
Huawei Exam H12-711 HCNA-Security-CBSN (Huawei Certified Network Associate Constructing Basic Security Network)

Total Questions: 363 Q&A's
Web URL: http://www.becertify.com/h12-711-exam-training-49223.htm


Huawei H12-711 Exam

QUESTION NO: 1 After user Wang dials an L2TP VPN from outside the network using the VPN client, he obtains an address normally and can access all resources within the network, but cannot open pages on the Internet. What is a possible reason? A. VPN device software version is incorrect B. VPN client software version is incorrect C. Misconfigured firewall L2TP D. After the L2TP VPN dial-in, the local computer's default route points to the address obtained by the dial-up Answer: D

QUESTION NO: 2 In tunnel mode with the AH security protocol, which of the following fields of the new IP packet header is not covered by the data integrity check? A. TTL B. Source IP address C. Destination IP address D. The source IP address and destination IP address Answer: A

QUESTION NO: 3 When the SSL VPN file sharing application is used, a user name, password, and domain information need to be entered; in order not to enter a user name and password, you can set the permissions on the file sharing server. A. True B. False Answer: A

"Pass Any Exam. Any Time." - 100% Guarantee


QUESTION NO: 4 Which of the following is an IETF industry-standard VPN protocol? A. PPTP B. L2F C. L2TP D. PP2F Answer: C

QUESTION NO: 5 Difference IPSEC security protocol that AH AH and ESP can achieve
data encryption, data validation to support a wider range of ESP? A. True B. False Answer:
B

QUESTION NO: 6 ASPF enables the firewall to support protocols that use multiple data channels on one control channel, and also makes it easier to formulate security policies when applications are very complex. A. True B. False Answer: A

QUESTION NO: 7 In the SVN3000 network extension application, the client obtains an IP address in two ways: from the virtual gateway address pool and from a DHCP server within the network. A. True B. False Answer: A

QUESTION NO: 8 What is the difference between Network Address Port Translation (NAPT) and Network Address Translation (NAT)? (Choose two) A. After NAPT translation, to users outside the network all packets come from the same IP address or a few IP addresses B. NAT only supports application layer protocol address translation C. NAPT only supports network layer protocol address translation D. NAT supports network layer protocol address translation Answer: A,D

QUESTION NO: 9 In a GRE configuration environment, in Tunnel interface mode, what does the destination address generally refer to? A. The IP address of the local-end Tunnel interface B. The egress IP address of the local-end external network C. The ingress IP address of the peer external network D. The IP address of the remote Tunnel interface Answer: C

QUESTION NO: 10 Which of the following are IPSec security protocols? (Choose two) A. AH B. ESP C. 3DES D. AES Answer: A,B

QUESTION NO: 11 What is the correct order of the SVN3000 file sharing interaction process? 1. The file server accepts the request packet and sends an SMB-format response packet to the SVN; 2. The client user initiates an HTTPS-format request for the intranet file server, which is sent to the SVN; 3. The SVN converts the SMB response packet to HTTPS format and forwards it to the client; 4. The SVN converts the HTTPS request to SMB packet format and forwards it to the file server. A. 1-2-3-4 B. 2-4-1-3 C. 3-1-4-2 D. 3-1-2-4 Answer: B

QUESTION NO: 12 In which of the following scenarios are access control lists mainly used? (Choose three) A. Network Address Translation (NAT) B. QoS C. Policy Routing D. GRE Answer: A,B,C

QUESTION NO: 13 Which of the following protocols is the Internet transport protocol most used worldwide by GRE VPN technology? A. GRE B. IPX C. IP D. TCP Answer: C

QUESTION NO: 14 When using one or many-way NAT translation (non-PAT), once all the external IP addresses are in use (in a scenario where NAT is used to access the Internet), what happens when subsequent users try to access the Internet? A. Squeezing out the previous user, forcing the NAT Internet B. Subsequent users will not be able to access the network C. NAT automatically switches to PAT for Internet access D. The packets are synchronized to other devices for NAT translation Answer: B

QUESTION NO: 15 Which of the following is a multi-channel protocol? A. FTP B. Telnet C. HTTP D. SMTP Answer: A

QUESTION NO: 16 Which description of stateful inspection firewalls and packet filtering firewalls is correct? A. A packet filtering firewall does not need to match every packet entering the firewall against the rules; B. Because UDP is a connectionless protocol, a stateful inspection firewall cannot match UDP packets against the state table; C. When a stateful inspection firewall inspects packets, earlier and later packets of the same connection are not related. D. A stateful inspection firewall only needs to match the first packet of a connection against the access rules; subsequent packets of the connection are matched directly in the state table (TCP applications, for example) Answer: D

QUESTION NO: 17 Firewalls can protect the security of the internal network on the Internet, but cannot protect the security of hosts in an internal network. A. True B. False Answer: B

QUESTION NO: 18 Packet filtering that references acl2000 is applied on a firewall interface. When an IP packet with source IP address 192.168.0.55 reaches the interface, which of the following statements are correct? (Choose two)

acl 2000 match-order auto
 rule permit source 192.168.0.1 0.0.0.255
 rule deny source 192.168.0.32 0.0.0.31

A. The IP packet matches the permit policy and is forwarded by the firewall B. The IP packet matches the deny policy and is discarded by the firewall C. acl2000 uses the configuration-order match priority D. acl2000 uses a depth-first match order Answer: B,D

QUESTION NO: 19 SVN file sharing technology converts the file sharing protocol to the SSL-based Hypertext Transfer Protocol (HTTPS); to end users it appears as a Web-based file server application. A. True B. False Answer: A

QUESTION NO: 20 By what information (protocol field) does the LNS determine that a packet is an L2TP packet and send it to the L2TP protocol processing module for processing? A. LAC client source IP address B. The LNS destination IP address C. Source UDP port 1701 D. UDP port 1701 Answer: D

QUESTION NO: 21 When the TSM system supports strong linkage with anti-virus software, anti-virus software will be able to drive anti-virus and other operations. A. True B. False Answer: A

QUESTION NO: 22 In which of these scenarios do mobile users need to install additional VPDN software with the (L2TP) feature? A. User-initiated L2TP VPN B. NAS-initiated L2TP VPN C. LNS-initiated L2TP VPN D. All other options are Answer: B

QUESTION NO: 23 Which of the following is a main feature of a stateful inspection firewall? A. Processing speed B. Excellent follow-up packet processing performance C. Only inspects the network layer D. Packet filtering inspection for each packet Answer: B

QUESTION NO: 24 When configuring L2TP, which statement about the command allow l2tp virtual-template is correct? A. Used on the LNS to specify the trigger condition for initiating a call B. Used on the LAC to specify the trigger condition for initiating a call C. Used on the LAC to specify the Virtual-Template used when accepting a call D. Used on the LNS to specify the Virtual-Template used when accepting a call Answer: D

QUESTION NO: 25 Which of the following security features can AH provide? (Choose three) A. Data origin authentication B. Data Confidentiality C. Data integrity check D. Anti-replay Answer: A,C,D

QUESTION NO: 26 Which of the following protocols is a multi-channel protocol? A. WWW B. FTP C. PING D. TELNET Answer: B

QUESTION NO: 27 For which scenario is PPPoE mainly used? A. Provide remote access users access to Ethernet B. Provide access to remote Ethernet services for dial-up users C. Enable the data packets of users accessing the Internet to be encrypted D. Enable the user to access the Internet faster Answer: A


QUESTION NO: 28 Which of the following statements about E1 and CE1 are correct? (Choose three) A. Can operate in clear channel mode B. E1 working in non-channelized mode is in unframed mode C. E1 working in framed mode can only bundle timeslots once D. CE1 working in unframed mode can bundle multiple timeslots Answer: A,C,D

QUESTION NO: 29 A packet filtering firewall inspects each packet at the application layer and forwards or discards packets according to the configured security policy. A. True B. False Answer: B

QUESTION NO: 30 The interzone packet filtering matching principle is: first look up the inter-domain policy; if there is no matching policy, no other policies are looked up, and the packet is discarded directly and refused passage. A. True B. False Answer: B

QUESTION NO: 31 Meaning Trunk Access Port PVID value and significance of the port
PVID bit different, in Access represents the value of the default VLAN, but said the port
belongs to the VLAN Trunk actually. A. True B. False Answer: B

QUESTION NO: 32 Compare similar symmetric encryption algorithms and asymmetric encryption algorithm key distribution method, encryption and decryption are performed by the information sent to the receiver key, the method can be used to send E-mail and other means. A. True B. False Answer: B

QUESTION NO: 33 A packet filtering firewall does not check session state or analyze data content, so security cannot be adequately protected. A. True B. False Answer: A

QUESTION NO: 34 Asymmetric encryption algorithms are stronger than symmetric algorithms because asymmetric algorithms have longer key lengths. A. True B. False Answer: B

QUESTION NO: 35 Which of the following types of SVN3000 virtual gateway can be accessed using the IP address and can also be accessed using the domain name? A. Exclusive type B. Share-based C. Fixed D. Manual type Answer: A

QUESTION NO: 36 A stateful inspection firewall intercepts packets at the network layer, extracts from each application layer the state information that the security policy needs, and saves it in the session table; by analyzing the session table and the subsequent connection requests associated with the data packets, it makes the appropriate decision. A. True B. False Answer: A

QUESTION NO: 37 In which of the following L2TP VPN modes is the tunnel established between the client side and the LNS? A. Client-Initialized L2TP way B. NAS-Initialized L2TP way C. Unsolicited L2TP D. VPDN Answer: A

QUESTION NO: 38 Which VPN types can be used for mobile user access? (Choose two) A. GRE B. L2TP C. MPLS D. L2TP + IPSec Answer: B,D

QUESTION NO: 39 The NAT configuration of a USG (Eudemon) firewall is as follows:

#
nat address-group 1 10.1.1.5 10.1.1.10
nat server 1 protocol tcp global 1.1.1.1 ftp inside 10.1.1.2 ftp
#
nat-policy interzone dmz untrust inbound
 policy 0
 action source-nat
 policy destination 1.1.1.1 0
 address-group 1
#

Which of the following statements is correct? A. NAT outbound configuration; when network users access the external network, the address is translated into an address in the address pool 10.1.1.5 10.1.1.10 B. When an untrust host accesses nat server 1.1.1.1, the destination address is translated into 10.1.1.2 and the original address is unchanged C. Intra-domain NAT; when a DMZ host accesses nat server 1.1.1.1, the destination address is translated into 10.1.1.2 and the source address into an address from address pool 1 D. NAT inbound configuration; when an untrust host accesses nat server 1.1.1.1, the destination address is translated into 10.1.1.2 and the source address into an address from address pool 1 Answer: D

QUESTION NO: 40 Which of the following are common symmetric encryption algorithms? (Choose three) A. DES B. 3DES C. AES D. MD5 Answer: A,B,C

QUESTION NO: 41 Which address range does rule permit ip source 192.168.11.32 0.0.0.31 represent? A. 192.168.11.0-192.168.11.255 B. 192.168.11.32-192.168.11.63 C. 192.168.11.31-192.168.11.64 D. 192.168.11.32-192.168.11.64 Answer: B

QUESTION NO: 42 Which of the following statements about NAT address translation are correct? (Choose three) A. NAT technology can effectively hide the hosts on the LAN and is an effective network security technology. B. NAT can, according to the user's needs, provide FTP, WWW, Telnet and other services outside the LAN. C. Some application layer protocols carry IP address information in their data; when NAT is performed on them, the IP address information in the upper-layer data must also be modified. D. For some non-TCP, non-UDP protocols (such as ICMP, PPTP), NAT cannot do the conversion. Answer: A,B,C

QUESTION NO: 43 When you configure IPSec, which statements about the command ike local-name are correct? (Choose two) A. When using aggressive mode with name authentication, you need to configure the local name B. When using main mode, you need to configure the local name C. The local name must be consistent with the remote-name configured on the peer side D. The local name must be consistent with the locally configured remote-name Answer: A,C

QUESTION NO: 44 In which of the following ways can the SVN3000 control user access? (Choose three) A. IP B. MAC C. PORT D. URL Answer: A,C,D

QUESTION NO: 45 When the devices at both ends of the tunnel use the IPSec non-template approach, the ACLs need to be configured as complete mirrors of each other. A. True B. False Answer: A

QUESTION NO: 46 Which of the following descriptions of the standard ACL is incorrect? A. The standard access control list is also known as the basic access control list. B. A standard access control list includes the rule number, the action to perform, and the source IP address. C. Standard access control lists are typically applied in scenarios where only the source address of the packet needs to be defined. D. A standard access control list can control the protocol type Answer: D

QUESTION NO: 47 Which of the following protocols work at the data link layer? (Choose three) A. IP B. PPP C. HDLC D. FR Answer: B,C,D

QUESTION NO: 48 With which of the following components does the hardware SACG primarily exchange data? A. SM management server B. SC control server C. Agent D. The database server Answer: B

QUESTION NO: 49 For which of the following types of Ethernet switch ports may data still carry VLAN identification after flowing out of the port? (Choose two) A. Access Port B. Trunk port C. Hybrid port D. Switch port Answer: B,C

QUESTION NO: 50 With the SVN3000 network extension function, to ensure that a remote user can only access the corporate network and cannot access the local LAN or the Internet, which routing mode does the client need to use? A. Full-channel mode (Full Tunnel) B. Separation channel mode (Split Tunnel) C. Routing (route Tunnel) D. Manually (Manual Tunnel) Answer: A

QUESTION NO: 51 Source socket means: source IP address + port + source and
destination IP address A. True B. False Answer: B

QUESTION NO: 52 For inter-domain packet filtering, which of the following statements are correct? (Choose three) A. The policy 1 disable command disables policy 1 B. By default, Policy to create higher the priority, the more the first match C. When the policy move command is used to adjust the position of a policy, the policy id changes accordingly D. Once a Policy is matched, the packet is processed according to that Policy's definition and matching does not continue further down Answer: A,B,D

QUESTION NO: 53 When a router receives a packet, if no matching specific route entry is found, the packet can be forwarded according to the default route in the routing table. A. True B. False Answer: A

QUESTION NO: 54 Advanced ACLs 2000 ~ 2999 can use the packet's source address, destination address, and protocol type carried over IP (such as TCP source port, destination port, ICMP protocol type, message code, etc.) to define rules. A. True B. False Answer: B

QUESTION NO: 55 In firewall inter-domain packet filtering, which of the following is not in the Outbound direction? A. Data flowing from the DMZ zone to the Untrust zone B. Data flowing from the Trust zone to the DMZ zone C. Data flowing from the Trust zone to the Untrust zone D. Data flowing from the Trust zone to the Local zone Answer: D

QUESTION NO: 56 Which command line is used to view L2TP user information? A. display l2tp session B. display l2tp tunnel C. display access-user D. display right-manager online-users Answer: C

QUESTION NO: 57 Which of the following statements about Client-Initialized L2TP VPN are correct? (Choose three) A. The remote user accesses the NAS via PSTN / ISDN and, after obtaining permission to access the Internet, initiates an L2TP tunnel connection request directly to the remote LNS. B. After the LNS device receives the user's L2TP connection request, it authenticates the user based on the user name and password C. The LNS assigns a private IP address to the remote user. D. Remote dial-up VPN users do not need to install software Answer: A,B,C

QUESTION NO: 58 Which of the following products can provide NAT audit log management? A. TSM B. DSM C. eLog D. VSM Answer: C

QUESTION NO: 59 Note that when clearing SAs, first clear the Phase 1 ISAKMP SA and then clear the Phase 2 IPSec SA. A. True B. False Answer: B

QUESTION NO: 60 Which of the following components of the TSM system is optional? A. TMC (TSM Management Center) B. SM Security Manager C. SC safety controller D. SA Security Agent Answer: A

QUESTION NO: 61 For an encryption algorithm under the same conditions, the longer the key length, the higher the cost of cracking it. A. True B. False Answer: A

QUESTION NO: 62 If IPSec is to validate the new IP packet header, which IPSec security protocol needs to be used? A. AH B. ESP C. MD5 D. SHA1 Answer: A

QUESTION NO: 63 Which of the following is not included in a digital certificate? A. Name of the certificate holder B. Validity period of the certificate C. Public key of the certificate D. Private key of the certificate Answer: D

QUESTION NO: 64 Which of the following access modes does network extension not support? A. Separation mode (Split Tunnel) B. Full routing mode (Full Tunnel) C. Fixed Mode (Fixed Tunnel) D. Manual mode (Manual Tunnel) Answer: C

QUESTION NO: 65 Which of the following three types of VPN provides more assurance in terms of security? A. GRE B. PPTP C. IPSec D. L2F Answer: C

QUESTION NO: 66 In which of the following scenarios is IP-link mainly used? (Choose two) A. Link Aggregation B. Static Routing C. Hot Standby D. Long connection Answer: B,C

QUESTION NO: 67 Which of the following statements about ASPF are correct? (Choose two) A. ASPF checks application layer protocol information and monitors the connection status of application layer protocols B. ASPF dynamically generates ACLs to determine whether packets pass through the firewall C. Servermap table entries are temporary entries D. The Servermap table uses a five-tuple to represent a session Answer: A,C

QUESTION NO: 68 Under all circumstances, packets between 2 interfaces must pass through the firewall's interzone packet filtering. A. True B. False Answer: B

QUESTION NO: 69 For E1/CE1 configuration (1. configure the virtual serial port IP address; 2. configure the virtual serial link layer protocol; 3. configure the E1 mode; 4. configure timeslot bundling), the correct configuration sequence is: A. 1-2-3-4 B. 2-1-3-4 C. 3-4-2-1 D. 4-3-2-1 Answer: C

QUESTION NO: 70 In network security, interruption means that an attacker compromises the resources of a network system, making them invalid or useless. This is an attack on ()? A. Availability B. Confidentiality C. Integrity D. Truth Answer: A

QUESTION NO: 71 Which of the following types of VPN is suited to personnel on business trips? A. Access VPN B. Intranet VPN C. Internet VPN D. Extranet VPN Answer: A

QUESTION NO: 72 Which of the following statements about NAT are incorrect? (Choose two) A. NAT Outbound refers to source IP address translation, NAT Inbound refers to destination IP address translation B. The NAT Inbound command and the NAT Server command have the same function, and which to configure can be chosen according to personal preference C. NAT in the Outbound direction supports the following applications: one-many, many-to D. NAT technology supports multi-channel protocols, such as FTP and other standard multi-channel protocols Answer: A,B

QUESTION NO: 73 When the command reset saved-configuration is executed in the system view, the configuration file will be erased. A. True B. False Answer: B

QUESTION NO: 74 In IPSEC VPN, the tunnel mode is mainly used in which of the
following scenarios? A. Between the host and the host B. Between the host and the security
gateway C. Between security gateways D. Between tunnel mode and transport mode
Answer: C

QUESTION NO: 75 ACL 2009 belongs to () A. Standard access control list B. Extended access control lists C. MAC address-based access control lists D. Time-based access control lists Answer: A

QUESTION NO: 76 Which of the following domains does the TSM system consist of? (Choose three) A. Pre-authentication domain B. Post-authentication domain C. Isolated domain D. TSM domain Answer: A,B,C

QUESTION NO: 77 Which protocols are used to communicate between the Client and the LAC? (Choose two) A. PPP B. PPPOE C. IP D. UDP Answer: A,B

QUESTION NO: 78 In some scenarios, it is necessary to translate the source IP address and also the destination IP address; this is called bidirectional NAT. A. True B. False Answer: A

QUESTION NO: 79 Which of the following devices will not be affected by the control of the "Monitoring USB storage device" policy? A. USB mouse B. U disk C. USB drive D. USB hard drives Answer: A

QUESTION NO: 80 After acl 3000 match-order auto is configured, in what way will the data flow be matched against the ACL? A. Automatic-order matching, that is, matching according to the "depth-first" principle. B. Configuration-order matching, that is, matching in the order in which the user configured the ACL. C. First match by automatic ordering, then match by the configured order. D. The firewall is not configured Answer: A

QUESTION NO: 81 If the devices at both ends of a GRE Tunnel are configured with an identification keyword, the keywords must be consistent in order to pass validation. A. True B. False Answer: A

QUESTION NO: 82 On the firewall, in which mode is the detect ftp command configured? A. System mode B. Interface mode C. Domain mode D. Inter-domain mode Answer: D

QUESTION NO: 83 The tunnel interface (Tunnel Interface) is a multipoint-type virtual interface provided to implement packet encapsulation. A. True B. False Answer: B

QUESTION NO: 84 Which access methods are supported by the network extension of the SVN3000 product? (Choose three) A. Full-channel mode (Full Tunnel) B. Separation channel mode (Split Tunnel) C. Routing (route Tunnel) D. Manually (Manual Tunnel) Answer: A,B,D

QUESTION NO: 85 Which of the following statements about L2TP messages is incorrect? A. L2TP supports two types of messages: control messages and data messages B. Control messages are used for tunnel and session connection establishment, maintenance, and transmission control. C. Data messages are used to encapsulate PPP frames and are transmitted over the tunnel. D. Control messages and data messages are both transmitted reliably, with flow control and congestion control. Answer: D

QUESTION NO: 86 When a data frame enters a switch Access port, the port checks whether the data frame carries a VLAN tag; if it carries a tag, the frame is discarded; if it has no tag, it is marked with the PVID of the port. A. True B. False Answer: A

QUESTION NO: 87 Regarding GRE checksum verification, when checksum is configured on the local end but not on the peer end, which of the following descriptions are correct? (Choose two) A. The local end verifies the checksum of received packets B. The peer end verifies the checksum of received packets C. The local end calculates the checksum for sent packets D. The peer end calculates the checksum for sent packets Answer: B,C

QUESTION NO: 88 Private enterprise network addresses cannot be routed on the Internet; if users with private network addresses need to access the Internet, they need to go through NAT. A. True B. False Answer: A

QUESTION NO: 89 A Security Alliance (SA) is uniquely identified by a tuple composed of which of the following? (Choose three) A. SPI B. Source IP address C. Destination IP address D. Security Protocol No. Answer: A,C,D

QUESTION NO: 90 An advanced ACL can match traffic by the dimensions of source IP address, destination IP address, source MAC address, destination MAC address, and protocol. A. True B. False Answer: B

QUESTION NO: 91 Which of the following statements about TSM deployment are correct? (Choose three) A. In centralized deployment, SM and SC cannot be installed on the same server B. In centralized deployment, SCs can be deployed as a cluster to achieve system redundancy C. When the scale of terminals is quite large, consider using distributed networking to avoid a large number of terminals accessing the TSM server and taking up a lot of network bandwidth D. In distributed deployment, TSM security agents select the nearest control server for access authentication, access control, and other services. Answer: B,C,D

QUESTION NO: 92 LAC is a device with PPP and L2TP protocol processing capabilities.
A. True B. False Answer: A

QUESTION NO: 93 In which of the following IKE exchange modes can the peer be identified either by IP address or by name? A. Master Mode B. Aggressive Mode C. Fast mode D. Passive mode Answer: B

QUESTION NO: 94 When configuring L2TP, which statements about the command start l2tp {ip ip-address are correct? (Choose three) A. Used on the LNS to specify the trigger condition for initiating a call B. Used on the LAC to specify the trigger condition for initiating a call C. You can specify the domain name as a trigger condition D. You can specify the full name as a trigger condition Answer: B,C,D

QUESTION NO: 95 What is the default step setting of firewall access control lists? A. 1 B. 3 C. 5 D. 10 Answer: C

QUESTION NO: 96 Which of the following techniques can be used to reject illegal hosts or illegal data packets? (Choose three) A. MAC and IP address binding B. ACL C. Blacklist D. Static Routing Answer: A,B,C

QUESTION NO: 97 In which of the following ways can VPN Client users initiate a request to the LAC device? (Choose two) A. PPP B. PPPOE C. IP D. TCP Answer: A,B

QUESTION NO: 98 By which of the following does GRE select the data stream to be protected, that is, select which packets are encapsulated into GRE packets? A. ACL B. Static Routing C. Routing Policy D. User Account Answer: B

QUESTION NO: 99 What are the main differences between IKE main mode and aggressive mode? (Choose two) A. Main mode uses three messages for the exchange, aggressive mode uses six messages B. The last two messages of main mode are encrypted, providing identity protection C. The last two messages of aggressive mode are encrypted, providing identity protection D. Main mode can only identify the peer by IP address, while aggressive mode can identify the peer by IP address or by name. Answer: B,D

QUESTION NO: 100 In IPSec tunnel mode applications, which of the following areas of the data packet are protected by encryption? (Choose two) A. The entire data packet B. Original IP header C. The new IP header D. Transport layer and upper layer packets Answer: B,D

QUESTION NO: 101 Which of the following types of interfaces can handle PPP protocol packets? A. interface Virtual-Template 1 B. interface Ethernet 0/0 (within the network) C. interface Ethernet 0/0 (external network) D. interface loopback 1 Answer: A

QUESTION NO: 102 For a stateful inspection firewall, TCP packets that are not the first packet will not undergo interzone packet filtering checks. A. True B. False Answer: A

QUESTION NO: 103 What is the maximum number of concurrent users supported by a single TSM server system? A. 5000 B. 10000 C. 20000 D. 40000 Answer: C

QUESTION NO: 104 In which of the following IKE exchange modes can the peer only be identified by IP address? A. Master Mode B. Aggressive Mode C. Fast mode D. Passive mode Answer: A

QUESTION NO: 105 Which of the following protocols work at the application layer? (Choose two) A. ARP B. IGMP C. TELNET D. TFTP Answer: C,D

QUESTION NO: 106 After the Ethernet interface on the LAC is configured to bind the virtual template interface, the Ethernet interface may be configured with an IP address. A. True B. False Answer: A

QUESTION NO: 107 Which statements about the firewall's built-in trust and untrust security zones are correct? (Choose two) A. Access from the trust zone to the untrust zone is in the outbound direction B. Access from the trust zone to the untrust zone is in the inbound direction C. The direction of inter-domain access does not depend on which zone initiated it; it is associated only with priority D. When entering the inter-domain view, the trust zone must be placed first Answer: A,C

QUESTION NO: 108 Which of the following protocols work at the network layer? (Choose two) A. ICMP B. IGMP C. FTP D. TELNET Answer: A,B

QUESTION NO: 109 When packets are forwarded based on routing table information, which of the following is used to select the matching route for forwarding? A. The route entry with the longest mask length B. Route cost C. Route priority D. Routing Protocol Answer: A

QUESTION NO: 110 Which statement about the IP address obtained after successful L2TP user authentication is incorrect? A. User addresses are allocated in two ways: a bound, pre-assigned IP address, or an IP address dynamically assigned from the address pool B. The IP address assigned to an L2TP user can be any address C. The IP address assigned to an L2TP user is in the same network segment as the network to be accessed D. Address assignment should be planned well in advance to avoid address conflicts Answer: B

QUESTION NO: 111 Which of the following statements is correct? A. Ability to International
Organization for Standardization definition of "security" is a way to identify and mitigate
insecurity B. Security is to find a balance between confidentiality and integrity C. A high
level of security technologies and policies can make the device or network without any risk
D. Information security is a subset of network security is a comprehensive and continuous
technology Answer: A

QUESTION NO: 112 Which statements about L2TP VPN configuration are correct? (Choose three)
A. The LNS L2TP client must configure the IP address of the virtual interface template, and
the virtual interface template needs to join the security domain B. To ensure that dial-up
users can log on normally, you must configure a firewall policy between the security zone
of the physical interface that receives L2TP tunnel packets and the Local zone C. If
dial-up users need access to internal network resources, you must configure a firewall
policy between the security zone of the virtual template interface and the security zone
where the internal network is located D. If a virtual template interface has been added to
a security zone, you can directly delete the security zone. Answer: A,B,C

QUESTION NO: 113 A user logs in to a device via TELNET and, having forgotten the password,
fails login authentication many times, so the account is frozen for several minutes. Which
technology is at work? A. ACL B. Attack prevention C. Blacklist D. Account frozen
Answer: C

QUESTION NO: 114 GRE’s features include: (Choose three) A. Simple mechanism B. Small CPU
load on both ends of the tunnel C. Encrypt data D. Does not provide traffic control and
QoS. Answer: A,B,D

QUESTION NO: 115 When configuring an L2TP group, which of the following commands indicates
that l2tp-group 1 is the default L2TP group? A. allow l2tp virtual-template 1 remote
Client01 B. allow l2tp virtual-template 1 remote default C. allow l2tp virtual-template 1
D. allow l2tp virtual-template 1 default Answer: C

QUESTION NO: 116 The TSM system supports strong linkage with antivirus software such as
Duba Online version 5.0, KV2010 Jiangmin and Rising Online. A. True B. False Answer: B

QUESTION NO: 117 Which of the following statements about TSM domains is not correct? A. The
pre-authentication domain is the area the client can access before authentication B. The
post-authentication domain is the area the client can access after passing security
authentication C. Isolated domain refers to the area by the client access authentication
must D. The isolated domain is the area the client needs to access when its security
authentication fails Answer: C

QUESTION NO: 118 Which of the following access control methods does TSM support? (Choose
three) A. Hardware SACG (Hardware Security Access Control Gateway) B. 802.1X C. Software
SACG (host firewall) D. ARP control Answer: A,B,C

QUESTION NO: 119 The eLog log management system uses a B/S architecture, supports
centralized and distributed deployment and diverse log acquisition modes, and provides the
industry's most extensive device support. A. True B. False Answer: A

QUESTION NO: 120 A proxy firewall works at the transport layer of the network; in essence,
the proxy firewall takes over the services that would otherwise run directly between
internal network and external network users. A. True B. False Answer: B

QUESTION NO: 121 Which of the following statements about the different types of firewalls
are correct? (Choose three) A. A packet filtering firewall checks every packet passing
through the firewall against the ACL B. A stateful inspection firewall performs the ACL
check only on the first packet, which does not hit an existing session C. A stateful
inspection firewall needs ACLs configured for both the "go" and "back" directions of a
packet D. In essence, a proxy firewall takes over the services running directly between
internal network and external network users Answer: A,B,D

QUESTION NO: 122 What is the priority of the DMZ zone? A. 5 B. 50 C. 85 D. 100 Answer: B

QUESTION NO: 123 Which of the following are symmetric encryption algorithms? (Choose two)
A. DES B. 3DES C. SHA-1 D. MD5 Answer: A,B

QUESTION NO: 124 SVN can be configured so that users are only allowed to access the remote
enterprise network and cannot access the Internet or local area networks. A. True B. False
Answer: A

QUESTION NO: 125 Encryption technology includes which of the following elements? (Choose
three) A. Tunneling algorithm B. Key C. Ciphertext D. Encryption Algorithm Answer: B,C,D

QUESTION NO: 126 Which of the following descriptions of VLAN tag processing is wrong? A.
When a Trunk port receives a frame, if the frame does not contain an 802.1Q tag header, it
is tagged with the port's PVID; if the frame contains an 802.1Q tag header, it is not
changed. B. When a Trunk port sends a frame, if the frame's VLAN ID differs from the port’s
PVID, the frame is discarded; if the frame's VLAN ID is the same as the port's PVID, the
frame is passed through C. When an Access port receives a frame, if the frame does not
contain an 802.1Q tag header, it is tagged with the port's PVID; if the frame contains an
802.1Q tag header, the switch does not process it and discards it directly. D. When an
Access port sends a frame, it strips the 802.1Q tag header and sends an ordinary Ethernet
frame Answer: B

QUESTION NO: 127 Which statements about domain NAT are correct? (Note: the internal network
IP address is a private address, and the IP address of the network boundary is a public
address) (Choose two) A. First NAT within the user's source IP address of the request
packet into the network server IP address B. Will request packets based on source and
destination IP address conversion C. The request packet destination IP address into the IP
address of the network server D. After the data within the network server will receive a
packet processing, packet destination IP address back to convert that into a public IP
address (the IP address of the network boundary) Answer: B,C

QUESTION NO: 128 What is the ACL number range for hardware packet filtering? A. 2000-2999
B. 3000-3999 C. 4000-4999 D. 9000-9499 Answer: D

QUESTION NO: 129 A proxy firewall checks the request from the user; once the user passes
the security policy check, the firewall establishes a connection to the real server on
behalf of the external user, forwards the external user's request, and returns the real
server's response to the external user. A. True B. False Answer: A

QUESTION NO: 130 GRE VPN itself does not have the ability to provide data integrity
verification or transmission confidentiality. A. True B. False Answer: A

QUESTION NO: 131 If the IKE negotiation mode is main mode, the ID type can only be
configured as IP address. If the negotiation mode is aggressive mode, the ID type can only
be configured as name. A. True B. False Answer: B

QUESTION NO: 132 For NAT configured in the outbound direction with the no-pat parameter,
which of the following descriptions are wrong? (Choose three) A. Only source IP address
translation is performed B. Only destination IP address translation is performed C. The
source IP address and source port are translated D. The destination IP address and
destination port are translated Answer: B,C,D

QUESTION NO: 133 VPN tunneling technology uses data encryption algorithms (such as DES,
3DES) to ensure that data transmitted over the network will not be intercepted. A. True
B. False Answer: B

QUESTION NO: 134 Which of the following does not belong to the IP packet quintuple? A.
Source IP address B. Destination MAC address C. Protocol number D. Source port Answer: B

QUESTION NO: 135 The firewall supports three main VPDN VPNs, namely L2TP, PPTP and IPSec.
A. True B. False Answer: B

QUESTION NO: 136 The SVN3000 port proxy function is mainly used for C/S and other
applications that cannot be accessed using web techniques. A. True B. False Answer: A

QUESTION NO: 137 To ensure that remote L2TP dial-up users can access the corporate network
normally, the IP address assigned to the user must not be on the same network segment as
the enterprise network services and resources to be accessed (without considering ARP
Proxy technology). A. True B. False Answer: A

QUESTION NO: 138 When a trunk port is configured to allow certain VLANs through, the trunk
port belongs to these VLANs. A. True B. False Answer: A

QUESTION NO: 139 In some scenarios, it is necessary to translate both the source IP address
and the destination IP address; this is called bidirectional NAT. A. True B. False
Answer: A

QUESTION NO: 140 In IPSec tunnel mode, which field does ESP validate? A. Original IP packet
header B. The new IP packet header C. TCP packet header D. Application layer data
Answer: A

QUESTION NO: 141 Which of the following technologies does the SVN3000 network expansion
feature use for business resource access control? A. Static Routing B. Dynamic Routing C.
ACL D. Policy Routing Answer: A

QUESTION NO: 142 Which type of SVN3000 virtual gateway can only be accessed using a domain
name? A. Exclusive type B. Share-based C. Fixed D. Manual type Answer: B

QUESTION NO: 143 By what means does the LAC establish the L2TP VPN tunnel? (Choose two) A.
User Account B. Domain name C. ACL D. Routing Table Answer: A,B

QUESTION NO: 144 When configuring a time range for an ACL, you can specify the name of the
time range to bind. Multiple time periods can be configured under the same time range name;
these time periods have a () relationship. A. "Or" B. "And" C. "XOR" D. "With or"
Answer: A

QUESTION NO: 145 Which of the following does the Servermap table use? A. Quintuple B. Quad
C. Triples D. Tuple Answer: C

QUESTION NO: 146 To let traveling mobile users access the enterprise's internal file
server, which of the following SSL VPN functions is the best choice? A. Web Proxy B. File
Sharing C. Port Forwarding D. Network expansion Answer: B

QUESTION NO: 147 Which of the following payload protocols does L2TP support? A. IP B. IPX
C. NetBEUI D. More support Answer: D

QUESTION NO: 148 A client wants to access FTP server services across the firewall's trust
and untrust domains. The client has been allowed to access TCP port 21 on the server, but
it can only log in to the server and cannot download files. Which of the following
solutions are possible? (Choose three) A. Modify the default access policy between the
trust and untrust domains to permit in both directions B. When FTP works in port mode,
modify the default access policy in the inbound direction between the untrust and trust
domains to permit C. Enable detect ftp between the trust and untrust domains D. When FTP
works in passive mode, modify the default access policy in the inbound direction between
the untrust and trust domains to permit Answer: A,B,C

QUESTION NO: 149 To support dynamic routing protocols, the IP addresses of the Tunnel
interfaces at both ends must be configured in the same segment. A. True B. False Answer: A

QUESTION NO: 150 What are the main features of the Secospace DSM product? (Choose three)
A. Encrypted document management B. Recording of employees' document operations, providing
audit logs C. Control of employee access to documents D. Document archive management, in
order to prevent loss of documents Answer: A,B,C

QUESTION NO: 151 The NAT features supported by the USG (Eudemon) firewall include: (Choose
three) A. NAT outbound B. NAT server C. NAT Traversal D. NAT Inbound Answer: A,B,D

QUESTION NO: 152 On a stateful inspection firewall, forwarding of subsequent packets
(non-first packets) is mainly based on which of the following? A. route table B. MAC
address C. session table D. FIB table Answer: C

QUESTION NO: 153 Which port numbers may the FTP protocol use? (Choose two) A. 23 B. 21
C. 20 D. 25 Answer: B,C

QUESTION NO: 154 With the SVN3000 network expansion feature, if remote users need to access
the corporate network and the local area network but not the Internet, which routing mode
does the client need to use? A. Full-channel mode (Full Tunnel) B. Separation channel mode
(Split Tunnel) C. Routing (route Tunnel) D. Manually (Manual Tunnel) Answer: B

QUESTION NO: 155 Which of the following technologies does GRE not support? (Choose two)
A. Tunneling B. Encryption and decryption technology C. Key management technology D. End
checksum Answer: B,C

QUESTION NO: 156 Which statements about the tunnel name command are correct? (Choose two)
A. Is used to specify the name of the end of the tunnel B. Is used to specify the name of
the end of the tunnel C. Must be consistent on the side of the tunnel name configured D. If
you do not configure the tunnel name, the tunnel name is the name of the local system
Answer: A,D

QUESTION NO: 157 Which command is used to check NAT sessions? A. display nat translation
B. display firewall session table C. display current nat D. display firewall nat
translation Answer: B

QUESTION NO: 158 When you configure the security level of a firewall security zone, the
principles to be followed are: (Choose three) A. For a new security zone whose security
level has not yet been set, the system requires its security level to be 100 B. The
security level can be set for custom security zones C. Once set, the security level is not
allowed to change D. In the same system, two security zones are not allowed to be
configured with the same security level Answer: B,C,D

QUESTION NO: 159 As a general Layer 2 VPN technology, L2TP supports packet encryption.
A. True B. False Answer: B

QUESTION NO: 160 Bidirectional NAT usage scenarios include: (Choose two) A. NAT outbound
and NAT inbound used together B. NAT outbound and NAT server used together C. NAT Inbound
and NAT Server used together D. Domain NAT and NAT Server used together Answer: C,D

QUESTION NO: 161 Which elements make up the SSL protocol? (Choose three) A. Handshake
protocol B. Record Protocol C. Warning protocol D. Heartbeat Protocol Answer: A,B,C

QUESTION NO: 162 Which of the following can GRE VPN technology itself provide? A. Tunneling
B. Encryption and decryption technology C. Flow control and QoS D. Key Management
Answer: A

QUESTION NO: 163 In L2TP technology, the LAC client encapsulates packets using the _____
protocol, port number _____. A. TCP 51 B. UDP 51 C. UDP 1701 D. TCP 1701 Answer: C

QUESTION NO: 164 You can set a long aging time for specific TCP and UDP long-connection
data streams, ensuring that the session information is not aged out for a long time.
A. True B. False Answer: B

QUESTION NO: 165 When you configure IPSec VPN, which statements about the sa duration
command are correct? (Choose two) A. It is used to configure the SA lifetime B. The
lifetime can be configured based on traffic and based on time C. After configuring the life
cycle, and for the use of ike sa created manually take effect D. For SAs built via IKE, the
SA lifetime configured at both ends must be consistent Answer: A,B

QUESTION NO: 166 You cannot add any interface to the firewall's Local security zone; the
firewall's interfaces themselves belong to the Local security zone. A. True B. False
Answer: A

QUESTION NO: 167 Configuring an ACL requires an anti-mask. Select the statement about the
anti-mask that is true. A. An anti-mask bit of 0 means that the corresponding bit of the
network address must be compared and matched B. An anti-mask bit of 1 means that the
corresponding bit of the network address must be compared and matched C. The anti-mask
value cannot be all 0s D. The anti-mask value cannot be all 1s Answer: A

QUESTION NO: 168 In an application scenario with three components (VPN Client, LAC and
LNS), between which of the following components is an L2TP tunnel used? (Choose two) A.
Between the VPN Client and LAC B. Between the VPN Client and LNS C. Between LAC and LNS
D. All other options are correct Answer: B,C

QUESTION NO: 169 Which of the following descriptions of MAC address-based ACLs is correct?
A. Can filter only on source MAC address B. Can filter only on source MAC address and
destination MAC address C. Can filter only on data link layer protocol type, source MAC
address and destination MAC address D. Can filter only on network layer protocol type,
source MAC address and destination MAC address Answer: C

QUESTION NO: 170 VPDN tunneling protocols include: (Choose three) A. L2TP B. GRE
C. PPTP D. L2F Answer: A,C,D

QUESTION NO: 171 Which of the following configuration command parameters is not consistent
with the actual scenario or technology implementation? A. ah authentication-algorithm md5
B. ah encryption-algorithm des C. esp authentication-algorithm md5 D. esp
encryption-algorithm des Answer: B

QUESTION NO: 172 In IPSec transport mode, which part of the data packet can be protected by
encryption? A. The network layer and the upper layer packets B. Original IP packet header
C. The new IP packet header D. Transport layer and upper layer packets Answer: D

QUESTION NO: 173 In tunnel mode with ESP, which of the following is transmitted in
plaintext? A. The new IP packet header B. Original IP packet header C. Transport layer
header D. Application layer packet header Answer: A

QUESTION NO: 174 In inter-domain packet filtering, the firewall's inbound direction
(Inbound) refers to data flowing from a high-level security zone to a low-level security
zone. A. True B. False Answer: B

QUESTION NO: 175 Which of the following scenarios does the IPSEC WEB configuration wizard
not support? A. Gateway to Gateway B. Gateway Center C. Branch Gateway D. Host and Host
Answer: D

QUESTION NO: 176 Which of the following addresses can be used as the web management address
of the SVN? (Choose three) A. Interface address B. Sub-interface address C. Sub-IP address
of the interface D. loopback address Answer: A,B,C

QUESTION NO: 177 After a firewall interface is added to a security zone, the interface no
longer belongs to the Local zone. A. True B. False Answer: B

QUESTION NO: 178 Which statement about firewall security zones is correct? A. Different
firewall security zones can have the same priority B. One firewall interface can belong to
different security zones C. Different interfaces of the firewall may belong to the same
security zone D. Built-in firewall security zones can be deleted Answer: C

QUESTION NO: 179 Which of the following IPSec security protocols provides encryption?
A. AH B. ESP C. SA D. IKE Answer: B

QUESTION NO: 180 Before configuring the basic Web proxy functions on the SVN3000, which of
the following data do you need? (Choose two) A. Name of Web resources B. URL address of
the Web resources C. Account Information Web Resources D. All other options are not
right Answer: A,B

QUESTION NO: 181 A man-in-the-middle attack has the characteristics of both passive and
active attacks. A. True B. False Answer: A

QUESTION NO: 182 A proxy firewall needs a proxy developed for each application layer
protocol, so the development cycle is long and upgrading is difficult. A. True B. False
Answer: A

QUESTION NO: 183 In GRE VPN technology, the GRE packet header belongs to the transport
protocol. A. True B. False Answer: B

QUESTION NO: 184 In a GRE configuration environment, which of the following configurations
ensures that data streams are forwarded correctly without the need to configure
inter-domain rules? A. The Tunnel interface and the physical interface that bears it belong
to different security zones B. The Tunnel interface and the physical interface that bears
it belong to the same security zone C. The physical interface belongs to the Untrust zone
and the Tunnel interface it bears belongs to the Local zone D. All other options are
correct Answer: B

QUESTION NO: 185 Which description of GRE encapsulation and decapsulation is wrong? A.
Encapsulation process: after a route lookup passes the original packet to the Tunnel
interface, GRE module encapsulation is triggered B. Encapsulation process: after the GRE
module encapsulates the packet, the packet enters the IP module for further processing C.
Decapsulation process: after the destination receives the GRE packet, a route lookup passes
the packet to the Tunnel interface, which triggers GRE module decapsulation D.
Decapsulation process: after the GRE module decapsulates the packet, the packet enters the
IP module for further processing Answer: C

QUESTION NO: 186 When a host receives an ARP response packet, it does not verify whether it
had sent the ARP request, but directly replaces the entry in its ARP cache table with the
MAC address and IP mapping from the response packet. A. True B. False Answer: A

QUESTION NO: 187 IKE negotiation modes include: (Choose two) A. Master Mode B. Aggressive
Mode C. Fast mode D. Transfer mode Answer: A,B

QUESTION NO: 188 Among the VRP command levels on USG (Eudemon) series firewalls, which is
the highest level of authority? A. Visit level B. Monitoring level C. Configuration level
D. Management level Answer: D

QUESTION NO: 189 Based on the following display ike sa output, which statements are
correct? (Choose two) current ike sa number: 1 connection-id peer vpn flag phase doi 0x1f1
2.2.2.1 0 RD | ST v1: 1 IPSEC 0x60436dc4 flag meaning RD - READY ST - STAYALIVE RL -
REPLACED FD - FADING TO - TIMEOUT A. The first-phase ike sa has been successfully
established B. The second-phase ipsec sa has been successfully established C. ike uses
version V1 D. ike uses version V2 Answer: A,C

QUESTION NO: 190 For active attacks the focus is on prevention rather than detection; such
attacks are generally countered by using encryption technology to protect the
confidentiality of the information. A. True B. False Answer: B

QUESTION NO: 191 Like a DDN line, VPN tunneling technology achieves link security by
building a physical channel. A. True B. False Answer: B

QUESTION NO: 192 The main scope of NAT is host visits in the same security domain; you need
to convert the IP address of the target host via the NAT outbound command. A. True
B. False Answer: B

QUESTION NO: 193 In GRE VPN applications, adding the network physical interface and the
Tunnel interface to the same security zone reduces the inter-domain packet filtering policy
configuration. A. True B. False Answer: A

QUESTION NO: 194 In the WLAN configuration, if the authentication type is set to open
system authentication, all clients that request authentication will pass authentication.
A. True B. False Answer: A

QUESTION NO: 195 A stateful inspection firewall uses a session table to track active TCP
sessions and UDP sessions; the access control list decides which sessions are established,
and a packet is forwarded only when it is associated with a session. A. True B. False
Answer: A

QUESTION NO: 196 Which of the following statements about the local-address command are
correct? (Choose three) A. Require local-address for the virtual IP address hot standby
Network B. Interface Application IPSec policy if configured with multiple IP addresses (IP
address or if the primary sub-interface), multiple equal-cost routes, and use of virtual
interface templates may be looking in the wrong address, you need to configure the
local-address is the actual the IP address of the IKE negotiation C. local-address should
be consistent with the peer specified remote-address D. The other three options are wrong
to say Answer: A,B,C

QUESTION NO: 197 Authentication technology uses which of the following to verify the
legitimacy of a user's identity? (Choose two) A. Username Password B. USB KEY C.
Cryptographic algorithms D. Private key information to identify Answer: A,B

QUESTION NO: 198 Which of the following devices cannot be controlled by the TSM system's
"Computer Peripherals Monitor" policy? A. Bluetooth devices B. U disk C. Infrared
equipment D. Floppy Answer: B

QUESTION NO: 199 When configuring firewall packet filtering ACL rules, if the
192.168.0.0/24 network is to be the object matched by the ACL rule and the action on a
match is deny, which of the following configurations is correct? A. rule 0 deny source
192.168.0.0 255.255.255.0 B. rule 2 deny source 192.168.0.0 0.0.0.255 C. rule 3 deny source
192.168.0.0 24 D. rule 4 deny source 192.168.0.0 0.0.255.255 Answer: B

QUESTION NO: 200 Which statement about NAT is correct? A. NAT will do within the packet
source address B. NAT is compatible with all current IPSec security protocols C. Because
the FTP protocol is a multi-channel protocol, it does not support NAT D. NAT support for
TCP / IP two, three, four conversion Answer: A

QUESTION NO: 201 The firewall's built-in security zones cannot be deleted, but their
security level can be modified. A. True B. False Answer: B

QUESTION NO: 202 To which interface is the command pppoe-server bind virtual-template 1
applied? A. LAC’s internal network port B. LAC’s external network C. LNS within the
network port D. LNS external network port Answer: A

QUESTION NO: 203 What is the default ACL match type on USG2000 (Eudemon 200E) series
firewalls? A. auto B. config C. predefine D. custom Answer: B

QUESTION NO: 204 The main function of the security access control gateway (Security Access
Control Gateway, SACG for short) is to control terminals' network access, opening different
permissions for different users and different security situations. A. True B. False
Answer: A

QUESTION NO: 205 Which of the following are components of the 5-tuple? (Choose three) A.
Source IP address B. Destination IP address C. Protocol number D. Source MAC Address
Answer: A,B,C

QUESTION NO: 206 Which of the following exchange modes belongs to the second phase of IKE?
A. Master Mode B. Aggressive Mode C. Fast mode D. Passive mode Answer: C

QUESTION NO: 207 Which of the following is the best technology to solve business
interruption issues for some applications (such as an Oracle database application whose
connection is interrupted after a long period without data flow)? A. Configure a business
long connection B. Configure default session aging time C. Optimization of packet filtering
rules D. Open the fragment cache Answer: A

QUESTION NO: 208 A Security Alliance (SA) is a bidirectional security association that can
provide security protection for data streams in both directions. A. True B. False
Answer: B

QUESTION NO: 209 A firewall is an access control point between several networks; all data
flows entering and leaving the network protected by the firewall should first pass through
the firewall, forming an information gateway. A. True B. False Answer: A

QUESTION NO: 210 Based on the following display ike proposal output, which statements are
correct? (Choose two)

    priority  authentication  authentication  encryption  Diffie-Hellman  duration
              method          algorithm       algorithm   group           (seconds)
    ---------------------------------------------------------------------------
    default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400

A. Authentication algorithm is SHA B. DES encryption algorithm C. DH group using group2
D. Aggressive mode is used Answer: A,B

QUESTION NO: 211 The main L2TP configuration of a USG (Eudemon) firewall is as follows:

    [LNS] l2tp-group 1
    [LNS-l2tp1] tunnel name LNS
    [LNS-l2tp1] allow l2tp virtual-template 1 remote client1
    [LNS-l2tp1] tunnel authentication
    [LNS-l2tp1] tunnel password simple Password123

Which statement about the above configuration is correct? A. l2tp-group 1 is the default
l2tp group, so clients with any remote name can connect B. The L2TP tunnel can be built
only when the tunnel name of the remote device or client is LNS C. Enable the L2TP
authentication and encryption features D. Only a user whose remote name is client1 can
establish the l2tp connection Answer: D

QUESTION NO: 212 After the SVN3000 network extension is configured for full-channel mode
(Full Tunnel), network users can access Internet resources. A. True B. False Answer: B

QUESTION NO: 213 What does the following access control list mean?

    [USG (or Eudemon)] acl number 3100
    [USG (or Eudemon)-acl-3100] rule deny icmp source 10.1.10.10 0.0.255.255 destination any icmp-type host-unreachable

A. The serial number is 3100 rule prohibited to 10.1.10.10 host unreachable packets to all
hosts B. The serial number is 3100 rule prohibiting all 10.1.0.0/16 that host unreachable
packets C. The serial number is 3100 rule prohibited from 10.1.0.0/16 to all hosts on the
network unreachable packets D. Rules of the serial number is 3100, banned from all hosts
10.1.10.10 host unreachable packets Answer: C

QUESTION NO: 214 USG (Eudemon) series firewalls use dh group2 for ike by default. A. True
B. False Answer: B

QUESTION NO: 215 Which statements about trunk ports are correct? (Choose two) A. When a
trunk port receives a tagged data frame, if the tag differs from the PVID, the frame is
forwarded directly B. When a trunk port receives a tagged data frame, if the tag differs
from the PVID, the frame is discarded C. When a trunk port receives a tagged data frame, if
the tag is the same as the PVID, the frame is forwarded directly D. When a trunk port
receives a tagged data frame, if the tag is the same as the PVID, the tag is removed before
forwarding Answer: A,D

QUESTION NO: 216 Which of the following is not a proxy firewall feature? A. Safe B.
Processing speed C. Application layer security D. Easy to upgrade Answer: D

QUESTION NO: 217 In an asymmetric encryption algorithm, the encryption key and the
decryption key are not the same. A. True B. False Answer: A

QUESTION NO: 218 Which statements about the fragment cache function on the firewall are
correct? (Choose two) A. After direct forwarding of fragmented packets is configured, the
firewall does not cache fragmented packets B. After direct forwarding of fragmented packets
is configured, fragments that are not the first fragment are forwarded by the firewall in
accordance with the inter-domain packet filtering policy. C. Fragmented packets will create
the session table will look when forwarding the session table D. Because non-first
fragments carry no port number, the direct fragment forwarding function generally cannot be
used in a NAT environment Answer: A,D

QUESTION NO: 219 Which of the following are Huawei security software products?
(Choose three) A. TSM B. DSM C. eLog D. SVN3000 Answer: A,B,C

QUESTION NO: 220 Address-group {number | name} meaning no-pat in no-pat parameter
is? A. Do address translation B. The port multiplexing C. Not convert the source port D.
Not convert the destination port Answer: C

QUESTION NO: 221 Which of the following user system can be modified, such as user
account or password information directly on SVN3000 system? A. VPNDB Users B. LDAP
user C. Radius Users D. All user system Answer: A

QUESTION NO: 222 Switcher (not configured VLAN) when it receives a data frame, if no
match is found in the MAC address table, it will forward the data frame (including switcher
receiving port) to all ports. A. True B. False Answer: B

QUESTION NO: 223 SVN3000 port forwarding is based on the way the port control access
to network resources for what applications? A. TCP B. UDP C. TCP or UDP D. SPX
Answer: A

QUESTION NO: 224 GRE VPN tunnel interface (Tunnel Interface) interface borrows the
IP address of the other as its IP address on this interface to enable the dynamic routing
protocol. A. True B. False Answer: B

QUESTION NO: 225 SVN support the following types of file-sharing, which has several?
(Choose two) A. SMB B. Windows C. NFS D. Linux Answer: A,C

QUESTION NO: 226 After the write function is enabled USB encryption policies, end-user
copy to U disk files are encrypted, only the enterprise user and installed TSM terminal
security agents in order to use these encrypted files, encrypted files copied from disk to the
local U hardware automatically decrypted; A. True B. False Answer: A

QUESTION NO: 227 IKE first and second switching stage comprises ()? (Choose three) A.
Fast mode B. Aggressive Mode C. Transfer mode D. Master Mode Answer: A,B,D

QUESTION NO: 228 ESP packet encapsulation mode in what can be achieved on the
original IP header data confidentiality? A. Transfer mode B. Tunnel Mode C. Transfer
Mode + tunnel mode D. Encryption mode Answer: B

QUESTION NO: 229 Packet filtering firewall interfaces, inbound high priority area is the
access interface from low priority areas in the interface. A. True B. False Answer: B

QUESTION NO: 230 For firewall access control process: 1. routing table lookup, 2. find
interzone packet filtering rules, 3. session table lookup, 4. find the blacklist; the correct
order? A. 1-3-2-4 B. 3-2-1-4 C. 3-4-1-2 D. 4-3-1-2 Answer: D

QUESTION NO: 231 SVN provides the following IP address allocation which way?
(Choose three) A. DHCP allocation B. IP address pool(randomly assigned) C. IP address
pool(user account with an IP address binding) D. Virtual IP address allocation Answer:
A,B,C

QUESTION NO: 232 SVN3000 support functions are not included? A. WEB push B. Port
Forwarding C. File Sharing D. Network expansion Answer: A

QUESTION NO: 233 In IKE Peer view, if the implementation of exchange-mode main,
then the following configuration which is impossible in force? A. remote-address
202.101.0.1 B. remote-address 202.101.0.1 202.101.0.5 C. remote-name chengdu D. All
other options are Answer: C

QUESTION NO: 234 Configuration [LAC-l2tp1] start l2tp ip 3.3.2.1 full username pc1 in,
pc1 mean? A. The end of the tunnel name B. On the end of the tunnel name C. The end of
the account name to initiate certification D. Peer initiates an authentication account name
Answer: C

QUESTION NO: 235 IKE protocol is based on the framework by the Internet Security
Association and Key Management Protocol ISAKMP definition. It is able to provide auto-
negotiation IPSec key exchange to establish security associations, in order to simplify the
use and management of IPSec. A. True B. False Answer: A

QUESTION NO: 236 SVN support routing protocols include: (Choose three) A. Static
Routing B. RIP C. OSPF D. BGP Answer: A,B,C

QUESTION NO: 237 In the GRE configuration environment, which of the following
statements are true? (Choose three) A. To make both ends of the tunnel to forward data
packets, the two devices are configured through the Tunnel interface routing. B. Enable both
ends to verify the configuration keywords, the keywords should be the same C. When the
local device to send data packets, the IP protocol field value by identifying GRE to decide
whether to submit to the GRE protocol packet processing module D. When receiving a data
packet to the client device, by identifying GRE IP protocol field value to determine whether
the data submitted to the GRE protocol packet processing module Answer: A,B,D

QUESTION NO: 238 SVN3000 default virtual gateway supports only a few, in order to
increase the number of virtual gateways need to purchase License. A. True B. False
Answer: A

QUESTION NO: 239 Which of the following statements about the firewall inter-domain
packet filtering Policy is correct? A. Priority match between packet filtering Policy in
accordance with the order in the arrangement of the former B. Interzone packet filtering
Policy in accordance with the ID number match the size of a small number of priority match
C. Interzone packet filtering Policy in accordance with the size to match the ID number, a
large number of priority match D. Interzone packet filtering policy automatically arranged
according to the size of the serial number, when changing the order in which numbers can
change with it. Answer: A

QUESTION NO: 240 Commands allow l2tp virtual-template virtual-template-number
[remote remote-name], when l2tp group is 1:00, you must specify the remote-name
parameter A. True B. False Answer: B

QUESTION NO: 241 Configuration [LNS-l2tp10] allow l2tp virtual-template 1 remote
client1 in, client1 mean? A. The end of the tunnel name B. On the end of the tunnel name
C. The end of the account name to initiate certification D. Peer initiates an authentication
account name Answer: B

QUESTION NO: 242 Which of the following is the TSM system "illegal outreach" strategy
has the function? (Choose two) A. Allows connection to external networks through the legal
route B. Prohibit access to the Internet C. Prohibit access to corporate resources critical
business systems D. Prohibit terminal visits Answer: A,B

QUESTION NO: 243 Which TSM system mainly consists of the following components?
(Choose three) A. SM management server B. SC control server C. Admission Control D.
Anti-virus server Answer: A,B,C

QUESTION NO: 244 In SVN3000 configuration, set the port number if the Web interface
and IP address to bind to port other than 443, then enter the IP address of the Web interface
login next, followed by the IP address, please add " : port ", such as "https://xxxx:port",
otherwise it will not log the Web interface. A. True B. False Answer: A

QUESTION NO: 245 SVN TCP port forwarding applications include three static ports:
single-port single-server, single-port multi-server, multi-port multi-server. The following are
single-port single-server? A. Outlook B. FTP C. Lotus Notes D. Http Answer: D

QUESTION NO: 246 Which of the following business functions SSL VPN will be used to
control? (Choose two) A. Web Proxy B. File Sharing C. Port Forwarding D. Network
expansion Answer: C,D

QUESTION NO: 247 How to see the number of matches the ACL () A. display
current-configuration B. display ACL all C. display startup saved-configuration D. display
device Answer: B

QUESTION NO: 248 L2TP VPN, and L2TP tunnels and sessions on the statement is
correct: (Choose two) A. Between the same pair of LAC and LNS can create multiple L2TP
tunnel, the tunnel consists of a control connection and at least one session (Session)
composition B. Tunnel multiplexed on the session connection for the session, said carrying
PPP tunnel connecting each C. After the session connection must be established
successfully in the tunnel D. L2TP tunnel control message transmission, data message
transmission in the session Answer: A,C

QUESTION NO: 249 In the TCP three-way handshake, for packet SYN (seq = b, ack = a
+1), the following statement is correct there? A. Confirmation of the number of data packets
is b B. A +1 on the number of packets that are recognized C. A desired number of the next
data packet received is b D. A desired number of the received packet is a +1 Answer: D

QUESTION NO: 250 As a kind of generic GRE VPN encapsulation protocol encapsulated
in the VPN can include multicast packets, including all L3 packets. A. True B. False
Answer: A

QUESTION NO: 251 What are Web proxy implementations? (Choose two) A. Web-link B.
Web rewritten C. Web Forwarding D. Web pass-through Answer: A,B

QUESTION NO: 252 Which TSM system supports the following authentication methods?
(Choose three) A. User Name Password Authentication B. MAC address authentication C.
Fingerprint Authentication D. LDAP Authentication Answer: A,B,D

QUESTION NO: 253 GRE encapsulation is a work in which of the
following interfaces (protected data stream arriving at the interface)? A. interface tunnel 1
B. interface Ethernet 0/0(within the network) C. interface Ethernet 0/0(external network) D.
interface loopback 1 Answer: A

QUESTION NO: 254 As illustrated connection : PC1 ----- SW1 ------------ SW2 ----- PC2;
SW1 two ports defined for VLAN1 access type port, SW2 two ports defined as VLAN 2
access port type, (PC1 and PC2 in the same subnet) then the following description is
correct? A. Because all access port, in fact, do not pass VLAN tag information, so you can
access PC1 PC2. B. Because VLAN SW2 SW1 and the ends are different, so
you cannot communicate between two PC. C. If two switches are connected to the port is set
to trunk ports, two PC can communicate. D. Because PVID default port on the switch is
VLAN 1, so the PC can be both visits. Answer: A

QUESTION NO: 255 TSM systems enable the "Monitoring DHCP settings" strategy, end
users will be forced to only use DHCP to obtain an IP address automatically. A. True B.
False Answer: A

QUESTION NO: 256 L2TP VPN configuration on the following statement in the correct
precautions are: (Choose three) A. The LNS L2TP client must be configured virtual
interface template (Virtual-Template) the IP address of the virtual interface template needs
to join the domain B. The default firewall requires authentication of the tunnel. If you do
not configure authentication, you need to undo tunnel authentication command C. To enable
L2TP dial-up users can normally access the network address, the address assigned to L2TP
users can dial up the network and the user's address on the same network segment or need
to enable proxy ARP D. LNS side is not allowed to configure multiple L2TP-Group
Answer: A,B,C

QUESTION NO: 257 Which of the following security zones can be conditionally deleted?
A. Regional Security B. trust region C. untrust area D. dmz area Answer: A

QUESTION NO: 258 Stateful inspection firewall can detect TCP protocol, but cannot
detect UDP, since UDP is a connectionless protocol. A. True B. False Answer: B

QUESTION NO: 259 The following types of encryption algorithm, encryption and
decryption key are the same? A. DES B. RSA (1024) C. MD5 D. SHA-1 Answer: A

QUESTION NO: 260 When you configure NAT through the web, you need to configure
the trust and untrust regional inbound direction, you need to select the security domain trust
area in front, untrust area on the back. A. True B. False Answer: B

QUESTION NO: 261 IPSec IKE aggressive mode is mainly to solve the problem? A. Solve
the problem of slow negotiation ends of the tunnel B. Negotiation process to resolve
security issues C. Solve the NAT traversal problem D. Address the source address of the
originator of uncertainty and cannot choose a pre-shared key issues Answer: D

QUESTION NO: 262 Which of the following algorithms in IPSec encryption algorithm
does not belong? A. DES B. SHA1 C. 3DES D. AES Answer: B

QUESTION NO: 263 In order to ensure the confidentiality of information, the need for
confidentiality encryption algorithm: A. True B. False Answer: B

QUESTION NO: 264 Which of the following are the first stage of IKE exchange mode?
(Choose two) A. Master Mode B. Aggressive Mode C. Fast mode D. Passive mode Answer:
A,B

QUESTION NO: 265 What is the purpose IPSec IKE pre-shared
key configuration is? A. Do the encryption key messages B. The key to decrypt the packets
do C. Do key authentication algorithm D. Do negotiate key exchange material Answer: D

QUESTION NO: 266 ALG main function is to ensure smooth communication protocol
what kind of conduct? A. All application layer protocol B. All the transport layer protocol
C. All network layer protocol D. Multi-channel application layer protocol Answer: D

QUESTION NO: 267 USG2200 (Eudemon200E)-A between USG2200 (Eudemon200E)-B
equipment and the establishment of GRE tunnels, the following configuration of GRE
tunnel establishment does not affect (both ends are configured gre checksum). A side
configuration: gre key usg2200 (or Eudemon200E)-a; B side configuration: gre key
usg2200 (or Eudemon200E)-b; A. True B. False Answer: B

QUESTION NO: 268 Hybrid port allows multiple VLAN frames
through, and you can enter the port in the direction of some of the Tag VLAN frames
stripped. A. True B. False Answer: B

QUESTION NO: 269 Which of the following techniques can be achieved after a key is
compromised, will not affect the security of other keys? A. DH (Diffie-Hellman) key
exchange and distribution B. Perfect forward secrecy (Perfect Forward Secrecy) C.
Authentication D. Identity Protection Answer: B

QUESTION NO: 270 About Advanced ACL, the following statements is correct? (Choose
two) A. Advanced ACL can match the source IP address B. Advanced ACL can match the
destination IP address C. Advanced ACL can match the source MAC address D. Advanced
ACL can match the destination MAC address Answer: A,B

QUESTION NO: 271 For nat inbound direction, the following statement is correct:
(Choose two) A. Mainly used in internal hosts do not need to know the situation of a public
network of B. Is the source address of the external network user request packet, converted to
network addresses C. Is a network user address into internet addresses D. In order for the
internal private network users can access internet address Answer: A,B

QUESTION NO: 272 Configuration [LAC-l2tp1] start l2tp ip 3.3.2.1 full username pc1 in,
ip address 3.3.1.1 means? A. This initiates an IP address B. The end of the virtual template
address C. The LNS public address D. Virtual template addresses the LNS Answer: C

QUESTION NO: 273 In L2TP scenario, private address allocation is done by the user
which of the following components? A. LAC B. LNS C. VPN Client D. User-configurable
Answer: B

QUESTION NO: 274 In the case of using detect regional command application protocol
if it is non-standard port, which of the following techniques to solve the problems brought
by a non-standard port? A. Port identification B. MAC and IP address binding C. Packet
filtering D. Long connection Answer: A

QUESTION NO: 275 SVN3000 business functions include? (Choose three) A. Web Proxy
B. Network expansion C. Port Sharing D. File Sharing Answer: A,B,D

QUESTION NO: 276 In the TSM system supports access control devices, which of the
following devices do not support access control terminal visits functions? A. Hardware
SACG(Hardware Security Access Control Gateway) B. 802.1X C. Software SACG(host
firewall) D. ARP control Answer: A

QUESTION NO: 277 In the Internet world, the protocol that you can do the following
transport protocols, and can do the passenger protocol: A. IP B. GRE C. IPX D. TCP
Answer: A

QUESTION NO: 278 Encryption refers to the cipher text into the plaintext message to be
transmitted in the network. A. True B. False Answer: B

QUESTION NO: 279 Check whether the L2TP tunnel has been established command is: A.
display l2tp tunnel B. display lac tunnel C. display lns tunnel D. display tunnel Answer: A

QUESTION NO: 280 IP-Link auto-detection results can only be applied to detect double
hot backup. A. True B. False Answer: B

QUESTION NO: 281 What are the common hashing algorithms? (Choose two) A. DES B.
AES C. MD5 D. SHA-1 Answer: C,D

QUESTION NO: 282 What are the main cryptographic services security capabilities?
(Choose three) A. Confidentiality B. Integrity C. Repudiation D. Scalability Answer: A,B,C

QUESTION NO: 283 Which statement is correct? A. Latency refers to the first bit of the
packet enters the firewall to the first bit of the output firewall interval indicator, is an ideal
situation for measuring the speed of processing data firewall B. Refers to the maximum
number of concurrent connections per second, the new set up through the firewall can be a
complete TCP / UDP connection C. If the USG (Eudemon) transparent firewall mode to
work, just like the place in the network bridges (bridge) the same access to the USG
(Eudemon) firewall device without the need to modify the original structure and
configuration D. When USG (Eudemon) firewall using routing mode, no ACL packet
filtering, ASPF dynamic filtering, NAT conversion functions Answer: C

QUESTION NO: 284 SSL is a security protocol that provides a secure connection for TCP-
based application layer protocol, SSL between the TCP / IP protocol stack between the
fourth and fifth layers. SSL provides secure connections for HTTP (Hypertext Transfer
Protocol) protocol. A. True B. False Answer: A

QUESTION NO: 285 VLAN port types include: (Choose three) A. Access Port B. Trunk
ports C. Hybrid port D. Ethernet port Answer: A,B,C

QUESTION NO: 286 In GRE VPN technology, which of the following is an encapsulation
protocol? A. GRE B. IPX Answer: A

QUESTION NO: 287 Huawei firewall security zones are provided by default () (Choose
three) A. local area B. trust region C. untrust area D. Regional Security Answer: A,B,C

QUESTION NO: 288 IPSEC configuration steps include: (Choose three) A. Restart
Firewall B. Define the data flow and inter-domain protection rules C. Configure IPSec
security proposal D. Configure IKE Peer Answer: B,C,D

QUESTION NO: 289 For AH and ESP, the following statement is correct? (Choose three)
A. AH provides data integrity and encryption B. Tunnel mode, AH for the new IP header
must verify, so AH IPSEC VPN cannot be applied in the middle of a situation nat conversion.
C. AH ESP can provide all of the features in addition to data encryption outside D. Tunnel
mode, ESP packets do not verify the new IP header. Answer: B,C,D

QUESTION NO: 290 IETF protocol based SSL3.0 launched TLS1.0, also known as
SSL3.1. A. True B. False Answer: A

QUESTION NO: 291 VPN technology belong there? (Choose three) A. GRE B. L2TP C.
DPI D. IPSec Answer: A,B,D

QUESTION NO: 292 Symmetric encryption algorithm encryption key and decryption key
are the same. A. True B. False Answer: A

QUESTION NO: 293 Source port by the application (protocol) decision, the same
application (protocol) using the same source port A. True B. False Answer: B

QUESTION NO: 294 Security Alliance (SA) is the basis of IPSec is agreement between the
communicating peers on certain safety elements. A. True B. False Answer: A

QUESTION NO: 295 LAC device via L2TP users to understand what information is
requested to initiate a tunnel which LNS? A. Source IP address B. Destination IP address C.
The source IP address and destination IP address D. Username + Password Answer: D

QUESTION NO: 296 IPSec by AH (Authentication Header) and ESP (Encapsulating
Security Payload) protocol to achieve these two private security, integrity, authenticity, and
anti-replay, and also through IKE (Internet Key Exchange) provides auto-negotiation
exchanged for IPSec key to establish and maintain security alliance services to simplify the
use and management of IPSec. A. True B. False Answer: A

QUESTION NO: 297 L2TP user authentication statement is correct: A. In the LAC can
authenticate the user B. The LNS can authenticate the user C. After LAC authenticates the
user, LNS can authenticate the user again D. All other options are on the argument Answer:
D

QUESTION NO: 298 L2TP protocol registered ports are: A. TCP 1701 B. TCP 1710 C.
UDP 1701 D. UDP 1702 Answer: C

QUESTION NO: 299 When renting leased line to connect two ISP firewall port to use by
SA, two firewalls are DTE devices, clocks are set to slave. A. True B. False Answer: A

QUESTION NO: 300 In most scenarios, NAT Inbound refers to the use of an Internet
address instead of the internal LAN address, his role is used to hide the actual IP address of
the Internet server. A. True B. False Answer: B

QUESTION NO: 301 Protocol mainly used for encryption mechanisms are: A. HTTP B.
FTP C. TELNET D. SSL Answer: D

QUESTION NO: 302 TSM management system which supports the following dimensions?
(Choose two) A. Organization and management B. Regional Management Network C.
Management hardware features D. Administration Answer: A,B

QUESTION NO: 303 IPSec AH + ESP used to establish an IPSec tunnel mode, will create
several IPSec SA? A. 2 B. 3 C. 4 D. 1 Answer: C

QUESTION NO: 304 Microsoft patch does not include what level? A. Key B. Serious C.
Important D. Medium Answer: D

QUESTION NO: 305 Which of the following statements about firewall access control lists
are correct? (Choose three) A. Basic Access Control Lists can be filtered for the source and
destination IP address B. Advanced Access Control Lists can be filtered for agreement C.
You can filter on the data link layer protocol header type field in the MAC-based access
control list D. The hardware packet filtering ACL, you can dimension source MAC address,
destination MAC address, protocol, etc. to match traffic Answer: B,C,D

QUESTION NO: 306 USG2000 (Eudemon 200E) Firewall supports the following which
match the pattern? (Choose two) A. config mode B. auto mode C. acl mode D. rule mode
Answer: A,B

QUESTION NO: 307 The vast majority of endpoint security threats from Internet, internal
network only need to deploy anti-virus software can solve the problem. A. True B. False
Answer: B

QUESTION NO: 308 About SVN3000 hardware description, is correct: (Choose three) A.
SVN3000 a 1U standard chassis, the chassis with Console port B. There are four pairs
SVN3000 fixed 10/100/1000M Ethernet optical ports are mutually exclusive C. Provided a
total of two expansion slots on the chassis, one for encryption card is inserted, another spare
for extended functions. D. SVN3000 installed two internal AC or DC power modules,
redundant dual power supply and backup power supply. Answer: A,C,D

QUESTION NO: 309 Source host sends ARP-request, the data package source IP address
field of the source host IP address, source MAC address field is the MAC address of the
source host, destination IP address field of the destination host IP address, destination MAC
address of the destination host is encapsulated MAC address A. True B. False Answer: B

QUESTION NO: 310 In order to ensure the success of the tunnel verification, LAC and
LNS client-side configuration must be consistent, such as password information. A. True
B. False Answer: A

QUESTION NO: 311 VLAN tag information which is contained in the message section? A.
Ethernet packet header B. IP packet header C. TCP packet header D. UDP packet header
Answer: A

QUESTION NO: 312 USG2000 (Eudemon 200E) firewall on the
same match order of ACL description of the different rules is correct: (Choose three) A. In
multiple rules configured with an ACL, there are two matching order: automatic matching
mode (auto) and configure priority mode (config). B. Firewall defaults to auto mode C. In
auto mode: depth-first rule matching principles, namely: the higher the smaller the address
range rule priority. D. In config mode: priority rules are configured first match, which is the
serial number of the smaller the priority rule. Answer: A,C,D

QUESTION NO: 313 Similar anti-mask and subnet mask format, but the value has
different meanings: 1 indicates that the corresponding IP address bits need to compare, 0
indicates that the corresponding IP address bits ignored comparison. A. True B. False
Answer: B

QUESTION NO: 314 Which of the following statements is true? (Choose two) A. New
connections per second per second refers to establish TCP connections through the
firewall, including the semi-connection B. Throughput refers to the maximum amount of
data that can be processed simultaneously firewall, generally 1500Byte packets as a test
standard C. Latency refers to the last bit of the packet enters the firewall to the first bit of
the output firewall interval indicator D. Refers to the maximum number of concurrent
connections Connection Firewall can accommodate the number of Answer: C,D

QUESTION NO: 315 Local firewall security zones do not contain any interface. Ping
firewall on the firewall when an interface IP address, the packet will be given to those
inside the firewall module for processing, not to be forwarded. Because they belong to the
same security zone, so no need to configure interzone packet filtering can communicate
properly. A. True B. False Answer: A

QUESTION NO: 316 Packet filtering firewall main features include: (Choose three) A.
With the complexity and increase the length of ACL, the firewall filtering performance
exponentially decreasing trend B. ACL rules difficult to adapt static dynamic security
filtering requirements C. Do not check the session state data is not analyzed, it is very easy
for hackers to get away D. Complete control of the network to exchange information and
control the session, with high security Answer: A,B,C

QUESTION NO: 317 NAT technology which has the following characteristics? (Choose
two) A. Provide addresses for the network user to hide, there is a certain security B. Does
not support an unlimited number of IP for network NAPT conversion C. For network users
both inside and outside, feel the IP address of the conversion process, the entire process is
transparent for the user D. After you configure a bidirectional NAT, an external user can
access the network resources within Answer: A,C

QUESTION NO: 318 Which of the following key management techniques are often applied
to the VPN environment? A. IKE B. Authentication C. IPSec D. PKI / CA Answer: A

QUESTION NO: 319 SVN3000 Shared Web gateway can be accessed via IP, domain
names in two ways. A. True B. False Answer: B

QUESTION NO: 320 SVN3000 network expansion capabilities, the need to implement a
remote user can access the corporate network and local area network, and can access the
Internet, the client needs to use routing as follows: A. Full-channel mode (Full Tunnel) B.
Separation channel mode (Split Tunnel) C. Routing (route Tunnel) D. Manually (Manual
Tunnel) Answer: D

QUESTION NO: 321 Firewall configured nat server global 202.106.1.1 inside 10.10.1.1,
and now need to filter through the interface technology package allows users of the public
network WWW server access is correct. A. rule permit TCP source 202.106.1.1 0
source-port 80 B. rule permit TCP source 10.10.1.1 0 source-port 80 C. rule permit TCP
destination 202.106.1.1 0 destination-port 80 D. rule permit TCP destination 10.10.1.1 0
destination-port 80 Answer: D

QUESTION NO: 322 There are several IPSec protocol encapsulation mode? (Choose two)
A. Tunnel Mode B. Transfer mode C. Master Mode D. Aggressive Mode Answer: A,B

QUESTION NO: 323 After receiving the L2TP LNS packets, check if the newspaper
wengong IP address is not found in the local header successfully established the link, but
also to the next step L2TP packet of information processing. A. True B. False Answer: B


QUESTION NO: 324 Multiple interfaces of the firewall can belong to the same security
zone? A. True B. False Answer: A

QUESTION NO: 325 Transparent firewall mode works like a switch, according to MAC
address forwarding for packets matching ACL check is not performed, nor generate the
session table A. True B. False Answer: B

QUESTION NO: 326 Which of the following applications are dynamic port TCP
applications? A. SSH B. FTP C. Http D. Telnet Answer: B

QUESTION NO: 327 L2TP default group primarily to scenes
acceptable any client calls. A. True B. False Answer: A

QUESTION NO: 328 USG (Eudemon) Series firewalls from priority (priority) to define
security zones can be set which of the following values ? (Choose two) A. 150 B. 100 C. 80
D. 40 Answer: C,D

QUESTION NO: 329 Extended access control lists can be used to carry traffic which of the
following Latitude match? (Choose two) A. Source MAC B. Destination MAC C. Source IP
D. The purpose of IP Answer: C,D

QUESTION NO: 330 Address conversion technology advantages include: (Choose three)
A. NAT allows the internal network users (private IP address) to easily access the Internet.
B. NAT allows many hosts to share a single internal LAN IP address of the Internet. C.
Address conversions can handle IP header encryption. D. NAT can shield the user’s internal
network, improve the security of the internal network. Answer: A,B,D

QUESTION NO: 331 TCP / IP V4 version, there are security risks there? (Choose three) A.
Lack of data origin authentication mechanism B. Lack of data packet acknowledgment
mechanism C. Lack of data integrity verification mechanism D. Lack of confidentiality
safeguards Answer: A,C,D

QUESTION NO: 332 ARP-REPLY packets are sent by broadcast, so every host on the same
Layer 2 network can receive them and learn the IP-to-MAC address mapping from them.
A. True B. False Answer: B

QUESTION NO: 333 Which of the following types of firewall processes non-first packets
the fastest? A. Packet filtering firewall B. Proxy Firewall C. Stateful inspection firewall
D. Software firewalls Answer: C

QUESTION NO: 334 User Wang dials in over L2TP VPN from outside the network and obtains an
address normally. He can ping the firewall's internal network port but cannot access the
internal network server. Checking the configuration shows that the Virtual-Template is added
to the untrust zone and the internal network port is in the trust zone. Which of the
following statements about the cause of the failure to access the server are correct?
(Choose two) A. The server has no gateway configured B. The interzone rules between
untrust and trust are not opened C. The interzone rules between untrust and local are not
opened D. The other three options are correct Answer: A,B

QUESTION NO: 335 Which of the following are VPDN tunneling protocols? (Choose two)
A. PPPoE B. L2TP C. PPTP D. IPSec Answer: B,C

QUESTION NO: 336 To prevent information security incidents caused by end users copying
important data to storage media, while business needs require that end users can still read
the data stored on them, which of the following policies should be enabled in the TSM
system? A. Disable removable storage devices B. Read-only removable storage devices
C. Monitoring removable storage devices D. Write encrypted removable storage devices
Answer: B

QUESTION NO: 337 Classified by business use, VPN does not include which of the
following? A. Access VPN B. Intranet VPN C. Internet VPN D. Extranet VPN Answer: C

QUESTION NO: 338 If the DNS server address has been configured on the SVN, the URL of the
Web proxy function must be configured as an IP address. A. True B. False Answer: B

QUESTION NO: 339 Deploying NAT technology to hide internal IP addresses can improve the
security of the network. A. True B. False Answer: A

QUESTION NO: 340 A virtual private network (Virtual Private Network) is a private data
channel established through a shared public network; each network or terminal that needs to
access this virtual network is connected through tunnels (channels), forming a dedicated
network with certain security and quality of service. A. True B. False Answer: A

QUESTION NO: 341 The file sharing types supported by SSL VPN are divided into two kinds,
SMB and NFS: SMB corresponds to Windows hosts and NFS corresponds to Linux hosts. A.
True B. False Answer: A

QUESTION NO: 342 SSL and IPSec are both security protocols that provide encryption and
authentication. However, SSL encrypts only the data transmitted between the two
communicating applications, rather than all of the data from one host to another (such as
TCP/IP and application layer protocols). A. True B. False Answer: A

QUESTION NO: 343 How do you enter the BootROM main menu (Main Menu) while a USG2000
(Eudemon200E) device is booting? A. Press CTRL + C B. Press CTRL + B C. Press CTRL + Z D.
Press CTRL + ALT + A Answer: B

QUESTION NO: 344 In the GRE configuration environment, the local peer network device
configuration GRE private network need to point which of the following interfaces or IP
address? (Choose two) A. Tunnel Interface B. External network (Internet) interface C.
Tunnel Interface IP address D. External network (Internet) interface IP address Answer: A,C

QUESTION NO: 345 In a GRE configuration, which of the following items must be configured
in Tunnel interface mode? (Choose three) A. source ip-address B. destination ip-address
C. Tunnel Interface IP address D. gre encryption-algorithm 3des Answer: A,B,C

QUESTION NO: 346 The port-mapping function is used to publish a certain port of an internal
server to the external network. A. True B. False Answer: B

QUESTION NO: 347 Which of the following IPSec security protocols supports NAT traversal
(where a NAT device sits in the middle of the IPSec VPN tunnel)? A. AH B. ESP C. AH + ESP
D. AES Answer: B

QUESTION NO: 348 SVN3000 web proxy server resources can only be accessed by
clicking on the web SVN list. A. True B. False Answer: B

QUESTION NO: 349 Which of the following symmetric encryption algorithms has the fastest
encryption and decryption in the same scenario? A. DES B. 3DES C. RSA (1024) D. MD5
Answer: A

QUESTION NO: 350 GRE VPN technology is mainly used in which of the following
scenarios? (Choose two) A. Connecting discontinuous subnets B. Connecting non-IP protocol
networks via an IP network C. Connecting networks that require confidential data transfer
via GRE VPN D. Networks that need to provide flow control characteristics and QoS
Answer: A,B

QUESTION NO: 351 Which of the following statements about NAS-Initialized L2TP VPN are
correct? (Choose three) A. Remote users access the NAS (LAC) via PSTN/ISDN, and the LAC
determines whether they are L2TP users. B. For a remote user that is an L2TP user, the LAC
initiates a channel connection establishment request to the LNS. C. LNS assigns a private
IP address for remote dial-up users D. Validation of remote dial-up users can only be done
at the LNS Answer: A,B,C

QUESTION NO: 352 When configuring the SVN3000, VPNDB user information can be created one
entry at a time, or created in batches by importing a file. A. True B. False Answer: A

QUESTION NO: 353 In an IPSec VPN configuration, if you use pre-shared key authentication
mode, you can choose whether to configure the key for the end, but if you configure a key,
the key must be the same on both sides. A. True B. False Answer: B

QUESTION NO: 354 You can also use the template mode IPSEC remote-address is the
address specified above. A. True B. False Answer: A

QUESTION NO: 355 In an ADSL configuration, dialer-rule 1 ip permit corresponds to which of
the following configurations? A. dialer1 B. dialer bundle 1 C. dialer-group 1
D. pppoe-client dial-bundle-number 1 Answer: C

QUESTION NO: 356 For the end user, the SVN is equivalent to a web __________, while for
the internal servers, the SVN assumes the role of __________: A. Server, B. The client, the
client C. Client, server D. Server, the client Answer: D

QUESTION NO: 357 NAT technology encrypts the network layer information (IP header) of data
packets to enhance the security of the data. A. True B. False Answer: B

QUESTION NO: 358 All categories of access control list support IP quintuple access
control. A. True B. False Answer: B

QUESTION NO: 359 A GRE tunnel is established between two companies through the Internet.
Company A's network port IP address is 192.168.0.1, its Tunnel port IP address is
10.10.10.1, its Loopback port IP address is 172.16.15.1, and its external network IP
address is 171.13.15.1. In Tunnel interface mode, which address is configured as the
source address? A. 192.168.0.1 B. 10.10.10.1 C. 172.16.15.1 D. 171.13.15.1 Answer: D

QUESTION NO: 360 On USG (Eudemon) series firewalls, which of the following techniques is
matched first? A. Packet filtering B. Attack prevention C. Blacklist D.
White List Answer: C

QUESTION NO: 361 The main difference between symmetric and asymmetric encryption
algorithms is that the algorithms are different, but both use the same key to
encrypt and decrypt. A. True B. False Answer: B

QUESTION NO: 362 Which of the following IKE exchange modes does not provide
identity protection? A. Master Mode B. Aggressive Mode C. Fast mode D. Passive mode
Answer: B

QUESTION NO: 363 Huawei firewall nat outbound supports which of the following scenarios?
(Choose three) A. One address translation B. -Many address translation C. -Many address
translation D. Many-to- address translation Answer: A,C,D
