JNCIE-ER prep materials - practice labs and topology
Hey everybody!
Here's my long overdue labs and topology that I created and used to study for the JNCIE-ER. Enjoy and let me know if you have any questions.
JNCIE-ER pretest Topo V2
JNCIE-ER pretest
Services - extra labs
CoS - extra labs
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender
Comments
-
seraphus Member Posts: 307
Aldur wrote: »Hey everybody!
Here's my long overdue labs and topology that I created and used to study for the JNCIE-ER. Enjoy and let me know if you have any questions.
JNCIE-ER practice topology
JNCIE-ER pretest
Services - extra labs
CoS - extra labs
Excellent, thanks!
Lab first, ask questions later
-
Sumptuous Users Awaiting Email Confirmation Posts: 34
Wow thanks Lot$$$$$ this will come in handy
2010 GOALS
MCITP,EA,SACWNACCNP
-
mikej412 Member Posts: 10,086
Sweeeeeet!!!
Cisco Certifications -- Collect the Entire Set!
-
hoogen82 Member Posts: 272
Thank you Aldur..
IS-IS Sleeps.
BGP peers are quiet.
Something must be wrong.
-
Aldur Member Posts: 1,460
I was chatting with seraphus about getting equipment together for the JNCIE-ER and so I thought I would post my thoughts here to help with any who wanted to get the needed equipment together.
The best/cheapest equipment to get for the JNCIE-ER is a few J2300 routers and some hardware olives. You'll need the J2300 routers to run any services, stateful-fw, IPsec, GRE, MLPPP, NAT and routers that are not of your "internal" network can be the hardware olives. Keep in mind that for the routers that run your services you will more than likely be deploying them at the edges of your network so any internal/non-edge routers really can be olives. So in reality if you bought 3 or 4 J's and had some hardware olives you could place your J's on the edge and use hardware olives split up into logical routers to work as your other routers.
If you look at the topology that I used to study for the JNCIE-ER there appears to be an unreal amount of routers. In all actuality I only have 8 J series routers and 2 hardware olives. The hardware olives are cut up into logical routers and placed throughout the testbed. Then the J routers make up the internal network and plus one router on the outside of the network, so I can run an IPsec tunnel to the "remote office" on this router.
Something else to keep in mind is that the J2300 routers only have 2 FastEthernet ports and 2 T1 ports. The T1 ports are great for practicing MLPPP and MLFR but there appears to be a lacking amount of FE ports to do any real routing. To overcome this I plugged all my FE cables into an old Cisco switch, 2950XL, and then split up one FE port on each router into different VLANs. This allowed me to define as many "links" as I wanted to since I could configure as many logical units and VLANs as needed. This was also extremely helpful when it came to changing my topology. Doing a logical change is much easier than recabling everything.
-
joshrain Member Posts: 2
thank you so much.
i had couple of questions
1) how many routers would there be in the actual testbed.
2) if one is familiar with configuring everything according to your setup, should they just go and sit for the exam?
3) what are some of the areas i should be very strong at?
4) can i set this up using 1-2 (m10i's) and logical routers (the job i currently work have these available in the lab). also, i don't have access to mcast sources/rcvr (not sure how to test those).
thanks again for helping us out and guiding us.
--josh
-
Aldur Member Posts: 1,460
joshrain wrote: »1) how many routers would there be in the actual testbed.
In my testbed I had 2 hardware olives, 6 j2300's, and 2 j4300's. The following routers in my topology are the J-series routers.
Ale
Lager
PBR
Stout
Bock
Porter
Dirt
And every other router that you see in the topology are logical routers that come from the 2 olives.
joshrain wrote: »2) if one is familiar with configuring everything according to your setup, should they just go and sit for the exam?
Even if somebody is familiar with configuring everything according to my setup I still would recommend getting some lab time in to practice. A big part of the test is fighting against the clock. If you can't set up the routers quickly then you won't be able to finish in time to check your work.
joshrain wrote: »3) what are some of the areas i should be very strong at?
Kinda hard to say. With me I was weak with services but strong with routing protocols. Since I finished my JNCIE-M/T before attempting the JNCIE-ER I only had to briefly review routing protocols, just a little before the test actually. I would recommend being strong in all areas that the test covers. I was strong in routing protocols and weak in services, so services was the main point of my focus when studying.
joshrain wrote: »4) can i set this up using 1-2 (m10i's) and logical routers (the job i currently work have these available in the lab). also, i don't have access to mcast sources/rcvr (not sure how to test those).
As long as you have an AS PIC in the M10i's then you should be fine to chop them up into logical routers. I'm not too sure of the support for services in logical routers, I wouldn't think it would be a problem, but this is something you'll want to check into. Also, with M10i's you can't have an AS PIC running in L3 mode and L2 mode at the same time. This will cause some problems if you try to configure L2 services, such as MLPPP, and L3 services such as stateful firewalls. I could also see this causing a problem with doing any IPsec over GRE implementations since GRE tunnels. But for the majority of it you should be fine. Plus you could just throw 2 AS PIC's in each router.
You can fake MC sources and receivers by using the by-pass routing ping as the MC sender coupled with the SAP protocol as the receiver. There's a great section in the JUNOS Enterprise Routing book that describes this in detail. If you don't have that book I would recommend picking up a copy.
Let me know if you have any questions,
HTH
-
zrcheng Member Posts: 44
Great stuff.
Do you have cases to investigate service more?
like mix NAT and IPsec? using interface and next-hop to implement ?
-
Aldur Member Posts: 1,460
zrcheng wrote: »Great stuff.
Do you have cases to investigate service more?
like mix NAT and IPsec? using interface and next-hop to implement ?
The labs that I currently have can be solved by next-hop or interface style service sets. I actually highly recommend mixing both to accomplish many of the tasks. Such as using an interface style SFW and NAT mixed with a next-hop style IPsec tunnel.
Also, to tell you the truth, an interface style IPsec tunnel is only useful when doing IPsec over GRE. If you're not doing IPsec over GRE then always use next hop with IPsec.
-
Aldur Member Posts: 1,460
You got a solutions guide?
Well, not particularly but if you have any questions about how to do something that is listed I'm happy to answer them here. So more of a "solutions guide" on an as-needed-basis
-
ccie15672 Member Posts: 92
Aldur:
For the first requirement in those labs... wouldn't it be something like this:
set services nat rule INET term 10 then translate source-prefix 200.1.1.24/29
set services nat rule INET term 10 then translate translation-type source-dynamic
No NAPT, but since JUNOS tracks the translations by all flow information you can still essentially "overload" the pool? Basically no two people can go the same destination and port number if they happen to also choose the same source-port number...
Help me out here...
Hey Juniper's documentation on NAT is wrong in a couple of places... like this:
"However, source dynamic NAT (without NAPT) and destination static NAT allow more than one rule or service set to refer to the same pool, and allow multiple pools to have subnets that can overlap. A prefix pool can be used by multiple rules or terms."
You can never share a pool across service-sets with any kind of *source* translation... right? I have tried to do this 8 ways from Sunday... I must be missing something or the docs are wrong.
Derick Winkworth
CCIE #15672 (R&S, SP), JNCIE-M #721
Chasing: CCIE Sec, CCSA (Checkpoint)
-
Aldur Member Posts: 1,460
Yup that's the correct NAT for the first criteria in the services lab.
With no NAPT/PAT there's really only 6 people who can get NAT'd before the NAT pool becomes exhausted.
When you apply the source pool to two different rules do both rules try to use the first available address at the same time?
I hate to admit this but I rarely/never get to play with NAT at work, so I'm a little rusty with all its caveats.
-
hermatize Member Posts: 2
Can you share the final configs? I have 15 j2300's and I'm trying to set everything up before my test in December.
-
Aldur Member Posts: 1,460
Sorry hermatize, but I didn't think about grabbing the configs for the end of the whole lab. And the lab has been torn down to be used for other purposes.
But seriously if you have any questions about how a lab should be configured please let me know and I'll be able to spout off any necessary configs.
-
zrcheng Member Posts: 44
Hi, Aldur
I have a Q regarding COS on sp interface, in the AJRE student guide example, "life of a packet" example, scheduler-map apply to sp-0/0/0 no matter its interface or next-hop style service set. re-write rule apply to GRE and outside interface.
But in AJRE detail lab guide, in cos chapter part 5, re-write rule applies to sp-0/0/0.2 interface.
all of them good?
-
Qamar Abbas Member Posts: 1
Hi everybody!
I am preparing for above quoted lab, would you please guide
regarding it. There is no one in Pakistan, conducting its boot camp.
Please help me.
-
Aldur Member Posts: 1,460
zrcheng wrote: »Hi, Aldur
I have a Q regarding COS on sp interface, in the AJRE student guide example, "life of a packet" example, scheduler-map apply to sp-0/0/0 no matter its interface or next-hop style service set. re-write rule apply to GRE and outside interface.
But in AJRE detail lab guide, in cos chapter part 5, re-write rule applies to sp-0/0/0.2 interface.
all of them good?
This is confusing for a lot of people and the key is to just look at what interface the packet is entering and leaving. Just because the service interface unit is 'inside' doesn't mean that the packet will always be entering on the inside interface, it very well could be entering on the outside interface.
Sooo... always classify on the interface in which packets come in and rewrite on the interface that the packets leave. This a lot of times will mean that you will be classifying and rewriting on both the inside and outside interface, at the same time.
Qamar Abbas wrote: »Hi everybody!
I am preparing for above quoted lab, would you please guide
regarding it. There is no one in Pakistan, conducting its boot camp.
Please help me.
Sure thing, we'd all be glad to help. What are your specific questions?
-
NikeBoy Member Posts: 8
Dear Aldur,
this link with topology is not existing for me:
can you check it please, or re-share it?
Thanks in advance!
---
Yev.
-
Aldur Member Posts: 1,460
NikeBoy wrote: »Dear Aldur,
this link with topology is not existing for me:
can you check it please, or re-share it?
Thanks in advance!
---
Yev.
I just checked this out, looks like it was flagged as 'inappropriate'... I clicked the review button and Google is going to review it... Not sure what the hell happened here... Not a big user of Google Docs, maybe somebody didn't like my topology... weird...
-
Aldur Member Posts: 1,460
froggy3132000 wrote: »What did you use for the frame-relay switch?
Frame relay switch? Didn't use anything in this particular setup. Although I have set up my J4300 loaded with T1 PIMs as a FR switch. But I didn't include that in this setup because it seemed unnecessary.
-
froggy3132000 Member Posts: 28
OK, I was under the impression you were following the AJRE topo as well. I am trying to figure out the easiest way to mock up the frame-relay "switch" part of the lab. I guess 4300 with (4) 2port T1 PIMS would do it. Gotta find them for a good price.
-
Aldur Member Posts: 1,460
Yup, the J4300 with 2 port T1 PIMs works great for practicing the AJRE stuff.
Kinda hard to find at a good price for what you need to do but it's a pretty sweet setup once you get it all going.
-
Aldur Member Posts: 1,460
NikeBoy wrote: »Dear Aldur,
this link with topology is not existing for me:
can you check it please, or re-share it?
Thanks in advance!
---
Yev.
I'm not sure what somebody found offensive about the topology but I re-uploaded it, changed all the router names, AS numbers and such just in case somebody thought I was getting too close to the topology used in the JUNOS Enterprise Routing book.
But as another note if anybody thinks that this is inappropriate please just let me know instead of flagging the Google doc and I will try to make amends.
-
hoogen82 Member Posts: 272
I am thinking about what I uploaded... It is a topology from the Harry Reynolds book.. Only that the questions are different.
-
Aldur Member Posts: 1,460
hoogen82 wrote: »I am thinking about what I uploaded... It is a topology from the Harry Reynolds book.. Only that the questions are different.
I don't think it's a big deal, I mean one topology, it's not like you're giving out the book in whole.
I added considerably to the topology so I didn't think it would be a problem either, but I'm assuming that somebody thought it was.
The thing I found surprising is that Google says that they'll only take something offline if it is flagged AND they deem it inappropriate. But when I went to mine I saw that it was just flagged and Google had yet to review it... so it looks like any random person can flag it and it goes offline... Might have to share it on an invite only basis... hopefully not.
-
hoogen82 Member Posts: 272
Hmm.. yeah.. I guess invite only basis might be an option... But that might become real complicated to use.. Maybe the Techexams guys should allow us to upload sometimes..
-
P.Sandwijk Member Posts: 2
I have a question about the following information from Alden.
Frame relay switch? Didn't use anything in this particular setup. Although I have setup my J4300 loaded with T1 PIMs as a FR switch. But I didn't include that in this setup because it seemed unnecessary.
How do you set up a J-series to become a frame-relay switch, we now use Cisco as FR switch.
Can anyone give a configuration snapshot of FR switch with Juniper J-series.
Greetz,
Patrick
-
hoogen82 Member Posts: 272
For example say there are three routers.. R3, R4, R5 all connected to the frame relay switch you are looking at a config similar to this.. I did this for OSPF multipoint exercise in the JNCIP book... R3 is the hub and R4 and R5 are spoke
R3
interfaces {
    t1-1/0/1 {
        encapsulation frame-relay;
        unit 0 {
            multipoint;
            family inet {
                address 10.1.0.3/24 {
                    /* hub side: one DLCI per spoke */
                    multipoint-destination 10.1.0.4 dlci 800;
                    multipoint-destination 10.1.0.5 dlci 1000;
                }
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface t1-1/0/1.0 {
                neighbor 10.1.0.4;
                neighbor 10.1.0.5;
            }
        }
    }
}
lab@R3> show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
t1-1/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 2
Type: P2MP, Address: 10.1.0.3, Mask: 255.255.255.0, MTU: 1500, Cost: 65
Adj count: 2
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
lab@R3>
R4
interfaces {
    t1-1/0/1 {
        encapsulation frame-relay;
        unit 0 {
            /* spoke side: single point-to-point DLCI toward the hub */
            point-to-point;
            dlci 750;
            family inet {
                address 10.1.0.4/24;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface t1-1/0/1.0;
        }
    }
}
[edit]
lab@R4#
lab@R4# run show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
t1-1/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 1500, Cost: 65
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
t1-1/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
Type: P2P, Address: 10.1.0.4, Mask: 255.255.255.0, MTU: 1500, Cost: 65
Adj count: 0, , Passive
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
R5
interfaces {
    t1-1/0/1 {
        encapsulation frame-relay;
        unit 0 {
            /* spoke side: single point-to-point DLCI toward the hub */
            point-to-point;
            dlci 750;
            family inet {
                address 10.1.0.5/24;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface t1-1/0/1.0;
        }
    }
}
lab@R5>
lab@R5> show ospf interface detail
Interface State Area DR ID BDR ID Nbrs
t1-1/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
Type: P2P, Address: 0.0.0.0, Mask: 0.0.0.0, MTU: 1500, Cost: 65
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
t1-1/0/1.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
Type: P2P, Address: 10.1.0.5, Mask: 255.255.255.0, MTU: 1500, Cost: 65
Adj count: 0, , Passive
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
lab@R5>
Frame relay Switch configuration
interfaces {
    /* R3 (hub) side, per the connection names below */
    t1-1/0/0 {
        dce;
        encapsulation frame-relay-ccc;
        unit 400 {
            encapsulation frame-relay-ccc;
            point-to-point;
            dlci 800;
        }
        unit 500 {
            encapsulation frame-relay-ccc;
            point-to-point;
            dlci 1000;
        }
    }
    /* R5 side, per the connection names below */
    t1-1/0/1 {
        dce;
        encapsulation frame-relay-ccc;
        unit 100 {
            encapsulation frame-relay-ccc;
            point-to-point;
            dlci 750;
        }
    }
    /* R4 side, per the connection names below */
    t1-2/0/0 {
        dce;
        encapsulation frame-relay-ccc;
        unit 100 {
            encapsulation frame-relay-ccc;
            point-to-point;
            dlci 750;
        }
    }
}
protocols {
    mpls {
        interface all;
    }
    connections {
        /* each interface-switch joins two FR-CCC logical units */
        interface-switch R3-to-R4 {
            interface t1-1/0/0.400;
            interface t1-2/0/0.100;
        }
        interface-switch R3-to-R5 {
            interface t1-1/0/0.500;
            interface t1-1/0/1.100;
        }
    }
}
[edit]
root@Frame_Relay_Switch#
root@Frame_Relay_Switch>
root@Frame_Relay_Switch> show connections interface-switch
CCC and TCC connections [Link Monitoring On]
Legend for status (St) Legend for connection types
UN -- uninitialized if-sw: interface switching
NP -- not present rmt-if: remote interface switching
WE -- wrong encapsulation lsp-sw: LSP switching
DS -- disabled tx-p2mp-sw: transmit P2MP switching
Dn -- down rx-p2mp-sw: receive P2MP switching
-> -- only outbound conn is up
<- -- only inbound conn is up Legend for circuit types
Up -- operational intf -- interface
RmtDn -- remote CCC down tlsp -- transmit LSP
Restart -- restarting rlsp -- receive LSP
Connection/Circuit Type St Time last up # Up trans
R3-to-R4 if-sw Up Sep 9 05:54:43 1
t1-1/0/0.400 intf Up
t1-2/0/0.100 intf Up
R3-to-R5 if-sw Up Sep 9 06:24:00 1
t1-1/0/0.500 intf Up
t1-1/0/1.100 intf Up
R4-to-R5 if-sw Up Sep 9 06:24:00 1
t1-1/0/1.400 intf Up
t1-2/0/0.500 intf Up
root@Frame_Relay_Switch>
root@Frame_Relay_Switch> show interfaces t1-1/0/1
Physical interface: t1-1/0/1, Enabled, Physical link is Up
Interface index: 142, SNMP ifIndex: 38
Link-level type: Frame-Relay-CCC, MTU: 1504, Clocking: Internal, Speed: T1,
Loopback: None, FCS: 16, Framing: ESF
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
Link flags : No-Keepalives DCE
ANSI LMI settings: n392dce 3, n393dce 4, t392dce 15 seconds
LMI: Input: 162 (00:00:06 ago), Output: 167 (00:00:06 ago)
DTE statistics:
Enquiries sent : 0
Full enquiries sent : 0
Enquiry responses received : 0
Full enquiry responses received : 0
DCE statistics:
Enquiries received : 135
Full enquiries received : 27
Enquiry responses sent : 140
Full enquiry responses sent : 27
Common statistics:
Unknown messages received : 0
Asynchronous updates received : 0
Out-of-sequence packets received : 0
Keepalive responses timedout : 1
CoS queues : 8 supported, 8 maximum usable queues
Last flapped : 2009-09-08 20:27:56 UTC (09:57:00 ago)
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
DS1 alarms : None
DS1 defects : None
Logical interface t1-1/0/1.100 (Index 6 (SNMP ifIndex 45)
Flags: Point-To-Point SNMP-Traps Encapsulation: FR-CCC
Input packets : 331
Output packets: 223
Protocol ccc, MTU: 1504
Flags: None
DLCI 750
Flags: Active
Total down time: 00:16:18 sec, Last down: 00:42:32 ago
Input packets : 331
Output packets: 223
Logical interface t1-1/0/1.400 (Index 70) (SNMP ifIndex 53)
Flags: Point-To-Point SNMP-Traps Encapsulation: FR-CCC
Input packets : 0
Output packets: 0
Protocol ccc, MTU: 1504
Flags: None
DLCI 1000
Flags: Active
Total down time: 0 sec, Last down: Never
Input packets : 0
Output packets: 0
DLCI statistics:
Active DLCI :2 Inactive DLCI :0
root@Frame_Relay_Switch>
All above done on a J-Series... But you could always do b2b connection on Jseries t1 interfaces...
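Added example (not part of hoogen82's post and not a Juniper tool): a short Python check that parses a switch configuration like the one above, confirms that every interface-switch connection references two defined frame-relay-ccc units, and lists the port/DLCI pairs each connection joins. The function names are hypothetical, and the sample adds an R4-to-R5 connection whose units are not defined in the posted configuration, so the check has something to report.

```python
import re
# Constructed sample: interfaces and connections from the switch config posted
# above, compacted, plus an R4-to-R5 connection whose units are not defined.
SWITCH_CONFIG = """
interfaces {
    t1-1/0/0 { dce; encapsulation frame-relay-ccc;
        unit 400 { encapsulation frame-relay-ccc; point-to-point; dlci 800; }
        unit 500 { encapsulation frame-relay-ccc; point-to-point; dlci 1000; } }
    t1-1/0/1 { dce; encapsulation frame-relay-ccc;
        unit 100 { encapsulation frame-relay-ccc; point-to-point; dlci 750; } }
    t1-2/0/0 { dce; encapsulation frame-relay-ccc;
        unit 100 { encapsulation frame-relay-ccc; point-to-point; dlci 750; } }
}
protocols {
    connections {
        interface-switch R3-to-R4 { interface t1-1/0/0.400; interface t1-2/0/0.100; }
        interface-switch R3-to-R5 { interface t1-1/0/0.500; interface t1-1/0/1.100; }
        interface-switch R4-to-R5 { interface t1-1/0/1.400; interface t1-2/0/0.500; }
    }
}
"""

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts (leaf statement -> None)."""
    stack = [{}]
    for stmt, delim in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())          # normalise whitespace
        if delim == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif delim == ";":
            if stmt:
                stack[-1][stmt] = None
        elif len(stack) == 1:
            raise ValueError("unbalanced '}' in config")
        else:
            stack.pop()
    return stack[0]

def audit_cross_connects(cfg):
    """Return (table, problems); table maps connection -> [(port, dlci), ...]."""
    ifaces = cfg.get("interfaces") or {}
    conns = (cfg.get("protocols") or {}).get("connections") or {}
    switches = {k.split()[1]: v or {} for k, v in conns.items()
                if k.startswith("interface-switch ")}
    table, problems = {}, []
    for name, body in switches.items():
        ends = []
        for stmt in (s for s in body if s.startswith("interface ")):
            port, _, unit = stmt.split()[1].partition(".")
            ucfg = (ifaces.get(port) or {}).get("unit " + unit)
            if ucfg is None:
                problems.append(f"{name}: {port}.{unit} is not defined")
                continue
            if "encapsulation frame-relay-ccc" not in ucfg:
                problems.append(f"{name}: {port}.{unit} is not frame-relay-ccc")
            dlci = next((int(s.split()[1]) for s in ucfg if s.startswith("dlci ")), None)
            if dlci is None:
                problems.append(f"{name}: {port}.{unit} has no dlci")
            ends.append((port, dlci))
        if len(ends) != 2:
            problems.append(f"{name}: needs 2 defined endpoints, found {len(ends)}")
        table[name] = ends
    return table, problems

if __name__ == "__main__":
    table, problems = audit_cross_connects(parse_junos(SWITCH_CONFIG))
    print(table)
    print(problems)
```

The resulting table makes the DLCI rewrite visible: the hub's DLCI 800 and 1000 on t1-1/0/0 each land on DLCI 750 at the spoke-facing port.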