Archive for September, 2010

Shout out: Junos Firewall Filters by Robert Juric

In my previous blog post about Juniper Training, I discussed how Juniper Firewall Filters were quite interesting and new to me because I have been using SRX since I started with Juniper equipment 12 months ago.

Robert Juric (@robertjuric) has written two really good blog posts about this topic that provide a really good overview of it. Robert is currently studying for his JNCIA-EX exam and has written several articles about Junos configuration.

If you are new to Juniper and Junos, then you really should check out the following two articles:


CCIE BootCamp World Tour!

Living in Australia, I have gotten used to hearing about “once in a lifetime opportunities” and expecting they will always be on the other side of the world. This is a nice way of protecting myself from the inevitable disappointment that follows… BUT NOT TODAY!

The news is out that Emmanuel Conde from CCIE Flyer has brought together two of the biggest names in CCIE training and taken the show on the road. Narbik Kocharians and Scott Morris have joined together to create a 12 day tag team CCIE R&S Bootcamp. Details are on his website.

Currently the proposed “Tour Dates” include Bangalore/India in January 2011, Sydney/Australia in April (Woohoo!), Milton Keynes/UK in July and Wilmington/Delaware in October.

Now I just need to put my CCIE prep into high gear to ensure I am in an optimal position by the time they come to Sydney!

Stay tuned for more information or send an email to [email protected] and he “will be happy to share more details as the planning is finalized!”


Exam Review – JNCIA-ER (JN0-342)

As a Network Janitor, I spend a lot of time mopping up other people's mess! When called in for a consulting job, it doesn't pay to be a vendor bigot. This is why we decided that staff at my company would need to get trained in the key vendors in the networking space. We identified our first 3 targets as Cisco, Juniper and HP. We then started working towards improving our partner levels with each of these vendors, and this is a process that is still underway.

The partner process opens up the requirement for X number of individuals with A, B and C qualifications – Juniper is no different. There was a requirement for at least one career certified individual (along with the obligatory sales and SE “certification”). Being no stranger to certification, I felt I should at least attempt to meet all three requirements. Passing the Sales and SE was somewhat trivial, but Juniper has provided many good resources to accomplish this in their Partner Portal.

I had registered with the Juniper Fast Track program back in 2008, but had not really attempted to complete the process – I guess I took the slower track?! Back in 2008 my Account Manager sent me on the Junos as a Second Language course as an incentive to buy more Juniper kit. They threw in a copy of “Junos Enterprise Routing” and a Juniper Sports bag!

I had started to study for the JNCIS-ER (second level) exam when I saw the announcement from Juniper that they had decided to retire the JNCIx-ER and -EX certifications and replace them with a single -ENT course. I decided to “wimp out” and instead sit the JNCIA-ER (entry level exam), as this still met the requirements for my partner status. I made this decision on Wednesday, sat the Fast Track prelim exam online, and booked the exam for 10am last Saturday.

I arrived an hour early (I live about an hour out of Sydney so I like to leave plenty of time), and after the usual pre-exam processing and ritual emptying of pockets, I made my way to my assigned seat.

What follows are my Cliff notes from the JNCIA-ER:

  • The first thing I noticed was that I was able to go back and change questions after submitting them in the exam. This really took me by surprise after so many Cisco exams. I really had to resist the urge to swap and change my answers. I did give in at the end and did a complete review of the exam.
  • My allocated question set included 60 questions in 90 minutes. All multiple choice. No Lab/Sim questions.
  • There seemed to be a lot of product specific questions – “What is the default setting for X on the M Series Platform” etc.
  • Very few of my questions were protocol or technology specific, but rather “Which command implements feature Y”.
  • There seemed to be a surprising number of questions relating to the J-Web interface. “Where would you configure Z in the J-Web Interface”. Now Juniper have spent a lot of time making J-Web be pretty and functional, but to be completely honest I had never logged into this interface in the 12 months I have played on Juniper kit (Well… until I got back from the exam at least!). I’m a Network Engineer, not a Windows Admin 😉 I do everything from the CLI.
  • If you managed to work your way through the Fast Track material, and were able to get some hands-on time with the Junos platform, you should not have a problem passing this exam. (Let's just say I had more than two-thirds of my allotted time left over when I left the room, much to the annoyance of the other candidates who started at the same time I did).

In the end I passed this exam, and am actually looking forward to reading what the curriculum is for the JNCIS-ENT certification, and would like to make a start on that soon after it is announced. Part of my certification road map has the JNCIE-ER (-ENT?) as a probability within the next 18-24 months, so I plan to put a lot more effort into the Juniper product portfolio.


Reflections on Juniper Training

If you follow my @networkjanitor twitter feed then you may know that I spent 3 days last week in training provided by Juniper and the local distributor Avnet.

In the old tradition of “free training for channel partners”, I signed up for “Junos Routing Essentials (JRE)” and “Junos for Security Platforms”. There was an “Introduction to Junos Software” course on the Monday that I sent one of my engineers along to, but I didn't attend personally. I have included below my review of the two courses.

Junos Routing Essentials (JRE)

This course was a one day course aimed at engineers who may or may not already understand the theory behind various routing protocols and processes.

There was a brief overview of how a routing table works and how the forwarding table is produced from this, which felt a little redundant at first, but led into further discussion about the various routing tables used within Junos and their functions. There were a few things I had not picked up working on Juniper kit that were handy here.

Quite a bit of this course was devoted to routing policy and how to import and export using Junos routing policies. This makes sense, as once you understand the routing policy structures within Junos you open the doorway to some of the true power of the design inherent in Junos. There are quite a lot of match options available to routing policies that make life much easier (especially if you come from a Cisco background). I am working on a separate blog post to discuss this topic further, as I feel there is a lot to point out.

The section on (stateless) firewall filters was interesting for me because I am used to working on SRX series routers, which use zone-based / stateful firewalls. To date the extent of my firewall policies was around rules on the loopback to control access to SSH/Telnet/SNMP etc.

The Class of Service section was brief but gave an overview of how to build policies to control different CoS settings. You really would want some kind of previous exposure to QoS/CoS to supplement this module, but that really is the point of these condensed courses.

Junos For Security Platforms (SEC)

This course was a two day course focusing on the SRX series routers. Most of my Juniper experience has been on SRX240s, so I felt quite comfortable in this class. As always, I taught myself to do exactly what I needed to do to get the job done, so learning the ins and outs of how and why the platform works the way it does was insightful.

The opening module discusses the benefits and features of a converged router/firewall device and the superiority over traditional disparate devices. Mostly a lot of “my product is better”, but there is a little dive into how the hardware traffic flows through the SRX platform. The module finishes up discussing the modular design of the Junos OS and further discussion of the flow-based processing that is the foundation of the SRX platform (and shows its lineage from ScreenOS products).

The next two sections discussed the advantages of Zone based firewalling and how to build security policies to implement your goal. Discussion of the scheduling feature of policies to enforce time of day or day of week style firewall rules was an interesting design I had never really looked at, but has obvious uses within an enterprise type environment.

Firewall authentication, which is the ability to auth against the firewall to open up a particular set of firewall policies, was interesting, and I have seen similar things when I used to use OpenBSD as a firewall, but I felt the uses were fairly restrictive and somewhat limited. If I really wanted something like this, the SRX is perfectly suited to operate as a VPN device and provide even greater functionality to boot.

Given the lineage from ScreenOS, the SRX platform has inherited a series of SCREEN features to filter broad-stroke denial of service attempts as well as handling suspicious traffic. We discussed when to use SCREEN versus some of the optional IDP features or using firewall policies.

NAT on the SRX platform is somewhat different from both traditional Junos as well as from ScreenOS. The usual list of features is supported: Static 1:1 NAT, Destination NAT (port forwards etc), and Source-based NAT (both with and without PAT). Two interesting gotchas with the NAT implementation:

a) Security Policy is applied after NAT translations, so say you have a static 1:1 NAT arrangement, you would actually apply your zone based rules on the outside interface, but reference the internal address in the destination as opposed to the IP address used by the remote host. This makes sense after a while, but took some time to get my head around.

b) Like other firewalls, the SRX will happily snatch and translate any traffic routed through it according to any NAT rules that are configured. If on the other hand you have say a large subnet on the “untrust” side of the firewall, and you try to make some NAT rules using some of those additional addresses, you will need to tell the router to Proxy ARP those addresses. I had been caught out on this one on a previous job, and felt a little foolish when they brought it up on the course. I won't be forgetting this one.
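To put both gotchas in one place, here is an added Junos configuration fragment (my own illustration, not material from the course or the original post) using constructed addresses: the untrust interface sits on 203.0.113.1/24, the public address 203.0.113.10 is mapped 1:1 to an internal web server on 10.0.0.10, and the zone and interface names are assumed. A policy that matched 203.0.113.10 as the destination would never see a hit, because the session has already been translated by the time the policy is evaluated.

```junos
security {
    zones {
        security-zone untrust {
            /* ge-0/0/0.0 is addressed 203.0.113.1/24 (constructed) */
            interfaces { ge-0/0/0.0; }
        }
        security-zone trust {
            address-book {
                /* the policy below must reference this INTERNAL address */
                address web-internal 10.0.0.10/32;
            }
            interfaces { ge-0/0/1.0; }
        }
    }
    nat {
        static {
            rule-set from-untrust {
                from zone untrust;
                rule web {
                    match { destination-address 203.0.113.10/32; }
                    then { static-nat { prefix { 10.0.0.10/32; } } }
                }
            }
        }
        /* gotcha (b): 203.0.113.10 is not the interface address, so the SRX
           must answer ARP for it or the upstream router never hands over the
           traffic and the NAT rule is never consulted */
        proxy-arp {
            interface ge-0/0/0.0 {
                address { 203.0.113.10/32; }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* gotcha (a): policy runs after NAT, so match 10.0.0.10 via the
               address-book entry, not the 203.0.113.10 the remote host sent to */
            policy allow-web {
                match {
                    source-address any;
                    destination-address web-internal;
                    application junos-http;
                }
                then { permit; }
            }
        }
    }
}
```

A quick check after committing is `show security flow session` while a client connects: the session should show the post-NAT destination 10.0.0.10 and the policy name allow-web, and `show security nat static rule all` should show the translation hit counter increasing.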

As one would expect from a modern firewall product, the SRX supports IPSec VPNs, which were covered quite well in the course. There are two types of IPSec VPNs – policy based and route based. Essentially policy based uses security policies to determine which traffic gets handled by IPSec. Anyone familiar with Cisco IPSec implementations should understand this concept. The other option is route based which configures a new interface on the router (st0.x) that is used as the tunnel between two VPN gateways. You can assign IP addresses to these interfaces and route traffic across it (Or use a dynamic routing protocol) just like any other interface type. It feels somewhat like a GRE tunnel in IOS, but with the added benefit of IPSec encryption and integrity checks.
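As an added example of the route-based flavour described above (my own illustration, not from the course or the post), the fragment below binds a VPN to st0.0, addresses that interface, and reaches the remote LAN with an ordinary static route instead of a policy match. Peer address 198.51.100.1, the 10.20.0.0/16 branch LAN, the zone names and the pre-shared key placeholder are all constructed, and the algorithm names assume a Junos release that supports SHA-256 and DH group 14.

```junos
interfaces {
    /* the tunnel interface: addressed and routed over like any other link */
    st0 {
        unit 0 { family inet { address 10.255.0.1/30; } }
    }
}
routing-options {
    /* the branch LAN is reached by routing, not by a policy selecting traffic */
    static { route 10.20.0.0/16 next-hop st0.0; }
}
security {
    ike {
        proposal ike-aes256 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            mode main;
            proposals ike-aes256;
            /* placeholder only; use a long random secret per peer */
            pre-shared-key ascii-text "REPLACE-WITH-STRONG-SECRET";
        }
        gateway branch-gw {
            ike-policy ike-pol;
            address 198.51.100.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal esp-aes256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol {
            perfect-forward-secrecy { keys group14; }
            proposals esp-aes256;
        }
        vpn to-branch {
            /* bind-interface is what makes this route-based rather than policy-based */
            bind-interface st0.0;
            ike { gateway branch-gw; ipsec-policy ipsec-pol; }
            establish-tunnels immediately;
        }
    }
    zones {
        /* st0.0 needs a zone of its own so policy still governs what crosses the tunnel */
        security-zone vpn { interfaces { st0.0; } }
    }
    policies {
        from-zone trust to-zone vpn {
            policy to-branch {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
```

Because st0.0 lives in its own zone, the trust-to-vpn policy (and a matching vpn-to-trust one for return traffic) still decides which flows may use the tunnel, which is the main operational difference from the policy-based style where the security policy itself selects the encrypted traffic.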

A very brief look at the Intrusion Detection and Prevention features of the SRX was given, but this could have been a whole course on its own, not to mention this is a licensed feature of the SRX. A lot of interesting features, but not as powerful as a dedicated IPS/IDS solution. Worth considering for a branch deployment though, which is where this feature is aimed.

The last section covered an area of the SRX that I have spent some time on – High Availability. One of the great features of the SRX platform is that you can implement an Active/Active zone based firewall solution even on the smaller branch/appliance series of devices. I have implemented a HA pair of SRX240s for a customer and have been quite happy with the result (though I suggest you lab this heavily before implementing due to instability issues on certain Junos versions).

In HA mode, you configure a set of redundancy groups and weightings for device failover triggers. There is a bit of fiddling to get some of these groups configured the way you expect them, but this is mostly due to the fact that both devices in the cluster have active data planes, and you need to know which interfaces (and on which device) traffic will ingress and egress.

HA on SRX Platforms could take another whole blog entry, which I am happy to go into if there is enough interest – so let me know if you want to hear more.

Final Thoughts?

So, after 3 days of training I walked away feeling that I had managed to learn quite a bit even though I have been working with Juniper equipment for 12 months now. The theory was aimed at engineers who already understood core concepts and routing protocol requirements, but even a junior engineer would learn a lot from these courses. There was a lot of hands-on lab exposure to teach you the ins and outs of the theory – it certainly made sure you learnt the material.

If you can get your account rep to organise the training (or have a company who will pay for it for you), then this is certainly worth spending some time on.

Hope this helps someone out there who is starting to look into Juniper as an alternative network vendor. Please let me know if you want me to follow up anything here, or would like me to show some further examples of the Juniper solutions.


CCIE Assault – Part 1

I'm currently working on my plan of attack on the CCIE R&S and I need some advice. I finally finished my CCNP in June after years of putting it off (I first got my CCNA in 2001!), and now I am trying to determine the best course of action moving forward.

So far my plan is this:

  1. Buy CCIE Written Certification Guide – Check!
  2. Improve my Skills in QoS, BGP and MPLS – Sit each of the CCIP exams associated with these subjects as confirmation of understanding of the base knowledge.
  3. Review each major section of the CCIE R&S Blueprint, and read books from the CCIE Recommended Reading list.
  4. Purchase the IP Expert (at this stage) self-study package and study from the video and audio material.
  5. Sit CCIE Written
  6. Continue deeper study of each topic from the Blueprint
  7. Work through practice lab exams from IP Expert and other online sources
  8. Book and Sit Lab exam
  9. Repeat #8 until I pass!

So does the above plan sound reasonable? Should I attempt the written exam earlier and spend more time focusing on the lab preparation? Are there other resources that you have found worked well for you? Should I alter some of these steps?

Let me know your thoughts.


Packet Pushers – Making my commute educational!

During my research into the new world of storage networking and all the wonders contained within, I stumbled across a really great podcast – The Packet Pushers Podcast!

I think the tagline of the series says it all for me: “Where too MUCH networking is NEVER enough”.

Now I’m a network geek and this has provided something I have been looking for – a networking specific podcast that is entertaining, informative, and not specifically vendor-biased. Sure there is a tendency to be Cisco-centric when dealing with networking, but there is a line between discussing networking at a technical depth and being a vendor bigot. This team has pulled that off quite well.

The range of guest speakers/hosts they have brought in already also adds to the quality of discussions.

With my 200km round trip commute everyday, having another great podcast series to listen to is certainly a welcome addition!

PS. Hearing an Australian accent saying “rooters” is still humorous – I'm used to it from English/European engineers.


First dive into Storage Networking

When I started this blog last week, I certainly didn’t think my first post would be on the topic of Storage Networking. My background is R&S / SP more than it is storage. I work as a consultant building ISPs in Australia (and occasionally across Asia Pacific).

Some of my customers are End User ISPs, others are Content Providers, so I often get thrown at interesting new projects (sometimes at the whim of engineers on a tech-fetish, sometimes from the buzzword bingo of Sales and Marketing).

Given the industry craze at the moment for “virtualisation” and “cloud computing”, I knew it wouldn’t be long before I had to design a solution based on the Nexus platform and that this would involve more than just Ethernet and IP.

I knew that the Nexus would allow me to just implement a tried and true solution using MST and some port channels. What I hadn’t realised was that a whole new world of networking goodness had been opened up in the Nexus platform running NX-OS. Upon researching the NX-OS platform I learned wonderful terms such as “Lossless Ethernet” and “Virtual Port Channel”, not to mention more information about storage networking than I had gained working with some VMware/virtualisation geeks on several projects.

I’m still investigating best-practices builds for the Nexus platform, but I currently have a project on hand that requires me to learn about FCoE and Virtual Port-Channel implementation.

I promise I will keep you updated with any new tricks I learn.

Resources:

http://jasonnash.wordpress.com/2009/08/10/vpc-virtual-port-channel-and-the-nexus-platform/

http://www.cisco.com/en/US/products/ps9670/prod_white_papers_list.html
