JNCIE-SEC Lab Master Plan
Objective
This lab is designed to support intensive hands-on preparation for the Juniper Networks Certified Internet Expert – Security (JNCIE-SEC) certification. It simulates enterprise-grade secure network deployments using real Juniper hardware with current Junos firmware.
Lab Equipment Inventory
Device | Quantity | Model | Role |
---|---|---|---|
SRX320 | 2 | Juniper SRX320 | Core firewall / perimeter |
SRX300 | 1 | Juniper SRX300 | Internal security |
EX2300-12T | 2 | Juniper EX2300 | Access / Layer 2 switching |
EX2300-12P | 1 | Juniper EX2300 | PoE switch (management) |
Firmware Versions (JUNOS)
Device | Recommended JUNOS Version |
---|---|
SRX300 Series | 24.4R1+ |
EX2300 Series | 23.4R2-S4+ |
All devices must be upgraded to the listed versions before beginning configuration.
Physical Lab Topology
+-----------+          +-----------+          +-----------+
| SRX320-A  | <------> | EX2300-12T| <------> | SRX320-B  |
+-----------+          +-----------+          +-----------+
      |                      |                      |
      |                      |                      |
+-------------+       +-------------+        +-------------+
| Mgmt Laptop |       | EX2300-12P  |        |   SRX300    |
+-------------+       +-------------+        +-------------+
All devices are interconnected via the EX switches. Management is provided through the EX2300-12P using out-of-band access. This topology supports zones, VPNs, NAT, IDP, UTM, and routing protocols.
Cabling Plan (Interfaces)
Device | Port | Connects To |
---|---|---|
SRX320-A | ge-0/0/0 | WAN simulation |
SRX320-A | ge-0/0/1 | EX2300-12T (uplink) |
SRX320-B | ge-0/0/0 | EX2300-12T (uplink) |
SRX300 | ge-0/0/0 | EX2300-12P |
EX2300-12T | ge-0/0/1–4 | Inter-SRX links |
EX2300-12P | ge-0/0/0 | Management LAN |
Laptop | eth0 | EX2300-12P (VLAN 10) |
All interfaces will be manually configured. Zero Touch Provisioning (ZTP) and DHCP are not used. Note for Phase 6: on the SRX300 line, enabling a chassis cluster repurposes ge-0/0/0 as the fxp0 out-of-band management port and ge-0/0/1 as the fxp1 control link on both nodes, so the WAN uplink on SRX320-A ge-0/0/0 and the EX2300-12T uplinks on SRX320-A ge-0/0/1 and SRX320-B ge-0/0/0 must be moved to other ports before that phase.
Logical Lab Design
The following logical elements are implemented:
- Zones: Trust / Untrust / DMZ / VPN / Management
- Services: IPSec VPN, NAT, IDP, AppSecure, UTM
- Routing: OSPF, static routes, redundancy with RETH
- Policy: ALGs, security policies, zone-based firewalling
- High Availability: Chassis cluster (SRX320-A and SRX320-B)
- Management: Out-of-band via EX2300-12P (accessible from laptop)
Configuration Structure
Configuration files will be organized in the following directories:
- base-configs/: Initial zeroed configurations
- system-configs/: Hostname, users, time, DNS, services
- interface-configs/: Physical and logical interfaces
- security-configs/: Zones, policies, address books
- vpn-configs/: Site-to-site and remote access VPN
- services-configs/: IDP, UTM, AppSecure
- routing-configs/: Static, OSPF, ECMP, BFD
- cluster-configs/: Chassis clustering (SRX320 pair)
Lab Execution Plan
Phase | Description |
---|---|
Phase 1 | Firmware upgrade and base configuration |
Phase 2 | Interface wiring, VLAN setup, and L3 interfaces |
Phase 3 | Zone setup, security policies, NAT configuration |
Phase 4 | IPSec VPN: Site-to-site and remote access |
Phase 5 | IDP, AppSecure, and UTM service testing |
Phase 6 | Chassis Cluster configuration on SRX320s |
Phase 7 | Redundancy testing, failover verification |
Topology
Basic Configs
Lab-only credentials (the same password and the same hashes are reused on all three SRX devices; do not reuse them outside this lab):
root / Juniper123
carrot / Juniper123
SRX320-A
set system host-name SRX320-A
set system root-authentication encrypted-password "$5$YjO8ZGdi$Dxb3Gufp7V/JrYcKwx5Vi7bAN1R/BXVG/RDskzyPFr7"
set system login user carrot full-name Carrot
set system login user carrot uid 2002
set system login user carrot class super-user
set system login user carrot authentication encrypted-password "$5$tZgvxpAy$qW2cx2fj6IsOpwK2VqgaHa71SgYa/bETx0ioNnpBEy6"
set system services ssh
set system services web-management https system-generated-certificate
set system time-zone UTC
set system name-server 1.1.1.1
set system name-server 9.9.9.9
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 description WAN-Uplink
set interfaces ge-0/0/0 unit 0 family inet address 192.168.255.170/24
set interfaces ge-0/0/1 description "Trust zone to EX2300-12T"
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.255.250
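The SRX320-A baseline above has three gaps worth closing before Phase 3 builds on it: the trust-to-untrust policy permits any source, destination and application without logging; neither zone allows host-inbound-traffic, so the SSH and HTTPS services enabled under system services cannot actually be reached on ge-0/0/1.0 (only the console works); and SSH keeps its defaults for protocol version, root login and connection throttling. The set commands below are an added example for this page, not part of the original plan. They narrow the permit to a named application list and add an explicit logged deny, open only the management services on the trust interface, throttle SSH login attempts, and stream session logs off the box. The application list and the collector address 10.0.10.50 are assumptions.

```junos
# Added hardening for the SRX320-A baseline (example, not from the original plan).
# Assumptions: management arrives on ge-0/0/1.0 (trust); log collector at 10.0.10.50.
# Lines starting with # are commentary; drop them before pasting into "load set terminal".

# 1. Replace "application any" with an explicit list, then add a logged deny below it.
#    Policies are evaluated in order, so deny-rest only sees what trust-to-untrust did not match.
delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ntp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ping
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init
set security policies default-policy deny-all

# 2. Control-plane reachability: only the trust interface accepts management services.
#    untrust (WAN) accepts nothing for the control plane; Phase 4 will add "ike" there.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

# 3. SSH and login hardening: v2 only, no root over SSH, throttle brute-force attempts.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options lockout-period 10
set system login password minimum-length 12
set system login password format sha512

# 4. Get the evidence off the box: stream security session logs and syslog to the collector.
set security log mode stream
set security log format syslog
set security log source-address 10.0.10.1
set security log stream LAB-COLLECTOR host 10.0.10.50
set security log stream LAB-COLLECTOR host port 514
set system syslog host 10.0.10.50 any notice
set system syslog host 10.0.10.50 interactive-commands any
```

After commit, check `show security zones trust` (the interface should list ssh, https and ping under host-inbound-traffic), `show security policies from-zone trust to-zone untrust detail` (trust-to-untrust before deny-rest), and `show security policies hit-count` after generating some traffic; from the laptop, confirm that SSH to 10.0.10.1 as carrot succeeds and that root is refused.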
SRX320-B
set system host-name SRX320-B
set system root-authentication encrypted-password "$5$YjO8ZGdi$Dxb3Gufp7V/JrYcKwx5Vi7bAN1R/BXVG/RDskzyPFr7"
set system login user carrot full-name Carrot
set system login user carrot uid 2002
set system login user carrot class super-user
set system login user carrot authentication encrypted-password "$5$tZgvxpAy$qW2cx2fj6IsOpwK2VqgaHa71SgYa/bETx0ioNnpBEy6"
set system services ssh
set system time-zone UTC
set system name-server 1.1.1.1
set system name-server 9.9.9.9
set security zones security-zone trust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 description "Trust zone to EX2300-12T"
set interfaces ge-0/0/0 unit 0 family inet address 10.0.20.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.0.10.1
Note: 10.0.10.1 (SRX320-A's trust address) is not on SRX320-B's only connected subnet, 10.0.20.0/24, so Junos will not activate this default route as written (it appears under show route hidden). Either renumber SRX320-B's ge-0/0/0 into 10.0.10.0/24 or route between the two VLANs on EX2300-12T as part of the Phase 2 L3 design.
SRX300
set system host-name SRX300
set system root-authentication encrypted-password "$5$YjO8ZGdi$Dxb3Gufp7V/JrYcKwx5Vi7bAN1R/BXVG/RDskzyPFr7"
set system login user carrot full-name Carrot
set system login user carrot uid 2002
set system login user carrot class super-user
set system login user carrot authentication encrypted-password "$5$tZgvxpAy$qW2cx2fj6IsOpwK2VqgaHa71SgYa/bETx0ioNnpBEy6"
set system services ssh
set system time-zone UTC
set system name-server 1.1.1.1
set system name-server 9.9.9.9
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 description "Internal LAN to EX2300-12P"
set interfaces ge-0/0/0 unit 0 family inet address 10.0.30.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.0.20.1
Note: the SRX300's only interface carries the internal LAN but is placed in the untrust zone, the inverse of its "internal security" role in the inventory; with no security policy and no host-inbound-traffic configured, the device forwards nothing and does not answer SSH on 10.0.30.1 (console access only). As with SRX320-B, the next-hop 10.0.20.1 is not on the connected subnet 10.0.30.0/24, so this default route stays inactive until the Phase 2 VLAN/L3 design supplies a reachable gateway.
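Phase 6 and the cluster-configs/ directory call for SRX320-A and SRX320-B to form a chassis cluster. On the SRX300 line, clustering claims ge-0/0/0 (fxp0 management) and ge-0/0/1 (fxp1 control) on both nodes, and node 1's remaining ports are renumbered (ge-3/0/x on the SRX320; confirm with show interfaces terse once the cluster forms). The configuration below is an added example, not from the original plan. It assumes ge-0/0/2 as the fabric link, ge-0/0/3 as the untrust reth member, ge-0/0/4 as the trust reth member, and fxp0 addresses 10.0.10.11 and 10.0.10.12 on the management VLAN; it reuses the standalone SRX320-A addresses on the reth interfaces. Before loading it, delete the system host-name, the ge-0/0/0 and ge-0/0/1 interface statements and the zone bindings from both units, since those ports no longer exist as revenue ports in the cluster.

```junos
# Added example for Phase 6 (not from the original plan). Enable clustering first, in
# operational mode on each unit, and let both reboot:
#   SRX320-A> request chassis cluster cluster-id 1 node 0 reboot
#   SRX320-B> request chassis cluster cluster-id 1 node 1 reboot
# Then load the following on node 0; the commit is synchronized to node 1.
# Lines starting with # are commentary; drop them before pasting into "load set terminal".

# Node-specific settings live in groups selected by ${node} at commit time
set groups node0 system host-name SRX320-A
set groups node0 interfaces fxp0 unit 0 family inet address 10.0.10.11/24
set groups node1 system host-name SRX320-B
set groups node1 interfaces fxp0 unit 0 family inet address 10.0.10.12/24
set apply-groups "${node}"

# Redundancy groups: RG0 = routing engine, RG1 = data plane (reth interfaces)
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
# A monitored link going down subtracts its weight from the threshold of 255;
# weight 255 therefore fails RG1 over on the loss of any single member link
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/4 weight 255

# Fabric (data) link between the nodes; the control link is fixed at ge-0/0/1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-3/0/2

# reth0 = untrust (WAN), reth1 = trust (EX2300-12T); one member port per node
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-3/0/4 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.255.170/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.0.10.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.255.250

# Zones bind to the reth units, not to the member ports; management only on the trust side
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services ping
```

Verify with `show chassis cluster status` (both nodes present, RG0 and RG1 primary on node 0) and `show chassis cluster interfaces` (control and fabric links up, reth members up). For Phase 7, force a failover with `request chassis cluster failover redundancy-group 1 node 1`, confirm that a session through reth1 survives, then clear the manual failover with `request chassis cluster failover reset redundancy-group 1`; pulling the cable on ge-0/0/3 should produce the same failover through interface-monitor.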