Tag Archives: juniper

Juniper launches Design Certification Track

This tweet from @JuniperCertify caught my attention:

Later that day, I got an e-mail from Juniper with the same announcement. Juniper has launched its Design Certification Track inside the Juniper Networks Certification Program (JNCP) and the Juniper Networks Certified Design Associate (JNCDA) is the first available certification.

The new Design Certification Track

A picture says more than a thousand words (I found this one in the blog post “Juniper Networks New Network Design Curriculum and Certifications” on the Juniper “My Certification Journey” blog):

[Image: juniper-plan-build-operate]

The track addresses the “Plan” phase of the network life cycle, and many talented folks from Juniper contributed to it. The certification is not aimed primarily at network architects, pre-sales consultants and the other people already involved in planning; it is aimed more at network professionals and designers with beginner-level design knowledge.

Currently there is only an associate-level certification, but it will be the prerequisite for the specialist-level certifications of the Design Track, which are currently in development.

First stop: Associate certification

The Juniper Networks Certified Design Associate (JNCDA) certification is the first available certification; as in the other tracks, Juniper starts with an associate-level certification. At a high level, the written exam covers the following objectives:

  • Customer Design Requirements
  • Customer Organizational Structure
  • Physical Design Considerations
  • Logical Design Considerations
  • Industry Alternatives

A more detailed objective list can be found on the Training & Certification website. You can schedule the exam (JN0-1100) at any Pearson VUE test center. You have 90 minutes to answer 65 multiple-choice questions. Unfortunately, Juniper doesn’t release any information about the required passing score. The exam fee is US$ 100.

To prepare for the exam, you can book the three-day Juniper Networks Design Fundamentals (JNDF) course, which covers all necessary topics. If you think you’re experienced enough, try the practice test. For the moment, there is no self-study material available.

Juniper publishes vMX

This tweet from @JuniperNetworks really inspired me yesterday. I have liked Juniper’s Firefly Perimeter (vSRX) from day one; I like the idea behind the product (yes, I like everything that can run as a VM…). But yesterday Juniper went one better.

Juniper Networks announced yesterday a virtualized, carrier-grade version of its MX Series 3D router. The Juniper Networks vMX is a virtual MX Series 3D Universal Edge Router optimized to run on x86 hardware. vMX runs on all major hypervisors, including VMware ESXi and KVM, and it was also mentioned that vMX can run in Docker containers or on bare metal.

The development of vMX was eased by Juniper’s acquisition of Contrail. Juniper’s physical MX Series routers are powered by the Trio chipset, and Juniper has virtualized it for vMX (now called vTrio) and optimized it for x86 hardware. Depending on the physical resources, a vMX can achieve a throughput of up to 160 Gbps. vMX uses vTrio and Junos OS and supports the same feature set, so it feels and behaves like a physical MX Series router. Customers can therefore reuse their MX know-how to run vMX in their environment; whether a customer uses a physical or a virtual MX router becomes only a question of performance. Multiple vMX instances can be managed with Junos Space, the Contrail SDN controller and the OpenStack cloud manager. Customers will be able to buy vMX from the beginning of Q1/2015 under a flexible license model (pay-as-you-grow, perpetual or subscription). Juniper did not reveal pricing details.

This short video was published by Juniper Networks and it’s available on YouTube.

Exam experience JNCIA-Junos

The Juniper Networks Certification Program (JNCP) consists of different tracks, which enable you to demonstrate your skills with Juniper products and technologies in the areas most pertinent to your job function and experience. There are three main areas:

  • Junos
  • Support
  • Product and Technology

The Junos area consists of three tracks:

  • Service Provider Routing and Switching
  • Enterprise Routing and Switching
  • Junos Security

The “Service Provider Routing and Switching” track focuses on service provider and telecommunications networks (M- and MX-Series, routing with OSPF, BGP, MPLS etc.), the “Enterprise Routing and Switching” track on enterprise routing and switching in LAN and WAN (EX-Series, MX-Series, Spanning Tree, VLANs, routing etc.), and the “Junos Security” track on the Juniper security products (SRX-Series, routing, firewall, VPN etc.). All three tracks have the Juniper Networks Certified Associate – Junos (JNCIA-Junos) as a prerequisite. This is an entry-level certification and it covers the following objectives:

  • Networking Fundamentals
  • Junos OS Fundamentals
  • User Interfaces
  • Junos Configuration Basics
  • Operational Monitoring and Maintenance
  • Routing Fundamentals
  • Routing Policy and Firewall Filters

The certification is comparable to the Cisco CCNA (Routing & Switching, Security) or HP ATP (FlexNetwork or TippingPoint Security). It is achieved by passing the JN0-102 exam, which can be booked at Pearson VUE and is delivered as a proctored exam. The exam costs ~100 € (depending on taxes). A Fast Track program is available for several certifications, including the JNCIA-Junos: if you pass a pre-assessment exam, you get a 50% discount voucher for Pearson VUE. I strongly recommend taking the pre-assessment exam and saving 50% of the cost. The voucher can only be used once, so if you fail the first attempt, you pay the full price for the second. It’s also strongly recommended to get a CertManager ID before you schedule the exam; otherwise you can’t get your eCertificate. You can get a CertManager ID later and connect it with your Juniper accounts. You can get a CertManager ID here.

To pass the exam you have to answer 70 multiple-choice questions in 90 minutes. I can’t tell you the passing score, because Juniper doesn’t publish it officially, but it is comparable to other entry-level exams I passed in the last years. Nothing special. You get the result (pass or fail) immediately after the exam. But, and this was new to me, you only get a provisional score report! Juniper states on its homepage:

Juniper Networks then performs industry standard statistical analyses on all exam results to ensure compliance with the Juniper Networks Candidate Agreement and JNCP exam security policies.

It seems that Juniper wants to prevent people from passing who have used braindumps or flipped a coin on each question. You get the final score report within three business days. I passed the exam on Friday (based on the provisional score report) and today the exam is listed as “passed” in my CertManager account.

Exam preparation

You can prepare for the exam in many ways. Juniper offers three different trainings that cover some of the exam objectives:

You don’t have to take a classroom or virtual training; you can prepare on your own. Juniper offers excellent free documentation, the Fast Track Self-study Guides and several Day One Guides (e.g. Day One: Exploring the Junos CLI). If you like CBT, try the course on Pluralsight: Juniper JNCIA-Junos – Introduction to Junos OS (thanks to Chris Frisch for developing the course!). Hands-on experience is strongly recommended! You can get a cheap SRX100 or SRX110 on eBay, or try Juniper Firefly Perimeter, a virtual SRX, which you can use for 30 days without a license. Don’t make the mistake of buying a Juniper 5GT or SSG series device! They run ScreenOS, not Junos! If you think you are well prepared, try the practice test offered by Juniper. If you pass the practice test, schedule your exam at Pearson VUE.

The exam

I passed the Fast Track pre-assessment exam some weeks ago and scheduled an appointment for last Friday (24 October). I didn’t have much time to prepare. I used the Fast Track Self-study Guides (two PDFs with ~160 pages) and a Juniper Firefly Perimeter. Since I’m quite familiar with the SSG and SRX, I know how firewall policies, routing and routing protocols work. As mentioned above, the exam consists of 70 questions that have to be answered in 90 minutes; there is no bonus time for non-native speakers. Some questions can be answered really quickly, but others, especially questions with an exhibit, need more time. As far as I’ve seen, all exam objectives were covered. I can’t reveal any details, but reading the study guides is not enough to pass the exam! You should be comfortable converting decimal to binary and with IPv6. You should also be familiar with IP routing, subnetting, longest-prefix match etc. Know the Junos CLI and the syntax of the important commands, and know how the Junos routing engine and packet forwarding engine work together. Don’t waste too much time on basic questions. And very important: READ CAREFULLY! Some questions are nasty if you haven’t read the question, the exhibit and the answers…

I finished the exam after roughly 60 minutes and passed it. I found the exam challenging compared to other entry-level exams.

What’s next? I think I will start preparing for JNCIS-SEC and maybe JNCIS-ENT. The latter is more of a hobby, because my employer does not sell Juniper EX. But in any case: it opens future options, and learning new things is always a good thing.

My lab network design

Inspired by Chris Wahl’s blog post “Building a New Network Design for the Lab“, I want to describe what my lab network design looks like.

The requirements

My lab is separated from my home network and focused on the needs of a lab. A detailed overview of my lab can be found here. Because it is a lab, I divided it into two parts: the infrastructure part, consisting of the devices needed to provide basic infrastructure and management, and the lab part, which is my playground.

While planning my lab, I focused on these requirements:

  • Reuse of existing equipment
  • Separation of traffic within the lab and to the outer world
  • Scalable, robust and predictable performance

The equipment

To meet my requirements, I had the following equipment available:

  • HP 1910-24G switch
  • HP 1910-8G switch
  • Juniper 5GT firewall

The design

The HP 1910 switch is an awesome product with a very good price/performance ratio, especially because it can do IP routing, which was important for my lab design. Each of my ESXi hosts has 4x 1 GbE interfaces plus one interface for iLO, so in total 20 ports are needed to connect my ESXi hosts to the network. The 1910-24G and 1910-8G are connected with a 1 GbE RJ45 SFP. The 1910-8G is used to connect the firewall and client devices, e.g. a thin client or a laptop. No other devices are connected to my lab. Because storage is delivered by an HP StoreVirtual VSA, no ports are needed for a NAS or similar.

To separate the traffic, I created a couple of VLANs. Unlike Chris, I’m still using VLAN 1 in my lab. In a customer environment I would avoid VLAN 1: it is the default VLAN on most switches and usually also the native VLAN on trunks, so any untagged or misconfigured port ends up in it.

VLAN ID  Name              Usage
1        Access (Default)  Client connectivity
2        Management        iLO, management VMkernel ports
3        Infra             VMs and devices for the lab infrastructure
4        Lab 1             Lab VLAN
5        Lab 2             Lab VLAN
6        Lab 3             Lab VLAN
7        Temp              Temporary connectivity
10       iSCSI 1           iSCSI
11       iSCSI 2           iSCSI
100      NFS               NFS
200      vMotion           vMotion VMkernel ports

VLAN 1 (Default) and VLAN 3 are carried to the 1910-8G; all VLANs are carried to the ESXi hosts via trunk ports on the 1910-24G. The Juniper 5GT is connected to the 1910-8G: its trusted interface goes to an access port in VLAN 3, its untrusted interface to the outside world.

The routing looks a bit complex at first glance. I configured a couple of switch virtual interfaces (SVIs) on the 1910-24G, one each for VLANs 1, 2, 3, 7, 10, 11 and 100. But how does traffic get in and out of my lab VLANs? I use a small firewall VM that lives in VLAN 3 (Infra) and has additional interfaces (vNICs) in VLANs 4, 5 and 6. Through this VM, traffic can enter and leave the lab VLANs, as long as a policy allows it.

I use /27 subnets for VLANs 1 to 7, two /28s for VLAN 100 (NFS) and VLAN 200 (vMotion), and two /24s for VLANs 10 and 11 (both iSCSI).

VLAN ID  Name              IP Subnet
1        Access (Default)  192.168.200.0/27
2        Management        192.168.200.32/27
3        Infra             192.168.200.64/27
4        Lab 1             192.168.200.96/27
5        Lab 2             192.168.200.128/27
6        Lab 3             192.168.200.160/27
7        Temp              192.168.200.192/27
10       iSCSI 1           192.168.110.0/24
11       iSCSI 2           192.168.111.0/24
100      NFS               192.168.200.224/28
200      vMotion           192.168.200.240/28

I don’t use a routing protocol inside my lab. It looks complex, but with this design I can easily separate the traffic of my three lab VLANs. The iSCSI VLANs have SVIs and are therefore routable, but I don’t route iSCSI traffic in normal operation; the same applies to NFS. This drawing gives you an overview of the routing.

[Image: vlans_and_routing]

To simplify address assignment, I use a central DHCP server in VLAN 3 with several scopes. The HP 1910-24G and my firewall VM act as DHCP relays and forward DHCP requests to it. For each VLAN only a small number of dynamic IPs is available; servers usually get a fixed IP.

VLAN ID  Name              DHCP Scope
1        Access (Default)  192.168.200.0/27
3        Infra             192.168.200.64/27
4        Lab 1             192.168.200.96/27
5        Lab 2             192.168.200.128/27
6        Lab 3             192.168.200.160/27
7        Temp              192.168.200.192/27

VLAN 10 carries iSCSI from the HP StoreVirtual VSA to my ESXi hosts. The second iSCSI VLAN (ID 11) can be used for tests, e.g. to simulate routed iSCSI traffic. VLANs 4, 5 and 6 are used for lab work. Until I add a rule on my firewall VM, no traffic can enter or leave VLANs 4, 5 and 6. When deploying a new VM, I first put it into VLAN 1 or 3. The VM is installed using MDT and PXE, and after applying all necessary updates (MDT uses WSUS during setup) I move it to VLAN 4, 5 or 6.

Final words

Sure, a lab network design could be simpler. The IP subnets can be a pitfall if you’re not familiar with subnetting, and the routing seems complex if you’re not an expert in IP routing. But until today, the network has done exactly what I expected.

Juniper SRX: Using CoS to manage bandwidth

Sometimes it’s necessary to limit specific traffic in terms of bandwidth. Today I’d like to show you how to manage bandwidth limits using CoS and firewall filters. Especially if you have only limited bandwidth, e.g. a DSL connection, it can be useful to manage the bandwidth used by specific hosts or protocols. I use a really simple setup to show how you can manage bandwidth with CoS on a Juniper SRX.

[Image: juniper-srx-testbed]

As you can see, it’s a very simple setup, and the initial config of my SRX is also quite simple: two interfaces, default-permit between the zones. Interface ge-0/0/1 is the untrusted, external interface; interface ge-0/0/0 connects to my trusted network and therefore belongs to the trust zone. Let’s assume that ge-0/0/1 is limited to 15 Mb/s, that 10 Mb/s of it should be available for traffic to ports 80 and 5001, and that all other traffic should be limited to 5 Mb/s.

Class of Service Config

First of all, we need to configure two new forwarding classes, each mapped to a queue of its own.

Now we add two schedulers. The first scheduler sets the transmit rate to 10 Mb/s, the second to 5 Mb/s. The keyword “exact” pins each queue to exactly its configured rate: the queue may not borrow unused bandwidth from other queues, so under load excess packets are buffered (and dropped once the buffer is full) rather than sent.

Before the schedulers can be applied to an interface, we have to create a scheduler-map that maps each forwarding class to a scheduler.

Now we can apply the scheduler-map to the untrusted interface. The keyword “shaping-rate” specifies the amount of bandwidth to be allocated to the logical interface.

Firewall Config

The next step is to create input and output filters. These filters assign traffic that matches specific criteria to a forwarding class and thus to a queue. The first filter handles the input traffic.

As you can see, the filter assigns traffic with source port 80 or 5001 to the forwarding class “bandwidth-10mb”, which uses the scheduler “scheduler-10mb”. This scheduler limits the transmit rate to 10 Mb/s. Traffic that does not use source port 80 or 5001 is assigned to the forwarding class “bandwidth-5mb”.

The second filter is for the outbound traffic. It uses the same setup, but assigns traffic to the forwarding class “bandwidth-10mb” when the destination port is 80 or 5001.

Filter Config

The last step is to assign the input and output filters to the interface and to set the “per-unit-scheduler” option, which is needed when shaping is applied to logical interfaces.
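The complete configuration as I would write it from the steps above, as an added example that is not the configuration from the original post (which is not reproduced here). The forwarding-class and scheduler names and the rates follow the text; the queue numbers 4 and 5, the filter and scheduler-map names, the “protocol tcp” match and the interface address are assumptions for this example:

```junos
# Added example: CoS shaping on the untrusted interface of an SRX.
# Queue numbers, filter/map names, protocol match and address are assumptions.
class-of-service {
    forwarding-classes {
        # the default classes stay in queues 0-3; the new ones use 4 and 5
        queue 4 bandwidth-10mb;
        queue 5 bandwidth-5mb;
    }
    schedulers {
        scheduler-10mb {
            # "exact": never borrow idle bandwidth from other queues
            transmit-rate 10m exact;
        }
        scheduler-5mb {
            transmit-rate 5m exact;
        }
    }
    scheduler-maps {
        wan-shaping {
            forwarding-class bandwidth-10mb scheduler scheduler-10mb;
            forwarding-class bandwidth-5mb scheduler scheduler-5mb;
        }
    }
    interfaces {
        ge-0/0/1 {
            unit 0 {
                # bandwidth available to the whole logical interface
                shaping-rate 15m;
                scheduler-map wan-shaping;
            }
        }
    }
}
firewall {
    family inet {
        # input filter on untrust: replies coming back from port 80/5001
        filter cos-in {
            term fast {
                from {
                    protocol tcp;
                    source-port [ 80 5001 ];
                }
                then {
                    forwarding-class bandwidth-10mb;
                    accept;
                }
            }
            term rest {
                then {
                    forwarding-class bandwidth-5mb;
                    accept;
                }
            }
        }
        # output filter on untrust: requests going out to port 80/5001
        filter cos-out {
            term fast {
                from {
                    protocol tcp;
                    destination-port [ 80 5001 ];
                }
                then {
                    forwarding-class bandwidth-10mb;
                    accept;
                }
            }
            term rest {
                then {
                    forwarding-class bandwidth-5mb;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        # required for shaping-rate/scheduler-map on a logical unit
        per-unit-scheduler;
        unit 0 {
            family inet {
                filter {
                    input cos-in;
                    output cos-out;
                }
                address 203.0.113.2/30;
            }
        }
    }
}
```

Load it with “load merge terminal” in configuration mode (or enter the equivalent set commands) and commit with “commit confirmed”. One caveat a practitioner will run into: Junos schedules queues on the egress interface. The output filter marks traffic that leaves through ge-0/0/1, so it is shaped by this scheduler-map; traffic marked by the input filter on ge-0/0/1 leaves the SRX through ge-0/0/0, so to shape downloads as well, the same scheduler-map, shaping-rate and per-unit-scheduler have to be applied to ge-0/0/0 too. “show interfaces queue ge-0/0/1” shows the per-queue counters while iperf is running.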

Final words

This setup worked in my lab and I was able to verify the function of the different filters with iperf. The most challenging part is the firewall filters, especially if you need to create more complex ones. I recommend not changing the default queues; I added two new queues for my needs. Input filters evaluate packets received on the interface; for output filters the opposite is true: they evaluate packets transmitted on the interface.

Configuration management with Juniper Junos

One strength of Juniper Junos is its configuration file management. The concept of having different configurations is nothing special: Cisco, for example, uses two configuration files to reflect the current configuration in RAM (running configuration) and the configuration used on startup (startup configuration), and HP does the same on its networking gear. If you are new to Junos, the concept of an active configuration and a candidate configuration, which holds the current changes but isn’t active yet, may confuse you.

The basics

Junos knows two command modes: operational mode and configuration mode. Operational mode is used for managing and monitoring your Junos device. From operational mode you can switch into configuration mode, which allows you to configure the device.

As you can see, the prompt changes when you enter or leave configuration mode (“>” in operational mode, “#” in configuration mode). When you change from operational mode into configuration mode, the latest configuration file is used to create a candidate configuration. The latest configuration is stored in the file system and reflects the active configuration in memory. The candidate configuration holds the changes made in configuration mode, but these changes don’t take effect immediately: you have to commit them at the end of the configuration process. During the commit the configuration is checked for syntax errors and, if it passes, the committed configuration becomes the new active configuration. It is written to the file system and the older files are rotated. The file system holds more than just the latest configuration; you can check this with the file list command in operational mode.

The rescue.conf.gz contains the rescue configuration, juniper.conf.gz the latest (active) configuration, and juniper.conf.#.gz the previous configurations, which can be used for a configuration rollback. I have tried to illustrate this in a graphic:

[Image: juniper_commit_process]

Advanced operations

Junos is designed to handle configuration as a process, which is why the active configuration isn’t changed immediately. The check upon commit gives you more safety with regard to syntax and configuration errors. We all know the situation: we connect to a network device via Telnet or SSH, enter a command and the session drops. This can also happen with Junos: after the commit the candidate configuration becomes active and your session goes down. But there is a solution!

If you commit a change with “commit confirmed”, you have to enter a second commit to keep the configuration. Otherwise your changes are rolled back automatically after 10 minutes (you can pass a different number of minutes as an argument). So the worst case is that you make a change, lose your connection, and after 10 minutes the failed change is rolled back automatically. You can also specify the point in time at which a candidate configuration should be committed (“commit at”), either as a time of day or as a full date and time. If you didn’t use “commit confirmed”, you can use the “rollback” command to revert committed changes.

The “rollback” command copies an archived configuration into the candidate configuration, which then has to be committed to take effect.
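A session that puts these commands together, as an added example that is not from the original post. The hostname “srx”, the user, the interface and the address are assumptions:

```junos
## Added example: a safe configuration change on a Junos device.
## Hostname, user, interface and address are assumptions.
admin@srx> configure
Entering configuration mode
[edit]
admin@srx# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.254/24
## diff of candidate against active configuration
admin@srx# show | compare
## syntax and semantic check only; the active configuration stays untouched
admin@srx# commit check
## activate, but roll back automatically after 5 minutes (default: 10)
## unless a second commit confirms it; survives a lost SSH session
admin@srx# commit confirmed 5 comment "new LAN address"
admin@srx# commit
## alternatively, schedule the activation (time of day or full timestamp)
admin@srx# commit at 02:00
admin@srx# commit at "2014-10-24 02:00:00"
## revert: rollback N loads the N-th previous committed configuration
## (0 = the active one) into the candidate; nothing changes until committed
admin@srx# show | compare rollback 1
admin@srx# rollback 1
admin@srx# commit
admin@srx# exit
## rescue.conf.gz, juniper.conf.gz and juniper.conf.1.gz to .3.gz live in
## /config; the older rollback files sit in /var/db/config
admin@srx> file list /config
admin@srx> show system commit
```

“show system commit” lists who committed what and when, including the comment passed to “commit”, which is the first place to look when a device misbehaves after a change.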

Another frequently encountered problem is missing configuration backups. Junos can automate the backup of configuration files: the configuration can be transferred after a fixed interval or after each commit. The interval is given in minutes and has to be between 15 and 2880. In both cases you need to add at least one archive site, i.e. a place to which the files are uploaded. You can add multiple archive sites; in my case I entered an FTP and an SCP destination.

The password in the configuration file is stored in Junos’ $9$ format. :) Note that $9$ is an obfuscation, not strong encryption: anyone who can read the configuration can recover the password, so use a dedicated, least-privilege account on the archive server and prefer SCP over FTP, which transmits both the credentials and the configuration in clear text. Depending on what you have chosen, the configuration is uploaded after the interval or after each commit.
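The corresponding configuration stanza, as an added example that is not the author’s configuration. Hostnames, paths and the “backup” account are assumptions; Junos rewrites the plain-text passwords into its $9$ form when the configuration is committed:

```junos
# Added example: upload the configuration to two archive sites after each commit.
# Hostnames, paths and the "backup" account are assumptions.
system {
    archival {
        configuration {
            transfer-on-commit;
            # alternative: periodic upload, allowed range 15-2880 minutes
            # transfer-interval 1440;
            archive-sites {
                "scp://backup@archive.lab.local:/srv/junos-config" password "Lab-Backup-2014";
                "ftp://backup@legacy.lab.local/junos-config" password "Lab-Backup-2014";
            }
        }
    }
}
```

The uploaded file name contains the hostname and a timestamp, so the archive directory doubles as a change history; “show system archival” shows when the last transfer ran and whether it succeeded.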

Juniper Firefly Perimeter

I’m a big fan of Juniper Networks! I work mainly with the SSG (ScreenOS) and SRX (Junos) series. The Juniper SRX is a network security solution that can be positioned in the data center or at the branch. You will surely agree that virtualization and cloud computing have changed a lot from the network perspective. This demands security solutions that are not bound to hardware boundaries, and Juniper Firefly Perimeter addresses these demands.

What is Juniper Firefly Perimeter?

Juniper Firefly Perimeter is an SRX Series Services Gateway delivered as a virtual appliance. You can compare it with the HP VSR1000 Virtual Services Router or the Cisco Cloud Services Router 1000V. Firefly Perimeter is available for VMware vSphere 5.x and Linux KVM; Microsoft Hyper-V is currently not supported. When you take a look at the datasheet you will notice that Firefly Perimeter can do all the cool things you expect from this kind of virtual appliance: simple routing, routing protocols (RIP, OSPF, BGP, IS-IS…), MPLS, VPN, stateful/stateless firewalling, network attack detection, lots of management features and much more.

A really cool thing is the Juniper Software Advantage for Security. With this licensing you can choose from multiple options and deploy the software on any platform, regardless of whether it’s hardware or a virtual appliance. The license is perpetual, so you buy once and use it indefinitely.

Hardware appliances are easy to track: go into the data center or the branch office and look at the rack. But a lesson I learned over the last years is that when you use virtualization, you need lifecycle management. Otherwise you will often hear the question “What does server XYZ do??”. Junos Space Virtual Director addresses this: it is a management application for Juniper Firefly Perimeter that helps you automate the deployment and management of Firefly Perimeter appliances. You can also use its REST API to attach Junos Space Virtual Director to other platforms and tools (e.g. VMware Orchestrator).

Shut up and take my money!

If you want to test Juniper Firefly Perimeter in your lab, you can simply download it. Juniper provides a 60-day evaluation. All you need is a Juniper Networks account and this link: *click*

[Image: juniper_firefly_download]

I assume that you use VMware vSphere. In this case you download the OVA file and deploy it with the vSphere C# or Web Client. The virtual appliance comes configured with 2 vCPUs, 2 GB RAM and two E1000 vNICs. If you want to build more complex setups, you can add further vNICs (up to 10).

After powering on the appliance, the appliance will try to get an IP address on interface ge-0/0/0.0 via DHCP. Web management is also enabled on this interface. If the VM gets an IP address, you can open a browser and enter the IP address. If everything went right, the Setup Wizard appears.

[Image: juniper_firefly_setup_wizard]

The wizard helps you with the initial configuration of the appliance. It’s very handy if you don’t have much experience with Junos. If you’re versed in Junos configuration, you can configure the appliance from the CLI instead. Just log in as root without a password. Juniper Networks has really good documentation, so take a look at the Junos 12.1 documentation.
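A first commit for a freshly deployed Firefly Perimeter, as an added example that is not from the original post: it replaces the empty root password, which Junos requires before it accepts the first commit anyway, and limits management access to the trusted side. Hostname, addresses, the zone layout and the “admin” user are assumptions; source NAT for real Internet access is left out on purpose:

```junos
## Added example: first commit on a new Firefly Perimeter, entered in
## configuration mode. Hostname, addresses, zones and the admin user are assumptions.
set system host-name firefly-lab
## both commands prompt for the password interactively
set system root-authentication plain-text-password
set system login user admin class super-user authentication plain-text-password
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
## the factory default exposes clear-text HTTP management; drop it
delete system services web-management http
## ge-0/0/0 is the trusted/management side, ge-0/0/1 faces the outside
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp
## only the trust side may talk to the appliance itself (ssh, https, ping)
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
## the untrust side only needs the DHCP client's replies to reach the appliance
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
## allow outbound traffic; everything else, including untrust to trust, is denied
set security policies default-policy deny-all
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
## activate, but revert automatically in 5 minutes if the session was cut off
commit confirmed 5 comment "initial hardening"
```

After the confirming commit, “show security zones” verifies which system services each zone still accepts, and “show system services” that only ssh and https remain enabled.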