Site-to-Site DMVPN IKEv2 + VRF + OSPF + Dual Hub Single Domain

Previously I introduced FlexVPN IKEv2 through labs; this time the topic is DMVPN with IKEv2. Although DMVPN works fine with IKEv2, FlexVPN adds flexibility via its virtual template/virtual access interfaces.

Lab Introduction

This lab tests a dual hub, single domain DMVPN with IKEv2 IPsec encryption. The WAN-facing interfaces are placed in an FVRF (front door VRF), which is consistent with Cisco's recommended design. RED_IVRF and GREEN_IVRF (inner VRFs) are configured on each WAN edge. Due to time limitations, only RED_IVRF is fully configured; GREEN_IVRF has no IPsec encryption and uses only a single hub in a single domain.

Out-of-band management is deployed with the management port in the MGMT VRF.

A couple of considerations are addressed in the lab because we run OSPF across DMVPN (why OSPF? EIGRP+DMVPN is nothing new): 1) the OSPF broadcast network type is configured on the tunnels; 2) HUB1 is configured as DR and HUB2 as BDR.

In the Dual Hub Single Domain design (why dual hub single domain? dual domain is nothing new compared with single hub single domain, just configured twice ^^), HUB 2 establishes a static tunnel to HUB 1 and dynamic tunnels to the SPOKEs. The SPOKEs point to both HUB1 and HUB2. This means HUB 2 is treated as a SPOKE by HUB 1, but functions as a HUB for the other SPOKEs.

It is also possible to use Dual Hub Dual Domain design, which provides better control in two DMVPN domains. (Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubs)

The lab uses PSK for simplicity. PKI configuration is available in my previous FlexVPN labs.

The lab uses CSRv installed on Virtual Box and GNS3 to simulate WAN edge routers. Please refer to my previous blog for Virtual Box and GNS3 setup.

Topology is as below:

[Figure: DMVPN topology diagram]

Configuration Steps

For ease of troubleshooting, I recommend configuring in the following phases and testing after each phase. Overall tests are also required. The test examples below are for reference only and may not be sufficient.

1)    Management, NTP, WAN interface connectivity, VRF etc.

2)    DMVPN

HUB-2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel211, IPv4 NHRP Details
Type:Hub/Spoke, NHRP Peers:3,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 200.1.1.91         172.16.210.1   UP 01:26:40     S
1 200.1.1.93         172.16.210.3   UP 01:19:37     D
1 200.1.1.94         172.16.210.4   UP 01:11:22     D

3)   IKEv2

HUB-1#show crypto session
Crypto session current status

Interface: Tunnel211
Profile: IKEV2_PROFILE
Session status: UP-ACTIVE
Peer: 200.1.1.94 port 500
Session ID: 497
IKEv2 SA: local 200.1.1.91/500 remote 200.1.1.94/500 Active
IPSEC FLOW: permit 47 host 200.1.1.91 host 200.1.1.94
Active SAs: 2, origin: crypto map

HUB-1# show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote               fvrf/ivrf           Status
2         200.1.1.91/500       200.1.1.93/500       FVRF/RED_IVRF       READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3029 sec

Tunnel-id Local                 Remote               fvrf/ivrf           Status
5         200.1.1.91/500       200.1.1.94/500       FVRF/RED_IVRF       READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3047 sec

HUB-1#show crypto ipsec sa
interface: Tunnel211
Crypto map tag: Tunnel211-head-0, local addr 200.1.1.91

protected vrf: RED_IVRF
local ident (addr/mask/prot/port): (200.1.1.91/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.1.1.94/255.255.255.255/47/0)
current_peer 200.1.1.94 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 387, #pkts encrypt: 387, #pkts digest: 387
#pkts decaps: 386, #pkts decrypt: 386, #pkts verify: 386
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 200.1.1.91, remote crypto endpt.: 200.1.1.94
plaintext mtu 1362, path mtu 1400, ip mtu 1400, ip mtu idb Tunnel211
current outbound spi: 0x43F9F13(71278355)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x9957E94A(2572675402)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000008, crypto map: Tunnel211-head-0
sa timing: remaining key lifetime (k/sec): (4607949/455)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

4)   OSPF

HUB-1# show ip os nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.92.1     1   FULL/BDR       00:00:34   172.16.210.2   Tunnel211
192.168.93.1     0   FULL/DROTHER   00:00:37   172.16.210.3   Tunnel211
192.168.94.1     0   FULL/DROTHER   00:00:34   172.16.210.4   Tunnel211

5)   Overall

SITE1_1#ping vrf RED_IVRF 192.168.91.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.91.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/15 ms

SITE1_1#ping vrf RED_IVRF 192.168.92.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms

SITE1_1#ping vrf RED_IVRF 192.168.93.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.93.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

SITE1_1#ping vrf RED_IVRF 192.168.94.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.94.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/18 ms

HUB 1 Configuration

HUB-1#show run
Building configuration…

Current configuration : 3519 bytes
!
! Last configuration change at 05:28:37 UTC Sat Mar 12 2016
! NVRAM config last updated at 05:28:59 UTC Sat Mar 12 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname HUB-1
!
boot-start-marker
boot-end-marker
!
!
vrf definition FVRF
rd 100:91
!
address-family ipv4
exit-address-family
!
vrf definition GREEN_IVRF
rd 220:91
!
address-family ipv4
exit-address-family
!
vrf definition MGMT
rd 10:91
!
address-family ipv4
exit-address-family
!
vrf definition RED_IVRF
rd 210:91
!
address-family ipv4
exit-address-family
!
enable password cisco
!
no aaa new-model
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 990BEFETJEQ
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$KD9r$IK.14WhlchQX3IX/sbLvc1
!
redundancy
!
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 5 2
!
crypto ikev2 policy default
match fvrf any
proposal default
!
crypto ikev2 keyring IKEV2_KEY
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 keyring IKEV2_KEY_GREEN
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key green123
!
crypto ikev2 profile IKEV2_PROFILE
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY
dpd 60 2 on-demand
ivrf RED_IVRF
!
crypto ikev2 profile IKEV2_PROFILE_GREEN
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY_GREEN
dpd 60 2 on-demand
ivrf GREEN_IVRF
!
crypto ipsec profile IKEV2_IPSEC
set ikev2-profile IKEV2_PROFILE
!
crypto ipsec profile IKEV2_IPSEC_GREEN
set ikev2-profile IKEV2_PROFILE_GREEN
!
interface Loopback0
vrf forwarding RED_IVRF
ip address 192.168.91.1 255.255.255.255
!
interface Tunnel211
vrf forwarding RED_IVRF
ip address 172.16.210.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 210
ip nhrp holdtime 300
ip ospf network broadcast
ip ospf priority 2
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 210
tunnel vrf FVRF
tunnel protection ipsec profile IKEV2_IPSEC
!
interface Tunnel221
vrf forwarding GREEN_IVRF
ip address 172.16.220.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication green
ip nhrp map multicast dynamic
ip nhrp network-id 220
ip nhrp holdtime 300
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 220
tunnel vrf FVRF
!
interface GigabitEthernet1
vrf forwarding MGMT
ip address 192.168.1.91 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
vrf forwarding FVRF
ip address 200.1.1.91 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
router ospf 1 vrf RED_IVRF
network 172.16.210.0 0.0.0.255 area 0
network 192.168.91.1 0.0.0.0 area 1
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
!
ntp server vrf MGMT 192.168.1.8
!
end
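
The HUB-1 configuration above offers MD5, SHA-1 and DH groups 5 and 2 in its IKEv2 proposal, uses a 0.0.0.0 wildcard pre-shared key, and leaves Tunnel221 (GREEN_IVRF) without tunnel protection. The Python audit below is an added example, not part of the original lab, that flags those three conditions in a running config. The weak-algorithm policy and the names `sections` and `audit` are assumptions of this example; the embedded text is an excerpt of the HUB-1 listing.

```python
# Excerpt of the HUB-1 listing above, re-indented; only audit-relevant lines kept.
HUB1_EXCERPT = """\
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
!
crypto ikev2 keyring IKEV2_KEY
 peer DMVPN
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
interface Tunnel211
 tunnel mode gre multipoint
 tunnel protection ipsec profile IKEV2_IPSEC
!
interface Tunnel221
 tunnel mode gre multipoint
!
"""
WEAK = {"integrity": {"md5", "sha1"}, "group": {"1", "2", "5"}}  # assumed policy, not from the page

def sections(config):
    """Yield (header, sub-commands); '!' or a blank line ends a block, so flattened listings parse too."""
    header, body = None, []
    for line in map(str.strip, config.splitlines() + ["!"]):
        if line in ("", "!"):
            if header:
                yield header, body
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)

def audit(config):
    """Return a sorted list of (section, finding) pairs."""
    found = set()
    for header, body in sections(config):
        if header.startswith("crypto ikev2 proposal "):
            for cmd in body:
                kind, *values = cmd.split()
                for value in values:
                    if value in WEAK.get(kind, ()):
                        found.add((header, f"offers weak {kind} {value}"))
        elif header.startswith("crypto ikev2 keyring "):
            # 0.0.0.0 0.0.0.0 matches every peer address: one shared key for all peers.
            if "address 0.0.0.0 0.0.0.0" in body:
                found.add((header, "wildcard pre-shared key"))
        elif header.startswith("interface Tunnel"):
            mgre = "tunnel mode gre multipoint" in body
            protected = any(c.startswith("tunnel protection ipsec ") for c in body)
            if mgre and not protected:
                found.add((header, "mGRE tunnel without IPsec protection"))
    return sorted(found)

if __name__ == "__main__":
    for section, finding in audit(HUB1_EXCERPT):
        print(f"{section}: {finding}")
```

The parser relies on the `!` separators that `show run` prints between blocks, so it can be pointed at each router's saved listing as-is.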

 

HUB 2 Configuration

HUB-2#show run
Building configuration…

Current configuration : 3086 bytes
!
! Last configuration change at 05:28:25 UTC Sat Mar 12 2016
! NVRAM config last updated at 05:29:04 UTC Sat Mar 12 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname HUB-2
!
boot-start-marker
boot-end-marker
!
!
vrf definition FVRF
rd 100:92
!
address-family ipv4
exit-address-family
!
vrf definition GREEN_IVRF
rd 220:92
!
address-family ipv4
exit-address-family
!
vrf definition MGMT
rd 10:92
!
address-family ipv4
exit-address-family
!
vrf definition RED_IVRF
rd 210:92
!
address-family ipv4
exit-address-family
!
enable password cisco
!
no aaa new-model
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 91OJZQ6AD3Q
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$RxrZ$jq3TXAV3fKpUA4wgnkpj70
!
redundancy
!
crypto ikev2 keyring IKEV2_KEY
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 keyring IKEV2_KEY_GREEN
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key green123
!
crypto ikev2 profile IKEV2_PROFILE
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY
dpd 60 2 on-demand
ivrf RED_IVRF
!
crypto ikev2 profile IKEV2_PROFILE_GREEN
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY_GREEN
dpd 60 2 on-demand
ivrf GREEN_IVRF
!
crypto ipsec profile IKEV2_IPSEC
set ikev2-profile IKEV2_PROFILE
!
crypto ipsec profile IKEV2_IPSEC_GREEN
set ikev2-profile IKEV2_PROFILE_GREEN
!
interface Loopback0
vrf forwarding RED_IVRF
ip address 192.168.92.1 255.255.255.255
!
interface Tunnel211
vrf forwarding RED_IVRF
ip address 172.16.210.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp map 172.16.210.1 200.1.1.91
ip nhrp map multicast 200.1.1.91
ip nhrp network-id 210
ip nhrp holdtime 300
ip nhrp nhs 172.16.210.1
ip ospf network broadcast
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 210
tunnel vrf FVRF
tunnel protection ipsec profile IKEV2_IPSEC
!
interface GigabitEthernet1
vrf forwarding MGMT
ip address 192.168.1.92 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
vrf forwarding FVRF
ip address 200.1.1.92 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
router ospf 1 vrf RED_IVRF
network 172.16.210.0 0.0.0.255 area 0
network 192.168.92.1 0.0.0.0 area 2
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
!
ntp server vrf MGMT 192.168.1.8
!
end

SITE1_1 Configuration

SITE1_1#show run
Building configuration…

Current configuration : 3798 bytes
!
! Last configuration change at 05:28:02 UTC Sat Mar 12 2016
! NVRAM config last updated at 05:29:06 UTC Sat Mar 12 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname SITE1_1
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
rd 100:93
!
address-family ipv4
exit-address-family
!
vrf definition GREEN_IVRF
rd 220:93
!
address-family ipv4
exit-address-family
!
vrf definition MGMT
rd 10:93
!
address-family ipv4
exit-address-family
!
vrf definition RED_IVRF
rd 210:93
!
address-family ipv4
exit-address-family
!
enable password cisco
!
no aaa new-model
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 9RUT7G8QNIO
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$WFU5$2B0XGmjEERZ3G1VNykxyp0
!
redundancy
!
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 5 2
!
crypto ikev2 policy default
match fvrf any
proposal default
!
crypto ikev2 keyring IKEV2_KEY
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 keyring IKEV2_KEY_GREEN
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key green123
!
crypto ikev2 profile IKEV2_PROFILE
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY
dpd 60 2 on-demand
ivrf RED_IVRF
!
crypto ikev2 profile IKEV2_PROFILE_GREEN
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY_GREEN
dpd 60 2 on-demand
ivrf GREEN_IVRF
!
crypto ipsec profile IKEV2_IPSEC
set ikev2-profile IKEV2_PROFILE
!
crypto ipsec profile IKEV2_IPSEC_GREEN
set ikev2-profile IKEV2_PROFILE_GREEN
!
interface Loopback0
vrf forwarding RED_IVRF
ip address 192.168.93.1 255.255.255.255
!
interface Tunnel211
vrf forwarding RED_IVRF
ip address 172.16.210.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 200.1.1.91
ip nhrp map 172.16.210.1 200.1.1.91
ip nhrp map multicast 200.1.1.92
ip nhrp map 172.16.210.2 200.1.1.92
ip nhrp network-id 210
ip nhrp holdtime 300
ip nhrp nhs 172.16.210.1
ip nhrp nhs 172.16.210.2
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 210
tunnel vrf FVRF
tunnel protection ipsec profile IKEV2_IPSEC
!
interface Tunnel221
vrf forwarding GREEN_IVRF
ip address 172.16.220.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication green
ip nhrp map multicast 200.1.1.91
ip nhrp map 172.16.220.1 200.1.1.91
ip nhrp network-id 220
ip nhrp holdtime 300
ip nhrp nhs 172.16.220.1
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 220
tunnel vrf FVRF
!
interface GigabitEthernet1
vrf forwarding MGMT
ip address 192.168.1.93 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
vrf forwarding FVRF
ip address 200.1.1.93 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
router ospf 1 vrf RED_IVRF
network 172.16.210.0 0.0.0.255 area 0
network 192.168.93.1 0.0.0.0 area 3
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
!
ntp source GigabitEthernet1
ntp server vrf MGMT 192.168.1.8
!
end

SITE1_2 Configuration

SITE1_2#show run
Building configuration…

Current configuration : 3536 bytes
!
! Last configuration change at 05:28:44 UTC Sat Mar 12 2016
! NVRAM config last updated at 05:29:01 UTC Sat Mar 12 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname SITE1_2
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
rd 100:94
!
address-family ipv4
exit-address-family
!
vrf definition GREEN_IVRF
rd 220:94
!
address-family ipv4
exit-address-family
!
vrf definition MGMT
rd 10:94
!
address-family ipv4
exit-address-family
!
vrf definition RED_IVRF
rd 210:94
!
address-family ipv4
exit-address-family
!
no aaa new-model
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid CSR1000V sn 97VQGE9X8Z9
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$v/PG$W9ic8OeK8yM4yZJaZC/NJ0
!
redundancy
!
crypto ikev2 keyring IKEV2_KEY
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 keyring IKEV2_KEY_GREEN
peer DMVPN
address 0.0.0.0 0.0.0.0
pre-shared-key green123
!
crypto ikev2 profile IKEV2_PROFILE_GREEN
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY_GREEN
dpd 500 20 on-demand
ivrf GREEN_IVRF
!
crypto ikev2 profile IKEV2_PROFILE
match fvrf any
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY
dpd 60 2 on-demand
ivrf RED_IVRF
!
crypto ipsec profile IKEV2_IPSEC
set ikev2-profile IKEV2_PROFILE
!
crypto ipsec profile IKEV2_IPSEC_GREEN
set ikev2-profile IKEV2_PROFILE_GREEN
!
interface Loopback0
vrf forwarding RED_IVRF
ip address 192.168.94.1 255.255.255.255
!
interface Tunnel211
vrf forwarding RED_IVRF
ip address 172.16.210.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 200.1.1.91
ip nhrp map 172.16.210.1 200.1.1.91
ip nhrp map multicast 200.1.1.92
ip nhrp map 172.16.210.2 200.1.1.92
ip nhrp network-id 210
ip nhrp holdtime 300
ip nhrp nhs 172.16.210.1
ip nhrp nhs 172.16.210.2
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 210
tunnel vrf FVRF
tunnel protection ipsec profile IKEV2_IPSEC
!
interface Tunnel221
vrf forwarding GREEN_IVRF
ip address 172.16.220.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication green
ip nhrp map multicast 200.1.1.91
ip nhrp map 172.16.220.1 200.1.1.91
ip nhrp network-id 220
ip nhrp holdtime 300
ip nhrp nhs 172.16.220.1
tunnel source GigabitEthernet2
tunnel mode gre multipoint
tunnel key 220
tunnel vrf FVRF
!
interface GigabitEthernet1
vrf forwarding MGMT
ip address 192.168.1.94 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
vrf forwarding FVRF
ip address 200.1.1.94 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
!
interface GigabitEthernet4
no ip address
negotiation auto
!
router ospf 1 vrf RED_IVRF
network 172.16.210.0 0.0.0.255 area 0
network 192.168.94.1 0.0.0.0 area 4
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
password cisco
login
stopbits 1
line vty 0 4
password cisco
login
!
ntp server vrf MGMT 192.168.1.8
!
end
