Archive for the ‘ JNCIA ’ Category

Juniper Exams vs Cisco Exams

Juniper exams are interesting.  I’ve written before that they expect you to understand a lot of the underlying concepts before you take the exam.

The exams are entirely written.  They’re multiple choice, both single-answer and multiple-answer.  This format works well, and even with this format the questions are extremely difficult.  I, for one, am glad there are no labs or drag-and-drop questions.  Why?

I took a Cisco exam, the ICND1 or CCENT exam.  On this exam was a simulator.  In this simulator a question was asked inquiring about a connectivity issue.  Using the show interface <if-name> command revealed that the interface was up and up.  The problem is that this wasn’t an option in the answers.  And none of the other options were valid, either.  I was at an impasse.  Four options, none of them valid answers.  In desperation, I issued the show ip interface brief command.  I was shocked and amazed to discover that this command showed a different status for the interfaces than the show interface command.  I had my answer, but I almost missed a question because show interface and show ip interface brief showed two completely different statuses for an interface.  They should have had the same output, regardless of what Cisco was looking for.  This question was extremely unfair and very poorly designed and executed.

Because Juniper doesn’t use simulators, it doesn’t suffer from this problem.  Whether these potential bugs or “features” are the reasons for them not using simulators or not, I applaud them.  I cannot praise the simplicity of the Juniper Networks certification exams enough.  Without the complexities, there are fewer potential bugs or issues.  Yet their exams are still difficult enough to ensure their own validity and to validate the knowledge and skills of their candidates.

Juniper, please learn from this post and keep these points in mind.  I fully believe that simulators and the like can, will, and have prevented otherwise successful candidates from passing their exams.  I am even more displeased with Cisco after taking their exams.  And I’m more impressed by Juniper for avoiding the pitfalls that Cisco suffers from.

For the Love of Networking or How I Learned to Stop Worrying and Love the Bomb

People usually tell you to do what you love. What they may not tell you is that you probably shouldn’t do something unless you love it.

There are obviously exceptions to this. If you need the work and can’t get anything else, you have to do what you have to do. However, with IT, the rule of “do what you love” seems particularly harsh.

I realize more and more that, with IT in general, if you don’t love what you do, you won’t get very far. You’ll probably work at a Tier I help desk for the rest of your life. While someone has to do it (and while it can be an art itself), I think most people aspire to more. Unfortunately, if you don’t love it, you won’t get any further.

As I study for my JNCIS, I have realized more and more that if I didn’t really want this, there’s no way I could pass it honestly. Sure, I could use a brain dump (read here for why not to) and pass, but that wouldn’t get me very far. I would either bomb every interview or get lucky, get hired, and then get fired within 30 days as my employer realizes I cheated on the test.

This stuff isn’t extremely simple. It’s not overly difficult, but you’re going to hate it if you don’t crave it. And if you hate it, how far do you realistically expect to get?

If you love it, don’t worry. It will all come with perseverance and dedication. Just study, ask questions, and delve deeper and deeper.

JNCIA Question of the Week #6 – Commit Requirements

Q:

With a clean Juniper router (one that is using the factory default configuration), what must be set before the router will allow you to commit configuration changes? How is this option set?

A:

Chris got it right, of course. Junos will not commit any configuration until a root password has been set under [edit system root-authentication]; the commit fails with a missing-statement error until one exists. The command to set one is:
set system root-authentication plain-text-password
The CLI prompts for the password interactively and stores only a hash of it, which shows up as encrypted-password in the committed configuration.

If you’re reading this and preparing for JNCIA-Junos, be sure you know this. Even if it’s not on the exam, it’s a pretty basic skill. Don’t use Brain Dumps!
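What this looks like on the box, as an added example rather than a capture from the original post: the commit error a factory-default Junos device prints before any root password exists, followed by the fix. The password is entered interactively at the prompts and is never shown.

```junos
# Added example (not from the original post): the commit failure you get on a
# factory-default Junos device before any root password exists, and the fix.
# The CLI asks for the password interactively; only a hash of it is stored.
root# commit
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)

root# set system root-authentication plain-text-password
New password:
Retype new password:

root# commit
commit complete
```

After the commit, show configuration system root-authentication displays the stored hash as encrypted-password, not the password you typed.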

JNCIA Question of the Week #5 – Benefits of Class of Service

Q:

Class of Service offers a number of benefits. From the list below, select 3.

  • Quicker Network Convergence
  • Eliminates Congestion
  • Prioritizes Latency-Sensitive Network Traffic, Such as VoIP
  • Allocates Bandwidth According to Service Type
  • Forces Packets Through, Eliminating Packet Loss
  • Alleviates Congestion, but Does Not Eliminate it

[edit]

A:

  • Prioritizes Latency-Sensitive Network Traffic, Such as VoIP
  • Allocates Bandwidth According to Service Type
  • Alleviates Congestion, but Does Not Eliminate it

Feature Lab Friday #3 – Securing Telnet Access

This coincides with the previous JNCIA Question of the Week regarding how to secure access via telnet. Our objective is to limit telnet access to a router to a specific source address: R1 should accept telnet only from R2’s loopback address. To test it, we will use the source option of the Junos telnet command, which lets us choose which of R2’s addresses each connection attempt comes from.

First, we will assume that you have two routers configured in the following way:

  • R1 – em0.0 172.16.0.1/30
  • R1 – em1.0 192.168.1.1/24
  • R1 – lo0.0 10.1.1.1
  • R2 – em0.0 172.16.0.2/30
  • R2 – em1.0 192.168.2.1/24
  • R2 – lo0.0 10.2.2.2

We will assume that you have the em0.0 interfaces directly connected to each other. We will also assume that we have routes to all subnets, whether they are statically or dynamically configured.

First, log into R2 and issue the following command:
telnet source 192.168.2.1 10.1.1.1
It should succeed. Now issue this command:
telnet source 10.2.2.2 10.1.1.1
This should also succeed. Right now, anything with a route to R1 can telnet to it. We’re going to build a firewall filter that restricts telnet access to R1 to the 10.2.2.2 address alone. Obviously this isn’t very practical in the real world, since you would only be able to reach R1 by logging into R2 first, but it shows how to configure the more practical case of a management subnet, which you would list in the prefix list instead of a single address.

The following commands build the filter that restricts telnet access to R1. Only the 10.2.2.2 address will be able to telnet to the router; other services are untouched. Two things to keep in mind while reading it: the terms are evaluated in order, and the final accept-other-traffic term matters because a Junos firewall filter ends with an implicit discard that would otherwise drop every other packet destined for the Routing Engine, including routing-protocol traffic. Also, the filter has no effect until it is applied as an input filter on R1’s lo0.0 interface (under [edit interfaces lo0 unit 0 family inet]); a filter on lo0.0 is evaluated for all traffic addressed to the Routing Engine, whichever interface it arrives on.

[edit]
root# edit firewall filter restrict-telnet term accept-telnet

[edit firewall filter restrict-telnet term accept-telnet]
root# set from source-prefix-list trusted-subnets

[edit firewall filter restrict-telnet term accept-telnet]
root# set from protocol tcp

[edit firewall filter restrict-telnet term accept-telnet]
root# set from destination-port telnet

[edit firewall filter restrict-telnet term accept-telnet]
root# set then accept

[edit firewall filter restrict-telnet term accept-telnet]
root# up

[edit firewall filter restrict-telnet]
root# edit term reject-telnet

[edit firewall filter restrict-telnet term reject-telnet]
root# set from protocol tcp

[edit firewall filter restrict-telnet term reject-telnet]
root# set from destination-port telnet

[edit firewall filter restrict-telnet term reject-telnet]
root# set then discard

[edit firewall filter restrict-telnet term reject-telnet]
root# up

[edit firewall filter restrict-telnet]
root# set term accept-other-traffic then accept

[edit firewall filter restrict-telnet]
root# top

[edit]
root# set policy-options prefix-list trusted-subnets 10.2.2.2

Now, if we try to telnet from our 192.168.2.0/24 subnet, telnet will simply hang: the reject-telnet term uses discard, which drops the SYN silently, so R2 keeps retrying until we interrupt it. (A reject action would instead send an ICMP error back and fail immediately.)

root> telnet source 192.168.2.1 10.1.1.1
Trying 10.1.1.1…
^C
root>

But if we telnet from the 10.2.2.2 address, we will get our login prompt:

root> telnet source 10.2.2.2 10.1.1.1
Trying 10.1.1.1…
Connected to 10.1.1.1.
Escape character is ‘^]’.

(ttyp0)

login:
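The whole lab as a set-style configuration you can paste into R1, assembled here as an added example rather than taken from the capture above. It adds the one step the capture leaves out, binding the filter to lo0.0 as an input filter, plus two count actions (the counter names telnet-accepted and telnet-discarded are chosen here) so each term can be verified from its counters. Addresses are the lab’s.

```junos
# Added example (not the capture from the original post): the complete
# restrict-telnet filter for R1 in set form, including the binding to lo0.0
# that the capture omits. Addresses are the lab's; the count actions and the
# counter names telnet-accepted / telnet-discarded are additions for verification.

# Trusted sources: a single /32 here, a management subnet in practice.
set policy-options prefix-list trusted-subnets 10.2.2.2/32

# Term 1: telnet (TCP/23) from a trusted source is accepted.
set firewall filter restrict-telnet term accept-telnet from source-prefix-list trusted-subnets
set firewall filter restrict-telnet term accept-telnet from protocol tcp
set firewall filter restrict-telnet term accept-telnet from destination-port telnet
set firewall filter restrict-telnet term accept-telnet then count telnet-accepted
set firewall filter restrict-telnet term accept-telnet then accept

# Term 2: any other telnet is silently dropped (discard sends nothing back,
# which is why the failing client hangs; reject would send an ICMP error).
set firewall filter restrict-telnet term reject-telnet from protocol tcp
set firewall filter restrict-telnet term reject-telnet from destination-port telnet
set firewall filter restrict-telnet term reject-telnet then count telnet-discarded
set firewall filter restrict-telnet term reject-telnet then discard

# Term 3: everything else to the Routing Engine is accepted. Without it the
# filter's implicit discard would also drop SSH, SNMP, ICMP and routing hellos.
set firewall filter restrict-telnet term accept-other-traffic then accept

# The filter does nothing until it is bound. An input filter on lo0.0 is
# evaluated for every packet addressed to the Routing Engine, regardless of
# the interface it arrived on, so telnet to 172.16.0.1 is covered as well.
set interfaces lo0 unit 0 family inet filter input restrict-telnet

commit and-quit
```

After the commit, repeat the two tests from R2 (telnet 10.1.1.1 source 192.168.2.1 and telnet 10.1.1.1 source 10.2.2.2), then run show firewall filter restrict-telnet on R1: the first attempt increments telnet-discarded and the second telnet-accepted, and clear firewall filter restrict-telnet resets both between runs. Because the filter sits on lo0.0, a telnet aimed at R1’s 172.16.0.1 address from an untrusted source is discarded too. For a real management network, put that subnet in trusted-subnets instead of a single /32, and since telnet is cleartext, prefer enabling SSH under system services and matching destination-port ssh with the same filter structure.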

JNCIA Question of the Week #4 – Securing Remote Access

After several weeks off due to heavy work load and vacation, we’re back with the JNCIA Question of the Week. And to start the week off, we’re going to be asking a more complicated question than has been customary.

Q:

This week, we want to allow telnet access only from a specific subnet.

Assume we have the following scenario:

  • Two routers directly connected through their em0 interfaces on the 172.16.0.0/30 subnet
  • R1’s lo0.0 address is 10.1.1.1
  • R2’s lo0.0 address is 10.2.2.2
  • R1 has the 192.168.1.0/24 network attached to its em1 interface
  • R2 has the 192.168.2.0/24 network attached to its em1 interface
  • We only want to allow telnet access to R1 from R2 from the 10.2.2.2/32 address.

What firewall filter(s) need to be created, to which device(s) and interface(s) must it/they be applied to and in which direction (ingress/egress), and how can we verify the firewall filter(s) work as intended?

This is a very open-ended question. Substitute IP addresses as you want. These were provided strictly as guidelines.

The answer to this week’s question will not be provided until Friday due to its complexity relative to previous questions. Also on Friday will be a Feature Lab Friday detailing how this can be accomplished and why we would want to accomplish such a thing.

[edit]

A:

Please refer to the post here for details on how to answer this question.
[/edit]

JNCIA and Network Fundamentals

There is a very fundamental concept behind the Juniper JNCIA-Junos exams: they expect you to have an understanding of networks before you ever take the exam.

The exam itself expects you to understand concepts such as subnetting and other networking basics. If you are not familiar with subnetting, how it’s done, why it’s done, what it means, etc., please consider taking the CompTIA Network+ exam. The official materials for the JNCIA-Junos exam do not really go over the fundamentals of data networking. (please see the note at the end of this post)

If you need to study or brush up on your networking fundamentals, I can recommend Michael Meyers’ CompTIA Network+ Guide to Managing and Troubleshooting Networks, Second Edition. It is several years old now, but it is still an excellent book.

If you’re looking for something more up-to-date, or if you prefer videos to books, check out Professor Messer’s N10-004 CompTIA Network+ Training Course. They’re free, too!

I don’t think that anyone could stress enough how important the fundamentals are. Although subnetting seemed to be the only fundamental stressed on the JNCIA-Junos exam that wasn’t covered in the official materials, everything on the Network+ exam is important to a career as a network technician, analyst, or engineer.

[note]
When I say “official materials,” I am talking about the materials offered via FastTrack. I don’t have the funds to purchase the JNCIA-Junos handbooks or attend the JNCIA-Junos classes. While the FastTrack video does talk about several fundamental concepts, I feel that it does not touch on them enough.
[/note]