Juniper JN0-481 Exam Dumps

A three-stage Clos (leaf--spine) data center fabric separates roles to keep forwarding predictable and scalable. The leaf layer is the attachment point for endpoints, so servers connect to leaf devices. This is where the fabric accepts workload traffic, applies edge policies, and provides tenant/service constructs (for EVPN-VXLAN fabrics, the leafs typically act as VTEPs and host IRB gateways as required). The spine layer provides the non-blocking transit core between leafs using L3 underlay routing and ECMP, but it is not the place where servers attach directly.

For north-south connectivity, a typical three-stage Apstra data center architecture includes border leaf switches. These border devices provide the controlled connection point between the fabric and external networks (Internet/WAN/DCI or upstream services). As a result, fabric traffic enters and exits the border devices, not the spines. This design keeps the spines dedicated to high-speed east-west transit and simplifies operations: external routing policies, security controls, and inter-domain handoffs are concentrated at the border, while the spines remain a uniform L3 transit tier. In Junos v24.4 EVPN-VXLAN deployments, this separation also helps maintain clean overlay boundaries and consistent underlay behavior across the fabric.

Verified Juniper sources (URLs):

https://www.juniper.net/documentation/us/en/software/juniper-data-center-assurance/user-guide/topics/concept/dc-network-topology-on-dc-assurance.html

https://www.juniper.net/documentation/us/en/software/jvd/jvd-3-stage-datacenterdesign-with-juniper-apstra/solution_architecture.html

https://www.juniper.net/content/dam/www/assets/white-papers/us/en/design-considerations-for-spine-and-leaf-ip-fabrics.pdf

Apstra 5.1 Security Policies are intended to enforce permit/deny controls for traffic between defined endpoints such as routing zones, virtual networks, and IP endpoints. Apstra expresses this security intent in an implementation-independent way, then renders and deploys the equivalent enforcement configuration onto the appropriate devices and interfaces. In Apstra terminology, the outcome is an ACL applied at enforcement points, such as virtual network interfaces (SVIs/IRBs) for east-west controls and border leaf interfaces for external-to-internal controls.

Therefore, the two correct policy types in this context are access control lists (ACLs) and firewall filters. ''ACL'' is the abstract policy object Apstra compiles and applies, while on Junos v24.4 the concrete enforcement mechanism for stateless packet filtering on interfaces is typically implemented as a firewall filter. Apstra automatically places these rendered ACLs/filters where needed: when you add VXLAN endpoints (such as expanding a rack/leaf in a VN), the ACL is placed on the corresponding VN interface; when you add external connectivity points, relevant ACLs are placed on the border leaf enforcement points. This automation ensures that security intent remains consistent as the fabric scales or changes, reducing the risk of manual rule drift. In contrast, filter-based forwarding / policy-based routing changes forwarding decisions rather than expressing permit/deny security intent, and is not the primary mechanism used by Apstra Security Policies for reachability control.

According to the Juniper documentation1, an interface map is a configuration template that maps interfaces between logical devices and physical hardware devices (represented with device profiles) while adhering to vendor specifications. An interface map can be either predefined or custom. A predefined interface map is one that ships with Apstra software and supports most qualified Juniper devices. A custom interface map is one that is created by the user to meet specific requirements. An interface map can be stored in either the global catalog or the blueprint catalog. The global catalog contains all the interface maps that are available for use in any blueprint. The blueprint catalog contains the interface maps that are imported from the global catalog and used in a specific blueprint.

When a member of your organization makes changes to a predefined interface map, the following statements are correct:

Changes to interface maps in the global catalog do not affect interface maps that have already been imported into blueprint catalogs. This means that the existing blueprints that use the original version of the interface map will not be impacted by the changes. However, if you want to use the updated version of the interface map in a new or existing blueprint, you need to import it again from the global catalog.

Any changes made to predefined interface maps are discarded when Apstra is upgraded. This means that the changes will not be preserved across different versions of Apstra software. If you want to retain a customized interface map through Apstra upgrades, you need to clone the predefined interface map, give it a unique name, and customize it instead of changing the predefined one directly.

Therefore, the correct answer is A and B. Changes to interface maps in the global catalog do not affect interface maps that have already been imported into blueprint catalogs and any changes made to predefined interface maps are discarded when Apstra is upgraded.Reference:Edit Interface Map | Apstra 4.2 | Juniper Networks

In Apstra 5.1, off-box agents and analytics services are delivered as containerized workloads that consume CPU and memory within the Apstra cluster. When these workloads are concentrated on the controller node, the controller can become resource-constrained, impacting overall responsiveness and scaling limits. The supported architectural solution is to add a worker node (worker VM) and allow Apstra to place offbox (and, if applicable, iba) containers on that worker. This increases cluster capacity and shifts runtime load away from the controller, which should remain focused on core control-plane and management functions.

Juniper's sizing guidance also treats worker nodes as the scalable unit for off-box agent growth: each VM node (controller or worker) supports a bounded number of off-box agents, and when one VM is insufficient, the prescribed approach is to increase capacity by adding worker nodes to the Apstra VM cluster. This method scales horizontally and avoids overloading the controller with operational containers.

While increasing CPU/memory on the controller might help temporarily, the documented design pattern for sustained growth is to distribute the off-box workloads across worker nodes. Switching to on-box agents is a different operational model and not the direct remediation for controller resource pressure in an off-box deployment.

Verified Juniper sources (URLs):

https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-install-upgrade/topics/ref/apstra-server-resources.html

https://www.juniper.net/documentation/us/en/software/apstra5.0/apstra-user-guide/topics/topic-map/apstra-cluster-nodes.html

https://www.juniper.net/documentation/us/en/software/apstra4.2/apstra-user-guide/topics/topic-map/apstra-cluster-nodes.html

In Apstra 5.1, this screen represents a configuration deviation workflow: Apstra is comparing the intended (golden) configuration it generated from blueprint intent against the actual configuration currently on the device. When an operator makes a change directly on the switch CLI (for example, on a Junos v24.4 leaf), Apstra detects the difference and flags it as drift because it did not originate from the blueprint's intent model.

Clicking Accept Changes tells Apstra to adopt the device's current CLI state as the new accepted baseline for that device, effectively incorporating the observed CLI delta into Apstra's intended configuration for purposes of future comparison and compliance. In other words, Apstra stops treating that specific deviation as an error because it has been acknowledged and absorbed into the ''golden config'' (the intent-aligned configuration Apstra considers correct for that node). This is commonly used when an emergency change was made on-box and you want Apstra's source of truth to reflect it, rather than reverting it.

This differs from Apply Full Config, which is used to push Apstra's intended configuration down to the device to restore compliance. If you do not accept the change, a later commit/apply action can overwrite the CLI-entered configuration to re-align with blueprint intent.