Dr Ahriakin's Singalong JNCIE-Sec Blog


Comments

  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    A couple of hours on UTM as planned and then done. I'm off to CA in the morning.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Aldur Juniper Moderator Member Posts: 1,460
    Best of luck man, let us know how it goes.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • zoidberg Member Posts: 365
    Wooo! From following your blog you should be well prepared for what awaits you.

    Watch for sneaky wording when it comes to configuring policies, and don't forget to make sure they all fall in the right order.

    Have fun and kick butt! :)
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Thanks guys. Worst-case scenario it's recon; that's how I approached the CCIE. While I feel better prepared for this, there's no way to know until I see the real thing ((tm) Captain Obvious :) ).
    I'm settled in for the night at the Staybridge Suites (seems a good choice so far: nice rooms and a shuttle to the exam in the morning) just down the road from the Juniper campus. On a side note, does anyone know if there's an obvious marker on the exam building (letters or something similar)? No biggie, but it would save some time in the morning.
    I'm trying to resist the urge to open the books, so I've just settled on the couch with the idiot box on.
  • Aldur Juniper Moderator Member Posts: 1,460
    Dang, I can't think of any obvious markers; it's been a while since I've been to the SV campus. I would say to just walk into the main building (man, I can't even think of the building letter, A3 maybe?) and tell the receptionist that you're there to take an exam. And don't worry if you're a little late; the proctor won't start the clock ticking until you're in your seat and ready to go.

    And resist that urge to study, just veg out and let your brain relax. The most important thing now is to get a good night's sleep, and studying the night before an exam can cause problems with that.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Done. I'll do a better write-up later, as I'm waiting on some food at the mo and on my phone; excuse the typos. It was tough, but I finished the first draft about 2.5 hrs early, so I had good time to check over it. 2 big tasks were fubar; that's the only reason I'm skeptical about passing. It figures that the only thing I needed the docs for wasn't in there. Ah well, the carbs are here...... More later
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Home sweet home and I'm completely shattered. It wasn't a long trip, and it's not as if I didn't sleep last night or anything like that....I think it's just the months of work and the stress of yesterday finally hitting without the adrenaline of rushing towards a lab any more.

    Obviously I can't discuss lab specifics, but as I mentioned above there were 2 tasks I know were not successful by the time I was finished. I finished my first run through about 2 and a half hours before the deadline, knowing those 2 and a few others needed revisiting. I took about an hour or so checking over everything and covering the other areas that needed revision, but could not fix those 2 no matter what I tried with the time remaining. TBH even now I don't know why they didn't work; I'd labbed up very similar tasks for both within the last week and had checked the specifics for one in particular just the day before. They are both areas I've seen be 'flaky' in my own lab and rack rental before, and they were behaving oddly in the exam also. It's hard to describe without giving away detail, but one would mostly work, then die after I made some more changes elsewhere, then come back up piece by piece as I reset it multiple times until it was back to 90%. It was like repeatedly flicking a switch until the light would stay on. Unfortunately those 2 were worth quite a few points and could impact later stages. I jimmied one of them to work more directly, deactivating the config I was sure (and still am now, after checking the docs) should have worked, so even if it was gremlins I deliberately sacrificed those points to reduce the impact on other tasks.
    If it wasn't for those 2 I would be cautiously optimistic of a pass, but as it is I have to presume it's a fail.

    As for the logistics side of things (remember this may change over time):

    As was recommended, definitely bring your own keyboard and mouse; the lab is conducted on some fairly worn laptops using SecureCRT (so it won't hurt to learn the basics of that terminal app if you haven't used it before; personally I prefer mRemote and PuTTY and find SecureCRT clunky).

    Pens and highlighters were provided, all fresh and working perfectly (something Cisco didn't manage :) ).

    The exam was in building 3; the confirmation letter does not state this, but the street address given is accurate for the building, and thankfully my hotel-shuttle driver knew the layout well enough to drop me off at the front door. That said, the poor girl on the reception desk had no idea what I was talking about and had to call multiple people before they realised that there is a thing called a JNCIE and that yes, it was going on a few rooms down.

    Lunch is actually open; you're simply told to be back 1hr after the pause is called. If you've ever done the CCIE then you'll find this openness quite different (there you are basically chaperoned for the entire day, including lunch). On one hand the trust was nice, but on the other I could quite easily have started calling friends for tips or simply reading my security book or web articles on my phone during the break...and no, I didn't. If I get this it will be for the knowledge (which I think I have already gained) and my personal achievement; it will likely not make a massive difference to my career at this stage, so cheating would render the efforts until now worthless...I won't lie, I was tempted though... There is a canteen onsite, as the guys mentioned above, and it's very good.

    The proctor was extremely helpful and approachable. Again comparing it to my CCIE experiences: our first proctor there was a jerk imho, sarcastic and of very little help; the 2nd was much better but still a little aloof. For the JNCIE, Dave was great; there was a definite sense that he was there to help you and not just look over your shoulder.

    The exam itself? Not much I can say except it was tough. Not quite as tricky as the Cisco side, but also a little more real-world because of it (or vice versa). But there is a LOT to do, and so much interdependency between tasks: a simple NAT task later in the exam might have you changing configuration on 3 other devices to match, and it can get very hard to keep track of. So once more comparing to the CCIE, the hoops to jump through were not as convoluted, but there were more of them and they were tied together more intricately....yes, I know I am killing that metaphor.
    When I was talking to the other candidates pre-exam we of course asked which track each was doing. When I said security, one of the guys just said 'Oh...the hard one'. He'd been told it now has an 8% pass rate on the first attempt....nice, that filled me with confidence. I was the only guy doing security that day.

    Documentation was provided as PDFs from a folder on the desktop. Exactly what you'd expect to see for this exam, you likely have a copy of the very same PDFs in your own reference folders.

    There was no scratch paper but we had 2 copies of the lab diagram to work on so sketching it out is not a problem.

    Last but not least, I hope Dave stays true to his word and gets some WD40 for some of the desk hinges. On 2 of them (mine included) the slightest movement had them squeaking like crazy. At one point, as we were typing feverishly, it got so ridiculous everyone was trying to stifle laughter and failing.
  • zoidberg Member Posts: 365
    Hoping for the best for you, and that you find out soon! I remember waiting nearly 2 months, each day my confidence level dropping lower and lower, and then just plummeting into an abyss. All my previous exams gave me results immediately after, and once the next day. But those were the old exams and the grading was heavily scripted at that point. Plus I was usually the only guy testing, so Dave could jump on it immediately after, and he always seemed just as excited as me to see how I did :) I gotta agree with you, Dave is awesome! Especially for the first time I took a lab exam, the good ole JNCIP-M. He helped put me at ease and was very helpful. He kept me coming back to Sunnyvale for more and more :) Not knocking Reston; Stefan was great too of course when I went for my JNCIE-SEC, but I believe he moved on to something else and I'm not sure who's there now.
  • zoidberg Member Posts: 365
    Sorry to hear you were missing something in the docs. Not sure what feature you were missing, but I tried to nudge/suggest somewhere along this blog to check for the L2 configuration guide, as for some reason it is separate from the security configuration guide. There may be some other separate guides too, routing and whatnot, but those are usually more common and likely not overlooked. If you know which ones you're missing, I'm sure the proctor would be happy to help you get them. Unfortunately, the problem is often that you don't know you're missing it and you just get frustrated with the guides they did provide :S At least that's something I ran into in my lab, sigh.
  • down77 Member Posts: 1,009
    Keeping my fingers crossed that you get a passing result. A close friend of mine passed his JNCIE-SEC recently and mentioned how painful the experience was.
    CCIE Sec: Starting Nov 11
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Thanks for the well-wishes guys.

    2 months? Holy crap, Zoidberg, I'd have gone nuts. Dave said it should be a max. of 2 weeks, hopefully less. On one hand, if I did fail I'd like to know early so I can get moving again, but on the other a break won't hurt; you know yourself, though, it's hard to just pull the brakes. By the way, how are we notified, by email or the JNCIP portal?
  • Aldur Juniper Moderator Member Posts: 1,460
    Great write-up on the event, and even though you might have fubared two tasks, I'm hoping that you did pass :)

    Dave is a great proctor, and I'm glad you had a similar experience with him that the rest of us did. :) I had Ryan Israel proctor my JNCIE-SEC exam; he did a great job of proctoring too. Both he and Dave, like the rest of the proctors, are great at helping and were more than willing to answer the 1000+ questions I threw at them.

    Man, two months of waiting would have killed me too. I believe that I found out officially about my pass through email in about two weeks after I took the exam. I think the JNCIP portal updated around the same time that I got the official word.

    If I remember correctly, the cert team was in the process of hiring more proctors, due to tons more people taking exams, when Zoidberg took his exam, which delayed his results significantly. So that's something you shouldn't have to worry about now. :)
  • zoidberg Member Posts: 365
    Some people I know that have taken it have seen much quicker turnaround lately. You'll get an email telling you either congratulations, or sorry but here are the topics you should work on. I don't believe they provide a final grade. Sometime after, you will get an email from the JNCP portal showing updated certifications and your JNCIE #. That email seems to be coming pretty quick afterwards as well; could be the same day or a few days later. Because all JNCIE numbers are handed out in the order they were achieved, it may have the unfortunate drawback of sometimes holding up your certification and number until they are able to fully process the guy that passed in front of you. In the past, this caused delays for one reason or another. So I would do my JNCIE-M, be told I passed right after I finished the exam, but then didn't have any actual proof of the pass until a month and a half later. Now that was stressful too. Start doubting yourself thinking, did that really happen? Did they look at it again and change the grade? Was that guy just messing with me? The constant questions of "so what's your JNCIE number?" got rough, and I was getting worried my coworkers were starting to think I made up the whole thing :P Lol.
  • zoidberg Member Posts: 365
    Aldur wrote: »
    due to tons more people taking exams

    In the past, when I did exams, I was usually the only one there. I think once there was another person? Last time there were 6 or 8 of us in that room.

    I got an email this week from someone that got a JNCIE-SP # just under 2000. I was surprised to find out there are that many already. Really seems to be picking up the pace. I'm not sure where the JNCIE-SECs are at yet, still very low obviously.

    Also surprised to see someone with CCIE # >38,000. Last time I was looking at chasing after that it was still in the low 20,000s, and it doesn't feel like it's been that long ago. I need to start my CCIE studying again :)
  • Aldur Juniper Moderator Member Posts: 1,460
    Yeah, I remember those days too. When I took my JNCIP-M, JNCIE-M, and JNCIE-ER, it was just me and another guy. When I took the JNCIE-SEC, I think there were 4 or 5 other people taking lab exams at the same time. The lab certs have really picked up the pace, which is fantastic news for Ed Services. :)

    Ha, yeah, I remember it taking forever in the JNCIE-M and JNCIE-ER days to get your cert number. I would keep rechecking the "Congratulations" email just to make sure I didn't read it wrong. I think it took two+ months back then. The good news is that it is pretty quick now. I think I found out my number around, or on, the same day that I received the official "Congratulations" email. So things have improved tons in that regard.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    2 weeks to the day and still not a word.
  • buzzkil Member Posts: 13
    I've been lurking your thread for a while since I'm going to be studying for the JNCIE-SEC very soon. I oddly enough was taking the JNCIE-ENT in Sunnyvale the day after you were taking your exam. I experienced the same thing with the front desk person not knowing what was going on. I was placed at the table in the very last row, which was the squeakiest of them all... extremely annoying and quite distracting. Otherwise, the experience wasn't too bad. I met some of the other exam takers and they all worked for Juniper. The few I talked to took their exam in Sunnyvale specifically because Dave is the proctor.

    I have yet to receive my results either. The wait is terrible.

    Good luck!
  • Aldur Juniper Moderator Member Posts: 1,460
    Man, that does suck to still be waiting. I would say give it another week; if you don't hear anything, hit up the cert team to see if you can get a status update.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    I emailed Dave yesterday (forgot I had his card), he said they are hoping to have the results by the end of this week. Sooo, likely back to the grind, presuming I didn't pass at this stage. I reckon I'll book it for as close to a month out as possible if so.
  • zoidberg Member Posts: 365
    buzzkil wrote: »
    The few I talked to took their exam in Sunnyvale specifically because Dave is the proctor.

    That is cool to hear that he has earned himself that reputation and following. Well deserved; SV is my spot of choice because of him too :)
  • zoidberg Member Posts: 365
    Ahriakin wrote: »
    I reckon I'll book it for as close to a month out as possible if so.

    So should the worst happen and you need to rebook, are you looking at a month for your studying and travel arrangements? Or are you looking at a month out because of retake policies? The wait between retakes should start from when you took the exam, not when they finally give you results. And I think it might be 14 days?

    Anyhoo, hang in there and hope for the best. Waiting for results sucks.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Well, as expected, 'tis not a pass. I'm going to continue the break through this weekend and then start again next week, looking to book the next attempt in early May I guess.
  • Aldur Juniper Moderator Member Posts: 1,460
    Ahh man, that sucks to hear.

    Did they give you a breakdown of which areas you struggled with?
  • zoidberg Member Posts: 365
    Bummer. But do not despair, you are amongst very good company. That exam has defeated many very talented engineers. You'll nail it next time!
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,947
    Hey, I just failed the JNCIA-JUNOS, so I know 1/100th of how you feel. ;)

    You will nail it next time. :D
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Thanks again guys, encouragement helps :). I'm not actually that broken up about it tbh; I mean yes, I would have liked to pass it first time, but I know I have learned so much during the journey so far that it has already been worth it (paved the way for a very large project that has helped nail a promotion :) ). I will go back in roughly a month, still have to make my booking, but won't be able to work on it this week after all; I've got a lot of overnight maintenance work that is going to kill my sleeping patterns.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Working the Inetzero sessions again tonight. No point in going into a lot of detail as I've been over them multiple times. I was tempted to just run to problem areas, but I have more than enough time to do all the tasks in order over the next few weeks; I'll leave the problem areas to my own lab. One new approach I have been trying tonight is using the diff output from "show | compare" and "load patch terminal" to move common sections between chassis; it's a lot faster than any other method I've seen so far. "load merge terminal relative" is close when doing new common sections, but as you progress into the config and just want to pull out changes as you go it is MUCH faster. Coupling that with replace commands has sped up my initial common config tasks considerably. Anyway, I'm aiming to get System Setup (Interfaces, Auth, services etc.), Clustering and IPSec done tonight.
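The "show | compare" / "load patch terminal" workflow described in the post above, as an added worked example. This is not the poster's lab config or anything from the Inetzero workbook; the hostnames srx1/srx2, the name-server address and the statements being copied are constructed for illustration.

```junos
## Added example, not from the original post. srx1 is the box where the
## common config was built in the candidate; srx2 is the box to copy it to.

## 1. On srx1, diff the candidate against the committed config. The output
##    is already in patch format, so it can be pasted straight into a patch load.
[edit]
user@srx1# show | compare
[edit system]
+   name-server {
+       192.0.2.53;
+   }
[edit system services]
+   ssh;
+   netconf {
+       ssh;
+   }
[edit security policies]
+   default-policy {
+       deny-all;
+   }

## 2. On srx2, paste the diff verbatim and finish with Ctrl-D on a new line.
##    Because the hierarchy path is carried in each [edit ...] header, the cursor
##    position on srx2 does not matter (unlike "load merge terminal relative").
[edit]
user@srx2# load patch terminal
[Type ^D at a new line to end input]
[edit system]
+   name-server {
+       192.0.2.53;
+   }
[edit system services]
+   ssh;
+   netconf {
+       ssh;
+   }
[edit security policies]
+   default-policy {
+       deny-all;
+   }
^D
load complete

## 3. Fix up anything host-specific in the copied text with a pattern replace,
##    then check the result before committing on srx2.
[edit]
user@srx2# replace pattern srx1 with srx2
[edit]
user@srx2# show | compare
[edit]
user@srx2# commit check
configuration check succeeds
```

Two things to keep in mind when using this in the lab: "show | compare" diffs the candidate against the last committed config, so build the common section as one uncommitted batch on the source box (or compare against a rollback with "show | compare rollback N") if you want a clean patch. And a patch carries deletions ("-" lines) as well as additions, so read the diff before pasting it onto a box that already has related config; "show | compare" on the target before "commit" is the cheap way to catch a statement you did not mean to remove.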
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Lots of maintenance activity for the last few weeks, which means broken up sleep patterns and yours truly having all the study capabilities of a bludgeoned cheese.
    I redid some of the IPSec and Security Policy labs on Inetzero during the week and then some more work this morning on my own lab for IPSec/Multipoint and OSPF variations. Nothing spectacular, just playing with different variations and perfecting using the 'load patch terminal' option to migrate config between boxes, so much easier than anything else I've used before. I might do some additional NAT work this afternoon. TBH it's hard to concentrate on any one task; I really just want to take another stab at the lab and get it done, but that didn't exactly turn out too well last time, soooo patience, grasshopper.
    Now off to have a read of the AJSEC book again.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    UTM and NAT (Source/Dest/Static) last night. On the workbook it stipulates blocking non-translated traffic for destination-nat and some of the static-nat statements. Now the destination-nat I understand and the config is easy (just append 'destination-address drop-untranslated' to the permit statement), but I didn't think you could/should use it with statics since they are bidirectional. Probably just errata in the workbook, but I think I'll test it out tonight on my own equipment just to be sure.
    Re-reading the attack mitigation and NAT sections today in the O'Reilly book.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    Well whaddya know... 'destination-address drop-(un)translated' does affect static-nat. I had always assumed that a static-nat would automatically lock it down to xlated only, since the replies would also have to be xlated; also, all the documentation I've seen only explicitly references destination-nat (as a config, not simply the implication that it is one side of a static-nat function).

    With a static NAT in place and security policies referencing the real IP allowing ICMP in both directions:
    • You can ping both the NAT and real IP
    • If you set it to drop-translated (just for s&gs) you can only ping the real IP from the UNTRUST side, but you can still ping from the TRUST host to the UNTRUST host, which makes sense since stateful replies pre-empt the nat-rule check.
    • If you set it to drop-untranslated you can just ping the NAT IP, as expected; again, you can ping from the TRUST host out.
    • Traffic dropped by this option does not seem to appear in any log message.