To make the IP fabric a valid IP fabric, the connection between the two spine nodes must be removed. This is because an IP fabric is a network topology that uses a spine-leaf architecture, where the spine devices are only connected to the leaf devices, and the leaf devices are only connected to the spine devices. This creates a non-blocking, high-performance, and scalable network that supports Layer 3 routing protocols such as BGP or OSPF. The connection between the two spine nodes in the exhibit violates the spine-leaf design principle and introduces unnecessary complexity and potential loops in the network. The other options are incorrect because:

• A. The IP fabric must consist of only one device model throughout the fabric is wrong because an IP fabric can support different device models as long as they are compatible and interoperable. The exhibit shows two different models of QFX switches, which are both supported by Juniper Networks for IP fabric deployments.
• B. The connection between the two spine nodes must be increased to 40 Gbps is wrong because increasing the speed of the connection does not make the IP fabric valid. The connection between the two spine nodes should be removed, as explained above.
• C. The IP fabric connections must be increased to a speed greater than 10 Gbps is wrong because the speed of the connections does not affect the validity of theIP fabric. The IP fabric can use any speed that meets the bandwidth and performance requirements of the network. 10 Gbps is a common speed for IP fabric connections, but higher or lower speeds can also be used depending on the network design and devices. References:
• IP Fabric Underlay Network Design and Implementation
• IP Fabric Overview
• IP Fabric: Automated Network Assurance Platform

A configlet is a small piece of configuration that can be applied to a device or a group of devices to make persistent changes that are not overwritten by Apstra. Configlets can be used to install manual changes that are not part of the Apstra rendered configuration, such as custom commands, scripts, or features. Configlets can be created, edited, and deleted from the Apstra GUI or CLI12. References:

• Configlets Overview
• Configlets User Guide

According to the Juniper documentation1, an ESI-LAG is a link aggregation group (LAG) that spans two or more devices and is identified by an Ethernet segment identifier (ESI). An ESI-LAG provides redundancy and load balancing for a multihomed server in an EVPN-VXLAN network. To configure an ESI-LAG, you need to ensure that the following requirements are met:

• The LACP system ID on both devices must be the same. This ensures that the LACP protocol can negotiate the LAG parameters and form a single logical interface for the server.
• The ESI ID on both devices must be the same. This ensures that the EVPN control plane can advertise the ESI-LAG as a single Ethernet segment and synchronize the MAC and IP addresses of the server across the devices.
• The VLAN ID and VNI on both devices must be the same. This ensures that the server can communicate with other hosts in the same virtual network and that the VXLAN encapsulation and decapsulation can work properly.

In the exhibit, the LACP system ID and the ESI ID on both devices are different, which prevents the ESI-LAG from coming up as multihomed. Therefore, the correct answer is B and D. The LACP system ID on both devices must be the same and the ESI ID on both devices must be the same. References: ESI-LAG Made Easier with EZ-LAG, Example: Configuring an ESI on a Logical Interface With EVPN-MPLS Multihoming, Introduction to EVPN LAG Multihoming

Juniper Apstra supports three deploy modes for devices: Deploy, Drain, and Ready. These modes determine the configuration and state of the devices in the data center fabric12.

• Deploy: This mode applies the full Apstra-rendered configuration to the device, according to the Apstra Reference Design. The device state becomes IS-ACTIVE and the device is ready to carry traffic in the fabric12.
• Drain: This mode adds a “drain” configuration to the device, which prevents any new traffic from entering the device. The device state becomes IS-READY and the device is prepared for maintenance or decommissioning12.
• Ready: This mode removes the Apstra-rendered configuration from the device, leaving only the basic configuration such as device hostname, interface descriptions, and port speed/breakout. The device state becomes IS-READY and the device is not part of the fabric12. References:
• Device Configuration Lifecycle
• Set Deploy Mode (Datacenter)

The graph query output shown in the exhibit is a JSON representation of an interface node and its properties in the Apstra graph database. Based on the output, we can infer the following statements:

• The output shows a LAG connection. This is true because the interface node has a property called lag_mode which is set to lacp_active, indicating that the interface is part of a link aggregation group (LAG) that uses the Link Aggregation Control Protocol (LACP) to negotiate the link state and parameters12.
• The switch in the output is a Juniper device. This is true because the interface node has a property called if_name which is set to ae2, indicating that the interface name follows the Juniper naming convention for aggregated Ethernet interfaces34.
• The interface has an IP address assigned to it. This is false because the interface node has properties called ipv4_addr and ipv6_addr which are both set to null, indicating that the interface does not have any IPv4 or IPv6 address configured2.
• The interface has tags assigned to it. This is false because the interface node has a property called tags which is set to null, indicating that the interface does not have any tags associated with it2. References:
• Link Aggregation Overview
• Processor: Generic Graph Collector
• Understanding Aggregated Ethernet Interfaces and LACP
• Graph

According to the Juniper documentation1, a VXLAN virtual network is a collection of Layer 2 forwarding domains that span multiple racks in a fabric. A VXLAN virtual network requires a name and a VXLAN network identifier (VNI), which is a 24-bit number that identifies the virtual network. The VNI can be either explicitly assigned or auto-assigned from a resource pool. A VXLAN virtual network can also have Layer 3 connectivity, which enables routing between different VNIs within a routing zone. A routing zone is an L3 domain that isolates the IP traffic of different tenants. A routing zone can have one or more VNIs associated with it. To enable Layer 3 connectivity, a VXLAN virtual network needs an IP subnet, which is a range of IP addresses that can be assigned to the hosts in the virtual network. The IP subnet can be either explicitly assigned or auto-assigned from a resource pool. Therefore, the correct answer is A and C. IP subnet and VXLAN VNI are two components that would be automatically derived when enabling a new VXLAN virtual network using Juniper Apstra. References: Virtual Networks | Apstra 4.1 | Juniper Networks

Juniper Apstra role-based access control (RBAC) is a feature that allows you to specify access permissions for different users based on their roles. RBAC servers are remote network servers that authenticate and authorize network access based on roles assigned to individual users within an enterprise1. Juniper Apstra has four predefined user roles: administrator, device_ztp, user, and viewer2. The administrator role is the most powerful role, and it can see all permissions and perform all actions in the Apstra software application. The administrator role can also create, clone, edit, and delete user roles, except for the four predefined user roles, which cannot be modified2. Therefore, the statement that the administrator role can see all permissions is correct.

The following three statements are incorrect in this scenario:

• The viewer role is predefined and can be deleted. This is not true, because the viewer role is one of the four predefined user roles, and it cannot be deleted. The viewer role is the most restricted role, and it can only view the network information and configuration, but not make any changes2.
• The user role can create roles. This is not true, because the user role is one of the four predefined user roles, and it cannot create roles. The user role can perform most of the network configuration and management tasks, but it cannot access the platform settings or the user management features2.
• The administrator role is the only predefined role. This is not true, because there are four predefined user roles, not just one. The other three predefined user roles are device_ztp, user, and viewer2.

References:

• Providers — Apstra 3.3.0 documentation
• User/Role Management (Platform)

To implement remote user authentication for the role-based access control of your Apstra server, you can use one of the following methods: TACACS+, LDAP, or RADIUS. These are the protocols that Juniper Apstra supports to authenticate and authorize users based on roles assigned to individual users within an enterprise. You can configure the Apstra server to use one or more of these protocols as the authentication sources and specify the order of preference. You can also configure the Apstra server to use local user accounts as a fallback option if the remote authentication fails. The other options are incorrect because:

• D. SAML is wrong because SAML (Security Assertion Markup Language) is not a supported protocol for remote user authentication for the role-based access control of your Apstra server. SAML is an XML-based standard for exchanging authentication and authorization data between different parties, such as identity providers and service providers. SAML is commonly used for web-based single sign-on (SSO) scenarios, but it is not compatible with the Apstra server.
• E. Auth0 is wrong because Auth0 is not a protocol, but a service that provides authentication and authorization solutions for web and mobile applications. Auth0 is a platform that supports various protocols and standards, such as OAuth, OpenID Connect, SAML, and JWT. Auth0 is not a supported service for remote user authentication for the role-based access control of your Apstra server. References:
• User Authentication Overview
• [Juniper Apstra] Authentication and Authorization Debugging1
• Authenticate User (API)
• Configure Apstra Server

A Juniper Apstra rack is a physical entity that contains one or more network devices, such as leaf nodes, access switches, or generic systems. A rack is used to organize and manage the network devices in the Apstra software application. A rack has the following characteristics:

• It stores information on how leaf nodes connect to generic devices. This is because a rack can include generic systems, which are devices that are not managed by Juniper Apstra, but are connected to the network. A generic system can be a server, a firewall, a load balancer, or any other device that has a networkinterface. A rack stores the information on how the leaf nodes, which are the devices that provide access to the end hosts, connect to the generic devices, such as the port number, the link speed, the LAG mode, and the roles1.
• It has a rack type, which defines the type and number of leaf devices, access switches, and/or generic systems that are used in the rack. A rack type is a resource that is created in the data center design phase, and it does not specify the vendor or the model of the devices. A rack type can be predefined or custom-made, and it can be used to create multiple racks with the same structure and configuration2.
• It has a rack build, which assigns the specific vendor and model of the devices to the rack. A rack build is created in the staged phase, and it uses the rack type as a template. A rack build can also assign the resources, such as the IP addresses, the ASNs, and the VNIs, to the devices in the rack3.
• It has a rack deployment, which applies the network configuration and services to the devices in the rack. A rack deployment is performed in the active phase, and it uses the rack build as a reference. A rack deployment can also monitor the network performance and compliance of the devices in the rack4.

The following three statements are incorrect in this scenario:

• It stores information on how pods connect to super spines. This is not true, because a rack does not store any information on the pod or the super spine level of the network. A pod is a cluster of leaf and spine devices that form a 3-stage Clos topology, and a super spine is a device that connects multiple pods in a 5-stage Clos topology. A rack only stores information on the leaf and the access level of the network1.
• It stores IP address and ASN pool information. This is not true, because a rack does not store any information on the IP address and ASN pools. IP address and ASN pools are resources that are created in the data center design phase, and they contain a range of IP addresses and ASNs that can be assigned to the devices and the virtual networks. A rack only uses the IP address and ASN pools to assign the resources to the devices in the rack build2.
• It stores device port data rates and vendor information. This is not true, because a rack does not store any information on the device port data rates and vendor information. The device port data rates and vendor information are specified in the rack build, which assigns the specific vendor and model of the devices to the rack. A rack only uses the rack build to apply the network configuration and services to the devices in the rack deployment3.

References:

• Racks (Staged)
• Rack Types (Datacenter Design)
• Rack Builds (Staged)
• Racks (Active)

 According to the Juniper documentation1, the Revert button is located on the Uncommitted tab of the blueprint page. The Uncommitted tab shows the changes that have been staged but not yet committed to the network. The Revert button allows you to discard any uncommitted changes and revert to the last committed state of the blueprint. This is useful if you want to cancel the changes that you have made or if you want to start over with a fresh slate. Therefore, the correct answer is B. The Revert button deletes any uncommitted changes within Apstra. References: Commit / Revert Changes to Blueprint | Apstra 4.2 | Juniper Networks

According to the Juniper documentation1, a template is a configuration template that defines a network’s policy intent and structure. A template can be either rack-based or pod-based, depending on the type and number of racks and pods in the network design. A template includes the following details:

• Policies: These are the parameters that apply to the entire network, such as the overlay control protocol, the ASN allocation scheme, and the underlay type.
• Structure: This is the physical layout of the network, such as the type and number of racks, pods, spines, and leaves. The structure also defines the leaf-to-spine interconnection, which is the number and type of links between the leaf and spine devices. The leaf-to-spine interconnection can be either single or dual, depending on the redundancy and bandwidth requirements.

Therefore, the correct answer is A. the leaf-to-spine interconnection. This is a component that is defined in a template, as it determines the physical connectivity of the network. The speed of the links, the number of spine devices, and the definition of IP pools are not components that are defined in a template, as they are either derived from the device profiles, the resource pools, or the blueprint settings. References: Templates Introduction | Apstra 4.2 | Juniper Networks

The attribute that enables Juniper Apstra to scale and manage thousands of devices with a single server instance is that Apstra is a distributed state system. This means that Apstra uses a graph database to store the network topology and configuration data in a distributed and replicated manner across multiple server nodes. This allows Apstra to handle large-scale networks with high performance, reliability, and availability. Apstra also uses a stateful orchestration engine that ensures the network state is always consistent with the intent of the blueprint, which is the logical representation of thenetwork design and behavior. Apstra can automatically detect and resolve any discrepancies between the desired and actual network state, as well as handle any changes or failures in the network. The other options are incorrect because:

• A. Apstra is installed as a cloud resource is wrong because Apstra can be installed either as a cloud resource or as an on-premises resource. Apstra is available as a virtual machine image that can be deployed on various hypervisors, such as VMware ESXi, QEMU/KVM, Microsoft Hyper-V, or Oracle VirtualBox. Apstra can also be deployed on public cloud platforms, such as Amazon Web Services (AWS) or Microsoft Azure. However, the installation method does not affect the scalability of Apstra, which is determined by the distributed state system architecture.
• B. Apstra is based on NGINX is wrong because Apstra is not based on NGINX, but on Python and Django. NGINX is a web server and reverse proxy that Apstra uses to serve the web user interface and the REST API. However, NGINX is not the core component of Apstra, and it does not affect the scalability of Apstra, which is determined by the distributed state system architecture.
• C. Apstra is available as an OVA is wrong because Apstra is available as an OVF, not an OVA. An OVF (Open Virtualization Format) is a standard format for packaging and distributing virtual machine images. An OVA (Open Virtual Appliance) is a single file that contains the OVF and the virtual disk images. Apstra provides an OVF file that can be imported into various hypervisors, such as VMware ESXi, QEMU/KVM, Microsoft Hyper-V, or Oracle VirtualBox. However, the availability of Apstra as an OVF does not affect the scalability of Apstra, which is determined by the distributed state system architecture. References:
• JUNIPER APSTRA ARCHITECTURE
• Apstra Server Requirements/References
• Juniper Networks Apstra 4.0 enhances the experience of users and operators

A cabling anomaly is an issue that occurs when the physical connections between the devices in the data center fabric do not match the expected connections based on the Apstra Reference Design. A cabling anomaly can cause problems such as incorrect routing, suboptimal traffic flow, or device isolation. To remediate the issue, you can use one or both of the following methods:

• Manually edit the cabling map. This allows you to override the Apstra-generated cabling and specify the correct connections between the devices. You can use the Apstra UI or the Apstra CLI to edit the cabling map and apply the changes to the fabric12.
• Have Apstra autoremediate the cabling map using LLDP. This allows Apstra to collect LLDP data from the devices and use it to update the cabling map automatically. LLDP is a protocol that allows devices to exchange information about their identity, capabilities, and neighbors. Apstra can use the LLDP data to detect and correct any cabling errors in the fabric34. References:
• Edit Cabling Map (Datacenter)
• Import / Export Cabling Map (Datacenter)
• LLDP Overview
• Anomalies (Service)

VXLAN VNIs are virtual network identifiers that are used to identify and isolate Layer 2 segments in the overlay network. VXLAN VNIs have the following characteristics:

• VNIs can have over 16 million unique values. This is because VXLAN VNIs are 24-bit fields that can range from 4096 to 16777214, according to the VXLAN standard1. This allows VXLAN to support a large number of Layer 2 segments and tenants in the network.
• VNIs identify a broadcast domain. This is because VXLAN VNIs are used to group the end hosts that belong to the same Layer 2 segment and can communicate with each other using VXLAN tunnels. The VXLAN tunnels are established using the VTEP information that is distributed by EVPN. The VTEPs are VXLAN tunnel endpoints that perform the VXLAN encapsulation and decapsulation. The VXLAN tunnels preserve the Layer 2 semantics and support the broadcast, unknown unicast, and multicast traffic within the same VNI2.

The following two statements are incorrect in this scenario:

• VNIs identify a collision domain. This is not true, because VXLAN VNIs do not identify a collision domain, which is a network segment where data packets can collide with each other. VXLAN VNIs identify a broadcast domain, which is a network segment where broadcast traffic can reach all the devices. Collision domains are not relevant in VXLAN networks, because VXLAN uses MAC-in-UDP encapsulation and IP routing to transport the Layer 2 frames over the Layer 3 network1.
• VNIs are alphanumeric values. This is not true, because VXLAN VNIs are numeric values, not alphanumeric values. VXLAN VNIs are 24-bit fields that can range from 4096 to 16777214, according to the VXLAN standard1. Alphanumeric values are values that contain both letters and numbers, such as ABC123 or 1A2B3C.

References:

• Virtual Extensible LAN (VXLAN) Overview
• EVPN LAGs in EVPN-VXLAN Reference Architectures

To answer this question, we need to understand the concept of ESI values in EVPN LAGs. An ESI is a 10-byte value that identifies an Ethernet segment, which is a set of links that connect a multihomed device (such as a server) to one or more PE devices (such as leaf switches) in an EVPN network. The same ESI value must be configured on all the PE devices that connect to the same Ethernet segment. This allows the PE devices to form an EVPN LAG, which supports active-active or active-standby multihoming for the device. The ESI value can be manually configured (type 0) or automatically derived from LACP (type 1) or other methods. In the exhibit, Server A is connected to two leaf switches (QFX 5210) using a LAG with LACP enabled. Server B is connected to three leaf switches (QFX 5120) using a LAG with LACP enabled. Based on this information, the following statements are correct about ESI values for the server connections to the fabric:

• C. A valid ESI value for Server A is 0x00.10.10.10.10.10.10.10.10.10. This is true because this ESI value can be automatically derived from the LACP configuration on the QFX 5210 devices. The LACP system ID is usually based on the MAC address of the device, and the LACP administrative key is a 2-byte value that identifies the LAG. For example, if the MAC address of the QFX 5210 device is 00:10:10:10:10:10 and the LAG ID is 10, then the LACP system ID is 00:10:10:10:10:10 and the LACP administrative key is 00:0A. The ESI value is then derived by concatenating the LACP system ID and the LACP administrative key, resulting in 00:10:10:10:10:10:00:0A. This ESI value can be represented in hexadecimal notation as 0x00.10.10.10.10.10.00.0A, or padded with zeros as 0x00.10.10.10.10.10.00.0A.00.00. This ESI value must be configured on both QFX 5210 devices that connect to Server A.
• D. A valid ESI value for Server B is 0x00.00.00.00.00.00.00.00.00.00. This is true because this ESI value is a reserved value that indicates a single-homed device. Server B is connected to three leaf switches (QFX 5120) using a LAG, but it is not multihomed to any of them. This means that Server B does not need an ESI value to form an EVPN LAG with any of the leaf switches. Instead, Server B can use the reserved ESI value of 0x00.00.00.00.00.00.00.00.00.00, which indicates that it is a single-homed device and does not participate in any EVPN LAG. This ESI value must be configured on all three QFX 5120 devices that connect to Server B. Thefollowing statements are incorrect about ESI values for the server connections to the fabric:
• A. A valid ESI value for Server A is 0x00.00.00.00.00.00.00.00.00.00. This is false because this ESI value is a reserved value that indicates a single-homed device. Server A is connected to two leaf switches (QFX 5210) using a LAG with LACP enabled, which means that it is multihomed to both of them. This means that Server A needs an ESI value to form an EVPN LAG with the leaf switches. The ESI value must be unique and non-zero for each Ethernet segment, so the reserved ESI value of 0x00.00.00.00.00.00.00.00.00.00 is not valid for Server A.
• B. A valid ESI value for Server B is 0x00.20.20.20.20.20.20.20.20.20. This is false because this ESI value is not derived from the LACP configuration on the QFX 5120 devices. Server B is connected to three leaf switches (QFX 5120) using a LAG with LACP enabled, but it is not multihomed to any of them. This means that Server B does not need an ESI value to form an EVPN LAG with any of the leaf switches. Instead, Server B can use the reserved ESI value of 0x00.00.00.00.00.00.00.00.00.00, which indicates that it is a single-homed device and does not participate in any EVPN LAG. The ESI value of 0x00.20.20.20.20.20.20.20.20.20 is not valid for Server B, and it may cause conflicts with other Ethernet segments that use the same ESI value. References:
• Ethernet Segment Identifiers, ESI Types, and LACP in EVPN LAGs
• Understanding Automatically Generated ESIs in EVPN Networks
• Ethernet Segment in EVPN: All You Need to Know

According to the Juniper documentation1, a routing zone is an L3 domain, the unit of tenancy in multi-tenant networks. You create routing zones for tenants to isolate their IP traffic from one another, thus enabling tenants to re-use IP subnets. In addition to being in its own VRF, each routing zone can be assigned its own DHCP relay server and external system connections. You can create one or more virtual networks within a routing zone, which means a tenant can stretch its L2 applications across multiple racks within its routing zone. For virtual networks with Layer 3 SVI, the SVI is associated with a Virtual Routing and Forwarding (VRF) instance for each routing zone isolating the virtual network SVI from other virtual network SVIs in other routing zones. Therefore, the correct answer is D. A routing zone is used to enable the communication between two VNIs within a VRF. A routing zone is not used for L4-L7 inspection, securing routing protocols, or requiring firewalls. Those are not the purposes of a routing zone in Juniper Apstra software. References: Routing Zones