Huawei Agile Controller-Campus
CONTENTS
01  Huawei Agile Controller-Campus
05  Access Control Manager
11  Guest Manager
15  Terminal Security Manager
17  Free Mobility Manager
21  Service Chain Manager
Huawei Agile Controller-Campus
Product Overview
With mobile office, bring your own device (BYOD), and wireless local area network (WLAN) services, user terminals (the receivers of information) are no longer fixed at a physical location. These services create the following challenges on statically configured traditional networks:
1. How can a consistent experience be guaranteed for different user terminals regardless of location?
2. How can user rights, QoS priority, bandwidth, security, and other network policies be configured? On a traditional network, users are bound to physical interfaces and the administrator manually configures policies on the devices closest to the users. Manual configuration cannot follow changes in user location. To serve mobile users, the network must support dynamic resource allocation and policy configuration; that is, network resources and policies must be able to move with the user.
In the Huawei xxx Solution, the Agile Controller works with network-wide devices and dynamically schedules network-wide policies to provide free mobility for employees and flexible access for guests. In this way the network supports services in a more agile way.
The Agile Controller-Campus (Agile Controller for short) is a user- and application-based unified policy control
system developed by Huawei. The Agile Controller centrally controls the network access rights, applications,
bandwidth, QoS, and security policies and provides Access Control Manager, Guest Manager, Terminal Security
Manager, Free Mobility Manager, and Service Chain Manager for enterprises.
[Figure: Agile Controller positioning. User terminals (wired users on PCs and laptops, wireless users, VPN users, O&M users, printers, cameras, phones, pads, guests) reach service resources (DHCP, DNS, patch server, office, R&D and MKT data) through network facilities (WLAN, switch, router, VPN gateway, firewall, intranet, Internet). Before NAC, terminals simply get access. After NAC, the Policy Controller exchanges permission, application, bandwidth, QoS and security policies with the policy execution devices, which separate a pre-authentication domain from the post-authentication domain.]
Functional Modules
Function Overview
Access Control Manager: Together with the network access device (NAD), this component controls the network access of internal and external terminals and implements a unified access control policy. It also provides flexible authentication and authorization policy management to meet the service control needs of different enterprises.
Guest Manager: Provides full-lifecycle guest management, including account application, approval, distribution, authentication, auditing, and deregistration. It also supports the creation of visualized portals and guest authentication over social media, which can assist enterprises in advertising and marketing.
Terminal Security Manager: Monitors terminal health and provides automatic recovery, software distribution, patch management, and resource management. It forces terminals to conform to the enterprise security policy, improves their ability to defend against attacks, and protects the network.
Free Mobility Manager: In combination with Huawei's agile switches, next-generation firewalls (NGFWs), and SVN gateways, this component provides policy orchestration based on two-dimensional matrices. It allows the unified planning and automatic deployment of permissions, applications, bandwidth, QoS, and security policy based on security groups, so that network-wide policies are uniform and users get the same experience while on the move.
Service Chain Manager: Pools physical security devices into a security resource center, abstracting away their physical form and location. Traffic is steered to the security resource center according to service requirements, where it is inspected and processed. This raises the utilization of the physical devices and reduces network construction costs.
Product Characteristics
Centralized Control, Global Policy Orchestration, Service Experience Orientation
• Applies the SDN concept of centralized control to campus networks. The Agile Controller centrally controls users, services, and security policies, and dynamically schedules user rights, applications, bandwidth, QoS, and security resources.
• Deploys policies uniformly network-wide, so that users keep the same rights and services when they access the network at different times, from different locations, and on different terminals, implementing free mobility.
• Supports policy orchestration in natural language, which hides the differences between device types so that maintenance personnel do not need to run complex device commands.
Openness and Interoperability, Speeding Up Service Innovation
• Interoperates with mainstream social media such as Facebook, Twitter, Google+, WeChat, Sina Weibo, QQ,
and QR code to simplify guest access and promote secondary marketing of enterprises.
• Provides northbound APIs to synchronize information about the networks, users, assets, and terminals,
helping enterprises develop valuable applications and speeding up service innovation.
Highly Reliable and Flexible Architecture, Ensuring Service Continuity and Protecting
Customer Investment
• Supports the Windows and Linux operating systems and provides comprehensive high availability (HA)
solutions to ensure the stable operation of the network service.
• Supports distributed and hierarchical deployment modes with the flexible system architecture, enabling
flexible service-oriented expansion and protecting customer investment.
Product Architecture
Management Center (MC): Used in hierarchical management scenarios. Defines global policies and monitors the SMs and SCs.
Service Manager (SM): Performs service management. The system administrator configures users, services, and security policies through the web management page.
Service Controller (SC): Integrates the RADIUS and Portal servers and works with NADs such as switches to complete client authentication and authorization.
Network Access Device (NAD): switch, router, WLAN, VPN gateway, firewall.
Client: controller client, delivered as a Portal page, a Web Agent (Windows), or an OS client (Windows/Linux/MAC/iOS/Android).
[Figure: Agile Controller architecture]
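The SC's RADIUS role is the security-critical exchange in this architecture: the NAD forwards the user's credentials and then applies whatever VLAN and ACL the server returns, so both directions need integrity protection. The following Python is an added example, not Huawei's code, of a PAP Access-Request/Access-Accept exchange as specified by RFC 2865 and RFC 2869. The NAD hides the password under the shared secret, signs the request with Message-Authenticator (HMAC-MD5), and verifies the Response Authenticator before trusting the returned VLAN (Tunnel-Private-Group-ID) and ACL (Filter-Id). The shared secret, user store, NAS address and attribute values are constructed for the example.

```python
"""RADIUS PAP exchange (RFC 2865 / RFC 2869); constructed example, secret and user store are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81


def pap_transform(data, secret, request_auth, hide):
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous ciphertext chunk), seeded by the authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], keystream))
        out += chunk
        prev = chunk if hide else data[i:i + 16]  # the chain always runs over ciphertext
    return out


def hide_password(password, secret, request_auth):
    return pap_transform(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def build_access_request(ident, secret, username, password, nas_ip):
    """NAD side: hide the PAP password, then sign the whole packet with Message-Authenticator (HMAC-MD5)."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]  # zeroed while the HMAC is computed
    tag = hmac.new(secret, build_packet(ACCESS_REQUEST, ident, request_auth, attrs), hashlib.md5).digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, tag)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def verify_message_authenticator(pkt, secret):
    code, ident, auth, attrs = parse_packet(pkt)
    tag = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if tag is None:
        return False
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(code, ident, auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(tag, expected)


def server_handle(pkt, secret, users):
    """Server side: verify the request, check the password, answer with VLAN and ACL attributes."""
    if not verify_message_authenticator(pkt, secret):
        return None  # RFC 2865: silently discard a request that fails verification
    _, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    entry = users.get(a.get(USER_NAME, b"").decode("utf-8", "replace"))
    password = pap_transform(a.get(USER_PASSWORD, b""), secret, request_auth, False).rstrip(b"\x00")
    if entry and hmac.compare_digest(password, entry["password"].encode()):
        code, reply_attrs = ACCESS_ACCEPT, [
            (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),         # tag 0, value 13 = VLAN
            (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),  # tag 0, value 6 = IEEE 802
            (TUNNEL_PRIVATE_GROUP_ID, entry["vlan"].encode()),
            (FILTER_ID, entry["acl"].encode())]
    else:
        code, reply_attrs = ACCESS_REJECT, []
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()  # RFC 2865 section 3
    return header + response_auth + body


def nad_check_reply(reply, ident, request_auth, secret):
    """NAD side: verify Response Authenticator and identifier before applying any returned VLAN/ACL."""
    code, reply_ident, response_auth, attrs = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if reply_ident != ident or not hmac.compare_digest(response_auth, expected):
        raise ValueError("reply failed authenticator check; do not apply its attributes")
    return code, dict(attrs)


def demo(username="alice", password="Pa55word!", secret=b"constructed-shared-secret"):
    users = {"alice": {"password": "Pa55word!", "vlan": "20", "acl": "acl-rd"}}  # constructed user store
    request = build_access_request(7, secret, username, password, "10.1.1.2")
    reply = server_handle(request, secret, users)
    code, attrs = nad_check_reply(reply, 7, request[4:20], secret)
    return code, attrs.get(TUNNEL_PRIVATE_GROUP_ID), attrs.get(FILTER_ID)
```

The check in nad_check_reply is the one to keep in mind: an Access-Accept whose Response Authenticator does not verify must be discarded, otherwise anyone able to inject a UDP packet toward the NAD can hand out VLANs. PAP itself only protects the password with an MD5 keystream derived from the shared secret, which is why the EAP-TLS and PEAP methods listed later are preferable on wireless and why the RADIUS path between NAD and SC should not cross untrusted segments.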
Operating Environment
Hardware Environment
Platform | Configuration Requirements | Recommended Server
Windows | CPU: 2 x E5-2620 or higher; Memory: 16 GB; Hard disk: 3 x 300 GB; Network adapter: 4 x GE NICs | Huawei RH2288H rack server or Huawei E9000 blade server
Single-node Linux | CPU: 2 x E5-2620 or higher; Memory: 16 GB; Hard disk: 3 x 300 GB; Network adapter: 4 x GE NICs | Huawei RH2288H rack server or Huawei E9000 blade server
Linux-HA | CPU: 2 x E5-2620 or higher; Memory: 16 GB; Hard disk: 3 x 300 GB + disk array; Network adapter: 6 x GE NICs | Huawei RH2288H rack server + Huawei S2600T disk array
NOTE
1. Each RH2288H or E9000 blade server can manage a maximum of 10,000 online users.
2. The Agile Controller manages a maximum of 100,000 online users when multiple servers or blade servers are deployed in distributed/hierarchical mode.
3. If VMware 5.5 is selected, the configuration requirements are as follows: Memory: 24 GB; CPU: 3 x 6-core CPUs; Mode: exclusive.
Software Environment
Platform | Optional Environment | Recommended Environment
Windows | Windows Server 2008 R2 Standard SP1 64-bit, Windows Server 2012 R2 Standard 64-bit, Windows Server 2012 Standard 64-bit; MSSQL Server 2008 Standard SP2 64-bit, MSSQL Server 2012 R2 Standard 64-bit | Windows Server 2008 R2 Standard SP1 64-bit; MSSQL Server 2008 Standard SP2 64-bit
Linux | SUSE Linux 11 SP3 64-bit; Oracle 11g R2 | SUSE Linux 11 SP3 64-bit; Oracle 11g R2
The operating system and database versions listed are those supported at this document's 2016 revision. A server that holds the network's credentials and access policies should run on a currently patched platform, so check the current compatibility list before deployment.
High Reliability Configuration
Dimension | Windows | Linux
Management Center (MC) | Not supported | Supported. Active/standby HA switchover based on Keepalived.
Service Manager (SM) | Not supported | Supported. Active/standby HA switchover based on Keepalived.
Service Controller (SC) | Supported. A resource pool provides backup; N+1 SCs need to be deployed. | Supported. A resource pool provides backup; N+1 SCs need to be deployed.
Database | Supported. Uses SQL Server database mirroring; principal, mirror, and witness databases need to be deployed. | Supported. Uses Oracle Real Application Clusters (RAC) for hot backup; a disk array needs to be deployed for data storage.
Access Control Manager
Component Overview
Advances in information and communication technology (ICT) mean that enterprise users require network access from anywhere. However, enterprise information security is at risk when large numbers of mobile staff and partners frequently use their own terminals (such as laptops) to access the enterprise's local area networks (LANs). Unauthorized terminals may infect enterprise networks with viruses and, in the worst case, steal trade secrets.
The maturity of WLAN technologies and the prevalence of intelligent terminals prompt many enterprises to allow employees intranet access through intelligent BYOD terminals. While enterprises aim to improve employees' work efficiency and reduce mobile terminal costs, WLAN technologies on enterprise networks create significant information security risks.
The Access Control component of the Huawei Agile Controller works with network access devices to control access to enterprise networks from internal and external terminals. The component provides unified access control policies and flexibly manages authentication and authorization policies to meet different service control requirements.
Component Characteristics
Comprehensive Access Authentication Modes for Different Network Scenarios
802.1X authentication
Characteristics:
• Enables the 802.1X function on a switch or AC.
• Implements Layer 2 isolation.
• Complicates maintenance because there are many authentication points.
• Requires the switch to support 802.1X.
Application scenarios: Small, medium, and large campus networks with high security requirements. The Access Control component can work with Huawei all-series Sx7 switches, routers, WLAN devices, and third-party standard 802.1X switches.
MAC address authentication
Characteristics:
• The switch or AC automatically enables 802.1X or MAC address authentication for different terminals.
• Terminals are authenticated on the authentication server based on their MAC addresses.
Application scenarios: Dumb terminals such as IP phones and printers.
Portal authentication
Characteristics:
• A combination of Portal and MAC address authentication is configured on devices at the aggregation layer. Devices select the authentication mode based on terminal type. The AC unifies wireless user authentication.
• Clients on terminals are optional, depending on service requirements.
• Does not require access switches to support 802.1X.
Application scenarios: Small, medium, and large campus networks, especially where no client is installed. Works with Huawei all-series Sx7 switches, AR routers, WLAN devices, and third-party devices that support the CMCC Portal protocol.
SACG authentication
Characteristics:
• The USG firewall connects to the router or switch in bypass mode and implements terminal access control using policy-based routing; the network topology does not change.
• Simplifies management and maintenance because there are few authentication points.
• Places the control point at the aggregation or core layer, which weakens Layer 2 control.
Application scenarios: Campus networks with a large number of third-party switches and routers. This mode is especially suitable for campus network reconstruction.
The Agile Controller supports the following functions:
• 802.1X, Portal, MAC address, and SACG authentication
• PAP, CHAP, EAP-MD5, EAP-PEAP-MSCHAPv2, EAP-TLS, EAP-TTLS-PAP, and EAP-PEAP-GTC authentication
• Anonymous authentication, account authentication, certificate authentication, AD/LDAP-associated authentication, third-party database-associated authentication, and RADIUS relay agent authentication
• Two-factor (user name and password + mobile phone verification code) authentication
• Social media (Facebook, Twitter, Google+, WeChat, QQ, and Sina Weibo) authentication
• An escape mechanism: when the AD/LDAP server is down, users pass authentication directly. This is fail-open behaviour that admits users without verifying their credentials, so it should be enabled only where continuity outweighs that risk, and the authorization granted to escaped users should be restricted.
Flexible, Refined, and Secure 5W1H-based Context-Aware Authorization
Dimension | Description | Example
Who | User identity | Administrative personnel, ordinary employees, VIP users, guests
Where | Access location | R&D area, non-R&D area, home
When | Access time | On-duty time, off-duty time, work days
Whose | Device source | Enterprise devices, BYOD devices
What | Device type | Windows, Linux, iOS, Android
How | Access mode | Wired, wireless, VPN, Internet
The Agile Controller supports the following functions:
• Authorization based on user groups, accounts, roles, SSIDs, time periods, terminal IP addresses, terminal device groups, access device groups, and terminal compliance check results.
• Authorization results delivered as dynamic ACLs, static ACLs, VLANs, user groups, and security groups.
• Online duration control: limits the duration of a single session and the accumulated online duration within a specified period.
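In practice the 5W1H table amounts to an ordered rule set evaluated against the access context, with the compliance result applied first and a deny-by-default fallback. The following Python is an added example, not Huawei's code, of such an evaluation. The roles, locations, VLAN numbers, ACL names, security groups and the definition of on-duty time are all constructed. It shows why rule order matters (a non-compliant corporate device in the R&D area is quarantined before any R&D rule is reached) and why an unmatched context should be denied rather than handed a generic grant.

```python
"""5W1H context-aware authorization; constructed roles, VLANs, ACL names and groups."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessContext:
    who: str                # user role from the identity source: admin, employee, vip, guest
    where: str              # access location: rd_area, office, home
    when: datetime          # access time
    whose: str              # device source: corporate, byod
    what: str               # terminal OS: windows, linux, ios, android
    how: str                # access mode: wired, wireless, vpn, internet
    compliant: bool = True  # terminal compliance check result


@dataclass
class Rule:
    name: str
    priority: int   # lower is evaluated first
    match: dict     # dimension -> set of allowed values, or a predicate on the value
    grant: dict     # authorization result: vlan, acl, security_group


def on_duty(t):
    """Work days 08:00-18:00; a constructed definition of on-duty time."""
    return t.weekday() < 5 and 8 <= t.hour < 18


def rule_matches(rule, ctx):
    for dim, cond in rule.match.items():
        value = getattr(ctx, dim)
        if not (cond(value) if callable(cond) else value in cond):
            return False
    return True


QUARANTINE = {"vlan": 999, "acl": "isolation-only", "security_group": "quarantine"}

RULES = [
    # Non-compliant terminals go to the isolation domain before any other dimension is considered.
    Rule("quarantine", 0, {"compliant": {False}}, QUARANTINE),
    Rule("rd-corporate-wired", 10,
         {"who": {"employee", "admin"}, "where": {"rd_area"}, "whose": {"corporate"}, "how": {"wired"}},
         {"vlan": 10, "acl": "permit-rd-data", "security_group": "rd"}),
    # Same person in the same area on a BYOD device: office data only, no R&D data.
    Rule("rd-byod", 20, {"who": {"employee", "admin"}, "where": {"rd_area"}, "whose": {"byod"}},
         {"vlan": 20, "acl": "permit-office-data", "security_group": "office"}),
    # Administrator over VPN outside duty hours: management access only.
    Rule("admin-vpn-offduty", 30, {"who": {"admin"}, "how": {"vpn"}, "when": lambda t: not on_duty(t)},
         {"vlan": 40, "acl": "permit-mgmt-only", "security_group": "admin-remote"}),
    Rule("staff-general", 40, {"who": {"employee", "admin", "vip"}},
         {"vlan": 20, "acl": "permit-office-data", "security_group": "office"}),
    Rule("guest", 50, {"who": {"guest"}},
         {"vlan": 30, "acl": "permit-internet-only", "security_group": "guest"}),
]


def authorize(ctx, rules=RULES):
    """Evaluate rules in priority order; a context that matches nothing is denied, never given a default grant."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, ctx):
            return rule.name, rule.grant
    return "default-deny", QUARANTINE
```

The result dictionary is what the RADIUS reply carries back to the NAD as VLAN, ACL and security group; the quarantine result reuses the isolation-domain VLAN so that a failed compliance check lands the terminal where the antivirus and patch servers are reachable and nothing else is.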
Satisfying Complex Enterprises with Hierarchical User Group Management
• Supports up to 20 user group levels to satisfy the requirements of enterprises with complex organizational structures.
Flexible User Source Selection, Seamless Interconnection with Existing Enterprise Systems
• Allows users to create accounts on the Agile Controller. In addition, it can interconnect with mainstream AD, Lightweight Directory Access Protocol (LDAP), RADIUS, and dynamic token systems.
Authentication Protocol | System Built-in Account | AD | LDAP | RADIUS (Token) | RADIUS Relay
PAP | YES | YES | YES | YES | Depends on the external system
CHAP | YES | NO | NO | NO | Depends on the external system
EAP-PEAP-MSCHAPv2 | YES | YES | NO | NO | Depends on the external system
EAP-MD5 | YES | NO | NO | NO | Depends on the external system
EAP-TLS | YES | YES | YES | NO | Depends on the external system
EAP-TTLS-PAP | YES | YES | YES | YES | Depends on the external system
EAP-PEAP-GTC | YES | YES | YES | YES | Depends on the external system
The NO entries follow from the protocols: CHAP and EAP-MD5 need the server to hold the cleartext password and MSCHAPv2 needs the NT hash, which an LDAP bind or a token server cannot supply, whereas PAP, GTC and TTLS-PAP forward a credential the external system can verify itself.
• Supports on-demand data synchronization or filtering to meet varied user requirements.
Intelligent Terminal Identification and Authentication Page Customization for Permission Control on BYOD Terminals
• Provides up to 200 terminal identification templates and supports multiple identification modes: MAC organizationally unique identifier (OUI), Dynamic Host Configuration Protocol (DHCP) options, the Hypertext Transfer Protocol (HTTP) User-Agent, and Simple Network Management Protocol (SNMP).
• Supports various terminal types such as PCs, smartphones, tablets, dumb terminals, IP phones, and printers.
• Supports the Windows, Linux, MAC OS, Android, iOS, and Windows Phone operating systems.
• Identifies vendors such as Huawei, Samsung, Apple, HTC, and Lenovo.
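The four identification modes above differ in how much the terminal's user controls them: the HTTP User-Agent is a free-form string the client chooses, the DHCP parameter request list and the SNMP sysDescr come from the device's own network stack, and the OUI only says who made the interface. The following Python is an added example, not Huawei's identification engine, of combining these signals with weights and flagging disagreement between them. The OUI entries, DHCP Option 55 fingerprints, regular expressions and weights are constructed samples; a real deployment loads the IEEE OUI registry and a maintained fingerprint database.

```python
"""Terminal identification from MAC OUI, DHCP Option 55 and HTTP User-Agent with conflict detection.
Constructed example: the OUI entries, DHCP fingerprints, regexes and weights are illustrative samples,
not the IEEE registry or a maintained fingerprint database."""
import re

OUI_VENDORS = {"00:1e:10": "Huawei", "00:1c:b3": "Apple", "00:15:5d": "Microsoft", "00:1e:0b": "HP"}

# DHCP Option 55 parameter request list -> (os, terminal type); sample entries only.
DHCP_FINGERPRINTS = {
    "1,15,3,6,44,46,47,31,33,121,249,43": ("windows", "pc"),
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("windows", "pc"),
    "1,121,3,6,15,119,252": ("ios", "smartphone"),
    "1,3,6,15,26,28,51,58,59,43": ("android", "smartphone"),
    "1,3,6,12,15,28,42": ("embedded", "printer"),
}

USER_AGENT_RULES = [  # ordered: the first pattern that hits wins
    (re.compile(r"iPad"), ("ios", "tablet")),
    (re.compile(r"iPhone"), ("ios", "smartphone")),
    (re.compile(r"Android.*Mobile"), ("android", "smartphone")),
    (re.compile(r"Android"), ("android", "tablet")),
    (re.compile(r"Windows Phone"), ("windows_phone", "smartphone")),
    (re.compile(r"Windows NT"), ("windows", "pc")),
    (re.compile(r"Macintosh"), ("mac_os", "pc")),
    (re.compile(r"Linux"), ("linux", "pc")),
]

SNMP_RULES = [(re.compile(r"LaserJet|Printer", re.I), ("embedded", "printer")),
              (re.compile(r"IP Phone", re.I), ("embedded", "ip_phone"))]

# SNMP and DHCP come from the device's own stack; the User-Agent is a free-form string the client
# chooses and is trivially spoofed, so it carries the least weight.
WEIGHTS = {"snmp": 3, "dhcp": 2, "user_agent": 1}


def first_match(rules, text):
    return next((guess for rx, guess in rules if rx.search(text)), None)


def identify(mac, dhcp_param_list=None, user_agent=None, snmp_sysdescr=None):
    """Combine the available signals; report the best guess and whether any signal disagreed on the OS."""
    evidence = []
    if dhcp_param_list in DHCP_FINGERPRINTS:
        evidence.append(("dhcp", DHCP_FINGERPRINTS[dhcp_param_list]))
    if user_agent and first_match(USER_AGENT_RULES, user_agent):
        evidence.append(("user_agent", first_match(USER_AGENT_RULES, user_agent)))
    if snmp_sysdescr and first_match(SNMP_RULES, snmp_sysdescr):
        evidence.append(("snmp", first_match(SNMP_RULES, snmp_sysdescr)))
    scores = {}
    for source, guess in evidence:
        scores[guess] = scores.get(guess, 0) + WEIGHTS[source]
    best = max(scores, key=scores.get) if scores else ("unknown", "unknown")
    return {
        "vendor": OUI_VENDORS.get(mac.lower().replace("-", ":")[:8], "unknown"),
        "os": best[0],
        "type": best[1],
        "confidence": scores.get(best, 0),
        # More than one OS among the signals: treat the terminal as unverified rather than
        # trusting whichever signal happened to score highest.
        "conflict": len({guess[0] for _, guess in evidence}) > 1,
        "sources": [source for source, _ in evidence],
    }
```

The conflict flag matters because terminal type feeds authorization: a "printer" is normally admitted by MAC address alone, so a device whose User-Agent says Windows while its DHCP fingerprint says Android should not be classified by the cheapest signal but routed to the stricter policy.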
Automatic 802.1X Configuration Delivery to Terminals
Using the Boarding Function
• Interworks with the Windows CA server to deliver certificates.
• Provides network access policies by terminal type and user group.
• Supports automatic device registration, manual report of device loss,
and restriction on lost devices.
• Supports terminals running Windows, Android, and iOS operating
systems.
Deployment Scenarios
802.1X Access Control
802.1X is enabled on the switches closest to the terminals. Before the terminals can access the network, customers need to deploy the security agent or the 802.1X client provided by the operating system on the terminals. After the terminals pass 802.1X authentication, the Agile Controller server delivers authorization parameters such as VLANs and ACLs to the access switches, which control the network access permissions of the terminals. MAC address authentication is enabled for dumb terminals such as printers and IP phones; when these terminals access the network they automatically trigger MAC address authentication to obtain network access permission. Because a MAC address can be copied by any terminal plugged into the same port, the authorization returned for MAC-authenticated dumb terminals should be limited to the VLAN and ACL those devices actually need.
[Figure: 802.1X access control. Terminals connect to an 802.1X switch, which authenticates them against the Agile Controller before granting access to the network.]
Portal Access Control
A combination of Portal and MAC address authentication is enabled on the gateway. Terminals can use web authentication or the Agile Controller NAC client to access the network. Dumb terminals access the network by MAC address authentication.
[Figure: Portal access control. Terminals connect through a Portal switch that redirects them to the Agile Controller for authentication.]
SACG Access Control
SACG access control suits complex campus networks with a large number of third-party datacom devices such as switches and routers. The SACG device connects to the Layer 3 switch or a router in bypass mode. Upstream traffic from terminals is redirected to the SACG by the packet redirection function configured on the switch or by policy-based routing configured on the router. After filtering by the SACG, traffic is sent back to the switch or router for forwarding.
[Figure: SACG access control. The SACG hangs off the Layer 3 switch in bypass mode; the pre-authentication domain holds the Agile Controller server, the isolation domain holds the third-party antivirus server, and the post-authentication domain holds the service and file servers.]
Auxiliary Devices
Device Role | Device Type
Authentication device | Huawei Sx7 switches; Huawei AR routers; Huawei WLAN ACs; Huawei USG firewalls; 802.1X switches from mainstream third-party vendors; third-party devices supporting the CMCC Portal protocol
Order Information
Item | Remarks
Agile Controller Access Control Function | Mandatory
Agile Controller Terminals of Access Control Function, Including 200 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 500 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 1000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 2000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 5000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 10000 Access Terminals License | Optional
Agile Controller Terminals of Access Control Function, Including 50000 Access Terminals License | Optional
Guest Manager
Component Overview
The maturity of WLAN technologies and the prevalence of intelligent terminals prompt many enterprises to open their intranets to guests and partners. In public areas (such as shopping malls, hotels, exhibition halls, chain stores, scenic spots, business halls, and airport lounges), the huge number of users accessing WLAN creates enormous advertising opportunities.
The Guest Manager of the Huawei Agile Controller provides full-lifecycle guest management functions, including account application, approval, distribution, authentication, auditing, and deregistration. Guests can access the network without registration, or using self-applied accounts, accounts created by the administrator, or social media accounts. The component also supports graphical Portal page customization to push ads based on terminal location, type, and time period.
Component Characteristics
Unified Management on Employees and Guests to Reduce Enterprises' Construction
and IT O&M Costs
• Employee and guest access systems can be deployed on the same server or separately.
Full Lifecycle Guest Management, Scenario-based Flexible Combination
Phase | Options
Registration | Registration-free; self-help application; accounts created by an administrator
Approval | Automatic approval; administrator approval; receptionist approval; approval through email activation; receptionist approval (QR code scanning)
Distribution | SMS (GPRS and SMS gateway); email; web
Authentication | Authentication-free; account and password authentication; passcode; mobile phone verification code authentication; QR code authentication; social media authentication
Audit and deregistration | User login and logout audit; automatic deregistration after expiration; scheduled account deregistration
Perfect Portal Page Customization to Improve Brand Image
• Selects a system template based on scenarios and provides a page customization wizard.
• Supports customization of pages for PCs, tablets, and mobile phones, which include the authentication
page, authentication success page, user notice page, registration page, and registration success page.
• Supports the What You See Is What You Get (WYSIWYG) editor to edit texts, images, colors, hyperlinks,
buttons, dividing lines, and near video on demand (NVOD).
• Supports functions of format painter, eraser, preview, and test.
• Supports multi-language templates, including simplified Chinese, traditional Chinese, English, German,
Spanish, Portuguese, and French.
Social Media Authentication, Facilitating Secondary Marketing of Enterprises
• Supports interconnection with WeChat, QQ, and Sina Weibo.
• Supports interconnection with Facebook, Twitter, and Google+.
Flexible Portal Page Pushing, Refining Message Pushing
• Supports page pushing based on SSIDs, locations (based on MAC addresses), time periods, terminal types, and guest access modes.
Authentication Transparent to Intelligent Terminals: Authenticate Once, Access Many Times
• Uses a combination of Portal and MAC address authentication for the first access, and MAC address authentication alone for subsequent access requests.
Deployment Scenarios
A combination of Portal and MAC address authentication is enabled on the gateway. Terminals use web authentication to access the network.
[Figure: Guest deployment. Terminals connect through a Portal switch that redirects them to the Agile Controller server for web authentication.]
Auxiliary Devices
Device Role | Device Type
Authentication device | Huawei Sx7 series switches with native ACs; Huawei AR routers with native ACs; Huawei WLAN ACs; third-party devices supporting the CMCC Portal protocol
Order Information
Item | Remarks
Agile Controller Guest Management Function | Mandatory
Agile Controller Guest Management Function, Including 200 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 500 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 1000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 2000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 5000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 10000 Access Terminal Management License | Optional
Agile Controller Guest Management Function, Including 50000 Access Terminal Management License | Optional
Terminal Security Manager
Component Overview
Security health assessment of access terminals is a key indicator of an enterprise's security management capability. Large numbers of mobile staff and partners frequently use their own terminals (such as laptops) to access enterprise LANs, which threatens enterprise information security. Unauthorized terminals may infect enterprise networks with viruses and acquire trade secrets.
The Terminal Security Management component of the Huawei Agile Controller strictly controls network access for all terminal users and enforces security policies on the users connected to the network. The component supports terminal health checks, software distribution, patch management, and asset management to ensure that terminals connected to the network have self-defense capabilities and comply with enterprise security policies.
Component Characteristics
Terminal Security Management for Windows Clients, Forbidding Unauthorized Access
Terminal Compliance Check for Windows Terminals
• Checks the screen saver policies, registry policies, file sharing, antivirus software, software blacklist and
whitelist, redundant system accounts, ports in use, host names, runtime, weak passwords, automatic system
updates, Windows system settings, and operating system patches.
• Monitors local services and DHCP settings.
• Automatically repairs violated items, including the screen saver policies, registry policies, file sharing, antivirus software, local services, DHCP settings, and operating system patches.
Windows Patch Management: Updates Patches from the Agile Controller or Through Association with Windows Server Update Services (WSUS)
Software Distribution for Windows Clients, Including Patch Delivery, Execution, and Removal
Asset Management with Manual or Automatic Terminal Asset Registration
Deployment Scenarios
The networking of the Terminal Security Management component is similar to that of the Access Control
component. Customers need to install the dedicated NAC client of the Agile Controller before they can enable
the terminal security management feature.
Auxiliary Devices
Terminal Operating System | Version
Windows | Microsoft Windows XP; Microsoft Windows Vista; Microsoft Windows 7; Microsoft Windows 8; Microsoft Windows 8.1
Order Information
Item | Remarks
Agile Controller Access Control Function | Mandatory
Agile Controller Terminal Security Management Function | Mandatory
Agile Controller Terminal Security Feature, Including 200 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 500 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 1000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 2000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 5000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 10000 Terminals License | Optional
Agile Controller Terminal Security Feature, Including 50000 Terminals License | Optional
Free Mobility Manager
Component Overview
With the popularity of mobile office and BYOD applications, users need to access enterprise networks from the HQ, from branches, and even on business trips. Employees of different roles work in the same area, the physical locations of terminals are no longer fixed, and users frequently handle business on their own terminals. In addition, guests and partners access the intranet, so the number of user types and the intranet security risks both grow, and isolation becomes necessary. Enterprises therefore need to give users a consistent QoE when they access the network from different terminals at different places, and to isolate users from each other for security.
The Free Mobility component of the Huawei Agile Controller provides a security group-based policy mechanism on top of traditional NAC that decouples user policies from IP addresses. Free Mobility fits mobile office networks better than isolation through port binding, VLAN, ACL, and VPN technologies, because those bind policy to where a user connects rather than to who the user is. In combination with Huawei's agile switches, NGFWs, and SVN gateways, Free Mobility provides policy orchestration based on two-dimensional matrices. It allows the unified planning and automatic deployment of permissions, applications, bandwidth, QoS, and security policy based on security groups, so that network-wide policies are uniform and users get the same experience while on the move.
Component Characteristics
Security Group-based Policy Control Mechanism, More Suitable for Mobile Office Network
• Replaces the traditional isolation methods that use port binding, VLAN, ACL, and VPN technologies,
providing efficient policy planning.
• Works with agile switches, NGFWs, and VPN gateways to ensure uniform network-wide policies.
• Supports user group–based isolation when employees of different roles work in the same area.
Policy Planning Based on Two-Dimensional Matrices and One-Click Network-Wide
Deployment
Context Awareness–based Authorization and 5W1H Configuration Experience
Security Group–based Hierarchical QoS Policies to Ensure Service Experience
Global and Local Policies, Deploying Different Policies on a Single Device
BGP/MPLS VPN Networking, Deploying Different Policies for VPNs
Deployment Scenarios
The Free Mobility component has no special networking requirements, provided that there are reachable IP
routes between the Agile Controller server and associated network devices. Generally, the Agile Controller server
is connected to the agile core switch in bypass mode.
[Figure: Free Mobility deployment. The Agile Controller and NMS hang off the agile core switch in bypass mode; the core connects to the campus egress NGFW/SVN (WAN/Internet and branch ARs), the data center servers, and agile aggregation switches that feed converged access switches and APs.]
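The security-group matrix is easier to reason about as a data structure than as prose: the enforcement point keeps an IP-to-group binding learned at authentication time and a (source group, destination group) table, and never consults the IP address itself for the decision. The following Python is an added example, not Huawei's implementation, of that lookup. The groups, subnets, users and rules are constructed. It demonstrates the two properties the text claims: a user who re-authenticates from a new address keeps the same result without any rule change, and two users of different roles on the same subnet can be isolated from each other, which a VLAN or an IP ACL on that subnet cannot express.

```python
"""Security-group matrix enforcement keyed on (source group, destination group), not on IP.
Constructed example; group names, subnets, users and rules are made up."""
import ipaddress

PERMIT, DENY = "permit", "deny"


class GroupPolicy:
    def __init__(self, default=DENY):
        self.matrix = {}        # (src_group, dst_group) -> action: the two-dimensional policy matrix
        self.bindings = {}      # ip -> (user, group), learned when the user authenticates
        self.resources = []     # (network, group): static groups for servers, Internet, unbound campus space
        self.default = default  # a pair with no entry is denied unless explicitly permitted

    def set_rule(self, src_group, dst_group, action):
        self.matrix[(src_group, dst_group)] = action

    def add_resource(self, cidr, group):
        self.resources.append((ipaddress.ip_network(cidr), group))
        # Longest prefix first, so 0.0.0.0/0 (Internet) matches only when nothing more specific does.
        self.resources.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def bind(self, ip, user, group):
        """Called on Access-Accept: the authenticated user's group follows this IP until logout."""
        self.bindings[ipaddress.ip_address(ip)] = (user, group)

    def unbind(self, ip):
        self.bindings.pop(ipaddress.ip_address(ip), None)

    def group_of(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.bindings:
            return self.bindings[addr][1]
        return next((group for net, group in self.resources if addr in net), "unknown")

    def check(self, src_ip, dst_ip):
        """The enforcement point's decision for one packet: resolve both groups, then consult the matrix."""
        return self.matrix.get((self.group_of(src_ip), self.group_of(dst_ip)), self.default)


def build_campus_policy():
    """Constructed campus: R&D and office staff share the 10.1.1.0/24 access subnet."""
    p = GroupPolicy()
    p.add_resource("10.10.0.0/16", "rd_servers")
    p.add_resource("10.20.0.0/16", "office_servers")
    p.add_resource("10.0.0.0/8", "campus_unauthenticated")   # campus space with no binding yet
    p.add_resource("0.0.0.0/0", "internet")
    for src, dst in [("rd", "rd_servers"), ("rd", "office_servers"), ("rd", "internet"), ("rd", "rd"),
                     ("office", "office_servers"), ("office", "internet"), ("guest", "internet")]:
        p.set_rule(src, dst, PERMIT)
    p.set_rule("office", "rd", DENY)   # office users on the same subnet may not reach R&D peers
    return p


def roaming_demo():
    """Alice (rd) re-authenticates from a new address; the decision for her traffic does not change."""
    p = build_campus_policy()
    p.bind("10.1.1.5", "alice", "rd")
    before = p.check("10.1.1.5", "10.10.3.7")
    p.unbind("10.1.1.5")
    p.bind("10.2.7.9", "alice", "rd")
    after = p.check("10.2.7.9", "10.10.3.7")
    return before, after
```

Default deny when either side has no permitting entry is deliberate: an address with no binding is an unauthenticated host (here it resolves to the static campus_unauthenticated group), and letting it fall through to a permissive rule would turn the matrix back into an IP-based ACL.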
Auxiliary Devices
Device Role | Device Type
Authentication device | Modular switch: S7700/9700/12700 in V200R006C00 or later; fixed switch: S5720HI in V200R006C00 or later; NGFW: USG63/65/66 in V100R001C20 or later; VPN gateway: SVN 56/58 in V200R003C00 or later
Order Information
Item | Remarks
Agile Controller Access Control Function | Mandatory
Agile Controller Free Mobility Function | Mandatory
Service Chain Manager
Component Overview
Traditional security solutions on enterprise campus and data center networks define network borders. Security devices such as firewalls, anti-DDoS, antivirus (AV), intrusion prevention system (IPS), and data loss prevention (DLP) devices are deployed on the borders between zones of different security levels. As the network grows and users connect in more diverse ways, this deployment model drives an exponential increase in cost. In addition, many customers size the number of security devices they purchase at two to five times the peak-hour rate, yet high-performance security devices such as firewalls, IPS, and anti-DDoS then run at low utilization, which wastes resources.
The Service Chain component of the Huawei Agile Controller virtualizes physical security devices to hide device models and locations. All security devices form a security resource center. The component directs service flows to the security resource center based on service requirements, raising the utilization of physical resources and reducing costs.
Component Characteristics
Resource Virtualization and Service Flow-based Resource Scheduling for Complete Security Protection
• Improves hardware utilization and reduces customer investment.
Comprehensive Service Flow Management: Service Flows Defined by IP 5-tuple or by User Group
• Defines service flows by source and destination IP addresses, source and destination port numbers, and protocol.
• Defines service flows by source and destination user groups, source and destination port numbers, and protocol.
Role-based Service Chain Resource Management
• Service devices can be defined as a firewall, virus wall, or online behavior management device.
• The administrator sets up a GRE tunnel between an orchestration device (switch) and a service device to redirect service traffic to the specified service device for security inspection.
Service Chain Creation Based on Service Flows, Providing Differentiated Security Policies for Different Services
• Configured service chain orchestration policies are displayed on the GUI, and administrators rearrange service chains by dragging service devices.
Deployment Scenarios
Three hardware parts are required to provide the Service Chain function:
• Agile Controller service server: functions as the Service Chain subsystem, which completes the service logic configuration of service chains.
• Orchestration device: must be a Huawei agile switch. The switch identifies service traffic and redirects it to the service devices in the sequence specified by the service chain. There must be reachable IP routes between the orchestration device and the service devices.
• Service device: processes the service flows redirected to it. Service and orchestration devices work at Layer 3 and are connected through GRE tunnels. Service devices can be connected to the core router or to the core or aggregation switch according to the following principles:
Core layer: define service flows based on IP information to shorten the traffic path.
Aggregation layer: define service flows based on user information if the customer can accept a longer traffic path.
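The three parts above reduce to two operations on the orchestration switch: match a flow against the chain rules (by IP 5-tuple at the core, by user group at the aggregation layer) and encapsulate it in GRE toward each service device in order. The following Python is an added example, not Huawei's implementation, of both operations, with the GRE key carrying the chain and hop so the receiving device knows which chain a packet belongs to. The chain names, device addresses, subnets, user groups and key layout are constructed. The decapsulation routine validates the outer header before trusting it, which is what a service device should do with anything arriving on a tunnel interface.

```python
"""Service chain: classify a flow by 5-tuple or user group, then GRE-encapsulate it hop by hop
through the ordered service devices. Constructed example; chain names, device addresses, subnets,
user groups and the GRE key layout are made up."""
import ipaddress
import struct

GRE_PROTO, ETHERTYPE_IPV4, GRE_KEY_FLAG = 47, 0x0800, 0x2000

GUEST_AREA = ipaddress.ip_network("10.0.50.0/24")
DATA_CENTER = ipaddress.ip_network("10.200.0.0/16")
CHAINS = {"chain1": (1, ["firewall", "online_behavior"]),   # (chain id, ordered service devices)
          "chain2": (2, ["firewall", "antivirus"])}
DEVICES = {"firewall": "10.100.0.1", "online_behavior": "10.100.0.2", "antivirus": "10.100.0.3"}
RULES = [
    # Core-layer style: guest traffic to the data center, matched by IP.
    {"match": {"src": GUEST_AREA, "dst": DATA_CENTER}, "chain": "chain1"},
    # Aggregation-layer style: departmental file-sharing traffic, matched by user group.
    {"match": {"src_group": {"dept_a", "dept_b"}, "dst_group": {"file_servers"},
               "proto": {6}, "dport": (137, 445)}, "chain": "chain2"},
]


def in_set(value, cond):
    """cond is None (wildcard), an ip_network, a (low, high) port range, or a set of values."""
    if cond is None:
        return True
    if isinstance(cond, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ipaddress.ip_address(value) in cond
    if isinstance(cond, tuple):
        return cond[0] <= value <= cond[1]
    return value in cond


def select_chain(rules, chains, flow):
    """First matching rule wins; a flow matching nothing is forwarded without inspection."""
    for rule in rules:
        if all(in_set(flow.get(k), cond) for k, cond in rule["match"].items()):
            chain_id, devices = chains[rule["chain"]]
            return rule["chain"], chain_id, list(devices)
    return None, None, []


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner, src_ip, dst_ip, key):
    """Outer IPv4 (protocol 47) plus a keyed GRE header; the key tells the receiver which chain/hop this is."""
    gre = struct.pack("!HHI", GRE_KEY_FLAG, ETHERTYPE_IPV4, key)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0x4000, 64,
                      GRE_PROTO, 0, ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner


def gre_decapsulate(pkt):
    """Validate the outer header before trusting it; return (src_ip, dst_ip, key, inner_packet)."""
    if len(pkt) < 28 or pkt[0] != 0x45 or pkt[9] != GRE_PROTO or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("not a well-formed GRE-in-IPv4 packet")
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("length field does not match packet")
    flags, proto, key = struct.unpack("!HHI", pkt[20:28])
    if not flags & GRE_KEY_FLAG or proto != ETHERTYPE_IPV4:
        raise ValueError("expected keyed GRE carrying IPv4")
    return str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20])), key, pkt[28:]


def is_valid_gre(pkt):
    try:
        gre_decapsulate(pkt)
        return True
    except ValueError:
        return False


def traverse(rules, chains, devices, switch_ip, flow, inner):
    """Simulate the orchestration switch sending one packet through its chain; return (chain, path)."""
    chain, chain_id, hops = select_chain(rules, chains, flow)
    path = []
    for hop, device in enumerate(hops):
        key = (chain_id << 16) | hop                      # constructed key layout: chain id, hop index
        tunneled = gre_encapsulate(inner, switch_ip, devices[device], key)
        _, _, got_key, inner = gre_decapsulate(tunneled)  # the service device strips GRE and inspects
        if got_key != key:
            raise ValueError("service device received a packet for the wrong chain")
        path.append(device)
    return chain, path
```

A flow that matches no rule bypasses the resource center entirely, so the rule set is the security boundary: review it the way an ACL is reviewed, with the most specific matches first and an explicit catch-all for traffic that must always be inspected.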
[Figure: Service chain deployment. Service chain 1 and service chain 2 steer traffic from the guest area, Dept A, Dept B and the internal public area (access and aggregation layers) through the firewall, online behavior management and antivirus service chain nodes toward the campus egress and the data center; the Agile Controller sits in the NMS center.]
Auxiliary Devices
Device Role | Device Type
Orchestration device | Chassis switch: S77/97/127 V2R6C00 and later versions
Service device | Firewall: USG63/65/66 V1R1C20 and later versions; Juniper device: SRX210
Order Information
Item | Remarks
Agile Controller Access Control Function | Mandatory
Agile Controller Free Mobility Function | Mandatory
Agile Controller Service Chain Function | Mandatory
Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademark Notice
HUAWEI and the Huawei logos are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20160607-C-1.0
e.huawei.com