
JN0-649 Juniper Practice Test Questions and Exam Dumps
Question 1
You are troubleshooting a BGP connection. Referring to the exhibit, which two statements are correct? (Choose two.)
A. Packet fragmentation is preventing the session from establishing.
B. The 192.168.1.5 peer has a misconfigured MD5 key.
C. The ge-0/0/1 interface is disabled.
D. The 192.168.1.4 peer has a misconfigured autonomous system number.
Correct answers: B, D
Explanation:
To determine which two statements are correct, we must closely analyze the system log output shown in the exhibit. The goal is to identify clear symptoms from the BGP session establishment logs and match them to the correct issues.
The log entry shows:
NOTIFICATION sent to 192.168.1.4 ... subcode 2 (bad peer AS number), Reason: peer 192.168.1.4 (Internal AS 65000) claims 65100, 65000 configured
This clearly indicates that a BGP session attempt with peer 192.168.1.4 failed due to a mismatch in AS numbers. The local router expected the peer to use AS 65000, but the peer claimed to be using 65100. This is a textbook example of an autonomous system number misconfiguration, confirming D as a correct answer.
Next, consider the log message:
router kernel: tcp_auth_ok: Packet from 192.168.1.5:64047 missing MD5 digest
This message indicates that a packet from peer 192.168.1.5 attempted to connect, but it did not include the required MD5 digest. In BGP, if MD5 authentication is configured but the peer does not include the correct key (or omits it entirely), the session will not be established. This is a strong indication of an MD5 key misconfiguration, making B the second correct answer.
A. Packet fragmentation is preventing the session from establishing:
There is no evidence of packet fragmentation issues in the logs. The logs only mention AS number mismatches and MD5 authentication issues. Fragmentation issues would typically present different error messages related to MTU or IP fragmentation problems.
C. The ge-0/0/1 interface is disabled:
There is a mention of interface ge-0/0/1.0 in the context of not matching a group, but no logs show the interface being disabled. A disabled interface would typically be indicated by link state changes or specific interface-down messages, which are absent here.
By evaluating the specific error messages:
The peer at 192.168.1.4 had a misconfigured autonomous system number, clearly validating D.
The peer at 192.168.1.5 attempted to connect without a valid MD5 digest, confirming a misconfigured MD5 key, which is B.
Thus, the correct answers, strictly based on the exhibit, are B and D.
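The same reading of the exhibit can be automated. The following is an added example, not part of the original exhibit or of any Juniper tool: it groups the two message types quoted above by peer and reports a probable cause for each. The timestamps, process tags, the unrelated line, and the names `triage` and `advice` are constructed for illustration; the ellipsis in the first message is kept as printed.

```python
import re

# Constructed sample: the two messages quoted above (ellipsis kept as printed)
# with made-up timestamps and process tags, one repeat, and one unrelated line.
SAMPLE_LOG = """\
Jun  1 10:00:01 router rpd[1234]: NOTIFICATION sent to 192.168.1.4 ... subcode 2 (bad peer AS number), Reason: peer 192.168.1.4 (Internal AS 65000) claims 65100, 65000 configured
Jun  1 10:00:03 router kernel: tcp_auth_ok: Packet from 192.168.1.5:64047 missing MD5 digest
Jun  1 10:00:07 router kernel: tcp_auth_ok: Packet from 192.168.1.5:64047 missing MD5 digest
Jun  1 10:00:09 router sshd[999]: Accepted publickey for admin from 192.168.1.10
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One pattern per failure signature seen in the exhibit.
PATTERNS = [
    ("bad-peer-as", re.compile(
        rf"NOTIFICATION sent to (?P<peer>{IPV4}).*\(bad peer AS number\)"
        rf".*claims (?P<claimed>\d+), (?P<configured>\d+) configured")),
    ("md5-digest-missing", re.compile(
        rf"tcp_auth_ok: Packet from (?P<peer>{IPV4}):(?P<port>\d+) missing MD5 digest")),
]


def triage(log_text):
    """Return one finding per (peer, cause), counting repeated messages."""
    findings = {}
    for line in log_text.splitlines():
        for cause, pattern in PATTERNS:
            m = pattern.search(line)
            if m is None:
                continue
            fields = m.groupdict()
            peer = fields.pop("peer")
            entry = findings.setdefault((peer, cause), {
                "peer": peer,
                "cause": cause,
                "count": 0,
                # Numeric details from the first occurrence (AS numbers or port).
                "fields": {k: int(v) for k, v in fields.items()},
            })
            entry["count"] += 1
            break  # a line matches at most one signature
    return list(findings.values())


def advice(finding):
    """Turn a finding into the check an operator would make next."""
    peer, f = finding["peer"], finding["fields"]
    if finding["cause"] == "bad-peer-as":
        return (f"{peer}: OPEN carried AS {f['claimed']}, local config expects "
                f"AS {f['configured']}; correct the peer AS on one side")
    return (f"{peer}: {finding['count']} segment(s) arrived without a TCP MD5 "
            f"digest; compare the BGP authentication key on both ends")


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(advice(finding))
```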
Question 2
Referring to the exhibit, anycast RP is implemented to ensure multicast service availability. The source is currently sending multicast traffic using group 239.1.1.1 and R3 is receiving PIM register messages, but R2 does not have active source information. In this scenario, what are two methods to receive the active source information on R2? (Choose two.)
A. Configure an RP set in PIM on R1, allowing R1 to forward PIM register messages to R2 and R3 in the set.
B. Configure an MSDP protocol between R2 and R3.
C. Configure an RP set in PIM on R2 and R3, allowing the RPs to forward PIM register messages to the other RPs in the set.
D. Configure an MSDP protocol between R1 and R2.
Correct answers: B, D
Explanation:
This scenario involves multicast routing with an anycast RP (Rendezvous Point) deployment. Anycast RP is commonly used to provide fault tolerance and load balancing for multicast routing by configuring the same IP address on multiple routers (RPs). These routers, however, must share source information to properly forward multicast traffic, which is where MSDP (Multicast Source Discovery Protocol) plays a crucial role.
The source is sending multicast traffic to group 239.1.1.1.
R3 is receiving PIM register messages and shows 857 register messages received, indicating it is actively learning about the source.
R2, although part of the anycast RP setup, does not have active source information—meaning it is not aware of the multicast source, and thus cannot forward traffic to its receivers.
This discrepancy arises because in an anycast RP deployment, each RP learns source information only from directly connected sources unless this information is shared between RPs.
MSDP enables the sharing of active source information between multiple RPs. It allows one RP to inform other RPs about sources it has learned through PIM register messages. This means that even if only one RP receives the multicast source traffic, it can advertise it to other RPs using MSDP.
Option B (Configure MSDP between R2 and R3) ensures that the RP that has the source (R3) can inform the RP that lacks it (R2).
Option D (Configure MSDP between R1 and R2) is valid if R1 is also acting as an RP (or is part of the multicast registration path). It allows R2 to learn about sources R1 may register, depending on the topology.
Option A: "Configure an RP set in PIM on R1" is invalid because RP sets are not a PIM feature; they’re a conceptual construct. PIM itself does not support forwarding register messages to multiple RPs. Register messages are unicast to the configured RP and not distributed further.
Option C: "Configure an RP set in PIM on R2 and R3" is similarly flawed. PIM does not have a mechanism to forward register messages to other RPs. Again, PIM register messages are unicast, and sharing of source information across RPs must be handled via MSDP, not PIM.
The only correct way to propagate source information between multiple RPs in an anycast RP deployment is through MSDP. Therefore, the two correct answers are:
B and D.
Question 3
You are asked to establish interface-level authentication for users connecting to your network. You must ensure that only corporate devices, identified by MAC addresses, are allowed to connect and authenticate. Authentication must be handled by a centralized server to increase scalability. Which authentication method would satisfy this requirement?
A. MAC RADIUS
B. captive portal
C. 802.1X with single-secure supplicant mode
D. 802.1X with multiple supplicant mode
Correct answer: A
Explanation:
The question requires an authentication solution that:
Authenticates devices, not users.
Uses MAC addresses to identify allowed endpoints.
Relies on a centralized server for scalability.
Applies at the interface level.
Given these conditions, let’s evaluate each option:
MAC RADIUS (also known as MAC Authentication Bypass – MAB) is specifically designed for scenarios where endpoints may not support traditional 802.1X authentication (e.g., printers, phones, or headless devices). It works by using the device’s MAC address as the username and password. The switch or access point forwards the MAC address to a centralized RADIUS server (typically part of a NAC solution like Cisco ISE or Juniper UAC), which checks the MAC address against a database of authorized devices.
Key advantages:
No user interaction is needed.
Suitable for corporate-owned devices with known MAC addresses.
Centralized authentication via RADIUS supports scalability.
Works at interface level, often combined with 802.1X in fallback scenarios.
A captive portal is a browser-based authentication method. It redirects users to a login page after establishing a network connection. While useful in guest access or wireless networks, it:
Requires user interaction through a web browser.
Does not authenticate based on MAC address.
Is not suitable for device-level interface authentication.
Doesn’t scale well in environments focused solely on known corporate endpoints.
802.1X is a port-based authentication protocol that uses EAP (Extensible Authentication Protocol) to allow or deny access. Single-secure supplicant mode allows only one device per port and is tied to user-level authentication.
Limitations:
Requires a supplicant (software client) on the endpoint.
Uses credentials or certificates, not MAC addresses.
Devices without 802.1X support (e.g., legacy IoT) will fail to authenticate.
Not ideal for MAC-based authentication of headless devices.
802.1X with multiple supplicant mode allows multiple clients to authenticate independently on a single port. However:
Still requires each device to support 802.1X.
Does not use MAC addresses for authentication.
Primarily used in environments like shared desks or VoIP phones + PCs on one port.
Again, not suitable when the authentication must be based purely on MAC address.
MAC RADIUS is the only method that satisfies all the requirements: MAC-based device identification, centralized RADIUS authentication, scalability, and applicability at the interface level without user intervention.
Correct answer: A.
Question 4
Click the Exhibit button. Referring to the exhibit, which LSA type is used to advertise 192.168.1.0/24 to R5?
A. Type 5
B. Type 4
C. Type 3
D. Type 7
Correct answer: D
Explanation:
This question revolves around how OSPF (Open Shortest Path First) advertises redistributed external routes across different area types. The focus is on how a RIP-learned route (192.168.1.0/24) gets advertised from a Not-So-Stubby Area (NSSA) into the OSPF domain and then reaches router R5 in a non-backbone area.
Redistribution at R1:
According to the exhibit, R1 is redistributing the 192.168.1.0/24 RIP route into OSPF.
R1 belongs to an NSSA (Not-So-Stubby Area).
OSPF LSA Behavior in NSSA:
NSSA areas do not allow Type 5 LSAs (used for external routes).
Instead, they use Type 7 LSAs to describe redistributed routes.
Role of Type 7 LSAs:
Type 7 LSAs are generated within an NSSA to carry external routing information (e.g., from RIP or BGP).
These Type 7 LSAs are then translated to Type 5 LSAs by an ABR (Area Border Router) connecting the NSSA to the backbone (in this case, R2).
Flow of Route Advertisement:
R1 redistributes the 192.168.1.0/24 route into OSPF as a Type 7 LSA.
R2 (the ABR) then translates the Type 7 into a Type 5 LSA and injects it into Area 0.
From there, the route is propagated throughout the OSPF domain to other routers, including R3 and finally R5 in the non-backbone area.
What the Question Asks:
The question explicitly asks which LSA type is used to advertise the route to R5, not what gets injected into the backbone.
Since the initial advertisement of the RIP-learned 192.168.1.0/24 into OSPF (in NSSA) is via a Type 7 LSA, that is the correct answer.
A. Type 5:
Type 5 LSAs are used for external routes in standard OSPF areas, not NSSAs. In this case, the route is injected into an NSSA, so it starts as a Type 7.
B. Type 4:
Type 4 LSAs describe ASBRs (Autonomous System Boundary Routers), not the actual external routes themselves. They help routers find the ASBR, but do not carry the route.
C. Type 3:
Type 3 LSAs are summary LSAs, used to advertise inter-area routes, not external routes.
Because the RIP route 192.168.1.0/24 is being redistributed into OSPF from within an NSSA (R1's area), it is initially advertised using a Type 7 LSA. Even though it eventually becomes a Type 5 LSA when propagated beyond the NSSA, the question focuses on the initial advertisement of the route.
Correct answer: D.
Question 5
You enable the Multiple VLAN Registration Protocol (MVRP) to automate the creation and management of virtual LANs. Which statement is correct in this scenario?
A. The forbidden mode does not register or declare VLANs.
B. When enabled, MVRP affects all interfaces.
C. Timers dictate when link state changes are propagated.
D. MVRP works with RSTP and VSTP.
Correct answer: A
Explanation:
This question focuses on understanding how MVRP (Multiple VLAN Registration Protocol) operates and what its various operational modes do. MVRP is a standards-based Layer 2 protocol used for automatic VLAN registration and pruning across trunks, eliminating the need for manual VLAN configuration on every switch port.
MVRP uses several operational modes on interfaces, including:
Normal: Interfaces can both declare and register VLANs. This is the standard mode of operation.
Forbidden: In this mode, the interface will not participate in MVRP; it will neither declare nor register VLANs.
Fixed: VLANs are statically assigned and MVRP will not change the VLAN membership.
Dynamic: VLANs are created or removed based on MVRP advertisements.
So, when "forbidden" mode is enabled on a port, that port will not declare (advertise) or register (learn) any VLANs dynamically. This ensures strict control over VLAN propagation.
B. When enabled, MVRP affects all interfaces:
This is false. MVRP operates on a per-interface basis. You can enable or disable it on specific interfaces depending on your VLAN propagation policy. It does not universally affect all interfaces unless explicitly configured that way.
C. Timers dictate when link state changes are propagated:
This statement is misleading and not directly accurate. MVRP uses timers (like join timers, leave timers, and leave-all timers) to manage VLAN registration advertisements, but not link state propagation, which is the role of STP (Spanning Tree Protocol). Therefore, this option is confusing VLAN registration timing with link state handling.
D. MVRP works with RSTP and VSTP:
MVRP can coexist with various spanning tree protocols, but this statement is overly broad and vague. MVRP’s operation is independent of the spanning tree variant in use. The correctness of this statement would require specific implementation contexts, making it a poor general answer.
The most accurate and technically correct statement in the context of MVRP behavior is that "the forbidden mode does not register or declare VLANs." This aligns with standard protocol definitions and operational characteristics of MVRP.
Correct answer: A.
Question 6
Which address range is used for source-specific multicast?
A. 239.0.0.0/8
B. 233.0.0.0/8
C. 232.0.0.0/8
D. 224.2.0.0/16
Correct answer: C
Explanation:
This question focuses on identifying the correct IP multicast address range that is reserved for source-specific multicast (SSM), a method of delivering multicast data only from a specific source to receivers who explicitly request it.
IP multicast uses the Class D address range: 224.0.0.0 to 239.255.255.255. Within this range, different blocks are reserved for specific purposes:
224.0.0.0/24 — Reserved for local network control (e.g., routing protocols like OSPF).
224.2.0.0/16 — Reserved for SAP and global announcements (like the MBone).
232.0.0.0/8 — Reserved for Source-Specific Multicast (SSM).
233.0.0.0/8 — Assigned for GLOP addressing, a legacy scheme for mapping multicast groups to AS numbers.
239.0.0.0/8 — Administratively scoped multicast, similar to private IP ranges, for local domains.
SSM (Source-Specific Multicast), defined by RFC 4607, is designed to improve multicast security and efficiency by enabling receivers to request data only from a specific source and multicast group. This model is commonly represented as:
(source, group)
Unlike Any-Source Multicast (ASM), which receives traffic from any source, SSM traffic is filtered based on the exact source IP and group IP, making it more secure and predictable.
The SSM address range is explicitly defined as 232.0.0.0/8, and protocols like IGMPv3 and PIM-SSM are used to manage it.
A. 239.0.0.0/8
This is administratively scoped multicast, used for private multicast domains (like 10.0.0.0/8 for unicast). It is not used for SSM.
B. 233.0.0.0/8
This range is reserved for GLOP addressing, a historical method of assigning multicast addresses based on Autonomous System (AS) numbers.
D. 224.2.0.0/16
This is used for global-scope applications such as SAP and other multicast service announcements—not for SSM.
SSM is specifically implemented using the 232.0.0.0/8 multicast address range. This range is optimized for filtering multicast traffic by both source and group and is widely used in modern multicast deployments for better control and efficiency.
Question 7
Which three configuration parameters must match on all switches within the same MSTP region? (Choose three.)
A. VLAN to instance mapping
B. revision level
C. configuration name
D. bridge priority
E. region name
Correct answers: A, B, C
Explanation:
This question tests your understanding of Multiple Spanning Tree Protocol (MSTP) and how regions are formed within it. MSTP is an enhancement of the Spanning Tree Protocol that allows multiple VLANs to be mapped to a smaller number of spanning tree instances, improving scalability and efficiency in large Layer 2 networks.
For MSTP to function correctly across multiple switches, they must be grouped into the same MST region. This is only possible if certain configuration parameters match across all participating switches.
To be part of the same MSTP region, switches must have identical values for the following three parameters:
Configuration Name (C)
This is a case-sensitive identifier that helps differentiate one MST region from another.
All switches must have the same name to be considered part of the same region.
Revision Level (B)
This is a manually configured number that helps in identifying changes to the MST configuration.
All switches in a region must use the same revision number.
VLAN to Instance Mapping (A)
MSTP allows you to map multiple VLANs to different spanning tree instances.
This mapping must be identical across all switches within the region to ensure consistent path calculation.
If any of these three parameters differ, the switches will consider themselves as belonging to different MST regions, which can result in suboptimal spanning trees or even broadcast storms.
D. Bridge Priority
This value affects which switch becomes the root bridge within the region, but it does not affect region membership. It can vary between switches.
E. Region Name
While this might seem like a valid choice, MSTP only uses the configuration name, not a separate "region name." Often, "region name" is informally used to describe the configuration name, but technically only the configuration name (option C) is relevant and must match.
To ensure that all switches are in the same MSTP region, the Configuration Name, Revision Level, and VLAN to Instance Mapping must match. These parameters ensure consistency and synchronization of the spanning tree structure across the switches in the region.
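A worked check of the three parameters, as an added example that is not from the original page or from Junos. It goes one step beyond the text: switches do not exchange the whole VLAN table but an HMAC-MD5 digest of it inside the MST Configuration Identifier defined by IEEE 802.1Q, so the sketch builds that identifier and compares it. The class and function names and the sample switch values are hypothetical.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Fixed signature key that IEEE 802.1Q specifies for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


@dataclass
class MstConfig:
    name: str                       # configuration name (case-sensitive)
    revision: int                   # revision level
    vlan_to_instance: dict = field(default_factory=dict)  # VLAN ID -> MSTI; unmapped VLANs stay in instance 0
    bridge_priority: int = 32768    # NOT part of the region identity

    def digest(self):
        """HMAC-MD5 over 4096 two-octet entries indexed by VLAN ID."""
        table = bytearray(4096 * 2)  # entries 0 and 4095 stay zero
        for vid, msti in self.vlan_to_instance.items():
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID out of range: {vid}")
            struct.pack_into(">H", table, vid * 2, msti)
        return hmac.new(DIGEST_KEY, bytes(table), hashlib.md5).digest()

    def identifier(self):
        """Format selector 0, 32-octet name, 2-octet revision, 16-octet digest."""
        name = self.name.encode("ascii")
        if len(name) > 32:
            raise ValueError("configuration name is limited to 32 octets")
        return (b"\x00" + name.ljust(32, b"\x00")
                + struct.pack(">H", self.revision) + self.digest())


def same_region(a, b):
    """Two switches share a region only if their identifiers are identical."""
    return a.identifier() == b.identifier()


def region_mismatches(a, b):
    """Name the parameters that keep two switches in different regions."""
    diffs = []
    if a.name != b.name:
        diffs.append("configuration name")
    if a.revision != b.revision:
        diffs.append("revision level")
    if a.digest() != b.digest():
        diffs.append("VLAN to instance mapping")
    return diffs


# Constructed sample switches.
sw1 = MstConfig("CAMPUS", 1, {10: 1, 20: 1, 30: 2}, bridge_priority=4096)
sw2 = MstConfig("CAMPUS", 1, {10: 1, 20: 1, 30: 2})            # differs only in priority
sw3 = MstConfig("campus", 1, {10: 1, 20: 1, 30: 2})            # name differs in case
sw4 = MstConfig("CAMPUS", 1, {10: 1, 20: 2, 30: 2})            # VLAN 20 mapped differently
sw5 = MstConfig("CAMPUS", 2, {10: 1, 20: 1, 30: 2})            # revision bumped

if __name__ == "__main__":
    for other in (sw2, sw3, sw4, sw5):
        print(same_region(sw1, other), region_mismatches(sw1, other))
```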
Question 8
Which two statements are correct about the deployment of EVPN-VXLAN on QFX Series devices? (Choose two.)
A. Type 1 route advertisements always have the single-active flag set to 1.
B. Junos OS supports underlay replication for BUM traffic forwarding.
C. Junos OS supports ingress replication for BUM traffic forwarding.
D. Type 1 route advertisements always have the single-active flag set to 0.
Correct answers: B, C
Explanation:
This question focuses on how EVPN-VXLAN is deployed on Juniper QFX Series switches, particularly with respect to Type 1 routes and BUM (Broadcast, Unknown Unicast, and Multicast) traffic replication methods.
BUM traffic is a category of Layer 2 traffic that must be flooded within a VXLAN segment because its destination is unknown or multicast/broadcast in nature.
In Junos OS, two main methods are used to replicate this traffic:
Ingress Replication (IR):
This method has the originating VTEP replicate BUM traffic to all remote VTEPs in the VXLAN.
Supported in Junos OS.
Scales reasonably well in smaller environments and avoids multicast dependencies.
Underlay Replication (Multicast-based replication):
Uses multicast groups in the underlay network to distribute BUM traffic.
Also supported in Junos OS, particularly in environments where multicast is enabled and properly configured.
So both options B and C are correct.
In EVPN, Type 1 routes (also known as Ethernet Auto-Discovery or EAD routes) are used to signal the presence of a device and its redundancy mode.
The single-active flag in Type 1 routes indicates whether only one Ethernet Segment Identifier (ESI) is active at a time.
The flag can be either 0 or 1, depending on the redundancy mode:
0: Active-active mode (both links are usable).
1: Single-active mode (only one link is used, typically with LACP fallback).
Thus, neither A nor D is always correct because the value of the single-active flag is not static—it depends on the deployment scenario.
On Juniper QFX Series switches running Junos OS:
Ingress replication is supported.
Underlay (multicast-based) replication is also supported.
Type 1 route flags vary depending on redundancy mode.
Question 9
Your enterprise network is running BGP VPNs to support multitenancy. Some of the devices with which you peer BGP do not support the VPN NLRI. You must ensure that you do not send BGP VPN routes to the remote peer. Which two configuration steps will satisfy this requirement? (Choose two.)
A. Configure an import policy on the remote peer to reject the routes when they are received.
B. Configure an export policy on the local BGP peer to reject the VPN routes being sent to the remote peer.
C. Configure a route reflector for the VPN NLRI.
D. Configure the apply-vpn-export feature on the local BGP peer.
Correct answers: B, D
Explanation:
In a BGP/MPLS VPN environment (often used for multitenancy), BGP routes related to VPNs use VPN NLRI (Network Layer Reachability Information). When you peer with devices that do not support VPN NLRIs, you must prevent sending them routes they can't process, or else the session could be disrupted or degraded.
Let's break down the correct and incorrect options:
An export policy applied to the local BGP peer controls what routes are sent outbound to a remote peer.
To prevent VPN routes from being advertised to peers that don't support VPN NLRIs, an export policy is the correct tool.
This is preferred over import policies (which filter incoming routes) because:
The goal is to prevent the sending of VPN NLRIs in the first place.
Applying the filter at the source (local peer) avoids consuming remote peer resources or violating compatibility.
The apply-vpn-export option in Junos OS ensures that VPN routes (which exist in a VRF routing instance) are subject to the same export policy rules when leaking into BGP.
When used properly:
You can write an export policy for your BGP group/neighbor.
That policy will be applied to VPN routes via the apply-vpn-export setting.
This enables precise control over which VPN routes are sent over the session.
This is essential when peers don't support VPN NLRIs, as it allows you to prevent advertisement of those routes.
While import policies can reject unwanted routes, this method is not sufficient or ideal for preventing VPN NLRI issues:
Some peers might drop the session entirely if they receive unknown or unsupported NLRI types.
It's always safer and more controlled to prevent the sending of incompatible routes, rather than relying on the remote peer to reject them.
A route reflector is used to redistribute routes among internal BGP peers in larger networks.
It is not related to the problem of filtering or suppressing VPN NLRIs to specific peers.
Using a route reflector does not control route advertisement unless additional policies are configured.
To ensure that BGP VPN routes are not sent to devices that don’t support VPN NLRI, the proper approach is to configure:
An export policy on the local BGP peer (B), and
Use the apply-vpn-export feature (D) to apply that policy to VPN routes.
Question 10
You want to create an OSPF area that only contains intra-area route information in the form of Type 1 and Type 2 LSAs. In this scenario, which area is needed to accomplish this task?
A. totally non-to-stubby area
B. totally stubby area
C. stub area
D. non-to-stubby area
Correct answer: B
Explanation:
This question is about selecting the appropriate OSPF area type to limit the types of LSAs (Link-State Advertisements) within an area. To answer this correctly, it's important to understand what types of LSAs are allowed in each area type.
Type 1 LSAs: Router LSAs; generated by all routers and describe the router’s links.
Type 2 LSAs: Network LSAs; generated by designated routers on broadcast and NBMA networks.
Type 3 LSAs: Summary LSAs; generated by ABRs to summarize inter-area routes.
Type 5 LSAs: External LSAs; used for routes redistributed into OSPF from other protocols.
Type 7 LSAs: NSSA External LSAs; similar to Type 5 but used within NSSAs.
You need an OSPF area that only contains Type 1 and Type 2 LSAs — meaning:
No inter-area (Type 3)
No external (Type 5 or 7)
That immediately suggests a more restrictive stub area type.
A. totally non-to-stubby area:
This is not a valid OSPF term. It’s a misnomer, often confused with NSSA or “not-so-stubby area.”
Eliminate this option.
B. totally stubby area:
This area allows only Type 1 and Type 2 LSAs.
Blocks Type 3 and Type 5 LSAs.
The ABR injects a default route (0.0.0.0) for inter-area and external destinations.
Perfect match for the requirement.
C. stub area:
Allows Type 1, 2, and 3 LSAs.
Blocks Type 5 (external routes), but still includes inter-area routes (Type 3).
Not strict enough for this task.
D. non-to-stubby area:
Allows Type 1, 2, 3, and 7 LSAs.
Allows external routing information via Type 7 LSAs, which can be converted to Type 5 at the ABR.
Does not restrict LSA types to only Type 1 and 2.
To create an area that contains only Type 1 and Type 2 LSAs, the correct choice is a Totally Stubby Area. It blocks both inter-area (Type 3) and external (Type 5) LSAs and uses a default route to direct traffic outside the area.