Training, Certification, and Career Topics
Contributor
ABC-TECH
Posts: 20
Registered: ‎05-31-2009
Accepted Solution

JNCIE-SEC Lab topology Build

I have the following devices to build a JNCIE-SEC lab. Can you suggest the best topology in which I will do very minimal physical changes? Can I use the J2350 as the spoke for the VPN?

 

2 x SRX240 with SMB-CS and Dynamic VPN licence.

2 x J2350

2 x EX4200

 

Distinguished Expert
spuluka
Posts: 2,566
Registered: ‎03-30-2009

Re: JNCIE-SEC Lab topology Build

In my lab I connect every interface of the firewalls and routers to the layer three switch.  I make a spreadsheet that lists all the ports of the switch and then identifies which device and interface is connected to each port.

 

I then create the 3 (or maximum available) routing instances on each firewall and distribute the interfaces among them.

 

Create a virtual internet

 

I assign a private range for my virtual internet.  Then carve this up into a series of /29 addresses.  This is another tab in the spreadsheet. 

 

Now I assign every device in the lab a "wan" public address for their use.

 

On each interface that will be a "wan" on the virtual routing instance or physical device, I set up the default gateway for their wan segment as an RVI.

 

Now all the devices can create vpn or other "internet" connections across my private internet.

 

Setup base config

 

Now configure the wan port and default routes in each routing instance and device for this topology and confirm access to each other.

 

I save these configs out for easy reset to base.

 

Console access

If you can get a console server you set that up with every device so you can use the console port over ip.

 

Otherwise, put an old PC next to the stack with a COM port cable you can move around as needed.  Then RDP into that PC to do the console access.

 

Daily use

 

With this arrangement all "cabling" changes then are simply a configuration change on the switch.  You create and change vlans to be in the same one if you need a connection.

 

For example: to connect router A port 1 to firewall B port 1, you just configure their connected switch ports to be in the same layer 2 VLAN by themselves.  They are connected.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
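
Added example (not part of the thread and not code from either poster): a sketch of the "virtual internet" address tab described above, carving a private range into /29s, giving each wan link its own VLAN, and rendering the switch-side VLAN/RVI commands. The range 10.255.0.0/24, the device and port names, the VLAN numbering, the choice of first host as gateway, and the legacy (non-ELS) EX set-command style are all assumptions.

```python
import ipaddress

# Constructed sample rows from the "port map" spreadsheet tab:
# (switch port, device, device interface). All names are assumptions.
PORT_MAP = [
    ("ge-0/0/0", "srx240-a", "ge-0/0/0"),
    ("ge-0/0/1", "srx240-b", "ge-0/0/0"),
    ("ge-0/0/2", "j2350-a", "ge-0/0/0"),
    ("ge-0/0/3", "j2350-b", "ge-0/0/0"),
]

def build_plan(supernet, port_map, first_vlan=101):
    """Give each wan link its own /29 and VLAN: first host = switch RVI
    (default gateway), second host = the device's "wan" address."""
    subnets = ipaddress.ip_network(supernet).subnets(new_prefix=29)
    plan = []
    for vlan_id, (port, device, ifname) in enumerate(port_map, start=first_vlan):
        try:
            net = next(subnets)
        except StopIteration:
            raise ValueError(f"{supernet} has no /29 left for {device}") from None
        hosts = list(net.hosts())
        plan.append({"vlan": vlan_id, "port": port, "device": device,
                     "ifname": ifname, "subnet": net,
                     "gateway": hosts[0], "wan": hosts[1]})
    return plan

def switch_commands(plan):
    """Render set commands for the switch side (assumed legacy non-ELS EX style)."""
    cmds = []
    for p in plan:
        name = f"wan-{p['vlan']}"
        cmds += [
            f"set vlans {name} vlan-id {p['vlan']}",
            f"set vlans {name} l3-interface vlan.{p['vlan']}",
            f"set interfaces vlan unit {p['vlan']} family inet address {p['gateway']}/29",
            f"set interfaces {p['port']} unit 0 family ethernet-switching port-mode access",
            f"set interfaces {p['port']} unit 0 family ethernet-switching vlan members {name}",
        ]
    return cmds

if __name__ == "__main__":
    plan = build_plan("10.255.0.0/24", PORT_MAP)
    for p in plan:
        print(f"{p['device']:10} {p['ifname']:9} {p['wan']}/29 gw {p['gateway']} vlan {p['vlan']}")
    print("\n".join(switch_commands(plan)))
```
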
Contributor
ABC-TECH
Posts: 20
Registered: ‎05-31-2009

Re: JNCIE-SEC Lab topology Build

Thanks a lot for your descriptive inputs. Do you have any logical topology to share? My plan is to keep one SRX as the hub for studying the VPN and the other SRX with multiple VRs as spokes. This will help in testing routing and VPNs. Do you have any more suggestions/inputs?

 

Do you have any other topology other than Rob Cameron's Juniper Security book?

Distinguished Expert
spuluka
Posts: 2,566
Registered: ‎03-30-2009

Re: JNCIE-SEC Lab topology Build

Besides the O'Reilly books, I generally search the documentation for the key words in the exam outline and add the word "example".  This brings up all the sample configurations in the documentation.  All of the sample configurations in the Junos documentation are titled with "Example: " as a prefix.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.