It is faster and easier to pass the Juniper JN0-633 exam by using realistic Juniper Security, Professional (JNCIP-SEC) questions and answers. Get immediate access to the Renovate JN0-633 Exam and find the same core area JN0-633 questions with professionally verified answers, then pass your exam with a high score.
Q71. You are asked to merge the corporate network with the network from a recently acquired company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX device serves as the gateway for each network. Which solution allows you to merge the two networks without adjusting the current address assignments?
A. source NAT
B. persistent NAT
C. double NAT
D. NAT444
Answer: C
Explanation: Reference: http://class10e.com/juniper/what-should-you-do-to-meet-the-requirements/
Q72. Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:17.322751 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.328895 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.332956 In arp who-has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
A. The server is in the wrong VLAN.
B. The server has been misconfigured with the wrong IP address.
C. The firewall has been misconfigured with the incorrect routing-instance.
D. The firewall has a filter enabled to block traffic from the server.
Answer: C
Q73. You have implemented a tunnel in your network using DS-Lite. The tunnel is formed between one of the SRX devices in your network and a DS-Lite-compatible CPE device in your customer's network. Which two statements are true about this scenario? (Choose two.)
A. The SRX device will serve as the softwire initiator and the customer CPE device will serve as the softwire concentrator.
B. The SRX device will serve as the softwire concentrator and the customer CPE device will serve as the softwire initiator.
C. The infrastructure network supporting the tunnel will be based on IPv4.
D. The infrastructure network supporting the tunnel will be based on IPv6.
Answer: B,D
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ipv6-ds-lite-overview.html
Q74. Click the Exhibit button.
user@key-server> show security group-vpn server ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
97      UP     bb224408940cc5d   435b9404284083c2  Main  192.168.11.1
98      UP     242c840089404d15  ab19284089408ba8  Main  192.168.11.2
user@key-server> show security group-vpn server ipsec security-associations
Group: group-1, Group Id: 1
  Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-1-sa   ESP:3des/sha1  1343991c  2736
Group: group-2, Group id: 2
  Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-2-sa   ESP:3des/sha1  13be9e9   2741
Group: group-3, Group Id: 3
  Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-3-sa   ESP:3des/sha1  20709057  2741
Group: group-4, Group Id: 4
  Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-4-sa   ESP:3des/sha1  5111c2e1  2741
Which statement is correct regarding the outputs shown in the exhibit?
A. Two established peers are in the group VPNs.
B. One established peer is in the group VPNs.
C. No established peer is in the group VPNs.
D. Four established peers are in the group VPNs.
Answer: A
Q75. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?
A. all traffic including non-IP traffic
B. any IP traffic
C. only TCP and UDP traffic
D. only BPDU traffic
Answer: D
Q76. What is the default action for an SRX device in transparent mode to determine the outgoing interface for an unknown destination MAC address?
A. Perform packet flooding.
B. Send an ARP query.
C. Send an ICMP packet with a TTL of 1.
D. Perform a traceroute request.
Answer: A
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/understand-l2-forwarding-tables-section.html
Q77. You have a group IPsec VPN established with a single key server and five client devices. Regarding this scenario, which statement is correct?
A. There is one unique Phase 1 security association and five unique Phase 2 security associations used for this group.
B. There is one unique Phase 1 security association and one unique Phase 2 security association used for this group.
C. There are five unique Phase 1 security associations and five unique Phase 2 security associations used for this group.
D. There are five unique Phase 1 security associations and one unique Phase 2 security association used for this group.
Answer: D
Explanation: Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
Q78. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which feature allows the hosts in the Trust and DMZ zones to route to either ISP, based on source address?
A. source NAT
B. static NAT
C. filter-based forwarding
D. source-based routing
Answer: C
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.2/topics/example/logical-systems-filter-based-forwarding.html
Q79. You are responding to a proposal request from an enterprise with multiple branch offices. All branch offices connect to a single SRX device at a centralized location. The request requires each office to be segregated on the central SRX device with separate IP networks and security considerations. No single office should be able to starve the CPU from other branch offices on the central SRX device due to the number of flow sessions. However, connectivity between offices must be maintained. Which three features are required to accomplish this goal? (Choose three.)
A. Logical Systems
B. Interconnect Logical System
C. Virtual Tunnel Interface
D. Logical Tunnel Interface
E. Virtual Routing Instance
Answer: A,B,D
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/logical-systems-interfaces.html
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/logical-systems-config/index.html?topic-57390.html
Q80. Click the Exhibit button.
-- Exhibit --
CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/5.0
CID-0:RT: ge-0/0/5.0:10.0.0.2/55892->192.168.1.2/80, tcp, flag 2 syn
CID-0:RT: find flow: table 0x5a386c90, hash 50728(0xffff), sa 10.0.0.2, da 192.168.1.2, sp 55892, dp 80, proto 6, tok 7
CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
CID-0:RT: flow_first_create_session
CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/5.0>, out <N/A> dst_adr 192.168.1.2, sp 55892, dp 80
CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if.
CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.2(80)
CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.0.0.2, x_dst_ip 192.168.1.2, in ifp ge-0/0/5.0, out ifp N/A sp 55892, dp 80, ip_proto 6, tos 10
CID-0:RT:Doing DESTINATION addr route-lookup
CID-0:RT: routed (x_dst_ip 192.168.1.2) from LAN (ge-0/0/5.0 in 0) to ge-0/0/1.0, Next-hop: 172.16.32.1
CID-0:RT:flow_first_policy_search: policy search from zone LAN-> zone WAN (0x0,0xda540050,0x50)
CID-0:RT:Policy lkup: vsys 0 zone(7:LAN) -> zone(6:WAN) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT: app 6, timeout 1800s, curr ageout 20s
CID-0:RT: packet dropped, denied by policy
CID-0:RT: denied by policy default-policy-00(2), dropping pkt
CID-0:RT: packet dropped, policy deny.
CID-0:RT: flow find session returns error.
CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
CID-0:RT:jsf sess close notify
CID-0:RT:flow_ipv4_del_flow: sess , in hash 32
-- Exhibit --
A host is not able to communicate with a Web server.
Based on the logs shown in the exhibit, what is the problem?
A. A policy is denying the traffic between these two hosts.
B. A session has not been created for this flow.
C. A NAT policy is translating the address to a private address.
D. The session table is running out of resources.
Answer: A