JN0-481

Explanation:
When an agent installation is successful, devices are placed into the Out of Service Quarantined (OOS-QUARANTINED) state using the Juniper Apstra UI. This state means that the device is not yet managed by Apstra and has not been assigned to any blueprint. The device configuration at this point is called Pristine Config. To make the device ready for use in a blueprint, you need toacknowledge the device, which changes its state to Out of Service Ready (OOS-READY)12.
References:
- Managing Devices
- AOS Device Configuration Lifecycle

Explanation:
Juniper Apstra role-based access control (RBAC) is a feature that allows you to specify access permissions for different users based on their roles. RBAC servers are remote network servers that authenticate and authorize network access based on roles assigned to individual users within an enterprise1. Juniper Apstra has four predefined user roles: administrator, device_ztp, user, and viewer2. The administrator role is the most powerful role, and it can see all permissions and perform all actions in the Apstra software application. The administrator role can also create, clone, edit, and delete user roles, except for the four predefined user roles, which cannot be modified2. Therefore, the statement that the administrator role can see all permissions is correct.
The following three statements are incorrect in this scenario:
- The viewer role is predefined and can be deleted. This is not true, because the viewer role is one of the four predefined user roles, and it cannot be deleted. The viewer role is the most restricted role, and it can only view the network information and configuration, but not make any changes2.
- The user role can create roles. This is not true, because the user role is one of the four predefined user roles, and it cannot create roles. The user role can perform most of the network configuration and
management tasks, but it cannot access the platform settings or the user management features2.
- The administrator role is the only predefined role. This is not true, because there are four predefined user roles, not just one. The other three predefined user roles are device_ztp, user, and viewer2.
References:
- Providers ― Apstra 3.3.0 documentation
- User/Role Management (Platform)

Explanation:
A graph query is a component that identifies devices that supply data for a specific probe. A graph query is an expression that matches nodes in the Apstra graph database based on their attributes, such as device name, role, type, or tag. A graph query can be used to select the source devices for the input processors of a probe, as well as to filter the data by device attributes in the subsequent processors of a probe12.
References:
- Probes
- Apstra IBA Getting Started Tutorial

Explanation:
To implement ECMP in IP fabric using EBGP, you need to enable BGP to install multiple equal-cost paths in the routing table and to advertise them to the peers.
The following actions are required to achieve this:
B. Use a load balancing policy applied to BGP as an export policy. This is true because you need to apply a load balancing policy to BGP as an export policy to allow BGP to advertise multiple paths to the same destination to the peers. By default, BGP only advertises the best path to the peers, which prevents
ECMP. A load balancing policy can be configured to match the desired routes and set the multipath attribute to true. This will enable BGP to advertise up to the maximum number of paths configured by the maximum-paths command. For example, the following configuration applies a load balancing policy to BGP as an export policy for the neighbor 10.10.10.1:
policy-statement load-balance { term 1 { from { route-filter 192.168.0.0/16 exact; } then { multipath; accept; } } } protocols { bgp { group ebgp { type external; neighbor 10.10.10.1 { export load-balance; } } } }
C. Use the multipath multiple-as BGP parameter. This is true because you need to enable the multipath multiple-as BGP parameter to allow BGP to install multiple paths from different autonomous systems in the routing table. By default, BGP only installs multiple paths from the same autonomous system, which limits ECMP. The multipath multiple-as parameter can be configured under the BGP group or neighbor level. This will enable BGP to install up to the maximum number of paths configured by the maximum-paths command. For example, the following configuration enables the multipath multiple-as parameter for the BGP group ebgp:
protocols { bgp { group ebgp { type external; multipath multiple-as; } } }
The following options are incorrect because:
A. Use a load balancing policy applied to the forwarding table as an export policy is wrong because applying a load balancing policy to the forwarding table does not affect the BGP advertisement or installation of multiple paths. A load balancing policy applied to the forwarding table only affects how the traffic isdistributed among the multiple paths in the forwarding table. It does not enable ECMP in BGP.
D. Use a load balancing policy applied to BGP as an import policy is wrong because applying a load balancing policy to BGP as an import policy does not affect the BGP advertisement of multiple paths. A load balancing policy applied to BGP as an import policy only affects how the BGP routes are accepted or rejected from the peers. It does not enable ECMP in BGP. References:
- IP Fabric Underlay Network Design and Implementation
- Use ECMP to distribute traffic between two paths, one learned by eBGP and one learned by iBGP on a Cisco NX-OS switch
- Example: Configure an EVPN-VXLAN Centrally-Routed Bridging Fabric Using EBGP

Explanation:
A security policy is the feature that would be used to accomplish the task of controlling access to other virtual networks in the same routing zone using the Juniper Apstra UI. A security policy allows you to define rules that specify which traffic is allowed or denied between different virtual networks, IP endpoints, or routing zones. A security policy can be applied to one or more virtual networks in the same routing zone, and it can use various criteria to match the traffic, such as source and destination IP addresses, protocols, ports, or tags. A security policy can also support DHCP relay, which enables the forwarding of DHCP requests from one virtual network to another.
The other options are incorrect because:
A. interface policy is wrong because an interface policy is a feature that allows you to configure the interface parameters for the devices in a blueprint, such as interface names, speeds, types, or
descriptions. An interface policy does not affect the access control between different virtual networks in the same routing zone.
B. anti-affinity policy is wrong because an anti-affinity policy is a feature that allows you to prevent certain devices or logical devices from being placed in thesame rack or leaf pair in a blueprint. An anti-affinity policy is used to enhance the availability and redundancy of the network, not to control the access between different virtual networks in the same routing zone.
C. routing policy is wrong because a routing policy is a feature that allows you to configure the routing parameters for the devices in a blueprint, such as routing protocols, autonomous system numbers, route filters, or route maps. A routing policy does not affect the access control between different virtual networks in the same routing zone, unless the routing policy is used to filter or modify the routes exchanged between different routing zones.
References:
- Security Policy
- Interface Policy
- Anti-Affinity Policy
- Routing Policy