Juniper JN0-351 Enterprise Routing and Switching, Specialist (JNCIS-ENT) Exam Dumps and Practice Test Questions Set 7 Q 121-140


Question 121

A network engineer is configuring OSPF on a Juniper router. The engineer needs to ensure that the router becomes the designated router (DR) on a broadcast segment. Which configuration parameter should be modified to influence DR election?

A) Decrease the OSPF hello interval to 5 seconds

B) Increase the OSPF interface priority to a higher value than other routers

C) Configure the router-id to a lower IP address

D) Increase the OSPF dead interval to 60 seconds

Answer: B

Explanation:

The correct answer is B) Increase the OSPF interface priority to a higher value than other routers. In OSPF, the Designated Router (DR) election on broadcast and non-broadcast multi-access (NBMA) networks is determined primarily by interface priority. The router with the highest priority becomes the DR, and the router with the second-highest priority becomes the Backup Designated Router (BDR). If priorities are equal, the router with the highest router-id wins the election. By default, Junos sets the OSPF interface priority to 128. Increasing this value above other routers on the segment ensures DR election victory.

The configuration command to modify priority is under the interface configuration within the OSPF protocol hierarchy. For example, setting priority to 200 would be configured as: set protocols ospf area 0 interface ge-0/0/0 priority 200. Setting priority to 0 prevents a router from participating in DR/BDR election entirely, which is useful for routers that shouldn’t become DR due to resource constraints.

Option A) is incorrect because hello interval affects neighbor relationship timing but doesn’t influence DR election. Option C) is incorrect because higher router-id (not lower) serves as tiebreaker when priorities are equal. Option D) is incorrect because dead interval affects neighbor timeout detection, not DR election.
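An added model of the election rules this explanation describes (not code from the original page; router names, router-ids and the segment are constructed). It shows priority deciding first, router-id breaking ties, priority 0 excluding a router, and the caveat that the election is non-preemptive per RFC 2328 section 9.4: raising priority on a router after a DR already exists does not displace that DR until it leaves the segment.

```python
"""Model of OSPF DR/BDR election on a multi-access segment (RFC 2328, 9.4).

Added example, not from the original page. Router names and ids are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str
    priority: int = 128  # Junos default OSPF interface priority


def _rank(r: Router):
    # Highest priority wins; the numerically highest router-id breaks ties.
    return (r.priority, int(IPv4Address(r.router_id)))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr_name, bdr_name) for the segment.

    Routers with priority 0 never become DR or BDR. If a current DR/BDR is
    still present and eligible it is retained: the election is not
    preemptive, so a newly configured higher priority only takes effect
    once the existing DR/BDR leaves the segment.
    """
    eligible = [r for r in routers if r.priority > 0]
    by_name = {r.name: r for r in eligible}

    # Step 1: choose the BDR among routers not already acting as DR.
    if current_bdr in by_name:
        bdr = current_bdr
    else:
        cands = [r for r in eligible if r.name != current_dr]
        bdr = max(cands, key=_rank).name if cands else None

    # Step 2: keep the existing DR if still eligible; otherwise promote the
    # BDR to DR and re-run the BDR choice among the remaining routers.
    if current_dr in by_name:
        dr = current_dr
    else:
        dr = bdr
        cands = [r for r in eligible if r.name != dr]
        bdr = max(cands, key=_rank).name if cands else None
    return dr, bdr


if __name__ == "__main__":
    segment = [
        Router("R1", "10.0.0.1"),            # default priority 128
        Router("R2", "10.0.0.2"),            # default priority 128
        Router("R3", "10.0.0.3", priority=0),  # never DR/BDR
        Router("R4", "10.0.0.4", priority=200),
    ]
    print("fresh election:", elect(segment))  # R4 is DR, R2 wins BDR on router-id
    # R4 joins later with priority 200 while R2/R1 are already DR/BDR: no change.
    print("R4 joins existing segment:", elect(segment, current_dr="R2", current_bdr="R1"))
```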

Question 122

A network administrator is troubleshooting a spanning tree issue on a Juniper EX switch. The administrator notices that a port is in the blocking state when it should be forwarding. Which command displays the current spanning tree port states and role assignments?

A) show spanning-tree interface

B) show vlans extensive

C) show ethernet-switching table

D) show route forwarding-table

Answer: A

Explanation:

The correct answer is A) show spanning-tree interface. This command displays comprehensive spanning tree information for all interfaces including port state (forwarding, blocking, learning, listening, disabled), port role (root, designated, alternate, backup), port priority, path cost, and edge port status. This information is essential for troubleshooting spanning tree topology issues and understanding why specific ports are in particular states.

The output includes critical information such as the port’s role in the spanning tree topology, whether it’s configured as an edge port, the designated bridge ID, and cost calculations. For detailed information about a specific interface, administrators can specify the interface name: show spanning-tree interface ge-0/0/1. The command also shows whether features like BPDU guard or root protection are enabled on interfaces.

Option B) is incorrect because show vlans extensive displays VLAN membership and statistics, not spanning tree port states. Option C) is incorrect because show ethernet-switching table displays MAC address table entries, not spanning tree information. Option D) is incorrect because show route forwarding-table displays Layer 3 routing information, not Layer 2 spanning tree states.

Question 123

An engineer is implementing BGP on a Juniper router and needs to configure an external BGP (eBGP) peering session with a directly connected neighbor. The local AS is 65001 and the neighbor AS is 65002. Which configuration correctly establishes this eBGP session?

A) set protocols bgp group external type external peer-as 65001 neighbor 10.1.1.2

B) set protocols bgp group external type internal peer-as 65002 neighbor 10.1.1.2

C) set protocols bgp group external type external peer-as 65002 neighbor 10.1.1.2

D) set protocols bgp group external peer-as 65002 neighbor 10.1.1.2 multihop

Answer: C

Explanation:

The correct answer is C) set protocols bgp group external type external peer-as 65002 neighbor 10.1.1.2. For eBGP peering, the group type must be configured as “external” and the peer-as must specify the remote neighbor’s autonomous system number, which is 65002 in this scenario. The local AS number (65001) is configured separately under routing-options autonomous-system, not within the BGP neighbor configuration.

The complete configuration requires setting the local AS number first: set routing-options autonomous-system 65001. Then the BGP group configuration specifies the external peer relationship. Junos requires explicit declaration of group type for BGP sessions. For directly connected eBGP peers, the default TTL of 1 is sufficient, so multihop configuration is unnecessary.

Option A) is incorrect because peer-as should specify the remote AS (65002), not the local AS (65001). Option B) is incorrect because type should be “external” for eBGP sessions, not “internal” which is used for iBGP. Option D) is incorrect because while peer-as is correct, multihop is unnecessary for directly connected neighbors and the type declaration is missing.

Question 124

A network engineer needs to configure a static route on a Juniper router with a floating static route as backup. The primary path should use next-hop 10.1.1.1 and the backup should use 10.2.2.2 only when the primary fails. How should this be configured?

A) Configure both routes with the same preference value

B) Configure the backup route with a higher preference value than the primary route

C) Configure the backup route with a lower preference value than the primary route

D) Configure both routes with qualified-next-hop and equal metrics

Answer: B

Explanation:

The correct answer is B) Configure the backup route with a higher preference value than the primary route. In Junos, route preference (also called administrative distance) determines which route is installed in the forwarding table when multiple routes to the same destination exist. Lower preference values are preferred, so the primary route should have the default static route preference of 5, while the backup floating static route should have a higher preference value (such as 10 or 200).

The configuration would be: set routing-options static route 192.168.0.0/24 next-hop 10.1.1.1 for the primary route, and set routing-options static route 192.168.0.0/24 next-hop 10.2.2.2 preference 200 for the backup route. When the primary next-hop becomes unreachable (detected through interface state or BFD), the higher preference backup route becomes active. This floating static route pattern provides simple redundancy without dynamic routing protocols.

Option A) is incorrect because equal preference would cause load balancing or unpredictable route selection, not failover behavior. Option C) is incorrect because lower preference would make the backup route preferred over the primary. Option D) is incorrect because qualified-next-hop is used for different purposes and equal metrics don’t provide failover capability.

Question 125

A network administrator is configuring VRRP on two Juniper EX switches for gateway redundancy. The administrator wants Switch-A to be the master router under normal conditions. Which parameter should be configured higher on Switch-A compared to Switch-B?

A) VRRP authentication key length

B) VRRP priority value

C) VRRP advertisement interval

D) VRRP preempt delay timer

Answer: B

Explanation:

The correct answer is B) VRRP priority value. Virtual Router Redundancy Protocol (VRRP) uses priority values ranging from 1 to 255 to determine which router becomes the master for a virtual router group. The router with the highest priority becomes the master and responds to ARP requests for the virtual IP address. The default priority is 100, so configuring Switch-A with priority 200 and leaving Switch-B at default ensures Switch-A becomes master.

The configuration on Switch-A would include: set interfaces vlan unit 100 family inet address 10.1.1.2/24 vrrp-group 1 virtual-address 10.1.1.1 priority 200. Priority 255 is reserved for the router that owns the virtual IP address (when the virtual IP matches a real interface IP). When preempt is enabled (default behavior), if Switch-A recovers from failure, it will reclaim master status from Switch-B due to higher priority.

Option A) is incorrect because authentication key length doesn’t affect master election. Option C) is incorrect because advertisement interval should be consistent between VRRP peers and doesn’t determine master election. Option D) is incorrect because preempt delay affects timing of master transitions but doesn’t determine which router becomes master.

Question 126

An engineer is troubleshooting an OSPF adjacency issue between two Juniper routers. The routers are connected via an Ethernet link but remain stuck in the ExStart state. Which configuration mismatch is most likely causing this issue?

A) Mismatched hello intervals

B) Mismatched MTU values on the connecting interfaces

C) Mismatched area types

D) Mismatched router-id values

Answer: B

Explanation:

The correct answer is B) Mismatched MTU values on the connecting interfaces. When OSPF neighbors are stuck in the ExStart or Exchange state, MTU mismatch is the most common cause. During database description (DBD) packet exchange, OSPF includes the interface MTU in packets. If routers have different MTU values configured on their connecting interfaces, they cannot agree on DBD parameters and the adjacency fails to progress beyond ExStart state.

To resolve this issue, verify MTU configuration on both interfaces using show interfaces ge-0/0/0 and ensure they match. Alternatively, if MTU cannot be changed, configure OSPF to ignore MTU during adjacency formation: set protocols ospf area 0 interface ge-0/0/0 mtu-ignore. However, this workaround can cause problems with large LSA flooding if actual MTU differs, so matching MTU values is preferred.

Option A) is incorrect because mismatched hello intervals prevent neighbors from forming any adjacency—they would remain in Down state, not ExStart. Option C) is incorrect because mismatched area types would cause adjacency failures during the Init or 2-Way states when options fields are compared. Option D) is incorrect because different router-ids are required (not mismatched)—duplicate router-ids cause problems, but different values are expected.

Question 127

A network engineer is configuring port security on a Juniper EX switch to limit the number of MAC addresses learned on an access port. Which feature should be configured to achieve this requirement?

A) Storm control

B) MAC limiting

C) DHCP snooping

D) Dynamic ARP inspection

Answer: B

Explanation:

The correct answer is B) MAC limiting. MAC limiting is a port security feature on Juniper EX switches that restricts the number of MAC addresses that can be learned on an interface. When the configured limit is reached, the switch can take various actions including dropping packets from new MAC addresses, logging violations, or shutting down the port. This feature prevents MAC flooding attacks and controls the number of devices connected through a port.

The configuration uses ethernet-switching-options with the mac-table-size or allowed-mac parameters. For example: set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 5 action drop. This limits the port to learning five MAC addresses, dropping traffic from additional MACs. Actions include drop, log, shutdown, or drop-and-log.

Option A) is incorrect because storm control limits broadcast, multicast, or unknown unicast traffic rates, not the number of MAC addresses. Option C) is incorrect because DHCP snooping validates DHCP messages and builds a binding table but doesn’t limit MAC address learning. Option D) is incorrect because Dynamic ARP inspection validates ARP packets against DHCP snooping bindings but doesn’t control MAC address limits.

Question 128

A network administrator needs to redistribute static routes into OSPF on a Juniper router. The administrator wants to assign a specific metric to the redistributed routes. Which policy action accomplishes this?

A) set protocols ospf export static-to-ospf with metric defined in policy

B) set protocols ospf import static-to-ospf

C) set routing-options static defaults metric 100

D) set protocols ospf reference-bandwidth 1000

Answer: A

Explanation:

The correct answer is A) set protocols ospf export static-to-ospf with metric defined in policy. In Junos, route redistribution is accomplished through routing policies applied as export policies under the routing protocol. To redistribute static routes into OSPF with a specific metric, create a policy that matches static routes and sets the desired OSPF metric, then apply the policy as an export policy under the OSPF configuration.

The complete configuration requires creating a policy:

set policy-options policy-statement static-to-ospf term 1 from protocol static
set policy-options policy-statement static-to-ospf term 1 then metric 100
set policy-options policy-statement static-to-ospf term 1 then accept

Then apply it to OSPF: set protocols ospf export static-to-ospf

This redistributes all static routes into OSPF as external routes with metric 100.

Option B) is incorrect because import policies filter routes received from OSPF, not routes being advertised into OSPF. Option C) is incorrect because this sets static route preference, not OSPF redistribution metric. Option D) is incorrect because reference-bandwidth affects internal OSPF cost calculations, not redistributed route metrics.

Question 129

An engineer is configuring a trunk port on a Juniper EX switch to carry multiple VLANs to another switch. The trunk should carry VLANs 10, 20, and 30 while tagging all traffic. Which interface mode and VLAN membership configuration is correct?

A) interface-mode access with vlan members all

B) interface-mode trunk with vlan members [vlan10 vlan20 vlan30]

C) interface-mode hybrid with native-vlan 10

D) interface-mode trunk with vlan members default

Answer: B

Explanation:

The correct answer is B) interface-mode trunk with vlan members [vlan10 vlan20 vlan30]. Trunk ports in Junos carry multiple VLANs with 802.1Q tagging. The interface-mode trunk configuration enables VLAN tagging on the port, and vlan members specifies which VLANs are allowed on the trunk. This configuration ensures that only traffic for VLANs 10, 20, and 30 traverses the trunk link.

The complete configuration would be:

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan20
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan30

Or using the list format: vlan members [vlan10 vlan20 vlan30]. This explicitly defines permitted VLANs rather than allowing all VLANs, which is a security best practice.

Option A) is incorrect because access mode is for single VLAN membership without tagging. Option C) is incorrect because hybrid mode, while supporting tagged and untagged traffic, is not the standard trunk configuration for carrying multiple tagged VLANs. Option D) is incorrect because vlan members default only includes the default VLAN, not the specific VLANs required.

Question 130

A network engineer is implementing IS-IS on Juniper routers in a multi-area network. The engineer needs to configure a router to participate in both Level 1 and Level 2 routing. Which IS-IS router type should be configured?

A) Level 1 only router

B) Level 2 only router

C) Level 1-2 router

D) Level 0 backbone router

Answer: C

Explanation:

The correct answer is C) Level 1-2 router. IS-IS uses a two-level hierarchy for routing domains. Level 1 (L1) routing operates within an area, while Level 2 (L2) routing connects areas forming the backbone. Level 1-2 (L1/L2) routers participate in both levels, maintaining separate link-state databases for each level. These routers serve as area border routers, connecting intra-area routing with the inter-area backbone.

By default, Junos configures IS-IS interfaces as Level 1-2, but this can be explicitly set: set protocols isis interface ge-0/0/0 level 1 enable and set protocols isis interface ge-0/0/0 level 2 enable. L1/L2 routers advertise a default route (ATT bit) to Level 1 routers within their area, directing inter-area traffic toward the Level 2 backbone. The router maintains separate SPF calculations for each level.

Option A) is incorrect because Level 1 only routers participate only in intra-area routing and cannot route between areas. Option B) is incorrect because Level 2 only routers participate only in backbone routing without intra-area connectivity. Option D) is incorrect because Level 0 doesn’t exist in IS-IS; the hierarchy uses only Level 1 and Level 2.

Question 131

A network administrator is configuring link aggregation (LAG) between two Juniper EX switches using LACP. The administrator wants LACP to actively negotiate the aggregation. Which LACP mode should be configured?

A) LACP mode passive on both switches

B) LACP mode active on at least one switch

C) LACP mode on without negotiation

D) LACP mode disabled with static aggregation

Answer: B

Explanation:

The correct answer is B) LACP mode active on at least one switch. Link Aggregation Control Protocol (LACP) requires at least one side of the aggregation to be in active mode to initiate negotiation. Active mode sends LACP PDUs (Protocol Data Units) to negotiate aggregation parameters with the peer. The other side can be either active or passive—passive mode responds to LACP PDUs but doesn’t initiate them. Both sides in passive mode will never form aggregation because neither initiates negotiation.

The configuration for active LACP is: set interfaces ae0 aggregated-ether-options lacp active. Member interfaces are assigned: set interfaces ge-0/0/0 ether-options 802.3ad ae0. LACP provides benefits over static aggregation including automatic detection of misconfigured or failed links, ensuring only properly connected links participate in the bundle.

Option A) is incorrect because two passive LACP endpoints will never negotiate—neither sends initial LACP PDUs. Option C) is incorrect because LACP requires explicit mode configuration; there’s no “on” mode without negotiation type. Option D) is incorrect because disabling LACP removes the dynamic negotiation benefits that ensure proper aggregation formation.

Question 132

An engineer is troubleshooting BGP route advertisement issues. A prefix is present in the local routing table but not being advertised to BGP peers. Which BGP requirement is most likely not met?

A) The prefix is not in the inet.0 routing table

B) The prefix lacks an export policy permitting advertisement

C) The BGP session is using MD5 authentication

D) The prefix has a preference value that is too low

Answer: B

Explanation:

The correct answer is B) The prefix lacks an export policy permitting advertisement. Unlike some other routing platforms, Junos BGP does not advertise any routes by default. Routes must be explicitly permitted through an export policy applied to the BGP group or neighbor. Without an export policy, BGP will not advertise locally originated routes, redistributed routes, or even routes learned from other BGP peers to its neighbors.

To advertise routes, create and apply an export policy:

set policy-options policy-statement advertise-routes term 1 from protocol direct
set policy-options policy-statement advertise-routes term 1 then accept
set protocols bgp group external export advertise-routes

This policy matches directly connected routes and permits their advertisement. For advertising specific prefixes, use route-filter or prefix-list matches within the policy.

Option A) is incorrect because routes in inet.0 can be advertised; the issue is policy, not routing table presence. Option C) is incorrect because MD5 authentication affects session establishment, not route advertisement within established sessions. Option D) is incorrect because preference value affects route selection, not advertisement capability.

Question 133

A network administrator needs to configure a Juniper router to perform NAT for internal hosts accessing the internet. The internal network is 192.168.1.0/24 and should be translated to the router’s external interface address. Which NAT type should be configured?

A) Static NAT

B) Destination NAT

C) Source NAT with interface translation

D) Twice NAT

Answer: C

Explanation:

The correct answer is C) Source NAT with interface translation. Source NAT (SNAT) modifies the source IP address of outbound packets, which is exactly what’s needed for internal hosts accessing external networks. Interface-based translation (also called PAT or NAT overload) translates multiple internal addresses to the single IP address of the egress interface, using port numbers to distinguish connections. This is the most common NAT deployment for internet access.

The configuration on Junos involves creating a source NAT rule:

set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule nat-rule match source-address 192.168.1.0/24
set security nat source rule-set internal-to-internet rule nat-rule then source-nat interface

This translates all traffic from 192.168.1.0/24 going to the untrust zone to the egress interface address.

Option A) is incorrect because static NAT provides one-to-one translation typically for servers requiring inbound access, not many-to-one translation for internet access. Option B) is incorrect because destination NAT modifies destination addresses for inbound traffic, not source addresses for outbound traffic. Option D) is incorrect because twice NAT modifies both source and destination addresses, which isn’t required for simple internet access.

Question 134

A network engineer is configuring OSPF authentication between two Juniper routers. The engineer wants to use MD5 authentication for enhanced security. Which configuration correctly enables MD5 authentication on an OSPF interface?

A) set protocols ospf area 0 interface ge-0/0/0 authentication simple-password secret123

B) set protocols ospf area 0 interface ge-0/0/0 authentication md5 1 key secret123

C) set protocols ospf area 0 authentication-type md5

D) set protocols ospf area 0 interface ge-0/0/0 authentication none

Answer: B

Explanation:

The correct answer is B) set protocols ospf area 0 interface ge-0/0/0 authentication md5 1 key secret123. MD5 authentication in OSPF provides cryptographic validation of OSPF packets, preventing unauthorized routers from forming adjacencies or injecting false routing information. The configuration specifies md5 as the authentication type, followed by a key-id (1 in this example) and the secret key. The key-id allows for key rotation without disrupting adjacencies.

Both routers must have matching MD5 key-id and key values for adjacency formation. Multiple keys can be configured with different key-ids for hitless key rotation—configure the new key on both routers before removing the old key. The authentication applies per-interface, allowing different authentication settings on different OSPF interfaces if needed.

Option A) is incorrect because simple-password uses cleartext authentication, which is less secure than MD5 and transmits the password in readable form. Option C) is incorrect because authentication is configured at the interface level, not area level, and the syntax is incomplete. Option D) is incorrect because authentication none explicitly disables authentication, providing no security.

Question 135

An administrator is configuring a routing policy to filter BGP routes based on AS path. The administrator wants to accept only routes that originated from AS 65010. Which AS path regular expression correctly matches routes originated by AS 65010?

A) .* 65010 .*

B) 65010$

C) ^65010$

D) 65010+

Answer: B

Explanation:

The correct answer is B) 65010$. In BGP AS path regular expressions, the $ symbol represents the end of the AS path, which corresponds to the originating AS. Routes originated by AS 65010 will have 65010 as the last AS in the path (closest to the origin). The expression 65010$ matches any AS path ending with AS 65010, regardless of how many transit ASes appear before it.

The policy configuration would be:

set policy-options as-path origin-65010 "65010$"
set policy-options policy-statement accept-65010-origin term 1 from as-path origin-65010
set policy-options policy-statement accept-65010-origin term 1 then accept

This matches routes like “65001 65002 65010” or simply “65010” where AS 65010 is the originator.

Option A) is incorrect because .* 65010 .* matches AS 65010 anywhere in the path, including transit, not specifically as the originator. Option C) is incorrect because ^65010$ matches only paths containing exactly AS 65010 with no other ASes (direct peer originated routes only). Option D) is incorrect because 65010+ matches one or more occurrences of 65010 anywhere in the path, which is typically used for prepending detection.

Question 136

A network engineer needs to configure BFD (Bidirectional Forwarding Detection) to provide fast failure detection for OSPF neighbors. What is the primary benefit of using BFD with OSPF?

A) BFD increases OSPF routing table capacity

B) BFD provides sub-second failure detection independent of OSPF timers

C) BFD encrypts OSPF hello packets

D) BFD reduces OSPF LSA flooding frequency

Answer: B

Explanation:

The correct answer is B) BFD provides sub-second failure detection independent of OSPF timers. BFD is a lightweight protocol designed specifically for rapid failure detection. While OSPF’s default dead interval is 40 seconds (4x hello interval of 10 seconds), BFD can detect failures in milliseconds (typically 50-300ms). BFD operates independently of OSPF, providing a dedicated mechanism for detecting link or neighbor failures and notifying OSPF to reconverge quickly.

The configuration enables BFD on OSPF interfaces:

set protocols ospf area 0 interface ge-0/0/0 bfd-liveness-detection minimum-interval 100
set protocols ospf area 0 interface ge-0/0/0 bfd-liveness-detection multiplier 3

This configures BFD with 100ms intervals and failure detection after 3 missed packets (300ms total). When BFD detects failure, it immediately notifies OSPF to tear down the adjacency and reconverge, rather than waiting for OSPF dead timer expiration.

Option A) is incorrect because BFD doesn’t affect routing table capacity; it’s purely a failure detection mechanism. Option C) is incorrect because BFD provides failure detection, not encryption; OSPF authentication handles security. Option D) is incorrect because BFD doesn’t affect LSA flooding behavior; it only accelerates failure detection triggering faster reconvergence.

Question 137

A network administrator is configuring Virtual Chassis on multiple Juniper EX switches. Which statement correctly describes Virtual Chassis operation?

A) Virtual Chassis requires all member switches to be different models for redundancy

B) Virtual Chassis combines multiple physical switches into a single logical device with unified management

C) Virtual Chassis operates only in Layer 3 routing mode

D) Virtual Chassis requires external controller software

Answer: B

Explanation:

The correct answer is B) Virtual Chassis combines multiple physical switches into a single logical device with unified management. Virtual Chassis (VC) technology interconnects multiple physical Juniper switches to operate as a single logical switch. This provides simplified management through a single control plane, increased port density, built-in redundancy, and distributed forwarding. All member switches share a single configuration and appear as one device to the network.

Virtual Chassis requires dedicated VC ports (VCPs) or configured uplink ports to interconnect members. One switch is elected as the primary (RE0), another as backup (RE1), and remaining switches become line cards. The configuration includes:

set virtual-chassis preprovisioned
set virtual-chassis member 0 role routing-engine serial-number ABC123
set virtual-chassis member 1 role routing-engine serial-number DEF456

Link aggregation across members (MC-LAG equivalent) provides redundancy to connected devices.

Option A) is incorrect because Virtual Chassis typically requires compatible switch models from the same family, not different models. Option C) is incorrect because Virtual Chassis operates at both Layer 2 and Layer 3. Option D) is incorrect because Virtual Chassis is self-contained within member switches without external controller requirements.

Question 138

An engineer is implementing route summarization in OSPF on a Juniper router. The router is an Area Border Router (ABR) connecting Area 1 to Area 0. The engineer wants to summarize the 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 networks from Area 1 into a single summary. Which configuration achieves this?

A) set protocols ospf area 0 area-range 10.1.0.0/22

B) set protocols ospf area 1 area-range 10.1.0.0/22

C) set protocols ospf area 1 stub default-metric 10

D) set protocols ospf area 0 nssa area-range 10.1.0.0/22

Answer: B

Explanation:

The correct answer is B) set protocols ospf area 1 area-range 10.1.0.0/22. OSPF route summarization on ABRs is configured using area-range under the area containing the more specific routes being summarized. The four /24 networks (10.1.0.0-10.1.3.0) can be summarized into a single /22 prefix. The area-range command is applied to Area 1 because that’s where the specific routes originate, and the ABR will advertise the summary into Area 0.

The area-range configuration creates a single Type 3 Summary LSA for 10.1.0.0/22 instead of four separate LSAs. This reduces LSA database size in Area 0 and other areas. The restrict option can be added to suppress advertisement entirely: set protocols ospf area 1 area-range 10.1.0.0/22 restrict.

Option A) is incorrect because area-range for summarizing Area 1 routes must be configured under Area 1, not Area 0. Option C) is incorrect because stub configuration with default-metric creates stub areas receiving default routes, not route summarization. Option D) is incorrect because NSSA configuration is for Not-So-Stubby Areas handling external route redistribution, not inter-area summarization.
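An added check for the area-range step above (not code from the original page; the prefixes are the four from the question plus a constructed three-prefix variant). It computes the smallest prefix covering a set of networks and reports any address space the summary would advertise beyond them, the thing to verify before committing an area-range, since a summary covering unused space pulls traffic for that space to the ABR.

```python
"""Compute an OSPF area-range summary and check it for over-coverage.

Added example, not from the original page. Input prefixes are sample data.
"""
from ipaddress import collapse_addresses, ip_network


def covering_summary(prefixes):
    """Smallest single prefix that contains every network in `prefixes`."""
    nets = [ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until all fit
    return summary


def summary_report(prefixes):
    """Return the summary, the space it covers that is not in `prefixes`,
    and whether the summary is an exact aggregate (no extra space)."""
    nets = sorted(ip_network(p) for p in prefixes)
    summary = covering_summary(prefixes)
    covered = list(collapse_addresses(nets))  # merged, non-overlapping blocks
    leftover = [summary]
    for block in covered:
        pieces = []
        for part in leftover:
            if block.subnet_of(part):
                pieces.extend(part.address_exclude(block))  # carve block out
            elif part.subnet_of(block):
                continue  # whole piece already covered
            else:
                pieces.append(part)
        leftover = pieces
    return {
        "summary": str(summary),
        "uncovered": sorted(str(x) for x in leftover),
        "exact": not leftover,
    }


def area_range_command(area, prefixes):
    """Junos set line for the summary, in the form used on this page."""
    return f"set protocols ospf area {area} area-range {covering_summary(prefixes)}"


if __name__ == "__main__":
    four = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    print(area_range_command(1, four), summary_report(four))
    # Constructed variant: only three of the four /24s exist in Area 1, so the
    # /22 summary also advertises 10.1.3.0/24, which nothing in the area uses.
    three = four[:3]
    print(area_range_command(1, three), summary_report(three))
```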

Question 139

An organization implements GRE tunnels on Juniper routers to connect remote sites. What is the PRIMARY limitation of basic GRE tunnels?

A) No native encryption requiring additional security like IPsec

B) Incompatibility with IPv4 networks

C) Maximum distance limitation of 100 kilometers

D) Support for only two endpoints

Answer: A

Explanation:

Generic Routing Encapsulation (GRE) is a tunnelling protocol that encapsulates packets of one network-layer protocol inside another, so that one protocol can be carried across infrastructure that only forwards the other. Typical uses are connecting IPv4 islands across an IPv6 core (or the reverse), carrying multicast and routing-protocol traffic across a unicast-only network, and joining enterprise sites over the Internet.

GRE wraps the original packet in a GRE header and an outer IP header addressed between the two tunnel endpoints. The result behaves like a virtual point-to-point link: routing protocols run across it, and the protocol type field in the GRE header identifies the encapsulated payload, so protocols other than IP can be carried. The GRE header also carries an optional checksum, an optional key that identifies a tunnel, and an optional sequence number. In Junos the tunnel is configured as a gr- interface with a tunnel source and destination.

GRE's security limitations are fundamental. It provides no encryption, so the encapsulated payload crosses the transport network in clear text and is readable by anyone who can capture it. It provides no endpoint authentication, so a party that can spoof the tunnel source address can inject packets into the tunnel or stand up an unauthorized endpoint. The optional checksum only detects accidental corruption, not deliberate modification, because anyone who alters a packet can recompute it, and the key field identifies a tunnel but is sent in the clear, so it is not a secret. These gaps are closed by running GRE over IPsec: GRE supplies the encapsulation flexibility and the virtual link, and IPsec supplies confidentiality, authentication and integrity for the GRE packets carried inside it.

Several operational points apply with or without IPsec. Recursive routing must be prevented: if the tunnel destination address becomes reachable through the tunnel itself, forwarding loops back into the tunnel and the interface flaps, so the transport address is pinned with a static route or kept out of the prefixes advertised across the tunnel. The tunnel interface MTU must be reduced to account for GRE overhead (and IPsec overhead where present) so that full-size packets are not fragmented or silently dropped. Keepalives detect a failed far endpoint and bring the tunnel interface down so that routing can fail over to a backup path. Basic GRE is point-to-point; multipoint GRE (mGRE), as used in Cisco's DMVPN, lets a hub build tunnels to many spokes dynamically.

Common deployment scenarios include lab interconnection, disaster-recovery site connectivity, and temporary overlays during migrations between network architectures.
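As an added worked example (not from the original page or any vendor documentation), the Junos configuration below builds one endpoint of a GRE tunnel and applies the three safeguards described above: a pinned transport route against recursive routing, a reduced tunnel MTU, and keepalives. The interface names, the documentation-range addresses (203.0.113.0/24 and 198.51.100.0/24 for transport, 10.255.0.0/30 for the tunnel) and the OSPF area are assumptions chosen for illustration; the far end mirrors the source and destination.

```junos
# MX only: tunnel-services must be enabled on a PIC before gr- interfaces exist
# (SRX and EX platforms create gr- interfaces without this statement).
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g

# Tunnel endpoint A. Addresses are documentation ranges chosen for this example.
set interfaces gr-0/0/0 unit 0 tunnel source 203.0.113.1
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.1
set interfaces gr-0/0/0 unit 0 family inet address 10.255.0.1/30

# Path MTU: 1500 on the transport minus 20 (outer IPv4) minus 4 (GRE) = 1476.
# If the GRE packets are later carried inside IPsec, lower this further to leave
# room for the ESP header, trailer, ICV and the IPsec outer IP header.
set interfaces gr-0/0/0 unit 0 family inet mtu 1476

# Recursive-routing guard: the tunnel destination is pinned to the physical
# next hop, so it can never be learned through the tunnel itself.
set routing-options static route 198.51.100.1/32 next-hop 203.0.113.254

# Run OSPF across the tunnel as a point-to-point link. Keep the transport
# networks (203.0.113.0/24, 198.51.100.0/24) out of OSPF so the tunnel
# destination is only ever reached via the static route above.
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0 interface-type p2p

# Keepalives: send one every 10 s; declare the far end dead after 30 s without
# a reply, which takes gr-0/0/0.0 down and lets OSPF fail over to another path.
set protocols oam gre-tunnel interface gr-0/0/0.0 keepalive-time 10
set protocols oam gre-tunnel interface gr-0/0/0.0 hold-time 30
```

After committing, `show interfaces gr-0/0/0.0 terse` should show the unit up, and `show route 198.51.100.1` must resolve via 203.0.113.254 on the physical interface, never via gr-0/0/0.0; if it ever does, recursive routing has occurred. For confidentiality and authentication, the GRE outer packets are routed through an IPsec tunnel between the same two endpoints rather than sent raw across the transport.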

B is incorrect because GRE explicitly supports IPv4 networks as one of its primary use cases. GRE was designed to work across IPv4 infrastructure carrying various encapsulated protocols. Claiming IPv4 incompatibility is factually wrong.

C is incorrect because GRE has no distance limitation. As an IP-based tunnel, GRE works across any IP-routable path and spans global distances, limited only by the reach of the transport network, not by an arbitrary kilometre limit.

D is incorrect because, while basic GRE is point-to-point between two endpoints, multipoint GRE enables hub-and-spoke topologies with multiple spokes connecting to a single hub. Claiming only two endpoints ignores mGRE capabilities.

Question 140

A security team wants to prevent unauthorized DHCP servers on the network. Which Junos feature protects against rogue DHCP servers?

A) DHCP snooping with trusted port configuration

B) Static IP address assignment to all devices

C) Disabling DHCP entirely across network

D) No protection mechanisms exist

Answer: A

Explanation:

DHCP snooping is a Layer 2 security feature that protects against rogue DHCP servers and related DHCP-based attacks by inspecting and filtering DHCP messages as they cross the switch. Understanding how it operates and how it is deployed is essential for protecting enterprise access networks.

Ports are classified as trusted or untrusted. Trusted ports lead to legitimate DHCP servers (or relays) or to upstream infrastructure, and all DHCP messages are allowed on them. Untrusted ports face end users or potentially hostile devices; only client messages (DISCOVER, REQUEST, RELEASE, DECLINE, INFORM) are permitted on them, and server messages (OFFER, ACK, NAK) are dropped. A rogue server attached to an untrusted port therefore cannot answer clients, which is what defeats the attack in the question.

The switch also validates the messages it forwards: server messages are accepted only on trusted ports; RELEASE and DECLINE messages are accepted only from the MAC address that previously obtained the lease, so an attacker cannot release other clients' addresses; and the frame's source MAC address must match the client hardware address in the DHCP payload, which blocks spoofed requests. Each completed lease is recorded in the snooping binding database as a mapping of client MAC address, IP address, lease time, VLAN and interface. That database is the foundation for dynamic ARP inspection, which validates ARP packets against the bindings, and IP source guard, which drops traffic from a client using an IP address it was not assigned. Rate limiting of DHCP packets on untrusted ports bounds the effect of DHCP starvation attacks, and option 82 insertion adds the access switch and port to the request so the DHCP server can apply location-based policy.

Configuring DHCP snooping on Junos means enabling it for the VLAN, marking the uplinks towards the DHCP servers as trusted, and optionally adding rate limits, option 82 and persistent storage of the binding database. On ELS switches the feature is enabled per VLAN under forwarding-options dhcp-security; on older non-ELS EX software it is enabled with examine-dhcp under ethernet-switching-options secure-access-port.

Implementation considerations: every legitimate DHCP server or relay must be reached through a trusted port, otherwise its offers are dropped and clients lose addressing; trunk ports may be trusted or untrusted depending on what sits behind them (on ELS, trunk ports are trusted by default and access ports untrusted); and the binding database must be sized and monitored so that the state table does not grow unbounded.
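Added configuration example (not from the original page) showing the ELS-style Junos configuration for the scenario in the question on an EX access switch: snooping enabled on one VLAN, the server-facing uplink trusted, a downstream trunk explicitly untrusted despite the trunk default, and the features that depend on the binding table turned on. The VLAN name, interface numbers and group names are assumptions.

```junos
# VLAN and its member ports. ge-0/0/47 is the uplink towards the DHCP server,
# ge-0/0/46 is a trunk down to a second access switch, ge-0/0/1 is a user port.
# (Interface numbers and the VLAN name are assumptions for this example.)
set vlans employees vlan-id 100
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members employees
set interfaces ge-0/0/46 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members employees
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members employees

# Configuring dhcp-security on the VLAN turns DHCP snooping on for every member
# port. Defaults: access ports untrusted, trunk ports trusted. Only the
# server-facing uplink should keep trust, so the downstream trunk is explicitly
# made untrusted: OFFER/ACK/NAK arriving from the second closet are then
# dropped, which is what stops a rogue server plugged in behind it. The user
# port ge-0/0/1.0 needs no statement; it is untrusted by default.
set vlans employees forwarding-options dhcp-security group uplink overrides trusted
set vlans employees forwarding-options dhcp-security group uplink interface ge-0/0/47.0
set vlans employees forwarding-options dhcp-security group downlink overrides untrusted
set vlans employees forwarding-options dhcp-security group downlink interface ge-0/0/46.0

# Features that consume the snooping binding table, plus option 82 so the
# server can see which switch port the request came from.
set vlans employees forwarding-options dhcp-security arp-inspection
set vlans employees forwarding-options dhcp-security ip-source-guard
set vlans employees forwarding-options dhcp-security option-82 circuit-id
```

Verify with `show dhcp-security binding`: an entry per client should appear as leases complete, and a client on an untrusted port that never obtained a lease will have no entry and, with IP source guard on, no forwarding. On non-ELS EX software the equivalent is `set ethernet-switching-options secure-access-port vlan employees examine-dhcp` with `set ethernet-switching-options secure-access-port interface ge-0/0/47.0 dhcp-trusted`, checked with `show dhcp snooping binding`. In both cases, test that the DHCP server still answers before trusting the change in production; an uplink accidentally left untrusted drops every OFFER and takes the VLAN offline.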

B is incorrect because while static IP assignment eliminates DHCP altogether avoiding rogue server risks, it is operationally impractical for large modern networks requiring manual configuration per device, lacking mobility support, and creating management overhead. DHCP snooping enables secure DHCP use.

C is incorrect because disabling DHCP entirely across network forces static address assignment with associated operational challenges. Organizations use DHCP for automation and flexibility requiring security through DHCP snooping not elimination of service.

D is incorrect because Junos explicitly provides DHCP snooping feature for rogue DHCP server protection. Claiming no protection mechanisms misrepresents security capabilities available in Juniper platforms.
