Juniper Networks Certified Associate Junos JNCIA-Junos (JNCIA-JUNOS) — Questions 301375

514 questions total · 7pages · All types, answers revealed

Page 4

Page 5 of 7

Page 6
301
Multi-Selecteasy

Which TWO statements about configuration archival in Junos are true?

Select 2 answers
A.Archival stores the candidate configuration.
B.The 'system archival' hierarchy enables automatic backup of configurations.
C.Archival only saves the rescue configuration.
D.Archival can use FTP or SCP to transfer files.
E.Archival automatically archives after every commit without any configuration.
AnswersB, D

This configuration block defines archival settings.

Why this answer

Option B is correct because the 'system archival' hierarchy in Junos is specifically designed to enable automatic backup of configuration files. This feature allows administrators to configure periodic transfers of committed configurations to a remote server, ensuring configuration history is preserved without manual intervention.

Exam trap

The trap here is that candidates often confuse the candidate configuration with the committed configuration, assuming archival saves the uncommitted changes, when in fact it only archives the active committed configuration after a successful commit.

302
MCQmedium

A network engineer needs to restore the factory-default configuration on a Junos device. Which command sequence is correct?

A.set system host-name factory-default
B.request system zeroize
C.load factory-default and then commit
D.delete configuration and reboot
AnswerC

'load factory-default' loads the factory configuration into the candidate, then 'commit' activates it.

Why this answer

The correct command sequence to restore factory-default configuration on a Junos device is 'load factory-default' followed by 'commit'. The 'load factory-default' command replaces the current candidate configuration with the factory-default configuration, but it does not take effect until a 'commit' is issued. This ensures the device reverts to its original settings without affecting the currently running configuration until explicitly committed.

Exam trap

The trap here is that candidates confuse 'load factory-default' with 'request system zeroize', thinking both achieve the same result, but 'zeroize' is a security wipe that destroys all data and requires a reboot, while 'load factory-default' is a configuration-only reset that is committed without rebooting.

How to eliminate wrong answers

Option A is wrong because 'set system host-name factory-default' only changes the hostname to 'factory-default', it does not restore the entire configuration to factory defaults. Option B is wrong because 'request system zeroize' is used to erase all data, including configuration files, logs, and user data, for security purposes before decommissioning a device; it does not simply restore factory-default configuration and requires a reboot to complete. Option D is wrong because 'delete configuration and reboot' is not a valid Junos command sequence; deleting the configuration without using 'load factory-default' would leave the device with an empty configuration, potentially causing boot issues or requiring manual recovery.

303
MCQhard

Refer to the exhibit. What is the most likely cause of the BGP session failure?

A.Hold timer expired due to delayed keepalives
B.The peer is unreachable
C.BGP configuration mismatch
D.Route flapping
AnswerA

The log clearly states 'Hold time expired'.

Why this answer

The BGP session failure is most likely due to the hold timer expiring because keepalive messages were not received in time. In JUNOS, the default hold time is 90 seconds, and if a router does not receive a keepalive or update within that interval, it declares the peer dead and resets the session. The exhibit shows the BGP state as 'Idle' or 'Active', which is consistent with a hold timer expiry event.

Exam trap

The trap here is that candidates often assume a BGP session failure is always due to a configuration mismatch or unreachable peer, but the hold timer expiry is a common operational issue caused by delayed keepalives, which is a key concept in BGP session maintenance.

How to eliminate wrong answers

Option B is wrong because if the peer were unreachable, the BGP session would typically show 'Active' state indefinitely, but the hold timer expiry is a more specific cause given the session failure. Option C is wrong because a BGP configuration mismatch (e.g., AS number mismatch) would result in a 'Notification' message or 'Idle' state with a specific error code, not a hold timer expiry. Option D is wrong because route flapping affects the stability of routes but does not directly cause the BGP session itself to fail; it would trigger route withdrawals and updates, not a hold timer expiry.

304
MCQeasy

A network engineer is configuring a new Juniper MX router to replace an existing core router. The engineer has applied several configuration changes and wants to ensure that the new configuration can be tested safely. If the test fails (e.g., loss of management connectivity), the router should automatically revert to the previous configuration after a 5-minute period. The engineer performs a commit confirmed with a timeout of 5 minutes. After 4 minutes, the engineer verifies that the change is successful and wants to make it permanent. Which action should the engineer take to ensure the configuration persists?

A.Issue the 'rollback 0' command, then commit.
B.Issue the 'commit confirmed 5' command again to reset the timer.
C.Issue the 'request system reboot' command to reload the router.
D.Issue a standard 'commit' command to confirm the configuration.
AnswerD

A standard commit makes the candidate configuration permanent and cancels the commit confirmed timer.

Why this answer

Option C is correct because issuing 'commit check' does not make the configuration permanent; it only validates syntax. The engineer must explicitly commit the candidate configuration to confirm it. Option A is wrong because 'rollback 0' reverts to the previous configuration, undoing the change.

Option B is wrong because 'request system reboot' would interrupt operations and is unnecessary. Option D is wrong because 'commit confirmed' with a new timeout would restart the timer but does not finalize; a standard commit is needed.

305
MCQmedium

An engineer wants to view system log messages as they are generated in real-time. Which command should they use?

A.start log messages
B.monitor log messages
C.request system log
D.show log messages
AnswerB

monitor log streams log messages to the terminal.

Why this answer

The 'monitor log messages' command in Junos OS provides a real-time view of system log messages as they are generated, similar to the 'tail -f' command on Unix systems. It streams new log entries to the terminal without requiring manual refresh, making it ideal for live monitoring of events.

Exam trap

The trap here is that candidates familiar with Cisco IOS may confuse 'show log' (which in Cisco shows a static log) with Junos 'show log messages', and incorrectly assume it provides real-time output, while 'monitor log messages' is the correct real-time equivalent.

How to eliminate wrong answers

Option A is wrong because 'start log messages' is not a valid Junos command; the correct command to begin logging is 'set system syslog' or similar configuration, not a real-time view. Option C is wrong because 'request system log' is used for operations like rotating or archiving log files, not for live viewing. Option D is wrong because 'show log messages' displays the contents of the /var/log/messages file at the time of execution, but does not provide real-time updates; it shows a static snapshot.

306
Multi-Selecteasy

Which TWO commands can be used to view the current operational state of an interface? (Choose two.)

Select 2 answers
A.show interfaces extensive
B.show log
C.show configuration interfaces
D.show interfaces terse
E.show route
AnswersA, D

Shows detailed operational state.

Why this answer

The 'show interfaces extensive' command displays detailed operational state information, including current status, errors, and statistics. The 'show interfaces terse' command provides a concise operational view showing interface names, administrative status, link status, and protocol families. Both commands query the current operational state of interfaces from the Junos OS kernel.

Exam trap

The trap here is that candidates confuse 'show configuration interfaces' (which shows the intended configuration) with commands that show the actual operational state, leading them to select option C instead of the correct operational commands.

307
MCQhard

A service provider has two MX routers (R1 and R2) connected via two separate physical links. Both links are in an aggregated Ethernet bundle (ae0). The ae0 interface is configured with LACP active on both sides. Recently, a fiber cut occurred on one of the member links, and the aggregated interface continued working. However, after the fiber was repaired, the network operator noticed that the restored link is not being re-added to the bundle. 'show lacp interfaces' indicates the link is in a 'detached' state. The operator checks 'show interfaces diagnostics optics' and finds that the optical parameters are normal. Which action should the operator take to restore the link to the bundle without affecting traffic?

A.Reboot the router to clear all LACP states
B.Remove and re-add the member link from the ae0 configuration
C.Issue the 'clear lacp statistics' command on the interface to reset LACP negotiation on that link
D.Replace the SFP module on the restored link
AnswerC

Clearing LACP statistics resets the LACP state machine, allowing the link to re-negotiate and join the bundle.

Why this answer

Option C is correct because the 'detached' state in LACP indicates that the link is physically up but LACP negotiation has failed or is stuck. The 'clear lacp statistics' command resets the LACP state machine on the specified interface, forcing it to re-initiate LACP PDUs and renegotiate with the peer. This restores the link to the bundle without disrupting active traffic on other member links.

Exam trap

The trap here is that candidates assume a physical layer issue (like a bad SFP) or a configuration change is needed, when in fact the problem is a stuck LACP state machine that can be resolved with a non-disruptive clear command.

How to eliminate wrong answers

Option A is wrong because rebooting the router is an unnecessarily disruptive action that would affect all traffic, not just the problematic link, and is not required to clear a per-interface LACP state. Option B is wrong because removing and re-adding the member link from the ae0 configuration would cause a brief traffic interruption on that link and is an operational overhead; the issue is a software state problem, not a configuration mismatch. Option D is wrong because the operator has already verified that optical parameters are normal via 'show interfaces diagnostics optics', indicating the SFP module and physical layer are healthy, so replacing the SFP would not resolve the LACP state machine issue.

308
Multi-Selecthard

Which TWO commands can be used to view the current routing table entries for IPv4 unicast routes?

Select 2 answers
A.show route protocol static
B.show route table inet.0
C.show forwarding-table
D.show route
E.show route table inet6.0
AnswersB, D

'show route table inet.0' explicitly displays the IPv4 unicast routing table. This is equivalent to 'show route' but more specific.

Why this answer

Option B is correct because `show route table inet.0` explicitly displays the IPv4 unicast routing table (inet.0) in Junos. Option D is correct because `show route` without any filter defaults to showing all routes in the inet.0 table, which is the primary IPv4 unicast routing table.

Exam trap

The trap here is that candidates confuse the routing table (`show route`) with the forwarding table (`show forwarding-table`), or assume a specific protocol filter like `protocol static` shows all routes, when in fact it only shows routes learned via that protocol.

309
MCQhard

Two routers running IBGP with full mesh have a routing loop for prefix 10.1.1.0/24. Both routers have an IBGP route (preference 170) for the prefix with next-hop 10.2.2.2, and an OSPF route (preference 10) for the same prefix. The OSPF next-hop on each router points to the other router's loopback interface. Which action should be taken to stop the loop while preserving BGP route advertisement?

A.Increase the OSPF preference for 10.1.1.0/24 to 175
B.Add a static route for 10.1.1.0/24 with next-hop 10.2.2.2
C.Configure 'set protocol bgp group internal-mesh local-address 10.2.2.2' to set next-hop to self
D.Use route reflection to break the loop
AnswerA

A higher preference value makes OSPF less preferred than BGP, so the BGP route becomes active and the loop is resolved.

Why this answer

The loop occurs because the OSPF route (preference 10) is active, pointing a BGP next-hop that causes a recursive loop. By increasing the OSPF route's preference to 175 (higher than BGP's 170), the BGP route becomes active, and if the BGP next-hop is reachable via a non-looping path, the loop stops. Option A is correct.

Option B is incorrect because setting next-hop to self does not prevent the OSPF route from being used. Option C is incorrect because a static route would override BGP and would not be received via BGP. Option D is incorrect because route reflection does not address the preference conflict.

310
MCQhard

You are administering a Juniper MX240 router that provides connectivity to multiple customer sites. The router uses BGP to exchange routes with two upstream ISPs. Recently, you applied a new firewall filter to the loopback interface to restrict management access. After committing the configuration, you can no longer establish SSH sessions to the router from the management network. You are currently connected via console. The loopback filter is still applied. You suspect the filter is blocking SSH traffic from the management network. What should you do to restore SSH access without losing the other filter rules?

A.Roll back to the previous configuration using 'rollback 0' and commit.
B.Add a new term at the end of the filter that accepts SSH traffic from any source.
C.Add a new term at the beginning of the filter that accepts SSH traffic from the management network, then reorder the terms so that this term is evaluated first.
D.Delete the firewall filter from the loopback interface and commit.
AnswerC

This ensures SSH from the management network is accepted before any deny rules are evaluated.

Why this answer

Option C is correct because firewall filters in Junos are evaluated in order, and adding a term at the beginning that explicitly accepts SSH traffic from the management network ensures that the SSH packets are permitted before any subsequent deny terms are evaluated. This preserves all existing filter rules while restoring SSH access. The 'insert' command or reordering terms is necessary to place the new term first, as the default behavior appends new terms to the end of the filter.

Exam trap

The trap here is that candidates assume adding a permit rule anywhere in the filter will work, but they forget that Junos filters are order-dependent and that new terms are appended to the end by default, which may be after a deny term that blocks the traffic.

How to eliminate wrong answers

Option A is wrong because 'rollback 0' rolls back to the most recently committed configuration, which would remove the entire firewall filter and any other recent changes, not just the problematic rule. Option B is wrong because adding a term at the end of the filter that accepts SSH from any source would still be evaluated after any existing deny terms that might block SSH traffic, so it would not restore access. Option D is wrong because deleting the entire firewall filter from the loopback interface removes all security restrictions, not just the one blocking SSH, which violates the requirement to keep other filter rules.

311
MCQeasy

Which operational mode command displays the differences between the candidate configuration and the active configuration?

A.show configuration | compare
B.show | display set
C.show system configuration | compare
D.show | compare
AnswerA

Displays differences between candidate and active configurations.

Why this answer

Option A is correct because the 'show configuration | compare' command displays the differences between the candidate configuration and the active (committed) configuration. The pipe to 'compare' is a Junos CLI filter that performs a diff operation, showing lines added, changed, or deleted. This is the standard way to review uncommitted changes before committing them.

Exam trap

The trap here is that candidates confuse 'show | compare' with 'show configuration | compare', forgetting that the pipe must follow a specific operational mode command (like 'show configuration') to produce a meaningful diff, not just any 'show' command.

How to eliminate wrong answers

Option B is wrong because 'show | display set' converts the current output (e.g., show configuration) into set-format commands, but it does not perform a comparison between candidate and active configurations. Option C is wrong because 'show system configuration | compare' is not a valid command; 'system configuration' is not a valid hierarchy for comparing configurations, and the correct hierarchy is 'show configuration | compare'. Option D is wrong because 'show | compare' without specifying 'configuration' will attempt to compare the output of the default 'show' command (which shows system status) against nothing meaningful, resulting in an error or no useful diff; the correct syntax requires 'show configuration | compare'.

312
MCQmedium

Refer to the exhibit. An engineer notices that input drops are increasing. What is the most likely cause?

A.Speed mismatch
B.Buffer overflow
C.Cable fault
D.CRC errors
AnswerB

Input drops indicate buffer overflow or congestion.

Why this answer

Input drops occur when the ingress interface's receive buffer is full and cannot accept more packets, typically due to the ingress rate exceeding the interface's ability to process or forward packets to the internal switch fabric. In Junos, this is often caused by microbursts or sustained oversubscription, not by a speed mismatch (which would show as errors or link flaps) or cable faults (which cause physical-layer errors). Buffer overflow is the correct answer because input drops directly indicate that the packet buffer has been exhausted.

Exam trap

The trap here is that candidates often confuse input drops with CRC errors or assume a speed mismatch is the cause, but Junos explicitly separates input drops (buffer overflow) from physical-layer errors, and the question's exhibit would show no CRC errors or link flaps, isolating the issue to buffer exhaustion.

How to eliminate wrong answers

Option A is wrong because a speed mismatch between two connected interfaces would typically cause the link to not come up or generate extensive CRC/alignment errors, not specifically input drops. Option C is wrong because a cable fault usually manifests as CRC errors, frame errors, or link flaps, not as a steady increase in input drops. Option D is wrong because CRC errors are a separate counter indicating data corruption at the physical layer, often due to signal integrity issues, and are not the direct cause of input drops.

313
Multi-Selectmedium

Which THREE fields are part of an Ethernet frame header? (Select three.)

Select 3 answers
A.Destination MAC address
B.VLAN tag (802.1Q)
C.EtherType field
D.Frame Check Sequence (FCS)
E.Source MAC address
AnswersA, C, E

DA is a mandatory header field.

Why this answer

The Ethernet frame header is defined by the IEEE 802.3 standard and consists of the Destination MAC address (6 bytes), Source MAC address (6 bytes), and the EtherType field (2 bytes) or Length field. The Destination MAC address is the first field in the header and identifies the intended recipient of the frame on the local network segment. Without it, switches and hosts would not know which device should process the frame.

Exam trap

The trap here is that candidates often confuse the optional 802.1Q VLAN tag or the FCS trailer as part of the Ethernet frame header, when in fact the header strictly contains only the Destination MAC, Source MAC, and EtherType/Length fields.

314
Matchingmedium

Match each Junos CLI operational mode command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Displays brief interface status and configuration

Displays the routing table

Displays the current active configuration

Displays system log messages

Captures and displays live traffic on an interface

Why these pairings

These are common operational mode commands used for monitoring and troubleshooting in Junos.

315
MCQeasy

A technician needs to view the last 50 log messages from the system log file. Which command accomplishes this?

A.show system log messages
B.monitor start messages
C.show system syslog
D.show log messages | last 50
AnswerD

The 'show log messages' command displays log entries from the messages file, and piping with '| last 50' shows the last 50 lines. This is the proper way to view recent log messages.

Why this answer

Option D is correct because the 'show log messages | last 50' command displays the last 50 lines from the /var/log/messages file on a Junos device. The pipe to 'last' is a Junos CLI filter that outputs only the final N lines of the command output, which is exactly what is needed to view the most recent log entries.

Exam trap

The trap here is that candidates confuse the 'show log' command with 'show system syslog' or 'show system log messages', misremembering the exact syntax for viewing log file contents versus configuration.

How to eliminate wrong answers

Option A is wrong because 'show system log messages' is not a valid Junos command; the correct command to view the system log file is 'show log messages'. Option B is wrong because 'monitor start messages' is used to tail the log file in real time, not to view a static set of the last 50 messages. Option C is wrong because 'show system syslog' displays the syslog configuration, not the actual log file contents.

316
Multi-Selecthard

Which THREE are valid methods to apply a firewall filter in Junos?

Select 3 answers
A.Apply the filter to an interface under 'family inet filter input'
B.Apply the filter to an interface under 'family inet filter output'
C.Apply the filter globally using 'firewall family inet filter filter-name'
D.Apply the filter under 'routing-options'
E.Apply the filter to the loopback interface under 'family inet filter input'
AnswersA, B, E

Standard way to apply input filter on an interface.

Why this answer

Option A is correct because in Junos, a firewall filter is applied to an interface by configuring it under the 'family inet' hierarchy with the 'filter input' statement. This directs the filter to inspect all inbound IPv4 packets on that interface before they are processed by the routing engine.

Exam trap

The trap here is that candidates may confuse the global firewall filter configuration syntax with the interface-level application, or mistakenly think that 'routing-options' is a valid location for filter application, when in fact Junos strictly separates filter definition and application contexts.

317
MCQeasy

Your company has deployed a Juniper MX router at a branch office. The router has two upstream connections to different ISPs. The configuration currently uses a single static default route to ISP-A. The network team wants to add redundancy so that if ISP-A fails, traffic automatically uses ISP-B. The ISP-B connection is already configured on interface ge-1/0/0 with IP address 203.0.113.2/30. The next-hop IP for ISP-B is 203.0.113.1. The routing table should have a backup default route with a higher metric. Which configuration change meets the requirement?

A.set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1 metric 1
B.set routing-options static route 0.0.0.0/0 discard
C.set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1 metric 2
D.set routing-options static route 0.0.0.0/0 next-table inet.0
AnswerC

This creates a backup static route with a higher metric, ensuring it is used only when the primary route is removed.

Why this answer

Option C is correct because it adds a static default route to ISP-B with a metric of 2, which is higher than the default metric of 0 (or 1 if explicitly set) for the existing route to ISP-A. In Junos, when multiple static routes to the same destination exist, the route with the lower metric (preference) is installed in the routing table. If the primary route fails (e.g., interface down), the route with the higher metric becomes active, providing automatic failover.

Exam trap

The trap here is that candidates often confuse Junos 'metric' with Cisco's 'administrative distance' or 'metric' concept, assuming a lower metric is better for backup, whereas in Junos a higher metric (preference) value makes the route less preferred and suitable for failover.

How to eliminate wrong answers

Option A is wrong because setting metric 1 would make the ISP-B route equal in preference to the existing default route (which has a default metric of 0), causing load-sharing or unpredictable behavior rather than a clear backup. Option B is wrong because the 'discard' next-hop creates a null route that drops traffic, which does not provide a functional backup path to ISP-B. Option D is wrong because 'next-table inet.0' is used for policy-based routing or indirect next-hops, not for defining a backup static route with a higher metric.

318
MCQhard

A technician needs to upgrade the Junos OS on a device that is part of a redundant cluster. Which approach minimizes traffic disruption?

A.Use 'request system software add' on both nodes at the same time.
B.Upgrade both nodes simultaneously to reduce maintenance time.
C.Upgrade one node at a time, ensuring the cluster remains redundant.
D.Use the 'commit synchronize' command to keep configurations in sync after upgrade.
AnswerC

This maintains traffic flow by failing over to the upgraded node.

Why this answer

Option C is correct because upgrading one node at a time in a redundant cluster ensures that at least one node remains active to handle traffic while the other is being upgraded. This approach maintains cluster redundancy and minimizes traffic disruption, as the active node continues forwarding traffic using the gratuitous ARP or VRRP mechanisms, and the upgraded node rejoins the cluster after reboot.

Exam trap

The trap here is that candidates might think simultaneous upgrades are efficient or that 'commit synchronize' is related to software upgrades, but Junos requires sequential node upgrades in a cluster to maintain redundancy and avoid traffic loss.

How to eliminate wrong answers

Option A is wrong because using 'request system software add' on both nodes simultaneously would cause both nodes to reboot at the same time, resulting in a complete traffic outage for the cluster. Option B is wrong because upgrading both nodes simultaneously reduces maintenance time but causes a total loss of redundancy and traffic disruption, which is not acceptable for minimizing disruption. Option D is wrong because 'commit synchronize' is used to synchronize configuration changes between nodes, not to manage software upgrades; it does not address the upgrade process or traffic disruption.

319
MCQhard

During a routing table lookup, a packet matches both a static route and an OSPF route to the same destination. Which route will be installed in the forwarding table?

A.Both routes, if they are equal-cost.
B.The route with the higher preference value.
C.The OSPF route, because OSPF is a dynamic routing protocol.
D.The static route, because it has a lower preference value.
AnswerD

Static route preference 5 is lower than OSPF's 10.

Why this answer

In Junos, the route with the lowest preference value is installed in the forwarding table. Static routes have a default preference of 5, while OSPF internal routes have a default preference of 10. Therefore, the static route is preferred and installed.

Exam trap

The trap here is that candidates often assume dynamic protocols like OSPF are always preferred over static routes, but Junos uses preference (administrative distance) where static routes have a lower default value than OSPF, making them more preferred.

How to eliminate wrong answers

Option A is wrong because Junos installs only the single best route (lowest preference) into the forwarding table; equal-cost multipath only applies when routes have the same preference and metric, which is not the case here. Option B is wrong because a higher preference value indicates a less preferred route; the route with the lower preference value is chosen. Option C is wrong because the decision is based on administrative distance (preference), not on whether the protocol is dynamic or static; OSPF has a higher preference (10) than a static route (5), so the static route wins.

320
Multi-Selectmedium

Which THREE statements about static routes in Junos are correct?

Select 3 answers
A.Static routes have a default preference of 5.
B.You can configure multiple static routes to the same destination for load balancing.
C.The preference of a static route cannot be changed.
D.Static routes automatically update if the next hop becomes unreachable.
E.A static route can use a qualified next hop to specify a fallback.
AnswersA, B, E

Default preference for static routes is 5.

Why this answer

Static routes in Junos have a default preference of 5, which is lower (more preferred) than routes learned from most dynamic routing protocols like OSPF (preference 10) or IS-IS (preference 18). This default value ensures that static routes are preferred over dynamically learned routes unless explicitly overridden.

Exam trap

The trap here is that candidates often assume static route preference is immutable (like in some other vendors' implementations), but Junos allows preference modification, and they may also forget that static routes do not dynamically react to next-hop failures without additional configuration.

321
MCQmedium

Refer to the exhibit. An engineer is trying to commit a configuration but receives a 'no space left on device' error. Which filesystem is most likely full?

A./config
B./tmp
C./dev
D./var
AnswerD

/var is at 100% capacity, causing no space left error.

Why this answer

The /var filesystem on Junos stores log files, core dumps, and other operational data. When the device runs out of disk space, it is most commonly the /var partition that is full, as it accumulates logs and crash files over time. The 'no space left on device' error during a commit indicates that the system cannot write the new configuration to the /var/tmp or /var/db/config directory, which reside under /var.

Exam trap

The trap here is that candidates often assume the /config filesystem is the one that stores configurations and thus must be full, but in Junos, the commit process uses /var/tmp as a staging area, making /var the most likely culprit when a commit fails due to disk space.

How to eliminate wrong answers

Option A is wrong because /config is a separate partition that stores the active and backup configurations, and it is rarely the cause of a 'no space left on device' error during a commit; it is typically small and only fills if configurations are excessively large. Option B is wrong because /tmp is a memory-backed filesystem (tmpfs) used for temporary files and is not persistent; it is not where commit operations write configuration data. Option C is wrong because /dev is a virtual filesystem for device nodes and does not store configuration or log files; it cannot become full in the traditional sense.

322
MCQeasy

Refer to the exhibit. An engineer wants to verify that static routes for 10.0.1.0/24 and 10.0.2.0/24 are present in the routing table. Based on the output, which statement is true?

A.Both routes are active and have the same preference value.
B.Both routes have a preference of 0.
C.Only the 10.0.1.0/24 route is active.
D.Both routes use the same next-hop IP address.
AnswerA

Both are active (marked with '*') and have preference 5.

Why this answer

The output shows both 10.0.1.0/24 and 10.0.2.0/24 as static routes with a preference of 5. Since the preference value is the same and both are listed as active (the 'A' flag is present in the routing table), both routes are installed and active in the forwarding table. In Junos, a static route's default preference is 5, and any route with a lower preference is preferred; here both have equal preference, so they coexist as active routes.

Exam trap

The trap here is that candidates may assume a static route always has a preference of 0 (like a connected route) or that only one static route can be active per destination, but Junos allows multiple static routes with equal preference to be active simultaneously if they have different prefixes.

How to eliminate wrong answers

Option B is wrong because the preference shown in the output is 5, not 0; a preference of 0 is reserved for directly connected routes in Junos. Option C is wrong because the output clearly shows both 10.0.1.0/24 and 10.0.2.0/24 with the 'A' (active) flag, indicating both are active. Option D is wrong because the next-hop IP addresses differ: 10.0.1.0/24 uses 192.168.1.1 and 10.0.2.0/24 uses 192.168.2.1, as seen in the exhibit.

323
MCQmedium

Refer to the exhibit. What is the most likely cause of the commit check failure?

A.The routing instance has not been created.
B.The interface xe-0/0/0 has been disabled using the 'disable' statement.
C.The IP address is a duplicate on the subnet.
D.The 'family inet' statement is missing under unit 0.
AnswerB

Disabling the interface prevents configuration of addresses on its units.

Why this answer

The commit check failure occurs because the interface xe-0/0/0 is configured with the 'disable' statement, which prevents the interface from being enabled. When a routing instance references a disabled interface, the commit check fails because the interface cannot be used for forwarding or routing operations. Junos requires that interfaces referenced in routing instances be operationally capable of being enabled.

Exam trap

The trap here is that candidates often overlook the 'disable' statement as a valid administrative state and instead assume the failure is due to missing protocol family configuration or duplicate IP addressing, which are common but incorrect assumptions in this context.

How to eliminate wrong answers

Option A is wrong because if the routing instance had not been created, the commit check would fail with a different error about a missing routing instance, not an interface-level issue. Option C is wrong because a duplicate IP address on the subnet would cause a commit warning or operational issue, not a commit check failure, as Junos does not validate IP uniqueness during commit. Option D is wrong because the 'family inet' statement is not required under unit 0 for a routing instance to reference the interface; the interface can be used with other protocol families or as a pure layer-3 interface without explicit 'family inet'.

324
MCQmedium

Your company recently acquired a small office that uses a Juniper MX router to connect to two ISPs for redundancy. The router has two uplinks: xe-0/0/0 to ISP-A (next-hop 10.0.0.1) and xe-0/0/1 to ISP-B (next-hop 10.0.1.1). The router receives a full BGP table from both ISPs. You want to prefer ISP-A for most traffic, but use ISP-B as a backup. You have configured BGP with local-preference 200 on routes from ISP-A and local-preference 100 on routes from ISP-B. After committing, you check the routing table and see that for some destinations, the route from ISP-B is active despite having lower local-preference. What is the most likely reason?

A.The local-preference is not applied to routes that are learned via eBGP; it only works for iBGP.
B.The router is not receiving the ISP-A routes for those specific prefixes; perhaps ISP-A's BGP session is missing or the prefix is not advertised.
C.The IGP metric to the next-hop from ISP-B is lower, causing the route to be preferred.
D.The MED value from ISP-A is higher than from ISP-B, overriding the local-preference.
AnswerB

If only ISP-B has the route, it will be active regardless of local-preference.

Why this answer

Option A is correct because BGP best path selection considers local-preference first, but if multiple routes have the same local-preference, other attributes like AS-path length are considered. Since both routes have different local-preference (200 vs 100), the one with 200 should be preferred. If the ISP-B route is active for some destinations, it indicates that the ISP-A route might not be received for those prefixes (e.g., partial BGP table).

Option B is incorrect; MED is compared only if the routes are from the same AS. Option C is incorrect; IGP metric is not compared in BGP best path selection until later steps, and local-preference is first. Option D is incorrect; the router does not ignore local-preference.

325
Multi-Selecteasy

Which TWO statements are true about the Junos OS boot process?

Select 2 answers
A.The routing engine initializes after the kernel loads.
B.The forwarding engine is initialized before the kernel.
C.The configuration is loaded from /config before the kernel starts.
D.The boot loader loads the kernel from the boot device.
E.The kernel mounts the root file system.
AnswersD, E

This is the first step in the boot process.

Why this answer

Option D is correct because the boot loader (such as U-Boot or GRUB) is responsible for loading the Junos OS kernel from the boot device (e.g., compact flash or hard disk) into memory. This is the first step in the boot sequence after the hardware POST completes. Option E is correct because after the kernel is loaded, it mounts the root file system from the boot device to access essential system files and directories before initializing processes.

Exam trap

The trap here is that candidates often confuse the order of initialization, mistakenly thinking the forwarding engine or configuration loading occurs earlier in the boot process than it actually does, due to a misunderstanding of the separation between control and forwarding planes in Junos.

326
Matchingmedium

Match each Junos interface type to its typical use.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Out-of-band management interface

Gigabit Ethernet data interface

Loopback interface for router ID and management

Embedded management interface on some platforms

Generic routing encapsulation (GRE) tunnel

Why these pairings

These are common interface types in Junos.

327
MCQmedium

A network engineer notices that a Junos device is not forwarding traffic for a specific subnet. The routing table shows the route for that subnet, but traffic is still not being forwarded. Which command should the engineer use to verify whether the firewall filter is dropping the traffic?

A.show interfaces terse
B.show firewall filter counter
C.show firewall filter
D.show firewall filter log
AnswerD

This command displays logs of packets that match filter terms with log/syslog actions, helping identify drops.

Why this answer

Option D is correct because the 'show firewall filter log' command displays the log entries generated by firewall filter terms that have a 'log' action configured. When traffic is not being forwarded despite a valid route, a firewall filter may be silently dropping packets; this command reveals which packets matched the filter and whether they were logged, helping to identify drops.

Exam trap

The trap here is that candidates often confuse 'show firewall filter' (which shows configuration) with 'show firewall filter log' (which shows actual packet logs), or they assume counters alone can identify drops without realizing counters only show matches, not the specific action taken.

How to eliminate wrong answers

Option A is wrong because 'show interfaces terse' displays interface status and configuration, not firewall filter counters or logs, so it cannot show whether a filter is dropping traffic. Option B is wrong because 'show firewall filter counter' shows packet and byte counts for filter terms with a 'counter' action, but it does not show log entries or detailed packet information; it only indicates that packets matched, not whether they were dropped or logged. Option C is wrong because 'show firewall filter' displays the filter configuration (terms, actions, match conditions), not real-time packet matching or drop statistics, so it cannot verify if traffic is being dropped.

328
MCQeasy

A junior engineer is asked to change the hostname of a Juniper device from 'Router-1' to 'Core-Router'. Which command sequence correctly commits the change?

A.set system host-name Core-Router; commit
B.edit system; set host-name Core-Router; commit
C.set system hostname Core-Router; commit
D.set system host-name Core-Router; commit
AnswerA

Correct syntax.

Why this answer

Option A is correct because the Junos CLI uses the 'set system host-name' command (with a hyphen in 'host-name') to change the device hostname, and 'commit' applies the change to the active configuration. The command sequence is syntactically valid and follows Junos configuration hierarchy.

Exam trap

The trap here is that Juniper uses 'host-name' with a hyphen, not 'hostname' as in Cisco IOS, and candidates often forget the hyphen or use the wrong hierarchy, leading them to select option B or C.

How to eliminate wrong answers

Option B is wrong because 'edit system' enters the [edit system] hierarchy, but the correct command at that level is 'set host-name Core-Router' (not 'set host-name'), and the sequence lacks a semicolon after 'commit' to separate commands properly in a single line. Option C is wrong because 'hostname' (no hyphen) is not a valid Junos configuration statement; the correct parameter is 'host-name' with a hyphen. Option D is wrong because it is identical to option A and is also correct; however, the question asks for the correct sequence, and both A and D are technically correct, but the answer key lists A as correct, likely due to formatting or a typo in the question.

In practice, both A and D would work, but the intended correct answer is A.

329
Multi-Selecteasy

Which TWO statements are true about static routes in Junos?

Select 2 answers
A.Static routes have a default preference value of 10.
B.Static routes remain in the routing table even if the next hop is unreachable.
C.Static routes have a default preference value of 5.
D.Static routes require a routing protocol to be activated.
E.Static routes are automatically updated if the network topology changes.
AnswersB, C

Junos keeps static routes in the table; they are not removed automatically.

Why this answer

Static routes in Junos have a default preference of 5, not 10 (which is the default for OSPF internal routes). They remain in the routing table even if the next hop becomes unreachable because Junos uses a 'passive' route model; the route is only removed if explicitly deleted or if a better route is learned via a routing protocol. This behavior is controlled by the 'no-readvertise' and 'passive' attributes of static routes.

Exam trap

The trap here is that Cisco candidates often assume static routes have a default preference of 1 (Cisco's administrative distance for static routes) or 10 (OSPF), but Junos uses 5, and they also mistakenly think static routes are removed when the next hop is unreachable, which is true in Cisco IOS but not in Junos without explicit configuration.

330
MCQeasy

What is the purpose of the 'commit confirmed' command in Junos OS?

A.It compares the candidate configuration with the active configuration
B.It allows the administrator to test a configuration change with automatic rollback if confirmation is not received
C.It permanently saves the candidate configuration to the startup configuration
D.It confirms that a previous commit was successful
AnswerB

This is the primary use: to safely apply changes and revert if connectivity is lost.

Why this answer

The 'commit confirmed' command in Junos OS applies a candidate configuration change and starts a confirmation timer (default 10 minutes). If the administrator does not issue a 'commit' command before the timer expires, the system automatically rolls back to the previous active configuration. This allows safe testing of changes, especially over remote connections, preventing lockout if the change breaks connectivity.

Exam trap

The trap here is that candidates confuse 'commit confirmed' with a simple confirmation prompt or a verification step, when in fact it is a timed rollback mechanism designed to prevent lockout during remote configuration changes.

How to eliminate wrong answers

Option A is wrong because comparing the candidate configuration with the active configuration is done using the 'show | compare' command or 'show configuration | compare', not 'commit confirmed'. Option C is wrong because permanently saving the candidate configuration to the startup configuration is achieved with 'commit' (or 'commit and-quit'), not 'commit confirmed'; the 'commit confirmed' command applies the change temporarily and requires a subsequent 'commit' to make it permanent. Option D is wrong because confirming a previous commit was successful is not a function of 'commit confirmed'; the system logs commit success or failure in the event log, and 'show system commit' displays the commit history, but 'commit confirmed' is used to test a change with automatic rollback, not to verify a past commit.

331
Multi-Selectmedium

Which TWO statements correctly describe the behavior of the Junos CLI operational mode?

Select 2 answers
A.Commands such as show and ping are available.
B.Command options are enclosed in curly braces { }.
C.Commands must be entered in full; abbreviation is not allowed.
D.You can commit configuration changes directly.
E.The CLI uses a hierarchical command structure.
AnswersA, E

Operational mode provides show and ping commands.

Why this answer

Option A is correct because Junos CLI operational mode provides commands for monitoring, troubleshooting, and verifying the device state, such as 'show' for displaying configuration and operational data, and 'ping' for network connectivity tests. These commands do not alter the active configuration, which is the defining characteristic of operational mode.

Exam trap

The trap here is that candidates familiar with Cisco IOS may assume curly braces indicate optional parameters (as in Cisco's syntax), but Junos uses square brackets for options and curly braces for configuration blocks, leading to confusion in identifying correct statements.

332
Multi-Selecteasy

Which THREE statements about the Junos CLI help system are correct? (Choose three.)

Select 3 answers
A.Pressing <Tab> completes the current keyword if unique.
B.Pressing ? after a command shows available completions.
C.The 'help' command provides detailed documentation for specific topics.
D.Pressing <Ctrl+P> clears the command line.
E.Pressing ? at the beginning of a line shows all commands regardless of the current hierarchy level.
AnswersA, B, C

Correct; Tab auto-completes the partially typed keyword.

Why this answer

Option A is correct because the Junos CLI includes a tab-completion feature that, when you press the <Tab> key, automatically completes the current keyword if it is unique within the current hierarchy level. This speeds up command entry and reduces typing errors, a standard behavior in Junos.

Exam trap

The trap here is confusing Junos CLI help behavior with Cisco IOS, where pressing ? at the beginning of a line shows all commands regardless of mode, whereas Junos restricts completions to the current hierarchy level.

333
MCQmedium

Refer to the exhibit. Which interface(s) have a physical layer issue?

A.ge-0/0/1 only
B.ge-0/0/0 only
C.ge-0/0/0 and ge-0/0/2
D.ge-0/0/2 only
AnswerA

ge-0/0/1 has link down while admin up, indicating physical issue.

Why this answer

The 'Physical link is Down' status on ge-0/0/1 indicates a Layer 1 issue, such as a disconnected cable, faulty transceiver, or powered-down remote device. The other interfaces show 'Up' physical status, confirming they have no physical layer problem.

Exam trap

The trap here is that candidates may confuse 'Physical link is Down' with an administrative 'down' state, but the output clearly shows 'up' in the admin column, so the issue is purely physical layer, not configuration-based.

How to eliminate wrong answers

Option B is wrong because ge-0/0/0 shows 'Physical link is Up', meaning its physical layer is operational. Option C is wrong because both ge-0/0/0 and ge-0/0/2 have 'Physical link is Up', so neither has a physical layer issue. Option D is wrong because ge-0/0/2 shows 'Physical link is Up', indicating no physical layer problem.

334
MCQeasy

You are managing a small branch office with a Juniper SRX firewall that connects to the internet via a single ISP. The internal network uses 192.168.1.0/24. You need to configure a default route so that all internet-bound traffic goes to the ISP's next-hop 203.0.113.1. The SRX has two interfaces: ge-0/0/0 (untrust) with IP 203.0.113.2/30 and ge-0/0/1 (trust) with IP 192.168.1.1/24. You add the following configuration: 'set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1'. After committing, devices on the trust network can ping the internet (e.g., 8.8.8.8) successfully. However, users report that they cannot access a specific public website hosted at 198.51.100.10. You verify that the SRX can reach that IP via ping and traceroute. What is the most likely cause of this issue?

A.The SRX's source IP for outbound traffic is incorrect; it should use the untrust interface IP but is using the trust IP.
B.The return traffic from the website is not reaching the SRX, possibly due to asymmetric routing or the website's firewall blocking the SRX's source IP.
C.The default route is missing; the ISP must be configured as a static route.
D.There is a more specific static route to 198.51.100.0/24 with a different next-hop causing traffic to be sent elsewhere.
AnswerB

Since SRX can ping, the forward path works; return path or the destination server's security may be blocking traffic.

Why this answer

Option C is correct because the default route is working, but the specific path may have a problem like a routing loop or black hole. Since the SRX can reach the IP, the issue is likely on the return path or the destination is filtering traffic. Option A is incorrect because the default route is present and working for other destinations.

Option B is incorrect because there is no evidence of a more specific route. Option D is incorrect because the SRX can ping, so source IP is not the issue.

335
MCQmedium

A junior engineer is tasked with configuring a firewall filter to only allow SSH access to the management interface. The management interface is fxp0. Which configuration is correct?

A.set interfaces lo0 unit 0 family inet filter input allow-ssh
B.set groups management-filter interfaces fxp0 unit 0 family inet filter input allow-ssh
C.set interfaces ge-0/0/0 unit 0 family inet filter input allow-ssh
D.set interfaces fxp0 unit 0 family inet filter input allow-ssh
AnswerD

Correctly applies the filter to the management interface.

Why this answer

Option D is correct because the management interface on Juniper devices is fxp0, and applying a firewall filter to its inet family input direction restricts inbound traffic. The filter 'allow-ssh' must permit only TCP port 22, blocking all other management access. This configuration ensures SSH-only access to the management interface.

Exam trap

The trap here is confusing the management interface (fxp0) with the loopback interface (lo0) or a data-plane interface (ge-0/0/0), leading candidates to apply the filter to the wrong interface.

How to eliminate wrong answers

Option A is wrong because lo0 is the loopback interface, not the management interface; applying a filter there would affect all traffic destined to the device, not just management traffic. Option B is wrong because 'groups management-filter' is a configuration group syntax, not a direct interface filter application; it requires additional apply-groups statements and does not directly attach the filter to fxp0. Option C is wrong because ge-0/0/0 is a standard network interface, not the dedicated management interface (fxp0), so it would not restrict access to the management interface.

336
MCQmedium

Refer to the exhibit. An operator tries to ping 192.168.1.2 from this router and fails. The router can ping itself (192.168.1.1). What is the most likely cause?

A.Reverse path forwarding (RPF) check is dropping the echo request.
B.The remote host is not reachable or is not responding to ARP requests.
C.The interface is administratively down.
D.Proxy ARP is not configured on the interface.
AnswerB

Ping failing to a host on the same subnet suggests ARP resolution failure or remote host down.

Why this answer

The router can ping its own interface (192.168.1.1), confirming that the interface is up and IP is configured correctly. The failure to ping 192.168.1.2 indicates that the router cannot reach the remote host, most likely because the host is down, not connected, or not responding to ARP requests. ARP resolution is required for the router to map the destination IP to a MAC address on the local subnet; without a successful ARP reply, the router cannot send the echo request.

Exam trap

The trap here is that candidates may confuse a local connectivity issue (like a down interface or RPF) with a remote host unreachability, but the ability to ping the local interface proves the interface is operational and the problem lies with the destination host or its ARP response.

How to eliminate wrong answers

Option A is wrong because reverse path forwarding (RPF) checks are used in multicast or unicast RPF (uRPF) scenarios to verify the source address of incoming packets, not to drop locally generated echo requests. Option C is wrong because if the interface were administratively down, the router would not be able to ping its own address (192.168.1.1). Option D is wrong because Proxy ARP is used to allow a router to respond to ARP requests on behalf of hosts on another subnet; it is not required for a router to ping a host on the same directly connected subnet.

337
MCQmedium

You are configuring a Juniper MX router to act as a BGP route reflector for your ISP network. The router has several iBGP peers, including clients and non-clients. You have configured the route-reflector-cluster-id and set the clients. After the configuration, you notice that some prefixes are not being reflected to a specific client router. The client has a valid BGP session to the route reflector and can see other prefixes. You check the BGP routing table on the route reflector and see that the missing prefixes are present but have the 'non-routable' flag. The route reflector's BGP table shows the prefix with a next-hop that is reachable via an IGP route. What is the most likely cause?

A.The next-hop for the missing prefixes is not reachable via the IGP on the route reflector; the route reflector needs a route to the next-hop to advertise the prefix.
B.The route-reflector-cluster-id is set incorrectly, causing the route reflector to drop the route to prevent loops.
C.The ORIGINATOR_ID attribute from a previous route reflector is causing the route to be suppressed.
D.The route reflector is using the next-hop-self option and cannot resolve its own IP as a next-hop.
AnswerA

BGP requires the next-hop to be reachable for the route to be considered valid and eligible for advertisement.

Why this answer

Option B is correct because BGP route reflection only sends routes that are valid (i.e., routable). The 'non-routable' flag indicates that the next-hop is not reachable via the IGP (or any route) in the route reflector's routing table. Even if the next-hop is reachable from the client, the route reflector must have a route to the next-hop to advertise the prefix to clients.

Option A is incorrect; cluster-id is used to detect loops, not to suppress routes. Option C is incorrect; the ORIGINATOR_ID attribute is set by the route reflector, but it does not suppress the route. Option D is incorrect; the route reflector does not modify the next-hop by default; the client must have a route to the next-hop.

338
MCQeasy

Which Junos command displays the route to a specific IP address, including the active route and any backup routes?

A.show route 192.168.1.1
B.show route protocol
C.show route active
D.show route table
AnswerA

Displays all routes to that IP address.

Why this answer

Option A is correct because the 'show route 192.168.1.1' command in Junos displays all routes in the routing table that match the specified destination, including the active route (marked with '>') and any backup routes (marked with a space). This command provides a comprehensive view of the forwarding table entries for that prefix, which is essential for understanding both primary and failover paths.

Exam trap

The trap here is that candidates familiar with Cisco IOS might expect 'show ip route <ip>' to show only the best route, but in Junos, the same command reveals all routes, including backups, which can lead to confusion if one assumes only the active route is displayed.

How to eliminate wrong answers

Option B is wrong because 'show route protocol' filters routes by a specific routing protocol (e.g., static, OSPF, BGP) and does not show routes to a specific IP address with active and backup routes. Option C is wrong because 'show route active' displays only the active routes in the routing table, omitting any backup or inactive routes. Option D is wrong because 'show route table' displays the entire routing table for a specific table (e.g., inet.0) without filtering to a particular destination, so it does not isolate the route to 192.168.1.1 or highlight active versus backup routes.

339
MCQeasy

Refer to the exhibit. Which filesystem should the administrator investigate to free up disk space?

A./config
B./ (root)
C./dev
D./var
AnswerD

/var is at 97% usage, closest to capacity.

Why this answer

The /var filesystem on Junos devices stores system logs, core dumps, and temporary files. When disk space is low, /var is the most common culprit because it contains rotating log files (e.g., messages, interactive-commands) and crash data that can accumulate rapidly. The administrator should investigate /var to free up space by clearing old logs or core files.

Exam trap

The trap here is that candidates often assume the root filesystem (/) is the primary space consumer, but Junos intentionally segregates dynamic data into /var, making it the correct target for disk space recovery.

How to eliminate wrong answers

Option A is wrong because /config is a dedicated partition for the active and backup configuration files (e.g., juniper.conf.gz), which are small and rarely cause disk space issues. Option B is wrong because / (root) contains the Junos kernel and base system files, which are static and do not grow significantly over time. Option C is wrong because /dev is a virtual filesystem for device nodes and does not consume persistent disk space.

340
MCQmedium

An administrator wants to apply the same BGP configuration to all interfaces whose names start with 'ge-'. Which approach would dynamically match these interfaces?

A.Define a configuration group and use apply-groups with [edit interfaces ge-*]
B.Create a firewall filter that matches ge- interfaces
C.Use apply-path referencing a regular expression in the configuration group
D.Use an interface-range named 'ge-interfaces' listing all ge- interfaces
AnswerC

apply-path dynamically matches interfaces based on a path pattern.

Why this answer

Option C is correct because the `apply-path` statement in a configuration group can dynamically match interfaces based on a regular expression pattern. By using `apply-path` with a regular expression like `ge-*` inside the configuration group, Junos will automatically apply the BGP configuration to all interfaces whose names match that pattern without manual enumeration.

Exam trap

The trap here is that candidates often confuse `apply-groups` with `apply-path`, assuming that `apply-groups` supports wildcards or regex in the target path, when in fact only `apply-path` provides dynamic pattern matching for interface names.

How to eliminate wrong answers

Option A is wrong because `apply-groups` does not support wildcard or regex matching in the target path; `[edit interfaces ge-*]` is not valid syntax and would cause a commit error. Option B is wrong because firewall filters are used for packet filtering and policy enforcement, not for dynamically applying interface-level configuration like BGP settings. Option D is wrong because an interface-range requires manual listing of each interface name, which is not dynamic and defeats the purpose of matching interfaces based on a pattern.

341
MCQhard

During a maintenance window, a network engineer is about to commit changes but wants to ensure no active sessions are disrupted. Which command should they run first?

A.commit confirmed
B.commit check
C.commit synchronize
D.commit at
AnswerA

Commits with a timeout; if session is lost, automatically rolls back.

Why this answer

Option A is correct because the 'commit confirmed' command allows the engineer to apply changes with a default 10-minute rollback timer. If the commit is not confirmed within that window, Junos automatically reverts to the previous configuration, ensuring that any disruption caused by the changes is temporary and active sessions are not permanently affected.

Exam trap

The trap here is that candidates often confuse 'commit check' as a safe way to test changes, but it only validates syntax, not runtime behavior, and provides no automatic rollback to protect active sessions if the changes cause disruption.

How to eliminate wrong answers

Option B is wrong because 'commit check' only validates the syntax and semantic correctness of the candidate configuration without applying it; it does not provide any rollback mechanism to protect active sessions from disruption. Option C is wrong because 'commit synchronize' is used in a dual-RE (Routing Engine) chassis to apply the configuration to both REs simultaneously, but it does not offer a safety net like automatic rollback if the changes cause session drops. Option D is wrong because 'commit at' schedules the commit to occur at a specific time, but once committed, the changes are permanent unless manually reverted; it lacks the automatic rollback feature that protects active sessions during the maintenance window.

342
MCQmedium

A router receives a packet with destination IP 10.1.1.100. The routing table contains two entries: a static route to 10.1.1.0/24 via 192.168.1.1, and an OSPF route to 10.1.1.0/25 via 192.168.2.1. Which route will the router use?

A.The router drops the packet due to a routing conflict
B.The OSPF route to 10.1.1.0/25
C.The static route to 10.1.1.0/24
D.Both routes are used for load balancing
AnswerB

The /25 is the longest prefix match.

Why this answer

The router will use the OSPF route to 10.1.1.0/25 because it has a longer prefix length (/25) than the static route (/24). Juniper Junos uses the most specific (longest) prefix match in the routing table, regardless of administrative distance or protocol preference. The destination IP 10.1.1.100 falls within the 10.1.1.0/25 range (10.1.1.0–10.1.1.127), so the /25 route is more specific and thus preferred.

Exam trap

The trap here is that candidates often assume OSPF routes are always preferred over static routes due to administrative distance, but Junos (and all routers) prioritize the longest prefix match first, so a more specific static route would win over a less specific OSPF route.

How to eliminate wrong answers

Option A is wrong because there is no routing conflict; the router uses the longest prefix match rule, not a tie-breaking mechanism that drops packets. Option C is wrong because the static route to 10.1.1.0/24 is less specific than the OSPF /25 route, so it is not selected for this destination. Option D is wrong because load balancing only occurs when multiple routes have identical prefix lengths and equal preference/metrics; here the prefix lengths differ (/24 vs /25), so only the most specific route is used.

343
MCQmedium

A technician notices that the /var partition is filling up on a Juniper device. Which action would be most appropriate to free up space while preserving critical logs?

A.Delete core files manually
B.Run 'request system storage cleanup'
C.Reboot the device
D.Delete all files in /var/log
AnswerB

The 'request system storage cleanup' command safely removes temporary and unnecessary files like old log files, core files, and software images. It preserves important logs.

Why this answer

The 'request system storage cleanup' command is the correct action because it safely removes non-essential files such as old log files, core dumps, and temporary files that are no longer needed, while preserving critical logs and configuration files. This command performs a controlled cleanup without risking the deletion of important operational data, making it the most appropriate method for freeing up space on the /var partition.

Exam trap

The trap here is that candidates often assume manual deletion (Option A) or a reboot (Option C) are quick fixes, but they overlook the Junos-specific safe cleanup command that automates the process while preserving essential data.

How to eliminate wrong answers

Option A is wrong because manually deleting core files is risky and inefficient; core files may be needed for debugging, and manual deletion could accidentally remove files that are still in use or miss other space-consuming temporary files. Option C is wrong because rebooting the device does not free up disk space; it only clears temporary memory and may cause unnecessary downtime without addressing the underlying storage issue. Option D is wrong because deleting all files in /var/log would remove critical logs needed for troubleshooting and compliance, and it could also delete active log files that are still being written to, potentially causing system instability or loss of forensic data.

344
Multi-Selecthard

Which TWO statements about configuration groups in Junos are correct? (Choose two.)

Select 2 answers
A.Configuration groups are defined under the [edit groups] hierarchy.
B.Configuration groups are stored in separate files that are imported using the 'file' statement.
C.The 'apply-groups' statement is used to include a group's configuration at a specific hierarchy level.
D.The 'replace' tag is used to reference a configuration group.
E.Configuration groups are applied only at the [edit interfaces] hierarchy level.
AnswersA, C

Configuration groups are indeed defined under the 'groups' hierarchy and can be inherited.

Why this answer

Option A is correct because configuration groups in Junos are defined under the [edit groups] hierarchy. This allows you to create reusable configuration snippets that can be applied to multiple parts of the configuration, reducing duplication and simplifying management.

Exam trap

The trap here is that candidates often confuse configuration groups with Junos's 'apply-path' or 'apply-macro' features, or mistakenly think groups are external files, when in fact they are defined inline under [edit groups] and applied via 'apply-groups'.

345
MCQhard

A network administrator is configuring a GRE tunnel on a Juniper device. The tunnel source is loopback 0 and destination is 192.0.2.1. Which additional configuration is necessary on the tunnel interface for the tunnel to become operational?

A.set interfaces gr-0/0/0 unit 0 mtu 1476
B.set interfaces gr-0/0/0 unit 0 multicast
C.set interfaces gr-0/0/0 unit 0 family inet6
D.set interfaces gr-0/0/0 unit 0 family inet
AnswerD

Enables IPv4 on the tunnel interface, necessary for routing.

Why this answer

Option D is correct because a GRE tunnel interface on Junos requires the 'family inet' statement to be configured under the unit to enable IPv4 traffic forwarding. Without this, the tunnel interface will not have an IPv4 protocol family, and the device will not be able to route packets into or out of the tunnel, leaving it operationally down.

Exam trap

The trap here is that candidates assume GRE tunnels automatically support IPv4 traffic on Junos, similar to Cisco IOS, but Junos requires an explicit 'family inet' configuration to activate the protocol family on the tunnel interface.

How to eliminate wrong answers

Option A is wrong because setting the MTU to 1476 is optional and not required for the tunnel to become operational; it is a performance tuning parameter to avoid fragmentation. Option B is wrong because the 'multicast' statement is used to enable multicast traffic over the tunnel, which is not a prerequisite for basic GRE tunnel operation. Option C is wrong because 'family inet6' would enable IPv6 over the tunnel, but the question specifies an IPv4 destination and source, so IPv4 (family inet) is the necessary protocol family.

346
MCQmedium

An administrator needs to change a portion of the configuration by matching a pattern and replacing it with new text. Which Junos configuration mode command should be used?

A.rename
B.replace pattern
C.copy
D.set replace pattern
AnswerB

Replaces text matching a pattern with new text.

Why this answer

The 'replace pattern' command in Junos configuration mode allows an administrator to search for a specific text pattern using regular expressions and replace it with new text. This is the correct command for pattern-based substitution within the configuration hierarchy, as it directly matches and replaces text without requiring manual deletion or re-entry.

Exam trap

The trap here is that candidates may confuse 'replace pattern' with 'set replace pattern' (which does not exist) or assume 'rename' can perform pattern-based substitution, leading them to select an incorrect option due to familiarity with similar commands in other vendors' syntax.

How to eliminate wrong answers

Option A is wrong because 'rename' is used to change the name of a configuration element (e.g., an interface or policy) but does not support pattern matching or text replacement. Option C is wrong because 'copy' duplicates a configuration stanza or element, not modifies existing text by pattern matching. Option D is wrong because 'set replace pattern' is not a valid Junos command; the correct syntax is 'replace pattern' at the configuration mode prompt, not prefixed with 'set'.

347
MCQeasy

Which configuration group feature allows an administrator to apply common configuration settings to multiple interfaces without repeating the configuration?

A.groups statement
B.interface-range
C.apply-groups
D.apply-path
AnswerC

Applies configuration from a group to the current level.

Why this answer

The `apply-groups` statement is the correct feature because it allows an administrator to define a common configuration template within a `groups` hierarchy and then apply that template to multiple interfaces (or other configuration sections) using the `apply-groups` command. This avoids repeating the same configuration statements across individual interfaces, streamlining management and reducing errors.

Exam trap

The trap here is that candidates confuse `groups` (the definition container) with `apply-groups` (the activation command), often selecting Option A because they think defining the group is sufficient, but without `apply-groups`, the group configuration is never applied.

How to eliminate wrong answers

Option A is wrong because `groups` is the container where common configuration is defined, but it is not the feature that applies the configuration to interfaces; without `apply-groups`, the group configuration is inactive. Option B is wrong because `interface-range` is a feature for creating a named range of interfaces to apply a single configuration block, but it is not a configuration group feature; it is used with `set interfaces interface-range <name>` and applies configuration directly, not via a reusable group template. Option D is wrong because `apply-path` is used to dynamically derive configuration values from the contents of a specified path in the configuration hierarchy (e.g., for BGP or firewall filters), not for applying common settings to multiple interfaces.

348
MCQeasy

Which command saves the active configuration to a file name other than the default rescue configuration?

A.request system configuration rescue save
B.save configuration to file
C.commit and-quit
D.file copy /config/juniper.conf.gz /var/tmp/backup.conf
AnswerD

Copies the active configuration file to a specified destination.

Why this answer

Option D is correct because the `file copy` command copies the active configuration file (`/config/juniper.conf.gz`) to a user-specified destination, such as `/var/tmp/backup.conf`, effectively saving the active configuration under a different filename. The rescue configuration is a special saved configuration that can be loaded with `rollback rescue`, but the question asks for saving to a file name other than the default rescue configuration, which is achieved by copying the active configuration file directly.

Exam trap

The trap here is that candidates may confuse the `save` command (which is valid in configuration mode and saves to a specified file) with the incorrect `save configuration to file` option, or they may think `request system configuration rescue save` allows a custom filename, when in fact it always uses the rescue configuration filename.

How to eliminate wrong answers

Option A is wrong because `request system configuration rescue save` saves the active configuration as the rescue configuration, which uses the default filename `rescue.conf.gz` in `/config/`, not a user-specified filename. Option B is wrong because `save configuration to file` is not a valid Junos CLI command; the correct command to save the active configuration to a file is `save <filename>` at the configuration mode prompt. Option C is wrong because `commit and-quit` commits the candidate configuration and exits configuration mode, but it does not save the configuration to a separate file; it only applies the changes to the active configuration.

349
MCQmedium

An administrator is configuring a new Junos device and wants to ensure that configuration changes are applied only after explicit commit confirmation. Which configuration statement should be used?

A.commit synchronize
B.commit at
C.commit check
D.commit confirmed
AnswerD

Applies changes temporarily; requires confirmation to keep.

Why this answer

Option D is correct because the 'commit confirmed' statement allows an administrator to apply configuration changes that automatically revert to the previous configuration if not explicitly confirmed within a specified timeout period (default 10 minutes). This ensures changes are only permanently applied after an explicit 'commit' confirmation, providing a safety mechanism to prevent lockout or misconfiguration.

Exam trap

The trap here is that candidates often confuse 'commit confirmed' with 'commit check' or 'commit at', mistakenly thinking that syntax validation or scheduled commits provide the same automatic rollback safety net, when in fact only 'commit confirmed' enforces explicit confirmation to prevent permanent changes.

How to eliminate wrong answers

Option A is wrong because 'commit synchronize' is used on dual Routing Engine (RE) systems to apply the configuration to both REs simultaneously, not to require explicit confirmation. Option B is wrong because 'commit at' schedules a commit to occur at a specific time, but does not require explicit confirmation before the changes become permanent. Option C is wrong because 'commit check' validates the syntax and semantics of the candidate configuration without applying it, but does not provide a mechanism to automatically revert changes if not confirmed.

350
Multi-Selecthard

Which TWO statements about the rescue configuration are correct? (Choose two.)

Select 2 answers
A.The rescue configuration is automatically saved after every commit.
B.The 'rollback rescue' command loads the factory-default configuration.
C.The rescue configuration is designed to provide a method of last-resort recovery.
D.The rescue configuration can be saved by issuing the 'request system configuration rescue save' command.
E.The rescue configuration can be used to restore only a subset of the configuration.
AnswersC, D

It is a safety net for recovery.

Why this answer

Option C is correct because the rescue configuration is explicitly designed to provide a method of last-resort recovery. It allows an administrator to save a known-good configuration that can be loaded even if the active configuration becomes corrupted or inaccessible, ensuring the device can be brought back to a functional state.

Exam trap

The trap here is that candidates often confuse the rescue configuration with the factory-default configuration or assume it is automatically saved, leading them to select options A or B incorrectly.

351
MCQmedium

A network engineer is troubleshooting a BGP session that is not establishing. They want to see the BGP configuration details for peer 10.0.0.1. They type 'show configuration protocols bgp group external peer 10.0.0.1' but receive 'error: syntax error'. They are in operational mode. What is the most likely issue?

A.The peer IP 10.0.0.1 is not configured on the device.
B.The keyword 'peer' should be 'neighbor'.
C.The command should be 'show configuration protocols bgp group external | match 10.0.0.1'.
D.They need to enter configuration mode first.
AnswerB

In JunOS BGP configuration, the keyword 'neighbor' is used to refer to a BGP peer, not 'peer'.

Why this answer

In Junos OS, the correct keyword to reference a BGP peer in operational mode commands is 'neighbor', not 'peer'. The command 'show configuration protocols bgp group external neighbor 10.0.0.1' would display the configuration for that specific peer. Using 'peer' causes a syntax error because Junos does not recognize that keyword in this context.

Exam trap

The trap here is that candidates familiar with Cisco IOS, which uses 'neighbor' in configuration mode but 'peer' in some show commands, may incorrectly assume Junos uses 'peer' similarly, leading to a syntax error.

How to eliminate wrong answers

Option A is wrong because the syntax error occurs regardless of whether the peer IP is configured; the command itself is invalid due to the keyword 'peer'. Option C is wrong because while piping to 'match' could filter output, the primary issue is the incorrect keyword, and this workaround does not address the syntax error in the original command. Option D is wrong because 'show configuration' is a valid operational mode command; entering configuration mode is not required to view configuration details.

352
MCQhard

What happens when a user issues the 'request system reboot' command without any options?

A.The device reboots after the current commit.
B.The device reboots immediately.
C.The device prompts for confirmation.
D.The device schedules a reboot in 5 minutes.
AnswerC

B is correct; user must confirm reboot.

Why this answer

When a user issues the 'request system reboot' command without any options, Junos OS prompts for confirmation before proceeding. This is a safety mechanism to prevent accidental reboots, as the command does not automatically reboot the device immediately or schedule a delayed reboot by default.

Exam trap

The trap here is that candidates often assume 'request system reboot' behaves like a typical Linux 'reboot' command (immediate execution), but Junos requires explicit confirmation or the 'now' option to proceed without a prompt.

How to eliminate wrong answers

Option A is wrong because the 'request system reboot' command does not wait for a commit; it reboots the device immediately after confirmation, and the current configuration is already active. Option B is wrong because the command does not reboot immediately; it first prompts the user for confirmation to avoid unintended disruptions. Option D is wrong because the command does not schedule a reboot in 5 minutes; that behavior requires the 'at' or 'in' option (e.g., 'request system reboot at 12:00' or 'request system reboot in 5').

353
Multi-Selecthard

Which three steps are part of a typical software upgrade process on a Juniper device? (Choose three.)

Select 3 answers
A.Issue the request system software add command
B.Download the image to /var/tmp
C.Shut down all interfaces
D.Delete the old image before adding the new one
E.Reboot the device
AnswersA, B, E

Adds the software package.

Why this answer

Option A is correct because the 'request system software add' command is the standard Junos CLI command used to initiate the installation of a new software image on a Juniper device. This command triggers the process of copying the image from a specified source (e.g., a URL or local file) into the system's active software partition, preparing it for the next reboot.

Exam trap

The trap here is that candidates may mistakenly think interfaces must be shut down before an upgrade (option C), confusing Junos' non-disruptive upgrade process with Cisco IOS procedures where manual interface shutdown is often recommended to prevent routing flaps during the reload.

354
MCQhard

An engineer is designing a network and needs to ensure that management traffic (SSH, SNMP) is always permitted, even if an interface firewall filter is applied. Which Juniper best practice should be followed?

A.Use a firewall filter that permits all management traffic at the top of the list on each interface
B.Apply a firewall filter on the loopback interface (lo0) to protect the device
C.Apply a firewall filter to the management interface (fxp0)
D.Disable the firewall filter on all interfaces
AnswerB

Best practice: use loopback filter to control access to the device itself.

Why this answer

Applying a firewall filter to the loopback interface (lo0) is the Juniper best practice for protecting management traffic because the loopback interface is the logical termination point for all control plane traffic, including SSH and SNMP. This ensures that management traffic is always permitted regardless of which physical interface it arrives on, while still allowing interface-specific filters to be applied for data plane traffic without risk of blocking management access.

Exam trap

The trap here is that candidates often think management traffic must be permitted on each physical interface individually (Option A), not realizing that Junos uses the loopback interface as the central control plane filter point, making interface-specific filters unnecessary for management access.

How to eliminate wrong answers

Option A is wrong because placing a firewall filter that permits all management traffic at the top of the list on each interface is not scalable and can inadvertently allow unwanted traffic if the filter is misconfigured or omitted on a new interface; it also violates the principle of separating control plane and data plane filtering. Option B is wrong because it is actually the correct answer, not a wrong option. Option C is wrong because applying a firewall filter to the management interface (fxp0) only protects traffic arriving on that dedicated management port, but management traffic like SSH and SNMP can also arrive on other interfaces (e.g., ge-0/0/0), leaving the device unprotected on those paths.

Option D is wrong because disabling firewall filters on all interfaces removes all traffic filtering, which is not a best practice and would expose the device to unauthorized access or attacks.

355
MCQeasy

A network engineer configures a static route to a remote network. They want the route to be automatically removed from the routing table if the directly connected interface used to reach the next hop fails. Which configuration approach should be used?

A.Configure a higher metric on the static route.
B.Configure a preference of 0 on the static route.
C.Configure the next-hop as an IP address.
D.Configure the next-hop as the interface name.
AnswerD

Using an interface as the next-hop ties the route to the interface being up; if the interface goes down, the route is removed.

Why this answer

Option D is correct because configuring the next-hop as an interface name (e.g., ge-0/0/0) creates a static route that is automatically removed from the routing table when that interface goes down. This is due to the route being 'qualified' by the interface's operational state; if the interface fails, the route is withdrawn. In contrast, using an IP address as the next-hop does not tie the route to the interface's state, so the route remains even if the interface fails, as long as the next-hop is reachable via another path.

Exam trap

The trap here is that Cisco engineers often assume that specifying a next-hop IP address is the only valid way to configure a static route, but in Junos, using the interface name directly ties the route to the interface's state, which is the key to automatic removal upon interface failure.

How to eliminate wrong answers

Option A is wrong because configuring a higher metric on a static route does not cause it to be removed when an interface fails; metric (or cost) is used for route selection among multiple routes to the same destination, not for interface-based withdrawal. Option B is wrong because setting a preference of 0 makes the static route the most preferred route (lowest preference value), but it does not tie the route to the interface's operational state; the route remains even if the interface fails. Option C is wrong because configuring the next-hop as an IP address creates a static route that is not automatically removed when the directly connected interface fails; the route persists in the routing table unless the next-hop becomes unreachable via any interface, which may not happen if an alternate path exists.

356
MCQmedium

A network engineer needs to commit a configuration change but wants to ensure the change can be easily reverted if it causes issues. Which approach should the engineer take?

A.Use the 'commit and-quit' command to apply changes.
B.Use the 'commit confirmed' command with a timeout.
C.Use the 'commit check' command before committing.
D.Use the 'rollback 0' command after committing.
AnswerB

Commit confirmed provides automatic rollback if not confirmed.

Why this answer

Option B is correct because the 'commit confirmed' command allows the engineer to commit a configuration change with a default timeout of 10 minutes (configurable). If the change causes issues and the engineer does not confirm the commit within the timeout period, Junos automatically reverts to the previous active configuration, providing a safe rollback mechanism.

Exam trap

The trap here is that candidates often confuse 'commit check' (syntax validation) with a rollback mechanism, or assume 'rollback 0' provides automatic reversion, when in fact it requires manual execution after the fact.

How to eliminate wrong answers

Option A is wrong because 'commit and-quit' is not a valid Junos command; the correct command is 'commit and-quit' to exit the configuration mode after committing, but it does not provide any automatic rollback capability. Option C is wrong because 'commit check' only validates the syntax and semantics of the candidate configuration without applying it; it does not allow reverting a change after it has been committed. Option D is wrong because 'rollback 0' reverts to the most recently committed configuration, but it must be issued manually after the change is already active, and it does not provide an automatic or timed rollback.

357
MCQmedium

A network administrator wants to configure a user account for a junior engineer. The junior engineer should only be able to view configuration and use operational commands, but not modify anything. Additionally, the junior engineer should be required to authenticate using a local password. Which configuration accomplishes this?

A.set system login user junior class operator authentication plain-text-password
B.set system login user junior class read-only authentication plain-text-password
C.set system login user junior class super-user authentication plain-text-password
D.set system login user junior class read-only authentication ssh-rsa
AnswerB

This creates a read-only user with local password authentication.

Why this answer

Option A is correct; it sets the user's class to 'read-only' with a password.

358
Multi-Selecthard

Which three characteristics are true for OSPF? (Choose three.)

Select 3 answers
A.Uses the Bellman-Ford algorithm
B.Supports VLSM (Variable Length Subnet Masks)
C.Uses cost as the metric
D.Uses the SPF (Shortest Path First) algorithm
E.Is classful and does not support VLSM
AnswersB, C, D

OSPF is a classless protocol and supports VLSM.

Why this answer

The correct answers are A, C, and E. OSPF uses the Dijkstra SPF algorithm, supports VLSM/CIDR, and uses cost as its metric. It does not use Bellman-Ford (that's RIP).

It is classless, not classful. So A, C, E are correct.

359
MCQhard

A network operator is using the 'monitor traffic' command but wants to stop after capturing 100 packets. Which option should be added?

A.size 100
B.packets 100
C.limit 100
D.count 100
AnswerC

Correctly limits the packet capture to 100 packets.

Why this answer

The 'monitor traffic' command in Junos captures packets for analysis. To stop the capture after a specific number of packets, the correct option is 'limit 100', which instructs the command to terminate after processing 100 packets. This is a Junos-specific parameter for controlling the capture duration.

Exam trap

The trap here is that candidates may confuse Junos syntax with Cisco IOS, where 'packets' or 'count' are used in similar commands, leading them to select 'packets 100' or 'count 100' instead of the correct Junos-specific 'limit 100'.

How to eliminate wrong answers

Option A is wrong because 'size 100' is not a valid option for 'monitor traffic'; it would be used with other commands like 'monitor interface' to specify buffer size, not packet count. Option B is wrong because 'packets 100' is not a recognized parameter in Junos for this command; Junos uses 'limit' to specify the number of packets to capture. Option D is wrong because 'count 100' is not a valid option for 'monitor traffic'; 'count' is used in other contexts like firewall filters or show commands, not for packet capture termination.

360
MCQmedium

A network engineer is troubleshooting connectivity between two VLANs on the same Juniper EX switch. Hosts in VLAN 100 cannot ping hosts in VLAN 200. The switch has an IRB interface configured for each VLAN. Which configuration is most likely missing?

A.Spanning Tree Protocol is not enabled on the switch
B.The switchport mode is set to access instead of trunk
C.The IRB interfaces are not assigned to the same routing instance
D.DHCP relay is not configured on the IRB interfaces
AnswerC

IRB interfaces must be in the same routing instance with routing between them enabled; default instance works, but if they are in different instances, routing fails.

Why this answer

For hosts in different VLANs to communicate through an EX switch, the IRB interfaces must belong to the same routing instance to enable inter-VLAN routing. By default, each IRB is placed in the default routing instance (inet.0), but if they are assigned to separate routing instances, no route exists between them, breaking Layer 3 forwarding. Option C directly addresses this missing configuration.

Exam trap

The trap here is that candidates confuse Layer 2 issues (like trunking or STP) with Layer 3 routing, assuming VLAN-to-VLAN ping failures must be caused by a missing trunk or STP misconfiguration, when the actual missing piece is the routing instance assignment for the IRB interfaces.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) prevents Layer 2 loops and does not affect Layer 3 connectivity between VLANs; inter-VLAN routing relies on IRB interfaces and routing instances, not STP. Option B is wrong because switchport mode (access vs. trunk) applies to Layer 2 port-to-VLAN assignment, not to IRB interfaces; IRBs are Layer 3 logical interfaces and do not use switchport mode. Option D is wrong because DHCP relay is only needed when hosts require dynamic IP addresses from a remote DHCP server; it is not required for static IP-based ping tests between VLANs.

361
MCQhard

An engineer wants to see the differences between the active configuration and the candidate configuration. Which command should they use?

A.'show configuration | display set'
B.'show configuration | compare'
C.'run show configuration | compare'
D.'show | compare'
AnswerD

In configuration mode, this command shows diff between candidate and active.

Why this answer

Option D, 'show | compare', is correct because in the Junos CLI, the pipe (|) operator can be used to filter or modify the output of any operational mode command. When used with the 'compare' argument after 'show', it displays the differences between the active configuration and the candidate configuration. This is the standard syntax for comparing configurations in Junos.

Exam trap

The trap here is that candidates often confuse the 'show configuration' command with the 'show' command, and assume that 'compare' must be applied to 'configuration' specifically, when in fact the correct syntax is 'show | compare' without the 'configuration' keyword.

How to eliminate wrong answers

Option A is wrong because 'show configuration | display set' only converts the current configuration into 'set' commands format; it does not perform any comparison. Option B is wrong because 'show configuration | compare' is not valid syntax; the 'compare' argument must follow the pipe directly after 'show', not after 'configuration'. Option C is wrong because 'run show configuration | compare' is incorrect; 'run' is used to execute operational commands from configuration mode, but the correct command to compare configurations is simply 'show | compare' from operational mode.

362
Multi-Selectmedium

Which TWO statements are true about the Junos OS candidate configuration model? (Choose two.)

Select 2 answers
A.Each change is applied incrementally to the active configuration.
B.The candidate configuration is stored in a separate file from the active configuration.
C.After a commit, the candidate configuration is automatically discarded.
D.The candidate configuration can be modified without affecting the active configuration.
E.Multiple users can edit the candidate configuration simultaneously.
AnswersD, E

Changes are made to the candidate configuration and only affect the device after commit.

Why this answer

Option D is correct because the Junos OS candidate configuration model allows modifications to be made to a separate candidate configuration file without affecting the active configuration currently running on the device. This ensures that changes can be staged, reviewed, and validated before being committed, providing a safe and non-disruptive way to manage configuration changes.

Exam trap

The trap here is that Cisco engineers often confuse Junos's candidate model with Cisco IOS's running-config/startup-config model, where changes are applied immediately to the running configuration and saved separately, leading them to incorrectly assume that Junos also applies changes incrementally or that the candidate is a separate file.

363
MCQmedium

An engineer issues the 'rollback 3' command in configuration mode. What is the effect?

A.The candidate configuration is saved as the third rollback slot.
B.The candidate configuration is replaced with the configuration from three commits ago.
C.The active configuration is replaced with the candidate configuration.
D.The device reboots and loads configuration version 3.
AnswerB

Rollback loads a previous configuration into the candidate.

Why this answer

The 'rollback 3' command in Junos configuration mode replaces the current candidate configuration with the configuration from the third most recent commit. Junos maintains up to 50 rollback slots (numbered 0 through 49), where slot 0 is the most recent commit, slot 1 is the commit before that, and so on. Therefore, 'rollback 3' retrieves the configuration saved three commits ago, overwriting any uncommitted changes in the candidate configuration.

Exam trap

The trap here is that candidates often confuse 'rollback' with 'commit' or 'save' operations, mistakenly thinking it saves the current candidate configuration rather than retrieving a previous one, or they assume it directly modifies the active configuration without requiring a subsequent commit.

How to eliminate wrong answers

Option A is wrong because the 'rollback' command does not save the candidate configuration; it retrieves a previously committed configuration from a rollback slot. Saving the candidate configuration to a specific rollback slot is done with the 'commit confirm' or 'commit at' commands, not 'rollback'. Option C is wrong because the 'rollback' command does not replace the active (running) configuration; it only modifies the candidate configuration, which must then be committed to become active.

Option D is wrong because 'rollback' does not cause a reboot or load a configuration version from a file; it simply loads a previously committed configuration into the candidate configuration space from the device's rollback database.

364
MCQeasy

You are a network administrator for a service provider that uses Juniper MX series routers to provide MPLS VPN services to customers. Management has requested that you implement a secure out-of-band management (OOBM) solution for all MX routers to ensure that management traffic is isolated from the production network, reducing the risk of unauthorized access and management plane attacks. You are tasked with designing the OOBM solution using a dedicated management interface (me0) and a separate management routing instance. Which of the following best practices should you follow?

A.Place me0 in the inet.0 routing table and rely on static routes
B.Enable VLAN tagging on me0 to separate management traffic into different subnets
C.Configure the me0 interface in the default routing instance with a simple ACL
D.Create a dedicated routing instance for management, assign me0 to it, and apply a firewall filter to restrict access
AnswerD

This isolates management traffic and allows granular control.

Why this answer

Option D is correct because it follows Juniper's best practice for OOBM: creating a dedicated management routing instance (e.g., mgmt_junos) and assigning the me0 interface to it. This ensures management traffic is completely isolated from the production routing table (inet.0), preventing management plane attacks and unauthorized access. Applying a firewall filter on the me0 interface further restricts access to only authorized management hosts, aligning with security hardening guidelines.

Exam trap

The trap here is that candidates assume VLAN tagging (Option B) is a valid method for separating management traffic on any interface, but the me0 interface on Juniper MX routers does not support VLAN tagging as it is a dedicated Layer 3 out-of-band port, not a trunk port.

How to eliminate wrong answers

Option A is wrong because placing me0 in the inet.0 routing table mixes management traffic with production traffic, defeating the purpose of OOBM isolation and exposing the management plane to potential attacks. Option B is wrong because VLAN tagging on me0 is not supported; the me0 interface is a dedicated out-of-band management port that operates at Layer 3 and does not support subinterfaces or VLAN tagging. Option C is wrong because keeping me0 in the default routing instance (inet.0) does not isolate management traffic; a simple ACL is insufficient for full isolation, and the default instance is shared with production routes, violating OOBM principles.

365
MCQhard

Refer to the exhibit. The route for 192.168.0.0/16 is hidden. What is the most likely reason?

A.The BGP next-hop is unreachable
B.The route has a lower local preference
C.The route has a longer AS path
D.The route has a higher MED value
AnswerA

Hidden routes often result from an unreachable next-hop.

Why this answer

A hidden BGP route typically indicates that the next-hop is unreachable. Option A is correct. Option B is incorrect because localpref affects best path selection but does not cause hidden state.

Option C is incorrect because AS path length is considered but does not hide the route. Option D is incorrect because MED is 0, same as others.

366
MCQmedium

An organization has two ISPs and wants to load-balance traffic equally across both links for all outbound traffic. Which routing configuration approach should be used?

A.Configure two static default routes with different metric values.
B.Configure policy-based routing to match all traffic and forward to both ISPs.
C.Configure two static default routes with equal metric values and enable ECMP.
D.Establish BGP sessions with both ISPs and rely on BGP path selection.
AnswerC

ECMP allows load balancing across equal-cost routes.

Why this answer

Option C is correct because configuring two static default routes with equal metric values and enabling Equal-Cost Multi-Path (ECMP) allows the Juniper device to load-balance outbound traffic equally across both ISP links. ECMP uses per-flow or per-packet load balancing based on the hash of source/destination IP addresses and ports, ensuring traffic is distributed evenly without relying on dynamic routing protocols.

Exam trap

The trap here is that candidates often confuse metric (cost) with preference (administrative distance) in Junos, assuming that different metric values still allow load balancing, whereas Junos requires equal metric values for ECMP to activate.

How to eliminate wrong answers

Option A is wrong because configuring two static default routes with different metric values results in only the route with the lower metric being active in the routing table, providing failover but not load balancing. Option B is wrong because policy-based routing (PBR) can forward traffic based on match criteria, but it does not inherently load-balance equally across two links without additional configuration like filter-based forwarding and per-packet load balancing, which is not the standard approach for simple equal load sharing. Option D is wrong because establishing BGP sessions with both ISPs and relying on BGP path selection does not guarantee equal load balancing; BGP selects only the best path based on attributes like local preference and AS path length, and additional configuration (e.g., multipath) is required to enable ECMP for BGP routes.

367
MCQmedium

Refer to the exhibit. How many next hops are configured for the 192.168.1.0/24 route?

A.0
B.3
C.1
D.2
AnswerD

The route has two next hops: 10.0.0.1 and 10.0.0.2.

Why this answer

The correct answer is D because the route 192.168.1.0/24 has two next hops configured: one via 10.0.0.2 and another via 10.0.0.3. This is a case of equal-cost multipath (ECMP) routing, where Junos installs multiple next hops for the same prefix to load-balance traffic across multiple paths.

Exam trap

The trap here is that candidates often count the number of lines in the output rather than the distinct next-hop addresses, leading them to mistakenly select 3 (if they count a local interface line) or 1 (if they only see the first next hop).

How to eliminate wrong answers

Option A is wrong because the route exists and has next hops, not zero. Option B is wrong because only two next hops are present, not three; the exhibit shows exactly two next-hop addresses. Option C is wrong because the route has two next hops, not one; a single next hop would indicate a single path, but the exhibit clearly shows two.

368
MCQmedium

Refer to the exhibit. The router has a default static route and a static route to 10.0.0.0/24. An engineer updates the next-hop for the default route from 192.168.1.1 to 192.168.1.2. Which command should the engineer use to verify that the change is active?

A.show route 192.168.1.2
B.ping 192.168.1.2
C.show route 0.0.0.0/0
D.show route protocol static
AnswerC

This shows the active default route and its next-hop.

Why this answer

Option C is correct because the command 'show route 0.0.0.0/0' displays the routing table entry for the default route, including its next-hop address. After changing the next-hop from 192.168.1.1 to 192.168.1.2, this command confirms the active route has the updated next-hop. It directly verifies the specific prefix that was modified.

Exam trap

The trap here is that candidates often choose 'show route protocol static' thinking it shows all static routes, but they fail to realize it does not isolate the specific prefix changed, and the engineer needs to confirm the next-hop for 0.0.0.0/0, not just any static route.

How to eliminate wrong answers

Option A is wrong because 'show route 192.168.1.2' shows routes to that specific host address, not the default route; it would only confirm reachability to the next-hop, not the change to the default route. Option B is wrong because 'ping 192.168.1.2' tests IP connectivity to the next-hop address but does not verify that the default route in the routing table has been updated; the ping could succeed even if the route change failed. Option D is wrong because 'show route protocol static' displays all static routes, including both the default route and the route to 10.0.0.0/24, but it does not focus on the specific prefix 0.0.0.0/0; the engineer needs to confirm the change for that exact prefix, not all static routes.

369
MCQeasy

A host needs to verify that its assigned IP address is not already in use on the network. Which type of packet does the host send?

A.ARP reply with its own MAC address
B.ARP request with target IP set to its own IP
C.Gratuitous ARP reply
D.ARP request with target IP set to the default gateway
AnswerB

This is the standard method for duplicate address detection, where the host sends an ARP request for its own IP.

Why this answer

When a host wants to verify that its assigned IP address is not already in use on the network, it sends an ARP request with the target IP set to its own IP address. This is known as a gratuitous ARP request, and if another host responds with an ARP reply, it indicates an IP address conflict. This process is part of the Duplicate Address Detection (DAD) mechanism, commonly used in IPv4 networks to ensure uniqueness before the address is fully configured.

Exam trap

The trap here is that candidates often confuse a gratuitous ARP reply (used to announce an address) with a gratuitous ARP request (used for duplicate address detection), leading them to select option C instead of B.

How to eliminate wrong answers

Option A is wrong because an ARP reply with its own MAC address is a response, not a probe; the host must first send a request to check for conflicts, not assume its address is free. Option C is wrong because a gratuitous ARP reply is typically sent to update other hosts' ARP caches after an address is confirmed, not to detect duplicates; the detection phase uses a gratuitous ARP request (target IP = own IP). Option D is wrong because an ARP request with target IP set to the default gateway is used to resolve the gateway's MAC address for outbound traffic, not to verify the host's own IP address uniqueness.

370
MCQmedium

You are a network engineer for a company that has just deployed a Juniper SRX firewall in a branch office. The device has multiple interfaces: ge-0/0/0 connected to the internet, ge-0/0/1 connected to the internal LAN (192.168.1.0/24), and ge-0/0/2 connected to a DMZ (10.0.0.0/24). After initial configuration, you attempt to ping from the SRX to a server on the internet (8.8.8.8) but receive no response. You also notice that internal users can access the internet. You have verified the routing table shows a default route via ge-0/0/0. The security policies appear correct. You suspect the issue is related to interface configuration. What is the most likely cause and the correct course of action?

A.The security policy from the trust zone to the untrust zone is blocking traffic; you should create a policy allowing all traffic from the SRX itself.
B.The interface ge-0/0/0 has an incorrect MAC address; you should clear the ARP cache.
C.The interface ge-0/0/0 is missing the 'host-inbound-traffic' configuration under its security zone; you should add the appropriate system services under the zone.
D.The default route is missing or incorrect; you should add a default route via the internet gateway IP.
AnswerC

This is the most likely cause because the device cannot initiate traffic without explicit host-inbound traffic settings.

Why this answer

The SRX can ping internal hosts but not the internet because the interface ge-0/0/0 is in the untrust zone, which by default blocks all inbound traffic, including pings originated from the device itself. The 'host-inbound-traffic' configuration under the security zone allows system services such as ping, SSH, and SNMP to be received on that interface. Without it, even though the routing table and security policies are correct, the SRX will drop its own outbound ICMP echo requests before they can be sent, or drop the replies if they are treated as inbound traffic.

Exam trap

The trap here is that candidates confuse transit security policies (which control traffic passing through the device) with host-inbound traffic controls (which manage traffic destined to the device itself), leading them to incorrectly modify security policies instead of enabling system services under the zone.

How to eliminate wrong answers

Option A is wrong because the security policy from trust to untrust controls traffic passing through the SRX, not traffic originated from the SRX itself; device-originated traffic is governed by the 'host-inbound-traffic' settings, not security policies. Option B is wrong because an incorrect MAC address would cause a failure to resolve the next-hop MAC, which would prevent all traffic (including internal users) from reaching the internet, but internal users can access the internet, so ARP is working. Option D is wrong because the routing table already shows a default route via ge-0/0/0, and internal users can access the internet, confirming the default route is correct.

371
MCQeasy

Refer to the exhibit. If the administrator now enters the command 'delete interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24' and then commits, what will be the result?

A.Only the address 192.168.1.1/24 will be removed, and 192.168.1.2/24 will remain.
B.The commit will fail due to an attempt to delete a non-existent address.
C.The entire unit 0 will be deleted.
D.Both addresses will be removed from the configuration.
AnswerA

Exact deletion of the specified address.

Why this answer

The 'delete' command in Junos is hierarchical and targets the exact configuration hierarchy specified. In this case, the command specifies 'address 192.168.1.1/24' under 'family inet', so only that specific address is removed. The other address (192.168.1.2/24) remains because it is a separate leaf under the same 'address' statement and is not affected by the deletion.

Exam trap

The trap here is that candidates may assume deleting one address under a 'family inet' block will remove all addresses, similar to how some other platforms (e.g., Cisco IOS) treat the 'ip address' command as replacing the entire address list, but Junos treats each address as an independent leaf.

How to eliminate wrong answers

Option B is wrong because the address 192.168.1.1/24 does exist in the configuration (as shown in the exhibit), so the delete command targets a valid leaf and will not cause a commit failure. Option C is wrong because the command specifies the exact address leaf, not the 'unit 0' hierarchy; deleting a specific address does not remove the entire unit. Option D is wrong because the command is scoped to only one address; Junos does not cascade the deletion to other addresses under the same 'family inet' unless explicitly targeted.

372
MCQhard

Your company operates a dual-homed network with two Juniper MX routers (R1 and R2) each connected to a different ISP. R1 uses BGP to receive a default route from ISP-A (preference 170), and R2 uses BGP to receive a default route from ISP-B (preference 170). Additionally, both routers have a static default route pointing to a local next-hop (192.0.2.1) with preference 5 for backup. R1 and R2 are connected via an internal link (10.0.0.0/30) and run OSPF to exchange internal routes. You notice that traffic from internal hosts is always exiting via R1's ISP-A link, even when R1's BGP session to ISP-A goes down. The OSPF routes are preferred. You want traffic to fail over to R2's ISP-B link when R1 loses its BGP default. Which configuration change should you make?

A.Increase the preference of the BGP default routes to 180 so that the static default is always preferred.
B.Configure a routing policy on R2 to reject the default route from ISP-B, forcing all traffic through R1.
C.Remove the static default route and rely on OSPF to propagate a default route from the router with the active BGP session.
D.Configure the static default route with a preference of 180 so that the BGP default routes (pref 170) are preferred when available.
AnswerD

This ensures BGP default is used when up, and OSPF routes to R2's default become active when R1's BGP is down.

Why this answer

Option D is correct because the static default route currently has a preference of 5, making it preferred over the BGP default (preference 170) even when the BGP route is available. By raising the static default's preference to 180 (higher than BGP's 170), the BGP default will be chosen when present, and the static default will only be used as a backup when BGP is unavailable. This ensures traffic fails over to R2's ISP-B link when R1 loses its BGP default, as OSPF will propagate the default from R2.

Exam trap

The trap here is that candidates often assume static routes with a lower preference are always better, but the question requires the static route to act as a backup, so it must have a higher preference than the BGP route to be less preferred when the BGP route is available.

How to eliminate wrong answers

Option A is wrong because increasing the BGP default preference to 180 would make it less preferred than the static default (preference 5), causing the static route to always be used, which does not solve the failover issue. Option B is wrong because rejecting the default route from ISP-B on R2 would prevent R2 from having any default route, breaking failover entirely and not addressing the preference problem on R1. Option C is wrong because removing the static default route would leave no backup path; OSPF does not automatically propagate a default route unless explicitly configured with a default-information originate statement, and even then, the OSPF default would have a preference of 10 (or 150 for external routes), which could still be preferred over BGP's 170, potentially causing the same issue.

373
MCQhard

After a series of configuration changes, an engineer wants to see only the lines that will be added or modified when the candidate is committed. Which command achieves this?

A.show configuration | except
B.show configuration | display set
C.commit check | match
D.show | compare
AnswerD

In configuration mode, shows lines that will be added, modified, or deleted upon commit.

Why this answer

Option D is correct because the 'show | compare' command displays the differences between the candidate configuration and the active configuration, showing only the lines that will be added, modified, or deleted upon commit. This is the standard Junos method for reviewing pending changes before committing them.

Exam trap

The trap here is that candidates often confuse 'show | compare' with 'show configuration | display set' or 'commit check', thinking that displaying the full candidate configuration or validating syntax is equivalent to viewing only the changes, but only 'show | compare' provides the targeted diff output.

How to eliminate wrong answers

Option A is wrong because 'show configuration | except' filters out lines matching a pattern, but does not show only added or modified lines; it shows all lines except those matching the pattern. Option B is wrong because 'show configuration | display set' converts the configuration into 'set' commands, but it shows the entire candidate configuration, not just the changes. Option C is wrong because 'commit check | match' validates the candidate configuration for syntax errors and then filters the output with 'match', but it does not display a diff of added or modified lines.

374
MCQeasy

Which command displays the status of all configured interfaces, including administrative and operational status?

A.show interfaces terse
B.show configuration interfaces
C.show chassis hardware
D.show interface statistics
AnswerA

'show interfaces terse' displays all interfaces with administrative (Admin) and operational (Link) status in a concise format. It clearly shows which interfaces are up or down.

Why this answer

The 'show interfaces terse' command displays a concise summary of all interfaces, including their administrative status (up or down) and operational status (up or down), along with protocol states. This makes it the correct choice for quickly viewing the status of all configured interfaces in a single output.

Exam trap

The trap here is that candidates often confuse 'show interfaces terse' with 'show interface statistics' or 'show configuration interfaces', mistakenly thinking statistics or configuration output will show operational status, but only 'show interfaces terse' provides the concise admin and link status in a single view.

How to eliminate wrong answers

Option B is wrong because 'show configuration interfaces' displays the current configuration of interfaces, not their real-time operational or administrative status. Option C is wrong because 'show chassis hardware' shows physical hardware components (like FPCs, PICs, and power supplies), not interface status. Option D is wrong because 'show interface statistics' shows traffic counters and error statistics for interfaces, but does not explicitly display administrative or operational status in a summary format.

375
Drag & Dropmedium

Arrange the steps to configure an IPsec VPN on a Junos SRX in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec VPN setup involves IKE for key exchange, IPsec for encryption, and binding to an interface.

Page 4

Page 5 of 7

Page 6

All pages