15 Oct, 2009  |  Written by PassGuide Juniper Test Software  |  under Study Guide

Juniper Networks Certified Internet Specialist Study Guide
Contents:
Introduction
Assessment Test
Chapter 1: Routing Policy
Chapter 2: Open Shortest Path First
Chapter 3: Intermediate System to Intermediate System (IS-IS)
Chapter 4: Border Gateway Protocol (BGP)
Chapter 5: Advanced Border Gateway Protocol (BGP)
Chapter 6: Multicast
Chapter 7: Multiprotocol Label Switching (MPLS)
Chapter 8: Advanced MPLS
Chapter 9: Layer 2 and Layer 3 Virtual Private Networks
Glossary
Index
Bonus Chapters:
Chapter A: Class of Service
Chapter B: Security
Chapter C: IP version 6
Juniper Networks Technical Certification Program

The Juniper Networks Technical Certification Program (JNTCP) consists of two platform-specific, multitiered tracks. Each exam track allows participants to demonstrate their competence with Juniper Networks technology through a combination of written proficiency and hands-on configuration exams. Successful candidates demonstrate a thorough understanding of Internet technology and Juniper Networks platform configuration and troubleshooting skills.

The two JNTCP tracks focus on the M-series Routers and T-series Routing Platforms and the ERX Edge Routers, respectively. While some Juniper Networks customers and partners work with both platform families, it is most common to find individuals working with only one or the other platform. The two certification tracks allow candidates to pursue specialized certifications, which focus on the platform type most pertinent to their job functions and experience. Candidates wishing to attain a certification on both platform families are welcome to do so, but they are required to pass the exams from each track for their desired certification level.

M-series Routers and T-series Routing Platforms

The M-series routers certification track consists of four tiers:

Juniper Networks Certified Internet Associate (JNCIA): The Juniper Networks Certified Internet Associate, M-series, T-series Routers (JNCIA-M) certification does not have any prerequisites. It is administered at Prometric testing centers worldwide.

Juniper Networks Certified Internet Specialist (JNCIS): The Juniper Networks Certified Internet Specialist, M-series, T-series Routers (JNCIS-M) certification also does not have any prerequisites. Like the JNCIA-M, it is administered at Prometric testing centers worldwide.

Juniper Networks Certified Internet Professional (JNCIP): The Juniper Networks Certified Internet Professional, M-series, T-series Routers (JNCIP-M) certification requires that candidates first obtain the JNCIS-M certification. The hands-on exam is administered at Juniper Networks offices in select locations throughout the world.

Juniper Networks Certified Internet Expert (JNCIE): The Juniper Networks Certified Internet Expert, M-series, T-series Routers (JNCIE-M) certification requires that candidates first obtain the JNCIP-M certification. The hands-on exam is administered at Juniper Networks offices in select locations throughout the world.

http://rapidshare.de/files/48523787/Sybex_Juniper_JNCIS_Study_Guide-www.junipernet.org.rar.html

http://www.2shared.com/file/8444379/cdaf92fb/Sybex_Juniper_JNCIS_Study_Guide-wwwjunipernetorg.html

http://www.4shared.com/file/141009174/d545c67e/Sybex_Juniper_JNCIS_Study_Guide-wwwjunipernetorg.html

http://rapidshare.com/files/293235596/Sybex_Juniper_JNCIS_Study_Guide-www.junipernet.org.rar.html

NetScreen JNCIS-FWV Study Guide: Contents

1. Introduction
  1.1. Exam Information
  1.2. Exam Content
2. Basic Firewall/VPN Operations
  2.1. NetScreen Firewall Systems
    2.1.1. NS500
    2.1.2. NS5000
  2.2. Interfaces
    2.2.1. Security Interfaces
    2.2.2. Functional Interfaces
    2.2.3. Tunnel Interfaces
  2.3. Advanced Interfaces
    2.3.1. Subinterfaces
    2.3.2. Aggregate Interfaces
    2.3.3. Redundant Interfaces
    2.3.4. Virtual Security Interfaces
  2.4. Zones
    2.4.1. Security Zones
    2.4.2. Function Zones
  2.5. Virtual Routers
    2.5.1. Static Routes
  2.6. Security Policies
    2.6.1. Interzone Policies
    2.6.2. Intrazone Policies
    2.6.3. Global Policies
    2.6.4. Policy Configuration Order
  2.7. Network Address Translation
    2.7.1. Interface NAT
    2.7.2. Policy NAT-src
    2.7.3. DIPs
    2.7.4. Policy NAT-dst
3. VPNs
  3.1. PKI
    3.1.1. Digital Certificates
    3.1.2. Certificate Authorities
    3.1.3. Certificate Revocation
    3.1.4. Configuring Digital Certificates on a NetScreen
  3.2. IKE
    3.2.1. Modes
    3.2.2. Proposals
  3.3. IPSec
    3.3.1. Protocols
    3.3.2. Encapsulation
    3.3.3. Perfect Forward Secrecy
    3.3.4. Proposals
    3.3.5. Proxy-IDs
  3.4. Policy-Based VPNs
  3.5. Route-Based VPNs
  3.6. IPSec Packet Flow
  3.7. Dynamic Peers
  3.8. Hub and Spoke VPNs
    3.8.1. Back-to-Back VPNs
    3.8.2. VPNs using the NHTB
  3.9. Overlapping VPN Networks
  3.10. VPN Monitoring
    3.10.1. Rekey
    3.10.2. Optimisation
  3.11. VPN Groups
    3.11.1. Priorities
  3.12. VPN Troubleshooting
    3.12.1. IKE
    3.12.2. Security Associations
    3.12.3. Common VPN Errors
  3.13. Review Questions
    3.13.1. Review Answers
4. Network Management
  4.1. Local Management
  4.2. Remote Management
  4.3. Manage/r IPs
    4.3.1. Manage IPs
    4.3.2. Manager IPs
  4.4. Management Methods
    4.4.1. CLI
    4.4.2. WebUI
    4.4.3. NSM
  4.5. User Privileges
    4.5.1. Root User
    4.5.2. Root System Write/Read Users
    4.5.3. Root System Read Only Users
    4.5.4. Virtual System Write/Read Users
    4.5.5. Virtual System Read Only Users
  4.6. Firewall Logs
    4.6.1. Self Log
    4.6.2. Event Log
    4.6.3. Traffic Log
  4.7. Counters
    4.7.1. Flow Counters
    4.7.2. Screen Counters
    4.7.3. Hardware Counters
    4.7.4. Policy Counters
  4.8. SYSLOG
  4.9. SNMP
  4.10. Traffic Alarms
  4.11. Review Questions
    4.11.1. Review Answers
5. Troubleshooting Traffic Flows
  5.1. Debugging
    5.1.1. The Debug Buffer
  5.2. Snoop
    5.2.1. Activating Snoop
    5.2.2. Filtering with Snoop
    5.2.3. Snoop Output
  5.3. Flow Filters
    5.3.1. Using Flow Filters
    5.3.2. Flow Filter Output
  5.4. Session Information
  5.5. Review Questions
    5.5.1. Review Answers
6. Traffic Management
  6.1. Interface Bandwidth
  6.2. Policies and Bandwidth Management
    6.2.1. Priority Queuing
    6.2.2. Guaranteed Bandwidth
    6.2.3. Maximum Bandwidth
    6.2.4. DSCP
  6.3. Review Questions
    6.3.1. Review Answers
7. Virtual Systems
  7.1. Creating Virtual Systems
    7.1.1. Administration
    7.1.2. Sharing
    7.1.3. Exporting and Importing
  7.2. Traffic Sorting
    7.2.1. Self Traffic
    7.2.2. Through Traffic
    7.2.3. VLAN-based Classification
    7.2.4. IP-based Classification
  7.3. InterVSYS Communication
    7.3.1. Routing
    7.3.2. Policies
  7.4. Review Questions
    7.4.1. Review Answers
8. NSRP
  8.1. Clustering
  8.2. VSD Groups
    8.2.1. VSIs
    8.2.2. Priorities
    8.2.3. Preempt Option
    8.2.4. States
    8.2.5. Heartbeat Messages
  8.3. Active/Passive
  8.4. Synchronisation
    8.4.1. Synchronising Configurations
    8.4.2. Synchronising Files
    8.4.3. Run-Time Objects
    8.4.4. Synchronising Time
  8.5. HA Interfaces
    8.5.1. Control Messages
    8.5.2. Data Messages
    8.5.3. Link Probes
  8.6. Active/Active
  8.7. Failover
    8.7.1. Failover Monitoring
  8.8. Review Questions
    8.8.1. Review Answers

Introduction

Juniper Networks' Certified Internet Specialist in Firewall and VPN (JNCIS-FWV) is a new stream of certification within the Juniper Networks Technical Certification Program (JNTCP). The exam is derived from the previous NCSP (NetScreen Certified Security Professional) certification and focuses on advanced configuration and troubleshooting of NetScreen firewall appliances and systems.

This study guide will attempt to get you familiar with advanced NetScreen configuration and administration and provide you with the necessary theoretical and practical training in order to obtain your JNCIS-FWV certification.

Disclaimer: While this study guide was written to assist you in preparing for the JNCIS-FWV exam, it does not guarantee that you will pass it. The author has tried their darndest to ensure it includes all the relevant content that is covered by the exam; you will have to study rigorously in order to understand and remember it all (and there is plenty to remember).

1.1. Exam Information

The exam is structured around:
• 75 multiple choice questions
• 90 minutes completion time
• A pass mark of 70 out of a possible 100

Note: Some questions only require one answer, but others will require multiple answers (e.g. "select the best 3 answers"). However, not all questions will specify how many answers you need to select! If you only select 2 answers when the question requires 3 (no, it doesn't warn you that you haven't selected enough – silly, I know), you will get that question wrong. Make sure you check the bottom left-hand corner of the screen; that is where it lists how many answers you need to select.

The exam is regarded as "difficult" and it is recommended that candidates have at least 1 year of experience with NetScreen firewall products.

All questions relating to configuration examples and command syntax are based around the Command Line Interface (CLI). There are no questions or multiple choice answers based on the Web User Interface (WebUI).

The exam is generally based on the ScreenOS version 5.0.x firmware.
Although this study guide and accompaniments are self-contained (and hopefully all you
need to pass the exam), additional resources are available to assist in your studies:
Juniper’s NetScreen Concepts and Examples ScreenOS Reference Guide v5.0.0:

http://www.juniper.net/techpubs/software/screenos/screenos5x/

Juniper ScreenOS Knowledgebase:

https://www.juniper.net/customers/support/NetScreen_kb/

And worst case, if you need references on standards or a certain technology in general,
remember: Google is your best friend (www.google.com). This guide will not attempt to
cover the detailed theories of the diverse range of technologies that the product taps into. It
is assumed that you understand those technologies, or can quickly pick them up if need be.
1.2. Exam Content

JNCIS-FWV focuses on 7 specific areas of the NetScreen firewall products:
1. Basic Firewall/VPN Operations: NetScreen firewall systems specifications (NS500 and NS5000 series), virtual router configuration, advanced routing (static routing only), security zones, interfaces (sub, aggregate, tunnel and redundant), security policies, packet flows and network address translation.
2. VPNs: PKI, IKE, IPSec, policy-based and route-based VPNs, dynamic peers, NHTB, hub and spoke VPNs, VPN groups and advanced VPN troubleshooting.
3. Network Management: local and remote administration configuration, securing administration traffic, user privileges, management IP addresses, logging (self, event and traffic), counters, SYSLOG and SNMP.
4. Troubleshooting with Debug/Snoop: configuring, using and understanding debug output from flow filters and Snoop.
5. Traffic Management: interface bandwidth, policy guaranteed bandwidth and maximum bandwidth, priority queues and DSCP.
6. Virtual Systems: virtual system creation, administration, sharing of virtual routers and zones, importing and exporting interfaces, intraVSYS routing and policies, and traffic sorting (IP classification and VLANs).
7. NSRP: clustering, VSD groups, active/passive and active/active operation, synchronisation, HA interfaces and failover (the topics listed under chapter 8 of the contents above).

JNCIS exams

http://www.4shared.com/file/141008121/60e4a1d1/NetscreenJNCIS-FWV-StudyGuide-v13-public_wwwjunipernetorg.html

http://rapidshare.de/files/48523747/NetscreenJNCIS-FWV-StudyGuide-v1.3-public_www.junipernet.org.rar.html

http://rapidshare.com/files/293232664/NetscreenJNCIS-FWV-StudyGuide-v1.3-public_www.junipernet.org.rar.html

http://www.2shared.com/file/8444296/c251c8d3/NetscreenJNCIS-FWV-StudyGuide-v13-public_wwwjunipernetorg.html

http://www.4shared.com/file/140998347/50314f01/wwwjunipernetorg_Sybex_-_JNCIA-Juniper_Networks_Certified_Internet_Associate_Study_Guide_2003_.html

http://www.2shared.com/file/8443262/df7328bc/wwwjunipernetorg_Sybex_-_JNCIA-Juniper_Networks_Certified_Internet_Associate_Study_Guide_2003_.html

Product Description
Get ready for the hot new JNCIA certification from Juniper Networks with the Official Study Guide from Sybex! Juniper Networks develops high-speed, scalable routers for the service provider and networking industry, and they are challenging Cisco in the internetworking market with state of the art technology and innovation. Juniper Networks offers a four-tiered certification program that validates knowledge and skills related to Juniper Networks technologies. The JNCIA (Juniper Networks Certified Internet Associate) is the entry-level certification that tests network administrators in their knowledge of IP-network protocols, Juniper routers, and the JUNOS operating system. Published in partnership with the Juniper Networks Technical Certification Program, and written by Juniper Networks instructors, this official Study Guide provides in-depth coverage of all exam objectives along with practical insights drawn from real-world experience. The accompanying CD includes hundreds of challenging review questions, electronic flashcards, and a searchable electronic version of the entire book.

From the Back Cover
Here's the book you need to prepare for the JNCIA exam, JN0-201, from Juniper Networks. Written by a team of Juniper Networks trainers and engineers, this Study Guide provides:
• Assessment testing to focus and direct your studies
• In-depth coverage of official test objectives
• Hundreds of challenging practice questions, in the book and on the CD
Authoritative coverage of all test objectives, including:
• Working with the JUNOS software
• Implementing Juniper Networks boot devices
• Troubleshooting Routing Information Protocol
• Implementing a routing policy
• Configuring and monitoring an OSPF network
• Implementing Border Gateway Protocol
• Monitoring and troubleshooting an IS-IS network
• Understanding the Reverse Path Forwarding process
• Operating firewall filters
• Using Multiprotocol Label Switching

About the Author
Joseph M. Soricelli, JNCIE # 14, CCIE #4803, is an Education Services Engineer at Juniper Networks Inc. John L. Hammond is an Education Services Engineer at Juniper Networks Inc. Galina Diker Pildush, JNCIE #18, CCIE #3176, provides training and does course development for Juniper Networks Inc. Thomas E. Van Meter, JNCIE #34, CCIE #1769, is an Education Services Engineer at Juniper Networks Inc. Todd M. Warble, JNCIE #7, is a Senior Education Services Engineer with Juniper Networks Inc.

Lab 1: EX-series User Interface Options (Detailed)
Part 1: Logging In to J-Web
Part 2: Exploring J-Web Monitoring Capabilities
Part 3: Exploring J-Web Configuration and Diagnostic Capabilities
Part 4: Logging In Using the CLI

Module 3: The JUNOS software CLI

After successfully completing this module, you will be able to:
• Log in to an AXI 520/580 router
• Issue operational mode commands
• Enter configuration mode
• Navigate the candidate configuration
• Modify the candidate configuration
• Commit a new active configuration
• Describe the JUNOS interface naming convention
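The module objectives above are the steps of one procedure: log in, run operational-mode commands, enter configuration mode, navigate and modify the candidate configuration, and commit it as the new active configuration. The session below is an added example written for this page; it is not material from the course, from the study guides, or from Juniper. The user name, hostnames, interface ge-0/0/0 and the 192.0.2.1/30 address (RFC 5737 documentation space) are assumed for illustration. It also shows the checks a practitioner wants before committing over a remote session: `show | compare` to see exactly what the candidate changes, `commit check` to validate without activating, and `commit confirmed` so that a change which cuts off management access rolls back by itself.

```junos
user@host> show system uptime                     # operational mode: the prompt ends in '>'
user@host> show interfaces terse ge-0/0/0         # naming convention: type-fpc/pic/port, logical unit after the dot
user@host> configure                              # enter configuration mode: the prompt changes to '#'
Entering configuration mode
[edit]
user@host# edit system                            # descend into the [edit system] hierarchy
[edit system]
user@host# set host-name lab-router-1             # edits the candidate configuration only; nothing is live yet
[edit system]
user@host# up                                     # move up one hierarchy level
[edit]
user@host# edit interfaces ge-0/0/0 unit 0
[edit interfaces ge-0/0/0 unit 0]
user@host# set family inet address 192.0.2.1/30   # assumed address (RFC 5737 documentation range)
[edit interfaces ge-0/0/0 unit 0]
user@host# top                                    # jump back to the [edit] root
[edit]
user@host# show | compare                         # diff of candidate against the active configuration
[edit system]
-  host-name host;
+  host-name lab-router-1;
[edit interfaces ge-0/0/0 unit 0 family inet]
+       address 192.0.2.1/30;
[edit]
user@host# commit check                           # validate syntax and semantics without activating
configuration check succeeds
[edit]
user@host# commit confirmed 5                     # activate, but roll back automatically in 5 minutes unless confirmed
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete
[edit]
user@lab-router-1# commit                         # session still reachable, so confirm the change
commit complete
[edit]
user@lab-router-1# exit                           # leave configuration mode
Exiting configuration mode
user@lab-router-1>
```

The prompt changes to the new hostname only after the first commit, which is a quick visual confirmation that the candidate became the active configuration. If the session had dropped after `commit confirmed 5` (for example because the address change broke the management path), the router would have reverted to the previous active configuration on its own; `rollback 0` discards pending candidate changes if you decide not to commit at all.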