[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 2, Volume B part 05

Ensurepass

QUESTION 111 (Topic 2)

After implementing a chassis cluster for active/active clustering, you have identified a congestion issue with traffic traversing the data link between the two nodes.

Which solution should you implement?

A. Increase the throughput ratio for the active/active clustering configuration.
B. Use a link with a higher bandwidth capacity for the data link.
C. Offload the excess traffic to a dedicated reth group.
D. Implement dual data links to load balance data traffic.

Answer: B

Explanation: You have to upgrade the fabric link to support a higher bandwidth. Connecting two fabric links between nodes provides redundancy. Having two fabric links helps to avoid a possible single point of failure but does not provide load balancing of data traffic.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/chassis-cluster-dual-fabric-links-understanding.html

QUESTION 112 (Topic 2)

You want to add a dynamic VPN to your SRX650. This dynamic VPN must be able to support five users at the same time.

What are two primary requirements? (Choose two.)

A. You must use a policy-based VPN.
B. You must use a route-based VPN.
C. You must install the proper licenses.
D. You must configure local client authentication.

Answer: AC

Explanation: The SRX only supports dynamic VPN with the embedded client. For that it must be policy-based, because for a client-based VPN the SRX specifically looks for the tunnel policy, so it cannot work as a route-based VPN. Dynamic VPN is a licensed feature. By default, a two-user evaluation license is provided free of cost on SRX devices, and it does not expire. Where more than two users need to connect concurrently, a license is required. These are available as 5, 10, 25, and 50 user licenses.

Reference:
http://forums.juniper.net/t5/SRX-Services-Gateway/dialup-vpn-over-route-based-vpn/m-p/90610
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436&actp=search&viewlocale=en_US&searchid=1320423410978#

QUESTION 113 (Topic 2)

You have configured persistent NAT in your NAT rule base. You create a security policy in the direction of external to internal.

Which persistent NAT parameter should you configure?

A. all-remote-host
B. target-host
C. any-remote-host
D. target-host-port

Answer: BC

Explanation:
The following types of persistent NAT can be configured on the Juniper Networks device:

Any remote host: All requests from a specific internal IP address and port are mapped to the same reflexive transport address. Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

Target host: All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host's IP address.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/junos-security-swconfig-security.pdf

QUESTION 114 (Topic 2)

Your company recently acquired another company. During a site visit and network audit, you recognize that the acquired company's private network address space overlaps with yours. You will eventually merge the networks, but for the moment, you must make communication between the networks work over the Internet as a first step toward the migration.

What should you do to meet the requirements?

A. Use source NAT to deliver the necessary translations between private and public networks.
B. Implement a static NAT at one site.
C. Implement double NAT on both sites' public network-facing routers.
D. Migrate to multicast.

Answer: C

Explanation: Double NAT occurs when both the source IP address and destination IP address leave the translating system changed. Double NAT is commonly used for merging two networks with overlapping address space. This has become an increasingly common scenario as more organizations have moved to using RFC 1918 private address space for their internal addressing in an effort to overcome public IPv4 address exhaustion. When these organizations merge, they are left with overlapping RFC 1918 addressing. In these cases, double NAT must be leveraged until systems can be readdressed.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 243.

QUESTION 115 (Topic 2)

Click the Exhibit button.

[Exhibit: clip_image002 not included]

Referring to the exhibit, what happens when the source pool is exhausted?

A. Traffic is forwarded with the translated source as the egress interface.
B. Traffic is dropped.
C. Traffic is forwarded without port translation.
D. Traffic is forwarded without translation.

Answer: A

Explanation: When a given pool is exhausted, it may then reference a completely different overflow pool for additional translations. If the interface keyword is used with overflow-pool, then the interface's IP address is used for NAT and PAT.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e81039.html?searchid=1320424816614

QUESTION 116 (Topic 2)

Click the Exhibit button.

[Exhibit: clip_image004 not included]

The NHTB configuration excerpt shown in the exhibit is applied on an SRX Series device that is a hub in a hub-and-spoke VPN.

Which statement is true about this configuration?

A. The spoke devices can be any IPSec VPN gateway.
B. The spoke devices must be SRX Series devices.
C. The spoke devices must support NHTB protocol.
D. The spoke devices require multipoint configured on the st0 interface.

Answer: A

Explanation: As long as NHTB is configured, the remote spoke device is not required to be a Juniper device. The NHTB protocol must be supported by the hub only, and only on the hub is st0 configured as multipoint.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 267.

QUESTION 117 (Topic 2)

You have configured your SRX Series device with two route-based VPNs for the same destination network. Remote SRX Series device A's route has a preference of 5 and remote SRX Series device B has a preference of 10. Users complain they cannot reach the networks through the VPN tunnel. You verify the VPN's status and discover that the IKE Phase 1 and Phase 2 security associations are active, but the remote networks are not reachable.

Which SRX VPN feature would you use to cause the route-based VPN with preference 10 to be used?

A. Configure the dead peer detection feature.
B. Configure the vpn-monitor feature.
C. Configure the establish-tunnels-immediately option.
D. Configure the IPSec security association lifetime to a lower value.

Answer: B

Explanation: One issue with DPD is that it doesn't necessarily mean the underlying VPN is up and running, just that the peer is up and responding. VPN monitoring is not an IPsec standard feature, but it utilizes Internet Control Message Protocol (ICMP) to determine if the VPN is up. VPN monitoring allows the SRX to send ICMP traffic either to the peer gateway or to another destination on the other end of the tunnel (such as a server), along with specifying the source IP address of the ICMP traffic. If the ICMP traffic fails, the VPN is considered down.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 269.

QUESTION 118 (Topic 2)

Click the Exhibit button.

[Exhibit: clip_image006 not included]

Given the exhibit, which type of NAT is implemented?

A. one-to-many with port translation
B. many-to-many with port translation
C. many-to-many without port translation
D. many-to-one with port translation

Answer: B

Explanation: Many-to-many NAT with port translation is implemented in the exhibit. It translates the source IP for a maximum of 255 hosts matching the 10.1.1.0/24 network to a pool of 11 IPs from 200.0.0.30 to 200.0.0.40. As the first number (255) is greater than the second one (11), PAT may be needed for translation.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 209.

QUESTION 119 (Topic 2)

You are configuring a hub-and-spoke VPN topology between an SRX Series device deployed at the hub site and several devices at spoke sites. You have configured all the settings to establish the tunnel, but the IPSec SA has not yet been established; all configured proposals and policies match on both sides.

Which three actions can you perform to establish the IPSec SA between the hub and spoke sites? (Choose three.)

A. Enable VPN monitoring.
B. Initiate traffic from the spoke site to the hub site.
C. Configure the tunnel to establish immediately.
D. Configure dead peer detection.
E. Initiate traffic from the hub site to the spoke site.

Answer: BCE

Explanation: The VPN can be established immediately when the configuration is applied (and subsequently whenever the VPN expires), or it can be established on-traffic when there is user data traffic. By default, VPNs are established on-traffic.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 296.

QUESTION 120 (Topic 2)

Click the Exhibit button.

[Exhibit: clip_image008 not included]

In the exhibit, Node 0 had primacy of RG 1 until interface ge-0/0/1 failed. Upon restoration of interface ge-0/0/1, Node 1 retained primacy for RG 1.

What will allow Node 0 to regain primacy of RG 1?

A. Add the preempt parameter.
B. Add the acquire parameter.
C. Increase the gratuitous ARP threshold.
D. Decrease the hold-down interval.

Answer: A

Explanation: The preempt command enables chassis cluster node preemption within a redundancy group. If preempt is added to a redundancy group configuration, the device with the higher priority in the group can initiate a failover to become master. By default, preemption is disabled.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e11037.html?searchid=1320424816614
