Huawei H12-721 HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Exam Practice Test

Note: IKE messages use UDP port 500. When NAT traversal is not enabled, AH and ESP are directly carried over IP. The protocol numbers are 51 and 50 respectively. In the case of NAT traversal, the first phase--messages and destinations of the IKE exchange process use UDP 4500 for both the source port and the destination port. All IKE messages exchanged with the initiator use 4500 ports. If the initiator is inside the NAT, Then NAT changes the source port of the initiator to another port to communicate with other devices. After the first phase of IKE is completed, both parties to the communication know the existence of NAT, and then negotiate whether to use NAT traversal in the SA load of the second phase of IKE, by adding two new encapsulation modes: UDP-tunnel and transmission mode. . An ESP header is encapsulated directly after the UDP header. The source port number and destination port number in the UDP packet header are the same as the IKE protocol. Therefore, it is necessary to check whether the intermediate device blocks protocol numbers 51 and 50, and the packets of UDP 500 and UDP 4500 ports pass. Analysis - because display ike sees no messages, that is, the first phase of IKE is not completed. The correct answer should be AC

key configuration: First, create/delete VPN instance [undo] ip vpn-instance vpn-instance-name [vpn-id vpn-id] Second, specify the route ID for the VPN instance route-distinguisher vpn-route-distinguisher

Note: Special packet attacks: one is a large ICMP message; the other is an ICMP unreachable message; the third is a Tracert message.

Note: Virtual firewalls are a combination of VPN instances (Instances), instances of multiple instances, and configuration of multiple instances. The virtual firewall provides the following multiple instances: one is VPN multi-instance; the other is secure multi-instance; the third is to configure multiple instances; the fourth is NAT multi-instance; the fifth is routing multi-instance; the sixth is UTM multi-instance.

Note: In L2TP over IPSec, packets are encapsulated with L2TP and then encrypted with IPSec. Authentication--L2TP is completed, encryption--IPSec is completed, and there is no direct relationship between authentication and encryption.

Note: DHCP snooping is a DHCP security feature that filters DHCP messages that do not contain information through MAC address restriction, DHCP snooping security binding, IP+MAC binding, and Option 82 features. DHCP DoS attack, DHCP server spoofing attack, ARP man-in-the-middle attack, and IP/MAC Snooping attack. DHCP snooping is enabled on all interfaces of the DHCP client. If the user-side interface is not configured with the Trusted mode, the interface is enabled with the Snooping feature. The default interface mode is Untrusted. This prevents the DHCP server from being attacked by the bogus. To prevent the attack from being attacked by the DHCP server, you can configure the DHCP snooping function on the device to configure the interface on the user side as Untrusted and the interface on the DHCP server as Trusted. All received from the Untrusted interface. DHCP relay packets are discarded. DHCP snooping is configured on the firewall. The DHCP snooping binding function is used to forward packets only if the received packets are the same as those in the binding table. Otherwise, the packets are discarded.

Note: Compared with T151 RD: indicates that this SA has been successfully established; ST: indicates that this end is the channel negotiation initiator; RL: indicates that this channel has been replaced by a new channel, will be deleted after a while; FD: indicates this A soft timeout has occurred on the channel. It is still in use. The hard timeout will delete the pass. TO: indicates that the SA has not received the keepalive message after the last keepalive timeout, if the next keepalive timeout occurs. If no keepalive packet is received, this SA will be deleted.

Note: Choose template mode or non-template mode: There are three main modes depending on the characteristics of the peer device: First, remote mobile client access, do not know the client IP address, can not configure remote-address, can only be used Template mode + barbarian mode name authentication; second, communication between two branches, IP address is fixed, non-template mode is used; third, branch office is not fixed IP, then the headquarters uses policy template mode, branch use Strategy mode.

Note: 1. USG A and USG B each start the BFD state machine. The initial state is Down and the BFD packet is Down. For a static BFD session, the value of the Your Discriminator is specified by the user. For the dynamic BFD session, the value of the Your Discriminator is 0. 2. After receiving the BFD packet whose status is Down, the USG B switches to Init. And send a BFD packet with the status of Init. 3. If the local BFD state of USG B is Init, the packets of the received state are Down. 4. The BFD state of USG A is the same as that of USG B. 5. After receiving the BFD packet in the Init state, the local state is switched to Up. 6. The BFD status of USG A changes with USG B. 7. After the state transition of "DOWN-->INIT" occurs on USG A and USG B, a timeout timer is started. If the BFD packet is in the Init or Up state, the local state is automatically switched back to Down.

Note: VGMP management group priority is lowered by default 2

Note: Packets that do not match IP and MAC will pass, and only packets with IP or MAC mismatch will be discarded.

Note: The IKE master mode of the certificate mode can also implement NAT traversal of IPSec VPN.

Note: To establish a pair of IPSec, IKE V1 needs to go through two phases: "main mode + fast mode" or "barbaric mode + fast mode". The former needs to exchange at least 9 messages, and the latter requires at least 6 messages. In IKE V2, an IKE SA and a pair of IPSecs can be completed by using a total of four messages in two exchanges. If the required IPSec SA is greater than 1 pair, the first pair of SAs only needs to add 1 additional exchange, that is, 2 messages can be completed. This is much easier than IKE V1. IKE V2 defines three types of exchanges: initial exchange, creation of SA exchange, and notification exchange.