Free Juniper JN0-637 Übungsprüfungen - Seite 2 von 5

Question #11

You are enabling advanced policy-based routing. You have configured a static route that has a next hop from the inet.0 routing table. Unfortunately, this static route is not active in your routing instance.

In this scenario, which solution is needed to use this next hop?

A . Use RIB groups.
B . Use filter-based forwarding.
C . Use transparent mode.
D . Use policies.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

To enable advanced policy-based routing in Junos OS and activate a static route with a next-hop address in the inet.0 table within your routing instance, you should utilize RIB groups. RIB groups allow you to import routes from one routing table to another. In this scenario, the static route within the routing instance needs access to the inet.0 routes, which is facilitated by configuring a RIB group. Juniper’s documentation outlines RIB groups as a necessary component for handling instances where routes need to be shared across routing tables, thereby ensuring seamless traffic flow through specified routes. For more details, refer to the Juniper Networks Documentation on RIB Groups.

In Junos OS for SRX Series devices, when enabling advanced policy-based routing and configuring a static route with a next-hop from the inet.0 routing table, the issue arises because the static route is not being used in the routing instance. This is a common scenario when the next-hop belongs to a different routing table or instance, and the routing instance is not aware of that next-hop.

To resolve this, RIB (Routing Information Base) groups are used. RIB groups allow routes from one routing table (RIB) to be shared or imported into another routing table. This means that the routing instance can import the necessary routes from inet.0 and make them available for the routing instance where the policy-based routing is applied.

Detailed Steps:

Configure the Static Route: First, configure the static route pointing to the next-hop in inet.0.

Here’s an example:

bash set routing-options static route 10.1.1.0/24 next-hop 192.168.1.1 This static route will be placed in the inet.0 routing table by default.

Create and Apply a RIB Group: To import routes from inet.0 into the routing instance, create a RIB group configuration. This will allow the static route from inet.0 to be visible within the routing instance.

Example configuration for the RIB group:

bash

set routing-options rib-groups RIB-GROUP import-rib inet.0

set routing-options rib-groups RIB-GROUP import-rib <routing-instance-name>.inet.0

This configuration ensures that routes from inet.0 are imported into the specified routing instance.

Apply the RIB Group to the Routing Instance:

Once the RIB group is configured, apply it to the appropriate routing instance:

bash

set routing-instances <routing-instance-name> routing-options rib-group RIB-GROUP

Verify Configuration: Use the following command to verify that the static route has been imported

into the routing instance:

bash

show route table <routing-instance-name>.inet.0

The output should now display the static route imported from inet.0.

Juniper Security

Reference: RIB Groups Overview: Juniper’s documentation provides detailed information on how RIB groups function and how to use them to share routes between different routing tables. This is essential for scenarios involving policy-based routing where routes from one instance (like inet.0) need to be available in another instance.

Reference: Juniper Networks Documentation on RIB Groups.

By using RIB groups, you ensure that the static route from inet.0 is available in the appropriate routing instance for policy-based routing to function correctly. This avoids the need for other methods like filter-based forwarding or transparent mode, which do not address the specific issue of static route visibility across routing instances.

Question #12

Exhibit:

Host A shown in the exhibit is attempting to reach the Web1 webserver, but the connection is failing. Troubleshooting reveals that when Host A attempts to resolve the domain name of the server (web.acme.com), the request is resolved to the private address of the server rather than its public IP.

Which feature would you configure on the SRX Series device to solve this issue?

A . Persistent NAT
B . Double NAT
C . DNS doctoring
D . STUN protocol

Lösung einblenden Lösung ausblenden

Question #13

Exhibit:

Referring to the exhibit, which technology would you use to provide communication between IPv4 host1 and ipv4 internal host

A . DS-Lite
B . NAT444
C . NAT46
D . full cone NAT

Lösung einblenden Lösung ausblenden

Question #14

What are three core components for enabling advanced policy-based routing? (Choose three.)

A . Filter-based forwarding
B . Routing options
C . Routing instance
D . APBR profile
E . Policies

Lösung einblenden Lösung ausblenden

Richtige Antwort: ACD
ACD

Explanation:

To enable Advanced Policy-Based Routing (APBR) on SRX Series devices, three key components are necessary: filter-based forwarding, routing instances, and APBR profiles. Filter-based forwarding is utilized to direct specific traffic flows to a routing instance based on criteria set by a policy. Routing instances allow the traffic to be managed independently of the main routing table, and APBR profiles define how and when traffic should be forwarded. These elements ensure that APBR is flexible and tailored to the network’s requirements. Refer to Juniper’s APBR Documentation for more details.

Advanced policy-based routing (APBR) in Juniper’s SRX devices allows the selection of different paths for traffic based on policies, rather than relying purely on routing tables.

To enable APBR, the following core components are required:

Filter-based Forwarding (Answer A): Filter-based forwarding (FBF) is a technique used to forward traffic based on policies rather than the default routing table. It is essential for enabling APBR, as it helps match traffic based on filters and directs it to specific routes.

Configuration Example:

bash

set firewall family inet filter FBF match-term source-address 192.168.1.0/24 set firewall family inet filter FBF then routing-instance custom-routing-instance

Routing Instance (Answer C): A routing instance is required to define the separate routing table used by APBR. You can create multiple routing instances and assign traffic to these instances based on policies. The traffic will then use the routes defined within the specific routing instance.

Configuration Example:

bash

set routing-instances custom-routing-instance instance-type forwarding

set routing-instances custom-routing-instance routing-options static route 0.0.0.0/0 next-hop 10.10.10.1

APBR Profile (Answer D): The APBR profile defines the rules and policies for advanced policy-based routing. It allows you to set up conditions such as traffic type, source/destination address, and port, and then assign actions such as redirecting traffic to specific routing instances.

Configuration Example:

bash

set security forwarding-options advanced-policy-based-routing profile apbr-profile match application http

set security forwarding-options advanced-policy-based-routing profile apbr-profile then routing-instance custom-routing-instance

Other Components:

Routing Options (Answer B) are not a core component of APBR, as routing options define the general behavior of the routing table and protocols. However, APBR works by overriding these default routing behaviors using policies.

Policies (Answer E) are crucial in many network configurations but are not a core component of enabling APBR. APBR specifically relies on profiles rather than standard security policies. Juniper Security

Reference: Advanced Policy-Based Routing (APBR): Juniper’s APBR is a powerful tool that allows routing based on specific traffic characteristics rather than relying on static routing tables. APBR ensures that specific types of traffic can take alternate paths based on business or network needs.

Reference: Juniper Networks APBR Documentation.

Question #15

You are asked to create multiple virtual routers using a single SRX Series device. You must ensure that each virtual router maintains a unique copy of the routing protocol daemon (RPD) process.

Which solution will accomplish this task?

A . Secure wire
B . Tenant system
C . Transparent mode
D . Logical system

Lösung einblenden Lösung ausblenden

Question #16

A company has acquired a new branch office that has the same address space as one of its local networks, 192.168.100.0/24. The offices need to communicate with each other.

Which two NAT configurations will satisfy this requirement? (Choose two.)

A . [edit security nat source]
user@OfficeA# show rule-set OfficeBtoA {
from zone OfficeB;
to zone OfficeA;
rule 1 {
match {
source-address 192.168.210.0/24;
destination-address 192.168.200.0/24;
}
then {
source-nat { interface; }
}
}
}
B . [edit security nat static]
user@OfficeA# show rule-set From-Office-B {
from interface ge-0/0/0.0;
rule 1 {
match {
destination-address 192.168.200.0/24;
}
then {
static-nat {
prefix { 192.168.100.0/24; }
}
}
}
}
C . [edit security nat static]
user@OfficeB# show rule-set From-Office-A {
from interface ge-0/0/0.0;
rule 1 {
match {
destination-address 192.168.210.0/24;
}
then {
static-nat {
prefix { 192.168.100.0/24; }
}
}
}
}
D . [edit security nat source]
user@OfficeB# show rule-set OfficeAtoB {
from zone OfficeA;
to zone OfficeB;
rule 1 {
match {
source-address 192.168.200.0/24;
destination-address 192.168.210.0/24;
}
then {
source-nat { interface; }
}
}
}

Lösung einblenden Lösung ausblenden

Question #17

You are deploying a large-scale VPN spanning six sites.

You need to choose a VPN technology that satisfies the following requirements:

All sites must have secure reachability to all other sites.

New spoke sites can be added without explicit configuration on the hub site.

All spoke-to-spoke communication must traverse the hub site.

Which VPN technology will satisfy these requirements?

A . ADVPN
B . Group VPN
C . Secure Connect VPN
D . AutoVPN

Lösung einblenden Lösung ausblenden

Question #18

Exhibit:

The Ipsec VPN does not establish when the peer initiates, but it does establish when the SRX series device initiates.

Referring to the exhibit, what will solve this problem?

A . IKE needs to be added for the host-inbound traffic on the VPN zone.
B . The screen configuration on the untrust zone needs to be modified.
C . IKE needs to be added to the host-inbound traffic directly on the ge-0/0/0 interface.
D . Application tracking on the untrust zone needs to be removed.

Lösung einblenden Lösung ausblenden

Question #19

Click the Exhibit button.

Referring to the exhibit. SRX-1 and SRX-3 have to be connected using EBGP. The BGP configuration on SRX-1 and SRX-3 is verified and correct.

Which configuration on SRX-2 would establish an EBGP connection successfully between SRX-1 and SRX-3?

A . The host-inbound-traffic statements do not allow EBGP traffic to traverse SRX-2.
B . The security policy to allow SRX-1 and SRX-3 to communicate on TCP port 79 should be configured.
C . The security policy to allow SRX-1 and SRX-3 to communicate on TCP port 169 should be configured.
D . The security policy to allow SRX-1 and SRX-3 to communicate on TCP port 179 should be configured.

Lösung einblenden Lösung ausblenden

Question #20

You configure two Ethernet interfaces on your SRX Series device as Layer 2 interfaces and add them to the same VLAN. The SRX is using the default L2-learning setting. You do not add the interfaces to a security zone.

Which two statements are true in this scenario? (Choose two.)

A . You are unable to apply stateful security features to traffic that is switched between the two interfaces.
B . You are able to apply stateful security features to traffic that enters and exits the VLAN.
C . The interfaces will not forward traffic by default.
D . You cannot add Layer 2 interfaces to a security zone.

Lösung einblenden Lösung ausblenden