06-14-2012 01:52 AM - edited 06-14-2012 01:52 AM
I have the following devices to build a JNCIE-SEC lab. Can you suggest the best topology, one in which I will make very minimal physical changes? Can I use the J2350 as the spoke for the VPN?
2 x SRX240 with SMB-CS and Dynamic VPN licence.
06-14-2012 03:38 AM
In my lab I connect every interface of the firewalls and routers to the layer three switch. I make a spreadsheet that lists all the ports of the switch and then identifies which device and interface is connected to each port.
I then create the 3 (or maximum available) routing instances on each firewall and distribute the interfaces among them.
Create a virtual internet
I assign a private range for my virtual internet. Then carve this up into a series of /29 addresses. This is another tab in the spreadsheet.
Now I assign every device in the lab a "wan" public address for their use.
On each interface that will be a "wan" on the virtual routing instance or physical device, I set up the default gateway for their wan segment as an RVI.
Now all the devices can create vpn or other "internet" connections across my private internet.
Set up base config
Now configure the wan port and default routes in each routing instance and device for this topology and confirm access to each other.
I save these configs out for easy reset to base.
If you can get a console server, set that up with every device so you can use the console port over IP.
Otherwise, put an old PC next to the stack with a COM port cable you can move around as needed, then RDP into that PC to do the console access.
With this arrangement, all "cabling" changes are then simply a configuration change on the switch. You create and change VLANs so that ports are in the same one when you need a connection.
For example, to connect router A port 1 to firewall B port 1, you just configure their connected switch ports to be in the same layer 2 VLAN by themselves. They are connected.
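The virtual-internet arrangement this post describes, as an added Junos configuration example that is not the poster's own config: the EX switch carries one VLAN per "wan" /29 with an RVI as that segment's gateway, so the switch's inet.0 routes between all the segments; one SRX240 routing instance attaches its wan interface to one of those VLANs with a default route to the RVI; and a second VLAN with no RVI and only two member ports stands in for a patch cable between router A and firewall B. The switch model and port numbers, the VLAN IDs, the 10.200.0.0/24 range and the instance/zone names are all assumptions, and the RVI syntax is the pre-ELS EX style (`interfaces vlan unit N` plus `l3-interface vlan.N`).

```junos
## EX switch (pre-ELS CLI); port numbers, VLAN IDs and addresses are assumed.
## One VLAN per "wan" segment. The RVI vlan.N is that segment's default gateway,
## and the switch routes between the /29s in inet.0: this is the "virtual internet".
set vlans WAN-SRX1-VR1 vlan-id 101
set vlans WAN-SRX1-VR1 l3-interface vlan.101
set vlans WAN-SRX2-VR1 vlan-id 102
set vlans WAN-SRX2-VR1 l3-interface vlan.102
set vlans WAN-J2350 vlan-id 103
set vlans WAN-J2350 l3-interface vlan.103
set interfaces vlan unit 101 family inet address 10.200.0.1/29
set interfaces vlan unit 102 family inet address 10.200.0.9/29
set interfaces vlan unit 103 family inet address 10.200.0.17/29
## Access ports, one per device wan interface (taken from the port spreadsheet)
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members WAN-SRX1-VR1
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members WAN-SRX2-VR1
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members WAN-J2350
## "Cabling" change: router A port 1 <-> firewall B port 1. A VLAN with no
## l3-interface and exactly two member ports behaves like a crossover cable;
## the switch does not route into it, so the two devices see only each other.
set vlans LINK-RA-P1-FB-P1 vlan-id 201
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members LINK-RA-P1-FB-P1
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members LINK-RA-P1-FB-P1

## SRX240 #1, routing instance VR1 (assumed name): wan interface in 10.200.0.0/29
## with a default route to the switch RVI. The zone lines are the minimum needed
## to answer ping and terminate IKE on the wan; repeat the pattern with its own
## interface, zone and /29 for each further routing instance.
set interfaces ge-0/0/0 unit 0 family inet address 10.200.0.2/29
set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/0.0
set routing-instances VR1 routing-options static route 0.0.0.0/0 next-hop 10.200.0.1
set security zones security-zone untrust-vr1 interfaces ge-0/0/0.0
set security zones security-zone untrust-vr1 host-inbound-traffic system-services ping
set security zones security-zone untrust-vr1 host-inbound-traffic system-services ike
```

Two checks and one caveat. From the SRX, confirm the virtual internet works end to end with `ping 10.200.0.10 routing-instance VR1 count 3` (assuming SRX2's VR1 wan sits at .10 in the second /29); a reply proves the RVI gateway, the switch's inter-/29 routing and the far side's default route are all in place. For the "save these configs out for easy reset" step, `save /var/tmp/base.conf` in configuration mode writes the candidate configuration to a file, and `load override /var/tmp/base.conf` followed by `commit` restores it. The caveat: all interfaces in a security zone must belong to the same routing instance, so each routing instance on the SRX needs its own zone (hence `untrust-vr1` above rather than one shared `untrust` zone).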
06-15-2012 09:38 AM
Thanks a lot for your descriptive inputs. Do you have any logical topology to share? My plan is to keep one SRX as the hub for studying the VPN and the other SRX, with multiple VRs, as spokes. This will help in testing routing and VPNs. Do you have any more suggestions/inputs?
Do you have any other topology other than the one in Rob Cameron's Juniper security book?
06-16-2012 06:08 AM
Besides the O'Reilly books, I generally search the documentation for the key words in the exam outline and add the word "example". This brings up all the sample configurations in the documentation. All of the sample configurations in the Junos documentation are titled with "Example: " as a prefix.