H12-841_V1.5 Questions and Answers

Huawei CloudCampus is an intelligent campus network solution designed to simplify deployment, improve O&M efficiency, and enhance user experience through cloud-based and automated technologies. Its advantages mainly focus onnetwork automation, unified management of campus network devices, and intelligent services, rather than full IT infrastructure management.

Option A is a core advantage of CloudCampus. Through cloud-based controllers and automation technologies, CloudCampus supportsautomatic deployment of physical networks, reducing manual configuration and shortening service rollout time.

Option B is also an important advantage. CloudCampus supportsplug-and-play of devices, where network devices can automatically go online, download configurations, and complete provisioning after being powered on and connected, significantly reducing on-site workload.

Option D is another key feature. Cloud Campus supportsfree mobility, allowing users to roam across different access points or areas while maintaining consistent network access policies and service experience, which is especially important in modern wireless campus environments.

Option C isnot an advantageof the Huawei Cloud Campus solution. Cloud Campus focuses on unified management ofcampus network devicessuch as switches, routers, and wireless devices. It does not provide unified management forstorage servers, which fall outside the scope of campus network management and belong to data center or IT infrastructure management solutions.

Therefore, unified management of Huawei switches, routers, and storage servers is not an advantage of the Cloud Campus solution.

According to HCIP Datacom Campus Network architecture principles, campus networks can be classified from multiple dimensions to support scientific planning, design, and deployment. These classification methods help network designers select appropriate architectures, devices, and technologies based on actual service requirements.

Network scaleis a primary classification dimension. Campus networks are commonly divided into small, medium, and large-scale networks based on the number of users, terminals, access points, and network devices. This classification directly influences topology design, such as whether a simple two-layer architecture or a more scalable three-layer architecture is required.

Served objectsis another important classification method. Campus networks may serve office users, guests, teaching staff, students, production terminals, IoT devices, or video surveillance systems. Different served objects have different requirements for bandwidth, security, and access control, making this dimension critical for policy and service design.

Access moderefers to how users and devices connect to the campus network, including wired access, wireless access, or a hybrid of both. This classification impacts WLAN planning, authentication methods, and network access control strategies.

Service complexityreflects the types and number of services carried by the network. A campus network may provide basic data services or support complex services such as voice, video, cloud access, and industry applications. Higher service complexity requires more advanced network design and management capabilities.

Therefore, all listed options are valid classification methods for campus networks.

In campus network architecture, theegress zoneplays a critical role as the boundary between the internal campus network and external networks such as the Internet, WAN, or cloud services. According to HCIP Datacom Campus Network design principles, the egress zone must meet multiple functional and security requirements to ensure stable, secure, and flexible network operation.

First,network connectivityis a fundamental requirement. The egress zone must reliably connect the campus intranet to external networks, ensuring uninterrupted access to external resources and services. High availability and redundancy are often considered in this aspect to avoid single points of failure.

Second,network secure ensuranceis essential. As the main security boundary, the egress zone must protect the campus network from external threats. This typically involves deploying security mechanisms such as firewalls, intrusion prevention, traffic filtering, and attack defense to ensure data and service security.

Third, the egress zone must provide strongservice control capability. This includes traffic identification, policy-based forwarding, bandwidth management, and application control. These capabilities allow administrators to optimize service quality, prioritize critical applications, and manage user access to external services.

Finally,various and flexible access modesare required to support different external connection scenarios, such as Internet access, MPLS WAN access, VPN connections, and cloud interconnection. This flexibility enables the campus network to adapt to evolving business and service requirements.

Therefore, all listed options are essential requirements for proper egress zone design, makingA, B, C, and Dthe correct answers.

Position 1 → Before authenticationBefore users are authenticated, they are placed in thepre-authentication domain. At this stage, access is strictly limited to basic network services such as theAdmission server,DHCP server, andDNS server. This allows users to obtain IP addresses and reach authentication-related services only.

Position 2 → Upon authentication failuresIf user authentication fails or security posture checks (such as antivirus or patch verification) do not pass, users are redirected to theisolation domain. In this domain, access is restricted to remediation resources likevirus signature database serversandpatch servers, preventing users from accessing business services while allowing problem resolution.

Position 3 → After successful authenticationAfter authentication succeeds, users enter thepost-authentication domain. At this stage, full or role-based access is granted to enterprise resources such asoffice data,R&D data,marketing systems, as well asintranet or Internet services, based on assigned policies.

This mapping reflects Huawei’s standardNAC domain-based access control model, ensuring secure, staged network access.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In a Layer 2 VXLAN gateway, the MAC address table recordslocal and remote MAC addressesassociated with specific Bridge Domains (BDs) and outbound interfaces. Entries learned fromremote VTEPsare shown with an outbound interface that is aVXLAN tunnel endpoint IP address, such as10.3.3.3, indicating VXLAN-based learning.

StatementAis correct because both MAC addresses0000-0000-0010and5489-9893-48a3are associated withBD 10, meaning they are in the same Layer 2 broadcast domain.

StatementCis correct because MAC entries learned with an outbound interface displayed as an IP address representremote MAC addresses learned through the VXLAN tunnel.

StatementDis also correct. The MAC address5489-9893-48a3is learned from the local physical subinterfaceGE1/0/1.10, which belongs toBD 10, confirming local access.

StatementBis incorrect. Even though5489-982d-77e2is associated withGE1/0/1.20 (BD 20), hosts inBD 20 and BD 10 cannot communicate directly at Layer 2because they belong to different bridge domains.

Therefore, the correct answers areA, C, and D.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In astatic VXLAN tunneldeployment, MAC address learning relies ondata-plane trafficrather than a control-plane protocol. Unlike BGP EVPN-based VXLAN, where MAC and IP information is distributed through BGP, static VXLAN does not have a centralized or dynamic control mechanism to advertise host information.

As a result, VTEPs learn remote MAC addresses by inspectingencapsulated traffic, such as ARP request and reply packets, exchanged between hosts in the same VXLAN segment. When a host sends an ARP request, the local VTEP encapsulates the frame into a VXLAN packet and forwards it to the remote VTEP. Upon receiving the packet, the remote VTEP extracts the source MAC address and associates it with the corresponding VNI and tunnel endpoint.

This data-plane learning mechanism means that MAC address entries are built dynamically as traffic flows, which is why initial host communication may require broadcast or unknown unicast flooding. According to HCIP Datacom Campus Network documentation, this behavior is a defining characteristic of static VXLAN deployments.

Therefore, the statement isTRUE, and optionAis correct.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In campus networks, devices such as servers, print servers, and video surveillance systems requirestable and predictable IP addressesto ensure reliable access, simplified maintenance, and consistent policy enforcement. While fully dynamic DHCP allocation is easy to deploy, it does not guarantee IP address consistency, which complicates device management, monitoring, and troubleshooting.

Huawei campus network design best practices recommendstatic address allocation through DHCP based on MAC addresses, also known as DHCP reservation or static binding. With this approach, the DHCP server assigns a fixed IP address to a device according to its MAC address. This method combines the advantages of centralized DHCP management with the stability of static IP addresses.

PPPoE address binding is typically used in broadband access scenarios and is unsuitable for enterprise campus devices. The BOOT protocol is obsolete and not used in modern campus networks. Pure dynamic DHCP allocation does not meet the stability requirements of infrastructure and service devices.

According to HCIP Datacom Campus Network documentation, MAC-based DHCP static allocation is the recommended solution for managing critical campus devices, making option D correct.

Comprehensive and Detailed Explanation (200–250 words):

In an iMaster NCE-Campus policy control matrix, rows representsource security groupsand columns representdestination security groups. A green check mark indicates that communication is allowed, while a red cross indicates that communication is denied. This matrix enables fine-grained user access control in VXLAN-based virtualized campus networks.

From the figure, communication betweenGuest_Group and Research_Groupis explicitly denied in both directions, as indicated by red crosses. Therefore, statementsAandDare both correct. The matrix also shows a green check mark forSales_Group communicating with itself, meaning intra-group communication is permitted, makingstatement B correct.

Theunknowngroup represents users that are not classified into Guest_Group, Research_Group, or Sales_Group. In the matrix, the unknown group is not completely blocked from all resources by default; access behavior depends on explicit policy configuration. Since the figure does not indicate a universal deny policy for unknown users toward all destinations,statement C is incorrect.

According to HCIP Datacom Campus Network policy control design, security group–based access control allows administrators to precisely define which user groups can communicate, improving security and service isolation. Hence, the correct answers areA, B, and D.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

Dynamic VLAN authorization allows edge devices to dynamically assign users to specific VLANs based on authentication results. This mechanism is widely used to guide user traffic into the correct VN in a CloudCampus virtualized campus network.

Forwired users, bothMAC address authenticationand802.1X authenticationsupport dynamic VLAN assignment. Once authentication succeeds, the authentication server delivers authorization VLAN information to the edge node, and users are placed into the corresponding VLANs. Therefore, statementsCandDare correct.

Forwireless users,802.1X authenticationalso supports dynamic VLAN authorization, making statementBcorrect. However,Portal authentication for wireless users does not support dynamic VLAN assignmentin CloudCampus networks. Wireless Portal authentication typically controls access rights rather than VLAN placement.

According to HCIP Datacom Campus Network documentation, statement A is false, making it the correct answer.

In HCIP Datacom Campus Network security design,port securityis used to limit the number of MAC addresses that can be learned on an access interface, preventing unauthorized device access and MAC address spoofing. When the number of learned MAC addresses reaches the configured upper limit, the switch behavior depends on the configuredviolation mode.

One possible action isshutdown mode, where the switch sets the interface to an error-down state and generates an alarm. This corresponds to option A. The interface must be manually or automatically recovered before normal communication can resume. This mode provides the highest level of security and clear fault notification.

Another supported behavior isprotect mode, in which the switch silently discards packets from unknown source MAC addresses after the limit is reached. No alarms are generated in this case, which matches option C. This mode minimizes network disruption while still blocking unauthorized devices.

Therestrict modeis also supported. In this mode, the switch discards packets with unknown source MAC addresses and generates an alarm or log entry, corresponding to option D. This allows administrators to detect violations without shutting down the interface.

Option B is incorrect because when an interface enters the error-down state due to a port security violation, an alarm or log notification is always generated according to HCIP Datacom Campus Network behavior. Therefore, the valid actions are A, C, and D.

WLAN planning and design aim to minimize co-channel and adjacent-channel interference while maximizing spectrum utilization and user experience. According to HCIP Datacom Campus Network WLAN design principles, proper channel planning is a core task, especially in environments with high user density.

On the2.4 GHz frequency band, only three non-overlapping channels—1, 6, and 11—are traditionally recommended. These channels do not overlap in frequency, which helps reduce interference between adjacent APs. Inhigh-density scenarios, to further improve spectrum utilization,channels 1, 5, 9, and 13can be used. This approach shortens the channel spacing but is acceptable when transmit power is well controlled and AP placement is carefully planned, enabling higher AP density while keeping interference manageable.

On the5 GHz frequency band, there are more available channels and less interference compared to 2.4 GHz. HCIP Datacom documentation recommendsstaggering high-frequency and low-frequency channels between adjacent APs. This staggered channel allocation reduces the likelihood of co-channel interference and improves overall throughput and roaming performance, especially in large or high-density campus deployments.

These channel planning strategies are standard WLAN design best practices supported by Huawei and are widely applied in enterprise campus networks. Therefore, the statement accurately reflects recommended WLAN planning principles and isTRUE.

In the Huawei CloudCampus Solution,device registrationis a key step that allows network devices such as switches, routers, and APs to establish a trusted management relationship withiMaster NCE-Campus. When a device is powered on and configured for cloud or controller-based management, it sends a registration request to the controller using a predefined service port.

According to HCIP Datacom Campus Network documentation,port 18008is used as thedestination portfor device registration requests sent to iMaster NCE-Campus. This port is specifically reserved for device onboarding and registration services, ensuring secure and standardized communication during the initial connection phase. Once the registration is successful, the controller can authenticate the device, assign it to a site, and push management and service configurations.

The other options are not correct in this context.Port 53is used for DNS services and has no role in controller registration.Port 179is used by BGP for routing protocol communication and is unrelated to device management.Port 10020is commonly associated with other management or telemetry functions but is not used for device registration in CloudCampus solutions.

Correctly configuring network connectivity and firewall rules to allow traffic to destination port18008is essential for successful zero-touch provisioning and automatic onboarding of devices. Therefore, the correct destination port number for device registration requests to iMaster NCE-Campus is18008, making optionDthe correct answer.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In a CloudCampus virtualized campus network,Virtual Networks (VNs)provide service isolation, whilesecurity groupsenable identity-based access control. Even when inter-VN routing is technically available, communication between users in different VNs isnot permitted by default. Access permissions are controlled bysecurity group–based policies.

To allowR&D personnel and sales personnelto communicate, the network administrator must explicitly define thesecurity policy relationshipbetween the two security groups. This is achieved by deploying apolicy control matrixon iMaster NCE-Campus. The policy control matrix specifies whether traffic between source and destination security groups is allowed or denied and enforces the policy on relevant network devices.

Deploying an external network is unnecessary because communication is required within the campus network. Configuring access management relates to authentication and authorization during network access, not inter-group communication control. Configuring inter-VN communication enables routing capability but does not definewhethercommunication is permitted at the security policy level.

According to HCIP Datacom Campus Network documentation,security group communication permissions are controlled through the policy control matrix, making optionAthe correct task to meet the requirement.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In the Huawei CloudCampus virtualized campus architecture, aVirtual Network (VN)is a logical service container used to isolate different types of services and user traffic. When a VN is created on iMaster NCE-Campus, it is internally mapped to aVPN instanceon network devices. This VPN instance provides traffic isolation at the control plane and forwarding plane levels.

Each VN has its own independent routing table and forwarding context, ensuring that traffic belonging to different services cannot interfere with each other unless explicitly permitted through policy. This mechanism is similar to traditional VPN technologies and is fundamental to service segmentation in VXLAN-based campus networks.

According to HCIP Datacom Campus Network documentation, creating a VN effectively achieves service isolation in the same way as creating a VPN instance. Therefore, the statement is TRUE.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In the Huawei CloudCampus Solution, devices such as switches and APs support multipleprovisioning modesto integrate with iMaster NCE-Campus, including Web interface provisioning, CLI-based provisioning, and registration center query. These methods allow devices to obtain controller information and register successfully.

Firewalls, however, have stricter provisioning mechanisms due to security considerations. They do not supportDHCP Option 148, which is commonly used by switches and APs to automatically discover the management controller.

Instead, firewalls must be provisioned manually through the Web interface or CLI, or discovered via registration center mechanisms. According to HCIP Datacom Campus Network documentation,DHCP Option 148 is not supported by firewalls, makingoption Cthe correct answer.

iMaster NCE-Campus adopts amulti-plane architectureto improve system security, scalability, and operational stability. The planes are logically isolated so that different types of traffic and functions do not interfere with each other. The two most commonly referenced planes are themanagement planeand theservice plane.

Themanagement planeis mainly responsible for system-level operations such as device registration, controller maintenance, system management, and internal communication between system components. For this purpose, it uses a dedicated access interface and port number to ensure secure and stable management connectivity.

Theservice plane, on the other hand, is designed fordaily network service operations. Administrators access this plane to perform tasks such as campus network planning, configuration delivery, monitoring, alarm viewing, and intelligent O&M operations. To keep service access independent and secure, the service plane uses its own dedicated login port.

According to HCIP Datacom Campus Network documentation, theservice plane of iMaster NCE-Campus uses port 18009. Administrators log in to the service plane by accessing the service IP address together with this port number. This separation ensures that service operations remain available even when management-plane functions are restricted or under maintenance.

Therefore, the correct port number for theservice planeis18009, making optionBthe correct answer.

Comprehensive and Detailed Explanation (200–250 words):

In a VXLAN-based virtualized campus network, user terminals located in different access locations communicate with each other overVXLAN tunnelsestablished between VXLAN Tunnel Endpoints (VTEPs). These VXLAN tunnels form the overlay network, which abstracts the physical underlay and enables flexible Layer 2 and Layer 3 connectivity across the campus.

When communication is confined within the virtualized campus network, traffic remains inside the VXLAN overlay and is encapsulated and forwarded between VTEPs. However, when users or services inside the VXLAN network need to accessexternal networks, such as traditional IP networks, the Internet, or data centers that do not support VXLAN, traffic must exit the VXLAN overlay. This function is performed byborder nodes.

Border nodes act as the boundary between the VXLAN overlay and non-VXLAN networks. They are responsible for VXLAN encapsulation and decapsulation, routing between VXLAN segments and external networks, and enforcing security and policy controls at the network edge. According to HCIP Datacom Campus Network architecture principles, all traffic entering or leaving the VXLAN-based campus must pass through border nodes to ensure proper routing, policy enforcement, and service control.

Therefore, the statement is TRUE, and option A is correct.

In Huawei campus networks, access authentication and authorization are implemented based on the AAA framework. After a user is successfully authenticated, the network enforces anauthorization result, which defines what network resources the user is allowed to access and how traffic is controlled. These authorization results are typically delivered by the authentication server or configured locally on network devices.

According to HCIP Datacom Campus Network documentation,authorization results focus on policy and access control attributes, not basic network parameter assignment. Common authorization items includeVLAN assignment,security group assignment, andACL application. VLANs determine the user’s logical network location, security groups enable group-based policy control, and ACLs restrict or permit traffic based on predefined rules. These elements directly affect access permissions and security enforcement.

AnIP address, however, does not need to be defined in the authorization result. In campus networks, IP addresses are usually assigned dynamically throughDHCP, either by a DHCP server or a DHCP relay function on network devices. The IP address allocation process is independent of user authorization and does not represent an access control policy.

Separating IP address assignment from authorization simplifies network design and improves scalability. It allows users to obtain IP addresses automatically while access rights are enforced consistently through identity-based policies. Therefore, among the given options,IP addressis not an item that must be defined in the authorization result.

Hence, the correct answer isB.

In iMaster NCE-Campus–based virtualized campus networks,user network segmentsare logical subnets created within aVirtual Network (VN)to provide Layer 2 or Layer 3 connectivity for users. HCIP Datacom Campus Network documentation describes multiple flexible methods for creating these network segments during VN deployment, allowing administrators to balance efficiency and control.

Administrators canmanually create user network segments one by one, which is suitable for small-scale deployments or scenarios requiring precise customization of subnet parameters such as gateway address, VLAN, and IP pool. This method provides maximum control but is less efficient for large networks.

For medium- or large-scale deployments,batch import using templatesis widely supported and recommended. Templates allow administrators to define network segment parameters in advance and import multiple segments at once, significantly improving deployment efficiency and reducing configuration errors.

Another supported method isautomatic batch allocation, where iMaster NCE-Campus automatically allocates VNIs, VLANs, and IP resources from predefined resource pools. This method is commonly used in VXLAN Fabric deployments and enables fast, standardized VN provisioning with minimal manual input.

However,directly invoking user network segments from the global fabric resource poolis not supported during VN creation. The global resource pool is used for automatic allocation reference but does not allow direct binding of pre-created segments to a VN.

Therefore, the valid methods aremanual creation,template-based batch import, andautomatic batch allocation, making optionsA, B, and Dcorrect.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In VXLAN-based networks, inter-subnet communication and external network access requireLayer 3 forwarding capabilities. ALayer 3 VXLAN gatewayperforms routing between different VXLAN segments (VNIs) and enables traffic to exit the VXLAN overlay toward traditional non-VXLAN networks.

The NVE interface is responsible only for VXLAN encapsulation and decapsulation and does not perform routing. VLANIF interfaces are used in traditional VLAN environments and do not provide VXLAN interworking. A Layer 2 VXLAN gateway supports bridging only and cannot route between subnets.

Therefore, the Layer 3 VXLAN gateway is the correct solution for inter-subnet communication and external access.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

In Huawei campus authentication architecture, anauthentication profiledefines how users are authenticated and which domain is used during authentication. A key concept is theforcible domain, which has the highest priority during domain selection. If a forcible domain is configured, the device ignores any domain information carried in the user name and forcibly authenticates the user in the specified domain. Therefore, statementD is correct.

Statement A is incorrect because the default domaincan be modifiedusing CLI commands, allowing administrators to flexibly control user authentication behavior. Statement B is also incorrect; on the same interface, different authentication types (such as 802.1X, MAC authentication, and Portal)can be configured with different domains, depending on access control requirements.

Statement C is incorrect because the default authentication triggering sequence on Huawei devices is802.1X → MAC address authentication → Portal authentication, not the order described. This sequence ensures strong authentication is attempted first before falling back to weaker mechanisms.

According to HCIP Datacom Campus Network documentation, forcible domain configuration guarantees unified policy enforcement and simplifies authentication control, making option D the only correct statement.

In BGP EVPN-based VXLAN networks, route advertisement follows clearly defined standards regarding how endpoint and tunnel information is carried. According to HCIP Datacom Campus Network documentation,BGP EVPN does not use an EVPN Router MAC Extended Community to advertise the Router MAC of a VTEP. This statement is therefore incorrect.

In EVPN, different route types serve specific purposes. For example,EVPN Route Type 2 (MAC/IP Advertisement routes)are used to advertise MAC addresses (and optionally IP addresses) of endpoints. These routes associate endpoint information with a VTEP by using theBGP next-hop attribute, which contains the VTEP IP address. Similarly,EVPN Route Type 3 (Inclusive Multicast Ethernet Tag routes)also relies on the BGP next hop to identify the VTEP for VXLAN tunnel establishment and BUM traffic forwarding.

The Router MAC of a VTEP is alocal forwarding attribute, primarily used during VXLAN encapsulation and decapsulation on the device itself. It is not distributed through EVPN extended communities. While EVPN does define several extended communities for control and policy purposes, there is no standard or HCIP-defined “EVPN Router MAC Extended Community” used to carry the Router MAC field of a VTEP during route advertisement.

Therefore, based on HCIP Datacom Campus Network VXLAN EVPN principles, the statement is false.

The command output shows an EVPNRoute Type 2 (MAC Advertisement Route), which is used in VXLAN BGP EVPN fabrics to advertise host reachability information. The route clearly carries both aMAC address(b0d5-9dc7-3c41/48) and ahost IP address(172.16.1.173/32). In HCIP Datacom Campus Network VXLAN design, when a Type 2 route includes both MAC and IP information, it is classified as anIRB (Integrated Routing and Bridging) Type 2 route, enabling distributed gateways to perform Layer 2 forwarding and Layer 3 routing based on the same control-plane information. Therefore, statement A is correct.

Statement B is incorrect because ARP-related learning is not represented as a separate “ARP Type 2” EVPN route. EVPN uses MAC/IP Advertisement routes to distribute host reachability, not ARP-only route types.

Statement C is correct. The route containsRoute Target extended communities RT 0:2 and RT 0:3, which control EVPN route import. Any VPN instance configured with an import RT of 0:2 or 0:3 can successfully import this route and learn the corresponding host MAC and IP information.

Statement D is also correct. The output explicitly showsRT extended communitiesand theEVPN Router’s MACextended community. These attributes are essential for VXLAN tunnel identification, split-horizon forwarding, and correct EVPN operation in a campus fabric.

Hence, the correct answers are A, C, and D.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

To prevent users from accessing the network using statically configured IP addresses, Huawei campus networks rely on a combination ofDHCP SnoopingandIP Source Guard (IPSG). DHCP Snooping works by monitoring DHCP message exchanges and building atrusted binding tablethat records legitimate IP–MAC–VLAN–interface mappings learned dynamically from a legal DHCP server. This binding table becomes the foundation for several Layer 2 security mechanisms.

IP Source Guard uses the DHCP Snooping binding table to strictly control traffic entering an interface. When IPSG is enabled, the switch permits only packets whose source IP address and MAC address match an entry in the DHCP Snooping binding table. If a user manually configures a static IP address, no valid DHCP binding exists for that host, so IPSG drops the traffic and denies network access. This directly prevents statically configured IP addresses from being used to access the network.

Dynamic ARP Inspection (DAI) focuses on preventing ARP spoofing and man-in-the-middle attacks, not static IP misuse. Port Security limits MAC addresses per interface but does not verify IP address legitimacy. Therefore, neither DAI nor Port Security alone can prevent users from assigning static IP addresses.

According to HCIP Datacom Campus Network security design principles,only the combination of DHCP Snooping and IPSGeffectively enforces IP address legitimacy and blocks statically configured IP access, making optionCthe correct answer.

In Huawei campus networks, user access authentication is implemented through a standardized AAA framework that supports flexible authentication, authorization, and accounting methods. Statements A, B, and D correctly describe the authentication configuration process defined in HCIP Datacom Campus Network documentation. Administrators must first identify user domains and corresponding AAA schemes to ensure users are authenticated using appropriate methods. This is a foundational step for implementing network access control.

Access profiles and authentication profiles work together to define how users are authenticated. An authentication profile specifies the authentication mode, such as 802.1X or MAC authentication, while the access profile defines access control behavior. Binding these profiles and applying them to interfaces or VAP profiles enables consistent enforcement of access policies across wired and wireless networks.

When external authentication servers such as RADIUS or HWTACACS are used, interconnection parameters—including server IP addresses, shared keys, and ports—must be configured within the AAA scheme. This ensures reliable communication between network devices and authentication servers.

Statement C is false becauseiMaster NCE-Campus does support interconnection with third-party RADIUS servers. This capability allows enterprises to integrate existing authentication systems with Huawei campus solutions, improving compatibility and deployment flexibility. Therefore, the incorrect statement is option C.

Comprehensive and Detailed 200 to 250 words of Explanation From HCIP Datacom Campus Network documents knowledge without any URL or Links:

IPsec VPN supports a variety ofsymmetric encryption algorithmsto protect data confidentiality during transmission. Commonly supported algorithms includeDES,3DES, andAES, all of which are used to encrypt the payload of IP packets in ESP.

AESis the most widely recommended algorithm due to its strong security and high performance.3DESandDESare legacy algorithms that are still supported for compatibility reasons, although they are considered less secure and are gradually being phased out in modern deployments.

DSA (Digital Signature Algorithm), however, isnot an encryption algorithm. It is an asymmetric algorithm used fordigital signatures and authentication, not for encrypting data. IPsec uses DSA only indirectly in certificate-based authentication scenarios, but it is never used as a data encryption algorithm in IPsec VPNs.

According to HCIP Datacom Campus Network documentation, IPsec VPN encryption relies exclusively on symmetric encryption algorithms such as DES, 3DES, and AES. Therefore,DSA is not supported as an IPsec encryption algorithm, makingoption Athe correct answer.