You want to make a widget appear on the main dashboard in Juniper Apstra. In this scenario, which statement is correct?
When creating the widget, select the Add to Blueprint Dashboard option.
On the blueprint dashboard, click on the Add Widget option.
Widgets automatically appear on the blueprint dashboard.
Set the Default toggle switch to On for the desired widget.
In Juniper Apstra, a widget is a graphical element that displays data from an intent-based analytics (IBA) probe. A widget can be used to monitor different aspects of the network and raise alerts to any anomalies. A widget can be viewed by itself or added to an analytics dashboard. A dashboard is a collection of widgets that can be customized and organized according to the user’s preference1.
The main dashboard in Juniper Apstra is the blueprint dashboard, which is the default view that shows the network information and configuration for the active blueprint. A blueprint is a logical representation of the network design and intent. The blueprint dashboard can display the system-generated dashboards, the user-generated dashboards, and the individual widgets that are relevant to the network2.
To make a widget appear on the main dashboard in Juniper Apstra, the user needs to set the Default toggle switch to On for the desired widget. This will add the widget to the blueprint dashboard, where it can be viewed along with other network information. The user can also remove the widget from the blueprint dashboard by setting the Default toggle switch to Off for the widget3. Therefore, the statement D is correct in this scenario.
The following three statements are incorrect in this scenario:
When creating the widget, select the Add to Blueprint Dashboard option. This is not true, because there is no such option when creating a widget in Juniper Apstra. The user can only select the widget type, the probe, and the display mode when creating a widget4. To add the widget to the blueprint dashboard, the user needs to set the Default toggle switch to On for the widget after creating it3.
On the blueprint dashboard, click on the Add Widget option. This is not true, because there is no such option on the blueprint dashboard in Juniper Apstra. The user can only view, edit, or delete the existing widgets and dashboards on the blueprint dashboard2. To add a widget to the blueprint dashboard, the user needs to set the Default toggle switch to On for the widget from the widgets table view3.
Widgets automatically appear on the blueprint dashboard. This is not true, because widgets do not automatically appear on the blueprint dashboard in Juniper Apstra. The user needs to manually add the widgets to the blueprint dashboard by setting the Default toggle switch to On for the widgets that they want to see on the blueprint dashboard3. The only exception is the widgets that are part of the system-generated dashboards, which are automatically created and added to the blueprint dashboard based on the state of the active blueprint2.
What is the primary reason for creating an Apstra worker node?
To support more than one blueprint
To create a space for storing event logs
To run Zero Touch Provisioning (ZTP)
To offload off-box agents and Intent-Based Analytics (IBA)
In Apstra 5.1, the worker node’s primary purpose is to add scalable runtime capacity to an Apstra cluster by hosting off-box services that would otherwise consume resources on the controller. Specifically, worker nodes run containerized services such as off-box device agents (used to communicate with and manage devices) and Intent-Based Analytics (IBA) components (such as probes and analytics-related services). This design keeps the controller node focused on cluster management and control-plane functions (API handling, cluster-wide state, blueprint control workflows), while shifting resource-intensive operational services to worker nodes.
As your fabric grows—more switches, more telemetry, more devices requiring agent connectivity—CPU and memory demand increases notably, especially when IBA is enabled. Adding worker nodes allows you to scale those container workloads horizontally without redesigning the fabric or reducing analytics coverage. In a Juniper data center built on EVPN-VXLAN with Junos v24.4 leaf-spine roles, this separation helps ensure that Apstra can continuously validate intent, process streaming telemetry, and maintain device communications reliably at scale. Worker nodes therefore exist primarily to offload and scale operational agents and IBA services, improving performance and resilience for larger deployments.
What does VXLAN use to uniquely label and identify broadcast domains?
VLAN ID
Agent Circuit Identifier (ACI)
Virtual Network Identifier (VNI)
End System Identifier (ESI)
In a VXLAN overlay, each Layer 2 broadcast domain (the logical equivalent of a VLAN/bridge domain) is identified by a 24-bit VXLAN Network Identifier (VNI) carried in the VXLAN header. This VNI is what allows the overlay to scale far beyond traditional VLAN space (12-bit VLAN IDs), enabling up to ~16 million distinct segments. In an EVPN-VXLAN data center fabric, Junos v24.4 leaf switches operate as VTEPs and map local bridge domains (often associated with VLANs on server-facing ports) to a VNI. When traffic is sent across the routed underlay, the leaf encapsulates Ethernet frames into VXLAN packets and inserts the VNI so the receiving VTEP can place the frame into the correct broadcast domain on decapsulation.
Apstra 5.1 abstracts this mapping through virtual networks and resource allocation: when you define a VXLAN-based virtual network, Apstra allocates a VNI from the appropriate pool and consistently programs the necessary constructs on all participating leaves. The key point is that VNI is the unique identifier in the VXLAN data plane used to label the broadcast domain across the IP fabric; VLAN IDs may exist locally at the edge for tagging, but the globally significant overlay identifier is the VNI.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/junos/evpn/topics/topic-map/sdn-vxlan.html
Which type of generic system should you select when adding a new server inside an existing rack type?
Internal generic
Rack generic
External generic
Embedded generic
In Apstra 5.1, servers that connect to leaf switches are represented as generic systems so Apstra can model links, apply connectivity templates, attach virtual networks, and validate intent. The selection of generic system type depends on whether the endpoint is considered part of the rack’s internal topology or an external attachment. When you add a new server inside an existing rack type, that server is treated as a component of the rack topology (that is, it lives “within” the rack alongside leaf switches and any other rack-internal endpoints). Apstra documentation refers to such systems as internal generic systems.
Internal generic systems are not managed like switches (no full device management), but they are first-class topology objects: they occupy ports on leaf switches, can be tagged with roles, and can be associated with link definitions that drive correct interface intent (LAG vs single link, VLAN tagging, and virtual network association). This modeling is essential in EVPN-VXLAN fabrics because correct endpoint attachment on leaf ports determines VLAN/VNI mapping and the resulting Junos v24.4 configuration rendered by Apstra.
External generic systems, by contrast, represent devices outside the rack topology (often used for external routers, firewalls, or other non-rack-contained endpoints). Because the question explicitly places the server inside an existing rack type, the correct choice is Internal generic.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/topic-map/internal-generic-system-create.html
You are assigning managed devices to a blueprint, for a fully functioning IP fabric. In the Juniper Apstra UI, which mode should you choose for this task?
Deploy
Ready
Not Set
Drain
In Apstra, Deploy mode is the state in which a device is intended to fully participate in the fabric. For a three-stage eBGP IP Clos (typical EVPN-VXLAN underlay), “fully functioning” means the switch receives the complete, intent-derived configuration required for production operation—underlay interface addressing, BGP peering, routing policy constructs, and any overlay-related prerequisites appropriate for its role (leaf, spine, border leaf). In Apstra’s device configuration lifecycle, Deploy is the mode that causes Apstra to render and apply the full set of intended services for that node so it becomes an active member of the IP fabric and contributes to ECMP pathing and control-plane adjacency.
By contrast, Ready is commonly used when you want the device discovered and prepared (for example, basic identity and interface readiness), but not actively routing in the fabric. Drain is a maintenance state used to gracefully withdraw an already-deployed device from forwarding to minimize impact (for example, for upgrades or repairs). Not Set indicates the deploy mode has not been chosen and therefore does not represent an operationally complete participation state.
Therefore, when your objective is an operational IP fabric where the assigned devices are actively routing and forwarding according to blueprint intent on Junos v24.4, the correct choice is Deploy.
What are three port group roles that you are allowed to assign to a logical device? (Choose three.)
Leaf
Empty
Generic
Spine
Root
In Apstra, a logical device abstracts a physical switch’s front-panel layout into one or more panels containing port groups. Each port group has a defined speed and one or more roles that describe how those ports are expected to be used in the fabric. These roles are essential because they constrain where ports may be consumed during rack type and template construction (for example, spine-facing vs server-facing vs generic connectivity).
Apstra-supported port group roles include fabric roles such as Spine and Leaf, and endpoint-facing roles such as Generic (commonly used for ports that connect to servers or external generic systems). Assigning Leaf and Spine roles ensures Apstra can correctly validate and render intent for uplinks and interconnects in a three-stage Clos or larger topologies. Assigning Generic indicates ports that can be used for non-fabric connections (such as server links, external routers modeled as generic systems, or other non-managed endpoints).
The options Empty and Root are not valid Apstra port group roles in the logical device model; Apstra uses other explicit role names (for example, Access, Peer, Unused, Generic, Leaf, Spine, Superspine depending on design type and version). In Junos v24.4 EVPN-VXLAN fabrics, getting these roles correct is foundational because Apstra relies on them to place underlay and overlay configuration onto the right interfaces with predictable results.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra4.2/apstra-user-guide/topics/concept/logical-devices.html
https://www.juniper.net/documentation/us/en/software/jvd/jvd-collapsed-dc-fabric-juniper-apstra-access-switches/configuration_walkthrough.html
A member of your organization made changes to a predefined interface map using Juniper Apstra.
Which two statements are correct in this scenario? (Choose two.)
Changes to interface maps in the global catalog do not affect interface maps that have already been imported into blueprint catalogs
Any changes made to predefined interface maps are discarded when Apstra is upgraded.
Changes made to predefined interface maps will not have an impact on the Apstra software.
Changes to interface maps in the global catalog will raise anomalies that may need to be addressed at the next commit.
According to the Juniper documentation1, an interface map is a configuration template that maps interfaces between logical devices and physical hardware devices (represented with device profiles) while adhering to vendor specifications. An interface map can be either predefined or custom. A predefined interface map is one that ships with Apstra software and supports most qualified Juniper devices. A custom interface map is one that is created by the user to meet specific requirements. An interface map can be stored in either the global catalog or the blueprint catalog. The global catalog contains all the interface maps that are available for use in any blueprint. The blueprint catalog contains the interface maps that are imported from the global catalog and used in a specific blueprint.
When a member of your organization makes changes to a predefined interface map, the following statements are correct:
Changes to interface maps in the global catalog do not affect interface maps that have already been imported into blueprint catalogs. This means that the existing blueprints that use the original version of the interface map will not be impacted by the changes. However, if you want to use the updated version of the interface map in a new or existing blueprint, you need to import it again from the global catalog.
Any changes made to predefined interface maps are discarded when Apstra is upgraded. This means that the changes will not be preserved across different versions of Apstra software. If you want to retain a customized interface map through Apstra upgrades, you need to clone the predefined interface map, give it a unique name, and customize it instead of changing the predefined one directly.
Therefore, the correct answer is A and B. Changes to interface maps in the global catalog do not affect interface maps that have already been imported into blueprint catalogs and any changes made to predefined interface maps are discarded when Apstra is upgraded. References: Edit Interface Map | Apstra 4.2 | Juniper Networks
Which statement is correct about an event log?
It stores alerts for anomalies in the event log.
It can be exported to a PDF file.
You can view the configuration of a device.
It runs on the worker node.
In Juniper Apstra 5.1, the Event Log is a centralized record used for auditing and operational visibility. It includes audit events (user/system actions) and anomaly-related alerts (events generated when Apstra detects abnormal conditions). In Apstra documentation, anomaly entries are explicitly treated as “Alert” records with high severity, meaning the Event Log is a valid place to review anomaly notifications and their associated details. Therefore, the statement that the Event Log stores alerts for anomalies is correct.
The other options do not match the Event Log function. Viewing a device’s configuration is handled in device configuration and blueprint operational views, not as the primary purpose of the Event Log. Export behavior, where supported, is described for formats such as CSV rather than PDF, and exporting dashboards is a separate capability from event logging. Finally, while worker nodes are used to offload operational services (such as off-box agents and IBA components), the Event Log is a platform logging feature exposed through the controller UI/API rather than something described as “running on the worker node” as its defining trait.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/topic-map/event-log.html
https://www.juniper.net/documentation/us/en/software/apstra5.0/apstra-user-guide/topics/topic-map/event-log.html
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/topic-map/syslog-config.html
What is the purpose of a Juniper Apstra rack?
It stores information on how pods connect to super spines.
It stores information on how leaf nodes connect to generic devices
It stores IP address and ASN pool information.
It stores device port data rates and vendor information.
A Juniper Apstra rack is a physical entity that contains one or more network devices, such as leaf nodes, access switches, or generic systems. A rack is used to organize and manage the network devices in the Apstra software application. A rack has the following characteristics:
It stores information on how leaf nodes connect to generic devices. This is because a rack can include generic systems, which are devices that are not managed by Juniper Apstra, but are connected to the network. A generic system can be a server, a firewall, a load balancer, or any other device that has a network interface. A rack stores the information on how the leaf nodes, which are the devices that provide access to the end hosts, connect to the generic devices, such as the port number, the link speed, the LAG mode, and the roles1.
It has a rack type, which defines the type and number of leaf devices, access switches, and/or generic systems that are used in the rack. A rack type is a resource that is created in the data center design phase, and it does not specify the vendor or the model of the devices. A rack type can be predefined or custom-made, and it can be used to create multiple racks with the same structure and configuration2.
It has a rack build, which assigns the specific vendor and model of the devices to the rack. A rack build is created in the staged phase, and it uses the rack type as a template. A rack build can also assign the resources, such as the IP addresses, the ASNs, and the VNIs, to the devices in the rack3.
It has a rack deployment, which applies the network configuration and services to the devices in the rack. A rack deployment is performed in the active phase, and it uses the rack build as a reference. A rack deployment can also monitor the network performance and compliance of the devices in the rack4.
The following three statements are incorrect in this scenario:
It stores information on how pods connect to super spines. This is not true, because a rack does not store any information on the pod or the super spine level of the network. A pod is a cluster of leaf and spine devices that form a 3-stage Clos topology, and a super spine is a device that connects multiple pods in a 5-stage Clos topology. A rack only stores information on the leaf and the access level of the network1.
It stores IP address and ASN pool information. This is not true, because a rack does not store any information on the IP address and ASN pools. IP address and ASN pools are resources that are created in the data center design phase, and they contain a range of IP addresses and ASNs that can be assigned to the devices and the virtual networks. A rack only uses the IP address and ASN pools to assign the resources to the devices in the rack build2.
It stores device port data rates and vendor information. This is not true, because a rack does not store any information on the device port data rates and vendor information. The device port data rates and vendor information are specified in the rack build, which assigns the specific vendor and model of the devices to the rack. A rack only uses the rack build to apply the network configuration and services to the devices in the rack deployment3.
You have accessed your deployed blueprint and see the banner shown in the exhibit.
Which two statements are correct in this scenario? (Choose two.)
Devices must be assigned to profiles.
There are changes that are not active on the fabric.
Resources must be assigned to devices.
There are anomalies that must be addressed.
In Apstra 5.1, the top-level blueprint banner uses tab indicators (colored badges) to summarize blueprint status across areas such as Staged, Uncommitted, Active, and Analytics. The presence of an Uncommitted indicator signifies that there are staged modifications that have not yet been committed and therefore are not part of the active, deployed intent. That directly corresponds to the statement that changes exist which are not active on the fabric.
At the same time, the banner shows an Active indicator in an alarm state, which reflects that the running fabric has issues requiring attention—commonly surfaced as anomalies (for example, configuration deviation, interface/link faults, protocol/session issues, or service-impacting conditions). In Apstra’s operational model, these issues appear as anomalies that operators should investigate and remediate to restore compliance and health. Therefore, the statement that there are anomalies that must be addressed is also correct.
The remaining options are not implied by this banner alone. Device profile assignment and resource assignment are build-time tasks, but their absence is not what the Uncommitted/Active alert indicators are specifically communicating here. The banner is highlighting uncommitted intent changes and active anomalies that affect the deployed blueprint state and assurance posture.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/concept/uncommitted.html
https://www.juniper.net/documentation/us/en/software/apstra5.0/apstra-user-guide/topics/topic-map/anomalies-service-active.html
https://cloudlabs.apstra.com/labguide/Cloudlabs/6.0.0/test-drive-guide/lab1-junos-5_blueprints_.html
What are two available Juniper Apstra template types? (Choose two.)
Collapsed
Rack-based
Compressed
Device-based
In Juniper Apstra 5.1, a template is a design abstraction used to create a blueprint. It captures the intended topology shape and design rules without tying the design to a specific vendor’s CLI. Apstra supports multiple template types to match common data center fabric architectures.
A rack-based template is used for the standard three-stage Clos (leaf–spine) approach. In this model, you define the spine logical devices and one or more rack types (containing leaf devices and optional endpoint constructs). This is the dominant pattern for EVPN-VXLAN IP fabrics: leaf switches provide server attachment, VXLAN encapsulation (VTEP function), and optional IRB gateways, while spines provide high-capacity L3 transit with ECMP.
A collapsed template is used for a spine-less (spineless) topology. Instead of a separate spine tier, a collapsed design models a fabric where leaf nodes interconnect in a mesh-like arrangement (as supported by the template type) to provide underlay reachability and redundancy. This can be useful for smaller environments or edge data centers where a full spine tier is unnecessary.
“Compressed” and “device-based” are not Apstra template types. Junos v24.4 is relevant when the blueprint is instantiated and deployed, but the template type selection is an Apstra design-time decision that determines the fabric topology class.
What are two system-defined user roles that are available in Juniper Apstra? (Choose two.)
authorized
root
viewer
user
Juniper Apstra provides four system-defined user roles that are available in the Apstra GUI environment. They are: administrator, device_ztp, viewer, and user1. Based on the web search results, we can infer the following statements:
viewer: This role includes permissions to only view various elements in the Apstra system, such as blueprints, devices, design, resources, external systems, platform, and others. Users with this role cannot create, edit, or delete any element12.
user: This role includes permissions to view and edit various elements in the Apstra system, such as blueprints, devices, design, resources, external systems, platform, and others. Users with this role cannot create or delete any element12.
authorized: This is not a system-defined user role in Juniper Apstra. It is a term used to describe users who have been authenticated by an external system, such as LDAP, Active Directory, TACACS+, or RADIUS3.
root: This is not a system-defined user role in Juniper Apstra. It is a term used to describe the superuser account on a Linux system, which has full access to all commands and files. Creating a user in the Apstra GUI does not provide that user access to the Apstra platform via SSH. To access the Apstra platform via SSH, you must create a local Linux system user4. References:
User / Role Management Introduction
User/Role Management (Platform)
AAA Providers
User Profile Management
What is correct about the selected device shown in the exhibit?
It is a peer switch.
It is an external generic system.
It is an internal generic system.
It is an access switch.
The exhibit shows node100 (Generic System) selected, with links from that generic system to two fabric leaf switches (for example, a leaf participating in an ESI pair and another leaf node). In Apstra 5.1, a Generic System represents an endpoint that is not managed as a network device by Apstra (such as a server, appliance, or host), but it is still modeled so Apstra can apply interface intent (LAG vs single link), connectivity templates, and virtual network attachments.
Because the device is shown as a generic system connected on leaf-facing ports inside the fabric topology, this aligns with an internal generic system. Internal generic systems are used for servers or endpoints that reside “inside” the rack/fabric context and consume leaf switch ports as access-facing connections. This is the common representation for endpoints in EVPN-VXLAN data center designs, where the leaf switches provide the VLAN/VNI mapping and, if required, IRB gateway services within the tenant VRF (routing zone).
An external generic system is typically used for devices outside the fabric boundary—most commonly external routers, firewalls, or upstream networks attached at border leafs—where the intent is external connectivity rather than server access. The selected node is neither a peer switch nor an access switch (those are network infrastructure roles), and the UI explicitly labels it as a Generic System, confirming the correct classification as an internal generic system.
You are creating a new security policy using Juniper Apstra.
Referring to the exhibit, which application point should you select to allow or deny traffic to or from a particular VRF?
Routing Zone
External Endpoint
Internal Endpoint
Virtual Network
In Apstra 5.1, multitenancy is modeled using routing zones, which map directly to the network operating system concept of a VRF. A VRF is an isolated Layer 3 routing instance with its own routing table and forwarding context, and Apstra’s routing zone is the intent-based abstraction used to define and manage that isolation consistently across the fabric. Therefore, if your goal is to allow or deny traffic to or from a particular VRF, you must select Routing Zone as the security policy application point.
This choice enables you to express policy at the tenant boundary (VRF boundary) rather than at a single segment boundary. In EVPN-VXLAN data center fabrics, a tenant VRF commonly contains multiple virtual networks (VXLAN segments) and their associated IRB gateways on the leaf switches. Applying policy at the routing-zone level allows Apstra to compile intent and deploy enforcement consistently where traffic enters or exits that VRF context—typically as ACL constructs rendered as Junos firewall filters on the appropriate interfaces (for example, IRB interfaces for east-west controls or border interfaces for north-south controls).
By contrast, selecting Virtual Network targets a single segment (not the whole VRF), and Internal/External Endpoint targets specific endpoints or endpoint groups rather than the VRF-wide policy boundary. Hence, Routing Zone is the correct application point when policy scope is the VRF.
The same connectivity template is applied to the ge-0/0/6 interface on both borderleaf1 and borderleaf2 nodes. This connectivity template describes the intended configuration of the eBGP session between each of the borderleaf nodes and the external router. You want to ensure that the 172.23.x/24 routes are not installed in the borderleaf nodes’ Finance routing table.
Referring to the exhibit, what would you change in Juniper Apstra to accomplish this task?
Add an aggregate prefix to the routing policy.
Modify the import policy to only allow the default route.
Select the “Expect Default IPv4 Route” checkbox.
Modify the export policy to only allow the default route.
The exhibit shows the border leaf receiving multiple routes via BGP from the external router, including 172.23.x/24 prefixes, and those routes appearing in the Finance VRF routing table. To stop these routes from being installed in the Finance table, you must change what the border leaf imports from that eBGP session. In Apstra, this control is implemented through a Routing Policy attached to the protocol session described by the connectivity template. By setting the Import Policy to accept default route only, Apstra renders Junos policy so that only 0.0.0.0/0 is imported into the VRF, while the 172.23.x/24 prefixes are rejected and therefore never installed in Finance.inet.0.
Option C is a common trap: the “Expect Default IPv4 Route” setting is an assurance expectation—it generates an expectation/anomaly if the default route is missing, but it does not change device configuration or filtering behavior. Export-policy changes (option D) would only affect what the border leaf advertises outbound to the external router, not what it learns inbound. Aggregation (option A) does not prevent installation of the specific learned /24s; it changes advertisement behavior rather than import filtering. The correct fix is to tighten the import policy on that external eBGP session.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/concept/routing-policies.html
https://www.juniper.net/documentation/us/en/software/apstra6.0/apstra-user-guide/topics/concept/routing-policies.html
https://www.juniper.net/documentation/us/en/software/apstra4.2/apstra-user-guide/topics/concept/connectivity-templates.html
You have an EVPN-VXLAN data center IP fabric, with all single-homed hosts/servers. Which two EVPN route types are present in this scenario? (Choose two.)
Type 3
Type 7
Type 2
Type 4
In an EVPN-VXLAN fabric where all hosts are single-homed (each endpoint is attached to only one leaf/VTEP), the EVPN control plane still needs to advertise endpoint reachability and enable BUM handling across the overlay. Two EVPN route types are fundamental in this case: Type 2 and Type 3.
EVPN Route Type 2 (MAC/IP Advertisement) is used to advertise learned MAC addresses and, optionally, associated IP addresses for endpoints connected to the local leaf. This enables remote VTEPs to learn where a given host resides (which VTEP to send unicast traffic to) without relying on data-plane flooding for MAC learning. In Junos v24.4 EVPN-VXLAN deployments, Type 2 routes are the core mechanism for distributing endpoint reachability (MAC and MAC+IP bindings) within the EVPN domain.
EVPN Route Type 3 (Inclusive Multicast Ethernet Tag / IMET) is used to establish the flooding scope for BUM traffic in EVPN-VXLAN. In VXLAN fabrics that use ingress replication (common in data centers), Type 3 routes help build the list of remote VTEPs that should receive replicated BUM traffic for a given segment.
By contrast, Type 4 (Ethernet Segment) routes are associated with EVPN multihoming (ESI-based) and DF election; with only single-homed hosts, Type 4 is not required. Type 7 is not part of the baseline single-homed EVPN-VXLAN host advertisement set in this context.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/junos/evpn/topics/concept/evpn-bgp-multihoming-overview.html
https://www.juniper.net/documentation/us/en/software/junos/evpn/topics/topic-map/assisted-replication-evpn.html
You are using Juniper Apstra to create security policies that create ACLs on the fabric devices. What are two valid objects that would be used within Apstra in this scenario? (Choose two.)
Virtual network
Domain name
Routing zone
Application signature
In Apstra 5.1, Security Policies express traffic-permit/deny intent between defined fabric endpoints, and Apstra compiles that intent into ACL enforcement on the appropriate switches (for example, on gateway interfaces for east-west segmentation and on border leaf interfaces for north-south controls). The objects you use to define that policy intent must correspond to fabric connectivity constructs that Apstra understands as endpoints in the blueprint’s logical model.
Two such valid objects are Virtual Networks and Routing Zones. A virtual network represents a tenant segment (typically mapped into EVPN-VXLAN constructs such as VNI and associated IRB gateway when L3 is enabled). Policies between virtual networks are a common way to implement micro-segmentation or tier-based segmentation (web/app/db) within the same tenant boundary. A routing zone represents the L3 tenancy boundary (mapped to a VRF) and can be used to group and control connectivity at the tenant level, especially where policy needs to be expressed for aggregated tenant domains or for controls involving external connectivity.
“Domain name” and “application signature” are not endpoint objects for Apstra Security Policies in this context. They may exist in other security ecosystems, but Apstra’s security intent model for ACL generation is based on topology and blueprint objects (routing zones, virtual networks, and endpoint definitions), which can then be rendered into Junos v24.4 firewall filter–style enforcement on the fabric devices.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/topic-map/policy-security.html
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/concept/routing-zones.html
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/concept/virtual-networks.html
You are asked to deploy a collapsed fabric architecture. Which two statements are correct about this deployment? (Choose two.)
All EVPN-VXLAN overlay functions are provided by the leaf devices.
Leaf devices are full-mesh connected.
Top-of-rack switches are full-mesh connected.
Top-of-rack switches provide VXLAN support.
In Apstra, a collapsed fabric (also described as “spineless”) consolidates traditional fabric tiers so that the primary fabric devices perform combined roles. Instead of a dedicated spine tier providing transit between leafs, the fabric is formed by leaf devices connected directly to each other using mesh links. This means a collapsed fabric uses a full-mesh topology at the leaf level, replacing the usual leaf-to-spine connections found in a three-stage Clos. Therefore, the statement that leaf devices are full-mesh connected is correct.
Because the collapsed fabric devices serve the fabric roles, they also provide the EVPN-VXLAN overlay functions (VTEP behavior, EVPN control-plane participation, and VXLAN encapsulation/decapsulation) necessary for tenant segmentation and service delivery. Juniper’s collapsed fabric validated designs further describe the collapsed fabric switches as serving all fabric roles (including border-leaf behaviors when external connectivity is required), reinforcing that overlay functions reside on these fabric leaf devices.
The remaining statements are not generally true for the collapsed fabric definition. Top-of-rack (access) switches—when present in certain collapsed designs—are not defined by default as full-mesh connected, and VXLAN support is not a requirement for those TOR/access switches unless the specific architecture explicitly uses them as VTEPs. The defining characteristics are the consolidated fabric roles and the leaf-level full-mesh.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra5.0/apstra-user-guide/topics/concept/templates.html
https://www.juniper.net/documentation/us/en/software/apstra4.2/apstra-user-guide/topics/concept/rack-types.html
https://www.juniper.net/documentation/us/en/software/jvd/jvd-collapsed-dc-fabric-with-apstra/jvd-collapsed-dc-fabric-with-apstra.pdf
You are attempting to attach the server connected to the my_border_001_leaf1 node’s ge-0/0/5 interface to the finance-app virtual network.
Referring to the exhibit, what would you do to solve the problem?
You can add a generic system to the physical topology.
You can set the generic system to the deploy mode.
You can allocate an IP pool resource to the virtual network.
You can assign the finance-app virtual network to the my_border_001_leaf1 node.
In Apstra 5.1, servers are modeled as Generic Systems and must be represented in the blueprint topology so that Apstra can bind an endpoint (the server) to a specific switch interface and then apply the intended connectivity template / virtual network attachment. In the exhibit, the interface ge-0/0/5 on my_border_001_leaf1 is shown as missing from the assignment workflow, which indicates that Apstra does not currently have an endpoint object connected to that port in the blueprint’s staged physical topology (or that the port is not presented as an eligible connectivity point for server attachment).
The correct remediation is to add a Generic System connected to my_border_001_leaf1 ge-0/0/5 in Staged > Physical > Topology, thereby creating a modeled server link on that interface. Once the Generic System exists and the interface is a recognized server-facing connectivity point, you can assign the Tagged VXLAN “finance-app” connectivity template (or the VN assignment action driven by that template) to the server-facing interface and then commit the staged changes.
Changing “deploy mode” may affect whether Apstra actively configures a generic system-facing link, but it does not solve a missing interface in the topology model. Likewise, allocating an IP pool is unrelated to making the port available for attachment, and assigning the VN to the switch node is not how server interfaces are attached in this workflow.
Verified Juniper sources (URLs):
https://www.juniper.net/documentation/us/en/software/apstra5.1/apstra-user-guide/topics/topic-map/internal-generic-system-create.html
https://www.juniper.net/documentation/us/en/software/apstra5.0/apstra-user-guide/topics/topic-map/virtual-network-assignment-update.html
https://cloudlabs.apstra.com/labguide/Cloudlabs/6.0.0/test-drive-guide/lab1-junos-11_adding-gs.html
Copyright © 2014-2026 Certensure. All Rights Reserved