ACMP_6.3 Flashcards by Deleted Deleted

Which of the following Aruba controllers is able to provide IEEE 802.3af? (Choose two)

A. 3200

B. 620

C. 650

D. 6000 with M3

E. 7000

B. 620

C. 650

How well did you know this?

Not at all

Perfectly

What is the maximum number of remote APs supported by a 3600 controller?

A. 512

B. 1024

C. 128

D. 256

E. 2048

A. 512

How well did you know this?

Not at all

Perfectly

Which dual radio access point models support concurrent operations in the 2.4Ghz band as well as the 5Ghz band? (Choose three)

A. AP-92

B. AP-93

C. AP-105

D. AP-224

E. AP-135

C. AP-105

D. AP-224

E. AP-135

How well did you know this?

Not at all

Perfectly

Which of the following APs do NOT support dual radio operations? (Choose two)

A.
AP 93

B.
AP 105

C.
RAP 3WN

D.
AP 224

E.
AP 135

A.
AP 93

C.
RAP 3WN

How well did you know this?

Not at all

Perfectly

Centralized licensing is not in use on an Aruba based network which has a Master and three local controllers. No APs terminate on the Master controller. Roles and Firewall policies need to be created and applied, hence PEF-NG license is required
On which controller should the license be installed?

A.
Only the master controller since role and firewall policies are created here.

B.
Only the local controllers since firewall policies are applied here

C.
The master and all three local controllers

D.
This isn’t the correct license for this purpose, use PEF-VPN license

E.
This is not needed because PEF-NG is part of base OS

C.
The master and all three local controllers

How well did you know this?

Not at all

Perfectly

You need to generate a feature license key for an Aruba controller?

What information do you need to generate a feature license key for an Aruba controller?

A.
The controller’s MAC address and the feature description.

B.
Controller’s MAC address and the certificate number

C.
Controller’s Serial Number and the feature description

D.
Controller’s Serial Number and the certificate number

E.
Controller’s MAC address and Serial Number

D.
Controller’s Serial Number and the certificate number

How well did you know this?

Not at all

Perfectly

What are the PEF-NG license limits based on?

A.
Number of APs

B.
One license per controller

C.
Number of users

D.
Number of local controllers

E.
Master Controller total user count

A.
Number of APs

How well did you know this?

Not at all

Perfectly

Which of the following licenses are consumed by Mesh APs advertising an SSIDs?

A.
AP license

B.
Mesh license

C.
PEF-V license

D.
No license is required

E.
RAP License

A.
AP license

How well did you know this?

Not at all

Perfectly

The permanent licenses on the controller will be deleted with the use of which command?

A.
Delete license

B.
Write erase

C.
Licenses cannot be deleted once activated

D.
Write erase all

E.
Reboot delete all

D.
Write erase all

How well did you know this?

Not at all

Perfectly

A network administrator wants to terminate VPN sessions on a local controller in the DMZ.
Which statement is true about the PEF-VPN license?

A.
It is only applied to the master controller

B.
It is only applied to the DMZ controller.

C.
It is based on the number of APs

D.
One license is needed on the master and the DMZ local

E.
It is distributed by the license server as needed

D.
One license is needed on the master and the DMZ local

How well did you know this?

Not at all

Perfectly

What is the best practice regarding licensing for a backup master to support Master Redundancy in a network without centralized licensing?

A.
Backup master only requires the AP license

B.
Supported limits and installed licenses should be the same on primary master and backup
Master

C.
Licenses are pushed from the primary to the backup Master along with the configuration

D.
The Backup Master does not require licenses to support master redundancy

E.
On the backup only one license of each type is needed.

B.
Supported limits and installed licenses should be the same on primary master and backup
Master

How well did you know this?

Not at all

Perfectly

Which of the following licenses can be included in the licensing pool for centralized licensing? (Choose three)

A.
Factory default licenses

B.
PEFNG license

C.
Evaluation licenses

D.
RFProtect license

E.
PEFV license

B.
PEFNG license

C.
Evaluation licenses

D.
RFProtect license

How well did you know this?

Not at all

Perfectly

By default Centralized licensing messages between master controllers are sent _______________.

A.
In the clear unencrypted

B.
Using CPSec

C.
Using IPSec site to site VPN tunnels

D.
Encrypted using GRE

E.
PAPI

A.
In the clear unencrypted

How well did you know this?

Not at all

Perfectly

Which of the following will occur if a master license server fails with no standby server present? (Choose two)

A.
Local controllers licenses will continue to be valid for 30 days

B.
Local controllers will immediately remove all installed licenses

C.
No licenses will be sent to any new controllers that come online

D.
All licenses go back into the pool for redistribution

E.
A Local Controller elects itself master license server

A.
Local controllers licenses will continue to be valid for 30 days

C.
No licenses will be sent to any new controllers that come online

How well did you know this?

Not at all

Perfectly

Which may be applied directly to an VLAN interface? (Choose three)

A.
Access List (ACL)

B.
Firewall Policy

C.
Roles

D.
AAA profiles

E.
RF Plan Map

A.
Access List (ACL)

B.
Firewall Policy

D.
AAA profiles

How well did you know this?

Not at all

Perfectly

When creating a firewall rule on an Aruba controller, which parameter is optional?

A.
Destination

B.
Service

C.
Source

D.
Log

E.
Action

D.
Log

How well did you know this?

Not at all

Perfectly

An administrator creates a WLAN with an unmodified default AAA profile. What is the default role the user is placed in?

A.
default-logon

B.
logon

C.
guest-logon

D.
default-ap

E.
AP-Role

B.
logon

How well did you know this?

Not at all

Perfectly

What is the first role a user is given when a user associates to an open WLAN?

A.
The guest post authentication role

B.
The initial role in the captive portal profile

C.
The role in the server group profile

D.
The initial role in the AAA profile

E.
The initial role in the 802.1x profile

D.
The initial role in the AAA profile

How well did you know this?

Not at all

Perfectly

Which of the following could be used to set a user’s post-authentication role or VLAN association? (Choose two)

A.
AAA default role for authentication method

B.
Server Derivation Rule

C.
Vendor Specific Attributes

D.
AP Derivation Rule

E.
The Global AAA profile

B.
Server Derivation Rule

C.
Vendor Specific Attributes

How well did you know this?

Not at all

Perfectly

Which describe “roles” as used on Aruba Mobility Controllers? (Choose two)

A.
Roles are assigned to users.

B.
Roles are applied to interfaces.

C.
Policies are built from roles.

D.
A user can belong to only one role at a time.

E.
Roles are a set of authentication rules

A.
Roles are assigned to users.

D.
A user can belong to only one role at a time.

How well did you know this?

Not at all

Perfectly

Which netdestination aliases are built into the controller? (Choose three)

A.
logon

B.
any

C.
user

D.
guest

E.
local ip

B.
any

C.
user

E.
local ip

How well did you know this?

Not at all

Perfectly

What are aliases used for?

A.
Improve controller performance

B.
Simplify the configuration process

C.
Tie IP addresses to ports

D.
Assign rules to policies

E.
Assign policies to roles

B.
Simplify the configuration process

How well did you know this?

Not at all

Perfectly

Which of the following firewall rules allows a user to initiate an ICMP session to other devices? (Choose two)

A.
localip any svc-icmp permit

B.
user any svc-icmp permit

C.
user user svc-icmp permit

D.
any any svc-icmp permit

E.
mswitch any svc-icmp permit

B.
user any svc-icmp permit

D.
any any svc-icmp permit

How well did you know this?

Not at all

Perfectly

**The Aruba Policy Enforcement Firewall (PEF-NG) module supports destination network address translation (dst-nat).
Which is the default use of this statement in an Aruba controller configuration?**

A.
Source the IP addresses of users to specific IP address

B.
Redirect HTTP sessions to Captive Portal

C.
Redirect Access Points to another Aruba controller

D.
Provide a telnet connection to the controller

E.
Redirect a SSH session to terminate on the controller

B.
Redirect HTTP sessions to Captive Portal

How well did you know this?

Not at all

Perfectly

``` The Aruba Policy Enforcement Firewall (PEF) module supports source network address translation (src-nat). **Which is a use of this statement in an Aruba configuration?** ``` A. Provide a single source IP address for users in a role B. Redirect Captive Portal HTTP sessions C. Redirect Access Points to another Aruba controller D. Provide IP addresses to clients E. Redirects clients to Aruba Firewall

A. Provide a single source IP address for users in a role

The network administrator wishes to terminate the VPN encryption on the Aruba controller. When writing a firewall rule to accomplish the task of automatically moving the VPN traffic for the wireless clients from a third party VPN concentrator to an Aruba controller, **which action needs to be configured in the rule?** A. redirect to IPSec Group B. source NAT C. destination NAT D. redirect to tunnel E. redirect to GRE

C. destination NAT

Review the following truncated output from an Aruba controller for this item. (example) #show rights logon access-list List —————- Position Name Location ——– —- ——– 1 logon-control 2 captiveportal logon-control ————- Priority Source Destination Service Action ——– —— ———– ——- —— 1 user any udp 68 deny 2 any any svc-icmp permit 3 any any svc-dns permit 4 any any svc-dhcp permit 5 any any svc-natt permit captiveportal ————- Priority Source Destination Service Action ——– —— ———– ——- —— 1 user controller svc-https dst-nat 8081 2 user any svc-http dst-nat 8080 3 user any svc-https dst-nat 8081 4 user any svc-http-proxy1 dst-nat 8088 5 user any svc-http-proxy2 dst-nat 8088 6 user any svc-http-proxy3 dst-nat 8088 Based on the above output from an Aruba controller, an unauthenticated user assigned to the logon role attempts to start an http session to IP address 172.16.43.170. **What will happen?** A. the user’s traffic will be passed to the IP address because of the policy statement: user any svc-http dst-nat 8080 B. the user’s traffic will be passed to the IP address because of the policy statement: user any svc-https dst-nat 8081 C. the user’s traffic will be passed to the IP address because of the policy statement: user any svc-http-proxy1 dst-nat 8088 D. the user will not reach the IP address because of the policy statement: user any svc-http dst-nat 8080 E. the user will not reach the IP address because of the implicit deny any any at the end of the policy.

D. the user will not reach the IP address because of the policy statement: user any svc-http dst-nat 8080

Refer to the following configuration segment for this item. ip access-list session anewone user network 172.16.1.0 255.255.255.0 any permit user host 172.16.1.1 any deny user any any permit An administrator wants users to have access to all destinations except 172.16.1.1. Based on the above Aruba Mobility Controller configuration segment, **which statements best describe this policy? (Choose two)** A. The rule user host 172.16.1.1 any deny is redundant because of the implicit deny all at the end. B. The rule user network 172.16.1.0 255.255.255.0 any permit is redundant. C. The two rules user network 172.16.1.0 255.255.255.0 any permit and user host 172.16.1.1 any deny need to be re-sequenced. D. The last statement user any any permit is not required E. The last statement should be any any any deny

B. The rule user network 172.16.1.0 255.255.255.0 any permit is redundant. C. The two rules user network 172.16.1.0 255.255.255.0 any permit and user host 172.16.1.1 any deny need to be re-sequenced.

**How will the frame be handled by this firewall policy?** Refer to the following configuration segment for this item. netdestination “internal” no invert network 172.16.43.0 255.255.255.0 position 1 range 172.16.11.0 172.16.11.16 position 2 ! ip access-list session “My-Policy” alias “user” alias “internal” service\_any permit queue low ! A user frame is evaluated against this firewall policy with the following attributes: Source IP: 172.17.49.3 Destination IP: 10.100.86.37 Destination Port: 80 Referring to the above file segment, how will the frame be handled by this firewall policy? A. The frame will be dropped because of the implicit deny all at the end of the netdestination definition. B. The frame will be dropped because of the implicit deny all at the end of the firewall policy. C. The frame will be forwarded because of the implicit permit all at the end of the firewall policy. D. The frame will be passed because there is no service specified in the firewall policy. E. The frame will be dropped because there is no service specified in the firewall policy.

B. The frame will be dropped because of the implicit deny all at the end of the firewall policy.

**What will this policy do with the user frame?** ip access-list session anewone user network 10.1.1.0 255.255.255.0 any permit user any any permit host 10.1.1.1 host 10.2.2.2 any deny A user sends a frame with the following attributes: Source IP: 10.1.1.1 Destination IP: 10.2.2.2 Destination Port: 25 Based on the above Mobility Controller configuration file segment, what will this policy do with the user frame? A. The frame is discarded because of the implicit deny all at the end of the policy. B. The frame is discarded because of the statement: user host 10.1.1.1 host 10.2.2.2 deny. C. The frame is accepted because of the statement: user any any permit. D. The frame is accepted because of the statement: user network 10.1.1.0 255.255.255.0 any permit. E. This is not a valid policy.

C. The frame is accepted because of the statement: user any any permit.

ip access-list session anewone user network 10.1.1.0 255.255.255.0 any permit user host 10.1.1.1 any deny user any any permit Referring to the above portion of a Mobility Controller configuration file, **what can you conclude? (Choose two)** A. This is a session firewall policy. B. This is an extended Access Control List (ACL). C. Any traffic going to destination 10.1.1.1 will be denied. D. Any traffic going to destination 10.2.2.2 will be denied. E. Any traffic going to destination 172.16.100.100 will be permitted.

A. This is a session firewall policy. E. Any traffic going to destination 172.16.100.100 will be permitted.

**Which of these are NOT a client attribute that can be configured in user derivation rules?** A. MAC address B. DHCP option value C. BSSID D. Filter ID E. encryption

D. Filter ID

**What are the types of user derivation rules that can be applied to a user? (Choose two)** A. SSID B. MAC C. VLAN D. Role E. AP

C. VLAN D. Role

**Which is a Device Specific Attribute that can be evaluated in a user derivation rule?** A. user login name B. authentication server C. location by AP Name D. controller Loopback address E. controller IP

C. location by AP Name

**Which match condition can be used by a server derivation rule? (Choose two)** A. greater than B. less than C. inverse of D. contains E. equals

D. contains E. equals

An administrator wants to assign a VLAN to a user based upon the authentication process using Vendor Specific Attributes (VSA). **Where are Aruba Vendor Specific Attribute (VSA) values provisioned?** A. controller B. client C. RADIUS server D. Internal user database E. Option 60 of DHCP reply

C. RADIUS server

![]() A company has provisioned the same VAP, AAA and SSID profiles at both its Miami and NY offices. This Server Group is applied for 802.1x authentication at both locations. The user’s credentials are only found in the Miami Radius server “RadiusMiami”. There is no Radius synchronization and both servers are reachable. **What happens when the user attempts to authenticate?** A. The controller recognizes the users Domainand sends the authentication request directly to RadiusMiami. B. The request is initially sent to RadiusNY1 then RadiusNY1 redirects the controller to send the authentication request to RadiusMiami C. RadiusNY1 receives the request and returns a deny. No other action is taken. D. RadiusNY1 receives the request and returns a deny. The authentication request will then be sent to RadiusMiami. E. The RadiusNY1 sends the request to RadiusMiami that replies to the controller

C. RadiusNY1 receives the request and returns a deny. No other action is taken.

A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of “employee”. The user was placed in the guest Role. **What statements below are correct? (Choose two)** A. The user was placed in the 802.1x authentication default Role guest B. The user was placed in the initial Role guest C. Role derivation failed because roles are case sensitive D. Role derivation failed because the incorrect operation “value-of” was used E. 802.1x authentication failed so the user was automatically placed in the guest Role

A. The user was placed in the 802.1x authentication default Role guest C. Role derivation failed because roles are case sensitive

![]() A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of “employee”. **What Role will the user get?** A. The User will get the Emp Role B. The User will get the 802.1x authentication default Role C. The User will get the employee Role D. The User will get the Employee Role E. The User will get the initial Role

B. The User will get the 802.1x authentication default Role

**Which profiles are required in an AP Group to enable an SSID with VLAN 1, WPA2 and LMSIP? (Choose three)** A. Virtual-AP profile B. WLAN profile C. 802.1x authentication profile D. AP System Profile E. SSID Profile

A. Virtual-AP profile D. AP System Profile E. SSID Profile

A user connected to a Captive Portal VAP successfully. When the user opens their browser and tries to access their homepage, they get redirected as expected to another URL on the Aruba Controller. However, they see an error message that web authentication has been disabled. **What might be a cause of this?** A. Captive Portal has not been assigned in the SSID profile. B. The Captive portal profile has not been assigned to the AAA profile. C. A server group has not been assigned to the captive portal profile. D. An initial role has not been assigned to the AAA profile. E. The Captive portal profile has not been assigned to the initial role.

E. The Captive portal profile has not been assigned to the initial role.

**Which of the following will accept named VLANs as a parameter? (Choose three)** A. Virtual AP profile B. User derivation rule for a single VLAN C. Server derivation rule for a single VLAN D. Server derivation rule for a VLAN Pool E. Access VLAN for a VLAN Pool

A. Virtual AP profile B. User derivation rule for a single VLAN C. Server derivation rule for a single VLAN

A customer has a remote AP deployment, where each remote AP has an IPSEC VPN tunnel with L2TP to the controller. 1 of the remote APs is stuck in the user table and hasn’t yet transitioned to the AP active table in the controller. The customer suspects that the AP is not setting up its VPN connection successfully. **Which of the following commands might be useful in troubleshooting this? (Choose three)** A. Logging level debugging security process localdb B. Logging level debugging security process l2tp C. Logging level debugging security process dot1x D. Logging level debugging security process crypto E. Logging level debugging security process vpn

A. Logging level debugging security process localdb B. Logging level debugging security process l2tp D. Logging level debugging security process crypto

**If machine authentication fails and user authentication passes, which role will be assigned?** A. employee B. guest C. contractor D. logon E. no role is assigned

B. guest

**If machine authentication passes and user authentication fails, which role will be assigned?** A. employee B. guest C. contractor D. logon E. no role is assigned

B. guest

**If machine authentication fails and user authentication fails, which role will be assigned?** A. Employee B. Guest C. Captive Portal D. Logon E. No role will be assigned

E. No role will be assigned

**What can NOT be configured from the Aruba controller configuration wizards?** A. Controller IP B. Boot Partition C. User firewall policy. D. User derivation rules. E. Radius Servers

B. Boot Partition

An administrator is setting up a factory default controller. No new AP groups were created. When adding a WLAN SSID in the Campus WLAN wizard **what AP group is available?** A. The air-monitors AP group B. The logon AP group C. The default AP group D. The initial AP group E. The Spectrum AP group

C. The default AP group

**The reusable Aruba Controller wizards are accessible in what way?** A. Only on startup through the CLI B. Through the CLI, after the initial CLI wizard has been completed C. In the Web UI under maintenance. D. In the Web UI under configuration. E. Must be initialized from CLI first.

D. In the Web UI under configuration.

**The Contrtoller wizard enables which of the following controller clock configurations? (Choose three)** A. NTP to a time server B. Set time zone C. Daylight savings time D. Only GMT can be configured E. Manual configuration of date and time

A. NTP to a time server B. Set time zone E. Manual configuration of date and time

**When configuring ports in the Controller wizard, which of the following are NOT configuration options? (Choose two)** A. Inter-VLAN routing B. Speed C. Trusted D. LACP E. Trunk

A. Inter-VLAN routing D. LACP

**By default, which CLI based remote access method is enabled on Aruba controllers?** A. RSH B. Telnet C. SSH D. Telnet and SSH E. Telnet, SSH and RSH

C. SSH

**An Aruba controller can be accessed with which CLI based remote access methods? (Choose two)** A. RSH B. Telnet C. SSH D. SFTP E. SCP

B. Telnet C. SSH

**As an admin/root user, what other type of role-based management users can be created on Aruba controllers?** A. Auditing-compliance user B. AirWave management user C. Reporting Generation user D. Guest provisioning user E. Maintenance user

D. Guest provisioning user

**Which log type should be enabled to troubleshoot IPSec authentication issues on Aruba Controllers?** A. Security Logs B. Management Logs C. Wireless Logs D. IDS Logs E. System Logs

A. Security Logs

**Referring to the above screen capture, if an administrator desires to change a specific AP into a Spectrum Monitor without assigning the AP to a new group, which menus could be used?** A. Network \> Controller B. Wireless \> AP Configuration C. Wireless \> AP Installation D. Advanced Services \> Wireless E. Wizards \> WIP Wizard

B. Wireless \> AP Configuration

A customer forgot all passwords for a controller. **What method could you use to reset the passwords?** A. Telnet to the controller and login to the password recovery account B. SSH to the controller and login to the password recovery account C. Connect directly to the serial console and login to the password recovery account D. Interrupt the boot process at CP-boot and select password recovery E. Open the controller and press the reset switch

C. Connect directly to the serial console and login to the password recovery account

**With CPSec disabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?** A. Basic IP B. GRE C. IPinIP D. Mobile IP E. IPSec

B. GRE

In an Aruba controller based system, the L3 mobility tunnel exists between the home agent and **which other element?** A. the default gateway B. the remote AP C. the foreign agent D. the mobile node E. the foreign switch

C. the foreign agent

**When an 802.11 client roams what device decides when to move the client to another AP?** A. Aruba AP B. Aruba controller C. Client D. Radius Server E. Router

C. Client

The above diagram has one master and three local controllers. AP1 GRE terminates on controller Local 1. All controllers are configured with the wireless user VLAN 201. A wireless user associates with AP 1. Only L2 mobility is enabled. Which elements will know about this association? A. Local 1 only B. Local 1 and the Master C. Local 1 and Local 2 and the Master D. Local 1 and AP1 E. All Controllers

B. Local 1 and the Master

**Which command will show all client association history?** A. Aruba-6000# show mobile trail current (ip address) B. Aruba-6000# show ip mobile trail (ip address) C. Aruba-6000# show ap client status (mac address) D. Aruba-6000# show current client ip (ip address) E. Aruba-6000# show client ip (ip address) mobility

B. Aruba-6000# show ip mobile trail (ip address)

**With CPSec enabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?** A. EAP B. SSH C. IPinIP D. Mobile IP E. IPSec

E. IPSec

**By default, how long will an AP scan a single channel when ARM is enabled?** A. 80 milliseconds B. 90 milliseconds C. 100 milliseconds D. 110 milliseconds E. 200 milliseconds

D. 110 milliseconds

**Which actions does ARM (Adaptive Radio Management) perform? (Choose two)** A. Allows controllers to provision the AP Radio type B. Allows controllers to provision the best channel for APs C. Allows controllers to provision the best power setting for APs D. Allows controllers to provision allowed Radio bands E. Allows controllers to provision lower power when unauthorized APs are detected

B. Allows controllers to provision the best channel for APs C.

**Which of the following metrics does the ARM feature use to calculate the optimal channel and power level for Access Points? (Choose two)** A. RF Spectrum Index B. Priority Index C. Interference Index D. Coverage Index E. Frequency Index

C. Interference Index D. Coverage Index

**How does the ARM Band Steering feature encourage 5GHz capable clients to move/connect to the 5GHz radios of Aruba APs?** A. ARM suppresses the probe response on the 2.4 GHz radio B. ARM utilizes third party software on the wireless clients C. Current Wi-Fi chipset firmware supports this by default D. It’s not possible the move clients to 5GHz radios when they can see both 2.4 and 5GHz APs E. ARM disables the 2.4Ghz radio for the specified client

A. ARM suppresses the probe response on the 2.4 GHz radio

**Which of the statements below are TRUE regarding ARM’s Spectrum Load Balancing feature? (Choose two)** A. Available only on 5GHz radios B. Disabled by default C. Balances client load across available channels/APs D. Enabled by default E. Available only on 2.4GHz radios

B. Disabled by default C. Balances client load across available channels/APs

**What is the function of Band Steering?** A. Balancing clients across APs on different channels within the same band B. Encourages clients, 5GHz capable, to connect on the 5GHz spectrum C. Coordinate access to the same channel across multiple APs D. Enables selection of 20 vs. 40 MHz mode of operation per band E. Enables acceptable coverage index on both the “b/g” and “a” spectrums

B. Encourages clients, 5GHz capable, to connect on the 5GHz spectrum

**What are the Airtime Allocation Policy options for Airtime Fairness? (Choose three)** A. Default Access B. Priority Access C. Fair Access D. Preferred Access E. Distributed Access

A. Default Access C. Fair Access D. Preferred Access

**Which of the following statements is true of Spectrum Mode?** A. No licenses are required to run an AP in Spectrum mode B. Spectrum mode can only be configured for one AP at a time C. An AP can be in spectrum mode for both 2.4 and 5G bands at the same time D. An AP can be placed in Spectrum Mode via the Spectrum Profile E. Spectrum mode can be configured from the GUI under AP installation

C. An AP can be in spectrum mode for both 2.4 and 5G bands at the same time

**Which ARM feature addresses the issue of sticky clients by moving clients to associate to APs with better 802.11 signal quality?** A. Co-Channel interference mitigation B. Airtime Fairness C. ClientMatch D. Coordinated access to a single channel E. Band Steering

C. ClientMatch

Aruba Client Match does NOT use which of the following parameters to determine the best AP for a client connection? (Choose two) A. Device type B. Location C. Signal to Noise Ratio D. Access Point load E. Spectrum Analysis

C. Signal to Noise Ratio D. Access Point load

**Which settings cannot be modified directly from a local controller?** A. Port VLAN setting B. Switch Time Zone C. Port trusted D. Roles E. SNMP Enable Trap Generation

D. Roles

**Masters communicate configuration information with locals using which tunnel type?** A. GRE B. IP in IP C. Provision Tunnel Protocol D. IPSec E. PPTP

D. IPSec

The administrator notes that most of the configuration options are grayed out and have no action. **What is the cause of the problem?** A. attempting to make global changes on a Master Controller B. attempting to make global changes on a Local Controller C. this change can only be performed via the CLI D. does not have the correct software license E. there is an error in the configuration

B. attempting to make global changes on a Local Controller

**Referring to the above screen capture, on which Controller can you create a vlan?** A. Controller 10.1.11.100 only B. Controller 10.1.11.101 and 10.254.1.3 only C. All three Controllers D. None of the Controllers E. Controller 10.254.1.101 only

C. All three Controllers

**Referring to the above screen capture, on which controller can you add an administrative user and assign a controller management role?** A. Controller 10.1.11.100 only B. Controller 10.1.11.101 and 10.254.1.3 only C. All three Controllers D. Must be done in the RADIUS server E. Controller 10.254.1.101 only

C. All three Controllers

**By default, which controller’s internal database will be used for user authentication?** A. Controller 10.1.11.100 only B. Controller 10.1.11.101 and 10.254.1.3 only C. All three Controllers D. You can’t tell from this screen E. The Controller with the user session

A. Controller 10.1.11.100 only

**Referring to the above screen capture, on which controller can you modify APs configuration to enable ARM?** A. Controller 10.1.11.100 only B. Controller 10.1.11.101 and 10.254.1.3 only C. All three Controllers D. None of the Controllers E. On Controllers where ARM is enabled

A. Controller 10.1.11.100 only

**With CPSec disabled, Aruba access points are Layer 3 connected to controllers using which protocol?** A. 802.1q B. LWAPP C. PPTP D. GRE E. HTTPs

D. GRE

**With CPSec disabled, which encryption protocol does a tunnel mode campus AP use on client traffic?** A. TKIP and AES B. It is provisioned by the Administrator C. WEP and AES D. WEP, TKIP, and AES E. No encryption is used

E. No encryption is used

**In a campus environment, where are encryption keys sent or stored when users roam between tunneled mode APs on the same controller using 802.1X?** A. sent to the new AP via GRE B. sent to the new AP via IPSec C. stored on the controller D. stored on the RADIUS server E. original AP sends keys to new AP

C. stored on the controller

In the diagram provided for this question, the wireless user’s laptop is associated with an Aruba AP in tunnel forwarding mode. The AP terminates on the local controller. **When the client transmits, where will the 802.11 headers be removed?** A. AP B. L2 Switch C. Router D. Controller E. Internet

D. Controller

When configuring a server group containing 3 servers, a customer chooses ‘fail through mode’. **What other configuration option has to be enabled on the controller for this to work with 802.1x authentication?** A. Machine authentication B. EAP Termination C. Server group fall through mode D. MAC authentication E. Round robin or top down mode

B. EAP Termination

A campus AP has been provisioned with a VAP in bridge forwarding and standard operation modes. **Which of the following authentication types are supported? (Choose two)** A. 802.1X authentication B. Open System authentication C. Local authentication D. Captive portal authentication E. VPN authentication

A. 802.1X authentication B. Open System authentication

**Which method is NOT supported to provision an Aruba campus AP?** A. Telnet directly to AP B. SSH to the AP’s controller C. Web interface to the AP’s controller D. Console to AP E. CLI on controller

A. Telnet directly to AP

**When direct consoled to an AP, what is the command sequence to factory default the AP and re-bootstrap?** A. setenv bootstat init B. setenv master init, boot C. purge, save, boot D. init, save, boot E. print, purge, boot

C. purge, save, boot

**What settings need to be changed on a factory default AP in order for it to use ADP to discover the Aruba Controller?** A. DNS of the controller B. Static route C. AP group D. enable multicast E. no changes needed

E. no changes needed

As illustrated in the above diagram, a company has two campus locations and a building headquarters all located in different cities. **Following best practices, what would be the best way to construct mobility domains for the company?** A. Buildings (1, 2) in one domain and Buildings (3, 4, 5, 6) in one domain B. Buildings (1, 2) in one domain, Building (3) in one domain, and Buildings (4, 5, 6) in one domain C. Buildings (1, 2, 4, 5, 6) in one domain and Building (3) in one domain D. Buildings (1, 2, 3, 4, 5, 6) in one domain E. Buildings (1) in one domain building (4) in one domain

B. Buildings (1, 2) in one domain, Building (3) in one domain, and Buildings (4, 5, 6) in one domain

**How many Aruba controllers can be added to a single mobility domain?** A. 64 controllers of any type B. 128 controllers supporting 2000 users C. 256 controllers with no more than 1024 subnets D. Controllers supporting up to 6000 AP’s E. There is no controller limit

E. There is no controller limit

**In a master-local controller scenario, where is the mobility domain defined?** A. the AP group B. the master controller C. the local controller D. the master and the local controllers E. the master and the local controllers where roaming is needed

B. the master controller

A university has 2 departments. Department 1 has its own mobility domain with one controller. Department 2 has multiple controllers configured in a second domain. The university is planning on offering a new application and needs users to be able to roam between both mobility domains. **What is the best way to accomplish this?** A. The 2 existing domains should be left as they are. A 3rd mobility domain should then be created and all 3 controllers need to be added to it B. Merge the controllers into the same mobility domain C. The IP subnets of all controllers need to be configured to match D. This cannot be accomplished E. Create a new domain between a department 1 controller and one of the department 2 controllers

B. Merge the controllers into the same mobility domain

A port firewall policy is applied to a trunk port that denies controller access. An “allow all” Vlan firewall policy is applied to VLAN 33 on the same port. A user connected to VLAN 33 on that port attempts to gain access to the controller. **Which of the following statements is true?** A. The Port policy is applied, therefore no controller access B. The Vlan policy is applied, then the port policy, therefore no controller access C. The Vlan policy is applied, therefore access to the controller is allowed D. You cannot place a firewall policy on a Ports Vlan when the Port already has a policy, therefore no controller access E. When locally connected to a controller’s port you always have controller access

C. The Vlan policy is applied, therefore access to the controller is allowed

An access port has been placed in trusted mode. The Vlan on the port is in Untrusted mode. **Which of the following statements is true?** A. The traffic is trusted since the port is trusted B. The traffic is untrusted since the VLAN is untrusted C. This is an invalid configuration, both must be set the same D. You cannot set Vlans as trusted or untrusted E. Only traffic from that specific port is trusted, all other traffic is untrusted

B. The traffic is untrusted since the VLAN is untrusted

**A wired device is connected to an untrusted port on a controller. How can a role be assigned to the device?** A. An initial Role can be assigned directly to the VLAN B. Roles are assigned to devices connected to a trusted port C. A default Role can be directly assigned to an untrusted port D. Adding a wired AAA profile to a VLAN on the untrusted port E. The Role assigned to the untrusted port

D. Adding a wired AAA profile to a VLAN on the untrusted port

**A port on a controller has been configured as untrusted. No wired access AAA profile or Global AAA profile is configured. When a user connects to that port which of the following statements is true?** A. Since there is no wired access AAA profile, only port policies will be applied B. The user will fall into the default wired access AAA profile and will be given the initial role. C. Since there is no wired access AAA profile or Global AAA profile the user will be given the logon role. D. When configuring the port as untrusted, an error message of “no wired access AAA profile exists” Therefore this is an invalid configuration. E. the user is denied all access automatically because no wired access AAA or Global AAA profile is assigned.

C. Since there is no wired access AAA profile or Global AAA profile the user will be given the logon role.

**Which method can APs use to discover a controller?** A. DHCP ``` B. Dynamic DNS (DDNS) ``` C. PnP D. PAPI E. HTTPS

A. DHCP

**When APs boot up, in which order do they discover a controller?** A. DNS, DHCP, ADP multicast, ADP unicast, static B. static, DNS, DHCP, ADP broadcast, ADP multicast C. static, DHCP, ADP multicast, ADP broadcast, DNS D. static, DHCP, DNS, ADP multicast, ADP broadcast E. DNS, static, ADP multicast, ADP broadcast

C. static, DHCP, ADP multicast, ADP broadcast, DNS

**An AP is not communicating with the controller. Upon investigation you find that the AP is not discovering its controller through DNS. Instead, it received a DHCP reply with option 43 specifying the SIP server’s IP address. How do you resolve this problem?** A. Statically configure the AP to ignore Option 43 B. Remove the option 43 configuration on the DHCP server C. Statically configure the AP to only use DNS resolution and not other dynamic discovery methods D. After failing option 43 the AP should have proceeded with ADP, therefore the AP is faulty and needs to be replaced E. The AP should be purged

B. Remove the option 43 configuration on the DHCP server

**How is an AP redirected to a Local controller after DNS resolution returns the Master’s IP address?** A. Master looks at the AP-Group and CONTROLLER-IP attributes B. Master looks at the AP-Group and LMS-IP attributes C. In the AP-provisioning screen, the LMS-IP attribute must be set D. The AP must be statically configured to find the local controller E. In the AP-provisioning screen, set the CONTROLLER-IP attribute

B. Master looks at the AP-Group and LMS-IP attributes

An AP was configured and assigned to an AP group then powered off for over a week. **When the AP is redeployed, what previous configuration will it retain?** A. It’s AP name and AP Group B. It’s Serial Number C. The controller’s IP address D. After a few days all configurations are lost E. The controller IP address and the AP Group

A. It’s AP name and AP Group

A 3600 controller has 64 PEF-NG license, 128 AP licenses and 1 RFProtect license. **How many AP’s can terminate on the controller?** A. 1 Campus APs B. 64 Campus APs C. 128 Remote APs D. 256 Remote APs E. 512 Remote APs

A. 1 Campus APs

A 3200 controller has 16 AP licenses,16 PEF-NG licenses, 16 RFProtect licenses. There are 10 Campus APs terminating on the controller. **How many remote AP’s can terminate on the controller?** A. 6 B. 12 C. 16 D. 24 E. 32

A. 6

Centralized licensing is not enabled in a network of 1 Master and 2 Local controllers, **what should be the license count on all controllers to terminate 8 APs on each Local controller and support Local redundancy?** A. 16 AP license on all controllers B. 8 AP license on Master and 16 AP license on both locals C. 8 AP license on all controllers D. 1 AP license on Master and 16 AP license on both locals E. 16 AP licenses on the Locals

D. 1 AP license on Master and 16 AP license on both locals

An 7240 controller is Licensed for 560 APs. The controller has 500 Campus APs terminating on the controller. **How many Remote APs can terminate on this controller?** A. 12 B. 24 C. 48 D. 60 E. 120

D. 60

An Aruba Controller is configured with VLAN 1,5, 200, and 4095. All VLANs have IP addresses assigned. Which is the default management VLAN on the Aruba controller? A. VLAN 5 B. VLAN 1 C. VLAN 200 D. None, it must be defined E. VLAN 4095

B. VLAN 1

**Which of the following statements is true?** A. Aruba Campus APs must be physically attached to the Aruba Controller. B. Aruba Campus APs must be in the same broadcast domain as the Controller. C. Aruba Campus APs can be in different subnets from the Controller. D. Aruba Campus APs must be physically attached to the same Layer 3 switch. E. Aruba Campus APs can be connected directly to the public internet.

C. Aruba Campus APs can be in different subnets from the Controller.

Referring to the diagram provided for this question, i**n which locations must you define the new data VLANs for wireless client traffic? (Choose two)** A. in all L2 switches where an Aruba AP is physically connected B. in all APs and the L2 switches to which they are connected C. in the Aruba controller and the router it’s connected to in an L2 deployment D. in the routers and switches where the APs are physically connected E. only on the Aruba controller in an L3 deployment

C. in the Aruba controller and the router it’s connected to in an L2 deployment E. only on the Aruba controller in an L3 deployment

A controller is provisioned in L3 Mode for Wireless Users. **What must be configured on the controller to enable DHCP requests to an external DHCP server?** A. an IP helper command B. the IP address of the DNS server C. the IP address of the APs D. the subnet address of the DHCP server E. the DHCP server IPSEC Key

A. an IP helper command

**Which parameter(s) does a Master controller use to determine where a provisioned AP should terminate its GRE tunnel?** A. the IP address of the AP B. the MAC address of the AP C. the IP address of the switch nearest to the AP D. the name and group settings of the AP E. the VLAN the AP is attached to

D. the name and group settings of the AP

**Which of the following configurations can accept a VLAN pool? (Choose two)** A. Trunk native VLAN B. Virtual AP profile C. User Role D. Server derived role E. FW Policies

B. Virtual AP profile C. User Role

**What does Aruba Layer 3 redundancy require to operate?** A. LMS-IP B. Backup LMS-IP C. VRRP D. Backup AP group E. ARM

B. Backup LMS-IP

In the diagram provided for this question, the client laptop is associated with the Aruba AP. The Aruba controller is configured to perform L2 switching for this SSID. **What will be the client laptop default gateway?** A. A B. B C. C D. D E. E

C. C

**Where does the other end terminate?** A. A B. B C. C D. D E. A or B

A. A

**Which VLAN(s) do NOT need to be configured on link A between the L2 switch and router to support the wireless users?** A. 101 and 102 B. 101 and 103 C. 102 and 103 D. only 101 E. only 103

A. 101 and 102

**Which VLANs must be configured on trunk link D between the router and Aruba controller to support wireless users when the controller is provisioned for L2 operations?** A. 10, 101 and 102 B. 101 and 102 C. 101, 102 and 103 D. 10, 101,102 and 103 E. 10 and 103

A. 10, 101 and 102

Referring to the diagram provided for this question, if the Aruba controller is configured to perform L3 switching, **what will be the wireless client laptop default gateway?** A. A B. B C. C D. D E. E

D. D

When configuring Captive Portal, **which protocols are supported when accessing the Captive Portal? (Choose two)** A. HTTPS B. VPN C. HTTP D. TELNET E. SSH

A. HTTPS C. HTTP

When the controller is configured for Captive Portal and the user is only required to provide an email address for authentication, **which option is configured in the GUI?** A. enable termination B. enable guest logon C. enable user logon D. eap method E. disable CP Login

B. enable guest logon

**What does the user need to do to logout?** A. wait 30 minutes then logout B. wait 60 minutes then logout C. click Logout on the browser screen D. he cannot logout E. wait 10 seconds for redirect

C. click Logout on the browser screen

**How was the user authenticated?** A. with a radius server called Radius01 B. with the Internal database C. with a radius server called Internal D. with another form of authentication E. user wasn’t authenticated against any server

E. user wasn’t authenticated against any server

**Where should mobility domains be enabled in a network with 1 master, 1 backup master and 5 local controllers?** A. Only on the master controller B. All the local controllers in the network C. All the controllers where the client is allowed to roam D. Master and backup master E. Only on the backup master

C. All the controllers where the client is allowed to roam

**What are two different methods of configuring AP redundancy between 2 local controllers? (Choose two)** A. Fast-Failover B. Configure the locals as remote nodes C. Use named VLANS D. LMS and Backup LMS IP E. AP Redundancy can only be configured between a Master and Local

A. Fast-Failover D. LMS and Backup LMS IP

An Aruba 650 controller is functioning as a standby Master. **How many APs can it control while in standby mode?** A. 0 B. 16 C. 24 D. 128 E. 256

A. 0

Aruba pair of 3200XM controllers are licensed to their maximum and are configured as a VRRP pair. Each controller terminates 24 APs. One of the controllers fails. **How many of the APs from the failed controller can fail over to the remaining controller?** A. 8 B. 16 C. 32 D. 48 E. 96

A. 8

**Which protocol does the Aruba controller utilize for controller redundancy?** A. HSRP B. VRRP C. VPN D. GRE E. IP-IP

B. VRRP

**With Fast-Failover disabled, to which IP address should the Aruba AP terminate its GRE tunnel for layer 2 controller redundancy to work and to support failover of access points?** A. VRRP IP address B. management IP of an Aruba controller C. management IP of the backup Aruba controller D. HSRP IP address E. Loopback IP address of backup Aruba controller

A. VRRP IP address

**When an Aruba 6000 controller has two M3 modules installed, for which uses may the modules be used? (Choose two)** A. hot standby operations B. VRRP backup C. higher AP density per switch chassis D. Active-Active masters E. Active-Active master-backup

B. VRRP backup C. higher AP density per switch chassis

Referring to the diagram provided for this question, an employee brought an unauthorizedAP from home and attached the LAN port to the cubicle Ethernet port. All Aruba APs and AMs as well as the employee AP are in VLAN 80 and within RF range of each other. No traffic from the wired or wireless network has passed through the unauthorized AP yet, but the AP began wireless broadcasts. **How will the Aruba system initially classify the employee’s non-Aruba AP?** A. a valid AP B. an AM C. a Rogue AP D. an interfering AP E. a known interfering AP

D. an interfering AP

Referring to the diagram provided for this question, an employee brought an unauthorized AP from home and attached it to the cubicle Ethernet port as shown in the diagram. The APs are in VLANs as shown in the diagram. Only AP1 is within RF range. How will the Aruba controller classify this AP? A. an AP B. an AM C. a Rogue AP D. an Interfering AP E. a workstation

D. an Interfering AP

Referring to the diagram provided for this question, an employee brought an unauthorized AP from home, but did not attach it to the LAN infrastructure. The APs are in the VLANs as shown in the diagram. Only AP1 is within RF range of the employee AP. **By default, how will the Aruba system classify the employee’s AP?** A. an AP B. an AM C. a Rogue AP D. an Interfering AP E. a valid workstation

D. an Interfering AP

What can an AM do that an AP cannot do? A. Detect rogue APs B. Detect an AP failure C. Scans all channels in under 1 minute D. Detect interfering APs E. Scan all valid channels

C. Scans all channels in under 1 minute

(group8) #show ap active Active AP Table ————— Name Group IP Address 11g Clients 11g Ch/EIRP/MaxEIRP 11a Clients 11a Ch/EIRP/MaxEIRP —- —– ———- ——— ——————- ———– ——————- AP1 building1 10.1.80.150 0 AM 0 AM AP2 building1 10.1.80.151 0 AM 0 AM A user called technical support because they cannot see any of their APs in building one. You perform the “show” command as illustrated above. **What can you conclude about these two APs from this output?** A. the GRE for the APs terminate on two different controllers: 10.1.80.150 and 10.1.80.151 B. the system will not function because there is no building1 group defined C. the building1 APs will not accept any user connections D. the user needs to configure his client to use the b/g band E. the user needs to configure his client to use the a band

C. the building1 APs will not accept any user connections

**Based on the above screen capture for Interfering APs, what can you conclude?** A. The APs must be connected to the Aruba network. B. The APs are classified as interfering because they are all transmitting on channel 6. C. There must not be any evidence that the APs are attached to the wired corporate network. D. These APs are classified as interfering because they are not Aruba APs. E. They are classified as interfering because they are running in g mode.

C. There must not be any evidence that the APs are attached to the wired corporate network.

As illustrated in the above diagram and screen capture, a wireless hacker injects messages into your network to detach a client from your Aruba AP. What action should you take to identify and prevent the Intruder from connecting to your system? (Choose two) A. Enable Detect disconnect Station Attack B. Enable Spoofed Deauth Blacklist C. Take no action as there is no protection against this form of attack D. Take no action as the Aruba system ignores this attack because it is against the client E. Enable Detect EAP rate Anomaly

A. Enable Detect disconnect Station Attack B. Enable Spoofed Deauth Blacklist

(group8) #show ap arm history ap-name AP1 Interface :wifi0 ARM History ———– Time of Change Old Channel New Channel Old Power New Power Reason ————– ———– ———– ——— ——— —— 2010-10-28 07:58:53 157+ 149+ 21 21 I 2010-10-28 07:52:06 149+ 157+ 21 21 M 2010-10-28 07:16:59 157+ 149+ 21 21 I Interface :wifi1 ARM History ———– Time of Change Old Channel New Channel Old Power New Power Reason ————– ———– ———– ——— ——— —— 2010-10-28 08:52:53 6 1 21 21 I **Referring to the output above. What can you conclude about AP1?** A. This device is scanning channels. B. This device is unstable because the channel assignment changed. C. The device changed channels recently. D. The device changed channels and power levels recently. E. The device is transmitting at maximum power levels.

C. The device changed channels recently.

**Which of the following parameters can be specified in a rule for AP classification? (Choose three)** A. SSID of an AP B. Number of clients connected to an AP. C. SNR of an AP. D. Operating mode of an AP E. Discovering APs

A. SSID of an AP C. SNR of an AP. E. Discovering APs

**Which of the following functions can be configured in the Controller WIP wizard? (Choose three)** A. Configure APs as Air Monitors B. Configure rules for AP classification. C. Configure preset levels for intrusion detection D. Blacklisting Rules for clients E. Identify encryption method used in your network.

B. Configure rules for AP classification. C. Configure preset levels for intrusion detection E. Identify encryption method used in your network.

A client device associates with an SSID provisioned with 802.1X authentication. The client is set for PEAP authentication. EAP termination (AAA Fastconnect) is disabled on the controller. But the client continuously cycles through the authentication process. **Which of the following could cause this? (Choose two)** A. The client is provisioned with the wrong EAP type. B. The client has an expired or revoked server certificate. C. The DHCP server is not enabled. D. The VLAN is missing for the SSID. E. The controller does not support PEAP in this mode.

A. The client is provisioned with the wrong EAP type. B. The client has an expired or revoked server certificate.

A client device associates with an SSID provisioned with 802.1X authentication. The client is set for LEAP authentication. EAP termination (AAA Fastconnect) is enabled on the controller. But the client continuously cycles through the authentication process. Which of the following could cause this? A. The Radius server is rejecting the client credentials. B. The client has an expired or revoked server certificate. C. The DHCP server is not enabled. D. The VLAN is missing for the SSID. E. The controller does not support LEAP in this mode.

E. The controller does not support LEAP in this mode.

A client attaches to a secure jack interface set to untrusted. But when the client tries to access the captive portal page, the following message appears, “Web Authentication is not enabled.” **What might be wrong?** A. The client has the browser provisioned with proxy settings. B. The controller port needs to be set to trusted. C. A “aaa” profile needs to be selected on the Wired Access page. D. A Captive Portal profile needs to be assigned to the initial role. E. Web Authentication cannot be used in this way.

D. A Captive Portal profile needs to be assigned to the initial role.

**Which command, when executed on a master controller, will show the APs connected to all controllers?** A. show stm connectivity B. show ap active C. show ap database D. show ap bss-table E. show ap controller-lms

C. show ap database

**Which of the following commands is most useful in showing the traffic of an individual user?** A. show datapath session table B. show acl hits C. show rights D. show firewall E. show traffic client

A. show datapath session table

An Aruba based network has a Master and four local controllers deployed. But one of the locals, a new installation, is not seen by the Master. **What might be wrong? (Choose two)** A. PAPI is not enabled on the local controller. B. The master controller can only support three local controllers. C. IPSec is blocked by the internal network between the local and the master controllers. D. The passphrase does not match on the master and local controllers. E. GRE is blocked between the master and local controllers.

C. IPSec is blocked by the internal network between the local and the master controllers. D. The passphrase does not match on the master and local controllers.

An Aruba controller is configured with the correct IP address and gateway information and is connected to the corporate LAN via a core layer 2 switch. Control Plane Security is not enabled on the network. An access point is provisioned with AP name and group and connected to a different Layer 2 switch on the corporate LAN that has IP connectivity to the core layer 2 switch. The AP powers on and layer 2 connects to the network, but the wireless radios do not power on. **Which could cause this condition? (Choose two)** A. the layer 2 switches have ACLs that block GRE traffic B. the layer 2 switches are configured to block IPSec traffic C. a DHCP server is not configured for the segment to which the AP is connected D. the AP’s mac address needs to be configured in the Aruba controller whitelist. E. the AP and controller are in different subnets

A. the layer 2 switches have ACLs that block GRE traffic C. a DHCP server is not configured for the segment to which the AP is connected

Most of the wireless LAN traffic will be from students accessing the internet. According to Aruba best practices, which building is the best location to install the Aruba mobility controller? A. data center B. dormitory C. server farm D. library E. 3rd party site

A. data center

Referring to the diagram provided for this question, representing an office wireless LAN deployment, there will be approximately 250 users in the offices section of the building. All Switches are setup as L3 routers. According to Aruba best practice, **which network device is the best choice for the wireless clients’ default gateway?** A. device ‘A’ B. device ‘B’ C. device ‘C’ D. device ‘D’ E. device ‘C or D’

B. device ‘B’

One hundred (100) additional APs were deployed in an existing network. But some APs are not able to connect to the lms-ip address, even though all of the APs belong to the same AP group. **Which of the following are NOT potential causes? (Choose two)** A. The problem APs are not getting an IP address. B. The problem APs have the wrong lms-ip address setting. C. There is a firewall between the problem APs and the controller blocking PAPI. D. The controller does not support that many APs in a single AP-Group. E. There are not enough AP licenses to support the additional quantity of APs.

B. The problem APs have the wrong lms-ip address setting. D. The controller does not support that many APs in a single AP-Group.

**IEEE 802.11r provides support for which of the following:** A. radio measurements within a WLAN B. radio measurement within an ESS C. fast roaming within an ESS D. fast roaming within a BSS E. roaming across controllers

C. fast roaming within an ESS

**If a Remote AP (RAP) is attempting to contact a controller that is behind a NAT device what protocol must be allowed through the NAT/Firewall?** A. PAPI B. NATT C. IPSec D. SSH E. GRE

B. NATT

**Which of the following are NOT valid RAP forwarding modes? (Choose two)** A. Tunnel B. Bridge C. Split-Tunnel D. Backup E. Standard

D. Backup E. Standard

**Which of the following are valid RAP operating modes?** A. Always, Backup, Standard, Persistent B. Always, Backup, Tunnel, Persistent C. Always, Hotel-Connect, Tunnel, Standard D. Backup, Hotel-Connect, Standard, Persistent E. Backup, Normal, Tunnel, Always

A. Always, Backup, Standard, Persistent

**When configuring split tunnel mode on a Remote AP (RAP) where is the routing function for the split tunnel defined?** A. On the IP routing tab in the configuration screen. B. On the AP provisioning screen. C. In the RAP static routing tables D. In the Firewall policy E. In the RAP whitelist

D. In the Firewall policy

**When does a RAP’s backup SSID begin broadcasting?** A. When the GRE tunnel to the controller is established. B. When the IPSec tunnel to the controller is established. C. When the controller cannot be reached with PAPI D. When bridging is required for guest users. E. When the controller cannot be reached with SSL Show Answer

C. When the controller cannot be reached with PAPI

A Remote AP provisioned in “Split-Tunnel” Forwarding mode has **which characteristic?** A. Local traffic first goes to the controller and is then spilt back to the local network. B. Traffic is IPSec encrypted before it is sent to the controller. C. The user role must have a “Permit” statement in order to locally bridge the traffic. D. The user role must have a “route dst-nat” statement to locally bridge the traffic. E. The RAP uses PAPI to send data traffic to the controller.

B. Traffic is IPSec encrypted before it is sent to the controller.

A Remote AP was properly functioning before losing it’s internet connection and now cannot communicate with the controller. **What SSID is the AP broadcasting?** A. The SSID in Operational mode Always and Forwarding mode Backup B. The SSID in Operational mode Split Tunnel and Forwarding mode Bridge C. The SSID in Operational mode Always and Forwarding mode Tunnel D. The SSID in Operational mode Standard and Forwarding mode Tunnel E. The SSID in Operational mode Persistent and Forwarding mode Bridge

E. The SSID in Operational mode Persistent and Forwarding mode Bridge

**A Remote AP provisioned with an SSID in “Bridged” forwarding mode has which one of the following characteristics?** A. The client obtains its IP address from the controller. B. The client’s default gateway must be the controller. C. The client traffic is forwarded through a GRE tunnel to the controller. D. The client’s default gateway may be the Access Point or a local gateway. E. The client’s authentication must be 802.1X.

D. The client’s default gateway may be the Access Point or a local gateway.

**An AP 105 was converted into a RAP. The RAP can authenticate its IPSec tunnel to a controller using which of the following methods? (Choose two)** A. 802.1X/EAP authentication B. Captive Portal authentication C. IP address authentication D. Username/Password authentication. E. Certificate/MAC address authentication.

D. Username/Password authentication. E. Certificate/MAC address authentication.

Which of the following describes a Remote AP provisioned in “Split-Tunnel” Forwarding mode? A. Local user traffic first goes to the controller and is then spilt back to the local network. B. All data and control traffic goes to the controller unsecured. C. The user role must have a “Permit” statement in order to locally bridge the traffic. D. The user role must have a “route src-nat” statement to locally bridge the traffic. E. The RAP uses PAPI to send data traffic to the controller. Show Answer

D. The user role must have a “route src-nat” statement to locally bridge the traffic.

**A Remote AP provisioned in “Split-Tunnel” Forwarding mode has which of the following characteristics?** A. Local traffic first goes to the controller and is then spilt back to the local network. B. User Traffic is CPSec encrypted before it is sent to the controller. C. The user role must have a “Permit” statement in order to locally bridge the traffic. D. The user role must have a “permit dst-nat” statement to locally bridge the traffic. E. The RAP uses UDP 4500 to send traffic to the controller.

E. The RAP uses UDP 4500 to send traffic to the controller.

**What is the purpose of Mesh Clusters?** A. To separate Mesh points from Mesh Portals. B. To ensure that mesh APs with the same VAPs are not in the same cluster. C. To define a group of mesh APs that create mesh links with each other. D. To cluster mesh APs of the same model together. E. To enable mesh APs to join the nearest mesh portal cluster.

C. To define a group of mesh APs that create mesh links with each other.

A company purchased an indoor mesh deployment using the 620 controller and the AP 105 models, where 5 APs will be deployed on a floor to provide wireless internet access for users. Users may open VPN tunnels using software clients over the wireless network to a 3rd party VPN concentrator overseas. The company wants to limit wireless user access to TCP traffic locally and VPN traffic overseas. In addition to the base AOS, which licenses will be necessary for this deployment? A. VPN, PEF-NG B. AP Capacity, PEF-NG C. AP Capacity, PEF-NG, VPN D. AP Capacity E. PEF-NG, PEF-V

B. AP Capacity, PEF-NG

**When deploying Remote Mesh Portals, what is one of the purposes of the Mesh Private VLAN?** A. To separate wireless user traffic coming from mesh networks from non-mesh networks B. To tag mesh wireless user traffic on a particular AP C. To allow Mesh Points to form private vlan networks with certain users D. To tag control plane traffic from Mesh points to the controller E. To tag clients high priority traffic

D. To tag control plane traffic from Mesh points to the controller

**How does an Aruba infrastructure calculate a wireless device’s location?** A. GPS B. RF Fingerprinting C. RSSI triangulation D. TDOA E. LBS

C. RSSI triangulation

ACMP_6.3 Flashcards

(165 cards)