CloudCampus Service

**Table 1** Huawei Qiankun CloudCampus Service specifications
Level-1 Category	Level-2 Category	Level-3 Category	Level-4 Category	Item	Description
Cloud-based network management	Resource management	Resource management	Device management	Cloud managed device management	Cloud managed devices refer to the devices that connect to the console through NETCONF Callhome. ARs, cloud APs, switches, and firewalls can be managed in this method. Users can import device SNs, set device names and descriptions, and add devices to sites. Users can delete devices one by one or in batches. The console can display information about existing devices of a specific tenant. The displayed device information includes the device name, SN, status, site, model, license status, software version, and registration time. Devices can be filtered by status, site type, or keyword. Device information, such as the device name, description, SN, and role, can be modified.
	Resource management	Resource management	File management (*)	File management (*)	Allows users to upload various types of local files through the web UI, including software packages, patches, certificate files, and license files. Allows users to view the file upload task list and stop or cancel an upload task. Allows users to upload signature files of software packages or patches for verification. (Software packages and patches are managed using uUpgrade.)
	Network service configurations	NE registration	Protocol channel	Management mode (cloud managed devices)	Cloud managed devices proactively use the Call Home service to connect to the console through SSH channels.
			SN whitelist	-	An SN whitelist can be configured. Devices that are not whitelisted cannot be registered and managed, which improves security.
			NE authentication	-	Performs two-way authentication based on certificates and device SNs.
			Deployment modes	DHCP-based deployment	The DHCP Option 148 mode is used for on-premises deployment. After obtaining IP addresses, devices automatically connect to the Huawei Qiankun Cloud Platform.
				Registration query center-based deployment	After tenants import device SNs on the Huawei Qiankun Cloud Platform, the devices automatically connect to the registration query center for registration and onboarding. Currently, ARs do not support this deployment mode.
				CLI-based deployment	Users can connect to devices through the console port and run commands to specify the IP address of the Huawei Qiankun Cloud Platform to which the devices need to connect to onboard the devices.
				Others	Barcode scanning-based deployment is supported. Firewalls and ARs support USB-based deployment. Only ARs support email-based deployment.
		Template management	Site configuration template management (*)	Site configuration template (*)	Site templates can be created, viewed, modified, and deleted. Site templates can be bound to and unbound from sites. A site template can contain the following configurations: Site-level configuration: BootROM, SNMP, local users, and NTP AP parameters: radio, SSID, attack defense, wireless security, and DHCP Firewall parameters: subnet, DNS, authentication, SSID, and traffic policy
				CLI-based site configuration template (*)	APs, ARs, firewalls, and switches support CLI-based site configuration templates.
				Site configuration template clone (*)	Site configuration templates can be cloned.
			Feature template (*)	Template-based switch port feature configuration (*)	Port security: configures DHCP snooping, ND snooping, IPSG, DAI, port isolation, and storm control. One template can be bound to multiple switch ports. Port VLAN: configures VLANs for access, trunk, and hybrid ports, default VLANs for ports, allowed VLANs, and voice VLANs. One template can be bound to multiple ports. Port physical attribute: configures auto-negotiation and PoE. Port ring network: configures STP and loop detection. One template can be bound to multiple ports. Port traffic policy: configures a traffic policy specific to a port or port group. A traffic policy defines a DSCP value in the range from 0 (lowest) to 63 (highest) or an 802.1p priority in the range from 0 (lowest) to 7 (highest). Interface-based application identification and application traffic statistics collection are supported.
			Feature template (*)	Template-based switch feature configuration (*)	Device groups can be defined. Traffic policies can be delivered to devices or device groups (only applicable to switches). A traffic policy can contain the following configurations: Outbound, inbound, and bidirectional Traffic classifier: 5-tuple and VLAN range Traffic behavior: deny and permit Traffic rate limiting: CIR, PIR, CBS, and PBS Traffic priority: local priority, DSCP priority, and 802.1p priority
			Template management	Template management (*)	Allows users to create, modify, and delete service templates.
			Template management	Service template (*)	ACL, dynamic ACL, URL, and URL category templates are supported. RADIUS server, RADIUS relay server, HWTACACS server, and third-party Portal server templates are supported. Authentication and bypass policy templates are supported. Traffic classifier and traffic behavior templates are supported. HQoS-related templates, including user-defined application templates and application scheduling templates, are supported. IGMP snooping templates are supported. WAN link templates are supported. SNMP templates are supported to scan and discover traditional devices. Firewall security zone templates and IP/MAC address sets can be managed. SA applications can be customized.
			Device template information	Switch interface template (*)	Switch template management is supported, including adding, deleting, modifying, and viewing switch device templates. Switch interface features can be configured in switch device templates.
			Device template information	CLI-based template (*)	CLI-based device configuration templates can be configured for APs, ARs, firewalls, and switches.
		Basic configuration management	Device name configuration	-	The console can deliver device names to devices to accurately identify the devices.
			Device administrator account password configuration	-	The console supports change of the password, service level, and supported service type of the device administrator account admin.
			Time configuration	-	Time zones can be configured to enable devices to display the local time. The Network Time Protocol (NTP) can be configured so that devices can synchronize time using NTP to ensure time accuracy.
		Layer 2 and Layer 3 network service management	Interface management	Interface configuration	Ethernet interface information is displayed in a list. The following interface configurations are supported: administrative status, description, auto-negotiation (rate and duplex mode), management VLAN auto-negotiation, VLAN ID, allowed VLANs, and voice VLAN. Link neighbor discovery protocols LLDP and CDP can be configured. The following port security configurations are supported: DHCP snooping, ND snooping, ARP snooping, DNS snooping, mDNS snooping, DAI, IPSG, storm suppression, and loop detection. IP subnet-based VLAN assignment can be configured. The function of generating SNMP traps upon status changes can be configured. Dynamic MAC address collection can be configured. Trust options, port isolation, storm control, loop detection, and PoE can be configured. STP and edge ports can be configured.
			Interface management	Multi-egress management	Multi-egress links can be configured and managed, including NAT configuration and status monitoring on interfaces. 3G/LTE/5G links can function as standby links.
			Cloud-based modular switch management	-	Modular switches can be managed by the console. Basic O&M (diagnosis tool, performance monitoring, alarm reporting, and upgrade) and card insertion and removal are supported.
			Switch stacking	Stacking of fixed switches	The console supports automatic stacking. Tenant administrators can manage stacks and stack members. The console can display the alarm status of stacks, and allows users to onboard and disconnect stack master devices and stack members. The console supports stack upgrade, certificate replacement, stack alarm management, performance monitoring, and device log reporting. The console can deliver configurations to stack members, configure reserved VLANs, and perform multi-active detections for stacks.
			Switch stacking	CSS of modular switches	The console can manage CSSs set up by modular switches. It also allows users to view CSS topologies, inspect and upgrade CSSs, perform CSS split detections, and perform basic O&M operations for CSSs. A member device in a CSS can be replaced.
			Network	Internet access	Two types of network configurations are supported: local Internet access and multi-branch interconnection.
				Network parameters	Network configuration includes the name, description, purpose, VLAN ID, IP address, subnet mask, and DHCP configuration. The DHCP configuration includes the DHCP mode, DNS mode, server list in DHCP relay mode, IP address lease, and reserved IP address range. Proxy ARP, MTU, management VLAN, and static management address policy configurations are supported.
				Static management IP address	Allows users to configure fixed management IP addresses of switch subnets, firewall subnets, and AR subnets.
			DHCP	-	When a terminal accesses the network through a NAT device, the following configurations need to be configured for the terminal: the DHCP address pool, IP address, mask, and IP address lease, primary WINS server, secondary WINS server, and static IP address.
			DNS	-	The DNS mode (client or relay agent), DNS server address list, and local domain name list can be configured.
			NAT	-	NAT in Easy IP mode can be configured.
			VPN	IPsec VPN (*)	A VPN can be configured in hub-spoke and mesh modes when firewalls function as hub devices. In hub-spoke mode, users can configure one hub site, configure an IKE proposal and an IPsec proposal through a security profile, and configure multiple spoke sites. The hub site can contain third-party or cloud managed devices, on which administrators can configure accessible VPN network segments. Spoke sites can contain any devices, devices in a selected scope, or third-party devices, on which users can configure accessible VPN network segments and VPN rate limit. In mesh mode, multiple devices can connect to devices of the current site in mesh networking mode. Users can configure an IKE proposal and an IPsec proposal through a security profile, select all or specified devices at the current site to be added to the mesh network, and configure the accessible VPN network segments and VPN rate limit.
			VPN	IPsec VPN enhancement (*) NOTE: This enhancement is applicable only to firewalls.	Spoke sites support multiple uplinks in IPsec VPN intelligent traffic steering scenarios. M spoke sites can connect to a hub site through N uplinks. Intelligent traffic steering rules are generated in a unified manner. Intelligent traffic steering rules are re-generated when uplinks of a spoke site are changed. Intelligent traffic steering rules are re-generated when a hub site is changed. In the intelligent traffic steering scenario, link switchback is supported. Traffic is preferentially forwarded over the link with a higher priority. By default, the link with a higher priority is used. If the high-priority link is faulty, the link with a lower priority is used for traffic forwarding. After the high-priority link recovers, traffic is switched back to the high-priority link.
			Management VLAN	Management VLAN auto-negotiation of cloud managed devices	Cloud-managed devices support plug-and-play, and management VLAN auto-negotiation.
				Manual configuration of management VLANs	Users can configure management VLANs for intranet devices separately, so that the devices can obtain management IP addresses through these VLANs, preventing competition between management and service IP addresses.
				Management VLAN configuration	Wired and wireless PnP VLANs can be configured, and Layer 2 isolation policies can be configured for management VLANs based on ports of core switches.
			STP	MSTP (*)	MSTP basic functions, such as spanning tree instances and region names, can be configured.
			STP	RSTP (*)	RSTP can be enabled and RSTP priorities can be configured.
			Routing	Policy-based routing (PBR)	Static PBR based on the 5-tuple information can be configured for route selection. Dynamic PBR can be configured to implement intelligent traffic steering based on the application category and egress link quality.
				Configuring static routes for firewall sites	Static routes can be configured for firewall sites.
				Configuring static routes for switch sites	Static routes can be configured for switch sites.
				Configuring static routes for AR sites	Static routes can be configured for AR sites.
			CLI configuration tool	CLI configuration tool (*)	Traditional devices can be configured based on CLI configuration templates.
			Configuration file management	Configuration file management (*)	Backup, comparison, and restoration of switch configuration files are supported.
		WLAN service management	SSID management	SSID configuration	SSIDs can be created, modified, deleted, and viewed. Basic SSID configurations (including VLAN, maximum user count, radio enabling switch, SSID hiding, rate limiting, and WMM) and advanced SSID optimization configurations are supported.
			SSID management	Terminal rate limiting by time range (*)	The functions of limiting uplink and downlink traffic rates on a single terminal by time range are supported.
			Radio management	-	The console allows users to modify the country code, enable or disable radios, and set the frequency band, channel, transmit power, and gain of radios. The console supports manual, automatic, and scheduled calibration of the 2.4 GHz and 5 GHz radios, and allows users to set a TPC threshold.
			Radio management	-	Dual frequency bands can be enabled together on an AR with a built-in Wi-Fi module.
			Roaming	-	Layer 3 roaming between central APs and cloud APs is supported.
			WAC management	WAC basic configuration	SSH reverse tunnels between the console and devices can be created through NETCONF. Administrators can access device web systems through the console.
				Compatibility between APs of legacy models and WACs	The console can manage WACs and non-cloud managed APs, monitor the status of APs, and deliver configurations to WACs. The configurations that can be delivered to WACs are fewer than those of cloud APs.
				Association between WACs and Fit APs	Fit APs can be associated with and disassociated from WACs.
			Preventing interference from rogue APs (*)	-	Radio calibration policies can be configured to enable APs to automatically prevent interference from rogue APs.
			Load balancing (*)	-	APs can perform load balancing based on the number of terminals.
			Bluetooth (*)	Basic Bluetooth configuration (*)	Bluetooth broadcast and monitoring are supported.
			Bluetooth (*)	Personalized Bluetooth broadcast configuration (*)	Bluetooth broadcast parameters can be set to different values for devices at a site.
		QoS	Packet re-marking (*)	-	Packet re-marking is supported based on the IP subnet, protocol and port, host name, MAC address, application or application category (supported by APs, ARs, and firewalls, but not switches), user group, time range, and country and region (supported by firewalls).
			Rate limiting (*)	-	Rate limiting is supported based on the IP subnet, protocol and port, host name, MAC address, application or application category (supported by APs, ARs, and firewalls, but not switches), user group, time range, and country and region (supported by firewalls). Firewalls can rate-limit traffic based on the IP address. SSID- and terminal-based rate limiting are supported for uplink and downlink traffic.
			Traffic shaping (*)	-	Port queues and traffic shaping can be configured for device interfaces. Device interfaces can be configured to trust DSCP and 802.1p (default) priorities.
			Congestion management (*)	-	Congestion management in PQ, WRR, DRR, and hybrid scheduling modes can be configured on interfaces.
		Basic security service management	Static MAC address binding (*)	-	Static binding entries among device MAC addresses, VLANs, and interfaces can be configured.
			Security policy (*)	Traffic policy	Devices compare traffic packet features with certain conditions and perform security control on the packets meeting the conditions.
			DHCP snooping	-	DHCP snooping can be configured on interfaces.
MAC address blacklist and whitelist			-	The MAC address blacklist and whitelist can be configured.
WIDS and WIPS (*)			-	WIDS templates, whitelists (SSIDs, OUIs, and MAC addresses), and rules for identifying spoofing SSIDs can be configured. WIDS detection can be configured to implement containment against unauthorized devices and clients. Attack detection and defense can be configured.
URL filtering	-		Filters URLs based on predefined categories. Filters URLs using the URL blacklist and whitelist (HTTP/HTTPS).
Security signature database update (*)	Antivirus signature database update (*)		The console can update antivirus signature databases of firewalls.
	File reputation database update (*)		The console can update file reputation databases of firewalls.
	Malicious domain name database update (*)		The console can update malicious domain name databases of firewalls.
	IPS signature database update (*)		The console can update IPS signature databases of firewalls.
	IP reputation database update (*)		The console can update IP reputation databases of firewalls.
Interference detection (*)	-		Provides the function of detecting whether tenants suffer from interference. Provides the functions of querying the interfered APs and interference types for tenants.
Wireless non-operating management (*)	-	-	China's wireless access security requirements can be fulfilled.
Network O&M	Monitoring	Alarm management	-	Allows users to view device alarms. Allows users to clear alarms.
		Device monitoring	Device state	The console can display devices in online, offline, unregistered, alarm, and faulty states.
			Device information	Allows users to query details of a single device, including the device name, version, model, startup time, IP address, MAC address, running time, manufacturer, description, tag group, and location on the map. Allows users to query information about interfaces on a device, including the interface running status, name, IP address, bandwidth, MTU, and duplex mode.
			Resource monitoring	The console can monitor CPU and memory usages of a single device. The console can display SSID and radio information about a single device. The console can display traffic statistics and terminal information about a single device.
			AP air interface resource monitoring (*)	The console can display the statistics and trends of upstream and downstream unicast, multicast, and broadcast packets on air interfaces and wired interfaces of APs, as well as the status of those interfaces.
		Terminal monitoring	Online terminal information	Users can view the list of terminals that go online from a specified AP at a site. The terminal list contains diversified information, such as the terminal IP address, terminal MAC address, username, associated AP, negotiated rate, packet loss rate, signal-to-noise ratio (SNR), retransmission rate, signal strength, authentication mode, uplink and downlink rates, latest VLAN access time, access SSID, and traffic information.
			End user list export (*)	Exports end user lists within the last 30 days on the report customization page.
			Historical trend (*)	Historical users in the past seven days can be viewed. The console can display the quantity trend of terminals connecting to a site within a specified period of time, for example, one day, one week, one month, or one year.
			Mobility group and roaming neighbor	Information about roaming groups and roaming neighbors is reported periodically, and is displayed on the console. (in tables).
		Authenticated user monitoring (*)	-	The console can display information about online users who pass Portal authentication. The information includes the username, user group, authentication mode, access policy, access SSID, terminal MAC address, terminal IP address, login time, and site. Online user information can be exported. Tenant administrators can disconnect specific online users.
		Basic security service monitoring (*)	VPN status (*)	Allows users to query information about VPN tunnel connections, including the IPsec policy name, source device, source interface, destination device, and VPN status.
		Application monitoring (*)	Application identification (*)	DPI can be configured on APs and firewalls to identify specific types of applications, for example, QQ, MSN, and Sina email box. Through DPI application identification packets, statistics on traffic and application usages can be collected based on the time range, tenant, device, and site.
			DPI upgrade (*)	Application data of the console can be updated online. An upgrade address and an upgrade plan can be configured for firewalls, ARs, and APs. The console can trigger a device to update application data online immediately. The console supports application database upgrade in local mode. To implement this, tenants need to upload the database upgrade file to the console. The console can then deliver the file to devices for local upgrade of application data.
			Traffic analytics (*)	The console can display the network traffic trend of all the devices at a site within the specified period of time, for example, one day, one week, one month, or one year. It can also display uplink and downlink network traffic trends. The console can display top 5 devices by traffic at a site within the specified period of time, as well as the traffic statistics of each device. Users can click a device to view details. The console can display top 5 SSIDs by traffic at a site within the specified period of time, as well as the traffic statistics of each SSID. The console can display top 5 terminals by traffic at a site within the specified period of time, as well as the traffic statistics of each terminal. Tenant-level statistics is supported.
		Application experience (*)	IP-based in-band flow measurement (*)	In-band flow measurement based on 5-tuple information is supported.
		Application experience (*)	Application-based in-band flow measurement (*)	Identification of DPI applications and customized applications is supported. The functions of collecting and reporting application traffic statistics are supported. The console can display switch traffic statistics of a single application and of applications in an application list, and can also display top N applications by traffic. Application-based in-band flow measurement is supported.
	Topology management	Site network topology	-	Supports automatic discovery and display of physical topologies. Displays status of and basic information about devices. Supports quick search for devices. Allows users to view networking traffic heatmaps.
	Topology management	GIS topology	-	Displays VPN connection information between sites on a GIS map. Displays VPN tunnel status.
	Fault diagnosis	Remote CLI login (*)	-	Users can remotely log in to the CLI of devices on the console to diagnose device faults. Firewalls support this function in V300R003C00 and later versions.
		Remote control (*)	-	Allows users to blink an AP indicator. Allows users to remotely restart devices on the console. Allows users to turn on or off AP indicators in a specified time period.
		Batch device restart (*)	-	Users can select multiple devices and restart them in batches with one click, simplifying O&M and quickly recovering services.
		Packet header obtaining (*)	-	Users can configure packet header obtaining (obtaining 64 bytes of a packet) on specific device ports on the console. Users can also download the obtained packets from the console.
		Packet path tracing (*)	-	Packets of the following protocols can be detected: ICMP, IGMP, IP-in-IP, TCP, UDP, GRE, and OSPF.
		Diagnosis information collection (*)	-	Allows users to manually collect device diagnosis information, and automatically collect diagnosis information of a device when the device's CPU usage or memory usage is high or the device restarts.
		Fault locating (*)	Fault locating method	Allows users to view rogue signals based on APs on the console.
		Fault locating (*)	Fault locating tools	The following tests are supported: ping test, traceroute test, radio ping test, and virtual cable test.
	Network quality analysis	SLA management (*)	-	SLA management is supported for traditional devices.
	Upgrade (*)	Software package management (*)	-	SLA management is supported for traditional devices. Allows users to upload, modify, delete, and query software packages and patches. Allows users to download device software packages from the Huawei Online Upgrade Repository (HOUP).
		Software upgrade (*)	-	Users can install software packages and patch files by site, and view the installation progress. The console supports automatic upgrade for devices running earlier software versions. When a device is added to the site with devices running a later software version, the console automatically upgrades the newly added device to the later version. Users can select the desired devices for upgrade. The console supports the version upgrade of cloud managed devices at a site. The console supports the upgrade of traditional devices (through uUpgrade). The console supports the upgrade of stacks set by cloud managed devices.
		Resumable transfer (*)	-	Resumable transfer is supported for software packages during upgrade.
		Time window (*)	-	Users can configure the upgrade time window. When the time window starts, the device upgrade begins, and the upgrade stops tills the end of the time window.
	Reports (*)	Statistics report (*)	-	The following statistics are collected by tenant or site: Total uplink and downlink traffic statistics at the site egress (from the site perspective) and total traffic statistics of each site (from the tenant perspective) Number of access clients (access terminals) every day under a tenant or at a site. Users can configure the console to display top N records (N is configurable). Traffic statistics of each SSID, AP, user/user group, and application category/application under a tenant or at a site. Users can configure the console to display top N items (N is configurable). Security events (WIDS/IPS analysis and network alarms) under a tenant or at a site can be exported. Top N tenants can be displayed. Reports can be periodically exported in CVS or other formats, by day, week, month, or year, and can be sent via emails.
	Reports (*)	Agile report (*)	-	The console provides a default scenario-specific dashboard to simplify O&M, and allows users to flexibly customize dashboards based on their O&M requirements. The console also supports orchestration of common data sources and correlative data analysis. Analysis reports can be periodically exported to Word, PDF, or CSV files. The following reports are available based on the agile report framework: Resource reports: device vendor, device type, and device model reports Authentication reports: online terminal trend chart, online user trend chart, RADIUS log statistics chart, Portal log statistics chart, terminal type proportion chart, top N terminals by vendor, and top N terminals by OS.
	Logs (*)	Device channel logs (*)	-	Generates logs when the configuration channels, performance channels, authentication channels, and IP-security group channels are set up, and allows users to query these logs.
		Onboarding and disconnection logs of authenticated users (*)	-	The console can display onboarding and disconnection logs of Portal authentication users. Such a log contains the following information: username, authentication time, terminal MAC address, terminal IP address, disconnection time, authentication mode, user type, authentication failure cause, and associated SSID. These logs can be exported.
		Unified device log management (*)	-	The console can collect and display AP logs and allows users to export logs and delete expired logs.
		Centralized log management (*)	-	An independent syslog server can be configured for a tenant. The following logs can be reported: operation logs, security logs, and onboarding and disconnection logs of clients and devices. SSL encryption is supported. Syslog servers can be configured for APs, WACs, switches, firewalls, and ARs on the console.
Network health 360	Dashboard	-	-	Displays the evaluation results of the entire network, including the health scores, number of access users, number of devices, traffic statistics, network-wide issue distribution, number of times calibration is performed, inter-generation AP upgrade, and decision-making items for coverage hole compensation.
	Wireless network health	-	-	Three-level evaluation results (excellent, good, and poor) are provided based on the following metrics: access success rate, access time consumption, roaming fulfillment rate, signal and interference, capacity health, and throughput fulfillment rate. Root causes are analyzed based on the following metrics: association/authentication/DHCP success rate, time required for association/authentication/DHCP, signal strength, channel utilization, number of users, bandwidth, roaming success rate, roaming duration, interference rate, air interface congestion fulfillment rate, and non-5G-prior access. Users can view metric rankings and trends, root causes of issues, and details about metrics. Data analytics supports the following capabilities to improve operation efficiency: Associated issue display Data clustering by AP, user, and SSID Identification of faulty terminals and APs Users can download health evaluation reports to local hosts.
	Issue analysis	-	-	Allows users to view the number, distribution, and details of connectivity issues. Connectivity issues include authentication failure (802.1X authentication and MAC address authentication), slow authentication (802.1X authentication), authentication timeout (802.1X authentication and MAC address authentication), association failure (not supported for wired clients), slow association (not supported for wired clients), DHCP failure, and slow DHCP. Identifies the root causes of the following issues: issues that the authentication server is unreachable, issues that the number of clients exceeds the capacity, authentication issues, and associated device issues. NOTE: Due to differences between Portal servers and inconsistent Network Admission Control (NAC) processes, a Portal server must work with a RADIUS authentication server to implement Portal authentication. Allows users to view the number, distribution, and details of air interface performance issues, including weak-signal coverage, high channel utilization, high interference, air interface congestion, client capacity, and non-5G-prior access. Allows users to view the number, distribution, and details of roaming issues, including repeated roaming.
User experience 360	Client list	-	-	Allows users to view client access information lists.
	Client journey	-	-	Allows users to view client journey information, including client information, metric overview, and details about each node.
	Protocol tracing	-	-	Wireless client access phases including association, authentication (supporting only the 802.1X authentication mode), and DHCP are displayed in terms of different protocols. Refined analysis for individual faults that occur during client access is provided based on the protocol interaction result and duration at each phase. The analysis includes the most possible root causes and rectification suggestions for client access failures.
Intelligent optimization 360	Homepage overview	-	-	Allows users to view optimization benefits, including the uplink and downlink bandwidth, channel utilization, and interference rate. Allows users to view AI roaming benefits, including the roaming success rate, signal strength before roaming, and bandwidth during roaming. Allows users to view AI inference data, including the number of high-load APs, number of edge APs, number of key APs, number of roaming terminal profiles, and number of terminal vendors. Allows users to view the number of times intelligent radio calibration and AI roaming steering are performed.
	AI inference	-	-	Allows users to view details about high-load APs. Allows users to view details about edge APs. Allows users to add, delete, and view key APs.
	Calibration records	-	-	Allows users to view calibration records, including the calibration duration, calibration type, calibration scope, frequency band, uplink and downlink bandwidth of terminals after calibration, interference rate, and channel utilization.
	AI roaming	-	-	Supports AI roaming terminal statistics, including the number of trained terminal profiles and number of times roaming steering is performed. Allows users to view AI roaming steering data by vendor, including the vendor, number of profiles of different models under each vendor, number of terminals, number of roaming steering successes, signal strength before roaming, and uplink and downlink rates. Allows users to view AI roaming details, including roaming terminals, roam-out and roam-in APs, and roaming details.
Application assurance 360	Application overview	-	-	Allows users to view the application list, invalid applications, and traffic statistics, ensuring application visibility. Analyzes total traffic trends at a site and sets thresholds to monitor traffic.
Application assurance 360	Network traffic analysis	-	-	Analyzes network traffic by device and host.
Cloud-based admission	User management (*)	Local user management (*)	User management (*)	-	Allows users to create, modify, and delete user information, including the username, password, email address, expiration time, and contact number. The information is used for Portal authentication. Allows users to import and export the user information. Allows users to register accounts by themselves.
		Local user management (*)	User group management (*)	-	Allows users to create, modify, and delete user group information, including the user group name, address, postal code, administrator email address, and description. User group information is used in access control policies. Allows users to import and export user groups (using the same template for user import and export).
		Guest management (*)	Guest account management (*)	-	Allows tenant administrators and guest administrators to create common guest accounts, which can be cleared periodically. Allows tenant administrators to create passcode accounts in batches. Allows guest administrators to manage guest accounts by group or role. Sends account expiration notifications via emails or SMS messages.
			Guest account policy (*)	-	The guest username can be an account name, a mobile number, an email address, or a public QR code. Policies for enabling and approving guest accounts, as well as notification policies, can be configured. Guest login types can be restricted.
			Guest account approval (*)	-	Guest accounts can be approved in the following modes: approval-free, tenant administrator approval, employee approval, email-based approval, and public QR code-based approval. Approval notifications can be sent via SMS messages or emails. Messages that indicate successful guest account approvals can be sent via SMS messages or emails, or displayed on web pages.
			Guest authentication (*)	-	The following authentication modes are applicable to guests: username and password authentication, passcode authentication, SMS authentication, two-factor authentication, anonymous authentication, URL-based WeChat authentication, Wi-Fi via WeChat authentication, social media authentication (Facebook, Twitter, QQ, and Sina Weibo), WeChat authentication in developer mode, and public QR code authentication.
			Guest account application method (*)	-	Currently, guest accounts can be created by tenant administrators (one by one or in batches), be created by guest administrators (one by one or in batches), and be applied for by guests on their own.
			Configuration wizard for guest management functions (*)	-	The console provides a wizard for helping users to configure guest management functions, simplifying system deployment and implementation.
		Interconnection with a third-party data source (*)	Social media authentication (*)	-	Facebook and Twitter accounts can be used for social media authentication.
		Online user management (*)	Online user management (*)	-	Online users can be disconnected, and their data can be exported. RADIUS CoA authorization information can be changed through HACA channels.
		Traffic volume and online duration control (*)	Traffic volume and online duration control (*)	-	User/Terminal traffic volume and online duration statistics collection and management: User/Terminal traffic volume limit User/Terminal online duration control Terminal one-time online duration limit User/Terminal traffic volume and online duration limits based on user groups Manual clearance of user/terminal online duration information Manual reset of user/terminal traffic volume information Periodic clearance of online user/terminal traffic volume information Automatic reset of user/terminal traffic volume and online duration information upon each login User/Terminal traffic volume and online duration statistics collection
	Terminal management	Terminal management (*)	Terminal and terminal group management (*)	Terminal and terminal group management (*)	Terminal groups can be created, deleted, modified, and queried, and can be nested. The console can add terminals that are automatically discovered to terminal groups, and also allows users to manually add terminals and add them to terminal groups. The console allows access of identified terminals and supports the terminal blacklist function. The console allows users to configure policies for identifying preset terminals and custom terminals.
			Terminal and terminal group management (*)	Camera terminal management (*)	In addition to the terminal management functions, the following functions are newly supported: Allows users to check the PoE status of interfaces connecting to cameras and enable/disable the interfaces. Allows users to view camera traffic information.
			Terminal identification (*)	Terminal identification (*)	Rule database: Fingerbank Identification methods: User-Agent, DHCP Option, MAC OUI, mDNS, and LLDP Terminal information that can be identified: OS, vendor, terminal model, and terminal type
				AI clustering/identification (*)	Unknown terminals are classified by type to facilitate unified processing by administrators. Unknown terminals can be identified automatically based on learned marking rules.
				Offline update of the terminal fingerprint database (*)	Allows users to update the built-in terminal fingerprint database of the console by importing a new terminal fingerprint database.
			5G terminal access (*)	-	5G IoT terminals can access campus networks.
			IoT aware network (*)	-	SSIDs specific to iConnect terminals are configured to implement plug-and-play of iConnect IoT terminals. iConnect terminals can automatically load digital certificates to enhance access security.
		Terminal authentication logs (*)	Portal user login and logout logs (*)	-	Login and logout logs of Portal users can be filtered, viewed, and exported.
		Terminal authentication logs (*)	RADIUS user login and logout logs (*)	-	Authentication and accounting logs of RADIUS users can be filtered, viewed, and exported.
		Boarding management (*)	Boarding management (*)	-	Allows users to configure 802.1X authentication and manage network access policies through Boarding clients.
	Portal authentication	Built-in Portal authentication (*)	Portal protocol (*)	-	The console supports HTTP/2-based HACA Portal authentication (bypass supported).
			MAC prioritization (*)	-	The console saves MAC addresses of terminals, so that users can directly access networks using the terminals without entering usernames and passwords. Cross-site MAC address-prioritized Portal authentication is supported.
			Authentication mode (*)	-	The following Portal authentication modes are supported: username and password authentication, anonymous authentication, SMS authentication, Facebook authentication, and passcode authentication.
		Username and password generation policy (*)	Batch generation of usernames and passwords (*)	-	Accounts can be created in batches, and the validity period of the accounts can be specified. The validity period starts from the time when a user is authenticated for the first time.
			One-click generation of usernames and passwords (*)	-	Generates login passwords of accounts with one click.
			Passcode (*)	-	Allows users to be authenticated by entering only one parameter.
		Control over the number of access terminals (*)	-	-	The number of terminals using the same account to access a network is limited in username and password Portal authentication.
		Interconnection with a third-party Portal server (*)	-	-	The console can interconnect with a third-party Portal server and deliver interconnection parameters with the third-party Portal and RADIUS servers. APs can interconnect with a Srun server that function as a third-party Portal server. Firewalls can interconnect with the campus controller.
		Portal page management (*)	Page customization (*)	-	Preset Portal page templates, and dial-up and carousel image controls on Portal pages are supported. Users can add and delete Portal pages based on the templates, as well as modify the logo, title, description, and style of pages. Preset pages: URL-based WeChat authentication page, username and password authentication page, SMS authentication page, passcode authentication page, one-click authentication page, social media authentication page, anonymous authentication page, and full-screen advertisement page Portal pages can be customized.
			Portal page language (*)	-	The language in which Portal pages are presented can be set to English, Germany, or Spanish.
			Portal management (*)	-	Allows users to upload Portal pages and delete Portal files.
			Portal page push policy (*)	-	Different Portal pages can be pushed based on conditions specified in Portal page push policies. The following conditions can be configured: device, device type, device group, terminal OS, browser language, terminal IP address, SSID, time, and site.
	PPSK/DPSK	PPSK/DPSK (*)	-	-	PPSK accounts can be configured on the console web UI. The console provides APIs for configuring PPSK accounts, and allows users to import and export PPSK accounts in batches. Different PSK passwords can be provided for different users.
	Social media authentication	WeChat authentication (*)	URL-based WeChat authentication mode (*)	-	A URL can be provided for WeChat authentication. This mode requires a URL access key.
		WeChat authentication (*)	QR code-based WeChat authentication (*)	-	Users can be authenticated after scanning QR codes provided by the WeChat official accounts they have followed.
		Facebook authentication (*)	-	-	Users can be authenticated by entering their Facebook usernames and passwords.
		Twitter authentication (*)	-	-	Users can be authenticated by entering their Twitter usernames and passwords.
	SMS authentication	SMS authentication (*)	-	-	SMS authentication and preset Twillio and fungo SMS templates are supported.
	SMS authentication	SMS content customization (*)	-	-	Allows users to customize the content of SMS messages used for authentication.
	RADIUS authentication	RADIUS server (*)	-	-	The console can function as RADIUS authentication and accounting servers.
	RADIUS authentication	RADIUS proxy (*)	-	-	The console can interconnect with a third-party authentication server and an accounting server using the RADIUS protocol.
	Authentication rule management	Conditions in authentication rules (*)	-	-	The following conditions and their combinations can be configured in authentication rules: user, user group, role, site, admission device group, device type, access device, SSID, terminal group, terminal IP address, address range, time range, customized conditions based on RADIUS attributes, authentication mode, and access mode.
	Authentication rule management	Authentication rule processing (*)	-	-	The console supports self-learning of the IP address, access VLAN, and access port of an access device, MAC address and IP address of an access user, and IMSI and SN of a terminal. If an account has no access information bound, the account is not allowed to access the network. Multiple data sources can be specified in authentication rules. The preferred protocol for 802.1X authentication can be configured on the server side to increase the protocol negotiation rate. In RADIUS authentication scenarios, the RADIUS protocol types supported on the server side can be restricted. If a user does not exist, three policies can be executed: continue processing, not send response packets, and deny access. When identity authentication fails, three policies can be executed: continue processing, not send response packets, and deny access.
	Authorization result management	Conditions in authorization rules (*)	-	-	The following conditions and their combinations can be configured in authentication rules: user, user group, role, site, admission device group, device type, access device, SSID, terminal group, terminal IP address, address range, time range, customized conditions based on RADIUS attributes, authentication mode, and access mode.
	Authorization result management	Authorization result management (*)	-	-	The following authorization results can be configured: authorization VIP user identity, authorization URL filtering, authorization ACL, authorization VLAN, authorization QoS, authorization application scheduling (HQoS), user-defined RADIUS authorization parameters, authorization security group, authorization redirection, ACL (dynamic ACL and static ACL), and pushed authorization URL.
	Admission configuration delivery	Authentication configuration delivery management (*)	Authentication configuration for cloud APs (*)	-	Cloud APs support Portal authentication, PSK/PPSK authentication, MAC address authentication, and 802.1X authentication.
			Authentication configuration for switches (*)	-	Wired and wireless access authentication for switches include Portal authentication, PSK/PPSK authentication, MAC address authentication, and 802.1X authentication. The wired access mode on switches can be specified as follows: An interface can allow access of multiple terminals or only one terminal. Multiple terminals are authenticated separately, and only the first terminal needs to be authenticated.
			Authentication configuration for firewalls (*)	-	Firewalls support Portal authentication.
			Authentication configuration for ARs (*)	-	ARs support Portal authentication.
		Authorization configuration delivery management (*)	Cloud AP authorization configuration (*)	-	The following authorization configurations can be configured on cloud APs: VIP user, ACL, URL filtering, terminal traffic rate limiting, DSCP, and VLAN.
			Switch authorization configuration (*)	-	The following authorization configurations can be configured on switches: VIP user, ACL, IPv6 ACL, security group, VLAN, terminal traffic rate limiting, and application control template.
			Firewall authorization configuration (*)	-	The security group can be configured on firewalls.
			AR authorization configuration (*)	-	The following authorization configurations can be configured on ARs: ACL, terminal traffic rate limiting, and DSCP.
		PPSK account delivery (*)	-	-	PPSK account delivery is applicable only to APs.
	Free mobility	Free mobility resource management	Security group management	-	The console can manage security groups, including bypass security groups. Security groups can be imported and exported.
		Free mobility resource management	Resource group management	-	The console supports resource group management. Resource groups can be imported and exported.
		Free mobility policy	Free mobility policy	-	The following free mobility policy configurations are supported: Policy matrix specific to a site Policy matrix specific to a fabric network Policy matrix modification Policy matrix deployment Inter-group access control policy Group policy configuration in batches Reverse policy configuration Inter-group policy display in a matrix or list Custom policy view Policy priority adjustment
	IPv6 user authentication	802.1X authentication (*)	-	-	IPv6 terminals can access campus networks after passing 802.1X authentication.
		MAC address authentication (*)	-	-	IPv6 terminals can access campus networks after passing MAC address authentication.
		Portal authentication (*)	-	-	IPv6 terminals can access campus networks after passing Portal authentication.
SD-WAN (*)	Network configuration	Network planning configuration	Physical network	-	Parameters for physical networks: routing domain, transport network, IPsec encryption, device activation security, link connectivity detection, intelligent traffic steering, and NTP configurations
			Virtual network	-	Parameters for virtual networks: routing, IP address pool, DNS, and port configurations
			Collection configuration	-	Parameters for statistics collection: application traffic, application quality, and WAN link traffic
		WAN physical network	Physical interface	-	Physical interfaces and Eth-Trunk interfaces can be configured.
			ZTP	-	WAN-side links and NTP can be configured for a site. Multiple deployment modes are supported, including email-, USB-, and DHCP option-based deployment.
			WAN route	Static routing protocol	The CPE gateway can communicate with the WAN through IPv4 and IPv6 static routing protocols.
				OSPF	The CPE gateway can communicate with the WAN through OSPF.
				BGP	The CPE gateway can communicate with the WAN through BGP and BGP4+.
			VLAN	-	VLANs can be configured to implement Layer 2 isolation, so as to enhance network security.
			Interconnection between non-SD-WAN sites	GRE	IPv6 packets are encapsulated into IPv4 packets through GRE tunneling technology, so that IPv6 packets can be transmitted on IPv4 networks. This enables IPv6 branches to communicate with each other.
			Interconnection between non-SD-WAN sites	IPsec	SD-WAN sites can set up IPsec tunnels with legacy sites, third-party sites, or public cloud VPCs.
			Universal configuration	TACACS	A TACACS server can be configured.
				Authentication mode	NAC authenticates access clients and users on the LAN side to ensure network security.
				Advanced device configuration	The device QoS mode and QoS GTS can be configured.
				Connection source port	A source port can be configured for STUN connections.
				Local TNP-preferred traffic steering	Local TNP-preferred traffic steering can be configured.
				Device reliability	VRRP MAC types can be configured.
			RR connection	-	Associates edge sites with route reflector (RR) sites.
		WAN virtual network	Topology	-	The topology model for inter-site communication varies according to service communication requirements. Predefined topology Single-layer network models: hub-spoke, full-mesh, and partial-mesh Hierarchical network model: Multiple areas are interconnected through a centralized hub area (backbone area) so that a large number of sites can communicate with each other across areas. Customized topology Topology policies can be customized based on the predefined topology to adjust the interworking paths between sites.
			LAN interface	-	Layer 3 and Layer 2 interfaces can be configured for CPE gateways at sites to connect to the LAN.
			LAN route	Static routing protocol	The CPE gateway can communicate with the LAN through IPv4 and IPv6 static routing protocols.
				OSPF	The CPE gateway can communicate with the LAN through OSPF and OSPFv3.
				BGP	The CPE gateway can communicate with the LAN through BGP and BGP4+.
			WAN route	WAN routing policy	After the overlay network is configured, the system automatically deploys BGP between sites to advertise routes on the overlay network. Blacklist and whitelist can be configured for overlay route filtering to filter the BGP routes to be advertised or received on the overlay WAN side.
			WAN route	WAN routing policy template	Allows users to configure and modify WAN routing policies in batches through configuring a WAN routing policy template.
			WLAN	-	The WLAN can be configured so that wireless terminals on the LAN side can access gateways through Wi-Fi.
			Loopback interface	-	Overlay loopback interfaces can be configured in an overlay VPN network.
			Static ARP	-	Static ARP entries can be configured based on IPv4.
			VAS connection	-	CPEs connect to the firewall through the VAS connection function. The firewall functions as a centralized security gateway to protect traffic from headquarters and branches.
	Application experience	Security policy	URL	-	URL security policies can be configured to control the URLs that users can access.
			Firewall	-	Firewall security policies can be configured to logically separate an internal network from an external network. This implements security protection for Internet access services of users and protects the internal network from unauthorized external access.
			IPS and AV	-	A policy can be configured to implement the intrusion prevention system (IPS) and antivirus (AV) functions. After the policies are applied to a device, the device compares characteristics of received packets against the preset IPS and virus signature databases. If a match is found, the device takes the corresponding prevention measure.
		Traffic policy	Overlay QoS	-	The bandwidth of applications or traffic can be limited
			Overlay ACL	-	An ACL policy can be deployed on the LAN side to block specific traffic between internal users and external networks.
			Intelligent traffic steering	-	When there are multiple links to the destination network, intelligent traffic steering enables devices to dynamically select the optimal link based on the link quality, bandwidth, and application priority. By monitoring the network quality in real time, devices dynamically adjust traffic forwarding paths based on the real-time status of each link. This minimizes the impact of network quality on user experience.
			WAN optimization	-	Technologies such as forward error correction (FEC), multi-fed and selective receiving, and per-packet load balancing improve the quality and efficiency of data transmission over WAN links.
			Site-to-Internet access	-	The local Internet access, centralized Internet access, and hybrid Internet access are supported.
			Site-to-legacy networking	-	The local access, centralized access, and hybrid access are supported.
			Overlay NAT	-	Dynamic NAT can be implemented in three modes: Easy IP, PAT, and No-PAT.
			Underlay ACL	-	An ACL policy can be configured on the WAN side to prevent specific traffic from external networks from entering CPEs and internal networks.
			Cloud security	-	Security policies can be configured for interconnection with a third-party cloud security gateway, so as to enhance Internet access security.
			Underlay NAT	-	Allows intranet users with private IP addresses to access public IP addresses on public networks.
			Common QoS	-	When service packets are sent from the LAN side to the WAN side on the underlay network, the common QoS is recommended to limit the bandwidth of applications or traffic.
			NAT ALG	-	NAT can be performed for specific application-layer protocols.
			Dynamic QoS	-	Relieves congestion for key service assurance.
			Redirection	-	Redirection policies can be configured on EVPN tunnel interfaces, interworking tunnel interfaces, and LAN interfaces.
			Broadcast packet forwarding	-	Enables a device to receive and forward directed broadcast packets.
		Application management	Customized application	-	The console can identify traffic of common applications using its built-in application signature database. When predefined applications cannot meet the requirement, users can create such applications based on their signatures. There are three application types: SA, Domain Name, and Advance Rule.
		Application management	Application group	-	Allows users to create an application group to match application traffic to be identified.
	Network monitoring	WAN site interconnection	Link traffic	-	Allows users to view the link traffic distribution chart and top 10 applications by traffic. Allows users to view the throughput trend, bandwidth usage trend, and LQM trend by time range.
			Link quality	-	Allows users to view link quality data, including the LQM trend, delay change trend, jitter change trend, and packet loss rate change trend.
			SPR switchover	-	Allows users to view the SPR switchover statistics of the selected site.
			Application	-	Allows users to view the application quality and the quality of the link where the application traffic is forwarded, throughput trend, and uplink and downlink bandwidth usage trend.
			FEC	-	Allows users to view the optimization effect after WAN optimization.
		Application monitoring	-	-	Allows users to view application information, application AQM, statistics ranking, details about applications between network-wide sites, and performance trends.
(*): The feature needs to be operated on the GUI of iMaster NCE-Campus.