H12-831 Huawei Practice Test Questions and Exam Dumps

Question 1

To accelerate the detection of link failures in an IS-IS network, IS-IS can be integrated with BFD.

A. TRUE
B. FALSE

Correct Answer: A

Explanation:
IS-IS (Intermediate System to Intermediate System) is a dynamic routing protocol used in many large-scale networks for exchanging routing information within a domain. One of the challenges in any routing protocol is the speed of failure detection — that is, how quickly the protocol can recognize that a link or neighbor has gone down so it can reroute traffic accordingly.

This is where BFD (Bidirectional Forwarding Detection) comes into play. BFD is a protocol designed specifically to provide rapid detection of faults in the path between two forwarding engines, which may be physical links, tunnels, or even virtual connections. It works independently of the underlying transport protocol and is used to supplement routing protocols by reducing failure detection time.

Let’s break down how BFD enhances IS-IS operation:

  • Default IS-IS Hello Intervals: By default, IS-IS relies on the exchange of Hello packets to detect neighbor reachability. The typical hello interval might be in the range of 10 seconds, with a hold time of 30 seconds. This means that it could take up to 30 seconds to detect a failed link, which is too long in high-performance environments.

  • Using BFD with IS-IS: When BFD is configured alongside IS-IS, BFD takes over the role of fast failure detection. BFD sessions are established between IS-IS neighbors, and BFD is capable of detecting failures in milliseconds (often as low as 50 ms). Once BFD detects a failure, it informs the IS-IS process, which can then immediately withdraw routes learned from the failed neighbor and trigger a faster convergence.

  • Operational Benefit: This integration is particularly useful in carrier-grade networks or data centers, where uptime and fast rerouting are critical. BFD offloads the failure detection responsibility from IS-IS and provides a far more granular and responsive mechanism.

  • Implementation Support: Most modern network vendors and equipment support IS-IS and BFD integration, and it is a recommended best practice in networks where rapid failure detection is required.

  • Unidirectional Detection: Another strength of BFD is that it works in both directions independently, which means it can detect failures even if the path is unidirectionally broken — something routing protocol hellos might miss.

To conclude, BFD acts as a fast failure detection mechanism that significantly enhances IS-IS convergence time, especially in large-scale or mission-critical networks. This is why integrating IS-IS with BFD is a recognized and effective method to speed up link failure detection.

Hence, the correct answer is A.

Question 2

In OSPF, does the ABR convert all Type 7 LSAs in a Not-So-Stubby Area (NSSA) into Type 5 LSAs?

A. TRUE
B. FALSE

Correct Answer: B

Explanation:

In the Open Shortest Path First (OSPF) routing protocol, different Link-State Advertisement (LSA) types are used to distribute routing and topology information throughout the network. The handling of these LSAs varies depending on the type of area they are generated in and the routers that process them.

A Not-So-Stubby Area (NSSA) is a special type of OSPF area that allows the importing of external routes (like those from another routing protocol) but restricts traditional Type 5 LSAs that are used in standard OSPF areas for external route advertisements. To support external routing in an NSSA, OSPF introduces a special LSA type called Type 7 LSA.

Type 7 LSAs are created by Autonomous System Boundary Routers (ASBRs) inside the NSSA to advertise external routes. However, because routers in standard areas do not understand Type 7 LSAs, they must be converted to Type 5 LSAs before being advertised outside the NSSA.

This is where the Area Border Router (ABR) comes in. An ABR connects the NSSA to the backbone area (Area 0) and is responsible for converting Type 7 LSAs into Type 5 LSAs. However, the key point is that the ABR does not convert all Type 7 LSAs—only those that are specifically flagged as eligible for translation.

This eligibility is determined by the P-bit (propagate bit) in the Type 7 LSA. If the P-bit is set, the LSA is eligible for conversion from Type 7 to Type 5. If it is not set, the ABR will not perform the translation, and the LSA remains within the NSSA only.

Additionally, it’s important to note that not all ABRs in the NSSA necessarily perform the conversion. OSPF uses a deterministic election process to designate a single ABR that will handle the Type 7 to Type 5 conversion for each specific external route. This avoids multiple routers redundantly advertising the same route externally.

In summary, although ABRs in an NSSA can convert Type 7 LSAs to Type 5, they do not convert all Type 7 LSAs—only those that have the P-bit set and are designated for external advertisement beyond the NSSA. Thus, the statement in the question is not entirely accurate.

Therefore, the correct answer is B.
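The translation decision described above, as an added example that is not part of the original page: it reads the Options octet of an OSPFv2 LSA header, tests the P-bit (0x08, per RFC 3101), and lets only one ABR translate. The helper names, the sample LSAs and router IDs are constructed, and the "highest router ID wins" election is the RFC 3101 default, assumed here.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

P_BIT = 0x08          # N/P bit in the LSA Options octet (RFC 3101)
TYPE7, TYPE5 = 7, 5   # NSSA-external and AS-external LSA types


class LsaHeader(NamedTuple):
    age: int
    options: int
    ls_type: int
    link_state_id: str
    adv_router: str


def parse_lsa_header(raw: bytes) -> LsaHeader:
    """Decode the fields needed here from the 20-byte OSPFv2 LSA header."""
    if len(raw) < 20:
        raise ValueError("an OSPFv2 LSA header is 20 bytes")
    age, options, ls_type, lsid, adv = struct.unpack("!HBB4s4s", raw[:12])
    return LsaHeader(age, options, ls_type,
                     str(ipaddress.IPv4Address(lsid)),
                     str(ipaddress.IPv4Address(adv)))


def elect_translator(abr_router_ids):
    """Assumed election rule: the ABR with the numerically highest router ID."""
    return max(abr_router_ids, key=lambda rid: int(ipaddress.IPv4Address(rid)))


def translate(raw: bytes, my_router_id: str, abr_router_ids) -> Optional[dict]:
    """Return the Type 5 LSA identity this ABR would originate, or None."""
    hdr = parse_lsa_header(raw)
    if hdr.ls_type != TYPE7:
        return None                      # only Type 7 LSAs are candidates
    if not hdr.options & P_BIT:
        return None                      # P-bit clear: LSA stays inside the NSSA
    if elect_translator(abr_router_ids) != my_router_id:
        return None                      # another ABR is the translator
    return {"ls_type": TYPE5,
            "link_state_id": hdr.link_state_id,
            "adv_router": my_router_id}  # the translator originates the Type 5


def make_header(options: int, ls_type: int, lsid: str, adv_router: str) -> bytes:
    """Build a constructed header; age, sequence, checksum, length are dummies."""
    return struct.pack("!HBB4s4sIHH", 1, options, ls_type,
                       ipaddress.IPv4Address(lsid).packed,
                       ipaddress.IPv4Address(adv_router).packed,
                       0x80000001, 0, 36)


# Constructed sample data: two ABRs on the NSSA and two Type 7 LSAs from an ASBR.
ABRS = ["10.0.0.9", "10.0.0.10"]
LSA_P_SET = make_header(P_BIT, TYPE7, "203.0.113.0", "10.0.0.3")
LSA_P_CLEAR = make_header(0x00, TYPE7, "198.51.100.0", "10.0.0.3")

if __name__ == "__main__":
    for name, lsa in (("P-bit set", LSA_P_SET), ("P-bit clear", LSA_P_CLEAR)):
        for abr in ABRS:
            print(name, abr, translate(lsa, abr, ABRS))
```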

Question 3

Which of the following statements about IP Source Guard (IPSG) is incorrect?

A. IPSG can prevent IP address spoofing attacks
B. IPSG is a source IP address filtering technology based on the three-layer interface
C. IPSG can turn on the IP packet inspection and alarm function, and cooperate with the network management to perform alarms
D. IPSG can prevent the host from changing the IP address privately

Correct Answer: C

Explanation:

IP Source Guard (IPSG) is a network security feature typically implemented on switches to prevent IP address spoofing on untrusted Layer 2 interfaces. It works by filtering traffic based on IP-to-MAC address bindings and the DHCP snooping binding table. By doing so, IPSG ensures that only traffic with valid IP-MAC combinations is forwarded, thus securing the network from certain types of attacks.

Let’s examine each of the statements to identify which one is incorrect.

Option A: IPSG can prevent IP address spoofing attacks
This statement is correct. IPSG is explicitly designed to prevent IP spoofing attacks by ensuring that a device connected to the network cannot use a fake (spoofed) IP address. It filters IP packets based on the bindings established between IP addresses and MAC addresses (typically through DHCP snooping), effectively blocking any traffic that attempts to use an unauthorized IP address.

Option B: IPSG is a source IP address filtering technology based on the three-layer interface
This is also correct. IPSG operates on Layer 3 interfaces (IP layer) and uses the Layer 2 (MAC address) and Layer 3 (IP address) combination to perform filtering. It is not a general packet inspection tool but a very specific IP-to-MAC validation tool used to secure IP addressing within a subnet.

Option C: IPSG can turn on the IP packet inspection and alarm function, and cooperate with the network management to perform alarms
This is the incorrect statement and thus the correct answer to the question. IPSG is a filtering mechanism and does not provide deep IP packet inspection or alarm capabilities as described in this statement. While some security tools and intrusion detection/prevention systems (IDS/IPS) can inspect packets and generate alerts in cooperation with network management systems, IPSG does not have these capabilities. It does not analyze the contents of IP packets nor generate alarms; it simply blocks unauthorized IP traffic based on binding rules.

Option D: IPSG can prevent the host from changing the IP address privately
This statement is correct. A host trying to manually assign itself an IP address (one that is not authorized or bound via DHCP snooping) will have its traffic blocked by IPSG. This prevents devices from circumventing DHCP-based IP allocation policies, which can otherwise be exploited in spoofing or man-in-the-middle attacks.

While options A, B, and D correctly describe the functionality of IP Source Guard, option C introduces capabilities (packet inspection and alarms) that IPSG does not possess. These functions belong to more advanced security tools, not to a basic IP filtering mechanism like IPSG.

The correct answer is: C
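The binding-table filtering that the explanation attributes to IPSG, as an added example that is not part of the original page or any vendor's implementation: each packet on an untrusted port is checked against IP/MAC/VLAN/port bindings of the kind DHCP snooping builds. The function name, verdict strings, interface names and addresses are constructed for illustration.

```python
from typing import NamedTuple


class Binding(NamedTuple):
    ip: str
    mac: str
    vlan: int
    port: str


class Packet(NamedTuple):
    src_ip: str
    src_mac: str
    vlan: int
    in_port: str


def ipsg_check(pkt: Packet, bindings, trusted_ports=frozenset()):
    """Return (action, reason) for one packet, judged only on its source fields."""
    if pkt.in_port in trusted_ports:
        return ("forward", "trusted-port")        # uplinks are not filtered
    mac = pkt.src_mac.lower()
    # Bindings that belong to this sender on this port and VLAN.
    here = [b for b in bindings
            if b.port == pkt.in_port and b.vlan == pkt.vlan
            and b.mac.lower() == mac]
    if any(b.ip == pkt.src_ip for b in here):
        return ("forward", "binding-match")
    if any(b.ip == pkt.src_ip for b in bindings):
        # Source IP is bound, but to a different MAC/port: spoofed address.
        return ("drop", "ip-bound-to-other-host")
    if here:
        # Known host on its own port using an address it was never assigned.
        return ("drop", "ip-changed-by-host")
    return ("drop", "no-binding")


# Constructed binding table, as DHCP snooping might have learned it.
BINDINGS = [
    Binding("192.0.2.10", "00:00:5e:00:53:01", 10, "GE0/0/1"),
    Binding("192.0.2.11", "00:00:5e:00:53:02", 10, "GE0/0/2"),
]
TRUSTED = frozenset({"GE0/0/24"})

# Constructed packets covering the cases the options describe.
SAMPLES = {
    "legitimate host":   Packet("192.0.2.10", "00:00:5E:00:53:01", 10, "GE0/0/1"),
    "spoofs neighbour":  Packet("192.0.2.11", "00:00:5e:00:53:01", 10, "GE0/0/1"),
    "static IP change":  Packet("192.0.2.50", "00:00:5e:00:53:01", 10, "GE0/0/1"),
    "unknown device":    Packet("192.0.2.99", "00:00:5e:00:53:aa", 10, "GE0/0/3"),
    "uplink traffic":    Packet("198.51.100.7", "00:00:5e:00:53:ff", 10, "GE0/0/24"),
}


def run_samples():
    """Evaluate every constructed packet and return the verdicts by name."""
    return {name: ipsg_check(p, BINDINGS, TRUSTED) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} -> {verdict}")
```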

Question 4

Which of the following are not included in the security protection actions that a secure MAC address can perform?

A. Protect
B. Restrict
C. Shutdown
D. Remark

Correct Answer: D

Explanation:
This question asks us to identify which one of the listed actions is not a valid response that a switch can take when a secure MAC address violation occurs.

Switches that implement port security use secure MAC addresses to control which devices can send traffic through a given port. If a device with an unauthorized MAC address tries to send traffic, the switch can respond in three different ways:

The protect action causes the switch to drop packets from unauthorized MAC addresses silently, without logging or disabling the port.

The restrict action also drops packets from unauthorized MAC addresses but adds logging and optional alerts like SNMP traps.

The shutdown action disables the port entirely, putting it into an error-disabled state. This requires manual intervention to bring the port back up.

These are the only three officially recognized port security actions: protect, restrict, and shutdown.

Remark, on the other hand, is not a valid port security action. It does not play any role in the enforcement of secure MAC address policies. It might be used in other areas such as quality of service marking or configuration comments, but it has no relevance to secure MAC address behavior.

Therefore, the correct answer is D.
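The three violation actions compared side by side, as an added example that is not part of the original page or any switch's code: the same frame sequence is replayed against a port that allows one secure MAC under protect, restrict and shutdown. The class and function names, result strings and MAC addresses are hypothetical.

```python
VALID_ACTIONS = ("protect", "restrict", "shutdown")


class SecurePort:
    """Toy model of a port with a secure-MAC limit and a violation action."""

    def __init__(self, max_macs: int, action: str):
        if action not in VALID_ACTIONS:
            raise ValueError(f"not a port security action: {action!r}")
        self.max_macs = max_macs
        self.action = action
        self.secure_macs = set()
        self.log = []          # only the restrict action writes here
        self.up = True

    def receive(self, src_mac: str) -> str:
        mac = src_mac.lower()
        if not self.up:
            return "dropped-port-down"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(mac)      # learned as a secure MAC
            return "forwarded"
        # Violation: an unknown MAC arrived after the limit was reached.
        if self.action == "restrict":
            self.log.append(f"violation from {mac}")
        elif self.action == "shutdown":
            self.up = False                # stays down until restored by hand
        return "dropped"

    def manual_restore(self) -> None:
        """The manual intervention the shutdown action requires."""
        self.up = True


# Constructed frame sequence: the authorised host, an intruder, the host again.
FRAMES = ["00:00:5e:00:53:01", "00:00:5e:00:53:99", "00:00:5e:00:53:01"]


def replay(action: str, frames=FRAMES, max_macs: int = 1):
    """Feed the frames to a fresh port; return (results, log, port_up)."""
    port = SecurePort(max_macs, action)
    results = [port.receive(f) for f in frames]
    return results, port.log, port.up


if __name__ == "__main__":
    for action in VALID_ACTIONS:
        print(action, replay(action))
```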

Question 5

In an IS-IS network with multiple redundant links and equal-cost routes, which of the following statements is incorrect?

A. When the number of equal-cost routes in the networking is greater than the number configured through commands, and the priorities of these routes are the same, the route with the higher System ID of the next hop device is preferred for load sharing.
B. If negative arbitration sharing is configured, the traffic will be evenly distributed to each link.
C. After the equal-cost routing priority is configured, when the IS-IS device forwards the traffic that reaches the destination network segment, it will not adopt the load sharing method, but will forward the traffic to the next-hop with the highest priority.
D. For each route in the equal-cost route, the priority can be specified, and the route with the higher priority will be preferred. The rest are used as backup routes.

Correct Answer: B

Explanation:

Intermediate System to Intermediate System (IS-IS) is a link-state interior gateway protocol used for routing within an Autonomous System. When multiple paths exist to reach the same destination with equal cost (called equal-cost multipath or ECMP), the IS-IS protocol can use these routes for load balancing or designate a preferred path based on additional configuration.

Let’s evaluate the options one by one to identify which one is incorrect:

Option A is accurate. When there are more equal-cost routes than what is allowed by configuration (for example, if the device supports up to 4 ECMP routes but finds 6), the router must select which paths to use. If priorities are the same, IS-IS uses the System ID of the next-hop device as a tiebreaker—the higher System ID is favored. This behavior helps ensure deterministic route selection.

Option C is also correct. If equal-cost routes are assigned explicit priorities, IS-IS will no longer perform load balancing among them. Instead, it selects the route with the highest priority as the primary forwarding path. The other routes remain as standby and will be used only if the primary route becomes unavailable. This approach gives administrators more control over traffic paths and can improve performance or meet policy requirements.

Option D is valid. It’s possible to assign different priorities to each equal-cost route. This feature allows one route to be favored while others are kept in reserve. The higher-priority route is selected for traffic forwarding, and lower-priority paths are treated as backups. This is a common strategy when administrators want to prefer a specific link over others while still maintaining redundancy.

Option B is the incorrect statement. The idea of negative arbitration sharing does not exist in standard IS-IS terminology or behavior. The term appears to be incorrectly used or fabricated. In IS-IS, load sharing across equal-cost routes typically uses per-packet or per-flow methods depending on the router’s capabilities and configuration. If equal-cost routes exist and no explicit priority is set, IS-IS will usually distribute traffic evenly. However, negative arbitration is not a valid or recognized method for configuring load balancing or traffic distribution in IS-IS networks.

In conclusion, B is the wrong statement because it refers to a non-existent concept in IS-IS routing, making it factually incorrect within the context of the protocol.

Question 6

Which two features listed below are key characteristics of Huawei’s CloudEngine series switches? (Choose two.)

A. Support for SDN (Software-Defined Networking) architecture
B. Native integration with Huawei's FusionSphere platform
C. High-performance ASIC (Application-Specific Integrated Circuit) design for packet forwarding
D. Built-in wireless LAN controller functionality
E. Full support for MPLS (Multiprotocol Label Switching) on Layer 2 and Layer 3

Correct Answers: A and C

Explanation:

Huawei's CloudEngine series switches are designed for high-performance, scalable, and intelligent networking in modern enterprise and data center environments. These switches support a wide range of advanced features, and their design reflects a focus on performance, automation, virtualization, and openness. Let's evaluate each of the options to determine which ones are indeed key features of the CloudEngine family.

Option A: Support for SDN (Software-Defined Networking) architecture
This is a key feature of the CloudEngine series. Huawei's CloudEngine switches are built with SDN in mind, meaning they can be centrally managed and programmed through a controller such as Huawei’s Agile Controller or a third-party SDN controller. The switches can support OpenFlow, NetConf, and other SDN protocols, allowing dynamic network adjustments, traffic engineering, and automation. This enables better agility, programmability, and alignment with modern cloud-networking demands.

Option B: Native integration with Huawei's FusionSphere platform
This is not a core feature of the CloudEngine series. FusionSphere is Huawei's cloud computing virtualization platform, and while CloudEngine switches can be part of a data center infrastructure that includes FusionSphere, there is no "native" integration as a built-in switch feature. Integration would generally happen at a higher orchestration or management layer, not inherently within the switching hardware or software itself. Therefore, this is not considered a key feature of the CloudEngine switches.

Option C: High-performance ASIC (Application-Specific Integrated Circuit) design for packet forwarding
This is definitely a key feature. One of the standout aspects of Huawei's CloudEngine switches is their use of custom-designed high-performance ASICs. These chips are specifically built for efficient and fast packet forwarding, enabling the switches to handle extremely high throughput and low latency — crucial for data center environments and high-performance computing networks. The ASIC architecture supports large forwarding tables, deep buffers, and fine-grained traffic management.

Option D: Built-in wireless LAN controller functionality
This is not a typical feature of CloudEngine switches. Wireless LAN controller functionality is generally found in Huawei’s Agile Switches or in dedicated WLAN controllers like Huawei’s AC series, not in the CloudEngine line. The CloudEngine series is primarily designed for core, aggregation, and data center environments, not as an all-in-one access layer solution that includes WLAN control.

Option E: Full support for MPLS (Multiprotocol Label Switching) on Layer 2 and Layer 3
This feature is partially correct, but it is not universally applicable across the entire CloudEngine portfolio. While some high-end CloudEngine models support MPLS, especially in data center interconnect and service provider settings, this is not a consistent feature across the full line. Therefore, although some models may support MPLS, it is not considered a universal key feature of the series as a whole.

The two most universally applicable and fundamental features of Huawei's CloudEngine switches are support for SDN architecture and the high-performance ASIC design that enables powerful packet forwarding capabilities. These features are central to the value proposition of the CloudEngine series in cloud and data center networking environments.

The correct answers are: A and C

Question 7

Which two types of technologies are used to improve network resilience in Huawei's Agile Network? (Choose 2.)

A. MPLS TE (Traffic Engineering)
B. Virtual Routing and Forwarding (VRF)
C. TRILL (Transparent Interconnection of Lots of Links)
D. Link aggregation with LACP (Link Aggregation Control Protocol)
E. Spanning Tree Protocol (STP) for loop prevention

Correct Answers: C and D

Explanation:
This question asks us to select two technologies that specifically contribute to enhancing network resilience within Huawei’s Agile Network architecture.

In Huawei’s Agile Network solutions, the focus is on achieving high availability, fast convergence, and fault tolerance across the network. Let’s examine each option and how it relates to resilience.

Option A, MPLS TE (Traffic Engineering), is a mechanism used primarily in service provider environments to optimize traffic paths through a network. While it improves efficiency and can reroute traffic around failures, it is not a core component promoted within Huawei's Agile Network solutions for enterprise-level network resilience.

Option B, VRF (Virtual Routing and Forwarding), is a technology that allows multiple routing instances to coexist on the same router. This improves segmentation and isolation but does not directly contribute to physical or logical link-level resilience. It’s more about logical separation of networks rather than fault tolerance or redundancy.

Option C, TRILL, is designed to replace traditional spanning tree-based Ethernet networks. It allows for all paths to be active, supporting multipath routing and faster convergence, which significantly boosts network resilience. TRILL removes the need to block redundant paths (as STP does) and provides better utilization of links and quicker failure recovery.

Option D, Link Aggregation with LACP, combines multiple physical links into a single logical link. This adds resilience by allowing traffic to continue flowing even if one of the physical links fails. LACP also provides load balancing across links, enhancing both redundancy and performance.

Option E, Spanning Tree Protocol (STP), was traditionally used for loop prevention but is considered less optimal today due to its slow convergence times. In modern resilient networks like Huawei’s Agile Network, newer alternatives like TRILL or Shortest Path Bridging are favored over STP.

Therefore, the two technologies most relevant to improving network resilience in Huawei’s Agile Network context are C and D.

Question 8

When setting up Huawei’s eSight management platform, which two features does it offer for managing network devices? (Choose two.)

A. Fault detection and performance monitoring
B. Real-time traffic analysis for security breaches
C. Configuration management and software deployment
D. Automatic backup of all network configurations
E. Integrated firewall configuration and management

Correct Answers: A, C

Explanation:

Huawei’s eSight is a comprehensive network management platform designed to manage and monitor various ICT resources such as routers, switches, servers, storage systems, and virtual infrastructure. The platform aims to unify management across multiple network domains by providing visibility, automation, and centralized control. Among the many features eSight provides, several core capabilities are essential to day-to-day network operations and maintenance.

Option A: Fault detection and performance monitoring
This is one of the primary functions of the eSight platform. It continuously monitors the health of network devices and links, identifying issues such as device failures, interface errors, and degraded performance. It also collects metrics such as CPU usage, memory utilization, and interface throughput. Alerts and alarms are generated based on predefined thresholds, which allow network administrators to respond proactively to problems before they escalate into major outages. Performance monitoring also enables trend analysis and capacity planning.

Option C: Configuration management and software deployment
eSight includes tools for managing network device configurations. This includes pushing configuration templates, updating device settings in bulk, comparing current configurations to baselines, and automating changes. Software deployment is also supported, allowing administrators to push firmware and software updates to devices in a structured and controlled way. This helps maintain device consistency and security compliance across the network.

Now, let's look at why the other options are not correct:

Option B: Real-time traffic analysis for security breaches
Although eSight can monitor traffic patterns and detect anomalies to some extent, deep traffic inspection and advanced threat analysis are generally outside the scope of this tool. These features are typically provided by specialized security appliances such as intrusion detection systems (IDS), intrusion prevention systems (IPS), or Security Information and Event Management (SIEM) platforms. eSight is primarily designed for infrastructure and network management rather than being a comprehensive cybersecurity solution.

Option D: Automatic backup of all network configurations
While eSight can facilitate scheduled backups of device configurations, the wording "automatic backup of all network configurations" is overly broad and somewhat misleading. Backup functionality is available but typically requires configuration by the administrator to define which devices and when to back up. It is not an all-inclusive automatic feature that happens out-of-the-box for every device type without configuration.

Option E: Integrated firewall configuration and management
Although Huawei offers security product integration with eSight, firewall-specific configuration and policy management is not its core function. There may be integration points with security platforms like USG firewalls, but full-featured firewall configuration and rule-base management is better handled through dedicated security management consoles, not general-purpose platforms like eSight.

In summary, the two functions most accurately reflecting the capabilities of Huawei’s eSight platform in managing network devices are fault detection and performance monitoring (A) and configuration management and software deployment (C).
