
XXX Project

HUAWEI National Distributed Cloud Data Center
Technical Proposal

Issue 01

Date 2015-08-19

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://enterprise.huawei.com

Issue 01 (2015-01-19) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
XXX Project
HUAWEI ManageOne Technical Proposal About This Document

About This Document

1. This document is the technical proposal template for the HUAWEI National Distributed Cloud Data Center platform and provides comprehensive information. Modify the content to match the project requirements.
2. Content in this document is in blue, green, or black.
- Content in blue is prompt information, which must be deleted before this document is presented to customers.
- Content in green is example content, which must be modified for each project.
- Content in black is essential information, which can be used directly or modified to match the project requirements.
3. A technical proposal must be prepared for a specific project; otherwise it reads like a product overview. Therefore, add project-specific information when using this template.
4. This template is for the HUAWEI National Distributed Cloud Data Center.


Contents

About This Document .................................................................................................................... ii


1 XXX Project Overview .................................................................................................................. 9
1.1 Background ................................................................................................................................................................... 9
1.1.1 The importance of ICT development ......................................................................................................................... 9
1.1.2 The connection between ICT development and social development ......................................................................... 9
1.1.3 The necessity of National Data Center construction ................................................................................................ 10
1.1.4 National ICT trend and National Distributed Cloud Data Center technology trend ................................................ 11
1.1.4.1 ICT trend of developing region ............................................................................................................................ 11
1.1.4.2 Technical trends of ICT industry .......................................................................................................................... 12
1.1.4.3 Data center construction trend .............................................................................................................................. 13
1.1.4.4 Data center technology trend ................................................................................................................................ 13
1.2 Project Objectives ....................................................................................................................................................... 14
1.2.1 For government ........................................................................................................................................................ 14
1.2.2 For data center service provider ............................................................................................................................... 14
1.2.3 For users .................................................................................................................................................................. 14
1.3 Project Scope .............................................................................................................................................................. 15
1.4 Project Solution Design Principles ............................................................................................................................. 15
1.5 Customer Benefits ...................................................................................................................................................... 16

2 Requirements Analysis .............................................................................................................. 17


2.1 Application Requirements ........................................................................................................................................... 17
2.1.1 e-Government .......................................................................................................................................................... 17
2.1.2 e-Education .............................................................................................................................................................. 17
2.1.3 e-Health ................................................................................................................................................................... 17
2.1.4 e-Social Insurance ................................................................................................................................................... 17
2.1.5 e-Police .................................................................................................................................................................... 18
2.2 Management Requirements ........................................................................................................................................ 18
2.3 Computing and Storage Platform Requirements ........................................................................................................ 18
2.4 Network Platform Requirements ................................................................................................................................ 18
2.5 Infrastructure Requirements ....................................................................................................................................... 19
2.5.1 Server requirements ................................................................................................................................................. 19
2.5.2 Storage requirements ............................................................................................................................................... 19
2.6 Facility Requirements ................................................................................................................................................. 20


2.7 Security Requirements ................................................................................................................................................ 20


2.8 Backup requirements .................................................................................................................................................. 21

3 HUAWEI National Distributed Cloud Data Center Solution ............................................ 22


3.1 Challenges to NDC2 Construction............................................................................................................................... 22
3.2 NDC2 Solution Architecture ........................................................................................................................................ 23
3.3 NDC2 Solution Highlights........................................................................................................................................... 24
3.3.1 Unified Management of Multiple Resource Pools ................................................................................................... 25
3.3.2 Employs the open architecture. ................................................................................................................................ 25
3.3.3 Ensures end-to-end security ..................................................................................................................................... 25
3.3.4 VDC Management Enables Users to Have Exclusive Data Centers ........................................................................ 25
3.3.5 VPC Management Meets Network and Security Requirements of All Applications ............................................... 26

4 Application Solution .................................................................................................................. 27


4.1 Overall Solution Design.............................................................................................................................................. 27
4.2 e-Education Solution .................................................................................................................................................. 27
4.2.1 Challenge ................................................................................................................................................................. 27
4.2.2 Overall Architecture .................................................................................................................................................. 28
4.2.3 Application Service .................................................................................................................................................. 28
4.2.4 Resource sharing & Teaching interaction ................................................................................................................ 29
4.2.4.1 Software System Design ....................................................................................................................................... 29
4.2.4.2 System Function ................................................................................................................................................... 29
4.2.5 Digital Library & Assisted learning ......................................................................................................................... 31
4.2.5.1 Software System Design ....................................................................................................................................... 31
4.2.5.2 System Function ................................................................................................................................................... 31
4.2.6 Expert teaching & Video broadcast ......................................................................................................................... 34
4.2.6.1 Software System Design ....................................................................................................................................... 34
4.2.6.2 System Function ................................................................................................................................................... 34
4.2.7 Educational Web Disk.............................................................................................................................................. 36
4.2.7.1 Software System Design ....................................................................................................................................... 36
4.2.7.2 System Function ................................................................................................................................................... 36
4.2.8 Customer Benefits ................................................................................................................................................... 39
4.3 e-Health Solution ........................................................................................................................................................ 39
4.3.1 Introduction to the e-Healthcare Solution ................................................................................................................ 39
4.3.2 Epidemic Reporting System .................................................................................................................................... 41
4.3.2.1 Case Information Management ............................................................................................................................. 42
4.3.3 Drug Monitoring System ......................................................................................................................................... 43
4.3.3.1 Drug Warehousing Management System .............................................................................................................. 43
4.3.3.2 Drug Transportation and Distribution Management ............................................................................................. 43
4.3.3.3 Medical Logistics Management Report Analysis ................................................................................................. 43
4.3.4 Healthcare Collaboration Platform .......................................................................................................................... 43
4.3.4.1 Teleconsultation Management System ................................................................................................................. 45
4.3.4.2 Videoconferencing System ................................................................................................................................... 45


4.3.4.3 Medical Record Collection System ...................................................................................................................... 45


4.3.4.4 Remote Specialist Diagnosis System .................................................................................................................... 46
4.3.4.5 Distance Education System .................................................................................................................................. 46
4.3.4.6 Remote Digital Resource Sharing......................................................................................................................... 47
4.3.4.7 Two-way Referral and Remote Appointment System ........................................................................................... 47
4.3.4.8 Remote Monitoring System .................................................................................................................................. 47
4.4 E-Police Solution ........................................................................................................................................................ 48
4.4.1 Design of the Overall Project................................................................................................................................... 48
4.4.1.1 Sensor Layer ......................................................................................................................................................... 49
4.4.1.1 Transmission Layer............................................................................................................................................... 49
4.4.1.2 Infrastructure Layer .............................................................................................................................................. 49
4.4.1.3 Support Application Layer .................................................................................................................................... 49
4.4.1.4 Application Layer ................................................................................................................................................. 50
4.4.2 Crime Information System ....................................................................................................................................... 50
4.4.2.1 System Overview .................................................................................................................................................. 50
4.4.2.2 Needs analysis ...................................................................................................................................................... 50
4.4.2.3 Business overview ................................................................................................................................................ 50
4.4.2.4 Data flow diagram ................................................................................................................................................ 53
4.4.3 Human Resource Management System ................................................................................................................... 53
4.4.4 Fleet and Vehicle Tracking Management System .................................................................................................... 55
4.4.4.1 System overview................................................................................................................................................... 55
4.4.5 National Asset Management System ....................................................................................................................... 55
4.4.6 Detention Management System ............................................................................................................................... 56
4.4.7 Access Control System ............................................................................................................................................ 56
4.4.8 Lost & Found Asset Control System ....................................................................................................................... 56
4.4.9 Firearm Management System .................................................................................................................................. 56
4.4.10 C.I.D Vehicle Theft Squad (Car Tracking System) ................................................................................................ 56
4.4.11 Records management system ................................................................................................................................. 57
4.4.12 National crime records management system ......................................................................................................... 57
4.4.13 Criminal Intelligence and Profiling System ........................................................................................................... 57

5 Management Solution ................................................................................................................ 58


5.1 ManageOne Solution Architecture .............................................................................................................................. 58
5.2 Key features ................................................................................................................................................................ 60
5.2.1 Unified Management of Multiple Resource Pools ................................................................................................... 61
5.2.2 VDC Management Enables Users to Have Exclusive Data Centers ........................................................................ 62
5.2.3 VPC Management Meets Network and Security Requirements of All Applications ............................................... 63
5.2.4 Application Lifecycle Management Simplifies Application Management .............................................................. 63

6 Computing Platform Solution .................................................................................................. 65


6.1 Virtualization Platform Design ..................................................................................................................................... 65
6.2 Resource Management and Monitoring ...................................................................................................................... 66
6.3 Key Features ............................................................................................................................................................... 68


7 Network Platform Solution ....................................................................................................... 71


7.1 NDC2 Network Logical Architecture .......................................................................................................................... 71
7.2 NDC2 Network Physical Architecture......................................................................................................................... 72
7.2.2 Network Layer Design ............................................................................................................................................. 74
7.2.3 Network Plane Design ............................................................................................................................................. 74
7.2.4 Network Functional Area Design............................................................................................................................. 75

8 Storage Platform Solution ......................................................................................................... 76


8.1 Virtualization Platform Design (FusionStorage) ........................................................................................................ 76
8.2 Deployment Plan (FusionStorage) .............................................................................................................................. 79
8.3 Key Features (FusionStorage) .................................................................................................................................... 81
8.3.1 Linear and Flexible Scalability ................................................................................................................................ 81
8.3.2 High Performance .................................................................................................................................................... 81
8.3.3 Robust Reliability .................................................................................................................................................... 82
8.3.4 Rich Advanced Storage Functions ........................................................................................................................... 82
8.3.5 Simplified O&M Management ................................................................................................................................ 82
8.3.6 Support for a Wide Range of Storage Media, Cache Media, and Networking Modes ............................................. 82
8.3.7 Compatibility with a Diversity of Hypervisors and Applications ............................................................................ 83
8.3.8 Support for Server Authentication ........................................................................................................................... 83
8.4 Storage solution (SAN storage solution) .................................................................................................................... 83
8.5 Specifications of SAN Storage ................................................................................................................................... 86
8.6 Key Features(SAN Storage Solution) ......................................................................................................................... 88
8.6.1 Converged ................................................................................................................................................................ 88
8.6.2 Intelligent ................................................................................................................................................................. 89
8.6.3 Industry-Leading Hardware ..................................................................................................................................... 89
8.6.4 Unified Storage Management Software ................................................................................................................... 89

9 Infrastructure Solution............................................................................................................... 90
9.1 Computing Resource Planning ................................................................................................................................... 90
9.1.1 Server Requirements ................................................................................................................................................ 90
9.1.2 Server Selection ....................................................................................................................................................... 91
9.1.3 Server Quantity Planning ......................................................................................................................................... 91
9.2 Network Resource Planning ....................................................................................................................................... 94
9.2.1 Switch Requirements ............................................................................................................................................... 94
9.2.2 Switch Selection ...................................................................................................................................................... 94
9.2.3 Switch Quantity Planning ........................................................................................................................................ 94
9.3 Storage Resource Planning ......................................................................................................................................... 94
9.3.1 Storage Requirements .............................................................................................................................................. 94
9.3.2 Storage Selection ..................................................................................................................................................... 94
9.3.3 Storage Capacity Planning ....................................................................................................................................... 98

10 Security Solution ....................................................................................................................... 99


10.1 Security Architecture ................................................................................................................................................ 99


10.2 Physical Facility Security Design ........................................................................................................................... 100


10.3 Network Security Design ........................................................................................................................................ 102
10.3.1 Division of Security Zones .................................................................................................................................. 103
10.3.2 Network Security Infrastructure Design .............................................................................................................. 106
10.4 Host Security Design .............................................................................................................................................. 108
10.4.1 Host Security Threats........................................................................................................................................... 108
10.4.2 Antivirus Design .................................................................................................................................................. 109
10.5 Virtualization Security ............................................................................................................................................ 110
10.5.1 Virtualization Security Threats ............................................................................................................................ 110
10.5.2 Function Design ................................................................................................................................................... 111
10.6 Data Security Design .............................................................................................................................................. 112
10.7 Scenario Security Design ........................................................................................................................................ 113

11 Backup Solution ...................................................................................................................... 115


11.1 Backup solution overview ....................................................................................................................................... 115
11.2 Solution features ..................................................................................................................................................... 117
11.3 Backup capacity design........................................................................................................................................... 118

12 Disaster recovery solution ..................................................................................................... 119


12.1 DR Solution Basis and Principles ........................................................................................................................... 119
12.1.1 DR Indicators ....................................................................................................................................................... 119
12.1.2 Classification of Service Systems ........................................................................................................................ 119
12.2 DR Solution ............................................................................................................................................................ 121
12.2.1 Architecture.......................................................................................................................................................... 122
12.2.2 Storage Layer Solution ........................................................................................................................................ 123
12.2.2.1 Synchronous Replication .................................................................................................................................. 123
12.2.2.2 Asynchronous Replication ................................................................................................................................ 125
12.2.2.3 Primary and Secondary Switchover .................................................................................................................. 126
12.2.3 Database Layer Solution ...................................................................................................................................... 126
12.2.3.1 Technical Overview .......................................................................................................................................... 126
12.2.3.2 Data Guard Transport Services ......................................................................................................................... 128
12.2.3.3 Protection Modes .............................................................................................................................................. 129
12.2.3.4 Application Scenarios ....................................................................................................................................... 129
12.2.3.5 Networking Architecture .................................................................................................................................. 130
12.3 ReplicationDirector Management ........................................................................................................................... 130
12.4 Key Features ........................................................................................................................................................... 131

13 NDC2 Solution Advantages and Values ............................................................................. 132


13.1 Diverse Applications&Cloud Services ................................................................................................................... 132
13.2 Open Architecture ................................................................................................................................................... 132
13.3 Unified Management .............................................................................................................................................. 133
13.4 Security and safe information center ...................................................................................................................... 133
13.5 Strong Integration Delivery Capabilities ................................................................................................................ 133


14 NDC2 Resource Plan ............................................................................................................... 135


15 Best Practice References ......................................................................................................... 137
15.1 Best Practice Reference of e-Policy ........................................................................................................................ 137
15.1.1 Venezuela Safe City National DC ........................................................................................................................ 137
15.1.2 China Hefei Safe City Data Center ...................................................................................................................... 138
15.2 Best Practice Reference of e-Health ....................................................................................................................... 139
15.2.1 e-Health Solution for Angola ............................................................................................................................... 139
15.2.2 Telemedicine System of the First Affiliated Hospital of Zhengzhou University .............................................. 140
15.3 Best Practice Reference of e-Education .................................................................................................................. 142
15.3.1 Huawei National Data Center Makes Ethiopia Education More Efficient ........................................................... 142

16 Appendix .................................................................................................................................. 144


16.1 Acronyms and Abbreviations .................................................................................................................................. 144


1 XXX Project Overview

1.1 Background
Jordan was one of the first Arab countries to introduce communication technology (CT) into
its economy and also one of the first to introduce information technology (IT) into industry
and the economy. ICT has had a huge and far-reaching impact on the lifestyle, social patterns,
economic development and all other aspects of life of the people of Jordan, who enjoy the
convenience it brings. As living standards improve and the economy develops, the demand for
ICT keeps rising. How to make ICT serve the people of Jordan better and promote Jordan's
economic development is a major challenge.
Today most enterprises in Jordan have fewer than 5 employees and cannot afford to build
their own ICT platform. At the same time, many families have no network connection and
cannot enjoy ICT services. How to make ICT serve them better is a pressing issue. Meanwhile,
the connection between ICT and the medical and tourism industries is still not close enough
to provide proactive and targeted services, and ensuring information security while providing
services is also a major challenge for ICT construction.
The Jordanian government initiated a technology transformation program to rebuild the ICT
infrastructure so that it better serves citizens and enterprises. This program will also bring
live services, through technology and innovation, to the people of Jordan. These services will
help advance Jordan into the future, and the level of service will be raised in order to provide
more proactive services to citizens.

1.1.1 The importance of ICT development


Humanity’s progress has been the story of more – more crops grown, more bricks laid, more
ships built, and the pace of change is accelerating. However, Earth has limits, and so do our
networks. Humanity’s forces of change could potentially exceed them. ICT changes the
equation, by delivering more with less. It can improve efficiencies and transform industries,
while creating better experiences for all.

1.1.2 The connection between ICT development and social development

ICT readiness and usage are key drivers of and preconditions for economic and social
development.


Although ICT is becoming increasingly universal, the question of access and usage remains
important, especially for developing countries, given their need to narrow the digital divide.
Even within developed nations, the need to provide high-speed broadband to all segments of
the population has gained importance in recent years. For example, in Brazil, broadband
has added up to 1.4% to the employment growth rate. In Africa, ICTs directly contribute
around 7% of Africa's GDP, which is higher than the global average.
As shown in the following figure, in low- and middle-income economies, when broadband
penetration rises by 10%, GDP rises by 1.38%. The relationship between ICT drivers and
their impacts is very strong. All countries have realized that an integrated ICT industry will
enhance the competitiveness and creativity of their economies and fuel sustainable growth
of the economy.

Figure 1-1 The connection between ICT development and social development

[Bar chart: percentage-point rise in GDP per 10-percentage-point rise in penetration, for two
series (high-income economies; low- and middle-income economies) across four categories:
fixed, mobile, Internet, broadband.]

Note: The vertical axis is the percentage-point rise in GDP per 10-percentage-point rise in penetration.

Source: World Economic Forum; The Broadband Commission; World Bank

1.1.3 The necessity of National Data Center construction


All of this data and information is centralized in one place: the data center. ICT
investment must begin at the core. Without a robust infrastructure and foundation, anything
built on top of it risks low usage due to poor user experience. Along with this investment
there should be directives that push IT budgets toward cloud-related projects and services.
Data is at the heart of the digital economy, and it needs to be shared, connected, and analyzed
through a robust infrastructure.
Invest in data center construction and broadband construction first; they are the core areas of
ICT.
With the national data center in place, digital government services and the e-Health,
e-Education, e-Travel, e-Business and other industries will generate huge volumes of data and
information.


A new understanding of the future national cloud data center has emerged: the national
development strategy drives the ICT strategy. The ICT strategy is based on ICT intent, and the
ICT architecture and ICT governance support the national development strategy and realize
its targets. The national broadband network and the future national cloud data center are the
key fundamental facilities of the ICT strategy.
This view is a global consensus, as the following examples show:
Information and communication technologies (ICT) play a decisive role. They are the key to
productivity in all industries.

—ICT Strategy of the German Federal Government: Digital Germany 2015


ICT supports all aspects of our national development plan - from sustaining economic
prosperity to promoting human and social development to sustaining the environment for
future generations.

—Qatar National ICT Plan 2015


ICT is one of seven inter-connected pillars for sustainable national development. It is
envisioned that ICT will connect Trinidad and Tobago and play a pivotal role in building a
new economy.

—National ICT Plan of Trinidad and Tobago 2012-2016

1.1.4 National ICT trend and National Distributed Cloud Data Center technology trend
1.1.4.1 ICT trend of developing region
The ICT industry has undergone unprecedented developments over the last year. Continued
upheaval, including an upsurge in over-the-top (OTT) activity, the launch of viable low-cost
smartphones, and major changes in the competitive landscape as a result of partnerships and
mergers, has defined this year in ICT.
2015 will be a year of significant change in ICT, as budgets return to modest growth, driven
by the increasing role of technology in business strategies. Digital change and continuous
modernization are twin challenges for the CIO, who must enable process, product and service
transformation together with business heads while continuing to build a scalable and agile
platform to support growth.
The top ICT trends expected in Africa next year include:
Multiple African governments will drive the provision of Internet access in the year ahead.
There is now widespread acceptance of the importance of telecoms infrastructure in driving
socio-economic development, and governments across the continent will play an increasingly
important role in this respect. Already, objectives such as financial inclusion, public sector
service delivery, and healthcare, have received close attention and seen multiple pilot projects
launched.
The year 2015 will bring about extensive innovation in new business ecosystems.
This is a prominent global trend, but one that has particular application in Africa. Numerous
companies have emerged to address the key challenges faced on the continent, including
power shortages, education, and the limited availability of data. Expect new trends such as
peer-to-peer applications, on-demand services, and infrastructure sharing to establish unique
models in Africa.
OTT players will expand their influence across Africa.
At a global level, OTT players like Google, Facebook and Apple have disrupted the telecoms
landscape, and 2015 will see them expand their influence across Africa. Beyond the continued
cannibalisation of messaging and, increasingly, voice revenues, one can expect the battle for
customers to intensify.
Other trends identified include the growing impact of convergence in the competitive
landscape, the shift from bring your own device to bring your own software, and the
expansion of big data analytics from data collection to full application, bringing with it
improved customer insights and personalization.

1.1.4.2 Technical trends of ICT industry


Customers prefer to be reached through communication channels that they use most often and
are most comfortable with. For today’s customer, their preferred communication channel is
through their mobile device. Companies are beginning to interact with customers through text
messaging and social media platforms like Twitter, Facebook, and Instagram. Buying
products, making payments, and receiving receipts can all be done digitally through a
smartphone or tablet, making it easier for both the customer and the business. Everything
can be stored in the cloud, allowing for easy access to data.
With social media interactions, companies can gain clear insight into their customers’
preferences. There’s more customer communication – we’ve moved past the age of mere
FAQs on websites. Now customers can ask questions on social media and vice versa, and with
mobile devices, these questions can be responded to instantaneously. Not only that, but
companies can also gather information on various other consumer behavior factors, like
buying patterns. The cloud stores all this data and makes analysis easy, helping companies
tailor their marketing campaigns, products, and promotions to best fit their target customers’
preferences.
Technology is constantly changing – the constant upgrades in smartphones are a testament to
this. The convergence of social, big data, and cloud platforms with mobile means that the
innovations being made in the mobile field are also relevant to the other fields and can help
fuel new innovations across the board.
Communication is fundamental to company success, especially among field-based
organizations or organizations with remote workers. With convergence, it’s easy to facilitate
employee to employee communication and manager to employee communication. Mobile
devices make communication more accessible. Office-based social media platforms on mobile
apps are an easy form of communication. The convergence of social, mobile, data, and cloud
increases company collaboration by making it simple and quick to use.
With the use of mobile devices becoming widespread, it makes sense that social, big data, and
cloud solutions would follow. Companies who unite all these fields early will realize the
benefits above, finding that they are able to better serve their customers through increased
levels of customer and company engagement. Convergence heralds the merging of business
and technology, a merge that has already happened and is continuing to happen. By staying on
trend with this convergence, you can ensure that your company is always up to date and able
to provide its customers and employees with the best solutions possible.
Cloud, big data, mobile and social are the four top technical trends of the ICT industry.


1.1.4.3 Data center construction trend


In 2010, the US federal government had 2,094 data centers, and more than 7,000 data centers
are on the books. The government launched the Federal Data Center Consolidation Initiative
(FDCCI) in February 2010 to reduce the number of federal data centers, reduce the cost of
hardware, software, and operations, shift IT investments to more efficient computing
platforms, promote the use of green IT by reducing the overall energy and real-estate
footprint of government data centers, and improve the IT security posture of the government.
As shown in the following figure, the effort saved about US$1.1bn between 2011 and 2013,
and it is expected to save a total of US$5.5bn by 2017.

Figure 1-2 Centralization is the data center development trend

Source: US Government Accountability Office (GAO)

1.1.4.4 Data center technology trend


As shown in the following figure, data center technology is developing very fast: from the
closed, proprietary data center to open hardware, then to virtualization, resource pools,
distributed cloud services, and most recently data center as a service. The architecture
becomes more and more open. An open architecture protects existing investments and makes
it easier to integrate third-party systems in the future. With the development and maturity of
cloud computing and virtualization, the data center is evolving into a service-oriented,
distributed data center.


Figure 1-3 Data center technology trend

1.2 Project Objectives


1.2.1 For government
 Drives productivity and GDP growth
 Drives science and technology innovation
 Creates new sectors and ways of doing business
 Creates high-paying jobs
 Provides digital services and digital contents
 Provides national ICT resources
 Builds up regional ICT resource hub

1.2.2 For data center service provider


 Supports the national ICT strategy
 Launches national ICT projects
 Provides cloud and OTT innovation services
 Builds up an ICT talent and human resource system
 Realizes the enterprise's future-oriented prosperity

1.2.3 For users


 Saves government annual ICT budget
 Increases government service efficiency
 Helps startup companies reduce their initial investment
 Makes citizens' living environment more convenient
 Delivers a high-quality service experience


1.3 Project Scope


The National Distributed Cloud Data Center covers the following scope:
 Typical business applications such as e-Government and e-Education are provided.
 A universal next-generation x86 hardware platform is used, and rack and blade servers
as well as high-performance servers combine to create a high availability (HA)
virtualization computing system.
 A storage system with quick delivery, easy management, and high input/output
operations per second (IOPS) is built.
 A high-bandwidth, low-delay redundant network is built.
 Backup services of different levels and disaster recovery solutions are provided.
 A unified management platform is established to manage the public cloud data center in
a unified manner.
 Green and efficient data center facilities are built.

1.4 Project Solution Design Principles


 Maturity
As mission-critical nodes carrying key services on the Internet, National Distributed
Cloud Data Centers must be highly mature and stable. Cutting-edge servers, storage, and
network devices that have been proven in the field for many years are used on the
underlying layer and interconnected by network links.
 High reliability
The Huawei operation management platform must have high availability and reliability.
Therefore, the operation management platform must use high-availability two-node
cluster technology and traffic control and overload protection mechanisms, adopt a
system reliability architecture design at all levels from hardware to network and
software, provide high-performance data processing and application response
capabilities, ensure the efficient running of all types of applications and databases, and
support access by a large number of users.
 Security
Consider end-to-end security in the overall solution design and ensure secure,
environment-friendly use of resources.
 Open, standard-compliant
The system adopts a service-oriented architecture (SOA) and provides open
application programming interfaces (APIs) to connect to third-party systems. The system
is designed on an open architecture that complies with international and industry
standards and accommodates the mainstream OSs, web middleware, and databases in the
industry, ensuring that the system can be updated and ported as needed.
 Component-based and loosely coupled
Components in the system are loosely coupled. Upgrades and changes of a component
do not affect other components.
 Unified management
Physical and virtual resources in a single data center or in multiple distributed data
centers can be managed in a unified manner.
 Smooth expansion


Designed with high performance and large capacity, the system is scalable and supports a
large number of concurrent users.
 Easy to use
The system provides intuitive graphical user interfaces (GUIs) on which users can easily
find the desired operations and information. Operation steps are properly arranged, and
detailed help information is provided.
Different GUIs are displayed for different roles. Advanced features that are seldom used
are shown as options.
 Green and energy saving
Take energy-saving measures, use green materials and improve resistance to
electromagnetic interference to meet the requirements of today's centralized, hyper-scale
data centers, which are strained by huge power consumption, and reduce CAPEX.

1.5 Customer Benefits


 Diversified application and service offerings
The National Distributed Cloud Data Center can provide diverse applications such as
e-Government, e-Education, e-Police and e-Health. Leveraging these applications can
improve the health of residents, reduce public expenditure, enhance people's happiness,
promote social stability, close the digital gap and improve resource utilization.
 Efficient service deployment in minutes
The National Distributed Cloud Data Center technical architecture based on cloud
computing technology simplifies configurations and shortens the service rollout period
by up to 80%.
 Improved profitability
The National Distributed Cloud Data Center brings higher operating efficiency, lower
energy consumption, and higher resource utilization. This greatly increases ROI. In
addition, an open and professional industry ecosystem is built to protect interest of all
stakeholders and improve risk resistance capabilities.
 Optimized resource utilization
Server, storage, and network resources under the dynamic infrastructure of
cloud-computing-based cloud data centers are virtualized into resource pools using
virtualization technology. As a result, National Distributed Cloud Data Center resources
can be flexibly expanded and elastically scheduled for improved resource utilization.
 Reduced energy consumption
Cloud computing uses the virtualization technology to pool and share hardware
resources. This improves hardware resource utilization and reduces energy consumption
per unit. The resource management platform implements association between IT
equipment and infrastructure, on-demand scheduling, and reduced power consumption
by way of multiple technologies such as dynamic resource scheduling, load balancing,
and distributed power supply management.


2 Requirements Analysis

2.1 Application Requirements


The project has the following application requirements:

2.1.1 e-Government
 Public information portal and service center
 One stop online service for citizens
 ICT strategy based e-government service planning
 Distributed cloud data center resource pool
 End to end security and DR solution
 Unified data center management
 Efficient internal automation office for government

2.1.2 e-Education
 Massive Open Online Courses: set up rich teaching resource libraries and enable sharing
among universities
 Digital library: digitize books, journals and newspapers to expand the scope of
knowledge and the ways of accessing it
 Education cloud disk: provide web-based storage to teachers and students for storing,
backing up and sharing data; realize sharing of high-quality education resources to
maximize their value

2.1.3 e-Health
 EHR: build complete medical records for citizens and share them among healthcare
organizations
 Disease control and prevention: support healthcare organizations at all levels in
reporting certain diseases
 Drug management: monitor the whole distribution process of drugs
 Cloud HIS service: provide HIS service to small hospitals and clinics via the network

2.1.4 e-Social Insurance


 Ministry, province and city three-tier data center architecture
 Unified individual information
 Unified software, consolidated database
 Optimized processes, standardized management
 Unified basic service platform


2.1.5 e-Police
 Crime management, including an alarm receiving and dispatching command center, law
enforcement and crime investigation, etc.
 Public service: gun management, population management, ID management, traffic
management, control of the exit and entry of citizens.
 Administrative management: financial management, human resource management, etc.

2.2 Management Requirements


To ensure stable and efficient operation of systems and applications in the data center, the data
center management platform must meet the following requirements:
 Enables centralized management on the virtualization environment and physical
environment to achieve unified control on data center visualization.
 Implements comprehensive monitoring and management on operating systems,
middleware, databases, computing devices, storage devices, and network devices.
 Enables resource deployment management for the virtualization environment.
 Creates IT service management procedures and systems to support various functions,
such as service desk, event management (service request management), issue
management, configuration management, change management (release management),
and service level management.
 Establishes report systems to display various data in service management platforms and
helps users analyze such data.

2.3 Computing and Storage Platform Requirements


The data center must support heterogeneous computing and storage environments and
various virtualization platforms, including Huawei and other vendors' servers and storage
devices, Huawei FusionSphere, and other virtualization platforms such as VMware.
The data center must adopt physical servers (2-/4-CPU x86 servers), virtual machines (VMs),
and storage area network (SAN), server SAN or network attached storage (NAS) storage
according to the characteristics of each service application, such as large computing volume,
high I/O access, high concurrent access, or normal resource requirements.
Servers and storage devices can be configured based on these features to meet computing and
storage requirements for the CPU, memory, network I/O, and storage I/O.
The computing platform and storage platform must work with the IT management platform to
enable automatic deployment and allocation of virtual computing resources.

2.4 Network Platform Requirements


The project has the following network requirements:
 The data center network must set up a complete security policy control system to ensure
security of the data center.


Therefore, segment the data center network into several functional areas and ensure the
service traffic and efficiency of functional areas while strictly controlling mutual access
between the functional areas. Additionally, isolate the data center network from external
networks and also isolate different business service areas to ensure security of service
systems.
 The data center network must provide a variety of distinct features such as quick
convergence, easy maintenance, and easy management.
 The data center network must feature high reliability and high availability to prevent
single point of failures.
 The data center network must be scalable and meet service demands of today and
tomorrow.
 The data center network must support network virtualization.
Therefore, virtualize core switches and access switches into a logical device by using
switch cluster virtualization or stacking technology, thereby reducing the number of
nodes and simplifying configuration.
 The networks of multiple data centers must interconnect.
For an enterprise that has multiple data centers, the interconnection of these data
centers must be considered.
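The segmentation requirement above (functional areas, strictly controlled mutual access, isolation from external networks and between business service areas) can be made checkable. The following added example is not part of the proposal and does not use any vendor's configuration syntax: it models the functional areas as firewall zones with an explicit allowlist of inter-area flows and audits a constructed zone-based policy against it, flagging permits from the external zone into internal areas, permits between business service areas, and over-broad "any" rules. The zone names, the policy line format, the allowlist and the sample rules are all assumptions made for the example.

```python
"""Audit a zone-based data-center firewall policy against a segmentation
allowlist. Everything here (zone names, policy format, sample rules) is
constructed for this example; it is not a vendor configuration syntax."""
from dataclasses import dataclass
from itertools import product
from typing import List, Set, Tuple

# Functional areas of the constructed data-center network.
ZONES = {"untrust", "dmz", "egov_app", "ehealth_app", "database", "management"}
EXTERNAL = "untrust"                          # external networks
BUSINESS_AREAS = {"egov_app", "ehealth_app"}  # must stay isolated from each other

# Explicitly allowed inter-area flows: (source zone, destination zone).
ALLOWED: Set[Tuple[str, str]] = {
    ("untrust", "dmz"),
    ("dmz", "egov_app"), ("dmz", "ehealth_app"),
    ("egov_app", "database"), ("ehealth_app", "database"),
    ("management", "dmz"), ("management", "egov_app"),
    ("management", "ehealth_app"), ("management", "database"),
}


@dataclass
class Rule:
    name: str
    action: str    # "permit" or "deny"
    src: str       # zone name or "any"
    dst: str       # zone name or "any"
    service: str   # e.g. "https", "oracle", "any"


def parse_policy(text: str) -> List[Rule]:
    """Parse lines of the form: <name> <permit|deny> <src> -> <dst> [service].
    Blank lines and '#' comments are ignored; unknown zones are rejected."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[3] != "->":
            raise ValueError(f"malformed rule: {raw!r}")
        name, action, src, _, dst = parts[:5]
        service = parts[5] if len(parts) > 5 else "any"
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule {name}: {action}")
        for zone in (src, dst):
            if zone != "any" and zone not in ZONES:
                raise ValueError(f"unknown zone in rule {name}: {zone}")
        rules.append(Rule(name, action, src, dst, service))
    return rules


def expand(zone: str) -> Set[str]:
    """'any' matches every zone, which is what makes such rules over-broad."""
    return set(ZONES) if zone == "any" else {zone}


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per violated flow; an empty list means compliant."""
    findings: List[str] = []
    for r in rules:
        if r.action != "permit":
            continue
        for s, d in product(expand(r.src), expand(r.dst)):
            if s == d or (s, d) in ALLOWED:
                continue  # intra-area traffic or an allowlisted flow
            if s == EXTERNAL:
                why = "external network reaches an internal area directly"
            elif s in BUSINESS_AREAS and d in BUSINESS_AREAS:
                why = "crosses business service areas"
            else:
                why = "inter-area flow not on the allowlist"
            findings.append(f"{r.name}: permit {s} -> {d} ({r.service}): {why}")
    # Segmentation also needs an explicit final deny so that unlisted flows
    # cannot fall through to a permissive default.
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst) != ("deny", "any", "any"):
        findings.append("policy does not end with an explicit 'deny any -> any'")
    return findings


# Constructed sample policy: five compliant rules, three violations, final deny.
SAMPLE_POLICY = """
web_in      permit untrust     -> dmz         https
dmz_egov    permit dmz         -> egov_app    http
dmz_ehealth permit dmz         -> ehealth_app http
egov_db     permit egov_app    -> database    oracle
ehealth_db  permit ehealth_app -> database    oracle
mgmt_any    permit management  -> any         ssh     # 'any' also reaches untrust
cross_app   permit ehealth_app -> egov_app    http    # breaks business-area isolation
ext_db      permit untrust     -> database    oracle  # bypasses the DMZ
default     deny   any         -> any
"""

if __name__ == "__main__":
    for finding in audit(parse_policy(SAMPLE_POLICY)):
        print(finding)
```

Running the block prints three findings for the sample policy; dropping the three offending rules yields an empty list, which is the state a reviewer would require before sign-off.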

2.5 Infrastructure Requirements


2.5.1 Server requirements
 One subrack must support both two-socket E5 and four-socket E5/E7 blades.
 One subrack must support a minimum of four switch boards.
 The back-end storage network must support 56 Gbit/s InfiniBand or 10GE networking,
which ensures distributed storage performance.
 The product must support storage servers. Each server must support 15 hard disks or two
PCIe solid-state drives (SSDs).
 A single node must support a minimum of four standard PCIe expansion slots.
 The system must be able to run long-term at an ambient temperature of 5°C to 40°C.
 The product must support the full series of Intel Xeon E5 v2 and E7 v2 CPUs.
 A single node must support a minimum of 24 memory slots.
 Supports profile-based stateless computing management. No reconfiguration is required
after device replacement, ensuring quick rollout.
 Provides a web-based management interface with quick start and simplified operations.

2.5.2 Storage Requirements


 Support for NAS, IP SAN, and FC SAN or Server SAN
 High scalability: a scale-out architecture allows effective capacity expansion
 Openness and compatibility: supports mainstream virtualization platforms, including
FusionSphere, vSphere, KVM, and XenServer; supports SCSI and iSCSI interfaces as
well as mainstream application systems; supports high-performance, low-latency
networks, such as InfiniBand and RoCE networks.


2.6 Facility Requirements


 The data center should adopt a modularized design with sealed cold aisle technology.
 Cabinets can be deployed in dual rows, integrating the cabinet system, power supply and
distribution system, refrigeration system, and management system in a single module.
 Tier rating: comply with not less than Tier 3 of the TIA-942 standard
 Lightning rating: Class II/C, 8/20 µs
 Waterproof/dustproof rating: IP20
 Certification: major components of the module can comply with CE certification
 Configuration: row-level air conditioners with N+1 redundancy in aisle containment for
high efficiency and energy saving; modular UPS with 2N backup
 Floor load-bearing requirements: not more than 750 kg/m²
 Backup time: backup time must be up to 15-30 min
 UPS deployment: the UPS should be deployed inside the module.
 Battery deployment: the batteries should be deployed outside the module on battery shelves.
 The skylights open under electromagnetic control and open automatically in the case of
fire; manual control is also supported for the convenience of maintenance.
 Refrigeration form: should adopt the air-cooled type.
 Monitoring function: aisle-level access control monitoring, with video surveillance
optional
 Cable outlet type: supports installation of the cabling outlet above the module
 Installation period: installation should be fast if venue decoration and electricity
infrastructure are ready.
 Rodent control measures: all cabinets must be configured with an anti-rat backplane
 Operation and maintenance convenience requirements: the module's power distribution,
refrigeration, and business operation surfaces are on the same side, making it easy for
O&M personnel to maintain.

2.7 Security Requirements


The project has the following security requirements:
 Network security
− Provide comprehensive security protection for the external network borders of the
data center to defend against threats from the Internet.
− Divide the internal network of the data center into security domains. Isolate the
network at security domain borders and define network access control policies.
− Provide security protection for internal servers and systems. Detect and rectify
vulnerabilities.
 Host security
Install antivirus software on hosts to defend against viruses, worms, and Trojan horses.


 Virtualization security
Provide the security protection capability for the virtualization infrastructure in the cloud
computing platform to ensure VM isolation, monitor the communication between
specific VMs, and ensure the security of VMs.
 Data security
− Ensure the confidentiality, integrity, and availability of sensitive data defined by
enterprises in the life cycle of the sensitive data.
− Identify sensitive data. Establish and maintain sensitive data directories. Formulate
protection policies and mechanisms to prevent unauthorized data distribution.
− Provide a secure communication mechanism to ensure the confidentiality and
integrity of sensitive data transferred over the Internet.
− Provide a data destruction mechanism to ensure that data cannot be accessed after the
life cycle expires.

2.8 Backup Requirements


The data center must support a backup solution with the following characteristics:
 VM-based backup.
 Some services in the data center must run continuously. Therefore, backup must
minimize the impact on running services.
 As the backup data volume increases, the backup solution must support smooth
expansion.
 The data center provides services for multi-level users, whose backup levels differ.
Therefore, the backup system must support backup at different levels.


3 HUAWEI National Distributed Cloud Data Center Solution

3.1 Challenges to NDC2 Construction


 Lack of a unified plan and top-level design
− National ICT construction faces four major challenges
− Each sector or region designs and constructs ICT systems separately, causing
development imbalance
− ICT levels in some sectors are low owing to a lack of capital, technology, staff, etc.
 Lack of information sharing
− Governments find it difficult to make correct and rapid decisions because of isolated
information islands
− Lack of information sharing also makes collaboration difficult
 Resource waste
− Duplicate functions and constructions cause resource waste and financial pressure
− ICT systems are operated and maintained separately, with low resource utilization
 Severe information security problems
− Important ICT systems lack effective security assurance and face various risks, with
low business continuity
 Poor service quality
− IT problems are difficult to locate. More than 20% of IT problems take more than one
day to resolve.
− Traditional data centers have no unified and open management platform. As a result,
resources cannot be allocated in a centralized manner to support diversified
applications.
 Inefficient service management
− Service deployment in a traditional data center usually starts from the bottom layer.
The hardware installation phase is long and basic configuration is complicated.
Therefore, the service rollout period exceeds 90 days, resulting in slow response to
service development requirements.
 Complex management and high management costs
− Hardware resources cannot be managed or shared in a unified manner.
− Network systems become increasingly complex; therefore, a large number of
professional O&M personnel are needed to meet customers' requirements.
− System maintenance consumes a large amount of resources. According to statistics,
more than 70% of IT budgets are used for system maintenance, leaving insufficient
investment for deploying new IT systems.


− Three or more management tools are adopted in 70% of data centers, which places very
high demands on O&M personnel competence.
− Data centers are developed based on cloud computing technology. Lacking O&M
experience, traditional enterprises can build the capability only after extensive
practice.

3.2 NDC2 Solution Architecture


The National Distributed Cloud Data Center architecture consists of the following layers:
 Facility layer
The facilities can be a traditional data center, container data center, or modular data
center. The traditional data center provides power supply, cooling, and cabling
subsystems, meeting the requirements of the basic operating environment. The container
data center integrates power supply, cooling, and service modules, meeting rapid
construction requirements in outdoor scenarios. The modular data center integrates
power supply, cooling, service cabinet, and cabling subsystems, meeting rapid
construction requirements in indoor scenarios and facilitating further expansion.
 Infrastructure layer
Basic hardware is deployed on the infrastructure layer to provide physical computing,
network, and storage resources. Physical resources are virtualized to form multiple
resource pools. The resource scheduling and management component allocates
on-demand virtual resources to upper-layer applications.
 Security layer
The Huawei NDC2 security architecture is divided into physical device security, network
security, host security, application security, virtualization security, data security, user
management, and security management layers.
 Management layer
ManageOne is the Huawei data center management solution. For service operation, it
supports charging and metering management, a service catalog, a self-service portal, and
user subscription. For cloud computing services, it also supports resource pool
management, such as resource scheduling within a resource pool, resource scheduling
across resource pools, resource allocation, process orchestration, and resource
application. In addition, ManageOne intuitively monitors and manages servers, storage
devices, network devices, and VMs, which facilitates troubleshooting in case of faults.
 Service layer (cloud service layer and application layer)
The Huawei NDC solution provides cloud computing services and application services.
The cloud computing services include cloud host, cloud storage, VPC, and other
value-added services. The application services are delivered by leveraging ISVs.
The government cloud is designed to provide cloud computing services to government
departments. The enterprise and public service cloud is designed for enterprises and
public customers to lease cloud resources.


Figure 3-1 National Distributed Cloud Data Center architecture

Figure 3-2 National Distributed Cloud Data Center physical architecture

3.3 NDC2 Solution Highlights


The National Distributed Cloud Data Center solution uses products with standardized
specifications, that is, normalized hardware, software, and applications, to provide IT
infrastructure that is easy to deploy, manage, expand, and upgrade. This helps users
increase ROI and meet requirements such as data center construction, upgrade, and
expansion, and data center visualization.


3.3.1 Unified Management of Multiple Resource Pools


Given distributed deployment and the fact that one data center may involve multiple
virtualization platforms, unified integrated resource pools and feature resource pools are
constructed to meet the differentiated requirements of next-generation data center
management.
All devices, including security, network and virtual resources are integrated into a data center.
Management interconnection is implemented on heterogeneous virtualization platforms.
Unified management and SLA settings are implemented on physical and virtual resources for
different services. Based on the SLA, policy delivery and scheduling as well as automatic
configuration are implemented on data center resources.
Rights- and domain-based management is implemented in VDC mode, reducing management
costs.
In addition, automatic management of cross-area heterogeneous virtualization resource pools
is implemented by establishing the network.

3.3.2 Employs an Open Architecture


The Huawei solution employs an open-source architecture and provides open application
programming interfaces (APIs) for third-party systems.

3.3.3 Ensures End-to-End Security


To ensure data center security, this solution employs an end-to-end security architecture that
protects the system from multiple dimensions, including network access, virtualization, the
cloud platform, and user data.

3.3.4 VDC Management Enables Users to Have Exclusive Data Centers
Based on customers' requirements, physical data centers can be flexibly divided into VDCs.
Each VDC can independently provide services and resources as a physical data center. Each
VDC has the independent administrator and service catalog. The VDC administrator can
manage and approve the service applications from users in the VDC directly. Resources and
networks between VDCs are relatively isolated. VDCs can be deployed across physical data
centers, implementing unified resource provisioning and scheduling of multiple physical data
centers.
By pooling the physical resources of customer data centers, physical resources can be flexibly
allocated and services provided according to the requirements of different departments and
organizations. Each department and organization can independently manage and use the
resources in its VDC. The work of the data center super administrator is distributed and
rights-based management is implemented, reducing the super administrator's management
costs and meeting the requirements of different tenants and departments more flexibly.
As the administrator of all resources, the system administrator allocates computing, storage,
and network resources in an enterprise data center to VDCs, organizations, and branches.
As the owner of a VDC, a VDC administrator defines a virtual private cloud (VPC) or
template and performs VM provisioning in the VDC.


As the service user of a VDC, an end user applies for resources in the VDC offline or on the
self-service platform.

3.3.5 VPC Management Meets Network and Security Requirements of All Applications
A VPC provides isolated VMs and network environments to meet network isolation
requirements of different departments. Multiple networking modes are supported, such as
direct network, routed network, and internal network.
Each VPC can provide independent virtual firewall, elastic IP address, virtual load balancer
(vLB), security group, VXLAN, IP Security (IPsec) virtual private network (VPN), and
network address translation (NAT) gateway services. (Some of these functions are provided
by VAS.)


4 Application Solution

4.1 Overall Solution Design


The NDC2 solution service architecture is shown in the following figure. Supported by
containerized data centers, with their advantages of rapid deployment, flexible expansion,
low operating costs, high energy efficiency, and low carbon footprint, it builds highly
available business applications.

Figure 4-1 Overall service solution design

4.2 e-Education Solution


4.2.1 Challenge
Education ICT systems face the following challenges:
 Education resources are distributed unevenly
 Traditional education resources can be obtained only in limited ways, and learning
methods are not flexible


4.2.2 Overall Architecture


Figure 4-2 Solution architecture (diagram: the Education VDC offers Cloud Hosting, Cloud
Storage, Charging, VPC, DR, and Backup Services; the Internet and outreach organizations
connect over IP links; DC1 and DC2 are linked by DWDM and an IB/IP data replication link,
each with core switches, a management zone, common and high-performance VM and PM pools,
and common and high-performance storage pools built on Server-SAN pools and UDS storage,
with VM and database replication between the two sites)

4.2.3 Application Service


The Huawei National Data Center Education Informatization Solution includes the following
functions:
 A resource sharing and teaching interaction platform to share abundant multimedia
courseware and high-quality educational resources.
 A digital library and assisted learning platform to construct a large-scale knowledge
center that is easy to use, exchange, and share.
 An expert teaching and video broadcast platform to broadcast expert teaching videos
and pass on teaching experience.

ICT APP Suggestion for Modern Education:


The resource sharing and teaching interaction platform, the digital library and assisted
learning platform, and the expert teaching and video broadcast platform can be constructed
independently, and Huawei suggests constructing the three platforms in the order shown in
the following figure.


ICT APP suggestion for modern education

4.2.4 Resource sharing & Teaching interaction


4.2.4.1 Software System Design

Figure 4-3 Resource sharing & teaching interaction architecture


 The MOE and every school can use this platform to share teaching resources.
 Every teacher can share their own teaching materials and prepare lessons through this
platform.
 Students can download learning materials from this platform.
 Teachers and students can use the resource sharing platform to enrich teaching and
learning before, during, and after class.

4.2.4.2 System Function


 Upload & share
Teachers and students create new resources during teaching and learning and can upload
these new resources to the platform to share, so the platform becomes a dynamic resource
platform and its resources become richer and richer. The resources uploaded to the platform
include existing public resources, purchased resources, and newly developed resources.


Figure 4-4 Upload & share


 Smart push:
The MOE service platform is connected to all the school server platforms. The MOE server
platform can push resources to schools, and schools can also share resources to the MOE
platform.

Figure 4-5 Resources construction & sharing-agile using


 Cloud storage
All resources are stored in cloud storage.
 Cloud portal
The solution provides a portal system for the MOE and schools. According to the different
situations of the MOE and each school, users can build different, personalized application
portals with the system.
 Cloud Spare
The solution provides cloud spare for students, teachers, and administrators.


 Teaching Resources
The teaching resources include teaching apps, media material, courseware, and teaching
plans.
 Learning Resources
The learning resources include learning apps, digital textbooks, exercises and practice, and
digital reading.

4.2.5 Digital Library & Assisted learning


4.2.5.1 Software System Design

Figure 4-6 Digital library solution architecture

4.2.5.2 System Function


 Library management
Library management mainly carries out the following functions:
- Classifying, integrating, and releasing network resources
- Integrating various heterogeneous digital resources and bringing them into a unified
search and usage interface
- Releasing processed digital resources in diverse presentation forms
- Conducting metadata management, digital rights management, and digital object
management
 Digitization
The resource processing module converts various types of materials into digital resources
and enables each type of material to meet the basic management and service requirements of
the central e-library. In particular, it converts various printed materials into digital-format
resources; literature digitization digitizes printed literature, books, and papers and converts
them into digital resources. The following figure shows the digitizing process.


Figure 4-7 Digitizing process 01

Figure 4-8 Digitizing process 02


It also acquires network resources that might otherwise be disordered and dispersed and puts
them in order, and performs format conversion as necessary for various databases, electronic
books, and electronic magazines.
 DRM
Digital Rights Management (DRM) refers to the technology the system uses to protect the
usage rights of data objects. Digital content protected by DRM can be stored as a file, video,
audio, or CD. The system can use the technology to control the usage time, duration, and
rights of digital resources.
 Intelligent retrieval
Based on the world's leading artificial intelligence algorithms, it achieves high-level
intelligent concept retrieval, automatic article analysis, summary and keyword generation,
automatic classification and clustering, and pushing articles to users.
 OAI Metadata Harvesting
The OAI Metadata Harvesting System, designed to solve issues of digital resource
construction, promotes the construction of digital libraries and the national culture sharing
project through the metadata sharing platform, realizes complementary relationships among
resources, technologies, and services, and achieves the "trinity" of digital libraries.


By using the OAI-PMH 2.0 protocol and the released functions of the OAI Metadata
Harvesting System V2.0, the center can serve as a uniform platform for browsing and
retrieving region-wide and nation-wide metadata.
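An added illustration of the harvesting mechanism named above (not Huawei's code, nor that of the OAI Metadata Harvesting System): a Python client that walks OAI-PMH 2.0 ListRecords responses, following resumptionToken until the repository signals completion, separating deleted records from live ones, and refusing to loop on a repeated token. The two XML responses and the example.invalid endpoint are constructed samples.

```python
import xml.etree.ElementTree as ET

OAI = "{http://www.openarchives.org/OAI/2.0/}"
DC = "{http://purl.org/dc/elements/1.1/}"

# Constructed OAI-PMH 2.0 ListRecords responses, keyed by resumptionToken.
# The empty key is the first request; "tok-page-2" is its continuation.
SAMPLE_PAGES = {
    "": """<OAI-PMH xmlns="http://www.openarchives.org/OAI/2.0/">
  <responseDate>2015-08-19T00:00:00Z</responseDate>
  <request verb="ListRecords" metadataPrefix="oai_dc">http://example.invalid/oai</request>
  <ListRecords>
    <record>
      <header><identifier>oai:example.invalid:1</identifier>
              <datestamp>2015-08-01T00:00:00Z</datestamp></header>
      <metadata><oai_dc:dc xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/"
                           xmlns:dc="http://purl.org/dc/elements/1.1/">
        <dc:title>Introductory Algebra (constructed)</dc:title>
      </oai_dc:dc></metadata>
    </record>
    <record>
      <header status="deleted"><identifier>oai:example.invalid:2</identifier>
              <datestamp>2015-08-02T00:00:00Z</datestamp></header>
    </record>
    <resumptionToken completeListSize="3" cursor="0">tok-page-2</resumptionToken>
  </ListRecords>
</OAI-PMH>""",
    "tok-page-2": """<OAI-PMH xmlns="http://www.openarchives.org/OAI/2.0/">
  <responseDate>2015-08-19T00:00:01Z</responseDate>
  <request verb="ListRecords" resumptionToken="tok-page-2">http://example.invalid/oai</request>
  <ListRecords>
    <record>
      <header><identifier>oai:example.invalid:3</identifier>
              <datestamp>2015-08-03T00:00:00Z</datestamp></header>
      <metadata><oai_dc:dc xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/"
                           xmlns:dc="http://purl.org/dc/elements/1.1/">
        <dc:title>Physics Lab Guide (constructed)</dc:title>
      </oai_dc:dc></metadata>
    </record>
    <resumptionToken completeListSize="3" cursor="2"/>
  </ListRecords>
</OAI-PMH>""",
}


def fetch_page(token):
    """Stand-in for the HTTP GET a real harvester would issue against the
    repository's base URL (verb=ListRecords&metadataPrefix=oai_dc first,
    then verb=ListRecords&resumptionToken=... for each later page).
    Here it simply returns the constructed sample page for that token."""
    return SAMPLE_PAGES[token]


def parse_list_records(xml_text):
    """Parse one ListRecords response into (records, next_token).

    next_token is None when the list is complete: OAI-PMH 2.0 signals the
    last page with an empty resumptionToken (or none at all). An OAI-PMH
    <error> element (e.g. badResumptionToken) is raised as ValueError.
    """
    root = ET.fromstring(xml_text)
    err = root.find(OAI + "error")
    if err is not None:
        raise ValueError("OAI-PMH error %s: %s" % (err.get("code"), err.text))
    records = []
    for rec in root.iterfind(OAI + "ListRecords/" + OAI + "record"):
        header = rec.find(OAI + "header")
        deleted = header.get("status") == "deleted"
        records.append({
            "identifier": header.findtext(OAI + "identifier"),
            "datestamp": header.findtext(OAI + "datestamp"),
            "deleted": deleted,
            # Deleted records carry a header only, so there is no title to read.
            "title": None if deleted else rec.findtext(".//" + DC + "title"),
        })
    tok = root.find(OAI + "ListRecords/" + OAI + "resumptionToken")
    text = (tok.text or "").strip() if tok is not None else ""
    return records, (text or None)


def harvest(fetch=fetch_page, max_pages=1000):
    """Follow resumptionTokens until the repository signals completion.

    A seen-token set and a page cap stop the loop if a misbehaving
    repository keeps handing back the same token or never ends the list.
    """
    records, token, seen = [], "", set()
    for _ in range(max_pages):
        page_records, next_token = parse_list_records(fetch(token))
        records.extend(page_records)
        if next_token is None:
            return records
        if next_token in seen:
            raise RuntimeError("repository repeated resumptionToken %r" % next_token)
        seen.add(next_token)
        token = next_token
    raise RuntimeError("harvest exceeded max_pages without completing")
```

xml.etree does not fetch external entities, but it does expand internal ones, so for responses from repositories outside your control the parse is normally wrapped in defusedxml to limit entity-expansion payloads.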

Figure 4-9 OAI metadata harvesting


 Resources Transfer
The resource transfer system is designed to improve the service network for transferring
digital resources. Its main function is to protect the normal operation of the entire transfer
network and improve the quality of service. It is a highly intelligent, graphical management
system that ensures the completeness, consistency, and reliability of resource data. Its
statistical analysis functions provide management and maintenance staff with timely,
accurate, and rapid queries of network transmission data from different angles.
The resource transfer system uses one-way push, initiated by the center and received
passively by clients. During the file transfer process, the receiver can obtain various types of
resource data.
 Assisted Learning management
The system is developed for students who need online learning, homework, exams, question
and answer sessions, etc. It is a self-learning platform that has been widely used in
universities in China and has received much praise from students.
 Mobile library
With the CDI MLIB Mobile Library App, the published data of the CM content management
software can be shown on mobile systems using interactive multimedia, 3D animation, and
network technology. With tablet PCs as the carrier and text, pictures, 3D animation, digital
effects, interactive multimedia, background music, voice, and other features, the CDI MLIB
Mobile Library App is a full-range interactive three-dimensional publicity system, bringing
an interactive experience through the tablet PC and network, anywhere, anytime.


4.2.6 Expert teaching & Video broadcast


4.2.6.1 Software System Design

Figure 4-10 Media video class solution architecture

4.2.6.2 System Function


Digital Assets Management: Digital Assets Management functions include Digitalization, File
Import, Metadata Extraction, Content Catalogue, Audit, Transition, Publish, Migration,
Backup, Search, Preview, download.
Rich-media Repurposing:
 Images: BMP, EPS, GIF, JP2, and so on.
 Video & Audio: MP3, WAV, WMA, AVI, FLV, MOV, MP4.
 Documents: DOC, HTM, PDF, XLS, PPT, PPTX, RAR.

There are two ways to watch the video on IPTV or internet:


 Live channel: users can watch the video through the live channel over the broadcasting
network. The media comes from classes at the MOE and is delivered through the
broadcasting network, TV antenna, and All-in-one Video Suite.


Figure 4-11 Transferring by broadcasting network


 On-demand video: users can watch the video through the on-demand channel over the
broadband network. Classes at the MOE are recorded and the recorded media is stored in
the MOE data center. The MOE can also push media resources to schools.


Figure 4-12 Transferring by broadband network

4.2.7 Educational Web Disk


4.2.7.1 Software System Design

Figure 4-13 Educational web disk solution architecture

4.2.7.2 System Function


The Educational web disk Solution provides the online storage service for users, space lease
service and mass resource pool service for institutes of education.
The online storage service enables the user to back up important data and cooperate with one
another. Users can access the online storage service on web pages. In addition, the online
storage PC client can map the cloud storage space to local virtual disks, and the mobile client
on a mobile phone enables users to access the online storage service. The multiple access
modes make it possible for individual users to access web disk data at any time and any place.
The access functions of various clients may also vary according to different access modes. For
example, when a user uses the PC web disk as a virtual disk to access data, all operations are
integrated in right-click menus to adapt to users' operation habit. When a user uses a mobile
client to access data, the contact list on the mobile phone can be backed up to the web disk
and image files in the web disk can be uploaded to micro blogging websites or sent as
multimedia messages or email attachments.
With multiple access modes and the specific features of these access modes, individual users
can flexibly access web disk data and view the same file content, no matter what access mode
is used, implementing data interactions with multiple screens. The online storage service
supports document version management. A document version is generated each time the data
is saved. Users can download different versions marked by different timestamps.


Web pages

Figure 4-14 Accessing the online storage (web disk) service from web pages

The following functions are supported when users access the online storage service from web
pages:
1. Friendly information management and group management
2. Multiple data sharing modes, including data sharing among accounts and data sharing
among groups (the read/write authority attribute can be set for data sharing)
3. Sending a document link to the specified email recipient so that the recipient can access
file resources according to the link
4. File search

PC client

Figure 4-15 Accessing the online storage (web disk) service from a PC client

The following functions are supported when users access the online storage service from a PC
client:


1. Displaying the virtual disk icon on the system tray
2. Displaying the saving or transmission status of files on the virtual disk in the form of
different icons
3. Discontinuous file upload and download
4. Traffic control, which enables users to adjust the upload or download bandwidth

Mobile client

Figure 4-16 Accessing the online storage (web disk) service from a mobile client

The following functions are supported when users access the online storage service from a
mobile client:
1. Directly uploading photos taken with the embedded camera to the cloud storage space
2. Uploading image files to micro blogging websites
3. Sending image and audio files as multimedia messages or email attachments
4. Backing up and recovering the local contact list
5. Discontinuous transmission (DTX)
6. Traffic control
7. File compression and decompression
Unified data center O&M involves the following aspects:
 Overall architecture
 User role system
 Data center routine O&M
 Troubleshooting
 Proactive intelligent O&M
 Report management


4.2.8 Customer Benefits


 Regional intelligent management
- Convenient service
- Enables more places and more roles to exchange resources
 Resources Construction & Sharing
- High-quality resources are easily available and shared
- Anyone, anytime, anywhere, any device
 Open
- Seamlessly integrates the existing systems
- Flexible combination of system functions
 Personalized Learning
- Classroom behavior control
- Intelligent learning performance analysis
 Mobile teaching
- No dedicated teaching platform needed
- Online teaching
- Mobile office
 Normalized evaluation
- Studying status evaluation
- Teaching effect evaluation

4.3 e-Health Solution


4.3.1 Introduction to the e-Healthcare Solution
The e-Healthcare solution consists of four sub solutions applicable to different scenarios. The
solution covers medical services of the national health department, central hospitals, small-
and medium-sized hospitals, and community healthcare service stations. Figure 4-17 shows
the overall architecture of this solution.


Figure 4-17 Four scenarios of the e-Healthcare solution

(Diagram: Scenario 1, a medical and health management services platform (SaaS) for the
Ministry of Health and its provincial branches, comprising a medical information sharing
platform, drug regulatory, and disease surveillance services, hosted on ManageOne with
application servers and storage at the National Health Information Center (DC2); Scenario 2,
a healthcare collaboration platform (SaaS) for the hospital community, comprising healthcare
education and healthcare collaboration services, reached over the IP network and a
WAN/private-line transmission network.)

These scenarios are as follows:


 A health surveillance and public services platform for the health department, enabling
such services as drug monitoring, disease reporting and warning
 A healthcare collaboration and education platform between central hospitals and regional
hospitals
Figure 4-18 shows the logical deployment of the e-Healthcare solution.

Figure 4-18 Logical deployment of the e-Healthcare solution


 The national healthcare service center is based on a cloud computing data center and
provides services such as public health surveillance, collaborative healthcare, and
education in SaaS mode.
 Upper-level and lower-level hospitals perform online or offline remote collaborative
diagnosis or medical education based on the collaborative healthcare and education
services provided by the national healthcare service center.

4.3.2 Epidemic Reporting System


The epidemic reporting system traces and handles medical emergencies, including data
collection, crisis determination, decision analysis, command deployment, real-time
communication, response command, and onsite support, to respond to medical emergencies
rapidly. The epidemic reporting system covers the following: epidemic monitoring data
management, warning model system, multi-dimension statistics and analysis system,
emergency report management, and basic knowledge base.
The epidemic reporting system consists of three core service modules, namely, epidemic
reporting management, statistics and analysis, and warning handling.
Figure 4-19 shows the overall architecture of the epidemic reporting system.

Figure 4-19 Overall architecture of the epidemic reporting system


Figure 4-20 shows the service process of the epidemic reporting system.

Figure 4-20 Service process of the epidemic reporting system

The following sections describe functional modules of the epidemic reporting system.

4.3.2.1 Case Information Management


As a basic function of the epidemic reporting system, case information management provides
basic data for further analysis and statistics. This module supports functions such as report
completion, review, correction, duplicate checking, query, and data export.

4.3.2.2 Statistics and Analysis


The statistics and analysis module provides area-based statistics (categorized by disease in
any time period), age-and-sex-based statistics (categorized by disease for any place and in any
time period), and occupation-based statistics (categorized by disease for any place and in any
time period).

4.3.2.3 Warning Management


This module compares data based on preset indicators and gives warnings to related personnel
by means of email, short message service (SMS), or client.
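As an added illustration of how the three modules just described (case information management, statistics and analysis, warning management) fit together, the following Python is example code written for this page and not code from the proposal or from any Huawei product. The data model, the duplicate rule (same patient, disease and onset date), the ten-year age bands, the sample reports and the indicator thresholds are all constructed assumptions; the warning names the channels (email, SMS, client) that a notifier would be handed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CaseReport:
    """One reported case; patient_id is assumed to be a pseudonymous identifier."""
    report_id: str
    patient_id: str
    disease: str
    area: str
    age: int
    sex: str
    occupation: str
    onset: date


def as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def age_band(age):
    """Ten-year age bands, e.g. 34 -> '30-39' (band width is an assumption)."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


class CaseRegistry:
    """Case information management: store reports, reject duplicates, filter."""

    def __init__(self):
        self.cases = {}       # report_id -> CaseReport
        self.duplicates = []  # report_ids rejected by the duplicate check
        self._keys = set()

    def submit(self, report):
        """Store the report; return False if it duplicates an existing one.
        Duplicate rule (assumption): same patient, disease and onset date."""
        key = (report.patient_id, report.disease, report.onset)
        if key in self._keys or report.report_id in self.cases:
            self.duplicates.append(report.report_id)
            return False
        self._keys.add(key)
        self.cases[report.report_id] = report
        return True

    def select(self, disease=None, area=None, start=None, end=None):
        """Cases matching the optional disease, area and inclusive onset window."""
        start = as_date(start) if start else None
        end = as_date(end) if end else None
        return [c for c in self.cases.values()
                if (disease is None or c.disease == disease)
                and (area is None or c.area == area)
                and (start is None or c.onset >= start)
                and (end is None or c.onset <= end)]

    def statistics(self, dimension, **filters):
        """Statistics and analysis: case counts by area, age-and-sex band or occupation."""
        keyfn = {
            "area": lambda c: c.area,
            "age_sex": lambda c: f"{age_band(c.age)}/{c.sex}",
            "occupation": lambda c: c.occupation,
        }[dimension]
        return dict(Counter(keyfn(c) for c in self.select(**filters)))


def evaluate_warnings(registry, indicators, start, end):
    """Warning management: compare case counts in [start, end] with preset
    indicators; one warning per breached indicator, naming its channels.
    indicators: {(disease, area): (threshold, channels)}."""
    warnings = []
    for (disease, area), (threshold, channels) in indicators.items():
        count = len(registry.select(disease=disease, area=area, start=start, end=end))
        if count >= threshold:
            warnings.append({"disease": disease, "area": area, "count": count,
                             "threshold": threshold, "channels": list(channels)})
    return warnings


# Constructed sample indicators: thresholds and channels are assumptions
SAMPLE_INDICATORS = {
    ("dengue", "north"): (3, ("email", "sms")),
    ("cholera", "south"): (2, ("client",)),
}


def build_sample_registry():
    """Constructed sample reports; every identifier and value is invented."""
    reg = CaseRegistry()
    rows = [
        ("R1", "P100", "dengue", "north", 34, "F", "teacher", "2015-08-01"),
        ("R2", "P101", "dengue", "north", 41, "M", "driver", "2015-08-02"),
        ("R3", "P102", "dengue", "north", 8, "M", "student", "2015-08-03"),
        ("R4", "P100", "dengue", "north", 34, "F", "teacher", "2015-08-01"),  # repeat of R1
        ("R5", "P103", "cholera", "south", 55, "F", "farmer", "2015-08-02"),
        ("R6", "P104", "dengue", "south", 29, "F", "nurse", "2015-07-20"),
    ]
    for *fields, onset in rows:
        reg.submit(CaseReport(*fields, as_date(onset)))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("rejected duplicates:", reg.duplicates)
    print(reg.statistics("area", disease="dengue"))
    print(evaluate_warnings(reg, SAMPLE_INDICATORS, "2015-08-01", "2015-08-31"))
```

The registry rejects duplicates rather than silently merging them, so a reviewer can see exactly which report IDs were dropped; and because the warning rule is a plain comparison of a windowed count against a preset indicator, the same evaluator can be re-run for any window, which is what a periodic surveillance job would do.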

4.3.2.4 Dynamic Appraisal


The dynamic appraisal module assesses reported disease data and the reporting status,
including card review statistics, duplicate card statistics, the composition of disease reporting
institutions, direct reporting statistics, and statistics on regions with missing reports.

4.3.2.5 System Management


The system management module manages system configurations, sets operators' rights and
system parameters, and maintains users.


4.3.3 Drug Monitoring System


Figure 4-21 shows the overall process of the drug monitoring system.

Figure 4-21 Overall process of the drug monitoring system

The following sections describe functional modules of the drug monitoring system.

4.3.3.1 Drug Warehousing Management System


This module enables users to assign drug warehouses and storage locations, manage drug
issue and receipt, and allocate drugs. It can be operated using RF devices, handheld terminals, or
automatic warehousing equipment.
This module supports barcodes and allows queries of drug inventory, historical issue and
receipt details, total issue quantity, and issue details.

4.3.3.2 Drug Transportation and Distribution Management


This module generates delivery tasks, allocates transportation vehicles, traces delivery status,
and records receipts.

4.3.3.3 Medical Logistics Management Report Analysis


This module provides accurate and real-time service data, such as cost and profit.

4.3.4 Healthcare Collaboration Platform


Healthcare collaboration services between large hospitals and small- and medium-sized
hospitals are built by leveraging resources in the cloud data center. Medical resources of central
hospitals are applied to regional hospitals to improve their medical capability by means of training.
In this way, regional hospitals can provide better healthcare services to residents.


Figure 4-22 shows the architecture of the healthcare collaboration platform.

Figure 4-22 Architecture of the healthcare collaboration platform

The following sections describe functional modules of the healthcare collaboration platform.


4.3.4.1 Teleconsultation Management System


Figure 4-23 shows components of the teleconsultation management system.

Figure 4-23 Components of the teleconsultation management system

4.3.4.2 Videoconferencing System


 Uses an IP-based high definition videoconferencing system.
 Uses the H.323 and SIP protocols and supports mainstream video protocols, such as H.264.
 Resolution: ≥ 1280×720p
 Frame rate: 30 frames per second
 Dual stream: supports the H.239 protocol; resolution of one channel ≥ 1280×720p
 Terminals use an embedded operating system
 Supports application display on dual screens
This system aims to achieve the following functions:
 Remote face-to-face communication among medical experts, hospital doctors, and
patients enables interactive consultation.
 Distance training allows synchronization of audio/video and training courseware and
supports interactive communication between the teacher and participants. The training
course can be retransmitted live or videotaped.
 High definition videoconferencing allows academic communication, case discussion, and
experience sharing between medical institutions.
 Audio and video materials of consultation, conferences, and trainings can be recorded
and replayed.

4.3.4.3 Medical Record Collection System


 Analog signal processing
Patients' films, paper medical records, laboratory test reports, and reports are scanned
and saved as electronic copies. This system can transfer, store, or browse scanned files.
Medical records can be manually documented into the system.


− For film materials
Use a medical-purpose scanner to scan film materials and save them as DICOM image
files.
− For paper materials
Use a common scanner to scan paper materials and save them as JPEG files.
 Digital signal processing
This system can obtain patients' image files from imaging equipment with a DICOM3.0
interface through a DICOM gateway or import DICOM3.0 images from the Picture
Archiving and Communication System (PACS).
If possible, a hospital can export medical records according to electronic medical record
standards issued by the health department. The telemedicine system can import, transfer,
store, and browse exported information.
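Files arriving through a DICOM gateway or exported from a PACS should be checked before the telemedicine system transfers or stores them. The following Python is an added example written for this page, not part of the proposal or of any Huawei or PACS product: it validates the DICOM Part 10 file layout (a 128-byte preamble, the "DICM" magic, then the explicit VR little endian file meta information group 0002), bounds-checks every element length against the remaining file before using it, and accepts only transfer syntaxes on an allowlist. The allowlist, the sample file, its placeholder instance UID and the patient name are constructed assumptions; the SOP class and transfer syntax UIDs are those defined by the standard.

```python
import struct

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"
# VRs whose explicit-VR encoding carries 2 reserved bytes and a 4-byte length
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
TAG_SOP_CLASS = (0x0002, 0x0002)
TAG_TRANSFER_SYNTAX = (0x0002, 0x0010)
# Assumption: the archive accepts only uncompressed little endian files
ACCEPTED_TRANSFER_SYNTAXES = {
    "1.2.840.10008.1.2",    # Implicit VR Little Endian
    "1.2.840.10008.1.2.1",  # Explicit VR Little Endian
}


class DicomFormatError(ValueError):
    """Raised when the file does not follow the Part 10 layout."""


def parse_file_meta(data):
    """Validate preamble and magic, then read the group 0002 elements.

    Returns {(group, element): raw value bytes}. Every length is checked
    against the remaining file before it is used as a slice bound."""
    if len(data) < PREAMBLE_LEN + 4:
        raise DicomFormatError("file shorter than preamble plus magic")
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICM_MAGIC:
        raise DicomFormatError("missing DICM magic")
    pos = PREAMBLE_LEN + 4
    meta = {}
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        if group != 0x0002:
            break  # file meta information ends; the data set starts here
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise DicomFormatError("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF or pos + length > len(data):
            raise DicomFormatError(
                f"element ({group:04X},{element:04X}) length {length} exceeds file")
        meta[(group, element)] = data[pos:pos + length]
        pos += length
    if TAG_TRANSFER_SYNTAX not in meta:
        raise DicomFormatError("no transfer syntax UID in file meta information")
    return meta


def uid(value):
    """UI values are NUL-padded to even length; strip the padding."""
    return value.rstrip(b"\x00").decode("ascii")


def accept_for_archive(data):
    """Ingest decision: (True, transfer syntax) or (False, reason)."""
    try:
        meta = parse_file_meta(data)
    except DicomFormatError as exc:
        return False, str(exc)
    ts = uid(meta[TAG_TRANSFER_SYNTAX])
    if ts not in ACCEPTED_TRANSFER_SYNTAXES:
        return False, f"transfer syntax {ts} not accepted"
    return True, ts


def encode_element(group, element, vr, value):
    """Explicit VR little endian encoder, used here only to build sample files."""
    if len(value) % 2:  # values are padded to even length (NUL for UI/OB, space otherwise)
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    if vr in LONG_LENGTH_VRS:
        return struct.pack("<HH2sxxI", group, element, vr, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value


def build_sample_file(transfer_syntax=b"1.2.840.10008.1.2.1"):
    """Constructed minimal Part 10 file; the instance UID and patient are placeholders."""
    elements = (
        encode_element(0x0002, 0x0001, b"OB", b"\x00\x01")
        + encode_element(0x0002, 0x0002, b"UI", b"1.2.840.10008.5.1.4.1.1.2")  # CT Image Storage
        + encode_element(0x0002, 0x0003, b"UI", b"1.2.3.4.5.6.7.8.9")  # placeholder instance UID
        + encode_element(0x0002, 0x0010, b"UI", transfer_syntax)
    )
    group_length = encode_element(0x0002, 0x0000, b"UL", struct.pack("<I", len(elements)))
    data_set = encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE")  # stands in for the image data set
    return b"\x00" * PREAMBLE_LEN + DICM_MAGIC + group_length + elements + data_set


if __name__ == "__main__":
    good = build_sample_file()
    print(accept_for_archive(good))
    print(accept_for_archive(good[:200]))  # truncated file is rejected
    print(accept_for_archive(build_sample_file(b"1.2.840.10008.1.2.4.50")))  # JPEG baseline rejected
```

Rejecting a file at this point costs nothing, whereas passing a malformed or unexpected file to an image viewer or the PACS importer means every downstream component has to cope with it; the transfer-syntax allowlist is the knob to widen when the archive genuinely needs compressed images.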

4.3.4.4 Remote Specialist Diagnosis System


 Remote image diagnosis
This system can obtain patients' image files from imaging equipment with a DICOM3.0
interface or from the PACS and perform other operations such as storing or reproducing
these files. A DICOM3.0-based remote radiology consultation system supports the
following functions:
− Post-processing of image files
− Annotating and saving key images
− Preparing and issuing image consultation reports
− Report templates
− Interactive communication of both parties during a consultation
If possible, central hospitals and regional hospitals can establish diagnosis service
relationship between corresponding departments.
 Remote pathology diagnosis
The system uses virtual section technology to transform pathological sections into virtual
digital sections consisting of complete digital images.
The system can zoom in or zoom out virtual digital sections. It can be used to annotate
and save key images, or prepare and issue pathology image reports.
If possible, central hospitals and regional hospitals can establish diagnosis service
relationship between corresponding departments.
 Remote ECG diagnosis
This system collects electrocardiograms from the digital electrocardiograph and sends
static electrocardiograms of regional hospitals to experts in central hospitals. It transfers,
stores, and reproduces electrocardiograms without data loss.
This system can be used to interpret and print electrocardiograms or prepare and issue
reports.
If possible, central hospitals and regional hospitals can establish diagnosis service
relationship between corresponding departments.

4.3.4.5 Distance Education System


This system provides two training modes: real-time interaction and course on demand (COD).
Real-time training allows synchronization of audio/video and training courseware and
supports interactive communication between the teacher and participants. The training course
can be videotaped or saved as files in common formats in the telemedicine center. Streaming
media courseware can be prepared or sorted on this system.
This system also provides COD services and enables courseware adding, deleting, uploading,
or query functions.

4.3.4.6 Remote Digital Resource Sharing


This system shares medical information among regional medical institutions, which facilitates
medical document query and helps improve medical capabilities of medical personnel.
In addition, central hospitals can share cases and surgery videos with medical personnel in
regional hospitals.

4.3.4.7 Two-way Referral and Remote Appointment System


This system provides two-way referral and remote appointment between regional hospitals
and central hospitals.
Patients can make an appointment for registration or examination, or apply for a referral in
regional hospitals. Central hospitals accept these applications and provide feedback.

4.3.4.8 Remote Monitoring System


If a monitoring system is available in a hospital, the hospital can use the monitoring system to
collect vital sign data, such as electrocardio, heart rate, blood pressure, and blood oxygen.
Central hospitals can store and print the monitoring data.
In actual application, the remote electrocardio monitoring function can work with the
videoconferencing system to enable efficient communication.

4.4 E-Police Solution


4.4.1 Design of the Overall Project
Figure: e-Police overall architecture (diagram; labels recovered from the figure: Internet and
outreach organization links, and an IB/IP data replication link between DC1 and DC2;
application systems including the national criminal intelligence and profiling system, lost &
found asset control system, firearm management system, car tracking system, crime records
management system, crime information system, human resource management system, fleet
and vehicle tracking management system, national asset management system, detention
management system, access control system and network services; an e-Police VDC offering
VPC, cloud hosting, cloud storage, DR, backup and charging services; Layer 2/3 core
switches connected over DWDM; a management zone with data center and backup
management, common and high-performance VM pools, PM pools, web/app/DB tiers with
database and VM replication, backup and media servers; common and high-performance
storage pools on Server-SAN pools and UDS storage)

The overall architecture is divided into five layers: sensor layer, transmission layer,
infrastructure layer, support application layer and application layer. The overall architecture
diagram is shown above.


4.4.1.1 Sensor Layer


The sensor layer is the front-end layer and includes urban surveillance, command dispatch
terminals, telecom terminals, etc. Urban surveillance includes security video surveillance,
electronic traffic police, intelligent checkpoints, key point monitoring, etc. Command dispatch
terminals are designed for leaders or dispatchers to handle incidents. Telecom terminals are
communication terminals designed for police officers.

4.4.1.1 Transmission Layer


The transmission layer is the network layer. In this project, the network includes the data
network, trunk radio and the telecom network. The main data networks are the LAN and data
centre networks. Trunk radio is the wireless network, which will be built in the voice
communication radio system. The telecom network is leased for the WAN.

4.4.1.2 Infrastructure Layer


The infrastructure layer provides hardware for all application systems. Hardware includes
servers, storage, network security equipment, large display screens, etc. The infrastructure
layer includes the data centre, command centre, mobile command centre and integration test centre.

4.4.1.3 Support Application Layer


The support application layer is composed of two parts. The bottom part is the database layer,
which includes the basic library, business library, standard library and middleware. The upper
part includes the data exchange and access platform and the geographic information system.


4.4.1.4 Application Layer


The application layer includes 22 systems in this project: the crime information system,
traffic management system, CCTV monitors, human resource management system, fleet and
vehicle tracking management system, national asset management system, message handling
system, detention management system, access control system, border security and key point
monitoring systems, public order management and surveillance system, lost & found asset
control system, firearm management system, C.I.D. vehicle theft squad (car tracking system),
records management system, national crime records management system, computer aided
dispatch system, patrol vehicles and foot patrol system, criminal intelligence and profiling
system, voice communication radio system, public automated branch exchange, and voice
over IP.

4.4.2 Crime Information System


4.4.2.1 System Overview
As an integral part of the e-government, the system provides a complete set of electronic
solutions for the efficient operation of the national police system.With its functions involved
in all police stations, district, province and Police General Headquarters, the system is
designed to strengthen all national police departments’ crime information management,
improve the reliable and secure sharing of criminal information in the departments and
external departments, as well as provide decision-making support for all levels of
management sectors.
A need has been felt to adopt a holistic approach to address the requirements of the police,
mainly with relation to functions at the police stations, districts, provinces and the Police
General Headquarters. It becomes critical that information and communication technologies
are made an integral part of policing in order to enhance the efficiency and effectiveness of
the Police Service. In order to realize the benefits of e-Governance fully, it is essential that
an all encompassing approach is adopted that includes re-engineering and standardizing key
functions of the police and creating a sustainable and secure mechanism for sharing critical
crime information across all facets of the Police. The Crime Information System has been
conceptualized in response to the need for establishing a comprehensive e-Governance system
which improves crime management in police stations across the country and assists
management at all levels in decision making.

4.4.2.2 Needs analysis


4.4.2.3 Business overview
The system currently in use heavily depends on the use of forms, books, registers, and files in
the accomplishment of case recording and management. The functions undertaken can be
logically classified into two major areas of Crime Recording and Statistics and Criminal
Record Indexing.
1) Crime Recording and Statistics
When a report is received in the Charge Office, it is booked in the Report Received Book
(RRB) which is serialised. At Stations which handle a lot of cases, the report is booked in
Initial Report (IR). The following Forms are completed depending on the nature of the case:
a) Scene Report-Property
b) Scene Report-Violence
c) Scene Report Miscellaneous


d) Scene Report-Public Disorder
e) Sudden Death Report Book
Witness statements are then recorded. If the accused/suspect is available, a Warned and
Cautioned Statement is recorded, and if there is a need to detain the accused person, the
Detention Book is completed. The completed forms and statements form a docket, which is
forwarded to the Member In Charge Crime, who books it in the Docket Management Register,
in which a Crime Register (CR) reference is allocated for each case.
The Member In Charge crime then allocates the case to an investigating officer after noting
down instructions on the course of action to be followed on a Running Diary Log. The docket
is forwarded to the Records Office and details pertaining to the report are recorded in the
Crime Register using the CR reference extracted from the Docket Management Register.
Particulars of complainant are recorded in the Index Register in alphabetic order of
names against their CR reference for searching purposes.
If there are any exhibits relating to the case they are recorded in the Exhibits register against
their CR references. After all details relating to the case are recorded at the Records office the
docket is forwarded to the Investigating Officer (IO) or relevant station using Docket
Movement Register.
Upon receiving the docket, the IO follows the initial instructions and notes down the
inquiries made during investigations on the Running Diary Log, date- and time-stamping each
inquiry. The docket is referred to the IC Crime for further instructions. When investigations
are completed, the IC Crime forwards the docket to Court for prosecution. If the accused
person defaults court, a Warrant of Arrest is attached to the docket. Results of trial are
endorsed on the docket and the docket is returned to the station. If the case is finalised, the
Records Office books the docket in either the Complete Dockets Register or the Incomplete
Dockets Register and files it away according to its disposal reference. An Outcome of Report
Received is sent to advise the complainant about the result of the case.
A police station can also receive reports and refer the dockets to the relevant police station
where the case occurred.
2) Criminal Recording and Indexing System
The criminal records index is a manual system maintained by the Criminal Investigations
Department. Its mandate is to keep criminal records for cases recorded at all police stations
across the country. Fingerprints and records of a criminal nature are forwarded to CID HQ by
police stations, where the records are carded and indexed for searching purposes. This system
aids investigating officers with leads in the cases they investigate and uncovers previous
charges against criminals. The following CID sections are involved:

a) Scenes of Crime
This section is responsible for:
* Uplifting fingerprints from scenes of crime.
* Classifying and searching of fingerprints.
* Keeping records of all fingerprints from crime scene.
* Assisting Investigating officers in identifying criminals through fingerprint search
process.

b) Central Criminal Bureau (CCB)


The functions of the Central Criminal Bureau:


* Maintains manual records of fingerprints of all convicted persons forwarded by all
stations.
* Giving records of previous convictions of accused person(s) and suspects.
* To maintain all criminal records and providing courts with previous convictions using
fingerprints.

c) Criminal Records Office (CRO)


The office is responsible for:
* Carding/Filing Admission of Guilt.
* Carding / Filing Weekly Comments.
* Opening and Maintaining Headquarters Files.
* Carding Newspaper Cuttings on criminal related News.
* Carding of Stolen/Lost Property.
* Carding/filing wanted Persons.
* Creating and maintaining nominal index of vetted and carded parties.
* Prepare Police Gazettes and supplements for publication.
* Vetting daily Returns.
* Compilation of Police Clearance Certificates
* Creating and Maintaining National Registration (NR) Index
* General vetting for persons willing to apply for a firearm Certificate, Copper Licenses,
Private Investigators licenses, Security Guard Licenses and Immigration Clearance Forms.
* Vetting Intended Spouses for Policemen

The functions of all the above sections are interwoven and depend upon each other.
However, the indexing system is still manual and labour intensive.


4.4.2.4 Data flow diagram


Crime information management data flow diagram (diagram; labels recovered from the figure:
the complainant reports to the Charge Office, which books the report in the station book and
opens a docket using the Scene Report forms (Property, Violence, Miscellaneous, Public
Disorder) or the Sudden Death Report Book; the IC Crime notes instructions and books the
docket in the Docket Management Registry with a CR number; the Records Office records
the complainant's particulars in the Index Register in alphabetic order against the CR
reference, records case details in the Crime Register and exhibits in the Exhibits Register,
and books finalised dockets in the Complete Dockets Register or Incomplete Dockets
Register; the docket goes to the Investigating Officer (IO) or relevant station, which records
inquiries and investigations; results of trial and the result of the charge are returned)

4.4.3 Human Resource Management System


The human resource management system, which serves the majority of police officers, on the
one hand helps human resource managers streamline labor costs and raise labor efficiency; more
importantly, it strengthens the dynamic relationship between police officers and stations and
combines the development of police officers with the development of the police service
organically and strategically.
With the extensive application of network technology, the Police Service will develop in the
context of the information age. Management reengineering and process recombination will
become important means for the Police Service to break with traditional rules and gain new
capabilities. The informatization of strategic human resource management, one of the elements
of core capability, will be an important part of and a strategic support element in the
informatization of the Police Service. The main significance of human resource
informatization is embodied in the following:


Informatization of human resource management moves HRM away from its traditional
transactional role. Resume processing, police officer information management, attendance
management and other routine tasks that contribute little to organizational strategy are handled
by the HR information system, strengthening and improving the service conditions of the
entire organization, its HR system and its processes. HR management effort can then be spent
on human resource planning, police officer career design, strategic decision-making
consultation and other work of strategic significance for the organization, effectively
supporting organizational transformation and redesign.
Meeting the personalized needs of police officers and providing value-added services. Because
police officers are knowledge workers over a long period of time, they pay more attention to
participation in management and to transparent, personalized services. The HR information
system allows police officers to quickly and easily understand the career plans and incentives
tailored for them. At the same time, officers can shape their own development through
self-directed training, dynamic work arrangements and personal development plans. The HR
department can more conveniently provide value-added services to other managers and to the
vast majority of police officers (advancing skills and increasing staff motivation in order to
achieve the highest possible level of performance over time).
Advanced reporting tools support the generation and distribution of all kinds of reports, such
as attendance reports, performance reports and personnel statements, with easy and secure
capture of employee data and retention of a historical record of HRMS data from which a
variety of specialised reports can be generated.
Improving management efficiency and reducing management costs. Information-technology-based
HR management keeps a complete record of all police personnel information and gives quick,
convenient access to a variety of statistical analysis results, which provides human resource
decision support for the Police Service's strategic goals. An embedded Decision Support
System (DSS) assists management at different levels in making informed decisions that are
consistent with human resource planning and that relate costs to results. High-level managers
and department heads can readily learn about personnel status and talent requirements, making
HR management more scientific and talent allocation more reasonable. Operating costs are
reduced by lowering the cost of HR work, the number of administrative HR staff and
communication costs.
Strengthening internal communication and enhancing core competencies. The police has a
wide range of organizational units and a complex structure, but the HR information system
provides centralized data management and distributed applications in a fully networked
operating mode, which greatly improves internal communication. It promotes the sharing of
talent, technology and knowledge within the police, strengthens mutual ties and improves
human capacity. It also maintains an employee portal: employees can log on to the HR system
and make authorised HR-related queries.
The problems that an information-technology-based human resource management system can
solve are generally as follows:
Effective human resources management solves the problems of brain drain, idleness and
waste;
Systemic vocational training management solves the problem of a lack of talent reserve;
Good talent maintenance solves the uneven human resources structure and distribution;
Improved systemic planning addresses the problem of self-containment and the lack of a
virtuous circle of recruitment, training and assessment.


4.4.4 Fleet and Vehicle Tracking Management System


4.4.4.1 System overview
The fleet and vehicle tracking management system uses an information management system to
achieve full-range management of the police department's fleet and vehicles. Based on a
geographic information system (GIS) and a satellite positioning system, it manages fleet and
vehicle procurement, distribution, maintenance and tracking to cover the full life cycle of
each vehicle; it manages and controls daily vehicle use and dynamic security, including vehicle
dispatch, key control, vehicle positioning and fuel consumption control; and it standardizes
vehicle maintenance management, including maintenance equipment, accessories and funding.
Through comprehensive sorting and information customization of business processes, it
improves management and integrates fleet and vehicle management, protection and
maintenance. The fleet and vehicle tracking management system has the following
characteristics:
(1) Interactive operation with a simple interface, flexible information query, and safe and
reliable storage.
(2) Better management of supplier, resource and user information, strengthening information
management.
(3) Easy input and inquiry.
(4) Accurate understanding of fleet and vehicle dynamics, with statistics on all kinds of
situations.
(5) More intuitive vehicle and fleet management based on GIS and GPS technology.
(6) Report functions to conveniently print data into documents.
(7) Good data security, with data backup and recovery.
(8) Maximum ease of maintenance and operation.

4.4.5 National Asset Management System


With the rapid advance of information technology and the development of e-government,
informatized national asset management has increasingly become the mainstream. National
asset management is an essential function of government and the public sector; if it still relies
on traditional manual management, it cannot keep up with the pace of development.
Information-based management of national assets through a national asset management
system saves labor, capital investment and time, and its functions provide effective protection
for asset management.
National asset management is characterized by a large quantity of assets and complex
classification. To facilitate effective management and the rational allocation and effective use
of national assets, building on day-to-day asset management, we adopt advanced computer
and database management technology and establish a complete dynamic national asset
management system that fully reflects the state of national assets. National assets are also
managed throughout the whole process of planning, purchase, registration, distribution,
maintenance and disposal, so as to achieve data sharing and other functions, such as
comprehensive data queries under various conditions and summary statistics.


4.4.6 Detention Management System


The detention management system is an information system that combines computer networks, a database system, and a closed-circuit television (CCTV) monitoring system. It implements the operational responsibilities and management regulations of the Police Interior Ministry for supervision stations at the province level and at Police General Headquarters at the national, state, and regional levels, providing operational functions such as entry management, arraignment, daily management, and transfer management. It also synchronizes operational information with, and provides data query interfaces to, the criminal information system and the judicial implementation system.

4.4.7 Access Control System


The system is deployed at important sites at all levels. It manages visiting personnel by monitoring site entrances to ensure the safety of those sites.

4.4.8 Lost & Found Asset Control System


The Lost & Found Asset Control System handles lost property management: it publishes information about lost and found property and lets the police system contact the owner once lost property is recovered. This greatly improves the recovery rate of lost property and enhances the public image of the police.
The system includes registration and release of loss reports, records of items being sought, release of found-property information, and queries on lost and found property. Its main users are the following. The Criminal Record Office registers and releases loss reports and collates and records information on items being sought. Owners and the public query lost and found property. Relevant external stakeholders obtain information about lost items through a program interface or other means (for example, an insurance company that needs to settle a claim).

4.4.9 Firearm Management System


Because the government grants citizens the right to protect their private affairs, citizens may legally own firearms. However, the presence of firearms makes crime easier to commit. It is therefore necessary to establish a firearm registration system on a national scale. With computer and data management technology, firearms across the whole country can be registered and managed, improving management efficiency and strengthening query and statistical analysis of firearms.

4.4.10 C.I.D Vehicle Theft Squad (Car Tracking System)


With economic development the number of vehicles keeps rising, and cases of vehicle theft and robbery occur frequently. These cases also raise the crime rate more broadly: stolen vehicles become tools for further crimes, adding to social unrest. Criminals use stolen or robbed vehicles to commit robberies, which undermines public security and has drawn strong attention from the government and public security departments. Preventing and stopping such cases in time, strengthening the management of stolen motor vehicle information, and applying modern information technology to store, transmit, and query this information quickly over a network have become imperative.
The stolen vehicle tracking system uses information storage technology, license plate number recognition technology, and dynamic retrieval over a mass database to make dynamic tracking of stolen vehicles possible. On the one hand, standardized registration of stolen vehicle information makes real-time query and management more convenient and lets police recognize stolen vehicles during daily patrols. On the other hand, street-level license plate recognition systems locate the stolen vehicle in the flow of traffic, video from monitoring systems tracks it, and queries of vehicle pass records at border checkpoints improve the recovery rate of stolen vehicles and protect citizens' property.

4.4.11 Records management system


Government agencies collect huge quantities of archived files every year. As information systems advance, all kinds of records are gradually becoming electronic, and building a secure and convenient records management system has become the most important task of archival work. A modern records management system not only automates the archiving and organization of all kinds of records (meaning secure storage and information services) but also lays a foundation for centralized management of all kinds of knowledge.
As a file distribution center, the records management system not only archives the original files electronically but can also be integrated with a variety of common application environments, such as databases, operating systems, server equipment, storage devices, portal systems, and security systems. It can also be integrated with application systems such as OA, ERP, and various business management systems for data exchange and sharing. The system provides powerful customization tools that define the data structures of each archive type, screen layouts, print formats, data integrity and correctness constraints, auxiliary rule sets, and fast-entry auxiliary information, so the records management information system can be tailored to the user's specific needs. The system is developed in a structured, modular way: functions are combined and integrated according to the user's specific needs to form a management platform matching their requirements. The records management system is a records management information platform with strong security: it has a built-in security control system and can also be integrated with a variety of security systems to meet user security requirements.

4.4.12 National crime records management system


The main goal of the crime records management system is to provide, on the basis of the electronic crime information system (CIS), data warehousing services for the massive volume of criminal record information; to build a comprehensive data platform oriented to criminal record analysis; and to provide data support, query, and synchronization services to the electronic crime information system, traffic management system, and criminal intelligence system, so that the police forces of Country X at all levels work better and receive decision-making advice.

4.4.13 Criminal Intelligence and Profiling System


A profiling system is a computerized model that identifies problems and analyzes examples in order to precisely locate price discrimination, provide specific services, detect price fraud, and provide extended social ranking. In the field of criminal intelligence, the system sorts and classifies large amounts of information to portray the target. Modus operandi (MO) and related organizations are examples of the inputs that constitute the system's intelligence foundation.
For the current multi-source intelligence information of the police forces of Country X, the subsystem offers technical means of intelligence analysis and management methods, designs an intelligence analysis engine, supports intelligence situation and trend analysis, and establishes a unified intelligence information service system, forming a complete intelligence analysis and judgment system covering intelligence collection, information processing, intelligence analysis, and intelligence services for the different police departments of Country X.
The cloud service operation manages all cloud and non-cloud resources of the data centers based on resource pools and provides highly customizable resource services, including unified resource orchestration, customized resource scheduling policies, automatic resource allocation and deployment, and customized enterprise service integration. It provides a platform for enterprises to manage and provision the resources of multiple data centers in a unified manner. The overall architecture of the cloud service operation is as follows.
Service definition
− User management
− Service catalog management
− Metering management

5 Management Solution

ManageOne is an all-in-one solution for the operation and maintenance of NDC2. It can
integrate dispersed resources into a logical resource pool, provide computing, storage, and
network resources as cloud services to users, support user self-service, schedule, control, and
deploy data center physical and virtual resources in a unified manner, and monitor and
maintain cloud services using processes in a standard manner.

5.1 ManageOne Solution Architecture


Figure 5-1 shows the function modules of the Huawei ManageOne solution.


Figure 5-1 Function modules of Huawei ManageOne

Management software used in the ManageOne solution is classified into two layers:
 Resource layer: Software at this layer is used to manage resource information (for
example, collecting device information) and send resource information to the service
layer for service assembling and provisioning and O&M analysis.
 Service layer: Two kinds of software are used at this layer:
− Operation software: provides operational services for tenants after resource
orchestration, and provides a unified operation platform for administrators.
− Maintenance software: implements comprehensive analysis on collected maintenance
information (such as alarm information and performance information), displays the
analysis results, and provides a unified maintenance platform for administrators.
Table 5-1 describes the function modules in the ManageOne solution.

Table 5-1 Function modules in the ManageOne solution

Module: Monitoring management
Description: Monitors physical devices (including servers, network devices, storage devices, and security devices) in a unified manner.
Related product: Huawei eSight (eSight for short)
NOTE: When one of the following situations occurs, contact Huawei for a solution:
 Devices that cannot be managed by eSight exist in a project.
 Databases and applications need to be monitored and managed.

Module: Resource management
Description:
 Manages physical resources and virtual resources for the Huawei system and third-party vendors.
 Manages the traditional resources and cloud resources in the data center in a unified manner, collects resource statistics by level, and provides unified view management for cloud resource capacity and service management for traditional resources.
Related product: Huawei FusionManager (FusionManager for short)

Module: Service center
Description: Provides customizable data center services and unified service orchestration and automatic management capabilities based on cloud and non-cloud resources, including:
 Customizable heterogeneous cloud and non-cloud platform support capabilities
 Customizable policy setting and service orchestration capabilities for multiple resource pools
 Customizable enterprise service integration capabilities
 Customizable resource pool management system capabilities, especially automatic traditional resource provisioning capabilities
Related product: Huawei ServiceCenter (ServiceCenter for short)

Module: O&M center
Description: Implements O&M operations based on scenarios and visualized status, risk, and efficiency analysis for data center services, and works with the service center to implement data center self-optimization and self-healing based on analysis results.
Related product: Huawei OperationCenter (OperationCenter for short)

5.2 Key features


The ManageOne solution provides a unified data center management platform, supports the
concept of agile operation and simplified O&M, and provides advanced management
solutions for the service assurance and service orchestration of distributed cloud data centers.


Multiple data centers are managed as one data center: data centers are physically distributed but logically centralized. Multiple data centers, cloud and non-cloud resources, heterogeneous virtualization platforms, and operation and maintenance are all managed in a unified manner.
One data center is used as multiple data centers: based on the virtual data center (VDC) model, one data center can provide different resource services to different departments and services, separating resource construction from resource usage and better matching enterprise and carrier management models.

5.2.1 Unified Management of Multiple Resource Pools


Because deployment is distributed and one data center may involve multiple virtualization platforms, unified integrated resource pools and feature-specific resource pools are constructed to meet the differentiated requirements of next-generation data center management.
All devices, including security, network, and virtual resources, are integrated into one data center. Management interconnection is implemented across heterogeneous virtualization platforms. Physical and virtual resources are managed in a unified manner and SLAs are set per service; based on the SLA, policies are delivered, resources are scheduled, and data center resources are configured automatically.
Rights- and domain-based management in VDC mode reduces management costs.
In addition, cross-region heterogeneous virtualization resource pools are managed automatically by interconnecting them over the network.

Figure 5-2 Data center management development phases

(Currently, the construction of this project is in Phase 1.)


5.2.2 VDC Management Enables Users to Have Exclusive Data Centers
Based on customers' requirements, physical data centers can be flexibly divided into VDCs.
Each VDC can independently provide services and resources as a physical data center. Each
VDC has the independent administrator and service catalog. The VDC administrator can
manage and approve the service applications from users in the VDC directly. Resources and
networks between VDCs are relatively isolated. VDCs can be deployed across physical data
centers, implementing unified resource provisioning and scheduling of multiple physical data
centers.
By pooling the physical resources of customer data centers, physical resources can be flexibly allocated and services provided according to the requirements of different departments and organizations. Each department and organization independently manages and uses the resources in its VDC. The work of the data center super administrator is delegated and rights-based management is implemented, reducing the super administrator's management costs and meeting the requirements of different tenants and departments more flexibly.
As the administrator of all resources, the system administrator allocates computing, storage, and network resources in an enterprise data center to VDCs, organizations, and branches.
As the owner of a VDC, a VDC administrator defines a virtual private cloud (VPC) or template and provisions VMs in the VDC.
As the service user of a VDC, an end user applies for resources in the VDC offline or on the self-service platform.
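The three roles above form a small domain-scoped authorization model: the system administrator allocates resources to a VDC, the VDC administrator provisions only inside its own VDC and approves self-service requests, and an end user can request resources only from a VDC it belongs to. The following Python example is added here to show how such a model enforces both the domain boundary and the allocated quota; it is not ManageOne code, and the class names, the quota fields, the sample VDCs, administrators, and users are all constructed for illustration. It assumes the system administrator does not itself provision VMs inside a VDC.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


class AuthorizationError(PermissionError):
    """Actor is acting outside its role or outside its own VDC."""


class QuotaExceeded(ValueError):
    """Placing the VM would exceed the quota the system administrator allocated."""


@dataclass(frozen=True)
class Resources:
    vcpus: int
    memory_gb: int
    storage_gb: int

    def __add__(self, other: "Resources") -> "Resources":
        return Resources(self.vcpus + other.vcpus,
                         self.memory_gb + other.memory_gb,
                         self.storage_gb + other.storage_gb)

    def fits_in(self, limit: "Resources") -> bool:
        return (self.vcpus <= limit.vcpus and self.memory_gb <= limit.memory_gb
                and self.storage_gb <= limit.storage_gb)


@dataclass
class Vdc:
    name: str
    admin: str                     # the VDC administrator (owner)
    quota: Resources               # allocated by the system administrator
    users: Set[str] = field(default_factory=set)                 # end users of this VDC
    vms: Dict[str, Resources] = field(default_factory=dict)      # provisioned VMs
    pending: Dict[str, Resources] = field(default_factory=dict)  # self-service requests

    def used(self) -> Resources:
        total = Resources(0, 0, 0)
        for size in self.vms.values():
            total = total + size
        return total


class VdcDirectory:
    """Hypothetical model of the three roles: system administrator, VDC administrator, end user."""

    def __init__(self, system_admin: str) -> None:
        self.system_admin = system_admin
        self.vdcs: Dict[str, Vdc] = {}

    def create_vdc(self, actor: str, name: str, admin: str, quota: Resources) -> None:
        # Only the system administrator may allocate data center resources to a VDC.
        if actor != self.system_admin:
            raise AuthorizationError(f"{actor} may not allocate data center resources")
        self.vdcs[name] = Vdc(name, admin, quota)

    def _require_vdc_admin(self, actor: str, vdc_name: str) -> Vdc:
        # Domain check: being the administrator of *some* VDC is not enough,
        # the actor must own this particular VDC.
        vdc = self.vdcs[vdc_name]
        if actor != vdc.admin:
            raise AuthorizationError(f"{actor} is not the administrator of VDC {vdc_name}")
        return vdc

    def add_user(self, actor: str, vdc_name: str, user: str) -> None:
        self._require_vdc_admin(actor, vdc_name).users.add(user)

    def _place(self, vdc: Vdc, vm_name: str, size: Resources) -> None:
        # Quota check against what the system administrator allocated to this VDC.
        if not (vdc.used() + size).fits_in(vdc.quota):
            raise QuotaExceeded(f"VDC {vdc.name} quota exhausted; refusing {vm_name}")
        vdc.vms[vm_name] = size

    def provision_vm(self, actor: str, vdc_name: str, vm_name: str, size: Resources) -> None:
        self._place(self._require_vdc_admin(actor, vdc_name), vm_name, size)

    def request_vm(self, actor: str, vdc_name: str, vm_name: str, size: Resources) -> None:
        # Self-service: an end user may only request from a VDC it is a member of,
        # and the request waits for the VDC administrator's approval.
        vdc = self.vdcs[vdc_name]
        if actor not in vdc.users:
            raise AuthorizationError(f"{actor} is not a user of VDC {vdc_name}")
        vdc.pending[vm_name] = size

    def approve_request(self, actor: str, vdc_name: str, vm_name: str) -> None:
        vdc = self._require_vdc_admin(actor, vdc_name)
        self._place(vdc, vm_name, vdc.pending.pop(vm_name))


def build_sample_directory() -> VdcDirectory:
    # Constructed sample: two departments, each with its own VDC, administrator, and quota.
    d = VdcDirectory(system_admin="sysadmin")
    d.create_vdc("sysadmin", "ops", admin="alice", quota=Resources(16, 64, 500))
    d.create_vdc("sysadmin", "traffic", admin="bob", quota=Resources(8, 32, 200))
    d.add_user("alice", "ops", "carol")
    return d
```

The point of `_require_vdc_admin` is that every VDC-scoped operation checks ownership of the named VDC, not merely the caller's role; that is what keeps "bob", a legitimate administrator of the traffic VDC, out of the ops VDC.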

Figure 5-3 Objects related to a VDC

The current VPC does not support cross-data center deployment.


5.2.3 VPC Management Meets Network and Security Requirements of All Applications
A VPC provides isolated VMs and network environments to meet the network isolation requirements of different departments. Multiple networking modes are supported, such as direct network, routed network, and internal network.
Each VPC can provide independent virtual firewall, elastic IP address, virtual load balancer (vLB), security group, VXLAN, Internet Protocol Security virtual private network (IPsec VPN), and network address translation (NAT) gateway services. (Some of these functions are provided by VAS.)
The VPC also provides pay-per-use billing and traffic statistics as input to a metering system.

Figure 5-4 VPC network application scenario

Figure 5-5 VPC network topology

5.2.4 Application Lifecycle Management Simplifies Application Management
After resources are enabled, the service-centered automatic orchestration platform is provided
based on application lifecycle management. Orchestration is performed from the development
and modeling of an application to the monitoring and elastic scaling of the application,
implementing automatic resource management of a data center.


Figure 5-6 Application lifecycle management

Easy-to-use application templates can define SDN networks, VMs, and physical machines,
including the software and databases that are installed. Templates are associated with services.
An actual application can be generated by instantiating a template based on the environment,
such as the Oracle test environment and the ERP system+OA system small branch
environment.

Figure 5-7 Application template design


6 Computing Platform Solution

6.1 Virtualization Platform Design


This project uses Huawei cloud platform FusionSphere to abstract computing, storage, and
network resources into virtual resource pools, thereby implementing elastic service scaling
and rapid deployment.
Figure below shows the architecture of the Huawei cloud platform.

Figure 6-1 Huawei cloud platform architecture

Huawei FusionSphere is a cloud computing virtualization platform. It provides a new way of delivering computing resources as accessible and cost-effective services. The platform includes the following components:
 FusionCompute


FusionCompute is a cloud operating system (OS). It virtualizes computing, storage, and network resources, and implements centralized management and scheduling of the virtual resources through a unified interface.
The Virtual Service Appliance (VSA) node provides virtual firewalls, virtual load
balancers (LBs), and the Dynamic Host Configuration Protocol (DHCP) function. This
node is required only when users need advanced FusionManager network features.
 FusionManager
The FusionManager monitors and manages hardware and software of cloud computing.
It provides automatic resource provisioning and automatic operation and maintenance
(O&M) for the infrastructure. Additionally, it provides a web user interface (UI) to
administrators to operate and manage the resources in the system.
 FusionSphere SOI
FusionSphere System Operation Insight (SOI) collects and displays VM performance
indicators in the FusionSphere cloud system, models and analyzes the collected data,
makes predictions on future performance changes based on the collected data, and
provides suggestions on system performance management.
 eBackup
The VM backup scheme uses Huawei eBackup software together with the snapshot and Changed Block Tracking (CBT) backup functions of FusionCompute to back up VM data.
 UltraVR
UltraVR is disaster recovery (DR) management software. Using the asynchronous remote replication feature of the underlying storage system, FusionCloud UltraVR provides data protection and DR of critical data for Huawei virtual machines (VMs).

6.2 Resource Management and Monitoring


In the FusionSphere solution, Huawei-developed FusionManager manages resources in data
centers. FusionManager provides comprehensive resource pool management functions using
northbound APIs and offers hardware management functions using built-in hardware
management submodules.
Figure 6-2 shows the FusionManager position in the FusionSphere solution.


Figure 6-2 FusionManager position in the solution

FusionManager provides the following functions:


 External network management
Allows users to create, view, and delete external networks.
 Host management
Allows users to query and monitor hosts and view host performance information based on the
specified time period (by day or week).
 VM specifications management
Allows users to configure, query, and delete VM specifications and specify the VM startup
mode.
 Image management
Allows users to create, upload, delete, modify, and export images.
FusionManager supports a variety of image formats, including ISO, RAW, QCOW2, VMDK,
VHD, and AMI.
 Alarm management
− Displays all system alarms. An alarm is automatically cleared after the fault is
rectified.
− Allows users to manually clear alarms and export alarm information.
− Allows users to set different alarm severities, including critical, major, and minor.
− Allows users to mask alarms. The alarms that have been masked are no longer
reported.
− Allows alarms to be reported to third-party systems by email, short message, or the Simple Network Management Protocol (SNMP).
− Allows users to collect alarm statistics by multiple dimensions, such as the object,
time, and severity. The alarm statistics are helpful to alarm analysis, trend analysis,
fault analysis, and fault prevention.
 Performance monitoring
− Monitors performance of hosts and VMs.
− Monitors the CPU, memory, and storage usages of hosts and VMs.


 Report
− Provides real-time and historical monitoring reports of hosts and VMs.
− Allows users to query reports generated at specified periods of time, for example,
daily, weekly, or monthly reports.
Server monitoring information includes:
− Alarm statistics
− CPU usage
− Memory usage
− Inbound and outbound network traffic rates
− Disk I/O and disk usage
Storage device monitoring information includes:
− Alarm statistics
− Mounting status
− Total size
− Allocated size and available size
Network monitoring information includes:
− Inbound and outbound network traffic rates
− Port status
− Port traffic
VM monitoring information includes:
− VM status
− CPU usage
− Memory usage
− Inbound and outbound network traffic rates
− Disk I/O and disk usage
 Open APIs
FusionSphere provides open APIs for external systems to obtain alarm data.
− Alarm query interfaces (HTTP REST):
 Querying the alarm list and alarm status
 Querying alarm resources
− Alarm subscription interfaces (HTTP REST)
− Alarm reporting interfaces (SNMP)

6.3 Key Features


Computing Virtualization
Server Virtualization
The FusionSphere system uses the bare-metal architecture to virtualize server computing
resources. One server can be virtualized into multiple isolated virtual servers, thereby
improving server resource utilization and simplifying system management.


The FusionSphere system supports VM affinity rules, which place VMs on the same or on different servers according to configured rules, for example to keep cooperating VMs together or to separate active and standby VMs, improving reliability cost-effectively.
 Location Affinity
− Keep VMs together: VMs that are added to this rule must run on the same host. One
VM can be added to only one Keep VMs together rule.
− Mutually exclusive: VMs that are added to this rule must run on different hosts. One
VM can be added to only one Mutually exclusive rule.
− VMs to hosts: This rule associates a VM group with a host group so that VMs in the
VM group can be only deployed on and migrated to hosts in the host group.
 Capability Affinity: Non-uniform memory access (NUMA) nodes are introduced in
physical servers to improve the memory access efficiency of CPUs. The CPUs and
memory resources used by VMs (guests) are grouped into NUMA nodes based on the
memory access efficiencies of the CPUs. A CPU can achieve its maximum memory
access efficiency when accessing memory within its own NUMA node. When a VM is
created, FusionSphere preferably allocates CPU and memory resources required by this
VM on one NUMA node, thereby reducing memory access latency and improving
memory performance.
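The three location affinity rules above are constraints that the scheduler must hold both at placement time and before every live migration, and the text adds a second constraint on the rules themselves (a VM may sit in only one Keep-VMs-together rule and only one Mutually-exclusive rule). The following Python example is added here to show how such a checker works; it is not FusionSphere code, and the rule names, the sample VMs and hosts, and the function names are all constructed. Security-wise the interesting case is the Mutually exclusive rule: an active/standby pair that ends up on one host loses its fault isolation, so the checker refuses the migration rather than letting it happen.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AffinityRule:
    kind: str                                     # "together", "exclusive" or "vm_to_host"
    vms: Set[str]                                 # the VM group the rule applies to
    hosts: Set[str] = field(default_factory=set)  # target host group, vm_to_host only


def rule_membership_errors(rules: List[AffinityRule]) -> List[str]:
    """A VM may belong to at most one 'together' rule and at most one 'exclusive' rule."""
    seen = {"together": set(), "exclusive": set()}
    errors = []
    for rule in rules:
        if rule.kind in seen:
            clash = rule.vms & seen[rule.kind]
            if clash:
                errors.append(f"{sorted(clash)} already in another {rule.kind} rule")
            seen[rule.kind] |= rule.vms
    return errors


def placement_violations(placement: Dict[str, str], rules: List[AffinityRule]) -> List[str]:
    """Return one message per rule that the given VM -> host placement breaks."""
    violations = []
    for rule in rules:
        placed = {vm: placement[vm] for vm in rule.vms if vm in placement}
        hosts_used = set(placed.values())
        if rule.kind == "together" and len(hosts_used) > 1:
            violations.append(f"together {sorted(rule.vms)} spread over {sorted(hosts_used)}")
        elif rule.kind == "exclusive" and len(hosts_used) < len(placed):
            # Fewer distinct hosts than placed VMs means at least two share a host.
            violations.append(f"exclusive {sorted(rule.vms)} share a host")
        elif rule.kind == "vm_to_host":
            outside = {vm for vm, host in placed.items() if host not in rule.hosts}
            if outside:
                violations.append(f"{sorted(outside)} outside host group {sorted(rule.hosts)}")
    return violations


def migration_allowed(vm: str, target_host: str, placement: Dict[str, str],
                      rules: List[AffinityRule]) -> bool:
    """Dry-run a live migration: admit it only if the resulting placement is rule-clean."""
    trial = dict(placement)
    trial[vm] = target_host
    return not placement_violations(trial, rules)


# Constructed sample: an active/standby database pair that must never share a host,
# an application server kept with its cache, and a web tier pinned to DMZ hosts.
SAMPLE_RULES = [
    AffinityRule("exclusive", {"db-active", "db-standby"}),
    AffinityRule("together", {"app-1", "cache-1"}),
    AffinityRule("vm_to_host", {"web-1", "web-2"}, hosts={"dmz-host-a", "dmz-host-b"}),
]
SAMPLE_PLACEMENT = {
    "db-active": "host-1", "db-standby": "host-2",
    "app-1": "host-3", "cache-1": "host-3",
    "web-1": "dmz-host-a", "web-2": "dmz-host-b",
}

if __name__ == "__main__":
    print("violations:", placement_violations(SAMPLE_PLACEMENT, SAMPLE_RULES))
    print("move standby onto active's host:",
          migration_allowed("db-standby", "host-1", SAMPLE_PLACEMENT, SAMPLE_RULES))
```

The same dry-run check is what an HA restart should consult before restarting a failed VM on another host, since a restart is a placement change too.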
VM Resource Management
Users can create VMs using a VM template or in a custom way, and manage clustered
resources, including automatic resource scheduling, VM management (such as creating,
deleting, starting, stopping, restarting, hibernating, and waking up a VM), storage resource
management (such as common disk and shared disk management), and VM security
management.
The FusionSphere system also supports VM live migration and VM HA.
FusionSphere allows users to adjust the number of virtual CPUs (vCPUs), the memory size, and the NICs of a VM, and to attach and detach volumes.

Network Virtualization
The FusionSphere system supports the following features for network virtualization:
 Network bandwidth control, ensuring network QoS
 Distributed virtual switch (DVS)
 Single-root I/O virtualization (SR-IOV), improving network processing performance

Storage Virtualization
The FusionSphere system supports Huawei distributed storage software FusionStorage as well
as disk arrays, such as fibre channel storage area network (FC SAN) and IP SAN storage.

Virtual Data Center Management


FusionSphere provides various templates and specifications to facilitate service provisioning.
A private cloud is entirely isolated from all VMs that are not hosted by this private cloud. An
enterprise can apply for VPCs on the public cloud platform and use independent IP addresses
and subnets in its VPCs. Furthermore, the enterprise can use the access control list (ACL)
rules of physical firewalls to implement isolation between subnets in a VPC and between
subnets and external networks.


Users can apply for a security group based on VM security requirements and configure access
rules for the security group. After a VM is added to the security group, the VM is subject to
these rules. Security groups implement secure isolation and access control for VMs, thereby
improving VM security.
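The security group described above is an allowlist that follows the VM: a packet reaches the VM only if some rule of some group the VM belongs to matches it, and attaching a VM to a group is what puts it under those rules. The following Python example is added to show that evaluation, including the default-deny outcome for a VM that is in no group and a rule whose remote side is another security group rather than an address range; it is not FusionSphere code, and the rule fields, the group names, the VM addresses, and the allowlist semantics are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SgRule:
    direction: str                       # "ingress" or "egress"
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    ports: Optional[Tuple[int, int]]     # inclusive port range; None = all ports
    remote_cidr: Optional[str] = None    # remote address range, or ...
    remote_group: Optional[str] = None   # ... members of another security group


class SecurityGroupEngine:
    """Assumed semantics: a packet is permitted only if some rule of some group the VM
    belongs to matches it; with no matching rule it is dropped (default deny)."""

    def __init__(self) -> None:
        self.rules: Dict[str, List[SgRule]] = {}
        self.members: Dict[str, Set[str]] = {}   # group name -> VM names
        self.vm_ip: Dict[str, str] = {}

    def add_group(self, name: str, rules: List[SgRule]) -> None:
        self.rules[name] = list(rules)
        self.members.setdefault(name, set())

    def register_vm(self, vm: str, ip: str) -> None:
        self.vm_ip[vm] = ip

    def attach(self, vm: str, group: str) -> None:
        # From this point the VM is subject to the group's rules.
        self.members[group].add(vm)

    def _ip_in_group(self, ip: str, group: str) -> bool:
        return any(self.vm_ip.get(vm) == ip for vm in self.members.get(group, ()))

    def _matches(self, rule: SgRule, direction: str, protocol: str,
                 port: int, remote_ip: str) -> bool:
        if rule.direction != direction:
            return False
        if rule.protocol not in ("any", protocol):
            return False
        if rule.ports is not None and not (rule.ports[0] <= port <= rule.ports[1]):
            return False
        if rule.remote_cidr is not None and \
                ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.remote_cidr):
            return False
        if rule.remote_group is not None and not self._ip_in_group(remote_ip, rule.remote_group):
            return False
        return True

    def permits(self, vm: str, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
        groups = [g for g, vms in self.members.items() if vm in vms]
        return any(self._matches(r, direction, protocol, port, remote_ip)
                   for g in groups for r in self.rules[g])


def build_sample_engine() -> SecurityGroupEngine:
    # Constructed sample: the web tier accepts 443 from anywhere and SSH only from the
    # admin network; the database tier accepts 3306 only from members of web-sg.
    e = SecurityGroupEngine()
    e.add_group("web-sg", [
        SgRule("ingress", "tcp", (443, 443), remote_cidr="0.0.0.0/0"),
        SgRule("ingress", "tcp", (22, 22), remote_cidr="10.0.0.0/8"),
        SgRule("egress", "any", None, remote_cidr="0.0.0.0/0"),
    ])
    e.add_group("db-sg", [
        SgRule("ingress", "tcp", (3306, 3306), remote_group="web-sg"),
    ])
    for vm, ip in {"web-1": "10.1.0.5", "db-1": "10.1.1.9", "rogue-1": "10.1.0.6"}.items():
        e.register_vm(vm, ip)
    e.attach("web-1", "web-sg")
    e.attach("db-1", "db-sg")
    return e
```

Referencing a remote group instead of a CIDR is what keeps the database rule correct when web VMs are added, removed, or re-addressed: the allowed source set is resolved from group membership at evaluation time, so a VM on the same subnet that is not in web-sg is still refused.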
An elastic IP address allows users to use a fixed public IP address to access the VM to which
the public IP address is mapped.

Multi-Data-Center Management
If an enterprise or carrier has multiple data centers scattered in different regions, the
OpenStack cascading technology helps implement centralized management and maintenance
of multiple data centers.


7 Network Platform Solution

7.1 NDC2 Network Logical Architecture


Figure 7-1 shows the logical architecture of a data center. The logical architecture covers six
parts.

Figure 7-1 Logic architecture of a data center
(Figure: external parties, that is the campus network, enterprise branches, partners, external users, and the DR center, reach the data center over the enterprise intranet, a partner dedicated network, the Internet, and the DR center network. Numbered areas: 1 core network; 2 server areas, namely the production area, office area, test area, DMZ, and other areas; 3 storage area and backup area; 4 and 5 the external access and DR center networks, namely the intranet, partner network, Internet, and DR center network; 6 unified O&M platform.)

Numbers in the figure indicate areas in the data center.


 Core network area


The core network connects server areas, enterprise's intranet, partner's network, DR
center network, and access network for external users.
 Server area
Servers and application systems are deployed in this area. Based on different functions,
the network architecture can be divided into extranet area (including Internet access area
and enterprise remote access area), enterprise office network access area, and intranet
core area. The intranet core area includes network service area, service production area
(including high-security service production area and common service production area),
office automation (OA) area, operation management area, and development and test area.
 Storage area
This area houses fiber channel storage area network (FC SAN), IP storage area network
(IP SAN), and Fibre Channel over Ethernet (FCoE) devices.
 Network area
This area connects enterprise users and external users to the data center. Considering
security and scalability, the network is classified into the intranet, partner network, and
Internet based on user types.
The intranet connects to networks of the headquarters and branches through the campus
network and wide area network (WAN).
The partner network connects to networks of partners through metropolitan area
dedicated lines and wide area dedicated lines.
The Internet allows external users to access the data center and lets staff on business trips reach office systems.
Egress routers are connected to different carrier networks to improve Internet egress
reliability. For example, enterprises in mainland China will choose China Telecom or
China Unicom as Internet egress.
 DR center network area
This area connects the production center to DR centers. The production center connects
to the DR center in the same city through transmission devices, and connects to the DR
center in a different city through the dedicated WAN.
 O&M management area
This area is responsible for network, security, server, application system, and storage
management. In this area, fault management, configuration management, performance
management, security management, alarm management, and log management are
implemented.

7.2 NDC2 Network Physical Architecture


Figure 7-2 shows the physical architecture of a data center.


Figure 7-2 Physical architecture of a data center

(Diagram not reproduced in text.) The figure shows an external area with Internet and
MPLS VPN access and a DMZ (user portal, DNS, NTP, and DDoS traffic cleaning); a service
management area (ManageOne + iSoC); a background management area (KVM authentication,
IP KVM, and UMA server); a core area built on CSS core switches; network service areas;
aggregation switches; iStack access switches; UVP hosts serving traditional computing
resources and cloud computing resources; a storage aggregation network; and IP SAN and
FC SAN storage.

7.2.2 Network Layer Design


Data center convergence and virtualization place higher requirements on the network, such as
lower latency, higher throughput, and higher reliability. Therefore, the DC2 solution adopts
a two-layer network architecture (core layer and access layer) together with network
virtualization technology. The core switches implement both core-layer and aggregation-layer
switching. The core layer uses cluster switch system (CSS) technology to virtualize two core
switches into one, and the access layer uses stacking technology to virtualize two access
switches into one; in both cases the virtualized pair shares backplane performance and gains
switching capability.
The two-layer network uses virtual cluster and stacking technologies to address link loops
and spanning-tree convergence issues. The resulting tree topology improves link usage and
network reliability. The advantages of the two-layer network architecture are as follows:
• Simplified network structure and reduced O&M costs
The number of switches and links is reduced, lowering initial equipment purchase costs
and subsequent O&M costs.
• Improved network performance to better support traffic from high-performance servers
The number of network layers is reduced, so traffic traverses fewer switches than before.
This shortens delays and improves application performance.
• Improved network utilization to support dynamic allocation of cloud computing
resources
Bandwidth usage can be raised to 100% by using Eth-Trunk link aggregation. Computing and
storage resources can be dispatched on demand from the computing resource pool and storage
resource pool.
• Enhanced network reliability
Virtual cluster and stacking technologies eliminate latent reliability risks without the
need to run spanning-tree protocols. This reduces network failure convergence time and
improves network reliability.

7.2.3 Network Plane Design


Because virtualization is used, the cloud platform management system must exchange a large
amount of management and monitoring data with the computing and storage resources. VMs must
be attached to storage resources in storage pools, which requires a large amount of data to
be transmitted over the internal network, and VM service data must also be transmitted over
the internal network. Therefore, the internal network is divided into three isolated planes
so that these traffic types do not affect each other. This isolation ensures efficient data
exchange.
• Service plane
Traffic between users and the service application systems in the data center, and traffic
between internal cloud hosts, is transmitted over the service plane. The service plane is
divided into several service areas based on service requirements.
• Management plane
Management data and command operation data among the data center network, servers, storage
devices, and security devices, and the maintenance and monitoring data of the cloud
computing system, are transmitted over the management plane. The management plane and the
service plane are isolated by virtual local area networks (VLANs) and share the core switch.
• Storage plane
Storage traffic between the computing subsystem and the storage subsystem is transmitted
over the storage plane. The storage network is independent and isolated from the other
networks, which ensures QoS and storage security.

7.2.4 Network Functional Area Design


Functional areas include the external area, data center core area, and storage and backup area.
• External area
The external area provides connections between the data center and Internet service
provider (ISP) networks and provides high-speed Internet egress links.
The external area also enables customer branches and partners to access the data center
over a remote customer premises network that connects to the application information
systems hosted in the data center. For example, the WAN of a large enterprise accesses
the application office systems in the data center over routers in the extranet area.
• Demilitarized zone (DMZ) area
The DMZ is a public service area that provides network application services and web
services for the entire data center. The domain name system (DNS), Dynamic Host
Configuration Protocol (DHCP), Network Time Protocol (NTP), and web services are
deployed in this area.
• Service management area
Data center services are managed in this area. Self-service and operation services are
deployed here to support service application (subscription), unsubscription, and
automatic service provisioning.
• Background management area
The performance of data center devices, including storage devices, servers, network
devices, and security devices, is monitored in this area. This area also supports
out-of-band management: users can access the data center through the maintenance
channel in an emergency.
• Data center core area
The core area is the intranet of the data center. It consists of two layers (the core layer
and access layer) and three planes (the management, storage, and service planes). In
addition, the service plane is divided into multiple service functional areas.
• Network service area
The network service area provides intrusion prevention system (IPS)/intrusion detection
system (IDS) protection, load balancing, and network access control, using the firewalls,
load balancers (LBs), SSL VPN devices, and other security devices deployed in this area.

8 Storage Platform Solution

Storage Scenario Design


Based on the customer's needs (availability, performance, capacity, and cost), we can choose
different storage solutions: FC SAN, IP SAN, NAS, Server SAN, or a mix of these. The table
below compares FC SAN, NFS, and Server SAN.

FC SAN
• Transfer unit: block
• Transport: SCSI encapsulated in FC frames
• Host interface: HBA
• Link speed: up to 16 Gbps
• Primary security controls: zoning, LUN masking
• Typical application characteristics: high performance, security, and stability
• Typical applications: large database or cluster database

NFS
• Transfer unit: file
• Transport: file over TCP/IP
• Host interface: NIC
• Link speed: up to 10GbE
• Primary security controls: export permissions, IP security (ACLs)
• Typical application characteristics: unstructured data
• Typical applications: office documents, text, images, XML files, HTML files, all types of
reports, figures, video, and audio information

Server SAN
• Transfer unit: block
• Transport: SCSI encapsulated in TCP/IP
• Host interface: 10GbE, FDR IB
• Link speed: 10GbE, 56Gb
• Primary security controls: scalable DHT ring, VLAN isolation, strong consistency algorithm
• Typical application characteristics: high performance, high scalability
• Typical applications: cloud resource pool, development and test cloud, VDI, database
acceleration

8.1 Virtualization Platform Design (FusionStorage)


This project uses FusionStorage to abstract storage resources into virtual resource pools,
enabling elastic service scaling and rapid deployment.
FusionStorage is distributed block storage software designed specifically for the storage
infrastructure of cloud computing data centers. Like a virtual distributed SAN storage
system, it uses distributed technologies to organize the HDDs and SSDs of x86 servers into
large-scale storage resource pools and provides standard SCSI and iSCSI interfaces to
upper-layer applications and virtual machines.
FusionStorage applies to:
• Large-scale cloud computing data centers
FusionStorage organizes the disks of x86 servers into large-scale storage resource pools,
provides the standard block storage access interfaces SCSI and iSCSI, and supports a wide
range of hypervisors and applications such as SQL, web, and industry applications. In
addition, it integrates with a variety of cloud platforms such as Huawei FusionSphere,
VMware, and OpenStack, enabling on-demand resource allocation.
• Critical enterprise IT infrastructure
FusionStorage employs InfiniBand (IB) server interconnection, SSD cache, and SSD primary
storage, which significantly improve the performance and reliability of the storage system
while retaining the high scalability of distributed storage systems.
Figure 8-1 shows the system architecture of FusionStorage.

Figure 8-1 FusionStorage system architecture

Figure 8-2 shows the software architecture of FusionStorage.

Figure 8-2 FusionStorage software architecture

Legend: OSD: Object Storage Device; VBS: Virtual Block Store; MDC: Metadata Control.
Table 8-1 FusionStorage components

Component: Function
FusionStorage Manager: A management process of the FusionStorage system. It supports O&M
functions including alarm management, service monitoring, operation logging, and data
configuration. Two FusionStorage Managers are deployed on the FusionStorage in
active/standby mode.
FusionStorage Agent: A management agent process of the FusionStorage system. It is deployed
on each node or server and communicates with the FusionStorage Manager.
MDC: A service control process that controls the status of distributed clusters and the
data distribution and reconstruction rules. The MDC is deployed on three nodes to form an
MDC cluster.
VBS: A service input and output (I/O) process of the FusionStorage system. It manages
metadata and provides the access service that enables computing resources to connect to
distributed storage resources. A VBS process is deployed on each server to form a VBS
cluster.
OSD: A service I/O process that performs I/O operations. Multiple OSD processes can be
deployed on each server; each disk requires one OSD process.

8.2 Deployment Plan (FusionStorage)


FusionStorage supports open Linux Xen or KVM hypervisors, including the Huawei Xen- or
KVM-enhanced FusionSphere virtualization platform and non-Huawei virtualization platforms.
In the Xen or KVM virtualization scenario, FusionStorage supports both converged and
separated deployment of computing and storage nodes:
• In the computing and storage converged deployment, VMs and the storage software are
deployed on the same server.
• In the computing and storage separated deployment, VMs and the storage software are
deployed on separate servers.
In the converged deployment mode, VMs or application instances are deployed together with
the storage software on the same server in a cluster. Figure 8-3 shows the converged
deployment mode of the open Linux Xen or KVM hypervisor.

Figure 8-3 Converged deployment of an open system

The hypervisor in this figure can be Xen or KVM.

Resource Consumption
Table 8-2 lists the resources consumed by FusionStorage on a computing-storage converged
server in the Xen or KVM hypervisor.

Table 8-2 Resource consumption in converged deployment mode

Server type: KVM or Xen computing-storage converged server
Number of vCPUs (FusionStorage software): Typically, the FusionStorage software requires no
more than 6 vCPUs. Other software (such as Xen Domain 0) also consumes vCPU resources in
the Xen or KVM hypervisor. Therefore, 8 vCPUs are recommended.

Process: MDC
• Memory: 5 GB
• Storage: The MDC processes require at least 55 GB of space for storing control data. You
are advised to configure an independent hard disk for the MDC processes. In some special
cases, the MDC processes can share a disk with the OS, but they cannot be deployed
together with management nodes.

Process: VBS
• Memory: 4 GB in most cases; 6.5 GB in InfiniBand+SSD (primary storage) scenarios
• Storage: N/A

Process: OSD
• Memory: 2.5 GB when the hard disk space is 2 TB or less; 3.5 GB when the hard disk space
is greater than 2 TB but not more than 4 TB. In InfiniBand+SSD (primary storage)
scenarios, each OSD process uses 3.5 GB irrespective of the primary storage space.
• Storage: N/A

Total memory size required by FusionStorage = MDC process memory + VBS process memory +
OSD process memory x Number of OSD processes
The number of OSD processes is calculated with the following formulas:
• Number of OSD processes = Actual number of hard disks (if HDDs or SSDs are used)
• Number of OSD processes = Capacity of an SSD card / Size of the SSD fragmentation unit
(if SSD cards are used)
For example, if the capacity of an SSD card is 2.4 TB and the default size of the SSD
fragmentation unit in the configuration file is 400 GB, the number of OSD processes is 6
(2.4 TB/400 GB). If a server is equipped with two 2.4 TB SSD cards, 12 OSD processes
altogether run on this server.
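The sizing rules of Table 8-2 and the two formulas above, worked through as an added example (this is not Huawei code; capacities are handled in GB with 1 TB = 1000 GB so that 2.4 TB / 400 GB = 6 as on the page, and sizing an SSD-card OSD by its fragment capacity outside the IB+SSD scenario is an assumption of this example):

```python
"""Memory sizing for FusionStorage processes on a converged node.

Added example, not Huawei code. Rules taken from Table 8-2 and the formulas
above: MDC 5 GB; VBS 4 GB, or 6.5 GB with InfiniBand+SSD primary storage;
OSD 2.5 GB for a disk of 2 TB or less, 3.5 GB above 2 TB up to 4 TB, and
always 3.5 GB in IB+SSD scenarios; one OSD process per HDD/SSD and one per
SSD-card fragmentation unit. Assumption: an SSD-card OSD outside the IB+SSD
scenario is sized by its fragment capacity (the page gives no figure for it).
"""
from dataclasses import dataclass, field
from typing import List

MDC_MEM_GB = 5.0
VBS_MEM_GB = 4.0
VBS_MEM_GB_IB_SSD = 6.5
OSD_MEM_GB_SMALL = 2.5   # disk capacity <= 2 TB
OSD_MEM_GB_LARGE = 3.5   # 2 TB < disk capacity <= 4 TB, or IB+SSD primary storage
DISK_SMALL_LIMIT_GB = 2000
DISK_LARGE_LIMIT_GB = 4000


@dataclass
class Node:
    """One KVM or Xen computing-storage converged server (constructed input)."""
    disks_gb: List[int] = field(default_factory=list)      # HDD/SSD capacities
    ssd_cards_gb: List[int] = field(default_factory=list)  # SSD card capacities
    ssd_fragment_gb: int = 400    # default SSD fragmentation unit from the page
    ib_ssd_primary: bool = False  # InfiniBand + SSD primary storage scenario
    has_mdc: bool = True          # MDC runs on only three nodes of the cluster


def osd_processes_for_card(card_gb: int, fragment_gb: int) -> int:
    """Number of OSD processes = capacity of an SSD card / SSD fragmentation unit."""
    count, remainder = divmod(card_gb, fragment_gb)
    if remainder:
        raise ValueError(
            f"{card_gb} GB card is not a multiple of the {fragment_gb} GB fragment unit")
    return count


def osd_processes(node: Node) -> int:
    """One OSD per HDD/SSD plus one OSD per fragment of every SSD card."""
    from_disks = len(node.disks_gb)
    from_cards = sum(osd_processes_for_card(c, node.ssd_fragment_gb)
                     for c in node.ssd_cards_gb)
    return from_disks + from_cards


def osd_memory_gb(capacity_gb: int, ib_ssd_primary: bool) -> float:
    """Memory of one OSD process, by the capacity of the disk (or fragment) it serves."""
    if ib_ssd_primary:
        return OSD_MEM_GB_LARGE          # 3.5 GB irrespective of capacity
    if capacity_gb <= DISK_SMALL_LIMIT_GB:
        return OSD_MEM_GB_SMALL
    if capacity_gb <= DISK_LARGE_LIMIT_GB:
        return OSD_MEM_GB_LARGE
    raise ValueError(f"no sizing rule on the page for a {capacity_gb} GB disk")


def total_memory_gb(node: Node) -> float:
    """Total = MDC memory + VBS memory + OSD memory x number of OSD processes."""
    mdc = MDC_MEM_GB if node.has_mdc else 0.0
    vbs = VBS_MEM_GB_IB_SSD if node.ib_ssd_primary else VBS_MEM_GB
    osd = sum(osd_memory_gb(d, node.ib_ssd_primary) for d in node.disks_gb)
    for card_gb in node.ssd_cards_gb:
        count = osd_processes_for_card(card_gb, node.ssd_fragment_gb)
        osd += count * osd_memory_gb(node.ssd_fragment_gb, node.ib_ssd_primary)
    return mdc + vbs + osd


if __name__ == "__main__":
    # Constructed nodes: the page's server with two 2.4 TB SSD cards, and a 12-HDD server.
    ssd_node = Node(ssd_cards_gb=[2400, 2400], ib_ssd_primary=True)
    hdd_node = Node(disks_gb=[2000] * 12)
    for name, node in (("ssd_node", ssd_node), ("hdd_node", hdd_node)):
        print(f"{name}: {osd_processes(node)} OSD processes, "
              f"{total_memory_gb(node):.1f} GB reserved for FusionStorage")
```

The ValueError on a card that is not a whole multiple of the fragment unit is deliberate: the page's formula only yields a whole number of OSD processes in that case, so a plan that violates it should fail loudly rather than be rounded.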

8.3 Key Features (FusionStorage)


8.3.1 Linear and Flexible Scalability
FusionStorage employs a distributed hash table (DHT) architecture to distribute all metadata
onto all storage nodes according to the predefined rules, eliminating metadata bottlenecks
caused by cross-node metadata access. This architecture ensures that the FusionStorage
delivers higher linear scalability than traditional distributed file systems.
FusionStorage leverages innovative data block slicing technology and the DHT hash
algorithm to evenly distribute volume data to large resource pool failure domains, enabling
each volume to have better IOPS and MBPS performance and each hardware resource to
share even loads. In addition, multiple volumes share all the disks in a resource pool.
Resources can be flexibly allocated to each application as the load changes, preventing
unbalanced loads caused by traditional disk-based RAID groups.

8.3.2 High Performance


The lock-free I/O subsystem of FusionStorage eliminates distributed lock conflicts. In
addition, the distributed local metadata design eliminates lock operations and metadata
queries on I/O paths, shortening I/O paths and system latency. Distributed stateless engines
bring each node's capability into full play, significantly improving IOPS and MBPS
concurrency.
Distributed SSD cache technology combined with large-capacity SATA disks (serving as the
primary storage) gives the system SSD-level performance with SATA-level capacity.

8.3.3 Robust Reliability


FusionStorage supports a variety of data redundancy protection mechanisms, for example, a
piece of data can have two or even three data copies. In addition, according to preset data
reliability policies, it allows different data copies to be stored in different servers, cabinets, or
even equipment rooms to ensure data integrity and access even if a server, cabinet, or even
equipment room is faulty.
FusionStorage provides redundancy protection for valid data fragments. It can concurrently
rebuild valid data if a disk or server is faulty, and 1 TB data can be rebuilt within 30 minutes,
notably enhancing system reliability.

8.3.4 Rich Advanced Storage Functions


FusionStorage supports a variety of advanced storage functions, such as thin provisioning and
synchronous DR replication:
The thin provisioning function provides users with more virtual storage resources than
physical storage resources. Physical storage space is allocated to a volume only when data is
written into the volume.
The synchronous DR replication function allows data at a site to be synchronized to another
site through underlying storage. In this way, if a site is faulty, related applications or virtual
machines can be started at the other site to ensure data security.
Using the SCSI interface, FusionStorage supports the snapshot, snapshot backup, and linked
cloning functions.
The snapshot function saves the data on a logical volume at a certain point in time (the
snapshot point in time). The number of snapshots is unlimited, and taking snapshots does not
decrease system performance.
The snapshot backup function exports snapshot data at a certain point in time for backup, and
imports the snapshot data into the system for data recovery when a site is faulty.
The linked cloning function creates multiple clone volumes based on a snapshot, and data on
each clone volume is consistent with that of the snapshot. Subsequent data writes and reads on
a clone volume have no impact on the source snapshot and the other clone volumes.

8.3.5 Simplified O&M Management


FusionStorage provides redundancy protection for valid data based on data fragments. Unlike
traditional disk-based RAID groups, where a faulty disk must be replaced immediately by a
hot spare disk, FusionStorage allows corrupted data to be recovered as long as available
storage capacity exists in the resource pool. If a disk or server is faulty, it does not
need to be replaced immediately: data on the faulty disk or server can be reconstructed as
long as sufficient storage capacity is reserved.

8.3.6 Support for a Wide Range of Storage Media, Cache Media, and Networking Modes

FusionStorage supports a variety of storage media, such as SATA, NL-SAS, SAS, SSD cards,
and SSDs. All of these media can serve as the primary storage of FusionStorage.
FusionStorage supports a cache-disabled mode and a variety of cache media, such as NVDIMMs,
SSD cards, SSDs, and memory cache. NVDIMMs, SSD cards, and SSDs form battery-backed cache
and ensure zero data loss even if the system is unexpectedly powered off. The memory cache
is recommended only for test scenarios, because data stored in the memory cache will be
lost if the data center is powered off, after which FusionStorage must be configured again.
Although disabling the cache ensures zero data loss when a data center is faulty, I/Os then
write through to disks, decreasing performance by 70% to 90%.
FusionStorage supports storage server interconnection over a variety of networks, such as
IB and GE/10GE.

8.3.7 Compatibility with a Diversity of Hypervisors and Applications

FusionStorage supports standard SCSI and iSCSI interfaces and can integrate with a wide
range of hypervisors, such as Xen, KVM, VMware, and Hyper-V, as well as heterogeneous
virtualization platforms developed based on these hypervisors. In addition, it supports a
variety of applications, such as database applications including SQL Server, Oracle RAC,
DB2, and Sybase, enterprise IT applications, industry applications, and web applications.

8.3.8 Support for Server Authentication


FusionStorage can leverage server authentication to support servers of Huawei, HP, Dell, and
IBM. It can also implement new server authentication based on customer requirements. After
servers are authenticated, FusionStorage can run on the servers to organize their disks into
resource pools.
Easy-to-use application templates can define SDN networks, VMs, and physical machines,
including the software and databases that are installed. Templates are associated with
services. An actual application can be generated by instantiating a template based on the
environment, such as the Oracle test environment and the ERP system+OA system small branch
environment.

8.4 Storage Solution (SAN Storage Solution)


The SAN storage cloud computing resource pool is built with SAN storage devices, which use
dual controllers for back-end storage and provide centralized access and management.
HUAWEI OceanStor V3 converged storage systems (V3 converged storage systems) are
next-generation storage systems designed for enterprise-level applications. V3 converged
storage systems are built on a cloud-oriented architecture and have a powerful hardware
platform as well as rich intelligent management software. They deliver industry-leading
functions, performance, efficiency, reliability, and ease-of-use. Providing high data storage
performance for applications such as large-database Online Transaction Processing
(OLTP)/Online Analytical Processing (OLAP), file sharing, and cloud computing, they are
widely applied to industries such as government, finance, telecommunication, energy, and
media assets. Meanwhile, V3 converged storage systems provide a wide range of efficient and
flexible backup and disaster recovery solutions to ensure service continuity and data security
and deliver excellent storage services.
(FC-SAN HIGH RANGE)
The OceanStor 18500/18800 V3 is dedicated to setting a new benchmark for the high-end
enterprise storage field and providing the best data services for enterprises' mission-critical
businesses. With the industry-leading SmartMatrix 2.0 system architecture, HyperMetro
gateway-free active-active feature, flash-oriented convergence technology, next-generation
hardware platform, and a full range of efficiency improvement and data protection software,
the OceanStor 18500/18800 V3 delivers world-leading reliability, performance, and solutions
that meet the storage needs of various applications such as large-scale database OLTP/OLAP
and cloud computing. Applicable to sectors such as government, finance, telecommunications,
energy, transportation, and manufacturing, the OceanStor 18500/18800 V3 is the best choice
for mission-critical applications.
The following figure shows the storage network diagram.

(Diagram not reproduced in text.) Production center: Oracle, SQL, and CRM databases, the
application database, and application servers connected through the core switch and FC SAN
switch to a high-end production array. DR center: application VMs and application servers
connected through the core switch and FC SAN switch to a high-end DR array. The production
array and the DR array are linked by asynchronous remote replication.

The configuration is described as follows:


• Centralized storage of all critical service data
• Support for Fibre Channel and IP networks
• Intermixing of SSD, SAS, and SATA disks
• Advanced disk spin-down technology
• Snapshot and remote data replication
• Thin provisioning, dynamic storage tiering (DST), and cache partitioning

(IP SAN MIDDLE RANGE)


Figure 8-4 shows the networking diagram for constructing the cloud platform using the
server+SAN storage architecture.

Figure 8-4 Storage network plane diagram

(Diagram not reproduced in text.) Server 1 and Server 2 each carry VLANs 20, 30, 40, and 50
across their two storage NICs and connect to two LAN switches that form one Layer 2
network. Controller A and controller B in the controller enclosure each connect to VLANs
20, 30, 40, and 50.

Each server is equipped with two storage NICs that are not bonded. Each IP SAN storage
controller is equipped with eight NICs. Two NICs are on one network segment, so there are
four storage network segments. Each physical NIC on a server is assigned two IP addresses on
different network segments, so a server has IP addresses on four network segments, which
correspond to the four storage network segments on the IP SAN storage devices. The storage
plane therefore provides eight logical links (with multipathing configured) over four
physical links.
• The IP SAN device in a cabinet uses eight-path load balancing to ensure the reliability
and stability of storage services. Storage services are not interrupted even if any one
of the eight paths loses its connection.
• Controller A and controller B of the IP SAN device are connected to the two S57XX
switches in the cabinet through four GE optical interfaces in Layer 2 networking mode.
Each S57XX switch has two VLANs configured. Controller A and controller B use four IP
network segments to communicate with the four VLANs of the switches. The ports connected
to the IP SAN device allow traffic from two VLANs, that is, from two IP network segments.
• Multipathing software runs on each server to ensure load balancing efficiency and
reliability. Each server provides two network ports, and each network port is assigned
two VLAN IP addresses. Each of these VLAN IP addresses maps to a network segment of an
IP SAN controller.
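The path layout just described, modelled as an added example (not Huawei code) that enumerates the logical paths of one server, validates the addressing plan, and checks what survives a single NIC, controller, or port failure. All addresses and VLAN numbers are constructed, and the example assumes the controller enclosure exposes one port per storage segment on controller A and one on controller B, which yields the eight logical paths the text counts.

```python
"""Logical path enumeration for the IP SAN storage plane described above.

Added example, not Huawei code. It models the text's layout: each server has
two storage NICs, each NIC carries two IP addresses on different storage
network segments, and a server therefore reaches all four segments.
Assumption: one controller port per segment on controller A and one on
controller B (eight target ports), giving eight logical paths per server.
All addresses and VLAN numbers below are constructed.
"""
from ipaddress import ip_interface
from typing import Dict, List, Tuple

Path = Tuple[str, str, str, str]  # (server NIC, server IP, controller, controller port)

# Constructed plan for one server: NIC -> its two IP interfaces on different segments.
SERVER_IFACES: Dict[str, List[str]] = {
    "nic0": ["10.10.20.11/24", "10.10.30.11/24"],   # VLAN 20, VLAN 30
    "nic1": ["10.10.40.11/24", "10.10.50.11/24"],   # VLAN 40, VLAN 50
}

# Constructed plan for the controller enclosure: controller -> port -> IP interface.
CONTROLLER_PORTS: Dict[str, Dict[str, str]] = {
    "A": {"A-P0": "10.10.20.1/24", "A-P1": "10.10.30.1/24",
          "A-P2": "10.10.40.1/24", "A-P3": "10.10.50.1/24"},
    "B": {"B-P0": "10.10.20.2/24", "B-P1": "10.10.30.2/24",
          "B-P2": "10.10.40.2/24", "B-P3": "10.10.50.2/24"},
}


def logical_paths(server_ifaces: Dict[str, List[str]],
                  controller_ports: Dict[str, Dict[str, str]]) -> List[Path]:
    """A logical path exists for every server IP and controller port on the same
    network segment; with Layer 2 networking there is no routing between segments."""
    paths: List[Path] = []
    for nic, addrs in server_ifaces.items():
        for addr in addrs:
            segment = ip_interface(addr).network
            for ctrl, ports in controller_ports.items():
                for port, target in ports.items():
                    if ip_interface(target).network == segment:
                        paths.append((nic, addr, ctrl, port))
    return paths


def surviving_paths(paths: List[Path], failed_nics=(), failed_controllers=(),
                    failed_ports=()) -> List[Path]:
    """Paths that remain usable after the given components fail."""
    return [p for p in paths
            if p[0] not in failed_nics and p[2] not in failed_controllers
            and p[3] not in failed_ports]


def plan_issues(server_ifaces: Dict[str, List[str]],
                controller_ports: Dict[str, Dict[str, str]]) -> List[str]:
    """Validate the addressing plan: the two addresses of one NIC must be on
    different segments, and every server segment must have a port on every
    controller, otherwise a controller failover leaves that segment dark."""
    issues: List[str] = []
    served = {ctrl: {ip_interface(t).network for t in ports.values()}
              for ctrl, ports in controller_ports.items()}
    for nic, addrs in server_ifaces.items():
        segments = [ip_interface(a).network for a in addrs]
        if len(set(segments)) != len(segments):
            issues.append(f"{nic}: both addresses are on the same segment")
        for seg in segments:
            for ctrl, nets in served.items():
                if seg not in nets:
                    issues.append(f"{nic}: segment {seg} has no port on controller {ctrl}")
    return issues


if __name__ == "__main__":
    paths = logical_paths(SERVER_IFACES, CONTROLLER_PORTS)
    print(f"{len(paths)} logical paths; plan issues: "
          f"{plan_issues(SERVER_IFACES, CONTROLLER_PORTS) or 'none'}")
    for label, kwargs in (("one NIC down", {"failed_nics": {"nic0"}}),
                          ("controller A down", {"failed_controllers": {"A"}}),
                          ("one controller port down", {"failed_ports": {"A-P0"}})):
        print(f"{label}: {len(surviving_paths(paths, **kwargs))} paths remain")
```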

8.5 Specifications of SAN Storage


Models: 5300 V3 / 5500 V3 / 5600 V3 / 5800 V3 / 6800 V3 (where a value differs by model,
the values below are listed in this order)

Storage processor: multi-core processor set
Cache (upgradable): 32 GB to 256 GB / 48 GB to 512 GB / 64 GB to 512 GB / 64 GB to 1024 GB /
128 GB to 4096 GB
Max. number of controllers: 8 / 8 / 8 / 8 / 8
Supported protocols: Fibre Channel, FCoE, iSCSI, InfiniBand, NFS, CIFS, HTTP, and FTP
Front-end ports: 1 Gbit/s Ethernet, 10 Gbit/s FCoE, 10 Gbit/s TOE, 16 Gbit/s FC, and
56 Gbit/s InfiniBand
Back-end ports: SAS 3.0 (single port 4 x 12 Gbit/s)
Max. number of I/O modules (per controller): 2 / 2 / 8 / 8 / 6
Max. number of front-end host ports (per controller): 12 / 12 / 28 / 28 / 20
Max. number of disk slots: 500 / 750 / 1000 / 1250 / 3200
Disk type: SAS, SSD, and NL-SAS
RAID levels: 0, 1, 5, 6, 10, and 50
Max. number of snapshots (LUN): 256 / 1024 / 2048 / 2048 / 32768
Max. number of LUNs: 2048 / 4096 / 4096 / 8192 / 65536
Max. number of snapshots per file system: 2048
Max. capacity for each file system: 256 TB
SmartX series software: SmartThin (intelligent thin provisioning), SmartQoS (intelligent
service quality control), SmartTier (dynamic storage tiering), SmartMotion (intelligent
data migration), SmartPartition (intelligent cache partitioning), SmartCache (intelligent
SSD caching), SmartMulti-Tenant (multi-tenancy), SmartVirtualization (intelligent
heterogeneous virtualization), SmartMigration (LUN migration), SmartCompression (online
compression), SmartDedupe (online deduplication), SmartQuota (quota management), and
SmartErase (data destruction)
HyperX series software: HyperSnap (snapshot), HyperCopy (LUN copy), HyperClone (clone),
HyperReplication (remote replication), HyperLock (WORM), and HyperMirror (volume mirroring)
Host software: UltraPath (multipathing software) and ReplicationDirector (disaster recovery
management)

Virtual Environment Features
Supported virtual machines: VMware, Citrix, Hyper-V, and FusionSphere

Physical Features
Power supply: AC: 100 V to 127 V or 200 V to 240 V; DC: 192 V to 288 V (–48 V to –60 V DC
is also listed for part of the model range)
Dimensions (H x W x D): 2 U controller enclosure: 86.1 mm x 447 mm x 750 mm; 3 U controller
enclosure: 130.5 mm x 447 mm x 750 mm; 6 U controller enclosure: 263.9 mm x 447 mm x
750 mm; 2 U disk enclosure: 86.1 mm x 447 mm x 490 mm; 4 U disk enclosure: 175 mm x
447 mm x 490 mm; 4 U high-density disk enclosure: 175 mm x 447 mm x 790 mm
Weight: 2 U controller enclosure: ≤ 37 kg; 3 U controller enclosure: ≤ 50 kg; 6 U
controller enclosure: ≤ 95 kg; 2 U disk enclosure: ≤ 20 kg; 4 U disk enclosure: ≤ 40 kg;
4 U high-density disk enclosure: ≤ 91 kg
Environment temperature: 5°C to 40°C at an altitude below 1800 m; 5°C to 30°C at an
altitude between 1800 m and 3000 m
Environment humidity (relative humidity): 5% to 95%

8.6 Key Features (SAN Storage Solution)


8.6.1 Converged
• Convergence of SAN and NAS
Convergence of SAN and NAS storage allows elastic service development, simplifies
service deployment, improves storage resource utilization, and reduces TCO. With the
innovative parallel architecture of SAN and NAS storage, V3 converged storage systems
shorten access paths to storage resources and deliver the high performance of SAN
storage as well as the powerful file sharing of NAS storage.
• Convergence of heterogeneous systems
Thanks to SmartVirtualization, V3 converged storage systems can efficiently take over
mainstream storage arrays to create unified resource pools, so that resources are
allocated in a unified and flexible manner.
• Convergence of high-end, mid-range, and entry-level storage systems
V3 converged storage systems enable the convergence of high-end, mid-range, and
entry-level systems without any third-party system. This convergence allows data to
flow freely among devices of different models.

• Convergence of SSDs and HDDs
V3 converged storage systems are designed for SSDs and compatible with HDDs. The
parallel architecture makes full use of different storage media. By adjusting the media
proportions, the systems provide all-HDD, HDD+SSD, and all-SSD arrays to balance
performance and cost optimally.
• Convergence of primary storage and backup
The built-in backup function of V3 converged storage systems enables efficient data
backup without additional backup software. This function simplifies backup solution
management.

8.6.2 Intelligent
• Multi-tenancy and service levels
V3 converged storage systems allow storage resources to be intelligently allocated in
cloud computing environments based on customer requirements. Data isolation and a
variety of data security policies, such as data encryption and data destruction, are
employed to meet the data security requirements of different users. The systems provide
four service levels and allocate resources based on service priority: high-priority
services use resources first to ensure performance and response time.
• SmartX series software
Advanced technologies such as SmartTier, SmartMotion, and SmartVirtualization are
employed to achieve vertical, horizontal, and cross-system data movement. Resource
utilization can be improved threefold.
• HyperX series software
HyperX series software includes comprehensive data protection software such as remote
replication, snapshot, and LUN copy. It satisfies customers' local, remote, and
multi-site data protection requirements to ensure service continuity and data
availability.

8.6.3 Industry-Leading Hardware
 Leading performance and specifications
V3 converged storage systems are the first to adopt next-generation Intel multi-core Ivy Bridge processors. The systems support a variety of host ports, such as 16 Gbit/s Fibre Channel, 10 Gbit/s FCoE, and 56 Gbit/s InfiniBand. With the next-generation PCIe 3.0 bus and 12 Gbit/s SAS back-end interface, the systems provide up to 40 Gbit/s of bandwidth, which is sufficient for scenarios such as video and large-file workloads. The systems deliver IOPS in the millions and support up to eight controllers, 1 TB of cache, and 8 PB of storage capacity.
 Smart I/O cards
A single interface card supports 8 Gbit/s Fibre Channel, 16 Gbit/s Fibre Channel, 10
Gbit/s iSCSI, and 10 Gbit/s FCoE protocols.
 Smart data co-processing cards
Smart data co-processing cards offload lossless deduplication and compression, significantly reducing storage costs. They also support data encryption for data security.

8.6.4 Unified Storage Management Software
 Unified management
One software suite can manage multiple product models and provides powerful functions
such as global topology view, capacity analysis, performance analysis, fault diagnosis,
and end-to-end service visualization.
 Mobile management
Systems can be left unattended because users can manage them at any time from a tablet or smartphone, with status information pushed automatically.
 Easy management
A V3 series storage system can be initially configured in five steps within 40 seconds
and expanded in two steps within 15 seconds. See Figure 8-5.

Figure 8-5 Easy management

9 Infrastructure Solution

9.1 Computing Resource Planning
9.1.1 Server Requirements
Table 9-1 describes the planning for the servers to be reused based on the server
configuration.
Table 9-1 Server reuse planning

No. | Server Model | CPU Model | Memory (GB) | Number and Rate of Network Ports | Hard Disk Quantity, Capacity, and Type | Server Quantity | Reusable | Used As | Remarks
1 | RH2288H V2 | Intel E5620 | 48 | Four GE ports | Two 600 GB SAS hard disks | 20 | Yes | Computing nodes | -
- | - | - | - | - | - | - | No | Physical servers for deploying the XXX service system | Describe the reason why the server cannot be reused.

9.1.2 Server Selection
This project uses x86 servers to build the virtualization platform. Physical servers are
consolidated into computing resource pools, and services are migrated to the cloud platform.
Resources are shared on the cloud platform, thereby implementing dynamic resource
scheduling, maximizing resource utilization, and reducing the hardware investment and
maintenance cost. Database components can be deployed on physical servers.
Observe the following requirements when selecting servers in this project:
(Delete this sentence before delivering this document to the customer.) Select servers
based on the specific project.
 Use blade servers in this project. A blade server integrates network, management, power supply, and cooling facilities in a single chassis, allowing multiple servers to be deployed as one unit and simplifying network cabling for the project.
 Use four-socket servers (each blade server is equipped with four CPUs). Each server
must use the Intel Xeon E5-4620 CPUs and have at least 128 GB of memory. Large
memory is required because the servers are used to construct virtual resource pools.

9.1.3 Server Quantity Planning
Use SPECint2006 Rate for calculation. You can query the SPEC value from
http://www.spec.org/cgi-bin/osgresults?conf=rint2006.
To migrate existing application systems, calculate the number of required servers based
on the SPEC value. To add service systems, calculate the number of required servers
according to Performance Configuration Guide for the Server Consolidation Solution
v1.0.docx obtained at http://3ms.huawei.com/hi/group/8395/wiki_2558457.html.
The following introduces two calculation methods: a rough method that calculates the overall SPEC demand, and a more accurate method that converts the SPEC value into a number of vCPUs and then converts the number of vCPUs into a number of servers.
Method 1: Calculation based on the SPEC demand
The principle of this method is to sum the SPEC capacity actually consumed by the existing application systems to obtain the total computing demand, and to look up the SPEC value of the new servers. The number of servers is the total demand divided by the allocatable computing capability of one new server.
An example is provided as follows:
The average CPU usage of 107 Dell PowerEdge 2950 servers (8 GB memory and two E5420 CPUs, each with four cores at 2.50 GHz) is 20%. The SPEC value is 118, obtained at http://www.spec.org/cgi-bin/osgresults?conf=rint2006.
Application systems are to be migrated to RH5885 servers (each with four 8-core E7-4820 CPUs at 2 GHz). The SPEC value is 775.
Therefore, the server quantity is calculated according to the following formulas:
Computing capability requirement = ∑ (SPEC value of existing servers x CPU usage) x (1 + Redundancy factor) = 107 x 118 x 20% x (1 + 30%) = 3283

Generally, the redundancy factor is 10% to 20%, and 20% is recommended. This example uses 30%; with 20%, the requirement would be 3030.

Allocatable server computing capability = SPEC value x CPU usage x (1 – Number of hyperthreads used by the hypervisor/Total number of hyperthreads) = 775 x 70% x [1 – 2/(4 x 8 x 2)] = 525

The underlying hypervisor (UVP) consumes two hyperthreads. The target CPU usage is 50% to 70%.

Total number of servers = Roundup (Computing capability requirement/Allocatable server computing capability) = Roundup (3283/525) = Roundup (6.25) = 7 servers

When calculating the actual number of servers, take redundancy into consideration. You must reserve at
least one redundant server for each cluster to support the VM HA feature.

If 8 GB memory modules are used, the number of memory modules per server is calculated as follows:
Number of memory modules of a server = Roundup [(Total memory size/Number of servers + 8 GB)/8 GB] = Roundup [(987 GB/7 servers + 8 GB for virtualization overhead)/8 GB] = 19 memory modules

It is recommended to configure an even number of memory modules. Ensure that memory usage does not exceed 80%.

Method 2: Calculating the number of vCPUs based on the SPEC value
The number of VM vCPUs and the VM memory size determine the number of servers. Because current servers support 16 GB and 32 GB memory modules, memory is usually not the limiting factor, so the calculation is driven by the number of vCPUs.
An example is provided as follows, using the same source and target servers as in Method 1: 107 Dell PowerEdge 2950 servers (8 GB memory, two 4-core E5420 CPUs at 2.50 GHz) with an average CPU usage of 20% and a SPEC value of 118, migrated to RH5885 servers (four 8-core E7-4820 CPUs at 2 GHz) with a SPEC value of 775.
Therefore, the computing capability of a single vCPU on the target server is calculated according to the following formulas:
Computing capability of a single server vCPU = SPEC CINT2006 rate value x CPU usage/(Number of CPUs x Number of cores x 2 – Number of logical cores consumed by virtualization) = 775 x 70%/(4 x 8 x 2 – 2) = 8.75
Number of vCPUs required per VM = Roundup (118 x 20%/8.75) = Roundup (2.7) = 3
Required memory size per VM: 8 GB
VM resources:
Total number of VMs: 107
Total number of vCPUs: 107 x 3 = 321
Total VM memory size: 107 x 8 GB = 856 GB
Server quantity calculation:
To ensure VM reliability on the cloud platform and enable smooth VM migration when a server fails, reserve 20% (configurable based on the specific project) of the CPU and memory resources on the computing servers during system deployment.
Based on the preceding principles, the computing resources required by the system are calculated as follows:
Number of vCPUs: Roundup (321 x 120%) = 386
Memory size: Roundup (856 GB x 120%) = 1028 GB
Based on the server model (four 8-core CPUs) and the 20% redundancy requirement, the number of required servers is calculated as follows:
Number of servers = Roundup [Number of vCPUs/(Number of CPUs x Number of CPU cores x 2 – 2)] = Roundup [386/(4 x 8 x 2 – 2)] = Roundup (6.2) = 7
If 8 GB memory modules are used, the number of memory modules per server is calculated as follows:
Number of memory modules of a server = Roundup [(Total memory size/Number of servers + 8 GB)/8 GB] = Roundup [(1028 GB/7 servers + 8 GB for virtualization overhead)/8 GB] = 20 memory modules
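The two sizing methods above, as an added worked example that is not part of the original proposal. The functions implement the formulas exactly as written (two hyperthreads per core, two hyperthreads reserved for the hypervisor, Roundup as math.ceil) and are parameterized so that another project's server counts, SPEC values, or redundancy factor can be substituted; the default inputs are the proposal's own figures (107 PowerEdge 2950 servers, SPEC 118 at 20% usage; RH5885 targets with four 8-core CPUs, SPEC 775 at 70% usage; 987 GB total memory for Method 1). The extra HA spare server is reported separately because the text asks for at least one per cluster on top of the computed count.

```python
"""Server-sizing calculator for the two SPEC-based methods in section 9.1.3.

Added example, not part of the original proposal. Default inputs are the
proposal's worked figures; everything else is parameterized.
"""
import math


def method1_spec_demand(n_existing, spec_existing, cpu_usage_existing,
                        spec_target, cpu_usage_target, sockets, cores_per_socket,
                        hypervisor_threads=2, redundancy=0.30,
                        total_memory_gb=987, module_gb=8, hypervisor_memory_gb=8):
    """Method 1: total SPEC demand divided by allocatable SPEC per target server."""
    # Sum of consumed SPEC capacity, inflated by the redundancy factor.
    demand = n_existing * spec_existing * cpu_usage_existing * (1 + redundancy)
    total_threads = sockets * cores_per_socket * 2          # two hyperthreads per core
    # Capacity one new server can hand out after the hypervisor takes its threads.
    allocatable = spec_target * cpu_usage_target * (1 - hypervisor_threads / total_threads)
    servers = math.ceil(demand / allocatable)
    # Memory modules: per-server share of VM memory plus hypervisor overhead, rounded up.
    modules = math.ceil((total_memory_gb / servers + hypervisor_memory_gb) / module_gb)
    return {
        "demand": demand,
        "allocatable_per_server": allocatable,
        "servers": servers,
        "servers_with_ha_spare": servers + 1,   # at least one redundant server per cluster
        "memory_modules_per_server": modules,
    }


def method2_vcpu(n_vms, spec_existing, cpu_usage_existing,
                 spec_target, cpu_usage_target, sockets, cores_per_socket,
                 memory_per_vm_gb=8, hypervisor_threads=2, reserve=0.20,
                 module_gb=8, hypervisor_memory_gb=8):
    """Method 2: SPEC value converted to vCPUs per VM, then vCPUs to servers."""
    logical_cores = sockets * cores_per_socket * 2 - hypervisor_threads
    spec_per_vcpu = spec_target * cpu_usage_target / logical_cores
    # Each migrated server becomes one VM; size its vCPUs from the SPEC it consumed.
    vcpus_per_vm = math.ceil(spec_existing * cpu_usage_existing / spec_per_vcpu)
    total_vcpus = math.ceil(n_vms * vcpus_per_vm * (1 + reserve))
    total_memory = math.ceil(n_vms * memory_per_vm_gb * (1 + reserve))
    servers = math.ceil(total_vcpus / logical_cores)
    modules = math.ceil((total_memory / servers + hypervisor_memory_gb) / module_gb)
    return {
        "spec_per_vcpu": round(spec_per_vcpu, 2),
        "vcpus_per_vm": vcpus_per_vm,
        "total_vcpus": total_vcpus,
        "total_memory_gb": total_memory,
        "servers": servers,
        "servers_with_ha_spare": servers + 1,
        "memory_modules_per_server": modules,
    }


# The proposal's example inputs (source PowerEdge 2950, target RH5885).
PROPOSAL_EXAMPLE = dict(spec_existing=118, cpu_usage_existing=0.20,
                        spec_target=775, cpu_usage_target=0.70,
                        sockets=4, cores_per_socket=8)

if __name__ == "__main__":
    print("Method 1:", method1_spec_demand(107, **PROPOSAL_EXAMPLE))
    print("Method 2:", method2_vcpu(107, **PROPOSAL_EXAMPLE))
    print("Method 1 at 20% redundancy:",
          method1_spec_demand(107, redundancy=0.20, **PROPOSAL_EXAMPLE)["servers"])
```

Running the block reproduces the figures in the text (7 servers, 19 and 20 memory modules). The third line shows that Method 1 drops to 6 servers at 20% redundancy, so record the factor actually used alongside the count in the delivered proposal.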
Table 9-2 lists the number of required servers.

Table 9-2 Number of servers

No. | Server | Quantity | Remarks
1 | RH2288H V2 | 4 | XXX
2 | XXX | XXX | XXX
9.2 Network Resource Planning
9.2.1 Switch Requirements
//(Delete this sentence before delivering this document to the customer.) Describe the switches to be reused based on the specific project, including the switch model, port type and rate, port quantity, and whether each switch can be reused.

9.2.2 Switch Selection
//(Delete this sentence before delivering this document to the customer.) Select switch models based on the specific project.

9.2.3 Switch Quantity Planning
//(Delete this sentence before delivering this document to the customer.) Plan the number of switches based on the specific project.

9.3 Storage Resource Planning
9.3.1 Storage Requirements
//(Delete this sentence before delivering this document to the customer.) Plan storage capacity
based on the specific project.
This project requires XXX TB storage capacity for services and XXX TB capacity for data
disaster recovery (DR).

9.3.2 Storage Selection
//(Delete this sentence before delivering this document to the customer.) Select FusionStorage
or disk arrays based on the specific project.

Distributed Storage (Recommended)
//(Delete this sentence before delivering this document to the customer.) If storage arrays are
used, delete this section.
FusionStorage is a distributed storage software product developed and owned by Huawei. It uses an innovative architecture and design and features high performance, reliability, and cost-effectiveness. It tightly integrates storage and computing resources and offers consistent and predictable performance, scalability, flexibility, and self-healing. FusionStorage uses distributed cluster control and hash-based routing to provide distributed storage.
Figure 9-1 shows the functions provided by the FusionStorage architecture.
Figure 9-1 FusionStorage architecture

Storage interface layer: provides volumes to operating systems (OSs) and databases over the Small Computer System Interface (SCSI).
Storage service layer: provides advanced storage features, such as snapshots, linked cloning, thin provisioning, distributed cache, and backup and DR.
Storage engine layer: provides the basic storage functions, including cluster state management, distributed data routing, strongly consistent replication, cluster self-healing, and parallel data rebuilding.
Storage management layer: provides O&M functions, including software installation, automatic configuration, online upgrade, alarm reporting, monitoring, and logging, and a portal for user operations.
The Huawei distributed cloud data center solution uses FusionStorage. FusionStorage employs a new-generation distributed storage architecture and parallel, distributed grid storage technologies. The horizontally scalable architecture and the distributed multi-node grid implement storage load balancing, and fine-grained data distribution algorithms keep data evenly distributed at all times. This improves system reliability, availability, and data storage and retrieval efficiency, and the capacity of FusionStorage can be expanded easily. Simply put, FusionStorage is deployed on common servers and consolidates the local disks of all servers into a virtual storage resource pool. Volumes are fragmented and distributed across all hard disks of the resource pool, providing fine-grained, highly concurrent data storage and retrieval.
Figure 9-2 shows the principles of the FusionStorage distributed storage resource pool.
Figure 9-2 Principles of the FusionStorage distributed storage resource pool

FusionStorage has the following characteristics:
 Advanced distributed architecture
FusionStorage uses a distributed architecture that features the distributed management
clusters, distributed hash routing algorithm, distributed and stateless engines, and distributed
intelligent cache. This architecture can effectively prevent SPOFs in the entire storage system.
 High performance and high reliability
FusionStorage balances load across all disks and stores data in a distributed manner, preventing hotspots in the system. The efficient routing algorithm and distributed cache mechanisms ensure high performance. FusionStorage stores multiple identical copies of each piece of data on different servers or disks, so the failure of a single hardware component does not interrupt services. Furthermore, FusionStorage uses strongly consistent replication to keep the data copies consistent with each other.
 High IOPS and low latency: FusionStorage uses large-capacity cache technology to
improve IOPS.
Volumes are fragmented and distributed to all disks in the resource pool, increasing the stripe
width. Compared with the traditional RAID, a single volume using virtualized RAID delivers
significantly improved performance.
FusionStorage provides balanced access, eliminating hotspots. The resource usages of all
nodes in the resource pool are the same.
Fixed RAID arrays do not need to be preset. The virtual storage resource pool adapts to the
dynamic changes of application loads.
Application programs access data from the storage system through the cache, which shortens
the latency.
 Easy expansibility and ultra-large capacity: The distributed system eliminates
performance bottlenecks and facilitates capacity expansion.
Capacity expansion: Distributed engines (each server acts as an engine) eliminate
performance bottlenecks and facilitate capacity expansion.
Non-stovepipe expansion: FusionStorage supports simultaneous storage and computing
capacity expansion.
Plug-and-play capacity expansion: After resources are added, the system automatically
balances loads among all servers, achieving smooth capacity expansion.
 Easy management: The simple FusionStorage structure simplifies management.
No configuration and management at low layers: FusionStorage is integrated in Huawei
virtualization solutions, and therefore only the application-layer management is required.
Zero performance management cost: FusionStorage implements automatic load balancing and
fault recovery. Manual performance optimization is not required.
 Rapid data rebuilding: FusionStorage implements rapid parallel data rebuilding.
Data is distributed to different servers or different cabinets so that data can be obtained even if
a server or cabinet is faulty.
Data is fragmented in the resource pool. If a hard disk is faulty, FusionStorage automatically
rebuilds these data fragments by simultaneously restoring data copies in the resource pool,
without requiring hot spare disks.
 Deep integration of computing and storage resources
FusionStorage is deployed on servers that have local hard disks attached to virtualize all the
local disks on the servers into a virtual resource pool. This resource pool integrates computing
and storage resources of the servers and can function like an external storage device of the
servers.

Storage Arrays
//(Delete this sentence before delivering this document to the customer.) If FusionStorage is
used, delete this section.
Storage arrays consist of IP SAN and FC SAN arrays. FC SAN is a closed, lossless network with credit-based flow control and therefore transfers data more efficiently than IP SAN. This project uses FC SAN storage to ensure high storage performance and reliability.
SAS, SATA, and NL-SAS disks are the three mainstream disk types in the industry. SAS disks are typically recommended for carrying services.
RAID 5, RAID 6, and RAID 10 are the commonly used RAID levels. Among them, RAID 5 is typically used for service systems, whereas RAID 10 is typically used for databases.
Table 9-3 describes the example storage planning for this project.

Table 9-3 Storage planning

System | Storage Array | Hard Disk | RAID Level
Service system | High-end FC SAN storage | 900 GB SAS disks at 10,000 RPM | RAID 5 (for service systems) and RAID 10 (for databases)
XXX | XXX | XXX | XXX
9.3.3 Storage Capacity Planning
Plan storage performance and capacity properly so that the storage meets service requirements for the next three to five years.

Distributed Storage (Recommended)
//(Delete this sentence before delivering this document to the customer.) If storage arrays are
used, delete this section.
This project requires XXX storage nodes.
Table 9-4 lists the key configuration of each storage node.

Table 9-4 Key configuration of each storage node

Item Specifications
Subrack RH2288H V2 subrack (with 14 hard disks configured)
Memory 18 x 32 GB
NIC Four 10GE optical interfaces
SSD card 400 GB
CPU Two Xeon® E5-2690 V2 CPUs
Hard disk Twelve 3.5-inch 2 TB SATA hard disks and two 2.5-inch 600 GB
SAS hard disks

Each storage node has 14 hard disks. The two 2.5-inch 600 GB SAS disks form a RAID 1 group for the virtualization software, and the remaining 12 disks are virtualized by FusionStorage to provide virtual disks for service VMs.

Storage Arrays
Table 9-5 describes the example configuration of storage arrays.

Table 9-5 Storage array configuration

Storage Array Quantity Remarks

S5300 V3 4 XXX
XXX XXX XXX
10 Security Solution

10.1 Security Architecture
The data center security solution must be designed from an enterprise-wide perspective, and the enterprise security infrastructure must meet the overall information security requirements. Trends in enterprise information security show that enterprises attach great importance to security compliance, security management, application and data security, cloud computing security, borderless enterprise network security, security products, and service qualification. Figure 10-1 shows the development trend of enterprise information security.

Figure 10-1 Development trend of enterprise information security

Based on the preceding development trend and best practice of the industry and Huawei, the
data center security architecture, as shown in Figure 10-2, is defined. This architecture is
considered in the process of designing the data center solution.
Figure 10-2 Data center security architecture

This architecture consists of nine security sub-modules: security service, physical facility
security, network security, application security, host security, virtualization security, data
protection, user management, and security management. Each security sub-module integrates
systems, devices, and tools, and provides security control from the technical perspective.
Huawei provides security consulting, security integration, and professional security services
to support the implementation and running of the data center security architecture.
 The security consulting service helps design and construct security management systems.
 The security integration service helps build various types of security infrastructure.
 The professional security service provides security risk assessment and conformity
auditing that are required in security management activities.
Based on best-practice planning principles for enterprise information security and the overall data center architecture, this document describes security sub-modules that fit the design of most data centers. The following sections describe the security design from the perspectives of physical facility security, network security, host security, virtualization security, and data security.

10.2 Physical Facility Security Design


Table 10-1 lists the physical security requirements for the data center based on GB/T 22080 Information Technology - Security Techniques - Information Security Management Systems - Requirements (equivalent to ISO/IEC 27001:2005) and GB/T 22239 Information Security Technology - Baseline for Classified Protection of Information Systems.
Table 10-1 Physical security requirements

GB/T 22080 control | Technical requirement | GB/T 22239 requirement (Physical Security)

A.9 Physical and Environmental Security
A.9.1 Secure Areas. Purpose: To prevent unauthorized physical access, damage, and interference to the area.
A.9.1.1 Physical Security Perimeter | Security perimeters, such as walls, card-controlled entrances, or attended reception desks, must be used to protect areas containing information and information processing facilities. | 2. Physical Access Control
A.9.1.2 Physical Entry Controls | Secure areas must be protected by entry controls so that only authorized personnel can access them. | 2. Physical Access Control
A.9.1.3 Securing Offices, Rooms, and Facilities | Physical security measures must be designed and applied to offices, rooms, and facilities. | -
A.9.1.4 Protecting Against External and Environmental Threats | Physical security measures must be designed and applied to protect against fire, flooding, earthquake, explosion, civil unrest, and other natural or man-made disasters. | 1. Physical Location Security; 4. Lightning Protection; 5. Fire Protection; 6. Water and Moisture Protection
A.9.1.5 Working in Secure Areas | Physical protection and guidelines applicable to working in secure areas must be designed and applied. | -
A.9.1.6 Public Access and Cross-Connection Areas | Access points (such as the cross-connection area) and other points where unauthorized persons may enter must be controlled and, if possible, isolated from information processing facilities to prevent unauthorized access. | 2. Physical Access Control

A.9.2 Equipment Security. Purpose: To prevent loss, damage, theft, or compromise of assets and interruption of activities.
A.9.2.1 Equipment Siting and Protection | Equipment must be sited and protected to reduce the risks from environmental threats and hazards and the opportunities for unauthorized access. | 3. Protection Against Theft and Damage; 7. ESD Protection
A.9.2.2 Supporting Utilities | Equipment must be protected against power failures and other disruptions caused by failures in supporting utilities. | 8. Temperature and Humidity Control; 9. Power Supply
A.9.2.3 Cabling Security | Power and telecommunications cabling must be protected against interception (eavesdropping) and damage. | 3. Protection Against Theft and Damage; 10. Electromagnetic Protection
A.9.2.4 Equipment Maintenance | Equipment must be correctly maintained to ensure its continued availability and integrity. | -
A.9.2.5 Security of Equipment Off-Premises | Security measures must be applied to equipment used outside the secure area. | -
A.9.2.6 Secure Disposal or Reuse of Equipment | All items of equipment containing storage media must be checked to ensure that sensitive data and licensed software have been removed or securely overwritten before disposal or reuse. | -
A.9.2.7 Removal of Property | Equipment, information, or software must not be taken off-site without prior authorization. | -

When designing the physical security infrastructure of the data center, the physical security requirements for the highest security grade of information system in the enterprise must be combined with the control requirements specified in ISO/IEC 27001:2005 to produce a complete set of physical security requirements.

10.3 Network Security Design
Network security design consists of dividing the network into security zones and designing the network security infrastructure. With a proper zoning method, network functional areas are allocated to different security zones. The network security infrastructure then implements isolation and access control between security zones using firewalls, intrusion prevention systems (IPS), anti-DDoS devices, and VPNs.
10.3.1 Division of Security Zones
The security zone is a logical range or region. The information assets in the same security
zone share the same or similar security attributes, such as the same security levels, security
threats, security vulnerabilities, and security risks. The systems in the same security zone are
mutually trusted. Defining and classifying security zone levels are the foundation of security
control design and deployment.
The security zone can be designed by referring to the security zone model shown in Figure
10-3.

Figure 10-3 Security zone model

The network of the data center can be classified into four security zones: public zone,
transitional zone, restricted zone, and core zone.

Table 10-2 Security zone description

Type | Description

Public zone | The public zone is where the data center connects to external public networks. Its security entities include the enterprise's Internet access devices. Because the public zone connects to entities and zones outside the enterprise's control, such as user and circuit resources on the Internet, it is defined as a non-secure zone with a high risk level. Data streams from this zone must be strictly controlled.
Transitional zone | The transitional zone lies between the public zone and the restricted and core zones. It isolates the public zone from the restricted and core zones and hides their resources. External data streams terminate in the transitional zone and do not reach the restricted or core zones directly.
 Its security entities include all systems and devices that may be accessed by, or provide services to, unauthorized parties.
 These are the systems and devices that provide services externally, including web servers, DNS servers, application front-end servers, application gateways, and communication front-end processors.
The transitional zone is a semi-trusted zone and is exposed to attacks. Do not store secret data in this zone.
Restricted zone | The restricted zone has a high security level. Its security entities include internal terminals, such as service and office terminals. Non-core OA areas and development and test server areas can also be defined as restricted zones.
The restricted zone is a trusted zone. In principle, a server in the transitional zone acts as the gateway or proxy for data streams between the public zone and the restricted zone, so that no data stream flows directly between the two. Where application constraints require direct access between the public zone and the restricted zone, that data stream must be placed under strict security control.
Core zone | The core zone has the highest security level. Key application servers, core database servers, management consoles, and management servers are deployed in the core zone. The key application servers provide critical service applications, the database servers store secret data, and the management consoles and management servers hold the permissions and functions to manage all systems. Therefore, the core zone must be protected with the most comprehensive security technology, and access to and operation of its systems and devices must be strictly controlled according to the security management procedure.
The core zone is a trusted zone. In principle, a server in the transitional zone acts as the gateway or proxy for data streams between the public zone and the core zone, so that no data stream flows directly between the two. Where application constraints require direct access between the public zone and the core zone, that data stream must be placed under strict security control. In addition, access between the restricted zone and the core zone must also be strictly controlled to ensure strong security.
[Keep the preceding security zone model and description as they are. The security zone of the
data center can be designed based on the model and actual situations.]
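The zone rules in Table 10-2, as an added example that is not part of the original proposal: a small policy checker that encodes the table's access principles (same-zone traffic is trusted; public-to-transitional, transitional-to-internal, and restricted-to-core traffic is permitted only under firewall control; direct public-to-restricted or public-to-core traffic is denied unless explicitly justified, in which case it is flagged for strict control) and audits a constructed list of proposed firewall rules against them. The rule names, the rule fields, and the SAMPLE_RULES list are constructed for illustration and do not come from the proposal.

```python
"""Zone-to-zone access check for the four-zone model in Table 10-2.

Added example, not part of the original proposal. Rule format and sample
rules are hypothetical; the zone rules follow the table's text.
"""

ZONES = ("public", "transitional", "restricted", "core")

# Verdicts, from least to most restrictive.
ALLOW = "allow"                      # same zone: systems are mutually trusted
CONTROLLED = "controlled"            # permitted only through a firewall policy
EXCEPTION = "controlled-exception"   # direct public<->internal flow with documented justification
DENY = "deny"                        # direct public<->internal flow without justification


def evaluate_flow(src, dst, justified=False):
    """Return the verdict for a flow from zone `src` to zone `dst`.

    `justified` marks a flow whose application constraints force direct
    public-to-internal access; the table permits it only under strict control.
    """
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} or {dst!r}")
    if src == dst:
        return ALLOW
    touches_public = "public" in (src, dst)
    touches_internal = bool({src, dst} & {"restricted", "core"})
    if touches_public and touches_internal:
        # A transitional-zone gateway or proxy should carry this traffic;
        # a direct flow is the exception and needs explicit justification.
        return EXCEPTION if justified else DENY
    # public<->transitional, transitional<->internal, restricted<->core:
    # permitted, but always behind an explicit firewall policy.
    return CONTROLLED


def audit_rules(rules):
    """Evaluate each proposed rule; return (name, verdict) for those that violate the model."""
    findings = []
    for rule in rules:
        verdict = evaluate_flow(rule["src_zone"], rule["dst_zone"],
                                rule.get("justified", False))
        if verdict == DENY:
            findings.append((rule["name"], verdict))
    return findings


# Constructed sample of proposed firewall rules (hypothetical, not from the proposal).
SAMPLE_RULES = [
    {"name": "inet-to-web-dmz", "src_zone": "public", "dst_zone": "transitional", "port": 443},
    {"name": "web-dmz-to-app", "src_zone": "transitional", "dst_zone": "core", "port": 8443},
    {"name": "office-to-app", "src_zone": "restricted", "dst_zone": "core", "port": 8443},
    {"name": "inet-to-db-direct", "src_zone": "public", "dst_zone": "core", "port": 1521},
    {"name": "vendor-ssh-direct", "src_zone": "public", "dst_zone": "restricted", "port": 22,
     "justified": True},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["name"], "->",
              evaluate_flow(rule["src_zone"], rule["dst_zone"], rule.get("justified", False)))
    print("violations:", audit_rules(SAMPLE_RULES))
```

Run this over the proposed rule set before a change window: a "deny" finding means the flow needs either a proxy in the DMZ or a documented exception with compensating controls before it is implemented, and every "controlled" flow still needs an explicit firewall policy rather than an any-any rule between the zones.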
Security sub-domains are defined in each zone. Figure 10-4 shows the data center security
zone.

Figure 10-4 Data center security zones

The public zone is the Internet security zone. The access devices in the Internet access area of the data center network, which connect to the Internet, belong to the public zone.
The transitional zone is the Internet demilitarized zone (DMZ). The DMZ in the Internet access area, where externally facing servers are deployed, belongs to the transitional zone.
The restricted zone includes three security sub-domains: the remote access, office network access, and development and testing areas.
 The remote access area contains the network devices that connect the production data center to partners, branches, and DR data centers.
 The office network access area contains the network devices that connect the production data center to the enterprise office network.
 The development and testing area contains all types of devices used for development and testing. Multiple security zone instances can be defined in this area to isolate development from testing or to support multiple concurrent development and test tasks.
The core zone includes four security sub-domains: the OA area, common service production area, operation management area, and high-security service production area. The protection level of the high-security service production area and the operation management area is higher than that of the common service production area and the OA area.

Issue 01 (2015-01-19) Huawei Proprietary and Confidential 105


Copyright © Huawei Technologies Co., Ltd
XXX Project
HUAWEI ManageOne Technical Proposal 10 Security Solution

 The OA area includes the servers and devices that support OA applications. The OA
applications with higher security requirements can be deployed in the high-security
service production area.
 The common service production area includes non-critical service applications. Multiple
security zone cases can be defined to isolate applications from each other.
 The operation management area includes the devices related to operation management
systems, such as the network management, system management, and security
management systems. Multiple instances can be defined to isolate these system
applications from each other.
 The high-security service production area includes core service applications and data that
have the highest security level. Multiple security zone cases can be defined to isolate
applications from each other.
Traffic between security zones must be controlled according to the following principles:
 Every cross-zone data stream must pass through a pre-defined border control
component (for example, a firewall, or a proxy in the transitional zone).
 The border control component denies all traffic by default and permits only the data
streams that have been explicitly authorized.
 A failure of a border control component must not result in unauthorized access between
security zones: the border fails closed rather than open.
 All data streams from the Internet or from business partners are strictly controlled and
monitored. Each connection must be authorized and audited.
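The four principles above can be expressed as a small policy engine. The following is an added example written for this page, not code from the proposal or from any Huawei product: it models the public/transitional/restricted/core zones, an explicit allow list, default deny, a refusal to accept any rule that would let the public zone reach the core zone directly, and fail-closed behaviour when the policy is missing or invalid. The zone names follow the model above; the rules, ports and sample flows are assumptions made for the example.

```python
"""Zone border-control policy (added example, not part of the proposal).

Encodes the four principles above for the public/transitional/restricted/core
model: explicit allow list, default deny, no direct public<->core rule, and
fail-closed behaviour when the policy is missing or invalid. Zone names
match the model; rules, ports and sample flows are assumptions made here.
"""
from dataclasses import dataclass

ZONES = ("public", "transitional", "restricted", "core")

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    port: int             # 0 = any port
    note: str = ""

# Constructed allow list. Internet users reach only the DMZ front end; only the
# DMZ reaches the core on the application port; office users reach a bastion.
POLICY = [
    Rule("public", "transitional", "tcp", 443, "Internet users -> web front end"),
    Rule("transitional", "core", "tcp", 8443, "web front end -> application server"),
    Rule("restricted", "core", "tcp", 22, "office network -> O&M bastion"),
]

def validate_policy(policy):
    """Raise ValueError if any rule violates the zone model."""
    for r in policy:
        if r.src not in ZONES or r.dst not in ZONES:
            raise ValueError(f"unknown zone in rule {r}")
        if {r.src, r.dst} == {"public", "core"}:
            raise ValueError(f"direct public<->core traffic is forbidden: {r}")
    return True

def decide(policy, src, dst, proto, port):
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    if policy is None:
        # the border component cannot load its policy: fail closed, not open
        return ("deny", "fail-closed: policy unavailable")
    try:
        validate_policy(policy)
    except ValueError as exc:
        return ("deny", f"fail-closed: {exc}")
    for r in policy:
        if (r.src, r.dst, r.proto) == (src, dst, proto) and r.port in (0, port):
            return ("allow", r.note)
    return ("deny", "no matching rule (default deny)")

def audit(policy, flows):
    """Evaluate (src, dst, proto, port) flows; every decision is logged."""
    log = []
    for src, dst, proto, port in flows:
        verdict, reason = decide(policy, src, dst, proto, port)
        log.append(f"{src}->{dst} {proto}/{port}: {verdict} ({reason})")
    return log

if __name__ == "__main__":
    for line in audit(POLICY, [("public", "transitional", "tcp", 443),
                                ("public", "core", "tcp", 8443),
                                ("transitional", "core", "tcp", 8443),
                                ("restricted", "core", "tcp", 3389)]):
        print(line)
```

Note that the engine refuses the whole policy, not just the offending rule, when a public-to-core rule is present: a partially loaded policy is exactly the kind of border-component fault the third principle says must not open a path between zones.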

10.3.2 Network Security Infrastructure Design


The data center network is exposed to multiple types of security threat, including intrusion
attempts, malware, and network attacks. A network border protection system consisting of
firewalls and an intrusion prevention system (IPS) must therefore be provided to block
scanning and other attacks and to detect intrusion attempts.
Hardware security devices are deployed in the external connection area and the network
service area of the data center.
The external connection area serves the mobile office requirements of enterprise users and
is the window through which the enterprise provides services to the outside. Because it is
open, the external connection area is exposed to threats from the Internet and from external
connection networks, such as intrusion, eavesdropping on user data, and tampering.
These threats must be mitigated to ensure secure and reliable operation of the data center.
The network service area provides secure access to the internal service areas and protects the
networks between service areas. The solution secures the data center network from the
perspectives of network isolation, attack prevention, and transmission security.

Figure 10-5 shows the data center network security infrastructure.

Figure 10-5 Data center network security infrastructure

The data center network security infrastructure contains the following components:
 Firewall
High-performance firewalls are deployed in the external connection area with NAT
enabled, so that the intranet topology is hidden from the outside.
High-performance firewalls are also deployed in the network service area. Each firewall
can be virtualized into multiple logically isolated virtual firewalls, and each virtual
firewall carries an independent security policy that specifies the protection measures
for one service area or security zone in the data center.
The validity of each connection is checked against strict ACL policies and stateful
connection tracking, and the firewalls' application-layer protection can be enabled to
defend against the growing number of application-layer attacks.
Firewalls in the data center work in active/standby mode to avoid a single point of
failure and to meet high availability requirements.
 Intrusion prevention system
As attack techniques improve and the number of published vulnerabilities grows,
firewalls alone cannot detect attack traffic hidden inside permitted flows. The IPS
detects malicious code, exploits, and DDoS attacks carried in application data flows
and responds to them in real time.
Based on the configured security policy, the IPS engine inspects the traffic that passes
through it and performs in-depth analysis of each packet, including protocol analysis and
tracking, signature matching, traffic statistics analysis, and event correlation. When the
engine detects an attack it applies a response that matches the severity of the event: it
may raise an alarm to the management center, discard the packet, release the session,
reset the TCP connection, or rate-limit abusive packets to protect bandwidth.
This solution deploys firewalls with the IPS function in the data center to protect the
application layer.
The following functions are supported:
− Protection of the network infrastructure
Automatically detects and blocks attacks and abnormal traffic to protect the network
infrastructure, including routers, switches, and DNS servers.
− Intrusion prevention
Implements multi-protocol analysis, in-depth analysis of OSI layer 7 protocols, content
control, and URL filtering to detect and block security threats, including buffer
overflows, Trojan horses, worms, spyware, DDoS attacks, IP fragmentation attacks, and
browser attacks; also provides packet-level analysis and virus scanning and cleaning.
When an attack is detected, the IPS records the source IP address, attack type, attack
target, and time, and raises an alarm for critical intrusion events.
− Vulnerability exploit prevention
Blocks exploit attempts against known vulnerabilities in real time, backed by a
signature library on the order of one million entries.
− Congestion-free transmission of key data
Provides bandwidth management: data services are classified into levels and a
bandwidth policy is prepared for each level, so that key services can still communicate
normally when the network is congested.
 Transmission security
Data center user data may be interrupted, copied, tampered with, intercepted, or monitored
in transit. Data integrity, confidentiality, and availability must therefore be ensured during
transmission.
Transmission security in the data center is ensured from the following perspectives:
− SSL/TLS encryption between the trusted zone and the non-trusted zone on the
management plane
− HTTPS access for the user management interfaces, and SSL VPN where stronger access
control is needed
− SSL VPN for the access of O&M personnel
− SSH for user access to VMs
− IPsec VPN for data transmission between enterprise branches and the headquarters
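The inspection steps and graded response described for the IPS engine above can be seen end to end in a small model. The following is an added example written for this page, not Huawei's IPS code: it performs a protocol check (a TCP segment carrying both SYN and FIN), signature matching on the payload, a per-source traffic-statistics check, and then selects alarm, rate-limit, drop or connection reset according to the severity of the event. The signatures, the per-source threshold and the sample packets are constructed for the example and are not drawn from any product signature library.

```python
"""Minimal IPS inspection engine (added example, not Huawei's IPS).

Illustrates the inspection steps named above: a protocol check, signature
matching, per-source traffic statistics, and a graded response chosen by
severity (alarm, rate-limit, drop, reset). The signatures, thresholds and
the sample packets are constructed for this example.
"""
from collections import defaultdict

# Constructed signatures: (name, severity, protocol, payload pattern).
SIGNATURES = [
    ("sqli-union-select", "high", "tcp", b"UNION SELECT"),
    ("shellshock-cgi", "critical", "tcp", b"() { :;};"),
    ("dns-any-query", "low", "udp", b"\x00\xff\x00\x01"),
]
# Packets allowed per source within the inspection window before rate-limiting.
RATE_LIMIT = 5

# Response per severity level.
ACTIONS = {
    "low": "alarm",          # report to the management center only
    "medium": "rate-limit",  # keep the flow but cap its bandwidth
    "high": "drop",          # discard the packet
    "critical": "reset",     # drop and tear down the TCP connection
}

class IPSEngine:
    def __init__(self, signatures=SIGNATURES, rate_limit=RATE_LIMIT):
        self.signatures = signatures
        self.rate_limit = rate_limit
        self.seen = defaultdict(int)   # packets per source address
        self.events = []               # (src, event name, severity, action)

    def _respond(self, pkt, name, severity):
        action = ACTIONS[severity]
        self.events.append((pkt["src"], name, severity, action))
        return action

    def inspect(self, pkt):
        """pkt: dict with src, proto, payload and, for tcp, a flags set."""
        # 1. protocol analysis: SYN and FIN together is never legitimate TCP
        if pkt["proto"] == "tcp" and {"SYN", "FIN"} <= pkt.get("flags", set()):
            return self._respond(pkt, "tcp-syn-fin-scan", "high")
        # 2. traffic statistics: flood from a single source
        self.seen[pkt["src"]] += 1
        if self.seen[pkt["src"]] > self.rate_limit:
            return self._respond(pkt, "packet-flood", "medium")
        # 3. signature matching against the payload
        for name, severity, proto, pattern in self.signatures:
            if pkt["proto"] == proto and pattern in pkt["payload"]:
                return self._respond(pkt, name, severity)
        return "pass"

def inspect_all(packets):
    """Run the engine over a packet list; return (actions, events)."""
    engine = IPSEngine()
    actions = [engine.inspect(p) for p in packets]
    return actions, engine.events

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = (
    [{"src": "203.0.113.5", "proto": "tcp", "flags": {"ACK"},
      "payload": b"GET /item?id=1 UNION SELECT user,pass FROM t HTTP/1.1"},
     {"src": "203.0.113.6", "proto": "tcp", "flags": {"ACK"},
      "payload": b"User-Agent: () { :;}; /bin/sh -c id"},
     {"src": "203.0.113.7", "proto": "tcp", "flags": {"SYN", "FIN"}, "payload": b""},
     {"src": "203.0.113.8", "proto": "tcp", "flags": {"ACK"}, "payload": b"GET / HTTP/1.1"}]
    + [{"src": "203.0.113.9", "proto": "udp", "payload": b"\x00\x01"}] * 6
)

if __name__ == "__main__":
    actions, events = inspect_all(SAMPLE_PACKETS)
    for action, pkt in zip(actions, SAMPLE_PACKETS):
        print(pkt["src"], action)
```

The order of the checks matters: the protocol anomaly and the flood counter run before signature matching, so a flooding source is rate-limited without paying for pattern matching on every packet, and a malformed segment is dropped regardless of its payload.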

10.4 Host Security Design


10.4.1 Host Security Threats
Malware has strong destructive power and has gone far beyond simple file infection.
Combined with intrusion techniques, malware can compromise Windows-based clients, such as
developers' FusionAccess desktops, and leave back doors through which attackers control
those clients. Because the clients are connected to the service servers, attackers can then
pivot to the service servers, which poses a serious threat to the data center service
databases.
If malware spreads across the data center network, the whole network can stop operating
properly: the spreading malware consumes large amounts of bandwidth and can launch DDoS
attacks against key service hosts, causing a sharp decline in system performance.
Data center virus protection must therefore be designed from a comprehensive perspective,
covering every point that is vulnerable to infection. Data center devices must be managed
centrally so that no intrusion point is left unprotected.

10.4.2 Antivirus Design


It is recommended that a network antivirus system be deployed in the data center to prevent
viruses from affecting key servers.
Figure 10-6 shows the host antivirus system.

Figure 10-6 Host antivirus system

An agent must be installed on each host to be protected, as shown by the yellow areas in
Figure 10-6. The agents are managed centrally by the AV server deployed in the operation
management area. They provide comprehensive antivirus protection for Windows-, Linux-, and
Unix-based servers according to the antivirus requirements of the data center, to ensure the
information security of key service servers and LANs and to prevent virus attacks.
The following functions are supported:
1. Centralized network management
A single management console simplifies the management of Windows-based servers and the
network.
2. Remote management
Remote management includes remote installation, remote update, and remote uninstallation
of the agents; update of virus pattern files; download of the scan engine and fixes; virus
scanning and removal; installation and configuration; real-time virus alarms; virus event
recording and reporting; and real-time scanning.
3. Virus pattern update
The virus scanner is effective only when the latest antivirus components are installed. The
latest virus pattern and scan engine are delivered automatically to each server. Updates use
an incremental mode: a server downloads only the virus patterns added since its current
version, which reduces download time and network bandwidth.
4. Virus event recording and reporting
Complete records and reports on virus events help track and manage large numbers of
antivirus-related issues, such as finding infected files, updating virus patterns and
programs, virus alerts, quarantining and checking suspected infected files, recording the
scanning time, and changing the write protection of important directories.
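The incremental pattern update described under item 3, together with the event recording of item 4, is easy to misimplement (agents that re-download the whole pattern set, or that silently skip versions). The following is an added example written for this page, not Huawei's antivirus implementation: an agent reports its pattern version, receives only the patterns published after that version, merges them, and scans files against the merged set, recording one event per hit. The pattern feed, version numbers, byte patterns and file contents are all constructed for the example.

```python
"""Incremental virus-pattern update and file scan (added example).

Models the update mode described above: the agent reports its pattern
version and receives only patterns added after that version, then scans
files against the merged set and records events. Pattern data, file
contents and version numbers are constructed for the example.
"""
import hashlib

# Constructed pattern feed on the AV server: version -> patterns released in
# that version. Each pattern is (name, byte sequence to match).
SERVER_FEED = {
    1: [("Eicar-Test", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")],
    2: [("Worm.Sample.A", b"\x4d\x5a\x90\x00WORM-A")],
    3: [("Trojan.Sample.B", b"TROJAN-B-MARKER"), ("Worm.Sample.C", b"WORM-C")],
}

def delta_update(agent_version, feed=SERVER_FEED):
    """Return (new_version, patterns_added). Only versions > agent_version ship."""
    newer = sorted(v for v in feed if v > agent_version)
    added = [p for v in newer for p in feed[v]]
    new_version = newer[-1] if newer else agent_version
    return new_version, added

def transfer_bytes(patterns):
    """Approximate download size of a pattern list (name + pattern bytes)."""
    return sum(len(name.encode()) + len(pattern) for name, pattern in patterns)

class AVAgent:
    def __init__(self):
        self.version = 0
        self.patterns = []
        self.events = []

    def update(self, feed=SERVER_FEED):
        """Incremental update: merges only newly added patterns; returns count."""
        self.version, added = delta_update(self.version, feed)
        self.patterns.extend(added)
        return len(added)

    def scan(self, files):
        """files: {path: bytes}. Returns list of (path, pattern name, sha256)."""
        hits = []
        for path, data in files.items():
            for name, pattern in self.patterns:
                if pattern in data:
                    event = (path, name, hashlib.sha256(data).hexdigest())
                    hits.append(event)
                    self.events.append(event)   # virus event record
                    break
        return hits

if __name__ == "__main__":
    agent = AVAgent()
    print("first update:", agent.update(), "patterns, version", agent.version)
    print("second update:", agent.update(), "patterns (nothing new)")
    sample = {"/srv/upload/a.bin": b"\x4d\x5a\x90\x00WORM-A\x00payload",
              "/srv/upload/b.txt": b"plain text"}
    for path, name, digest in agent.scan(sample):
        print(f"{path}: {name} sha256={digest[:12]}...")
```

The saving the page describes comes from `delta_update`: an agent at version 2 transfers only the version-3 patterns, so `transfer_bytes` of the delta is a fraction of the full set, and an agent that is already current transfers nothing.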

10.5 Virtualization Security


10.5.1 Virtualization Security Threats
Resource virtualization introduces specific risks. To keep VMs secure, the virtualization layer
must isolate the host from its VMs and isolate each VM from the others. Traditional security
devices cannot meet these requirements on their own, because they do not see, and therefore
cannot block, malicious traffic between VMs on the same host.
Data center production data is stored on the virtualization platform, which is exposed to the
following threats:
 Attacks on the hypervisor launched from a VM
 Attacks and sniffing between VMs
 Hypervisor vulnerabilities
These can stop VMs from providing services and threaten data security (confidentiality,
integrity, and availability).
 Virus and worm attacks
These compromise data integrity, data availability, and the availability of the virtual
network.
 System configuration defects
Misconfigured systems are vulnerable to attack, abuse, and misuse.

10.5.2 Function Design


Huawei FusionSphere provides virtualization through the UVP hypervisor and cloud
management through the FusionSphere management software. This section describes the
security features of FusionSphere that are used to secure the virtualization layer in the
Huawei data center solution.
Huawei FusionSphere provides the following security features on the virtualization layer:
 Virtual LAN (VLAN) isolation
Virtual switching is implemented with a virtual network bridge that supports VLAN
tagging. VLANs are isolated from each other, so VMs on different VLANs are securely
isolated even when they run on the same physical host.
Because the bridge tags the frames of each VM, VMs of one security group running on
different hosts send frames with the same VLAN tag; the physical switches and routers
forward and route those frames by VLAN tag, isolating each virtual network end to end.

Figure 10-7 UVP virtual switching

 Security group isolation
A VM security group is a group of VMs together with a set of rules governing how they
communicate. VMs in the same security group may run on different hosts, so a security
group divides a physical LAN into several isolated VLANs and enhances network security.
End users control the communication among their own VMs, and between their VMs and
other users' VMs, by setting rules.
A user can create one or more security groups, but a security group belongs to only one
user. The user specifies a security group for a VM when creating the VM. VMs in the same
security group can communicate with each other by default; VMs in different security
groups are isolated from each other by default.
The whitelist defined in security group rules applies only to that security group. Users can
add rules that allow VMs in a security group to receive requests from VMs in another
security group or from a specific IP address range, and can restrict the rule to a request
type such as Transmission Control Protocol (TCP) or Internet Control Message Protocol
(ICMP).
Security group rules take effect automatically when the VM starts and remain in force when
the VM migrates to another host. Users only need to set the rules, without considering
which host the VM runs on.
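The security-group semantics just described (one group per VM, intra-group allow by default, inter-group deny unless an ingress rule whitelists a source group or address range for a request type, and rules that follow the VM across hosts) can be checked with a small evaluator. The following is an added example written for this page, not FusionSphere code; the group names, VM names, addresses and rules are constructed for the example.

```python
"""Security-group evaluator (added example, not FusionSphere code).

Implements the semantics described above: a VM belongs to exactly one
security group; traffic inside a group is allowed by default; traffic
between groups is denied unless an ingress rule of the destination group
whitelists the source group or the source address range for that request
type; the host a VM runs on never enters the decision, so rules survive
migration. Group names, VM names, addresses and rules are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IngressRule:
    proto: str                        # "tcp", "udp" or "icmp"
    port: Optional[int] = None        # None = any port (icmp has none)
    src_group: Optional[str] = None   # allow from VMs of this group ...
    src_cidr: Optional[str] = None    # ... or from this address range

@dataclass
class VM:
    name: str
    ip: str
    group: str
    host: str                         # informational only

class SecurityGroups:
    def __init__(self):
        self.rules = {}               # group name -> [IngressRule]
        self.vms = {}                 # VM name -> VM

    def create_group(self, name, rules=()):
        self.rules[name] = list(rules)

    def add_vm(self, vm):
        if vm.group not in self.rules:
            raise ValueError(f"unknown security group {vm.group!r}")
        self.vms[vm.name] = vm

    def migrate(self, vm_name, new_host):
        """Live migration changes only the host; the rules follow the VM."""
        self.vms[vm_name].host = new_host

    def allowed(self, src_name, dst_name, proto, port=None):
        """May src send a proto/port request to dst?"""
        src, dst = self.vms[src_name], self.vms[dst_name]
        if src.group == dst.group:
            return True                              # intra-group default allow
        for r in self.rules[dst.group]:
            if r.proto != proto or (r.port is not None and r.port != port):
                continue
            if r.src_group is not None and r.src_group == src.group:
                return True
            if r.src_cidr is not None and \
                    ipaddress.ip_address(src.ip) in ipaddress.ip_network(r.src_cidr):
                return True
        return False                                 # inter-group default deny

def build_demo():
    """Three-tier layout: web VMs may reach the database port; an O&M
    address range may reach SSH and ping on the database group; nothing
    else crosses group boundaries."""
    sg = SecurityGroups()
    sg.create_group("web")
    sg.create_group("db", [
        IngressRule("tcp", 3306, src_group="web"),
        IngressRule("tcp", 22, src_cidr="10.9.0.0/24"),
        IngressRule("icmp", src_cidr="10.9.0.0/24"),
    ])
    sg.create_group("ops")
    sg.add_vm(VM("web1", "10.1.0.11", "web", "host-a"))
    sg.add_vm(VM("web2", "10.1.0.12", "web", "host-b"))
    sg.add_vm(VM("db1", "10.2.0.21", "db", "host-c"))
    sg.add_vm(VM("ops1", "10.9.0.5", "ops", "host-a"))
    return sg

if __name__ == "__main__":
    sg = build_demo()
    for flow in [("web1", "db1", "tcp", 3306), ("web1", "db1", "tcp", 22),
                 ("ops1", "db1", "tcp", 22), ("db1", "web1", "tcp", 80)]:
        print(flow, "allow" if sg.allowed(*flow) else "deny")
```

Two properties worth checking in any real deployment are visible in the test: rules are evaluated on the destination group only (the `db` rules say nothing about `db` reaching `web`), and migrating `db1` to the host that also runs `web1` changes no verdict.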
 VM protection
The guest OSs running in VMs face the same security risks as physical systems;
virtualization does not eliminate them. However, provided the hypervisor isolation holds,
an attack on a single VM endangers only that VM and does not compromise the
virtualization server that hosts it.
The VM antivirus system consists of endpoint protection servers and endpoint protection
clients on the virtual servers. The endpoint protection servers control the clients over the
network and perform host antivirus, host IPS, configuration of host firewall policies, log
collection, and updates of virus patterns and scan engines.
An antivirus client can be deployed on each running VM to protect it.
 VM template security hardening
The template is built from a security-hardened basic OS image that contains no application
programs, so every VM created from it starts at the same security baseline. The patches and
security tools in the template must be kept up to date.
 VM management
The virtualization platform allocates host resources precisely. Resource management
functions such as shares and limits bound the server resources a VM can consume, so a
VM under attack cannot starve the other VMs on the same physical host. This mechanism
helps contain DoS attacks.
 Communication management from VMs to the physical host
VMs can write troubleshooting information to log files stored on the cloud platform. An
intentional or careless configuration of a VM user or process can abuse this log facility by
writing a great mass of data, filling the file system of the physical host and exhausting its
disk space, which is a denial of service against the host. The system is therefore
configurable: when a log file reaches a configured size, the platform rotates to another file
or deletes the oversized one.
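The mitigation described in the last bullet, a size cap with rotation, is worth demonstrating because the failure mode is silent until the host's file system is full. The following is an added example written for this page using only the Python standard library; it is not the FusionSphere mechanism. It builds a size-capped rotating log sink, floods it with far more data than the cap, and shows that the bytes on disk never exceed the cap. The file name, cap, backup count and the flood itself are constructed for the example.

```python
"""Bounded VM log storage on the host (added example).

Demonstrates the mitigation described above: a size-capped, rotating log
sink so that a VM writing unbounded diagnostics cannot fill the host's
file system. Uses only the Python standard library; the log name, size
cap and message flood are constructed for this example.
"""
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler

def make_bounded_logger(log_dir, name="vm-guest", max_bytes=4096, backups=2):
    """Logger whose files never exceed max_bytes * (backups + 1) in total."""
    logger = logging.getLogger(f"{name}-{log_dir}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = RotatingFileHandler(
        os.path.join(log_dir, f"{name}.log"),
        maxBytes=max_bytes, backupCount=backups,
    )
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    logger.addHandler(handler)
    return logger

def log_dir_size(log_dir):
    """Total bytes of every file in the log directory (current + rotated)."""
    return sum(os.path.getsize(os.path.join(log_dir, f)) for f in os.listdir(log_dir))

def simulate_flood(log_dir, lines=5000, max_bytes=4096, backups=2):
    """A guest process spamming the log; returns (bytes on disk, hard cap)."""
    logger = make_bounded_logger(log_dir, max_bytes=max_bytes, backups=backups)
    for i in range(lines):
        logger.info("guest diagnostic record %06d %s", i, "x" * 64)
    for h in list(logger.handlers):      # release the files before measuring
        h.close()
        logger.removeHandler(h)
    cap = max_bytes * (backups + 1)
    return log_dir_size(log_dir), cap

def demo():
    """Run the flood in a throw-away directory; return (bytes on disk, cap)."""
    with tempfile.TemporaryDirectory() as d:
        return simulate_flood(d)

if __name__ == "__main__":
    size, cap = demo()
    print(f"{size} bytes on disk after the flood, cap {cap}")
```

The 5000 records written here amount to roughly half a megabyte; the directory holds at most three files of under 4 KB each. On a production host the same bound is normally enforced by the platform's log rotation and a dedicated log partition, so that even a rotation failure cannot touch the root file system.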

10.6 Data Security Design


As enterprise information systems develop, data becomes a key enterprise asset and is
exposed to security problems such as data loss, tampering, and theft. In the Huawei security
architecture, data security is designed and implemented as a mandatory module.
Data deletion, also called remaining (residual) information protection, means that a user's
sensitive data is erased before the storage space it occupied is re-allocated to another user.
Users' sensitive data includes system management data, user authentication data, and key
service data.
As a key security technology, data deletion is implemented throughout the Huawei cloud
platform to prevent sensitive data leakage through re-allocation of storage resources.
The data deletion function has the following features:
 Remaining information protection for storage resources: the data of a user VM is erased
before the storage space occupied by that VM is re-allocated to other VMs, so that no
residual data is exposed through the storage resource.
 Remaining information protection for user files and objects: after a stored user file or
object is deleted, the data in the corresponding storage area is erased, or the area is made
available only for overwriting by new data, so that the deleted data cannot be recovered
without authorization.
 Together, these features protect the residual information of cloud platform users and
prevent malicious recovery of deleted data, meeting the data security requirements of the
data center.
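The property that remaining information protection provides is easiest to see with the failure case beside the fix. The following is an added example written for this page, not the Huawei platform's implementation: a toy block allocator in which tenant A writes a secret, releases the volume, and the same physical blocks are handed to tenant B. Without scrubbing, B reads A's data; with overwrite-on-release, B reads zeros. The block size, tenants and payload are constructed for the example; a real platform performs the overwrite or secure erase inside the storage system, not in the allocator.

```python
"""Remaining-information protection in a block allocator (added example).

A toy volume store: tenant A writes secret data, frees the volume, and the
same physical blocks are re-allocated to tenant B. Without scrubbing,
B can read A's data; with the policy described above, blocks are
overwritten before re-allocation. The block size, tenants and payload
are constructed for this example.
"""

BLOCK = 16   # bytes per block (toy size)

class BlockStore:
    def __init__(self, blocks, scrub_on_free=True):
        self.disk = bytearray(blocks * BLOCK)   # the physical medium
        self.free = list(range(blocks))
        self.owner = {}                         # block -> tenant
        self.scrub_on_free = scrub_on_free

    def allocate(self, tenant, nblocks):
        if len(self.free) < nblocks:
            raise MemoryError("out of blocks")
        got = [self.free.pop(0) for _ in range(nblocks)]
        for b in got:
            self.owner[b] = tenant
        return got

    def write(self, tenant, block, data):
        assert self.owner[block] == tenant, "write to block not owned"
        assert len(data) <= BLOCK
        self.disk[block * BLOCK:(block + 1) * BLOCK] = data.ljust(BLOCK, b"\0")

    def read(self, tenant, block):
        assert self.owner[block] == tenant, "read of block not owned"
        return bytes(self.disk[block * BLOCK:(block + 1) * BLOCK])

    def release(self, tenant, blocks):
        """Free blocks; with scrubbing, overwrite them before re-allocation."""
        for b in blocks:
            assert self.owner.pop(b) == tenant
            if self.scrub_on_free:
                # one overwrite pass with zeros; the point is that the old
                # bytes are gone before another tenant can be given the block
                self.disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
            self.free.append(b)

def leak_after_reallocation(scrub_on_free):
    """Return the bytes tenant B sees in a block that tenant A just released."""
    store = BlockStore(blocks=4, scrub_on_free=scrub_on_free)
    a_blocks = store.allocate("tenant-A", 4)    # A takes the whole pool
    store.write("tenant-A", a_blocks[0], b"A-secret-key-01")
    store.release("tenant-A", a_blocks)
    b_blocks = store.allocate("tenant-B", 1)    # B is handed A's old block 0
    return store.read("tenant-B", b_blocks[0])

if __name__ == "__main__":
    print("without scrubbing:", leak_after_reallocation(False))
    print("with scrubbing:   ", leak_after_reallocation(True))
```

Note that the ownership checks in `read` and `write` do not help here: B legitimately owns the block after re-allocation, so the only control that works is erasing the contents before the block changes hands, which is exactly what the bullets above require for both VM storage and user files.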

10.7 Scenario Security Design


This document provides a security solution design based on Huawei's experience in building
large data centers and on industry best practice. The solution meets the security requirements
of most data centers. However, enterprises may have different security requirements because
their services differ. Table 10-3 lists the main security features of the basic, low-cost security
solution for the data center. If the data center requires other security features, select the
optional features in Table 10-3 according to the data center security architecture and the
actual security requirements.

Table 10-3 Main security features of the basic, low-cost security solution for the data center

Type                               | Feature                               | Remarks          | Low-Cost and Basic Security Solution
Infrastructure security            | Physical security                     | Basic feature    | ●
Network security                   | VPN access service                    | Optional feature | ●
Network security                   | Network intrusion detection           | Optional feature |
Network security                   | Network intrusion prevention          | Basic feature    | ●
Network security                   | Traffic cleaning                      | Optional feature |
Network security                   | Firewall/virtual firewall             | Basic feature    | ●
Network security                   | O&M bastion host                      | Optional feature |
Network security                   | Gatekeeper                            | Optional feature |
Network security                   | Antivirus gateway                     | Optional feature |
Network security                   | Vulnerability scanning                | Optional feature |
Application security               | Web application firewall              | Optional feature |
Application security               | Website anti-tamper                   | Optional feature |
Application security               | Mail security                         | Optional feature |
Host security                      | Host antivirus                        | Basic feature    | ●
Virtualization security            | VM template security hardening        | Basic feature    | ●
Virtualization security            | VM isolation (security group)         |                  |
Virtualization security            | Virtualization layer security         |                  |
Cloud host security                | vFW and vIPS                          | Optional feature |
Data security                      | Data loss prevention                  | Optional feature |
Data security                      | Data encryption (guest OS encryption) | Optional feature |
Data security                      | Document permission management        | Optional feature |
Data security                      | Data deletion                         | Basic feature    | ●
Identity authentication management | Key management (PKI)                  | Optional feature |
Identity authentication management | Dual-factor authentication            | Optional feature |
Identity authentication management | Identification and access management  | Optional feature |
Security management                | Security management center            | Optional feature |
Security management                | Security device management            | Optional feature |
Security management                | Compliance check                      | Optional feature |


11 Backup Solution

11.1 Backup solution overview


Figure 11-1 illustrates the VM backup mechanism of the eBackup solution.

Figure 11-1 Backup mechanism for VMs in eBackup

The eBackup VM backup solution uses Huawei eBackup backup servers, the FusionCompute
snapshot function, and the Changed Block Tracking (CBT) function to back up VM data. In
cooperation with FusionCompute, the eBackup software backs up a specified VM or VM
volume according to the configured backup policies. If a VM fails or its data is lost, the VM
can be restored from the backup data. Data can be backed up to an external SAN or NAS
storage device.
The eBackup VM backup solution has the following characteristics:
 No backup agent needs to be installed in the VM being backed up.
 VM data can be backed up whether the VM is running or stopped.
 Backup and restoration are supported for VMs on different kinds of storage resource, such
as FusionStorage or virtualized storage.
 VM data can be backed up to various storage devices, including external SAN or NAS
devices connected to the backup server.
 Application-consistent backup and recovery are provided through Microsoft's Windows
Volume Shadow Copy Service (VSS). VSS provides a consistent interface that coordinates
the applications that update data on disk with the application that backs the data up.
 Multiple backup modes are supported, including full backup, incremental backup, and
batch backup.
− A full backup copies only the allocated (valid) data of the disk.
− An incremental backup copies only the data blocks that have changed since the last
backup, so less data is transferred, which reduces the cost of VM backup and shortens
the backup window.
 Backups can be used to restore entire VMs or individual VM disks to the original VM or to a
specified VM, one at a time or in batches. To restore to a new VM, the new VM must be
created on FusionCompute; otherwise the restoration fails. VMs created on FusionManager
or on the desktop cloud cannot be restored from the backup data.
 Multiple restoration modes are supported: VM image-based restoration, incremental
data-based restoration, and fine-grained file-level restoration.
− Image-based restoration restores all the data of a full backup.
− Incremental restoration applies only to VMs on virtualized storage. When the original VM
is restored from incremental backup data, CBT is used so that only the blocks changed
since the last backup are written back, which makes the restoration fast.
− Fine-grained file-level restoration restores selected files or directories on a disk rather
than the whole disk, and is therefore the fastest and most targeted restoration mode.
 When virtualized storage is used at the production site, several transmission modes are
supported for backup data: LAN, LAN-SSL, and SAN (LAN-free). LAN-SSL encrypts the
backup data in transit; SAN (LAN-free) transmission improves backup and restoration
performance and reduces the performance penalty on production servers. If FusionStorage
is used at the production site, backup traffic uses the internal storage network and does
not cross an external network.
 eBackup supports flexible backup policies:
− Differentiated backup policies for individual VMs or VM groups.
− Selecting the VMs to back up by choosing a container, such as a cluster, in the hypervisor;
new VMs in that container are discovered automatically at backup time.
− Full and incremental backup.
− Deduplication and compression of backup data.
− Configurable retention duration and automatic deletion of expired backup data.
− Backup policy priorities.
 eBackup supports concurrent backup and restoration. One backup agent supports up to
40 concurrent tasks.
 VM disks can be backed up and restored across FusionCompute sites.
 The eBackup solution uses a distributed architecture of backup servers and backup agents.
One backup server manages up to 64 backup agents. A backup server can also act as a
backup agent, so no additional agent servers are required. Backup servers and agents are
managed centrally from a browser. It is recommended that each backup agent back up no
more than 200 VMs; add backup agents as the number of VMs grows. A maximum of
10,000 backup agents is supported.
 The eBackup solution delivers high reliability.
− If a backup agent fails, its tasks are redistributed to the other backup agents.
− The eBackup system can recover itself in disaster scenarios, for example when the OS,
host, or storage is damaged.
 The eBackup solution is easy to manage and maintain.
− The backup system can be deployed on VMs from templates or on physical servers.
− Backup, restoration, and system management are performed centrally through the GUI or
the command-line interface (CLI).
The VM backup solution applies to the following scenarios:
 Server consolidation, data center virtualization, FusionCube, and desktop cloud.
 Production-site storage provided by FusionStorage or by virtualized SAN devices, NAS
devices, or local disks.

11.2 Solution features


The Huawei FusionSphere eBackup system is tightly integrated with the Huawei
virtualization platform and protects user data effectively. It has the following features:
 No agent is required in the VM, so backup has no impact on VM operation.
 VM backup is independent of VM state: data in stopped or running VMs can be backed up.
 Because eBackup is integrated with the Huawei virtualization platform, VM backup and
restoration can run concurrently, which shortens the required backup windows.
 A data disk can be restored to a new VM and automatically mounted as that VM's data
disk, so the entire VM need not be backed up, which reduces the volume of data to back up.
 The processor server supports large data disks: up to ten 2 TB data disks. It can also use
NAS as the backup medium, which has no capacity limit.
 The FusionSphere eBackup system supports backup across physical clusters, enlarging the
backup scope.

11.3 Backup capacity design


The storage space required for the eBackup database is 50 GB. The storage space required
for user VM backup data is the total size of the backup data of all VMs kept within the
retention period. If data deduplication is enabled, the backup storage required decreases by
about 20%. Reserve a further 20% of the total storage space for redundancy.
The total storage capacity is calculated as follows:
 Number of VMs to be backed up: N
 Disk space of a single VM: A GB
 Daily incremental data volume: B GB
 Full backup interval: P days
 Incremental backup interval: Q days
 Retention duration: R days
If data deduplication is disabled:
Total storage capacity = {[A x (R/P + 1) + B x R/Q] x N + 50} x 120%
where, if only the first backup is a full backup and all subsequent backups are incremental,
R/P is taken as 0.
If data deduplication is enabled:
Total storage capacity = [(A + B x R/Q) x N x 80% + 50] x 120%
In this project, data deduplication is disabled, so the first formula is used to calculate the
storage capacity.
The CBT files and snapshot data generated while eBackup runs consume some space on the
primary storage. The space used by CBT and incremental snapshots must be in the same LUN
as the VMs being backed up, so place those VMs in the same LUN during storage planning.
Also reserve some space (10% recommended) on the primary storage for VM backup. If a
backup fails because the primary storage is short of space, migrate some VMs away to free
space.
Table 11-1 lists the planned capacity of the backup system.

Table 11-1 Capacity planning of the backup system

Service Host Name | Backup Object | Initial Source Data Volume (GB) | Estimated Incremental Data Volume (GB) | Full Backup Interval | Incremental Backup Interval | Retention Duration | Data Volume of Backup Medium (GB)
LIGDB             | System volume | 20                              | 0.5                                    | Weekly               | Daily                       | One week           | 47
LIGDB             | Data volume   | 60                              | 1                                      | Monthly              | Daily                       | One month          | 180
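The two capacity formulas above, applied per volume to the rows of Table 11-1, give a quick cross-check of the table. The following is an added example written for this page, not a Huawei sizing tool; it uses the symbols defined in this section (N, A, B, P, Q, R) with P and Q expressed in days. Applied to the data volume row (A = 60, B = 1, P = 30, Q = 1, R = 30, without the shared 50 GB database), the formula reproduces the 180 GB figure; applied to the system volume row (A = 20, B = 0.5, P = 7, Q = 1, R = 7) it gives 52.2 GB rather than the 47 GB printed in the table, so the inputs of that row should be rechecked before the backup storage is procured.

```python
"""Backup capacity calculation with the symbols used above (added example).

Implements both formulas from this section and applies them per volume to
the rows of Table 11-1. The helper and the per-row calls are added here
for illustration; the numbers are those of the table.
"""

DB_SPACE_GB = 50          # eBackup database
REDUNDANCY = 1.20         # reserve 20%
DEDUP_FACTOR = 0.80       # deduplication saves about 20%

def backup_capacity(n, a, b, p, q, r, dedup=False, first_full_only=False, include_db=True):
    """Total backup storage in GB, rounded to 0.1 GB.

    n: VMs, a: disk space per VM (GB), b: daily increment (GB),
    p: full-backup interval (days), q: incremental interval (days),
    r: retention (days). first_full_only=True takes R/P as 0, as the
    section specifies for a single initial full backup.
    """
    db = DB_SPACE_GB if include_db else 0
    if dedup:
        per_vm = (a + b * r / q) * DEDUP_FACTOR
    else:
        full_copies = 0 if first_full_only else r / p
        per_vm = a * (full_copies + 1) + b * r / q
    return round((per_vm * n + db) * REDUNDANCY, 1)

def table_11_1_rows():
    """Per-volume figures for the LIGDB host, without the shared 50 GB database."""
    system_volume = backup_capacity(1, 20, 0.5, 7, 1, 7, include_db=False)
    data_volume = backup_capacity(1, 60, 1.0, 30, 1, 30, include_db=False)
    return system_volume, data_volume

if __name__ == "__main__":
    system_volume, data_volume = table_11_1_rows()
    print(f"LIGDB system volume: {system_volume} GB (table: 47)")
    print(f"LIGDB data volume:   {data_volume} GB (table: 180)")
    print("10 such VMs, data volume only, with database:",
          backup_capacity(10, 60, 1.0, 30, 1, 30), "GB")
```

When the project later enables deduplication or switches to a single initial full backup, the same helper gives the reduced figures (`dedup=True` or `first_full_only=True`), which is the comparison a capacity review usually asks for.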

12 Disaster recovery solution

12.1 DR Solution Basis and Principles


12.1.1 DR Indicators
The basic function of IT system DR is to recover services promptly after a disaster. DR
effectiveness is measured by the recovery time objective (RTO) and the recovery point
objective (RPO).
 RTO
RTO is the maximum acceptable time between an outage and the resumption of normal
operations. It consists of decision time, the time spent deciding to start the recovery
process, and deployment time, the time spent performing the recovery. In general, a
shorter RTO reduces disaster losses but increases DR costs.
 RPO
RPO is the maximum tolerable amount of data lost after a disaster, expressed as the time
between the last usable recovery point and the disaster. In general, a shorter RPO reduces
disaster losses but increases DR costs.

12.1.2 Classification of Service Systems


Service recovery needs provide important input for DR development and planning: they determine DR goals, DR strategies, and DR sequences, and guide the implementation of emergency recovery. Service systems in industry xx can be classified into the following four levels based on service system type, service system importance, the impact scope of a service system interruption, and the tolerable service interruption duration, so that the DR construction needs of different service systems can be met.

Classification of Service Systems | Class A | Class B | Class C | Class D
Service system type | Core service system | Critical service system | Important service system | Auxiliary and test service system
Service system importance | Vital | Critical | Important | Normal
Service impact scope | Global or public level | Local level or service line | Office level | Group level
Tolerable service interruption duration | < 30 minutes | < 4 hours | < 8 hours | < 24 hours

To meet service continuity requirements, the DR modes shown in the following figure are
recommended for different classes of service systems.

[Figure: Recommended DR modes by service system class]
Class A service systems: Eight major database systems, Comprehensive police system, PKI/PMI, PGIS, Mobile police service system, Inter-department data sharing platform
Class B service systems: Public security information management system, Onsite survey system, Comprehensive query system, Data exchange system, Fingerprint information system, DNA information system, OA
Class C service systems: Mail system, Video conference system, Gun management information system, Civil explosive management information system, Missing personnel and unidentified corpse information system, Stability maintenance management information system, Seal information management system, Public security monitoring system
Class A: Application-level active-active mode, RPO = 0 minutes and RTO < 30 minutes
Class B: Application-level active/standby mode, RPO = 15 minutes and RTO < 4 hours
Class C: Data-level active/standby mode, RPO = 30 minutes and RTO < 12 hours
Note: Since the public security industry has no specific requirements, service systems may use different DR modes depending on site requirements.

The following table lists the detailed classification of the major service systems in the public security industry, to meet DR construction needs.

Service System Name | Service System Importance | Tolerable Service Interruption Duration
National population information management system | Vital | < 30 minutes
Exit and entry management information system | Vital | < 30 minutes
National motor vehicle and driver information management system | Vital | < 30 minutes
National key security entity information system | Vital | < 30 minutes
National criminal information system | Vital | < 30 minutes
National criminal escaped information system | Vital | < 30 minutes
National stolen vehicle information system | Vital | < 30 minutes
Personnel management system | Vital | < 30 minutes
Comprehensive police system | Vital | < 30 minutes
General intelligence platform | Vital | < 30 minutes
PKI/PMI | Vital | < 30 minutes
Mobile police service system | Vital | < 30 minutes
Public service system | Vital | < 30 minutes
PGIS | Vital | < 30 minutes
Comprehensive transportation management system | Vital | < 30 minutes
DNA information system | Critical | < 4 hours
Fingerprint information system | Critical | < 4 hours
Onsite survey system | Critical | < 4 hours
Public security information management system | Critical | < 4 hours
Integrated query system | Critical | < 4 hours
Data exchange system | Critical | < 4 hours
Public security motor vehicle surveillance and control system | Critical | < 4 hours
Hotel industry public security management information system | Important | < 8 hours
Gun management information system | Important | < 8 hours
Civil explosive management information system | Important | < 8 hours
National missing personnel and unidentified corpse information system | Important | < 8 hours
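As an added example (not part of the proposal), the classification table above and the per-class DR modes and RPO/RTO targets from the preceding figure can be encoded so that results from a DR drill are checked mechanically against the targets. The drill numbers below are constructed; the system names are those listed on the page, and the class-to-target mapping is exactly the page's.

```python
# Added example (not part of the proposal): the service-system classes from the
# table above and the DR modes recommended per class in the preceding figure,
# encoded so that DR drill results can be checked against them. Drill numbers
# are constructed; system names come from the page.
from dataclasses import dataclass

# class -> (importance level, tolerable service interruption in minutes)
CLASS_TABLE = {
    "A": ("Vital", 30),
    "B": ("Critical", 4 * 60),
    "C": ("Important", 8 * 60),
    "D": ("Normal", 24 * 60),
}

# class -> (recommended DR mode, RPO target in minutes, RTO target in minutes);
# the figure prescribes no mode for class D
DR_MODE = {
    "A": ("Application-level active-active", 0, 30),
    "B": ("Application-level active/standby", 15, 4 * 60),
    "C": ("Data-level active/standby", 30, 12 * 60),
}

def classify(importance):
    """Map an importance level from the service-system table to its class."""
    for cls, (level, _) in CLASS_TABLE.items():
        if level == importance:
            return cls
    raise ValueError(f"unknown importance level: {importance!r}")

def mode_rto_within_tolerance(cls):
    """True when the recommended mode's RTO target does not exceed the class's
    tolerable interruption duration (the page's own figures give False for C:
    12 hours of RTO against 8 hours of tolerance)."""
    return DR_MODE[cls][2] <= CLASS_TABLE[cls][1]

@dataclass
class DrillResult:
    system: str
    importance: str
    measured_rpo_min: float   # data lost, in minutes of writes
    measured_rto_min: float   # time until service resumed

def evaluate(result):
    """Compare one drill result with the RPO/RTO targets of its class."""
    cls = classify(result.importance)
    if cls not in DR_MODE:
        return {"class": cls, "mode": None, "rpo_ok": None, "rto_ok": None}
    mode, rpo_target, rto_target = DR_MODE[cls]
    return {
        "class": cls,
        "mode": mode,
        "rpo_ok": result.measured_rpo_min <= rpo_target,   # "RPO = x minutes"
        "rto_ok": result.measured_rto_min < rto_target,    # "RTO < x"
    }

# Constructed drill results for systems named on the page.
DRILLS = [
    DrillResult("PKI/PMI", "Vital", 0, 12),
    DrillResult("DNA information system", "Critical", 15, 200),
    DrillResult("Gun management information system", "Important", 45, 400),
]

def evaluate_all(drills=DRILLS):
    return {d.system: evaluate(d) for d in drills}
```

`mode_rto_within_tolerance` makes visible a gap that is already in the page's figures: the data-level active/standby mode recommended for class C has an RTO target of 12 hours, while class C tolerates at most 8 hours, which is why the note under the figure allows sites to pick a different mode.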

12.2 DR Solution

Based on the overall system design principle, success cases of DR system deployment in
industry xx, and years of accumulated experience, Huawei recommends an overall DR
architecture for the customer, as shown in the following figure:


[Figure: Overall DR architecture, two-site three-center]
Sites: Production center, Intra-city DR center, Remote DR center. Network elements shown: a LAN at each site, DWDM and an SDH loop between the production center and the intra-city DR center, IP WAN to the remote DR center, and Internet access.
DR modes shown: application-level active-active mode, application-level active/standby mode, and data-level active/standby mode, applied per class A, B, and C service system at each site.
Each site runs class A, B, and C services on VMs and physical machines (Web/APP/OS tiers, with DB on physical machines). Storage: SAN and VIS with mirroring; the production center holds heterogeneous arrays (HP, IBM, EMC, HW) and the DR centers hold HW arrays, with data replication between them.

The recommended DR architecture adopts the two-site three-center mode.
In the intra-city DR center, it is recommended that class A service systems adopt the application-level active-active DR mode, class B service systems use the application-level active/standby DR mode, and class C service systems employ the data-level active/standby mode (implemented by the asynchronous replication function between arrays).
In the remote DR center, it is recommended that class A and class B service systems adopt the application-level active/standby DR mode and class C service systems use the data-level active/standby mode (implemented by the asynchronous replication function between arrays).

12.2.1 Architecture
Huawei proposes application active/standby architecture to meet DR system needs, achieve
DR goals of various application systems in XXXX, and ensure service continuity in case of
large-scale disasters. The overall architecture is shown in the following figure:


[Figure: Application active/standby DR architecture]
Production center and DR center, interconnected over IP. Each center has DR service provisioning, DR monitoring management, a SAN, and a storage pool; a DR decision-making platform spans both centers.
(1) Database-layer DR: supports heterogeneous servers and storage devices; reduces the RTO and RPO.
(2) Unified visual management and control reduce the switchover decision-making time.

Architecture description
1. Database replication software based on log-based database replication technology is used to synchronize data between the production center and the DR center.
2. The DR management platform visually monitors, in real time, the status of the DR system, the recovery time objective (RTO) and recovery point objective (RPO) indicators, and the data replication status.
Solution highlights
1. An asymmetrical architecture is supported: the production center and DR center may use heterogeneous storage and servers.
2. Second-level RPO and minute-level RTO.
3. The DR center is on standby but also provides services, in a typical Active-Query DR mode that improves resource utilization. The unified DR monitoring and decision-making platform greatly reduces decision-making time and O&M costs.

12.2.2 Storage Layer Solution


12.2.2.1 Synchronous Replication
1. Technical Overview
As a type of remote replication technology, synchronous replication allows data to be
synchronized in real time to achieve full protection for data consistency and minimize data
loss in the event of a disaster.
2. Application Scenarios
 Zero data loss
 Replication ratio can be as high as 32:1 (the sum of synchronous remote replication and asynchronous remote replication)
 Primary and secondary storage can mirror each other
 Applicable to local and intra-city data disaster recovery
3. Networking Architecture
Data consistency during synchronous replication between storage arrays is ensured by logging. The process is illustrated in the following figure.

4. Technical Highlights
The highlights and realization of synchronous replication are as follows:
a) After a synchronous replication relationship is set up between a primary LUN at the
primary site and a secondary LUN at the remote replication site, an initial synchronization is
initiated to replicate all the data from the primary LUN to the secondary LUN.
b) If the primary LUN receives a write request from the production host during the initial
synchronization, the storage system checks the synchronization progress. If the original data
block to be replaced is not synchronized to the secondary LUN, the new data block is written
to the primary LUN and the storage system returns a write success response to the host. Then,
the synchronization task will synchronize the new data block to the secondary LUN. If the
original data block to be replaced has already been synchronized, the new data block must be
written to the primary and secondary LUNs. If the original data block to be replaced is being
synchronized, the storage system waits until the data block is copied. Then, the storage system
writes the new data block to the primary and secondary LUNs.
c) After the initial synchronization is complete, data on the primary LUN and on the
secondary LUN are the same. If the primary LUN receives a write request from the
production host later, the I/O will be processed based on the following steps.
d) The primary LUN receives a write request from a production host and sets the
differential log value to differential for the data block corresponding to the I/O.
e) The data of the write request is written to both the primary and secondary LUNs. When
writing data to the secondary LUN, the primary site sends the data to the secondary site over a
preset link.
f) If data is successfully written to both the primary and secondary LUNs, the
corresponding differential log value is changed to non-differential. Otherwise, the value
remains differential, and the data block will be copied again in the next synchronization.
g) The primary LUN returns a write completion acknowledgement to the production host.
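The write path in steps a) to g) is easiest to follow as a small simulation. The following is an added example, not the storage array's own code: the LUNs are lists of blocks, the replication link is a flag, and the differential log is one flag per block. It shows the three cases a host write can hit during the initial synchronization, and why a write whose mirror copy fails is still acknowledged to the host yet stays marked in the differential log until the next synchronization repairs it.

```python
# Added example, not the storage array's own code: a toy model of the
# synchronous-replication write path in steps a) to g) above. The LUNs are
# lists of blocks, the "link" is a flag, and the differential log is one flag
# per block; block size and timing are left out.

class SyncPair:
    def __init__(self, nblocks):
        self.primary = [b"\x00"] * nblocks
        self.secondary = [b"\x00"] * nblocks
        self.differential = [False] * nblocks  # differential log, one entry per block
        self.synced_upto = 0                    # initial-sync progress: blocks < this are copied
        self.initial_done = False
        self.link_up = True                     # simulated replication link state

    def initial_sync(self, upto=None):
        """a) copy blocks primary -> secondary; stopping early leaves a partial sync."""
        upto = len(self.primary) if upto is None else upto
        for i in range(self.synced_upto, upto):
            self.secondary[i] = self.primary[i]
        self.synced_upto = upto
        self.initial_done = upto == len(self.primary)

    def _mirror(self, i, data):
        """Send one block to the secondary site; False if the link is down."""
        if not self.link_up:
            return False
        self.secondary[i] = data
        return True

    def write(self, i, data):
        """Host write to block i. Returns True when the host is acknowledged."""
        if not self.initial_done:
            # b) during the initial synchronization
            if i >= self.synced_upto:
                # original block not yet copied: write primary only, ack the
                # host; the running sync task will carry the new data across
                self.primary[i] = data
                return True
            # block already copied (a block mid-copy is serialized here, which
            # is the "wait until copied" case): write primary and secondary
            self.primary[i] = data
            self._mirror(i, data)
            return True
        # c) after the initial sync, steps d) to g)
        self.differential[i] = True            # d) mark the block differential
        self.primary[i] = data                 # e) write primary ...
        if self._mirror(i, data):              #    ... and secondary over the link
            self.differential[i] = False       # f) both succeeded -> non-differential
        return True                            # g) ack host; a failed mirror stays marked

    def resync(self):
        """Next synchronization: re-copy blocks still marked differential.
        Returns the number of blocks that are still out of sync."""
        for i, dirty in enumerate(self.differential):
            if dirty and self._mirror(i, self.primary[i]):
                self.differential[i] = False
        return sum(self.differential)

    def consistent(self):
        return self.primary == self.secondary
```

The value of the differential log is in the failure case: after `link_up = False` a write is still acknowledged, `consistent()` is False, and `resync()` reports the block as outstanding until the link returns, which is exactly the state a DR operator needs to see before trusting the secondary copy.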


12.2.2.2 Asynchronous Replication


1. Technical Overview
Asynchronous replication is another type of remote replication technology that periodically
synchronizes data to minimize service performance deterioration caused by the long latency
of long-distance data transmission.
2. Application Scenarios
 Small impact on performance, and the RPO can be five seconds
 Replication ratio can be as high as 32:1 (the sum of synchronous remote replication and asynchronous remote replication)
 Primary and secondary storage can mirror each other
 Applicable to local, intra-city, and remote data disaster recovery
3. Networking Architecture
The asynchronous replication of the storage array is realized as follows.

4. Technical Highlights
The highlights and workflow of asynchronous replication are described below:
a) After an asynchronous remote replication relationship is set up between a primary LUN
at the primary site and a secondary LUN at the secondary site, an initial synchronization is
initiated to replicate all the data from the primary LUN to the secondary LUN.
b) If the primary LUN receives a write request from the production host during the initial
synchronization, data is written only to the primary LUN.
c) After the initial synchronization, the status of the secondary LUN is synchronized or
consistent. (If the host sends no write request during the initial synchronization, the status of
the secondary LUN is synchronized; otherwise, the status is consistent). Then, I/Os are
processed according to the following steps.
d) The primary LUN receives a write request from a production host.
e) After data is written to the primary LUN, a write completion response is immediately
returned to the host.
f) Incremental data is automatically synchronized from the primary LUN to the secondary LUN based on the user-defined synchronization period, which ranges from 1 to 1440 minutes. (If the synchronization type is Manual, users need to trigger the synchronization manually.) Before synchronization starts, a snapshot is generated for each of the primary LUN and the secondary LUN. The snapshot of the primary LUN ensures that the data read from the primary LUN during the synchronization remains unchanged. The snapshot of the secondary LUN backs up the secondary LUN's data in case the data becomes unavailable when an exception occurs during the synchronization.
g) During the synchronization, data is read from the snapshot of the primary LUN and copied to the secondary LUN.
h) After the synchronization is complete, the snapshots of the primary LUN and the secondary LUN are canceled, and the next synchronization period starts.
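The following is an added example, not the storage array's own code, modelling steps a) to h) of the asynchronous workflow. It makes two points the prose states but does not show: a write that arrives while a synchronization is running is not copied half-way (the copy reads from the primary snapshot), and a synchronization that fails part-way is undone from the secondary snapshot so the secondary remains a consistent, if older, image. Time, snapshots and the copy fault are simulated.

```python
# Added example, not the storage array's own code: a toy model of the periodic,
# snapshot-based asynchronous replication of steps a) to h) above. Writes are
# acknowledged as soon as they hit the primary; every `period` minutes the
# changed blocks are copied out of a snapshot of the primary, and a snapshot of
# the secondary is kept so that a copy that fails half-way can be undone.

class AsyncPair:
    def __init__(self, nblocks, period_minutes=5):
        self.primary = [b"\x00"] * nblocks
        self.secondary = [b"\x00"] * nblocks
        self.dirty = set()                # blocks written since the last good sync
        self.period = period_minutes      # user-defined period, 1 to 1440 minutes
        self.clock = 0
        self.last_sync = 0
        self.status = "synchronized"      # secondary status per step c)
        self.fail_at = None               # constructed fault: copying this block fails

    def write(self, i, data):
        """d)-e) write the primary and return the completion to the host at once."""
        self.primary[i] = data
        self.dirty.add(i)
        return True

    def tick(self, minutes=1):
        """Advance the clock; a synchronization runs each time a period elapses."""
        for _ in range(minutes):
            self.clock += 1
            if self.clock % self.period == 0:
                self.synchronize()

    def synchronize(self, mid_copy_writes=()):
        """f)-h) one synchronization cycle. `mid_copy_writes` stands in for host
        writes that arrive while the copy is running."""
        if not self.dirty:
            return "nothing to do"
        primary_snap = list(self.primary)       # f) snapshot of the primary LUN ...
        secondary_snap = list(self.secondary)   #    ... and of the secondary LUN
        to_copy = sorted(self.dirty)
        self.dirty = set()
        for i, data in mid_copy_writes:
            self.write(i, data)                 # lands on the live primary, not the snapshot
        try:
            for i in to_copy:
                if i == self.fail_at:
                    raise IOError(f"link error while copying block {i}")
                # g) data is read from the primary snapshot, so the secondary
                # receives a consistent point-in-time image despite concurrent writes
                self.secondary[i] = primary_snap[i]
        except IOError:
            self.secondary = secondary_snap     # roll back to the secondary snapshot
            self.dirty.update(to_copy)          # everything is retried next period
            self.status = "consistent"          # secondary is a valid but older image
            return "rolled back"
        # h) snapshots are released and the next period starts
        self.last_sync = self.clock
        self.status = "synchronized" if not self.dirty else "consistent"
        return "synchronized"

    def rpo_minutes(self):
        """Worst-case data loss right now: minutes since the last good sync."""
        return self.clock - self.last_sync
```

`rpo_minutes()` shows the practical consequence of the chosen period: between two synchronizations the exposure grows up to the period length, which is the quantity to compare against the RPO target of the service class.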

12.2.2.3 Primary and Secondary Switchover


Primary and secondary switchover is supported during data replication between storage
arrays.
The primary LUN at the primary site becomes the new secondary LUN after the switchover,
and the secondary LUN at the secondary site becomes the new primary LUN. Users just need
to perform some simple operations on the host side. The major operation is to map the new
primary LUN to the standby production host (which can be performed in advance). Then, the
standby production host at the secondary site takes over services and delivers new read and
write requests to the new primary LUN.
When links become abnormal, users can perform a mandatory primary/secondary switchover
which allows them to access data on the new primary LUN at the secondary site. Once the
mandatory primary/secondary switchover is complete, the new primary LUN has no
secondary LUNs. To replicate this new primary LUN, a secondary LUN must be assigned to
it.
A primary/secondary switchover can be completed within a few seconds. Therefore, services
at two sites away from each other can be flexibly switched with ensured data consistency.
Primary/Secondary switchover

12.2.3 Database Layer Solution


12.2.3.1 Technical Overview
Oracle Data Guard provides the management, monitoring, and automation software to create
and maintain one or more standby databases to protect Oracle data from failures, disasters,
human error, and data corruptions. A standby database can be either a physical standby
database or a logical standby database.


Administrators can choose either manual or automatic failover of production to a standby system if the primary system fails, in order to maintain high availability for mission-critical applications. Figure 1 Data Guard shows the architecture of Oracle Data Guard. Overview of Oracle Data Guard:

Data Guard is one of the multiple integrated high availability (HA) features of the Oracle database shown in the figure that ensure business continuity by minimizing the impact of planned and unexpected downtime.

• In addition to data protection and availability, Data Guard standby databases deliver a high return on investment by supporting ad-hoc queries, reporting, backups, or test activities while in the standby role. Specifically:
• The Active Data Guard option (Oracle Database 11g) enables a physical standby database to be used for read-only applications while simultaneously receiving updates from the primary database. Queries executed on an active standby database return up-to-date results.

• Snapshot Standby enables a physical standby database to be opened read-write for testing or any activity that requires a read-write replica of production data. A Snapshot Standby continues to receive, but not apply, updates generated by the primary. These updates are applied to the standby database automatically when the Snapshot Standby is converted back to a physical standby database. Primary data is protected at all times.

• A logical standby database has the additional flexibility of being open read-write. While data that is being maintained by SQL Apply cannot be modified, additional local tables can be added to the database, and local index structures can be created to optimize reporting, to utilize the standby database as a data warehouse, or to transform information used to load data marts.

• Standby databases can be used to perform planned maintenance in a rolling fashion. Maintenance is first performed on a standby database. Production is switched over to the standby database when the maintenance tasks are complete. The only downtime is the time needed to effect a switchover operation. This increases availability and reduces risk when performing hardware, OS, or site maintenance, upgrading to new database patch sets or full database releases, or when implementing other significant database changes.

• A physical standby database, because it is an exact replica of the primary database, can
also be used to offload the primary database of the overhead of performing backups.
A Data Guard configuration includes a production database, referred to as the primary
database, and up to 30 standby databases. Primary and standby databases connect over
TCP/IP using Oracle Net Services. There are no restrictions on where the databases are
located provided that they can communicate with each other. A standby database is initially
created from a backup copy of the primary database. Data Guard automatically synchronizes
the primary database and all of its standby databases by transmitting primary database redo
(the information used by Oracle to recover transactions) and applying it to the standby
database.

12.2.3.2 Data Guard Transport Services


As users commit transactions at a primary database, Oracle generates redo records and writes
them to a local online log file. Data Guard transport services transmit the redo to a standby
database either synchronously or asynchronously, where it is written to a standby redo log
file, as shown in step one in Figure 1-3. Redo may be transmitted in compressed format to
reduce bandwidth requirements by using the Oracle Advanced Compression Option.
Synchronous redo transport (SYNC) causes the primary database to wait for confirmation
from the standby database that redo has been hardened to disk before it will acknowledge
commit success to the application, providing zero data loss protection. Primary database
performance is impacted by the sum of the time required for the standby redo log file I/O to
complete and network round-trip time.
Data Guard 11g Release 2 is designed to reduce the impact to primary performance of
synchronous transport. Redo is now transmitted to the remote standby in parallel with the
local online log file I/O on the primary database, effectively eliminating standby I/O from
impacting total round trip time. This enables greater geographic separation between primary
and standby databases in a synchronous zero data loss configuration. On low latency
networks, it can reduce the impact of SYNC replication on primary database performance to
near zero, making it attractive to complement a remote asynchronous redo transport (ASYNC)
standby with a local SYNC standby for zero data loss HA protection against component and
database failures (SAN failure for example).


12.2.3.3 Protection Modes


Data Guard provides three modes of data protection to balance cost, availability, performance, and data protection. Each mode uses a specific redo transport method and establishes rules that govern the behavior of the Data Guard configuration should the primary database ever lose contact with its standby. The following table describes the characteristics of each mode.

Protection Mode | Risk of Data Loss | Transport | If No Acknowledgement from the Standby Database, Then...
Maximum Protection | Zero data loss and double failure protection | SYNC | Stall the primary database until acknowledgement is received from the standby database.
Maximum Availability | Zero data loss and single failure protection | SYNC | Stall the primary database until acknowledgement is received or the NET_TIMEOUT threshold period expires, and then resume processing.
Maximum Performance | Potential for minimal data loss | ASYNC | The primary database never waits for standby acknowledgement.
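The table above and the transport discussion in 12.2.3.2 can be turned into a small decision model. The following is an added example, not from the proposal or from Oracle: it simulates what each protection mode does with a commit when the standby acknowledges late or not at all, and carries out the commit-latency arithmetic for serialized versus parallel SYNC transport. NET_TIMEOUT is the attribute named in the table; its value, the standby's behaviour and the latency figures are simulated inputs, and the latency model is a simplification.

```python
# Added example, not from the proposal or from Oracle: a model of how each
# protection mode in the table above reacts to a standby that does not
# acknowledge redo, and the commit-latency arithmetic behind the 12.2.3.2
# discussion of serialized versus parallel SYNC transport. NET_TIMEOUT is the
# attribute named in the table; its value and the standby behaviour are simulated.
from enum import Enum

class Mode(Enum):
    MAX_PROTECTION = "Maximum Protection"       # SYNC, stall until acknowledged
    MAX_AVAILABILITY = "Maximum Availability"   # SYNC, stall until ack or NET_TIMEOUT
    MAX_PERFORMANCE = "Maximum Performance"     # ASYNC, never wait

def commit(mode, standby_ack_after, net_timeout=30):
    """Simulate one commit on the primary.

    standby_ack_after: seconds until the standby confirms the redo is on disk,
    or None if it never answers (standby or link down).
    Returns (committed, seconds_waited, redo_acknowledged_at_commit).
    """
    if mode is Mode.MAX_PERFORMANCE:
        # the application is acknowledged first; redo ships asynchronously
        return True, 0, False
    if mode is Mode.MAX_PROTECTION:
        if standby_ack_after is None:
            return False, float("inf"), False   # primary stalls: no commit without the standby
        return True, standby_ack_after, True
    # MAX_AVAILABILITY
    if standby_ack_after is None or standby_ack_after > net_timeout:
        return True, net_timeout, False         # resume after NET_TIMEOUT; the gap is resolved later
    return True, standby_ack_after, True

def data_loss_possible(mode, standby_ack_after, net_timeout=30):
    """Could this commit be lost if the primary site failed right after it?"""
    committed, _, acked = commit(mode, standby_ack_after, net_timeout)
    return committed and not acked

def sync_commit_latency_ms(local_io_ms, rtt_ms, standby_io_ms, parallel=True):
    """Commit latency under SYNC transport (simplified). Serialized: local
    online-log I/O plus network round trip plus standby redo-log I/O. With the
    11g R2 behaviour described in 12.2.3.2 the remote send overlaps the local
    I/O, so the primary pays only the longer of the two paths."""
    remote = rtt_ms + standby_io_ms
    return max(local_io_ms, remote) if parallel else local_io_ms + remote
```

The three modes differ only in what happens when the acknowledgement does not come: Maximum Protection trades availability for a guaranteed zero-loss commit, Maximum Availability keeps the primary running after NET_TIMEOUT at the price of an unacknowledged commit, and Maximum Performance accepts that exposure on every commit. `sync_commit_latency_ms` quantifies why the parallel transport makes a local SYNC standby affordable: the standby's redo-log I/O no longer adds to the round trip.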

12.2.3.4 Application Scenarios


Oracle Data Guard is mainly deployed on the active and standby data centers of an application, which brings the following benefits:
 Reliably delivers aggressive recovery point (RPO, data protection) and recovery time (RTO, data availability) objectives.
 Provides the management, monitoring, and automation software to create and maintain one or more synchronized standby databases that protect data from failures, disasters, errors, and corruptions.
 Avoids data loss and downtime when the production site is unavailable.
 Supports a maximum of 30 standby databases for one primary database.

12.2.3.5 Networking Architecture


As shown in the following figure, two Oracle RACs are configured, one for each data center. The active and standby data centers implement application-level DR between Oracle databases by using Oracle Data Guard, which supports synchronous and asynchronous database protection. The active and standby databases interconnect over IP links. The required bandwidth is calculated from the actual data volume, independent of the distance. The active and standby data centers can use storage arrays from different vendors, that is, heterogeneous storage.

12.3 ReplicationDirector Management


Huawei OceanStor ReplicationDirector is DR management software designed for typical Huawei DR solutions. Building on application data consistency, snapshot, and remote replication, it provides a GUI-based, process-driven platform for simple and fast operation and monitoring. ReplicationDirector supports application awareness (automatic application identification, application data consistency protection, and automatic application start), simplified management (GUI-based topology, flexible policy-driven protection, one-click failback, and DR solution monitoring), and DR testing (recoverability verification and one-click testing). These features greatly simplify DR solution management and reduce management cost. ReplicationDirector can be used to manage typical Huawei DR solutions such as high-availability, point-to-point, active-active, and 3DC solutions.
Based on the synchronous and asynchronous replication technologies provided by Huawei storage, the 3DC DR solution can cover more distant DR centers than the point-to-point DR solution, and so offers a higher DR capability and a wider DR scope. In the 3DC DR solution, ReplicationDirector provides:


1. End-to-end management of DR resources, including service host applications, VIS, service storage devices, intra-city DR storage devices, and remote DR storage devices.
2. Management of the production center, intra-city DR center, and remote DR center.
3. Protection of data replication between service storage devices, intra-city DR storage devices, and remote DR storage devices.
4. DR testing and recovery management when switching services from the production center to the intra-city or remote DR center.
The 3DC DR solution adopts either a cascading or a parallel networking mode. The cascading networking mode has little impact on services at the production center, but service failback from the remote DR center is complex. With the cascading networking mode, the 3DC DR solution can later be smoothly upgraded to a cloud DR solution. The parallel networking mode, in contrast, has a greater impact on services at the production center, but service failback from the remote DR center is simpler, the same as in the point-to-point DR solution.

12.4 Key Features


Application awareness
 Automatically identifies service application types and instances.
 Works together with HostAgent to ensure DR data consistency.
 Automatically starts applications during DR process.
Simplified management
 Provides GUI-based DR topology view.
 Supports flexible protection policies for DR objects.
 Supports user-definable recovery processes and one-click recovery and switchover.
 Provides end-to-end real-time monitoring of the DR solution.
 Supports permission- and domain-specific user management.
 Supports RESTful northbound interfaces, and can be integrated with other management
systems owned by customers.
DR testing
 Verifies DR data recoverability through dedicated DR tests.
 Supports user-definable test procedures, one-click testing, and environment cleaning.


13 NDC2 Solution Advantages and Values

13.1 Diverse Applications&Cloud Services


The Huawei NDC2 solution provides diverse applications and advanced cloud-based
computing resource platforms for data centers. The Huawei NDC2 solution provides the
following typical services:
 e-Government: improve public services and the government's image through innovation, collaboration, and one-stop services; reduce operation costs through unified data management, data mining, and data sharing; enable transparent governance through disclosure of information about procedures and decision-making.
 e-Education: share high-quality education resources to maximize their value; enable flexible ways of acquiring knowledge and learning to build a learning society; promote balanced development of education.
 e-Health: improve information sharing and collaboration among all kinds of healthcare organizations; alleviate the pressure caused by insufficient medical resources; help the MOH make correct and quick decisions.
 e-Social Insurance: one smart card integrated with multiple functions; one social security number; one e-ID card, usable nationwide.
 e-Police: replaces the traditional, labor-intensive police affairs processing mode and improves police affairs processing efficiency.
 Cloud host resource application self-service: helps end users apply for resources quickly, flexibly, and conveniently through self-service application management interfaces.
 Virtual desktop services: provide customers with complete and secure office desktop solutions that simplify desktop management.
 Cloud storage services: provide end users with centralized online storage, allowing users to store and retrieve their data anywhere, by any means.
 Collaboration communication services: provide customers with typical services such as instant messaging and online conferencing.

13.2 Open Architecture


The Huawei NDC2 solution is developed based on a service-oriented architecture (SOA)
concept and existing IT infrastructure. It ensures scalability, flexibility, and evolution
capability of the existing IT infrastructure. In addition, the service design and IT infrastructure
are loosely coupled, which allows the IT architecture to support diversified services and quick
service rollout. The Huawei NDC2 solution architecture design has the following advantages:


 Based on Huawei's years of experience and expertise in the telecommunications industry, the cloud computing network solution uses cutting-edge network design methods, technologies, and products to ensure that the data center network architecture meets long-term service evolution requirements.
 Time-tested cloud computing design solution: The cloud computing platform solution uses Huawei's independently developed virtualization products. Huawei's rich cloud computing project experience and strict Integrated Product Development (IPD) process ensure the advancement and reliability of the cloud computing solution.
 Cutting-edge carrier-class management solution: The Huawei cloud computing management solution covers network element (NE) management, network management, and cloud platform computing resource management. Huawei also integrates advanced products in the industry to provide multi-dimensional management systems, such as service management systems. It meets large-scale data center O&M management requirements and forms a complete data center management system.

13.3 Unified Management


ManageOne is the unified management platform. It is an easy-to-use, unified management platform with security policies and high scalability. Physical and virtual resources in a single data center or in multiple distributed data centers, and diverse virtualization technologies, can be managed in a unified manner. The unified management platform enables agile operation, supports the self-service mode, and speeds up service delivery.

13.4 Security and safe information center


The Huawei security solution is developed based on Huawei's experience in constructing
traditional data centers and cloud computing data centers, reflecting Huawei's competitiveness
in this industry. Huawei leverages the following strengths to develop the security solution:
 Huawei's rich carrier-class data center security products
 Deep understanding of security specifications of the telecommunications industry
 Huawei's rich experience in data center security control
 Profound project experience in telecommunications network security management
Huawei proposes a data center security framework and provides an end-to-end (E2E)
security solution that meets all the security requirements of data centers.

13.5 Strong Integration Delivery Capabilities


Huawei has set up data center-oriented integration service delivery teams around the
world. The delivery teams can deliver E2E data center solutions based on Huawei
software and hardware products or third-party products. In addition, the front-line
delivery team cooperates with the R&D team to provide customized services and
solutions based on the specific requirements of customers. This integration delivery mode
has been verified by users in the telecommunications industry and other industries all
over the world.
Huawei also has global service support teams to provide local support for users during the
data center construction process and follow-up O&M management. The service support team
at Huawei headquarters provides 24/7 O&M management support to service support
teams around the world so that they can respond to user requests in a timely manner, solve
problems, and ensure stable and reliable service provisioning.
After the Huawei data center solution is successfully delivered, various value-added
services, such as health check tools, are provided to ensure stable and efficient running of
user data centers.

14 NDC2 Resource Plan

Based on the NDC2 solution, the data center resource plan is listed in the following tables.
To meet the requirements of small, medium, and large application scenarios, three
public cloud data center resource plans are available.
In the small application scenario:
Number of servers: 10

Table 14-1 NDC2 resource plan (production data center)

Device Type | Device Model | Device Configuration | Number of Devices | Remarks
Network | CE6850 | 15 x 10GE optical module, 2 x 40GE optical module | 2 | Core switch with resource pool
Network | S3328 | - | 1 | Access server BMC port and other driver management port
Network | S5328 | 2 x 10GE optical module | 2 | Access CSB database server and eSight server
Network | E1000E-X5 | 2 x 10GE optical module | 2 | Firewall
Cloud computing resource pool | RH2288H V2 | 2 x E5-2695, 8 x 16 GB DIMM, and 12 x 2TB SATA | 10 | MCNA: 2, LCNA: 3, SCNA: 5
Virtualization software | FusionSphere | - | 20 | 20 CPUs
Virtualization software | FusionStorage | - | 240 | 240TB
CSB | CSB | XXX license | 1 | -
CSB | RH2288H V2 | 2 x E5-2650, 8 x 16 GB DIMM, and 2 x 300GB SAS | 2 | -
CSB | S5500T | 5 x 600GB SAS | 1 | -
ManageOne | OC | XXX license | 1 | -
ManageOne | eSight | XXX license | 1 | -
ManageOne | RH2288H V2 | 2 x E5-2640, 4 x 8GB DIMM, and 3 x 300GB SAS | 1 | -

Table 14-2 NDC2 resource plan (disaster data center)

Device Type | Device Model | Device Configuration | Number of Devices | Remarks
Network | CE6850 | 15 x 10GE optical module, 2 x 40GE optical module | 2 | Core switch with resource pool
Network | S3328 | - | 1 | Access server BMC port and other driver management port
Network | S5328 | 2 x 10GE optical module | 2 | Access CSB database server and eSight server
Network | E1000E-X5 | 2 x 10GE optical module | 2 | Firewall
Cloud computing resource pool | RH2288H V2 | 2 x E5-2695, 8 x 16 GB DIMM, and 12 x 2TB SATA | 10 | MCNA: 2, LCNA: 3, SCNA: 5
Virtualization software | FusionSphere | - | 20 | 20 CPUs
Virtualization software | FusionStorage | - | 240 | 240TB
CSB | CSB | XXX license | 1 | -
CSB | RH2288H V2 | 2 x E5-2650, 8 x 16 GB DIMM, and 2 x 300GB SAS | 2 | -
CSB | S5500T | 5 x 600GB SAS | 1 | -
ManageOne | OC | XXX license | 1 | -
ManageOne | eSight | XXX license | 1 | -
ManageOne | RH2288H V2 | 2 x E5-2640, 4 x 8GB DIMM, and 3 x 300GB SAS | 1 | -

15 Best Practice References

15.1 Best Practice Reference of e-Policy


15.1.1 Venezuela Safe City National DC
With crime on the rise, local citizens and the government of Venezuela are calling for
stronger social security management.
The system is built with 1 national data center, 7 war zone centers, 16 city
centers, 16 regional centers, 200 police stations, and 5 modes.

Figure 15-1 Venezuela Safe City National Data Center

Deployment of 30,000 HD cameras, 150 base stations, 40 modular data centers, and 7,000
LTE portable terminals;
Incident taking and dispatching systems, a comprehensive dispatch system, and an integrated
intelligent analysis system;
Establishment of level 5 national security and intelligence networks, greatly improving
national intelligence information sharing;
Greatly improved citizen satisfaction with the public security environment;
The intelligent video surveillance system gradually replaces manual operation, greatly
reducing labor costs.

15.1.2 China Hefei Safe City Data Center


Newly established networking platforms, enabling resource sharing among all functional
departments;
One hands-on platform, achieving pre-event prevention, detective controls, and post-event
evidence collection;
Reuse of the former public security video surveillance resources, helping customers reduce
their investment.

Figure 15-2 China Hefei Safe City Data Center

Networking platforms are established in 1 council, 7 county branches, and 42 police
stations;
Deployment of 16,000 cameras, reuse of 2,000 cameras, and use of video-aided
investigation to implement intelligence analysis;
Visual integrated emergency command and scheduling system;
Three-level monitoring network, achieving resource sharing;
Improved efficiency of public security work in prevention, control, and crime fighting;
Support for the original surveillance equipment from multiple vendors, reducing investment
by roughly 20%.

15.2 Best Practice Reference of e-Health


15.2.1 e-Health Solution for Angola
Background and Challenges
 Bottlenecks in health and medical development.
 Very low efficiency of hospital office work.
 Difficult medical budget management for the government.

Huawei Solution
 Offer a hospital information system, iPACS, and other digital hospital systems.
 Offer a customized office automation (OA) system and email system for the
government, universities, and hospitals.
 Offer a government data center for the Angolan government to provide hosting capabilities
for e-government applications.
 Offer an information security system for the government and hospitals.
 Offer VoIP and video conference systems.
 Set up a government-specific network.

Customer Benefits
 Improved informatization level of hospitals in Angola. With the digital hospital
systems, the hospitals operate more effectively and the people of Angola receive better medical
service.
 Integration of health care resources to promote resource exchange and cooperation
between hospitals.
 With the OA and email systems, the government, universities, and hospitals work more
efficiently and office tasks can be handled more quickly.

15.2.2 Telemedicine System of the First Affiliated Hospital of Zhengzhou University
Background and Challenges

 The First Affiliated Hospital of Zhengzhou University is a large-scale upper
first-class hospital with over 7,000 sickbeds.
 Highly difficult surgical operations require HD video assistance and faithful
reproduction of operation video.
 Real-time communication between remote specialist consultation rooms.
 Internal training and medical discussion.
Huawei Solution
 Provide a remote health care system of the largest scale and highest technical standard. It
is built from a telepresence emergency command center, a telepresence consultation room, a
remote classroom, a surgery live room, remote points around the city, satellite
communications, and clinic vehicles, covering the points of care in Henan Province.
 The solution covers telepresence and HD networking (120 HD video endpoints)
throughout the province, and can implement telemedicine and HD transfer of operating
pictures.

Customer Benefits
 The system makes the First Affiliated Hospital of Zhengzhou University the center of the
provincial telemedicine platform, maximizes the sharing of expert resources, and improves the
uneven distribution of medical resources in Henan Province. It greatly enhances the status
and influence of the First Affiliated Hospital of Zhengzhou University in the medical
profession in China.

15.3 Best Practice Reference of e-Education


15.3.1 Huawei National Data Center Makes Ethiopia
Education More Efficient
Background
The Ethiopian Government has made the development of information and communications
technology (ICT) one of its strategic priorities. The endorsed and currently enforced ICT policy
demonstrates its commitment to the development of ICT both as an industry and as an
enabler of socio-economic transformation. The policy stems from the Government's
recognition of ICT as the key driver and facilitator for transforming Ethiopia's predominantly
subsistence-agriculture economy into an information and knowledge-based economy and
society, effectively integrated into the global economy.
One of the guiding principles of the Ethiopian government ICT policy is that the government
shall actively collaborate with the private sector, civil society organizations, and communities to
promote and encourage the use of ICT towards transforming Ethiopia into the knowledge and
information age.
The government of Ethiopia is creating a favorable environment to enhance the exploitation of
ICTs for accelerated socio-economic development by elaborating and institutionalizing
the national ICT development framework and by creating the former Ethiopian ICT
Development Agency (EICTDA) and the current Ministry of Communication and Information
Technology (MCIT), which is responsible for coordinating and supervising the planning and
implementation of Communication and Information Technology development initiatives and
ICT policies.
Challenges
• Growing computing need: The Addis Ababa Education Bureau has 300+
government schools in Addis Ababa.
• Difficult O&M: Scattered locations (classrooms, libraries, and office rooms on different
campuses) of PCs decrease O&M efficiency during each system update, upgrade, and
hardware maintenance.
• Extra cost: A poor power grid environment and UPS protection for each PC bring
high extra costs.
Solution

Figure: Huawei E2E Product and Service (architecture diagram)
Applications layer: school information management systems, web-based digital library,
education cloud and schools, VOD and streaming, desktop cloud, backup & recovery,
AD/DNS/DHCP, email, and VSS, with eSight as the unified management platform
(integrated and modular solution, elastic computing).
Platform layer: Huawei FusionSphere Cloud OS.
Infrastructure layer: modular data center, IP networking, server, storage, and security.
Terminals: thin client, camera, plasma, PC, smart phone, tablet, and IP phone.

 Huawei provides a total ICT solution
Education ICT planning, e-Education solution design, desktop cloud, WAN (Wide Area
Network), data center management system, and IT infrastructure system.
 Centralized cloud data center and e-Education platform in MOHE
Huawei E2E FusionCloud solution, including one national cloud data center and one national
operation center.
 One-stop MicroDC for access in the schools
Phase one: 65 high-efficiency VDI sites, supporting 5,200 desktop users in total,
with good-quality video playback.

16 Appendix

16.1 Acronyms and Abbreviations


A
ACL access control list
AD active directory
API Application Programming Interface

B
BIOS basic input/output system
BMC baseboard management controller
BPS bit per second

C
CA Certificate Authority
CAS central authentication service
CIM common information model
CMDB configuration management database
CPU central processing unit

D
DDoS distributed denial of service
DMZ demilitarized zone
DNET destination network address translation
DNS domain name system

E
EJB enterprise JavaBean

F
FSMO flexible single master operation
FTP File Transfer Protocol
FW firewall

H
HA high availability
HMC hardware management console
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure

I
IDS intrusion detection system
Internet internetwork
IP Internet Protocol
IPMI Intelligent Platform Management Interface
IPS intrusion prevention system
IPsec Internet Protocol Security
ISO International Organization for Standardization
IT information technology
ITIL information technology infrastructure library
ITSM IT service management

J
JDBC Java database connectivity
JMS Java message service
JMX Java management extensions
JSP Java server pages
JTA Java Transaction API
JVM Java virtual machine

L
LAN local area network
LDAP Lightweight Directory Access Protocol

LLDP Link Layer Discovery Protocol
LR local regression
LUN logical unit number

N
NAS network attached storage
NAT Network Address Translation
NetBIOS network basic input/output system
NPS network policy server
NTP Network Time Protocol

O
OA office automation
Orchestrator orchestrator
OS operating system

P
PDF portable document format
PKI public key infrastructure
PXE preboot execution environment

Q
QoS quality of service

R
RADIUS Remote Authentication Dial In User Service
RAM random access memory
REST Representational State Transfer

S
SAML Security Assertion Markup Language
SAN storage area network
SLA service level agreement
SLO service level objectives
SMI-S storage management initiative specification
SNET source network address translation

SNIA Storage Networking Industry Association
SNMP Simple Network Management Protocol
SOA service-oriented architecture
SOAP Simple Object Access Protocol
SSH Secure Shell
SSL Secure Sockets Layer
Syslog system log

T
TCO total cost of ownership
TCP Transmission Control Protocol
TLS Transport Layer Security
Topo topology

U
UDP User Datagram Protocol
UI user interface
UMA unified maintenance and audit
URL uniform resource locator

V
VDC Virtual Data Center
VEM VM encryption management
VES VM encryption system
VLAN virtual local area network
VM virtual machine
VPC Virtual Private Cloud
VPN virtual private network

W
WBEM Web-based enterprise management
WMI Windows management instrumentation

X
XML Extensible Markup Language
