ACMP_6.3 Flashcards

1
Q

Which of the following Aruba controllers is able to provide IEEE 802.3af? (Choose two)

A. 3200

B. 620

C. 650

D. 6000 with M3

E. 7000

A

B. 620

C. 650

2
Q

What is the maximum number of remote APs supported by a 3600 controller?

A. 512

B. 1024

C. 128

D. 256

E. 2048

A

A. 512

3
Q

Which dual radio access point models support concurrent operations in the 2.4 GHz band as well as the 5 GHz band? (Choose three)

A. AP-92

B. AP-93

C. AP-105

D. AP-224

E. AP-135

A

C. AP-105

D. AP-224

E. AP-135

4
Q

Which of the following APs do NOT support dual radio operations? (Choose two)

A.
AP 93

B.
AP 105

C.
RAP 3WN

D.
AP 224

E.
AP 135

A

A.
AP 93

C.
RAP 3WN

5
Q

Centralized licensing is not in use on an Aruba-based network which has a Master and three local controllers. No APs terminate on the Master controller. Roles and firewall policies need to be created and applied, hence a PEF-NG license is required.
On which controller should the license be installed?

A.
Only the master controller since role and firewall policies are created here.

B.
Only the local controllers since firewall policies are applied here

C.
The master and all three local controllers

D.
This isn’t the correct license for this purpose, use PEF-VPN license

E.
This is not needed because PEF-NG is part of base OS

A

C.
The master and all three local controllers

6
Q

You need to generate a feature license key for an Aruba controller.

What information do you need to generate a feature license key for an Aruba controller?

A.
The controller’s MAC address and the feature description.

B.
Controller’s MAC address and the certificate number

C.
Controller’s Serial Number and the feature description

D.
Controller’s Serial Number and the certificate number

E.
Controller’s MAC address and Serial Number

A

D.
Controller’s Serial Number and the certificate number

7
Q

What are the PEF-NG license limits based on?

A.
Number of APs

B.
One license per controller

C.
Number of users

D.
Number of local controllers

E.
Master Controller total user count

A

A.
Number of APs

8
Q

Which of the following licenses are consumed by Mesh APs advertising an SSID?

A.
AP license

B.
Mesh license

C.
PEF-V license

D.
No license is required

E.
RAP License

A

A.
AP license

9
Q

The permanent licenses on the controller will be deleted with the use of which command?

A.
Delete license

B.
Write erase

C.
Licenses cannot be deleted once activated

D.
Write erase all

E.
Reboot delete all

A

D.
Write erase all

10
Q

A network administrator wants to terminate VPN sessions on a local controller in the DMZ.
Which statement is true about the PEF-VPN license?

A.
It is only applied to the master controller

B.
It is only applied to the DMZ controller.

C.
It is based on the number of APs

D.
One license is needed on the master and the DMZ local

E.
It is distributed by the license server as needed

A

D.
One license is needed on the master and the DMZ local

11
Q

What is the best practice regarding licensing for a backup master to support Master Redundancy in a network without centralized licensing?

A.
Backup master only requires the AP license

B.
Supported limits and installed licenses should be the same on primary master and backup Master

C.
Licenses are pushed from the primary to the backup Master along with the configuration

D.
The Backup Master does not require licenses to support master redundancy

E.
On the backup only one license of each type is needed.

A

B.
Supported limits and installed licenses should be the same on primary master and backup Master

12
Q

Which of the following licenses can be included in the licensing pool for centralized licensing? (Choose three)

A.
Factory default licenses

B.
PEFNG license

C.
Evaluation licenses

D.
RFProtect license

E.
PEFV license

A

B.
PEFNG license

C.
Evaluation licenses

D.
RFProtect license

13
Q

By default Centralized licensing messages between master controllers are sent _______________.

A.
In the clear unencrypted

B.
Using CPSec

C.
Using IPSec site to site VPN tunnels

D.
Encrypted using GRE

E.
PAPI

A

A.
In the clear unencrypted

14
Q

Which of the following will occur if a master license server fails with no standby server present? (Choose two)

A.
Local controllers licenses will continue to be valid for 30 days

B.
Local controllers will immediately remove all installed licenses

C.
No licenses will be sent to any new controllers that come online

D.
All licenses go back into the pool for redistribution

E.
A Local Controller elects itself master license server

A

A.
Local controllers licenses will continue to be valid for 30 days

C.
No licenses will be sent to any new controllers that come online

15
Q

Which may be applied directly to a VLAN interface? (Choose three)

A.
Access List (ACL)

B.
Firewall Policy

C.
Roles

D.
AAA profiles

E.
RF Plan Map

A

A.
Access List (ACL)

B.
Firewall Policy

D.
AAA profiles

16
Q

When creating a firewall rule on an Aruba controller, which parameter is optional?

A.
Destination

B.
Service

C.
Source

D.
Log

E.
Action

A

D.
Log

17
Q

An administrator creates a WLAN with an unmodified default AAA profile. What is the default role the user is placed in?

A.
default-logon

B.
logon

C.
guest-logon

D.
default-ap

E.
AP-Role

A

B.
logon

18
Q

What is the first role a user is given when a user associates to an open WLAN?

A.
The guest post authentication role

B.
The initial role in the captive portal profile

C.
The role in the server group profile

D.
The initial role in the AAA profile

E.
The initial role in the 802.1x profile

A

D.
The initial role in the AAA profile

19
Q

Which of the following could be used to set a user’s post-authentication role or VLAN association? (Choose two)

A.
AAA default role for authentication method

B.
Server Derivation Rule

C.
Vendor Specific Attributes

D.
AP Derivation Rule

E.
The Global AAA profile

A

B.
Server Derivation Rule

C.
Vendor Specific Attributes

20
Q

Which describe “roles” as used on Aruba Mobility Controllers? (Choose two)

A.
Roles are assigned to users.

B.
Roles are applied to interfaces.

C.
Policies are built from roles.

D.
A user can belong to only one role at a time.

E.
Roles are a set of authentication rules

A

A.
Roles are assigned to users.

D.
A user can belong to only one role at a time.

21
Q

Which netdestination aliases are built into the controller? (Choose three)

A.
logon

B.
any

C.
user

D.
guest

E.
local ip

A

B.
any

C.
user

E.
local ip

22
Q

What are aliases used for?

A.
Improve controller performance

B.
Simplify the configuration process

C.
Tie IP addresses to ports

D.
Assign rules to policies

E.
Assign policies to roles

A

B.
Simplify the configuration process

23
Q

Which of the following firewall rules allows a user to initiate an ICMP session to other devices? (Choose two)

A.
localip any svc-icmp permit

B.
user any svc-icmp permit

C.
user user svc-icmp permit

D.
any any svc-icmp permit

E.
mswitch any svc-icmp permit

A

B.
user any svc-icmp permit

D.
any any svc-icmp permit

24
Q
The Aruba Policy Enforcement Firewall (PEF-NG) module supports destination network address translation (dst-nat).
Which is the default use of this statement in an Aruba controller configuration?

A.
Source the IP addresses of users to specific IP address

B.
Redirect HTTP sessions to Captive Portal

C.
Redirect Access Points to another Aruba controller

D.
Provide a telnet connection to the controller

E.
Redirect a SSH session to terminate on the controller

A

B.
Redirect HTTP sessions to Captive Portal

25
Q
The Aruba Policy Enforcement Firewall (PEF) module supports source network address translation (src-nat).
Which is a use of this statement in an Aruba configuration?

A.
Provide a single source IP address for users in a role

B.
Redirect Captive Portal HTTP sessions

C.
Redirect Access Points to another Aruba controller

D.
Provide IP addresses to clients

E.
Redirects clients to Aruba Firewall

A

A.
Provide a single source IP address for users in a role

26
Q

The network administrator wishes to terminate the VPN encryption on the Aruba controller.
When writing a firewall rule to accomplish the task of automatically moving the VPN traffic for the wireless clients from a third party VPN concentrator to an Aruba controller, which action needs to be configured in the rule?

A.
redirect to IPSec Group

B.
source NAT

C.
destination NAT

D.
redirect to tunnel

E.
redirect to GRE

A

C.
destination NAT

27
Q

Review the following truncated output from an Aruba controller for this item.
(example) #show rights logon
access-list List
----------------
Position  Name           Location
--------  ----           --------
1         logon-control
2         captiveportal

logon-control
-------------
Priority  Source  Destination  Service    Action
--------  ------  -----------  -------    ------
1         user    any          udp 68     deny
2         any     any          svc-icmp   permit
3         any     any          svc-dns    permit
4         any     any          svc-dhcp   permit
5         any     any          svc-natt   permit

captiveportal
-------------
Priority  Source  Destination  Service          Action
--------  ------  -----------  -------          ------
1         user    controller   svc-https        dst-nat 8081
2         user    any          svc-http         dst-nat 8080
3         user    any          svc-https        dst-nat 8081
4         user    any          svc-http-proxy1  dst-nat 8088
5         user    any          svc-http-proxy2  dst-nat 8088
6         user    any          svc-http-proxy3  dst-nat 8088

Based on the above output from an Aruba controller, an unauthenticated user assigned to the logon role attempts to start an HTTP session to IP address 172.16.43.170.
What will happen?

A.
the user’s traffic will be passed to the IP address because of the policy statement:
user any svc-http dst-nat 8080

B.
the user’s traffic will be passed to the IP address because of the policy statement:
user any svc-https dst-nat 8081

C.
the user’s traffic will be passed to the IP address because of the policy statement:
user any svc-http-proxy1 dst-nat 8088

D.
the user will not reach the IP address because of the policy statement:
user any svc-http dst-nat 8080

E.
the user will not reach the IP address because of the implicit deny any any at the end of
the policy.

A

D.
the user will not reach the IP address because of the policy statement:
user any svc-http dst-nat 8080

28
Q

Refer to the following configuration segment for this item.
ip access-list session anewone
  user network 172.16.1.0 255.255.255.0 any permit
  user host 172.16.1.1 any deny
  user any any permit

An administrator wants users to have access to all destinations except 172.16.1.1. Based on the above Aruba Mobility Controller configuration segment, which statements best describe this policy? (Choose two)

A.
The rule user host 172.16.1.1 any deny is redundant because of the implicit deny all at
the end.

B.
The rule user network 172.16.1.0 255.255.255.0 any permit is redundant.

C.
The two rules user network 172.16.1.0 255.255.255.0 any permit and user host
172.16.1.1 any deny need to be re-sequenced.

D.
The last statement user any any permit is not required

E.
The last statement should be any any any deny

A

B.
The rule user network 172.16.1.0 255.255.255.0 any permit is redundant.

C.
The two rules user network 172.16.1.0 255.255.255.0 any permit and user host
172.16.1.1 any deny need to be re-sequenced.

29
Q

How will the frame be handled by this firewall policy?

Refer to the following configuration segment for this item.
netdestination "internal"
  no invert
  network 172.16.43.0 255.255.255.0 position 1
  range 172.16.11.0 172.16.11.16 position 2
!
ip access-list session "My-Policy"
  alias "user" alias "internal" service_any permit queue low
!

A user frame is evaluated against this firewall policy with the following attributes:
Source IP: 172.17.49.3 Destination IP: 10.100.86.37 Destination Port: 80
Referring to the above file segment, how will the frame be handled by this firewall policy?

A.
The frame will be dropped because of the implicit deny all at the end of the netdestination
definition.

B.
The frame will be dropped because of the implicit deny all at the end of the firewall policy.

C.
The frame will be forwarded because of the implicit permit all at the end of the firewall
policy.

D.
The frame will be passed because there is no service specified in the firewall policy.

E.
The frame will be dropped because there is no service specified in the firewall policy.

A

B.
The frame will be dropped because of the implicit deny all at the end of the firewall policy.

30
Q

What will this policy do with the user frame?

ip access-list session anewone
  user network 10.1.1.0 255.255.255.0 any permit
  user any any permit
  host 10.1.1.1 host 10.2.2.2 any deny

A user sends a frame with the following attributes:

Source IP: 10.1.1.1 Destination IP: 10.2.2.2 Destination Port: 25
Based on the above Mobility Controller configuration file segment, what will this policy do with the user frame?

A.
The frame is discarded because of the implicit deny all at the end of the policy.

B.
The frame is discarded because of the statement:
user host 10.1.1.1 host 10.2.2.2 deny.

C.
The frame is accepted because of the statement:
user any any permit.

D.
The frame is accepted because of the statement:
user network 10.1.1.0 255.255.255.0 any permit.

E.
This is not a valid policy.

A

C.
The frame is accepted because of the statement:
user any any permit.

31
Q

ip access-list session anewone
  user network 10.1.1.0 255.255.255.0 any permit
  user host 10.1.1.1 any deny
  user any any permit

Referring to the above portion of a Mobility Controller configuration file, what can you conclude? (Choose two)

A.
This is a session firewall policy.

B.
This is an extended Access Control List (ACL).

C.
Any traffic going to destination 10.1.1.1 will be denied.

D.
Any traffic going to destination 10.2.2.2 will be denied.

E.
Any traffic going to destination 172.16.100.100 will be permitted.

A

A.
This is a session firewall policy.

E.
Any traffic going to destination 172.16.100.100 will be permitted.

32
Q

Which of these are NOT a client attribute that can be configured in user derivation rules?

A.
MAC address

B.
DHCP option value

C.
BSSID

D.
Filter ID

E.
encryption

A

D.
Filter ID

33
Q

What are the types of user derivation rules that can be applied to a user? (Choose two)

A.
SSID

B.
MAC

C.
VLAN

D.
Role

E.
AP

A

C.
VLAN

D.
Role

34
Q

Which is a Device Specific Attribute that can be evaluated in a user derivation rule?

A.
user login name

B.
authentication server

C.
location by AP Name

D.
controller Loopback address

E.
controller IP

A

C.
location by AP Name

35
Q

Which match condition can be used by a server derivation rule? (Choose two)

A.
greater than

B.
less than

C.
inverse of

D.
contains

E.
equals

A

D.
contains

E.
equals

36
Q

An administrator wants to assign a VLAN to a user based upon the authentication process
using Vendor Specific Attributes (VSA). Where are Aruba Vendor Specific Attribute (VSA) values provisioned?

A.
controller

B.
client

C.
RADIUS server

D.
Internal user database

E.
Option 60 of DHCP reply

A

C.
RADIUS server

37
Q

A company has provisioned the same VAP, AAA and SSID profiles at both its Miami and NY
offices. This Server Group is applied for 802.1x authentication at both locations. The user’s
credentials are only found in the Miami Radius server “RadiusMiami”. There is no Radius
synchronization and both servers are reachable. What happens when the user attempts to authenticate?

A.
The controller recognizes the user's domain and sends the authentication request directly to RadiusMiami.

B.
The request is initially sent to RadiusNY1 then RadiusNY1 redirects the controller to send
the authentication request to RadiusMiami

C.
RadiusNY1 receives the request and returns a deny. No other action is taken.

D.
RadiusNY1 receives the request and returns a deny. The authentication request will then
be sent to RadiusMiami.

E.
The RadiusNY1 sends the request to RadiusMiami that replies to the controller

A

C.
RadiusNY1 receives the request and returns a deny. No other action is taken.

38
Q

A user associated to an SSID with 802.1x using this server group. RadiusNY returned a
standard radius attribute of filter-Id with a value of “employee”. The user was placed in the
guest Role. What statements below are correct? (Choose two)

A.
The user was placed in the 802.1x authentication default Role guest

B.
The user was placed in the initial Role guest

C.
Role derivation failed because roles are case sensitive

D.
Role derivation failed because the incorrect operation “value-of” was used

E.
802.1x authentication failed so the user was automatically placed in the guest Role

A

A.
The user was placed in the 802.1x authentication default Role guest

C.
Role derivation failed because roles are case sensitive

39
Q

A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of “employee”.
What Role will the user get?

A.
The User will get the Emp Role

B.
The User will get the 802.1x authentication default Role

C.
The User will get the employee Role

D.
The User will get the Employee Role

E.
The User will get the initial Role

A

B.
The User will get the 802.1x authentication default Role

40
Q

Which profiles are required in an AP Group to enable an SSID with VLAN 1, WPA2 and LMSIP? (Choose three)

A.
Virtual-AP profile

B.
WLAN profile

C.
802.1x authentication profile

D.
AP System Profile

E.
SSID Profile

A

A.
Virtual-AP profile

D.
AP System Profile

E.
SSID Profile

41
Q

A user connected to a Captive Portal VAP successfully. When the user opens their browser
and tries to access their homepage, they get redirected as expected to another URL on the
Aruba Controller. However, they see an error message that web authentication has been
disabled. What might be a cause of this?

A.
Captive Portal has not been assigned in the SSID profile.

B.
The Captive portal profile has not been assigned to the AAA profile.

C.
A server group has not been assigned to the captive portal profile.

D.
An initial role has not been assigned to the AAA profile.

E.
The Captive portal profile has not been assigned to the initial role.

A

E.
The Captive portal profile has not been assigned to the initial role.

42
Q

Which of the following will accept named VLANs as a parameter? (Choose three)

A.
Virtual AP profile

B.
User derivation rule for a single VLAN

C.
Server derivation rule for a single VLAN

D.
Server derivation rule for a VLAN Pool

E.
Access VLAN for a VLAN Pool

A

A.
Virtual AP profile

B.
User derivation rule for a single VLAN

C.
Server derivation rule for a single VLAN

43
Q

A customer has a remote AP deployment, where each remote AP has an IPSEC VPN tunnel with L2TP to the controller. One of the remote APs is stuck in the user table and hasn’t yet transitioned to the AP active table in the controller. The customer suspects that the AP is not setting up its VPN connection successfully. Which of the following commands might be useful in troubleshooting this? (Choose three)

A.
Logging level debugging security process localdb

B.
Logging level debugging security process l2tp

C.
Logging level debugging security process dot1x

D.
Logging level debugging security process crypto

E.
Logging level debugging security process vpn

A

A.
Logging level debugging security process localdb

B.
Logging level debugging security process l2tp

D.
Logging level debugging security process crypto

44
Q

If machine authentication fails and user authentication passes, which role will be assigned?

A.
employee

B.
guest

C.
contractor

D.
logon

E.
no role is assigned

A

B.
guest

45
Q

If machine authentication passes and user authentication fails, which role will be assigned?

A.
employee

B.
guest

C.
contractor

D.
logon

E.
no role is assigned

A

B.
guest

46
Q

If machine authentication fails and user authentication fails, which role will be assigned?

A.
Employee

B.
Guest

C.
Captive Portal

D.
Logon

E.
No role will be assigned

A

E.
No role will be assigned

47
Q

What can NOT be configured from the Aruba controller configuration wizards?

A.
Controller IP

B.
Boot Partition

C.
User firewall policy.

D.
User derivation rules.

E.
Radius Servers

A

B.
Boot Partition

48
Q

An administrator is setting up a factory default controller. No new AP groups were created.
When adding a WLAN SSID in the Campus WLAN wizard what AP group is available?

A.
The air-monitors AP group

B.
The logon AP group

C.
The default AP group

D.
The initial AP group

E.
The Spectrum AP group

A

C.
The default AP group

49
Q

The reusable Aruba Controller wizards are accessible in what way?

A.
Only on startup through the CLI

B.
Through the CLI, after the initial CLI wizard has been completed

C.
In the Web UI under maintenance.

D.
In the Web UI under configuration.

E.
Must be initialized from CLI first.

A

D.
In the Web UI under configuration.

50
Q

The Controller wizard enables which of the following controller clock configurations? (Choose three)

A.
NTP to a time server

B.
Set time zone

C.
Daylight savings time

D.
Only GMT can be configured

E.
Manual configuration of date and time

A

A.
NTP to a time server

B.
Set time zone

E.
Manual configuration of date and time

51
Q

When configuring ports in the Controller wizard, which of the following are NOT configuration
options? (Choose two)

A.
Inter-VLAN routing

B.
Speed

C.
Trusted

D.
LACP

E.
Trunk

A

A.
Inter-VLAN routing

D.
LACP

52
Q

By default, which CLI based remote access method is enabled on Aruba controllers?

A.
RSH

B.
Telnet

C.
SSH

D.
Telnet and SSH

E.
Telnet, SSH and RSH

A

C.
SSH

53
Q

An Aruba controller can be accessed with which CLI based remote access methods?
(Choose two)

A.
RSH

B.
Telnet

C.
SSH

D.
SFTP

E.
SCP

A

B.
Telnet

C.
SSH

54
Q

As an admin/root user, what other type of role-based management users can be created on
Aruba controllers?

A.
Auditing-compliance user

B.
AirWave management user

C.
Reporting Generation user

D.
Guest provisioning user

E.
Maintenance user

A

D.
Guest provisioning user

55
Q

Which log type should be enabled to troubleshoot IPSec authentication issues on Aruba
Controllers?

A.
Security Logs

B.
Management Logs

C.
Wireless Logs

D.
IDS Logs

E.
System Logs

A

A.
Security Logs

56
Q

Referring to the above screen capture, if an administrator desires to change a specific AP
into a Spectrum Monitor without assigning the AP to a new group, which menus could be used?

A.
Network > Controller

B.
Wireless > AP Configuration

C.
Wireless > AP Installation

D.
Advanced Services > Wireless

E.
Wizards > WIP Wizard

A

B.
Wireless > AP Configuration

57
Q

A customer forgot all passwords for a controller. What method could you use to reset the passwords?

A.
Telnet to the controller and login to the password recovery account

B.
SSH to the controller and login to the password recovery account

C.
Connect directly to the serial console and login to the password recovery account

D.
Interrupt the boot process at CP-boot and select password recovery

E.
Open the controller and press the reset switch

A

C.
Connect directly to the serial console and login to the password recovery account

58
Q

With CPSec disabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?

A.
Basic IP

B.
GRE

C.
IPinIP

D.
Mobile IP

E.
IPSec

A

B.
GRE

59
Q

In an Aruba controller based system, the L3 mobility tunnel exists between the home agent and which other element?

A.
the default gateway

B.
the remote AP

C.
the foreign agent

D.
the mobile node

E.
the foreign switch

A

C.
the foreign agent

60
Q

When an 802.11 client roams what device decides when to move the client to another AP?

A.
Aruba AP

B.
Aruba controller

C.
Client

D.
Radius Server

E.
Router

A

C.
Client

61
Q

The above diagram has one master and three local controllers. AP1 GRE terminates on controller Local 1. All controllers are configured with the wireless user VLAN 201. A wireless
user associates with AP 1. Only L2 mobility is enabled.
Which elements will know about this association?

A.
Local 1 only

B.
Local 1 and the Master

C.
Local 1 and Local 2 and the Master

D.
Local 1 and AP1

E.
All Controllers

A

B.
Local 1 and the Master

62
Q

Which command will show all client association history?

A.
Aruba-6000# show mobile trail current (ip address)

B.
Aruba-6000# show ip mobile trail (ip address)

C.
Aruba-6000# show ap client status (mac address)

D.
Aruba-6000# show current client ip (ip address)

E.
Aruba-6000# show client ip (ip address) mobility

A

B.
Aruba-6000# show ip mobile trail (ip address)

63
Q

With CPSec enabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?

A.
EAP

B.
SSH

C.
IPinIP

D.
Mobile IP

E.
IPSec

A

E.
IPSec

64
Q

By default, how long will an AP scan a single channel when ARM is enabled?

A.
80 milliseconds

B.
90 milliseconds

C.
100 milliseconds

D.
110 milliseconds

E.
200 milliseconds

A

D.
110 milliseconds

65
Q

Which actions does ARM (Adaptive Radio Management) perform? (Choose two)

A.
Allows controllers to provision the AP Radio type

B.
Allows controllers to provision the best channel for APs

C.
Allows controllers to provision the best power setting for APs

D.
Allows controllers to provision allowed Radio bands

E.
Allows controllers to provision lower power when unauthorized APs are detected

A

B.
Allows controllers to provision the best channel for APs

C.
Allows controllers to provision the best power setting for APs

66
Q

Which of the following metrics does the ARM feature use to calculate the optimal channel and power level for Access Points? (Choose two)

A.
RF Spectrum Index

B.
Priority Index

C.
Interference Index

D.
Coverage Index

E.
Frequency Index

A

C.
Interference Index

D.
Coverage Index

67
Q

How does the ARM Band Steering feature encourage 5GHz capable clients to move/connect to the 5GHz radios of Aruba APs?

A.
ARM suppresses the probe response on the 2.4 GHz radio

B.
ARM utilizes third party software on the wireless clients

C.
Current Wi-Fi chipset firmware supports this by default

D.
It’s not possible to move clients to 5GHz radios when they can see both 2.4 and 5GHz APs

E.
ARM disables the 2.4GHz radio for the specified client

A

A.
ARM suppresses the probe response on the 2.4 GHz radio

68
Q

Which of the statements below are TRUE regarding ARM’s Spectrum Load Balancing feature? (Choose two)

A.
Available only on 5GHz radios

B.
Disabled by default

C.
Balances client load across available channels/APs

D.
Enabled by default

E.
Available only on 2.4GHz radios

A

B.
Disabled by default

C.
Balances client load across available channels/APs

69
Q

What is the function of Band Steering?

A.
Balancing clients across APs on different channels within the same band

B.
Encourages clients, 5GHz capable, to connect on the 5GHz spectrum

C.
Coordinate access to the same channel across multiple APs

D.
Enables selection of 20 vs. 40 MHz mode of operation per band

E.
Enables acceptable coverage index on both the “b/g” and “a” spectrums

A

B.
Encourages clients, 5GHz capable, to connect on the 5GHz spectrum

70
Q

What are the Airtime Allocation Policy options for Airtime Fairness? (Choose three)

A.
Default Access

B.
Priority Access

C.
Fair Access

D.
Preferred Access

E.
Distributed Access

A

A.
Default Access

C.
Fair Access

D.
Preferred Access

71
Q

Which of the following statements is true of Spectrum Mode?

A.
No licenses are required to run an AP in Spectrum mode

B.
Spectrum mode can only be configured for one AP at a time

C.
An AP can be in spectrum mode for both 2.4 and 5G bands at the same time

D.
An AP can be placed in Spectrum Mode via the Spectrum Profile

E.
Spectrum mode can be configured from the GUI under AP installation

A

C.
An AP can be in spectrum mode for both 2.4 and 5G bands at the same time

72
Q

Which ARM feature addresses the issue of sticky clients by moving clients to associate to APs with better 802.11 signal quality?

A.
Co-Channel interference mitigation

B.
Airtime Fairness

C.
ClientMatch

D.
Coordinated access to a single channel

E.
Band Steering

A

C.
ClientMatch

73
Q

Aruba Client Match does NOT use which of the following parameters to determine the best AP for a client connection? (Choose two)

A.
Device type

B.
Location

C.
Signal to Noise Ratio

D.
Access Point load

E.
Spectrum Analysis

A

C.
Signal to Noise Ratio

D.
Access Point load

74
Q

Which settings cannot be modified directly from a local controller?

A.
Port VLAN setting

B.
Switch Time Zone

C.
Port trusted

D.
Roles

E.
SNMP Enable Trap Generation

A

D.
Roles

75
Q

Masters communicate configuration information with locals using which tunnel type?

A.
GRE

B.
IP in IP

C.
Provision Tunnel Protocol

D.
IPSec

E.
PPTP

A

D.
IPSec

76
Q

The administrator notes that most of the configuration options are grayed out and have no action. What is the cause of the problem?

A.
attempting to make global changes on a Master Controller

B.
attempting to make global changes on a Local Controller

C.
this change can only be performed via the CLI

D.
does not have the correct software license

E.
there is an error in the configuration

A

B.
attempting to make global changes on a Local Controller

77
Q

Referring to the above screen capture, on which Controller can you create a vlan?

A.
Controller 10.1.11.100 only

B.
Controller 10.1.11.101 and 10.254.1.3 only

C.
All three Controllers

D.
None of the Controllers

E.
Controller 10.254.1.101 only

A

C.
All three Controllers

78
Q

Referring to the above screen capture, on which controller can you add an administrative user and assign a controller management role?

A.
Controller 10.1.11.100 only

B.
Controller 10.1.11.101 and 10.254.1.3 only

C.
All three Controllers

D.
Must be done in the RADIUS server

E.
Controller 10.254.1.101 only

A

C.
All three Controllers

79
Q

By default, which controller’s internal database will be used for user authentication?

A.
Controller 10.1.11.100 only

B.
Controller 10.1.11.101 and 10.254.1.3 only

C.
All three Controllers

D.
You can’t tell from this screen

E.
The Controller with the user session

A

A.
Controller 10.1.11.100 only

80
Q

Referring to the above screen capture, on which controller can you modify APs configuration to enable ARM?

A.
Controller 10.1.11.100 only

B.
Controller 10.1.11.101 and 10.254.1.3 only

C.
All three Controllers

D.
None of the Controllers

E.
On Controllers where ARM is enabled

A

A.
Controller 10.1.11.100 only

81
Q

With CPSec disabled, Aruba access points are Layer 3 connected to controllers using which protocol?

A.
802.1q

B.
LWAPP

C.
PPTP

D.
GRE

E.
HTTPs

A

D.
GRE

82
Q

With CPSec disabled, which encryption protocol does a tunnel mode campus AP use on client traffic?

A.
TKIP and AES

B.
It is provisioned by the Administrator

C.
WEP and AES

D.
WEP, TKIP, and AES

E.
No encryption is used

A

E.
No encryption is used

83
Q

In a campus environment, where are encryption keys sent or stored when users roam between tunneled mode APs on the same controller using 802.1X?

A.
sent to the new AP via GRE

B.
sent to the new AP via IPSec

C.
stored on the controller

D.
stored on the RADIUS server

E.
original AP sends keys to new AP

A

C.
stored on the controller

84
Q

In the diagram provided for this question, the wireless user’s laptop is associated with an Aruba AP in tunnel forwarding mode. The AP terminates on the local controller.

When the client transmits, where will the 802.11 headers be removed?

A.
AP

B.
L2 Switch

C.
Router

D.
Controller

E.
Internet

A

D.
Controller

85
Q

When configuring a server group containing 3 servers, a customer chooses ‘fail through mode’. What other configuration option has to be enabled on the controller for this to work with 802.1x authentication?

A.
Machine authentication

B.
EAP Termination

C.
Server group fall through mode

D.
MAC authentication

E.
Round robin or top down mode

A

B.
EAP Termination

86
Q

A campus AP has been provisioned with a VAP in bridge forwarding and standard operation modes. Which of the following authentication types are supported? (Choose two)

A.
802.1X authentication

B.
Open System authentication

C.
Local authentication

D.
Captive portal authentication

E.
VPN authentication

A

A.
802.1X authentication

B.
Open System authentication

87
Q

Which method is NOT supported to provision an Aruba campus AP?

A.
Telnet directly to AP

B.
SSH to the AP’s controller

C.
Web interface to the AP’s controller

D.
Console to AP

E.
CLI on controller

A

A.
Telnet directly to AP

88
Q

When direct consoled to an AP, what is the command sequence to factory default the AP and re-bootstrap?

A.
setenv bootstat init

B.
setenv master init, boot

C.
purge, save, boot

D.
init, save, boot

E.
print, purge, boot

A

C.
purge, save, boot

89
Q

What settings need to be changed on a factory default AP in order for it to use ADP to discover the Aruba Controller?

A.
DNS of the controller

B.
Static route

C.
AP group

D.
enable multicast

E.
no changes needed

A

E.
no changes needed

90
Q

As illustrated in the above diagram, a company has two campus locations and a building headquarters all located in different cities.

Following best practices, what would be the best way to construct mobility domains for the company?

A.
Buildings (1, 2) in one domain and Buildings (3, 4, 5, 6) in one domain

B.
Buildings (1, 2) in one domain, Building (3) in one domain, and Buildings (4, 5, 6) in one domain

C.
Buildings (1, 2, 4, 5, 6) in one domain and Building (3) in one domain

D.
Buildings (1, 2, 3, 4, 5, 6) in one domain

E.
Buildings (1) in one domain building (4) in one domain

A

B.
Buildings (1, 2) in one domain, Building (3) in one domain, and Buildings (4, 5, 6) in one domain

91
Q

How many Aruba controllers can be added to a single mobility domain?

A.
64 controllers of any type

B.
128 controllers supporting 2000 users

C.
256 controllers with no more than 1024 subnets

D.
Controllers supporting up to 6000 AP’s

E.
There is no controller limit

A

E.
There is no controller limit

92
Q

In a master-local controller scenario, where is the mobility domain defined?

A.
the AP group

B.
the master controller

C.
the local controller

D.
the master and the local controllers

E.
the master and the local controllers where roaming is needed

A

B.
the master controller

93
Q

A university has 2 departments. Department 1 has its own mobility domain with one controller. Department 2 has multiple controllers configured in a second domain. The university is planning on offering a new application and needs users to be able to roam between both mobility domains. What is the best way to accomplish this?

A.
The 2 existing domains should be left as they are. A 3rd mobility domain should then be created and all 3 controllers need to be added to it

B.
Merge the controllers into the same mobility domain

C.
The IP subnets of all controllers need to be configured to match

D.
This cannot be accomplished

E.
Create a new domain between a department 1 controller and one of the department 2 controllers

A

B.
Merge the controllers into the same mobility domain

94
Q

A port firewall policy is applied to a trunk port that denies controller access. An “allow all” Vlan firewall policy is applied to VLAN 33 on the same port. A user connected to VLAN 33 on that port attempts to gain access to the controller. Which of the following statements is true?

A.
The Port policy is applied, therefore no controller access

B.
The Vlan policy is applied, then the port policy, therefore no controller access

C.
The Vlan policy is applied, therefore access to the controller is allowed

D.
You cannot place a firewall policy on a Ports Vlan when the Port already has a policy, therefore no controller access

E.
When locally connected to a controller’s port you always have controller access

A

C.
The Vlan policy is applied, therefore access to the controller is allowed

95
Q

An access port has been placed in trusted mode. The Vlan on the port is in Untrusted mode. Which of the following statements is true?

A.
The traffic is trusted since the port is trusted

B.
The traffic is untrusted since the VLAN is untrusted

C.
This is an invalid configuration, both must be set the same

D.
You cannot set Vlans as trusted or untrusted

E.
Only traffic from that specific port is trusted, all other traffic is untrusted

A

B.
The traffic is untrusted since the VLAN is untrusted

96
Q

A wired device is connected to an untrusted port on a controller. How can a role be assigned to the device?

A.
An initial Role can be assigned directly to the VLAN

B.
Roles are assigned to devices connected to a trusted port

C.
A default Role can be directly assigned to an untrusted port

D.
Adding a wired AAA profile to a VLAN on the untrusted port

E.
The Role assigned to the untrusted port

A

D.
Adding a wired AAA profile to a VLAN on the untrusted port

97
Q

A port on a controller has been configured as untrusted. No wired access AAA profile or Global AAA profile is configured. When a user connects to that port which of the following statements is true?

A.
Since there is no wired access AAA profile, only port policies will be applied

B.
The user will fall into the default wired access AAA profile and will be given the initial role.

C.
Since there is no wired access AAA profile or Global AAA profile the user will be given the logon role.

D.
When configuring the port as untrusted, an error message of “no wired access AAA profile exists” Therefore this is an invalid configuration.

E.
the user is denied all access automatically because no wired access AAA or Global AAA profile is assigned.

A

C.
Since there is no wired access AAA profile or Global AAA profile the user will be given the logon role.

98
Q

Which method can APs use to discover a controller?

A.
DHCP

B.
Dynamic DNS (DDNS)

C.
PnP

D.
PAPI

E.
HTTPS

A

A.
DHCP

99
Q

When APs boot up, in which order do they discover a controller?

A.
DNS, DHCP, ADP multicast, ADP unicast, static

B.
static, DNS, DHCP, ADP broadcast, ADP multicast

C.
static, DHCP, ADP multicast, ADP broadcast, DNS

D.
static, DHCP, DNS, ADP multicast, ADP broadcast

E.
DNS, static, ADP multicast, ADP broadcast

A

C.
static, DHCP, ADP multicast, ADP broadcast, DNS

100
Q

An AP is not communicating with the controller. Upon investigation you find that the AP is not discovering its controller through DNS. Instead, it received a DHCP reply with option 43 specifying the SIP server’s IP address. How do you resolve this problem?

A.
Statically configure the AP to ignore Option 43

B.
Remove the option 43 configuration on the DHCP server

C.
Statically configure the AP to only use DNS resolution and not other dynamic discovery methods

D.
After failing option 43 the AP should have proceeded with ADP, therefore the AP is faulty and needs to be replaced

E.
The AP should be purged

A

B.
Remove the option 43 configuration on the DHCP server

101
Q

How is an AP redirected to a Local controller after DNS resolution returns the Master’s IP address?

A.
Master looks at the AP-Group and CONTROLLER-IP attributes

B.
Master looks at the AP-Group and LMS-IP attributes

C.
In the AP-provisioning screen, the LMS-IP attribute must be set

D.
The AP must be statically configured to find the local controller

E.
In the AP-provisioning screen, set the CONTROLLER-IP attribute

A

B.
Master looks at the AP-Group and LMS-IP attributes

102
Q

An AP was configured and assigned to an AP group then powered off for over a week. When the AP is redeployed, what previous configuration will it retain?

A.
Its AP name and AP Group

B.
Its Serial Number

C.
The controller’s IP address

D.
After a few days all configurations are lost

E.
The controller IP address and the AP Group

A

A.
Its AP name and AP Group

103
Q

A 3600 controller has 64 PEF-NG licenses, 128 AP licenses and 1 RFProtect license. How many APs can terminate on the controller?

A.
1 Campus APs

B.
64 Campus APs

C.
128 Remote APs

D.
256 Remote APs

E.
512 Remote APs

A

A.
1 Campus APs

104
Q

A 3200 controller has 16 AP licenses, 16 PEF-NG licenses, 16 RFProtect licenses. There are 10 Campus APs terminating on the controller. How many remote APs can terminate on the controller?

A.
6

B.
12

C.
16

D.
24

E.
32

A

A.
6

105
Q

Centralized licensing is not enabled in a network of 1 Master and 2 Local controllers, what should be the license count on all controllers to terminate 8 APs on each Local controller and support Local redundancy?

A.
16 AP license on all controllers

B.
8 AP license on Master and 16 AP license on both locals

C.
8 AP license on all controllers

D.
1 AP license on Master and 16 AP license on both locals

E.
16 AP licenses on the Locals

A

D.
1 AP license on Master and 16 AP license on both locals

106
Q

A 7240 controller is licensed for 560 APs. The controller has 500 Campus APs terminating on the controller. How many Remote APs can terminate on this controller?

A.
12

B.
24

C.
48

D.
60

E.
120

A

D.
60

107
Q

An Aruba Controller is configured with VLAN 1, 5, 200, and 4095. All VLANs have IP addresses assigned. Which is the default management VLAN on the Aruba controller?

A.
VLAN 5

B.
VLAN 1

C.
VLAN 200

D.
None, it must be defined

E.
VLAN 4095

A

B.
VLAN 1

108
Q

Which of the following statements is true?

A.
Aruba Campus APs must be physically attached to the Aruba Controller.

B.
Aruba Campus APs must be in the same broadcast domain as the Controller.

C.
Aruba Campus APs can be in different subnets from the Controller.

D.
Aruba Campus APs must be physically attached to the same Layer 3 switch.

E.
Aruba Campus APs can be connected directly to the public internet.

A

C.
Aruba Campus APs can be in different subnets from the Controller.

109
Q

Referring to the diagram provided for this question, in which locations must you define the new data VLANs for wireless client traffic? (Choose two)

A.
in all L2 switches where an Aruba AP is physically connected

B.
in all APs and the L2 switches to which they are connected

C.
in the Aruba controller and the router it’s connected to in an L2 deployment

D.
in the routers and switches where the APs are physically connected

E.
only on the Aruba controller in an L3 deployment

A

C.
in the Aruba controller and the router it’s connected to in an L2 deployment

E.
only on the Aruba controller in an L3 deployment

110
Q

A controller is provisioned in L3 Mode for Wireless Users. What must be configured on the controller to enable DHCP requests to an external DHCP server?

A.
an IP helper command

B.
the IP address of the DNS server

C.
the IP address of the APs

D.
the subnet address of the DHCP server

E.
the DHCP server IPSEC Key

A

A.
an IP helper command

111
Q

Which parameter(s) does a Master controller use to determine where a provisioned AP should terminate its GRE tunnel?

A.
the IP address of the AP

B.
the MAC address of the AP

C.
the IP address of the switch nearest to the AP

D.
the name and group settings of the AP

E.
the VLAN the AP is attached to

A

D.
the name and group settings of the AP

112
Q

Which of the following configurations can accept a VLAN pool? (Choose two)

A.
Trunk native VLAN

B.
Virtual AP profile

C.
User Role

D.
Server derived role

E.
FW Policies

A

B.
Virtual AP profile

C.
User Role

113
Q

What does Aruba Layer 3 redundancy require to operate?

A.
LMS-IP

B.
Backup LMS-IP

C.
VRRP

D.
Backup AP group

E.
ARM

A

B.
Backup LMS-IP

114
Q

In the diagram provided for this question, the client laptop is associated with the Aruba AP. The Aruba controller is configured to perform L2 switching for this SSID.
What will be the client laptop default gateway?

A.
A

B.
B

C.
C

D.
D

E.
E

A

C.
C

115
Q

Where does the other end terminate?

A.
A

B.
B

C.
C

D.
D

E.
A or B

A

A.
A

116
Q

Which VLAN(s) do NOT need to be configured on link A between the L2 switch and router to support the wireless users?

A.
101 and 102

B.
101 and 103

C.
102 and 103

D.
only 101

E.
only 103

A

A.
101 and 102

117
Q

Which VLANs must be configured on trunk link D between the router and Aruba controller to support wireless users when the controller is provisioned for L2 operations?

A.
10, 101 and 102

B.
101 and 102

C.
101, 102 and 103

D.
10, 101, 102 and 103

E.
10 and 103

A

A.
10, 101 and 102

118
Q

Referring to the diagram provided for this question, if the Aruba controller is configured to perform L3 switching, what will be the wireless client laptop default gateway?

A.
A

B.
B

C.
C

D.
D

E.
E

A

D.
D

119
Q

When configuring Captive Portal, which protocols are supported when accessing the Captive Portal? (Choose two)

A.
HTTPS

B.
VPN

C.
HTTP

D.
TELNET

E.
SSH

A

A.
HTTPS

C.
HTTP

120
Q

When the controller is configured for Captive Portal and the user is only required to provide an email address for authentication, which option is configured in the GUI?

A.
enable termination

B.
enable guest logon

C.
enable user logon

D.
eap method

E.
disable CP Login

A

B.
enable guest logon

121
Q

What does the user need to do to logout?

A.
wait 30 minutes then logout

B.
wait 60 minutes then logout

C.
click Logout on the browser screen

D.
he cannot logout

E.
wait 10 seconds for redirect

A

C.
click Logout on the browser screen

122
Q

How was the user authenticated?

A.
with a radius server called Radius01

B.
with the Internal database

C.
with a radius server called Internal

D.
with another form of authentication

E.
user wasn’t authenticated against any server

A

E.
user wasn’t authenticated against any server

123
Q

Where should mobility domains be enabled in a network with 1 master, 1 backup master and 5 local controllers?

A.
Only on the master controller

B.
All the local controllers in the network

C.
All the controllers where the client is allowed to roam

D.
Master and backup master

E.
Only on the backup master

A

C.
All the controllers where the client is allowed to roam

124
Q

What are two different methods of configuring AP redundancy between 2 local controllers? (Choose two)

A.
Fast-Failover

B.
Configure the locals as remote nodes

C.
Use named VLANS

D.
LMS and Backup LMS IP

E.
AP Redundancy can only be configured between a Master and Local

A

A.
Fast-Failover

D.
LMS and Backup LMS IP

125
Q

An Aruba 650 controller is functioning as a standby Master. How many APs can it control while in standby mode?

A.
0

B.
16

C.
24

D.
128

E.
256

A

A.
0

126
Q

A pair of Aruba 3200XM controllers are licensed to their maximum and are configured as a VRRP pair. Each controller terminates 24 APs. One of the controllers fails. How many of the APs from the failed controller can fail over to the remaining controller?

A.
8

B.
16

C.
32

D.
48

E.
96

A

A.
8

127
Q

Which protocol does the Aruba controller utilize for controller redundancy?

A.
HSRP

B.
VRRP

C.
VPN

D.
GRE

E.
IP-IP

A

B.
VRRP

128
Q

With Fast-Failover disabled, to which IP address should the Aruba AP terminate its GRE tunnel for layer 2 controller redundancy to work and to support failover of access points?

A.
VRRP IP address

B.
management IP of an Aruba controller

C.
management IP of the backup Aruba controller

D.
HSRP IP address

E.
Loopback IP address of backup Aruba controller

A

A.
VRRP IP address

129
Q

When an Aruba 6000 controller has two M3 modules installed, for which uses may the modules be used? (Choose two)

A.
hot standby operations

B.
VRRP backup

C.
higher AP density per switch chassis

D.
Active-Active masters

E.
Active-Active master-backup

A

B.
VRRP backup

C.
higher AP density per switch chassis

130
Q

Referring to the diagram provided for this question, an employee brought an unauthorized AP from home and attached the LAN port to the cubicle Ethernet port. All Aruba APs and AMs as well as the employee AP are in VLAN 80 and within RF range of each other. No traffic from the wired or wireless network has passed through the unauthorized AP yet, but the AP began wireless broadcasts.

How will the Aruba system initially classify the employee’s non-Aruba AP?

A.
a valid AP

B.
an AM

C.
a Rogue AP

D.
an interfering AP

E.
a known interfering AP

A

D.
an interfering AP

131
Q

Referring to the diagram provided for this question, an employee brought an unauthorized AP from home and attached it to the cubicle Ethernet port as shown in the diagram. The APs are in VLANs as shown in the diagram. Only AP1 is within RF range.

How will the Aruba controller classify this AP?

A.
an AP

B.
an AM

C.
a Rogue AP

D.
an Interfering AP

E.
a workstation

A

D.
an Interfering AP

132
Q

Referring to the diagram provided for this question, an employee brought an unauthorized AP from home, but did not attach it to the LAN infrastructure. The APs are in the VLANs as shown in the diagram. Only AP1 is within RF range of the employee AP.

By default, how will the Aruba system classify the employee’s AP?

A.
an AP

B.
an AM

C.
a Rogue AP

D.
an Interfering AP

E.
a valid workstation

A

D.
an Interfering AP

133
Q

What can an AM do that an AP cannot do?

A.
Detect rogue APs

B.
Detect an AP failure

C.
Scans all channels in under 1 minute

D.
Detect interfering APs

E.
Scan all valid channels

A

C.
Scans all channels in under 1 minute

134
Q

(group8) #show ap active
Active AP Table
---------------
Name  Group      IP Address   11g Clients  11g Ch/EIRP/MaxEIRP  11a Clients  11a Ch/EIRP/MaxEIRP
----  -----      ----------   -----------  -------------------  -----------  -------------------
AP1   building1  10.1.80.150  0            AM                   0            AM
AP2   building1  10.1.80.151  0            AM                   0            AM
A user called technical support because they cannot see any of their APs in building one.
You perform the “show” command as illustrated above.
What can you conclude about these two APs from this output?

A.
the GRE for the APs terminate on two different controllers: 10.1.80.150 and 10.1.80.151

B.
the system will not function because there is no building1 group defined

C.
the building1 APs will not accept any user connections

D.
the user needs to configure his client to use the b/g band

E.
the user needs to configure his client to use the a band

A

C.
the building1 APs will not accept any user connections

135
Q

Based on the above screen capture for Interfering APs, what can you conclude?

A.
The APs must be connected to the Aruba network.

B.
The APs are classified as interfering because they are all transmitting on channel 6.

C.
There must not be any evidence that the APs are attached to the wired corporate network.

D.
These APs are classified as interfering because they are not Aruba APs.

E.
They are classified as interfering because they are running in g mode.

A

C.
There must not be any evidence that the APs are attached to the wired corporate network.

136
Q

As illustrated in the above diagram and screen capture, a wireless hacker injects messages into your network to detach a client from your Aruba AP.

What action should you take to identify and prevent the Intruder from connecting to your system? (Choose two)

A.
Enable Detect disconnect Station Attack

B.
Enable Spoofed Deauth Blacklist

C.
Take no action as there is no protection against this form of attack

D.
Take no action as the Aruba system ignores this attack because it is against the client

E.
Enable Detect EAP rate Anomaly

A

A.
Enable Detect disconnect Station Attack

B.
Enable Spoofed Deauth Blacklist

137
Q

(group8) #show ap arm history ap-name AP1
Interface :wifi0
ARM History
-----------
Time of Change       Old Channel  New Channel  Old Power  New Power  Reason
--------------       -----------  -----------  ---------  ---------  ------
2010-10-28 07:58:53  157+         149+         21         21         I
2010-10-28 07:52:06  149+         157+         21         21         M
2010-10-28 07:16:59  157+         149+         21         21         I
Interface :wifi1
ARM History
-----------
Time of Change       Old Channel  New Channel  Old Power  New Power  Reason
--------------       -----------  -----------  ---------  ---------  ------
2010-10-28 08:52:53  6            1            21         21         I
Referring to the output above, what can you conclude about AP1?

A.
This device is scanning channels.

B.
This device is unstable because the channel assignment changed.

C.
The device changed channels recently.

D.
The device changed channels and power levels recently.

E.
The device is transmitting at maximum power levels.

A

C.
The device changed channels recently.

138
Q

Which of the following parameters can be specified in a rule for AP classification? (Choose three)

A.
SSID of an AP

B.
Number of clients connected to an AP.

C.
SNR of an AP.

D.
Operating mode of an AP

E.
Discovering APs

A

A.
SSID of an AP

C.
SNR of an AP.

E.
Discovering APs

139
Q

Which of the following functions can be configured in the Controller WIP wizard? (Choose three)

A.
Configure APs as Air Monitors

B.
Configure rules for AP classification.

C.
Configure preset levels for intrusion detection

D.
Blacklisting Rules for clients

E.
Identify encryption method used in your network.

A

B.
Configure rules for AP classification.

C.
Configure preset levels for intrusion detection

E.
Identify encryption method used in your network.

140
Q

A client device associates with an SSID provisioned with 802.1X authentication. The client is set for PEAP authentication. EAP termination (AAA Fastconnect) is disabled on the controller. But the client continuously cycles through the authentication process. Which of the following could cause this? (Choose two)

A.
The client is provisioned with the wrong EAP type.

B.
The client has an expired or revoked server certificate.

C.
The DHCP server is not enabled.

D.
The VLAN is missing for the SSID.

E.
The controller does not support PEAP in this mode.

A

A.
The client is provisioned with the wrong EAP type.

B.
The client has an expired or revoked server certificate.

141
Q

A client device associates with an SSID provisioned with 802.1X authentication. The client is set for LEAP authentication. EAP termination (AAA Fastconnect) is enabled on the controller. But the client continuously cycles through the authentication process. Which of the following could cause this?

A.
The Radius server is rejecting the client credentials.

B.
The client has an expired or revoked server certificate.

C.
The DHCP server is not enabled.

D.
The VLAN is missing for the SSID.

E.
The controller does not support LEAP in this mode.

A

E.
The controller does not support LEAP in this mode.

142
Q

A client attaches to a secure jack interface set to untrusted. But when the client tries to access the captive portal page, the following message appears, “Web Authentication is not enabled.” What might be wrong?

A.
The client has the browser provisioned with proxy settings.

B.
The controller port needs to be set to trusted.

C.
A “aaa” profile needs to be selected on the Wired Access page.

D.
A Captive Portal profile needs to be assigned to the initial role.

E.
Web Authentication cannot be used in this way.

A

D.
A Captive Portal profile needs to be assigned to the initial role.

143
Q

Which command, when executed on a master controller, will show the APs connected to all controllers?

A.
show stm connectivity

B.
show ap active

C.
show ap database

D.
show ap bss-table

E.
show ap controller-lms

A

C.
show ap database

144
Q

Which of the following commands is most useful in showing the traffic of an individual user?

A.
show datapath session table

B.
show acl hits

C.
show rights

D.
show firewall

E.
show traffic client

A

A.
show datapath session table

145
Q

An Aruba based network has a Master and four local controllers deployed. But one of the locals, a new installation, is not seen by the Master. What might be wrong? (Choose two)

A.
PAPI is not enabled on the local controller.

B.
The master controller can only support three local controllers.

C.
IPSec is blocked by the internal network between the local and the master controllers.

D.
The passphrase does not match on the master and local controllers.

E.
GRE is blocked between the master and local controllers.

A

C.
IPSec is blocked by the internal network between the local and the master controllers.

D.
The passphrase does not match on the master and local controllers.

146
Q

An Aruba controller is configured with the correct IP address and gateway information and is connected to the corporate LAN via a core layer 2 switch. Control Plane Security is not enabled on the network. An access point is provisioned with AP name and group and connected to a different Layer 2 switch on the corporate LAN that has IP connectivity to the core layer 2 switch. The AP powers on and layer 2 connects to the network, but the wireless radios do not power on.
Which could cause this condition? (Choose two)

A.
the layer 2 switches have ACLs that block GRE traffic

B.
the layer 2 switches are configured to block IPSec traffic

C.
a DHCP server is not configured for the segment to which the AP is connected

D.
the AP’s mac address needs to be configured in the Aruba controller whitelist.

E.
the AP and controller are in different subnets

A

A.
the layer 2 switches have ACLs that block GRE traffic

C.
a DHCP server is not configured for the segment to which the AP is connected

147
Q

Most of the wireless LAN traffic will be from students accessing the internet.

According to Aruba best practices, which building is the best location to install the Aruba mobility controller?

A.
data center

B.
dormitory

C.
server farm

D.
library

E.
3rd party site

A

A.
data center

148
Q

Referring to the diagram provided for this question, representing an office wireless LAN deployment, there will be approximately 250 users in the offices section of the building. All Switches are setup as L3 routers.

According to Aruba best practice, which network device is the best choice for the wireless clients’ default gateway?

A.
device ‘A’

B.
device ‘B’

C.
device ‘C’

D.
device ‘D’

E.
device ‘C or D’

A

B.
device ‘B’

149
Q

One hundred (100) additional APs were deployed in an existing network. But some APs are not able to connect to the lms-ip address, even though all of the APs belong to the same AP group. Which of the following are NOT potential causes? (Choose two)

A.
The problem APs are not getting an IP address.

B.
The problem APs have the wrong lms-ip address setting.

C.
There is a firewall between the problem APs and the controller blocking PAPI.

D.
The controller does not support that many APs in a single AP-Group.

E.
There are not enough AP licenses to support the additional quantity of APs.

A

B.
The problem APs have the wrong lms-ip address setting.

D.
The controller does not support that many APs in a single AP-Group.

150
Q

IEEE 802.11r provides support for which of the following:

A.
radio measurements within a WLAN

B.
radio measurement within an ESS

C.
fast roaming within an ESS

D.
fast roaming within a BSS

E.
roaming across controllers

A

C.
fast roaming within an ESS

151
Q

If a Remote AP (RAP) is attempting to contact a controller that is behind a NAT device what protocol must be allowed through the NAT/Firewall?

A.
PAPI

B.
NATT

C.
IPSec

D.
SSH

E.
GRE

A

B.
NATT

152
Q

Which of the following are NOT valid RAP forwarding modes? (Choose two)

A.
Tunnel

B.
Bridge

C.
Split-Tunnel

D.
Backup

E.
Standard

A

D.
Backup

E.
Standard

153
Q

Which of the following are valid RAP operating modes?

A.
Always, Backup, Standard, Persistent

B.
Always, Backup, Tunnel, Persistent

C.
Always, Hotel-Connect, Tunnel, Standard

D.
Backup, Hotel-Connect, Standard, Persistent

E.
Backup, Normal, Tunnel, Always

A

A.
Always, Backup, Standard, Persistent

154
Q

When configuring split tunnel mode on a Remote AP (RAP) where is the routing function for the split tunnel defined?

A.
On the IP routing tab in the configuration screen.

B.
On the AP provisioning screen.

C.
In the RAP static routing tables

D.
In the Firewall policy

E.
In the RAP whitelist

A

D.
In the Firewall policy

155
Q

When does a RAP’s backup SSID begin broadcasting?

A.
When the GRE tunnel to the controller is established.

B.
When the IPSec tunnel to the controller is established.

C.
When the controller cannot be reached with PAPI

D.
When bridging is required for guest users.

E.
When the controller cannot be reached with SSL

A

C.
When the controller cannot be reached with PAPI

156
Q

A Remote AP provisioned in “Split-Tunnel” Forwarding mode has which characteristic?

A.
Local traffic first goes to the controller and is then split back to the local network.

B.
Traffic is IPSec encrypted before it is sent to the controller.

C.
The user role must have a “Permit” statement in order to locally bridge the traffic.

D.
The user role must have a “route dst-nat” statement to locally bridge the traffic.

E.
The RAP uses PAPI to send data traffic to the controller.

A

B.
Traffic is IPSec encrypted before it is sent to the controller.

157
Q

A Remote AP was functioning properly before losing its internet connection and now cannot communicate with the controller. What SSID is the AP broadcasting?

A.
The SSID in Operational mode Always and Forwarding mode Backup

B.
The SSID in Operational mode Split Tunnel and Forwarding mode Bridge

C.
The SSID in Operational mode Always and Forwarding mode Tunnel

D.
The SSID in Operational mode Standard and Forwarding mode Tunnel

E.
The SSID in Operational mode Persistent and Forwarding mode Bridge

A

E.
The SSID in Operational mode Persistent and Forwarding mode Bridge

158
Q

A Remote AP provisioned with an SSID in “Bridged” forwarding mode has which one of the following characteristics?

A.
The client obtains its IP address from the controller.

B.
The client’s default gateway must be the controller.

C.
The client traffic is forwarded through a GRE tunnel to the controller.

D.
The client’s default gateway may be the Access Point or a local gateway.

E.
The client’s authentication must be 802.1X.

A

D.
The client’s default gateway may be the Access Point or a local gateway.

159
Q

An AP 105 was converted into a RAP. The RAP can authenticate its IPSec tunnel to a controller using which of the following methods? (Choose two)

A.
802.1X/EAP authentication

B.
Captive Portal authentication

C.
IP address authentication

D.
Username/Password authentication.

E.
Certificate/MAC address authentication.

A

D.
Username/Password authentication.

E.
Certificate/MAC address authentication.

160
Q

Which of the following describes a Remote AP provisioned in “Split-Tunnel” Forwarding mode?

A.
Local user traffic first goes to the controller and is then split back to the local network.

B.
All data and control traffic goes to the controller unsecured.

C.
The user role must have a “Permit” statement in order to locally bridge the traffic.

D.
The user role must have a “route src-nat” statement to locally bridge the traffic.

E.
The RAP uses PAPI to send data traffic to the controller.

A

D.
The user role must have a “route src-nat” statement to locally bridge the traffic.

161
Q

A Remote AP provisioned in “Split-Tunnel” Forwarding mode has which of the following characteristics?

A.
Local traffic first goes to the controller and is then split back to the local network.

B.
User Traffic is CPSec encrypted before it is sent to the controller.

C.
The user role must have a “Permit” statement in order to locally bridge the traffic.

D.
The user role must have a “permit dst-nat” statement to locally bridge the traffic.

E.
The RAP uses UDP 4500 to send traffic to the controller.

A

E.
The RAP uses UDP 4500 to send traffic to the controller.

162
Q

What is the purpose of Mesh Clusters?

A.
To separate Mesh points from Mesh Portals.

B.
To ensure that mesh APs with the same VAPs are not in the same cluster.

C.
To define a group of mesh APs that create mesh links with each other.

D.
To cluster mesh APs of the same model together.

E.
To enable mesh APs to join the nearest mesh portal cluster.

A

C.
To define a group of mesh APs that create mesh links with each other.

163
Q

A company purchased an indoor mesh deployment using the 620 controller and the AP 105 models, where 5 APs will be deployed on a floor to provide wireless internet access for users. Users may open VPN tunnels using software clients over the wireless network to a 3rd party VPN concentrator overseas. The company wants to limit wireless user access to TCP traffic locally and VPN traffic overseas.
In addition to the base AOS, which licenses will be necessary for this deployment?

A.
VPN, PEF-NG

B.
AP Capacity, PEF-NG

C.
AP Capacity, PEF-NG, VPN

D.
AP Capacity

E.
PEF-NG, PEF-V

A

B.
AP Capacity, PEF-NG

164
Q

When deploying Remote Mesh Portals, what is one of the purposes of the Mesh Private VLAN?

A.
To separate wireless user traffic coming from mesh networks from non-mesh networks

B.
To tag mesh wireless user traffic on a particular AP

C.
To allow Mesh Points to form private vlan networks with certain users

D.
To tag control plane traffic from Mesh points to the controller

E.
To tag clients’ high priority traffic

A

D.
To tag control plane traffic from Mesh points to the controller

165
Q

How does an Aruba infrastructure calculate a wireless device’s location?

A.
GPS

B.
RF Fingerprinting

C.
RSSI triangulation

D.
TDOA

E.
LBS

A

C.
RSSI triangulation