juniper认证考试
A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST. However, the administrator does not want the server to be able to init
题目
A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST. However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone. Which configuration statement would correctly accomplish this task?()
- A、from-zone UNTRUST to-zone TRUST { policy DenyServer { match { source-address any; destination-address any; application any; } then { deny; } } } from-zone TRUST to-zone UNTRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
- B、from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then {deny; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
- C、from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-ftp; } then { permit; } } }
- D、from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { permit; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match {source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
相似问题和答案
第1题:
A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com.) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.
D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.
第2题:
A network administrator wants to ensure that only the server can connect to port Fa0/1 on a Catalyst switch. The server is plugged into the switch Fa0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of the server is allowed by switch port Fa0/1?()
A. Configure port Fa0/1 to accept connections only from the static IP address of the server.
B. Employ a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
C. Configure the MAC address of the server as a static entry associated with port Fa0/1.
D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.
E. Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server.
F. Configure an access list on the switch to deny server traffic from entering any port other than Fa0/1.
第3题:
The Ezonexam network administrator wants to ensure that only a single web server can connect to pot Fa0/1 on a catalyst switch. The server is plugged into the switch's Fast Eth. 0/1 port and the network administrator is about to bring the server online. What can the administrator do to ensure that only the MAC address of this server is allowed by switch port Fa0/1? (Choose two)
A.Configure port Fa0/1 to accept connections only from the static IP address of the server
B.Configure the MAC address of the server as a static entry associated with port Fa0/1
C.Employ a proprietary connector type on Fa0/1 that is incomputable with other host connectors
D.Configure port security on Fa0/1 to reject traffic with a source MAC address other than that of the server
E.Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address
解析:Explanation:
You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses specified for that port.
When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host.
The port's behavior. depends on how you configure it to respond to a security violation. When a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.
第4题:
Which command is needed to change this policy to a tunnel policy for a policy-based VPN?() [edit security policies from-zone trust to-zone untrust] user@host# show policy tunnel-traffic { match { source-address local-net; destination-address remote-net; application any; then { permit; } }
- A、set policy tunnel-traffic then tunnel remote-vpn
- B、set policy tunnel-traffic then permit tunnel remote-vpn
- C、set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit
- D、set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
正确答案:D
第5题:
Assume the default-policy has not been configured.Given the configuration shown in the exhibit, which two statements about traffic from host_a inthe HR zone to host_b in the trust zone are true?() [edit security policies from-zone HR to-zone trust] user@host# show policy one { match { source-address any; destination-address any; application [ junos-http junos-ftp ]; } then { permit; } } policy two { match { source-address host_a; destination-address host_b; application [ junos-http junos-smtp ]; } then { deny; } }
- A、DNS traffic is denied.
- B、HTTP traffic is denied.
- C、FTP traffic is permitted.
- D、SMTP traffic is permitted.
正确答案:A,C
第6题:
A. The untrust zone does not have a management policy configured.
B. The trust zone does not have ping enabled as host-inbound-traffic service.
C. The security policy from the trust zone to the untrust zone does not permit ping.
D. No security policy exists for the ICMP reply packet from the untrust zone to the trust zone.
第7题:
Computers on a small network are not able to receive new addresses from the DHCP server. However, the administrator has checked the server and ensured it is connected, responding, and functional. Which of the following is the MOST likely problem in this scenario?()
- A、The DHCP server has an incorrect gateway configured.
- B、The DHCP server was incorrectly configured with a six hour lease time on addresses.
- C、The DHCP server was incorrectly configured with no-expiring lease time on addresses.
- D、The DNS server is no longer functional and internal name-address resolution is down.
正确答案:C
第8题:
A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone.Which configuration statement would correctly accomplish this task?()
A. from-zone UNTRUST to-zone TRUST { policy DenyServer { match { source-address any; destination-address any; application any; } then { deny; } } } from-zone TRUST to-zone UNTRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
B. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then {deny; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
C. from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-ftp; } then { permit; } } }
D. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { permit; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match {source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
第9题:
An administrator mistakenly shutdown production after a fallover because the service IP address Was shifted from the normal production node to the standby node. What can be done to avoid this type of mistake in the future?()
- A、 Include the service IP address in the administrator’s PS1 prompt
- B、 Alias the service IP address to the hostname in the /etc/host file
- C、 Define a persistent IP address with HACMP and make it a practice to use the persistent address for administration work
- D、 Add a DNS entry to map the standby node name to the service IP address so telnet connections will be to the correct node
正确答案:C
第10题:
You are the administrator of a Windows 2000 network. You install Windows 2000 Professional on a new computer and configure the TCP/IP settings to have a static IP address. While testing network connectivity from the new computer, you discover an error in the DNS server address that is configured in the TCP/IP settings. You configure the correct DNS server address, which is 10.1.1.5. However, you are still unable to successfully connect to network resources by name. You run the IPconfig/all command. The results indicate that the DNS server address is now configured as 0.0.0.0 You need to ensure that the computer can connect to network resources by name. What should you do?()
- A、Stop and restart the DNS Client service.
- B、Add 10.1.1.5 to the DNS server list on the TCP/IP Advanced Properties tab.
- C、Add an A (host) record for the computer to the DNS server’s zone file.
- D、Configure your DHCP server to have a DNS server address of 10.1.1.5.
正确答案:A