Cisco CCNP Enterprise 300-415 ENSDWI – SDWAN Policy Part 6
This session is just the extension. That what we have a study, only one or two new points you’ll find now in case of dual router hybrid site design. So let me quickly show you the site diagram. So I have my branch and in this branch you can see that I have two devices in hybrid mode internet and MP TLS. But we are using tlock extension. So in between these two devices we have transport locator and then we are going to use the dia. So the same thing that we have a study earlier that for Guest traffic that is the green color, it can go and use the dia that is in the guest VRF that will be the not part of VPN.
So other important corporate or maybe partners or trusted Jones or trusted VPN they are part of VPN member but guest is not. So that means if you have any issue at this point of time, guest traffic will get dropped. On the other hand, I have the employee traffic that is also using dia and if this link will go down then it will take other path. So it will go and take other path and then it will go and use the internet. So probably it will go like this and then here and then internet it can use that path. All right so let’s see the theory. So we have theory that we are going to design the hybrid.
We have just seen that hybrid branch design where we are using the tlock extension as well. Obviously their option that in the van facing interface you can get the IP from DHCP or you can have the static IP as well. There is no problem. Generally we are getting the internet facing interfaces. They are getting the IP from the DHCP DHCP server or DHCP is hosted over the ISP side. But on the MPLS side, what we are doing that we are providing the strategic IP and if any problem will happen, obviously over the internet side, the internet traffic of the employee will go via the MPLS.
Now what is the important thing here that since you are using the tlock extension while configuring the tlock extension all these interfaces we know this thing from the tlock extension theory that whenever you are doing the tlock extension these interfaces are the part of VPN zero. So these interfaces who are here part of VPN zero there you should go and enable the VPN zero net as well. So you should go inside VPN zero, enable Nat, not only the vanfacing interface but the tlock extension as well. Next thing that we can use the track as well we know that we have two deployment model either we can use Nat dia route or we can use the centralized data policy from VA Smart. Both things we have discussed earlier.
Now here you can see that in case of failure how it looked like. So if failure is there guest traffic will get dropped. So guest traffic is dropped as the primary internet is down but you can see that the internet traffic for the corporate or for the employee that is going by MPLS and then it is going to the core switch and aggregator and then the firewall and the internet so in this way they can do the failover. There is no problem on that. And to check the van interface or the VPN zero interface we can go and use the tracking. So we have already discussed about the tracker what? We have a study in the last section what new things we have added. So since we are using the tlock extension over the tlock extension also use the VPN zero net okay and rest whatever we have a study earlier everything will be the same in this design as well. Okay.
One by one we are discussing all their deployment model. So in this case say for example I have a single device with dual internet connection. So here you can see in the diagram that I have one device, one edge device vs device having Internet one and Internet two. And what is the business best practices related to the Dia? Let’s try to understand.
Now in this case either it’s iOS XE or it’s a victim box. There is no problem, we can have that type of deployment model. Now in this case again that these interfaces who is facing ISP, they are getting the IP addresses and default route towards the ISP is getting installed. Okay? So once we have such arrangement now what will happen with the traffic flow? Here we can see that the same strategy that we have discussed earlier that guest traffic can do the local exit, they will never be the part of VPN membership.
My employee traffic that can go to the internet and here we have two internet connection. So here you can see that if this link is down, obviously it will fall back to the other internet link and it can use the applications or resources hosted over internet, correct? Now while doing this type of deployment we should go and enable Nat over both the interfaces if we want the Dia and obviously internet is connected. So we should go and enable the net. We know that we have two deployment model. Either we can go and use the centralized data policies or we can go and use the Dia route.
And here you can see the Dia route having the higher precedence because the ad is six rather this OMP route the ad is 251 but still the OMP will be used as a fallback. Now, very important thing, an important point here to understand is that inside iOS XE if you have two net interface they will use ECMP equal cost multiparting and even that is the limitation of iOS XE. But in the Viptila OS we can go label the colors over the teloC obviously and then we can provide who is the primary and the backup. So now here you can see in the diagram that one of the internet circuit that we have, we are providing this as primary and other link.
You can see that is working as a backup. So we have this option that we can go and give preferred local T lock color and the backup local T lock color. So here you can see that one is the primary, other one will be the second and vice versa. That’s the important thing we have. If we have two internet connection we can go and add the tracking interface. We have discussed about this tracker, the tracker is there who will constantly go and send the probes. If the link is down, then it will get rerouted to the backup interface. We have technical tip that in this design two different Nat tracker name must be configured. So you should configure unique tracker name and then you have to assign over the interfaces. Correct. That must be enabled before cracker to be configured. So these are the very important and interesting use cases in case we have single device and two broadband or internet connection.
Next we have dual router, dual internet design. So whatever we have a study so far we can go and simply summarize and those things and those knowledge will be added here. So what we know at this point of time, suppose if you have two internet you can use those internet for redundancy purpose. So we have good redundancy. Second thing here that we are going to use the T lock transport locator. So tlock extension we are going to use here we can see that two links we have for the tlock extension. Third very important thing we know that we can go and use the tracker and finally we have two methods. Either we can use Nat dia routes or we can push this with the centralized data policy. So for example centralized data policy where we can go and put the Nat rule inside that so few of the traffic will use normal IPsec tunnel, few of the traffic will go via the Nat rule. Correct.
So these things we have studied so far and here also you can see that you have extra device for the sake of redundancy while we are using the transport locator extension tlock extension at that time we should go inside VPN zero and those interfaces where we are using the transport locator extension we should go and use VPN zero nat command rest of the things you can see that we have studied the same thing, same rule applies here as well and those are the advanced practices or those are the standard practices we should follow here as well.
So here we can see that not only that you have primary and secondary but here we can see that in this case you can go and have the local exit over other internet as well. So you may have local exit here, you may have local exit here and you can go and add the fifth point that will be the priority. So who is the preferred color? Who is the backup local DE lock color? We can go and assign that and that’s the way that we can go and provide the dual router, dual internet connectivity or dual internet dia theory or the design.
Now we are going to do the actual configuration for the dia and obviously we have two methods one is that we can create decentralized data policy other one is that we can go and create dia nat routes so one by one we’ll go and do both the things. Say in this example I have in say for example I have VPN ten, VPN 20 and VPN 40. Let me quickly show you the diagram so here you can see that I have two branches. One of the branch having devices ch devices ch one and ch two this green color is internet link and this blue one is MPLS say MPLS and internet. Now what we are going to do that we have VPN 1020 so we have VPN ten as a corporate, 20 as a PCI and 40 as a guest.
Now for this VPN that is VPN ten we’ll go and create the rule later on with this VPN that will assume that this is guest VPN. For this also we are going to create the route but first of all let’s focus on VPN Ten and then we have Branch with site ID 304 hundred so in PPT we have a different site ID and the VPN but in actual lab we are going to follow this 300, 410, 20 and 40. So let me go back to the slide we are back to the slide so while we are doing this rule although the creation of rule you’ll find it’s very easy from the we manage but we should understand the flow and the logic behind that. So you can go to the configuration and policy you want to create a centralized policy you have to go here to add policy. Once you click add policy then we know that we have four different things to consider what are those four different things that is coming one by one.
So first of all interesting traffic this is your classification phase then the next phase is related to control policy so if you go and click next you are here inside the control policy page then the next one is related to data policy and final one is to apply the policy. So we have actually these four phases from we manage that we can create the centralized policy. Now in classification phase what we want that we want to create the list for VPN. So in case in our case that is VPN ten, then we should go and create the site list for the branches. Site list belonging to something that we want to apply the policy. Remember apply policy 100% of time related to site list.
So we’ll go and define the VPN then the site list and the data prefix list. Why? Because we want few of the traffic will go via IPsec but for few of the traffic that is intended or destined to internet for that nat will happen. Now here in our lab we have mix of two devices we have, say for example iOS XE plus Viptella OS. We have two different type of operating system for both different type of operating system. Obviously the iOS XE is not that matured as to compare with the Vipela OS and that’s the reason Cisco has their own ISR product, say ISR 11004 g 60, where we can put actual Viptella codes, for example 19 two. So it will work and support all the SDWAN Viptella features, correct. But still, most of the customer at present time, if you see 70% to 80% of branch devices are Cisco devices, ISR or ASR et cetera.
Cisco has given one what we can say that option to the customer that customers you don’t need to purchase new box, but you can upgrade your hardware with the new iOS XC. Inside that we have put the SDWAN patch and it will work. But remember, before doing the deployment you should list out and confirm that what features are there, what features are not there related to sqm? All right, so once we create the list related to data prefix list, site ID list, VPN list, obviously then we’ll go to phase number two. So in this example we have some other subnet, but when we do our lab, we may change the subnet just for an example like that you can go and create the list or the classification you can do so you can go and create the data prefix list.
Suppose if different branches has different different prefixes, obviously different branches have different IPS or subnets, who wants to go to the internet? So in that way we can go and categorize. So we’ll see that in our lab. So for example, here for branch one you have 1010. For branch three, four and five. This is branch just an example, this is branch two and this is branch three, four, five, last three and then four and five. Like that we can think. So then we have 1020, 1040. All right? So like that we can create the prefix list area of the summary in our lab it will be a bit different and then you have overlay traffic subnet as well and that’s actually very interesting. So now you can see that you are creating the data prefix list for overlay traffic and the rest of traffic, or at least those type of traffic. Who wants to do the net? All right, then you have to go and click next. Likewise we can go and add the branch list. So there’s just nothing but adding the site list or the branch list like that. In our case we have branch ID 304 hundred, I’ll show you in the lab section.
So once you have the branch list, then once you have that, then you can go and create the VPN. In our case, for example, we have VPN ten instead of one. So what we have done at this point of time that create group of interests that’s done. We know that next is control policy. So we’ll go next we’ll skip this page then we’ll go here to the configure traffic rules. You should go there configure traffic rules create a new policy and this is one of the data policy. What is the agenda for this policy? The description is that data policy to match employee traffic and route the traffic from service VPN one to VPN zero. Correct? So now we’ll go ahead and we’ll create the custom policy. I am going to explain you each and every step in the lab section. So you have sequence rule, you have match take action and finally you have the default action as well. How you are going to create the rule? We are going to create the rule in this manner.
So first of all the overlay traffic accepted for overlay traffic we are not doing that because overlay traffic have their own IPsec tunnels. Then for branch three, four, five which are the iOS XE type of branch nat VPN zero in our case that is branch one. So for branch one I will do Nat VPN zero and for branch number two where we have the riptella code there we can go and we can use Nat VPN zero and then the fallback is local tlocklist internet. Same way I’m going to create the policy only the site ID VPN ID will change. Now finally we have the accept action. Default action will be dropped. You can go and make this accept. So say for example what will happen whatever categorization or prefixes we have for data prefix list or for nat plus the overlay traffic apart from that all the traffic will get dropped if you make this as a default. So go ahead change this policy as accept save this policy. Once you save this policy then you have options to do the preview. But before doing the preview obviously we should go and apply this policy. That’s the phase of the policy.
So once you go and apply this policy I want to apply this policy from service side to branch 1234 for VPN ten or sorry for VPN one in this case but in actuality we are going to apply to VPN ten. Then we have the preview option here you can see the number five is a preview option. Once you go and click you can see the cliq elements of the configuration and I’ll show you that also. So this sequence one is actually for the ipset traffic the sequence eleven and 21 sequence eleven is for your VH traffic sequence 21 is for your CSR or ISR traffic ISR devices or iOS XE rule. So finally it will look like this we can save the policy. Once you save the policy then we know that at a time only one policy is active inside the we manage. Once you save the policy you need to activate it.
So what’s the flow? The flow is. Let me quickly draw here so you will understand. So you have your we manage and then we manage will push this policy to all the Vsmart they are communicating with net conf. Obviously you have either DTLs or TLS tunnel in between them and from Vsmart, whatever selected branches we have say list of site list and there you have V edge or you have the C edge at that time the VA smart and V ed devices they have Ompper or they are OMP pair. And this policy will push with help of OMP to all the edges that will be the of flow that NETCONF and OMP in between running between we manage Vsmart, Vsmart and VH and that’s it. So this is the way that we are going to do this particular policy. Let’s just stop here and next section I’ll log into the lab and I’ll show you how you can create and verify.
Let’s do the lab. So let me log to the devices. Just wanted to show you that what are the interfaces we have inside the VPN ten. So for branch two the IP subnet is ten four. Here we can see the network inside VPN ten is this. And if we can go and check show IP route four, VPN ten. So here you can see that inside VPN ten we are receiving the routes. But basically the connected route that we have for VPN ten is ten for so what I can do that, I can use a subnet, say for example ten 40 zero. We can take this subnet ten 4100. Okay? And if you see here the description you have ten 1251 slashly this is just the IP connected with the switch or router. All right, then we should go and check the VPN ten in the branch as well. So let’s go to branch one and check show interface, IP interface brief because this is the ISR or this is the iOS XE. Here you can see that the ten 310 is the subnet for the branch number one. Okay? All right, so we got the data prefix list for which I want to create the policy.
Let’s go here and let’s go to the configuration and policy. Once you are inside the configuration and policy here you can see that you have centralized policy. You can go and click add policy in that. I can go here and add the prefix list. So let’s add it. This name is say for example, branch one and this network is this is just the name I’m giving. So for example, this is the name but you should go and give the prefix. Now here it has probably you can see dot and other things which is it will not understand. So net traffic. Alright, let’s quickly give the data prefix list 24 this for branch one and then I’ll go and create for branch two as well. So let’s add branch two nat and what’s that say ten 410 00:24. Now, since we are creating this particular network, we should know that what will be my overlay and we know that the order of operation means once you create the policy, the system will learn that policy or system will act on the policy from top to bottom. So rule one, then rule two, then rule three or rule ABC like that. So I should have something called overlay network as well. So what I will do here, that for overlay network. Let’s quickly go and check so we can see that we have the overlay network. Say we have ten network for VPN or VRF 1020 and 40 we are going to use later on.
But here you can see that you have 100 dot network on that we are going to form the tunnel. If I go to branch one we have 164, 164 and here also I can go and check 164. So now next. What I can do that. I can create one more data prefix list. Let’s go and create one more. That is for overlay and that network is nothing but one hundred and sixty four zero zero. So we have the data prefix list one. You can see that you have the data prefix list created for branch two, for branch one, for overlay. Likewise we’ll go and we should have branch one and branch two.
Actually we have all branches. So I’m going to use this particular site list. Then for VPN, we have VPN ten, VPN 20, et cetera. So we have the VPN, we have the prefix list, we have the site. Let’s go next. This is related to control policy. So we can move on. We’ll go next. Now, the data traffic here you can see we want to create the new policy. Yes. And this is for say for example, Nat for branch one and branch two. Say Nat rule four, branch one and branch two. Little bit slow for branch one and branch two. Here you can see that they are not able to understand these characters.
Now it’s okay. Go click the sequence type. This is not belonging to application firewall, QoS service chaining traffic engineering. But we’ll go to the custom rule. Once you are inside the custom rule, click sequence rule and then we have the terms of options. So application family, DNS packet length, protocol, source, destination, et cetera, et cetera. So in this case, what we want, what my policy is that we want to match the destination for overlay and source for my net traffic. That’s the rule. Actually we are going to create.
So what we can do first of all, I want to match the overlay traffic. So for that I will go and add the prefix list. That is nothing. But just now we have created is the overlay. Now for this guy, this particular overlay, what is the action? You know that action is simply accept because this will form the IP save tunnel. Great. Click here, save and match condition. Then go and add one more. This time what we want to do this time I want to match the source.
So we have the source data prefix and we have two options. We have actually one CS type of device, one V edge type of device. So anything I can take? So for example, let’s take branch one that is nothing but C edge devices. Then we’ll go to the action accept and what you want. Remember, we want to do Nat VPN. And here you can see this. Nat VPN is zero. You have any fallback at the moment? I’m not giving any fallback at this point of time. All right. So save this. Now here you can see the policy clearly. Now the third rule or third line that we want to add here is so let’s quickly go and add. This is also related to source. So we’ll go here and add the source data prefix.
This belongs to branch number two. Now this guy is related to V edge so go ahead accept we’re going to accept the net so let’s quickly go and accept that. All right so where is our net VPN zero fallback and that’s it. So this I am choosing the fallback option and the fallback is your local T lock. What’s your local T lock? We have the local T lock internet and if you have local T lock list encapsulation you can go and use the restrict but we are not using that so we can safely save this condition as well. So now I have three rules. Finally we should go to the default action. By default it will be dropped. So we’ll go and click Accept save the match condition. Now we can go and save the policy. We can go next where we want to apply this policy. So we should go here and give the net say rule for branches and you should give the proper name and the description as per the requirement since this is the data policy and we should apply this. So here you can see we should choose the VPN and the site they select the list we know we are going to apply to all the branches select the VPN.
This VPN is nothing but VPN ten add it. Now we have option to click preview and we can see that. So first of all, we have this overlay as per our previous recording, we can go and check. Match the destination of overlay accepted. Then match the branch one that is the CSR type of devices. Action accept net use. VPN zero. Then the sequence number 21 match the source. And what we are going to do here is that action use Nat fallback. And then it’s up to us that we are going to use the fall back or not. And then we set the local T lock as the internet. Then you have the list and then finally you have the apply policy. So this is the way that we can go and create the policy.
Once you go and create the policy you should go and activate it. If you activate this policy then it will go and apply to the Vsmarts and if you go back to the Vsmart and if you go and check show and policy you can see there’s a data policy applied to the devices. Okay and if you go to the branch one you can go and check show IPsec inbound connection. There is no problem with the inbound and outbound connection because anyways the overlay tunnel we are allowing here and that’s why we have given the overlay as well.
So this is the way that we can create the policy and then we can push we can create the policy at the level of we manage push to Vsmart from that Vsmart with help of OMP it will go and push to the edge devices. Now, here, if you want to see the policy, you can go and check. Say, for example, show policy from Bsmart. Because what is happening here is this is the data policy and we know the difference between the control policy and data policy. Data policy should be downloaded via all the sites where we are applying the policy. This is the way we can go and check as well. All right, so let’s stop here.
I’m going to show you that how you can copy the policy and little bit of basic verification command. So if you want to copy the policy, you should go to policy. And once we have the policy created then what? We can do that here. You can see that you can go to the policy and on top you can see that we have custom option click to the traffic policy. We know all these things and then instead of creating new policy we can import existing so that’s the whole goal here import the policy. If you want to do some edit, do not edit the already activated policy. Copy the policy and then edit. So what I try to tell here. Say once you are here and this policy is activated means true. If you want to do any change, first of all create a copy. So for example nat rule and like that you can give any name, but we should give the change ticket number and the description that what date, what change ticket, what is the description related to, what is the justification, et cetera.
We can go and give no problem. So once you have this rule created that’s a copy this is false means this is not activated then you can go here and edit this whatever it is you want to do, you can edit it there is no problem you can go and do all type of edit now on top you can see so let me quickly show you this thing so if you see on the top this is policy application Topology remember, policy means apply policy topology means your control policy. Traffic roofs means your data policy. So these three options we have on the top we haven’t created any control policy, so we can leave it.
But if you go here to the traffic rules, we have App Route, we have Sea float, et cetera. We can go to Add Policy, and then here we can go and detach a view or copy. Now, still, if you want to do any type of change in this policy from where you will do. See, on top you have the custom option. Go click to the custom option and then you have the traffic policy. Remember traffic policy, that means your data policy. Topology means control policy. Any change. If you want to do the control policy, you should go here. Any change inside the data policy, go and click there. And now you can see that you have your data policy here. Now you can go here. Click edit. And you can do all sorts of edit, correct? So that’s one way that you can copy. I have shown you the full path that you can go and copy from here. Then you can edit this rule.
And then you can attach this at the moment you attach the other rule the first one will become false, zero and one bulletin is there still you want to create new policy. So there is other way as well. Go and create to the centralized policy and then you can go here to the traffic policy and then you have this option called import existing now you can go and import any of the existing policy so here you can see that I have this policy that’s obviously the data policy this I can import okay? And then we can go next and we can rename the policy, then we can apply so, edit, import, rename, sequence all sorts of options are there for us.
Now let’s quickly go and verify whatever policy that we have. Created. We should go and verify. We have two different type of operating system. We have iOS XE. There you’ll find the verification will be different. So here you have to go and type show SDWAN and can go and check the Nat option. So here you can see that show is Divan and then you can see you have Nat and then forward and then IP net translations like that you can go and get the result this list is big and then if you go here and you can check the verbose as well this will show you in detail. So when you have created the rule it’s very detailed actually create time last updated it is showing us so when we have created the rule and when that rule has been updated it is showing us in detail correct? All right.
The other option that Cisco has always show IP net translations. You can go and see the net table here and again you can see that we have multiple options. So we have total. Normally this is related to iOS Xi. So I’ll leave it. But we have options. Now the next thing that suppose if you want to see the configuration, the Cisco term we can go and use the filter showrun pipe section, IP net. All Nat related configurations are coming correct. But if we are very much specific to the SDWAN configuration so we should do config transaction.
Now we are loop back inside the SDWAN mode and here you have to type like that, show full configuration and SDWAN and then the Nat. So here you can get the Nat portion of the configuration. Let me quickly check if I have this Nat option IP and you can see this full configuration related to SDWAN and we should have SDWAN and then I should go ahead and check show full configuration and Nat yup so instead of SDWAN Nat you should go and check like this. This is the configuration that we have done one of the configuration is related to guest VPN that we’ll see but you can verify from these places now in the V edge command issue IP net filter and then you can get this result. If you want to go and check inside the table form you can go and verify like this. All right so stop here.
Now we are ready to learn about the guest, how they are going to use the internet. It’s actually very straightforward and easy. In St van say for example, guest VPN is VPN two. In our case that is VPN 440. And simply we have to go inside the template and inside the service side VPN two or VPN 40 in our case. And we have to point out the default route towards the VPN zero. So how you can do that? Suppose if you have existing template, you can copy and edit it. In our case I will show you. That how we are going to do. But we are inside the service side VPN template. And here you can see that default route pointing towards gateway VPN and enable VPN on.
So those things we are going to do. Now suppose if that guest user is connected with Health Resource where I’m running the OSP protocol or any dynamic protocol. So in that case we should go and redistribute that Nat route inside the dynamic protocol. So how you can do that, you can simply go to that particular protocol template where you have the distribute option inside that you should use the protocol as an ad for redistribution and that’s it. And that will work. Okay. So let me quickly log into the lab section and I’m going to show you all these two options. We are here in the lab. You should go to the feature. And so for example, we know that our VPN is VPN 40. That is belonging to branch number two. So here we have here you can see that VPN 40 template.
This template, first of all, let me copy this. I will make this as a four Nat. So VPN 40 template we are going to use for Natting purpose. Here it is. And now we’ll go and edit. So if you go and edit you should go inside IPV four route. Once you are inside the IPV four route, you should go and add. So here you can see that I have this edit option even I can add also. But if I go here and add here you can see that it’s already VPN gateway and Nat is enabled. So here you can see that enable VPN is on and the gateway is VPN. This is the same setting actually we want to do that is already here related to VPN 40. Let’s click update, save this. And now this particular template I want to use inside the device feature template. So we’ll go here to branch type two. Let’s see that which particular template this is using inside the VPN 45, VPN 40. And here let’s scroll a little bit down. So here we can see that it is using branch two VPN 40 template. And if I scroll down branch two here you can see that we have VPN 40 template for Nat that actually I want to use.
So I can go and use this and then I can click update. But we should verify that also that what was branched to VPN 40 template as well. Anyways, let’s update that. Once we update that, let’s click next because this is going to push configuration and we should go and if you want to see that what portion of difference we have in the configuration, we can go and check the side by side difference. And if I scroll down, it will show you that that particular portion or change you have. So inside VPN 40 initially actually there are certain statements say OMP and advertise OMP and connected static as well that we are not giving at this point of time, but rest is fine.
So we can go and click configure devices. Meanwhile, it is pushing the configuration. What we can do here is that I’m going to show you this option related to OSPF net distribution. So if I go here, I have one OSPF feature template as well and I can go here and we can see that branch VPN Ten OSPF actually I want and we have certain places where I can see the no OSPF and OSPF as well. So Ospfbc filtering just to show you, let me quickly copy this so I can do the edit inside the copy. I don’t want to play around with the template that is already attached. So we are here inside the OSPF basically with filtering Nat, I want to do let’s click edit.
Once you are inside the OSPF, if you go to redistribute inside redistribute, if you go and add new redistribute protocol, we have Nat and we can add and then we can update. So like that you can create or change the small feature template. That feature template can be called inside the main template. So now if I am here inside the GCB edges, I can go and edit because here we are using the OSPF and then I can go and use the net. So in this case, all the DC One devices, they will add one extra line of configuration inside the OSPF redistribution. Okay? All right, so we have done the configuration for Branch too. And if you want to see that, you can go and check you want to see this Nat and filter, it was there already initially as well. And we can go and check the net flow like that. So this is the way that we can create it edit, it applies.
Popular posts
Recent Posts