H3C Application-Driven Campus Solution
25-08-2022
H3C AD-Campus solution
Solution overview
In this era of the digital economy, new and innovative applications emerge every day. These applications have a great impact on traditional campus networks, and the requirements for building campus networks change from day to day. To address the needs of users from all walks of life and at all levels for campus network services in this challenging environment, H3C designed the application-driven campus (AD-Campus) solution. AD-Campus provides innovative solutions for service deployment, endpoint management and control, and O&M management on campus networks to meet various user requirements, and brings automated, intelligent, unified, and reliable campus network services to users.
Designed on an innovative cloud-native architecture, the H3C AD-Campus solution can provide unified network control, orchestration, and management not only in a single scenario but also across multiple scenarios, including campus, data center, and WAN. With fine-grained data collection by SeerAnalyzer-Campus and big data and AI-assisted data analytics, AD-Campus brings AIOps to campus networks. It combines VXLAN with the concept of software-defined networking (SDN) to create a new-generation flexible infrastructure network. The solution converts campus networks from "users adapt to the network" to "the network adapts to users", enabling users to roam seamlessly in a campus network, with their traffic kept isolated, without any adjustment of network settings. It reduces complexity in network deployment and maintenance and meets the requirements for campus networks in this era of AI, mobility, and IoT.
Features and benefits
Uniform network settings and policy enforcement across the network (UniformUX 2.0)
In a traditional campus network, the IP address of a client changes as the client location changes. If a client roams to another location in the same campus network, its IP address, applicable network policies, and applicable security policies also change. This requires complex network planning, configuration, and tests.
With UniformUX 1.0, the AD-Campus network separates network services from physical devices to decouple the physical network from the virtual network. It enables clients' resources (address, security, and isolated channel resources), network policies, and security policies to be retained after roaming, simplifying network maintenance and improving efficiency.
Based on UniformUX 1.0, UniformUX 2.0 introduces microsegmentation and enables network decoupling, which can help users to upgrade networks to SDN networks with few changes on the live network.
Location decoupling—In traditional campus network solutions, services are tightly coupled with locations. Once the service location changes, the network needs to be adjusted. With services decoupled from the location, AD-Campus allows endpoints to move freely within the campus with stable services for which the network administrators do not need to perform any operations.
Network decoupling—AD-Campus uses microsegmentation to decouple roles from the network. All policies are deployed based on roles and role permissions are further classified, enabling role-based policy enforcement across campuses.
One-click service deployment—AD-Campus provides default user policy templates and allows them to be customized. To deploy a service, you only need to drag and drop the policy template into the two-dimensional policy matrix. The service is then deployed automatically without requiring you to execute any commands.
Role-based user behavior audit—In traditional campus networks, user behavior is typically audited based on the user's IP address. However, because the user's address changes constantly as the user moves, it is difficult to audit the user by IP address. By implementing uniform network settings across the network, AD-Campus binds the IP address to the user. No matter where the user moves, the IP address remains unchanged, enabling users to be audited directly.
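The following is an added example, not code from the page or from H3C's AD-Campus product, that models the idea behind UniformUX 2.0 described above: a two-dimensional policy matrix keyed on the roles of the communicating parties, a policy decision that ignores the client's IP address and access location, and an audit record that stays bound to the same user and address after the client roams. Role names, group pairs, addresses and device names are constructed for the example.

```python
"""Added example: role-based policy matrix with location-independent decisions.
Illustrative code only, not the AD-Campus implementation; all roles, addresses
and access-device names below are constructed."""
from dataclasses import dataclass

# Two-dimensional policy matrix: (source role, destination role) -> action.
# Pairs not listed fall back to DEFAULT_ACTION (deny by default, least privilege).
POLICY_MATRIX = {
    ("employee", "employee"): "permit",
    ("employee", "printer"): "permit",
    ("guest", "internet"): "permit",
    ("iot-camera", "nvr"): "permit",
}
DEFAULT_ACTION = "deny"


@dataclass(frozen=True)
class Session:
    user: str   # authenticated identity
    role: str   # role assigned at authentication time
    ip: str     # address the client keeps while roaming
    leaf: str   # access device the client is currently behind


def policy_decision(src: Session, dst_role: str) -> str:
    """Look up the matrix by role only. src.ip and src.leaf are deliberately
    not consulted, which is what keeps the decision stable across roaming."""
    return POLICY_MATRIX.get((src.role, dst_role), DEFAULT_ACTION)


def roam(session: Session, new_leaf: str) -> Session:
    """Model a client moving to another access device: the role and the IP
    address are retained, only the attachment point changes."""
    return Session(session.user, session.role, session.ip, new_leaf)


def audit_record(session: Session, dst_role: str) -> dict:
    """Audit entry keyed on the user identity and the stable IP address."""
    return {
        "user": session.user,
        "ip": session.ip,
        "leaf": session.leaf,
        "dst_role": dst_role,
        "action": policy_decision(session, dst_role),
    }


def decision_stable_across_roam(session: Session, dst_role: str, new_leaf: str) -> bool:
    """True if moving the client does not change the policy outcome."""
    return policy_decision(session, dst_role) == policy_decision(roam(session, new_leaf), dst_role)


if __name__ == "__main__":
    alice = Session("alice", "employee", "10.1.20.15", "leaf-01")
    print(audit_record(alice, "printer"))
    print(audit_record(roam(alice, "leaf-17"), "printer"))
    print(audit_record(Session("guest1", "guest", "10.9.0.7", "leaf-01"), "printer"))
```

The point of the model is that the access device and the client address never enter the decision path; an auditor correlating records by `ip` therefore sees one user wherever that user attaches.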
Fully automated
AD-Campus decouples configuration from devices, classifies devices across the network into four roles, and creates a configuration template for each device role. It enables automated device onboarding, automated service deployment, and automated faulty module replacement.
Automated device onboarding—AD-Campus classifies network-wide devices into four roles: spine, AGGR, leaf, and access, and uses the same configuration file for devices of the same role. It provides a configuration wizard which will guide you to create a configuration file without any command execution. It enables devices to load the configuration file automatically after they power on, greatly improving network deployment efficiency.
Automated service deployment—Focusing on user services, AD-Campus orchestrates and allocates network resources flexibly to enable uniform network settings and enforcement of policies across the network. It abstracts the network to shield the underlying complexity and enables simple and efficient configuration and management at the upper layer. It defines main network virtual objects so users can easily and flexibly construct their business systems simply by dragging and dropping virtual objects.
Automated faulty module replacement—After devices are powered on, the system identifies the newly added devices (including new devices that replace the faulty devices) automatically, deploys configurations to the devices based on their roles, and then incorporates them. With a precise replacement workflow, the system can restore the existing configuration of the replaced devices completely on new devices.
Intelligent IoT
As IoT endpoints on campus networks grow exponentially in type and number, AD-Campus uses the intelligent IoT solution to enable fast and safe onboarding of IoT endpoints. When IoT endpoints start up, the intelligent IoT solution immediately identifies and onboards them and then automatically places them into isolated channels. In addition, this solution provides a flexible authentication policy. It can perform precise MAC-based authentication for endpoints with known MAC addresses and also allows fast onboarding of endpoints with unknown MAC addresses by using the authentication-free scheme.
AD-Campus innovatively introduces the Endpoints Profiling System (EPS) to perform compliance inspection on IoT endpoints. The EPS system is used mainly to identify and monitor endpoints across the network. The system scans all authenticated and non-authenticated endpoints with a scanner, accurately identifies the types of endpoints, provides baseline management of IoT endpoints, and detects abnormal endpoints in time. With EPS combined with the EIA endpoint access control system, AD-Campus provides all-round, highly efficient management of network access endpoints.
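As an added example (not EPS or EIA code, and not from the page), the script below models the onboarding and compliance flow the two paragraphs above describe: an endpoint with a known MAC address is authenticated by MAC and placed in the isolated channel for its type; an endpoint with an unknown MAC takes the authentication-free path into a quarantine channel; and the scanner's view of the endpoint is compared against a per-type baseline so that deviations are flagged. The MAC addresses, device types, baseline port sets and channel names are constructed for the example.

```python
"""Added example: IoT endpoint onboarding plus baseline compliance check.
Illustrative only; not H3C's EPS/EIA implementation. Endpoint registry,
baselines and scan results are constructed."""
from dataclasses import dataclass, field

# Constructed registry of endpoints known in advance, keyed by MAC address.
KNOWN_ENDPOINTS = {
    "00:11:22:33:44:01": "ip-camera",
    "00:11:22:33:44:02": "printer",
}

# Constructed baseline per endpoint type: the TCP ports a compliant device of
# that type is expected to expose, and the isolated channel it is placed into.
BASELINES = {
    "ip-camera": {"ports": {554}, "channel": "iot-video"},
    "printer": {"ports": {9100, 631}, "channel": "iot-print"},
    "unknown": {"ports": set(), "channel": "iot-quarantine"},
}


@dataclass
class Endpoint:
    mac: str
    open_ports: set = field(default_factory=set)   # what the scanner observed
    device_type: str = "unknown"
    channel: str = ""
    auth_method: str = ""
    findings: list = field(default_factory=list)


def onboard(ep: Endpoint) -> Endpoint:
    """Choose the authentication path and the isolated channel for an endpoint."""
    mac = ep.mac.lower()
    if mac in KNOWN_ENDPOINTS:
        ep.device_type = KNOWN_ENDPOINTS[mac]
        ep.auth_method = "mac-auth"        # precise MAC-based authentication
    else:
        ep.device_type = "unknown"
        ep.auth_method = "auth-free"       # fast onboarding, kept in quarantine
    ep.channel = BASELINES[ep.device_type]["channel"]
    return ep


def compliance_check(ep: Endpoint) -> Endpoint:
    """Compare the scanned port set with the type baseline and record findings."""
    if ep.device_type == "unknown":
        ep.findings.append("unclassified endpoint in quarantine; no baseline to compare")
        return ep
    expected = BASELINES[ep.device_type]["ports"]
    extra = sorted(ep.open_ports - expected)
    missing = sorted(expected - ep.open_ports)
    if extra:
        ep.findings.append(f"unexpected open ports: {extra}")
    if missing:
        ep.findings.append(f"baseline ports not observed: {missing}")
    return ep


def is_abnormal(ep: Endpoint) -> bool:
    """An endpoint with any finding needs operator attention."""
    return bool(ep.findings)


if __name__ == "__main__":
    # Constructed scan results: one compliant camera, one camera that also
    # answers on an unexpected port, and one endpoint nobody registered.
    for ep in (
        Endpoint("00:11:22:33:44:01", {554}),
        Endpoint("00:11:22:33:44:01", {554, 23}),
        Endpoint("de:ad:be:ef:00:01", {80}),
    ):
        ep = compliance_check(onboard(ep))
        print(ep.mac, ep.auth_method, ep.channel, ep.findings)
```

Keeping the baseline as data rather than code is what makes "baseline management" practical: the operator maintains expected profiles per type, and the check itself does not change when a new endpoint type is added.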
Unified management from multiple dimensions
Designed based on the cloud-native architecture, the AD-Campus solution provides unified management from multiple dimensions and can solve the issues existing in traditional campuses from multiple dimensions. AD-Campus dashboard is a single-pane-of-glass interface with a topology map that can provide network details such as health status, events, alarms and other relevant information.
Unified management across multiple scenarios—AD-Campus can provide unified network control, orchestration, and management across multiple scenarios including the campus, data center, and WAN scenarios from one single management platform.
Unified management across multiple campuses—With the H3C multi-fabric solution, AD-Campus achieves unified management and control across multiple campuses and simplifies O&M. The multi-fabric solution can not only enable automated network deployment, unified policy configuration, and uniform policy enforcement across campuses, greatly reducing campus O&M complexity, but also enable local authentication, local forwarding, and regional autonomy to reduce inter-campus communication complexity and enable unchanged permissions for employees travelling across campuses.
Network and security integration—AD-Campus innovatively introduces service chain technology and supports both east-west and north-south service chains. Through traffic steering of service chains, AD-Campus achieves SDN automation from Layer 4 to Layer 7 and enables orchestration of network and security from a global perspective. Thanks to the elastic scalability of service resources in service chains and the transparency of security device replacement to network devices, AD-DC provides flexible and on-demand resource allocation as well as robust network protection.
Unified management of wired and wireless services—At the management level, AD-Campus uses one set of management systems and provides unified topology display, unified authentication, and unified user group division for wired and wireless services. At the policy level, wireless data forwarding is moved completely from the AC to the switch. The service policies defined through the policy matrix apply equally to wired and wireless traffic, so you do not need to define inter-group policies separately for wireless traffic, which realizes unified wired and wireless policies.
AIOps
Employing SeerAnalyzer-Campus in combination with telemetry technologies, AD-Campus brings visibility into the network status in real time. Assisted with big data analysis and AI learning algorithms, AD-Campus provides trend prediction and fast fault location, which greatly improves O&M efficiency and enables network administrators to focus more on services rather than complicated O&M workload.
Features and benefits
All-round data acquisition
With the distributed deployment architecture, SeerAnalyzer-Campus can expand data collection flexibly. The data analysis platform built with components such as Vertica and Flink meets data collection needs of networks of any size.
With the second-level (per-second) data collection capability of gRPC telemetry, SeerAnalyzer-Campus provides real-time visibility into the network operating status.
SeerAnalyzer-Campus can collect network performance data for user access through telemetry and play back the access process from that data as needed.
In addition to traditional network management data collection protocols, SeerAnalyzer-Campus supports a variety of advanced data collection technologies, allowing comprehensive or targeted data collection as needed.
Big data-powered
SeerAnalyzer-Campus uses big data technologies to implement massive data collection and distributed storage and computation, which provides real-time visibility into network operating status and enables refined operation and maintenance.
Relying on big data technologies, SeerAnalyzer-Campus can trace back the historical running state of the network, which helps to locate faults and carry out operation and maintenance tasks such as performance analytics and behavior audit.
AI analytics
Using distributed computing engines as well as AI algorithms, SeerAnalyzer-Campus can provide data analytics both online and offline, to meet intelligent O&M analytics requirements in any scenario.
SeerAnalyzer-Campus enables visibility into the entire network status by all-round collection and analytics of data including network device status data, protocol message data, traffic forwarding data, user access data, and log data. Assisted with machine learning (ML) algorithms and the expert system, SeerAnalyzer-Campus can detect network faults in real time, locate fault causes intelligently, and guide administrators to fix issues.
SeerAnalyzer-Campus can evaluate the quality of networks, user experiences, and applications based on AI analytics of massive data, and enhance network optimization and assurance.
High-performance data acquisition, a real-time expert system, and AI algorithm computation enable fault isolation environment verification, fault detection, impact verification, and isolated push for analytics.
Through continuous AI analytics on historical network data, SeerAnalyzer-Campus can predict network faults and performance bottlenecks, and guide O&M personnel to intervene and plan in advance.
Collaborative analytics of network and service data
SeerAnalyzer-Campus provides visibility into overall network health status through collaborative analysis of network device status data and network performance data.
It provides full visibility into the operating status, faults, and risks of devices in the system plane, control plane, and data forwarding plane, based on comprehensive, precise, and real-time metrics about the network devices.
It collects network performance data throughout the network access process of users and conducts group analysis based on massive user data, to gain insight into network quality and identify network issues.