Juniper JN0-351 Online Practice Questions and Exam Preparation

Juniper JN0-351 Online Questions & Answers

• Question 111:

  Which two statements are correct about using firewall filters on EX Series switches? (Choose two.)

  A. You can deploy only stateless firewall filters on an EX Series switch.
  B. You can only apply firewall filters to Layer 2 traffic on an EX Series switch.
  C. You can apply firewall filters to both Layer 2 and Layer 3 traffic on an EX Series switch.
  D. You can deploy both stateless and stateful firewall filters on an EX Series switch.
  A. You can deploy only stateless firewall filters on an EX Series switch.
  C. You can apply firewall filters to both Layer 2 and Layer 3 traffic on an EX Series switch.

  ---

  Explanation/Reference:

  A is correct because you can deploy only stateless firewall filters on an EX Series switch. A stateless firewall filter is a filter that evaluates each packet individually based on the header information, such as source and destination addresses, protocol, and port numbers1. A stateless firewall filter does not keep track of the state or context of a packet flow, such as the sequence number, flags, or sessioninformation1. EX Series switches support only stateless firewall filters, which are also called access control lists (ACLs) or packet filters2. C is correct because you can apply firewall filters to both Layer 2 and Layer 3 traffic on an EX Series switch. Layer 2 traffic is traffic that is switched within a VLAN or a bridge domain, while Layer 3 traffic is traffic that is routed between VLANs or networks3. EX Series switches support three types of firewall filters: port (Layer 2) firewall filters, VLAN firewall filters, and router (Layer 3) firewall filters4. You can apply these filters to different interfaces and directions to control the traffic entering or exiting the switch.

• Question 112:

  Which two statements are true about GRE tunnels on Junos devices? (Choose two.)

  A. Only one GRE tunnel can be included for each logical unit.
  B. Multiple GRE tunnels can be included for each logical unit.
  C. GRE interfaces can include multiple logical units.
  D. GRE interfaces can include only a single logical unit.
  A. Only one GRE tunnel can be included for each logical unit.
  C. GRE interfaces can include multiple logical units.

• Question 113:

  Click the Exhibit button.

  

  Referring to the exhibit, what does the asterisk(*) following the ge-0/0/5.0 interface indicate?

  A. It indicates the interface is not active.
  B. It indicates the interface is a trunk port.
  C. It indicates the interface is an access port.
  D. It indicates the interface is active.
  D. It indicates the interface is active.

• Question 114:

  Referring to the exhibit, which two statements are correct? (Choose two.)

  

  A. R2 and R3 can form a Level 1 IS-IS adjacency.
  B. R4 and R5 can form a Level 1 IS-IS adjacency.
  C. R1 and R5 can form a Level 1 IS-IS adjacency.
  D. R3 and R4 can form a Level 2 IS-IS adjacency.
  A. R2 and R3 can form a Level 1 IS-IS adjacency.
  D. R3 and R4 can form a Level 2 IS-IS adjacency.

• Question 115:

  What are three types of port designation specific to Private VLANs? (Choose three.)

  A. Promiscuous ports
  B. Transparent ports
  C. PVLAN trunk ports
  D. Designated ports
  E. Isolated ports
  A. Promiscuous ports
  C. PVLAN trunk ports
  E. Isolated ports

• Question 116:

  Click the Exhibit button.

  

  You are building a network and make some configuration changes. While trying to validate these changes, you receive the error shown in the exhibit.

  How would you solve this problem?

  A. You must create a new VLAN called all using the VLAN ID of 30.
  B. You must configure the ge-0/0/5.0 interface with family inet instead of family ethernet- switching.
  C. You must configure the port mode as trunk on the ge-0/0/5.0 interface.
  D. You must create two sub-interfaces on ge-0/0/5 with the appropriate VLAN member assigned to each.
  C. You must configure the port mode as trunk on the ge-0/0/5.0 interface.

• Question 117:

  Referring to the exhibit, which devices will receive the packet sent by User B?

  

  A. User A and User D
  B. User C and User D
  C. User C
  D. User C, User A, and User D
  B. User C and User D

• Question 118:

  Click the Exhibit button.

  

  Referring to the exhibit, which port on Switch-2 will be selected as the RSTP root port?

  A. ge-0/0/8.0
  B. ge-0/0/9.0
  C. ge-0/0/10.0
  D. ge-0/0/1.0
  C. ge-0/0/10.0

• Question 119:

  Click the Exhibit button.

  

  Referring to the exhibit, which set of interfaces is enabled for Ethernet switching?

  A. ge-0/0/6, ge-0/0/7, and ge-0/0/8
  B. ge-0/0/6, ge-0/0/8, and ge-0/0/10
  C. ge0/0/6, ge-0/0/7, ge-0/0/8, and ge-0/0/10
  D. ge-0/0/6 and ge-0/0/8
  C. ge0/0/6, ge-0/0/7, ge-0/0/8, and ge-0/0/10

• Question 120:

  You are concerned about spoofed MAC addresses on your LAN.

  Which two Layer 2 security features should you enable to minimize this concern? (Choose two.)

  A. dynamic ARP inspection
  B. IP source guard
  C. DHCP snooping
  D. static ARP
  A. dynamic ARP inspection
  C. DHCP snooping

  ---

  Explanation/Reference:

  A is correct because dynamic ARP inspection (DAI) is a Layer 2 security feature that prevents ARP spoofing attacks. ARP spoofing is a technique that allows an attacker to send fake ARP messages to associate a spoofed MAC address with a legitimate IP address. This can result in traffic redirection, man-in-the-middle attacks, or denial-of-service attacks. DAI validates ARP packets by checking the source MAC address and IP address against a trusted database, which is usually built by DHCP snooping1. DAI discards any ARP packets that do not match the database or have invalid formats1. C is correct because DHCP snooping is a Layer 2 security feature that prevents DHCP spoofing attacks. DHCP spoofing is a technique that allows an attacker to act as a rogue DHCP server and offer fake IP addresses and other network parameters to unsuspecting clients. This can result in traffic redirection, man-in- the-middle attacks, or denial-of-service attacks. DHCP snooping filters DHCP messages by classifying switch ports as trusted or untrusted. Trusted ports are allowed to send and receive any DHCP messages, while untrusted ports are allowed to send only DHCP requests and receive only valid DHCP replies from trusted ports2. DHCP snooping also builds a database of MAC addresses, IP addresses, lease times, and binding types for each client2.