Comprehensive and Detailed Explanation with Exact Extracts:

Options A, B, and C are TRUE:

A:  BFD detects microsecond-level link failures, faster than BGP timers.

B:  BFD negotiates a control-packet rate during session setup.

C:  Missed BFD packets trigger a session-down event, notifying BGP.

Extract from Nokia SR Linux Configuration Guide (Section: BFD for BGP):

"BFD provides sub-second failure detection. Peers negotiate  tx-interval  and  rx-interval  timers dynamically. If the configured  multiplier  threshold of missed packets is reached, BFD notifies BGP to tear down the session."

Option D is FALSE:  BFD  does not modify  BGP’s update timers (e.g.,  min-advertisement-interval ). It only accelerates failure detection.

Extract from Nokia SR Linux Fundamentals Guide (Section: BFD Integration):

"BFD  does not influence  BGP’s route advertisement or withdrawal timers. It solely enhances failure detection speed, allowing BGP to react faster to topology changes."

Comprehensive and Detailed Explanation with Exact Extracts:

Option B (CPM-filter ACL) is CORRECT:

The CPM-filter ACL is  explicitly designed  to match control-plane traffic and copy it to the CPM (Control/Management Plane). It is instantiated  in hardware  on all line cards.

Extract from Nokia SR Linux Security Guide (Section: Control Plane Protection):

"The  cpm-filter  ACL is instantiated on every line card to identify packets destined for the CPM (e.g., routing protocols, ICMP). Matched packets are  copied to the CPM  while data-plane traffic is forwarded normally."

Other Options are INCORRECT:

A:  Capture-filter ACL is for packet mirroring (e.g., SPAN), not CPM copying.

C/D:  Ingress/Egress ACLs filter user traffic and are not specific to CPM-bound packets.

Extract from Nokia SR Linux ACL Configuration Guide:

"Only  cpm-filter  ACLs are globally applied across line cards for CPM protection. Interface ACLs (ingress/egress) operate locally and do not copy packets to the CPM."

Comprehensive and Detailed Explanation with Exact Extracts:

Option A (TRUE):  VTEPs (VXLAN Tunnel Endpoints) are deployed flexibly.

Extract from Nokia VXLAN Configuration Guide:

"VTEPs can reside on  hypervisors  (virtual switches),  leaf routers  (network-based overlays), or  data center gateways  (for inter-fabric connectivity)."

Option B (TRUE):  EVPN is the control plane for VXLAN.

Extract from Nokia EVPN-VXLAN Integration Guide:

"EVPN route types (e.g., Type 2 MAC/IP, Type 3 Inclusive Multicast) are exchanged  between VTEPs  to establish forwarding semantics for the VXLAN overlay."

Option C (FALSE):  The VNI (VXLAN Network Identifier) is  not  automatically assigned per VTEP.

Extract from Nokia SR Linux Fundamentals Guide (Section: VXLAN):

"The VNI is a  manually configured 24-bit segment ID  per Layer 2 domain (or VRF for L3VNI). A single VTEP handles  multiple VNIs  simultaneously. VTEPs are identified by IP addresses, not VNIs."

Option D (TRUE):  VXLAN enables L2 extension over IP underlays.

Extract from Nokia Data Center Design Guide:

"VXLAN encapsulation provides  Layer 2 connectivity  between workloads (e.g., VMs, containers) across a routed  underlay network ."

Comprehensive and Detailed Explanation with Exact Extracts:

Option B is FALSE:

The  system-cpu-policer  is a  software-based policer  running on the CPM CPU, not hardware-based.

Extract from Nokia SR Linux QoS Guide (Section: Control Plane Policing):

"The  system-cpu-policer  is enforced in  software  on the CPM. In contrast,  distributed-policers  are hardware-based and execute on line cards."

Other Options are TRUE:

A:  Hierarchical policing (e.g., per-protocol child policers under an aggregate) is supported.

Extract: "Hierarchical policers allow aggregate rate-limiting plus per-protocol sub-policers (e.g., for BGP, OSPF)."

C:  The  system-cpu-policer  polices the  aggregate  traffic reaching the CPM.

Extract: " system-cpu-policer  applies to the  sum of all traffic  forwarded from line cards to the CPM."

D:  CPM-filter entries can combine both policers:

distributed-policer  (line card hardware) for early per-card rate-limiting.

system-cpu-policer  (CPM software) for final aggregate policing.

Extract: "CPM-filter entries may reference both a  distributed-policer  (for per-line card enforcement) and a  system-cpu-policer  (for CPM-wide aggregation)."

Comprehensive and Detailed Explanation From Exact Extract:

Option A :  TRUE  – Only one management interface ( mgmt0 ) exists.

"The system supports a single management interface ( mgmt0 ) for out-of-band access."

—  SR Linux Interface Guide, "Management Port"

Option B :  TRUE  – Network interfaces bind to hardware ports.

"Network interfaces (e.g., ethernet-1/1) map directly to physical line card ports."

—  SR Linux Interface Guide, "Port Mapping"

Option C :  FALSE  –  Loopback interfaces are virtual , not physical.

"Loopback interfaces (e.g.,  lo0 ) are logical entities with no physical hardware association."

—  SR Linux Routing Guide, "Loopback Interfaces"

Option D :  TRUE  – L2 parameters (e.g., MTU) are set at the main interface; L3 (e.g., IP) at subinterfaces.

"Layer 2 attributes (MTU, admin-state) are configured under the main interface. Layer 3 settings (IP, VRF) are applied to subinterfaces."

—  SR Linux Interface Guide, "Subinterface Configuration"

Comprehensive and Detailed Explanation with Exact Extracts:

Options A, B, and C ARE configured in  static-routes :

Blackhole:  Configured under  static-routes  for a prefix to drop traffic.

IPv4 destination prefix:  Defined directly in the  static-routes  container.

Preference value:  Set per static route entry within  static-routes .

Extract from Nokia SR Linux Configuration Guide (Section: Static Routes):

"Static routes are configured under  /routing-policy/static-routes . Each entry requires a  prefix  (e.g.,  0.0.0.0/0 ). The  blackhole  parameter and  preference  value are configured directly within this container for a specific prefix."

Option D (Next-hop group) CANNOT be configured in  static-routes :

Next-hop groups are  separate objects  defined under  /routing-policy/next-hop-groups .

The  static-routes  container  references  a next-hop group by name but does not define its properties.

Extract from Nokia SR Linux Configuration Guide (Section: Next-Hop Groups):

"Next-hop groups are configured under  /routing-policy/next-hop-groups . Each group is given a name and defines properties like  next-hop  IPs,  blackhole  behavior, or  indirect  settings. Static routes  reference  a next-hop group via the  next-hop-group  parameter under  /routing-policy/static-routes  but  do not configure the group itself  here."

Comprehensive and Detailed Explanation with Exact Extracts:

Options A, B, and D are supported:

SR Linux users  (A): Locally configured users for CLI/management access.

Regular Linux OS users  (B): Native Linux users (e.g.,  admin ) for host OS operations.

Remote users  (D): Authenticated via AAA (TACACS+/RADIUS).

Extract from Nokia SR Linux System Management Guide:

"User types include  SR Linux users  (CLI access),  Linux OS users  (host system), and  remote users  (external AAA)."

Option C (Container users) is NOT supported:

SR Linux does not define "container users" as a distinct category. Containers (e.g., management container) share the host's user management.

Extract from Nokia SR Linux Security Guide:

"SR Linux does not provision separate user identities for containers. User access is managed at the  host OS level  or via SR Linux CLI, with no container-specific user type."

Comprehensive and Detailed Explanation From Exact Extract:

Option A :  TRUE  –  state  mode shows configuration + operational state.

"The  state  command provides a unified view of configuration and real-time operational data."

—  SR Linux CLI User Guide, "State Mode"

Option B :  TRUE  –  show  mode uses predefined templates.

" show  commands use structured report templates for consistent operational data display."

—  SR Linux CLI User Guide, "Show Commands"

Option C :  TRUE  –  running  mode is for configuration changes.

"Configuration edits occur in  running  mode, which modifies the candidate configuration."

—  SR Linux Configuration Fundamentals, "CLI Modes"

Option D :  FALSE  –  use  (not  enter ) switches modes .

"Mode transitions use the  use  command (e.g.,  use state ).  enter  navigates hierarchical paths within a mode."

—  SR Linux CLI User Guide, "Mode Navigation"

The "baseline diff" command is used to compare the candidate configuration against the baseline datastore to see changes or conflicts, especially when multiple users are involved or to verify differences. It does not indicate that the user is unable to commit changes.

Comprehensive and Detailed Explanation From Exact Extract:

Option A :  TRUE  – Fabric intent is declaratively defined in YAML.

"FSS uses YAML-based declarative intent to define and manage fabric configurations."

—  Nokia Fabric Services System User Guide, "Intent-Based Fabric"

Option B :  FALSE  – The  Digital Sandbox  is for  pre-deployment validation , not performance monitoring.

"The Digital Sandbox simulates configurations for validation before deployment. Performance monitoring is handled by telemetry analytics, not the sandbox."

—  Nokia FSS Deployment Guide, "Digital Sandbox"

Option C :  TRUE  – Telemetry is contextualized with intent.

"Telemetry data is correlated with fabric intent, providing context-aware insights."

—  Nokia FSS Operations Guide, "Telemetry and Analytics"

Option D :  TRUE  – FSS is cloud-native for flexible integration.

"FSS’s cloud-native microservices architecture simplifies integration with customer ecosystems."

—  Nokia FSS Architecture White Paper, "Cloud-Native Design"

Conclusion:  Option B misrepresents the Digital Sandbox’s purpose.