JNCIS-ENT: Juniper Networks Certified Specialist, Enterprise Routing and Switching
Most candidates who pass JNCIA-Junos walk into JN0-351 assuming the step up is just more of the same material at slightly higher depth. That assumption tends to produce a failing score. JNCIS-ENT does not add more Junos basics. It tests protocol mechanics, specifically the behavior of routing protocols under non-default conditions, the interaction between policy and forwarding, and the specifics of how Junos implements features that other vendors do differently. Candidates who prep by re-reading JNCIA material and expecting to extrapolate usually discover the gap on exam day rather than during preparation.
Exam at a glance
| Detail | Value |
|---|---|
| Provider | Juniper Networks |
| Exam code | JN0-351 |
| Full name | Juniper Networks Certified Specialist, Enterprise Routing and Switching (JNCIS-ENT) |
| Duration | 90 minutes |
| Question count | 65 questions |
| Question format | Multiple choice, multiple select |
| Passing score | ~70% (Juniper does not publish the exact cutoff) |
| Exam fee | ~$300 USD |
| Validity | 3 years |
| Delivery | Pearson VUE (in-person or online proctored) |
| Prerequisites | JNCIA-Junos (required) |
| Retake policy | 30-day wait after a failed attempt |
What's tested
Layer 2 Switching. The exam goes deeper than basic VLAN configuration. You need to understand STP variants, specifically RSTP (Rapid Spanning Tree, 802.1w) and MSTP (Multiple Spanning Tree, 802.1s), and the exact conditions that trigger port state transitions. Link aggregation via LACP (IEEE 802.3ad) covers both static and dynamic bundle configuration, minimum link requirements, and how Junos handles member link failures within an aggregated Ethernet interface. IRB (Integrated Routing and Bridging) interfaces sit at the boundary between Layer 2 and Layer 3 in a bridge domain, and questions tend to test how routing across VLANs flows through an IRB rather than through a standard logical interface. Q-in-Q tunneling (802.1ad) extends VLANs across provider networks by stacking a second VLAN tag; exam questions here focus on the provider-edge configuration in Junos and which tag is the outer versus inner.
OSPF. Both OSPFv2 (IPv4) and OSPFv3 (IPv6) are in scope, and the exam tests them as distinct protocols, not just OSPFv2 with an IPv6 address. Area types are a heavy topic: backbone (area 0), stub (blocks external LSAs), NSSA (allows limited external route injection via type 7 LSAs), and totally stub (blocks both external and inter-area LSAs). LSA types matter here. The exam expects you to identify LSA types 1 through 7 by their roles: router LSA (type 1), network LSA (type 2), summary LSAs (types 3 and 4), AS external LSA (type 5), and NSSA external LSA (type 7). DR and BDR election on broadcast networks versus point-to-point links is a reliable trap. See the traps section below.
IS-IS. IS-IS uses a fundamentally different addressing model from OSPF. The NET (Network Entity Title) address identifies the router, not an interface, and its structure (area, system ID, N-SEL) is tested directly. Level 1 routing is intra-area; level 2 routing is inter-area and forms the IS-IS backbone. Candidates who come from an OSPF background often under-prepare IS-IS because it looks conceptually similar to OSPF areas, but the details differ: IS-IS runs directly on top of Layer 2 (not IP), metric types (narrow versus wide), and the way a default route is generated from level 2 to level 1 are all tested with specificity.
BGP. eBGP (between different autonomous systems) and iBGP (within the same autonomous system) are tested on behavior, not just configuration. Route reflectors solve the iBGP full-mesh requirement by allowing one RR to re-advertise iBGP routes to its clients; the exam tests cluster IDs, the distinction between client and non-client peers, and how ORIGINATOR_ID and CLUSTER_LIST prevent routing loops. BGP communities give you a mechanism to tag routes and apply policy at the receiving end. The exam expects you to understand standard communities, extended communities, and how to match and set them in Junos routing policy. Import and export policy filtering is heavily tested: which direction policies apply, how route maps interact with BGP attributes, and what happens when no policy is configured (Junos accepts all from iBGP, denies all from eBGP by default).
IP Tunneling and MPLS. GRE tunnels carry traffic between endpoints that cannot route natively to each other. The exam tests GRE configuration in Junos, including the interface type (gr-), encapsulation, and how the tunnel appears in the routing table. MPLS forwarding is covered at a conceptual level: label imposition at the ingress PE, label swapping at transit P routers, and label disposition at the egress PE. LDP (Label Distribution Protocol) distributes labels based on the underlying IGP topology. This is not deep MPLS design. The exam wants you to understand the forwarding plane mechanics and the role of LDP without expecting you to configure a full L3VPN from scratch.
High Availability. BFD (Bidirectional Forwarding Detection) provides sub-second failure detection for routing protocol neighbors. The exam tests BFD timer configuration and which protocols support it in Junos. VRRP (Virtual Router Redundancy Protocol) provides gateway redundancy on a LAN segment, with one master and one or more backup routers sharing a virtual IP and MAC. Graceful restart (also called GR or NSR in Junos depending on the mechanism) allows a routing engine to restart without tearing down its adjacencies immediately, giving neighbors time to hold their state rather than withdrawing routes.
Common exam traps
OSPF DR/BDR election on point-to-point links. On broadcast networks (Ethernet segments with multiple OSPF neighbors), OSPF elects a Designated Router and Backup Designated Router to reduce flooding overhead. On point-to-point links, there are only two routers and no need for DR/BDR election. The exam will describe a point-to-point link and ask about DR election. The correct answer is that no election happens. This is a reliable trap because it requires knowing the network type, not just the election rules, and Junos sets network type automatically based on the interface type, which differs from Cisco defaults on certain encapsulation types.
OSPF NSSA versus totally NSSA: what each area allows. An NSSA area blocks type 5 (AS external) LSAs from the backbone but allows the ASBR within the NSSA to inject external routes as type 7 LSAs, which are converted to type 5 at the ABR. A totally NSSA area adds one more restriction: it also blocks type 3 (inter-area summary) LSAs, relying entirely on a default route from the ABR. Exam questions present a topology and ask which LSA types are present inside the area. Getting this wrong is common because the names sound interchangeable until you internalize the difference.
BGP route reflector client versus non-client peering behavior. A route reflector re-advertises routes from a client peer to all other client peers and to non-client peers. Routes received from a non-client iBGP peer are re-advertised only to client peers, not to other non-clients. This asymmetry causes candidates to predict incorrect route propagation in topology diagrams. The CLUSTER_LIST attribute is appended each time a route passes through a reflector and prevents loops; the ORIGINATOR_ID is set to the originating router's ID. Exam questions test both the propagation rules and the loop prevention mechanism.
IS-IS default route from level 2 to level 1. In a two-level IS-IS deployment, level 2 routers know the full inter-area topology. Level 1 routers know only their own area. The mechanism for getting traffic out of a level 1 area toward external destinations is an "attached" bit set by a router that participates in both level 1 and level 2, which signals to level 1 neighbors that it can reach the level 2 backbone. The exam tests this behavior and the conditions under which the attached bit is set. Candidates who memorize IS-IS level definitions but skip the default route mechanism answer these questions incorrectly.
Junos "passive" in OSPF differs from what Cisco candidates expect. This is the trap that does not appear in the Juniper study guide. On Cisco IOS, setting an interface as OSPF passive prevents the router from sending or receiving Hello packets on that interface, which suppresses adjacency formation but still advertises the interface's prefix into OSPF. On Junos, configuring OSPF passive at the interface level has the same logical intent, but it is configured under the protocol hierarchy and behaves correctly within Junos. The subtler trap is the commit model. Junos uses a two-stage commit: you make changes to the candidate configuration, then commit. During the commit operation, a brief window exists where interfaces are reconfigured. Candidates who observe OSPF adjacencies dropping briefly after a commit and assume the configuration is broken are hitting commit-timing behavior, not a protocol error. Forum discussions on TechExams.net frequently surface this as a failed-lab scenario where candidates issue rollback unnecessarily.
How ARIA prepares you for JNCIS-ENT
JNCIA-Junos is a hard prerequisite, both for registration and for preparation. My evaluation for JNCIS-ENT assumes you hold or have substantial working knowledge of JNCIA-level content: Junos CLI navigation, the commit model, interface configuration, basic routing policy, and static routing. If that foundation has gaps, I will surface them in the CAT evaluation before building your roadmap, and the roadmap will address them first.
The evaluation for JNCIS-ENT focuses on protocol mechanics across six domains. Because the exam does not distribute questions evenly, the roadmap weights OSPF, BGP, and Layer 2 switching more heavily. IS-IS and MPLS are real exam topics but narrower in scope; I give them dedicated milestones rather than full phases.
For a candidate starting from scratch without JNCIA-Junos, plan for 14 to 18 weeks total, with the first 4 to 6 weeks dedicated to building the prerequisite foundation. For a candidate who already holds JNCIA-Junos and has been working in a Juniper environment, 6 to 8 weeks of focused preparation is the realistic window. The roadmap is generated from your CAT baseline, not from a marketing estimate.
Pass guarantee for JNCIS-ENT
JNCIS-ENT qualifies for the ClaudeLab pass guarantee. Full conditions here.
Related certifications
JNCIA-Junos is the required prerequisite for JNCIS-ENT. If you have not yet passed it, that is where the roadmap starts. CCNP covers the Cisco-equivalent advanced enterprise routing and switching track, relevant for candidates working in mixed-vendor environments or comparing career paths. CCNA (200-301) is the Cisco associate-level counterpart to JNCIA-Junos, and useful for candidates deciding between a Cisco-first or Juniper-first approach to enterprise networking. CKA (Certified Kubernetes Administrator) is the logical next step for network engineers moving into container orchestration, where understanding the underlying network fabric that Kubernetes runs on makes you a stronger cluster administrator.
Start your JNCIS-ENT roadmap
Start your JNCIS-ENT roadmap with ARIA → claudelab.me
The JN0-351 exam rewards precision over breadth. Knowing roughly how OSPF area types work is not the same as knowing which LSA types each area permits, and the exam distinguishes between the two. I track that precision across every session, surface the gaps before they cost you points, and do not consider you ready until the readiness score and the milestone record support it.