
Cisco ISR Project – IWAN Deployment to DC1 (7 of?)

Now that Prime and the routers are deployed it’s time to start getting them added in.  I have deployed a set-up lab using an old Catalyst 2960 and a 2911 router to simulate Internet and MPLS connections between my HQ and remote routers.  Since the MPLS isn’t in place yet I can’t add the remote routers, but I will add the CSR and the ISR devices at HQ.

Log into Prime and click the Menu button in the top left corner, then Inventory – Network Devices.

Prime Network Devices

A Discovery could be created to find and add all the devices, but since there are only three devices I added them manually.  Simply click “Add Device” in the All Devices pane and then fill out the connection information.

Add Device window

Complete the fields in the Add Device window.  Be sure to fill in both the SNMP and SSH sections so that Prime can perform a full inventory collection from the devices.

After the devices are added it takes a few minutes for the initial sync to complete.

Once the devices are added then we can start the IWAN deployment.  Initially, I am going to have a single CSR at my primary datacenter, with a second being added later at a DR DC.  At the HQ there will be a pair of ISR 4331s, one for terminating MPLS and the other for terminating Internet connections.

To start the process of IWAN Enablement first click on the menu button in the top left corner, then Services – IWAN Enablement.

IWAN Enablement

First off, there’s a picture of the IWAN topologies.

The IWAN design is a hub and spoke topology, though there can be a redundant hub.  At the hub site there are three roles: the Master Controller, which oversees the IWAN topology, plus an Internet router and an MPLS router.  If a second hub location is used then it would have a Transit Master Controller, as well as the Internet and MPLS routers.  Branch locations can be single router or dual router.  With a single router location both the MPLS and Internet connections terminate on the one router.  Dual router sites have two routers, so MPLS terminates on one router and Internet terminates on the other.

Cisco also has a link to their YouTube video on the IWAN deployment process.  https://www.youtube.com/watch?v=5LMpJtf2uuw

I did notice that the video is for the non-updated version of Prime Infrastructure 3.0, so it doesn’t match up with the prompts I was seeing.  However, it’s still an awesome resource.

After clicking Next on the first page the wizard prompts to choose the configuration.  The first options are:

IWAN Branch

IWAN Hub DC1

IWAN Hub DC2

Since this is at the primary HQ site (the DR site will be added at a later date) the selection is IWAN Hub DC1.  Once that selection is made it will prompt to determine the device role:

Master Controller DC1

MPLS Hub DC1

Internet Hub DC1

The first thing needed is the Master Controller, so that’s the selection to make.  It will then prompt for a template.  One thing to be aware of: CVD stands for Cisco Validated Design.  So the default (and only) option is the CVD template for the Master Controller at DC1.

DC1 Master Controller

After clicking Next the wizard will prompt to select a Device

Master Controller Device selection

Find the CSR 1000V and check the box next to that.  The only thing the CSR will do is serve as the Master Controller for the IWAN deployment.

Here’s a diagram Cisco provides on the DC topology:

DC Topology

Now comes setting the Master Controller specific settings.

Master Controller settings

There is a little help bubble next to each field that will give additional information about that field.  Additionally, there is a help button near the top right of the page.  However, here’s what the fields are asking for.

The Loopback IP is an IP address that is basically used for the device to communicate with itself.  It’s not used by any other device on the network.  With that said, it is recommended to use a /32 mask for the address.  So, pick an address that’s not going to overlap with anything in the network and assign that.

The PfR-Auth-Password is the password that all routers will use to authenticate routing updates.  Make a note of this, as this password will need to be used on all PfR devices.

Wondering what PfR means?  It is Performance Routing.  Traditional routing protocols look at network stats, like hop count, and link speed to determine the best path.  PfR actually monitors traffic on a per-flow basis, so it finds the best path for a specific application.  For example, route VoIP calls over MPLS as it has the lowest latency, but route a file transfer over the Internet VPN as there’s better throughput.  Now, to clarify this a little bit… PfR doesn’t replace a routing protocol, but instead it augments the protocol.  Later on, we will select the overlay routing protocol that is used.  More information on PfR can be found here: http://www.cisco.com/c/en/us/products/ios-nx-os-software/performance-routing-pfr/index.html

Enterprise_Prefix is the network prefix for the entire network.  This includes HQ and all remote locations.  I’m still not clear on how to handle this field if you have a non-contiguous network, like some 10.X.X.X networks, and a few 172.16.X.X networks.

The DC1_Prefix is the networks at the DC the Master Controller is being installed at.  The field does allow multiple networks to be entered with a comma (,) separator.

The Netflow Collector IP is the Prime Infrastructure server, or the VIP if there is an HA deployment of PI.

After everything has been entered, click Apply.  This populates the CLI preview, which shows the commands that will be pushed to the device.

Clicking on Next will bring up the CLI Summary.  Since there was only one configuration step this shows the same thing as the CLI Preview from the previous step.  If there were more configuration pages then this would compile all the CLI entries for all the pages.

By clicking Next again it brings up the option to schedule the deployment.

Master Config deployment schedule

Personally, I leave it set to run now since the device isn’t in production.  I also check both boxes to Copy Running Config to Startup and Archive Config after Deploy.  This way I have the config committed, and I have a backup of it.


All that’s left is to click Next, and then on the Confirmation page click Deploy.  Then wait while this configuration is deployed.  The deployment process can be monitored from the Job Dashboard.  Once this is complete then the MPLS and Internet routers can be configured.

To configure the MPLS router go back into the IWAN Enablement wizard.  This time select the IWAN Hub DC1 category, then MPLS Hub DC1.

MPLS Hub DC1 config

After the device role is selected a number of additional options become available.  The Overlay Protocol is the routing protocol used to build the network route topology, which PfR then uses to determine the best application pathing.  There are two options here, EIGRP and BGP.  Since this is a Cisco shop, and EIGRP is generally an easier protocol to configure, that is the option I selected.

The rest of the dropdowns only have the default setting.  The only other customization is the Deploy PKI checkbox.  When unchecked the DMVPN uses a pre-shared key to authenticate routers.  If a PKI is used then certificates are used for authentication.  The PKI deployment requires an APIC-EM (Application Policy Infrastructure Controller Enterprise Module), which I don’t have, so pre-shared keys are fine by me.

After clicking Next the wizard will prompt to select the device that the config will be applied to.

MPLS Hub DC1 Device selection

Find and select the MPLS router, then click Next.

Now comes setting the MPLS DMVPN settings.

MPLS Hub DC1 setting (1 of 2)

Again, a loopback IP is required.  Use a /32 that doesn’t overlap with the rest of the network.

For the bandwidth don’t get confused by the use of all CAPS.  It is asking for the bandwidth in Kbps.

The Tunnel IP address is the virtual IP that will be used to create the tunnel endpoint.  These IPs are what allow the devices to think they are directly connected peers even across an Internet or MPLS connection.  A single subnet will be used for the tunnel IPs of all MPLS endpoints, and another subnet will be used for all Internet VPN endpoints.  As an example, 192.168.10.0/24 for MPLS and 192.168.20.X/24 for Internet endpoints.

Set the Tunnel Subnet Mask according to the IP range selected.

The Tunnel subnet field is a bit confusing.  This is just the network IP for the subnet selected.  In the example of using 192.168.10.X/24 for the MPLS Tunnel IPs the fields would look like this:

Tunnel IP: 192.168.10.1

Tunnel Subnet Mask: 255.255.255.0

Tunnel Subnet: 192.168.10.0
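Since the wizard does not check that the Tunnel IP, Tunnel Subnet Mask and Tunnel Subnet fields agree, or that the loopback, tunnel and DC ranges stay clear of each other, here is an added example (my own code, not part of the original post or Cisco Prime) that derives the Tunnel Subnet from the other two fields and checks the whole set of hub addresses before clicking Apply. The field names and every address in it are constructed sample values built from the example ranges above.

```python
"""
Pre-Apply consistency check for the IWAN hub wizard fields.
Added example; the dictionary layout and all addresses are assumptions
constructed for illustration, not values from Prime Infrastructure.
"""
import ipaddress
from typing import Dict, List


def derive_tunnel_subnet(tunnel_ip: str, tunnel_mask: str) -> str:
    """The 'Tunnel Subnet' field is the network address of Tunnel IP under the
    Tunnel Subnet Mask: 192.168.10.1 with 255.255.255.0 gives 192.168.10.0."""
    iface = ipaddress.ip_interface(f"{tunnel_ip}/{tunnel_mask}")
    return str(iface.network.network_address)


def parse_prefix_list(field: str) -> List[ipaddress.IPv4Network]:
    """The DC prefix fields accept several networks separated by commas."""
    return [ipaddress.ip_network(p.strip()) for p in field.split(",") if p.strip()]


def check_hub_settings(hub: Dict, enterprise_prefix: str) -> List[str]:
    """Return the list of inconsistencies found; an empty list means the
    values entered on the wizard pages agree with each other."""
    problems: List[str] = []
    enterprise = ipaddress.ip_network(enterprise_prefix)
    dc_prefixes = parse_prefix_list(hub["dc_prefix"])

    # Every DC1_Prefix entry must fall inside Enterprise_Prefix.
    for dc in dc_prefixes:
        if not dc.subnet_of(enterprise):
            problems.append(f"DC prefix {dc} is outside Enterprise_Prefix {enterprise}")

    # Tunnel IP / mask / subnet must describe the same network on each WAN side.
    tunnel_nets = {}
    for wan in ("mpls", "internet"):
        s = hub[wan]
        expected = derive_tunnel_subnet(s["tunnel_ip"], s["tunnel_mask"])
        if s["tunnel_subnet"] != expected:
            problems.append(
                f"{wan}: Tunnel Subnet {s['tunnel_subnet']} does not match "
                f"{s['tunnel_ip']}/{s['tunnel_mask']} (expected {expected})"
            )
        tunnel_nets[wan] = ipaddress.ip_interface(
            f"{s['tunnel_ip']}/{s['tunnel_mask']}").network

    # One subnet for all MPLS endpoints, a different one for all Internet endpoints.
    if tunnel_nets["mpls"].overlaps(tunnel_nets["internet"]):
        problems.append("MPLS and Internet tunnel subnets overlap")

    # Loopbacks: unique /32 host addresses that sit inside no other range entered.
    seen = set()
    for role, loopback in hub["loopbacks"].items():
        lb = ipaddress.ip_interface(loopback)
        if lb.network.prefixlen != 32:
            problems.append(f"{role}: loopback {loopback} should use a /32 mask")
        if lb.ip in seen:
            problems.append(f"{role}: loopback {lb.ip} is reused by another hub router")
        seen.add(lb.ip)
        for other in list(tunnel_nets.values()) + dc_prefixes:
            if lb.ip in other:
                problems.append(f"{role}: loopback {lb.ip} overlaps {other}")
    return problems


# Constructed sample matching the example ranges in the post (not real addresses).
SAMPLE_HUB = {
    "dc_prefix": "10.10.0.0/16, 10.11.0.0/16",
    "loopbacks": {
        "master_controller": "10.255.0.1/32",
        "mpls_hub": "10.255.0.2/32",
        "internet_hub": "10.255.0.3/32",
    },
    "mpls": {"tunnel_ip": "192.168.10.1", "tunnel_mask": "255.255.255.0",
             "tunnel_subnet": "192.168.10.0"},
    "internet": {"tunnel_ip": "192.168.20.1", "tunnel_mask": "255.255.255.0",
                 "tunnel_subnet": "192.168.20.0"},
}


def sample_mistake() -> Dict:
    """Same settings, but with the Tunnel IP typed into the Tunnel Subnet
    field, the confusion the post warns about."""
    bad = {k: (dict(v) if isinstance(v, dict) else v) for k, v in SAMPLE_HUB.items()}
    bad["mpls"]["tunnel_subnet"] = "192.168.10.1"
    return bad


if __name__ == "__main__":
    print(check_hub_settings(SAMPLE_HUB, "10.0.0.0/8"))        # []
    print(check_hub_settings(sample_mistake(), "10.0.0.0/8"))  # one Tunnel Subnet problem
```

Run it with the values you intend to type into the wizard; any line it prints is something the wizard itself will happily accept and push to the router.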

The MPLS WAN Interface is self explanatory.  This is the interface of the router connected to the WAN.

The Pre-shared key here is the DMVPN key, not the PfR key that was set on the Master Controller.  Enter a key, then make note of it as it will be needed for the spoke routers.

When those fields are done then we can scroll down…

MPLS Hub DC1 settings (2 of 2)

This should all be pretty straightforward.  For the MPLS WAN, enter the WAN IP of the router, the subnet mask for the MPLS link, and the gateway IP for the MPLS.  If unsure of this info, contact the ISP, as they should be able to provide it.

Under the EIGRP section, the Master Controller IP is the address of the CSR 1000V.  The PI IP address is for the Prime Infrastructure server (or VIP if clustered), the APIC-EM IP is only needed if an APIC-EM appliance is being used for PKI, and lastly, the DC prefix is the network range for the datacenter.  As before, if needed, additional IP ranges can be entered in the DC prefix field using a comma separator.

Click Apply, then click Next.  It will now ask for the PfR information.  Again, enter the IP of the Master Controller and the Auth password.  This is the PfR password that was set up when the Master Controller was deployed.  Again, click Apply, then click Next.

For the MPLS settings leave the Device Type as “ProductSeries” and set the WAN bandwidth (again, ignore the capital B, this field should be in kilobits per second) and the physical interface that the MPLS connection is on.

I must admit, I find it odd that the wizard asks for the same information that was previously entered.  It seems like this is just asking for a misconfiguration, as it doesn’t compare the two values.  The one that really surprises me is that for the DMVPN-Physical-Interface it doesn’t give a dropdown for the interface names, so you have to correctly type it.  With that said, type the full name, not the CLI shorthand, so use “GigabitEthernet0/0/1” as opposed to “gi0/0/1”.
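Because the wizard asks for the WAN interface and bandwidth twice and compares neither, and the DMVPN-Physical-Interface field only accepts the full interface name, here is an added example (my own code, not from the post or from Cisco) that expands CLI shorthand to the full name and cross-checks the two sets of entries before they are applied. The list of interface types is an assumption covering the common IOS-XE names, and the field names in the sample dictionaries are my own.

```python
"""
Normalize hand-typed interface names and cross-check the duplicated
wizard fields.  Added example; FULL_NAMES and the dictionary keys are
assumptions for illustration, not values defined by Prime Infrastructure.
"""
import re
from typing import Dict, List

# Full interface type names as IOS-XE prints them (assumed set for this example).
FULL_NAMES = ["GigabitEthernet", "TenGigabitEthernet", "FastEthernet",
              "Loopback", "Tunnel", "Vlan"]

# type letters immediately followed by the slot/port number, e.g. Gi0/0/1 or Te0/1/0.100
_NAME_RE = re.compile(r"([A-Za-z]+)(\d+(?:/\d+)*(?:\.\d+)?)")


def normalize_interface(name: str) -> str:
    """Expand CLI shorthand such as 'gi0/0/1' to 'GigabitEthernet0/0/1'.
    Raises ValueError when the type part is unknown or ambiguous."""
    m = _NAME_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    typed, number = m.group(1), m.group(2)
    # The shorthand is a case-insensitive prefix of exactly one full name.
    candidates = [f for f in FULL_NAMES if f.lower().startswith(typed.lower())]
    if len(candidates) != 1:
        raise ValueError(f"unknown or ambiguous interface type {typed!r} in {name!r}")
    return f"{candidates[0]}{number}"


def is_full_name(name: str) -> bool:
    """True only when the type is spelled out exactly as IOS prints it,
    which is what the DMVPN-Physical-Interface field expects."""
    m = _NAME_RE.fullmatch(name.strip())
    return bool(m) and m.group(1) in FULL_NAMES


def cross_check(page1: Dict, page2: Dict) -> List[str]:
    """Compare the first settings page (WAN interface, bandwidth in Kbps)
    with the later page that asks for DMVPN-Physical-Interface and WAN
    bandwidth again.  Returns the mismatches found."""
    problems: List[str] = []
    try:
        first = normalize_interface(page1["wan_interface"])
        second = normalize_interface(page2["dmvpn_physical_interface"])
    except ValueError as err:
        return [str(err)]
    if first != second:
        problems.append(f"interface mismatch: {first} on the first page vs {second} later")
    if not is_full_name(page2["dmvpn_physical_interface"]):
        problems.append(
            f"DMVPN-Physical-Interface should be the full name {second}, "
            f"not {page2['dmvpn_physical_interface']!r}")
    if page1["bandwidth_kbps"] != page2["wan_bandwidth_kbps"]:
        problems.append(
            f"bandwidth mismatch: {page1['bandwidth_kbps']} Kbps vs "
            f"{page2['wan_bandwidth_kbps']} Kbps")
    return problems


# Constructed sample entries (not from a real deployment).
PAGE1_OK = {"wan_interface": "GigabitEthernet0/0/1", "bandwidth_kbps": 100000}
PAGE2_OK = {"dmvpn_physical_interface": "GigabitEthernet0/0/1",
            "wan_bandwidth_kbps": 100000}
PAGE2_SLOPPY = {"dmvpn_physical_interface": "gi0/0/1", "wan_bandwidth_kbps": 10000}


if __name__ == "__main__":
    print(normalize_interface("gi0/0/1"))            # GigabitEthernet0/0/1
    print(cross_check(PAGE1_OK, PAGE2_OK))           # []
    for line in cross_check(PAGE1_OK, PAGE2_SLOPPY):  # shorthand name and bandwidth mismatch
        print(line)
```

Ambiguous shorthand such as a bare "t0/0" (Tunnel or TenGigabitEthernet) is rejected rather than guessed, which is the safer failure when the value is about to be pushed to a hub router.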

When that’s completed click Apply and Next.  Then it will bring up the AVC-MPLS page.  Even though there’s a lot on the page there’s nothing that can be modified.

Clicking Next again will bring up the CLI summary for everything that was entered.  Review the CLI summary if desired, then click Next.

Again, the page to schedule the job deployment will come up.  Select the desired option and click Next.  At the Confirmation page click Deploy to complete the wizard and start the deployment (if it was set to run now).

The deployment process will take a few minutes to complete.

For the Internet Hub DC1 router settings it’s nearly identical to the MPLS settings.  Just replace the word MPLS with Internet.  All the fields, and even the order are identical, just for the Internet side instead of the MPLS.

When the deployments are complete the next thing to do is to integrate the new routers into the existing topology.  It seems the wizard uses EIGRP AS 400.  That AS can be modified to match an existing EIGRP AS, or it could be configured on the existing gear.  Route redistribution or static routes could also be used, all depending on the existing environment.
