JNCIE-ENT V1.2 (2017) Demo workbook
Why this demo workbook?
This workbook is intended to give you an idea of what the
purchased workbook looks like, and the way the original workbook
teaches you the curriculum.
Due to this, we hope you will understand that
some content will be covered.
If you have any questions, please don’t hesitate to contact me.
Jörg Buesink
Owner iNET ZERO
About the authors
About me
Maxim lives in Russia and speaks Russian and English. He started his networking career in 1999. Throughout the years Maxim has designed and implemented several large-scale networks for enterprise and service provider customers. Over the years he has developed several high quality courseware materials for industry leading networking vendors. Maxim has the following certifications: JNCIE, JNCIS-SEC, Nortel NNCSS. For technology Max values efficiency and pragmatic design. When Max is not at work he likes to spend time with his family. Max enjoys being outside in nature and loves to travel and explore the world.
About me
Jörg lives in the Netherlands near Amsterdam and brings more than 10 years of experience in the IT and networking industry. He has worked for several large ISPs / service providers in the role of technical consultant, designer and network architect. He has extensive experience in network implementation, design and architecture and has taught several networking classes.
Certifications
Quadruple JNCIE certified (JNCIE-DC#007, JNCIE-ENT#21, JNCIE-SP#284 and JNCIE-SEC#30)
Triple CCIE #15032 (Routing/Switching, Service provider and Security),
Cisco CCDE#20110002 certified,
Huawei HCIE#2188 Routing and Switching.
Table of Contents
General information
Exam strategy
Workbook updates and configuration files
iNET ZERO rack rental service
Chapter One: General System Features
Task 1: Initial System Configuration
Task 2: User Authentication and Authorization
Task 3: Syslog Configuration
Task 4: SNMP Configuration
Task 5: Firewall Filters
Chapter Two: L2 Switching and L2 security
Task 1: L2 Switching Network Deployment
Task 2: Virtual Chassis
Task 3: VLAN Configuration
Task 4: Spanning Tree Configuration
Task 5: VRRP Configuration
Task 6: L2 Switching Security Features
Task 7: Provider bridging / Q in Q implementation
Chapter Three: IGP Routing
Task 1: Base Network and Virtual Router Deployment
Task 2: Multi Area OSPF Configuration
Task 3: RIP Configuration and Redistribution Policies
Task 4: Protocol-independent Routing and Routing Policies
Task 5: IPv6 Network Deployment and GRE tunneling
Task 6: IPv6 IGP Routing
Chapter Four: BGP Routing
Task 1: Base Network Deployment
Task 2: Advanced BGP Configuration and features
Task 3: IPv4 BGP Routing Policies
Task 4: IPv6 BGP Routing Policies
Chapter Five: Multicast Routing
Task 1: Base Network Deployment
Task 2: Multicast Configuration
Task 3: Multicast Verification
Chapter Six: Class of Service
Task 1: Base Network Deployment
Task 2: SRX Forwarding Classes, Queues, and Schedulers
Task 3: EX Forwarding Classes, Queues, and Schedulers
Task 4: Network Edge CoS Configuration
Task 5: Network Core CoS Configuration
Task 6: CoS Verification
Chapter Seven: Super lab 1
Task 1: Initial System Configuration
Task 2: Building the Network
Task 3: Preprovisioned Virtual chassis
Task 4: Advanced Layer 2 switching configuration and security
Task 5: IPv4 and IPv6 IGP Configuration
Task 6: Inter domain BGP Configuration
Task 7: Multicast Configuration
Task 8: Class of Service Configuration
Task 9: Service Level Agreement (SLA) / Performance monitoring
Task 10: Advanced infrastructure protection
Chapter Eight: Super Lab 2
Task 1: Initial System Configuration
Task 2: Layer 2 Configuration
Task 3: Protocol Independent Routing
Task 4: IGP Routing
Task 5: BGP Routing
Task 6: Multicast Routing
Task 7: Class of Service
Chapter Nine: Super Lab 3
Task 1: Initial System Configuration
Task 2: Layer2 Configuration
Task 3: Protocol Independent Routing
Task 4: IGP Routing
Task 5: BGP Routing
Task 6: Multicast Routing
Task 7: Class of Service
Chapter Ten: Additional theory
Virtual chassis reconfiguration
OSPF adjacency troubleshooting
BGP adjacency troubleshooting
BGP IPV6 NLRI over IPV4 peering
Troubleshooting: Multicast traffic engineering using RIB-groups
Advanced firewall filtering
IPv4 and IPv6 Filter Based Forwarding
Appendix - Chapter One: General System Features
Solution - Task 1: Initial System Configuration
Solution - Task 2: User Authentication and Authorization
Solution - Task 3: Syslog Configuration
Solution - Task 4: SNMP Configuration
Solution - Task 5: Firewall Filters
Appendix - Chapter Two: L2 Switching
Solution - Task 1: L2 Switching Network Deployment
Solution - Task 2: Virtual Chassis
Solution - Task 3: VLAN Configuration
Solution - Task 4: Spanning Tree Configuration
Solution - Task 5: VRRP Configuration
Solution - Task 6: L2 Switching Security Features
Solution - Task 7: Provider Bridging / Q in Q implementation
Appendix - Chapter Three: IGP Routing
Solution - Task 1: Base Network and Virtual Router Deployment
Solution - Task 2: Multi Area OSPF Configuration
Solution - Task 3: RIP Configuration and Redistribution Policies
Solution - Task 4: Protocol-independent Routing and Routing Policies
Solution - Task 5: IPv6 Network Deployment and GRE tunneling
Solution - Task 6: IPv6 IGP Routing
Appendix - Chapter Four: BGP Routing
Solution - Task 1: Base Network Deployment
Solution - Task 2: Advanced BGP Configuration and features
Solution - Task 3: IPv4 BGP Routing Policies
Solution - Task 4: IPv6 BGP Routing Policies
Appendix - Chapter Five: Multicast Routing
Solution - Task 1: Base Network Deployment
Solution - Task 2: Multicast Configuration
Solution - Task 3: Multicast Verification
Appendix - Chapter Six: Class of Service
Solution - Task 1: Base Network Deployment
Solution - Task 2: SRX Forwarding Classes, Queues, and Schedulers
Solution - Task 3: EX Forwarding Classes, Queues, and Schedulers
Solution - Task 4: Network Edge CoS Configuration
Solution - Task 5: Network Core CoS Configuration
Solution - Task 6: CoS Verification
Appendix - Chapter Seven: Super lab 1
D1 final configuration
D2 final configuration
D3 final configuration
D4 final configuration
D5 final configuration
D6 final configuration
Virtual chassis D7D8 final configuration
Appendix - Chapter Eight: Super Lab 1
Task 1: Initial System Configuration
Task 2: Layer 2 Configuration
Task 3: Protocol Independent Routing
Task 4: IGP Configuration
Task 5: BGP Routing
Task 6: Multicast Routing
Task 7: Class of Service
Appendix – Chapter Nine: Super Lab 3
Task 1: Initial System Configuration
Task 2: Layer2 Configuration
Task 3: Protocol Independent Routing
Task 4: IGP Routing
Task 5: BGP Routing
Task 6: Multicast Routing
Task 7: Class of Service
iNET ZERO rack rental service
Do you know that this workbook can be used in combination with our premium JNCIE rack rental service?
Take a look at our website for the latest information: www.inetzero.com
Chapter One: General System Features
TIP: Please read the entire chapter, before you start with the first task.
This chapter will focus on initial system configuration and general system features. You will configure
various features, such as host name, root password, management network access, user authentication and
authorization, NTP, SNMP, Syslog and RE protection Firewall Filters. You will be operating 8 devices D1
through D8. The topology for chapter one is shown in Figure 1.
Figure 1
Task 1: Initial System Configuration
In this part you will configure your devices: host names, root passwords, the OoB management interfaces,
system services, static routing and DNS.
1) Load the latest workbook baseline configurations for this chapter to all devices. Do not forget the
access-switch and vr-device configs as well.
2) Configure the host names for all devices according to Table 1.
Table 1
Device  iNET ZERO rack rental device  Host Name
D1      SRX1 - SRX240                 Mercury
D2      SRX2 - SRX240                 Venus
D3      SRX3 - SRX240                 Earth
D4      SRX4 - SRX240                 Mars
D5      EX1 - EX4200                  Jupiter
D6      EX2 - EX4200                  Saturn
D7      EX3 - EX4200                  Uranus
D8      EX4 - EX4200                  Neptune
3) Configure the OoB management interfaces for each device with the appropriate IP addresses.
The devices and their respective IP addresses are listed in Table 2. Configure the interface
descriptions.
Table 2
Device  OoB Interface Name  OoB Interface IP Address
D1      ge-0/0/0            10.10.1.1/24
D2      ge-0/0/0            10.10.1.2/24
D3      ge-0/0/0            10.10.1.3/24
D4      ge-0/0/0            10.10.1.4/24
D5      me0                 10.10.1.11/24
D6      me0                 10.10.1.12/24
D7      me0                 10.10.1.13/24
D8      me0                 10.10.1.14/24
4) Enable each device to accept management connections for the SSH, Telnet, HTTP, and HTTPS
services. Ensure that the device uses an automatically generated X.509 certificate for
HTTPS. Make sure that all devices accept HTTP and HTTPS management access only on the
OoB management ports.
5) Configure a static route to the management network 10.10.10/24 with next-hop 10.10.1.254.
Make sure this network is never redistributed to any dynamic routing protocol. Ensure the
device is reachable while RPD is not running.
6) Configure server S1 as the DNS server.
Chapter Two: L2 Switching and L2 security
In this chapter you will be configuring and monitoring L2 features such as Aggregated Ethernet links,
VLANs and PVLANs, VLAN routing interface, VRRP, Virtual chassis, LLDP, Voice VLANs as well as security
features like 802.1X, MAC RADIUS, Storm control and MAC address limiting. The summarized view of the
L2 network that you are going to build is shown in Figure 2.
Figure 2
Task 1: L2 Switching Network Deployment
For this task you will configure the following L2 switched network.
Figure 3
1) Make sure that your devices are running the baseline configurations. Use username lab and
password lab123 to log in to the VR-device and load override the Chapter 2 baseline configuration.
2) Build the L2 network as shown in Figure 3. The interface parameters can be found in Table 3.
Configure interfaces i3 and i4 on D5 and D6 to form an Aggregated Ethernet bundle.
3) Enable LACP continuity checking on the AE interface.
Enter this temporary voucher code within 1 week to get 10% off your purchase! (workbooks only)
Go to: www.bit.ly/2cfO1Mx
H2993DJ
Automatically expires within one week of downloading this demo workbook
Content only available in the original workbook
Table 3
Device   Interface  Interface Name  Interface Type
D1       i1         ge-0/0/3.0      L3, IP address: 172.30.96.2/30
Mercury  i2         ge-0/0/10.0     L2, trunk
SRX1     i3         ge-0/0/6.0      L2, trunk
         i4         ge-0/0/9.0      L3, tagged, IP: 192.168.1.0/31
D2       i1         ge-0/0/3.0      L3, IP address: 172.30.96.6/30
Venus    i2         ge-0/0/10.0     L2, trunk
SRX2     i3         ge-0/0/6.0      L2, trunk
         i4         ge-0/0/9.0      L3, tagged, IP: 192.168.1.1/31
Chapter Three: IGP Routing
This chapter is focused on IGP routing. You will configure and monitor IPv4 and IPv6 networks, OSPFv2
and v3 protocols, Multi-area design, the RIP protocol, Routing policies, Protocol-independent routing, BFD
continuity checking, virtual routers and GRE tunnels.
Task 1: Base Network and Virtual Router Deployment
In this task you will load the baseline configuration and configure your devices to create a L3 network.
Figure 4
1) Split the D7_D8 Virtual Chassis into two independent devices D7 and D8.
2) Load override all your devices configuration with the baseline configuration saved in the F1 file.
3) Use username lab and password lab123 to log in to the VR-device and load override the
Chapter 3 baseline configuration.
4) Build the L3 network as shown in Figure 4. Configure interfaces i1 and i2 on D5 and D6 to
form an Aggregated Ethernet bundle.
5) Enable LACP continuity checks on the AE interface.
Chapter Five: Multicast Routing
In this chapter you will configure and monitor the following multicast network protocols: PIM sparse
mode multicast distribution for both ASM and SSM models, IGMPv2 and IGMPv3, PIM Bootstrap protocol,
MSDP protocol and Anycast RP, and Multicast Scoping. The summarized view of the Multicast enabled
network that you are going to build is shown in Figure 5.
Figure 5
[DEMO OUTPUT OMITTED]
1) Enable PIM Sparse mode on all interfaces in your network. Ensure that the OoB
management interfaces do not run PIM.
2) Ensure that the vlan.1000 interface on D7 and D8 uses IGMPv2. Ensure that
interface i5 on D3 uses IGMPv3.
3) Configure the 172.30.5.0/24 LAN IGMP Querier router to act as a PIM
Designated router for the LAN.
4) Configure D7 and D8 to map IGMP reports with an unknown source address and with G3 as
the group address to source S2. Ensure that the devices accept IGMP reports with an
unknown source for the well known SSM range.
Content only available in the original workbook
Chapter Eight: Additional theory
Virtual chassis reconfiguration
Virtual chassis configuration is an important topic to master and might appear on your JNCIE-ENT exam.
It’s likely that you will fail the exam if your virtual chassis is not functioning properly. The reason is simple:
if your layer 2 domain is not working, you can be assured that there are a lot of layer 3 connectivity issues
and you will lose a lot of points for the exam.
In this section we will demonstrate a migration towards a pre provisioned virtual-chassis, where SW1 will
become the routing engine and SW2 a dedicated linecard. Use the following topology as a reference for
this section.
We recommend performing chassis configuration tasks on the console connections.
Let’s first start by looking at the current state of the switches SW1 and SW2.
Verify that the switches' VCP ports are up.
root@vchassis> show virtual-chassis vc-port
fpc0:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
   or                          ID                 (mbps)       ID  Interface
PIC / Port
vcp-0       Dedicated           2    Up           32000        1   vcp-1
vcp-1       Dedicated           1    Up           32000        1   vcp-0

fpc1:
--------------------------------------------------------------------------
Interface   Type              Trunk  Status       Speed        Neighbor
   or                          ID                 (mbps)       ID  Interface
PIC / Port
vcp-0       Dedicated           2    Up           32000        0   vcp-1
vcp-1       Dedicated           1    Up           32000        0   vcp-0

{master:0}
root@vchassis>
All looks fine as both our VCP-0 and VCP-1 connections are working.
Let’s see the current state of our virtual chassis:
root@vchassis> show virtual-chassis

Virtual Chassis ID: 27ee.46c2.d32f
Virtual Chassis Mode: Enabled
                                             Mstr           Mixed Neighbor List
Member ID  Status  Serial No     Model       prio  Role     Mode  ID  Interface
0 (FPC 0)  Prsnt   BM0321431191  sw2200-24t  128   Master*  N     1   vcp-0
                                                                  1   vcp-1
1 (FPC 1)  Prsnt   BM0321431107  sw2200-24t  128   Backup   N     0   vcp-0
                                                                  0   vcp-1

Member ID for next new member: 2 (FPC 2)

{master:0}
root@vchassis>
The following election process will determine which switch will become the master node:
• The member with the highest configured priority (manual). The priority range is from 1-255 where 128 is the factory default.
• The member which previously was functioning as master (before a reboot)
• The member with the highest uptime (more than 1 minute difference is required)
• The member with the lowest MAC address
• The runner-up switch will become the “backup” switch.
[DEMO OUTPUT OMITTED]
Appendix - Chapter One: General System Features
Solution - Task 1: Initial System Configuration
1) Load the latest workbook baseline configurations for this chapter to all devices. Do not forget to
load the access-switch and vr-device configs also.
Log in to the devices and use the following command to load the baseline configuration.
[edit]
root@device# load override terminal
Use Ctrl-D key sequence to end load operation.
2) Use username lab and password lab123 to log in to the VR-device and load override
the Chapter 1 baseline configuration.
[edit]
lab@vr-device# load override <filename>
3) Configure the host names for the devices according to Table 1.
Use the following command to set the host names.
[edit]
root@device# set system host-name Mercury
4) Configure OoB management interfaces in each device with the appropriate IP addresses.
The devices and their respective IP addresses are listed in Table 2. Set the interface
descriptions.
The example below shows the OoB management interface settings on D1.
[edit interfaces]
root@Mercury# show
ge-0/0/0 {
    unit 0 {
        description "OoB management connection";
        family inet {
            address 10.10.1.1/24;
        }
    }
}
5) Enable each device to accept management connections for the SSH, Telnet, HTTP, and
HTTPS services. Ensure that the device uses an automatically generated X.509 certificate
for HTTPS. Make sure all devices accept HTTP and HTTPS management access only on the
OoB management ports.
Use the following example as a guide to complete the step.
[edit system]
root@Mercury# show
services {
    ssh;
    telnet;
    web-management {
        http {
            interface ge-0/0/0.0;
        }
        https {
            system-generated-certificate;
            interface ge-0/0/0.0;
        }
    }
}
6) Configure a static route to the management network 10.10.10/24 with next-hop
10.10.1.254. Make sure the network is never redistributed to any dynamic routing
protocol. Ensure the device is reachable while RPD is not running.
Configure the static route as shown in the example for D1 below.
[edit routing-options]
root@Mercury# show
static {
    route 10.10.10.0/24 next-hop 10.10.1.254 no-readvertise;
}
While RPD is not running, configuring the backup router provides remote reachability.
[edit]
root@Mercury# set system backup-router 10.10.1.254
7) Configure the S1 server as the DNS server.
Use the following command to set the DNS server.
[edit]
root@Mercury# set system name-server 10.10.10.1
8) Set system time zone to Europe/Amsterdam on all your devices.
Use the following command to set the time zone.
[edit]
root@Mercury# set system time-zone Europe/Amsterdam
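A configuration check for the management-plane requirements of this task, as an added example that is not part of the original workbook: it parses the brace-style configuration and reports deviations from steps 5 and 6 (web management bound only to the OoB interface, the system-generated certificate, no-readvertise on the management route, a backup router). The sample configurations are constructed from the D1 snippets above, and the function names are this example's own.

```python
# Constructed sample: the D1 snippets from this solution combined into one configuration.
GOOD = """
system {
    backup-router 10.10.1.254;
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
}
routing-options {
    static {
        route 10.10.10.0/24 next-hop 10.10.1.254 no-readvertise;
    }
}
"""
# Constructed deviations: HTTP bound to another port, route flag and backup router missing.
BAD = (GOOD.replace("interface ge-0/0/0.0;", "interface ge-0/0/1.0;", 1)
           .replace(" no-readvertise", "")
           .replace("backup-router 10.10.1.254;", ""))

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
    return stack[0]

def audit(cfg, oob_ifl, mgmt_prefix):
    """Return deviations from the management-plane requirements of this task."""
    findings = []
    system = cfg.get("system", {})
    web = system.get("services", {}).get("web-management", {})
    for proto in ("http", "https"):
        if proto not in web:
            findings.append(f"{proto}: service not enabled")
            continue
        stanza = web[proto] or {}
        ifls = sorted(k.split()[1] for k in stanza if k.startswith("interface "))
        if ifls != [oob_ifl]:
            findings.append(f"{proto}: expected only {oob_ifl}, found {ifls or 'no interface restriction'}")
    if "system-generated-certificate" not in (web.get("https") or {}):
        findings.append("https: system-generated-certificate not set")
    static = cfg.get("routing-options", {}).get("static", {})
    # Accept both the one-line and the braced form of the route statement.
    routes = [k.split() + [w for s in (v or {}) for w in s.split()]
              for k, v in static.items() if k.split()[:2] == ["route", mgmt_prefix]]
    if not any("no-readvertise" in words for words in routes):
        findings.append(f"route {mgmt_prefix}: missing or lacks no-readvertise")
    if not any(k.startswith("backup-router ") for k in system):
        findings.append("system: backup-router not configured")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_junos(BAD), "ge-0/0/0.0", "10.10.10.0/24")))
```

On the EX devices the OoB logical interface passed to `audit` would be the me0 unit from Table 2 instead of ge-0/0/0.0.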
[DEMO OUTPUT OMITTED]
Solution - Task 2: Multi Area OSPF Configuration
1) Configure a multi area OSPF network according to the requirements in Table 11. Ensure
that all OSPF-enabled Ethernet interfaces are configured as OSPF point-to-point links.
Ensure that the Router ID is explicitly configured. The loopback interface IP address
must be used as the Router ID.
Use the following command to set the Router ID on D1.
[edit]
lab@Mercury# set routing-options router-id 172.30.15.1
Use the following commands to set the Router ID on D2.
[edit]
lab@Mercury# set routing-options router-id 172.30.15.2
[edit]
lab@Venus# set routing-instances Alpha routing-options router-id 172.30.15.9
[edit]
lab@Venus# set routing-instances Beta routing-options router-id 172.30.15.10
[DEMO OUTPUT OMITTED]
Verify that BFD sessions are established using the command in the example below.
lab@Mercury> show bfd session
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
172.30.0.6               Up        ge-0/0/10.0    0.900     0.300        3
172.30.0.10              Up        ge-0/0/6.0     0.900     0.300        3

2 sessions, 2 clients
Cumulative transmit rate 6.7 pps, cumulative receive rate 6.7 pps
2) Configure all your routers to automatically calculate an OSPF metric of 10 for 1G
interfaces.
Use the following command to ensure that the routers automatically calculate a metric of 10 for 1G
interfaces.
[edit protocols ospf]
lab@Mercury# set reference-bandwidth 10g
3) Ensure that all OSPF adjacencies are in the Full state and that connectivity is
provided between all routers' loopback IP addresses.
Verify that the OSPF adjacencies are successfully established using the following command:
lab@Mercury> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
172.30.0.6       ge-0/0/10.0            Full      172.30.15.6      128    39
172.30.0.10      ge-0/0/6.0             Full      172.30.15.5      128    30
172.30.0.2       vl-172.30.15.2         Full      172.30.15.2        0    36
172.30.0.2       ge-0/0/1.0             Full      172.30.15.2      128    37
Use the following command to verify the OSPF adjacencies on D2a and D2b routers.
lab@Venus> show ospf neighbor instance Alpha
Address          Interface              State     ID               Pri  Dead
172.30.0.17      ge-0/0/15.0            Full      172.30.15.2      128    39
172.30.0.22      lt-0/0/0.0             Full      172.30.15.10     128    32
lab@Venus> show ospf neighbor instance Beta
Address          Interface              State     ID               Pri  Dead
172.30.0.26      ge-0/0/7.0             Full      172.30.15.6      128    33
172.30.0.21      lt-0/0/0.1             Full      172.30.15.9      128    30
Verify that all the routers have the other routers' loopback IP addresses in their routing tables using the
example command below.
lab@Mercury> show route protocol ospf terse | match "/32"
* 172.30.15.2/32     O  10          1            >172.30.0.2
* 172.30.15.3/32     O  10          2            >172.30.0.10
* 172.30.15.4/32     O  10          2             172.30.0.6
* 172.30.15.5/32     O  10          1            >172.30.0.10
* 172.30.15.6/32     O  10          1            >172.30.0.6
* 172.30.15.7/32     O  10          3             172.30.0.6
* 172.30.15.8/32     O  10          3            >172.30.0.6
* 172.30.15.9/32     O  10          3            >172.30.0.6
* 172.30.15.10/32    O  10          2            >172.30.0.6
* 224.0.0.5/32       O  10          1             MultiRecv
Verify that D7 and D8 do not have any Type 3, Type 4 or Type 5 LSAs in their databases and that they
receive a default route from both D3 and D4, which are the ABRs.
{master:0}
lab@Uranus> show ospf database
OSPF database, Area 0.0.0.2
DEMO END
This workbook was developed by iNET ZERO.
All rights reserved. No part of this publication may be reproduced or distributed in any form or
by any means without the prior written permission of iNET ZERO a registered company in the
Netherlands. This product cannot be used by or transferred to any other person.
You are not allowed to rent, lease, loan or sell iNET ZERO training products including this
workbook and its configurations. You are not allowed to modify, copy, upload, email or
distribute this workbook in any way. This product may only be used and printed for your
own personal use and may not be used in any commercial way. Juniper (c), Juniper Networks
inc, JNCIE, JNCIP, JNCIS, JNCIA, Juniper Networks Certified Internet Expert, are registered
trademarks of Juniper Networks, Inc.
The original workbook has helped 340+ people achieve the expert certification.
Unfortunately you have reached the end of this demo workbook.