Wednesday, October 12, 2011

JNCIE #16

Hi All,

I got something nice in my post yesterday.




It's always fun to get something like this.

Tuesday, September 13, 2011

How I prepared myself for JNCIE-SEC

Hi All,

How I prepared myself for the JNCIE-SEC beta lab exam.

Intro/background:

I have been working with ScreenOS since 1999, so I know the security features and flow very well, which is a plus, because they reuse a lot of these in Junos for security.
Two or three years ago I started to play with Junos because they released a special version, Junos-ES (Enhanced Services), for the J-series routers that had some of the security features in it.
Then they came with the EX devices and SRX devices, and I worked more with Junos than ScreenOS.

From then on I wanted to know as much as I could about this OS and all its features (EX/SRX/MX/etc.).

At the beginning of my career I did Cisco, worked up to CCNP and almost started on the CCIE, but never went there because of a move from switching/routing to security.

That day I stated: “whenever there is a NetScreen CCIE-like certificate, I want to get it.”

And this certificate is there now (not on ScreenOS, but on Junos): JNCIE-SEC.

What I want to say with the above information is that you first need extensive practical experience before starting the JNCIE-SEC journey.

Preparation:

To prepare myself for the lab I first did all the other written exams (JNCIS-SEC/JNCIP-SEC). The first was no problem, but the JNCIP-SEC wasn’t that easy: I didn’t pass my first attempt (I didn’t study for it because I was pretty sure I would pass based on my hands-on experience, which wasn’t the case).

There was a topic that I had never heard of… Group VPN!
The second time I ordered the two Juniper courses to prepare myself. After reading them I did it again and passed. (Courses: Advanced Junos Security (AJSEC), Junos Intrusion Prevention System Functionality (JIPS).)

So this exam was good for seeing which topics I had never done in real life and needed to do in a lab environment.

Lab setup:

Then I built a lab setup where I could test most of the topics that were listed in the lab topics:

• Complex policy implementations, including anti-virus scanning, and URL filtering
• IPS, IPSec VPNs, including PKI, hub-and-spoke, transparent mode, dynamic, and overlapping address designs
• HA
• Troubleshooting of policy, routing, and IPSec VPNs
• Traffic management
• Advanced management configurations
• VLANs
• Aggregated Ethernet.

This is the lab schematic:

2 x SRX100: (HA, IPS, UTM, VPN, OSPF)
1 x SRX100: Remote Sites (VPN, OSPF)

With this setup I tested the following things:

• Complex policy implementations, including anti-virus scanning, and URL filtering
• IPS, IPSec VPNs, hub-and-spoke, dynamic, and overlapping address designs.
• HA
• Troubleshooting of policy, routing, and IPSec VPNs
• Traffic management

I didn’t test the following things:

• PKI, transparent mode
• Advanced management configurations
• VLANs
• Aggregated Ethernet

I didn’t test these because I know how they work (hands-on experience).


Be aware: this doesn’t mean it is not in the lab exams!


To give some more details on the things I tested:

With the SRX100s we made a cluster. This device did all the IPS and UTM stuff.

We connected two SRX100s with a VPN (one with a fixed IP and one with a dynamic IP, so we had both a dynamic and a static VPN peer). We enabled OSPF between the two devices.

We also tested “Group VPN”, because we had never done this before and wanted to see what I could do and how you needed to build it.

One of the last tests was to ask a colleague of mine to change some stuff, and then try to find what the problem was (to test some advanced troubleshooting).

The day before I did my exam I also configured some Dynamic VPN (remote IPsec client feature) on the SRX. (This was in the bar of my hotel, with a nice beer.)

Tips:

- Read all your questions at the beginning and make an L3 drawing of the setup
- Know your configuration commands (you don’t have much time)
- The whole exam is in the CLI (no web UI or NSM)
- Be sure you can configure all the topics that are in the exam description!

That’s all, good luck all.

Wednesday, August 3, 2011

Passed the JNCIE-SEC lab exam!

Hi,

I am very proud to tell you all that I passed my JNCIE-SEC lab exam.

Later this week I will make a post on how I prepared myself for this exam.

GreetZ,
Frac

Tuesday, May 24, 2011

Juniper EMEA partner of the year

Hi all,

I am very proud to announce that Securelink won the "EMEA partner of the year" for Juniper Networks.

The last two years we won the "Juniper Partner of the Year for Northern Europe".

Greetz,
Frac

Wednesday, November 4, 2009

IF-MAP Juniper

Hi all,

It's been a while since I did some posts, but I am very busy with several projects.

I have been working with SRX devices and did some UAC projects with 802.1X, but also with an IF-MAP implementation.

I did the IF-MAP with SA + SRX + SSG + IC appliances. I will do some more tests and implementations; when all this is done I will post some detailed information.

Hope to see you all soon again,
Frac

Tuesday, September 29, 2009

Deploy SRX Cluster Across Layer 2 Network

Hi,

The SRX3400/3600 and the SRX5600/5800 can be deployed over a Layer 2 network. For this there is a nice guideline available from Juniper (SRX Series Services Gateways Cluster Deployment Across Layer 2 Networks).

I did this with an SRX3400 on a Layer 2 Cisco network and had some problems. The Cisco L3 switches seem to check L3 traffic even if they are in a Layer 2 deployment. Because JSRP uses an IP header for its traffic, these switches can block this traffic.

This means your JSRP will not work.

Here are the commands you have to enter to disable these Layer 3 checks on Cisco.

On a Cat 6500:

- no mls verify ip checksum
- no mls verify ip length
- no mls verify ip same-address

For other Cisco switches it seems to be the following command:

- no ip verify header vlan all

Kind Regards,
Frac

Wednesday, August 26, 2009

Check if I can make the ScreenOS to Junos click if I want

Hi all,

Because Junos is spreading rapidly over the world due to the launch of the SRX devices, I had to make the switch as well.

As mentioned before, I worked/work a lot with ScreenOS, and must say I don't mind making the switch to JUNOS if needed.

JUNOS is a rich and nice OS; the more you work with it, the more you will love it. It has nice advanced features which you would love to have in ScreenOS (but sadly never will...).

So because of this switch I wanted to check whether I understand the Junos security solution and did the JNCIS-ES exam.

I passed and have another certificate I can hang on the wall (well, put on one of the shelves with the others...).

If you want to go the JUNOS way, I suggest you look at the Fast Track.

Fasttrack

Greetz,
Frac