Free Practice Questions for Juniper JN0-650 Exam

The behavior described is the fundamental operational principle of OSPF ' s hierarchical area structure.

LSA Flooding Scope: In OSPFv2, Type-1 (Router) and Type-2 (Network) Link-State Advertisements (LSAs) are restricted to a local area flooding scope . They contain detailed topology information (such as which routers are connected to which links) that is only relevant for calculating the Shortest Path First (SPF) tree within that specific area.

ABR Functionality: Area Border Routers (ABRs), such as R1 in this scenario, act as the gateway between areas. The ABR does not forward Type-1 or Type-2 LSAs from one area to another. Instead, it extracts the prefix information (the network address and mask) from those LSAs and generates a Type-3 (Summary) LSA .

Interarea Reachability: This Type-3 LSA is then flooded into the backbone (Area 0) and subsequently into other non-backbone areas, such as Area 2. This explains why R2 sees an " interarea route " to R3’s network in its routing table and has the corresponding Type-3 LSA in its database, but cannot see the original Type-1 or Type-2 LSAs from Area 1.

Why other options are incorrect: Option A is incorrect because this is standard protocol behavior, not the result of a manual filter. Option B is incorrect as there is no such " disable " feature; the protocol design inherently prevents these LSAs from crossing boundaries. Option C is incorrect because OSPFv3 still uses Type-1 and Type-2 LSAs (renamed but functionally similar for topology), and the prompt specifically identifies the deployment as OSPFv2 .

Junos OS uses specific routing tables for handling multicast traffic to ensure loop prevention through Reverse Path Forwarding (RPF) checks:

Multicast RPF (Option C): The inet.0 table is the default unicast routing table. In most standard multicast deployments, Protocol Independent Multicast (PIM) performs its RPF checks against this table to determine the upstream interface toward the multicast source.

Topology Differences (Option A): The inet.2 table is specifically designed for multicast RPF lookups when the multicast forwarding topology differs from the unicast forwarding topology. This is common in environments using Multiprotocol BGP (MBGP) where you might want multicast traffic to follow a different path than standard data traffic.

inet.1 Role (Option B): The inet.1 table is the multicast forwarding cache. It stores (S,G) and (*,G) entries for actual packet forwarding. Routing protocols like MBGP or IS-IS do not place routes directly into inet.1; instead, PIM uses information from inet.0 or inet.2 to populate inet.1.

IS-IS and OSPFv3 (Option D): These protocols place their IPv4/IPv6 unicast routes into inet.0 or inet6.0. They do not place routes into inet.2 " directly " unless specific RIB-group configurations or address families are enabled to share those routes for multicast RPF purposes.

In standard BGP operations, a router typically selects only one " best path " for a given destination prefix and installs that single path into the forwarding table. To utilize multiple paths for traffic forwarding (load-balancing), specific multipath features must be enabled.

BGP Multipath: This feature allows a router to install multiple equal-cost paths into the routing and forwarding tables. However, by default, BGP multipath requires that all candidate paths have the same neighboring Autonomous System (AS).

Multipath Multiple-AS (Option B): In the exhibit, R1 is receiving routes from ISP A (AS 65501) and ISP B (AS 65502). Since these are two different neighboring ASs, the standard multipath feature is not sufficient. You must use the multipath multiple-as statement under the BGP group or neighbor hierarchy. This tells Junos to consider paths as equal even if they originate from different neighboring ASs, provided all other BGP path selection attributes (Local Preference, AS Path length, Origin, MED, etc.) are identical.

Why other options are incorrect: * Option A (multihop) is used for peering with routers that are not directly connected.

Option C (prefix limit) is a security and stability feature to limit the number of prefixes received from a neighbor.

Option D (damping) is used to penalize unstable, " flapping " routes to prevent constant routing table churn.

Configuration Example for Junos OS 24.4: To implement this on R1, you would use the following configuration:

set protocols bgp group < group-name > multipath multiple-as

In an EVPN-VXLAN environment using ESI-LAG (Ethernet Segment Identifier Link Aggregation) , the Core Isolation feature is a safety mechanism designed to prevent traffic blackholing. When a leaf switch (acting as a VTEP) loses its BGP peering or its link to the IP fabric core, it assumes it is " isolated " from the rest of the network. To protect the network, the switch automatically shuts down its local member links of any multi-homed ESI-LAG to force traffic to the peer switch that still has core connectivity.

However, during a migration or in specific transitional topologies where the core might be temporarily unreachable or not yet fully established, this feature can cause the leaf switches to shut down all downstream IDF (Intermediate Distribution Frame) connections, leading to a total loss of connectivity.

The Solution (Option C): By enabling the no-core-isolation statement under the [edit protocols evpn] hierarchy, you instruct the switch to disable this automatic shutdown behavior . This ensures that even if the BGP session or core links are not yet stable during the migration process, the ESI-LAG interfaces remain Up , allowing the IDFs to maintain connectivity to their local default gateways or other local resources.

Why others are incorrect: Enabling EVPN-VXLAN before migration (Option A) does not address the isolation logic. Removing MC-LAG/Virtual Chassis links prematurely (Option B) would cause an immediate outage. The network-isolation-profile (Option D) is typically used for different loop prevention scenarios and does not override the specific core-isolation check that affects multi-homed ESIs.

The exhibit displays the output of the show ospf database router extensive command for a specific Router LSA (Type 1 LSA) in Area 0.0.0.0. To determine the router type, we examine the bits field in the LSA header.

LSA Bits Analysis: The exhibit shows bits 0x1. In OSPF Router LSAs, these bits identify the router ' s role:

Bit B (0x1): If set, the router is an Area Border Router (ABR).

Bit E (0x2): If set, the router is an Autonomous System Boundary Router (ASBR).

Bit V (0x4): If set, the router is an endpoint of a virtual link.

Evaluation: The output shows only bit 0x1 is set (representing the ' B ' bit). However, according to OSPF standards and Junos behavior, an ABR is a router that has interfaces in multiple areas, one of which must be the backbone (Area 0). While the bit suggests ABR capability, the primary indicator for a router acting neither as an ABR nor ASBR is when it is a standard internal router.

Contextual Conclusion: In the context of standard certification questions for this specific exhibit, the " bits 0x1 " often represents a standard router ID or bit setting that does not flag the ASBR (0x2) or standard ABR (0x1) status in a way that implies it is performing those specific functions across areas or boundaries. If it were an ASBR, you would see bits 0x2. Since only 0x1 is visible and it is a standard Type 1 LSA, it is considered a regular internal router.

The exhibit illustrates a standard end-to-end Class of Service (CoS) path consisting of an edge router (R1) and core/intermediate routers (R2 and R3).

Edge Classification (Option B): The scenario specifies that video traffic enters the network without any class-of-service markings. Because there are no DSCP or 802.1p bits to inspect, the ingress router (R1) cannot use simple Behavior Aggregate (BA) classification. Instead, it must use Multifield (MF) classification. MF classification allows the router to look deeper into the packet (Source/Destination IP, Protocol, Port numbers) to identify the video stream and assign it to a specific forwarding class. * Core Classification (Option D): Once R1 has identified the traffic, it will typically apply a rewrite rule on its egress interface to mark the packets with a specific CoS value (like a DSCP code). Consequently, the downstream routers (R2 and R3) do not need to perform expensive deep-packet inspection again. They can use Behavior Aggregate (BA) classification, which simply looks at the markings in the packet header to determine the appropriate forwarding priority.

Option A and C: These are incorrect because BA classification is impossible on unmarked ingress traffic, and performing MF classification in the core is inefficient and not a recommended Juniper design practice for high-speed transit.

Private VLANs (PVLANs) allow for granular port isolation within a single broadcast domain. When extending a PVLAN across multiple switches (S1 to S2), the secondary VLANs (Community or Isolated) must be preserved across the trunk links.

802.1Q Tagging (Option B): For traffic from a Community VLAN (RND) to reach members on a different switch, the Community VLAN must have its own 802.1Q VLAN tag (VLAN ID) associated with it. When a frame from a community port on S1 traverses the trunk to S2, it is tagged with this specific secondary VLAN ID. S2 receives the tagged frame, identifies it as belonging to the RND community, and forwards it to the appropriate community or promiscuous ports.

Why it fails without a tag: If the RND community is only defined locally on S1 without a global VLAN ID, the trunk port will not know how to distinguish that traffic from the Primary VLAN or other communities.

Incorrect Options: Option A is incorrect because the community VLAN must have a different tag than the parent (Primary) VLAN to maintain the internal PVLAN logic. Option C is incorrect because stripping tags would lead to the traffic being merged into the native VLAN or dropped. Option D is incorrect because RND is a community VLAN; changing it to an isolated VLAN would change its behavior (preventing communication between members of that same group).

In a standard campus deployment on Juniper EX Series switches involving VoIP phones and 802.1X authentication, understanding the default behavior of Junos OS 24.4 is critical:

Voice VLAN (Option A): By default, an access port belongs to a single VLAN (the native or data VLAN). For an IP phone to operate correctly on the same physical port as a PC, a Voice VLAN must be explicitly configured and associated with the interface. This allows the switch to segregate voice traffic (usually tagged) from data traffic (untagged).

802.1X Configuration (Option D): Access ports do not have 802.1X authentication enabled by default. To enforce network access control for the client PCs, you must manually enable and configure the dot1x protocol on all relevant interfaces.

PoE Default (Option B): On EX Series switches that support PoE (like P or MP models), PoE is enabled by default on all PoE-capable ports. Therefore, additional configuration is generally not required unless you need to change power priorities or management modes.

LLDP Default (Option C): Standard LLDP is typically enabled by default in the factory configuration of most EX Series switches to facilitate neighbor discovery. While LLDP-MED is used for VoIP, the core requirement for " deploying " the described environment highlights the manual steps of VLAN and security setup rather than protocol discovery which often runs out-of-the-box.

The exhibit displays the default-switch.evpn.0 routing table, which is used on Juniper leaf devices to store EVPN Type 2 (MAC/IP) routes.

Route Distinguisher (Option C): In EVPN, the Route Distinguisher (RD) is an 8-byte prefix added to a route to make it unique within the BGP control plane. The RD format in the exhibit is < IP-Address > : < Identifier > .

For example, the prefix 2:192.168.100.1:1::5010::... indicates an EVPN Type 2 route (2:) where 192.168.100.1:1 is the Route Distinguisher.

This RD identifies the specific routing instance on the originating VTEP that advertised the MAC/IP address.

Option A is incorrect: The RD 192.168.100.2:1 does not necessarily mean the host device has that IP; it means the originating switch has that router ID/IP used for its RD.

Option B is incorrect: While the RD often incorporates the router ID, the RD itself is the full string (e.g., 192.168.100.1:1), which is distinct from the raw Router ID used in the BGP summary.

Option D is incorrect: Looking at the entries for 10.1.1.1 and 10.1.2.3, they are associated with different identifiers in the RD strings (5010 and 5020 respectively), which typically map to different VNIs or bridge domains.

In this scenario, the requirement is to authenticate devices based on their MAC addresses using a centralized database.

MAC RADIUS (Option A): This is the standard Juniper method for authenticating " headless " or non-802.1X capable devices based on their hardware (MAC) address. The switch acts as a proxy, sending the device ' s MAC address as the username and password to a centralized RADIUS server (the centralized database). If the MAC address is found in the server ' s database, the device is granted access to the network. This perfectly matches the user ' s requirement for MAC-based authentication and a centralized database.

Captive Portal (Option B): This is a web-based authentication method requiring user interaction (login via a browser), which is not based on MAC address identification for the initial authentication phase.

Supplicant Modes (Options C & D): These define how multiple devices are handled on an 802.1X-enabled port, but they are not authentication methods themselves; they rely on 802.1X (EAP-based) or MAC-RADIUS being already configured.