/r/jncip
The Reddit Juniper Ring
/r/jncip
Hi everyone, I want to create an eve-ng on the cloud to practice JNCIP labs, with approximately 14-20 nodes vmx. Which hourly plan would be the best choice?
Hi,
anyone have recertified for JNCIP SEC with course attendence ?
i'm planning to take the "jncie-sec certification self-study bundle" to get recertified and i can't find math on internet regards.
Thanks
Looks like no one posts here regularly. So I figured why not.
I just passed my JNCIP-SP. By a hair!
I don't really have any advice. I just wanted to tell some one and unwind from all that stress.
I self studied for about 2 months.
I watched the videos on juniper's learning site. They moved everything and I think they took away things that existed before March. But what can you do? I just spent time searching their site for content. I couldn't afford the 4-6k per online class so I did what I had to. If anyone can't find the content I could share the URLs.
I organized a notebook by topic and read the juniper website to learn more and see configuration examples.
I took the practice tests from juniper and then carefully marked how many i got wrong from each subject and then went back to research those subjects more.
I would say if I had to do it again I would focus on just one subject at a time and not move on until I mastered that subject. The way I studied was very unorganized. And I found myself not really digging in deep and then not learning everything but just the slimmest amount. In the end I focused on single subjects and really focused on them. That seemed to help the most.
It was really frustrating. There are so many things to remember. I found myself learning about one thing then forgetting all of it when I learned the next subject. And I'd have to go back and read it all over again.
I probably brought this on myself by setting a deadline. Give yourself time. Don't rush. That's another thing I learned. Rushing it made me stress even more and then my brain would just block me from learning.
Good luck to anyone else taking it! It's a pretty tough exam.
Lecture 3: https://youtu.be/RlvbqZbTYj0
Register Here: http://sudoupgrade.com/PythonForNetworkEngineers/registration.html
FREE OpenStack lab access: sudoupgrade.com/openstack
Hi all, I’m recently passed my JNCIS-SP and want to start prepping for JNCIP-SP.
Unfortunately the Juniper Recommended materials and courses are way too expensive for me. Are there any other resources one could use?
Thanks
I thought I was going to fail that exam so hard. Squeaked in by 2%
So relieved! Needed to vent, even if the last post here was a year ago!
Hello everyone, I'm going to be taking the JNCIS-ENT soon and I want to start planning for my JNCIP-ENT studies. So far I plan on reading the O'Rielly routing and switching books, but I'm also considering the FryGuy book. The author really seems to know his stuff and I'm wondering if anyone else has experience with it. Thanks. https://leanpub.com/JNCIE-ENT/c/5ynkTZvi6wYw
My MPLS post the other week was pretty well received so I figured might as well show the other side of the coin and do it again with Juniper boxes.
#Topology
Today's Topology is similar to last time but Juniperified, we have:
There are again two customers, CUST-A and CUST-B because originality is hard.
To save on some config space I'll just focus on a single router at a time unless there is differences that are worth seeing.
#Provider Routers
###Disable Flow Mode
I'm using SRX routers for my core so we need to disable the default flow based mode and reboot the boxes before we can use them with MPLS.
root@P01# set security forwarding-options family inet6 mode packet-based
[edit]
root@P01# set security forwarding-options family mpls mode packet-based
[edit]
root@P01# set security forwarding-options family iso mode packet-based
root@P01# commit
commit complete
[edit]
root@P01# run request system reboot
Reboot the system ? [yes,no] (no) yes
Once this is done we will no longer need to use security zones for everything.
###Basic Setup
To keep things clean I'm using a virtual-router instance to move the first interface into another routing table for management.
set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0
set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.211/24
Most of my interfaces are connecting to trunk ports to make life easier so I'm going to enable vlan tagging and use subinterfaces to connect to everything.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.1/24
set interfaces ge-0/0/1 unit 3012 vlan-id 3012
set interfaces ge-0/0/1 unit 3012 family inet address 10.1.2.1/24
set interfaces ge-0/0/1 unit 3013 vlan-id 3013
set interfaces ge-0/0/1 unit 3013 family inet address 10.1.3.1/24
set interfaces ge-0/0/1 unit 3014 vlan-id 3014
set interfaces ge-0/0/1 unit 3014 family inet address 10.1.4.1/24
set interfaces lo0 unit 0 family inet address 192.168.255.1/32
Then I'll just turn on OSPF on all active interfaces in the routing instance.
root@P01# set protocols ospf area 0.0.0.0 interface all
Once we are done we should see a neighbor with every other P router and a PE router (once we get that far)
root@P01# run show ospf neighbor
Address Interface State ID Pri Dead
10.1.11.254 ge-0/0/1.3011 Full 192.168.255.11 128 39
10.1.2.2 ge-0/0/1.3012 Full 192.168.255.2 128 32
10.1.3.3 ge-0/0/1.3013 Full 192.168.255.3 128 39
10.1.4.4 ge-0/0/1.3014 Full 192.168.255.4 128 34
###Enabling MPLS
While Cisco put effort into making sure MPLS is turned on right away, Juniper takes a bit more effort.
First we need to enable MPLS and LDP in the control plane under protocols, we can conveniently use the interface all keyword to enable it on all interfaces.
root@P01# set protocols mpls interface all
root@P01# set protocols ldp interface all
Next we need to turn it on for the forwarding plane by adding the mpls family to each interface on the router that will be in the MPLS path. This can be a bit annoying so you might want to look into things like config groups to ease the admin burden.
set interfaces ge-0/0/1 unit 3011 family mpls
set interfaces ge-0/0/1 unit 3012 family mpls
set interfaces ge-0/0/1 unit 3013 family mpls
set interfaces ge-0/0/1 unit 3014 family mpls
set interfaces lo0 unit 0 family mpls
#Route Reflector
We'll use a route reflector again but this time I'm just take advantage of the logical-system feature to carve PE01 and PE02 into two new Route Reflector boxes.
###RR01
First we'll turn on vlan-tagging for the interface I want to use since we still need to configure physical stuff at the interface level in logical-systems.
root@PE11# set interfaces ge-0/0/2 vlan-tagging
Next we configure the interfaces like above under the logical-system.
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 vlan-id 3123
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family inet address 10.0.123.254/24
root@PE11# set logical-systems RR01 interfaces ge-0/0/2 unit 3123 family mpls
root@PE11# set logical-systems RR01 interfaces lo0 unit 1 family inet address 192.168.255.154/32
root@PE11# set logical-systems RR01 protocols ospf area 0.0.0.0 interface all
root@PE11# set logical-systems RR01 protocols mpls interface all
root@PE11# set logical-systems RR01 protocols ldp interface all
BGP is configured with the inet-vpn
family which is the same as Cisco's VPNv4 family, the route reflector will have all for PEs as a peer, will use 65123 as the AS for iBGP and will set a cluster-id so Juniper knows it is a Route Reflector.
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL type internal
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL local-address 192.168.255.154
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL family inet-vpn unicast
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL cluster 192.168.255.254
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.11
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.22
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.33
root@PE11# set logical-systems RR01 protocols bgp group PE-INTERNAL neighbor 192.168.255.44
root@PE11# set logical-systems RR01 routing-options autonomous-system 65123
###RR02
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 vlan-id 3123
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family inet address 10.1.123.254/24
root@PE22# set logical-systems RR02 interfaces ge-0/0/2 unit 3123 family mpls
root@PE22# set logical-systems RR02 interfaces lo0 unit 1 family inet address 192.168.255.254/32
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL type internal
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL local-address 192.168.255.254
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL family inet-vpn unicast
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL cluster 192.168.255.254
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.11
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.22
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.33
root@PE22# set logical-systems RR02 protocols bgp group PE-INTERNAL neighbor 192.168.255.44
root@PE22# set logical-systems RR02 protocols ospf area 0.0.0.0 interface all
root@PE22# set logical-systems RR02 protocols mpls interface all
root@PE22# set logical-systems RR02 protocols ldp interface all
root@PE22# set logical-systems RR02 routing-options autonomous-system 65123
#Provider Edge
The PE will be similar to the Route-Reflector minus the logical system stuff, we'll setup the interfaces enable OSPF and MPLS, then peer with each of the RRs.
root@PE11# set routing-instances MGMT instance-type virtual-router
root@PE11# set routing-instances MGMT interface ge-0/0/0.0
root@PE11# set routing-instances MGMT routing-options static route 0.0.0.0/0 next-hop 10.20.2.1
root@PE11# set interfaces ge-0/0/0 unit 0 family inet address 10.20.2.201/24
root@PE11# set interfaces ge-0/0/1 vlan-tagging
root@PE11# set interfaces ge-0/0/1 unit 3011 vlan-id 3011
root@PE11# set interfaces ge-0/0/1 unit 3011 family inet address 10.1.11.254/24
root@PE11# set interfaces ge-0/0/1 unit 3011 family mpls
root@PE11# set interfaces ge-0/0/1 unit 3123 vlan-id 3123
root@PE11# set interfaces ge-0/0/1 unit 3123 family inet address 10.0.123.11/24
root@PE11# set interfaces ge-0/0/1 unit 3123 family mpls
root@PE11# set interfaces ge-0/0/2 vlan-tagging
root@PE11# set interfaces ge-0/0/5 unit 0 family inet address 192.168.1.254/24
root@PE11# set interfaces lo0 unit 0 family inet address 192.168.255.11/32
root@PE11# set interfaces lo0 unit 0 family inet6 address 2001:1234::1/128
root@PE11# set interfaces lo0 unit 0 family mpls
root@PE11# set routing-options autonomous-system 65123
root@PE11# set protocols bgp group RR type internal
root@PE11# set protocols bgp group RR local-address 192.168.255.11
root@PE11# set protocols bgp group RR family inet-vpn unicast
root@PE11# set protocols bgp group RR neighbor 192.168.255.154
root@PE11# set protocols bgp group RR neighbor 192.168.255.254
#VRF / Policies
Now our BGP is up it is time to create the last piece of the L3VPN and which is making the policies as well as the VRF the CE goes into.
###Policies
In Cisco land we controlled what route we imported and exported under the VRF configuration, Juniper does that too but for more granular control we will make a more elaborate policy.
First we make an community policy that just exports the PE's RD on each router.
root@PE11# set policy-options community RT-EXPORT-CE01 members target:65123:101
Next we'll do the same for the import community where we will make one for each CE for flexibility's sake.
root@PE11# set policy-options community RT-IMPORT-CE01 members target:65123:101
root@PE11# set policy-options community RT-IMPORT-CE02 members target:65123:102
root@PE11# set policy-options community RT-IMPORT-CE03 members target:65123:103
root@PE11# set policy-options community RT-IMPORT-CE04 members target:65123:104
With that in place we make a policy that will become our VRF-Export policy, we will say that if the protocol is directly connected or one of the routing protocols then we will add the export community and accept the route.
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT from protocol [ direct bgp rip ospf ]
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then community add RT-EXPORT-CE01
root@PE11# set policy-options policy-statement EXPORT-CE01 term EXPORT then accept
If it doesn't match that criteria then we will reject it.
root@PE11# set policy-options policy-statement EXPORT-CE01 term REJECT then reject
The VRF-Import policy will always be from MBGP so we match on protocol BGP, then we select what communities we want to talk to each other.
In our topology Cust-A is CE01 and CE02 so we'll do that then reject the rest.
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from protocol bgp
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT from community [ RT-IMPORT-CE01 RT-IMPORT-CE02 ]
root@PE11# set policy-options policy-statement IMPORT-CE01 term IMPORT then accept
root@PE11# set policy-options policy-statement IMPORT-CE01 term REJECT then reject
###VRFs
With all that in place we need to make a VRF instance. In my case I'm using ge-0/0/5 on all the PEs as the CE interface so we add it to the VRF, we also set the PE's proper RD and apply the VRF policies we just made. We also use vrf-table-label
to help make the L3VPN happy.
root@PE11# set routing-instances CE01 instance-type vrf
root@PE11# set routing-instances CE01 interface ge-0/0/5.0
root@PE11# set routing-instances CE01 route-distinguisher 65123:101
root@PE11# set routing-instances CE01 vrf-import IMPORT-CE01
root@PE11# set routing-instances CE01 vrf-export EXPORT-CE01
root@PE11# set routing-instances CE01 vrf-table-label
We'll also set the router-id for the instance just to have a bit more control
root@PE11# set routing-instances CE01 routing-options router-id 192.168.255.11
#Customer Edge
###PE01
Finally we will start working on the CE routing!
We need an export policy so Juniper knows what to send so I'll make a simple one that just accepts any route, since PE01 is BGP we'll setup that too. The config is the same as you have seen though you may want to use the as-override option if you are using BGP.
root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set routing-instances CE01 protocols bgp group CUST-A type external
root@PE11# set routing-instances CE01 protocols bgp group CUST-A export EXPORT-BGP
root@PE11# set routing-instances CE01 protocols bgp group CUST-A peer-as 65101
root@PE11# set routing-instances CE01 protocols bgp group CUST-A neighbor 192.168.1.1 as-override
root@PE11# set policy-options policy-statement EXPORT-BGP then accept
root@PE11# set policy-options policy-statement EXPORT-OSPF from protocol bgp
root@PE11# set policy-options policy-statement EXPORT-OSPF then accept
root@PE11# set policy-options policy-statement EXPORT-RIP then metric 5
root@PE11# set policy-options policy-statement EXPORT-RIP then accept
###CE01, CE02, CE03, CE04
Since the CE's are still in flow mode, we need to make sure the interfaces we use are trusted by the security zone, we could get more specific but we aren't really playing with the firewall today :)
root@CE01# set security zones security-zone trust host-inbound-traffic system-services all
root@CE01# set security zones security-zone trust host-inbound-traffic protocols all
root@CE01# set security zones security-zone trust interfaces ge-0/0/1.0
root@CE01# set security zones security-zone trust interfaces ge-0/0/2.0
###CE01
For BGP we just do a normal peering and advertise everything directly connected.
root@CE01# set policy-options policy-statement EXPORT-BGP from protocol direct
root@CE01# set policy-options policy-statement EXPORT-BGP then accept
root@CE01# set protocols bgp group CUST-A type external
root@CE01# set protocols bgp group CUST-A export EXPORT-BGP
root@CE01# set protocols bgp group CUST-A peer-as 65123
root@CE01# set protocols bgp group CUST-A neighbor 192.168.1.254
###CE02
Same with RIP for CE02
root@CE02# set policy-options policy-statement EXPORT-RIP from protocol direct
root@CE02# set policy-options policy-statement EXPORT-RIP then accept
root@CE02# set protocols rip group CUST-A export EXPORT-RIP
root@CE02# set protocols rip group CUST-A neighbor ge-0/0/1.0
###CE03 and CE04
The OSPF CE is a bit unique because it is the only protocol we are looking at today that cares about external routes. Let's setup OSPF in two ways, one will simply add all interfaces to OSPF and the other will use the export method we have been doing
root@CE03# set protocols ospf area 0.0.0.0 interface all
root@CE03# set protocols ospf area 0.0.0.0 interface lo0.0 passive
root@CE04# set policy-options policy-statement EXPORT-OSPF from protocol direct
root@CE04# set policy-options policy-statement EXPORT-OSPF then accept
root@CE04# set protocols ospf export EXPORT-OSPF
root@CE04# set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
Now we get the routes but routes from CE04 are external! We might talk about OSPF specific MPLS topics another day!
root@CE03# run show ospf route
Topology default Route Table:
Prefix Path Route NH Metric NextHop Nexthop
Type Type Type Interface Address/LSP
192.168.3.254 Intra Area/AS BR IP 1 ge-0/0/1.0 192.168.3.254
172.16.31.0/24 Intra Network IP 1 ge-0/0/2.0
172.16.32.0/24 Intra Network IP 1 ge-0/0/2.0
172.16.33.0/24 Intra Network IP 1 ge-0/0/2.0
172.16.34.0/24 Intra Network IP 1 ge-0/0/2.0
172.16.41.0/24 Ext2 Network IP 0 ge-0/0/1.0 192.168.3.254
172.16.42.0/24 Ext2 Network IP 0 ge-0/0/1.0 192.168.3.254
172.16.43.0/24 Ext2 Network IP 0 ge-0/0/1.0 192.168.3.254
172.16.44.0/24 Ext2 Network IP 0 ge-0/0/1.0 192.168.3.254
192.168.3.0/24 Intra Network IP 1 ge-0/0/1.0
192.168.4.0/24 Ext2 Network IP 0 ge-0/0/1.0 192.168.3.254
#Verification
Now that everything is up we can make sure that BGP is working properly (probably should have done that sooner!)
root@PE11# run show bgp summary
Groups: 2 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
bgp.l3vpn.0
12 6 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.1.1 65101 1803 1794 0 3 13:27:34 Establ
CE01.inet.0: 5/6/6/0
192.168.255.154 65123 1594 1582 0 1 11:54:35 Establ
bgp.l3vpn.0: 6/6/6/0
CE01.inet.0: 6/6/6/0
192.168.255.254 65123 1591 1581 0 1 11:54:41 Establ
bgp.l3vpn.0: 0/6/6/0
CE01.inet.0: 0/6/6/0
We can also see the MPLS interfaces on the router
root@PE11# run show mpls interface
Interface State Administrative groups (x: extended)
ge-0/0/1.3011 Up <none>
ge-0/0/1.3123 Up <none>
[edit]
As well as the LDP neighbors
root@PE11# run show ldp neighbor
Address Interface Label space ID Hold time
10.1.11.1 ge-0/0/1.3011 192.168.255.1:0 14
10.0.123.33 ge-0/0/1.3123 192.168.255.33:0 13
10.0.123.44 ge-0/0/1.3123 192.168.255.44:0 13
10.0.123.254 ge-0/0/1.3123 192.168.255.154:0 11
###PE01 Routing Table
Juniper groups everything into the routing table so we can see the main routing table, the MPLS labels, the VRF routes, and IPv6 routes all in one place! We can also see the INET-VPN routes so we can see if things are being learned properly.
root@PE11# run show route
inet.0: 26 destinations, 26 routes (26 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.123.0/24 *[Direct/0] 12:09:45
> via ge-0/0/1.3123
10.0.123.11/32 *[Local/0] 12:09:45
Local via ge-0/0/1.3123
10.1.2.0/24 *[OSPF/10] 14:45:03, metric 2
> to 10.1.11.1 via ge-0/0/1.3011
10.1.3.0/24 *[OSPF/10] 14:45:03, metric 2
> to 10.1.11.1 via ge-0/0/1.3011
10.1.4.0/24 *[OSPF/10] 14:45:03, metric 2
> to 10.1.11.1 via ge-0/0/1.3011
10.1.11.0/24 *[Direct/0] 14:45:09
> via ge-0/0/1.3011
10.1.11.254/32 *[Local/0] 14:45:09
Local via ge-0/0/1.3011
10.1.123.0/24 *[OSPF/10] 11:41:39, metric 2
> to 10.0.123.33 via ge-0/0/1.3123
to 10.0.123.44 via ge-0/0/1.3123
10.2.3.0/24 *[OSPF/10] 11:42:39, metric 3
to 10.1.11.1 via ge-0/0/1.3011
> to 10.0.123.33 via ge-0/0/1.3123
10.2.4.0/24 *[OSPF/10] 11:41:48, metric 3
to 10.1.11.1 via ge-0/0/1.3011
> to 10.0.123.44 via ge-0/0/1.3123
10.2.22.0/24 *[OSPF/10] 11:41:39, metric 3
to 10.1.11.1 via ge-0/0/1.3011
to 10.0.123.33 via ge-0/0/1.3123
> to 10.0.123.44 via ge-0/0/1.3123
10.3.4.0/24 *[OSPF/10] 11:41:48, metric 3
to 10.1.11.1 via ge-0/0/1.3011
to 10.0.123.33 via ge-0/0/1.3123
> to 10.0.123.44 via ge-0/0/1.3123
10.3.33.0/24 *[OSPF/10] 11:42:39, metric 2
> to 10.0.123.33 via ge-0/0/1.3123
10.4.44.0/24 *[OSPF/10] 11:41:48, metric 2
> to 10.0.123.44 via ge-0/0/1.3123
192.168.255.1/32 *[OSPF/10] 14:45:03, metric 1
> to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32 *[OSPF/10] 12:00:32, metric 2
> to 10.1.11.1 via ge-0/0/1.3011
192.168.255.3/32 *[OSPF/10] 11:42:39, metric 2
> to 10.1.11.1 via ge-0/0/1.3011
to 10.0.123.33 via ge-0/0/1.3123
192.168.255.4/32 *[OSPF/10] 11:41:48, metric 2
> to 10.1.11.1 via ge-0/0/1.3011
to 10.0.123.44 via ge-0/0/1.3123
192.168.255.11/32 *[Direct/0] 14:52:17
> via lo0.0
192.168.255.22/32 *[OSPF/10] 11:41:39, metric 2
> to 10.0.123.33 via ge-0/0/1.3123
to 10.0.123.44 via ge-0/0/1.3123
192.168.255.33/32 *[OSPF/10] 11:42:39, metric 1
> to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32 *[OSPF/10] 11:41:48, metric 1
> to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[OSPF/10] 12:07:04, metric 1
> to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[OSPF/10] 11:41:39, metric 2
to 10.0.123.33 via ge-0/0/1.3123
> to 10.0.123.44 via ge-0/0/1.3123
224.0.0.2/32 *[LDP/9] 14:52:17, metric 1
MultiRecv
224.0.0.5/32 *[OSPF/10] 14:52:17, metric 1
MultiRecv
inet.3: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.255.1/32 *[LDP/9] 14:45:03, metric 1
> to 10.1.11.1 via ge-0/0/1.3011
192.168.255.2/32 *[LDP/9] 12:00:32, metric 1
> to 10.1.11.1 via ge-0/0/1.3011, Push 299840
192.168.255.3/32 *[LDP/9] 11:42:38, metric 1
> to 10.1.11.1 via ge-0/0/1.3011, Push 299808
to 10.0.123.33 via ge-0/0/1.3123, Push 299776
192.168.255.4/32 *[LDP/9] 11:41:47, metric 1
> to 10.1.11.1 via ge-0/0/1.3011, Push 299792
to 10.0.123.44 via ge-0/0/1.3123, Push 299776
192.168.255.22/32 *[LDP/9] 11:37:45, metric 1
> to 10.0.123.33 via ge-0/0/1.3123, Push 299952
to 10.0.123.44 via ge-0/0/1.3123, Push 299952
192.168.255.33/32 *[LDP/9] 11:42:38, metric 1
> to 10.0.123.33 via ge-0/0/1.3123
192.168.255.44/32 *[LDP/9] 11:41:47, metric 1
> to 10.0.123.44 via ge-0/0/1.3123
192.168.255.154/32 *[LDP/9] 11:44:55, metric 1
> to 10.0.123.254 via ge-0/0/1.3123
192.168.255.254/32 *[LDP/9] 11:37:45, metric 1
to 10.0.123.33 via ge-0/0/1.3123, Push 299936
> to 10.0.123.44 via ge-0/0/1.3123, Push 299936
CE01.inet.0: 13 destinations, 20 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.11.0/24 *[BGP/170] 13:28:31, localpref 100
AS path: 65101 I, validation-state: unverified
> to 192.168.1.1 via ge-0/0/5.0
172.16.12.0/24 *[BGP/170] 13:28:31, localpref 100
AS path: 65101 I, validation-state: unverified
> to 192.168.1.1 via ge-0/0/5.0
172.16.13.0/24 *[BGP/170] 13:28:31, localpref 100
AS path: 65101 I, validation-state: unverified
> to 192.168.1.1 via ge-0/0/5.0
172.16.14.0/24 *[BGP/170] 13:28:31, localpref 100
AS path: 65101 I, validation-state: unverified
> to 192.168.1.1 via ge-0/0/5.0
172.16.21.0/24 *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.22.0/24 *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.23.0/24 *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
172.16.24.0/24 *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.1.0/24 *[Direct/0] 14:45:09
> via ge-0/0/5.0
[BGP/170] 13:28:31, localpref 100
AS path: 65101 I, validation-state: unverified
> to 192.168.1.1 via ge-0/0/5.0
192.168.1.254/32 *[Local/0] 14:45:09
Local via ge-0/0/5.0
192.168.2.0/24 *[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:33:22, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
192.168.254.1/32 *[BGP/170] 13:28:31, localpref 100
AS path: 65101 I, validation-state: unverified
> to 192.168.1.1 via ge-0/0/5.0
192.168.254.2/32 *[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
MGMT.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 14:45:09
> to 10.20.2.1 via ge-0/0/0.0
10.20.2.0/24 *[Direct/0] 14:45:09
> via ge-0/0/0.0
10.20.2.201/32 *[Local/0] 14:45:09
Local via ge-0/0/0.0
mpls.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 14:52:17, metric 1
to table inet.0
0(S=0) *[MPLS/0] 14:52:17, metric 1
to table mpls.0
1 *[MPLS/0] 14:52:17, metric 1
Receive
2 *[MPLS/0] 14:52:17, metric 1
to table inet6.0
2(S=0) *[MPLS/0] 14:52:17, metric 1
to table mpls.0
13 *[MPLS/0] 14:52:17, metric 1
Receive
16 *[VPN/0] 14:52:17
> via lsi.0 (CE01), Pop
299776 *[LDP/9] 14:45:03, metric 1
> to 10.1.11.1 via ge-0/0/1.3011, Pop
299776(S=0) *[LDP/9] 14:45:03, metric 1
> to 10.1.11.1 via ge-0/0/1.3011, Pop
299792 *[LDP/9] 11:41:47, metric 1
to 10.1.11.1 via ge-0/0/1.3011, Swap 299792
> to 10.0.123.44 via ge-0/0/1.3123, Swap 299776
299808 *[LDP/9] 11:42:38, metric 1
to 10.1.11.1 via ge-0/0/1.3011, Swap 299808
> to 10.0.123.33 via ge-0/0/1.3123, Swap 299776
299824 *[LDP/9] 12:00:32, metric 1
> to 10.1.11.1 via ge-0/0/1.3011, Swap 299840
299856 *[LDP/9] 11:42:38, metric 1
> to 10.0.123.33 via ge-0/0/1.3123, Pop
299856(S=0) *[LDP/9] 11:42:38, metric 1
> to 10.0.123.33 via ge-0/0/1.3123, Pop
299872 *[LDP/9] 11:41:47, metric 1
> to 10.0.123.44 via ge-0/0/1.3123, Pop
299872(S=0) *[LDP/9] 11:41:47, metric 1
> to 10.0.123.44 via ge-0/0/1.3123, Pop
299904 *[LDP/9] 11:44:55, metric 1
> to 10.0.123.254 via ge-0/0/1.3123, Pop
299904(S=0) *[LDP/9] 11:44:55, metric 1
> to 10.0.123.254 via ge-0/0/1.3123, Pop
299936 *[LDP/9] 11:37:45, metric 1
> to 10.0.123.33 via ge-0/0/1.3123, Swap 299936
to 10.0.123.44 via ge-0/0/1.3123, Swap 299936
299952 *[LDP/9] 11:37:45, metric 1
> to 10.0.123.33 via ge-0/0/1.3123, Swap 299952
to 10.0.123.44 via ge-0/0/1.3123, Swap 299952
bgp.l3vpn.0: 6 destinations, 12 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
65123:102:172.16.21.0/24
*[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.22.0/24
*[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.23.0/24
*[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:172.16.24.0/24
*[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.2.0/24
*[BGP/170] 00:33:22, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:33:22, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
> to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
65123:102:192.168.254.2/32
*[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.154
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
[BGP/170] 00:31:09, MED 2, localpref 100, from 192.168.255.254
AS path: I, validation-state: unverified
to 10.0.123.33 via ge-0/0/1.3123, Push 19, Push 299952(top)
> to 10.0.123.44 via ge-0/0/1.3123, Push 19, Push 299952(top)
inet6.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2001:1234::1/128 *[Direct/0] 14:52:17
> via lo0.0
fe80::250:560f:fc9e:4cd1/128
*[Direct/0] 14:52:17
> via lo0.0
ff02::2/128 *[INET6/0] 14:52:17
MultiRecv
#Pastebins
Here are the configs in pastebins for a bit more convenient looking at.
I'm studying for the JNCIP-ENT certification and I was wondering if anybody knew where you can get the course materials at a discounted rate? $1200 in books seems a little crazy. I also see that they are changing the cert to be JN0-647 in September so I wonder if that will affect the training materials. Are the O'Reilly books still a good resource or are they outdated?
Thanks guys
So i have decided to try and liven up some forums that have been noticeably quiet, because i can't be the only one going for certain exam certs .. And it might help other people as well as me.
First Topic
BGP Confederations!
Test lab
Diagram
I am omitting IPs for now for the most part, As that seems like it would pad this post alot. I will include base configs though which should help along the way.
AS Breakdown
P1, PE11, PE12, PE21, PE22 Are all apart of the public AS 300.
PE11, PE12 Are apart of SUB-AS 65500
PE1 Is apart of SUB-AS 65300
PE21, PE22 Are apart of SUB-AS 65200
CE10 Is multi homed to both PE11 and PE12 Using Public AS 500
CE20 Is multi homed to both PE21 and PE22 Using Public AS 600
What is the difference between a BGP Confederation and the use of route reflectors/clusters?
Differences between Route Reflectors and clusters / Confederations https://jncie.files.wordpress.com/2008/09/350010_differences-between-bgp-route-reflectors-and-confederations.pdf
Quick Config guide https://www.juniper.net/documentation/en_US/junos16.1/topics/example/routing-protocol-bgp-security-confederation-configuring-cli.html
Some key differences i think that should be kept in mind Route Reflectors Should have a full mesh between them, While the clients only peer with the reflectors.
Whereas in a confederation, There is no need for full mesh peering between sub-as's, BUT within each Sub-AS there should be a full mesh between routers.
Peering RR to RRclients -> IBGP
Clusters IBGP used within the Sub AS's EBGP like protocol is used (EIBGP) used to connect Sub AS's
Changes or additions to BGP attributes Route Reflectors
New mandatory attributes Originator ID Cluster ID
Confederations Enhancements to the AS Path attribute Type 3:AS confederation set Type 4:AS confederation Sequence
Example in this lab, If i look at routes from AS600 to SUB-AS 6550 from the point of view of PE11 and PE12
If i look at these same routes from the perspective of CE10 from CE20 As we see, The SUB-AS paths are HIDDEN from the point of view of the CEs
EXAMPLE http://imgur.com/r0oxyHt
NEXT HOP handling With confederations even though the protocol being used is like EBGP, The next hop handling is essentially the same as IBGP, Where it is not changed and is preserved on the way through the network by default. These can be changed with a next hop policy of your choosing.
Local Preference Both protocols use the same method of handling the local preference value. It is passed through the network as is and preserved. Even between SUB ASs.
MED(Multi Exit Discriminator) Same as Local Preference, It is passed as it between SUB ASs
Re-Advertising a learned prefix. Route Reflectors Because there is fully meshed IBGP peering between route reflectors, a route reflector does not re-advertise a learned prefix from a NON CLIENT peer to another.
Route Reflectors advertise prefixes learned from a client to the other client or non client peers.
Confederations Because the protocol is like EBGP, Routes learned from each SUB-AS is advertised to other SUB-ASs that are peered. NOTE:Because of the next hop policy listed above, Your routes learned from each sub as will most likely show up as hidden, Unless you are running some sort of IGP between the sub-as's that advertise all internal routes etc etc.
Communication with non member BGP peers (Important info!) Route Reflectors If route reflectors peer with non route reflector routers located in the same AS, The route reflector attributes that are being passed are ignored, because of the type of the attributes (OPTIONAL, non transitive) And the attributes are dropped.
If route reflectors peer with an EBGP peer, ONLY AS number is passed.
Confederations If a member of the confederation is peering with a BGP peer located in another AS, the sub-AS numbers located in the AS-Path are suppressed and ONLY THE CONFEDERATION NUMBER IS PASSE WITHIN THE AS PATH ATTRIBUTE.
Support of multiple instances Route Reflectors can be members of multiple clusters as long as the routers are configured as route reflectors.
Confederations The router can only be a member of a single sub-as or a single confederation
Use of multi-hop parameter. Not needed with route reflectors, But might be needed with confederations.
In the listed PDF there are a few more interesting differences listed toward the bottom that will make for a good read.
OSPF
BGP
IP Multicast
Ethernet Switching and Spanning Tree
Layer 2 Authentication and Access Control
IP Telephony Features
Class of Service (CoS)
Application-Aware Security Services
Virtualization
Advanced NAT
Advanced IPSec VPNs
Intrusion Prevention
Transparent Mode
Troubleshooting
OSPF
IS-IS
BGP
Class of Service (CoS)
IP Multicast
MPLS
Layer 3 VPNs
Layer 2 VPNs
Automation
What is JNCIP?
What is its exam number?
What is the current version of the exam?
What OS does it cover?
What is the most equivalent certification by another vendor?