jncie-ent v1.2 (2017) - inetzero€¦ · jncie-ent v1.2 (2017) demo workbook . why this demo...

JNCIE-ENT V1.2 (2017) Demo workbook

Why this demo workbook?

This workbook is intended to give you an idea of what the

purched workbook looks like, and the way the original workbook

teaches you the curriculum.

Due to this, we hope you will understand that

some content will be covered.

If you have any questions, please don’t hesitate to contact me.

Jörg Buesink

[email protected]

Owner iNET ZERO

About meMaxim lives in Russia and speaks Russian and English. He started his network-

ing career in 1999. Throughout the years Maxim has designed and imple-

mented several large-scale networks for enterprise and service provider

customers. Over the years he has developed several high quality courseware

materials for industry leading networking vendors. Maxim has the following

certifications: JNCIE, JNCIS-SEC, Nortel NNCSS. For technology Max values

efficiency and pragmatic design. When Max is not at work he likes to spend

time with his family. Max enjoys being outside in the nature and loves to

travel and exploring the world.

About the authors

About meJörg lives in the Netherlands near Amsterdam and brings more than 10 years

of experience in the IT and networking industry. He has worked for several

large ISPs / service providers in the role of technical consultant,designer and

network architect.He has extensiveexperience in network implementation,

design and architecture and teached several networking classes.

CertificationsQuadruple JNCIE certified

(JNCIE-DC#007,JNCIE-ENT#21,JNCIE-SP#284 and JNCIE-SEC#30)

Triple CCIE #15032

(Routing/Switching, Service provider and Security),

Cisco CCDE#20110002 certified,

Huawei HCIE#2188 Routing and Switching.

Table of ContentsGeneral information

Exam strategy

Workbook updates and configuration files

iNET ZERO rack rental service

Chapter One: General System Features

Task 1: Initial System Configuration

Task 2: User Authentication and Authorization

Task 3: Syslog Configuration

Task 4: SNMP Configuration

Task 5: Firewall Filters

Chapter Two: L2 Switching and L2 security

Task 1: L2 Switching Network Deployment

Task 2: Virtual Chassis

Task 3: VLAN Configuration

Task 4: Spanning Tree Configuration

Task 5: VRRP Configuration

Task 6: L2 Switching Security Features

Task 7: Provider bridging / Q in Q implementation

Chapter Three: IGP Routing

Task 1: Base Network and Virtual Router Deployment

Task 2: Multi Area OSPF Configuration

Task 3: RIP Configuration and Redistribution Policies

Task 4: Protocol-independent Routing and Routing Policies

Task 5: IPv6 Network Deployment and GRE tunneling

Task 6: IPv6 IGP Routing

Chapter Four: BGP Routing

Task 1: Base Network Deployment

Task 2: Advanced BGP Configuration and features

Task 3: IPv4 BGP Routing Policies

Task 4: IPv6 BGP Routing Policies

Chapter Five: Multicast Routing


Task 2: Multicast Configuration

Task 3: Multicast Verification

Chapter Six: Class of Service


Task 2: SRX Forwarding Classes, Queues, and Schedulers

Task 3: EX Forwarding Classes, Queues, and Schedulers

Task 4: Network Edge CoS Configuration

Task 5: Network Core CoS Configuration

Task 6: CoS Verification

Chapter Seven: Super lab 1


Task 2: Building the Network

Task 3: Preprovisioned Virtual chassis

Task 4: Advanced Layer 2 switching configuration and security

Task 5: IPv4 and IPv6 IGP Configuration

Task 6: Inter domain BGP Configuration

Task 7: Multicast Configuration

Task 8: Class of Service Configuration

Task 9: Service Level Agreement (SLA) / Performance monitoring

Task 10: Advanced infrastructure protection

Chapter Eight: Super Lab 2


Task 2: Layer 2 Configuration

Task 3: Protocol Independent Routing

Task 4: IGP Routing

Task 5: BGP Routing

Task 6: Multicast Routing

Task 7: Class of Service

Chapter Nine: Super Lab 3


Task 2: Layer2 Configuration


Task 4: IGP Routing

Task 5: BGP Routing



Chapter Ten: Additional theory

Virtual chassis reconfiguration

OSPF adjacency troubleshooting

BGP adjacency troubleshooting

BGP IPV6 NLRI over IPV4 peering

Troubleshooting: Multicast traffic engineering using RIB-groups

Advanced firewall filtering

IPv4 and IPv6 Filter Based Forwarding

Appendix - Chapter One: General System Features

Solution - Task 1: Initial System Configuration

Solution - Task 2: User Authentication and Authorization

Solution - Task 3: Syslog Configuration

Solution - Task 4: SNMP Configuration

Solution - Task 5: Firewall Filters

Appendix - Chapter Two: L2 Switching

Solution - Task 1: L2 Switching Network Deployment

Solution - Task 2: Virtual Chassis

Solution - Task 3: VLAN Configuration

Solution - Task 4: Spanning Tree Configuration

Solution - Task 5: VRRP Configuration

Solution - Task 6: L2 Switching Security Features

Solution - Task 7: Provider Bridging / Q in Q implementation

Appendix - Chapter Three: IGP Routing

Solution - Task 1: Base Network and Virtual Router Deployment

Solution - Task 2: Multi Area OSPF Configuration

Solution - Task 3: RIP Configuration and Redistribution Policies

Solution - Task 4: Protocol-independent Routing and Routing Policies

Solution - Task 5: IPv6 Network Deployment and GRE tunneling

Solution - Task 6: IPv6 IGP Routing

Appendix - Chapter Four: BGP Routing

Solution - Task 1: Base Network Deployment

Solution - Task 2: Advanced BGP Configuration and features

Solution - Task 3: IPv4 BGP Routing Policies

Solution - Task 4: IPv6 BGP Routing Policies

Appendix - Chapter Five: Multicast Routing


Solution - Task 2: Multicast Configuration

Solution - Task 3: Multicast Verification

Appendix - Chapter Six: Class of Service


Solution - Task 2: SRX Forwarding Classes, Queues, and Schedulers

Solution - Task 3: EX Forwarding Classes, Queues, and Schedulers

Solution - Task 4: Network Edge CoS Configuration

Solution - Task 5: Network Core CoS Configuration

Solution - Task 6: CoS Verification

Appendix - Chapter Seven: Super lab 1

D1 final configuration






Virtual chassis D7D8 final configuration

Appendix - Chapter Eight: Super Lab 1


Task 2: Layer 2 Configuration


Task 4: IGP Configuration

Task 5: BGP Routing



Appendix – Chapter Nine: Super Lab 3


Task 2: Layer2 Configuration


Task 4: IGP Routing

Task 5: BGP Routing



iNET ZERO rack rental serviceDo you know that this workbook can be used in combination with our premium JNCIE rack rental service?

Take a look on our website for the latest information www.inetzero.com

Chapter One: General System Features

TIP: Please read the entire chapter, before you start with the first task.

This chapter will focus on initial system configuration and general system features. You will configure vari-

ous features, such as host name, root password, management network access, user authentication and

authorization, NTP, SNMP, Syslog and RE protection Firewall Filters. You will be operating 8 devices D1

through D8. The topology for chapter one is shown in Figure 1.

Figure 1

Task 1: Initial System ConfigurationIn this part you will configure your devices: host names, root passwords, the OoB management interfaces,

system services, static routing and DNS.

1) Load the latest workbook baseline configurations for this chapter to all devices. Do not forget the

access-switch and vr-device configs as well.

2) Configure the host names for all devices according to Table 1.

Table 1

Device iNET ZERO rack rental device Host Name

D1 SRX1 - SRX240 Mercury

D2 SRX2 - SRX240 Venus

D3 SRX3 - SRX240 Earth

D4 SRX4 - SRX240 Mars

D5 EX1 - EX4200 Jupiter

D6 EX2 - EX4200 Saturn

D7 EX3 - EX4200 Uranus

D8 EX4 - EX4200 Neptune

3) Configure the OoB management interfaces for each device with the appropriate IP addresses.

The devices and their respective IP addresses are listed in Table 2. Configure the interface

descriptions.

Table 2

Device OoB Interface Name OoB Interface IP Address

D1 ge-0/0/0 10.10.1.1/24

D2 ge-0/0/0 10.10.1.2/24

D3 ge-0/0/0 10.10.1.3/24

D4 ge-0/0/0 10.10.1.4/24

D5 me0 10.10.1.11/24

D6 me0 10.10.1.12/24

D7 me0 10.10.1.13/24

D8 me0 10.10.1.14/24

4) Enable each device to accept management connections for the SSH, Telnet, HTTP, and HTTPS

services. Ensure that the device uses an automatically generated X.509 certificate for

HTTPS. Make sure that all devices accept HTTP and HTTPS management access only on the

OoB management ports.

5) Configure a static route to the management network 10.10.10/24 with next-hop 10.10.1.254.

Make sure this network is never redistributed to any dynamic routing protocol. Ensure the

device is reachable while RPD is not running.

6) Configure server S1 as the DNS server.

Chapter Two: L2 Switching and L2 security

In this chapter you will be configuring and monitoring L2 features such as Aggregated Ethernet links,

VLANs and PVLANs, VLAN routing interface, VRRP, Virtual chassis, LLDP, Voice VLANs as well as security

features like 802.1X, MAC RADIUS, Storm control and MAC address limiting. The summarized view of the

L2 network that you are going to build is shown in Figure 2.

Figure 2

Task 1: L2 Switching Network DeploymentFor this task you will configure the following L2 switched network.

Figure 3

1) Make sure that your devices are running the baseline configurations. Use username lab and pass-

word lab123 and login to the VR-device and load override the Chapter 2 baseline configuration.

2) Build the L2 network as shown in Figure 3. The interface parameters can be found in Table 3. Con-

figure interfaces i3 and i4 on D5 and D6 to form an Aggregated Ethernet bundle.

3) Enable LACP continuity checking on the AE interface.

Enter this temporary vouchercode within 1 week to get

10% off your purchase! ( workbooks only ) G

o to:

www.bit.ly/2cfO1Mx

H2993DJ

Automatically expires within one week of downloading this demo workbookContent only available in the original workbook

Table 3

Device Interface Interface Name Interface Type

D1 i1 ge-0/0/3.0 L3, IP address: 172.30.96.2/30

Mercury i2 ge-0/0/10.0 L2, trunk

SRX1 i3 ge-0/0/6.0 L2, trunk

i4 ge-0/0/9.0 L3, tagged, IP: 192.168.1.0/31

D2 i1 ge-0/0/3.0 L3, IP address: 172.30.96.6/30

Venus i2 ge-0/0/10.0 L2, trunk

SRX2 i3 ge-0/0/6.0 L2, trunk

i4 ge-0/0/9.0 L3, tagged, IP: 192.168.1.1/31

Chapter Three: IGP Routing This chapter is focused on IGP routing. You will configure and monitoring IPv4 and IPv6 networks, OSPFv2

and v3 protocols, Multi-area design, the RIP protocol, Routing policies, Protocol-independent routing, BFD

continuity checking, virtual routers and GRE tunnels.

Task 1: Base Network and Virtual Router Deployment In this task you will load the baseline configuration and configure your devices to create a L3 network.

Figure 4

1) Split the D7_D8 Virtual Chassis into two independent devices D7 and D8.

2) Load override all your devices configuration with the baseline configuration saved in the F1 file.

3) Use username lab and password lab123 and login to the VR-device and load override the

Chapter 3 baseline configuration.

4) Build the L3 network as shown in Figure 4. Configure interfaces i1 and i2 on D5 and D6 to

form an Aggregated Ethernet bundle.

5) Enable LACP continuity checks on the AE interface.

Chapter Five: Multicast RoutingIn this chapter you will configure and monitor the following multicast network protocols: PIM sparse

mode multicast distribution for both ASM and SSM models, IGMPv2 and IGMPv3, PIM Bootstrap protocol,

MSDP protocol and Anycast RP, and Multicast Scoping. The summarized view of the Multicast enabled

network that you are going to build is shown in Figure 5.

Figure 5

.............................................................................................

DEMO OUTPUT OMITTED DEMO

.............................................................................................

1) Enable PIM Sparse mode on all interfaces in your network. Ensure that the OoB

management interfaces do not run PIM.

2) Ensure that the vlan.1000 interface on D7 and D8 use IGMPv2. Ensure that

interface i5 on D3 uses IGMPv3.

3) Configure the 172.30.5.0/24 LAN IGMP Querier router to act as a PIM

Designated router for the LAN.

4) Configure D7 and D8 to map IGMP reports with an unknown source address and with G3 as

the group address to source S2. Ensure that the devices accept IGMP reports with an

unknown source for the well known SSM range.

Content only available in the orginal workbook


10% off your purchase! ( workbooks only ) G

o to:

www.bit.ly/2cfO1Mx

H2993DJ

Automatically expires within one week of downloading this demo workbook

Chapter Eight: Additional theory

Virtual chassis reconfiguration

Virtual chassis configuration is an important topic to master and might appear on your JNCIE-ENT exam.

It’s likely that you will fail the exam if your virtual chassis is not functioning properly. The reason is simple,

if your layer 2 domain is not working you can be assured that there are a lot of layer 3 connectivity issues

and you will loose a lot of points for the exam.

In this section we will demonstrate a migration towards a pre provisioned virtual-chassis, where SW1 will

become the routing engine and SW2 a dedicated linecard. Use the following topology as a reference for

this section.

We recommend performing chassis configuration tasks on the console connections

Let’s first start by looking at the current state of the switches SW1 and SW2.

Verify if the switches VCP ports are up.

root@vchassis> show virtual-chassis vc-port

fpc0:

--------------------------------------------------------------------------

Interface Type Trunk Status Speed Neighbor

or ID (mbps) ID Interface

PIC / Port

vcp-0 Dedicated 2 Up 32000 1 vcp-1


fpc1:

--------------------------------------------------------------------------

Interface Type Trunk Status Speed Neighbor

or ID (mbps) ID Interface

PIC / Port



{master:0}

root@vchassis>

All looks fine as both our VCP-0 and VCP-1 connections are working.

Let’s see the current state of our virtual chassis:

root@vchassis> show virtual-chassis

Virtual Chassis ID: 27ee.46c2.d32f

Virtual Chassis Mode: Enabled

Mstr Mixed Neighbor List

Member ID Status Serial No Model prio Role Mode ID Interface

0 (FPC 0) Prsnt BM0321431191 sw2200-24t 128 Master* N 1 vcp-0

1 vcp-1

1 (FPC 1) Prsnt BM0321431107 sw2200-24t 128 Backup N 0 vcp-0

0 vcp-1

Member ID for next new member: 2 (FPC 2)

{master:0}

root@vchassis>

The following election process will determine which switch will become the master node:

• The member with the highest configured priority (manual).

The priority range is from 1-255 where 128 is the factory default

• The member which previously was functioning as master (before a reboot)

• The member with the highest uptime (more then 1 minute difference is required)

• The member with the lowest MAC address

• The runner-up switch will become the “backup” switch.

.............................................................................................DEMO OUTPUT OMITTED DEMO.............................................................................................

Appendix - Chapter One: General System Features

Solution - Task 1: Initial System Configuration

1) Load the latest workbook baseline configurations for this chapter to all devices. Do not forget to

load the access-switch and vr-device configs also.

Log in to the devices and use the following command to load the baseline configuration.

[edit]

root@device# load override terminal

Use Ctrl-D key sequence to end load operation.

2) Using username lab and password lab123 and login to the VR-device and load override

the Chapter 1 baseline configuration.

[edit]

lab@vr-device# load override <filename>

3) Configure the host names for the devices according to Table 1.

Use the following command to set the host names.

[edit]

root@device# set system host-name Mercury

4) Configure OoB management interfaces in each device with the appropriate IP addresses.

The devices and their respective IP addresses are listed in Table 2. Set the interface de

scriptions.

The example below shows the OoB management interface settings on D1.

[edit interfaces]

root@Mercury# show

ge-0/0/0 {

unit 0 {

description “OoB management connection”;

family inet {

address 10.10.1.1/24;

}

}

}

5) Enable each device to accept management connections for the SSH, Telnet, HTTP, and

HTTPS services. Ensure that the device uses an automatically generated X.509 certificate

for HTTPS. Make sure all devices accept HTTP and HTTPS management access only on the

OoB management ports.

Use the following example as a guide to complete the step.

[edit system]

root@Mercury# show

services {

ssh;

telnet;

web-management {

http {

interface ge-0/0/0.0;

}

https {

system-generated-certificate;

interface ge-0/0/0.0;

}

}

}

6) Configure a static route to the management network 10.10.10/24 with next-hop

10.10.1.254. Make sure the network is never redistributed to any dynamic routing proto

col. Ensure the device is reachable while RPD is not running.

Configure the static route as shown in the example for the D1 below.

[edit routing-options]

root@Mercury# show

static {

route 10.10.10.0/24 next-hop 10.10.1.254 no-readvertise;

}

While RPD is not running, configuring the backup router provides remote reachability.

[edit]

root@Mercury# set system backup-router 10.10.1.254

7) Configure the S1 server as the DNS server.

Use the following command to set the DNS server.

[edit]

root@Mercury# set system name-server 10.10.10.1

8) Set system time zone to Europe/Amsterdam on all your devices.

Use the following command to set the time zone.

[edit]

root@Mercury# set system time-zone Europe/Amsterdam


Solution - Task 2: Multi Area OSPF Configuration 1) Configure a multi area OSPF network according to the requirements in Table 11. Ensure

that all OSPF-enabled Ethernet interfaces are configured as OSPF point-to-point links.

Ensure that that the Router ID is explicitly configured. The loopback interface ip address

must be used as the Router id.

Use the following command to set the Router ID on D1.

[edit]

lab@Mercury# set routing-options router-id 172.30.15.1

Use the following commands to set the Router ID on D2.

[edit]

lab@Mercury# set routing-options router-id 172.30.15.2

[edit]

lab@Venus# set routing-instances Alpha routing-options router-id 172.30.15.9

[edit]

lab@Venus# set routing-instances Beta routing-options router-id 172.30.15.10


Verify that BFD sessions are established using the command in the example below.

lab@Mercury> show bfd session

Detect Transmit

Address State Interface Time Interval Multiplier

172.30.0.6 Up ge-0/0/10.0 0.900 0.300 3

172.30.0.10 Up ge-0/0/6.0 0.900 0.300 3

2 sessions, 2 clients

Cumulative transmit rate 6.7 pps, cumulative receive rate 6.7 pps

2) Configure all your routers to automatically calculate an OSPF metric of 10 for 1G

interfaces.

Use the following command to ensure that the routers automatically calculate a metric of 10 for 1G inter-

faces.

[edit protocols ospf]

lab@Mercury# set reference-bandwidth 10g

3) Ensure that all OSPF adjacencies are in the Full state and that connectivity is

provided between all routers loopback ip addresses.

Verify if the OSPF adjacencies are successfully established using the following command:

lab@Mercury> show ospf neighbor

Address Interface State ID Pri Dead

172.30.0.6 ge-0/0/10.0 Full 172.30.15.6 128 39

172.30.0.10 ge-0/0/6.0 Full 172.30.15.5 128 30

172.30.0.2 vl-172.30.15.2 Full 172.30.15.2 0 36

172.30.0.2 ge-0/0/1.0 Full 172.30.15.2 128 37

Use the following command to verify the OSPF adjacencies on D2a and D2b routers.

lab@Venus> show ospf neighbor instance Alpha


172.30.0.17 ge-0/0/15.0 Full 172.30.15.2 128 39

172.30.0.22 lt-0/0/0.0 Full 172.30.15.10 128 32

lab@Venus> show ospf neighbor instance Beta


172.30.0.26 ge-0/0/7.0 Full 172.30.15.6 128 33

172.30.0.21 lt-0/0/0.1 Full 172.30.15.9 128 30

Verify that all the routers have the other routers loopback IP addresses in their routing tables using the

example command below.

lab@Mercury> show route protocol ospf terse | match “/32”

* 172.30.15.2/32 O 10 1 >172.30.0.2

* 172.30.15.3/32 O 10 2 >172.30.0.10

* 172.30.15.4/32 O 10 2 172.30.0.6

* 172.30.15.5/32 O 10 1 >172.30.0.10

* 172.30.15.6/32 O 10 1 >172.30.0.6

* 172.30.15.7/32 O 10 3 172.30.0.6

* 172.30.15.8/32 O 10 3 >172.30.0.6

* 172.30.15.9/32 O 10 3 >172.30.0.6

* 172.30.15.10/32 O 10 2 >172.30.0.6

* 224.0.0.5/32 O 10 1 MultiRecv

Verify that D7 and D8 do not have any Type 3, Type 4 or Type 5 LSAs in their databases and that they

receive a default route from both D3 and D4, which are the ABRs.

{master:0}

lab@Uranus> show ospf database

OSPF database, Area 0.0.0.2

DEMO END

This workbook was developed by iNET ZERO.

All rights reserved. No part of this publication may be reproduced or distributed in any form or

by any means without the prior written permission of iNET ZERO a registered company in the

Netherlands. This product cannot be used by or transferred to any other person.

You are not allowed to rent, lease, loan or sell iNET ZERO training products including this

workbook and its configurations. You are not allowed to modify, copy, upload, email or

distribute this workbook in any way. This product may only be used and printed for your

own personal use and may not be used in any commercial way. Juniper (c), Juniper Networks

inc, JNCIE, JNCIP, JNCIS, JNCIA, Juniper Networks Certified Internet Expert, are registered

trademarks of Juniper Networks, Inc.

This original workbook helped over more than 340+ people achieve the expert certification

Unfortunately you have reached the end of this demo workbook.


10% off your purchase! ( workbooks only ) Go to:

www.bit.ly/2cfO1Mx

H2993DJAutomatically expires within one week of downloading this demo workbook

jncie-ent v1.2 (2017) - inetzero€¦ · jncie-ent v1.2 (2017) demo workbook . why this demo...

Documents