Huawei

Exam H12-711
HCNA-Security-CBSN (Huawei Certified Network Associate -
Constructing Basic Security Network)

Total Questions: 363 Q&A's


Web URL: http://www.becertify.com/h12-711-exam-training-49223.htm

Huawei H12-711 Exam
QUESTION NO: 1

User Wang dials an L2TP VPN from outside the network with the VPN client, obtains an address
normally, and can access all resources within the network, but cannot open pages on the Internet.
What is a possible reason?

A. vpn device software version is incorrect
B. vpn client software version is incorrect
C. Misconfigured firewall l2tp
D. After the dial-in l2tp vpn, default route points to the local computer dial-up access to the
address

Answer: D

QUESTION NO: 2

In tunnel mode with the AH security protocol, which of the following fields of the new IP packet
header is not covered by the data integrity check?

A. TTL
B. Source IP address
C. Destination IP address
D. The source IP address and destination IP address

Answer: A

QUESTION NO: 3

When using SSL VPN file sharing applications, a user name, password, and domain information must
be entered; in order not to enter a user name and password, you can set the permissions on the
file sharing server.

A. True
B. False

Answer: A

"Pass Any Exam. Any Time." - 100% Guarantee 2


QUESTION NO: 4

Which of the following is an IETF industry-standard VPN protocol?

A. PPTP
B. L2F
C. L2TP
D. PP2F

Answer: C

QUESTION NO: 5

Difference IPSEC security protocol that AH AH and ESP can achieve data encryption, data
validation to support a wider range of ESP?

A. True
B. False

Answer: B

QUESTION NO: 6

ASPF makes firewall to support multiple data channels of a control on the channel protocol, but
also to facilitate the formulation of policies in various security applications are very complex
situation.

A. True
B. False

Answer: A

QUESTION NO: 7

In the SVN3000 network extension application, the client obtains an IP address in two ways: from
the virtual gateway address pool and from a DHCP server within the network.

A. True
B. False

Answer: A

QUESTION NO: 8

What is the difference between Network Address Port Translation (NAPT) and Network Address
Translation (NAT)? (Choose two)

A. After NAPT conversion, for users outside the network, all packets come from the same IP
address or from a few IP addresses
B. NAT only supports application layer protocol address translation
C. NAPT only supports network layer protocol address translation
D. NAT supports network layer protocol address translation

Answer: A,D

QUESTION NO: 9

In a GRE configuration environment, under the Tunnel interface mode, what does the destination
address generally refer to?

A. The end of the Tunnel interface IP address
B. The end of the IP address outside the network outlet
C. Peer IP address outside the network entry
D. Remote Tunnel Interface IP address

Answer: C

QUESTION NO: 10

Which of the following are IPSec security protocols? (Choose two)

A. AH
B. ESP
C. 3DES
D. AES

Answer: A,B

QUESTION NO: 11

What is the correct order of the SVN3000 file sharing interaction process?

1. The file server accepts the request packet and sends the response in SMB packet format to the
SVN;

2. The client user initiates a request to the intranet file server in HTTPS format, which is sent
to the SVN;

3. The SVN converts the SMB response packet to HTTPS format and forwards it to the client;

4. The SVN converts the HTTPS request packet to SMB packet format and forwards it to the file
server.

A. 1-2-3-4
B. 2-4-1-3
C. 3-1-4-2
D. 3-1-2-4

Answer: B

QUESTION NO: 12

Access control lists are mainly used in which of the following scenarios? (Choose three)

A. Network Address Translation (NAT)
B. QOS
C. Policy Routing
D. GRE

Answer: A,B,C

QUESTION NO: 13

Which of the following protocols are GRE VPN technology in the world's most used Internet
transport protocol?

A. GRE
B. IPX
C. IP
D. TCP

Answer: C

QUESTION NO: 14

When using one or many-way NAT translation (non-PAT), if all external IP addresses are in use
(in the scenario of using NAT technology to access the Internet), what will happen to subsequent
network users accessing the Internet?

A. Squeezing out the previous user, forcing the NAT Internet
B. Subsequent users will not access the network
C. NAT PAT automatically switch to the Internet
D. The packets are synchronized to other devices for NAT NAT translation

Answer: B

QUESTION NO: 15

Which of the following is a multi-channel protocol?

A. FTP
B. Telnet
C. HTTP
D. SMTP

Answer: A

QUESTION NO: 16

Which description of stateful inspection firewalls and packet filtering firewalls is correct?

A. Packet filtering firewall is not required for each packet entering the firewall rule matching;
B. Because the UDP protocol is connectionless-oriented protocol, so stateful inspection firewall
UDP packets cannot match state table;
C. When stateful inspection firewall to inspect packets, packets of the same before and after the
connection is not relevant.
D. Stateful inspection firewall only needs to connect to the first packet to match the access
rule, which is connected directly to the subsequent packets matching (to TCP applications, for
example) in the state table

Answer: D

QUESTION NO: 17

Firewalls can protect the internal network security in the Internet, but cannot protect the host
security in an internal network.

A. True
B. False

Answer: B

QUESTION NO: 18

Packet filtering that references acl2000 is applied on a firewall interface. When an IP packet
with source IP address 192.168.0.55 reaches the interface, which of the following statements are
correct? (Choose two)

acl 2000 match-order auto
 rule permit source 192.168.0.1 0.0.0.255
 rule deny source 192.168.0.32 0.0.0.31

A. The IP packet matches the permit rule and is forwarded by the firewall
B. The IP packet matches the deny rule and is discarded by the firewall
C. acl2000 uses the configuration order as its match priority
D. acl2000 uses a depth-first match order

Answer: B,D

QUESTION NO: 19

SVN file sharing technology converts the file sharing protocol to the SSL-based Hypertext Transfer
Protocol (HTTPS); to end users it appears as a Web-based file server application.

A. True
B. False

Answer: A

QUESTION NO: 20

By what information (protocol field) does the LNS determine that a packet is an L2TP packet and
send it to the L2TP protocol processing module for processing?

A. LAC client source IP address
B. The LNS destination IP address
C. Source UDP port 1701
D. UDP port 1701

Answer: D

QUESTION NO: 21

When TSM system supports strong linkage anti-virus software, anti-virus software will be able to
drive anti-virus and other operations.

A. True
B. False

Answer: A

QUESTION NO: 22

In which of these types of scenarios do mobile users need to install additional VPDN software
with L2TP features?

A. Based on user-initiated L2TP VPN
B. Based on NAS-initiated L2TP VPN
C. Initiated based on LNS L2TP VPN
D. All other options are

Answer: B

QUESTION NO: 23

Which of the following is a main feature of a stateful inspection firewall?

A. Processing speed
B. Excellent follow-up packet processing performance
C. Only detect the network layer
D. Packet filtering detection for each package

Answer: B

QUESTION NO: 24

When configuring L2TP, which statement about the command allow l2tp virtual-template is correct?

A. LNS is used to specify the trigger condition to initiate a call
B. LAC is used to specify the trigger condition to initiate a call
C. LAC is used to specify the call to accept Virtual-Template used
D. LNS to accept the call to specify the use of Virtual-Template

Answer: D

QUESTION NO: 25

Which of the following security features can AH provide? (Choose three)

A. Data origin authentication
B. Data Confidentiality
C. Data integrity check
D. Anti-replay

Answer: A,C,D

QUESTION NO: 26

Which of the following protocols is a multi-channel protocol?

A. WWW
B. FTP
C. PING
D. TELNET

Answer: B

QUESTION NO: 27

PPPoE is mainly used in which scenario?

A. Provide remote access users access to Ethernet
B. Provide access to remote Ethernet services for dial-up users
C. Enables users to access the Internet data packets are encrypted
D. To the user can access the Internet faster

Answer: A

QUESTION NO: 28

Which of the following statements about E1 and CE1 are correct? (Choose three)

A. Can operate in clear channel mode
B. E1 work in the non-channel mode are unframed mode
C. E1 work in framing mode, only once timeslot bundling
D. CE1 work in unframed mode, you can bundle multiple slots

Answer: A,C,D

QUESTION NO: 29

A packet filtering firewall inspects each packet at the application layer and forwards or discards
packets according to the configured security policy.

A. True
B. False

Answer: B

QUESTION NO: 30

Interzone packet filtering matching principle is: first find inter-domain Policy, if there is no matching
policy, the domain will not find among other strategies, but directly to discard the packet, refused
to pass.

A. True
B. False

Answer: B

QUESTION NO: 31

Meaning Trunk Access Port PVID value and significance of the port PVID bit different, in Access
represents the value of the default VLAN, but said the port belongs to the VLAN Trunk actually.

A. True
B. False

Answer: B

QUESTION NO: 32

Compare similar symmetric encryption algorithms and asymmetric encryption algorithm key
distribution method, encryption and decryption are performed by the information sent to the
receiver key, the method can be used to send E-mail and other means.

A. True
B. False

Answer: B

QUESTION NO: 33

A packet filtering firewall does not check session state or analyze data content, so security
cannot be adequately protected.

A. True
B. False

Answer: A

QUESTION NO: 34

The strength of asymmetric encryption algorithms is greater than that of symmetric algorithms,
because asymmetric algorithms have a longer key length.

A. True
B. False

Answer: B

QUESTION NO: 35

Which of the following types of SVN3000 virtual gateway can be accessed using the IP address and
can also be accessed using the domain name?

A. Exclusive type
B. Share-based
C. Fixed
D. Manual type

Answer: A

QUESTION NO: 36

Stateful inspection firewall intercepts packets at the network layer and application layer extracted
from each state information security policies need, and save the session table, through the
analysis of these sessions tables and data packets associated with the connection request to
make a follow-up appropriate decision.

A. True
B. False

Answer: A

QUESTION NO: 37

In which of the following L2TP VPN modes is the tunnel established between the client side and
the LNS?

A. Client-Initialized L2TP way
B. NAS-Initialized L2TP way
C. Unsolicited L2TP
D. VPDN

Answer: A

QUESTION NO: 38

Which VPNs are suitable for mobile user access? (Choose two)

A. GRE
B. L2TP
C. MPLS
D. L2TP + IPSec

Answer: B,D

QUESTION NO: 39

The NAT configuration of a USG (Eudemon) firewall is as follows:

nat address-group 1 10.1.1.5 10.1.1.10
nat server 1 protocol tcp global 1.1.1.1 ftp inside 10.1.1.2 ftp
nat-policy interzone dmz untrust inbound
 policy 0
  action source-nat
  policy destination 1.1.1.1 0
  address-group 1

Which of the following statements is correct?

A. NAT outbound configuration, network users to access the external network into an address in
the address pool 10.1.1.5 10.1.1.10
B. untrust host access nat server 1.1.1.1, destination address into 10.1.1.2, the original address
unchanged
C. Built-domain nat, DMZ host access nat server 1.1.1.1, destination address into 10.1.1.2, the
source address into the address pool 1
D. NAT inbound configuration, untrust host access nat server 1.1.1.1, destination address into
10.1.1.2, the source address into the address pool 1

Answer: D

QUESTION NO: 40

Which of the following are common symmetric encryption algorithms? (Choose three)

A. DES
B. 3DES
C. AES
D. MD5

Answer: A,B,C

QUESTION NO: 41

What address range does rule permit ip source 192.168.11.32 0.0.0.31 represent?

A. 192.168.11.0-192.168.11.255
B. 192.168.11.32-192.168.11.63
C. 192.168.11.31-192.168.11.64
D. 192.168.11.32-192.168.11.64

Answer: B

QUESTION NO: 42

Which of the following statements about NAT address translation are correct? (Choose three)

A. NAT technology can effectively hide the hosts on the LAN, is an effective network security
technology.
B. NAT can follow the user’s needs, providing FTP, WWW, Telnet and other services outside the
LAN.
C. Some application layer protocols carry IP address information in the data, but also to modify
the data in the upper IP address information when they make NAT.
D. For some non-TCP, UDP protocol (such as ICMP, PPTP), NAT cannot do the conversion.

Answer: A,B,C

QUESTION NO: 43

When configuring IPSec, which statements about the ike local-name command are correct? (Choose
two)

A. When using aggressive mode with name authentication, you need to configure the local name
B. Use main mode when you need to configure the local name
C. The local name must be consistent with the remote-name configured on the peer side
D. The local name must be consistent with the locally configured remote-name

Answer: A,C

QUESTION NO: 44

In which of the following ways can the SVN3000 control user access? (Choose three)

A. IP
B. MAC
C. PORT
D. URL

Answer: A,C,D

QUESTION NO: 45

When the devices at both ends of the tunnel use the IPSec non-template approach, the ACLs need to
be configured as complete mirrors of each other.

A. True
B. False

Answer: A

QUESTION NO: 46

Which of the following descriptions of the standard ACL is wrong?

A. Standard access control list, also known as basic access control lists.
B. Standard access control list including rule number, perform an action and the source IP
address.
C. Application of standard access control lists typically need only the source address of the packet
defined scenes.
D. Standard access control list can be controlled protocol type

Answer: D

QUESTION NO: 47

Which of the following protocols work at the data link layer? (Choose three)

A. IP
B. PPP
C. HDLC
D. FR

Answer: B,C,D

QUESTION NO: 48

Which of the following hardware components SACG primarily for data exchange?

A. SM management server
B. SC control server
C. Agent
D. The database server

Answer: B

QUESTION NO: 49

Which of the following types of Ethernet switch ports, after the data flow out of the port may also
carry VLAN identification? (Choose two)

A. Access Port
B. Trunk port
C. Hybrid port
D. Switch port

Answer: B,C

QUESTION NO: 50

With the SVN3000 network extension feature, to ensure that a remote user can access only the
corporate network and cannot access the local LAN or the Internet, which routing mode does the
client need to use?

A. Full-channel mode (Full Tunnel)
B. Separation channel mode (Split Tunnel)
C. Routing (route Tunnel)
D. Manually (Manual Tunnel)

Answer: A

QUESTION NO: 51

Source socket means: source IP address + port + source and destination IP address

A. True
B. False

Answer: B

QUESTION NO: 52

For inter-domain packet filtering, which of the following statements are correct? (Choose three)

A. policy 1 disable command to disable policy 1
B. By default, Policy to create higher the priority, the more the first match
C. By policy move command to adjust the position of the policy, policy id will change accordingly
D. Once matched to a Policy, in accordance with the Policy on the definition of processing packets
no longer continue to match directly down

Answer: A,B,D

QUESTION NO: 53

When a router receives a packet and no matching specific route entry is found, the packet can be
forwarded according to the default route.

A. True
B. False

Answer: A

QUESTION NO: 54

Advanced ACLs 2000 ~ 2999 can define rules using the source address, destination address, protocol
type, and the upper-layer information carried by IP (such as TCP source port, destination port,
ICMP protocol type, message code, etc.).

A. True
B. False

Answer: B

QUESTION NO: 55

In firewall inter-domain packet filtering, which of the following is not the Outbound direction?

A. Data from the DMZ zone to the Untrust zone flow
B. Data from the Trust zone to the DMZ zone flow
C. Data from the Trust zone to the Untrust zone flow
D. Data from the Trust zone to the Local area streams

Answer: D

QUESTION NO: 56

Which command is used to view l2tp user information?

A. display l2tp session
B. display l2tp tunnel
C. display access-user
D. display right-manager online-users

Answer: C

QUESTION NO: 57

Which of the following statements about Client-Initialized L2TP VPN are correct? (Choose three)

A. L2TP tunnel connection request initiated remote users via PSTN / ISDN access to NAS, to get
permission to access the Internet directly to the remote LNS.
B. L2TP LNS device receives user connection requests, based on the user name and password to
authenticate the user
C. LNS assigns a private IP address for the remote user.
D. VPN remote dial-up users do not need to install software

Answer: A,B,C

QUESTION NO: 58

Which of the following products can be achieved on NAT audit log management?

A. TSM
B. DSM
C. eLog
D. VSM

Answer: C

QUESTION NO: 59

Note that when the Clear to clear ISAKMP SA SA Stage 1, and then remove IPSEC SA Phase 2.

A. True
B. False

Answer: B

QUESTION NO: 60

Which of the following components of the TSM system is optional?

A. TMC (TSM Management Center)
B. SM Security Manager
C. SC safety controller
D. SA Security Agent

Answer: A

QUESTION NO: 61

For the same encryption algorithm under the same conditions, the longer the key length, the
higher the cost of cracking it.

A. True
B. False

Answer: A

QUESTION NO: 62

If IPSec is to validate the new IP packet header, which IPSec security protocol must be used?

A. AH
B. ESP
C. MD5
D. SHA1

Answer: A

QUESTION NO: 63

Which of the following is not included in a digital certificate?

A. Name of the certificate holder
B. The certificate is valid
C. Public key certificate
D. Certificate private key

Answer: D

QUESTION NO: 64

Which of the following access modes is not supported by network extension?

A. Separation mode (Split Tunnel)
B. Full routing mode (Full Tunnel)
C. Fixed Mode (Fixed Tunnel)
D. Manual mode (Manual Tunnel)

Answer: C

QUESTION NO: 65

Which of the following three types of VPN more assurance in terms of security?

A. GRE
B. PPTP
C. IPSec
D. L2F

Answer: C

QUESTION NO: 66

IP-link is mainly used in which of the following scenarios? (Choose two)

A. Link Aggregation
B. Static Routing
C. Hot Standby
D. Long connection

Answer: B,C

QUESTION NO: 67

Which of the following statements about ASPF are correct? (Choose two)

A. ASPF checking application layer protocol application layer protocol information and monitor the
connection status
B. ASPF by dynamically generating ACL to determine whether the packet through the firewall
C. Servermap table is a temporary table entry
D. Servermap table with the five-tuple to represent a conversation

Answer: A,C

QUESTION NO: 68

Under all circumstances, packets flowing between two interfaces must pass through the firewall's
interzone packet filtering.

A. True
B. False

Answer: B

QUESTION NO: 69

For E1/CE1 configuration (1. configure the virtual serial port IP address; 2. configure the
virtual serial port link layer protocol; 3. configure the E1 mode; 4. configure timeslot
bundling), the correct configuration sequence is:

A. 1-2-3-4
B. 2-1-3-4
C. 3-4-2-1
D. 4-3-2-1

Answer: C

QUESTION NO: 70

In network security, interruption means that an attacker compromises the resources of a network
system, making them invalid or useless. This is a () attack?

A. Availability
B. Confidentiality
C. Integrity
D. Truth

Answer: A

QUESTION NO: 71

Which of the following types of VPN is suitable for personnel on business trips?

A. Access VPN
B. Intranet VPN
C. Internet VPN
D. Extranet VPN

Answer: A

QUESTION NO: 72

Which of the following statements about NAT are wrong? (Choose two)

A. NAT Outbound refers to the source IP address conversion, NAT Inbound refers to the
destination IP address conversion
B. NAT Inbound NAT Server commands and command consistent feature configuration can be
selected according to personal preference
C. Outbound direction NAT supports the following applications: one -many,many-to-
D. NAT technology to support multi-channel protocols, such as FTP and other standard
multi-channel protocol

Answer: A,B

QUESTION NO: 73

In the system view, execute the command reset saved-configuration, the configuration file will be
erased.

A. True
B. False

Answer: B

QUESTION NO: 74

In IPSEC VPN, the tunnel mode is mainly used in which of the following scenarios?

A. Between the host and the host
B. Between the host and the security gateway
C. Between security gateways
D. Between tunnel mode and transport mode

Answer: C

QUESTION NO: 75

ACL 2009 belongs to ()

A. Standard access control list
B. Extended access control lists
C. MAC address-based access control lists
D. Time-based access control lists

Answer: A

QUESTION NO: 76

The TSM system consists of which of the following regions? (Choose three)

A. Pre-authentication domain
B. After authentication domain
C. Isolated domain
D. TSM domain

Answer: A,B,C

QUESTION NO: 77

Which protocols are used to communicate between the Client and the LAC? (Choose two)

A. PPP
B. PPPOE
C. IP
D. UDP

Answer: A,B

QUESTION NO: 78

In some scenarios, it is necessary to convert both the source IP address and the destination IP
address; this is called bidirectional NAT.

A. True
B. False

Answer: A

QUESTION NO: 79

Which of the following devices is not affected by the "Monitoring USB storage device" policy
control?

A. USB mouse
B. U disk
C. USB drive
D. USB hard drives

Answer: A

QUESTION NO: 80

After acl 3000 match-order auto is configured, in what way will data flows be matched against the
ACL?

A. Matching automatically sorted according to the "depth-first" principle to match.
B. Match the order configured. That is according to the order the user to configure the ACL match.
C. Press the automatic sorting match,then match the order configured.
D. The firewall is not configured

Answer: A

QUESTION NO: 81

If the devices at both ends of a GRE tunnel are configured with an identification keyword, the
keywords must be consistent in order to pass validation.

A. True
B. False

Answer: A

QUESTION NO: 82

On the firewall, in which mode is the detect ftp command configured?

A. System Mode
B. Interface Mode
C. Domain mode
D. Inter-domain model

Answer: D

QUESTION NO: 83

Tunnel interface (Tunnel Interface) is a virtual interface to achieve multipoint type of packet
encapsulation provided.

A. True
B. False

Answer: B

QUESTION NO: 84

Which access modes does the SVN3000 network extension support? (Choose three)

A. Full-channel mode (Full Tunnel)
B. Separation channel mode (Split Tunnel)
C. Routing (route Tunnel)
D. Manually (Manual Tunnel)

Answer: A,B,D

QUESTION NO: 85

Which of the following statements about L2TP messages is wrong?

A. L2TP supports two types of messages: control messages and data messages
B. Control messages for tunnel and session connection establishment, maintenance, and
transmission control.
C. Data messages are used to encapsulate PPP frames and transmitted over the tunnel.
D. Control messages and data messages are transmitted reliably provide flow control and
congestion control.

Answer: D

QUESTION NO: 86

When a data frame enters a switch Access port, the port checks whether the frame carries a VLAN
tag; if it does, the frame is discarded; if it does not, the frame is marked with the PVID of
the port.

A. True
B. False

Answer: A

QUESTION NO: 87

About GRE checksum verification techniques, when the end of the configuration checksum while
the client does not check and when configured correctly described below have () (Choose two)

A. The end of paper checks and verification of a received message
B. Peer checks the received packet checksum
C. The end of the checksum is calculated and sent packets
D. For end-to- send packets to calculate the checksum

Answer: B,C

QUESTION NO: 88

Private network addresses of an enterprise cannot be routed on the Internet; if a user with a
private network address needs to access the Internet, the traffic needs to go through NAT.

A. True
B. False

Answer: A

QUESTION NO: 89

A security association (SA) is uniquely identified by a tuple of which of the following? (Choose
three)

A. SPI
B. Source IP address
C. Destination IP address
D. Security Protocol No.

Answer: A,C,D

QUESTION NO: 90

An advanced ACL can match traffic on the dimensions of source IP address, destination IP address,
source MAC address, destination MAC address, and protocol.

A. True
B. False

Answer: B

QUESTION NO: 91

Which of the following statements about TSM deployment are correct? (Choose three)

A. Centralized deployment of SM and SC cannot be installed on the same server
B. SC centralized deployment can be made into a cluster approach to achieve system redundancy
C. The size of the terminal is quite large, consider using a distributed network, to avoid a large
number of terminal access TSM server, take up a lot of network bandwidth
D. When distributed deployment, TSM security agents to select the nearest control server, access
authentication and access control, and other business.

Answer: B,C,D

QUESTION NO: 92

LAC is a device with PPP and L2TP protocol processing capabilities.

A. True
B. False

Answer: A

QUESTION NO: 93

Which of the following IKE exchange modes can identify the peer by IP address or by name?

A. Master Mode
B. Aggressive Mode
C. Fast mode
D. Passive mode

Answer: B

QUESTION NO: 94

When configuring L2TP, which statements about the command start l2tp {ip ip-address, are correct?
(Choose three)

A. LNS is used to specify the trigger condition to initiate a call
B. LAC is used to specify the trigger condition to initiate a call
C. You can specify the domain name as a trigger condition
D. You can specify the full name as a trigger condition

Answer: B,C,D

QUESTION NO: 95

What is the default step of firewall access control lists?

A. 1
B. 3
C. 5
D. 10

Answer: C

QUESTION NO: 96

Which of the following techniques can be implemented to refuse illegal host or illegal data
packets? (Choose three)

A. MAC and IP address binding
B. ACL
C. Blacklist
D. Static Routing

Answer: A,B,C

QUESTION NO: 97

Which of the following can VPN Client users use to initiate a request to the LAC device? (Choose
two)

A. PPP
B. PPPOE
C. IP
D. TCP

Answer: A,B

QUESTION NO: 98

By which of the following does GRE select the protected data stream, that is, the packets to be
encapsulated into GRE packets?

A. ACL
B. Static Routing
C. Routing Policy
D. User Account

Answer: B

QUESTION NO: 99

What are the main differences between IKE main mode and aggressive mode? (Choose two)

A. Main mode exchanges three messages; aggressive mode uses six messages
B. The last two messages of main mode are encrypted, providing identity protection
C. The last two messages of aggressive mode are encrypted, providing identity protection
D. Main mode can identify the peer only by IP address, while aggressive mode can identify the
peer by IP address or by name.

Answer: B,D

QUESTION NO: 100

In IPSec tunnel mode, which of the following parts of a data packet are protected by encryption?
(Choose two)

A. The entire data packet
B. Original IP header
C. The new IP header
D. Transport layer and upper layer packets

Answer: B,D

QUESTION NO: 101

Which of the following types of interfaces can handle PPP protocol packets?

A. interface Virtual-Template 1
B. interface Ethernet 0/0 (within the network)
C. interface Ethernet 0/0 (external network)
D. interface loopback 1

Answer: A

QUESTION NO: 102

On a stateful inspection firewall, a TCP packet that is not the first packet is not checked by
interzone packet filtering.

A. True
B. False

Answer: A

QUESTION NO: 103

What is the maximum number of concurrent users supported by a single TSM server system?

A. 5000
B. 10000
C. 20000
D. 40000

Answer: C

QUESTION NO: 104

Which of the following IKE exchange modes can identify the peer only by IP address?

A. Master Mode
B. Aggressive Mode
C. Fast mode
D. Passive mode

Answer: A

QUESTION NO: 105

Which of the following protocols work at the application layer? (Choose two)

A. ARP
B. IGMP
C. TELNET
D. TFTP

Answer: C,D

QUESTION NO: 106

After the LAC configure the Ethernet interface to bind the virtual template interface, Ethernet
interface may configure the IP address.

A. True
B. False

Answer: A

QUESTION NO: 107

Which of the following statements about the firewall's built-in trust and untrust security zones
are correct? (Choose two)

A. Untrust zone access area from the trust direction outbound direction
B. Untrust zone access area from the trust direction inbound direction
C. Follow the direction of inter-domain access does not matter which area initiated only associated
with priority
D. When entering the inter-domain view, the trust must be placed in front of the area

Answer: A,C

QUESTION NO: 108

Which of the following protocols work at the network layer? (Choose two)

A. ICMP
B. IGMP
C. FTP
D. TELNET

Answer: A,B

QUESTION NO: 109

When forwarding packets based on routing table information, which of the following determines
the route that is matched for forwarding?

A. Mask length of the longest route entry
B. Cost routing
C. Route priority
D. Routing Protocol

Answer: A

QUESTION NO: 110

Which statement about the IP address obtained after successful L2TP user authentication is wrong?

A. User address allocation has been assigned an IP address bound and dynamically assigned IP
addresses from the address pool in two ways
B. L2TP user-assigned IP address can be any address
C. L2TP user-assigned IP address and the address of the network to be accessed in the same
network segment
D. Address assignment plan well in advance to avoid address conflicts exist

Answer: B

QUESTION NO: 111

Which of the following statements is correct?

A. Ability to International Organization for Standardization definition of "security" is a way to identify and mitigate insecurity
B. Security is to find a balance between confidentiality and integrity
C. A high level of security technologies and policies can make the device or network without any
risk
D. Information security is a subset of network security is a comprehensive and continuous
technology

Answer: A

QUESTION NO: 112

About L2TP VPN configuration statement is correct: (Choose three)

A. The LNS L2TP client must configure the IP address of the virtual interface template,and the
virtual interface template need to join the security domain
B. Firewall policies in order to ensure the normal dial-up users log on,you must configure the
firewall to receive L2TP tunnel packets security zone where the physical interface between the
regions and the Local
C. Dial-up users need access to internal network resources, you must configure the firewall policy
template region corresponding virtual interface and internal security network located between
areas where security
D. If a virtual template interface is added to a safe area,you can directly delete the security zone.

Answer: A,B,C

QUESTION NO: 113

A user logging in to a device via Telnet has forgotten the password and fails login authentication several times, so the account is frozen for several minutes. Which technology is at work?

A. ACL
B. Attack prevention
C. Blacklist
D. Account frozen

Answer: C

QUESTION NO: 114

GRE’s features include: (Choose three)

A. Simple mechanism
B. Low CPU load on the devices at both ends of the tunnel
C. Encrypt data
D. Does not provide traffic control and QoS.

Answer: A,B,D

QUESTION NO: 115

When configuring an L2TP group, which of the following commands indicates that l2tp-group 1 is the default L2TP group?

A. allow l2tp virtual-template 1 remote Client01
B. allow l2tp virtual-template 1 remote default
C. allow l2tp virtual-template 1
D. allow l2tp virtual-template 1 default

Answer: C

QUESTION NO: 116

The TSM system supports strong linkage with antivirus software such as Duba Online version 5.0, Jiangmin KV2010 and Rising Online.

A. True
B. False

Answer: B

QUESTION NO: 117

Which of the following statements about TSM domains is not correct?

A. The pre-authentication domain is the area that the client can access before authentication
B. The post-authentication domain is the area that the client can access after passing security authentication
C. The isolated domain is the area that the client must access in order to authenticate
D. The isolated domain is the area that the client needs to access when security authentication fails

Answer: C

QUESTION NO: 118

Which of the following access control methods does TSM support? (Choose three)

A. Hardware SACG (Hardware Security Access Control Gateway)
B. 802.1X
C. Software SACG (host firewall)
D. ARP control

Answer: A,B,C

QUESTION NO: 119

The eLog log management system uses a B/S architecture, supports centralized and distributed deployment and diverse log collection modes, and provides the industry's most extensive device support.

A. True
B. False

Answer: A

QUESTION NO: 120

A proxy firewall works at the transport layer of the network; in essence, the proxy firewall takes over the direct traffic between internal and external network users.

A. True
B. False

Answer: B

QUESTION NO: 121

Which of the following statements about the different types of firewalls are correct? (Choose three)

A. A packet filtering firewall checks every packet passing through the firewall against the ACL
B. A stateful inspection firewall performs ACL checks only on first packets that do not hit a session
C. A stateful inspection firewall needs ACLs configured for both the "go" and "back" directions of packets
D. In essence, a proxy firewall takes over the direct traffic between internal and external network users

Answer: A,B,D

QUESTION NO: 122

What is the priority of the DMZ zone?

A. 5
B. 50
C. 85
D. 100

Answer: B

QUESTION NO: 123

Which of the following are symmetric encryption algorithms? (Choose two)

A. DES
B. 3DES
C. SHA-1
D. MD5

Answer: A,B

QUESTION NO: 124

The SVN can be configured so that users can access only the remote enterprise network and cannot access the Internet or the local area network.

A. True
B. False

Answer: A

QUESTION NO: 125

Which of the following are elements of encryption technology? (Choose three)

A. Tunneling algorithm
B. Key
C. Ciphertext
D. Encryption Algorithm

Answer: B,C,D

QUESTION NO: 126

Which of the following descriptions of VLAN tag processing is wrong?

A. When a trunk port receives a frame: if the frame does not contain an 802.1Q tag header, it is tagged with the port's PVID; if the frame contains an 802.1Q tag header, it is left unchanged.
B. When a trunk port sends a frame: if the frame's VLAN ID differs from the port's PVID, the frame is discarded; if the frame's VLAN ID is the same as the port's PVID, the frame is passed through.
C. When an access port receives a frame: if the frame does not contain an 802.1Q tag header, it is tagged with the port's PVID; if the frame contains an 802.1Q tag header, the switch discards it directly without processing.
D. When an access port sends a frame, it strips the 802.1Q tag header and sends an ordinary Ethernet frame.

Answer: B

QUESTION NO: 127

Which statements about domain NAT are correct? (Note: the internal network IP addresses are private addresses, and the IP address at the network boundary is a public address) (Choose two)

A. First NAT within the user's source IP address of the request packet into the network server IP
address
B. Will request packets based on source and destination IP address conversion
C. The request packet destination IP address into the IP address of the network server
D. After the data within the network server will receive a packet processing, packet destination IP
address back to convert that into a public IP address(the IP address of the network boundary)

Answer: B,C

QUESTION NO: 128

What is the number range of hardware packet filtering ACLs?

A. 2000-2999
B. 3000-3999
C. 4000-4999
D. 9000-9499

Answer: D

QUESTION NO: 129

A proxy firewall checks requests from users. After a request passes the security policy check, the firewall establishes a connection to the real server on behalf of the external user, forwards the external user's request, and returns the real server's response to the external user.

A. True
B. False

Answer: A

QUESTION NO: 130

GRE VPN itself cannot provide data integrity verification or confidentiality for transmitted data.

A. True
B. False

Answer: A

QUESTION NO: 131

If the IKE negotiation mode is main mode, the ID type can only be configured as an IP address. If the negotiation mode is aggressive mode, the ID type can only be configured as a name.

A. True
B. False

Answer: B

QUESTION NO: 132

For NAT configured in the outbound direction with the no-pat parameter, which of the following descriptions are wrong? (Choose three)

A. Only source IP address translation is performed
B. Only destination IP address translation is performed
C. Source IP address and source port translation are performed
D. Destination IP address and destination port translation are performed

Answer: B,C,D

QUESTION NO: 133

VPN tunneling technology uses data encryption algorithms (such as DES and 3DES) to ensure that data transmitted in the network will not be intercepted.

A. True
B. False

Answer: B

QUESTION NO: 134

Which of the following does not belong to the IP packet 5-tuple?

A. Source IP address
B. Destination MAC address
C. Protocol number
D. Source port

Answer: B

QUESTION NO: 135

The firewall supports three main VPDN VPNs, namely L2TP, PPTP and IPSec.

A. True
B. False

Answer: B

QUESTION NO: 136

The SVN3000 port proxy function is mainly used for C/S and other applications that cannot be accessed using web technology.

A. True
B. False

Answer: A

QUESTION NO: 137

To ensure that remote L2TP dial-up users can access the corporate network normally, the IP address assigned to the user must not be on the same network segment as the enterprise network services and resources to be accessed (without considering ARP proxy technology).

A. True
B. False

Answer: A

QUESTION NO: 138

When a trunk port is configured to allow certain VLANs through, the trunk port belongs to these VLANs.

A. True
B. False

Answer: A

QUESTION NO: 139

In some scenarios, both the source IP address and the destination IP address need to be translated; this is called bidirectional NAT.

A. True
B. False

Answer: A

QUESTION NO: 140

In IPSec tunnel mode, which field does ESP validate?

A. Original IP packet header
B. The new IP packet header
C. TCP packet header
D. Application layer data

Answer: A

QUESTION NO: 141

Which of the following technologies does the SVN3000 network extension feature use to control access to service resources?

A. Static Routing
B. Dynamic Routing
C. ACL
D. Policy Routing

Answer: A

QUESTION NO: 142

Which of the following types of SVN3000 virtual gateway can only be accessed using a domain name?

A. Exclusive type
B. Share -based
C. Fixed
D. Manual type

Answer: B

QUESTION NO: 143

By which of the following means does the LAC establish the L2TP VPN tunnel? (Choose two)

A. User Account
B. Domain name
C. ACL
D. Routing Table

Answer: A,B

QUESTION NO: 144

When configuring a time range for an ACL, you bind it by specifying a time range name. Multiple time periods can be configured under the same time range name; these time periods have a ( ) relationship.

A. "Or"
B. "And"
C. "XOR"
D. "With or"

Answer: A

QUESTION NO: 145

Which of the following does the server-map table use?

A. Quintuple
B. Quad
C. Triples
D. Tuple

Answer: C

QUESTION NO: 146

To allow mobile users on business trips to access the file server within the enterprise, which of the following SSL VPN functions is the best choice?

A. Web Proxy
B. File Sharing
C. Port Forwarding
D. Network extension

Answer: B

QUESTION NO: 147

Which of the following protocols can L2TP carry as payload data?

A. IP
B. IPX
C. NetBEUI
D. More support

Answer: D

QUESTION NO: 148

A client wants to access FTP server services between the firewall's trust and untrust zones. Access to TCP port 21 on the server has been permitted, but the client can only log in to the server and cannot download files. Which of the following solutions are possible? (Choose three)

A. Change the default access policy between the trust and untrust zones to permit in both directions
B. When FTP works in port mode, change the default access policy in the inbound direction between the trust and untrust zones to permit
C. Enable detect ftp between the trust and untrust zones
D. When FTP works in passive mode, change the default access policy in the inbound direction between the trust and untrust zones to permit

Answer: A,B,C

QUESTION NO: 149

To support dynamic routing protocols, the IP addresses of the Tunnel interfaces at both ends must be configured in the same network segment.

A. True
B. False

Answer: A

QUESTION NO: 150

What are the main features of the Secospace DSM product? (Choose three)

A. Encrypted document management
B. Recording employees' document operations and providing audit logs
C. Controlling employee access to documents
D. Document archive management, to prevent loss of documents

Answer: A,B,C

QUESTION NO: 151

NAT features supported by the USG (Eudemon) firewall include: (Choose three)

A. NAT outbound
B. NAT server
C. NAT Traversal
D. NAT Inbound

Answer: A,B,D

QUESTION NO: 152

On a stateful inspection firewall, forwarding of subsequent packets (non-first packets) is mainly based on which of the following?

A. route table
B. MAC address
C. session table
D. FIB table

Answer: C

QUESTION NO: 153

Which port numbers may be used by the FTP protocol? (Choose two)

A. 23
B. 21
C. 20
D. 25

Answer: B,C

QUESTION NO: 154

With the SVN3000 network extension feature, remote users need to access the corporate network and the local area network but not the Internet. Which routing mode must the client use?

A. Full-channel mode (Full Tunnel)
B. Separation channel mode (Split Tunnel)
C. Routing (route Tunnel)
D. Manually (Manual Tunnel)

Answer: B

QUESTION NO: 155

Which of the following technologies does GRE not support? (Choose two)

A. Tunneling
B. Encryption and decryption technology
C. Key management technology
D. End checksum

Answer: B,C

QUESTION NO: 156

Which statements about the tunnel name command are correct? (Choose two)

A. Is used to specify the name of the end of the tunnel
B. Is used to specify the name of the end of the tunnel
C. Must be consistent on the side of the tunnel name configured
D. If you do not configure the tunnel name, the tunnel name is the name of the local system

Answer: A,D

QUESTION NO: 157

Which command is used to view NAT sessions?

A. display nat translation
B. display firewall session table
C. display current nat
D. display firewall nat translation

Answer: B

QUESTION NO: 158

When you configure the security level of a firewall security zone, the principles to be followed are: (Choose three)

A. For a newly created security zone, before its security level is set, the system specifies its security level as 100
B. The security level can be set for custom security zones
C. Once set, the security level cannot be changed
D. In the same system, two security zones cannot be configured with the same security level

Answer: B,C,D

QUESTION NO: 159

As a general-purpose Layer 2 VPN technology, L2TP supports packet encryption.

A. True
B. False

Answer: B

QUESTION NO: 160

Bidirectional NAT usage scenarios include: (Choose two)

A. NAT Outbound and NAT Inbound used together
B. NAT Outbound and NAT Server used together
C. NAT Inbound and NAT Server used together
D. Domain NAT and NAT Server used together

Answer: C,D

QUESTION NO: 161

Which elements make up the SSL protocol? (Choose three)

A. Handshake protocol
B. Record protocol
C. Alert protocol
D. Heartbeat protocol

Answer: A,B,C

QUESTION NO: 162

GRE VPN technology itself can provide which of the following techniques?

A. Tunneling
B. Encryption and decryption technology
C. Flow control and QoS
D. Key Management

Answer: A

QUESTION NO: 163

In L2TP technology, the LAC client encapsulates packets using the _____ protocol with port number _____.

A. TCP 51
B. UDP 51
C. UDP 1701
D. TCP 1701

Answer: C

QUESTION NO: 164

For specific TCP and UDP data streams, you can configure a long connection with an extended aging time to ensure that the session information is not aged out for a long time.

A. True
B. False

Answer: B

QUESTION NO: 165

When configuring IPSec VPN, which statements about the sa duration command are correct? (Choose two)

A. Is used to configure the SA lifetime
B. The lifetime can be configured based on traffic volume or based on time
C. After configuring the life cycle, and for the use of ike sa created manually take effect
D. For IKE sa way to build both ends, the configuration must be consistent sa lifetime

Answer: A,B

QUESTION NO: 166

You cannot add any interface to the firewall's Local security zone; the firewall's interfaces themselves belong to the Local security zone.

A. True
B. False

Answer: A

QUESTION NO: 167

An inverse mask (wildcard mask) is needed when configuring ACLs. Select the statement about the inverse mask that is true.

A. A bit of 0 in the inverse mask means that the corresponding bit of the network address must be compared and matched
B. A bit of 1 in the inverse mask means that the corresponding bit of the network address must be compared and matched
C. The inverse mask cannot be all 0s
D. The inverse mask cannot be all 1s

Answer: A

QUESTION NO: 168

In an application scenario with three components (VPN client, LAC and LNS), between which of the following components is the L2TP tunnel used? (Choose two)

A. Between the VPN Client and LAC
B. Between the VPN Client and LNS
C. Between LAC and LNS
D. All other options are correct

Answer: B,C

QUESTION NO: 169

Which of the following descriptions of MAC address-based ACLs is correct?

A. Can filter only by source MAC address
B. Can filter only by source MAC address and destination MAC address
C. Can filter only by data link layer protocol type, source MAC address and destination MAC address
D. Can filter only by network layer protocol type, source MAC address and destination MAC address

Answer: C

QUESTION NO: 170

VPDN tunneling protocols include: (Choose three)

A. L2TP
B. GRE
C. PPTP
D. L2F

Answer: A,C,D

QUESTION NO: 171

Which of the following configuration commands is not consistent with the actual scenario or technical implementation?

A. ah authentication-algorithm md5
B. ah encryption-algorithm des
C. esp authentication-algorithm md5
D. esp encryption-algorithm des

Answer: B

QUESTION NO: 172

In IPSec transport mode, which part of the data packet can be protected by encryption?

A. The network layer and the upper layer packets
B. Original IP packet header
C. The new IP packet header
D. Transport layer and upper layer packets

Answer: D

QUESTION NO: 173

With ESP in tunnel mode, which of the following parts is transmitted in plaintext?

A. The new IP packet header
B. Original IP packet header
C. Transport layer header
D. Application layer packet header

Answer: A

QUESTION NO: 174

In interzone packet filtering, the inbound direction on the firewall refers to data flowing from a high-security zone to a low-security zone.

A. True
B. False

Answer: B

QUESTION NO: 175

Which of the following scenarios does the IPSec web configuration wizard not support?

A. Gateway to Gateway
B. Gateway Center
C. Branch Gateway
D. Host and Host

Answer: D

QUESTION NO: 176

Which of the following addresses can be used as the web management address of the SVN? (Choose three)

A. Interface address
B. Sub-interface address
C. Sub-IP address of the interface
D. Loopback address

Answer: A,B,C

QUESTION NO: 177

After a firewall interface is added to a security zone, the interface no longer belongs to the Local zone.

A. True
B. False

Answer: B

QUESTION NO: 178

Which statement about firewall security zones is correct?

A. Different firewall security zones can have the same priority
B. One firewall interface can belong to different security zones
C. Different interfaces of the firewall may belong to the same security zone
D. Built-in firewall security zones can be deleted

Answer: C

QUESTION NO: 179

Which of the following IPSec security protocol provides encryption?

A. AH
B. ESP
C. SA
D. IKE

Answer: B

QUESTION NO: 180

Before configuring the basic Web proxy functions on the SVN3000, which of the following data do you need? (Choose two)

A. Name of Web resources
B. URL address of the Web resources
C. Account Information Web Resources
D. All other options are not right

Answer: A,B

QUESTION NO: 181

A man-in-the-middle attack has the characteristics of both passive and active attacks.

A. True
B. False

Answer: A

QUESTION NO: 182

Proxy firewalls require a proxy to be developed for each application-layer protocol, so the development cycle is long and upgrades are difficult.

A. True
B. False

Answer: A

QUESTION NO: 183

In GRE VPN technology, the GRE packet header belongs to the transport protocol.

A. True
B. False

Answer: B

QUESTION NO: 184

In a GRE configuration environment, which of the following configurations ensures that interzone data streams are forwarded correctly without the need to configure rules?

A. The Tunnel interface and the physical interface that carries it belong to different security zones
B. The Tunnel interface and the physical interface that carries it belong to the same security zone
C. The physical interface belongs to the Untrust zone and the Tunnel interface it carries belongs to the Local zone
D. All other options are correct

Answer: B

QUESTION NO: 185

Which description of GRE encapsulation and decapsulation is wrong?

A. Encapsulation: after a route lookup, the original packet is passed to the Tunnel interface, which triggers the GRE module to start encapsulation
B. Encapsulation: after the GRE module encapsulates the packet, the packet enters the IP module for further processing
C. Decapsulation: after the destination receives the GRE packet, a route lookup passes the packet to the Tunnel interface, which triggers the GRE module to start decapsulation
D. Decapsulation: after the GRE module decapsulates the packet, the packet enters the IP module for further processing

Answer: C

QUESTION NO: 186

When a host receives an ARP response packet, it does not verify whether it sent the corresponding ARP request; it directly replaces the entry in its ARP cache table with the MAC-to-IP mapping from the response.

A. True
B. False

Answer: A

QUESTION NO: 187

Which of the following are IKE negotiation modes? (Choose two)

A. Main Mode
B. Aggressive Mode
C. Quick Mode
D. Transfer Mode

Answer: A,B

QUESTION NO: 188

Among VRP command levels on USG (Eudemon) series firewalls, which is the highest level of authority?

A. Visit level
B. Monitoring level
C. Configuration level
D. Management level

Answer: D

QUESTION NO: 189

Given the following display ike sa output, which statements are correct? (Choose two)

current ike sa number: 1

connection-id peer vpn flag phase doi

0x1f1 2.2.2.1 0 RD | ST v1: 1 IPSEC 0x60436dc4

flag meaning

RD - READY ST - STAYALIVE RL - REPLACED FD - FADING TO - TIMEOUT

A. The first phase has been successfully established ike sa
B. The second phase has been successfully established ipsec sa
C. ike using version V1
D. ike using version V2

Answer: A,C

QUESTION NO: 190

Countering active attacks focuses on prevention rather than detection; encryption technology is generally used against such attacks to protect the confidentiality of information.

A. True
B. False

Answer: B

QUESTION NO: 191

Like a DDN leased line, VPN tunneling technology achieves link security by building a physical channel.

A. True
B. False

Answer: B

QUESTION NO: 192

The main scope of NAT host visits in the same security domain, you need to convert the IP
address of the target host via NAT outbound command.

A. True
B. False

Answer: B

QUESTION NO: 193

In GRE VPN applications, adding the physical network interface and the Tunnel interface to the same security zone reduces the interzone packet filtering policy configuration.

A. True
B. False

Answer: A

QUESTION NO: 194

In WLAN configuration, if the authentication type is set to open system authentication, all clients that request authentication will pass authentication.

A. True
B. False

Answer: A

QUESTION NO: 195

A stateful inspection firewall uses a session table to track active TCP and UDP sessions. The access control list decides which sessions may be established, and a packet is forwarded only when it is associated with a session.

A. True
B. False

Answer: A

QUESTION NO: 196

Which of the following statements about the local-address command are correct? (Choose three)

A. In hot standby networking, local-address must be set to the virtual IP address
B. Interface Application IPSec policy if configured with multiple IP addresses (IP address or if the primary sub-interface), multiple equal-cost routes, and use of virtual interface templates may be looking in the wrong address, you need to configure the local-address is the actual the IP address of the IKE negotiation
C. local-address should be consistent with the remote-address specified on the peer
D. The other three options are wrong

Answer: A,B,C

QUESTION NO: 197

Which of the following means does authentication technology use to verify the legitimacy of a user's identity? (Choose two)

A. Username Password
B. USB KEY
C. Cryptographic algorithms
D. Private key information to identify

Answer: A,B

QUESTION NO: 198

Which of the following devices cannot be controlled by the TSM system's "Computer Peripherals Monitor" policy?

A. Bluetooth devices
B. U disk
C. Infrared equipment
D. Floppy

Answer: B

QUESTION NO: 199

When configuring firewall packet filtering ACL rules, if the 192.168.0.0/24 network is to be the match object of an ACL rule and the match action is deny, which of the following configurations is correct?

A. rule 0 deny source 192.168.0.0 255.255.255.0
B. rule 2 deny source 192.168.0.0 0.0.0.255
C. rule 3 deny source 192.168.0.0 24
D. rule 4 deny source 192.168.0.0 0.0.255.255

Answer: B

QUESTION NO: 200

Which statement about NAT is correct?

A. NAT will do within the packet source address
B. NAT is compatible with all current IPSec security protocols
C. Because the FTP protocol is a multi-channel protocol, it does not support NAT
D. NAT supports translation at TCP/IP layers two, three and four

Answer: A

QUESTION NO: 201

The firewall's built-in security zones cannot be deleted, but their security level can be modified.

A. True
B. False

Answer: B

QUESTION NO: 202

On which interface is the command pppoe-server bind virtual-template 1 applied?

A. LAC's internal network port
B. LAC's external network
C. LNS's internal network port
D. LNS's external network port

Answer: A

QUESTION NO: 203

What is the default ACL match type on USG2000 (Eudemon 200E) series firewalls?

A. auto
B. config
C. predefine
D. custom

Answer: B

QUESTION NO: 204

The main function of the Security Access Control Gateway (SACG) is to control terminals' network access, granting different permissions according to the user and the security status.

A. True
B. False

Answer: A

QUESTION NO: 205

Which of the following are components of the 5-tuple? (Choose three)

A. Source IP address
B. Destination IP address
C. Protocol number
D. Source MAC Address

Answer: A,B,C

QUESTION NO: 206

Which of the following exchange modes belongs to IKE phase 2?

A. Main Mode
B. Aggressive Mode
C. Quick Mode
D. Passive Mode

Answer: C

QUESTION NO: 207

Which of the following is the best way to solve service interruption for some applications (for example, an Oracle database application whose connection is interrupted because no data flows for an extended period)?

A. Configure a long connection for the service
B. Configure the default session aging time
C. Optimize the packet filtering rules
D. Enable the fragment cache

Answer: A

QUESTION NO: 208

A security association (SA) is bidirectional; one SA can protect data streams in both directions.

A. True
B. False

Answer: B

QUESTION NO: 209

A firewall is the access control point between networks; all data flows entering and leaving the protected network should pass through the firewall first, which forms a gateway for information.

A. True
B. False

Answer: A

QUESTION NO: 210

Given the following display ike proposal output, which statements are correct? (Choose two)

priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
---------------------------------------------------------------------------
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400

A. The authentication algorithm is SHA
B. The encryption algorithm is DES
C. The DH group is group2
D. Aggressive mode is used

Answer: A,B

QUESTION NO: 211

The main L2TP configuration of a USG (Eudemon) firewall is as follows:

[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote client1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password simple Password123

Which statement about the above configuration is correct?

A. l2tp-group 1 is the default L2TP group; clients with any remote name can connect
B. The L2TP tunnel can be established only when the tunnel name of the remote device or client is LNS
C. The L2TP authentication and encryption features are enabled
D. Only a user whose remote name is client1 can establish the L2TP connection

Answer: D

QUESTION NO: 212

After SVN3000 network extension is configured in full-channel mode (Full Tunnel), network users can access Internet resources.

A. True
B. False

Answer: B

QUESTION NO: 213

What is the meaning of the following access control list?

[USG (or Eudemon)] acl number 3100
[USG (or Eudemon)-acl-3100] rule deny icmp source 10.1.10.10 0.0.255.255 destination any icmp-type host-unreachable

A. The serial number is 3100 rule prohibited to 10.1.10.10 host unreachable packets to all hosts
B. The serial number is 3100 rule prohibiting all 10.1.0.0/16 that host unreachable packets
C. The serial number is 3100 rule prohibited from 10.1.0.0/16 to all hosts on the network unreachable packets
D. Rules of the serial number is 3100, banned from all hosts 10.1.10.10 host unreachable packets

Answer: C

QUESTION NO: 214

By default, IKE on USG (Eudemon) series firewalls uses DH group2.

A. True
B. False

Answer: B

QUESTION NO: 215

Which statements about trunk ports are correct? (Choose two)

A. When a trunk port receives a tagged data frame, if the tag differs from the PVID, the frame is forwarded directly
B. When a trunk port receives a tagged data frame, if the tag differs from the PVID, the frame is discarded
C. When a trunk port receives a tagged data frame, if the tag is the same as the PVID, the frame is forwarded directly
D. When a trunk port receives a tagged data frame, if the tag is the same as the PVID, the tag is removed and the frame is forwarded

Answer: A,D

QUESTION NO: 216

Which of the following is not a proxy firewall features:

A. Safe
B. Processing speed
C. Application layer security
D. Easy to upgrade

Answer: D

QUESTION NO: 217

In an asymmetric encryption algorithm, the encryption key and the decryption key are not the same.

A. True
B. False

Answer: A

QUESTION NO: 218

Which statements about the fragment cache function on the firewall are correct? (Choose two)

A. After direct forwarding of fragmented packets is configured, the firewall does not cache
fragmented packets
B. After direct forwarding of fragmented packets is configured, fragments that are not the first
fragment are forwarded by the firewall in accordance with the inter-domain packet filtering
policy.
C. Fragmented packets create session table entries, and the session table is looked up when forwarding
D. Non-first fragments of fragmented packets carry no port number, so the direct forwarding
function for fragmented packets generally cannot be used in a NAT environment

Answer: A,D

QUESTION NO: 219

Which of the following are Huawei security software products? (Choose three)

A. TSM
B. DSM
C. eLog
D. SVN3000

Answer: A,B,C

QUESTION NO: 220

In address-group {number | name} no-pat, what does the no-pat parameter mean?

A. Do address translation
B. The port multiplexing
C. Do not convert the source port
D. Do not convert the destination port

Answer: C

QUESTION NO: 221

For which of the following user systems can information such as the user account or password
be modified directly on the SVN3000 system?

A. VPNDB Users
B. LDAP user
C. Radius Users
D. All user systems

Answer: A

QUESTION NO: 222

When a switch (with no VLAN configured) receives a data frame and finds no match in the MAC
address table, it forwards the data frame to all ports (including the switch's receiving port).

A. True
B. False

Answer: B

QUESTION NO: 223

SVN3000 port forwarding controls access to network resources by port for which kind of
applications?

A. TCP
B. UDP
C. TCP or UDP
D. SPX

Answer: A

QUESTION NO: 224

A GRE VPN tunnel interface (Tunnel Interface) that borrows the IP address of another interface as
its IP address can have a dynamic routing protocol enabled on it.

A. True
B. False

Answer: B

QUESTION NO: 225

Which of the following types of file sharing does SVN support? (Choose two)

A. SMB
B. Windows
C. NFS
D. Linux

Answer: A,C

QUESTION NO: 226

After the USB write encryption policy is enabled, files that end users copy to a USB disk are
encrypted; only enterprise users with the TSM terminal security agent installed can use
these encrypted files, and encrypted files copied from the USB disk to the local hard disk are
automatically decrypted.

A. True
B. False

Answer: A

QUESTION NO: 227

The first and second phases of the IKE exchange comprise ()? (Choose three)

A. Fast mode
B. Aggressive Mode
C. Transfer mode
D. Master Mode

Answer: A,B,D

QUESTION NO: 228

In which ESP packet encapsulation mode can confidentiality of the original IP header be
achieved?

A. Transfer mode
B. Tunnel Mode
C. Transfer Mode + tunnel mode
D. Encryption mode

Answer: B

QUESTION NO: 229

Packet filtering firewall interfaces, inbound high priority area is the access interface from
low-priority areas in the interface.

A. True
B. False

Answer: B

QUESTION NO: 230

For the firewall access control process: 1. routing table lookup, 2. find interzone packet
filtering rules, 3. session table lookup, 4. find the blacklist. What is the correct order?

A. 1-3-2-4
B. 3-2-1-4
C. 3-4-1-2
D. 4-3-1-2

Answer: D

QUESTION NO: 231

Which of the following IP address allocation methods does SVN provide? (Choose three)

A. DHCP allocation
B. IP address pool (randomly assigned)
C. IP address pool (user account with an IP address binding)
D. Virtual IP address allocation

Answer: A,B,C

QUESTION NO: 232

Which of the following functions is not supported by the SVN3000?

A. WEB push
B. Port Forwarding
C. File Sharing
D. Network expansion

Answer: A

QUESTION NO: 233

In the IKE Peer view, if exchange-mode main is configured, which of the following configurations
cannot take effect?

A. remote-address 202.101.0.1
B. remote-address 202.101.0.1 202.101.0.5
C. remote-name chengdu
D. All other options are

Answer: C

QUESTION NO: 234

In the configuration [LAC-l2tp1] start l2tp ip 3.3.2.1 full username pc1, what does pc1 mean?

A. The tunnel name of the local end
B. The tunnel name of the peer end
C. The account name with which the local end initiates authentication
D. The account name with which the peer initiates authentication

Answer: C

QUESTION NO: 235

The IKE protocol is built on the framework defined by the Internet Security Association and Key
Management Protocol (ISAKMP). It provides automatic key negotiation and exchange for IPSec and
establishes security associations, in order to simplify the use and management of IPSec.

A. True
B. False

Answer: A

QUESTION NO: 236

Routing protocols supported by SVN include: (Choose three)

A. Static Routing
B. RIP
C. OSPF
D. BGP

Answer: A,B,C

QUESTION NO: 237

In the GRE configuration environment, which of the following statements are true? (Choose three)

A. To let both ends of the tunnel forward data packets, routes through the Tunnel interface
are configured on the two devices.
B. If keyword verification is enabled on both ends, the configured keywords should be the same
C. When the local device sends data packets, it identifies GRE by the IP protocol field value to
decide whether to submit the packet to the GRE protocol packet processing module
D. When a data packet is received by the client device, it identifies GRE by the IP protocol field
value to determine whether the data is submitted to the GRE protocol packet processing module

Answer: A,B,D

QUESTION NO: 238

By default the SVN3000 supports only a few virtual gateways; to increase the number of virtual
gateways, a License must be purchased.

A. True
B. False

Answer: A

QUESTION NO: 239

Which statement about the firewall's inter-domain packet filtering Policy is correct?

A. Interzone packet filtering policies are matched in order of arrangement, with earlier
policies matched first
B. Interzone packet filtering policies are matched by ID number, with smaller
numbers matched first
C. Interzone packet filtering policies are matched by ID number, with larger
numbers matched first
D. Interzone packet filtering policies are automatically arranged by serial
number, and the order changes when the numbers are changed.

Answer: A

QUESTION NO: 240

In the command allow l2tp virtual-template virtual-template-number [remote remote-name], when the
l2tp group is 1:00, you must specify the remote-name parameter

A. True
B. False

Answer: B

QUESTION NO: 241

In the configuration [LNS-l2tp10] allow l2tp virtual-template 1 remote client1, what does client1 mean?

A. The tunnel name of the local end
B. The tunnel name of the peer end
C. The account name with which the local end initiates authentication
D. The account name with which the peer initiates authentication

Answer: B

QUESTION NO: 242

Which of the following functions does the TSM system's "illegal outreach" strategy have? (Choose
two)

A. Allows connection to external networks through the legal route
B. Prohibit access to the Internet
C. Prohibit access to corporate resources critical business systems
D. Prohibit terminal visits

Answer: A,B

QUESTION NO: 243

The TSM system mainly consists of which of the following components? (Choose three)

A. SM management server
B. SC control server
C. Admission Control
D. Anti-virus server

Answer: A,B,C

QUESTION NO: 244

In the SVN3000 configuration, if the Web interface is bound to an IP address and a port
other than 443, then when entering the IP address to log in to the Web interface you must add
":port" after the IP address, such as "https://xxxx:port"; otherwise you cannot log in to the Web
interface.

A. True
B. False

Answer: A

QUESTION NO: 245

SVN TCP port forwarding applications include three static port types: single-port single-server,
single-port multi-server, and multi-port multi-server. Which of the following is single-port single-server?

A. Outlook
B. FTP
C. Lotus Notes
D. Http

Answer: D

QUESTION NO: 246

Which of the following business functions SSL VPN will be used to control? (Choose two)

A. Web Proxy
B. File Sharing
C. Port Forwarding
D. Network expansion

Answer: C,D

QUESTION NO: 247

How do you view the number of ACL matches? ()

A. display current-configuration
B. display ACL all
C. display startup saved-configuration
D. display device

Answer: B

QUESTION NO: 248

For L2TP VPN, which statements about L2TP tunnels and sessions are correct: (Choose two)

A. Multiple L2TP tunnels can be created between the same pair of LAC and LNS; a tunnel consists of
a control connection and at least one session (Session)
B. Tunnel multiplexed on the session connection for the session, said carrying PPP tunnel
connecting each
C. A session connection must be established after the tunnel is successfully established
D. L2TP tunnel control message transmission, data message transmission in the session

Answer: A,C

QUESTION NO: 249

In the TCP three-way handshake, for packet SYN (seq = b, ack = a +1), which of the following
statements is correct?

A. Confirmation of the number of data packets is b
B. A +1 on the number of packets that are recognized
C. A desired number of the next data packet received is b
D. A desired number of the received packet is a +1

Answer: D

QUESTION NO: 250

As a generic VPN encapsulation protocol, GRE VPN can encapsulate all L3 packets in the VPN,
including multicast packets.

A. True
B. False

Answer: A

QUESTION NO: 251

What are the Web proxy implementation methods? (Choose two)

A. Web-link
B. Web rewritten
C. Web Forwarding
D. Web pass-through

Answer: A,B

QUESTION NO: 252

Which of the following authentication methods does the TSM system support? (Choose three)

A. User Name Password Authentication
B. MAC address authentication
C. Fingerprint Authentication
D. LDAP Authentication

Answer: A,B,D

QUESTION NO: 253

On which of the following interfaces does GRE encapsulation work (the interface at which the
protected data stream arrives)?

A. interface tunnel 1
B. interface Ethernet 0/0 (within the network)
C. interface Ethernet 0/0 (external network)
D. interface loopback 1

Answer: A

QUESTION NO: 254

Connection as illustrated: PC1 ----- SW1 ------------ SW2 ----- PC2; both SW1 ports are defined as
VLAN 1 access ports and both SW2 ports are defined as VLAN 2 access ports (PC1 and PC2 are in
the same subnet). Which of the following descriptions is correct?

A. Because all ports are access ports, which in fact do not pass VLAN tag information, PC1 can
access PC2.
B. Because the VLANs on SW1 and SW2 are different, the two PCs cannot communicate.
C. If the ports connecting the two switches are set to trunk ports, the two PCs can communicate.
D. Because the default PVID of a switch port is VLAN 1, the PCs can access each other.

Answer: A

QUESTION NO: 255

When the TSM system enables the "Monitoring DHCP settings" strategy, end users are forced to use
only DHCP to obtain an IP address automatically.

A. True
B. False

Answer: A

QUESTION NO: 256

Which statements about precautions for L2TP VPN configuration are correct: (Choose three)

A. On the LNS, a virtual interface template (Virtual-Template) with an IP address must be
configured for L2TP clients, and the virtual interface template needs to join the domain
B. By default the firewall requires authentication of the tunnel. If you do not configure
authentication, you need to run the undo tunnel authentication command
C. To enable L2TP dial-up users can normally access the network address, the address assigned
to L2TP users can dial up the network and the user's address on the same network segment or
need to enable proxy ARP
D. LNS side is not allowed to configure multiple L2TP-Group

Answer: A,B,C

QUESTION NO: 257

Which of the following security zones can be conditionally deleted?

A. Regional Security
B. trust region
C. untrust area
D. dmz area

Answer: A

QUESTION NO: 258

A stateful inspection firewall can inspect the TCP protocol but cannot inspect UDP, since UDP is a
connectionless protocol.

A. True
B. False

Answer: B

QUESTION NO: 259

For which of the following algorithms are the encryption key and the decryption key the same?

A. DES
B. RSA (1024)
C. MD5
D. SHA-1

Answer: A

QUESTION NO: 260

When you configure NAT through the web for the inbound direction between the trust and untrust
zones, you need to select the trust zone first and the untrust zone second as the security
domains.

A. True
B. False

Answer: B

QUESTION NO: 261

What problem does IPSec IKE aggressive mode mainly solve?

A. Solve the problem of slow negotiation at both ends of the tunnel
B. Resolve security issues in the negotiation process
C. Solve the NAT traversal problem
D. Solve the problem that the initiator's source address is uncertain and a pre-shared key
cannot be chosen

Answer: D

QUESTION NO: 262

Which of the following algorithms is not an IPSec encryption algorithm?

A. DES
B. SHA1
C. 3DES
D. AES

Answer: B

QUESTION NO: 263

In order to ensure the confidentiality of information, the encryption algorithm needs to be kept
confidential:

A. True
B. False

Answer: B

QUESTION NO: 264

Which of the following are exchange modes of the first stage of IKE? (Choose two)

A. Master Mode
B. Aggressive Mode
C. Fast mode
D. Passive mode

Answer: A,B

QUESTION NO: 265

What is the purpose of the pre-shared key configured for IPSec IKE?

A. To serve as the key for encrypting messages
B. To serve as the key for decrypting packets
C. To serve as the key of the authentication algorithm
D. To serve as material for key exchange negotiation

Answer: D

QUESTION NO: 266

The main function of ALG is to ensure smooth communication for what kind of protocols?

A. All application layer protocols
B. All transport layer protocols
C. All network layer protocols
D. Multi-channel application layer protocols

Answer: D

QUESTION NO: 267

A GRE tunnel is established between USG2200 (Eudemon200E)-A and USG2200 (Eudemon200E)-B. The
following configuration does not affect GRE tunnel establishment (gre checksum is configured on
both ends). A-side configuration: gre key usg2200 (or Eudemon200E)-a; B-side configuration:
gre key usg2200 (or Eudemon200E)-b;

A. True
B. False

Answer: B

QUESTION NO: 268

A hybrid port allows frames of multiple VLANs to pass, and can strip the Tag from frames of
some VLANs in the inbound direction of the port.

A. True
B. False

Answer: B

QUESTION NO: 269

Which of the following techniques ensures that, after a key is compromised, the security of
other keys is not affected?

A. DH (Diffie-Hellman) key exchange and distribution
B. Perfect forward secrecy (Perfect Forward Secrecy)
C. Authentication
D. Identity Protection

Answer: B

QUESTION NO: 270

Which statements about Advanced ACLs are correct? (Choose two)

A. Advanced ACL can match the source IP address
B. Advanced ACL can match the destination IP address
C. Advanced ACL can match the source MAC address
D. Advanced ACL can match the destination MAC address

Answer: A,B

QUESTION NO: 271

For the NAT inbound direction, which of the following statements are correct: (Choose two)

A. Mainly used in internal hosts do not need to know the situation of a public network of
B. Is the source address of the external network user request packet,converted to network
addresses
C. Is a network user address into internet addresses
D. In order for the internal private network users can access internet address

Answer: A,B

QUESTION NO: 272

In the configuration [LAC-l2tp1] start l2tp ip 3.3.2.1 full username pc1, what does the ip address 3.3.1.1 mean?

A. This initiates an IP address
B. The end of the virtual template address
C. The LNS public address
D. Virtual template addresses the LNS

Answer: C

QUESTION NO: 273

In an L2TP scenario, which of the following components allocates the user's private
address?

A. LAC
B. LNS
C. VPN Client
D. User-configurable

Answer: B

QUESTION NO: 274

When using the detect regional command, if the application protocol uses a non-standard port, which
of the following techniques solves the problems brought by the non-standard port?

A. Port identification
B. MAC and IP address binding
C. Packet filtering
D. Long connection

Answer: A

QUESTION NO: 275

SVN3000 business functions include? (Choose three)

A. Web Proxy
B. Network expansion
C. Port Sharing
D. File Sharing

Answer: A,B,D

QUESTION NO: 276

In the TSM system supports access control devices, which of the following devices do not support
access control terminal visits functions?

A. Hardware SACG (Hardware Security Access Control Gateway)
B. 802.1X
C. Software SACG (host firewall)
D. ARP control

Answer: A

QUESTION NO: 277

In the Internet world, which of the following protocols can act as a transport protocol and can
also act as a passenger protocol:

A. IP
B. GRE
C. IPX
D. TCP

Answer: A

QUESTION NO: 278

Encryption refers to converting cipher text into a plaintext message to be transmitted in the network.

A. True
B. False

Answer: B

QUESTION NO: 279

The command to check whether the L2TP tunnel has been established is:

A. display l2tp tunnel
B. display lac tunnel
C. display lns tunnel
D. display tunnel

Answer: A

QUESTION NO: 280

IP-Link auto-detection results can only be applied to detect double hot backup.

A. True

B. False

Answer: B

QUESTION NO: 281

What are the common hashing algorithms? (Choose two)

A. DES
B. AES
C. MD5
D. SHA-1

Answer: C,D

QUESTION NO: 282

What are the main cryptographic services security capabilities? (Choose three)

A. Confidentiality
B. Integrity
C. Repudiation
D. Scalability

Answer: A,B,C

QUESTION NO: 283

Which statement is correct?

A. Latency refers to the interval between the first bit of a packet entering the firewall and the
first bit leaving the firewall; it is an ideal indicator for measuring the firewall's data processing speed
B. The maximum number of concurrent connections refers to the number of complete new TCP / UDP
connections that can be set up through the firewall per second
C. If the USG (Eudemon) firewall works in transparent mode, it is like placing a bridge (bridge) in
the network; the USG (Eudemon) firewall device can be connected without the need to
modify the original structure and configuration
D. When the USG (Eudemon) firewall uses routing mode, there are no ACL packet filtering, ASPF dynamic
filtering, or NAT conversion functions

Answer: C

QUESTION NO: 284

SSL is a security protocol that provides secure connections for TCP-based application layer
protocols; SSL sits between the fourth and fifth layers of the TCP / IP protocol stack. SSL
provides secure connections for the HTTP (Hypertext Transfer Protocol) protocol.

A. True
B. False

Answer: A

QUESTION NO: 285

VLAN port types include: (Choose three)

A. Access Port
B. Trunk ports
C. Hybrid port
D. Ethernet port

Answer: A,B,C

QUESTION NO: 286

In GRE VPN technology, which of the following is an encapsulation protocol?

A. GRE
B. IPX

Answer: A

QUESTION NO: 287

Which security zones does the Huawei firewall provide by default? () (Choose three)

A. local area
B. trust region
C. untrust area
D. Regional Security

Answer: A,B,C

QUESTION NO: 288

IPSEC configuration steps include: (Choose three)

A. Restart Firewall
B. Define the data flow and inter-domain protection rules
C. Configure IPSec security proposal
D. Configure IKE Peer

Answer: B,C,D

QUESTION NO: 289

For AH and ESP, which of the following statements are correct? (Choose three)

A. AH provides data integrity and encryption
B. In tunnel mode, AH must verify the new IP header, so AH IPSEC VPN cannot be applied where
NAT conversion occurs in the middle.
C. AH can provide all of the features of ESP except data encryption
D. In tunnel mode, ESP packets do not verify the new IP header.

Answer: B,C,D

QUESTION NO: 290

Based on the SSL3.0 protocol, the IETF launched TLS1.0, also known as SSL3.1.

A. True
B. False

Answer: A

QUESTION NO: 291

Which of the following are VPN technologies? (Choose three)

A. GRE
B. L2TP
C. DPI
D. IPSec

Answer: A,B,D

QUESTION NO: 292

In a symmetric encryption algorithm, the encryption key and the decryption key are the same.

A. True
B. False

Answer: A

QUESTION NO: 293

The source port is decided by the application (protocol); the same application (protocol) uses the
same source port

A. True
B. False

Answer: B

QUESTION NO: 294

The Security Alliance (SA) is the basis of IPSec and is an agreement between the communicating
peers on certain safety elements.

A. True
B. False

Answer: A

QUESTION NO: 295

Based on what user information does the LAC device determine which LNS to initiate an L2TP
tunnel to?

A. Source IP address
B. Destination IP address
C. The source IP address and destination IP address
D. Username + Password

Answer: D

QUESTION NO: 296

IPSec uses the AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols to
achieve privacy, integrity, authenticity, and anti-replay, and also uses IKE
(Internet Key Exchange) to provide automatic key negotiation and exchange for IPSec and to
establish and maintain security alliance services, simplifying the use and management of IPSec.

A. True
B. False

Answer: A

QUESTION NO: 297

Which statement about L2TP user authentication is correct:

A. The LAC can authenticate the user
B. The LNS can authenticate the user
C. After the LAC authenticates the user, the LNS can authenticate the user again
D. All other options are correct

Answer: D

QUESTION NO: 298

The registered port of the L2TP protocol is:

A. TCP 1701
B. TCP 1710
C. UDP 1701
D. UDP 1702

Answer: C

QUESTION NO: 299

When a leased line rented from an ISP connects two firewalls through SA ports, both firewalls are
DTE devices and their clocks are set to slave.

A. True

B. False

Answer: A

QUESTION NO: 300

In most scenarios, NAT Inbound refers to the use of an Internet address instead of the internal
LAN address; its role is to hide the actual IP address of the Internet server.

A. True
B. False

Answer: B

QUESTION NO: 301

The protocol mainly used as an encryption mechanism is:

A. HTTP
B. FTP
C. TELNET
D. SSL

Answer: D

QUESTION NO: 302

Which of the following dimensions does TSM system management support? (Choose two)

A. Organization and management
B. Regional Management Network
C. Management hardware features
D. Administration

Answer: A,B

QUESTION NO: 303

When IPSec AH + ESP is used to establish an IPSec tunnel in tunnel mode, how many IPSec SAs are created?

A. 2
B. 3
C. 4
D. 1

Answer: C

QUESTION NO: 304

Which level do Microsoft patches not include?

A. Key
B. Serious
C. Important
D. Medium

Answer: D

QUESTION NO: 305

Which statements about firewall access control lists are correct? (Choose three)

A. Basic access control lists can filter on the source and destination IP address
B. Advanced access control lists can filter on protocol
C. MAC-based access control lists can filter on the type field of the data link layer protocol
header
D. Hardware packet filtering ACLs can match traffic on dimensions such as source MAC address,
destination MAC address, and protocol

Answer: B,C,D

QUESTION NO: 306

Which of the following match modes does the USG2000 (Eudemon 200E) firewall support? (Choose two)

A. config mode
B. auto mode
C. acl mode
D. rule mode

Answer: A,B

QUESTION NO: 307

The vast majority of endpoint security threats come from the Internet; the internal network only
needs to deploy anti-virus software to solve the problem.

A. True
B. False

Answer: B

QUESTION NO: 308

Which descriptions of the SVN3000 hardware are correct: (Choose three)

A. The SVN3000 is a 1U standard chassis with a Console port
B. There are four pairs SVN3000 fixed 10/100/1000M Ethernet optical ports are mutually exclusive
C. The chassis provides a total of two expansion slots, one for inserting an encryption card
and the other spare for extended functions.
D. The SVN3000 has two internal AC or DC power modules installed, providing redundant dual power
supply and backup power supply.

Answer: A,C,D

QUESTION NO: 309

When the source host sends an ARP request, the source IP address field of the packet is the source
host's IP address, the source MAC address field is the source host's MAC address, the destination IP
address field is the destination host's IP address, and the encapsulated destination MAC address is
the destination host's MAC address

A. True
B. False

Answer: B

QUESTION NO: 310

In order to ensure the success of tunnel verification, the LAC and LNS client-side configuration,
such as password information, must be consistent.

A. True
B. False

Answer: A

QUESTION NO: 311

In which part of the message is VLAN tag information contained?

A. Ethernet packet header
B. IP packet header
C. TCP packet header
D. UDP packet header

Answer: A

QUESTION NO: 312

Which descriptions of the match order of different rules in the same ACL on the USG2000
(Eudemon 200E) firewall are correct: (Choose three)

A. When multiple rules are configured in an ACL, there are two matching orders: automatic matching
mode (auto) and configuration priority mode (config).
B. Firewall defaults to auto mode
C. In auto mode: depth-first rule matching principle, namely: the smaller the address
range, the higher the rule priority.
D. In config mode: rules configured first are matched first, that is, the smaller the serial
number, the higher the rule priority.

Answer: A,C,D

QUESTION NO: 313

The anti-mask is similar in format to the subnet mask, but the values have different meanings: 1
indicates that the corresponding IP address bit needs to be compared, 0 indicates that the
corresponding IP address bit is ignored in the comparison.

A. True
B. False

Answer: B

QUESTION NO: 314

Which of the following statements are true? (Choose two)

A. New connections per second refers to the TCP connections established through the firewall per
second, including half-open connections
B. Throughput refers to the maximum amount of data that the firewall can process simultaneously,
generally with 1500Byte packets as the test standard
C. Latency refers to the interval between the last bit of the packet entering the firewall and the
first bit leaving the firewall
D. The maximum number of concurrent connections refers to the number of connections the firewall
can accommodate

Answer: C,D

QUESTION NO: 315

The firewall's Local security zone does not contain any interface. When the IP address of a
firewall interface is pinged from the firewall itself, the packet is handed to the firewall's
internal modules for processing and is not forwarded. Because they belong to the same security
zone, they can communicate properly without interzone packet filtering being configured.

A. True
B. False

Answer: A

QUESTION NO: 316

The main features of a packet filtering firewall include: (Choose three)

A. As ACL complexity and length increase, the firewall's filtering performance shows an
exponentially decreasing trend
B. Static ACL rules are difficult to adapt to dynamic security filtering requirements
C. It does not check session state or analyze data, so it is very easy for hackers to get through
D. It fully controls network information exchange and sessions, with high
security

Answer: A,B,C

QUESTION NO: 317

Which of the following characteristics does NAT technology have? (Choose two)

A. It hides addresses for network users, providing a degree of security
B. Does not support an unlimited number of IP for network NAPT conversion
C. Network users both inside and outside do not perceive the IP address conversion process; the
entire process is transparent to the user
D. After you configure a bidirectional NAT, an external user can access the network resources
within

Answer: A,C

QUESTION NO: 318

Which of the following key management techniques are often applied to the VPN environment?

A. IKE
B. Authentication
C. IPSec
D. PKI / CA

Answer: A

QUESTION NO: 319

The SVN3000 shared Web gateway can be accessed in two ways: by IP address and by domain name.

A. True
B. False

Answer: B

QUESTION NO: 320

For the SVN3000 network extension function, if a remote user needs to access the corporate
network and the local area network and also the Internet, which routing mode does the client
need to use:

A. Full-channel mode (Full Tunnel)
B. Separation channel mode (Split Tunnel)
C. Routing (route Tunnel)
D. Manually (Manual Tunnel)

Answer: D

QUESTION NO: 321

The firewall is configured with nat server global 202.106.1.1 inside 10.10.1.1. Which interface
packet filtering rule correctly allows public network users to access the WWW server?

A. rule permit TCP source 202.106.1.1 0 source-port 80
B. rule permit TCP source 10.10.1.1 0 source-port 80
C. rule permit TCP destination 202.106.1.1 0 destination-port 80
D. rule permit TCP destination 10.10.1.1 0 destination-port 80

Answer: D

QUESTION NO: 322

Which encapsulation modes does the IPSec protocol have? (Choose two)

A. Tunnel Mode
B. Transfer mode
C. Master Mode
D. Aggressive Mode

Answer: A,B

QUESTION NO: 323

After receiving the L2TP LNS packets, check if the newspaper wengong IP address is not found in
the local header successfully established the link, but also to the next step L2TP packet of
information processing.

A. True
B. False

Answer: B

QUESTION NO: 324

Multiple interfaces of the firewall can belong to the same security zone.

A. True
B. False

Answer: A

QUESTION NO: 325

In transparent mode the firewall works like a switch: it forwards packets according to MAC address,
performs no ACL check on matching packets, and does not generate a session table

A. True
B. False

Answer: B

QUESTION NO: 326

Which of the following applications are dynamic port TCP applications?

A. SSH
B. FTP
C. Http
D. Telnet

Answer: B

QUESTION NO: 327

The L2TP default group is primarily for scenarios that accept calls from any client.

A. True
B. False

Answer: A

QUESTION NO: 328

On USG (Eudemon) series firewalls, which of the following priority (priority) values can be set for
user-defined security zones? (Choose two)

A. 150
B. 100
C. 80
D. 40

Answer: C,D

QUESTION NO: 329

Extended access control lists can match traffic on which of the following dimensions?
(Choose two)

A. Source MAC
B. Destination MAC
C. Source IP
D. Destination IP

Answer: C,D

QUESTION NO: 330

The advantages of address translation technology include: (Choose three)

A. NAT allows internal network users (private IP addresses) to easily access the Internet.
B. NAT allows many hosts on the internal LAN to share a single Internet IP address.
C. Address translation can handle IP header encryption.
D. NAT can shield the user's internal network and improve the security of the internal network.

Answer: A,B,D

QUESTION NO: 331

Which of the following security risks exist in TCP/IP version 4? (Choose three)

A. Lack of data origin authentication mechanism
B. Lack of data packet acknowledgment mechanism
C. Lack of data integrity verification mechanism
D. Lack of confidentiality safeguards

Answer: A,C,D

QUESTION NO: 332

ARP-REPLY packets are sent by broadcast; every host on the same Layer 2 network can receive
them and learn the IP-to-MAC address mapping from them.

A. True
B. False

Answer: B

QUESTION NO: 333

Which of the following types of firewall processes non-first packets the fastest?

A. Packet filtering firewall
B. Proxy Firewall
C. Stateful inspection firewall
D. Software firewalls

Answer: C

QUESTION NO: 334

User Wang dials in to the L2TP VPN from outside the network and obtains an address normally.
He can ping the firewall's internal network interface but cannot access the internal network
server. Checking the configuration shows that the Virtual-Template is in the untrust zone and
the internal network interface is in the trust zone. Which of the following are possible
reasons the server cannot be accessed? (Choose two)

A. The server is not configured with a gateway
B. Interzone rules between untrust and trust are not opened
C. Interzone rules between untrust and local are not opened
D. The other three options are correct

Answer: A,B

QUESTION NO: 335

Which of the following are VPDN tunneling protocols? (Choose two)

A. PPPOE
B. L2TP
C. PPTP
D. IPSec

Answer: B,C

QUESTION NO: 336

The TSM system needs to prohibit end users from copying important data to storage media, to
prevent information security incidents, but the business requires that end users be allowed to
read the data stored on them. Which of the following policies should be enabled?

A. Disable removable storage devices
B. Read-only removable storage devices
C. Monitoring removable storage devices
D. Write encrypted removable storage devices

Answer: B

QUESTION NO: 337

Classified by business use, VPNs do not include which of the following?

A. Access VPN
B. Intranet VPN
C. Internet VPN
D. Extranet VPN

Answer: C

QUESTION NO: 338

If the DNS server address has been configured on the SVN, the URL of the Web proxy function
must be configured as an IP address.

A. True
B. False

Answer: B

QUESTION NO: 339

Deploying NAT technology to hide internal IP addresses can improve the security of the
network.

A. True
B. False

Answer: A

QUESTION NO: 340

A virtual private network (VPN) is a private data channel established over a shared public
network: each network or terminal that needs access to the virtual network connects through
tunnels (channels), forming a dedicated network with a certain level of security and quality
of service.

A. True
B. False

Answer: A

QUESTION NO: 341

The file sharing types supported by SSL VPN are divided into two kinds, SMB and NFS: SMB
corresponds to Windows hosts, and NFS corresponds to Linux hosts.

A. True
B. False

Answer: A

QUESTION NO: 342

SSL and IPSec are both security protocols that provide encryption and authentication. However,
SSL encrypts only the data transmitted between the two communicating applications, not all of
the data sent from one host to another (such as TCP/IP and application layer protocol).

A. True
B. False

Answer: A

QUESTION NO: 343

How do you enter the BootROM main menu (Main Menu) while a USG2000 (Eudemon200E) device is booting?

A. Press CTRL + C
B. Press CTRL + B
C. Press CTRL + Z
D. Press CTRL + ALT + A

Answer: B

QUESTION NO: 344

In a GRE configuration environment, when the local device is configured to reach the peer's
private network over GRE, which of the following interfaces or IP addresses does it need to
point to? (Choose two)

A. Tunnel Interface
B. External network (Internet) interface
C. Tunnel Interface IP address
D. External network (Internet) interface IP address

Answer: A,C

QUESTION NO: 345

In a GRE configuration, which of the following items must be configured in Tunnel interface
mode? (Choose three)

A. source ip-address
B. destination ip-address
C. Tunnel Interface IP address
D. gre encryption-algorithm 3des

Answer: A,B,C

QUESTION NO: 346

The port-mapping function is used to publish a certain port of an internal server to the external network.

A. True
B. False

Answer: B

QUESTION NO: 347

Which of the following security protocols supports IPSec NAT traversal (the case where a NAT
device sits in the middle of the IPSec VPN tunnel)?

A. AH
B. ESP
C. AH + ESP
D. AES

Answer: B

QUESTION NO: 348

SVN3000 Web proxy server resources can be accessed only by clicking them in the SVN web list.

A. True
B. False

Answer: B

QUESTION NO: 349

In the same scenario, which of the following symmetric encryption algorithms encrypts and
decrypts the fastest?

A. DES
B. 3DES
C. RSA (1024)
D. MD5

Answer: A

QUESTION NO: 350

GRE VPN technology is mainly used in which of the following scenarios? (Choose two)

A. Connecting discontinuous subnets
B. Connecting non-IP protocol networks via an IP network
C. Connecting networks that must transfer data confidentially via GRE VPN
D. Networks that need to provide flow control and QoS

Answer: A,B

QUESTION NO: 351

Which of the following statements about NAS-Initialized L2TP VPN are correct? (Choose three)

A. Remote users access the NAS (LAC) via PSTN/ISDN, and the LAC determines whether they are L2TP users.
B. If the remote user is an L2TP user, the LAC initiates a channel connection establishment request to the LNS.
C. The LNS assigns a private IP address to remote dial-up users.
D. Validation of remote dial-up users can only be done at the LNS.

Answer: A,B,C

QUESTION NO: 352

When configuring the SVN3000, VPNDB user information can be created one entry at a time, or
created in batches by importing a file.

A. True
B. False

Answer: A

QUESTION NO: 353

In an IPSec VPN configuration that uses pre-shared key authentication mode, you can choose
whether to configure the key on each end, but if a key is configured, it must be the same on
both sides.

A. True
B. False

Answer: B

QUESTION NO: 354

You can also use the template mode IPSEC remote-address is the address specified above.

A. True
B. False

Answer: A

QUESTION NO: 355

In an ADSL configuration, dialer-rule 1 ip permit corresponds to which of the following
configurations?

A. dialer1
B. dialer bundle 1
C. dialer-group 1
D. pppoe-client dial-bundle-number 1

Answer: C

QUESTION NO: 356

For the end user, the SVN is equivalent to a web __________, while for the internal servers,
the SVN assumes the role of __________:

A. Server,
B. The client, the client
C. Client, server
D. Server, the client

Answer: D

QUESTION NO: 357

NAT technology encrypts the network layer information (IP header) of data packets to enhance
the security of the data.

A. True
B. False

Answer: B

QUESTION NO: 358

All categories of access control list support access control based on the IP quintuple.

A. True
B. False

Answer: B

QUESTION NO: 359

A GRE tunnel is established between two companies through the Internet. Company A's corporate
network interface IP address is 192.168.0.1, its Tunnel interface IP address is 10.10.10.1, its
Loopback interface IP address is 172.16.15.1, and its external network address is 171.13.15.1.
In Tunnel interface mode, which address is configured as the source address?

A. 192.168.0.1
B. 10.10.10.1
C. 172.16.15.1
D. 171.13.15.1

Answer: D

QUESTION NO: 360

In the USG (Eudemon) series firewall, which of the following techniques is matched first?

A. Packet filtering
B. Attack prevention
C. Blacklist
D. White List

Answer: C

QUESTION NO: 361

The main difference between symmetric and asymmetric encryption algorithms is that the
algorithms differ, but both use the same key to encrypt and decrypt.

A. True
B. False

Answer: B

QUESTION NO: 362

Which of the following IKE exchange mode does not provide identity protection?

A. Master Mode
B. Aggressive Mode
C. Fast mode
D. Passive mode

Answer: B

QUESTION NO: 363

Which of the following scenarios does nat outbound on Huawei firewalls support? (Choose three)

A. One address translation
B. -Many address translation
C. -Many address translation
D. Many-to- address translation

Answer: A,C,D