Huawei H12-721 Certification Exam Material - Free Download and Guaranteed Pass
Demo :
Exam code : H12-721
Exam name : HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network)
QUESTION NO: 1
The main method of caching servers DNS Request Flood defense is the use of DNS source
authentication.
A. TRUE
B. FALSE
Answer: A
Explanation:
QUESTION NO: 2
Refer to the following diagram in regards to Bypass mode.
Which of the following statements is correct a few? (Choose two answers)
A. When the interface is operating in a non-Bypass state, the flow from the inflow of USG
Router_A interfaces from GE0, GE1 after USG treatment from the interface flow Router_B.
B. When the Interface works in Bypass state, traffic flow from the interface by the Router_A GE0
USG, USG without any treatment, flows directly Router_B flows from the GE1 interfaces.
C. When there are firewall requirements to achieve security policies, while working at the interface
Bypass state to operate without interruption. Therefore, the device can be maintained in the
Bypass state job.
D. Power Bypass interface can work in bridge mode, and can work with the bypass circuit.
Answer: A,B
Explanation:
QUESTION NO: 3
With the Huawei abnormal flow cleaning solution, deployed at the scene of a bypass, drainage
schemes can be used to have? (Choose three answers)
A. Dynamic routing drainage
B. Static routing strategy drainage
C. Static routing drainage
D. MPLS VPN cited
Answer: A,B,C
Explanation:
QUESTION NO: 4
Regarding IKE main mode and aggressive modes, which of the following statements is correct?
A. In savage mode with the the first phase of negotiation, all packets are encrypted
B. All main mode packts under the first phase of negotiation are encrypted
C. The DH algorithm is used in aggressive mode
D. Whether the negotiation is successful or not, IKE will enter into fast mode
Answer: C
Explanation:
QUESTION NO: 5
A network is shown below.
A dial customer cannot establish a connection via a VPN client PC and USG (LNS) l2tp vpn.
What are valid reasons for this failure? (Choose three answers)
A. LNS tunnel tunnel name change is inconsistent with the client name.
B. L2TP tunnel authentication failed.
C. PPP authentication fails, PPP authentication mode set on the client PC and LNS inconsistent.
D. Client PC can not obtain an IP address assigned to it from the LNS.
Answer: B,C,D
Explanation:
QUESTION NO: 6
From the branch offices, servers are accessed from the Headquarters via IPsec VPN. An IPSEC
tunnel can be established at this time, but communication to the servers fails. What are the
possible reasons? (Choose three answers)
A. Packet fragmentation, the fragmented packets are discarded on the link.
B. Presence opf dual-link load balancing, where the path back and forth may be inconsistent.
C. Route flapping.
D. Both ends of the DPD detection parameters are inconsistent.
Answer: A,B,C
Explanation:
QUESTION NO: 7
A user has been successfully authenticated using an SSL VPN. However, users can not access
the Web-link resources through the Web server.
Using the information provided, which of the following is correct?
A. Network server does not have the Web services enabled.
B. Virtual Gateway policy configuration error
C. Virtual connection between the gateway and the network server is not normal
D. Virtual gateway and network server is unreachable
Answer: A
Explanation:
QUESTION NO: 8
According to the network diagram regarding hot standby, which of the following are correct?
(Choose three answers)
A. VRRP backup group itself has preemption. As shown, when USG_A failurs and is restored,
USG_A re-use preemption becomes it has master status.
B. With VGMP management group preemption and VRRP backup groups, when the management
group fails and recovers, the priority management group will also be restored.
C. By default, the preemption delay is 0.
D. If a VRRP group is added to the VGMP management group, preemption will fail. The VGMP
unified management group decides this behavior.
Answer: A,B,D
Explanation:
QUESTION NO: 9
Which of the following are correct regading TCP and TCP proxy on the reverse source detection?
(Choose three answers)
A. TCP and TCP proxy detection can prevent reverse source SYN Flood.
B. TCP proxy acts as a proxy device. TP is connected between both ends, when one end initiates
a connection with the device it must complete the TCP three-way handshake.
C. With TCP proxy mode attack prevention, detection mechanism must be turned on.
D. TP reverse source probes to detect the source IP packets by sending a Reset.
Answer: A,B,C
Explanation:
QUESTION NO: 10
IPsec tunneling is used as a backup connection as shown below:
Which of the following statements are true about the tunnel interface? (Choose two answers)
A. IPsec security policy should be applied to the tunnel interface
B. Protocol for the Tunnel Interface must be GRE.
C. Tunnel interface needs to be configured on the IP address and the IP address of the gateway.
The external network IP address of the outgoing interface must be in the same network segment.
D. Tunnel interfaces can be added to any security zone, provided they have the appropriate interdomain
security policies.
Answer: A,D
Explanation:
QUESTION NO: 11
The DHCP Snooping binding table function needs to maintain its binding table of contents that
include? (Choose three answers)
A. MAC
B. Vlan
C. Interface
IP D. DHCP Server's
Answer: A,B,C
Explanation:
QUESTION NO: 12
Through the configuration of the Bypass interface, you can avoid network communication
interruption caused by equipment failure and improve reliability. The power Bypass function can
use any network interfaces to configure the Bypass GE parameters to achieve the Bypass
function.
A. TRUE
B. FALSE
Answer: B
Explanation:
QUESTION NO: 13
Which of the following statements about IPsec and IKE following are correct? (Choose three
answers)
A. With IPsec there are two ways to establish the security association, manual mode (manual) and
IKE auto-negotiation (Isakmp) mode.
B. IKE aggressive mode can be selected based on negotitations initiated by the tunnel endpoint IP
address or ID, to find the corresponding authentication word and finalize negotiations.
C. The NAT traversal function is used to delete the IKE negotiation verification process for UDP
port numbers, while achieving a VPN tunnel to discover the NAT gateway function. If a NAT
gateway device is used, then the data transfer after the IPsec uses UDP encapsulation.
D. IKE security mechanisms include DH Diffie-Hellman key exchange and distribution; improve the
security front (Perfect Forward Secrecy PFS), encryption, and SHA1 algorithms.
Answer: A,B,C
Explanation:
QUESTION NO: 14
In the attack shown below, a victim host packet captures the traffic. According to the information
shown, what kind of attack is this?
A. SYN Flood
B. SYN-ACK Flood
C. ACK-Flood
D. Connection Flood
Answer: C
Explanation:
QUESTION NO: 15
In IPsec VPN with NAT traversal, you must use IKE aggressive mode.
A. TRUE
B. FALSE
Answer: B
Explanation:
QUESTION NO: 16
A man in the middle attack refers to an intermediate that sees the data exchange between server
and client. To the server, all messages appear to be sent to or received from the client; and to the
client all the packets appear to have been sent to or received from the server. If a hacker is using
the man-in-the-middle attack, the hacker will send at least two data packets as shown to achieve
this attack.
Which of the following packet 1 and packet 2 Field Description is correct? (Choose two answers)
A. Packet 1:
Source IP 1.1.1.1
Source MAC C-C-C
The purpose of IP 1.1.1.2
The purpose of Mac B-B-B
B. Packet 1:
Source IP 1.1.1.3
Source MAC C-C-C
The purpose of IP 1.1.1.2
The purpose of Mac B-B-B
C. Packet 2:
Source IP 1.1.1.2
Source MAC C-C-C
The purpose of IP 1.1.1.1
The purpose of Mac A-A-A
D. Packet 2:
Source IP 1.1.1.3
Source MAC C-C-C
The purpose of IP 1.1.1.1
The purpose of Mac A-A-A
Answer: A,C
Explanation:
QUESTION NO: 17
In an Eth-Trunk interface, you can achieve load balancing by configuring different weights on each
member link.
A. TRUE
B. FALSE
Answer: A
Explanation:
QUESTION NO: 18
A SSL VPN login authentication is unsuccessful, and the prompt says "wrong user name or
password." What is wrong?
A. The username and password entered incorrectly.
B. There is a user or group filter field configuration error.
C. There is a certificates filter field configuration error.
D. The administrator needs to configure the source IP address of the terminal restriction policy.
Answer: D
Explanation:
QUESTION NO: 19
SSL works at the application layer and is encrypted for specific applications, while IPsec operates
at which layer and provides transparent encryption protection for this level and above?
A. The data link layer
B. Network Layer
C. Transport Layer
D. Presentation Layer
Answer: B
Explanation:
QUESTION NO: 20
The IP-MAC address binding configuration is as follows:
[USG] firewall mac-binding 202.169.168.1 00e0-fc00-0100
When the data packets travel through the Huawei firewall device, and other strategies such as
packet filtering, attack prevention are not considered, the following data ttravels hrough the firewall
device? (Choose two answers)
A. Packet source IP: 202.169.168.1
Packet source MAC: FFFF-FFFF-FFFF
B. Packet source IP: 202.169.168.2
Packet source MAC: 00e0-fc00-0100
C. Packet source IP: 202.1.1.1
Packet source MAC: 00e0-fc11-1111
D. Packet source IP: 202.169.168.1
Packet source MAC: 00e0-fc00-0100
Answer: C,D
Explanation:
QUESTION NO: 21
Dual hot standby load balancing service requires three interfaces, one for the line connecting the
router, and two USG facilities mutual backup, configuration commands are “hrp track master” and
“hrp track slave”
A. TRUE
B. FALSE
Answer: A
Explanation:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment