Connecting DataCenters with OverLapping Private IP Addresses & Hiding Real Server IP For Security.

Transcription

1 Connecting DataCenters with OverLapping Private IP Addresses & Hiding Real Server IP For Security. Overview Connecting Multiple Data-Centers or Remote Branches to Centralized or Hub Sites is very common practice in Legacy Network Environment and Cloud Deployments.Securing the Real Server IP or handling the Overlapping IP Addresses across the Data-Centers is always a challenge and can be achieve by leveraging Encrypted Tunnels ( Site-to-Site IPSec VPN ) in combination with Nating. Brocade v5400 Router Initially v5400 Router was performing DNAT on inbound IPsec terminating Interface & Return Traffic was de-translated gracefully into IPsec Tunnel using connection tracking Table.

2 1. In this Topology for DNAT translation IPSec packet has been decrypted in v IPSec peering is established b/w 2 v5400 devices. 3. Client is targeting sourced from , expected behavior is destination address will translate to in packet header. Brocade v5600 Router With the advent and Architectural changes of v5600 platform some of the key features and functionality works differently as they used to work in Vyatta v5400 like Firewall, S-S IPsec v5600 with NAT etc.let's discuss S-S IPsec VPN with DNAT as Router Behavior is changed and now functions differently, sessions/connections tracking table gets created however

3 the Return Traffic by passes the IPsec Tunnel after connection tracking table reverses the DNAT change.v5600 sends packet on wire without performing IPsec encryption. Upstream Device is not expecting this traffic and will most likely drop this traffic. In v5400 Router, IPsec traffic appears to originate from the interface that IPsec is connected on (i.e if IPsec is over Public with v5400 on the Bond1 IP,the traffic is tied to Bond1. v5600 does not tied IPsec traffic to an interface unless using VTI or GRE Tunnels.v5600 requires traffic be tied to an interface in order to manage source/destination. Brocade v5600 Router Version 5.2X In order to handle this behavior in v code Brocade/AT&T has suggested a workaround to use local loopback as an IP for a GRE Tunnel interface and uses Policy Based Routing (PBR) to get the traffic originating from the IPsec onto an interface in order to perform NAT functions.

4 Vyatta 1 Interface configuration Commands set interfaces dataplane dp0p192p1 address ' /30' set interfaces dataplane dp0p224p1 address ' /30' set interfaces dataplane dp0p224p1 policy route pbr 'Backwards-DNAT' set interfaces loopback lo address ' /24' set interfaces tunnel tun50 address ' /32' set interfaces tunnel tun50 encapsulation 'gre' set interfaces tunnel tun50 local-ip ' ' set interfaces tunnel tun50 remote-ip ' ' Note. Logical tunnel interface is created for DNAT/SNAT /16 - This is the "link local" block. It is allocated for communication between hosts on a single link ( VPN configuration commands set security vpn ipsec esp-group ESP lifetime '30000' set security vpn ipsec esp-group ESP proposal 1 encryption 'aes128' set security vpn ipsec esp-group ESP proposal 1 hash 'sha1'

5 set security vpn ipsec ike-group IKE lifetime '60000' set security vpn ipsec ike-group IKE proposal 1 encryption 'aes128' set security vpn ipsec ike-group IKE proposal 1 hash 'sha1' set security vpn ipsec site-to-site peer authentication mode 'pre-shared-secret' set security vpn ipsec site-to-site peer authentication pre-shared-secret 'thekey' set security vpn ipsec site-to-site peer default-esp-group 'ESP' set security vpn ipsec site-to-site peer ike-group 'IKE' set security vpn ipsec site-to-site peer local-address ' ' set security vpn ipsec site-to-site peer tunnel 1 local prefix ' /30' set security vpn ipsec site-to-site peer tunnel 1 remote prefix ' /24' NAT configuration commands set service nat destination rule 10 destination address ' ' set service nat destination rule 10 inbound-interface 'tun50' set service nat destination rule 10 source address ' ' set service nat destination rule 10 translation address ' ' set service nat source rule 10 destination address ' ' set service nat source rule 10 'log' set service nat source rule 10 outbound-interface 'tun50' set service nat source rule 10 source address ' ' set service nat source rule 10 translation address ' ' Note For bidirectional NAT, Source NAT is required else only DNAT is needed on the tunnel interface.

6 Protocols configuration commands set protocols static interface-route /32 next-hop-interface 'tun50' set protocols static table 50 interface-route /0 next-hop-interface 'tun50' set protocols static interface-route /32 next-hop-interface 'tun50' PBR configuration commands set policy route pbr Backwards-DNAT desc 'Get return traffic back to tunnel for DNAT' set policy route pbr Backwards-DNAT rule 10 action 'accept' set policy route pbr Backwards-DNAT rule 10 address-family 'ipv4' set policy route pbr Backwards-DNAT rule 10 destination address ' /24' set policy route pbr Backwards-DNAT rule 10 source address ' /24' set policy route pbr Backwards-DNAT rule 10 table '50' Vyatta 2 set security vpn ipsec esp-group ESP lifetime '30000' set security vpn ipsec esp-group ESP proposal 1 encryption 'aes128' set security vpn ipsec esp-group ESP proposal 1 hash 'sha1' set security vpn ipsec ike-group IKE lifetime '60000' set security vpn ipsec ike-group IKE proposal 1 encryption 'aes128' set security vpn ipsec ike-group IKE proposal 1 hash 'sha1' set security vpn ipsec site-to-site peer authentication mode 'pre-shared-secret' set security vpn ipsec site-to-site peer authentication pre-shared-secret 'thekey' set security vpn ipsec site-to-site peer default-esp-group 'ESP'

7 set security vpn ipsec site-to-site peer ike-group 'IKE' set security vpn ipsec site-to-site peer local-address ' ' set security vpn ipsec site-to-site peer tunnel 1 local prefix ' /24' set security vpn ipsec site-to-site peer tunnel 1 remote prefix ' /30' AT&T VRA v5600 Router Version 18.X In VRA v X code AT&T has introduced a concept of VFP (Virtual Feature Point) Interface to resolve the issues related to S-S IPsec and applying of Firewalls to IPsec that was not handled earlier in 5.2 code.secondly all the interface-dependent features like Nat, Firewall, PBR, TCP-MSS etc can be applied.

8 Mexico-VRA x Version Version: 1801n Description: AT&T vrouter n License: Standard Interface configuration Commands set interfaces bonding dp0bond0 address ' /26' set interfaces bonding dp0bond0 vrrp vrrp-group 1 virtual-address ' /26' set interfaces bonding dp0bond1 address ' /29' set interfaces bonding dp0bond1 vrrp vrrp-group 1 virtual-address ' /29' set interfaces bonding dp0bond0 vif 790 address ' /26' set interfaces bonding dp0bond1 vif 1245 address ' /29' set interfaces virtual-feature-point vfp0 address ' /30' Note VPN configuration commands set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des' set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1' set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800'

9 set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1' set security vpn ipsec nat-traversal 'enable' set security vpn ipsec site-to-site peer authentication id ' ' set security vpn ipsec site-to-site peer authentication mode 'pre-shared-secret' set security vpn ipsec site-to-site peer authentication pre-shared-secret '********' set security vpn ipsec site-to-site peer authentication remote-id ' ' set security vpn ipsec site-to-site peer connection-type 'initiate' set security vpn ipsec site-to-site peer default-esp-group 'NETORC_ESP_GROUP' set security vpn ipsec site-to-site peer ike-group 'NETORC_IKE_GROUP' set security vpn ipsec site-to-site peer local-address ' ' set security vpn ipsec site-to-site peer tunnel 0 allow-nat-networks 'disable' set security vpn ipsec site-to-site peer tunnel 0 allow-public-networks 'disable' set security vpn ipsec site-to-site peer tunnel 0 local prefix ' /32' set security vpn ipsec site-to-site peer tunnel 0 remote prefix ' /24' set security vpn ipsec site-to-site peer tunnel 0 uses 'vfp0' Note.The configuration is exactly similar compare to S-S IPsec VPN on v5400 the only addition is uses vfp0. NAT configuration commands

10 set service nat destination rule 10 destination address ' ' set service nat destination rule 10 inbound-interface 'vfp0' set service nat destination rule 10 source address ' ' set service nat destination rule 10 translation address ' ' set service nat source rule 10 description 'SERVER-Client' set service nat source rule 10 destination address ' ' set service nat source rule 10 outbound-interface 'vfp0' set service nat source rule 10 source address ' ' set service nat source rule 10 translation address ' ' Note. Where is the real Server IP & is the fake IP advertising or declaring as a local subnet to Remote Client..DNAT is translating if the traffic is coming via S-S VFP interface to Real Server IP. Protocols configuration commands set protocols static interface-route /24 next-hop-interface 'vfp0'set protocols static interface-route /32 next-hop-interface 'vfp0' USE-CASE-1 ( Traffic Moving from Server to Client ) Server Initiating Traffic to Client Using Source NAT to hide Real Server IP to Fake IP

11

12 SOURCE NAT ENTRIES & SESSION show nat source translations Pre-NAT Post-NAT Prot Timeout : :1 icmp 60 show nat source statistics rule pkts bytes interface used/total vfp0 0/ dp0bond1 0/65535 vyatta@mexico1v56-18:~$ show session table TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED CONN ID Source Destination Protocol TIMEOUT Intf Parent : :1 icmp [1] ES 15 vfp0 0 vyatta@mexico1v56-18:~$ show vpn ike sa Peer ID / IP Local ID / IP State Encrypt Hash D-H Grp A-Time L-Time IKEv

13 up 3des sha vyatta@mexico1v56-18:~$ show vpn ipsec sa Peer ID / IP Local ID / IP Tunnel Id State Bytes Out/In Encrypt Hash DH A-Time L-Time up 240.0/ des sha vyatta@mexico1v56-18:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description dp0bond /26 u/u dp0bond /26 u/u dp0bond /29 u/u 2607:f0d0:1c01:3e::5/64 dp0bond /29 u/u dp0vrrp /32 u/u dp0vrrp /32 u/u lo /24 u/u /24 vfp /30 u/u

14 USE-CASE-2 ( Traffic Moving from Client to Server ) Client is initiating traffic to Server Traffic is coming via S-S to Fake IP and using DNAT on VFP0 interface translated to Real Server IP and forwarded to Server. VPN configuration commands set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des' set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1' set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1' set security vpn ipsec nat-traversal 'enable' set security vpn ipsec site-to-site peer authentication id ' ' set security vpn ipsec site-to-site peer authentication mode 'pre-shared-secret' set security vpn ipsec site-to-site peer authentication pre-shared-secret '********' set security vpn ipsec site-to-site peer authentication remote-id ' ' set security vpn ipsec site-to-site peer connection-type 'respond' set security vpn ipsec site-to-site peer default-esp-group 'NETORC_ESP_GROUP' set security vpn ipsec site-to-site peer ike-group 'NETORC_IKE_GROUP' set security vpn ipsec site-to-site peer local-address ' ' set security vpn ipsec site-to-site peer tunnel 0 allow-nat-networks 'disable'

15 set security vpn ipsec site-to-site peer tunnel 0 allow-public-networks 'disable' set security vpn ipsec site-to-site peer tunnel 0 local prefix ' /24' set security vpn ipsec site-to-site peer tunnel 0 remote prefix ' /32' vyatta@hou2v560018x:~$ show vpn ike sa Peer ID / IP Local ID / IP State Encrypt Hash D-H Grp A-Time L-Time IKEv up 3des sha vyatta@hou2v560018x:~$ show vpn ipsec sa Peer ID / IP Local ID / IP Tunnel Id State Bytes Out/In Encrypt Hash DH A-Time L-Time up 0.0/0.0 3des sha

16 ping interface PING ( ) from : 56(84) bytes of data. 64 bytes from : icmp_seq=1 ttl=127 time=36.2 ms 64 bytes from : icmp_seq=2 ttl=127 time=32.6 ms 64 bytes from : icmp_seq=3 ttl=127 time=33.0 ms 64 bytes from : icmp_seq=4 ttl=127 time=32.8 ms 64 bytes from : icmp_seq=5 ttl=127 time=32.9 ms ^C ping statistics packets transmitted, 5 received, 0% packet loss, time 4005ms rtt min/avg/max/mdev = /33.546/36.270/1.377 ms MEXICO vyatta@mexico1v56-18:~$ show nat destination translations Pre-NAT Post-NAT Prot Timeout : :6986 icmp 54 vyatta@mexico1v56-18:~$ show nat destination statistics rule pkts bytes interface used/total vfp0 0/65535

17 show session table TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED CONN ID Source Destination Protocol TIMEOUT Intf Parent : :6986 icmp [1] ES 33 vfp0 0 USE-CASE-3 ( Traffic Moving B/W Server & Client Using PBR instead of Static Route ) Protocols configuration commands delete protocols static interface-route /24 next-hop-interface 'vfp0' delete protocols static interface-route /32 next-hop-interface 'vfp0' set protocols static table 50 interface-route /0 next-hop-interface 'vfp0' PBR Policy Based Routing set interfaces bonding dp0bond0 vif 790 policy route pbr 'VFP0-DNAT' set policy route pbr VFP0-DNAT rule 10 action 'accept' set policy route pbr VFP0-DNAT rule 10 address-family 'ipv4' set policy route pbr VFP0-DNAT rule 10 destination address ' /24' set policy route pbr VFP0-DNAT rule 10 source address ' /26' set policy route pbr VFP0-DNAT rule 10 table '50'

18 show nat source translations Pre-NAT Post-NAT Prot Timeout : :1 icmp 46 show nat destination translations Pre-NAT Post-NAT Prot Timeout : :18962 icmp 20 show session table TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED CONN ID Source Destination Protocol TIMEOUT Intf Parent : :18962 icmp [1] ES 16 vfp : :1 icmp [1] ES 35 vfp0 0

19 USE-CASE-4 ( Traffic Moving B/W Server & Client Using VFP as IP unnumbered) set interfaces loopback lo1 address ' /24' set interfaces virtual-feature-point vfp0 ip unnumbered donor-interface lo1 preferred-address ' ' Note /16 - This is the "link local" block. It is allocated for communication between hosts on a single link ( vyatta@mexico1v56-18:~$ show vpn ike sa Peer ID / IP Local ID / IP State Encrypt Hash D-H Grp A-Time L-Time IKEv up 3des sha vyatta@mexico1v56-18:~$ show vpn ipsec sa Peer ID / IP Local ID / IP Tunnel Id State Bytes Out/In Encrypt Hash DH A-Time L-Time

20 0 1 up 492.0/ des sha vyatta@mexico1v56-18:~$ show nat source translations Pre-NAT Post-NAT Prot Timeout : :1 icmp 53 vyatta@mexico1v56-18:~$ show nat destination translations Pre-NAT Post-NAT Prot Timeout vyatta@mexico1v56-18:~$ show session table TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED CONN ID Source Destination Protocol TIMEOUT Intf Parent : :1 icmp [1] ES 47 vfp0 0 vyatta@mexico1v56-18:~$ show session table TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED CONN ID Source Destination Protocol TIMEOUT Intf Parent : :19122 icmp [1] ES 55 vfp0 0 vyatta@mexico1v56-18:~$ show nat destination translations Pre-NAT Post-NAT Prot Timeout

21 USE-CASE-5 ( Traffic B/W Server & 2 Remote Clients Using Separate S-S VFP Interfaces as IP unnumbered)

22 VPN configuration commands set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 encryption '3des' set security vpn ipsec esp-group NETORC_ESP_GROUP proposal 1 hash 'sha1' set security vpn ipsec ike-group NETORC_IKE_GROUP lifetime '28800' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 dh-group '5' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 encryption '3des' set security vpn ipsec ike-group NETORC_IKE_GROUP proposal 1 hash 'sha1' set security vpn ipsec nat-traversal 'enable' set security vpn ipsec site-to-site peer authentication id ' ' set security vpn ipsec site-to-site peer authentication mode 'pre-shared-secret' set security vpn ipsec site-to-site peer authentication pre-shared-secret '********' set security vpn ipsec site-to-site peer authentication remote-id ' ' set security vpn ipsec site-to-site peer connection-type 'respond' set security vpn ipsec site-to-site peer default-esp-group 'NETORC_ESP_GROUP' set security vpn ipsec site-to-site peer ike-group 'NETORC_IKE_GROUP' set security vpn ipsec site-to-site peer local-address ' ' set security vpn ipsec site-to-site peer tunnel 0 allow-nat-networks 'disable' set security vpn ipsec site-to-site peer tunnel 0 allow-public-networks 'disable' set security vpn ipsec site-to-site peer tunnel 0 local prefix ' /32' set security vpn ipsec site-to-site peer tunnel 0 remote prefix ' /24' set security vpn ipsec site-to-site peer tunnel 0 uses 'vfp1' set security vpn ipsec site-to-site peer authentication id ' ' set security vpn ipsec site-to-site peer authentication mode 'pre-shared-secret'

23 set security vpn ipsec site-to-site peer authentication pre-shared-secret '********' set security vpn ipsec site-to-site peer authentication remote-id ' ' set security vpn ipsec site-to-site peer connection-type 'initiate' set security vpn ipsec site-to-site peer default-esp-group 'NETORC_ESP_GROUP' set security vpn ipsec site-to-site peer ike-group 'NETORC_IKE_GROUP' set security vpn ipsec site-to-site peer local-address ' ' set security vpn ipsec site-to-site peer tunnel 0 allow-nat-networks 'disable' set security vpn ipsec site-to-site peer tunnel 0 allow-public-networks 'disable' set security vpn ipsec site-to-site peer tunnel 0 local prefix ' /32' set security vpn ipsec site-to-site peer tunnel 0 remote prefix ' /24' set security vpn ipsec site-to-site peer tunnel 0 uses 'vfp0' PBR Policy Based Routing set interfaces bonding dp0bond0 vif 790 policy route pbr 'VFP0-DNAT' set policy route pbr VFP0-DNAT rule 10 action 'accept' set policy route pbr VFP0-DNAT rule 10 address-family 'ipv4'

24 set policy route pbr VFP0-DNAT rule 10 destination address ' /24' set policy route pbr VFP0-DNAT rule 10 source address ' /26' set policy route pbr VFP0-DNAT rule 10 table '50' set policy route pbr VFP0-DNAT rule 20 action 'accept' set policy route pbr VFP0-DNAT rule 20 address-family 'ipv4' set policy route pbr VFP0-DNAT rule 20 destination address ' /24' set policy route pbr VFP0-DNAT rule 20 source address ' /26' set policy route pbr VFP0-DNAT rule 20 table '60' set protocols static table 50 interface-route /0 next-hop-interface 'vfp0' set protocols static table 60 interface-route /24 next-hop-interface 'vfp1' SNAT & DNAT set service nat destination rule 10 destination address ' ' set service nat destination rule 10 inbound-interface 'vfp0' set service nat destination rule 10 source address ' ' set service nat destination rule 10 translation address ' ' set service nat destination rule 20 destination address ' ' set service nat destination rule 20 inbound-interface 'vfp1' set service nat destination rule 20 source address ' ' set service nat destination rule 20 translation address ' ' set service nat source rule 10 description 'SERVER-Client' set service nat source rule 10 destination address ' ' set service nat source rule 10 outbound-interface 'vfp0' set service nat source rule 10 source address ' ' set service nat source rule 10 translation address ' ' set service nat source rule 30 description 'SERVER-Client-Seattle' set service nat source rule 30 destination address ' '

25 set service nat source rule 30 outbound-interface 'vfp1' set service nat source rule 30 source address ' ' set service nat source rule 30 translation address ' ' Protocols configuration commands set interfaces loopback lo2 address ' /24' set interfaces virtual-feature-point vfp1 ip unnumbered donor-interface lo2 preferred-address ' ' set protocols static table 50 interface-route /0 next-hop-interface 'vfp0' set protocols static table 60 interface-route /24 next-hop-interface 'vfp1' show vpn ipsec sa Peer ID / IP Local ID / IP Tunnel Id State Bytes Out/In Encrypt Hash DH A-Time L-Time up 4.2K/4.2K 3des sha Peer ID / IP Local ID / IP Tunnel Id State Bytes Out/In Encrypt Hash DH A-Time L-Time up 4.0K/4.0K 3des sha

26 show session table TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED CONN ID Source Destination Protocol TIMEOUT Intf Parent : :3 icmp [1] ES 42 vfp1 0 vyatta@mexico1v56-18:~$ show nat source translations Pre-NAT Post-NAT Prot Timeout : :3 icmp 27 vyatta@mexico1v56-18:~$ show nat destination translations Pre-NAT Post-NAT Prot Timeout : :23998 icmp : :28948 icmp 60 vyatta@mexico1v56-18:~$ show session table TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED CONN ID Source Destination Protocol TIMEOUT Intf Parent : :23998 icmp [1] ES 60 vfp : :28948 icmp [1] ES 60 vfp1 0 vyatta@mexico1v56-18:~$ show conf

27

28 Best Practice for Using Virtual Feature Point Interface in S-S IPsec VPN 1 In case of Multiple S-S IPSEC VPNs with DNAT to a Single or different Remote-Site do we need common or separate VFP interface or not? a. As per AT&T Engineering same VFPX interface can be used on multiple tunnels with same or different peers.however, this could introduce unwanted complexity and as Best Practice it would be easy to differentiate the tunnels with separate VFPX numbers. b. The second major advantage of using separate VFPX interface is applying firewall where one can have more control and flexibility of applying firewall rules to block/allow traffic based on Remote-Peer.In a nutshel use a unique vfp per IPsec tunnel and prefer to use the 'ip unnumbered' command on the vfp rather than the 'address' command 2 Requirement for PBR (Policy based Routing) and Static Routes in VFP Based S-S IPsec VPN? PBR or Static both can be used for directing the traffic to VFP Interface but AT&T engineering recommends to use PBR as its less complex.

29 Virtual Feature Point Flow Diagram

30 References Created By Syed Faizullah Director Network Solutions Engineering Wanclouds Inc E: Web: