Free Practice Questions for Juniper JN0-650 Exam

Private VLANs (PVLANs) provide Layer 2 isolation between ports within the same broadcast domain. When a PVLAN spans multiple switches, a special type of trunk configuration is required to maintain the isolation and community logic across the inter-switch links.

Isolated VLAN Trunking (Option D): To extend an isolated VLAN across multiple switches, you must configure the trunk port on each switch to allow the isolated VLAN ID. In Junos OS, this is specifically achieved by configuring the interface as a trunk and associating it with the primary VLAN and the specific isolated VLAN. The correct syntax for enabling this inter-switch communication is to configure trunk ports that recognize the isolated VLAN tag (e.g., set interfaces < interface > unit 0 family ethernet-switching vlan members [ primary-vlan isolated-vlan ]).

Forwarding Rules: Traffic from an isolated port on Switch A must reach a promiscuous port (often on Switch B) to exit the PVLAN. The inter-switch trunk carries this traffic using the secondary (isolated) VLAN ID, ensuring that it remains isolated from other host ports on the remote switch.

Option A (inter-switch-link): In standard Junos switching, the inter-switch-link statement is used in Virtual Chassis or specific fabric designs, but for standard PVLAN extension, standard 802.1Q trunking with secondary VLAN IDs is the mechanism used.

Options B and C: These describe specific port roles (isolated vs. community) rather than the method used to enable trunking between switches.

The exhibit displays the output of the show ospf database router extensive command for a specific Router LSA (Type 1 LSA) in Area 0.0.0.0. To determine the router type, we examine the bits field in the LSA header.

LSA Bits Analysis: The exhibit shows bits 0x1. In OSPF Router LSAs, these bits identify the router ' s role:

Bit B (0x1): If set, the router is an Area Border Router (ABR).

Bit E (0x2): If set, the router is an Autonomous System Boundary Router (ASBR).

Bit V (0x4): If set, the router is an endpoint of a virtual link.

Evaluation: The output shows only bit 0x1 is set (representing the ' B ' bit). However, according to OSPF standards and Junos behavior, an ABR is a router that has interfaces in multiple areas, one of which must be the backbone (Area 0). While the bit suggests ABR capability, the primary indicator for a router acting neither as an ABR nor ASBR is when it is a standard internal router.

Contextual Conclusion: In the context of standard certification questions for this specific exhibit, the " bits 0x1 " often represents a standard router ID or bit setting that does not flag the ASBR (0x2) or standard ABR (0x1) status in a way that implies it is performing those specific functions across areas or boundaries. If it were an ASBR, you would see bits 0x2. Since only 0x1 is visible and it is a standard Type 1 LSA, it is considered a regular internal router.

The exhibit shows a network topology where Multiple VLAN Registration Protocol (MVRP) is used to dynamically manage VLANs across switches Core-1, Access-1, and Access-2.

Identifying the Missing Configuration: According to the diagram, the trunk link between Core-1 and Access-2 uses interface ge-0/0/16.0 on the Core-1 side.

Output Analysis: However, the show protocols mvrp output for Core-1 only lists interfaces ge-0/0/14.0 and ge-0/0/15.0.

MVRP Requirements: For MVRP to successfully propagate VLAN information between Access-2 and the rest of the network, the protocol must be enabled on every trunk interface in the path.

Solution: Because ge-0/0/16.0 is missing from the Core-1 MVRP configuration, VLAN registration messages from Access-2 are not being processed by Core-1. Configuring this interface under MVRP on Core-1 will solve the communication problem.

The exhibit shows the Class of Service (CoS) transmit queue information for interface ge-0/0/11. To determine the correct behavior, we must analyze the bandwidth allocations and the queue limit settings:

Bandwidth Calculation (Option A): In Junos OS, when multiple queues are assigned specific percentages of bandwidth, the " remainder " (represented by ' r ' ) is the total interface bandwidth minus the sum of the explicitly configured percentages.

Bandwidth assigned to Queue 1 (EF) = 10%.

Bandwidth assigned to Queue 2 (AF) = 10%.

Bandwidth assigned to Queue 3 (NC) = 4%.

Total explicitly assigned = $10\% + 10\% + 4\% = 24\%$.

Remainder for Queue 0 (Best Effort) = $100\% - 24\% = 76\%$.

" Limit: exact " Behavior (Option B): The exhibit shows that Queue 2 (assured-forwarding) has a Limit set to exact.

By default, a queue in Junos can consume more than its allocated bandwidth if other queues are idle.

However, when the exact keyword is applied to the transmit-rate (transmission rate), the queue is strictly rate-limited to its configured percentage.

This means that traffic in Queue 2 will be capped at 10% of the interface bandwidth regardless of whether the network is congested or not. If the traffic exceeds 10%, the excess will be dropped or buffered to match the exact rate.

Option C is incorrect because 100% of the bandwidth is not reserved for a single queue; it is distributed across four queues.

Option D is less accurate than B because it implies the drop behavior only occurs during congestion. The exact parameter enforces the limit even when the rest of the interface is completely idle.

The exhibit shows an OSPF network where Area 1 is configured as a Not-So-Stubby Area (NSSA). R5 is an Autonomous System Boundary Router (ASBR) injecting an External Route (203.0.113.0/24) into this area.

NSSA ASBR Behavior (Option D): Within an OSPF NSSA, external routes cannot be advertised as standard Type 5 LSAs because stubby areas do not support them. Instead, the ASBR (R5) advertises the external prefix using a Type 7 LSA (NSSA External LSA). This LSA is flooded throughout Area 1.

ABR Translation Behavior (Option C): When the Type 7 LSA reaches the Area Border Router (R1), the ABR is responsible for translating it into a Type 5 LSA (AS External LSA). This allows the external route to be propagated into the backbone (Area 0) and subsequently to the rest of the OSPF domain.

Incorrect Statements (A & B): Option A is incorrect because Type 7 LSAs are local to the NSSA and are never advertised into Area 0. Option B is incorrect because Type 5 LSAs are strictly prohibited within an NSSA.

In Junos OS, the supplicant-mode configuration under protocols dot1x determines how the switch handles multiple MAC addresses on a single physical port. According to the exhibit, the current mode is set to Single, and the Number of connected supplicants is 2. This indicates that the port is currently allowing multiple devices, which contradicts the goal of limiting access to only one device at a time.

Here is the breakdown of why Option C is the correct solution based on Juniper’s standard behavior:

Supplicant Mode: Single (Current State): In this mode, the first device to authenticate opens the port for all subsequent devices. As long as the first device remains authenticated, other devices can send traffic through the port without individual authentication. This is why the exhibit shows 2 connected supplicants despite the mode being " Single. "

Supplicant Mode: Single-Secure (The Solution): This mode strictly limits the port to only one MAC address. Once a device successfully authenticates via 802.1X, the switch drops any traffic coming from any other MAC address on that port. If the authenticated device logs off or the session times out, the port becomes available for a new device, but never more than one simultaneously. * Supplicant Mode: Multiple (Option B): This mode allows multiple supplicants to authenticate individually. Each MAC address must go through its own authentication process. This would allow more than one device, which is the opposite of the user ' s requirement.

MAC RADIUS Restrict (Option A): This feature is used to force MAC-based authentication and does not inherently limit the number of devices to one in the same way that changing the supplicant mode does.

Maximum EAPOL requests (Option D): This parameter defines how many times the switch will send an EAP-Request/Identity frame to a supplicant before giving up. Changing this to 1 does not restrict the number of devices allowed on the port; it only changes the retry logic for a single authentication attempt.

Configuration Example for Junos OS 24.4: To implement this change, you would use the following command: set protocols dot1x edit interface ge-0/0/10.0 supplicant-mode single-secure

In a three-stage EVPN-VXLAN fabric (Spine-Leaf architecture) where leaf devices perform the gateway services (Edge-Routed Bridging or ERB):

VTEP Functionality (Option B): Leaf devices act as VXLAN Tunnel End Points (VTEPs). They are responsible for encapsulating Ethernet frames from locally connected hosts into VXLAN packets for transport across the IP fabric and de-encapsulating incoming VXLAN packets.

Fabric Support (Option C): In a standard Juniper IP fabric design, both the leaf and spine devices are typically expected to support VXLAN and EVPN capabilities. While spines in an ERB design might only perform IP forwarding in the underlay, they often participate in the BGP control plane (as Route Reflectors) or provide the ability to transition to Centrally-Routed Bridging (CRB) where spines would act as gateways.

Incorrect Options: Option A is incorrect because the entire fabric infrastructure must be " VXLAN aware " in terms of MTU settings and routing capability to support the overlay. Option D is incorrect because in an ERB design, the spine devices are high-speed transit nodes and do not terminate VXLAN tunnels; only the edge (leaf) devices act as VTEPs.

This question focuses on port security and preventing " rogue switches " or multiple devices from accessing a single physical port simultaneously.

Single-Secure Supplicant Mode (Option A): This is the most restrictive 802.1X mode in Junos OS. It allows exactly one MAC address to be authenticated on the port at a time. If a device successfully authenticates, the switch will drop any traffic coming from any other MAC address on that same physical interface. If a user tries to plug in a switch, only the first device that authenticates will have access; all other devices behind that switch will be blocked.

Single Supplicant Mode (Option C): This mode allows the first authenticated user to " open " the port for all other users. This would actually allow a rogue switch to function once the first device is authorized.

Multiple Supplicant Mode (Option B): This allows multiple devices to connect, provided each one authenticates individually. While secure, it does not prevent a user from connecting multiple devices to the port, which violates the requirement to allow only one.

MAC-RADIUS (Option D): This is an authentication method, not a port-access mode that limits the number of supplicants.

For maintenance scenarios where a router must remain operational but should not be used as a transit path for OSPF traffic, Junos OS uses the overload functionality.

OSPF Overload (Option B): When you enable overload under protocols ospf, the router advertises its own Link-State Advertisements (LSAs) with a maximum metric (65535) for all of its transit links.

Traffic Diversion: Because OSPF uses the Shortest Path First (SPF) algorithm to find the lowest-cost path, other routers in the network will see the overloaded router as an extremely high-cost path. They will calculate alternate routes, effectively moving transit traffic off the router while still allowing management traffic directed to the router ' s own interfaces.

Timeout Options: You can configure this to be permanent or set a timeout so that the router automatically resumes normal metric advertisements after a set period.

Junos OS 24.4 provides several server-failover options for 802.1X authentication to maintain network availability when the RADIUS server is unreachable.

Fallback Behavior (Option D): The use-cache fallback action allows the switch to consult its local cache of previously authenticated MAC addresses.

If a device was already authorized and its information is in the cache, the switch will continue to permit access based on those cached credentials.

However, if a new device (not in the cache) attempts to connect while the server is down, the switch cannot verify its credentials and will deny the access attempt. This matches the specific requirement to permit authorized devices while denying new ones.

Other Fallback Options:

permit (Option C): This would allow all devices (even new ones) to access the network, typically in a restricted " guest " or " bypass " VLAN.

deny (Option A): This would drop all traffic from all devices on the port if the server is unreachable.

vlan-name (Option B): This moves authenticated or unauthenticated users into a specific fallback VLAN.