JN0-480 Data Center Specialist (JNCIS-DC) Question and Answers

In the EVPN-VXLAN data center fabric bridged overlay architecture shown in the exhibit, the servers are connected to Leaf1 and Leaf6 using the same virtual network identifier (VNI). This means that the servers belong to the same Layer 2 domain and can communicate with each other using VXLAN tunnels across the fabric. The underlay network provides the IP connectivity between the leaf and spine devices, and it uses EBGP as the routing protocol. Therefore, the following two statements are correct in this scenario:

• Loopback IPv4 addresses must be advertised into the EBGP underlay from leaf and spine devices. This is because the loopback addresses are used as the source and destination IP addresses for the VXLAN tunnels, and they must be reachable by all the devices in the fabric. The loopback addresses are also used as the router IDs and the BGP peer addresses for the EBGP sessions.
• The underlay EBGP peering’s must be established between leaf and spine devices. This is because the EBGP sessions are used to exchange the underlay routing information and the EVPN routes for the overlay network. The EBGPsessions are established using the loopback addresses of the devices, and they follow a spine-and-leaf topology, where each leaf device peers with all the spine devices, and each spine device peers with all the leaf devices.

The following two statements are incorrect in this scenario:

• The underlay must use IRB interfaces. This is not true, because the underlay network does not provide any Layer 3 gateway functionality for the overlay network. The IRB interfaces are used to provide inter-VXLAN routing within the fabric, which is not the case in the bridged overlay architecture. The IRB interfaces are used in the edge-routed bridging (ERB) or the centrally-routed bridging (CRB) architectures, which are different from the bridged overlay architecture.
• The underlay must be provisioned with PIMv2. This is not true, because the underlay network does not use multicast for the VXLAN tunnels. The VXLAN tunnels are established using EVPN, which uses BGP to distribute the MAC and IP addresses of the end hosts and the VTEP information of the devices. EVPN eliminates the need for multicast in the underlay network, and it provides optimal forwarding and fast convergence for the overlay network.

References:

• Exploring EVPN-VXLAN Overlay Architectures – Bridged Overlay
• EVPN LAGs in EVPN-VXLAN Reference Architectures
• EVPN-VXLAN Configuration Guide

When a new switch is added to Juniper Apstra software, it initially shows the “0 OS-Quarantined” status, which means that the device is not yet managed by Apstra and has not been assigned to any blueprint. The proper next step to make the device ready for use in a blueprint is to acknowledge the device, which is a manual action that confirms the device identity and ownership. Acknowledging the device changes its status to “OOS-Ready”, which means that the device is ready to be assigned to a blueprint and deployed12. References:

• Managing Devices
• AOS Device Configuration Lifecycle

VXLAN VNIs are virtual network identifiers that are used to identify and isolate Layer 2 segments in the overlay network. VXLAN VNIs have the following characteristics:

• VNIs can have over 16 million unique values. This is because VXLAN VNIs are 24-bit fields that can range from 4096 to 16777214, according to the VXLAN standard1. This allows VXLAN to support a large number of Layer 2 segments and tenants in the network.
• VNIs identify a broadcast domain. This is because VXLAN VNIs are used to group the end hosts that belong to the same Layer 2 segment and can communicate with each other using VXLAN tunnels. The VXLAN tunnels are established using the VTEP information that is distributed by EVPN. The VTEPs are VXLAN tunnel endpoints that perform the VXLAN encapsulation and decapsulation. The VXLAN tunnels preserve the Layer 2 semantics and support the broadcast, unknown unicast, and multicast traffic within the same VNI2.

The following two statements are incorrect in this scenario:

• VNIs identify a collision domain. This is not true, because VXLAN VNIs do not identify a collision domain, which is a network segment where data packets can collide with each other. VXLAN VNIs identify a broadcast domain, which is a network segment where broadcast traffic can reach all the devices. Collision domains are not relevant in VXLAN networks, because VXLAN uses MAC-in-UDP encapsulation and IP routing to transport the Layer 2 frames over the Layer 3 network1.
• VNIs are alphanumeric values. This is not true, because VXLAN VNIs are numeric values, not alphanumeric values. VXLAN VNIs are 24-bit fields that can range from 4096 to 16777214, according to the VXLAN standard1. Alphanumeric values are values that contain both letters and numbers, such as ABC123 or 1A2B3C.

References:

• Virtual Extensible LAN (VXLAN) Overview
• EVPN LAGs in EVPN-VXLAN Reference Architectures

To keep virtual networks isolated from each other within the Juniper Apstra system, you can use one or more of the following methods:

• Enable Security Policy for virtual networks in the same Routing Zone. This allows you to define rules that control the traffic flow between different virtual networks within the same routing zone. You can specify the source and destination virtual networks, the protocol, the port, and the action (allow or deny) for each rule. The security policy is applied on the ingress interface of the leaf devices1.
• Use Connectivity Templates to block access within the same Routing Zone. This allows you to customize the connectivity between different racks within the same routing zone. You can create templates that define the link type, the routing protocol, and the access control list(ACL) for each rack pair. The ACL can be used to filter the traffic based on the source and destination IP addresses, the protocol, and the port2.
• Put each network in different Routing Zones. This allows you to create logical boundaries between different virtual networks based on the route target (RT) values. A routing zone is a collection of virtual networks that share the same RT for importing and exporting routes. Virtual networks in different routing zones do not exchange routes with each other, unless you configure remote EVPN gateways to connect them3. References:
• Security Policy
• Connectivity Templates
• Routing Zones

To answer this question, we need to understand the concept of ESI values in EVPN LAGs. An ESI is a 10-byte value that identifies an Ethernet segment, which is a set of links that connect a multihomed device (such as a server) to one or more PE devices (such as leaf switches) in an EVPN network. The same ESI value must be configured on all the PE devices that connect to the same Ethernet segment. This allows the PE devices to form an EVPN LAG, which supports active-active or active-standby multihoming for the device. The ESI value can be manually configured (type 0) or automatically derived from LACP (type 1) or other methods. In the exhibit, Server A is connected to two leaf switches (QFX 5210) using a LAG with LACP enabled. Server B is connected to three leaf switches (QFX 5120) using a LAG with LACP enabled. Based on this information, the following statements are correct about ESI values for the server connections to the fabric:

• C. A valid ESI value for Server A is 0x00.10.10.10.10.10.10.10.10.10. This is true because this ESI value can be automatically derived from the LACP configuration on the QFX 5210 devices. The LACP system ID is usually based on the MAC address of the device, and the LACP administrative key is a 2-byte value that identifies the LAG. For example, if the MAC address of the QFX 5210 device is 00:10:10:10:10:10 and the LAG ID is 10, then the LACP system ID is 00:10:10:10:10:10 and the LACP administrative key is 00:0A. The ESI value is then derived by concatenating the LACP system ID and the LACP administrative key, resulting in 00:10:10:10:10:10:00:0A. This ESI value can be represented in hexadecimal notation as 0x00.10.10.10.10.10.00.0A, or padded with zeros as 0x00.10.10.10.10.10.00.0A.00.00. This ESI value must be configured on both QFX 5210 devices that connect to Server A.
• D. A valid ESI value for Server B is 0x00.00.00.00.00.00.00.00.00.00. This is true because this ESI value is a reserved value that indicates a single-homed device. Server B is connected to three leaf switches (QFX 5120) using a LAG, but it is not multihomed to any of them. This means that Server B does not need an ESI value to form an EVPN LAG with any of the leaf switches. Instead, Server B can use the reserved ESI value of 0x00.00.00.00.00.00.00.00.00.00, which indicates that it is a single-homed device and does not participate in any EVPN LAG. This ESI value must be configured on all three QFX 5120 devices that connect to Server B. Thefollowing statements are incorrect about ESI values for the server connections to the fabric:
• A. A valid ESI value for Server A is 0x00.00.00.00.00.00.00.00.00.00. This is false because this ESI value is a reserved value that indicates a single-homed device. Server A is connected to two leaf switches (QFX 5210) using a LAG with LACP enabled, which means that it is multihomed to both of them. This means that Server A needs an ESI value to form an EVPN LAG with the leaf switches. The ESI value must be unique and non-zero for each Ethernet segment, so the reserved ESI value of 0x00.00.00.00.00.00.00.00.00.00 is not valid for Server A.
• B. A valid ESI value for Server B is 0x00.20.20.20.20.20.20.20.20.20. This is false because this ESI value is not derived from the LACP configuration on the QFX 5120 devices. Server B is connected to three leaf switches (QFX 5120) using a LAG with LACP enabled, but it is not multihomed to any of them. This means that Server B does not need an ESI value to form an EVPN LAG with any of the leaf switches. Instead, Server B can use the reserved ESI value of 0x00.00.00.00.00.00.00.00.00.00, which indicates that it is a single-homed device and does not participate in any EVPN LAG. The ESI value of 0x00.20.20.20.20.20.20.20.20.20 is not valid for Server B, and it may cause conflicts with other Ethernet segments that use the same ESI value. References:
• Ethernet Segment Identifiers, ESI Types, and LACP in EVPN LAGs
• Understanding Automatically Generated ESIs in EVPN Networks
• Ethernet Segment in EVPN: All You Need to Know

Referring to the exhibit, the image shows a user interface of the Juniper Apstra software application, which is used for network management and configuration. The image shows the Virtual Networks table under the Resources menu, which displays the details of the VLANs and VXLANs in the network. The table has 11 columns, but only 9 are visible in the image. The other two columns are IPv6 Connectivity and IPv6 Subnet, which are hidden by default. To display the IPv6 subnets for all of the listed VXLANs, the user needs to select Columns, then select IPv6 Subnet. This will show the IPv6 Subnet column in the table, which will display the IPv6 addresses assigned to the VXLANs from the IPv6 pools. For more information, see Virtual Networks (Resources). References:

• Virtual Networks (Resources)
• IPv6 Pools (Resources)
• Apstra User Guide

According to the Juniper documentation1, an interface map is a configuration template that maps interfaces between logical devices and physical hardware devices (represented with device profiles) while adhering to vendor specifications. An interface map specifies a connection between the interfaces of two devices, such as a leaf and a spine, a leaf and a server, or a leaf and an external gateway. An interface map can also specify port transformations, such as breaking out a 40 GbE port into four 10 GbE ports, or disabling unused ports. An interface map can be used to achieve the intended network configuration rendering and to enable features such as LAG, ESI-LAG, or MLAG. Therefore, the correct answer is B. An interface map specifies a connection between the interfaces of two devices. References: Interface Maps (Datacenter Design)

Juniper Apstra role-based access control (RBAC) is a feature that allows you to specify access permissions for different users based on their roles. RBAC servers are remote network servers that authenticate and authorize network access based on roles assigned to individual users within an enterprise1. Juniper Apstra has four predefined user roles: administrator, device_ztp, user, and viewer2. The administrator role is the most powerful role, and it can see all permissions and perform all actions in the Apstra software application. The administrator role can also create, clone, edit, and delete user roles, except for the four predefined user roles, which cannot be modified2. Therefore, the statement that the administrator role can see all permissions is correct.

The following three statements are incorrect in this scenario:

• The viewer role is predefined and can be deleted. This is not true, because the viewer role is one of the four predefined user roles, and it cannot be deleted. The viewer role is the most restricted role, and it can only view the network information and configuration, but not make any changes2.
• The user role can create roles. This is not true, because the user role is one of the four predefined user roles, and it cannot create roles. The user role can perform most of the network configuration and management tasks, but it cannot access the platform settings or the user management features2.
• The administrator role is the only predefined role. This is not true, because there are four predefined user roles, not just one. The other three predefined user roles are device_ztp, user, and viewer2.

References:

• Providers — Apstra 3.3.0 documentation
• User/Role Management (Platform)

BGP is the protocol used to advertise EVPN routes. EVPN routes are a new type of BGP network layer reachability information (NLRI) that carry MAC address and IP prefix information for Ethernet VPNs. EVPN routes are exchanged between PEs using BGP multiprotocol extensions (MP-BGP) over MPLS, VXLAN, SR, or SRv6 tunnels. EVPN routes enable PEs to learn the reachability of MAC addresses and IP prefixes of different sites within the same EVPN instance. EVPN routes also support various features such as fast convergence, redundancy, aliasing, and inter-subnet routing. The other options are incorrect because:

• A. OSPF is wrong because OSPF is an interior gateway protocol (IGP) that is used to advertise IP routes within an autonomous system. OSPF is not used to advertise EVPN routes, which are a type of BGP NLRI that carry MAC address and IP prefix information for Ethernet VPNs.
• C. IS-IS is wrong because IS-IS is an interior gateway protocol (IGP) that is used to advertise IP routes and MPLS labels within an autonomous system. IS-IS is not used to advertise EVPN routes, which are a type of BGP NLRI that carry MAC address and IP prefix information for Ethernet VPNs.
• D. RIP is wrong because RIP is an interior gateway protocol (IGP) that is used to advertise IP routes within an autonomous system. RIP is not used to advertise EVPN routes, which are a type of BGP NLRI that carry MAC address and IP prefix information for Ethernet VPNs. References:
• EVPN Fundamentals
• RFC 9136 - IP Prefix Advertisement in Ethernet VPN (EVPN)
• EVPN Type-5 Routes: IP Prefix Advertisement
• Understanding EVPN Pure Type 5 Routes

According to the Juniper documentation1, an ESI-LAG is a link aggregation group (LAG) that spans two or more devices and is identified by an Ethernet segment identifier (ESI). An ESI-LAG provides redundancy and load balancing for a multihomed server in an EVPN-VXLAN network. To configure an ESI-LAG, you need to ensure that the following requirements are met:

• The LACP system ID on both devices must be the same. This ensures that the LACP protocol can negotiate the LAG parameters and form a single logical interface for the server.
• The ESI ID on both devices must be the same. This ensures that the EVPN control plane can advertise the ESI-LAG as a single Ethernet segment and synchronize the MAC and IP addresses of the server across the devices.
• The VLAN ID and VNI on both devices must be the same. This ensures that the server can communicate with other hosts in the same virtual network and that the VXLAN encapsulation and decapsulation can work properly.

In the exhibit, the LACP system ID and the ESI ID on both devices are different, which prevents the ESI-LAG from coming up as multihomed. Therefore, the correct answer is B and D. The LACP system ID on both devices must be the same and the ESI ID on both devices must be the same. References: ESI-LAG Made Easier with EZ-LAG, Example: Configuring an ESI on a Logical Interface With EVPN-MPLS Multihoming, Introduction to EVPN LAG Multihoming

When an agent installation is successful, devices are placed into the Out of Service Quarantined (OOS-QUARANTINED) state using the Juniper Apstra UI. This state means that the device is not yet managed by Apstra and has not been assigned to any blueprint. The device configuration at this point is called Pristine Config. To make the device ready for use in a blueprint, you need to acknowledge the device, which is a manual action that confirms the device identity and ownership. Acknowledging the device changes its status to Out of Service Ready (OOS-READY)12. References:

• Managing Devices
• AOS Device Configuration Lifecycle

Device profiles are objects that associate a specific vendor model to a logical device in Juniper Apstra. Device profiles contain extensive hardware model details, such as form factor, ASIC, CPU, RAM, ECMP limit, and supported features. Device profiles also define how configuration is generated, how telemetry commands are rendered, and how configuration is deployed on a device. Device profiles enable the Apstra system to render and deploy the configuration according to the Apstra Reference Design12. References:

• Device Profiles
• Juniper Device Profiles

To make the IP fabric a valid IP fabric, the connection between the two spine nodes must be removed. This is because an IP fabric is a network topology that uses a spine-leaf architecture, where the spine devices are only connected to the leaf devices, and the leaf devices are only connected to the spine devices. This creates a non-blocking, high-performance, and scalable network that supports Layer 3 routing protocols such as BGP or OSPF. The connection between the two spine nodes in the exhibit violates the spine-leaf design principle and introduces unnecessary complexity and potential loops in the network. The other options are incorrect because:

• A. The IP fabric must consist of only one device model throughout the fabric is wrong because an IP fabric can support different device models as long as they are compatible and interoperable. The exhibit shows two different models of QFX switches, which are both supported by Juniper Networks for IP fabric deployments.
• B. The connection between the two spine nodes must be increased to 40 Gbps is wrong because increasing the speed of the connection does not make the IP fabric valid. The connection between the two spine nodes should be removed, as explained above.
• C. The IP fabric connections must be increased to a speed greater than 10 Gbps is wrong because the speed of the connections does not affect the validity of theIP fabric. The IP fabric can use any speed that meets the bandwidth and performance requirements of the network. 10 Gbps is a common speed for IP fabric connections, but higher or lower speeds can also be used depending on the network design and devices. References:
• IP Fabric Underlay Network Design and Implementation
• IP Fabric Overview
• IP Fabric: Automated Network Assurance Platform

In the Juniper Apstra UI, the Resources menu allows you to create and manage global and local resources that are used for various elements of the network design and configuration. The Resources menu includes the following three types of resources that can be assigned to the network devices and virtual networks:

• ASN pools: These are pools of autonomous system numbers (ASNs) that are used for the underlay routing protocol (EBGP) between the leaf and spine devices. You can create ASN pools with either 2-byte or 4-byte ASNs, and assign them to the logical devices in the blueprint.
• VNI pools: These are pools of virtual network identifiers (VNIs) that are used for the overlay network (VXLAN) between the end hosts. You can create VNI pools with a range of VNIs, and assign them to the virtual networks in the blueprint.
• IP address pools: These are pools of IPv4 or IPv6 addresses that are used for various purposes in the network, such as the loopback addresses for the devices, the IP prefixes for the virtual networks, the host IP addresses for the end hosts, and the gateway IP addresses for the IRB interfaces. You can create IP address pools with a range of IP addresses, and assign them to the logical devices and virtual networks in the blueprint.

The following two types of resources are not assigned under the Resources menu:

• VTEP pools: These are not resources that can be created or assigned by the user. VTEPs are VXLAN tunnel endpoints that are automatically generated by the Apstra server based on the loopback IP addresses of the devices. VTEPs are used as the source and destination IP addresses for the VXLAN tunnels in the overlay network.
• Logical device pools: These are not resources that can be created or assigned by the user. Logical device pools are groups of logical devices that share the same role, interface map, and resource assignments in the blueprint. Logical device pools are used to simplify the network design and configuration by applying the same settings to multiple devices.

References:

• Resources Introduction
• ASN Pools (Resources)
• VNI Pools (Resources)
• IP Address Pools (Resources)

The attribute that enables Juniper Apstra to scale and manage thousands of devices with a single server instance is that Apstra is a distributed state system. This means that Apstra uses a graph database to store the network topology and configuration data in a distributed and replicated manner across multiple server nodes. This allows Apstra to handle large-scale networks with high performance, reliability, and availability. Apstra also uses a stateful orchestration engine that ensures the network state is always consistent with the intent of the blueprint, which is the logical representation of thenetwork design and behavior. Apstra can automatically detect and resolve any discrepancies between the desired and actual network state, as well as handle any changes or failures in the network. The other options are incorrect because:

• A. Apstra is installed as a cloud resource is wrong because Apstra can be installed either as a cloud resource or as an on-premises resource. Apstra is available as a virtual machine image that can be deployed on various hypervisors, such as VMware ESXi, QEMU/KVM, Microsoft Hyper-V, or Oracle VirtualBox. Apstra can also be deployed on public cloud platforms, such as Amazon Web Services (AWS) or Microsoft Azure. However, the installation method does not affect the scalability of Apstra, which is determined by the distributed state system architecture.
• B. Apstra is based on NGINX is wrong because Apstra is not based on NGINX, but on Python and Django. NGINX is a web server and reverse proxy that Apstra uses to serve the web user interface and the REST API. However, NGINX is not the core component of Apstra, and it does not affect the scalability of Apstra, which is determined by the distributed state system architecture.
• C. Apstra is available as an OVA is wrong because Apstra is available as an OVF, not an OVA. An OVF (Open Virtualization Format) is a standard format for packaging and distributing virtual machine images. An OVA (Open Virtual Appliance) is a single file that contains the OVF and the virtual disk images. Apstra provides an OVF file that can be imported into various hypervisors, such as VMware ESXi, QEMU/KVM, Microsoft Hyper-V, or Oracle VirtualBox. However, the availability of Apstra as an OVF does not affect the scalability of Apstra, which is determined by the distributed state system architecture. References:
• JUNIPER APSTRA ARCHITECTURE
• Apstra Server Requirements/References
• Juniper Networks Apstra 4.0 enhances the experience of users and operators

According to the Juniper documentation1, a predefined device profile is a configuration template that is shipped with Apstra software and supports most qualified Juniper devices. A predefined device profile cannot be changed, since any changes would be discarded and overwritten when you upgrade the Apstra server version. If you want to customize a predefined device profile, you can clone and edit it instead. Therefore, the correct answer is A. The changes you make to a predefined device profile will be discarded and overwritten when upgrading the Apstra server version. References: Edit Device Profile | Apstra 4.2 | Juniper Networks