CCNA Junos Config Basics Questions

75 of 94 questions · Page 1/2 · Junos Config Basics topic · Answers revealed

1
MCQ · easy

A junior administrator wants to discard all uncommitted changes made in the current configuration session. Which command accomplishes this?

A. commit check
B. rollback 0
C. load factory-default
D. clear configuration
Answer: B

'rollback 0' reverses all uncommitted changes to the last committed configuration.

Why this answer

The `rollback 0` command reverts the candidate configuration to the active committed configuration, effectively discarding all uncommitted changes made during the current session. In Junos, configuration changes are stored in a candidate configuration until explicitly committed; `rollback 0` loads the last committed configuration (index 0) into the candidate, wiping out any uncommitted edits.

Exam trap

The trap here is that candidates familiar with Cisco IOS might expect a `clear configuration` command or think `commit check` discards changes, but Junos requires `rollback 0` to revert uncommitted edits without affecting the active configuration.

How to eliminate wrong answers

Option A is wrong because `commit check` only validates the syntax and semantics of the candidate configuration without committing it; it does not discard any changes. Option C is wrong because `load factory-default` overwrites the entire configuration with the factory-default settings, which is far more drastic than simply discarding uncommitted changes and would also remove committed configurations. Option D is wrong because `clear configuration` is not a valid Junos CLI command; the correct approach to discard uncommitted changes is `rollback 0`.

2
MCQ · medium

An engineer needs to add a set of configuration parameters to a group that can be inherited by multiple interfaces. Which configuration element should be used?

A. prefix lists
B. set default
C. configuration groups with apply-groups
D. load merge
Answer: C

Configuration groups allow defining reusable blocks of configuration that can be inherited using 'apply-groups'.

Why this answer

Configuration groups with apply-groups allow you to define a set of configuration parameters in a named group and then apply that group to multiple interfaces (or other hierarchy levels) using the 'apply-groups' statement. This enables inheritance and reduces repetitive configuration, which is the exact requirement in the question.

Exam trap

The trap here is that candidates may confuse 'load merge' (a file operation) with a configuration inheritance mechanism, or think 'set default' is a valid command for setting default interface parameters, when in fact Junos uses 'apply-groups' for this purpose.

How to eliminate wrong answers

Option A is wrong because prefix lists are used for route filtering (e.g., in routing policy) and cannot be inherited by interfaces as configuration parameters. Option B is wrong because 'set default' is not a valid Junos configuration element; the correct term for setting default values is 'apply-default' or using default configuration groups, but 'set default' does not exist. Option D is wrong because 'load merge' is a command used to merge a configuration file into the active configuration, not a mechanism for defining reusable, inheritable configuration groups.

3
MCQ · easy

An engineer wants to revert all uncommitted changes in the candidate configuration and start fresh from the currently active configuration. Which command should be used?

A. rollback 0
B. commit check
C. rollback 1
D. load override terminal
Answer: A

This sets the candidate to match the active configuration, discarding uncommitted changes.

Why this answer

The `rollback 0` command reverts all uncommitted changes in the candidate configuration and restores it to match the currently active configuration (the one most recently committed). This is because Junos stores the last 50 committed configurations, with index 0 always representing the active configuration. Using `rollback 0` effectively discards any uncommitted edits and starts fresh from the last committed state.

Exam trap

The trap here is that candidates often confuse `rollback 0` with `rollback 1`, mistakenly thinking that `rollback 1` reverts uncommitted changes, when in fact `rollback 1` reverts to the configuration before the last commit, not the current active configuration.

How to eliminate wrong answers

Option B is wrong because `commit check` only validates the syntax and semantics of the candidate configuration without committing it; it does not revert any changes. Option C is wrong because `rollback 1` reverts to the configuration that was active before the most recent commit (the previous committed version), not to the currently active configuration. Option D is wrong because `load override terminal` replaces the entire candidate configuration with text entered via the terminal, but it does not automatically revert to the active configuration; it requires manual input and is not a simple undo of uncommitted changes.

4
MCQ · easy

A Juniper device has multiple candidate configurations loaded. The administrator wants to discard all uncommitted changes and revert to the last committed configuration. Which command should be used?

A. rollback 0
B. delete configuration
C. clear configuration
D. load override terminal
Answer: A

Reverts the candidate configuration to the last committed one.

Why this answer

Option A is correct because the 'rollback 0' command reverts the candidate configuration to the last committed configuration, discarding all uncommitted changes. In Junos, the rollback command uses a numeric index where 0 always refers to the most recently committed configuration, effectively undoing any uncommitted edits.

Exam trap

The trap here is that candidates may confuse 'rollback 0' with 'rollback 1', thinking 0 means 'no rollback' or that a higher number is needed to revert changes, when in fact 0 discards uncommitted edits and 1 reverts the last commit.

How to eliminate wrong answers

Option B is wrong because 'delete configuration' is not a valid Junos command; the correct approach to remove configuration is using 'delete' within configuration mode for specific statements, not a global delete. Option C is wrong because 'clear configuration' is not a valid Junos command; 'clear' is used for operational tasks like clearing counters or logs, not for reverting configuration. Option D is wrong because 'load override terminal' is used to replace the entire candidate configuration with text pasted from the terminal, but it does not revert to the last committed configuration; it loads new configuration from scratch.

5
MCQ · easy

Refer to the exhibit. A route policy named DENY-RFC1918 is configured. What is the final action of this policy for a route matching 172.20.0.0/16?

A. The route is rejected because it matches the prefix list.
B. The route is accepted because it does not match the prefix list.
C. The route is accepted because term 2 accepts all routes.
D. The route is rejected only if the prefix is exactly 172.16.0.0/12.
Answer: A

Correct; it matches the prefix list and term 1 rejects.

Why this answer

The route policy DENY-RFC1918 uses a prefix list that matches RFC 1918 private addresses, including 172.20.0.0/16 (which falls within the 172.16.0.0/12 range). Since the route matches the prefix list, term 1 applies a 'reject' action, and because no subsequent term explicitly accepts the route, the final action is reject.

Exam trap

The trap here is that candidates often assume a prefix list requires an exact prefix-length match, but in Junos, a route with a longer prefix length (e.g., /16) within the listed prefix (e.g., /12) is considered a match, causing the route to be rejected.

How to eliminate wrong answers

Option B is wrong because the route 172.20.0.0/16 does match the prefix list (it is within 172.16.0.0/12), so it is not accepted by default. Option C is wrong because term 2 only accepts routes that do not match the prefix list; since this route matches, term 2 does not apply. Option D is wrong because the prefix list uses a longer prefix length match (e.g., /16 within /12), not an exact match requirement; the route is rejected regardless of whether it is exactly 172.16.0.0/12.

6
MCQ · easy

An engineer has modified the configuration and wants to apply changes but also wants to verify that the changes are syntactically correct before committing. What command should the engineer use?

A. rollback
B. commit confirmed
C. commit check
D. commit
Answer: C

This validates syntax without committing.

Why this answer

The `commit check` command validates the candidate configuration for syntax errors without activating it. This allows the engineer to verify that the changes are syntactically correct before committing, ensuring the configuration is valid and reducing the risk of committing a broken configuration.

Exam trap

The trap here is that candidates confuse `commit check` with `commit confirmed`, thinking both validate syntax, but `commit confirmed` actually commits the configuration and relies on a rollback timer, not a pre-commit syntax check.

How to eliminate wrong answers

Option A is wrong because `rollback` reverts the candidate configuration to a previously committed configuration, not to validate syntax. Option B is wrong because `commit confirmed` commits the configuration but automatically rolls back after a timeout if not confirmed, which does not verify syntax before committing. Option D is wrong because `commit` applies the candidate configuration immediately without any prior syntax validation, which could activate a faulty configuration.

7
MCQ · hard

A network administrator needs to temporarily disable a set of configuration statements for testing without deleting them. Which approach should be used?

A. use the 'deactivate' command to mark the statements inactive
B. delete the statements and later re-add from a backup
C. comment out the lines using #
D. set the configuration to a different group and remove apply-groups
Answer: A

'deactivate' makes the configuration inactive without removing it, allowing easy reactivation.

Why this answer

Option A is correct because the 'deactivate' command in Junos allows an administrator to temporarily disable a set of configuration statements without removing them from the configuration. When a statement is deactivated, it is prefixed with 'inactive:' in the configuration hierarchy, and the commit operation ignores it. This is ideal for testing changes, as the statements can be easily re-enabled using the 'activate' command.

Exam trap

The trap here is that candidates familiar with Cisco IOS may assume that commenting out lines with '!' or '#' is a valid method, but Junos uses a structured hierarchy and requires the 'deactivate' command for temporary disabling.

How to eliminate wrong answers

Option B is wrong because deleting configuration statements and later re-adding them from a backup is error-prone, time-consuming, and does not provide a simple toggle mechanism for testing. Option C is wrong because Junos does not support using '#' to comment out configuration lines; the '#' character is used for comments in shell scripts, not in the Junos configuration hierarchy. Option D is wrong because setting the configuration to a different group and removing apply-groups is a complex workaround that affects the entire group configuration and is not a direct method for temporarily disabling individual statements.

8
MCQ · hard

While in configuration mode, an administrator wants to see the difference between the candidate configuration and the active configuration. Which command accomplishes this?

A. show configuration
B. run show configuration
C. show | compare
D. show system commit
Answer: C

Shows changes between candidate and active.

Why this answer

Option C is correct because the 'show | compare' command, when executed in configuration mode, displays the differences between the candidate configuration and the active (committed) configuration. This pipe filter compares the current candidate configuration against the last committed configuration, highlighting additions, deletions, and changes, which is the exact requirement for seeing the difference.

Exam trap

The trap here is that candidates confuse 'show configuration' (which shows the full candidate config) with 'show | compare' (which shows only the differences), or they mistakenly think 'run show configuration' provides a diff, when it simply runs the same full-config display command from operational mode.

How to eliminate wrong answers

Option A is wrong because 'show configuration' in configuration mode displays the entire candidate configuration, not the difference between candidate and active configurations. Option B is wrong because 'run show configuration' executes the operational mode command 'show configuration' from within configuration mode, which also shows the full candidate configuration, not a comparison. Option D is wrong because 'show system commit' displays the commit history (list of past commits with timestamps and IDs), not a diff between candidate and active configurations.

9
MCQ · hard

A company runs a Juniper SRX firewall cluster consisting of two nodes (node0 primary, node1 secondary). The cluster has been stable. During maintenance, you modify the configuration on node0 and commit. After the commit, the cluster status shows node1 as 'ineligible'. You suspect a configuration mismatch. What should you do to synchronize the configuration without disrupting traffic?

A. On the primary node, execute 'commit synchronize'.
B. Reboot both nodes to force synchronization.
C. Manually copy the configuration file from primary to secondary.
D. On the secondary node, execute 'commit synchronize'.
Answer: A

This synchronizes the configuration from primary to secondary.

Why this answer

The 'commit synchronize' command on the primary node (node0) pushes the active configuration to the secondary node (node1) and commits it on both nodes, ensuring configuration consistency without requiring a reboot or traffic disruption. In a Juniper SRX cluster, the primary node is the authoritative source for configuration synchronization, and this command is the standard method to resolve a configuration mismatch that causes a node to become 'ineligible'.

Exam trap

The trap here is that candidates may think the secondary node can initiate synchronization (option D) or that a manual file copy (option C) is acceptable, but Juniper clusters require the primary to be the source of truth for configuration synchronization to maintain cluster integrity and avoid split-brain scenarios.

How to eliminate wrong answers

Option B is wrong because rebooting both nodes is an unnecessary and disruptive action that would cause traffic loss; it does not directly synchronize the configuration and may not resolve the mismatch if the secondary's configuration remains out of sync. Option C is wrong because manually copying the configuration file from primary to secondary is not a supported or safe method in a cluster; it bypasses Junos's internal synchronization mechanisms and could lead to file corruption or cluster instability. Option D is wrong because executing 'commit synchronize' on the secondary node (node1) is ineffective; the secondary node cannot push its configuration to the primary, and the command would fail or not achieve synchronization since the primary is the authoritative source for cluster configuration.

10
Multi-Select · hard

Which THREE statements about commit options are true?

Select 3 answers
A. 'commit full' reinitializes the system.
B. 'commit confirmed' requires a second commit within the timeout to keep the changes.
C. 'commit synchronize' commits on both Routing Engines in a chassis cluster.
D. 'commit check' validates syntax without committing.
E. 'commit and-quit' commits and exits configuration mode.
Answers: B, C, D

If not confirmed, changes are automatically rolled back.

Why this answer

Option B is correct because the 'commit confirmed' command in Junos applies candidate configuration changes temporarily, and if a second commit (or 'commit check') is not performed within the default 10-minute timeout, the system automatically rolls back to the previous configuration. This is used to prevent lockout during remote management changes.

Exam trap

The trap here is that candidates may confuse 'commit full' with a system reboot or reinitialization, or assume 'commit and-quit' is a valid shortcut, when in fact Junos requires separate commit and exit commands.

11
Multi-Select · easy

Which TWO commands can be used to view the current active configuration on a Juniper device?

Select 2 answers
A. show interfaces terse
B. show|display set | match
C. show active configuration
D. show configuration
E. show configuration | display inherited
Answers: D, E

Displays the candidate configuration, which is the current active if no uncommitted changes.

Why this answer

Option D is correct because 'show configuration' displays the current active configuration in the default hierarchical format. Option E is correct because 'show configuration | display inherited' shows the active configuration with inherited configuration groups (e.g., from 'groups' or 'apply-groups') expanded inline, revealing the full effective configuration as applied to the device.

Exam trap

The trap here is that candidates may confuse 'show active configuration' (which does not exist) with the correct 'show configuration', or mistakenly think 'show interfaces terse' or a malformed pipe command can display configuration.

12
MCQ · hard

Refer to the exhibit. The administrator applied a firewall filter named BLOCK-ICMP on the inbound direction of ge-0/0/0. However, pings from the router to 10.0.0.2 are successful. Why is this?

A. The filter configuration is incorrect; the name should be within quotes.
B. The filter is applied to output traffic, not input traffic.
C. The BLOCK-ICMP filter allows ICMP by default.
D. The filter is applied to transit traffic only; locally generated traffic bypasses the input filter.
Answer: D

Locally generated packets exit via the output path, not input filter.

Why this answer

Option D is correct because in Junos, firewall filters applied to the input direction of an interface only affect transit traffic—packets that enter the interface and are destined for another device. Locally generated traffic, such as ICMP echo requests originated by the router itself, is not subject to input firewall filters; it is instead controlled by the loopback interface's firewall filter or the output filter. Since the ping originates from the router's control plane, it bypasses the input filter on ge-0/0/0, allowing the ping to 10.0.0.2 to succeed.

Exam trap

The trap here is that candidates often assume input firewall filters apply to all traffic entering an interface, including packets generated by the router itself, but Junos explicitly exempts locally originated traffic from input filters on physical interfaces.

How to eliminate wrong answers

Option A is wrong because Junos does not require firewall filter names to be enclosed in quotes; names without spaces or special characters are valid without quotes. Option B is wrong because the filter is explicitly applied to the 'input' direction (as stated in the question), not output traffic, and the issue is not about direction misapplication. Option C is wrong because firewall filters in Junos do not have an implicit 'allow' for any protocol; the default action at the end of a filter is to deny all traffic unless a term explicitly permits it, so ICMP would be blocked for transit traffic.

13
MCQ · hard

During troubleshooting, an engineer notices that BGP sessions are flapping. They suspect that the issue might be related to the maximum number of routes allowed. To see if the BGP import policy is rejecting routes, which operational command would provide immediate insight?

A. show version
B. show interfaces terse
C. show route protocol bgp
D. show bgp neighbor x.x.x.x
Answer: D

Displays BGP neighbor details including prefix counts and policy statistics.

Why this answer

Option D is correct because the 'show bgp neighbor x.x.x.x' command displays detailed BGP session information, including the number of received and accepted routes, as well as any prefix-limit or policy-related rejections. If the BGP import policy is rejecting routes due to exceeding the maximum allowed, this command will show the 'received prefixes' count alongside the 'accepted prefixes' count, immediately revealing if routes are being dropped. This provides direct insight into whether the flapping is caused by route limit enforcement.

Exam trap

The trap here is that candidates often think 'show route protocol bgp' will show all BGP routes including rejected ones, but it only shows routes that passed the import policy and were installed in the routing table, missing the critical rejection information that 'show bgp neighbor' provides.

How to eliminate wrong answers

Option A is wrong because 'show version' displays only the Junos OS version, system uptime, and hardware model, which is irrelevant to BGP route acceptance or policy rejection. Option B is wrong because 'show interfaces terse' shows interface status and IP addresses but provides no BGP-specific information such as route counts or policy actions. Option C is wrong because 'show route protocol bgp' displays the routing table entries learned via BGP, but it does not show rejected routes or the reason for rejection; it only shows routes that have already been accepted and installed, so it cannot reveal if the import policy is discarding routes.

14
MCQ · hard

Refer to the exhibit. An engineer configures interface ge-0/0/0 with both IPv4 and IPv6 addresses. The engineer notices that the interface is operationally up, but the IPv6 address is not pingable from a directly connected host. The host has an IPv6 address in the same subnet. What is the most likely cause?

A. The interface MTU is too small for IPv6 packets.
B. The interface does not have IPv6 neighbor discovery enabled.
C. The IPv6 address is not configured under the correct unit.
D. The interface has an IPv4 address, which prevents IPv6 from working.
Answer: B

IPv6 requires neighbor discovery to be enabled; without it, the router may not respond to NS/NA messages.

Why this answer

IPv6 neighbor discovery (ND) is required for address resolution and duplicate address detection on a link. If ND is not enabled on the interface, the router cannot respond to Neighbor Solicitation messages from the host, making the IPv6 address unreachable even though the interface is operationally up. In Junos, ND is enabled by default on IPv6-enabled interfaces, but it can be disabled with the 'no-neighbor-discovery' configuration statement.

Exam trap

The trap here is that candidates may assume IPv6 works automatically once an address is configured, overlooking that neighbor discovery is a separate protocol that must be enabled for basic connectivity on multi-access links.

How to eliminate wrong answers

Option A is wrong because the interface MTU being too small would typically cause fragmentation issues or packet drops, not a complete failure to ping; IPv6 requires a minimum MTU of 1280 bytes, and the default Ethernet MTU of 1500 bytes is sufficient. Option C is wrong because if the IPv6 address were not configured under the correct unit, the interface would not show the address in the configuration or operational state, and the question states the address is configured. Option D is wrong because IPv4 and IPv6 can coexist on the same interface (dual-stack) without interference; an IPv4 address does not prevent IPv6 from working.

15
MCQ · medium

Scenario: Your company has a Juniper SRX300 firewall used as a branch gateway. It runs Junos 15.1X49. The firewall has multiple security policies, NAT rules, and VPN tunnels. Recently, you added a new security policy to allow traffic from the internal network to a specific public server. After committing, you notice that the firewall is logging repeated denials for traffic that should be matched by the new policy. The policy appears correctly configured in the candidate configuration. You want to verify that the policy is actually active and check for any hidden rules that might be causing the issue. Which of the following is the most effective first step to troubleshoot this problem?

A. Roll back to the previous configuration to ensure the device is in a known state.
B. Run 'show configuration | display set | match policy' to verify the policy is present.
C. Run 'show security policies detail' and examine the policy order to see if a previous policy is denying the traffic.
D. Check the firewall logs with 'show log messages | match deny' to see which policy is denying.
Answer: C

This command displays all active security policies in sequence, helping identify ordering issues.

Why this answer

Option C is correct because the most common cause of traffic being denied despite a seemingly correct new policy is that a preceding policy in the security policy order matches the traffic and denies it before the new policy is evaluated. Junos security policies are evaluated in sequential order from top to bottom, and the first matching policy is applied. Running 'show security policies detail' displays the active policy order, including any hidden or default policies, allowing you to identify if a deny policy earlier in the list is intercepting the traffic.

Exam trap

The trap here is that candidates assume a correctly configured policy will automatically be applied, but Junos requires careful attention to policy order, and the exam tests whether you know to verify the active policy sequence rather than just the configuration syntax.

How to eliminate wrong answers

Option A is wrong because rolling back to a previous configuration is a disruptive step that does not help diagnose why the new policy is not being matched; it only reverts to an older state without revealing the policy order issue. Option B is wrong because 'show configuration | display set | match policy' only shows the candidate configuration, not the active policy order; the policy may be present in the configuration but still be overridden by a higher-priority deny policy in the active commit. Option D is wrong because checking logs with 'show log messages | match deny' can show that traffic is being denied, but it does not reveal which policy is responsible or the policy order; it only confirms the symptom, not the root cause.

16
Multi-Select · medium

Which TWO statements about configuration groups are correct? (Choose two.)

Select 2 answers
A. The 'apply-groups' statement is only valid at the top level of the configuration.
B. Configuration groups can only contain interface-related configuration.
C. The 'apply-groups' statement can be used to apply only specific statements from a group.
D. Multiple groups can be applied, and the order of application determines priority.
E. Configuration groups are defined under the 'groups' hierarchy.
Answers: D, E

Groups are processed in order; later groups override earlier ones.

Why this answer

Option D is correct because when multiple configuration groups are applied, the order of the 'apply-groups' statements determines the priority: the last group listed has the highest priority and overrides conflicting settings from earlier groups. This allows administrators to layer configuration changes predictably, with more specific groups overriding more general ones.

Exam trap

The trap here is that candidates often assume 'apply-groups' is only valid at the top level (Option A) or that groups are limited to interfaces (Option B), when in fact Junos allows groups at any hierarchy level and for any configuration stanza.

17
MCQ · medium

A network engineer is configuring a new Juniper device. They intend to apply a firewall filter to an interface to only allow SSH traffic from a specific management subnet. Which configuration approach best follows Juniper best practices?

A. Define the filter under 'firewall family inet' and apply it under 'interfaces ge-0/0/0 unit 0 family inet filter input filter-name'
B. Define the filter under 'firewall family inet' and apply it under 'interfaces lo0 unit 0 family inet filter input filter-name'
C. Define the filter under 'firewall family inet' and apply it under 'interfaces ge-0/0/0 unit 0 family inet input'
D. Define the filter under 'firewall family any' and apply it under 'interfaces ge-0/0/0 unit 0 family any filter input'
Answer: A

This follows Juniper best practices for applying firewall filters.

Why this answer

Option A is correct because it follows Juniper best practices by defining the firewall filter under the `firewall family inet` hierarchy (which is the standard location for IPv4 filters) and applying it as an input filter on the physical interface `ge-0/0/0 unit 0 family inet`. This configuration ensures that only SSH traffic from the specified management subnet is permitted inbound on that interface, while all other traffic is dropped by default (since firewall filters in Junos have an implicit deny at the end).

Exam trap

The trap here is that candidates often confuse the loopback interface (`lo0`) with a physical interface for applying filters, or they misremember the Junos CLI syntax by omitting the `filter` keyword or using an invalid family like `any`.

How to eliminate wrong answers

Option B is wrong because applying the filter to the loopback interface `lo0` would filter traffic destined to the device itself (e.g., management traffic), not traffic transiting the physical interface `ge-0/0/0`; the question specifies filtering traffic on a specific interface, not the loopback. Option C is wrong because the syntax `family inet input` is incomplete — the correct Junos CLI syntax requires the keyword `filter` before the filter name (i.e., `family inet filter input filter-name`); omitting `filter` would cause a commit error. Option D is wrong because `family any` is not a valid family type for firewall filters in Junos; filters must be defined under a specific address family (e.g., `inet` for IPv4, `inet6` for IPv6) and applied under the corresponding family on the interface.

18
MCQ · hard

Scenario: Your company has a Juniper MX Series router at a branch office running Junos 18.4. The device has been in production for two years with a stable configuration. Yesterday, a senior engineer made several changes to the OSPF configuration to optimize routing for a new link. They committed the changes and left for the day. This morning, the branch office experiences intermittent connectivity, and the OSPF neighbor relationships are flapping. You suspect the recent OSPF changes caused the issue. You have remote console access to the router. The goal is to restore network stability as quickly as possible while preserving the ability to re-apply the changes after troubleshooting. Which course of action should you take?

A. Use 'deactivate protocols ospf' to disable OSPF entirely and then manually re-enable pieces.
B. Immediately delete the OSPF configuration sections that were changed and re-add the original settings manually.
C. Use 'rollback 1' to revert to the configuration before the changes, then 'commit confirmed 10' to verify stability.
D. Perform a 'load factory-default' and 'commit' to reset the device to base settings, then reconfigure from backup.
Answer: C

Rollback to the previous commit (1) and commit confirmed provides quick restoration with safety.

Why this answer

Option C is correct because 'rollback 1' reverts the active configuration to the previous committed version (before the problematic OSPF changes), and 'commit confirmed 10' applies that rollback with a 10-minute confirmation timer. If connectivity stabilizes, the rollback becomes permanent; if not, the router automatically reverts to the previous configuration, ensuring no prolonged outage. This approach restores stability quickly while preserving the ability to later re-apply and test the OSPF changes in a controlled manner.

Exam trap

The trap here is that candidates may choose Option A (deactivate OSPF) thinking it is a quick fix, but they overlook that deactivating the entire protocol causes a complete routing disruption, whereas 'rollback' with 'commit confirmed' is the precise, safe, and reversible method Junos provides for this exact scenario.

How to eliminate wrong answers

Option A is wrong because 'deactivate protocols ospf' disables the entire OSPF process, which would drop all OSPF adjacencies and potentially cause a complete routing blackout, not just intermittent flapping, and it does not preserve the changed configuration for later re-application. Option B is wrong because manually deleting and re-adding configuration sections is error-prone, time-consuming, and does not leverage Junos's built-in rollback capability, which is the fastest and safest method to revert to a known-good state. Option D is wrong because 'load factory-default' resets the entire device to factory settings, wiping all configurations, including interfaces, security policies, and routing protocols, which would cause a total outage and require full reconfiguration from backup, far exceeding the goal of quickly restoring stability.

19
MCQ · medium

When configuring a new Juniper router, an engineer needs to ensure that configuration changes are not automatically committed after a certain time if not explicitly confirmed. Which configuration parameter controls this?

A. commit check
B. commit at
C. commit synchronize
D. commit confirmed
Answer: D

Requires confirmation; otherwise rolled back after timeout.

Why this answer

The 'commit confirmed' command is used to apply a configuration change that will automatically roll back to the previous configuration if not explicitly confirmed within a specified time period (default 10 minutes). This ensures that changes are not permanently applied unless the engineer verifies them, preventing accidental lockout or misconfiguration.

Exam trap

The trap here is that candidates often confuse 'commit confirmed' with 'commit at' or 'commit synchronize', thinking any time-based or dual-RE feature provides automatic rollback, but only 'commit confirmed' enforces a confirmation window to prevent permanent unverified changes.

How to eliminate wrong answers

Option A is wrong because 'commit check' only validates the syntax and semantics of the candidate configuration without committing it; it does not provide any automatic rollback mechanism. Option B is wrong because 'commit at' schedules a commit to occur at a specific future time, but once committed, the change is permanent and not automatically reverted. Option C is wrong because 'commit synchronize' is used on a dual Routing Engine system to commit the configuration on both REs simultaneously; it does not involve a confirmation timeout or automatic rollback.

20
MCQ · medium

A technician needs to load a new configuration file that replaces only the specific hierarchy paths present in the file, leaving all other existing configuration unchanged. Which load statement is appropriate?

A. load replace
B. load set
C. load override
D. load merge
Answer: D

'load merge' adds or replaces only the configuration statements in the file, preserving all other existing configuration.

Why this answer

The 'load merge' command is correct because it merges the contents of the specified configuration file with the current candidate configuration, adding or updating only the hierarchy paths present in the file while preserving all other existing configuration. This matches the requirement to replace only specific hierarchy paths without affecting the rest of the configuration.

Exam trap

The trap here is that candidates often confuse 'load merge' with 'load replace' or 'load override', mistakenly thinking 'replace' means partial replacement, when in fact 'replace' replaces the entire candidate configuration, while 'merge' is the correct command for targeted, non-destructive updates.

How to eliminate wrong answers

Option A is wrong because 'load replace' replaces the entire candidate configuration with the contents of the file, not just specific hierarchy paths. Option B is wrong because 'load set' is used to load a set of configuration commands (in 'set' format) and applies them sequentially, which can add or modify paths but does not inherently restrict changes to only the paths in the file—it can also delete or override if the set commands include 'delete' statements. Option C is wrong because 'load override' completely replaces the entire candidate configuration with the file, discarding all existing configuration.

21
MCQ · easy

You are a junior network engineer tasked with configuring a Juniper device for the first time. The device has just been powered on and you have console access. The device boots normally and shows the login prompt. There is no root password configured, but when you try to log in as root, you are prompted for a password. You do not have any previous configuration access. What should you do to gain access and begin configuring the device?

A. Contact support to obtain a password reset.
B. Press the space bar during boot, then type 'boot -s' at the loader prompt.
C. Use the default login root with no password by pressing Enter.
D. Press Ctrl+C during boot to enter recovery mode.
Answer: B

This boots into single-user mode without requiring a password.

Why this answer

Option B is correct because when a Juniper device has no root password set, the default behavior is to require a password at the login prompt, even if none was configured. To bypass this, you must interrupt the normal boot process by pressing the space bar during the boot sequence, then at the loader prompt type 'boot -s' to boot into single-user mode. Single-user mode grants root access without a password, allowing you to set a root password and proceed with configuration.

Exam trap

The trap here is that candidates assume a blank root password will work by default (Option C), similar to some older networking devices, but Junos explicitly requires a password even if none is configured, forcing the use of the single-user mode recovery procedure.

How to eliminate wrong answers

Option A is wrong because contacting support for a password reset is unnecessary; Juniper devices provide a built-in recovery mechanism via single-user mode that does not require external assistance. Option C is wrong because there is no default 'root with no password' login on Junos; even if no root password is configured, the system prompts for a password and will not accept a blank entry. Option D is wrong because pressing Ctrl+C during boot does not enter recovery mode; this key combination is typically used to abort a process or interrupt the bootloader in other systems, but on Junos it does not invoke single-user mode or password recovery.

22
Multi-Select · medium

Which TWO statements are true about the 'commit' operation in Junos?

Select 2 answers
A. The commit command validates the configuration syntax before applying it.
B. The commit command automatically saves the configuration to a file on the hard disk.
C. After a commit, the candidate configuration is replaced with the active configuration.
D. A commit can include a comment for documentation purposes.
E. A successful commit overwrites the rollback configurations.
Answers: A, D

Syntax validation is performed as part of the commit process.

Why this answer

Option A is correct because the 'commit' command in Junos performs a full syntax and consistency validation of the candidate configuration before applying it. If any errors are detected, the commit is aborted and the candidate configuration remains unchanged, ensuring the active configuration is never corrupted.

Exam trap

The trap here is that candidates often confuse the 'commit' operation with saving to persistent storage (like Cisco's 'copy running-config startup-config'), but in Junos, 'commit' only activates the configuration in memory and does not automatically write to a file; persistent storage requires an explicit save command.

23
Matching · medium

Match each Junos software process to its role.

Concepts
Matches

Management daemon for CLI and configuration

Routing protocol daemon

Device control daemon for interface configuration

Chassis daemon for hardware monitoring

SNMP agent daemon

Why these pairings

These are key daemons in the Junos architecture.

24
MCQ · easy

A network engineer wants to quickly restore the device to a known good configuration after a failed change. What is the recommended approach?

A. Use the 'request system configuration rescue save' command.
B. Use the 'rollback 0' command.
C. Use the 'rollback rescue' command.
D. Use the 'load override terminal' command.
Answer: C

Loads the previously saved rescue configuration.

Why this answer

Option C is correct because the 'rollback rescue' command restores the device to the rescue configuration, which is a known good configuration saved explicitly for recovery after a failed change. The rescue configuration is stored as a separate file and is not affected by normal commit operations, making it the recommended approach for quick restoration.

Exam trap

The trap here is that candidates confuse 'rollback rescue' with 'rollback 0', mistakenly thinking the most recent committed configuration is always a safe fallback, but 'rollback 0' includes the failed change if it was committed, whereas 'rollback rescue' restores a deliberately saved known good state.

How to eliminate wrong answers

Option A is wrong because 'request system configuration rescue save' is used to save the current active configuration as the rescue configuration, not to restore it; it is a save action, not a restore action. Option B is wrong because 'rollback 0' reverts to the most recently committed configuration, which may include the failed change if it was committed; it does not guarantee a known good state. Option D is wrong because 'load override terminal' is used to load a configuration from terminal input, overwriting the candidate configuration; it is not a quick restore mechanism and requires manual entry or pasting of configuration data.

25
MCQ · easy

Refer to the exhibit. What is the purpose of the 'family inet6' configuration on interface ge-0/0/0?

A. To enable both IPv4 and IPv6 on the interface.
B. To assign a global unicast IPv6 address to the interface.
C. To enable IPv6 ARP on the interface.
D. To assign a link-local IPv6 address to the interface.
Answer: B

The address 2001:db8::1/64 is a global unicast address configured under family inet6.

Why this answer

The 'family inet6' configuration on interface ge-0/0/0 enables IPv6 processing on that interface. Within the 'family inet6' hierarchy, you can assign a global unicast IPv6 address using the 'address' statement. Without 'family inet6', the interface cannot process IPv6 traffic or hold an IPv6 address, making option B correct.

Exam trap

The trap here is that candidates often assume 'family inet6' is needed to enable both IPv4 and IPv6, or that it is required for link-local addressing, when in fact link-local addresses are auto-generated and 'family inet6' alone does not enable IPv4.

How to eliminate wrong answers

Option A is wrong because 'family inet6' enables only IPv6; to enable both IPv4 and IPv6, you must configure both 'family inet' and 'family inet6' separately. Option C is wrong because IPv6 does not use ARP; it uses Neighbor Discovery Protocol (NDP) for address resolution, and there is no 'IPv6 ARP' feature. Option D is wrong because a link-local IPv6 address is automatically generated on any interface with 'family inet6' enabled, even without explicitly assigning one; the explicit 'address' statement under 'family inet6' is used for global unicast or unique local addresses, not for link-local.

26
Multi-Select · medium

Which THREE of the following are valid commit options in Junos?

Select 3 answers
A. commit full
B. commit no-sync
C. commit synchronize
D. commit confirmed 10
E. commit check
Answers: C, D, E

Synchronizes configuration in a chassis cluster.

Why this answer

Option C is correct because 'commit synchronize' is a valid Junos commit option used on a dual Routing Engine (RE) system to apply the configuration changes to both REs simultaneously, ensuring configuration consistency across the chassis. This command is essential for high-availability setups where both REs must share the same active configuration.

Exam trap

The trap here is that candidates confuse the Junos 'commit synchronize' with Cisco's 'commit' behavior on dual-supervisor systems, where Cisco does not require an explicit synchronize keyword for configuration replication, leading to the mistaken belief that 'commit full' or 'commit no-sync' are valid Junos options.

27
Matching · medium

Match each Junos configuration mode command to its purpose.

Concepts
Matches

Adds or modifies a configuration statement

Removes a configuration statement

Displays the current configuration

Activates the candidate configuration

Reverts to a previous configuration

Why these pairings

These are fundamental configuration mode commands in Junos.

28
MCQ · medium

An administrator wants to save the current configuration as a rescue configuration. Which command sequence is correct?

A. copy configuration rescue
B. request system configuration rescue save
C. save rescue-config
D. commit rescue
Answer: B

This command saves the current active configuration as the rescue configuration.

Why this answer

The correct command sequence to save the current configuration as a rescue configuration in Junos is 'request system configuration rescue save'. This command stores a copy of the active configuration as a rescue configuration, which can be loaded later using 'request system configuration rescue recover' if the device becomes unreachable or the configuration is corrupted. The rescue configuration is stored in a special file (rescue.conf.gz) and is not overwritten by normal commits.

Exam trap

The trap here is that candidates may confuse the rescue configuration with a normal configuration backup or commit operation, leading them to choose 'copy configuration rescue' or 'commit rescue' instead of the correct 'request system configuration rescue save' command.

How to eliminate wrong answers

Option A is wrong because 'copy configuration rescue' is not a valid Junos command; Junos uses the 'request system configuration rescue' hierarchy for rescue operations, not a 'copy' command. Option C is wrong because 'save rescue-config' is not a valid Junos command; the correct syntax uses 'request system configuration rescue save', and 'save' alone is used for saving configurations to files, not for rescue-specific operations. Option D is wrong because 'commit rescue' does not exist; the 'commit' command applies changes to the active configuration, but rescue configuration is managed separately via the 'request system configuration rescue' commands.

29
Multi-Select · hard

Which THREE statements about the 'commit' command are correct?

Select 3 answers
A. The 'commit check' command validates the syntax of the candidate configuration.
B. The 'commit synchronize' command is used on a dual-RE system to commit on both REs.
C. The 'commit full' command activates the configuration without performing any validation.
D. The 'commit' command can only be issued when no other users are in configuration mode.
E. The 'commit confirmed 5' command will roll back the configuration after 5 minutes if not confirmed.
Answers: A, B, E

Correct.

Why this answer

Option A is correct because the 'commit check' command validates the syntax and semantics of the candidate configuration without activating it. This allows an administrator to verify that the configuration is valid before committing, preventing potential errors from being applied to the active configuration.

Exam trap

The trap here is that candidates often confuse 'commit full' with a validation-skipping command, when in fact it performs a more thorough validation, and they may incorrectly assume that multiple users cannot commit simultaneously in Junos, unlike some other network operating systems.

30
MCQ · medium

An engineer needs to apply a configuration change to the Junos device that must survive a reboot. Which configuration mode command should be used to save the changes?

A. commit
B. commit confirmed
C. commit synchronize
D. commit check
Answer: A

'commit' saves the candidate configuration into the active configuration, which survives a reboot.

Why this answer

The 'commit' command is the standard way to apply a candidate configuration to the active configuration in Junos. When you issue 'commit', the changes are saved to the /config/juniper.conf.gz file, which is loaded upon reboot, ensuring the configuration survives a restart.

Exam trap

The trap here is that candidates may confuse 'commit' with 'commit confirmed', thinking the latter is required for persistence, but 'commit confirmed' is specifically designed for safe rollback during maintenance windows, not for permanent saves.

How to eliminate wrong answers

Option B is wrong because 'commit confirmed' temporarily activates the configuration but automatically rolls back to the previous configuration if not confirmed within the default 10-minute timeout, so it does not guarantee survival across a reboot unless explicitly confirmed. Option C is wrong because 'commit synchronize' is used in a chassis cluster to commit the configuration on both nodes simultaneously; it is not a general-purpose command for saving changes on a standalone device. Option D is wrong because 'commit check' only validates the syntax and semantics of the candidate configuration without applying or saving it, so no changes survive a reboot.

31
MCQ · easy

After making several configuration changes, an engineer wants to see what changes were made in the candidate configuration compared to the last committed configuration. Which command should be used?

A. show configuration
B. show configuration | compare
C. show system rollback
D. show log messages
Answer: B

Shows differences between candidate and committed.

Why this answer

Option B is correct because the 'show configuration | compare' command displays the differences between the candidate configuration and the active committed configuration. This pipe filter compares the current candidate configuration against the last committed configuration, showing added, changed, or deleted lines with '+' and '-' prefixes, which directly meets the engineer's requirement.

Exam trap

The trap here is that candidates confuse 'show configuration' (which outputs the full candidate config) with 'show configuration | compare' (which shows only the differences), or they mistakenly think 'show system rollback' provides a diff against the candidate rather than listing historical committed configurations.

How to eliminate wrong answers

Option A is wrong because 'show configuration' displays the entire candidate configuration, not the differences from the last committed configuration, so it does not highlight what changes were made. Option C is wrong because 'show system rollback' lists the available rollback snapshots (e.g., rollback 0, 1, 2) but does not show a comparison of the candidate configuration against the last committed configuration; it is used for viewing previous committed configurations. Option D is wrong because 'show log messages' displays system log messages (e.g., from the messages file), which contain operational events and errors, not a structured diff of configuration changes.

32
MCQ · medium

A network engineer needs to add an additional IP address to an interface that already has a primary IP configured. Which method should be used?

A. set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24
B. set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 secondary
C. set interfaces ge-0/0/0 unit 0 family inet secondary address 10.0.0.2/24
D. set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/24 primary
Answer: B

Correct syntax for adding a secondary address.

Why this answer

Option B is correct because in Junos, to add an additional IP address to an interface that already has a primary IP configured, you must append the 'secondary' keyword to the address configuration statement. This allows multiple IPv4 addresses on the same logical interface unit, with the first address assigned being the primary and subsequent addresses marked as secondary.

Exam trap

The trap here is that candidates familiar with Cisco IOS might use the 'secondary' keyword as a subcommand under the interface (e.g., 'ip address 10.0.0.2 255.255.255.0 secondary'), but in Junos, the correct syntax places 'secondary' after the address in the same configuration line, not as a separate hierarchy.

How to eliminate wrong answers

Option A is wrong because it attempts to configure a second IP address without the 'secondary' keyword, which would replace the existing primary address rather than add an additional one. Option C is wrong because the syntax 'set interfaces ... family inet secondary address' is invalid; the 'secondary' keyword is a property of the address, not a separate hierarchy level. Option D is wrong because the 'primary' keyword is used to designate a specific address as the primary when multiple addresses exist, not to add a new address; adding 'primary' to a new address would conflict with the existing primary.

33
MCQ · medium

Refer to the exhibit. What will happen if the engineer commits this configuration?

A. The interface will have two primary IP addresses.
B. The configuration will fail because inet and inet6 cannot coexist.
C. The interface will support both IPv4 and IPv6 traffic.
D. Only the family inet will be applied.
Answer: C

Dual-stack interface with both address families.

Why this answer

Option C is correct because the configuration shown includes both `family inet` and `family inet6` under the same interface. Junos allows multiple address families to coexist on a single interface, enabling the interface to process both IPv4 and IPv6 traffic simultaneously. This is a standard feature of Junos, not an error.

Exam trap

The trap here is that candidates may mistakenly think Junos requires separate interfaces for IPv4 and IPv6, or that configuring both families will cause a commit error, when in fact dual-stack is a standard and expected configuration in Junos.

How to eliminate wrong answers

Option A is wrong because Junos does not allow two primary IP addresses on the same interface; only one primary address per address family is permitted, and the configuration shows separate families, not two primaries in the same family. Option B is wrong because `inet` and `inet6` can absolutely coexist on a Junos interface; this is a fundamental capability of dual-stack networking, and Junos supports it natively. Option D is wrong because both `family inet` and `family inet6` are explicitly configured and will be applied; Junos does not ignore one family when both are present.

34
MCQ · hard

In a dual Routing Engine (RE) setup, an engineer commits a configuration change that should be applied to both REs synchronously. What is the correct command to ensure both REs receive the same configuration immediately?

A. commit confirmed
B. commit check synchronize
C. commit and-quit
D. commit synchronize
Answer: D

'commit synchronize' commits the configuration on both Routing Engines simultaneously.

Why this answer

Option D is correct because the 'commit synchronize' command commits the configuration on the master Routing Engine and then automatically copies and commits the same configuration to the backup RE, ensuring both REs have identical active configurations immediately. This is the standard Junos method for synchronizing configurations in a dual-RE chassis.

Exam trap

The trap here is that candidates confuse 'commit synchronize' with 'commit check' or 'commit confirmed', not realizing that only 'commit synchronize' explicitly pushes the configuration to the backup RE in a dual-RE setup.

How to eliminate wrong answers

Option A is wrong because 'commit confirmed' is used to automatically roll back a commit after a specified timeout if not confirmed, not for synchronizing configurations between REs. Option B is wrong because 'commit check synchronize' is not a valid Junos command; 'commit check' validates syntax but does not apply changes, and the 'synchronize' option is only valid with 'commit'. Option C is wrong because 'commit and-quit' is used in configuration mode to commit and exit, but it does not synchronize the configuration to the backup RE.

35
Multi-Select · medium

Which THREE statements about the commit operation are correct? (Choose three.)

Select 3 answers
A. The 'commit check' command validates the syntax of the candidate configuration without activating it.
B. After a successful commit, the candidate configuration becomes the active configuration.
C. A commit can be scheduled to revert automatically if not confirmed within a certain time.
D. The candidate configuration is stored in a file named 'juniper.conf' on the flash drive.
E. A commit operation automatically saves the rescue configuration.
Answers: A, B, C

Syntax-only validation.

Why this answer

Option A is correct because the 'commit check' command validates the syntax and semantics of the candidate configuration without activating it. This allows an administrator to verify that the configuration is error-free before making it active, preventing potential misconfigurations from disrupting network operations.

Exam trap

The trap here is that candidates often confuse the candidate configuration with the active configuration file (juniper.conf) or assume that a commit automatically updates the rescue configuration, when in fact the rescue configuration is a manually saved snapshot used for disaster recovery.

36
MCQ · hard

A company has a Juniper MX router acting as a BGP route reflector. The router has two routing instances: 'internet' and 'management'. The 'internet' instance uses a firewall filter to block traffic to the router's loopback address from external sources. After a recent configuration change, the engineer notices that SSH access to the router's loopback IP (10.0.0.1) from the internal management network (192.168.0.0/16) is being dropped. The firewall filter for the loopback interface in the 'internet' instance is correctly configured to allow traffic from 192.168.0.0/16. The management instance has no firewall filter applied. The engineer suspects that the issue is related to how the routing instances interact with the loopback interface. Which of the following is the most likely cause and solution?

A. The management instance needs a firewall filter that allows SSH; add a filter to the management instance's loopback.
B. The firewall filter in the 'internet' instance incorrectly blocks SSH; modify the filter to allow SSH from any source.
C. The BGP configuration is causing the loopback to be unreachable; disable BGP on the management instance.
D. The firewall filter applied to the loopback interface is shared across all routing instances; use a separate interface for management traffic or apply the filter only to the 'internet' instance's logical system.
Answer: D

The loopback interface is shared; the filter affects all traffic to the loopback.

Why this answer

In Junos, firewall filters applied to the loopback interface (lo0) are shared across all routing instances by default because the loopback is a single physical interface. Even though the filter is configured in the 'internet' instance, it affects traffic destined to the loopback IP from any instance, including the 'management' instance. To isolate management traffic, you must either use a separate physical interface or apply the filter only to the 'internet' instance's logical system (e.g., using a firewall filter with a routing-instance match condition).

Exam trap

The trap here is that candidates assume firewall filters are instance-specific on the loopback interface, but Junos applies them globally by default, leading to the misconception that adding a filter to the management instance or modifying the existing filter will solve the problem.

How to eliminate wrong answers

Option A is wrong because the management instance has no firewall filter, and adding one would not resolve the issue—the problem is that the filter from the 'internet' instance is blocking traffic. Option B is wrong because the filter is correctly configured to allow SSH from 192.168.0.0/16; modifying it to allow SSH from any source would violate security policy and does not address the root cause of filter sharing. Option C is wrong because BGP configuration does not inherently cause the loopback to be unreachable; BGP is a routing protocol and does not affect firewall filter application on the loopback interface.

37
MCQ · medium

Refer to the exhibit. What is the effect of the pending changes?

A. The IP address 10.0.0.2 will be replaced by 10.0.0.1 after commit.
B. The comparison shows no changes.
C. The interface will have two IP addresses: 10.0.0.1 and 10.0.0.2.
D. The candidate configuration will be empty after commit.
Answer: A

The minus and plus indicate replacement.

Why this answer

The candidate configuration shows that the IP address 10.0.0.2 is being deleted and replaced with 10.0.0.1 on interface ge-0/0/0. In Junos, pending changes are staged in the candidate configuration and only take effect after a commit. The 'replace:' tag indicates that the existing address 10.0.0.2 will be removed and 10.0.0.1 will be added upon commit.

Exam trap

The trap here is that candidates may misinterpret the 'replace:' tag as an addition rather than a replacement, leading them to think both IP addresses will coexist, or they may assume no changes are shown because they overlook the 'replace:' indicator.

How to eliminate wrong answers

Option B is wrong because the comparison clearly shows a change: the 'replace:' tag indicates that 10.0.0.2 is being replaced by 10.0.0.1, so there is a pending modification. Option C is wrong because Junos does not allow two IP addresses in the same subnet on the same interface without additional configuration; the 'replace:' operation removes the old address before adding the new one, so both addresses will not coexist. Option D is wrong because the candidate configuration contains the new address 10.0.0.1, so it will not be empty after commit; only the old address is removed.

38
MCQ · hard

A Juniper router experiences a power outage. After power is restored, the router fails to boot completely and stops at the loader (U-Boot) prompt. You have console access. Before the outage, you had saved a rescue configuration. How can you load the rescue configuration to recover the system?

A. Type 'load rescue' at the loader prompt.
B. Type 'boot rescue' at the loader prompt.
C. Power cycle with a pin in the reset hole.
D. Type 'boot -s' to enter single-user mode, then load rescue.
Answer: B

This boots the device with the rescue configuration.

Why this answer

Option B is correct because at the U-Boot loader prompt, the 'boot rescue' command instructs the router to boot using the rescue configuration stored in the /config directory. The rescue configuration is a known-good configuration that can be saved via 'request system configuration rescue save' and is loaded directly by the boot loader when the normal boot process fails.

Exam trap

The trap here is that candidates confuse the CLI command 'load rescue' (used in operational mode to merge or replace the candidate configuration) with the boot loader command 'boot rescue', and they assume the loader supports Junos CLI syntax.

How to eliminate wrong answers

Option A is wrong because 'load rescue' is a valid command only at the Junos CLI (operational mode), not at the U-Boot loader prompt; the loader does not support Junos CLI commands. Option C is wrong because power cycling with a pin in the reset hole performs a hardware factory reset, which clears all configurations including the rescue configuration, and is not a method to load a saved rescue config. Option D is wrong because 'boot -s' is not a valid U-Boot command; single-user mode is entered from the Junos boot menu (after the kernel loads), not from the loader prompt, and the loader cannot interpret Junos boot flags.

39
MCQmedium

When configuring OSPF on a Juniper router, an engineer applies the 'area 0.0.0.0 interface ge-0/0/1.0 passive' command. What is the effect of this configuration?

A.The interface will not be advertised in OSPF at all, and no OSPF traffic will be transmitted.
B.The interface will only accept incoming OSPF packets but will not send any.
C.The interface will not send OSPF hellos, but the connected network will still be advertised in OSPF.
D.The interface will actively send OSPF hellos and attempt to form adjacencies.
AnswerC

Correct behavior of a passive OSPF interface.

Why this answer

The 'passive' configuration on an OSPF interface in Junos prevents the interface from sending OSPF Hello packets, which stops the formation of neighbor adjacencies. However, the interface's connected network prefix is still advertised as a stub network in OSPF Type 1 LSAs, ensuring reachability to that subnet without dynamic neighbor relationships.

Exam trap

The trap here is that candidates often confuse 'passive' with 'disable' or assume it blocks all OSPF traffic, when in fact it only stops Hello transmission while still advertising the network.

How to eliminate wrong answers

Option A is wrong because the passive interface does not suppress the advertisement of the connected network; the prefix is still injected into OSPF. Option B is wrong because the passive interface does not accept incoming OSPF packets either; it simply does not send Hellos, but it will still process received OSPF packets if they arrive (though without Hellos, no adjacency forms). Option D is wrong because the passive command explicitly prevents the interface from sending OSPF Hellos, so it will not actively attempt to form adjacencies.

40
MCQeasy

A network engineer needs to make a change to a Junos device and ensure the change can be reverted if it causes issues. Which feature should be used?

A.configure exclusive
B.commit confirmed
C.commit check
D.rollback 0
AnswerB

'commit confirmed' commits with an automatic rollback if not confirmed within the timeout period.

Why this answer

The `commit confirmed` command allows an engineer to commit a configuration change with a timer (default 10 minutes). If the change causes issues and the engineer does not confirm the commit within the timer, the device automatically reverts to the previous active configuration. This provides a safety net to revert changes without manual intervention.

Exam trap

The trap here is that candidates may confuse `commit confirmed` with `rollback 0`, thinking both revert changes, but `rollback 0` is a manual step that does not provide automatic, time-based reversion.

How to eliminate wrong answers

Option A is wrong because `configure exclusive` locks the candidate configuration to a single user, preventing others from making changes, but it does not provide any automatic rollback mechanism if the change causes issues. Option C is wrong because `commit check` validates the syntax and semantics of the candidate configuration without committing it; it does not revert a change after it has been applied. Option D is wrong because `rollback 0` reverts to the most recently committed configuration, but this is a manual action and does not provide an automatic, time-based revert if the change causes issues.

41
MCQeasy

An administrator makes changes to the candidate configuration and wants to automatically revert to the previous configuration if the changes cause a loss of connectivity. Which method should be used?

A.Use the 'commit check' command.
B.Use the 'commit synchronize' command.
C.Use the 'rollback' command.
D.Use the 'commit confirmed' command.
AnswerD

Automatically rolls back if not confirmed.

Why this answer

The 'commit confirmed' command is the correct method because it allows an administrator to commit a candidate configuration with a confirmation timeout (default 10 minutes). If connectivity is lost and the commit is not confirmed within the timeout, Junos automatically reverts to the previous configuration, ensuring the device remains reachable.

Exam trap

The trap here is that candidates confuse 'commit confirmed' with 'commit check' or 'rollback', not realizing that 'commit confirmed' is the only option that provides an automatic, time-based reversion mechanism specifically designed to prevent loss of connectivity.

How to eliminate wrong answers

Option A is wrong because 'commit check' only validates the syntax and semantics of the candidate configuration without committing it, so it cannot automatically revert changes. Option B is wrong because 'commit synchronize' is used on a Junos cluster to commit the configuration on both nodes simultaneously, not to provide automatic rollback on connectivity loss. Option C is wrong because 'rollback' is a manual command that reverts to a previously committed configuration, but it does not provide automatic reversion upon connectivity loss.

42
MCQhard

Refer to the exhibit. What is the most likely cause of the error?

A.The IP address 1.1.1.1/32 is already in use.
B.The candidate configuration has no errors and this is a warning.
C.The policy-statement 'test' contains a syntax error in the protocol match condition.
D.The commit check command requires user confirmation.
AnswerC

The error indicates 'protocol is not valid' in the policy-statement.

Why this answer

Option C is correct because the error message in the exhibit indicates a syntax error in the policy-statement 'test' when using the protocol match condition. In Junos, the 'protocol' match condition requires a valid protocol name (e.g., 'bgp', 'ospf', 'static'), and if an invalid or misspelled protocol is specified, the commit check fails with a syntax error. This is a common mistake when configuring policy-options, as the Junos CLI validates the protocol against a predefined list.

Exam trap

The trap here is that candidates may misinterpret a syntax error as a warning or an IP conflict, because Junos error messages can be verbose, but the key is to identify the specific line number and the 'syntax error' keyword in the output, which points directly to a configuration mistake in the policy-statement.

How to eliminate wrong answers

Option A is wrong because the error message does not indicate an IP address conflict; a '1.1.1.1/32 already in use' error would appear as a commit error with a specific message about duplicate address, not a syntax error in a policy statement. Option B is wrong because the candidate configuration contains an actual syntax error, not a warning; Junos warnings are typically informational (e.g., 'warning: statement ... is deprecated') and do not prevent a successful commit check, whereas this error blocks the commit. Option D is wrong because the commit check command does not require user confirmation; it validates the configuration and reports errors without prompting for confirmation, and the exhibit shows an error output, not a confirmation prompt.

43
MCQmedium

Under what circumstance would the 'deactivate' command be useful in Junos configuration?

A.To delete a configuration statement after commit
B.To permanently remove a configuration statement
C.To temporarily disable a configuration statement without removing it from the configuration
D.To mark a statement as inactive while keeping it in the active configuration
AnswerC

Deactivation disables the statement until it is activated again.

Why this answer

The 'deactivate' command in Junos temporarily disables a configuration statement without removing it from the configuration. This is useful for testing changes or troubleshooting because the deactivated statement remains in the configuration but is ignored by the commit operation, allowing easy reactivation with the 'activate' command.

Exam trap

The trap here is confusing 'deactivate' with 'delete' or assuming that deactivated statements remain active; candidates often think 'deactivate' removes the statement or that it still applies after commit, but in Junos, deactivated statements are completely ignored by the commit operation.

How to eliminate wrong answers

Option A is wrong because 'deactivate' does not delete a configuration statement after commit; it only marks it as inactive before commit, and the statement persists in the configuration. Option B is wrong because 'deactivate' does not permanently remove a statement; it only temporarily disables it, and the statement can be reactivated. Option D is wrong because a deactivated statement is not kept in the active configuration; it is excluded from the active configuration after commit, meaning it does not affect the running system.

44
MCQhard

During a maintenance window, an engineer issues 'commit confirmed 5' but the change causes a connectivity loss. The engineer is unable to reconnect to the device before the timeout expires. What will happen?

A.The engineer must manually rollback using the rollback command.
B.The change remains committed until the next reboot.
C.The device reloads with factory defaults.
D.The device automatically reverts to the previous active configuration.
AnswerD

Commit confirmed automatically rolls back after the timeout if not confirmed.

Why this answer

The 'commit confirmed 5' command activates a candidate configuration and starts a 5-minute rollback timer. If the engineer does not issue a 'commit' or 'commit check' before the timer expires, Junos automatically reverts to the previously active configuration. This ensures the device returns to a known working state without manual intervention, preserving connectivity after the failed change.

Exam trap

The trap here is that candidates may think a 'commit confirmed' requires a manual rollback command (Option A) or that the change persists until a reboot (Option B), but Junos automatically reverts the configuration upon timeout, making it a safety mechanism for remote changes.

How to eliminate wrong answers

Option A is wrong because the automatic rollback occurs without requiring manual intervention; the engineer does not need to use the 'rollback' command after the timeout. Option B is wrong because a confirmed commit is explicitly designed to not remain committed; it automatically reverts if not confirmed, so the change does not persist until the next reboot. Option C is wrong because the device does not reload with factory defaults; it reverts only to the previous active configuration, not to a factory-reset state.

45
MCQmedium

An engineer needs to apply a configuration change that adds a new static route to the Junos device. The engineer wants to ensure the change takes effect immediately and is persistent across reboots. Which command should the engineer use?

A.load override
B.commit confirmed
C.rollback
D.commit
AnswerD

'commit' activates the candidate configuration and makes it persistent across reboots.

Why this answer

The 'commit' command is correct because it immediately activates the candidate configuration (including the new static route) and makes it the active configuration that survives a reboot. Junos uses a two-stage configuration model where changes are first made to the candidate configuration and then committed to become the active, persistent configuration.

Exam trap

The trap here is that candidates familiar with Cisco IOS might assume 'copy running-config startup-config' is needed for persistence, but in Junos, a single 'commit' both activates the change and saves it permanently, making additional save commands unnecessary.

How to eliminate wrong answers

Option A is wrong because 'load override' replaces the entire candidate configuration with a new file, but it does not activate the configuration; a subsequent 'commit' is still required. Option B is wrong because 'commit confirmed' is used to automatically roll back to a previous configuration if the commit is not confirmed within a specified time (default 10 minutes), which is not appropriate for a permanent static route addition. Option C is wrong because 'rollback' reverts the candidate configuration to a previously committed version, which would remove any pending changes rather than applying them.

46
MCQeasy

An administrator wants to view the differences between the current candidate configuration and the last committed configuration. Which command displays this?

A.show configuration
B.commit check
C.show | compare
D.rollback ?
AnswerC

'show | compare' shows the delta between the candidate and the last committed configuration.

Why this answer

The 'show | compare' command displays the differences between the candidate and the active (committed) configuration.

47
MCQhard

A network engineer accidentally committed a configuration on a Juniper router that caused a loss of management access via SSH and SNMP. The engineer has console access and the device is still operational. Before the change, the engineer had saved a rescue configuration using 'request system configuration rescue save'. Which action should the engineer take to restore management access most quickly?

A.At the shell prompt, execute 'cli -c "rollback rescue"' and then commit.
B.At the configuration mode, execute 'rollback 0'.
C.Power cycle the device; it will automatically boot with the rescue configuration.
D.Reboot the device and press the space bar to load the rescue configuration.
AnswerA

This loads the rescue configuration without rebooting.

Why this answer

Option A is correct because the 'request system configuration rescue save' command stores a rescue configuration that can be rolled back to using 'rollback rescue' in configuration mode. Since the engineer has console access, they can enter configuration mode and execute 'rollback rescue' followed by 'commit' to instantly revert to the last known working configuration, restoring SSH and SNMP access without requiring a reboot.

Exam trap

The trap here is that candidates may confuse 'rollback rescue' with a boot-time recovery mechanism, assuming the rescue configuration loads automatically on reboot, when in fact it requires a manual command after the device is operational.

How to eliminate wrong answers

Option B is wrong because 'rollback 0' reverts to the most recently committed configuration, which is the same problematic configuration that caused the loss of management access, so it would not restore connectivity. Option C is wrong because power cycling the device does not automatically load the rescue configuration; Junos boots from the active file system (e.g., 'junos.conf') unless explicitly instructed otherwise via the boot loader or a rescue configuration load during boot. Option D is wrong because pressing the space bar during boot interrupts the normal boot process to access the loader prompt, but it does not automatically load the rescue configuration; the rescue configuration must be explicitly loaded via the 'load rescue' command in the loader or after booting into the operating system.

48
Multi-Selecteasy

Which TWO are correct statements about the Junos configuration hierarchy?

Select 2 answers
A.The 'routing-options' hierarchy is used to configure interface IP addresses.
B.The 'interfaces' hierarchy is used to configure physical and logical interfaces.
C.The 'system' hierarchy includes settings for NTP and DNS.
D.Firewall filters are configured under 'policy-options'.
E.The 'protocols' hierarchy includes system-level settings like hostname.
AnswersB, C

Correct.

Why this answer

Option B is correct because the 'interfaces' hierarchy in Junos is specifically designed to configure both physical interfaces (e.g., ge-0/0/0) and logical interfaces (e.g., ge-0/0/0.100), including parameters like IP addresses, MTU, and VLAN tagging. This is a fundamental part of Junos configuration, as all network traffic flows through interfaces defined under this hierarchy.

Exam trap

The trap here is that candidates often confuse the purpose of 'routing-options' with interface configuration, or assume that firewall filters belong under 'policy-options' because both involve policy-like constructs, but Junos strictly separates firewall (packet filtering) from routing policy (route manipulation).

49
Multi-Selecteasy

Which TWO statements about configuration archival in Junos are true?

Select 2 answers
A.Archival stores the candidate configuration.
B.The 'system archival' hierarchy enables automatic backup of configurations.
C.Archival only saves the rescue configuration.
D.Archival can use FTP or SCP to transfer files.
E.Archival automatically archives after every commit without any configuration.
AnswersB, D

This configuration block defines archival settings.

Why this answer

Option B is correct because the 'system archival' hierarchy in Junos is specifically designed to enable automatic backup of configuration files. This feature allows administrators to configure periodic transfers of committed configurations to a remote server, ensuring configuration history is preserved without manual intervention.

Exam trap

The trap here is that candidates often confuse the candidate configuration with the committed configuration, assuming archival saves the uncommitted changes, when in fact it only archives the active committed configuration after a successful commit.

50
MCQmedium

A network engineer needs to restore the factory-default configuration on a Junos device. Which command sequence is correct?

A.set system host-name factory-default
B.request system zeroize
C.load factory-default and then commit
D.delete configuration and reboot
AnswerC

'load factory-default' loads the factory configuration into the candidate, then 'commit' activates it.

Why this answer

The correct command sequence to restore factory-default configuration on a Junos device is 'load factory-default' followed by 'commit'. The 'load factory-default' command replaces the current candidate configuration with the factory-default configuration, but it does not take effect until a 'commit' is issued. This ensures the device reverts to its original settings without affecting the currently running configuration until explicitly committed.

Exam trap

The trap here is that candidates confuse 'load factory-default' with 'request system zeroize', thinking both achieve the same result, but 'zeroize' is a security wipe that destroys all data and requires a reboot, while 'load factory-default' is a configuration-only reset that is committed without rebooting.

How to eliminate wrong answers

Option A is wrong because 'set system host-name factory-default' only changes the hostname to 'factory-default'; it does not restore the entire configuration to factory defaults. Option B is wrong because 'request system zeroize' is used to erase all data, including configuration files, logs, and user data, for security purposes before decommissioning a device; it does not simply restore factory-default configuration and requires a reboot to complete. Option D is wrong because 'delete configuration and reboot' is not a valid Junos command sequence; deleting the configuration without using 'load factory-default' would leave the device with an empty configuration, potentially causing boot issues or requiring manual recovery.

51
MCQeasy

Which operational mode command displays the differences between the candidate configuration and the active configuration?

A.show configuration | compare
B.show | display set
C.show system configuration | compare
D.show | compare
AnswerA

Displays differences between candidate and active configurations.

Why this answer

Option A is correct because the 'show configuration | compare' command displays the differences between the candidate configuration and the active (committed) configuration. The pipe to 'compare' is a Junos CLI filter that performs a diff operation, showing lines added, changed, or deleted. This is the standard way to review uncommitted changes before committing them.

Exam trap

The trap here is that candidates confuse 'show | compare' with 'show configuration | compare', forgetting that the pipe must follow a specific operational mode command (like 'show configuration') to produce a meaningful diff, not just any 'show' command.

How to eliminate wrong answers

Option B is wrong because 'show | display set' converts the current output (e.g., show configuration) into set-format commands, but it does not perform a comparison between candidate and active configurations. Option C is wrong because 'show system configuration | compare' is not a valid command; 'system configuration' is not a valid hierarchy for comparing configurations, and the correct hierarchy is 'show configuration | compare'. Option D is wrong because 'show | compare' without specifying 'configuration' will attempt to compare the output of the default 'show' command (which shows system status) against nothing meaningful, resulting in an error or no useful diff; the correct syntax requires 'show configuration | compare'.

52
Multi-Selecthard

Which THREE are valid methods to apply a firewall filter in Junos?

Select 3 answers
A.Apply the filter to an interface under 'family inet filter input'
B.Apply the filter to an interface under 'family inet filter output'
C.Apply the filter globally using 'firewall family inet filter filter-name'
D.Apply the filter under 'routing-options'
E.Apply the filter to the loopback interface under 'family inet filter input'
AnswersA, B, E

Standard way to apply input filter on an interface.

Why this answer

Option A is correct because in Junos, a firewall filter is applied to an interface by configuring it under the 'family inet' hierarchy with the 'filter input' statement. This directs the filter to inspect all inbound IPv4 packets on that interface before they are processed by the routing engine.

Exam trap

The trap here is that candidates may confuse the global firewall filter configuration syntax with the interface-level application, or mistakenly think that 'routing-options' is a valid location for filter application, when in fact Junos strictly separates filter definition and application contexts.

53
MCQeasy

Your company has deployed a Juniper MX router at a branch office. The router has two upstream connections to different ISPs. The configuration currently uses a single static default route to ISP-A. The network team wants to add redundancy so that if ISP-A fails, traffic automatically uses ISP-B. The ISP-B connection is already configured on interface ge-1/0/0 with IP address 203.0.113.2/30. The next-hop IP for ISP-B is 203.0.113.1. The routing table should have a backup default route with a higher metric. Which configuration change meets the requirement?

A.set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1 metric 1
B.set routing-options static route 0.0.0.0/0 discard
C.set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1 metric 2
D.set routing-options static route 0.0.0.0/0 next-table inet.0
AnswerC

This creates a backup static route with a higher metric, ensuring it is used only when the primary route is removed.

Why this answer

Option C is correct because it adds a static default route to ISP-B with a metric of 2, which is higher than the default metric of 0 (or 1 if explicitly set) for the existing route to ISP-A. In Junos, when multiple static routes to the same destination exist, the route with the lower metric (preference) is installed in the routing table. If the primary route fails (e.g., interface down), the route with the higher metric becomes active, providing automatic failover.

Exam trap

The trap here is that candidates often confuse Junos 'metric' with Cisco's 'administrative distance' or 'metric' concept, assuming a lower metric is better for backup, whereas in Junos a higher metric (preference) value makes the route less preferred and suitable for failover.

How to eliminate wrong answers

Option A is wrong because setting metric 1 would make the ISP-B route equal in preference to the existing default route (which has a default metric of 0), causing load-sharing or unpredictable behavior rather than a clear backup. Option B is wrong because the 'discard' next-hop creates a null route that drops traffic, which does not provide a functional backup path to ISP-B. Option D is wrong because 'next-table inet.0' is used for policy-based routing or indirect next-hops, not for defining a backup static route with a higher metric.

54
MCQmedium

Refer to the exhibit. What is the most likely cause of the commit check failure?

A.The routing instance has not been created.
B.The interface xe-0/0/0 has been disabled using the 'disable' statement.
C.The IP address is a duplicate on the subnet.
D.The 'family inet' statement is missing under unit 0.
AnswerB

Disabling the interface prevents configuration of addresses on its units.

Why this answer

The commit check failure occurs because the interface xe-0/0/0 is configured with the 'disable' statement, which prevents the interface from being enabled. When a routing instance references a disabled interface, the commit check fails because the interface cannot be used for forwarding or routing operations. Junos requires that interfaces referenced in routing instances be operationally capable of being enabled.

Exam trap

The trap here is that candidates often overlook the 'disable' statement as a valid administrative state and instead assume the failure is due to missing protocol family configuration or duplicate IP addressing, which are common but incorrect assumptions in this context.

How to eliminate wrong answers

Option A is wrong because if the routing instance had not been created, the commit check would fail with a different error about a missing routing instance, not an interface-level issue. Option C is wrong because a duplicate IP address on the subnet would cause a commit warning or operational issue, not a commit check failure, as Junos does not validate IP uniqueness during commit. Option D is wrong because the 'family inet' statement is not required under unit 0 for a routing instance to reference the interface; the interface can be used with other protocol families or as a pure layer-3 interface without explicit 'family inet'.

55
MCQeasy

A junior engineer is asked to change the hostname of a Juniper device from 'Router-1' to 'Core-Router'. Which command sequence correctly commits the change?

A.set system host-name Core-Router; commit
B.edit system; set host-name Core-Router; commit
C.set system hostname Core-Router; commit
D.set system host-name Core-Router; commit
AnswerA

Correct syntax.

Why this answer

Option A is correct because the Junos CLI uses the 'set system host-name' command (with a hyphen in 'host-name') to change the device hostname, and 'commit' applies the change to the active configuration. The command sequence is syntactically valid and follows Junos configuration hierarchy.

Exam trap

The trap here is that Juniper uses 'host-name' with a hyphen, not 'hostname' as in Cisco IOS, and candidates often forget the hyphen or use the wrong hierarchy, leading them to select option B or C.

How to eliminate wrong answers

Option B is wrong because 'edit system' enters the [edit system] hierarchy, but the correct command at that level is 'set host-name Core-Router' (not 'set host-name'), and the sequence lacks a semicolon after 'commit' to separate commands properly in a single line. Option C is wrong because 'hostname' (no hyphen) is not a valid Junos configuration statement; the correct parameter is 'host-name' with a hyphen. Option D is wrong because it is identical to option A and is also correct; however, the question asks for the correct sequence, and both A and D are technically correct, but the answer key lists A as correct, likely due to formatting or a typo in the question.

In practice, both A and D would work, but the intended correct answer is A.

56
MCQmedium

A junior engineer is tasked with configuring a firewall filter to only allow SSH access to the management interface. The management interface is fxp0. Which configuration is correct?

A.set interfaces lo0 unit 0 family inet filter input allow-ssh
B.set groups management-filter interfaces fxp0 unit 0 family inet filter input allow-ssh
C.set interfaces ge-0/0/0 unit 0 family inet filter input allow-ssh
D.set interfaces fxp0 unit 0 family inet filter input allow-ssh
AnswerD

Correctly applies the filter to the management interface.

Why this answer

Option D is correct because the management interface on Juniper devices is fxp0, and applying a firewall filter to its inet family input direction restricts inbound traffic. The filter 'allow-ssh' must permit only TCP port 22, blocking all other management access. This configuration ensures SSH-only access to the management interface.

Exam trap

The trap here is confusing the management interface (fxp0) with the loopback interface (lo0) or a data-plane interface (ge-0/0/0), leading candidates to apply the filter to the wrong interface.

How to eliminate wrong answers

Option A is wrong because lo0 is the loopback interface, not the management interface; applying a filter there would affect all traffic destined to the device, not just management traffic. Option B is wrong because 'groups management-filter' is a configuration group syntax, not a direct interface filter application; it requires additional apply-groups statements and does not directly attach the filter to fxp0. Option C is wrong because ge-0/0/0 is a standard network interface, not the dedicated management interface (fxp0), so it would not restrict access to the management interface.

57
MCQmedium

An administrator wants to apply the same BGP configuration to all interfaces whose names start with 'ge-'. Which approach would dynamically match these interfaces?

A.Define a configuration group and use apply-groups with [edit interfaces ge-*]
B.Create a firewall filter that matches ge- interfaces
C.Use apply-path referencing a regular expression in the configuration group
D.Use an interface-range named 'ge-interfaces' listing all ge- interfaces
AnswerC

apply-path dynamically matches interfaces based on a path pattern.

Why this answer

Option C is correct because the `apply-path` statement in a configuration group can dynamically match interfaces based on a regular expression pattern. By using `apply-path` with a regular expression like `ge-*` inside the configuration group, Junos will automatically apply the BGP configuration to all interfaces whose names match that pattern without manual enumeration.

Exam trap

The trap here is that candidates often confuse `apply-groups` with `apply-path`, assuming that `apply-groups` supports wildcards or regex in the target path, when in fact only `apply-path` provides dynamic pattern matching for interface names.

How to eliminate wrong answers

Option A is wrong because `apply-groups` does not support wildcard or regex matching in the target path; `[edit interfaces ge-*]` is not valid syntax and would cause a commit error. Option B is wrong because firewall filters are used for packet filtering and policy enforcement, not for dynamically applying interface-level configuration like BGP settings. Option D is wrong because an interface-range requires manual listing of each interface name, which is not dynamic and defeats the purpose of matching interfaces based on a pattern.

58
Multi-Selecthard

Which TWO statements about configuration groups in Junos are correct? (Choose two.)

Select 2 answers
A.Configuration groups are defined under the [edit groups] hierarchy.
B.Configuration groups are stored in separate files that are imported using the 'file' statement.
C.The 'apply-groups' statement is used to include a group's configuration at a specific hierarchy level.
D.The 'replace' tag is used to reference a configuration group.
E.Configuration groups are applied only at the [edit interfaces] hierarchy level.
AnswersA, C

Configuration groups are indeed defined under the 'groups' hierarchy and can be inherited.

Why this answer

Option A is correct because configuration groups in Junos are defined under the [edit groups] hierarchy. This allows you to create reusable configuration snippets that can be applied to multiple parts of the configuration, reducing duplication and simplifying management.

Exam trap

The trap here is that candidates often confuse configuration groups with Junos's 'apply-path' or 'apply-macro' features, or mistakenly think groups are external files, when in fact they are defined inline under [edit groups] and applied via 'apply-groups'.

59
MCQ · hard

A network administrator is configuring a GRE tunnel on a Juniper device. The tunnel source is loopback 0 and destination is 192.0.2.1. Which additional configuration is necessary on the tunnel interface for the tunnel to become operational?

A. set interfaces gr-0/0/0 unit 0 mtu 1476
B. set interfaces gr-0/0/0 unit 0 multicast
C. set interfaces gr-0/0/0 unit 0 family inet6
D. set interfaces gr-0/0/0 unit 0 family inet
Answer: D

Enables IPv4 on the tunnel interface, necessary for routing.

Why this answer

Option D is correct because a GRE tunnel interface on Junos requires the 'family inet' statement to be configured under the unit to enable IPv4 traffic forwarding. Without this, the tunnel interface will not have an IPv4 protocol family, and the device will not be able to route packets into or out of the tunnel, leaving it operationally down.

Exam trap

The trap here is that candidates assume GRE tunnels automatically support IPv4 traffic on Junos, similar to Cisco IOS, but Junos requires an explicit 'family inet' configuration to activate the protocol family on the tunnel interface.

How to eliminate wrong answers

Option A is wrong because setting the MTU to 1476 is optional and not required for the tunnel to become operational; it is a performance tuning parameter to avoid fragmentation. Option B is wrong because the 'multicast' statement is used to enable multicast traffic over the tunnel, which is not a prerequisite for basic GRE tunnel operation. Option C is wrong because 'family inet6' would enable IPv6 over the tunnel, but the question specifies an IPv4 destination and source, so IPv4 (family inet) is the necessary protocol family.

60
MCQ · medium

An administrator needs to change a portion of the configuration by matching a pattern and replacing it with new text. Which Junos configuration mode command should be used?

A. rename
B. replace pattern
C. copy
D. set replace pattern
Answer: B

Replaces text matching a pattern with new text.

Why this answer

The 'replace pattern' command in Junos configuration mode allows an administrator to search for a specific text pattern using regular expressions and replace it with new text. This is the correct command for pattern-based substitution within the configuration hierarchy, as it directly matches and replaces text without requiring manual deletion or re-entry.

Exam trap

The trap here is that candidates may confuse 'replace pattern' with 'set replace pattern' (which does not exist) or assume 'rename' can perform pattern-based substitution, leading them to select an incorrect option due to familiarity with similar commands in other vendors' syntax.

How to eliminate wrong answers

Option A is wrong because 'rename' is used to change the name of a configuration element (e.g., an interface or policy) but does not support pattern matching or text replacement. Option C is wrong because 'copy' duplicates a configuration stanza or element, not modifies existing text by pattern matching. Option D is wrong because 'set replace pattern' is not a valid Junos command; the correct syntax is 'replace pattern' at the configuration mode prompt, not prefixed with 'set'.

61
MCQ · easy

Which configuration group feature allows an administrator to apply common configuration settings to multiple interfaces without repeating the configuration?

A. groups statement
B. interface-range
C. apply-groups
D. apply-path
Answer: C

Applies configuration from a group to the current level.

Why this answer

The `apply-groups` statement is the correct feature because it allows an administrator to define a common configuration template within a `groups` hierarchy and then apply that template to multiple interfaces (or other configuration sections) using the `apply-groups` command. This avoids repeating the same configuration statements across individual interfaces, streamlining management and reducing errors.

Exam trap

The trap here is that candidates confuse `groups` (the definition container) with `apply-groups` (the activation command), often selecting Option A because they think defining the group is sufficient, but without `apply-groups`, the group configuration is never applied.

How to eliminate wrong answers

Option A is wrong because `groups` is the container where common configuration is defined, but it is not the feature that applies the configuration to interfaces; without `apply-groups`, the group configuration is inactive. Option B is wrong because `interface-range` is a feature for creating a named range of interfaces to apply a single configuration block, but it is not a configuration group feature; it is used with `set interfaces interface-range <name>` and applies configuration directly, not via a reusable group template. Option D is wrong because `apply-path` is used to dynamically derive configuration values from the contents of a specified path in the configuration hierarchy (e.g., for BGP or firewall filters), not for applying common settings to multiple interfaces.

62
MCQ · easy

Which command saves the active configuration to a file name other than the default rescue configuration?

A. request system configuration rescue save
B. save configuration to file
C. commit and-quit
D. file copy /config/juniper.conf.gz /var/tmp/backup.conf
Answer: D

Copies the active configuration file to a specified destination.

Why this answer

Option D is correct because the `file copy` command copies the active configuration file (`/config/juniper.conf.gz`) to a user-specified destination, such as `/var/tmp/backup.conf`, effectively saving the active configuration under a different filename. The rescue configuration is a special saved configuration that can be loaded with `rollback rescue`, but the question asks for saving to a file name other than the default rescue configuration, which is achieved by copying the active configuration file directly.

Exam trap

The trap here is that candidates may confuse the `save` command (which is valid in configuration mode and saves to a specified file) with the incorrect `save configuration to file` option, or they may think `request system configuration rescue save` allows a custom filename, when in fact it always uses the rescue configuration filename.

How to eliminate wrong answers

Option A is wrong because `request system configuration rescue save` saves the active configuration as the rescue configuration, which uses the default filename `rescue.conf.gz` in `/config/`, not a user-specified filename. Option B is wrong because `save configuration to file` is not a valid Junos CLI command; the correct command to save the active configuration to a file is `save <filename>` at the configuration mode prompt. Option C is wrong because `commit and-quit` commits the candidate configuration and exits configuration mode, but it does not save the configuration to a separate file; it only applies the changes to the active configuration.

63
MCQ · medium

An administrator is configuring a new Junos device and wants to ensure that configuration changes are applied only after explicit commit confirmation. Which configuration statement should be used?

A. commit synchronize
B. commit at
C. commit check
D. commit confirmed
Answer: D

Applies changes temporarily; requires confirmation to keep.

Why this answer

Option D is correct because the 'commit confirmed' statement allows an administrator to apply configuration changes that automatically revert to the previous configuration if not explicitly confirmed within a specified timeout period (default 10 minutes). This ensures changes are only permanently applied after an explicit 'commit' confirmation, providing a safety mechanism to prevent lockout or misconfiguration.

Exam trap

The trap here is that candidates often confuse 'commit confirmed' with 'commit check' or 'commit at', mistakenly thinking that syntax validation or scheduled commits provide the same automatic rollback safety net, when in fact only 'commit confirmed' enforces explicit confirmation to prevent permanent changes.

How to eliminate wrong answers

Option A is wrong because 'commit synchronize' is used on dual Routing Engine (RE) systems to apply the configuration to both REs simultaneously, not to require explicit confirmation. Option B is wrong because 'commit at' schedules a commit to occur at a specific time, but does not require explicit confirmation before the changes become permanent. Option C is wrong because 'commit check' validates the syntax and semantics of the candidate configuration without applying it, but does not provide a mechanism to automatically revert changes if not confirmed.

64
Multi-Select · hard

Which TWO statements about the rescue configuration are correct? (Choose two.)

Select 2 answers
A. The rescue configuration is automatically saved after every commit.
B. The 'rollback rescue' command loads the factory-default configuration.
C. The rescue configuration is designed to provide a method of last-resort recovery.
D. The rescue configuration can be saved by issuing the 'request system configuration rescue save' command.
E. The rescue configuration can be used to restore only a subset of the configuration.
Answers: C, D

It is a safety net for recovery.

Why this answer

Option C is correct because the rescue configuration is explicitly designed to provide a method of last-resort recovery. It allows an administrator to save a known-good configuration that can be loaded even if the active configuration becomes corrupted or inaccessible, ensuring the device can be brought back to a functional state.

Exam trap

The trap here is that candidates often confuse the rescue configuration with the factory-default configuration or assume it is automatically saved, leading them to select options A or B incorrectly.

65
MCQ · hard

An engineer is designing a network and needs to ensure that management traffic (SSH, SNMP) is always permitted, even if an interface firewall filter is applied. Which Juniper best practice should be followed?

A. Use a firewall filter that permits all management traffic at the top of the list on each interface
B. Apply a firewall filter on the loopback interface (lo0) to protect the device
C. Apply a firewall filter to the management interface (fxp0)
D. Disable the firewall filter on all interfaces
Answer: B

Best practice: use loopback filter to control access to the device itself.

Why this answer

Applying a firewall filter to the loopback interface (lo0) is the Juniper best practice for protecting management traffic because the loopback interface is the logical termination point for all control plane traffic, including SSH and SNMP. This ensures that management traffic is always permitted regardless of which physical interface it arrives on, while still allowing interface-specific filters to be applied for data plane traffic without risk of blocking management access.

Exam trap

The trap here is that candidates often think management traffic must be permitted on each physical interface individually (Option A), not realizing that Junos uses the loopback interface as the central control plane filter point, making interface-specific filters unnecessary for management access.

How to eliminate wrong answers

Option A is wrong because placing a firewall filter that permits all management traffic at the top of the list on each interface is not scalable and can inadvertently allow unwanted traffic if the filter is misconfigured or omitted on a new interface; it also violates the principle of separating control plane and data plane filtering. Option B is the correct answer, so it is not eliminated. Option C is wrong because applying a firewall filter to the management interface (fxp0) only protects traffic arriving on that dedicated management port, but management traffic like SSH and SNMP can also arrive on other interfaces (e.g., ge-0/0/0), leaving the device unprotected on those paths. Option D is wrong because disabling firewall filters on all interfaces removes all traffic filtering, which is not a best practice and would expose the device to unauthorized access or attacks.

66
MCQ · medium

A network administrator wants to configure a user account for a junior engineer. The junior engineer should only be able to view configuration and use operational commands, but not modify anything. Additionally, the junior engineer should be required to authenticate using a local password. Which configuration accomplishes this?

A. set system login user junior class operator authentication plain-text-password
B. set system login user junior class read-only authentication plain-text-password
C. set system login user junior class super-user authentication plain-text-password
D. set system login user junior class read-only authentication ssh-rsa
Answer: B

This creates a read-only user with local password authentication.

Why this answer

Option B is correct; it sets the user's class to 'read-only' with a password.

67
MCQ · medium

An engineer issues the 'rollback 3' command in configuration mode. What is the effect?

A. The candidate configuration is saved as the third rollback slot.
B. The candidate configuration is replaced with the configuration from three commits ago.
C. The active configuration is replaced with the candidate configuration.
D. The device reboots and loads configuration version 3.
Answer: B

Rollback loads a previous configuration into the candidate.

Why this answer

The 'rollback 3' command in Junos configuration mode replaces the current candidate configuration with the configuration from the third most recent commit. Junos maintains up to 50 rollback slots (numbered 0 through 49), where slot 0 is the most recent commit, slot 1 is the commit before that, and so on. Therefore, 'rollback 3' retrieves the configuration saved three commits ago, overwriting any uncommitted changes in the candidate configuration.

Exam trap

The trap here is that candidates often confuse 'rollback' with 'commit' or 'save' operations, mistakenly thinking it saves the current candidate configuration rather than retrieving a previous one, or they assume it directly modifies the active configuration without requiring a subsequent commit.

How to eliminate wrong answers

Option A is wrong because the 'rollback' command does not save the candidate configuration; it retrieves a previously committed configuration from a rollback slot. Saving the candidate configuration to a specific rollback slot is done with the 'commit confirm' or 'commit at' commands, not 'rollback'. Option C is wrong because the 'rollback' command does not replace the active (running) configuration; it only modifies the candidate configuration, which must then be committed to become active. Option D is wrong because 'rollback' does not cause a reboot or load a configuration version from a file; it simply loads a previously committed configuration into the candidate configuration space from the device's rollback database.

68
MCQ · easy

Refer to the exhibit. If the administrator now enters the command 'delete interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24' and then commits, what will be the result?

A. Only the address 192.168.1.1/24 will be removed, and 192.168.1.2/24 will remain.
B. The commit will fail due to an attempt to delete a non-existent address.
C. The entire unit 0 will be deleted.
D. Both addresses will be removed from the configuration.
Answer: A

Exact deletion of the specified address.

Why this answer

The 'delete' command in Junos is hierarchical and targets the exact configuration hierarchy specified. In this case, the command specifies 'address 192.168.1.1/24' under 'family inet', so only that specific address is removed. The other address (192.168.1.2/24) remains because it is a separate leaf under the same 'address' statement and is not affected by the deletion.

Exam trap

The trap here is that candidates may assume deleting one address under a 'family inet' block will remove all addresses, similar to how some other platforms (e.g., Cisco IOS) treat the 'ip address' command as replacing the entire address list, but Junos treats each address as an independent leaf.

How to eliminate wrong answers

Option B is wrong because the address 192.168.1.1/24 does exist in the configuration (as shown in the exhibit), so the delete command targets a valid leaf and will not cause a commit failure. Option C is wrong because the command specifies the exact address leaf, not the 'unit 0' hierarchy; deleting a specific address does not remove the entire unit. Option D is wrong because the command is scoped to only one address; Junos does not cascade the deletion to other addresses under the same 'family inet' unless explicitly targeted.

69
MCQ · hard

After a series of configuration changes, an engineer wants to see only the lines that will be added or modified when the candidate is committed. Which command achieves this?

A. show configuration | except
B. show configuration | display set
C. commit check | match
D. show | compare
Answer: D

In configuration mode, shows lines that will be added, modified, or deleted upon commit.

Why this answer

Option D is correct because the 'show | compare' command displays the differences between the candidate configuration and the active configuration, showing only the lines that will be added, modified, or deleted upon commit. This is the standard Junos method for reviewing pending changes before committing them.

Exam trap

The trap here is that candidates often confuse 'show | compare' with 'show configuration | display set' or 'commit check', thinking that displaying the full candidate configuration or validating syntax is equivalent to viewing only the changes, but only 'show | compare' provides the targeted diff output.

How to eliminate wrong answers

Option A is wrong because 'show configuration | except' filters out lines matching a pattern, but does not show only added or modified lines; it shows all lines except those matching the pattern. Option B is wrong because 'show configuration | display set' converts the configuration into 'set' commands, but it shows the entire candidate configuration, not just the changes. Option C is wrong because 'commit check | match' validates the candidate configuration for syntax errors and then filters the output with 'match', but it does not display a diff of added or modified lines.

70
MCQ · hard

A junior administrator is told to implement configuration changes that must survive a reboot. Which statement is correct?

A. Performing a 'commit' saves the active configuration to non-volatile storage.
B. The 'commit confirmed' command ensures persistence.
C. Changes made using 'set' commands are automatically saved to the startup config.
D. The 'commit' command only writes to RAM, so a 'request system configuration save' is needed.
Answer: A

Commit writes the configuration to persistent storage, surviving reboots.

Why this answer

In Junos, the 'commit' command activates the candidate configuration and saves it to non-volatile storage (the /config directory on the flash drive), ensuring it survives a reboot. This is the standard method for making configuration changes persistent across system restarts.

Exam trap

The trap here is that candidates familiar with Cisco IOS often assume 'commit' only writes to running-config (RAM) and that a separate 'copy running-config startup-config' is needed, but in Junos, 'commit' inherently saves to non-volatile storage, making option D a common distractor.

How to eliminate wrong answers

Option B is wrong because 'commit confirmed' temporarily activates a configuration for a specified timeout period (default 10 minutes) and automatically rolls back if not confirmed with a standard 'commit', so it does not ensure persistence unless followed by a regular commit. Option C is wrong because changes made with 'set' commands are only stored in the candidate configuration in volatile memory (RAM) until explicitly committed; they are not automatically saved to the startup configuration. Option D is wrong because the 'commit' command writes the active configuration to non-volatile storage (the /config directory), not just RAM, and there is no 'request system configuration save' command in Junos (the correct command for saving the active configuration to a file is 'request system configuration rescue save' or 'save' within the CLI).

71
MCQ · hard

An administrator is troubleshooting a configuration issue where a route filter is unexpectedly dropping traffic. The filter uses an 'exact' match type. Which statement correctly describes the behavior of the 'exact' match type in a prefix list?

A. The route mask must be equal to or greater than the specified prefix length.
B. The route must match the prefix and prefix length exactly.
C. The prefix 0.0.0.0/0 is never matched by 'exact' filters.
D. The route mask must be greater than the specified prefix length.
Answer: B

This is the definition of 'exact' match.

Why this answer

Option B is correct because the 'exact' match type in a Junos prefix list requires the route's prefix and prefix length to match the specified prefix and length identically. This is defined in the Junos routing policy framework, where 'exact' is used for precise route filtering, such as matching a specific network like 192.168.1.0/24 without allowing any subnets or supernets.

Exam trap

The trap here is that candidates often confuse 'exact' with 'orlonger' or 'longer' match types, especially when troubleshooting route filter behavior, leading them to select options that describe less restrictive matching.

How to eliminate wrong answers

Option A is wrong because it describes the 'orlonger' match type, where the route mask must be equal to or greater than the specified prefix length, not 'exact'. Option C is wrong because the prefix 0.0.0.0/0 can be matched by an 'exact' filter if the route is exactly 0.0.0.0/0, which is a valid default route; the statement is a common misconception. Option D is wrong because it describes the 'longer' match type, where the route mask must be greater than the specified prefix length, not 'exact'.

72
Multi-Select · hard

Which THREE of the following are characteristics of configuration groups in Junos?

Select 3 answers
A. The 'apply-groups' statement is used to specify which group(s) should be inherited.
B. A maximum of 10 groups can be applied to a single configuration statement.
C. Groups can be nested (i.e., a group can inherit another group).
D. They allow a set of configuration statements to be defined once and inherited by multiple sections.
E. Configuration groups do not allow individual statements within the group to be overridden in the main configuration.
Answers: A, C, D

'apply-groups' activates the group inheritance.

Why this answer

Option A is correct because the 'apply-groups' statement is the Junos mechanism used to inherit configuration from a named configuration group. When you define a group under the 'groups' hierarchy, you then use 'apply-groups <group-name>' at the desired hierarchy level to pull that group's configuration into that location. This allows for modular and reusable configuration blocks.

Exam trap

The trap here is that candidates often assume configuration groups are rigid and cannot be overridden, but in reality the main configuration always overrides group settings, and there is no arbitrary limit like 10 groups per statement.

73
Multi-Select · hard

Which TWO of the following are valid methods to load a configuration file into a Junos device?

Select 2 answers
A. load override
B. load merge
C. import configuration
D. load replace
E. load set
Answers: A, B

Correct command to replace entire configuration.

Why this answer

Option A is correct because the 'load override' command replaces the entire candidate configuration with the contents of the specified configuration file, discarding any previous candidate changes. Option B is correct because 'load merge' combines the contents of the specified configuration file with the current candidate configuration, adding or updating statements without removing existing ones. Both are standard Junos CLI commands for loading configuration data.

Exam trap

The trap here is that candidates may confuse 'load replace' or 'load set' as valid methods, but the question specifically asks for two correct methods, and only 'load override' and 'load merge' are listed as correct in this context.

74
MCQ · hard

A company has two Juniper routers in a high-availability cluster with dual Routing Engines. The administrator performs a commit on the primary RE. What is the effect of using the 'commit synchronize' command?

A. It performs a commit check on both REs but does not activate the config.
B. It commits the configuration on both Routing Engines simultaneously.
C. It commits the configuration only on the primary RE.
D. It commits the configuration only on the backup RE.
Answer: B

Synchronizes the commit to the backup RE.

Why this answer

The 'commit synchronize' command on Juniper routers with dual Routing Engines ensures that the configuration is committed on both the primary and backup REs simultaneously. This is critical for maintaining configuration consistency in a high-availability cluster, as it prevents a split-brain scenario where the backup RE has a different active configuration than the primary. The command performs a full commit (including validation and activation) on both REs, not just a check.

Exam trap

The trap here is that candidates often confuse 'commit synchronize' with 'commit check' or assume it only affects one RE, failing to recognize that Juniper's high-availability design requires explicit synchronization to maintain configuration consistency across both Routing Engines.

How to eliminate wrong answers

Option A is wrong because 'commit synchronize' performs a full commit (validation and activation) on both REs, not just a commit check; the 'commit check' command is used for validation only. Option C is wrong because 'commit synchronize' explicitly commits on both REs, not only the primary; committing only on the primary would leave the backup out of sync. Option D is wrong because 'commit synchronize' commits on both REs, not only the backup; committing only on the backup would not update the primary's active configuration.

75
MCQ · medium

An engineer needs to configure a static route on a Juniper device. Which statement is true regarding the configuration process?

A. The set command activates the change for 10 minutes by default.
B. Configuration changes must be committed to become active.
C. The configuration is immediately active upon entering the set command.
D. The commit command requires a reboot to take effect.
Answer: B

In Junos, changes are made to the candidate configuration and require a commit to become active.

Why this answer

In Junos, configuration changes are made in a candidate configuration and do not take effect until explicitly committed using the 'commit' command. This two-phase model (edit then commit) ensures that changes are validated before activation, preventing partial or incorrect configurations from disrupting network operations. Option B correctly identifies this requirement.

Exam trap

The trap here is that candidates familiar with Cisco IOS, where 'set' or 'configure terminal' commands take effect immediately, mistakenly assume Junos behaves the same way, overlooking the mandatory commit step.

How to eliminate wrong answers

Option A is wrong because the 'set' command does not activate a change for any duration; it merely modifies the candidate configuration, which remains inactive until committed. Option C is wrong because the configuration is not immediately active upon entering the 'set' command; Junos uses a commit model where changes only become active after a successful 'commit'. Option D is wrong because the 'commit' command does not require a reboot; it applies the candidate configuration to the active configuration dynamically without restarting the device.
