© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.


VPN Terminology

A system to accomplish the encryption/decryption, user authentication, hashing, and key-exchange processes. A cryptosystem may use one of several different methods, depending on the policy intended for various user traffic situations.

Encryption transforms information (clear text) into ciphertext which is not readable by unauthorized users. Decryption transforms ciphertext back into clear text making it readable by authorized users.
Popular encryption algorithms include:
–DES
–3DES
–AES

Guarantees message integrity by using an algorithm to convert a variable length message and shared secret key into a single fixed-length string.
Popular hashing methods include:
–SHA (Cisco default)
–MD5

Is the ability to prove a transaction occurred.
–Similar to a signed package received from a shipping company.
This is very important in financial transactions and similar data transactions.

How do the encrypting and decrypting devices get the shared secret key?
–The easiest method is Diffie-Hellman public key exchange.
Used to create a shared secret key without prior knowledge.
This secret key is required by:
–The encryption algorithm (DES, 3DES, AES)
–The authentication method (MD5 and SHA-1)

Identifies a communicating party during a phase 1 IKE negotiation. The key must be pre-shared with another party before the peer routers can communicate.

A “framework” of open standards developed by the IETF to create a secure tunnel at the network (IP) layer.
–It spells out the rules for secure communications.
IPsec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms.

VPNs


A Virtual Private Network (VPN) provides the same network connectivity for remote users over a public infrastructure as they would have over a private network.
VPN services for network connectivity include:
–Authentication
–Data integrity
–Confidentiality


VPN Topologies

Site-to-Site VPNs:
–Intranet VPNs connect corporate headquarters, remote offices, and branch offices over a public infrastructure.
–Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate Intranet over a public infrastructure.
Remote Access VPNs:
–Securely connect remote users, such as mobile users and telecommuters, to the enterprise.


GRE Tunnel

There are 2 popular site-to-site tunneling protocols:
–Cisco Generic Routing Encapsulation (GRE)
–IP Security Protocol (IPsec)
When should you use GRE and / or IPsec?
–User traffic IP only? No: use GRE tunnel. Yes: check whether it is unicast only.
–Unicast only? No: use GRE tunnel. Yes: use IPsec VPN.

GRE can encapsulate almost any other type of packet.
–Uses IP to create a virtual point-to-point link between Cisco routers
–Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and therefore routing protocols)
–Best suited for site-to-site multiprotocol VPNs
–RFC 1702 and RFC 2784
GRE header adds 24 bytes of additional overhead

GRE does not provide encryption!
–It can be monitored with a protocol analyzer.
However, GRE and IPsec can be used together.
IPsec does not support multicast / broadcast and therefore does not forward routing protocol packets.
–However, IPsec can encapsulate a GRE packet that encapsulates routing traffic (GRE over IPsec).

1. Create a tunnel interface: interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Identify the protocol to encapsulate in the GRE tunnel: tunnel mode gre ip
–By default, GRE is tunneled in an IP packet.

R1(config)# interface tunnel 0
R1(config-if)# ip address
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination
R1(config-if)# tunnel mode gre ip

R2(config)# interface tunnel 0
R2(config-if)# ip address
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination
R2(config-if)# tunnel mode gre ip


IPsec

A “framework” of open standards developed by the IETF to create a secure tunnel at the network (IP) layer.
–It spells out the rules for secure communications.
–RFC RFC 2412
IPsec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms.
IPsec allows newer and better algorithms to be implemented without patching the existing IPsec standards.

AH does not provide confidentiality (encryption).
–It is appropriate to use when confidentiality is not required or permitted.
–All text is transported unencrypted.
It only ensures the origin of the data and verifies that the data has not been modified during transit.
If the AH protocol is used alone, it provides weak protection.
AH can have problems if the environment uses NAT.

ESP can also provide integrity and authentication.
–First, the payload is encrypted using DES (default), 3DES, AES, or SEAL.
–Next, the encrypted payload is hashed to provide authentication and data integrity using HMAC-MD5 or HMAC-SHA-1.
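The two ESP steps described above, as an added Python example that is not part of the original slides: the sender encrypts the payload and then computes an HMAC-SHA-1 value over the ESP header (SPI and sequence number) plus the ciphertext, and the receiver checks that value before decrypting. Assumptions: the cipher is a SHA-256 counter-mode stand-in (not DES, 3DES, AES or SEAL), padding and the next-header field are left out, and all keys, values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: the 20-byte HMAC output is truncated to 96 bits


def _keystream(key, seq, length):
    """Stand-in cipher for the demo: SHA-256 in counter mode (assumption)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!II", seq, block)).digest()
        block += 1
    return out[:length]


def esp_protect(spi, seq, payload, enc_key, auth_key):
    """Sender: first encrypt the payload, then HMAC header plus ciphertext."""
    header = struct.pack("!II", spi, seq)
    ks = _keystream(enc_key, seq, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_verify_and_open(packet, enc_key, auth_key):
    """Receiver: check the integrity value first; decrypt only if it matches."""
    if len(packet) < 8 + ICV_LEN:
        return None  # too short to hold an ESP header and integrity value
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None  # modified in transit or wrong key: drop without decrypting
    spi, seq = struct.unpack("!II", body[:8])
    ciphertext = body[8:]
    ks = _keystream(enc_key, seq, len(ciphertext))
    return spi, seq, bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    # Constructed keys and payload, for illustration only.
    enc_key, auth_key = b"e" * 16, b"a" * 20
    pkt = esp_protect(0x1001, 1, b"constructed payload", enc_key, auth_key)
    print("intact packet  :", esp_verify_and_open(pkt, enc_key, auth_key))
    damaged = bytearray(pkt)
    damaged[10] ^= 0x01  # flip one ciphertext bit
    print("modified packet:", esp_verify_and_open(bytes(damaged), enc_key, auth_key))
```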

ESP and AH can be applied to IP packets in two different modes.

IPsec Tasks

1. Ensure that ACLs configured on the interface are compatible with IPsec configuration.
2. Create an IKE policy to determine the parameters that will be used to establish the tunnel.
3. Configure the IPsec transform set which defines the parameters that the IPsec tunnel uses.
–The set can include the encryption and integrity algorithms.
4. Create a crypto ACL.
–The crypto ACL defines which traffic is sent through the IPsec tunnel and protected by the IPsec process.
5. Create and apply a crypto map.
–The crypto map groups the previously configured parameters together and defines the IPsec peer devices.
–The crypto map is applied to the outgoing interface of the VPN device.

ESP = protocol # 50, AH = protocol # 51, ISAKMP = UDP port 500

Creating a plan in advance is mandatory to configure IPsec encryption correctly and to minimize misconfiguration.
Determine the following policy details:
–Key distribution method
–Authentication method
–IPsec peer IP addresses and hostnames
–IKE phase 1 policies for all peers
–Encryption algorithm, Hash algorithm, IKE SA lifetime
Goal: Minimize misconfiguration.


RouterA# show crypto isakmp policy
Protection suite of priority 110
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #1 (768 bit)
    lifetime: seconds, no volume limit
Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: seconds, no volume limit
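An added example, not part of the original slides: a Python parser for text in the show crypto isakmp policy layout above that lists, for each protection suite, the parameters using DES, MD5 or Diffie-Hellman group 1 (all generally regarded as obsolete), and finds the first suite two peers have in common. The sample text is constructed (its lifetime value is a placeholder), the function names are hypothetical, and the peer comparison is a simplified model that ignores lifetimes.

```python
import re

# Constructed sample in the layout of the "show crypto isakmp policy" output
# above; the lifetime value 86400 is a placeholder, not taken from the slides.
SAMPLE = """\
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

FIELDS = {
    "encryption algorithm": "encryption",
    "hash algorithm": "hash",
    "authentication method": "auth",
    "diffie-hellman group": "dh_group",
    "lifetime": "lifetime",
}


def parse_policies(text):
    """Return one dict per protection suite, in the order the router lists them."""
    suites, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line.startswith("Default protection suite"):
            current = {"priority": int(m.group(1)) if m else None}  # None = default
            suites.append(current)
            continue
        if current is None or ":" not in line:
            continue  # prompt lines and anything before the first suite
        label, value = (part.strip() for part in line.split(":", 1))
        key = FIELDS.get(label.lower())
        if key:
            current[key] = value.rstrip(".")
    return suites


def weak_settings(suite):
    """List the parameters of one suite that use DES, MD5 or DH group 1."""
    findings = []
    if suite.get("encryption", "").startswith("DES"):
        findings.append("encryption: DES (56-bit key)")
    if "Message Digest 5" in suite.get("hash", ""):
        findings.append("hash: MD5")
    if suite.get("dh_group", "").startswith("#1 "):
        findings.append("dh_group: group 1 (768 bit)")
    return findings


def common_suite(local, remote):
    """First local suite whose four negotiated parameters equal a remote suite's."""
    keys = ("encryption", "hash", "auth", "dh_group")
    for a in local:
        for b in remote:
            if all(a.get(k) == b.get(k) for k in keys):
                return a
    return None
```

Running parse_policies on the output captured from each peer and passing both results to common_suite shows during planning whether the peers share a suite, and whether the only shared one is the default suite.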


To use the hostname parameter, configure the crypto isakmp identity hostname global configuration mode command.
–In addition, DNS must be accessible to resolve the hostname.

RouterA# show crypto isakmp policy
Protection suite of priority 110
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #1 (768 bit)
    lifetime: seconds, no volume limit
Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: seconds, no volume limit

Cisco IOS software supports the following IPsec transforms:
CentralA(config)# crypto ipsec transform-set transform-set-name ?
    ah-md5-hmac    AH-HMAC-MD5 transform
    ah-sha-hmac    AH-HMAC-SHA transform
    esp-3des       ESP transform using 3DES(EDE) cipher (168 bits)
    esp-des        ESP transform using DES cipher (56 bits)
    esp-md5-hmac   ESP transform using HMAC-MD5 auth
    esp-sha-hmac   ESP transform using HMAC-SHA auth
    esp-null       ESP transform w/o cipher
Note: esp-md5-hmac and esp-sha-hmac provide more data integrity. They are compatible with NAT/PAT and are used more frequently than ah-md5-hmac and ah-sha-hmac.

RouterA# show crypto isakmp policy
Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys)
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman Group: #1 (768 bit)
    lifetime: seconds, no volume limit

RouterA# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
    Peer =
    Extended IP access list 102
        access-list 102 permit ip host host
    Current peer:
    Security association lifetime: kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ MY-SET, }

RouterA# show crypto ipsec transform-set MY-SET
Transform set MY-SET: { esp-des }
    will negotiate = { Tunnel, },


Configures global IPsec lifetime values used when negotiating IPsec security associations. IPsec SA lifetimes are negotiated during IKE phase 2.


RouterA(config)# access-list 110 permit tcp
RouterB(config)# access-list 110 permit tcp


RouterA(config)# crypto map MYMAP 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set transform-set MINE
RouterA(config-crypto-map)# set security-association lifetime 86400


Clears IPsec Security Associations in the router database.
Router# clear crypto sa
Router# clear crypto sa peer
Router# clear crypto sa map
Router# clear crypto sa entry

RouterA# show crypto isakmp policy
Protection suite of priority 110
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Message Digest 5
    authentication method: pre-share
    Diffie-Hellman group: #1 (768 bit)
    lifetime: seconds, no volume limit
Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: seconds, no volume limit

RouterA# show crypto ipsec transform-set MY-SET
Transform set MY-SET: { esp-des }
    will negotiate = { Tunnel, },

QM_IDLE (quiescent state) indicates that an ISAKMP SA exists but is idle. The router will remain authenticated with its peer and may be used for subsequent quick mode (QM) exchanges.
RouterA# show crypto isakmp sa
dst             src             state           conn-id    slot
                                QM_IDLE              47       5

RouterA# show crypto ipsec sa
interface: Ethernet0/1
    Crypto map tag: MYMAP, local addr
    local ident (addr/mask/prot/port): ( / /0/0)
    remote ident (addr/mask/prot/port): ( / /0/0)
    current_peer:
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
    local crypto endpt.: , remote crypto endpt.:
    path mtu 1500, media mtu 1500
    current outbound spi: 8AE1C9C

RouterA# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
    Peer =
    Extended IP access list 102
        access-list 102 permit ip host host
    Current peer:
    Security association lifetime: kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ MINE, }
