Aaron's Worthless Words

It's possible that someone somewhere needs to see this.

Archive for the ‘juniper’ tag

JNCIS – Epic Win!


I quit my job…by design.  I start a new gig on Tuesday and am getting back to the world of Cisco.  As a last nod to Juniper, I decided to use an exam voucher I had and take the JNCIS-ENT exam.  Easy pass.

The content was right along with the exam objectives, so there were no surprises.  Most of the topics are things I’ve done a thousand times on the job.  There were some things, though, that were beyond my experience.  IS-IS was the big one.  The very first question I got was about IS-IS metrics, and I had absolutely no clue what the answer was.  Nor did I have any clue about the other IS-IS questions.  I went 0-for-3 on those guys.  The only other problematic topic was HA, which didn’t really surprise me.  I was able to answer the VRRP questions, but I’ve never done any GRES, ISSU, RTG, etc., at any point in my career.  It wasn’t surprising that I didn’t do too well on those.  Everything else was cake, and I only missed 6 questions in my comfort zone.

The exam was yet another top-notch effort from Liz and the group, but there was one question that didn’t meet the standard set by the others.  It was a VRRP question, but it used some awkward wording that I read over and over.  I just used the context of the question to give an answer and moved on.

There was really nothing else to report.  It was a great exam, so don’t be afraid to take it if it’s next on your list.

Send any Cisco refresher courses questions my way.

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

More Posts - Website

Written by Aaron Conaway

February 15th, 2013 at 5:21 pm

Posted in juniper, junos


The Usual End of the Year Tripe


The year is finally coming to an end, so it’s time yet again to look at goals and embarrass myself by publicly admitting that I didn’t meet them.  Oh, well.  Let’s get this done so I can go back to sleep.

I changed the layout of the blog, so the page with my goals isn’t really visible.  Here’s what I claimed I would do this past year.

  • Select a CCIE training vendor – Yeah…this didn’t happen.  This is a very high-priced item, and I simply couldn’t afford the packages I wanted.  We’re talking $8k – $10k for everything.  Yikes!  I asked management at work to pay for it.  They said they would but that I would have to agree not to leave the company for some long length of time.  I didn’t want to put myself in a situation where finding a new job meant writing a check for $10k, so I decided to pass on it.  Without the financial backing, this ended with me just sighing pitifully on my couch.
  • Take the CCIE R&S lab – Of course this didn’t happen without the first one.  I guess I could have bought the materials that I could and just got on a bus to Raleigh to see what happens.  This whole thing was complicated by the fact that the new job is 95% Juniper.  My waking hours at work and my study time at home were spent trying to figure out how Junos works; I tried my best, but it was just too difficult for me to study both at the same time.  For the trifecta of excuses, I also had an issue with my study area. I went from a 4-bedroom house to a 1-bedroom apartment when we moved for the new job.  There’s no quiet space at all to study – a huge problem I need to fix.
  • Pass JNCIA-Junos exam – Wo!  I actually did this one.  I took this exam a few months back and passed it without any problems.  Good for me!  One out of three!

As for my goals, it really wasn’t a very good year.  Even for me, it was bad.  I’ll tell you, though, it’s very hard to study when you don’t have one subject or a place to do so.  Definitely things I need to work on in 2013.

Since the Mayan doom did not hit us, we move into 2013.  I hope you all have a prosperous and happy new year.  The best of luck to you all.


Written by Aaron Conaway

December 30th, 2012 at 5:17 pm

Posted in misc


Junos Basics – Routing Instances


Here’s one that I use every day at work. We have multiple customers coming into the same router, and, as luck would have it, they all use 192.168.1.0/24 (OK…not really but it might happen). That means we have to separate them into their own routing instance, or virtual router, to pass traffic to their firewall.  Think VRF lite on a Cisco router.  Let’s conflagrate.

First, we configure the instance as a virtual-router.

set routing-instances CUST1 instance-type virtual-router

There are a handful of instance types, and, to tell the truth, I’ve never cared to really look into them all.  Let’s use the good ol’ “beyond the scope of this document” excuse on that one so I look a little more prepared.

In practice, the virtual-router type creates a new routing table to isolate traffic on the same router.  It’s pretty worthless to just create it and not do anything with it, so let’s take some of our interfaces and shove them into the new routing instance.

set routing-instances CUST1 interface ge-0/0/0.100
set routing-instances CUST1 interface ge-0/0/0.150
set routing-instances CUST1 interface vlan.200

Not hard.  So, let’s add some static routes and some OSPF config to make it even more functional.  With the base routing table, you just configure those under routing-options and protocols.  It’s the same here, but you just shove that config under the routing instance tree.  Something like this.

set routing-instances CUST1 routing-options static route 192.168.0.0/16 next-hop 10.1.100.1
set routing-instances CUST1 protocols ospf export REDIST-INTO-OSPF
set routing-instances CUST1 protocols ospf area 0.0.0.0 interface ge-0/0/0.100
set routing-instances CUST1 protocols ospf area 0.0.0.0 interface vlan.200
set routing-instances CUST1 protocols ospf area 0.0.0.150 interface ge-0/0/0.150

Now we have a new routing instance with 3 interfaces in it along with a static route and OSPF.  Great.  Let’s see what the routing table looks like now. A show route does that job.

inet.0: 6 destinations, 6 routes (3 active, 0 holddown, 3 hidden)
+ = Active Route, - = Last Active, * = Both
...SNIP...
CUST1.inet.0: 15 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24  *[OSPF/150] 1w5d 14:49:47, metric 0, tag 0
                    > to 10.1.100.1 via ge-0/0/0.100
...SNIP...

Now the CUST1 table shows up.  Looks like we already have an OSPF route, too.  That turned out better than I thought.

With routing instances, you’ll have to look at adding instance or routing-instance to your show commands to limit output to just a single instance.  For example, show ospf neighbor instance X and show interfaces terse routing-instance X.  Contextual help for the win!

NOTE:  I’m going to leave it at that, but you may have to add more to this config to make it work.  For example, on the SRX platform in flow-based processing mode (the default), you’ll have to create security zones for each interface along with appropriate policies and host-inbound-traffic.  This is twice in one post that I’m claiming this is beyond the scope of this document.  :)
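To show how the pieces above fit together, here is an added example (not code from the original post) that renders the same set commands for an instance from a small description and checks the one thing that makes the whole approach work: a logical interface can belong to only one routing instance, while the same prefix may appear in as many instances as you like. CUST1 mirrors the post; CUST2, CUST3 and their interfaces and next-hops are constructed sample values.

```python
"""Render Junos virtual-router set commands and check instance isolation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RoutingInstance:
    name: str
    interfaces: List[str]                                   # logical units, e.g. ge-0/0/0.100
    static_routes: Dict[str, str] = field(default_factory=dict)   # prefix -> next-hop
    ospf_areas: Dict[str, List[str]] = field(default_factory=dict)  # area -> interfaces
    ospf_export: Optional[str] = None                       # policy name, if any


def render_instance(ri: RoutingInstance) -> List[str]:
    """Emit set commands in the same order the post uses."""
    base = f"set routing-instances {ri.name}"
    cmds = [f"{base} instance-type virtual-router"]
    cmds += [f"{base} interface {ifl}" for ifl in ri.interfaces]
    for prefix, nh in ri.static_routes.items():
        cmds.append(f"{base} routing-options static route {prefix} next-hop {nh}")
    if ri.ospf_export:
        cmds.append(f"{base} protocols ospf export {ri.ospf_export}")
    for area, ifls in ri.ospf_areas.items():
        for ifl in ifls:
            if ifl not in ri.interfaces:   # catch this before the commit does
                raise ValueError(f"{ifl} is in OSPF area {area} but not in {ri.name}")
            cmds.append(f"{base} protocols ospf area {area} interface {ifl}")
    return cmds


def check_isolation(instances: List[RoutingInstance]) -> List[str]:
    """Report any logical interface claimed by more than one instance.
    Overlapping prefixes across instances are fine; that is the point."""
    owner: Dict[str, str] = {}
    problems = []
    for ri in instances:
        for ifl in ri.interfaces:
            if ifl in owner and owner[ifl] != ri.name:
                problems.append(f"{ifl} is in both {owner[ifl]} and {ri.name}")
            owner.setdefault(ifl, ri.name)
    return problems


# CUST1 is the instance from the post; CUST2 is a constructed second customer
# that uses the same 192.168.0.0/16 space behind different interfaces.
CUST1 = RoutingInstance(
    name="CUST1",
    interfaces=["ge-0/0/0.100", "ge-0/0/0.150", "vlan.200"],
    static_routes={"192.168.0.0/16": "10.1.100.1"},
    ospf_areas={"0.0.0.0": ["ge-0/0/0.100", "vlan.200"], "0.0.0.150": ["ge-0/0/0.150"]},
    ospf_export="REDIST-INTO-OSPF",
)
CUST2 = RoutingInstance(name="CUST2", interfaces=["ge-0/0/1.100"],
                        static_routes={"192.168.0.0/16": "10.2.100.1"})

if __name__ == "__main__":
    print("\n".join(render_instance(CUST1)))
    print(check_isolation([CUST1, CUST2]) or "no shared interfaces")
```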

Send any Halloween candy questions to me.


Written by Aaron Conaway

October 31st, 2012 at 8:10 pm

Posted in junos


An Interesting Interview Story


We’ve been looking for a new Network Engineer for quite a while but are having no luck at all.  There is plenty of talent out there, but finding a high-end Juniper guy is almost impossible around here.  We’ve loosened up our requirement for Juniper experience just to get someone in for interviews.  This led us to one prospect and an interesting story.

This guy’s resume was very impressive.  For the last 5 years, he’s been the Network Architect at a very large company.  His experiences were off the chart.  Large-scale Enterprise deployments.  Monster PCI environments.  Years of Juniper experience.  Years of Cisco experience.  I had to talk to this guy, so I got a phone interview with him.

His phone interview was great.  We talked about all of the different models of Juniper gear.  All the different Cisco routers.  Checkpoint.  F5.  He even had experience with the FWSM and CSM (I’m the only other guy I know who’s dealt with those modules!).  This guy was dead on target with what we needed.  Before I knew it, it was 2 hours later, and I had to stop the call before we went too late into the night.  We hung up, and the other engineer and I huddled to talk about this guy.  There was no doubt about it; it was time to get this guy in for a face-to-face.  My Director and I met him for dinner the next week.  He was well prepared for everything we had for him.  He knew about the company.  He knew about each of us.  He had all the answers we wanted.  All thumbs up, so we moved on to the technical lab the next week.

I told him to be prepared for a BGP and an OSPF lab that would be on both Cisco 1800s and Juniper SRX 240s.  When he showed up, he had a notebook full of notes and configurations.  He had his laptop full of examples and implementation notes.  Wonderfully prepared this guy was, so I drew the lab on the whiteboards for him.  A routed VPN tunnel with BGP between a couple routers.  Some OSPF and redistribution here.  Some VRF/RI there.  Not very complicated, but not very easy either.

I expected him to be done in about 3 hours or so.  After 20 minutes, I asked him how he was doing.  He was still configuring IP addresses on interfaces.  After an hour, he was still working on getting OSPF working.  After two hours of struggling, I helped him get the VPN tunnel up and running.  Hour four was spent working through the VRFs and leaking.  I finally just called it done to give him a chance at the Juniper stuff in hopes that he was faster in Junos than IOS.  Nope.  At the 7 total hour mark, I finally just told him he had to go.

I was ready to hire this guy after the phone interview.  My Director loved him after the face-to-face and actually said he was worried that this guy would be bored in our environments.  The obvious moral of the story is that you have to actually challenge potential coworkers before making a hiring decision.

And I will never think about hiring anyone without putting them through the paces.


Written by Aaron Conaway

August 30th, 2012 at 8:46 pm

Posted in misc


Junos Basics – Configuring BGP


I’m stuck deep in Junos these days.  I mean deep.  I have an F5 load balancer and an ASA 5520; the rest of my stuff is Juniper.  That means I have some learning to do.

Here’s one of the basics in Junos – configuring BGP.  I guess I’ve always said that BGP is BGP.  How much different can it be from IOS?  Well, the end result is the same, but it’s different enough to have to look up how to do it.  :)  The first difference is the fact that all BGP configuration is done with groups just like peer groups in IOS.  You can act like you’re configuring neighbors, but there’s no way around using groups.  After going back and forth, I just settled with a group for eBGP neighbors and another for iBGP neighbors.  If settings are different, I just set them in the neighbor.  Here’s an example of that.

routing-options {
    autonomous-system 65001;
}
protocols {
    bgp {
        group EBGP {
            type external;
            peer-as 65021;
            neighbor 192.0.2.1;
        }
        group IBGP {
            type internal;
            neighbor 192.0.2.100;
        }
    }
}

You noticed that your own ASN isn’t configured in the BGP section, didn’t you?  It’s actually configured in the routing-options configuration.  Also notice the type directive there.  For some reason (can someone speak to why?), you declare a group as either internal or external neighbors.  If the type is external, you obviously have to declare the peer’s ASN.

This configuration won’t do very much.  Actually, it’s pretty darn pointless.  All it does is peer up with the two neighbors and accept their routes.  We’re not sending them anything or doing anything funky with their routes as they come in.  To do something cool, you’ll need to look at seemingly endless configuration items.  Those are beyond scope here, though.

Did we configure BGP correctly?  Let’s find out.

root@ROUTER> show bgp summary
Groups: 2 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0            494478     431927          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.0.2.1             65021 3819628      58226       0       3     1w2d21h 401542/415727/415727/0 0/0/0/0
192.0.2.100           65001 3554056    3457157       0       1      2w4d6h 30385/78751/78751/0  0/0/0/0

That’s horrible output, but you can see that we have two neighbors.  You can also see their ASNs, how many routes we’re getting from them, how many we’re dampening, etc.  One cool thing to notice is the routing table that is being used.  We’re not running routing instances on this router, so we only see “inet.0” in the list.  That’s the base routing table.  If we did indeed have BGP neighbors on a configured routing instance, you’d see it listed here as well.  One more thing to notice – the 431k active paths.  That’s a lot of routes!
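Since that output is hard to read by eye, here is an added example (not from the original post) that parses the per-peer section of show bgp summary and flags the things worth an alert: a peer that is not Established, a peer that has flapped more than a set number of times, and a peer that is up but accepting no routes. The sample text follows the format shown above; the third peer, 192.0.2.200 in AS 65022, is a constructed down neighbor, and the flap threshold is an assumption.

```python
"""Parse Junos 'show bgp summary' and report peers that need attention."""
from typing import Dict, List

LOCAL_AS = 65001          # from routing-options autonomous-system in the post
FLAP_THRESHOLD = 2        # assumed alerting threshold

# Constructed sample in the post's format; the last line is an invented down peer.
SAMPLE = """\
Groups: 2 Peers: 3 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0            494478     431927          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.0.2.1             65021 3819628      58226       0       3     1w2d21h 401542/415727/415727/0 0/0/0/0
192.0.2.100           65001 3554056    3457157       0       1      2w4d6h 30385/78751/78751/0  0/0/0/0
192.0.2.200           65022       0          0       0       5        2d3h Active
"""


def parse_bgp_summary(text: str) -> List[Dict]:
    """Return one dict per peer from the section after the 'Peer' header."""
    peers, in_peers = [], False
    for line in text.splitlines():
        if line.startswith("Peer "):
            in_peers = True                      # column header of the peer table
            continue
        if not in_peers or not line.strip():
            continue
        f = line.split()
        peer = {"peer": f[0], "as": int(f[1]), "flaps": int(f[5]), "last_change": f[6]}
        if "/" in f[7]:                          # established: counts for the first table
            active, received, accepted, damped = (int(x) for x in f[7].split("/"))
            peer.update(state="Established", active=active, received=received,
                        accepted=accepted, damped=damped)
        else:                                    # otherwise Junos prints the FSM state
            peer.update(state=f[7], active=0, received=0, accepted=0, damped=0)
        peers.append(peer)
    return peers


def find_problems(peers: List[Dict], local_as: int = LOCAL_AS,
                  flap_threshold: int = FLAP_THRESHOLD) -> List[str]:
    """Classify each peer as iBGP/eBGP by AS and report the conditions above."""
    problems = []
    for p in peers:
        kind = "iBGP" if p["as"] == local_as else "eBGP"
        if p["state"] != "Established":
            problems.append(f"{p['peer']} ({kind}) is {p['state']}")
        if p["flaps"] > flap_threshold:
            problems.append(f"{p['peer']} ({kind}) flapped {p['flaps']} times")
        if p["state"] == "Established" and p["accepted"] == 0:
            problems.append(f"{p['peer']} ({kind}) is up but accepting no routes")
    return problems


if __name__ == "__main__":
    for issue in find_problems(parse_bgp_summary(SAMPLE)):
        print(issue)
```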

How do I know what I’m sending to my BGP neighbors?  Like I said, you’re sending nothing here.  The default behavior of BGP in Junos is to not send anything; you’ll have to configure a policy-statement if you want to actually advertise something.  If you put in a little more config (again, beyond scope here), you can see something like this.  A single route for 199.199.199.0/24 being sent to our external peer.  Success!

root@ROUTER> show route advertising-protocol bgp 192.0.2.1

inet.0: 431634 destinations, 494173 routes (431634 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 199.199.199.0/24         Self                                    I

That’s good enough for now.  We’ll have to fill in the gaps over time.

Send any canoe rental vouchers questions to me.


Written by Aaron Conaway

July 31st, 2012 at 9:32 pm

Posted in junos


Juniper to Get Deep in the Consumer Market


My Juniper account exec let some news slip yesterday.  We were on the phone talking about how great the SRX platform was and that I wanted to put one in my house instead of my ASA 5505.  Of course, I don’t want to spend too much on a new gateway device, so I asked if there was anything below the $100 mark.  He said there wasn’t anything on the books but there was something in the works.  I think he had a little too much to drink at dinner.  :)

It turns out that Juniper is in talks to buy D-link – one of the big names in home networking.  The idea is that D-link already has some large, medium, and small business offerings, so the catalog is very wide.  The big money, though, is in the consumer market.  My account exec went on to tell me that they’re already working on a new consumer-level product based on the SRX; it will be marketed as a D-link device with the Juniper name on it somewhere.  I can’t wait to see a home router with Junos on it.  Think about running the Pulse client to connect back home.  Awesome!

I also learned that Juniper is going to buy the EasyShare line from Kodak.  Kodak just announced that they have already lost $200 million in the first two months of the year, so they are definitely hurting and looking to get some help after their Chapter 11 bankruptcy filing.  The EasyShare line provides a way for Juniper to get themselves positioned in the video market with the rest of the big hitters.  There is no word on why they want to get into video, but the logical next step would be an enterprise video solution or maybe it’s a building block for another larger product.  We’ll have to see.

I’ll have to get my account exec a few more drinks in him the next time he’s in town.  Maybe he’ll tell me when Juniper is going to have a voice solution.  LOL

Send any similar stories questions to me.


Written by Aaron Conaway

April 1st, 2012 at 7:40 am

Posted in juniper


JNCIA – Epic Win!


Maybe not epic, but a win nonetheless.

My boss is over all the network guys in the company, and that includes guys that support different divisions and departments.  He told me he was tired of waking up at 2am every morning to fix a problem the other groups can’t handle, so he’s working to get the junior guys motivated to learn for themselves.  One technique he’s implemented is to force them to get their CCNAs and JNCIAs by June.  Since he made it part of the job description, that means that everyone above the Analysts has to meet those requirements, too.  I made the deadline with plenty of time to spare.

Do you remember the full day off of work I had to take to sit the CCNP exams?  The 2-hour drive to a prison town, lunch, a 2-hour exam, and 2 hours back?  That sucked.  I live in a major metropolitan area now, so my travel time to the nearest testing center is 45 seconds.  I mean, literally 45 seconds.  It’s right across the street from my apartment complex.  Easy walk if it wasn’t so cold.  That’s good, too, because I showed up this morning, and the center didn’t have any power!  Someone plugged in a coffee maker in the break room, and power went out in a whole wing of the building.  Since I always get there early, I was actually able to drive home, wait for them to fix the problem, and still be there at my scheduled time.  Convenient for sure.

I must say that the exam was pretty darn good.  It may, in fact, be the best IT exam I’ve ever taken.  The breadth of material was awesome; it had questions from the absolute basics to some of the stuff I saw on the CCIE R&S written. Since I’ve been doing networking for so many years and have my string of certs, the exam was pretty easy to me, but I’m sure an absolute network newb would find the material’s scope a little overwhelming.  The exam scores very high on the fairness meter, as well.  The questions were clearly written; the exhibits were legible and well-marked.  Best of all, there were no real trick questions.  They asked what they wanted you to answer and provided the answer to you.  There were no assumptions or judgments involved in trying to figure out what was being asked.

Overall, I was very impressed with the exam.  Two thumbs up.  I can only hope the rest of the exams in the track are this good.  I won’t know until after I pass my CCIE lab, though.  :)

Send any certification delays questions my way.


Written by Aaron Conaway

February 9th, 2012 at 9:36 pm

Posted in juniper
