Applying Network Wide Settings occurs after changes have been entered in Network Wide Settings. This includes further hub router configuration.
This (Apply Changes) section might not be required since the Save and Continue option performs this action now. Please confirm.
Note (Important): Before clicking Apply Changes, ensure that the settings you applied when setting up the hub site settings are as expected. If the settings are incorrect, and you click Apply Changes below, you will need to perform the installation again.
After checking the hub site settings and reviewing the settings that you made, click Apply Changes, available on the right side of the window. You may choose to apply changes immediately or schedule a time to apply the changes in the future.
Note: The Apply Now option does not check for conflicts with future scheduled workflows. Reevaluate scheduled jobs based on these changes and update them as required. If there is a conflict when a scheduled job is activated, the job may fail at that time.
Wait a short while for the hub routers to be provisioned based on previous settings in Configure Hub Site and Settings.
Apply the following configurations to the hub router.
When IWAN App is behind a hub core router and not connected directly to a hub branch router, the following configuration must be entered in the hub router to specify the LAN routing protocol. This ensures that IWAN App is aware of how to reach the WAN when the hub branch WAN is configured under a VPN routing and forwarding (VRF) instance.
Enter the following configuration in the hub router, if the LAN protocol used is EIGRP 400:
Enter the following configuration in the hub router, if the LAN protocol used is EIGRP 100:
Enter the following configuration in the hub router, if the LAN protocol used is BGP:
Enter the following configuration in the hub router, if the LAN protocol used is OSPF:
The following additional route leak configuration is required for virtual IP support in multi-host, high availability (HA)-based controller environments. Route leak configuration is required for the connection between the controller (IWAN App) and the spoke after VRF is configured on the hub branch. IWAN App leverages the virtual IP address of the cluster to automatically configure the route leaks. However, the controller uses the virtual IP address for inbound connections and the physical IP address of the service resident host for outbound traffic. Thus, route leak is required for all three physical IP addresses of the cluster along with the virtual IP address.
For the hub router, apply configuration steps such as the ones in the example below. This adds the loopback47233 interface and LAN interface to the EIGRP routing added by IWAN on APIC-EM.
EIGRP should be configured on the router or switch connected to the LAN interfaces of the hub.
The following sections describe how to create prefix lists for the enterprise and data center (or hub site), used for PfRv3.
Create an enterprise prefix list to match IP packets or routes.
ip prefix-list ENTERPRISE_PREFIX seq 10 permit 10.0.0.0/8
The enterprise prefix list is mainly used to determine the enterprise boundary. IP prefixes can be summarized routes.
Using an enterprise prefix list ensures that traffic that goes towards a remote site router that is not PfR-enabled will not be influenced by load balancing. Otherwise, if you do not use an enterprise prefix list, traffic going towards a remote site router that is not PfR-enabled will be learned as an internet traffic class and subjected to load balancing.
Create a site prefix list to match IP packets or routes.
ip prefix-list DC_PREFIX seq 10 permit 10.8.0.0/16
Include IP prefixes that are part of the data center (hub site).
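The following is an added example, not part of the original Cisco documentation: a small audit script that parses `ip prefix-list` lines of the form shown above, reports site prefixes that fall outside every enterprise prefix, and checks whether a destination lies inside the enterprise boundary. It assumes that data center prefixes are expected to sit within the enterprise boundary, as they do in this page's example; the third sample line and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two prefix-list lines from this page plus one
# hypothetical site prefix (192.168.50.0/24) that lies outside the boundary.
SAMPLE_CONFIG = """\
ip prefix-list ENTERPRISE_PREFIX seq 10 permit 10.0.0.0/8
ip prefix-list DC_PREFIX seq 10 permit 10.8.0.0/16
ip prefix-list DC_PREFIX seq 20 permit 192.168.50.0/24
"""

# Matches only plain "permit" entries; deny, ge and le forms are skipped.
LINE_RE = re.compile(r"^ip prefix-list (\S+) seq \d+ permit (\d+\.\d+\.\d+\.\d+/\d+)$")

def parse_prefix_lists(config):
    """Return {list_name: [IPv4Network, ...]} for plain permit entries."""
    lists = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            lists.setdefault(m.group(1), []).append(net)
    return lists

def uncovered_site_prefixes(lists, enterprise="ENTERPRISE_PREFIX", site="DC_PREFIX"):
    """Site prefixes that no enterprise prefix contains."""
    ent = lists.get(enterprise, [])
    return [p for p in lists.get(site, []) if not any(p.subnet_of(e) for e in ent)]

def inside_boundary(lists, destination, enterprise="ENTERPRISE_PREFIX"):
    """True if the destination address falls within an enterprise prefix."""
    addr = ipaddress.ip_address(destination)
    return any(addr in e for e in lists.get(enterprise, []))

if __name__ == "__main__":
    lists = parse_prefix_lists(SAMPLE_CONFIG)
    print("site prefixes outside boundary:", uncovered_site_prefixes(lists))
    for dest in ("10.8.20.5", "172.16.1.1"):
        print(dest, "inside enterprise boundary:", inside_boundary(lists, dest))
```

A destination reported as outside the boundary is one that, per the description above, would be handled as internet traffic rather than enterprise traffic.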
In the hub router configuration, include steps such as the ones shown in the following example.
This design uses a single EIGRP autonomous system for the WAN and all of the WAN remote sites. Every remote site is connected for resiliency. However, due to the multiple paths that exist within this topology, effort must be made to avoid routing loops and to prevent remote sites from becoming transit sites if WAN failures were to occur.
The following logic is used to control the routing.
Outbound distribute-lists are used to set tags on the DMVPN hub routers towards the WAN and LAN. The tags set towards the WAN are used by the remote-site routers to protect against becoming transit sites.
An inbound distribute-list is used on the DMVPN hub routers to limit which routes are accepted for installation into the route table. These routers are configured to only accept routes which do not originate from the MPLS and DMVPN WAN sources. To do this task, the DMVPN learned WAN routes must be explicitly tagged by their DMVPN hub router during the route redistribution process. The specific route tags in use are shown in the following table.
In the table below, 10.6.34.0 is used for Hub 1, DMVPN Tag Tunnel 10, and 10.6.36.0 for Hub 2, Tag Tunnel 11. Replace these tags with the Tunnel networks provisioned by IWAN on APIC-EM.
For route filtering, configure Hub-1 and Hub-2 as shown in the examples below:
Routes are redistributed between the LAN and WAN. IWAN Application pushes route leaking if the Cisco APIC-EM is not reachable through the DMZ interface.
After specifying network settings, go to “Set Up Branch Sites” shown on the main IWAN menu.