iNET ZERO – JNCIE-ENT Lab preparation workbook v1.0

For Juniper Networks ® - JNCIE-ENT Lab exam

http://www.inetzero.com - Copyright 2012 iNET ZERO. All rights reserved


Copyright information

This workbook, iNET ZERO's JNCIE-ENT Lab Preparation Workbook, was developed by iNET ZERO.

All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of iNET ZERO.

This product cannot be used by or transferred to any other person. You are not allowed to rent, lease, loan or sell iNET ZERO training products including this workbook.

You are not allowed to modify, copy, upload, email or distribute this workbook in any way. This product may only be used and printed for your own personal use and may not be used in any commercial way.

Juniper (c), Juniper Networks (c), JNCIE, JNCIP, JNCIS, JNCIA, Juniper Networks Certified Internet Expert, are registered trademarks of Juniper Networks, Inc.


About iNET ZERO’s content developers and authors:

Maxim Frolov

Maxim lives in Russia and speaks Russian and English. He started his networking career in 1999. Throughout the years Maxim has designed and implemented several large-scale networks for enterprise and service provider customers. Over the years he has developed several high-quality courseware materials for industry-leading networking vendors. Maxim has the following certifications: JNCIE, JNCIP-ENT, JNCIS-SEC, Nortel NNCSS and is a certified Juniper Networks Instructor. In technology Max values efficiency and pragmatic design. When Max is not at work he likes to spend time with his family. Max enjoys being outside in nature and loves to travel and explore the world.

Jörg Buesink

Jörg lives in the Netherlands near Amsterdam and brings more than 10 years of experience in the IT and networking industry. He has worked for several large ISPs / service providers in the role of technical consultant, designer and network architect. He has extensive experience in network implementation, design and architecture and has taught several networking classes. Jörg is triple JNCIE certified (JNCIE-ENT#21, JNCIE-SP#284 and JNCIE-SEC#30) as well as triple CCIE#10532 (Routing/Switching, Service Provider and Security) and Cisco CCDE#20110002 certified.

Alan Gravett

Originally from South Africa, Alan spent a long time away from his country of birth, travelling extensively and learning about different peoples and cultures. Alan’s experience in the IT industry started more than 30 years ago, but he had a necessary break for a few years in between. He was also the first South African to be employed by Juniper Networks, which, after working at UUNET, the biggest ISP on the planet at the time, provided the opportunity to really see and understand how the biggest networks on the planet are designed. As an early starter at Juniper, he has had the opportunity to become both JNCIE-SP #24 as well as JNCIE-ENT #9. During his career at Juniper Networks Alan has had the pleasure of sharing much of this knowledge with hundreds of students and also of verifying their understanding as the primary EMEA-based Certification proctor for the JUNOS Professional and Expert Lab exams. Alan’s first language is English, but he is also fluent in Dutch.


Alexey Kolmov

Alexei lives in Moscow and speaks Russian and English. He started his career in the telecommunications area in 1995 as a technician in a S.W.I.F.T. Access Point. Since that time he has gained experience as a field, technical support and systems engineer, project manager, technical writer and instructor. He has taken part in many projects for corporate clients and service providers, participated in the creation of networks based on X.25, Frame Relay, ATM, PDH/SDH, TCP/IP and VoIP technologies, and learned and implemented solutions from Motorola, Nortel Networks, Tellabs and Acme Packet.

Since 2006 Alexei has been working with Juniper Networks technologies and products, focusing primarily on security solutions. Alexei becomes energized and determined to stimulate people to move, grow and develop to higher levels of personal effectiveness. Alexei is a certified Juniper Networks Instructor and holds the following certifications: JNCIP-M/T, JNCIP-SEC, JNCIS-FW, JNCIS-SSL, JNCIA-EX, JNCI and Acme Packet Certified Instructor.

Richard Pracko

Richard Pracko comes from the heart of Europe, from the small but beautiful country of Slovakia. Right after finishing his studies at the university with telecommunications as a major, he joined the Siemens Networking department, and focused on the integration of Juniper Networks and Siemens products. There, he gathered a lot of experience and skills in the networking area by taking an active part in numerous projects all over the world. It was during that time that his teaching career started. At the beginning of 2009, he left Siemens on his own initiative, and became a full-time instructor and technical consultant over a vast geographic area (EMEA and more).

Richard is an energetic young man, with interests ranging across numerous sport disciplines like tennis, soccer, skiing and others. Richard speaks English, German, Czech and Slovak. Richard is a certified Juniper Networks Instructor and holds the following certifications: JNCIS-FWV, JNCIP-SEC, JNCIS-ENT, JNCIA-EX, JNCI.


Rack rental service

Did you know that this workbook can be used in combination with our premium JNCIE rack rental service? Take a look at our website for more information: www.inetzero.com


Table of Contents

Chapter One: General System Features

Task 1: Initial System Configuration
Task 2: User Authentication and Authorization
Task 3: Syslog Configuration
Task 4: SNMP Configuration
Task 5: Firewall Filters

Chapter Two: L2 Switching

Task 1: L2 Switching Network Deployment
Task 2: Virtual Chassis
Task 3: VLAN Configuration
Task 4: MSTP Configuration
Task 5: VRRP Configuration
Task 6: L2 Switching Security Features

Chapter Three: IGP Routing

Task 1: IPv4 Network Deployment
Task 2: OSPF Configuration
Task 3: RIP Configuration and Redistribution Policies
Task 4: Protocol-independent Routing and Routing Policies
Task 5: IPv6 Network Deployment
Task 6: IPv6 IGP Routing

Chapter Four: BGP Routing

Task 1: Base Network Deployment
Task 2: BGP Configuration
Task 3: IPv4 BGP Routing Policies
Task 4: IPv6 BGP Routing Policies

Chapter Five: Multicast Routing

Task 1: Base Network Deployment
Task 2: Multicast Configuration
Task 3: Multicast Verification

Chapter Six: Class of Service

Task 1: Base Network Deployment
Task 2: SRX Forwarding Classes, Queues, and Schedulers
Task 3: EX Forwarding Classes, Queues, and Schedulers
Task 4: Network Edge CoS Configuration
Task 5: Network Core CoS Configuration
Task 6: CoS Verification

Chapter Seven: A Full Day Lab Challenge

Task 1: Initial System Configuration
Task 2: Building the Network
Task 3: L2 Switching Configuration
Task 4: IGP Configuration
Task 5: BGP Configuration


Task 6: Multicast Configuration
Task 7: Class of Service Configuration

Appendix - Chapter One: General System Features

Solution - Task 1: Initial System Configuration
Solution - Task 2: User Authentication and Authorization
Solution - Task 3: Syslog Configuration
Solution - Task 4: SNMP Configuration
Solution - Task 5: Firewall Filters

Appendix - Chapter Two: L2 Switching

Solution - Task 1: L2 Switching Network Deployment
Solution - Task 2: Virtual Chassis
Solution - Task 3: VLAN Configuration
Solution - Task 4: MSTP Configuration
Solution - Task 5: VRRP Configuration
Solution - Task 6: L2 Switching Security Features

Appendix - Chapter Three: IGP Routing

Solution - Task 1: IPv4 Network Deployment
Solution - Task 2: OSPF Configuration
Solution - Task 3: RIP Configuration and Redistribution Policies
Solution - Task 4: Protocol-independent Routing and Routing Policies
Solution - Task 5: IPv6 Network Deployment
Solution - Task 6: IPv6 IGP Routing

Appendix - Chapter Four: BGP Routing

Solution - Task 1: Base Network Deployment
Solution - Task 2: BGP Configuration
Solution - Task 3: IPv4 BGP Routing Policies
Solution - Task 4: IPv6 BGP Routing Policies

Appendix - Chapter Five: Multicast Routing

Solution - Task 1: Base Network Deployment
Solution - Task 2: Multicast Configuration
Solution - Task 3: Multicast Verification

Appendix - Chapter Six: Class of Service

Solution - Task 1: Base Network Deployment
Solution - Task 2: SRX Forwarding Classes, Queues, and Schedulers
Solution - Task 3: EX Forwarding Classes, Queues, and Schedulers
Solution - Task 4: Network Edge CoS Configuration
Solution - Task 5: Network Core CoS Configuration
Solution - Task 6: CoS Verification

Appendix - Chapter Seven: A Full Day Lab Challenge

The D1 configuration listing.
The D2 configuration listing.
The D3 configuration listing.
The D4 configuration listing.


The D5 configuration listing.
The D6 configuration listing.
The D7 configuration listing.
The D8 configuration listing.


Chapter One: General System Features

TIP: Throughout the workbook, we recommend that you read the entire chapter before starting the first task.

This chapter will focus on initial system configuration and general system features. You will configure various features, such as host name, root password, management network access, management user authentication and authorization, NTP, SNMP, Syslog and RE protection Firewall Filters. You will be operating 8 devices, D1 through D8, referred to as your devices. The topology for Chapter One is shown in Figure 1.

Figure 1

Task 1: Initial System Configuration

In this part you will configure your devices’ host names, root passwords, the OoB management interfaces including definition of specific services allowed to access the devices, static routing and DNS.

1) Download the latest initial configurations from our website http://www.inetzero.com in the download section and load them on your devices. Use root password root123 in every device.

2) Using user name lab and password lab123 log in to the VR-device and load override the Chapter 1 baseline configuration.

NOTE: Throughout all chapter tasks, you are not allowed to change any of the VR-device settings except those that are loaded in the baseline file.

3) Configure host names in the devices according to Table 1.


Table 1

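| Device | Device Type | Host Name |
|--------|-------------|-----------|
| D1     | SRX 240     | Mercury   |
| D2     | SRX 240     | Venus     |
| D3     | SRX 240     | Earth     |
| D4     | SRX 240     | Mars      |
| D5     | EX 4200     | Jupiter   |
| D6     | EX 4200     | Saturn    |
| D7     | EX 4200     | Uranus    |
| D8     | EX 4200     | Neptune   |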

4) Configure the OoB management interfaces in each device with the appropriate IP addresses. The devices and their respective IP addresses are listed in Table 2.

Table 2

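| Device | OoB Interface Name | OoB Interface IP Address |
|--------|--------------------|--------------------------|
| D1     | ge-0/0/0           | 10.10.1.1/24             |
| D2     | ge-0/0/0           | 10.10.1.2/24             |
| D3     | ge-0/0/0           | 10.10.1.3/24             |
| D4     | ge-0/0/0           | 10.10.1.4/24             |
| D5     | me0                | 10.10.1.11/24            |
| D6     | me0                | 10.10.1.12/24            |
| D7     | me0                | 10.10.1.13/24            |
| D8     | me0                | 10.10.1.14/24            |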

5) Enable each device to accept management connections for the SSH, Telnet, HTTP, and HTTPS services. Make the system use an automatically generated X.509 certificate for HTTPS. Make sure all devices accept HTTP and HTTPS management access only on the OoB management ports.

6) Configure a static route to the management network 10.10.10/24 with the next-hop 10.10.1.254. Make sure the network is never redistributed to any dynamic routing protocol. Ensure the device is reachable while RPD is not running.

7) Configure the S1 server as the DNS server.

8) Set the time zone to Europe/Amsterdam on all your devices.

9) Ensure that all your devices synchronize their time with the NTP server S1. Configure the devices to synchronize time with the S1 at boot time. Ensure that all the NTP exchanges are authenticated using MD5 with password workbook.

NOTE: The lab uses a dedicated VR-device to emulate external systems interacting with your domain. The device is reachable at IP address 10.10.1.9.

NOTE: Server S1 is the dedicated FTP/SNMP/Syslog/RADIUS/DNS proxy server. The server is reachable at IP address 10.10.10.1.


...

...

DEMO

...

...

Task 2: User Authentication and Authorization

In this part you will configure new users allowed to access the devices and define their privileges and permissions.

1) Configure the authentication method so that it first tries to authenticate users on the RADIUS server and then, if not successful, with the local password. Use S2 as the RADIUS server. Configure the RADIUS server with retry attempts 1 and timeout 2 seconds. Use workbook as the RADIUS shared secret.

2) Create on every device a new user lab, with the password lab123, that will have super user privileges.

3) Configure additional users on all the devices as defined in Table 3. Note that the word “any” in Table 3 is used literally, i.e. a user can have any user name.

TIP: From this point on we recommend that you operate the routers using the lab user account.

Table 3

| Username | Password | Privileges |
|----------|----------|------------|
| Any      | -        | Permissions “view” and “view-configuration”. Authenticated on the RADIUS server S2 |
| Support  | noc123   | Permissions “all”. Additionally cannot execute any of the “clear”, “configure”, “edit” or “start shell” commands |

...
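One way to meet the Task 2 requirements that are visible above, written as set-style Junos commands. This is an added example, not the workbook's own solution; the S2 address 192.0.2.2, the class names view-only and noc, and the use of the remote template account for users that exist only on RADIUS are assumptions.

```junos
# Try RADIUS first, then fall back to the local password database.
set system authentication-order [ radius password ]

# S2 is the RADIUS server. Its address is not given on the page;
# 192.0.2.2 is a placeholder to be replaced with the real S2 address.
set system radius-server 192.0.2.2 secret workbook
set system radius-server 192.0.2.2 retry 1
set system radius-server 192.0.2.2 timeout 2

# Login classes (names are assumptions chosen for this example).
set system login class view-only permissions [ view view-configuration ]
set system login class noc permissions all
# Least privilege for the NOC account: "all" minus the listed commands.
set system login class noc deny-commands "(clear)|(configure)|(edit)|(start shell)"

# Row "Any": a user known only to RADIUS has no local account, so Junos
# maps the session to the "remote" template user and applies its class.
set system login user remote class view-only

# Local users. plain-text-password prompts interactively; enter lab123 for
# lab and noc123 for Support. Only the hash is stored in the configuration.
set system login user lab class super-user
set system login user lab authentication plain-text-password
set system login user Support class noc
set system login user Support authentication plain-text-password
```

After commit, `show configuration system login` should list the two classes and three users, and a login as Support should be refused the denied commands.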

...

DEMO

...

...


Task 3: Syslog Configuration

Ensure that all the devices have the following Syslog configuration:

5) All “emergency” messages regardless of facility are displayed on terminals of all currently logged users.

6) All messages regardless of facility with the severity level of “info” and higher are sent to the default syslog file.

7) A file named “interactive-commands” for command audit tracking receives records about the users and commands they execute.

8) A separate file named “authorization-file” is used for authorization messages with the severity “info” and higher.

9) All messages with severity level “warning” and higher regardless of facility are sent to the S1 syslog server. Additionally use explicit priority tag and prefix message “JNCIE-ENT”.

The archive size is set to 3 files with 100K size each.
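The requirements above map almost one-to-one onto the `system syslog` hierarchy. The following set-style commands are an added example, not the workbook's own solution; they assume that the "default syslog file" is `messages` and use the S1 address 10.10.10.1 given in the Task 1 note.

```junos
# Archive policy for local log files: keep 3 files of 100K each.
set system syslog archive size 100k files 3

# Emergency messages from any facility go to the terminals of all
# currently logged-in users ("*" means every user).
set system syslog user * any emergency

# Severity info and higher, any facility, to the default file
# (assumed here to be "messages").
set system syslog file messages any info

# Command audit trail: who ran which command.
set system syslog file interactive-commands interactive-commands any

# Authorization messages at info and higher in their own file.
set system syslog file authorization-file authorization info

# Remote logging to S1: warning and higher from any facility, with the
# facility/severity written into each message and a fixed prefix so the
# collector can identify the source lab.
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 explicit-priority
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
```

`show log interactive-commands` after running a few commands is a quick check that the audit file is being written.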

...

...

DEMO

...

...


Chapter Two: L2 Switching

This chapter focuses on L2 switching applications. In these tasks you will be configuring and monitoring L2 features such as Aggregated Ethernet links, VLANs and PVLANs, VLAN routing interface, VRRP, Virtual Chassis, LLDP, Voice VLAN as well as the security features 802.1X, MAC RADIUS, Storm control and MAC address limiting. The summarized view of the L2 network that you are going to build is shown in Figure 2.

Figure 2

...

...

DEMO

...

...


Task 2: Virtual Chassis

1) Set D7 and D8 to have them merged into a Virtual Chassis. Ensure that both backplane VCP ports are used to connect the VC members. Ensure that D7 becomes a master RE with member ID 0 and holds the mastership when it is operational.

NOTE: The VCP ports are already physically connected.

2) Restore the VC non-master member interfaces configuration appropriately.

3) Configure the vme.0 VC management interface with the IP address set to the master RE OoB management interface IP address.

...

...

DEMO

...

...

Task 4: MSTP Configuration

In this task you will configure the MSTP protocol to provide traffic load balancing across multiple VLANs.

1) Configure a single MSTP region with two MSTP instances: Instance 1 and Instance 2. Instance 1 must be bound to VLAN A, Instance 2 must be bound to VLANs B and C. Ensure that the Instance 1 Spanning tree is rooted at D5 and the Instance 2 Spanning tree is rooted at D6. Ensure that CIST root is at D1.

...

...

DEMO

...

...


Chapter Four: BGP Routing

This chapter focuses on BGP routing. You will configure a multi-AS BGP network for both IPv4 and IPv6, set up policy-based traffic engineering and route redistribution, and configure Aggregate routes and BGP over GRE tunnels. The summarized view of the BGP network that you are going to build is shown in Figure 6.

Figure 3

...

...

DEMO

...

...

Task 3: IPv4 BGP Routing Policies

In this task you are configuring BGP routing policies to control traffic flows among your Autonomous Systems and the Internet.

NOTE: You are not allowed to use static routes in this task.

1) Configure D7 and D8 to advertise RIP routes to iBGP peers. Configure D7 and D8 to advertise the BGP default route to RIP. Make sure that D7 and D8 use optimal routing to the Internet destinations.

2) Configure D3 and D4 to advertise the tightest possible summary route representing all your Autonomous Systems' internal prefixes, including the RIP prefixes, to the Internet. No other prefixes are allowed to be advertised at D3 to the Internet.


...

...

DEMO

...

...


Chapter Five: Multicast Routing

In this chapter you will be configuring and monitoring Multicast network applications such as: PIM sparse mode multicast distribution for both ASM and SSM models, IGMPv2 and IGMPv3, PIM Bootstrap protocol, MSDP protocol and Anycast RP, and Multicast Scoping. The summarized view of the Multicast-enabled network that you are going to build is shown in Figure 8.

Figure 4

...

...

DEMO

...

...