Juniper JN0-351 Enterprise Routing and Switching Specialist (JNCIS-ENT) Exam Practice Test

When the MAC address limit feature with the shutdown action is implemented on a switch, if a violation occurs, the interface is disabled and a system log entry is generated 1 .  If the switch has been configured with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout 1 .  However, if the switch has not been configured for auto-recovery from port error disabled conditions, you must manually clear the violation by running the clear ethernet-switching port-error command for the interface to send and receive traffic again 1 .  This explanation is based on the Enterprise Routing and Switching Specialist (JNCIS-ENT) documents and learning resources available at Juniper Networks 1 .

Link-state update packets are used to flood link-state advertisements (LSAs) among OSPF routers. The destination IP address of these packets depends on the network type and the state of the interface. On broadcast and point-to-point networks, OSPF uses two IP multicast addresses: 224.0.0.5 for all OSPF routers and 224.0.0.6 for all designated routers (DRs) and backup designated routers (BDRs)12. If the interface state is DR or BDR, the link-state update packets are sent to 224.0.0.5. Otherwise, they are sent to 224.0.0.63. On non-broadcast networks, such as Frame Relay or ATM, link-state update packets are sent as unicasts to each adjacent neighbor3. Therefore, the correct answer is A and D. References: Understanding OSPF Areas | Junos OS, How OSPF Works - IP Routing [Book] - O’Reilly Media, Link state packet - Wikipedia

Both aggregate and generated routes would work, but the best choice is generated routes.

https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/lsa-refresh-interval-edit-protocols-ospf.html

The DHCP snooping feature in Juniper Networks’ EX Series switches works by building a binding database that maps the IP address, MAC address, lease time, binding type, VLAN number, and interface information 1 .  This database is used to filter and validate DHCP messages from untrusted sources 1 .

However, there are certain conditions that could prevent entries from being automatically created in the snooping database for an interface:

MAC limiting: If MAC limiting is enabled on the interface, it could potentially interfere with the operation of DHCP snooping.  MAC limiting restricts the number of MAC addresses that can be learned on a physical interface to prevent MAC flooding attacks 1 . This could inadvertently limit the number of DHCP clients that can be learned on an interface, thus preventing new entries from being added to the DHCP snooping database.

Static IP address : If the device connected to the interface is configured with a static IP address, it will not go through the DHCP process and therefore will not have an entry in the DHCP snooping database 1 .  The DHCP snooping feature relies on monitoring DHCP messages to build its database 1 , so devices with static IP addresses that do not send DHCP messages will not have their information added.

Therefore, options B and C are correct.  Options A and D are not correct because performing a DHCPRELEASE would simply remove an existing entry from the database 1 , and Dynamic ARP inspection (DAI) uses the information stored in the DHCP snooping binding database but does not prevent entries from being created 1 .

According to the Juniper documentation 1 , the output of the show vlans command displays the forwarding options for the VLAN, including the DHCP security features. In the exhibit, the output shows that DHCP security is enabled, and that ARP inspection and IP source guard are also enabled. These features work together to protect the switch from IP spoofing and ARP spoofing attacks. DHCP snooping builds a database of IP/MAC bindings by snooping DHCP messages. ARP inspection validates ARP packets against the DHCP snooping database and drops invalid packets.  IP source guard checks the IP and MAC source addresses of packets against the DHCP snooping database and drops spoofed packets 2 3 . Therefore, the correct answer is A, B, and C.

The other options are not correct because:

D. The DHCP snooping database is not protected by default.  To protect the database from corruption or loss, you need to configure a file name and a location for storing the database, and enable periodic write operations to the file 4 . The exhibit does not show any such configuration.

E. DHCP snooping is not enabled for IPv6 traffic by default.  To enable DHCPv6 snooping, you need to configure a DHCPv6 relay agent and specify the trusted interfaces for DHCPv6 messages 5 . The exhibit does not show any such configuration.

A broadcast storm is a network condition where a large number of broadcast packets are sent and received by multiple devices, causing congestion and performance degradation 1 .  A broadcast storm can occur when there are loops in the network topology, meaning that there are multiple paths between two devices 2 .

A spanning tree protocol is a network protocol that prevents loops from being formed when switches or bridges are interconnected via multiple paths.  It does this by creating a logical tree structure that spans all the devices in the network, and disabling or blocking the links that are not part of the tree, leaving a single active path between any two devices 3 .

By eliminating loops, a spanning tree protocol also eliminates broadcast storms, as broadcast packets will not be forwarded endlessly along the looped paths.  Instead, broadcast packets will be sent only along the tree structure, reaching each device once and avoiding congestion 3 .

BFD is a protocol that can be used to quickly detect failures in the forwarding path between two adjacent routers or switches. BFD can be integrated with various routing protocols and link aggregation protocols to provide faster convergence and fault recovery.

According to the Juniper Networks documentation, the following protocols support BFD on Junos OS devices 1 :

BGP: BFD can be used to monitor the connectivity between BGP peers and trigger a session reset if a failure is detected.  BFD can be configured for both internal and external BGP sessions, as well as for IPv4 and IPv6 address families 2 .

OSPF: BFD can be used to monitor the connectivity between OSPF neighbors and trigger a state change if a failure is detected.  BFD can be configured for both OSPFv2 and OSPFv3 protocols, as well as for point-to-point and broadcast network types 3 .

LACP: BFD can be used to monitor the connectivity between LACP members and trigger a link state change if a failure is detected.  BFD can be configured for both active and passive LACP modes, as well as for static and dynamic LAGs 4 .

Other protocols that support BFD on Junos OS devices are:

IS-IS: BFD can be used to monitor the connectivity between IS-IS neighbors and trigger a state change if a failure is detected. BFD can be configured for both level 1 and level 2 IS-IS adjacencies, as well as for point-to-point and broadcast network types.

RIP: BFD can be used to monitor the connectivity between RIP neighbors and trigger a route update if a failure is detected. BFD can be configured for both RIP version 1 and version 2 protocols, as well as for IPv4 and IPv6 address families.

VRRP: BFD can be used to monitor the connectivity between VRRP routers and trigger a priority change if a failure is detected. BFD can be configured for both VRRP version 2 and version 3 protocols, as well as for IPv4 and IPv6 address families.

The protocols that do not support BFD on Junos OS devices are:

RSTP: RSTP is a spanning tree protocol that provides loop prevention and rapid convergence in layer 2 networks. RSTP does not use BFD to detect link failures, but relies on its own hello mechanism that sends BPDU packets every 2 seconds by default.

FTP: FTP is an application layer protocol that is used to transfer files between hosts over a TCP connection. FTP does not use BFD to detect connection failures, but relies on TCP’s own retransmission and timeout mechanisms.

Redundant Trunk Groups (RTGs) on EX Series switches provide a simple solution for network recovery when a trunk port on a switch goes down 1 .  They are configured on the access switch and contain two links: a primary or active link, and a secondary link 1 .  Therefore, option B is correct because if the active link fails, the secondary link automatically starts forwarding data traffic without waiting for normal spanning-tree protocol convergence 1 .

Option D is also correct.  In a typical enterprise network composed of distribution and access layers, RTGs are used where one Access switch is connected to two different uplink switches 2 .  This implies that RTGs must be connected to the same aggregation switch 2 .

In a trunk port configuration with multiple VLANs, the native VLAN carries untagged traffic. This means frames sent or received on the port without a VLAN tag are automatically assigned to the native VLAN.

Here ' s why the other options are incorrect:

A. The native VLAN must be the default VLAN on the port.  This is not necessarily true. The native VLAN and the default VLAN can be different. The default VLAN is the VLAN assigned to untagged traffic on access ports, while the native VLAN applies to trunk ports.

B. The native VLAN is automatically configured through DHCP.  This is incorrect. The native VLAN needs to be manually configured on the switch port. DHCP is used for assigning IP addresses, not VLAN IDs.

D. The native VLAN is the highest tagged VLAN ID on the port.  This is also incorrect. The native VLAN and tagged VLANs are independent. The native VLAN is not related to the highest or lowest tagged VLAN ID.

Therefore, the only true statement is that the native VLAN is an untagged VLAN ID on the port.

A tunnel is a connection between two computer networks, in which data is sent from one network to another through an encrypted link. Tunnels are commonly used to secure data communications between two networks or to connect two networks that use different protocols.

Option B is correct, because tunnel endpoints must have a valid route to the remote tunnel endpoint. A tunnel endpoint is the device that initiates or terminates a tunnel connection. For a tunnel to be established, both endpoints must be able to reach each other over the underlying network.  This means that they must have a valid route to the IP address of the remote endpoint 1 .

Option D is correct, because tunnels add additional overhead to packet size. Tunnels work by encapsulating packets: wrapping packets inside of other packets. This means that the original packet becomes the payload of the surrounding packet, and the surrounding packet has its own header and trailer. The header and trailer of the surrounding packet add extra bytes to the packet size, which is called overhead.  Overhead can reduce the efficiency and performance of a network, as it consumes more bandwidth and processing power 2 .

Option A is incorrect, because BFD can be used to monitor tunnels. BFD is a protocol that can be used to quickly detect failures in the forwarding path between two adjacent routers or switches. BFD can be integrated with various routing protocols and link aggregation protocols to provide faster convergence and fault recovery. BFD can also be used to monitor the connectivity of tunnels, such as GRE, IPsec, or MPLS.

Option C is incorrect, because IP-IP tunnels are stateless. IP-IP tunnels are a type of tunnels that use IP as both the encapsulating and encapsulated protocol. IP-IP tunnels are simple and easy to configure, but they do not provide any security or authentication features. IP-IP tunnels are stateless, which means that they do not keep track of the state or status of the tunnel connection. Stateless tunnels do not require any signaling or negotiation between the endpoints, but they also do not provide any error detection or recovery mechanisms.

A  is correct because RSTP alternate ports block traffic while receiving superior BPDUs from a neighboring switch.  An alternate port is a backup port for a root port, which means it receives better BPDUs from another bridge than the current root port 1 .  However, an alternate port does not forward any traffic, as it is in a discarding state 2 . It only listens to BPDUs and waits for the root port to fail.  If the root port fails, the alternate port can immediately transition to a forwarding state and become the new root port 1 .

C  is correct because RSTP alternate ports provide an alternate higher cost path to the root bridge.  An alternate port is selected based on the same criteria as the root port, which are the lowest bridge ID, the lowest path cost, the lowest sender port ID, and the lowest receiver port ID 3 .  However, an alternate port receives a higher cost BPDU than the root port, otherwise it would be the root port itself 1 . Therefore, an alternate port provides an alternate higher cost path to the root bridge than the root port.

The BGP attribute that you would use to forward all Internet traffic through the R1 device is the  local preference 1 .

The local preference is an attribute that is used within an autonomous system (AS) and exchanged between iBGP routers 1 .  It is used to select an exit point from the AS 1 .  The path with the highest local preference is preferred 1 .  By setting a higher local preference for the routes received from R1, you can make R1 the preferred exit point for all Internet traffic 1 .

The solution that should be implemented in this scenario is to create a default generate route that includes an import policy to match BGP routes from ISP1 and assign a preference value of four or less. This way, the default route will be advertised to the internal OSPF neighbors only when there is a BGP route from ISP1 in the routing table, and it will have a higher preference than any other default route from ISP2 or ISP3. If ISP1 is not available, the default generate route will be withdrawn and the traffic will use the next available default route from ISP2 or ISP3.

Option A is incorrect because creating a default static route with ISP1’s address as the next hop while specifying the addresses for ISP2 and ISP3 as qualified next hops with a preference value of six or higher will not ensure that the default route is advertised to the internal OSPF neighbors only when ISP1 is available. The default static route will always be in the routing table regardless of the availability of ISP1, and it will have a lower preference than any other default route from ISP2 or ISP3.

Option C is incorrect because creating a default static route with each neighbor address as the next hop will not ensure that all traffic uses ISP1 as the primary connection and only uses ISP2 and ISP3 when ISP1 is not available. The default static route will always be in the routing table regardless of the availability of ISP1, and it will load balance the traffic among the three ISPs.

Option D is incorrect because creating a default aggregated route will not ensure that the default route is advertised to the internal OSPF neighbors only when ISP1 is available. The default aggregated route will always be in the routing table regardless of the availability of ISP1, and it will not have any preference value associated with it. References:

Enterprise Routing and Switching, Specialist (JNCIS-ENT) - Juniper Networks

Enterprise Routing and Switching, Specialist (JNCIS-ENT) - Juniper Networks

The routers that are directly connected to the Dallas and Denver subnets are not advertising the connected subnets.  This can be resolved by redistributing the connected subnets into OSPF 1 .

Option C suggests to configure and apply a routing policy that redistributes the connected Dallas and Denver subnets.  This is correct because redistribution allows routes from one routing protocol to be communicated to another, and in this case, it allows the connected subnets to be advertised through OSPF 1 .

Option D suggests enabling the passive option on the OSPF interfaces that are connected to the Dallas and Denver subnets.  This is also correct because in OSPF, a passive interface is an interface that belongs to the OSPF router, but does not send OSPF Hello packets 1 .  It’s typically used on an interface that you don’t want to use for OSPF adjacencies, but you still want to advertise its IP address 1 . Therefore, enabling passive interface can help in advertising the Dallas and Denver subnets.

BGP attributes are properties that BGP uses for route advertisement, path selection, and loop prevention 1 .  There are four categories of BGP attributes 1 2 3 :

Well-known mandatory: Must be recognized by all BGP routers, present in all BGP updates, and passed on to other BGP routers 1 2 3 .

Well-known discretionary: Supported by all BGP implementations, and are optionally included in BGP updates 1 .

Optional transitive: May not be supported by all implementations of BGP 1 .

Optional non-transitive: May not be supported by all implementations of BGP 1 .

The well-known mandatory attributes must be supported by all BGP implementations and must be included in every update 1 2 3 .  These include the AS path and next hop attributes 2 3 . Therefore, options A and C are correct.

BGP is a routing protocol that operates between autonomous systems (AS). An AS is a group of routers under a single administrative control. BGP can be classified into two types: internal BGP (IBGP) and external BGP (EBGP). IBGP is the BGP communication between routers within the same AS, while EBGP is the BGP communication between routers in different AS. BGP uses the AS_PATH attribute to record the AS numbers that the route has passed through, and uses it to prevent routing loops and select the best path.

In this scenario, you want to add a second ISP connection and remove the default route to the existing ISP. This means that you want to have more control over the routing decisions and use BGP to exchange routes with both ISPs. To do this, you need to deploy the BGP protocol in your network and configure both IBGP and EBGP sessions. The correct statements about BGP in this scenario are:

IBGP peers advertise routes received from EBGP peers to other IBGP peers. This is the default behavior of IBGP, as it allows the routers within the same AS to learn the routes from different EBGP peers and select the best exit point. However, IBGP has a rule that it does not advertise routes received from IBGP peers to other IBGP peers, to avoid creating routing loops. Therefore, option B is correct and option C is incorrect. To overcome this rule, IBGP requires a full mesh topology, where every IBGP router is directly connected to every other IBGP router, or a route reflector or confederation design, where some IBGP routers act as intermediaries to reflect or aggregate the routes to other IBGP routers.

EBGP peers advertise routes received from IBGP peers to other EBGP peers. This is the default behavior of EBGP, as it allows the routers in different AS to exchange routes and reachability information. However, EBGP has a rule that it does not advertise routes received from EBGP peers to other EBGP peers, to avoid creating routing loops. Therefore, option D is correct and option A is incorrect. To overcome this rule, EBGP uses the AS_PATH attribute to filter out the routes that contain its own AS number, or uses route maps or policies to control the route advertisement. IBGP does not update the next-hop attribute to ensure reachability within an AS, as the next-hop attribute is preserved by IBGP. Instead, IBGP relies on an underlying IGP (Interior Gateway Protocol) to provide reachability to the next-hop.

The configuration shown in the exhibit is an example of a routing instance of type virtual-router.  A routing instance is a collection of routing tables, interfaces, and routing protocol parameters that create a separate routing domain on a Juniper device 1 .  A virtual-router routing instance allows administrators to divide a device into multiple independent virtual routers, each with its own routing table 2 .

The configuration also includes a rib-group statement, which is used to import routes from one routing table to another. A rib-group consists of an import-rib statement, which specifies the source routing table, and an export-rib statement, which specifies the destination routing table.

In this case, the rib-group name is inet-to-ispi, and the import-rib statement specifies inet.0 as the source routing table. The export-rib statement specifies ispi.inet.0 as the destination routing table. This means that the routes from inet.0 will be imported into ispi.inet.0.

Therefore, the correct answer is B. The inet.0 route table will be imported into the ispi.inet.0 route table.

In BGP, routing policies are used to control the flow of routing information between BGP peers 1 .

Option C suggests that import policies are applied after the RIB-In table.  This is correct because import policies in BGP are applied to routes that are received from a BGP peer, before they are installed in the local BGP Routing Information Base (RIB-In) 1 .  The RIB-In is a database that stores all the routes that are received from all peers 1 .

Option D suggests that export policies are applied after the RIB-Local table.  This is correct because export policies in BGP are applied to routes that are being advertised to a BGP peer, after they have been selected from the local BGP Routing Information Base (RIB-Local) 1 .  The RIB-Local is a database that stores all the routes that the local router is using 1 .

Therefore, options C and D are correct.

To isolate management traffic in a non-default routing-instance on Junos-based devices, you can use the  set system management-instance  and  set routing-instances mgmt_junos  commands 1 2 .

set system management-instance : This command associates the management interface (usually named fxp0 or em0 for Junos OS, or re0:mgmt-* or re1:mgmt-* for Junos OS Evolved) with the non-default virtual routing and forwarding (VRF) instance 1 .  After you configure the non-default management VRF instance, management traffic no longer has to share a routing table with other control traffic or protocol traffic 1 .

set routing-instances mgmt_junos : This command creates a new routing instance named  mgmt_junos .  The name of the dedicated management VRF instance is reserved and hardcoded as  mgmt_junos ; you cannot configure any other routing instance by the name  mgmt_junos 1 .

Therefore, options C and D are correct.  Options A and B are not correct because they attempt to assign an interface to the  mgmt_junos  routing instance, which is not necessary for isolating management traffic 1 .

The bridging table is a data structure that stores the MAC addresses and the associated interface details and MAC learned time for each MAC address. The bridging table is used by the switch to forward frames based on the destination MAC address. The ether type details and the preamble of Ethernet packet are not stored in the bridging table, as they are not relevant for the switching process. References:

Enterprise Routing and Switching, Specialist (JNCIS-ENT) - Juniper Networks

Enterprise Routing and Switching, Specialist (JNCIS-ENT) - Juniper Networks

[Junos OS Layer 2 Configuration Guide - TechLibrary - Juniper Networks]

[Junos OS Layer 2 Configuration Guide - TechLibrary - Juniper Networks]

In BGP, the path selection process is based on a set of attributes 1 .  The process starts by preferring the path with the highest weight, then the highest local preference, then the locally originated routes, and so on 1 .  If all these attributes are the same, then it prefers the path with the shortest AS path 1 .

Referring to the exhibit, all four ISPs have the same weight, local preference, and origin 1 .  However, ISP 4 has the shortest AS path 1 . Therefore, ISP 4 will be selected as the active path. So, option C is correct.

The Graceful Routing Engine Switchover (GRES) feature in Junos OS enables a router with redundant Routing Engines to continue forwarding packets, even if one Routing Engine fails 1 .  GRES preserves interface and kernel information, ensuring that traffic is not interrupted 1 .  However, GRES does not preserve the control plane 1 .

To preserve routing during a switchover, GRES must be combined with either Graceful Restart protocol extensions or Nonstop Active Routing (NSR) 1 .  When GRES is combined with NSR, nearly 75 percent of line rate worth of traffic per Packet Forwarding Engine remains uninterrupted during GRES 1 .  Any updates to the primary Routing Engine are replicated to the backup Routing Engine as soon as they occur 1 .

Therefore, when GRES is combined with NSR, routing is preserved and the new master RE does not restart rpd 1 .

MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). This feature is enabled on interfaces (ports). MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access port. The MAC limit value in the EX-series switch’s default configuration is five MAC addresses. You can configure the MAC limit on an interface, on an interface in a VLAN, or on all interfaces. You can also specify the action to be taken when the MAC limit is exceeded, such as dropping packets, logging messages, or shutting down the interface. Additionally, you can configure specific “allowed” MAC addresses for the access port. Any MAC address that is not in the list of configured addresses is not learned. Allowed MAC binds MAC addresses to a VLAN so that the address does not get registered outside the VLAN. References:

[EX] How to control MAC address access through Junos OS for EX Series switches1

Configuring MAC Limiting2

Understanding MAC Limiting and MAC Move Limiting3

Aggregate routes are used for advertising summarized network prefixes 1 2 .  They help minimize the number of routing tables in an IP network by consolidating selected multiple routes into a single route advertisement 1 .  This approach is in contrast to non-aggregation routing, in which every routing table contains a unique entry for each route 1 .

Therefore, option D is correct. Options A, B, and C are not correct because:

Aggregate routes can be used with both static routing and dynamic routing protocols 1 .

Aggregate routes are not automatically generated for all of the subnets in a routing table.  They need to be manually configured 1 .

Aggregate routes are not always preferred over more specific routes.  The route selection process in Junos OS considers several factors, including route preference and metric, before determining the active route 1 .