APIC-EM/IWAN App in existing network

•   APIC_EM in conjunction with the IWAN App to deploy IWAN in an existing WAN.  All of the sites in question already have been deployed (Legacy), with site specific Vlan's, etc from each location.  These Sites run BGP across MPLS.

1. When  the Hub site deployment in APIC-EM is started , getting as far as assigning IP pools unable to proceed further (as these pools can't be changed once saved).  The only need is to have APIC-EM to deploy DMVPN to the Hub and existing branch routers, and NOT change or modify any existing configuration on the routers, like IP addresses, sub interfaces, etc.  All that is needed is to deploy the tunnel's.  So basically the deployment will be brownfield using the IBLOCK deployment model.  All that is needed is to have APIC-EM to deploy DMVPN first, then I'll address QoS and PfRv3 later.
2. In our current deployment, we have two MPLS ASR's (CE devices), and two Internet ASR's (CE).  Each ASR has a circuit to a different provider.  These ASR's are currently in the same datacenter location.  We only purchased two ASR's for the Hub border routers, one for MPLS and one for the Internet that will sit behind the actual CE routers. Need  to deploy IWAN to utilize all 4 of these paths out of the hub routers via DMVPN.  Unable to find an actual deployment model.  Need to end up with two different tunnel interfaces on the MPLS side and two on the internet side. Then from the branch, have 4 different tunnels depending on the path that is needed.

• Got the Hub routers discovered, and the Hub MC on the CSR 1000v.

 In existing network (brownfield scenarios) we do support iWAN provisioning through App for both hub sites and remote branches. We run a set of validations on devices that are intended to be a part of hub/branch site to make sure there're no conflicts between what's already existing on the devices and what will be pushed through iWAN App. In addition to detecting and flagging conflicting config, we also run a few housekeeping checks to make sure the devices have correct IOS version and licensing, NTP clock sync etc. for the provisioning to go through.