Tag Archives: junos

Juniper publishes vMX

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

This tweet from @JuniperNetworks really inspired me yesterday. I have liked Juniper’s Firefly Perimeter (vSRX) from the first day. I like the idea behind this product (yes, I like everything that can be run as a VM…). But yesterday Juniper went one better.

Juniper Networks announced yesterday a virtualized, carrier-grade version of their MX Series 3D router. The Juniper Networks vMX is a virtual MX Series 3D Universal Edge Router, and it’s optimized to run on x86 hardware. Juniper vMX can run on all major hypervisors, including VMware ESXi and KVM. It was also mentioned that vMX can be run in Docker containers or on bare metal.

The development of vMX was facilitated by Juniper’s acquisition of Contrail. Juniper’s physical MX series router is powered by Juniper’s Trio chipset, and Juniper has virtualized the Trio chipset for vMX (now called vTrio) and optimized it for x86 hardware. Depending on the number of physical resources, a vMX can achieve a throughput of 160 Gbps. vMX uses vTrio and Junos OS and supports the same feature set, so it feels and behaves like a physical MX series router. This ensures that customers can leverage their Juniper MX know-how to run vMX in their environment. Whether a customer uses a physical or a virtual MX router is only a question of performance. Multiple vMX instances can be managed with Junos Space, the Contrail SDN controller and OpenStack Cloud Manager. Customers will be able to buy vMX beginning in Q1/2015 in a flexible license model (pay-as-you-grow, perpetual or subscription license). Details about the pricing weren’t revealed by Juniper.

This short video was published by Juniper Networks and it’s available on YouTube.

Exam experience JNCIA-Junos

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

The Juniper Networks Certification Program (JNCP) consists of different tracks, which enable you to demonstrate your skills with Juniper products and technologies in the areas most pertinent to your job function and experience. There are three main areas:

  • Junos
  • Support
  • Product and Technology

The Junos area consists of three tracks:

  • Service Provider Routing and Switching
  • Enterprise Routing and Switching
  • Junos Security

The “Service Provider Routing and Switching” track focuses on service provider and telecommunication networks (M-, MX-Series, routing with OSPF, BGP, MPLS etc.), the “Enterprise Routing and Switching” track on enterprise routing and switching in LAN and WAN (EX-Series, MX-Series, Spanning-Tree, VLANs, routing etc.) and the “Junos Security” track is focused on the Juniper security products (SRX-Series, routing, firewall, VPN etc.). All three tracks have the Juniper Networks Certified Associate – Junos (JNCIA-Junos) as a prerequisite. This is an entry-level certification and it covers the following objectives:

  • Networking Fundamentals
  • Junos OS Fundamentals
  • User Interfaces
  • Junos Configuration Basics
  • Operational Monitoring and Maintenance
  • Routing Fundamentals
  • Routing Policy and Firewall Filters

The certification is comparable to Cisco CCNA (Routing & Switching, Security) or HP ATP (FlexNetworks or TippingPoint Security). The certification can be achieved by passing the JN0-102 exam, which can be booked at Pearson VUE and is delivered as a proctored exam. The exam costs ~100 € (depending on taxes). A Fast Track program is available for different certifications, including the JNCIA-Junos. If you pass a pre-assessment exam, you get a 50% discount exam voucher for Pearson VUE. I strongly recommend taking the pre-assessment exam and saving 50% of the costs. The voucher can only be used one time, so if you fail the first attempt, you have to pay the full price for the second attempt. It’s strongly recommended to get a CertManager ID before you schedule the exam. Otherwise you can’t get your eCertificate. You can get a CertManager ID later and connect it with your Juniper account. You can get a CertManager ID here.

To pass the exam you have to answer 70 multiple-choice questions in 90 minutes. I can’t tell you the passing score, because it’s not officially published by Juniper. But it’s comparable to other entry-level exams I have passed in the last years. Nothing special. You get the result (passed or failed) immediately after the exam. But, and this was new to me, you only get a provisional score report! Juniper states on its homepage:

Juniper Networks then performs industry standard statistical analyses on all exam results to ensure compliance with the Juniper Networks Candidate Agreement and JNCP exam security policies.

It seems that Juniper tries to prevent people from passing the exam who have used braindumps or have flipped a coin on each question. You get the final score report within three business days. I passed the exam on Friday (based on the provisional score report) and today the exam was listed as “passed” in my CertManager account.

Exam preparation

You can prepare for the exam in many ways. Juniper offers three different trainings that cover some of the exam objectives:

You don’t have to take a classroom or virtual training; you can prepare yourself for the exam. Juniper offers excellent free software documentation, the Fast Track Self-study Guides and different Day One Guides (e.g. Day One: Exploring the Junos CLI). If you like CBT, try the course on Pluralsight: Juniper JNCIA-Junos – Introduction to Junos OS (thanks to Chris Frisch for developing the course!). Hands-on experience is strongly recommended! You can get a cheap SRX 100 or 110 on eBay. Or try Juniper Firefly Perimeter, a virtual SRX. You can use it for 30 days without a license. Don’t make the mistake of buying a Juniper 5GT or SSG series! They are running ScreenOS, not Junos! If you think you are well prepared, try the practice test that is offered by Juniper. If you pass the practice test, schedule your exam at Pearson VUE.

The exam

I passed the Fast Track pre-assessment exam some weeks ago and scheduled an appointment for last Friday (24 October). I had not much time to prepare for the exam. I used the Fast Track Self-study Guides (two PDFs with ~160 pages) and a Juniper Firefly Perimeter to prepare for the exam. Since I’m quite familiar with the SSG and SRX, I know how firewall policies, routing and routing protocols work. As mentioned above, the exam consists of 70 questions that have to be answered in 90 minutes. There is no bonus time for non-native speakers. Some questions can be answered really quickly, but some questions, especially questions with an exhibit, need more time. As far as I’ve seen, all exam objectives were covered. I can’t reveal any details, but reading the study guides is not enough to pass the exam! You should be familiar with converting decimal to binary and with IPv6. You should also be familiar with IP routing, subnetting, longest route match etc. Know the Junos CLI and the syntax of the important commands. You should also know how the Junos routing engine and packet forwarding engine act together. Don’t waste too much time on basic questions. And very important: READ CAREFULLY! Some questions are nasty if you haven’t read the question, the exhibit and the answers…

I finished the exam after roughly 60 minutes and passed it. I found the exam challenging compared to other entry-level exams.

What’s next? I think I will start preparing for JNCIS-SEC and maybe JNCIS-ENT. The latter is more of a hobby, because my employer does not sell Juniper EX. But in any case: it opens future options, and learning new things is always a good thing.

Juniper SRX: Using CoS to manage bandwidth

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

Sometimes it’s necessary to limit specific traffic in terms of bandwidth. Today I’d like to show you how to manage bandwidth limits using QoS and firewall filters. Especially if you have only limited bandwidth, e.g. a DSL connection, it can be useful to manage the bandwidth used by specific hosts or protocols. I use a really simple setup to show you how you can manage bandwidth using CoS on a Juniper SRX.


[Image: lab setup diagram. Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0]

As you can see: a very simple setup. The initial config of my SRX is also quite simple: two interfaces, default-permit between the zones. Interface ge-0/0/1 is the untrusted, external interface. Interface ge-0/0/0 is the interface to my trusted network, therefore it belongs to my trust zone. Let’s assume that ge-0/0/1 is limited to 15 Mb/s and that 10 Mb/s of that should be reserved for traffic to port 80 and 5001. Any other traffic should be limited to 5 Mb/s.

Class of Service Config

First of all, we need to configure two new queues (forwarding classes).

Now we add two schedulers. The first scheduler sets the transmit rate to 10 Mb/s, the second scheduler to 5 Mb/s. The keyword “exact” means the queue never exceeds its configured transmit rate, so excess packets are buffered under congestion instead of borrowing unused bandwidth.

Before the schedulers can be applied to an interface, we have to create a scheduler-map that maps each forwarding-class to a specific scheduler.

Now we can apply the scheduler-map to the untrusted interface. The keyword “shaping-rate” specifies the total amount of bandwidth allocated to the logical interface.

Firewall Config

The next step is to create input and output filters. The filters assign traffic matching specific criteria to a forwarding class, and thus to a queue. The first filter is the filter for the input traffic.

As you can see, the filter assigns traffic with source port 80 or 5001 to the forwarding-class “bandwidth-10mb”, which uses the scheduler “scheduler-10mb”. This scheduler limits the transmit rate to 10 Mb/s. If traffic doesn’t use source port 80 or 5001, the forwarding-class “bandwidth-5mb” is assigned.

The second filter is for the outbound traffic. It uses the same setup, but it assigns traffic to forwarding-class “bandwidth-10mb” when the destination port is 80 or 5001.

Filter Config

The last step is to assign the input and output filters to the interface and to set the “per-unit-scheduler” option, which is needed when shaping is used on logical interfaces.
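The configuration snippets of the original post were not preserved here, so what follows is an added example (my reconstruction, not the post’s own configuration) of the whole procedure as Junos set commands. The forwarding-class names, scheduler names, interface and ports are taken from the text; the queue numbers 4 and 5 (chosen so the default queues 0–3 stay untouched), the scheduler-map name “bandwidth-map”, the filter and term names, and the added “protocol [ tcp udp ]” match (source-port and destination-port alone don’t check the transport protocol) are my assumptions.

```junos
# --- Class of Service ---
# Two new queues; the default queues 0-3 are left as they are (assumed numbering)
set class-of-service forwarding-classes queue 4 bandwidth-10mb
set class-of-service forwarding-classes queue 5 bandwidth-5mb

# Schedulers: "exact" caps the queue at its transmit rate, excess is buffered
set class-of-service schedulers scheduler-10mb transmit-rate 10m exact
set class-of-service schedulers scheduler-5mb transmit-rate 5m exact

# Map each forwarding class to its scheduler (map name is an assumption)
set class-of-service scheduler-maps bandwidth-map forwarding-class bandwidth-10mb scheduler scheduler-10mb
set class-of-service scheduler-maps bandwidth-map forwarding-class bandwidth-5mb scheduler scheduler-5mb

# Apply the map to the untrusted logical interface and shape it to 15 Mb/s
set class-of-service interfaces ge-0/0/1 unit 0 scheduler-map bandwidth-map
set class-of-service interfaces ge-0/0/1 unit 0 shaping-rate 15m

# --- Firewall filters (names are assumptions) ---
# Input filter: packets arriving from source port 80/5001 get the 10 Mb/s class,
# everything else the 5 Mb/s class. "accept" is explicit so the intent is visible.
set firewall family inet filter limit-in term prio from protocol [ tcp udp ]
set firewall family inet filter limit-in term prio from source-port [ 80 5001 ]
set firewall family inet filter limit-in term prio then forwarding-class bandwidth-10mb
set firewall family inet filter limit-in term prio then accept
set firewall family inet filter limit-in term rest then forwarding-class bandwidth-5mb
set firewall family inet filter limit-in term rest then accept

# Output filter: same logic, keyed on the destination port
set firewall family inet filter limit-out term prio from protocol [ tcp udp ]
set firewall family inet filter limit-out term prio from destination-port [ 80 5001 ]
set firewall family inet filter limit-out term prio then forwarding-class bandwidth-10mb
set firewall family inet filter limit-out term prio then accept
set firewall family inet filter limit-out term rest then forwarding-class bandwidth-5mb
set firewall family inet filter limit-out term rest then accept

# --- Interface ---
# per-unit-scheduler is required for shaping on logical interfaces
set interfaces ge-0/0/1 per-unit-scheduler
set interfaces ge-0/0/1 unit 0 family inet filter input limit-in
set interfaces ge-0/0/1 unit 0 family inet filter output limit-out

# Validate before activating, then check that the queues see traffic
commit check
commit and-quit
show class-of-service interface ge-0/0/1
show interfaces queue ge-0/0/1
```

Note that the filters above only classify traffic; they don’t replace the security policies between the zones. A filter term without a terminating action still accepts the packet in Junos, but writing “accept” explicitly avoids surprises when someone later adds a “discard” term. The queue counters from “show interfaces queue” are the quickest way to confirm that the iperf traffic actually lands in the expected queue.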

Final words

This setup worked in my lab and I was able to test the function of the different filters with iperf. The most challenging part is the firewall filters, especially if you need to create more complex filters. I recommend not changing the default queues; I added two new queues for my needs. Input filters are used to evaluate packets received on the interface. For output filters the opposite is true: they are used to evaluate packets that are transmitted on the interface.

Configuration management with Juniper Junos

This posting is ~6 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

One strength of Juniper Junos is its configuration file management. The concept of different configurations is nothing special. For example, Cisco uses two configuration files to reflect the current configuration in RAM (running configuration) and the configuration used on startup (startup configuration). HP is doing the same on their networking gear. If you are new to Juniper Junos, the concept of an active configuration and a candidate configuration, which holds the current changes but isn’t active, may confuse you.

The basics

Junos knows two command modes: the operational mode and the configuration mode. The operational mode is used for managing and monitoring your Junos device. You can switch from the operational mode to the configuration mode. The configuration mode allows you to configure your device.

As you can see, the prompt changes when entering or leaving the configuration mode. When you change from the operational mode into the configuration mode, the latest configuration file is used to create a candidate configuration. The latest configuration is stored in the filesystem and reflects the active configuration in memory. The candidate configuration is used to store the changes that are made in the configuration mode. But changes to the candidate configuration don’t take effect immediately. You have to commit the changes at the end of the configuration process. During the commit, the configuration is checked for syntax errors and, if it’s fine, the committed configuration becomes the new active configuration. This configuration is stored in the filesystem and the older files get rolled. The filesystem contains more than the latest config. You can check this by using the file command in the operational mode:

The rescue.conf.gz contains the rescue configuration, the juniper.conf.gz contains the latest configuration and the juniper.conf.#.gz files contain the previous configurations, which can be used for a configuration rollback. I have tried to illustrate this in a graphic:


[Image: configuration file rotation. Juniper/ www.juniper.com]

Advanced operations

Junos is designed to handle configuration as a process. This explains why the active configuration isn’t changed immediately. The syntax check upon commit protects you against syntax or configuration errors. We all know this situation: we connect to a network device by Telnet or SSH, we enter a command and the session disconnects. This can also happen to you when you use Junos. After the commit, the candidate configuration becomes active and your session goes down. But hey, there’s a solution!

If you commit a change with the “commit confirmed” command, you have to enter a second commit to keep the configuration. Otherwise your changes are rolled back after 10 minutes. So the worst case is that you make a change and lose your connection, but after 10 minutes the failed change is rolled back automatically. You can also specify the point in time at which a candidate configuration should be committed:


If you don’t use the “commit confirmed” command, you can use the “rollback” command to revert committed changes.

The “rollback” command copies an archived config to the candidate configuration, which can then be committed.

Another frequently encountered problem is missing configuration backups. Junos provides a way to automate the backup of configuration files. The configuration can be backed up at an interval or after each commit.


The interval is given in minutes and has to be between 15 and 2880 minutes. In both cases you need to add an archive site, meaning a place where the files have to be uploaded. You can add multiple archive sites; in this case I have entered an FTP and an SCP destination.

The password in the configuration file is saved encrypted. :) Depending on what you have chosen, the configuration will be uploaded after the interval or after a commit.
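As an added example (my own session, not the post’s missing output), here is one configuration session that walks through the safeguards described above: a confirmed commit, a scheduled commit, a rollback with a preview, and automatic archival to FTP and SCP. The host name, the archive URLs, the timestamp and the 5-minute confirmation window are assumptions; the password is a placeholder.

```junos
# Operational mode: list the configuration files mentioned above
file list /config/

# Enter configuration mode and make a change with a safety net.
# If no second "commit" follows within 5 minutes, Junos rolls back by itself.
configure
set system host-name srx-lab
commit confirmed 5
# ... check that the SSH session still works, then make the change permanent:
commit

# Alternatively, commit the candidate at a fixed point in time
# (a maintenance window; the date is an assumption).
commit at "2014-10-27 02:00:00"
# A pending scheduled commit can be cancelled from operational mode:
run clear system commit

# Roll back to the previous committed configuration.
# First preview what "rollback 1" would change, then apply and commit it.
show | compare rollback 1
rollback 1
commit

# Automatic backup: after every commit, or alternatively every 30 minutes
# (transfer-interval must be between 15 and 2880 minutes).
set system archival configuration transfer-on-commit
# set system archival configuration transfer-interval 30
set system archival configuration archive-sites "scp://backup@backup.example.com/junos-configs" password "PASSWORD-PLACEHOLDER"
set system archival configuration archive-sites "ftp://backup@ftp.example.com/junos-configs" password "PASSWORD-PLACEHOLDER"
commit

# Save the current, known-good configuration as the rescue configuration
run request system configuration rescue save
```

From a defender’s point of view, the interesting pieces are the two that the post highlights: “commit confirmed” keeps a remote change from locking you out of the box, and the archival settings give you an off-box copy of every committed configuration, which is exactly what you need when you later have to establish what a device looked like at a given point in time. Prefer the SCP destination over FTP where possible, since FTP transfers the configuration (including the obfuscated secrets in it) in clear text.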

Juniper Firefly Perimeter

This posting is ~7 years old. You should keep this in mind. IT is a short-living business. This information might be outdated.

I’m a big fan of Juniper Networks! I work mainly with the SSG (ScreenOS) and SRX (Junos) series. The Juniper SRX is a network security solution which can be positioned in the data center or at the branch. You will surely agree that virtualization and cloud computing have changed a lot from the network perspective. This demands security solutions that are not bound to hardware boundaries. Juniper Firefly Perimeter addresses these demands.

What is Juniper Firefly Perimeter?

Juniper Firefly Perimeter is an SRX Services Gateway delivered in the form of a virtual appliance. You can compare it with the HP VSR1000 Virtual Services Router or the Cisco Cloud Services Router 1000V. Firefly Perimeter is available for VMware vSphere 5.x and Linux KVM. Microsoft Hyper-V is currently not supported. When you take a look into the datasheet you will notice that Firefly Perimeter can do all the cool things you expect from this kind of virtual appliance: from simple routing, routing protocols (RIP, OSPF, BGP, IS-IS…), MPLS, VPN, stateful/stateless firewall, network attack detection, a lot of management features and many more.

A really cool thing is the Juniper Software Advantage for Security. With this licensing you can choose from multiple options and deploy the software on any platform, regardless of whether it’s hardware or a virtual appliance. The licensing is perpetual, so you buy once and use it indefinitely.

When using hardware-based appliances it’s easy to track them: go into the data center or the branch office and take a look into the rack. But a lesson I learned over the last years is: when you use virtualization, you need lifecycle management. Otherwise you will often hear the question “What does server XYZ do??”. Junos Space Virtual Director addresses these demands. It’s a management application for Juniper Firefly Perimeter that helps you to automate the deployment and management of Juniper Firefly Perimeter appliances. To do so, you can use the REST API and attach Junos Space Virtual Director to other platforms and tools (e.g. VMware Orchestrator).

Shut up and take my money!

If you want to test Juniper Firefly Perimeter in your lab, you can simply download it. Juniper provides a 60-day evaluation. All you need is a Juniper Networks account and this link: *click*


[Image: Firefly Perimeter download page. Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0]

I assume that you use VMware vSphere. In this case you have to download the OVA file and deploy it with the vSphere C# or Web Client. The virtual appliance is configured with 2 vCPUs, 2 GB RAM and two E1000 vNICs. If you want to build complex setups, you can add additional vNICs (up to 10). Simply deploy the OVA file.

After powering on the appliance, it will try to get an IP address on interface ge-0/0/0.0 via DHCP. Web management is also enabled on this interface. If the VM gets an IP address, you can open a browser and enter that address. If everything went right, the Setup Wizard appears.


[Image: Firefly Perimeter Setup Wizard. Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0]

The wizard helps you with the initial configuration of the appliance. It’s very handy if you don’t have much experience with Junos. If you’re versed in the configuration of Junos, you can configure the appliance using the CLI. Just log in as root without a password. Juniper Networks has really good documentation, so take a look into the Junos 12.1 documentation.
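Since a freshly deployed appliance lets you log in as root without a password and answers on whatever address DHCP handed out, the first thing I would do on the CLI, before building anything on top of it, is the minimal baseline below. This is an added example (my own suggestion, not part of the original post or of Juniper’s documentation). The host name, the management address 192.0.2.2/24, the zone layout (ge-0/0/0.0 in trust, ge-0/0/1.0 in untrust) and the admin user name are assumptions; the “delete” of the DHCP client assumes the factory default configures it as “family inet dhcp” on ge-0/0/0.0.

```junos
configure
set system host-name firefly-lab

# Root has no password on a fresh appliance, so set one first.
# plain-text-password prompts interactively and stores only the hash.
set system root-authentication plain-text-password
# Day-to-day work should use a named account, not root
set system login user admin class super-user authentication plain-text-password

# Management over SSH and HTTPS only; leave plain HTTP disabled
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0

# Replace the DHCP-obtained address with a static one on the trust side
# (assumes the factory default configured "family inet dhcp" here)
delete interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24

# Only the trust zone may reach management services on the appliance;
# the untrust interface gets no host-inbound services at all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0

# Commit with a safety net in case the address change cuts the session
commit confirmed 5
```

Once you have reconnected to the new address, a plain “commit” makes the change permanent; if the reconnect fails, the appliance falls back to the previous configuration on its own after five minutes. The host-inbound-traffic lines are the important part for a lab that is reachable from other networks: without them the web interface the post mentions is reachable from every zone the interface belongs to.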