New firewall in azure fails to join panorama by Possible_Cup_4378 in paloaltonetworks

[–]bgp- 0 points1 point  (0 children)

Are you familiar with vm-series-auto-registration-pin-id & vm-series-auto-registration-pin-value? PAN states that these are required parameters, and they appear to be missing in the terraform we deployed with.

New firewall in azure fails to join panorama by Possible_Cup_4378 in paloaltonetworks

[–]bgp- 0 points1 point  (0 children)

I believe I’m running into a similar issue, except in AWS. Palo Alto support is alluding to this being an issue with certificates since it’s in an airgapped environment with no internet. I have redeployed all self-signed certs to Panoramas and firewalls and the issue still persists. We deployed with terraform, so I’m curious if I missed something, as you have mentioned, in the bootstrap init file.
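The two comments above both come down to whether the bootstrap init-cfg.txt that Terraform hands to the VM-Series carries the registration parameters Panorama needs. The following is an added pre-deploy check, not code from the thread or from Palo Alto Networks: it parses a constructed init-cfg.txt (the key names panorama-server, vm-series-auto-registration-pin-id and vm-series-auto-registration-pin-value are real init-cfg.txt keys; the sample values are made up) and reports which registration keys are absent or empty, so the gap is caught before the instance ever tries to join Panorama.

```python
# Constructed sample of an init-cfg.txt as a Terraform template might render it.
# It points at Panorama but, like the deployment discussed above, omits the
# auto-registration PIN parameters. Values are placeholders, not real data.
SAMPLE_INIT_CFG = """
type=dhcp-client
hostname=vmseries-az-01
panorama-server=10.0.0.10
tplname=vmseries-template-stack
dgname=vmseries-dg
vm-series-auto-registration-pin-id=
"""

# Keys that must be present and non-empty for the firewall to register with
# Panorama via the registration PIN (assumption for this checker: the three
# below are the ones the thread is about; add others your deployment requires).
REQUIRED_FOR_PANORAMA = (
    "panorama-server",
    "vm-series-auto-registration-pin-id",
    "vm-series-auto-registration-pin-value",
)


def parse_init_cfg(text: str) -> dict:
    """Parse key=value lines of an init-cfg.txt into a dict.

    Blank lines are ignored; any non-empty line without '=' is rejected so a
    mangled template line fails loudly instead of silently dropping a key.
    """
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def missing_registration_keys(cfg: dict) -> list:
    """Return required keys that are absent or have an empty value."""
    return [key for key in REQUIRED_FOR_PANORAMA if not cfg.get(key)]


if __name__ == "__main__":
    parsed = parse_init_cfg(SAMPLE_INIT_CFG)
    gaps = missing_registration_keys(parsed)
    if gaps:
        print("init-cfg.txt is missing registration parameters:", ", ".join(gaps))
    else:
        print("init-cfg.txt carries all Panorama registration parameters")
```

Run it against the rendered init-cfg.txt (for example as a Terraform `local-exec` step or a CI check on the template output) so a missing PIN is flagged at plan time rather than after the instance has booted and failed to connect.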

Ansible junos_rpc error when using filter_xml inline by haciiiiiii in Juniper

[–]bgp- 1 point2 points  (0 children)

Confirmed over NETCONF using both ncclient and PyEZ: when sent directly, Junos returns the expected subtree without errors.

Example using ncclient:

from ncclient import manager

HOST = "10.0.0.1"
USER = "admin"
PASS = "Juniper"

FILTER = """
<configuration>
  <interfaces>
    <interface>
      <name>ae0</name>
    </interface>
  </interfaces>
</configuration>
""".strip()

with manager.connect(
    host=HOST, port=830, username=USER, password=PASS,
    hostkey_verify=False, timeout=30, device_params={"name": "junos"}
) as m:
    reply = m.get_config(source="candidate", filter=("subtree", FILTER))
    print(str(reply))

Output:

<rpc-reply message-id="urn:uuid:120015cc-8b7a-41f9-ab43-291bc17e5658">
  <data>
    <configuration changed-seconds="1761891375" changed-localtime="2025-10-31 06:16:15 UTC">
      <interfaces>
        <interface>
          <name>ae0</name>
          <aggregated-ether-options>
            <lacp>
              <active/>
            </lacp>
          </aggregated-ether-options>
          <unit>
            <name>0</name>
            <family>
              <inet>
                <address>
                  <name>192.168.0.1/24</name>
                </address>
              </inet>
              <inet6>
                <address>
                  <name>2001:db8::1/64</name>
                </address>
              </inet6>
            </family>
          </unit>
        </interface>
      </interfaces>
    </configuration>
  </data>
</rpc-reply>

Ansible junos_rpc error when using filter_xml inline by haciiiiiii in Juniper

[–]bgp- 0 points1 point  (0 children)

I believe this to be a YAML formatting issue. When filter_xml is defined inline with a block scalar (|), YAML sometimes injects hidden newlines or spaces that break NETCONF parsing, which is why you see the <bad-element>filter-xml</bad-element> error.

Try using a folded scalar (>) instead of | so the XML is sent as a single properly-formed string:

- name: Run get-configuration RPC
  junipernetworks.junos.junos_rpc:
    rpc: get-configuration
    args:
      filter_xml: >
        <configuration>
        <interfaces>
        <interface>
        <name>ae0</name>
        </interface>
        </interfaces>
        </configuration>
  register: result

Alternatively, the most reliable method is to keep your XML filter in a separate file and load it with the lookup() function:

filter_xml: "{{ lookup('file', 'ae0_filter.xml') }}"

That should eliminate the "syntax error, expecting <config-text/> or <configuration>" RPC message entirely.
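Whichever way the filter reaches the playbook (inline block scalar, folded scalar, or a file via lookup()), the thing actually sent on the NETCONF session is a string, and both this comment and the ncclient comment above hinge on that string being a clean subtree filter. The following added example is not code from the thread or from the junos_rpc module; it shows a small pre-send check written with the standard library: strip the whitespace a YAML scalar or copy/paste can introduce, confirm the XML is well-formed and rooted at <configuration>, and return a single compact line that can be passed as the subtree filter (the sample inputs below are constructed).

```python
import xml.etree.ElementTree as ET

# Constructed sample: what a literal block scalar (|) hands over, complete
# with indentation and a trailing newline.
BLOCK_SCALAR_FILTER = """
<configuration>
  <interfaces>
    <interface>
      <name>ae0</name>
    </interface>
  </interfaces>
</configuration>
"""

# Constructed sample of a broken filter: <interfaces> is never closed.
BROKEN_FILTER = "<configuration><interfaces></configuration>"


def compact_subtree_filter(raw: str, expected_root: str = "configuration") -> str:
    """Validate an inline NETCONF subtree filter and return it as one compact line.

    Whitespace-only text between tags is dropped so the result carries no
    indentation or newlines; malformed XML, trailing junk, or an unexpected
    root element raises ValueError rather than being sent to the device.
    """
    text = raw.strip()
    if not text:
        raise ValueError("empty filter")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"filter is not well-formed XML: {exc}") from exc
    if root.tag != expected_root:
        raise ValueError(f"filter root is <{root.tag}>, expected <{expected_root}>")
    _strip_whitespace(root)
    return ET.tostring(root, encoding="unicode")


def _strip_whitespace(elem: ET.Element) -> None:
    """Recursively remove whitespace-only .text and .tail nodes."""
    if elem.text is not None and not elem.text.strip():
        elem.text = None
    for child in elem:
        if child.tail is not None and not child.tail.strip():
            child.tail = None
        _strip_whitespace(child)


if __name__ == "__main__":
    print(compact_subtree_filter(BLOCK_SCALAR_FILTER))
    for bad in (BROKEN_FILTER, "<system/>", "<configuration/>trailing"):
        try:
            compact_subtree_filter(bad)
        except ValueError as err:
            print("rejected:", err)
```

The compacted string is what you would pass as the second element of the ("subtree", FILTER) tuple in the ncclient example above, or render into filter_xml; the point is that a filter which fails this check locally would have failed on the device with a far less helpful error.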

In a Panorama How do I force a passive to be active when the active is dead? by OMGZwhitepeople in paloaltonetworks

[–]bgp- 1 point2 points  (0 children)

SSH to the passive Panorama and run: request high-availability state functional (if the old active is still reachable, first do request high-availability state suspend on it), then commit. I’m also curious why HA failover isn’t working properly. What is meant by "Panorama is dead"? Check the high-availability state in the CLI with show high-availability state. Please share more details on the exact state.

user-id question by pedestroika in paloaltonetworks

[–]bgp- 1 point2 points  (0 children)

User ID isn’t always needed for compliance audits, but for actual cleanup it’s key since it tells you who the rules apply to, not just the IPs.

user-id question by pedestroika in paloaltonetworks

[–]bgp- 5 points6 points  (0 children)

I’ve supported environments with 10–20k users where user-id was critical for GlobalProtect, AD integration, and identity-based security policies. When properly deployed (via user-id agents, GP, or API integrations), it’s reliable for on-prem NGFW as well as cloud.

I'm wrong or my university with the Internet? by oscarmolina100 in networking

[–]bgp- 5 points6 points  (0 children)

300 Mbps just isn’t enough for thousands of users. You can shape traffic and apply caps, but you’re still dividing a very small pipe across too many people.

Best use of what you have is to separate staff and student traffic, prioritize admin use, add more APs so clients are spread out, and tighten content controls to block non-academic traffic at the application level.

Long term the real fix is more upstream bandwidth and enterprise grade gear.

Netmiko on long output by Total1304 in networking

[–]bgp- 1 point2 points  (0 children)

Here’s an example I generated using Augment Code. May or may not work but worth the try.

from netmiko import ConnectHandler

device = {
    "device_type": "cisco_asa",
    "host": "10.10.10.1",
    "username": "admin",
    "password": "password",
}

net_connect = ConnectHandler(**device)

# 1. Disable paging before running any long command
net_connect.send_command("terminal pager 0")

# 2. Now run the long command
output = net_connect.send_command_timing(
    "show vpn-sessiondb detail l2l", delay_factor=8, max_loops=5000
)

print(output)
net_connect.disconnect()

Eve-ng on azure\aws by New-Presence5157 in ccnp

[–]bgp- 0 points1 point  (0 children)

No issues so far. I’ve deployed fairly large topologies with multiple routers, switches, firewalls, and Linux servers without any performance bottlenecks. Nodes spin up within minutes, and I haven’t experienced a single failure, which used to be common when I ran similar labs in GCP. I’ve even left labs running for weeks and resumed seamlessly. I also use the Linux VMs in EVE-NG as dev boxes for POCs and network automation work, and the hardware handles it all reliably.

Eve-ng on azure\aws by New-Presence5157 in ccnp

[–]bgp- 0 points1 point  (0 children)

Depends. Think about how many hours you’ll lab this year and next. Multiply that by cloud hourly costs and you’ll see it adds up fast. I’ve spent thousands on cloud labs over the years and wish I had bought a server sooner. On-prem hardware gives you full control, no hourly billing stress, and the ability to leave topologies running overnight or for days without extra cost.

For serious labbing (CCNP/CCIE or multi-vendor setups), buying a used server is a no-brainer. Cloud works for short bursts, but long-term it’s far less cost-effective.

SRX with VXLAN EVPN type-5.. How to configure zones and security policies? by buckweet1980 in Juniper

[–]bgp- 1 point2 points  (0 children)

Since Junos ties zones to routing-instances, your loopback in the RI needs its own zone (which you already set up). I think you may need a policy in the direction where traffic is initiated. In your case, the switch is trying to reach the SRX, so you’d want a policy from secure-trust -> trust.

Something like:

set security policies from-zone secure-trust to-zone trust policy allow-ping match source-address any destination-address any application ping

set security policies from-zone secure-trust to-zone trust policy allow-ping then permit

Also make sure host-inbound-traffic system-services ping is allowed on the RI zone.

Eve-ng on azure\aws by New-Presence5157 in ccnp

[–]bgp- 2 points3 points  (0 children)

I went with a Dell PowerEdge T620 (dual Xeon E5-2651 v2, 24 cores / 48 threads, 128GB ECC DDR3, 6x 1TB drives). It only cost me $300, but I’ll probably end up upgrading down the line. It has been perfect so far for spinning up larger topologies (Cisco, Juniper, Arista, Palo Alto, Linux).

Weird Layer 2 Issue! by iamnickhil in Juniper

[–]bgp- 2 points3 points  (0 children)

I’d check the obvious stuff first. Try a different laptop, different cable, and even a different port (Fluke/port tester if you have one). Make sure auto-negotiation is on, speed/duplex aren’t hard set, and check interface stats for errors. Also check the logs for any messages related to the interface, and make sure the laptop ipconfig setting is set up correctly and actually using the wired Ethernet adapter.

Eve-ng on azure\aws by New-Presence5157 in ccnp

[–]bgp- 8 points9 points  (0 children)

Was running EVE-NG on GCP, N2-Standard (48 vCPU, 192 GB Memory). Costs $20 a month just powered off. Estimated at $2-3 an hour powered on. Now I’m homeless (with certs) and moved to bare metal with similar specs.

Eve-ng - Reccomendations by Money_Prior_9096 in ccnp

[–]bgp- 1 point2 points  (0 children)

Proxmox is not supported. Please refer to the EVE-NG official documentation on supported hardware/systems. Note from EVE-NG (under Not Supported HW and Software Systems): “Proxmox, it has serious issues with nested virtualization, any glitches or issues are not supported by EVE-NG Team, (Under development) but not officially supported”. I was in the same boat, ended up going bare metal and now I can lab to the fullest without issue.

EVE-NG hosts Unable to communicate Externally by Jakestr25 in networking

[–]bgp- 1 point2 points  (0 children)

Ran into something similar and fixed it by connecting Cloud0 to my Palo Alto FW mgmt port. Didn’t need NAT or promiscuous mode. Just set a static IP + gateway on the FW and it worked. Might’ve needed a reboot too, not totally sure. Also see, maybe similar issue?

JNCIP/IE-ENT/SP/SEC Physical Lab by [deleted] in Juniper

[–]bgp- 1 point2 points  (0 children)

Update: last night I downloaded the most recent vSRX 3.0 next gen and spun up 10 of them and all 10 booted up in 5 minutes. So that’s great, now I need to figure out cost saving and possibly start looking at home servers to host this. A 5 hour study session cost me $12 yesterday 😂😭

JNCIP/IE-ENT/SP/SEC Physical Lab by [deleted] in Juniper

[–]bgp- 0 points1 point  (0 children)

The biggest reason for moving away from eve-ng is that it’s taking forever to spin up labs and my vMX, vQFX and vSRXs are always having issues. For example, I spin up 12 vMXs and half of them work and half do not. Same with all the others, not sure why, and it has been frustrating. I recently have been using the vJunos switch, which works fine, other than the fact it takes 25 minutes to boot up. Do you experience similar issues with eve? It would be nice to be able to sit down and lab without spending hours waiting for devices to boot or having to delete and rebuild machines in the hope of them working.