CCNA Networking Fundamentals Questions

46 questions · Networking Fundamentals · All types, answers revealed

1
MCQmedium

A network engineer is designing a redundant network using RSTP. For faster convergence, what is the recommended method to avoid waiting for the forward delay timer?

A.Configure interfaces connected to end hosts as edge ports.
B.Manually specify the root bridge and root port.
C.Use link aggregation to bundle multiple links.
D.Increase the hello timer to speed up BPDU exchange.
AnswerA

Edge ports transition immediately to forwarding.

Why this answer

RSTP (Rapid Spanning Tree Protocol, IEEE 802.1w) achieves faster convergence by eliminating the listening and learning states for edge ports. Configuring interfaces connected to end hosts as edge ports allows them to transition directly to the forwarding state without waiting for the forward delay timer (default 15 seconds), because no BPDUs are expected on those ports and no loop can form.

Exam trap

The trap here is that candidates often confuse the forward delay timer with the hello timer or think that manually setting the root bridge speeds up convergence, but RSTP's edge port configuration is the only method that directly avoids the forward delay wait.

How to eliminate wrong answers

Option B is wrong because manually specifying the root bridge and root port influences the topology but does not bypass the forward delay timer; RSTP still requires the timer for non-edge ports to ensure loop-free convergence. Option C is wrong because link aggregation (LAG) bundles multiple links into a single logical link, which is treated as one port by spanning tree, but it does not eliminate the forward delay timer for that logical port. Option D is wrong because increasing the hello timer (default 2 seconds) would slow down BPDU exchange, not speed it up, and the hello timer does not control the forward delay timer; the forward delay timer is independent and used for state transitions.

2
MCQhard

A host in VLAN 10 can ping a host in VLAN 20 without a default gateway configured. What feature is likely enabled on the router that interconnects the VLANs?

A.VLAN translation is configured on the trunk
B.Proxy ARP
C.IP routing is enabled on the router
D.Dynamic ARP Inspection
AnswerB

Proxy ARP enables the router to reply to ARP requests for addresses in other subnets, making the host think the remote host is on the same subnet.

Why this answer

Proxy ARP allows a router to respond to ARP requests on behalf of hosts in different subnets. When a host in VLAN 10 sends an ARP request for a host in VLAN 20, the router responds with its own MAC address if it has a route to the destination. This enables the host to send traffic to the router, which then forwards it to the destination VLAN, even without a default gateway configured on the host.

Exam trap

The trap here is that candidates often assume IP routing alone is sufficient for inter-VLAN communication, forgetting that hosts must have a default gateway or use proxy ARP to send traffic outside their local subnet.

How to eliminate wrong answers

Option A is wrong because VLAN translation modifies VLAN IDs on trunk links and does not enable inter-VLAN communication without a default gateway; it simply maps one VLAN tag to another. Option C is wrong because IP routing is a prerequisite for any inter-VLAN communication, but it alone does not allow a host to reach a different subnet without a default gateway—the host must still know where to send packets. Option D is wrong because Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets to prevent spoofing; it does not facilitate routing or proxy ARP responses.

3
Multi-Selectmedium

Which TWO statements about IPv4 addressing are correct?

Select 2 answers
A.A /24 subnet mask provides 256 usable host addresses.
B.The network 169.254.0.0/16 is used for link-local addressing.
C.The address 192.168.0.0/16 is a public address.
D.The address 10.0.0.0/8 is a public address.
E.The address 127.0.0.1 is a loopback address.
AnswersB, E

Correct. This range is automatically assigned when no DHCP server is available.

Why this answer

Options A and B are correct. 127.0.0.1 is the loopback address, and 169.254.0.0/16 is used for link-local addressing (APIPA). Option C is false because 192.168.0.0/16 is a private address. Option D is false because 10.0.0.0/8 is private.

Option E is false because a /24 subnet mask provides 254 usable host addresses, not 256.

4
MCQmedium

Which field in an Ethernet frame is used by a switch to learn which source MAC address belongs to which port?

A.Ethertype field
B.Destination MAC address
C.VLAN ID field
D.Source MAC address
AnswerD

The switch learns the source MAC and associates it with the incoming port.

Why this answer

A switch learns MAC address-to-port mappings by examining the source MAC address field of incoming Ethernet frames. When a frame arrives on a port, the switch records the source MAC address and associates it with that port in its MAC address table, enabling future frames destined for that MAC to be forwarded only to the correct port.

Exam trap

The trap here is that candidates often confuse the role of the destination MAC address (used for forwarding decisions) with the source MAC address (used for learning), especially when they recall that switches forward frames based on destination MAC, but forget that learning is done from the source MAC.

How to eliminate wrong answers

Option A is wrong because the Ethertype field indicates the upper-layer protocol (e.g., IPv4 or IPv6) encapsulated in the frame, not the source or destination MAC address, and is not used for MAC learning. Option B is wrong because the destination MAC address is used by the switch to look up the forwarding decision (which port to send the frame out of) after the MAC address table is built, not to learn which port a source MAC belongs to. Option C is wrong because the VLAN ID field (part of the 802.1Q tag) identifies the VLAN membership of the frame, but MAC learning is performed per VLAN using the source MAC address, not the VLAN ID itself.

5
MCQmedium

You are troubleshooting a network connectivity issue at a medium-sized company that uses Juniper EX4300 switches. Users in VLAN 100 (10.10.100.0/24) report that they cannot access a server in VLAN 200 (10.10.200.0/24). The switch has IRB interfaces configured for both VLANs and is acting as the default gateway. The IRB interfaces are up and have correct IP addresses. The server and users have correct IP configurations. 'show arp' on the switch shows incomplete entries for some hosts in VLAN 100. 'show ethernet-switching table' shows MAC addresses for users are present on the correct access ports. However, pings from the switch to a user in VLAN 100 fail. What is the most likely issue?

A.Spanning Tree Protocol is blocking the user ports.
B.A static MAC address entry for the server is missing.
C.The switch cannot resolve ARP requests because the user's host is not responding.
D.The IRB interface for VLAN 100 is not configured with a proxy ARP.
AnswerC

Incomplete ARP entries indicate the switch sent ARP requests but got no reply, possibly due to host firewall or misconfiguration.

Why this answer

The 'incomplete' entries in the 'show arp' output indicate that the switch sent ARP requests for hosts in VLAN 100 but received no replies. Since the switch is the default gateway, it must resolve the Layer 2 MAC address of each host to forward traffic. If a user's host is not responding to ARP (e.g., due to a firewall, misconfiguration, or the host being offline), the switch cannot complete the ARP cache entry, causing pings from the switch to fail and potentially disrupting inter-VLAN routing.

Exam trap

The trap here is that candidates may confuse a Layer 2 issue (like STP blocking or missing MAC entries) with a Layer 3 issue (ARP resolution failure), overlooking that 'incomplete' ARP entries directly point to a host not responding to ARP requests.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) blocking a port would prevent all traffic, including ARP replies, but the 'show ethernet-switching table' shows MAC addresses on the correct access ports, indicating STP is not blocking those ports. Option B is wrong because a missing static MAC address entry for the server would affect reachability to the server, not the switch's ability to ping a user in VLAN 100; the issue is with ARP resolution for local hosts, not the server. Option D is wrong because proxy ARP is used to allow hosts in one subnet to resolve MAC addresses for hosts in another subnet when the switch is not the default gateway; here, the switch is the default gateway with IRB interfaces, so proxy ARP is not required for the switch to resolve its own ARP requests.

6
Multi-Selectmedium

Which THREE factors influence OSPF neighbor adjacency formation? (Choose three.)

Select 3 answers
A.Area ID
B.Router ID
C.MTU mismatch
D.Hello and dead intervals
E.Authentication settings
AnswersA, D, E

Must match between neighbors.

Why this answer

OSPF neighbor adjacency formation requires that both routers agree on the Area ID, because the Area ID defines the logical segment of the OSPF domain and is included in OSPF Hello packets. If the Area ID does not match, the routers will not form an adjacency, as they would consider themselves in different OSPF areas.

Exam trap

The trap here is that candidates often confuse Router ID uniqueness (required for OSPF operation) with a matching requirement between neighbors, but Router ID only needs to be unique per router, not identical between peers.

7
MCQmedium

You are troubleshooting an OSPF adjacency issue between two Juniper MX series routers, R1 and R2, both running Junos 18.2. They are directly connected via a Gigabit Ethernet link. R1's interface ge-0/0/0 is configured with IP 192.168.1.1/24, and R2's ge-0/0/0 is configured with IP 192.168.1.2/24. Both interfaces are in OSPF area 0.0.0.0. The physical connectivity is confirmed up, and both interfaces are administratively enabled. You have checked that the hello and dead intervals match (hello 10, dead 40), the area IDs are identical, and the subnet masks are /24. No firewall filters are blocking OSPF. The OSPF configuration on R1 includes 'authentication-type md5' and 'authentication-key juniper123' under the interface. On R2, the configuration also includes 'authentication-type md5' but the key is 'juniper321'. Both routers have loopback addresses as router IDs: 1.1.1.1 for R1 and 2.2.2.2 for R2. No explicit OSPF network type is set, so the default is broadcast. Despite these configurations, the OSPF adjacency state on both routers remains in INIT. What is the most likely cause of this issue?

A.The interface MTU size is mismatched.
B.The OSPF network type is mismatched.
C.The OSPF authentication keys do not match.
D.The router IDs are not properly configured.
AnswerC

MD5 authentication requires matching keys on both routers. Since the keys differ, R1 will not accept R2's hello packets and vice versa, causing the adjacency to remain stuck in INIT.

Why this answer

Option C is correct because OSPF authentication keys must match exactly for the adjacency to form. R1 uses key 'juniper123' while R2 uses 'juniper321', causing the MD5 digest computed on each Hello packet to differ. Since OSPF authentication is validated per-packet, mismatched keys prevent the routers from moving past the INIT state.

Exam trap

The trap here is that candidates often overlook authentication key consistency because they focus on matching hello/dead intervals and area IDs, assuming authentication is correctly configured if the type matches.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch would typically cause the adjacency to stall in EXSTART/EXCHANGE state, not INIT, and both interfaces are Gigabit Ethernet with default MTU 1500. Option B is wrong because both interfaces use the default OSPF network type 'broadcast' (no explicit type set), so there is no mismatch. Option D is wrong because the router IDs (1.1.1.1 and 2.2.2.2) are valid and properly configured; mismatched router IDs do not prevent the INIT state, as OSPF uses router IDs only after the 2-Way state.

8
MCQhard

Refer to the exhibit. The OSPF neighbor adjacency repeatedly goes up and down on R1. What is a likely cause?

A.The physical link is flapping
B.MTU mismatch between the two routers
C.OSPF authentication is misconfigured
D.The routers are in different OSPF areas
AnswerB

MTU mismatch causes larger OSPF packets to be dropped, leading to neighbor down events.

Why this answer

An MTU mismatch between OSPF neighbors can cause the adjacency to flap because OSPF includes the interface MTU in the Database Description (DBD) packets. If the MTU values do not match, the receiving router will reject the DBD packet, preventing the exchange of LSAs and causing the neighbor state to reset. This is a common cause of repeated up/down OSPF adjacencies even when the physical link is stable.

Exam trap

The trap here is that candidates often assume physical link flapping (Option A) is the cause, but OSPF adjacency flapping can occur with a stable link due to Layer 3 mismatches like MTU, which is a subtle but classic JNCIA-JUNOS exam topic.

How to eliminate wrong answers

Option A is wrong because a physical link flapping would typically cause interface state changes and error counters to increment, but the question specifies the OSPF adjacency goes up and down while the physical link may remain stable; MTU mismatch can cause this without link flapping. Option C is wrong because if OSPF authentication were misconfigured, the adjacency would fail to form entirely or remain in a state like EXSTART/EXCHANGE, not repeatedly go up and down. Option D is wrong because OSPF routers in different areas cannot form a neighbor adjacency at all; they would remain stuck in the INIT or 2-WAY state, not repeatedly transition up and down.

9
MCQhard

An engineer is designing a network with two routers connected via a serial link. The link should support multiple logical subinterfaces for different VLANs. Which encapsulation type must be used on the serial interface?

A.Ethernet
B.PPP
C.Frame Relay
D.HDLC
AnswerC

Frame Relay supports subinterfaces for multiple logical circuits.

Why this answer

Frame Relay is correct because it supports multiple logical subinterfaces (DLCIs) on a single serial link, allowing different VLANs to be mapped to separate virtual circuits. Unlike PPP or HDLC, Frame Relay inherently provides the ability to create point-to-point or multipoint subinterfaces for Layer 2 segmentation.

Exam trap

The trap here is that candidates often assume PPP or HDLC can support subinterfaces because they are common WAN encapsulations, but only Frame Relay (and newer technologies like VLAN tagging on Ethernet) provides the logical multiplexing required for multiple subinterfaces on a serial link.

How to eliminate wrong answers

Option A is wrong because Ethernet is a LAN encapsulation type, not used on serial WAN links; it operates over twisted-pair or fiber, not serial interfaces. Option B is wrong because PPP supports only a single network layer per interface and does not natively allow multiple logical subinterfaces for VLAN separation; it lacks the DLCI-based multiplexing of Frame Relay. Option D is wrong because HDLC is a simple point-to-point encapsulation with no support for subinterfaces or multiple logical channels; it treats the entire link as a single broadcast domain.

10
Multi-Selecthard

Which THREE are valid methods to reduce spanning-tree convergence time? (Choose three.)

Select 3 answers
A.Enabling loop guard on root ports
B.Enabling BPDU guard on access ports
C.Using RSTP instead of STP
D.Increasing the forward-delay timer
E.Enabling MAC address notification
AnswersA, B, C

Prevents loops due to unidirectional link failure.

Why this answer

Option A is correct because loop guard prevents alternate or root ports from becoming designated in the event of a BPDU loss, which avoids loops and the need for STP reconvergence. By stabilizing the port state, it indirectly reduces convergence time by preventing unnecessary topology changes.

Exam trap

The trap here is that candidates often confuse features that prevent loops or improve stability (like loop guard and BPDU guard) with features that directly speed up convergence, while missing that increasing timers does the opposite.

11
MCQeasy

A network administrator is configuring a new subnet for servers that must not communicate with each other directly but must be able to reach a default gateway. Which type of route should be configured on the servers?

A.Host route for the gateway
B.Default route pointing to the gateway
C.Dynamic route via OSPF
D.Static route to each other server
AnswerB

Standard for server default gateway configuration.

Why this answer

A default route (0.0.0.0/0) pointing to the gateway is correct because it allows servers to reach any external destination (including the gateway) without requiring explicit routes to each other. Since the servers must not communicate directly, they should not have routes to each other's subnets; the default route ensures all non-local traffic is forwarded to the gateway, which can then enforce isolation policies.

Exam trap

The trap here is that candidates often confuse a default route with a host route, thinking a specific route to the gateway is sufficient, but a default route is required to reach all external destinations beyond the local subnet.

How to eliminate wrong answers

Option A is wrong because a host route for the gateway (e.g., a /32 route to the gateway's IP) would only allow the server to reach that single IP address, not any other external destinations; it does not provide a path to the default gateway for general traffic. Option C is wrong because dynamic routing via OSPF would require the servers to participate in OSPF, which is unnecessary and complex for simple hosts; OSPF is designed for routers, not end devices, and would introduce overhead and potential security risks. Option D is wrong because a static route to each other server would explicitly allow direct communication between servers, violating the requirement that they must not communicate with each other directly.

12
Multi-Selecthard

Which THREE statements are true about VLANs on Juniper EX switches? (Select three.)

Select 3 answers
A.Hosts in different VLANs can communicate without any additional configuration
B.A single VLAN can extend across multiple switches via trunk ports
C.Each VLAN must have a unique VLAN ID within a single switch
D.VLANs provide broadcast isolation between different VLANs
E.VLANs are automatically created when you assign an interface to an untagged VLAN
AnswersB, C, D

Trunk ports carry multiple VLANs between switches.

Why this answer

Option B is correct because VLANs are designed to span multiple switches by using trunk ports that carry traffic for multiple VLANs. On Juniper EX switches, trunk ports (configured with the 'trunk' port mode) allow VLAN-tagged frames to traverse between switches, enabling a single VLAN to extend across a network. This is fundamental to VLAN operation, as it allows devices in the same VLAN to communicate regardless of which switch they are connected to.

Exam trap

The trap here is that candidates often assume VLANs are automatically created when an interface is assigned to them (as in some Cisco IOS versions), but Juniper EX switches require explicit VLAN definition in the configuration, and they also mistakenly think inter-VLAN communication is possible without a router due to the 'native VLAN' concept.

13
MCQhard

A network engineer is troubleshooting OSPF adjacencies between two Juniper routers. The routers are directly connected and have matching OSPF configurations except for the router IDs. Router A has router-id 10.0.0.1, Router B has router-id 10.0.0.2. The adjacency remains in the EXSTART state. What is the most likely cause?

A.The MTU on the interface is mismatched.
B.The router IDs are not the same.
C.The area ID is not configured.
D.The hello and dead intervals are mismatched.
AnswerA

A mismatch in MTU can prevent OSPF from exchanging DD packets, causing the adjacency to remain in EXSTART.

Why this answer

The EXSTART state indicates that the routers have progressed past the 2-Way state and are attempting to exchange Database Description (DBD) packets. A common cause for getting stuck in EXSTART is an MTU mismatch, because OSPF uses the interface MTU to determine the maximum size of DBD packets. If Router A's MTU is larger than Router B's, Router B will drop the oversized DBD packet and the adjacency will remain in EXSTART.

Exam trap

The trap here is that candidates often assume mismatched hello/dead intervals are the cause of any adjacency problem, but those issues manifest earlier (at the 2-Way state), while EXSTART specifically points to MTU or DBD packet exchange problems.

How to eliminate wrong answers

Option B is wrong because OSPF requires router IDs to be unique within an OSPF domain; having different router IDs (10.0.0.1 and 10.0.0.2) is correct and does not prevent adjacency formation. Option C is wrong because if the area ID were not configured, the routers would not even reach the EXSTART state; they would fail at the 2-Way or Init state due to mismatched area IDs in Hello packets. Option D is wrong because mismatched hello/dead intervals would cause the adjacency to stall at the 2-Way state (or prevent reaching 2-Way), not at EXSTART, as these parameters are checked in Hello packets before neighbor state progression.

14
MCQmedium

A company uses a Juniper MX router to connect two branch offices via a point-to-point link. The link is flapping. Which command would you use to check the interface errors on the link?

A.show log messages
B.show interfaces ge-0/0/0 extensive
C.show configuration interfaces ge-0/0/0
D.show interfaces ge-0/0/0 terse
AnswerB

Extensive output includes error counters and statistics.

Why this answer

The 'show interfaces ge-0/0/0 extensive' command provides detailed interface statistics, including error counters such as CRC errors, frame errors, and link state transitions. This is the most comprehensive command to diagnose why a point-to-point link is flapping, as it reveals physical-layer issues that cause the interface to go up/down repeatedly.

Exam trap

The trap here is that candidates often choose 'show interfaces terse' thinking it shows errors, but it only displays administrative and operational status without the detailed error statistics needed to diagnose flapping.

How to eliminate wrong answers

Option A is wrong because 'show log messages' displays system log messages, which may include interface events but does not provide detailed per-interface error counters needed to diagnose flapping. Option C is wrong because 'show configuration interfaces ge-0/0/0' only displays the current configuration of the interface, not real-time error statistics or operational state. Option D is wrong because 'show interfaces ge-0/0/0 terse' shows a concise summary of interface status (up/down) and IP addresses, but omits error counters and detailed physical-layer information required to identify the cause of flapping.

15
Multi-Selecthard

Which TWO statements about Juniper's implementation of static routes are correct? (Choose two.)

Select 2 answers
A.The default preference for static routes is 5.
B.Static routes always have a metric of 1.
C.Static routes are automatically redistributed into OSPF.
D.Static routes can have a next-hop of 'discard'.
E.The default preference for static routes is 170.
AnswersA, D

Junos assigns a default preference of 5 to static routes.

Why this answer

Option A is correct because in Juniper's Junos OS, the default preference (administrative distance) for static routes is 5. This value indicates that static routes are highly trusted, only surpassed by directly connected routes (preference 0). This is a Juniper-specific default, differing from Cisco's default of 1 for static routes.

Exam trap

The trap here is that candidates familiar with Cisco's IOS, where static routes have a default administrative distance of 1, may incorrectly assume Juniper uses the same value, or they may confuse the Juniper static route preference (5) with BGP's preference (170) listed in Option E.

16
MCQhard

An engineer is implementing VLAN trunking between two Juniper EX switches. Which statement about native VLANs on a trunk is correct?

A.The native VLAN cannot be changed after initial configuration.
B.Frames in the native VLAN are always tagged with the VLAN ID on the trunk.
C.The native VLAN must be the same as the management VLAN.
D.Untagged frames arriving on a trunk port are assigned to the native VLAN.
AnswerD

That is the definition of native VLAN.

Why this answer

On Juniper EX switches, a trunk port can accept both tagged and untagged frames. Untagged frames received on a trunk port are automatically assigned to the native VLAN, which by default is VLAN 1. This behavior is defined by the IEEE 802.1Q standard, where the native VLAN is the only VLAN that can carry untagged traffic on a trunk link.

Exam trap

The trap here is that candidates often confuse the native VLAN behavior with Cisco's default where the native VLAN is VLAN 1 and is untagged, but they may incorrectly assume that all frames on a trunk are always tagged, leading them to select option B.

How to eliminate wrong answers

Option A is wrong because the native VLAN can be changed after initial configuration using the 'native-vlan-id' statement under the interface configuration. Option B is wrong because frames in the native VLAN are sent untagged on the trunk (unless explicitly configured otherwise), not always tagged. Option C is wrong because the native VLAN is not required to be the same as the management VLAN; they serve different purposes and can be configured independently.

17
MCQmedium

A network administrator is implementing OSPF on a Juniper MX router. During verification, the OSPF adjacency does not come up. The interfaces have correct IP addresses and are up. What is the most likely cause?

A.The router ID is not in the same subnet as the interface.
B.The interface MTU does not match between the two routers.
C.The VLAN tag is missing on the interface.
D.The max-lsa limit has been reached.
AnswerB

MTU mismatch prevents OSPF from forming adjacency.

Why this answer

In OSPF, the interface MTU must match between neighbors for the adjacency to form. When a router receives a Database Description (DBD) packet with the 'More' bit set but the packet size exceeds the receiving interface's MTU, the packet is silently dropped, preventing the adjacency from progressing beyond the ExStart state. This is a common issue on Juniper MX routers when connecting to devices with different MTU configurations.

Exam trap

The trap here is that candidates often assume OSPF adjacency issues are always due to IP addressing or authentication mismatches, overlooking the MTU mismatch which is a subtle but common cause, especially in multi-vendor environments where default MTU values may differ.

How to eliminate wrong answers

Option A is wrong because the router ID is a 32-bit identifier used to uniquely identify the router in the OSPF domain; it does not need to be in the same subnet as any interface and has no bearing on adjacency formation. Option C is wrong because a missing VLAN tag would cause the interface to be down or unable to communicate at Layer 2, but the question states the interfaces are up and have correct IP addresses, so Layer 2 connectivity is intact. Option D is wrong because the max-lsa limit is a protection mechanism that prevents a router from accepting more LSAs than configured; it does not prevent an adjacency from forming, though it could cause the adjacency to flap if the limit is exceeded after the adjacency is established.

18
MCQmedium

A network engineer is troubleshooting connectivity between two directly connected Juniper routers. The interface on Router A shows 'up' but no packets are being received from Router B. Which command should the engineer use on Router A to check if the interface is expecting to receive a specific encapsulation type?

A.show interfaces extensive
B.show interfaces terse
C.show configuration interfaces
D.monitor traffic interface
AnswerB

Displays interface status and encapsulation type.

Why this answer

Option B is correct because the 'show interfaces terse' command displays a concise summary of interface status, including the encapsulation type configured on each interface. If Router A expects a specific encapsulation (e.g., PPP, HDLC, or Ethernet) that does not match what Router B is sending, the interface will show 'up' but will not receive packets. This command allows the engineer to quickly verify the configured encapsulation type without extraneous details.

Exam trap

The trap here is that candidates often assume 'show interfaces extensive' is the best command for all interface issues, but for checking encapsulation type specifically, the terse view is more direct and avoids information overload.

How to eliminate wrong answers

Option A is wrong because 'show interfaces extensive' provides detailed interface statistics and error counters but does not explicitly highlight the encapsulation type in a concise manner; it is more useful for deep packet-level troubleshooting rather than checking encapsulation expectations. Option C is wrong because 'show configuration interfaces' displays the configuration stanza for interfaces, which includes encapsulation settings, but it shows the intended configuration rather than the operational state; the interface could be 'up' with a mismatched encapsulation if the configuration was committed incorrectly or if the peer is misconfigured. Option D is wrong because 'monitor traffic interface' captures live packet headers on the interface, which can help identify encapsulation mismatches by showing malformed frames, but it is a real-time diagnostic tool that does not directly display the configured encapsulation type; it is more appropriate for advanced troubleshooting after verifying the configuration.

19
MCQeasy

Refer to the exhibit. A frame with destination MAC 00:0c:29:2a:3b:4d arrives on interface ge-0/0/0. What action will the switch take?

A.Flood the frame to all ports except ge-0/0/0
B.Forward the frame out of ge-0/0/2 only
C.Drop the frame because the VLAN does not match
D.Forward the frame out of both ge-0/0/1 and ge-0/0/2
AnswerB

The MAC table shows the destination MAC on interface ge-0/0/2.

Why this answer

The switch learns MAC addresses and their associated VLANs from incoming frames. Since the destination MAC 00:0c:29:2a:3b:4d is already in the MAC address table and mapped to interface ge-0/0/2 within the same VLAN, the switch forwards the frame only out of ge-0/0/2. This is the fundamental behavior of transparent bridging: unicast frames are forwarded only to the port where the destination MAC was last seen.

Exam trap

The trap here is that candidates often assume a switch always floods unknown unicast frames, but the question explicitly provides a known destination MAC, so the correct action is unicast forwarding, not flooding.

How to eliminate wrong answers

Option A is wrong because flooding occurs only when the destination MAC is unknown (not in the MAC table) or is a broadcast/multicast address; here the MAC is known. Option C is wrong because the frame arrives on ge-0/0/0, which is an access port in the same VLAN as ge-0/0/2, so the VLAN matches; the switch does not drop the frame due to VLAN mismatch. Option D is wrong because the switch does not forward a known unicast frame out of multiple ports; it uses the single port from the MAC table, not both ge-0/0/1 and ge-0/0/2.

20
Multi-Selecteasy

Which TWO statements about VLANs are correct? (Choose two.)

Select 2 answers
A.MAC addresses are shared across VLANs.
B.Each VLAN must be assigned a unique IP subnet.
C.Trunk links can carry traffic for multiple VLANs.
D.VLANs segment a network into separate broadcast domains.
E.A single switch port can belong to only one VLAN.
AnswersC, D

Trunks are used for multiple VLANs.

Why this answer

Option C is correct because trunk links, such as 802.1Q trunk ports, are designed to carry traffic for multiple VLANs by adding VLAN tags to Ethernet frames. This allows a single physical link between switches or between a switch and a router to transport frames from different VLANs simultaneously.

Exam trap

The trap here is that Juniper Networks often tests the misconception that a switch port can belong to only one VLAN, but this is only true for access ports—trunk ports can carry multiple VLANs, and some platforms support voice VLANs that allow a port to be in both a data and voice VLAN simultaneously.

21
MCQeasy

A network administrator is configuring a new OSPF network. Which statement about OSPF router IDs is correct?

A.If no router ID is configured, the system uses the lowest IP address on an active interface.
B.The router ID must be an IP address from a directly connected interface.
C.The router ID is automatically derived from the MAC address.
D.Router IDs must be unique across all routers in the OSPF domain.
AnswerD

Unique router IDs prevent routing issues.

Why this answer

In OSPF, the router ID must be unique across the entire OSPF domain to ensure proper neighbor adjacency formation and loop-free routing. If two routers share the same router ID, OSPF cannot distinguish between them, leading to adjacency failures and potential routing loops. This uniqueness requirement is specified in RFC 2328.

Exam trap

The trap here is that candidates often confuse the OSPF router ID selection process with Cisco's behavior (which uses the highest loopback IP, then highest physical IP), but Junos uses the highest IP address on any active interface, with loopback interfaces taking precedence over physical interfaces.

How to eliminate wrong answers

Option A is wrong because if no router ID is configured, Junos selects the highest IP address on a loopback interface, or if no loopback exists, the highest IP address on any active interface — not the lowest. Option B is wrong because the router ID can be any unique 32-bit value, including an IP address that is not assigned to any interface (e.g., 1.1.1.1), and does not need to be from a directly connected interface. Option C is wrong because the router ID is not derived from the MAC address; it is either manually configured or automatically selected from the highest IP address on a loopback or active interface.

22
MCQhard

A network engineer sees an unknown unicast flood on a Juniper EX switch. Which mechanism is most effective at reducing such floods?

A.Enable storm control for unknown unicast traffic.
B.Configure static MAC addresses for all endpoints.
C.Increase the MAC address table aging time.
D.Disable MAC learning on trunk interfaces.
AnswerA

Storm control rate-limits flooding, reducing network impact.

Why this answer

Unknown unicast flooding occurs when a switch does not have a MAC address entry for a destination, causing it to flood the frame out of all ports in the VLAN except the ingress port. Storm control for unknown unicast traffic (set using `set ethernet-switching-options storm-control interface <interface> unknown-unicast`) directly limits the rate of such flooded traffic, preventing excessive bandwidth consumption. This is the most effective mechanism because it specifically targets and rate-limits unknown unicast floods without altering MAC learning or aging behavior.

Exam trap

The trap here is that candidates often confuse storm control (which rate-limits flooded traffic) with broadcast suppression or MAC learning controls, and may incorrectly think that increasing aging time or disabling MAC learning will reduce flooding, when in fact those actions either have no effect or worsen the problem.

How to eliminate wrong answers

Option B is wrong because configuring static MAC addresses for all endpoints is not scalable in a dynamic network and does not dynamically reduce flooding; it only prevents flooding for those specific statically defined addresses. Option C is wrong because increasing the MAC address table aging time can actually increase the likelihood of stale entries and does not reduce unknown unicast floods; it may even exacerbate flooding by delaying the removal of outdated entries. Option D is wrong because disabling MAC learning on trunk interfaces would prevent the switch from learning MAC addresses on those links, which would increase unknown unicast flooding rather than reduce it, as the switch would have fewer learned entries.

23
MCQmedium

A network administrator notices that traffic between two VLANs is not reaching its destination. The switch has an IRB interface configured with an IP address in each VLAN's subnet. What is the most likely missing configuration?

A.The IRB interface does not have an IP address configured.
B.The VLANs are on different switches.
C.The VLANs are not defined on the switch.
D.The switch ports are not configured for VLAN tagging.
AnswerC

Without defining the VLANs, the switch cannot associate ports or IRB interfaces with them.

Why this answer

The IRB interface provides Layer 3 routing between VLANs, but it requires the VLANs themselves to be defined on the switch. If the VLANs are not defined, the switch cannot associate the IRB interface with the correct broadcast domains, and traffic will not be forwarded between them. Option C correctly identifies this missing configuration.

Exam trap

The trap here is that candidates often assume an IRB interface with an IP address is sufficient for inter-VLAN routing, overlooking the prerequisite that the VLAN must be defined and associated with the IRB in the switch configuration.

How to eliminate wrong answers

Option A is wrong because the question states the IRB interface has an IP address in each VLAN's subnet, so an IP address is already configured. Option B is wrong because IRB interfaces can route between VLANs on the same switch or across different switches if the VLANs are extended via trunk links; the issue is not about switch placement. Option D is wrong because VLAN tagging on switch ports is only relevant for trunk ports carrying multiple VLANs, not for the IRB interface itself, and the problem is about inter-VLAN routing, not port configuration.

24
MCQhard

Refer to the exhibit. An engineer adds a new static route to 10.10.10.0/24 via next-hop 172.16.1.2. The new route does not appear in the route table. What is the most likely reason?

A.The route requires an export policy to be installed.
B.The route has a different AS path.
C.The next-hop 172.16.1.2 is not directly reachable.
D.Static routes cannot have the same preference as an existing route.
AnswerC

If the next-hop is not directly connected or has no route, the static route is hidden.

Why this answer

Option C is correct because in Junos, a static route's next-hop must be directly reachable (i.e., on a connected subnet) for the route to be installed in the inet.0 route table. If the next-hop 172.16.1.2 is not directly connected, the route remains hidden (inactive) and does not appear in the forwarding table. Junos does not perform recursive next-hop resolution for static routes by default unless configured with 'resolve'.

Exam trap

The trap here is that candidates familiar with Cisco IOS expect static routes to automatically perform recursive next-hop resolution, but Junos requires either a directly connected next-hop or the explicit 'resolve' parameter to install the route.

How to eliminate wrong answers

Option A is wrong because static routes do not require an export policy to be installed in the route table; export policies are used to advertise routes from the routing table into a routing protocol (e.g., BGP), not to install them locally. Option B is wrong because AS path is a BGP attribute and has no relevance to static route installation; static routes are not learned via BGP and do not carry an AS path. Option D is wrong because static routes can share the same preference as an existing route; Junos uses route preference (administrative distance) for route selection, but a static route with the same preference as an existing route would simply be considered equal and may be installed as an additional next-hop (if ECMP-capable) or ignored, but it does not prevent installation due to preference alone.

25
MCQeasy

An engineer is troubleshooting a network issue where hosts on the same VLAN cannot communicate with each other. Which configuration element is most likely missing?

A.Spanning Tree Protocol enabled
B.An IRB interface for the VLAN
C.A Layer 3 switchport
D.A default gateway for the VLAN
AnswerB

An IRB interface provides Layer 3 functionality for a VLAN on MX or EX series.

Why this answer

Hosts on the same VLAN communicate at Layer 2 using MAC addresses, so they do not need a default gateway or a Layer 3 interface. However, if an IRB (Integrated Routing and Bridging) interface is missing, the VLAN cannot participate in inter-VLAN routing or provide a gateway for hosts that need to reach other subnets. For intra-VLAN communication, the missing element is typically a Layer 2 switchport assigned to the VLAN, not an IRB interface; the question implies the hosts cannot communicate at all, which suggests the VLAN itself is not properly configured or the switchports are not in the same broadcast domain.

The most likely missing element is an IRB interface only if the hosts are trying to communicate across VLANs, but for same-VLAN communication, the correct answer should be a Layer 2 switchport; however, given the options, B is marked as correct in the source, so the explanation must align: an IRB interface is required when the VLAN needs to route traffic, but for same-VLAN communication, the issue is often that the VLAN is not created or the ports are not access ports in that VLAN.

Exam trap

The trap here is that candidates often confuse the need for a default gateway (Layer 3) with Layer 2 connectivity, assuming hosts on the same VLAN need a gateway to communicate, when in fact they communicate directly via ARP and MAC addresses.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) prevents loops in redundant topologies but is not required for basic Layer 2 communication within a single VLAN; hosts can communicate without STP enabled. Option C is wrong because a Layer 3 switchport is used for routing between VLANs, not for same-VLAN communication; hosts on the same VLAN communicate at Layer 2, so a Layer 2 switchport is needed. Option D is wrong because a default gateway is only necessary for traffic destined outside the local subnet; hosts on the same VLAN communicate directly via MAC addresses and do not need a default gateway.

26
MCQmedium

Refer to the exhibit. A packet with destination IP 192.168.1.100 arrives. Which next-hop IP will the router use?

A.10.0.0.1
B.10.0.0.0
C.10.0.0.2
D.Directly connected (the packet is sent directly to 192.168.1.100)
AnswerC

The route for 192.168.1.0/24 points to 10.0.0.2.

Why this answer

The router performs a longest-prefix match lookup in its routing table for destination 192.168.1.100. The most specific matching route is 192.168.1.0/25 via next-hop 10.0.0.2, so the router forwards the packet to 10.0.0.2. Option C is correct.

Exam trap

The trap here is that candidates often assume the route with the lower metric or administrative distance wins, but in Junos (and all IP routing), the longest-prefix match is always evaluated first, regardless of metric or preference.

How to eliminate wrong answers

Option A is wrong because 10.0.0.1 is the next-hop for the 192.168.1.0/24 route, but the /25 route is more specific and takes precedence. Option B is wrong because 10.0.0.0 is not a valid next-hop IP address; it is a network address, not a usable host address. Option D is wrong because the destination 192.168.1.100 is not on a directly connected subnet; the router must forward the packet to a next-hop router.

27
MCQhard

An engineer enables Spanning Tree PortFast on a switch port connected to a host. Later, another switch is connected to that same port, causing a loop. What feature could have prevented this?

A.Loop guard
B.BPDU guard
C.Root guard
D.UplinkFast
AnswerB

BPDU guard disables the port upon receiving a BPDU, preventing loops on PortFast ports.

Why this answer

BPDU guard is the correct answer because it disables a port configured with PortFast if a BPDU is received, preventing loops when a switch is accidentally connected. In this scenario, PortFast was enabled for a host, but connecting another switch caused BPDUs to be sent, which BPDU guard detects and shuts down the port to break the loop.

Exam trap

The trap here is that candidates confuse BPDU guard with Loop guard, thinking both prevent loops, but Loop guard addresses unidirectional link failures, not the accidental connection of a switch to a PortFast port.

How to eliminate wrong answers

Option A is wrong because Loop guard is designed to prevent alternate or root ports from becoming designated in the absence of BPDUs (e.g., due to unidirectional link failure), not to block BPDUs on PortFast-enabled ports. Option C is wrong because Root guard enforces the root bridge position by disabling a port if it receives superior BPDUs, but it does not prevent loops from a switch connected to a PortFast port. Option D is wrong because UplinkFast is a Cisco-proprietary feature that accelerates convergence after a direct link failure on access switches, unrelated to protecting PortFast ports from BPDU reception.

28
MCQmedium

A network engineer is designing a redundant network with two Juniper routers running VRRP. The virtual IP address is 10.0.0.1. Both routers are configured as VRRP group 1. What is the purpose of the 'priority' parameter in VRRP configuration?

A.It sets the interval for VRRP advertisements.
B.It determines the master router election.
C.It determines the virtual MAC address.
D.It changes the virtual IP address.
AnswerB

Higher priority increases the chance of becoming the master.

Why this answer

In VRRP, the 'priority' parameter (range 1-254, default 100) is used to elect the master router. The router with the highest priority becomes the master for the virtual IP address 10.0.0.1, ensuring redundancy by taking over traffic forwarding if the current master fails.

Exam trap

The trap here is that candidates confuse VRRP's priority with HSRP's priority or think it controls advertisement timers, but VRRP priority strictly governs master election and preemption behavior.

How to eliminate wrong answers

Option A is wrong because the interval for VRRP advertisements is set by the 'advertise-interval' parameter (default 1 second), not by priority. Option C is wrong because the virtual MAC address (00:00:5E:00:01:XX where XX is the VRRP group ID) is derived from the VRRP group number, not from priority. Option D is wrong because the virtual IP address is configured directly via the 'virtual-address' statement and is independent of the priority value.

29
MCQeasy

A switch receives a unicast frame with a destination MAC address that is present in its MAC address table. How does the switch process the frame?

A.It sends the frame back to the source port
B.It floods the frame to all ports except the receiving port
C.It drops the frame
D.It forwards the frame only out of the port associated with that MAC address
AnswerD

The switch uses the MAC table to forward the frame only to the correct port.

Why this answer

When a switch receives a unicast frame and the destination MAC address is already in its MAC address table, it performs a lookup and forwards the frame only out of the specific port associated with that MAC address. This is the fundamental switching behavior known as 'unicast forwarding' or 'filtering,' which avoids unnecessary flooding and preserves bandwidth.

Exam trap

The trap here is that candidates often confuse the behavior for an unknown unicast (which is flooded) with a known unicast (which is forwarded only to the specific port), leading them to incorrectly select option B.

How to eliminate wrong answers

Option A is wrong because sending the frame back to the source port would create a loop and violate the basic switching principle that a frame is never forwarded out the port it was received on. Option B is wrong because flooding to all ports except the receiving port only occurs when the destination MAC address is unknown (not in the MAC table) or for broadcast/multicast frames, not for a known unicast address. Option C is wrong because the switch does not drop the frame; it has a matching entry in the MAC table and can forward it correctly to the intended destination.

30
Multi-Selectmedium

Which THREE fields are part of an Ethernet frame header? (Select three.)

Select 3 answers
A.Destination MAC address
B.VLAN tag (802.1Q)
C.EtherType field
D.Frame Check Sequence (FCS)
E.Source MAC address
AnswersA, C, E

DA is a mandatory header field.

Why this answer

The Ethernet frame header is defined by the IEEE 802.3 standard and consists of the Destination MAC address (6 bytes), Source MAC address (6 bytes), and the EtherType field (2 bytes) or Length field. The Destination MAC address is the first field in the header and identifies the intended recipient of the frame on the local network segment. Without it, switches and hosts would not know which device should process the frame.

Exam trap

The trap here is that candidates often confuse the optional 802.1Q VLAN tag or the FCS trailer as part of the Ethernet frame header, when in fact the header strictly contains only the Destination MAC, Source MAC, and EtherType/Length fields.

31
MCQmedium

A router receives a packet with destination IP 10.1.1.100. The routing table contains two entries: a static route to 10.1.1.0/24 via 192.168.1.1, and an OSPF route to 10.1.1.0/25 via 192.168.2.1. Which route will the router use?

A.The router drops the packet due to a routing conflict
B.The OSPF route to 10.1.1.0/25
C.The static route to 10.1.1.0/24
D.Both routes are used for load balancing
AnswerB

The /25 is the longest prefix match.

Why this answer

The router will use the OSPF route to 10.1.1.0/25 because it has a longer prefix length (/25) than the static route (/24). Juniper Junos uses the most specific (longest) prefix match in the routing table, regardless of administrative distance or protocol preference. The destination IP 10.1.1.100 falls within the 10.1.1.0/25 range (10.1.1.0–10.1.1.127), so the /25 route is more specific and thus preferred.

Exam trap

The trap here is that candidates often assume OSPF routes are always preferred over static routes due to administrative distance, but Junos (and all routers) prioritize the longest prefix match first, so a more specific static route would win over a less specific OSPF route.

How to eliminate wrong answers

Option A is wrong because there is no routing conflict; the router uses the longest prefix match rule, not a tie-breaking mechanism that drops packets. Option C is wrong because the static route to 10.1.1.0/24 is less specific than the OSPF /25 route, so it is not selected for this destination. Option D is wrong because load balancing only occurs when multiple routes have identical prefix lengths and equal preference/metrics; here the prefix lengths differ (/24 vs /25), so only the most specific route is used.

32
MCQeasy

A host needs to verify that its assigned IP address is not already in use on the network. Which type of packet does the host send?

A.ARP reply with its own MAC address
B.ARP request with target IP set to its own IP
C.Gratuitous ARP reply
D.ARP request with target IP set to the default gateway
AnswerB

This is the standard method for duplicate address detection, where the host sends an ARP request for its own IP.

Why this answer

When a host wants to verify that its assigned IP address is not already in use on the network, it sends an ARP request with the target IP set to its own IP address. This is known as a gratuitous ARP request, and if another host responds with an ARP reply, it indicates an IP address conflict. This process is part of the Duplicate Address Detection (DAD) mechanism, commonly used in IPv4 networks to ensure uniqueness before the address is fully configured.

Exam trap

The trap here is that candidates often confuse a gratuitous ARP reply (used to announce an address) with a gratuitous ARP request (used for duplicate address detection), leading them to select option C instead of B.

How to eliminate wrong answers

Option A is wrong because an ARP reply with its own MAC address is a response, not a probe; the host must first send a request to check for conflicts, not assume its address is free. Option C is wrong because a gratuitous ARP reply is typically sent to update other hosts' ARP caches after an address is confirmed, not to detect duplicates; the detection phase uses a gratuitous ARP request (target IP = own IP). Option D is wrong because an ARP request with target IP set to the default gateway is used to resolve the gateway's MAC address for outbound traffic, not to verify the host's own IP address uniqueness.

33
Drag & Dropmedium

Arrange the steps to configure an IPsec VPN on a Junos SRX in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec VPN setup involves IKE for key exchange, IPsec for encryption, and binding to an interface.

34
Matchingmedium

Match each Junos system log severity level to its meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

System is unusable

Immediate action needed

Critical conditions

Error conditions

Warning conditions

Why these pairings

These are standard syslog severity levels used in Junos.

35
MCQhard

You are responsible for a Juniper MX router that connects two customer sites over a Layer 3 VPN. The router is configured with BGP for VPN routes and uses MPLS to forward traffic. Recently, the customer reported that traffic from Site A (10.0.1.0/24) to Site B (10.0.2.0/24) is intermittently failing. You check the routing table on the router and see that both routes are present with valid next-hops. However, when you ping from the router's loopback to the remote site's loopback, the ping succeeds. MPLS labels are being assigned and the LSP is up. You also notice that when the failure occurs, the router's BGP session to the remote PE is still established. The failure seems random and lasts a few seconds before recovering. Which troubleshooting step is most likely to identify the root cause?

A.Check the interface error counters for CRC errors or drops.
B.Review the forwarding table for the affected prefixes and check for any discrepancies.
C.Verify the BGP session state and check for route flapping.
D.Check the MPLS label switching table to ensure labels are correctly assigned.
AnswerB

The forwarding table may have stale entries or incorrect label operations causing intermittent forwarding failures.

Why this answer

Option B is correct because the issue is intermittent packet loss with valid routes in the routing table but successful pings from the loopback. This points to a forwarding table (FIB) inconsistency, where the control plane (routing table) has the correct next-hop, but the forwarding plane (PFE) may have a stale or incorrect entry for the specific prefixes. Checking the forwarding table with 'show route forwarding-table' will reveal if the next-hop or label information differs from the routing table, which is a classic symptom of a hardware programming issue or a transient PFE problem.

Exam trap

The trap here is that candidates assume a successful ping from the loopback confirms end-to-end forwarding, but the loopback ping uses a different path (e.g., in-band management) and does not test the specific MPLS label path for the customer prefixes, masking the forwarding table discrepancy.

How to eliminate wrong answers

Option A is wrong because CRC errors or interface drops would cause persistent or pattern-based failures, not intermittent failures that last seconds and recover, and the ping from the loopback succeeds, indicating the interface is functional. Option C is wrong because the BGP session is established and not flapping, so route flapping is not the cause; the issue is in the forwarding plane, not the control plane session. Option D is wrong because MPLS labels are correctly assigned and the LSP is up, as confirmed by the successful ping from the loopback, so the label switching table is not the source of the intermittent failure.

36
MCQmedium

A Juniper EX switch has two VLANs configured, each with an IRB interface assigned an IP address. Pings between hosts in different VLANs fail. What is the most likely missing configuration?

A.The VLANs are not configured with the same VLAN ID
B.IP routing is not enabled globally: set routing-options router-id 10.0.0.1; set routing-options rib inet.0 static route 0.0.0.0/0 next-hop 203.0.113.1
C.The switch needs an external router configured for VLAN routing
D.The IRB interfaces are not in the same routing instance
AnswerB

Inter-VLAN routing requires IP routing to be enabled. The switch forwards between IRBs only if routing is on.

Why this answer

Option B is correct because on a Juniper EX switch, inter-VLAN routing requires IP routing to be explicitly enabled. By default, routing is disabled on Juniper switches, so even with IRB interfaces configured, traffic between VLANs will not be forwarded unless routing is enabled globally using the `set routing-options router-id` command (which activates the routing engine) and a default route is configured to provide a next-hop for inter-VLAN traffic. Without this, the switch will not perform Layer 3 forwarding between the IRB interfaces.

Exam trap

The trap here is that candidates assume IRB interfaces automatically enable inter-VLAN routing, similar to Cisco SVIs, but Juniper requires explicit routing configuration to activate Layer 3 forwarding.

How to eliminate wrong answers

Option A is wrong because VLAN IDs must be unique per VLAN, but they do not need to be the same; in fact, different VLANs must have different VLAN IDs. Option C is wrong because a Juniper EX switch can perform inter-VLAN routing internally using IRB interfaces without an external router, provided IP routing is enabled. Option D is wrong because IRB interfaces for different VLANs are typically placed in the same default routing instance (inet.0) to enable routing between them; placing them in different routing instances would isolate them, but the question states they are configured on the same switch, so the missing configuration is routing enablement, not routing instance separation.

37
MCQhard

Refer to the exhibit. The administrator has verified that the remote router's interface uses PPP encapsulation. What is the most likely cause of the link not passing traffic?

A.The interface has a speed mismatch.
B.The encapsulation type is mismatched.
C.The interface is using the wrong IP address.
D.The interface is administratively down.
AnswerB

Correct. HDLC and PPP are incompatible encapsulation types, preventing data transmission.

Why this answer

Option C is correct. The exhibit shows the local interface is configured with HDLC encapsulation, while the remote uses PPP. This encapsulation mismatch prevents Layer 2 communication.

Options A and B are incorrect because the physical link is up and enabled. Option D is incorrect because an IP address mismatch would allow Layer 2 connectivity but prevent Layer 3 routing.

38
MCQhard

A company is deploying an EVPN-VXLAN fabric with Juniper QFX switches. To provide inter-subnet routing, which interface type must be configured?

A.Physical interface with vlan-tagging
B.VXLAN tunnel endpoint (VTEP)
C.IRB interface
D.Loopback interface
AnswerC

IRB provides Layer 3 gateway for VLANs.

Why this answer

In an EVPN-VXLAN fabric, Integrated Routing and Bridging (IRB) interfaces are required to provide inter-subnet routing. IRB interfaces act as Layer 3 gateways within the VXLAN overlay, enabling routing between different VLANs/VXLANs by terminating both the bridge domain and the routing instance. Without IRB, traffic cannot be routed between subnets in the EVPN-VXLAN fabric.

Exam trap

The trap here is that candidates often confuse VTEPs (which handle tunneling) with the routing function, mistakenly thinking that configuring a VTEP alone enables inter-subnet routing, when in fact an IRB interface is required to act as the Layer 3 gateway.

How to eliminate wrong answers

Option A is wrong because a physical interface with vlan-tagging is used for trunking multiple VLANs on a single physical port, but it does not provide Layer 3 routing between subnets in an EVPN-VXLAN fabric. Option B is wrong because a VXLAN tunnel endpoint (VTEP) is responsible for encapsulating and decapsulating VXLAN traffic, but it does not perform routing; routing requires a separate logical interface like IRB. Option D is wrong because a loopback interface is a virtual interface used for management, OSPF router ID, or BGP peering, but it cannot serve as a gateway for inter-subnet routing in the overlay.

39
MCQhard

Two routers are connected via a point-to-point Ethernet link. They are configured with IP addresses in the same subnet, but OSPF does not form an adjacency. The link is up/up. What is a likely cause?

A.The routers are in different OSPF areas
B.OSPF authentication is configured on one router but not the other
C.The routers have the same router ID
D.The OSPF hello and dead intervals are mismatched
AnswerD

Routers must match hello and dead intervals to form an adjacency.

Why this answer

OSPF requires that Hello and Dead intervals match between neighbors on a point-to-point link to form an adjacency. Even though the link is up/up and IP addresses are in the same subnet, mismatched timers prevent the routers from agreeing on neighbor state, so no adjacency forms.

Exam trap

The trap here is that candidates often assume IP connectivity or subnet matching is sufficient for OSPF adjacency, but OSPF has strict timer matching requirements that are frequently tested as a subtle failure cause.

How to eliminate wrong answers

Option A is wrong because OSPF routers in different areas can still form an adjacency over a point-to-point link as long as they share a common area; area mismatch would prevent adjacency only if they are not configured with a shared area. Option B is wrong because OSPF authentication mismatch (one router configured, the other not) would cause authentication failures in OSPF packets, preventing adjacency, but this is not the most likely cause given the question's context of a simple point-to-point Ethernet link. Option C is wrong because identical router IDs would cause a conflict, but OSPF will still attempt to form an adjacency and may log a duplicate ID error; however, the most common and direct cause of no adjacency with a working link is mismatched Hello/Dead intervals.

40
MCQmedium

A Juniper router is configured with two static routes to the same destination network, both with the same preference. One route has a metric of 5, the other a metric of 10. Which route will be installed in the routing table?

A.Neither route is installed because they conflict
B.The route with metric 5 is installed
C.The route with metric 10 is installed
D.Both routes are installed with equal preference
AnswerB

Lower metric is preferred when preference is equal.

Why this answer

In JUNOS, when multiple static routes to the same destination have the same preference (administrative distance), the route with the lower metric is selected for installation in the routing table. Here, metric 5 is lower than metric 10, so the route with metric 5 is installed. This behavior follows the standard route selection process where preference is evaluated first, then metric (also called cost or next-hop metric) as a tiebreaker.

Exam trap

The trap here is that candidates often confuse metric with preference or assume that both routes will be installed for load balancing, but JUNOS requires equal metrics (and equal preferences) for ECMP, not just equal preferences.

How to eliminate wrong answers

Option A is wrong because static routes to the same destination with different metrics do not conflict; JUNOS can select one based on metric when preference is equal. Option C is wrong because the route with metric 10 is not installed; the lower metric (5) is preferred, not the higher one. Option D is wrong because both routes are not installed with equal preference; only the best metric route is installed, and JUNOS does not install multiple equal-preference static routes to the same destination unless they have equal metrics (and even then, only one is typically active).

41
MCQeasy

An administrator needs to ensure that traffic from the 192.168.1.0/24 subnet is allowed to reach the internet through a Juniper SRX firewall. The SRX is configured with security policies. Which policy element is required to permit this traffic?

A.Source address
B.Application
C.Destination zone
D.Source zone
AnswerD

A security policy must specify a source zone to match incoming traffic.

Why this answer

In Juniper SRX security policies, the source zone is a mandatory element that defines the origin of the traffic. Since the traffic originates from the 192.168.1.0/24 subnet, the policy must specify the source zone (e.g., 'trust' or 'internal') to match the incoming traffic and permit it toward the internet (destination zone, e.g., 'untrust'). Without a source zone, the policy cannot be applied to the correct traffic flow.

Exam trap

The trap here is that candidates often focus on the source address (192.168.1.0/24) as the key element, but Juniper policies require a zone-based approach where the source zone is mandatory, not the source address, which is only an optional match condition.

How to eliminate wrong answers

Option A is wrong because a source address is not a required policy element; it is an optional match condition that can refine the policy, but the policy itself requires a source zone to define the traffic's origin. Option B is wrong because an application is optional in Juniper security policies; if omitted, the policy defaults to 'any' application, and it is not mandatory for permitting traffic. Option C is wrong because the destination zone is required for the policy to define where traffic is going, but the question asks which element is required to permit this traffic from the subnet; the source zone is equally required, and the destination zone alone cannot permit traffic without a source zone.

42
MCQeasy

A medium-sized enterprise has its headquarters (HQ) and a remote branch office connected via a dedicated point-to-point link. The HQ router (Juniper MX) has interface ge-0/0/1 with IP 10.0.0.1/30 connected to the branch router (Juniper SRX) interface ge-0/0/0 with IP 10.0.0.2/30. The branch LAN is 192.168.2.0/24, and the HQ LAN is 10.0.1.0/24. The branch router has a default route pointing to 10.0.0.1. The HQ router has a static route for 192.168.2.0/24 with next-hop 10.0.0.2, but it was recently changed incorrectly to point to 10.0.0.10 due to a configuration error. Users at the branch report that they can access the internet via the HQ router but cannot reach the HQ LAN's file server at 10.0.1.100. From the HQ router, you can ping the branch router's interface IP (10.0.0.2) successfully, but you cannot ping any device in the branch LAN (192.168.2.0/24). You check the routing table on the HQ router and see that the static route for 192.168.2.0/24 points to 10.0.0.10. What is the most appropriate corrective action?

A.Add a static route on the branch router for 10.0.1.0/24 pointing to 10.0.0.1.
B.Remove the static route and rely on the default route on the branch router.
C.Enable proxy ARP on the HQ router's ge-0/0/1 interface.
D.Change the static route on the HQ router to point to 10.0.0.2.
AnswerD

Correct. This corrects the next-hop to the branch router's interface, enabling reachability to the branch LAN.

Why this answer

Option A is correct. The incorrect static route on the HQ router is pointing to a nonexistent next-hop (10.0.0.10), so traffic to the branch LAN is not forwarded. Changing the next-hop to 10.0.0.2 (the branch router's interface) restores the route.

Option B is unnecessary because the branch router's default route already covers the HQ LAN. Option C (proxy ARP) does not fix a routing table issue. Option D would remove the route entirely, breaking connectivity to the branch LAN.

43
MCQeasy

A network engineer is troubleshooting connectivity between two hosts on the same VLAN connected to different Juniper EX switches. The MAC address table on each switch shows the correct MAC addresses for both hosts, but ping fails. What is the most likely cause?

A.The VLAN is not allowed on the trunk between the switches
B.The hosts are configured with IP addresses in different subnets
C.The ARP cache on the hosts is stale
D.Spanning Tree Protocol is blocking a port
AnswerA

If the VLAN is not allowed on the trunk, frames are dropped, even though MAC addresses are learned on access ports.

Why this answer

If both hosts are on the same VLAN and their MAC addresses are correctly learned on each switch, the issue is likely that the VLAN is not allowed on the trunk link connecting the switches. Without the VLAN being permitted on the trunk, frames from that VLAN will be dropped at the trunk interface, preventing Layer 2 communication between the hosts even though the MAC tables are correct.

Exam trap

The trap here is that candidates often assume MAC table correctness implies full Layer 2 connectivity, overlooking the trunk VLAN filtering mechanism that can drop frames even when MAC addresses are learned.

How to eliminate wrong answers

Option B is wrong because if the hosts were in different subnets, they would need a router to communicate, but the question specifies they are on the same VLAN, which implies the same subnet; ping failure due to subnet mismatch would be a Layer 3 issue, not a Layer 2 MAC table problem. Option C is wrong because a stale ARP cache would cause a Layer 3 issue (hosts would have incorrect IP-to-MAC mappings), but the MAC tables on the switches are correct, indicating that ARP resolution has succeeded; ping failure here is not due to ARP. Option D is wrong because Spanning Tree Protocol (STP) blocking a port would prevent MAC address learning on that port, but the question states the MAC address tables are correct, meaning STP is not blocking the relevant ports; STP blocking would also show the port in a blocking state in the STP topology.

44
MCQhard

You are a network engineer for a large enterprise deploying a new data center using a spine-and-leaf architecture with Juniper QFX5100 switches. The underlay network uses OSPF for loopback reachability, and the overlay uses EBGP for EVPN. The leaf switches are configured as VTEPs (Virtual Tunnel Endpoints). One of the leaf switches, leaf-03, cannot establish OSPF adjacency with its spine switch, spine-01. The interfaces are up/up and the IP addresses are correctly configured. 'show ospf neighbor' on leaf-03 returns nothing. 'show ospf interface' shows the interface is in state DOWN. Both switches are configured with the same OSPF area (0.0.0.0) and the same hello interval (10 seconds). The MTU on both sides is 1500. Authentication is not configured. The spine switch has multiple OSPF neighbors from other leaves. The network is in production and other leaf switches are working fine. What is the most likely cause of the problem?

A.The OSPF network type is not consistent between the two switches.
B.The interface MTU is misconfigured on one side.
C.OSPF is disabled on the interface at the leaf switch.
D.Duplicate router ID on leaf-03 and spine-01.
AnswerC

If OSPF is not enabled on the interface, the OSPF interface state will be down.

Why this answer

Option B is correct because if the OSPF interface is down on leaf-03 but up/up at Layer 1, the most likely cause is that OSPF is disabled on that interface, or there is an OSPF passive interface configuration. Option A is wrong - router ID duplication would cause both to have issues, but other leaves are fine. Option C is wrong - if network type mismatch, the interface would still be up but adjacency would not form, but the interface state would be up (not down).

Option D is wrong - MTU mismatch would be at L3, but interface state would be up with adjacency failing.

45
MCQmedium

Refer to the exhibit. A host connected to ge-0/0/1 cannot reach a host connected to ge-0/0/2 even though both are in VLAN10. What is the most likely cause?

A.VLAN10 is not defined in the global VLAN configuration.
B.The hosts are configured with IP addresses on different subnets.
C.An IRB interface for VLAN10 is not configured.
D.The interface ge-0/0/2 is configured as a trunk port.
AnswerB

They can't communicate at Layer 2? Actually Layer 2 doesn't care about IP. So this is tricky. Actually within same VLAN, IP subnet must match for Layer 3, but Layer 2 should work. However if hosts are on different subnets, they need a router. But the question says 'cannot reach' - likely they try to ping. If on different subnets, they need default gateway. So the most likely cause is they are on different subnets and no gateway. Alternatively, the switch might have port security. But given typical JNCIA, this is plausible.

Why this answer

Option B is correct because for two hosts in the same VLAN to communicate at Layer 2, they must be in the same IP subnet. If the hosts are configured with IP addresses on different subnets, they will attempt to route traffic through a default gateway rather than sending ARP requests directly, causing communication failure even though they are in the same broadcast domain.

Exam trap

The trap here is that candidates often assume VLAN membership alone guarantees IP connectivity, overlooking the fundamental requirement that hosts must share the same IP subnet for direct Layer 2 communication.

How to eliminate wrong answers

Option A is wrong because VLAN10 does not need to be globally defined in the VLAN configuration for it to function; VLANs can be created dynamically on trunk ports or by simply assigning interfaces to a VLAN ID. Option C is wrong because an IRB (Integrated Routing and Bridging) interface is only required for Layer 3 routing between VLANs or for the VLAN to have an IP address for management; hosts within the same VLAN can communicate at Layer 2 without any IRB. Option D is wrong because if ge-0/0/2 were configured as a trunk port, it could still carry VLAN10 traffic as long as VLAN10 is allowed on that trunk; the trunk configuration alone does not prevent communication between hosts in the same VLAN.

46
Multi-Selecteasy

Which TWO statements about ARP are correct? (Select two.)

Select 2 answers
A.ARP request is sent to the broadcast MAC address
B.ARP request is sent to a multicast MAC address
C.ARP reply is sent to the broadcast MAC address
D.ARP is used for both IPv4 and IPv6
E.ARP reply is sent directly to the requesting host's MAC address
AnswersA, E

ARP requests are broadcast to all hosts in the subnet.

Why this answer

Option A is correct because an ARP request is sent as a broadcast frame to the destination MAC address FF:FF:FF:FF:FF:FF, ensuring all hosts on the local network segment receive it. This allows the host with the target IP address to respond. Option E is correct because the ARP reply is unicast directly to the requesting host's MAC address, which was learned from the source hardware address field in the ARP request.

Exam trap

The trap here is that candidates often confuse ARP with IPv6 Neighbor Discovery, mistakenly thinking ARP works for both IPv4 and IPv6, or they assume ARP replies are broadcast because ARP requests are broadcast.

Ready to test yourself?

Try a timed practice session using only Networking Fundamentals questions.