Data Communication Network Basics
Huawei Confidential
Foreword
⚫ A data communication network consists of routers, switches, firewalls, wireless controllers, wireless
access points (APs), personal computers (PCs), network printers, and servers. The most basic function
of a data communication network is to implement data communication.
⚫ Nowadays, the data communication network has become the cornerstone of the intelligent world and
an important support for the digital transformation of enterprises.
⚫ Before gaining an in-depth understanding of products and solutions in the data communication
network field, you are expected to master common basic technologies and familiarize yourself with
basic protocols.
⚫ This course introduces basic knowledge about the data communication network, including basic
concepts of the data communication network, Internet Protocol (IP) routing, Ethernet switching,
network security, wide area network (WAN) technologies, network management and O&M, and
quality of service (QoS).
Objectives
⚫ Upon completion of this course, you will be able to:
  • Describe the concepts and functions of the data communication network.
  • Describe the common networking architecture of the data communication network.
  • Describe common devices of the data communication network as well as their basic functions and application scenarios.
  • Describe the TCP/IP reference model and use this model to analyze the data encapsulation and decapsulation processes.
  • Describe basic concepts related to IP routing, Ethernet switching, network security, WAN technologies, network management and O&M, and QoS.
Contents
1. Basic Concepts of the Data Communication Network
2. IP Routing Basics
3. Ethernet Switching Basics
4. Network Security Overview
5. WAN Technologies
6. Network Management and O&M
7. QoS
End-to-End Data Communication Industry
[Figure: End-to-end data communication industry. Labels: CloudCampus; CloudWAN; hyper-converged data center network (DCN); general-purpose computing; storage; high-performance computing; network security.]
• The data communication network comprises a variety of data communication devices.
• The data communication network is the cornerstone for the digital world.
Concepts of the Data Communication Network
⚫ A data communication network consists of routers, switches, firewalls, wireless controllers, wireless APs, PCs, network printers, and
servers. The most basic function of a data communication network is to implement data communication.
[Figure: example data communication networks. Sites: hotel, enterprise, home network, campus network, micro-sized store, higher education institution, local DC. Devices: APs (including a central AP and RU), wireless access controller (WAC), switches, firewalls, ARs, intrusion prevention system (IPS), NE router, servers, storage network. The sites connect over the Internet or a WAN to a DCN with spine and leaf switches, an Internet access zone, a production environment zone and a demilitarized zone (DMZ).]
Simplest Data Communication Scenario
[Figure: PC1 and PC2 connected by an Ethernet twisted pair. Each PC has an IP address and a media access control (MAC) address and runs the application, transport, network, data link and physical layers. The payload is placed in a Layer 4 envelope (transport layer), a Layer 3 envelope (network layer) and a Layer 2 envelope (data link layer).]
Common Network Devices: Campus Switches
A campus switch:
• Is used to construct local area networks (LANs).
• Connects terminals (such as PCs and servers) to networks.
• Enables exchanges of Ethernet data frames.
Common Network Devices: CloudEngine S Series Campus Switches
[Figure: CloudEngine S series campus switches. Fixed: CloudEngine S5731-H48T4XC. Modular: CloudEngine S12700E-8, with main control board, service board, switch fabric unit (SFU), power module and centralized monitoring unit (CMU).]
Common Network Devices: Routers
A router:
• Is used to connect to different broadcast domains and IP network segments.
• Maintains routing tables and runs routing protocols to discover data forwarding paths (routing information).
• Forwards IP packets according to its routing table.
• Connects to a WAN, with functions such as network address translation and access control.
Common Network Devices: NetEngine Series Routers
[Figure: NetEngine series routers. NetEngine access router (AR): NetEngine AR6121. NetEngine metro router: NetEngine 8000.]
Common Network Devices: DC Switches
A DC switch:
• Is an Ethernet switch applied in DCs.
• Connects to a myriad of servers, firewalls, intrusion prevention system (IPS) devices, and load balancers to meet network requirements of DCs in the cloud era.
• Is required to provide high performance, high density, low latency, and large buffer.
• Provides high scalability and supports large-scale networking through the spine-leaf architecture.
[Figure: DC network with a core, spine and leaf switches and servers. Zones: test environment zone, production environment zone, campus access zone, WAN access zone, Internet access zone.]
Common Network Devices: CloudEngine Series DC Switches
[Figure: CloudEngine series DC switches: CloudEngine 12800 and 16800; CloudEngine 6800.]
Common Network Devices: Firewalls
A firewall:
• Isolates networks of different security levels.
• Implements traffic control (using security policies).
• Implements intrusion prevention, Uniform Resource Locator (URL) filtering, data filtering, and application behavior control.
• Implements user identity authentication.
• Implements Remote Authentication Dial In User Service (RADIUS).
• Implements data encryption and virtual private network (VPN) services.
• Implements Network Address Translation (NAT) and other security functions.
[Figure: a firewall connecting the Internet, the untrust zone, the trust zone and the DMZ.]
Common Network Devices: HiSec Engine USG Series Firewalls
[Figure: HiSec Engine unified security gateway (USG) series firewalls: HiSec Engine USG6600E.]
Common Network Devices: WAC and APs
Fat AP
• Networking characteristics: Fat APs work independently and require separate configurations. Fat APs provide only simple functions and are cost-effective.
• Applicability: homes, micro-sized stores, etc.
WAC + Fit APs
• Networking characteristics: Fit APs are managed and configured by the WAC in a unified manner, providing various functions. Fit APs have high requirements on network maintenance personnel's skills.
• Applicability: medium- and large-sized enterprises
Common Network Devices: WAC and AirEngine APs
[Figure: WAC: AirEngine 9700-M. AP: AirEngine 8760-X1-PRO.]
Network Topology
A network topology:
• Is presented as a structured layout using transmission media (such as twisted pairs and optical fibers) to interconnect various devices (such as computers, routers, and switches).
• Is a very important network concept used to describe the physical or logical structure of a network in the network engineering field.
[Figure: layered topology with an egress zone (Internet, WAN), core layer, aggregation layer, access layer and terminal layer, a network management and O&M zone, a DC, and iStack/CSS links.]
Management Modes for Common Network Devices
Management mode 1: You can log in to a device through the console port from a PC, using a console cable. Typically, this method is used in scenarios where a device is powered on for the first time.
Management mode 2: You can remotely manage a device from a PC using Telnet or Secure Shell (SSH), or through a web interface.
Management mode 3: The network management system (NMS) remotely manages and delivers configurations to a device through Telnet, SSH, or Simple Network Management Protocol (SNMP). On this basis, the software-defined networking (SDN) controller manages the device through Network Configuration Protocol (NETCONF).
iMaster NCE
• Full-lifecycle automation: device plug-and-play and self-service
• Intelligent closed-loop management based on big data and AI: predictive maintenance, solving problems before customer complaints
• All-cloud platform with ultra-large capacity: ultra-large capacity and elastic scalability
• Open programmability-enabled and scenario-based application ecosystem: simplified IT application integration based on Design Studio
[Figure: iMaster NCE (management, control, analysis) on a cloud platform, between the network and the IT/operations support system (OSS)/applications. Labels: network automation; network intelligence; development & operations (DevOps); multi-tenant; multi-service; multi-industry.]
Reference Model in the Data Communication Network
• Layer 5, application layer: Contains various types of applications that provide abundant system application interfaces for users' application software.
• Layer 4, transport layer: Establishes, maintains, and cancels end-to-end data transmission, controls transmission speeds, and adjusts the data sequences.
• Layer 3, network layer: Implements end-to-end data transmission between any two nodes based on the network layer addresses contained in the data.
• Layer 2, data link layer: A logical data link is established between adjacent nodes connected through a physical link to implement direct data communication in point-to-point (P2P) or point-to-multipoint (P2MP) mode on the link.
• Layer 1, physical layer: Converts logical 0s and 1s into physical signals (optical/electrical signals) that can be carried by transmission media, sends and receives physical signals, and transmits physical signals on transmission media.
Reference Model and Common Protocols in the Data Communication Network
• Layer 5, application layer: Telnet, FTP, TFTP, SNMP, HTTP, Simple Mail Transfer Protocol (SMTP), DHCP, etc.
• Layer 4, transport layer: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), etc.
• Layer 3, network layer: Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), Internet Control Message Protocol (ICMP), Internet Control Message Protocol version 6 (ICMPv6), Open Shortest Path First (OSPF), intermediate system-to-intermediate system (IS-IS), Border Gateway Protocol (BGP), etc.
• Layer 2, data link layer: Point-to-Point Protocol (PPP), Link Layer Discovery Protocol (LLDP), Point-to-Point Tunneling Protocol (PPTP), etc.
• Layer 1, physical layer: EIA/TIA-232, etc.
Application Layer
• The application layer provides interfaces for application software so that
applications can use network services.
• The application layer protocol designates transport layer protocols and ports.
• The protocol data unit (PDU) corresponding to the application layer is called
data, which is also the payload to be transmitted by a network system.
• HTTP (TCP port 80): Hypertext Transfer Protocol, providing web browsing
services
• Telnet (TCP port 23): a remote login protocol, providing remote device
management services
• FTP (TCP port 20 and TCP port 21): File Transfer Protocol, providing file
resource sharing services
• DHCP (UDP port 67 and UDP port 68): Dynamic Host Configuration Protocol,
providing dynamic address management services
• TFTP (UDP port 69): Trivial File Transfer Protocol, providing simple file transfer
services
• ...
Transport Layer
• The transport layer receives data from the application layer,
encapsulates the data with the corresponding transport layer
protocol header, and helps establish an end-to-end connection.
• Typical transport layer protocols include TCP and UDP.
• The PDU corresponding to the transport layer is called a segment.
Latest transport layer protocols: Multipath Transmission Control Protocol (MPTCP), data
center TCP (DCTCP), Data Center Quantized Congestion Notification (DCQCN), Quick UDP
Internet Connections (QUIC), etc.
TCP | UDP
Connection-oriented | Connectionless
Reliable transmission | Best-effort transmission
Flow control and window mechanism | None
Applications: HTTP, FTP, Telnet, etc. | Applications: DNS, SNMP, etc.
Transport Layer: Port Number
[Figure: PC1 (IP address: 1.1.1.1) uses TCP port 1024 for its HTTP application and TCP port 1231 for Telnet. PC2 (IP address: 2.2.2.2) uses TCP port 80 for its HTTP application and TCP port 23 for Telnet. The two PCs are connected through a network.]
• Generally, the source port is randomly allocated, while the destination port is specified by the corresponding
application.
• Generally, the source port used by the application client is an idle port whose number is greater than 1023.
• The number of the destination port is the same as that of the listening port of an application (or a service) enabled
on the server. For example, the default port number for HTTP is 80.
[Figure: a packet from the web browser to the web server. IP header: source IP address 1.1.1.1, destination IP address 2.2.2.2. TCP header: source port number 1024, destination port number 80. Then the HTTP payload.]
Network Layer
• The transport layer is responsible for connections between nodes, while
the network layer is for end-to-end data transmission from one node
to another and for data forwarding from the source to the destination.
• The PDU corresponding to the network layer is called a packet.
• The network layer defines the packet format, provides logical addresses
for nodes, and is responsible for the addressing and routing of data
packets.
Key protocols:
• IPv4: OSPFv2, IS-IS, BGP
• IPv6: OSPFv3, IPv6 IS-IS, BGP4+
Network Layer: IPv4 and IPv6 Network Addresses
[Figure: IPv4 network with PC1 (1.1.1.1/24) and PC2 (2.2.2.2/24).]
• An IPv4 address identifies a node (or a device interface) on
an IPv4 network.
• An IPv4 address is 32 bits long.
• An IPv4 address is usually represented in dotted decimal
notation.
• A subnet mask of an IPv4 address is 32 bits and can be
expressed in dotted decimal notation or be presented by a
mask length.
• In a subnet mask of an IPv4 address, bits with the value of 1 correspond to the network bits, while bits with the value of 0 correspond to the host bits. As such, the network and host bits in an IPv4 address can be identified.
[Figure: IPv6 network with PC1 (FC00:1::1/64) and PC2 (FC00:2::1/64).]
• The network addresses used on an IPv6 network are IPv6
addresses.
• An IPv6 address is 128 bits long.
• An IPv6 address is usually expressed in hexadecimal numbers
separated by colons (:).
• An IPv6 address is expressed in the format of IPv6
address/mask length, specifying the mask length of the
network part in the address.
Network Layer: Packet Forwarding Based on Network Addresses
[Figure: PC1 (address 1) sends a packet through R1 to PC2 (address 2) in network A. The packet consists of a network layer header (source network address, destination network address) and a payload. The routing table of R1 maps network A to outbound interface GE1/0/0.]
• The network layer header of the
packet sent by the source node
carries the network addresses of the
source and destination nodes of the
packet.
• Routing-capable devices (such as
routers) maintain routing tables.
• When receiving packets, these
devices read the destination
addresses carried in the packets at
the network layer and query the
addresses in their routing tables.
After finding matching entries, the
devices forward the packets
according to the entries.
Data Link Layer
• The data link layer is responsible for data transmission between two
adjacent nodes on a physical link, and provides error notification and
flow control.
• The data link layer encapsulates packets from the network layer into
frames and converts the frames into bits for data transmission at the
physical layer.
• During the assembly of a data frame, the address is written into the
header of the data frame for addressing and forwarding.
• The network layer implements data transmission between any two
nodes on the global network. During this process, data may pass
through multiple links. One basic function of the data link layer is to
transmit data from one node to another adjacent node on these links.
• Common data link layer protocols include LLDP, PPP, and Spanning
Tree Protocol (STP).
• The PDU corresponding to the data link layer is called a frame.
Data Link Layer: Ethernet
• Ethernet is a well-known and widely used technology defined in IEEE 802.3.
• Currently, network interfaces of PCs comply with the Ethernet standard.
• An address defined in the data link layer is called a MAC address, which is
compulsory for all Ethernet NICs that comply with the IEEE 802 standards.
• A MAC address is 48 bits long and is usually expressed in hexadecimal
format. The following are two examples:
  • 00-21-0A-B9-DC-79
  • 0021-0AB9-DC79
• A device that works at the data link layer, such as an Ethernet switch,
maintains a MAC address table that guides frame forwarding.
Physical Layer
• After data arrives at the physical layer, the physical layer converts a
digital signal into an optical signal, an electrical signal, or an
electromagnetic wave signal based on the physical media.
• The PDU corresponding to the physical layer is called a bit.
• The physical layer defines physical features and specifications such as
cables, pins, and ports.
• Common transmission media include Ethernet twisted pairs, optical
fibers, and electromagnetic waves.
Encapsulation and Decapsulation During Data Transmission
Layer | PDU | Content at this layer
Application layer | Data | Data payload
Transport layer | Segment | Transport layer header + data payload
Network layer | Packet | IP header + upper-layer data
Data link layer | Frame | Frame header + upper-layer data + frame trailer
Physical layer | Bit | 101010111100…
Encapsulation runs from the application layer down to the physical layer on the sender. Decapsulation runs in the reverse order on the receiver.
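The encapsulation and decapsulation steps above, worked through in Python for the web browser example from the port number slide (1.1.1.1:1024 to 2.2.2.2:80). This is an added example, not part of the original course material; the MAC addresses, the HTTP payload and the TCP field values are constructed, and the function names are illustrative.

```python
import socket
import struct
import zlib

ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    """Accepts both notations from the Ethernet slide: 00-21-0A-B9-DC-79, 0021-0AB9-DC79."""
    return bytes.fromhex(mac.replace("-", ""))


def encapsulate(payload, src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Sender side: data -> segment -> packet -> frame."""
    sip, dip = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # Transport layer: 20-byte TCP header (seq=1, ack=1, PSH+ACK). The checksum
    # covers a pseudo-header, the TCP header and the data.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = sip + dip + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    segment = tcp + payload
    # Network layer: 20-byte IPv4 header with the source/destination IP addresses.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000,
                     64, IP_PROTO_TCP, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    packet = ip + segment
    # Data link layer: Ethernet header in front, frame trailer (CRC-32 FCS) behind.
    body = (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!H", ETH_TYPE_IPV4) + packet)
    return body + struct.pack("<I", zlib.crc32(body))


def decapsulate(frame: bytes) -> dict:
    """Receiver side: check and strip one layer at a time, bottom up."""
    if len(frame) < 14 + 20 + 20 + 4:
        raise ValueError("frame too short")
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("frame trailer (FCS) mismatch")
    (eth_type,) = struct.unpack("!H", body[12:14])
    if eth_type != ETH_TYPE_IPV4:
        raise ValueError("frame does not carry an IPv4 packet")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header or IP checksum mismatch")
    (total_len,) = struct.unpack("!H", packet[2:4])
    if packet[9] != IP_PROTO_TCP or not ihl + 20 <= total_len <= len(packet):
        raise ValueError("packet does not carry a complete TCP segment")
    sip, dip = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    pseudo = sip + dip + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    if inet_checksum(pseudo + segment) != 0:
        raise ValueError("TCP checksum mismatch")
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    if not 20 <= data_offset <= len(segment):
        raise ValueError("bad TCP data offset")
    return {"dst_mac": body[0:6].hex("-"), "src_mac": body[6:12].hex("-"),
            "src_ip": socket.inet_ntoa(sip), "dst_ip": socket.inet_ntoa(dip),
            "sport": sport, "dport": dport, "payload": segment[data_offset:]}


def demo():
    # Constructed sample: MAC addresses and HTTP request are not from the slides.
    frame = encapsulate(b"GET / HTTP/1.1\r\nHost: 2.2.2.2\r\n\r\n",
                        "00-21-0A-B9-DC-79", "0021-0AB9-DC7A",
                        "1.1.1.1", "2.2.2.2", 1024, 80)
    return frame, decapsulate(frame)


if __name__ == "__main__":
    frame, layers = demo()
    print(len(frame), "bytes on the wire:", frame.hex())
    print(layers)
```

Each layer on the receiver validates only its own header or trailer before handing the rest upward, which is why a modified payload is caught by the frame trailer first and, if the trailer is recomputed, by the TCP checksum.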
Concepts of Routing
Routing table of R1:
Destination/Mask | Protocol | Preference | Cost | Next Hop | Interface
192.168.1.0/24 | Direct | 0 | 0 | 192.168.1.254 | GE0/0/0
192.168.12.0/24 | Direct | 0 | 0 | 192.168.12.1 | GE0/0/2
192.168.2.0/24 | OSPF | 10 | 3 | 192.168.12.2 | GE0/0/2
[Figure: PC1 (192.168.1.1/24) connects to R1 on GE0/0/0 and sends a packet (IP header + data) toward PC2 (192.168.2.1/24). Data submitted by an upper layer (for example, the transport layer) is put into an envelope: data encapsulation at the network layer adds the source and destination IP addresses.]
When a router (or a routing-capable device) receives an IP data packet, it searches its routing table for the destination IP
address of the packet and selects an optimal path to forward the packet. This process is called routing.
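The lookup described above, as an added example (not part of the original course material) that runs against the routing table of R1 from this slide. It goes beyond the slide by adding three constructed overlapping routes, to show that the most specific matching prefix wins and that, for equal prefixes, the lower preference value and then the lower cost wins; the names `Route`, `parse_table` and `lookup` are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Routing table of R1, copied from the slide:
# destination/mask, protocol, preference, cost, next hop, interface.
R1_TABLE = """\
192.168.1.0/24   Direct  0   0  192.168.1.254  GE0/0/0
192.168.12.0/24  Direct  0   0  192.168.12.1   GE0/0/2
192.168.2.0/24   OSPF    10  3  192.168.12.2   GE0/0/2
"""

# Constructed entries (not on the slide) that overlap the entries above.
EXTRA_ROUTES = """\
0.0.0.0/0         Static  60  0  192.168.12.2  GE0/0/2
192.168.2.128/25  Static  60  0  192.168.12.3  GE0/0/2
192.168.2.0/24    Static  60  0  192.168.12.9  GE0/0/2
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    preference: int
    cost: int
    next_hop: str
    interface: str


def parse_table(text: str) -> List[Route]:
    """Parse whitespace-separated routing table rows."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, proto, pref, cost, next_hop, ifname = line.split()
        routes.append(Route(ipaddress.ip_network(dest), proto,
                            int(pref), int(cost), next_hop, ifname))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the route used to forward a packet, or None if no entry matches."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None  # no matching entry: the packet cannot be forwarded
    # Longest prefix first; for the same prefix the lower preference value wins,
    # then the lower cost.
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference, r.cost))


if __name__ == "__main__":
    r1 = parse_table(R1_TABLE)
    full = r1 + parse_table(EXTRA_ROUTES)
    for table_name, table in (("R1", r1), ("R1 + constructed routes", full)):
        for dst in ("192.168.2.1", "192.168.2.200", "10.9.9.9"):
            route = lookup(table, dst)
            where = f"{route.next_hop} via {route.interface}" if route else "no route"
            print(f"{table_name}: {dst} -> {where}")
```

Because the most specific prefix always wins, reviewing a routing table for unexpected more-specific entries is part of verifying where traffic actually goes.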
How to Obtain Routing Information
A router forwards packets based on its routing table. To achieve this, the router needs to discover routes. The three common types of routes are as follows:
• Direct route: Direct routes are automatically generated by devices and point to directly connected local networks.
• Static route: Static routes are manually configured by network administrators.
• Dynamic route: Dynamic routes are learned by dynamic routing protocols running on routers (dynamic routing protocol in this example: OSPF).
Route Type | Destination/Mask | Outbound Interface
Direct | 10.1.1.0/24 | GE0/0/0
Direct | 20.1.1.0/24 | GE0/0/1
Static | 30.1.1.0/24 | GE0/0/1
Dynamic | 40.1.1.0/24 | GE0/0/2
Application Scenarios of Static Routes
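[Figure: Router A, Router B and Router C, with interface addresses GE0/0/0 10.0.0.1/24, GE0/0/0 10.0.0.2/24, GE0/0/1 20.1.1.2/24 and GE0/0/1 20.1.1.3/24. Router A has packets destined for 20.1.1.0/24.]
Routing table of Router A:
Destination Network | Type | Next Hop
20.1.1.0 | Static | 10.0.0.2
10.0.0.0 | Direct | 10.0.0.1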
• Static routes are manually configured by network
administrators. They are easy to configure, have low
system requirements, and apply to stable and small
networks with simple topologies.
• However, static routes cannot automatically adapt
to network topology changes, thus requiring manual
intervention.
• Router A forwards packets destined for 20.1.1.0/24.
As only direct routes are available in the routing
table of Router A, no matching route is found for
packet forwarding. In this case, a static route can be
manually configured so that Router A can forward
packets destined for 20.1.1.0/24 to the next hop
10.0.0.2.
Overview of Dynamic Routes
• Dynamic routing protocols can automatically discover and generate routes, and update routes when the topology changes. These protocols effectively reduce the workload of management personnel and are more suitable for large networks.
• When the network scale continues to expand, it becomes increasingly complex to manually configure static routes. In addition, static routes cannot adapt to network topology changes in a timely and flexible manner.
Static route | Dynamic route
Static routes need to be manually configured on devices. | Dynamic routes can be automatically discovered and learned.
Static routes cannot adapt to link changes. | Dynamic routes can adapt to topology changes.
[Figure: the same network with static routes and with a dynamic routing protocol (OSPF).]
OSPF Application on a Campus Network
[Figure: campus network with the Internet, a firewall, a core switch, a server cluster, and one aggregation switch for each of office buildings 1, 2 and 3.]
OSPF is configured on the core switch and
aggregation switches to enable route
reachability on the campus network.
Concepts of AS
[Figure: two autonomous systems, AS 100 and AS 200, running IGPs such as OSPF and IS-IS internally.]
• A large number of organizations use IGP routing protocols
such as OSPF and IS-IS on their internal networks. However,
as the network size increases, the number of routes on the
network also rises, thus leading to the failure of IGP to
manage large-scale networks. To solve this issue, the concept
of Autonomous System (AS) emerges.
• An AS consists of a set of devices that are managed by the
same organization and use the same route selection policy.
• Each of these ASs is uniquely identified using an Autonomous
System Number (ASN), which is distributed by the Internet
Assigned Numbers Authority (IANA).
• Which routing protocols should be used to transmit routes
for inter-AS communication?
Route Transmission Through BGP
[Figure: AS 100 (OSPFv3 and RIPng) and AS 200 (IS-IS and IPv6) connected through BGP.]
• IGP enables a router to discover routes to each segment of the local AS, implementing data
communication within the AS.
• On a large-scale network consisting of multiple ASs, an exterior gateway protocol (EGP) is
used to implement route exchange between ASs.
• The Internet is an ultra-large network consisting of multiple ASs. EGP is used on the backbone
nodes of the Internet to implement route exchange between ASs. BGP is the most well-known
and widely used EGP today.
BGP Application on Enterprise Networks
Communication within an enterprise network: On a large enterprise network, BGP is used for route exchange between the headquarters and branches. The two parties belong to different ASs and are deployed by their respective network management teams.
Communication between enterprise and carrier networks: BGP can be used for route exchange between an enterprise and a carrier so that both the enterprise network and carrier network can obtain specific routes from each other.
[Figure: left panel, HQ and two branches in AS 100, AS 200 and AS 800, connected through BGP; right panel, carrier X and Enterprises A, B and N in AS 1000, AS 100, AS 200 and AS 800, connected through BGP.]
Ethernet Layer 2 Switching
[Figure: a core switch connects access switch 1 and access switch 2. Terminals 1 to 4 (192.168.1.1/24 to 192.168.1.4/24, MAC addresses 5469-98AB-0001 to 5469-98AB-0004) use Layer 2 communication. Frame structure: Ethernet header (Layer 2 header, containing the destination MAC address and source MAC address), IP header (Layer 3 header), TCP/UDP header (Layer 4 header), payload, Ethernet trailer.]
• Layer 2 switching is a basic function of Ethernet switches.
• Layer 2 switching is a process in which a switch forwards a frame based on
the destination MAC address in the frame's Layer 2 header.
• Each switch maintains a MAC address table for frame forwarding.
• Upon receipt of a frame, a switch reads the frame's destination MAC
address, searches for this MAC address in the local MAC address table, and
then processes the frame accordingly. In addition, the switch learns the
source MAC address of the frame.
Ethernet Layer 2 Switching and MAC Address Table
[Figure: PC1 (IP: 2001:DB8:1::1/64, MAC: 0050-5600-0001) on GE0/0/1 sends a frame through the switch to PC2 (IP: 2001:DB8:1::2/64, MAC: 0050-5600-0002) on GE0/0/2. On both sides of the switch the frame carries source MAC address 0050-5600-0001, destination MAC address 0050-5600-0002, source IP address 2001:DB8:1::1 and destination IP address 2001:DB8:1::2.]
Upon receipt of a frame, a switch
reads the frame's destination MAC
address, searches for this MAC
address in the local MAC address
table, and then processes the
frame accordingly. In addition, the
switch learns the source MAC
address of the frame.
MAC addresses are used to implement data frame addressing and node
identification on the Ethernet.
MAC Address Table
[Figure: PC1 (00e0-fc12-3458) on GE0/0/1 and a printer (00e0-fc12-3457) on GE0/0/2 of a switch.]
• A MAC address table records the mapping between the
MAC addresses learned by a switch and the interfaces, and
the VLANs to which the interfaces belong.
• The display mac-address command can be run on the
switch to check its MAC address table.
MAC Address | Interface | VLAN
00e0-fc12-3458 | GE0/0/1 | 100
00e0-fc12-3457 | GE0/0/2 | 200
Why Do We Need VLAN?
[Figure: a switch with PC1 to PC24 connected to GE0/0/1 to GE0/0/24, carrying broadcast, unknown unicast, and multicast (BUM) frames.]
• By default, all interfaces of a switch belong to the same broadcast domain.
• When there are a large number of switches on a network, the broadcast domain becomes
large and the network may be flooded with a myriad of broadcast packets.
• Network units cannot be flexibly planned based on service requirements.
VLAN
Virtual Local Area Network (VLAN) technology allows a physical LAN to be divided into multiple logical LANs
(multiple VLANs). Each VLAN functions as a separate broadcast domain, with hosts in the same VLAN able to directly
communicate with one another, while those in different VLANs cannot. As a result, broadcast packets are confined
within a single VLAN.
[Figure: a switch with PC1 to PC24 connected to GE0/0/1 to GE0/0/24, divided into VLAN10 (VLAN for the marketing department) and VLAN20 (VLAN for the R&D department).]
VLAN Communication Across Switches
[Figure: Switch1 and Switch2, each with interfaces GE0/0/1 to GE0/0/4 and attached PCs (PC1 to PC5). VLAN10 (VLAN for the technology department) and VLAN20 (VLAN for the accounting department) exist on both switches. The figure shows an untagged frame and a tagged frame (802.1Q tag, VLAN 20).]
• To enable a switch to distinguish data frames from different VLANs, you need to add a field that identifies the
VLANs to which the data frames belong.
• As defined by IEEE 802.1Q, a 4-byte VLAN tag is inserted between the Source/Destination MAC address field and
Length/Type field in an Ethernet frame to identify the VLAN to which the frame belongs.
Types of Layer 2 Ethernet Interfaces
Layer 2 Ethernet interfaces on a switch are classified into the
following types:
• Access: often connects to a terminal such as a user PC or
server. In most cases, access interfaces connecting to the
NICs of such terminals can only receive and send
untagged frames, and an access interface can join only
one VLAN.
• Trunk: allows data frames from multiple VLANs to pass
through. These data frames are differentiated by 802.1Q
tags. A trunk interface is used for connecting switches
and can connect to a sub-interface on a device (such as a
router or firewall).
• Hybrid: allows data frames from multiple VLANs to pass
through. These data frames are differentiated by 802.1Q
tags. The data frames sent from a hybrid interface can be
manually configured to carry tags for some VLANs and
not to carry tags for other VLANs.
[Figure: a core switch connected to access switch 1 and access switch 2, with access and trunk interfaces marked. VLANs: VLAN 10 (office) and VLAN 20 (monitoring). Terminal 1 (2001:DB8:1::1/64), Terminal 2 (2001:DB8:1::2/64), Terminal 3 (2001:DB8:1::3/64), Terminal 4 (2001:DB8:2::1/64).]
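The 4-byte 802.1Q tag from the "VLAN Communication Across Switches" slide and the access and trunk behaviour described above, as an added Python example that is not part of the original course material. The sample frame, the port-to-VLAN assignment and the `Port` class are constructed for illustration; hybrid interfaces and the frame trailer are left out, and the trunk in this sketch tags every frame it sends.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed untagged frame: destination MAC, source MAC, Type (IPv4), payload.
SAMPLE_FRAME = (bytes.fromhex("00e0fc123457") + bytes.fromhex("00e0fc123458")
                + struct.pack("!H", 0x0800) + b"constructed payload")


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the tag between the source MAC address and the Length/Type field."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1-4094")
    tci = (pcp << 13) | vid  # priority (3 bits), DEI (1 bit, 0 here), VLAN ID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Port:
    """Access or trunk interface (simplified; hybrid mode is not modelled)."""

    def __init__(self, name, mode, pvid=1, allowed=()):
        self.name, self.mode, self.pvid = name, mode, pvid
        self.allowed = set(allowed)  # VLANs permitted on a trunk

    def ingress(self, frame):
        """Classify a received frame: (vlan, untagged_frame), or None to discard."""
        vid, inner = read_tag(frame)
        if self.mode == "access":
            # An access interface expects untagged frames from the terminal and
            # places them in its single VLAN; tagged frames are discarded here.
            return (self.pvid, inner) if vid is None else None
        if vid is None:
            vid = self.pvid  # assumption: untagged frames on a trunk use its default VLAN
        return (vid, inner) if vid in self.allowed else None

    def egress(self, vlan, inner):
        """Return the bytes to send, or None if the VLAN may not leave this port."""
        if self.mode == "access":
            return inner if vlan == self.pvid else None
        return add_tag(inner, vlan) if vlan in self.allowed else None


def cross_switch(frame: bytes) -> dict:
    """A PC in VLAN 20 on Switch1 sends a frame that crosses the trunk to Switch2."""
    s1_access = Port("Switch1 GE0/0/2", "access", pvid=20)
    s1_trunk = Port("Switch1 GE0/0/4", "trunk", allowed={10, 20})
    s2_trunk = Port("Switch2 GE0/0/4", "trunk", allowed={10, 20})
    s2_vlan20 = Port("Switch2 GE0/0/2", "access", pvid=20)
    s2_vlan10 = Port("Switch2 GE0/0/1", "access", pvid=10)
    vlan, inner = s1_access.ingress(frame)
    on_trunk = s1_trunk.egress(vlan, inner)
    vlan2, inner2 = s2_trunk.ingress(on_trunk)
    return {"on_trunk": on_trunk,
            "to_vlan20_pc": s2_vlan20.egress(vlan2, inner2),
            "to_vlan10_pc": s2_vlan10.egress(vlan2, inner2)}


if __name__ == "__main__":
    result = cross_switch(SAMPLE_FRAME)
    print("on trunk    :", result["on_trunk"].hex())
    print("to VLAN 20 PC:", result["to_vlan20_pc"].hex())
    print("to VLAN 10 PC:", result["to_vlan10_pc"])
```

On real hardware the frame trailer must be recalculated whenever a tag is inserted or removed, because the tag changes the bytes the trailer covers.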
Technical Background: Redundancy and Loops on a Layer 2 Switching Network
The introduction of redundancy brings Layer 2 loops.
Without redundancy design:
• The access switch has only one uplink. If this link fails, downstream PCs will be disconnected.
• There is only one aggregation switch. If this switch fails, downstream devices will be disconnected.
Layer 2 loops are the price of enhanced network redundancy.
[Figure: an access switch connected to one aggregation switch (no redundancy), and an access switch connected to two aggregation switches, which forms a Layer 2 loop.]
Technical Background: Layer 2 Loops Caused by Human Errors
• Some Layer 2 loops may be attributed to human negligence, for example, incorrect cable connections between devices.
• Some Layer 2 loops may be attributed to incorrect configurations. In this example, the network administrator does not bundle the links between Switch1 and Switch2 to a logical link (aggregated link), causing Layer 2 loops.
[Figure: two cases (Case 1 and Case 2), each containing a Layer 2 loop.]
Problems Caused by Layer 2 Loops
Typical problem 1: broadcast storm
Upon receiving BUM frames, Switch3 floods the frames. The flooding happens once again after Switch1 and Switch2 receive the frames, leading to network resource exhaustion and breakdown.
Typical problem 2: MAC address flapping
MAC address flapping occurs. For example, Switch1 sees the MAC address 5489-98EE-788A rapidly changing its location between GE0/0/1 and GE0/0/2.
[Figure: Switch1, Switch2 and Switch3 connected in a loop. A BUM frame with source MAC address 5489-98EE-788A travels around the loop in numbered steps 1 to 4.]
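MAC address learning and forwarding (from the MAC address table slides) and detection of the MAC address flapping described above, as an added Python example that is not part of the original course material. The event list, the VLAN assignment, the second MAC address and the flapping threshold (3 moves within 10 seconds) are constructed assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ffff-ffff-ffff"


def is_group(mac: str) -> bool:
    """Broadcast and multicast MACs have the lowest bit of the first octet set."""
    return bool(int(mac[:2], 16) & 1)


class LearningSwitch:
    def __init__(self, port_vlans, flap_moves=3, flap_window=10.0):
        self.port_vlans = dict(port_vlans)  # interface -> VLAN (access interfaces)
        self.mac_table = {}                 # (VLAN, MAC) -> interface
        self.moves = defaultdict(deque)     # (VLAN, MAC) -> times the MAC changed interface
        self.flap_moves = flap_moves        # assumed threshold, not a vendor default
        self.flap_window = flap_window      # seconds
        self.alerts = []

    def receive(self, now, in_port, src_mac, dst_mac):
        """Learn the source MAC, then return the list of outbound interfaces."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        vlan = self.port_vlans[in_port]
        key = (vlan, src_mac)
        previous = self.mac_table.get(key)
        if previous is not None and previous != in_port:
            # The same MAC was last seen on another interface: record the move.
            history = self.moves[key]
            history.append(now)
            while now - history[0] > self.flap_window:
                history.popleft()
            if len(history) >= self.flap_moves:
                self.alerts.append({"time": now, "mac": src_mac, "vlan": vlan,
                                    "from": previous, "to": in_port})
        self.mac_table[key] = in_port
        out_port = self.mac_table.get((vlan, dst_mac))
        if is_group(dst_mac) or out_port is None:
            # BUM frame: flood to every other interface in the same VLAN.
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        if out_port == in_port:
            return []  # destination is behind the receiving interface: discard
        return [out_port]


# Constructed events: (time in seconds, inbound interface, source MAC, destination MAC).
EVENTS = [
    (0.0, "GE0/0/3", "5489-98EE-0001", BROADCAST),
    (0.1, "GE0/0/1", "5489-98EE-788A", "5489-98EE-0001"),
    (0.2, "GE0/0/2", "5489-98EE-788A", BROADCAST),
    (0.3, "GE0/0/1", "5489-98EE-788A", BROADCAST),
    (0.4, "GE0/0/2", "5489-98EE-788A", BROADCAST),
    (0.5, "GE0/0/1", "5489-98EE-788A", BROADCAST),
]


def run_demo():
    switch = LearningSwitch({"GE0/0/1": 10, "GE0/0/2": 10, "GE0/0/3": 10, "GE0/0/4": 20})
    outputs = [switch.receive(*event) for event in EVENTS]
    return outputs, switch


if __name__ == "__main__":
    outputs, switch = run_demo()
    for event, out in zip(EVENTS, outputs):
        print(event, "->", out)
    for alert in switch.alerts:
        print("MAC flapping:", alert)
```

A single move (a terminal re-plugged into another interface) stays below the threshold; repeated moves inside the window are what indicate a loop or a duplicated address.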
Spanning Tree Protocol
On a network with a spanning tree protocol, switches exchange BPDUs to calculate a loop-free network topology. Finally, one or more interfaces on the network are blocked to eliminate loops.
[Figure: with a spanning tree protocol, Switch1 (root), Switch2, and Switch3 exchange BPDU packets, and an interface is blocked.]
Spanning Tree Protocol: Dynamically Responding to Network Topology Changes and Adjusting Blocked Interfaces
A spanning tree protocol running on a switch continuously monitors the network topology. Upon detecting network topology changes, the spanning tree protocol can automatically make adjustments.
Therefore, a spanning tree protocol can be used to eliminate Layer 2 loops and also provide a network redundancy solution.
[Figure: Switch1, Switch2, and Switch3 in three steps: an interface is blocked; a link is faulty; the interface is restored.]
Technical Background: Inter-VLAN Communication
• PC1 (VLAN 10) and PC2 (VLAN 10) on a Layer 2 switch: When PC1 and PC2 belong to the same VLAN (using the same IP subnet), they are in the same broadcast domain and can directly communicate with each other. This is also known as Layer 2 communication.
• PC1 (VLAN 10) and PC2 (VLAN 20) on a Layer 2 switch: When PC1 and PC2 belong to different VLANs, they are in different broadcast domains and cannot communicate with each other.
• PC1 (VLAN 10) and PC2 (VLAN 20) on a Layer 2 switch connected to a router: To allow devices in different VLANs to communicate with each other, a routing-capable device is used to implement Layer 3 communication.
Inter-VLAN Communication Using Ethernet Sub-Interfaces
[Figure]
PC1: VLAN 10, 192.168.1.1/24, default gateway 192.168.1.254
PC2: VLAN 20, 192.168.2.1/24, default gateway 192.168.2.254
Router: GE0/0/1.1 (192.168.1.254) and GE0/0/1.2 (192.168.2.254)
Switch: GE0/0/24, trunk (VLANs 10 and 20); GE0/0/1, access (VLAN 10); GE0/0/2, access (VLAN 20)
• A router connects to a switch through a physical interface (GE0/0/1), which allows for the creation of two sub-interfaces GE0/0/1.1 and GE0/0/1.2 as the default gateways of VLANs 10 and 20, respectively.
• The sub-interfaces created on a router are used to implement inter-VLAN communication.
▫ Sub-interfaces are logical interfaces created based on an Ethernet interface and are identified by the physical interface ID and sub-interface ID.
▫ Based on service requirements, a network administrator can create multiple sub-interfaces on a physical interface and configure IP addresses and VLAN IDs for these sub-interfaces.
Layer 3 Switch and VLANIF Interface
• A Layer 2 switch provides only the Layer 2 switching function.
• Apart from providing the Layer 2 switching function, a Layer 3 switch can implement routing and forwarding through Layer 3 interfaces (such as VLANIF interfaces).
• A VLANIF interface is a Layer 3 logical interface that can remove and add VLAN tags in packets. This allows devices in different VLANs to communicate with each other.
• A VLANIF interface number corresponds to a VLAN ID. For example, VLAN 10 corresponds to VLANIF 10.
[Figure]
Layer 3 switch (routing module and switching module): VLANIF 10, 192.168.1.254/24; VLANIF 20, 192.168.2.254/24
PC1: 192.168.1.1/24, gateway 192.168.1.254, on GE0/0/1 (Access, PVID = 10)
PC2: 192.168.1.2/24, gateway 192.168.1.254, on GE0/0/2 (Access, PVID = 10)
PC3: 192.168.2.1/24, gateway 192.168.2.254, on GE0/0/3 (Access, PVID = 20)
How to Improve the Bandwidth and Reliability of Ethernet Links
• High reliability and high link bandwidth are two important objectives to achieve on a commercial network.
• As shown in the figure, links 1 to 5 are all key links on the network. How can we ensure the reliability of these links and improve their bandwidth?
[Figure: Internet, core switch, access switch 1, access switch 2, and terminals 1 to 4, connected by links 1 to 5.]
Ethernet Link Aggregation
• Link aggregation is a method of bundling several physical links into a logical link to increase bandwidth and reliability.
• These aggregated links are also known as Eth-Trunks.
• Benefits shown in the figure: increased bandwidth, higher reliability, and load balancing.
[Figure: Internet, core switch, access switch 1, access switch 2, and terminals 1 to 4, with Firewall1 and Firewall2; on each side GE0/0/1 and GE0/0/2 are bundled into Eth-Trunk1.]
Working Modes of Ethernet Link Aggregation
Manual mode
• In this mode, an Eth-Trunk interface is manually created and member interfaces are manually added to the Eth-Trunk interface, without the use of Link Aggregation Control Protocol (LACP).
• This mode is applicable when high link bandwidth is required between two directly connected devices that do not support LACP.
• Faults, such as link layer faults and incorrect link connections, cannot be detected.
LACP mode
• In this mode, LACP is used in link aggregation.
• LACP provides a standard negotiation mechanism for devices to automatically aggregate multiple links.
• After an aggregated link is formed, LACP maintains the link status and adjusts or disables link aggregation when the link aggregation condition changes.
[Figure: Switch1 has the higher LACP system priority and Switch2 the lower LACP system priority; the figure marks the active interfaces selected by Switch1 and those selected by Switch2.]
iStack and CSS
• Intelligent stack (iStack) is a technology that connects multiple stacking-capable switches through stack cables to form a logical switch for data forwarding.
• A cluster switch system (CSS) combines two clustering-capable switches into a single logical switch.
• Generally, the CSS function is used to set up a stack of modular switches, while the iStack function is used to set up a stack of fixed switches.
[Figure: iStack: switches connected through stack cables form a stack that is equivalent to one logical switch with link aggregation. CSS: two switches connected through a CSS link are equivalent to one logical switch with link aggregation.]
Link Aggregation Application (1/2)
Interface expansion
• If the port density of an existing switch cannot meet the access requirements of users, you can deploy new switches and add all the switches to a stack to increase the number of interfaces.
Bandwidth expansion and redundancy backup
• To achieve higher uplink bandwidth, you can deploy new switches and add all the switches to a stack, and bundle physical links of the member switches into a LAG. This also implements device backup and inter-device redundancy backup, thus improving reliability.
[Figure: access-layer and aggregation-layer switches in iStack stacks, connected by iStack links and Eth-Trunks.]
Link Aggregation Application (2/2)
• Two switches on the network set up a CSS to form a single logical switch. The simplified networking does not
require protocols such as Multiple Spanning Tree Protocol (MSTP) and Virtual Router Redundancy Protocol (VRRP),
simplifying network configuration. Additionally, the use of inter-device link aggregation achieves fast convergence
and improves reliability.
MSTP + VRRP
CSS
Aggregation
layer
Access layer
CSS link Eth-Trunk
Typical Architecture
[Figure: access layer, aggregation layer, and core layer below the network; iStack at the access and aggregation layers and CSS at the core layer, connected by iStack/CSS links and Eth-Trunks.]
• Access devices that are geographically close to each other (for example, access switches in the same building) are virtualized into one logical device using iStack. This ensures sufficient ports and simplifies device management.
• Access devices connect to aggregation devices through Eth-Trunks. The logical network structure is simple, without the use of STP or VRRP. As such, the network has advantages in high reliability, high uplink bandwidth, and fast convergence.
• iStack is configured on aggregation switches, and Eth-Trunks are configured between upstream/downstream switches to form a reliable and loop-free network.
• The CSS cluster networking is used at the core layer, and Eth-Trunks are configured between upstream/downstream switches to form a reliable and loop-free network.
Firewall: Security Zone
[Figure: a firewall with interfaces GE1/0/1, GE1/0/0, and GE1/0/5 separates the Trust zone (PC1, 192.168.1.1/24), the Untrust zone (Internet), and the DMZ (server, 172.16.1.1/24).]
• A security zone, also known as a zone, is a concept of the firewall. Most security policies are implemented based on security zones.
• A security zone is a collection of networks connected through one or more interfaces. Users on the networks in a security zone have the same security attributes.
• Firewall interfaces must be added to security zones. Otherwise, the firewall cannot work properly.
• Each security zone defines its security level, which is also called priority. The priority value ranges from 1 to 100. A larger value indicates a higher security level.
• By default, four security zones are preset on the firewall: Trust, Untrust, DMZ, and local zones.
• Users can define new security zones as required.
Firewall: Security Policy
• The security policy controls traffic forwarding and performs integrated content security detection on traffic.
• The firewall can identify traffic attributes and match the attributes with security policy conditions. If all conditions are matched, the
traffic matches the security policy and the firewall performs the action defined in the security policy.
• Integrated content security detection indicates that the firewall uses the Intelligent Awareness Engine (IAE) to detect and process
traffic contents at one time, implementing content security functions including antivirus, intrusion defense, and URL filtering.
Trust
Internet
Untrust
Security policy
Traffic forwarding control
Content security monitoring
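Added example (not part of the course material, and not firewall configuration syntax): a Python model of how zone membership and security policy conditions decide the action for a flow. The interface-to-zone bindings, the two rules, the first-match order, the implicit deny, and the sample addresses are assumptions made for illustration; content security detection is not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Priorities of the four preset zones (larger value = higher security level).
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Assumed bindings for the three interfaces in the Security Zone figure.
INTERFACE_ZONE = {"GE1/0/1": "trust", "GE1/0/0": "untrust", "GE1/0/5": "dmz"}


@dataclass(frozen=True)
class Flow:
    in_if: str
    out_if: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    service: Optional[Tuple[str, int]]  # None matches any service
    action: str                         # "permit" or "deny"


# Hypothetical rule set for the topology in the figure.
RULES = [
    Rule("trust_to_internet", "trust", "untrust", "192.168.1.0/24", "0.0.0.0/0", None, "permit"),
    Rule("internet_to_server", "untrust", "dmz", "0.0.0.0/0", "172.16.1.1/32", ("tcp", 443), "permit"),
]


def zone_of(interface):
    """An interface that belongs to no zone cannot forward traffic."""
    if interface not in INTERFACE_ZONE:
        raise ValueError(f"{interface} is not added to a security zone")
    return INTERFACE_ZONE[interface]


def direction(flow):
    """Outbound = from a higher-priority zone to a lower-priority one."""
    src = ZONE_PRIORITY[zone_of(flow.in_if)]
    dst = ZONE_PRIORITY[zone_of(flow.out_if)]
    if src == dst:
        return "intrazone"
    return "outbound" if src > dst else "inbound"


def matches(rule, flow):
    """A rule matches only if every one of its conditions matches."""
    return (
        rule.src_zone == zone_of(flow.in_if)
        and rule.dst_zone == zone_of(flow.out_if)
        and ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src_net)
        and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst_net)
        and (rule.service is None or rule.service == (flow.proto, flow.dst_port))
    )


def evaluate(flow, rules=RULES):
    """Return (action, rule name); the first matching rule decides."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default"  # assumed implicit deny when nothing matches


if __name__ == "__main__":
    web = Flow("GE1/0/0", "GE1/0/5", "198.51.100.7", "172.16.1.1", "tcp", 443)
    ssh = Flow("GE1/0/0", "GE1/0/5", "198.51.100.7", "172.16.1.1", "tcp", 22)
    print(direction(web), evaluate(web))
    print(direction(ssh), evaluate(ssh))
```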
NAT
⚫ Network address translation (NAT) is a method of parsing an IP packet header and replacing the
source or destination IP address in the packet header automatically, allowing users on private
networks to access public networks through private IP addresses. Users are unaware of the
translation from a private IP address into a public one.
[Figure: packet layout. Layer 3 header (IP header): source IP address and destination IP address. Layer 4 header (TCP/UDP header): source port number and destination port number. Data.]
Common types of NAT are as follows:
• Source IP address-based NAT
▫ No-port address translation (No-PAT)
▫ Network address and port translation (NAPT)
• Destination IP address-based NAT
▫ NAT server
▫ Destination NAT
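Added example (not part of the course material): a Python model of the two source NAT types listed above, showing which header fields each one rewrites and how return traffic is mapped back. The addresses, ports, and the one-address pool are constructed; real devices also age out sessions, which this model omits.

```python
def packet(proto, src_ip, src_port, dst_ip, dst_port):
    """The header fields NAT looks at (Layer 3 addresses, Layer 4 ports)."""
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


class NoPat:
    """No-PAT: one private IP maps to one public IP; ports are left unchanged."""

    def __init__(self, public_pool):
        self.free = list(public_pool)
        self.private_to_public = {}
        self.public_to_private = {}

    def outbound(self, pkt):
        src = pkt["src_ip"]
        if src not in self.private_to_public:
            if not self.free:
                return None  # pool exhausted: no public address left for this host
            public = self.free.pop(0)
            self.private_to_public[src] = public
            self.public_to_private[public] = src
        return {**pkt, "src_ip": self.private_to_public[src]}

    def inbound(self, pkt):
        private = self.public_to_private.get(pkt["dst_ip"])
        return None if private is None else {**pkt, "dst_ip": private}


class Napt:
    """NAPT: many private hosts share one public IP; the source port is rewritten too."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.ports = range(first_port, last_port + 1)
        self.sessions = {}  # (proto, private IP, private port) -> public port
        self.reverse = {}   # (proto, public port) -> (private IP, private port)

    def outbound(self, pkt):
        key = (pkt["proto"], pkt["src_ip"], pkt["src_port"])
        if key not in self.sessions:
            port = next((p for p in self.ports
                         if (pkt["proto"], p) not in self.reverse), None)
            if port is None:
                return None  # every public port is in use
            self.sessions[key] = port
            self.reverse[(pkt["proto"], port)] = (pkt["src_ip"], pkt["src_port"])
        return {**pkt, "src_ip": self.public_ip, "src_port": self.sessions[key]}

    def inbound(self, pkt):
        if pkt["dst_ip"] != self.public_ip:
            return None
        owner = self.reverse.get((pkt["proto"], pkt["dst_port"]))
        if owner is None:
            return None  # no session: unsolicited traffic is not translated
        return {**pkt, "dst_ip": owner[0], "dst_port": owner[1]}


if __name__ == "__main__":
    napt = Napt("198.51.100.1")
    for host in ("192.168.1.1", "192.168.1.2"):
        print(napt.outbound(packet("tcp", host, 50000, "203.0.113.10", 443)))
    print(napt.inbound(packet("tcp", "203.0.113.10", 443, "198.51.100.1", 1025)))
```

With a one-address pool, No-PAT serves only one inside host at a time, while NAPT lets both hosts share the address by giving each session its own public port.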
IPsec VPN
• Enterprise branches can interconnect with each other in various modes, for example, through WAN private lines or
Internet lines.
• Considering costs and requirements, some enterprises choose to use the Internet lines for interconnection, while
security risks may occur. Internet Protocol Security (IPsec) encrypts data packets to ensure secure interconnection
for enterprises.
Internet
VPN
WAN
A WAN, short for wide area network, is a network that connects LANs in different areas. A WAN generally covers tens
of kilometers to thousands of kilometers. It can connect multiple regions, cities, and countries, or provide long-distance
communication across several continents, forming an international remote network.
DC
Enterprise
branch
Enterprise
HQ
Residential area
LAN
WAN LAN
Internet
service
provider (ISP)
WAN Device Roles
⚫ There are three basic roles of WAN devices: customer edge (CE), provider edge (PE), and provider (P).
▫ CE: edge devices within a customer network that connect to one or more PEs at a service provider's site.
▫ PE: edge devices within a service provider network that connect to CEs. PEs are important network nodes that can connect to both CEs and Ps.
▫ P: devices within a service provider network that do not directly connect to CEs.
CE
CE
PE
PE
PE
PE
Enterprise A
Enterprise B
P
CE
CE
Enterprise C
Enterprise D
Service provider
Traditional IP Routing and Forwarding
Traditional IP routing and forwarding uses the hop-by-hop forwarding mode, in which a packet is decapsulated by all
routers that receive the packet. Each router needs to obtain the network layer information about the packet and
selects routing entries for packet forwarding based on the longest match rule. The repeated processes of packet
decapsulation, routing entry selection, and packet re-encapsulation result in low forwarding performance.
Routing table of R1:
Destination/Mask | Protocol | Preference | Cost | Next Hop | Interface
192.168.1.0/24 | Direct | 0 | 0 | 192.168.1.254 | GE0/0/0
192.168.12.0/24 | Direct | 0 | 0 | 192.168.12.1 | GE0/0/2
192.168.2.0/24 | OSPF | 10 | 3 | 192.168.12.2 | GE0/0/2
[Figure: PC1 (192.168.1.1/24) reaches PC2 (192.168.2.1/24) across routers R1 to R6, which run an IGP; R1 forwards through G0/0/2, and the packet (IP address and data) is processed at every hop.]
Characteristics of traditional IP routing and forwarding:
▫ All routers need to know the network-wide routes.
▫ Traditional IP routing and forwarding is connectionless and cannot guarantee end-to-end QoS.
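Added example (not part of the course material): the longest match rule applied to the routing table of R1 shown above, in Python. The /16 and default static routes are constructed so that several entries overlap; the tie-break on preference and cost for equal prefixes is a simplification of what a router does when it installs routes.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    destination: str
    protocol: str
    preference: int
    cost: int
    next_hop: str
    interface: str


R1_ROUTES = [
    # The three entries from the slide.
    Route("192.168.1.0/24", "Direct", 0, 0, "192.168.1.254", "GE0/0/0"),
    Route("192.168.12.0/24", "Direct", 0, 0, "192.168.12.1", "GE0/0/2"),
    Route("192.168.2.0/24", "OSPF", 10, 3, "192.168.12.2", "GE0/0/2"),
    # Constructed overlapping entries, added only to exercise the rule.
    Route("192.168.0.0/16", "Static", 60, 0, "192.168.12.2", "GE0/0/2"),
    Route("0.0.0.0/0", "Static", 60, 0, "192.168.12.2", "GE0/0/2"),
]


def lookup(dst_ip: str, routes=R1_ROUTES) -> Optional[Route]:
    """Pick the route a router would use for dst_ip, or None if there is none.

    Order of comparison: longest prefix first, then the lower preference
    value, then the lower cost.
    """
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.destination)]
    if not candidates:
        return None  # no matching entry: the packet is dropped
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.destination).prefixlen,
                       -r.preference, -r.cost),
    )


if __name__ == "__main__":
    for dst in ("192.168.2.1", "192.168.3.9", "203.0.113.5"):
        route = lookup(dst)
        print(f"{dst:<14} -> {route.destination:<16} via {route.next_hop} ({route.interface})")
```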
MPLS Label-Based Forwarding
⚫ Multiprotocol Label Switching (MPLS) is a
technology applied on IP backbone networks.
⚫ MPLS is a tunneling technology that provides
connection-oriented switching for the network
layer based on IP routing and control protocols,
guaranteeing QoS.
⚫ Local MPLS labels, instead of IP routes, are
searched for to forward packets, greatly improving
forwarding efficiency.
⚫ Labels used in MPLS label-based forwarding can
be manually configured or dynamically allocated
using a label distribution protocol.
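[Figure: an MPLS domain running an IGP between PC1 (192.168.1.1/24) and PC2 (192.168.2.1/24). R2 and R5 are PE nodes; R3 and R4 are P nodes; R1 and R6 are outside the label-switched path. Outside the MPLS domain a packet carries the IP address and data; inside it, MPLS Label 1 or MPLS Label 2 is placed in front of the IP address and data.]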
MPLS VPN Overview
MPLS VPN backbone:
a backbone network
built by the service
provider
PE1 P PE2
CE
CE
Site 1 of customer A Site 2 of customer A
Site 1 of customer B Site 2 of customer B
CE
CE
• Customer A and customer B have two sites respectively. Both customers purchase MPLS VPN services from the same service
provider.
• For example, customer A wants to exchange routes between site 1 and site 2 through the MPLS VPN network so that data between
the two sites can be transmitted through the MPLS VPN network. From the perspective of customer A, the logical network is as
follows:
CE
Site 1 of customer A Site 2 of customer A
CE
MPLS VPN network
P
Route to site 1 Route to site 1
Data sent to site 1
Data sent to site 1
Network Management
Network management plays an important role on a communications network. It ensures that devices
work properly and the communications network runs properly to provide efficient, reliable, and secure
communications services.
Common enterprise network architecture
Network
administrator
The network administrator manages
and maintains the network for
stable network operations.
Network Management Modes
Traditional network management (network administrator and network management station):
• Web-based network management
• CLI-based network management
• SNMP-based centralized network management
iMaster NCE-based network management:
[Figure: iMaster NCE (management, control, analysis) manages the DC, campus, WAN, and branch networks and, through its northbound API, serves the cloud platform and commercial applications (enterprise resource planning (ERP), video meeting, advertisement operations, office OS, …); labels: network automation, network intelligence.]
Web-Based and CLI-Based Network Management
⚫ CLI-based and web-based network management modes are generally used for managing small-scale networks.
▫ Network administrators can log in to devices through HTTPS, Telnet, or the console port for device management.
▫ The two modes are cost-effective, as programs or servers do not need to be installed on networks.
▫ Network administrators must have a good command of network knowledge and vendor-specific network configuration commands.
▫ These modes have great limitations for large-scale networks with a complicated topology.
Network administrator
One-to-one management
Vendor A
Switch
Vendor A
Firewall
Vendor A
AC
Vendor A
Router
Vendor B
Router
Vendor C
Switch
Vendor D
Switch
SNMP-Based Centralized Management
⚫ SNMP is a standard network management protocol widely used on TCP/IP networks. It provides a method for managing NEs by using a central computer (that is, a network management station) that runs network management software.
NMS Network
administrator
SNMP
packet exchange
One-to-many
management
• Network administrators can use the NMS to
query and modify information, and
troubleshoot faults on any node on
networks, improving work efficiency.
• Network devices of different types and from
different vendors are managed in a unified
manner.
Typical SNMP Architecture
• On a network where SNMP is used for network management,
an NMS functions as a network management center and runs a
management process. Each managed device needs to run an
agent process. The management process and agent processes
transmit SNMP messages for communication.
• An NMS is a system that uses SNMP to manage and monitor
network devices and runs on a server.
• Managed devices are devices that are managed by the NMS on
the network.
• Agent processes run on managed devices to maintain the
information data of the managed devices, respond to requests
from the NMS, and report the management data to the NMS.
Network
management process
NMS
Client
Monitor
A GUI is provided.
SNMP packet
Agent
process
Managed device
Agent
process
Managed device
IP network
Agent
process
Managed device
SNMP Management Model
• Query/Modify operation:
▫ The NMS sends an SNMP request packet to an agent process.
▫ The agent process searches the MIB on the device for desired
information and sends an SNMP response packet to the NMS.
• Trap operation:
▫ If the trap triggering conditions defined for a module on the
managed device are met, the agent process sends a message to
notify the NMS that a trap has occurred on the device. This
helps network administrators promptly process network faults.
Network
management process
NMS
Agent process
Managed device
Management
information base (MIB)
Managed object
SNMP packet
exchange
Huawei iMaster NCE
Huawei iMaster NCE is an intelligent network automation platform that integrates management, control, analysis, and
AI functions.
• iMaster NCE manages and controls:
▫ Traditional devices through traditional technologies such as CLI and
SNMP.
▫ SDN-capable networks through NETCONF (based on the YANG model).
• iMaster NCE collects network data through protocols such as
SNMP and telemetry, performs intelligent big data analysis based
on AI algorithms, and displays device and network status in
multiple dimensions through dashboards and reports, helping
O&M personnel quickly detect and handle device and network
exceptions and ensuring normal running of devices and networks.
Telemetry
Traditional
device
SDN-capable network device
NETCONF/YANG
CLI/SNMP
Unified cloud platform
Management Control Analysis
iMaster NCE
Open API
Intent engine
Cloud platform & applications
NETCONF Overview
NETCONF provides a network device management mechanism. You can use NETCONF to add, modify, or delete
configurations of network devices, and obtain configurations and status of network devices.
NETCONF server
Device
Device 1 Device 2 Device 3
Network
NETCONF client
NETCONF
message exchange
NETCONF has three objects:
▫ NETCONF client
▫ NETCONF server
▫ NETCONF message
NETCONF requires that messages exchanged between a client and server be encoded using XML.
Advantages of NETCONF
Description | NETCONF | SNMP | CLI
API type | Machine-machine interface: As the interface definition is complete and standard, the interface is easy to control and use. | Machine-machine interface | Man-machine interface
Operation efficiency | High: Data is modeled based on objects. Only one-time interaction is required for operations on an object. Operations such as filtering, batch processing, and packet splitting are supported. | Medium | Low
Scalability | Proprietary protocol capabilities can be extended. | Weak | Minor
Transaction processing | Supported: transaction processing mechanisms such as trial running, rollback upon errors, and configuration rollback are supported. | Not supported | Partially supported
Secure transmission | Multiple security protocols: SSH, TLS, Blocks Extensible Exchange Protocol (BEEP)/TLS, and Simple Object Access Protocol (SOAP)/HTTP/TLS | Only SNMPv3 supports secure transmission. | SSH is supported.
Typical NETCONF Interaction
RPC (sent over the SSH connection). This operation is to modify configurations.
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <!-- Configuration content in XML format -->
    </config>
  </edit-config>
</rpc>
RPC reply. The modification succeeds.
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101"
           xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>
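Added example (not part of the course material): a client-side Python sketch that builds the edit-config RPC shown above and checks the reply before treating the change as applied. The configuration payload, its urn:example namespace, and the error reply are constructed; transport over SSH is left out.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("", NS)  # serialize base-namespace elements without a prefix


class NetconfError(Exception):
    """Raised when a reply cannot be accepted as the answer to our request."""


def _q(name):
    return f"{{{NS}}}{name}"


def build_edit_config(message_id, config_xml, target="running"):
    """Return an <edit-config> RPC as a string."""
    if target not in ("running", "candidate", "startup"):
        raise ValueError(f"unknown datastore: {target}")
    rpc = ET.Element(_q("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, _q("edit-config"))
    ET.SubElement(ET.SubElement(edit, _q("target")), _q(target))
    # Parsing the payload first guarantees that only well-formed XML is sent.
    ET.SubElement(edit, _q("config")).append(ET.fromstring(config_xml))
    return ET.tostring(rpc, encoding="unicode")


def parse_reply(reply_xml, expected_message_id):
    """Return {'ok': bool, 'errors': [...]} for the reply to one request."""
    root = ET.fromstring(reply_xml)
    if root.tag != _q("rpc-reply"):
        raise NetconfError("not an <rpc-reply> in the NETCONF base namespace")
    # The reply must echo the message-id of the request it answers.
    if root.get("message-id") != str(expected_message_id):
        raise NetconfError("message-id does not match the request")
    errors = [
        {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in err}
        for err in root.findall(_q("rpc-error"))
    ]
    ok = not errors and root.find(_q("ok")) is not None
    return {"ok": ok, "errors": errors}


# Constructed payload; the namespace and element names are placeholders.
CONFIG = (
    '<interfaces xmlns="urn:example:interfaces">'
    "<interface><name>GE0/0/1</name><description>uplink</description></interface>"
    "</interfaces>"
)

# The reply from the slide.
REPLY_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>"""

# Constructed error reply for a second request.
REPLY_ERROR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-message>constructed example error</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_edit_config(101, CONFIG))
    print(parse_reply(REPLY_OK, 101))
    print(parse_reply(REPLY_ERROR, 102))
```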
YANG Language Overview
⚫ YANG is a data modeling language that standardizes NETCONF data content.
⚫ A YANG model defines a data hierarchy and can be used for NETCONF-based operations. Objects of data modeling
include configuration data, state data, RPCs, and notifications. This is a complete description of all data transmitted
between a NETCONF client and server.
A model is an abstraction and expression of things.
A data model is an abstraction and expression of data features.
• Person: name, gender, height, weight, age, etc.
• Router: interface, routing protocol, IP address, routing table, etc.
Telemetry Overview
⚫ Telemetry, also called network telemetry, is a technology that remotely collects data from physical or virtual devices at a high speed.
⚫ Devices periodically send information including interface traffic statistics, CPU usage, and memory usage to collectors in push mode.
Compared with the traditional pull mode (question-answer interaction), the push mode provides faster and real-time data collection.
• SNMP (pull): T > 5 min
• Telemetry ("subscription and push"): T < 1s
Telemetry supports data collection within subseconds.
Bandwidth/Throughput
• Bandwidth, also called throughput, refers to the maximum number of data bits transmitted between two ends
within a specified period (1 second) or the average rate at which specific data flows are transmitted between two
network nodes.
• Bandwidth is expressed in bit/s.
• In concept, bandwidth can be compared to the volume of water that can flow through a pipe in a water supply
system.
IP network
Delay
• A delay refers to the period of time during which a packet is transmitted from a source to its destination.
• Use voice transmission as an example. A delay refers to the period from when words are spoken to when
they are heard. If a long delay occurs, voices become unclear, discontinuous, or interrupted.
• Most users are insensitive to a delay of less than 100 ms. If a delay ranging from 100 ms to 300 ms occurs,
the speaker can sense slight pauses in the responder's reply, which can seem annoying to both. If a delay
greater than 300 ms occurs, both the speaker and responder obviously sense the delay.
IP network
Delay Variation: Jitter
• Jitter refers to the difference in delays of packets in the same flow.
• Jitters occur if the period between a device sending a packet and another device receiving the packet differs from
one packet to another in a flow, negatively affecting service qualities.
• Real-time services, such as voice and video services, are highly sensitive to jitters. Voice or video services are
interrupted if packets of these services are sent and received with timing variations.
• Jitters also affect protocol packet transmission. Some protocols send interactive packets at a fixed interval. If the
jitter is too large, protocol flapping occurs. All transmission systems cause a jitter, but the service quality will not be
affected if the jitter does not exceed a specific tolerance. The buffer can overcome the excessive jitter, which,
however, increases the delay.
IP network
Packet Loss Rate
IP network
• Slight packet loss does not affect services. For example, the speaker and the responder are unaware of the loss of a
bit or a packet in voice transmission.
• The loss of a bit or a group of packets in video transmission may cause the image on the screen to become garbled
instantly, but the image can be restored quickly. TCP can be used to transmit data to handle slight packet loss as
TCP allows the lost packets to be retransmitted.
• The packet loss rate refers to the percentage of the number of packets lost during data transmission.
QoS Specifications of Common Services
Service Type | Bandwidth/Throughput | Delay | Jitter | Packet Loss Rate | Delay Indicator | Jitter Indicator | Packet Loss Rate Indicator
Video conference and teleconference | High | Highly sensitive | Highly sensitive | Predictable | ≤ 50 ms | ≤ 10 ms | ≤ 0.1%
E-commerce | Medium | Sensitive | Sensitive | Sensitive, reliable transmission | ≤ 200 ms | ≤ 100 ms | Best-effort TCP guarantee
Streaming media | High | Relatively sensitive | Relatively sensitive | Predictable | ≤ 1s | ≤ 200 ms | ≤ 0.1%
Email and file transmission | Low | Delay-tolerant | Jitter-tolerant | Best-effort transmission | N/A | N/A | Best-effort TCP guarantee
HTML web page browsing | Not specific | Relatively delay-tolerant | Relatively jitter-tolerant | Best-effort transmission | N/A | N/A | N/A
FTP service | Medium | Sensitive | Sensitive | Sensitive, reliable transmission | N/A | N/A | Best-effort TCP guarantee
IntServ Service Model
[Figure: the request "A bandwidth of 2 Mbit/s is required." is passed hop by hop along the path through R1 and R2, and each hop answers "OK".]
• Take multiprotocol label switching traffic engineering (MPLS TE) as an example. The IntServ model uses Resource Reservation
Protocol (RSVP) for signaling. Resources such as bandwidth and priority are reserved on a known path, and each network element
along the path must reserve required resources for data flows requiring QoS guarantee. This resource reservation state is called soft
state.
• A soft state is a temporary state that refreshes periodically using RSVP messages. Each network element checks whether sufficient
resources can be reserved based on these RSVP messages. The path is available only when all involved network elements can provide
sufficient resources.
• The IntServ model takes effect only when all nodes on the end-to-end network support the model. Since devices at the core layer,
aggregation layer, and access layer have different functions, the IntServ model is not supported by these devices. Therefore, the
IntServ model cannot be widely used on Internet backbone networks.
DiffServ Service Model
Video Video
Data Data
Voice Voice
Service Type Priority
Voice 5
Video 4
Data 0
• In the DiffServ model, edge nodes classify and aggregate traffic. Edge nodes flexibly classify packets based on a combination
of conditions in packets, and then mark the packets with different priorities. Other nodes only need to identify the marked
priorities for resource allocation and traffic control.
• In the DiffServ model, an application does not need to apply for network resources before sending packets and no signaling
protocol is required. The DiffServ model provides differentiated services based on the QoS parameters of each data flow. In
addition, packets are classified into different service levels, and traffic control and forwarding are performed in a
differentiated manner, ensuring end-to-end QoS.
General QoS Service Process
[Figure: QoS processing of a data flow from the inbound interface to the outbound interface: traffic classification, traffic policing, other operations, congestion avoidance, entering a queue, congestion management (queue 0, queue 1, ..., queue N), scheduling, and leaving the queue.]
General principles:
• Traffic classification, traffic marking, and traffic policing are performed in the inbound direction on a service access
interface.
• Traffic shaping is performed in the outbound direction on a service access interface. If packets of various levels are involved,
queue scheduling and a packet discard policy are also required in the outbound direction on the service access interface.
• Congestion management and congestion avoidance are performed in the outbound direction on a network-side interface.
Quiz
1. In the network reference model of the data communication network, at which
layer do routing protocols such as OSPF and IS-IS work?
A. Application layer
B. Transport layer
C. Network layer
D. Data link layer
E. Physical layer
Summary
⚫ A data communication network comprises multiple types of devices and is deployed with
multiple technologies and network protocols.
⚫ Before grasping an in-depth understanding of products and solutions in the data
communication network field, you are expected to master basic technologies and familiarize
yourself with common data communication devices and basic protocols.
⚫ This course introduces basic knowledge about the data communication network, including
basic concepts of the data communication, IP routing, Ethernet switching, network security,
WAN technologies, network management and O&M, and QoS of the network, laying a solid
foundation for further learning.
Thank you.
Huawei Enterprise Datacom Network Solutions Overview
Foreword
This document provides an overview of Huawei's datacom business in
the enterprise market, covering Huawei's datacom organizations,
business priorities, major products and solutions, and typical use cases.
Scenario-specific solutions mentioned in this document will be further
detailed in other relevant documents.
Objectives
⚫ On completion of this course, you will be able to:
▫ Understand the scenario classifications and basic concepts of Huawei's datacom network solutions.
▫ Learn about the basic concepts, typical architectures, and typical application scenarios of campus networks, WLANs, data center networks, WANs, and network security.
▫ Gain insight into Huawei's solutions in each scenario.
Contents
1. Huawei Enterprise Datacom Business Overview
2. Huawei Enterprise Datacom Network Solutions
3. Success Stories
Overview and Objectives
This section describes Huawei's vision for the datacom industry, as well
as R&D organizational structure, R&D investment, and achievements in
each datacom domain.
Huawei's Vision for the Datacom Industry: IP on Everything
Connecting
applications
5G
Optical
Copper
Computing power
Intelligence
Data
Connecting
everything
MPLS
IPv6 Enhanced
IPv4
• Ultra-high
bandwidth
• Security
• Ubiquitous
connectivity
• Automation
• Deterministic
quality
• Low latency
Digital
currency
Industrial
control
Medical
data
VR video
e-Government
IP 2030
Delivering the non-stop intelligence and computing power of the intelligent world to everything,
and building ubiquitous intelligent IP connections
IP on Everything
Huawei Datacom Product Line: Business Focuses and
Organizational Structure
Enterprise business
The first-choice partner for enterprise and industry digital transformation
Serving global enterprises and industry players
Carrier business
The best strategic partner
Serving global carriers
Backbone
router
Network
management
Metro
router
Campus
network
Data center
network
Network
security
6 domains
Energy
Government Finance Transportation
…
Manufacturing
Education
Huawei Keeps Innovating and Advancing Datacom
Technologies, with 26 Years of Expertise
• R&D staff: 11,000+
• Scientists and top experts: 100+
• Share of annual revenue reinvested into R&D: ~15%
• Research centers worldwide: 14
[Chart; categories: Ethernet, FlexE, WLAN, 5G transport, SDN/NFV, SRv6, network cloudification]
Leading contributions to many fields,
including Wi-Fi 6, IPv6 Enhanced, and 400G
Contributions to 550+ IETF RFCs
OpenStack IETF IEEE OPNFV ONAP ITU Broadband Forum
12+ industry standards bodies and open source organizations that Huawei has joined
50+ working groups that Huawei participates in as chair or higher
550+ IETF RFCs
11,500+ total patents granted by the end of 2021
One of the top vendors contributing to IETF RFCs
https://www.arkko.com/tools/allstats/ Note: Futurewei is a wholly-owned subsidiary of Huawei.
No. 1 contributions in 6 fields in 2021
• IETF routing domain and O&M domain RFCs
• IEEE 802.11be (Wi-Fi 7) standards
• IEEE 802.3 MAC architecture standards
• IEEE 802.1 TSN standards
• SPN product (including ITU-T) standards
• Mobile bearer network clock standards
[Chart: IETF RFC contributions by vendor, 2017–2021; series: Vendor C, Huawei, Vendor N, Vendor J, Vendor E, Vendor G]
Key Player and Contributor: 20 Years of Dedication in Major
IP Standards-Defining Organizations
In 2021, China Communications
Standards Association (CCSA)
released the IPv6 Enhanced standard
system and Huawei helped set up the
IPv6 national standard team.
SRv6 is a next-generation protocol for IPv4 and IPv6 evolution. It is also the basis of next-
generation networks. SRv6 is considered the "5G" of IP protocols.
More than 10 of Huawei's top experts are dedicated to SRv6 standards
Li Zhenbin, Huawei's SRv6 chief expert and also IETF IAB member
IGP for SRv6
BGP for SRv6
SRv6 VPN
PCE for SRv6
SRv6 OAM
SRv6 SFC
SRv6 SD-WAN
SRv6 ANG
models
FPC YANG
models
Hu Zhibo/
Dean Cheng
Mash Chen/
Zhuang Shunwan
Donald Eastlake/
Zhuang Shunwan
Dhruv
Cheng Li
Haoyu Song/Li
Cheng
Linda Dunbar
Hu Zhibo
Wang Zitao
3GPP CT
Chairman
Georg Mayer
SR
pioneer
Stefano Previdi
SRv6 in
3GPP
Wireless
Li Zhenbin
Wu Qin
Huawei IP
Standards
Representative
IETF
L3SM/L2SM
Chair
SRv6 in
RTG Area
SRv6 in
OPS Area
Transmission
[Chart: IETF meeting-specific SRv6 standards document contributions by vendors, IETF 101 to IETF 105; series: Vendor C, Huawei, Huawei and vendor C*]
[Chart: SRv6 standards document contributions by vendors; series: Huawei, Huawei and vendor C*, Vendor C, Others]
Up to 75%
Data as of IETF 105
Leading the SRv6 Standards: 10+ Top Experts, Remarkable
Contributions to 60% of SRv6 Drafts
Core Contributor to Wi-Fi 6: No. 1 in Submitted Proposals
Dr. Osama Aboul Magd,
Huawei's top expert, serves
as the Chair of the 802.11ax
standard working group.
Huawei's
contributions
No. 1
Submitting 318 new proposals (15% of the total),
ranking No. 1 among equipment vendors
Holding 18% of global Wi-Fi 6 patents, ranking
No. 1 among equipment vendors
OFDMA
64T64R
Massive-MIMO
3GPP: 5G 256-QAM
IEEE: Wi-Fi 6
8T8R
UL MU-MIMO OFDMA 1024-QAM
Wi-Fi 6 inherits Huawei's 5G technologies, and its key technologies
are derived from Huawei's proposals.
AirEngine CloudEngine NetEngine HiSecEngine
Cloud campus
network
Hyper-converged data
center network
Cloud WAN Network security
Huawei Datacom Portfolio: "Four Engines" Products +
Integrated Management, Control, and Analysis Platform
Maintaining a Leading Position in the Global Datacom Market
NetEngine
WAN routers
No. 1
in the Chinese enterprise router
market
WAN
* 2017–2021 OMDIA data
CloudEngine
data center switches
No. 1
global shipments of enterprise data
center switch ports
Data center network
CloudEngine S-series
campus switches
No. 1
global shipments of 10/25GE ports
of enterprise campus switches
HiSecEngine
USG series firewalls
No. 1
share in the Chinese hardware
firewall equipment market
Network security
* 2021 Gartner data * 2021 Gartner data * 2021 IDC data
Campus network
WAN
A challenger in Gartner
MQ for 5 consecutive years
Network firewall
Cyber security
NetEngine series routers:
Campus network Data center network
AirEngine Wi-Fi 6:
Frost & Sullivan
2021 Global Wi-Fi
6 Market
Leadership Award
A visionary in
Gartner MQ
Huawei's
CloudCampus Solution
2021 Gartner Peer Insights
Customers' Choice
SD-WAN
Data center
switches:
a leader
named by
Forrester
Data center switches:
Frost & Sullivan
2021 Global
Technology
Leadership Award
Interop Best of
Show Award
Huawei CloudFabric
Solution
2021 Gartner Peer Insights
Customers' Choice
Interop Best of
Show Award
Frost & Sullivan
2021 New Product Innovation
Leadership Award
Gartner Peer Insights
Customers' Choice, with the
highest rating
Winning Many Awards and Wide Industry Recognition
Cloud Reshapes Enterprise IT Modes and Extends Connectivity,
Driving the Upgrade of the Datacom Industry
cloud
cloud
cloud
PC + mobile terminal + IoT terminal
As-Is: client-server mode To-Be: cloud service mode
Changes in cloud and terminals
drive network upgrades
Server
Campus
office
Campus
production
Campus
assets
PC
Campus
office
Campus
office
Campus
office
Security mode change
Deterministic service quality
Data traffic explosion
Flat network architecture
Expanded management scope
Network boundary extension
Cloud
Hundreds of billions of IoT terminal connections by 2025
85% of enterprise applications will be
cloud-based by 2025
What is IPv6 Enhanced?
TCP/IP standard model
Application
layer
Transport
layer
Network
layer
Network
interface
layer
Technology
enhancement
IPv6
Enhanced
Innovation directions
IPv6
IPv6
IPv6 Enhanced (Comprehensive Upgrade from IPv6):
Building a Technology Base for Digital Networks
Per-hop latency: best-effort → ~30 µs
+Security +Deterministic quality
+Automation
+Ubiquitous
connectivity
+Low latency
+Ultra-high
bandwidth
100GE → 400GE
Fault recovery: days → minutes
Per-hop jitter:
Not guaranteed → ~20 µs
Threat containment:
days → minutes
Multi-hop to clouds →
one hop to clouds
SRv6
FlexE
Network-security
association
Security knowledge
graph
APN6
In-band flow
measurement
ADN, AI
Non-blocking
interconnection 400GE
One-hop cloud
access
Resource
isolation
Proactive O&M
Cloud-network-
security integration
Application
awareness
IPv6+1.0
Network programmability
SRv6 BE/TE/Policy
IPv6+2.0
Experience assurance capability
FlexE/IFIT/BIER 6/DIP
IPv6+3.0
Application-driven capability
APN6
IPv6
Basic network capabilities
1996–2019 2020–2021 2021–2023 2023–2025
Intelligent Cloud-Network, Accelerating Industry Digital
Transformation
Vision
Solution features
Industry-specific
solutions
Theme
Datacom solutions
Cross-industry
solutions
Products
IP on Everything
Bring digital to every person, home, and organization
for a fully connected, intelligent world
Digital Intelligent Service-oriented
Intelligent
cloud-network
@ carrier
Intelligent Cloud-Network, Accelerating Industry Digital Transformation
Intelligent cloud-network solutions
CloudEngine NetEngine HiSecEngine
AirEngine iMaster NCE
CloudWAN 3.0
Cloud WAN (* for the enterprise market)
CloudCampus 3.0
Cloud campus
network
HiSec 3.0
Network security
Intelligent Cloud-Network
(* for the carrier market)
Intelligent
cloud-network
@ governments
Intelligent
cloud-network
@ cities
Intelligent
cloud-network
@ finance
Intelligent
cloud-network
@ mining
Intelligent
cloud-network
@ electric power
Intelligent
cloud-network
@ manufacturing
Intelligent
cloud-network
@ airports
Intelligent
cloud-network
@ education
Intelligent
cloud-network
@ healthcare
CloudFabric 3.0
Hyper-converged data
center network
Section Summary
This section describes Huawei's vision for the datacom industry, as well
as R&D organizational structure, R&D investment, and market position
in each datacom domain.
On completion of this section, you will have a clear understanding of future
datacom network development trends.
Quiz
1. What are the names of the four engines of Huawei datacom? What
product categories do they represent?
2. What is Huawei's vision for the datacom industry?
Datacom Accelerates the Flow of Data, Building Global
Digital Network Infrastructures
Global Digital Strategy
Industry digital transformation
Healthcare
Health for all
Healthcare IoT
Medical insurance
network
Digital government
Government
Gov. extranet
Smart city
Manufacturing
Advanced
manufacturing
Manufacturing
Light industry
Strong transportation
Transportation
Railway & urban rail
Roadway
Smart finance
Finance
Bank
Securities & insurance
Education
Educational
modernization
Higher education
Primary & secondary
education
Energy Internet
Energy
Electric power
Oil & gas
Datacom network
Campus network Data center network
Security
Metro network Backbone network
Digital
government
Digital
society
Digital
economy
Digital
economy
Digital
education
Digital
village
Smart
broadband
5G
communications
Digital
technology
Remote
healthcare
Other 11
projects
Digital China
Accelerating digital development
Digital Compass
Shaping Europe's digital future
Smart Africa
Accelerating digital transformation in African
countries
Cloud-Network Is the "Power Grid" of the Digital World,
Supplying Non-Stop Digital to Numerous Industries
In the past, electricity drove industrialization. Today, clouds drive digitalization.
Services
Power grid
Power generation
Power consumption
Wind power
Hydropower
Coal power
Government
cloud
Private
cloud
Public
cloud
Cloud-network
supplies
Enterprises
supplies
electric power computing power
Huawei Intelligent Cloud-Network: Empowering Enterprise
Digital Development with Data-driven Intelligence
Empowering digital development with data-driven
intelligence
CloudWAN
Cloud WAN
VM
VM
VM
CloudCampus
Cloud campus network
(industrial Internet campus)
AR Switch AP
Network
security
CloudFabric
Hyper-converged DCN
IPv6
Enhanced
Network security
Hyper-converged DCN
Cloud WAN
Cloud campus network
Intelligent resource scheduling, and fault self-healing,
enabling all-Ethernet DCNs
Real-time status visualization, intelligent resource
scheduling, and one-click service subscription, enabling
smooth service cloudification and SLA assurance
Network fault self-healing and open network programmability,
enabling all-scenario data awareness and interaction
Unified cloud-based management, intelligent security
protection, and cloud-network-security integration, ensuring
E2E security for data collection, aggregation, and processing
Intelligent cloud-network solutions
(CloudCampus Network)
CloudCampus 3.0
Campus Network, a Bridge Between the Physical and
Digital Worlds
Warehousing
campus
Manufacturing
campus
R&D campus
Retail store
Home office
HQ campus
SaaS cloud
Private
cloud
With the further development of wireless, IoT, and cloud on enterprise campuses, IT and OT infrastructures become ubiquitous. As such, enterprises urgently
need to break the boundaries from HQ to branch sites, from workplace to production services, and from fixed to mobile terminals. In this way, cross-regional
remote collaboration, cross-service converged transport, and cross-terminal unified access come true.
Today's campus network is transformed from a service support system into a key production factor to enable efficient flow of enterprise data and services. If
we compare an enterprise to a person, the enterprise's network is the blood vessels while data is the blood that carries oxygen and nutrients. The smooth flow
of blood determines the vitality of the person. Likewise, network quality is crucial to improving enterprise office and production efficiency and attaining
business growth goals.
Three Changes Drive Campus Networks Towards the
All-Cloud Era
Service
deployment
Terminal
access
Data flow
Traditional IT IT in the cloud era
Public & private clouds
Local server
...
...
Wi-Fi
IoT
HQ
Branch 1 Branch n
HQ Branch n
Branch 1
Driven by both business and technology, enterprises
are undergoing profound changes to service
deployment modes, data flow scope, and terminal
access modes. As such, campus networks are
marching into the cloud era from the PC era.
• Service deployment (on-premises → public or
private cloud-based): This change brings better
economics and scalability. Users can access and use
services anytime and anywhere.
• Data flow (local data exchange → cross-domain
data exchange): This change helps build a global
enterprise network that enables real-time interaction
between HQ and branches.
• Terminal access (Ethernet cable- or optical fiber-
based wired access → fully-wireless access): This
change removes the restriction of wired access and
enables users and terminals to move freely on demand.
Wired
On-premises →
Cloud-based
Wired →
Wireless
LAN → Cross-
domain
Four Challenges Faced by Campus Networks in the
Cloud Era
76% of enterprises are dissatisfied with their
wireless experience, according to IDC:
• Wi-Fi hotspot deployment results in
discontinuous coverage, signal blind spots, and
frequent disconnection during roaming.
• APs interfere with each other, but effective
global optimization methods are unavailable,
resulting in low performance and poor user
experience.
Multi-branch interconnection is a must for midsize
and large enterprises. Today's pain points include:
• Scattered branches, slow private line
provisioning, high cost, complex and error-prone
manual deployment, and difficult service
cloudification
• Poor service experience, lack of service visibility,
network congestion, frequent video buffering
and artifacts, and low user satisfaction
Enterprises of all sizes pursue a campus network that
aligns with business development. But they face the
following challenges:
• Given the influx of terminals, inflexible networks
cannot achieve fast capacity expansion, resulting in
time-consuming terminal onboarding.
• Wi-Fi upgrade is needed, but old Ethernet cables
cannot quickly meet bandwidth needs and re-cabling
is costly.
Coverage hole
Signal interference
Branch Branch
CLI
76% of enterprises require campus network
reconstruction in the next 2 years. But the reality is:
• Planning relies on professional skills. CLI-based
deployment is time-consuming and labor-
intensive. Policy change response is slow and
inefficient.
• The huge number of devices complicates O&M.
SNMP-based management suffers from lack of
visibility, difficult fault locating, and time-
consuming troubleshooting.
Engineers
HQ
WAN
In the cloud era, Wi-Fi is the preferred access mode for terminals. Ubiquitous WLANs are required to ensure terminal access anytime, anywhere.
Furthermore, the influx of terminals calls for flexibly scalable campus networks to quickly adapt to service changes and facilitate rapid terminal
onboarding and service rollout. Data interaction between HQ and branches is also becoming more frequent than ever. In turn, this requires stable,
reliable, and economical connection modes to ensure high-speed and high-quality cross-domain data interaction and collaboration. More efficient
deployment and O&M methods are another urgent need, as they are crucial to managing numerous devices and user terminals in a more fine-
grained manner. Traditional solutions, however, cannot meet these expectations.
Enterprises are taking strides towards the all-cloud era, posing great challenges to networks
Wi-Fi
discontinuous
networking
Cross-domain
fragile
infrastructure
Cloud
outpacing
network
Difficult
network
scaling
CloudCampus 3.0: Fully-Wireless Intelligent Cloud Campus
Network, Inspiring Digital Innovation
L3 autonomous driving
90% fewer complaints
One global network
40% lower private line costs
Low-carbon intelligence
30% lower energy consumption
of the entire network
Fully-wireless experience
40% higher productivity
SD-WAN
Router
Education Finance
Healthcare Retail MSP
Manufacturing
...
NETCONF/YANG Telemetry
Automated
deployment
Intelligent
O&M
Fully-Wireless Experience: Breaking Down Boundaries and
Inspiring Enterprise Innovation
Zero signal blind spot
Unique dynamic-zoom smart antenna
Industry's only to support both omnidirectional and
high-density modes, intelligently adapting to diverse
scenarios and increasing performance by 20%
Zero interruption
during roaming
Unique AI roaming algorithm
70% higher roaming success rate, 30%
larger bandwidth during roaming
Zero packet loss for
intelligent control
First-of-its-kind Wi-Fi 6E network
for smart manufacturing
6 GHz frequency band, ultra-low interference
Air interface slicing: 99.999% @ 10 ms
AGV
Production line AOI
Wireless extends from workplaces to production environments. How to build a
Wi-Fi 6 network that delivers a continuous experience?
76%
of enterprises are not satisfied
with their WLAN experience.
No signal or
weak signal
Connected
but slow
Roaming with
frequent interruptions
Unstable network
Low-Carbon Intelligence: 3 Layers Simplified into 2 Layers,
Entire Network Managed as One Device
Public area Mobile office
Desktop
1/2.5/10GE
Access switch
PoE-out
Core switch
10/25/40GE Central switch
Remote unit
ELV room
Aggregation
switch
Access switch
Central
switch
RU
37%
TCO savings
Low carbon and
energy saving
• Power consumption control and intelligent
hibernation on ports and the entire device
• Fanless design for super quietness, reducing
energy consumption by 30%
Simplified
architecture
• 3 layers → 2 layers, reducing managed
nodes by 80%
• Planning-free, management-free, and
plug-and-play RUs
Service
continuity
• Exclusive optical-electrical PoE + secondary
PoE, ensuring network continuity even
without local mains supply
• Ultra-high bandwidth offered by the hybrid
cable, no cable replacement for 15 years
Network-wide automation |
AI-powered intelligent O&M
One network across
geographic locations
Unique "SD-WAN + SRv6",
enabling ultra-fast multi-
branch interconnection
One network on and
off the cloud
One hop cloud access,
multi-cloud
interconnection, ultrafast
cloud access
2x
cloud access
efficiency
5G/MPLS
/Internet
Internet
SaaS
IaaS
One network for
multiple services
Unique free mobility,
security segmentation for
services, consistent user
experience
Public
cloud
Private
cloud
Challenge: difficult cross-
domain interworking
• How to construct production, OA, and IoT networks
in a unified manner?
• How to reduce the costs of branch interconnection
that relies heavily on costly private lines?
• How to improve cloud access efficiency for services
that need to go through HQ?
50%
Lower network
construction costs
40%
Smaller private
line costs
Google
Office 365
VPC
One Global Network: Ubiquitous Connectivity from Any
Branch, for Any User, on Any Terminal
HQ
MPLS
Internet
5G
Remote campus
Branch
SD-WAN
L3 Autonomous Driving: Autonomous Driving Network for
Reliable and Stable Services
47%
44.50%
7.50%
1%
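Yes, the enterprise plans to achieve network automation/intelligence in the near future
Yes, the enterprise plans to achieve network automation/intelligence within 3 years
Yes, the enterprise plans to achieve network automation/intelligence in more than 3 years
No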
Enterprise network automation and intelligence
transformation plan
SD-WAN
Management + control + analysis
Roaming
success rate
50% Terminal
identification
rate
60%
98%
90%
Traditional
solution
Huawei
solution
AirEngine Wi-Fi 6 CloudEngine S switch HiSecEngine firewall
NetEngine AR
Network challenges faced by enterprise
digital transformation
Yes, very soon
Yes, in the next 3 years
Yes, in more than 3 years
No plan
Section Summary
This section describes the four differentiators of CloudCampus 3.0: fully-wireless experience,
low-carbon intelligence, one global network, and L3 autonomous driving.
⚫ Fully-wireless experience: Huawei WLAN provides unique features, such as fully-wireless
intelligent continuous networking, dynamic-zoom smart antenna, AI roaming, and Wi-Fi 6
Advanced.
⚫ Low-carbon intelligence: The simplified architecture stands out with super power supply via
hybrid cable and management-free remote units (RUs).
⚫ One global network: SD-WAN helps build one network on and off the cloud.
⚫ L3 autonomous driving: iMaster NCE offers compelling features such as intelligent
verification and application assurance 360.
(Hyper-converged DCN)
CloudFabric 3.0
Three IT Changes Drive DCNs Towards All-Ethernet
Scale: 100x
Centralized
↓
Distributed
IT
architecture
Computing
unit
Storage
media
PCIe
IB Ethernet
Performance: 100x
or
As-Is To-Be
Capacity: 1000x
SCSI NVMe
FC (32G) RoCE (400G)
PCIe is replaced
HDD → SSD
Ethernet Ethernet
Centralized Distributed
CPU/GPU interconnection
over Ethernet
All-flash storage
interconnection over Ethernet
Server interconnection
over Ethernet
NetApp DELLEMC
Intel Ascend Kirin
CloudFabric 3.0 Hyper-converged DCN Solution
Full-lifecycle automation
Reduces TTM by 90%
Network-wide
Intelligent O&M
Proactively predicts 90%
of faults
Improves IOPS by 90%
Unleashes 100% of
computing power
Ethernet for HPC
Multi-cloud
Three characteristics
Core benefits
OpenStack
Kubernetes
FusionSphere
VMware
Network-wide intelligent O&M
• Device-, interface-, optical module-,
network-, and service-level
• Predictive maintenance, zero service
interruption
Full-lifecycle automation
• Automated network planning, construction,
maintenance, and optimization
• Intent-driven network, NaaS
Lossless Ethernet
• Zero packet loss for local and
long-distance transmission
• Convergence of computing and
storage networks
Optimization
Planning
Construction Maintenance
Hyper-Converged DCN
Automation Intelligence
General-purpose
computing Storage HPC
Ethernet for active-active
storage
L3.5 Autonomous Driving Network, Accelerating Evolution
Towards Multi-Cloud and Multi-DC
Industry
Simulation &
verification
Network
automation
Intelligent fault
remediation
Simulation &
verification
AI inference
Digital twin
Public cloud
Leaf Leaf
Spine Spine
Leaf Leaf
DC 1
Industry cloud
Leaf Leaf
Spine Spine
Leaf Leaf
DC n
Customer service systems and
operation platforms
Northbound: interconnection
with service systems
Southbound:
network-agnostic
2022
OpenStack Kubernetes FusionSphere
Red Hat
Faster
construction
Faster
deployment
Planning +
Design
Deployment +
Provisioning
Service
Provisioning
Monitoring +
Troubleshooting
Network
Change
Parameter
Adjustment
Faster
troubleshooting
Cross-cloud connectivity:
months → minutes
Service provisioning:
days → minutes
Fault locating:
hours → minutes
Full-lifecycle automation
Optimization
Planning
Construction Maintenance
CloudFabric Easy
Lightweight SDN solution for
small and midsize DCs
iMaster NCE-Fabric single-node
system or cluster (mandatory)
CloudEngine switch
iMaster NCE-FabricInsight
single-node system (optional)
Simplification
• 8x the industry's leaf
scale, facilitating
network capacity
expansion
• Modular spine
switches: flexible
scalability and high
reliability
EasY-Maintenance
• Comprehensive health
evaluation, automatic
detection of 90% of risks
• Proactive fault O&M,
rectifying faults in
minutes
Automation
• 3-step service
provisioning, taking
only minutes
• Pre-event simulation
and post-event
verification, ensuring
100% configuration
correctness
Expandability
• Factory installation
and automatic joint
commissioning,
50%↓ service costs
• One-click
deployment,
involving only 3
steps with 3
parameters
CloudFabric Easy Solution, Helping SMEs Build Cloud Data
Center Networks in an "EASY" Way
Challenge: Ethernet packet loss has gone
unsolved for 40 years
Why is Ethernet prone to
packet loss?
N:1 traffic, exceeding the receive
bandwidth
Higher packet loss for more nodes
Real-time, precise speed control through AI algorithm,
rather than O&M experts
Innovatively introduce AI algorithm to address
this global challenge
Years of research have failed to resolve this issue.
• Real-time
traffic model
• Tens of
millions of
random
samples
Non-precise
backpressure Traffic control
Frequent transmission
suspension
Overly low throughput
Ever-changing traffic
Difficult to seize the
best time window
……
Scenario auto-adaptation, a result after training of tens
of millions of random samples
Random samples for
adaption to any scenario
+
Real service samples to
ensure service effects
OLTP VDI Video
OLAP AI
Unique algorithm
Ethernet for HPC: Eliminates Ethernet Packet Loss and
Unleashes 100% of Computing Power
Packet loss
Scenario auto-
adaptation
Zero packet
loss at 100%
throughput
Scale auto-
adaptation
Why can't traditional Ethernet be used for
cross-DC active-active storage?
Lossless algorithm upgrade: zero packet loss for a
70 km long-distance transmission on an Ethernet
vs
The RTT for 70 km intra-city transmission reaches up to
1 ms. The traditional lossless algorithm cannot ensure
zero packet loss over such a long-distance transmission.
Three-dimensional lossless
algorithm fails in long-distance
transmission scenarios
+ Spatiotemporal
variable
(distance, delay,
jitter, etc.)
Four-dimensional lossless
algorithm ensures zero
packet loss over long-
distance transmission.
Service
requirement
Traffic
model Network status
One more dimension,
100x difficulty
Annual
saving of
CNY25.73
million
100+ 8G FC links → 10 100GE links
8G*128 100G*10
Example (a bank with cross-DC active-active storage): 10 x 100GE lossless Ethernet links
replace 100+ FC links, reducing links by 90%+.
Ethernet for Active-Active Storage: Lossless Long-Distance
Transmission, 90%+ Fewer Links
Active DC Intra-city active-
active DC
Active DC
Huawei switch
Traditional Ethernet:
> 0.2% packet loss rate
over long-distance
transmission
Requirement Actual situation
Intra-city active-
active DC
Active-active
storage requires
zero packet loss
Section Summary
This section describes Huawei's hyper-converged data center network products and major
solutions:
⚫ L3.5 autonomous driving network, accelerating evolution towards multi-cloud and multi-DC
⚫ CloudFabric Easy Solution, helping SMEs build cloud data center networks in an "EASY" way
⚫ Ethernet for HPC, eliminating Ethernet packet loss and unleashing 100% of computing
power
⚫ Ethernet for active-active storage, achieving lossless long-distance transmission and
reducing links by 90%+
(CloudWAN)
CloudWAN 3.0
CloudWAN 3.0: Leading WANs into the Intelligent Cloud-
Network Era
SRv6
FlexE-based slicing
100+ commercial cases worldwide
IPv6 Enhanced, laying a foundation for digital infrastructure
IFIT NETCONF/YANG
Township Federal HQ
State
DC
Real-time
visibility
Fault locating
in minutes
Failover in
milliseconds
One-fiber multipurpose transport: deterministic
experience
• Hierarchical slicing: 1000+ slices, 10x the
industry average.
• Slice ID-based slicing for simplified deployment
One-network wide connection: network digitalization
• Industry-unique hop-by-hop measurement
technology, enabling real-time visibility of network-
wide status and troubleshooting within minutes
One-hop cloud access: flexible cloud-network
connection
• SRv6 enables service provisioning within minutes
and agile service cloudification.
One-click fast scheduling: cloud-network
coordinated scheduling
• SDN + intelligent cloud-map algorithm, improving
cloud-network resource utilization by 30%
MPLS MPLS VLAN Cloud path 10
Cloud path 20
Cloud path 30
[Chart: SR & SRv6 standards document contributions by vendors; series: Huawei, Vendor C & Huawei, Vendor C, Others]
Huawei leads or participates in the
formulation of 59% of SRv6 standards.
Major contributor to SRv6 standards
Leading global SRv6 commercial use
100+ SRv6 commercial deployments
(as of 2022)
One-Hop Cloud Access: Overcoming Process Barriers with
Technology to Enable Fast and Smooth Cloudification for Enterprises
VXLAN
Interop Best
of Show
Award
Frost & Sullivan Global
New Product
Innovation Leadership
Award
Industry: multi-level cross-department
collaboration
10+ stages, 30+ days for provisioning
Huawei: configuration-free cross-domain cloud
path deployment
Provisioning within minutes and application-
level assurance
Cloud path 20: 100 Mbps
bandwidth, latency < 2 ms
Cloud path 30: 50 Mbps
bandwidth, latency < 10 ms
Most powerful hierarchical slicing, maximal network value
Huawei Other vendor
vs.
1000+ slices:
Huawei-exclusive
32
1000
Restricted protocol path
computation capability
Patented slice ID-
based slicing,
planning free
Configuration within
hours, requiring
address planning
Slice-based hard
isolation, guaranteeing
bandwidth and latency
Soft isolation and
bandwidth sharing,
unable to guarantee SLAs
10 Mbps granularity,
without wasting
resources
Only 5 Gbps
granularity
supported
10 Mbps/slice
…
5 Gbps/slice
One-Fiber Multipurpose Transport: Hierarchical Slicing Enables
IP-Based Production Networks and Ensures Deterministic SLAs
Remote
mgmt.
Video
security
Office
service
Remote
mgmt.
Video
security
Office
service
Office
service
Production
service
Video
service
slice
Control
service
slice
10+ networks → N slices
over 1 network
Multi-network
convergence and private
network-like experience
Telepresence conference:
latency < 10 ms
Video security:
bandwidth > 100 Mbps
Office service: service
isolation
Office
service
slice
Before Now
More
Faster
Better
More
cost-
effective
FlexE-based slice 1
FlexE-based slice 2
FlexE-based slice 3
FlexE-based slice 4
90% 12% 25%
IDC1 IDC2 IDC3
CNY120 million/year
investment
38% resource
utilization Computing
power
Cost
Storage
Cloud
factors
Network
factors
Bandwidth
Reliability
Latency
45% 50% 47%
IDC1 IDC2 IDC3
Lower TCO
Cloud-network
resource utilization
Intelligent cloud-map
algorithm
Active DC
Intra-city DR DC
Inter-city DR DC
Cloud management
platform
Cloud resource
information
90,000
cameras
200T/day
video data
90% 10%
50% 50% 30%
CNY 30
million/year
One-Click Fast Scheduling: Intelligent Cloud-Map Algorithm
Improves IDC Resource Utilization by 30%
Huawei: cloud-network coordinated scheduling, enabling
efficient resource utilization
Industry: unbalanced cloud-network
resource loads, wasting investment
One-Network Wide Connection: Network Digitalization
Builds Resilient WANs to Ensure Service Availability 24/7
Customer L
Customer U
Customer pain points:
CloudVR video artifacts and
frame freezing, and long period
to locate silent faults (over 2
hours)
Solution:
IFIT delivers a packet loss
detection rate of 100% and
enables fault demarcation within
minutes.
Customer requirements:
Key areas need to be ensured,
and problems need to be quickly
located and rectified.
Solution:
Real-time visualization and
automatic optimization of
service quality, and closed-loop
network self-healing
100x
Fault demarcation efficiency
50%
OPEX
Prompt fault
diagnosis
In-depth service
perception
Proactive fault
identification
First IFIT-based service
SLA monitoring
Delay Jitter Packet
loss
Knowledge graph
algorithm, enabling
comprehensive
analysis of millions
of alarms
80,000+ KPIs
Real-time
collection
400+ scenarios
Automatic root cause analysis
90%
Fault identification rate
Automatic demarcation
of disconnection faults
Days
Minutes
Quick and automatic
root cause analysis
Proactive identification rate
of 200+ typical network risks
60% 90%
Huawei solution: visualized, detailed, and predictive network O&M
Hours Minutes
In-band
measurement
Monitoring and locating
service SLAs
Section Summary
This section describes Huawei's cloud WAN products and major solutions:
• One-hop cloud access: Process barriers are overcome with technology to enable fast and
smooth cloudification for enterprises.
• One-fiber multipurpose transport: Hierarchical slicing enables IP-based production
networks and ensures deterministic SLAs.
• One-click fast scheduling: Intelligent cloud-map algorithm improves IDC resource utilization
by 30%.
• One-network wide connection: Network digitalization builds resilient WANs to ensure
service availability 24/7.
HiSec 3.0
(Network Security)
HiSec: Intelligent Security, Protecting a Fully Connected,
Digital World
Analyzer
HiSec Insight FireHunter
SecoManager
Controller
Threat
intelligence
Identity
controller
Safe city e-Government
cloud
Telco cloud
Scientific research
enterprise
Manufacturing Government
security brain
Industrial
park
ICT infrastructure
...
IAM
Enforcers
iMaster NCE
Based on automated
service-policy mapping
80%
Security O&M costs
OPEX
Intelligent
detection
Intelligent
handling
Intelligent
O&M
Within seconds
Collaboration between network and
security devices, enabling proactive
threat deception, and automatic
closed-loop threat handling
Threat response time
99%
Unknown threat detection
accuracy
• Intrusions by exploiting web and application vulnerabilities
• Intrusions through zombies, Trojan horses, viruses, and malicious code
• Phishing emails and web pages as well as APT attacks
• DDoS attacks
• Bandwidth misuse, failing to guarantee the QoS of key services
Challenges
Campus intranet
Firewall
• Intrusion prevention: supports flow-based signature detection and 12,000+ IPS
signatures, achieving approximately zero false positives.
• Antivirus: combines application identification with virus scanning, detecting over 5
million viruses.
• Data breach prevention: identifies and filters files and contents transmitted
through email, HTTP, FTP, IM, and SNS, identifies 120+ file types, and restores and
filters 30+ file contents.
• DDoS attack mitigation: fends off multiple types of DDoS attacks.
• Powerful security performance: offers 10GE-level all-threat prevention, with up
to 40 Gbps performance.
• Application QoS optimization: identifies 6000+ applications and supports
application-based bandwidth limiting, minimum bandwidth guarantee, and policy-
based routing.
• Unknown threat detection: supports cloud-based sandbox detection technology,
with the signature database updated every day.
• Intelligent management: automatically generates the most stringent security
policies for easy optimization.
Customer Benefits
Huawei Network Security Use Cases (1/3): Internet
Border Protection
Internet
WAN
access area
Branch
HQ LAN
• Service data breach during transmission
• Intrusion behavior of internal users
• Internal virus spread
• Unauthorized access by internal users
• Resource misuse, preempting service bandwidth
Challenges
• VPN: supports IPsec VPN, SSL VPN, IPsec hot standby (for zero service
interruptions), and DSVPN.
• Intrusion prevention and antivirus, preventing data breaches.
• Application QoS optimization: identifies 6000+ applications and supports
application-based bandwidth limiting, minimum bandwidth guarantee, and
policy-based routing.
• Unknown threat detection: supports cloud-based sandbox detection
technology, with the signature database updated every day.
Customer Benefits
IPsec VPN
Huawei Network Security Use Cases (2/3): Secure
Subnet/Branch Interconnection
Firewall
Firewall
LAN LAN LAN
WAN (private
network)
Huawei Network Security Use Cases (3/3): Data Center
Security
• Adaptation to the elastic scaling, quick rollout, and self-service needs
of the cloud
• Blurring network boundaries and rampant security threats
• In need of strong processing performance, effective traffic
management mechanisms, and comprehensive reliability mechanisms
Challenges
• North-south and east-west security services for tenants through
security resource pools and service traffic diversion based on
different types of traffic
• Rich security capabilities: security protection of cloud data center
borders, tenant borders, and tenant intranet
• High performance: built-in NP acceleration engine, content mode
matching engine, and encryption/decryption engine for high service
processing performance
• High reliability: hot standby for improved reliability
Customer Benefits
BorderLeaf
ServerLeaf
Spine
VXLAN domain
Internet
Firewall
Firewall
SecoManager
Service-oriented
integration
DDoS
Huawei's Main Security Product Portfolio
Anti-DDoS Firewall
SecoManager
security controller
AntiDDoS1905
Fixed anti-DDoS devices Desktop firewalls
USG6510E USG6530E
USG6575E-B
USG6605E-B
Bypass models
High-end fixed firewalls
USG6680E
USG6712E
USG6716E
USG6525E
USG6555E
USG6565E
USG6585E
Low-end and mid-
range fixed
USG6500 series
Low-end and mid-
range fixed
USG6600 series
USG6650E
USG6630E
USG6610E
USG6620E
AntiDDoS1908
USG6615F
USG6625F
USG6635F
USG6655F
USG6710F
USG6715F
USG6725F
USG12008
AntiDDoS12004-F
USG12004
Modular firewalls
USG12004-F USG12008-F
AntiDDoS12004 AntiDDoS12008
Modular anti-DDoS devices
AntiDDoS12008-F
USG6685F
80 Gbps–240 Gbps series 2 Gbps–9 Gbps series 10 Gbps–50 Gbps series
400 Gbps–800 Gbps series
960 Gbps–2.4 Tbps Series
400 Gbps–1.2 Tbps series
300 Gbps–600 Gbps series
1.2 Gbps–4 Gbps series
40 Gbps–80 Gbps series
7 Gbps–10 Gbps series
✓ Entry into Gartner's MQ as a firewall
vendor since 2013
✓ A challenger in Gartner's MQ for 5 years
in a row
✓ A vendor in Gartner's MQ for 9
consecutive years
"Challenger" in Gartner MQ Gartner Peer Insights Customers' Choice
✓ Huawei firewalls won Gartner Peer
Insights "Customers' Choice" in 2021.
✓ Overall rating for Huawei firewalls: 4.9/5
stars, ranking No. 1 among all vendors
✓ Gaining the highest score (full score) in
many domains, such as automated
malware analysis, IPS and IDS, TLS
decryption, and SOC automated analysis
"Strong performer" named by Forrester
Winning World-Renowned Honors and Leading the Industry
Section Summary
This section describes Huawei's network security products and major solutions, covering:
• Huawei network security use cases
• Huawei's security product portfolio
Contents
1. Huawei Enterprise Datacom Business Overview
2. Huawei Enterprise Datacom Network Solutions
3. Success Stories
• XX University is a national key university in country Z. It has 2xxx full-time teachers and about 40,000 full-time students.
• The legacy wireless network performance was poor and failed to support online courses in dormitories during the COVID-19 pandemic.
• One new network needs to be built for the entire campus that features multi-network convergence and high-speed interconnection, meeting the
requirements of teachers and students across six campuses in three cities in complex network scenarios.
Huawei solution: visualized, manageable, and
controllable high-quality Wi-Fi 6 campus network
• Multi-network convergence (wired, Wi-Fi, and IoT): consistent access to
campus resources and the Internet for teachers and students
• Flattened, simplified two-layer (access + core) architecture: higher
transmission efficiency and lower network construction costs
• All-optical access: PoE++ at a distance of 300 m through hybrid optical-
electrical switches
• Wi-Fi 6 and AI-powered iMaster NCE-CampusInsight: better Wi-Fi network
services for all the teachers and students on campus.
Products: iMaster NCE-Campus, iMaster NCE-CampusInsight, S12700E,
CloudEngine S5732-H, AirEngine 5760-22W
[Figure: campus network topology. Campus S and Campus J each have a core switch, firewall, online behavior management, situational awareness, anti-DDoS, a BRAS in the teaching and research area, and a dormitory egress, with uplinks to carriers A, B and C and the education network; a BRAS in the dormitory area is also shown. APs serve teaching and research areas A, B and C and dormitory areas A, B and C.]
XX University: Wi-Fi 6 and All-Optical Ethernet Combine to
Build an Intelligent and Digital Information Highway
⚫ Exclusive optical-electrical PoE
technology: 10 Gbps ultra-
broadband access and 300 m
long-distance PoE++ via hybrid
cable, as well as secondary PoE
from RUs to downstream APs,
removing the need for a local
power supply
⚫ Simplified network architecture: 3
layers (core, aggregation, and
access) → 2 layers (core and access)
• XX University has historical buildings that have no extra-low voltage (ELV) rooms on floors. The cabling length from the building equipment room to
terminals exceeds 100 meters, so it's impossible to use Ethernet cables for both data transmission and power supply.
• In line with national carbon neutrality goals and policies, XX University needs to build a green and low-carbon network for lower energy consumption.
• Amid the ongoing pandemic, teachers and students require high-bandwidth services, such as large file download, online courses, MOOCs, and video
conferencing.
Customer Benefits
Huawei Solution
⚫ Low-carbon and green: Highly energy-efficient
RUs reduce single-port power consumption by 30%,
greatly saving energy on the campus network.
⚫ Simple O&M: By using hybrid cables, RUs receive
PoE at long distances and also supply PoE to
downstream devices, removing the need for a local
power supply. RUs are also management-free,
reducing managed nodes by over 90% and
slashing O&M costs.
⚫ High-quality experience: Full Wi-Fi 6 coverage
achieves 100% signal coverage, roaming latency of
less than 30 ms, average packet loss rate of less
than 0.1%, and single-user speed of 100 Mbps,
ideal for bandwidth-hungry services of teachers
and faculty members.
⚫ New Wi-Fi 6 wireless
networking
CloudCampus @ Education: Helping XX University to Build a
Low-Carbon and Green All-optical Campus Network
[Figure: campus network topology. Egress to the education network and carriers A, B and C; authentication system; S12700E-8 (integrated WAC); S10500 (wired network); S10500 (wireless network); USG 9560; iMaster NCE-CampusInsight; iMaster NCE-Campus; building ELV room; hybrid optical-electrical switches (buildings A and B); aggregation switches (buildings C, D and N); hybrid cables; RUs; central AP.]
Solution and Customer Benefits
LAN-WAN Converged Networking
 SD-WAN
intelligent traffic
steering
 Wi-Fi-6 + IoT
access
 Intelligent O&M
 Wired + 4G/5G
SD-WAN Project @ XX: Building Smart Stores with LAN-WAN
Convergence
• XX is one of the top restaurant chains in country Z and even the world. It has 4000+ stores in country Z and opens 500+ new stores every year. It urgently
needs to introduce IT cloud architecture, IoT, and smart store applications.
• Costly leased lines and fast traffic growth: The average cost per Mbps bandwidth is CNY10K/year. The use of self-service systems sharply increases the
demand for bandwidth.
• Long service provisioning period: A huge number of stores and no local IT engineers result in high O&M costs.
• Large equipment room space occupied by routers: 24 traditional routers exist in the DC and are complex to replace.
• Reduced O&M costs: Intelligent O&M and converged network reduce O&M
costs by 60%.
• Increased network bandwidth and access user capacity: Internet lines are
added, and bandwidth is upgraded from X Mbps to XXX Mbps.
• Enhanced reliability: Wired and 5G ensure always-on services for more returns.
• Improved service support: cloud-managed network + smart store (IoT + AI)
Huawei
Cloud
Tencent
Cloud
Alibaba
Cloud
* Backup
DC
Network-wide automation |
AI-powered intelligent O&M
Customer Benefits
Huawei SD-WAN for reliable leased lines
with superior experience
As-Is To-Be
Multi-link bundling + intelligent
traffic steering, improving customer
experience by 50%
Fast deployment and visualized
O&M, reducing OPEX by 50%
Secure, cost-
effective
uplink egress
SD-WAN Project @ XX Bank: Embracing Smart Branches in
the Digital Era
• XX Bank is a century-old state-owned savings bank in country T, having a large number of branches, including 1000+ branches and 8000+ ATMs.
• The legacy routers from vendor C are about to expire. Their performance is insufficient, failing to support link upgrade.
• Currently, XX Bank uses leased lines from multiple carriers, leading to high link costs and low maintenance efficiency.
• The leased line and Internet link are used together, suffering from low security.
Traditional
leased line +
Internet
Single-site
management
+ local O&M
Intelligent
and simplified
O&M
Tenant A
Tenant B
Intelligent and Lossless Network @ XX: World's 1st RoCE Network Used for the Car Crash Simulation Platform
XX is a joint venture and R&D-centric enterprise. All of its in-house car models use the car crash simulation platform. Huawei's
intelligent and lossless CE9860 switch was selected to build a high-performance network for the car crash simulation platform.
Huawei's 100GE intelligent and lossless network @ XX's car crash simulation platform
The car crash simulation platform is applied to high-performance computing
(HPC) for large-scale parallel systems. It models complex geometric shapes by
providing different structural and continuum elements: beams, shells,
membranes and solids. This provides a large number of linear and non-linear
materials. By using rigid bodies to perform computing and ignoring
deformations of unimportant components, this platform can simulate the
performance state of the proposed car design, and evaluate the potential
damage to occupants in a variety of crash situations.
Job completion time (JCT) comparison (Huawei RoCE vs. IB):
4-node IB: 14:47:45
4-node RoCE: 12:04:48 (↑ 22.48%)
8-node IB: 11:33:15
8-node RoCE: 9:28:43 (↑ 21.90%)
The customer compares IB and RoCE in the real-world 4-node and
8-node scenarios, with the following findings:
• 4-node scenario: 22.48% better than IB
• 8-node scenario: 21.90% better than IB
End-to-end
failover < 1s
24/7 zero service
interruption
Storage network smart
discovery (SNSD)
A storage network fault
detection and alarm
mechanism is added to
quickly detect link faults
and perform failover within
seconds, ensuring 24/7
core transaction services.
Max. improvement
of storage
performance
(vs. FC)
30%
Powerful
performance
Intelligent and lossless
Ethernet switch
AI-powered dynamical
adjustment of thresholds
ensures zero packet loss
even at 100% throughput.
TCO
reduction
• All IP for data center
networks
• Smaller network
construction cost
• Simpler O&M and
management
• Lower requirements for
team technical skills
x86 server
CE6860-SAN
OceanStor Dorado 6000
Networking diagram
25GE RoCE
CE6860-SAN
* Comparison between 32G FC and 25G RoCE
XX Bank had long used an FC network, for which there were only two leading vendors. When the FC network was faulty, it was difficult to obtain vendor-branded
services. XX Bank decided to upgrade storage from HDD to SSD, which put huge strain on the legacy FC network. Finally, XX Bank selected
Huawei's NoF+ intelligent and lossless network solution, achieving zero service interruption, powerful performance, and TCO reduction.
Huawei NoF+ intelligent and lossless network @ XX Bank
Development
and test area
Huawei Data Center NoF+ Solution @ XX Bank: Marching
Towards the High-Tech Road
World's 1st 400G RoCE Switch Project @ Computing Power Platform of XX Lab
• World's 1st "400G aggregation, 200G access" RoCE switch project, setting a new benchmark
• Huawei's 1st high-performance AI network that adapts to NVIDIA GPUs
• National qualifications-ready lab led by the government of Z province that is mainly working on AI computing
The customer chose RoCE technology and built an HPC network through lossless Ethernet.
JCT 4.87%
IB network RoCE network
AI computing
cluster area
CE9860 (400G card)
Computing network:
parameter plane & data
plane
Core
switching
...
...
25GE 100GE 200GE 400GE
25*400G
8*400G
CE8851
Spine
Leaf
Service
network
...
Compute node Storage node
Cabinet 1
Cabinet N
4*200G 4*200G
1*100G
CE8850-64CQ
100 GB/s
100 GB/s
Mellanox7890
Text
Prediction
Task
Classifier
Layer Norm
Feed Forward
Layer Norm
Masked Multi
Self Attention
Text & Position
Embed
Generates a language
model based on text
training and fine-tunes the
model based on NLP tasks.
Application: human
language training
Test iteration: 1000 times
JCT: RoCE (29,236.51s)
vs. IB (30,731.63s)
GPT
model
AI computing cluster networking: 200GE high-speed
access of servers to TOR switches
Spine-Leaf: 400G ultra-broadband interconnection,
meeting 1:1 convergence ratio
Computing performance: slightly better than IB
Job completion time (JCT): 4.87% better than IB
XX Power Company: One IP Network for All, Safeguarding
Operations, Reducing Costs, and Increasing Efficiency
Substation Substation
Dispatch center Substation Dispatch center Substation
Wide area
measurement
system (WAMS)
SCADA Relay
protection
C37.94
ETH ETH
VPN1
VPN2
WAMS SCADA Relay
protection
ETH ETH
ETH
ETH
Video
inspection
As-Is: Multi-network bearer leads to
complex O&M and high TCO.
To-Be: One bearer network with slicing
delivers high reliability and reduces costs.
Multi-network bearer for OT & IT services is expensive.
Low bandwidth fails to support new services.
O&M on the outdated network is complex.
Converged bearer: PCM interfaces adapt to OT service systems.
Intelligent slicing: 1000+ slices and Mbps-level granularity
Intelligent O&M: improves network stability and service quality
✓ One IP network for all,
reducing investment in
PCM devices
✓ Higher O&M efficiency,
optimizing the electric
power service experience
✓ Hard slicing for
isolation, ensuring key
power grid services
40%
Overall CAPEX
30%
Safety incidents
25%
Network construction cost
Unbalanced DCI traffic,
prone to congestion
Intelligent optimization for DCI
traffic load balancing
As-Is To-Be
• SLA assurance for key
production services
• Balanced utilization of
private line bandwidth
• CAPEX cost savings
Customer
requirements
• Shortest path forwarding,
with a congestion rate of
90%
• Unbalanced resource load
and high capacity expansion
costs
• Affected service transactions
during peak hours
Pain points
Resource utilization
after global
optimization
Network TCO
CNY30M/year
Intelligent cloud-
map algorithm
Intelligent traffic scheduling for load balancing
20%
Best-effort SRv6
90%
20%
40%
40%
Bank J in Country Z: Global Intelligent Optimization
Improves Cloud-Network Utilization While Reducing TCO
XX Bank: Efficient Security Protection for Rapid Development
of Banking Business
• Due to political or economic factors, the financial
system is prone to attacks.
• Outdated legacy equipment hinders rapid
business development.
• Lack of centralized management results in
low O&M efficiency.
Huawei Solution Customer Benefits
• Robust security protection and best
performance of mixed traffic,
safeguarding financial services
• Secure isolation of each area within
three data centers, and CAPEX
reduction by 60%, after 50+ products
replace 100+ legacy devices
• Unified O&M and OPEX reduction by
80%, through SecoManager for
centralized firewall management
• XX Bank is the largest private bank in xxx. It is a
Fortune Global 500 company.
• The bank has multiple data centers, has an
independent security team, and attaches great
importance to network security.
Background
Challenge
Internet
…
DC 1 DC n
USG6000E USG6000E
SecoManager • USG6000E delivers high service
performance needed for financial
service scenarios.
• SecoManager was deployed to centrally
manage firewalls and implement service
orchestration, greatly simplifying O&M.
• USG6000E was deployed to offer IPS,
antivirus, URL filtering, and other security
capabilities, and intelligently detect
unknown malware, effectively enhancing
system defense.
Quiz
1. What are the four differentiators of Huawei's CloudCampus Solution?
2. What are the three highlights of low-carbon intelligence?
3. What does "one global network" refer to?
Copyright© 2022 Huawei Technologies Co., Ltd.
All Rights Reserved.
The information in this document may contain predictive
statements including, without limitation, statements regarding
the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
Bring digital to every person, home, and
organization for a fully connected,
intelligent world.
Huawei CloudCampus Solution and Switch Products
Presales Training
⚫ Security Level:
Foreword
⚫ Campus networks, as the infrastructure for campuses to connect to the digital world, are an
indispensable part of campus construction and play an increasingly important role in daily
working, R&D, production, and operation management.
⚫ This course describes the concept, typical networking scenarios, and typical architecture of
enterprise campus networks, as well as the requirements, trends, and challenges of campus
networks. This course then briefly introduces Huawei CloudCampus 3.0, and focuses on
Huawei CloudEngine S series campus switches and their competitiveness and highlights.
Objectives
⚫ On completion of this course, you will be able to:
 Describe the concept of a campus network and its position on an E2E (end-to-end) large-
scale network.
 Distinguish between different types of campus networks and describe their main
characteristics.
 Describe the typical logical and physical architectures of campus networks.
 Describe the architecture, components, and main functions of Huawei CloudCampus 3.0.
 Recommend a proper campus network architecture based on customer requirements.
 Differentiate between Huawei switch models and flexibly select them for different projects.
Contents
1. Campus Network and Solution Overview
2. CloudCampus Solution Highlights
3. CloudEngine S Series Switches
What Is a Data Communication Network?
Cloud campus
network Cloud WAN
General-purpose
computing
Storage
High-performance
computing
Hyper-converged
data center network
(DCN)
Network security
E2E data communication industry
• A data communication network comprises a variety of data communication devices.
• Data communication networks are the cornerstone for the digital world.
What Is a Campus Network?
Regional core Regional core
Government
building
Smart street lamp
School
Hospital
Community
Industrial park
CCTV
Operation center
HQ core
DC (active) DC (standby)
Enterprise
Shopping mall/
Supermarket
Government
building
Campus Networks Across Industries
Enterprise campus network Education campus network Government campus network Commercial campus network
• Refers to the enterprise office
network here.
• Focuses on network reliability and
advancement to improve office
experience and ensure the
efficiency and quality of operation
and production.
• Has two types: primary/secondary
education and higher education
campus networks.
• A higher education campus
network is relatively complex: It
generally contains a teaching and
scientific research network, a
student network, and an
operational dormitory network.
• The network must be highly
manageable and secure as well as
advanced.
• Generally refers to the internal
network of a government agency.
• Has ultra-high security
requirements. The internal
network is isolated from the
external network to ensure the
absolute security of confidential
information.
• Commercial campuses refer to
malls, supermarkets, hotels, and
parks.
• Mainly serves consumers and
contains internal office subnets.
• Provides Internet access services
and builds an intelligent business
system to improve user
experience and business
efficiency, reduce O&M costs, and
transfer value.
To meet service requirements in different industries, the campus network architecture and technical applications are designed based on
industry characteristics.
Internet/MPLS
Simple-service campus Large multi-service campus
Small or midsize campus
or branch campus
SD-WAN
Public cloud,
private cloud,
and hybrid cloud
Overview of campus types
• Office
• R&D
• IoT
Simple-service campus
• Midsize or large scale, simple services, and similar site models
Large multi-service campus
• Large scale, complex services, and logical isolation required
between services
Small or midsize campus or branch campus
• Small scale, simple services, and inter-site communication
WLAN WLAN
WLAN
Technical fields
• SD-WAN: software-defined WAN in the hybrid WAN scenario,
implementing intelligent enterprise WAN interconnection
• Switching network (LAN): contains switches at the core,
aggregation, and access layers and has different hierarchical
structures based on the network scale. This course will focus on
this network.
• Wireless network (WLAN): contains wireless access controllers
(WACs) and access points (APs).
Service
migration to
the cloud
Campus Network Types and Technical Fields
Typical Physical Networking of Campus Networks
Stack/CSS link
Egress zone
Core layer
Aggregation layer
Access layer
Terminal layer
DC
• Egress zone: enables internal users on the campus network to access
the public network or external users (including customers, partners,
branches, and remote office users) to access the campus network.
• DC (data center): has servers and application systems deployed to
provide data and application services for internal and external users of
an enterprise.
• Network management and O&M zone: has campus network
management and O&M servers deployed.
• Core layer: serves as the core for campus data switching and connects
all components of the campus network. A WAC is usually deployed at
the core layer.
• Aggregation layer: functions as the switching core in an area to
aggregate the area traffic and can extend the quantity of access
terminals.
• Access layer: provides wired or wireless access for terminals and has
switches and APs deployed.
• Terminal layer: contains various terminals that access the campus
network, such as PCs, printers, IP phones, mobile phones, and cameras.
Internet WAN
Network
management
and O&M
zone
Campus WAN Interconnection Networking
Static IPsec VPN SD-WAN interconnection
Internet
MPLS
MPLS/Internet
IPsec VPN tunnels are established between devices at different sites.
Traffic is diverted to the VPN tunnels based on the configuration to
implement secure inter-site communication.
SD-WAN implements on-demand interconnection between branches and
between branches and DCs. It provides application-based intelligent traffic
steering and acceleration as well as intelligent O&M features to deliver
better service experience and reshape the full-process service outcomes of
enterprise WAN interconnection.
HQ
Branch 1
Branch 2
This course focuses on campus switches and related solutions.
MPLS
DC
HQ campus
Internet
Branch 1
Branch 2
RR
Service Requirements and Challenges of Large and Midsize
Campus Networks
Converged bearing
Requirements:
Diversified access terminals and
services are calling for a
converged network.
Challenges:
• Services such as Wi-Fi and IoT
are separately planned,
deployed, and managed,
resulting in high network
construction costs.
• The workload of network
management and O&M is
heavy.
User experience awareness
Requirements:
Network O&M needs to be
automated and intelligent to
perceive user experience anytime
and anywhere.
Challenges:
• Service faults cannot be
detected in a timely manner.
• Root cause locating of a fault is
slow and relies on the O&M
skills of professional personnel.
• The network cannot be
automatically optimized.
Network automation
Requirements:
As applications and services surge,
the network needs to be automated
to address the deployment and
policy complexity.
Challenges:
• The workload is heavy, and
manual configuration is complex.
• New services need to be
configured on each device, which
is time-consuming and costly.
• Network policy deployment and
adjustment result in heavy
workload.
Border defense
Requirements:
Unknown threats must be
detected and contained to prevent
intrusion and spread.
Challenges:
• Traditional security tools
provide inadequate threat
detection, resulting in high miss
rates when detecting gray
traffic which is often disguised
as having local origins.
• The border defense solution is
inadequate.
Service Requirements and Challenges of Small and Midsize
Campus Networks
Deployment efficiency O&M APIs
Site network devices
Plug-and-play and on-
demand expansion
Centralized cloud-based management
of multiple branches and remote
automated O&M
Site
network 1
Site
network 2
Site
network N
Site
network
Cloud
management
platform
Site
network
Site
network
Openness and big data analytics capabilities
Requirements:
Plug-and-play network devices improve
deployment efficiency
Challenges:
• Configurations of multiple sites are
centrally delivered, reducing onsite
configuration and commissioning workload
and improving deployment efficiency.
• The network is plug-and-play and able to
be expanded on demand, requiring low
cost for upgrades.
Unified management and centralized
configuration
Requirements:
Centralized and simplified O&M of multiple
sites from the cloud
Challenges:
• Scattered campus branch networks are
centrally managed on the cloud through
the Internet, and multiple automation tools
are provided for troubleshooting,
monitoring, and other management
operations, so as to implement remote
automated O&M.
Requirements:
Open application programming interfaces
(APIs) accelerate integration of business
applications
Challenges:
• A cloud management platform with open
APIs and big data analytics capabilities
interconnects with multiple management
systems to achieve unified network
management. It is able to provide
diversified value-added applications to
accelerate enterprise digital transformation.
Service Requirements and Challenges of Multi-Campus Network Interconnection
Branch interconnection cost
Requirements:
Reduce the costs for WAN interconnection between branches.
Challenges:
Physical leased lines or MPLS VPN leased lines provided by carriers are of high quality, but they are very expensive.
Service provisioning period
Requirements:
Improve the network deployment efficiency and shorten the service provisioning period.
Challenges:
• Provisioning of traditional leased lines takes a long time.
• Services need to be manually configured by network engineers onsite, which requires high skills and is inefficient.
Service experience
Requirements:
Improve the application identification capability and ensure the experience of key services.
Challenges:
• Enterprise applications have varying requirements on link quality.
• Traditional leased lines cannot detect the application status and thereby cannot guarantee key services at all times.
Management and O&M
Requirements:
Adopt a visualized method to simplify management and O&M.
Challenges:
• CLI-based management and O&M are inefficient, and there is no visualized O&M method.
• If an enterprise has a large number of branches, onsite O&M costs a lot.
Centralized management
Requirements:
Manage LAN-side and WAN-side services in a unified manner.
Challenges:
• Unified configuration management and O&M cannot be implemented.
CloudCampus 3.0: Boosting Enterprise Digital Transformation
[Figure labels: network-wide automation | intelligent O&M; private cloud; public cloud; Internet; router; hybrid optical-electrical switch; Wi-Fi 6/Wi-Fi 6E; continuous experience; SD-WAN; MPLS/Internet; 5G/Internet; HQ campus; branch campus.]
• AirEngine Wi-Fi 6/Wi-Fi 6E: fully wireless continuous networking, no rate limiting for applications, and zero service disconnection
• CloudEngine S switch: easy access and 10GE backhaul
• iMaster NCE-Campus: automatic network provisioning and policy deployment across LANs and WANs
• SRv6 + SD-WAN: secure interconnection across branches and clouds, building one network for all services
• iMaster NCE-CampusInsight: user, network, and application experience assurance and fault self-healing
Fully-Wireless Experience: Breaking Down Boundaries and Inspiring Innovation
[Figure: application scenarios: electronic shelf label, wireless mobile cashier, self-service checkout machine, wireless scale, wired-to-wireless upgrade, AR/VR teaching, wireless multimedia teaching, fully wireless office, wireless campus, wireless mobile office, public Wi-Fi, wireless city, production automation, automated guided vehicle (AGV), asset management, HD quality inspection, massive branches going wireless, remote O&M.]
• AirEngine series Wi-Fi 6 APs: provide continuous wireless coverage and ensure good user experience.
• CloudEngine S series switches: build 10GE backbone wireless backhaul networks for campuses.
L3 Autonomous Driving: Network Autonomous Driving
Ensures Agile Service Rollout
• Device plug-and-play: simplified device deployment, scenario-specific
guided configuration, template-based configuration
• Simplified network deployment: network resource pooling, multi-
purpose network, automatic service provisioning
• Free mobility: GUI-based policy configuration, consistent permission and
experience during moving
• Intelligent terminal identification: anti-spoofing for terminal access,
high accuracy in intelligent terminal identification
• Intelligent HQoS: application-based traffic scheduling and shaping, fine-
grained bandwidth management
• Real-time experience visualization: network experience visualization at
any moment, for any user, and in any area
• Precise fault analysis: proactively identifies typical network problems and
provides suggestions
• Intelligent network optimization: predictive optimization of wireless
networks based on historical data
[Figure labels: NETCONF, SNMP, and telemetry; management, control, and analysis.]
One Global Network: One Hop to Cloud, Multi-Branch
Interconnection, and Service Accessible Anywhere
• One controller, centrally managing LAN/WAN services
• Intelligent application policy selection, intent-based automatic
application experience assurance
• Application-based intelligent traffic steering, optimizing applications
and guaranteeing experience
• Border security protection, ensuring egress security for branches
• One hop from the AR1000V to six clouds, multi-cloud interconnection
• Cabling-free, plug-and-play, on-demand interconnection anytime and
anywhere
[Figure labels: MPLS; Internet; DC; HQ campus; branch sites; RR; legend: GRE/IPsec VPN, management channel, control plane (BGP EVPN peer relationship); lifecycle: planning, deployment, O&M, optimization, orchestration.]
Low-Carbon Intelligence: Transforming Campus Network
Architecture and Transmission Media
[Figure labels: network-wide automation | intelligent O&M; central switch; RU; optical fiber; hybrid cable; Ethernet cable; PoE OUT; 1/2.5/10GE; public area; mobile office; office desktop.]
Number of managed nodes: 80%+↓
• Three layers → two layers, simplifying management
• Planning-free, management-free, and plug-and-play RUs
Power consumption of network-wide devices: 30%+↓
• Intelligent device/port hibernation
• Fanless RU design, noise-free and energy-saving
Smooth network evolution: 10–15 years
• Exclusive optical-electrical PoE, ensuring network continuity even without local power supply
• Ultra-large transmission bandwidth, smooth network upgrade
Three Deployment Modes of CloudCampus
On-premises scenario
• Operation entity: Customer
• Scenario description: Customers purchase and own software entities, such as the controller and analyzer, which can be deployed in their data centers or on the public cloud IaaS platform.
• Target customers: Government, education, large enterprise, retail, finance, and other industry customers
MSP-owned cloud scenario
• Operation entity: MSP and carrier
• Scenario description: MSP-operated: MSPs purchase software, such as the controller and analyzer, for operational purposes. The software can be deployed in their data centers or on the public cloud IaaS platform.
• Target customers: MSP and carrier
Huawei public cloud scenario
• Operation entity: Huawei
• Scenario description: Huawei operates the public cloud and customers do not need to purchase the controller or analyzer software. Instead, customers just purchase Huawei's cloud managed network service.
• Target customers: Government, education, large enterprise, retail, finance, and other industry customers
Software transaction mode: Perpetual license + SnS; TBL subscription mode; SaaS mode
Contents
1. Campus Network and Solution Overview
2. CloudCampus Solution Highlights
3. CloudEngine S Series Switches
CSS: 2-to-1 Virtualization, Delivering Higher Link Bandwidth
and Simplifying Management
Enhanced Service Security Innovative Architecture
Simplified Networking Automation
[Figure: physical and logical topologies. Traditional: route redundancy with 1:1 link protection, with links blocked by STP. Huawei: device cluster (CSS) with 1+1 link protection.]
• Two core devices are virtualized into one device using CSS, reducing the number of managed NEs by 50%.
• Aggregation devices implement uplink aggregation using Eth-Trunk, increasing the bandwidth by 100%.
iStack: Many-to-One Virtualization, Simplifying Device
Configuration and Management
[Figure: physical topology with CSS and iStack devices, and the corresponding logical topology.]
• Virtualizes multiple devices into one device, greatly simplifying network configuration and device management.
• Works with Eth-Trunk to provide uplink aggregation and load balancing, improving uplink reliability.
• Supports service port stacking, without requiring dedicated stack ports or stack cards, making networking convenient and flexible.
CSS/iStack can be used with Eth-Trunk to form a logical tree topology. This simplified network topology prevents Layer 2 loops and improves network reliability.
One-to-Many Campus Network Virtualization: Automatic
Service Provisioning on Multi-Purpose Networks
[Figure: office, videoconferencing, security protection, and Internet services carried over VXLAN as virtual networks: VN1 (office VN), VN2 (videoconferencing VN), and VN3 (security protection VN).]
• One network carrying multiple services
• Automatic physical network deployment
• Automatic virtual network (VN) deployment
• Automatic service policy delivery
Native WAC: Implements Wired and Wireless Network Convergence
The switch integrates the WAC function to eliminate bottlenecks in wireless traffic forwarding,
reduce failure points, and centrally manage wired and wireless traffic:
• Uniformly manages and forwards wired and wireless services.
• Functions as the gateway for both wired and wireless users and manages both types of users.
• Used as the authentication point for both wired and wireless access.
• Enforces policies for both wired and wireless services.
• Standalone WAC: independent service forwarding, separate device management, and separate user policies.
• WAC card: installed on a switch as a WAC card; convergence only at the hardware level.
Separate wired and wireless authentication points, decentralized policy control, separate traffic forwarding, complex troubleshooting, difficult management
• Native WAC: wired and wireless convergence.
Free Mobility: User-based Policy Control, Delivering
Consistent User Experience Across the Network
[Figure: users A, B, and C pass access authentication to the campus network; security groups (Sales user security group, R&D user security group, server resource security group) and the permission policy; security group and policy delivery. Callouts 1 to 4 correspond to the steps below.]
1. Security groups are defined, each specifying a group of users with the same network access policies.
2. Permission control policies are defined based on security groups and are delivered to network devices.
3. Authorized security groups are assigned to the users who pass admission authentication.
4. After user traffic enters the network, network devices enforce policies based on the corresponding source and destination security groups of the traffic.
Free Mobility: Typical Solution
Scenario description
• Centralized authentication point + centralized policy
enforcement point.
• The authentication point and policy enforcement point are
deployed on the same device.
• The devices do not support VXLAN.
Scenario characteristics
• Core functions as the centralized authentication point for
network-wide wired and wireless users.
• Core functions as the policy enforcement point for free mobility.
• Core has authentication information about all users on the
network. After traffic is forwarded to Core, it enforces policies
based on the defined policy control matrix.
• The network does not need to support or deploy VXLAN.
Security group
Group Name | Group ID
Sales | 1
R&D | 2
Marketing | 3
... | ...
Security group–based policy control matrix
Group | Sales | R&D | Marketing | ...
Sales | √ | × | √ | ...
R&D | × | √ | √ | ...
Marketing | √ | √ | √ | ...
... | ... | ... | ... | ...
[Figure: Core (authentication point and policy enforcement point), AGG1, AGG2, Access1, Access2; PC1 1.1.1.1 (Sales), PC2 2.2.2.2 (R&D), PC3 3.3.3.3 (Marketing); security group and policy control matrix delivery.]
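The following Python sketch is an added example, not Huawei code or configuration. It models the centralized scenario above: Core binds each authenticated user to a security group, then permits or denies traffic by looking up the source and destination groups in the slide's matrix. The `Core` class, its method names, the default-deny rule for traffic with no group, the reading of matrix rows as the source group, and the address 10.0.0.9 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Security groups and group IDs as listed on the slide.
GROUP_IDS = {"Sales": 1, "R&D": 2, "Marketing": 3}

# Permitted (source group, destination group) pairs from the slide's matrix.
# Rows are read as the source group (assumption; the matrix on the slide is
# symmetric, so the outcome is the same either way). Unlisted pairs are denied.
PERMITTED = {
    ("Sales", "Sales"), ("Sales", "Marketing"),
    ("R&D", "R&D"), ("R&D", "Marketing"),
    ("Marketing", "Sales"), ("Marketing", "R&D"), ("Marketing", "Marketing"),
}


@dataclass
class Core:
    """Hypothetical model of Core as authentication and enforcement point."""
    bindings: dict = field(default_factory=dict)  # IP -> (user, group)

    def authenticate(self, user: str, ip: str, group: str) -> int:
        """Step 3: assign the authorized group to the user's current address."""
        if group not in GROUP_IDS:
            raise ValueError(f"unknown security group: {group}")
        # A user who moves keeps the group, but the old address must lose it.
        for old_ip in [a for a, (u, _) in self.bindings.items() if u == user]:
            del self.bindings[old_ip]
        self.bindings[ip] = (user, group)
        return GROUP_IDS[group]

    def logoff(self, ip: str) -> None:
        """Remove the binding so the next holder of this IP inherits nothing."""
        self.bindings.pop(ip, None)

    def enforce(self, src_ip: str, dst_ip: str) -> str:
        """Step 4: decide on source and destination groups, not on raw IPs."""
        src = self.bindings.get(src_ip)
        dst = self.bindings.get(dst_ip)
        if src is None or dst is None:
            return "deny"  # assumption: traffic without a group is dropped
        return "permit" if (src[1], dst[1]) in PERMITTED else "deny"


def one_way_pairs(permitted=PERMITTED):
    """Permitted pairs whose reverse direction is denied. Replies for such
    flows would be dropped, so a policy review should flag them."""
    return sorted((s, d) for (s, d) in permitted if (d, s) not in permitted)


def demo() -> dict:
    core = Core()
    core.authenticate("PC1", "1.1.1.1", "Sales")
    core.authenticate("PC2", "2.2.2.2", "R&D")
    core.authenticate("PC3", "3.3.3.3", "Marketing")
    out = {
        "sales->rd": core.enforce("1.1.1.1", "2.2.2.2"),
        "sales->marketing": core.enforce("1.1.1.1", "3.3.3.3"),
        "unauthenticated->marketing": core.enforce("9.9.9.9", "3.3.3.3"),
    }
    # The Sales user moves and re-authenticates from a constructed address.
    core.authenticate("PC1", "10.0.0.9", "Sales")
    out["moved sales->marketing"] = core.enforce("10.0.0.9", "3.3.3.3")
    out["old address->marketing"] = core.enforce("1.1.1.1", "3.3.3.3")
    return out


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow}: {decision}")
    print("one-way pairs:", one_way_pairs())
```

The last two results show the property that matters for review: the policy follows the user to the new address, and the vacated address no longer carries Sales permissions.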
Intelligent HQoS: User- and Application-based QoS Policies
Challenges
• Traditional QoS schedules traffic based on port bandwidth, allowing differentiation of traffic based on service levels. However, it is difficult to differentiate services based on users.
• Traditional QoS cannot manage and schedule traffic of multiple services from multiple users simultaneously.
Solution
• Hierarchical QoS (HQoS) can not only differentiate traffic of different users but also schedule traffic based on service priorities.
• HQoS differentiates service traffic using multi-level queues, and manages and schedules transport objects such as multiple users and services in a unified manner.
[Figure: user terminals (VIP user, common user), network device, and management-control-analysis. Callout 1: defines who are VIP users and defines application priorities. Callout 2: two-level scheduling with a user queue and an application queue.]
MACsec: Implements Secure Transmission of Ethernet Data Frames
[Figure labels: Site 1; Site 2; Internet; IPsec.]
Context
Most data is transmitted in plain text on LAN links, which brings security risks in scenarios with high security requirements.
MACsec overview
Media Access Control Security (MACsec) defines a method for securing data communication over Ethernet. It encrypts data hop by hop to ensure data transmission security. The corresponding standard is 802.1AE.
• Data frame integrity check
• Service data encryption
• Data source authenticity verification
• Replay protection
Typical application scenarios
• MACsec is deployed between switches to protect data security, for example, between access switches and upstream aggregation or core switches.
• When transmission devices exist between switches, MACsec can be deployed to ensure data security.
Dumb Terminal Spoofing Detection: Accurate Identification
of Bogus Terminals Based on Traffic Behaviors
Dumb terminals are prone to spoofing, and manual troubleshooting is difficult.
[Figure: dumb terminal spoofing detection. A bogus camera is used to attack the campus network. Labels on the switch: traffic behavior collection; preset terminal signature database; inference; normal; abnormal; enforce an isolation policy; report alarms.]
1. Define dumb terminal types and configure isolation policies.
2. A lightweight terminal signature database is deployed on the switch.
3. A single switch can detect 2K dumb terminals and discover exceptions within 60s. The identification accuracy is 90%+.
Simplified Architecture: Planning-Free and Configuration-
Free RUs Are Plug-and-Play
As-Is: traditional solution
A large number of nodes configured and managed, deployment after planning, high O&M costs
The network topology is manually orchestrated, and access devices are maintained separately.
[Figure labels: core layer; aggregation layer; access layer; AP.]
Architecture transformation: 3 layers → 2 layers
To-Be: Huawei solution
Planning-free and configuration-free RUs deployed, on-demand deployment and replacement, flexible expansion
The network topology is automatically discovered, and RUs are used as extended ports.
[Figure labels: core layer; access layer; central switch; RU; AP.]
Optical-Electrical PoE: Central Switches Provide Centralized Power Supply,
Ensuring Network Continuity Even Without Local Power Supply
As-Is: Ethernet cable
Ethernet cables are of different generations and need to be replaced for each acceleration, resulting in high costs.
[Figure: acceleration = re-cabling. Cable labels: Cat3 10M; Cat5 100M; Cat5E 1/2.5GE; Cat6 5GE; Cat6A 10GE; 25GE. Wi-Fi labels: Wi-Fi 3/4; Wi-Fi 5; Wi-Fi 6; Wi-Fi 7. Re-cabling between generations.]
Medium revolution: common cable → hybrid cable
To-Be: hybrid cable
15 patents, one-time cabling saves replacement workload for 10–15 years, protecting investment
• Superconducting red copper material, providing 300 m 60 W PoE++ power supply
• 6 mm ultra-thin design
• Intelligent sensing at ends, preventing electric shock and short circuits
[Figure labels: optical cable; electrical cable; hybrid module; hybrid cable.]
Huawei Campus Switches: Building High-Quality Campus
Networks in the Wi-Fi 6 Era
[Figure: CloudEngine S5735-L, CloudEngine S5731-H/S, CloudEngine S6730-H, CloudEngine S7700, CloudEngine S8700, CloudEngine S12700E-8, CloudEngine S12700E-12.]
Wi-Fi 6 ready, IoT ready, Cloud ready, Quality ready
• The core switches provide 6x industry-average switching performance.
• Innovative hybrid optical-electrical switch
• WAC integrated, managing an ultra-large number of APs
• Intelligent terminal identification, facilitating refined access control of IoT terminals
• Cloud-based management and O&M on iMaster NCE, implementing automatic deployment and intelligent O&M
• HQoS, guaranteeing user experience of key applications
• Open and programmable architecture, boosting smooth network evolution
Naming Rules for Huawei Campus Switches
Position Meaning Description
A Brand name (1 character) Fixed to S
B Network positioning (1 character) 8: core switch; 6: 10GE downlink port; 5: GE downlink port
C Market positioning (1 character) 7: enterprise network market; 3: carrier network market
D Switch sub-series (2 characters) Product sub-series, for example, 00 or 10
E Industry identifier (1 or 2 characters) Left empty by default. EC: e-commerce; S: channel distribution
F Series model (1 character) H: high-level version; S: standard version; L: lightweight version
G Number of downlink ports (2 characters) Number of downlink ports
H Downlink port type (1 to 3 characters) D: 400GE; C: 100GE; Q: 40GE; Y: 25GE; X: 10GE optical; M: 10GE electrical; N: 2.5GE/5GE electrical; S: GE optical; T: GE electrical; F: 100M electrical; P: GE electrical, PoE; U: GE electrical, PoE++; UM: multi-GE, PoE++
I Number of uplink ports (1 character) Number of uplink ports
J Uplink port type (1 character) D: 400GE; C: 100GE; Q: 40GE; Y: 25GE; X: 10GE optical; S: GE optical; T: GE electrical
K Card (1 character) Empty: Cards are not supported. C: Pluggable cards are supported.
L Special function flag (0 or 1 character) I: wide temperature range; M: video monitoring; B: back-to-front airflow design; Q: natural heat dissipation
M Power A/A1: AC power supply; D/D1: –48 V power supply. This field is left empty if a pluggable power module is used.
Example: S5700S-H48T4YC-MA
A = S; B = 5; C = 7; D = 00; E = S; F = H; G = 48; H = T; I = 4; J = Y; K = C; L = M; M = A
The name is divided into product series, port combination, and key characteristics.
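The naming rule above can be applied mechanically when reviewing a device inventory. The following Python parser is an added example, not a Huawei tool: it encodes only the positions, widths, and codes listed in the table, so names that follow other conventions are rejected for manual review. The function names and every sample name other than the slide's S5700S-H48T4YC-MA are assumptions.

```python
import re

# Lookup tables transcribed from the naming-rule table on the slide.
NETWORK = {"8": "core switch", "6": "10GE downlink port", "5": "GE downlink port"}
MARKET = {"7": "enterprise network market", "3": "carrier network market"}
INDUSTRY = {None: "default", "EC": "e-commerce", "S": "channel distribution"}
SERIES = {"H": "high-level version", "S": "standard version",
          "L": "lightweight version"}
UPLINK = {"D": "400GE", "C": "100GE", "Q": "40GE", "Y": "25GE",
          "X": "10GE optical", "S": "GE optical", "T": "GE electrical"}
DOWNLINK = dict(UPLINK, M="10GE electrical", N="2.5GE/5GE electrical",
                F="100M electrical", P="GE electrical, PoE",
                U="GE electrical, PoE++", UM="multi-GE, PoE++")
FLAG = {"I": "wide temperature range", "M": "video monitoring",
        "B": "back-to-front airflow design", "Q": "natural heat dissipation"}
POWER = {"A": "AC power supply", "A1": "AC power supply",
         "D": "-48 V power supply", "D1": "-48 V power supply"}

# One named group per position B to M; position A is the fixed letter S.
MODEL_RE = re.compile(r"""
    ^S                                # A: brand name
    (?P<network>[865])                # B: network positioning
    (?P<market>[73])                  # C: market positioning
    (?P<sub>\d{2})                    # D: switch sub-series
    (?P<industry>EC|S)?               # E: industry identifier, may be empty
    -(?P<series>[HSL])                # F: series model
    (?P<down_n>\d{2})                 # G: number of downlink ports
    (?P<down_t>UM|[DCQYXMNSTFPU])     # H: try the two-letter UM before U
    (?P<up_n>\d)                      # I: number of uplink ports
    (?P<up_t>[DCQYXST])               # J: uplink port type
    (?P<card>C)?                      # K: pluggable card support
    (?:-(?=.)(?P<flag>[IMBQ])?        # L: special function flag
       (?P<power>A1|A|D1|D)?)?$       # M: power, empty if pluggable
""", re.VERBOSE)


def parse_model(name: str) -> dict:
    """Decode a model name; raise ValueError if it does not fit the rule."""
    m = MODEL_RE.match(name.strip().upper())
    if m is None:
        raise ValueError(f"name does not follow the naming rule: {name!r}")
    g = m.groupdict()
    return {
        "network": NETWORK[g["network"]],
        "market": MARKET[g["market"]],
        "sub_series": g["sub"],
        "industry": INDUSTRY[g["industry"]],
        "series": SERIES[g["series"]],
        "downlink": (int(g["down_n"]), DOWNLINK[g["down_t"]]),
        "uplink": (int(g["up_n"]), UPLINK[g["up_t"]]),
        "pluggable_cards": g["card"] is not None,
        "flag": FLAG.get(g["flag"]),
        "power": POWER.get(g["power"], "pluggable power module"),
    }


def triage(names):
    """Split an inventory list into decoded models and names to review by hand."""
    decoded, rejected = {}, []
    for name in names:
        try:
            decoded[name] = parse_model(name)
        except ValueError:
            rejected.append(name)
    return decoded, rejected


if __name__ == "__main__":
    # First name: the slide's example. The rest are constructed test input.
    sample = ["S5700S-H48T4YC-MA", "S5732-H24UM2CC", "S5700S-H48T4YC-", "AR1000V"]
    decoded, rejected = triage(sample)
    for name, fields in decoded.items():
        print(name, fields)
    print("manual review:", rejected)
```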
Huawei CloudEngine S Series Switch Portfolio
[Figure labels: core switch; aggregation switch; access switch; RU; CloudEngine S12700E series; CloudEngine S8700 series, S7700 series, S6700 series; CloudEngine S5700 series; CloudEngine S5731-L-RUA series.]
• CloudEngine S12700E: 4/8/12 slots, up to 288 x 100GE
• CloudEngine S7700: 3/6/12 slots, up to 96 x 100GE
• CloudEngine S8700: 6/10 slots, 48 x 10GE hybrid optical-electrical card supported
• CloudEngine S6730-H: 25GE downlink
• CloudEngine S6730-H: 10GE downlink
• CloudEngine S5732-H: GE/Multi-GE downlink
• CloudEngine S5731-H/S: GE downlink
• CloudEngine S5735-L: GE downlink
• CloudEngine S5736-S: Multi-GE downlink
• CloudEngine S5731-L-RUA wired RU: 4/8 x GE downlink, GE optical uplink
CloudEngine S12700E: New Core Switch for Campus
Networks in the Wi-Fi 6 Era
CloudEngine S12700E-4/8/12
The CloudEngine S12700E is the next-generation high-performance campus core switch that unleashes the speed potential of Wi-Fi 6.
Benchmarking model: HW: S12700E; Vendor C: C9600
• Control and switching separation, on-demand configuration, and flexible capacity expansion
• Redundancy design for key components, ensuring 99.999% reliability
• Ultra-large buffer and HQoS scheduling, delivering optimal user experience of key applications
• Powerful slot forwarding capability, building Wi-Fi 6 high-speed channels
CloudEngine S12700E MPU, SFU, and CMU
[Figure: MPUE, SFUE, and SFUH/SFUM cards; labelled parts: USB port, BITS port (reserved), console port, Ethernet management port, CPU, subcard slot (reserved).]
• 1 GB memory and 128 MB flash memory
• Used on the CloudEngine S12700E-4/8
• 2 GB memory and 128 MB flash memory
• SFUH for the CloudEngine S12700E-4/8
• SFUM for the CloudEngine S12700E-12
• One subcard slot reserved for capacity expansion
• Supports hardware-based OAM/BFD
• Supports multi-core and multi-instance, and manages a
maximum of 10K APs and 50K concurrent users
• Supports hot swapping, 1+1 backup, and asset
management
• Supports fan module management
• Supports power module management
CMU
CloudEngine S12700E: 100GE Interface Card
• 6 x 100GE optical ports (X6E/X6S)
• Supports 100GE QSFP28 optical modules and 40GE QSFP+
optical modules
• Supports native WAC, VXLAN, and free mobility
Note: The LST7C06HX6EK0 card cannot be used on the
CloudEngine S12700E-12.
• 24 x 100GE optical ports (X6E)
• Supports 100GE QSFP28 optical modules and 40GE QSFP+
optical modules
• Supports native WAC, VXLAN, and free mobility
• Supports MACsec (ports 0 to 5)
Note: The LST7C24HX6EK0 card cannot be used on the
CloudEngine S12700E-12.
CloudEngine S12700E: 40GE/100GE Interface Card
• Supports 100GE QSFP28 optical modules (ports 0 and 1) and 40GE QSFP+
optical modules (all ports)
• Supports diversified features such as native WAC, VXLAN, and free mobility
• Supports MACsec
2 x 100GE 4 x 40GE
CloudEngine S12700E: 25GE Interface Card
Port combination 1
(default): 32 x 25GE 8 x 25GE 8 x 10GE
32 x 25GE 16 x 10GE
Port combination 2:
Available Unavailable
40 x 25GE interface card (X6H)
• MACsec supported by all ports
• Ultra-large entry capacity: 1M MAC address entries, 1M FIB entries, and 384K ARP entries
• Supports diversified features such as native WAC, VXLAN, and free mobility
• 4 GB ultra-large buffer and exclusive 4-level HQoS: guaranteeing experience of key users and applications
when the traffic is heavy
CloudEngine S12700E: 10GE Interface Card
• 48 x 10GE optical ports (X6E/X6S)
• Supports 10GE/GE optical modules and copper transceivers
• Supports diversified features such as native WAC, VXLAN,
and free mobility
• 24 x 10GE + 24 x GE optical ports (X6E/X6S)
• Supports 10GE/GE optical modules and copper transceivers
• Supports diversified features such as native WAC, VXLAN,
and free mobility
CloudEngine S12700E: GE Interface Card
• 48 x GE optical ports (X6E/X6S)
• Supports optical modules and copper transceivers
• Supports diversified features such as native WAC, VXLAN,
and free mobility
• 48 x GE electrical ports (X5E/X5S)
• Supports 10M/100M/1000M auto-sensing
• Supports diversified features such as native WAC, VXLAN,
and free mobility
CloudEngine S12700E Interface Cards
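X Series | 100GE | 40GE | 25GE | 10GE Optical Port | GE Optical Port | GE Electrical Port | Native WAC | VXLAN | Free Mobility | MACsec
X6E | 24* | - | - | - | - | - | √ | √ | √ | √
X6E/X6S | 6* | - | - | - | - | - | √ | √ | √ | √
X6E | 2* | 4 | - | - | - | - | √ | √ | √ | √
X6H | - | - | 40 | - | - | - | √ | √ | √ | √
X6E/X6S | - | - | - | 48 | - | - | √ | √ | √ | -
X6E/X6S | - | - | - | 24 | 24 | - | √ | √ | √ | -
X6E/X6S | - | - | - | - | 48 | - | √ | √ | √ | -
X5E/X5S | - | - | - | - | - | 48 | √ | √ | √ | -
* Compatible with 40GE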
CloudEngine S12700E: Power Modules
• The power module uses a screwless ejector latch for easy replacement. The indicator shows whether the power module is securely installed in the slot.
• AC and DC power modules can be used together in the same device.
3000 W AC power module (PAC3KS54-CE)
Input voltage:
• AC: 90 V AC to 290 V AC
• DC: 190 V DC to 290 V DC
Maximum output power:
• 3000 W @ 220 V AC/240 V DC
• 1500 W @ 110 V AC
2200 W DC power module (W2PSD2200)
Input voltage:
• –40 V DC to –72 V DC
Maximum output power:
• 2200 W
• S12700E-4: 4 power slots, N+1 backup
• S12700E-8: 6 power slots, N+1 or N+2 backup
• S12700E-12: 6 power slots, N+1 or N+2 backup
CMU
The CMU manages the power modules and fan modules in the chassis and is hot-swappable. Two CMUs can be installed in a chassis and work in active/standby mode.
CloudEngine S12700E: Fan Modules
S12700E-4 S12700E-8 S12700E-12
Airflow:
Left-to-back airflow design, improving the heat dissipation
efficiency of the rack
Hot swapping:
Installation or removal of a fan module does not affect other
fan modules.
Intelligent fan speed adjustment:
Associated speed adjustment for all fans based on the
temperature of each partition
Note: Each fan module has two fans. When one fan is faulty,
the fan module can still work for a short period of time.
CloudEngine S8700: Highest-Density Modular Access Switch
in the Industry
CloudEngine S8700-6/10
Benchmarking model: HW: S8700; Vendor C: C9400
High-density access
• Exclusive 384 x 10GE ports, 2x the industry average
• Uplink ports provided by the MPU, enabling flexible service deployment (1*100GE/2*40GE/4*25G/8*10G Combo)
Carrier-class reliability
• Microsecond-level active/standby MPU switchover, one-tenth the industry average
• Redundancy design for key components, ensuring 99.999% reliability
Super power supply
• 90 W power supply by a single port
• A maximum of 2880 W (4800 W) by a card
CloudEngine S8700 Structure
MPU (2)
Interface card (4 or 8)
Power module (6)
Centralized forwarding
architecture
Height: 8 U/13 U
Service port stacking
CloudEngine S8700-10 Structure
Fan module (2)
Air exhaust vent
Air exhaust status indicator
CloudEngine S8700 Card Information Summary (1/2)
[Figure: CloudEngine S8700-6 and CloudEngine S8700-10.]
Card Type | Capability
Main control board: SRU
• Integrated control and switching, centralized architecture, and lower switching latency
• 1:1 active/standby, with < 10 ms switchover latency
• Provides 10GE/25GE/40GE/100GE combo ports that can be used for uplink transmission, saving slots and ensuring low oversubscription ratio and low costs
10GE optical card
• 24 x 10GE optical
• 48 x 10GE optical
• MACsec
Multi-GE card (10GE capable)
• 48-port multi-GE card, supporting 100M/1GE/2.5GE/5GE/10GE
• 90 W, PoE++
• MACsec
GE/10GE mixed-rate card
• 12 x 10GE optical + 16 x GE optical + 24 x GE electrical, applicable to various connection scenarios
• MACsec
GE card
• 48 x GE optical
• 48 x GE electrical
• MACsec
CloudEngine S8700 Card Information Summary (2/2)
Card Type | Series | Port Information
S8700-6 main control board | LSG7SRUEX1C0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE
S8700-6 main control board | LSG7SRUEX1T0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE, HPM
S8700-10 main control board | LSG7SRUFX1C0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE
S8700-10 main control board | LSG7SRUFX1T0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE, HPM
Interface card | LSG7X48PX1E0 | 48-port 10GE hybrid optical-electrical card, 90 W PoE++
Interface card | LSG7X24SX1E0, LSG7X48SX1E0 | 24/48 x 10GE optical
Interface card | LSG7M48VX1E0 | 48-port multi-rate 10GE card, 90 W PoE++
Interface card | LSG7X52BX1E0 | 16 x GE optical + 12 x 10GE optical + 24 x GE electrical
Interface card | LSG7X24BX1E0 | 20 x GE optical + 4 x 10GE optical
Interface card | LSG7G48SX1E0 | 48 x GE optical
Interface card | LSG7G24TX1E0, LSG7G48TX1E0, LSG7G48VX1E0 | 24/48 x GE electrical, PoE++
CloudEngine S8700-6 Main Control Board: SRU
LSG7SRUEX1C0/LSG7SRUEX1T0
[Figure labels: USB port; Ethernet management port; console port; CPU; NP; service port; 100GE/40GE; 4 x 25GE/10GE; 4 x 10GE; 40GE.]
• USB-based deployment
• Debugging through the console port
• Ethernet port configuration
• 8-core ARM, 8 GB memory, 8 GB flash memory, 8 GB storage
• Hardware-based OAM
• Hot swapping
• 1+1 hot backup
• HTM*
* The LSG7SRUEX1T0 card supports HTM.
CloudEngine S8700-10 Main Control Board: SRU
LSG7SRUFX1C0/LSG7SRUFX1T0
[Figure labels: USB port; Ethernet management port; console port; CPU; NP; NP; service port; 100GE/40GE; 4 x 25GE/10GE; 4 x 10GE; 40GE.]
• USB-based deployment
• Debugging through the console port
• Ethernet port configuration
• 8-core ARM, 8 GB memory, 8 GB flash memory, 8 GB storage
• Hardware-based OAM
• Hot swapping
• 1+1 hot backup
• HTM*
* The LSG7SRUFX1T0 card supports HTM.
CloudEngine S8700: Power Modules
2200 W DC power module
(PDC2K2S54-DF)
2500 W/3000 W AC & DC power
module (PAC3KS54-DF)
Modular and pooling power supply design
• Adopts the modular design, providing a maximum output
power of 18,000 W. Occupies only one layer of space.
• Supports six power modules and adopts the pooling
design. N+N backup, N+1 backup, and N+0 non-backup
are supported, ensuring that one faulty power module
does not affect the overall system running.
Small and energy-efficient power supply
• Adopts the innovative TCM-based rectification technology,
providing a conversion efficiency of 95%.
• Adopts the low-loss magnetic transformer, providing 3x
operating efficiency with a 65% smaller size.
• Adopts the integrated magnetic core technology, reducing
the wind resistance by 30% and improving the heat
dissipation efficiency by 40%.
CloudEngine S8700: Fan Modules
FAN-240SM-B FAN-480SM-B
Matches the
S8700-6
Matches the
S8700-10
4 fans
2 fans
All-new Psi (ψ)-type fans, efficient and energy-saving
Adopts the innovative mixed-flow single-rotor fan technology, high-performance
airfoil algorithm, high-performance brushless DC motor, and high-strength alloy
plastic material.
• Has a 10%+ lower fan speed, 30%+ lower power consumption, and 15%+ lower
noise than the industry average in the same service scenario.
Intelligent fans, ensuring high reliability
• Provides the intelligent noise reduction mode: The fans run at 40% of the full
speed when they are powered on. If the communication is not set up after 5
minutes, the fans run at 70% of the full speed. If the communication is still not
set up after another 5 minutes, the fans run at full speed to ensure heat
dissipation.
• During normal running, the fan speed is intelligently adjusted based on the rack
temperature.
• If one fan in the module is faulty, the other fans intelligently adjust their speeds
to ensure heat dissipation.
• If a single fan module is faulty, the fault can be rectified within 10 minutes,
which is one-third of the industry average.
Modular fan design, easy to install
• Tool-free installing and uninstalling, plug-and-play.
CloudEngine S7700: Intelligent Routing Switch
CloudEngine S7703/06/12
Industry-leading native WAC feature,
managing up to 4K APs
High port density, rich forms, strong power supply, and powerful scenario adaptability
Benchmarking Model
HW: S7700 Vendor C: C9400
Redundancy design for key components,
ensuring 99.999% reliability
Supports up to 288 PoE++ ports
Distributed forwarding architecture, unleashing
the uplink forwarding speed
CloudEngine S7700: MCU
• Integrates control and monitoring functions, excluding SFUs (full-mesh).
• Manages up to 1024 APs (using the native WAC).
• 2 GB memory, 2 GB NAND flash memory, and 64 MB NOR flash memory.
MCUD
SRUHX1
Note: When the S7712 uses SRUHX1, slots 6 and 7 are prime slots that provide higher bandwidth.
S7706/S7706 PoE/S7712 MCU
S7703/S7703 PoE MCU
• Integrates hardware-based OAM/BFD, implementing millisecond-level
network quality detection.
• CSS based on service ports, ensuring stable running of devices.
• Cannot be used for capacity expansion or replacement of old MCUs on
the live network.
• 4 GB memory, 2 GB NAND flash memory, and 64 MB NOR flash memory.
• Supports only ES1M2G48TX5E, ES1M2G48TX5S, LSS7G48VX5E0, X6E
series, and X6S series interface cards.
CloudEngine S7700 Interface Cards
X Series | 100GE | 40GE | 10GE Optical Port | GE Optical Port | GE Electrical Port | GE Electrical Port (PoE++) | Native WAC | VXLAN | Free Mobility | MACsec
X6E/X6S | 6* | - | - | - | - | - | √ | √ | √ | √
X6E | 2* | 4 | - | - | - | - | √ | √ | √ | √
X6E/X6S | - | - | 48 | - | - | - | √ | √ | √ | -
X6E/X6S | - | - | 24 | 24 | - | - | √ | √ | √ | -
X6E/X6S | - | - | - | 48 | - | - | √ | √ | √ | -
X5E/X5S | - | - | - | - | 48 | - | √ | √ | √ | -
X5E | - | - | - | - | - | 48 | √ | √ | √ | -
* Compatible with 40GE
CloudEngine S7700: Power Modules
The following table lists the recommended redundancy modes.
S7703 S7703 PoE S7706 S7706 PoE
S7712
(Non-PoE Slots)
S7712
(PoE Slots)
800 W AC
1600 W DC
2200 W DC
3000 W AC
2200 W DC 1600 W DC 800 W AC
3000 W AC
Operating voltage:
• –40 V to –72 V
Output power:
• 2200 W
Operating voltage:
• –38.4 V to –72 V
Output power:
• 1600 W
Operating voltage:
• 90 V to 290 V
Output power:
• 400 W @ 110 V
• 800 W @ 220 V
Note: These power modules cannot work at the same time.
Operating voltage:
• AC: 90 V AC to 290 V AC
• DC: 190 V DC to 290 V DC
Output power:
• 3000 W @ 220 V AC/240 V DC
• 1500 W @ 110 V AC
S7700 PoE Power Supply Capability
Item | S7703 PoE | S7706 PoE | S7712 (PoE Slots)
Power Module Architecture | 3 modules (shared) | 8 modules (shared) | 4 modules
Maximum PoE Output Power (Entire Device) | 8640 W | 17,280 W | 8800 W
Maximum PoE Output Power (Per Card Slot) | 2880 W | 2880 W | 1440 W
Number of PoE Ports (Per Card Slot) | 48 | 48 | 48
Number of PoE Ports | 144 | 288 | 586
Number of PoE+ Ports (Per Card Slot) | 48 | 48 | 48
Number of PoE+ Ports | 144 | 288 | 292
Number of PoE++ Ports (Per Card Slot) | 48 | 48 | 24
Number of PoE++ Ports | 144 | 288 | 146
CloudEngine S7700: Power Modules
S7703: PS3 is the PoE power slot.
S7703 PoE: All slots are PoE power slots.
3000 W AC power module (PAC3KS54-CE) 2200 W DC power module (W2PSD2200)
PS1 PS2 PS3
S7706/7712: PS5–PS8 are PoE power slots.
S7706 PoE: All slots are PoE power slots.
PS1–PS4 PS5–PS8
Input voltage:
• AC: 90 V AC to 290 V AC
• DC: 190 V DC to 290 V DC
Maximum output power:
• 3000 W @ 220 V AC/240 V DC
• 1500 W @ 110 V AC
Input voltage:
• –40 V DC to –72 V DC
Maximum output power:
• 2200 W
• The power module uses a screwless ejector latch for easy replacement, and the indicator shows whether the power module is securely installed in the slot.
• AC and DC power modules can be used together.
CMU
The CMU manages the power modules and fan modules in the chassis and is hot-swappable. Two CMUs can be installed in a chassis and work in active/standby mode.
CloudEngine S6730 Series Switch
Product positioning:
• Aggregation switch on large and midsize enterprise campus networks: supports 10GE/25GE access and 40GE/100GE uplink transmission, effectively reducing the network oversubscription ratio.
• Core switch on small and midsize enterprise campus networks: helps enterprises build simplified two-layer networks (access + core). The access network is connected to the core network at a rate of 25 Gbit/s.
Typical networking:
• Fully-wireless campus: Wi-Fi 6 AP + S5736-S multi-GE + S6730-H
• RTU scenario: S5736-S multi-GE (RTU) + S6730-H (RTU) + S12700E (RTU)
CloudEngine S6730-H 25GE
CloudEngine S6730-H 10GE
* Right to Use (RTU): The downlink port rate can be upgraded through the license.
CloudEngine S6730 Overview
Model | Description
S6730-H 25GE switch | S6730-H28Y4C: 28 x 25GE SFP28, 4 x 100GE QSFP28
S6730-H 10GE switch | S6730-H24X6C / S6730-H48X6C: 24/48 x 10GE SFP+, 6 x 40GE/100GE QSFP28
S6730-H 10GE switch | S6730-H24X4Y4C: 24 x 10GE SFP+, 4 x 25GE SFP28, 4 x 100GE QSFP28
Benchmarking Model
HW: S6730-H 25GE/10GE switch Vendor C: C9500
Main Features of CloudEngine S6730 Series Switches
Models: CloudEngine S6730-H 10GE (S6730-H24X6C, S6730-H48X6C, S6730-H24X4Y4C) and CloudEngine S6730-H 25GE (S6730-H28Y4C)
Function | Feature
Hardware architecture | 220 mm depth; Programmability
Hardware reliability | Stacking; Fan redundancy; Power module redundancy
O&M | NETCONF/YANG; Telemetry; NetStream; PTP: 1588v2
Security | MACsec
Native WAC | Native WAC
User management | NAC; Free mobility
Virtualization | VXLAN
VPN | MPLS
CloudEngine S6730-H28Y4C: All-Optical 25GE Switch
Three built-in fans
Left-to-right airflow design
Dual pluggable power slots, supporting 1+1 backup
4 x 100GE
Console
MEth
USB 2.0 port
28 x 25GE
28 x 25GE SFP28, 4 x 100GE QSFP28
• Service port stacking
• Maximum stack bandwidth: 1.2 Tbit/s
• The programmable network processor supports four resource modes, which can be switched through configuration.
• Maximum number of MAC addresses: 384K
• 220 mm depth, flexible deployment, saving 50% of the equipment room area
• Native WAC, managing up to 1K APs
• Automated deployment of VXLAN-based virtual networks, achieving "one network for multiple purposes"
• Telemetry-based data collection within seconds and visualized intelligent O&M
CloudEngine S6730-H: 10GE Routing Switch
CPU: 4 cores, 1.4 GHz
RAM: 4 GB
Flash: 2 GB
Four pluggable fan slots
Two pluggable power slots (1+1 backup)
USB 2.0 port
Console
MEth
6 x 40GE/100GE
SSD card slot*
* Reserved SSD card slot
24/48 x 10GE SFP+, 6 x 40GE/100GE QSFP28
• Native WAC, managing up to 1K APs
• Maximum number of MAC address entries: 384K
• Automated deployment of VXLAN-based virtual networks, achieving "one network for multiple purposes"
• IEEE 1588v2 supported, ensuring precise time synchronization
CloudEngine S6730-H24X4Y4C All-Optical 10GE Switch
Two pluggable power slots, 1+1 backup supported
4 x 25GE
4 x 100GE
Console
MEth
USB 2.0 port
24 x 10GE
Three built-in fans
Left-to-right airflow design
• The programmable network processor supports four resource modes, which can be switched through configuration.
• Maximum number of MAC address entries supported by the device: 384K
• Service port stacking, maximum stack bandwidth: 1 Tbit/s
• Native WAC, managing up to 1K APs
• MACsec supported, implementing hop-by-hop secure data transmission
• Automated deployment of VXLAN-based virtual networks, achieving "one network for multiple purposes"
• Telemetry-based data collection within seconds and visualized intelligent O&M
Note: MACsec is supported (downlink ports 0–7 and uplink ports 2–3).
CloudEngine S5730 Overview
Model | Description
S5732-H Multi-GE access switch | 24/48 x multi-GE, 4 x 25GE SFP28 + 2 x 40GE QSFP+/2 x 100GE QSFP28, and one expansion slot
S5736-S Multi-GE/All-optical switch | 24 x multi-GE (10 Gbit/s capable)/48 x GE SFP/48 x 10GE SFP+, 4 x 10GE SFP+, and one expansion slot
S5732-H Hybrid optical-electrical switch | 24 x multi-GE/24 x 10GE SFP+ combo, 4 x 25GE SFP28 + 2 x 40GE QSFP+/2 x 100GE QSFP28, and one expansion slot
S5732-H Enhanced all-optical switch | 24/48 x GE SFP, 4 x 25GE SFP28 + 2 x 40GE QSFP+/2 x 100GE QSFP28, and one expansion slot
S5731-H Agile GE switch | 24/48 x GE electrical, 4 x 10GE SFP+, and one expansion slot
S5731-H Agile hybrid optical-electrical switch | 20/44 x GE optical-electrical SFP, 4 x 10GE optical-electrical SFP+, 4 x 10GE SFP+, and one expansion slot
S5731-S Standard GE switch | 24/48 x GE electrical/24 x GE SFP + 8 x GE electrical/48 x GE SFP, 4 x 10GE SFP+
S5735-L Simplified GE switch | 8/12/24/48 x GE electrical, 4 x GE SFP/4 x 10GE SFP+; 24 x GE SFP + 8 x GE electrical, 4 x 10GE SFP+
S5735-S-IA Next-generation video backhaul switch | 4 x GE/8 x GE (PoE) + 2 x 10GE SFP+
Main Features of CloudEngine S5730 Series Switches
Features: Native WAC | MPLS | VXLAN | Free Mobility | NetStream | BGP | IS-IS | BFD | Stacking | Cloud Management | MACsec
Models: S5732-H, S5731-H, S5731-S, S5736-S, S5735-L
Benchmarking Model
HW S5732-H | Vendor C C9300
HW S5731-H/S | Vendor C C9300
HW S5736-S | Vendor C C9300
HW S5735-L | Vendor C C9200
CloudEngine S5732-H: Multi-GE Access Switch
1.4 GHz 4-core CPU
Memory: 4 GB
Flash: 2 GB
2 x 100GE QSFP28
4 x 25GE + 2 x 40GE
One expansion slot, supporting 2 x 25GE or 8 x 10GE optical and 8 x 25GE optical cards
Two pluggable fan slots
Two pluggable power slots (1+1 redundancy)
USB 2.0 port
24/48 x multi-GE, 4 x 25GE SFP28 + 2 x 40GE QSFP+ or 2 x 100GE QSFP28
• Native WAC, managing up to 1K APs
• Maximum number of MAC addresses: 128K
• Stack bandwidth: 800 Gbit/s
• PoE++, supporting a maximum of 48 x 10GE access
CloudEngine S5732-H: Enhanced All-Optical Switch
1.4 GHz 4-core CPU
Memory: 4 GB
Flash: 2 GB
6 x 40GE QSFP+
20/44 x GE SFP, 4 x 10GE SFP+, 6 x 40GE QSFP+
• Maximum number of MAC addresses: 128K
• Stack bandwidth: 480 Gbit/s
• Native WAC, managing up to 1K APs
• Supports GE or 10GE all-optical ports.
Four pluggable fan modules
Two pluggable power modules (1+1 redundancy), supporting 600 W AC or 1000 W DC power modules
Console port
Ethernet management port
USB 2.0 port
SSD card slot*
* Reserved SSD card slot
CloudEngine S5731-H: Agile GE Switch
24/48 x GE electrical, 4 x 10GE SFP+, and one expansion slot
• Maximum number of MAC addresses: 288K
• Stack bandwidth: 240 Gbit/s
• Native WAC, managing up to 1K APs
• 512 MB buffer
One expansion slot, supporting 2 x 40GE optical, 2 x 25GE or 8 x 10GE optical, and 8 x 10GE electrical cards
Two pluggable fan slots
Two pluggable power slots (1+1 redundancy)
USB 2.0 port
1.4 GHz 4-core CPU
Memory: 4 GB
Flash: 1 GB
Programmability
4 x 10GE
Console port
Ethernet management port
CloudEngine S5731-H: Hybrid Optical-Electrical Switch
20/44 x GE optical-electrical SFP, 4 x 10GE optical-electrical SFP+, 4 x 10GE SFP+, and one expansion slot
• Maximum number of MAC addresses: 288K
• Stack bandwidth: 240 Gbit/s
• Native WAC, managing up to 1K APs
• 512 MB buffer
1.4 GHz 4-core CPU
Memory: 4 GB
Flash: 1 GB
Programmability
4 x 10GE SFP+
Console port
Ethernet management port
One expansion slot, supporting 2 x 40GE optical, 2 x 25GE or 8 x 10GE optical, and 8 x 10GE electrical cards
Two pluggable fan slots
Two pluggable power slots (1+1 redundancy)
USB 2.0 port
• Supports second-generation hybrid cable: 220 m @ 90 W power supply, 300 m @ 60 W PoE++ power supply, and 650 m @ 30 W PoE+ power supply.
Hybrid Cables, Providing High-Speed Data Transmission as Well as Long-Distance Power Supply
Constraint: The remote device must support optical-electrical integration.
Cable Specification | Cable Diameter | PoE Power Supply Distance (15.4 W) | PoE+ Power Supply Distance (30 W) | PoE++ Power Supply Distance (60 W) | PoE++ Power Supply Distance (90 W)
Hybrid cable-1.5 mm² | 9.0 mm | 1900 | 650 | 330 | 220
Hybrid cable-17AWG | 6.2 mm | 1280 | 500 | 250 | 195
Hybrid cable-21AWG | 5.7 mm | 500 | 200 | 97
Note: Cat5E @ 6.1 mm, Cat6 @ 7.3 mm, Cat6A @ 7.4 mm
Upgraded 10GE 25GE plug-and-play
Figure labels: Hybrid cable, Hybrid module, Electrical signal, Optical signal, Cable diameter
CloudEngine S5731-S: Standard GE Access Switch
Two pluggable fan slots
Two pluggable power slots (1+1 redundancy)
USB 2.0 port
Downlink: 24/48 x GE electrical; 24 x GE SFP + 8 x GE electrical; 48 x GE SFP. Uplink: 4 x 10GE SFP+
• Pluggable power modules and fan modules in 1+1 redundancy mode*
• Stack bandwidth: 80 Gbit/s
• Maximum number of MAC addresses: 32K
• Plug-and-play
Note: The S5731-S32ST4X, S5731-S32ST4X-A/D, S5731-S48S4X, and S5731-S48S4X-A have built-in fans. The S5731-S32ST4X-A/D and S5731-S48S4X-A have built-in power modules.
1.4 GHz 4-core CPU
Memory: 4 GB
Flash: 1 GB
Programmability
4 x 10GE SFP+
Console port
Ethernet management port
CloudEngine S5735-L: Simplified GE Access Switch
Built-in AC power module
1.0 GHz 4-core CPU
Memory: 1 GB
Flash: 512 MB
Built-in ASIC
4 x GE SFP or 4 x 10GE SFP+
USB 2.0 port*
Note: USB ports are available only on models with 4 x 10GE uplink ports.
Console port
Ethernet management port
12/24/32/48 x GE optical or electrical ports and 4 x GE/10GE optical ports
• Supports perpetual/fast PoE to provide high-quality power supply.
• Supports intelligent port dormancy and intelligent fan speed adjustment, reducing power consumption.
• Supports noise-free and wide-temperature models.
• Stack bandwidth: 80 Gbit/s
• Maximum number of MAC addresses: 16K
CloudEngine S5736-S: Standard Multi-GE Access Switch
24 x multi-GE electrical (10 Gbit/s capable) and 4 x 10GE SFP+
• Stack bandwidth: 480 Gbit/s
• Maximum number of MAC addresses: 32K
• 90 W PoE++, meeting high power supply requirements
• Redundancy design for power modules and fan modules
• Port rate customization on software and on-demand rate upgrade using the RTU license
Two pluggable power slots (1+1 redundancy)
1.2 GHz 4-core CPU
Memory: 2 GB
Flash: 1 GB
Built-in ASIC
4 x 10GE SFP+
USB 2.0 port
Console port
Ethernet management port
Two pluggable fan modules
One expansion slot
CloudEngine S5736-S: Standard All-Optical Access Switch
Two pluggable power slots (1+1 redundancy)
4 x 10GE SFP+
Console port
Ethernet management port
Two pluggable fan modules*
One expansion slot*
Note:
1. The S5736-S48S4X-A/D does not support card expansion.
2. The S5736-S48S4X-A/D has three built-in fans that are not pluggable.
3. The S5736-S48S4X-A/D has a single built-in power module.
24/48 x GE SFP or 48 x GE SFP+ (supports RTU upgrade to 10GE), 4 x 10GE SFP+
1.2 GHz 4-core CPU
Memory: 2 GB
Flash: 1 GB
Built-in ASIC
• Stack bandwidth: 480 Gbit/s
• Maximum number of MAC addresses: 32K
• Redundancy design for power modules and fan modules
• All-optical ports. The 220 mm model supports RTU upgrade to 10GE.
CloudEngine S5731-L-RU Series RU
All-scenario deployment
Flexible installation: DIN rail, wall-mounted, wall-embedded, and desktop
Bidirectional high-efficiency PoE
Long-distance optical-electrical PoE In and secondary PoE power supply. A single port supports a maximum of 60 W PoE++ power supply.
Energy efficiency
Fanless design, natural heat dissipation, and noise-free; power consumption of a single device < 7 W
CloudEngine S5731-L-RUA Wired RU
4/8 x GE downlink and GE/2.5GE optical uplink (9 models)
CloudEngine S5731-L-RU Hardware Specifications
Model | Downlink Port | Uplink Port | Hybrid Cable PoE Power Input | Cable PoE Power Input | PoE Power Output | Maximum PoE Power of the Device | Local Power Supply
4-Port Model
S5731-L4P2HW-RUA, S5731S-L4P2HW-RUA | 4 x GE electrical ports | 2 x GE hybrid optical-electrical ports | Supported | N/A | A single port supports PoE++ at most. (Type 3) | 77 W | External power adapter (90 W)
S5731-L4T2S-RUA, S5731S-L4T2S-RUA | 4 x GE electrical ports | 2 x GE optical ports | Not supported | N/A | Not supported | N/A | External power adapter (12 W)
S5731-L4P2S-RUA, S5731S-L4P2S-RUA | 4 x GE electrical ports | 2 x GE optical ports | Not supported | N/A | A single port supports PoE++ at most. (Type 3) | 77 W | External power adapter (90 W)
S5731-L4T2ST-RUA, S5731S-L4T2ST-RUA | 4 x GE electrical ports | 1 x GE optical port + 1 x GE electrical port | Not supported | Not supported | Not supported | N/A | External power adapter (12 W)
S5731-L4P2ST-RUA, S5731S-L4P2ST-RUA | 4 x GE electrical ports | 1 x GE optical port + 1 x GE electrical port | Not supported | Not supported | A single port supports PoE++ at most. (Type 3) | 77 W | External power adapter (90 W)
S5731-L4P2HT-RUA, S5731S-L4P2HT-RUA | 4 x GE electrical ports | 1 x GE hybrid optical-electrical port + 1 x GE electrical port | Supported | Supported | A single port supports PoE++ at most. (Type 3) | 77 W | /
8-Port Model
S5731-L8T2ST-RUA, S5731S-L8T2ST-RUA | 8 x GE electrical ports | 1 x GE optical port + 1 x GE electrical port | Not supported | Not supported | Not supported | N/A | External power adapter (12 W)
S5731-L8P2ST-RUA, S5731S-L8P2ST-RUA | 8 x GE electrical ports | 1 x GE optical port + 1 x GE electrical port | Not supported | Not supported | A single port supports PoE+ at most. | 131 W | External power adapter (150 W)
S5731-L8P2HT-RUA, S5731S-L8P2HT-RUA | 8 x GE electrical ports | 1 x GE hybrid optical-electrical port + 1 x GE electrical port | Supported | Supported | A single port supports PoE+ at most. | 131 W | /
Expansion Cards for CloudEngine S5730 Series Switches (1/2)
Expansion cards: 2 x 40GE QSFP+ card, 8 x 10GE electrical card, 8 x 10GE SFP+ or 2 x 25GE SFP28 card, 8 x 25GE SFP28 card
Note: By default, the ports 0 and 1 on the 8 x 10GE SFP+ card can be configured as a 25GE SFP28 port.
Expansion Cards for CloudEngine S5730 Series Switches (2/2)
Model | 2 x 40GE QSFP+ | 8 x 10GE Base-T | 8 x 10GE SFP+ Card* | 8 x 25GE SFP28 Card**
S5732-H Multi-GE model | - | - | √ | √
S5732-H Hybrid optical-electrical model | - | - | √ | √
S5731-H | √ | √ | √ | -
S5736-S Multi-GE model | √ | - | √ | -
* Note: The 8 x 10GE card can support 2 x 25GE SFP28 (ports 0 and 1) through mode switching, and all ports support MACsec.
** Note: The 8 x 25GE card supports 10GE/25GE auto-sensing and its ports can be switched to GE ports through the CLI. All ports support MACsec.
CloudEngine S6730/S5730 Series Switch Power Modules (1/2)
PoE power module
AC/DC power module
Power slot 1, Power slot 2
Item | 60 W AC | 150 W AC | 600 W AC | 180 W DC | 1000 W DC | 1000 W AC
Input Voltage (AC) | 90 V AC to 264 V AC | 100 V AC to 240 V AC | 90 V AC to 290 V AC | N/A | N/A | 100 V AC to 130 V AC; 200 V AC to 240 V AC
AC Frequency | 47 Hz to 63 Hz | 47 Hz to 63 Hz | 45 Hz to 65 Hz | N/A | N/A | 45 Hz to 65 Hz
Maximum Input Voltage (DC) | 190 V DC to 290 V DC | N/A | 190 V DC to 290 V DC | N/A | N/A | 190 V DC to 290 V DC
Input Voltage (DC) | N/A | N/A | N/A | –38.4 V DC to –72 V DC | –38.4 V DC to –72 V DC | N/A
CloudEngine S6730/S5730 Series Switch Power Modules (2/2)
Series (column groups, left to right): S6730-H, S5735-L, S5735-S-IA, S5736-S, S5731-S, S5731-H, S5732-H
Power Module Type | All Models | 48-Port PoE | SmartX | Multi-GE | All-Optical | PoE | Non-PoE | PoE | Non-PoE | All-Optical | Multi-GE
60 W AC | - | - | √ | - | - | - | - | - | - | - | -
150 W AC | - | - | - | - | √ | - | √ | - | √ | - | -
600 W AC | √ | - | - | - | √ | - | √ | - | √ | √ | -
1000 W AC | - | √ | - | √ | - | √ | - | √ | - | - | √
180 W DC | - | - | √ | - | √ | - | √ | - | √ | - | -
1000 W DC | √ | - | - | √ | √ | - | √ | √ | √ | √ | -
Note: This table is for reference only. For details about the mapping between product models and power modules, see the latest brochure on the official website or log in to the SCT configurator.
CloudEngine S6730 Series Switch Fan Modules
Pluggable fan module
FAN-031A-B
• Maximum power consumption: 21.6 W
• Rated fan speed: 24500±10%
• Hot-swappable, easy to maintain
• Intelligent speed adjustment, saving energy
• Can be used on CloudEngine S6730 series switches
Fan module slot 1, Fan module slot 2, Fan module slot 3, Fan module slot 4
CloudEngine S5730 Series Switch Fan Modules
Pluggable fan module
Fan module slot 1, Fan module slot 2
Model | FAN-031A-B | FAN-023A-B (Air Out) | FAN-031A-F (Air In) | Remarks
S5732-H | Supported | -- | -- |
S5731-H | -- | Supported | Supported |
S5731-H48T4XC-B | -- | -- | Supported | To ensure heat dissipation, do not install expansion cards to the S5731-H48T4XC with the FAN-031A-F installed.
S5731-S | -- | Supported | -- |
S5736-S | -- | Supported | -- |
Quiz
1. Which two innovative technologies are used in the low-carbon intelligence
solution of CloudCampus 3.0?
2. Can Huawei RUs receive power through hybrid cables?
3. What ports are provided by the main control board of the CloudEngine S8700?
4. Which Huawei fixed switch models support expansion slots?
More Information
⚫ Product overview: https://e.huawei.com/en/products/enterprise-networking/switches
⚫ Detailed introduction materials: https://e.huawei.com/en/material/MaterialList
⚫ Campus network solution: https://e.huawei.com/en/solutions/business-needs/enterprise-network/campus-network
⚫ Product document: https://support.huawei.com/enterprise/en/category/switches-pid-1482605678974?submodel=doc
Copyright© 2022 Huawei Technologies Co., Ltd.
All Rights Reserved.
Huawei Campus WLAN Products and Solutions
Presales Training
⚫ Security Level:
Huawei Confidential
Foreword
⚫ Wired LANs use cables or optical fibers as transmission media, which are expensive and do not support user mobility. As further emphasis was placed on network mobility, wired LANs became unable to meet users' requirements.
⚫ This led to the development of the wireless local area network (WLAN), which has become the most cost-effective and convenient network access mode.
⚫ This training introduces the WLAN, the development history and challenges of enterprise WLANs in different phases, and Huawei AirEngine Wi-Fi 6 products, solutions, and highlights.
Objectives
⚫ On completion of this course, you will be able to:
 Understand the WLAN and its relationship with Wi-Fi.
 Have a good command of WLAN architectures and various networking modes.
 Understand the features of Huawei WLAN products and solutions.
 Be familiar with the models and highlights of Huawei WLAN products.
 Be familiar with the differences between Huawei WLAN product models and
flexibly select specific models based on project requirements.
Contents
1. Introduction to WLAN Networking
2. Development and Value of the Wi-Fi 6 (802.11ax) Standard
3. Huawei Wi-Fi 6 Cutting-Edge Technologies and Continuous Networking Solutions
4. Huawei Wi-Fi 6 Product Overview
Overview and Objectives
⚫ This chapter defines WLAN and introduces Wi-Fi. After learning this chapter, you will be able to:
 Understand the WLAN and its relationship with Wi-Fi.
 Have a good command of WLAN networking modes and their application scenarios.
Overview of Data Communication Industrial Campuses
Diagram labels: Internet/MPLS; SD-WAN; public cloud, private cloud, or hybrid cloud; cloud-based services; WLAN in each campus (simple-service campus, large multi-service campus, small or midsize campus or branch campus)
Campus type classification
• Office
• R&D
• IoT
Simple-service campus
• Midsize or large scale, simple services, and similar site models
Large multi-service campus
• Large scale, complex services, coexistence of multiple services, and logical isolation requirements
Small and midsize campus or branch campus
• Small scale, simple services, and mutual access between sites
Technical field
• WLAN: involves components including the wireless access controller (WAC) and wireless access point (AP).
• LAN: uses different hierarchical structures depending on the network scale and mainly involves switches at the core, aggregation, and access layers.
• Software-defined Wide Area Network (SD-WAN): defines WANs based on hybrid WAN scenarios and implements intelligent enterprise WAN interconnection.
What Is WLAN?
• A WLAN is constructed using wireless technologies.
▫ Wireless technologies mentioned here include not only Wi-Fi, but also infrared, Bluetooth, and ZigBee.
▫ WLAN technology allows users to easily access a wireless network and move around within the coverage area of the wireless network.
• Wireless networks can be classified into wireless personal area network (WPAN), WLAN, wireless metropolitan area network (WMAN), and wireless wide area network (WWAN) by application scope.
WPAN
• Bluetooth
• ZigBee
• Near Field Communication (NFC)
• HomeRF
• Ultra-wideband (UWB)
WLAN
• Wi-Fi
• WPAN-related technologies are also used in WLANs, mainly for IoT applications.
WMAN
• Worldwide Interoperability for Microwave Access (WiMAX)
WWAN
• Global System for Mobile Communications (GSM)
• Code Division Multiple Access (CDMA)
• Wideband Code Division Multiple Access (WCDMA)
• Time Division-Synchronous Code Division Multiple Access (TD-SCDMA)
• Long Term Evolution (LTE)
• 5th Generation (5G)
WLAN and Wi-Fi
⚫ WLAN:
 WLAN is an extension of wired networks. It is a combination of computer networks and Wi-Fi technology.
⚫ Wi-Fi:
 Wi-Fi is a WLAN technology implemented based on IEEE 802.11 standards.
 In daily life, Wi-Fi is often used as a synonym of 802.11.
 Wi-Fi is also a trademark of Wi-Fi Alliance manufacturers as well as a brand certification of Wi-Fi products.
 When created in 1999, the Wi-Fi Alliance was called the Wireless Ethernet Compatibility Alliance (WECA). In October 2002, the WECA was renamed Wi-Fi Alliance.
IEEE 802.11 Standards and Wi-Fi Generations
Wi-Fi generations shown: Wi-Fi 1, Wi-Fi 2, Wi-Fi 3, Wi-Fi 4, Wi-Fi 5, Wi-Fi 6, Wi-Fi 6E, Wi-Fi 7
Standard | Released In | Frequency Band | Rate
802.11 | 1997 | 2.4 GHz | 2 Mbps
802.11b | 1999 | 2.4 GHz | 11 Mbps
802.11a | 1999 | 5 GHz | 54 Mbps
802.11g | 2003 | 2.4 GHz | 54 Mbps
802.11n | 2009 | 2.4 GHz and 5 GHz | 2.4 GHz: 450 Mbps; 5 GHz: 600 Mbps
802.11ac Wave 1 | 2013 | 5 GHz | 3.74 Gbps
802.11ac Wave 2 | 2015 | 5 GHz | 6.9 Gbps
802.11ax | 2021 | 2.4 GHz and 5 GHz | 2.4 GHz: 1.15 Gbps; 5 GHz: 9.6 Gbps
802.11ax | 2022 | 6 GHz | 6 GHz: 9.6 Gbps
802.11be | 2024 | 2.4 GHz, 5 GHz, and 6 GHz | 46 Gbps
Latest Wi-Fi evolution standards
Main NEs on an Enterprise WLAN
Diagram labels: Fit AP, WAC, STA, PoE switch, RADIUS server, Portal server
Main network elements (NEs) on a WLAN
• WAC: manages AP configurations, authenticates and
manages access stations (STAs), and controls broadband
access and security.
• AP: provides wireless signals to cover a specified area and
allows STAs to access the network.
• Power over Ethernet (PoE) switch: transmits data signals
and provides DC power for IP-based terminals through
Ethernet cables.
• RADIUS server: generally runs on the central computer or
workstation. The server maintains user authentication and
network access information, and is responsible for receiving
user connection requests, authenticating users, and
returning required information (for example,
authentication request accepted or denied) to clients.
• Portal server: receives authentication requests from Portal
clients. The server provides free Portal services and a web
authentication GUI, and exchanges client authentication
information with the access device.
Common WLAN Networking Modes (1/2)
Fat AP mode
• Characteristics: A Fat AP works independently and requires separate configurations. It provides only simple functions and is cost-effective.
• Applicability: homes, mini stores, etc.
WAC + Fit AP architecture
• Characteristics: The WAC manages and configures Fit APs in a unified manner. This architecture provides a variety of functions and has high requirements on network maintenance personnel's skills.
• Applicability: midsize and large enterprises
Cloud management mode
• Characteristics: An SDN controller is deployed on the cloud or in the data center to manage and configure cloud APs in a unified manner through the Internet, providing abundant functions.
• Applicability: multi-branch enterprises
Diagram labels: Internet, Fat AP, Fit AP, WAC, Cloud AP, SDN controller
Common WLAN Networking Modes (2/2)
Leader AP
• Characteristics: A Fat AP can be configured as the leader AP to replace the WAC to manage a small number of APs, thereby implementing self-networking. This architecture is cost-effective and does not have high requirements on network maintenance personnel's skills.
• Applicability: micro and small enterprises
Agile distributed architecture
• Characteristics: The agile distributed architecture divides an AP into a central AP and remote units (RUs). The central AP can manage multiple RUs, achieving good coverage with lower costs. RUs can be used in the Fat AP, WAC + Fit AP, and cloud management architectures. RUs do not occupy license resources, which greatly reduces the capital expenditure (CAPEX).
• Applicability: densely distributed rooms
Diagram labels: Internet; Leader AP; WAC; Central AP; RU; Room 1, Room 2, Room 3, Room N
Overview and Objectives
⚫ This chapter describes the development history and unique value of Wi-Fi 6.
After learning this chapter, you will be able to:
 Understand the current industry development of Wi-Fi 6.
 Have a good command of key features in Wi-Fi 6.
Standard Evolution and Mature Wi-Fi 6 Industry Chain
Wi-Fi 6 icon displayed on the Android system
Major vendors release Wi-Fi 6/6E enterprise APs or home routers.
Enterprise AP brands: Huawei, Cisco, Aruba, H3C, and Ruijie
Home router brands: Huawei, TP-Link, Honor, Linksys, ASUS, and NETGEAR
Various Wi-Fi 6 terminals
Brand | Terminal
Huawei | Huawei P40, Mate 40 series, and Huawei P50 series
iPhone | iPhone 11, iPhone 12, iPhone SE (new), and iPhone 13 (Wi-Fi 6E)
Samsung | Galaxy S10 series, S20 series, S21 series, and S22 series
Xiaomi | Xiaomi 11 and Xiaomi 12
Intel | AX200, AX201, and AX210 (Wi-Fi 6E)
A Core Contributor, Huawei Ranks No. 1 in the Number of Proposals in Wi-Fi 6 Standardization
Dr. Osama, Huawei's expert in wireless technology, serves as the chairman of the 802.11ax Working Group.
Huawei plays a leading role in the Wi-Fi technology standard field and ranks No. 1 in the number of valid standard proposals or patents, accounting for 18% of the total.
Factors Related to the Wireless Rate (Throughput) of a Wi-Fi AP
Shannon Theorem
C = n x B x log2(1 + S/N)
• C: channel capacity (throughput)
• n: number of spatial streams
• B: frequency bandwidth
• S/N: signal-to-noise ratio (SNR)
Throughput depends on the number of spatial streams, frequency bandwidth, and SNR.
How Wi-Fi 6 Increases Bandwidth
Four factors affecting the Wi-Fi rate: number of spatial streams, number of subcarriers, symbol duration, and coding mode
• Spatial streams: Wi-Fi 5 4T4R; Wi-Fi 6 8T8R (2-fold increase in the number of spatial streams)
• Coding mode: Wi-Fi 5 256-QAM coding; Wi-Fi 6 1024-QAM coding (Rate of each spatial stream: 25%)
• Subcarriers (802.11ac vs. 802.11ax): Wi-Fi 5 234 subcarriers; Wi-Fi 6 980 subcarriers (HT80) (Rate of each spatial stream: 5%)
• Symbol length: Wi-Fi 5 transmission time: 3.2 μs per STA; Wi-Fi 6 transmission time: 12.8 μs per STA (Rate of each spatial stream: 6%)
How Wi-Fi 6 Increases the Concurrent Capacity
Factors affecting the concurrent capacity: Spatial stream and spectrum utilization
• Wi-Fi 5 OFDM (Each user exclusively occupies channel resources.)
• Wi-Fi 6 OFDMA (Multiple users share channel resources.)
• Spectrum utilization: improved by more than 30x
Diagram axes: frequency (system bandwidth) versus time (1 frame). The OFDM panel shows User 1, User 2, and User 3; the OFDMA panel shows the resource units of user 1, user 2, and user 3.
How Wi-Fi 6 Reduces Network Latency
Factors affecting the Wi-Fi network latency: Spectrum utilization and air interface quality
OFDMA: reduces channel conflicts and improves spectrum utilization
• Wi-Fi 5 OFDM (Like a single lane without traffic lights, multiple users contend for resources in a disordered manner.)
• Wi-Fi 6 OFDMA (Like multiple lanes with traffic lights, resources are scheduled for multiple users in sequence.)
• Spectrum utilization: improved by 30x+
BSS coloring: reduces co-channel interference
• Wi-Fi 5: Power adjustment based on clear channel assessment (CCA) (Different users on the same channel need to wait in a queue for channel resources.)
• Wi-Fi 6: BSS coloring (Different users on the same channel have different colors and can transmit data at the same time.)
Diagram labels: With interference; Without interference; Interference rate: 30%
Core Technologies (Wi-Fi 6 vs. Wi-Fi 5)
High bandwidth (1024-QAM, 8x8 MU-MIMO)
• Rate of up to 9.6 Gbps
• Bandwidth increased by 4 times
High concurrency (UL/DL OFDMA, UL/DL MU-MIMO)
• 1024 STAs per AP
• Number of concurrent users increased by 4 times
Low latency (OFDMA, spatial reuse)
• Service latency reduced to 20 ms
• Average latency reduced by 50%
Low power consumption (TWT, 20 MHz-Only)
• Target wakeup time (TWT) mechanism
• Terminal power consumption reduced by 30%
Example: Calculating the Air Interface Rate in Wi-Fi 6
Conditions for calculating the link
setup rate of the Wi-Fi air interface
1. 802.11ax 2. MIMO 8x8
3. GI 4. 1024-QAM
5. 5/6 coding rate
6. 160 MHz, 1960 valid subcarriers (5 GHz)
7. 40 MHz, 468 valid subcarriers (2.4 GHz)
Number of valid subcarriers
802.11ac and
Earlier
802.11ax
FFT 64-order 256-order
Subcarrier bandwidth 312.5 kHz
78.125
kHz
Number of
valid
subcarriers
20 MHz 52 234
40 MHz 108 468
80 MHz 234 980
160 MHz 468 1960
Coding mode and rate
MCS Index | Modulation Scheme | Bits/Subcarrier | Coding Rate
MCS0 | BPSK | 1 | 1/2
MCS1 | QPSK | 2 | 1/2
MCS2 | QPSK | 2 | 3/4
MCS3 | 16-QAM | 4 | 1/2
MCS4 | 16-QAM | 4 | 3/4
MCS5 | 64-QAM | 6 | 2/3
MCS6 | 64-QAM | 6 | 3/4
MCS7 | 64-QAM | 6 | 5/6
VMCS8 | 256-QAM | 8 | 3/4
VMCS9 | 256-QAM | 8 | 5/6
VMCS10 | 1024-QAM | 10 | 3/4
VMCS11 | 1024-QAM | 10 | 5/6
Symbol and GI
Item | 802.11ac and Earlier | 802.11ax
FFT | 64-order | 256-order
Subcarrier bandwidth | 312.5 kHz | 78.125 kHz
Symbol length | 3.2 μs | 12.8 μs
Short GI | 0.4 μs | /
GI | 0.8 μs | 0.8 μs
2 x GI | / | 1.6 μs
4 x GI | / | 3.2 μs
Air interface rate = Number of antennas or spatial streams x 1/(Symbol length + short GI or GI) x (bit/subcarrier) x coding rate x number of valid subcarriers
5 GHz (160 MHz at most @ 5 GHz): 8 x 1/13.6 μs x 10 bits/subcarrier x 5/6 x 1960 = 9607 Mbps
2.4 GHz (40 MHz at most @ 2.4 GHz): 4 x 1/13.6 μs x 10 bits/subcarrier x 5/6 x 468 = 1147 Mbps
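The rate formula above, generalized over every row of the slide's three tables, as an added example that is not part of the original course material. The function names, the "ac"/"ax" keys, and the 8-stream and 802.11ac MCS 9 limits are assumptions of this sketch; all numeric table values are transcribed from the slide.

```python
from fractions import Fraction as F

# Valid subcarriers per bandwidth (MHz); "ac" is the slide's "802.11ac and Earlier" column.
SUBCARRIERS = {20: {"ac": 52, "ax": 234}, 40: {"ac": 108, "ax": 468},
               80: {"ac": 234, "ax": 980}, 160: {"ac": 468, "ax": 1960}}
# Symbol length and guard interval options in microseconds.
SYMBOL_US = {"ac": F("3.2"), "ax": F("12.8")}
GI_US = {"ac": {"short": F("0.4"), "gi": F("0.8")},
         "ax": {"gi": F("0.8"), "2x": F("1.6"), "4x": F("3.2")}}
# MCS index -> (bits per subcarrier, coding rate).
MCS = {0: (1, F(1, 2)), 1: (2, F(1, 2)), 2: (2, F(3, 4)), 3: (4, F(1, 2)),
       4: (4, F(3, 4)), 5: (6, F(2, 3)), 6: (6, F(3, 4)), 7: (6, F(5, 6)),
       8: (8, F(3, 4)), 9: (8, F(5, 6)), 10: (10, F(3, 4)), 11: (10, F(5, 6))}
# "40 MHz at most @ 2.4 GHz, 160 MHz at most @ 5 GHz" from the slide.
MAX_BANDWIDTH_MHZ = {"2.4": 40, "5": 160}
# Assumption of this sketch: 1024-QAM (MCS 10 and 11) exists only in 802.11ax.
MAX_MCS = {"ac": 9, "ax": 11}
MAX_STREAMS = 8


def phy_rate_mbps(standard, band, bandwidth_mhz, streams, mcs, gi="gi"):
    """Return the air interface rate in Mbps, rejecting impossible combinations."""
    if standard not in SYMBOL_US:
        raise ValueError(f"unknown standard {standard!r}")
    if band not in MAX_BANDWIDTH_MHZ:
        raise ValueError(f"unknown band {band!r}")
    if bandwidth_mhz not in SUBCARRIERS or bandwidth_mhz > MAX_BANDWIDTH_MHZ[band]:
        raise ValueError(f"{bandwidth_mhz} MHz is not usable in the {band} GHz band")
    if not 1 <= streams <= MAX_STREAMS:
        raise ValueError("spatial streams must be between 1 and 8")
    if mcs not in MCS or mcs > MAX_MCS[standard]:
        raise ValueError(f"MCS {mcs} is not defined for {standard}")
    if gi not in GI_US[standard]:
        raise ValueError(f"guard interval {gi!r} is not defined for {standard}")
    bits, coding_rate = MCS[mcs]
    # One symbol per (symbol length + GI) microseconds; bits per microsecond = Mbps.
    symbols_per_us = 1 / (SYMBOL_US[standard] + GI_US[standard][gi])
    rate = streams * symbols_per_us * bits * coding_rate * SUBCARRIERS[bandwidth_mhz][standard]
    return float(rate)


def best_rate_mbps(standard, band, streams):
    """Highest rate reachable for a standard, band, and stream count."""
    return max(
        phy_rate_mbps(standard, band, bw, streams, mcs, gi)
        for bw in SUBCARRIERS if bw <= MAX_BANDWIDTH_MHZ[band]
        for mcs in range(MAX_MCS[standard] + 1)
        for gi in GI_US[standard]
    )


if __name__ == "__main__":
    print("Wi-Fi 6, 5 GHz, 8 streams:  ", phy_rate_mbps("ax", "5", 160, 8, 11))
    print("Wi-Fi 6, 2.4 GHz, 4 streams:", phy_rate_mbps("ax", "2.4", 40, 4, 11))
    print("Wi-Fi 5, 5 GHz, 8 streams:  ", best_rate_mbps("ac", "5", 8))
```

The slide's 9607 Mbps and 1147 Mbps are the truncated values of the first two results.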
Contents
1. Introduction to WLAN Networking
2. Development and Value of the Wi-Fi 6 (802.11ax) Standard
3. Huawei Wi-Fi 6 Cutting-Edge Technologies and Continuous Networking Solutions
4. Huawei Wi-Fi 6 Product Overview
Overview and Objectives
⚫ This chapter describes the highlights of Huawei AirEngine Wi-Fi 6 products. After
learning this chapter, you will be able to:
 Understand the networking capabilities of Huawei WLAN products and recommend
applicable solutions in different scenarios.
 Understand the highlights of Huawei WLAN products in terms of antennas and radios,
such as smart antennas and air interface optimization.
 Understand the highlights of Huawei WLAN products in experience optimization.
 Understand the highlights of Huawei WLAN products in security.
 Understand the highlights of Huawei WLAN products in intelligent O&M.
To Achieve High Speeds, High Capacity, and Low Latency, Wi-Fi 6
Also Requires Continuous WLAN Networking
No signal or weak signal
• Some scenarios involve diverse space
environments and many partitions. As a
result, coverage holes or poor signals
exist in some areas.
Poor user
experience on a
non-continuous
WLAN
networking
Connection failed in areas with signals
• A large number of STAs attempt to
connect to the network at the same
time. As a result, some STAs cannot
access the network.
Low network access rate even when
connected
• High-density user access causes network
congestion and sharp decreases in
wireless network bandwidth.
Intermittent network disconnections
• Dense deployment and uncertain
interference cause users to go offline
or lead to unexpected service
interruption.
Frequent in-roaming disconnections
• No protection is available during
roaming, the handover takes a long
time, and a large number of packets
are lost.
Slow fault rectification
• WLAN faults are difficult to
reproduce, so it takes a long time to
locate or demarcate these faults,
leading to difficulties in rectification.
Resolve coverage holes or
weak coverage issues
Huawei WLAN Network Construction Concepts
Resolve issues related to
bandwidth, roaming, latency,
and IoT networking
Quickly identify and
demarcate network faults
Resolve discontinuous and
unstable experience issues
④
③
②
①
For continuous
networking and
experiences
Walking mode
AP
Distance in the industry's 2D
network planning simulation
Inaccurate
Distance in Huawei's 3D
network planning simulation
More accurate
Simulation point
Actual
deployment
point
2D network planning simulation
effect in the industry
Issues Related to AP Positions and Signal Coverage Quality
Have Been Resolved Before Deployment
STA
Huawei's exclusive 3D network planning platform:
WYSIWYG network planning and deployment
Plan Construct Maintain Optimize
Industry-Leading Smart Antennas Resolve Coverage Holes
and Signal Reliability Issues
More focused signals
Penetrating one more wall*
Unique hardware design Beam training
Co-directional matching
for digital beams
*: brick wall, glass,
wooden door, etc.
Industry: omnidirectional antennas Huawei: Smart Antenna
Signals weakened Signals enhanced
Antenna A Antenna A
Antenna B
Out-of-phase superposition
of signals
Antenna B
⚫ Patented dual-band co-planar design,
smaller AP size
⚫ 4 elements for each antenna and 248
beam
combinations, achieving all-round
beamforming and more accurate beams
Try
Try
Try-Best
Try
⚫ Patented intelligent beam training algorithm for
selecting the beam with the maximum gain
⚫ Flexible environment adaptation, enabling always-
on optimal signals for users anytime, anywhere
20% longer
coverage
Digital
TxBF gain
Beam gain of
smart antennas
Traditional
antenna
Element
adjustment
Forming digital
TxBF
⚫ Flexible direction adjustment for
antenna beams and digital beams to
maximize the signal gain in the target
STA direction
In-phase superposition
of signals
Intelligent calibration algorithm
Automatic optimization of parameters
such as channel, power, and
interference
AI roaming algorithm
Steered roaming between APs, handover delay
of less than 10 ms, and zero packet loss
Intelligent scheduling algorithm
Bandwidth adaptation policy implemented based on
network load, no rate limiting on the entire network,
and "100 Mbps @ Everywhere" experience
Calibration, Roaming, and Scheduling Algorithms Resolve
Multi-User Scheduling and Roaming Issues
Interference
Roaming Channel
Frequency
bandwidth
Power
SmartRadio for Air Interface Optimization — SDR: Flexible
Adaptation to Different Scenarios
Customer benefits:
1. In high-bandwidth scenarios, the dual-radio mode is
used to provide ultra-high throughput.
2. In high-concurrency scenarios, the triple-radio mode
is used to allow more STAs to access the network
concurrently.
3. In scenarios with severe interference, the dual-radio
+ independent scanning radio mode is used. In this
mode, the independent radio is used to monitor and
optimize the network quality in real time without
compromising network performance.
4. On a large-scale network, APs working in different
radio modes can be deployed together, meeting
requirements of different services and traffic types,
improving network-wide performance, and saving
the TCO.
Many interference sources,
requiring real-time
network status awareness
120 users,
6–10 Mbps per user
30 users,
50-70 Mbps per user
Electronic
classroom Lab
Stadium
Public
classroom
• 2.4 GHz/5 GHz software-defined radio (SDR)
• Exclusively supporting flexible switching of dual-radio,
triple-radio, and scanning modes
Comparison with other vendors:
Vendor | SDR
Huawei | Supported by mid-range and high-end models
Vendor C | To be supported by mid-range and high-end models
Vendor A | To be supported by mid-range and high-end models
Vendor H | Not supported
SmartRadio for Air Interface Optimization — DFA: Identifying
Redundant Radios and Reducing Interference
Adjust the channel and transmit power
Determine redundant radios
➢ Dynamic frequency assignment (DFA): automatically calculates whether 2.4 GHz radios of APs are redundant,
adjusts the power, disables the redundant radios, or enables the APs to switch to the monitor mode.
➢ If an AP becomes faulty, the WAC re-calculates the network-wide signals and adjusts the frequency band,
channel, and transmit power of the APs accordingly.
Initial state
➢ Interference on the 2.4 GHz channels ➢ Redundant 2.4 GHz radios after calculation
➢ Adjust the 2.4 GHz transmit power of
other APs and disable the 2.4 GHz
channel of AP A to reduce interference.
2.4 GHz
AP D
AP C
AP B
AP A
AP B
AP C
AP D
AP C
AP B
AP D
AP A AP A
SmartRadio for Air Interface Optimization — DBS: Dynamically
Adjusting Bandwidth for Network-Wide Bandwidth Improvement
Before adjustment
Early network planning: To ensure no interference on all channels, the AP works in HT20 mode by default. This mode limits user bandwidth to some extent.
[Figure: 2.4 GHz and 5 GHz channel plan with a hotspot area; every radio runs at HT20 MHz.]
After adjustment
Channel detection and traffic identification algorithm: More network resources are preferentially allocated to core areas with heavy traffic volumes, improving the network-wide throughput by more than 20%.
[Figure: 2.4 GHz and 5 GHz channel plan with a hotspot area; some 5 GHz radios run at HT40 MHz (channels 44 and 52) or HT80 MHz (channel 149), the remaining radios at HT20 MHz.]
AI Roaming: Differentiated Terminal Steering, Increasing the
Wireless Speeds of Roaming Terminals by 30%
WAC
AP1 AP2 AP3
WAC
AP1 AP2 AP3
AP1 AP2 AP3
AP1 AP2 AP3
Mate 30 iPhone 11 Xiaomi8
Differentiated roaming steering based
on STA types to increase the roaming
success rate and wireless speeds
➢ The AP identifies the types of access STAs.
➢ STA profiles allow the system to match
different roaming steering policies and
parameters based on the types and
operating systems of STAs.
➢ Steer STAs to roam so that different types
of STAs can obtain the optimal roaming
experience and increase the wireless
speeds of roaming STAs by 30%.
* For STAs that do not match any types or
operating systems, CampusInsight will verify a
large number of parameters and select the
optimal parameter combination to construct
STA profiles.
As-Is: one for all
Unified steering policy: RSSI: –60 dBm; Steering mode: 802.11v; Target: AP2
To-Be: differentiated profile-based terminal steering
Mate 30: RSSI: –60 dBm; Steering mode: 802.11v; Target: AP2
iPhone 11: RSSI: –65 dBm; Steering mode: 802.11v; Target: AP2
Xiaomi 8: RSSI: –68 dBm; Steering mode: Deauthentication
Sticky terminal, handed over to a nearby AP within minutes
Lossless Roaming: No Packet Loss During Roaming
AGV
AGV
CH1
AGV
AGV
AGV
CH6 CH11
Pre-roaming
Path guidance before roaming, improving efficiency
by 100%
Roaming handover time: 50 ms -> 10 ms
1
Device-pipe synergy
Buffering service data during roaming,
preventing packet loss
2
Seamless resumable transmission
Data is replayed after roaming, ensuring no
service interruption.
3
Lossless roaming: Services are stable and are not interrupted in AGV scenarios,
improving the running efficiency by 40%.
Intelligent Multimedia Scheduling, No Need to Configure Rate
Limiting on the Entire Network
Suppress heavy-traffic greedy services to ensure multimedia service
experience, eliminating the need for rate limiting configuration on the
entire network and fully utilizing network bandwidth.
• BT download that preempts
bandwidth
• Frame freezing of voice and
video services
What else other than
rate limiting?
Intelligent multimedia
scheduling
Network rate limiting seems to be
fair and also ensures key services.
However, such a configuration
greatly wastes network resources.
• Preferential scheduling for
multimedia services
• DBS
In congestion scenarios, the delay of voice
and video services is reduced by 56% to 66%
compared with the industry level. The
proportion of poor-QoS packets whose
downlink delay is greater than 100 ms is
reduced from 8.23% to only 0.08%.
Intra-AP: downlink Inter-AP*: uplink/downlink
10K
Byte
1K
Byte
1K
Byte
1K
Byte
VI
< Slicing
ratio:
Strict-
priority
scheduling
> Slicing
ratio:
Relative-
priority
scheduling
VO
BK
BE
20%
80%
RR
scheduling
Backpressure through the TCP
sliding window + lower-size uplink
aggregation window, suppressing
uplink greedy services
Intra-AP: uplink
Poor-QoE
AP
Coordinated
AP
Coordinated
AP
A poor-QoE AP broadcasts beacons
to instruct the coordinated APs to
suppress heavy-traffic users whose
traffic volume exceeds the threshold
Three-Layer WLAN Protection: End-to-End Security Assurance
Interference
Rogue AP
Hacking
Rogue AP
Authentication server
Air interface security Encryption security
Access security
• The Wi-Fi protocol itself is secure.
• In most cases, people ignore security for
convenience.
• Huawei provides E2E Wi-Fi security assurance.
• Spectrum analysis for interference
identification (independent radio
scanning)
• WIDS/WIPS air interface attack
defense
• Rogue AP identification and
countermeasure
• Air interface management frame
encryption: PMF
• Air interface data encryption: WEP,
WPA, WPA2, WPA3
• Wired tunnel hardware encryption:
DTLS and IPsec
• Authentication: MAC/802.1X/portal
authentication
• Authorization: Free mobility and
unified authorization
4W1H refined control policy: Who,
Where, What, When, How
• Protection: policy control and virus
filtering at the network ingress
Full Series Support for WPA3: Encryption Upgrade,
Improving Air Interface Security
Evolution of Wi-Fi encryption
Open: no encryption
WEP weak encryption
• Launched in 1999
• Cracked in 2001
WPA strong encryption
• Launched in 2003
• Replaced by WPA2 in 2004
WPA2 strong encryption
• Launched in 2004
• Cracked in October 2017
WPA3 enhanced encryption
• Launched in 2019
• Meets security requirements of governments and banks
As-is / To-be (WPA3)
Encryption algorithm added
• As-is: Open SSID with no encryption. Easy to be intercepted.
• To-be: Opportunistic Wireless Encryption (OWE). Encryption keys are automatically negotiated when terminals connect to an open SSID. Advantage: Data in the open SSID is encrypted.
Enhanced algorithm
• As-is: WPA2-Personal uses PSK encryption. Vulnerable to dictionary attacks.
• To-be: WPA3-Personal uses Simultaneous Authentication of Equals (SAE). More secure key exchange mode. Advantage: Even if an attacker obtains an intermediate key, the attacker cannot decrypt data.
Enhanced algorithm and key length
• As-is: WPA2-Enterprise uses 128-bit keys. Does not meet security requirements of governments and banks.
• To-be: WPA3-Enterprise uses the 192-bit encryption key algorithm. Meets higher CNSA/Suite B security requirements of governments and banks.
In-service Software Upgrade on a WLAN: Service Reliability
Assurance
• Identify the AP upgrade
sequence in the region and
perform the multi-batch,
scattered upgrade.
3. Perform a multi-batch,
scattered upgrade.
Uninterrupted
WAC upgrade
Uninterrupted
AP upgrade
1. Determine the AP
upgrade sequence.
2. Proactively
migrate users.
Uninterrupted
WAC upgrade
Active WAC Standby WAC
• Data of different versions can
be backed up during an
upgrade of the active and
standby WACs.
• After the active WAC is
upgraded, APs switch back to
the active WAC and then the
standby WAC begins to be
upgraded.
• The coverage area of the AP
to be upgraded is reduced,
and the coverage area of
surrounding APs is expanded
to fill the coverage holes.
• Proactively migrate users to
neighboring APs.
• APs in the overlapping area are
restarted and upgraded, and
neighboring APs expand their
coverage areas to fill the
coverage holes. The overall
network coverage is not affected.
Leader AP Function: Simplifying WLAN Management for
Enterprise Branches
Fit AP
Internet
PoE switch
Egress gateway
• The leader AP integrates some WAC functions and can be
used to manage Fit APs in small- and medium-sized
branches or stores, implementing AC-free and license-free
access and reducing investment.
• Supports PSK, local Portal, 802.1X, and MAC address
authentication.
• Supports intelligent radio calibration and Layer 2 roaming.
• Supports the web platform.
Management packets
Data packets
. . . . . .
Leader AP
AP Series | Number of Managed APs | Number of Managed STAs
AirEngine 8760 series | 48 | 1024
AirEngine 6760/6761/5760/5761 series | 32 | 512
AirEngine 5762 series | 16 | 512
Wi-Fi & IoT Convergence: Allowing for Hybrid Networking
Deployment
Internal/
External IoT
+ +
Bluetooth RFID ZigBee
ESL: reducing manpower by 90%
through automatic update of
commodity prices
Student health
management, keeping users
informed of physical status
Office asset management, improving
the asset utilization rate by 100%
Healthcare IoT, improving
hospital services
➢ IoT expansion via the card on the AP: applicable to scenarios where the IoT
adaptation solution has been determined in the initial phase of network
construction, IoT devices and APs do not need to be deployed separately, and
mature IoT solutions (compatible with the existing solution) are available.
➢ IoT expansion via the USB port: applicable to scenarios where it is easy to
integrate the partner's existing USB modules and mature IoT solutions are available.
➢ Exclusive IoT & Wi-Fi interference avoidance algorithm, mitigating interference
Vendor | IoT expansion options
Huawei | 1. IoT expansion via the USB port; 2. Built-in IoT card; 3. Built-in BLE
Vendor C | 1. Built-in BLE; 2. IoT expansion via the USB port
Vendor A | 1. Built-in RFID; 2. IoT expansion via the USB port
Vendor H | 1. IoT expansion via the USB port; 2. IoT expansion via PoE
IoT card installed
on the AP
IoT
management
platform
AirEngine series
WAC
IoT expansion via
the USB port
New Sales
Major Sales Scenarios: AGV and AOI
Product
line
Logistics
AGV Warehousing
Wi-Fi 6 CPE
Real-time intelligent control: air interface
slicing
Spectrum slicing and gigabit wireless transmission
Deterministic experience assurance for key
services, latency < 10 ms
Real-time intelligent control: dual fed
and selective receiving
Dual-band simultaneous transmission,
99.999% link reliability
No disconnection and zero packet loss
during AGV roaming
Replacing industrial wired devices with wireless devices,
higher efficiency at lower costs
• Wired backhaul for data of devices such as machine vision detection
and PLC signal detection in production lines
• Frequent production line changes due to new product manufacturing
or process adjustment
To-be: wireless transmission
As-is: wired transmission
Customer benefits
Net increase of 10-day
production capacity
Revenue increased by
USD650,000 per
product line
• On average, the production line is
changed four times in one year. It takes
3 days to change a production line, and
production is stopped for 12 days in
one year, which severely affects the
production capacity and benefits.
• It takes only 0.5 day to change
a production line. The annual
production capacity increases
by 10 days, and the revenue of
each production line increases
by USD650,000.
Traditional
wired
network
Wi-Fi 6
Background
server
AirEngine 6761-21
Empowered by Wi-Fi 6 Advanced technology
Ultra-long-distance deployment: hybrid cable
600 m PoE+ power supply, long enough in a factory
Air Interface Slicing, and Dual Fed and Selective Receiving,
Facilitating Wireless Reconstruction of Production Lines
Train-to-Ground Backhaul Fast Handover Technology:
Achieving Wireless Communication for High-Speed Trains
Transport bearer
network
Video wall
Access authentication
Video management
Storage management
Network
management
Application
service
WAC
Broadcast center
subsystem
Vehicle-
mounted AP
6760-51EI Vehicle-
mounted
switch
Trackside AP
8760R-X1E
Station
subsystem
Industrial
Ethernet
switch
Network
management
LED
Touch
screen
Trackside AP
8760R-X1E
Rolling stock
depot/stabling
yard
subsystem
Industrial
Ethernet switch
Network
management
Vehicle-
mounted AP
6760-51EI
Vehicle-
mounted
switch
Train-to-ground wireless
communication system
Wi-Fi coverage in compartments
LED
Trackside AP
Vehicle-
mounted AP
Trackside AP
Trackside AP
160 km/h
⚫ Dual 5 GHz links, HT80
large bandwidth
⚫ Train-to-ground wireless
backhaul bandwidth:
300+ Mbps
High bandwidth
⚫ Make-before-break
link setup, zero service
interruption during the
handover
⚫ Handover delay < 50
ms @ 160 km/h
Fast handover
⚫ Professional
shockproof chassis,
anti-loose interfaces
⚫ Dual 5 GHz active-
active links for
trackside APs
Stable running
PC era
Network admission control
Focus on PC authentication, terminal
security, and desktop management
BYOD era
Pan BYOD converged network
Focus on refined policy control for
wired and wireless terminals
Identify devices, users, locations, time, and
access modes, and implement refined policy
control based on VLANs and ACLs
SDN era
Free mobility on an
agile network
Focus on the consistency of policies
and experience on the entire
network when users move
Identify user groups and implement
centralized management and control of
policies and experience based on
global user groups and SDN ideas
Who are you?
Do you have
permission?
Are you secure?
What kind of terminal is
this? Whose terminal?
Where is it connected?
Is it wireless or wired?
Branch A
Policies and
resources
Branch B
Policies and
resources
Campus
Policies and
resources
Which user group does
a user belong to?
What users and
services can it access?
Is it a VIP user? What
is its bandwidth?
Identify user identities and implement
network isolation and policy control
based on VLANs and ACLs
ACL and
VLAN
ACL and
VLAN
User group
Bandwidth
QoS
Unified SDN Controller, Implementing Evolution from Policy
Control to Free Mobility
Home
R&D campus
HQ building
Business trip
Access location: R&D area
Terminal type:
desktop cloud
Security policy:
① Office area
② Code area
③ Intranet mailbox
④ Documentation
area
Department: R&D
Access location: non-
R&D area
Terminal type: laptop
Security policy:
① Office area
② Extranet mailbox
③ Documentation
area
④ Internet
Department: R&D
Access location:
outside the company
Terminal type:
mobile phone
Security policy:
① Office area
② Extranet
mailbox
Department: R&D
Access location:
outside the company
Terminal type: tablet
Security policy:
① Office area
② Extranet mailbox
③ Documentation
area
Department: R&D
Objectives of Free Mobility: Consistent Experience Everywhere
Define security groups Define policies by group
NETCONF/YANG
>>
>>
>>
Free Mobility, User Group-based Access Control Policies
Define security group policies and
deliver them to the entire network.
WAN/Internet
Authenticate
users who
attempt to access
the network. Map users to specific security groups
based on the "5W1H" principle and
deliver the mappings to devices.
Control the access permission, bandwidth, priority,
application, and security using the security group policies.
DC/Internet
1
3
2
4
Free Mobility: Ensuring Consistent Access Permissions for
Users Anytime and Anywhere
User Name | User Group | Access Mode | Access Location | Access Duration | Access Permission | Access Bandwidth | Priority
Mark | Physics department | Wired | Dormitory | 08:00–22:00 | Scientific research resources, Internet, and material sharing zone | 2 Mbps | Medium
Joy | Economic research institute | Wired | Office | 00:00–24:00 | Scientific research resources, Internet, OA, management, and materials | 4 Mbps | Relatively high
Terry | Other school | Wired/Wireless | Anywhere | 08:00–18:00 | Public material sharing zone | 500 kbps | Low
Jim | Principal | Wired/Wireless | Administrative building | 00:00–24:00 | All websites, zones, and documents | 4 Mbps | Highest
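The four steps and the table above, modeled as a default-deny policy check; this is an added example, not Huawei's implementation or any controller API. It assumes each table row is a conjunctive match condition (mode, location, and time must all match before a resource is granted), and every function and class name is hypothetical.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for "Anywhere" and "All websites, zones, and documents"


def minutes(hhmm):
    """Convert HH:MM to minutes since midnight; 24:00 is allowed as a window end."""
    hours, mins = (int(part) for part in hhmm.split(":"))
    if not (0 <= mins < 60 and (0 <= hours < 24 or (hours, mins) == (24, 0))):
        raise ValueError(f"invalid time {hhmm!r}")
    return hours * 60 + mins


@dataclass(frozen=True)
class GroupPolicy:
    modes: frozenset        # permitted access modes
    location: str           # permitted access location, or ANY
    window: tuple           # (start, end) in minutes, end exclusive
    resources: frozenset    # permitted resources (casefolded), or {ANY}
    bandwidth_kbps: int
    priority: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    bandwidth_kbps: int = 0
    priority: str = ""


def rule(modes, location, window, resources, kbps, priority):
    start, end = (minutes(t) for t in window.split("-"))
    return GroupPolicy(frozenset(modes.split("/")), location, (start, end),
                       frozenset(r.casefold() for r in resources), kbps, priority)


# Step 1: security group policies, transcribed from the table.
POLICIES = {
    "Physics department": rule("Wired", "Dormitory", "08:00-22:00",
        ["Scientific research resources", "Internet", "Material sharing zone"],
        2000, "Medium"),
    "Economic research institute": rule("Wired", "Office", "00:00-24:00",
        ["Scientific research resources", "Internet", "OA", "Management", "Materials"],
        4000, "Relatively high"),
    "Other school": rule("Wired/Wireless", ANY, "08:00-18:00",
        ["Public material sharing zone"], 500, "Low"),
    "Principal": rule("Wired/Wireless", "Administrative building", "00:00-24:00",
        [ANY], 4000, "Highest"),
}

# Steps 2 and 3: authenticated users mapped to security groups.
USER_GROUP = {"Mark": "Physics department", "Joy": "Economic research institute",
              "Terry": "Other school", "Jim": "Principal"}


def authorize(user, mode, location, hhmm, resource):
    """Step 4: decide from the group policy alone, never from IP address or port."""
    group = USER_GROUP.get(user)
    if group is None:
        return Decision(False, "unknown user")
    policy = POLICIES[group]
    if mode not in policy.modes:
        return Decision(False, "access mode not permitted")
    if policy.location != ANY and location.casefold() != policy.location.casefold():
        return Decision(False, "access location not permitted")
    start, end = policy.window
    if not start <= minutes(hhmm) < end:
        return Decision(False, "outside access duration")
    if ANY not in policy.resources and resource.casefold() not in policy.resources:
        return Decision(False, "resource not permitted")
    return Decision(True, f"security group: {group}", policy.bandwidth_kbps, policy.priority)


if __name__ == "__main__":
    print(authorize("Mark", "Wired", "Dormitory", "09:30", "Internet"))
    print(authorize("Mark", "Wired", "Dormitory", "22:00", "Internet"))
```

Because the decision depends only on the group mapping, moving a user to another switch port or AP changes nothing unless the access location itself is one of the group's conditions.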
Learn about the
device status
Control user experience
Remote diagnosis in
1 minute
Onsite fault locating
for half a day
Manual onsite
troubleshooting
Automatic intelligent
calibration
• User: full journey playback
• Network: 7-dimensional site
quality evaluation
• Application: audio and video
experience awareness
• User: protocol playback and KPI correlation analysis
• Network: 100+ fault inference rules and wired and wireless fault diagnosis
• Application: poor-QoE correlation analysis for audio and video services
• Precise
troubleshooting
suggestions
• Predictive
automatic
calibration
Comprehensive wired
network fault diagnosis
Intelligent radio calibration
Intelligent O&M Platform, One-Stop Display of Wired and
Wireless Network Quality and Experience
Neural Network-based Intelligent Radio Calibration, Improving
Network-Wide Performance by 50%+
Load change trend
AI-based predictive
calibration: Based on
predictive future values
Traditional calibration:
Based on past values
Calibration time
Yesterday
Time
Today Tomorrow
7-day
historical
running data
Baseline training
AI-based intelligent algorithm (CampusInsight)
Device
Load
prediction
Report data Instruct device calibration
Edge identification
(reducing STA
stickiness)
Load first
(spectrum
squeeze)
Average downlink rate
of STAs*
198 Mbps
125 Mbps
58%
Before
calibration
After AI-powered
smart calibration
* indicates the PHY transmit and receive rates between a single Wi-Fi STA and an AP.
Average Wi-Fi channel
interference
2.8%
49%
5.5%
After AI-powered
intelligent calibration
Before
calibration
Network-wide calibration of thousands of APs can be
completed in the following three steps:
• Step 1: Score the network from seven dimensions to evaluate its
quality.
• Step 2: Identify APs with high loads, channel conflicts, and abnormal
coverage.
• Step 3: Automatically adjust the network based on AI learning and
simulation.
Quiz
1. What is the intelligent O&M platform of Huawei CloudCampus? What functions
does it provide?
2. Which models of Huawei AirEngine series APs support smart antennas?
3. What are the differences between AI roaming and common roaming? What
benefits does AI roaming bring?
4. What are the three layers of protection for Huawei WLAN?
Section Summary
⚫ This chapter describes the highlights of Huawei AirEngine series products, including:
 Networking: leader AP function, fast handover technology in train-to-ground backhaul, etc.
 Radio calibration: Smart Antenna, pre-distortion algorithm, SmartRadio for air interface
optimization, etc.
 Security: WPA3, Layer 3 air interface protection, etc.
 Experience optimization: intelligent multimedia scheduling, application acceleration, AI roaming,
lossless roaming, etc.
 O&M management: iMaster NCE-Campus manages devices in a unified manner, and
CampusInsight performs intelligent O&M.
Contents
1. Introduction to WLAN Networking
2. Development and Value of the Wi-Fi 6 (802.11ax) Standard
3. Huawei Wi-Fi 6 Cutting-Edge Technologies and Continuous Networking Solutions
4. Introduction to Huawei AirEngine Wi-Fi 6 Products
Overview and Objectives
⚫ This chapter describes Huawei AirEngine series WLAN products and their
features. After learning this chapter, you will be able to:
 Understand Huawei WLAN products.
 Have a good command of the models and highlights of AirEngine series
Wi-Fi 6 products.
 Know the application scenarios of AirEngine series Wi-Fi 6 APs.
Persons
Things
Connectivity of everything
Ubiquitous connections for optimal
user experience
Intelligent connection
Ubiquitous intelligence, fully leveraging
computing power
Cloud
Intelligence
Pacific pipeline
Fabric interconnection
NetEngine
WAN
CloudEngine
AirEngine
HiSecEngine
Intelligent security
Campus
network
Data center
network
WAN
AirEngine: Brand Name of Huawei Wi-Fi 6 and also the
Name of Huawei Wi-Fi 6
Full-Series AirEngine Wi-Fi 6 APs for All Scenarios
AirEngine 5761-12W
• Device rate: 1.775 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE 5.0, PoE out
• Uplink: 1 x GE electrical
• Downlink: 4 x GE electrical
+ 2 x RJ45 passthrough
AirEngine 5761-11W
• Device rate: 1.775 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE5.0
• Uplink: 1 x GE electrical
• Downlink: 4 x GE electrical
+ 2 x RJ45 passthrough
AirEngine 6760-X1E
• Device rate: 10.75 Gbps
• NSS: 4+6/4+8/4+4+4
• External antennas
• BLE 5.0, two built-in IoT slots
• 1 x 10GE electrical + 1 x GE
electrical
+ 1 x 10GE SFP+
AP7060DN
• Device rate: 5.95 Gbps
• NSS: 4+8
• Built-in smart antennas
• BLE 5.0, external IoT module
• 1 x 10GE electrical + 1 x GE
electrical
AirEngine 6761-21T
• Device rate: 6.575 Gbps
• NSS: 2+2+4
• Built-in smart antennas
• BLE5.0
• 1 x 2.5GE electrical + 1 x
GE electrical
AirEngine 8760-X1-PRO
• Device rate: 10.75 Gbps
• NSS: 4+12/4+8+4
• Built-in smart antennas
• BLE 5.0, two built-in IoT slots
• 2 x 10GE electrical + 1 x
10GE SFP+
AirEngine 6760-X1
• Device rate: 10.75 Gbps
• NSS: 4+6/4+8/4+4+4
• Built-in smart antennas
• BLE 5.0, two built-in IoT slots
• 1 x 10GE electrical + 1 x GE
electrical
+ 1 x 10GE SFP+
AirEngine 5760-51
• Device rate: 5.95 Gbps
• NSS: 2+4/4+4/2+2+4
• Built-in smart antennas
• BLE 5.0, two built-in IoT
slots
• 1 x 5GE electrical + 1 x GE
electrical
AirEngine 6761-21
• Device rate: 3.55 Gbps
• NSS: 4+4
• Built-in Dynamic-Zoom
Smart Antennas
• BLE5.0
• 1 x 2.5GE electrical + 1 x
10GE SFP+
AirEngine 5761-21
• Device rate: 5.375 Gbps
• NSS: 2+4
• Built-in smart antennas
• BLE5.0
• 1 x 2.5GE electrical + 1 x GE
electrical
AirEngine 5761-11
• Device rate: 1.775 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE 5.0, USB
• 1 x GE electrical
AirEngine 6761-21E
• Device rate: 3.55 Gbps
• NSS: 4+4
• External antennas
• BLE5.0
• 1 x 2.5GE electrical + 1 x
10GE SFP+
AirEngine 8760R-X1
• Device rate: 10.75 Gbps
• NSS: 8+8/4+12
• Built-in smart antennas
• BLE 5.0, PoE out
• 1 x 10GE electrical + 1 x GE
electrical
+ 1 x 10GE SFP+
AirEngine 8760R-X1E
• Device rate: 10.75 Gbps
• NSS: 8+8/4+4+4
• External antennas
• BLE 5.0, PoE out
• 1 x 10GE electrical + 1 x
GE electrical + 1 x 10GE
SFP+
AirEngine 6760R-51
• Device rate: 5.95 Gbps
• NSS: 4+4
• Built-in smart antennas
• BLE5.0
• 1 x 5GE electrical + 1 x GE
electrical + 1 x 10GE SFP+
AirEngine 6760R-51E
• Device rate: 5.95 Gbps
• NSS: 4+4
• External antennas
• BLE5.0
• 1 x 5GE electrical + 1 x
GE electrical + 1 x 10GE
SFP+
AirEngine 5761R-11E
• Device rate: 2.4 Gbps
• NSS: 2+2
• External antennas
• BLE5.0
• 1 x GE electrical + 1 x SFP
AirEngine 5761R-11
• Device rate: 1.775 Gbps
• NSS: 2+2
• Built-in antennas
• BLE5.0
• 1 x GE electrical + 1 x
SFP
Wi-Fi 6 (802.11ax) outdoor AP
Wi-Fi 6 (802.11ax) wall plate AP
Wi-Fi 6 (802.11ax) indoor AP
AirEngine 5762-12
• Device rate: 2.975 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE5.0
• 1 x GE electrical
AirEngine 5761-12
• Device rate: 1.775 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE 5.2, two built-in IoT slots
• 2 x GE electrical
AirEngine 5762-13W
• Device rate: 2.975 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE5.0
• Uplink: 1 x GE electrical
• Downlink: 1 x GE
electrical
AirEngine 5762-12SW
• Device rate: 2.975 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE5.0
• Uplink: 1 x GE electrical
• Downlink: 1 x GE
electrical
(Optional colorful shells)
AirEngine 5762-15HW
• Device rate: 2.975 Gbps
• NSS: 2+2
• Built-in smart antennas
• BLE5.0
• Uplink: 1 x SFP (hybrid,
GPON, or GE optical
module)
• Downlink: 4 x GE electrical
AC6805
• Forwarding performance: 120
Gbps
• Number of managed APs: 6K
• Number of access users: 64K
AirEngine 9700-M1
• Forwarding performance: 120
Gbps
• Number of managed APs: 2K
• Number of access users: 32K
AC6508
• Forwarding performance: 10 Gbps
• Number of managed APs: 256
• Number of access users: 4K
WAC
Wi-Fi 6 CPE UNR032H with
vertical network ports
• Device rate: 2.975 Gbps
• NSS: 2+2
• External antennas
• 4 x GE electrical
AirEngine 6760-51EI
• Device rate: 4.8 Gbps
• NSS: 4
• External antennas
• 1 x 5GE electrical + 1 x GE electrical + 1 x 10GE SFP+
Wi-Fi 6 CPE UNR033H with horizontal network ports
• Device rate: 2.975 Gbps
• NSS: 2+2
• External antennas
• 4 x GE electrical
Wi-Fi 6 (802.11ax) scenario-specific AP
High-density scenario
Hybrid optical-electrical
Hybrid optical-electrical
For vehicle-mounted backhaul
Hybrid optical-electrical
IoT AP
Huawei Wi-Fi 6 Product Classification and Scenarios
WACs are classified into high-end, mid-range, and entry-level models based on AP management specifications.
Wi-Fi 6 APs are classified into four subcategories based on the number of spatial streams and deployment scenarios:
1. High-density settled models supporting at least eight spatial streams
2. Cost-effective settled models supporting four to six spatial streams
3. Wall plate models supporting four streams
4. Outdoor models (high-end, mid-range, and entry-level models based on the number of spatial streams)
Product categories:
• Indoor wall plate APs
• Indoor cost-effective APs
• Indoor high-density APs
• Outdoor APs
• WACs
AP models:
• AP7060DN, NSS: 4+8
• AirEngine 6760 series APs, NSS: 4+8/4+4+4/4+6+scanning
• AirEngine 5760-51, NSS: 2+2+2/2+4+scanning
• AirEngine 8760R series, NSS: 4+12/8+8/4+4+8/4+8+scanning
• AirEngine 6760R series, NSS: 4+4
• AirEngine 5761-12W/11W, NSS: 2+2
• AirEngine 6761-21T, NSS: 2+2+4
• AirEngine 5761-11/5762-12, NSS: 2+2
• AirEngine 5762-15HW/13W, NSS: 2+2
• AirEngine 5761R-11/-11E, NSS: 2+2
• AirEngine 6761-21, NSS: 4+4
• AirEngine 5761-21, NSS: 2+4
• AirEngine 5762-12SW, NSS: 2+2
• AirEngine 6761-22T, NSS: 2+2+4 (6 GHz)
WAC models:
• AirEngine 9700-M1 (2K AP)
• AC6508 (256 AP)
• AC6805 (6K AP)
Application scenarios:
• Centralized AP management on midsize and large campus networks: Education, district/county government and hospital, hotel building, etc.
• Wi-Fi coverage in high-density and high-performance scenarios: Enterprise office, production area, warehousing, healthcare, electronic classroom, stadium, etc.
• Indoor open Wi-Fi coverage: OA in government, education, healthcare, and enterprise scenarios; Wi-Fi coverage in hotel and store scenarios
• Wi-Fi coverage in multi-room and house scenarios: OA offices, VIP rooms, hotel rooms, campus dormitories, apartments, houses, etc.
• Wi-Fi coverage in outdoor public scenarios: Public facilities, parks, amusement parks, squares, building parking lots, cold chain warehouses, etc.
Flagship Indoor Wi-Fi AP: AirEngine 8760-X1-PRO
AirEngine 8760-X1-PRO
16 spatial streams
Ultra-high capacity
10.75 Gbps
Radio modes: 4+8+independent radio for scanning/4+12/4+8+4
16 spatial streams + flexible radio mode switchover
Independent probe
Independent hardware + spectrum scanning
Real-time network optimization
* Works with CampusInsight to perform big data optimization.
Parameter: Specifications
• Port: 2 x 10GE electrical + 1 x 10GE SFP+, dual-PoE
• Antenna: Built-in smart antennas
• Bluetooth: BLE 5.0
• Power supply: DC: 42.5 V to 57 V; PoE++, dual power supplies for backup
• Device rate: 1.15 Gbps + 9.6 Gbps
• USB port: 1
• Built-in IoT module: ZigBee, RFID, asset management, and ESL
• Security: Hardware encryption: IPsec and DTLS; WPA3
Indoor High-End Wi-Fi 6 AP: AirEngine 6760 Series
AirEngine 6760-X1
AirEngine 6760-X1E
Basic mode: 4+6
Radio 2
Radio 1
Radio 3
2.4 GHz
Switchable 5 GHz-2
5 GHz-1
Radio 2
Radio 1
5 GHz 2.4 GHz
Device rate: 8.35 Gbps Device rate: 10.75 Gbps
RTU mode:
Parameter: Specifications
• Port: 1 x 10GE electrical + 1 x GE electrical + 1 x 10GE SFP+
• Antenna: Built-in smart antennas
• Bluetooth: BLE 5.0
• Power supply: DC: 42.5 V to 57 V; PoE++
• Device rate: 4+6 mode: 1.15 Gbps + 7.2 Gbps; 4+8 mode: 1.15 Gbps + 9.6 Gbps
• USB port: 1
• Built-in IoT module: ZigBee, RFID, asset management, and ESL
• Security: Hardware encryption: IPsec and DTLS; WPA3
* Right To Use (RTU): The number of spatial streams and functions are added through licenses.
1. Two spatial streams added: 4+8 (bringing higher performance)
2. SDR, 4+8/4+4+4/4+6+scanning
3. Independent dual-band scanning
Real-time network status awareness
Flexible switchover
Indoor Mid-Range Wi-Fi 6 AP: AirEngine 5760-51
AirEngine 5760-51
Wins Japan's highest design award: GOOD DESIGN AWARD 2020
Parameter: Specifications
• Port: 1 x 5GE electrical + 1 x GE electrical
• Antenna: Built-in smart antennas
• Bluetooth: BLE 5.0
• Power supply: DC: 42.5 V to 57 V; PoE+/PoE++
• Device rate: 2+4 mode: 0.57 Gbps + 4.8 Gbps; 4+4 mode: 1.15 Gbps + 4.8 Gbps
• USB port: 1
• Built-in IoT module: ZigBee, RFID, asset management, and ESL
• Security: Hardware encryption: IPsec and DTLS; WPA3
Basic mode
6 spatial streams
AP rate: up to 5.37 Gbps
2+2+4/4+4/2+4+scanning
SDR; AP rate: up to 5.95 Gbps
Radio 2
Radio 1
Radio 3
2.4 GHz
5 GHz-2
5 GHz-1
Radio 2
Radio 1
Radio 3
2.4 GHz
5 GHz-2
5 GHz-1
SDR
2+2+2/2+4
RTU mode
One-click opening, facilitating O&M
Built-in IoT module
Flexible IoT expansion: BLE, ZigBee, RFID, and Thread
* RTU: The number of spatial streams and functions are added through licenses.
Indoor Ultra-High-Density Wi-Fi 6 AP: AirEngine 6761-21/-21E
AirEngine 6761-21
Dynamic-Zoom Smart Antennas
High-density/Omnidirectional smart coverage
Easily coping with high-density interference
Independent third radio
Surrounding environment scanning and detection
Independent scanning radio
Parameter: Specifications
• Device rate: 3.55 Gbps (1.15 Gbps + 2.4 Gbps)
• Antenna: 6761-21: Built-in Dynamic-Zoom Smart Antennas; 6761-21E: External antennas
• Radio: 4+4+Independent scanning radio (5 GHz)
• Number of STAs: 1024
• Port: 1 x 2.5GE electrical port + 1 x 10GE optical port
• Bluetooth: BLE 5.0
• Power consumption: 22.6 W (excluding USB)
• USB port: 1
• Power supply: DC: 42.5–57 V; PoE+ power supply
• IoT expansion: External IoT expansion through USB
AI roaming
Differentiated roaming steering for STAs
Steering policy A
Steering policy B
Indoor Triple-Radio Wi-Fi 6E AP: AirEngine 6761-22T
AirEngine 6761-22T
Triple radios: 2.4 GHz + 5 GHz + 6 GHz
Parameter: Specifications
• Device rate: 6.575 Gbps (0.575 Gbps + 1.2 Gbps + 4.8 Gbps)
• Antenna: Built-in smart antennas
• Radio: 2x2 @ 2.4 GHz + 2x2 @ 5 GHz + 4x4 @ 6 GHz
• Number of STAs: 1536
• Port: 1 x 2.5GE electrical port + 1 x GE electrical port
• Bluetooth: BLE 5.2
• Maximum power consumption: 24.2 W (excluding USB)
• USB: 1
• Power supply: DC: 12 V ± 10%; PoE: 802.3at/af
• IoT expansion: External IoT expansion via USB
Device rate: 6.575 Gbps (2+2+4)
Wi-Fi 6E-6 GHz
6 GHz (up to 1200 MHz)
Dual fed and selective receiving
Proactive defense against packet loss, no service interruption
[Figure labels: P1 P2 P3 P4; Feed 1, Feed 2; Radio 1, Radio 2]
Indoor High-End Triple-Radio Wi-Fi 6 AP: AirEngine 6761-21T
AirEngine 6761-21T
Triple radios
Radio 2
Radio 1
Radio 3
2.4 GHz
5 GHz-2
5 GHz-1
Device rate: 6.575 Gbps
(2+2+4)
Direct forwarding: 24
Tunnel forwarding: 12
Leader AP
Parameter: Specifications
• Device rate: 6.575 Gbps (0.575 Gbps + 1.2 Gbps + 4.8 Gbps)
• Antenna: Built-in smart antennas
• Interface: 1 x 2.5GE + 1 x GE electrical port
• Bluetooth: BLE 5.0
• Power consumption: 21.2 W (excluding USB)
• USB: 1
• Power supply: DC: 12 V ± 10%; PoE+ power supply
• IoT expansion: External IoT expansion via USB
Insensitive access
Module CPE
Secure and insensitive terminal access
Indoor Cost-Effective Wi-Fi 6 AP: AirEngine 5761-21
AirEngine 5761-21
Parameter: Specifications
• Device rate: 5.375 Gbps (0.575 Gbps + 4.8 Gbps)
• Antenna: Built-in smart antennas
• Interface: 1 x 2.5GE + 1 x GE electrical port
• Bluetooth: BLE 5.0
• Power consumption: 17.9 W (excluding USB)
• USB: 1
• Power supply: DC: 12 V ± 10%; PoE+ power supply
• IoT expansion: External IoT expansion through USB
6 spatial streams + smart antenna
Device rate: 5.375 Gbps (2+4)
Direct forwarding: 24
Tunnel forwarding: 12
Leader AP
Insensitive access
Module CPE
Secure and insensitive terminal access
Indoor Cost-Effective IoT Wi-Fi 6 AP: AirEngine 5761-12
AirEngine 5761-12
One-click opening, facilitating O&M
Built-in IoT
Flexible expansion
BLE/ZigBee/RFID/Thread
Parameter: Specifications
• Device rate: 1.775 Gbps (0.575 Gbps + 1.2 Gbps)
• Antenna: Built-in smart antennas
• Radio: 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
• Number of STAs: 1024
• Port: 2 x GE electrical ports
• Bluetooth: BLE 5.2
• Maximum power consumption: 12.63 W (excluding USB)
• USB: 1
• Power supply: DC: 12 V ± 10%; PoE: 802.3at/af
• IoT expansion: Two built-in IoT slots (PCIe); External IoT expansion via USB
Built-in PCIe slot and BLE 5.2
Built-in IoT
Dual fed and selective receiving
Proactive defense against packet loss, no service interruption
[Figure labels: P1 P2 P3 P4; Feed 1, Feed 2; Radio 1, Radio 2]
Indoor Entry-Level Wi-Fi 6 AP: AirEngine 5761-11
AirEngine 5761-11
Parameter: Specifications
• Device rate: 1.775 Gbps (0.575 Gbps + 1.2 Gbps)
• Antenna: Built-in smart antennas
• Interface: 1 x GE electrical port
• Bluetooth: BLE 5.0
• Power consumption: 15.3 W (excluding USB)
• USB: 1
• Power supply: DC: 12 V ± 10%; PoE+ power supply
• IoT expansion: External IoT expansion through USB
4 spatial streams
Device rate: 1.775 Gbps
(2+2)
2.4G
2x2 MIMO
0.57 Gbps
Radio 2
Radio 1
5G 2.4G
5G
2x2 MIMO
1.2 Gbps
Direct forwarding: 24
Tunnel forwarding: 12
Leader AP
Insensitive access
Module CPE
Secure and insensitive terminal access
Indoor Entry-Level Wi-Fi 6 AP: AirEngine 5762-12
180 mm
AirEngine 5762-12
Parameter: Specifications
• Device rate: 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
• Antenna: Built-in smart antennas
• Interface: 1 x GE electrical port
• Bluetooth: BLE 5.0
• Power consumption: 11 W (excluding USB)
• USB: None
• Power supply: DC: 12 V ± 10%; PoE: 802.3af
• IoT expansion: None
4 spatial streams
2.4G
2x2 MIMO
0.575 Gbps
Radio 2
Radio 1
5G 2.4G
5G
2x2 MIMO
2.4 Gbps
2.975 Gbps
(HT160)
Smart antennas
Free of WAC management
Leader AP
Beamforming
20% longer coverage range than omnidirectional antennas
Wall Plate Wi-Fi 6 AP: AirEngine 5761-12W/11W
Parameter: Specifications
• Device rate: 1.775 Gbps (0.575 Gbps + 1.2 Gbps)
• Antenna: Built-in smart antennas
• Interface: Uplink 1 x GE electrical + Downlink 4 x GE electrical + 2 x RJ45 (passthrough) (12W: GE4 supports 11 W PoE Out.)
• Bluetooth: BLE 5.0
• Power consumption: 12W: 13.1 W (excluding USB and PoE Out); 11W: 12.7 W (excluding USB)
• USB: 1
• Power supply: 12W: DC: 42.5 V to 57 V, PoE+ power supply; 11W: DC: 12 V ± 10%, PoE power supply
• IoT expansion: External IoT expansion through USB
AirEngine 5761-12W/11W
Various ports
Uplink GE electrical port: GE/FE
Downlink multi-port: 4 x GE + 2 x passthrough
Passthrough port
Direct forwarding: 24
Tunnel forwarding: 12
Leader AP
Insensitive access
Module CPE
Secure and insensitive terminal access
Hybrid Optical-Electrical Wall Plate Wi-Fi 6 AP: AirEngine 5762-15HW
AirEngine 5762-15HW
Parameter: Specifications
• Device rate: 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
• Radio: 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
• Maximum power consumption: 15 W (excluding USB)
• Power supply: DC: 12 V ± 10%; PoE: 802.3at/af
• Port: Uplink: 1 x SFP (hybrid cable, GPON, or common SFP); downlink: 4 x GE electrical ports; Bluetooth serial port + USB port
4 spatial streams
2.4G
2x2 MIMO
0.575 Gbps
Radio 2
Radio 1
5G 2.4G
5G
2x2 MIMO
2.4 Gbps
2.975 Gbps
Smart antennas
Hospital ward
Dormitory
Hybrid cable
Optical/electrical port, 600 m PoE+ power supply
Simplifying access-layer networking and reducing the occupation of the ELV room
Application scenarios
Beamforming
20% longer coverage range than omnidirectional antennas
Cost-Effective Wall Plate Wi-Fi 6 AP: AirEngine 5762-13W
AirEngine 5762-13W
4 spatial streams
2.4G
2x2 MIMO
0.575 Gbps
Radio 2
Radio 1
5G 2.4G
5G
2x2 MIMO
2.4 Gbps
2.975 Gbps
Smart antennas
Small office
Beamforming
20% longer coverage range than omnidirectional antennas
Leader AP
Dormitory
Free of WAC management
Parameter: Specifications
• Device rate: 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
• Radio: 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
• Maximum power consumption: 12 W (excluding USB)
• Power supply: DC: 12 V ± 10%; PoE: 802.3af
• Port: Uplink GE electrical port + downlink GE electrical port; Bluetooth serial port + USB port
Application scenarios
Wall Plate 86x86 Wi-Fi 6 AP: AirEngine 5762-12SW
Application scenarios
House
SOHO/store: Small-scale self-networking
Low-end/mid-range and budget hotels
AirEngine 5762-12SW
Parameter: Specifications
• Device rate: 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
• Radio: 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
• Maximum power consumption: 12 W
• Power supply: PoE: 802.3af
• Port: Uplink GE electrical port + downlink GE electrical port; Bluetooth serial port
Leader AP
Choices of shells in multiple colors
APP
3-step deployment
Shells of various colors (white, golden, silver gray)
4 spatial streams
2.4G
2x2 MIMO
0.575 Gbps
Radio 2
Radio 1
5G 2.4G
5G
2x2 MIMO
2.4 Gbps
Free of WAC management
2.975 Gbps
Outdoor Flagship Wi-Fi 6 AP: AirEngine 8760R-X1/X1E
AirEngine 8760R-X1E, 8760R-X1
Extreme environment
10GE uplink
10GE electrical + GE electrical + 10G SFP+ optical
• Multi-rate: 10G optical + 10G electrical (2.5G/5G) + GE electrical
• IoT: built-in BLE/ZigBee/RFID/Thread
external PoE out
GE
PoE out Camera
IoT device
…
AirEngine 8760R-X1: 8+8/4+12/4+8+independent scanning
AirEngine 8760R-X1E: 8+8/4+4+4/4+4+independent scanning
16 spatial streams, providing up to 10.75 Gbps rate
Innovative 2.4 GHz 8T8R, providing 40% longer coverage
Network port surge protector
Antenna surge protector
• Waterproof/dustproof level: IP68
• Built-in surge protection design
• Wide temperature: -40℃ to +65℃
Outdoor High-End Wi-Fi 6 AP: AirEngine 6760R-51/51E
2.4 GHz (4x4 MIMO)
Radio 2
Radio 1
5G 2.4G
5 GHz (4x4 MIMO)
…
AirEngine 6760R-51E, 6760R-51
8 spatial streams 4+4, providing up to 5.95 Gbps rate
Extreme environment
Network port surge protector
Antenna surge protector
• Waterproof/dustproof level: IP68
• Built-in surge protection design
• Wide temperature: -40℃ to +65℃
Outdoor Cost-Effective Wi-Fi 6 AP: AirEngine 5761R-11/11E
AirEngine 5761R-11/-11E
Parameter: Specifications
• Device rate: 5761R-11: 1.775 Gbps; 5761R-11E: 2.4 Gbps
• Antenna: 5761R-11: Built-in directional antennas; 5761R-11E: External antennas
• Radio: 2+2 (5761R-11E: dual 5 GHz radios)
• Number of STAs: 1024
• Port*: 1 x GE electrical port + 1 x GE optical port
• Bluetooth: BLE 5.0
• Power consumption (excluding USB): 17.7 W
• USB port: N/A
• Power supply: 802.3at/af power supply
• IoT expansion: N/A
4 spatial streams
Built-in high-level protection
Network port surge protector
Feeder surge protector
High IP rating
IP68 waterproof and dustproof, built-in surge protection, –40°C to +65°C wide temperature range
Device rate: 1.775 Gbps or 2.4 Gbps
(2+2)
2.4G
2x2 MIMO
0.57 Gbps or 1.2 Gbps
Radio 2
Radio 1
5G 2.4G
5G
2x2 MIMO
1.2 Gbps
Note: The GE optical port can be evolved and connect to a second-generation (2.0) hybrid cable.
Vehicle-Mounted Wi-Fi 6 AP: AirEngine 6760-51EI
AirEngine 6760-51EI
Parameter: Specifications
• Maximum rate: 4.8 Gbps (5 GHz: 4x4:4)
• Antenna: External antennas
• Interface: 1 x 5GE electrical port + 1 x GE electrical port + 1 x 10GE optical SFP+ port
• Bluetooth: BLE 5.0
• Power consumption: 23.8 W
• USB: --
• Power supply: DC: 42.5 V to 57 V; PoE+ power supply
• IoT expansion: --
Ultra-high-speed Wi-Fi 6 vehicle-mounted AP
900 Mbps per train @ 160 km/h
Fast handover
30 ms soft handover, ensuring zero service interruption
High-level protection
High-grade die-casting aluminum, shockproof, waterproof, and fireproof
Mappings Between AirEngine Wi-Fi 6 APs and Antennas
[Figures: antennas 27011172 (omnidirectional) and 27013721 (omnidirectional)]
No. | Product Type | Product Model/Part Number | Port Type | Gain | Lobe Angle
1 | Indoor | AirEngine 6760-X1E | 8 x RP-SMA-K | N/A | N/A
2 | Outdoor | AirEngine 8760R-X1E | 8 x N-Type (female) | N/A | N/A
2 | Outdoor | AirEngine 6760R-51E | 4 x N-Type (female) | N/A | N/A
3 | Indoor antenna | 27011172 (omnidirectional) | 1 x PR-SMA-J/2.4G&5G dual-polarized | 3.5/4 dBi | 360°
3 | Indoor antenna | 27012545 (omnidirectional) | 4 x PR-SMA-J/2.4G&5G dual-polarized | 4/5 dBi | 360°/110°
4 | Outdoor antenna | 27013721 (omnidirectional) | 1 x N-type/male connector/2.4G&5G dual-polarized | 4/7 dBi | 360°
4 | Outdoor antenna | 27013720 (directional) | 4 x N-type/female connector/2.4G&5G dual-polarized | 8/8 dBi | 70°/70°
4 | Outdoor antenna | 27013719 (directional) | 4 x N-type/female connector/2.4G&5G dual-polarized | 13/13 dBi | 2.4 GHz: 33°/33°; 5 GHz: 30°/30°
4 | Outdoor antenna | 27013718 (directional) | 4 x N-type/female connector/2.4G&5G dual-polarized | 13/16 dBi | 2.4 GHz: 33°/33°; 5 GHz: 18°/18°
Antennas are general-purpose components. Alternatively, you can also use the models
available on the SCT. For more models, visit the official website.
Fourth-Generation Universal Mounting Bracket + Leading Engineering Installation Capability: Flexible Adaptation to 3 Scenarios and 13 Sub-scenarios
Flexible adaptation to 3 scenarios and 13 sub-scenarios
Ceiling-mounted
Wall-mounted
Cable distribution box
Unified mounting bracket, simplifying installation
*In some scenarios, the APs can interconnect with the mounting bracket of other vendors, facilitating device replacement.
Buckle secured + D-type antitheft: secure and reliable
Huawei's Mainstream WACs
WAC
AC6805
• Maximum throughput: 120 Gbps
• Maximum number of managed APs: 6K
• Maximum number of access STAs: 64K
• 2 x 40GE optical ports + 12 x 10GE optical ports + 12 x GE electrical ports
AC6508
• Maximum throughput: 10 Gbps
• Maximum number of managed APs: 256
• Maximum number of access STAs: 4K
• 2 x 10GE optical ports + 10 x GE electrical ports
AirEngine 9700-M1
• Maximum throughput: 120 Gbps
• Maximum number of managed APs: 2K
• Maximum number of access STAs: 32K
• 2 x 40GE optical ports + 12 x 10GE optical ports + 12 x GE electrical ports
WAC: AirEngine 9700-M1
• 2K APs, 32K STAs, forwarding performance of 120 Gbps
Parameter: Specifications
• Port: 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE
• Forwarding performance: 120 Gbps
• Number of managed APs: 2K
• Number of managed STAs: 32K
• Protection mode: 1+1 HSB or N+1 backup
• Power supply: Pluggable power modules, AC power supply, dual-power hot backup
• Fan: Pluggable fan modules x 3
• Dimensions (H x W x D): 43.6 mm x 442 mm x 420 mm; applicable to 600 mm deep cabinets
School campus + Large enterprise + Stadium
Port: The 40GE port is mutually exclusive with the four 10GE ports.
WAC: AC6805
• 6K APs, 64K STAs, forwarding performance of 120 Gbps
Parameter: Specifications
• Port: 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE
• Forwarding performance: 120 Gbps
• Number of managed APs: 6K
• Number of managed STAs: 64K
• Protection mode: 1+1 HSB or N+1 backup
• Power supply: Pluggable power modules, AC power supply, dual-power hot backup
• Fan: Pluggable fan modules x 4
• Dimensions (H x W x D): 43.6 mm x 442 mm x 420 mm; applicable to 600 mm deep cabinets
School campus + Large enterprise + Stadium
Port: The 40GE port is mutually exclusive with the four 10GE ports.
WAC: AC6508
• 256 APs, 4K STAs, forwarding performance of 10 Gbps
Parameter: Specifications
• Port: 2 x 10GE (SFP+) + 10 x GE (RJ45)
• Forwarding performance: 10 Gbps
• Number of managed APs: 256
• Number of managed STAs: 4K
• Protection mode: 1+1 HSB or N+1 backup
• Dimensions (H x W x D): 43.6 mm x 250 mm x 210 mm, applicable to cabinets
Primary/Secondary education + SME + Branch
Quiz
1. What is Huawei's flagship Wi-Fi 6 AP? How many spatial streams does it support and what is the maximum rate?
2. What IoT expansion modes are supported by Huawei Wi-Fi 6 APs?
3. What function is supported by Huawei Wi-Fi 6 APs to achieve WAC-free self-networking?
4. How many APs can a Huawei WAC manage at most?
Summary
⚫ This chapter describes Huawei AirEngine series APs (entry-level, mid-range,
high-end, and scenario-specific) and WACs, and their highlights.
More Information
⚫ Product overview: https://e.huawei.com/en/products/enterprise-networking/wlan
⚫ Detailed documentation: https://e.huawei.com/en/material/MaterialList
⚫ Campus network solution: https://e.huawei.com/en/solutions/business-needs/enterprise-network/campus-network
⚫ Product documentation: https://support.huawei.com/enterprise/en/category/wlan-pid-1482616818654?submodel=21875860
⚫ Wi-Fi 6 technology white paper: https://e.huawei.com/en/material/networking/wlan/f3ae84efd98d440eb457b4caf405b509
Copyright© 2022 Huawei Technologies Co., Ltd.
All Rights Reserved.
The information in this document may contain predictive
statements including, without limitation, statements regarding
the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
Bring digital to every person, home, and
organization for a fully connected,
intelligent world.
Thank you.
Huawei Campus SD-WAN Products and Solutions
Presales Training
⚫ Security Level:
Huawei Confidential
Foreword
⚫ After years of development and evolution, the Internet has undergone significant changes. In the past,
the Internet was mainly network-centric, and there were few Internet applications. As the main
component of the network, the WAN took the most important position. However, with the rise of cloud
computing, the potential of applications is fully exploited, and the Internet gradually becomes
application-centric.
⚫ Traditional WAN interconnection is mainly implemented through direct fiber connections or MPLS
leased lines leased from carriers, which ensures QoS or SLA. In the application-centric Internet,
interconnecting enterprise branches through optical fibers or MPLS leased lines increases costs. To
address this issue, SD-WAN emerged.
⚫ This course will help you understand the development trends of WAN technologies, application
scenarios of SD-WAN, and highlights of Huawei SD-WAN.
Objectives
⚫ On completion of this course, you will be able to:
 Understand the WAN development process and what SD-WAN is.
 Be familiar with the features of Huawei SD-WAN products and solutions.
 Be familiar with the models and highlights of Huawei NetEngine AR products.
 Be familiar with the differences between Huawei NetEngine AR models and
flexibly select specific AR models based on project requirements.
Contents
1. Development Trends and Challenges Facing WAN Interconnection
2. Introduction to Huawei SD-WAN Solution
3. Introduction to Huawei NetEngine AR Products
Overview and Objectives
⚫ This chapter describes the WAN development and SD-WAN development
process. After learning this chapter, you will be able to:
 Describe the challenges facing WAN interconnection in the cloud background.
 Explain the basic concepts of SDN.
 Explain the basic concepts of SD-WAN.
What Is a WAN?
A wide area network (WAN) provides interconnection between different regions, cities, and countries. A WAN typically
spans a large physical distance (dozens of kilometers to thousands of kilometers). To meet the long-distance
transmission requirements of a WAN, optical fibers are often used as interconnection media.
DC
Branch
Headquarters Residents
LAN WAN LAN
ISP
WAN and Enterprise WAN Interconnection
⚫ Enterprise WAN interconnection refers to the interconnection between enterprise private networks
across a large distance, such as the headquarters, DCs, branches, offices, and mobile offices.
⚫ Enterprise WAN interconnection typically depends on the carrier WAN or enterprise-built WAN.
Carrier network/enterprise-built network
Branch site
Branch site
Enterprise HQ
Branch site
Enterprise WAN interconnection
WAN
Main Enterprise WAN Interconnection Modes
⚫ Enterprise WAN interconnection can be implemented in the
following modes:
 Regional networks are connected through MPLS or leased lines of
carriers. This mode applies to enterprises that have high SLA
requirements and is expensive.
 The carriers' Internet+VPN technologies are used for connections. This
mode applies to small- and medium-sized branches that do not have
high SLA requirements.
 Carriers' point-to-point leased lines are used for cross-city or cross-
country connections. This mode is mainly used to connect DCs,
headquarters, or important outlets and is expensive.
 Industries such as electric power and transportation have self-built
leased line network connections.
⚫ Enterprise WANs are usually a combination of the preceding
connection modes.
Enterprise WAN interconnection
Enterprise HQ
Branch site
Leased line
MPLS
4G/5G
Internet
Self-built private network
Branch site
Branch site
Enterprise HQ
Common Application Scenarios of Enterprise WAN Interconnection
Enterprise WAN interconnection needs to be deployed based on enterprise requirements. For example, in the finance
industry, leased lines or MPLS lines are often used to ensure reliability and security. To reduce network costs, other
enterprises usually lease MPLS lines as the primary lines and Internet+VPN lines as the backup lines.
WAN interconnection in the finance industry
National core backbone
high-speed backbone
Level-1 branch
Level-2 branch
Sub-branch
Sub-branch
Level-2 branch
ATM
Sub-branch
Branch service network
Branch LAN
Branch LAN
SDH/MSTP/MPLS
SDH/MSTP/MPLS
SDH/MSTP/MPLS
WAN interconnection of a manufacturing enterprise
Enterprise HQ
Branch in area A
Internet (backup)
MPLS (primary)
Branch in area B
Branch in area C
GRE over IPsec
Challenges Brought by Service Cloudification to Enterprise WAN Interconnection
⚫ Before cloud computing, enterprise applications were mainly deployed locally. Branch employees accessed the headquarters network through VPN to reach
various servers, such as the ERP system. Network service quality could be guaranteed as long as bandwidth was expanded, and service traffic did not need to be
managed in a refined manner.
⚫ With the advent of cloud computing, a large number of enterprise applications are deployed in a cloud-based and centralized manner (public clouds or
private clouds), greatly increasing branch interconnection traffic. In the case of surging traffic, it is difficult for enterprises to strike a balance between line
costs and service quality.
Enterprise
HQ/DC
Branch site
WAN
Branch site Branch site
Growing enterprise services
Challenges Brought by Multiple Services to Enterprise WAN Interconnection
⚫ Traditional networks are unable to detect service traffic in real time and therefore cannot effectively guarantee key services. In addition, the capability of
monitoring service traffic is insufficient, and service traffic cannot be quickly adjusted.
Internet backup link: low bandwidth efficiency
Unknown
application
MPLS primary link: congested during peak hours
Unknown
application
HQ
SaaS applications are routed out through HQ, resulting in a long delay.
Cloud
Cloud
No application visibility, causing difficulty in traffic scheduling
Bandwidth conflict leads to frame freezing in video conferences
Idle bandwidth makes video conference smooth
Priority conflict: Key applications cannot be identified, and the scheduling priority is low.
Bandwidth conflict: During peak hours, burst traffic is three to five times the average traffic, affecting key applications.
600+ Cross-WAN application (an enterprise)
Difficult management of key services such as voice, video, and SaaS applications
Challenges Brought by Large Numbers of Branches to Enterprise WAN Interconnection
⚫ As an enterprise develops, it has more and more inter-city, inter-province, and inter-country branches, which causes the
following problems in managing branch site networks:
 Too many branches result in high O&M costs.
 It takes a long time to provision new services in branches.
 It is difficult to rectify faults on branch networks.
Process approval (2 to 5 days)
Hardware installation (1 to 3 days)
Hardware transportation (2 to 5 days)
Software commissioning (1 to 3 weeks)
Site survey (1 to 3 days)
Business consideration and device selection (1 to 3 days)
Network planning (2 to 5 days)
Branch 1
...
It takes a long time to provision new services in branches
Branch 2
Branch 3
Difficult troubleshooting on branch networks results in high O&M costs
Branch site
Branch site
Branch site
Branch site
What Is SDN?
⚫ Software-Defined Networking (SDN) decouples forwarding, control, and service applications, enabling
networks to be quickly adjusted like IT applications and new services to be quickly deployed.
Branch site
Branch site
Enterprise HQ
Branch site
Forwarding plane
Unified management
ISP network/Enterprise-built network
SDN controller
Application
Emergence of SD-WAN
⚫ Software-defined Wide Area Network (SD-WAN) applies the SDN architecture and concept to WAN
and reshapes WAN with SDN.
Top 10 SD-WAN requirements defined by ONUG
SD-WAN features defined by Gartner
SD-WAN features defined by MEF
⚫ Uses Zero Touch Provisioning (ZTP) to implement fast
deployment and provisioning of branches, improving
deployment efficiency.
⚫ Dynamically adjusts traffic paths by application type,
making traffic steering more flexible and convenient.
⚫ Provides automatic and intelligent O&M capabilities to
implement centralized management and control and
network-wide status visualization.
⚫ Provides value-added services such as WAN optimization
and security to implement fast service provisioning.
Features of SD-WAN
Basic Features of SD-WAN: Hybrid Links
⚫ Flexible IP overlay network based on hybrid WAN links
[Figure: Traditional WAN: Enterprise HQ, carrier leased line, carrier leased line, Branch]
[Figure: Hybrid WAN: Enterprise HQ, carrier leased line, Internet, Branch]
[Figure: Virtual network (overlay network): Virtual network 1, Virtual network 2, HQ edge, three branch edges]
[Figure: Physical network (underlay network): MPLS, Internet]
Basic Features of SD-WAN: Plug-and-Play
⚫ Devices are plug-and-play and services can be quickly provisioned.
Subscription & self-service
Multi-tenant management
MSP/Carrier
Enterprise
SD-WAN controller
Plug-and-play in multiple modes
Email-based deployment
USB-based deployment
DHCP-based deployment
Batch operation of devices in the warehouse for centralized deployment
No skill requirements for on-site personnel
One-click deployment applicable to multiple access modes
Carrier network
Device deployment and onboarding
Basic Features of SD-WAN: High-Performance Gateway Devices
⚫ High-performance branch devices process all application-centered services.
Router performance bottleneck is a key factor restricting large-scale commercial deployment of SD-WAN
After SD-WAN is enabled, the forwarding performance deteriorates greatly.
[Figure: bar chart of forwarding performance, Traditional WAN and SD-WAN, axis 0 to 1000, label 80%]
[Figure labels: Pure routing: Routing, L1-L3, Package, Route, WAN connection, Forwarding performance requirements; SD-WAN: Multiple scenarios, Various networking modes, L3-L7, Application, Forwarding performance requirements]
Core Values of SD-WAN
Powerful interconnection
Flexible networking for on-demand interconnection of multiple clouds and multiple networks:
• Mesh, hub-spoke, and partial mesh
• WAN interfaces such as Ethernet, LTE, 5G, and DSL interfaces
• Communication between traditional networks and MPLS networks
• Flexible Internet access
Optimal experience
Application-based traffic steering and optimization ensure key application experience:
• Intelligent application identification
• Flexible and dynamic traffic steering
• QoS
• WAN optimization
High performance
High-performance branch devices build a new forwarding engine:
• The demand for new applications, especially bandwidth-hungry applications such as video, increases.
• Network devices require more software functions, from L1-L3 to L1-L7, posing higher requirements on CPE performance.
Easy O&M
Intent-driven simplified branch network O&M
• Automatic orchestration and easy configuration
• Automatic discovery and easy O&M
• Open ecosystem and easy integration
• Simplicity and visibility, saving labor
The core values of SD-WAN are that it helps enterprises build a high-quality WAN interconnection
network that features powerful interconnection, optimal experience, high performance, and easy O&M
anytime, anywhere. SD-WAN is an ideal solution to the problems faced by enterprise WANs.
Section Summary
⚫ This chapter describes the concepts of WAN, development process of WAN
interconnection, and concepts of SD-WAN. It also introduces three basic
features of SD-WAN: hybrid links, plug-and-play, and high-performance
gateway devices.
⚫ It introduces the core values of SD-WAN: powerful interconnection, optimal
experience, high performance, and easy O&M.
Contents
1. Development Trends and Challenges of WAN Interconnection
2. Introduction to Huawei SD-WAN Solution
3. Introduction to Huawei NetEngine AR Products
Overview and Objectives
⚫ This chapter describes Huawei SD-WAN Solution. After learning
this chapter, you will be able to explain:
 Overall architecture and components of Huawei SD-WAN Solution
 Highlights of Huawei SD-WAN Solution in device deployment
 Networking, interoperability capabilities, and highlights of Huawei
SD-WAN Solution
 Experience optimization capabilities of Huawei SD-WAN Solution
 Intelligent O&M capabilities of Huawei SD-WAN Solution
Network Layers
An enterprise SD-WAN network can be divided into two layers: underlay physical network and overlay virtual network, which are
completely decoupled from each other.
⚫ Physical network: refers to the underlay WAN provided by a carrier or built by the enterprise, including the leased line network and
MPLS network.
⚫ Virtual network: is also called the overlay network. Huawei SD-WAN Solution uses the IP overlay virtualization technology to build
one or more virtual overlay networks on top of the physical network. Service policies are deployed on virtual networks and are
decoupled from physical networks, thereby separating services from the WAN.
[Figure: branch sites and the enterprise HQ attach through Edge devices (one labelled Edge/RR) to the carrier network or enterprise-built network; the overlay (virtual network) is drawn above the underlay (physical network)]
Edge Overview
⚫ An edge device is essentially an edge node of the SD-WAN network and is also called an Edge-CPE. Edge devices
are interconnected using the IP overlay tunneling technology.
⚫ Edge devices can typically be traditional CPEs or vCPEs. vCPEs can be deployed at sites on the public cloud.
⚫ All SD-WAN edge devices of an enterprise are managed through iMaster NCE and are managed and maintained by tenant administrators.
[Figure: Edge devices (a CPE at each site, a vCPE in a VPC/vNet, one node labelled Edge/RR) at branch sites and the enterprise HQ join the overlay virtual network under unified management]
Route Reflector (RR) Overview
⚫ RRs are used to transmit BGP routes and reduce the
number of BGP peers.
⚫ In Huawei SD-WAN Solution, RRs also control routes
and network topologies. Therefore, RRs are also called
regional controllers in this solution.
⚫ Both RRs and edge nodes are managed by iMaster NCE.
⚫ Control channels are established between RRs as well
as between RRs and edge sites.
⚫ RRs are managed by iMaster NCE and control route
sending and receiving at edge sites based on the
overlay network topology model. In this way, sites can
communicate with each other based on the user-
configured overlay topology model.
[Figure: an RR (regional controller) and Edge devices at the HQ/DC site and branch sites over MPLS and Internet; legend: management channel, BGP EVPN peer relationship; the RR filters overlay routes and controls the overlay topology]
Gateway Overview
⚫ New SD-WAN sites of an enterprise need to communicate with its legacy sites or third-party services. Some legacy
sites are interconnected through MPLS VPN, and SD-WAN sites are interconnected through IP overlay tunnels.
Therefore, the legacy network and SD-WAN network cannot directly communicate with each other.
⚫ An SD-WAN gateway can connect to both the SD-WAN and legacy networks. It can function as an intermediate
gateway to implement interconnection between SD-WAN and legacy networks.
[Figure: traditional MPLS domain (PEs on the MPLS network serving Enterprise 1 and Enterprise 2) and SD-WAN domain (SD-WAN network serving Enterprise 1, Enterprise 2, and Enterprise 3), joined by a gateway]
Architecture of Huawei SD-WAN Solution
No. | Product | Functions
① | iMaster NCE | 1. Network service orchestration; 2. NE control; 3. Basic network O&M; 4. CPE orchestration and management; 5. Basic performance monitoring (provides link quality information, application quality information, traffic information, and multi-dimensional statistics for single sites and between sites)
② | RR | 1. Distributes VPN routes and tunnel information between CPEs based on VPN topology policies; 2. Deployed on physical AR routers or AR1000V software vCPEs; 3. Deployed independently or co-deployed with the CPE at the site
③ | CPE | Egress CPE of a site, which can be a traditional CPE or an NFV vCPE.
④ | IWG | Implements multi-tenant interconnection between SD-WAN and traditional MPLS networks.
[Figure: architecture diagram. Tenant/carrier portal and RESTful APIs; iMaster NCE ① with a northbound network service layer (VPN, traffic steering, QoS, security, WOC; CPE-VIM; O&M) and a southbound NE layer; RR ②, SD-WAN CPEs and vCPEs ③, a traditional L3 CPE, and an IWG ④ at campus/branch, HQ/DC private cloud, and public cloud sites over the MPLS and Internet underlay; legend: network management, control plane]
• RR: route reflector
• CPE: customer-premises equipment
• vCPE: virtual customer premises equipment (CPE)
• IWG: Interagency Working Group
Architecture of Huawei iMaster NCE
[Figure: layered architecture of iMaster NCE with northbound interfaces, service functions, basic functions, and southbound interfaces. Interface labels: RESTful, SNMP Trap, NETCONF, Telemetry. Function labels: VAS management, traffic policy, security policy, plug-and-play, visualized O&M, multi-tenant management, cluster management, alarm management, log management, device configuration, tunnel management, network inspection, device upgrade. Connected systems: value-added services, OSS/BSS, analysis system, other applications. Network devices: CPE, vCPE]
Distributed Cluster Deployment Supports Large Scale, High Reliability, and Flexible Capacity Expansion
• The controller is deployed in a distributed cluster architecture to provide high reliability and load balancing capabilities. When a node in the cluster is faulty, other nodes take over its workload without affecting services.
• Northbound load balancing: External requests are distributed to all cluster nodes, instead of being processed on a single node. This makes full use of cluster capabilities and improves reliability.
• Southbound load balancing: Controller nodes are dynamically allocated to network devices based on the load of each controller node.
Cluster | Function
Service processing cluster | Provides service processing capabilities, such as CPE management, overlay network configuration delivery, and traffic policy configuration.
Data processing cluster | Stores and aggregates CPE performance data.
Nginx cluster | Functions as a high-performance HTTP proxy server that forwards concurrent connection requests. It is mainly used for L4-L7 load balancing of northbound traffic.
LVS | Is short for Linux Virtual Server. It is a load balancing component that is mainly used for L1-L4 load balancing of north-south traffic.
[Figure: distributed clusters for the controller: LVS, Nginx cluster, service processing cluster, and data processing cluster, deployed on physical servers or VMs]
Geographic Redundancy: Fast Switchover Ensures Service Continuity
• Geographic redundancy supports disaster recovery backup between two clusters. The number of nodes in the active cluster must be the same as that in the standby cluster.
• The active and standby controller clusters are both running. However, only the active cluster can provide services, while the standby cluster does not provide services. Data in the active cluster is synchronized to the standby cluster in real time to ensure data consistency.
• The northbound and southbound interfaces or platforms of the controller use the same domain name or IP address. Tenants and devices use the same domain name or IP address to access the active controller cluster. After an active/standby switchover, traffic is automatically switched to the new active cluster.
• Huawei SD-WAN controller active/standby solution supports only one active cluster and one standby cluster.
[Figure: controller cluster (active) in the active DC and controller cluster (standby) in the remote DR center, linked by heartbeat and data synchronization; labels: administrator, Internet, DNS server, Edge 1 to Edge n at branch sites]
Huawei SD-WAN: Zero Configuration, On-Demand
Interconnection, Superior Experience, and Intelligent O&M
ZTP: automatic deployment
• ZTP for multiple branches, fast site deployment
• 5G-ready network free of cables, fast network provisioning
On-demand interconnection: high-quality network
• One network for all services in the HQ, branches and cloud
• Internet access, cloud service access, and cross-domain interworking
Application-level traffic steering and optimization: delivering superior experience
• Multiple application identification technologies with high identification precision
• Network optimization technologies such as intelligent traffic steering, A-FEC, and multi-fed and selective receiving
Integration of management, control, and analysis: intelligent O&M
• LAN/WAN convergence and unified policy orchestration
• Intelligent O&M, one-stop network diagnosis and treatment
[Figure: management layer, control layer (RR, distributed control component), and network layer (MSTP, MPLS, 5G); NetEngine AR routers at a large/midsize branch and a small branch; services: counter, Wi-Fi, VTM, VR finance, greeting robot; cloud services: VR finance, robot service, VTM, counter service]
Intelligent Network Construction, One-Stop Management
and O&M
ZTP Deployment
• USB-based deployment
• Email-based deployment
• DHCP-based deployment
• Registration center-based deployment
On-Demand Interconnection
• Site-to-site access
• Site-to-legacy access
• Cloud on-ramp
Application Experience
• Application identification
• Intelligent traffic steering
• Application optimization
• Intelligent application policy selection
• Security
Intelligent O&M
• Service visualization
• Alarm management
• Log backtracking
• Network diagnosis
• Agile report
ZTP Achieves Network Provisioning Within Minutes
As-Is: on-site manual configuration and deployment, error-prone and time-consuming (1 to 3 months)
• Process approval (2 to 5 days)
• Hardware installation (1 to 3 days)
• Hardware transportation (2 to 5 days)
• Software commissioning (1 to 3 weeks)
• Site survey (1 to 3 days)
• Business consideration and device selection (1 to 3 days)
• Network planning (2 to 5 days)
To-Be: multiple ZTP modes, making minute-level network provisioning and device rollout possible
• Email-based deployment
• USB-based deployment
• DHCP-based deployment
• Registration center-based deployment
Supported by default, automatic ZTP upon power-on
• Batch operation of devices in the warehouse for centralized deployment
• No skill requirements for on-site personnel
• One-click deployment applicable to multiple access modes
[Figure: RESTful APIs, subscription & self-service, and multi-tenant management for MSP/carrier and enterprise]
Simplified and Batch Deployment, One Site for Multiple Purposes
As-Is: low efficiency, loose UI relationships, and high skill requirements
• Time-consuming: 30 mins for deploying one site
• Complex operations: switching between pages
• High requirements: experience-dependent and error-prone
• Steps: Create a device (3 mins), Configure WAN routes (10 mins), Create a device (3 mins), Configure WAN links (10 mins), Configure NTP (2 mins), Connect to RRs (2 mins)
To-Be: wizard-based template for batch site deployment, greatly improving efficiency
• Fast configuration: 3 mins for deploying one site
• Wizard-based: one page for E2E configuration
• One site for multiple purposes: batch deployment for sites of the same type
• Site replication
• Template-based configuration
Multiple Flexible Networking Models Meet Different Branch Communication Requirements
• Multiple networking modes
Supports multiple networking modes, including hub-spoke, full-mesh, partial-mesh, and hierarchical networking.
• Hub redundancy
Supports single-hub dual-device and dual-hub (a maximum of eight service hub nodes). When a hub node is faulty, the connected spoke node automatically switches to the hub node with a lower priority.
• Link redundancy
A single CPE supports a maximum of 10 links, and dual CPEs support 20 links for intelligent traffic steering, and an escape link.
• CPE redundancy
Two CPEs at a site back up each other, and they support VRRP or route switchover.
Hub-spoke
1. Scenario 1: Branches mainly need to communicate with the headquarters, and there is no or little service traffic between branches.
2. Scenario 2: In scenarios with high security requirements, all branch traffic needs to be diverted to the HQ for cleaning.
Hierarchical networking
1. Scenario: cross-province, cross-region, and cross-country large-scale enterprise network, which is divided into different areas for networking and management
Full-mesh networking
1. Scenario: Branches need to directly communicate with each other.
Partial-mesh networking
1. Scenario: Also called user-defined networking. Used when the live network is complex and needs to be customized to match the current network architecture, reducing the impact of SD-WAN reconstruction.
[Figure: topology sketches of the four networking models; labels: backbone area, region, border router, RR, hub]
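A simplified model of the topology control described on the RR overview and networking-model slides, added here as an illustration and not Huawei's implementation: a reflector decides which overlay routes each site receives for hub-spoke, full-mesh, and partial-mesh models, fails over to the next hub in priority order, and audits whether any branch can bypass the hub. The site names, prefixes, and the functions `reflect`, `active_hub`, `next_hop`, and `spoke_bypass` are hypothetical, and steering spoke-to-spoke traffic by setting the next hop to the active hub is an assumption of this model.

```python
from dataclasses import dataclass
from itertools import permutations

MODELS = ("hub-spoke", "full-mesh", "partial-mesh")


@dataclass(frozen=True)
class Route:
    prefix: str    # overlay prefix advertised by a site
    origin: str    # site that owns the prefix
    next_hop: str  # site whose tunnel endpoint the receiver forwards to


# Constructed sample inventory: site name -> prefixes behind its edge device.
SITES = {
    "HQ1": ["10.0.0.0/16"],
    "HQ2": ["10.1.0.0/16"],
    "BR1": ["10.10.1.0/24"],
    "BR2": ["10.10.2.0/24"],
    "BR3": ["10.10.3.0/24"],
}


def active_hub(hubs, down):
    """Hubs are listed highest priority first; return the first healthy one."""
    return next((h for h in hubs if h not in down), None)


def reflect(sites, model, hubs=(), direct_pairs=(), down=()):
    """Return {receiver: [Route, ...]} as distributed under a topology model.

    Assumption of this sketch: a spoke-to-spoke route that the model does not
    allow as a direct tunnel is handed out with the active hub as next hop.
    """
    if model not in MODELS:
        raise ValueError(f"unknown topology model: {model}")
    down = set(down)
    direct = {frozenset(pair) for pair in direct_pairs}
    hub = active_hub(hubs, down)
    tables = {site: [] for site in sites if site not in down}
    for receiver, origin in permutations(tables, 2):
        if model == "full-mesh" or receiver in hubs or origin in hubs:
            via = origin  # direct tunnel between the two sites
        elif model == "partial-mesh" and frozenset((receiver, origin)) in direct:
            via = origin  # user-defined direct pair
        else:
            via = hub     # steer through the active hub
        if via is None:
            continue      # no healthy hub: withhold the route
        tables[receiver].extend(Route(p, origin, via) for p in sites[origin])
    return tables


def next_hop(tables, receiver, prefix):
    """Next-hop site the receiver uses for a prefix, or None if unreachable."""
    for route in tables.get(receiver, []):
        if route.prefix == prefix:
            return route.next_hop
    return None


def spoke_bypass(tables, hubs):
    """Audit: routes on a spoke whose next hop is not a hub (hub is bypassed)."""
    return sorted(
        (receiver, route.prefix, route.next_hop)
        for receiver, routes in tables.items() if receiver not in hubs
        for route in routes if route.next_hop not in hubs
    )


if __name__ == "__main__":
    hubs = ["HQ1", "HQ2"]
    normal = reflect(SITES, "hub-spoke", hubs=hubs)
    failed = reflect(SITES, "hub-spoke", hubs=hubs, down=["HQ1"])
    print("BR1 -> BR2 via", next_hop(normal, "BR1", "10.10.2.0/24"))
    print("after HQ1 failure via", next_hop(failed, "BR1", "10.10.2.0/24"))
    print("bypass entries in full mesh:",
          len(spoke_bypass(reflect(SITES, "full-mesh"), hubs)))
```

An empty result from `spoke_bypass` is the property that hub-spoke Scenario 2 depends on: no branch holds a route that avoids the HQ cleaning point.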
Multi-Hub Solution Improves Interoperability and
Reliability of DCs
• A maximum of 16 southbound and northbound service hubs can
be deployed for communication between branches and DCs.
• Southbound and northbound service hubs support backup and load
balancing.
• All hubs can function as branch-to-branch hubs. Two branch-to-
branch hubs can be configured on the entire network to work in
active/standby mode for higher reliability.
• Priorities can be configured for service hubs based on branch sites.
[Figure: Spoke1 and Spoke2 connect through ISP1, ISP2, and ISP3 to Hub1 through Hub8 under an RR; the hubs carry office services and production services]
Requirements & Challenges
• Some enterprise customers may have three or more DCs deployed in
different areas for service isolation and network-wide reliability
(geographic redundancy). For example, it is common in China that
an enterprise deploys three DCs in two cities.
• Branch sites need to communicate with multiple DCs based on
service requirements. Some branch sites need to communicate with
each other through the hub site at the HQ.
Interconnection Between Legacy MPLS Branches: Dual-Domain
Network Interconnection, Implementing Smooth Service Evolution
Interconnection between legacy MPLS branches
Scenario:
An enterprise has a large number of legacy MPLS branches and
requires communication between the legacy MPLS domain and
SD-WAN domain to implement smooth evolution.
Solution:
• Local access: The SD-WAN site and legacy site communicate
with each other through the local CPE. That is, the CPE
functions as a CE to communicate with the remote MPLS PE.
• Centralized access: The SD-WAN site and legacy site
communicate with each other through a centralized gateway.
The centralized gateway selects a hub site device as a CE to
communicate with the remote MPLS PE.
• Access through a dedicated IWG: A dedicated IWG is
deployed between an SD-WAN site and a legacy site. The
IWG functions as the centralized gateway for access in the
SD-WAN domain and as a PE in the MPLS domain. IWGs
support multi-tenancy.
[Figure: legacy MPLS domain (PEs, Enterprise 1 to Enterprise 3) and SD-WAN domain (Internet and MPLS underlay, Enterprise 1 to Enterprise 3) connected in three numbered ways: 1 local breakout and access of MPLS branches, 2 centralized access through the hub, 3 access through the dedicated IWG]
A-FEC: Smooth Video Experience Even at 30% Packet Loss Rate
A-FEC, ensuring no frame freezing at 30% packet loss rate
According to the test on the customer's live network, the video quality can be guaranteed even at the 30% packet loss rate. However, vendor V ensures the video quality only at 2% packet loss rate.
A-FEC, easy-to-use and bandwidth saving
⚫ Vendors V and F support only static FEC. Users need to manually specify the redundancy rate, resulting in poor availability.
⚫ Huawei SD-WAN Solution supports A-FEC, which can dynamically adjust the redundancy rate (as shown in the following table) based on real-time packet loss. This not only improves availability but also reduces the number of redundant packets to be sent, saving bandwidth.
Packet Loss Rate | A-FEC Redundancy Rate
30M + 65 ms delay + 5% packet loss rate | 7%
30M + 65 ms delay + 10% packet loss rate | 11%
30M + 65 ms delay + 20% packet loss rate | 22%
Application-based policy, flexible and controllable
⚫ Huawei: enables or disables A-FEC for specific services based on applications, improving device performance and saving link bandwidth.
⚫ Vendor C: supports FEC only based on links.
[Figure: AR routers at Branch 1 and Branch 2 connected over the Internet with link packet loss. Sender: sends original packets and redundant packets based on the FEC algorithm. Receiver: restores lost data based on the FEC algorithm, original packets, and redundant packets to ensure video quality. Callouts: "Vendor: artifacts at 3% packet loss rate"; "Huawei: no frame freezing or artifacts at 30% packet loss rate"; "A-FEC: Vendor V ensures no frame freezing only at 2% packet loss rate."]
Note: Forward Error Correction (FEC) can be applied to all applications and protocols. It is recommended that FEC be applied to packet loss-sensitive services such as video services. FEC can only be used in SD-WAN scenarios.
Difficult and Inefficient Traditional Enterprise Branch O&M
Numerous devices, difficult deployment
Numerous devices (switch, Wi-Fi, firewall, router) -> Many systems, teams, and O&M personnel -> Many branches
Traditional service configuration mode
Site creation -> Link configuration -> VPN configuration -> QoS policy configuration -> Routing policy configuration...
Manual troubleshooting
Network fault -> Passive response -> Check on the NMS -> Manual locating...
Traditional O&M: long branch provisioning period, complex service configuration, difficult O&M
LAN-WAN Convergence: Unified Management and Control
and One-Stop Deployment
WAN egress interconnection LAN campus configuration Routes for LAN-WAN interconnection
WAN traffic policy, such as
intelligent traffic steering
One platform with an integrated GUI, improving deployment and O&M efficiency and reducing customer investment
Simplified O&M: Visualized Services, Large-Screen
Monitoring, and Topology-based O&M
Large-screen real-time monitoring
⚫ Customized dashboard (role or preference)
⚫ Network-wide real-time alarms (in minutes)
⚫ Multi-dimensional logs, facilitating problem
backtracking
⚫ Agile report, on-demand customization
Visualized topology status
⚫ Displays topology based on sites and
links.
⚫ Provides real-time status and
performance of sites and links.
Topology O&M
⚫ Topology-based graphical O&M
⚫ Network-wide inspection, detecting
potential problems
Quickly obtain abnormal traffic
Optimize WAN investment and configuration policies
Locate the root cause of a fault in minutes
Quickly locate faulty devices or sites
CampusInsight: Visualized WAN Network Health and E2E
Visualized Network O&M
WAN network health
WAN-side intelligent O&M: wired network health, including AR health evaluation
Details include health overview, device environment, device capacity, network performance, health trend, and network status.
CampusInsight Provides Four Types of Intelligent Analysis, 20+ AR Issue Analysis
Checking whether physical components are normal
• Device fault
• Device disconnection
• Repeated device restart
• Modular switch cluster split/Dual-active modular switch cluster
• LPU fault
• Repeated LPU fault
• MPU fault
• Repeated MPU fault
• SFU fault
• Repeated AC restart
• Repeated SFU fault
• Inconsistency between hardware- and software-based entries
• Fan fault
• Power supply fault
• Threshold-crossing for the storage life
• Abnormal board temperature
• Abnormal file system
• Virtual license expiration
• Expiration of other licenses
• Repeated AP restart
• Insufficient AP power supply
• Threshold-crossing for the CPU usage on the forwarding plane (AR)
• Failure to apply for the table entry memory on the forwarding plane (AR)
• Threshold-crossing for the block memory on the forwarding plane (AR)
• Threshold-crossing for forwarding entries (AR)
• Threshold-crossing for SAC/SPR/IPS flow tables on the forwarding plane (AR)
• Threshold-crossing for flow table sessions on the forwarding plane (AR)
• Threshold-crossing for EVPN connections (AR)
• Lower BUF data on the forwarding plane than the threshold (AR)
• PoE fault
• Repeated PoE fault
Checking whether data transmission is abnormal, affecting the throughput
• Layer 2 loop
• Port congestion and queue congestion
• Error packets on a port
• Packet loss due to CPCAR exceeding
• Traffic prediction for possible threshold-crossing
Checking whether the device resource quantity or capacity is sufficient
• Threshold-crossing for ARP entries
• Threshold-crossing for MAC address entries
• Threshold-crossing for FIB forwarding entries
• Threshold-crossing for ND forwarding resources (IPv6)
• Insufficient ACL resources
• Threshold-crossing for storage capacity
• Threshold-crossing for CPU usage
• Threshold-crossing for memory usage
Checking whether a network port is abnormal
• Port down
• Intermittent port disconnection
• Port error-down
• Physical port suspension
• Abnormal optical module
• Note: AR products support the features in red.
Quiz
1. Single-answer question: What is the maximum packet loss rate supported by A-FEC while ensuring smooth video playback? ( )
A. 10% B. 20% C. 30% D. 40%
2. Multiple-answer question: Which load balancing modes are supported by Huawei
SD-WAN? ( )
A. Per-packet load balancing
B. Per-flow load balancing
C. Load balancing by link bandwidth percentage
D. Even load balancing by traffic volume
Section Summary
⚫ This chapter describes the architecture, components, and highlights of Huawei SD-WAN Solution.
 ZTP: Three deployment modes are available: USB-based deployment, DHCP option-based deployment, and
email-based deployment. In addition, template-based batch deployment is supported.
 On-demand interconnection: Multiple networking models, multi-hub scenarios, MPLS branch interconnection,
and multi-cloud interconnection solutions
 Application experience: application identification, intelligent traffic steering, load balancing, multi-fed and
selective receiving, and A-FEC
 Intelligent O&M: iMaster NCE-Campus centrally manages LANs and WANs, and CampusInsight visualizes E2E
experience.
Contents
1. Development Trends and Challenges of WAN Interconnection
2. Introduction to Huawei SD-WAN Solution
3. Introduction to Huawei NetEngine AR Products
Overview and Objectives
⚫ This chapter describes Huawei NetEngine AR series enterprise gateway
routers, their features, and highlights. After learning this chapter, you will
be familiar with:
 Naming conventions and features of Huawei NetEngine AR series products
 Application scenarios of Huawei NetEngine AR series products
 Highlights of Huawei NetEngine AR series products
Huawei High-Performance NetEngine AR Series
Enterprise Routers
Product families: NetEngine AR650 & AR610 series, NetEngine AR6000 series, NetEngine AR8000 series, NetEngine AR1000V vCPE
5G uplink
• Industry's first router with 5G uplinks
• Industry's highest 5G uplink performance
SD-WAN
• 20 Gbit/s forwarding capability
• E2E SRv6 networking
One-hop cloud access
• One hop to six clouds, one network to multiple clouds
• vCPE 10 Gbit/s SD-WAN performance
Cloud-based management
• Automated service deployment
• Intelligent O&M
Naming Conventions of NetEngine AR Products (1/2)
Modular router
NetEngine AR 6 1 1W-LTE4CN
Series: 1/2 (G3 series), 6 (600 series)
Grade: 1 (standard); 5 (high-end)
WAN port type: 1 (GE); 7 (VDSL2 35B)
Function: W (Wi-Fi); V (voice)
Additional information: LTE (LTE); 4 (Cat4); 6 (Cat6); CN (China)
Fixed-configuration router
NetEngine AR 6 1 2 1
Type: AR (global market brand)
Series: 1/2/3 (G3 series), 6 (6000 series)
Height: 1 (1 U), 2 (2 U), and 3 (3 U)
Number of slots: 1 to 9 (number of slots); 0 (slot 10, 2 U or higher)
Generation: 0 (first generation), n (n+1 generation)
Brand: NetEngine (product brand)
Naming Conventions of NetEngine AR Products (2/2)
Modular router
NetEngine AR 6 7 1 0 – L26T2X4
Series: 6 (AR6700 product platform)
Market positioning: 7 (enterprise network market)
Product generation ID. The tens place indicates the generation, and the ones place is 0 by default.
Series model: L (simplified version)
Number of downlink ports
Downlink port type: T (GE electrical port)
Number of uplink ports
Uplink port type: X (10GE optical port)
Card slot: No value indicates that cards are not supported. n indicates the number of supported slots.
Fixed-configuration router
NetEngine AR 8 1 4 0 – 12G10XG
Type: AR (global market brand)
Series: AR8000 product platform
Height: 1 (1 U), 2 (2 U), and 3 (3 U)
Number of slots: 1 to 9 (number of slots); 0 (slot 10, 2 U or higher)
Generation: 0 (first generation), n (n+1 generation)
Brand: NetEngine (product brand)
(Optional) Extended host information: nG indicates that n GE interfaces are supported. nXG indicates that n 10GE interfaces are supported.
Huawei NetEngine AR Series Routers
HQ/Large branch: NetEngine AR8000/AR6300/AR6200 series
• NetEngine AR6300
• NetEngine AR6280
• NetEngine AR8140-12G10XG
Small and midsize branch: NetEngine AR6100/AR6700 series
• NetEngine AR6121E
• NetEngine AR6140E-9G-2AC
• NetEngine AR6710-L50T2X4
• NetEngine AR6710-L50T2X4-T
• NetEngine AR6710-L26T2X4
• NetEngine AR6710-L26T2X4-T
Small enterprise: NetEngine AR650 series
• NetEngine AR651
• NetEngine AR651W-8P
• NetEngine AR651W
• NetEngine AR657W
SOHO: NetEngine AR610 series
• NetEngine AR611
• NetEngine AR611W
• NetEngine AR617VW-LTE4EA
• NetEngine AR617VW-LTE4 (Available only in Latin America)
vCPE
• NetEngine AR1000V
Main Control Boards and Boards of Huawei NetEngine AR Series Routers (1/2)
Category | Model | Description | Type | AR6300 AR6280 AR8140 AR6700 AR6140E AR6121E AR657W AR651W-8P AR651W AR651 AR610
Main control board | SRU-400H | Service and Router Unit 400H, 14*10GE(SFP+), 10*GE Copper, 1*USB2.0 | NA | √ √
Main control board | SRU-600H | Service and Router Unit 600H, 14*10GE(SFP+), 10*GE Copper, 1*USB2.0 | NA | √ √
Ethernet LAN | AR01XEGFTA | 24-Port 10/100/1000BASE(RJ45)-L2/L3 Ethernet Switch Interface Card, 1*1 | XSIC | √ √
Ethernet LAN | AR-4ES2G-S | 4-Port 1000BASE-RJ45 L2/L3 Ethernet Interface Card(SIC), 1*3 | SIC | √ √ √ √
Ethernet LAN | AR01WEG4SB | 4-Port 1000BASE-SFP-L2 Ethernet Interface Card, 1*1 | WSIC | √ √ √ √
Ethernet LAN | AR-9ES2-W | 8-Port 100M-RJ45 and 1 Port 1000M-RJ45 L2 Ethernet Interface Card, 1*2 | WSIC | √ √ √ √
Ethernet LAN | WSIC-4GE-C-V2 | Four GE combo interfaces, Layer 3 interfaces by default, supporting Layer 2 and Layer 3 switching | WSIC | √ √
Ethernet LAN | WSIC-8GE-T-V2 | Eight GE electrical interfaces, Layer 3 interfaces by default, supporting Layer 2 and Layer 3 switching | WSIC | √ √
Ethernet WAN | AR01SEG1CA | 1-Port GE Combo WAN Interface Card, 1*2 | SIC | √ √ √ √
Ethernet WAN | AR01SEF2TA | 2-Port FE WAN Interface Card, 1*2 | SIC | √ √ √ √
Ethernet WAN | AR-2X10GL-W | 2-Port 10GE Optical Ports Interface Card, 1*1 | WSIC | √ √
Ethernet WAN | AR-4GECS-W | 4-Port GE COMBO WAN Interface Card(support syncE), 1*1 | WSIC | √ √ √ √
Ethernet WAN | AR01WEG4TA | 4-Port 1000BASE-RJ45-L3 Ethernet WAN Interface Card, 1*1 | WSIC | √ √ √ √
E1/T1 board | AR01SDE11A | 1-Port Fractional Channelized E1/T1 WAN Interface Card, 1*2 | SIC | √ √ √ √
E1/T1 board | AR01SDME1A | 1-Port Channelized E1/T1/PRI/VE1 Multiflex Trunk Interface Card, 1*2 | SIC | √ √ √ √
E1/T1 board | AR01SDE12A | 2-Port Fractional Channelized E1/T1 WAN Interface Card, 1*2 | SIC | √ √ √ √
E1/T1 board | AR01SDME2A | 2-Port Channelized E1/T1/PRI/VE1 Multiflex Trunk Interface Card, 1*2 | SIC | √ √ √ √
Main Control Boards and Boards of Huawei NetEngine AR Series Routers (2/2)
Category | Model | Description | Type | AR6300 AR6280 AR8140 AR6700 AR6140E AR6121E AR657W AR651W-8P AR651W AR651 AR610
Synchronous/Asynchronous board | AR01SDSA1A | 1-Port Sync/Async Serial Port Interface Card, 1*2 | SIC | √ √ √ √
Synchronous/Asynchronous board | AR01SDSA2A | 2-Port Sync/Async Serial Port Interface Card, 1*2 | SIC | √ √ √ √
Synchronous/Asynchronous board | AR01WDAS8A | 8-Port Async Serial Port Interface Card, 1*1 | WSIC | √ √ √ √
Synchronous/Asynchronous board | AR-8SA-W | 8-Port Sync/Async Wan Interface Card, 1*1 | WSIC | √ √ √ √
3G/LTE board | SIC-1LTE4-EA | TDD/FDD/HSPA+ Interface Card (replacing AR-1ELTE-L-S) | SIC | √ √ √ √
3G/LTE board | MIC-1ELTE6-EA | WCDMA/LTE FDD/LTE TDD CAT6 interface card | MIC | √ √ √
3G/LTE board | MIC-1LTE4 | FDD/WCDMA/HSPA+ Interface Card | MIC | √ √ √
3G/LTE board | MIC-1LTE4-EA | FDD/WCDMA/HSPA+ Interface Card | MIC | √ √ √
3G/LTE board | MIC-1LTE6-EA | FDD/TDD/HSPA+/WCDMA Cat6 interface card | MIC | √ √ √
5G board | SIC-5G-100 | 5G NR/LTE/WCDMA Interface Card | SIC | √ √ √ √
5G board | SIC-NR-102-V2 | AR6000, SIC-NR-102-V2, 5G NR/LTE/WCDMA Interface Card, 1*2 | SIC | √ √
POS/CPOS board | AR-1CSTM1-W | 1-Port 155M Channelized Packet over SDH/Sonet Interface Card(WSIC), 1*2 | WSIC | √ √ √
POS/CPOS board | AR-1STM1-W | 1-Port 155M Packet over SDH/Sonet Optical Interface Card, 1*1 | WSIC | √ √ √
POS/CPOS board | AR-4STM1-W | 4-Port 155M Packet over SDH/Sonet Optical Interface Card, 1*1 | WSIC | √ √ √
Voice board | SIC-4FXS | 4-Port FXS Voice Interface Card | SIC | √ √ √ √
xDSL board | SIC-1V35B-AM | 1-Port VDSL2 WAN Interface Card | SIC | √ √ √ √
5G RU | RU-5G-101 | RU-5G-101, 2*GE, 5G (NR/LTE/WCDMA), PoE PD, IP65 | RJ45 | √ √ √ √ √ √ √ √ √ √ √
NetEngine AR8000: Ultra-High-Performance SD-WAN Hub
Ultra-high SD-WAN
forwarding performance
• SD-WAN IMIX: 12 Gbit/s to
20 Gbit/s
• SD-WAN 1400 bytes: 25
Gbit/s to 36 Gbit/s
Ultra-large Hub capacity
• Up to 6000 SD-WAN tunnels,
supporting connection with a
maximum of 6000 sites
Dual hot
swappable
power modules
4 x SIC expansion
slots
SRv6
• Intelligent optimal path
selection for E2E SLA assurance
1 x USB
port 3.0
expansion
10 x 10GE
optical ports
8 x GE combo
ports
4 x GE
electrical
ports
NetEngine AR8140-12G10XG
All WAN ports can be
switched to LAN ports.
Height: 1 U
1 x console port
1 x MGMT port
Built-in fan
Ports with the same number
are the same combo port.
NetEngine AR6300: High-Reliable Router for the HQ
and Large Branches
High reliability
• Dual SRUs, dual power modules
• Fan redundancy design
Dual SRUs
SRU-400H/SRU-600H
High-density slots
4 x SIC slots, 2 x WSIC slots, 4 x XSIC slots
Double
power
modules
Other vendors
Huawei
14 Gbit/s
1.5 to 9.6
Gbit/s
VS
NetEngine AR6300
* Two SIC slots can be combined into one WSIC slot, and
two WSIC slots can be combined into one XSIC slot.
High-density ports
SRU400H/SRU600:
WAN: 14 x 10GE optical ports
LAN: 10 x GE electrical ports
Independent
swappable
fan modules
3x the industry average
(Tolly certified)
* 10GE optical ports can be switched to GE optical ports,
and LAN ports can be switched to WAN ports.
NetEngine AR6300 Specifications
Specifications | AR6300 (SRU-400H) | AR6300 (SRU-600H)
NAT + QoS + ACL throughput (IMIX) | 10 Gbit/s | 12 Gbit/s
Dual SRUs | Dual-SRU dual forwarding | Dual-SRU dual forwarding
Dual power modules | Supported | Supported
Port | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports) | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports)
SIC slot | 4 | 4
WSIC slot (default/maximum) | 2/8 | 2/8
XSIC slot (default/maximum) | 4/6 | 4/6
Memory | 8 GB | 16 GB
Flash memory | 2 GB | 4 GB
Operating temperature | 0°C to 45°C | 0°C to 45°C
AR6300 front view AR6300 rear view
NetEngine AR6280: High-Reliable Router for the HQ and
Large Branches
High-density slots
4 x SIC slots, 2 x WSIC slots, 2 x XSIC slots
NetEngine AR6280
SRU
SRU-400H/SRU-600H
Double
power
modules
* Two SIC slots can be combined into one WSIC slot, and two
WSIC slots can be combined into one XSIC slot.
Independent
swappable
fan modules
High-density ports
SRU400H/SRU600:
WAN: 14 x 10GE optical ports
LAN: 10 x GE electrical ports
High reliability
• Double power modules
• Fan redundancy design
* 10GE optical ports can be switched to GE optical
ports, and LAN ports can be switched to WAN ports.
Other vendors
Huawei
14 Gbit/s
1.5 to 9.6
Gbit/s
VS
3x the industry average
(Tolly certified)
NetEngine AR6280 Specifications
AR6280 front view AR6280 rear view
Specifications | AR6280 (SRU-400H) | AR6280 (SRU-600H)
NAT + QoS + ACL throughput (IMIX) | 10 Gbit/s | 12 Gbit/s
Dual power modules | Supported | Supported
Port | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports) | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports)
SIC slot | 4 | 4
WSIC slot (default/maximum) | 2/6 | 2/6
XSIC slot (default/maximum) | 2/4 | 2/4
Memory | 8 GB | 16 GB
Flash memory | 2 GB | 4 GB
Operating temperature | 0°C to 45°C | 0°C to 45°C
NetEngine AR6140E-9G-2AC: All-in-One Router for Small
and Midsize Branches
4 x SIC or 2 x WSIC slots
WAN: 2 x GE optical
ports + 2 x GE ports
Double power
modules
5G ultra-broadband for flexible
expansion
5G-SIC card
Security
• Built-in advanced security
capabilities, such as firewall, IPS,
URL filtering, and antivirus,
implementing multi-level security
border protection
• IPsec VPN for secure interconnection
between branches
RU-5G-101
NetEngine AR6140E-9G-2AC
LAN: 2 x GE optical
ports + 3 x GE ports
1 x USB port
3.0 expansion
1 x console
port
+
Built-in fan
module
Height: 1 U
* Ports with the same number
are the same combo port.
* Two SICs can be combined into one WSIC.
WAN optimization
• Multi-fed and selective
receiving, preventing packet loss
• Per-packet load balancing,
improving bandwidth efficiency
NetEngine AR6121E: All-in-One Router for Small and
Midsize Branches
2*SIC
LAN: 8 x GE ports, 1 x GE
combo port
1 x console port
NetEngine AR6121E
WAN: 2 x GE combo ports,
1 x 10GE optical port
* Ports with the same number are
the same combo port.
1 x USB port 3.0 (compatible with USB 2.0)
1*USB3.0
Single power
module
Height: 1 U
Mounting ears
can be installed.
* Two SICs can be combined
into one WSIC.
5G ultra-broadband for
flexible expansion
5G-SIC card RU-5G-101
+
WAN optimization
• Multi-fed and selective
receiving, preventing packet
loss
• Per-packet load balancing,
improving bandwidth efficiency
Security
• Built-in advanced security
capabilities, such as firewall, IPS,
URL filtering, and antivirus,
implementing multi-level security
border protection
• IPsec VPN for secure
interconnection between branches
NetEngine AR6100 Specifications
Specifications | AR6121E | AR6140E-9G-2 (AC)
NAT + QoS + ACL throughput (IMIX) | 2 Gbit/s | 2 Gbit/s
Port | WAN: 1 x 10GE optical port + 2 x GE combo ports; LAN: 8 x GE ports + 1 x GE combo port | WAN: 2 x GE optical ports + 2 x GE ports; LAN: 2 x GE optical ports + 3 x GE ports
SIC slot | 2 | 4
WSIC slot (default/maximum) | 0/1 | 0/2
Memory | 4 GB | 4 GB
Flash memory | 1 GB | 1 GB
Operating temperature | 0°C to 45°C | 0°C to 45°C
AR6710: Security Converged Gateway
4 x SIC
expansion slots
2 x GE
copper ports
48 x GE
copper ports
2 x 10GE
SFP+ ports
NetEngine AR6710-L50T2X4
1 x console port
1 x MGMT port
NetEngine AR6710-L26T2X4
*Note: NetEngine AR6710-L50T2X4-T and NetEngine AR6710-L26T2X4-T models support TPM chips to enhance startup security.
*Switching between WAN
and LAN ports
Built-in fan
module
Dual hot swappable
power modules
4 x SIC
expansion slots
2 x GE
copper ports
24 x GE
copper ports
2 x 10GE
SFP+ ports
1 x console port
1 x MGMT port
*Switching between
WAN and LAN ports
Built-in fan
module
Dual hot swappable
power modules
6 built-in enterprise-level
security capabilities
IPS, URL filtering, antivirus, firewall,
IPsec, SA
One device for one branch
LAN ports: 48*GE electrical ports.
One device in a small- or medium-sized branch manages one branch,
reducing O&M costs.
1G SD-WAN forwarding performance
SRv6
Intelligent optimal path selection
E2E latency assurance
NetEngine AR651W-8P: All-in-One Multi-Functional Access
Router for Small Branches
2 x Wi-Fi antenna
ports
LAN: 8 x GE ports
All in One
• Integration of the routing,
switching, VPN, security, and
WLAN functions
PoE+ power supply
• Directly connected to devices
such as APs and cameras,
simplifying power cable routing
Plug-and-play of
5G/4G modules
• RU-5G-101
• LTE MIC card
NetEngine AR651W-8P
WAN: 2 x GE
combo ports
PoE power port
1 x MIC expansion
slot
1 x USB port 2.0
2 x console ports
Indicators on the
AR651W-8P
1 x power
port
* Ports with the same number are the same combo port.
* If PoE+ power supply is required, a 150 W PoE power adapter must be configured.
NetEngine AR650 Series Specifications
Specifications | AR651 | AR651W-8P | AR651W | AR657W
NAT + QoS + ACL throughput (IMIX) | Default value: 1 Gbit/s; Enhanced license: 2 Gbit/s | 2 Gbit/s | Default value: 1 Gbit/s; Enhanced license: 2 Gbit/s | Default value: 1 Gbit/s; Enhanced license: 2 Gbit/s
Port | WAN: 2 x GE combo ports; LAN: 8 x GE ports (can be configured as WAN ports) | WAN: 2 x GE combo ports; LAN: 8 x GE ports (can be configured as WAN ports) | WAN: 2 x GE combo ports; LAN: 8 x GE ports (can be configured as WAN ports) | WAN: 2 x GE combo ports + 1 x VDSL 35B port; LAN: 8 x GE ports (can be configured as WAN ports)
PoE | - | PoE+/PoE++ (150 W) | - | -
Slot | 1 | 1 | 1 | 1
Wi-Fi | - | - | 802.11ac/b/g/n | 802.11ac/b/g/n
LTE | LTE MIC card | LTE MIC card | LTE MIC card | LTE MIC card
Memory | 2 GB | 2 GB | 2 GB | 2 GB
Flash memory | 1 GB | 1 GB | 1 GB | 1 GB
Operating temperature | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C
NetEngine AR610 Series Specifications
Specifications | AR611W | AR617VW | AR617VW-LTE4EA/AR617VW-LTE4
NAT + QoS + ACL throughput (IMIX) | 300 Mbit/s | 300 Mbit/s | 300 Mbit/s
Port | WAN: 1 x GE combo port; LAN: 4 x GE ports (can be configured as WAN ports) | WAN: 1 x GE combo port + 1 x VDSL port; LAN: 4 x GE ports (can be configured as WAN ports) | WAN: 1 x GE combo port + 1 x VDSL port; LAN: 4 x GE ports (can be configured as WAN ports)
Slot | - | - | -
Wi-Fi | 802.11ac/b/g/n | 802.11ac/b/g/n | 802.11ac/b/g/n
Voice | - | 2 x FXS ports | 2 x FXS ports
LTE | - | - | Supported
Memory | 1 GB | 1 GB | 1 GB
Flash memory | 1 GB | 1 GB | 1 GB
Operating temperature | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C
Note: The AR617VW-LTE4 is available only in Latin America.
5G Uplink: SIC-5G-100 and RU-5G-101
Specifications | SIC-5G
Frequency band | 5G NR | n1/n3/n28/n41/n77/n78/n79
Frequency band | LTE FDD | B1/B3/B5/B7/B8/B20/B28
Frequency band | LTE TDD | B34/B38/B39/B40/B41
Frequency band | WCDMA | B1/B5/B8
Data rate | 5G SA: 230 Mbit/s in the uplink and 900 Mbit/s in the downlink; 5G NSA: 115 Mbit/s in the uplink and 900 Mbit/s in the downlink

Specifications | SIC-5G
Frequency band | 5G NR NSA | n1/n3/n5/n7/n8/n20/n28/n38/n40/n41/n77/n78/n79
Frequency band | 5G NR SA | n1/n3/n5/n7/n8/n20/n28/n38/n40/n41/n77/n78/n79
Frequency band | LTE FDD | B1/B3/B5/B7/B8/B18/B19/B20/B26/B28/B32
Frequency band | LTE TDD | B34/B38/39/B40/B41/B42/B43
Frequency band | WCDMA | B1/B3/B5/B6/B8/B19
Hardware specifications | Interface | Fixed 2 x GE RJ45 ports
Hardware specifications | Number of SIM cards | 2 x SIM cards
RU-5G-101
SIC-5G-100 Antenna
RU-5G-101: Providing 5G Wireless Access for
Enterprise Routers
5G-RU-101
High reliability
• Wide temperature range: –40°C to
+70°C
• Surge protection: 3 kA
• Double-card single-standby, 1+1
power supply backup for PDs
All-scenario installation
• Outdoor installation: IP65 rating,
dust- and water-proof
• Wall-mounted on the balcony:
EMC Class B
Unique floating ground design
Free of grounding cables, built-in
omnidirectional antenna with high
gains, connecting to the AR router via
only an Ethernet cable (at a maximum
distance of 50 m)
SIM card slot
(SIM1 and SIM2)
2 x GE/PoE_IN
ports
Console port
Ventilation
valve
It can be used with all NetEngine
AR600/AR6000 series routers.
NetEngine AR1000V: One Hop to Six Clouds
Universal server
(X86 architecture)
Hypervisor
(KVM/VMware/FusionSphere)
AR1000V
Router VPN
QoS
Eth/IP Security
Service models in different service scenarios
⚫ Basic SD-WAN: EVPN + IPsec + HQoS
⚫ Typical SD-WAN: EVPN + IPsec + FPI + SA +
NetStream + HQoS
⚫ SD-WAN IWG: EVPN + IPsec + MPLS
R21C00
Role
IWG, Hub, Spoke, vRR
It cannot be used in white-box and traditional solution scenarios.
Performance 1G, 5G, and 10G, mainly used on the cloud and as the IWG
Running
environment
• Infrastructure: x86 platform
• Hypervisors: VMware ESXi, Red Hat KVM, Huawei FusionSphere, Microsoft Hyper-V
• Public cloud platforms: Huawei Cloud, China Telecom e-Cloud, Alibaba Cloud, AWS,
Microsoft Azure, and Tencent Cloud
• The AR1000V can be automatically deployed on Huawei Cloud and AWS through
the controller, but needs to be manually deployed on other clouds.
Supported private
clouds
• Private clouds that support the preceding hypervisors
Features not
supported
• WAN optimization capabilities, including FEC, multi-path packet duplication, and
per-packet load balancing
• Security capabilities, including antivirus, IPS, and URL filtering
• Layer 2 interfaces and Layer 2 features
All-In-One Convergence, Simplified Branch
Interconnection
Secure
interconnection
between branches
Built-in security
Built-in firewall, IPS,
URL filtering...
On-demand VPN
interconnection
Diversified VPN types
Multiple types of Layer
2/Layer 3 VPNs
Application
experience assurance
Application optimization
A-FEC, multi-fed and
selective receiving, and
application-based
intelligent traffic steering
Simplified branch
O&M
Plug-and-play
Email-, USB-, and DHCP-
based deployment
Smart routing
Flexible switchover
Layer 3 routing and
forwarding/Layer 2
switching
Smart Policy Routing (SPR), Load Balancing Among
Multiple Links
NetEngine AR
• Traditional routing is performed based on the shortest
path, without considering the routing path quality.
• Different types of key services, such as voice, video, and
data services, require routing paths of different quality.
SPR
NQA Traffic
Policy
As the basis of SPR, NQA is used
to detect the path quality.
Traffic policies are used to identify key services
and match corresponding paths.
5G/LTE escape link
Enterprise
branch
DC
• Select the optimal link to forward service data,
effectively preventing problems such as network
blackhole and flapping.
• Ensure the link quality for key services.
Video and voice
Data
NetEngine AR
Requirements & Challenges Benefits
Note: To enable SPR, you need to configure
the license of the value-added service
package for data services.
Smart Routing VPN Interconnection Secure Interconnection Experience Assurance Simplified O&M
Integrated Routing and Switching: Flexible Switching
Fixed ports: LAN ports can be
switched to WAN ports using the
undo port switch command.
Fixed ports: WAN ports
can be switched to LAN
ports on some models.
Layer 2 cards configured with VLANIF
interfaces support simple Layer 3
forwarding, but do not support NAT,
MPLS, IPsec, and HQoS.
Some Layer 2 cards support
LAN/WAN switching.
1 3
2 4
Diversified VPNs: Providing Secure Channels for Enterprise
Branch Interconnection
Internet
Branch A
Branch B
Branch C
Mobile employee
Enterprise HQ
Enterprise DC
IPsec DSVPN
Branch D
Scenarios Solutions and Benefits
• Interconnection between enterprise branches and HQ: The
enterprise HQ and branches communicate with each other, involving
multicast service requirements such as video conferencing.
• Interconnection between enterprise branches: High security is
required for communication between enterprise branches.
• Mobile office: The access location is flexible.
• GRE over IPsec VPN solution: Multi-protocol secure interworking,
supporting multicast, broadcast, and non-IP packets
• IPsec DSVPN solution: On a hub-spoke network, branches dynamically
establish secure VPN connections as required.
• L2TP over IPsec VPN solution: L2TP dial-up of clients and IPsec
encryption for P2P and E2E secure interconnection as required
Comprehensive Six Border Security Protection Capabilities
Flexible traffic steering for SaaS applications,
ensuring service quality
• Local, centralized, and hybrid Internet access modes are available,
ensuring services.
• Application-based flexible traffic steering
Abundant built-in security capabilities, saving costs
and simplifying O&M
• Built-in L7 application identification and control, 6 enterprise-level
security capabilities, ensuring Internet access security, reducing costs,
and facilitating management but requiring no additional devices
Internet
Branch
SaaS
Local
breakout for
SaaS
Centralized Internet access
HQ
NetEngine AR
ACL FW URL filtering
IPS
Antivirus
Data encryption
Remote URL filtering
140+ categories, > 96% accuracy
Fine-grained Internet access
control
Real-time remote query
Mainstream VPN
encryption protocols
Antivirus
5+ million signatures
Remote real-time update
of the virus signature
database
IPS
1600+ attacks detected, > 90%
detection rate
Remote real-time update of
the IPS signature database
Built-in firewall
Stateful inspection and
packet filtering firewalls
Application-
level ACL
6000+ applications in the SA
database, user-defined applications
Fine-grained control
Identification of Various Applications, Including Well-Known
Applications and Private Applications
Signature
database (new)
Signature
database (old)
Seamless
switchover
Protocol 1
Protocol 2
...
New
protocol
Protocol 1
Protocol 2
...
Remote signature
database file
Identification of various applications
• Multiple identification methods are supported: including packet signature
identification, correlation identification, and behavior identification.
• 6000+ mainstream applications in and outside China are supported,
including Office 365, VoIP, game, email, and video.
• Applications can be customized based on the 5-tuple, URL, and DSCP,
facilitating identification of private applications.
Flexible SA signature database upgrade, ensuring
the identification of all new applications
• The SA signature database file is maintained and released by Huawei
Security Competence Center. Customized applications can also be imported.
• Batch upgrade, scheduled upgrade, and periodic release of new signature
databases are supported.
• The SA signature database upgrade status can be checked, including the
upgrade time, countdown, upgrade progress bar, and upgrade
success/failure.
• The SA signature database can be rolled back if it fails to be upgraded.
SA engine
Unidentified
packets
Identified
packets
Application
policy
SA
Correlation
identification
Customized
applications
Identification of various applications and flexible
SA signature database upgrade
Flexible SA signature
database upgrade
Identification of
various applications
Multi-Fed and Selective Receiving, Ensuring Zero Packet Loss
for Key Services and 0 ms Service Switchovers
X
P1 P2 P3 P4
Key services Weak
signal P1 P2 X P4
5G P1 P2 X P4
No service
interruption
Multi-fed and selective receiving, preventing packet loss
P1 X P3 P4
5G/wired
P1 P3 P4
Multi-fed Selective
receiving
AR-assisted remote guidance Telemedicine
Dual experience assurance for key services Optimized experience
Optimized experience
• The AR on the transmit end duplicates traffic flows and
sends different copies through different links. After receiving
the traffic, the AR on the receive end selects in-order packets
on one link to receive, which ensures service experience.
• Since two copies of flows are sent over two links at the same
time, if packets on one link are lost, service experience is not
affected, achieving 0 ms service switchovers.
Without dependency on underlay links,
applicable to various scenarios
• Supports dual 5G links, 5G+wired link, and different wired
links to fit various application scenarios.
Flexible and controllable application-
based policies
• Allows users to enable/disable this function for specific
application services, improving device performance and
saving link bandwidth resources.
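The multi-fed and selective receiving behaviour described on this slide, as an added Python sketch (not Huawei code and not the AR implementation). It assumes each packet carries a sequence number; the names Packet, multi_feed, SelectiveReceiver and transfer are hypothetical. The loss pattern mirrors the slide's figure: one link loses P3, the other loses P2.

```python
from dataclasses import dataclass
from itertools import zip_longest


@dataclass(frozen=True)
class Packet:
    seq: int       # assumed per-flow sequence number (not stated on the slide)
    payload: str


def multi_feed(payloads, link_count=2):
    """Transmit end: number each payload and place one copy on every link."""
    packets = [Packet(seq, p) for seq, p in enumerate(payloads, start=1)]
    return [list(packets) for _ in range(link_count)]


def apply_loss(link, lost_seqs):
    """Constructed loss model: drop the listed sequence numbers on one link."""
    return [p for p in link if p.seq not in lost_seqs]


class SelectiveReceiver:
    """Receive end: accept the first copy of each packet, deliver in order."""

    def __init__(self):
        self.next_seq = 1      # next sequence number owed to the application
        self.buffer = {}       # out-of-order packets waiting for a gap to fill
        self.delivered = []    # payloads handed to the application, in order
        self.duplicates = 0    # redundant copies discarded

    def receive(self, pkt):
        # A copy already delivered or already buffered is the redundant one.
        if pkt.seq < self.next_seq or pkt.seq in self.buffer:
            self.duplicates += 1
            return
        self.buffer[pkt.seq] = pkt
        # Release every packet that is now contiguous with what was delivered.
        while self.next_seq in self.buffer:
            self.delivered.append(self.buffer.pop(self.next_seq).payload)
            self.next_seq += 1

    def stalled_on(self):
        """Sequence number blocking delivery, or None if nothing is waiting."""
        return self.next_seq if self.buffer else None


def transfer(payloads, lost_on_a, lost_on_b):
    """Send payloads over two links with the given losses; return the receiver."""
    link_a, link_b = multi_feed(payloads)
    link_a = apply_loss(link_a, lost_on_a)
    link_b = apply_loss(link_b, lost_on_b)
    rx = SelectiveReceiver()
    # Constructed arrival order: the two links alternate packet by packet.
    for pair in zip_longest(link_a, link_b):
        for pkt in pair:
            if pkt is not None:
                rx.receive(pkt)
    return rx


if __name__ == "__main__":
    flow = ["P1", "P2", "P3", "P4"]

    # Slide scenario: each link loses a different packet, the flow survives.
    rx = transfer(flow, lost_on_a={3}, lost_on_b={2})
    print(rx.delivered, "duplicates discarded:", rx.duplicates)

    # Failure mode: both links lose the same packet, delivery stalls at the gap.
    rx = transfer(flow, lost_on_a={3}, lost_on_b={3})
    print(rx.delivered, "stalled on seq", rx.stalled_on())
```

The second run shows the limit of duplication: it only masks loss that is uncorrelated across the two links, so a real receiver also needs a timeout or retransmission path for a packet lost on both.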
Per-Flow/Per-Packet Load Balancing, Improving Bandwidth
Utilization to 90%
Uneven traffic distribution on links,
resulting in low bandwidth utilization
Per-flow and per-packet load balancing:
No congestion occurs on high-quality links, and the
bandwidth utilization > 90%.
Congested active link (MPLS)
Uneven traffic distribution on links
The primary link is congested, and the
backup link is idle.
Low comprehensive
bandwidth utilization
5G
Backup
link
Idle
P1 P2 P2 P3 P4
P1 P3 P4
Packet
reassembly
P1 P2 P3 P4
P1 P2 P3 P4
P1 P2 P3 P4
P1 P2 P3 P4
Key services
Common service
(elephant flow)
Transmit
end
Receive end
MPLS (high-quality link)
5G/Internet (lossy link)
• Per-flow/per-packet load balancing for common services (elephant flows) to share
high-quality links
• Packets on high-quality links are dynamically adjusted based on the bandwidth,
improving bandwidth utilization and preventing congestion.
• Packets lost on lossy links are retransmitted once to avoid packet loss and ensure
low latency.
Built-in AC function, Managing Wi-Fi APs in a Unified Manner
Tablet
AP AP AP
NetEngine AR
WAN
Policy center • Applicable to small and midsize enterprises and integrated
wired and wireless networking
• APs forward data locally, and ARs authenticate users in a
centralized manner.
• Both APs and ACs support Layer 2 and Layer 3 networking.
Application scenarios
• All AR series routers support the built-in AC function.
• Huawei APs can be managed. For details about supported
models, see the product manual.
• Multiple authentication methods are supported, including
Portal authentication, 802.1X authentication, and MAC address
authentication, ensuring secure and flexible access.
Industry's first built-in AC, simplifying branch
wireless networking
Multiple ZTP Modes: Zero Touch and Plug-and-Play Devices
DHCP
USB flash
drive
Email
Network
Power supply
NetEngine AR
Plug-and-play devices, minute-level
deployment
Multiple ZTP modes, applicable to branch network
deployment in different scenarios
Adaptation to different interfaces: Eth/LTE/xDSL...
Adaptation to different access modes: static IP
address, PPPoE, DHCP...
Adaptation to different deployment scenarios:
dual-CPE, batch deployment, device replacement...
5G
5G/Internet/
MPLS
Go online after
initiating registration
with iMaster NCE
Quiz
1. Multiple-answer question: Which security features do NetEngine AR routers
support? ( )
A. Built-in firewall
B. URL filtering
C. Antivirus
D. IPS
E. Data encryption
Summary
⚫ This chapter describes Huawei NetEngine AR products and their application
scenarios (all series routers support SD-WAN):
 HQ/Large branches: AR8000, AR6280, and AR6300
 Midsize branches: AR6100 and AR6710
 Small branches: AR650
 SOHO: AR610
⚫ It also describes the highlights of the NetEngine AR routers in terms of intelligent
routing, VPN interconnection, security, experience assurance, and simplified O&M.
More Information
⚫ Product overview: https://e.huawei.com/en/products/enterprise-
networking/routers
⚫ Detailed introduction materials: https://e.huawei.com/en/material/materiallist
⚫ Campus network solution: https://e.huawei.com/en/solutions/business-
needs/enterprise-network/campus-network
⚫ Product documentation:
https://support.huawei.com/enterprise/en/routers/ar6000-pid-250680700
Copyright© 2022 Huawei Technologies Co., Ltd.
All Rights Reserved.
The information in this document may contain predictive
statements including, without limitation, statements regarding
the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
Bring digital to every person, home, and
organization for a fully connected,
intelligent world.
Thank you.
Huawei Data Center Network Products and Solutions
Presales Training
⚫ Security Level:
Huawei Confidential
Foreword
⚫ This course describes basic concepts of data center networks (DCNs),
Huawei's CloudFabric 3.0 hyper-converged DCN solution, and basic
knowledge of Huawei's CloudEngine data center (DC) switches.
Objectives
⚫ On completion of this course, you will be able to:
 Describe the basic architecture of a DCN.
 Have general knowledge of Huawei's all-Ethernet storage network and autonomous driving
DCN solutions.
 Understand Huawei's CloudEngine DC switches and their deployment scenarios.
Contents
1. DCN Fundamentals
2. CloudFabric 3.0 Autonomous Driving Network
3. CloudFabric 3.0 All-Ethernet Storage Network
4. CloudEngine Switch Introduction
5. Market Progress
What is a DC?
• A DC is used by enterprises and departments to store, manage, and
exchange information and data.
• It usually includes computing resources, storage resources, data
communication network, power supply, environment control, and
various security devices.
• Based on the number of standard racks, DCs can be classified into
small and midsize DCs (< 3000 racks), large DCs (3000-10000 racks),
and ultra-large DCs (> 10000 racks).
Phase 1: server hosting
Phase 2: server hosting and
web hosting
Phase 3: traditional services and
new network applications
Provides hosting and maintenance
services for basic resources and
facilities such as sites, network
bandwidth, and communication
devices. These services are mostly
provided by telecom carriers.
Provides services such as data
storage management, security
management, network
interconnection, egress
bandwidth, link, and QoS, besides
the server hosting service.
Large-scale, virtualized, and
comprehensive DCs, implementing
on-demand services and reducing
power consumption
1990s 1995-2004 2005-present
DC Evolution
DC Introduction
DCN Introduction
What is a DCN?
• A DCN plays an important role in a DC because it connects all DC resources.
• DCNs need to be scalable and efficient to connect tens or even hundreds of thousands of servers to
cope with the growing demands of cloud computing.
DCN components and
technologies:
1. Network device
Switches, routers, etc.
2. Ethernet cable
Interface cables, optical fibers,
etc.
3. Network addressing scheme
IPv4, IPv6, etc.
4. Network security
Firewalls, intrusion detection
systems (IDSs), etc.
5. Internet connection
Private lines, optical fibers, etc.
Spine
Internet
Server
Physical connections
Storage
Leaf
Border leaf
Logical topology
Server Server Server Server Server
Access switch Access switch Access switch Access switch Access switch
Core/Aggregation
switch
DCN Connects General-Purpose Computing, HPC, and
Storage Devices
General-purpose
computing
Storage HPC
Storage network
Service network Computing network
DCN
Typical DC Evolution Trend
DB
DB DB DB DB
DB DB DB DB
Distributed computing
Distributed DB
Distributed storage
VM VM
VM VM
VM VM
VM VM
VM VM
VM VM
LB
DB
DB
DB
Physical machines (PMs)
Single-point interaction
VMs in a DC
Intra-cluster interaction
Inter-cluster interaction
VMs and containers in a DC
Elastic large-scale cluster
Massive east-west traffic
Cloud-based DC deployment
Multiple clouds
Tenant isolation and access
Centralized Virtualized Distributed Multi-site and multi-cloud
Three IT Transformations Drive DCNs Towards All-Ethernet
Scale: 100x
Centralized ->
Distributed
IT architecture
Computing unit
Storage media
PCIE
IB Ethernet
CPU/GPU interconnection
over Ethernet
Performance: 100x
or
AS-IS TO-BE
Capacity: 1000x
SCSI NVMe
FC (32G) RoCE (400GE)
PCIe is
replaced
HDD -> SSD
All-flash storage
interconnection over Ethernet
Server
interconnection
over Ethernet
Ethernet Ethernet
Centralized Distributed
Intel Ascend Kirin
Huawei NetApp DELLEMC
Three Challenges Faced by DCN All-Ethernet Evolution
More complex O&M on large
networks
Zero packet loss required for
dual-active storage
Zero packet loss required for HPC
The packet loss rate increases
exponentially as the number
of network nodes increases
on a traditional Ethernet.
Traditional Ethernet lacks
effective O&M methods.
The network is too complex to
be handled manually.
0.2%–0.3% packet loss rate
The latency increases in intra-
city long-distance
transmission, making cross-DC
flow control more difficult on
a traditional Ethernet network.
0.15%
0.02%
(> 70 km)
DC A DC B
1000 nodes, millions
of configurations
Nodes
CloudFabric 3.0 Hyper-Converged DCN Solution
Full-lifecycle
automation
TTM reduced by 90%
Network-wide
intelligent O&M
Proactive prediction of
90% of faults
Active-active all-Ethernet
storage network
Storage performance
improved by 90%
100% computing
power unleashing
All-Ethernet HPC
network
Hyper-converged DCN
General-purpose
computing Storage
HPC
Optimization
Planning
Multi-cloud
Construction Maintenance
Automation Intelligence
Lossless all-Ethernet
Zero packet loss for local and
long-distance transmission
Convergence of computing
and storage networks
Network-wide intelligent
O&M
Device/Port/Optical
module/Network/Service
Predictive O&M, ensuring zero service
interruption
Full-lifecycle automation
Automation of planning,
construction, maintenance, and
optimization
Intent-driven network, enabling
network servitization
Three Characteristics
Core Values
OpenStack
Kubernetes
FusionSphere
VMware
Hyper-Converged DCN Solution Overview
Application layer
• Cloud OS: collaboratively manages computing, storage,
and network resources. The container provisioning
platform creates and provisions containers.
Control and analysis layer
• Computing manager: implements virtualization and
resource management at the computing layer.
• Network controller: manages and controls network
devices in a centralized manner.
• VAS controller: provides security policy control for
firewalls.
• Multi-DC network orchestration: The MDC is used to
uniformly orchestrate multiple private cloud DCs.
• Network analyzer: analyzes intra-DC traffic and
quickly locates traffic exceptions. The MDA is used to
analyze inter-DC traffic and evaluate the health status
of inter-DC traffic.
Forwarding layer
• Network devices: CloudEngine series switches are used
as physical switches to support various DC features.
• VAS devices: NGFWs/vNGFWs are used to provide
multiple security features for DCs. LBs are used to
provide flexible load balancing services for DC services.
Traffic diversion to third-party VAS devices is supported.
DC 1
Cloud
platform
Container
platform
FabricInsight
HiSec Insight
Cloud OS
VMM iMaster NCE-Fabric SecoManager
vSwitch
Leaf Leaf
Spine
NGFW/vNGFW Third-party
firewall
Server
pool VAS pool
Fabric
Intelligent and lossless network
DC n
MDC
Core
WAN
Multi-DC fabric
Fabric
gateway
Fabric
gateway
Application
layer
MDA
Public
cloud
...
iMaster
NCE-Fabric
FabricInsight
Control
and
analysis
layer
Forwarding
layer
Collaboration with the Industry to Promote L0 to L5
Standards for Autonomous Driving Networks
Level Definition | L0: Manual O&M | L1: Tool-assisted automation | L2: Partial Autonomous Network | L3: Conditional Autonomous Network | L4: High Autonomous Network | L5: Full Autonomous Network
Execution | By human | By human/system | By system | By system | By system | By system
Awareness | By human | By human | By human/system | By system | By system | By system
Analysis | By human | By human | By human | By human/system | By system | By system
Decision-making | By human | By human | By human | By human/system | By system | By system
Intent/Experience | By human | By human | By human | By human | By human/system | By system
Application scope: N/A, Some scenarios, All scenarios
Key Features
Manual
processing
Automatic
processing
Manual fault
remediation
Automatic fault
remediation
Special
scenario
All
scenarios
TMF Autonomous Network White
Paper 2.0
(jointly with 22 vendors and users)
Huawei ADN
White Paper
Huawei Autonomous Driving Data
Center Network Solution White
Paper
IDC: Leveraging the
Autonomous Driving
Datacenter Network Index
• Download the Tolly report at http://3ms.huawei.com/documents/docinfo/494215783089229824?bookstackId=13672&catalogId=394909258739236864.
3.5:2.8: Huawei's Autonomous Driving DCN Takes the Lead
in the Industry
Phase: Day 0, Day 1, Day 2, Day N
Scenario | Capabilities | Weight | Score
Planning and design | Online planning; online simulation and verification | 5% | 3.6 Vs 2.7
Deployment | Exception reporting during automatic commissioning | 5% | 3.3 Vs 2.9
Service provisioning | Service intent-based configuration recommendation; online simulation and verification | 15% | 3.7 Vs 2.9
Monitoring and troubleshooting | Automatic fault demarcation; automatic service recovery | 35% | 3.6 Vs 2.9
Network change | Online simulation and verification; proactive exception detection | 35% | 3.4 Vs 2.7
Optimization and parameter adjustment | Indicator deterioration prediction; automatic parameter adjustment | 5% | 3.2 Vs 2.5
3.5
Solutions of
other vendors
Controller &
Analyzer
iMaster NCE-Fabric
NCE-FabricInsight
Controllers of
other vendors
Switches of
other vendors
CloudFabric
DC ADN
2.8
:
"Huawei's CloudFabric solution
scored 3.51 points, outperforming
the 2.8 points scored by the
mainstream DC SDN solution in the
industry. The CloudFabric solution is
the only DCN solution that provides
L3.5 autonomous driving in the
industry among all DCN solutions
evaluated by Tolly."
Industry
average
Other
vendors
Switches
CE 16800
9800/8800/6800
iMaster NCE-Fabric: Data Center Surpassing L3 Autonomous
Driving Network Engine
Zero-wait deployment
◼ 21 intent cases, fully automated planning,
design, and deployment
◼ Multi-DC and multi-cloud, implementing
automatic orchestration
Zero configuration errors
◼ Underlay/Overlay pre-event simulation,
eliminating human errors
◼ Network change simulation, ensuring zero
network design errors
Zero service interruption
◼ Three-level (network-wide/tenant/service)
rollback, achieving network-wide fast
recovery within 20 minutes
◼ Automatic fault remediation, rectifying
faults within 5 minutes
Fast
Accurate
Stable
Fast provisioning, error-free
configuration, fast rollback
Planning Construction Maintenance Optimization
Intent recommendation
Network automation
Intelligent fault
remediation
Simulation and
verification
AI inference
Digital twin
Public cloud
Leaf Leaf
Spine Spine
Leaf Leaf
DC 1
Industry cloud
Leaf Leaf
Spine Spine
Leaf Leaf
DC N
Customer service
system/operations platform
Interconnecting with
service systems in the
northbound direction
Shielding network differences in
the southbound direction
OpenStack Kubernetes FusionSphere
Red Hat
iMaster NCE-Fabric Delivers Simplified Full-Lifecycle
Management & Control for DCNs
Day 0 planning and
construction
Day N change and
optimization
Day 1: service provisioning
01 DC construction 02 Application
launch
03 Application
change
04 Application
interconnection
05 Application
offline
06 Server capacity
expansion
07
Server leaf node
capacity expansion
08
Border leaf node
capacity
expansion
09
VAS capacity
expansion
13 Network analysis
14 Risk prediction
15
Device
replacement
16 Server port
replacement
10
Passive complaint
handling 17
Server offline
(follow-up)
19
20
21
11
Key assurance
monitoring 18
12
Network change
simulation
Device upgrade
and patch
installation
Traffic optimization and
capacity expansion
Application optimization
(follow-up)
Network optimization
(follow-up)
Day 2 O&M and monitoring
iMaster NCE-FabricInsight: Smart Brain of Autonomous
Driving DCNs
Fault locating within minutes
⚫ "1-3-5" intelligent O&M, automatic locating
for 90% of faults
⚫ Application-network integration analysis and
one-click fault demarcation
Comprehensive health evaluation
⚫ Five-dimensional network health evaluation
system, 24/7 real-time visualization
⚫ Prediction of 20+ risks, ensuring that the
SLA is not affected
Comprehensive network
change assurance
⚫ Automatic identification of configuration and
entry changes, improving efficiency by 10 times
⚫ Automatic verification of network-wide
connectivity, ensuring comprehensive
assurance of important services
Network telemetry
Software
SDN
Multi-cloud
network
Hardware
SDN
Multi-vendor
devices
Traditional
network
Vendor A
Vendor B
Public
cloud
On-
premises
cloud
Private
cloud
Unified modeling
Network digital map
Intent engine
AI learnware
Big data analytics
Network health
evaluation
"1-3-5"
troubleshooting
Application fault
demarcation
Network
optimization
Key service
assurance
Integrator
ITSM APM NPM
Full data service openness and one-click release
of scenario-based APIs
RoCE
network
RoCE
FabricInsight: Building All-Scenario O&M Service Apps Based
on Knowledge Graph Modeling
Network
digital map
Intent
engine
AI learnware
Big data
analytics
Data
catalog
AI
capability
Scenario-
specific app
Open
orchestration
Atomic
service
Network health
evaluation
"1-3-5"
troubleshooting
Data plane intent
verification
IP 360
Network snapshot
comparison
NetSearch
O&M service
Data collection
Intelligent
analysis
Intelligent
platform
Openness
service
...
...
Unified
modeling
Configuration
data
Network
metrics
Forwarding
entry
Log & alarm
Network
topology
Network
resource
Service flow
Heterogeneous
network Hardware SDN Software SDN Traditional network
Intelligent and
lossless network
Public cloud Hybrid overlay
iMaster NCE-FabricInsight vs Traditional NMS
Telemetry
Second-level
data
collection
SNMP
5-minute
polling
period
Passive response Proactive O&M
Service-centric
Performing
inspection 2
hours a day
Depending on
manual fault
locating
Multi-DC and
multi-cloud
Separated and
independent O&M
Overall
perspective
Unified O&M
Traditional NMS
Device-centric
Network data visualization in all scenarios
• Eight-dimensional indicator analysis
• Anomaly detection based on dynamic baselines
"1-3-5" troubleshooting
• AI algorithm + expert experience
• Automatic locating of multi-vendor
device problems
Comprehensive network health
evaluation
• Five-layer evaluation model + AI
algorithm
• Capacity/Traffic risk prediction
iMaster NCE-FabricInsight
Minute-level risk
identification
Automatic
troubleshooting
Multi-cloud and multi-DC analysis
• Unified health evaluation for multiple DCs
• Visualized cross-cloud service access
Large and Midsize SDNs Have Strong Demands for
Automated Planning, Deployment, and O&M
⚫ DC personnel focus on services, and there is a lack of
CCIE-level planning experts for networks.
⚫ The service department detects problems before the
network department, and the network cannot prove
its innocence.
Pain points
3 to 5
weeks for
manual
design
1 to 2 days for
manual
evaluation
Automatic
configuration
delivery
Manual
analysis
Static
optimization
Manual fault
locating in hours
Knowledge
graph
Capacity expansion
Self-design
Self-
verification
Self-
recovery
Self-
optimization
Maintenance
Construction
Planning
Optimization
Requirements
Typical customers
Single-active Multi-active
⚫ A new DR DC is built for the delivery of multi-active
services.
⚫ SDN makes the network a black box, in which faults are difficult to locate.
⚫ Planning and design take more than 60% of network
O&M personnel's working hours.
Scattered Centralized
Intelligent ADN Deployment: Deployment Efficiency Three
Times the Industry Average, Zero Wait, Zero Error, and Zero
Interruption
Zero-wait deployment
21 intents (planning/design/deployment)
Deployment efficiency improved by 90%
Zero configuration errors
Pre-event AI-powered simulation,
post-event verification
100% configuration correctness
Zero service interruption
Multi-level rollback (network-
wide/tenant/service)
Fast and flexible rollback based on
the fault impact scope
No planning/design automation
Complex operations, multi-interface
switching, low efficiency
No pre-event simulation
40% of network faults caused
by human errors
No service rollback
Precise fault rectification not possible,
network-wide rollback extremely slow
SDN
in the industry
ADN
O&M Challenges: Evolution from Traditional Manual O&M
to AI-Powered Intelligent O&M
More than 85% of network faults are detected only after service complaints.
On average, it takes 76 minutes to locate a fault.
System shutdown causes a loss of a million US dollars per hour.
Source: Network Computing, the Meta Group and
Contingency Planning Research
Manual fault
identification
Manual packet
obtaining for
fault locating
Manual
step-by-step
fault isolation
Media
Healthcare
Retail
Manufacturing
Telecom
Power
Finance
2.0
2.8
6.48
1.6
1.1
0.63
0.09
30%
can be identified
through
traditional O&M.
70%
cannot be
identified
through
traditional O&M.
Abnormal
flows
account for
3.65% of
network-wide
flows.
Zero fault
tolerance
Difficult fault
detection
Difficult fault
locating
"1-3-5" Intelligent O&M for ADNs: Faults Detected in 1
Minute, Located in 3 Minutes, and Rectified in 5 Minutes
Real-time network
health monitoring Service assurance upon changes
Real-time network
health
70+ metrics
Telemetry-based data
collection in
milliseconds
Real-time full
information collection
AI knowledge graphs
"1-3-5" intelligent O&M
Quick locating of 75+ faults
Unknown fault inference
and learning
24/7 automated
intent verification on
the data plane
Configuration
comparison before and
after network changes
Comprehensive
assurance for mission-
critical services
Quick root cause locating
Route
switching
Many trucks
No systematic evaluation,
depending on expert's experience
No intelligent analysis,
failing to quickly locate root
causes of failures
No method to predict road
conditions,
switching routes blindly
Traditional
solution
CloudFabric SDN Private Cloud Baseline Networking
DC2
Spine
Server leaf
Border leaf Service leaf
Fabric gateway
M-LAG
Multi-active
M-LAG
2. VAS device in bypass mode
1. VAS device in service mode
CloudFabric product model selection (models in blue are recommended models)
1. Server leaf node:
➢ 10GE access and 40GE/100GE uplink: CE 6881
➢ 25GE access and 100GE uplink: CE 6863E, CE 6866
➢ Hybrid-rate access: CE 8851, CE 16800 (G card)
2. Spine node:
➢ Modular device networking: CE 16800 (G card), CE 16800 (P card)
➢ Fixed device networking: CE 9860, CE 8850, CE 8851
3. Border leaf node:
➢ Modular device networking: CE 16800 (G card), CE 16800 (P card)
➢ Fixed device networking: CE 6881, CE 6863E, CE 8851, CE 6866, CE 6870
4. Service leaf node:
➢ Modular device networking: CE 16800 (P and G cards)
➢ Fixed device networking: CE 6881, CE 6863E, CE 8851, CE 6866, CE 6870
5. Fabric gateway (DCI leaf node):
➢ Modular device networking: CE 16800 (G card), CE 16800 (P card)
➢ Fixed device networking: CE 6881, CE 6870
Scenario constraints:
(1) Two-layer architecture: If the number of physical servers on the entire network is less than 200 or the number of VMs is less than 6000, the two-layer architecture where border leaf nodes and spine nodes are combined can be used, and the optional models include CE16800.
(2) The fixed device networking does not support the two-layer architecture where border leaf, service leaf, and spine nodes are combined.
CloudFabric Easy: Standard Solution for Small and Midsize
DCs, Simplifying Pre-/Post-Sales
Egress
1. Limited equipment room
space and small scale
2. Fixed services, no capacity
expansion
3. Standard networking,
simplifying delivery
Hosting or mini-sized equipment
room with fewer than 30 cabinets
+
Border leaf:
iMaster NCE-Fabric/
iMaster NCE-FabricInsight
25GE: CE6863E-48S6CQ
10GE optical: CE 6881-48S6CQ
10GE electrical: CE 6881-48T6CQ
CE 8850-64CQ-EI/9860
CE 16804
CE 6863E-48S6CQ
CE 6881-48S6CQ
Server leaf:
Spine:
Service requirements CloudFabric Easy baseline networking
Single-node deployment using
the 2288X V5 (x86) server
Euler OS
Controller:
Multi-DC Controller: Collaborative Orchestration of Public
and Private Clouds
VPC
Subnet-2
IPsec gateway
IPsec VPN
Private line
• Separated management
for multiple
heterogeneous clouds
• One service with multiple
work orders
• Insufficient O&M
capabilities
• 50% of O&M personnel
are fully occupied by
service configuration
and rollout verification.
• Inefficient cross-cloud
deployment
Solution
Three-layer
network visibility
Low cost and high
ease of use
Intelligent O&M
Uniform
orchestration
Unified model and
interconnection visibility
• Lack of a global
perspective
• Visualization on a
per-resource basis
• 10+ days taken to
deploy a single cross-
cloud service
Hybrid cloud
simulation and
verification
Cross-cloud simulation,
sensing interconnection
Huawei DCN hybrid cloud service architecture
Hybrid cloud orchestration layer: Terraform/vRO
Private
cloud
Public cloud
MDC (hybrid cloud
orchestration)
Private cloud: unified management,
control, and analysis
Public cloud: visualized and unified
O&M of network resources
Common VPC
The MDC innovatively defines the interconnection model, which reads VPCs of public and private clouds in
the southbound direction, and implements one-click interconnection of hybrid cloud services.
Scenario: distributed multi-DC and multi-cloud services for enterprises
Public cloud VPC
Interconnection
model
or
Unified public cloud model
Driver of public cloud vendors
Zero service
interruption
NCE-Fabric
Public cloud's
open APIs
NCE-FabricInsight
Contents
1. DCN Fundamentals
2. CloudFabric 3.0 Autonomous Driving Network
3. CloudFabric 3.0 All-Ethernet Storage Network
4. CloudEngine Switch Introduction
5. Market Progress
RDMA and RoCE and Their Typical Applications
➢ Distributed storage
• Back-end network
• Front-end network
...
Compared with TCP, RoCEv2 slashes latency.
Remote Direct Memory Access (RDMA) is a method of transferring data between
buffers of applications on two servers over a network.
RoCE: direct remote memory access over Ethernet
□ Low latency □ High throughput □ Low CPU and OS resource usage
RDMA Software Stack
RoCEv1 (top to bottom): IB Transport Protocol, IB Network Layer, Ethernet Link Layer; Ethernet/IP Management
RoCEv2 (top to bottom): IB Transport Protocol, UDP, IP, Ethernet Link Layer; Ethernet/IP Management
Application scenarios
➢ AI applications
• Speech recognition
• Image recognition
• Autonomous driving
• Intelligent
recommendation
...
➢ Centralized storage
• Traditional storage
• Front-end network
...
RDMA Application/ULP
RDMA API (Verbs)
Traditional mode RDMA mode
RDMA Performance of Computing and Storage Is Improved
by 100 Times, and Packet Loss and Latency Become
Computing Bottlenecks
0.02 ms
Hardware: With computing and storage performance
improvement, the network has become a bottleneck.
Computing
power: key to AI
Software: RDMA reduces latency.
0.02 ms
Compute server Storage server
Network
10 ms 10 ms
1 ms
1 ms
E2E latency before computing and storage
performance is improved:
E2E latency after computing and storage
performance is improved:
HDD SSD
GPU
CPU
99% of network latency is caused by packet loss.
A packet loss rate of 2% decreases the RoCE
throughput rate from 100% to 0.
RoCE outperforms FC. RoCE has TCP advantages.
NVMe over Fabric
10x throughput bandwidth
and lower latency
With all-Ethernet and
all-IP support
Ethernet
adaptation solution
UDP/IP
FC Encoding
FC Physical Ethernet
NVMe
RDMA Stack
NVMe
FC FS
FC adaptation
solution
IB adaptation
solution
NVMe
IB
RDMA Stack
IB Stack
FC Network Introduction
FC switching network
Converts SCSI packets into FC
packets, without occupying host
resources.
Internal bus
FC network
FC HBA
Storage device
FC SAN
FC HBA
A Fibre Channel (FC) network uses an independent FC protocol stack and requires dedicated FC network devices, including:
• FC host bus adapter (HBA): connects a server to an FC disk array.
• FC switching device: an optical switching device that implements optical switching and interconnection between HBAs of multiple servers and back-end storage devices.
Ethernet Outperforms FC on the Storage Network in the All-
Flash Era
RoCE (Ethernet) outperforms FC in terms of
storage performance, bandwidth, and
management. However, replacing FC with
RoCE for all-flash storage requires
improvements in the following 3 aspects:
Storage Network
Focus
Network
performance
Bandwidth
Packet loss
Reliability
Ease of use
32/64G 400GE
FC RoCE (Ethernet)
Zero packet loss
Packet loss easy to occur
upon congestion,
especially during long-
distance transmission
< 1s
Active/standby
switchover period
Service interruption
time during an
upgrade
< 1s
< 1s < 8s to 15s
Open Ethernet,
converged architecture
Closed architecture,
dedicated management
Routine O&M Intelligent fault locating Intelligent O&M
Easy
management
Storage
deployment
Centralized
management
TCO High TCO Low TCO
Plug-and-play Manual configuration
1
2
3
Active/standby switchover
in seconds
Zero-packet-loss mechanism
Plug-and-play
The FC storage network is simple and
easy to configure. Currently, the
Ethernet needs certain improvements
to be suitable for storage scenarios.
To ensure storage reliability, multiple
network planes are constructed, and
switching should take less than 1s.
Zero packet loss is a basic requirement
of storage networks. Traditional
Ethernets are prone to packet loss
during congestion.
All-Flash Storage Drives Storage Industry Reconstruction,
Bringing a Chance to Replace FC
Server OS
SCSI
Calls for faster
networks
Faster interfaces
Latency reduced
by 20 μs NVMe
Server OS
Three pain points of
the FC live network
All-flash era calling for
faster networks
FC NoF
By 2021, NVMe all-flash
storage has exceeded
SCSI storage.
> 50% TOP 5
All storage vendors
now support NoF.
Source: G2M
Source: official websites
of storage vendors
Throughput
Latency
Bandwidth
200 μs
Minimum FC latency
50 µs
Minimum
Ethernet latency
1 million
FC IOPS limit
3 million
Ethernet
performance
(not maximum)
400GE
Ethernet
32G
FC
[Chart: average latency (µs) and IOPS increase percentage versus single-host concurrency (1, 2, 4, 8, 16, 32) for FC and iNoF, with the average latency decrease]
Joint Solution with OceanStor, Improving Performance by
87% and Shortening Latency by 42%
* The test results are derived from the joint innovation project environment of Bank of China in 2020.
87% higher
ERP/CRM/VDI
Large enterprises
Online transaction/ODS
/Data warehouse
Finance
General-purpose
database/VDI
Government
+
Dorado v6
All-flash storage
CloudEngine
Hyper-converged
Ethernet switch
In typical OLTP/OLAP scenarios, NoF+ RoCE SAN offers 87% higher performance and 42%
shorter latency than FC.
Comparison test environment for NoF+ RoCE SAN
and FC
Joint
solution
IOPS increase: IOPS increase percentage versus single-host concurrency
Average latency decrease: 42% shorter
Plug-and-Play Storage Servers and Link Fault Detection,
Aligning Usability and Reliability with FC
iLossless algorithm
ensures zero packet loss at high
throughput
The built-in AI algorithm dynamically
adjusts the threshold.
Ensures zero packet loss in the case
of high throughput and low latency.
AI-powered
adjustment
Dynamic threshold,
precise backpressure for
speed adaptation
Storage Server
100% throughput
Proactive link switchover within
seconds
Real-time awareness of link status
Switches monitor faults in real time
and notify the entire network of the
faults.
Servers proactively perform
switchover, slashing the fault
convergence time from 8s to 1s.
Active link
Standby link
1
2
Monitors
faults in
real time.
Notifies the
server plug-in
to proactively
perform link
switchover.
Network-wide synchronization
of single-point configurations
Storage server plug-and-play
Single-point configuration:
configuration performed on one
switch.
Plug-and-play: automatic link setup
for servers and storage devices
A B
C D
Zone 1 Zone 2
Zone 3
100 km long-distance transmission
and 200GE interconnection
iLossless algorithm upgrade,
achieving zero packet loss for
Ethernet transmission over 100 km
100 km
DCI DCI
DCI DCI
Switch
DWDM
Local Networking Design for a Single DC - Single-Layer
Networking
Leaf
Spine
Computing
network
Storage
network
Plane A
Plane B
• Single-layer networking applies to small networks.
• In single-layer networking, no spine nodes are deployed and
horizontal capacity expansion is supported. Generally, such
networking applies to fixed services that do not require
capacity expansion.
• Compute nodes and storage nodes are connected
independently. That is, each port uses an independent IP
address and is not bonded with another port. Physical dual
planes A and B are deployed to improve reliability.
TCP/IP
RoCE
Local Networking Design for a Single DC - Two-Layer
Networking
Leaf
Spine
Plane A
Plane B
• Two-layer networking applies to midsize and large networks.
• The spine-leaf architecture is deployed.
• Compute nodes and storage nodes are connected
independently. That is, each port uses an independent IP
address and is not bonded with another port. Physical dual
planes A and B are deployed to improve reliability.
• Compute nodes are connected to independent leaf nodes.
Storage nodes are directly connected to spine nodes.
• OSPF or BGP is deployed between leaf and spine nodes to
implement Layer 3 interconnection, and iNoF is enabled.
Computing
network
Storage
network
TCP/IP
RoCE
Intra-City Replication Network Design
Spine
Leaf
Physical server
Storage disk
C0
Physical server
Storage disk
DCI DCI
Spine
Leaf
Spine
Leaf
Spine
Leaf
DWDM DWDM
Intra-city transmission network
Spine
Leaf
C0
Computing
network
Computing
network
Storage network Storage network
Service network: 25GE TCP/IP
Storage network plane A:
25GE RoCE
Cascading network: 100GE
TCP&IP/RoCE
Storage network plane B:
25GE RoCE
• For details about the local
network design, see the local
networking design based on
the network scale.
• DCI switches need to be
deployed for the intra-city
transmission network to
implement long-distance
lossless transmission in the
same city.
• Replication ports of storage
disks are connected to DCI
switches, which are
interconnected across DCs
through DWDM.
All-Ethernet Storage Network Product Family
✓ The CE16800 series switches support CEL72XS-SAN for 10GE/25GE high-density access and
CEL48CQ-SAN for 100GE high-density interconnection.
✓ Fixed series switches include the CE6860-SAN for 10GE/25GE/50GE access and CE8850-SAN for
40GE/100GE high-density interconnection.
✓ The CE8850-SAN and CE6860-SAN switches are used as DCI nodes.
CE8850-SAN
CE16800 series CE6860-SAN
CloudFabric 3.0 Hyper-Converged DCN Product Portfolio
CloudEngine 16800
CE6881-48S6CQ
CE6820(H)-48S6CQ
CE6881-48T6CQ
100GE switches
CE8850-SAN
CE8851-32CQ8DQ-P
25GE switches
CE6860-SAN
CE6866-48S8CQ-P
CE9860-4C-EI
Storage network switches
CE6863E-48S6CQ CE6870-48S6CQ
CE8850-64CQ-EI
CE5882-48T4S
10GE switches
Orthogonal Architecture Concepts
SFU
Non-orthogonal
architecture
Orthogonal
architecture
Active
backplane
LPU
SFU
MPU
• Non-orthogonal architecture: The system is relatively simple and the cost is low. The backplane cabling
limits the overall switching capacity and rate, and the upgrade and evolution capabilities are limited.
• Orthogonal architecture: LPUs and SFUs use the orthogonal design. The front and rear cards are
interconnected without cabling. Service traffic between LPUs is directly transmitted to SFUs through
orthogonal connectors. This greatly improves the system bandwidth and evolution capability. The entire
system capacity can be smoothly expanded, and evolution and upgrade are more flexible.
CloudEngine 16800: MPUs, SFUs, and LPUs
SFU
40GE LPU
100GE LPU
400GE LPU
25/10GE LPU
CE-MPUD-HALF2 CE-MPUD-FULL
CE-SFU16G-G
CE-SFU08G-G
CEL36DQHG-P
CEL18CQFD-G
CEL36LQFD-G
CEL48XSFD-G
CEL36CQFD-G
CEL24LQFD-G
MPU
CE-SFU04G-G
CEL72XSHGA-P
CE16804 CE16816 CE16808
CloudEngine 9860-4C-EI: 100GE TOR Switch with High-
Density Flexible Cards
Parameter: CE9860-4C-EI
Port type: 4 slots, providing a maximum of 128 100GE QSFP28 ports
Switching capacity: 25.6 Tbit/s
Forwarding performance: 8000 Mpps
Cache capacity: 65 MB
Key features: M-LAG, telemetry, enhanced ERSPAN, PFC, and AI ECN
Front view
Rear view
➢ High-performance, high-density, and low-latency Ethernet
switches with flexible cards for DCs
➢ 4 U high, supporting four full-width flexible cards
➢ 400GE ready, meeting future evolution requirements
CloudEngine 8850-64CQ-EI: High-Density 100GE TOR Switch
Front view
Rear view
➢ High-performance, high-density, and low-latency Ethernet
switches for DCs
➢ Provides a maximum of 64 100GE QSFP28 ports or 64 40GE
QSFP+ ports.
➢ Functions as core or aggregation switches of DC and campus
networks.
Parameter: CE8850-64CQ-EI
Port type: 64 x 100GE QSFP28. Can be auto-negotiated to 40GE or split into four 25GE ports.
Switching capacity: 12.8 Tbit/s
Forwarding performance: 4482 Mpps
Cache capacity: 42 MB
Key features: DC features (M-LAG, VXLAN, and BGP EVPN); hardware-based BFD, telemetry, and enhanced ERSPAN; AI Fabric (dynamic ECN, fast CNP, VIQ, and DLB)
CloudEngine 6863E-48S6CQ: 25GE Access TOR Switch
Front view
Rear view
➢ High-density 25GE access switches for DCs
➢ Supports 100GE uplink ports.
Parameter: CE6863E-48S6CQ
Port type: Downlink: 48 x 25GE SFP28; uplink: 6 x 100GE QSFP28
Cache capacity: 42 MB
Key features: DC features (M-LAG, VXLAN, and BGP EVPN); hardware-based BFD, minimum packet sending interval of 3.3s; telemetry and enhanced ERSPAN; microsegmentation
CloudEngine 6881: 10GE Access TOR Switch
Parameter: CE6881-48S6CQ / CE6881-48T6CQ
Port type: CE6881-48S6CQ: 48 x 10GE SFP and 6 x 100GE QSFP28; CE6881-48T6CQ: 48 x 10GE BASE-T and 6 x 100GE QSFP28. Each 100GE port can work as a 40GE port.
Switching capacity: 4.8 Tbit/s
Forwarding performance: 2000 Mpps
Maximum number of stacked devices: 16
Key features: Abundant DC features (M-LAG, VXLAN, and BGP EVPN); telemetry and enhanced ERSPAN; microsegmentation and NSH
Front view
Rear view
➢ High-performance and high-density 10GE Ethernet switches
for DCs
➢ Provides high-density 10GE access ports and 40GE/100GE
uplink ports.
➢ Supports abundant DC features.
➢ Enables flexible selection of airflow directions.
CloudEngine 6820H-48S6CQ: 10GE TOR Switch
Front view Rear view
➢ High-performance and high-density 10GE access switches designed for DCs
➢ Provides 40GE/100GE uplink ports and high-density 10GE access ports.
➢ Uses Huawei's next generation YUNSHAN operating system.
➢ Supports abundant DC features.
➢ Enables flexible selection of airflow directions.
Sales Scenarios of CloudEngine Switches
1. CE5882-48T4S
Used for management and GE
access
Recommended in non-VXLAN
scenarios
1. CE6881: 10GE optical or
electrical access and 100GE
uplink, recommended for
VXLAN scenarios
2. CE6820(H): 10GE optical or
electrical access and 100GE
uplink, recommended for
Non-VXLAN scenarios
1. CE6863E: recommended for
25GE access
2. CE6860-SAN: recommended
for centralized storage
network scenarios
1. CE8850-64CQ: 100GE
aggregation for small and
midsize networks
2. CE9860: 100GE aggregation
for Internet and non-VXLAN
scenarios
3. CE8850-SAN: recommended
for centralized storage
network scenarios
4. CE8851: 100GE access and
400GE uplink in VXLAN
scenarios
EOR
CE16800
Intra-DC communication
Inter-DC communication
Next-generation high-performance 400GE and high-
density 25GE access LPUs and corresponding SFUs
Dedicated SAN LPUs in the centralized storage network scenario
GE TOR 10GE TOR 25GE TOR 40GE/100GE TOR
Award-Winning and Continuously-Innovating DCN Solution: Highly
Recognized by 21000+ Customers
• Huawei DCN switches positioned as
a leader for open and
programmable SDN by Forrester
• Gartner: Huawei DCN switches
(10GE+25GE) ranked No.1 in global
shipments
2018
2017
2016 2015
2013
2014 2012
• Grand debut at Interop,
receiving high appraisal
• Industry-leading ultra-
high performance
• Global DCN vendor
with the fastest
growth
• Best of ShowNet Award
at Interop Tokyo for
outstanding SDN
capabilities
• Challenger in Gartner
Magic Quadrant for Data
Center Networking
• Leader in Data Center
Hardware Platforms for SDN
• AI Fabric won the Best of
Show Award at Interop
• AI Fabric passed EANTC's tests
2019
• AI Fabric was certified
by Tolly to far outpace
Cisco
2019
2020
• First vendor outside
North America to be
named a Gartner
Peer Insights
Customers' Choice
• Only Chinese vendor in the
global SDN leadership list
• No. 1 market
share in China
• No. 3 global
market share
2020
• CloudEngine 16800 won
Frost & Sullivan's Global
Data Center Switch
Technology Leadership
Award with highest score
• Huawei's CloudFabric 3.0
solution won Frost & Sullivan's
Global Technology Leadership
Award
2021
• Huawei's next generation
high-performance storage
network NoF+ won the
award at Tokyo Interop
• Science and Technology
Award of China
Communication Society
2022
IDC HIS Technology IDC
Gartner
Gartner
Forrester
Gartner
Copyright © 2022 Huawei Technologies Co., Ltd.
All Rights Reserved.
Huawei CloudWAN Products and Solutions Presales
Training
Foreword
⚫ An enterprise IP bearer WAN is a backbone WAN used to implement cross-region
communication inside an enterprise. In enterprise network scenarios, various sectors, such as
government, finance, education, and power, widely use IP bearer WANs to connect sites and
clouds in different geographical locations, facilitating digitalization.
⚫ This course focuses on Huawei enterprise routers and their competitiveness and highlights,
analyzes their market opportunities, and elaborates network solutions and the
corresponding selection of routers, following an introduction of the concept, typical
networking scenarios, typical architectures, requirements, and trends of enterprise WANs
and a brief overview of Huawei CloudWAN3.0.
Objectives
⚫ Upon completion of this course, you will be able to:
• Describe the concept of an enterprise WAN and its position on an end-to-end (E2E)
large-scale network.
• Describe the typical logical and physical architectures of enterprise WANs.
• Describe the architecture, components, and main functions of Huawei CloudWAN3.0.
• Differentiate Huawei enterprise routers and flexibly select applicable router and board
models based on project requirements.
• Understand major market opportunities, network architectures, and model selection of
routers.
Contents
1. Scenarios and Trends
2. Introduction to Huawei Routers
3. Industry Application Solutions for Huawei Routers
4. Reference Documents for Huawei Routers
What Is an Enterprise WAN
Data
center
Enterprise
HQ
Enterprise
branch
Data
center
Data
center
Enterprise
branch
Definition
• A cross-region private network
(including leased links) built by
an enterprise.
Goal
• Implements cross-region
interconnection between
enterprise campus networks and
data centers.
Classification by purpose
• Self-built for internal use
• Self-built for external use
Evolution of Enterprise WAN Architectures
⚫ Traditional enterprise networks mainly carry LAN traffic, along with a small amount of LAN interconnection traffic. The interconnection requirements can be easily met using MPLS private lines and the Internet.
⚫ In the Internet era, fast-growing services are integrated in data centers. With the commercial use of mobile bearer and cloud technologies, enterprise services are carried in cross-region multi-cloud mode (multi-region and multi-center).
⚫ To support service growth and ensure service quality, it is imperative for large enterprises to build self-managed WAN bearer networks.
• LAN traffic
mainly
• LAN
interconnection
• WAN
interconnection
• Level-1
backbone
networks
• Core backbone
networks
• Multiple centers
in multiple cities
• Operable
networks
• Three centers in
two cities
• DCs as the root
• DC as the root
• Hierarchical
networks
Evolution of WAN Bearer Technologies
⚫ With the development of technologies and increasing service requirements, the VPN bearer mode becomes the
mainstream WAN service bearer mode. The WAN's control and forwarding plane technologies are also evolving.
⚫ The bearer WAN continues to evolve towards Segment Routing (SR) and IPv6.
MPLS SR-MPLS SRv6
Forwarding
plane
Control
plane LDP
RSVP-TE
IGP
Simplifies the
control plane.
IPv6
forwarding
IGP + SR Extension
IGP + SR Extension
BGP (L3 Service)
BGP for Service BGP for Service
Payload
IPv6 Header + SRH
BGP-LU (Inter-AS)
Payload
VXLAN/GRE/L2TP, etc.
MPLS Labels
Payload
VXLAN/GRE/L2TP, etc.
MPLS Labels
Continues to
simplify the
control plane.
Direct evolution
CloudWAN 3.0: Leading WANs into the Intelligent Cloud-Network Era
SRv6
FlexE slicing
One-fiber multipurpose transport:
deterministic experience
• Hierarchical slicing delivers 1000+ slices, 10
times the industry average.
• Patented slice ID-based slicing, simplified
deployment
One-hop cloud access: flexible cloud-
network connection
• SRv6-based service provisioning within
minutes, agile service cloudification.
One-click fast navigation: cloud-network
coordinated scheduling
• SDN+intelligent cloud-map algorithm, cloud-
network resource utilization 30%↑
Real-time visualization, fault locating within minutes, protection switching within milliseconds
100+ commercial use cases worldwide
IPv6 Enhanced builds a digital
infrastructure foundation.
IFIT NETCONF/YANG
Municipalities Federation Federal QH
States
DC
One-network wide connection: network
digitalization
• Industry-unique hop-by-hop measurement
technology enables real-time visualization of
network-wide status and troubleshooting
within minutes.
Huawei NetEngine Routers Portfolio
Aggregation
routers
NetEngine 8000 M1A/M1C/M1D-B
• 1 U high, 220
mm deep
• DC: 1 + 1
redundancy
NetEngine 40E X16A/X8A
• 2 Tbit/s LPU, BNG/FMC
service router
• High-performance
CGN/IPsec
NetEngine 8000 X16/X8/X4
• 4 Tbit/s per slot,
expandable to 14.4
Tbit/s per slot
• Compact design
NetEngine 8000 M14
• 5 U high, 2
Tbit/s
• 300 mm
NetEngine 8000 M8
• 3 U high,
1.2 Tbit/s
• 300 mm
NetEngine 8000 F1A
• 1 U
• Dual-channel
AC and DC
Core routers
Access
routers
NetEngine 8000 M6
• 2 U high, 220
mm deep
• DC/AC: 1+1
NetEngine 8000 M4
• 2 U high,
1.2 Tbit/s
• 300 mm
M1C
M1A
NetEngine A821 E
• 1 U high, 220 mm
deep
• 10GE FlexE
NetEngine 8000 F8
• 8 LPUs and 32
subcards
• 13 U high, 2
Tbit/s per slot
M1D-B
NetEngine 8000 X8 NetEngine 8000 X4
Compact, high-density, and
applicable to all service scenarios
• High-density 100GE
• Large capacity and high performance,
14.4 Tbit/s per slot
• EVPN/SRv6 ready
• Large-scale Layer 2 and Layer 3 services
Multiple roles
• High-density 100GE WAN routers
• Various peer routers
• Multi-service convergence edge routers
• Telco cloud/DC gateway routers
• Mobile bearer aggregation routers
NetEngine 8000 X Series: Highlights
4 slots
8 slots
One 19-inch cabinet
can house two devices
One 19-inch cabinet
can house four devices
15.8 RU
9.8 RU
NetEngine 8000 X16
32.3 RU
16 slots
NetEngine 8000 X: Line Processing Units
LPUI-4T
8 x 100GE QSFP28 + 8 x 400GE QSFP-DD
Hybrid 100GE/400GE port
72 x 10GE SFP/25GE SFP28
LPUI-2T
High-density 25GE/10GE
aggregation
LPUI-4T
40 x 100GE QSFP28
High-density 40 x 100GE
Medium- and high-
density 20 x 100GE
LPUI-2TA
20 x 100GE QSFP28
VSUI-400-E IPsec service board
Service interface boards Value-added service boards
Large number of QoS queues, full
services, and large number of
routing entries
High specifications, high reliability,
and high forwarding performance
NetEngine 40E X16A/X8A: Highlights
NetEngine 40E X16A/X8A
Large capacity
• 2 Tbit/s per slot, 81.92 Tbit/s switching capacity of the entire device
• High-speed LPUs: 50 Gbit/s, 120 Gbit/s, 240 Gbit/s, 480 Gbit/s, 1
Tbit/s, or 2 Tbit/s
• Various interface types: 100GE/50GE/40GE/10GE/GE/FE
• 4M FIB routing entries
All-service applicability
• L2/L3 VPN, EVPN, VXLAN, Seamless MPLS, SR/SRv6, HQoS, PIM, MLD,
MVPN, BIER/BIERv6, and DHCP/DHCPv6
• Synchronous Ethernet, 1588v2, G.8275.1, and G.8273.2
• Telemetry, YANG, and NETCONF
High reliability
• Distributed forwarding architecture, low latency, and large buffer,
improving 4K video user experience
• Fast switchover mechanisms (VPN/VLL/PW/LDP FRR) and hardware
BFD in 3.3 ms
40 RU
21 RU
NetEngine 40E X16A/X8A: Service Processing Units
Service
boards
50 Gbit/s 1 Tbit/s
480 Gbit/s
240 Gbit/s 2 Tbit/s
LPUF-53A
24 x GE MACsec
LPUF-243A
2 x 50GE/1 x
100GE
FlexE/MACsec
4 x 25GE
MACsec
12 x 10GE
FlexE/MACsec
LPUF-483A
4 x 50GE/2 x
100GE
FlexE/MACsec
8 x 25GE
MACsec
24 x 10GE
MACsec
LPUF-1T2A
4 x 100GE/8-port
50GE QSFP28
16 x 25GE SFP28
1-port 400GBASE
-QSFP-DD
20 x 100GE QSFP28
FlexE/MACsec
LPUI-2TA
8 x
GE/10GE+8xPOS
2 x CPOS+24xE1
LPUI-243A-CM LPUI-483A-CM
Forwarding
performance
LPUF-245-E (2 subslots) BRAS access board
LPUF-485-E (2 subslots) BRAS access board
Matching with a P245-E
(recommended)
or P245-A subcard
NetEngine 40E X16A/X8A: Value-Added Service Boards & BRAS Access Boards
Matching with a P485
subcard
P485-A subcard
2 x 100GE
20 x 10GE
24 x 10GE
P245-E subcard
1 x 100GE
10 x 10GE
24 x GE/FE
P245-A subcard
1 x 100GE
12 x 10GE
24 x GE/FE
Specification Comparison LPUF-485-E LPUF-480-E LPUF-245-E
Application Scenario BRAS user side
Subcard • P485-A • P480
• P245-E (recommended)
• P245-A
BRAS Supported. No license is required.
Number of users on each
board
128,000 128,000 128,000
Number of queues
Upstream: 2 x 192 x 1000
Downstream: 2 x 256 x 1000 per slot
Upstream: 2 x 128 x 1000
Downstream: 2 x 128 x 1000
⚫ Motherboards whose model ends with "-E" and matching subcards are recommended for user-side access.
⚫ Both the LPUF-485-E and LPUF-485 (BRAS not supported) are equipped with eTM chips, and subcards are interchangeable on them.
⚫ The LPUF-485-E supports only the P485 subcard. The LPUF-245-E supports the P245-E (recommended) and P245-A subcards.
VSUI-400-E
VSUI-400
VSUI-400 series value-added service boards
VSUI-400-S
NAT and IPsec supported,
SA not supported
NAT, IPsec, and SA
supported
NAT, IPsec, and SA
supported
VSUI-401-E
VSUI-401
VSUI-401 series value-added service boards
NAT, IPsec, and SA
supported
NAT and SA supported,
IPsec not supported
2022Q2
Upgrade
NetEngine 8000 F8: Enterprise Router with Port Density Ranking Top in the Industry
High density: large capacity and high port
density ranking top in the industry
• Large capacity: The 2 Tbit/s capacity can be
evolved to 6.4 Tbit/s, meeting smooth evolution
requirements in the next 10 years. 32 high-speed
subcards can be configured.
• High-density ports: 24 x 100GE/240 x 10GE/320 x
GE/256 x E1/256 x STM-1c/256 x STM-4c
• Evolvability: The ports can be evolved to 64 x
100GE/576 x 10GE/576 x GE/512 x E1/256 x STM-
1c/256 x STM-4c.
• Multi-platform convergence: financial and electric
power aggregation nodes, metro network MEF/cloud
network CE aggregation routers
• Multi-service platform: supports all-service
capabilities such as IPsec, NAT, SA, and MACsec.
• Innovative solutions: SD-WAN POP
IPv6 Enhanced: full programmability and
deterministic SLA assurance
• Network slicing: 10GE port FlexE, 1GE granularity FlexE
slicing, and hard isolation, guaranteeing zero packet loss
and bandwidth
• SRv6: path programmability, realizing deterministic paths
and latency
• IFIT: in-band flow measurement, enabling minute-level
fault locating and ensuring high network availability
Industry-leading hardware: energy-saving
pioneer, all-round quality assurance
• High reliability: forwarding-control separation and
separate switching
• Energy saving: 1300 W power consumption in typical
configuration, about 60% lower than industry average;
front-to-back airflow
• Flexible hardware: flexible motherboard-and-subcard
design, improving device performance by about 25%
NetEngine 8000 F8
LPUT x 8
SRU x 2 (1:1)
MPU (1:1)
PSU x 6
All-scenario: all-service transport and all-scenario
deployment for enterprise networks
NetEngine 8000 F8: Line Processing Unit
High-
speed
subcards
Line
Processing
Unit LPUT-800-CM, 400G enabled by default,
supporting 4 PIC slots
8 x 100/1000Base-RJ45
8 x STM-1/STM-1000Base-RJ45
16 x E1 (750/120 ohm)
2 x 50GE/1 x 100GE QSFP28 FlexE MACsec
4 x 10G SFP+
10 x 10GE SFP+ MACsec
10 x GE/FE SFP
Subcards
Low-
speed
subcards
NetEngine 8000 M14/M8: Highlights
Compactness and hardware redundancy
• 220 mm deep, less footprint
• Reliability: control/forwarding separation and hardware
redundancy
High performance
• NetEngine 8000 M14: 800 Gbit/s, 1.2 Tbit/s, or 2 Tbit/s capacity
• NetEngine 8000 M8: 480 Gbit/s or 1.2 Tbit/s capacity
• Diverse interfaces: E1, cPOS, POS, GE, 10GE, 25GE, 40GE, 50GE,
and 100GE, meeting multi-service access requirements
All-service integration
• Simplified protocol evolution: SRv6
• New Ethernet Features: FlexE and MACsec
• High clock precision: 10 ns
4-in-1 function integration
• All-service aggregation, CGNAT, distributed BNG, and IPsec
encryption
220 mm
3 RU
NetEngine 8000 M8
NetEngine 8000 M14
220 mm
5 RU
NetEngine 8000 M14: Slot-based Bandwidth Distribution
13 100 Gbit/s 100 Gbit/s 14
11 200 Gbit/s 200 Gbit/s 12
9 200 Gbit/s 200 Gbit/s 10
7 200 Gbit/s 200 Gbit/s 8
18 PIU IPUA-1T2/2T 16
17 PIU IPUA-1T2/2T 15
5 100 Gbit/s 100 Gbit/s 6
3 100 Gbit/s 100 Gbit/s 4
1 100 Gbit/s 100 Gbit/s 2
13 10 Gbit/s 10 Gbit/s 14
11 200 Gbit/s 200 Gbit/s 12
9 100 Gbit/s 100 Gbit/s 10
7 100 Gbit/s 100 Gbit/s 8
18 PIU IPU-1T2-A/1T2-BN 16
17 PIU IPU-1T2-A/1T2-BN 15
5 100 Gbit/s 100 Gbit/s 6
3 100 Gbit/s 100 Gbit/s 4
1 10 Gbit/s 10 Gbit/s 2
13 10 Gbit/s 10 Gbit/s 14
11 100 Gbit/s 100 Gbit/s 12
9 100 Gbit/s 100 Gbit/s 10
7 100 Gbit/s 100 Gbit/s 8
18 PIU IPU-800-BN 16
17 PIU IPU-800-BN 15
5 100 Gbit/s 100 Gbit/s 6
3 100 Gbit/s 100 Gbit/s 4
1 10 Gbit/s 10 Gbit/s 2
Remarks: The NetEngine 8000E M14 2T
supports 400 Gbit/s boards.
Supported slots: slots 7 and 9, or slots 8 and
10. One subcard occupies two subcard slots.
If AC power supply is used,
slots 1 and 3 are used for
power modules.
If AC power supply is used,
slots 1 and 3 are used for
power modules.
Bundle: IPU-1T2 or IPU-2T Bundle: IPU-800-BN
Bundle: IPU-1T2-A or IPU-1T2-BN
When the NetEngine 8000 M14 is configured with different types of main
control boards, each slot supports different bandwidths.
NetEngine 8000 M8: Slot-based Bandwidth Distribution
7 100GE 100GE 8
5 200GE 200GE 6
10 IPU-1T2
9 IPU-1T2
3 200GE 200GE 4
1 100GE 100GE 2
7 20GE 20GE 8
5 200GE 200GE 6
10 IPU-480-BN
9 IPU-480-BN
3 200GE 200GE 4
1 20GE 20GE 2
Bundle: IPU-1T2-B/C
Bundle: IPU-480-BN
If AC power supply is used, slots 1 and 3 are used for power modules.
When the NetEngine 8000 M8 is configured with different types of main control
boards, each slot supports different bandwidths.
NetEngine 8000 M14/M8: Interface Board Portfolio
4 x 25GE SFP28/
4 x 10GE SFP+
2 x 50GE QSFP28/
1 x 100GE QSFP28
2 x 100GE QSFP28/
2 x 50GE QSFP28
10GE/GE 25GE/10GE
100GE/50GE
10 x 10GE SFP+/
10 x GE SFP
GE
10xGE SFP
E1
16-Port E1
4 x Port Channelized
STM-1c POS-SFP
CPOS
4 x Port OC-3c/STM-1c
POS-SFP
POS
GE
20 x GE CSFP/
10 x GE SFP
Low-speed subcards High-speed subcards
100GE/50GE
100GE
1 x 100GE CFP2
8 x Port V.35/X.21/V.24
PCM
4 x Port C37.94 &
4 x Port CoDir64K
PCM
4 x Port FXS/FXO &
2 x Port E&M & 2 x Port
RS232 & 2 x Port RS485
PCM
6 x Port E&M
PCM
GE
E1
32-port E1
GE
4 x GE SFP 8 x GE RJ45
8 x 25GE SFP28
25GE/10GE
10GE
(FlexE)
4 x 10GE SFP+
25GE
4 x 25GE SFP28
8 x STM-1c/8 x STM-4c
POS
VSUP-100
Universal service board
1 x 400GE QSFP
400GE Supported only
by the NetEngine
8000 M14
6 x Port E&M
NetEngine 8000 M4: Industry-Leading Compact 2U All-Service Router
2 U
NetEngine 8000 M4
✓ Small size, large capacity
• Device forwarding capacity up to 1.2 Tbit/s, port
capacity up to 1.6 Tbit/s
• 2 U high, 220 mm deep, 70% less footprint
✓ Environmental friendliness
• Chassis replaced with boxes, power consumption
reduced by 60%
✓ Multi-rate ports, smooth service evolution
• E1/CPOS/POS/GE/10GE/25GE/40GE/50GE/100GE/400GE
✓ All-service router
• 4-in-1: SR + BRAS + CGN + IPsec
• SRv6 path programmability
• FlexE hard slicing supported, guaranteeing bandwidth
NetEngine 8000 M4: FPIC Design and Multi-Rate Ports
Low-speed subcards High-speed subcards
16-Port
E1
4 x Port
Channelized STM-
1c POS-SFP
CPOS
4 x Port OC-
3c/STM-1c POS-SFP
POS
E1 GE
8 x GE
RJ45
10 x GE
SFP
GE
2 x 50GE QSFP28/1
x 100GE QSFP28
100GE/50GE
10 x 10GE
SFP+/GE SFP
4 x 10GE
SFP+/GE SFP
10GE/GE
MACsec
2 x 100GE
QSFP28/2 x 50GE
QSFP28
100GE/50GE
FlexE, MACsec
10GE/GE
4 x 25GE
SFP28/10GE SFP+
25GE
25GE/10GE
MACsec
8 x 25GE SFP28/10GE
SFP+
400GE
1 x 400G QSFPDD
(with OA)
VSUPA-100
CGN
VSUPA-100
IPsec
Service subcards
NetEngine 8000 F1A: 1 U High and 1.2 Tbit/s Capacity
420 mm
NetEngine 8000 F1A
1 U
• Compact design: 1 U high, 420 mm deep, 1.2 Tbit/s capacity.
• High-density ports: 8 x 100GE/50GE + 20 x 25GE/10GE + 28 x
10GE/GE
• Energy saving: 0.23 W/G, 20% lower than the industry average
• Flexible airflow: front-to-back or back-to-front airflow
• FlexE: supported by 100 Gbit/s ports
• MACsec: 28 x 10GE/GE + 4 x 25GE/10GE/GE
Application scenarios:
• High-density WAN routers
• Multi-service convergence edge routers
Switching capacity: 1.2 Tbit/s
Dimensions (H x W x D): 44 mm (1 RU) x 442 mm x 420 mm
Weight: <12 kg
Typical power consumption: 350 W
Characteristics: Segment Routing, SRv6, EVPN, VXLAN, 1588v2, NETCONF YANG, and Telemetry
Power supply: DC/AC, 1 + 1 redundancy
Operating temperature: 0°C to 45°C (long term)
Front-panel ports: 28 x 10GE/GE SFP+, 20 x 25GE/10GE SFP28, 8 x 100GE/50GE/40GE QSFP28
Flexible port configuration
Port: Fixed / Extension / Total
100GE/50GE/40GE: 8 / - / 8
25GE: 20 / 8 x 4 / 52
10GE: 28+20 / 8 x 4 / 80
GE: 28 / - / 28
NetEngine 8000 M6: Access and Aggregation Router for All
Scenarios
Product positioning: large-
capacity access and aggregation
router for all scenarios
• Dimensions: 2 U high, 220 mm deep
• Capacity: 160 Gbit/s, 6 slots
• Maximum: 2 x 50GE/16 x 10GE/100GE
• SRv6 ready
• NP architecture for new
services in the future
• Supports private lines, IGWs, and DC-GWs.
• Diverse interfaces:
E1/CPOS/GE/10GE/25GE/50GE
Small size, large capacity Excellence
All-scenario platform
Dimensions (H x W x D): 88.9 mm (2 U) x 442 mm × 220 mm
Device capacity: 160 Gbit/s
Voltage range: DC: –40 V to –72 V; AC: 90 V to 290 V
Power consumption: 230 W
Slot quantity: 6 (DC)
Device interface capacity: 50GE:2 // 10GE:16 // GE:100
Layer 2 features: IEEE802.1q, IEEE802.1p, IEEE802.3ad, IEEE802.1ab, and STP/RSTP/MSTP
Layer 3 features: OSPF, RIP, IS-IS, BGP, ACL, IPv4, 6VPE, ARP, VLANIF, and VXLAN
MPLS features: LDP, RSVP-TE, L2VPN, L3VPN, and seamless MPLS
SRv6/EVPN: SRv6, SR, EVPN L3VPN, EVPN VPWS, EVPN VPLS, and EVPN over SRv6
Valuable services: NAT, IPsec, and MACsec
Multicast: IGMP, static multicast routing, PIM-SM/SSM, and MBGP
QoS: 5-level HQoS
Clock: 1588v2 and synchronous Ethernet
O&M management: Telemetry, IFIT, BFD, NQA, RFC 2544, and TWAMP
Operating temperature: DC: –40°C to +65°C; AC: –20°C to +55°C
Operating relative humidity: Long-term: 5% to 95%, non-condensing
NetEngine 8000 M6
Converged transport
Unified transport of multiple services
Vertical industries
Access and aggregation scenarios
Campus egress
Layer 3 egress on a Layer 2 network
NetEngine 8000 M1A: Access Router
High adaptability
• Wide temperature range: –40°C to +70°C, applicable to outdoor cabinet scenarios
Transmission-oriented
• SR and EVPN as bearer protocols, smooth evolution to SRv6 based on NP
High compactness
• Dimensions (H x W x D): 1 U x 300 mm x 220 mm; less footprint and easy installation in a cabinet
Large capacity
• 176 Gbit/s
• 16 x 10GE/GE/FE + 12 x GE/FE(o) + 4 x GE/FE(e)
Flexible configuration:
⚫ 4 x 10GE/GE/FE + 12 x GE/FE
⚫ 6 x 10GE/GE/FE + 26 x GE/FE
⚫ 16 x 10GE/GE/FE + 12 x GE/FE(o) + 4 x GE/FE(e)
Port layout (DC model with dual DC inputs; AC model with AC input): 12 x GE/FE(o), 16 x 10GE/GE/FE(o), 4 x GE/FE(e)
NetEngine 8000 M1C: Access Router
High adaptability
• Wide temperature range: –40°C to +65°C, applicable to outdoor cabinet scenarios
Transmission-oriented
• SR and EVPN as bearer protocols, smooth evolution to SRv6 based on NP
High compactness
• Dimensions (H x W x D): 1 U x 300 mm x 220 mm; less footprint and easy installation in a cabinet
Large capacity
• 172 Gbit/s
• 16 x 10GE/GE/FE + 8 x GE/FE(o) + 4 x GE/FE(e)
Flexible configuration:
⚫ 4 x 10GE/GE/FE + 12 x GE/FE
⚫ 6 x 10GE/GE/FE + 22 x GE/FE
⚫ 16 x 10GE/GE/FE + 8 x GE/FE(o) + 4 x GE/FE(e)
Port layout (DC model with dual DC modules; AC model with dual AC modules): 8 x GE/FE(o), 16 x 10GE/GE/FE(o), 4 x GE/FE(e)
NetEngine 8000 M1D-B: Access Router
High adaptability
• Wide temperature range: –40°C to +65°C, applicable to outdoor cabinet scenarios
Transmission-oriented
• SR and EVPN as bearer protocols, smooth evolution to SRv6 based on NP
High compactness
• Dimensions (H x W x D): 1 U x 300 mm x 220 mm; less footprint and easy installation in a cabinet
Large capacity
• 176 Gbit/s
• 2 x 50GE + 2 x 25GE + 2 x 10GE + 10 x GE + 4 x GE RJ45
Flexible configuration:
⚫ 2 x 50GE + 2 x 25GE + 2 x 10GE + 10 x GE + 4 x GE RJ45
⚫ 2 x 50GE + 1 x 25GE + 4 x 10GE + 10 x GE + 4 x GE RJ45
⚫ 2 x 50GE + 6 x 10GE + 10 x GE + 4 x GE RJ45
⚫ 2 x 25GE + 12 x 10GE + 10 x GE + 4 x GE RJ45
⚫ 16 x 10GE + 10 x GE + 4 x GE RJ45
Port layout (DC model with dual DC modules; AC model with dual AC modules): 10 x 10GE or 2 x 50GE, 10 x GE/FE(o), 2 x 25GE/4 x 10GE(o), 4 x 10GE(o)
NetEngine A821 E: Designed for Cloudification, One-Hop Cloud Access
Specifications: NetEngine A821 E
Switching capacity: 72 Gbit/s
Packet forwarding rate: 54 Mpps
Port type: 2 x 10GE ports + 8 x GE optical ports + 8 x GE electrical ports
Height: 1 U
Dimensions (H x W x D): 43.6 mm (1 U) x 320 mm x 220 mm
Weight: 5 kg
SDRAM: 4 GB
Typical power consumption: 75 W
Power input: AC: 100 V to 240 V
Cooling mode: Air cooling
Operating temperature: –40°C to +65°C
FIB: IPv4: 512K; IPv6: 64K
Network slicing: 10GE port FlexE slicing
Segment Routing: SR BE, SR Policy, SRv6 BE, and SRv6 Policy
NAT: 800 Mbit/s
Service visualization: In-band flow measurement (IFIT)
Huawei cloud terminal
NetEngine A821 E
Key Feature Matrix of NetEngine Routers
L2VPN L3VPN EVPN VXLAN NG MVPN BIER HQoS 1588v2 Telemetry IFIT BRAS MACsec IPsec CGNAT SR SRv6 FlexE Multicast-NAT
NetEngine 40E
X16A/X8A
√ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000
X16/X8/X4
√ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 F8 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 M14 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 M8 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 M4 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 F1A √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 M6 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 M1A √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 8000 M1C √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine A821 E √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
NetEngine 40E Naming Conventions
Device naming
conventions
NE40E-X8A
Model
X: extended, indicating
performance improvement
Number of
service slots
A:
advanced
Brand
name
Net Engine
MPUB11 SRUA17
Main
Processing
Unit
A component that physically
integrates the control and
switching functions.
Switching and Routing Unit
B: MPU of the NE40E X16/X16A
D: MPU of the NE40E X3/X3A
Board
version
A: SRU of the NE40E-X8A
Board version
Main control board
naming conventions
SFU naming conventions
SFUI-480-N
Switch Fabric
Unit
I: integrated, indicating
that no flexible plug-in
card (FPIC) can be
configured
Switching capacity,
480 Gbit/s per slot
Used to distinguish
device models
M/E/G/P/I: NE40E X16A
N/F/H/Q/J: NE40E X8A
VSUI-401-E
Versatile
Service Unit
I: integrated,
indicating that no FPIC
can be configured Board capacity: 400 Gbit/s
The last digit represents the
serial number of a board version.
VSU naming conventions
Performance type
S: smart
E: enhanced
LPU naming conventions
LPUI-243-CM
P243
Line Processing
Unit
F: flexible, indicating that the board is a motherboard for flexible plug-in cards
I: integrated, indicating that the board is configured with fixed interfaces
Board capacity: 240 Gbit/s. The last digit represents
the serial number of a board version.
Consumption model, a new sales
mode. The RTU is to control the
board capacity, flexibly meeting
commercial requirements.
Indicates the
matching
motherboard
Subcard of an LPU
P: subcard of the NE40E
BP: subcard of the ME60
NetEngine 8000 Naming Conventions
• Fixed-configuration device: "F" stands for "fixed", the
digit (1/2) after "F" indicates the device height, and the
letter (A/B/C) after the digit indicates the device
generation. The rightmost field (F) contains port
information.
• Modular device: "M" stands for "modular", the digit
(4/6/8/14) after "M" indicates the number of slots, and the
letter (A/B/C) after the digit indicates the device
generation.
• Chassis-shaped device: "X" stands for "chassis", and the
digit (4/8/16) after "X" indicates the number of slots.
Field: Description
A: Indicates the device series. NE8000: NetEngine 8000 series. NE8000E: "E" stands for Enterprise.
B: Indicates the device type. M: modular; F: fixed configuration; X: chassis-shaped.
C: Number of slots or device height. Modular device: The digit indicates the number of slots. Fixed-configuration device: The digit indicates the device height.
D: Indicates the device generation: A, B, C, and so forth. Each letter represents one device generation, and devices with similar capacities and specifications are of the same generation. A: first generation; B: second generation; ... N: Nth generation.
E: Optional. It is an extension bit. If the generation letter and port information are not enough to distinguish different devices, this extension bit (filled with a letter) is used.
F: Indicates port information: number of ports (digits) + port type (letters). H: 100GE; V: 50GE; Q: 25GE; X: 10GE. For combo ports, the common port model combination in the industry is used.
Device naming conventions
NE8000 F1A(X)-8H20Q
Model
A B C D E
Brand name
F
Industry Scenario Overview
Electric power and transportation bearer network
ISP metro aggregation
Campus
Horizontal solutions: evolution based on four major scenarios
Focus on five key industries
ISP
Backbone network
expansion and
migration
Government/Education
Smart
city
SDN, IPv6 Enhanced, and
backbone network
reconstruction
E-
government
Finance
SDN-based backbone
network and cloud-
based branches
OTT
DCI
IAP
Industry
Opportunity
Scenario
Transportation
Electric
power
production
network
Full-service bearing of production and office services,
migration from SDH to all-IP
Railway Urban rail
Education
backbone
network
Data center
Energy
Financial
backbone
network
Branch
interconnection
Electric
power office
network
Coal mine
Pan-government bearer network
Interconnection between financial backbone branches
Campus
network
General-purpose
computing
Storage
High-performance
computing
Data
Center
ISP Market Segmentation and Opportunities for Routers
Service Level Target User Service Available Product
OTT
Content and service
providers
• Service providers that transmit streaming media over the
Internet.
• The networks include DCI backbone networks and POP
nodes.
DCI backbone routers
International POPs
IXP Internet exchange points
• Network facilities that connect different ASs and
exchange Internet traffic between them.
• The networks provide Layer 2 and Layer 3 P2P and
P2MP exchange connections and value-added services. DC-GW
MTDC Colo/Hosting/IaaS/NaaS
• Provide leasing or hosting services based on data centers
and gradually transform to cloud service providers.
Network IAP
• An Internet access provider (IAP) provides end users
with Internet access services and limited information
services.
✓ Services: FBB and enterprise VPN
✓ Networks: backbone, metro, and access networks
Major markets of routers:
Backbone networks: P/PE
and IGW
Metro networks:
aggregation routers and
BRAS
IAP Network Architectures and Applicable Routers
Metro network Backbone network
S-PoP
NetEngine 40E X16A
NetEngine
8000 M14
NetEngine
8000 M8
NetEngine
8000 F1A
(Mini-BNG)
NetEngine
40E X8A
SR/centralized BNG/CGN
NetEngine
8000 X8
NetEngine
8000 X4
NetEngine
8000 M6
NetEngine
8000 M1C
NetEngine
8000 M4
(Distributed BNG)
BNG: Broadband Network Gateway CGN: Carrier-Grade Network Address Translation S-PoP: Super-Point-of-Presence
14.4 Tbit/s per slot
(P/PE/IGW/DC GW)
2 Tbit/s per slot
(P/PE/IGW/DC GW)
NetEngine
40E X8A
Service
Metro network Backbone network
S-PoP
End users Access network
ACC
PE
P
ACC
PE
AGG
AGG
Internet
Telecom
Cloud
BNG
SR
PC
OLT
RGW ONT
CPE
Small- and
medium-sized
enterprises
Enterprises
Telephone
OLT
Internet TV
ONT IGW
PE
DC-GW
DC-GW
Service
Metro network Backbone network
S-PoP
End users Access network
ACC
PE
P
ACC
PE
AGG
AGG Internet
Telecom
Cloud
BNG
SR
PC
OLT
RGW ONT
CPE
Small- and
medium-sized
enterprises
Enterprises
Telephone
OLT
Internet TV
ONT IGW
PE
DC-GW
DC-GW
IAP Service Deployment Solution
VOIP
VLAN EVPN-L3VPN
VLAN
IPTV VLAN
VLAN
VLAN
EVPN-L3VPN
EVPN
Native IP multicast/EVPN-BIER
BNG
L2 VLAN
VLAN
L3
FlexE slice-based private network
FlexE slice-based private network
Q-in-Q
HSI
VLAN EVPN-VPLS
Q-in-Q BNG EVPN-L3VPN
Home
broadband
Enterprise
private
lines
Centralized BNG
Distributed BNG
Video on
Demand (VOD)
BTV (multicast)
SRv6
Industry slice
Highlights of Huawei ISP Solution
NetEngine 8000 M4
NetEngine 8000 F1A
99% satisfaction of
customer requirements
4-in-1
BNG/CGN/
SR/IPsec
Compact design, making
use of small spaces
1 U/2 U
300 mm
Co-cabinet with
the OLT
"0" investment
for a cabinet
Energy efficiency
300 W
30% less energy
consumption
Value-added service board
CGN+IPsec subcard
Leading the industry
Economical Efficient
Simple
The cost of one device
is saved every year,
in terms of device leasing
and power consumption.
Simple, easy to sell,
and promised profits.
More efficient mini
BNG in the industry
BRAS CGN SR
NetEngine 8000 M
IPsec
Government WAN Scenarios and Market Opportunities
for Routers
Government
G2E: Government
to Employee
• Electronic payroll
• E-benefit
• E-training
G2B: Government
to Business
• Online investment
• Online business
• Online tax filing
• Online annual audit
G2C: Government to Citizen
• Information publication
• Government consultation
• Online services
• Online complaints
• Online filing
G2G: Government to
Government
• Cross-department data sharing
• Collaborative office: video
conference
• Joint approval
National
broadband
National broadband
network
Provincial networks
Dedicated networks
for provinces
City network
Dedicated networks
for cities
MOX
Dedicated networks for ministries
Ministry of the Interior (MOI)
Ministry of Education (MOE)
Ministry of Finance (MOF)
Ministry of Defense (MOD)
...
MOX Government Network Architectures and Applicable
Routers
NetEngine 8000 X4
NetEngine 8000 M14
NetEngine 8000 X8
Backbone routers
MOX campus
Aggregation routers
Access routers
NetEngine 8000 M6 NetEngine 8000 M1C
NetEngine 8000 M8
Backbone
network
Aggregation
network
Access
network
MOX campus MOX campus
MOX
data center
MOX
data center
Data
center
Data
center
MOX Government Network Deployment Solution
G2G/
G2E
EVPN-L3VPN/L2VPN over FlexE
EVPN-L3VPN/L2VPN over FlexE
Department
Department
Data center IP
Department
EVPN-L3VPN/L2VPN (public VPN) over FlexE
G2B/
G2C
Department
Department
EVPN-L3VPN (Internet VPN)
Web Enterprise/Individual
SRv6
• SRv6+EVPN-based unified deployment
• N+2 VPN: N VPNs are used for connecting departments, one public VPN,
and one Internet VPN.
IP
IP
IP
VLAN
VLAN
VLAN
IP
Backbone
network
Aggregation
network
Access
network
Campus
Highlights of the Government Network Solution
Federal
government
private network
Regional government
private network
Municipalities State government
private network
SRv6 for one-hop cloud access
FlexE slicing, single-network transport
Ministry of
Finance
Ministry of
Culture
Ministry of
Communications
Government network construction goal: Combine
two steps in one step, taking the lead at the start.
"Elite 1" device
Compact and efficient
access routers
Safe
E2E security Carrier-class
reliability
Simple Smart
"Elite 2" device
Cost-effective core
routers
Simplified
O&M
1 U high, half-chassis
wide, plug-and-play
Strong network
hard slicing
Flexible multi-
service access
Government
cloud
Financial WAN Scenarios and Market Opportunities for Routers
• Network and cloud pool resource usage
• Reduced investment in capacity
expansion every year
Scenario 1: agile cloudification
of bank branches
Scenario 2: interconnection load
balancing between backbone clouds
DC DC
DC DC
DC
Branch/outlet Branch/outlet
Cutting-edge feature: SRv6, enabling
one-hop cloud access of branches
Intelligent cloud-
map algorithm
Active DC
Intra-city disaster recovery
Remote disaster recovery
Cloud management
platform
Cloud resource
information
47%
50%
45%
31%
30%
32%
24,000+
branches
800 million
transactions
per day
Cutting-edge feature: SRv6 intelligent
scheduling, saving private line bandwidth
30%
CNY 30
million
• Services can be deployed in minutes, and new
apps can be rolled out in months weeks.
• Intelligent path optimization,
network link utilization
35%
NetEngine
8000 X4
NetEngine 8000 M14
NetEngine
8000 M1C
NetEngine
8000 X8
Backbone/DC GW routers
Access Aggregation
NetEngine 8000 M6 NetEngine 8000 M8
Financial WAN Solution Architectures and Applicable Routers
Aggregation
Backbone
network
Third-party
network
Third-party
network
Third-party
network
Production campus
Office building
IoT
+
Terminals
Multiple centers
Authentication
center
Registration
center
Big data
center
DMZ
open area
Intranet
service zone
big data
Distributed
DC1
DMZ
open area
Extranet
service zone
big data
Distributed
DC2
DC-GW
Aggregation
Access Backbone
Aggregation
E2E
SRv6
Technical approaches are used to break down silos between
organizations at different levels, achieving agile service innovation.
DC 2
Traditional outlets Traditional outlets
Level-1
branch
Level-2
branch
Carrier network
Carrier
network
• The network that connects data centers is managed by the
head office. Networks connecting data centers and level-1
branches are managed by the head office and the branches.
Networks that connect outlets and level-1 branches are
managed by the branches.
• The entire network is divided into three segments, making
service provisioning difficult, because it requires coordination
between network management departments at three levels.
DC DC
DC
DC
DC
Branch/outlet Branch/outlet
NetEngine 8000 M6 NetEngine 8000 M1A
AS IS
Segment-by-segment management by
the head office and branches
TO BE
Unified management by the head office Customer benefits
Provisioning
time
Months Minutes
10+ 3,000+
Service
categories
• The SRv6 technology is used to build an end-to-end
seamless network for data centers, branches, and
outlets, extending the management scope of the
original backbone domain.
• E2E integrated service management, fast
microservice provisioning
DC 3
DC 1
Carrier
network
Carrier
Carrier
SRv6 Enables Fast Service Rollout for Bank Branches
• SRv6 Policies support both ECMP and UCMP, enabling
automatic traffic balancing.
• SRv6 can traverse all types of private lines for traffic
optimization.
• SLA assurance for production services: Low-priority
services are preferentially scheduled to other paths,
ensuring that bandwidth requirements of high-priority
services are met.
• The usage of busy lines is as high as 90%, which may result in
transaction service failure. However, the usage of idle lines is as
low as 20%. Traffic distribution is severely unbalanced.
• Policies are manually delivered, and high-risk operations such
as patch installation on the production network are prone to
errors and may incur new problems.
• Rough capacity expansion is performed, such as simply
doubling the capacity of busy lines. In this case, the costs surge
as the total private line bandwidth doubles.
DC1 DC3
DC2
Branches
30%
30%
30%
Reduced investment
CNY XX
millions/year
DC1 DC3
DC2
Branches
90% 20% 0%
China
Unicom
China
Telecom
China
Mobile High private
line utilization
Full Mesh SR-TE
On-demand path
splitting
SRv6 Policy
AS IS
Uneven private line usage, passive
capacity expansion, high costs
Carrier Bandwidth Peak Utilization
China Unicom 50 Mbit/s 45 Mbit/s 90.00%
China Telecom 50 Mbit/s 15 Mbit/s 30.00%
China Mobile 2 Mbit/s 0 Mbit/s 0%
TO BE
Intelligent optimization,
balanced traffic distribution
Customer benefits
Capacity expansion
frequency
1 year 3 years
The Cloud-Map Algorithm Improves the Utilization of
Financial Backbone Networks by 30%
• Single-cloud architecture -> multi-
cloud architecture, inter-cloud traffic
increases greatly
• The traffic increases by 30% per year,
and the investment in capacity
expansion is as high as 1 billion.
Single
cloud
30% per year
Traffic increase
Multiple
clouds
1 billion per year
High capacity
expansion costs
VSUI-400
Data
center A
Data
center B
Core backbone
network
IP support
network
Data compression
card
Data compression
card
Experimental network
of a bank in China
No service impacts
Data compression without
affecting services
Easy deployment
Stateless data
decompression
Ultra-high performance
160 Gbit/s throughput
Efficient compression
Enhanced compression algorithm,
enabling 30%+ data reduction
The lz4 and zstd algorithms are used to compress data
to increase the data transmission volume.
Source IP
address
Destination
IP address
Compression
flag
Source and
destination
ports
Compressed data
Built-in
Huawei-
exclusive
OPEX reduction
CNY 30 million
per year
Data reduction
30%
Industry's Only DCI WAN Data Compression Solution,
Reducing Bandwidth by 30%+
AS IS
Inter-cloud traffic increases, and capacity
expansion costs are high.
TO BE
Enhanced compression algorithm and
efficient data compression
Customer benefits
Highlights of the Financial WAN Solution
Energy
efficiency
30% less
energy
consumption
Any topology
Carrier-class
protection
End-to-end
MACsec/IPsec
High security and reliability
Industry-leading
financial DCI router
NetEngine 8000 X4
SRv6-based
intelligent traffic
steering
Service provisioning
within minutes
APN6-based
application-level
assurance
Intelligent identification
and scheduling of apps
NetEngine 8000 M1D-B
High cost-effectiveness compared
with similar products
Branch access router
Bandwidth compression by 37%
VSUI-400
Industry's first WAN
compression service board
Data
center
Data
center
Data center
Outlet
Outlet
Outlet
Outlet
Three data centers
in two cities
Cloud
access Cloud
access
Stable
High security and reliability
Agile
Quick service rollout
Outlet
Railway Services and Market Opportunities for Routers
Base station
Interlocking
SCADA
CTC
CCTV
OA
Office
phone
Dispatch
phone
Tickets PIS
Video
conference
WIFI
Service types Opportunities Solution marketing guidance strategies
Integrated information
network
Dispatch
center
Data center
Railway signal
bearer network
SCADA server
Vehicle-ground
communication network
BSC Core network
◼ Heavy traffic and large network scale are
main application scenarios of routers.
◼ Guide customers to use the NetEngine 8000
series solution to carry all services on a
unified network.
◼ Currently, industrial switches and dual-
plane architecture are used.
◼ Guide customers to use an integrated
information network as the backup plane
or unified bearer network.
◼ Generally, SDH devices are used on the
current network.
◼ Guide customers to use IP solutions instead
of SDH solutions.
Access
network
IP multi-service bearer network Dispatch
center
Monitoring
Office
Travel
uniform
SCADA
CTC dispatch
center
Data center
NMS
CCTV
monitoring
center
Station interlocking
SCADA
Dispatch
phone
RBC
GSM-R base
station
Counter-terrorism
committee
GSM-R base
station
BSC
CCTV
Signaling
Dispatching
GSM-R/
LTE-R
Railway IP Multi-Service Network Architecture and Applicable Routers
• A universal railway bearer network can be divided into three
layers: core layer (regional center), aggregation layer (large
station), and access layer (small station).
• Considering the high reliability requirements of railway services,
the access layer of GSM-R uses dual-plane networking. Two PEs
are deployed for each site to provide redundancy protection.
• Small stations are directly connected through optical fibers.
Every four to six small stations are grouped into a ring network,
which connects to the aggregation station. Aggregation stations
can form an aggregation ring, which connects to the regional
control center.
NetEngine 8000 X4
NetEngine 8000 M14 NetEngine 8000 M8
NetEngine 8000 X8
Cores/Centers
Aggregation
sites
Access sites
NetEngine 8000 M6 NetEngine 8000 M1C
Railway bearer network architecture
Routers applicable to railway bearer networks
Data
NetEngine A821E
Railway Service Deployment Solution
CCTV
OA
Dispatch
phone
SCADA
Software
Access PE Aggregation PE
GSM-R
OCC
Core PE
Software
Signal
Dispatch center Dispatch center
Network
control plane
Service
control plane
OAM plane
SRv6 TE Policy
SRv6 TE Policy
SRv6 TE Policy
SRv6-BE/
SRv6 TE Policy
IS-IS Level2
SRv6-BE/SRv6 Policy
GSM-R slicing: EVPN L2VPN
Signal slicing: EVPN L2VPN
BFD
SCADA: EVPN L2VPN
Default slice (office, video surveillance,
and dispatch phone):
EVPN L3VPN/L2VPN
Unified OT/IT bearer solution
• Control plane
It is recommended that IS-IS L2 and SRv6
be used on the control plane, and that all
service slices share the IGP process of the
default slice. Slicing does not increase the
complexity of service configuration.
• Service plane
Use slicing and EVPN L3VPN/L2VPN to
isolate services. SCADA/Signal/GSM-R uses
separate slices and EVPN L2VPN for
service isolation. Other services use shared
single slices and EVPN L3VPN/L2VPN for
service isolation.
• Protection
SRv6-BE and SRv6 Policies are supported.
SRv6-BE supports TI-LFA protection. SRv6
Policies support TE FRR, TI-LFA, and
mirroring protection. BFD is used for
millisecond-level detection.
Power
generation
Power
distribution
Power
transmission and
distribution
Group
company
Headquarters
Office
building
Service center
• Power dispatching IT
platform
• MIS IT platform
• Security monitoring for
power plant campuses
• Transmission and transformation
communication network for a
smart grid (90% SDH)
• Integrated data communication
network
Distribution automation
communications network
• xPON/wireless/Internet
backhaul
• IT platform of distribution
automation master station
• Power IoT
OT IT
• Off-grid PV
• Value-added service
(power broadband
operation)
Others
Two opportunities: power transmission and transformation communications network, power broadband operation
Electric Power Services and Market Opportunities for Routers
Integrated data communication network
• Data center construction (ERP)
• Campus network and security
monitoring
• New DWDM (DCI)
• Collaborative office (UC & VC)
• Call center
Distribution and
transformation
Power WAN Solution and Applicable Routers
Relay
protection
SCADA
Video
surveillance
Dispatch
phone
WAMS
Office
phone
Office
automation
Slice 1: various office services
Slice 2: video surveillance
Slice 3: SCADA, WAMS, and dispatch phone
Slice 4: relay protection and WAPS
All-in-one device: supports low-
speed interfaces (G.703 64 kbit/s,
C37.94, and RS232), reducing TCO.
Unified O&M: NCE manages power
transmission and transformation
network devices in a unified manner.
1 Assurance for SLA of key services:
Ensure the SLA of key services and
support 1G FlexE to implement
OT/IT physical isolation.
2
3
IT services
OT service
WAPS
Power plant Dispatch center
Substation
Access sites
NetEngine 8000 M6/M1C
Aggregation sites
NetEngine 8000 M8
Core sites:
NetEngine 8000 M14
SRv6/EVPN: Simplified protocols and
simplified service deployment
4
Service core
Power Broadband Operation Solution
IPTV
VOD/livecast HE
NGN/IMS
PC
OLT
ONT
VoIP
Set top box (STB)
Terminal
Small- and medium-
sized enterprise DSLAM
Enterprise
Switch
Power
distribution room Dispatch center
Base station Microwave
Base station
Internet
Automated
scheduling
SLA
assurance
Proactive
O&M
Intelligent O&M
• Full-lifecycle automation
• IFIT: real-time service
visualization and minute-level
troubleshooting
• Intelligent optimization of
network paths
SLA commitment
• FlexE-based slicing, ensuring
bandwidth
• SRv6-based intelligent traffic
steering, committed latency
Simplified protocols and ultra-
broadband
• SRv6-based routing protocol
simplification, enabling fast
provisioning of services through NCE.
• Ultra-broadband: E2E (aggregation
to core) 100 Gbit/s or 400 Gbit/s
substation
NetEngine 8000
F1A/A821E/M1C/M6
NetEngine 8000
M8/M14
NetEngine 8000
M14/X4/X8
Highlights of the Power WAN Solution
Multi-rate
ports
64K to 100GE
Stepless bandwidth
adjustment
Jitter ≤ 100 μs
MACsec
encryption
10 Gbit/s FlexE, industry-leading low latency
SDN
Automated O&M
SRv6-based intelligent
traffic steering
Intelligent traffic steering based
on latency and bandwidth
1 Gbit/s to 100 Gbit/s
FlexE slicing
NetEngine 8000 M
Security and stability Intelligence & agility
Dispatch center
Substation
Power plant Substation
Communication network for power
transmission and transformation
Summary
⚫ Our customers:
 ISP, government, power, transportation, etc.
⚫ Customer requirements on the WAN:
 High bandwidth
 High availability
 Easy O&M
⚫ Huawei NetEngine series:
 NetEngine 8000 and NetEngine 40E series
⚫ Highlights of Huawei solutions:
 SRv6
 FlexE
 IFIT + iMaster NCE
Contents
1. Scenarios and Trends
2. Introduction to Huawei Routers
3. Industry Application Solutions for Huawei Routers
4. Reference Documents for Huawei Routers
The Market Share of Huawei's NetEngine Routers Ranks
No.1 in the World
[Figure: market share (0% to 40%) by quarter, 4Q20 to 4Q21, for Vendor C, Vendor J, Huawei, and Vendor N. Source: Omdia © 2022 Omdia]
References for Huawei NetEngine Series Routers
Detailed introduction materials
https://e.huawei.com/en/material/MaterialList
Product overviews
https://e.huawei.com/en/products/enterprise-networking/routers
NetEngine 8000 series product documentation
https://support.huawei.com/enterprise/en/routers/netengine-8000-pid-252772223
Intent-driven IP solution
https://e.huawei.com/en/solutions/business-needs/enterprise-network/CloudWAN/intent-driven-ip
Quiz
1. What technology is used for "one-fiber multipurpose transport" in the CloudWAN
3.0 solution?
2. Which Huawei enterprise router is the lowest-specification device
that supports FlexE?
3. What is the maximum forwarding capability of the main control board on the
NetEngine 8000 M series routers?
Copyright©2022 Huawei Technologies Co., Ltd.
All Rights Reserved.
The information in this document may contain predictive
statements including, without limitation, statements regarding
the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
Bring digital to every person, home, and
organization for a fully connected,
intelligent world.
Thank you.
Huawei Network Security Products and Solutions
Presales Training
Foreword
⚫ With the development of network information technologies such as the Internet, Internet of Things (IoT), big data,
and cloud computing, thousands of industries are accelerating their digital transformation. Moreover, ubiquitous
connectivity has made service cloudification, remote office, and mobile access of massive terminals available, breaking
the network access boundary for people, devices, and services. This also leaves the network highly exposed to security
threats. Worse yet, advanced network threats, such as advanced persistent threats (APTs) and zero-day
vulnerabilities, are on the rise. Against this backdrop, how to effectively and efficiently defend against network
security threats has become a key issue facing enterprises.
⚫ During traditional network security construction, firewalls are mainly used for border isolation. Security policies are
configured to control service access and isolate threats. This approach fails to meet the requirements for dynamic network
security defense, proactive defense, and multi-node collaborative defense amid new network threats.
⚫ On completion of this course, you will be able to understand the current situation and trend of network security,
understand the basic knowledge about network security products and security technologies, and get familiar with the
technical advantages of Huawei network security products and solutions.
Objectives
⚫ On completion of this course, you will be able to:
 Understand the current situation and development trend of network security and get
familiar with common network security products and basic knowledge
 Understand Huawei network security products, product functions and features, as well as
the major sales scenarios
 Understand the technical features and applicable scenarios of Huawei security solutions
Contents
1. Network Security Overview
2. Huawei Security Product Overview
3. HiSec Solution
Overview and Objectives
⚫ This chapter describes the current situation and development trend of
network security, as well as the basic concepts and knowledge of network
security. After learning this chapter, you will be able to:
 Understand the current situation and development trend of network security
 Get familiar with the basic knowledge of network security products
Development Trend of Network Security Threats
Hacker organizations with clear business or political motives, clear attack targets, and advanced attack methods
Showing off expertise
Organized crime
Business
Individual hackers:
Showing off expertise
and spoofing
Industry chain:
Money, theft/damage
Hackers backed by organizations or governments
Business/Political requirements, interception/theft/damage
Worms
Trojan
horses
Web
threats
APTs
Botnets
Mobile
threats
Motiveless
network attacks
Common targeted
network attack
APTs
Viruses
Social engineering attacks
and zero-day vulnerabilities:
Targeted APTs
Internet access:
Random virus/Trojan
horse infection
Web vulnerabilities:
Active web attacks and DoS attacks
Capabilities and
motives of hackers
Attack methods
and targets
✓ Huawei firewall: has been listed in
Gartner Magic Quadrant since 2013
✓ Listed in Gartner's Challengers quadrant
for 5 consecutive years
✓ Listed in Gartner Magic Quadrant for 9
consecutive years
Gartner Magic Quadrant (Challengers) Gartner Peer Insights Customers' Choice
✓ Huawei firewall: recognized as Gartner
Peer Insights Customers' Choice in 2021
✓ Comprehensive score of Huawei firewall:
4.9/5, ranking No. 1 among all global
vendors
"Strong Performer" in Forrester
Wave™ Report
Huawei Security Products, Leading the Industry with Multiple
Authoritative Awards
Full score in multiple indicators, such as
automatic malware analysis, intrusion
prevention and detection, TLS decryption, and
SOC-based automated analysis.
Huawei Enterprise Security Product Portfolio
Anti-DDoS
Controller
Firewall
SecoManager
Security Controller
AntiDDoS1905
Fixed-configuration
anti-DDoS
Desktop firewall
USG6510E
USG6530E
USG6575E-B
USG6605E-B
Bypass device
High-end fixed-
configuration
USG6680E
USG6712E
USG6716E
USG6525E
USG6555E
USG6565E
USG6585E
Entry-level and mid-
range fixed-
configuration
USG6600 series
USG6650E
USG6630E
USG6610E
USG6620E
AntiDDoS1908
USG6615F
USG6625F
USG6635F
USG6655F
USG6710F
USG6715F
USG6725F
USG12008
AntiDDoS12004-F
USG12004
Modular firewall
USG12004-F
USG12008-F
AntiDDoS12004
AntiDDoS12008
Modular anti-DDoS
AntiDDoS12008-F
USG6685F
Entry-level and mid-
range fixed-
configuration
USG6500 series
Contents
1. Network Security Overview
2. Huawei Security Product Overview
• USG Firewall
• Anti-DDoS
• SecoManager
3. HiSec Solution
Overview and Objectives
⚫ This chapter describes the types, functions, technical advantages, and major
sales scenarios of Huawei network security products. After learning this
chapter, you will be able to:
 Understand Huawei network security capabilities and products
 Understand the benefits and highlights of Huawei network security products
 Understand common sales scenarios of Huawei network security products
Huawei Next-Generation Firewalls
USG6712E, 120 Gbps, 1 U, 2 x 100GE + 2 x 40GE + 20 x 10GE + 2 x 10GE, HA
USG6716E, 160 Gbps, 1 U, 2 x 100GE + 2 x 40GE + 20 x 10GE + 2 x 10GE, HA
USG6565E, 6 Gbps, 1 U, 2 x 10GE + 8 x GE combo + 2 x GE WAN
USG6555E, 4 Gbps, 1 U, 2 x 10GE + 8 x GE combo +2 x GE WAN
USG6525E, 2 Gbps, 1 U, 2 x 10GE + 8 x GE combo + 2 x GE WAN
USG6610E, 10 Gbps, 1 U, 12 x GE (RJ45) + 8 x GE (SFP+) + 4 x 10GE (SFP+) + 1 x USB3.0
USG6630E, 30 Gbps, 1 U, 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE + 1 x USB3.0
USG6650E, 40 Gbps, 1 U, 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE + 1 x USB3.0
USG6530E, 4 Gbps, Desktop, 4 x GE + 2 combo, 2 x 10GE + 10 x GE (RJ45)
USG6510E, 1.2 Gbps, Desktop, 2 x GE (SFP) + 10 x GE (RJ45)
USG6620E, 20 Gbps, 1 U, 12 x GE (RJ45) + 8 x GE (SFP+) + 4 x 10GE (SFP+) + 1 x USB3.0
USG6680E, 80 Gbps, 1 U, 4 x 40GE + 28 x 10GE + 2 x 10GE, HA
USG6585E, 9 Gbps, 1 U, 2 x 10GE + 8 x GE combo + 2 x GE WAN
USG12004, 960 Gbps, 9.8 U, 40GE,100GE
USG6510E-POE, 1.2 Gbps, Desktop, 2 x GE (SFP) + 10 x GE (RJ45), GE0/0/0-GE0/0/3 support PoE
USG6635F, 35 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+) + 1 x USB3.0
USG6615F, 15 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 4 x GE (SFP) + 6 x 10GE (SFP+) + 1 x USB3.0
USG6625F, 25 Gbps, 1 U, 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE + 1 x USB3.0
USG6685F, 80 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+)
USG6655F, 50 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+) + 1 x USB3.0
USG6710F, 100 Gbps, 1 U, 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 8 x 25GE (ZSFP+) + 20 x 10GE (SFP+)
USG6715F, 160 Gbps, 1 U, 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 8 x 25GE (ZSFP+) + 20 x 10GE (SFP+)
USG6725F, 240 Gbps, 1 U, 4 x 100GE (QSFP28) + 16 x 25GE (ZSFP+) + 8 x 10GE (SFP+)
USG12004-F, 400 Gbps, 8 U, 40GE, 100GE
USG12008-F, 800 Gbps, 13 U, 40GE, 100GE
USG12008, 2.4 Tbps, 15.8 U, 40GE, 100GE
License
• USG12000 performance expansion license: 20 Gbit/s
• Virtual system (vSYS) license: 10 vSYSs are provided for free. The
number of virtual firewalls for expansion ranges from 5 to 4000.
• Number of concurrent SSL VPN users: 100 users are provided for
free. The number of users for expansion ranges from 100 to
20,000.
• Threat prevention service life, including intrusion prevention
system (IPS), antivirus (AV), and URL filtering
IPS/AV board (100 Gbps)
4 x 100GE + 24 x 10GE
Expansion card 1
Firewall board (480 Gbps)
Expansion card 2
Expansion module
2 x 100GE + 24 x 10GE
48 x 10GE
18 x 100GE
Proper Hardware Design, High Reliability, and Higher Energy
Efficiency, Ideal for Future-Proof Equipment Rooms
• Automatic power consumption adjustment based on the interface
working status, reducing power consumption by 30%
• Adaptive Voltage Scaling (AVS) for the core components,
effectively reducing power consumption
Intelligent frequency conversion,
saving more power
Solid-state drives (SSDs) and
hard disk drives (HDDs) both
available, meeting log storage
requirements
Flexible hard disk combination Various interfaces
• Bypass interfaces available on the
USG6000E-B model, ensuring link connection
even in device power-off scenarios
• Flexible selection of 10GE and GE interfaces
• Downwardly adaptive, enabling more
flexible applications
• Front-to-rear airflows, meeting data
center (DC) requirements
• 1 U in height, saving rack space
Dedicated for DCs
• Multiple fan modules for redundancy,
supporting hot swapping
• Dual power modules for redundancy,
supporting hot swapping
Model | USG6510E | USG6530E | USG6525E | USG6555E | USG6565E | USG6585E | USG6575E-B | USG6605E-B
Interface | 2 x GE (SFP) + 10 x GE | 2 x 10GE (SFP+) + 10 x GE | 2 x 10GE (SFP+) + 8 x GE combo + 2 x GE WAN | 16 x GE (RJ45) + 8 x GE combo + 2 x 10GE (SFP+)
Firewall Throughput | 1.2 Gbit/s | 4 Gbit/s | 2 Gbit/s | 4 Gbit/s | 6 Gbit/s | 9 Gbit/s | 7 Gbit/s | 10 Gbit/s
Full Protection Throughput (Real-world) | 0.3 Gbit/s | 0.6 Gbit/s | 0.6 Gbit/s | 0.8 Gbit/s | 0.9 Gbit/s | 1 Gbit/s | 1 Gbit/s | 1.4 Gbit/s
IPsec VPN Throughput | 1 Gbit/s | 3 Gbit/s | 2 Gbit/s | 4 Gbit/s | 6 Gbit/s | 6 Gbit/s | 6 Gbit/s | 6 Gbit/s
Form | Desktop | 1 U
Storage | Optional, 64 GB/128 GB micro-SD card supported | Optional, M.2 card supported, 64 GB/240 GB | Optional, M.2 card supported, 240 GB | Optional, 2.5-inch SSD/HDD supported, 240 GB for SSD and 1 TB for HDD
Power Module | Adapter | Dual power modules (optional) | Dual power modules (optional)
Airflow | Natural heat dissipation | Front-to-rear airflow
Fan Module | None | Standard pluggable fan module
-USG6000E-B: A hardware bypass model with two electrical bypass interface pairs, providing higher reliability.
USG Series Firewalls Supporting Lower Than 10 Gbit/s: Huawei
HiSecEngine USG6000E Series Firewalls
Model | USG6610E | USG6620E | USG6630E | USG6650E | USG6680E | USG6712E | USG6716E
Interface | 12 x GE (RJ45) + 8 x GE (SFP) + 4 x 10GE (SFP+) | 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE | 4 x 40GE (QSFP+) + 28 x 10GE (SFP+), 2 x 10GE (SFP+) HA1 | 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 20 x 10GE (SFP+) + 2 x 10GE (SFP+) HA2
Firewall Throughput | 12 Gbit/s | 20 Gbit/s | 30 Gbit/s | 40 Gbit/s | 80 Gbit/s | 120 Gbit/s | 160 Gbit/s
Full Protection Throughput (Real-world) | 4.8 Gbit/s | 4.8 Gbit/s | 6 Gbit/s | 6 Gbit/s | 12 Gbit/s | 16 Gbit/s | 18 Gbit/s
IPsec VPN Throughput | 10 Gbit/s | 20 Gbit/s | 20 Gbit/s | 30 Gbit/s | 70 Gbit/s | 100 Gbit/s | 120 Gbit/s
Form | 1 U
Storage | Optional, 2.5-inch SSD/HDD supported, 240 GB for SSD and 1 TB for HDD
Power Module | Dual power modules (optional) | Dual power modules (standard)
Airflow | Front-to-rear airflow
Fan Module | Standard pluggable fan module
USG Series Fixed-Configuration Firewalls Supporting Higher Than
10 Gbit/s (1/2): Huawei HiSecEngine USG6000E Series AI Firewalls
USG Series Fixed-Configuration Firewalls Supporting Higher Than
10 Gbit/s (2/2): Huawei HiSecEngine USG6000F Series AI Firewalls
Model | USG6615F | USG6625F | USG6635F | USG6655F | USG6685F | USG6710F | USG6715F | USG6725F
Interface | 8 x GE combo + 4 x GE (RJ45) + 4 x GE (SFP) + 6 x 10GE (SFP+) | 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+) | 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 8 x 25GE (ZSFP+) + 20 x 10GE (SFP+) | 4 x 100GE (QSFP28) + 16 x 25GE (ZSFP+) + 8 x 10GE (SFP+)
Firewall Throughput | 15 Gbit/s | 25 Gbit/s | 35 Gbit/s | 50 Gbit/s | 80 Gbit/s | 100 Gbit/s | 160 Gbit/s | 240 Gbit/s
Full Protection Throughput (Real-world) | 4 Gbit/s | 5 Gbit/s | 7 Gbit/s | 8 Gbit/s | 8 Gbit/s | 16 Gbit/s | 16 Gbit/s | 24 Gbit/s
IPsec VPN Throughput | 15 Gbit/s | 25 Gbit/s | 30 Gbit/s | 30 Gbit/s | 30 Gbit/s | 40 Gbit/s | 45 Gbit/s | 65 Gbit/s
Form | 1 U
Storage | Optional, 2.5-inch SSD/HDD supported, 240 GB for SSD and 1 TB for HDD
Power Module | Dual power modules (optional) | Dual power modules (standard)
Fan Module | 1+3, standard pluggable | 1+4, standard pluggable
Airflow | Standard front-to-rear airflow
Note: Some 100GE interfaces and 25GE interfaces on the USG6710F/USG6715F/USG6725F work as combo interfaces.
USG12000 Series Modular Firewalls, Providing Industry's
Highest Throughput
Model | USG12004 | USG12008
Firewall Throughput (Maximum) | 960 Gbit/s | 2.4 Tbit/s
IPsec VPN Throughput | 540 Gbit/s | 1 Tbit/s
Concurrent Session Number (Maximum) | 640,000,000 | 1,920,000,000
MPU Slot | 2 | 2
Service Expansion Slot | 4 | 8
LPU | 24 x 10GE + 4 x 100GE; 24 x 10GE + 2 x 100GE; 48 x 10GE | 24 x 10GE + 4 x 100GE; 24 x 10GE + 2 x 100GE; 48 x 10GE; 18 x 100GE
SPU | SPUs and expansion cards, threat prevention processing boards and expansion cards
Dimensions (H x W x D) (mm) | 436 x 442 x 905 (10 U) | 702 x 442 x 905 (16 U)
Airflow | Front-to-rear airflow | Front-to-rear airflow
1. Self-developed software, hardware, and core chips
2. Processing capability: single-slot 400 Gbit/s, outperforming competitors' single-slot 200 Gbit/s
3. Highest density of 100GE interfaces per slot and the 100GE interfaces are configured in 40GE, 4 x 25GE, or 4 x 10GE mode. The
10GE interfaces are backward compatible with GE interfaces.
USG12000-F Series Modular Firewalls, Ensuring
Cost-Effectiveness
Model | USG12004-F | USG12008-F
Firewall Throughput | 400 Gbit/s | 800 Gbit/s
IPsec VPN Throughput | 189 Gbit/s | 378 Gbit/s
Concurrent Session Number (Maximum) | 180,000,000 | 360,000,000
MPU Slot | 2 | 2
Service Expansion Slot | 4 | 8
LPU | 2 x 40GE/100GE + 12 x 10GE; 24 x 10GE | 2 x 40GE/100GE + 12 x 10GE; 24 x 10GE
SPU | SPUs and expansion cards, threat prevention processing boards and expansion cards
Dimensions (H x W x D) (mm) | 352.8 x 442 x 585.5 (8 U) | 575 x 442 x 585.5 (13 U)
Airflow | Front-to-rear airflow | Front-to-rear airflow
1. Self-developed software, hardware, and core chips
2. The 100GE interfaces are configured in 40GE, 4 x 25GE, or 4 x 10GE mode. The 10GE interfaces are backward compatible with GE interfaces.
How to Select a Desired Product for Campus Border Protection?
1. Actual throughput
when the firewall,
situational awareness
(SA), IPS, and AV
functions are enabled
together
2. Concurrent session
number (300 to 400
sessions/user)
3. Interface
4. IPsec throughput or
number of tunnels
Key parameters
If there is no specific requirement, refer to the throughput of the actual traffic.
Major Product Advantages
Excellent
performance
100% utilization of firewall's defense
capabilities, improving the unknown threat
detection performance by 5 times
Intelligent
defense
Simplified
O&M
Real-time handling of threats at the network
edge, ensuring an unknown threat detection
accuracy of over 99%
Security O&M based on service deployment and
policy changes, slashing OPEX by over 80%
Dynamic Resource Allocation to Service Modules by ASE,
Maximizing Resource Utilization
Dynamic memory allocation for IPS
Dynamic memory allocation for AV
Dynamic memory allocation for anti-DDoS
Memory pre-allocation for policy functions
Idle resources
To-Be
The Adaptive Security Engine (ASE) is used to dynamically allocate
CPU resources to service modules, maximizing resource utilization.
In addition, component-based function delivery is available.
Memory pre-allocation for IPS
Memory pre-allocation for AV
Memory pre-allocation for
policy functions
Idle resources
Memory pre-allocation
for anti-DDoS
As-Is
Resources are allocated to service modules in advance. The
resources are occupied and cannot be dynamically optimized.
The functions of each module must be delivered as a whole.
• The traditional mechanism allocates
CPU resources to each function
module in advance. Memory resources
are still reserved for function modules
even if the corresponding functions
are disabled. When the functions
require more resources, the memory
cannot be dynamically allocated.
• Component-based delivery is not
available. Therefore, compilation,
release, and restart must be
performed as a whole.
• Flexible resource scheduling:
ASE can dynamically schedule
processes based on CPU
resources and service traffic
to decouple content security
services, maximizing resource
utilization.
• Component-based delivery:
independent compilation,
release, deployment, restart,
and upgrade.
Content security features Network features
Extensive Security Database and Comprehensive Security Detection Capabilities
Defense against botnets, Trojan horses, and worms
⚫ Identified botnets: 500+
⚫ Identified worms and Trojan horses: 1000+
⚫ Accurate role identification capability based on botnet topology analysis technology
⚫ Zombie tool collection and analysis technology
Service awareness
⚫ Identified applications: 6000+
⚫ Full coverage of mainstream application protocols
⚫ Support encrypted P2P protocols, Web 2.0, mobile applications, and micro applications
⚫ Rapid response to customized requirements
Anti-malware
⚫ Multi-level protection technologies defending against hundreds of millions of viruses
⚫ Integrated intelligent technologies, detecting unknown viruses (through CDE)
⚫ Detection of 20+ types of malicious code carriers
⚫ Threat detection accuracy: over 99.9%
⚫ Real-time virus database update, covering popular high-risk malware
Intrusion prevention
⚫ 12,000+ signatures, 80%+ default blocking rate, and emergency patch update for vulnerabilities within 24 hours
⚫ Attack detection technologies based on vulnerability and behavior analysis
⚫ Anti-evasion technologies based on context semantic restoration
Web category (URL)
⚫ Main web category database capacity: > 160 million
⚫ Local high-performance self-learning hot database
⚫ Effective data matching rate: 96%+
⚫ Enterprise-level web categories: 100+
⚫ Real-time analysis of 500 million URLs on the cloud
Huawei security center: https://isecurity.huawei.com/sec/web/securityResearch.do#
Identification of 6000+ Applications in 57 Subcategories Under 5 Categories, Enabling Policy Control and Traffic Visualization
Policy control
▪ Application control, for example, denying the access to some services or allowing only the access to some services
▪ Bandwidth control, for example, limited rate of P2P applications
▪ Policy-based routing (PBR), for example, enterprise applications using ISP-A (high rate but expensive), and entertainment applications using ISP-B (unstable rate but cost-effective)
Traffic visualization
[Figure: application identification scenario on a USG6300E, with the categories Game, Media, Mail, and Map and the example applications Yahoo Mail, Lotus Notes, NaviGon, Warcraft, Facebook games, Google Maps, Youtube, and Facebook videos]
Cloud-based Intelligent Signature Production, Continuously
Improving the IPS Blocking Rate
High risks caused by the low blocking rate
➢ Small number of signatures, resulting in a limited detection scope of vulnerabilities
➢ Massive alarm information, requiring manual intervention
➢ Information leakage, privilege escalation, and Denial of Service (DoS) attacks caused by delayed blocking
Intelligent signature production + baseline learning
➢ Cloud-based intelligent signature production, improving production efficiency by 30 times
➢ Local baseline learning, improving IPS blocking accuracy
➢ Malware sample–based incremental learning, reversely training the detection engines
IPS blocking rate: 3x the industry average
➢ Industry average IPS blocking rate: 30%
➢ Huawei's current IPS blocking rate: 80%
➢ "Recommended" rating from NSS Labs
[Figure labels: App, Alarm, Block, Intelligent signature production, Malware samples, Non-malware samples, IPS/AV detection engine, Traffic baseline, Cloud + Intelligence]
12000+ IPS Signatures and 400+ Anti-evasion Methods, Building
Fast and Cost-Effective Intrusion Prevention Capabilities
Intrusion prevention capabilities
▪ Number of IPS signatures: 12,000+, covering 8000+ CVEs as well as 2000+ botnet, Trojan horse, and worm families
▪ Anti-evasion: 400+ anti-evasion methods, including traffic reassembly and application content identification
▪ Update frequency: once or more per week for regular updates and once per 24 hours for urgent updates
▪ Wide vulnerability information sources: commercial organizations, open-source organizations, and Huawei WeiRan Lab
▪ Default blocking rate of up to 80%, reducing alarm logs: the number of alarm logs to be analyzed is reduced by 40% to 60%, simplifying O&M
Vulnerability types and harm
▪ Vulnerability types: system vulnerability and application software vulnerability
▪ Attack methods: command line injection, remote code execution, cross-site attacks, brute-force attacks, etc.
▪ Bearer protocols: including HTTP, FTP, SMTP, and SMB
▪ Harm: DoS attacks, information leakage, and privilege escalation
Pre-attack
⚫ IP address scanning
⚫ Port address scanning
⚫ Software system scanning
⚫ Software vulnerability scanning
During attack
⚫ Inputting commands
⚫ Cross-site attacks
⚫ Remote code execution
⚫ Brute-force attacks
Post-attack
⚫ Malware planting
⚫ Controlling attacked devices
⚫ Transmitting data outwards
⚫ Changing a host to a zombie
[Figure labels: Security Competence Center, Signature database, Update, Server, OA, USG6000F, Attack traffic, Service traffic]
Self-Developed CDE Engine with Intelligent Algorithms,
Improving the Malicious File Detection Rate
[Chart: detection rates of Defense tool A, Defense tool B, Defense tool C, and Huawei CDE; values shown: 68% (Defense tool A), 91%, 92%, and 97% (Huawei CDE)]
✓ Average relative detection rate (30 days)
✓ Daily tests on the latest 500,000 samples by Huawei WeiRan Lab
✓ CNCERT captured 100+ million malicious programs in 2018.
✓ "DTStealer" virus attacks 100,000 users in just 2 hours.
✓ Data encrypted by ransomware is difficult to recover.
Huawei CDE
✓ Signature : Malicious file family = 1:N
✓ High detection speed, matching virus signature detection performance
✓ Capability of detecting unknown threats
Malicious family signature detection
Signature : Malicious file family = 1:1
Features:
✓ Slow detection speed
✓ Numerous detectable files
File hash detection
Signature : Malicious file = 1:1
Features:
✓ Fast detection speed
✓ Few coverage samples
Analyze massive samples to extract virus features.
Introduce the machine learning algorithm — PE Class 2.0.
Perform in-depth decoding of multiple types of files.
[Figure labels: CDE, Virus detection engine, Data type identification, Content extraction, Scanner]
Dynamic and Static Intelligent Uplink Selection Based on
Multiple Egress Links
Static intelligent uplink selection
⚫ User-defined weight, flexible traffic scheduling, and flexible combination of multiple static modes
⚫ Uplink selection by binding ISP address sets to interfaces
• Link weight
• Interface bandwidth
• Link priority (1 primary link + N secondary links)
Dynamic intelligent uplink selection
⚫ User-defined link SLA (latency, jitter, and packet loss rate) for optimal link selection to forward traffic
⚫ Application-based intelligent uplink selection
• Latency
• Jitter
• Packet loss rate
[Figure labels: ISP1, ISP2, Video, Traffic of file downloading]
High-Performance and High-Reliability IPsec VPN, Applicable to
Video Traffic Transmission and Multi-Branch Scenarios
Encrypted video traffic transmission
Scenario-specific requirements:
• Heavy video traffic requires high service processing performance.
• Encrypted transmission is required to improve transmission security.
IPsec VPN highlights:
• SM2/SM3/SM4 encryption algorithms, improving security
• Pattern matching engine–driven encryption, delivering 3x industry average performance
HQ-branch interconnection
Scenario-specific requirements:
• Multi-branch communication requires security assurance.
• Communication quality needs to be ensured.
IPsec VPN highlights:
• SM2/SM3/SM4 encryption algorithms, improving security
• IPsec intelligent traffic steering, ensuring communication quality
[Figure labels: SecoManager, DC, Video storage server, AIFW, Branch, IPsec encryption, IPsec decryption, Province A, Province B, VPN gateway, USG6300E, HQ, USG6000E]
Convenient, Secure, and Reliable SSL VPN, Meeting Remote Office Requirements
Convenience
Supports four access modes: web proxy, file sharing, interface forwarding, and network extension, enabling convenient and secure access to intranet resources.
Flexible authentication and precise control
Supports fine-grained permission control based on the type of resources to be accessed.
Potential risk elimination
Provides host check policies to check whether the operating systems, interfaces, processes, and AV software of remote user terminals meet security requirements, and provides the secondary jump prevention as well as anti-snapshot functions to eliminate security risks for remote user terminals.
[Figure labels: Office PCs, Intranet servers, Internet, Huawei AIFW, Internal network, Firewall]
[Figure: security policy dimensions 5-tuple, Application, Content, Time, User, Threat, and Action; identification of 6000+ types of applications; identification of 120+ file types; identification of 30+ types of file contents; 7 types of user authentication technologies; 140 million URLs; malicious codes; new threat identification; functions shown: IPS, AV, VPN, URL, DDoS, and bandwidth management]
Better User Experience: All-New Web UI, Enabling Threat Visualization
Newly added network threat scoring and kill chain visualization functions
Attack situation (IoC):
[Figure: kill chain stages Investigation, Penetration, C&C stagnation, Proliferation, and Compromise]
Attack details:
No. | Category | Event | Description | Impact | Source | Time | Details
1 | Investigation | Application scanning | Web scanning | Low | *.*.22.2 | 2020... | Report
2 | Penetration | SQL injection | SQL attempt | Low | *.*.22.2 | 2020... | Report
3 | Penetration | SQL injection | SQL executed | High | *.*.22.2 | 2020... | Report
4 | Penetration | Web backdoor upload | Trojan horse upload | High | *.*.22.2 | 2020... | Report
5 | C&C stagnation | Web backdoor command | Web backdoor command | High | *.*.22.2 | 2020... | Report
Multi-Branch Cloud-based Management, Easy to Use
Zero Touch Provisioning (ZTP)
Three steps for device management through iMaster NCE-Campus:
1. Obtain the IP address.
2. Log in to the Huawei Cloud DNS registration center and obtain the latest version of iMaster NCE-Campus.
3. Connect the device to iMaster NCE-Campus, which automatically delivers pre-configurations to the device.
[Figure: indicator states (default display status, steady on, blinks four times every second) shown for the following device states]
• The device has been connected to the cloud management platform.
• Data has been transmitted and received between the device and the cloud management platform.
• The device has accessed the cloud management platform.
• USB-based deployment has been completed.
• The system is reading data from the USB flash drive.
[Figure labels: Cloud management platform, iMaster NCE-Campus, Obtain the IP address of iMaster NCE-Campus, Managed by iMaster NCE-Campus]
Hardware usability
2 PoE+ or 4 PoE interfaces, ideal for power supply in small-sized branch scenarios
SecoManager integrated into iMaster NCE-Campus as an application
Configure and manage advanced security services, including IPS, AV, URL filtering, and anti-APT.
SecoManager
Firewall Management Modes
Web NMS
Reports
Commands
Major Application Scenarios of Huawei Network Security (1/3): Internet Border Protection
Challenges
• Intrusions through web and application vulnerabilities
• Intrusions through Botnets, Trojan horses, viruses, and malicious codes
• Phishing (through mails and web pages) and APTs
• Distributed denial-of-service (DDoS) attacks
• Bandwidth abuse, failing to ensure QoS for key services
Customer benefits
• Intrusion prevention: flow-based signature detection by the intrusion prevention signature database with 12,000+ signatures, causing approximately 0 false positives
• Antivirus: combination of application identification and virus scanning, detecting over 5,000,000 viruses
• Data breach prevention: identification and filtering for files and file contents transmitted through emails, HTTP, FTP, IM, and SNS, identifying 120+ file types, as well as restoring and filtering 30+ types of file contents
• Anti-DDoS: defense against multiple types of DDoS attacks
• Security performance: 10GE full-featured threat prevention performance, offering 40 Gbit/s at maximum
• Application-specific QoS optimization: identification of 6000+ applications, as well as application-based bandwidth limiting, minimum bandwidth guarantee, and PBR
• Detection of unknown threats: cloud-based sandbox detection technology and daily-updated signature database
• Intelligent management: automatic generation of the strictest security policies and easy optimization
[Figure labels: Internet, Firewall, Campus intranet]
Major Application Scenarios of Huawei Network Security (2/3): Secure Interconnection Between Subnets/Branches
Challenges
• Service data breach during transmission
• Intrusion behaviors of intranet users
• Virus spreading on the intranet
• Unauthorized access from internal personnel
• Resource abuse, occupying service bandwidths
Customer benefits
• VPN: IPsec, SSL VPN, and IPsec hot standby, ensuring zero service interruption. The DSVPN technology is also supported.
• Intrusion prevention, AV, and data breach prevention
• Application-specific QoS optimization: identification of 6000+ applications, as well as application-based bandwidth limiting, minimum bandwidth guarantee, and PBR
• Detection of unknown threats: cloud-based sandbox detection technology and daily updated signature database
[Figure labels: HQ LAN, WAN access zone, Firewall, IPsec VPN, WAN (private network), Branch, LAN]
Major Application Scenarios of Huawei Network Security (3/3): DC Security
Challenges
• Features to adapt to the cloud, such as elastic scaling, fast onboarding, and self-service
• Blurred network borders and escalated security threats
• Requirements for powerful processing performance, reasonable traffic management mechanism, and complete reliability mechanism
Customer benefits
• For different traffic of tenants, security resource pools and service traffic diversion can be used to provide north-south and east-west security services for tenants.
• Rich security capabilities: meeting the security protection requirements of cloud DC borders, tenant borders, and tenant intranets
• High performance: built-in NP acceleration engine, content mode matching engine, and encryption/decryption engine, offering high service processing performance
• High reliability: hot standby, effectively improving reliability
[Figure labels: Internet, Firewall, DDoS, Border leaf, Spine, Server leaf, VXLAN domain, SecoManager, Service-oriented integration]
Contents
1. Network Security Overview
2. Huawei Security Product Overview
• USG Firewall
• Anti-DDoS
• SecoManager
3. HiSec Solution
Huawei Anti-DDoS Solution Products and Services
Management center: SecoManager
• Installed on the server
• Used to configure defense policies and view reports
• Supports connections from RESTful APIs and Syslog to a third-party SOC
Detecting center (per-packet detection) and cleaning center products:
• HiSecEngine AntiDDoS12004: 400 Gbps (maximum)
• HiSecEngine AntiDDoS12008: 1.2 Tbps (maximum)
• HiSecEngine AntiDDoS1905: 40 Gbps (maximum)
• HiSecEngine AntiDDoS1908: 80 Gbps (maximum)
• HiSecEngine AntiDDoS12004-F: 300 Gbps (maximum)
• HiSecEngine AntiDDoS12008-F: 600 Gbps (maximum)
Huawei Anti-DDoS Solution Advantages
Superb performance
• NP-boosted hardware defense acceleration powered by collaborative processing with CPU, small-packet defense for boards at 200 Gbit/s, ensuring terabit-level defense for each standalone device
• Increased number of boards, delivering linear performance growth
• Highly reliable software and hardware platforms, enabling the stable running of devices for 5 years
Millisecond-level response
• Per-packet detection of all traffic and 60+ traffic models
• Millisecond-level attack response, fastest in the industry
• Instant blocking of pulse-wave attacks and heavy-traffic attacks, ensuring zero impact on services
Precise defense
• Intelligent 7-layer filtering capability + multi-dimensional machine learning, rapidly blocking 100+ attacks at the network and application layers, the most in the industry
• Behavior analysis + machine learning, accurately identifying CC attacks
• Unique defense engine that allows online upgrade, quickly responding to attack evolutions
Intelligent driving
• Attack-defense confrontation experience incorporated into expert policy templates, providing out-of-the-box availability
• Automatic defense effect evaluation and defense policy optimization
[Figure labels: NP, CPU, support.huawei.com, Huawei official website, Automatic defense policy optimization, Real-time defense effect evaluation, Attack-defense confrontation, Attack process snapshots]
Superb Performance: Terabit-Level Defense for Each Standalone Device, On-Demand Defense Performance Expansion, and Optimal TCO
Hardware defense acceleration
• NP-boosted intelligent defense acceleration powered by collaborative processing with CPU, efficiently defending against heavy-traffic attacks
• Integration of multiple high-performance multi-core CPUs into boards
• Small-packet line-speed defense for boards
On-demand capacity expansion
• Traffic diversion on LPUs, ensuring service load balancing
• 10-fold expansion capability of the entire device
• On-demand capacity expansion, providing large-capacity protection with the lowest total cost of operations (TCO)
Terabit-level defense
• Up to 18 x 100GE LPUs and high-density interfaces
• Flexible deployment of 10GE, 40GE, and 100GE interfaces
• Terabit-level anti-DDoS capability of each standalone device
[Chart: anti-DDoS performance against number of SPUs, Huawei compared with the industry, with 1.2 T marked; figure labels: NP, CPU]
Millisecond-Level Response: Blocking Heavy-Traffic Attacks in Milliseconds Without Affecting Services
Terabit-level attacks with sharply increased traffic in minutes, challenging the response speed of defense systems
Millisecond-level attack response with zero impact on services
• Per-packet detection of all traffic and 60+ traffic models
• Millisecond-level attack response, fastest in the industry
• Instant blocking of pulse-wave attacks and heavy-traffic attacks, ensuring zero impact on services
Precise Defense: Intelligent 7-Layer Filtering Capability of CPU + AI, Filtering 100+ Attacks Layer by Layer
Intelligent 7-layer filtering capability
• Intelligent 7-layer filtering capability + multi-dimensional machine learning, rapidly blocking 100+ attacks at the network and application layers, ensuring service continuity
• Multi-dimensional source access behavior analysis, accurately identifying high-frequency CC attacks, as well as defending against encrypted attacks without decryption, delivering high performance
• Cluster analysis algorithm for machine learning, accurately identifying low-frequency CC attacks
• Comprehensive defense, protecting key service systems including web, app, and DNS
• IPv4/IPv6 dual-stack defense technology, facilitating smooth IPv4-to-IPv6 transition
AI-powered detection engine and cluster analysis algorithm, accurately identifying robot access
[Figure labels: AI-powered detection engine, Learning result application, BOT]
Intelligent Driving: Expertise + Intelligent Technology Enablement, Out-of-the-Box Availability, and Intelligent Driving During Whole Defense Process
Deployment for rollout (defense policy templates)
Attack-defense confrontation experience incorporated into expert policy templates, providing out-of-the-box availability
Service learning (defense policy self-learning)
Multi-dimensional service traffic model learning and automatic defense threshold setting
Intelligent defense (automatic defense policy optimization)
Attack-based dynamic defense policy optimization, ensuring service continuity
Attack source tracing (attack event backtracking)
Data archiving and retention for backtracking after attacks
• Attack handling time reduced from minutes to seconds: > 10 min to < 30s
• Collection of traffic statistics on attack ranges reduced from minutes to seconds: 5 min to 10s
• Attack defense automation rate increased to 99%: 45% to 99%
Note: ratio of automatically handled attack events to total attack events
[Figure labels: Real-time defense effect evaluation, Automatic defense policy optimization, Attack-defense confrontation, Attack process snapshots]
Flexible Deployment Across Multiple Scenarios
In-path deployment (transparent access supported) (Small and medium-sized enterprises)
• Simple networking, blocking attacks in real time
• The cleaning device is deployed in in-path mode in the upstream of the firewall and supports transparent access (applicable to scenarios where the firewall or load balancer replaces the router as an egress gateway).
• Connection of the bypass card in serial mode, enhancing reliability
Off-path dynamic traffic diversion and injection (Finance/Government/Carrier)
• Zero impact on the original network architecture, requiring simple maintenance
• Replacement of optical splitters through router interface mirroring on small-scale networks
• Only attack traffic is diverted to the cleaning device for cleaning. This prevents full traffic processing from consuming forwarding resources in heavy traffic scenarios.
• Per-packet detection and cleaning, responding to attacks within 3s
Off-path static traffic diversion and injection (IDC)
• Static traffic diversion and injection, responding to attacks in milliseconds
• Improved traffic diversion performance through static traffic diversion, effectively defending against attacks (especially carpet-bombing attacks)
* The firewall does not support traffic diversion and injection.
* The firewall is deployed in the downstream of a traffic diversion device.
[Figure labels: Internet, Anti-DDoS cleaning center, Anti-DDoS detecting center, Optical splitter, Bypass, Enterprise network, Service zone, SecoManager, Recommended]
Panorama of SecoManager Capabilities
1. Tenant-oriented security policy and NE management capabilities, featuring large capacity and high performance
2. Policy configuration based on applications, services, and sites, automated policy deployment based on the service topology, and manual deployment of anti-DDoS policies
3. High level of network-security collaboration, handling threats within seconds
4. Compliance check and intelligent optimization of policies, identifying redundant and invalid policies
5. Post-event O&M, application visualization, and topology visualization
6. NAT log–based identity association and source tracing, enabling security audit and evidence collection, providing threat reports, and facilitating the formulation of corresponding protection measures
7. Log reporting through anti-DDoS devices, implementing automatic traffic diversion and blackhole routing. Homepage reports and special reports are used to quickly implement policy optimization and closed-loop management during attack-defense confrontations.
Platform — distributed basic service layer
1. Security policy/NE management: Policy management; Device management (firewall, IPS, anti-DDoS, etc.); Hot standby
2. Security policy orchestration: Security policy service; Service topology; Security resource pool
3. Security collaboration: VNFM collaboration; HiSec Insight collaboration; Network controller collaboration
4. Security policy optimization: Redundancy and hit analysis; Compliance check
5. Security policy visualization: Application visualization; Topology visualization
6. Device log management: NAT source tracing; Collection and storage of session logs and threat logs
7. Anti-DDoS management: Traffic diversion; Blackhole routing; Homepage report; Special report
[Other figure labels: Management, Control, O&M, Application policy, Partition policy, Site policy, Log report]
SecoManager Features
Unified management
• Unified management of multiple security devices, including firewalls, IPS devices, and anti-DDoS devices
• Centralized management of network-wide security policies
• Tenant-based service O&M
• Visualized device and policy deployment status
Automatic orchestration
• Application mutual access relationship mappings and application-based policy management
• Policy management based on customer service partitions
• Automated deployment of security services
Intelligent optimization
• Compliance check
• Policy redundancy analysis
Log management
• High-performance collection, query, and storage of session logs and threat logs
• Industry-leading NAT source tracing solution for identity association and source tracing, facilitating security audit and evidence collection
• Presentation of threat logs in reports, allowing users to view and compare threat log data from different dimensions
Network-wide collaboration
Network-security collaboration, closed-loop threat handling within seconds
Anti-DDoS management
• Responsible for the centralized management of anti-DDoS devices, configuration of defense policies, dynamic scheduling of anti-DDoS services, and presentation of service reports
• Identification of the real attack source IP addresses of botnets based on machine learning, enhancing defense against CC attacks
Collaboration Between the Security Controller and iMaster NCE-Fabric for Closed-Loop Handling of Threats
Closed-loop security collaboration
Collaboration between the HiSec Insight, iMaster NCE-Fabric, SecoManager, and the enforcers for real-time network-wide security situational awareness, effectively implementing closed-loop security collaboration
Precise detection of unknown threats
Precise detection of zero-day attacks and APTs, effectively responding to new network attacks
[Figure labels: Sandbox, HiSec Insight, SecoManager (security controller), Isolation/Blocking request, Isolation policy, Blocking policy, Host isolation, TOR, Switch, Router, Internet]
SecoManager Deployment Mode
Independent deployment
All features supported:
• Firewall management
• Anti-DDoS management
• Intelligent optimization
• Log management
• Open northbound API
Integrated deployment with iMaster NCE-Fabric
Features supported:
• Device management
• Service orchestration
• Automatic management
• Closed-loop collaboration
Integrated deployment with iMaster NCE-Campus
Features supported:
• ZTP
• Device management
• Security policy management
• Closed-loop collaboration
HiSec: Intelligent Security, Protecting a Fully Connected, Digital World
Intelligent detection
99%: Unknown threat detection accuracy
Intelligent handling
Within seconds: Threat response time
Collaboration between network and security devices, enabling proactive threat deception, and automatic closed-loop threat handling
Intelligent O&M
80%: Security O&M costs, OPEX
Based on automated service-policy mapping
[Figure labels: Analyzer, HiSec Insight, FireHunter, Controller, SecoManager, iMaster NCE, Identity controller, IAM, Threat intelligence, Enforcers, ICT infrastructure; scenarios: Safe city, e-Government cloud, Telco cloud, Scientific research enterprise, Manufacturing, Government security brain, Industrial park, ...]
USG6000E and USG6000F, Meeting Security Requirements of Medium- and Large-sized Campuses
Service security design
① Internet users access DMZ services.
② Employees/Guests access the DMZ.
③ Employees implement cross-VLAN mutual access.
④ Employees access the DC.
⑤ Employees access the DC through a WAN.
⑥ Employees implement intra-VLAN mutual access.
⑦ Employees access the DC through a VPN.
⑧ Employees/Guests access the Internet.
⑨ Guests/Internet users access the DC: forbidden.
USG6500E: 0.6 to 1 Gbit/s actual traffic, full-featured threat prevention
USG6635E: 4 to 6 Gbit/s actual traffic, full-featured threat prevention
USG6655E: 4 to 12 Gbit/s actual traffic, full-featured threat prevention
USG6700E: 15 to 18 Gbit/s actual traffic, full-featured threat prevention
After policy deployment, it is difficult to implement capacity expansion or changes on firewalls. Therefore, the performance must meet the requirements in the next 5 to 10 years.
[Figure labels: Internet, WAN, Router, NGFW1: IPS/VPN/AV/URL filtering/SA/NAT, NGFW2: IPS/AV, Core switch, Access switch, Wireless AC, NMS & controller, Storage, DMZ (FTP, DNS, Web page, Email, ...), DC (Office, ERP, and finance; HR, SCM, CSM, R&D...)]
Next-Generation Firewalls for Branch Security and Cloud Wi-Fi
Security challenges
1. Direct connection to the public network, resulting in high security risks
2. Poor experience of key services
3. Difficulty in carrying out marketing activities
4. Management problems caused by large campus scale
Solution
1. Cost-effectiveness and comprehensive protection
2. Refined traffic management, improving user experience; intelligent ISP link selection and optimal IPsec route selection
3. Simplified guest authentication, as well as portal and advertisement pushing
4. USB-based ZTP, enabling simple and centralized management
5. Cloud management, plug-and-play, and fast onboarding
[Figure labels: HQ campus (USG6600E), Branch 1 (USG6500E), Branch N (USG6500E), Cloud AP, NMS (optional), eLog, IPsec VPN, Internet, CloudCampus, ISP 1, ISP 2]
Enhanced Campus Security
Service security design
1. Configure policies to define the types of traffic to be reported to the sandbox for further detection.
2. After a policy is matched, the firewall restores the traffic to a file or transparently transmits the traffic to the sandbox.
3. The sandbox detects the file behavior or accesses the URL web page.
4. The firewall queries the detection result and saves the MD5 value of the file.
* All other firewalls synchronize the MD5 value to the local knowledge base.
[Figure labels: Internet/WAN, Router, Next-generation firewall (NGFW), Core switch, AP, NGFW (Branch 01), NGFW (Branch xx), Sandbox FireHunter6000]
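The four steps above, sketched as an added example (not code from the course or from any Huawei product): a firewall reports files of the configured types to a sandbox, stores the verdict under the file's MD5, and pushes it to peer firewalls. The Firewall and StubSandbox classes, the synchronous verdict lookup, the caching of both verdicts, and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample files: labelled byte strings, not real malware.
SAMPLE_DROPPER = b"MZ\x90\x00 constructed-sample: behaves-maliciously"
SAMPLE_DROPPER_VARIANT = SAMPLE_DROPPER + b"\x00"   # same file, one byte appended
SAMPLE_REPORT = b"%PDF-1.7 constructed-sample: quarterly report"


def md5_hex(data: bytes) -> str:
    """MD5 serves only as the file identifier named in step 4."""
    return hashlib.md5(data).hexdigest()


class StubSandbox:
    """Hypothetical stand-in for the sandbox. A real sandbox runs the file and
    observes its behaviour; this stub only looks for a constructed marker."""

    def __init__(self):
        self.submissions = 0
        self._results = {}          # MD5 -> "malicious" | "benign"

    def submit(self, data: bytes) -> None:
        self.submissions += 1
        verdict = "malicious" if b"behaves-maliciously" in data else "benign"
        self._results[md5_hex(data)] = verdict

    def query(self, digest: str) -> str:
        return self._results[digest]


@dataclass
class Firewall:
    name: str
    sandbox: StubSandbox
    report_types: frozenset                       # step 1: types reported to the sandbox
    knowledge_base: dict = field(default_factory=dict)        # MD5 -> verdict
    peers: list = field(default_factory=list, repr=False)     # firewalls to sync to

    def inspect(self, file_type: str, data: bytes):
        """Return (action, decided_by) for a file restored from traffic."""
        digest = md5_hex(data)
        cached = self.knowledge_base.get(digest)
        if cached is not None:                    # MD5 already known locally
            return ("block" if cached == "malicious" else "allow", "knowledge-base")
        if file_type not in self.report_types:    # policy does not cover this type
            return ("allow", "not-reported")
        self.sandbox.submit(data)                 # steps 2 and 3
        verdict = self.sandbox.query(digest)      # step 4: query and save the MD5
        self.knowledge_base[digest] = verdict
        for peer in self.peers:                   # other firewalls sync the MD5
            peer.knowledge_base[digest] = verdict
        return ("block" if verdict == "malicious" else "allow", "sandbox")


def run_demo():
    sandbox = StubSandbox()
    policy = frozenset({"exe"})
    hq = Firewall("HQ", sandbox, policy)
    branch = Firewall("Branch 01", sandbox, policy)
    hq.peers.append(branch)
    branch.peers.append(hq)
    results = [
        hq.inspect("exe", SAMPLE_DROPPER),              # first sight: sandbox decides
        branch.inspect("exe", SAMPLE_DROPPER),          # synced MD5: no resubmission
        branch.inspect("exe", SAMPLE_DROPPER_VARIANT),  # new MD5: cache miss
        hq.inspect("pdf", SAMPLE_REPORT),               # type outside the policy
    ]
    return results, sandbox.submissions


if __name__ == "__main__":
    print(run_demo())
```

The third result shows the limit of an exact-hash knowledge base: a one-byte variant has a new MD5, so it costs another sandbox run before any firewall can block it from the cache.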
DCN Security Scenarios
Traditional DC scenario
Solutions:
Mandatory: NGFW
Recommended: FireHunter, Anti-DDoS
Optional: HiSec Insight
SDN-DC scenario
Solutions:
Mandatory: NGFW, SecoManager
Recommended: FireHunter, Anti-DDoS
Optional: HiSec Insight
[Figure labels: Internet, Extranet (partner), WAN (other branch), Anti-DDoS, NGFW, Sandbox, SecoManager, eLog, eSight, Access zone, Core layer, Core switch, Spine, Service zone, Service zone 1, Service zone 2, Management, Service leaf, Management leaf, XXX leaf]
Quiz
1. Single-answer question: Which of the following statements about the number of signatures in the IPS
signature database and update frequency of Huawei security products is correct? ()
A. 12,000+, once a week, 24 hours for emergency patch update
B. 12,000+, once a day
C. 5000+, once a week, 24 hours for emergency patch update
D. 5000+, once a day
2. Multiple-answer question: Which of the following are advantages of Huawei anti-DDoS products? ()
A. Superb performance B. Millisecond-level response C. Precise defense D. Intelligent driving
Summary
⚫ This course mainly describes Huawei security products and solutions, as well as the
highlights and features of Huawei security products.
 Firewall: features such as content security monitoring, intelligent uplink selection, and
VPN, as well as major application scenarios
 Anti-DDoS products: superb performance, millisecond-level response, precise defense,
and intelligent driving
 SecoManager: unified management, automatic orchestration, intelligent optimization,
log management, anti-DDoS management, etc.
 HiSec security solution: intelligent detection, handling, and O&M
Recommendations
⚫ Info-Finder for one-stop query
 https://info.support.huawei.com/info-finder/search-center/en/enterprise/security
⚫ Security Product Documentation
 https://e.huawei.com/en/material/bookshelf/bookshelfview/20190907/8ff9ff846c51466f999e7f6ee01785a9
Copyright© 2022 Huawei Technologies Co., Ltd.
All Rights Reserved.
Huawei Pre-Sales Tools Introduction - SCT
Contents
⚫ Introduction of SCT
• General Introduction of SCT
• Common Functions of SCT
• Typical Cases
What is SCT
SCT is a Swift, Smart, and Simple online tool that makes configuration and quotation easier!
Product: Browse Huawei products
Quotation: Create quotations
⚫ Simple interfaces & steps
⚫ Smart configuration verification
⚫ Swift discount setting
⚫ All enterprise products are available
Advantages of SCT
Platform
1. Web-based; no installation is needed.
2. Unified platform that includes products of all product lines in EBG.
Product Display
1. Graphical product display.
2. Hot-selling and latest products are highlighted.
Select and Compare
1. Product Selector: select and locate the needed products quickly.
2. Product Comparison: similar products can be compared with each other.
Transfer
Configurations and quotations can be shared between partners and Huawei product managers.
Product Document
Various kinds of documents are automatically synchronized from the Huawei official website.
Glance at the SCT
SCT lets you view Huawei products and select suitable ones. SCT is also integrated with the ePartner system so that you can purchase Huawei products.
Select Huawei Products
• View Huawei Products
• View All Product Lines
• Browse Hot-selling or New Products
• Search for a Product
• View Product Details
• Compare Products
Purchase Huawei Products
• Create a quotation
• Setting Sites and Quantities
• Adding Configurations
• Set Discounts
• Submit to ePartner System
• Add and Configure Products, Spare Parts, or Services: Adding and Configuring Products, Adding and Configuring Spare Parts, Adding and Configuring Services
SCT Homepage displays the hot-selling and latest products.
Hot-selling products
Latest products
Browse Products (1)
The Product Details page displays detailed product information, including key features, technical specifications, bidding documents, etc.
Browse Products (2)
The product catalogue tree and the search menu on homepage are available to help you to locate the needed product quickly.
Product Catalogue Tree
Search Menu
Search for a Product
SCT lets you create a quotation in the following 3 ways:
1. Click ‘Quick Quotation’ on homepage.
2. Click ‘Create BOQ’ on My Quotation Tab.
Create a Quotation (1)
3. Add the needed products to the shopping cart and create a BOQ.
Create a Quotation (2)
Add products to
shopping cart.
Select the products
and create a quotation.
SCT lets you add the needed products to a quotation and configure the products in detail based on customers’ requirements.
Choose products.
Make detailed configuration.
Create a Quotation (2)
SCT lets you set commercial parameters, including trade types, product discounts, and part discounts, based on project requirements.
Set trade type & trade
coefficients.
Set product discount by discount
category or by part number.
Set Commercial Parameters
SCT lets you submit a BOQ to the ordering system or to other recipients for ordering.
Submit a Quotation
 Note:
• Submit by Business Type: Quote.
A Quote is a signatory application according to the configurations and terms of the project. It includes project basic
information, terms, configurations, discounts, quantities and delivery requirements etc. A quote can be converted to a
purchase order after it’s approved by Huawei.
• Submit to Recipient: After the quotation is submitted to the recipient, SCT notifies the recipient by email. The recipient can
apply for services such as promotion by using the quotation.
• Manual Review (Export DB): Manual review is used to manually upload quotations and DB files to the ePartner.
• Submit the logistics BOQ bidding volume estimation platform: The platform for estimating the logistics BOQ bidding
volume is used to forecast the weight and volume.
SCT lets you compare specifications between similar Huawei products. This helps you select the most suitable product.
① Click Compare to add the products
to the comparison area.
② Click Compare to check
the comparison result.
Compare Huawei Similar Products
Favorite Configuration
Commonly used configurations can be added to “Favorites” so that they can easily be added to other quotations later.
① Select product configuration and click ‘Add to Favorites’.
② Add configurations from favorites.
③ Share or export your favorite configurations.
① Click ‘Batch Edit’.
② Select the products.
Batch Edit Configuration
Configurations of products belonging to the same series can be edited in batches to improve efficiency.
③ Select batch edit products.
④ Modify the configuration of one product; the configuration of the other products can be modified together.
Batch Edit Configuration
SCT lets you view the lifecycle of a product when adding the product, and view the lifecycle of each part of a product in Config Result.
 Note:
• EOM: end of marketing. EOM date is the date of stopping accepting orders (for new equipment or system expansion).
• EOS: end of service. EOS date is the date when Huawei stops providing services associated with a product.
View the Lifecycle of Products & Parts
SCT lets you create a maintenance renewal quotation from historical project information with one click.
① Click ‘Maintenance Renewal’.
② Input a search condition, such as Contract No. or SN Barcode, to link with historical project information.
③ Based on the search result, configure the maintenance renewal type/level/duration, and click “Quote” to create a BOQ.
OR
Maintenance Renewal
SCT lets you create a software subscription renewal quotation from historical project information with one click.
① Click ‘Software’.
② Input a search condition, such as Contract No. or SN Barcode, to link with historical project information.
③ Based on the search result, configure New Feature/Upgrade/Expand, and click ‘Generate new Quotation’ to create a BOQ.
Software Subscription Renewal
SCT lets you configure products for DEMO. The discounts are fixed for DEMO products.
① Set basic information and set
BOQ Type as Demo BOQ.
② Search and add
DEMO products.
 Note:
• For demo BOQs, only demo products can be added. Services cannot be added to demo BOQs.
• The total amount and discount of demo BOQs are preset and cannot be changed.
• Demo BOQs support contract amendment, but the commercial setting cannot be edited during amendment.
Configure Demo Products
SCT can calculate customer discounts based on internal discounts and profit margins, or calculate internal discounts based on customer discounts and profit margins.
Internal discount off: the discount partners get from Huawei.
Customer discount off: the discount partners offer to customers.
Calculate ‘customer discount off’
based on ‘internal discount off’
and profit.
Internal Discount off and Customer Discount off
According to regional market situation and product price, Huawei provides the corresponding authorized discount for partners.
The authorized discount can be obtained from SCT directly.
Click ‘Apply Authorized Discount Off’.
Obtain Authorized Discount
The same discount category for different products can be edited in batches to improve efficiency.
The same discount type, such
as hardware, for different
products can be edited
together.
Batch Set Discounts
SCT lets you merge multiple quotations into one.
① Select the quotations to be merged.
② Click Merge Quotations.
 Note:
Quotations cannot be merged in the following cases:
• Quotations of different countries
• Quotations of different folders
• Quotations of different list price types
In addition, users who have only configuration permission cannot merge quotations.
Merge Quotations
Split a Quotation
SCT lets you split a quotation into hardware, software, and service parts, or into equipment and service parts.
① Click ‘Split’.
② Select split type.
③ Original quotation is split into a hardware BOQ, a software BOQ and a service BOQ.
 Note:
• Software BOQs contain only self-made software. Outsourced software belongs to the hardware BOQ.
• BOQs can be submitted, checked, and split in batches.
SCT can provide the estimated weight and volume of the BOQ, which can be used for logistics cost calculation.
① Submit for Logistics Estimation.
② Get the result by email.
Submit BOQ for Logistics Estimation
SCT lets you export a quotation to an Excel file. The contents of the Excel file can be customized.
① Click ‘Export’.
② Customize the contents of the Excel file and export.
Export a Quotation
SCT lets you share a draft BOQ with other SCT users. The original user retains the rights to the BOQ, and the recipient can copy the BOQ.
① Share multiple quotations
(maximum 20 each time).
① Share a quotation.
② Input the recipient and
validity time, choose whether
to share commerce info.
Share
SCT lets you hand over a submitted BOQ to other SCT users. The recipient gets all the rights to the BOQ, and the original user cannot view the BOQ after the handover.
① Click Business Handover.
② Choose the quotations.
③ Input the recipient and Apply.
Hand-over
Case 1 – Only Need Separate Items without Host
Choose “Expand” in Product Parameter instead of “New” if only separate items are needed.
Please select “Show EOM” if you need to configure the license of an EOM product. By default, EOM products are not displayed.
Case 2 – Configure the License of an EOM Product
Select “Show EOM”
Please choose other alternative product types or contact the local product manager to get the permission of the restricted products.
Cannot add the needed product to the BOQ.
Case 3 – The Needed Product without Permission
Case 4 – The Needed Part without Permission
Please choose other alternative items, or apply for restriction cancellation if there is no alternative.
Items in red are restricted.
Click to apply for restriction cancellation if there is no alternative.
Fill in the project information, application reason, etc.
Case 5 – Requirements of an AP (Access Point)
Access Points
No. of Simultaneous Radios: Operate in at least two radios, 2.4GHz and 5GHz, simultaneously that supports 4x4:4 Multi-User MIMO
Concurrent SSIDs: At least 30 numbers
Frequency Band:
  IEEE 802.11 b/g/n/ax: 2.4 – 2.4835GHz
  IEEE 802.11a/ac/ac wave 2/ax: 5.15 – 5.35GHz; 5.47 – 5.85GHz
Maximum data rate (Theoretical): 1148Mbps in the 2.4GHz and 2400Mbps in the 5GHz band
Max. e.i.r.p.:
  2.4GHz: ≤36dBm
  5GHz: ≤36dBm
Simultaneous Client Connections: At least 500
Network Interface: At least one Ethernet RJ45 port with speed 100/1000/2500Base-T, one Ethernet RJ45 port with speed 100/1000Base-T and one SFP+ port supporting 1GE/10GE
Internet Protocol: Support IPv4 and IPv6
Authentication and encryption: Support at least WPA2-PSK, WPA2-802.1X, WPA3-SAE
IoT Interface: Support BLE5.0
Operating Temperature: 0 – 65℃
Operating Humidity: 5% - 90 % (non-condensing)
Power Input: POE in compliance with 802.3-bt
Maximum Power Consumption: ≤55W
Physical Dimension: Not larger than 400mm (H) *250mm (W) *180mm (D)
Safety: EN 60950-1
Compliance: Wi-Fi Alliance Wi-Fi 6 Certified
Supporting Standards: 802.11e Wireless Multimedia (WMM), 802.11i
Mounting Type: Support wall mounted, and pole mounted
Operating Mode: Support Mesh/Repeating Mode
Case 5 – Choose a Suitable AP
Filter the suitable product types.
Check the detailed specifications of the
product.
Case 5 – Configure the AP
The host is configured by default. Some necessary installation accessories are included. You can click ? for details.
Choose the type of power supply:
None: PoE power supply is ready.
PoE power injector: A separate PoE power injector will be configured.
AC/DC: An AC-to-DC power adapter will be configured.
10GE optical modules.
Optional accessories; configure based on practical installation scenarios.
New software business mode (perpetual license + SnS). N1 mode is suggested if NCE-Campus or NCE-CampusInsight is needed in on-premises scenarios. The N1 Advanced Package needs to be configured if NCE-CampusInsight is needed.
Case 6 – Requirements of a Campus Switch
Distribution Switches
Switching Capacity: At least 2 TB
Forwarding Performance: At least 400 Mpps
Console Port: 1
Network Port: At least 24 numbers of GE SFP Ports, 8 numbers of 10/100/1000 Base-T Ports and 4 numbers of 10G SFP+ Ports
Link Aggregation: IEEE802.3ad
Flow Control: IEEE 802.3x flow control
Jumbo Frame: Maximum frame size of 9KB
VLAN: 4094
VLAN Virtual Interface: 8
DHCP: Server, Client, Relay
Layer 3 Routing: Static Routing, RIP, OSPF
Layer 2 Network Protocol: STP/RSTP/MSTP/Smart Link/G.8032 ERPS
Access Control List: Yes
Internet Protocol: Support IPv4 and IPv6
Multicast: IGMP v1/v2/v3 snooping
Management: Web-based interface, SNMP v1, v2c, v3
Operating Temperature: 0°C – 45°C
Storage Temperature: -20°C – 70°C
Operating Humidity: 5% - 95 % (non-condensing)
Voltage Input: 220VAC±10%, 50Hz±3%, with Redundant Power Supply
Maximum Power Consumption: 150W
Safety: CE or FCC
Physical Size: 1RU
Mounting Type: Support rack mounted
Case 6 – Choose a Suitable Switch
Filter the suitable product types.
Check the detailed specifications of the
product.
Case 6 – Configure the Switch
Choose the most suitable type from the list of hosts of the S5732 series based on the needed port type and quantity.
Configure the needed RTU license for some types of switches.
Select the quantity of power modules. Two power modules are supported for the S5732 series.
Configure the type of power cables.
Optional cards. Each S5732 switch can support 1 extra card.
Select ‘Expand’ if the host is not needed.
Case 6 – Configure the Switch
N1 Mode: New software business mode (perpetual license + SnS). N1 mode is suggested if NCE-Campus or NCE-CampusInsight is needed in on-premises scenarios. SnS must be configured.
Independent Sales Mode: Perpetual license, sold by function/feature.
Select the needed N1 package and optional Add-on package. You can click the ? to check the detailed features of each package.
Configure the time of SnS.
This switch VXLAN license needs to be configured when your project requires the switch VXLAN function but doesn't need NCE-Campus.
The VXLAN license is included in the N1 Advanced package, so there is no need to configure this license separately if the N1 Advanced package is configured.
Case 6 – Configure the Switch
Configure the quantities of electrical and optical modules:
1. Electrical transceivers are not needed for fixed RJ45 electrical ports; an electrical transceiver is used in an optical port for photoelectric conversion.
2. Optical/electrical transceivers need to be configured for optical ports.
Generally, a 10GE SFP+ Ethernet optical port supports auto-sensing to 1000 Mbit/s. It sends and receives service data at 1000 Mbit/s or 10 Gbit/s.
Not all 40G/100G optical modules support connection to 4x10G/25G. Please check the help information of the optical modules and the alarm information.
A 1GE/10GE/25GE SFP28 optical port sends and receives service data at 1 Gbit/s, 10 Gbit/s, or 25 Gbit/s.
A 40GE/100GE QSFP28 optical port sends and receives service traffic at 40 Gbit/s or 100 Gbit/s.
Case 6 – Configure the Switch
Configure the hybrid cable by meter. A hybrid cable is composed of optical fibers and copper cores. It is mainly used to connect an S5732-H48XUM2CC switch to an AP so that the switch can provide PoE power and transmit data for the AP at the same time.
Configure the quantities of high-speed cables for short-distance data transmission or stacking.
These high-speed cables have two optical modules with different rates. You can connect either the 40G or the 10G optical module to the switch. Make sure the other optical module is supported by the switch on the opposite side.
Case 7 – Requirements of an AR (Access Router)
Physical characteristics
They must have at least the following physical interfaces:
- At least 8 x 1Gbps ports.
- At least 6 x 10Gbps ports.
They must have at least 2 expansion slots.
They must have the following memory characteristics:
- At least 16 GB of RAM.
Performance characteristics
They must have the following performance characteristics:
- An enabled throughput of at least 8 Gbps.
They must be able to achieve growth in throughput of at least 10 Gbps without hardware upgrade.
Characteristics of layer 3
They must include support for the following layer 3 protocols enabled:
- RIP.
- OSPF.
- BGP.
- PIM-SM.
- Policy-based routing.
Security characteristics
They must support the following security features:
- Firewall.
- NAT.
- Termination of IPsec tunnels.
Case 7 – Choose a Suitable Router
Filter the suitable product types.
Check the detailed specifications of the
product.
Case 7 – Configure the AR
Select the type of control board. You can click ?
to check the differences of the 3 control boards.
SRU600H is needed based on the memory
requirement.
C13 AC power cable is used for the connection
of the host, while C7 AC power cable is used for
the connection to the POE adaptor of RU-5G.
Choose ‘Yes’ if power module backup is needed.
Choose the optional card for each slot based on
project requirements.
Case 7 – Configure the AR
The RU-5G-101 is a remote module for 5G/4G/3G wireless WAN access of the AR6000 series. The RU-5G-101 must be used with the routers and connected through network cables.
1. Independent sales mode: suggested if NCE-WAN/NCE-Campus is not needed.
2. SD-WAN N1 mode: suggested if NCE-WAN is needed to manage the AR routers in an SD-WAN solution.
3. CloudCampus N1 mode: suggested if NCE-Campus is needed to manage the AR routers and campus switches/AP/AC at the same time.
Choose the optical transceivers for the optical ports of the SRU600H and interface cards.
Configuring 2x POE adaptors and 2 arrestors is suggested for 1x RU-5G.

HCSA-Presales-IP+Network+V3.0+Training+Material.pdf

  • 1.
  • 2.
    Huawei Confidential 2 Foreword ⚫ Adata communication network consists of routers, switches, firewalls, wireless controllers, wireless access points (APs), personal computers (PCs), network printers, and servers. The most basic function of a data communication network is to implement data communication. ⚫ Nowadays, the data communication network has become the cornerstone of the intelligent world and an important support for the digital transformation of enterprises. ⚫ Before grasping an in-depth understanding of products and solutions in the data communication network field, you are expected to master common basic technologies and familiarize yourself with basic protocols. ⚫ This course introduces basic knowledge about the data communication network, including basic concepts of the data communication network, Internet Protocol (IP) routing, Ethernet switching, network security, wide area network (WAN) technologies, network management and O&M, and Quality of service (QoS).
  • 3.
    Huawei Confidential 3 Objectives ⚫ Uponcompletion of this course, you will be able to:  Describe the concepts and functions of the data communication network.  Describe the common networking architecture of the data communication network.  Describe common devices of the data communication network as well as their basic functions and application scenarios.  Describe the TCP/IP reference model and use this model to analyze the data encapsulation and decapsulation processes.  Describe basic concepts related to IP routing, Ethernet switching, network security, WAN technologies, network management and O&M, and QoS.
  • 4.
    Huawei Confidential 4 Contents 1. BasicConcepts of the Data Communication Network 2. IP Routing Basics 3. Ethernet Switching Basics 4. Network Security Overview 5. WAN Technologies 6. Network Management and O&M 7. QoS
  • 5.
    Huawei Confidential 5 End-to-End DataCommunication Industry CloudCampus CloudWAN General-purpose computing Storage High-performance computing Hyper-converged data center network (DCN) Network security End-to-end data communication industry • The data communication network comprises a variety of data communication devices. • The data communication network is the cornerstone for the digital world.
  • 6.
    Huawei Confidential 6 Concepts ofthe Data Communication Network ⚫ A data communication network consists of routers, switches, firewalls, wireless controllers, wireless APs, PCs, network printers, and servers. The most basic function of a data communication network is to implement data communication. Hotel AP Firewall Switch Central AP RU Wireless access controller (WAC) Enterprise Firewall Switch AP Firewall Switch Switch Switch Home network Campus network AR Micro-sized store AP Firewall AR WAN Internet WAN or Firewall Switch Higher education institution AP AP Switch Switch Local DC DCN Spine Leaf Internet access zone Intrusion prevention system (IPS) Firewall NE router Production environment zone Server Storage network Demilitarized zone (DMZ)
  • 7.
    Huawei Confidential 7 Simplest DataCommunication Scenario Ethernet twisted pair PC1 PC2 Application layer Transport layer Network layer Data link layer Physical layer Application layer Transport layer Network layer Data link layer Physical layer IP address Media access control (MAC) address IP address MAC address Layer 4 envelope Transport layer Layer 3 envelope Network layer Layer 2 envelope Data link layer Payload
  • 8.
    Huawei Confidential 8 Common NetworkDevices: Campus Switches • Is used to construct local area networks (LANs). • Connects terminals (such as PCs and servers) to networks. • Enables exchanges of Ethernet data frames. Switch A campus switch:
  • 9.
    Huawei Confidential 9 Common NetworkDevices: CloudEngine S Series Campus Switches CloudEngine S series campus switches (fixed) CloudEngine S series campus switches (modular) CloudEngine S5731-H48T4XC Viewing product information CloudEngine S12700E-8 Viewing product information Main control board Service board Switch fabric unit (SFU) Power module Centralized monitoring unit (CMU)
  • 10.
    Huawei Confidential 10 Common NetworkDevices: Routers • Is used to connect to different broadcast domains and IP network segments. • Maintains routing tables and runs routing protocols to discover data forwarding paths (routing information). • Forwards IP packets according to its routing table. • Connects to a WAN, with functions such as network address translation and access control. Router Internet A router:
  • 11.
    Huawei Confidential 11 Common NetworkDevices: NetEngine Series Routers NetEngine access router (AR) NetEngine metro router NetEngine AR6121 Viewing product information NetEngine 8000 Viewing product information
  • 12.
    Huawei Confidential 12 Common NetworkDevices: DC Switches Test environment zone Production environment zone Spine Leaf Spine Leaf Core Campus access zone WAN access zone Internet access zone Server Server • Is an Ethernet switch applied in DCs. • Connects to a myriad of servers, firewalls, intrusion prevention system (IPS) devices, and load balancers to meet network requirements of DCs in the cloud era. • Is required to provide high performance, high density, low latency, and large buffer. • Provides high scalability and supports large-scale networking through the spine- leaf architecture A DC switch:
  • 13.
    Huawei Confidential 13 Common NetworkDevices: CloudEngine Series DC Switches CloudEngine series DC switches CloudEngine 12800 and 16800 Viewing product information CloudEngine 6800 Viewing product information
  • 14.
    Huawei Confidential 14 Common NetworkDevices: Firewalls Firewall Untrust zone Trust zone DMZ • Isolates networks of different security levels. • Implements traffic control (using security policies). • Implements intrusion prevention, Uniform Resource Locator (URL) filtering, data filtering, and application behavior control. • Implements user identity authentication. • Implements Remote Authentication Dial In User Service (RADIUS). • Implements data encryption and virtual private network (VPN) services. • Implements Network Address Translation (NAT) and other security functions. Internet A firewall:
  • 15.
    Huawei Confidential 15 Common NetworkDevices: HiSec Engine USG Series Firewalls HiSec Engine unified security gateway (USG) series firewalls HiSec Engine USG6600E Viewing product information
  • 16.
    Huawei Confidential 16 Common NetworkDevices: WAC and APs Fat AP Internet • Networking characteristics: Fat APs work independently and require separate configurations. Fat APs provide only simple functions and are cost-effective. • Applicability: homes, micro-sized stores, etc. WAC + Fit APs • Networking characteristics: Fit APs are managed and configured by the WAC in a unified manner, providing various functions. Fit APs have high requirements on network maintenance personnel's skills. • Applicability: medium- and large-sized enterprises Fat AP Fit AP WAC
  • 17.
    Huawei Confidential 17 Common NetworkDevices: WAC and AirEngine APs WAC AP AirEngine 9700-M Viewing product information AirEngine 8760-X1-PRO Viewing product information
  • 18.
    Huawei Confidential 18 Network Topology •Is presented as a structured layout using transmission media (such as twisted pairs and optical fibers) to interconnect various devices (such as computers, routers, and switches). • Is a very important network concept used to describe the physical or logical structure of a network in the network engineering field. iStack/CSS link Egress zone Core layer Aggregation layer Access layer Terminal layer Internet WAN Network management and O&M zone DC A network topology:
  • 19.
    Huawei Confidential 19 Management Modesfor Common Network Devices Console cable Console port Management mode 1: You can log in to a device through the console port from a PC. Typically, this method is used in scenarios where a device is powered on for the first time. Management traffic Management mode 2: You can remotely manage a device through a PC using Telnet and secure shell protocol (SSH), or through a web. Management traffic Management mode 3: The network management system (NMS) remotely manages and delivers configurations to a device through Telnet, SSH, or Simple Network Management Protocol (SNMP). On this basis, the software-defined networking (SDN) controller manages the device through Network Configuration Protocol (NETCONF).
  • 20.
    Huawei Confidential 20 iMaster NCE Full-lifecycleautomation Device plug-and-play and self-service Intelligent closed-loop management based on big data and AI Predictive maintenance, solving problems before customer complaints All-cloud platform with ultra-large capacity Ultra-large capacity and elastic scalability Open programmability-enabled and scenario-based application ecosystem Simplified IT application integration based on Design Studio Network automation Network intelligence Development & operations (DevOps) iMaster NCE Analysis Management Control IT/Operations support system (OSS)/Application Multi-tenant Multi-service Multi-industry Network Cloud platform
  • 21.
    Huawei Confidential 21 Reference Modelin the Data Communication Network Application layer Transport layer Network layer Data link layer Physical layer Contains various types of applications that provide abundant system application interfaces for users' application software. Establishes, maintains, and cancels end-to-end data transmission, controls transmission speeds, and adjusts the data sequences. Implements end-to-end data transmission between any two nodes based on the network layer addresses contained in the data. A logical data link is established between adjacent nodes connected through a physical link to implement direct data communication in point-to-point (P2P) or point-to-multipoint (P2MP) mode on the link. Converts logical 0s and 1s into physical signals (optical/electrical signals) that can be carried by transmission media, sends and receives physical signals, and transmits physical signals on transmission media. 1 2 3 4 5
  • 22.
    Huawei Confidential 22 Reference Modeland Common Protocols in the Data Communication Network Application layer Transport layer Network layer Data link layer Physical layer Telnet, FTP, TFTP, SNMP, HTTP, Simple Mail Transfer Protocol (SMTP), DHCP, etc. Transmission Control Protocol (TCP), User Datagram Protocol (UDP), etc. Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), Internet Control Message Protocol (ICMP), Internet Control Message Protocol version 6 (ICMPv6), Open Shortest Path First (OSPF), intermediate system-to-intermediate system (IS-IS), Border Gateway Protocol (BGP), etc. Point-to-Point Protocol (PPP), Link Layer Discovery Protocol (LLDP), Point-to-Point Tunneling Protocol (PPTP), etc. EIA/TIA-232, etc. 1 2 3 4 5
  • 23.
    Huawei Confidential 23 Application Layer Application Layer Transport Layer Network Layer DataLink Layer Physical Layer Application layer Transport layer Network layer Data link layer Physical layer • The application layer provides interfaces for application software so that applications can use network services. • The application layer protocol designates transport layer protocols and ports. • The protocol data unit (PDU) corresponding to the application layer is called data, which is also the payload to be transmitted by a network system. • HTTP (TCP port 80): Hypertext Transfer Protocol, providing web browsing services • Telnet (TCP port 23): a remote login protocol, providing remote device management services • FTP (TCP port 20 and TCP port 21): File Transfer Protocol, providing file resource sharing services • DHCP (UDP port 67 and UDP port 68): Dynamic Host Configuration Protocol, providing dynamic address management services • TFTP (UDP port 69): Trivial File Transfer Protocol, providing simple file transfer services • ...
  • 24.
    Huawei Confidential 24 Transport Layer Applicationlayer Transport layer Network layer Data link layer Physical layer • The transport layer receives data from the application layer, encapsulates the data with the corresponding transport layer protocol header, and helps establish an end-to-end connection. • Typical transport layer protocols include TCP and UDP. • The PDU corresponding to the transport layer is called segment. Latest transport layer protocols: Multipath Transmission Control Protocol (MPTCP), data center TCP (DCTCP), Data Center Quantized Congestion Notification (DCQCN), Quick UDP Internet Connections (QUIC), etc. TCP UDP Connection-oriented Connectionless Reliable transmission Best-effort transmission Flow control and window mechanism None Applications: HTTP, FTP, Telnet, etc. Applications: DNS, SNMP, etc. Application Layer Transport Layer Network Layer Data Link Layer Physical Layer
  • 25.
    Transport Layer: Port Number
    [Figure: PC1 (IP address 1.1.1.1) runs an HTTP application on TCP port 1024 and Telnet on TCP port 1231. PC2 (IP address 2.2.2.2) runs an HTTP application on TCP port 80 and Telnet on TCP port 23. The web browser sends the web server an HTTP payload behind an IP header (source IP address 1.1.1.1, destination IP address 2.2.2.2) and a TCP header (source port number 1024, destination port number 80).]
    • Generally, the source port is randomly allocated, while the destination port is specified by the corresponding application.
    • Generally, the source port used by the application client is an idle port whose number is greater than 1023.
    • The number of the destination port is the same as that of the listening port of an application (or a service) enabled on the server. For example, the default port number for HTTP is 80.
  • 26.
    Network Layer
    • The transport layer is responsible for connections between nodes, while the network layer is for end-to-end data transmission from one node to another and for data forwarding from the source to the destination.
    • The PDU corresponding to the network layer is called packet.
    • The network layer defines the packet format, provides logical addresses for nodes, and is responsible for the addressing and routing of data packets.
    Key protocols:
    • IPv4: OSPFv2, IS-IS, BGP
    • IPv6: OSPFv3, IPv6 IS-IS, BGP4+
  • 27.
    Network Layer: IPv4 and IPv6 Network Addresses
    IPv4 network (PC1 1.1.1.1/24, PC2 2.2.2.2/24):
    • An IPv4 address identifies a node (or a device interface) on an IPv4 network.
    • An IPv4 address is 32 bits long.
    • An IPv4 address is usually represented in dotted decimal notation.
    • A subnet mask of an IPv4 address is 32 bits long and can be expressed in dotted decimal notation or as a mask length.
    • In a subnet mask of an IPv4 address, bits with the value of 1 correspond to the network bits, while bits with the value of 0 correspond to the host bits. As such, the network and host bits in an IPv4 address can be identified.
    IPv6 network (PC1 FC00:1::1/64, PC2 FC00:2::1/64):
    • The network addresses used on an IPv6 network are IPv6 addresses.
    • An IPv6 address is 128 bits long.
    • An IPv6 address is usually expressed in hexadecimal numbers separated by colons (:).
    • An IPv6 address is expressed in the format of IPv6 address/mask length, specifying the mask length of the network part in the address.
  • 28.
    Network Layer: Packet Forwarding Based on Network Addresses
    [Figure: PC1 (Address 1) sends a packet, consisting of a network layer header (source network address, destination network address) and a payload, through R1 and its interface GE1/0/0 to Network A, where PC2 (Address 2) is located.]
    Routing table of R1:
    Network      Outbound Interface
    Network A    GE1/0/0
    …            …
    • The network layer header of the packet sent by the source node carries the network addresses of the source and destination nodes of the packet.
    • Routing-capable devices (such as routers) maintain routing tables.
    • When receiving packets, these devices read the destination addresses carried in the packets at the network layer and query the addresses in their routing tables. After finding matching entries, the devices forward the packets according to the entries.
  • 29.
    Data Link Layer
    • The data link layer is responsible for data transmission between two adjacent nodes on a physical link, and provides error notification and flow control.
    • The data link layer encapsulates packets from the network layer into frames and converts the frames into bits for data transmission at the physical layer.
    • During the assembly of a data frame, the address is written into the header of the data frame for addressing and forwarding.
    • The network layer implements data transmission between any two nodes on the global network. During this process, data may pass through multiple links. One basic function of the data link layer is to transmit data from one node to another adjacent node on these links.
    • Common data link layer protocols include LLDP, PPP, and Spanning Tree Protocol (STP).
    • The PDU corresponding to the data link layer is called frame.
  • 30.
    Data Link Layer: Ethernet
    • Ethernet is a well-known and widely used technology defined in IEEE 802.3.
    • Currently, network interfaces of PCs comply with the Ethernet standard.
    • An address defined in the data link layer is called a MAC address, which is compulsory for all Ethernet NICs that comply with the IEEE 802 standards.
    • A MAC address is 48 bits long and is usually expressed in hexadecimal format. The following are two examples:
      ▫ 00-21-0A-B9-DC-79
      ▫ 0021-0AB9-DC79
    • A device that works at the data link layer, such as an Ethernet switch, maintains a MAC address table that guides frame forwarding.
  • 31.
    Physical Layer
    • After data arrives at the physical layer, the physical layer converts a digital signal into an optical signal, an electrical signal, or an electromagnetic wave signal based on the physical media.
    • The PDU corresponding to the physical layer is called bit.
    • The physical layer defines physical features and specifications such as cables, pins, and ports.
    • Common transmission media include Ethernet twisted pairs, optical fibers, and electromagnetic waves.
  • 32.
    Encapsulation and Decapsulation During Data Transmission
    [Figure: encapsulation on the sending side and decapsulation on the receiving side, layer by layer.]
    • Application layer: data payload
    • Transport layer (PDU: segment): transport layer header + data payload
    • Network layer (PDU: packet): IP header + upper-layer data
    • Data link layer (PDU: frame): frame header + upper-layer data + frame trailer
    • Physical layer (PDU: bit): 101010111100…
  • 34.
    Concepts of Routing
    [Figure: PC1 (192.168.1.1/24) connects to GE0/0/0 of R1 and sends data to PC2 (192.168.2.1/24). The packet consists of an IP header and data.]
    Routing table of R1:
    Destination/Mask    Protocol  Preference  Cost  Next Hop        Interface
    192.168.1.0/24      Direct    0           0     192.168.1.254   GE0/0/0
    192.168.12.0/24     Direct    0           0     192.168.12.1    GE0/0/2
    192.168.2.0/24      OSPF      10          3     192.168.12.2    GE0/0/2
    • Data submitted by an upper layer (for example, the transport layer) is put into an envelope: data encapsulation at the network layer (source/destination IP address).
    • When a router (or a routing-capable device) receives an IP data packet, it searches its routing table for the destination IP address of the packet and selects an optimal path to forward the packet. This process is called routing.
  • 35.
    How to Obtain Routing Information
    A router forwards packets based on its routing table. To achieve this, the router needs to discover routes. The three common types of routes are as follows:
    • Direct routes are automatically generated by devices and point to directly connected local networks.
      Route Type  Destination/Mask  Outbound Interface
      Direct      10.1.1.0/24       GE0/0/0
      Direct      20.1.1.0/24       GE0/0/1
    • Static routes are manually configured by network administrators.
      Route Type  Destination/Mask  Outbound Interface
      Static      30.1.1.0/24       GE0/0/1
    • Dynamic routes are learned by dynamic routing protocols running on routers (dynamic routing protocol in the example: OSPF).
      Route Type  Destination/Mask  Outbound Interface
      Dynamic     40.1.1.0/24       GE0/0/2
  • 36.
    Application Scenarios of Static Routes
    [Figure: Router A, Router B, and Router C; interface labels GE0/0/0 10.0.0.1/24, GE0/0/0 10.0.0.2/24, GE0/0/1 20.1.1.2/24, and GE0/0/1 20.1.1.3/24; traffic destined for 20.1.1.0/24.]
    Destination Network  Type    Next Hop
    20.1.1.0             Static  10.0.0.2
    10.0.0.0             Direct  10.0.0.1
    • Static routes are manually configured by network administrators. They are easy to configure, have low system requirements, and apply to stable and small networks with simple topologies.
    • However, static routes cannot automatically adapt to network topology changes, thus requiring manual intervention.
    • Router A forwards packets destined for 20.1.1.0/24. As only direct routes are available in the routing table of Router A, no matching route is found for packet forwarding. In this case, a static route can be manually configured so that Router A can forward packets destined for 20.1.1.0/24 to the next hop 10.0.0.2.
  • 37.
    Overview of Dynamic Routes
    • When the network scale continues to expand, it becomes increasingly complex to manually configure static routes. In addition, static routes cannot adapt to network topology changes in a timely and flexible manner.
    • Dynamic routing protocols can automatically discover and generate routes, and update routes when the topology changes. These protocols effectively reduce the workload of management personnel and are more suitable to large networks.
    Static route:
    • Static routes need to be manually configured on devices.
    • Static routes cannot adapt to link changes.
    Dynamic route (dynamic routing protocol in the example: OSPF):
    • Dynamic routes can be automatically discovered and learned.
    • Dynamic routes can adapt to topology changes.
  • 38.
    OSPF Application on a Campus Network
    [Figure: a campus network with the Internet, a firewall, a core switch, a server cluster, and three aggregation switches serving office buildings 1, 2, and 3.]
    OSPF is configured on the core switch and aggregation switches to enable route reachability on the campus network.
  • 39.
    Concepts of AS
    • A large number of organizations use IGP routing protocols such as OSPF and IS-IS on their internal networks. However, as the network size increases, the number of routes on the network also rises, thus leading to the failure of IGP to manage large-scale networks. To solve this issue, the concept of Autonomous System (AS) emerges.
    • An AS consists of a set of devices that are managed by the same organization and use the same route selection policy.
    • Each of these ASs is uniquely identified using an Autonomous System Number (ASN), which is distributed by the Internet Assigned Numbers Authority (IANA).
    • Which routing protocols should be used to transmit routes for inter-AS communication?
    [Figure: AS 100 and AS 200 run IGPs such as OSPF and IS-IS internally; the connection between the two ASs is marked with a question mark.]
  • 40.
    Route Transmission Through BGP
    [Figure: AS 100 (OSPFv3 and RIPng) and AS 200 (IS-IS and IPv6) exchange routes through BGP.]
    • IGP enables a router to discover routes to each segment of the local AS, implementing data communication within the AS.
    • On a large-scale network consisting of multiple ASs, an exterior gateway protocol (EGP) is used to implement route exchange between ASs.
    • The Internet is an ultra-large network consisting of multiple ASs. EGP is used on the backbone nodes of the Internet to implement route exchange between ASs. BGP is the most well-known and widely used EGP today.
  • 41.
    BGP Application on Enterprise Networks
    • Communication within an enterprise network: On a large enterprise network, BGP is used for route exchange between the headquarters and branches. The two parties respectively belong to different ASs and are deployed by corresponding network management teams.
      [Figure labels: HQ, Branch, Branch; AS 100, AS 200, AS 800; BGP.]
    • Communication between enterprise and carrier networks: BGP can be used for route exchange between an enterprise and a carrier so that both the enterprise network and carrier network can obtain specific routes from each other.
      [Figure labels: Carrier X, Enterprise A, Enterprise B, Enterprise N; AS 100, AS 200, AS 800, AS 1000; BGP.]
  • 43.
    Ethernet Layer 2 Switching
    [Figure: a core switch connects access switch 1 and access switch 2. Terminal 1 (192.168.1.1/24, 5469-98AB-0001), Terminal 2 (192.168.1.2/24, 5469-98AB-0002), Terminal 3 (192.168.1.3/24, 5469-98AB-0003), and Terminal 4 (192.168.1.4/24, 5469-98AB-0004) communicate at Layer 2.]
    Frame structure: Ethernet header (Layer 2 header, carrying the destination MAC address and source MAC address), IP header (Layer 3 header), TCP/UDP header (Layer 4 header), payload, Ethernet trailer.
    • Layer 2 switching is a basic function of Ethernet switches.
    • Layer 2 switching is a process in which a switch forwards a frame based on the destination MAC address in the frame's Layer 2 header.
    • Each switch maintains a MAC address table for frame forwarding.
    • Upon receipt of a frame, a switch reads the frame's destination MAC address, searches for this MAC address in the local MAC address table, and then processes the frame accordingly. In addition, the switch learns the source MAC address of the frame.
  • 44.
    Ethernet Layer 2 Switching and MAC Address Table
    [Figure: PC1 (IP: 2001:DB8:1::1/64, MAC: 0050-5600-0001) and PC2 (IP: 2001:DB8:1::2/64, MAC: 0050-5600-0002) are connected to a switch through GE0/0/1 and GE0/0/2. The frame from PC1 carries source IP address 2001:DB8:1::1, destination IP address 2001:DB8:1::2, source MAC address 0050-5600-0001, and destination MAC address 0050-5600-0002, and keeps these values after the switch forwards it.]
    • Upon receipt of a frame, a switch reads the frame's destination MAC address, searches for this MAC address in the local MAC address table, and then processes the frame accordingly. In addition, the switch learns the source MAC address of the frame.
    • MAC addresses are used to implement data frame addressing and node identification on the Ethernet.
  • 45.
    MAC Address Table
    [Figure: PC1 (00e0-fc12-3458) is connected to GE0/0/1 of the switch and a printer (00e0-fc12-3457) to GE0/0/2.]
    • A MAC address table records the mapping between the MAC addresses learned by a switch and the interfaces, and the VLANs to which the interfaces belong.
    • The display mac-address command can be run on the switch to check its MAC address table.
    MAC Address       Interface  VLAN
    00e0-fc12-3458    GE0/0/1    100
    00e0-fc12-3457    GE0/0/2    200
  • 46.
    Why Do We Need VLAN?
    [Figure: one switch with PC1 to PC24 connected to GE0/0/1 to GE0/0/24; broadcast, unknown unicast, and multicast (BUM) frames reach every PC.]
    • By default, all interfaces of a switch belong to the same broadcast domain.
    • When there are a large number of switches on a network, the broadcast domain becomes large and the network may be flooded with a myriad of broadcast packets.
    • Network units cannot be flexibly planned based on service requirements.
  • 47.
    VLAN
    Virtual Local Area Network (VLAN) technology allows a physical LAN to be divided into multiple logical LANs (multiple VLANs). Each VLAN functions as a separate broadcast domain, with hosts in the same VLAN able to directly communicate with one another, while those in different VLANs cannot. As a result, broadcast packets are confined within a single VLAN.
    [Figure: one switch with PC1 to PC24 connected to GE0/0/1 to GE0/0/24, divided into VLAN10 (VLAN for the marketing department) and VLAN20 (VLAN for the R&D department).]
  • 48.
    VLAN Communication Across Switches
    [Figure: Switch1 and Switch2, each with interfaces GE0/0/1 to GE0/0/4, connect PC1 to PC5 in VLAN10 (VLAN for the technology department) and VLAN20 (VLAN for the accounting department). Labels: tagged frame (802.1Q tag, 20), untagged frame.]
    • To enable a switch to distinguish data frames from different VLANs, you need to add a field that identifies the VLANs to which the data frames belong.
    • As defined by IEEE 802.1Q, a 4-byte VLAN tag is inserted between the Source/Destination MAC address field and Length/Type field in an Ethernet frame to identify the VLAN to which the frame belongs.
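The tag position described on this slide can be checked byte by byte. The following parser is an added example, not part of the course material: it inserts, reads, and strips the 4-byte tag. The TPID value 0x8100 and the PCP/DEI/VID split of the tag are standard 802.1Q details that the slide does not spell out, and the sample frame is constructed from the MAC addresses on the earlier MAC address table slide.

```python
import struct

TPID_8021Q = 0x8100  # standard 802.1Q tag protocol identifier (not stated on the slide)


def mac_str(raw: bytes) -> str:
    """Format 6 raw bytes in the xxxx-xxxx-xxxx notation used in this course."""
    digits = raw.hex().upper()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional VLAN tag, type and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        # The tag sits right after the two MAC addresses, before Length/Type.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {
        "dst": mac_str(frame[0:6]),
        "src": mac_str(frame[6:12]),
        "vlan": vlan,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte VLAN tag between the MAC addresses and Length/Type."""
    if not 1 <= vid <= 4094:  # VLAN IDs 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("priority out of range")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the VLAN tag if present; untagged frames are returned unchanged."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: destination 0050-5600-0002, source 0050-5600-0001,
# type 0x86DD (IPv6), followed by a dummy payload.
UNTAGGED = bytes.fromhex("005056000002" "005056000001" "86dd") + b"payload"
TAGGED_VLAN20 = add_tag(UNTAGGED, 20)

if __name__ == "__main__":
    print(parse_frame(UNTAGGED))
    print(parse_frame(TAGGED_VLAN20))
```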
  • 49.
    Types of Layer 2 Ethernet Interfaces
    Layer 2 Ethernet interfaces on a switch are classified into the following types:
    • Access: often connects to a terminal such as a user PC or server. In most cases, access interfaces connecting to the NICs of such terminals can only receive and send untagged frames, and an access interface can join only one VLAN.
    • Trunk: allows data frames from multiple VLANs to pass through. These data frames are differentiated by 802.1Q tags. A trunk interface is used for connecting switches and can connect to a sub-interface on a device (such as a router or firewall).
    • Hybrid: allows data frames from multiple VLANs to pass through. These data frames are differentiated by 802.1Q tags. The data frames sent from a hybrid interface can be manually configured to carry tags for some VLANs and not to carry tags for other VLANs.
    [Figure: a core switch connects access switch 1 and access switch 2; the figure labels access and trunk interfaces. Terminal 1 (2001:DB8:1::1/64), Terminal 2 (2001:DB8:1::2/64), Terminal 3 (2001:DB8:1::3/64), and Terminal 4 (2001:DB8:2::1/64) are assigned to VLAN 10 (office) and VLAN 20 (monitoring).]
  • 50.
    Technical Background: Redundancy and Loops on a Layer 2 Switching Network
    The introduction of redundancy brings Layer 2 loops.
    Without redundancy design:
    • The access switch has only one uplink. If this link fails, downstream PCs will be disconnected.
    • There is only one aggregation switch. If this switch fails, downstream devices will be disconnected.
    With redundancy design:
    • [Figure: an access switch is connected to two aggregation switches, forming a Layer 2 loop.]
    • Enhanced network redundancy comes at the cost of Layer 2 loops.
  • 51.
    Technical Background: Layer 2 Loops Caused by Human Errors
    • Case 1: Some Layer 2 loops may be attributed to human negligence, for example, incorrect cable connections between devices.
    • Case 2: Some Layer 2 loops may be attributed to incorrect configurations. In this example, the network administrator does not bundle the links between Switch1 and Switch2 to a logical link (aggregated link), causing Layer 2 loops.
  • 52.
    Problems Caused by Layer 2 Loops
    [Figure: Switch1, Switch2, and Switch3 are connected in a loop; a BUM frame with source MAC address 5489-98EE-788A circulates in steps 1 to 4.]
    • Typical problem 1: broadcast storm. Upon receiving BUM frames, Switch3 floods the frames. The flooding happens once again after Switch1 and Switch2 receive the frames, leading to network resource exhaustion and breakdown.
    • Typical problem 2: MAC address flapping. MAC address flapping occurs. For example, Switch1 sees the MAC address 5489-98EE-788A rapidly changing its location between GE0/0/1 and GE0/0/2.
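The learning and flooding behaviour from the Layer 2 switching slides, and the MAC address flapping symptom described here, can be reproduced with a small model. This is an added example, not Huawei's implementation: the port-to-VLAN assignment, the event list, and the alarm threshold (3 moves within 10 seconds) are constructed for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "FFFF-FFFF-FFFF"


class Switch:
    """Minimal Layer 2 switch: learns source MACs per VLAN and forwards or floods."""

    def __init__(self, port_vlans, flap_moves=3, flap_window=10.0):
        self.port_vlans = port_vlans            # interface -> VLAN ID (access ports)
        self.mac_table = {}                     # (vlan, mac) -> interface
        self.moves = defaultdict(deque)         # (vlan, mac) -> timestamps of moves
        self.flap_moves = flap_moves            # assumed alarm threshold
        self.flap_window = flap_window          # assumed window in seconds

    def receive(self, ts, in_port, src, dst):
        """Process one frame; return (outbound interfaces, alarm text or None)."""
        vlan = self.port_vlans[in_port]
        key = (vlan, src)
        previous = self.mac_table.get(key)
        alarm = None
        if previous is not None and previous != in_port:
            # The same MAC address showed up on another interface: record the move.
            history = self.moves[key]
            history.append(ts)
            while history and ts - history[0] > self.flap_window:
                history.popleft()
            if len(history) >= self.flap_moves:
                alarm = f"MAC flapping: {src} in VLAN {vlan} moved {previous} -> {in_port}"
        self.mac_table[key] = in_port           # learn (or relearn) the source MAC

        known = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or known is None:
            # BUM frame: flood to every other interface in the same VLAN only.
            out = sorted(p for p, v in self.port_vlans.items()
                         if v == vlan and p != in_port)
        elif known == in_port:
            out = []                            # destination is behind the ingress port
        else:
            out = [known]                       # known unicast
        return out, alarm


def replay(switch, events):
    """Feed (ts, in_port, src, dst) events to the switch and collect alarms."""
    alarms = []
    for ts, in_port, src, dst in events:
        _, alarm = switch.receive(ts, in_port, src, dst)
        if alarm:
            alarms.append(alarm)
    return alarms


PORTS = {"GE0/0/1": 10, "GE0/0/2": 10, "GE0/0/3": 20}   # constructed assignment

# Constructed events: in a loop, the same broadcast frame keeps arriving on
# GE0/0/1 and GE0/0/2 in turn, as in the flapping example on the slide.
LOOP_EVENTS = [
    (0.0, "GE0/0/1", "5489-98EE-788A", BROADCAST),
    (0.1, "GE0/0/2", "5489-98EE-788A", BROADCAST),
    (0.2, "GE0/0/1", "5489-98EE-788A", BROADCAST),
    (0.3, "GE0/0/2", "5489-98EE-788A", BROADCAST),
]

if __name__ == "__main__":
    for line in replay(Switch(PORTS), LOOP_EVENTS):
        print(line)
```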
  • 53.
    Spanning Tree Protocol
    On a network with a spanning tree protocol, switches exchange BPDUs to calculate a loop-free network topology. Finally, one or more interfaces on the network are blocked to eliminate loops.
    [Figure: with a spanning tree protocol, Switch1 (root), Switch2, and Switch3 exchange BPDU packets, and an interface is blocked.]
  • 54.
    Spanning Tree Protocol: Dynamically Responding to Network Topology Changes and Adjusting Blocked Interfaces
    A spanning tree protocol running on a switch continuously monitors the network topology. Upon detecting network topology changes, the spanning tree protocol can automatically make adjustments. Therefore, a spanning tree protocol can be used to eliminate Layer 2 loops and also provide a network redundancy solution.
    [Figure: Switch1, Switch2, and Switch3 in three steps: (1) an interface is blocked, (2) a link is faulty, (3) the interface is restored.]
  • 55.
    Technical Background: Inter-VLAN Communication
    • PC1 (VLAN 10) and PC2 (VLAN 10) on a Layer 2 switch: When PC1 and PC2 belong to the same VLAN (using the same IP subnet), they are in the same broadcast domain and can directly communicate with each other. This is also known as Layer 2 communication.
    • PC1 (VLAN 10) and PC2 (VLAN 20) on a Layer 2 switch: When PC1 and PC2 belong to different VLANs, they are in different broadcast domains and cannot communicate with each other.
    • PC1 (VLAN 10) and PC2 (VLAN 20) on a Layer 2 switch connected to a router: To allow devices in different VLANs to communicate with each other, a routing-capable device is used to implement Layer 3 communication.
  • 56.
    Inter-VLAN Communication Using Ethernet Sub-Interfaces
    [Figure: PC1 (VLAN 10, 192.168.1.1/24, default gateway 192.168.1.254) is connected to GE0/0/1 (access, VLAN 10) of the switch and PC2 (VLAN 20, 192.168.2.1/24, default gateway 192.168.2.254) to GE0/0/2 (access, VLAN 20). GE0/0/24 of the switch is a trunk (VLANs 10 and 20) toward the router, whose sub-interfaces are GE0/0/1.1 (192.168.1.254) and GE0/0/1.2 (192.168.2.254).]
    • A router connects to a switch through a physical interface (GE0/0/1), which allows for the creation of two sub-interfaces GE0/0/1.1 and GE0/0/1.2 as the default gateways of VLANs 10 and 20, respectively.
    • The sub-interfaces created on a router are used to implement inter-VLAN communication.
      ▫ Sub-interfaces are logical interfaces created based on an Ethernet interface and are identified by the physical interface ID and sub-interface ID.
      ▫ Based on service requirements, a network administrator can create multiple sub-interfaces on a physical interface and configure IP addresses and VLAN IDs for these sub-interfaces.
  • 57.
    Layer 3 Switch and VLANIF Interface
    • A Layer 2 switch provides only the Layer 2 switching function.
    • Apart from providing the Layer 2 switching function, a Layer 3 switch can implement routing and forwarding through Layer 3 interfaces (such as VLANIF interfaces).
    • A VLANIF interface is a Layer 3 logical interface that can remove and add VLAN tags in packets. This allows devices in different VLANs to communicate with each other.
    • A VLANIF interface number corresponds to a VLAN ID. For example, VLAN 10 corresponds to VLANIF 10.
    [Figure: a Layer 3 switch consists of a routing module and a switching module, with VLANIF 10 (192.168.1.254/24) and VLANIF 20 (192.168.2.254/24). PC1 (192.168.1.1/24, gateway 192.168.1.254) is connected to GE0/0/1 (access, PVID = 10), PC2 (192.168.1.2/24, gateway 192.168.1.254) to GE0/0/2 (access, PVID = 10), and PC3 (192.168.2.1/24, gateway 192.168.2.254) to GE0/0/3 (access, PVID = 20).]
  • 58.
    How to Improve the Bandwidth and Reliability of Ethernet Links
    [Figure: the Internet, a core switch, access switch 1, access switch 2, and Terminals 1 to 4; the links are numbered 1 to 5.]
    • High reliability and high link bandwidth are two important objectives to achieve on a commercial network.
    • As shown in the figure, links 1 to 5 are all key links on the network. How can we ensure the reliability of these links and improve their bandwidth?
  • 59.
    Ethernet Link Aggregation
    [Figure: the Internet, Firewall1, Firewall2, a core switch, access switch1, access switch2, and Terminals 1 to 4; member interfaces GE0/0/1 and GE0/0/2 on each side are bundled into Eth-Trunk1. Benefits labelled in the figure: increased bandwidth, higher reliability, load balancing.]
    • Link aggregation is a method of bundling several physical links into a logical link to increase bandwidth and reliability.
    • These aggregated links are also known as Eth-Trunks.
  • 60.
    Working Modes of Ethernet Link Aggregation
    Manual mode:
    • In this mode, an Eth-Trunk interface is manually created and member interfaces are manually added to the Eth-Trunk interface, without the use of Link Aggregation Control Protocol (LACP).
    • This mode is applicable when high link bandwidth is required between two directly connected devices that do not support LACP.
    • Faults, such as link layer faults and incorrect link connections, cannot be detected.
    LACP mode:
    • In this mode, LACP is used in link aggregation.
    • LACP provides a standard negotiation mechanism for devices to automatically aggregate multiple links.
    • After an aggregated link is formed, LACP maintains the link status and adjusts or disables link aggregation when the link aggregation condition changes.
    [Figure: Switch1 has the higher LACP system priority and Switch2 the lower LACP system priority; the figure marks the active interface selected by Switch1 and the active interface elected by Switch2.]
  • 61.
    iStack and CSS
    • Intelligent stack (iStack) is a technology that connects multiple stacking-capable switches through stack cables to form a logical switch for data forwarding.
    • A cluster switch system (CSS) combines two clustering-capable switches into a single logical switch.
    • Generally, the CSS function is used to set up a stack of modular switches, while the iStack function is used to set up a stack of fixed switches.
    [Figure: an iStack (switches connected by stack cables) and a CSS (switches connected by a CSS link), each attached through link aggregation, are each equivalent to a single logical switch.]
  • 62.
    Link Aggregation Application (1/2)
    • Interface expansion: If the port density of an existing switch cannot meet the access requirements of users, you can deploy new switches and add all the switches to a stack to increase the number of interfaces.
    • Bandwidth expansion and redundancy backup: To achieve higher uplink bandwidth, you can deploy new switches and add all the switches to a stack, and bundle physical links of the member switches into a LAG. This also implements device backup and inter-device redundancy backup, thus improving reliability.
    [Figure: iStack switches at the access layer, connected by iStack links, attach to the aggregation layer through an Eth-Trunk.]
  • 63.
    Link Aggregation Application (2/2)
    • Two switches on the network set up a CSS to form a single logical switch. The simplified networking does not require protocols such as Multiple Spanning Tree Protocol (MSTP) and Virtual Router Redundancy Protocol (VRRP), simplifying network configuration. Additionally, the use of inter-device link aggregation achieves fast convergence and improves reliability.
    [Figure: an MSTP + VRRP network compared with a CSS network; in the CSS network, the aggregation layer switches are connected by a CSS link and the access layer attaches through Eth-Trunks.]
  • 64.
    Typical Architecture
    [Figure: iStack at the access layer and aggregation layer, CSS at the core layer toward the network; devices are connected by iStack/CSS links and Eth-Trunks.]
    • Access devices that are geographically close to each other (for example, access switches in the same building) are virtualized into one logical device using iStack. This ensures sufficient ports and simplifies device management.
    • Access devices connect to aggregation devices through Eth-Trunks. The logical network structure is simple, without the use of STP or VRRP. As such, the network has advantages in high reliability, high uplink bandwidth, and fast convergence.
    • iStack is configured on aggregation switches, and Eth-Trunks are configured between upstream/downstream switches to form a reliable and loop-free network.
    • The CSS cluster networking is used at the core layer, and Eth-Trunks are configured between upstream/downstream switches to form a reliable and loop-free network.
  • 66.
    Firewall: Security Zone
    [Figure: a firewall with GE1/0/1 toward PC1 (192.168.1.1/24) in the Trust zone, GE1/0/5 toward a server (172.16.1.1/24) in the DMZ, and GE1/0/0 toward the Internet in the Untrust zone.]
    • A security zone, also known as a zone, is a concept of the firewall. Most security policies are implemented based on security zones.
    • A security zone is a collection of networks connected through one or more interfaces. Users on the networks in a security zone have the same security attributes.
    • Firewall interfaces must be added to security zones. Otherwise, the firewall cannot work properly.
    • Each security zone defines its security level, which is also called priority. The priority value ranges from 1 to 100. A larger value indicates a higher security level.
    • By default, four security zones are preset on the firewall: Trust, Untrust, DMZ, and local zones.
    • Users can define new security zones as required.
  • 67.
    Firewall: Security Policy
    • The security policy controls traffic forwarding and performs integrated content security detection on traffic.
    • The firewall can identify traffic attributes and match the attributes with security policy conditions. If all conditions are matched, the traffic matches the security policy and the firewall performs the action defined in the security policy.
    • Integrated content security detection indicates that the firewall uses the Intelligent Awareness Engine (IAE) to detect and process traffic contents at one time, implementing content security functions including antivirus, intrusion defense, and URL filtering.
    [Figure: a security policy between the Trust zone and the Untrust zone (Internet) provides traffic forwarding control and content security monitoring.]
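The zone and policy concepts from the last two slides can be modelled as follows. This is an added example, not firewall code or configuration: the interface-to-zone mapping follows the security zone figure, while the zone priority values, the rule set, the top-down first-match evaluation, and the final default deny are assumptions not stated on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# zone -> (priority, member interfaces). Interfaces follow the figure on the
# security zone slide; the priority values are assumed, within the 1-100 range.
ZONES = {
    "trust": (85, ["GE1/0/1"]),
    "dmz": (50, ["GE1/0/5"]),
    "untrust": (5, ["GE1/0/0"]),
}


def zone_of(interface: str) -> str:
    """Return the security zone of an interface; unassigned interfaces are an error."""
    for name, (priority, members) in ZONES.items():
        if not 1 <= priority <= 100:
            raise ValueError(f"zone {name}: priority must be 1-100")
        if interface in members:
            return name
    raise ValueError(f"{interface} is not in any security zone")


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    dst_port: Optional[int]   # None means any destination port
    action: str               # "permit" or "deny"


def matches(rule, src_zone, dst_zone, src_ip, dst_ip, dst_port) -> bool:
    """A rule matches only if every one of its conditions matches."""
    return (
        rule.src_zone == src_zone
        and rule.dst_zone == dst_zone
        and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_net)
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst_net)
        and rule.dst_port in (None, dst_port)
    )


def evaluate(rules, in_if, out_if, src_ip, dst_ip, dst_port):
    """Return (action, rule name) for a flow between two firewall interfaces."""
    src_zone, dst_zone = zone_of(in_if), zone_of(out_if)
    for rule in rules:                       # assumed: top-down, first match wins
        if matches(rule, src_zone, dst_zone, src_ip, dst_ip, dst_port):
            return rule.action, rule.name
    return "deny", "default"                 # assumed: implicit default deny


# Constructed rule set for the topology in the figure.
RULES = [
    Rule("web-to-dmz", "untrust", "dmz", "0.0.0.0/0", "172.16.1.1/32", 80, "permit"),
    Rule("trust-out", "trust", "untrust", "192.168.1.0/24", "0.0.0.0/0", None, "permit"),
]

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an Internet host.
    print(evaluate(RULES, "GE1/0/0", "GE1/0/5", "203.0.113.7", "172.16.1.1", 80))
    print(evaluate(RULES, "GE1/0/0", "GE1/0/5", "203.0.113.7", "172.16.1.1", 23))
    print(evaluate(RULES, "GE1/0/0", "GE1/0/1", "203.0.113.7", "192.168.1.1", 80))
```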
  • 68.
    NAT
    ⚫ Network address translation (NAT) is a method of parsing an IP packet header and replacing the source or destination IP address in the packet header automatically, allowing users on private networks to access public networks through private IP addresses. Users are unaware of the translation from a private IP address into a public one.
    Packet structure: IP header (Layer 3 header, carrying the source IP address and destination IP address), TCP/UDP header (Layer 4 header, carrying the source port number and destination port number), data.
    Common types of NAT are as follows:
    • Source IP address-based NAT
      ▫ No-port address translation (No-PAT)
      ▫ Network address and port translation (NAPT)
    • Destination IP address-based NAT
      ▫ NAT server
      ▫ Destination NAT
  • 69.
    IPsec VPN
    • Enterprise branches can interconnect with each other in various modes, for example, through WAN private lines or Internet lines.
    • Considering costs and requirements, some enterprises choose to use Internet lines for interconnection, which may introduce security risks. Internet Protocol Security (IPsec) encrypts data packets to ensure secure interconnection for enterprises.
    [Figure: a VPN across the Internet.]
  • 71.
    WAN
    A WAN, short for wide area network, is a network that connects LANs in different areas. A WAN generally covers tens of kilometers to thousands of kilometers. It can connect multiple regions, cities, and countries, or provide long-distance communication across several continents, forming an international remote network.
    [Figure: LANs (DC, enterprise branch, enterprise HQ, residential area) connected through the WAN of an Internet service provider (ISP).]
  • 72.
    WAN Device Roles
    ⚫ There are three basic roles of WAN devices: customer edge (CE), provider edge (PE), and provider (P).
      ▫ CE: edge devices within a customer network that connect to one or more PEs at a service provider's site.
      ▫ PE: edge devices within a service provider network that connect to CEs. PEs are important network nodes that can connect to both CEs and Ps.
      ▫ P: devices within a service provider network that do not directly connect to CEs.
    [Figure: the CEs of Enterprise A, Enterprise B, Enterprise C, and Enterprise D connect to PEs of the service provider; the PEs connect to a P device.]
  • 73.
    Traditional IP Routing and Forwarding
    Traditional IP routing and forwarding uses the hop-by-hop forwarding mode, in which a packet is decapsulated by all routers that receive the packet. Each router needs to obtain the network layer information about the packet and selects routing entries for packet forwarding based on the longest match rule. The repeated processes of packet decapsulation, routing entry selection, and packet re-encapsulation result in low forwarding performance.
    [Figure: PC1 (192.168.1.1/24) sends packets (IP address + data) to PC2 (192.168.2.1/24) across routers R1 to R6, which run an IGP; R1 forwards through G0/0/2.]
    Routing table of R1:
    Destination/Mask    Protocol  Preference  Cost  Next Hop        Interface
    192.168.1.0/24      Direct    0           0     192.168.1.254   GE0/0/0
    192.168.12.0/24     Direct    0           0     192.168.12.1    GE0/0/2
    192.168.2.0/24      OSPF      10          3     192.168.12.2    GE0/0/2
    Characteristics of traditional IP routing and forwarding:
    ▫ All routers need to know the network-wide routes.
    ▫ Traditional IP routing and forwarding is connectionless and cannot guarantee end-to-end QoS.
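The longest match rule named on this slide, applied to the routing table of R1 shown here and on the "Concepts of Routing" slide, is sketched below as an added example that is not part of the course material. The two extra routes are constructed to show a more-specific prefix taking over part of a covering route, the tie-break by lower preference and then lower cost is an assumption the slides do not state, and `diverting_routes` is a hypothetical audit helper.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    preference: int
    cost: int
    next_hop: str
    interface: str


def route(dest, protocol, preference, cost, next_hop, interface):
    return Route(ipaddress.ip_network(dest), protocol, preference, cost,
                 next_hop, interface)


# Routing table of R1 as printed on the slide.
R1_TABLE = [
    route("192.168.1.0/24", "Direct", 0, 0, "192.168.1.254", "GE0/0/0"),
    route("192.168.12.0/24", "Direct", 0, 0, "192.168.12.1", "GE0/0/2"),
    route("192.168.2.0/24", "OSPF", 10, 3, "192.168.12.2", "GE0/0/2"),
]

# Constructed entries (not on the slide): a default route and a more-specific
# static route that overlaps the OSPF route but uses another next hop.
EXTRA_ROUTES = [
    route("0.0.0.0/0", "Static", 60, 0, "192.168.12.2", "GE0/0/2"),
    route("192.168.2.0/25", "Static", 60, 0, "192.168.1.253", "GE0/0/0"),
]


def lookup(table, destination):
    """Return the route used for a destination address, or None if none matches."""
    address = ipaddress.ip_address(destination)
    candidates = [r for r in table if address in r.prefix]
    if not candidates:
        return None  # no matching entry: the packet cannot be forwarded
    # Longest prefix first; assumed tie-break: lower preference, then lower cost.
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, r.preference, r.cost))


def diverting_routes(table):
    """List (specific, covering) pairs where a more-specific prefix sends part of
    a covering route's address space to a different next hop."""
    pairs = []
    for specific in table:
        for covering in table:
            if (specific.prefix != covering.prefix
                    and covering.prefix.prefixlen > 0       # ignore the default route
                    and specific.prefix.subnet_of(covering.prefix)
                    and specific.next_hop != covering.next_hop):
                pairs.append((specific, covering))
    return pairs


if __name__ == "__main__":
    full_table = R1_TABLE + EXTRA_ROUTES
    for dst in ("192.168.2.1", "192.168.2.200", "198.51.100.9"):
        print(dst, "->", lookup(full_table, dst))
    for specific, covering in diverting_routes(full_table):
        print(f"{specific.prefix} overrides {covering.prefix}: "
              f"{covering.next_hop} -> {specific.next_hop}")
```

Reviewing the output of `diverting_routes` is a quick way to spot an unexpected more-specific entry, since the longest match rule makes it win regardless of protocol.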
  • 74.
    MPLS Label-Based Forwarding
    ⚫ Multiprotocol Label Switching (MPLS) is a technology applied on IP backbone networks.
    ⚫ MPLS is a tunneling technology that provides connection-oriented switching for the network layer based on IP routing and control protocols, guaranteeing QoS.
    ⚫ Local MPLS labels, instead of IP routes, are searched for to forward packets, greatly improving forwarding efficiency.
    ⚫ Labels used in MPLS label-based forwarding can be manually configured or dynamically allocated using a label distribution protocol.
    [Figure labels: IGP; R1; R2 (PE node); R5 (PE node); R6; R3 (P node); R4 (P node); PC1: 192.168.1.1/24; PC2: 192.168.2.1/24; MPLS domain; packets shown as "IP address | Data", "MPLS Label 1 | IP address | Data", and "MPLS Label 2 | IP address | Data"]
  • 75.
    MPLS VPN Overview
    MPLS VPN backbone: a backbone network built by the service provider
    • Customer A and customer B have two sites respectively. Both customers purchase MPLS VPN services from the same service provider.
    • For example, customer A wants to exchange routes between site 1 and site 2 through the MPLS VPN network so that data between the two sites can be transmitted through the MPLS VPN network. From the perspective of customer A, the logical network is as follows:
    [Figure labels, physical network: PE1; P; PE2; CE; Site 1 of customer A; Site 2 of customer A; Site 1 of customer B; Site 2 of customer B]
    [Figure labels, logical network of customer A: CE; Site 1 of customer A; Site 2 of customer A; MPLS VPN network; P; Route to site 1; Data sent to site 1]
  • 76.
    Contents
    1. Basic Concepts of the Data Communication Network
    2. IP Routing Basics
    3. Ethernet Switching Basics
    4. Network Security Overview
    5. WAN Technologies
    6. Network Management and O&M
    7. QoS
  • 77.
    Network Management
    Network management plays an important role on a communications network. It ensures that devices work properly and the communications network runs properly to provide efficient, reliable, and secure communications services.
    The network administrator manages and maintains the network for stable network operations.
    [Figure labels: Common enterprise network architecture; Network administrator]
  • 78.
    Network Management Modes
    Traditional network management: web-based network management, CLI-based network management, and SNMP-based centralized network management
    iMaster NCE-based network management
    [Figure labels: Network administrator; Network management station; Enterprise resource planning (ERP); Network automation; Network intelligence; Cloud platform; Northbound API; Commercial application; iMaster NCE; DC; Campus; WAN; Branch; Video meeting; Advertisement operations; Office OS; Analysis; Management; Control; …]
  • 79.
    Web-Based and CLI-Based Network Management
    ⚫ CLI-based and web-based network management modes are generally used for managing small-scale networks.
     Network administrators can log in to devices through HTTPS, Telnet, or the console port for device management.
     The two modes are cost-effective, as programs or servers do not need to be installed on networks.
     Network administrators must have a good command of network knowledge and vendor-specific network configuration commands.
     These modes have great limitations for large-scale networks with a complicated topology.
    [Figure labels: Network administrator; One-to-one management; Vendor A Switch; Vendor A Firewall; Vendor A AC; Vendor A Router; Vendor B Router; Vendor C Switch; Vendor D Switch]
  • 80.
    SNMP-Based Centralized Management
    ⚫ SNMP is a standard network management protocol widely used on TCP/IP networks. It provides a method for managing NEs by using a central computer (that is, a network management station) that runs network management software.
    • Network administrators can use the NMS to query and modify information, and troubleshoot faults on any node on networks, improving work efficiency.
    • Network devices of different types and from different vendors are managed in a unified manner.
    [Figure labels: NMS; Network administrator; SNMP packet exchange; One-to-many management]
  • 81.
    Typical SNMP Architecture
    • On a network where SNMP is used for network management, an NMS functions as a network management center and runs a management process. Each managed device needs to run an agent process. The management process and agent processes transmit SNMP messages for communication.
    • An NMS is a system that uses SNMP to manage and monitor network devices and runs on a server.
    • Managed devices are devices that are managed by the NMS on the network.
    • Agent processes run on managed devices to maintain the information data of the managed devices, respond to requests from the NMS, and report the management data to the NMS.
    [Figure labels: Network management process; NMS; Client; Monitor; A GUI is provided.; SNMP packet; IP network; Agent process; Managed device]
  • 82.
    SNMP Management Model
    • Query/Modify operation:
    ▫ The NMS sends an SNMP request packet to an agent process.
    ▫ The agent process searches the MIB on the device for desired information and sends an SNMP response packet to the NMS.
    • Trap operation:
    ▫ If the trap triggering conditions defined for a module on the managed device are met, the agent process sends a message to notify the NMS that a trap has occurred on the device. This helps network administrators promptly process network faults.
    [Figure labels: Network management process; NMS; Agent process; Managed device; Management information base (MIB); Managed object; SNMP packet exchange]
  • 83.
    Huawei iMaster NCE
    Huawei iMaster NCE is an intelligent network automation platform that integrates management, control, analysis, and AI functions.
    • iMaster NCE manages and controls:
    ▫ Traditional devices through traditional technologies such as CLI and SNMP.
    ▫ SDN-capable networks through NETCONF (based on the YANG model).
    • iMaster NCE collects network data through protocols such as SNMP and telemetry, performs intelligent big data analysis based on AI algorithms, and displays device and network status in multiple dimensions through dashboards and reports, helping O&M personnel quickly detect and handle device and network exceptions and ensuring normal running of devices and networks.
    [Figure labels: Telemetry; Traditional device; SDN-capable network device; NETCONF/YANG; CLI/SNMP; Unified cloud platform; Management; Control; Analysis; iMaster NCE; Open API; Intent engine; Cloud platform & applications]
  • 84.
    NETCONF Overview
    NETCONF provides a network device management mechanism. You can use NETCONF to add, modify, or delete configurations of network devices, and obtain configurations and status of network devices.
    NETCONF has three objects:
    ▫ NETCONF client
    ▫ NETCONF server
    ▫ NETCONF message
    NETCONF requires that messages exchanged between a client and server be encoded using XML.
    [Figure labels: NETCONF server; Device; Device 1; Device 2; Device 3; Network; NETCONF client; NETCONF message exchange]
  • 85.
    Advantages of NETCONF
    Description | NETCONF | SNMP | CLI
    API type | Machine-machine interface: As the interface definition is complete and standard, the interface is easy to control and use. | Machine-machine interface | Man-machine interface
    Operation efficiency | High: Data is modeled based on objects. Only one-time interaction is required for operations on an object. Operations such as filtering, batch processing, and packet splitting are supported. | Medium | Low
    Scalability | Proprietary protocol capabilities can be extended. | Weak | Minor
    Transaction processing | Supported: transaction processing mechanisms such as trial running, rollback upon errors, and configuration rollback are supported. | Not supported | Partially supported
    Secure transmission | Multiple security protocols: SSH, TLS, Blocks Extensible Exchange Protocol (BEEP)/TLS, and Simple Object Access Protocol (SOAP)/HTTP/TLS | Only SNMPv3 supports secure transmission. | SSH is supported.
  • 86.
    Typical NETCONF Interaction
    RPC, sent over the SSH connection. This operation is to modify configurations.
    <?xml version="1.0" encoding="UTF-8"?>
    <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
      <edit-config>
        <target>
          <running/>
        </target>
        <config>
          Configuration content in XML format
        </config>
      </edit-config>
    </rpc>
    RPC reply. The modification succeeds.
    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <ok/>
    </rpc-reply>
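The exchange on this slide from the client's side, as an added example that is not part of the original course material: it builds the `<edit-config>` RPC and accepts a reply only if it is a well-formed `<rpc-reply>` with the same message-id and an `<ok/>`. The `urn:example:config` payload and the error and stale replies are constructed; the SSH transport is out of scope.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # namespace shown on the slide


def nc(tag: str) -> str:
    """Qualify a tag name with the NETCONF base namespace."""
    return f"{{{NC_NS}}}{tag}"


class NetconfError(Exception):
    """The reply cannot be taken as confirmation of the request."""


def build_edit_config(message_id: str, config_body: ET.Element) -> bytes:
    """Serialize an <edit-config> RPC that targets the running datastore."""
    rpc = ET.Element(nc("rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, nc("edit-config"))
    target = ET.SubElement(edit, nc("target"))
    ET.SubElement(target, nc("running"))
    ET.SubElement(edit, nc("config")).append(config_body)
    return ET.tostring(rpc, encoding="UTF-8", xml_declaration=True)


def check_reply(reply_xml: bytes, expected_id: str) -> bool:
    """Return True only for an <ok/> reply to the request `expected_id`."""
    # NETCONF content has no use for a DTD, so refuse one before parsing.
    if b"<!DOCTYPE" in reply_xml:
        raise NetconfError("document type declaration in reply")
    try:
        root = ET.fromstring(reply_xml)
    except ET.ParseError as exc:
        raise NetconfError(f"malformed XML: {exc}") from exc
    if root.tag != nc("rpc-reply"):
        raise NetconfError(f"unexpected root element {root.tag!r}")
    # A reply to some other request must not confirm this change.
    if root.get("message-id") != expected_id:
        raise NetconfError("message-id does not match the request")
    errors = root.findall(nc("rpc-error"))
    if errors:
        summary = "; ".join(
            f"{e.findtext(nc('error-tag'))}: {e.findtext(nc('error-message'))}"
            for e in errors
        )
        raise NetconfError(f"device rejected the change: {summary}")
    if root.find(nc("ok")) is None:
        raise NetconfError("reply has neither <ok/> nor <rpc-error>")
    return True


def sample_config() -> ET.Element:
    """Constructed payload standing in for 'Configuration content in XML format'."""
    system = ET.Element("{urn:example:config}system")
    ET.SubElement(system, "{urn:example:config}hostname").text = "edge-1"
    return system


# Reply from the slide.
OK_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>"""

# Constructed replies: a rejected change and an answer to an older request.
ERROR_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-message>constructed sample error</error-message>
  </rpc-error>
</rpc-reply>"""
STALE_REPLY = OK_REPLY.replace(b'message-id="101"', b'message-id="100"')

if __name__ == "__main__":
    print(build_edit_config("101", sample_config()).decode())
    for name, reply in (("ok", OK_REPLY), ("error", ERROR_REPLY), ("stale", STALE_REPLY)):
        try:
            print(name, "->", check_reply(reply, "101"))
        except NetconfError as exc:
            print(name, "-> rejected:", exc)
```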
  • 87.
    YANG Language Overview
    ⚫ YANG is a data modeling language that standardizes NETCONF data content.
    ⚫ A YANG model defines a data hierarchy and can be used for NETCONF-based operations. Objects of data modeling include configuration data, state data, RPCs, and notifications. This is a complete description of all data transmitted between a NETCONF client and server.
    A model is an abstraction and expression of things. A data model is an abstraction and expression of data features.
    Person: name, gender, height, weight, age, etc.
    Router: interface, routing protocol, IP address, routing table, etc.
  • 88.
    Telemetry Overview
    ⚫ Telemetry, also called network telemetry, is a technology that remotely collects data from physical or virtual devices at a high speed.
    ⚫ Devices periodically send information including interface traffic statistics, CPU usage, and memory usage to collectors in push mode. Compared with the traditional pull mode (question-answer interaction), the push mode provides faster and real-time data collection.
    Telemetry supports data collection at subsecond intervals.
    [Figure: SNMP, pull, T > 5 min; Telemetry, "subscription and push", T < 1 s]
  • 89.
    Contents
    1. Basic Concepts of the Data Communication Network
    2. IP Routing Basics
    3. Ethernet Switching Basics
    4. Network Security Overview
    5. WAN Technologies
    6. Network Management and O&M
    7. QoS
  • 90.
    Bandwidth/Throughput
    • Bandwidth, also called throughput, refers to the maximum number of data bits transmitted between two ends within a specified period (1 second) or the average rate at which specific data flows are transmitted between two network nodes.
    • Bandwidth is expressed in bit/s.
    • In concept, bandwidth can be compared to the volume of water that can flow through a pipe in a water supply system.
    [Figure label: IP network]
  • 91.
    Delay
    • A delay refers to the period of time during which a packet is transmitted from a source to its destination.
    • Use voice transmission as an example. A delay refers to the period from when words are spoken to when they are heard. If a long delay occurs, voices become unclear, discontinuous, or interrupted.
    • Most users are insensitive to a delay of less than 100 ms. If a delay ranging from 100 ms to 300 ms occurs, the speaker can sense slight pauses in the responder's reply, which can seem annoying to both. If a delay greater than 300 ms occurs, both the speaker and responder obviously sense the delay.
    [Figure label: IP network]
  • 92.
    Delay Variation: Jitter
    • Jitter refers to the difference in delays of packets in the same flow.
    • Jitter occurs if the period between a device sending a packet and another device receiving the packet differs from one packet to another in a flow, negatively affecting service quality.
    • Real-time services, such as voice and video services, are highly sensitive to jitter. Voice or video services are interrupted if packets of these services are sent and received with timing variations.
    • Jitter also affects protocol packet transmission. Some protocols send interactive packets at a fixed interval. If the jitter is too large, protocol flapping occurs.
    All transmission systems cause jitter, but the service quality will not be affected if the jitter does not exceed a specific tolerance. A buffer can absorb excessive jitter, which, however, increases the delay.
    [Figure label: IP network]
  • 93.
    Packet Loss Rate
    • Slight packet loss does not affect services. For example, the speaker and the responder are unaware of the loss of a bit or a packet in voice transmission.
    • The loss of a bit or a group of packets in video transmission may cause the image on the screen to become garbled instantly, but the image can be restored quickly. TCP can be used to transmit data to handle slight packet loss, as TCP allows the lost packets to be retransmitted.
    • The packet loss rate refers to the percentage of the number of packets lost during data transmission.
    [Figure label: IP network]
  • 94.
    QoS Specifications of Common Services
    Service Type | Bandwidth/Throughput | Delay | Jitter | Packet Loss Rate | Delay Indicator | Jitter Indicator | Packet Loss Rate Indicator
    Video conference and teleconference | High | Highly sensitive | Highly sensitive | Predictable | ≤ 50 ms | ≤ 10 ms | ≤ 0.1%
    E-commerce | Medium | Sensitive | Sensitive | Sensitive, reliable transmission | ≤ 200 ms | ≤ 100 ms | Best-effort TCP guarantee
    Streaming media | High | Relatively sensitive | Relatively sensitive | Predictable | ≤ 1 s | ≤ 200 ms | ≤ 0.1%
    Email and file transmission | Low | Delay-tolerant | Jitter-tolerant | Best-effort transmission | N/A | N/A | Best-effort TCP guarantee
    HTML web page browsing | Not specific | Relatively delay-tolerant | Relatively jitter-tolerant | Best-effort transmission | N/A | N/A | N/A
    FTP service | Medium | Sensitive | Sensitive | Sensitive, reliable transmission | N/A | N/A | Best-effort TCP guarantee
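The delay, jitter, and packet loss rate definitions from the preceding slides, measured on a flow and checked against the numeric indicators in this table, as an added example that is not part of the original course material. Taking delay as the worst one-way delay and jitter as the largest delay difference between consecutive received packets is an assumption made here, and the sample flows are constructed.

```python
from typing import Dict, List, NamedTuple, Optional


class Indicator(NamedTuple):
    max_delay_ms: Optional[int]
    max_jitter_ms: Optional[int]
    max_loss_pct: Optional[float]  # None: the table gives no numeric bound


# Rows of the table that carry numeric indicators.
INDICATORS: Dict[str, Indicator] = {
    "Video conference and teleconference": Indicator(50, 10, 0.1),
    "E-commerce": Indicator(200, 100, None),  # loss: best-effort TCP guarantee
    "Streaming media": Indicator(1000, 200, 0.1),
}


class Metrics(NamedTuple):
    max_delay_ms: Optional[int]  # None when every packet was lost
    jitter_ms: int
    loss_pct: float


def measure(sent_ms: Dict[int, int], received_ms: Dict[int, int]) -> Metrics:
    """Derive the three metrics from per-sequence-number timestamps (ms)."""
    if not sent_ms:
        raise ValueError("no packets were sent")
    delays = [received_ms[s] - sent_ms[s] for s in sorted(sent_ms) if s in received_ms]
    lost = len(sent_ms) - len(delays)
    # Jitter: difference in delay between consecutive packets of the flow.
    jitter = max((abs(b - a) for a, b in zip(delays, delays[1:])), default=0)
    return Metrics(max(delays) if delays else None, jitter, 100 * lost / len(sent_ms))


def violations(service: str, m: Metrics) -> List[str]:
    """Names of the indicators of `service` that the measured flow exceeds."""
    ind = INDICATORS[service]
    out: List[str] = []
    if ind.max_delay_ms is not None and (
        m.max_delay_ms is None or m.max_delay_ms > ind.max_delay_ms
    ):
        out.append("delay")
    if ind.max_jitter_ms is not None and m.jitter_ms > ind.max_jitter_ms:
        out.append("jitter")
    if ind.max_loss_pct is not None and m.loss_pct > ind.max_loss_pct:
        out.append("packet loss")
    return out


# Constructed flows: 1000 packets, one sent every 20 ms.
SENT = {seq: seq * 20 for seq in range(1000)}
# Healthy path: 30 ms delay, 38 ms on every 100th packet, packet 500 lost.
HEALTHY = {
    seq: SENT[seq] + 30 + (8 if seq % 100 == 0 else 0)
    for seq in range(1000)
    if seq != 500
}
# Congested path: delay alternates between 60 ms and 120 ms, nothing lost.
CONGESTED = {seq: SENT[seq] + (120 if seq % 2 else 60) for seq in range(1000)}

if __name__ == "__main__":
    for name, rx in (("healthy", HEALTHY), ("congested", CONGESTED)):
        m = measure(SENT, rx)
        print(name, m)
        for service in INDICATORS:
            print("  ", service, "->", violations(service, m) or "within indicators")
```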
  • 95.
    IntServ Service Model
    • Take multiprotocol label switching traffic engineering (MPLS TE) as an example. The IntServ model uses Resource Reservation Protocol (RSVP) for signaling. Resources such as bandwidth and priority are reserved on a known path, and each network element along the path must reserve required resources for data flows requiring QoS guarantee. This resource reservation state is called soft state.
    • A soft state is a temporary state that refreshes periodically using RSVP messages. Each network element checks whether sufficient resources can be reserved based on these RSVP messages. The path is available only when all involved network elements can provide sufficient resources.
    • The IntServ model takes effect only when all nodes on the end-to-end network support the model. Since devices at the core layer, aggregation layer, and access layer have different functions, the IntServ model is not supported by these devices. Therefore, the IntServ model cannot be widely used on Internet backbone networks.
    [Figure: between R1 and R2, each hop receives the request "A bandwidth of 2 Mbit/s is required." and answers "OK"]
  • 96.
    DiffServ Service Model
    Service Type | Priority
    Voice | 5
    Video | 4
    Data | 0
    • In the DiffServ model, edge nodes classify and aggregate traffic. Edge nodes flexibly classify packets based on a combination of conditions in packets, and then mark the packets with different priorities. Other nodes only need to identify the marked priorities for resource allocation and traffic control.
    • In the DiffServ model, an application does not need to apply for network resources before sending packets and no signaling protocol is required. The DiffServ model provides differentiated services based on the QoS parameters of each data flow. In addition, packets are classified into different service levels, and traffic control and forwarding are performed in a differentiated manner, ensuring end-to-end QoS.
    [Figure labels: Video; Data; Voice]
  • 97.
    General QoS Service Process
    General principles:
    • Traffic classification, traffic marking, and traffic policing are performed in the inbound direction on a service access interface.
    • Traffic shaping is performed in the outbound direction on a service access interface. If packets of various levels are involved, queue scheduling and a packet discard policy are also required in the outbound direction on the service access interface.
    • Congestion management and congestion avoidance are performed in the outbound direction on a network-side interface.
    [Figure labels: Data flow; Inbound interface; Traffic classification; Traffic policing; Other operations; Congestion avoidance; Entering a queue; Congestion management; Queue 0; Queue 1; ...; Queue N; Scheduling; Leaving the queue; Outbound interface]
  • 98.
    Quiz
    1. In the network reference model of the data communication network, at which layer do routing protocols such as OSPF and IS-IS work?
       A. Application layer
       B. Transport layer
       C. Network layer
       D. Data link layer
       E. Physical layer
  • 99.
    Summary
    ⚫ A data communication network comprises multiple types of devices and is deployed with multiple technologies and network protocols.
    ⚫ Before grasping an in-depth understanding of products and solutions in the data communication network field, you are expected to master basic technologies and familiarize yourself with common data communication devices and basic protocols.
    ⚫ This course introduces basic knowledge about the data communication network, including basic concepts of the data communication, IP routing, Ethernet switching, network security, WAN technologies, network management and O&M, and QoS of the network, laying a solid foundation for further learning.
  • 100.
  • 101.
    Huawei Enterprise Datacom Network Solutions Overview
  • 102.
    Foreword
    This document provides an overview of Huawei's datacom business in the enterprise market, covering Huawei's datacom organizations, business priorities, major products and solutions, and typical use cases. Scenario-specific solutions mentioned in this document will be further detailed in other relevant documents.
  • 103.
    Objectives
    ⚫ On completion of this course, you will be able to:
     Understand the scenario classifications and basic concepts of Huawei's datacom network solutions.
     Learn about the basic concepts, typical architectures, and typical application scenarios of campus networks, WLANs, data center networks, WANs, and network security.
     Gain insight into Huawei's solutions in each scenario.
  • 104.
    Contents
    1. Huawei Enterprise Datacom Business Overview
    2. Huawei Enterprise Datacom Network Solutions
    3. Success Stories
  • 105.
    Overview and Objectives
    This section describes Huawei's vision for the datacom industry, as well as R&D organizational structure, R&D investment, and achievements in each datacom domain.
  • 106.
    Huawei's Vision for the Datacom Industry: IP on Everything
    IP 2030
    Delivering the non-stop intelligence and computing power of the intelligent world to everything, and building ubiquitous intelligent IP connections
    • Ultra-high bandwidth
    • Security
    • Ubiquitous connectivity
    • Automation
    • Deterministic quality
    • Low latency
    [Figure labels: Connecting applications; 5G; Optical; Copper; Computing power; Intelligence; Data; Connecting everything; MPLS; IPv6 Enhanced; IPv4; Digital currency; Industrial control; Medical data; VR video; e-Government; IP on Everything]
  • 107.
    Huawei Datacom Product Line: Business Focuses and Organizational Structure
    Enterprise business: The first-choice partner for enterprise and industry digital transformation. Serving global enterprises and industry players
    Carrier business: The best strategic partner. Serving global carriers
    6 domains: Backbone router; Network management; Metro router; Campus network; Data center network; Network security
    [Figure labels: Energy; Government; Finance; Transportation; …; Manufacturing; Education]
  • 108.
    Huawei Keeps Innovating and Advancing Datacom Technologies, with 26 Years of Expertise
    11,000+ R&D staff
    100+ scientists and top experts
    ~15% of annual revenue reinvested into R&D
    14 research centers worldwide
    Leading contributions to many fields, including Wi-Fi 6, IPv6 Enhanced, and 400G
    Contributions to 550+ IETF RFCs
    [Chart categories: Ethernet; FlexE; WLAN; 5G transport; SDN/NFV; SRv6; Network cloudification]
    [Figure labels: OpenStack; IETF; IEEE; OPNFV; ONAP; ITU; Broadband Forum]
  • 109.
    Key Player and Contributor: 20 Years of Dedication in Major IP Standards-Defining Organizations
    12+ industry standards bodies and open source organizations that Huawei has joined
    50+ working groups that Huawei participates in as chair or higher
    550+ IETF RFCs
    11,500+ total patents granted by the end of 2021
    One of top vendors contributing to IETF RFCs: https://www.arkko.com/tools/allstats/
    Note: Futurewei is a wholly-owned subsidiary of Huawei.
    No. 1 contributions in 6 fields in 2021:
    • IETF routing domain and O&M domain RFCs
    • IEEE 802.11be (Wi-Fi 7) standards
    • IEEE 802.3 MAC architecture standards
    • IEEE 802.1 TSN standards
    • SPN product (including ITU-T) standards
    • Mobile bearer network clock standards
    In 2021, China Communications Standards Association (CCSA) released the IPv6 Enhanced standard system and Huawei helped set up the IPv6 national standard team.
    [Chart: 2017 to 2021; series: Vendor C, Huawei, Vendor N, Vendor J, Vendor E, Vendor G]
  • 110.
    Leading the SRv6 Standards: 10+ Top Experts, Remarkable Contributions to 60% of SRv6 Drafts
    SRv6 is a next-generation protocol for IPv4 and IPv6 evolution. It's also the basis of next-generation networks. SRv6 is considered as "5G" for IP protocols.
    Huawei's more than 10 top experts dedicated to SRv6 standards
    Li Zhenbin, Huawei's SRv6 chief expert and also IETF IAB member
    [Figure labels: IGP for SRv6; BGP for SRv6; SRv6 VPN; PCE for SRv6; SRv6 OAM; SRv6 SFC; SRv6 SD-WAN; SRv6 ANG models; FPC YANG models; Hu Zhibo/Dean Cheng; Mash Chen/Zhuang Shunwan; Donald Eastlake/Zhuang Shunwan; Dhruv; Cheng Li; Haoyu Song/Li Cheng; Linda Dunbar; Hu Zhibo; Wang Zitao; 3GPP CT Chairman Georg Mayer; SR pioneer Stefano Previdi; SRv6 in 3GPP; Wireless; Li Zhenbin; Wu Qin; Huawei IP Standards Representative; IETF L3SM/L2SM Chair; SRv6 in RTG Area; SRv6 in OPS Area; Transmission]
    [Chart: IETF meeting-specific SRv6 standards document contributions by vendors, IETF 101 to IETF 105; series: Vendor C, Huawei, Huawei and vendor C*]
    [Chart: SRv6 standards document contributions by vendors; series: Huawei, Huawei and vendor C*, Vendor C, Others; Up to 75%; Data as of IETF 105]
  • 111.
    Core Contributor to Wi-Fi 6: No. 1 in Submitted Proposals
    Dr. Osama Aboul Magd, Huawei's top expert, serves as the Chair of the 802.11ax standard working group.
    Huawei's contributions: No. 1
    • Submitting 318 new proposals (15% of the total), ranking No. 1 among equipment vendors
    • Holding 18% of global Wi-Fi 6 patents, ranking No. 1 among equipment vendors
    Wi-Fi 6 inherits Huawei's 5G technologies, and its key technologies are derived from Huawei's proposals.
    [Figure labels: OFDMA; 64T64R Massive-MIMO; 3GPP: 5G; 256-QAM; IEEE: Wi-Fi 6; 8T8R UL MU-MIMO; OFDMA; 1024-QAM]
  • 112.
    Huawei Datacom Portfolio: "Four Engines" Products + Integrated Management, Control, and Analysis Platform
    [Figure labels: AirEngine; CloudEngine; NetEngine; HiSecEngine; Cloud campus network; Hyper-converged data center network; Cloud WAN; Network security]
  • 113.
    Maintaining a Leading Position in the Global Datacom Market
    WAN: NetEngine WAN routers, No. 1 in the Chinese enterprise router market
    Data center network: CloudEngine data center switches, No. 1 global shipments of enterprise data center switch ports
    Campus network: CloudEngine S-series campus switches, No. 1 global shipments of 10/25GE ports of enterprise campus switches
    Network security: HiSecEngine USG series firewalls, No. 1 share in the Chinese hardware firewall equipment market
    Sources listed on the slide: * 2017–2021 OMDIA data; * 2021 Gartner data; * 2021 Gartner data; * 2021 IDC data
  • 114.
    Winning Many Awards and Wide Industry Recognition
    [Slide labels, in the order extracted: WAN; A challenger in Gartner MQ for 5 consecutive years; Network firewall; Cyber security; NetEngine series routers:; Campus network; Data center network; AirEngine Wi-Fi 6: Frost & Sullivan 2021 Global Wi-Fi 6 Market Leadership Award; A visionary in Gartner MQ; Huawei's CloudCampus Solution 2021 Gartner Peer Insights Customers' Choice; SD-WAN; Data center switches: a leader named by Forrester; Data center switches: Frost & Sullivan 2021 Global Technology Leadership Award; Interop Best of Show Award; Huawei CloudFabric Solution 2021 Gartner Peer Insights Customers' Choice; Interop Best of Show Award; Frost & Sullivan 2021 New Product Innovation Leadership Award; Gartner Peer Insights Customers' Choice, with the highest rating]
  • 115.
    Cloud Reshapes Enterprise IT Modes and Extends Connectivity, Driving the Upgrade of the Datacom Industry
    As-Is: client-server mode
    To-Be: cloud service mode
    Changes in cloud and terminals drive network upgrades:
    • Security mode change
    • Deterministic service quality
    • Data traffic explosion
    • Flat network architecture
    • Expanded management scope
    • Network boundary extension
    Hundreds of billions of IoT terminal connections by 2025
    85% of enterprise applications will be cloud-based by 2025
    [Figure labels: cloud; PC + mobile terminal + IoT terminal; Server; PC; Campus office; Campus production; Campus assets; Cloud]
  • 116.
    What is IPv6 Enhanced?
    IPv6 Enhanced (Comprehensive Upgrade from IPv6): Building a Technology Base for Digital Networks
    TCP/IP standard model: Application layer; Transport layer; Network layer; Network interface layer
    Innovation directions: +Security; +Deterministic quality; +Automation; +Ubiquitous connectivity; +Low latency; +Ultra-high bandwidth
    • Per-hop latency: best-effort → ~30 µs
    • Per-hop jitter: not guaranteed → ~20 µs
    • 100GE → 400GE
    • Fault recovery: days → minutes
    • Threat containment: days → minutes
    • Multi-hop to clouds → one hop to clouds
    [Figure labels: Technology enhancement; IPv6; IPv6 Enhanced; SRv6; FlexE; Network-security association; Security knowledge graph; APN6; In-band flow measurement; ADN, AI; Non-blocking interconnection; 400GE; One-hop cloud access; Resource isolation; Proactive O&M; Cloud-network-security integration; Application awareness]
    [Timeline labels, in the order extracted: IPv6+1.0 Network programmability SRv6 BE/TE/Policy; IPv6+2.0 Experience assurance capability FlexE/IFIT/BIER 6/DIP; IPv6+3.0 Application-driven capability APN6; IPv6 Basic network capabilities; 1996–2019; 2020–2021; 2021–2023; 2023–2025]
  • 117.
    Intelligent Cloud-Network, Accelerating Industry Digital Transformation
    Vision: IP on Everything. Bring digital to every person, home, and organization for a fully connected, intelligent world
    Theme: Intelligent Cloud-Network, Accelerating Industry Digital Transformation
    Solution features: Digital; Intelligent; Service-oriented
    Industry-specific solutions: Intelligent cloud-network @ carrier; @ governments; @ cities; @ finance; @ mining; @ electric power; @ manufacturing; @ airports; @ education; @ healthcare
    Datacom solutions (intelligent cloud-network solutions): CloudWAN 3.0, Cloud WAN (* for the enterprise market); CloudCampus 3.0, Cloud campus network; HiSec 3.0, Network security; CloudFabric 3.0, Hyper-converged data center network; Intelligent Cloud-Network (* for the carrier market)
    Products: CloudEngine; NetEngine; HiSecEngine; AirEngine; iMaster NCE
    [Figure label: Cross-industry solutions]
  • 118.
    Section Summary
    This section describes Huawei's vision for the datacom industry, as well as R&D organizational structure, R&D investment, and market position in each datacom domain. On completion of this section, you will gain a clear understanding of future datacom network development trends.
  • 119.
    Quiz
    1. What are the names of the four engines of Huawei datacom? What product categories do they represent?
    2. What is Huawei's vision for the datacom industry?
  • 120.
    Contents
    1. Huawei Enterprise Datacom Business Overview
    2. Huawei Enterprise Datacom Network Solutions
    3. Success Stories
  • 121.
    Datacom Accelerates the Flow of Data, Building Global Digital Network Infrastructures
    Global Digital Strategy:
    • Digital China: Accelerating digital development
    • Digital Compass: Shaping Europe's digital future
    • Smart Africa: Accelerating digital transformation in African countries
    Industry digital transformation:
    • Healthcare (Health for all): Healthcare IoT; Medical insurance network
    • Government (Digital government): Gov. extranet; Smart city
    • Manufacturing (Advanced manufacturing): Manufacturing; Light industry
    • Transportation (Strong transportation): Railway & urban rail; Roadway
    • Finance (Smart finance): Bank; Securities & insurance
    • Education (Educational modernization): Higher education; Primary & secondary education
    • Energy (Energy Internet): Electric power; Oil & gas
    Datacom network: Campus network; Data center network; Security; Metro network; Backbone network
    [Figure labels: Digital government; Digital society; Digital economy; Digital economy; Digital education; Digital village; Smart broadband; 5G communications; Digital technology; Remote healthcare; Other 11 projects]
  • 122.
    Cloud-Network Is the "Power Grid" of the Digital World, Supplying Non-Stop Digital to Numerous Industries
    In the past, electricity drove industrialization. Today, clouds drive digitalization.
    [Figure labels: Services; Power grid; Power generation; Power consumption; Wind power; Hydropower; Coal power; Government cloud; Private cloud; Public cloud; Cloud-network; Enterprises; supplies electric power; supplies computing power]
  • 123.
    Huawei Intelligent Cloud-Network: Empowering Enterprise Digital Development with Data-driven Intelligence
    Intelligent cloud-network solutions:
    • Hyper-converged DCN: Intelligent resource scheduling, and fault self-healing, enabling all-Ethernet DCNs
    • Cloud WAN: Real-time status visualization, intelligent resource scheduling, and one-click service subscription, enabling smooth service cloudification and SLA assurance
    • Cloud campus network: Network fault self-healing and open network programmability, enabling all-scenario data awareness and interaction
    • Network security: Unified cloud-based management, intelligent security protection, and cloud-network-security integration, ensuring E2E security for data collection, aggregation, and processing
    [Figure labels: Empowering digital development with data-driven intelligence; CloudWAN, Cloud WAN; VM; CloudCampus, Cloud campus network (industrial Internet campus); AR; Switch; AP; Network security; CloudFabric, Hyper-converged DCN; IPv6 Enhanced]
  • 124.
  • 125.
    Campus Network, a Bridge Between the Physical and Digital Worlds
    With the further development of wireless, IoT, and cloud on enterprise campuses, IT and OT infrastructures become ubiquitous. As such, enterprises urgently need to break the boundaries from HQ to branch sites, from workplace to production services, and from fixed to mobile terminals. In this way, cross-regional remote collaboration, cross-service converged transport, and cross-terminal unified access come true.
    Today's campus network is transformed from a service support system into a key production factor to enable efficient flow of enterprise data and services. If we compare an enterprise to a person, the enterprise's network is the blood vessels while data is the blood that carries oxygen and nutrients. The smooth flow of blood determines the vitality of the person. Likewise, network quality is crucial to improving enterprise office and production efficiency and attaining business growth goals.
    [Figure labels: Warehousing campus; Manufacturing campus; R&D campus; Retail store; Home office; HQ campus; SaaS cloud; Private cloud]
  • 126.
    Three Changes Drive Campus Networks Towards the All-Cloud Era Service deployment Terminal access Data flow Traditional IT IT in the cloud era Public & private clouds Local server ... ... Wi-Fi IoT HQ Branch 1 Branch n HQ Branch n Branch 1 Driven by both business and technology, enterprises are undergoing profound changes to service deployment modes, data flow scope, and terminal access modes. As such, campus networks are marching into the cloud era from the PC era. • Service deployment (on-premises → public or private cloud-based): This change brings better economics and scalability. Users can access and use services anytime and anywhere. • Data flow (local data exchange → cross-domain data exchange): This change helps build a global enterprise network that enables real-time interaction between HQ and branches. • Terminal access (Ethernet cable- or optical fiber-based wired access → fully-wireless access): This change removes the restriction of wired access and enables users and terminals to move freely on demand. Wired On-premises → Cloud-based Wired → Wireless LAN → Cross-domain
  • 127.
    Four Challenges Faced by Campus Networks in the Cloud Era 76% of enterprises are dissatisfied with their wireless experience, according to IDC: • Wi-Fi hotspot deployment results in discontinuous coverage, signal blind spots, and frequent disconnection during roaming. • APs interfere with each other, but effective global optimization methods are unavailable, resulting in low performance and poor user experience. Multi-branch interconnection is a must for midsize and large enterprises. Today's pain points include: • Scattered branches, slow private line provisioning, high cost, complex and error-prone manual deployment, and difficult service cloudification • Poor service experience, lack of service visibility, network congestion, frequent video buffering and artifacts, and low user satisfaction Enterprises of all sizes pursue a campus network that aligns with business development. But they face the following challenges: • Given the influx of terminals, inflexible networks cannot achieve fast capacity expansion, resulting in time-consuming terminal onboarding. • Wi-Fi upgrade is needed, but old Ethernet cables cannot quickly meet bandwidth needs and re-cabling is costly. Coverage hole Signal interference Branch Branch CLI 76% of enterprises require campus network reconstruction in the next 2 years. But the reality is: • Planning relies on professional skills. CLI-based deployment is time-consuming and labor-intensive. Policy change response is slow and inefficient. • The huge number of devices complicates O&M. SNMP-based management suffers from lack of visibility, difficult fault locating, and time-consuming troubleshooting. Engineers HQ WAN In the cloud era, Wi-Fi is the preferred access mode for terminals. Ubiquitous WLANs are required to ensure terminal access anytime, anywhere.
Furthermore, the influx of terminals calls for flexibly scalable campus networks to quickly adapt to service changes and facilitate rapid terminal onboarding and service rollout. Data interaction between HQ and branches is also becoming more frequent than ever. In turn, this requires stable, reliable, and economical connection modes to ensure high-speed and high-quality cross-domain data interaction and collaboration. More efficient deployment and O&M methods are another urgent need, as they are crucial to managing numerous devices and user terminals in a more fine-grained manner. Traditional solutions, however, cannot meet these expectations. Enterprises are taking strides towards the all-cloud era, raising great challenges for networks Wi-Fi discontinuous networking Cross-domain fragile infrastructure Cloud outpacing network Difficult network scaling
  • 128.
    CloudCampus 3.0: Fully-Wireless Intelligent Cloud Campus Network, Inspiring Digital Innovation L3 autonomous driving 90% fewer complaints One global network 40% lower private line costs Low-carbon intelligence 30% smaller energy consumption of the entire network Fully-wireless experience 40% higher productivity SD-WAN Router Education Finance Healthcare Retail MSP Manufacturing ... NETCONF/YANG Telemetry Automated deployment Intelligent O&M
  • 129.
    Fully-Wireless Experience: Breaking Down Boundaries and Inspiring Enterprise Innovation Zero signal blind spot Unique dynamic-zoom smart antenna Industry's only to support both omnidirectional and high-density modes, intelligently adapting to diverse scenarios and increasing performance by 20% Zero interruption during roaming Unique AI roaming algorithm 70% higher roaming success rate, 30% larger bandwidth during roaming Zero packet loss for intelligent control First-of-the-kind Wi-Fi 6E network for smart manufacturing 6 GHz frequency band, ultra-low interference Air interface slicing: 99.999% @ 10 ms AGV Production line AOI Wireless extends from workplaces to production environments. How to build a Wi-Fi 6 network that delivers a continuous experience? 76% of enterprises are not satisfied with their WLAN experience. No signal or weak signal Connected but slow Roaming with frequent interruptions Unstable network
  • 130.
    Low-Carbon Intelligence: 3 Layers Simplified into 2 Layers, Entire Network Managed as One Device Public area Mobile office Desktop 1/2.5/10GE Access switch PoE-out Core switch 10/25/40GE Central switch Remote unit ELV room Aggregation switch Access switch Central switch RU 37% TCO savings Low carbon and energy saving • Power consumption control and intelligent hibernation on ports and the entire device • Fanless design for super quietness, reducing energy consumption by 30% Simplified architecture • 3 layers → 2 layers, reducing managed nodes by 80% • Planning-free, management-free, and plug-and-play RUs Service continuity • Exclusive optical-electrical PoE + secondary PoE, ensuring network continuity even without local mains supply • Ultra-high bandwidth offered by the hybrid cable, no cable replacement for 15 years Network-wide automation | AI-powered intelligent O&M
  • 131.
    One network across geographic locations Unique "SD-WAN + SRv6", enabling ultra-fast multi-branch interconnection One network on and off the cloud One hop cloud access, multi-cloud interconnection, ultrafast cloud access 2x cloud access efficiency 5G/MPLS /Internet Internet SaaS IaaS One network for multiple services Unique free mobility, security segmentation for services, consistent user experience Public cloud Private cloud Challenge: difficult cross-domain interworking • How to construct production, OA, and IoT networks in a unified manner? • How to reduce the costs of branch interconnection that relies heavily on costly private lines? • How to improve cloud access efficiency for services that need to go through HQ? 50% Lower network construction costs 40% Smaller private line costs Google Office 365 VPC One Global Network: Ubiquitous Connectivity from Any Branch, for Any User, on Any Terminal HQ MPLS Internet 5G Remote campus Branch SD-WAN
  • 132.
    L3 Autonomous Driving: Autonomous Driving Network for Reliable and Stable Services 47% 44.50% 7.50% 1% Yes, the enterprise plans to achieve network automation/intelligence in the near future; Yes, the enterprise plans to achieve network automation/intelligence within 3 years; Yes, the enterprise plans to achieve network automation/intelligence in more than 3 years; No Enterprise network automation and intelligence transformation plan SD-WAN Management + control + analysis Roaming success rate 50% Terminal identification rate 60% 98% 90% Traditional solution Huawei solution AirEngine Wi-Fi 6 CloudEngine S switch HiSecEngine firewall NetEngine AR Network challenges faced by enterprise digital transformation Yes, very soon Yes, in the next 3 years Yes, in more than 3 years No plan
  • 133.
    Section Summary This section describes the four differentiators of CloudCampus 3.0: fully-wireless experience, low-carbon intelligence, one global network, and L3 autonomous driving. ⚫ Fully-wireless experience: Huawei WLAN provides unique features, such as fully-wireless intelligent continuous networking, dynamic-zoom smart antenna, AI roaming, and Wi-Fi 6 Advanced. ⚫ Low-carbon intelligence: The simplified architecture stands out with super power supply via hybrid cable and management-free remote units (RUs). ⚫ One global network: SD-WAN helps build one network on and off the cloud. ⚫ L3 autonomous driving: iMaster NCE offers compelling features such as intelligent verification and application assurance 360.
  • 134.
  • 135.
    Three IT Changes Drive DCNs Towards All-Ethernet Scale: 100x Centralized ↓ Distributed IT architecture Computing unit Storage media PCIe IB Ethernet Performance: 100x or As-Is To-Be Capacity: 1000x SCSI NVMe FC (32G) RoCE (400G) PCIe is replaced HDD → SSD Ethernet Ethernet Centralized Distributed CPU/GPU interconnection over Ethernet All-flash storage interconnection over Ethernet Server interconnection over Ethernet NetApp DELLEMC Intel Ascend Kirin
  • 136.
    CloudFabric 3.0 Hyper-converged DCN Solution Full-lifecycle automation Reduces TTM by 90% Network-wide Intelligent O&M Proactively predicts 90% of faults Improves IOPS by 90% Unleashes 100% of computing power Ethernet for HPC Multi-cloud Three characteristics Core benefits OpenStack Kubernetes FusionSphere VMware Network-wide intelligent O&M • Device-, interface-, optical module-, network-, and service-level • Predictive maintenance, zero service interruption Full-lifecycle automation • Automated network planning, construction, maintenance, and optimization • Intent-driven network, NaaS Lossless Ethernet • Zero packet loss for local and long-distance transmission • Convergence of computing and storage networks Optimization Planning Construction Maintenance Hyper-Converged DCN Automation Intelligence General-purpose computing Storage HPC Ethernet for active-active storage
  • 137.
    L3.5 Autonomous Driving Network, Accelerating Evolution Towards Multi-Cloud and Multi-DC Industry 3.2 3.4 3.6 3.7 3.3 3.6 2.5 2.7 2.9 2.9 2.9 2.7 3.51 2.80 Simulation & verification Network automation Intelligent fault remediation Simulation & verification AI inference Digital twin Public cloud Leaf Leaf Spine Spine Leaf Leaf DC 1 Industry cloud Leaf Leaf Spine Spine Leaf Leaf DC n Customer service systems and operation platforms Northbound: interconnection with service systems Southbound: network-agnostic 2022 OpenStack Kubernetes FusionSphere Red Hat Faster construction Faster deployment Planning + Design Deployment + Provisioning Service Provisioning Monitoring + Troubleshooting Network Change Parameter Adjustment Faster troubleshooting Cross-cloud connectivity: months → minutes Service provisioning: days → minutes Fault locating: hours → minutes Full-lifecycle automation Optimization Planning Construction Maintenance
  • 138.
    CloudFabric Easy Lightweight SDN solution for small and midsize DCs iMaster NCE-Fabric single-node system or cluster (mandatory) CloudEngine switch iMaster NCE-FabricInsight single-node system (optional) Simplification • 8x the industry's leaf scale, facilitating network capacity expansion • Modular spine switches: flexible scalability and high reliability EasY-Maintenance • Comprehensive health evaluation, automatic detection of 90% risks • Proactive fault O&M, rectifying faults in minutes Automation • 3-step service provisioning, taking only minutes • Pre-event simulation and post-event verification, ensuring 100% configuration correctness Expandability • Factory installation and automatic joint commissioning, 50%↓ service costs • One-click deployment, involving only 3 steps with 3 parameters CloudFabric Easy Solution, Helping SMEs Build Cloud Data Center Networks in an "EASY" Way
  • 139.
    Challenge: Ethernet packet loss has gone unsolved for 40 years Why is Ethernet prone to packet loss? N:1 traffic, exceeding the receive bandwidth Higher packet loss for more nodes Real-time, precise speed control through AI algorithm, rather than O&M experts Innovatively introduce AI algorithm to address this global challenge Years of research have failed to resolve this issue. • Real-time traffic model • Tens of millions of random samples Non-precise backpressure Traffic control Frequent transmission suspension Overly low throughput Ever-changing traffic Difficult to seize the best time window …… Scenario auto-adaptation, a result after training of tens of millions of random samples Random samples for adaptation to any scenario + Real service samples to ensure service effects OLTP VDI Video OLAP AI Unique algorithm Ethernet for HPC: Eliminates Ethernet Packet Loss and Unleashes 100% of Computing Power Packet loss Scenario auto-adaptation Zero packet loss at 100% throughput Scale auto-adaptation
  • 140.
    Why cannot a traditional Ethernet be used for cross-DC active-active storage? Lossless algorithm upgrade: zero packet loss for a 70 km long-distance transmission on an Ethernet vs The RTT for 70 km intra-city transmission reaches up to 1 ms. The traditional lossless algorithm cannot ensure zero packet loss over such a long-distance transmission. Three-dimensional lossless algorithm fails in long-distance transmission scenarios + Spatiotemporal variable (distance, delay, jitter, etc.) Four-dimensional lossless algorithm ensures zero packet loss over long-distance transmission. Service requirement Traffic model Network status One more dimension, 100x difficulty Annual saving of CNY25.73 million 100+ 8G FC links → 10 100GE links 8G*128 100G*10 Example (a bank with cross-DC active-active storage): 10 x 100GE lossless Ethernet links replace 100+ FC links, reducing links by 90%+. Ethernet for Active-Active Storage: Lossless Long-Distance Transmission, 90%+ Fewer Links Active DC Intra-city active-active DC Active DC Huawei switch Traditional Ethernet: > 0.2% packet loss rate over long-distance transmission Requirement Actual situation Intra-city active-active DC Active-active storage requires zero packet loss
  • 141.
    Section Summary This section describes Huawei's hyper-converged data center network products and major solutions: ⚫ L3.5 autonomous driving network, accelerating evolution towards multi-cloud and multi-DC ⚫ CloudFabric Easy Solution, helping SMEs build cloud data center networks in an "EASY" way ⚫ Ethernet for HPC, eliminating Ethernet packet loss and unleashing 100% of computing power ⚫ Ethernet for active-active storage, achieving lossless long-distance transmission and reducing links by 90%+
  • 142.
  • 143.
    CloudWAN 3.0: Leading WANs into the Intelligent Cloud-Network Era SRv6 FlexE-based slicing 100+ commercial cases worldwide IPv6 Enhanced, laying a foundation for digital infrastructure IFIT NETCONF/YANG Township Federal HQ State DC Real-time visibility Fault locating in minutes Failover in milliseconds One-fiber multipurpose transport: deterministic experience • Hierarchical slicing: 1000+ slices, 10x the industry average. • Slice ID-based slicing for simplified deployment One-network wide connection: network digitalization • Industry-unique hop-by-hop measurement technology, enabling real-time visibility of network-wide status and troubleshooting within minutes One-hop cloud access: flexible cloud-network connection • SRv6 enables service provisioning within minutes and agile service cloudification. One-click fast scheduling: cloud-network coordinated scheduling • SDN + intelligent cloud-map algorithm, improving cloud-network resource utilization by 30%
  • 144.
    MPLS MPLS VLAN Cloud path 10 Cloud path 20 Cloud path 30 27 36 27 16 SR & SRv6 standards document contributions by vendors Huawei Vendor C & Huawei Vendor C Others Huawei leads or participates in the formulation of 59% of SRv6 standards. Major contributor to SRv6 standards Leading global SRv6 commercial use 100+ SRv6 commercial deployments (as of 2022) One-Hop Cloud Access: Overcoming Process Barriers with Technology to Enable Fast and Smooth Cloudification for Enterprises VXLAN Interop Best of Show Award Frost & Sullivan Global New Product Innovation Leadership Award Industry: multi-level cross-department collaboration 10+ stages, 30+ days for provisioning Huawei: configuration-free cross-domain cloud path deployment Provisioning within minutes and application-level assurance Cloud path 20: 100 Mbps bandwidth, latency < 2 ms Cloud path 30: 50 Mbps bandwidth, latency < 10 ms
  • 145.
    Most powerful hierarchical slicing, maximal network value Huawei Other vendor vs. 1000+ slices: Huawei-exclusive 32 1000 Restricted protocol path computation capability Patented slice ID-based slicing, planning free Configuration within hours, requiring address planning Slice-based hard isolation, guaranteeing bandwidth and latency Soft isolation and bandwidth sharing, unable to guarantee SLAs 10 Mbps granularity, without wasting resources Only 5 Gbps granularity supported 10 Mbps/slice … 5 Gbps/slice One-Fiber Multipurpose Transport: Hierarchical Slicing Enables IP-Based Production Networks and Ensures Deterministic SLAs Remote mgmt. Video security Office service Remote mgmt. Video security Office service Office service Production service Video service slice Control service slice 10+ networks → N slices over 1 network Multi-network convergence and private network-like experience Telepresence conference: latency < 10 ms Video security: bandwidth > 100 Mbps Office service: service isolation Office service slice Before Now More Faster Better More cost-effective FlexE-based slice 1 FlexE-based slice 2 FlexE-based slice 3 FlexE-based slice 4
  • 146.
    90% 12% 25% IDC1 IDC2 IDC3 CNY120 million/year investment 38% resource utilization Computing power Cost Storage Cloud factors Network factors Bandwidth Reliability Latency 45% 50% 47% IDC1 IDC2 IDC3 Lower TCO Cloud-network resource utilization Intelligent cloud-map algorithm Active DC Intra-city DR DC Inter-city DR DC Cloud management platform Cloud resource information 90,000 cameras 200T/day video data 90% 10% 50% 50% 30% CNY 30 million/year One-Click Fast Scheduling: Intelligent Cloud-Map Algorithm Improves IDC Resource Utilization by 30% Huawei: cloud-network coordinated scheduling, enabling efficient resource utilization Industry: unbalanced cloud-network resource loads, wasting investment
  • 147.
    One-Network Wide Connection: Network Digitalization Builds Resilient WANs to Ensure Service Availability 24/7 Customer L Customer U Customer pain points: CloudVR video artifacts and frame freezing, and long period to locate silent faults (over 2 hours) Solution: IFIT delivers a packet loss detection rate of 100% and enables fault demarcation within minutes. Customer requirements: Key areas need to be ensured, and problems need to be quickly located and rectified. Solution: Real-time visualization and automatic optimization of service quality, and closed-loop network self-healing 100x Fault demarcation efficiency 50% OPEX Prompt fault diagnosis In-depth service perception Proactive fault identification First IFIT-based service SLA monitoring Delay Jitter Packet loss Knowledge graph algorithm, enabling comprehensive analysis of millions of alarms 80,000+ KPIs Real-time collection 400+ scenarios Automatic root cause analysis 90% Fault identification rate Automatic demarcation of disconnection faults Days Minutes Quick and automatic root cause analysis Proactive identification rate of 200+ typical network risks 60% 90% Huawei solution: visualized, detailed, and predictive network O&M Hours Minutes In-band measurement Monitoring and locating service SLAs
  • 148.
    Section Summary This section describes Huawei's cloud WAN products and major solutions: • One-hop cloud access: Process barriers are overcome with technology to enable fast and smooth cloudification for enterprises. • One-fiber multipurpose transport: Hierarchical slicing enables IP-based production networks and ensures deterministic SLAs. • One-click fast scheduling: Intelligent cloud-map algorithm improves IDC resource utilization by 30%. • One-network wide connection: Network digitalization builds resilient WANs to ensure service availability 24/7.
  • 149.
  • 150.
    HiSec: Intelligent Security, Protecting a Fully Connected, Digital World Analyzer HiSec Insight FireHunter SecoManager Controller Threat intelligence Identity controller Safe city e-Government cloud Telco cloud Scientific research enterprise Manufacturing Government security brain Industrial park ICT infrastructure ... IAM Enforcers iMaster NCE Based on automated service-policy mapping 80% Security O&M costs OPEX Intelligent detection Intelligent handling Intelligent O&M Within seconds Collaboration between network and security devices, enabling proactive threat deception, and automatic closed-loop threat handling Threat response time 99% Unknown threat detection accuracy
  • 151.
    • Intrusions by exploiting web and application vulnerabilities • Intrusions through zombies, Trojan horses, viruses, and malicious code • Phishing emails and web pages as well as APT attacks • DDoS attacks • Bandwidth misuse, failing to guarantee the QoS of key services Challenges Campus intranet Firewall • Intrusion prevention: supports flow-based signature detection and 12,000+ IPS signatures, achieving approximately zero false positives. • Antivirus: combines application identification with virus scanning, detecting over 5 million viruses. • Data breach prevention: identifies and filters files and contents transmitted through email, HTTP, FTP, IM, and SNS, identifies 120+ file types, and restores and filters 30+ file contents. • DDoS attack mitigation: fends off multiple types of DDoS attacks. • Powerful security performance: offers 10GE-level all-threat prevention, with up to 40 Gbps performance. • Application QoS optimization: identifies 6000+ applications and supports application-based bandwidth limiting, minimum bandwidth guarantee, and policy-based routing. • Unknown threat detection: supports cloud-based sandbox detection technology, with the signature database updated every day. • Intelligent management: automatically generates the most stringent security policies for easy optimization. Customer Benefits Huawei Network Security Use Cases (1/3): Internet Border Protection Internet
  • 152.
    WAN access area Branch HQ LAN • Service data breach during transmission • Intrusion behavior of internal users • Internal virus spread • Unauthorized access by internal users • Resource misuse, preempting service bandwidth Challenges • VPN: supports IPsec VPN, SSL VPN, IPsec hot standby (for zero service interruptions), and DSVPN. • Intrusion prevention and antivirus, preventing data breaches. • Application QoS optimization: identifies 6000+ applications and supports application-based bandwidth limiting, minimum bandwidth guarantee, and policy-based routing. • Unknown threat detection: supports cloud-based sandbox detection technology, with the signature database updated every day. Customer Benefits IPsec VPN Huawei Network Security Use Cases (2/3): Secure Subnet/Branch Interconnection Firewall Firewall LAN LAN LAN WAN (private network)
  • 153.
    Huawei Network Security Use Cases (3/3): Data Center Security • Adaptation to the elastic scaling, quick rollout, and self-service needs of the cloud • Blurring network boundaries and rampant security threats • In need of strong processing performance, effective traffic management mechanisms, and comprehensive reliability mechanisms Challenges • North-south and east-west security services for tenants through security resource pools and service traffic diversion based on different types of traffic • Rich security capabilities: security protection of cloud data center borders, tenant borders, and tenant intranet • High performance: built-in NP acceleration engine, content mode matching engine, and encryption/decryption engine for high service processing performance • High reliability: hot standby for improved reliability Customer Benefits Border Leaf Server Leaf Spine VXLAN domain Internet Firewall Firewall SecoManager Service-oriented integration DDoS
  • 154.
    Huawei's Main Security Product Portfolio Anti-DDoS Firewall SecoManager security controller AntiDDoS1905 Fixed anti-DDoS devices Desktop firewalls USG6510E USG6530E USG6575E-B USG6605E-B Bypass models High-end fixed firewalls USG6680E USG6712E USG6716E USG6525E USG6555E USG6565E USG6585E Low-end and mid-range fixed USG6500 series Low-end and mid-range fixed USG6600 series USG6650E USG6630E USG6610E USG6620E AntiDDoS1908 USG6615F USG6625F USG6635F USG6655F USG6710F USG6715F USG6725F USG12008 AntiDDoS12004-F USG12004 Modular firewalls USG12004-F USG12008-F AntiDDoS12004 AntiDDoS12008 Modular anti-DDoS devices AntiDDoS12008-F USG6685F 80 Gbps–240 Gbps series 2 Gbps–9 Gbps series 10 Gbps–50 Gbps series 400 Gbps–800 Gbps series 960 Gbps–2.4 Tbps Series 400 Gbps–1.2 Tbps series 300 Gbps–600 Gbps series 1.2 Gbps–4 Gbps series 40 Gbps–80 Gbps series 7 Gbps–10 Gbps series
  • 155.
    ✓ Entry into Gartner's MQ as a firewall vendor since 2013 ✓ A challenger in Gartner's MQ for 5 years in a row ✓ A vendor in Gartner's MQ for 9 consecutive years "Challenger" in Gartner MQ Gartner Peer Insights Customers' Choice ✓ Huawei firewalls won Gartner Peer Insights "Customers' Choice" in 2021. ✓ Overall rating for Huawei firewalls: 4.9/5 stars, ranking No. 1 among all vendors ✓ Gaining the highest score (full score) in many domains, such as automated malware analysis, IPS and IDS, TLS decryption, and SOC automated analysis "Strong performer" named by Forrester Winning World-Renowned Honors and Leading the Industry
  • 156.
    Section Summary This section describes Huawei's network security products and major solutions, covering: • Huawei network security use cases • Huawei's security product portfolio
  • 157.
    Contents 1. Huawei Enterprise Datacom Business Overview 2. Huawei Enterprise Datacom Network Solutions 3. Success Stories
  • 158.
    • XX University is a national key university in country Z. It has 2xxx full-time teachers and about 40,000 full-time students. • The legacy wireless network performance was poor and failed to support online courses in dormitories during the COVID-19 pandemic. • One new network needs to be built for the entire campus that features multi-network convergence and high-speed interconnection, meeting the requirements of teachers and students across six campuses in three cities in complex network scenarios. Huawei solution: visualized, manageable, and controllable high-quality Wi-Fi 6 campus network • Multi-network convergence (wired, Wi-Fi, and IoT): consistent access to campus resources and the Internet for teachers and students • Flattened, simplified two-layer (access + core) architecture: higher transmission efficiency and lower network construction costs • All-optical access: PoE++ at a distance of 300 m through hybrid optical-electrical switches • Wi-Fi 6 and AI-powered iMaster NCE-CampusInsight: better Wi-Fi network services for all the teachers and students on campus. Products: iMaster NCE-Campus, iMaster NCE-CampusInsight, S12700E, CloudEngine S5732-H, AirEngine 5760-22W Core switch (Campus S) Teaching and research area B Teaching and research area A Carrier B Firewall Online behavior management Situational awareness Anti-DDoS BRAS in teaching and research area Carrier A Carrier B Carrier C BRAS in the dormitory area Dormitory egress AP AP AP AP Dormitory area A Dormitory area B Core switch (Campus J) Teaching and research area C Carrier B Firewall Online behavior management Situational awareness Anti-DDoS BRAS in teaching and research area Carrier A Carrier B Carrier C Dormitory egress AP AP Dormitory area C AP AP AP AP Carrier A Carrier C Carrier A Carrier C Education network Education network XX University: Wi-Fi 6 and All-Optical Ethernet Combine to Build an Intelligent and Digital Information Highway WAN Security Campus DCN
  • 159.
    ⚫ Exclusive optical-electrical PoE technology: 10 Gbps ultra-broadband access and 300 m long-distance PoE++ via hybrid cable, as well as secondary PoE from RUs to downstream APs, removing the need for local power supply ⚫ Simplified network architecture: 3 layers (core, aggregation, and access) → 2 layers (core and access) • XX University has historical buildings that have no extra-low voltage (ELV) rooms on floors. The cabling length from the building equipment room to terminals exceeds 100 meters, so it's impossible to use Ethernet cables for both data transmission and power supply. • In line with national carbon neutrality goals and policies, XX University needs to build a green and low-carbon network for lower energy consumption. • Amid the ongoing pandemic, teachers and students require high-bandwidth services, such as large file download, online courses, MOOCs, and video conferencing. Customer Benefits Huawei Solution ⚫ Low-carbon and green: Highly energy-efficient RUs reduce single-port power consumption by 30%, greatly saving energy on the campus network. ⚫ Simple O&M: By using hybrid cables, RUs receive PoE at long distances and also supply PoE to downstream devices, removing the need for local power supply. RUs are also management-free, reducing managed nodes by over 90% and slashing O&M costs. ⚫ High-quality experience: Full Wi-Fi 6 coverage achieves 100% signal coverage, roaming latency of less than 30 ms, average packet loss rate of less than 0.1%, and single-user speed of 100 Mbps, ideal for bandwidth-hungry services of teachers and faculty members.
⚫ New Wi-Fi 6 wireless networking WAN Security Campus DCN CloudCampus @ Education: Helping XX University to Build a Low-Carbon and Green All-optical Campus Network Egress Education network Carrier C Carrier B Carrier A Authentication system S12700E-8 (integrated WAC) S10500 (wired network) S10500 (wireless network) USG 9560 iMaster NCE-CampusInsight iMaster NCE-Campus Building ELV room Hybrid optical-electrical switch (building A) Hybrid optical-electrical switch (building B) Aggregation switch (building C) Aggregation switch (building D) Aggregation switch (building N) Hybrid cable Hybrid cable RU RU Central AP
  • 160.
    Solution and Customer Benefits LAN-WAN Converged Networking  SD-WAN intelligent traffic steering  Wi-Fi-6 + IoT access  Intelligent O&M  Wired + 4G/5G SD-WAN Project @ XX: Building Smart Stores with LAN-WAN Convergence • XX is one of the top restaurant chains in country Z and even the world. It has 4000+ stores in country Z and opens 500+ new stores every year. It urgently needs to introduce IT cloud architecture, IoT, and smart store applications. • Costly leased lines and fast traffic growth: The average cost per Mbps bandwidth is CNY10K/year. The use of self-service systems sharply increases the demand for bandwidth. • Long service provisioning period: A huge number of stores and no local IT engineers result in high O&M costs. • Large equipment room space occupied by routers: 24 traditional routers exist in the DC, which are complex to replace. • Reduced O&M costs: Intelligent O&M and converged network reduce O&M costs by 60%. • Increased network bandwidth and access user capacity: Internet lines are added, and bandwidth is upgraded from X Mbps to XXX Mbps. • Enhanced reliability: Wired and 5G ensure always-on services for more returns. • Improved service support: cloud-managed network + smart store (IoT + AI) WAN Security Campus DCN Huawei Cloud Tencent Cloud Alibaba Cloud * Backup DC Network-wide automation | AI-powered intelligent O&M
  • 161.
    SD-WAN Project @ XX Bank: Embracing Smart Branches in the Digital Era
    • XX Bank is a century-old state-owned savings bank in country T, having a large number of branches, including 1000+ branches and 8000+ ATMs.
    • The legacy routers from vendor C are about to expire. Their performance is insufficient, failing to support link upgrade.
    • Currently, XX Bank uses leased lines from multiple carriers, leading to high link costs and low maintenance efficiency.
    • The leased line and Internet link are used together, suffering from low security.
    Huawei SD-WAN for reliable leased lines with superior experience
    As-Is: traditional leased line + Internet; single-site management + local O&M
    To-Be: intelligent and simplified O&M
    Customer Benefits
    • Multi-link bundling + intelligent traffic steering, improving customer experience by 50%
    • Fast deployment and visualized O&M, reducing OPEX by 50%
    • Secure, cost-effective uplink egress
    Figure labels: Tenant A, Tenant B
  • 162.
    Intelligent and Lossless Network @ XX: World's 1st RoCE Network Used for the Car Crash Simulation Platform
    XX is a joint venture and R&D-centric enterprise. All of its in-house car models use the car crash simulation platform. Huawei's intelligent and lossless CE9860 switch was selected to build a high-performance network for the car crash simulation platform.
    Huawei's 100GE intelligent and lossless network @ XX's car crash simulation platform
    The car crash simulation platform is applied to high-performance computing (HPC) for large-scale parallel systems. It models complex geometric shapes by providing different structural and continuum elements: beams, shells, membranes and solids. This provides a large number of linear and non-linear materials. By using rigid bodies to perform computing and ignoring deformations of unimportant components, this platform can simulate the performance state of the proposed car design, and evaluate the potential damage to occupants in a variety of crash situations.
    Figure: Job completion time (JCT) comparison (Huawei RoCE vs. IB). Axis: JCT (s). Series: 4-node IB, 4-node RoCE, 8-node IB, 8-node RoCE. Data labels: 14:47:45, 12:04:48, 11:33:15, 9:28:43. Annotations: ↑ 22.48%, ↑ 21.90%
    The customer compares IB and RoCE in the real-world 4-node and 8-node scenarios, with the following findings:
    • 4-node scenario: 22.48% better than IB
    • 8-node scenario: 21.90% better than IB
  • 163.
    Huawei Data Center NoF+ Solution @ XX Bank: Marching Towards the High-Tech Road
    XX Bank had long used the FC network, where there were only two leading vendors. When the FC network was faulty, it was difficult to receive vendor-branded services. XX Bank decided to upgrade storage from HDD to SSD, putting huge strain on the legacy FC network. Finally, XX Bank selected Huawei's NoF+ intelligent and lossless network solution, achieving zero service interruption, powerful performance, and TCO reduction.
    Huawei NoF+ intelligent and lossless network @ XX Bank
    24/7 zero service interruption
    • End-to-end failover <1s
    • Storage network smart discovery (SNSD): A storage network fault detection and alarm mechanism is added to quickly detect link faults and perform failover within seconds, ensuring 24/7 core transaction services.
    Powerful performance
    • Max. improvement of storage performance (vs. FC): 30%
    • Intelligent and lossless Ethernet switch: AI-powered dynamic adjustment of thresholds ensures zero packet loss even at 100% throughput.
    TCO reduction
    • All IP for data center networks
    • Smaller network construction cost
    • Simpler O&M and management
    • Lower requirements for team technical skills
    * Comparison between 32G FC and 25G RoCE
    Figure (networking diagram) labels: development and test area; x86 server; CE6860-SAN; CE6860-SAN; OceanStor Dorado 6000; 25GE RoCE
  • 164.
    World's 1st 400G RoCE Switch Project @ Computing Power Platform of XX Lab
    • World's 1st "400G aggregation, 200G access" RoCE switch project, setting a new benchmark
    • Huawei's 1st high-performance AI network that adapts to NVIDIA GPUs
    • National qualifications-ready lab led by the government of Z province that is mainly working on AI computing
    The customer chose RoCE technology and built an HPC network through lossless Ethernet.
    GPT model: generates a language model based on text training and fine-tunes the model based on NLP tasks.
    • Application: human language training
    • Test iteration: 1000 times
    • JCT: RoCE (29,236.51s) vs. IB (30,731.63s)
    • AI computing cluster networking: 200GE high-speed access of servers to TOR switches
    • Spine-Leaf: 400G ultra-broadband interconnection, meeting 1:1 convergence ratio
    • Computing performance: slightly better than IB
    • Job completion time (JCT): 4.87% better than IB
    Figure (GPT model) labels: Text Prediction, Task Classifier, Layer Norm, Feed Forward, Layer Norm, Masked Multi Self Attention, Text & Position Embed
    Figure (network diagram) labels: IB network; RoCE network; AI computing cluster area; CE9860 (400G card); computing network: parameter plane & data plane; core switching; 25GE, 100GE, 200GE, 400GE; 25*400G; 8*400G; CE8851; spine; leaf; service network; compute node; storage node; Cabinet 1 to Cabinet N; 4*200G; 4*200G; 1*100G; CE8850-64CQ; 100 GB/s; 100 GB/s; Mellanox7890
  • 165.
    XX Power Company: One IP Network for All, Safeguarding Operations, Reducing Costs, and Increasing Efficiency
    As-Is: Multi-network bearer leads to complex O&M and high TCO.
    • Multi-network bearer for OT & IT services is expensive.
    • Low bandwidth fails to support new services.
    • O&M on the outdated network is complex.
    To-Be: One bearer network with slicing delivers high reliability and reduces costs.
    • Converged bearer: PCM interfaces adapt to OT service systems.
    • Intelligent slicing: 1000+ slices and Mbps-level granularity
    • Intelligent O&M: improves network stability and service quality
    ✓ One IP network for all, reducing investment in PCM devices
    ✓ Higher O&M efficiency, optimizing the electric power service experience
    ✓ Hard slicing for isolation, ensuring key power grid services
    Figures: 40% overall CAPEX; 30% safety incidents; 25% network construction cost
    Figure (network diagram) labels: substations; dispatch centers; wide area measurement system (WAMS); SCADA; relay protection; C37.94; ETH; VPN1; VPN2; video inspection
  • 166.
    Bank J in Country Z: Global Intelligent Optimization Improves Cloud-Network Utilization While Reducing TCO
    Customer requirements
    • SLA assurance for key production services
    • Balanced utilization of private line bandwidth
    • CAPEX cost savings
    Pain points
    • Shortest path forwarding, with a congestion rate of 90%
    • Unbalanced resource load and high capacity expansion costs
    • Affected service transactions during peak hours
    As-Is: Unbalanced DCI traffic, prone to congestion
    To-Be: Intelligent optimization for DCI traffic load balancing
    Figure labels: resource utilization after global optimization; network TCO CNY30M/year; intelligent cloud-map algorithm; intelligent traffic scheduling for load balancing; best-effort; SRv6; 20%, 90%, 20%, 40%, 40%
  • 167.
    XX Bank: Efficient Security Protection for Rapid Development of Banking Business
    Background
    • XX Bank is the largest private bank in xxx. It is a Fortune Global 500 company.
    • The bank has multiple data centers, has an independent security team, and attaches great importance to network security.
    Challenge
    • Due to political or economic factors, the financial system is prone to attacks.
    • Outdated legacy equipment hinders rapid business development.
    • Lack of centralized management results in low O&M efficiency.
    Huawei Solution
    • USG6000E delivers high service performance needed for financial service scenarios.
    • SecoManager was deployed to centrally manage firewalls and implement service orchestration, greatly simplifying O&M.
    • USG6000E was deployed to offer IPS, antivirus, URL filtering, and other security capabilities, and intelligently detect unknown malware, effectively enhancing system defense.
    Customer Benefits
    • Robust security protection and best performance of mixed traffic, safeguarding financial services
    • Secure isolation of each area within three data centers, and CAPEX reduction by 60%, after 50+ products replace 100+ legacy devices
    • Unified O&M and OPEX reduction by 80%, through SecoManager for centralized firewall management
    Figure labels: Internet; DC 1 to DC n; USG6000E; USG6000E; SecoManager
  • 168.
    Quiz
    1. What are the four differentiators of Huawei's CloudCampus Solution?
    2. What are the three highlights of low-carbon intelligence?
    3. What does "one global network" refer to?
  • 169.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved.
    The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
    Bring digital to every person, home, and organization for a fully connected, intelligent world.
    Thank you.
  • 170.
    Huawei CloudCampus Solution and Switch Products Presales Training
    ⚫ Security Level:
  • 171.
    Foreword
    ⚫ Campus networks, as the infrastructure for campuses to connect to the digital world, are an indispensable part of campus construction and play an increasingly important role in daily working, R&D, production, and operation management.
    ⚫ This course describes the concept, typical networking scenarios, and typical architecture of enterprise campus networks, as well as the requirements, trends, and challenges of campus networks. This course then briefly introduces Huawei CloudCampus 3.0, and focuses on Huawei CloudEngine S series campus switches and their competitiveness and highlights.
  • 172.
    Objectives
    ⚫ On completion of this course, you will be able to:
     Describe the concept of a campus network and its position on an E2E (end-to-end) large-scale network.
     Distinguish between different types of campus networks and describe their main characteristics.
     Describe the typical logical and physical architectures of campus networks.
     Describe the architecture, components, and main functions of Huawei CloudCampus 3.0.
     Recommend a proper campus network architecture based on customer requirements.
     Differentiate between Huawei switch models and flexibly select them for different projects.
  • 173.
    Contents
    1. Campus Network and Solution Overview
    2. CloudCampus Solution Highlights
    3. CloudEngine S Series Switches
  • 174.
    What Is a Data Communication Network?
    • A data communication network comprises a variety of data communication devices.
    • Data communication networks are the cornerstone for the digital world.
    Figure (E2E data communication industry) labels: cloud campus network; cloud WAN; hyper-converged data center network (DCN); network security; general-purpose computing; storage; high-performance computing
  • 175.
    What Is a Campus Network?
    Figure labels: HQ core; regional core; regional core; DC (active); DC (standby); operation center; government building; smart street lamp; school; hospital; community; industrial park; CCTV; enterprise; shopping mall/supermarket; government building
  • 176.
    Campus Networks Across Industries
    Enterprise campus network
    • Refers to the enterprise office network here.
    • Focuses on network reliability and advancement to improve office experience and ensure the efficiency and quality of operation and production.
    Education campus network
    • Has two types: primary/secondary education and higher education campus networks.
    • A higher education campus network is relatively complex: It generally contains a teaching and scientific research network, a student network, and an operational dormitory network.
    • The network must be highly manageable and secure as well as advanced.
    Government campus network
    • Generally refers to the internal network of a government agency.
    • Has ultra-high security requirements. The internal network is isolated from the external network to ensure the absolute security of confidential information.
    Commercial campus network
    • Commercial campuses refer to malls, supermarkets, hotels, and parks.
    • Mainly serves consumers and contains internal office subnets.
    • Provides Internet access services and builds an intelligent business system to improve user experience and business efficiency, reduce O&M costs, and transfer value.
    To meet service requirements in different industries, the campus network architecture and technical applications are designed based on industry characteristics.
  • 177.
    Campus Network Types and Technical Fields
    Overview of campus types
    Simple-service campus
    • Midsize or large scale, simple services, and similar site models
    Large multi-service campus
    • Large scale, complex services, and logical isolation required between services
    Small or midsize campus or branch campus
    • Small scale, simple services, and inter-site communication
    Technical fields
    • SD-WAN: software-defined WAN in the hybrid WAN scenario, implementing intelligent enterprise WAN interconnection
    • Switching network (LAN): contains switches at the core, aggregation, and access layers and has different hierarchical structures based on the network scale. This course will focus on this network.
    • Wireless network (WLAN): contains wireless access controllers (WACs) and access points (APs).
    Figure labels: Internet/MPLS; SD-WAN; public cloud, private cloud, and hybrid cloud; service migration to the cloud; simple-service campus; large multi-service campus; small or midsize campus or branch campus; office; R&D; IoT; WLAN
  • 178.
    Typical Physical Networking of Campus Networks
    • Egress zone: enables internal users on the campus network to access the public network or external users (including customers, partners, branches, and remote office users) to access the campus network.
    • DC (data center): has servers and application systems deployed to provide data and application services for internal and external users of an enterprise.
    • Network management and O&M zone: has campus network management and O&M servers deployed.
    • Core layer: serves as the core for campus data switching and connects all components of the campus network. A WAC is usually deployed at the core layer.
    • Aggregation layer: functions as the switching core in an area to aggregate the area traffic and can extend the quantity of access terminals.
    • Access layer: provides wired or wireless access for terminals and has switches and APs deployed.
    • Terminal layer: contains various terminals that access the campus network, such as PCs, printers, IP phones, mobile phones, and cameras.
    Figure labels: Internet; WAN; egress zone; DC; network management and O&M zone; core layer; aggregation layer; access layer; terminal layer; stack/CSS link
  • 179.
    Campus WAN Interconnection Networking
    Static IPsec VPN
    IPsec VPN tunnels are established between devices at different sites. Traffic is diverted to the VPN tunnels based on the configuration to implement secure inter-site communication.
    SD-WAN interconnection
    SD-WAN implements on-demand interconnection between branches and between branches and DCs. It provides application-based intelligent traffic steering and acceleration as well as intelligent O&M features to deliver better service experience and reshape the full-process service outcomes of enterprise WAN interconnection.
    This course focuses on campus switches and related solutions.
    Figure labels: Internet; MPLS; MPLS/Internet; HQ; HQ campus; DC; Branch 1; Branch 2; RR
  • 180.
    Service Requirements and Challenges of Large and Midsize Campus Networks
    Converged bearing
    Requirements: Diversified access terminals and services are calling for a converged network.
    Challenges:
    • Services such as Wi-Fi and IoT are separately planned, deployed, and managed, resulting in high network construction costs.
    • The workload of network management and O&M is heavy.
    User experience awareness
    Requirements: Network O&M needs to be automated and intelligent to perceive user experience anytime and anywhere.
    Challenges:
    • Service faults cannot be detected in a timely manner.
    • Root cause locating of a fault is slow and relies on the O&M skills of professional personnel.
    • The network cannot be automatically optimized.
    Network automation
    Requirements: As applications and services surge, the network needs to be automated to address the deployment and policy complexity.
    Challenges:
    • The workload is heavy, and manual configuration is complex.
    • New services need to be configured on each device, which is time-consuming and costly.
    • Network policy deployment and adjustment result in heavy workload.
    Border defense
    Requirements: Unknown threats must be detected and contained to prevent intrusion and spread.
    Challenges:
    • Traditional security tools provide inadequate threat detection, resulting in high miss rates when detecting gray traffic, which is often disguised as having local origins.
    • The border defense solution is inadequate.
  • 181.
    Service Requirements and Challenges of Small and Midsize Campus Networks
    Deployment efficiency
    Requirements: Plug-and-play network devices improve deployment efficiency.
    Challenges:
    • Configurations of multiple sites are centrally delivered, reducing onsite configuration and commissioning workload and improving deployment efficiency.
    • The network is plug-and-play and able to be expanded on demand, requiring low cost for upgrades.
    Unified management and centralized configuration
    Requirements: Centralized and simplified O&M of multiple sites from the cloud.
    Challenges:
    • Scattered campus branch networks are centrally managed on the cloud through the Internet, and multiple automation tools are provided for troubleshooting, monitoring, and other management operations, so as to implement remote automated O&M.
    Openness and big data analytics capabilities
    Requirements: Open application programming interfaces (APIs) accelerate integration of business applications.
    Challenges:
    • A cloud management platform with open APIs and big data analytics capabilities interconnects with multiple management systems to achieve unified network management. It is able to provide diversified value-added applications to accelerate enterprise digital transformation.
    Figure labels: O&M; APIs; site network devices; plug-and-play and on-demand expansion; centralized cloud-based management of multiple branches and remote automated O&M; site network 1, site network 2, site network N; cloud management platform
  • 182.
    Service Requirements and Challenges of Multi-Campus Network Interconnection
    Branch interconnection cost
    Requirements: Reduce the costs for WAN interconnection between branches.
    Challenges: Physical leased lines or MPLS VPN leased lines provided by carriers are of high quality, but they are very expensive.
    Service provisioning period
    Requirements: Improve the network deployment efficiency and shorten the service provisioning period.
    Challenges:
    • Provisioning of traditional leased lines takes a long time.
    • Services need to be manually configured by network engineers onsite, which requires high skills and is inefficient.
    Service experience
    Requirements: Improve the application identification capability and ensure the experience of key services.
    Challenges:
    • Enterprise applications have varying requirements on link quality.
    • Traditional leased lines cannot detect the application status and thereby cannot guarantee key services at all times.
    Management and O&M
    Requirements: Adopt a visualized method to simplify management and O&M.
    Challenges:
    • CLI-based management and O&M are inefficient, and there is no visualized O&M method.
    • If an enterprise has a large number of branches, onsite O&M costs a lot.
    Centralized management
    Requirements: Manage LAN-side and WAN-side services in a unified manner.
    Challenges:
    • Unified configuration management and O&M cannot be implemented.
  • 183.
    CloudCampus 3.0: Boosting Enterprise Digital Transformation
    • AirEngine Wi-Fi 6/Wi-Fi 6E: fully wireless continuous networking, no rate limiting for applications, and zero service disconnection
    • CloudEngine S switch: easy access and 10GE backhaul
    • iMaster NCE-Campus: automatic network provisioning and policy deployment across LANs and WANs
    • SRv6 + SD-WAN: secure interconnection across branches and clouds, building one network for all services
    • iMaster NCE-CampusInsight: user, network, and application experience assurance and fault self-healing
    Figure labels: network-wide automation | intelligent O&M; private cloud; public cloud; Internet; router; hybrid optical-electrical switch; Wi-Fi 6/Wi-Fi 6E; continuous experience; SD-WAN; MPLS/Internet; 5G/Internet; HQ campus; branch campus
  • 184.
    Fully-Wireless Experience: Breaking Down Boundaries and Inspiring Innovation
    Scenario labels: electronic shelf label; wireless mobile cashier; self-service checkout machine; wireless scale; wired-to-wireless upgrade; AR/VR teaching; wireless multimedia teaching; fully wireless office; wireless campus; wireless mobile office; public Wi-Fi; wireless city; production automation; automated guided vehicle (AGV); asset management; HD quality inspection; massive branches going wireless; remote O&M
    • AirEngine series Wi-Fi 6 APs: Provide continuous wireless coverage and ensure good user experience.
    • CloudEngine S series switches: Build 10GE backbone wireless backhaul networks for campuses.
  • 185.
    L3 Autonomous Driving: Network Autonomous Driving Ensures Agile Service Rollout
    • Device plug-and-play: simplified device deployment, scenario-specific guided configuration, template-based configuration
    • Simplified network deployment: network resource pooling, multi-purpose network, automatic service provisioning
    • Free mobility: GUI-based policy configuration, consistent permission and experience during moving
    • Intelligent terminal identification: anti-spoofing for terminal access, high accuracy in intelligent terminal identification
    • Intelligent HQoS: application-based traffic scheduling and shaping, fine-grained bandwidth management
    • Real-time experience visualization: network experience visualization at any moment, for any user, and in any area
    • Precise fault analysis: proactively identifies typical network problems and provides suggestions
    • Intelligent network optimization: predictive optimization of wireless networks based on historical data
    Figure labels: NETCONF; SNMP; Telemetry; Management; Control; Analysis
  • 186.
    One Global Network: One Hop to Cloud, Multi-Branch Interconnection, and Service Accessible Anywhere
    • One set of controller, centrally managing LAN/WAN services
    • Intelligent application policy selection, intent-based automatic application experience assurance
    • Application-based intelligent traffic steering, optimizing applications and guaranteeing experience
    • Border security protection, ensuring egress security for branches
    • One hop from the AR1000V to six clouds, multi-cloud interconnection
    • Cabling-free, plug-and-play, on-demand interconnection anytime and anywhere
    Figure labels: MPLS; Internet; DC; HQ campus; branch site; branch site; RR; GRE/IPsec VPN; management channel; control plane: BGP EVPN peer relationship; planning; deployment; O&M; optimization; orchestration
  • 187.
    Low-Carbon Intelligence: Transforming Campus Network Architecture and Transmission Media
    80%+↓ Number of managed nodes
    • Three layers → two layers, simplifying management
    • Planning-free, management-free, and plug-and-play RUs
    30%+↓ Power consumption of network-wide devices
    • Intelligent device/port hibernation
    • Fanless RU design, noise-free and energy-saving
    10–15 years: smooth network evolution
    • Exclusive optical-electrical PoE, ensuring network continuity even without local power supply
    • Ultra-large transmission bandwidth, smooth network upgrade
    Figure labels: network-wide automation | intelligent O&M; optical fiber; hybrid cable; hybrid cable; Ethernet cable; PoE OUT; 1/2.5/10GE; central switch; RU; public area; mobile office; office desktop
  • 188.
    Three Deployment Modes of CloudCampus
    On-premises scenario
    • Operation entity: Customer
    • Scenario description: Customers purchase and own software entities, such as the controller and analyzer, which can be deployed in their data centers or on the public cloud IaaS platform.
    • Target customers: Government, education, large enterprise, retail, finance, and other industry customers
    • CloudCampus software transaction mode: Perpetual license + SnS
    MSP-owned cloud scenario
    • Operation entity: MSP and carrier
    • Scenario description: MSP-operated: MSPs purchase software, such as the controller and analyzer, for operational purposes. The software can be deployed in their data centers or on the public cloud IaaS platform.
    • Target customers: MSP and carrier
    • CloudCampus software transaction mode: TBL subscription mode
    Huawei public cloud scenario
    • Operation entity: Huawei
    • Scenario description: Huawei operates the public cloud and customers do not need to purchase the controller or analyzer software. Instead, customers just purchase Huawei's cloud managed network service.
    • Target customers: Government, education, large enterprise, retail, finance, and other industry customers
    • CloudCampus software transaction mode: SaaS mode
  • 189.
    Contents
    1. Campus Network and Solution Overview
    2. CloudCampus Solution Highlights
    3. CloudEngine S Series Switches
  • 190.
    CSS: 2-to-1 Virtualization, Delivering Higher Link Bandwidth and Simplifying Management
    Traditional: route redundancy with 1:1 link protection
    Huawei: device cluster with 1+1 link protection
    • Two core devices are virtualized into one device using CSS, reducing the number of managed NEs by 50%.
    • Aggregation devices implement uplink aggregation using Eth-Trunk, increasing the bandwidth by 100%.
    Figure labels: physical topology; logical topology; blocked by STP; CSS
  • 191.
    iStack: Many-to-One Virtualization, Simplifying Device Configuration and Management
    • Virtualizes multiple devices into one device, greatly simplifying network configuration and device management.
    • Works with Eth-Trunk to provide uplink aggregation and load balancing, improving uplink reliability.
    • Supports service port stacking, without requiring dedicated stack ports or stack cards, making networking convenient and flexible.
    CSS/iStack can be used with Eth-Trunk to form a logical tree topology. This simplified network topology prevents Layer 2 loops and improves network reliability.
    Figure labels: physical topology; logical topology; CSS; iStack; iStack
  • 192.
    One-to-Many Campus Network Virtualization: Automatic Service Provisioning on Multi-Purpose Networks
    • One network carrying multiple services
    • Automatic physical network deployment
    • Automatic virtual network (VN) deployment
    • Automatic service policy delivery
    Figure labels: office; videoconferencing; security protection; Internet; VXLAN; VN1: office VN; VN2: videoconferencing VN; VN3: security protection VN
  • 193.
    Native WAC: Implements Wired and Wireless Network Convergence
    Wired and wireless convergence (native WAC)
    The switch integrates the WAC function to eliminate bottlenecks in wireless traffic forwarding, reduce failure points, and centrally manage wired and wireless traffic:
    • Uniformly manages and forwards wired and wireless services.
    • Functions as the gateway for both wired and wireless users and manages both types of users.
    • Used as the authentication point for both wired and wireless access.
    • Enforces policies for both wired and wireless services.
    Standalone WAC
    • Independent service forwarding
    • Separate device management
    • Separate user policies
    WAC card
    • Installed on a switch as a WAC card
    • Convergence only at the hardware level.
    Standalone WAC and WAC card: separate wired and wireless authentication points, decentralized policy control, separate traffic forwarding, complex troubleshooting, difficult management
    Figure labels: standalone WAC; WAC card; native WAC
  • 194.
    Free Mobility: User-based Policy Control, Delivering Consistent User Experience Across the Network
    1. Security groups are defined, each specifying a group of users with the same network access policies.
    2. Permission control policies are defined based on security groups and are delivered to network devices.
    3. Authorized security groups are assigned to the users who pass admission authentication.
    4. After user traffic enters the network, network devices enforce policies based on the corresponding source and destination security groups of the traffic.
    Figure labels: campus network; User A, User B, User C; access authentication; security group and policy delivery; sales user security group; R&D user security group; server resource security group; permission policy
  • 195.
    Free Mobility: Typical Solution
    Scenario description
    • Centralized authentication point + centralized policy enforcement point.
    • The authentication point and policy enforcement point are deployed on the same device.
    • The devices do not support VXLAN.
    Scenario characteristics
    • Core functions as the centralized authentication point for network-wide wired and wireless users.
    • Core functions as the policy enforcement point for free mobility.
    • Core has authentication information about all users on the network. After traffic is forwarded to Core, it enforces policies based on the defined policy control matrix.
    • The network does not need to support or deploy VXLAN.
    Security group
      Group Name    Group ID
      Sales         1
      R&D           2
      Marketing     3
      ...           ...
    Security group–based policy control matrix
                    Sales   R&D   Marketing   ...
      Sales         √       ×     √           ...
      R&D           ×       √     √           ...
      Marketing     √       √     √           ...
      ...           ...     ...   ...         ...
    Figure labels: PC1 1.1.1.1 Sales; PC2 2.2.2.2 R&D; PC3 3.3.3.3 Marketing; Core; AGG1; AGG2; Access1; Access2; authentication point; policy enforcement point; security group and policy control matrix delivery
  • 196.
    Intelligent HQoS: User- and Application-based QoS Policies
    Challenges
    • Traditional QoS schedules traffic based on port bandwidth, allowing differentiation of traffic based on service levels. However, it is difficult to differentiate services based on users.
    • Traditional QoS cannot manage and schedule traffic of multiple services from multiple users simultaneously.
    Solution
    • Hierarchical QoS (HQoS) can not only differentiate traffic of different users but also schedule traffic based on service priorities.
    • HQoS differentiates service traffic using multi-level queues, and manages and schedules transport objects such as multiple users and services in a unified manner.
    Figure labels: user terminal; network device; management-control-analysis; VIP user; common user; 1: defines who are VIP users, defines application priorities; 2: two-level scheduling: user queue and application queue
  • 197.
    MACsec: Implements Secure Transmission of Ethernet Data Frames
    Context
    Most data is transmitted in plain text on LAN links, which brings security risks in scenarios with high security requirements.
    MACsec overview
    Media Access Control Security (MACsec) defines a method for securing data communication over Ethernet. It encrypts data hop by hop to ensure data transmission security. The corresponding standard is 802.1AE.
    • Data frame integrity check
    • Service data encryption
    • Data source authenticity verification
    • Replay protection
    Typical application scenarios
    • MACsec is deployed between switches to protect data security, for example, between access switches and upstream aggregation or core switches.
    • When transmission devices exist between switches, MACsec can be deployed to ensure data security.
    Figure labels: Site 1, Site 2, Internet, IPsec.
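To make the replay protection and integrity check listed above concrete, here is an added example (not from the course material or any Huawei implementation) that parses the 802.1AE SecTAG of constructed frames and applies a simplified receive-side check. Assumptions: the `ReceiveSA` model and frame builder are hypothetical, and ICV verification is represented by a boolean because the Python standard library has no AES-GCM.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

MACSEC_ETHERTYPE = 0x88E5  # EtherType that introduces the SecTAG
TCI_V, TCI_SC, TCI_E, TCI_C, AN_MASK = 0x80, 0x20, 0x08, 0x04, 0x03


@dataclass
class SecTag:
    an: int               # association number (selects the SA and its key)
    encrypted: bool       # E and C bits both set: payload is ciphertext
    pn: int               # packet number, the basis of replay protection
    sci: Optional[bytes]  # 8-byte secure channel identifier, if present


def parse_sectag(frame: bytes) -> SecTag:
    """Parse the SecTAG that follows the destination and source MAC."""
    if len(frame) < 20:
        raise ValueError("frame too short for a SecTAG")
    ethertype, tci_an, _short_len, pn = struct.unpack_from("!HBBI", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    sci = None
    if tci_an & TCI_SC:
        if len(frame) < 28:
            raise ValueError("SC bit set but SCI is truncated")
        sci = frame[20:28]
    both = TCI_E | TCI_C
    return SecTag(tci_an & AN_MASK, (tci_an & both) == both, pn, sci)


class ReceiveSA:
    """Simplified receive check for one secure association (hypothetical)."""

    def __init__(self, replay_window: int = 0) -> None:
        self.replay_window = replay_window
        self.next_pn = 1  # PN 0 is never valid

    def receive(self, tag: SecTag, icv_ok: bool) -> str:
        lowest_ok = max(self.next_pn - self.replay_window, 1)
        if tag.pn < lowest_ok:
            return "drop-replay"     # too old: replayed or badly delayed
        if not icv_ok:
            return "drop-integrity"  # tampered or wrong key
        # Only an authenticated frame may move the window forward.
        if tag.pn >= self.next_pn:
            self.next_pn = tag.pn + 1
        return "accept"


def build_frame(pn: int, an: int = 0) -> bytes:
    """Constructed sample frame: MACs, SecTAG with SCI, payload, 16-byte ICV."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    tci_an = TCI_SC | TCI_E | TCI_C | (an & AN_MASK)
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, 0, pn)
    sci = src + b"\x00\x01"  # source MAC + port identifier
    return dst + src + sectag + sci + b"\xaa" * 32 + b"\x00" * 16


def run(pns: Iterable[int], replay_window: int,
        bad_icv_at: Iterable[int] = ()) -> List[str]:
    """Feed frames with the given PNs through one SA; return the verdicts."""
    sa, bad = ReceiveSA(replay_window), set(bad_icv_at)
    verdicts = []
    for index, pn in enumerate(pns):
        tag = parse_sectag(build_frame(pn))
        verdicts.append(sa.receive(tag, icv_ok=index not in bad))
    return verdicts


if __name__ == "__main__":
    print(run([1, 2, 2, 3, 1], replay_window=0))
    print(run([1, 2, 5, 4, 3, 2, 5], replay_window=2))
    print(run([1, 9, 2], replay_window=0, bad_icv_at=[1]))
```

With a window of 0 every repeated or older PN is dropped; with a non-zero window (used to tolerate reordering) a duplicate PN that is still inside the window passes this check, which is the trade-off to weigh when enlarging the window.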
  • 198.
    Dumb Terminal Spoofing Detection: Accurate Identification of Bogus Terminals Based on Traffic Behaviors
    Dumb terminals are prone to spoofing, and manual troubleshooting is difficult.
    Dumb terminal spoofing detection
    1. Define dumb terminal types and configure isolation policies.
    2. A lightweight terminal signature database is deployed on the switch.
    3. A single switch can detect 2K dumb terminals and discover exceptions within 60s. The identification accuracy is 90%+.
    Figure labels: campus network; attack the network using a bogus camera; switch: traffic behavior collection, preset terminal signature database, inference, normal / abnormal, enforce an isolation policy, report alarms.
  • 199.
    Simplified Architecture: Planning-Free and Configuration-Free RUs Are Plug-and-Play
    As-Is: traditional solution
    • A large number of nodes configured and managed, deployment after planning, high O&M costs
    • The network topology is manually orchestrated, and access devices are maintained separately.
    • Layers: core layer, aggregation layer, access layer
    To-Be: Huawei solution
    • Planning-free and configuration-free RUs deployed, on-demand deployment and replacement, flexible expansion
    • The network topology is automatically discovered, and RUs are used as extended ports.
    • Layers: core layer, access layer (central switch, RU, AP)
    Architecture transformation: 3 layers → 2 layers
  • 200.
    Optical-Electrical PoE: Central Switches Provide Centralized Power Supply, Ensuring Network Continuity Even Without Local Power Supply
    As-Is: Ethernet cable
    • Ethernet cables are of different generations and need to be replaced for each acceleration, resulting in high costs.
    • Acceleration = Re-cabling
    • Cable generations shown: Cat3 10M, Cat5 100M, Cat5E 1/2.5GE, Cat6 5GE, Cat6A 10GE, 25GE
    • Wi-Fi generations shown: Wi-Fi 3/4, Wi-Fi 5, Wi-Fi 6, Wi-Fi 7
    To-Be: hybrid cable
    • 15 patents, one-time cabling saves replacement workload for 10–15 years, protecting investment
    • Medium revolution: Common cable → Hybrid cable
    • Superconducting red copper material, providing 300 m 60 W PoE++ power supply
    • 6 mm ultra-thin design
    • Intelligent sensing at ends, preventing electric shock and short circuits
    Figure labels: optical cable, electrical cable, hybrid module, hybrid cable.
  • 201.
    Contents
    1. Campus Network and Solution Overview
    2. CloudCampus Solution Highlights
    3. CloudEngine S Series Switches
  • 202.
    Huawei Campus Switches: Building High-Quality Campus Networks in the Wi-Fi 6 Era
    Models shown: CloudEngine S5735-L, CloudEngine S5731-H/S, CloudEngine S6730-H, CloudEngine S7700, CloudEngine S8700, CloudEngine S12700E-8, CloudEngine S12700E-12
    Wi-Fi 6 ready, IoT ready, Cloud ready, Quality ready
    • The core switches provide 6x industry-average switching performance.
    • Innovative hybrid optical-electrical switch
    • WAC integrated, managing an ultra-large number of APs
    • Intelligent terminal identification, facilitating refined access control of IoT terminals
    • Cloud-based management and O&M on iMaster NCE, implementing automatic deployment and intelligent O&M
    • HQoS, guaranteeing user experience of key applications
    • Open and programmable architecture, boosting smooth network evolution
  • 203.
    Naming Rules for Huawei Campus Switches
    Position | Meaning | Description
    A | Brand name (1 character) | Fixed to S
    B | Network positioning (1 character) | 8: core switch; 6: 10GE downlink port; 5: GE downlink port
    C | Market positioning (1 character) | 7: enterprise network market; 3: carrier network market
    D | Switch sub-series (2 characters) | Product sub-series, for example, 00 or 10
    E | Industry identifier (1 or 2 characters) | Left empty by default. EC: e-commerce; S: channel distribution
    F | Series model (1 character) | H: high-level version; S: standard version; L: lightweight version
    G | Number of downlink ports (2 characters) | Number of downlink ports
    H | Downlink port type (1 to 3 characters) | D: 400GE; C: 100GE; Q: 40GE; Y: 25GE; X: 10GE optical; M: 10GE electrical; N: 2.5GE/5GE electrical; S: GE optical; T: GE electrical; F: 100M electrical; P: GE electrical, PoE; U: GE electrical, PoE++; UM: multi-GE, PoE++
    I | Number of uplink ports (1 character) | Number of uplink ports
    J | Uplink port type (1 character) | D: 400GE; C: 100GE; Q: 40GE; Y: 25GE; X: 10GE optical; S: GE optical; T: GE electrical
    K | Card (1 character) | Empty: Cards are not supported. C: Pluggable cards are supported.
    L | Special function flag (0 or 1 character) | I: wide temperature range; M: video monitoring; B: back-to-front airflow design; Q: natural heat dissipation
    M | Power | A/A1: AC power supply; D/D1: –48 V power supply. This field is left empty if a pluggable power module is used.
    Example: S5700S-H48T4YC-MA, labelled with positions A to M and grouped into product series, port combination, and key characteristics.
  • 204.
    Huawei CloudEngine S Series Switch Portfolio
    Roles shown: core switch, aggregation switch, access switch, RU
    Series shown: CloudEngine S12700E series, CloudEngine S8700 series, S7700 series, S6700 series, CloudEngine S5700 series, CloudEngine S5731-L-RUA series
    • CloudEngine S12700E: 4/8/12 slots, up to 288 x 100GE
    • CloudEngine S8700: 6/10 slots, 48 x 10GE hybrid optical-electrical card supported
    • CloudEngine S7700: 3/6/12 slots, up to 96 x 100GE
    • CloudEngine S6730-H: 25GE downlink
    • CloudEngine S6730-H: 10GE downlink
    • CloudEngine S5732-H: GE/Multi-GE downlink
    • CloudEngine S5731-H/S: GE downlink
    • CloudEngine S5735-L: GE downlink
    • CloudEngine S5736-S: Multi-GE downlink
    • CloudEngine S5731-L-RUA wired RU: 4/8 x GE downlink, GE optical uplink
  • 205.
    CloudEngine S12700E: New Core Switch for Campus Networks in the Wi-Fi 6 Era
    CloudEngine S12700E-4/8/12
    The CloudEngine S12700E is the next-generation high-performance campus core switch that unleashes the speed potential of Wi-Fi 6.
    • Control and switching separation, on-demand configuration, and flexible capacity expansion
    • Redundancy design for key components, ensuring 99.999% reliability
    • Ultra-large buffer and HQoS scheduling, delivering optimal user experience of key applications
    • Powerful slot forwarding capability, building Wi-Fi 6 high-speed channels
    Benchmarking Model: HW: S12700E; Vendor C: C9600
  • 206.
    CloudEngine S12700E MPU, SFU, and CMU
    Cards shown: MPUE, SFUE, SFUH/SFUM, CMU
    Panel labels: USB port, BITS port (reserved), console port, Ethernet management port, CPU, subcard slot (reserved)
    • 1 GB memory and 128 MB flash memory
    • Used on the CloudEngine S12700E-4/8
    • 2 GB memory and 128 MB flash memory
    • SFUH for the CloudEngine S12700E-4/8
    • SFUM for the CloudEngine S12700E-12
    • One subcard slot reserved for capacity expansion
    • Supports hardware-based OAM/BFD
    • Supports multi-core and multi-instance, and manages a maximum of 10K APs and 50K concurrent users
    • Supports hot swapping, 1+1 backup, and asset management
    • Supports fan module management
    • Supports power module management
  • 207.
    CloudEngine S12700E: 100GE Interface Card
    6-port card
    • 6 x 100GE optical ports (X6E/X6S)
    • Supports 100GE QSFP28 optical modules and 40GE QSFP+ optical modules
    • Supports native WAC, VXLAN, and free mobility
    Note: The LST7C06HX6EK0 card cannot be used on the CloudEngine S12700E-12.
    24-port card
    • 24 x 100GE optical ports (X6E)
    • Supports 100GE QSFP28 optical modules and 40GE QSFP+ optical modules
    • Supports native WAC, VXLAN, and free mobility
    • Supports MACsec (ports 0 to 5)
    Note: The LST7C24HX6EK0 card cannot be used on the CloudEngine S12700E-12.
  • 208.
    CloudEngine S12700E: 40GE/100GE Interface Card
    Ports: 2 x 100GE, 4 x 40GE
    • Supports 100GE QSFP28 optical modules (ports 0 and 1) and 40GE QSFP+ optical modules (all ports)
    • Supports diversified features such as native WAC, VXLAN, and free mobility
    • Supports MACsec
  • 209.
    CloudEngine S12700E: 25GE Interface Card
    40 x 25GE interface card (X6H)
    Figure: port combination 1 (default) and port combination 2, with the labels 32 x 25GE, 8 x 25GE, 8 x 10GE, 32 x 25GE, and 16 x 10GE; legend: available / unavailable.
    • MACsec supported by all ports
    • Ultra-large entry capacity: 1M MAC address entries, 1M FIB entries, and 384K ARP entries
    • Supports diversified features such as native WAC, VXLAN, and free mobility
    • 4 GB ultra-large buffer and exclusive 4-level HQoS: guaranteeing experience of key users and applications when the traffic is heavy
  • 210.
    CloudEngine S12700E: 10GE Interface Card
    48-port 10GE card
    • 48 x 10GE optical ports (X6E/X6S)
    • Supports 10GE/GE optical modules and copper transceivers
    • Supports diversified features such as native WAC, VXLAN, and free mobility
    24-port 10GE + 24-port GE card
    • 24 x 10GE + 24 x GE optical ports (X6E/X6S)
    • Supports 10GE/GE optical modules and copper transceivers
    • Supports diversified features such as native WAC, VXLAN, and free mobility
  • 211.
    CloudEngine S12700E: GE Interface Card
    GE optical card
    • 48 x GE optical ports (X6E/X6S)
    • Supports optical modules and copper transceivers
    • Supports diversified features such as native WAC, VXLAN, and free mobility
    GE electrical card
    • 48 x GE electrical ports (X5E/X5S)
    • Supports 10M/100M/1000M auto-sensing
    • Supports diversified features such as native WAC, VXLAN, and free mobility
  • 212.
    CloudEngine S12700E Interface Cards
    X Series | 100GE | 40GE | 25GE | 10GE Optical Port | GE Optical Port | GE Electrical Port | Native WAC | VXLAN | Free Mobility | MACsec
    X6E | 24* | - | - | - | - | - | √ | √ | √ | √
    X6E/X6S | 6* | - | - | - | - | - | √ | √ | √ | √
    X6E | 2* | 4 | - | - | - | - | √ | √ | √ | √
    X6H | - | - | 40 | - | - | - | √ | √ | √ | √
    X6E/X6S | - | - | - | 48 | - | - | √ | √ | √ | -
    X6E/X6S | - | - | - | 24 | 24 | - | √ | √ | √ | -
    X6E/X6S | - | - | - | - | 48 | - | √ | √ | √ | -
    X5E/X5S | - | - | - | - | - | 48 | √ | √ | √ | -
    * Compatible with 40GE
  • 213.
    CloudEngine S12700E: Power Modules
    • The power module uses a screwless ejector latch for easy replacement. The indicator shows whether the power module is securely installed in the slot.
    • AC and DC power modules can be used together in the same device.
    3000 W AC power module (PAC3KS54-CE)
    • Input voltage: AC: 90 V AC to 290 V AC; DC: 190 V DC to 290 V DC
    • Maximum output power: 3000 W @ 220 V AC/240 V DC; 1500 W @ 110 V AC
    2200 W DC power module (W2PSD2200)
    • Input voltage: –40 V DC to –72 V DC
    • Maximum output power: 2200 W
    Power slots
    • S12700E-4: 4 power slots, N+1 backup
    • S12700E-8: 6 power slots, N+1 or N+2 backup
    • S12700E-12: 6 power slots, N+1 or N+2 backup
    CMU
    The CMU manages the power modules and fan modules in the chassis and is hot-swappable. Two CMUs can be installed in a chassis and work in active/standby mode.
  • 214.
    CloudEngine S12700E: Fan Modules
    Chassis shown: S12700E-4, S12700E-8, S12700E-12
    • Airflow: Left-to-back airflow design, improving the heat dissipation efficiency of the rack
    • Hot swapping: Installation or removal of a fan module does not affect other fan modules.
    • Intelligent fan speed adjustment: Associated speed adjustment for all fans based on the temperature of each partition
    Note: Each fan module has two fans. When one fan is faulty, the fan module can still work for a short period of time.
  • 215.
    CloudEngine S8700: Highest-Density Modular Access Switch in the Industry
    CloudEngine S8700-6/10
    High-density access
    • Exclusive 384 x 10GE ports, 2x the industry average
    • Uplink ports provided by the MPU, enabling flexible service deployment (1*100GE/2*40GE/4*25G/8*10G Combo)
    Carrier-class reliability
    • Microsecond-level active/standby MPU switchover, one-tenth the industry average
    • Redundancy design for key components, ensuring 99.999% reliability
    Super power supply
    • 90 W power supply by a single port
    • A maximum of 2880 W (4800 W) by a card
    Benchmarking Model: HW: S8700; Vendor C: C9400
  • 216.
    CloudEngine S8700 Structure
    • MPU (2)
    • Interface card (4 or 8)
    • Power module (6)
    • Centralized forwarding architecture
    • Height: 8 U/13 U
    • Service port stacking
  • 217.
    CloudEngine S8700-10 Structure
    • Fan module (2)
    • Air exhaust vent
    • Air exhaust status indicator
  • 218.
    CloudEngine S8700 Card Information Summary (1/2)
    Chassis shown: CloudEngine S8700-6, CloudEngine S8700-10
    Card Type | Capability
    Main control board: SRU | Integrated control and switching, centralized architecture, and lower switching latency; 1:1 active/standby, with < 10 ms switchover latency; provides 10GE/25GE/40GE/100GE combo ports that can be used for uplink transmission, saving slots and ensuring low oversubscription ratio and low costs
    10GE optical card | 24 x 10GE optical; 48 x 10GE optical; MACsec
    Multi-GE card (10GE capable) | 48-port multi-GE card, supporting 100M/1GE/2.5GE/5GE/10GE; 90 W, PoE++; MACsec
    GE/10GE mixed-rate card | 12 x 10GE optical + 16 x GE optical + 24 x GE electrical, applicable to various connection scenarios; MACsec
    GE card | 48 x GE optical; 48 x GE electrical; MACsec
  • 219.
    CloudEngine S8700 Card Information Summary (2/2)
    Card Type | Series | Port Information
    S8700-6 main control board | LSG7SRUEX1C0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE
    S8700-6 main control board | LSG7SRUEX1T0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE, HPM
    S8700-10 main control board | LSG7SRUFX1C0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE
    S8700-10 main control board | LSG7SRUFX1T0 | 1 x 100GE/2 x 40GE + 4 x 25GE/8 x 10GE, HPM
    Interface card | LSG7X48PX1E0 | 48-port 10GE hybrid optical-electrical card, 90 W PoE++
    Interface card | LSG7X24SX1E0, LSG7X48SX1E0 | 24/48 x 10GE optical
    Interface card | LSG7M48VX1E0 | 48-port multi-rate 10GE card, 90 W PoE++
    Interface card | LSG7X52BX1E0 | 16 x GE optical + 12 x 10GE optical + 24 x GE electrical
    Interface card | LSG7X24BX1E0 | 20 x GE optical + 4 x 10GE optical
    Interface card | LSG7G48SX1E0 | 48 x GE optical
    Interface card | LSG7G24TX1E0, LSG7G48TX1E0, LSG7G48VX1E0 | 24/48 x GE electrical, PoE++
  • 220.
    CloudEngine S8700-6 Main Control Board: SRU
    LSG7SRUEX1C0/LSG7SRUEX1T0
    Panel labels: USB port, Ethernet management port, console port, CPU, NP, 100GE/40GE, 4 x 25GE/10GE, 4 x 10GE, 40GE
    • USB-based deployment
    • Debugging through the console port
    • Ethernet port configuration
    • 8-core ARM
    • 8 GB memory
    • 8 GB flash memory
    • 8 GB storage
    • Hardware-based OAM
    • Hot swapping
    • 1+1 hot backup
    • HTM*
    • Service port
    * The LSG7SRUEX1T0 card supports HTM.
  • 221.
    CloudEngine S8700-10 Main Control Board: SRU
    LSG7SRUFX1C0/LSG7SRUFX1T0
    Panel labels: USB port, Ethernet management port, console port, CPU, NP, 40GE, NP, 4 x 10GE, 100GE/40GE, 4 x 25GE/10GE
    • USB-based deployment
    • Debugging through the console port
    • Ethernet port configuration
    • 8-core ARM
    • 8 GB memory
    • 8 GB flash memory
    • 8 GB storage
    • Hardware-based OAM
    • Hot swapping
    • 1+1 hot backup
    • HTM*
    • Service port
    * The LSG7SRUFX1T0 card supports HTM.
  • 222.
    CloudEngine S8700: Power Modules
    Modules shown: 2200 W DC power module (PDC2K2S54-DF); 2500 W/3000 W AC & DC power module (PAC3KS54-DF); power slots 1 to 6
    Modular and pooling power supply design
    • Adopts the modular design, providing a maximum output power of 18,000 W. Occupies only one layer of space.
    • Supports six power modules and adopts the pooling design. N+N backup, N+1 backup, and N+0 non-backup are supported, ensuring that one faulty power module does not affect the overall system running.
    Small and energy-efficient power supply
    • Adopts the innovative TCM-based rectification technology, providing a conversion efficiency of 95%.
    • Adopts the low-loss magnetic transformer, providing 3x operating efficiency with a 65% smaller size.
    • Adopts the integrated magnetic core technology, reducing the wind resistance by 30% and improving the heat dissipation efficiency by 40%.
  • 223.
    CloudEngine S8700: Fan Modules
    Figure labels: FAN-240SM-B, FAN-480SM-B; matches the S8700-6, matches the S8700-10; 4 fans, 2 fans
    All-new Psi (ψ)-type fans, efficient and energy-saving
    • Adopts the innovative mixed-flow single-rotor fan technology, high-performance airfoil algorithm, high-performance brushless DC motor, and high-strength alloy plastic material.
    • Has a 10%+ lower fan speed, 30%+ lower power consumption, and 15%+ lower noise than the industry average in the same service scenario.
    Intelligent fans, ensuring high reliability
    • Provides the intelligent noise reduction mode: The fans run at 40% of the full speed when they are powered on. If the communication is not set up after 5 minutes, the fans run at 70% of the full speed. If the communication is still not set up after another 5 minutes, the fans run at full speed to ensure heat dissipation.
    • During normal running, the fan speed is intelligently adjusted based on the rack temperature.
    • If one fan in the module is faulty, the other fans intelligently adjust their speeds to ensure heat dissipation.
    • If a single fan module is faulty, the fault can be rectified within 10 minutes, which is one-third of the industry average.
    Modular fan design, easy to install
    • Tool-free installing and uninstalling, plug-and-play.
  • 224.
    CloudEngine S7700: Intelligent Routing Switch
    CloudEngine S7703/06/12
    • Industry-leading native WAC feature, managing up to 4K APs
    • High port density, rich forms, strong power supply, and powerful scenario adaptability
    • Redundancy design for key components, ensuring 99.999% reliability
    • Supports up to 288 PoE++ ports
    • Distributed forwarding architecture, unleashing the uplink forwarding speed
    Benchmarking Model: HW: S7700; Vendor C: C9400
  • 225.
    CloudEngine S7700: MCU
    Cards shown: MCUD, SRUHX1; S7706/S7706 PoE/S7712 MCU, S7703/S7703 PoE MCU
    • Integrates control and monitoring functions, excluding SFUs (full-mesh).
    • Manages up to 1024 APs (using the native WAC).
    • 2 GB memory, 2 GB NAND flash memory, and 64 MB NOR flash memory.
    Note: When the S7712 uses SRUHX1, slots 6 and 7 are prime slots that provide higher bandwidth.
    • Integrates hardware-based OAM/BFD, implementing millisecond-level network quality detection.
    • CSS based on service ports, ensuring stable running of devices.
    • Cannot be used for capacity expansion or replacement of old MCUs on the live network.
    • 4 GB memory, 2 GB NAND flash memory, and 64 MB NOR flash memory.
    • Supports only ES1M2G48TX5E, ES1M2G48TX5S, LSS7G48VX5E0, X6E series, and X6S series interface cards.
  • 226.
    CloudEngine S7700 Interface Cards
    X Series | 100GE | 40GE | 10GE Optical Port | GE Optical Port | GE Electrical Port | GE Electrical Port (PoE++) | Native WAC | VXLAN | Free Mobility | MACsec
    X6E/X6S | 6* | - | - | - | - | - | √ | √ | √ | √
    X6E | 2* | 4 | - | - | - | - | √ | √ | √ | √
    X6E/X6S | - | - | 48 | - | - | - | √ | √ | √ | -
    X6E/X6S | - | - | 24 | 24 | - | - | √ | √ | √ | -
    X6E/X6S | - | - | - | 48 | - | - | √ | √ | √ | -
    X5E/X5S | - | - | - | - | 48 | - | √ | √ | √ | -
    X5E | - | - | - | - | - | 48 | √ | √ | √ | -
    * Compatible with 40GE
  • 227.
    CloudEngine S7700: Power Modules
    The following table lists the recommended redundancy modes.
    Table labels: S7703, S7703 PoE, S7706, S7706 PoE, S7712 (Non-PoE Slots), S7712 (PoE Slots); 800 W AC, 1600 W DC, 2200 W DC, 3000 W AC
    2200 W DC
    • Operating voltage: –40 V to –72 V
    • Output power: 2200 W
    1600 W DC
    • Operating voltage: –38.4 V to –72 V
    • Output power: 1600 W
    800 W AC
    • Operating voltage: 90 V to 290 V
    • Output power: 400 W @ 110 V; 800 W @ 220 V
    Note: These power modules cannot work at the same time.
    3000 W AC
    • Operating voltage: AC: 90 V AC to 290 V AC; DC: 190 V DC to 290 V DC
    • Output power: 3000 W @ 220 V AC/240 V DC; 1500 W @ 110 V AC
  • 228.
    S7700 PoE Power Supply Capability
    Item | S7703 PoE | S7706 PoE | S7712 (PoE Slots)
    Power Module Architecture | 3 modules (shared) | 8 modules (shared) | 4 modules
    Maximum PoE Output Power (Entire Device) | 8640 W | 17,280 W | 8800 W
    Maximum PoE Output Power (Per Card Slot) | 2880 W | 2880 W | 1440 W
    Number of PoE Ports (Per Card Slot) | 48 | 48 | 48
    Number of PoE Ports | 144 | 288 | 586
    Number of PoE+ Ports (Per Card Slot) | 48 | 48 | 48
    Number of PoE+ Ports | 144 | 288 | 292
    Number of PoE++ Ports (Per Card Slot) | 48 | 48 | 24
    Number of PoE++ Ports | 144 | 288 | 146
  • 229.
    CloudEngine S7700: Power Modules
    Power slots
    • S7703 (PS1, PS2, PS3): PS3 is the PoE power slot.
    • S7703 PoE: All slots are PoE power slots.
    • S7706/7712 (PS1–PS4, PS5–PS8): PS5–PS8 are PoE power slots.
    • S7706 PoE: All slots are PoE power slots.
    3000 W AC power module (PAC3KS54-CE)
    • Input voltage: AC: 90 V AC to 290 V AC; DC: 190 V DC to 290 V DC
    • Maximum output power: 3000 W @ 220 V AC/240 V DC; 1500 W @ 110 V AC
    2200 W DC power module (W2PSD2200)
    • Input voltage: –40 V DC to –72 V DC
    • Maximum output power: 2200 W
    Notes
    • The power module uses a screwless ejector latch for easy replacement, and the indicator shows whether the power module is securely installed in the slot.
    • AC and DC power modules can be used together.
    CMU
    The CMU manages the power modules and fan modules in the chassis and is hot-swappable. Two CMUs can be installed in a chassis and work in active/standby mode.
  • 230.
    CloudEngine S6730 Series Switch
    Models shown: CloudEngine S6730-H 25GE, CloudEngine S6730-H 10GE
    Product positioning:
    • Aggregation switch on large and midsize enterprise campus networks: supports 10GE/25GE access and 40GE/100GE uplink transmission, effectively reducing the network oversubscription ratio.
    • Core switch on small and midsize enterprise campus networks: helps enterprises build simplified two-layer networks (access + core). The access network is connected to the core network at a rate of 25 Gbit/s.
    Typical networking:
    • Fully-wireless campus: Wi-Fi 6 AP + S5736-S multi-GE + S6730-H
    • RTU scenario: S5736-S multi-GE (RTU) + S6730-H (RTU) + S12700E (RTU)
    * Right to Use (RTU): The downlink port rate can be upgraded through the license.
  • 231.
    CloudEngine S6730 Overview
    Model | Description
    S6730-H 25GE switch | S6730-H28Y4C: 28 x 25GE SFP28, 4 x 100GE QSFP28
    S6730-H 10GE switch | S6730-H24X6C / S6730-H48X6C: 24/48 x 10GE SFP+, 6 x 40GE/100GE QSFP28
    S6730-H 10GE switch | S6730-H24X4Y4C: 24 x 10GE SFP+, 4 x 25GE SFP28, 4 x 100GE QSFP28
    Benchmarking Model: HW: S6730-H 25GE/10GE switch; Vendor C: C9500
  • 232.
    Main Features of CloudEngine S6730 Series Switches
    Models compared: CloudEngine S6730-H 10GE (S6730-H24X6C, S6730-H48X6C, S6730-H24X4Y4C) and CloudEngine S6730-H 25GE (S6730-H28Y4C)
    Functions compared:
    • Hardware architecture: 220 mm depth, programmability
    • Hardware reliability: stacking, fan redundancy, power module redundancy
    • O&M: NETCONF/YANG, telemetry, NetStream, PTP: 1588v2
    • Security: MACsec
    • Native WAC: native WAC
    • User management: NAC, free mobility
    • Virtualization: VXLAN
    • VPN: MPLS
  • 233.
    CloudEngine S6730-H28Y4C: All-Optical 25GE Switch
    28 x 25GE SFP28, 4 x 100GE QSFP28
    Panel labels: 28 x 25GE, 4 x 100GE, console, MEth, USB 2.0 port; three built-in fans; left-to-right airflow design; dual pluggable power slots, supporting 1+1 backup
    • Service port stacking
    • Maximum stack bandwidth: 1.2 Tbit/s
    • The programmable network processor supports four resource modes, which can be switched through configuration.
    • Maximum number of MAC addresses: 384K
    • 220 mm depth, flexible deployment, saving 50% of the equipment room area
    • Native WAC, managing up to 1K APs
    • Automated deployment of VXLAN-based virtual networks, achieving "one network for multiple purposes"
    • Telemetry-based data collection within seconds and visualized intelligent O&M
  • 234.
    CloudEngine S6730-H: 10GE Routing Switch
    24/48 x 10GE SFP+, 6 x 40GE/100GE QSFP28
    Hardware: CPU: 4 cores, 1.4 GHz; RAM: 4 GB; Flash: 2 GB
    Panel labels: four pluggable fan slots; two pluggable power slots (1+1 backup); USB 2.0 port; console; MEth; 6 x 40GE/100GE; SSD card slot*
    * Reserved SSD card slot
    • Native WAC, managing up to 1K APs
    • Maximum number of MAC address entries: 384K
    • Automated deployment of VXLAN-based virtual networks, achieving "one network for multiple purposes"
    • IEEE 1588v2 supported, ensuring precise time synchronization
  • 235.
    CloudEngine S6730-H24X4Y4C: All-Optical 10GE Switch
    Panel labels: 24 x 10GE, 4 x 25GE, 4 x 100GE, console, MEth, USB 2.0 port; two pluggable power slots, 1+1 backup supported; three built-in fans; left-to-right airflow design
    • The programmable network processor supports four resource modes, which can be switched through configuration.
    • Maximum number of MAC address entries supported by the device: 384K
    • Service port stacking, maximum stack bandwidth: 1 Tbit/s
    • Native WAC, managing up to 1K APs
    • MACsec supported, implementing hop-by-hop secure data transmission
    • Automated deployment of VXLAN-based virtual networks, achieving "one network for multiple purposes"
    • Telemetry-based data collection within seconds and visualized intelligent O&M
    Note: MACsec is supported (downlink ports 0–7 and uplink ports 2–3).
  • 236.
    CloudEngine S5730 Overview
    Model | Type | Description
    S5732-H | Multi-GE access switch | 24/48 x multi-GE, 4 x 25GE SFP28 + 2 x 40GE QSFP+/2 x 100GE QSFP28, and one expansion slot
    S5736-S | Multi-GE/All-optical switch | 24 x multi-GE (10 Gbit/s capable)/48 x GE SFP/48 x 10GE SFP+, 4 x 10GE SFP+, and one expansion slot
    S5732-H | Hybrid optical-electrical switch | 24 x multi-GE/24 x 10GE SFP+ combo, 4 x 25GE SFP28 + 2 x 40GE QSFP+/2 x 100GE QSFP28, and one expansion slot
    S5732-H | Enhanced all-optical switch | 24/48 x GE SFP, 4 x 25GE SFP28 + 2 x 40GE QSFP+/2 x 100GE QSFP28, and one expansion slot
    S5731-H | Agile GE switch | 24/48 x GE electrical, 4 x 10GE SFP+, and one expansion slot
    S5731-H | Agile hybrid optical-electrical switch | 20/44 x GE optical-electrical SFP, 4 x 10GE optical-electrical SFP+, 4 x 10GE SFP+, and one expansion slot
    S5731-S | Standard GE switch | 24/48 x GE electrical/24 x GE SFP + 8 x GE electrical/48 x GE SFP, 4 x 10GE SFP+
    S5735-L | Simplified GE switch | 8/12/24/48 x GE electrical, 4 x GE SFP/4 x 10GE SFP+; 24 x GE SFP + 8 x GE electrical, 4 x 10GE SFP+
    S5735-S-IA | Next-generation video backhaul switch | 4 x GE/8 x GE (PoE) + 2 x 10GE SFP+
  • 237.
    Main Features of CloudEngine S5730 Series Switches
    Features compared: native WAC, MPLS, VXLAN, free mobility, NetStream, BGP, IS-IS, BFD, stacking, cloud management, MACsec
    Models compared: S5732-H, S5731-H, S5731-S, S5736-S, S5735-L
    Benchmarking Model
    HW | Vendor C
    S5732-H | C9300
    S5731-H/S | C9300
    S5736-S | C9300
    S5735-L | C9200
  • 238.
    CloudEngine S5732-H: Multi-GE Access Switch
    24/48 x multi-GE, 4 x 25GE SFP28 + 2 x 40GE QSFP+ or 2 x 100GE QSFP28
    Hardware: 1.4 GHz 4-core CPU; Memory: 4 GB; Flash: 2 GB
    Panel labels: 2 x 100GE QSFP28; 4 x 25GE + 2 x 40GE; one expansion slot, supporting 2 x 25GE or 8 x 10GE optical and 8 x 25GE optical cards; two pluggable fan slots; two pluggable power slots (1+1 redundancy); USB 2.0 port
    • Native WAC, managing up to 1K APs
    • Maximum number of MAC addresses: 128K
    • Stack bandwidth: 800 Gbit/s
    • PoE++, supporting a maximum of 48 x 10GE access
  • 239.
    CloudEngine S5732-H: Enhanced All-Optical Switch
    20/44 x GE SFP, 4 x 10GE SFP+, 6 x 40GE QSFP+
    Hardware: 1.4 GHz 4-core CPU; Memory: 4 GB; Flash: 2 GB
    Panel labels: 6 x 40GE QSFP+; four pluggable fan modules; two pluggable power modules (1+1 redundancy), supporting 600 W AC or 1000 W DC power modules; console port; Ethernet management port; USB 2.0 port; SSD card slot*
    * Reserved SSD card slot
    • Maximum number of MAC addresses: 128K
    • Stack bandwidth: 480 Gbit/s
    • Native WAC, managing up to 1K APs
    • Supports GE or 10GE all-optical ports.
  • 240.
    CloudEngine S5731-H: Agile GE Switch
    24/48 x GE electrical, 4 x 10GE SFP+, and one expansion slot
    Hardware: 1.4 GHz 4-core CPU; Memory: 4 GB; Flash: 1 GB; programmability
    Panel labels: 4 x 10GE; console port; Ethernet management port; one expansion slot, supporting 2 x 40GE optical, 2 x 25GE or 8 x 10GE optical, and 8 x 10GE electrical cards; two pluggable fan slots; two pluggable power slots (1+1 redundancy); USB 2.0 port
    • Maximum number of MAC addresses: 288K
    • Stack bandwidth: 240 Gbit/s
    • Native WAC, managing up to 1K APs
    • 512 MB buffer
  • 241.
    CloudEngine S5731-H: Hybrid Optical-Electrical Switch
    20/44 x GE optical-electrical SFP, 4 x 10GE optical-electrical SFP+, 4 x 10GE SFP+, and one expansion slot
    Hardware: 1.4 GHz 4-core CPU; Memory: 4 GB; Flash: 1 GB; programmability
    Panel labels: 4 x 10GE SFP+; console port; Ethernet management port; one expansion slot, supporting 2 x 40GE optical, 2 x 25GE or 8 x 10GE optical, and 8 x 10GE electrical cards; two pluggable fan slots; two pluggable power slots (1+1 redundancy); USB 2.0 port
    • Maximum number of MAC addresses: 288K
    • Stack bandwidth: 240 Gbit/s
    • Native WAC, managing up to 1K APs
    • 512 MB buffer
    • Supports second-generation hybrid cable: 220 m @ 90 W power supply, 300 m @ 60 W PoE++ power supply, and 650 m @ 30 W PoE+ power supply.
  • 242.
    Hybrid Cables, Providing High-Speed Data Transmission as Well as Long-Distance Power Supply
    Constraint: The remote device must support optical-electrical integration.
    Cable Specification | Cable Diameter | PoE Power Supply Distance (15.4 W) | PoE+ Power Supply Distance (30 W) | PoE++ Power Supply Distance (60 W) | PoE++ Power Supply Distance (90 W)
    Hybrid cable-1.5 mm2 | 9.0 mm | 1900 | 650 | 330 | 220
    Hybrid cable-17AWG | 6.2 mm | 1280 | 500 | 250 | 195
    Hybrid cable-21AWG | 5.7 mm | 500 | 200 | 97 |
    Note: Cat5E @ 6.1 mm, Cat6 @ 7.3 mm, Cat6A @ 7.4 mm
    Figure labels: hybrid cable, hybrid module, electrical signal, optical signal, cable diameter; upgraded 10GE 25GE plug-and-play.
  • 243.
    CloudEngine S5731-S: Standard GE Access Switch
    Downlink: 24/48 x GE electrical; 24 x GE SFP + 8 x GE electrical; 48 x GE SFP. Uplink: 4 x 10GE SFP+
    Hardware: 1.4 GHz 4-core CPU; Memory: 4 GB; Flash: 1 GB; programmability
    Panel labels: 4 x 10GE SFP+; console port; Ethernet management port; two pluggable fan slots; two pluggable power slots (1+1 redundancy); USB 2.0 port
    • Pluggable power modules and fan modules in 1+1 redundancy mode*
    • Stack bandwidth: 80 Gbit/s
    • Maximum number of MAC addresses: 32K
    • Plug-and-play
    Note: The S5731-S32ST4X, S5731-S32ST4X-A/D, S5731-S48S4X, and S5731-S48S4X-A have built-in fans. The S5731-S32ST4X-A/D and S5731-S48S4X-A have built-in power modules.
  • 244.
    CloudEngine S5735-L: Simplified GE Access Switch
    12/24/32/48 x GE optical or electrical ports and 4 x GE/10GE optical ports
    Hardware: 1.0 GHz 4-core CPU; Memory: 1 GB; Flash: 512 MB; built-in ASIC
    Panel labels: built-in AC power module; 4 x GE SFP or 4 x 10GE SFP+; USB 2.0 port*; console port; Ethernet management port
    Note: USB ports are available only on models with 4 x 10GE uplink ports.
    • Supports perpetual/fast PoE to provide high-quality power supply.
    • Supports intelligent port dormancy and intelligent fan speed adjustment, reducing power consumption.
    • Supports noise-free and wide-temperature models.
    • Stack bandwidth: 80 Gbit/s
    • Maximum number of MAC addresses: 16K
  • 245.
    CloudEngine S5736-S: Standard Multi-GE Access Switch
    24 x multi-GE electrical (10 Gbit/s capable) and 4 x 10GE SFP+
    Hardware: 1.2 GHz 4-core CPU; Memory: 2 GB; Flash: 1 GB; built-in ASIC
    Panel labels: two pluggable power slots (1+1 redundancy); 4 x 10GE SFP+; USB 2.0 port; console port; Ethernet management port; two pluggable fan modules; one expansion slot
    • Stack bandwidth: 480 Gbit/s
    • Maximum number of MAC addresses: 32K
    • 90 W PoE++, meeting high power supply requirements
    • Redundancy design for power modules and fan modules
    • Port rate customization on software and on-demand rate upgrade using the RTU license
  • 246.
    CloudEngine S5736-S: Standard All-Optical Access Switch
    • 24/48 x GE SFP or 48 x GE SFP+ (supports RTU upgrade to 10GE), 4 x 10GE SFP+
    • 1.2 GHz 4-core CPU; Memory: 2 GB; Flash: 1 GB; built-in ASIC
    • Two pluggable power slots (1+1 redundancy); two pluggable fan modules*; one expansion slot*; 4 x 10GE SFP+; console port; Ethernet management port
    • Stack bandwidth: 480 Gbit/s
    • Maximum number of MAC addresses: 32K
    • Redundancy design for power modules and fan modules
    • All-optical ports. The 220 mm model supports RTU upgrade to 10GE.
    Note:
    1. The S5736-S48S4X-A/D does not support card expansion.
    2. The S5736-S48S4X-A/D has three built-in fans that are not pluggable.
    3. The S5736-S48S4X-A/D has a single built-in power module.
  • 247.
    CloudEngine S5731-L-RU Series RU
    • CloudEngine S5731-L-RUA wired RU: 4/8 x GE downlink and GE/2.5GE optical uplink (9 models)
    • All-scenario deployment: flexible installation (DIN rail, wall-mounted, wall-embedded, and desktop)
    • Bidirectional high-efficiency PoE: long-distance optical-electrical PoE In and secondary PoE power supply. A single port supports a maximum of 60 W PoE++ power supply.
    • Energy efficiency: fanless design, natural heat dissipation, and noise-free; power consumption of a single device < 7 W
  • 248.
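    CloudEngine S5731-L-RU Hardware Specifications
    4-Port Models
    • S5731-L4P2HW-RUA / S5731S-L4P2HW-RUA. Downlink port: 4 x GE electrical ports. Uplink port: 2 x GE hybrid optical-electrical ports. Hybrid cable PoE power input: Supported. Cable PoE power input: N/A. PoE power output: A single port supports PoE++ at most. (Type 3). Maximum PoE power of the device: 77 W. Local power supply: External power adapter (90 W).
    • S5731-L4T2S-RUA / S5731S-L4T2S-RUA. Downlink port: 4 x GE electrical ports. Uplink port: 2 x GE optical ports. Hybrid cable PoE power input: Not supported. Cable PoE power input: N/A. PoE power output: Not supported. Maximum PoE power of the device: N/A. Local power supply: External power adapter (12 W).
    • S5731-L4P2S-RUA / S5731S-L4P2S-RUA. Downlink port: 4 x GE electrical ports. Uplink port: 2 x GE optical ports. Hybrid cable PoE power input: Not supported. Cable PoE power input: N/A. PoE power output: A single port supports PoE++ at most. (Type 3). Maximum PoE power of the device: 77 W. Local power supply: External power adapter (90 W).
    • S5731-L4T2ST-RUA / S5731S-L4T2ST-RUA. Downlink port: 4 x GE electrical ports. Uplink port: 1 x GE optical port + 1 x GE electrical port. Hybrid cable PoE power input: Not supported. Cable PoE power input: Not supported. PoE power output: Not supported. Maximum PoE power of the device: N/A. Local power supply: External power adapter (12 W).
    • S5731-L4P2ST-RUA / S5731S-L4P2ST-RUA. Downlink port: 4 x GE electrical ports. Uplink port: 1 x GE optical port + 1 x GE electrical port. Hybrid cable PoE power input: Not supported. Cable PoE power input: Not supported. PoE power output: A single port supports PoE++ at most. (Type 3). Maximum PoE power of the device: 77 W. Local power supply: External power adapter (90 W).
    • S5731-L4P2HT-RUA / S5731S-L4P2HT-RUA. Downlink port: 4 x GE electrical ports. Uplink port: 1 x GE hybrid optical-electrical port + 1 x GE electrical port. Hybrid cable PoE power input: Supported. Cable PoE power input: Supported. PoE power output: A single port supports PoE++ at most. (Type 3). Maximum PoE power of the device: 77 W. Local power supply: /
    8-Port Models
    • S5731-L8T2ST-RUA / S5731S-L8T2ST-RUA. Downlink port: 8 x GE electrical ports. Uplink port: 1 x GE optical port + 1 x GE electrical port. Hybrid cable PoE power input: Not supported. Cable PoE power input: Not supported. PoE power output: Not supported. Maximum PoE power of the device: N/A. Local power supply: External power adapter (12 W).
    • S5731-L8P2ST-RUA / S5731S-L8P2ST-RUA. Downlink port: 8 x GE electrical ports. Uplink port: 1 x GE optical port + 1 x GE electrical port. Hybrid cable PoE power input: Not supported. Cable PoE power input: Not supported. PoE power output: A single port supports PoE+ at most. Maximum PoE power of the device: 131 W. Local power supply: External power adapter (150 W).
    • S5731-L8P2HT-RUA / S5731S-L8P2HT-RUA. Downlink port: 8 x GE electrical ports. Uplink port: 1 x GE hybrid optical-electrical port + 1 x GE electrical port. Hybrid cable PoE power input: Supported. Cable PoE power input: Supported. PoE power output: A single port supports PoE+ at most. Maximum PoE power of the device: 131 W. Local power supply: /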
  • 249.
    Expansion Cards for CloudEngine S5730 Series Switches (1/2)
    Expansion cards:
    • 2 x 40GE QSFP+ card
    • 8 x 10GE electrical card
    • 8 x 10GE SFP+ or 2 x 25GE SFP28 card
    • 8 x 25GE SFP28 card
    Note: By default, the ports 0 and 1 on the 8 x 10GE SFP+ card can be configured as a 25GE SFP28 port.
  • 250.
    Expansion Cards for CloudEngine S5730 Series Switches (2/2)
    Model | 2 x 40GE QSFP+ | 8 x 10GE Base-T | 8 x 10GE SFP+ Card* | 8 x 25GE SFP28 Card**
    S5732-H Multi-GE model | - | - | √ | √
    S5732-H Hybrid optical-electrical model | - | - | √ | √
    S5731-H | √ | √ | √ | -
    S5736-S Multi-GE model | √ | - | √ | -
    * Note: The 8 x 10GE card can support 2 x 25GE SFP28 (ports 0 and 1) through mode switching, and all ports support MACsec.
    ** Note: The 8 x 25GE card supports 10GE/25GE auto-sensing and its ports can be switched to GE ports through the CLI. All ports support MACsec.
  • 251.
    CloudEngine S6730/S5730 Series Switch Power Modules (1/2)
    Figure labels: PoE power module; AC/DC power module; power slot 1; power slot 2
    Parameter | 60 W AC | 150 W AC | 600 W AC | 180 W DC | 1000 W DC | 1000 W AC
    Input Voltage (AC) | 90 V AC to 264 V AC | 100 V AC to 240 V AC | 90 V AC to 290 V AC | N/A | N/A | 100 V AC to 130 V AC, 200 V AC to 240 V AC
    AC Frequency | 47 Hz to 63 Hz | 47 Hz to 63 Hz | 45 Hz to 65 Hz | N/A | N/A | 45 Hz to 65 Hz
    Maximum Input Voltage (DC) | 190 V DC to 290 V DC | N/A | 190 V DC to 290 V DC | N/A | N/A | 190 V DC to 290 V DC
    Input Voltage (DC) | N/A | N/A | N/A | –38.4 V DC to –72 V DC | –38.4 V DC to –72 V DC | N/A
  • 252.
    CloudEngine S6730/S5730 Series Switch Power Modules (2/2)
    Switch series (column groups): S6730-H, S5735-L, S5735-S-IA, S5736-S, S5731-S, S5731-H, S5732-H
    Power Module Type | All Models | 48-Port PoE | SmartX | Multi-GE | All-Optical | PoE | Non-PoE | PoE | Non-PoE | All-Optical | Multi-GE
    60 W AC | - | - | √ | - | - | - | - | - | - | - | -
    150 W AC | - | - | - | - | √ | - | √ | - | √ | - | -
    600 W AC | √ | - | - | - | √ | - | √ | - | √ | √ | -
    1000 W AC | - | √ | - | √ | - | √ | - | √ | - | - | √
    180 W DC | - | - | √ | - | √ | - | √ | - | √ | - | -
    1000 W DC | √ | - | - | √ | √ | - | √ | √ | √ | √ | -
    Note: This table is for reference only. For details about the mapping between product models and power modules, see the latest brochure on the official website or log in to the SCT configurator.
  • 253.
    CloudEngine S6730 Series Switch Fan Modules
    Pluggable fan module FAN-031A-B (fan module slots 1 to 4):
    • Maximum power consumption: 21.6 W
    • Rated fan speed: 24500±10%
    • Hot-swappable, easy to maintain
    • Intelligent speed adjustment, saving energy
    • Can be used on CloudEngine S6730 series switches
  • 254.
    CloudEngine S5730 Series Switch Fan Modules
    Pluggable fan module (fan module slot 1, fan module slot 2)
    Model | FAN-031A-B | FAN-023A-B (Air Out) | FAN-031A-F (Air In) | Remarks
    S5732-H | Supported | -- | -- |
    S5731-H | -- | Supported | Supported |
    S5731-H48T4XC-B | -- | -- | Supported | To ensure heat dissipation, do not install expansion cards to the S5731-H48T4XC with the FAN-031A-F installed.
    S5731-S | -- | Supported | -- |
    S5736-S | -- | Supported | -- |
  • 255.
    Quiz
    1. Which two innovative technologies are used in the low-carbon intelligence solution of CloudCampus 3.0?
    2. Can Huawei RUs receive power through hybrid cables?
    3. What ports are provided by the main control board of the CloudEngine S8700?
    4. Which Huawei fixed switch models support expansion slots?
  • 256.
    More Information
    ⚫ Product overview: https://e.huawei.com/en/products/enterprise-networking/switches
    ⚫ Detailed introduction materials: https://e.huawei.com/en/material/MaterialList
    ⚫ Campus network solution: https://e.huawei.com/en/solutions/business-needs/enterprise-network/campus-network
    ⚫ Product document: https://support.huawei.com/enterprise/en/category/switches-pid-1482605678974?submodel=doc
  • 257.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
    Bring digital to every person, home, and organization for a fully connected, intelligent world. Thank you.
  • 258.
    Huawei Campus WLAN Products and Solutions Presales Training
  • 259.
    Foreword
    ⚫ Wired LANs use cables or optical fibers as transmission media, which are expensive and do not support user mobility. As further emphasis was placed on network mobility, wired LANs became unable to meet users' requirements.
    ⚫ This led to the development of the wireless local area network (WLAN), which has become the most cost-effective and convenient network access mode.
    ⚫ This training introduces the WLAN, the development history and challenges of enterprise WLANs in different phases, and Huawei AirEngine Wi-Fi 6 products, solutions, and highlights.
  • 260.
    Objectives
    ⚫ On completion of this course, you will be able to:
     Understand the WLAN and its relationship with Wi-Fi.
     Have a good command of WLAN architectures and various networking modes.
     Understand the features of Huawei WLAN products and solutions.
     Be familiar with the models and highlights of Huawei WLAN products.
     Be familiar with the differences between Huawei WLAN product models and flexibly select specific models based on project requirements.
  • 261.
    Contents
    1. Introduction to WLAN Networking
    2. Development and Value of the Wi-Fi 6 (802.11ax) Standard
    3. Huawei Wi-Fi 6 Cutting-Edge Technologies and Continuous Networking Solutions
    4. Huawei Wi-Fi 6 Product Overview
  • 262.
    Overview and Objectives
    ⚫ This chapter describes the definition of WLAN and its relationship with Wi-Fi. After learning this chapter, you will be able to:
     Understand the WLAN and its relationship with Wi-Fi.
     Have a good command of WLAN networking modes and their application scenarios.
  • 263.
    Overview of Data Communication Industrial Campuses
    Figure labels: Internet/MPLS; SD-WAN; public cloud, private cloud, or hybrid cloud; cloud-based services; simple-service campus; large multi-service campus; small or midsize campus or branch campus; WLAN
    Campus type classification
    • Office • R&D • IoT
    • Simple-service campus: midsize or large scale, simple services, and similar site models
    • Large multi-service campus: large scale, complex services, coexistence of multiple services, and logical isolation requirements
    • Small and midsize campus or branch campus: small scale, simple services, and mutual access between sites
    Technical field
    • WLAN: involves components including wireless access controller (WAC), wireless access point (AP), etc.
    • LAN: operates at different hierarchical structures depending on network scales and mainly involves switches at the core, layer, and access layers.
    • Software-defined Wide Area Network (SD-WAN): defines WANs based on hybrid WAN scenarios and implements intelligent enterprise WAN interconnection.
  • 264.
    What Is WLAN?
    • A WLAN is constructed using wireless technologies.
    ▫ Wireless technologies mentioned here include not only Wi-Fi, but also infrared, Bluetooth, and ZigBee.
    ▫ WLAN technology allows users to easily access a wireless network and move around within the coverage area of the wireless network.
    • Wireless networks can be classified into wireless personal area network (WPAN), WLAN, wireless metropolitan area network (WMAN), and wireless wide area network (WWAN) by application scope.
    • WPAN: Bluetooth; ZigBee; Near Field Communication (NFC); HomeRF; Ultra-wideband (UWB)
    • WLAN: Wi-Fi. WPAN-related technologies are also used in WLANs, mainly for IoT applications.
    • WMAN: Worldwide Interoperability for Microwave Access (WiMAX)
    • WWAN: Global System for Mobile Communications (GSM); Code Division Multiple Access (CDMA); Wideband Code Division Multiple Access (WCDMA); Time Division-Synchronous Code Division Multiple Access (TD-SCDMA); Long Term Evolution (LTE); 5th Generation (5G)
  • 265.
    WLAN and Wi-Fi
    ⚫ WLAN:
     WLAN is an extension of wired networks. It is a combination of computer networks and Wi-Fi technology.
    ⚫ Wi-Fi:
     Wi-Fi is a WLAN technology implemented based on IEEE 802.11 standards.
     In daily life, Wi-Fi is often used as a synonym of 802.11.
     Wi-Fi is also a trademark of Wi-Fi Alliance manufacturers as well as a brand certification of Wi-Fi products.
     When created in 1999, the Wi-Fi Alliance was called the Wireless Ethernet Compatibility Alliance (WECA). In October 2002, the WECA was renamed Wi-Fi Alliance.
  • 266.
    IEEE 802.11 Standards and Wi-Fi Generations
    Latest Wi-Fi evolution standards
    Generation labels: Wi-Fi 7, Wi-Fi 6E, Wi-Fi 6, Wi-Fi 5, Wi-Fi 4, Wi-Fi 3, Wi-Fi 2, Wi-Fi 1
    Standard | Released In | Frequency Band | Rate
    802.11 | 1997 | 2.4 GHz | 2 Mbps
    802.11b | 1999 | 2.4 GHz | 11 Mbps
    802.11a | 1999 | 5 GHz | 54 Mbps
    802.11g | 2003 | 2.4 GHz | 54 Mbps
    802.11n | 2009 | 2.4 GHz and 5 GHz | 2.4 GHz: 450 Mbps; 5 GHz: 600 Mbps
    802.11ac Wave 1 | 2013 | 5 GHz | 3.74 Gbps
    802.11ac Wave 2 | 2015 | 5 GHz | 6.9 Gbps
    802.11ax | 2021 | 2.4 GHz and 5 GHz | 2.4 GHz: 1.15 Gbps; 5 GHz: 9.6 Gbps
    802.11ax | 2022 | 6 GHz | 6 GHz: 9.6 Gbps
    802.11be | 2024 | 2.4 GHz, 5 GHz, and 6 GHz | 46 Gbps
  • 267.
    Main NEs on an Enterprise WLAN
    Figure labels: Fit AP; WAC; STA; PoE switch; RADIUS server; Portal server
    Main network elements (NEs) on a WLAN
    • WAC: manages AP configurations, authenticates and manages access stations (STAs), and controls broadband access and security.
    • AP: provides wireless signals to cover a specified area and allows STAs to access the network.
    • Power over Ethernet (PoE) switch: transmits data signals and provides DC power for IP-based terminals through Ethernet cables.
    • RADIUS server: generally runs on the central computer or workstation. The server maintains user authentication and network access information, and is responsible for receiving user connection requests, authenticating users, and returning required information (for example, authentication request accepted or denied) to clients.
    • Portal server: receives authentication requests from Portal clients. The server provides free Portal services and a web authentication GUI, and exchanges client authentication information with the access device.
  • 268.
    Common WLAN Networking Modes (1/2)
    Figure labels: Internet; Fat AP; Fit AP; WAC; Cloud AP; SDN controller
    Fat AP mode
    • Characteristics: A Fat AP works independently and requires separate configurations. It provides only simple functions and is cost-effective.
    • Applicability: homes, mini stores, etc.
    WAC + Fit AP architecture
    • Characteristics: The WAC manages and configures Fit APs in a unified manner. This architecture provides a variety of functions and has high requirements on network maintenance personnel's skills.
    • Applicability: midsize and large enterprises
    Cloud management mode
    • Characteristics: An SDN controller is deployed on the cloud or in the data center to manage and configure cloud APs in a unified manner through the Internet, providing abundant functions.
    • Applicability: multi-branch enterprises
  • 269.
    Common WLAN Networking Modes (2/2)
    Figure labels: Internet; Leader AP; Central AP; RU; Room 1, Room 2, Room 3, Room N; WAC
    Leader AP
    • Characteristics: A Fat AP can be configured as the leader AP to replace the WAC to manage a small number of APs, thereby implementing self-networking. This architecture is cost-effective and does not have high requirements on network maintenance personnel's skills.
    • Applicability: micro and small enterprises
    Agile distributed architecture
    • Characteristics: The agile distributed architecture divides an AP into a central AP and remote units (RUs). The central AP can manage multiple RUs, achieving good coverage with lower costs. RUs can be used in the Fat AP, WAC + Fit AP, and cloud management architectures. Without occupying license resources, RUs greatly reduce the capital expenditure (CAPEX).
    • Applicability: densely distributed rooms
  • 270.
    Contents
    1. Introduction to WLAN Networking
    2. Development and Value of the Wi-Fi 6 (802.11ax) Standard
    3. Huawei Wi-Fi 6 Cutting-Edge Technologies and Continuous Networking Solutions
    4. Huawei Wi-Fi 6 Product Overview
  • 271.
    Overview and Objectives
    ⚫ This chapter describes the development history and unique value of Wi-Fi 6. After learning this chapter, you will be able to:
     Understand the current industry development of Wi-Fi 6.
     Have a good command of key features in Wi-Fi 6.
  • 272.
    Standard Evolution and Mature Wi-Fi 6 Industry Chain
    Major vendors release Wi-Fi 6/6E enterprise APs or home routers.
    • Enterprise AP brands: Huawei, Cisco, Aruba, H3C, and Ruijie
    • Home router brands: Huawei, TP-Link, Honor, Linksys, ASUS, and NETGEAR
    Various Wi-Fi 6 terminals (Wi-Fi 6 icon displayed on the Android system)
    Brand | Terminal
    Huawei | Huawei P40, Mate 40 series, and Huawei P50 series
    iPhone | iPhone 11, iPhone 12, iPhone SE (new), and iPhone 13 (Wi-Fi 6E)
    Samsung | Galaxy S10 series, S20 series, S21 series, and S22 series
    Xiaomi | Xiaomi 11 and Xiaomi 12
    Intel | AX200, AX201, and AX210 (Wi-Fi 6E)
  • 273.
    A Core Contributor, Huawei Ranks No. 1 in the Number of Proposals in Wi-Fi 6 Standardization
    • Dr. Osama, Huawei's expert in wireless technology, serves as the chairman of the 802.11ax Working Group.
    • Huawei plays a leading role in the Wi-Fi technology standard field and ranks No. 1 in the number of valid standard proposals or patents, accounting for 18% of the total.
  • 274.
    Factors Related to the Wireless Rate (Throughput) of a Wi-Fi AP
    Shannon Theorem: C = n x B x log2(1 + S/N)
    • C: channel capacity (throughput)
    • n: number of spatial streams
    • B: frequency bandwidth
    • S/N: signal-to-noise ratio (SNR)
    Throughput depends on the number of spatial streams, frequency bandwidth, and SNR.
  • 275.
    How Wi-Fi 6 Increases Bandwidth
    Four factors affecting the Wi-Fi rate: number of spatial streams, number of subcarriers, symbol duration, and coding mode
    • Number of spatial streams: Wi-Fi 5 4T4R; Wi-Fi 6 8T8R (2-fold increase in the number of spatial streams)
    • Coding mode: Wi-Fi 5 256-QAM coding; Wi-Fi 6 1024-QAM coding (Rate of each spatial stream: 25%)
    • Number of subcarriers: Wi-Fi 5 234 subcarriers; Wi-Fi 6 980 subcarriers (HT80) (Rate of each spatial stream: 5%)
    • Symbol length: Wi-Fi 5 (802.11ac) transmission time: 3.2 μs per STA; Wi-Fi 6 (802.11ax) transmission time: 12.8 μs per STA (Rate of each spatial stream: 6%)
  • 276.
    How Wi-Fi 6 Increases the Concurrent Capacity
    Factors affecting the concurrent capacity: spatial stream and spectrum utilization
    • Wi-Fi 5 OFDM (Each user exclusively occupies channel resources.)
    • Wi-Fi 6 OFDMA (Multiple users share channel resources.)
    • Spectrum utilization: improved by more than 30x
    [Figure: frequency versus time within one frame across the system bandwidth, showing users 1 to 3 under OFDM and the resource units of users 1 to 3 under OFDMA]
  • 277.
    How Wi-Fi 6 Reduces Network Latency
    Factors affecting the Wi-Fi network latency: spectrum utilization and air interface quality
    OFDMA: reduces channel conflicts and improves spectrum utilization
    • Wi-Fi 5 OFDM (Like a single lane without traffic lights, multiple users contend for resources in a disordered manner.)
    • Wi-Fi 6 OFDMA (Like multiple lanes with traffic lights, resources are scheduled for multiple users in sequence.)
    • Spectrum utilization: improved by 30x+
    BSS coloring: reduces co-channel interference
    • Wi-Fi 5 Power adjustment based on clear channel assessment (CCA) (Different users on the same channel need to wait in a queue for channel resources.)
    • Wi-Fi 6 BSS coloring (Different users on the same channel have different colors and can transmit data at the same time.)
    • Figure labels: With interference; Without interference; Interference rate: 30%
  • 278.
    Core Technologies (Wi-Fi 6 vs. Wi-Fi 5)
    High bandwidth (1024-QAM, 8x8 MU-MIMO)
    • Rate of up to 9.6 Gbps
    • Bandwidth increased by 4 times
    High concurrency (UL/DL OFDMA, UL/DL MU-MIMO)
    • 1024 STAs per AP
    • Number of concurrent users increased by 4 times
    Low latency (OFDMA, spatial reuse)
    • Service latency reduced to 20 ms
    • Average latency reduced by 50%
    Low power consumption (TWT, 20 MHz-Only)
    • Target wakeup time (TWT) mechanism
    • Terminal power consumption reduced by 30%
  • 279.
    Example: Calculating the Air Interface Rate in Wi-Fi 6
    Conditions for calculating the link setup rate of the Wi-Fi air interface
    1. 802.11ax
    2. MIMO 8x8
    3. GI
    4. 1024-QAM
    5. 5/6 coding rate
    6. 160 MHz, 1960 valid subcarriers (5 GHz)
    7. 40 MHz, 468 valid subcarriers (2.4 GHz)
    Number of valid subcarriers
    Item | 802.11ac and Earlier | 802.11ax
    FFT | 64-order | 256-order
    Subcarrier bandwidth | 312.5 kHz | 78.125 kHz
    Valid subcarriers, 20 MHz | 52 | 234
    Valid subcarriers, 40 MHz | 108 | 468
    Valid subcarriers, 80 MHz | 234 | 980
    Valid subcarriers, 160 MHz | 468 | 1960
    Coding mode and rate
    MCS Index | Modulation Scheme | Bits per Subcarrier | Coding Rate
    MCS0 | BPSK | 1 | 1/2
    MCS1 | QPSK | 2 | 1/2
    MCS2 | QPSK | 2 | 3/4
    MCS3 | 16-QAM | 4 | 1/2
    MCS4 | 16-QAM | 4 | 3/4
    MCS5 | 64-QAM | 6 | 2/3
    MCS6 | 64-QAM | 6 | 3/4
    MCS7 | 64-QAM | 6 | 5/6
    VMCS8 | 256-QAM | 8 | 3/4
    VMCS9 | 256-QAM | 8 | 5/6
    VMCS10 | 1024-QAM | 10 | 3/4
    VMCS11 | 1024-QAM | 10 | 5/6
    Symbol and GI
    Item | 802.11ac and Earlier | 802.11ax
    FFT | 64-order | 256-order
    Subcarrier bandwidth | 312.5 kHz | 78.125 kHz
    Symbol length | 3.2 μs | 12.8 μs
    Short GI | 0.4 μs | /
    GI | 0.8 μs | 0.8 μs
    2 x GI | / | 1.6 μs
    4 x GI | / | 3.2 μs
    Rate = Number of spatial streams x 1/(Symbol length + short GI or GI) x (bit/subcarrier) x coding rate x number of valid subcarriers
    5 GHz (160 MHz at most): 8 x 1/13.6 μs x 10 bits/subcarrier x 5/6 x 1960 = 9607 Mbps
    2.4 GHz (40 MHz at most): 4 x 1/13.6 μs x 10 bits/subcarrier x 5/6 x 468 = 1147 Mbps
  • 280.
    Contents
    1. Introduction to WLAN Networking
    2. Development and Value of the Wi-Fi 6 (802.11ax) Standard
    3. Huawei Wi-Fi 6 Cutting-Edge Technologies and Continuous Networking Solutions
    4. Huawei Wi-Fi 6 Product Overview
  • 281.
    Overview and Objectives
    ⚫ This chapter describes the highlights of Huawei AirEngine Wi-Fi 6 products. After learning this chapter, you will be able to:
     Understand the networking capabilities of Huawei WLAN products and recommend applicable solutions in different scenarios.
     Understand the highlights of Huawei WLAN products in terms of antennas and radios, such as smart antennas and air interface optimization.
     Understand the highlights of Huawei WLAN products in experience optimization.
     Understand the highlights of Huawei WLAN products in security.
     Understand the highlights of Huawei WLAN products in intelligent O&M.
  • 282.
    To Achieve High Speeds, High Capacity, and Low Latency, Wi-Fi 6 Also Requires Continuous WLAN Networking
    Poor user experience on a non-continuous WLAN
    • No signal or weak signal: Some scenarios involve diverse space environments and many partitions. As a result, coverage holes or poor signals exist in some areas.
    • Connection failed in areas with signals: A large number of STAs attempt to connect to the network at the same time. As a result, some STAs cannot access the network.
    • Low network access rate even when connected: High-density user access causes network congestion and sharp decreases in wireless network bandwidth.
    • Intermittent network disconnections: Dense deployment and uncertain interference cause users to go offline or lead to unexpected service interruption.
    • Frequent in-roaming disconnections: No protection is available during roaming, the handover takes a long time, and a large number of packets are lost.
    • Slow fault rectification: WLAN faults are difficult to reproduce, so it takes a long time to locate or demarcate these faults, leading to difficulties in rectification.
  • 283.
    Huawei WLAN Network Construction Concepts
    For continuous networking and experiences:
    • Resolve coverage holes or weak coverage issues
    • Resolve issues related to bandwidth, roaming, latency, and IoT networking
    • Quickly identify and demarcate network faults
    • Resolve discontinuous and unstable experience issues
  • 284.
    Issues Related to AP Positions and Signal Coverage Quality Have Been Resolved Before Deployment
    Huawei's exclusive 3D network planning platform: WYSIWYG network planning and deployment
    • Distance in the industry's 2D network planning simulation: inaccurate
    • Distance in Huawei's 3D network planning simulation: more accurate
    Figure labels: walking mode; AP; STA; simulation point; actual deployment point; 2D network planning simulation effect in the industry
    Plan Construct Maintain Optimize
  • 285.
    Industry-Leading Smart Antennas Resolve Coverage Holes and Signal Reliability Issues
    Benefits: more focused signals; penetrating one more wall*; 20% longer coverage
    *: brick wall, glass, wooden door, etc.
    Unique hardware design
    ⚫ Patented dual-band co-planar design, smaller AP size
    ⚫ 4 elements for each antenna and 248 beam combinations, achieving all-round beamforming and more accurate beams
    Beam training
    ⚫ Patented intelligent beam training algorithm for selecting the beam with the maximum gain
    ⚫ Flexible environment adaptation, enabling always-on optimal signals for users anytime, anywhere
    Co-directional matching for digital beams
    ⚫ Flexible direction adjustment for antenna beams and digital beams to maximize the signal gain in the target STA direction
    Figure labels: Industry: omnidirectional antennas; Huawei: Smart Antenna; signals weakened; signals enhanced; Antenna A; Antenna B; out-of-phase superposition of signals; in-phase superposition of signals; Try, Try, Try-Best, Try; digital TxBF gain; beam gain of smart antennas; traditional antenna; element adjustment; forming digital TxBF
  • 286.
    Calibration, Roaming, and Scheduling Algorithms Resolve Multi-User Scheduling and Roaming Issues
    • Intelligent calibration algorithm: automatic optimization of parameters such as channel, power, and interference
    • AI roaming algorithm: steered roaming between APs, handover delay of less than 10 ms, and zero packet loss
    • Intelligent scheduling algorithm: bandwidth adaptation policy implemented based on network load, no rate limiting on the entire network, and "100 Mbps @ Everywhere" experience
    Figure labels: interference; roaming; channel; frequency bandwidth; power
    Plan Construct Maintain Optimize
  • 287.
    SmartRadio for Air Interface Optimization — SDR: Flexible Adaptation to Different Scenarios
    • 2.4 GHz/5 GHz software-defined radio (SDR)
    • Exclusively supporting flexible switching of dual-radio, triple-radio, and scanning modes
    Customer benefits:
    1. In high-bandwidth scenarios, the dual-radio mode is used to provide ultra-high throughput.
    2. In high-concurrency scenarios, the triple-radio mode is used to allow more STAs to access the network concurrently.
    3. In scenarios with severe interference, the dual-radio + independent scanning radio mode is used. In this mode, the independent radio is used to monitor and optimize the network quality in real time without compromising network performance.
    4. On a large-scale network, APs working in different radio modes can be deployed together, meeting requirements of different services and traffic types, improving network-wide performance, and saving the TCO.
    Figure labels: many interference sources, requiring real-time network status awareness; 120 users, 6–10 Mbps per user; 30 users, 50–70 Mbps per user; electronic classroom; lab; stadium; public classroom
    Comparison with other vendors (SDR):
    • Huawei: Supported by mid-range and high-end models
    • Vendor C: To be supported by mid-range and high-end models
    • Vendor A: To be supported by mid-range and high-end models
    • Vendor H: Not supported
    Plan Construct Maintain Optimize
  • 288.
    SmartRadio for Air Interface Optimization — DFA: Identifying Redundant Radios and Reducing Interference
    ➢ Dynamic frequency assignment (DFA): automatically calculates whether 2.4 GHz radios of APs are redundant, adjusts the power, disables the redundant radios, or enables the APs to switch to the monitor mode.
    ➢ If an AP becomes faulty, the WAC re-calculates the network-wide signals and adjusts the frequency band, channel, and transmit power of the APs accordingly.
    Initial state
    ➢ Interference on the 2.4 GHz channels
    Determine redundant radios
    ➢ Redundant 2.4 GHz radios after calculation
    Adjust the channel and transmit power
    ➢ Adjust the 2.4 GHz transmit power of other APs and disable the 2.4 GHz channel of AP A to reduce interference.
    [Figure: 2.4 GHz coverage of AP A, AP B, AP C, and AP D in each of the three states]
    Plan Construct Maintain Optimize
  • 289.
    SmartRadio for Air Interface Optimization — DBS: Dynamically Adjusting Bandwidth for Network-Wide Bandwidth Improvement
    Before adjustment
    • Early network planning: To ensure no interference on all channels, the AP works in HT20 mode by default. This mode limits user bandwidth to some extent.
    After adjustment
    • Channel detection and traffic identification algorithm: More network resources are preferentially allocated to core areas with heavy traffic volumes, improving the network-wide throughput by more than 20%.
    [Figure: per-AP 2.4 GHz and 5 GHz channel and bandwidth assignments before and after adjustment, with the hotspot area marked; before adjustment every radio uses HT20, after adjustment some 5 GHz radios use HT40 or HT80]
    Plan Construct Maintain Optimize
  • 290.
    AI Roaming: Differentiated Terminal Steering, Increasing the Wireless Speeds of Roaming Terminals by 30%
    Differentiated roaming steering based on STA types to increase the roaming success rate and wireless speeds
    ➢ The AP identifies the types of access STAs.
    ➢ STA profiles allow the system to match different roaming steering policies and parameters based on the types and operating systems of STAs.
    ➢ Steer STAs to roam so that different types of STAs can obtain the optimal roaming experience and increase the wireless speeds of roaming STAs by 30%.
    * For STAs that do not match any types or operating systems, CampusInsight will verify a large number of parameters and select the optimal parameter combination to construct STA profiles.
    As-Is: one for all
    • Unified steering policy: RSSI: –60 dBm; Steering mode: 802.11v; Target: AP2
    • Sticky terminal, handed over to a nearby AP within minutes
    To-Be: differentiated profile-based terminal steering
    • Mate 30: RSSI: –60 dBm; Steering mode: 802.11v; Target: AP2
    • iPhone 11: RSSI: –65 dBm; Steering mode: 802.11v; Target: AP2
    • Xiaomi 8: RSSI: –68 dBm; Steering mode: Deauthentication
    Figure labels: WAC; AP1; AP2; AP3; Mate 30; iPhone 11; Xiaomi 8
    Plan Construct Maintain Optimize
  • 291.
    Lossless Roaming: No Packet Loss During Roaming
    1. Pre-roaming: Path guidance before roaming, improving efficiency by 100%. Roaming handover time: 50 ms -> 10 ms
    2. Device-pipe synergy: Buffering service data during roaming, preventing packet loss
    3. Seamless resumable transmission: Data is replayed after roaming, ensuring no service interruption.
    Lossless roaming: Services are stable and are not interrupted in AGV scenarios, improving the running efficiency by 40%.
    Figure labels: AGV; CH1; CH6; CH11
    Plan Construct Maintain Optimize
  • 292.
    Intelligent Multimedia Scheduling, No Need to Configure Rate Limiting on the Entire Network
    Suppress heavy-traffic greedy services to ensure multimedia service experience, eliminating the need of the rate limiting configuration on the entire network and fully utilizing network bandwidth.
    Problems
    • BT download that preempts bandwidth
    • Frame freezing of voice and video services
    What else other than rate limiting?
    • Network rate limiting seems to be fair and also ensures key services. However, such a configuration greatly wastes network resources.
    Intelligent multimedia scheduling
    • Preferential scheduling for multimedia services
    • DBS
    Results
    • In congestion scenarios, the delay of voice and video services is reduced by 56% to 66% compared with the industry level.
    • The proportion of poor-QoS packets whose downlink delay is greater than 100 ms is reduced from 8.23% to only 0.08%.
    Scheduling mechanisms
    • Intra-AP: downlink. Queues VO, VI, BE, and BK; < slicing ratio: strict-priority scheduling; > slicing ratio: relative-priority scheduling; RR scheduling (figure labels: 20%, 80%, 10K Byte, 1K Byte)
    • Intra-AP: uplink. Backpressure through the TCP sliding window + lower-size uplink aggregation window, suppressing uplink greedy services
    • Inter-AP*: uplink/downlink. A poor-QoE AP broadcasts beacons to instruct the coordinated APs to suppress heavy-traffic users whose traffic volume exceeds the threshold (figure labels: poor-QoE AP; coordinated AP)
    Plan Construct Maintain Optimize
  • 293.
    Three-Layer WLAN Protection: End-to-End Security Assurance
    • The Wi-Fi protocol itself is secure.
    • In most cases, people ignore security for convenience.
    • Huawei provides E2E Wi-Fi security assurance.
    Air interface security:
    • Spectrum analysis for interference identification (independent radio scanning)
    • WIDS/WIPS air interface attack defense
    • Rogue AP identification and countermeasure
    Encryption security:
    • Air interface management frame encryption: PMF
    • Air interface data encryption: WEP, WPA, WPA2, WPA3
    • Wired tunnel hardware encryption: DTLS and IPsec
    Access security:
    • Authentication: MAC/802.1X/portal authentication
    • Authorization: Free mobility and unified authorization. 4W1H refined control policy: Who, Where, What, When, How
    • Protection: policy control and virus filtering at the network ingress
    (Diagram labels: Interference, Rogue AP, Hacking, Authentication server)
  • 294.
    Full Series Support for WPA3: Encryption Upgrade, Improving Air Interface Security
    Evolution of air interface encryption:
    • Open: no encryption
    • WEP weak encryption: launched in 1999, cracked in 2001
    • WPA strong encryption: launched in 2003, replaced by WPA2 in 2004
    • WPA2 strong encryption: launched in 2004, cracked in October 2017
    • WPA3 enhanced encryption: launched in 2019, meets security requirements of governments and banks
    (Diagram labels between levels: Encryption algorithm added; Enhanced algorithm; Enhanced algorithm and key length)
    As-is:
    • WPA2-Enterprise uses 128-bit keys. Does not meet security requirements of governments and banks.
    • WPA2-Personal uses PSK encryption. Vulnerable to dictionary attacks.
    • Open SSID with no encryption. Easy to be intercepted.
    To-be (WPA3):
    • WPA3-Enterprise uses the 192-bit encryption key algorithm. Meets higher CNSA/Suite B security requirements of governments and banks.
    • WPA3-Personal uses Simultaneous Authentication of Equals (SAE), a more secure key exchange mode. Advantage: Even if an attacker obtains an intermediate key, the attacker cannot decrypt data.
    • Opportunistic Wireless Encryption (OWE): Encryption keys are automatically negotiated when terminals connect to an open SSID. Advantage: Data in the open SSID is encrypted.
  • 295.
    In-service Software Upgrade on a WLAN: Service Reliability Assurance
    Uninterrupted WAC upgrade (active WAC and standby WAC):
    • Data of different versions can be backed up during an upgrade of the active and standby WACs.
    • After the active WAC is upgraded, APs switch back to the active WAC and then the standby WAC begins to be upgraded.
    Uninterrupted AP upgrade:
    1. Determine the AP upgrade sequence.
    2. Proactively migrate users.
    3. Perform a multi-batch, scattered upgrade.
    • Identify the AP upgrade sequence in the region and perform the multi-batch, scattered upgrade.
    • The coverage area of the AP to be upgraded is reduced, and the coverage area of surrounding APs is expanded to fill the coverage holes.
    • Proactively migrate users to neighboring APs.
    • APs in the overlapping area are restarted and upgraded, and neighboring APs expand their coverage areas to fill the coverage holes. The overall network coverage is not affected.
  • 296.
    Leader AP Function: Simplifying WLAN Management for Enterprise Branches
    • The leader AP integrates some WAC functions and can be used to manage Fit APs in small- and medium-sized branches or stores, implementing AC-free and license-free access and reducing investment.
    • Supports PSK, local Portal, 802.1X, and MAC address authentication.
    • Supports intelligent radio calibration and Layer 2 roaming.
    • Supports the web platform.
    AP Series | Number of Managed APs | Number of Managed STAs
    AirEngine 8760 series | 48 | 1024
    AirEngine 6760/6761/5760/5761 series | 32 | 512
    AirEngine 5762 series | 16 | 512
    (Diagram labels: Internet, Egress gateway, PoE switch, Leader AP, Fit AP; Management packets, Data packets)
  • 297.
    Wi-Fi & IoT Convergence: Allowing for Hybrid Networking Deployment
    Internal/external IoT: Bluetooth, RFID, ZigBee
    • ESL: reducing manpower by 90% through automatic update of commodity prices
    • Student health management, keeping users informed of physical status
    • Office asset management, improving the asset utilization rate by 100%
    • Healthcare IoT, improving hospital services
    ➢ IoT expansion via the card on the AP: applicable to scenarios where the IoT adaptation solution has been determined in the initial phase of network construction, IoT devices and APs do not need to be deployed separately, and mature IoT solutions (compatible with the existing solution) are available.
    ➢ IoT expansion via the USB port: applicable to scenarios where it is easy to integrate the partner's existing USB modules and mature IoT solutions are available.
    ➢ Exclusive IoT & Wi-Fi interference avoidance algorithm, mitigating interference
    Vendor comparison:
    • Huawei: 1. IoT expansion via the USB port 2. Built-in IoT card 3. Built-in BLE
    • Vendor C: 1. Built-in BLE 2. IoT expansion via the USB port
    • Vendor A: 1. Built-in RFID 2. IoT expansion via the USB port
    • Vendor H: 1. IoT expansion via the USB port 2. IoT expansion via PoE
    (Diagram labels: IoT card installed on the AP, IoT expansion via the USB port, IoT management platform, AirEngine series, WAC)
  • 298.
    Major Sales Scenarios: AGV and AOI
    Air Interface Slicing, and Dual Fed and Selective Receiving, Facilitating Wireless Reconstruction of Production Lines
    Scenarios: product line, logistics AGV, warehousing
    Real-time intelligent control: air interface slicing
    • Spectrum slicing and gigabit wireless transmission
    • Deterministic experience assurance for key services, latency < 10 ms
    Real-time intelligent control: dual fed and selective receiving
    • Dual-band simultaneous transmission, 99.999% link reliability
    • No disconnection and zero packet loss during AGV roaming
    Replacing industrial wired devices with wireless devices, higher efficiency at lower costs
    As-is: wired transmission (traditional wired network)
    • Wired backhaul for data of devices such as machine vision detection and PLC signal detection in production lines
    • Frequent production line changes due to new product manufacturing or process adjustment
    • On average, the production line is changed four times in one year. It takes 3 days to change a production line, and production is stopped for 12 days in one year, which severely affects the production capacity and benefits.
    To-be: wireless transmission (Wi-Fi 6)
    • It takes only 0.5 day to change a production line. The annual production capacity increases by 10 days, and the revenue of each production line increases by USD650,000.
    Customer benefits: net increase of 10-day production capacity; revenue increased by USD650,000 per product line
    Advanced technology: ultra-long-distance deployment: hybrid cable 600 m PoE+ power supply, long enough in a factory
    (Diagram labels: Wi-Fi 6 CPE, Background server, AirEngine 6761-21, Empowered by Wi-Fi 6)
  • 299.
    Train-to-Ground Backhaul Fast Handover Technology: Achieving Wireless Communication for High-Speed Trains
    High bandwidth:
    ⚫ Dual 5 GHz links, HT80 large bandwidth
    ⚫ Train-to-ground wireless backhaul bandwidth: 300+ Mbps
    Fast handover:
    ⚫ Make-before-break link setup, zero service interruption during the handover
    ⚫ Handover delay < 50 ms @ 160 km/h
    Stable running:
    ⚫ Professional shockproof chassis, anti-loose interfaces
    ⚫ Dual 5 GHz active-active links for trackside APs
    (Diagram labels: Broadcast center subsystem, Station subsystem, Rolling stock depot/stabling yard subsystem, Train-to-ground wireless communication system, Wi-Fi coverage in compartments; Transport bearer network, Video wall, Access authentication, Video management, Storage management, Network management, Application service, WAC, Industrial Ethernet switch, LED, Touch screen, Trackside AP 8760R-X1E, Vehicle-mounted AP 6760-51EI, Vehicle-mounted switch; 160 km/h)
  • 300.
    Unified SDN Controller, Implementing Evolution from Policy Control to Free Mobility
    PC era: Network admission control
    • Focus on PC authentication, terminal security, and desktop management
    • Identify user identities and implement network isolation and policy control based on VLANs and ACLs
    • Who are you? Do you have permission? Are you secure?
    • ACL and VLAN
    BYOD era: Pan BYOD converged network
    • Focus on refined policy control for wired and wireless terminals
    • Identify devices, users, locations, time, and access modes, and implement refined policy control based on VLANs and ACLs
    • What kind of terminal is this? Whose terminal? Where is it connected? Is it wireless or wired?
    • ACL and VLAN
    SDN era: Free mobility on an agile network
    • Focus on the consistency of policies and experience on the entire network when users move
    • Identify user groups and implement centralized management and control of policies and experience based on global user groups and SDN ideas
    • Which user group does a user belong to? What users and services can it access? Is it a VIP user? What is its bandwidth?
    • User group, bandwidth, QoS
    (Diagram labels: Branch A, Branch B, Campus, each with "Policies and resources")
  • 301.
    Objectives of Free Mobility: Consistent Experience Everywhere
    Locations shown: Home, R&D campus, HQ building, Business trip
    • Department: R&D. Access location: R&D area. Terminal type: desktop cloud. Security policy: ① Office area ② Code area ③ Intranet mailbox ④ Documentation area
    • Department: R&D. Access location: non-R&D area. Terminal type: laptop. Security policy: ① Office area ② Extranet mailbox ③ Documentation area ④ Internet
    • Department: R&D. Access location: outside the company. Terminal type: mobile phone. Security policy: ① Office area ② Extranet mailbox
    • Department: R&D. Access location: outside the company. Terminal type: tablet. Security policy: ① Office area ② Extranet mailbox ③ Documentation area
  • 302.
    Free Mobility, User Group-based Access Control Policies
    Define security groups >> Define policies by group >> NETCONF/YANG
  • 303.
    Free Mobility: Ensuring Consistent Access Permissions for Users Anytime and Anywhere
    • Define security group policies and deliver them to the entire network.
    • Authenticate users who attempt to access the network.
    • Map users to specific security groups based on the "5W1H" principle and deliver the mappings to devices.
    • Control the access permission, bandwidth, priority, application, and security using the security group policies.
    (Diagram labels: WAN/Internet, DC/Internet; step markers 1 to 4)
    User Name | User Group | Access Mode | Access Location | Access Duration | Access Permission | Access Bandwidth | Priority
    Mark | Physics department | Wired | Dormitory | 08:00–22:00 | Scientific research resources, Internet, and material sharing zone | 2 Mbps | Medium
    Joy | Economic research institute | Wired | Office | 00:00–24:00 | Scientific research resources, Internet, OA, management, and materials | 4 Mbps | Relatively high
    Terry | Other school | Wired/Wireless | Anywhere | 08:00–18:00 | Public material sharing zone | 500 kbps | Low
    Jim | Principal | Wired/Wireless | Administrative building | 00:00–24:00 | All websites, zones, and documents | 4 Mbps | Highest
  • 304.
    Intelligent O&M Platform, One-Stop Display of Wired and Wireless Network Quality and Experience
    Learn about the device status -> Control user experience
    Onsite fault locating for half a day -> Remote diagnosis in 1 minute
    Manual onsite troubleshooting -> Automatic intelligent calibration
    • User: full journey playback
    • Network: 7-dimensional site quality evaluation
    • Application: audio and video experience awareness
    • User: protocol playback and KPI correlation analysis
    • Network: 100+ fault inference rules and wired and wireless fault diagnosis
    • Application: poor-QoE correlation analysis for audio and video services
    • Precise troubleshooting suggestions
    • Predictive automatic calibration
    Comprehensive wired network fault diagnosis; intelligent radio calibration
  • 305.
    Neural Network-based Intelligent Radio Calibration, Improving Network-Wide Performance by 50%+
    Traditional calibration: based on past values. AI-based predictive calibration: based on predictive future values.
    AI-based intelligent algorithm (CampusInsight): 7-day historical running data, baseline training, load prediction. The device reports data, and CampusInsight instructs device calibration.
    • Edge identification (reducing STA stickiness)
    • Load first (spectrum squeeze)
    Average downlink rate of STAs*: 125 Mbps before calibration, 198 Mbps after AI-powered smart calibration (58%).
    Average Wi-Fi channel interference: 5.5% before calibration, 2.8% after AI-powered intelligent calibration (49%).
    * indicates the PHY transmit and receive rates between a single Wi-Fi STA and an AP.
    Network-wide calibration of thousands of APs can be completed in the following three steps:
    • Step 1: Score the network from seven dimensions to evaluate its quality.
    • Step 2: Identify APs with high loads, channel conflicts, and abnormal coverage.
    • Step 3: Automatically adjust the network based on AI learning and simulation.
    (Diagram labels: Load change trend, Calibration time; Yesterday, Today, Tomorrow)
  • 306.
    Quiz
    1. What is the intelligent O&M platform of Huawei CloudCampus? What functions does it provide?
    2. Which models of Huawei AirEngine series APs support smart antennas?
    3. What are the differences between AI roaming and common roaming? What benefits does AI roaming bring?
    4. What are the three layers of protection for Huawei WLAN?
  • 307.
    Section Summary
    ⚫ This chapter describes the highlights of Huawei AirEngine series products, including:
     Networking: leader AP function, fast handover technology in train-to-ground backhaul, etc.
     Radio calibration: Smart Antenna, pre-distortion algorithm, SmartRadio for air interface optimization, etc.
     Security: WPA3, Layer 3 air interface protection, etc.
     Experience optimization: intelligent multimedia scheduling, application acceleration, AI roaming, lossless roaming, etc.
     O&M management: iMaster NCE-Campus manages devices in a unified manner, and CampusInsight performs intelligent O&M.
  • 308.
    Contents
    1. Introduction to WLAN Networking
    2. Development and Value of the Wi-Fi 6 (802.11ax) Standard
    3. Huawei Wi-Fi 6 Cutting-Edge Technologies and Continuous Networking Solutions
    4. Introduction to Huawei AirEngine Wi-Fi 6 Products
  • 309.
    Overview and Objectives
    ⚫ This chapter describes Huawei AirEngine series WLAN products and their features. After learning this chapter, you will be able to:
    ⚫ Understand Huawei WLAN products.
    ⚫ Have a good command of the models and highlights of AirEngine series Wi-Fi 6 products.
    ⚫ Know the application scenarios of AirEngine series Wi-Fi 6 APs.
  • 310.
    AirEngine: Brand Name of Huawei Wi-Fi 6 and also the Name of Huawei Wi-Fi 6
    • Connectivity of everything (persons, things): ubiquitous connections for optimal user experience
    • Intelligent connection: ubiquitous intelligence, fully leveraging computing power
    (Diagram labels: Cloud, Intelligence, Pacific pipeline, Fabric interconnection, Intelligent security; NetEngine, CloudEngine, AirEngine, HiSecEngine; Campus network, Data center network, WAN)
  • 311.
    Full-Series AirEngine Wi-Fi 6 APs for All Scenarios
    Categories shown: Wi-Fi 6 (802.11ax) indoor AP; Wi-Fi 6 (802.11ax) wall plate AP; Wi-Fi 6 (802.11ax) outdoor AP; Wi-Fi 6 (802.11ax) scenario-specific AP (high-density scenario, hybrid optical-electrical, for vehicle-mounted backhaul, IoT AP); WAC
    • AirEngine 5761-12W: device rate 1.775 Gbps; NSS 2+2; built-in smart antennas; BLE 5.0, PoE out; uplink: 1 x GE electrical; downlink: 4 x GE electrical + 2 x RJ45 passthrough
    • AirEngine 5761-11W: device rate 1.775 Gbps; NSS 2+2; built-in smart antennas; BLE 5.0; uplink: 1 x GE electrical; downlink: 4 x GE electrical + 2 x RJ45 passthrough
    • AirEngine 6760-X1E: device rate 10.75 Gbps; NSS 4+6/4+8/4+4+4; external antennas; BLE 5.0, two built-in IoT slots; 1 x 10GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    • AP7060DN: device rate 5.95 Gbps; NSS 4+8; built-in smart antennas; BLE 5.0, external IoT module; 1 x 10GE electrical + 1 x GE electrical
    • AirEngine 6761-21T: device rate 6.575 Gbps; NSS 2+2+4; built-in smart antennas; BLE 5.0; 1 x 2.5GE electrical + 1 x GE electrical
    • AirEngine 8760-X1-PRO: device rate 10.75 Gbps; NSS 4+12/4+8+4; built-in smart antennas; BLE 5.0, two built-in IoT slots; 2 x 10GE electrical + 1 x 10GE SFP+
    • AirEngine 6760-X1: device rate 10.75 Gbps; NSS 4+6/4+8/4+4+4; built-in smart antennas; BLE 5.0, two built-in IoT slots; 1 x 10GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    • AirEngine 5760-51: device rate 5.95 Gbps; NSS 2+4/4+4/2+2+4; built-in smart antennas; BLE 5.0, two built-in IoT slots; 1 x 5GE electrical + 1 x GE electrical
    • AirEngine 6761-21: device rate 3.55 Gbps; NSS 4+4; built-in Dynamic-Zoom Smart Antennas; BLE 5.0; 1 x 2.5GE electrical + 1 x 10GE SFP+
    • AirEngine 5761-21: device rate 5.375 Gbps; NSS 2+4; built-in smart antennas; BLE 5.0; 1 x 2.5GE electrical + 1 x GE electrical
    • AirEngine 5761-11: device rate 1.775 Gbps; NSS 2+2; built-in smart antennas; BLE 5.0, USB; 1 x GE electrical
    • AirEngine 6761-21E: device rate 3.55 Gbps; NSS 4+4; external antennas; BLE 5.0; 1 x 2.5GE electrical + 1 x 10GE SFP+
    • AirEngine 8760R-X1: device rate 10.75 Gbps; NSS 8+8/4+12; built-in smart antennas; BLE 5.0, PoE out; 1 x 10GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    • AirEngine 8760R-X1E: device rate 10.75 Gbps; NSS 8+8/4+4+4; external antennas; BLE 5.0, PoE out; 1 x 10GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    • AirEngine 6760R-51: device rate 5.95 Gbps; NSS 4+4; built-in smart antennas; BLE 5.0; 1 x 5GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    • AirEngine 6760R-51E: device rate 5.95 Gbps; NSS 4+4; external antennas; BLE 5.0; 1 x 5GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    • AirEngine 5761R-11E: device rate 2.4 Gbps; NSS 2+2; external antennas; BLE 5.0; 1 x GE electrical + 1 x SFP
    • AirEngine 5761R-11: device rate 1.775 Gbps; NSS 2+2; built-in antennas; BLE 5.0; 1 x GE electrical + 1 x SFP
    • AirEngine 5762-12: device rate 2.975 Gbps; NSS 2+2; built-in smart antennas; BLE 5.0; 1 x GE electrical
    • AirEngine 5761-12: device rate 1.775 Gbps; NSS 2+2; built-in smart antennas; BLE 5.2, two built-in IoT slots; 2 x GE electrical
    • AirEngine 5762-13W: device rate 2.975 Gbps; NSS 2+2; built-in smart antennas; BLE 5.0; uplink: 1 x GE electrical; downlink: 1 x GE electrical
    • AirEngine 5762-12SW: device rate 2.975 Gbps; NSS 2+2; built-in smart antennas; BLE 5.0; uplink: 1 x GE electrical; downlink: 1 x GE electrical (optional colorful shells)
    • AirEngine 5762-15HW: device rate 2.975 Gbps; NSS 2+2; built-in smart antennas; BLE 5.0; uplink: 1 x SFP (hybrid, GPON, or GE optical module); downlink: 4 x GE electrical
    • AirEngine 6760-51EI: device rate 4.8 Gbps; NSS 4; external antennas; 1 x 5GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    • Wi-Fi 6 CPE UNR032H with vertical network ports: device rate 2.975 Gbps; NSS 2+2; external antennas; 4 x GE electrical
    • Wi-Fi 6 CPE UNR033H with horizontal network ports: device rate 2.975 Gbps; NSS 2+2; external antennas; 4 x GE electrical
    • AC6805: forwarding performance 120 Gbps; number of managed APs: 6K; number of access users: 64K
    • AirEngine 9700-M1: forwarding performance 120 Gbps; number of managed APs: 2K; number of access users: 32K
    • AC6508: forwarding performance 10 Gbps; number of managed APs: 256; number of access users: 4K
  • 312.
    Huawei Wi-Fi 6 Product Classification and Scenarios
    WACs are classified into high-end, mid-range, and entry-level models based on AP management specifications.
    Wi-Fi 6 APs are classified into four subcategories based on the number of spatial streams and deployment scenarios:
    1. High-density settled models supporting at least eight spatial streams
    2. Cost-effective settled models supporting four to six spatial streams
    3. Wall plate models supporting four streams
    4. Outdoor models (high-end, mid-range, and entry-level models based on the number of spatial streams)
    Categories shown: indoor high-density APs, indoor cost-effective APs, indoor wall plate APs, outdoor APs, WACs
    Models shown:
    • AP7060DN, NSS: 4+8
    • AirEngine 6760 series APs, NSS: 4+8/4+4+4/4+6+scanning
    • AirEngine 5760-51, NSS: 2+2+2/2+4+scanning
    • AirEngine 6761-21, NSS: 4+4
    • AirEngine 6761-21T, NSS: 2+2+4
    • AirEngine 6761-22T, NSS: 2+2+4 (6 GHz)
    • AirEngine 5761-21, NSS: 2+4
    • AirEngine 5761-11/5762-12, NSS: 2+2
    • AirEngine 5761-12W/11W, NSS: 2+2
    • AirEngine 5762-15HW/13W, NSS: 2+2
    • AirEngine 5762-12SW, NSS: 2+2
    • AirEngine 8760R series, NSS: 4+12/8+8/4+4+8/4+8+scanning
    • AirEngine 6760R series, NSS: 4+4
    • AirEngine 5761R-11/-11E, NSS: 2+2
    • WACs: AC6805 (6K AP), AirEngine 9700-M1 (2K AP), AC6508 (256 AP)
    Application scenarios:
    • Centralized AP management on midsize and large campus networks: education, district/county government and hospital, hotel building, etc.
    • Wi-Fi coverage in high-density and high-performance scenarios: enterprise office, production area, warehousing, healthcare, electronic classroom, stadium, etc.
    • Indoor open Wi-Fi coverage: OA in government, education, healthcare, and enterprise scenarios; Wi-Fi coverage in hotel and store scenarios
    • Wi-Fi coverage in multi-room and house scenarios: OA offices, VIP rooms, hotel rooms, campus dormitories, apartments, houses, etc.
    • Wi-Fi coverage in outdoor public scenarios: public facilities, parks, amusement parks, squares, building parking lots, cold chain warehouses, etc.
  • 313.
    Flagship Indoor Wi-Fi AP: AirEngine 8760-X1-PRO
    • 16 spatial streams + flexible radio mode switchover: ultra-high capacity, 10.75 Gbps. Radio modes: 4+8+independent radio for scanning/4+12/4+8+4
    • Independent probe: independent hardware + spectrum scanning
    • Real-time network optimization*
    * Works with CampusInsight to perform big data optimization.
    Parameter | Specifications
    Port | 2 x 10GE electrical + 1 x 10GE SFP+, dual-PoE
    Antenna | Built-in smart antennas
    Bluetooth | BLE 5.0
    Power supply | DC: 42.5 V to 57 V; PoE++, dual power supplies for backup
    Device rate | 1.15 Gbps + 9.6 Gbps
    USB port | 1
    Built-in IoT module | ZigBee, RFID, asset management, and ESL
    Security | Hardware encryption: IPsec and DTLS; WPA3
  • 314.
    Indoor High-End Wi-Fi 6 AP: AirEngine 6760 Series
    Models: AirEngine 6760-X1, AirEngine 6760-X1E
    Basic mode: 4+6. Radio 1: 2.4 GHz; Radio 2: 5 GHz. Device rate: 8.35 Gbps
    RTU mode*: Radio 1: 2.4 GHz; Radio 2: 5 GHz-1; Radio 3: 5 GHz-2 (switchable). Device rate: 10.75 Gbps
    1. Two spatial streams added: 4+8 (bringing higher performance)
    2. SDR, 4+8/4+4+4/4+6+scanning: flexible switchover
    3. Independent dual-band scanning: real-time network status awareness
    * Right To Use (RTU): The number of spatial streams and functions are added through licenses.
    Parameter | Specifications
    Port | 1 x 10GE electrical + 1 x GE electrical + 1 x 10GE SFP+
    Antenna | Built-in smart antennas
    Bluetooth | BLE 5.0
    Power supply | DC: 42.5 V to 57 V; PoE++
    Device rate | 4+6 mode: 1.15 Gbps + 7.2 Gbps; 4+8 mode: 1.15 Gbps + 9.6 Gbps
    USB port | 1
    Built-in IoT module | ZigBee, RFID, asset management, and ESL
    Security | Hardware encryption: IPsec and DTLS; WPA3
  • 315.
    Indoor Mid-Range Wi-Fi 6 AP: AirEngine 5760-51
    AirEngine 5760-51 wins Japan's highest design award: GOOD DESIGN AWARD 2020
    Basic mode: 6 spatial streams, SDR 2+2+2/2+4; AP rate: up to 5.37 Gbps
    RTU mode*: 2+2+4/4+4/2+4+scanning SDR; AP rate: up to 5.95 Gbps
    Radios: Radio 1: 2.4 GHz; Radio 2: 5 GHz-1; Radio 3: 5 GHz-2
    Built-in IoT module: one-click opening, facilitating O&M. Flexible IoT expansion: BLE, ZigBee, RFID, and Thread
    * RTU: The number of spatial streams and functions are added through licenses.
    Parameter | Specifications
    Port | 1 x 5GE electrical + 1 x GE electrical
    Antenna | Built-in smart antennas
    Bluetooth | BLE 5.0
    Power supply | DC: 42.5 V to 57 V; PoE+/PoE++
    Device rate | 2+4 mode: 0.57 Gbps + 4.8 Gbps; 4+4 mode: 1.15 Gbps + 4.8 Gbps
    USB port | 1
    Built-in IoT module | ZigBee, RFID, asset management, and ESL
    Security | Hardware encryption: IPsec and DTLS; WPA3
  • 316.
    Indoor Ultra-High-Density Wi-Fi 6 AP: AirEngine 6761-21/-21E
    • Dynamic-Zoom Smart Antennas: high-density/omnidirectional smart coverage, easily coping with high-density interference
    • Independent scanning radio: independent third radio, surrounding environment scanning and detection
    • AI roaming: differentiated roaming steering for STAs (steering policy A, steering policy B)
    Parameter | Specifications
    Device rate | 3.55 Gbps (1.15 Gbps + 2.4 Gbps)
    Antenna | 6761-21: Built-in Dynamic-Zoom Smart Antennas; 6761-21E: External antennas
    Radio | 4+4+Independent scanning radio (5 GHz)
    Number of STAs | 1024
    Port | 1 x 2.5GE electrical port + 1 x 10GE optical port
    Bluetooth | BLE 5.0
    Power consumption | 22.6 W (excluding USB)
    USB port | 1
    Power supply | DC: 42.5–57 V; PoE+ power supply
    IoT expansion | External IoT expansion through USB
  • 317.
    Indoor Triple-Radio Wi-Fi 6E AP: AirEngine 6761-22T
    • Triple radios: 2.4 GHz + 5 GHz + 6 GHz. Device rate: 6.575 Gbps (2+2+4)
    • Wi-Fi 6E, 6 GHz: 6 GHz (up to 1200 MHz)
    • Dual fed and selective receiving: proactive defense against packet loss, no service interruption (diagram: packets P1 to P4 sent over Feed 1 and Feed 2, Radio 1 and Radio 2)
    Parameter | Specifications
    Device rate | 6.575 Gbps (0.575 Gbps + 1.2 Gbps + 4.8 Gbps)
    Antenna | Built-in smart antennas
    Radio | 2x2 @ 2.4 GHz + 2x2 @ 5 GHz + 4x4 @ 6 GHz
    Number of STAs | 1536
    Port | 1 x 2.5GE electrical port + 1 x GE electrical port
    Bluetooth | BLE 5.2
    Maximum power consumption | 24.2 W (excluding USB)
    USB | 1
    Power supply | DC: 12 V ± 10%; PoE: 802.3at/af
    IoT expansion | External IoT expansion via USB
  • 318.
    Indoor High-End Triple-Radio Wi-Fi 6 AP: AirEngine 6761-21T
    • Triple radios: Radio 1: 2.4 GHz; Radio 2: 5 GHz-1; Radio 3: 5 GHz-2. Device rate: 6.575 Gbps (2+2+4)
    • Leader AP: direct forwarding: 24; tunnel forwarding: 12
    • Insensitive access: Module CPE, secure and insensitive terminal access
    Parameter | Specifications
    Device rate | 6.575 Gbps (0.575 Gbps + 1.2 Gbps + 4.8 Gbps)
    Antenna | Built-in smart antennas
    Interface | 1 x 2.5GE + 1 x GE electrical port
    Bluetooth | BLE 5.0
    Power consumption | 21.2 W (excluding USB)
    USB | 1
    Power supply | DC: 12 V ± 10%; PoE+ power supply
    IoT expansion | External IoT expansion via USB
  • 319.
    Indoor Cost-Effective Wi-Fi 6 AP: AirEngine 5761-21
    • 6 spatial streams + smart antenna. Device rate: 5.375 Gbps (2+4)
    • Leader AP: direct forwarding: 24; tunnel forwarding: 12
    • Insensitive access: Module CPE, secure and insensitive terminal access
    Parameter | Specifications
    Device rate | 5.375 Gbps (0.575 Gbps + 4.8 Gbps)
    Antenna | Built-in smart antennas
    Interface | 1 x 2.5GE + 1 x GE electrical port
    Bluetooth | BLE 5.0
    Power consumption | 17.9 W (excluding USB)
    USB | 1
    Power supply | DC: 12 V ± 10%; PoE+ power supply
    IoT expansion | External IoT expansion through USB
  • 320.
    Indoor Cost-Effective IoT Wi-Fi 6 AP: AirEngine 5761-12
    • Built-in IoT: built-in PCIe slot and BLE 5.2. One-click opening, facilitating O&M. Flexible expansion: BLE/ZigBee/RFID/Thread
    • Dual fed and selective receiving: proactive defense against packet loss, no service interruption (diagram: packets P1 to P4 sent over Feed 1 and Feed 2, Radio 1 and Radio 2)
    Parameter | Specifications
    Device rate | 1.775 Gbps (0.575 Gbps + 1.2 Gbps)
    Antenna | Built-in smart antennas
    Radio | 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
    Number of STAs | 1024
    Port | 2 x GE electrical ports
    Bluetooth | BLE 5.2
    Maximum power consumption | 12.63 W (excluding USB)
    USB | 1
    Power supply | DC: 12 V ± 10%; PoE: 802.3at/af
    IoT expansion | Two built-in IoT slots (PCIe); external IoT expansion via USB
  • 321.
    Indoor Entry-Level Wi-Fi 6 AP: AirEngine 5761-11
    • 4 spatial streams. Device rate: 1.775 Gbps (2+2). Radio 1: 2.4G, 2x2 MIMO, 0.57 Gbps; Radio 2: 5G, 2x2 MIMO, 1.2 Gbps
    • Leader AP: direct forwarding: 24; tunnel forwarding: 12
    • Insensitive access: Module CPE, secure and insensitive terminal access
    Parameter | Specifications
    Device rate | 1.775 Gbps (0.575 Gbps + 1.2 Gbps)
    Antenna | Built-in smart antennas
    Interface | 1 x GE electrical port
    Bluetooth | BLE 5.0
    Power consumption | 15.3 W (excluding USB)
    USB | 1
    Power supply | DC: 12 V ± 10%; PoE+ power supply
    IoT expansion | External IoT expansion through USB
  • 322.
    Indoor Entry-Level Wi-Fi 6 AP: AirEngine 5762-12
    • 4 spatial streams, 2.975 Gbps (HT160). Radio 1: 2.4G, 2x2 MIMO, 0.575 Gbps; Radio 2: 5G, 2x2 MIMO, 2.4 Gbps
    • Smart antennas: beamforming, 20% longer coverage range than omnidirectional antennas
    • Leader AP: free of WAC management
    • Dimension shown: 180 mm
    Parameter | Specifications
    Device rate | 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
    Antenna | Built-in smart antennas
    Interface | 1 x GE electrical port
    Bluetooth | BLE 5.0
    Power consumption | 11 W (excluding USB)
    USB | None
    Power supply | DC: 12 V ± 10%; PoE: 802.3af
    IoT expansion | None
  • 323.
    Wall Plate Wi-Fi 6 AP: AirEngine 5761-12W/11W
    • Various ports: uplink GE electrical port: GE/FE; downlink multi-port: 4 x GE + 2 x passthrough (passthrough port)
    • Leader AP: direct forwarding: 24; tunnel forwarding: 12
    • Insensitive access: Module CPE, secure and insensitive terminal access
    Parameter | Specifications
    Device rate | 1.775 Gbps (0.575 Gbps + 1.2 Gbps)
    Antenna | Built-in smart antennas
    Interface | Uplink 1 x GE electrical + Downlink 4 x GE electrical + 2 x RJ45 (passthrough) (12W: GE4 supports 11 W PoE Out.)
    Bluetooth | BLE 5.0
    Power consumption | 12W: 13.1 W (excluding USB and PoE Out); 11W: 12.7 W (excluding USB)
    USB | 1
    Power supply | 12W: DC: 42.5 V to 57 V, PoE+ power supply; 11W: DC: 12 V ± 10%, PoE power supply
    IoT expansion | External IoT expansion through USB
  • 324.
    Hybrid Optical-Electrical Wall Plate Wi-Fi 6 AP: AirEngine 5762-15HW
    • 4 spatial streams, 2.975 Gbps. Radio 1: 2.4G, 2x2 MIMO, 0.575 Gbps; Radio 2: 5G, 2x2 MIMO, 2.4 Gbps
    • Smart antennas: beamforming, 20% longer coverage range than omnidirectional antennas
    • Hybrid cable: optical/electrical port, 600 m PoE+ power supply. Simplifying access-layer networking and reducing the occupation of the ELV room
    • Application scenarios: hospital ward, dormitory
    Parameter | Specifications
    Device rate | 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
    Radio | 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
    Maximum power consumption | 15 W (excluding USB)
    Power supply | DC: 12 V ± 10%; PoE: 802.3at/af
    Port | Uplink: 1 x SFP (hybrid cable, GPON, or common SFP); downlink: 4 x GE electrical ports; Bluetooth serial port + USB port
  • 325.
    Cost-Effective Wall Plate Wi-Fi 6 AP: AirEngine 5762-13W
    • 4 spatial streams, 2.975 Gbps. Radio 1: 2.4G, 2x2 MIMO, 0.575 Gbps; Radio 2: 5G, 2x2 MIMO, 2.4 Gbps
    • Smart antennas: beamforming, 20% longer coverage range than omnidirectional antennas
    • Leader AP: free of WAC management
    • Application scenarios: small office, dormitory
    Parameter | Specifications
    Device rate | 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
    Radio | 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
    Maximum power consumption | 12 W (excluding USB)
    Power supply | DC: 12 V ± 10%; PoE: 802.3af
    Port | Uplink GE electrical port + downlink GE electrical port; Bluetooth serial port + USB port
  • 326.
    Wall Plate 86x86 Wi-Fi 6 AP: AirEngine 5762-12SW
    Application scenarios House SOHO/store: Small-scale self-networking Low-end/mid-range and budget hotels
    Parameter Specifications
    Device rate: 2.975 Gbps (0.575 Gbps + 2.4 Gbps)
    Radio: 2x2 @ 2.4 GHz + 2x2 @ 5 GHz
    Maximum power consumption: 12 W
    Power supply: PoE: 802.3af
    Port:
    • Uplink GE electrical port + downlink GE electrical port
    • Bluetooth serial port
    Leader AP Choices of shells in multiple colors APP 3-step deployment Shells of various colors (white, golden, silver gray) 4 spatial streams 2.4G 2x2 MIMO 0.575 Gbps Radio 2 Radio 1 5G 2.4G 5G 2x2 MIMO 2.4 Gbps Free of WAC management 2.975 Gbps
  • 327.
    Outdoor Flagship Wi-Fi 6 AP: AirEngine 8760R-X1/X1E
    AirEngine 8760R-X1E 8760R-X1 Extreme environment 10GE uplink 10GE electrical + GE electrical + 10G SFP+ optical • Multi-rate: 10G optical + 10G electrical (2.5G/5G) + GE electrical • IoT: built-in BLE/ZigBee/RFID/Thread external PoE out GE PoE out Camera IoT device … AirEngine 8760R-X1: 8+8/4+12/4+8+independent scanning AirEngine 8760R-X1E: 8+8/4+4+4/4+4+independent scanning 16 spatial streams, providing up to 10.75 Gbps rate Innovative 2.4 GHz 8T8R, providing 40% longer coverage Network port surge protector Antenna surge protector
    • Waterproof/dustproof level: IP68
    • Built-in surge protection design
    • Wide temperature: -40℃ to +65℃
  • 328.
    Outdoor High-End Wi-Fi 6 AP: AirEngine 6760R-51/51E
    2.4 GHz (4x4 MIMO) Radio 2 Radio 1 5G 2.4G 5 GHz (4x4 MIMO) … AirEngine 6760R-51E 6760R-51 8 spatial streams 4+4, providing up to 5.95 Gbps rate Extreme environment Network port surge protector Antenna surge protector
    • Waterproof/dustproof level: IP68
    • Built-in surge protection design
    • Wide temperature: -40℃ to +65℃
  • 329.
    Outdoor Cost-Effective Wi-Fi 6 AP: AirEngine 5761R-11/11E
    Parameter Specifications
    Device rate: 5761R-11: 1.775 Gbps; 5761R-11E: 2.4 Gbps
    Antenna: 5761R-11: Built-in directional antennas; 5761R-11E: External antennas
    Radio: 2+2 (5761R-11E: dual 5 GHz radios)
    Number of STAs: 1024
    Port*: 1 x GE electrical port + 1 x GE optical port
    Bluetooth: BLE 5.0
    Power consumption (excluding USB): 17.7 W
    USB port: N/A
    Power supply: 802.3at/af power supply
    IoT expansion: N/A
    4 spatial streams Built-in high-level protection Network port surge protector Feeder surge protector High IP rating IP68 waterproof and dustproof, built-in surge protection, –40° C to +65° C wide temperature range Device rate: 1.775 Gbps or 2.4 Gbps (2+2) 2.4G 2x2 MIMO 0.57 Gbps or 1.2 Gbps Radio 2 Radio 1 5G 2.4G 5G 2x2 MIMO 1.2 Gbps
    Note: The GE optical port can be evolved and connect to a second-generation (2.0) hybrid cable.
  • 330.
    Vehicle-Mounted Wi-Fi 6 AP: AirEngine 6760-51EI
    Parameter Specifications
    Maximum rate: 4.8 Gbps (5 GHz: 4x4:4)
    Antenna: External antennas
    Interface: 1 x 5GE electrical port + 1 x GE electrical port + 1 x 10GE optical SFP+ port
    Bluetooth: BLE 5.0
    Power consumption: 23.8 W
    USB: --
    Power supply: DC: 42.5 V to 57 V; PoE+ power supply
    IoT expansion: --
    Ultra-high-speed Wi-Fi 6 vehicle-mounted AP Fast handover High-level protection High-grade die-casting aluminum, shockproof, waterproof, and fireproof 900 Mbps per train @ 160 km/h 30 ms soft handover, ensuring zero service interruption
  • 331.
    Mappings Between AirEngine Wi-Fi 6 APs and Antennas
    27011172 (omnidirectional) 27013721 (omnidirectional)
    Columns: No.; Product Type; Product Model/Part Number; Port Type; Gain; Lobe Angle
    1; Indoor; AirEngine 6760-X1E; 8 x RP-SMA-K; N/A; N/A
    2; Outdoor; AirEngine 8760R-X1E; 8 x N-Type (female); N/A; N/A
    2; Outdoor; AirEngine 6760R-51E; 4 x N-Type (female); N/A; N/A
    3; Indoor antenna; 27011172 (omnidirectional); 1 x PR-SMA-J/2.4G&5G dual-polarized; 3.5/4 dBi; 360°
    3; Indoor antenna; 27012545 (omnidirectional); 4 x PR-SMA-J/2.4G&5G dual-polarized; 4/5 dBi; 360°/110°
    4; Outdoor antenna; 27013721 (omnidirectional); 1 x N-type/male connector/2.4G&5G dual-polarized; 4/7 dBi; 360°
    4; Outdoor antenna; 27013720 (directional); 4 x N-type/female connector/2.4G&5G dual-polarized; 8/8 dBi; 70°/70°
    4; Outdoor antenna; 27013719 (directional); 4 x N-type/female connector/2.4G&5G dual-polarized; 13/13 dBi; 2.4 GHz: 33°/33°, 5 GHz: 30°/30°
    4; Outdoor antenna; 27013718 (directional); 4 x N-type/female connector/2.4G&5G dual-polarized; 13/16 dBi; 2.4 GHz: 33°/33°, 5 GHz: 18°/18°
    Antennas are general-purpose components. Alternatively, you can also use the models available on the SCT. For more models, visit the official website.
  • 332.
    Fourth-Generation Universal Mounting Bracket + Leading Engineering Installation Capability: Flexible Adaptation to 3 Scenarios and 13 Sub-scenarios
    Flexible adaptation to 3 scenarios and 13 sub-scenarios: Ceiling-mounted, Wall-mounted, Cable distribution box
    Unified mounting bracket, simplifying installation
    *In some scenarios, the APs can interconnect with the mounting bracket of other vendors, facilitating device replacement.
    Buckle secured + D-type antitheft: secure and reliable
  • 333.
    Huawei's Mainstream WACs
    AC6805
    • Maximum throughput: 120 Gbps
    • Maximum number of managed APs: 6K
    • Maximum number of access STAs: 64K
    • 2 x 40GE optical ports + 12 x 10GE optical ports + 12 x GE electrical ports
    AC6508
    • Maximum throughput: 10 Gbps
    • Maximum number of managed APs: 256
    • Maximum number of access STAs: 4K
    • 2 x 10GE optical ports + 10 x GE electrical ports
    AirEngine 9700-M1
    • Maximum throughput: 120 Gbps
    • Maximum number of managed APs: 2K
    • Maximum number of access STAs: 32K
    • 2 x 40GE optical ports + 12 x 10GE optical ports + 12 x GE electrical ports
  • 334.
    WAC: AirEngine 9700-M1
    • 2K APs, 32K STAs, forwarding performance of 120 Gbps
    Parameter Specifications
    Port: 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE
    Forwarding performance: 120 Gbps
    Number of managed APs: 2K
    Number of managed STAs: 32K
    Protection mode: 1+1 HSB or N+1 backup
    Power supply: Pluggable power modules, AC power supply, dual-power hot backup
    Fan: Pluggable fan modules x 3
    Dimensions (H x W x D): 43.6 mm x 442 mm x 420 mm. Applicable to 600 mm deep cabinets
    School campus, Large enterprise, Stadium
    Port: The 40GE port is mutually exclusive with the four 10GE ports.
  • 335.
    WAC: AC6805
    • 6K APs, 64K STAs, forwarding performance of 120 Gbps
    Parameter Specifications
    Port: 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE
    Forwarding performance: 120 Gbps
    Number of managed APs: 6K
    Number of managed STAs: 64K
    Protection mode: 1+1 HSB or N+1 backup
    Power supply: Pluggable power modules, AC power supply, dual-power hot backup
    Fan: Pluggable fan modules x 4
    Dimensions (H x W x D): 43.6 mm x 442 mm x 420 mm. Applicable to 600 mm deep cabinets
    School campus, Large enterprise, Stadium
    Port: The 40GE port is mutually exclusive with the four 10GE ports.
  • 336.
    WAC: AC6508
    • 256 APs, 4K STAs, forwarding performance of 10 Gbps
    Parameter Specifications
    Port: 2 x 10GE (SFP+) + 10 x GE (RJ45)
    Forwarding performance: 10 Gbps
    Number of managed APs: 256
    Number of managed STAs: 4K
    Protection mode: 1+1 HSB or N+1 backup
    Dimensions (H x W x D): 43.6 mm x 250 mm x 210 mm, applicable to cabinets
    Primary/Secondary education, SME, Branch
  • 337.
    Quiz
    1. What is Huawei's flagship Wi-Fi 6 AP? How many spatial streams does it support and what is the maximum rate?
    2. What IoT expansion modes are supported by Huawei Wi-Fi 6 APs?
    3. What function is supported by Huawei Wi-Fi 6 APs to achieve WAC-free self networking?
    4. How many APs can a Huawei WAC manage at most?
  • 338.
    Summary
    ⚫ This chapter describes Huawei AirEngine series APs (entry-level, mid-range, high-end, and scenario-specific) and WACs, and their highlights.
  • 339.
    More Information
    ⚫ Product overview: https://e.huawei.com/en/products/enterprise-networking/wlan
    ⚫ Detailed documentation: https://e.huawei.com/en/material/MaterialList
    ⚫ Campus network solution: https://e.huawei.com/en/solutions/business-needs/enterprise-network/campus-network
    ⚫ Product documentation: https://support.huawei.com/enterprise/en/category/wlan-pid-1482616818654?submodel=21875860
    ⚫ Wi-Fi 6 technology white paper: https://e.huawei.com/en/material/networking/wlan/f3ae84efd98d440eb457b4caf405b509
  • 340.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved.
    The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
    Bring digital to every person, home, and organization for a fully connected, intelligent world.
    Thank you.
  • 341.
    Huawei Campus SD-WAN Products and Solutions Presales Training
    ⚫ Security Level:
  • 342.
    Foreword
    ⚫ After years of development and evolution, the Internet has undergone significant changes. In the past, the Internet was mainly network-centric, and there were few Internet applications. As the main component of the network, the WAN took the most important position. However, with the rise of cloud computing, the potential of applications is fully exploited, and the Internet gradually becomes application-centric.
    ⚫ Traditional WAN interconnection is mainly implemented through direct fiber connections or MPLS leased lines leased from carriers, ensuring QoS or SLA. Facing the application-centric Internet, enterprise branches are interconnected through optical fibers or MPLS leased lines, increasing costs. To address this issue, SD-WAN emerges.
    ⚫ This course will help you understand the development trends of WAN technologies, application scenarios of SD-WAN, and highlights of Huawei SD-WAN.
  • 343.
    Objectives
    ⚫ On completion of this course, you will be able to:
     Understand the WAN development process and what SD-WAN is.
     Be familiar with the features of Huawei SD-WAN products and solutions.
     Be familiar with the models and highlights of Huawei NetEngine AR products.
     Be familiar with the differences between Huawei NetEngine AR models and flexibly select specific AR models based on project requirements.
  • 344.
    Contents
    1. Development Trends and Challenges Facing WAN Interconnection
    2. Introduction to Huawei SD-WAN Solution
    3. Introduction to Huawei NetEngine AR Products
  • 345.
    Overview and Objectives
    ⚫ This chapter describes the WAN development and SD-WAN development process. After learning this chapter, you will be able to:
     Describe the challenges facing WAN interconnection in the cloud background.
     Explain the basic concepts of SDN.
     Explain the basic concepts of SD-WAN.
  • 346.
    What Is a WAN?
    A wide area network (WAN) provides interconnection between different regions, cities, and countries. A WAN typically spans a large physical distance (dozens of kilometers to thousands of kilometers). To meet the long-distance transmission requirements of a WAN, optical fibers are often used as interconnection media.
    DC Branch Headquarters Residents LAN WAN LAN ISP
  • 347.
    WAN and Enterprise WAN Interconnection
    ⚫ Enterprise WAN interconnection refers to the interconnection between enterprise private networks across a large distance, such as the headquarters, DCs, branches, offices, and mobile offices.
    ⚫ Enterprise WAN interconnection typically depends on the carrier WAN or enterprise-built WAN.
    Carrier network/enterprise-built network Branch site Branch site Enterprise HQ Branch site Enterprise WAN interconnection WAN
  • 348.
    Main Enterprise WAN Interconnection Modes
    ⚫ Enterprise WAN interconnection can be implemented in the following modes:
     Regional networks are connected through MPLS or leased lines of carriers. This mode applies to enterprises that have high SLA requirements and is expensive.
     The carriers' Internet+VPN technologies are used for connections. This mode applies to small- and medium-sized branches that do not have high SLA requirements.
     Carriers' point-to-point leased lines are used for cross-city or cross-country connections. This mode is mainly used to connect DCs, headquarters, or important outlets and is expensive.
     Industries such as electric power and transportation have self-built leased line network connections.
    ⚫ Enterprise WANs are usually a combination of the preceding connection modes.
    Enterprise WAN interconnection Enterprise HQ Branch site Leased line MPLS 4G/5G Internet Self-built private network Branch site Branch site Enterprise HQ
  • 349.
    Common Application Scenarios of Enterprise WAN Interconnection
    Enterprise WAN interconnection needs to be deployed based on enterprise requirements. For example, in the finance industry, leased lines or MPLS lines are often used to ensure reliability and security. To reduce network costs, other enterprises usually lease MPLS lines as the primary lines and Internet+VPN lines as the backup lines.
    WAN interconnection in the finance industry: National core backbone high-speed backbone Level-1 branch Level-2 branch Sub-branch Sub-branch Level-2 branch ATM Sub-branch Branch service network Branch LAN Branch LAN SDH/MSTP/MPLS SDH/MSTP/MPLS SDH/MSTP/MPLS
    WAN interconnection of a manufacturing enterprise: Enterprise HQ Branch in area A Internet (backup) MPLS (primary) Branch in area B Branch in area C GRE over IPsec
  • 350.
    Challenges Brought by Service Cloudification to Enterprise WAN Interconnection
    ⚫ Before cloud computing, enterprise applications were mainly deployed locally. Branch employees accessed the headquarters network through VPN to reach various servers, such as the ERP system. Network service quality could be guaranteed as long as bandwidth was expanded. Service traffic did not need to be managed in a refined manner.
    ⚫ With the advent of cloud computing, a large number of enterprise applications are deployed in a cloud-based and centralized manner (public clouds or private clouds), greatly increasing branch interconnection traffic. In the case of surging traffic, it is difficult for enterprises to strike a balance between line costs and service quality.
    Enterprise HQ/DC Branch site WAN Branch site Branch site Growing enterprise services
  • 351.
    Challenges Brought by Multiple Services to Enterprise WAN Interconnection
    ⚫ Traditional networks are unable to detect service traffic in real time and therefore cannot effectively guarantee key services. In addition, the capability of monitoring service traffic is insufficient, and service traffic cannot be quickly adjusted.
    Internet backup link: low bandwidth efficiency Unknown application MPLS primary link: congested during peak hours Unknown application HQ SaaS applications are routed out through HQ, resulting in a long delay. Cloud Cloud No application visibility, causing difficulty in traffic scheduling Bandwidth conflict leads to frame freezing in video conferences Idle bandwidth makes video conference smooth
    Priority conflict: Key applications cannot be identified, and the scheduling priority is low.
    Bandwidth conflict: During peak hours, burst traffic is three to five times the average traffic, affecting key applications.
    600+ Cross-WAN application (an enterprise) Difficult management of key services such as voice, video, and SaaS applications
  • 352.
    Challenges Brought by Large Numbers of Branches to Enterprise WAN Interconnection
    ⚫ With the development of an enterprise, it will have more and more inter-city, inter-province, and inter-country branches, causing the following problems in managing branch site networks:
     Too many branches result in high O&M costs.
     It takes a long time to provision new services in branches.
     It is difficult to rectify faults on branch networks.
    Process approval (2 to 5 days) Hardware installation (1 to 3 days) Hardware transportation (2 to 5 days) Software commissioning (1 to 3 weeks) Site survey (1 to 3 days) Business consideration and device selection (1 to 3 days) Network planning (2 to 5 days)
    Branch 1 ... It takes a long time to provision new services in branches Branch 2 Branch 3 Difficult troubleshooting on branch networks results in high O&M costs Branch site Branch site Branch site Branch site
  • 353.
    What Is SDN?
    ⚫ Software-Defined Networking (SDN) decouples forwarding, control, and service applications, enabling networks to be quickly adjusted like IT applications and new services to be quickly deployed.
    Branch site Branch site Enterprise HQ Branch site Forwarding plane Unified management ISP network/Enterprise-built network SDN controller Application
  • 354.
    Emergence of SD-WAN
    ⚫ Software-defined Wide Area Network (SD-WAN) applies the SDN architecture and concept to WAN and reshapes WAN with SDN.
    Top 10 SD-WAN requirements defined by ONUG; SD-WAN features defined by Gartner; SD-WAN features defined by MEF
    Features of SD-WAN
    ⚫ Uses Zero Touch Provisioning (ZTP) to implement fast deployment and provisioning of branches, improving deployment efficiency.
    ⚫ Dynamically adjusts traffic paths by application type, making traffic steering more flexible and convenient.
    ⚫ Provides automatic and intelligent O&M capabilities to implement centralized management and control and network-wide status visualization.
    ⚫ Provides value-added services such as WAN optimization and security to implement fast service provisioning.
  • 355.
    Basic Features of SD-WAN: Hybrid Links
    ⚫ Flexible IP overlay network based on hybrid WAN links
    Enterprise HQ Carrier leased line Carrier leased line Branch Enterprise HQ Carrier leased line Internet Branch Traditional WAN Hybrid WAN Virtual network (overlay network) Physical network (underlay network) MPLS Internet Virtual network 1 HQ edge Branch edge Branch edge Branch edge Virtual network 2
  • 356.
    Basic Features of SD-WAN: Plug-and-Play
    ⚫ Devices are plug-and-play and services can be quickly provisioned.
    Subscription & self-service Multi-tenant management MSP/Carrier Enterprise Email-based deployment USB-based deployment DHCP-based deployment Batch operation of devices in the warehouse for centralized deployment No skill requirements for on-site personnel One-click deployment applicable to multiple access modes SD-WAN controller Plug-and-play in multiple modes Carrier network Device deployment and onboarding
  • 357.
    Basic Features of SD-WAN: High-Performance Gateway Devices
    ⚫ High-performance branch devices process all application-centered services.
    SD-WAN Multiple scenarios Various networking modes L3-L7 Application Pure routing Forwarding performance requirements Forwarding performance requirements Routing L1-L3 Package Route WAN connection
    Router performance bottleneck is a key factor restricting large-scale commercial deployment of SD-WAN. After SD-WAN is enabled, the forwarding performance deteriorates greatly.
    [Chart: Forwarding performance, Traditional WAN vs. SD-WAN; label: 80%]
  • 358.
    Core Values of SD-WAN
    Powerful interconnection: Flexible networking for on-demand interconnection of multiple clouds and multiple networks:
    • Mesh, hub-spoke, and partial mesh
    • WAN interfaces such as Ethernet, LTE, 5G, and DSL interfaces
    • Communication between traditional networks and MPLS networks
    • Flexible Internet access
    Optimal experience: Application-based traffic steering and optimization ensure key application experience:
    • Intelligent application identification
    • Flexible and dynamic traffic steering
    • QoS
    • WAN optimization
    High performance: High-performance branch devices build a new forwarding engine:
    • The demand for new applications, especially bandwidth-hungry applications such as video, increases.
    • Network devices require more software functions, from L1-L3 to L1-L7, posing higher requirements on CPE performance.
    Easy O&M: Intent-driven simplified branch network O&M
    • Automatic orchestration and easy configuration
    • Automatic discovery and easy O&M
    • Open ecosystem and easy integration
    • Simplicity and visibility, saving labor
    The core values of SD-WAN are that it helps enterprises build a high-quality WAN interconnection network that features powerful interconnection, optimal experience, high performance, and easy O&M anytime, anywhere. SD-WAN is an ideal solution to the problems faced by enterprise WANs.
  • 359.
    Section Summary
    ⚫ This chapter describes the concepts of WAN, development process of WAN interconnection, and concepts of SD-WAN. It also introduces three basic features of SD-WAN: hybrid links, plug-and-play, and high-performance gateway devices.
    ⚫ It introduces the core values of SD-WAN: powerful interconnection, optimal experience, high performance, and easy O&M.
  • 360.
    Contents
    1. Development Trends and Challenges of WAN Interconnection
    2. Introduction to Huawei SD-WAN Solution
    3. Introduction to Huawei NetEngine AR Products
  • 361.
    Overview and Objectives
    ⚫ This chapter describes Huawei SD-WAN Solution. After learning this chapter, you will be able to explain:
     Overall architecture and components of Huawei SD-WAN Solution
     Highlights of Huawei SD-WAN Solution in device deployment
     Networking, interoperability capabilities, and highlights of Huawei SD-WAN Solution
     Experience optimization capabilities of Huawei SD-WAN Solution
     Intelligent O&M capabilities of Huawei SD-WAN Solution
  • 362.
    Network Layers
    An enterprise SD-WAN network can be divided into two layers: underlay physical network and overlay virtual network, which are completely decoupled from each other.
    ⚫ Physical network: refers to the underlay WAN provided by a carrier or built by the enterprise, including the leased line network and MPLS network.
    ⚫ Virtual network: is also called the overlay network. Huawei SD-WAN Solution uses the IP overlay virtualization technology to build one or more virtual overlay networks on top of the physical network. Service policies are deployed on virtual networks and are decoupled from physical networks, thereby separating services from the WAN.
    Carrier network/enterprise-built network Branch site Branch site Enterprise HQ Branch site Overlay Virtual network Underlay Physical network Edge Edge Edge Edge/RR
  • 363.
    Edge Overview
    ⚫ An edge device is essentially an edge node of the SD-WAN network and is also called an Edge-CPE. Edge devices are interconnected using the IP overlay tunneling technology.
    ⚫ Edge devices can typically be traditional CPEs or vCPEs. vCPEs can be deployed at sites on the public cloud.
    ⚫ All SD-WAN edge devices of an enterprise are managed by iMaster NCE and are managed and maintained by tenant administrators.
    VPC/vNet vCPE CPE Branch site Branch site Enterprise HQ Branch site Overlay Virtual network Edge Edge/RR Unified management Edge Edge
  • 364.
    Route Reflector (RR) Overview
    ⚫ RRs are used to transmit BGP routes and reduce the number of BGP peers.
    ⚫ In Huawei SD-WAN Solution, RRs also control routes and network topologies. Therefore, RRs are also called regional controllers in this solution.
    ⚫ Both RRs and edge nodes are managed by iMaster NCE.
    ⚫ Control channels are established between RRs as well as between RRs and edge sites.
    ⚫ RRs are managed by iMaster NCE and control route sending and receiving at edge sites based on the overlay network topology model. In this way, sites can communicate with each other based on the user-configured overlay topology model.
    HQ/DC site Branch site Branch site Management channel BGP EVPN peer relationship RR Regional controller Edge Edge Edge MPLS Internet Filters overlay routes Controls the overlay topology
  • 365.
    Gateway Overview
    ⚫ New SD-WAN sites of an enterprise need to communicate with its legacy sites or third-party services. Some legacy sites are interconnected through MPLS VPN, and SD-WAN sites are interconnected through IP overlay tunnels. Therefore, the legacy network and SD-WAN network cannot directly communicate with each other.
    ⚫ An SD-WAN gateway can connect to both the SD-WAN and legacy networks. It can function as an intermediate gateway to implement interconnection between SD-WAN and legacy networks.
    Traditional MPLS domain SD-WAN domain PE Gateway PE MPLS SD-WAN network Enterprise 1 Enterprise 2 Enterprise 1 Enterprise 2 Enterprise 3
  • 366.
    Architecture of Huawei SD-WAN Solution
    RESTful APIs Tenant/Carrier Portal
    No.; Product; Functions
    ① iMaster NCE: 1. Network service orchestration 2. NE control 3. Basic network O&M 4. CPE orchestration and management 5. Basic performance monitoring (provides link quality information, application quality information, traffic information, and multi-dimensional statistics for single sites and between sites)
    ② RR: 1. Distributes VPN routes and tunnel information between CPEs based on VPN topology policies. 2. Deployed on physical AR routers or AR1000V software vCPEs. 3. Deployed independently or co-deployed with the CPE at the site.
    ③ CPE: Egress CPE of a site, which can be a traditional CPE or an NFV vCPE.
    ④ IWG: Implements multi-tenant interconnection between SD-WAN and traditional MPLS networks.
    Northbound network service layer Southbound NE layer VPN/Traffic steering/QoS/Security/WOC CPE-VIM O&M ① MPLS Internet Public cloud HQ/DC private cloud IWG vCPE vCPE RR SD-WAN CPE Traditional L3 CPE ③ ② ③ ④ ③ Campus/Branch Underlay Network management Control plane
    • RR: route reflector
    • CPE: customer-premises equipment
    • vCPE: virtual customer premises equipment (CPE)
    • IWG: Interagency Working Group
  • 367.
    Architecture of Huawei iMaster NCE
    Southbound interfaces Service functions Basic functions Northbound interfaces NETCONF VAS management Traffic policy Security policy Plug-and-play Visualized O&M Multi-tenant management Cluster management Alarm management Log management Device configuration Tunnel management Network inspection Device upgrade Network devices CPE vCPE Value-added services OSS/BSS Analysis system Other applications RESTful SNMP Trap Telemetry
  • 368.
    Distributed Cluster Deployment Supports Large Scale, High Reliability, and Flexible Capacity Expansion
    • The controller is deployed in a distributed cluster architecture to provide high reliability and load balancing capabilities. When a node in the cluster is faulty, other nodes take over services without affecting services.
    • Northbound load balancing: External requests are distributed to all cluster nodes, instead of being processed on a single node. This makes full use of cluster capabilities and improves reliability.
    • Southbound load balancing: Controller nodes are dynamically allocated to network devices based on the load of each controller node.
    Cluster; Function
    Service processing cluster: Provides service processing capabilities, such as CPE management, overlay network configuration delivery, and traffic policy configuration.
    Data processing cluster: Stores and aggregates CPE performance data.
    Nginx cluster: Functions as a high-performance HTTP proxy server that forwards concurrent connection requests. It is mainly used for L4-L7 load balancing of northbound traffic.
    LVS: Is short for Linux Virtual Server. It is a load balancing component that is mainly used for L1-L4 load balancing of north-south traffic.
    Distributed clusters for the controller Nginx cluster Service processing cluster Data processing cluster LVS Physical server VM
  • 369.
    Geographic Redundancy: Fast Switchover Ensures Service Continuity
    Controller cluster (active) Controller cluster (standby) Branch site Edge 1 Edge 2 Edge 3 Edge n Heartbeat Data synchronization Remote DR center Active DC Administrator Internet DNS server
    • Geographic redundancy supports disaster recovery backup between two clusters. The number of nodes in the active cluster must be the same as that in the standby cluster.
    • The active and standby controller clusters are both running. However, only the active cluster can provide services, while the standby cluster does not provide services. Data in the active cluster is synchronized to the standby cluster in real time to ensure data consistency.
    • The northbound and southbound interfaces or platforms of the controller use the same domain name or IP address. Tenants and devices use the same domain name or IP address to access the active controller cluster. After an active/standby switchover, traffic is automatically switched to the new active cluster.
    • Huawei SD-WAN controller active/standby solution supports only one active cluster and one standby cluster.
  • 370.
    Huawei SD-WAN: Zero Configuration, On-Demand Interconnection, Superior Experience, and Intelligent O&M
    Distributed control component NetEngine AR Counter Wi-Fi Large/Midsize branch VTM VR finance Greeting robot ... Small branch ... NetEngine AR 5G Cloud VR finance Robot service VTM Counter service MSTP MPLS RR RR RR Management layer Network layer Control layer
    Application-level traffic steering and optimization: delivering superior experience
    • Multiple application identification technologies with high identification precision
    • Network optimization technologies such as intelligent traffic steering, A-FEC, and multi-fed and selective receiving
    ZTP: automatic deployment
    • ZTP for multiple branches, fast site deployment
    • 5G-ready network free of cables, fast network provisioning
    Integration of management, control, and analysis: intelligent O&M
    • LAN/WAN convergence and unified policy orchestration
    • Intelligent O&M, one-stop network diagnosis and treatment
    On-demand interconnection: high-quality network
    • One network for all services in the HQ, branches and cloud
    • Internet access, cloud service access, and cross-domain interworking
  • 371.
    Intelligent Network Construction, One-Stop Management and O&M
    ZTP Deployment
    • USB-based deployment
    • Email-based deployment
    • DHCP-based deployment
    • Registration center-based deployment
    On-Demand Interconnection
    • Site-to-site access
    • Site-to-legacy access
    • Cloud on-ramp
    Application Experience
    • Application identification
    • Intelligent traffic steering
    • Application optimization
    • Intelligent application policy selection
    • Security
    Intelligent O&M
    • Service visualization
    • Alarm management
    • Log backtracking
    • Network diagnosis
    • Agile report
  • 372.
    ZTP Achieves Network Provisioning Within Minutes
    RESTful APIs Subscription & self-service Multi-tenant management MSP/Carrier Enterprise Email-based deployment USB-based deployment DHCP-based deployment Registration center-based deployment Batch operation of devices in the warehouse for centralized deployment No skill requirements for on-site personnel One-click deployment applicable to multiple access modes
    As-Is: On-site manual configuration and deployment, error-prone and time-consuming (1 to 3 months)
    Process approval (2 to 5 days) Hardware installation (1 to 3 days) Hardware transportation (2 to 5 days) Software commissioning (1 to 3 weeks) Site survey (1 to 3 days) Business consideration and device selection (1 to 3 days) Network planning (2 to 5 days)
    To-Be: Multiple ZTP modes, making minute-level network provisioning and device rollout possible
    Supported by default, automatic ZTP upon power-on
  • 373.
    Simplified and Batch Deployment, One Site for Multiple Purposes
    As-Is: Low efficiency, loose UI relationships, and high skill requirements
    • Time-consuming: 30 mins for deploying one site
    • Complex operations: Switching between pages
    • High requirements: Experience-dependent and error-prone
    • Steps: Create a device (3 mins); Configure WAN routes (10 mins); Create a device (3 mins); Configure WAN links (10 mins); Configure NTP (2 mins); Connect to RRs (2 mins)
    To-Be: Wizard-based template for batch site deployment, greatly improving efficiency
    • Fast configuration: 3 mins for deploying one site
    • Wizard-based: One page for E2E configuration
    • One site for multiple purposes: Batch deployment for sites of the same type
    • Site replication
    • Template-based configuration
  • 374.
    Multiple Flexible Networking Models Meet Different Branch Communication Requirements
    • Multiple networking modes: Supports multiple networking modes, including hub-spoke, full-mesh, partial-mesh, and hierarchical networking.
    • Hub redundancy: Supports single-hub dual-device and dual-hub (a maximum of eight service hub nodes). When a hub node is faulty, the connected spoke node automatically switches to the hub node with a lower priority.
    • Link redundancy: A single CPE supports a maximum of 10 links, and dual CPEs support 20 links for intelligent traffic steering, and an escape link.
    • CPE redundancy: Two CPEs at a site back up each other, and they support VRRP or route switchover.
    Hub-spoke
    1. Scenario 1: Branches mainly need to communicate with the headquarters, and there is no or little service traffic between branches.
    2. Scenario 2: In scenarios with high security requirements, all branch traffic needs to be diverted to the HQ for cleaning.
    Hierarchical networking
    1. Scenario: cross-province, cross-region, and cross-country large-scale enterprise network, which is divided into different areas for networking and management
    Full-mesh networking
    1. Scenario: Branches need to directly communicate with each other.
    Partial-mesh networking
    1. Scenario: Also called user-defined networking. Used when the live network is complex and needs to be customized to match the current network architecture, reducing the impact of SD-WAN reconstruction.
    [Figure labels: Backbone area; Region; Border router; RR; Hub]
  • 375.
    Multi-Hub Solution Improves Interoperability and Reliability of DCs
    Requirements & Challenges
    • Some enterprise customers may have three or more DCs deployed in different areas for service isolation and network-wide reliability (geographic redundancy). For example, it is common in China that an enterprise deploys three DCs in two cities.
    • Branch sites need to communicate with multiple DCs based on service requirements. Some branch sites need to communicate with each other through the hub site at the HQ.
    Solution
    • A maximum of 16 southbound and northbound service hubs can be deployed for communication between branches and DCs.
    • Southbound and northbound service hubs support backup and load balancing.
    • All hubs can function as branch-to-branch hubs. Two branch-to-branch hubs can be configured on the entire network to work in active/standby mode for higher reliability.
    • Priorities can be configured for service hubs based on branch sites.
    [Figure labels: Hub1 to Hub8; Spoke1; Spoke2; RR; ISP1; ISP2; ISP3; Office services; Production services]
  • 376.
    Interconnection Between Legacy MPLS Branches: Dual-Domain Network Interconnection, Implementing Smooth Service Evolution
    Interconnection between legacy MPLS branches
    Scenario: An enterprise has a large number of legacy MPLS branches and requires communication between the legacy MPLS domain and SD-WAN domain to implement smooth evolution.
    Solution:
    • Local access: The SD-WAN site and legacy site communicate with each other through the local CPE. That is, the CPE functions as a CE to communicate with the remote MPLS PE.
    • Centralized access: The SD-WAN site and legacy site communicate with each other through a centralized gateway. The centralized gateway selects a hub site device as a CE to communicate with the remote MPLS PE.
    • Access through a dedicated IWG: A dedicated IWG is deployed between an SD-WAN site and a legacy site. The IWG functions as the centralized gateway for access in the SD-WAN domain and as a PE in the MPLS domain. IWGs support multi-tenancy.
    [Figure labels: Legacy MPLS domain; SD-WAN domain; Internet; MPLS; Enterprise 1; Enterprise 2; Enterprise 3; Hub; IWG; PE; 1 Local breakout; 2 Centralized hub access; 3 Through the IWG; Local breakout and access of MPLS branches; Centralized access; Dedicated IWG]
  • 377.
    A-FEC: Smooth Video Experience Even at 30% Packet Loss Rate
    A-FEC, ensuring no frame freezing at 30% packet loss rate
    According to the test on the customer's live network, the video quality can be guaranteed even at the 30% packet loss rate. However, vendor V ensures the video quality only at 2% packet loss rate.
    A-FEC, easy-to-use and bandwidth saving
    ⚫ Vendors V and F support only static FEC. Users need to manually specify the redundancy rate, resulting in poor availability.
    ⚫ Huawei SD-WAN Solution supports A-FEC, which can dynamically adjust the redundancy rate (as shown in the following table) based on real-time packet loss. This not only improves availability but also reduces the number of redundant packets to be sent, saving bandwidth.
    Packet Loss Rate | A-FEC Redundancy Rate
    30M + 65 ms delay + 5% packet loss rate | 7%
    30M + 65 ms delay + 10% packet loss rate | 11%
    30M + 65 ms delay + 20% packet loss rate | 22%
    Application-based policy, flexible and controllable
    ⚫ Huawei: enables or disables A-FEC for specific services based on applications, improving device performance and saving link bandwidth.
    ⚫ Vendor C: supports FEC only based on links.
    Sender: Sends original packets and redundant packets based on the FEC algorithm.
    Receiver: Restores lost data based on the FEC algorithm, original packets, and redundant packets to ensure video quality.
    [Figure labels: Branch 1; Branch 2; AR router; Internet; Link packet loss; Vendor: artifacts at 3% packet loss rate; Huawei: no frame freezing and artifacts at 30% packet loss rate; A-FEC: Vendor V ensures no frame freezing only at 2% packet loss rate.]
    Note: Forward Error Correction (FEC) can be applied to all applications and protocols. It is recommended that FEC be applied to packet loss-sensitive services such as video services. FEC can only be used in SD-WAN scenarios.
  • 378.
    Difficult and Inefficient Traditional Enterprise Branch O&M
    Traditional O&M
    • Long branch provisioning period. Numerous devices, difficult deployment: Numerous devices (switch, Wi-Fi, firewall, router) -> Many systems, teams, and O&M personnel -> Many branches
    • Complex service configuration. Traditional service configuration mode: Site creation -> Link configuration -> VPN configuration -> QoS policy configuration -> Routing policy configuration...
    • Difficult O&M. Manual troubleshooting: Network fault -> Passive response -> Check on the NMS -> Manual locating...
  • 379.
    LAN-WAN Convergence: Unified Management and Control and One-Stop Deployment
    One platform with an integrated GUI, improving deployment and O&M efficiency and reducing customer investment
    • WAN egress interconnection
    • LAN campus configuration
    • Routes for LAN-WAN interconnection
    • WAN traffic policy, such as intelligent traffic steering
  • 380.
    Simplified O&M: Visualized Services, Large-Screen Monitoring, and Topology-based O&M
    Large-screen real-time monitoring
    ⚫ Customized dashboard (role or preference)
    ⚫ Network-wide real-time alarms (in minutes)
    ⚫ Multi-dimensional logs, facilitating problem backtracking
    ⚫ Agile report, on-demand customization
    Visualized topology status
    ⚫ Displays topology based on sites and links.
    ⚫ Provides real-time status and performance of sites and links.
    Topology O&M
    ⚫ Topology-based graphical O&M
    ⚫ Network-wide inspection, detecting potential problems
    Benefits shown on the slide:
    • Quickly obtain abnormal traffic
    • Optimize WAN investment and configuration policies
    • Locate the root cause of a fault in minutes
    • Quickly locate faulty devices or sites
  • 381.
    CampusInsight: Visualized WAN Network Health and E2E Visualized Network O&M
    WAN network health
    WAN-side intelligent O&M: wired network health, including AR health evaluation
    Details include health overview, device environment, device capacity, network performance, health trend, and network status.
  • 382.
    CampusInsight Provides Four Types of Intelligent Analysis, 20+ AR Issue Analysis
    Checking whether physical components are normal
    Checking whether data transmission is abnormal, affecting the throughput
    • Layer 2 loop
    • Port congestion and queue congestion
    • Error packets on a port
    • Packet loss due to CPCAR exceeding
    • Traffic prediction for possible threshold-crossing
    Checking whether the device resource quantity or capacity is sufficient
    • Threshold-crossing for ARP entries
    • Threshold-crossing for MAC address entries
    • Threshold-crossing for FIB forwarding entries
    • Threshold-crossing for ND forwarding resources (IPv6)
    • Insufficient ACL resources
    • Threshold-crossing for storage capacity
    • Threshold-crossing for CPU usage
    • Threshold-crossing for memory usage
    Checking whether a network port is abnormal
    • Port down
    • Intermittent port disconnection
    • Port error-down
    • Physical port suspension
    • Abnormal optical module

    • Device fault
    • Device disconnection
    • Repeated device restart
    • Modular switch cluster split/Dual-active modular switch cluster
    • LPU fault
    • Repeated LPU fault
    • MPU fault
    • Repeated MPU fault
    • SFU fault
    • Repeated AC restart
    • Repeated SFU fault
    • Inconsistency between hardware- and software-based entries
    • Fan fault
    • Power supply fault
    • Threshold-crossing for the storage life
    • Abnormal board temperature
    • Abnormal file system
    • Virtual license expiration
    • Expiration of other licenses
    • Repeated AP restart
    • Insufficient AP power supply
    • Threshold-crossing for the CPU usage on the forwarding plane (AR)
    • Failure to apply for the table entry memory on the forwarding plane (AR)
    • Threshold-crossing for the block memory on the forwarding plane (AR)
    • Threshold-crossing for forwarding entries (AR)
    • Threshold-crossing for SAC/SPR/IPS flow tables on the forwarding plane (AR)
    • Threshold-crossing for flow table sessions on the forwarding plane (AR)
    • Threshold-crossing for EVPN connections (AR)
    • Lower BUF data on the forwarding plane than the threshold (AR)
    • PoE fault
    • Repeated PoE fault
    Note: AR products support the features in red.
  • 383.
    Quiz
    1. Single-answer question: What is the maximum packet loss rate supported by A-FEC while ensuring smooth video playback? ( )
       A. 10%
       B. 20%
       C. 30%
       D. 40%
    2. Multiple-answer question: Which load balancing modes are supported by Huawei SD-WAN? ( )
       A. Per-packet load balancing
       B. Per-flow load balancing
       C. Load balancing by link bandwidth percentage
       D. Even load balancing by traffic volume
  • 384.
    Section Summary
    ⚫ This chapter describes the architecture, components, and highlights of Huawei SD-WAN Solution.
     ZTP: Three deployment modes are available: USB-based deployment, DHCP option-based deployment, and email-based deployment. In addition, template-based batch deployment is supported.
     On-demand interconnection: Multiple networking models, multi-hub scenarios, MPLS branch interconnection, and multi-cloud interconnection solutions
     Application experience: application identification, intelligent traffic steering, load balancing, multi-fed and selective receiving, and A-FEC
     Intelligent O&M: iMaster NCE-Campus centrally manages LANs and WANs, and CampusInsight visualizes E2E experience.
  • 385.
    Contents
    1. Development Trends and Challenges of WAN Interconnection
    2. Introduction to Huawei SD-WAN Solution
    3. Introduction to Huawei NetEngine AR Products
  • 386.
    Overview and Objectives
    ⚫ This chapter describes Huawei NetEngine AR series enterprise gateway routers, their features, and highlights. After learning this chapter, you will be familiar with:
     Naming conventions and features of Huawei NetEngine AR series products
     Application scenarios of Huawei NetEngine AR series products
     Highlights of Huawei NetEngine AR series products
  • 387.
    Huawei High-Performance NetEngine AR Series Enterprise Routers
    Products: NetEngine AR650 & AR610 series; NetEngine AR6000 series; NetEngine AR8000 series; NetEngine AR1000V vCPE
    5G uplink
    • Industry's first router with 5G uplinks
    • Industry's highest 5G uplink performance
    SD-WAN
    • 20 Gbit/s forwarding capability
    • E2E SRv6 networking
    One-hop cloud access
    • One hop to six clouds, one network to multiple clouds
    • vCPE 10 Gbit/s SD-WAN performance
    Cloud-based management
    • Automated service deployment
    • Intelligent O&M
  • 388.
    Naming Conventions of NetEngine AR Products (1/2)
    Modular router
    NetEngine AR 6 1 1W-LTE4CN
    • Series: 1/2 (G3 series), 6 (600 series)
    • Grade: 1 (standard); 5 (high-end)
    • WAN port type: 1 (GE); 7 (VDSL2 35B)
    • Function: W (Wi-Fi); V (voice)
    • Additional information: LTE (LTE); 4 (Cat4); 6 (Cat6); CN (China)
    Fixed-configuration router
    NetEngine AR 6 1 2 1
    • Brand: NetEngine (product brand)
    • Type: AR (global market brand)
    • Series: 1/2/3 (G3 series), 6 (6000 series)
    • Height: 1 (1 U), 2 (2 U), and 3 (3 U)
    • Number of slots: 1 to 9 (number of slots); 0 (slot 10, 2 U or higher)
    • Generation: 0 (first generation), n (n+1 generation)
  • 389.
    Naming Conventions of NetEngine AR Products (2/2)
    Modular router
    NetEngine AR 6 7 1 0 – L26T2X4
    • Series: 6 (AR6700 product platform)
    • Market positioning: 7 (enterprise network market)
    • Product generation ID. The tens place indicates the generation, and the ones place is 0 by default.
    • Series model: L (simplified version)
    • Number of downlink ports
    • Downlink port type: T (GE electrical port)
    • Number of uplink ports
    • Uplink port type: X (10GE optical port)
    • Card slot: No value indicates that cards are not supported. n indicates the number of supported slots.
    Fixed-configuration router
    NetEngine AR 8 1 4 0 – 12G10XG
    • Brand: NetEngine (product brand)
    • Type: AR (global market brand)
    • Series: AR8000 product platform
    • Height: 1 (1 U), 2 (2 U), and 3 (3 U)
    • Number of slots: 1 to 9 (number of slots); 0 (slot 10, 2 U or higher)
    • Generation: 0 (first generation), n (n+1 generation)
    • (Optional) Extended host information: nG indicates that n GE interfaces are supported. nXG indicates that n 10GE interfaces are supported.
  • 390.
    Huawei NetEngine AR Series Routers
    • HQ/Large branch (NetEngine AR8000/AR6300/AR6200 series): NetEngine AR6300, NetEngine AR6280, NetEngine AR8140-12G10XG
    • Small and midsize branch (NetEngine AR6100/AR6700 series): NetEngine AR6121E, NetEngine AR6140E-9G-2AC, NetEngine AR6710-L50T2X4, NetEngine AR6710-L50T2X4-T, NetEngine AR6710-L26T2X4, NetEngine AR6710-L26T2X4-T
    • Small enterprise (NetEngine AR650 series): NetEngine AR651, NetEngine AR651W-8P, NetEngine AR651W, NetEngine AR657W
    • SOHO (NetEngine AR610 series): NetEngine AR611W, NetEngine AR617VW-LTE4EA, NetEngine AR617VW-LTE4 (Available only in Latin America), NetEngine AR611
    • vCPE: NetEngine AR1000V
  • 391.
    Main Control Boards and Boards of Huawei NetEngine AR Series Routers (1/2)
    Category | Model | Description | Type | √ marks in the router columns (AR6300, AR6280, AR8140, AR6700, AR6140E, AR6121E, AR657W, AR651W-8P, AR651W, AR651, AR610)
    Main control board | SRU-400H | Service and Router Unit 400H, 14*10GE(SFP+), 10*GE Copper, 1*USB2.0 | NA | √ √
    Main control board | SRU-600H | Service and Router Unit 600H, 14*10GE(SFP+), 10*GE Copper, 1*USB2.0 | NA | √ √
    Ethernet LAN | AR01XEGFTA | 24-Port 10/100/1000BASE(RJ45)-L2/L3 Ethernet Switch Interface Card, 1*1 | XSIC | √ √
    Ethernet LAN | AR-4ES2G-S | 4-Port 1000BASE-RJ45 L2/L3 Ethernet Interface Card (SIC), 1*3 | SIC | √ √ √ √
    Ethernet LAN | AR01WEG4SB | 4-Port 1000BASE-SFP-L2 Ethernet Interface Card, 1*1 | WSIC | √ √ √ √
    Ethernet LAN | AR-9ES2-W | 8-Port 100M-RJ45 and 1 Port 1000M-RJ45 L2 Ethernet Interface Card, 1*2 | WSIC | √ √ √ √
    Ethernet LAN | WSIC-4GE-C-V2 | Four GE combo interfaces, Layer 3 interfaces by default, supporting Layer 2 and Layer 3 switching | WSIC | √ √
    Ethernet LAN | WSIC-8GE-T-V2 | Eight GE electrical interfaces, Layer 3 interfaces by default, supporting Layer 2 and Layer 3 switching | WSIC | √ √
    Ethernet WAN | AR01SEG1CA | 1-Port GE Combo WAN Interface Card, 1*2 | SIC | √ √ √ √
    Ethernet WAN | AR01SEF2TA | 2-Port FE WAN Interface Card, 1*2 | SIC | √ √ √ √
    Ethernet WAN | AR-2X10GL-W | 2-Port 10GE Optical Ports Interface Card, 1*1 | WSIC | √ √
    Ethernet WAN | AR-4GECS-W | 4-Port GE COMBO WAN Interface Card (support syncE), 1*1 | WSIC | √ √ √ √
    Ethernet WAN | AR01WEG4TA | 4-Port 1000BASE-RJ45-L3 Ethernet WAN Interface Card, 1*1 | WSIC | √ √ √ √
    E1/T1 board | AR01SDE11A | 1-Port Fractional Channelized E1/T1 WAN Interface Card, 1*2 | SIC | √ √ √ √
    E1/T1 board | AR01SDME1A | 1-Port Channelized E1/T1/PRI/VE1 Multiflex Trunk Interface Card, 1*2 | SIC | √ √ √ √
    E1/T1 board | AR01SDE12A | 2-Port Fractional Channelized E1/T1 WAN Interface Card, 1*2 | SIC | √ √ √ √
    E1/T1 board | AR01SDME2A | 2-Port Channelized E1/T1/PRI/VE1 Multiflex Trunk Interface Card, 1*2 | SIC | √ √ √ √
  • 392.
    Main Control Boards and Boards of Huawei NetEngine AR Series Routers (2/2)
    Category | Model | Description | Type | √ marks in the router columns (AR6300, AR6280, AR8140, AR6700, AR6140E, AR6121E, AR657W, AR651W-8P, AR651W, AR651, AR610)
    Synchronous/Asynchronous board | AR01SDSA1A | 1-Port Sync/Async Serial Port Interface Card, 1*2 | SIC | √ √ √ √
    Synchronous/Asynchronous board | AR01SDSA2A | 2-Port Sync/Async Serial Port Interface Card, 1*2 | SIC | √ √ √ √
    Synchronous/Asynchronous board | AR01WDAS8A | 8-Port Async Serial Port Interface Card, 1*1 | WSIC | √ √ √ √
    Synchronous/Asynchronous board | AR-8SA-W | 8-Port Sync/Async Wan Interface Card, 1*1 | WSIC | √ √ √ √
    3G/LTE board | SIC-1LTE4-EA | TDD/FDD/HSPA+ Interface Card (replacing AR-1ELTE-L-S) | SIC | √ √ √ √
    3G/LTE board | MIC-1ELTE6-EA | WCDMA/LTE FDD/LTE TDD CAT6 interface card | MIC | √ √ √
    3G/LTE board | MIC-1LTE4 | FDD/WCDMA/HSPA+ Interface Card | MIC | √ √ √
    3G/LTE board | MIC-1LTE4-EA | FDD/WCDMA/HSPA+ Interface Card | MIC | √ √ √
    3G/LTE board | MIC-1LTE6-EA | FDD/TDD/HSPA+/WCDMA Cat6 interface card | MIC | √ √ √
    5G board | SIC-5G-100 | 5G NR/LTE/WCDMA Interface Card | SIC | √ √ √ √
    5G board | SIC-NR-102-V2 | AR6000, SIC-NR-102-V2, 5G NR/LTE/WCDMA Interface Card, 1*2 | SIC | √ √
    POS/CPOS board | AR-1CSTM1-W | 1-Port 155M Channelized Packet over SDH/Sonet Interface Card (WSIC), 1*2 | WSIC | √ √ √
    POS/CPOS board | AR-1STM1-W | 1-Port 155M Packet over SDH/Sonet Optical Interface Card, 1*1 | WSIC | √ √ √
    POS/CPOS board | AR-4STM1-W | 4-Port 155M Packet over SDH/Sonet Optical Interface Card, 1*1 | WSIC | √ √ √
    Voice board | SIC-4FXS | 4-Port FXS Voice Interface Card | SIC | √ √ √ √
    xDSL board | SIC-1V35B-AM | 1-Port VDSL2 WAN Interface Card | SIC | √ √ √ √
    5G RU | RU-5G-101 | RU-5G-101, 2*GE, 5G (NR/LTE/WCDMA), PoE PD, IP65 | RJ45 | √ √ √ √ √ √ √ √ √ √ √
  • 393.
    NetEngine AR8000: Ultra-High-Performance SD-WAN Hub
    Ultra-high SD-WAN forwarding performance
    • SD-WAN IMIX: 12 Gbit/s to 20 Gbit/s
    • SD-WAN 1400 bytes: 25 Gbit/s to 36 Gbit/s
    Ultra-large Hub capacity
    • Up to 6000 SD-WAN tunnels, supporting connection with a maximum of 6000 sites
    SRv6
    • Intelligent optimal path selection for E2E SLA assurance
    NetEngine AR8140-12G10XG
    • 10 x 10GE optical ports
    • 8 x GE combo ports
    • 4 x GE electrical ports
    • 4 x SIC expansion slots
    • 1 x USB port 3.0 expansion
    • 1 x console port
    • 1 x MGMT port
    • Dual hot swappable power modules
    • Built-in fan
    • Height: 1 U
    • All WAN ports can be switched to LAN ports.
    • Ports with the same number are the same combo port.
  • 394.
    NetEngine AR6300: High-Reliable Router for the HQ and Large Branches
    High reliability
    • Dual SRUs, dual power modules
    • Fan redundancy design
    NetEngine AR6300
    • Dual SRUs: SRU-400H/SRU-600H
    • High-density slots: 4 x SIC slots, 2 x WSIC slots, 4 x XSIC slots
    • High-density ports (SRU400H/SRU600): WAN: 14 x 10GE optical ports; LAN: 10 x GE electrical ports
    • Double power modules
    • Independent swappable fan modules
    Performance: Huawei 14 Gbit/s vs. other vendors 1.5 to 9.6 Gbit/s; 3x the industry average (Tolly certified)
    * Two SIC slots can be combined into one WSIC slot, and two WSIC slots can be combined into one XSIC slot.
    * 10GE optical ports can be switched to GE optical ports, and LAN ports can be switched to WAN ports.
  • 395.
    NetEngine AR6300 Specifications
    Specifications | AR6300 (SRU-400H) | AR6300 (SRU-600H)
    NAT + QoS + ACL throughput (IMIX) | 10 Gbit/s | 12 Gbit/s
    Dual SRUs | Dual-SRU dual forwarding | Dual-SRU dual forwarding
    Dual power modules | Supported | Supported
    Port | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports) | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports)
    SIC slot | 4 | 4
    WSIC slot (default/maximum) | 2/8 | 2/8
    XSIC slot (default/maximum) | 4/6 | 4/6
    Memory | 8 GB | 16 GB
    Flash memory | 2 GB | 4 GB
    Operating temperature | 0°C to 45°C | 0°C to 45°C
    [Figures: AR6300 front view; AR6300 rear view]
  • 396.
    NetEngine AR6280: High-Reliable Router for the HQ and Large Branches
    High reliability
    • Double power modules
    • Fan redundancy design
    NetEngine AR6280
    • SRU: SRU-400H/SRU-600H
    • High-density slots: 4 x SIC slots, 2 x WSIC slots, 2 x XSIC slots
    • High-density ports (SRU400H/SRU600): WAN: 14 x 10GE optical ports; LAN: 10 x GE electrical ports
    • Double power modules
    • Independent swappable fan modules
    Performance: Huawei 14 Gbit/s vs. other vendors 1.5 to 9.6 Gbit/s; 3x the industry average (Tolly certified)
    * Two SIC slots can be combined into one WSIC slot, and two WSIC slots can be combined into one XSIC slot.
    * 10GE optical ports can be switched to GE optical ports, and LAN ports can be switched to WAN ports.
  • 397.
    NetEngine AR6280 Specifications
    Specifications | AR6280 (SRU-400H) | AR6280 (SRU-600H)
    NAT + QoS + ACL throughput (IMIX) | 10 Gbit/s | 12 Gbit/s
    Dual power modules | Supported | Supported
    Port | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports) | 14 x 10GE optical ports + 10 x GE electrical ports (can be configured as LAN ports)
    SIC slot | 4 | 4
    WSIC slot (default/maximum) | 2/6 | 2/6
    XSIC slot (default/maximum) | 2/4 | 2/4
    Memory | 8 GB | 16 GB
    Flash memory | 2 GB | 4 GB
    Operating temperature | 0°C to 45°C | 0°C to 45°C
    [Figures: AR6280 front view; AR6280 rear view]
  • 398.
    NetEngine AR6140E-9G-2AC: All-in-One Router for Small and Midsize Branches
    5G ultra-broadband for flexible expansion
    • 5G-SIC card
    • RU-5G-101
    WAN optimization
    • Multi-fed and selective receiving, preventing packet loss
    • Per-packet load balancing, improving bandwidth efficiency
    Security
    • Built-in advanced security capabilities, such as firewall, IPS, URL filtering, and antivirus, implementing multi-level security border protection
    • IPsec VPN for secure interconnection between branches
    NetEngine AR6140E-9G-2AC
    • WAN: 2 x GE optical ports + 2 x GE ports
    • LAN: 2 x GE optical ports + 3 x GE ports
    • 4 x SIC or 2 x WSIC slots
    • 1 x USB port 3.0 expansion
    • 1 x console port
    • Double power modules
    • Built-in fan module
    • Height: 1 U
    * Ports with the same number are the same combo port.
    * Two SICs can be combined into one WSIC.
  • 399.
    NetEngine AR6121E: All-in-One Router for Small and Midsize Branches
    5G ultra-broadband for flexible expansion
    • 5G-SIC card
    • RU-5G-101
    WAN optimization
    • Multi-fed and selective receiving, preventing packet loss
    • Per-packet load balancing, improving bandwidth efficiency
    Security
    • Built-in advanced security capabilities, such as firewall, IPS, URL filtering, and antivirus, implementing multi-level security border protection
    • IPsec VPN for secure interconnection between branches
    NetEngine AR6121E
    • WAN: 2 x GE combo ports, 1 x 10GE optical port
    • LAN: 8 x GE ports, 1 x GE combo port
    • 2 x SIC
    • 1 x USB port 3.0 (compatible with USB 2.0)
    • 1 x console port
    • Single power module
    • Height: 1 U
    • Mounting ears can be installed.
    * Ports with the same number are the same combo port.
    * Two SICs can be combined into one WSIC.
  • 400.
    NetEngine AR6100 Specifications
    Specifications | AR6121E | AR6140E-9G-2 (AC)
    NAT + QoS + ACL throughput (IMIX) | 2 Gbit/s | 2 Gbit/s
    Port | WAN: 1 x 10GE optical port + 2 x GE combo ports; LAN: 8 x GE ports + 1 x GE combo port | WAN: 2 x GE optical ports + 2 x GE ports; LAN: 2 x GE optical ports + 3 x GE ports
    SIC slot | 2 | 4
    WSIC slot (default/maximum) | 0/1 | 0/2
    Memory | 4 GB | 4 GB
    Flash memory | 1 GB | 1 GB
    Operating temperature | 0°C to 45°C | 0°C to 45°C
  • 401.
    AR6710: Security Converged Gateway
    6 built-in enterprise-level security capabilities
    • IPS, URL filtering, antivirus, firewall, IPsec, SA
    One device for one branch
    • LAN ports: 48*GE electrical ports. One device in a small- or medium-sized branch manages one branch, reducing O&M costs.
    1G SD-WAN forwarding performance
    SRv6
    • Intelligent optimal path selection
    • E2E latency assurance
    NetEngine AR6710-L50T2X4
    • 48 x GE copper ports
    • 2 x GE copper ports
    • 2 x 10GE SFP+ ports
    • 4 x SIC expansion slots
    • 1 x console port
    • 1 x MGMT port
    • Dual hot swappable power modules
    • Built-in fan module
    * Switching between WAN and LAN ports
    NetEngine AR6710-L26T2X4
    • 24 x GE copper ports
    • 2 x GE copper ports
    • 2 x 10GE SFP+ ports
    • 4 x SIC expansion slots
    • 1 x console port
    • 1 x MGMT port
    • Dual hot swappable power modules
    • Built-in fan module
    * Switching between WAN and LAN ports
    * Note: NetEngine AR6710-L50T2X4-T and NetEngine AR6710-L26T2X4-T models support TPM chips to enhance startup security.
  • 402.
    NetEngine AR651W-8P: All-in-One Multi-Functional Access Router for Small Branches
    All in One
    • Integration of the routing, switching, VPN, security, and WLAN functions
    PoE+ power supply
    • Directly connected to devices such as APs and cameras, simplifying power cable routing
    Plug-and-play of 5G/4G modules
    • RU-5G-101
    • LTE MIC card
    NetEngine AR651W-8P
    • WAN: 2 x GE combo ports
    • LAN: 8 x GE ports
    • 2 x Wi-Fi antenna ports
    • 1 x MIC expansion slot
    • 1 x USB port 2.0
    • 2 x console ports
    • 1 x power port
    • PoE power port
    • Indicators on the AR651W-8P
    * Ports with the same number are the same combo port.
    * If PoE+ power supply is required, a 150 W PoE power adapter must be configured.
  • 403.
    NetEngine AR650 Series Specifications
    Specifications | AR651 | AR651W-8P | AR651W | AR657W
    NAT + QoS + ACL throughput (IMIX) | Default value: 1 Gbit/s; Enhanced license: 2 Gbit/s | 2 Gbit/s | Default value: 1 Gbit/s; Enhanced license: 2 Gbit/s | Default value: 1 Gbit/s; Enhanced license: 2 Gbit/s
    Port | WAN: 2 x GE combo ports; LAN: 8 x GE ports (can be configured as WAN ports) | WAN: 2 x GE combo ports; LAN: 8 x GE ports (can be configured as WAN ports) | WAN: 2 x GE combo ports; LAN: 8 x GE ports (can be configured as WAN ports) | WAN: 2 x GE combo ports + 1 x VDSL 35B port; LAN: 8 x GE ports (can be configured as WAN ports)
    PoE | - | PoE+/PoE++ (150 W) | - | -
    Slot | 1 | 1 | 1 | 1
    Wi-Fi | - | - | 802.11ac/b/g/n | 802.11ac/b/g/n
    LTE | LTE MIC card | LTE MIC card | LTE MIC card | LTE MIC card
    Memory | 2 GB | 2 GB | 2 GB | 2 GB
    Flash memory | 1 GB | 1 GB | 1 GB | 1 GB
    Operating temperature | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C
  • 404.
    NetEngine AR610 Series Specifications
    Specifications | AR611W | AR617VW | AR617VW-LTE4EA/AR617VW-LTE4
    NAT + QoS + ACL throughput (IMIX) | 300 Mbit/s | 300 Mbit/s | 300 Mbit/s
    Port | WAN: 1 x GE combo port; LAN: 4 x GE ports (can be configured as WAN ports) | WAN: 1 x GE combo port + 1 x VDSL port; LAN: 4 x GE ports (can be configured as WAN ports) | WAN: 1 x GE combo port + 1 x VDSL port; LAN: 4 x GE ports (can be configured as WAN ports)
    Slot | - | - | -
    Wi-Fi | 802.11ac/b/g/n | 802.11ac/b/g/n | 802.11ac/b/g/n
    Voice | - | 2 x FXS ports | 2 x FXS ports
    LTE | - | - | Supported
    Memory | 1 GB | 1 GB | 1 GB
    Flash memory | 1 GB | 1 GB | 1 GB
    Operating temperature | 0°C to 45°C | 0°C to 45°C | 0°C to 45°C
    Note: The AR617VW-LTE4 is available only in Latin America.
  • 405.
    5G Uplink: SIC-5G-100 and RU-5G-101
    Specifications | SIC-5G
    Frequency band, 5G NR | n1/n3/n28/n41/n77/n78/n79
    Frequency band, LTE FDD | B1/B3/B5/B7/B8/B20/B28
    Frequency band, LTE TDD | B34/B38/B39/B40/B41
    Frequency band, WCDMA | B1/B5/B8
    Data rate | 5G SA: 230 Mbit/s in the uplink and 900 Mbit/s in the downlink; 5G NSA: 115 Mbit/s in the uplink and 900 Mbit/s in the downlink

    Specifications | SIC-5G
    Frequency band, 5G NR NSA | n1/n3/n5/n7/n8/n20/n28/n38/n40/n41/n77/n78/n79
    Frequency band, 5G NR SA | n1/n3/n5/n7/n8/n20/n28/n38/n40/n41/n77/n78/n79
    Frequency band, LTE FDD | B1/B3/B5/B7/B8/B18/B19/B20/B26/B28/B32
    Frequency band, LTE TDD | B34/B38/39/B40/B41/B42/B43
    Frequency band, WCDMA | B1/B3/B5/B6/B8/B19
    Hardware specifications, Interface | Fixed 2 x GE RJ45 ports
    Hardware specifications, Number of SIM cards | 2 x SIM cards
    [Figure labels: RU-5G-101; SIC-5G-100; Antenna]
  • 406.
    RU-5G-101: Providing 5G Wireless Access for Enterprise Routers
    High reliability
    • Wide temperature range: –40°C to +70°C
    • Surge protection: 3 kA
    • Double-card single-standby, 1+1 power supply backup for PDs
    All-scenario installation
    • Outdoor installation: IP65 rating, dust- and water-proof
    • Wall-mounted on the balcony: EMC Class B
    Unique floating ground design
    • Free of grounding cables, built-in omnidirectional antenna with high gains, connecting to the AR router via only an Ethernet cable (at a maximum distance of 50 m)
    It can be used with all NetEngine AR600/AR6000 series routers.
    [Figure labels: 5G-RU-101; SIM card slot (SIM1 and SIM2); 2 x GE/PoE_IN ports; Console port; Ventilation valve]
  • 407.
    NetEngine AR1000V: One Hop to Six Clouds
    Service models in different service scenarios
    ⚫ Basic SD-WAN: EVPN + IPsec + HQoS
    ⚫ Typical SD-WAN: EVPN + IPsec + FPI + SA + NetStream + HQoS
    ⚫ SD-WAN IWG: EVPN + IPsec + MPLS
    R21C00
    Role: IWG, Hub, Spoke, vRR. It cannot be used in white-box and traditional solution scenarios.
    Performance: 1G, 5G, and 10G, mainly used on the cloud and as the IWG
    Running environment
    • Infrastructure: x86 platform
    • Hypervisors: VMware ESXi, Red Hat KVM, Huawei FusionSphere, Microsoft Hyper-V
    • Public cloud platforms: Huawei Cloud, China Telecom e-Cloud, Alibaba Cloud, AWS, Microsoft Azure, and Tencent Cloud
    • The AR1000V can be automatically deployed on Huawei Cloud and AWS through the controller, but needs to be manually deployed on other clouds.
    Supported private clouds
    • Private clouds that support the preceding hypervisors
    Features not supported
    • WAN optimization capabilities, including FEC, multi-path packet duplication, and per-packet load balancing
    • Security capabilities, including antivirus, IPS, and URL filtering
    • Layer 2 interfaces and Layer 2 features
    [Figure labels: Universal server (X86 architecture); Hypervisor (KVM/VMware/FusionSphere); AR1000V; Router; VPN; QoS; Eth/IP; Security]
  • 408.
    All-In-One Convergence, Simplified Branch Interconnection
    • Secure interconnection between branches. Built-in security: Built-in firewall, IPS, URL filtering...
    • On-demand VPN interconnection. Diversified VPN types: Multiple types of Layer 2/Layer 3 VPNs
    • Application experience assurance. Application optimization: A-FEC, multi-fed and selective receiving, and application-based intelligent traffic steering
    • Simplified branch O&M. Plug-and-play: Email-, USB-, and DHCP-based deployment
    • Smart routing. Flexible switchover: Layer 3 routing and forwarding/Layer 2 switching
  • 409.
    Smart Policy Routing (SPR), Load Balancing Among Multiple Links
    Requirements & Challenges
    • Traditional routing is performed based on the shortest path, without considering the routing path quality.
    • Different types of key services, such as voice, video, and data services, require routing paths of different quality.
    SPR
    • NQA: As the basis of SPR, NQA is used to detect the path quality.
    • Traffic Policy: Traffic policies are used to identify key services and match corresponding paths.
    Benefits
    • Select the optimal link to forward service data, effectively preventing problems such as network blackhole and flapping.
    • Ensure the link quality for key services.
    [Figure labels: Enterprise branch; NetEngine AR; 5G/LTE escape link; Video and voice; Data; DC]
    Note: To enable SPR, you need to configure the license of the value-added service package for data services.
    Smart Routing | VPN Interconnection | Secure Interconnection | Experience Assurance | Simplified O&M
  • 410.
    Integrated Routing and Switching: Flexible Switching Fixed ports: LAN ports can be switched to WAN ports using the undo port switch command. Fixed ports: WAN ports can be switched to LAN ports on some models. Layer 2 cards configured with VLANIF interfaces support simple Layer 3 forwarding, but do not support NAT, MPLS, IPsec, and HQoS. Some Layer 2 cards support LAN/WAN switching.
  • 411.
    Diversified VPNs: Providing Secure Channels for Enterprise Branch Interconnection Internet Branch A Branch B Branch C Mobile employee Enterprise HQ Enterprise DC IPsec DSVPN Branch D Scenarios Solutions and Benefits • Interconnection between enterprise branches and HQ: The enterprise HQ and branches communicate with each other, involving multicast service requirements such as video conferencing. • Interconnection between enterprise branches: High security is required for communication between enterprise branches. • Mobile office: The access location is flexible. • GRE over IPsec VPN solution: Multi-protocol secure interworking, supporting multicast, broadcast, and non-IP packets • IPsec DSVPN solution: On a hub-spoke network, branches dynamically establish secure VPN connections as required. • L2TP over IPsec VPN solution: L2TP dial-up of clients and IPsec encryption for P2P and E2E secure interconnection as required
  • 412.
    Comprehensive Six Border Security Protection Capabilities Flexible traffic steering for SaaS applications, ensuring service quality • Local, centralized, and hybrid Internet access modes are available, ensuring services. • Application-based flexible traffic steering Abundant built-in security capabilities, saving costs and simplifying O&M • Built-in L7 application identification and control, 6 enterprise-level security capabilities, ensuring Internet access security, reducing costs, and facilitating management but requiring no additional devices Internet Branch SaaS Local breakout for SaaS Centralized Internet access HQ NetEngine AR ACL FW URL filtering IPS Antivirus Data encryption Remote URL filtering 140+ categories, > 96% accuracy Fine-grained Internet access control Real-time remote query Mainstream VPN encryption protocols Antivirus 5+ million signatures Remote real-time update of the virus signature database IPS 1600+ attacks detected, > 90% detection rate Remote real-time update of the IPS signature database Built-in firewall Stateful inspection and packet filtering firewalls Application-level ACL 6000+ applications in the SA database, user-defined applications Fine-grained control
  • 413.
    Identification of Various Applications, Including Well-Known Applications and Private Applications Signature database (new) Signature database (old) Seamless switchover Protocol 1 Protocol 2 ... New protocol Protocol 1 Protocol 2 ... Remote signature database file Identification of various applications • Multiple identification methods are supported: including packet signature identification, correlation identification, and behavior identification. • 6000+ mainstream applications in and outside China are supported, including Office 365, VoIP, game, email, and video. • Applications can be customized based on the 5-tuple, URL, and DSCP, facilitating identification of private applications. Flexible SA signature database upgrade, ensuring the identification of all new applications • The SA signature database file is maintained and released by Huawei Security Competence Center. Customized applications can also be imported. • Batch upgrade, scheduled upgrade, and periodic release of new signature databases are supported. • The SA signature database upgrade status can be checked, including the upgrade time, countdown, upgrade progress bar, and upgrade success/failure. • The SA signature database can be rolled back if it fails to be upgraded. SA engine Unidentified packets Identified packets Application policy SA Correlation identification Customized applications Identification of various applications and flexible SA signature database upgrade Flexible SA signature database upgrade Identification of various applications
  • 414.
    Multi-Fed and Selective Receiving, Ensuring Zero Packet Loss for Key Services and 0 ms Service Switchovers X P1 P2 P3 P4 Key services Weak signal P1 P2 X P4 5G P1 P2 X P4 No service interruption Multi-fed and selective receiving, preventing packet loss P1 X P3 P4 5G/wired P1 P3 P4 Multi-fed Selective receiving AR-assisted remote guidance Telemedicine Dual experience assurance for key services Optimized experience Optimized experience • The AR on the transmit end duplicates traffic flows and sends different copies through different links. After receiving the traffic, the AR on the receive end selects in-order packets on one link to receive, which ensures service experience. • Since two copies of flows are sent over two links at the same time, if packets on one link are lost, service experience is not affected, achieving 0 ms service switchovers. Without dependency on underlay links, applicable to various scenarios • Supports dual 5G links, 5G+wired link, and different wired links to fit various application scenarios. Flexible and controllable application-based policies • Allows users to enable/disable this function for specific application services, improving device performance and saving link bandwidth resources.
  • 415.
    Per-Flow/Per-Packet Load Balancing, Improving Bandwidth Utilization to 90% Uneven traffic distribution on links, resulting in low bandwidth utilization Per-flow and per-packet load balancing: No congestion occurs on high-quality links, and the bandwidth utilization > 90%. Congested active link (MPLS) Uneven traffic distribution on links The primary link is congested, and the backup link is idle. Low comprehensive bandwidth utilization 5G Backup link Idle P1 P2 P2 P3 P4 P1 P3 P4 Packet reassembly P1 P2 P3 P4 P1 P2 P3 P4 P1 P2 P3 P4 P1 P2 P3 P4 Key services Common service (elephant flow) Transmit end Receive end MPLS (high-quality link) 5G/Internet (lossy link) • Per-flow/per-packet load balancing for common services (elephant flows) to share high-quality links • Packets on high-quality links are dynamically adjusted based on the bandwidth, improving bandwidth utilization and preventing congestion. • Packets lost on lossy links are retransmitted once to avoid packet loss and ensure low latency.
  • 416.
    Built-in AC function, Managing Wi-Fi APs in a Unified Manner Tablet AP AP AP NetEngine AR WAN Policy center • Applicable to small and midsize enterprises and integrated wired and wireless networking • APs forward data locally, and ARs authenticate users in a centralized manner. • Both APs and ACs support Layer 2 and Layer 3 networking. Application scenarios • All AR series routers support the built-in AC function. • Huawei APs can be managed. For details about supported models, see the product manual. • Multiple authentication methods are supported, including Portal authentication, 802.1X authentication, and MAC address authentication, ensuring secure and flexible access. Industry's first built-in AC, simplifying branch wireless networking
  • 417.
    Multiple ZTP Modes: Zero Touch and Plug-and-Play Devices DHCP USB flash drive Email Network Power supply NetEngine AR Plug-and-play devices, minute-level deployment Multiple ZTP modes, applicable to branch network deployment in different scenarios Adaptation to different interfaces: Eth/LTE/xDSL... Adaptation to different access modes: static IP address, PPPoE, DHCP... Adaptation to different deployment scenarios: dual-CPE, batch deployment, device replacement... 5G 5G/Internet/MPLS Go online after initiating registration with iMaster NCE
  • 418.
    Quiz 1. Multiple-answer question: Which security features do NetEngine AR routers support? ( ) A. Built-in firewall B. URL filtering C. Antivirus D. IPS E. Data encryption
  • 419.
    Summary ⚫ This chapter describes Huawei NetEngine AR products and their application scenarios (all series routers support SD-WAN): • HQ/Large branches: AR8000, AR6280, and AR6300 • Midsize branches: AR6100 and AR6710 • Small branches: AR650 • SOHO: AR610 ⚫ It also describes the highlights of the NetEngine AR routers in terms of intelligent routing, VPN interconnection, security, experience assurance, and simplified O&M.
  • 420.
    More Information ⚫ Product overview: https://e.huawei.com/en/products/enterprise-networking/routers ⚫ Detailed introduction materials: https://e.huawei.com/en/material/materiallist ⚫ Campus network solution: https://e.huawei.com/en/solutions/business-needs/enterprise-network/campus-network ⚫ Product documentation: https://support.huawei.com/enterprise/en/routers/ar6000-pid-250680700
  • 421.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. Bring digital to every person, home, and organization for a fully connected, intelligent world. Thank you.
  • 422.
    Huawei Data Center Network Products and Solutions Presales Training ⚫ Security Level:
  • 423.
    Foreword ⚫ This course describes basic concepts of data center networks (DCNs), Huawei's CloudFabric 3.0 hyper-converged DCN solution, and basic knowledge of Huawei's CloudEngine data center (DC) switches.
  • 424.
    Objectives ⚫ On completion of this course, you will be able to: • Describe the basic architecture of a DCN. • Have general knowledge of Huawei's all-Ethernet storage network and autonomous driving DCN solutions. • Understand Huawei's CloudEngine DC switches and their deployment scenarios.
  • 425.
    Contents 1. DCN Fundamentals 2. CloudFabric 3.0 Autonomous Driving Network 3. CloudFabric 3.0 All-Ethernet Storage Network 4. CloudEngine Switch Introduction 5. Market Progress
  • 426.
    What is a DC? • A DC is used by enterprises and departments to store, manage, and exchange information and data. • It usually includes computing resources, storage resources, data communication network, power supply, environment control, and various security devices. • Based on the number of standard racks, DCs can be classified into small and midsize DCs (< 3000 racks), large DCs (3000-10000 racks), and ultra-large DCs (> 10000 racks). Phase 1: server hosting Phase 2: server hosting and web hosting Phase 3: traditional services and new network applications Provides hosting and maintenance services for basic resources and facilities such as sites, network bandwidth, and communication devices. These services are mostly provided by telecom carriers. Provides services such as data storage management, security management, network interconnection, egress bandwidth, link, and QoS, besides the server hosting service. Large-scale, virtualized, and comprehensive DCs, implementing on-demand services and reducing power consumption 1990s 1995-2004 2005-present DC Evolution DC Introduction
  • 427.
    DCN Introduction What is a DCN? • A DCN plays an important role in a DC because it connects all DC resources. • DCNs need to be scalable and efficient to connect tens or even hundreds of thousands of servers to cope with the growing demands of cloud computing. DCN components and technologies: 1. Network device Switches, routers, etc. 2. Ethernet cable Interface cables, optical fibers, etc. 3. Network addressing scheme IPv4, IPv6, etc. 4. Network security Firewalls, intrusion detection systems (IDSs), etc. 5. Internet connection Private lines, optical fibers, etc. Spine Internet Server Physical connections Storage Leaf Border leaf Logical topology Server Server Server Server Server Access switch Access switch Access switch Access switch Access switch Core/Aggregation switch
  • 428.
    DCN Connects General-Purpose Computing, HPC, and Storage Devices General-purpose computing Storage HPC Storage network Service network Computing network DCN
  • 429.
    Typical DC Evolution Trend Distributed computing Distributed DB Distributed storage Physical machines (PMs) Single-point interaction VMs in a DC Intra-cluster interaction Inter-cluster interaction VMs and containers in a DC Elastic large-scale cluster Massive east-west traffic Cloud-based DC deployment Multiple clouds Tenant isolation and access Centralized Virtualized Distributed Multi-site and multi-cloud
  • 430.
    Three IT Transformations Drive DCNs Towards All-Ethernet Scale: 100x Centralized -> Distributed IT architecture Computing unit Storage media PCIE IB Ethernet CPU/GPU interconnection over Ethernet Performance: 100x or AS-IS TO-BE Capacity: 1000x SCSI NVMe FC (32G) RoCE (400GE) PCIe is replaced HDD -> SSD All-flash storage interconnection over Ethernet Server interconnection over Ethernet Ethernet Ethernet Centralized Distributed Intel Ascend Kirin Huawei NetApp DELLEMC
  • 431.
    Three Challenges Faced by DCN All-Ethernet Evolution More complex O&M on large networks Zero packet loss required for dual-active storage Zero packet loss required for HPC The packet loss rate increases exponentially as the number of network nodes increases on a traditional Ethernet. Traditional Ethernet lacks effective O&M methods. The network is too complex to be handled manually. 0.2%–0.3% packet loss rate The latency increases in intra-city long-distance transmission, making cross-DC flow control more difficult on a traditional Ethernet network. 0.15% 0.02% (> 70 km) DC A DC B 1000 nodes, millions of configurations Nodes
  • 432.
    CloudFabric 3.0 Hyper-Converged DCN Solution Full-lifecycle automation TTM reduced by 90% Network-wide intelligent O&M Proactive prediction of 90% of faults Active-active all-Ethernet storage network Storage performance improved by 90% 100% computing power unleashing All-Ethernet HPC network Hyper-converged DCN General-purpose computing Storage HPC Optimization Planning Multi-cloud Construction Maintenance Automation Intelligence Lossless all-Ethernet Zero packet loss for local and long-distance transmission Convergence of computing and storage networks Network-wide intelligent O&M Device/Port/Optical module/Network/Service Predictive O&M, ensuring zero service interruption Full-lifecycle automation Automation of planning, construction, maintenance, and optimization Intent-driven network, enabling network servitization Three Characteristics Core Values OpenStack Kubernetes FusionSphere VMware
  • 433.
    Hyper-Converged DCN Solution Overview Application layer • Cloud OS: collaboratively manages computing, storage, and network resources. The container provisioning platform creates and provisions containers. Control and analysis layer • Computing manager: implements virtualization and resource management at the computing layer. • Network controller: manages and controls network devices in a centralized manner. • VAS controller: provides security policy control for firewalls. • Multi-DC network orchestration: The MDC is used to uniformly orchestrate multiple private cloud DCs. • Network analyzer: analyzes intra-DC traffic and quickly locates traffic exceptions. The MDA is used to analyze inter-DC traffic and evaluate the health status of inter-DC traffic. Forwarding layer • Network devices: CloudEngine series switches are used as physical switches to support various DC features. • VAS devices: NGFWs/vNGFWs are used to provide multiple security features for DCs. LBs are used to provide flexible load balancing services for DC services. Traffic diversion to third-party VAS devices is supported. DC 1 Cloud platform Container platform FabricInsight HiSec Insight Cloud OS VMM iMaster NCE-Fabric SecoManager vSwitch Leaf Leaf Spine NGFW/vNGFW Third-party firewall Server pool VAS pool Fabric Intelligent and lossless network DC n MDC Core WAN Multi-DC fabric Fabric gateway Fabric gateway Application layer MDA Public cloud ... iMaster NCE-Fabric FabricInsight Control and analysis layer Forwarding layer
  • 435.
    Collaboration with the Industry to Promote L0 to L5 Standards for Autonomous Driving Networks Level Definition L0: Manual O&M L1: Tool-assisted automation L2: Partial Autonomous Network L3: Conditional Autonomous Network L4: High Autonomous Network L5: Full Autonomous Network Execution By human By human/system By system By system By system By system Awareness By human By human By human/system By system By system By system Analysis By human By human By human By human/system By system By system Decision-making By human By human By human By human/system By system By system Intent/Experience By human By human By human By human By human/system By system Application scope N/A Some scenarios All scenarios Key Features Manual processing Automatic processing Manual fault remediation Automatic fault remediation Special scenario All scenarios TMF Autonomous Network White Paper 2.0 (jointly with 22 vendors and users) Huawei ADN White Paper Huawei Autonomous Driving Data Center Network Solution White Paper IDC: Leveraging the Autonomous Driving Datacenter Network Index • Download the Tolly report at http://3ms.huawei.com/documents/docinfo/494215783089229824?bookstackId=13672&catalogId=394909258739236864.
  • 436.
    3.5:2.8: Huawei's Autonomous Driving DCN Takes the Lead in the Industry Phase Day 0 Day 1 Day 2 Day N Scenario Planning and design • Online planning • Online simulation and verification Deployment • Exception reporting during automatic commissioning Service provisioning • Service intent-based configuration recommendation • Online simulation and verification Monitoring and troubleshooting • Automatic fault demarcation • Automatic service recovery Network change • Online simulation and verification • Proactive exception detection Optimization and parameter adjustment • Indicator deterioration prediction • Automatic parameter adjustment Weight 5% 5% 15% 35% 35% 5% 3.6 Vs 2.7 3.3 Vs 2.9 3.7 Vs 2.9 3.6 Vs 2.9 3.4 Vs 2.7 3.2 Vs 2.5 3.5 Solutions of other vendors Controller & Analyzer iMaster NCE-Fabric NCE-FabricInsight Controllers of other vendors Switches of other vendors CloudFabric DC ADN 2.8 : "Huawei's CloudFabric solution scored 3.51 points, outperforming the 2.8 points scored by the mainstream DC SDN solution in the industry. The CloudFabric solution is the only DCN solution that provides L3.5 autonomous driving in the industry among all DCN solutions evaluated by Tolly." Industry average Other vendors Switches CE 16800 9800/8800/6800
  • 437.
    iMaster NCE-Fabric: Data Center Surpassing L3 Autonomous Driving Network Engine Zero-wait deployment ◼ 21 intent cases, fully automated planning, design, and deployment ◼ Multi-DC and multi-cloud, implementing automatic orchestration Zero configuration errors ◼ Underlay/Overlay pre-event simulation, eliminating human errors ◼ Network change simulation, ensuring zero network design errors Zero service interruption ◼ Three-level (network-wide/tenant/service) rollback, achieving network-wide fast recovery within 20 minutes ◼ Automatic fault remediation, rectifying faults within 5 minutes Fast Accurate Stable Fast provisioning, error-free configuration, fast rollback Planning Construction Maintenance Optimization Intent recommendation Network automation Intelligent fault remediation Simulation and verification AI inference Digital twin Public cloud Leaf Leaf Spine Spine Leaf Leaf DC 1 Industry cloud Leaf Leaf Spine Spine Leaf Leaf DC N Customer service system/operations platform Interconnecting with service systems in the northbound direction Shielding network differences in the southbound direction OpenStack Kubernetes FusionSphere Red Hat
  • 438.
    iMaster NCE-Fabric Delivers Simplified Full-Lifecycle Management & Control for DCNs Day 0 planning and construction Day N change and optimization Day 1: service provisioning 01 DC construction 02 Application launch 03 Application change 04 Application interconnection 05 Application offline 06 Server capacity expansion 07 Server leaf node capacity expansion 08 Border leaf node capacity expansion 09 VAS capacity expansion 13 Network analysis 14 Risk prediction 15 Device replacement 16 Server port replacement 10 Passive complaint handling 17 Server offline (follow-up) 19 20 21 11 Key assurance monitoring 18 12 Network change simulation Device upgrade and patch installation Traffic optimization and capacity expansion Application optimization (follow-up) Network optimization (follow-up) Day 2 O&M and monitoring
  • 439.
    iMaster NCE-FabricInsight: Smart Brain of Autonomous Driving DCNs Fault locating within minutes ⚫ "1-3-5" intelligent O&M, automatic locating for 90% of faults ⚫ Application-network integration analysis and one-click fault demarcation Comprehensive health evaluation ⚫ Five-dimensional network health evaluation system, 24/7 real-time visualization ⚫ Prediction of 20+ risks, ensuring that the SLA is not affected Comprehensive network change assurance ⚫ Automatic identification of configuration and entry changes, improving efficiency by 10 times ⚫ Automatic verification of network-wide connectivity, ensuring comprehensive assurance of important services Network telemetry Software SDN Multi-cloud network Hardware SDN Multi-vendor devices Traditional network Vendor A Vendor B Public cloud On-premises cloud Private cloud Unified modeling Network digital map Intent engine AI learnware Big data analytics Network health evaluation "1-3-5" troubleshooting Application fault demarcation Network optimization Key service assurance Integrator ITSM APM NPM Full data service openness and one-click release of scenario-based APIs RoCE network RoCE
  • 440.
    FabricInsight: Building All-Scenario O&M Service Apps Based on Knowledge Graph Modeling Network digital map Intent engine AI learnware Big data analytics Data catalog AI capability Scenario-specific app Open orchestration Atomic service Network health evaluation "1-3-5" troubleshooting Data plane intent verification IP 360 Network snapshot comparison NetSearch O&M service Data collection Intelligent analysis Intelligent platform Openness service ... ... Unified modeling Configuration data Network metrics Forwarding entry Log & alarm Network topology Network resource Service flow Heterogeneous network Hardware SDN Software SDN Traditional network Intelligent and lossless network Public cloud Hybrid overlay
  • 441.
    iMaster NCE-FabricInsight vs Traditional NMS Telemetry Second-level data collection SNMP 5-minute polling period Passive response Proactive O&M Service-centric Performing inspection 2 hours a day Depending on manual fault locating Multi-DC and multi-cloud Separated and independent O&M Overall perspective Unified O&M Traditional NMS Device-centric Network data visualization in all scenarios • Eight-dimensional indicator analysis • Anomaly detection based on dynamic baselines "1-3-5" troubleshooting • AI algorithm + expert experience • Automatic locating of multi-vendor device problems Comprehensive network health evaluation • Five-layer evaluation model + AI algorithm • Capacity/Traffic risk prediction iMaster NCE-FabricInsight Minute-level risk identification Automatic troubleshooting Multi-cloud and multi-DC analysis • Unified health evaluation for multiple DCs • Visualized cross-cloud service access
  • 442.
    Large and Midsize SDNs Have Strong Demands for Automated Planning, Deployment, and O&M ⚫ DC personnel focus on services, and there is a lack of CCIE-level planning experts for networks. ⚫ The service department detects problems before the network department, and the network cannot prove its innocence. Pain points 3 to 5 weeks for manual design 1 to 2 days for manual evaluation Automatic configuration delivery Manual analysis Static optimization Manual fault locating in hours Knowledge graph Capacity expansion Self-design Self-verification Self-recovery Self-optimization Maintenance Construction Planning Optimization Requirements Typical customers Single-active Multi-active ⚫ A new DR DC is built for the delivery of multi-active services. ⚫ SDN makes the network a black box, making it difficult to locate faults. ⚫ Planning and design take more than 60% of network O&M personnel's working hours. Scattered Centralized
  • 443.
    Intelligent ADN Deployment: Deployment Efficiency Three Times the Industry Average, Zero Wait, Zero Error, and Zero Interruption Zero-wait deployment 21 intents (planning/design/deployment) Deployment efficiency improved by 90% Zero configuration errors Pre-event AI-powered simulation, post-event verification 100% configuration correctness Zero service interruption Multi-level rollback (network-wide/tenant/service) Fast and flexible rollback based on the fault impact scope No planning/design automation Complex operations, multi-interface switching, low efficiency No pre-event simulation 40% of network faults caused by human errors No service rollback Precise fault rectification not possible, network-wide rollback extremely slow SDN in the industry ADN
  • 444.
    O&M Challenges: Evolution from Traditional Manual O&M to AI-Powered Intelligent O&M More than 85% of network faults are detected only after service complaints. On average, it takes 76 minutes to locate a fault. System shutdown causes a loss of a million US dollars per hour. Source: Network Computing, the Meta Group and Contingency Planning Research Manual fault identification Manual packet obtaining for fault locating Manual step-by-step fault isolation Media Healthcare Retail Manufacturing Telecom Power Finance 2.0 2.8 6.48 1.6 1.1 0.63 0.09 30% can be identified through traditional O&M. 70% cannot be identified through traditional O&M. Abnormal flows account for 3.65% of network-wide flows. Zero fault tolerance Difficult fault detection Difficult fault locating
  • 445.
    "1-3-5" Intelligent O&M for ADNs: Faults Detected in 1 Minute, Located in 3 Minutes, and Rectified in 5 Minutes Real-time network health monitoring Service assurance upon changes Real-time network health 70+ metrics Telemetry-based data collection in milliseconds Real-time full information collection AI knowledge graphs "1-3-5" intelligent O&M Quick locating of 75+ faults Unknown fault inference and learning 24/7 automated intent verification on the data plane Configuration comparison before and after network changes Comprehensive assurance for mission-critical services Quick root cause locating Route switching Many trucks No systematic evaluation, depending on expert's experience No intelligent analysis, failing to quickly locate root causes of failures No method to predict road conditions, switching routes blindly Traditional solution
  • 446.
    CloudFabric SDN Private Cloud Baseline Networking DC2 Spine Server leaf Border leaf Service leaf Fabric gateway M-LAG Multi-active M-LAG 2. VAS device in bypass mode 1. VAS device in service mode CloudFabric product model selection (models in blue are recommended models) 1. Server leaf node: ➢ 10GE access and 40GE/100GE uplink: CE 6881 ➢ 25GE access and 100GE uplink: CE 6863E, CE 6866 ➢ Hybrid-rate access: CE 8851, CE 16800 (G card) 2. Spine node: ➢ Modular device networking: CE 16800 (G card), CE 16800 (P card) ➢ Fixed device networking: CE 9860, CE 8850, CE 8851 3. Border leaf node: ➢ Modular device networking: CE 16800 (G card), CE 16800 (P card) ➢ Fixed device networking: CE 6881, CE 6863E, CE 8851, CE 6866, CE 6870 4. Service leaf node: ➢ Modular device networking: CE 16800 (P and G cards) ➢ Fixed device networking: CE 6881, CE 6863E, CE 8851, CE 6866, CE 6870 5. Fabric gateway (DCI leaf node): ➢ Modular device networking: CE 16800 (G card), CE16800 (P card) ➢ Fixed device networking: CE 6881, CE 6870 Scenario constraints: (1) Two-layer architecture: If the number of physical servers on the entire network is less than 200 or the number of VMs is less than 6000, the two-layer architecture where border leaf nodes and spine nodes are combined can be used, and the optional models include CE16800. (2) The fixed device networking does not support the two-layer architecture where border leaf, service leaf, and spine nodes are combined.
  • 447.
    CloudFabric Easy: Standard Solution for Small and Midsize DCs, Simplifying Pre-/Post-Sales Egress 1. Limited equipment room space and small scale 2. Fixed services, no capacity expansion 3. Standard networking, simplifying delivery Hosting or mini-sized equipment room with fewer than 30 cabinets + Border leaf: iMaster NCE-Fabric/iMaster NCE-FabricInsight 25GE: CE6863E-48S6CQ 10GE optical: CE 6881-48S6CQ 10GE electrical: CE 6881-48T6CQ CE 8850-64CQ-EI/9860 CE 16804 CE 6863E-48S6CQ CE 6881-48S6CQ Server leaf: Spine: Service requirements CloudFabric Easy baseline networking Single-node deployment using the 2288X V5 (x86) server Euler OS Controller:
  • 448.
    Multi-DC Controller: Collaborative Orchestration of Public and Private Clouds VPC Subnet-2 IPsec gateway IPsec VPN Private line • Separated management for multiple heterogeneous clouds • One service with multiple work orders • Insufficient O&M capabilities • 50% of O&M personnel are fully occupied by service configuration and rollout verification. • Inefficient cross-cloud deployment Solution Three-layer network visibility Low cost and high ease of use Intelligent O&M Uniform orchestration Unified model and interconnection visibility • Lack of a global perspective • Visualization on a per-resource basis • 10+ days taken to deploy a single cross-cloud service Hybrid cloud simulation and verification Cross-cloud simulation, sensing interconnection Huawei DCN hybrid cloud service architecture Hybrid cloud orchestration layer: Terraform/vRO Private cloud Public cloud MDC (hybrid cloud orchestration) Private cloud: unified management, control, and analysis Public cloud: visualized and unified O&M of network resources Common VPC The MDC innovatively defines the interconnection model, which reads VPCs of public and private clouds in the southbound direction, and implements one-click interconnection of hybrid cloud services. Scenario: distributed multi-DC and multi-cloud services for enterprises Public cloud VPC Interconnection model or Unified public cloud model Driver of public cloud vendors Zero service interruption NCE-Fabric Public cloud's open APIs NCE-FabricInsight
  • 449.
    Contents
    1. DCN Fundamentals
    2. CloudFabric 3.0 Autonomous Driving Network
    3. CloudFabric 3.0 All-Ethernet Storage Network
    4. CloudEngine Switch Introduction
    5. Market Progress
  • 450.
    RDMA and RoCE and Their Typical Applications
    Remote Direct Memory Access (RDMA) is a method of transferring data between buffers of applications on two servers over a network.
    RoCE: direct remote memory access over Ethernet
    □ Low latency
    □ High throughput
    □ Low CPU and OS resource usage
    Compared with the TCP, RoCEv2 slashes latency.
    RDMA Software Stack: RDMA Application/ULP, RDMA API (Verbs)
    RoCEv1: IB Transport Protocol, IB Network Layer, Ethernet Link Layer; Ethernet/IP Management
    RoCEv2: IB Transport Protocol, UDP, IP, Ethernet Link Layer; Ethernet/IP Management
    Traditional mode RDMA mode
    Application scenarios
    ➢ AI applications • Speech recognition • Image recognition • Autonomous driving • Intelligent recommendation ...
    ➢ Distributed storage • Back-end network • Front-end network ...
    ➢ Centralized storage • Traditional storage • Front-end network ...
  • 451.
    RDMA Performance of Computing and Storage Is Improved by 100 Times, and Packet Loss and Latency Become Computing Bottlenecks
    Hardware: With computing and storage performance improvement, the network has become a bottleneck.
    Computing power: key to AI
    Software: RDMA reduces latency.
    0.02 ms 0.02 ms Compute server Storage server Network 10 ms 10 ms 1 ms 1 ms E2E latency before computing and storage performance is improved: E2E latency after computing and storage performance is improved: HDD SSD GPU CPU
    99% of network latency is caused by packet loss.
    A packet loss rate of 2% decreases the RoCE throughput rate from 100% to 0.
    RoCE outperforms FC. RoCE has TCP advantages.
    NVMe over Fabric: 10x throughput bandwidth and lower latency, with all-Ethernet and all-IP support
    Ethernet adaptation solution UDP/IP FC Encoding FC Physical Ethernet NVMe RDMA Stack NVMe FC FS FC adaptation solution IB adaptation solution NVMe IB RDMA Stack IB Stack
  • 452.
    FC Network Introduction
    A Fibre Channel (FC) network uses an independent FC protocol stack and requires dedicated FC network devices, including:
    • FC host bus adapter (HBA): connects a server to an FC disk array. It converts SCSI packets into FC packets, without occupying host resources.
    • FC switching device: an optical switching device that implements optical switching and interconnection between HBAs of multiple servers and back-end storage devices.
    FC switching network Internal bus FC network FC HBA Storage device FC SAN FC HBA
  • 453.
    Ethernet Outperforms FC on the Storage Network in the All-Flash Era
    RoCE (Ethernet) outperforms FC in terms of storage performance, bandwidth, and management. However, replacing FC with RoCE for all-flash storage requires improvements in the following 3 aspects:
    1. Zero-packet-loss mechanism
    2. Active/standby switchover in seconds
    3. Plug-and-play
    Storage Network Focus Network performance Bandwidth Packet loss Reliability Ease of use 32/64G 400GE FC RoCE (Ethernet) Zero packet loss Packet loss easy to occur upon congestion, especially during long-distance transmission < 1s Active/standby switchover period Service interruption time during an upgrade < 1s < 1s < 8s to 15s Open Ethernet, converged architecture Closed architecture, dedicated management Routine O&M Intelligent fault locating Intelligent O&M Easy management Storage deployment Centralized management TCO High TCO Low TCO Plug-and-play Manual configuration
    The FC storage network is simple and easy to configure. Currently, the Ethernet needs certain improvements to be suitable for storage scenarios.
    To ensure storage reliability, multiple network planes are constructed, and switching should take less than 1s.
    Zero packet loss is a basic requirement of storage networks. Traditional Ethernets are prone to packet loss during congestion.
  • 454.
    All-Flash Storage Drives Storage Industry Reconstruction, Bringing a Chance to Replace FC
    All-flash era calling for faster networks
    Server OS SCSI Calls for faster networks Faster interfaces Latency reduced by 20 μs NVMe Server OS FC NoF
    By 2021, NVMe all-flash storage has exceeded SCSI storage. > 50% Source: G2M
    TOP 5 All storage vendors now support NoF. Source: official websites of storage vendors
    Three pain points of the FC live network
    Throughput: 1 million FC IOPS limit; 3 million Ethernet performance (not maximum)
    Latency: 200 μs minimum FC latency; 50 µs minimum Ethernet latency
    Bandwidth: 32G FC; 400GE Ethernet
  • 455.
    Joint Solution with OceanStor, Improving Performance by 87% and Shortening Latency by 42%
    In typical OLTP/OLAP scenarios, NoF+ RoCE SAN offers 87% higher performance and 42% shorter latency than FC.
    Joint solution: Dorado v6 All-flash storage + CloudEngine Hyper-converged Ethernet switch
    Large enterprises: ERP/CRM/VDI
    Finance: Online transaction/ODS/Data warehouse
    Government: General-purpose database/VDI
    Comparison test environment for NoF+ RoCE SAN and FC
    Chart: IOPS increase percentage and average latency (us) against single-host concurrency, FC compared with iNOF. IOPS increase: 87% higher. Average latency decrease: 42% shorter.
    * The test results are derived from the joint innovation project environment of Bank of China in 2020.
  • 456.
    Plug-and-Play Storage Servers and Link Fault Detection, Aligning Usability and Reliability with FC
    iLossless algorithm ensures zero packet loss at high throughput
    The built-in AI algorithm dynamically adjusts the threshold. Ensures zero packet loss in the case of high throughput and low latency.
    AI-powered adjustment Dynamic threshold, precise backpressure for speed adaptation Storage Server 100% throughput
    Proactive link switchover within seconds
    Real-time awareness of link status: Switches monitor faults in real time and notify the entire network of the faults. Servers proactively perform switchover, slashing the fault convergence time from 8s to 1s.
    Active link Standby link
    1. Monitors faults in real time.
    2. Notifies the server plug-in to proactively perform link switchover.
    Storage server plug-and-play
    Network-wide synchronization of single-point configurations
    Single-point configuration: configuration performed on one switch.
    Plug-and-play: automatic link setup for servers and storage devices
    A B C D Zone 1 Zone 2 Zone 3
    100 km long-distance transmission and 200GE interconnection
    iLossless algorithm upgrade, achieving zero packet loss for Ethernet transmission over 100 km
    100 km DCI DCI DCI DCI Switch DWDM
  • 457.
    Local Networking Design for a Single DC - Single-Layer Networking
    Leaf Spine Computing network Storage network Plane A Plane B TCP/IP RoCE
    • Single-layer networking applies to small networks.
    • In single-layer networking, no spine nodes are deployed and horizontal capacity expansion is supported. Generally, such networking applies to fixed services that do not require capacity expansion.
    • Compute nodes and storage nodes are connected independently. That is, each port uses an independent IP address and is not bonded with another port. Physical dual planes A and B are deployed to improve reliability.
  • 458.
    Local Networking Design for a Single DC - Two-Layer Networking
    Leaf Spine Plane A Plane B Computing network Storage network TCP/IP RoCE
    • Two-layer networking applies to midsize and large networks.
    • The spine-leaf architecture is deployed.
    • Compute nodes and storage nodes are connected independently. That is, each port uses an independent IP address and is not bonded with another port. Physical dual planes A and B are deployed to improve reliability.
    • Compute nodes are connected to independent leaf nodes. Storage nodes are directly connected to spine nodes.
    • OSPF or BGP is deployed between leaf and spine nodes to implement Layer 3 interconnection, and iNoF is enabled.
  • 459.
    Intra-City Replication Network Design
    Spine Leaf Physical server Storage disk C0 Physical server Storage disk DCI DCI Spine Leaf Spine Leaf Spine Leaf DWDM DWDM Intra-city transmission network Spine Leaf C0 Computing network Computing network Storage network Storage network
    Service network: 25GE TCP/IP
    Storage network plane A: 25GE RoCE
    Storage network plane B: 25GE RoCE
    Cascading network: 100GE TCP&IP/RoCE
    • For details about the local network design, see the local networking design based on the network scale.
    • DCI switches need to be deployed for the intra-city transmission network to implement long-distance lossless transmission in the same city.
    • Replication ports of storage disks are connected to DCI switches, which are interconnected across DCs through DWDM.
  • 460.
    All-Ethernet Storage Network Product Family
    ✓ The CE16800 series switches support CEL72XS-SAN for 10GE/25GE high-density access and CEL48CQ-SAN for 100GE high-density interconnection.
    ✓ Fixed series switches include the CE6860-SAN for 10GE/25GE/50GE access and CE8850-SAN for 40GE/100GE high-density interconnection.
    ✓ The CE8850-SAN and CE6860-SAN switches are used as DCI nodes.
    CE8850-SAN CE16800 series CE6860-SAN
  • 461.
    Contents
    1. DCN Fundamentals
    2. CloudFabric 3.0 Autonomous Driving Network
    3. CloudFabric 3.0 All-Ethernet Storage Network
    4. CloudEngine Switch Introduction
    5. Market Progress
  • 462.
    CloudFabric 3.0 Hyper-Converged DCN Product Portfolio
    CloudEngine 16800 CE6881-48S6CQ CE6820(H)-48S6CQ CE6881-48T6CQ 100GE switches CE8850-SAN CE8851-32CQ8DQ-P 25GE switches CE6860-SAN CE6866-48S8CQ-P CE9860-4C-EI Storage network switches CE6863E-48S6CQ CE6870-48S6CQ CE8850-64CQ-EI CE5882-48T4S 10GE switches
  • 463.
    Orthogonal Architecture Concepts
    SFU Non-orthogonal architecture Orthogonal architecture Active backplane LPU SFU MPU
    • Non-orthogonal architecture: The system is relatively simple and the cost is low. The backplane cabling limits the overall switching capacity and rate, and the upgrade and evolution capabilities are limited.
    • Orthogonal architecture: LPUs and SFUs use the orthogonal design. The front and rear cards are interconnected without cabling. Service traffic between LPUs is directly transmitted to SFUs through orthogonal connectors. This greatly improves the system bandwidth and evolution capability. The entire system capacity can be smoothly expanded, and evolution and upgrade are more flexible.
  • 464.
    CloudEngine 16800: MPUs, SFUs, and LPUs
    SFU 40GE LPU 100GE LPU 400GE LPU 25/10GE LPU CE-MPUD-HALF2 CE-MPUD-FULL CE-SFU16G-G CE-SFU08G-G CEL36DQHG-P CEL18CQFD-G CEL36LQFD-G CEL48XSFD-G CEL36CQFD-G CEL24LQFD-G MPU CE-SFU04G-G CEL72XSHGA-P CE16804 CE16816 CE16808
  • 465.
    CloudEngine 9860-4C-EI: 100GE TOR Switch with High-Density Flexible Cards
    ➢ High-performance, high-density, and low-latency Ethernet switches with flexible cards for DCs
    ➢ 4 U high, supporting four full-width flexible cards
    ➢ 400GE ready, meeting future evolution requirements
    Parameter: CE9860-4C-EI
    Port type: 4 slots, providing a maximum of 128 100GE QSFP28 ports
    Switching capacity: 25.6 Tbit/s
    Forwarding performance: 8000 Mpps
    Cache capacity: 65 MB
    Key features: M-LAG, telemetry, enhanced ERSPAN, PFC, and AI ECN
  • 466.
    CloudEngine 8850-64CQ-EI: High-Density 100GE TOR Switch
    ➢ High-performance, high-density, and low-latency Ethernet switches for DCs
    ➢ Provides a maximum of 64 100GE QSFP28 ports or 64 40GE QSFP+ ports.
    ➢ Functions as core or aggregation switches of DC and campus networks.
    Parameter: CE8850-64CQ-EI
    Port type: 64 x 100GE QSFP28. Can be auto-negotiated to 40GE or split into four 25GE ports.
    Switching capacity: 12.8 Tbit/s
    Forwarding performance: 4482 Mpps
    Cache capacity: 42 MB
    Key features: DC features: M-LAG, VXLAN, and BGP EVPN; hardware-based BFD, telemetry, and enhanced ERSPAN; AI Fabric (dynamic ECN, fast CNP, VIQ, and DLB)
  • 467.
    CloudEngine 6863E-48S6CQ: 25GE Access TOR Switch
    ➢ High-density 25GE access switches for DCs
    ➢ Supports 100GE uplink ports.
    Parameter: CE6863E-48S6CQ
    Port type: Downlink: 48 x 25GE SFP28; uplink: 6 x 100GE QSFP28
    Cache capacity: 42 MB
    Key features: DC features: M-LAG, VXLAN, and BGP EVPN; hardware-based BFD, minimum packet sending interval of 3.3s; telemetry and enhanced ERSPAN; microsegmentation
  • 468.
    CloudEngine 6881: 10GE Access TOR Switch
    ➢ High-performance and high-density 10GE Ethernet switches for DCs
    ➢ Provides high-density 10GE access ports and 40GE/100GE uplink ports.
    ➢ Supports abundant DC features.
    ➢ Enables flexible selection of airflow directions.
    Parameter: CE6881-48S6CQ; CE6881-48T6CQ
    Port type (CE6881-48S6CQ): 48 x 10GE SFP, 6 x 100GE QSFP28
    Port type (CE6881-48T6CQ): 48 x 10GE BASE-T, 6 x 100GE QSFP28
    Each 100GE port can work as a 40GE port.
    Switching capacity: 4.8 Tbit/s
    Forwarding performance: 2000 Mpps
    Maximum number of stacked devices: 16
    Key features: Abundant DC features: M-LAG, VXLAN, and BGP EVPN; telemetry and enhanced ERSPAN; microsegmentation and NSH
  • 469.
    CloudEngine 6820H-48S6CQ: 10GE TOR Switch
    ➢ High-performance and high-density 10GE access switches designed for DCs
    ➢ Provides 40GE/100GE uplink ports and high-density 10GE access ports.
    ➢ Uses Huawei's next generation YUNSHAN operating system.
    ➢ Supports abundant DC features.
    ➢ Enables flexible selection of airflow directions.
  • 470.
    Sales Scenarios of CloudEngine Switches
    GE TOR
    1. CE5882-48T4S: used for management and GE access, recommended in non-VXLAN scenarios
    10GE TOR
    1. CE6881: 10GE optical or electrical access and 100GE uplink, recommended for VXLAN scenarios
    2. CE6820(H): 10GE optical or electrical access and 100GE uplink, recommended for non-VXLAN scenarios
    25GE TOR
    1. CE6863E: recommended for 25GE access
    2. CE6860-SAN: recommended for centralized storage network scenarios
    40GE/100GE TOR
    1. CE8850-64CQ: 100GE aggregation for small and midsize networks
    2. CE9860: 100GE aggregation for Internet and non-VXLAN scenarios
    3. CE8850-SAN: recommended for centralized storage network scenarios
    4. CE8851: 100GE access and 400GE uplink in VXLAN scenarios
    EOR CE16800
    Intra-DC communication Inter-DC communication
    Next-generation high-performance 400GE and high-density 25GE access LPUs and corresponding SFUs
    Dedicated SAN LPUs in the centralized storage network scenario
  • 471.
    Contents
    1. DCN Fundamentals
    2. CloudFabric 3.0 Autonomous Driving Network
    3. CloudFabric 3.0 All-Ethernet Storage Network
    4. CloudEngine Switch Introduction
    5. Market Progress
  • 472.
    Award-Winning and Continuously-Innovating DCN Solution: Highly Recognized by 21000+ Customers
    • Huawei DCN switches positioned as a leader for open and programmable SDN by Forrester
    • Gartner: Huawei DCN switches (10GE+25GE) ranked No.1 in global shipments
    2018 2017 2016 2015 2013 2014 2012
    • Grand debut at Interop, receiving high appraisal
    • Industry-leading ultra-high performance
    • Global DCN vendor with the fastest growth
    • Best of ShowNet Award at Interop Tokyo for outstanding SDN capabilities
    • Challenger in Gartner Magic Quadrant for Data Center Networking
    • Leader in Data Center Hardware Platforms for SDN
    • AI Fabric won the Best of Show Award at Interop
    • AI Fabric passed EANTC's tests
    2019
    • AI Fabric was certified by Tolly to far outpace Cisco
    2019 2020
    • First vendor outside North America to be named a Gartner Peer Insights Customers' Choice
    • Only Chinese vendor in the global SDN leadership list
    • No. 1 market share in China
    • No. 3 global market share
    2020
    • CloudEngine 16800 won Frost & Sullivan's Global Data Center Switch Technology Leadership Award with highest score
    • Huawei's CloudFabric 3.0 solution won Frost & Sullivan's Global Technology Leadership Award
    2021
    • Huawei's next generation high-performance storage network NoF+ won the award at Tokyo Interop
    • Science and Technology Award of China Communication Society
    2022
    IDC HIS Technology IDC Gartner Gartner Forrester Gartner
  • 473.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. Bring digital to every person, home, and organization for a fully connected, intelligent world. Thank you.
  • 474.
    Huawei CloudWAN Products and Solutions Presales Training ⚫ Security Level:
  • 475.
    Foreword
    ⚫ An enterprise IP bearer WAN is a backbone WAN used to implement cross-region communication inside an enterprise. In enterprise network scenarios, various sectors, such as government, finance, education, and power, widely use IP bearer WANs to connect sites and clouds in different geographical locations, facilitating digitalization.
    ⚫ This course focuses on Huawei enterprise routers and their competitiveness and highlights, analyzes their market opportunities, and elaborates network solutions and the corresponding selection of routers, following an introduction of the concept, typical networking scenarios, typical architectures, requirements, and trends of enterprise WANs and a brief overview of Huawei CloudWAN3.0.
  • 476.
    Objectives
    ⚫ Upon completion of this course, you will be able to:
    • Describe the concept of an enterprise WAN and its position on an end-to-end (E2E) large-scale network.
    • Describe the typical logical and physical architectures of enterprise WANs.
    • Describe the architecture, components, and main functions of Huawei CloudWAN3.0.
    • Differentiate Huawei enterprise routers and flexibly select applicable router and board models based on project requirements.
    • Understand major market opportunities, network architectures, and model selection of routers.
  • 477.
    Contents
    1. Scenarios and Trends
    2. Introduction to Huawei Routers
    3. Industry Application Solutions for Huawei Routers
    4. Reference Documents for Huawei Routers
  • 478.
    What Is an Enterprise WAN
    Data center Enterprise HQ Enterprise branch Data center Data center Enterprise branch
    Definition
    • A cross-region private network (including leased links) built by an enterprise.
    Goal
    • Implements cross-region interconnection between enterprise campus networks and data centers.
    Classification by purpose
    • Self-built for internal use
    • Self-built for external use
  • 479.
    Evolution of Enterprise WAN Architectures
    ⚫ Traditional enterprise networks mainly carry LAN traffic and also carry a small amount of LAN interconnection traffic. The interconnection requirements can be easily met using MPLS private lines and Internet.
    ⚫ In the Internet era, fast-growing services are integrated in data centers. With the commercial use of mobile bearer and cloud technologies, enterprise services are carried in cross-region multi-cloud mode (multi-region and multi-center).
    ⚫ To brace service growth and ensure service quality, it is imperative for large enterprises to build self-managed WAN bearer networks.
    • LAN traffic mainly • LAN interconnection • WAN interconnection • Level-1 backbone networks • Core backbone networks • Multiple centers in multiple cities • Operable networks • Three centers in two cities • DCs as the root • DC as the root • Hierarchical networks
  • 480.
    Evolution of WAN Bearer Technologies
    ⚫ With the development of technologies and increasing service requirements, the VPN bearer mode becomes the mainstream WAN service bearer mode. The WAN's control and forwarding plane technologies are also evolving.
    ⚫ The bearer WAN continues to evolve towards Segment Routing (SR) and IPv6.
    MPLS SR-MPLS SRv6 Forwarding plane Control plane LDP RSVP-TE IGP Simplifies the control plane. IPv6 forwarding IGP + SR Extension IGP + SR Extension BGP (L3 Service) BGP for Service BGP for Service Payload IPv6 Header + SRH BGP-LU (Inter-AS) Payload VXLAN/GRE/L2TP, etc. MPLS Labels Payload VXLAN/GRE/L2TP, etc. MPLS Labels Continues to simplify the control plane. Direct evolution
  • 481.
    CloudWAN 3.0: Leading WANs into the Intelligent Cloud-Network Era
    IPv6 Enhanced builds a digital infrastructure foundation.
    SRv6 FlexE slicing IFIT NETCONF/YANG
    One-fiber multipurpose transport: deterministic experience
    • Hierarchical slicing delivers 1000+ slices, 10 times the industry average.
    • Patented slice ID-based slicing, simplified deployment
    One-hop cloud access: flexible cloud-network connection
    • SRv6-based service provisioning within minutes, agile service cloudification.
    One-click fast navigation: cloud-network coordinated scheduling
    • SDN+intelligent cloud-map algorithm, cloud-network resource utilization 30%↑
    One-network wide connection: network digitalization
    • Industry-unique hop-by-hop measurement technology enables real-time visualization of network-wide status and troubleshooting within minutes.
    Real-time visualization | Fault locating within minutes | Protection switching within milliseconds
    100+ commercial use cases worldwide
    Municipalities Federation Federal QH States DC
  • 482.
    Contents
    1. Scenarios and Trends
    2. Introduction to Huawei Routers
    3. Industry Application Solutions for Huawei Routers
    4. Reference Documents for Huawei Routers
  • 483.
    Huawei NetEngine Routers Portfolio
    Core routers, aggregation routers, access routers
    NetEngine 8000 M1A/M1C/M1D-B • 1 U high, 220 mm deep • DC: 1 + 1 redundancy
    NetEngine 40E X16A/X8A • 2 Tbit/s LPU, BNG/FMC service router • High-performance CGN/IPsec
    NetEngine 8000 X16/X8/X4 • 4 Tbit/s per slot, expandable to 14.4 Tbit/s per slot • Compact design
    NetEngine 8000 M14 • 5 U high, 2 Tbit/s • 300 mm
    NetEngine 8000 M8 • 3 U high, 1.2 Tbit/s • 300 mm
    NetEngine 8000 F1A • 1 U • Dual-channel AC and DC
    NetEngine 8000 M6 • 2 U high, 220 mm deep • DC/AC: 1+1
    NetEngine 8000 M4 • 2 U high, 1.2 Tbit/s • 300 mm
    NetEngine A821 E • 1 U high, 220 mm deep • 10GE FlexE
    NetEngine 8000 F8 • 8 LPUs and 32 subcards • 13 U high, 2 Tbit/s per slot
  • 484.
    NetEngine 8000 X Series: Highlights
    Core Aggregation Access
    Compact, high-density, and applicable to all service scenarios
    • High-density 100GE
    • Large capacity and high performance, 14.4 Tbit/s per slot
    • EVPN/SRv6 ready
    • Large-scale Layer 2 and Layer 3 services
    Multiple roles
    • High-density 100GE WAN routers
    • Various peer routers
    • Multi-service convergence edge routers
    • Telco cloud/DC gateway routers
    • Mobile bearer aggregation routers
    NetEngine 8000 X8 NetEngine 8000 X4 4 slots 8 slots One 19-inch cabinet can house two devices One 19-inch cabinet can house four devices 15.8 RU 9.8 RU NetEngine 8000 X16 32.3 RU 16 slots
  • 485.
    NetEngine 8000 X: Line Processing Units
    Core Aggregation Access
    LPUI-4T 8 x 100GE QSFP28 + 8 x 400GE QSFP-DD Hybrid 100GE/400GE port 72 x 10GE SFP/25GE SFP28 LPUI-2T High-density 25GE/10GE aggregation LPUI-4T 40 x 100GE QSFP28 High-density 40 x 100GE Medium- and high-density 20 x 100GE LPUI-2TA 20 x 100GE QSFP28 VUSI-400-E IPsec service board Service interface boards Value-added service boards
    Large number of QoS queues, full services, and large number of routing entries
    High specifications, high reliability, and high forwarding performance
  • 486.
    NetEngine 40E X16A/X8A: Highlights
    Core Aggregation Access
    NetEngine 40E X16A/X8A 40 RU 21 RU
    Large capacity
    • 2 Tbit/s per slot, 81.92 Tbit/s switching capacity of the entire device
    • High-speed LPUs: 50 Gbit/s, 120 Gbit/s, 240 Gbit/s, 480 Gbit/s, 1 Tbit/s, or 2 Tbit/s
    • Various interface types: 100GE/50GE/40GE/10GE/GE/FE
    • 4M FIB routing entries
    All-service applicability
    • L2/L3 VPN, EVPN, VXLAN, Seamless MPLS, SR/SRv6, HQoS, PIM, MLD, MVPN, BIER/BIERv6, and DHCP/DHCPv6
    • Synchronous Ethernet, 1588v2, G.8275.1, and G.8273.2
    • Telemetry, YANG, and NETCONF
    High reliability
    • Distributed forwarding architecture, low latency, and large buffer, improving 4K video user experience
    • Fast switchover mechanisms (VPN/VLL/PW/LDP FRR) and hardware BFD in 3.3 ms
  • 487.
    NetEngine 40E X16A/X8A: Service Processing Units
    Core Aggregation Access
    Service boards 50 Gbit/s 1 Tbit/s 480 Gbit/s 240 Gbit/s 2 Tbit/s LPUF-53A 24 x GE MACsec LPUF-243A 2 x 50GE/1 x 100GE FlexE/MACsec 4 x 25GE MACsec 12 x 10GE FlexE/MACsec LPUF-483A 4 x 50GE/2 x 100GE FlexE/MACsec 8 x 25GE MACsec 24 x 10GE MACsec LPUF-1T2A 4 x 100GE/8-port 50GE QSFP28 16 x 25GE SFP28 1-port 400GBASE-QSFP-DD 20 x 100GE QSFP28 FlexE/MACsec LPUI-2TA 8 x GE/10GE+8xPOS 2 x CPOS+24xE1 LPUI-243A-CM LPUI-483A-CM Forwarding performance
  • 488.
    NetEngine 40E X16A/X8A: Value-Added Service Boards & BRAS Access Boards
    Core Aggregation Access
    LPUF-245-E (2 subslots) BRAS access board: matching with a P245-E (recommended) or P245-A subcard
    LPUF-485-E (2 subslots) BRAS access board: matching with a P485 subcard
    P485-A subcard: 2 x 100GE, 20 x 10GE, 24 x 10GE
    P245-E subcard: 1 x 100GE, 10 x 10GE, 24 x GE/FE
    P245-A subcard: 1 x 100GE, 12 x 10GE, 24 x GE/FE
    Specification Comparison LPUF-485-E LPUF-480-E LPUF-245-E Application Scenario BRAS user side Subcard • P485-A • P480 • P245-E (recommended) • P245-A BRAS Supported. No license is required. Number of users on each board 128,000 128,000 128,000 Number of queues Upstream: 2 x 192 x 1000 Downstream: 2 x 256 x 1000 per slot Upstream: 2 x 128 x 1000 Downstream: 2 x 128 x 1000
    ⚫ Motherboards whose model ends with "-E" and matching subcards are recommended for user-side access.
    ⚫ Both the LPUF-485-E and LPUF-485 (BRAS not supported) are equipped with eTM chips, and subcards are interchangeable on them.
    ⚫ The LPUF-485-E supports only the P485 subcard. The LPUF-245-E supports the P245-E (recommended) and P245-A subcards.
    VSUI-400-E VSUI-400 VSUI-400 series value-added service boards VSUI-400-S NAT and IPsec supported, SA not supported NAT, IPsec, and SA supported NAT, IPsec, and SA supported VSUI-401-E VSUI-401 VSUI-401 series value-added service boards NAT, IPsec, and SA supported NAT and SA supported, IPsec not supported 2022Q2 Upgrade
  • 489.
    NetEngine 8000 F8: Enterprise Router with Port Density Ranking Top in the Industry
    Core Aggregation Access
    NetEngine 8000 F8 LPUT x 8 SRU x 2 (1:1) MPU (1:1) PSU x 6
    High density: large capacity and high port density ranking top in the industry
    • Large capacity: The 2 Tbit/s capacity can be evolved to 6.4 Tbit/s, meeting smooth evolution requirements in the next 10 years. 32 high-speed subcards can be configured.
    • High-density ports: 24 x 100GE/240 x 10GE/320 x GE/256 x E1/256 x STM-1c/256 x STM-4c
    • Evolvability: The ports can be evolved to 64 x 100GE/576 x 10GE/576 x GE/512 x E1/256 x STM-1c/256 x STM-4c.
    All-scenario: all-service transport and all-scenario deployment for enterprise networks
    • Multi-platform convergence: financial and electric power aggregation nodes, metro network MEF/cloud network CE aggregation routers
    • Multi-service platform: supports all-service capabilities such as IPsec, NAT, SA, and MACsec.
    • Innovative solutions: SD-WAN POP
    IPv6 Enhanced: full programmability and deterministic SLA assurance
    • Network slicing: 10GE port FlexE, 1GE granularity FlexE slicing, and hard isolation, guaranteeing zero packet loss and bandwidth
    • SRv6: path programmability, realizing deterministic paths and latency
    • IFIT: in-band flow measurement, enabling minute-level fault locating and ensuring high network availability
    Industry-leading hardware: energy-saving pioneer, all-round quality assurance
    • High reliability: forwarding-control separation and separate switching
    • Energy saving: 1300 W power consumption in typical configuration, about 60% lower than industry average; front-to-back airflow
    • Flexible hardware: flexible motherboard-and-subcard design, improving device performance by about 25%
  • 490.
    NetEngine 8000 F8: Line Processing Unit
    Core Aggregation Access
    Line Processing Unit: LPUT-800-CM, 400G enabled by default, supporting 4 PIC slots
    High-speed subcards Low-speed subcards Subcards 8 x 100/1000Base-RJ45 8 x STM-1/STM-1000Base-RJ45 16 x E1 (750/120 ohm) 2 x 50GE/1 x 100GE QSFP28 FlexE MACsec 4 x 10G SFP+ 10 x 10GE SFF+ MACsec 10 x GE/FE SFP
  • 491.
    NetEngine 8000 M14/M8: Highlights
    Core Aggregation Access
    NetEngine 8000 M8: 220 mm, 3 RU
    NetEngine 8000 M14: 220 mm, 5 RU
    Compactness and hardware redundancy
    • 220 mm deep, less footprint
    • Reliability: control/forwarding separation and hardware redundancy
    High performance
    • NetEngine 8000 M14: 800 Gbit/s, 1.2 Tbit/s, or 2 Tbit/s capacity
    • NetEngine 8000 M8: 480 Gbit/s or 1.2 Tbit/s capacity
    • Diverse interfaces: E1, cPOS, POS, GE, 10GE, 25GE, 40GE, 50GE, and 100GE, meeting multi-service access requirements
    All-service integration
    • Simplified protocol evolution: SRv6
    • New Ethernet Features: FlexE and MACsec
    • High clock precision: 10 ns
    4-in-1 function integration
    • All-service aggregation, CGNAT, distributed BNG, and IPsec encryption
  • 492.
    NetEngine 8000 M14: Slot-based Bandwidth Distribution
    Core Aggregation Access
    When the NetEngine 8000 M14 is configured with different types of main control boards, each slot supports different bandwidths.
    Main control board IPUA-1T2/2T (slots 15 and 16; PIUs in slots 17 and 18):
    Slots 13 and 14: 100 Gbit/s each
    Slots 11 and 12: 200 Gbit/s each
    Slots 9 and 10: 200 Gbit/s each
    Slots 7 and 8: 200 Gbit/s each
    Slots 5 and 6: 100 Gbit/s each
    Slots 3 and 4: 100 Gbit/s each
    Slots 1 and 2: 100 Gbit/s each
    Main control board IPU-1T2-A/1T2-BN (slots 15 and 16; PIUs in slots 17 and 18):
    Slots 13 and 14: 10 Gbit/s each
    Slots 11 and 12: 200 Gbit/s each
    Slots 9 and 10: 100 Gbit/s each
    Slots 7 and 8: 100 Gbit/s each
    Slots 5 and 6: 100 Gbit/s each
    Slots 3 and 4: 100 Gbit/s each
    Slots 1 and 2: 10 Gbit/s each
    Main control board IPU-800-BN (slots 15 and 16; PIUs in slots 17 and 18):
    Slots 13 and 14: 10 Gbit/s each
    Slots 11 and 12: 100 Gbit/s each
    Slots 9 and 10: 100 Gbit/s each
    Slots 7 and 8: 100 Gbit/s each
    Slots 5 and 6: 100 Gbit/s each
    Slots 3 and 4: 100 Gbit/s each
    Slots 1 and 2: 10 Gbit/s each
    Remarks: The NetEngine 8000E M14 2T supports 400 Gbit/s boards. Supported slots: slots 7 and 9, or slots 8 and 10. One subcard occupies two subcard slots.
    If AC power supply is used, slots 1 and 3 are used for power modules. If AC power supply is used, slots 1 and 3 are used for power modules.
    Bundle: IPU-1T2 or IPU-2T Bundle: IPU-800-BN Bundle: IPU-1T2-A or IPU-1T2-BN
  • 493.
    NetEngine 8000 M8: Slot-based Bandwidth Distribution
    Core Aggregation Access
    When the NetEngine 8000 M8 is configured with different types of main control boards, each slot supports different bandwidths.
    Main control board IPU-1T2 (slots 9 and 10):
    Slots 7 and 8: 100GE each
    Slots 5 and 6: 200GE each
    Slots 3 and 4: 200GE each
    Slots 1 and 2: 100GE each
    Main control board IPU-480-BN (slots 9 and 10):
    Slots 7 and 8: 20GE each
    Slots 5 and 6: 200GE each
    Slots 3 and 4: 200GE each
    Slots 1 and 2: 20GE each
    Bundle: IPU-1T2-B/C Bundle: IPU-480-BN
    If AC power supply is used, slots 1 and 3 are used for power modules. If AC power supply is used, slots 1 and 3 are used for power modules.
  • 494.
    NetEngine 8000 M14/M8: Interface Board Portfolio
    Core Aggregation Access
    4 x 25GE SFP28/ 4 x 10GE SFP+ 2 x 50GE QSFP28/ 1 x 100GE QSFP28 2 x 100GE QSFP28/ 2 x 50GE QSFP28 10GE/GE 25GE/10GE 100GE/50GE 10 x 10GE SFP+/ 10 x GE SFP GE 10xGE SFP E1 16-Port E1 4 x Port Channelized STM-1c POS-SFP CPOS 4 x Port OC-3c/STM-1c POS-SFP POS GE 20 x GE CSFP/ 10 x GE SFP Low-speed subcards High-speed subcards 100GE/50GE 100GE 1 x 100GE CFP2 8 x Port V.35/X.21/V.24 PCM 4 x Port C37.94 & 4 x Port CoDir64K PCM 4 x Port FXS/FXO & 2 x Port E&M & 2 x Port RS232 & 2 x Port RS485 PCM 6 x Port E&M PCM GE E1 32-port E1 GE 4 x GE SFP 8 x GE RJ45 8 x 25GE SFP28 25GE/10GE 10GE (FlexE) 4 x 10GE SFP+ 25GE 4 x 25GE SFP28 8 x STM-1c/8 x STM-4c POS VSUP-100 Universal service board 1 x 400GE QSFP 400GE Supported only by the NetEngine 8000 M14 6 x Port E&M
  • 495.
    NetEngine 8000 M4: Industry-Leading Compact 2U All-Service Router
    ✓ Small size, large capacity
      • Device forwarding capacity up to 1.2 Tbit/s, port capacity up to 1.6 Tbit/s
      • 2 U high, 220 mm deep, 70% less footprint
    ✓ Environmental friendliness
      • Chassis replaced with boxes, power consumption reduced by 60%
    ✓ Multi-rate ports, smooth service evolution
      • E1/CPOS/POS/GE/10GE/25GE/40GE/50GE/100GE/400GE
    ✓ All-service router
      • 4-in-1: SR + BRAS + CGN + IPsec
      • SRv6 path programmability
      • FlexE hard slicing supported, guaranteeing bandwidth
  • 496.
    NetEngine 8000 M4: FPIC Design and Multi-Rate Ports
    Low-speed subcards High-speed subcards 16-Port E1 4 x Port Channelized STM-1c POS-SFP CPOS 4 x Port OC-3c/STM-1c POS-SFP POS E1 GE 8 x GE RJ45 10 x GE SFP GE 2 x 50GE QSFP28/1 x 100GE QSFP28 100GE/50GE 10 x 10GE SFP+/GE SFP 4 x 10GE SFP+/GE SFP 10GE/GE MACsec 2 x 100GE QSFP28/2 x 50GE QSFP28 100GE/50GE FlexE, MACsec 10GE/GE 4 x 25GE SFP28/10GE SFP+ 25GE 25GE/10GE MACsec 8 x 25GE SFP28/10GE SFP+ 400GE 1 x 400G QSFPDD (with OA) VSUPA-100 CGN VSUPA-100 IPsec Service subcards
  • 497.
    NetEngine 8000 F1A: 1 U High and 1.2 Tbit/s Capacity
    • Compact design: 1 U high, 420 mm deep, 1.2 Tbit/s capacity.
    • High-density ports: 8 x 100GE/50GE + 20 x 25GE/10GE + 28 x 10GE/GE
    • Energy saving: 0.23 W/G, 20% lower than the industry average
    • Flexible airflow: front-to-back or back-to-front airflow
    • FlexE: supported by 100 Gbit/s ports
    • MACsec: 28 x 10GE/GE + 4 x 25GE/10GE/GE
    Application scenarios:
    • High-density WAN routers
    • Multi-service convergence edge routers
    Specifications:
    • Switching capacity: 1.2 Tbit/s
    • Dimensions (H x W x D): 44 mm (1 RU) x 442 mm x 420 mm
    • Weight: <12 kg
    • Typical power consumption: 350 W
    • Characteristics: Segment Routing, SRv6, EVPN, VXLAN, 1588v2, NETCONF YANG, and Telemetry
    • Power supply: DC/AC, 1 + 1 redundancy
    • Operating temperature: 0°C to 45°C (long term)
    Ports: 28 x 10GE/GE SFP+, 20 x 25GE/10GE SFP28, 8 x 100GE/50GE/40GE QSFP28
    Flexible port configuration (Port: Fixed, Extension, Total):
    • 100GE/50GE/40GE: fixed 8, total 8
    • 25GE: fixed 20, extension 8 x 4, total 52
    • 10GE: fixed 28+20, extension 8 x 4, total 80
    • GE: fixed 28, total 28
  • 498.
    NetEngine 8000 M6: Access and Aggregation Router for All Scenarios
    Product positioning: large-capacity access and aggregation router for all scenarios
    Small size, large capacity; Excellence; All-scenario platform
    • Dimensions: 2 U high, 220 mm deep
    • Capacity: 160 Gbit/s, 6 slots
    • Maximum: 2 x 50GE/16 x 10GE/100GE
    • SRv6 ready
    • NP architecture for new services in the future
    • Supports private lines, IGWs, and DC-GWs.
    • Diverse interfaces: E1/CPOS/GE/10GE/25GE/50GE
    Specifications:
    • Dimensions (H x W x D): 88.9 mm (2 U) x 442 mm x 220 mm
    • Device capacity: 160 Gbit/s
    • Voltage range: DC: –40 V to –72 V; AC: 90 V to 290 V
    • Power consumption: 230 W
    • Slot quantity: 6 (DC)
    • Device interface capacity: 50GE:2 // 10GE:16 // GE:100
    • Layer 2 features: IEEE802.1q, IEEE802.1p, IEEE802.3ad, IEEE802.1ab, and STP/RSTP/MSTP
    • Layer 3 features: OSPF, RIP, IS-IS, BGP, ACL, IPv4, 6VPE, ARP, VLANIF, and VXLAN
    • MPLS features: LDP, RSVP-TE, L2VPN, L3VPN, and seamless MPLS
    • SRv6/EVPN: SRv6, SR, EVPN L3VPN, EVPN VPWS, EVPN VPLS, and EVPN over SRv6
    • Valuable services: NAT, IPsec, and MACsec
    • Multicast: IGMP, static multicast routing, PIM-SM/SSM, and MBGP
    • QoS: 5-level HQoS
    • Clock: 1588v2 and synchronous Ethernet
    • O&M management: Telemetry, IFIT, BFD, NQA, RFC 2544, and TWAMP
    • Operating temperature: DC: –40°C to +65°C; AC: –20°C to +55°C
    • Operating relative humidity: Long-term: 5% to 95%, non-condensing
    Scenarios:
    • Converged transport: Unified transport of multiple services
    • Vertical industries: Access and aggregation scenarios
    • Campus egress: Layer 3 egress on a Layer 2 network
  • 499.
    NetEngine 8000 M1A: Access Router
    High adaptability
    • Wide temperature range: –40°C to +70°C, applicable to outdoor cabinet scenarios
    Transmission-oriented
    • SR and EVPN as bearer protocols, smooth evolution to SRv6 based on NP
    High compactness
    • Dimensions (H x W x D): 1 U x 300 mm x 220 mm; less footprint and easy installation in a cabinet
    Large capacity
    • 176 Gbit/s
    • 16 x 10GE/GE/FE + 12 x GE/FE(o) + 4 x GE/FE(e)
    Flexible configuration:
    ⚫ 4 x 10GE/GE/FE + 12 x GE/FE
    ⚫ 6 x 10GE/GE/FE + 26 x GE/FE
    ⚫ 16 x 10GE/GE/FE + 12 x GE/FE(o) + 4 x GE/FE(e)
    DC: 12 x GE/FE(o), 16 x 10GE/GE/FE(o), 4 x GE/FE(e), dual DC inputs
    AC: 12 x GE/FE(o), 16 x 10GE/GE/FE(o), 4 x GE/FE(e), AC input
  • 500.
    NetEngine 8000 M1C: Access Router
    High adaptability
    • Wide temperature range: –40°C to +65°C, applicable to outdoor cabinet scenarios
    Transmission-oriented
    • SR and EVPN as bearer protocols, smooth evolution to SRv6 based on NP
    High compactness
    • Dimensions (H x W x D): 1 U x 300 mm x 220 mm; less footprint and easy installation in a cabinet
    Large capacity
    • 172 Gbit/s
    • 16 x 10GE/GE/FE + 8 x GE/FE(o) + 4 x GE/FE(e)
    Flexible configuration:
    ⚫ 4 x 10GE/GE/FE + 12 x GE/FE
    ⚫ 6 x 10GE/GE/FE + 22 x GE/FE
    ⚫ 16 x 10GE/GE/FE + 8 x GE/FE(o) + 4 x GE/FE(e)
    DC: 8 x GE/FE(o), 16 x 10GE/GE/FE(o), 4 x GE/FE(e), dual DC modules
    AC: 8 x GE/FE(o), 16 x 10GE/GE/FE(o), 4 x GE/FE(e), dual AC modules
  • 501.
    NetEngine 8000 M1D-B: Access Router
    High adaptability
    • Wide temperature range: –40°C to +65°C, applicable to outdoor cabinet scenarios
    Transmission-oriented
    • SR and EVPN as bearer protocols, smooth evolution to SRv6 based on NP
    High compactness
    • Dimensions (H x W x D): 1 U x 300 mm x 220 mm; less footprint and easy installation in a cabinet
    Large capacity
    • 176 Gbit/s
    • 2 x 50GE + 2 x 25GE + 2 x 10GE + 10 x GE + 4GE RJ45
    Flexible configuration:
    ⚫ 2 x 50GE + 2 x 25GE + 2 x 10GE + 10 x GE + 4 x GE RJ45
    ⚫ 2 x 50GE + 1 x 25GE + 4 x 10GE + 10 x GE + 4 x GE RJ45
    ⚫ 2 x 50GE + 6 x 10GE + 10 x GE + 4 x GE RJ45
    ⚫ 2 x 25GE + 12 x 10GE + 10 x GE + 4 x GE RJ45
    ⚫ 16 x 10GE + 10 x GE + 4 x GE RJ45
    DC: 10 x 10GE or 2 x 50GE, 10 x GE/FE(o), 2 x 25GE/4 x 10GE(o), 4 x 10GE(o), dual DC modules
    AC: 10 x 10GE or 2 x 50GE, 10 x GE/FE(o), 2 x 25GE/4 x 10GE(o), 4 x 10GE(o), dual AC modules
  • 502.
    NetEngine A821 E: Designed for Cloudification, One-Hop Cloud Access
    Specifications of the NetEngine A821 E (Huawei cloud terminal):
    • Switching capacity: 72 Gbit/s
    • Packet forwarding rate: 54 Mpps
    • Port type: 2 x 10GE ports + 8 x GE optical ports + 8 x GE electrical ports
    • Height: 1 U
    • Dimensions (H x W x D): 43.6 mm (1 U) x 320 mm x 220 mm
    • Weight: 5 kg
    • SDRAM: 4 GB
    • Typical power consumption: 75 W
    • Power input: AC: 100 V to 240 V
    • Cooling mode: Air cooling
    • Operating temperature: –40°C to +65°C
    • FIB: IPv4: 512K; IPv6: 64K
    • Network slicing: 10GE port FlexE slicing
    • Segment Routing: SR BE, SR Policy, SRv6 BE, and SRv6 Policy
    • NAT: 800 Mbit/s
    • Service visualization: In-band flow measurement (IFIT)
  • 503.
    Key Feature Matrix of NetEngine Routers
    L2VPN L3VPN EVPN VXLAN NG MVPN BIER HQoS 1588v2 Telemetry IFIT BRAS MACsec IPsec CGNAT SR SRv6 FlexE Multicast-NAT NetEngine 40E X16A/X8A √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 X16/X8/X4 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 F8 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 M14 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 M8 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 M4 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 F1A √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 M6 √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 M1A √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine 8000 M1C √ √ √ √ √ √ √ √ √ √ √ √ √ √ NetEngine A821 E √ √ √ √ √ √ √ √ √ √ √ √ √ √ √
  • 504.
    NetEngine 40E Naming Conventions
    Device naming conventions: NE40E-X8A
    • Brand name: Net Engine
    • Model
    • X: extended, indicating performance improvement
    • Number of service slots
    • A: advanced
    Main control board naming conventions: MPUB11, SRUA17
    • Main Processing Unit
    • Switching and Routing Unit: A component that physically integrates the control and switching functions.
    • B: MPU of the NE40E X16/X16A; D: MPU of the NE40E X3/X3A
    • A: SRU of the NE40E-X8A
    • Board version
    SFU naming conventions: SFUI-480-N
    • Switch Fabric Unit
    • I: integrated, indicating that no flexible plug-in card (FPIC) can be configured
    • Switching capacity, 480 Gbit/s per slot
    • Used to distinguish device models: M/E/G/P/I: NE40E X16A; N/F/H/Q/J: NE40E X8A
    VSU naming conventions: VSUI-401-E
    • Versatile Service Unit
    • I: integrated, indicating that no FPIC can be configured
    • Board capacity: 400 Gbit/s. The last digit represents the serial number of a board version.
    • Performance type: S: smart; E: enhanced
    LPU naming conventions: LPUI-243-CM, P243
    • Line Processing Unit
    • F: flexible, indicating that the board is a motherboard for flexible plug-in cards
    • I: integrated, indicating that the board is configured with fixed interfaces
    • Board capacity: 240 Gbit/s. The last digit represents the serial number of a board version.
    • Consumption model, a new sales mode. The RTU is to control the board capacity, flexibly meeting commercial requirements.
    • Indicates the matching motherboard
    • Subcard of an LPU: P: subcard of the NE40E; BP: subcard of the ME60
  • 505.
    NetEngine 8000 Naming Conventions
    • Fixed-configuration device: "F" stands for "fixed", the digit (1/2) after "F" indicates the device height, and the letter (A/B/C) after the digit indicates the device generation. The rightmost field (F) contains port information.
    • Modular device: "M" stands for "modular", the digit (4/6/8/14) after "M" indicates the number of slots, and the letter (A/B/C) after the digit indicates the device generation.
    • Chassis-shaped device: "X" stands for "chassis", and the digit (4/8/16) after "X" indicates the number of slots.
    Device naming conventions: NE8000 F1A(X)-8H20Q (diagram labels: Brand name, Model, fields A B C D E F)
    Field: Description
    • A: Indicates the device series. NE8000: NetEngine 8000 series. NE8000E: "E" stands for Enterprise.
    • B: Indicates the device type. M: modular; F: fixed configuration; X: chassis-shaped
    • C: Number of slots or device height. Modular device: The digit indicates the number of slots. Fixed-configuration device: The digit indicates the device height.
    • D: Indicates the device generation: A, B, C, and so forth. Each letter represents one device generation, and devices with similar capacities and specifications are of the same generation. A: first generation; B: second generation; ... N: Nth generation
    • E: Optional. It is an extension bit. If the generation letter and port information are not enough to distinguish different devices, this extension bit (filled with a letter) is used.
    • F: Indicates port information: number of ports (digits) + port type (letters). H: 100GE; V: 50GE; Q: 25GE; X: 10GE. For combo ports, the common port model combination in the industry is used.
  • 506.
    Contents
    1. Scenarios and Trends
    2. Introduction to Huawei Routers
    3. Industry Application Solutions for Huawei Routers
    4. Reference Documents for Huawei Routers
  • 507.
    Industry Scenario Overview
    Electric power and transportation bearer network ISP metro aggregation Campus Horizontal solutions: evolution based on four major scenarios Focus on five key industries ISP Backbone network expansion and migration Government/Education Smart city SDN, IPv6 Enhanced, and backbone network reconstruction E-government Finance SDN-based backbone network and cloud-based branches OTT DCI IAP Industry Opportunity Scenario Transportation Electric power production network Full-service bearing of production and office services, migration from SDH to all-IP Railway Urban rail Education backbone network Data center Energy Financial backbone network Branch interconnection Electric power office network Coal mine Pan-government bearer network Interconnection between financial backbone branches Campus network General-purpose computing Storage High-performance computing Data Center
  • 508.
    ISP Market Segmentation and Opportunities for Routers
    Service Level Target User Service Available Product
    OTT Content and service providers • Service providers that transmit streaming media over the Internet. • The networks include DCI backbone networks and POP nodes. DCI backbone routers International POPs
    IXP Internet exchange points • Network facilities that connect different ASs and exchange Internet traffic between them. • The networks provide Layer 2 and Layer 3 P2P and P2MP exchange connections and value-added services. DC-GW
    MTDC Colo/Hosting/IaaS/NaaS • Provide leasing or hosting services based on data centers and gradually transform to cloud service providers.
    Network IAP • An Internet access provider (IAP) provides end users with Internet access services and limited information services. ✓ Services: FBB and enterprise VPN ✓ Networks: backbone, metro, and access networks
    Major markets of routers: Backbone networks: P/PE and IGW Metro networks: aggregation routers and BRAS
  • 509.
    IAP Network Architectures and Applicable Routers
    Metro network Backbone network S-PoP NetEngine 40E X16A NetEngine 8000 M14 NetEngine 8000 M8 NetEngine 8000 F1A (Mini-BNG) NetEngine 40E X8A SR/centralized BNG/CGN NetEngine 8000 X8 NetEngine 8000 X4 NetEngine 8000 M6 NetEngine 8000 M1C NetEngine 8000 M4 (Distributed BNG)
    BNG: Broadband Network Gateway
    CGN: Carrier-Grade Network Address Translation
    S-PoP: Super-Point-of-Presence
    14.4 Tbit/s per slot (P/PE/IGW/DC GW) 2 Tbit/s per slot (P/PE/IGW/DC GW) NetEngine 40E X8A Service Metro network Backbone network S-PoP End users Access network ACC PE P ACC PE AGG AGG Internet Telecom Cloud BNG SR PC OLT RGW ONT CPE Small- and medium-sized enterprises Enterprises Telephone OLT Internet TV ONT IGW PE DC-GW DC-GW
  • 510.
    IAP Service Deployment Solution
    Service Metro network Backbone network S-PoP End users Access network ACC PE P ACC PE AGG AGG Internet Telecom Cloud BNG SR PC OLT RGW ONT CPE Small- and medium-sized enterprises Enterprises Telephone OLT Internet TV ONT IGW PE DC-GW DC-GW VOIP VLAN EVPN-L3VPN VLAN IPTV VLAN VLAN VLAN EVPN-L3VPN EVPN Native IP multicast/EVPN-BIER BNG L2 VLAN VLAN L3 FlexE slice-based private network FlexE slice-based private network Q-in-Q HSI VLAN EVPN-VPLS Q-in-Q BNG EVPN-L3VPN Home broadband Enterprise private lines Centralized BNG Distributed BNG Video on Demand (VOD) BTV (multicast) SRv6 Industry slice
  • 511.
    Highlights of Huawei ISP Solution
    NetEngine 8000 M4 NetEngine 8000 F1A 99% satisfaction of customer requirements 4-in-1 BNG/CGN/SR/IPsec Compact design, making use of small spaces 1 U/2 U 300 mm Co-cabinet with the OLT "0" investment for a cabinet Energy efficiency 300 W 30% less energy consumption Value-added service board CGN+IPsec subcard Leading the industry Economical Efficient Simple The cost of one device is saved every year, in terms of device leasing and power consumption. Simple, easy to sell, and promised profits. More efficient mini BNG in the industry BRAS CGN SR NetEngine 8000 M IPsec
  • 512.
    Government WAN Scenarios and Market Opportunities for Routers
    Government
    G2E: Government to Employee
    • Electronic payroll
    • E-benefit
    • E-training
    G2B: Government to Business
    • Online investment
    • Online business
    • Online tax filing
    • Online annual audit
    G2C: Government to Citizen
    • Information publication
    • Government consultation
    • Online services
    • Online complaints
    • Online filing
    G2G: Government to Government
    • Cross-department data sharing
    • Collaborative office: video conference
    • Joint approval
    National broadband National broadband network Provincial networks Dedicated networks for provinces City network Dedicated networks for cities MOX Dedicated networks for ministries Ministry of the Interior (MOI) Ministry of Education (MOE) Ministry of Finance (MOF) Ministry of Defense (MOD) ...
  • 513.
    MOX Government Network Architectures and Applicable Routers
    NetEngine 8000 X4 NetEngine 8000 M14 NetEngine 8000 X8 Backbone routers MOX campus Aggregation routers Access routers NetEngine 8000 M6 NetEngine 8000 M1C NetEngine 8000 M8 Backbone network Aggregation network Access network MOX campus MOX campus MOX data center MOX data center
  • 514.
    MOX Government Network Deployment Solution
    • SRv6+EVPN-based unified deployment
    • N+2 VPN: N VPNs are used for connecting departments, one public VPN, and one Internet VPN.
    Data center Data center G2G/G2E EVPN-L3VPN/L2VPN over FlexE EVPN-L3VPN/L2VPN over FlexE Department Department Data center IP Department EVPN-L3VPN/L2VPN (public VPN) over FlexE G2B/G2C Department Department EVPN-L3VPN (Internet VPN) Web Enterprise/Individual SRv6 IP IP IP VLAN VLAN VLAN IP Backbone network Aggregation network Access network Campus
  • 515.
    Highlights of the Government Network Solution
    Federal government private network Regional government private network Municipalities State government private network SRv6 for one-hop cloud access FlexE slicing, single-network transport Ministry of Finance Ministry of Culture Ministry of Communications Government network construction goal: Combine two steps in one step, taking the lead at the start. "Elite 1" device Compact and efficient access routers Safe E2E security Carrier-class reliability Simple Smart "Elite 2" device Cost-effective core routers Simplified O&M 1 U high, half-chassis wide, plug-and-play Strong network hard slicing Flexible multi-service access Government cloud
  • 516.
    Financial WAN Scenarios and Market Opportunities for Routers
    • Network and cloud pool resource usage
    • Reduced investment in capacity expansion every year
    Scenario 1: agile cloudification of bank branches Scenario 2: interconnection load balancing between backbone clouds DC DC DC DC DC Branch/outlet Branch/outlet Cutting-edge feature: SRv6, enabling one-hop cloud access of branches Intelligent cloud-map algorithm Active DC Intra-city disaster recovery Remote disaster recovery Cloud management platform Cloud resource information 47% 50% 45% 31% 30% 32% 24,000+ branches 800 million transactions per day Cutting-edge feature: SRv6 intelligent scheduling, saving private line bandwidth 30% CNY 30 million
    • Services can be deployed in minutes, and new apps can be rolled out in months weeks.
    • Intelligent path optimization, network link utilization 35%
  • 517.
    Financial WAN Solution Architectures and Applicable Routers
    NetEngine 8000 X4 NetEngine 8000 M14 NetEngine 8000 M1C NetEngine 8000 X8 Backbone/DC GW routers Access Aggregation NetEngine 8000 M6 NetEngine 8000 M8 Aggregation Backbone network Third-party network Third-party network Third-party network Production campus Office building IoT + Terminals Multiple centers Authentication center Registration center Big data center DMZ open area Intranet service zone big data Distributed DC1 DMZ open area Extranet service zone big data Distributed DC2 DC-GW Aggregation Access Backbone Aggregation
  • 518.
    SRv6 Enables Fast Service Rollout for Bank Branches
    E2E SRv6: Technical approaches are used to break down silos between organizations at different levels, achieving agile service innovation.
    AS IS: Segment-by-segment management by the head office and branches
    • The network that connects data centers is managed by the head office. Networks connecting data centers and level-1 branches are managed by the head office and the branches. Networks that connect outlets and level-1 branches are managed by the branches.
    • The entire network is divided into three segments, making service provisioning difficult, because it requires coordination between network management departments at three levels.
    TO BE: Unified management by the head office
    • The SRv6 technology is used to build an end-to-end seamless network for data centers, branches, and outlets, extending the management scope of the original backbone domain.
    • E2E integrated service management, fast microservice provisioning
    Customer benefits: Provisioning time Months Minutes 10+ 3,000+ Service categories
    DC 2 Traditional outlets Traditional outlets Level-1 branch Level-2 branch Carrier network Carrier network DC DC DC DC DC Branch/outlet Branch/outlet NetEngine 8000 M6 NetEngine 8000 M1A DC 3 DC 1 Carrier network Carrier Carrier
  • 519.
    The Cloud-Map Algorithm Improves the Utilization of Financial Backbone Networks by 30%
    AS IS: Uneven private line usage, passive capacity expansion, high costs
    • The usage of busy lines is as high as 90%, which may result in transaction service failure. However, the usage of idle lines is as low as 20%. Traffic distribution is severely unbalanced.
    • Policies are manually delivered, and high-risk operations such as patch installation on the production network are prone to errors and may incur new problems.
    • Rough capacity expansion is performed, such as simply doubling the capacity of busy lines. In this case, the costs surge as the total private line bandwidth doubles.
    Carrier: Bandwidth, Peak, Utilization
    • China Unicom: 50 Mbit/s, 45 Mbit/s, 90.00%
    • China Telecom: 50 Mbit/s, 15 Mbit/s, 30.00%
    • China Mobile: 2 Mbit/s, 0 Mbit/s, 0%
    TO BE: Intelligent optimization, balanced traffic distribution
    • SRv6 Policies support both ECMP and UCMP, enabling automatic traffic balancing.
    • SRv6 can traverse all types of private lines for traffic optimization.
    • SLA assurance for production services: Low-priority services are preferentially scheduled to other paths, ensuring that bandwidth requirements of high-priority services are met.
    Customer benefits: Capacity expansion frequency 1 year 3 years
    DC1 DC3 DC2 Branches 30% 30% 30% Reduced investment CNY XX millions/year DC1 DC3 DC2 Branches 90% 20% 0% China Unicom China Telecom China Mobile High private line utilization Full Mesh SR-TE On-demand path splitting SRv6 Policy
  • 520.
    Industry's Only DCI WAN Data Compression Solution, Reducing Bandwidth by 30%+
    AS IS: Inter-cloud traffic increases, and capacity expansion costs are high.
    • Single-cloud architecture -> multi-cloud architecture, inter-cloud traffic increases greatly
    • The traffic increases by 30% per year, and the investment in capacity expansion is as high as 1 billion.
    Single cloud 30% per year Traffic increase Multiple clouds 1 billion per year High capacity expansion costs
    TO BE: Enhanced compression algorithm and efficient data compression
    • No service impacts: Data compression without affecting services
    • Easy deployment: Stateless data decompression
    • Ultra-high performance: 160 Gbit/s throughput
    • Efficient compression: Enhanced compression algorithm, enabling 30%+ data reduction
    The lz4 and zstd algorithms are used to compress data to increase the data transmission volume.
    Source IP address Destination IP address Compression flag Source and destination ports Compressed data Built-in Huawei-exclusive
    VSUI-400 Data center A Data center B Core backbone network IP support network Data compression card Data compression card Experimental network of a bank in China
    Customer benefits:
    • OPEX reduction: CNY 30 million per year
    • Data reduction: 30%
  • 521.
    Highlights of the Financial WAN Solution
    Energy efficiency 30% less energy consumption Any topology Carrier-class protection End-to-end MACsec/IPsec High security and reliability Industry-leading financial DCI router NetEngine 8000 X4 SRv6-based intelligent traffic steering Service provisioning within minutes APN6-based application-level assurance Intelligent identification and scheduling of apps NetEngine 8000 M1D-B High cost-effectiveness compared with similar products Branch access router Bandwidth compression by 37% VSUI-400 Industry's first WAN compression service board Data center Data center Data center Outlet Outlet Outlet Outlet Three data centers in two cities Cloud access Cloud access Stable High security and reliability Agile Quick service rollout Outlet
  • 522.
    Railway Services and Market Opportunities for Routers
    Base station Interlocking SCADA CTC CCTV OA Office phone Dispatch phone Tickets PIS Video conference WIFI Service types Opportunities Solution marketing guidance strategies Integrated information network Dispatch center Data center Railway signal bearer network SCADA server Vehicle-ground communication network BSC Core network
    ◼ Heavy traffic and large network scale are main application scenarios of routers.
    ◼ Guide customers to use the NetEngine 8000 series solution to carry all services on a unified network.
    ◼ Currently, industrial switches and dual-plane architecture are used.
    ◼ Guide customers to use an integrated information network as the backup plane or unified bearer network.
    ◼ Generally, SDH devices are used on the current network.
    ◼ Guide customers to use IP solutions instead of SDH solutions.
  • 523.
    Railway IP Multi-Service Network Architecture and Applicable Routers
    • A universal railway bearer network can be divided into three layers: core layer (regional center), aggregation layer (large station), and access layer (small station).
    • Considering the high reliability requirements of railway services, the access layer of GSM-R uses dual-plane networking. Two PEs are deployed for each site to provide redundancy protection.
    • Small stations are directly connected through optical fibers. Every four to six small stations are grouped into a ring network, which connects to the aggregation station. Aggregation stations can form an aggregation ring, which connects to the regional control center.
    Railway bearer network architecture: Access network IP multi-service bearer network Dispatch center Monitoring Office Travel uniform SCADA CTC dispatch center Data center NMS CCTV monitoring center Station interlocking SCADA Dispatch phone RBC GSM-R base station Counter-terrorism committee GSM-R base station BSC CCTV Signaling Dispatching GSM-R/LTE-R Data Access sites Aggregation sites Cores/Centers
    Routers applicable to railway bearer networks: NetEngine 8000 X4 NetEngine 8000 M14 NetEngine 8000 M8 NetEngine 8000 X8 Cores/Centers Aggregation sites Access sites NetEngine 8000 M6 NetEngine 8000 M1C NetEngine A821E
  • 524.
    Railway Service Deployment Solution
    Unified OT/IT bearer solution
    • Control plane: It is recommended that IS-IS L2 and SRv6 be used on the control plane, and that all service slices share the IGP process of the default slice. Slicing does not increase the complexity of service configuration.
    • Service plane: Use slicing and EVPN L3VPN/L2VPN to isolate services. SCADA/Signal/GSM-R uses separate slices and EVPN L2VPN for service isolation. Other services use shared single slices and EVPN L3VPN/L2EVPN for service isolation.
    • Protection: SRv6-BE and SRv6 Policies are supported. SRv6-BE supports TI-LFA protection. SRv6 Policies support TE FRR, TI-LFA, and mirroring protection. BFD is used for millisecond-level detection.
    CCTV OA Dispatch phone SCADA Software Access PE Aggregation PE GSM-R OCC Core PE Software Signal Dispatch center Dispatch center Network control plane Service control plane OAM plane SRv6 TE Policy SRv6 TE Policy SRv6 TE Policy SRv6-BE/SRv6 TE Policy IS-IS Level2 SRv6-BE/SRv6 Policy GSM-R slicing: EVPN L2VPN Signal slicing: EVPN L2VPN BFD SCADA: EVPN L2VPN Default slice (office, video surveillance, and dispatch phone): EVPN L3VPN/L2VPN
  • 525.
    Electric Power Services and Market Opportunities for Routers
    Two opportunities: power transmission and transformation communications network, power broadband operation
    Power generation Power distribution Power transmission and distribution Group company Headquarters Office building Service center • Power dispatching IT platform • MIS IT platform • Security monitoring for power plant campuses • Transmission and transformation communication network for a smart grid (90% SDH) • Integrated data communication network Distribution automation communications network • xPON/wireless/Internet backhaul • IT platform of distribution automation master station • Power IoT OT IT • Off-grid PV • Value-added service (power broadband operation) Others Integrated data communication network • Data center construction (ERP) • Campus network and security monitoring • New DWDM (DCI) • Collaborative office (UC & VC) • Call center Distribution and transformation
  • 526.
    Power WAN Solution and Applicable Routers
    IT services and OT services: Relay protection SCADA Video surveillance Dispatch phone WAMS Office phone Office automation WAPS
    • Slice 1: various office services
    • Slice 2: video surveillance
    • Slice 3: SCADA, WAMS, and dispatch phone
    • Slice 4: relay protection and WAPS
    Highlights:
    • All-in-one device: supports low-speed interfaces (G.703 64 kbit/s, C37.94, and RS232), reducing TCO.
    • Unified O&M: NCE manages power transmission and transformation network devices in a unified manner.
    • Assurance for SLA of key services: Ensure the SLA of key services and support 1G FlexE to implement OT/IT physical isolation.
    • SRv6/EVPN: Simplified protocols and simplified service deployment
    Power plant Dispatch center Substation
    • Access sites: NetEngine 8000 M6/M1C
    • Aggregation sites: NetEngine 8000 M8
    • Core sites: NetEngine 8000 M14
  • 527.
    Power Broadband Operation Solution
    Intelligent O&M
    • Full-lifecycle automation
    • IFIT: real-time service visualization and minute-level troubleshooting
    • Intelligent optimization of network paths
    SLA commitment
    • FlexE-based slicing, ensuring bandwidth
    • SRv6-based intelligent traffic steering, committed latency
    Simplified protocols and ultra-broadband
    • SRv6-based routing protocol simplification, enabling fast provisioning of services through NCE.
    • Ultra-broadband: E2E (aggregation to core) 100 Gbit/s or 400 Gbit/s
    Service core IPTV VOD/livecast HE NGN/IMS PC OLT ONT VoIP Set top box (STB) Terminal Small- and medium-sized enterprise DSLAM Enterprise Switch Power distribution room Dispatch center Base station Microwave Base station Internet Automated scheduling SLA assurance Proactive O&M substation NetEngine 8000 F1A/A821E/M1C/M6 NetEngine 8000 M8/M14 NetEngine 8000 M14/X4/X8
  • 528.
    Highlights of the Power WAN Solution
    Multi-rate ports 64K to 100GE Stepless bandwidth adjustment Jitter ≤ 100 μs MACsec encryption 10 Gbit/s FlexE, industry-leading low latency SDN Automated O&M SRv6-based intelligent traffic steering Intelligent traffic steering based on latency and bandwidth 1 Gbit/s to 100 Gbit/s FlexE slicing NetEngine 8000 M Security and stability Intelligence & agility Dispatch center Substation Power plant Substation Communication network for power transmission and transformation
  • 529.
    Summary
    ⚫ Our customers:
       ISP, government, power, transportation, etc.
    ⚫ Customer requirements on the WAN:
       High bandwidth
       High availability
       Easy O&M
    ⚫ Huawei NetEngine series:
       NetEngine 8000 and NetEngine 40E series
    ⚫ Highlights of Huawei solutions:
       SRv6
       FlexE
       IFIT + iMaster NCE
  • 530.
    Contents
    1. Scenarios and Trends
    2. Introduction to Huawei Routers
    3. Industry Application Solutions for Huawei Routers
    4. Reference Documents for Huawei Routers
  • 531.
    The Market Share of Huawei's NetEngine Routers Ranks No.1 in the World
    [Chart: market share (axis 0% to 40%) by quarter, 4Q20 to 4Q21, for Vendor C, Vendor J, Huawei, and Vendor N. Source: Omdia © 2022 Omdia]
  • 532.
    References for Huawei NetEngine Series Routers
    Detailed introduction materials: https://e.huawei.com/en/material/MaterialList
    Product overviews: https://e.huawei.com/en/products/enterprise-networking/routers
    NetEngine 8000 series product documentation: https://support.huawei.com/enterprise/en/routers/netengine-8000-pid-252772223
    Intent-driven IP solution: https://e.huawei.com/en/solutions/business-needs/enterprise-network/CloudWAN/intent-driven-ip
  • 533.
    Quiz
    1. What technology is used for "one-fiber multipurpose transport" in the CloudWAN 3.0 solution?
    2. Which one of Huawei enterprise routers is the minimum-specifications device that supports FlexE?
    3. What is the maximum forwarding capability of the main control board on the NetEngine 8000 M series routers?
  • 534.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved.
    The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
    Bring digital to every person, home, and organization for a fully connected, intelligent world.
    Thank you.
  • 535.
    Huawei Network Security Products and Solutions Presales Training
    ⚫ Department:
    ⚫ Author:
    ⚫ Date:
    ⚫ Security Level:
  • 536.
    Foreword
    ⚫ With the development of network information technologies such as the Internet, Internet of Things (IoT), big data, and cloud computing, thousands of industries are accelerating their digital transformation. Moreover, ubiquitous connectivity has made service cloudification, remote office, and mobile access of massive terminals available, breaking the network access boundary for people, devices, and services. This also leaves the network highly exposed to security threats. Worse yet, the number of advanced network threats is on the rise, such as that of advanced persistent threats (APTs) and zero-day vulnerabilities. Against this backdrop, how to effectively and efficiently defend against network security threats has become a key issue facing enterprises.
    ⚫ During traditional network security construction, firewalls are mainly used for border isolation. Security policies are configured to control service access and isolate threats, which fail to meet the requirements for dynamic network security defense, proactive defense, and multi-node collaborative defense amid new network threats.
    ⚫ On completion of this course, you will be able to understand the current situation and trend of network security, understand the basic knowledge about network security products and security technologies, and get familiar with the technical advantages of Huawei network security products and solutions.
  • 537.
    Objectives
    ⚫ On completion of this course, you will be able to:
       Understand the current situation and development trend of network security and get familiar with common network security products and basic knowledge
       Understand Huawei network security products, product functions and features, as well as the major sales scenarios
       Understand the technical features and applicable scenarios of Huawei security solutions
  • 538.
    Contents
    1. Network Security Overview
    2. Huawei Security Product Overview
    3. HiSec Solution
  • 539.
    Overview and Objectives
    ⚫ This chapter describes the current situation and development trend of network security, as well as the basic concepts and knowledge of network security. After learning this chapter, you will be able to:
       Understand the current situation and development trend of network security
       Get familiar with the basic knowledge of network security products
  • 540.
    Development Trend of Network Security Threats
    [Figure text: Hacker organizations with clear business or political motives, clear attack targets, and advanced attack methods Showing off expertise Organized crime Business Individual hackers: Showing off expertise and spoofing Industry chain: Money, theft/damage Hackers backed up by organizations or governments Business/Political requirements, interception/theft/damage Worms Trojan horses Web threats APTs Botnets Mobile threats Motiveless network attacks Common targeted network attack APTs Viruses Social engineering attacks and zero-day vulnerabilities: Targeted APTs Internet access: Random virus/Trojan horse infection Web vulnerabilities: Active web attacks and DoS attacks Capabilities and motives of hackers Attack methods and targets]
  • 541.
    Huawei Security Products, Leading the Industry with Multiple Authoritative Awards
    Gartner Magic Quadrant (Challengers)
    ✓ Huawei firewall: has been listed in Gartner Magic Quadrant since 2013
    ✓ Listed in Gartner's Challengers quadrant for 5 consecutive years
    ✓ Listed in Gartner Magic Quadrant for 9 consecutive years
    Gartner Peer Insights Customers' Choice
    ✓ Huawei firewall: recognized as Gartner Peer Insights Customers' Choice in 2021
    ✓ Comprehensive score of Huawei firewall: 4.9/5, ranking No. 1 among all global vendors
    "Strong Performer" in Forrester Wave™ Report
    Full score in multiple indicators, such as automatic malware analysis, intrusion prevention and detection, TLS decryption, and SOC-based automated analysis.
  • 542.
    Huawei Enterprise Security Product Portfolio
    [Figure text: Anti-DDoS Controller Firewall SecoManager Security Controller AntiDDoS1905 Fixed-configuration anti-DDoS Desktop firewall USG6510E USG6530E USG6575E-B USG6605E-B Bypass device High-end fixed-configuration USG6680E USG6712E USG6716E USG6525E USG6555E USG6565E USG6585E Entry-level and mid-range fixed-configuration USG6600 series USG6650E USG6630E USG6610E USG6620E AntiDDoS1908 USG6615F USG6625F USG6635F USG6655F USG6710F USG6715F USG6725F USG12008 AntiDDoS12004-F USG12004 Modular firewall USG12004-F USG12008-F AntiDDoS12004 AntiDDoS12008 Modular anti-DDoS AntiDDoS12008-F USG6685F Entry-level and mid-range fixed-configuration USG6500 series]
  • 543.
    Contents
    1. Network Security Overview
    2. Huawei Security Product Overview
       • USG Firewall
       • Anti-DDoS
       • SecoManager
    3. HiSec Solution
  • 544.
    Overview and Objectives
    ⚫ This chapter describes the types, functions, technical advantages, and major sales scenarios of Huawei network security products. After learning this chapter, you will be able to:
       Understand Huawei network security capabilities and products
       Understand the benefits and highlights of Huawei network security products
       Understand common sales scenarios of Huawei network security products
  • 545.
    Huawei Next-Generation Firewalls
    USG6712E, 120 Gbps, 1 U, 2 x 100GE + 2 x 40GE + 20 x 10GE + 2 x 10GE, HA
    USG6716E, 160 Gbps, 1 U, 2 x 100GE + 2 x 40GE + 20 x 10GE + 2 x 10GE, HA
    USG6565E, 6 Gbps, 1 U, 2 x 10GE + 8 x GE combo + 2 x GE WAN
    USG6555E, 4 Gbps, 1 U, 2 x 10GE + 8 x GE combo + 2 x GE WAN
    USG6525E, 2 Gbps, 1 U, 2 x 10GE + 8 x GE combo + 2 x GE WAN
    USG6610E, 10 Gbps, 1 U, 12 x GE (RJ45) + 8 x GE (SFP+) + 4 x 10GE (SFP+) + 1 x USB3.0
    USG6630E, 30 Gbps, 1 U, 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE + 1 x USB3.0
    USG6650E, 40 Gbps, 1 U, 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE + 1 x USB3.0
    USG6530E, 4 Gbps, Desktop, 4 x GE + 2 combo, 2 x 10GE + 10 x GE (RJ45)
    USG6510E, 1.2 Gbps, Desktop, 2 x GE (SFP) + 10 x GE (RJ45)
    USG6620E, 20 Gbps, 1 U, 12 x GE (RJ45) + 8 x GE (SFP+) + 4 x 10GE (SFP+) + 1 x USB3.0
    USG6680E, 80 Gbps, 1 U, 4 x 40GE + 28 x 10GE + 2 x 10GE, HA
    USG6585E, 9 Gbps, 1 U, 2 x 10GE + 8 x GE combo + 2 x GE WAN
    USG12004, 960 Gbps, 9.8 U, 40GE, 100GE
    USG6510E-POE, 1.2 Gbps, Desktop, 2 x GE (SFP) + 10 x GE (RJ45), GE0/0/0-GE0/0/3 support PoE
    USG6635F, 35 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+) + 1 x USB3.0
    USG6615F, 15 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 4 x GE (SFP) + 6 x 10GE (SFP+) + 1 x USB3.0
    USG6625F, 25 Gbps, 1 U, 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE + 1 x USB3.0
    USG6685F, 80 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+)
    USG6655F, 50 Gbps, 1 U, 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+) + 1 x USB3.0
    USG6710F, 100 Gbps, 1 U, 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 8 x 25GE (ZSFP+) + 20 x 10GE (SFP+)
    USG6715F, 160 Gbps, 1 U, 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 8 x 25GE (ZSFP+) + 20 x 10GE (SFP+)
    USG6725F, 240 Gbps, 1 U, 4 x 100GE (QSFP28) + 16 x 25GE (ZSFP+) + 8 x 10GE (SFP+)
    USG12004-F, 400 Gbps, 8 U, 40GE, 100GE
    USG12008-F, 800 Gbps, 13 U, 40GE, 100GE
    USG12008, 2.4 Tbps, 15.8 U, 40GE, 100GE
    License
    • USG12000 performance expansion license: 20 Gbit/s
    • Virtual system (vSYS) license: 10 vSYSs are provided for free. The number of virtual firewalls for expansion ranges from 5 to 4000.
    • Number of concurrent SSL VPN users: 100 users are provided for free. The number of users for expansion ranges from 100 to 20,000.
    • Threat prevention service life, including intrusion prevention system (IPS), antivirus (AV), and URL filtering
    [Figure text: IPS/AV board (100 Gbps) 4 x 100GE + 24 x 10GE Expansion card 1 Firewall board (480 Gbps) Expansion card 2 Expansion module 2 x 100GE + 24 x 10GE 48 x 10GE 18 x 100GE]
  • 546.
    Proper Hardware Design, High Reliability, and Higher Energy Efficiency, Ideal for Future-Proof Equipment Rooms
    • Automatic power consumption adjustment based on the interface working status, reducing power consumption by 30%
    • Adaptive Voltage Scaling (AVS) for the core components, effectively reducing power consumption
    Intelligent frequency conversion, saving more power
    Solid-state drives (SSDs) and hard disk drives (HDDs) both available, meeting log storage requirements
    Flexible hard disk combination
    Various interfaces
    • Bypass interfaces available on the USG6000E-B model, ensuring link connection even in device power-off scenarios
    • Flexible selection of 10GE and GE interfaces
    • Downwardly adaptive, enabling more flexible applications
    • Front-to-rear airflows, meeting data center (DC) requirements
    • 1 U in height, saving rack space
    Dedicated for DCs
    • Multiple fan modules for redundancy, supporting hot swapping
    • Dual power modules for redundancy, supporting hot swapping
  • 547.
    USG Series Firewalls Supporting Lower Than 10 Gbit/s: Huawei HiSecEngine USG6000E Series Firewalls
    Model: USG6510E | USG6530E | USG6525E | USG6555E | USG6565E | USG6585E | USG6575E-B | USG6605E-B
    Interface (merged cells): 2 x GE (SFP) + 10 x GE | 2 x 10GE (SFP+) + 10 x GE | 2 x 10GE (SFP+) + 8 x GE combo + 2 x GE WAN | 16 x GE (RJ45) + 8 x GE combo + 2 x 10GE (SFP+)
    Firewall Throughput: 1.2 Gbit/s | 4 Gbit/s | 2 Gbit/s | 4 Gbit/s | 6 Gbit/s | 9 Gbit/s | 7 Gbit/s | 10 Gbit/s
    Full Protection Throughput (Realworld): 0.3 Gbit/s | 0.6 Gbit/s | 0.6 Gbit/s | 0.8 Gbit/s | 0.9 Gbit/s | 1 Gbit/s | 1 Gbit/s | 1.4 Gbit/s
    IPsec VPN Throughput: 1 Gbit/s | 3 Gbit/s | 2 Gbit/s | 4 Gbit/s | 6 Gbit/s | 6 Gbit/s | 6 Gbit/s | 6 Gbit/s
    Form (merged cells): Desktop | 1 U
    Storage (merged cells): Optional, 64 GB/128 GB micro-SD card supported | Optional, M.2 card supported, 64 GB/240 GB | Optional, M.2 card supported, 240 GB | Optional, 2.5-inch SSD/HDD supported, 240 GB for SSD and 1 TB for HDD
    Power Module (merged cells): Adapter | Dual power modules (optional) | Dual power modules (optional)
    Airflow (merged cells): Natural heat dissipation | Front-to-rear airflow
    Fan Module (merged cells): None | Standard pluggable fan module
    USG6000E-B: A hardware bypass model with two electrical bypass interface pairs, providing higher reliability.
  • 548.
    USG Series Fixed-Configuration Firewalls Supporting Higher Than 10 Gbit/s (1/2): Huawei HiSecEngine USG6000E Series AI Firewalls
    Model: USG6610E | USG6620E | USG6630E | USG6650E | USG6680E | USG6712E | USG6716E
    Interface (merged cells): 12 x GE (RJ45) + 8 x GE (SFP) + 4 x 10GE (SFP+) | 2 x 40GE (QSFP+) + 12 x 10GE (SFP+) + 12 x GE | 4 x 40GE (QSFP+) + 28 x 10GE (SFP+), 2 x 10GE (SFP+) HA1 | 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 20 x 10GE (SFP+) + 2 x 10GE (SFP+) HA2
    Firewall Throughput: 12 Gbit/s | 20 Gbit/s | 30 Gbit/s | 40 Gbit/s | 80 Gbit/s | 120 Gbit/s | 160 Gbit/s
    Full Protection Throughput (Realworld): 4.8 Gbit/s | 4.8 Gbit/s | 6 Gbit/s | 6 Gbit/s | 12 Gbit/s | 16 Gbit/s | 18 Gbit/s
    IPsec VPN Throughput: 10 Gbit/s | 20 Gbit/s | 20 Gbit/s | 30 Gbit/s | 70 Gbit/s | 100 Gbit/s | 120 Gbit/s
    Form: 1 U
    Storage: Optional, 2.5-inch SSD/HDD supported, 240 GB for SSD and 1 TB for HDD
    Power Module (merged cells): Dual power modules (optional) | Dual power modules (standard)
    Airflow: Front-to-rear airflow
    Fan Module: Standard pluggable fan module
  • 549.
    USG Series Fixed-Configuration Firewalls Supporting Higher Than 10 Gbit/s (2/2): Huawei HiSecEngine USG6000F Series AI Firewalls
    Model: USG6615F | USG6625F | USG6635F | USG6655F | USG6685F | USG6710F | USG6715F | USG6725F
    Interface (merged cells): 8 x GE combo + 4 x GE (RJ45) + 4 x GE (SFP) + 6 x 10GE (SFP+) | 8 x GE combo + 4 x GE (RJ45) + 10 x 10GE (SFP+) | 2 x 100GE (QSFP28) + 2 x 40GE (QSFP+) + 8 x 25GE (ZSFP+) + 20 x 10GE (SFP+) | 4 x 100GE (QSFP28) + 16 x 25GE (ZSFP+) + 8 x 10GE (SFP+)
    Firewall Throughput: 15 Gbit/s | 25 Gbit/s | 35 Gbit/s | 50 Gbit/s | 80 Gbit/s | 100 Gbit/s | 160 Gbit/s | 240 Gbit/s
    Full Protection Throughput (Realworld): 4 Gbit/s | 5 Gbit/s | 7 Gbit/s | 8 Gbit/s | 8 Gbit/s | 16 Gbit/s | 16 Gbit/s | 24 Gbit/s
    IPsec VPN Throughput: 15 Gbit/s | 25 Gbit/s | 30 Gbit/s | 30 Gbit/s | 30 Gbit/s | 40 Gbit/s | 45 Gbit/s | 65 Gbit/s
    Form: 1 U
    Storage: Optional, 2.5-inch SSD/HDD supported, 240 GB for SSD and 1 TB for HDD
    Power Module (merged cells): Dual power modules (optional) | Dual power modules (standard)
    Fan Module (merged cells): 1+3, standard pluggable | 1+4, standard pluggable
    Airflow: Standard front-to-rear airflow
    Note: Some 100GE interfaces and 25GE interfaces on the USG6710F/USG6715F/USG6725F work as combo interfaces.
  • 550.
    USG12000 Series Modular Firewalls, Providing Industry's Highest Throughput
    Model: USG12004 | USG12008
    Firewall Throughput (Maximum): 960 Gbit/s | 2.4 Tbit/s
    IPsec VPN Throughput: 540 Gbit/s | 1 Tbit/s
    Concurrent Session Number (Maximum): 640,000,000 | 1,920,000,000
    MPU Slot: 2 | 2
    Service Expansion Slot: 4 | 8
    LPU: 24 x 10GE + 4 x 100GE; 24 x 10GE + 2 x 100GE; 48 x 10GE | 24 x 10GE + 4 x 100GE; 24 x 10GE + 2 x 100GE; 48 x 10GE; 18 x 100GE
    SPU: SPUs and expansion cards, threat prevention processing boards and expansion cards
    Dimensions (H x W x D) (mm): 436 x 442 x 905 (10 U) | 702 x 442 x 905 (16 U)
    Airflow: Front-to-rear airflow | Front-to-rear airflow
    1. Self-developed software, hardware, and core chips
    2. Processing capability: single-slot 400 Gbit/s, outperforming competitors' single-slot 200 Gbit/s
    3. Highest density of 100GE interfaces per slot and the 100GE interfaces are configured in 40GE, 4 x 25GE, or 4 x 10GE mode. The 10GE interfaces are backward compatible with GE interfaces.
  • 551.
    USG12000-F Series Modular Firewalls, Ensuring Cost-Effectiveness
    Model: USG12004-F | USG12008-F
    Firewall Throughput: 400 Gbit/s | 800 Gbit/s
    IPsec VPN Throughput: 189 Gbit/s | 378 Gbit/s
    Concurrent Session Number (Maximum): 180,000,000 | 360,000,000
    MPU Slot: 2 | 2
    Service Expansion Slot: 4 | 8
    LPU: 2 x 40GE/100GE + 12 x 10GE; 24 x 10GE | 2 x 40GE/100GE + 12 x 10GE; 24 x 10GE
    SPU: SPUs and expansion cards, threat prevention processing boards and expansion cards
    Dimensions (H x W x D) (mm): 352.8 x 442 x 585.5 (8 U) | 575 x 442 x 585.5 (13 U)
    Airflow: Front-to-rear airflow | Front-to-rear airflow
    1. Self-developed software, hardware, and core chips
    2. The 100GE interfaces are configured in 40GE, 4 x 25GE, or 4 x 10GE mode. The 10GE interfaces are backward compatible with GE interfaces.
  • 552.
    How to Select a Desired Product for Campus Border Protection?
    Key parameters
    1. Actual throughput when the firewall, situational awareness (SA), IPS, and AV functions are enabled together
    2. Concurrent session number (300 to 400 sessions/user)
    3. Interface
    4. IPsec throughput or number of tunnels
    If there is no specific requirement, refer to the throughput of the actual traffic.
  • 553.
    Major Product Advantages
    Excellent performance: 100% utilization of firewall's defense capabilities, improving the unknown threat detection performance by 5 times
    Intelligent defense: Real-time handling of threats at the network edge, ensuring an unknown threat detection accuracy of over 99%
    Simplified O&M: Security O&M based on service deployment and policy changes, slashing OPEX by over 80%
  • 554.
    Dynamic Resource Allocation to Service Modules by ASE, Maximizing Resource Utilization
    To-Be (figure): Dynamic memory allocation for IPS; Dynamic memory allocation for AV; Dynamic memory allocation for anti-DDoS; Memory pre-allocation for policy functions; Idle resources
    To-Be: The Adaptive Security Engine (ASE) is used to dynamically allocate CPU resources to service modules, maximizing resource utilization. In addition, component-based function delivery is available.
    As-Is (figure): Memory pre-allocation for IPS; Memory pre-allocation for AV; Memory pre-allocation for policy functions; Idle resources; Memory pre-allocation for anti-DDoS
    As-Is: Resources are dynamically allocated to service modules in advance. The resources are occupied and cannot be dynamically optimized. The functions of each module must be delivered as a whole.
    • The traditional mechanism allocates CPU resources to each function module in advance. Memory resources are still reserved for function modules even if the corresponding functions are disabled. When the functions require more resources, the memory cannot be dynamically allocated.
    • Component-based delivery is not available. Therefore, compilation, release, and restart must be performed as a whole.
    • Flexible resource scheduling: ASE can dynamically schedule processes based on CPU resources and service traffic to decouple content security services, maximizing resource utilization.
    • Component-based delivery: independent compilation, release, deployment, restart, and upgrade.
    [Figure text: Content security features Network features]
  • 555.
    Extensive Security Database and Comprehensive Security Detection Capabilities
    Defense against botnets, Trojan horses, and worms
    ⚫ Identified botnets: 500+
    ⚫ Identified worms and Trojan horses: 1000+
    ⚫ Accurate role identification capability based on botnet topology analysis technology
    ⚫ Zombie tool collection and analysis technology
    Service awareness
    ⚫ Identified applications: 6000+
    ⚫ Full coverage of mainstream application protocols
    ⚫ Support encrypted P2P protocols, Web 2.0, mobile applications, and micro applications
    ⚫ Rapid response to customized requirements
    Anti-malware
    ⚫ Multi-level protection technologies defending against hundreds of millions of viruses
    ⚫ Integrated intelligent technologies, detecting unknown viruses (through CDE)
    ⚫ Detection of 20+ types of malicious code carriers
    ⚫ Threat detection accuracy: over 99.9%
    ⚫ Real-time virus database update, covering popular high-risk malware
    Intrusion prevention
    ⚫ 12,000+ signatures, 80%+ default blocking rate, and emergency patch update for vulnerabilities within 24 hours
    ⚫ Attack detection technologies based on vulnerability and behavior analysis
    ⚫ Anti-evasion technologies based on context semantic restoration
    Web category (URL)
    ⚫ Main web category database capacity: > 160 million
    ⚫ Local high-performance self-learning hot database
    ⚫ Effective data matching rate: 96%+
    ⚫ Enterprise-level web categories: 100+
    ⚫ Real-time analysis of 500 million URLs on the cloud
    Huawei security center: https://isecurity.huawei.com/sec/web/securityResearch.do#
  • 556.
    Identification of 6000+ Applications in 57 Subcategories Under 5 Categories, Enabling Policy Control and Traffic Visualization
    Policy control
    ▪ Application control, for example, denying the access to some services or allowing only the access to some services
    ▪ Bandwidth control, for example, limited rate of P2P applications
    ▪ Policy-based routing (PBR), for example, enterprise applications using ISP-A (high rate but expensive), and entertainment applications using ISP-B (unstable rate but cost-effective)
    [Figure text: Application identification scenario Traffic visualization USG6300E Game Media Mail Map Yahoo Mail Lotus Notes NaviGon Warcraft Facebook games Google Maps Youtube Facebook videos Facebook games Yahoo Mail Lotus Notes Youtube Warcraft Facebook videos Google Maps]
  • 557.
    Cloud-based Intelligent Signature Production, Continuously Improving the IPS Blocking Rate
    High risks caused by the low blocking rate
    ➢ Small number of signatures, resulting in a limited detection scope of vulnerabilities
    ➢ Massive alarm information, requiring manual intervention
    ➢ Information leakage, privilege escalation, and Denial of Service (DoS) attacks caused by delayed blocking
    Intelligent signature production + baseline learning
    ➢ Cloud-based intelligent signature production, improving production efficiency by 30 times
    ➢ Local baseline learning, improving IPS blocking accuracy
    ➢ Malware sample–based incremental learning, reversely training the detection engines
    IPS blocking rate: 3x the industry average
    ➢ Industry average IPS blocking rate: 30%
    ➢ Huawei's current IPS blocking rate: 80%
    ➢ "Recommended" rating from NSS Labs
    [Figure text: App Alarm Block Alarm Intelligent signature production Malware samples Non-malware samples IPS/AV detection engine Traffic baseline + Intelligence Cloud + Intelligence 30% Industry average 80% Huawei's current data]
  • 558.
    12000+ IPS Signatures and 400+ Anti-evasion Methods, Building Fast and Cost-Effective Intrusion Prevention Capabilities
    Intrusion prevention capabilities
    ▪ Number of IPS signatures: 12,000+, covering 8000+ CVEs as well as 2000+ botnet, Trojan horse, and worm families
    ▪ Anti-evasion: 400+ anti-evasion methods, including traffic reassembly and application content identification
    ▪ Update frequency: once or more per week for regular updates and once per 24 hours for urgent updates
    ▪ Wide vulnerability information sources: commercial organizations, open-source organizations, and Huawei WeiRan Lab
    ▪ Default blocking rate of up to 80%, reducing alarm logs: the number of alarm logs to be analyzed is reduced by 40% to 60%, simplifying O&M
    Vulnerability types and harm
    ▪ Vulnerability types: system vulnerability and application software vulnerability
    ▪ Attack methods: command line injection, remote code execution, cross-site attacks, brute-force attacks, etc.
    ▪ Bearer protocols: including HTTP, FTP, SMTP, and SMB
    ▪ Harm: DoS attacks, information leakage, and privilege escalation
    Pre-attack
    ⚫ IP address scanning
    ⚫ Port address scanning
    ⚫ Software system scanning
    ⚫ Software vulnerability scanning
    During attack
    ⚫ Inputting commands
    ⚫ Cross-site attacks
    ⚫ Remote code execution
    ⚫ Brute-force attacks
    Post-attack
    ⚫ Malware planting
    ⚫ Controlling attacked devices
    ⚫ Transmitting data outwards
    ⚫ Changing a host to a zombie
    [Figure text: Security Competence Center Signature database Update Server OA USG6000F Attack traffic Service traffic]
  • 559.
    Self-Developed CDE Engine with Intelligent Algorithms, Improving the Malicious File Detection Rate
    ✓ CNCERT captured 100+ million malicious programs in 2018.
    ✓ "DTStealer" virus attacks 100,000 users in just 2 hours.
    ✓ Data encrypted by ransomware is difficult to recover.
    File hash detection
    Signature : Malicious file = 1:1
    Features: ✓ Fast detection speed ✓ Few coverage samples
    Malicious family signature detection
    Signature : Malicious file family = 1:1
    Features: ✓ Slow detection speed ✓ Numerous detectable files
    Huawei CDE
    ✓ Signature : Malicious file family = 1:N
    ✓ High detection speed, matching virus signature detection performance
    ✓ Capability of detecting unknown threats
    Analyze massive samples to extract virus features. Introduce the machine learning algorithm — PE Class 2.0. Perform in-depth decoding of multiple types of files.
    [Figure text: CDE Virus detection engine Data type identification Content extraction Scanner]
    [Chart labels: 68% Defense tool A 91% 92% 97% Huawei CDE Defense tool B Defense tool C]
    ✓ Average relative detection rate (30 days)
    ✓ Daily tests on the latest 500,000 samples by Huawei WeiRan Lab
  • 560.
    Dynamic and Static Intelligent Uplink Selection Based on Multiple Egress Links
    Static intelligent uplink selection
    ⚫ User-defined weight, flexible traffic scheduling, and flexible combination of multiple static modes
    ⚫ Uplink selection by binding ISP address sets to interfaces
    • Link weight
    • Interface bandwidth
    • Link priority (1 primary link + N secondary links)
    Dynamic intelligent uplink selection
    ⚫ User-defined link SLA (latency, jitter, and packet loss rate) for optimal link selection to forward traffic
    ⚫ Application-based intelligent uplink selection
    • Latency
    • Jitter
    • Packet loss rate
    [Figure text: ISP1 ISP2 ISP1 ISP2 ISP1 Video Traffic of file downloading]
  • 561.
    High-Performance and High-Reliability IPsec VPN, Applicable to Video Traffic Transmission and Multi-Branch Scenarios
    Scenario-specific requirements:
    • Heavy video traffic requires high service processing performance.
    • Encrypted transmission is required to improve transmission security.
    [Figure text: SecoManager DC Video storage server AIFW AIFW AIFW AIFW Branch Branch Branch IPsec decryption IPsec encryption Encrypted video traffic transmission Province B VPN gateway USG6300E Province A ... HQ USG6000E HQ-branch interconnection]
    IPsec VPN highlights:
    • SM2/SM3/SM4 encryption algorithms, improving security
    • Pattern matching engine–driven encryption, delivering 3x industry average performance
    Scenario-specific requirements:
    • Multi-branch communication requires security assurance.
    • Communication quality needs to be ensured.
    IPsec VPN highlights:
    • SM2/SM3/SM4 encryption algorithms, improving security
    • IPsec intelligent traffic steering, ensuring communication quality
  • 562.
    Convenient, Secure, and Reliable SSL VPN, Meeting Remote Office Requirements
    Convenience: Supports four access modes: web proxy, file sharing, interface forwarding, and network extension, enabling convenient and secure access to intranet resources.
    Flexible authentication and precise control: Supports fine-grained permission control based on the type of resources to be accessed.
    Potential risk elimination: Provides host check policies to check whether the operating systems, interfaces, processes, and AV software of remote user terminals meet security requirements, and provides the secondary jump prevention as well as anti-snapshot functions to eliminate security risks for remote user terminals.
    [Figure text: Office PCs Intranet servers Internet Huawei AIFW Internal network Application Time Attack Content User New threat identification Malicious codes 140 million URLs Identification of 30+ types of file contents Identification of 120+ file types 7 types of user authentication technologies 5-tuple Application Content Time User Threat Action Identification of 6000+ types of applications Security policy: IPS AV VPN URL DDoS Bandwidth management Firewall]
  • 563.
    Better User Experience: All-New Web UI, Enabling Threat Visualization
    Newly added network threat scoring and kill chain visualization functions
    Attack situation (IoC): 1 Investigation 2 Penetration 3 C&C stagnation 3 Proliferation 1 Compromise
    Attack details:
    No. | Category | Event | Description | Impact | Source | Time | Details
    1 | Investigation | Application scanning | Web scanning | Low | *.*.22.2 | 2020... | Report
    2 | Penetration | SQL injection | SQL attempt | Low | *.*.22.2 | 2020... | Report
    3 | Penetration | SQL injection | SQL executed | High | *.*.22.2 | 2020... | Report
    4 | Penetration | Web backdoor upload | Trojan horse upload | High | *.*.22.2 | 2020... | Report
    5 | C&C stagnation | Web backdoor command | Web backdoor command | High | *.*.22.2 | 2020... | Report
  • 564.
    Multi-Branch Cloud-based Management, Easy to Use
    Zero Touch Provisioning (ZTP)
    Three steps for device management through iMaster NCE-Campus:
    1. Obtain the IP address.
    2. Log in to the Huawei Cloud DNS registration center and obtain the latest version of iMaster NCE-Campus.
    3. Connect the device to iMaster NCE-Campus, which automatically delivers pre-configurations to the device.
    [Figure text: Cloud management platform iMaster NCE-Campus Obtain the IP address of iMaster NCE-Campus Managed by iMaster NCE-Campus]
    [Figure text: The device has been connected to the cloud management platform. Data has been transmitted and received between the device and the cloud management platform. The device has accessed the cloud management platform. USB-based deployment has been completed. The system is reading data from the USB flash drive. Blinks four times every second Steady on Steady on Default display status]
    Hardware usability: 2 PoE+ or 4 PoE interfaces, ideal for power supply in small-sized branch scenarios
    SecoManager integrated into iMaster NCE-Campus: SecoManager integrated into iMaster NCE-Campus as an application. Configure and manage advanced security services, including IPS, AV, URL filtering, and anti-APT.
  • 565.
  • 566.
    Major Application Scenarios of Huawei Network Security (1/3): Internet Border Protection
    Challenges
    • Intrusions through web and application vulnerabilities
    • Intrusions through botnets, Trojan horses, viruses, and malicious codes
    • Phishing (through mails and web pages) and APTs
    • Distributed denial-of-service (DDoS) attacks
    • Bandwidth abuse, failing to ensure QoS for key services
    Customer benefits
    • Intrusion prevention: flow-based signature detection by the intrusion prevention signature database with 12,000+ signatures, causing approximately 0 false positives
    • Antivirus: combination of application identification and virus scanning, detecting over 5,000,000 viruses
    • Data breach prevention: identification and filtering for files and file contents transmitted through emails, HTTP, FTP, IM, and SNS, identifying 120+ file types, as well as restoring and filtering 30+ types of file contents
    • Anti-DDoS: defense against multiple types of DDoS attacks
    • Security performance: 10GE full-featured threat prevention performance, offering 40 Gbit/s at maximum
    • Application-specific QoS optimization: identification of 6000+ applications, as well as application-based bandwidth limiting, minimum bandwidth guarantee, and PBR
    • Detection of unknown threats: cloud-based sandbox detection technology and daily-updated signature database
    • Intelligent management: automatic generation of the strictest security policies and easy optimization
    [Figure text: Campus intranet Firewall Internet]
  • 567.
    Major Application Scenarios of Huawei Network Security (2/3): Secure Interconnection Between Subnets/Branches
    Challenges
    • Service data breach during transmission
    • Intrusion behaviors of intranet users
    • Virus spreading on the intranet
    • Unauthorized access from internal personnel
    • Resource abuse, occupying service bandwidths
    Customer benefits
    • VPN: IPsec, SSL VPN, and IPsec hot standby, ensuring zero service interruption. The DSVPN technology is also supported.
    • Intrusion prevention, AV, and data breach prevention
    • Application-specific QoS optimization: identification of 6000+ applications, as well as application-based bandwidth limiting, minimum bandwidth guarantee, and PBR
    • Detection of unknown threats: cloud-based sandbox detection technology and daily updated signature database
    [Figure text: WAN access zone Branch HQ LAN IPsec VPN Firewall Firewall LAN LAN LAN WAN (private network)]
  • 568.
    Major Application Scenarios of Huawei Network Security (3/3): DC Security
    [Diagram: Internet, firewalls, DDoS, border leaf, spine, server leaf, VXLAN domain, SecoManager, service-oriented integration]
    Challenges
    • Features to adapt to the cloud, such as elastic scaling, fast onboarding, and self-service
    • Blurred network borders and escalated security threats
    • Requirements for powerful processing performance, reasonable traffic management mechanism, and complete reliability mechanism
    Customer benefits
    • For different traffic of tenants, security resource pools and service traffic diversion can be used to provide north-south and east-west security services for tenants.
    • Rich security capabilities: meeting the security protection requirements of cloud DC borders, tenant borders, and tenant intranets
    • High performance: built-in NP acceleration engine, content mode matching engine, and encryption/decryption engine, offering high service processing performance
    • High reliability: hot standby, effectively improving reliability
  • 569.
    Contents
    1. Network Security Overview
    2. Huawei Security Product Overview
       • USG Firewall
       • Anti-DDoS
       • SecoManager
    3. HiSec Solution
  • 570.
    Huawei Anti-DDoS Solution Products and Services
    Management center: SecoManager
    • Installed on the server
    • Used to configure defense policies and view reports
    • Supports connections from RESTful APIs and Syslog to a third-party SOC
    Detecting center: per-packet detection
    Cleaning center
    Products
    • HiSecEngine AntiDDoS12004: 400 Gbps (maximum)
    • HiSecEngine AntiDDoS12008: 1.2 Tbps (maximum)
    • HiSecEngine AntiDDoS1905: 40 Gbps (maximum)
    • HiSecEngine AntiDDoS1908: 80 Gbps (maximum)
    • HiSecEngine AntiDDoS12004-F: 300 Gbps (maximum)
    • HiSecEngine AntiDDoS12008-F: 600 Gbps (maximum)
  • 571.
    Huawei Anti-DDoS Solution Advantages
    Superb performance
    • NP-boosted hardware defense acceleration powered by collaborative processing with CPU, small-packet defense for boards at 200 Gbit/s, ensuring terabit-level defense for each standalone device
    • Increased number of boards, delivering linear performance growth
    • Highly reliable software and hardware platforms, enabling the stable running of devices for 5 years
    Millisecond-level response
    • Per-packet detection of all traffic and 60+ traffic models
    • Millisecond-level attack response, fastest in the industry
    • Instant blocking of pulse-wave attacks and heavy-traffic attacks, ensuring zero impact on services
    Precise defense
    • Intelligent 7-layer filtering capability + multi-dimensional machine learning, rapidly blocking 100+ attacks at the network and application layers, the most in the industry
    • Behavior analysis + machine learning, accurately identifying CC attacks
    • Unique defense engine that allows online upgrade, quickly responding to attack evolutions
    Intelligent driving
    • Attack-defense confrontation experience incorporated into expert policy templates, providing out-of-the-box availability
    • Automatic defense effect evaluation and defense policy optimization
    [Diagram labels: NP, CPU, support.huawei.com, Huawei official website, automatic defense policy optimization, real-time defense effect evaluation, attack-defense confrontation, attack process snapshots]
  • 572.
    Superb Performance: Terabit-Level Defense for Each Standalone Device, On-Demand Defense Performance Expansion, and Optimal TCO
    Hardware defense acceleration
    • NP-boosted intelligent defense acceleration powered by collaborative processing with CPU, efficiently defending against heavy-traffic attacks
    • Integration of multiple high-performance multi-core CPUs into boards
    • Small-packet line-speed defense for boards
    Terabit-level defense
    • Up to 18 x 100GE LPUs and high-density interfaces
    • Flexible deployment of 10GE, 40GE, and 100GE interfaces
    • Terabit-level anti-DDoS capability of each standalone device
    On-demand capacity expansion
    • Traffic diversion on LPUs, ensuring service load balancing
    • 10-fold expansion capability of the entire device
    • On-demand capacity expansion, providing large-capacity protection with the lowest total cost of operations (TCO)
    [Chart: anti-DDoS performance against number of SPUs, Industry vs. Huawei, up to 1.2 T; diagram labels: NP, CPU]
  • 573.
    Millisecond-Level Response: Blocking Heavy-Traffic Attacks in Milliseconds Without Affecting Services
    Terabit-level attacks with sharply increased traffic in minutes, challenging the response speed of defense systems
    Millisecond-level attack response with zero impact on services
    • Per-packet detection of all traffic and 60+ traffic models
    • Millisecond-level attack response, fastest in the industry
    • Instant blocking of pulse-wave attacks and heavy-traffic attacks, ensuring zero impact on services
  • 574.
    Precise Defense: Intelligent 7-Layer Filtering Capability of CPU + AI, Filtering 100+ Attacks Layer by Layer
    Intelligent 7-layer filtering capability
    • Intelligent 7-layer filtering capability + multi-dimensional machine learning, rapidly blocking 100+ attacks at the network and application layers, ensuring service continuity
    • Multi-dimensional source access behavior analysis, accurately identifying high-frequency CC attacks, as well as defending against encrypted attacks without decryption, delivering high performance
    • Cluster analysis algorithm for machine learning, accurately identifying low-frequency CC attacks
    • Comprehensive defense, protecting key service systems including web, app, and DNS
    • IPv4/IPv6 dual-stack defense technology, facilitating smooth IPv4-to-IPv6 transition
    AI-powered detection engine and cluster analysis algorithm, accurately identifying robot access
    [Diagram labels: AI-powered detection engine, learning result application, BOT]
  • 575.
    Intelligent Driving: Expertise + Intelligent Technology Enablement, Out-of-the-Box Availability, and Intelligent Driving During Whole Defense Process
    • Service learning: multi-dimensional service traffic model learning and automatic defense threshold setting
    • Deployment for rollout: attack-defense confrontation experience incorporated into expert policy templates, providing out-of-the-box availability
    • Intelligent defense: attack-based dynamic defense policy optimization, ensuring service continuity
    • Attack source tracing: data archiving and retention for backtracking after attacks
    [Diagram labels: defense policy self-learning, defense policy templates, real-time defense effect evaluation, automatic defense policy optimization, attack-defense confrontation, attack process snapshots, attack event backtracking]
    Results
    • Attack handling time reduced from minutes to seconds: > 10 min to < 30s
    • Collection of traffic statistics on attack ranges reduced from minutes to seconds: 5 min to 10s
    • Attack defense automation rate increased to 99%: 45% to 99%
    Note: ratio of automatically handled attack events to total attack events
  • 576.
    Flexible Deployment Across Multiple Scenarios
    In-path deployment (transparent access supported) (Small and medium-sized enterprises)
    • Simple networking, blocking attacks in real time
    • The cleaning device is deployed in in-path mode in the upstream of the firewall and supports transparent access (applicable to scenarios where the firewall or load balancer replaces the router as an egress gateway).
    • Connection of the bypass card in serial mode, enhancing reliability
    Off-path dynamic traffic diversion and injection (Finance/Government/Carrier)
    • Zero impact on the original network architecture, requiring simple maintenance
    • Replacement of optical splitters through router interface mirroring on small-scale networks
    • Only attack traffic is diverted to the cleaning device for cleaning. This prevents full traffic processing from consuming forwarding resources in heavy traffic scenarios.
    • Per-packet detection and cleaning, responding to attacks within 3s
    Off-path static traffic diversion and injection (IDC)
    • Static traffic diversion and injection, responding to attacks in milliseconds
    • Improved traffic diversion performance through static traffic diversion, effectively defending against attacks (especially carpet-bombing attacks)
    Recommended
    * The firewall does not support traffic diversion and injection.
    * The firewall is deployed in the downstream of a traffic diversion device.
    [Diagram labels: Internet, anti-DDoS cleaning center, anti-DDoS detecting center, optical splitter, bypass, SecoManager, enterprise network, service zone]
  • 577.
    Contents
    1. Network Security Overview
    2. Huawei Security Product Overview
       • USG Firewall
       • Anti-DDoS
       • SecoManager
    3. HiSec Solution
  • 578.
    Panorama of SecoManager Capabilities
    Capabilities
    1. Tenant-oriented security policy and NE management capabilities, featuring large capacity and high performance
    2. Policy configuration based on applications, services, and sites, automated policy deployment based on the service topology, and manual deployment of anti-DDoS policies
    3. High level of network-security collaboration, handling threats within seconds
    4. Compliance check and intelligent optimization of policies, identifying redundant and invalid policies
    5. Post-event O&M, application visualization, and topology visualization
    6. NAT log–based identity association and source tracing, enabling security audit and evidence collection, providing threat reports, and facilitating the formulation of corresponding protection measures
    7. Log reporting through anti-DDoS devices, implementing automatic traffic diversion and blackhole routing. Homepage reports and special reports are used to quickly implement policy optimization and closed-loop management during attack-defense confrontations.
    Architecture (Management, Control, O&M; platform: distributed basic service layer)
    1. Security policy/NE management: policy management, device management (firewall, IPS, anti-DDoS, etc.), hot standby
    2. Security policy orchestration: security policy service, service topology, security resource pool
    3. Security collaboration: VNFM collaboration, HiSec Insight collaboration, network controller collaboration
    4. Security policy optimization: redundancy and hit analysis, application policy, partition policy, site policy, compliance check
    5. Security policy visualization: application visualization, topology visualization
    6. Device log management: NAT source tracing, collection and storage of session logs and threat logs
    7. Anti-DDoS management: traffic diversion, blackhole routing, homepage report, special report, log report
  • 579.
    SecoManager Features
    Unified management
    • Unified management of multiple security devices, including firewalls, IPS devices, and anti-DDoS devices
    • Centralized management of network-wide security policies
    • Tenant-based service O&M
    • Visualized device and policy deployment status
    Automatic orchestration
    • Application mutual access relationship mappings and application-based policy management
    • Policy management based on customer service partitions
    • Automated deployment of security services
    Intelligent optimization
    • Compliance check
    • Policy redundancy analysis
    Log management
    • High-performance collection, query, and storage of session logs and threat logs
    • Industry-leading NAT source tracing solution for identity association and source tracing, facilitating security audit and evidence collection
    • Presentation of threat logs in reports, allowing users to view and compare threat log data from different dimensions
    Network-wide collaboration
    • Network-security collaboration, closed-loop threat handling within seconds
    Anti-DDoS management
    • Responsible for the centralized management of anti-DDoS devices, configuration of defense policies, dynamic scheduling of anti-DDoS services, and presentation of service reports
    • Identification of the real attack source IP addresses of botnets based on machine learning, enhancing defense against CC attacks
  • 580.
    Collaboration Between the Security Controller and iMaster NCE-Fabric for Closed-Loop Handling of Threats
    • Closed-loop security collaboration: collaboration between the HiSec Insight, iMaster NCE-Fabric, SecoManager, and the enforcers for real-time network-wide security situational awareness, effectively implementing closed-loop security collaboration
    • Precise detection of unknown threats: precise detection of zero-day attacks and APTs, effectively responding to new network attacks
    [Diagram labels: Internet, router, switch, TOR, sandbox, HiSec Insight, SecoManager (security controller), isolation/blocking request, isolation policy, blocking policy, host isolation]
  • 581.
    SecoManager Deployment Mode
    Deployment modes: independent deployment; integrated deployment with iMaster NCE-Fabric; integrated deployment with iMaster NCE-Campus
    Features supported:
    • ZTP
    • Device management
    • Security policy management
    • Closed-loop collaboration
    Features supported:
    • Device management
    • Service orchestration
    • Automatic management
    • Closed-loop collaboration
    All features supported:
    • Firewall management
    • Anti-DDoS management
    • Intelligent optimization
    • Log management
    • Open northbound API
  • 582.
    Contents
    1. Network Security Overview
    2. Huawei Security Product Overview
       • Firewall (USG)
       • Anti-DDoS
       • SecoManager
    3. HiSec Solution
  • 583.
    HiSec: Intelligent Security, Protecting a Fully Connected, Digital World
    Scenarios: safe city, e-Government cloud, telco cloud, scientific research enterprise, manufacturing, government security brain, industrial park, ICT infrastructure, ...
    [Architecture labels: Analyzer, HiSec Insight, FireHunter, Threat intelligence, Controller, SecoManager, Identity controller, IAM, iMaster NCE, Enforcers]
    Intelligent detection, intelligent handling, intelligent O&M
    • 99%: unknown threat detection accuracy
    • Within seconds: threat response time. Collaboration between network and security devices, enabling proactive threat deception, and automatic closed-loop threat handling
    • 80%: security O&M costs (OPEX). Based on automated service-policy mapping
  • 584.
    USG6000E and USG6000F, Meeting Security Requirements of Medium- and Large-sized Campuses
    [Diagram labels: Internet, WAN, router, NGFW1 (IPS/VPN/AV/URL filtering/SA/NAT), NGFW2 (IPS/AV), core switch, access switch, wireless AC, storage, NMS & controller; DMZ (FTP, DNS, web page, email, ...); DC (office, ERP, and finance; HR, SCM, CSM, R&D...)]
    Service security design
    ① Internet users access DMZ services.
    ② Employees/Guests access the DMZ.
    ③ Employees implement cross-VLAN mutual access.
    ④ Employees access the DC.
    ⑤ Employees access the DC through a WAN.
    ⑥ Employees implement intra-VLAN mutual access.
    ⑦ Employees access the DC through a VPN.
    ⑧ Employees/Guests access the Internet.
    ⑨ Guests/Internet users access the DC: forbidden.
    Models
    • USG6500E: 0.6 to 1 Gbit/s actual traffic, full-featured threat prevention
    • USG6635E: 4 to 6 Gbit/s actual traffic, full-featured threat prevention
    • USG6655E: 4 to 12 Gbit/s actual traffic, full-featured threat prevention
    • USG6700E: 15 to 18 Gbit/s actual traffic, full-featured threat prevention
    After policy deployment, it is difficult to implement capacity expansion or changes on firewalls. Therefore, the performance must meet the requirements in the next 5 to 10 years.
  • 585.
    Next-Generation Firewalls for Branch Security and Cloud Wi-Fi
    [Diagram labels: HQ campus (USG6600E), Branch 1 to Branch N (USG6500E, cloud AP), IPsec VPN, Internet, ISP 1, ISP 2, CloudCampus, NMS (optional), eLog]
    Security challenges
    1. Direct connection to the public network, resulting in high security risks
    2. Poor experience of key services
    3. Difficulty in carrying out marketing activities
    4. Management problems caused by large campus scale
    Solution
    1. Cost-effectiveness and comprehensive protection
    2. Refined traffic management, improving user experience; intelligent ISP link selection and optimal IPsec route selection
    3. Simplified guest authentication, as well as portal and advertisement pushing
    4. USB-based ZTP, enabling simple and centralized management
    5. Cloud management, plug-and-play, and fast onboarding
  • 586.
    Enhanced Campus Security
    [Diagram labels: Internet/WAN, router, next-generation firewall (NGFW), core switch, AP, sandbox (FireHunter6000), NGFW Branch 01 to NGFW Branch xx]
    Service security design
    1. Configure policies to define the types of traffic to be reported to the sandbox for further detection.
    2. After a policy is matched, the firewall restores the traffic to a file or transparently transmits the traffic to the sandbox.
    3. The sandbox detects the file behavior or accesses the URL web page.
    4. The firewall queries the detection result and saves the MD5 value of the file.
    * All other firewalls synchronize the MD5 value to the local knowledge base.
  • 587.
    DCN Security Scenarios
    Traditional DC scenario
    • Mandatory: NGFW
    • Recommended: FireHunter, Anti-DDoS
    • Optional: HiSec Insight
    SDN-DC scenario
    • Mandatory: NGFW, SecoManager
    • Recommended: FireHunter, Anti-DDoS
    • Optional: HiSec Insight
    [Diagram labels: Internet, extranet (partner), WAN (other branch), anti-DDoS, NGFW, sandbox, access zone, core layer, core switch, service zone, spine, service leaf, management leaf, XXX leaf, service zone 1, service zone 2, management, SecoManager, eLog, eSight]
  • 588.
    Quiz
    1. Single-answer question: Which of the following statements about the number of signatures in the IPS signature database and update frequency of Huawei security products is correct? ()
       A. 12,000+, once a week, 24 hours for emergency patch update
       B. 12,000+, once a day
       C. 5000+, once a week, 24 hours for emergency patch update
       D. 5000+, once a day
    2. Multiple-answer question: Which of the following are advantages of Huawei anti-DDoS products? ()
       A. Superb performance
       B. Millisecond-level response
       C. Precise defense
       D. Intelligent driving
  • 589.
    Summary
    ⚫ This course mainly describes Huawei security products and solutions, as well as the highlights and features of Huawei security products.
     Firewall: features such as content security monitoring, intelligent uplink selection, and VPN, as well as major application scenarios
     Anti-DDoS products: superb performance, millisecond-level response, precise defense, and intelligent driving
     SecoManager: unified management, automatic orchestration, intelligent optimization, log management, anti-DDoS management, etc.
     HiSec security solution: intelligent detection, handling, and O&M
  • 590.
    Recommendations
    ⚫ Info-Finder for one-stop query
     https://info.support.huawei.com/info-finder/search-center/en/enterprise/security
    ⚫ Security Product Documentation
     https://e.huawei.com/en/material/bookshelf/bookshelfview/20190907/8ff9ff846c51466f999e7f6ee01785a9
  • 591.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
    Bring digital to every person, home, and organization for a fully connected, intelligent world.
    Thank you.
  • 592.
    Huawei Pre-Sales Tools Introduction - SCT
    Security Level:
  • 593.
    Contents
    ⚫ Introduction of SCT
       • General Introduction of SCT
       • Common Functions of SCT
       • Typical Cases
  • 594.
    What is SCT
    SCT is a Swift, Smart, and Simple online tool that makes configuration and quotation easier!
    Quotation: create quotations
    ⚫ Simple interfaces & steps
    ⚫ Smart configuration verification
    ⚫ Swift discount setting
    Product: browse Huawei products
    ⚫ All enterprise products are available
  • 595.
    Advantages of SCT
    SCT Platform
    1. Web-based, no installation needed.
    2. Unified platform that includes products of all product lines in EBG.
    Product Display
    1. Graphical product display.
    2. Hot-selling and latest products are highlighted.
    Select and Compare
    1. Product Selector: to select and locate the needed products quickly.
    2. Product Comparison: similar products can be compared with each other.
    Transfer
    Configurations and quotations can be shared between partners and Huawei product managers.
    Product Document
    Various kinds of documents are automatically synchronized from the Huawei official website.
  • 596.
    Glance at the SCT
    SCT lets you view Huawei products and select the proper ones. In addition, SCT is combined with the ePartner system so that you can purchase Huawei products.
    START
    View Huawei Products: View All Product Lines; Browse Hot-selling or New Products
    Select Huawei Products: Search for a Product; View Product Details; Compare Products
    Purchase Huawei Products: Create a quotation; Setting Sites and Quantities; Adding Configurations (Add and Configure Products, Spare Parts, or Services: Adding and Configuring Products, Adding and Configuring Spare Parts, Adding and Configuring Services); Set Discounts; Submit to ePartner System
  • 597.
    Browse Products (1)
    SCT Homepage displays the hot-selling and latest products.
    [Screenshot labels: Hot-selling products, Latest products]
  • 598.
    Browse Products (2)
    The Product Details page displays the detailed product information, including key features, technical specifications, bidding documents, etc.
  • 599.
    Search for a Product
    The product catalogue tree and the search menu on the homepage help you locate the needed product quickly.
    [Screenshot labels: Product Catalogue Tree, Search Menu]
  • 600.
    Create a Quotation (1)
    SCT supports creating a quotation in the following 3 ways:
    1. Click ‘Quick Quotation’ on homepage.
    2. Click ‘Create BOQ’ on My Quotation Tab.
  • 601.
    Create a Quotation (2)
    3. Add the needed products to the shopping cart and create a BOQ.
    [Screenshot labels: Add products to shopping cart. Select the products and create a quotation.]
  • 602.
    Create a Quotation (2)
    SCT supports adding the needed products to a quotation and configuring the products in detail based on customers’ requirements.
    [Screenshot labels: Choose products. Make detailed configuration.]
  • 603.
    Set Commercial Parameters
    SCT supports setting commercial parameters, including trade types, product discounts, and part discounts, based on project requirements.
    [Screenshot labels: Set trade type & trade coefficients. Set product discount by discount category or by part number.]
  • 604.
    Submit a Quotation
    SCT supports submitting a BOQ to the ordering system or to other recipients for ordering.
     Note:
    • Submit by Business Type: Quote. A Quote is a signatory application according to the configurations and terms of the project. It includes project basic information, terms, configurations, discounts, quantities, delivery requirements, etc. A quote can be converted to a purchase order after it is approved by Huawei.
    • Submit to Recipient: After the quotation is submitted to the recipient, SCT notifies the recipient by email. The recipient can apply for services such as promotion by using the quotation.
    • Manual Review (Export DB): Manual review is used to manually upload quotations and DB files to the ePartner.
    • Submit the logistics BOQ bidding volume estimation platform: The platform for estimating the logistics BOQ bidding volume is used to forecast the weight and volume.
  • 605.
    Contents
    ⚫ Introduction of SCT
       • General Introduction of SCT
       • Common Functions of SCT
       • Typical Cases
  • 606.
    Compare Huawei Similar Products
    SCT supports comparing specifications between similar Huawei products. This helps you to select the most suitable product.
    ① Click Compare to add the products to the comparison area.
    ② Click Compare to check the comparison result.
  • 607.
    Favorite Configuration
    Commonly used configurations can be added to “Favorites”, so that they can easily be added to other quotations from “Favorites” later.
    ① Select product configuration and click ‘Add to Favorites’.
    ② Add configurations from favorites.
    ③ Share or export your favorite configurations.
  • 608.
    Batch Edit Configuration
    Configurations of products belonging to the same series can be edited in batches to improve efficiency.
    ① Click ‘Batch Edit’.
    ② Select the products.
  • 609.
    Batch Edit Configuration
    ③ Select the products to batch edit.
    ④ Modify the configuration of one product; the configuration of the other products is modified together.
  • 610.
    View the Lifecycle of Products & Parts
    SCT supports viewing the lifecycle of a product when adding the product, and viewing the lifecycle of each part of a product in Config Result.
     Note:
    • EOM: end of marketing. EOM date is the date of stopping accepting orders (for new equipment or system expansion).
    • EOS: end of service. EOS date is the date when Huawei stops providing services associated with a product.
  • 611.
    Maintenance Renewal
    SCT supports creating a maintenance renewal quotation based on history project information with one click.
    ① Click ’Maintenance Renewal’.
    ② Input search condition, such as Contract No., SN Barcode, to link with history project information.
    ③ Based on search result, configure maintenance renewal type/level/duration, and click “Quote” to create a BOQ.
  • 612.
    Software Subscription Renewal
    SCT supports creating a software subscription renewal quotation based on history project information with one click.
    ① Click ‘Software’.
    ② Input search condition, such as Contract No., SN Barcode, to link with history project information.
    ③ Based on search result, configure New Feature/ Upgrade/ Expand, and click ‘Generate new Quotation’ to create a BOQ.
  • 613.
    Configure Demo Products
    SCT supports configuring products for DEMO. The discounts are fixed for DEMO products.
    ① Set basic information and set BOQ Type as Demo BOQ.
    ② Search and add DEMO products.
     Note:
    • For demo BOQs, only demo products can be added. Services cannot be added to demo BOQs.
    • The total amount and discount of demo BOQs are preset and cannot be changed.
    • Demo BOQs support contract amendment, but the commercial setting cannot be edited during amendment.
  • 614.
    Internal Discount off and Customer Discount off
    SCT supports calculating customer discounts based on internal discounts and profit margins, or calculating internal discounts based on customer discounts and profit margins.
    • Internal discount off: the discount partners get from Huawei.
    • Customer discount off: the discount partners offer to customers.
    [Screenshot label: Calculate ‘customer discount off’ based on ‘internal discount off’ and profit.]
  • 615.
    Obtain Authorized Discount
    According to the regional market situation and product price, Huawei provides the corresponding authorized discount for partners. The authorized discount can be obtained from SCT directly.
    Click ‘Apply Authorized Discount Off’.
  • 616.
    Batch Set Discounts
    The same discount category for different products can be edited in batches to improve efficiency.
    The same discount type, such as hardware, for different products can be edited together.
  • 617.
    Merge Quotations
    SCT supports merging multiple quotations into one.
    ① Select the quotations to be merged.
    ② Click Merge Quotations.
     Note: Quotations cannot be merged in the following cases:
    • Quotations of different countries
    • Quotations of different folders
    • Quotations of different list price types
    In addition, users who have only configuration permission cannot merge quotations.
  • 618.
    Split a Quotation
    SCT supports splitting a quotation into hardware, software and service parts, or into equipment and service parts.
    ① Click ‘Split’.
    ② Select split type.
    ③ Original quotation is split into a hardware BOQ, a software BOQ and a service BOQ.
     Note:
    • Software BOQs only contain self-made software. Outsourcing software belongs to the hardware BOQ.
    • BOQs can be submitted, checked, and split in batches.
  • 619.
    Submit BOQ for Logistics Estimation
    SCT supports getting the estimated weight and volume of the BOQ, which can be used for logistics cost calculation.
    ① Submit for Logistics Estimation.
    ② Get the result by email.
  • 620.
    Export a Quotation
    SCT supports exporting a quotation to an Excel file. The contents of the Excel file can be customized.
    ① Click ‘Export’.
    ② Customize the contents of Excel file and export.
  • 621.
    Share
    SCT supports sharing a draft BOQ with other SCT users. The original user still has the right of the BOQ; the recipient can copy the BOQ.
    ① Share a quotation.
    ① Share multiple quotations (maximum 20 each time).
    ② Input the recipient and validity time, choose whether to share commerce info.
  • 622.
    Hand-over
    SCT supports handing over a submitted BOQ to other SCT users. The recipient will get all the rights of the BOQ and the original user cannot view the BOQ after handover.
    ① Click Business Handover.
    ② Choose the quotations.
    ③ Input the recipient and Apply.
  • 623.
    Contents
    ⚫ Introduction of SCT
       • General Introduction of SCT
       • Common Functions of SCT
       • Typical Cases
  • 624.
    Case 1 – Only Need Separate Items without Host
    Please choose “Expand” in Product Parameter instead of “New” if only separate items are needed.
    [Screenshot label: Choose “Expand” in Product Parameter instead of “New”]
  • 625.
    Case 2 – Configure the License of an EOM Product
    Please select “Show EOM” if you need to configure the license of an EOM product. By default, the EOM products are not displayed.
    [Screenshot label: Select “Show EOM”]
  • 626.
    Case 3 – The Needed Product without Permission
    Cannot add the needed product to the BOQ.
    Please choose other alternative product types or contact the local product manager to get the permission of the restricted products.
  • 627.
    Case 4 – The Needed Part without Permission
    Please choose other alternative items, or apply for restriction cancellation if there is no alternative choice.
    • Items in red are restricted.
    • Click to apply for restriction cancellation if no alternative choice.
    • Fill in the project information, application reason, etc.
  • 628.
    Case 5 – Requirements of an AP (Access Point)
    Access Points
    • No. of Simultaneous Radios: Operate in at least two radios, 2.4GHz and 5GHz, simultaneously that supports 4x4:4 Multi-User MIMO
    • Concurrent SSIDs: At least 30 numbers
    • Frequency Band: IEEE 802.11 b/g/n/ax: 2.4 – 2.4835GHz; IEEE 802.11a/ac/ac wave 2/ax: 5.15 – 5.35GHz; 5.47 – 5.85GHz
    • Maximum data rate (Theoretical): 1148Mbps in the 2.4GHz and 2400Mbps in the 5GHz band
    • Max. e.i.r.p.: 2.4GHz: ≤36dBm; 5GHz: ≤36dBm
    • Simultaneous Client Connections: At least 500
    • Network Interface: At least one Ethernet RJ45 port with speed 100/1000/2500Base-T, one Ethernet RJ45 port with speed 100/1000Base-T and one SFP+ port supporting 1GE/10GE
    • Internet Protocol: Support IPv4 and IPv6
    • Authentication and encryption: Support at least WPA2-PSK, WPA2-802.1X, WPA3-SAE
    • IoT Interface: Support BLE5.0
    • Operating Temperature: 0 – 65℃
    • Operating Humidity: 5% - 90 % (non-condensing)
    • Power Input: POE in compliance with 802.3-bt
    • Maximum Power Consumption: ≤55W
    • Physical Dimension: Not larger than 400mm (H) *250mm (W) *180mm (D)
    • Safety: EN 60950-1
    • Compliance: Wi-Fi Alliance Wi-Fi 6 Certified
    • Supporting Standards: 802.11e Wireless Multimedia (WMM), 802.11i
    • Mounting Type: Support wall mounted, and pole mounted
    • Operating Mode: Support Mesh/Repeating Mode
  • 629.
    Case 5 – Choose a Suitable AP
    Filter the suitable product types. Check the detailed specifications of the product.
  • 630.
    Case 5 – Configure the AP
    The host is configured by default. Some necessary installation accessories are included; click ? for details.
    Choose the type of power supply:
    - None: PoE power supply is ready.
    - PoE power injector: a separate PoE power injector will be configured.
    - AC/DC: an AC-to-DC power adapter will be configured.
    10GE optical modules.
    Optional accessories: configure based on the practical installation scenario.
    New software business mode (perpetual license + SnS): N1 mode is suggested if NCE-Campus or NCE-CampusInsight is needed in on-premises scenarios. The N1 Advanced Package needs to be configured if NCE-CampusInsight is needed.
  • 631.
    Case 6 – Requirements of a Campus Switch
    Distribution Switches
    Switching Capacity: At least 2 TB
    Forwarding Performance: At least 400 Mpps
    Console Port: 1
    Network Port: At least 24 GE SFP ports, 8 10/100/1000 Base-T ports and 4 10G SFP+ ports
    Link Aggregation: IEEE802.3ad
    Flow Control: IEEE 802.3x flow control
    Jumbo Frame: Maximum frame size of 9KB
    VLAN: 4094
    VLAN Virtual Interface: 8
    DHCP: Server, Client, Relay
    Layer 3 Routing: Static Routing, RIP, OSPF
    Layer 2 Network Protocol: STP/RSTP/MSTP/Smart Link/G.8032 ERPS
    Access Control List: Yes
    Internet Protocol: Support IPv4 and IPv6
    Multicast: IGMP v1/v2/v3 snooping
    Management: Web-based interface, SNMP v1, v2c, v3
    Operating Temperature: 0°C – 45°C
    Storage Temperature: -20°C – 70°C
    Operating Humidity: 5% – 95% (non-condensing)
    Voltage Input: 220VAC±10%, 50Hz±3%, with Redundant Power Supply
    Maximum Power Consumption: 150W
    Safety: CE or FCC
    Physical Size: 1RU
    Mounting Type: Support rack mounted
  • 632.
    Case 6 – Choose a Suitable Switch
    Filter the suitable product types. Check the detailed specifications of the product.
  • 633.
    Case 6 – Configure the Switch
    Choose the most suitable host type from the S5732 series list based on the needed port type and quantity. Select ‘Expand’ if the host is not needed.
    Configure the needed RTU license for some types of switches.
    Select the quantity of power modules; two power modules are supported for the S5732 series.
    Configure the type of power cables.
    Optional cards: each S5732 switch can support 1 extra card.
  • 634.
    Case 6 – Configure the Switch
    N1 Mode: New software business mode (perpetual license + SnS). N1 mode is suggested if NCE-Campus or NCE-CampusInsight is needed in on-premises scenarios. SnS must be configured.
    Independent Sales Mode: Perpetual license, sold by function/feature.
    Select the needed N1 package and optional Add-on package; click ? to check the detailed features of each package.
    Configure the time of SnS.
    The switch VXLAN license needs to be configured when your project requires the switch VXLAN function but does not need NCE-Campus. The VXLAN license is included in the N1 Advanced package, so there is no need to configure it separately if the N1 Advanced package is configured.
  • 635.
    Case 6 – Configure the Switch
    Configure the quantities of electrical and optical modules:
    1. Fixed RJ45 electrical ports do not need electrical transceivers; an electrical transceiver is used in an optical port for photoelectric conversion.
    2. Optical/electrical transceivers need to be configured for optical ports.
    Generally, a 10GE SFP+ Ethernet optical port supports auto-sensing to 1000 Mbit/s. It sends and receives service data at 1000 Mbit/s or 10 Gbit/s.
    A 1GE/10GE/25GE SFP28 optical port sends and receives service data at 1 Gbit/s, 10 Gbit/s, or 25 Gbit/s.
    A 40GE/100GE QSFP28 optical port sends and receives service traffic at 40 Gbit/s or 100 Gbit/s.
    Not all 40G/100G optical modules support connection to 4x10G/25G. Check the help information of the optical modules and the alarm information.
  • 636.
    Case 6 – Configure the Switch
    Configure the hybrid cable by meter. A hybrid cable is composed of optical fibers and copper cores. It is mainly used to connect an S5732-H48XUM2CC switch to an AP so that the switch can provide PoE power and transmit data for the AP at the same time.
    Configure the quantities of high-speed cables for short-distance data transmission or stacking. These high-speed cables have two optical modules with different rates; you can connect either the 40G or the 10G optical module to the switch. Make sure the other optical module is supported by the switch on the opposite side.
  • 637.
    Case 7 – Requirements of an AR (Access Router)
    Physical characteristics
    They must have at least the following physical interfaces:
    - At least 8 x 1Gbps ports.
    - At least 6 x 10Gbps ports.
    They must have at least 2 expansion slots.
    They must have the following memory characteristics:
    - At least 16 GB of RAM.
    Performance characteristics
    They must have the following performance characteristics:
    - An enabled throughput of at least 8 Gbps.
    They must be able to achieve growth in throughput of at least 10 Gbps without hardware upgrade.
    Characteristics of layer 3
    They must include support for the following layer 3 protocols enabled:
    - RIP.
    - OSPF.
    - BGP.
    - PIM-SM.
    - Policy-based routing.
    Security characteristics
    They must support the following security features:
    - Firewall.
    - NAT.
    - Termination of IPsec tunnels.
  • 638.
    Case 7 – Choose a Suitable Router
    Filter the suitable product types. Check the detailed specifications of the product.
  • 639.
    Case 7 – Configure the AR
    Select the type of control board. You can click ? to check the differences between the 3 control boards. SRU600H is needed based on the memory requirement.
    The C13 AC power cable is used for the connection of the host, while the C7 AC power cable is used for the connection to the PoE adaptor of the RU-5G.
    Choose ‘Yes’ if power module backup is needed.
    Choose the optional card for each slot based on project requirements.
  • 640.
    Case 7 – Configure the AR
    The RU-5G-101 is a remote module for 5G/4G/3G wireless WAN access of the AR6000 series. The RU-5G-101 must be used with the routers and connected through network cables. Configuring 2 PoE adaptors and 2 arrestors is suggested for each RU-5G.
    1. Independent sales mode: suggested if NCE-WAN/NCE-Campus is not needed.
    2. SD-WAN N1 mode: suggested if NCE-WAN is needed to manage the AR routers in an SD-WAN solution.
    3. CloudCampus N1 mode: suggested if NCE-Campus is needed to manage the AR routers and campus switches/AP/AC at the same time.
    Choose the optical transceivers for the optical ports of the SRU600H and the interface cards.
  • 641.
    Copyright © 2022 Huawei Technologies Co., Ltd. All Rights Reserved.
    The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
    Bring digital to every person, home, and organization for a fully connected, intelligent world.
    Thank you.