Visit here for our full Juniper JN0-351 exam dumps and practice test questions.
Question 181:
A network administrator needs to configure OSPF authentication on a Juniper router. Which authentication types are supported?
A) Simple password and MD5
B) Only simple password
C) Only SHA-256
D) Only HMAC-SHA
Answer: A
Explanation:
Juniper routers support both simple password authentication and MD5 authentication for OSPF (Open Shortest Path First) protocol security, protecting routing protocol exchanges from unauthorized neighbor relationships and malicious route injection. Simple password authentication sends clear-text passwords in OSPF packets, providing basic protection against accidental misconfigurations but offering minimal security since passwords can be intercepted through packet capture. MD5 authentication provides cryptographic protection by computing message digests using shared secret keys and MD5 hashing algorithm, ensuring OSPF packets originate from authenticated neighbors and haven’t been tampered with during transit. Both authentication types operate at the area level, interface level, or virtual link level depending on network topology requirements.
Configuration involves navigating to the OSPF protocol hierarchy using set protocols ospf area <area-id> authentication-type for area-wide authentication or set protocols ospf area <area-id> interface <interface-name> authentication for interface-specific settings. Simple password authentication uses authentication-type simple password <password> where the password is transmitted in clear text within OSPF hello and other protocol packets. MD5 authentication configured with authentication-type md5 key-id <id> key <secret> allows multiple keys identified by key IDs enabling key rotation without service disruption by configuring new keys before removing old ones. All OSPF routers in an area or on a broadcast segment must use identical authentication configuration including type, passwords, and key IDs for neighbor relationships to form successfully. Mismatched authentication causes adjacency failures logged as authentication errors in system logs. Security best practices recommend MD5 over simple password despite MD5’s cryptographic weaknesses, using long random keys, implementing regular key rotation schedules, and considering migration to more secure protocols or authentication methods where supported.
Option B is incorrect because Juniper OSPF supports both simple and MD5 authentication and is not limited to simple password only. Option C is incorrect because SHA-256 authentication is not a standard OSPF authentication type, though newer protocols may support stronger cryptographic methods. Option D is incorrect because HMAC-SHA isn’t a traditional OSPF authentication type, though similar concepts exist in other routing protocols or newer OSPF extensions.
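An added example (not part of the original explanation and not Juniper code): a Python model of the two OSPF authentication types as RFC 2328 Appendix D places them on the wire. It shows that the simple password travels inside the packet while MD5 sends only a digest selected by key ID, which is what lets an old and a new key coexist during rotation. The router ID, area, secrets and Hello field values are constructed for the illustration.

```python
import hashlib
import hmac
import struct

AUTYPE_SIMPLE, AUTYPE_MD5 = 1, 2   # OSPFv2 AuType values (RFC 2328)
HDR = "!BBH4s4sHH8s"               # 24-byte OSPFv2 header layout
HDR_LEN, DIGEST_LEN = 24, 16


def _pad_key(key: bytes) -> bytes:
    """MD5 keys are zero-padded to 16 bytes before hashing."""
    return key.ljust(16, b"\0")[:16]


def _header(body_len, router_id, area_id, autype, auth8):
    # Version 2, type 1 (Hello); the length field excludes the trailing digest.
    # The checksum is left 0 in this model; MD5-authenticated packets carry none.
    return struct.pack(HDR, 2, 1, HDR_LEN + body_len,
                       router_id, area_id, 0, autype, auth8)


def build_simple(body, router_id, area_id, password: bytes) -> bytes:
    """Simple authentication: the password itself sits in the header."""
    auth8 = password.ljust(8, b"\0")[:8]
    return _header(len(body), router_id, area_id, AUTYPE_SIMPLE, auth8) + body


def build_md5(body, router_id, area_id, key_id, key, seq) -> bytes:
    """MD5 authentication: key ID and sequence number go in the header,
    and MD5(packet || padded key) is appended after the packet."""
    auth8 = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = _header(len(body), router_id, area_id, AUTYPE_MD5, auth8) + body
    return pkt + hashlib.md5(pkt + _pad_key(key)).digest()


def verify_md5(packet: bytes, keyring: dict, last_seq: int):
    """Receiver-side check. keyring maps key ID -> secret. Returns (ok, reason)."""
    if len(packet) < HDR_LEN + DIGEST_LEN:
        return False, "malformed packet"
    _v, _t, length, _rid, _aid, _csum, autype, auth8 = struct.unpack(
        HDR, packet[:HDR_LEN])
    if autype != AUTYPE_MD5:
        return False, "authentication type mismatch"
    _zero, key_id, digest_len, seq = struct.unpack("!HBBI", auth8)
    if digest_len != DIGEST_LEN or len(packet) != length + DIGEST_LEN:
        return False, "malformed packet"
    key = keyring.get(key_id)
    if key is None:
        return False, "unknown key ID"
    if seq < last_seq:                       # sequence numbers never decrease
        return False, "stale sequence number"
    expected = hashlib.md5(packet[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    rid, area = bytes([192, 0, 2, 1]), bytes(4)   # constructed router ID, area 0
    # Constructed Hello body: mask, hello 10 s, options, priority, dead 40 s, DR, BDR
    hello = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]),
                        10, 0x02, 128, 40, bytes(4), bytes(4))
    old_key, new_key = b"old-shared-key-1", b"new-shared-key-2"  # constructed
    keyring = {1: old_key, 2: new_key}    # both keys loaded during rotation

    simple = build_simple(hello, rid, area, b"lab-pass")
    signed_old = build_md5(hello, rid, area, 1, old_key, seq=1000)
    signed_new = build_md5(hello, rid, area, 2, new_key, seq=1001)

    tampered = bytearray(signed_new)
    tampered[HDR_LEN + 7] = 255           # router priority altered in transit

    return {
        "simple_leaks_password": b"lab-pass" in simple,
        "md5_leaks_key": new_key in signed_new,
        "old_key": verify_md5(signed_old, keyring, last_seq=0),
        "new_key": verify_md5(signed_new, keyring, last_seq=1000),
        "tampered": verify_md5(bytes(tampered), keyring, last_seq=1000),
        "unknown_key": verify_md5(signed_new, {1: old_key}, last_seq=1000),
        "replayed": verify_md5(signed_old, keyring, last_seq=1001),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The "unknown key ID" case is the adjacency failure a neighbor sees when the old key is removed before every router has the new one.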
Question 182:
What is the default OSPF reference bandwidth on Juniper routers?
A) 100 Mbps (100,000,000 bps)
B) 1 Gbps
C) 10 Gbps
D) 10 Mbps
Answer: A
Explanation:
The default OSPF reference bandwidth on Juniper routers is 100 Mbps (100,000,000 bits per second), which OSPF uses to calculate interface costs based on the formula: cost = reference-bandwidth / interface-bandwidth. This default originated when 100 Mbps was considered high-speed networking, but modern networks with Gigabit and 10 Gigabit interfaces create scaling issues where all high-speed interfaces receive the minimum OSPF cost of 1, preventing OSPF from differentiating path quality based on bandwidth. For example, with default 100 Mbps reference bandwidth, both 1 Gbps and 10 Gbps interfaces calculate costs as 100M/1G = 0.1 and 100M/10G = 0.01, both rounded to minimum cost of 1, making OSPF unable to prefer 10 Gbps paths over 1 Gbps paths.
Administrators should modify reference bandwidth to match the highest speed interfaces in their network using set protocols ospf reference-bandwidth <value> where value is specified in bits per second or using units like 1g for 1 Gbps or 10g for 10 Gbps. Setting reference bandwidth to 10 Gbps (10,000,000,000 bps) ensures proper cost differentiation across modern network speeds: 10 Gbps interfaces receive cost 1, 1 Gbps interfaces cost 10, and 100 Mbps interfaces cost 100, allowing OSPF to correctly prefer higher bandwidth paths. This configuration must be consistent across all routers in the OSPF domain since mismatched reference bandwidths cause inconsistent cost calculations leading to suboptimal routing or routing loops. When changing reference bandwidth, coordinate changes across all OSPF routers simultaneously during maintenance windows, verify cost calculations using show ospf interface extensive displaying calculated costs, and update documentation reflecting the new reference standard. Interface-specific costs can override calculated costs using set protocols ospf area <area-id> interface <interface> metric <value> for fine-tuning specific paths.
Option B is incorrect because 1 Gbps is not the default though it’s a common configuration value for modern networks. Option C is incorrect because 10 Gbps would be appropriate for very high-speed networks but isn’t the Junos default. Option D is incorrect because 10 Mbps is too low and wasn’t the original OSPF standard reference bandwidth.
Question 183:
A network engineer needs to prevent specific routes from being installed in the routing table. Which Juniper feature should be used?
A) Routing policy with reject action
B) Firewall filter
C) Access control list
D) Interface disable
Answer: A
Explanation:
Routing policies with reject actions in Junos provide granular control over which routes are accepted into the routing table, allowing administrators to filter unwanted routes based on various attributes including prefix, prefix-length, community values, AS path patterns, or route preferences. Routing policies evaluate routes as they’re received from routing protocols or static configuration, applying match conditions and taking actions like accept, reject, or modify before routes are considered for routing table installation. The reject action explicitly blocks matched routes from entering the routing table, useful for implementing security policies preventing private address ranges from external peers, filtering default routes from certain neighbors, blocking overly specific prefixes causing table bloat, or enforcing corporate routing policies about acceptable network announcements.
Policy configuration involves creating policy statements under the [edit policy-options] hierarchy, defining match conditions with from clauses that specify criteria such as route-filter <prefix/length> <match-type> for prefix matching, protocol <protocol-name> for source protocol, community <community-name> for BGP communities, or as-path <as-path-name> for AS path regular expressions. The then clause specifies actions, with reject explicitly denying matched routes. Policies are applied to routing protocols using statements like set protocols bgp group <group-name> import <policy-name> for BGP import policies controlling received routes, or set protocols ospf import <policy-name> for OSPF route filtering. Multiple match conditions combine with implicit AND logic unless nested in or statements, and policies evaluate in order with first-match winning unless configured otherwise. Rejected routes appear in protocol-specific route databases but not the main routing table; they are visible in show route receive-protocol bgp <neighbor> but absent from show route output. Careful policy design prevents unintended route rejection that causes connectivity loss; it includes testing in lab environments before production deployment and comprehensive logging of policy matches for troubleshooting.
Option B is incorrect because firewall filters operate on packet forwarding in the data plane, not routing table population in the control plane. Option C is incorrect because ACLs typically refer to packet filtering rather than route filtering in Junos terminology. Option D is incorrect because disabling interfaces prevents all protocol operation and traffic forwarding, not selective route filtering.
Question 184:
What command displays the OSPF neighbors on a Juniper router?
A) show ospf neighbor
B) display ospf neighbor
C) get ospf neighbor
D) list ospf neighbor
Answer: A
Explanation:
The show ospf neighbor command displays OSPF neighbor relationships on Juniper routers, providing essential information about adjacency states, neighbor router IDs, interface associations, and neighbor addresses. This operational command is fundamental for verifying OSPF operation, troubleshooting adjacency issues, and confirming network topology. The output includes columns for Address (neighbor’s IP address), Interface (local interface where neighbor was discovered), State (adjacency state such as Full, 2Way, ExStart), ID (neighbor’s router ID), Pri (neighbor’s priority for DR/BDR election), Dead (seconds until neighbor declared dead if no hello received), and additional details. Full state indicates fully adjacent neighbors exchanging complete link-state databases, the normal operational state for point-to-point links and routers adjacent to DR/BDR on broadcast networks.
Extended information is available using show ospf neighbor extensive displaying additional details including neighbor capabilities, authentication status, number of database description packets exchanged, LSA counts, and timing information. The show ospf neighbor detail provides similar extended output with different formatting. Specific neighbors can be queried using show ospf neighbor <address> or filtering by interface with show ospf neighbor interface <interface-name>. Common troubleshooting scenarios include neighbors stuck in ExStart or Exchange states indicating database synchronization issues, possibly from MTU mismatches resolved by checking show interfaces <interface> and adjusting MTU values; neighbors missing entirely suggesting physical connectivity problems, OSPF not enabled on interfaces, or area misconfigurations verified through show ospf interface; and neighbors in Init state indicating one-way communication where local router receives hello packets but neighbor doesn’t receive responses, often caused by firewall filters blocking OSPF protocol. Healthy OSPF deployment shows all expected neighbors in Full state with reasonable Dead timer values typically 40 seconds for default hello intervals.
Option B is incorrect because “display” is not a Junos operational command verb; Junos uses “show” for operational commands. Option C is incorrect because “get” is not standard Junos syntax, though it is similar to commands in other network operating systems. Option D is incorrect because “list” is a configuration mode command for displaying configuration, not operational state.
Question 185:
A network administrator needs to configure a static route with a next-hop IP address. What is the correct Junos configuration syntax?
A) set routing-options static route <destination> next-hop <next-hop-ip>
B) set static route <destination> gateway <next-hop-ip>
C) set route static <destination> via <next-hop-ip>
D) set protocols static route <destination> next-hop <next-hop-ip>
Answer: A
Explanation:
The correct Junos syntax for configuring static routes with next-hop IP addresses is set routing-options static route <destination> next-hop <next-hop-ip> where destination specifies the network prefix in CIDR notation like 192.168.10.0/24 and next-hop-ip is the IP address of the next-hop router that can reach the destination. Static routes are fundamental routing configuration providing explicit path definitions independent of dynamic routing protocols, commonly used for default routes, routes to stub networks, backup routes, or routing where dynamic protocols are impractical. The routing-options hierarchy contains global routing configuration including static routes, aggregate routes, router ID, and autonomous system numbers, distinct from the protocols hierarchy used for dynamic routing protocol configuration.
Additional static route options include qualified-next-hop <ip> preference <value> creating floating static routes with higher preference (lower priority) than primary routes, activating only when primary paths fail; no-readvertise preventing static route redistribution into routing protocols; resolve enabling recursive route resolution when next-hop isn’t directly connected; retain keeping routes in forwarding table even when next-hop becomes unreachable; and metric <value> or tag <value> setting route attributes used in redistribution policies. Multiple next-hops create equal-cost multipath (ECMP) with load balancing across available paths. Discard routes are configured with discard instead of next-hop, dropping matching traffic, useful for security filtering or preventing routing loops. Static routes have default preference of 5, lower than most dynamic protocols ensuring manual configuration takes precedence. Verification uses show route protocol static displaying all static routes in the routing table, and show route <destination> showing active and inactive routes to specific prefixes. Best practices include documenting static route purposes, using qualified-next-hop for redundancy, implementing policies controlling static route redistribution, and regularly reviewing static routes for obsolete entries.
Option B is incorrect because “gateway” is not Junos terminology for next-hop specification. Option C is incorrect because “via” keyword and command structure don’t match Junos syntax. Option D is incorrect because static routes configure under routing-options, not protocols hierarchy in Junos.
Question 186:
What is the purpose of OSPF virtual links?
A) Connect non-backbone areas to the backbone through another area
B) Increase routing table size
C) Disable OSPF on specific interfaces
D) Create routing loops intentionally
Answer: A
Explanation:
OSPF virtual links serve the critical purpose of connecting non-backbone areas to Area 0 (the backbone area) through an intermediate area when physical connectivity to the backbone is impossible or impractical, maintaining OSPF’s hierarchical routing architecture requirement that all areas must connect to the backbone. OSPF design mandates that inter-area routing occurs through Area 0, ensuring loop-free routing through hierarchical topology. However, network evolution, mergers, or geographical constraints sometimes create situations where areas cannot physically attach to the backbone. Virtual links solve this by creating logical connections through transit areas, treating the transit area as if it were part of the backbone for routing purposes.
Virtual link configuration requires two Area Border Routers (ABRs) both connected to the transit area and configured with matching virtual link statements specifying each other’s router IDs. Configuration uses set protocols ospf area <transit-area-id> virtual-link neighbor-id <remote-router-id> transit-area <area-id> establishing the virtual adjacency. Virtual links inherit area 0 characteristics, forming regular OSPF adjacencies exchanging hello packets encapsulated within the transit area, synchronizing link-state databases, and computing shortest paths through the virtual connection. Authentication can be applied using authentication md5 key-id <id> key <secret> within virtual-link configuration. Troubleshooting involves verifying both ABRs have connectivity through the transit area using show ospf route, confirming matching router IDs in virtual-link configuration, checking authentication consistency, and examining virtual-link state with show ospf overview displaying virtual-link status. Virtual links should be temporary solutions with network redesign preferred for permanent backbone connectivity, as they add complexity and potential failure points. Best practices include minimizing virtual link usage, fully meshing backbone routers for redundancy, documenting virtual link purposes and affected areas, and planning network topology changes eliminating virtual link requirements.
Option B is incorrect because virtual links don’t increase routing table size; they provide topology connectivity. Option C is incorrect because virtual links enable OSPF operation rather than disabling it. Option D is incorrect because OSPF prevents loops through hierarchical design, not creating them intentionally.
Question 187:
A network engineer needs to view the BGP routing table on a Juniper router. Which command should be used?
A) show route protocol bgp
B) display bgp routes
C) get bgp table
D) list bgp routing-table
Answer: A
Explanation:
The show route protocol bgp command displays BGP routes in the Juniper routing table, showing learned BGP prefixes, their attributes, active versus inactive states, next-hops, and AS paths. This operational command is essential for verifying BGP operation, troubleshooting routing issues, confirming policy applications, and analyzing path selection. The output presents routes with prefixes in the first column, followed by preference values (protocol preference and local preference combined), next-hop IP addresses or keywords like “Self” for locally originated routes, AS paths showing autonomous system numbers traversed, and additional attributes like MED, communities, or origin codes. Active routes marked with asterisks (*) indicate the selected best path installed in the forwarding table, while multiple BGP paths to the same destination show with only the best path active.
Additional filtering and detail options include show route protocol bgp terse for compact output with minimal details useful for quickly counting routes or identifying basic path information, show route protocol bgp extensive displaying complete BGP attributes including all communities, extended communities, cluster lists, originator ID, and policy evaluations useful for deep troubleshooting. Filtering by specific prefixes uses show route <prefix> protocol bgp showing all BGP paths to particular destinations regardless of active state. The show route receive-protocol bgp <neighbor> displays routes received from specific BGP neighbors before import policy application, while show route advertising-protocol bgp <neighbor> shows routes advertised to neighbors after export policy filtering. Understanding the difference between received routes (pre-policy), routes in routing table (post-import policy), and advertised routes (post-export policy) is crucial for BGP troubleshooting. Common analysis includes verifying expected prefixes are received, confirming best path selection follows expected BGP decision process considering weight, local preference, AS path length, origin, and MED, identifying why specific routes aren’t active through attribute comparison, and validating policy applications through attribute modifications.
Option B is incorrect because “display” isn’t Junos command syntax; Junos uses “show” for operational commands. Option C is incorrect because “get” is not standard Junos syntax for viewing routing information. Option D is incorrect because “list” is a configuration mode command for displaying configuration structure, not operational routing table state.
Question 188:
What is the default BGP keepalive interval on Juniper routers?
A) 30 seconds
B) 60 seconds
C) 90 seconds
D) 180 seconds
Answer: A
Explanation:
The default BGP keepalive interval on Juniper routers is 30 seconds, working in conjunction with a default hold-time of 90 seconds to maintain BGP neighbor relationships and detect failures. BGP uses these timing mechanisms to ensure neighbor sessions remain active and detect when peers become unreachable. The keepalive timer determines how frequently BGP sends keepalive messages to neighbors when no other BGP traffic (like UPDATE or NOTIFICATION messages) is exchanged. These keepalive messages are small packets confirming the BGP session is still operational. The hold-time is the maximum interval a router waits to receive any BGP message from a neighbor before declaring the session down; receiving any BGP message (keepalive, update, or notification) resets this timer.
BGP negotiates hold-time and keepalive values during session establishment, using the lower of the two routers’ configured hold-times, and setting keepalive to one-third of the negotiated hold-time automatically unless explicitly configured otherwise. For example, if Router A configures hold-time 90 and Router B configures hold-time 120, the session uses 90-second hold-time with 30-second keepalive. Administrators can modify these timers using set protocols bgp group <group-name> hold-time <seconds> and optionally keepalive <seconds> for fine control. Reducing timers like hold-time 30 keepalive 10 enables faster failure detection in critical environments but increases protocol overhead and CPU utilization from more frequent messages and can cause false failures on networks with jitter or congestion causing temporary packet loss. Increasing timers reduces overhead but delays failure detection. Best practices include matching timers to network stability and failure detection requirements, using consistent values across BGP deployment for predictable behavior, implementing BFD (Bidirectional Forwarding Detection) for sub-second failure detection while maintaining standard BGP timers, and monitoring for keepalive failures indicating network issues or router resource exhaustion. The show bgp neighbor command displays negotiated keepalive and hold-time values along with timer expiration counters.
Option B is incorrect because 60 seconds is not the default keepalive though it’s valid hold-time in some configurations. Option C is incorrect because 90 seconds is the default hold-time, not keepalive. Option D is incorrect because 180 seconds is neither default keepalive nor hold-time on Juniper routers.
Question 189:
A network administrator needs to configure VRRP on a Juniper router. What is the valid priority range?
A) 1-255
B) 0-100
C) 1-1024
D) 0-65535
Answer: A
Explanation:
VRRP (Virtual Router Redundancy Protocol) priority values on Juniper routers range from 1 to 255, with higher values indicating higher priority for master election among VRRP group members. Priority determines which router becomes the VRRP master owning the virtual IP address and forwarding traffic, while backup routers monitor the master’s health and assume mastership if the master fails. The router with highest priority becomes master; if multiple routers have identical priority, the router with highest IP address on the VRRP interface wins. Default priority is 100, providing neutral starting point allowing administrators to configure specific routers as preferred masters through higher priorities like 150 or 200, or as backup-only routers through lower priorities like 50.
VRRP configuration includes set interfaces <interface> unit <unit> family inet address <ip/prefix> vrrp-group <group-id> virtual-address <virtual-ip> establishing the virtual IP address clients use as default gateway, and priority <value> setting the router’s priority for master election. Priority value 255 has special meaning reserved for the router owning the virtual IP address as a physical interface address, automatically becoming master. Additional configuration options include preempt allowing higher-priority routers to reclaim mastership from lower-priority masters (disabled by default preventing unnecessary failovers), preempt hold-time <seconds> delaying preemption after boot to allow routing protocol convergence, fast-interval <milliseconds> and advertise-interval <seconds> controlling VRRP advertisement timing for faster or slower failure detection, authentication-type md5 authentication-key <key> securing VRRP advertisements, and track monitoring interface or routing conditions dynamically adjusting priority to trigger failovers based on network state. The show vrrp command displays VRRP status including current master, priorities, virtual addresses, and advertisement intervals. Common use cases include gateway redundancy for end users where dual routers provide continuous default gateway availability, load distribution using multiple VRRP groups with different masters serving distinct subnets, and geographic redundancy with VRRP groups spanning data centers.
Option B is incorrect because the 0-100 range is too limited; VRRP supports 1-255. Priority 0 has a special meaning in VRRP: it signals immediate mastership release. Option C is incorrect because 1-1024 exceeds the capacity of VRRP’s 8-bit priority field. Option D is incorrect because this range is typical for spanning tree priorities or other protocols, not VRRP.
Question 190:
What is the purpose of BGP communities?
A) Tag routes with attributes for policy-based routing decisions
B) Encrypt BGP advertisements
C) Compress routing tables
D) Disable BGP neighbors
Answer: A
Explanation:
BGP communities serve as route tags attaching metadata to BGP prefixes, enabling flexible policy-based routing decisions without relying solely on prefix or AS path matching. Communities are 32-bit values traditionally represented as two 16-bit numbers in format AS:value like 65000:100, allowing autonomous systems to mark routes with attributes that downstream routers use for filtering, preference modification, or other policy actions. This tagging mechanism provides scalable routing policy implementation where routes carrying specific communities trigger predefined actions such as accepting, rejecting, modifying local preference, prepending AS path, or setting MED values. Communities enable cooperative routing policies between autonomous systems where upstream providers tag routes according to agreements, and customers implement policies based on those tags.
Well-known communities defined in RFCs include NO_EXPORT (65535:65281 or 0xFFFFFF01) preventing route advertisement to EBGP peers while allowing IBGP propagation, useful for keeping routes within AS boundaries; NO_ADVERTISE (65535:65282 or 0xFFFFFF02) preventing route advertisement to any BGP peer effectively making routes local to receiving router; and NO_EXPORT_SUBCONFED preventing advertisement outside confederation sub-AS in BGP confederation deployments. Custom communities implement traffic engineering, backup path signaling, or routing preferences. Configuration involves setting communities on route advertisement using export policies with community add <community-name> or community set <community-name> actions, defining community names under [edit policy-options community] like set policy-options community CUSTOMER members 65000:100, and matching communities in import policies using from community <community-name> conditions. Multiple communities attach to single routes enabling complex multi-dimensional routing policies. Extended communities provide 8-byte values for additional flexibility supporting route targets in MPLS VPNs, site-of-origin in multihoming scenarios, and other specialized applications. The show route protocol bgp extensive displays communities attached to routes, while policies can add, remove, or match communities for sophisticated routing control.
Option B is incorrect because communities don’t provide encryption; they’re routing metadata visible in BGP updates. Option C is incorrect because communities don’t compress tables; they add metadata for policy decisions. Option D is incorrect because communities are route attributes, not neighbor control mechanisms.
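An added example (not from the original explanation or from Junos): Python that decodes a BGP COMMUNITIES attribute into the AS:value form described above, applies the well-known community export rules per peer type, and matches a named community definition such as CUSTOMER members 65000:100. The attribute bytes and the peer-type labels "ibgp", "ebgp" and "confed-ebgp" are constructed for the illustration, and the numeric value of NO_EXPORT_SUBCONFED is taken from RFC 1997, not from the text above.

```python
import struct

NO_EXPORT = 0xFFFFFF01            # 65535:65281
NO_ADVERTISE = 0xFFFFFF02         # 65535:65282
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # value from RFC 1997 (assumption, not on the page)
WELL_KNOWN = {
    NO_EXPORT: "NO_EXPORT",
    NO_ADVERTISE: "NO_ADVERTISE",
    NO_EXPORT_SUBCONFED: "NO_EXPORT_SUBCONFED",
}


def encode(text: str) -> int:
    """'65000:100' -> 32-bit community (high 16 bits AS, low 16 bits value)."""
    asn, value = (int(part) for part in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"community out of range: {text}")
    return (asn << 16) | value


def decode(community: int, names: bool = True) -> str:
    """32-bit community -> 'AS:value', or the well-known name when names=True."""
    if names and community in WELL_KNOWN:
        return WELL_KNOWN[community]
    return f"{community >> 16}:{community & 0xFFFF}"


def parse_attribute(value: bytes) -> list:
    """Split a COMMUNITIES attribute value into its 4-byte communities."""
    if len(value) % 4:
        raise ValueError("COMMUNITIES length must be a multiple of 4")
    return [c for (c,) in struct.iter_unpack("!I", value)]


def may_advertise(communities, peer: str) -> bool:
    """Apply the well-known community rules for one peer type.

    peer is one of 'ibgp', 'ebgp', 'confed-ebgp' (labels chosen for this example).
    """
    if peer not in ("ibgp", "ebgp", "confed-ebgp"):
        raise ValueError(f"unknown peer type: {peer}")
    if NO_ADVERTISE in communities:
        return False                          # stays on the receiving router
    if NO_EXPORT in communities and peer == "ebgp":
        return False                          # stays inside the AS / confederation
    if NO_EXPORT_SUBCONFED in communities and peer != "ibgp":
        return False                          # stays inside the local sub-AS
    return True


def matches(members, route_communities) -> bool:
    """Model of 'from community <name>': all listed members must be on the route."""
    return all(encode(m) in route_communities for m in members)


if __name__ == "__main__":
    # Constructed attribute value: 65000:100 followed by NO_EXPORT.
    wire = struct.pack("!II", encode("65000:100"), NO_EXPORT)
    comms = parse_attribute(wire)
    print([decode(c) for c in comms])
    for peer in ("ibgp", "confed-ebgp", "ebgp"):
        print(peer, may_advertise(comms, peer))
    print("CUSTOMER match:", matches(["65000:100"], comms))
```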
Question 191:
A network engineer needs to configure an aggregate route on a Juniper router. What is the correct configuration syntax?
A) set routing-options aggregate route <prefix/length>
B) set protocols aggregate route <prefix/length>
C) set firewall aggregate route <prefix/length>
D) set interfaces aggregate route <prefix/length>
Answer: A
Explanation:
The correct Junos configuration syntax for aggregate routes is set routing-options aggregate route <prefix/length> where the prefix and length define the summarized network range like 10.0.0.0/8 or 192.168.0.0/16. Aggregate routes, also called summary routes, represent multiple more-specific routes with a single less-specific prefix, reducing routing table size, improving convergence times, and hiding internal network topology from external domains. Aggregation is fundamental to scalable Internet routing where upstream providers receive summarized prefixes rather than individual subnets from customers. Junos generates aggregate routes automatically when contributing routes exist in the routing table, installing the aggregate only if at least one more-specific active route falls within the aggregate’s address space.
Additional aggregate route configuration options include policy <policy-name> applying routing policies determining which contributing routes qualify for aggregate generation, enabling selective aggregation based on protocol source, communities, or other attributes; discard creating a discard route for the aggregate preventing routing loops by dropping traffic matching the aggregate but not matching any more-specific routes, particularly important when advertising aggregates to prevent black-holing; as-path atomic-aggregate settings controlling AS_PATH handling in BGP aggregation; and passive creating the aggregate unconditionally without requiring contributing routes, useful for pre-announcing address space before deployment. Contributing routes appear in show route <aggregate-prefix> output with “Contributing” tags indicating they contribute to aggregate generation. Aggregation policy best practices include advertising aggregates to external peers while maintaining specific routes internally for optimal routing, implementing discard routes with aggregates preventing loops, documenting aggregation boundaries and policies, and carefully planning address allocation enabling efficient summarization with minimal waste. Common troubleshooting issues include aggregates not appearing due to absence of contributing routes, resolved by verifying at least one specific route exists within aggregate range; unexpected aggregate behavior from policy restrictions, debugged through policy evaluation tracing; and routing loops from missing discard routes, fixed by adding discard option to aggregate configuration.
Option B is incorrect because aggregate routes configure under routing-options, not protocols hierarchy in Junos. Option C is incorrect because firewall hierarchy manages packet filters, not routing aggregation. Option D is incorrect because interfaces configure physical/logical network interfaces, not routing table aggregation.
Question 192:
What is the default administrative distance for OSPF routes in Junos?
A) 10 (internal) and 150 (external)
B) 110 (internal and external)
C) 90 (internal) and 170 (external)
D) 100 (internal and external)
Answer: A
Explanation:
Junos uses administrative distance values (called route preference in Junos terminology) of 10 for OSPF internal routes and 150 for OSPF external routes, differing from Cisco’s convention of 110 for all OSPF routes. Route preference determines which routing source is trusted when multiple protocols provide routes to the same destination, with lower values indicating higher preference. Junos’s distinction between internal and external OSPF routes reflects the hierarchical OSPF design where internal routes (intra-area and inter-area) originate within the OSPF domain, while external routes are redistributed from other routing sources into OSPF as Type 5 or Type 7 LSAs. This preference differentiation allows OSPF internal routes to take precedence over external routes from the same OSPF process, aligning with the general principle that routes learned directly through native protocol operation are more trustworthy than redistributed routes.
Route preference values for common protocols in Junos include: directly connected routes (0), static routes (5), OSPF internal (10), IS-IS Level 1 internal (15), IS-IS Level 2 internal (18), RIP (100), OSPF external (150), IS-IS external (160), BGP (170), and aggregated routes (130). Administrators can modify default preferences using set protocols ospf preference <value> for both internal and external together, or separately using set protocols ospf external-preference <value> for external routes only, enabling traffic engineering by making specific routing sources more or less preferred. Lower preference causes routes from that source to be selected over routes from sources with higher preference when multiple routes to identical destinations exist. Common use cases include preferring static routes over OSPF by keeping static at preference 5 below OSPF’s 10, creating floating static routes by setting their preference higher than primary routing protocol like preference 200, and adjusting external route preference controlling whether redistributed routes or native protocol routes are preferred when overlap occurs. The show route <prefix> command displays all routes to a destination with their preferences, and asterisks mark active routes selected for forwarding. Understanding preference is critical for troubleshooting unexpected routing paths where lower-preference protocols override expected routes from higher-preference sources.
Option B is incorrect because 110 is Cisco OSPF administrative distance, not Junos’s preference values. Option C is incorrect because these values match EIGRP in Cisco environments, not Junos OSPF. Option D is incorrect because 100 doesn’t match Junos’s default OSPF preferences for either internal or external routes.
Question 193:
A network administrator needs to configure an interface in trunk mode allowing multiple VLANs. What is the correct Junos configuration?
A) set interfaces <interface> unit <unit> family ethernet-switching interface-mode trunk
B) set interfaces <interface> switchport mode trunk
C) set interfaces <interface> trunk allow vlan all
D) set vlan trunk interface <interface>
Answer: A
Explanation:
The correct Junos configuration for trunk ports allowing multiple VLANs is set interfaces <interface> unit <unit> family ethernet-switching interface-mode trunk which configures the interface to carry traffic for multiple VLANs using 802.1Q VLAN tagging. Junos EX-series switches use the ethernet-switching family for Layer 2 configuration, distinct from the inet family used for Layer 3 IP configuration. Trunk mode interfaces tag frames with VLAN IDs allowing switches to identify which VLAN each frame belongs to when traversing inter-switch links or connecting to devices understanding VLAN tagging like routers, servers with 802.1Q-capable NICs, or other switches. The unit number typically is 0 for physical interfaces but can vary for aggregated interfaces or logical configurations.
Additional trunk configuration includes vlan members <vlan-list>, which specifies the VLANs allowed on the trunk, using formats like [10 20 30-40] for individual VLANs and ranges, or all to permit all configured VLANs. Without explicit member specification, trunks typically don’t carry any VLAN traffic, so administrators must explicitly permit VLANs. Native VLAN configuration uses native-vlan-id <vlan-id> to designate one VLAN whose frames are transmitted untagged on the trunk, supporting devices that don’t understand VLAN tags; the native VLAN is typically VLAN 1 by default but should be changed to an unused VLAN for security. Configuration example: set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk vlan members [10 20 30] native-vlan-id 99. Access ports, in contrast, use interface-mode access and vlan members <single-vlan>, carrying traffic for only one VLAN without tagging. Verification commands include show ethernet-switching interfaces <interface>, which displays interface mode, VLAN memberships, and tagging behavior, and show vlans, which shows VLAN definitions and member interfaces. Common misconfigurations include forgetting vlan members, which causes trunks to carry no traffic; native VLAN mismatches between trunk endpoints, which cause connectivity issues for untagged traffic; and mode mismatches, where one end is configured as a trunk and the other as access.
Option B is incorrect because this Cisco IOS-style syntax doesn’t match Junos configuration structure. Option C is incorrect because Junos doesn’t use “trunk allow vlan” syntax; VLAN membership is specified under the interface configuration. Option D is incorrect because trunk configuration occurs under the interfaces hierarchy, not the vlan hierarchy, in Junos.
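The misconfigurations listed above can be checked mechanically before a change is committed. The following is an added example, not part of the original material and not a Juniper tool: it parses set lines in the form used on this page for both ends of each inter-switch link and reports the three problems named above, an explicit native VLAN of 1, and (one step beyond the page's list) VLANs allowed on only one end. The two configurations and the link list are constructed sample data.

```python
import re

# Statement form used on this page: set interfaces <if> unit <n> family ethernet-switching ...
IFACE_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit \d+ family ethernet-switching (?P<rest>.+)$")

# Constructed sample configurations for two switches (not taken from a real device).
SWITCH_A = """
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk vlan members [10 20 30-32] native-vlan-id 99
set interfaces ge-0/0/11 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk vlan members [10 20 30-32] native-vlan-id 99
"""
SWITCH_B = """
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk vlan members [10 20 30-32] native-vlan-id 1
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access vlan members 10
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk vlan members [10 20 30] native-vlan-id 99
"""
# Which port on switch A is cabled to which port on switch B (constructed).
LINKS = [("ge-0/0/10", "ge-0/0/1"), ("ge-0/0/11", "ge-0/0/2"), ("ge-0/0/12", "ge-0/0/3")]


def parse_ports(config_text):
    """Return {interface: {"mode", "members", "native"}} from set lines."""
    ports = {}
    for line in config_text.splitlines():
        m = IFACE_RE.match(line.strip())
        if not m:
            continue
        port = ports.setdefault(m["ifd"], {"mode": None, "members": [], "native": None})
        mode = re.search(r"interface-mode (\S+)", m["rest"])
        if mode:
            port["mode"] = mode.group(1)
        members = re.search(r"vlan members (\[[^\]]*\]|\S+)", m["rest"])
        if members:
            port["members"].extend(members.group(1).strip("[]").split())
        native = re.search(r"native-vlan-id (\d+)", m["rest"])
        if native:
            port["native"] = int(native.group(1))
    return ports


def expand(members):
    """Expand ['10', '30-32'] to {10, 30, 31, 32}; the keyword 'all' is returned as is."""
    vlans = set()
    for item in members:
        if item == "all":
            return "all"
        low, _, high = item.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_link(a, b):
    """Compare the two ends of one link and return a list of finding codes."""
    findings = []
    if a["mode"] != b["mode"]:
        findings.append("mode-mismatch")
    for name, side in (("A", a), ("B", b)):
        if side["mode"] != "trunk":
            continue
        if not side["members"]:
            findings.append(f"{name}:no-vlan-members")
        if side["native"] == 1:
            findings.append(f"{name}:native-vlan-1")
    if a["mode"] == b["mode"] == "trunk":
        if a["native"] != b["native"]:
            findings.append("native-vlan-mismatch")
        va, vb = expand(a["members"]), expand(b["members"])
        if "all" not in (va, vb) and va != vb:
            only_one_end = ",".join(str(v) for v in sorted(va ^ vb))
            findings.append(f"vlan-members-differ:{only_one_end}")
    return findings


def audit(config_a, config_b, links):
    """Audit every cabled pair; returns {(port_a, port_b): [findings]}."""
    ports_a, ports_b = parse_ports(config_a), parse_ports(config_b)
    return {(pa, pb): audit_link(ports_a[pa], ports_b[pb]) for pa, pb in links}


if __name__ == "__main__":
    for link, findings in audit(SWITCH_A, SWITCH_B, LINKS).items():
        print(link, findings or "ok")
```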
Question 194:
What protocol do Juniper switches use for loop prevention in Layer 2 networks?
A) Spanning Tree Protocol (STP, RSTP, MSTP)
B) Border Gateway Protocol
C) Open Shortest Path First
D) Enhanced Interior Gateway Routing Protocol
Answer: A
Explanation:
Juniper switches use Spanning Tree Protocol and its variants (STP, RSTP, MSTP) for loop prevention in Layer 2 networks, ensuring a loop-free topology even when physical redundancy exists through multiple inter-switch connections. Without spanning tree, Layer 2 loops cause broadcast storms where broadcast or unknown unicast frames circulate endlessly, multiplying with each loop iteration until network collapse from resource exhaustion. STP prevents loops by logically blocking redundant paths, maintaining only loop-free active paths while keeping blocked paths as standby, automatically unblocking them when active paths fail, providing both loop prevention and redundancy. Juniper supports multiple spanning tree protocols including legacy 802.1D STP with slow convergence (30-50 seconds), 802.1w RSTP (Rapid Spanning Tree Protocol) with fast convergence (typically under 6 seconds) through improved BPDU handling and port state transitions, and 802.1s MSTP (Multiple Spanning Tree Protocol) mapping multiple VLANs to spanning tree instances for load distribution across redundant links.
STP operation involves electing a root bridge based on lowest bridge ID (priority + MAC address), calculating shortest paths to root using port costs, designating root ports (best path to root) and designated ports (best path to segment), and blocking all other ports to eliminate loops. RSTP improves convergence through port roles including alternate ports (immediate root port backup) and backup ports (designated port backup), edge port designation for host-facing ports bypassing listening/learning states, and point-to-point link detection enabling rapid transition. MSTP creates multiple spanning tree instances (MSTIs), each with an independent topology, allowing VLAN load balancing where different VLANs forward on different physical paths, maximizing bandwidth utilization. Configuration uses set protocols rstp or set protocols mstp to enable the protocol globally, set protocols rstp bridge-priority <value> to set the bridge priority for root election (lower values preferred, multiples of 4096), set protocols rstp interface <interface> edge to mark host-facing ports for rapid forwarding, and set protocols mstp configuration-name <name> revision-level <number> to define MSTP regions. Verification commands include show spanning-tree bridge, which displays bridge role and root information; show spanning-tree interface, which shows port roles and states; and show spanning-tree statistics, which reveals BPDU counts and topology changes. Best practices include setting a deliberate root bridge through low priority rather than relying on random MAC-based election, enabling BPDU guard on edge ports to prevent loops from connected switches, implementing root guard on non-root-facing ports to prevent unauthorized root elections, and using RSTP or MSTP instead of legacy STP for faster convergence.
Option B is incorrect because BGP is an external routing protocol for inter-AS routing, not Layer 2 loop prevention. Option C is incorrect because OSPF is a Layer 3 routing protocol operating on IP networks, not Layer 2 switching. Option D is incorrect because EIGRP is a Cisco proprietary routing protocol, and Juniper doesn’t implement EIGRP, nor would routing protocols prevent Layer 2 loops.
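The election and port-role steps described above can be worked through on a small topology. This added example (not from the original material, and not Junos code) elects the root from priority plus MAC, computes root path costs, and assigns root, designated and alternate roles for a three-switch triangle, first with default priorities and then with deliberately set ones. The switch names, MAC addresses and link costs are constructed, and the model assumes a connected topology with one point-to-point link per switch pair.

```python
import heapq

LINK_COST = 20000  # constructed: the same cost on every link


def bridge_id(bridge):
    # Lowest (priority, MAC) wins; MACs must share one zero-padded lowercase format.
    return (bridge["priority"], bridge["mac"])


def spanning_tree(bridges, links):
    """Return (root, roles); roles[(switch, neighbor)] is the role of the port facing neighbor."""
    for name, b in bridges.items():
        if b["priority"] % 4096 or not 0 <= b["priority"] <= 61440:
            raise ValueError(f"{name}: bridge priority must be a multiple of 4096 in 0..61440")
    root = min(bridges, key=lambda n: bridge_id(bridges[n]))

    adj = {n: [] for n in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Root path cost per bridge: shortest sum of link costs to the root (Dijkstra).
    path_cost = {root: 0}
    heap = [(0, root)]
    while heap:
        dist, node = heapq.heappop(heap)
        if dist > path_cost[node]:
            continue
        for peer, cost in adj[node]:
            if dist + cost < path_cost.get(peer, float("inf")):
                path_cost[peer] = dist + cost
                heapq.heappush(heap, (dist + cost, peer))

    # Root port: lowest cost to root, ties broken by the neighbor's bridge ID.
    root_port = {}
    for n in bridges:
        if n != root:
            peer, _ = min(adj[n], key=lambda pc: (path_cost[pc[0]] + pc[1],
                                                  bridge_id(bridges[pc[0]])))
            root_port[n] = peer

    # Per link: the end closer to the root (then lower bridge ID) is designated;
    # the other end is either that switch's root port or a blocked alternate port.
    roles = {}
    for a, b, _ in links:
        des = min((a, b), key=lambda n: (path_cost[n], bridge_id(bridges[n])))
        other = b if des == a else a
        roles[(des, other)] = "designated"
        roles[(other, des)] = "root" if root_port.get(other) == des else "alternate"
    return root, roles


# Constructed topology: two core switches and one access switch in a triangle.
LINKS = [("core1", "core2", LINK_COST), ("core1", "access1", LINK_COST),
         ("core2", "access1", LINK_COST)]
DEFAULTS = {
    "core1": {"priority": 32768, "mac": "00:00:5e:00:53:30"},
    "core2": {"priority": 32768, "mac": "00:00:5e:00:53:20"},
    "access1": {"priority": 32768, "mac": "00:00:5e:00:53:10"},
}
# Same switches with a deliberate primary and secondary root.
TUNED = {name: dict(b) for name, b in DEFAULTS.items()}
TUNED["core1"]["priority"] = 4096
TUNED["core2"]["priority"] = 8192

if __name__ == "__main__":
    for label, bridges in (("default priorities", DEFAULTS), ("tuned priorities", TUNED)):
        root, roles = spanning_tree(bridges, LINKS)
        print(label, "-> root:", root)
        for port, role in sorted(roles.items()):
            print("   ", port, role)
```

With every switch left at the same priority, the access switch wins the election only because its MAC address happens to be lowest, which is the outcome the best-practice advice above is meant to prevent.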
Question 195:
A network engineer needs to configure port security on a Juniper switch to limit MAC addresses per port. What feature should be used?
A) MAC limiting and persistent MAC learning
B) OSPF authentication
C) BGP route filtering
D) VLAN pruning
Answer: A
Explanation:
Juniper switches implement port security through MAC limiting and persistent MAC learning features, controlling how many MAC addresses can be learned on interfaces and optionally specifying which specific MAC addresses are allowed, preventing unauthorized devices from connecting to the network. MAC limiting restricts the number of MAC addresses learned per interface or VLAN, protecting against MAC address table overflow attacks where attackers flood switches with frames containing random source MAC addresses attempting to exhaust CAM table resources causing switch degradation to hub-like behavior. Persistent MAC learning (also called MAC locking or secure MAC) allows administrators to specify exact MAC addresses permitted on ports, automatically blocking any other MAC addresses from transmitting, useful for securing dedicated device ports like printers, servers, or IP phones.
MAC limiting configuration uses set protocols l2-learning global-mac-limit <number> for switch-wide limits, set protocols l2-learning interface <interface> mac-limit <number> for per-interface limits, and set protocols l2-learning interface <interface> mac-limit <number> packet-action drop to specify the action when limits are exceeded (drop frames from excess MACs versus default log-only). The set ethernet-switching-options secure-access-port interface <interface> mac-limit <number> action shutdown variation combines limiting with a port shutdown response to violations, disabling interfaces when unauthorized devices attempt connection. Persistent MAC learning is configured using set ethernet-switching-options secure-access-port interface <interface> allowed-mac <mac-address> to specify permitted MACs, often combined with set ethernet-switching-options secure-access-port interface <interface> no-dhcp-snooping and other security features. Violation responses include drop (silently discard frames), log (generate system log messages), shutdown (disable interface requiring manual re-enabling), and combinations thereof. Configuration example: set protocols l2-learning interface ge-0/0/10 mac-limit 2 packet-action drop, which limits the interface to 2 MAC addresses and drops frames from any additional MACs.
Verification commands include show ethernet-switching table, which displays learned MAC addresses per interface and VLAN; show l2-learning mac-limit, which shows configured limits and current MAC counts; and show log messages | match "MAC limit", which filters logs for limit violations. Common use cases include access edge ports where one or two devices (computer and IP phone) should connect, server ports preventing VM sprawl or unauthorized virtualization, and guest network ports limiting rogue DHCP servers or other malicious devices. Best practices include setting appropriate limits based on expected device counts, implementing logging for visibility into violations, using persistent MAC learning for critical infrastructure, combining with DHCP snooping and dynamic ARP inspection for comprehensive Layer 2 security, and maintaining documentation of secure ports and authorized MAC addresses.
Option B is incorrect because OSPF authentication secures routing protocol, not port-level access control. Option C is incorrect because BGP filtering controls routing advertisements, not Layer 2 port security. Option D is incorrect because VLAN pruning removes unused VLANs from trunks for efficiency, not security limiting.
Question 196:
What is the purpose of IGMP snooping on Juniper switches?
A) Efficiently forward multicast traffic only to interested receivers
B) Encrypt unicast traffic
C) Load balance spanning tree instances
D) Configure static routes
Answer: A
Explanation:
IGMP snooping on Juniper switches enables intelligent multicast traffic forwarding by monitoring IGMP (Internet Group Management Protocol) messages between hosts and routers, learning which ports have interested multicast receivers, and forwarding multicast streams only to those ports rather than flooding to all ports. Without IGMP snooping, switches treat multicast traffic like broadcasts, flooding to all ports in the VLAN wasting bandwidth on segments without interested receivers and potentially overwhelming hosts with unwanted traffic. IGMP snooping inspects IGMP Join messages (indicating hosts want to receive specific multicast groups), IGMP Leave messages (indicating hosts no longer want traffic), and IGMP Query messages (from routers checking for active receivers), building a multicast forwarding table mapping multicast group addresses to interface lists.
The snooping process involves intercepting IGMP messages at Layer 2, parsing group addresses and membership information, updating forwarding tables associating multicast MAC addresses (derived from IP multicast addresses) with interested ports, forwarding multicast data frames only to ports with active receivers plus router ports (multicast router ports or mrouter ports), and periodically aging out entries when hosts leave or don’t respond to queries. IGMP versions include IGMPv1 (basic join/leave), IGMPv2 (adding leave messages for faster convergence), and IGMPv3 (source-specific multicast supporting “include” and “exclude” source lists), with snooping supporting all versions. Configuration uses set protocols igmp-snooping vlan <vlan-name> enabling snooping per-VLAN, set protocols igmp-snooping vlan <vlan-name> interface <interface> configuring specific interfaces, and set protocols igmp-snooping vlan <vlan-name> immediate-leave enabling fast leave processing for VLANs with single hosts per port, skipping query-response waiting and immediately stopping forwarding when leave received.
Additional features include proxy reporting where switches send aggregate IGMP reports upstream representing multiple downstream hosts, reducing IGMP traffic to routers; static multicast group configuration for applications not using IGMP properly; IGMP querier functionality where switches generate query messages when no multicast router exists; and multicast VLAN registration (MVR) enabling multicast delivery across VLANs without Layer 3 routing. Verification commands include show igmp snooping membership displaying learned multicast groups and member ports, show igmp snooping statistics showing IGMP message counts, and show multicast snooping database revealing forwarding table entries. Common applications include IP television (IPTV) delivering video streams efficiently, video conferencing reducing bandwidth consumption, financial market data feeds targeting specific trading desks, and any application using multicast for one-to-many communication. Best practices include enabling snooping on VLANs carrying multicast traffic, configuring immediate-leave on ports with single hosts like access ports, using querier on VLANs without multicast routers, monitoring for IGMP version compatibility, and understanding interaction with spanning tree where blocked ports shouldn’t receive multicast even with active receivers.
Option B is incorrect because IGMP snooping manages multicast forwarding, not unicast encryption. Option C is incorrect because spanning tree load balancing uses MSTP or VLAN-based instances, unrelated to IGMP. Option D is incorrect because static routes are Layer 3 routing configuration, while IGMP snooping operates at Layer 2.
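The snooping process described above, as an added example that is not part of the original material and is a simplified model rather than Junos's implementation: it derives the multicast MAC from the group address, builds the forwarding table from join, leave and query messages, and shows the effect of immediate-leave and of entry aging. The class and function names, the timer values and the event list are assumptions chosen for the illustration.

```python
import ipaddress


def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC (01:00:5e + low 23 bits)."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = 0x01005E000000 | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


class SnoopingVlan:
    """Per-VLAN snooping state, keyed by multicast MAC (hypothetical model)."""

    def __init__(self, immediate_leave=False, membership_timeout=260, last_member_wait=2):
        self.immediate_leave = immediate_leave
        self.membership_timeout = membership_timeout  # seconds until a silent member ages out (assumed)
        self.last_member_wait = last_member_wait      # seconds to wait for a report after a leave (assumed)
        self.members = {}          # multicast MAC -> {port: expiry time}
        self.router_ports = set()  # ports on which queries were seen

    def handle(self, now, port, msg, group=None):
        if msg == "query":
            self.router_ports.add(port)
            return
        ports = self.members.setdefault(multicast_mac(group), {})
        if msg == "join":
            ports[port] = now + self.membership_timeout
        elif msg == "leave":
            if port not in ports:
                return
            if self.immediate_leave:
                del ports[port]  # stop forwarding at once
            else:
                # Keep forwarding briefly in case another host on the port still wants the group.
                ports[port] = min(ports[port], now + self.last_member_wait)
        else:
            raise ValueError(f"unknown IGMP message type: {msg}")

    def egress_ports(self, now, group, ingress=None):
        """Ports a data frame for this group is sent to: live members plus router ports."""
        ports = self.members.get(multicast_mac(group), {})
        live = {p for p, expiry in ports.items() if expiry > now}
        return sorted((live | self.router_ports) - {ingress})


# Constructed event stream: (time in seconds, port, message, group).
EVENTS = [
    (0, "ge-0/0/0", "query", None),
    (1, "ge-0/0/5", "join", "239.1.1.1"),
    (2, "ge-0/0/6", "join", "239.1.1.1"),
    (10, "ge-0/0/6", "leave", "239.1.1.1"),
]


def replay(events, **options):
    vlan = SnoopingVlan(**options)
    for now, port, msg, group in events:
        vlan.handle(now, port, msg, group)
    return vlan


if __name__ == "__main__":
    normal, fast = replay(EVENTS), replay(EVENTS, immediate_leave=True)
    print("MAC for 239.1.1.1:", multicast_mac("239.1.1.1"))
    print("t=11 normal leave   :", normal.egress_ports(11, "239.1.1.1"))
    print("t=11 immediate-leave:", fast.egress_ports(11, "239.1.1.1"))
    print("t=11 unjoined group :", normal.egress_ports(11, "239.9.9.9"))
```

Because only the low 23 bits of the group address reach the MAC, 32 group addresses share each MAC; in this model a port joined to 239.1.1.1 also receives frames for 238.1.1.1.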
Question 197:
A network administrator needs to monitor traffic on a switch port for troubleshooting. What Juniper feature allows copying traffic to an analysis port?
A) Port mirroring or analyzer
B) Port shutdown
C) Port security
D) Port aggregation
Answer: A
Explanation:
Port mirroring (also called port analyzer, SPAN – Switched Port Analyzer, or monitoring) on Juniper switches copies traffic from monitored ports or VLANs to an analyzer port where monitoring tools like Wireshark, network analyzers, or IDS/IPS systems connect for packet inspection and troubleshooting. Port mirroring is essential for network troubleshooting because it gives visibility into traffic flows without interrupting production traffic; it also supports investigating security incidents by capturing suspicious traffic, performance analysis to identify bottlenecks or errors, application troubleshooting by examining protocol interactions, and compliance monitoring to ensure policy adherence. Juniper supports local mirroring, where monitor and analyzer ports exist on the same switch, and remote mirroring (RSPAN), where captured traffic is sent across the network to analyzers on different switches.
Configuration involves defining analyzer instances under the [edit forwarding-options analyzer] hierarchy, using set forwarding-options analyzer <analyzer-name> input ingress interface <interface> to specify the ports to monitor, set forwarding-options analyzer <analyzer-name> output interface <interface> to designate where to send copied traffic, and options like input egress interface for egress traffic, input vlan <vlan-name> for VLAN-based mirroring, and ratio <value> to sample every Nth packet when full mirroring would overwhelm analyzer capacity. Example configuration: set forwarding-options analyzer capture-traffic input ingress interface ge-0/0/5.0 together with set forwarding-options analyzer capture-traffic output interface ge-0/0/20.0 copies all traffic entering ge-0/0/5 to ge-0/0/20, where the monitoring tool connects. Multiple source interfaces can feed a single analyzer port, though high aggregate traffic rates may exceed analyzer port bandwidth, requiring sampling or selective mirroring.
RSPAN extends mirroring across switches by encapsulating mirrored traffic in VLAN tags and transporting it across trunk links to remote analyzer locations; it is configured through RSPAN VLANs and analyzer configurations specifying remote output. Important considerations include the following: analyzer port bandwidth must accommodate the mirrored traffic volume or packet loss occurs; mirrored ports should not participate in spanning tree or other protocols that cause configuration interference; analyzer ports gain access to potentially sensitive traffic, which requires physical and logical access controls; and excessive mirroring can strain switch resources. Verification uses show forwarding-options analyzer, which displays configured analyzers and statistics. Use cases include troubleshooting connectivity issues by capturing DHCP, ARP, or routing protocol exchanges; security investigations capturing attack traffic for forensics; VoIP quality analysis examining RTP streams and SIP signaling; and application performance monitoring timing database queries or API calls. Best practices include mirroring selectively to minimize performance impact, using filters to capture only relevant traffic, securing analyzer ports from unauthorized access, enabling mirroring temporarily during troubleshooting rather than monitoring continuously, and considering network TAPs for permanent monitoring solutions that avoid switch load.
Option B is incorrect because port shutdown disables interfaces completely, preventing traffic flow rather than monitoring it. Option C is incorrect because port security limits MAC addresses for access control, not traffic monitoring. Option D is incorrect because port aggregation combines interfaces for bandwidth and redundancy, unrelated to traffic copying for analysis.
Question 198:
What command displays the MAC address table on a Juniper switch?
A) show ethernet-switching table
B) display mac-address-table
C) get mac table
D) list ethernet-switching
Answer: A
Explanation:
The show ethernet-switching table command displays the MAC address forwarding table on Juniper EX-series switches, showing learned MAC addresses, associated VLANs, interfaces where MACs were learned, and entry types (static, dynamic, or persistent). The MAC address table is fundamental to switch operation, enabling frame forwarding decisions where switches examine destination MAC addresses in incoming frames and forward out specific interfaces reaching those MACs rather than flooding to all ports. This table populates through learning where switches observe source MAC addresses in received frames and record which interface the frame arrived on, associating that MAC with that interface and VLAN. The command output includes MAC address in hexadecimal format, VLAN ID or name, interface name or trunk designation, and age showing time since last frame received from that MAC.
Output filtering and detailed information uses show ethernet-switching table brief for condensed view, show ethernet-switching table extensive for additional details including hardware indices and timeout values, show ethernet-switching table vlan <vlan-name> showing MACs in specific VLAN, show ethernet-switching table interface <interface> displaying MACs learned on particular interface, and show ethernet-switching table mac-address <mac> finding specific MAC location. The show ethernet-switching table statistics reveals table utilization, entry counts by type, and aging parameters. Dynamic entries age out after inactivity periods (default 300 seconds) and are automatically removed when unused, while static entries configured manually remain until explicitly deleted, and persistent entries created by secure port features don’t age. Understanding table operation aids troubleshooting including verifying expected MACs appear on correct ports indicating proper connectivity, investigating MAC flapping where same MAC appears on multiple ports suggesting loops or cabling errors, identifying unauthorized devices through unexpected MAC addresses, and diagnosing connectivity issues where absent MACs indicate non-communicating devices or incorrect VLAN assignment.
Table management includes clearing entries manually using clear ethernet-switching table for all entries or with filters for specific VLANs, interfaces, or addresses useful after network changes or troubleshooting; configuring aging timers with set protocols l2-learning global-mac-table-aging-time <seconds> adjusting how quickly inactive entries are removed; and setting table limits with MAC limiting features. Normal operation shows host MACs learned as dynamic entries on access ports, router/gateway MACs on uplink/trunk ports, and possibly static entries for critical infrastructure. Abnormalities include constant MAC table churn indicating network instability, same MAC on multiple interfaces suggesting misconfiguration or spanning tree issues, and empty table indicating learning problems or VLAN configuration errors. Best practices include regular table review during troubleshooting, understanding expected MAC patterns for the network, using filters to focus on relevant VLANs or interfaces, and correlating MAC table with ARP cache and neighbor tables for complete visibility into device connectivity.
Option B is incorrect because “display” is not Junos command syntax; Junos uses “show” for operational commands. Option C is incorrect because “get” is not standard Junos syntax for viewing switching tables. Option D is incorrect because “list” is a configuration mode command for displaying configuration, not operational forwarding table state.
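The troubleshooting uses described above (MAC flapping and unexpected MAC addresses) lend themselves to a scripted comparison of successive table snapshots. This is an added example, not part of the original material: the snapshot text uses a constructed, simplified four-column layout rather than verbatim show ethernet-switching table output, and the MAC addresses, interface names and authorized-MAC list are sample data.

```python
from collections import defaultdict

# Constructed snapshots: (seconds since start, simplified table text).
SNAPSHOTS = [
    (0, """VLAN MAC TYPE INTERFACE
users 00:00:5e:00:53:01 dynamic ge-0/0/1.0
users 00:00:5e:00:53:02 dynamic ge-0/0/2.0
users 00:00:5e:00:53:03 dynamic ge-0/0/3.0
servers 00:00:5e:00:53:aa static ge-0/0/20.0"""),
    (30, """VLAN MAC TYPE INTERFACE
users 00:00:5e:00:53:01 dynamic ge-0/0/7.0
users 00:00:5e:00:53:02 dynamic ae0.0
users 00:00:5e:00:53:03 dynamic ge-0/0/3.0
servers 00:00:5e:00:53:aa static ge-0/0/20.0"""),
    (60, """VLAN MAC TYPE INTERFACE
users 00:00:5e:00:53:01 dynamic ge-0/0/7.0
users 00:00:5e:00:53:02 dynamic ge-0/0/2.0
users 00:00:5e:00:53:03 dynamic ge-0/0/3.0
users 00:00:5e:00:53:99 dynamic ge-0/0/3.0
servers 00:00:5e:00:53:aa static ge-0/0/20.0"""),
    (90, """VLAN MAC TYPE INTERFACE
users 00:00:5e:00:53:01 dynamic ge-0/0/7.0
users 00:00:5e:00:53:02 dynamic ae0.0
users 00:00:5e:00:53:03 dynamic ge-0/0/3.0
users 00:00:5e:00:53:99 dynamic ge-0/0/3.0
servers 00:00:5e:00:53:aa static ge-0/0/20.0"""),
]

# Documented MACs per secured port (constructed); ports not listed are not checked.
AUTHORIZED = {"ge-0/0/3.0": {"00:00:5e:00:53:03"}}


def parse_snapshot(text):
    """Return {(vlan, mac): (entry_type, interface)} from the simplified table text."""
    entries = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "VLAN":  # skip header and malformed rows
            continue
        vlan, mac, kind, iface = fields
        entries[(vlan, mac.lower())] = (kind, iface)
    return entries


def find_flaps(snapshots, min_moves=2):
    """Report dynamic MACs that changed interface at least min_moves times.

    One move is normal (a host was re-cabled); repeated moves between ports
    point to a loop, a cabling error or a duplicated address.
    """
    last_seen = {}
    moves = defaultdict(list)
    for timestamp, text in snapshots:
        for key, (kind, iface) in parse_snapshot(text).items():
            if kind != "dynamic":
                continue
            if key in last_seen and last_seen[key] != iface:
                moves[key].append((timestamp, last_seen[key], iface))
            last_seen[key] = iface
    return {key: hops for key, hops in moves.items() if len(hops) >= min_moves}


def find_unexpected(snapshot_text, authorized):
    """Report MACs learned on a secured port that are not in its authorized set."""
    findings = []
    for (vlan, mac), (_, iface) in parse_snapshot(snapshot_text).items():
        if iface in authorized and mac not in authorized[iface]:
            findings.append((iface, vlan, mac))
    return sorted(findings)


if __name__ == "__main__":
    for (vlan, mac), hops in find_flaps(SNAPSHOTS).items():
        print(f"flapping: {mac} in {vlan}: {hops}")
    for finding in find_unexpected(SNAPSHOTS[-1][1], AUTHORIZED):
        print("unexpected MAC:", finding)
```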
Question 199:
A network engineer needs to configure link aggregation on Juniper switches. What protocol is used for dynamic aggregation?
A) LACP (Link Aggregation Control Protocol)
B) OSPF
C) BGP
D) STP
Answer: A
Explanation:
LACP (Link Aggregation Control Protocol), defined in IEEE 802.3ad and 802.1AX standards, provides dynamic link aggregation on Juniper switches by negotiating aggregated Ethernet (ae) interfaces between switches, automatically determining which links should bundle together, detecting failures, and distributing traffic across member links. Link aggregation, also called port-channel, EtherChannel (Cisco terminology), or LAG (Link Aggregation Group), combines multiple physical interfaces into a single logical interface increasing bandwidth, providing redundancy, and preventing spanning tree from blocking redundant connections. LACP advantages over static aggregation include automatic member link addition/removal, failure detection within seconds, and standardized multi-vendor interoperability ensuring Juniper switches aggregate with other vendors’ equipment.
LACP operates by exchanging LACP Data Units (LACPDUs) between potential aggregation partners, negotiating system priorities and port priorities to determine which links aggregate, using actor/partner information identifying each side’s configuration, and monitoring link status continuously to detect failures and remove failed links from aggregates. Switches must agree on aggregation parameters including system ID, link speeds, and duplex settings for links to bundle successfully. Configuration involves creating aggregated interfaces with set interfaces ae<number> aggregated-ether-options lacp active, which enables LACP in active mode where the switch initiates LACP negotiation, or lacp passive, where the switch waits for the partner to initiate (at least one side must be active). Member links are configured with set interfaces <interface> ether-options 802.3ad ae<number>, which assigns physical interfaces to the aggregated interface. Example: to create ae0 with two members, use set interfaces ae0 aggregated-ether-options lacp active, set interfaces ge-0/0/0 ether-options 802.3ad ae0, and set interfaces ge-0/0/1 ether-options 802.3ad ae0, then configure Layer 2 or Layer 3 settings on the ae0 interface.
Additional configuration includes minimum-links <number>, which requires a specific minimum number of active members before the aggregate interface becomes operational, protecting against scenarios where only one link remains active and redundancy is defeated; link-speed <speed>, which enforces uniform link speeds; and load-balancing algorithms using source/destination MAC, IP addresses, or transport ports for traffic distribution. LACP modes include active (initiates LACP), passive (responds to LACP), and static mode without LACP negotiation, which requires matching manual configuration on both sides. Verification commands include show interfaces <ae-interface>, which displays aggregate status and member links; show lacp interfaces <ae-interface>, which shows LACP negotiation state and partner information; and show lacp statistics <ae-interface>, which reveals LACP PDU counts and errors. Use cases include switch-to-switch uplinks aggregating multiple connections for higher bandwidth, server connectivity with NIC teaming providing redundancy and performance, and storage network connections supporting high-throughput demands. Best practices include using LACP active mode on both sides for faster detection, matching link speeds and duplex, configuring minimum-links appropriately for desired redundancy, documenting aggregate membership, and understanding load-balancing behavior for expected traffic patterns.
Option B is incorrect because OSPF is a routing protocol for Layer 3 path determination, not Layer 2 link aggregation. Option C is incorrect because BGP is an inter-domain routing protocol unrelated to combining physical links. Option D is incorrect because STP prevents loops in redundant topologies but doesn’t aggregate links; link aggregation and STP interact where aggregates appear as single logical links to spanning tree.
Question 200:
What is the default VLAN ID on Juniper switches?
A) VLAN 1 (default)
B) VLAN 0
C) VLAN 4095
D) VLAN 100
Answer: A
Explanation:
The default VLAN on Juniper EX-series switches is VLAN 1 (named “default”), consistent with IEEE 802.1Q standards and common switch implementations. VLAN 1 serves as the default VLAN for all switch ports unless explicitly configured otherwise, meaning ports configured as access ports without specific VLAN assignment automatically belong to VLAN 1, and management traffic often uses VLAN 1 by default. The IEEE 802.1Q standard defines VLAN ID range 1-4094 as usable VLANs, with VLAN 1 designated as the default VLAN and VLAN 4095 reserved, leaving 4093 usable VLAN IDs for network segmentation. Juniper switches ship with default configuration including the “default” VLAN with ID 1, and a management interface (vlan.0 or me0) often assigned to this VLAN for initial access.
VLAN 1 characteristics and considerations include special status where many protocols like VTP (VLAN Trunking Protocol on Cisco), CDP (Cisco Discovery Protocol), and various management protocols traditionally use VLAN 1, though Juniper is less reliant on VLAN 1 for these purposes; security implications where default VLAN usage is discouraged for production traffic due to widespread knowledge of its existence and potential attack vectors targeting commonly-used VLANs; spanning tree considerations where VLAN 1 participates in spanning tree by default requiring careful root bridge planning; and best practice recommendation to create separate VLANs for different traffic types and user communities rather than using default VLAN for actual production networks. VLAN configuration uses set vlans <vlan-name> vlan-id <id> creating named VLANs with specific IDs like set vlans engineering vlan-id 10, and assigning interfaces with set interfaces <interface> unit 0 family ethernet-switching interface-mode access vlan members <vlan-name> for access ports or interface-mode trunk vlan members [list] for trunks.
Security hardening typically involves disabling or isolating VLAN 1 by creating separate management VLANs (like VLAN 99 or 999), moving all production traffic to non-default VLANs, potentially disabling VLAN 1 on trunk ports if not needed, and restricting VLAN 1 usage to isolated administrative purposes. The show vlans command displays all configured VLANs, including the default VLAN, with member interfaces, and show ethernet-switching table vlan default shows MAC addresses learned in VLAN 1. VLAN design best practices include planning VLAN numbering schemes that align with organizational structure or geographical locations, creating separate VLANs for different security zones like users, servers, guests, and management, implementing VLAN access control through router ACLs or firewall rules between VLANs, documenting VLAN purposes and IP address assignments, and avoiding VLAN 1 for sensitive production networks in favor of explicitly defined VLANs with clear purposes. Troubleshooting VLAN connectivity involves verifying that the VLAN exists on all switches in the path, confirming that trunk ports carry the required VLANs, checking that access port VLAN assignments match expectations, validating inter-VLAN routing configuration if communication is needed between VLANs, and using show vlans extensive for detailed VLAN statistics and member information.
Option B is incorrect because VLAN 0 is invalid; 802.1Q defines usable VLAN range starting at 1. VLAN 0 has special meaning in priority tagging but isn’t a usable VLAN ID. Option C is incorrect because VLAN 4095 is reserved and not usable for network configuration. Option D is incorrect because VLAN 100 has no special default status; it’s just a standard usable VLAN ID that administrators might choose but isn’t the system default.