Hey everybody!
Here's my long overdue labs and topology that I created and used to study for the JNCIE-ER. Enjoy and let me know if you have any questions.
JNCIE-ER pretest Topo V2
JNCIE-ER pretest
Services - extra labs
CoS - extra labs
Last edited by Aldur; 03-03-2010 at 04:40 PM.
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender
I was chatting with seraphus about getting equipment together for the JNCIE-ER and so I thought I would post my thoughts here to help with any who wanted to get the needed equipment together.
The best/cheapest equipment to get for the JNCIE-ER is a few J2300 routers and some hardware olives. You'll need the J2300 routers to run any services (stateful FW, IPsec, GRE, MLPPP, NAT), and routers that are not part of your "internal" network can be the hardware olives. Keep in mind that the routers that run your services will more than likely be deployed at the edges of your network, so any internal/non-edge routers really can be olives. So in reality, if you bought 3 or 4 J's and had some hardware olives, you could place your J's on the edge and use hardware olives split up into logical routers to work as your other routers.
If you look at the topology that I used to study for the JNCIE-ER there appears to be an unreal amount of routers. In all actuality I only have 8 J series routers and 2 hardware olives. The hardware olives are cut up into logical routers and placed throughout the testbed. Then the J routers make up the internal network and plus one router on the outside of the network, so I can run an IPsec tunnel to the "remote office" on this router.
Something else to keep in mind is that the J2300 routers only have 2 FastEthernet ports and 2 T1 ports. The T1 ports are great for practicing MLPPP and MLFR, but there appears to be a lack of FE ports to do any real routing. To overcome this I plugged all my FE cables into an old Cisco switch, a 2950XL, and then split up one FE port on each router into different VLANs. This allowed me to define as many "links" as I wanted, since I could configure as many logical units and VLANs as needed. This was also extremely helpful when it came to changing my topology. Doing a logical change is much easier than recabling everything.
thank you so much.
I had a couple of questions:
1) How many routers would there be in the actual testbed?
2) If one is familiar with configuring everything according to your setup, should they just go and sit for the exam?
3) What are some of the areas I should be very strong at?
4) Can I set this up using 1-2 M10i's and logical routers (the job I currently work at has these available in the lab)? Also, I don't have access to mcast sources/receivers (not sure how to test those).
thanks again for helping us out and guiding us.
--josh
In my testbed I had 2 hardware olives, 6 j2300's, and 2 j4300's. The following routers in my topology are the J-series routers.
Ale
Lager
PBR
Stout
Bock
Porter
Dirt
And every other router that you see in the topology are logical routers that come from the 2 olives.
Even if somebody is familiar with configuring everything according to my setup I still would recommend getting some lab time in to practice. A big part of the test is fighting against the clock. If you can't setup the routers quickly then you won't be able to finish in time to check your work.
Kinda hard to say. With me I was weak with services but strong with routing protocols. Since I finished my JNCIE-M/T before attempting the JNCIE-ER I only had to briefly review routing protocols, just a little before the test actually. I would recommend being strong in all areas that the test covers. I was strong in routing protocols and weak in services, so services was the main point of my focus when studying.
As long as you have an AS PIC in the M10i's then you should be fine to chop them up into logical routers. I'm not too sure of the support for services in logical routers; I wouldn't think it would be a problem, but this is something you'll want to check into. Also, with M10i's you can't have an AS PIC running in L3 mode and L2 mode at the same time. This will cause some problems if you try to configure L2 services, such as MLPPP, and L3 services such as stateful firewalls. I could also see this causing a problem with doing any IPsec over GRE implementations since GRE tunnels. But for the majority of it you should be fine. Plus you could just throw 2 AS PICs in each router.
You can fake MC sources and receivers by using the by-pass routing ping as the MC sender coupled with the SAP protocol as the receiver. There's a great section in the JUNOS Enterprise Routing book that describes this in detail. If you don't have that book I would recommend picking up a copy.
Let me know if you have any questions,
HTH
Great stuff.
Do you have cases to investigate service more?
like mix NAT and IPsec? using interface and next-hop to implement ?
The labs that I currently have can be solved by next-hop or interface style service sets. I actually highly recommend mixing both to accomplish many of the tasks, such as using an interface style SFW and NAT mixed with a next-hop style IPsec tunnel.
Also, to tell you the truth, an interface style IPsec tunnel is only useful when doing IPsec over GRE. If you're not doing IPsec over GRE then always use next hop with IPsec.
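As an added illustration of the mix described above (this is not a config from the thread or from the labs), here is the skeleton of an interface-style service set carrying stateful firewall and NAT next to a next-hop-style service set carrying the IPsec tunnel, both on one sp- interface. The rule names (ALLOW-OUT, INET, TO-REMOTE), interface names and addresses are assumptions; the rules themselves are defined elsewhere under [edit services].

```junos
interfaces {
    fe-0/0/1 {
        /* outside/WAN interface: interface-style set applied here, both directions */
        unit 0 {
            family inet {
                service {
                    input {
                        service-set SFW-NAT;
                    }
                    output {
                        service-set SFW-NAT;
                    }
                }
                address 200.1.1.1/24;
            }
        }
    }
    sp-0/0/0 {
        unit 0 {
            family inet;                 /* shared unit used by the interface-style set */
        }
        unit 1 {
            family inet;
            service-domain inside;       /* next-hop style: cleartext side */
        }
        unit 2 {
            family inet;
            service-domain outside;      /* next-hop style: encrypted side */
        }
    }
}
services {
    service-set SFW-NAT {
        stateful-firewall-rules ALLOW-OUT;   /* assumed SFW rule */
        nat-rules INET;                      /* assumed NAT rule (directions relative to fe-0/0/1) */
        interface-service {
            service-interface sp-0/0/0.0;
        }
    }
    service-set VPN {
        ipsec-vpn-rules TO-REMOTE;           /* assumed IPsec rule */
        ipsec-vpn-options {
            local-gateway 200.1.1.1;
        }
        next-hop-service {
            inside-service-interface sp-0/0/0.1;
            outside-service-interface sp-0/0/0.2;
        }
    }
}
routing-options {
    static {
        route 192.168.2.0/24 next-hop sp-0/0/0.1;   /* steer remote-office traffic into the tunnel */
    }
}
```

Note that the encrypted packets leaving sp-0/0/0.2 are routed out fe-0/0/1 and therefore still pass through SFW-NAT, so the stateful firewall rule must permit IKE (UDP 500) and ESP to the remote gateway.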
You got a solutions guide?
Aldur:
For the first requirement in those labs... wouldn't it be something like this:
set services nat rule INET term 10 then translated source-prefix 200.1.1.24/29
set services nat rule INET term 10 then translated translation-type source-dynamic
No NAPT, but since JUNOS tracks the translations by all flow information you can still essentially "overload" the pool? Basically no two people can go the same destination and port number if they happen to also choose the same source-port number...
Help me out here...
Hey Juniper's documentation on NAT is wrong in a couple of places... like this:
"However, source dynamic NAT (without NAPT) and destination static NAT allow more than one rule or service set to refer to the same pool, and allow multiple pools to have subnets that can overlap. A prefix pool can be used by multiple rules or terms."
You can never share a pool across service-sets with any kind of *source* translation... right? I have tried to do this 8 ways from Sunday... I must be missing something or the docs are wrong.
Yup that's the correct NAT for the first criteria in the services lab.
With no NAPT/PAT there's really only 6 people who can get NAT'd before the NAT pool becomes exhausted.
When you apply the source pool to two different rules do both rules try to use the first available address at the same time?
I hate to admit this but I rarely/never get to play with NAT at work, so I'm a little rusty with all its caveats.
Can you share the final configs? I have 15 J2300's and I'm trying to set everything up before my test in December.
Sorry hermatize, but I didn't think about grabbing the configs for the end of the whole lab. And the lab has been torn down to be used for other purposes.
But seriously if you have any questions about how a lab should be configured please let me know and I'll be able to spout off any necessary configs.
Hi, Aldur
I have a question regarding CoS on the sp interface. In the AJRE student guide's "life of a packet" example, the scheduler-map is applied to sp-0/0/0 no matter whether it is an interface- or next-hop-style service set, and the rewrite rule is applied to the GRE and outside interfaces.
But in the AJRE detailed lab guide, in CoS chapter part 5, the rewrite rule is applied to the sp-0/0/0.2 interface.
Are all of them good?
Hi everybody!
I am preparing for the above quoted lab, would you please guide me regarding it. There is no one in Pakistan conducting its boot camp.
Please help me.
Last edited by Qamar Abbas; 11-30-2009 at 04:18 PM.
This is confusing for a lot of people, and the key is to just look at what interface the packet is entering and leaving. Just because the service interface unit is 'inside' doesn't mean that the packet will always be entering on the inside interface; it very well could be entering on the outside interface.
Sooo... always classify on the interface on which packets come in and rewrite on the interface that the packets leave. A lot of times this will mean that you will be classifying and rewriting on both the inside and outside interface at the same time.
Sure thing, we'd all be glad to help. What are your specific questions?
What did you use for the frame-relay switch?
OK, I was under the impression you were following the AJRE topo as well. I am trying to figure out the easiest way to mock up the frame-relay "switch" part of the lab. I guess a J4300 with (4) 2-port T1 PIMs would do it. Gotta find them for a good price.
Yup, the J4300 with 2 port T1 PIMs works great for practicing the AJRE stuff.
Kinda hard to find at a good price for what you need to do but it's a pretty sweet setup once you get it all going.