JN0-351 Exam Dumps : Enterprise Routing and Switching Specialist (JNCIS-ENT)

Junos devices support various types of tunnels for different purposes 1 2 .

Option B is correct.  Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network 1 .  Junos devices support GRE tunnels 1 .

Option D is correct.  IPsec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session 1 .  Junos devices support IPsec tunnels 1 .

Option A is incorrect. Spanning Tree Protocol (STP) is not a type of tunnel.  It’s a network protocol designed to prevent loops in a bridged Ethernet local area network 2 .

Option C is incorrect.  While Junos devices do support IP-IP (also known as IP tunneling), it’s not supported on all Junos devices 1 .

The DHCP snooping feature in Juniper Networks’ EX Series switches works by building a binding database that maps the IP address, MAC address, lease time, binding type, VLAN number, and interface information 1 .  This database is used to filter and validate DHCP messages from untrusted sources 1 .

However, there are certain conditions that could prevent entries from being automatically created in the snooping database for an interface:

MAC limiting: If MAC limiting is enabled on the interface, it could potentially interfere with the operation of DHCP snooping.  MAC limiting restricts the number of MAC addresses that can be learned on a physical interface to prevent MAC flooding attacks 1 . This could inadvertently limit the number of DHCP clients that can be learned on an interface, thus preventing new entries from being added to the DHCP snooping database.

Static IP address : If the device connected to the interface is configured with a static IP address, it will not go through the DHCP process and therefore will not have an entry in the DHCP snooping database 1 .  The DHCP snooping feature relies on monitoring DHCP messages to build its database 1 , so devices with static IP addresses that do not send DHCP messages will not have their information added.

Therefore, options B and C are correct.  Options A and D are not correct because performing a DHCPRELEASE would simply remove an existing entry from the database 1 , and Dynamic ARP inspection (DAI) uses the information stored in the DHCP snooping binding database but does not prevent entries from being created 1 .

A  is correct because dynamic ARP inspection (DAI) is a Layer 2 security feature that prevents ARP spoofing attacks. ARP spoofing is a technique that allows an attacker to send fake ARP messages to associate a spoofed MAC address with a legitimate IP address. This can result in traffic redirection, man-in-the-middle attacks, or denial-of-service attacks.  DAI validates ARP packets by checking the source MAC address and IP address against a trusted database, which is usually built by DHCP snooping 1 .  DAI discards any ARP packets that do not match the database or have invalid formats 1 .

C  is correct because DHCP snooping is a Layer 2 security feature that prevents DHCP spoofing attacks. DHCP spoofing is a technique that allows an attacker to act as a rogue DHCP server and offer fake IP addresses and other network parameters to unsuspecting clients. This can result in traffic redirection, man-in-the-middle attacks, or denial-of-service attacks. DHCP snooping filters DHCP messages by classifying switch ports as trusted or untrusted.  Trusted ports are allowed to send and receive any DHCP messages, while untrusted ports are allowed to send only DHCP requests and receive only valid DHCP replies from trusted ports 2 .  DHCP snooping also builds a database of MAC addresses, IP addresses, lease times, and binding types for each client 2 .