文档。

本手册旨在为用户提供必要的指导，帮助他们正确、高效地使用和管理这一平台。

在本手册中，你将了解到关于Agile Controller的基本概念、功能特性以及使用方法等内容。

以下是本手册的详细内容：一、简介1.1 Agile Controller 概述1.2 手册目的1.3 使用范围和对象1.4 术语和缩略语解释二、安装与部署2.1 系统要求2.2 安装前准备2.3 Agile Controller 安装步骤2.4 系统部署配置三、用户管理3.1 超级管理员账户3.2 用户权限管理3.3 用户组管理3.4 登录与注销操作四、网络设备管理4.1 设备接入与管理4.2 设备监控与告警4.3 设备配置备份与恢复4.4 设备拓扑图五、网络拓扑管理5.1 拓扑发现与显示5.2 拓扑分析与规划5.3 拓扑自动布局六、网络服务管理6.1 VLAN配置与管理 6.2 路由配置与管理6.3 QoS配置与管理6.4 安全策略配置与管理6.5 NAT配置与管理七、流量监控与分析7.1 流量监控与实时统计 7.2 流量报表与分析7.3 流量告警与日志管理八、故障定位与排除8.1 告警处理与故障定位 8.2 故障排除与修复8.3 系统日志与事件管理九、系统管理与维护9.1 系统配置与设置9.2 数据备份与恢复9.3 系统升级与Patch管理9.4 授权与License管理十、常见问题解答10.1 安装与部署问题10.2 用户管理问题10.3 设备管理问题10.4 网络服务问题10.5 流量监控问题10.6 故障排除问题10.7 系统维护问题结论本手册为用户提供了关于Agile Controller的全面介绍，并指导用户如何正确使用和管理该平台。

通过学习本手册，用户可以更好地理解Agile Controller的功能特性，并掌握相应的操作技巧。