
H12-711 huawei

Number: H12-711
Passing Score: 800
Time Limit: 120 min

http://www.gratisexam.com/

Exam A

QUESTION 1
Some vendors set the TPID value in the outer VLAN tag of QinQ packets to the non-protocol value.

To be compatible with these vendors' devices, the TPID value on Huawei switches is adjustable.

Which is the default value of the TPID value on Huawei switches?


A. 0x9200
B. 0x9100
C. 0x8200
D. 0x8100

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Which types of interfaces can be configured with selective QinQ? (Select 2 Answers)

A. Access interface
B. Trunk interface
C. Hybrid interface
D. dot1q-tunnel interface

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
In a switching network that has been enabled with STP protocol, the priorities of all the switches are the same. The MAC address of switch1 is 00-e0-fc-00-00-40, the MAC address of switch2 is 00-e0-fc-00-00-10, the MAC address of switch3 is 00-e0-fc-00-00-20, and the MAC address of switch4 is 00-e0-fc-00-00-80. Which of the switches will be elected as the Root Bridge?

A. Switch1
B. Switch2
C. Switch3
D. Switch4

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
A switching network has been enabled with STP protocol. To provide fast access speed to the file server for most of the users, the switch that is directly connected
with file server is configured as the root bridge.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which of the following statements about the link failure detection in STP protocol is not true?

A. When network topology is stable, the Designated Port sends BPDU packet at every Hello Time interval.
B. When network topology is stable, BPDU packets will be transmitted periodically.
C. When the port does not receive new BPDU within a certain interval, the old configuration BPDU will time out and the link failure can be detected.

D. The port sends Configuration BPDU at every Hello Time interval. When the link fails, Configuration BPDU cannot be sent out. As a result, this port can detect the
link failure.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
answer is approved.

QUESTION 6
Which of the following statements about STP is not true?

A. STP can manage redundant links.


B. STP can block redundant links to eliminate loops
C. STP can prevent temporary loss of connectivity
D. STP can make LAN switch operate normally in a network with loops

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
confirmed answer.

QUESTION 7
According to OSI reference model, Layer 2 LAN switch operates at ( ).


A. Physical layer
B. Data link layer
C. IP layer
D. Application layer

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
According to the STP protocol, a certain field in the BPDU identifies the root switch. That is, if the BPDU sent by a switch contains this field, this switch is considered
as the root switch. What is this field?

A. Root Identifier
B. Root Path Cost
C. Bridge Identifier
D. Port Identifier

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which are the two parts in the port identifier of the uplink interface on a non-root switch?

A. 1-bit port priority and 1-bit port number


B. 1-bit port priority and 2-bit port number
C. 2-bit port priority and 1-bit port number
D. 2-bit port priority and 2-bit port number

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10

In the network diagram, which switch will be selected as the root switch?

A. SWA
B. SWB
C. SWC
D. None of the above

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
true.

QUESTION 11
Which statements about the PVID on the access interface are true? (Select 3 Answers)

A. When receiving a packet without the VLAN tag, the interface adds the VLAN tag to the packet and sets the VID in the tag to the default VLAN ID.
B. When receiving a packet with a VLAN tag, the interface compares the VLAN ID in the tag with the default VLAN ID. If they are the same, the interface forwards
the packets; otherwise, the interface discards the packets.
C. When the interface sends a packet with a VLAN tag that contains the default VLAN ID, the system removes the VLAN tag of the packet, and then forwards the
packet.
D. None of the above.

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:
valid.

QUESTION 12
Which statement about the hybrid interface is true?

A. A hybrid interface can only be connected to a network device.
B. A hybrid interface can only be connected to a host.
C. A hybrid interface can be connected to a host or a network device.
D. A hybrid interface cannot be configured with a VLAN ID.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
right,

QUESTION 13
Which statement about MUX VLAN is false?

A. Principal VLAN
B. Subordinate VLAN
C. Subordinate group VLAN
D. Guest VLAN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Which statements about the MUX VLAN configuration are true? (Select 2 Answers)

[Quidway]vlan 10
[Quidway-vlan10]mux-vlan
[Quidway-vlan10]subordinate group 11
[Quidway-vlan10]subordinate separate 12

A. VLAN 10 is the principal VLAN


B. VLAN 11 is the principal VLAN
C. VLAN 12 is the subordinate separate VLAN

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
When configuring VLAN mapping, you must set the priority of outer VLAN ID.


A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
The port isolation function can isolate the ports on the same switch.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Which statements are false?

A. The VLAN mapping function is usually configured on the edge node of a public network.
B. The VLAN mapping function can save VLAN resources on a public network.
C. VLAN mapping allows private networks on different VLANs to communicate with each other over the ISP network.

D. VLAN mapping allows only the private networks on the same VLAN to communicate with each other.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Which statements about VLAN are true? (Select 3 Answers)

A. The VLAN improves network security. Users on different VLANs cannot communicate with each other.
B. The VLAN improves network processing efficiency. Users on different VLANs are separated from each other. Therefore, the size of a broadcast domain is
reduced.
C. Layer 2 forwarding is only based on destination MAC addresses, and is irrelevant to VLAN configuration.
D. The VLAN technology is a management method that controls the communication between terminals.

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Which statements about the VLAN on S series switches are true? (Select 2 Answers)

A. The VLAN IDs on the switch range from 1 to 4090.


B. The switch has a default VLAN.
C. The priority value in the VLAN tag can be changed on the switch.
D. A VLAN tag contains one byte.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
If the customer requires high mobility and easy management, the staff of different departments can be added to different VLANs. In addition, these VLANs are
located on different IP subnets. Which VLAN allocation mode can meet these requirements?

A. VLAN allocation based on source IP addresses


B. VLAN allocation based on destination IP addresses
C. VLAN allocation based on source IP addresses and source MAC addresses
D. VLAN allocation based on destination MAC addresses and destination IP addresses

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which statements about the access interface are true? (Select 3 Answers)

A. Only the VLAN whose ID is the same as the PVID of the access interface is allowed on the access interface.
B. When receiving an untagged frame, the access interface adds its own PVID to the frame.
C. The access interface sends only untagged frames to the peer device.
D. None of the above.

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Which statement is false?

A. The switch supports 1:1 VLAN mapping.


B. The switch does not support N:1 VLAN mapping on an interface.
C. The switch can perform VLAN mapping for double-tagged packets.
D. The switch can map the outer VLAN ID of packets to another VLAN ID.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Which statement about VLAN is false?

A. A VLAN tag contains a 3-bit priority field. The priority value ranges from 0 to 7. It is used for differentiated service forwarding.
B. The priority in the VLAN tag can be mapped to the internal priority of the switch, for differentiated service forwarding.
C. The priority in the VLAN tag can be changed on the switch.
D. The priority in the VLAN tag cannot be changed.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Which statements are true? (Select 3 Answers)


A. The routing ARP proxy allows the hosts on different physical networks of the same network segment to communicate with each other.
B. The intra-VLAN ARP proxy allows isolated users on a VLAN to communicate with each other.
C. The inter-VLAN ARP proxy allows hosts on different VLANs to communicate with each other through Layer 3.
D. The inter-VLAN ARP proxy function can't be enabled on the VLANIF interface of the super VLAN to implement communication between sub-VLANs.

Correct Answer: ABC


Section: (none)

Explanation

Explanation/Reference:

QUESTION 25
Which statement about VLAN mapping is true?

A. The interface configured with VLAN mapping must be a hybrid interface.
B. The same VLANs on different interfaces cannot be mapped to different VLANs.
C. Different VLANs on the same interface can be mapped to the same VLAN.
D. Any type of interface can be configured with VLAN mapping.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which statement about port isolation configuration is false?

A. Port isolation can be used for Layer 2 isolation.


B. In port isolation mode, ports are isolated at Layer 2 but can communicate at Layer 3 by default.
C. Before the port isolation function takes effect on an interface, the port isolation function must be enabled first.
D. The port-isolate enable command can run in the system view.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Which VLAN assignment methods are supported by the Huawei S9300? (Select 3 Answers)

A. Assigning VLANs based on Layer 7 protocols

B. Assigning VLANs based on protocols
C. Assigning VLANs based on IP subnets
D. Assigning VLANs based on MAC addresses

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Which statements about VLAN aggregation are true? (Select 3 Answers)

A. Multiple VLANs (broadcast domains) are on the same physical network; therefore, different VLANs belong to the same subnet.
B. VLAN aggregation can save IP addresses.
C. Only the super VLAN requires an IP address; sub-VLANs do not need one.
D. The VLAN that is used to separate broadcast domains is called super VLAN.

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Which statement about VLAN mapping is false?

A. VLAN mapping is also called VLAN translation.


B. VLAN mapping can implement translation between C-VLAN IDs and S-VLAN IDs.
C. VLAN mapping can be configured.
D. VLAN mapping means that a VLAN tag is added to packets.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which statement about the VLAN on a Layer 2 switch is true?

A. The CFI in the VLAN tag specifies whether the priority in the VLAN tag is valid.
B. The VLAN tag is located in the Layer 2 header of a packet.
C. The CFI in the VLAN tag contains two bits.
D. A VLAN on the switch is a broadcast domain. The broadcast domains are separated.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which statements about VLAN configuration are true? (Select 2 Answers)

A. You can enter the VLAN view at the same time you create a VLAN.
B. If you run undo vlan, the VLAN is invalid, but still exists. You do not need to create the VLAN when you use it next time.
C. You can configure a character string of VLAN description. The length of the character string is not limited.
D. If you do not enter the VLAN ID when running the display vlan command, information about all VLANs will be displayed.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Which statement about the following configuration is true?

port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
port hybrid tagged vlan 3

A. The default VLAN of the interface is VLAN 2.
B. The port hybrid tagged vlan 3 command configures the VLAN for a hybrid interface. Frames in the VLAN then pass through the hybrid interface in untagged
mode.
C. The port hybrid untagged vlan 2 command configures the VLAN for a hybrid interface.
Frames in the VLAN then pass through the hybrid interface in tagged mode.
D. All of the above.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which statements about VLAN mapping are true? (Select 2 Answers)


A. When sending a frame from the local VLAN, the switch replaces the VLAN tag in the frame with another VLAN tag.
B. When receiving a frame from another VLAN, the switch replaces the VLAN tag of the frame with the local VLAN tag.
C. When an interface receives a frame from another VLAN, it does not replace the VLAN tag of the frame. The interface replaces the VLAN tag of the frame with
another VLAN tag only when it sends a frame.
D. The interface replaces the VLAN tag of only the frame received from another VLAN, but does not change the VLAN tag of the frame it sends out.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
Which statements are true? (Select 3 Answers)

A. Port isolation is a mechanism that controls the access between switch interfaces.
B. Port isolation is an isolation mechanism at the physical layer.
C. Port isolation prevents the computers connected to different ports from accessing each other.
D. Port isolation can be configured based on VLANs.

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Which statements are true? (Select 3 Answers)

A. The sub-VLANs are configured in the super VLAN view.


B. VLANs 1 to 4094 can be configured as a super VLAN.
C. The aggregate-vlan command is used to configure the super VLAN.
D. A VLAN to be configured as a super VLAN cannot contain any interface.

Correct Answer: ACD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Which statements about VLAN allocation are true? (Select 3 Answers)

A. The IP subnet VLAN is used to send the packets from the specified network segment or IP address over the specified VLAN.
B. The MAC address- or IP subnet-based VLAN is valid for only the untagged packets.
C. The protocol-based VLAN has a higher priority than the IP subnet-based VLAN.
D. The protocol-based VLAN indicates that service types on the network are bound to VLANs.

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Which is contained in the GVRP VLAN deregistration message?

A. Specified VLAN ID
B. Specified IP address
C. Specified MAC address
D. Known port number

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
On a switch running GVRP, each interface is considered as a participant. The participants can exchange information.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
When the GVRP registration mode is FORBIDDEN, no VLAN can be created or registered on the interface. In addition, which VLANs are deregistered on the
interface?

A. All VLANs except VLAN 1


B. All VLANs except VLAN 4095
C. All VLANs
D. All VLANs except the VLAN specified by the user

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Which are contained in a GARP participant? (Select 2 Answers)

A. GARP Application
B. GARP Information Propagation (GIP)
C. GARP Information Declaration (GID)
D. Interface LLC

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
When the GVRP registration mode is FIXED, which statement is true?

A. VLANs can be manually created and registered on the interface, and can also be dynamically registered and deregistered on the interface.
B. VLANs cannot be manually created and registered on the interface, but can be dynamically registered and deregistered on the interface.
C. VLANs can be manually created and registered on the interface, but cannot be dynamically registered or deregistered on the interface.
D. VLANs cannot be manually created and registered on the interface, and cannot be dynamically registered or deregistered on the interface.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
Which statements about the relationship between GVRP and GARP are true? (Select 2 Answers)

A. GVRP, GARP, and GMRP are the standards of the same type.
B. GVRP and GARP are defined by IEEE 802.1p.
C. GVRP is based on GARP, and is an application of GARP.
D. GVRP is a new definition of GARP.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
GARP involves various messages. Besides JoinIn message and Leave message, which are also the GARP messages? (Select 3 Answers)

A. Notice
B. Empty
C. JoinEmpty
D. LeaveAll

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 44

As shown in the figure, port 1 of switch A is configured with the Fixed mode, and other ports are configured with the Normal mode. The trunk interfaces allow all
VLANs. Which VLANs are registered on port 1 of switch C? (Select 3 Answers)

A. VLAN 1
B. VLAN 5 to VLAN 10
C. VLAN 15 to VLAN 20
D. VLAN 25 to VLAN 30

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
If 802.1x authentication is enabled on an interface, MAC address authentication (enabled by the mac-authen enable command) and direct authentication (enabled
by the direct-authen enable command) cannot be enabled on the interface.


A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Which are 802.1x authentication modes? (Select 2 Answers)

A. EAP relay mode


B. Proxy mode
C. EAP termination mode
D. Remote mode

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Before configuring 802.1x services, you need to determine the configuration roadmap and prepare data.

Which are general steps in the configuration roadmap? (Select 3 Answers)

A. Configure a TFTP server.
B. Configure an AAA authentication template.
C. Configure a domain.
D. Configure 802.1x authentication.

Correct Answer: BCD


Section: (none)

Explanation

Explanation/Reference:

QUESTION 48
After detecting a user with a new MAC address, the switch initiates an EAP authentication request. If the client does not respond and the MAC address bypass
authentication is not configured, which statement is false?

A. If the client does not respond after the number of authentication requests reaches a specified value, the switch considers that the client software is not installed.
B. All permissions of the user are prohibited.
C. The user is allowed to access only the isolated zone.
D. Detection is initiated again after a period of time.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
The Layer 2 packet header in EAPoL packets is | DMAC | SMAC | TYPE | EAPOL | FCS |.
Which statements are true? (Select 3 Answers)

A. The destination address of packets is a specified MAC address.


B. The destination address of packets is a unicast MAC address.
C. EAPoL packets cannot be forwarded by switches.
D. The source MAC address of packets is the MAC address of the interface that sends packets.

Correct Answer: ACD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
The dot1x command is used to enable 802.1x authentication globally or on an interface. Which statements about the undo dot1x command are true? (Select 3
Answers)

A. It is used to disable 802.1x authentication globally.
B. It will disconnect online users from the interface; therefore, use the command with caution.
C. It is used to disable 802.1x authentication on an interface.
D. Ensure that there are no online users before you run the undo dot1x command. Otherwise, running the undo dot1x command fails.

Correct Answer: ACD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
The dot1x authentication-method command is used to set the 802.1x authentication mode. Which is the most secure authentication mode?

A. PAP
B. EAP
C. CHAP
D. EAP-TTLS

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Topic 2, Volume B

QUESTION 52
Which statements about guest VLAN configuration are true? (Select 3 Answers)

A. The guest VLAN must be created before you configure the guest VLAN.
B. The default VLAN of the interface cannot be configured as the guest VLAN.
C. Different interfaces can be configured with different guest VLANs.
D. An interface can be configured with up to eight guest VLANs.

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
If you have run the dot1x port-method command with the port parameter specified (port-based 802.1x authentication), the maximum number of users on an
interface changes to 1. In this case, which statements are true? (Select 2 Answers)

A. You can run the dot1x max-user command to change the maximum number of access users.
B. You cannot run the dot1x max-user command to set the maximum number of access users.
C. You need to run the undo dot1x port-method command, and then set the maximum number of access users.
D. All of the above

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
What is the function of DHCP Offer messages?

A. DHCP Offer messages are broadcast by the client to detect the available server.
B. DHCP Offer messages are sent by the server to respond to the DHCP Discover messages sent by the client. Certain configuration parameters are specified in
the Offer messages.
C. DHCP Offer messages are sent by the client to apply to the server for configuration parameters, configuration confirmation, or extension of the IP address lease.
D. DHCP Offer messages are sent from the server to the client. They contain configuration parameters such as the IP address.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
The option field in DHCP messages uses the CLV mode.


A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Which encapsulation mode is used for DHCP messages?

A. TCP encapsulation
B. RTP encapsulation
C. UDP encapsulation
D. PPP encapsulation

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
The option field in DHCP messages has a fixed length of four bytes.

A. True
B. False

Correct Answer: B

Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
When the DHCP relay receives a DHCP request message in which the giaddr (gateway IP address) field is 0, how does the DHCP relay process the DHCP request
message?

A. The DHCP relay fills its IP address in the giaddr field and transmits the DHCP request message to the DHCP server in unicast mode.
B. The DHCP relay fills its IP address in the giaddr field and transmits the DHCP request message in broadcast mode.
C. The DHCP relay retains the value of the giaddr field and transmits the DHCP request message to the DHCP server in unicast mode.
D. The DHCP relay retains the value of the giaddr field and transmits the DHCP request message in broadcast mode.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
What is the sequence of applying for an IP address in DHCP?

1. The host sends a DHCP Request message to apply for an IP address.


2. The DHCP server replies with a DHCP Offer message.
3. The host sends a DHCP Discovery message to search for the DHCP server.
4. The DHCP server replies with a DHCP ACK message after receiving the DHCP Request message.

A. 1-2-3-4
B. 1-4-3-2
C. 3-2-1-4
D. 3-4-1-2

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

H12-711.exam.30q

Number: H12-711
Passing Score: 800
Time Limit: 120 min
File Version: 1

Huawei H12-711


HCNA-Security-CBSN (Huawei Certified Network Associate – Constructing Basic Security Network)

Exam A

QUESTION 1
Which of the following scenarios are not supported by the IPsec web configuration of the USG6000 series firewall? (Choose two.)


A. Gateway to Gateway
B. Gateway Center
C. Branch Gateway
D. Host and Host

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What port numbers may be used by FTP protocol? (Choose two.)

A. 20
B. 21
C. 23
D. 80

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3

For some applications, such as Oracle database applications, no data is transferred for a long time, so the firewall session connection is interrupted, resulting in service interruption. Which of the following technologies can solve this problem?

A. Configure a long business connection


B. Configure default session aging time
C. Optimization of packet filtering rules
D. Turn fragment cache

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Which of the following options is a DES key length?

A. 56
B. 64
C. 128
D. 192

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which of the following can terminal security access control support? (Choose three.)

A. SACG hardware (hardware security access control gateway)


B. 802.1X
C. ARP control
D. Software SACG (host firewall)

Correct Answer: ABD

Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
What are the main security capabilities of an encryption service? (Choose three.)

A. Confidentiality
B. Integrity
C. Non-repudiation
D. Scalability

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
When a Layer 2 switch (with no VLAN configured) receives a data frame, if no match is found in the MAC address table, it will forward the data frame to all ports (including the port on which the Layer 2 switch received the frame).


A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
How do you view the number of matches of a security policy?

A. display current-configuration
B. display policy all
C. display startup saved-configuration
D. display device

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
VPN tunnel technology refers to using an encryption algorithm (such as DES or 3DES) so that data transmitted in the network will not be intercepted.

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Which VPN access modes are suitable for mobile office workers? (Choose three.)

A. GRE VPN
B. L2TP VPN
C. SSL VPN
D. L2TP over IPsec

Correct Answer: BCD


Section: (none)

Explanation

Explanation/Reference:

QUESTION 11
In a GRE configuration environment, which of the following interfaces or IP addresses must the local GRE device's route to the peer-end private network point to? (Choose two.)

A. Tunnel Interface
B. External networks (Internet) Interface
C. Tunnel interface IP address
D. External network (Internet) interface IP address

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Which of the following is a multi-channel protocol?


A. FTP
B. Telnet
C. HTTP
D. SMTP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
What problem does IPsec IKE aggressive mode mainly solve?

A. Solve the problem of slow negotiation on both ends of the tunnel
B. Solve the security problem in the process of negotiation
C. Solve the NAT traversal problem
D. Solve the problem that a pre-shared key cannot be selected because the originator's source address is uncertain

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Which statement about NAT is wrong? (Choose two.)

A. NAT Outbound refers to conversion of the source IP address, and NAT Inbound refers to conversion of the destination IP address
B. The NAT Inbound command and the NAT Server command have the same function; you can choose which to configure according to personal preference
C. Outbound NAT can support the following application modes: one-to-one, many-to-many, and many-to-one
D. NAT technology can support multi-channel protocols such as FTP and other standard multi-channel protocols

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
When you configure an interzone security policy on a firewall and the 192.168.0.0/24 network segment is set as the match object, which of the following configurations are correct? (Choose two.)

A. policy 1
policy source 192.168.0.0 mask 255.255.255.0

B. policy 1
policy source 192.168.0.0 255.255.255.0
C. policy 1
policy source 192.168.0.0 mask 0.0.0.255
D. policy 1
policy source 192.168.0.0 0.0.0.255

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
The connection state data that HRP (Huawei Redundancy Protocol) backs up includes:

A. TCP/UDP sessions table


B. Server Map table
C. The dynamic blacklist
D. The routing table

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
In most scenarios, NAT Inbound is used for the scenario in which enterprise private network users access the Internet.


A. True

B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
What are common hash algorithms? (Choose two.)

A. DES
B. AES
C. MD5
D. SHA-1

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
In the environment of GRE configuration, which of the following statements are true? (Choose three.)

A. For both ends of the tunnel to forward data packets normally, the devices at both ends must be configured with routes that pass through the Tunnel interface
B. If keyword verification is enabled on both ends, the keyword must be the same
C. When the local device sends a data packet, it checks whether the protocol field value of the IP header indicates GRE to determine whether to send the data packet to the GRE module for processing
D. When the opposite end receives a data packet, it checks whether the protocol field value of the IP header indicates GRE to determine whether to send the data packet to the GRE module for processing

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Execute the command on the Firewall and display the above information.
Which of the following descriptions are correct? (Choose two.)

A. This Firewall VGMP group status is Active
B. The virtual IP address of the firewall G1/0/1 interface is 202.30.10.2
C. The priority of the VRRP backup group of the firewall VRID 1 is 100
D. If the master device fails, it will not switch

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which of the following are key features of the state inspection firewall?

A. The processing speed is slow
B. Follow-up packet processing performance is excellent
C. Can only detect the network layer
D. Performs packet filtering detection on each packet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
In IPSec VPN, to which of the following scenarios can tunnel mode be applied?

A. between the host and the host
B. between hosts and security gateways
C. between security gateways
D. between tunnel mode and transport mode

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Which of the following statements about NAT is wrong?

A. NAT technology can effectively hide the hosts of the LAN; it is an effective network security protection technology
B. Address Translation can follow the needs of users, providing FTP, WWW, Telnet and other services outside the LAN
C. Some application layer protocols carry IP address information in their data; when NAT is performed on them, the IP address information in the upper-layer data must also be modified
D. For some non-TCP/UDP protocols (such as ICMP and PPTP), NAT translation cannot be performed

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
As shown, in a point-to-multipoint scenario, the headquarters network segment is 10.1.1.0/24, the segment of branch 1 is 10.1.2.0/24, and the segment of branch 2 is 10.1.3.0/24.
For the protected data flows defined by the headquarters and the branch offices, which of the following combinations fully meets the requirements?

A. 12
B. 1235
C. 1246
D. 3456

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Which of the following addresses can be used as the web management address of a USG product? (Choose three.)

A. Interface Address
B. Sub-interface address
C. Slave IP address of the interface
D. AUX interface address

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following statements about Internet user group management is wrong?

A. Each user group can include multiple users and user groups
B. Each user group can belong to more than one parent user group
C. There is a default user group in the system; the user group is also the default authentication domain
D. Each user belongs to at least one user group, and can also belong to multiple user groups

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
In the SSL handshake protocol, what is the role of the Server Key Exchange message?

A. The Server Key Exchange message indicates that the server has finished sending all the information
B. The Server Key Exchange message contains the set of parameters required for completing key exchange
C. The Server Key Exchange message contains an X.509 certificate; the public key is contained in the certificate, which is issued to the client to verify signatures or to encrypt messages during key exchange
D. The Server Key Exchange message contains the negotiated CipherSuite, which is copied to the state of the current connection

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
About the default security zones of USG series security firewalls, which of the following statements is correct?

A. The default security zone can be deleted
B. The security level of the default security zone can be modified
C. The default security zone cannot be deleted, but its security level can be modified
D. There are four default security zones

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Administrators want to clear the current session table. Which of the following commands is correct?

A. clear firewall session table
B. reset firewall session table
C. display firewall session table
D. display session table

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
When the web configuration mode is used for configuration, which of the following statements are correct? (Choose two.)

A. When configuring the inter-domain security policy, set the source security area to Untrust and the target security area to DMZ
B. When configuring the NAT Server, the internal address is 10.1.1.2, the external address is 200.10.10.1
C. When configuring the inter-domain security policy, set the source security area to DMZ and the target security area to Untrust
D. When configuring the NAT Server, the internal address is 200.10.10.1, the external address is 10.1.1.2

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

H12-711

Number: H12-711
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

Exam A

QUESTION 1
Some vendors set the TPID value in the outer VLAN tag of QinQ packets to the non-protocol value.

To be compatible with these vendors' devices, the TPID value on Huawei switches is adjustable.

Which is the default value of the TPID value on Huawei switches?

A. 0x9200
B. 0x9100
C. 0x8200
D. 0x8100

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Which types of interfaces can be configured with selective QinQ? (Select 2 Answers)

A. Access interface
B. Trunk interface
C. Hybrid interface
D. dot1q-tunnel interface

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
In a switching network that has been enabled with STP protocol, the priorities of all the switches are the same. The MAC address of switch1 is 00-e0-fc-00-00-40,
MAC address of switch2 is 00-e0-fc-00-00-10, MAC address of switch3 is 00-e0-fc-00-00-20, and MAC address of switch4 is 00-e0-fc-00-00-80. Which of the
switches will be elected as the Root Bridge?

A. Switch1
B. Switch2
C. Switch3
D. Switch4

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
A switching network has been enabled with STP protocol. To provide fast access speed to the file server for most of the users, the switch that is directly connected
with file server is configured as the root bridge.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which of the following statements about the link failure detection in STP protocol is not true?

A. When network topology is stable, the Designated Port sends BPDU packet at every Hello Time interval.
B. When network topology is stable, BPDU packets will be transmitted periodically.
C. When the port does not receive new BPDU within a certain interval, the old configuration BPDU will time out and the link failure can be detected.
D. The port sends Configuration BPDU at every Hello Time interval. When the link fails, Configuration BPDU cannot be sent out. As a result, this port can detect the link failure.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
answer is approved.

QUESTION 6
Which of the following statements about STP is not true?

A. STP can manage redundant links.
B. STP can block redundant links to eliminate loops
C. STP can prevent temporary loss of connectivity
D. STP can make LAN switch operate normally in a network with loops

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
confirmed answer.

QUESTION 7
According to OSI reference model, Layer 2 LAN switch operates at ( ).

A. Physical layer
B. Data link layer
C. IP layer
D. Application layer

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
According to the STP protocol, a certain field in the BPDU identifies the root switch. That is, if the BPDU sent by a switch contains this field, this switch is considered
as the root switch. What is this field?

A. Root Identifier
B. Root Path Cost
C. Bridge Identifier
D. Port Identifier

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which are the two parts in the port identifier of the uplink interface on a non-root switch?

A. 1-bit port priority and 1-bit port number
B. 1-bit port priority and 2-bit port number
C. 2-bit port priority and 1-bit port number
D. 2-bit port priority and 2-bit port number

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
In the network diagram, which switch will be selected as the root switch?

A. SWA
B. SWB
C. SWC
D. None of the above

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
true.

QUESTION 11
Which statements about the PVID on the access interface are true? (Select 3 Answers)

A. When receiving a packet without the VLAN tag, the interface adds the VLAN tag to the packet and sets the VID in the tag to the default VLAN ID.
B. When receiving a packet with a VLAN tag, the interface compares the VLAN ID in the tag with the default VLAN ID. If they are the same, the interface forwards
the packets; otherwise, the interface discards the packets.
C. When the interface sends a packet with a VLAN tag that contains the default VLAN ID, the system removes the VLAN tag of the packet, and then forwards the
packet.
D. None of the above.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
valid.

QUESTION 12
Which statement about the hybrid interface is true?

A. A hybrid interface can only be connected to network device.
B. A hybrid interface can only be connected to host.
C. A hybrid interface can be connected to host or network device.
D. A hybrid interface cannot be configured with VLAN ID.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
right,

QUESTION 13
Which statement about MUX VLAN is false?

A. Principal VLAN
B. Subordinate VLAN
C. Subordinate group VLAN
D. Guest VLAN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Which statements about the MUX VLAN configuration are true? (Select 2 Answers)

[Quidway]vlan 10
[Quidway-vlan10]mux-vlan
[Quidway-vlan10]subordinate group 11
[Quidway-vlan10]subordinate separate 12

A. VLAN 10 is the principal VLAN
B. VLAN 11 is the principal VLAN
C. VLAN 12 is the subordinate separate VLAN

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
When configuring VLAN mapping, you must set the priority of outer VLAN ID.

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
The port isolation function can isolate the ports on the same switch.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Which statements are false?

A. The VLAN mapping function is usually configured on the edge node of a public network.
B. The VLAN mapping function can save VLAN resources on a public network.
C. VLAN mapping allows private networks on different VLANs to communicate with each other over the ISP network.
D. VLAN mapping allows only the private networks on the same VLAN to communicate with each other.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Which statements about VLAN are true? (Select 3 Answers)

A. The VLAN improves network security. Users on different VLANs cannot communicate with each other.
B. The VLAN improves network processing efficiency. Users on different VLANs are separated from each other. Therefore, the size of a broadcast domain is
reduced.
C. Layer 2 forwarding is only based on destination MAC addresses, and is irrelevant to VLAN configuration.
D. The VLAN technology is a management method that controls the communication between terminals.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Which statements about the VLAN on S series switches are true? (Select 2 Answers)

A. The VLAN IDs on the switch range from 1 to 4090.
B. The switch has a default VLAN.
C. The priority value in the VLAN tag can be changed on the switch.
D. A VLAN tag contains one byte.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
If the customer requires high mobility and easy management, the staff of different departments can be added to different VLANs. In addition, these VLANs are
located on different IP subnets. Which VLAN allocation mode can meet these requirements?

A. VLAN allocation based on source IP addresses
B. VLAN allocation based on destination IP addresses
C. VLAN allocation based on source IP addresses and source MAC addresses
D. VLAN allocation based on destination MAC addresses and destination IP addresses

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which statements about the access interface are true? (Select 3 Answers)

A. Only the VLAN whose ID is the same as the PVID of the access interface is allowed on the access interface.
B. When receiving an untagged frame, the access interface adds its own PVID to the frame.
C. The access interface sends only untagged frames to the peer device.
D. None of the above.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Which statement is false?

A. The switch supports 1:1 VLAN mapping.
B. The switch does not support N:1 VLAN mapping on an interface.
C. The switch can perform VLAN mapping for double-tagged packets.
D. The switch can map the outer VLAN ID of packets to another VLAN ID.

Correct Answer: B
Section: (none)
Explanation

http://www.gratisexam.com/
Explanation/Reference:

QUESTION 23
Which statement about VLAN is false?

A. A VLAN tag contains a 3-bit priority field. The priority value ranges from 0 to 7. It is used for differentiated service forwarding.
B. The priority in the VLAN tag can be mapped to the internal priority of the switch, for differentiated service forwarding.
C. The priority in the VLAN tag can be changed on the switch.
D. The priority in the VLAN tag cannot be changed.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Which statements are true? (Select 3 Answers)

A. The routing ARP proxy allows the hosts on different physical networks of the same network segment to communicate with each other.
B. The intra-VLAN ARP proxy allows isolated users on a VLAN to communicate with each other.
C. The inter-VLAN ARP proxy allows hosts on different VLANs to communicate with each other through Layer 3.
D. The inter-VLAN ARP proxy function can't be enabled on the VLANIF interface of the super VLAN to implement communication between sub-VLANs.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Which statement about VLAN mapping is true?

A. The interface configured with VLAN mapping must be a hybrid interface.
B. The same VLANs on different interfaces cannot be mapped to different VLANs.
C. Different VLANs on the same interface can be mapped to the same VLAN.
D. Any type of interface can be configured with VLAN mapping.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which statement about port isolation configuration is false?

A. Port isolation can be used for Layer 2 isolation.
B. In port isolation mode, ports are isolated at Layer 2 but can communicate at Layer 3 by default.
C. Before the port isolation function takes effect on an interface, the port isolation function must be enabled first.
D. The port-isolate enable command can run in the system view.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Which VLAN assignment methods are supported by the Huawei S9300? (Select 3 Answers)

A. Assigning VLANs based on Layer 7 protocols
B. Assigning VLANs based on protocols
C. Assigning VLANs based on IP subnets
D. Assigning VLANs based on MAC addresses

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Which statements about VLAN aggregation are true? (Select 3 Answers)

A. "multiple" VLANs (broadcast domains) are on the same physical network; therefore, different VLANs belong to the same subnet.
B. VLAN aggregation can save IP addresses.
C. Only the super VLAN requires an IP address; sub-VLANs do not need one.
D. The VLAN that is used to separate broadcast domains is called super VLAN.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Which statement about VLAN mapping is false?

A. VLAN mapping is also called VLAN translation.
B. VLAN mapping can implement translation between C-VLAN IDs and S-VLAN IDs.
C. VLAN mapping can be configured.
D. VLAN mapping means that a VLAN tag is added to packets.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which statement about the VLAN on a Layer 2 switch is true?

A. The CFI in the VLAN tag specifies whether the priority in the VLAN tag is valid.
B. The VLAN tag is located in the Layer 2 header of a packet.
C. The CFI in the VLAN tag contains two bits.
D. A VLAN on the switch is a broadcast domain. The broadcast domains are separated.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which statements about VLAN configuration are true? (Select 2 Answers)

A. You can enter the VLAN view at the same time you create a VLAN.
B. If you run undo vlan, the VLAN is invalid, but still exists. You do not need to create the VLAN when you use it next time.
C. You can configure a character string of VLAN description. The length of the character string is not limited.
D. If you do not enter the VLAN ID when running the display vlan command, information about all VLANs will be displayed.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Which statement about the following configuration is true?

port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
port hybrid tagged vlan 3

A. The default VLAN of the interface is VLAN 2.
B. The port hybrid tagged vlan 3 command configures the VLAN for a hybrid interface. Frames in the VLAN then pass through the hybrid interface in untagged mode.
C. The port hybrid untagged vlan 2 command configures the VLAN for a hybrid interface. Frames in the VLAN then pass through the hybrid interface in tagged mode.
D. All of the above.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which statements about VLAN mapping are true? (Select 2 Answers)

A. When sending a frame from the local VLAN, the switch replaces the VLAN tag in the frame with another VLAN tag.
B. When receiving a frame from another VLAN, the switch replaces the VLAN tag of the frame with the local VLAN tag.
C. When an interface receives a frame from another VLAN, it does not replace the VLAN tag of the frame. The interface replaces the VLAN tag of the frame with
another VLAN tag only when it sends a frame.
D. The interface replaces the VLAN tag of only the frame received from another VLAN, but does not change the VLAN tag of the frame it sends out.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
Which statements are true? (Select 3 Answers)

A. Port isolation is a mechanism that controls the access between switch interfaces.
B. Port isolation is an isolation mechanism at the physical layer.
C. Port isolation prevents the computers connected to different ports from accessing each other.
D. Port isolation can be configured based on VLANs.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Which statements are true? (Select 3 Answers)

A. The sub-VLANs are configured in the super VLAN view.
B. VLANs 1 to 4094 can be configured as a super VLAN.
C. The aggregate-vlan command is used to configure the super VLAN.
D. A VLAN to be configured as a super VLAN cannot contain any interface.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Which statements about VLAN allocation are true? (Select 3 Answers)

A. The IP subnet VLAN is used to send the packets from the specified network segment or IP address over the specified VLAN.
B. The MAC address- or IP subnet-based VLAN is valid for only the untagged packets.
C. The protocol-based VLAN has a higher priority than the IP subnet-based VLAN.
D. The protocol-based VLAN indicates that service types on the network are bound to VLANs.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Which is contained in the GVRP VLAN deregistration message?

A. Specified VLAN ID
B. Specified IP address
C. Specified MAC address
D. Known port number

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
On a switch running GVRP, each interface is considered as a participant. The participants can exchange information.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
When the GVRP registration mode is FORBIDDEN, no VLAN can be created or registered on the interface. In addition, which VLANs are deregistered on the
interface?

A. All VLANs except VLAN 1
B. All VLANs except VLAN 4095
C. All VLANs
D. All VLANs except the VLAN specified by the user

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Which are contained in a GARP participant? (Select 2 Answers)

A. GARP Application
B. GARP Information Propagation (GIP)
C. GARP Information Declaration (GID)
D. Interface LLC

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
When the GVRP registration mode is FIXED, which statement is true?

A. VLANs can be manually created and registered on the interface, and can also be dynamically registered and deregistered on the interface.
B. VLANs cannot be manually created and registered on the interface, but can be dynamically registered and deregistered on the interface.
C. VLANs can be manually created and registered on the interface, but cannot be dynamically registered or deregistered on the interface.
D. VLANs cannot be manually created and registered on the interface, and cannot be dynamically registered or deregistered on the interface.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
Which statements about the relationship between GVRP and GARP are true? (Select 2 Answers)

A. GVRP, GARP, and GMRP are the standards of the same type.
B. GVRP and GARP are defined by IEEE 802.1p.
C. GVRP is based on GARP, and is an application of GARP.
D. GVRP is a new definition of GARP.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
GARP involves various messages. Besides JoinIn message and Leave message, which are also the GARP messages? (Select 3 Answers)

A. Notice
B. Empty
C. JoinEmpty
D. LeaveAll

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
As shown in the figure, port 1 of switch A is configured with the Fixed mode, and other ports are configured with the Normal mode. The trunk interfaces allow all
VLANs. Which VLANs are registered on port 1 of switch C? (Select 3 Answers)

A. VLAN 1
B. VLAN 5 to VLAN 10
C. VLAN 15 to VLAN 20
D. VLAN 25 to VLAN 30

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
If 802.1x authentication is enabled on an interface, MAC address authentication (enabled by the mac-authen enable command) and direct authentication (enabled
by the direct-authen enable command) cannot be enabled on the interface.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Which are 802.1x authentication modes? (Select 2 Answers)

A. EAP relay mode
B. Proxy mode
C. EAP termination mode
D. Remote mode

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Before configuring 802.1x services, you need to determine the configuration roadmap and prepare data.

Which are general steps in the configuration roadmap? (Select 3 Answers)

A. Configure a TFTP server.
B. Configure an AAA authentication template.
C. Configure a domain.
D. Configure 802.1x authentication.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
After detecting a user with a new MAC address, the switch initiates an EAP authentication request. If the client does not respond and the MAC address bypass
authentication is not configured, which statement is false?

A. If the client does not respond after the number of authentication requests reaches a specified value, the switch considers that the client software is not installed.
B. All permissions of the user are prohibited.
C. The user is allowed to access only the isolated zone.
D. Detection is initiated again after a period of time.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
The Layer 2 packet header in EAPoL packets is | DMAC | SMAC | TYPE | EAPOL | FCS |.
Which statements are true? (Select 3 Answers)

A. The destination address of packets is a specified MAC address.
B. The destination address of packets is a unicast MAC address.
C. EAPoL packets cannot be forwarded by switches.
D. The source MAC address of packets is the MAC address of the interface that sends packets.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
The dot1x command is used to enable 802.1x authentication globally or on an interface. Which statements about the undo dot1x command are true? (Select 3 Answers)

A. It is used to disable 802.1x authentication globally.
B. It will disconnect online users from the interface; therefore, use the command with caution.
C. It is used to disable 802.1x authentication on an interface.
D. Ensure that there are no online users before you run the undo dot1x command. Otherwise, running the undo dot1x command fails.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
The dot1x authentication-method command is used to set the 802.1x authentication mode. Which is the most secure authentication mode?

A. PAP
B. EAP
C. CHAP
D. EAP-TTLS

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Topic 2, Volume B

QUESTION 52
Which statements about guest VLAN configuration are true? (Select 3 Answers)

A. The guest VLAN must be created before you configure the guest VLAN.
B. The default VLAN of the interface cannot be configured as the guest VLAN.
C. Different interfaces can be configured with different guest VLANs.
D. An interface can be configured with up to eight guest VLANs.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
If you have run the dot1x port-method command with the port parameter specified (port-based 802.1x authentication), the maximum number of users on an
interface changes to 1. In this case, which statements are true? (Select 2 Answers)

A. You can run the dot1x max-user command to change the maximum number of access users.
B. You cannot run the dot1x max-user command to set the maximum number of access users.
C. You need to run the undo dot1x port-method command, and then set the maximum number of access users.
D. All of the above

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
What is the function of DHCP Offer messages?

A. DHCP Offer messages are broadcast by the client to detect the available server.
B. DHCP Offer messages are sent by the server to respond to the DHCP Discover messages sent by the client. Certain configuration parameters are specified in
the Offer messages.
C. DHCP Offer messages are sent by the client to apply to the server for configuration parameters, configuration confirmation, or extension of the IP address lease.
D. DHCP Offer messages are sent from the server to the client. They contain configuration parameters such as the IP address.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
The option field in DHCP messages uses the CLV mode.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Which encapsulation mode is used for DHCP messages?

A. TCP encapsulation
B. RTP encapsulation
C. UDP encapsulation
D. PPP encapsulation

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
The option field in DHCP messages has a fixed length of four bytes.

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
When the DHCP relay receives a DHCP request message in which the giaddr (gateway IP address) field is 0, how does the DHCP relay process the DHCP request
message?

A. The DHCP relay fills its IP address in the giaddr field and transmits the DHCP request message to the DHCP server in unicast mode.
B. The DHCP relay fills its IP address in the giaddr field and transmits the DHCP request message in broadcast mode.
C. The DHCP relay retains the value of the giaddr field and transmits the DHCP request message to the DHCP server in unicast mode.
D. The DHCP relay retains the value of the giaddr field and transmits the DHCP request message in broadcast mode.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
What is the sequence of applying for an IP address in DHCP?

1. The host sends a DHCP Request message to apply for an IP address.
2. The DHCP server replies with a DHCP Offer message.
3. The host sends a DHCP Discovery message to search for the DHCP server.
4. The DHCP server replies with a DHCP ACK message after receiving the DHCP Request message.

A. 1-2-3-4
B. 1-4-3-2
C. 3-2-1-4
D. 3-4-1-2

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
If the lease of a client IP address is not extended after 87.5% of the lease is reached, which message is used by the client to extend the IP address lease?

A. DHCP Release broadcast message
B. DHCP Release unicast message
C. DHCP Request broadcast message
D. DHCP Request unicast message

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

H12-711.34q

Number: H12-711
Passing Score: 800
Time Limit: 120 min

H12-711

HCNA-Security-CBSN (Huawei Certified Network Associate - Constructing Basic Security Network)

Exam A

QUESTION 1
Which of the following can be supported by Policy Center access control? (Choose three.)

A. Hardware SACG (hardware security access control gateway)
B. 802.1X
C. ARP control
D. Software SACG (host firewall)

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
The file sharing types supported by SSL VPN can be divided into two kinds, SMB and NFS: SMB corresponds to Windows hosts and NFS corresponds to Linux hosts.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Which user authentication methods can be supported by Policy Center system? (Choose three.)

A. IP address authentication
B. MAC address authentication
C. Ordinary ID/password authentication
D. LDAP authentication

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
For which of the following encryption algorithms are the encryption and decryption keys the same?

A. DES
B. RSA(1024)
C. MD5
D. SHA-1

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
The Policy Center system can implement management functions in two dimensions: organizational management and regional management.

A. True
B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which of the following components make up the Policy Center system? (Choose three.)

A. Anti-virus server
B. SC control server
C. Access control equipment
D. SM management server

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which of the following are included in the operating system patch violation levels of the Terminal security system? (Choose two.)

A. Low
B. Important
C. Serious
D. General

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
What does ACL 2999 belong to?

A. Basic Access Control Lists
B. Advanced Access Control Lists
C. Access control list based on MAC address
D. Time-based access control list

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Some applications, such as Oracle database applications, transfer no data for a long time, so the firewall session connection is interrupted, resulting in service interruption. Which of the following technologies can solve this problem?

A. Configure a long business connection
B. Configure default session aging time
C. Optimization of packet filtering rules
D. Turn fragment cache

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Which of the following can terminal security access control support? (Choose three.)

A. SACG hardware (hardware security access control gateway)
B. 802.1X
C. ARP control
D. Software SACG (host firewall)

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
When a Layer 2 switch (with no VLAN configured) receives a data frame and no match is found in the MAC address table, it forwards the data frame to all ports (including the port on which the switch received the frame).

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
How do you view the number of matches of a security policy?

A. display current-configuration
B. display policy all
C. display startup saved-configuration
D. display device

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which VPN access modes are suitable for mobile office workers? (Choose three.)

A. GRE VPN
B. L2TP VPN
C. SSL VPN
D. L2TP over IPsec

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
In a GRE configuration environment, which of the following interfaces or IP addresses must the local GRE device's route to the end private network point to? (Choose two.)

A. Tunnel Interface
B. External networks (Internet) Interface
C. Tunnel interface IP address
D. External network (Internet) interface IP address

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Which of the following is a multi-channel protocol?

A. FTP
B. Telnet
C. HTTP
D. SMTP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
What problem does IPsec IKE aggressive mode mainly solve?

A. It solves the problem of slow negotiation on both ends of the tunnel
B. It solves the security problem in the process of negotiation
C. It solves the NAT traversal problem
D. It solves the problem that a pre-shared key cannot be selected because the originator's source address is uncertain

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
When you configure an inter-domain security policy on a firewall, if the 192.168.0.0/24 network segment is set as the match object, which of the following configurations are correct? (Choose two.)

A. policy 1
policy source 192.168.0.0 mask 255.255.255.0
B. policy 1
policy source 192.168.0.0 255.255.255.0
C. policy 1
policy source 192.168.0.0 mask 0.0.0.255
D. policy 1
policy source 192.168.0.0 0.0.0.255

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
In a Firewall hot standby configuration, HRP key configuration includes which of the following? (Choose three.)

A. Enable HRP backup
hrp enable
B. Enabling fast backup session summary
hrp mirror session enable
C. Specifies the heartbeat port
hrp interface interface-type interface-number
D. Preemption delay
hrp preempt [delay interval]

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
For E1/CE1 configuration:

1. Configure the virtual serial port IP address
2. Configure the virtual serial port link layer protocol
3. Configure E1 working mode
4. Configure the timeslot bundling

The correct configuration sequence is:

A. 1-2-3-4
B. 2-1-3-4
C. 3-4-2-1
D. 4-3-2-1

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
What do VLAN port types include? (Choose three.)

A. Access Port
B. Trunk port
C. Hybrid port
D. Ethernet port

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which scenarios does the IPSec WEB configuration wizard not support?

A. Gateway to Gateway
B. Center Gateway
C. Branch Gateway
D. Host and Host

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
On the firewall, in which modes can the detect ftp command be set? (Choose two.)

A. System Model
B. Interface Mode
C. Domain Model
D. Inter-Domain mode

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
In most scenarios, NAT Inbound is used when enterprise private network users access the Internet.

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
What are common hash algorithms? (Choose two.)

A. DES
B. AES
C. MD5
D. SHA-1

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
The command is executed on the firewall and the above information is displayed.
Which of the following descriptions are correct? (Choose two.)

A. This Firewall VGMP group status is Active
B. The virtual IP address of the firewall G1/0/1 interface is 202.30.10.2
C. The priority of the VRRP backup group of the firewall VRID 1 is 100
D. If the master device fails, it will not switch

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following are key features of the state inspection firewall?

A. The processing speed is slow
B. Follow-up packet processing performance is excellent
C. Can only detect network layer
D. Do the packet filtering detection to each packet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
As shown, in a point-to-multipoint scenario, the headquarters network segment is 10.1.1.0/24, the branch 1 segment is 10.1.2.0/24, and the branch 2 segment is 10.1.3.0/24.
For the protected data flows defined by the headquarters and the branch offices, which of the following combinations fully meets the requirements?

A. 12
B. 1235
C. 1246
D. 3456

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Which of the following addresses can be used as the web management address of a USG product? (Choose three.)

A. Interface Address
B. Sub-interface address
C. Slave IP address of the interface
D. AUX interface address

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
In the SSL handshake protocol, what is the role of the Server Key Exchange message?

A. The Server Key Exchange message indicates that the server has finished sending all the information
B. The Server Key Exchange message contains the set of parameters required for completing the key exchange
C. The Server Key Exchange message contains an X.509 certificate; the public key is contained in the certificate, which is issued to the client to verify signatures or to encrypt messages during key exchange
D. The Server Key Exchange message contains the negotiated CipherSuite, which is copied to the state of the current connection

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which of the following statements about the default security zones of USG series firewalls is correct?

A. The default security zone can be deleted
B. The security level of the default security zone can be modified
C. The default security zone cannot be deleted, but its security level can be modified
D. There are four default security zones

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
When configuring through the web interface, which of the following statements are correct? (Choose two.)

A. When configuring the inter-domain security policy, the source security area must be set to Untrust and the target security area to DMZ
B. When configuring the NAT Server, the internal address is 10.1.1.2 and the external address is 200.10.10.1
C. When configuring the inter-domain security policy, the source security area is set to DMZ and the target security area to Untrust
D. When configuring the NAT Server, the internal address is 200.10.10.1 and the external address is 10.1.1.2

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
In the SSL handshake protocol, which of the following messages are optional? (Choose two.)

A. Server Key Exchange
B. ChangeCipherSpec
C. Certificate verify
D. ServerHelloDone

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Which of the following values can be set as the security level when defining a security zone on a USG series firewall? (Choose two.)

A. 150
B. 100
C. 80
D. 40

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
In the firewall inter-domain security policy, which of the following data flows is not in the Outbound direction?

A. Data flow from the DMZ to Untrust zone
B. Data flow from the Trust zone to the DMZ zone
C. Data flow from Trust area to the Untrust zone
D. Data flow from the Trust zone to the Local zone

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

H12-711.exam.32q

Number: H12-711
Passing Score: 800
Time Limit: 120 min

H12-711

HCNA-Security-CBSN
(Huawei Certified Network Associate – Constructing Basic Security Network)

Exam A

QUESTION 1
What do the services of USG products include? (Choose three.)

A. Web Proxy
B. Network Expansion
C. Port sharing
D. File Sharing

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Which of the following components make up the Policy Center system? (Choose three.)

A. Anti-virus server
B. SC control server
C. Access control equipment
D. SM management server

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
In IPSec VPN, to which of the following scenarios can tunnel mode be applied?

A. between the host and the host
B. between hosts and security gateways
C. between security gateways
D. between tunnel mode and transport mode

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Which of the following are included in the operating system patch violation levels of the Terminal security system? (Choose two.)

A. Low
B. Important
C. Serious
D. General

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
What does ACL 2999 belong to?

A. Basic Access Control Lists
B. Advanced Access Control Lists
C. Access control list based on MAC address
D. Time-based access control list

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which of the following scenarios are not supported by the IPSec WEB configuration of USG6000 series firewalls? (Choose two.)

A. Gateway to Gateway
B. Gateway Center
C. Branch Gateway
D. Host and Host

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which port numbers may be used by the FTP protocol? (Choose two.)

A. 20
B. 21
C. 23
D. 80

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Some applications, such as Oracle database applications, transfer no data for a long time, so the firewall session connection is interrupted, resulting in service interruption. Which of the following technologies can solve this problem?

A. Configure a long business connection
B. Configure default session aging time
C. Optimization of packet filtering rules
D. Turn fragment cache

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which of the following options is the DES key length?

A. 56
B. 64
C. 128
D. 192

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Which of the following can terminal security access control support? (Choose three.)

A. SACG hardware (hardware security access control gateway)
B. 802.1X
C. ARP control
D. Software SACG (host firewall)

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
What are the main security capabilities of an encryption service? (Choose three.)

A. Confidentiality
B. Integrity
C. Non-repudiation
D. Scalability

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
When a Layer 2 switch (with no VLAN configured) receives a data frame and no match is found in the MAC address table, it forwards the data frame to all ports (including the port on which the switch received the frame).

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
How do you view the number of matches of a security policy?

A. display current-configuration
B. display policy all
C. display startup saved-configuration
D. display device

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
VPN tunnel technology refers to using encryption algorithms (such as DES and 3DES) to ensure that data transmitted in the network will not be intercepted.

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Which VPN access modes are suitable for mobile office workers? (Choose three.)

A. GRE VPN
B. L2TP VPN
C. SSL VPN
D. L2TP over IPsec

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
In a GRE configuration environment, which of the following interfaces or IP addresses must the local GRE device's route to the end private network point to? (Choose two.)

A. Tunnel Interface
B. External networks (Internet) Interface
C. Tunnel interface IP address
D. External network (Internet) interface IP address

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Which of the following is a multi-channel protocol?

A. FTP
B. Telnet
C. HTTP
D. SMTP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
What problem does IPsec IKE aggressive mode mainly solve?

A. It solves the problem of slow negotiation on both ends of the tunnel
B. It solves the security problem in the process of negotiation
C. It solves the NAT traversal problem
D. It solves the problem that a pre-shared key cannot be selected because the originator's source address is uncertain

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Which statements about NAT are wrong? (Choose two.)

A. NAT Outbound refers to translation of the source IP address; NAT Inbound refers to translation of the destination IP address
B. The NAT Inbound command and the NAT Server command have the same function; either can be configured according to personal preference
C. NAT in the Outbound direction supports the following application modes: one-to-one, many-to-many and many-to-one
D. NAT technology supports multi-channel protocols such as FTP and other standard multi-channel protocols

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
What do VLAN port types include? (Choose three.)

A. Access Port
B. Trunk port
C. Hybrid port
D. Ethernet port

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which scenarios does the IPSec WEB configuration wizard not support?

A. Gateway to Gateway
B. Center Gateway
C. Branch Gateway
D. Host and Host

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Which of the following descriptions of the Policy Center functional areas is wrong?

A. The pre-authentication domain is the area a client can access before passing identity authentication
B. The post-authentication domain is the area a client can access after passing security authentication
C. The isolation domain is the area a client must access after being authenticated
D. The isolation domain is the area a client must access when security authentication fails

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
On the firewall, in which modes can the detect ftp command be set? (Choose two.)

A. System Model
B. Interface Mode
C. Domain Model

https://www.gratisexam.com/

D. Inter-Domain mode

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
In most scenarios, NAT Inbound is used when enterprise private network users access the Internet.

A. True
B. False

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
What are common hash algorithms? (Choose two.)

A. DES
B. AES
C. MD5
D. SHA-1

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following are key features of the state inspection firewall?

A. The processing speed is slow
B. Follow-up packet processing performance is excellent
C. Can only detect network layer
D. Do the packet filtering detection to each packet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
In IPSec VPN, to which of the following scenarios can tunnel mode be applied?

A. between the host and the host
B. between hosts and security gateways
C. between security gateways
D. between tunnel mode and transport mode

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Which of the following statements about NAT is wrong?

A. NAT technology can effectively hide the hosts of the LAN; it is an effective network security protection technology
B. Address translation can, according to users' needs, provide FTP, WWW, Telnet and other services outside the LAN
C. Some application layer protocols carry IP address information in their data; when NAT is performed for them, the IP address information in the upper-layer data must also be modified
D. For some non-TCP, non-UDP protocols (such as ICMP and PPTP), NAT translation cannot be performed

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
As shown, in a point-to-multipoint scenario, the headquarters network segment is 10.1.1.0/24, the branch 1 segment is 10.1.2.0/24, and the branch 2 segment is 10.1.3.0/24.
For the protected data flows defined by the headquarters and the branch offices, which of the following combinations fully meets the requirements?

A. 12
B. 1235
C. 1246
D. 3456

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Which of the following addresses can be used as the web management address of a USG product? (Choose three.)

A. Interface Address
B. Sub-interface address
C. Slave IP address of the interface
D. AUX interface address

Correct Answer: ABC


Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which of the following statements about Internet user group management is wrong?

A. Each user group can include multiple users and user groups
B. Each user group can belong to more than one parent user group
C. There is a default user group in the system; the user group is also the default authentication domain
D. Each user belongs to at least one user group, who can also belong to multiple user groups

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
In the SSL handshake protocol, what is the role of the Server Key Exchange message?

A. The Server Key Exchange message indicates that the server has finished sending all the information
B. The Server Key Exchange message contains the set of parameters required for completing the key exchange
C. The Server Key Exchange message contains an X.509 certificate; the public key is contained in the certificate, which is issued to the client to verify signatures or to encrypt messages during key exchange
D. The Server Key Exchange message contains the negotiated CipherSuite, which is copied to the state of the current connection

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

H12-711

Number: H12-711
Passing Score: 600
Time Limit: 120 min
File Version: 1.0

Exam A

QUESTION 1
The network administrator wants to improve the performance of network transmission. What steps can the administrator take? (Two Answers)

A. Change the work mode of each end station to full duplex.
B. Link the end stations together using a switch.
C. Change the work mode of each end station to half duplex.
D. Link the end stations together using a hub.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
On a Huawei switch, which of the following commands can be used to set the port duplex mode to "auto negotiation"? (Select 2 Answers)

A. duplex negotiation auto
B. duplex auto-negotiation
C. duplex auto
D. undo duplex

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
The network administrator wishes to transmit data between two end stations. The network interface cards of both devices operate at 100 Mbps; however, one supports half duplex while the other uses full duplex mode. What will occur as a result?

A. The end stations cannot communicate.
B. The end stations can communicate, but data may be lost during transmission of large amounts of traffic.
C. The end stations will operate normally
D. The end stations can communicate, but speed is different during transmission of large amounts of traffic.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
An Ethernet port can work in one of three duplex modes, whereas an Optical Ethernet port supports only a single mode. Which of the following represents this mode?

A. Full-duplex
B. Half-duplex
C. Auto-negotiation
D. Simplex

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
While inspecting packets in the network, a network administrator discovers a frame with the destination MAC address of 01-00-5E-A0-B1-C3. What can the
administrator determine from this?

A. The MAC address is a unicast address.
B. The MAC address is a broadcast address
C. The MAC address is a multicast address.
D. The MAC address is incorrect

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
According to OSI reference model, which layer is responsible for end to end error checking and flow control?

A. Physical layer
B. Data link layer
C. Network layer
D. Transport layer

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which of the following mechanisms are used for flow control? (Select 3 Answers)

A. Acknowledgement
B. Buffering
C. Source quench messages
D. Windowing

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Source Destination Protocol Info
10.0.12.1 10.0.12.2 TCP 50190 > telnet [SYN] Seq=0 Win=8192 Len=0 MSS=1460
10.0.12.2 10.0.12.1 TCP telnet> 50190 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
10.0.12.1 10.0.12.2 TCP 50190 > telnet [ACK] Seq=1 Ack=1 Win=8192 Len=0

Refer to the capture output. The administrator has captured three packets in the network. Which statement regarding the captured packets is incorrect?

A. These packets represent a TCP three-way handshake process.
B. 10.0.12.1 is the telnet server, while 10.0.12.2 is the telnet client.
C. The three packets contain no application data.
D. 10.0.12.1 uses port 50190 to build the telnet connection.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
An Ethernet frame is captured by network protocol analyzer tool and the value of Type/Length field is 0x0800. Which of the following statements about the frame are
correct? (Select 2 Answers)

A. The frame structure of the frame is Ethernet_II
B. The frame structure of the frame is 802.3
C. Its upper layer protocol is IP
D. Its upper layer protocol is IPX

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Which of the following descriptions regarding the TTL field of the IP packet is correct?

A. The TTL defines how many packets the source can send.
B. The TTL defines the duration during which the source can send packets.
C. The TTL value will decrement by 1 each time the packet is routed.
D. The TTL value will increment by 1 each time the packet is routed.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which of the following statements are correct about TTL field in IP packet? (Select 2 Answers)

A. The maximum value of TTL is 65535
B. Normally, it's impossible for a router to receive a packet whose TTL is zero.
C. The main purpose of TTL is to prevent IP packets from circulating endlessly in a network which can consume a lot of bandwidth
D. TTL value will be decremented as a packet is passed through the network devices such as hub, LAN switch and router.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
On a Huawei router, what is the "-i" parameter of a Ping command issued on the VRP operating system used to set?

A. Interface for sending an Echo Request packet
B. Source IP address for sending an Echo Request packet
C. Interface for receiving an Echo Reply packet
D. Destination IP address for receiving an Echo Reply packet

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
To provide the information about the IP addresses that a user packet traverses along the path to the destination, which of the following does Tracert record in each
expired ICMP TTL packet?

A. Destination port
B. Source port
C. Destination address
D. Source address

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Which of the following statements regarding the verification of IP connectivity are false? (Three Answers)

A. The ping 127.0.0.1 command can be used to check whether the network cable is correctly inserted into the host’s Ethernet port.
B. The ping command with the host IP address as the destination can be used to verify that the TCP/IP protocol suite is functioning correctly.
C. The ping command can be used to verify connectivity between the host and the local gateway.
D. The command “ipconfig /release” can be used to check connectivity problems between the host and the local gateway.

Correct Answer: ABD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
A network administrator uses the ping command to check for points of failure in the network. Which protocols will be used during this process? (Two Answers)

A. ICMP.
B. TCP.
C. ARP.
D. UDP.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
A network administrator recently used tracert to trace the path to the destination IP address of an external website, however the trace path displayed only a timeout
result. Which of the following statements correctly explains the reason for this? (Two Answers)

A. The source router had shut down the ICMP function.
B. This destination IP address does not exist.
C. The gateway cannot find a route to the destination.
D. This is a normal phenomenon.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Ping 10.0.0.2 : 56 data bytes, press CTRL_C to break
Reply from 10.0.0.2 : bytes=800 Sequence=1 ttl=255 time=2 ms
Reply from 10.0.0.2 : bytes=800 Sequence=2 ttl=255 time=10 ms
--- 10.0.0.2 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/6/10 ms

A network administrator uses the ping command to test connectivity to the destination 10.0.0.2 on a Huawei AR series router. Which statement regarding the output
is correct?

A. The network administrator used the command ping -c 2 -s 800 10.0.0.2
B. The network administrator used the command ping -a 2 -v 800 10.0.0.2
C. The path between the source and destination is not OK.
D. The network administrator changed the default TTL value.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Which of the following statements explains the behavior of the ICMP redirect function? (Two Answers)

A. When a router receives data on the interface via which the same data needs to be forwarded, and the source is on the same segment as the next hop, an ICMP
redirect message will be sent by the router to the source.
B. When a router receives data on an interface, and the router’s IP address matches the destination IP of the data, an ICMP redirect message will be sent by the
router to the source.
C. When a router receives data on the interface via which the same data needs to be forwarded, and the source is on the same segment as the next hop, an ICMP
Redirect message will be sent by the source to the router.
D. When a router receives data on the interface via which the same data needs to be forwarded, and the source is on a different segment from the next hop, an
ICMP redirect message will be sent by the router to the source

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Host A wishes to send data to host C, and generates an ARP request to obtain the destination MAC address. Which statement is true?

A. The destination IP address of the ARP request is Host C
B. The destination MAC address of this ARP request is Host C
C. The destination IP address for the ARP request is a broadcast IP address.
D. The destination MAC address of this frame is the MAC address of G0/0/0 on RTA.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
An ARP request is sent by host A to obtain the destination MAC address of host D. Which statement is true regarding the ARP reply?

A. The destination MAC address of this frame is the MAC address of Switch A.
B. The destination IP address of this packet is the VLANIF1 IP address of Switch A.
C. The destination MAC address of this frame is the MAC address of Host A.
D. The destination IP address of this packet is a broadcast IP address.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which of the following applications can be used to detect the path along which the data packets are transmitted from the source to the destination?

A. Route
B. Netstat
C. Tracert
D. Send

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
How many probe packets are sent for each TTL value by default when "tracert" is used to detect the path along which a packet is sent from source to destination?

A. 3
B. 4
C. 6
D. 8

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Which of the following types can ICMP packets be classified into? (Select 2 Answers)

A. ICMP transport packet
B. ICMP error reporting packet
C. ICMP query packet
D. ICMP application packet

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
On VRP platform, which of the following parameters can be used together with the "ping" command to specify the source address of an echo request message?

A. A
B. S
C. D
D. N

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
A router functioning as a Proxy receives an ARP request packet, but finds that the destination address in the packet is not intended for itself. In this case, what will
the router do? (Select 2 Answers)

A. Discard the packet.
B. Check for a route that matches the destination address.
C. Forward its MAC address to the ARP request sender after finding that a route to the destination address is available.
D. Broadcast the ARP request packet.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Two end stations in a point-to-point network perform address resolution. Which of the following statements is correct?

A. The destination address of an ARP request from each station will be a unicast MAC address.
B. The destination address of an ARP request from each station will be a broadcast IP address.
C. The destination address of an ARP reply from each station will be a unicast MAC address
D. The destination address of an ARP reply from each station will be a broadcast MAC address.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
What will the destination MAC address be at the moment a frame is transmitted by the host, when the router is the IP destination?

A. The MAC address of the switch.
B. The MAC address of the router interface G0/0/0.
C. The MAC address of the host.
D. The destination MAC address will be a broadcast MAC address.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
Which of the following statements about gratuitous ARP packets are true? (Select 2 Answers)

A. A system can determine whether conflicting IP addresses are used by sending a gratuitous ARP packet
B. A gratuitous ARP packet uses the same format as an ARP request packet.
C. A gratuitous ARP packet can help to update an IP address.
D. A gratuitous ARP packet uses the same format as an ARP reply packet.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
UDP is connectionless. Which of the following must be used in order to ensure reliability?

A. Internet Protocol
B. Application Layer Protocol
C. Network Layer Protocol
D. Transmission Control Protocol

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
The administrator has configured an IP address for Host A and Host B, but has forgotten to configure a default gateway. What effect will this have on the hosts?

A. Neither host will be affected, and therefore will be able to communicate with the peer.
B. Host A will be unable to connect to the router’s G0/0/0 interface.
C. Hosts will be unable to communicate unless arp-proxy is enabled on the router.
D. The host will be unable to reach either the local or remote network destinations.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
A host has established a telnet connection with the router attached to interface G0/0/0. Which of the following statements are correct? (Two Answers)

A. The destination address of a frame sent by the host will be the MAC address of the router interface.
B. The destination address of a frame will be the MAC address of the switch interface.
C. The destination port number in a segment header will have a value of 80.
D. The destination IP address of a packet will be the IP address of the network interface of the router.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
The administrator uses the ping command on the host to test connectivity to the website www.huawei.com. The command line shows a request time out. The
administrator displays the ARP entries for the host. Which entry will be found in the ARP cache table of the host?

A. The MAC address of the destination www.huawei.com will exist in the ARP cache.
B. The MAC address of the switch will exist in the ARP cache.
C. The IP address of the destination www.huawei.com will exist in the ARP cache.
D. The MAC address of router interface G0/0/0, will exist in the ARP cache.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
When R2 forwards data to R3 from R1, which of the following items will change? (Two Answers)

A. The source MAC address
B. The destination MAC address
C. The source IP address
D. The destination IP address

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
If Host B also configured the IP address as “192.168.1.1/24”, an IP address conflict will occur. What will happen as a result?

A. Host B will send an ICMP request to the destination with the configured IP address. If a reply is received, the host will notify of an address conflict.
B. Host A will send a gratuitous ARP request to resolve the MAC address of the destination 192.168.1.1, for which Host B will reply.
C. Host B will send a gratuitous ARP request to resolve the MAC address of the destination 192.168.1.1, for which Host A will reply.
D. Host A will ignore any received ARP request intended for destination 192.168.1.1.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
<Quidway>display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
5489-98ec-f018 1/- GE0/0/13 dynamic
-------------------------------------------------------------------------------
Total items displayed = 1

Refer to the graphic. A switch attempts to forward a frame to the MAC destination 5489-98ec-f01. What operation will occur on the switch?

A. The switch will send a request to obtain the MAC address of 5489-98ec-f011.
B. The switch will report that the destination is unreachable and report this to the source.
C. The switch will flood the frame via all ports, with exception of the port on which the frame was received.
D. The switch will drop the frame because it does not have an entry in its MAC address table.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Host A has been connected to switch A and configured with an IP address. When Host A initially forwards a frame, what action will be taken by Switch A?

A. Switch A will drop this frame.
B. Switch A will attempt to flood the frame to all ports except for the G0/0/1 interface.
C. Switch A will forward the frame via ports G0/0/1, G0/0/2 and G0/0/3.
D. Switch will receive this frame before returning the frame to G0/0/1.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Which of the following statements describes the network shown? (Two Answers)

A. There are 6 collision domains in the network.
B. There are 2 broadcast domains in the network.
C. There are 4 collision domains in the network.
D. There are 6 broadcast domains in the network.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
A server is linked to port interface G0/0/1 of a switch. The administrator wishes to allow only this server to be linked to this interface on the switch. Which method
can be used to achieve this?

A. Configure a static ARP entry using the server’s IP address and MAC address in the switch.
B. Configure a static MAC address binding entry of the server’s MAC address and the interface in the switch.
C. Configure the default gateway of the switch to be the same as the server’s IP address.
D. It is not possible to enable a single device to be associated with an interface.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
An administrator connects two switches together in a local enterprise network. The ports of one switch support Fast Ethernet, while the ports of the other switch
support Gigabit Ethernet. Hosts connected to one switch are able to communicate, however communication between the two switches fails. What is the possible
reason for this?

A. The ports have disabled auto-negotiation.
B. One port is supporting auto-negotiation, while auto-negotiation is disabled on the port of the other switch.
C. The port of one switch is operating using half duplex mode, while the port of the other switch is using full duplex mode.
D. A Fast Ethernet port cannot communicate directly with a Gigabit Ethernet port.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
A layer 2 LAN switch generates CAM table entries according to the ( ) of the received frame.

A. Source MAC address
B. Destination MAC address
C. Source IP address
D. Destination IP address

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Which of the following statements about collision domains and broadcast domains are correct? (Select 3 Answers)

A. Devices connected to the same hub form a collision domain
B. Devices connected to the same hub form a broadcast domain
C. Devices connected to the same bridge form a collision domain
D. Devices connected to the same bridge form a broadcast domain
E. Devices connected to the same router form a broadcast domain

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
Which of the following statements regarding layer-2 switch is incorrect?

A. The switch learns MAC addresses automatically
B. The layer-3 header is modified before the received packet is transmitted
C. The layer-2 header is modified before the received packet is transmitted.
D. The layer-2 LAN switch operates at data link layer

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
[R1]display interface GigabitEthernet0/0/0
GigabitEthernet0/0/0 current state : Administratively DOWN
Line protocol current state : DOWN

Refer to the display output. What can be determined based on the output of the display command?

A. Interface Gigabit Ethernet 0/0/0 is connected to a wrong cable
B. Interface Gigabit Ethernet 0/0/0 is not associated with an IP address
C. Interface Gigabit Ethernet 0/0/0 is not associated with a dynamically defined route.
D. Interface Gigabit Ethernet 0/0/0 has been manually shut down by an administrator.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
Which of the following statements regarding static and dynamic routing is incorrect?

A. The static route can be easily configured and managed on the enterprise network.
B. The use of dynamic routing is more convenient for the administrator to manage the network following network convergence.
C. The static route can automatically recover when a link failure is encountered.
D. Dynamic routing will use more resources than static routes.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Which of the following are routed protocols? (Select 2 Answers)

A. IP
B. OSPF
C. BGP
D. IPX

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Which of the following statements regarding the routing table are correct? (Select 2 Answers)

A. The next hop in the routing table is redundant because the outgoing interface can be used for packet forwarding.
B. The routes generated by different protocols have different preferences.
C. The metrics of different routing protocols are comparable.
D. The metrics of different routing protocols are not comparable

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Which of the following commands can be used to display the routing table on a Quidway router?

A. display ip path
B. display ip routing-table
C. display interface
D. display current-configuration

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
Which of the following entries is not included in the routing table?

A. source address
B. next hop
C. destination address
D. cost

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
Which of the following problems are caused by routing loops? (Select 3 Answers)

A. Slow convergence
B. Packets circulate between routers
C. Router restarting
D. Inconsistency of routing information

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
An administrator wishes to manage the router in the remote branch office. Which method can be used?

A. Telnet
B. FTP
C. Console Connection
D. DHCP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

H12-721

Number: H12-721
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

Exam A

QUESTION 1
The main method of defending caching servers against DNS Request Flood attacks is the use of DNS source authentication.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Refer to the following diagram in regards to Bypass mode.

Which of the following statements are correct? (Choose two answers)

A. When the interface is operating in a non-Bypass state, traffic from Router_A flows into the USG through interface GE0 and, after being processed by the USG, flows out of interface GE1 to Router_B.
B. When the interface works in Bypass state, traffic from Router_A flows into the USG through interface GE0 and, without any processing by the USG, flows directly out of interface GE1 to Router_B.
C. When there are firewall requirements to achieve security policies, while working at the interface Bypass state to operate without interruption. Therefore, the
device can be maintained in the Bypass state job.
D. Power Bypass interface can work in bridge mode, and can work with the bypass circuit.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
With the Huawei abnormal flow cleaning solution deployed in a bypass scenario, which drainage schemes can be used? (Choose three answers)

A. Dynamic routing drainage
B. Static routing strategy drainage
C. Static routing drainage
D. MPLS VPN cited

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Regarding IKE main mode and aggressive mode, which of the following statements is correct?

A. In aggressive mode, all packets in the first phase of negotiation are encrypted
B. In main mode, all packets in the first phase of negotiation are encrypted
C. The DH algorithm is used in aggressive mode
D. Whether the negotiation is successful or not, IKE will enter into fast mode

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
A network is shown below.

A dial-up user cannot establish an L2TP VPN connection between the VPN client PC and the USG (LNS). What are valid reasons for this failure? (Choose three answers)

A. The LNS tunnel name is inconsistent with the client name.
B. L2TP tunnel authentication failed.
C. PPP authentication fails because the PPP authentication modes set on the client PC and the LNS are inconsistent.
D. The client PC cannot obtain an IP address assigned to it from the LNS.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
From the branch offices, servers are accessed from the Headquarters via IPsec VPN. An IPSEC tunnel can be established at this time, but communication to the
servers fails. What are the possible reasons? (Choose three answers)

A. Packets are fragmented, and the fragmented packets are discarded on the link.
B. Presence of dual-link load balancing, where the path back and forth may be inconsistent.
C. Route flapping.
D. Both ends of the DPD detection parameters are inconsistent.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
A user has been successfully authenticated using an SSL VPN. However, the user cannot access the Web-link resources through the Web server.

Using the information provided, which of the following is correct?

A. Network server does not have the Web services enabled.
B. Virtual Gateway policy configuration error
C. Virtual connection between the gateway and the network server is not normal
D. Virtual gateway and network server is unreachable

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
According to the network diagram regarding hot standby, which of the following are correct? (Choose three answers)

A. VRRP backup group itself has preemption. As shown, when USG_A fails and is restored, USG_A uses preemption to regain master status.
B. With VGMP management group preemption and VRRP backup groups, when the management group fails and recovers, the priority management group will also
be restored.
C. By default, the preemption delay is 0.
D. If a VRRP group is added to the VGMP management group, preemption will fail. The VGMP unified management group decides this behavior.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which of the following are correct regarding TCP and TCP proxy on the reverse source detection? (Choose three answers)

A. TCP and TCP proxy detection can prevent reverse source SYN Flood.
B. TCP proxy acts as a proxy device. TP is connected between both ends, when one end initiates a connection with the device it must complete the TCP three-way
handshake.
C. With TCP proxy mode attack prevention, detection mechanism must be turned on.
D. TP reverse source probes to detect the source IP packets by sending a Reset.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
IPsec tunneling is used as a backup connection as shown below:

Which of the following statements are true about the tunnel interface? (Choose two answers)

A. IPsec security policy should be applied to the tunnel interface
B. Protocol for the Tunnel Interface must be GRE.
C. Tunnel interface needs to be configured on the IP address and the IP address of the gateway. The external network IP address of the outgoing interface must be
in the same network segment.
D. Tunnel interfaces can be added to any security zone, provided they have the appropriate interdomain security policies.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which of the following entries does the DHCP Snooping binding table function need to maintain in its binding table? (Choose three answers)

A. MAC
B. Vlan
C. Interface
D. DHCP Server's IP

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Through the configuration of the Bypass interface, you can avoid network communication interruption caused by equipment failure and improve reliability. The power
Bypass function can use any network interfaces to configure the Bypass GE parameters to achieve the Bypass function.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which of the following statements about IPsec and IKE are correct? (Choose three answers)

A. With IPsec there are two ways to establish the security association, manual mode (manual) and IKE auto-negotiation (Isakmp) mode.
B. IKE aggressive mode can be selected based on negotiations initiated by the tunnel endpoint IP address or ID, to find the corresponding authentication word and
finalize negotiations.
C. The NAT traversal function is used to delete the IKE negotiation verification process for UDP port numbers, while achieving a VPN tunnel to discover the NAT
gateway function. If a NAT gateway device is used, then the data transfer after the IPsec uses UDP encapsulation.
D. IKE security mechanisms include DH Diffie-Hellman key exchange and distribution; improve the security front (Perfect Forward Secrecy PFS), encryption, and
SHA1 algorithms.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
In the attack shown below, a packet capture of the traffic is taken on the victim host. According to the information shown, what kind of attack is this?

A. SYN Flood
B. SYN-ACK Flood
C. ACK-Flood
D. Connection Flood

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
In IPsec VPN with NAT traversal, you must use IKE aggressive mode.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
A man in the middle attack refers to an intermediate that sees the data exchange between server and client. To the server, all messages appear to be sent to or
received from the client; and to the client all the packets appear to have been sent to or received from the server. If a hacker is using the man-in-the-middle attack,
the hacker will send at least two data packets as shown to achieve this attack.

Which of the following field descriptions of packet 1 and packet 2 are correct? (Choose two answers)

A. Packet 1:
Source IP 1.1.1.1
Source MAC C-C-C
Destination IP 1.1.1.2
Destination MAC B-B-B
B. Packet 1:
Source IP 1.1.1.3
Source MAC C-C-C
Destination IP 1.1.1.2
Destination MAC B-B-B
C. Packet 2:
Source IP 1.1.1.2
Source MAC C-C-C
Destination IP 1.1.1.1
Destination MAC A-A-A
D. Packet 2:
Source IP 1.1.1.3
Source MAC C-C-C
Destination IP 1.1.1.1
Destination MAC A-A-A

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
In an Eth-Trunk interface, you can achieve load balancing by configuring different weights on each member link.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
An SSL VPN login authentication is unsuccessful, and the prompt says "wrong user name or password." What is wrong?

A. The username and password were entered incorrectly.
B. There is a user or group filter field configuration error.
C. There is a certificates filter field configuration error.
D. The administrator needs to configure the source IP address of the terminal restriction policy.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
SSL works at the application layer and is encrypted for specific applications, while IPsec operates at which layer and provides transparent encryption protection for
this level and above?

A. The data link layer
B. Network Layer
C. Transport Layer
D. Presentation Layer

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
The IP-MAC address binding configuration is as follows:
[USG] firewall mac-binding 202.169.168.1 00e0-fc00-0100
When data packets travel through the Huawei firewall device, and other policies such as packet filtering and attack prevention are not considered, which of the following
data packets can pass through the firewall device? (Choose two answers)

A. Packet source IP: 202.169.168.1
Packet source MAC: FFFF-FFFF-FFFF
B. Packet source IP: 202.169.168.2
Packet source MAC: 00e0-fc00-0100
C. Packet source IP: 202.1.1.1
Packet source MAC: 00e0-fc11-1111
D. Packet source IP: 202.169.168.1
Packet source MAC: 00e0-fc00-0100

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Dual hot standby load balancing service requires three interfaces, one for the line connecting the router, and two USG facilities mutual backup, configuration
commands are “hrp track master” and “hrp track slave”

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
IP-link probe packets will be sent to the specified IP address by default when the probe fails three times, enabling this interface if the main link fails.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Two endpoints cannot build a successful IPsec VPN session. Which of the following firewall configuration errors could be the problem? (Choose three answers)

A. A device does not have a route to the peer within the network.
B. A gateway configuration on both ends with the referenced ACL security policy
C. The gateway configuration on both ends of the IPsec proposal is inconsistent.
D. Both ends are not configured for DPD.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
The Testing Center is responsible for flow testing and sends the test results to the management center.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Which of the following is a scanning and snooping attack?

A. SIP Flood attacks
B. HTTP Flood Attack
C. IP address scanning attack
D. ICMP redirect packet attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following VPN protocols do not provide encryption? (Choose three answers)

A. ESP
B. AH
C. L2TP
D. GRE

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
When a Huawei Secure VPN client connection initializes using L2TP, the L2TP packet uses a source port of 1710, and a destination port of 1710.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
A user logs into the Virtual Gateway Web Page but receives a "can not display the webpage" message. What are possible causes for this? (Choose two answers)

A. Virtual Gateway Router unreachable from user PC
B. Virtual Gateway IP address has been changed.
C. Using a Shared Web Gateway
D. Client browser set up a proxy server.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
See the following firewall information:

Based on the output, which of the following answers are correct? (Choose three answers)

A. The first packet of this data stream enters through an interface in the Trust zone and leaves through an interface in the Untrust zone
B. This data stream has been NATed
C. NAPT conversion technology is being used
D. The virtual firewall feature is enabled on the firewall

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
In the Huawei abnormal flow cleaning solution deployed in a bypass scenario, which of the following re-injection schemes can be used? (Choose
three answers)

A. routing strategy
B. MPLS VPN tunnel mode
C. routing
D. Layer 2 VPN mode

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
When an attack occurs, the attacked host (1.1.129.32) was able to capture many packets as shown. Based on the information shown, what kind of attack is this?

A. Smurf attack
B. Land Attack
C. WinNuke
D. Ping of Death attack

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Refer to the following NIP firewall intrusion detection actions:
1. Record the intrusion process and log an alarm
2. NIP attack detection
3. Reconfigure the firewall
4. Terminate the intrusion
Which of the following is the correct sequence of events?

A. 1 -> 2 -> 3 -> 4
B. 2 -> 1 -> 3 -> 4
C. 3 -> 1 -> 2 -> 4
D. 1 -> 2 -> 4 -> 3

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
An administrator views the status information and IPsec Debug information as follows:

What is the most likely reason for failure?

A. The local IKE policy and the peer IKE policy do not match
B. The local IKE remote name and the peer IKE name do not match
C. The local IPsec proposal and the peer IPsec proposal do not match
D. The local security ACL does not match the peer security ACL

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
PCA has an IP address of 192.168.3.1 in the Trust area. In the Untrust zone users cannot access the Internet server.

Based on the configuration of the Trust and Untrust fields above, what is the most likely cause of the failure?

A. The security policy is misconfigured; the direction should be Outbound.
B. Since the first rule of the firewall is the default packet-filter deny, the configuration is not implemented.
C. The policy source of 192.168.3.0 0.0.0.255 is incorrect; you need to modify a policy source 192.168.3.0 0.0.255.255.
D. The policy destination any is incorrect; you must define a clear destination IP address.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Which of the following is a drawback of an L2TP VPN?

A. It cannot be routed in two layers
B. You must use L2TP Over IPsec
C. No authentication
D. No encryption

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Regarding the Radius authentication process, refer to the following steps:

1. Network device Radius client (network access server) receives the user name and password, and sends an authentication request to the Radius server.
2. When a user logs into the USG access servers and other network devices, the user name and password will be sent to the network access server.
3. After the Radius server receives a valid request, it completes the request and sends the required user authorization information back to the client.
Which of the following is a correct sequence?

A. 1-2-3
B. 2-1-3
C. 3-2-1
D. 2-3-1

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
With IP-link, the device continuously sends ICMP packets or ARP request packets to the specified destination address and checks whether it receives ICMP echo reply packets or ARP reply packets from the destination IP address.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
In the Huawei abnormal flow cleaning solution, in a bypass deployment with dynamic routing drainage and no human intervention, when the testing equipment detects an abnormality, the management center automatically generates a drainage task, and the task is issued directly to the cleaning equipment.

A. TRUE
B. FALSE

Correct Answer: A

Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Which of the following statements is wrong regarding IPsec?

A. In transport mode, ESP does not validate the IP header
B. AH can not verify that the data uses encrypted packets
C. ESP can support NAT traversal
D. The AH protocol uses the 3DES algorithm for data validation

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Malformed packet attack techniques use some legitimate packet data for network reconnaissance or testing. These packets are legitimate for the application type, but they are rarely used in normal networks.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Which of the following statements are correct about the blacklist? (Choose three answers)

A. When you log in to a device via Web or Telnet and incorrectly enter the username/password three times, the IP address of the administrator will be added to the blacklist.
B. Blacklist is divided into static and dynamic.
C. When the device detects, from the behavioral characteristics of the packets, an attack attempt by a user at a specific IP address, it applies dynamic blacklist technology to that IP address.
D. When the packet reaches the firewall, the first thing to check for is packet filtering, and then it will match the blacklist.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
In a stateful standby failover switchover what will the firewall do? (Choose two answers)

A. Send a gratuitous ARP
B. Send proxy ARP
C. The VRRP backup group virtual address will be unavailable
D. The switchover automatically updates the relevant MAC table

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
In L2TP over IPsec scenarios, the USG device first encrypts the original data packet using IPsec, and then encapsulates the data packet using L2TP.

A. TRUE
B. FALSE

Correct Answer: B

Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
The Huawei abnormal flow cleaning solution must be deployed in an independent testing center.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Regarding IKE DPD, which statement is incorrect?

A. IKE is used to detect the state of a neighbor
B. DPD regularly sends messages between IKE peers.
C. When DPD messages are not received within the specified time DPD sends a request to the remote side and waits for response packets.
D. DPD sends encrypted queries only when the timer expires.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Refer to the following hot standby and IP-link linkage networking environment shown below:

Which configuration will enable hot standby configuration key linkage?

A. hrp mirror ip-link 1
B. hrp track ip-link 1 master
C. hrp track ip-link 1 slave
D. ip-link check enable

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Virtual firewall technology does not include which of the following characteristics?

A. Provides routing multi-instance, security multi-instance, configuration multi-instance, NAT multi-instance and VPN multi-instance, with application flexibility to meet a variety of networking needs.
B. Each virtual firewall can independently support four security zones (TRUST, UNTRUST, DMZ, etc.), with flexible interface partitioning and allocation.
C. It guarantees that every virtual system is like a separate firewall instance, and access between the virtual systems can be implemented safely.
D. Each virtual system provides independent administrator privileges.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
Which statement is correct regarding load checks and fingerprint learning with UDP Flood defenses?

A. When the data segments of UDP packets have exactly the same content, load checks can be used for defense.
B. In fingerprint learning, the cleaning equipment dynamically generates a fingerprint after learning some salient features of the attack packets; packets matching the fingerprint will be dropped.
C. Load inspection checks all UDP packets of data.
D. Load checks need to set the offset number of bytes, fingerprint learning does not need to set the offset number of bytes.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
When there are a lot of BFD sessions in a system, in order to prevent periodic BFD control packets from affecting the normal operation of the system, which mode of BFD can you use?

A. Synchronous Mode
B. Detection Mode
C. Asynchronous Mode
D. Query Mode

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
Three FTP servers are configured with load balancing on a USG firewall. The addresses and weights of the three real servers are 10.1.1.3/24 (weight 16), 10.1.1.4/24 (weight 32) and 10.1.1.5/24 (weight 16), while the virtual server address is 202.152.26.123/24. A host with the IP address 202.152.26.3/24 initiates access to the FTP server.
When the display firewall session table command is run on the firewall to check the configuration, which of the following situations illustrates the successful implementation of load balancing?


A. <USG> display firewall session table
Current total sessions: 1
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21
B. <USG> display firewall session table
Current total sessions: 3
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.3:21]
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.4:21]
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.5:21]
C. <USG> display firewall session table
Current total sessions: 1
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21
D. <USG> display firewall session table
Current total sessions: 3
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.3:21
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.5:21

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
Which of the following attacks is a SYN Flood attack?

A. An attacker sends a large number of SYN packets, resulting in a large number of not fully established TCP connections, occupying resources.
B. The attacker establishes a normal full TCP connection with the attacked object, but sends no follow-up messages.
C. It refers to the attacker sending a large number of ICMP packets (such as Ping) consuming link bandwidth.
D. It refers to the attacker sending a large number of UDP packets to the server consuming link bandwidth.

Correct Answer: A
Section: (none)

Explanation

Explanation/Reference:

QUESTION 52
In a Link-group with three physical interfaces, when any one of the interfaces fails, which of the following descriptions of what happens are correct? (Choose two answers)

A. When any interface within the group fails, the system will set the state of the other interfaces to Down.
B. When any interface within the group fails, the status of the other interfaces within the group does not change.
C. When one of the interfaces in the group returns to normal and is up, the interface status within the entire group will be re-set to Up.
D. When all the interfaces in the group have returned to normal and are up, the interface status within the entire group is re-set to Up.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Load balancing, which ensures that user traffic accessing the same IP address is assigned to different servers, uses which technologies? (Choose three answers)

A. Virtual Services Technology
B. Server Health Check
C. Hot Standby Technology
D. Flow-based forwarding

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
Which of the following load balancing algorithms does the USG firewall support? (Choose three answers)

A. The source address hashing algorithm (srchash)
B. Simple round robin algorithm (roundrobin)
C. Weighted Round Robin algorithm (weightrr)
D. ratio (Ratio)

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
The first packet discard technology of Huawei Anti-DDoS equipment defends against attack packets that constantly change their source IP address or source port number.
Regarding the first packet discard technology, which of the following is not correct?

A. The UDP protocol does not have a retransmission mechanism, so you cannot use the first packet discard technique
B. First packet discard, used in conjunction with source authentication, prevents attacks from false sources.
C. Packets are matched based on a triple (source IP address, source port, and protocol), and the time interval between packets is used to determine the first packet
D. If the packet transmission interval is less than the lower limit of the first packet detection rate, or higher than the upper limit of the first packet detection rate, the packet is believed to be a first packet.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
For virtual firewalls, forwarding multi-instance means that more than one routing table exists on the firewall, overlapping addresses are supported in forwarding, everything is implemented in the same configuration interface, and the user can configure permissions and view all data.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
The capture below shows the main mode packet exchange of IKEv1 phase 1 in pre-shared key mode. Based on the information shown, which packet does the capture show?

A. IKE first or second Message
B. IKE third or fourth Message
C. IKE fifth or sixth Message
D. IKE seventh or eighth Message

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
HWTACACS encrypts only part of the password, but with RADIUS the entire packet is encrypted.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
In the abnormal flow cleaning solution shown in the figure, to ensure that attack traffic is first diverted to the cleaning center for cleaning, the following configuration was made using the management center:
Select "Configuration" > "Anti-DDoS" > "drainage management" to create a drainage task, and configure the protected IP address 10.1.3.10 with a subnet mask of 255.255.255.255.
After the above configuration of the cleaning center is complete, what route will be generated?

A. A 32-bit static host route whose destination address is the attacker's
B. A 32-bit iEGP host route whose destination address is the attacker's
C. A 32-bit eBGP host route whose destination address is the attacker's
D. A 32-bit static host route whose source address is the attacker's

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
In an enterprise network, USG A and USG B have established an IPsec VPN. The administrator needs to simulate traffic from server A to server B to test the
connection. What ping command should the administrator use to simulate this traffic?

A. Ping -a
B. Ping -c
C. Ping -t
D. Ping -s

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

H12-721 huawei

Number: H12-721
Passing Score: 800
Time Limit: 120 min

Exam A

QUESTION 1
When using digital certificates for authentication in IPsec VPN, IKE main mode negotiation should be adopted, and validation of the certificate is completed in the 5th and 6th packets of the packet exchange.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Two USG firewalls have built a site-to-site IPsec VPN. The state viewed on USGA is as follows:
display ipsec statistics
the security packet statistics:
input / output security packets: 4/0
input / output security bytes: 400/0
input / output dropped security packets: 0/0
After viewing the state above, what information do you get? (Choose two answers)

A. USGA has encrypted 4 data packets; USGA has decrypted 0 packets.
B. USGA has decrypted 4 packets; USGA has encrypted 0 data packets.
C. A network device at Site A has no route, so the data to be protected may not be sent to the USGA
D. IPsec tunnel is not established.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
The defense against FIN/RST Flood attacks uses session checks. The workflow is: when the FIN/RST packet rate exceeds the threshold, packets are discarded, and then the session check starts.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
In the dual-system hot backup networking environment shown, the standby firewall also needs to be configured with the NAT function. Assume that the external address of the VRRP backup group, the NAT address pool and the NAT Server are in the same network segment. Which of the following configurations are needed on the Server? (Choose two answers)

A. HRP_M [USG_A] nat address-group 1 2.2.2.5 2.2.2.6 vrrp 1
B. HRP_M [USG_A] nat address-group 1 2.2.2.5 2.2.2.6 vrrp 2
C. HRP_M [USG_A] nat server global 2.2.2.10 inside 10.100.10.3 vrrp 2
D. HRP_M [USG_A] nat server global 2.2.2.10 inside 10.100.10.3 vrrp 1

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
The anti-DDoS device can implement traffic blocking or limiting to defend against attacks if the service learning function discovers that certain services do not run on
the network or the service traffic volume is small.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
An enterprise network flow is shown below. Server A cannot access server B. While troubleshooting, administrators found that server A can access firewall A but cannot access firewall B.

What method will administrators use to troubleshoot this problem?

A. stratification
B. Break Law
C. substitution method
D. Block Method

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
As shown in the figure, Eth-Trunk is used for interface binding. To implement per-packet load balancing across the interfaces, which of the following configuration commands do you need to run?

A. [USG] load-balance interface eth-trunk 1 packet-all
B. [USG] interface eth-trunk 1
[USG-Eth-Trunk 1] load-balance packet-all
C. [USG] load-balance interface eth-trunk 1 src-dst-ip
D. [USG] interface eth-trunk 1
[USG-Eth-Trunk 1] load-balance src-dst-ip

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
In the hot standby networking environment shown in the figure, backup groups 1 and 2 have joined the VGMP management group, with USG_A as the main device and USG_B as the backup device.

When USG_A fails, for example because of a power failure, the state of USG_B switches from Slave to Master.
When the USG_A firewall recovers, it switches back to the Master state, and the USG_B status remains Master.
What has caused this phenomenon?

A. The two firewalls are in load balancing mode; in the same backup group, both master and slave are configured
B. After USGA recovered from the failure, the priority of its VRRP backup group did not recover in time
C. After USGA recovered from the failure, the heartbeat malfunctioned
D. hrp track is not configured

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
In IPsec standby-link backup application scenarios, which of the following is used for switching to the standby link?

A. Hot Standby
B. Link-Group
C. Eth-Trunk
D. IP-Link

Correct Answer: D
Section: (none)

Explanation

Explanation/Reference:

QUESTION 10
Administrators can create multiple instances, vfw1 and vfw2, on the root firewall to provide security services for firms A and B. A forwarding policy can be configured between a security zone of vfw1 and a security zone of vfw2.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
The static fingerprint filtering function works through configured static fingerprints: packets that hit a fingerprint receive the corresponding treatment, thereby defending against attack traffic. Generally, the packet capture function of the Anti-DDoS device is used first to capture the attack packets, then the fingerprint extraction function is used to extract the fingerprint, and the fingerprint information is entered into the static filter.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
According to the victim host capture shown in the figure, what type of attack is this?

A. ARP Flood attack
B. HTTP Flood Attack
C. ARP spoofing attack
D. SYN Flood attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
IPsec NAT traversal is not supported in IKE main mode or aggressive mode when IP address + pre-shared key authentication is used, because pre-shared key authentication requires extracting the source IP address from the IP packet in order to find the corresponding pre-shared key, and the address change caused by NAT makes the device unable to find the pre-shared key.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
When an attack occurs, the attacked host (1.1.128.4) was fooled. The host found many packets as shown. Based on an analysis, what type of attack is this?

A. Smurf attack
B. Land Attack
C. WinNuke
D. TCP packet flag attack

Correct Answer: D
Section: (none)

Explanation

Explanation/Reference:

QUESTION 15
In the use of virtual firewall technology, two VPN users can travel over the public network to the Root VFW, log on to their respective private network VPNs and get direct access to the private network resources.
According to the characteristics of a firewall that provides VPN multi-instance services, which of the following statements are correct? (Choose three answers)

A. Safe: VPN users gain access after authentication and authorization by the firewall, and then use independent virtual firewall systems, so the resources of different VPN users are completely isolated.
B. Flexible and reliable VPN access: access from the public network to a VPN is supported, and VPN to VPN is also supported, two modes in all.
C. Easy to maintain: a user without superuser privileges can manage the entire firewall (including each virtual firewall service) with the system administrator account.
D. Strict access control: the firewall can control VPN access permissions based on user name and password, so that different users, such as employees on a business trip and super users (who require access to different VPN resources), have different access rights.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
In static fingerprint filtering for different packets with different processing methods, which of the following statements is correct? (Choose two answers)

A. For TCP/UDP/custom services, fingerprints can be based on the load (i.e., the packet data segment).
B. For DNS packets, the fingerprint is the Query ID.
C. For HTTP packets, the fingerprint is the Universal Resource Identifier (URI, Uniform Resource Identifier).
D. For ICMP packets, the fingerprint is the identifier.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
In the site-to-site IPsec VPN negotiation process, what should be the order of checks?
1. Check for network connectivity problems
2. View the establishment conditions and configuration of the IKE phase 1 security association
3. View the establishment conditions and related configuration of the IKE phase 2 security association
4. Check whether the security ACLs at the two ends mirror each other

A. 1 -> 4 -> 2 -> 3
B. 4 -> 2 -> 3 -> 1
C. 2 -> 3 -> 1 -> 4
D. 4 -> 1 -> 2 -> 3

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Comparing URPF strict mode and loose mode, which of the following statements is incorrect?

A. Strict mode requires not only that a corresponding entry exists in the forwarding table, but also that the interface matches, in order to pass the URPF check.
B. In strict mode, if the source address of the packet does not exist in the USG's FIB, but a default route is configured and allow-default-route is set, the packet will pass the URPF check and be forwarded normally.
C. In a route-symmetrical environment, it is recommended to use URPF strict mode.
D. Loose mode does not check whether the interface matches; as long as the source address of the packet exists in the USG's FIB table, the packet can pass.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
When the SSL VPN client initiates network extension, it reports "Connect gateway mate lost". What are the causes of this failure? (Choose three answers)

A. A proxy server is in use and the proxy server settings of the network extension client are wrong.
B. The route between the PC and the virtual gateway is unreachable.
C. The TCP connection between the network extension client and the virtual gateway is blocked by the firewall.
D. Username and password configuration errors.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
An enterprise network cutover has just been done. The old network equipment has been taken offline and the new network equipment has been brought online. After operational testing, it was found that the majority of traffic does not work.
What is the administrators' quickest way to restore business?

A. stratification
B. Break Law
C. substitution method
D. Block Method

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
With HRP technology, the standby firewall does not need any configuration of its own: all the configuration information is synchronized from the primary firewall to the standby firewall by HRP, and the configuration information is not lost after a restart.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
L2TP is a tunneling protocol set up to transparently transmit PPP packets between the user and the enterprise server. Which of the following characteristics does it have? (Choose three answers)

A. L2TP protocol uses TCP protocol
B. Supports private address assignment and does not occupy public IP addresses
C. Supports PPP authentication and RADIUS, with flexible local and remote AAA
D. Supports packet encryption when combined with IPsec

Correct Answer: BCD


Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
A USG hot standby scenario is shown in the figure. The service interfaces work at Layer 3, with routers connected upstream and downstream. The administrator sees that the status of USG_A is HRP_M [USG_A] and the status of USG_B is HRP_S [USG_B], but not all of the traffic passes through USG_A; half of the traffic passes via USG_B.

Which of the following configuration command can solve this problem?


[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet 0/0/1] hrp track master
[USG_A] interface GigabitEthernet 0/0/3
[USG_A-GigabitEthernet 0/0/3] hrp track master
[USG_A] ospf 101
[USG_A-ospf -101] area 0
[USG_A-ospf-101-area-0.0.0.0] network 10.104.10.0 0.0.0.255
[USG_A-ospf-101-area-0.0.0.0] network 10.104.30.0 0.0.0.255
[USG_A] hrp interface GigabitEthernet 0/0/2
[USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet 0/0/1] hrp track slave
[USG_B] interface GigabitEthernet 0/0/3
[USG_B-GigabitEthernet 0/0/3] hrp track slave
[USG_B] ospf 101
[USG_B-ospf -101] area 0
[USG_B-ospf-101-area-0.0.0.0] network 10.104.10.0 0.0.0.255
[USG_B-ospf-101-area-0.0.0.0] network 10.104.30.0 0.0.0.255
[USG_B] hrp interface GigabitEthernet 0/0/2

A. [USG_A] hrp ospf-cost adjust-enable
[USG_B] hrp ospf-cost adjust-enable
B. [USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet 0/0/1] hrp track master
[USG_B] interface GigabitEthernet 0/0/3
[USG_B-GigabitEthernet 0/0/3] hrp track master
C. hrp preempt delay 60
D. Heartbeat port addresses are not advertised to OSPF

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
If the two sides wish to establish an IPsec VPN tunnel and using just one of the IP addresses, which of the following configuration methods can not be applied in the
gateway?

A. Policy Template
B. Strategy Name savage mode authentication
C. Pre-share
D. Savage mode key certification

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
As shown in the figure, the firewalls are in a stateful failover networking environment, the firewall service interfaces are in routing mode, and the upstream and downstream devices are routers with OSPF configured.

Assuming the OSPF convergence recovery time is 30s, which of the following is the best configuration for HRP preemption management?

A. hrp preempt delay 20
B. hrp preempt delay 40
C. hrp preempt delay 30
D. undo hrp preempt delay

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
In which of the following circumstances can main mode IKE negotiation not be used? (Choose two answers)

A. IKE in the pre-shared mode and peer identity is ID
B. IKE in the pre-shared mode, and the firewall's external network egress uses an address dynamically assigned by DHCP
C. IKE in the pre-shared mode, and there is a NAT device on the link
D. IKE in RSA certificate mode, and there is a NAT device on the link
Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
About VRRP packets, which of the following statements are correct? (Choose two answers)

A. VRRP packets use TCP
B. VRRP packets use UDP
C. VRRP packet destination address is 224.0.0.18
D. VRRP packet TTL value is 255

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
By default, preemption is enabled for the VGMP management group, and the preemption delay is 60s.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
In Client-Initiated mode, it can be seen from the following debug information that the L2TP dial-up failed. What is the most likely cause of the dial-up failure?

A. The username and password are inconsistent with the AAA configuration.
B. LNS name configuration error.
C. The tunnel password is not configured.
D. L2TP is not enabled.
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
In a USG hot standby scenario, the service interfaces work at Layer 3, with routers connected upstream and downstream. The administrator sees that the state of USG_A has been switched to HRP_M [USG_A] and the state of USG_B is also HRP_M [USG_B]. What are the most likely reasons? (Choose two answers)

A. The wrong interface is used for the HRP channel
B. Heartbeat connectivity problems
C. Session fast backup is not configured
D. hrp enable is not configured

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Virtual firewall technology creates multiple logical firewalls on a single physical firewall device. Which multi-instance functions does it achieve? (Choose three answers)

A. Security multiple instances
B. VPN multi-instance
C. configure multiple instances
D. exchange multiple instances

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Which statement is incorrect about IPsec NAT traversal?

A. AH and ESP support NAT traversal
B. IPsec NAT traversal is not supported in IKE main mode (pre-shared mode)
C. IPsec ESP packets are encapsulated in UDP to traverse NAT
D. All communication messages exchanged by the IKE initiator use port 4500

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
After stateful failover is configured on the firewall, in the Web configuration interface, select "System> High Reliability> hot standby" and click the "check" button corresponding to "Check HRP configuration consistency".

A window pops up, as shown. Which of the following configurations can solve the problem (assuming the heartbeat interface is added to the DMZ zone)?

A. firewall packet-filter default permit interzone trust local
B. firewall packet-filter default permit interzone trust dmz
C. firewall packet-filter default permit interzone untrust dmz
D. firewall packet-filter default permit interzone local

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
In the L2TP over IPsec scenario shown below, which of the following configurations correctly defines the data flow protected by IPsec?

A. [LNS] acl number 2001
[LNS-acl-basic-2001] rule permit udp source 10.10.1.0 0.0.0.255
B. [LNS] acl number 3001
[LNS-acl-adv-3001] rule permit source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
C. [LNS] acl number 3001
[LNS-acl-adv-3001] rule permit tcp source-port 1701
D. [LNS] acl number 3001
[LNS-acl-adv-3001] rule permit udp source-port eq 1701

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
A corporate network carries a large data flow. When the USG is out of memory or its CPU processing capacity limit is reached, in order to ensure that forwarded packets do not carry a threat, the USG should drop the traffic that exceeds the device throughput.
Which of the following commands can achieve this kind of functionality?

A. utm bypass enable
B. undo utm bypass enable
C. ips bypass enable
D. undo ips bypass enable

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Session logs generated by NAT/ASPF and DPI traffic monitoring logs provide a "binary" output mode. Binary output greatly reduces the impact on system performance, but it requires the supporting eLog log management system.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
In IPsec NAT traversal scenarios, NAT traversal must be configured on the initiating party's firewall, and the firewall at the other end cannot configure NAT traversal related commands.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
During a hot standby switchover, in which deployment scenarios do the service ports of USG series firewalls send gratuitous ARP packets? (Choose two answers)

A. routing mode + switch
B. routing mode + router
C. exchange mode + switch
D. exchange mode + router

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Scenario: virtual firewall technology is commonly used by businesses to provide a leasing service. If virtual firewall VFW1 is leased to enterprise A and virtual firewall VFW2 is leased to enterprise B, which of the following statements is not correct?

A. Virtual firewalls VFW1 and VFW2 each have system resources that are independent of each other.
B. Transparently to the user, the business of enterprises A and B is completely isolated, as if each enterprise used a separately deployed firewall.
C. Enterprises A and B can use overlapping addresses, with VLANs dividing them into different virtual LANs.
D. Enterprises A and B cannot manage their own virtual firewalls independently; management must be performed by the lessor's administrator.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
When using optical Bypass Interface, Bypass link has two operating modes, automatic mode and forced mode.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
The constraints of a limiting policy include the quintuple, time, user identity and application protocols.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
An administrator uses the following command to view the state of device components.

The status of the board in slot 3 is abnormal. What are the possible causes? (Choose three answers)

A. The device does not support this interface card.
B. The interface card is damaged.
C. The pins on the backplane or motherboard are damaged, for example bent because the board was installed incorrectly.
D. The ADSL phone line is faulty.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
In hot standby, the backup channel must be a primary interface on the interface board. Which type is not supported?

A. Ethernet
B. GigabitEthernet
C. E1
D. vlan-if

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
ACK Flood attacks can be defended against with payload inspection. The principle is that the cleaning equipment checks the payload of ACK packets; if the contents of the whole payload are uniform (for example, the payload is all the same content), the packet is discarded.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Which of the following packets are not sent during IP-link detection? (Choose two answers)

A. ARP packets
B. IGMP packets
C. ICMP packets
D. Hello packets

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
If an IPsec policy is configured with both a policy template and a child policy, the firewall first applies the policy template and then applies the child policy.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
The limiting policy function only supports limiting the number of connections initiated or received by a specified IP address.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
In a hot standby environment, the forward and return paths of data packets are inconsistent. Which of the following conditions may cause packet loss? (Choose three answers)

A. The session quick sync feature is not enabled
B. Insufficient heartbeat bandwidth
C. State monitoring is turned off
D. The heartbeat port is specified incorrectly

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
For which of the following security services does the virtual firewall provide multiple instances? (Choose three answers)

A. Address Binding
B. blacklist
C. ASPF
D. VPN routing

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
After NAT Server is configured (without the no-reverse parameter), the firewall automatically generates static Server-map entries. The first packet matches the Server-map entries, but it does not match the session table.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
BFD static route topology is shown in Figure A. On the firewall, the administrator needs to do the following configuration:
[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd-session-aa] discriminator local 10
[USG9000_A-bfd-session-aa] discriminator remote 20
[USG9000_A-bfd-session-aa] commit
[USG9000_A-bfd-session-aa] quit
Which of the following statements about the configuration are correct? (Choose two answers)

A. The command "bfd aa bind peer-ip 1.1.1.2" is used to create a BFD session binding policy to detect link status
B. The command [USG9000_A] bfd is a configuration error; it should be replaced by [USG9000_A] bfd enable to enable the BFD function
C. The [USG9000_A-bfd-session-aa] commit configuration is optional; if it is not configured, the system submits the configuration by default and generates BFD session log information, but does not establish the session table
D. The BFD session on the firewall also needs to be bound to a static route with the command:
[USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
BFD static route topology is shown in Figure A. On the firewall, the administrator needs to do the following configuration:
[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd-session-aa] discriminator local 10
[USG9000_A-bfd-session-aa] discriminator remote 20
Which of the following commands should be added to the firewall configuration to achieve BFD for static route? (Choose two answers)

A. [USG9000_A-bfd-session-aa] commit
B. [USG9000_A] bfd aa bind local-ip 1.1.1.1
C. [USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa
D. [USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 bind bfd-session aa

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Which statement is correct regarding binding local users to VPN instances?

A. With the command local-user user-name vpn-instance vpn-instance-name, a local user can be bound to a VPN instance
B. By default, bindings already exist between local users and VPN instances
C. After a local user is bound to a VPN instance, the local user can manage the entire firewall
D. Local users cannot be bound to VPN instances

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
In a hot standby networking environment, the NAT configuration of the two USGs is consistent, and the NAT address pool is in the same network segment as the virtual IP address of the VRRP backup group. The next two figures show the ARP responses when NAT Server is used in combination with VRRP.

Which of the following combinations of NAT Server configuration and VRRP is correct?

A. Figure 1 will VRRP backup group Interface NAT address pool with connection to the Internet on the binding, in Figure 2 the VRRP backup group Interface NAT
address pool with connection to the Internet on the binding.
B. Figure 1 is not the VRRP backup group Interface NAT address pool with connection to the Internet on the binding, Figure 2 is not the VRRP backup group
Interface NAT address pool with connection to the Internet on the binding.
C. Figure 1 is not the VRRP backup group Interface NAT address pool with connection to the Internet on the binding, in Figure 2 the VRRP backup group Interface
NAT address pool with connection to the Internet on the binding.
D. Figure 1 is not the VRRP backup group Interface NAT address pool with connection to the Internet on the binding, Figure 2 is not the VRRP backup group
interfaces with NAT address pool on connection to the Internet unbound.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
There is no need to use deny rules in a limiting policy, because deny rules apply no restrictions.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Tracert packet attack occurs when an attacker using TTL returned ________. ICMP timeout packets reach the destination address and return an ICMP time exceeded message back to the source IP address. An attacker may run the tracert program to detect the source IP address in the returned ICMP message, and can thereby snoop the structure of the network.

A. 0
B. 1
C. 2
D. Changes according to the actual situation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
Which of the following descriptions of SMURF attacks is correct?

A. Attacker sends ping requests to a subnet (broadcast), requesting that devices on that subnet send ping replies to a target system. Once the host or network is detected, it is then brought down.
B. Attacker sends SYN packets whose source and destination addresses are both the IP address where the attacker is. A SYN-ACK message is sent to their own address, so the host ends up holding a large number of empty connections.
C. An attacker sends UDP packets to the target network. The source address of the packets is the address of the attacked host, the destination address is the subnet broadcast address or subnet network address of the attacked host's subnet, and the destination port number is 7 or 19.
D. An attacker exploits the fact that, after a network or host receives an ICMP unreachable packet, it directly considers follow-up packets destined for that address unreachable, thereby cutting off the host's connection to the destination.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
Which of the following protocol packets cannot be sent by default in an IPsec tunnel?

A. TCP
B. UDP
C. ICMP
D. IGMP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Which of the following statements about the Eth-Trunk function are correct? (Choose three answers)

A. It improves communication bandwidth of the link
B. It improves data security
C. Traffic load balancing
D. It improves the reliability of the link

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
Which of the following statements is correct about dual hot standby used in conjunction with IPsec functionality?

A. USG supports IPsec in the primary/backup mode of hot standby.
B. IPsec stateful failover is not supported under load balancing.
C. You must configure the session fast backup.
D. You must configure preemption

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
What type of packet is used to send a VRRP HELLO message?

A. unicast packets
B. broadcast packets
C. multicast packets
D. UDP packets

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
IPsec VPN using digital certificates for authentication has the following steps:
1. Certificate signature verification
2. Find the certificate serial number in the CRL
3. Both devices share their entity certificate
4. Verify the certificate is valid
5. Establish a VPN tunnel
Which of the following is the correct order?

A. 3-2-1-4-5
B. 1-3-2-4-5
C. 3-1-4-2-5
D. 2-4-3-1-5

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
With regard to the Radius protocol, which of the following statements are correct? (Choose three answers)

A. Radius packets are transmitted using the UDP protocol
B. The authentication and authorization port number can be 1812
C. When the Radius protocol is used to transmit the user account and password, the account is encrypted
D. The authentication and authorization port number can be 1645

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
In the following virtual firewall networking, the USG provides a leasing service and VPN instance vfw1 is leased to enterprise A, as shown in the network diagram below.
A user outside the enterprise network needs to access, via PC C, server B in the DMZ zone, which is NAT’ed. Which of the following key configurations are required to achieve this? (Choose three answers)

A. [USG] ip vpn-instance vfw1 vpn-id 1
B. [USG] ip vpn-instance vfw1
[USG-vpn-vfw1] route-distinguisher 1001
[USG-vpn-vfw1] quit
C. [USG] nat server zone vpn-instance vfw1 untrust global 2.1.2.100 inside 192.168.1.2 vpn-instance vfw1
D. [USG] nat address-group 1 2.1.2.5 2.1.3.10 vpn-instance vfw1

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
In dual-system hot backup, the backup channel must be a primary interface on the interface board. Which type is not supported?

A. Ethernet
B. GigabitEthernet
C. E1
D. vlan-if

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
As shown, in a corporate network USG_A and USG_B are configured for hot standby, with USG_A as the master device. The administrator wants to configure SSL VPN on the firewall so that branch employees can access headquarters through SSL VPN.

What should the SSL VPN virtual gateway address be?

A. 202.38.10.2/24
B. 202.38.10.3/24
C. 202.38.10.1/24
D. 10.100.10.2/24

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

H12-721

Passing Score: 800
Time Limit: 4 min

Exam A

QUESTION 1
The main method of defending caching servers against DNS Request Flood is the use of DNS source authentication.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Refer to the following diagram in regards to Bypass mode.

Which of the following statements are correct? (Choose two answers)

A. When the interface works in the non-Bypass state, traffic from Router_A flows into the USG through interface GE0 and, after being processed by the USG, flows out of interface GE1 to Router_B.
B. When the interface works in the Bypass state, traffic from Router_A flows into the USG through interface GE0 and, without any processing by the USG, flows directly out of interface GE1 to Router_B.
C. When the firewall is required to implement security policies, services run without interruption while the interface works in the Bypass state. Therefore, the device can be kept working in the Bypass state.
D. The power Bypass interface can work in bridge mode, and can work with the bypass circuit.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
In the Huawei abnormal flow cleaning solution, when deployed in a bypass scenario, which drainage schemes can be used? (Choose three answers)

A. Dynamic routing drainage
B. Static routing strategy drainage
C. Static routing drainage
D. MPLS VPN cited

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Regarding IKE main mode and aggressive mode, which of the following statements is correct?

A. In aggressive mode, all packets in the first phase of negotiation are encrypted
B. In main mode, all packets in the first phase of negotiation are encrypted
C. The DH algorithm is used in aggressive mode
D. Whether the negotiation is successful or not, IKE will enter into fast mode

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
A network is shown below.

A dial-up user cannot establish an L2TP VPN connection between the VPN client PC and the USG (LNS). What are valid reasons for this failure? (Choose three answers)

A. The tunnel name configured on the LNS is inconsistent with the client name.
B. L2TP tunnel authentication failed.
C. PPP authentication fails because the PPP authentication modes set on the client PC and the LNS are inconsistent.
D. Client PC cannot obtain an IP address assigned to it from the LNS.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
From the branch offices, servers are accessed from the Headquarters via IPsec VPN. An IPsec tunnel can be established at this time, but communication to the servers fails. What are the possible reasons? (Choose three answers)

A. Packet fragmentation, the fragmented packets are discarded on the link.
B. Presence of dual-link load balancing, where the path back and forth may be inconsistent.
C. Route flapping.
D. Both ends of the DPD detection parameters are inconsistent.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
A user has been successfully authenticated using an SSL VPN. However, users can not access the Web-link resources through the Web server.

Using the information provided, which of the following is correct?

A. Network server does not have the Web services enabled.
B. Virtual Gateway policy configuration error
C. Virtual connection between the gateway and the network server is not normal
D. Virtual gateway and network server are unreachable

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
According to the network diagram regarding hot standby, which of the following are correct? (Choose three answers)

A. The VRRP backup group itself has a preemption function. As shown, when USG_A fails and is then restored, USG_A uses preemption to regain master status.
B. With VGMP management group preemption and VRRP backup groups, when the management group fails and recovers, the priority of the management group will also be restored.
C. By default, the preemption delay is 0.
D. If a VRRP group is added to the VGMP management group, preemption will fail. The VGMP unified management group decides this behavior.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which of the following statements about TCP proxy and TCP reverse source detection are correct? (Choose three answers)

A. TCP proxy and TCP reverse source detection can both defend against SYN Flood.
B. TCP proxy acts as a proxy device. The TCP proxy sits between both ends of the connection; when one end initiates a connection, it must first complete the TCP three-way handshake with the device.
C. With TCP proxy mode attack prevention, the detection mechanism must be turned on.
D. TCP reverse source detection probes the source IP of packets by sending a Reset.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
IPsec tunneling is used as a backup connection as shown below:

Which of the following statements are true about the tunnel interface? (Choose two answers)

A. IPsec security policy should be applied to the tunnel interface
B. Protocol for the Tunnel Interface must be GRE.
C. The tunnel interface needs to be configured with an IP address, and that IP address must be in the same network segment as the external network IP address of the gateway's outgoing interface.
D. Tunnel interfaces can be added to any security zone, provided they have the appropriate interdomain security policies.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which of the following contents does the DHCP Snooping function maintain in its binding table? (Choose three answers)

A. MAC
B. Vlan
C. Interface
D. DHCP Server's IP

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Through the configuration of the Bypass interface, you can avoid network communication interruption caused by equipment failure and improve reliability. The power
Bypass function can use any network interfaces to configure the Bypass GE parameters to achieve the Bypass function.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which of the following statements about IPsec and IKE following are correct? (Choose three answers)

A. With IPsec there are two ways to establish the security association, manual mode (manual) and IKE auto-negotiation (Isakmp) mode.
B. IKE aggressive mode can be selected based on negotiations initiated by the tunnel endpoint IP address or ID, to find the corresponding authentication word and finalize negotiations.
C. The NAT traversal function is used to delete the IKE negotiation verification process for UDP port numbers, while achieving a VPN tunnel to discover the NAT gateway function. If a NAT gateway device is used, then the data transfer after the IPsec uses UDP encapsulation.
D. IKE security mechanisms include Diffie-Hellman (DH) key exchange and distribution, Perfect Forward Secrecy (PFS), encryption, and SHA1 algorithms.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
In the attack shown below, the victim host captures packets of the traffic. According to the information shown, what kind of attack is this?

A. SYN Flood
B. SYN-ACK Flood
C. ACK-Flood
D. Connection Flood

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
In IPsec VPN with NAT traversal, you must use IKE aggressive mode.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
A man-in-the-middle attack refers to an intermediary that sees the data exchange between server and client. To the server, all messages appear to be sent to or received from the client; and to the client, all the packets appear to have been sent to or received from the server. If a hacker is using the man-in-the-middle attack, the hacker will send at least two data packets as shown to achieve this attack.

Which of the following field descriptions of packet 1 and packet 2 are correct? (Choose two answers)

A. Packet 1:
Source IP 1.1.1.1
Source MAC C-C-C
Destination IP 1.1.1.2
Destination MAC B-B-B
B. Packet 1:
Source IP 1.1.1.3
Source MAC C-C-C
Destination IP 1.1.1.2
Destination MAC B-B-B
C. Packet 2:
Source IP 1.1.1.2
Source MAC C-C-C
Destination IP 1.1.1.1
Destination MAC A-A-A
D. Packet 2:
Source IP 1.1.1.3
Source MAC C-C-C
Destination IP 1.1.1.1
Destination MAC A-A-A

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
In an Eth-Trunk interface, you can achieve load balancing by configuring different weights on each member link.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
An SSL VPN login authentication is unsuccessful, and the prompt says "wrong user name or password." What is wrong?

A. The username and password were entered incorrectly.
B. There is a user or group filter field configuration error.
C. There is a certificate filter field configuration error.
D. The administrator needs to configure the source IP address of the terminal restriction policy.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
SSL works at the application layer and is encrypted for specific applications, while IPsec operates at which layer and provides transparent encryption protection for
this level and above?

A. The data link layer
B. Network Layer
C. Transport Layer
D. Presentation Layer

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
The IP-MAC address binding configuration is as follows:
[USG] firewall mac-binding 202.169.168.1 00e0-fc00-0100
When data packets travel through the Huawei firewall device, and other policies such as packet filtering and attack prevention are not considered, which of the following packets can pass through the firewall device? (Choose two answers)

A. Packet source IP: 202.169.168.1
Packet source MAC: FFFF-FFFF-FFFF
B. Packet source IP: 202.169.168.2
Packet source MAC: 00e0-fc00-0100
C. Packet source IP: 202.1.1.1
Packet source MAC: 00e0-fc11-1111
D. Packet source IP: 202.169.168.1
Packet source MAC: 00e0-fc00-0100

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Dual hot standby load balancing service requires three interfaces, one for the line connecting the router, and the two USG devices back each other up; the configuration commands are “hrp track master” and “hrp track slave”.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
IP-link probe packets will be sent to the specified IP address by default when the probe fails three times, enabling this interface if the main link fails.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Two endpoints cannot build a successful IPsec VPN session. Which of the following firewall configuration errors could be the problem? (Choose three answers)

A. A device does not have a route to the peer within the network.
B. A gateway configuration on both ends with the referenced ACL security policy
C. The gateway configuration on both ends of the IPsec proposal is inconsistent.
D. Both ends are not configured for DPD.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
The Testing Center is responsible for flow testing, and sends the test results to the management center.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Which of the following is a scanning and snooping attack?

A. SIP Flood attacks
B. HTTP Flood Attack
C. IP address scanning attack
D. ICMP redirect packet attack
Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following VPN protocols do not provide encryption? (Choose three answers)

A. ESP
B. AH
C. L2TP
D. GRE

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
When a Huawei Secure VPN client connection initializes using L2TP, the L2TP packet uses a source port of 1710, and a destination port of 1710.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
A user logs into the Virtual Gateway Web Page but receives a "can not display the webpage" message. What are possible causes for this? (Choose two answers)

A. Virtual Gateway Router unreachable from user PC
B. Virtual Gateway IP address has been changed.
C. Using a Shared Web Gateway
D. Client browser set up a proxy server.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
See the following firewall information:

Based on the output, which of the following answers are correct? (Choose three answers)

A. The first packet of this data stream enters through an interface in the Trust zone and leaves through an interface in the Untrust zone
B. This data stream has been NATed
C. NAPT conversion technology is being used
D. The virtual firewall feature is enabled on the firewall

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
In the Huawei abnormal flow cleaning solution, when deployed in a bypass scenario, which of the following re-injection schemes can be used? (Choose three answers)

A. routing strategy
B. MPLS VPN tunnel mode
C. routing
D. Layer 2 VPN mode

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
When an attack occurs, the attacked host (1.1.129.32) was able to capture many packets as shown. Based on the information shown, what kind of attack is this?

A. Smurf attack
B. Land Attack
C. WinNuke
D. Ping of Death attack

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Refer to the following NIP firewall intrusion detection actions:
1. Record the intrusion process and log an alarm
2. NIP attack detection
3. Reconfigure the firewall
4. Terminate the intrusion
Which of the following is the correct sequence of events?

A. 1 -> 2 -> 3 -> 4
B. 2 -> 1 -> 3 -> 4
C. 3 -> 1 -> 2 -> 4
D. 1 -> 2 -> 4 -> 3

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
An administrator views the status information and IPsec Debug information as follows:

What is the most likely reason for failure?

A. The local ike policy and the peer ike policy do not match
B. The local ike remote name and the peer ike name do not match
C. The local ipsec proposal and the peer ipsec proposal do not match
D. The local Security acl and the peer Security acl do not match

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
PC A, with an IP address of 192.168.3.1, is in the Trust zone. The user cannot access the Internet server in the Untrust zone.

Based on the configuration of the Trust and Untrust fields above, what is the most likely cause of the failure?

A. The security policy is misconfigured; the direction should be Outbound.
B. Since the first rule of the firewall is the default packet-filter deny, the configuration is not implemented.
C. The policy source of 192.168.3.0 0.0.0.255 is incorrect; you need to change the policy source to 192.168.3.0 0.0.255.255.
D. The policy destination any is incorrect; you must define a clear destination IP address.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Which of the following is a drawback of an L2TP VPN?

A. It cannot be routed in two layers
B. You must use L2TP Over IPsec
C. No authentication
D. No encryption

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Regarding the Radius authentication process, refer to the following steps:
1. Network device Radius client (network access server) receives the user name and password, and sends an authentication request to the Radius server.
2. When a user logs into the USG access servers and other network devices, the user name and password will be sent to the network access server.
3. After the Radius server receives a valid request, it completes the request and sends the required user authorization information back to the client.
Which of the following is a correct sequence?

A. 1-2-3
B. 2-1-3
C. 3-2-1
D. 2-3-1

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
IP-link continuously sends ICMP packets or ARP request packets to the specified destination address, and checks whether ICMP echo reply packets or ARP reply packets are received in response from the destination IP.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)

Explanation

Explanation/Reference:

QUESTION 38
With the Huawei abnormal flow cleaning solution, deployed at the scene of a bypass, dynamic routing drainage occurs without human intervention. When an
abnormality is detected, the management center will generate a draining task automatically, and the task is done directly after the drainage cleaning equipment is
issued if testing equipment.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Which of the following statements is wrong regarding IPsec?

A. Under Transfer Mode, ESP does not validate the IP header
B. AH can not verify that the data uses encrypted packets
C. ESP can support NAT traversal
D. The AH protocol uses the 3DES algorithm for data validation

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Malformed packet attack techniques would use some legitimate packet data for network reconnaissance or testing. These packets are legitimate for the application
type, while normal network packets are rarely used.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Which of the following statements are correct about the blacklist? (Choose three answers)

A. When you log into a device and incorrectly enter the username/password three times, the IP address of the administrator will be added to the blacklist via Web or
Telnet.
B. Blacklist is divided into static and dynamic.
C. When the device is perceived to have behavioral characteristics of packets to a user's attempt to attack a specific IP address, it will use a dynamic IP address
blacklist technology.
D. When the packet reaches the firewall, the first thing to check for is packet filtering, and then it will match the blacklist.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
In a stateful standby failover switchover what will the firewall do? (Choose two answers)

A. Send a gratuitous ARP
B. Send proxy ARP
C. The VRRP backup group virtual address will be unavailable
D. The switchover automatically updates the relevant MAC table

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
In L2TP over IPsec scenarios, the USG device first encrypts the original data packet using IPsec and then encapsulates the data packet using L2TP.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
The Huawei abnormal flow cleaning solution must be deployed in an independent testing center.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Regarding IKE DPD, which statement is incorrect?

A. IKE is used to detect the state of a neighbor
B. DPD regularly sends messages between IKE peers.
C. When DPD messages are not received within the specified time DPD sends a request to the remote side and waits for response packets.
D. DPD sends encrypted queries only when the timer expires.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Refer to the following hot standby and IP-link linkage networking environment shown below:

Which configuration will enable hot standby configuration key linkage?

A. hrp mirror ip-link 1
B. hrp track ip-link 1 master
C. hrp track ip-link 1 slave
D. ip-link check enable

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Virtual firewall technology does not include which of the following characteristics?

A. Provides multi-instance routing, security, multi-instance, multi-instance configuration, NAT multi-instance, VPN multi-instance application flexibility to meet a
variety of networking needs.
B. Each virtual firewall can support four separate security zones (TRUST, UNTRUST, DMZ, etc.), with flexible interface partitioning and allocation.
C. It guarantees that every virtual system and a separate firewall instance, and can safely implement access between each virtual system.
D. Each virtual system provides independent administrator privileges.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
Which statement is correct regarding load checks and fingerprint learning with UDP Flood defenses?

A. UDP packet data segments are exactly the same content that can be used to check the load defense.
B. Fingerprint learning is dynamically generated by cleaning equipment, the attack packets after learning some salient features of the fingerprint, fingerprint
matching packets will be dropped.
C. Load inspection checks all UDP packets of data.
D. Load checks need to set the offset number of bytes, fingerprint learning does not need to set the offset number of bytes.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
When there are a lot of BFD sessions in a system, in order to prevent periodic BFD control packets from affecting the normal operation of the system, you can use what
mode of BFD?

A. Synchronous Mode
B. Detection Mode
C. Asynchronous Mode
D. Query Mode

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
Three FTP servers are configured with load balancing on a USG firewall. The address and weights of the three real servers are 10.1.1.3/24 (weight 16), 10.1.1.4/24
(weight 32), 10.1.1.5/24 (weight 16), while the virtual server address is 202.152.26.123/24. A host with the IP address 202.152.26.3/24 initiates access to
the FTP server.
When the display firewall session table command is run on the firewall to check the configuration, which of the following situations illustrates the successful
implementation of load balancing?

A. <USG> display firewall session table
Current total sessions: 1
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21
B. <USG> display firewall session table
Current total sessions: 3
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.3:21]
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.4:21]
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21 [10.1.1.5:21]
C. <USG> display firewall session table
Current total sessions: 1
ftp VPN: public -> public 202.152.26.3:3327 -> 202.152.26.123:21
D. <USG> display firewall session table
Current total sessions: 3
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.3:21
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.4:21
ftp VPN: public -> public 202.152.26.3:3327 -> 10.1.1.5:21

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
Which of the following attacks is a SYN Flood attack?

A. An attacker sends a large number of SYN packets, resulting in a large number of not fully established TCP connections, occupying resources.
B. It refers to the attacker establishing a normal full TCP connection with the attacked object, but sending no follow-up messages.
C. It refers to the attacker sending a large number of ICMP packets (such as Ping) consuming link bandwidth.
D. It refers to the attacker sending a large number of UDP packets to the server consuming link bandwidth.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
In a Link-group with three physical interfaces, when any one of the interfaces fails, which of the following descriptions of what happens is correct? (Choose two
answers)

A. With any interface failure within the group, the system will set the other interface state to Down.
B. When any interface group fails, the other interface status within the group does not change.
C. When the group returned to normal with one of the interfaces up, the interface status within the entire group will be re-set to Up.
D. When the group returns to normal after all the interfaces are up, the interface status within the entire group was re-set to Up.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Load balancing to ensure that the same user traffic will access the IP address assigned to different servers uses what technology? (Choose three answers)

A. Virtual Services Technology
B. Server Health Check
C. Hot Standby Technology
D. Flow-based forwarding

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
USG firewall supports which of the load balancing algorithms? (Choose three answers)

A. The source address hashing algorithm (srchash)
B. Polling simple algorithm (roundrobin)
C. Weighted Round Robin algorithm (weightrr)
D. ratio (Ratio)

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
With the Huawei Anti-DDoS equipment first packet discard technology, the defense is constantly changing the source IP address or source port number of attack
packets.
Regarding the first packet discard technology, which of the following is not correct?

A. UDP protocol does not have retransmission mechanism, so you can not use the first packet discard techniques
B. The first packet discarding used in conjunction with source authentication, prevents false source of attacks.
C. Based triples (source IP address, source port, and protocol) to match packets and packets by time interval to determine the first packet
D. The packet transmission interval is less than the lower limit of the first packet detection rate, or the rate is higher than the upper limit of the first packet inspection
packets believed to be the first package.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Virtual firewalls to forward multiple instances refers to the presence of more than one firewall routing table, supports forwarding address overlapping, are
implemented in the same configuration interface, and the user can configure permissions and view all data.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)

Explanation

Explanation/Reference:

QUESTION 57
The figure below shows a packet capture taken during an IKE V1 first stage main mode exchange in pre-shared key mode. Based on the information shown, the
capture corresponds to which packet?

A. IKE first or second Message
B. IKE third or fourth Message
C. IKE fifth or sixth Message
D. IKE seventh or eighth Message

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
HWTACACS encrypts only part of the password, but with RADIUS the entire packet is encrypted.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
With the abnormal flow cleaning solutions, in order to ensure that the introduction of the attack traffic priority cleaning center can be cleaned as shown in the figure,
the following configuration was made using the management center:
Select "Configuration"> Anti-DDoS> "drainage management" to create drainage tasks, configure the IP address of the protected 10.1.3.10, subnet mask of
255.255.255.255.
After completion of the above steps to configure the cleaning center, what route will be generated?

A. The purpose of the address is 32 static host routes are the attacker’s
B. The destination address is a 32 bit iEGP host route is the attacker's
C. The destination address is 32 bit eBGP host route is the attacker's
D. The source address of the attacker's 32 static host routes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
In an enterprise network, USG A and USG B have established an IPsec VPN. The administrator needs to simulate traffic from server A to server B to test the
connection. What ping command should the administrator use to simulate this traffic?

A. Ping -a
B. Ping -c
C. Ping -t
D. Ping -s

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
An enterprise network deployed USG series firewalls, and they need to achieve per-user Telnet / SSH login to the USG and only the commands authorized by the
server should be allowed.
Which of the following authentication methods would meet these business requirements?

A. Radius
B. LDAP
C. HWTACACS
D. AD

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
Which of the following are correct descriptions of IKE? (Choose three answers)

A. IKE is UDP bearer protocol used in IPSEC
B. IKE negotiates for the IPSEC security protocol, and establishes the parameters and security association for IPSEC
C. IPSEC SA using IKE negotiation packets for the encryption or authentication process
D. IPSEC must use the IKE key exchange

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
Malformed packet attack techniques would use some legitimate data packets; these packets are of a legitimate application type.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
When the firewall is working in a hot standby load balancing networking environment, if the behavior of a router and firewall is down while working in routing mode,
you need to configure the OSPF cost adjustment value based on HRP.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
The USG supported HRP backup options are which of the following? (Choose three answers)

A. Automatic Backup
B. Manual batch backup
C. Quick Backup
D. Real-time backup

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
With the USG firewall, which two commands can be used to view equipment components (control board, fans, power supplies, etc.) run state and memory / CPU
usage? (Choose two answers)

A. display device
B. display environment
C. display version
D. dir

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
You are able to ping the IP address of the IPSec tunnel peer and trigger a successful IPSec tunnel by doing this, but the IPSec tunnel can not be established from
within an internal PC on the network. What could be a possible reason for this?

A. IKE proposal configuration problems
B. IPsec proposal configuration problems
C. The ACL source segment does not include the PC
D. packet filtering (inter-domain policy) configuration problems

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
HTTP Flood attacks refer indirectly to the target server to initiate a large number of HTTP packets to burden the server so that it can not respond to normal
requests.
Through the interface rate limit function, HTTP flood attacks can be prevented.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
Which of the following regarding HTTP Flood defense is not correct?

A. HTTP Flood Source Authentication
B. URI destination IP detection
C. fingerprints learning
D. Checks the load

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
Establishing an IPsec tunnel is unsuccessful. The following is the debug output:
%% 01IKE/4/WARNING (I): phase2: proposal mismatch, please check ipsec proposal configuration.
0.34476900%% 01IKE/7/DEBUG (d): dropped message from 3.3.3.1 due to notification type NO_PROPOSAL_CHOSEN
Based on this information, what is the likely cause of the failure?

A. The IKE proposal is inconsistent.
B. The ipsec proposal is inconsistent.
C. IKE peer configuration error.
D. Security ACL configuration error.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
An IPsec VPN connection established by two USG firewalls in NAT traversal mode fail to see any information from the “display ike sa” command. Neither session
information nor UDP port 500 information is displayed. What are possible reasons for this? (Choose two answers)

A. public network unreachable.
B. middle device blocking UDP 500 port.
C. middle device blocking UDP 4500 port.
D. middle device blocking ESP packets.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
Which of the following is the role of Message5 and Message6 with the main mode IKE negotiation process?

A. Runs the DH algorithm
B. negotiate set of proposals
C. mutual authentication
D. negotiate IPsec SA

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
In the firewall DDoS attack prevention technology, the Anti-DDoS prevents attacks based on what?

A. Based on the ability of the application to authenticate the source address of the packet, the application, and the cleaning equipment source by sending probe
packets to prevent the attack traffic source.
B. session-based concurrent connections to the defense, where the new connection or abnormal connections exceeds the threshold levels.
C. Mainly by fingerprint analysis to study and get traffic capture feature to prevent bots or initiate the attack traffic through a proxy to distinguish normal user access
behavior.
D. By detecting the session using filter scanning packets and special control packets.

Correct Answer: B
Section: (none)

Explanation

Explanation/Reference:

QUESTION 74
Which of the following does an IPSec VPN use to encrypt the communication data stream?

A. Public Key Encryption
B. Private key encryption
C. Symmetric key encryption
D. Pre-shared key encryption

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
In IKE V1 stage 1 pre-shared key with Main Mode exchange process, the SA is established after which messages?

A. message 1 and message 2
B. message 3 and message 4
C. message 5 and message 6
D. message 7 and message 8

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

H12-721

Passing Score: 800
Time Limit: 4 min

Exam A

QUESTION 1
When using digital certificates for authentication in IPsec VPN, it should adopt IKE main mode negotiation, and validation of the certificate is completed in the 5th and 6th
packets of the packet exchange.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Two USG firewalls build a Site-to-Site IPsec VPN. The state viewed on USGA is as follows:
display ipsec statistics
the security packet statistics:
input / output security packets: 4/0
input / output security bytes: 400/0
input / output dropped security packets: 0/0
After viewing the state above, what information do you get? (Choose two answers)

A. USGA encrypted data packets 4; USGA decrypt the packet is set 0.
B. USGA has decrypted packet is 4, USGA already encrypted data packet is 0.
C. Site A network device, there is no route, leading to the protection of the data may not be sent to the USGA
D. IPsec tunnel is not established.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
In defense FIN / RST Flood attack method, conversation is checked. The workflow is when the FIN / RST packet rate exceeds the threshold, discarded packets,
and then start the conversation check.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
In the dual-system hot backup networking environment as shown in the standby firewall also need to configure NAT function, assuming that the external address of
the VRRP backup group. NAT address pool and NAT Server in the same network segment. Which of the following configuration needs to be on the Server?
(choose two answers)

A. HRP_M [USG_A] nat address-group 1 2.2.2.5 2.2.2.6 vrrp 1
B. HRP_M [USG_A] nat address-group 1 2.2.2.5 2.2.2.6 vrrp 2
C. HRP_M [USG_A] nat server global 2.2.2.10 inside 10.100.10.3 vrrp 2
D. HRP_M [USG_A] nat server global 2.2.2.10 inside 10.100.10.3 vrrp 1

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
The anti-DDoS device can implement traffic blocking or limiting to defend against attacks if the service learning function discovers that certain services do not run on
the network or the service traffic volume is small.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
An enterprise network flow is shown below. Server A cannot access server B. The administrator troubleshoots and finds that server A can access firewall A, but
cannot access firewall B.

What method will administrators use to troubleshoot this problem?

A. stratification
B. Break Law
C. substitution method
D. Block Method

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
As shown in the figure, with Eth-Trunk binding, if you need to implement per-packet load balancing across the member interfaces, which of the
following configuration commands do you need to run?

A. [USG] load-balance interface eth-trunk 1 packet-all
B. [USG] interface eth-trunk 1
[USG-Eth-Trunk 1] load-balance packet-all
C. [USG] load-balance interface eth-trunk 1 src-dst-ip
D. [USG] interface eth-trunk 1
[USG-Eth-Trunk 1] load-balance src-dst-ip

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Hot Standby networking environment is shown in Figure 1 and 2 backup group joined VGMP management group, USG_A main equipment, USG_B as a backup
device.

When USG_A is in failed state, such as power failure, this time USG_B state switched from Slave to Master.
When USG_A firewall recovers, it switches back to its state Master, and USG_B status remains as Master.
What has caused this phenomenon?

A. Two firewall load balancing mode, both in the same backup set is configured to master, also configure the Slave
B. USGA after the failure to restore its priority VRRP backup group did not recover in time
C. After the USGA recover from a failure, malfunction heartbeat
D. No configuration hrp track

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
In the standby link IPsec backup application scenarios, which of the following ways is used by the standby link switch?

A. Hot Standby
B. Link-Group
C. Eth-Trunk
D. IP-Link

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
Administrators can create a vfw1 and vfw2 with multiple instances to provide security services for firms A and B on the root firewall. It can be configured between
vfw1 regional security and safety vfw2 forwarding policy.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Static fingerprint filtering function is configured through static fingerprints. Fingerprints on the packets hit the appropriate treatment, and thus attack traffic defense.
General Anti-DDos device can capture function, first grab the attack packets, and then extract the functionality through fingerprint and fingerprint information input to
the static filter.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
According to the victim host capture shown in the figure, what type of attack is this?

A. ARP Flood attack
B. HTTP Flood Attack
C. ARP spoofing attack
D. SYN Flood attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
IPSec NAT traversal is not supported in IKE main mode and aggressive mode of IP addresses + pre-shared key authentication mode, because the pre-shared key
authentication requires the extraction of IP packets in order to find the IP address of the source address of the corresponding pre-shared secret key, and the
presence of NAT causes a change to make the device unable to find the address of a pre-shared key.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
When an attack occurs, the attacked host (1.1.128.4) was fooled. Host found many packets as shown. Based on an analysis what type of attack is this?

A. Smurf attack
B. Land Attack
C. WinNuke
D. TCP packet flag attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
In the use of virtual firewall technology: The two VPN users can travel over the public network Root VFW, log on to their respective private network VPN and get
direct access to the private network resources.
According to the characteristics of VPN Firewall that provides multiple instances of business, which of the following statements is correct? (Choose three answers)

A. safe, VPN user authentication and authorization access through the firewall, after a visit with independent access virtual firewall system for users to manage
different resources VPN users are completely isolated.
B. VPN flexible and reliable access to support from the public network to the VPN, can also support VPN to VPN from two modes.
C. easy to maintain, the user does not have superuser privileges on the system administrator account can manage the entire firewall (including each virtual firewall
service).
D. strict access control permissions, firewall can control access VPN access permissions based on user name, password, so that employees can make a business
trip, the super user (VPN require access to different resources), such as different users with different access rights.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
In static fingerprint filtering for different packets with different processing methods, which of the following statements is correct? (Choose two answers)

A. TCP / UDP / custom services can be based on the load (ie, packet data segment) fingerprints.
B. DNS packets fingerprints for Query ID.
C. HTTP packets fingerprints for Universal Resource Identifier URI (Uniform Resource Identifier).
D. ICMP packets through fingerprints identifier.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
In site to Site IPsec VPN negotiation process, what should be the order of checks?
1. Network connectivity problems
2. Establish conditions and configuration View IKE Phase 1 Safety Alliance
3. Establish conditions and related configuration view IKE phase 2 security alliance
4. Check whether the ends of the Security ACL mirror each other

A. 1 -> 4 -> 2 -> 3
B. 4 -> 2 -> 3 -> 1
C. 2 -> 3 -> 1 -> 4
D. 4 -> 1 -> 2 -> 3

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Comparing URPF strict mode and loose mode, which of the following statements is incorrect?

A. Strict mode requires not only the presence of the corresponding entries in the forwarding table also called the interface but it must match in order to pass the
URPF check.
B. If using strict mode, the source address of the packet in the FIB USG does not exist, but the situation has configured a default route and doing
allow-default-route, the packet will pass the URPF check for normal forwarding.
C. Under a symmetrical environment, it is recommended to use the route URPF strict mode.
D. Loose mode does not check whether the interface matches the source address of the packet as long as the existence of the USG's FIB table, packets can be
passed.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
When using the SSL VPN client, it initiates network expansion "Connect gateway mate lost", what are the causes of this failure? (Choose three answers)

A. If you are using a proxy server, network extension client proxy server settings wrong.
B. PC and virtual gateway routing between unreachable.
C. TCP network expansion between the client and the virtual gateway connection is blocked by the firewall.
D. Username and password configuration errors.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
An enterprise network cutover has just been done. The old network equipment is off the assembly line and the line is now on new network equipment. After
operational testing we found that the majority of traffic will not work.
What will be administrators quickest way to restore business?

A. stratification
B. Break Law
C. substitution method
D. Block Method

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
HRP technology can achieve an alternate configuration of the firewall that does not need any kind of information, all the configuration information are synchronized
to the primary firewall HRP prepared by a firewall, and configuration information is not lost after restart.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
L2TP is used between the user and the enterprise server and it transparently transmits packets and sets up the PPP tunneling protocol, which includes which of the
following characteristics? (Choose three answers)

A. L2TP protocol uses TCP protocol
B. Support private address assignment; do not take the public IP address
C. It supports PPP authentication with RADIUS support with flexible local and remote AAA
D. After combining with IPsec support for encrypted packets

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
A USG standby scenario is shown in the figure. The service interface works in three steps, down the line connecting the router through an administrator to view,
USG_A status is HRP_M [USG_A],
USG_B state HRP_S [USG_B], but all the traffic is not completely passing through USG_A, half of the traffic also passes via USG_B.

Which of the following configuration command can solve this problem?


[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet 0/0/1] hrp track master
[USG_A] interface GigabitEthernet 0/0/3
[USG_A-GigabitEthernet 0/0/3] hrp track master
[USG_A] ospf 101
[USG_A-ospf -101] area 0
[USG_A-ospf-101-area-0.0.0.0] network 10.104.10.0 0.0.0.255

[USG_A-ospf-101-area-0.0.0.0] network 10.104.30.0 0.0.0.255
[USG_A] hrp interface GigabitEthernet 0/0/2
[USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet 0/0/1] hrp track slave
[USG_B] interface GigabitEthernet 0/0/3
[USG_B-GigabitEthernet 0/0/3] hrp track slave
[USG_B] ospf 101
[USG_B] ospf 101
[USG_B-ospf -101] area 0
[USG_B-ospf-101-area-0.0.0.0] network 10.104.10.0 0.0.0.255
[USG_B-ospf-101-area-0.0.0.0] network 10.104.30.0 0.0.0.255
[USG_B] hrp interface GigabitEthernet 0/0/2

A. [USG_A] hrp ospf-cost adjust-enable
[USG_B] hrp ospf-cost adjust-enable
B. [USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet 0/0/1] hrp track master
[USG_B] interface GigabitEthernet 0/0/3
[USG_B-GigabitEthernet 0/0/3] hrp track master
C. hrp preempt delay 60
D. heartbeat port addresses are not released to the OSPF

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
If the two sides wish to establish an IPsec VPN tunnel and using just one of the IP addresses, which of the following configuration methods can not be applied in the
gateway?

A. Policy Template
B. Strategy Name savage mode authentication
C. Pre-share
D. Savage mode key certification

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
As shown in the figure, the firewalls are in a stateful failover networking environment, the firewall service interfaces are in routing mode, and the upstream and downstream devices are routers with OSPF configured.

Assuming the OSPF convergence recovery time is 30s, which of the following is the best HRP preemption configuration?

A. hrp preempt delay 20
B. hrp preempt delay 40
C. hrp preempt delay 30
D. undo hrp preempt delay

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following circumstances where main mode IKE negotiation can not be used? (Choose two answers)

A. IKE in the pre-shared mode and peer identity is ID
B. IKE in the pre-shared mode, and net exports outside the firewall dynamically assigned addresses using DHCP
C. IKE in the pre-shared mode, and there is a NAT device link
D. IKE certificate in RSA mode, and there is a NAT device link

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
About VRRP packets, which of the following statements is correct? (Choose two answers)

A. VRRP packets using TCP
B. VRRP packets using UDP
C. VRRP packet destination address is 224.0.0.18
D. VRRP packet TTL value is 255

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
By default, preemption is enabled for the VGMP management group and the preemption delay is 60s.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
In Client-initial mode, it can be seen from the following debug information that the L2TP dial-up has failed. What is the most likely cause of the dial-up failure?

A. username and password aaa configuration inconsistencies.
B. LNS name configuration error.
C. tunnel password is not configured.
D. It is not enabled for l2tp.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
In a USG hot standby scenario, the service interfaces work at Layer 3 and connect to routers upstream and downstream. The administrator sees that the USG_A state has switched to HRP_M[USG_A] and the USG_B state is also HRP_M[USG_B]. What are the most likely reasons? (Choose two answers)

A. HRP using the wrong channel interface
B. heartbeat connectivity problems
C. No configuration session fast backup
D. no Hrp enable

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
What do we want to achieve with Virtual firewalls on a single physical firewall device where we create virtual multiple logical firewalls and multiple instances?
(Choose three answers)

A. Security multiple instances
B. VPN multi-instance
C. configure multiple instances
D. exchange multiple instances

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Which statement is incorrect about IPsec NAT traversal?

A. AH and ESP support NAT traversal
B. IPsec NAT traversal is not supported in IKE main mode (pre-shared mode)
C. IPsec ESP packets pass through NAT using UDP packet encapsulation
D. All messages exchanged by the IKE initiator use port 4500

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
After stateful failover is configured on the firewall, in the Web configuration interface, select "System> High Reliability> hot standby" and click the "check" button corresponding to "Check HRP configuration consistency".

A window pops up, as shown. Which of the following configurations can solve the problem (assuming the heartbeat interface is added to the DMZ zone)?

A. firewall packet-filter default permit interzone trust local
B. firewall packet-filter default permit interzone trust dmz
C. firewall packet-filter default permit interzone untrust dmz
D. firewall packet-filter default permit interzone local

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
As shown below, for the L2TP over IPsec scenarios, the following configuration shows how to protect data on the IPsec flow. Which one is correct?

A. [LNS] acl number 2001
[LNS-acl-basic-2001] rule permit udp source 10.10.1.0 0.0.0.255
B. [LNS] acl number 3001
[LNS-acl-adv-3001] rule permit source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
C. [LNS] acl number 3001
[LNS-acl-adv-3001] rule permit tcp source-port 1701
D. [LNS] acl number 3001
[LNS-acl-adv-3001] rule permit udp source-port eq 1701

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
A corporate network carries a large data flow. When the USG runs out of memory or reaches its CPU processing capacity limit, the administrator wants the USG to drop traffic that exceeds the device throughput, to ensure that forwarded packets do not carry a threat.
Which of the following commands can achieve this kind of functionality?

A. utm bypass enable
B. undo utm bypass enable
C. ips bypass enable
D. undo ips bypass enable

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Logging session log NAT / ASPF generated DPI traffic monitoring logs. Logs for this type provide a "binary" output mode. Using binary output can greatly reduce the
impact on system performance but the use of binary form output requires supporting eLog log management system.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
In the IPsec NAT traversal application scenarios, the firewall must be configured to initiate party NAT traversal, and the other end can not configure firewall NAT
traversal related commands.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
During a hot standby switchover, in which deployment scenarios does the USG series firewall service port send gratuitous ARP? (Choose two answers)

A. routing mode + switch
B. routing mode + router
C. exchange mode + switch
D. exchange mode + router

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Scenario: Virtual firewall technology is commonly used by businesses to provide a leasing service. If virtual firewall VFW1 is leased to enterprise A and virtual firewall VFW2 is leased to enterprise B, which of the following statements is not correct?

A. The system is a virtual firewall VFW1, VFW2 respectively independent system resources among each other.
B. transparent to the user, the business between companies A and B is completely isolated from the enterprise, as with the use of a separate firewall deployment
respectively.
C. firms A and B can address the overlap and use vlan divided into different virtual LANs.
D. firms A and B alone can not manage their own virtual firewall, management must be implemented by the lessor administrator.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
When using optical Bypass Interface, Bypass link has two operating modes, automatic mode and forced mode.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Policy strategy limiting constraints include quintuple, time, user identity and application protocols.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
An administrator using the following command to view the state of device components

Slot3 board is status abnormal, what are the possible causes? (Choose three answers)

A. The device does not support this interface card.
B. The Interface Card is damaged.
C. The backplane or damaged pins on the motherboard, such as incorrect installation lead pin board tilt.
D. The ADSL phone line is faulty.

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
In Hot standby, the backup channel must be the primary interface to the interface board. Which type is not supported?

A. Ethernet
B. GigabitEthernet
C. E1
D. vlan-if

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
ACK Flood attacks can be defended against with payload inspection. The principle is that the cleaning device checks the ACK packet payload; if the contents of the whole payload are consistent (for example, the payload is all the same content), the packet is discarded.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Which of the following packets are not sent during IP-link detection? (Choose two answers)

A. ARP packets
B. IGMP packets
C. ICMP packets
D. Hello packets

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
If using a policy template and configuring IPsec policy child policy, the firewall will first apply a policy template, and then it will apply the child policy.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Limiting policy function supports only the number of connections to the specified IP initiated or received to limit the number of connections.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
In hot standby environment, there is an event of inconsistent data packets being sent back and forth. Which of the following conditions may cause packet loss?
(Choose three answers)

A. Quick Sync feature is not enabled session
B. heartbeat insufficient bandwidth
C. Close monitoring of the state
D. heartbeat port specified error

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
Virtual firewall security services provide multiple instances of the following? (Choose three answers)

A. Address Binding
B. blacklist
C. ASPF
D. VPN routing

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
After NAT Server is configured (the no-reverse parameter is not added), the firewall automatically generates static Server-map entries. The first packet matches the Server-map entries, but it does not match the session table.

A. TRUE
B. FALSE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
BFD static route topology is shown in Figure A. On the firewall, the administrator needs to do the following configuration:
[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd-session-aa] discriminator local 10
[USG9000_A-bfd-session-aa] discriminator remote 20
[USG9000_A-bfd-session-aa] commit
[USG9000_A-bfd-session-aa] quit
Which of the following statements about the configuration are correct? (Choose two answers)

A. The command "bfd aa bind peer-ip 1.1.1.2" is used to create a BFD session binding policy to detect link status
B. The command [USG9000_A] bfd is a configuration error and should be replaced by [USG9000_A] bfd enable to enable the BFD function
C. The [USG9000_A-bfd-session-aa] commit configuration is optional; if it is not configured, the system will by default commit the configuration and generate BFD session log information, but will not establish the session table
D. The BFD session on the firewall also needs to be bound to a static route with the command:
[USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
BFD static route topology is shown in Figure A. On the firewall, the administrator needs to do the following configuration:
[USG9000_A] bfd
[USG9000_A-bfd] quit
[USG9000_A] bfd aa bind peer-ip 1.1.1.2
[USG9000_A-bfd-session-aa] discriminator local 10
[USG9000_A-bfd-session-aa] discriminator remote 20
Which of the following commands should be added to the firewall configuration to achieve BFD for static route? (Choose two answers)

A. [USG9000_A-bfd-session-aa] commit
B. [USG9000_A] bfd aa bind local-ip 1.1.1.1
C. [USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 track bfd-session aa
D. [USG9000_A] ip route-static 0.0.0.0 0 1.1.1.2 bind bfd-session aa

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Which statement is correct regarding local users with VPN instance bindings?

A. With the command local-user user-name vpn-instance vpn-instance-name, a local user can be bound to a VPN instance
B. Under default, bindings are already achieved between local users and VPN instances
C. After the local user is bound to a VPN instance, the local user can manage the entire firewall
D. Local users can not be bound to a VPN instance

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
In hot standby networking environment, two USG's NAT configuration is consistent. When the virtual IP address is in the address of the VRRP backup group, then
NAT address pool in the same network segment. The next two figures show the NAT Server applications with a combination of VRRP ARP response situations.

Which Combination of the following NAT Server configuration and VRRP shown as options are correct?

A. Figure 1 will VRRP backup group Interface NAT address pool with connection to the Internet on the binding, in Figure 2 the VRRP backup group Interface NAT
address pool with connection to the Internet on the binding.
B. Figure 1 is not the VRRP backup group Interface NAT address pool with connection to the Internet on the binding, Figure 2 is not the VRRP backup group
Interface NAT address pool with connection to the Internet on the binding.
C. Figure 1 is not the VRRP backup group Interface NAT address pool with connection to the Internet on the binding, in Figure 2 the VRRP backup group Interface
NAT address pool with connection to the Internet on the binding.
D. Figure 1 is not the VRRP backup group Interface NAT address pool with connection to the Internet on the binding, Figure 2 is not the VRRP backup group
interfaces with NAT address pool on connection to the Internet unbound.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
No need to use deny rules because of the policy limiting strategy for deny rules without restrictions.

A. TRUE
B. FALSE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Tracert packet attack occurs when an attacker using TTL returned ________. ICMP timeout packets reach the destination address and return an ICMP time
exceeded message back to the source IP address. An attacker may run the tracert program to detect source ip address in ICMP returned message and it can
snoop structure of the network.

A. 0
B. 1
C. 2
D. Changes according to the actual situation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
Which of the following description about SMURF attacks is correct?

A. Attacker sends ping requests to a subnet (broadcast), requesting that devices on that subnet send ping replies to a target system. Once the host or network is
detected, it is then brought down.
B. Attacker sends SYN packets with source and destination addresses for the IP address where the attacker is. A SYN-ACK message is sent to their own address,
so is the presence of an attacker hosts a large number of air connections.
C. An attacker can target where to send a UDP packet in the network. The source address of the packet is being attacked. Host address, destination address are in
the subnet broadcast address where the attack host the subnet network address using destination port number 7 or 19.
D. An attacker using a network or host receives an ICMP unreachable packets, the packets destined for the follow-up of this destination address directly considered
unreachable, thereby cutting off the connection to the host destination.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
Which of the following protocol packets can not be sent by default in an IPsec tunnel?

A. TCP
B. UDP
C. ICMP
D. IGMP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Which of the following statements are correct about the Eth-trunk function? (Choose three answers)

A. It improves communication bandwidth of the link
B. It improves data security
C. Traffic load balancing
D. It improves the reliability of the link

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
Which of the following statements is correct one for the dual hot standby in conjunction with IPSec functionality?

A. USG supports IPsec primary backup mode of hot standby.
B. Load does not support IPsec stateful failover under balancing.
C. You must configure the session fast backup.
D. You must configure preemption

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
What type of packet is a VRRP HELLO message sent as?

A. unicast packets
B. broadcast packets
C. multicast packets
D. UDP packets

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
IPsec VPN using digital certificates for authentication has the following steps:
1. Certificate signature verification
2. Find the certificate serial number in the CRL
3. Both devices share their entity certificate
4. Verify the certificate is valid
5. Establish a VPN tunnel
Which of the following is the correct pattern?

A. 3-2-1-4-5
B. 1-3-2-4-5
C. 3-1-4-2-5
D. 2-4-3-1-5

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
With regard to the Radius protocol, which of the following statements are correct? (Choose three answers)

A. Radius uses the UDP protocol to transmit packets
B. authentication and authorization port number can be 1812
C. To account for encryption processing using the Radius protocol to transmit user account and password
D. authentication and authorization port number can be 1645

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
The following virtual firewall networking, USG provided outwardly rough business, VPN instance vfw1 coarse A, to the enterprise network diagram below.
A foreign enterprise network users need to access via PC C. Server B in DMZ zone is NAT’ed. If I want to achieve this requirement, then I must have following key
configuration? (Choose three answers)

A. [USG] ip vpn-instance vfw1 vpn-id 1
B. [USG] ip vpn-instance vfw1
[USG-vpn-vfw1] route-distinguisher 1001
[USG-vpn-vfw1] quit
C. [USG] nat server zone vpn-instance vfw1 untrust global 2.1.2.100 inside 192.168.1.2 vpn-instance vfw1
D. [USG] nat address-group 1 2.1.2.5 2.1.3.10 vpn-instance vfw1

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
In a dual-system hot backup, the backup channel must be the primary interface port by the board, which type is not supported?

A. Ethernet
B. GigabitEthernet
C. E1
D. vlan-if

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
As shown in a corporate network, where the USG_A and USG_B a hot standby configuration, USG_A based devices. Administrators want to configure SSL VPN
enables branch employees can access through SSL VPN headquarters on the firewall.

The SSL VPN virtual gateway address should be and why?

A. 202.38.10.2/24
B. 202.38.10.3/24
C. 202.38.10.1/24
D. 10.100.10.2/24

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
As shown in the figure, in the BFD for OSPF networking scenario:
1. Run OSPF between FW_A, FW_B and FW_C. All three devices are neighbors.
2. To reach FULL neighbor state, configure OSPF BFD and linkage. BFD finished creating BFD sessions.
Which of the following statements are correct? (Choose two answers)

A. When a link fails, BFD detects it first, and FWA and FWB converge quickly
B. Link switchover takes place at the seconds level
C. FWA handles the neighbor Down event and recalculates routes; the new route uses link b
D. When a link fails, OSPF converges and automatically notifies BFD

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
