Security Policies Using VRF Group

Overview

In an SD-WAN network, traffic belonging to different VRFs can enter the device over the same tunnel or interface, such as a GRE tunnel or a GE interface. The device applies policy based on the VRF instance the traffic belongs to, and either permits or denies the traffic destined to a particular VRF instance in order to control VRF-based traffic.

Currently, there are five matching conditions for each policy:

  • From zone

  • To zone

  • Source address

  • Destination address

  • Applications

Figure 1 shows the match conditions in a policy.

Figure 1: Match Conditions. Firewall rule table: traffic from Zone Z1 to Zone Z2 is allowed for any source and destination address using HTTPS. The action is permit with UTM.

With only these matching conditions, you cannot permit traffic for VRF-B1 or VRF-B2 while denying traffic for VRF-A1 or VRF-A2, because the five conditions say nothing about the VRF. To support this, additional matching conditions based on VRF groups are added to the policy in the SD-WAN network.

When the flow module receives the source and destination VRF group information for a packet, it forwards that information to the policy search API together with the policy key tuple, so that the VRF group conditions can be matched alongside the existing ones.

Figure 2 shows the VRF groups added as match condition in a policy.

Figure 2: Match Conditions with VRF Group. Table showing network security policies with match conditions and actions: vpn-a_policy denies traffic to VRF-GRP_A; vpn-b_policy permits traffic to VRF-GRP_B.

Note:

If the source or destination VRF group is not specified in a policy, that condition matches any VRF group.
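As an added illustration (not Junos code and not from the original page), the following Python model shows how a first-match policy search behaves once source and destination VRF groups are part of the key tuple, including the rule in the Note that an unspecified VRF group matches any group. Zone names, addresses and the application name are assumptions; the two policies follow Figure 2.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model (not Junos code) of the policy search described above:
# the five classic match conditions plus the two VRF group conditions.
ANY = "any"


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str                                  # "permit" or "deny"
    source_address: str = ANY                    # CIDR or "any"
    destination_address: str = ANY
    application: str = ANY
    source_vrf_group: Optional[str] = None       # None: not specified in policy
    destination_vrf_group: Optional[str] = None  # None: not specified in policy


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    source_address: str
    destination_address: str
    application: str
    source_vrf_group: str        # VRF group of the ingress side
    destination_vrf_group: str   # VRF group of the destination route


def _addr_match(cond: str, addr: str) -> bool:
    return cond == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(cond)


def _vrf_match(cond: Optional[str], group: str) -> bool:
    # A VRF group that is not specified in the policy matches any VRF group
    # (see the Note above); a specified group must be equal.
    return cond is None or cond == group


def policy_search(policies: List[Policy], flow: Flow) -> Optional[Policy]:
    """First-match search over the ordered policy list; None if nothing matches."""
    for p in policies:
        if (p.from_zone == flow.from_zone
                and p.to_zone == flow.to_zone
                and _addr_match(p.source_address, flow.source_address)
                and _addr_match(p.destination_address, flow.destination_address)
                and p.application in (ANY, flow.application)
                and _vrf_match(p.source_vrf_group, flow.source_vrf_group)
                and _vrf_match(p.destination_vrf_group, flow.destination_vrf_group)):
            return p
    return None


def lookup_action(policies: List[Policy], flow: Flow) -> str:
    """Action applied to the flow; an unmatched flow falls to the default deny."""
    p = policy_search(policies, flow)
    return p.action if p else "deny"


# Constructed policy set modelled on Figure 2: deny traffic to VRF-GRP_A,
# permit HTTPS traffic to VRF-GRP_B. Zone names are assumptions.
POLICIES = [
    Policy("vpn-a_policy", "Z1", "Z2", "deny", destination_vrf_group="VRF-GRP_A"),
    Policy("vpn-b_policy", "Z1", "Z2", "permit", application="junos-https",
           destination_vrf_group="VRF-GRP_B"),
]


def flow_to(group: str, app: str = "junos-https") -> Flow:
    # Constructed sample flow: the 5-tuple is identical for every destination
    # VRF group, so only the VRF group condition can tell them apart.
    return Flow("Z1", "Z2", "10.1.1.10", "10.2.2.20", app, "VRF-GRP_LAN", group)


if __name__ == "__main__":
    for g in ("VRF-GRP_A", "VRF-GRP_B", "VRF-GRP_C"):
        print(g, "->", lookup_action(POLICIES, flow_to(g)))
```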

Example: Configuring a Security Policy to Permit VRF-Based Traffic from an IP Network to MPLS Network using VRF Group

This example shows how to configure a security policy to permit traffic from a private IP network to an MPLS network using a VRF group.

Requirements

  • Any supported Junos release.

  • On supported devices.

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 3, an SRX Series Firewall is deployed in an SD-WAN to permit traffic from a private IP network to an MPLS network using a VRF group.

Figure 3: Traffic from Private Network to MPLS Network. Architecture diagram showing Site-a and Site-b connected through VPNs and routing. Data flows from Site-a via VPN-A and from Site-b via VPN-B into VRF-g, the central routing domain. Orange arrows indicate data flow from Site-a; green arrows indicate data flow from Site-b.

This configuration example shows how to:

  • Permit traffic from IP network (LAN-a) to VRF group

  • Permit traffic from IP network (LAN-b) to VRF group

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Create VRF group vpn-A with VRF instances A1 and A2.

  2. Create VRF group vpn-A1 with VRF instances A11 and A21.

  3. Create VRF group vpn-B with VRF instances B1 and B2.

  4. Create VRF group vpn-B1 with VRF instances B11 and B21.

  5. Create a security policy to permit vrf-a traffic.

  6. Create a security policy to permit vrf-b traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to an IP Network using VRF Group

This example shows how to configure a security policy to permit traffic from an MPLS network to an IP network using the VRF group.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 4, the firewall is deployed in an SD-WAN to permit traffic from an MPLS network to a private network using a VRF group.

Figure 4: Traffic Permit from MPLS to Private Network. Network diagram illustrating a VPN setup with hub-and-spoke topology. Site-a and Site-b connect to the Spoke SRX via VPN-A and VPN-B through LAN-a and LAN-b. The Spoke SRX connects to the Hub SRX via GRE tunnels with specific identifiers.

This configuration example shows how to:

  • Permit traffic from GRE MPLS to LAN-a

  • Permit traffic from GRE MPLS to LAN-b

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Create VRF group vpn-A with VRF instances A1 and A2.

  2. Create VRF group vpn-B with VRF instances B1 and B2.

  3. Create a security policy to permit VRF-a traffic.

  4. Create a security policy to permit VRF-b traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit VRF-Based Traffic from Public IP Network to MPLS Network using VRF Group

This example describes how to configure a destination NAT rule that translates traffic arriving from the public IP network into the MPLS network using a VRF group.

Requirements

Overview

In Figure 5, the firewall is configured with a destination NAT rule that translates the destination of traffic arriving from the public IP network to an address in the per-VRF destination routing table. The firewall is configured with two VRF groups, vpn-A and vpn-B.

Figure 5: Traffic Permit from Public Network to MPLS Network. Architecture diagram featuring NAT, VRF, and GRE tunnels for traffic flow from the global IP network to the SRX device.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure destination NAT mapping for a single VRF:

  1. In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.

  2. Create another VRF group vpn-B with VRF instances B1 and B2.

  3. Specify a destination NAT IP address pool.

  4. Assign the routing instance to the destination pool.

  5. Create a destination NAT rule set.

  6. Configure a rule that matches packets and translates the destination IP address to an IP address in the destination NAT IP address pool.

  7. Create a security policy to permit VRF-a traffic.

  8. Create a security policy to permit VRF-b traffic.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Destination NAT Rule Usage and Security Policies

Purpose

Verify that there is traffic matching the destination NAT rule.

Action

From operational mode, enter the show security nat destination rule all command. In the Translation hits field, verify whether there is traffic that matches the destination NAT rule.

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to Public IP Network using VRF Group

This example describes how to configure the routing group to translate per VRF group network traffic to global IP pool.

Requirements

Overview

In Figure 6, the firewall is configured with routing group to permit VRF group network traffic from MPLS to global IP pool. The firewall is configured with two VRF groups, vpn-A and vpn-B.

Figure 6: Traffic Permit from MPLS to Public Network. Diagram of network flow through the SRX device: GRE to VPN-A or VPN-B, then through routing and NAT, exiting via GE.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure source NAT mapping for a single VRF:

  1. In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.

  2. Create another VRF group vpn-B with VRF instances B1 and B2.

  3. Specify a source NAT IP address pool.

  4. Create a source NAT rule set.

  5. Configure a rule that matches packets and translates per VRF group network traffic to global IP pool.

  6. Create a security policy to permit vpn-A traffic.

  7. Create a security policy to permit vpn-B traffic.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Source NAT Rule Usage and Security Policies

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. In the Translation hits field, verify whether there is traffic that matches the source NAT rule.

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to MPLS Network without NAT using VRF Group

This example describes how to configure the routing group to permit traffic between MPLS networks without using NAT.

Figure 7: Traffic between MPLS Networks. Network diagram showing SRX1, SRX2, and SRX3 connected via GRE-1 and GRE-2 tunnels with VPN-A and VPN-B for secure routing and traffic flow.

Requirements

Overview

In Figure 7, the firewall is configured with routing group to permit traffic between MPLS networks without using NAT. The firewall is configured with two VRF groups, vpn-A and vpn-B.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the VRF groups and security policies for this example:

  1. In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.

  2. In Layer 3 VPNs create a VRF group vpn-A1 with VRF instances A11 and A12.

  3. Create another VRF group vpn-B with VRF instances B1 and B2.

  4. Create another VRF group vpn-B1 with VRF instances B11 and B12.

  5. Create a security policy to permit vpn-A1 traffic.

  6. Create a security policy to permit vpn-B1 traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Security Policies

Purpose

Verify the configuration output of the security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit VRF-Based Traffic from MPLS Network to MPLS Network using NAT and VRF Group

This example describes how to configure the routing group and permit traffic between MPLS networks using NAT.

Figure 8: Traffic Permit between MPLS Networks with NAT. Network flow diagram with SRX devices, GRE tunnels, VPN tunnels, routing, and NAT. Session 1 uses VPN-A with orange flow, and Session 2 uses VPN-B with green flow.

Requirements

Overview

In Figure 8, an SRX Series Firewall is configured with the routing group to permit traffic between MPLS networks using NAT. The SRX Series Firewall is configured with the VRF groups vpn-A, vpn-A1, vpn-B, and vpn-B1.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure source NAT mapping for a single VRF:

  1. In Layer 3 VPNs create a VRF group vpn-A with VRF instances A1 and A2.

  2. In Layer 3 VPNs create a VRF group vpn-A1 with VRF instances A11 and A12.

  3. Create another VRF group vpn-B with VRF instances B1 and B2.

  4. Create another VRF group vpn-B1 with VRF instances B11 and B12.

  5. Specify a source NAT IP address pool.

  6. Create a source NAT rule set.

  7. Configure a rule that matches packets and translates per VRF group network traffic to global IP pool.

  8. Create a security policy to permit vpn-A1 traffic.

  9. Create a security policy to permit vpn-B1 traffic.

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Security Policies

Purpose

Verify that there is traffic matching the source NAT rule.

Action

From operational mode, enter the show security nat source rule all command. In the Translation hits field, verify whether there is traffic that matches the source NAT rule.

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network using Source VRF Group

This example shows how to configure a security policy to permit traffic and deny traffic using the source VRF group.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 9, an SRX Firewall is deployed in an SD-WAN to control traffic using the source VRF group. Traffic from the GRE MPLS network is sent to site A and site B of the IP network. As per the network requirement, site A traffic should be denied, and only site B traffic should be permitted.

Figure 9: Policy Control from MPLS Network. Network diagram of VRF groups and a GRE tunnel on an SRX device. VRF-Group A is blocked from the GRE tunnel, while VRF-Group B has access.

This configuration example shows how to:

  • Deny traffic from vpn-A (from GRE MPLS)

  • Permit traffic from vpn-B (from GRE MPLS)

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Create VRF group vpn-A with VRF instances A1 and A2.

  2. Create VRF group vpn-B with VRF instances B1 and B2.

  3. Create a security policy to deny vpn-A traffic.

  4. Create a security policy to permit vpn-B traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from an IP Network to MPLS Network using Destination VRF Group

This example shows how to configure a security policy to permit traffic and deny traffic using the destination VRF group.

Requirements

Overview

In Junos OS, security policies enforce rules for transit traffic, in terms of what traffic can pass through the device and the actions that need to take place on the traffic as it passes through the device. In Figure 10, an SRX Firewall is deployed in an SD-WAN to control traffic using the destination VRF group. Traffic from the IP network is sent to site A and site B of the GRE MPLS network. As per the network requirement, site A traffic should be denied, and only site B traffic should be permitted.

Figure 10: Policy Control to MPLS Network. Network architecture diagram showing an MPLS network connected to an SRX device with multiple VRF groups. VRF-GROUP A has restricted traffic to LAN_VRF_A, indicated by a red arrow and symbol. VRF-GROUP B allows traffic to LAN_VRF_B, shown by green arrows, demonstrating traffic segmentation and control.

This configuration example shows how to:

  • Deny traffic to vpn-A (to GRE MPLS)

  • Permit traffic to vpn-B (to GRE MPLS)

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Create VRF group vpn-A with VRF instances A1 and A2.

  2. Create VRF group vpn-B with VRF instances B1 and B2.

  3. Create a security policy to deny vpn-A traffic.

  4. Create a security policy to permit vpn-B traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Policy Configuration
Purpose

Verify information about security policies.

Action

From operational mode, enter the show security policies command to display a summary of all the security policies configured on the device.

Managing Overlapping VPN using VRF group

When two sessions exist in an L3VPN network, the VRF group-ID is added to the session key as an additional key element to differentiate the sessions and avoid conflicts between them.

In Figure 11, network1 and network3 are grouped into VRF group-A in the L3VPN network, and network2 and network4 are grouped into VRF group-B. The sessions use VRF group-A and VRF group-B as differentiators.

Figure 11: Overlapping VPN using VRF Groups. Network architecture diagram showing an SRX device connecting four L3VPN MPLS networks using VRF instances and GRE tunnels for routing and session establishment.

Table 1: L3VPN Session Information

Session                         Direction   5-tuple        Token
L3VPN Network 1 and 3 session   Forward     x/y/sp/dp/p    GRE1(zone_id+VR_id) + VRF group-ID (A)
                                Reverse     y/x/dp/sp/p    GRE1(zone_id+VR_id) + VRF group-ID (B)
L3VPN Network 2 and 4 session   Forward     x/y/sp/dp/p    GRE1(zone_id+VR_id) + VRF group-ID (A’)
                                Reverse     y/x/dp/sp/p    GRE1(zone_id+VR_id) + VRF group-ID (B’)
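As an added illustration (not Junos code and not from the original page), this Python model of a session table shows why the VRF group-ID belongs in the key: the two sessions of Table 1 share the same 5-tuple on GRE1, and only the token keeps their wings apart. The addresses, ports, zone and VR identifiers are constructed values; the wing tokens follow Table 1.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical model (not Junos code) of the session key discussed above: the
# 5-tuple plus a token built from the ingress GRE interface (zone_id + VR_id)
# and, when VRF groups are in use, the VRF group-ID.


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int

    def reverse(self) -> "FiveTuple":
        # Reverse wing key: y/x/dp/sp/p as in Table 1
        return FiveTuple(self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass(frozen=True)
class Token:
    zone_id: int
    vr_id: int
    vrf_group_id: str = ""    # empty when VRF group-ID is not part of the key


Key = Tuple[FiveTuple, Token]


class SessionTable:
    def __init__(self) -> None:
        self._wings: Dict[Key, int] = {}   # wing key -> session id
        self._next_id = 1

    def install(self, fwd: FiveTuple, fwd_tok: Token, rev_tok: Token) -> int:
        """Install forward and reverse wings; refuse a key that is already taken,
        which is exactly the ambiguity the VRF group-ID is added to avoid."""
        fkey, rkey = (fwd, fwd_tok), (fwd.reverse(), rev_tok)
        if fkey in self._wings or rkey in self._wings:
            raise KeyError(f"session key collision: {fkey}")
        sid = self._next_id
        self._next_id += 1
        self._wings[fkey] = sid
        self._wings[rkey] = sid
        return sid

    def lookup(self, pkt: FiveTuple, tok: Token) -> Optional[int]:
        return self._wings.get((pkt, tok))


def install_table1_sessions(use_vrf_group: bool) -> Tuple[SessionTable, int, int]:
    """Install the two overlapping sessions of Table 1 (same x/y/sp/dp/p over GRE1).
    With use_vrf_group=False the tokens collapse to GRE1(zone_id+VR_id) alone and
    the second install collides."""
    table = SessionTable()
    xy = FiveTuple("10.0.0.1", "10.0.0.2", 40000, 443, 6)   # constructed x/y/sp/dp/p
    gre1 = {"zone_id": 5, "vr_id": 1}                        # constructed GRE1 ids

    def tok(group: str) -> Token:
        return Token(**gre1, vrf_group_id=group if use_vrf_group else "")

    s13 = table.install(xy, tok("A"), tok("B"))      # Network 1 and 3 session
    s24 = table.install(xy, tok("A'"), tok("B'"))    # Network 2 and 4 session
    return table, s13, s24


if __name__ == "__main__":
    table, s13, s24 = install_table1_sessions(use_vrf_group=True)
    print("sessions installed:", s13, s24)
    try:
        install_table1_sessions(use_vrf_group=False)
    except KeyError as err:
        print("without VRF group-ID:", err)
```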