Contents 1 Network Management Status and Challenges 2 Huawei eSight Management Features 3 Success Stories
Multi-Vendor Devices and Multiple NMSs Increase Network Management Costs Management system Network resources Costs The styles and operating graphical user interfaces (GUIs) of different NMSs are different, increasing costs on learning how to use these NMS products. Various NMSs cannot be associated. A third-party NMS can monitor devices from multiple vendors but cannot manage them in a unified manner.
New Information Technologies Bring Challenges to the IT Management Department The video quality is poor. Network administrators and system administrators work together to locate network problems. I cannot receive Emails. I cannot connect to the ERP. O&M personnel The network negatively affects my work. • A stable and reliable network is necessary for routine operation of enterprise business.
Frequent Network Attacks Threaten Network Security • In 2011, 819 information leakage events were reported globally, with a total loss of 20 billion US dollars. • Network attacks result in a total loss of 111 billion US dollars globally. • The average loss of each electronic document leakage is 500,000 US dollars for Fortune 1000 enterprises. • According to statistics from the Ministry of State Security, 63.6% of Chinese enterprise networks face high risks, and the loss caused by information security problems reaches 10 billion US dollars every year. What are the threats to and potential risks on the network? Enterprise network
Contents 1 Network Management Status and Challenges 2 Huawei eSight Management Features 3 Success Stories
Huawei eSight Management Features Huawei eSight Unified Network Management System Protecting enterprise investments • Unified management of multi-vendor devices • Unified platform and quick expansion Improving O&M efficiency • Fast network deployment • Visible daily maintenance • Efficient troubleshooting Improving network security • Visible network status • System security hardening • O&M monitor and audit
Protecting Enterprise Investments • Unified management of multi-vendor devices • Unified platform and quick expansion
Management Capability for Multi-Vendor Devices Multi-Vendor and Multi-Type Devices • Multiple vendors: Devices on the network are from multiple vendors, such as Huawei, Cisco, and H3C. • Multiple types: Security devices, WLAN devices, switches, routers, servers, and printers. Can eSight manage them uniformly? Quick Adaptation Based on Best Practices 1 month for one device type, in four steps: • Preparation • Adaptation package development • Test • Acceptance and release There are various types of devices on the network, including switches, routers, WLAN devices, and firewalls. • Basic device management capability: manufacturer, device type, device version, interface information, performance, and panel • Link discovery • Universal alarms • Configuration file management • Clients use tools to obtain MIB objects about devices to be managed.
Unified Platform Allows for Quick Expansion Flexibly Select Required Components "I am using eSight to manage my network. In the future, my network needs to support BYOD. Can eSight manage WLAN?" Unified platform + Components (select as required): • WLAN management • VPN management • DC management • NTA management • SLA management (packet loss rate, jitter, and latency) • …… AppBase Platform B/S architecture eSight
Improving O&M Efficiency • Fast network deployment • Visible daily maintenance • Efficient troubleshooting
Batch Configuration Improves Working Efficiency
Through commands:
    system-view
    interface XGigabitEthernet 0/0/1
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
    quit
• Memorize a large number of commands
• Configure one device each time, low O&M efficiency
VS
Use the smart configuration tool (batch delivery to multiple devices):
• You only need to change parameter values.
• Do not need to memorize commands
• Support batch configuration
When command line-based configuration is used, it takes 2 days for Huawei IT engineers to configure 300 switches. eSight can complete configuration of 300 switches within 2 hours.
Wizard Facilitates Service Configuration Configuration List AP authentication mode Forwarding mode of user data MTU value of Ethernet ports Log backup mode Server IP address for log backup Radio mode Rate mode Rate Channel management mode Power management mode …………. Deploy APs. Configure templates. Select APs. Configure the AC. Select the AC. • The AC and APs are deployed dispersedly. • There are a large number of APs. • The configuration is complex. AC Switch PoE switch AP AP AP Deployment of 100 APs is shortened from 100 minutes to 10 minutes.
Topology-Centric Management Meets Daily Monitoring Demands All information you want can be displayed on the topology. • Zoom in on the device icons in focus. • Highlight the links in focus. • Display bandwidth usage. • Mark links consuming different bandwidth with different colors. • Display access terminal information. • Display device and link traffic. eSight Automatic scanning Topology setup Topology display Right-click items on the topology to display various information, which simplifies management.
SVF: One Device = One Network Super Virtual Fabric
Visibly Display Service Information from Multiple Aspects Visualized Wireless Coverage Status Visualized Wired and Wireless Connection Status Visualized coverage holes AC Visualized collision domains PoE AP Visualized interference sources Visualized channel signal quality Visualized channel interference strength Visualized channel usage Spectrum Analysis
Collaborative Management and Information Sharing Skill Transfer Experience Sharing Sharing Experienced administrators Commands Share maintenance experience. Alarm knowledge base Maintenance experience + Command template Using You only need to change parameter values. Common administrators Administrators share O&M experience with each other, improving management efficiency.
Automatic Monitoring Discovers Network Problems in Advance Device performance (CPU and memory) exceeding threshold Sound Email SMS Automatic collection Packet loss rate, Jitter and latency exceeding threshold Automatic detection eSight Bandwidth usage Automatic monitoring Automatic discovery Unauthorized terminal access, MAC or IP address interception
Network Quality Awareness, Service Experience Diagnosis eSight Provides Service Experience-oriented Diagnosis 1. Emulation test before service provisioning Before services are provisioned, no effective quality evaluation method is available to determine whether the network can support new services. 2. Real-time quality measurement after service provisioning After services are provisioned, no method is available to guarantee user experience and easily locate faults. DC LAN Challenges of cloud computing and BYOD: How can user experience be guaranteed when user traffic is transmitted over the entire network? WAN eSight
Before Service Provisioning: Emulation Test Measures That Network Quality Meets Service Requirements Service WAN Audio EF (delay-sensitive service) Carrier network Requirement 1. Before provisioning new services, you need to conduct an emulation test to measure whether network quality meets service requirements. 2. Before adjusting policies to guarantee service quality, you need to evaluate quality of the bearer network. Solution eSight displays the packet loss ratio, delay, and jitter based on the emulation test. Video AF (key data services that require assured bandwidth) Data BE (best-effort services that require no strict QoS assurance)
Industry-leading Technology: Real-Time Measurement Guarantees High-Quality User Experience
(Diagram labels: eSight, DC, LAN, WAN, A1, A2, B1, B2)
Step 1: Define the service flow characteristics.
    acl number 3888
     rule 1 permit ip destination 10.112.7.1 0
     ……
     rule 237 permit ip destination 10.72.54.61 0
Step 2: Collect packet statistics.
    Classifier: test2 operator or if-match ACL 3888
    Last 30 seconds rate 379 pps, 1,662,392 bps
Step 3: Analyze packet loss causes.
• iPCA solution
  • Collects statistics on real service packets.
  • Performs end-to-end path measurement to quickly locate faults.
• Traditional solution: troubleshooting segment by segment based on packet statistics
  • Defines the service flow characteristics segment by segment.
  • Collects and analyzes packet statistics segment by segment.
  • Locates the faulty points based on the packet statistics analysis results.
One-Click Fault Diagnosis Improves Troubleshooting Efficiency – BYOD O&M engineer must go to the employee's work place for troubleshooting because simple instruction over a telephone cannot rectify the fault. Fail to connect to the wireless network. Open WLAN Diagnostic Tools and choose iDesk > Tools. Get a snapshot and send it to the O&M engineer. Employee O&M engineer O&M personnel do not need to go to the employee's work place to rectify faults. Users can use WLAN Diagnostic Tools to rectify various network faults on their terminals by themselves. For example, employees can use the tool to check their operating system versions, wireless network adapter settings, and system service settings.
One-Click Fault Diagnosis Improves Troubleshooting Efficiency – BYOD 25% of the faults are related to the wireless network and are difficult to locate. SSID High channel utilization may result in a low network speed. Solution Analyze the user, SSID, AP, and AC through one-click diagnosis to locate the fault. AP Too many users have connected to the current AP; therefore, requests from other users are rejected.
One-Click Fault Diagnosis Improves Troubleshooting Efficiency – Network MPLS VPN Representative office Representative office PE1 PE2 CE1 CE2 CE1 and CE2 cannot ping each other. • One-click diagnosis: • Links between CEs and PEs • Links on the backbone network • MPLS VPN tunnel • Public network route
One-Click Fault Diagnosis Improves Troubleshooting Efficiency – Network IPSec tunnel Headquarters Branch Internet • Interface status at two ends • Whether IPSec policies are applied to interfaces • Whether a device initiates IPSec negotiation • IPSec policy integrity • IKE negotiation result • IPSec negotiation result
Improving Network Security • Visible network status • System security hardening • O&M monitor and audit
Refined Policy Management Improves Network Security and Firewall Efficiency
After a device runs for a period, there are hundreds or even thousands of policies on the device. Administrators only add policies and do not delete them.
Solution
• Policy redundancy analysis: Included (can be deleted); Overlapping (can be optimized). (Diagram labels: Policy 1, Policy 2, Policy 3, Policy 4)
• Policy matching analysis: Policy 3 has a low matching rate; therefore, it can be placed after policy 4.
    policy 3 ** (Matched 0 times)
    policy 4 ** (Matched 1000 times)
• Policy risk analysis
    policy 5 ** destination ip any action permit (The destination addresses defined in this policy are of a large range.)
    policy 6 ** destport 80 action permit (There is a high risk that packets sent and received by port 80 are not encrypted.)
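The three analyses on this slide (redundancy, matching, risk), as an added Python example that is not eSight code and not part of the original deck. It assumes first-match policy evaluation, IPv4 CIDR source and destination, one destination-port range per policy, and a constructed policy table; the `Policy` fields and function names are hypothetical. It proposes a reorder only when the swap cannot change any verdict, a condition the slide leaves implicit.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Policy:
    name: str
    src: str      # IPv4 CIDR; ANY matches every address
    dst: str
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "permit" or "deny"
    hits: int     # match counter read from the device

def _nets(p):
    return ip_network(p.src), ip_network(p.dst)

def covers(p, q):
    """True if every packet that matches q also matches p."""
    (ps, pd), (qs, qd) = _nets(p), _nets(q)
    return (qs.subnet_of(ps) and qd.subnet_of(pd)
            and p.ports[0] <= q.ports[0] and q.ports[1] <= p.ports[1])

def overlaps(p, q):
    """True if at least one packet matches both p and q."""
    (ps, pd), (qs, qd) = _nets(p), _nets(q)
    return (ps.overlaps(qs) and pd.overlaps(qd)
            and p.ports[0] <= q.ports[1] and q.ports[0] <= p.ports[1])

def redundancy(policies):
    """First-match order: a policy included in an earlier one never matches."""
    found = []
    for i, q in enumerate(policies):
        for p in policies[:i]:
            if covers(p, q):
                found.append(("included", q.name, p.name))
                break
            if overlaps(p, q):
                found.append(("overlapping", q.name, p.name))
    return found

def reorder_candidates(policies):
    """Adjacent pairs where the busier policy sits second and a swap cannot
    change any verdict (same action, or no packet matches both)."""
    return [(q.name, p.name) for p, q in zip(policies, policies[1:])
            if q.hits > p.hits and (p.action == q.action or not overlaps(p, q))]

def risks(policies):
    """Permit policies with an unrestricted destination or that admit port 80."""
    found = []
    for p in policies:
        if p.action != "permit":
            continue
        if ip_network(p.dst).prefixlen == 0:
            found.append((p.name, "wide-destination"))
        if p.ports[0] <= 80 <= p.ports[1]:
            found.append((p.name, "cleartext-port-80"))
    return found

# Constructed sample policy table (not taken from a real device).
SAMPLE = [
    Policy("policy 1", "10.0.0.0/8", "192.168.10.0/24", (443, 443), "permit", 500),
    Policy("policy 2", "10.1.0.0/16", "192.168.10.0/24", (443, 443), "permit", 0),
    Policy("policy 3", "10.0.0.0/8", "172.16.1.0/24", (22, 22), "permit", 0),
    Policy("policy 4", "10.0.0.0/8", "172.16.2.0/24", (22, 22), "permit", 1000),
    Policy("policy 5", "10.0.0.0/8", ANY, (8443, 8443), "permit", 20),
    Policy("policy 6", "10.0.0.0/8", "192.168.20.0/24", (80, 80), "permit", 10),
    Policy("policy 7", "10.1.0.0/16", "192.168.0.0/16", (443, 443), "permit", 5),
]

if __name__ == "__main__":
    for finding in redundancy(SAMPLE) + reorder_candidates(SAMPLE) + risks(SAMPLE):
        print(finding)
```

A policy reported as "included" under an earlier policy with a different action is also dead, but it signals a rule that was meant to take effect and never has, so review it before deleting.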
Massive Logs Help Quickly Locate Network Vulnerabilities Massive logs: Logs are in different formats and of poor readability. (Diagram labels: Hacker, Trojan horse, Virus; Switch, Router, Host, Firewall, Database and other applications; Enterprise network) Log analysis • What are the attacks affecting the system currently? • What viruses can the system defend against? • Which device is frequently attacked and what are the attacks? Comprehensive security service analysis: DDoS attack event analysis, plug-in block analysis, access control event analysis, policy matching analysis, IPS analysis, URL filter analysis, and email filter analysis
Security Defense from Multiple Aspects Makes the System More Secure Device Communication Security Server Side Security Access Side Security Encryption between clients and servers Web security Hardening Communication encryption Managed network Database encryption Uses an ACL to control administrator access. SSHv2/SSLv3/SNMPv3 1:1 dual server backup Managed network Hacker Provides a list of ports. Enables corresponding ports on the firewall. Managed network Operator Hardening Virus Installs an antivirus library on the operating system. • eSight provides a three-stage communication protection mechanism to ensure network security. Secondary eSight server Primary eSight server
Monitoring During the Entire O&M Process Reduces Internal Leaks Problems of Traditional O&M • Internal O&M personnel have opportunities to know enterprises' key information, increasing information leak risks. • Users share accounts with each other and their behaviors are not recorded, making it difficult to determine responsible persons. • Hospitals leak information about patients and newborn babies. Hotels leak customer booking information. Carriers leak recharge card information. Solution Monitoring During the Entire O&M Process • Monitors operations on the CLI, GUI, and databases and supports screen recording and screen cutting. • Makes policies in advance so that the system can automatically inform users of the risks and block high-risk operations. Flexible Audit Helps Detect Illegal Operations • Combinatorial research and variable speed replay (x 2, x 4, and x 8 times) • Text abstracting from videos and video content searching through texts (Figures: real-time monitoring interface; graphical user interface)
Contents 1 Network Management Status and Challenges 2 Huawei eSight Management Features 3 Success Stories
Bank of Brazil eSight Monitors Network Quality • Background • Bank of Brazil has branches sparsely distributed across a wide geography. • The bank network transmits traffic from a diverse set of devices. • The bank had rolled out a VoIP service but its quality was poor. The VoIP device manufacturer claimed that the poor quality was not the fault of the devices. • Solution • Huawei used the eSight SLA module to monitor the bank network and carried out testing on the voice quality using Huawei VoIP devices. • The eSight produced results showing that the quality of the bank network needed improving. • The eSight regularly monitored KPIs (such as latency, jitter, and packet loss). It sent alarms of potential performance deterioration to help the customer troubleshoot and optimize the network. • Benefits to the customer • The eSight is able to visualize network quality for both customer and leased networks and provides a professional easy-to-use solution to help customers build high-quality networks that deliver high-quality services.
BovenIJ Hospital eSight Platform for IT-Enabled Healthcare System • Background • With IT playing an increasingly important role in day-to-day healthcare operations, BovenIJ was seeking a vendor that could offer a reliable network solution that implements unified management and reduces operation and maintenance (O&M) costs. • The two most important factors for BovenIJ were: • Simple management and operation • Interoperability and compatibility • Solution • The eSight is a lightweight NMS that uses a browser/server architecture. • The system's modular design allows for flexible deployment options for different enterprise network scenarios. • The eSight manages devices from multiple vendors using different adaptation packages. • Easy secondary development. • The eSight supports unified management of wired network devices and WLAN devices. • Benefits to the customer • With eSight, BovenIJ can monitor network devices in real time and prevent faults through a clear understanding of network status. The system helps locate and rectify faults quickly through an alarm topology linkage. • These features significantly reduce the cost and complexity of network maintenance and help ensure reliable operation of the BovenIJ healthcare network.
Local Taxation Bureau in Guizhou Province eSight Secures Network Management • Background • The local taxation bureau of Guizhou province constructed a three-level (provincial, municipal, county) WAN and required an easy-to-use and stable management platform to monitor and manage all security devices, routers, and switches on the WAN in a unified manner. • The customer wanted to monitor branch bandwidth utilization and application traffic distribution and direction on links to find the bottleneck on the WAN and ensure stable running of key services. • Solution • Hierarchical network management: Deploys a professional version eSight on the provincial network center and a standard version eSight on each municipal or county network, so headquarters administrators can know the branch network status while the headquarters and branches manage devices on their own network. Manages user access permissions based on their rights and domains, making network management more secure. • Traffic analysis: Monitors WAN links between the provincial network center and each municipal or county network to detect abnormal traffic and unauthorized applications in a timely manner, ensuring bandwidth for and stable running of key services. Provides various traffic reports and sends reports to network administrators through emails, so network administrators can know long-term traffic and application distribution in each branch and obtain professional and accurate statistics for network optimization and planning. • Simple and effective O&M: Supports device import, addition, and configuration in a batch to significantly improve O&M efficiency. • Benefits to the customer • The solution simplifies O&M by deploying eSight separately on the provincial network center and each municipal or county network, and reduces maintenance workloads through hierarchical and unified network management.
• The solution provides visible traffic statistics for troubleshooting and network planning by using the traffic analysis function to monitor key WAN links.
People's Procuratorate of Shanxi Province eSight Serves on the Dedicated Line • Background • The dedicated line for Shanxi province procuratorate institutions connects the provincial procuratorate and several municipal and county procuratorates. An effective, stable, and secure procuratorate dedicated line and data center with unified standards is required. The dedicated line and data center must support triple play services including voice, video, and data, and provide a high-quality application support platform for various service application software used by national procuratorate institutions. • High security must be ensured to prevent intrusion of unauthorized users, virus attacks, or information leakage. • High reliability must be ensured through device redundancy or link backup, so the system can restore within the shortest period. • Solution • Hierarchical network management: Deploys a professional version eSight on the provincial procuratorate and a standard version eSight on each municipal or county procuratorate, so headquarters administrators can know branch network status while the headquarters and branches manage devices on their own network. Manages user access permissions based on their rights and domains, making network management more secure. • Supports visible MPLS VPN management. Automatically discovers VPN services and displays service status. Provides various diagnosis tools to help administrators quickly locate faults. • Benefits to the customer • eSight provides hierarchical network management tailored for a specified enterprise structure to guarantee management security. • The solution uses visible VPN management and one-click fault diagnosis to help administrators effectively manage VPNs and ensure key services of the enterprise.
Huawei IT Data Center eSight Builds an IT Data Center for Huawei's Global Employees • Background • Huawei has many global branches which lease carrier bandwidth to implement inter-WAN communication and transmit wireless services. Network traffic analysis is required to analyze traffic trends and detect unauthorized abnormal traffic to ensure normal running of branch networks and prevent useless investment. • Quality of key applications such as voice and video on regional networks must be ensured. • The IT data center wants to locate unauthorized terminals and prevent their access to ensure enterprise security. • Solution • Comprehensive quality monitoring: Huawei eSight uses an E2E quality monitoring system to monitor a regional network or networks in an area, identify network faults, and rectify faults by one-click operation. eSight sends alarms when the packet loss ratio, delay, or jitter values exceed the upper threshold; therefore, network administrators can know the service quality in real time. • Integrated wired and wireless management: Quickly deploys WLAN networks, uniformly manages wired and wireless devices on the network including about ten thousand APs, and uses a unified topology to facilitate fault locating. • Traffic analysis: Monitors worldwide WAN egress traffic to know the traffic trends and detect abnormal traffic. • Intrusion and interference management: Identifies key interference sources, takes measures to prevent interfering signals, and disconnects unauthorized APs and users. • Benefits to the customer • The terminal management function of eSight is used to implement integrated network, terminal, and user management. The solution can monitor networks in real time and prevent access of users or terminals with invalid IP addresses. • The solution displays network traffic trends, reduces bandwidth congestion, and optimizes network planning through traffic monitoring.
Prison Administration Bureau of Liaoning Province eSight Delivers Multi-Vendor Management • Background • The prison project involved multiple types of devices, including video, service, and data devices. • The prison backbone network used ZTE devices, which caused testing difficulties. • NMS was recognized as the key to project success. • Solution • eSight is capable of managing devices of multiple vendors. • It automatically discovers SNMP-capable devices, such as routers and switches, across the whole network. This includes ZTE devices. • Provides highly visible colored panels that identify third-party devices and port status. • Integrates common tools such as Telnet, Trace, and Ping, which enable users to directly log in to devices and perform tests. • Supports customized device types and provides performance counters (such as the CPU, memory usage, and interface traffic) and fault information for third-party devices. • Displays third-party device alarms in real time and uses different colors to identify the alarm clearance status. • Supports predefined reports such as resource, performance, alarm information, link connection and disconnection, and device connection and disconnection. • Benefits to the customer • eSight can manage devices of multiple vendors in a unified manner, which reduces enterprise O&M costs and creates value for the enterprise.