- 69 Actual Exam Questions
- Compatible with all Devices
- Printable Format
- No Download Limits
- 90 Days Free Updates
Get All Enterprise Routing and Switching, Professional Exam Questions with Validated Answers
| Vendor: | Juniper |
|---|---|
| Exam Code: | JN0-650 |
| Exam Name: | Enterprise Routing and Switching, Professional |
| Exam Questions: | 69 |
| Last Updated: | July 8, 2026 |
| Related Certifications: | Juniper Enterprise Routing and Switching |
| Exam Tags: |
Looking for a hassle-free way to pass the Juniper Enterprise Routing and Switching, Professional exam? DumpsProvider provides the most reliable Dumps Questions and Answers, designed by Juniper certified experts to help you succeed in record time. Available in both PDF and Online Practice Test formats, our study materials cover every major exam topic, making it possible for you to pass potentially within just one day!
DumpsProvider is a leading provider of high-quality exam dumps, trusted by professionals worldwide. Our Juniper JN0-650 exam questions give you the knowledge and confidence needed to succeed on the first attempt.
Train with our Juniper JN0-650 exam practice tests, which simulate the actual exam environment. This real-test experience helps you get familiar with the format and timing of the exam, ensuring you're 100% prepared for exam day.
Your success is our commitment! That's why DumpsProvider offers a 100% money-back guarantee. If you don’t pass the Juniper JN0-650 exam, we’ll refund your payment within 24 hours no questions asked.
Don’t waste time with unreliable exam prep resources. Get started with DumpsProvider’s Juniper JN0-650 exam dumps today and achieve your certification effortlessly!
Which two statements are correct about EVPN Pure Type-5 routes? (Choose two.)
EVPN Route Type 5 (IP Prefix Route) is used to advertise IP prefixes (subnets) between broadcast domains or between VRFs in an EVPN fabric.
IP-VRF-to-IP-VRF (Statement C): In an EVPN-VXLAN architecture, Type 5 routes are primarily used for Layer 3 connectivity. They allow different IP-VRFs on different VTEPs to exchange prefix information directly. This model is widely referred to as IP-VRF-to-IP-VRF routing because it enables inter-subnet routing at the leaf layer without requiring Layer 2 MAC learning for those specific prefixes.
Overlay Next Hop (Statement B): For a PE router to reach a prefix advertised via a Type 5 route, it must resolve the overlay next hop. This next hop is typically the loopback IP address of the originating VTEP, which the receiving router uses to build the VXLAN tunnel.
Why others are incorrect: Statement A is incorrect because Type 7 routes are used for IGMP/MLD join synchronization. Statement D is incorrect because Type 5 routes advertise IP prefixes, not MAC addresses; MAC extended communities are associated with Type 2 routes.
Exhibit.

Referring to the exhibit, which two statements are correct? (Choose two.)
The exhibit shows an OSPF network where Area 1 is configured as a Not-So-Stubby Area (NSSA). R5 is an Autonomous System Boundary Router (ASBR) injecting an External Route (203.0.113.0/24) into this area.
NSSA ASBR Behavior (Option D): Within an OSPF NSSA, external routes cannot be advertised as standard Type 5 LSAs because stubby areas do not support them. Instead, the ASBR (R5) advertises the external prefix using a Type 7 LSA (NSSA External LSA). This LSA is flooded throughout Area 1.
ABR Translation Behavior (Option C): When the Type 7 LSA reaches the Area Border Router (R1), the ABR is responsible for translating it into a Type 5 LSA (AS External LSA). This allows the external route to be propagated into the backbone (Area 0) and subsequently to the rest of the OSPF domain.
Incorrect Statements (A & B): Option A is incorrect because Type 7 LSAs are local to the NSSA and are never advertised into Area 0. Option B is incorrect because Type 5 LSAs are strictly prohibited within an NSSA.
The network you support currently has a mixture of MC-LAG and Virtual Chassis being used to provide redundant connectivity from various IDFs. A project to modernize the architecture and move to EVPN-VXLAN using ESI-LAG will be starting soon. You want to avoid IDFs losing connectivity as the core devices are migrated to EVPN-VXLAN. Which action will accomplish this task?
In an EVPN-VXLAN environment using ESI-LAG (Ethernet Segment Identifier Link Aggregation), the Core Isolation feature is a safety mechanism designed to prevent traffic blackholing. When a leaf switch (acting as a VTEP) loses its BGP peering or its link to the IP fabric core, it assumes it is 'isolated' from the rest of the network. To protect the network, the switch automatically shuts down its local member links of any multi-homed ESI-LAG to force traffic to the peer switch that still has core connectivity.
However, during a migration or in specific transitional topologies where the core might be temporarily unreachable or not yet fully established, this feature can cause the leaf switches to shut down all downstream IDF (Intermediate Distribution Frame) connections, leading to a total loss of connectivity.
The Solution (Option C): By enabling the no-core-isolation statement under the [edit protocols evpn] hierarchy, you instruct the switch to disable this automatic shutdown behavior. This ensures that even if the BGP session or core links are not yet stable during the migration process, the ESI-LAG interfaces remain Up, allowing the IDFs to maintain connectivity to their local default gateways or other local resources.
Why others are incorrect: Enabling EVPN-VXLAN before migration (Option A) does not address the isolation logic. Removing MC-LAG/Virtual Chassis links prematurely (Option B) would cause an immediate outage. The network-isolation-profile (Option D) is typically used for different loop prevention scenarios and does not override the specific core-isolation check that affects multi-homed ESIs.
Your organization uses 802 1X with a RADIUS server. If the RADIUS server stops responding, you want the fallback action to continue to permit access for devices that currently have authorization but deny any new access attempts.
Which fallback action provides this capability?
Junos OS 24.4 provides several server-failover options for 802.1X authentication to maintain network availability when the RADIUS server is unreachable.
Fallback Behavior (Option D): The use-cache fallback action allows the switch to consult its local cache of previously authenticated MAC addresses.
If a device was already authorized and its information is in the cache, the switch will continue to permit access based on those cached credentials.
However, if a new device (not in the cache) attempts to connect while the server is down, the switch cannot verify its credentials and will deny the access attempt. This matches the specific requirement to permit authorized devices while denying new ones.
Other Fallback Options:
permit (Option C): This would allow all devices (even new ones) to access the network, typically in a restricted 'guest' or 'bypass' VLAN.
deny (Option A): This would drop all traffic from all devices on the port if the server is unreachable.
vlan-name (Option B): This moves authenticated or unauthenticated users into a specific fallback VLAN.
Your Layer 2 network uses 802.1X to authenticate user devices connecting to the network. You are asked to include a new Layer 2 interface connection from the conference room in your network. You must ensure that only a single device is allowed to authenticate on this port at one time to avoid users from being able to plug in a rogue switch to this port.
In this scenario, which 802.1X method would you use for the new interface?
This question focuses on port security and preventing 'rogue switches' or multiple devices from accessing a single physical port simultaneously.
Single-Secure Supplicant Mode (Option A): This is the most restrictive 802.1X mode in Junos OS. It allows exactly one MAC address to be authenticated on the port at a time. If a device successfully authenticates, the switch will drop any traffic coming from any other MAC address on that same physical interface. If a user tries to plug in a switch, only the first device that authenticates will have access; all other devices behind that switch will be blocked.
Single Supplicant Mode (Option C): This mode allows the first authenticated user to 'open' the port for all other users. This would actually allow a rogue switch to function once the first device is authorized.
Multiple Supplicant Mode (Option B): This allows multiple devices to connect, provided each one authenticates individually. While secure, it does not prevent a user from connecting multiple devices to the port, which violates the requirement to allow only one.
MAC-RADIUS (Option D): This is an authentication method, not a port-access mode that limits the number of supplicants.
Security & Privacy
Satisfied Customers
Committed Service
Money Back Guranteed