JNCIP-SEC Journey Begins

Since the Juniper forums don't see a whole lotta love, I figured I'd at least post this and perhaps use it to document the experience. Not sure if there will be much interest from others, but I may use it to get some peer pressure to stay on track

I am aiming to sit the exam some time in June with a basic plan in place. For starters, I am currently reading the SRX book by O' Reiley. Its acting as a refresher in a way as well as exposure to some JNCIP topics (I will most likely skip the chapter on UTM as its not apart of the objectives). After that is complete, I plan on taking a JNCIP-SEC training course. Once that is complete, its study and labbing until I feel like I am ready. I am in the process of rebuilding my lab now while I am just reading so its ready when I need it.

Again, I may use this to check in and update my progress and bounce some topics off the other Juniper folks, but we will see.

I have not been this exited about a test in a while. Lets hope it stays that way.

-Snadam

Find more posts tagged with

Comments

Good luck mate, look forward to seeing how you get on.

Have read Chapters 1-5 in the O'Reilly book, and about to takes notes on chapter 5. So far, its been review and it feels good to get a refresher if you will. However, the next chapter is about Transparent Mode, which is a JNCIP topic. Plan on finishing my notes and getting Chapter 6 started over the weekend.

Alex90 wrote: »

Good luck mate, look forward to seeing how you get on.

A belated Thanks!

Today was Chapter 6 Transparent Mode in the O'Reilly book. I'll be honest, I am not a fan of how this book flows from chapter to chapter. Nevertheless, its still decent enough info. I am looking forward to getting my hands on the Juniper Courseware and see how they are. I'll be taking notes on this chapter and probably be done tomorrow. Then, on to chapter 7 (HA Clustering). It's not an exam objective, so I may casually glance through the chapter, or bypass it altogether and move on to Chapter 8 (security policies).

Skimmed Chapter 7 (HA) and read Chapter 8 (Security Policy). Mainly review, but an excellent refresher.

This week was...umm...fun. Nevertheless, got my reading and notes done for NAT. Next chapter is 10 - IPSEC, so I will be looking forward to tackle that chapter!

Got hit with the sickness going around work and home. Still managed to read the IPSEC VPN chapter. Currently taking notes on it now. This is my favorite chapter in the book so far. Will continue to take notes (probably though the weekend), as I am not putting too much time in this week.

FINALLY Finished the note on the IPSEC VPN chapter. Long chapter, but informational. Next up is SCREENS and Flows. In the home stretch of this book!

Still Plugging away. Read IPSec VPN and SCREEN chapters. Now on to uncharted territory; AppSecure. Cool stuff to read. Should be done in a day or two.

Keeping a close eye on this thread. I love juniper but hate web filtering on the SRX.

Quick question have you done inter-VR routing on a branch series SRX cluster? On branch series cluster tou can't use lt- interfaces, using a a physical link with multiple logical point-to-point connections.

Thanks, Staunchy! Once I get the Juniper Courseware books and my training done (Some time in April), this thread will get more interesting; or boring, depending on how you look at it

As for your VR question; the only way I know how to accomplish that in an HA pair of Branch SRX is via physical interfaces. You can allegedly use a reth interface for this. The downside is you gotta burn at least two ports. I've only seen/read about this though, so I'm not 100% certain. You DID give me a good idea for a lab though

Love this thread. But you should post stuff from the days you don't do anything too... "Got up this morning and had coffee and a donut. Thought about studying for my JNCIP but I got distracted playing solitaire."

snadam wrote: »

As for your VR question; the only way I know how to accomplish that in an HA pair of Branch SRX is via physical interfaces. You can allegedly use a reth interface for this. The downside is you gotta burn at least two ports. I've only seen/read about this though, so I'm not 100% certain. You DID give me a good idea for a lab though

I'm using reth interfaces at the moment, was wondering if I might be missing another possible way of doing it.

What about route-leaking between the VRs? I don't normally play with the branch SRXs, but I'm assuming it would be supported? No extra interfaces needed. You could use rib-groups, routing-instance import/export policies, or even a static route with using next-table instead of next-hop (easiest). Note: The static route option would only work in one direction. You can not have 2 VRs with static routes each pointing back to the other one, even if the routes do not overlap (at least the last time I tried it back 11.x code).

@ccie4023, I am trying to determine if you are being condescending or not. I'll give you the benefit of the doubt, however!

Today, my son slept in, so that means we all slept in. Ate breakfast and lunch, purchased a washing machine and decided to study so I can ultimately get a raise to alleviate the stress of purchasing large ticket items such as washing machines.

@Aldur, cool suggestion. I will have to try that out also in my lab. Thanks for your input!

Continuing notes on AppSecure. I may go to Juniper KB and other blogs out there to get more info on AppSecure after this. I'm pretty excited that I got confirmation for my week-long JNCIP training course. Shame that they can't get me the courseware books in advance so I can prepare for the course ahead of time, but I can understand why. I will just use Juniper KBs and my lab to try and get a better understanding prior to training.

Just finished the notes on AppSecure chapter. I will definitely need to be digging in to some outside resources for more info. That being said, the last chapter I'm reading in the O'Reily book is Intrusion Prevention. Sadly, this book doesn't seem to cover any of the Virtualization exam topics (e.g. LSYS, Routing-Instances, RIB groups, etc.). I am going to have to scour the internet for those. I am also considering getting my lab topology set up soon. I have 2xSRX 100B and 2xSRX 210H. I'm thinking about clustering my 100Bs and will be my "HQ", and the 210s will be "branch sites". This is so I can do things like hub and spoke VPN, and have two physical devices that are hi-memory with the ability of AppSecure/IDP. We'll see though. I'll take a look at other peoples blogs to see what they did as well.

JNCIP course is in less than 4 weeks!

I just started this journey a little while ago myself, have a copy of the AJSEC course material of which I read and made notes on the appsecure chapter. I also sat the JIPS course a few weeks ago so I've been going through that course material making study notes as well

I have an exam voucher that expires in 2 weeks but I doubt I'll even get through it all before then. Might sit the exam anyway to get a feel for it and see how I do. I have a few vouchers from taking Juniper courses and doing their champion program so hopefully I can pass without having to pay for the exam

Good luck on your journey!

snadam wrote: »

Sadly, this book doesn't seem to cover any of the Virtualization exam topics (e.g. LSYS, Routing-Instances, RIB groups, etc.).

Try the other SRX book? There is the Junos Security book and the Juniper SRX Series book. I haven't fully read both of those, but I do remember a LSYS chapter in the Junos Security book. I think the Junos Security book covered at least enough rib-groups and routing-instances to configure a little bit of filter based forwarding.

If you have any access to any of the enterprise or service provider material, there should be some rib-group and maybe routing-instance information there.

Thank you for the suggestion, Zoidberg! I also have the Junos Security eBook, so I will check that out. Also, you think the fast track material for SP and ENT will cover the other routing/virtualization topics?

Route leaking does work on the branch series. I'd say once you have the actual cert. in the bag spend some time playing with the advanced routing features like this. The single biggest project I ever worked on, and I am most proud of, involved Geo-redundant stateless and stateful traffic across 6 VRs with overlapping address space. The opposing team's proposal utilised about 16 different devices (switches, routers, loadbalancers etc.). With the SRX I was able to do it on 2 clusters (and 2 were only needed for the georedundant part). With it's routing options you can turn your security appliance into a business enabler as well as protector.
Oh and that project - I used to joke with my boss that our peers would have had a heart-attack if they'd seen the lab I built and proved it on....2x SRX100s at the core

. They literally used to overheat and give off alarms but hell if they didn't run a full config designed to link 9mil customers to about 36 mil others.

Ahriakin, that project sounded awesome! These SRX boxes are extremely versatile. I do plan on focusing on my route/switch skills after JNCIP-SEC and will throw in these more advanced routing techniques in my studies.

Speaking of studying, I am about 25% done with my note taking on the IDP chapter. After that, I'm done with the book. I took the practice test on juniper's website, and I did well on the topics I already knew, and poorly on the topics I have little/no experience in. I have some work to do, but this was expected. I'm supplementing my studies with the Juniper Learning Bytes on YouTube as well as their KB articles to break up the monotony of reading the same book.

How goes your studies? Also, just an FYI, but I just did two AppQoS LBs that might help you understand AppQoS if you need a little help on that. They haven't gone live on the LB website, or the Youtube channel, but they should be there soon.

Back from a break!

Long work week, plus friends visiting from out of town made me take a two week break. I'm back in the saddle, though. Only need to finish a few more pages on the IDP chapter in my book. My JNCIP bootcamp is less than a month away (originally I think I said it was in 4 weeks, which was false). So between now and bootcamp I want to focus on the objectives I feel I'm weak in so I can be more prepared to ask questions when I'm actually there.

Aldur, its great to see you back! I am really looking forward to more learning bytes as well. I try and find the SRX related ones and watch those when I have "down time".

Best of luck with your studies and thanks for the reply in my thread. I'm in the pre process of building a chassis cluster across sites with SRX650's and multiple routing instances for some tennants, and throwing in some UTM features too. Should prove a decent learning experience.

I so completely understand having to take breaks from studying. Before kids and when I lived further away from family, wasn't such a big deal. Now, it's next to impossible to find an hour to sit down and study. But glad to hear you back at it.

Just out of curiosity, when you say JNCIP-SEC bootcamp, are you referring to the JNCIE-SEC bootcamp that Juniper runs, or something else?

Agreed. Add a kid in the mix and it gets real fun

as for the "bootcamp" its through Juniper, but held at Dynamic Worldwide Training Consultants (at least in my area). My courses are below.

https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=4286
https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=2320

That being said, the April course was canceled due to lack of attendance, so I am now booked for May. This may work out to my advantage, because I can hit the books hard and cover everything. Once I get to the training course, I can focus on my weak spots and then build on that. A week or two after that, I can sit the exam.

ahh ok, I got it. It's a workshop that covers the AJSEC and JIPS material. There's also a JNCIE-SEC bootcamp course that puts you through 5 days of lab exercises to get you ready for the JNCIE-SEC exam. Something to think about after you pass your IP-SEC.

I would LOVE to pursue my JNCIE-SEC. I'm in year two of my 5 year goal for that. I was planning on picking up some ENT certs too, along with that other networking company's cert so I can keep that stuff current.

An update on my progress:

It's been a crazy 3 weeks. Now that things have calmed down personally and professionally, its back to the routine again. Since my class was rescheduled, the training center were kind enough to send me the courseware material early. I am in the process of reading Chapter 2; AppSecure. This is where the fun begins; books and labs! I've been waiting to dig into my lab for quite some time now.

Just finished reading Chapter 2 AppSecure. Will take notes over the weekend and its on to the next chapter; L2 Packet Handling and security features.

Ahhh, feels good to make studying progress again! At some point soon, I will build out my lab the same way the courseware books do.

I'm still at it! Got sick (again) last week, along with a few late night/early morning shifts. Needless to say I didn't get a whole lot of studying done. However, I'm back at it today taking my notes on AppSecure. Should be done tomorrow and can continue reading on to the next chapter!

Quick Links