Free JN0-636 Exam Braindumps (page: 3)


Exhibit (image not reproduced)

You configure a traceoptions file called radius on your SRX Series device, which returns the output shown in the exhibit. What is the source of the problem?

  1. An incorrect password is being used.
  2. The authentication order is misconfigured.
  3. The RADIUS server IP address is unreachable.
  4. The RADIUS server suffered a hardware failure.

Answer(s): A

Explanation:

According to the output of the traceoptions file called radius, the source of the problem is that the RADIUS server IP address is unreachable. This is indicated by the line "FAILURE: sendto: No route to host", which shows that the SRX device cannot send the authentication request to the RADIUS server. This could be due to a network issue, such as a misconfigured route, a firewall blocking the traffic, or a physical link failure.

To troubleshoot this issue, the user should check the following:

  1. The RADIUS server IP address and port are correctly configured on the SRX device. Verify this with the command:
     show configuration access radius-server
  2. The SRX device can ping the RADIUS server IP address. Test connectivity with:
     ping <RADIUS-server-IP>
  3. The SRX device has a valid route to the RADIUS server IP address. Check the routing table with:
     show route <RADIUS-server-IP>
  4. The SRX device and the RADIUS server are using the same shared secret key. Verify this with:
     show configuration access radius-server secret
  5. The SRX device and the RADIUS server are using the same authentication protocol. Verify this with [4]:
     show configuration access profile <profile-name>
  6. The firewall policies on the SRX device and any intermediate devices are allowing the RADIUS traffic. Check the policies with:
     show security policies from-zone <source-zone> to-zone <destination-zone>


Reference:

1: Configuring RADIUS Server Parameters
2: ping - Technical Documentation - Support - Juniper Networks
3: show route - Technical Documentation - Support - Juniper Networks
4: Configuring Authentication Profiles
5: show security policies - Technical Documentation - Support - Juniper Networks



Exhibit (image not reproduced)

You have configured the SRX Series device to switch packets for multiple directly connected hosts that are within the same broadcast domain. However, the traffic between two hosts in the same broadcast domain is not matching any security policies. Referring to the exhibit, what should you do to solve this problem?

  1. You must change the global mode to security switching mode.
  2. You must change the global mode to security bridging mode.
  3. You must change the global mode to transparent bridge mode.
  4. You must change the global mode to switching mode.

Answer(s): C

Explanation:

According to the exhibit, which is a configuration snippet of the SRX Series device, the global mode for the device is set to switching mode. This means that the device is operating as a Layer 2 switch and does not apply any security policies to the traffic between hosts in the same broadcast domain. Therefore, the traffic between two hosts in the same broadcast domain is not matching any security policies.

To solve this problem, the user should change the global mode to transparent bridge mode. This means that the device will operate as a Layer 2 transparent bridge and apply security policies to the traffic between hosts in the same broadcast domain. This will allow the user to enforce security policies based on the source and destination IP addresses, ports, and protocols of the traffic. To change the global mode to transparent bridge mode, the user should use the following command:

  set protocols l2-learning global-mode transparent-bridge

This command sets the global mode for the SRX Series device to Layer 2 transparent bridge mode. After changing the mode, the user must reboot the device for the configuration to take effect.


Reference:

1: global-mode (Protocols)
2: Configuring Layer 2 Transparent Mode



You are asked to deploy filter-based forwarding on your SRX Series device for incoming traffic sourced from the 10.10.100.0/24 network. In this scenario, which three statements are correct? (Choose three.)

  1. You must create a forwarding-type routing instance.
  2. You must create and apply a firewall filter that matches on the source address 10.10.100.0/24 and then sends this traffic to your routing instance.
  3. You must create and apply a firewall filter that matches on the destination address 10.10.100.0/24 and then sends this traffic to your routing instance.
  4. You must create a RIB group that adds interface routes to your routing instance.
  5. You must create a VRF-type routing instance.

Answer(s): A,B,D

Explanation:

According to the Juniper documentation, filter-based forwarding (FBF) is a technique that allows the SRX Series device to forward packets based on firewall filter rules, rather than the default routing table. FBF can be used to implement policy-based routing, load balancing, or traffic engineering.

To deploy FBF on the SRX Series device for incoming traffic sourced from the 10.10.100.0/24 network, the following steps are required:

You must create a forwarding-type routing instance. A forwarding-type routing instance is a special type of routing instance that is used for FBF. It does not have any interfaces or routing protocols associated with it, but it has its own routing table that can be populated by static routes, RIB groups, or routing policies. You can create a forwarding-type routing instance with the following command:

  set routing-instances <instance-name> instance-type forwarding

You must create and apply a firewall filter that matches on the source address 10.10.100.0/24 and then sends this traffic to your routing instance. A firewall filter is a set of rules that can match on various packet attributes, such as source and destination addresses, ports, protocols, and so on. You can use the then routing-instance action to specify the routing instance that the packet should be forwarded to. You can create and apply a firewall filter with the following commands:

  set firewall family inet filter <filter-name> term <term-name> from source-address 10.10.100.0/24
  set firewall family inet filter <filter-name> term <term-name> then routing-instance <instance-name>
  set interfaces <interface-name> unit <unit-number> family inet filter input <filter-name>

You must create a RIB group that adds interface routes to your routing instance. A RIB group is a mechanism that allows you to import routes from one routing table to another. You can use a RIB group to add the interface routes of the ingress interface to the routing table of the forwarding-type routing instance. This ensures that the SRX device can forward the packets to the correct next hop based on the destination address. You can create a RIB group with the following commands:

  set routing-options rib-groups <rib-group-name> import-rib inet.0
  set routing-options rib-groups <rib-group-name> import-rib <instance-name>.inet.0
  set routing-instances <instance-name> routing-options instance-import <rib-group-name>

The following steps are not required or are incorrect:

You do not need to create a VRF-type routing instance. A VRF-type routing instance is a type of routing instance that is used for virtual routing and forwarding. It allows you to create multiple logical routers on the same physical device, each with its own interfaces, routing protocols, and routing tables. VRF-type routing instances are typically used for VPNs, MPLS, or network segmentation. However, they are not necessary for FBF, which can be achieved with a forwarding-type routing instance.

You do not need to create and apply a firewall filter that matches on the destination address 10.10.100.0/24 and then sends this traffic to your routing instance. This would be redundant and unnecessary, as the destination address of the incoming traffic is already determined by the routing table of the forwarding-type routing instance. Moreover, this would create a loop, as the traffic would be sent back to the same routing instance that it came from.
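The following check is an added example, not part of the page or of any Juniper tool: it parses a constructed list of Junos set commands (FBF-VR, FBF-FILTER, FBF-RG and ge-0/0/1 are placeholder names) and reports whether each of the three required FBF elements from the explanation is present, treating a destination-address match or a VRF-type instance as not satisfying the requirement.

```python
from collections import defaultdict

# Constructed sample (not from the page): the FBF elements the explanation lists, as Junos
# "set" commands. FBF-VR, FBF-FILTER, FBF-RG and ge-0/0/1 are placeholder names.
SAMPLE_CONFIG = """
set routing-instances FBF-VR instance-type forwarding
set routing-instances FBF-VR routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set firewall family inet filter FBF-FILTER term t1 from source-address 10.10.100.0/24
set firewall family inet filter FBF-FILTER term t1 then routing-instance FBF-VR
set firewall family inet filter FBF-FILTER term default then accept
set interfaces ge-0/0/1 unit 0 family inet filter input FBF-FILTER
set routing-options rib-groups FBF-RG import-rib inet.0
set routing-options rib-groups FBF-RG import-rib FBF-VR.inet.0
""".strip().splitlines()


def check_fbf(config_lines, source_prefix):
    """Return {requirement: present?} for the FBF elements, plus 'all_required_present'."""
    instances = {}                  # routing-instance name -> instance-type
    term_from = defaultdict(dict)   # (filter, term) -> {match keyword: value}
    term_to = {}                    # (filter, term) -> instance named in "then routing-instance"
    applied = set()                 # filters applied as "filter input" on an interface
    rib_imports = defaultdict(set)  # rib-group name -> set of imported tables
    for line in config_lines:
        w = line.split()
        if w[:2] == ["set", "routing-instances"] and w[3:4] == ["instance-type"]:
            instances[w[2]] = w[4]
        elif w[:5] == ["set", "firewall", "family", "inet", "filter"] and w[6:7] == ["term"]:
            key = (w[5], w[7])
            if w[8:9] == ["from"] and len(w) > 10:
                term_from[key][w[9]] = w[10]
            elif w[8:10] == ["then", "routing-instance"]:
                term_to[key] = w[10]
        elif w[:2] == ["set", "interfaces"] and w[-2:-1] == ["input"] and "filter" in w:
            applied.add(w[-1])
        elif w[:3] == ["set", "routing-options", "rib-groups"] and w[4:5] == ["import-rib"]:
            rib_imports[w[3]].add(w[5])
    fwd = {name for name, kind in instances.items() if kind == "forwarding"}
    res = {"forwarding_instance": bool(fwd)}
    # The filter must match the SOURCE prefix (a destination-address match, as in option 3,
    # does not count), send it to a forwarding-type instance, and be applied as an input filter.
    res["source_filter_to_instance"] = any(
        term_from[k].get("source-address") == source_prefix and term_to.get(k) in fwd
        for k in term_from)
    res["filter_applied_on_interface"] = any(
        flt in applied for (flt, _t), inst in term_to.items() if inst in fwd)
    # The RIB group must import both inet.0 and the forwarding instance's own table.
    res["rib_group_adds_interface_routes"] = any(
        "inet.0" in tbl and any(f"{n}.inet.0" in tbl for n in fwd) for tbl in rib_imports.values())
    res["all_required_present"] = all(res.values())
    return res
```

Swapping source-address for destination-address in the sample, or the instance type for vrf, makes the corresponding requirement report False, which mirrors why options 3 and 5 are not correct.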


Reference:

1: Filter-Based Forwarding Overview
2: Configuring Filter-Based Forwarding
3: forwarding (Routing Instances)
4: routing-instance (Firewall Filter Action)
5: Configuring RIB Groups
6: vrf (Routing Instances)



You are connecting two remote sites to your corporate headquarters site. You must ensure that all traffic is secured and sent directly between sites. In this scenario, which VPN should be used?

  1. IPsec ADVPN
  2. hub-and-spoke IPsec VPN
  3. Layer 2 VPN
  4. full mesh Layer 3 VPN with EBGP

Answer(s): A

Explanation:

According to the Juniper documentation, the best VPN type for connecting two remote sites to the corporate headquarters site while ensuring that all traffic is secured and sent directly between sites is IPsec ADVPN. ADVPN stands for Auto Discovery VPN, which is a feature that allows the SRX Series devices to dynamically establish IPsec tunnels between remote sites without requiring a full mesh configuration. IPsec ADVPN uses NHRP (Next Hop Resolution Protocol) to discover the optimal path between two remote sites and create a shortcut tunnel that bypasses the hub device. This reduces the latency and bandwidth consumption of the traffic and improves the performance and scalability of the VPN.
To configure IPsec ADVPN on the SRX Series devices, the following steps are required:
Configure the hub device as an NHRP server and assign it a unique NHRP network ID and a public IP address.
Configure the spoke devices as NHRP clients and register them with the hub device using the same NHRP network ID and the hub's public IP address.
Configure the IPsec VPN parameters on the hub and spoke devices, such as the IKE and IPsec proposals, policies, and gateways.
Configure the routing protocols on the hub and spoke devices, such as OSPF or BGP, to advertise the routes between the sites.
Once the IPsec ADVPN is configured, the hub and spoke devices will establish IPsec tunnels with each other and exchange NHRP information.
When a spoke device needs to send traffic to another spoke device, it will send an NHRP resolution request to the hub device, which will reply with the public IP address of the destination spoke device. The source spoke device will then initiate a shortcut IPsec tunnel with the destination spoke device and send the traffic directly to it.

The following VPN types are not suitable for this scenario:
Hub-and-spoke IPsec VPN: This type of VPN requires that all traffic between the remote sites go through the hub device, which adds latency and consumes bandwidth. It also does not scale well as the number of remote sites increases.
Layer 2 VPN: This type of VPN allows the remote sites to extend their Layer 2 networks over a Layer 3 network, such as the internet. It is typically used for data center interconnection or service provider networks. However, it does not provide any security or encryption for the traffic, and it may not be compatible with the existing network infrastructure.

Full mesh Layer 3 VPN with EBGP: This type of VPN allows the remote sites to exchange Layer 3 routing information over a Layer 3 network, such as the internet, using EBGP (External Border Gateway Protocol). It is typically used for enterprise networks or service provider networks. However, it requires that each remote site has a unique AS (Autonomous System) number and a public IP address, and that each remote site establishes a BGP session with every other remote site. This can be complex and cumbersome to configure and maintain, and it may not provide any security or encryption for the traffic.


Reference:

1: Auto Discovery VPN Overview
2: Understanding Auto Discovery VPN
3: Configuring NHRP on the Hub and Spoke Devices
4: Configuring IPsec VPN on the Hub and Spoke Devices
5: Configuring Routing Protocols on the Hub and Spoke Devices
6: Hub-and-Spoke VPNs Overview
7: Layer 2 VPNs Feature Guide for Security Devices
8: Layer 3 VPNs Feature Guide for Security Devices


