Category Archives: jncip-sec

JNCIP-SEC exam

When I was studying for jncip-sec exam, I decided to book my exam just to force myself to study more efficiently in a time constraint way. I think this is the way it should be and on Monday afternoon, I passed the exam. It was definitely a challenging exam for me. What I like about juniper exams is, there is a sample test that gives you an idea how the exam will look like in juniper.net page. I recommend to anyone to take a look at this test in addition to all studies you do.  I wish success to all and I think it is time to get started for jncie-sec slowly…

 

 

JNCIP-SEC [ 5 – Advanced IPSEC ] Part 2

This post is a continuation of the first part of Advanced IPSEC topic. This post’s topic is HUB and SPOKE topology in SRX devices. I will use the following topology for this post;

Because I have only two srx210 deviceS, I am using a linux box as the second spoke instead of an srx in my hub and spoke ipsec vpn setup. I will also attach my linux setup as a reference.

Continue reading

JNCIP-SEC [ 5 – Advanced IPSEC ] Part 1

Yes again I would like to write something about ipsec vpn. It won’t cover everything about the jncip-sec exam but I would like to compile something that I can also use in the future as a reference. As I have said in my previous posts, any constructive comment,feedback is welcomed. Lets get started.

1) Point to Point IPSEC VPN configuration and troubleshooting in SRX

The first topic I have chosen is point to point IPSEC VPN. Below is the topology I have used.

IP Allocation:
SRX1
ge-0/0/0.0 : 10.1.1.2/24
ge-0/0.1.0 : 172.16.100.1/24
GW: 10.1.1.1
SRX2
ge-0/0/0.0 : 10.2.2.2/24
ge-0/0/1.0: 172.16.200.1/24
GW: 10.2.2.1
Server1: 172.16.100.2/24
Server2: 172.16. 200.2/24

Continue reading

JNCIP-SEC [ 4 – High Availability ]

Today’s post is about high availability which is one of the topics of jncip-sec exam. This post doesn’t cover everything though as it only reflects my self studies. Let’s get started.
Test Topology

Test Platform: 2 x SRX 210 with JunOS 10.4R6.5
Before starting configuration of my srx 210s for cluster, I must remove some configuration items not to avoid some post configuration errors. In each srx do the followings;

fe-0/0/6 interface is the management (fxp0) interface and must be removed
fe-0/0/7 interface is the control interface (fxp1) and must also be removed
After this operation make sure there is no ethernet-switching left:
Continue reading

JNCIP-SEC [ 3 – Advanced NAT ]

In this post I would like to do some experiment in Advanced NAT topics according to detailed exam guide here are the details:

1) Given a scenario, describe and implement static, source, destination, and dual NAT
2) Describe and implement variations of persistent NAT
3) Given a scenario, describe the interaction between NAT and security policy
Here is my test topology: JunOS release is 10.4R6.5

Continue reading

JNCIP-SEC [ 2 – Virtualization ]

According to exam topics I will focus on routing instances, routing between instances and filter based forwarding. Lets get started;

Routing Instances

Routing instances may be considered to be virtual routers within a physical router configured like below. I have two virtual routers configured each of which inherits one interface from physical router.  In configuring these instances, be careful that these interfaces must belong to different zones since two interfaces cannot be in the same zone while they are in different routing instances.

[edit]
root@host# show routing-instances
RA {
    instance-type virtual-router;
    interface vlan.100;
}
RB {
    instance-type virtual-router;
    interface vlan.200;
}
To display routing tables on both routing instances;
[edit]
root@host# run show route table RA.inet.0
RA.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
10.1.100.0/24      *[Direct/0] 00:02:20
                    > via vlan.100
10.1.100.2/32      *[Local/0] 00:02:20
                      Local via vlan.100
[edit]
root@host# run show route table RB.inet.0
RB.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
10.1.200.0/24      *[Direct/0] 01:26:36
                    > via vlan.200
10.1.200.2/32      *[Local/0] 01:27:20
                      Local via vlan.200
[edit]
root@host# run show route table inet.0
inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
0.0.0.0/0          *[Static/5] 01:34:52
                    > to 172.30.72.1 via ge-0/0/0.0
10.1.10.0/24       *[Direct/0] 01:13:41
                    > via vlan.10
10.1.10.1/32       *[Local/0] 01:13:41
                      Local via vlan.10
10.1.20.0/24       *[Direct/0] 01:13:41
                    > via vlan.20
10.1.20.1/32       *[Local/0] 01:13:41
                      Local via vlan.20
172.30.72.0/23     *[Direct/0] 01:34:52
                    > via ge-0/0/0.0
172.30.72.244/32   *[Local/0] 01:34:52
                      Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:26:17
                    > via ge-0/0/1.0
192.168.1.1/32     *[Local/0] 00:26:17
                      Local via ge-0/0/1.0
192.168.3.0/24     *[Direct/0] 00:04:43
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 00:04:43
                      Local via ge-0/0/3.0

JNCIP-SEC [1 – Advanced Security Policy ]

I have finally decided to start my study for JNCIP-SEC exam. To be honest, exam is just a driving force. What I would like to achieve is to get knowledge because of which I am not only going to share my studies related to exam but I will try to go deeper as much as I can on every specific topic because of which I am planing to test more than an exam asks.

I am also learning and so I do appreciate visitor’s feedback and contribution. I will try to update every topic slowly as I don’t have much time to update all in big chunks.  For example until I finish this post, it will be updated from time to time. Let’s get started…

[Analyzing Traffic Flows]

Figure1

I will use the topology above throughout this post.  Just assume JUNOS1 and JUNOS2 devices are two physical devices, all routing configuration is in place and JUNOS2 has a default allow policy. (To be honest, in my setup R2 is a linux machine just to test policies, so be careful)

Continue reading