Question 462 of 514
Junos Configuration Basics · Hard · Multiple Choice · Objective-mapped

Quick Answer

The correct change is to insert a term 0 before term 1 to permit SNMP from 10.1.1.1. This works because Junos firewall filters are evaluated sequentially from the lowest term number; a packet is immediately accepted or rejected upon the first match, so placing the specific permit rule before the broader deny rule ensures the host 10.1.1.1 is allowed while the rest of the 10.0.0.0/8 subnet remains blocked. On the JNCIA-Junos exam, this concept tests your understanding of filter evaluation order and the importance of term sequencing, often appearing in scenario-based questions where a specific host must be allowed before a subnet-wide deny. A common trap is placing the permit term after the deny, which would cause the specific host to be rejected by the earlier broader rule. Remember the memory tip: "Specific before general, permit before deny" — think of it as letting the VIP through the gate before closing it on the crowd.

JNCIA-JUNOS Junos Configuration Basics Practice Question

This JNCIA-JUNOS practice question tests your understanding of Junos configuration basics. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

user@router> show configuration interfaces ge-0/0/1
unit 0 {
    family inet {
        filter {
            input BLOCK-SNMP;
        }
        address 192.168.1.1/24;
    }
}
user@router> show configuration firewall family inet filter BLOCK-SNMP
term 1 {
    from {
        source-address {
            10.0.0.0/8;
        }
        protocol udp;
        port 161;
    }
    then {
        reject;
    }
}
term 2 {
    then accept;
}

Refer to the exhibit. An engineer notices that SNMP traffic from source 10.1.1.1 is being rejected on interface ge-0/0/1. The engineer wants to allow SNMP from this source while still blocking other SNMP traffic from the 10.0.0.0/8 range. Which change should be made?

Correct answer & explanation

Insert a term 0 before term 1 to permit SNMP from 10.1.1.1

Option C is correct because firewall filters in Junos are evaluated sequentially from the lowest term number. By inserting a new term 0 before the existing term 1 that explicitly permits SNMP traffic (UDP ports 161/162) from source 10.1.1.1, the filter will match and accept this traffic before reaching the deny term for the 10.0.0.0/8 range. This ensures the specific host is allowed while still blocking other SNMP traffic from the broader subnet.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Add a term at the end to permit all from 10.1.1.1

    Why it's wrong here

    The new term would be evaluated after the reject term, so it would be ineffective.

  • Change the source-address in term 1 to 10.0.0.0/8 except 10.1.1.1

    Why it's wrong here

    Not possible with a single prefix; would require a separate term.

  • Insert a term 0 before term 1 to permit SNMP from 10.1.1.1

    Why this is correct

    This allows the specific source before blocking the remainder.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Remove the filter and apply a new filter that permits SNMP from 10.1.1.1

    Why it's wrong here

    Overkill; the existing filter can be modified.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often think they can use an 'except' keyword or add a term at the end to override a previous deny, not realizing that Junos filters stop processing after the first match and do not support exclusion syntax within a source-address match.

Detailed technical explanation

How to think about this question

Junos firewall filters use an ordered list of terms, each with match conditions and then an action (accept, reject, discard). The filter is processed top-down, and the first matching term determines the action—subsequent terms are ignored. This sequential evaluation is fundamental to Junos ACL design, similar to Cisco IOS but with different syntax. In real-world scenarios, inserting a term at the correct position (using the insert command or by editing the configuration) is critical to avoid accidentally permitting or blocking unintended traffic.
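
The first-match behaviour described above, as an added example (not part of the original page and not Juniper code): a small Python model of the BLOCK-SNMP filter that evaluates three constructed packets against the exhibit, against a permit term appended last, and against the permit term placed first. The contents of term 0 (10.1.1.1/32, UDP, port 161), the packet values and all function names are assumptions made for illustration; list order stands for the order of terms in the configuration.

```python
import ipaddress

# Terms as (name, match, action). An empty match dict matches every packet,
# like "term 2 { then accept; }" in the exhibit. Term 0 is an assumed permit term.
TERM_0 = ("0", {"src": "10.1.1.1/32", "proto": "udp", "port": 161}, "accept")
TERM_1 = ("1", {"src": "10.0.0.0/8", "proto": "udp", "port": 161}, "reject")
TERM_2 = ("2", {}, "accept")

# List order stands for the order of terms in the configuration.
FILTERS = {
    "exhibit": [TERM_1, TERM_2],
    "permit_appended_last": [TERM_1, TERM_2, TERM_0],
    "permit_inserted_first": [TERM_0, TERM_1, TERM_2],
}

# Constructed sample packets (not captured traffic).
PACKETS = {
    "snmp_from_10.1.1.1": {"src": "10.1.1.1", "proto": "udp", "sport": 40000, "dport": 161},
    "snmp_from_10.2.2.2": {"src": "10.2.2.2", "proto": "udp", "sport": 40001, "dport": 161},
    "ssh_from_10.1.1.1": {"src": "10.1.1.1", "proto": "tcp", "sport": 40002, "dport": 22},
}

def term_matches(match, pkt):
    """Every condition present in a term must match (logical AND)."""
    if "src" in match:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(match["src"]):
            return False
    if "proto" in match and pkt["proto"] != match["proto"]:
        return False
    # The Junos "port" condition matches the source or the destination port.
    if "port" in match and match["port"] not in (pkt["sport"], pkt["dport"]):
        return False
    return True

def evaluate(terms, pkt):
    """Return (term name, action) of the first matching term; later terms are ignored."""
    for name, match, action in terms:
        if term_matches(match, pkt):
            return name, action
    return None, "discard"  # a packet that matches no term is discarded by default

def verdicts(filter_name):
    """Evaluate every sample packet against one variant of the filter."""
    return {label: evaluate(FILTERS[filter_name], pkt) for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name in FILTERS:
        print(name, verdicts(name))
```

On the device, a term created with `set` is appended to the end of the filter, so it is moved into place with `insert term 0 before term 1` at the `[edit firewall family inet filter BLOCK-SNMP]` level.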

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this JNCIA-JUNOS question test?

This question tests Junos Configuration Basics: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Insert a term 0 before term 1 to permit SNMP from 10.1.1.1 — Option C is correct because firewall filters in Junos are evaluated sequentially from the lowest term number. By inserting a new term 0 before the existing term 1 that explicitly permits SNMP traffic (UDP ports 161/162) from source 10.1.1.1, the filter will match and accept this traffic before reaching the deny term for the 10.0.0.0/8 range. This ensures the specific host is allowed while still blocking other SNMP traffic from the broader subnet.

What should I do if I get this JNCIA-JUNOS question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026

This JNCIA-JUNOS practice question is part of Courseiva's free Juniper Networks certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the JNCIA-JUNOS exam.