After you have configured and set up the hub site, add devices to Cisco IWAN and provision them to the sites.
Greenfield and Brownfield Devices
You can add and provision two types of devices:
– Greenfield devices are brand new out-of-the-box routers.
  – Discovered by the Cisco Plug-n-Play (Cisco PnP) application.
  – No pre-existing configurations to synchronize with IWAN-based configuration, no configuration conflicts to address.
– Brownfield devices belong to existing sites that are being added to Cisco IWAN.
  – Discovered by the Cisco APIC-EM application.
  – May have pre-existing configurations to synchronize with IWAN-based configuration.
  – While provisioning a brownfield device, the IWAN app performs a validation step to determine whether any configuration conflicts exist. If an error or warning is reported, correct the issue on the device and perform the validation again. See Brownfield Validation Messages.
Use of network address translation (NAT) is supported for WAN links connected to public Internet clouds for all topologies—both for greenfield devices (using PnP discovery) and brownfield branch devices (discovered through APIC-EM). Both static NAT and dynamic NAT are supported.
For greenfield devices, the PnP application discovers the device if the device is reachable by APIC-EM, irrespective of whether there is a NAT router. Ensure that the device is reachable by APIC-EM.
For brownfield devices, discover the device using the external or public IP address.
To enable connections from Cisco APIC-EM to the NAT router during provisioning, enable port forwarding on the NAT router with the following standard ports. This is required for both greenfield and brownfield devices.
After the provisioning is complete and the branch devices are managed by Cisco APIC-EM using the loopback interface, you can optionally remove these configurations.
Note The NAT router is not managed by Cisco IWAN. Configure the NAT router manually.
Note Spoke behind NAT supports many-to-one, many-to-many, and PAT translations. Many-to-one and PAT translations are the most common scenarios.
The IWAN app supports network topologies in which the APIC-EM controller communicates with spoke (branch) sites through network address translation (NAT).
When setting up an APIC-EM-behind-NAT network, configure the NAT public IP address of the APIC-EM controller before provisioning any spoke sites. Configure the address in the following location:
IWAN app home page > Configure Hub Site & Settings > System tab > IP Address section
IWAN App Provides the NAT Public IP Address to Spoke Devices
Spoke devices that connect to the APIC-EM controller through a public link (such as INET) require the NAT public address of the controller.
Note During provisioning, add a brownfield spoke site using its public link interface IP address, or its NAT public IP address (in the case of spoke-behind-NAT).
Add devices to Cisco IWAN and then provision them to the sites:
– Adding and Provisioning Greenfield Devices to the Branch Site
– Adding and Provisioning Brownfield Devices to the Branch Site
You can bootstrap devices discovered by the Cisco PnP application. These are greenfield devices.
Use this procedure to download a bootstrap file.
Step 1 From the Cisco IWAN home page, click Manage Branch Sites. The Sites page opens.
Step 2 Click the Bootstrap tab. The bootstrap files that are available for download are displayed.
Step 3 From the Download column, click the download bootstrap icon to download the bootstrap file to a local directory on your computer. If required, you can use this file as a template to manually copy to the device so that PnP can call-home.
For details, see the Cisco Open Plug-n-Play Agent Configuration Guide at: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/pnp/configuration/xe-3e/pnp-xe-3e-book.html.
Use this procedure to add greenfield devices that are discovered by the Cisco PnP application and provision them to the branch site.
Note
– Saving the configuration: Before you use the devices to provision the site, we recommend that you save the running configuration in flash or bootflash in the IWAN_RECOVERY.cfg file so that you can restore the configuration if needed.
– There must be at least 16 VTY lines configured.
– The IWAN app supports configuration of a 4G/cellular interface for Cisco ISR4000 Series routers at branch sites.
– The IWAN app supports many types of routing and switching devices at branch sites, but support for some features is limited to specific types of devices. The following table describes supported connection types.
Step 1 From the Cisco IWAN home page, click Manage Branch Sites. The Sites page opens.
Step 2 Click the Device(s) tab. A list of unclaimed devices is displayed as shown in the following figure:
Step 3 Select the checkbox next to the greenfield device(s) that you want to use, and then click the Provision Site tab. The Select Topology tab opens and displays the available topologies.
The available topology options depend on the network settings configured for the hub site on the IWAN app “Network wide settings” page. See the configuration of service provider count in Configuring IP Address Pools and the topology in Configuring Service Providers.
Note To determine if the device is brownfield or greenfield, look at the Discovered By column in the Add Devices page. PNP indicates that it is a greenfield device. APIC indicates that it is a brownfield device.
Note You can choose a maximum of two devices.
Note Greenfield and brownfield devices cannot be part of the same site.
Step 4 Click the topology that is appropriate for your network. The L2/L3 options display.
Note The topology options that display are dependent on the number of devices you selected in Step 3.
Step 5 Click the L2 option. The Configure Topology page displays.
Note L3 is not supported on greenfield devices.
Step 6 From the Configure Topology page, specify the following properties:
Step 7 Configure WAN settings for the branch device. Do the following:
a. Click the + icon next to the WAN cloud. The Configure WAN Cloud dialog box opens. The WAN type selected in the previous step determines the fields that appear in the Configure WAN Cloud dialog box. (These fields differ, depending on the WAN type, such as T1, E1, Ethernet, or Cellular.)
b. Enter the required properties, and click Save. The + icon next to the WAN cloud changes to a checkmark icon.
Step 8 Configure LAN settings. Do the following:
Displays the following for greenfield devices:
Note You can either create the LAN greenfield IP address pool during hub provisioning, or you can add it after hub provisioning for greenfield deployments. When the LAN greenfield IP address pool is not present, the system automatically uses the generic pool IP address.
a. Click the + icon next to the LAN. If site specific IP address pools are configured for the site, the Configure VLAN dialog box opens.
b. Enter the following properties, and click Save :
Step 9 (During provisioning of a branch site with two routers) One of the two routers must be selected as the master controller. To specify a device as the Master Controller (MC), hover the cursor over the device icon, then select the Master Controller switch in the pop-up.
Step 10 From the Provisioning Sites page, click Apply Changes. The Provisioning Site Summary dialog box opens with a summary of the configuration.
Step 11 Review the information, and then do one of the following:
Note The Apply Now option does not check for validations in conflict with future scheduled workflows. You must reevaluate scheduled jobs based on the changes and update the jobs as required. If there is a conflict when the scheduled job is activated, it might fail to provision the site.
Use this procedure to add brownfield devices that are discovered by the Cisco APIC-EM application and provision them to the branch site.
Brownfield devices are not automatically displayed on the Devices tab. You must first add them to Cisco IWAN, and then provision them to the branch site.
IWAN App Brownfield Branch Provisioning
Note
– Saving the configuration: Before you use the devices to provision the site, we recommend that you save the running configuration in bootflash in the IWAN_RECOVERY.cfg file so that you can restore the configuration if needed.
– There must be at least 16 VTY lines configured.
– Devices that are configured with SNMP version 2 or version 3 can be used as branch devices.
– The IWAN app now supports configuration of a 4G/cellular interface at branch sites for: Cisco ISR4000 Series routers, Cisco 1000 Series Integrated Services Routers, Cisco 5000 Series Enterprise Network Compute System (ENCS).
– The IWAN app supports many types of routing and switching devices at branch sites, but support for some features is limited to specific types of devices. The following table describes supported connection types.
Cisco ISR4000 Series routers, Cisco 1000 Series Integrated Services Routers, Cisco 5000 Series Enterprise Network Compute System (ENCS)
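The VTY-line prerequisite in both provisioning procedures, and the SNMP prerequisite for brownfield devices, can be checked against a saved running configuration before a device is added. The following is an added example, not part of the Cisco documentation or the IWAN app; the function names and both sample configurations are constructed, and treating `snmp-server community` and `snmp-server group ... v3` lines as the SNMP indicators is an assumption of this example.

```python
import re

MIN_VTY_LINES = 16  # prerequisite stated on this page

# "line vty 0 4" or a single-line stanza such as "line vty 5"
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$", re.MULTILINE)
# Assumption: a community string indicates v2c, a v3 group line indicates v3.
SNMP_V2_RE = re.compile(r"^snmp-server community \S+", re.MULTILINE)
SNMP_V3_RE = re.compile(r"^snmp-server group \S+ v3 ", re.MULTILINE)


def vty_line_count(config: str) -> int:
    """Count distinct VTY line numbers across all 'line vty' stanzas."""
    lines = set()
    for first, last in VTY_RE.findall(config):
        lo = int(first)
        hi = int(last) if last else lo
        lines.update(range(lo, hi + 1))  # a set, so overlapping stanzas count once
    return len(lines)


def snmp_versions(config: str) -> set:
    """Return the SNMP versions the configuration appears to enable."""
    versions = set()
    if SNMP_V2_RE.search(config):
        versions.add("v2c")
    if SNMP_V3_RE.search(config):
        versions.add("v3")
    return versions


def check_prereqs(config: str) -> list:
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    count = vty_line_count(config)
    if count < MIN_VTY_LINES:
        problems.append(f"only {count} VTY lines, need at least {MIN_VTY_LINES}")
    if not snmp_versions(config):
        problems.append("no SNMP v2c community or v3 group found")
    return problems


# Constructed sample: only five VTY lines and no SNMP configuration.
DEFAULT_CONFIG = """hostname BR1
!
line con 0
line vty 0 4
 login local
!
"""

# Constructed sample: 16 VTY lines (0-15) and an SNMPv3 group.
READY_CONFIG = """hostname BR2
!
snmp-server group MGMT-GRP v3 priv
!
line vty 0 4
 login local
line vty 5 15
 login local
!
"""

if __name__ == "__main__":
    for name, cfg in (("BR1", DEFAULT_CONFIG), ("BR2", READY_CONFIG)):
        print(name, check_prereqs(cfg) or "OK")
```

The check reports only counts and versions, so community strings in the saved configuration are never echoed to the terminal or a log.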
Step 1 From the Cisco IWAN home page, click Manage Branch Sites. The Sites page opens.
Step 2 Click the Device(s) tab. The following page displays.
Step 3 To add a brownfield device, click the Add Device tab. The Add Device dialog box opens and displays a list of devices discovered by the Cisco APIC-EM application as shown in the following figure:
Note Alternatively, you can add devices using the Cisco APIC-EM discovery feature.
Step 4 Do one of the following:
The device is verified in the background to determine if the device is suitable for provisioning. The following occurs:
The Cisco IWAN app accesses the router and checks its configuration to determine if it has any configuration that might conflict with the Cisco IWAN app. This is called Brownfield Validation.
If the router does not have conflicting configurations, an orange icon appears on top of the device and the Configure Router Dialog opens.
If the router has conflicting configurations, the Validation Status dialog opens listing all the validation failures, as shown in the following figure:
c. The validation status could be either Warning or Must Fix. Do the following:
– If the validation status is Warning, you can fix it or ignore it.
– If the validation status is Must Fix, remove the configurations suggested by the description, and then click Revalidate.
For information about the messages displayed in the Validation Status dialog box, see Appendix A, “Brownfield Validation Messages.”
Step 5 From the Devices page, select the checkbox next to the brownfield device(s) that you want to provision for a site, and then click the Provision Site tab. The Select Topology tab opens and displays the available topologies.
The available topology options depend on the network settings configured for the hub site on the IWAN app “Network wide settings” page. See the configuration of service provider count in Configuring IP Address Pools and the topology in Configuring Service Providers.
Note To determine if the device is brownfield or greenfield, look at the Discovered By column in the Add Devices page. PNP indicates that it is a greenfield device. APIC indicates that it is a brownfield device.
Note You can choose a maximum of two devices.
Step 6 Click the topology that is appropriate for your network. The L2/L3 options display.
Note The topology options that display are dependent on the number of devices you selected in Step 5.
Step 7 Depending on the LAN site configuration, click the appropriate L2/L3 option. The Configure Topology page displays.
Note If the VLANs on the branch devices are on the same subnet, choose L2. If the VLANs on the branch devices are on different subnets, choose L3.
Step 8 From the Configure Topology page, specify the following properties:
Step 9 Configure WAN settings for the branch device. Do the following:
a. Click the + icon next to the WAN cloud. The Configure WAN Cloud dialog box opens. The fields that display in the Configure WAN Cloud dialog box depend on the WAN type you chose in Step 8.
b. Enter the required properties, and click Save. The + icon next to the WAN cloud changes to a checkmark icon.
Step 10 Configure LAN settings. Do the following:
Click the + icon next to the LAN. If you selected L2 topology and the LAN interface is a physical interface or a switchport interface, the Configure VLAN dialog box opens (see below). Choose the LAN interface from the drop-down list, and click Save.
Note If you selected a dual router topology, the common VLANs between devices are displayed.
If you selected L3 topology, the Configure VLAN dialog box opens as shown in the following figure. Do the following:
a. Choose the LAN interface from the drop-down list. The IP address is automatically populated.
c. If you have dual routers, choose the LAN interface for that device, and click Save.
d. Click the + icon above Routing Configuration. The LAN Routing Configuration dialog box opens as shown in the following figure. Enter the properties and click Save.
Note VLANs are displayed per device.
Step 11 (During provisioning of a branch site with two routers) To specify a device as the Master Controller (MC), click the device icon and select the Master Controller switch in the pop-up.
Step 12 From the Provisioning Sites page, click Apply Changes. The Provisioning Site Summary dialog box opens with a summary of the configuration.
Step 13 Review the information and then do one of the following:
Note The Apply Now option does not check for validations in conflict with future scheduled workflows. You must reevaluate scheduled jobs based on the changes and update the jobs as required. If there is a conflict when the scheduled job is activated, it might fail to provision the site.
Use this procedure to view the information about the site and determine its overall status.
Step 1 From the Cisco IWAN home page, click Manage Branch Sites. The Sites page opens.
Step 2 Click the Site(s) tab. The following properties appear:
Application health for the hub. Prime credentials must be configured to view this information.
Click the hub name or site name as appropriate to display the following details:
– Various applications configured for the site.
– Add or delete site prefixes after hub provisioning. This option is only available for L3 brownfield sites. See Adding or Deleting Site Prefixes.
– Modify the QoS bandwidth percentage for a selected branch site. See Modifying the QoS Bandwidth Percentages for a Branch Site.
The IWAN app supports use of a 4G cellular connection by Cisco ISR 4000 Series routers at branch sites, as a WAN connection option.
The full instructions for provisioning appear in the Adding and Provisioning Greenfield Devices to the Branch Site and Adding and Provisioning Brownfield Devices to the Branch Site sections. The following is a brief description of the provisioning steps for an example scenario using 4G connection for a WAN link:
Step 1 In the Configure Hub Site & Settings > Service Providers tab, configure a service provider with a 4G cellular connection. Note that cellular connections must be configured with a WAN Type value of Public.
Step 2 In the Configure Hub Site & Settings > IWAN aggregation site tab, connect a hub site device to the 4G cellular WAN in the graphical display of the topology.
Step 3 On a branch site that includes a Cisco ISR 4000 Series device, connect the device to the 4G cellular WAN.
a. On the Sites page, select the Device(s) tab. Select an unclaimed Cisco ISR 4000 Series device. This displays the Provisioning Site page.
b. At the Select Topology step, select a topology and click Next.
c. At the Select L2/L3 step, select an option and click Next.
d. At the Configure Topology step, click the plus-sign on the link between the device and one of the WAN "cloud" options. A Configure WAN Cloud pop-up opens. For each interface on the device, configure any necessary details and click Save to proceed to the next interface on the device. When the "Connect to WAN" field in the pop-up displays the name of the 4G cellular WAN, ensure that the Interface field is configured to "Cellular". Click Save to complete configuration of the WAN connections for the device. The Configure VLAN pop-up opens.
e. Configure the LAN or verify the existing settings and click Save. The Provisioning Site page appears, showing the WAN connections for the branch device, including the 4G cellular WAN link. The WAN connections of the device appear as solid lines with a check icon on the line, indicating a valid configuration.
f. Click Apply Changes to apply the configuration to the device. A Provisioning Site Summary page appears. The cellular WAN link appears in the summary.
Using cellular link for management interface: Supported
To use 4G cellular as a management interface on the IWAN app, ensure that the cellular interface is reachable from the APIC-EM controller.
Hub WAN address connected to cellular cloud must be reachable
The hub WAN address connected to the cellular cloud must be reachable from the cellular branch device before provisioning.
The IWAN App supports use of 4G-cellular WAN links on a private MPLS cloud.
You can change the upload or download WAN bandwidth after a branch site is provisioned ("day N"). Also see Updating the WAN Bandwidth of a Provisioned Hub Site.
Note Beginning with the IWAN App 1.5.0 release, a 4G interface can support an MPLS cloud.
Valid bandwidth values depend on the interface type:
Use the following procedure to update the bandwidth settings.
Step 1 From the IWAN app home page, click Set up Branch Sites.
Step 3 Click the pencil icon (Edit Site) for a spoke (branch) site. The Update Site dialog box opens.
Step 4 In the Site Topology area, click the pencil icon on a WAN link. The Configure WAN Cloud parameters are displayed in the dialog box.
Step 5 In the Upload or Download fields, enter new bandwidth values.
Step 6 Click the Update button.
You can change the WAN IP, mask, or next hop settings for a spoke site even after it has been provisioned ("day N").
Use the following procedure to change the IP settings.
Step 1 From the IWAN app home page, click Set up Branch Sites.
Step 3 Click the pencil icon (Edit Site) for a spoke (branch) site. The Update Site dialog box opens.
Step 4 In the Site Topology area, click the pencil icon on a WAN link.
The link settings appear in the dialog box. The available options depend on the type of WAN link.
Step 5 Edit the IP address in one or more of the following fields:
Step 6 Click the Update button.
Note To discard changes, click the Reset button.
If you enter a value for CE or PE IP address that is not reachable, the operation will succeed, but connectivity between the APIC-EM controller and the site will be lost. If this occurs, restore connectivity. The method for restoring connectivity depends on the specific network. Possible remedies include:
You can modify the QoS bandwidth percentages for a branch site after the site is provisioned (Day N).
Step 1 From the IWAN app home page, click Set up Branch Sites. The Sites page opens.
Step 3 Click the pencil icon (Edit Site) for a branch site. The Update Site dialog box opens.
Step 4 In the Site Topology area, click the pencil icon on a WAN link (link between router and cloud).
The Configure Link dialog box opens.
Step 5 In the Configure Link dialog box, click the Edit (pencil) icon next to the Service Provider field. A dialog box opens, showing information for the specific service profile.
Step 6 Modify the QoS bandwidth percentages as needed.
Step 7 Click Update. The modified bandwidth percentages are applied to the WAN link.