Which dual radio access point models support concurrent operations in the 2.4GHz band as well as the 5GHz band? (Choose three)
- A . AP-92
- B . AP-93
- C . AP-105
- D . AP-224
- E . AP-135
Which of the following APs do NOT support dual radio operations? (Choose two)
- A . AP 93
- B . AP 105
- C . RAP 3WN
- D . AP 224
- E . AP 135
An AP135 has been configured with 3 SSIDs supported on both 2.4GHz and 5GHz bands.
How many GRE tunnels will be created between the AP 135 and the controller?
- A . 3
- B . 4
- C . 6
- D . 7
- E . 8
D
Explanation:
1-3 – Licensing
Centralized licensing is not in use on an Aruba based network which has a Master and three local controllers. No APs terminate on the Master controller. Roles and Firewall policies need to be created and applied, hence PEF-NG license is required.
On which controller should the license be installed?
- A . Only the master controller since role and firewall policies are created here.
- B . only the local controllers since firewall policies are applied here
- C . the master and all three local controllers
- D . this isn’t the correct license for this purpose, use PEF-VPN license
- E . this is not needed because PEF-NG is part of base OS
What information do you need to generate a feature license key for an Aruba controller?
- A . The controller’s MAC address and the feature description.
- B . controller’s MAC address and the certificate number
- C . controller’s Serial Number and the feature description
- D . controller’s Serial Number and the certificate number
- E . controller’s MAC address and Serial Number
What are the PEF-NG license limits based on?
- A . Number of APs
- B . One license per controller
- C . Number of users
- D . Number of local controllers
- E . Master Controller total user count
Which of the following licenses are consumed by Mesh APs advertising an SSID?
- A . AP license
- B . Mesh license
- C . PEF-V license
- D . No license is required
- E . RAP License
The permanent licenses on the controller will be deleted with the use of which command?
- A . delete license
- B . write erase
- C . Licenses cannot be deleted once activated
- D . write erase all
- E . reboot delete all
A network administrator wants to terminate VPN sessions on a local controller in the DMZ.
Which statement is true about the PEF-VPN license?
- A . It is only applied to the master controller
- B . It is only applied to the DMZ controller.
- C . It is based on the number of APs
- D . One license is needed on the master and the DMZ local
- E . It is distributed by the license server as needed
What is the best practice regarding licensing for a backup master to support Master Redundancy in a network without centralized licensing?
- A . Backup master only requires the AP license
- B . Supported limits and installed licenses should be the same on primary master and backup Master
- C . Licenses are pushed from the primary to the backup Master along with the configuration
- D . The Backup Master does not require licenses to support master redundancy
- E . On the backup, only one license of each type is needed.
Which of the following licenses can be included in the licensing pool for centralized licensing? (Choose three)
- A . Factory default licenses
- B . Master Controller licenses
- C . Evaluation licenses
- D . Local Controller licenses
- E . PEFV license
By default Centralized licensing messages between master and local controllers are sent ___________________.
- A . In the clear unencrypted since the master and local controllers already share IPSEC tunnels.
- B . Using CPSec
- C . Using IPSec site to site VPN tunnels
- D . Encrypted using GRE
- E . PAPI
Which of the following will occur if a master license server fails with no standby server present? (Choose two)
- A . Local controllers licenses will continue to be valid for 30 days
- B . Local controllers will immediately remove all installed licenses
- C . No licenses will be sent to any new controllers that come online
- D . All licenses go back into the pool for redistribution
- E . A Local Controller elects itself master license server
An evaluation license is valid for a maximum of ________?
- A . 30 Days
- B . 60 Days
- C . 90 Days
- D . 6 Months
- E . 12 Months
The following licenses have been installed on these controllers:
Master-1: 8 AP licenses
Local-2: 8 AP licenses
Local-3: 5 Evaluation AP Licenses
Local-4: 10 Factory installed AP licenses
Central Licensing is enabled.
What is the AP Pool capacity on the Central License Server?
- A . 8
- B . 16
- C . 21
- D . 26
- E . 31
Centralized licensing is not enabled in a network of 1 Master and 2 Local controllers. What should be the license count on all controllers to terminate 8 APs on each Local controller and support Local redundancy?
- A . 16 AP license on all controllers
- B . 8 AP license on Master and 16 AP license on both locals
- C . 8 AP license on all controllers
- D . 1 AP license on Master and 16 AP license on both locals
- E . 16 AP licenses on the Locals
Which may be applied directly to a VLAN interface? (Choose three)
- A . Access List (ACL)
- B . Firewall Policy
- C . Roles
- D . AAA profiles
- E . RF Plan Map
When creating a firewall rule on an Aruba controller, which parameter is optional?
- A . Destination
- B . Service
- C . Source
- D . Log
- E . Action
What are valid methods of blacklisting a device? (Choose three)
- A . Manually
- B . Firewall Rule
- C . Firewall Policy
- D . Authentication Failures
- E . Data Rate Thresholds
What is the blacklist default time?
- A . 30 seconds
- B . 1800 seconds
- C . 3600 seconds
- D . No default time, it must be done manually
- E . 1 day
C
Explanation:
2-2 – Roles
An administrator creates a WLAN with an unmodified default AAA profile.
What is the default role the user is placed in?
- A . default-logon
- B . logon
- C . guest-logon
- D . default-ap
- E . AP-Role
What is the first role a user is given when a user associates to an open WLAN?
- A . the guest post authentication role
- B . the initial role in the captive portal profile
- C . the role in the server group profile
- D . the initial role in the AAA profile
- E . The initial role in the 802.1x profile
Which of the following could be used to set a user’s post-authentication role or VLAN association? (Choose two)
- A . AAA default role for authentication method
- B . Server Derivation Rule
- C . Vendor Specific Attributes
- D . AP Derivation Rule
- E . The Global AAA profile
Which describe "roles" as used on Aruba Mobility Controllers? (Choose two)
- A . Roles are assigned to users.
- B . Roles are applied to interfaces.
- C . Policies are built from roles.
- D . A user can belong to only one role at a time.
- E . Roles are a set of authentication rules
AD
Explanation:
2-3 – Aliases
Which netdestination aliases are built into the controller? (Choose three)
- A . logon
- B . any
- C . user
- D . guest
- E . localip
What are aliases used for?
- A . improve controller performance
- B . simplify the configuration process
- C . tie IP addresses to ports
- D . assign rules to policies
- E . assign policies to roles
Which of the following firewall rules allows a user to initiate an ICMP session to other devices? (Choose two)
- A . localip any svc-icmp permit
- B . user any svc-icmp permit
- C . user user svc-icmp permit
- D . any any svc-icmp permit
- E . mswitch any svc-icmp permit
What is true about Global Session ACL? (Choose two)
- A . Any rules will apply to all users in the AP-group
- B . Any rules will apply to all users in the Network
- C . Any rules will apply to all users in the controller
- D . Is in the first position in all roles
- E . When added it is in the first position in selected Role
When creating a firewall rule what are valid choices for the Service/Application field? (Choose three)
- A . Applications
- B . Applications Category
- C . Internet Protocol
- D . Internet Category
- E . Protocol
ABE
Explanation:
2-4 – NAT
The Aruba Policy Enforcement Firewall (PEF-NG) module supports destination network address translation (dst-nat).
Which is the default use of this statement in an Aruba controller configuration?
- A . source the IP addresses of users to specific IP address
- B . redirect HTTP sessions to Captive Portal
- C . redirect Access Points to another Aruba controller
- D . provide a telnet connection to the controller
- E . redirect a SSH session to terminate on the controller
The Aruba Policy Enforcement Firewall (PEF) module supports source network address translation (srcnat).
Which is a use of this statement in an Aruba configuration?
- A . provide a single source IP address for users in a role
- B . redirect Captive Portal HTTP sessions
- C . redirect Access Points to another Aruba controller
- D . provide IP addresses to clients
- E . redirects clients to Aruba Firewall
A
Explanation:
2-5 – Policy Interpretation
Review the following truncated output from an Aruba controller for this item.
(example) #show rights logon

access-list List
----------------
Position  Name           Location
--------  ----           --------
1         logon-control
2         captiveportal

logon-control
-------------
Priority  Source  Destination  Service   Action
--------  ------  -----------  -------   ------
1         user    any          udp 68    deny
2         any     any          svc-icmp  permit
3         any     any          svc-dns   permit
4         any     any          svc-dhcp  permit
5         any     any          svc-natt  permit

captiveportal
-------------
Priority  Source  Destination  Service          Action
--------  ------  -----------  -------          ------
1         user    controller   svc-https        dst-nat 8081
2         user    any          svc-http         dst-nat 8080
3         user    any          svc-https        dst-nat 8081
4         user    any          svc-http-proxy1  dst-nat 8088
5         user    any          svc-http-proxy2  dst-nat 8088
6         user    any          svc-http-proxy3  dst-nat 8088
Based on the above output from an Aruba controller, an unauthenticated user assigned to the logon role attempts to start an http session to IP address 172.16.43.170.
What will happen?
- A . the user’s traffic will be passed to the IP address because of the policy statement: user any svc-http dst-nat 8080
- B . the user’s traffic will be passed to the IP address because of the policy statement: user any svc-https dst-nat 8081
- C . the user’s traffic will be passed to the IP address because of the policy statement: user any svc-http-proxy1 dst-nat 8088
- D . the user will not reach the IP address because of the policy statement: user any svc-http dst-nat 8080
- E . the user will not reach the IP address because of the implicit deny any any at the end of the policy.
Refer to the following configuration segment for this item.
ip access-list session anewone
user network 172.16.1.0 255.255.255.0 any permit
user host 172.16.1.1 any deny
user any any permit
An administrator wants users to have access to all destinations except 172.16.1.1. Based on the above Aruba Mobility Controller configuration segment, which statements best describe this policy? (Choose two)
- A . The rule user host 172.16.1.1 any deny is redundant because of the implicit deny all at the end.
- B . The rule user network 172.16.1.0 255.255.255.0 any permit is redundant.
- C . The two rules user network 172.16.1.0 255.255.255.0 any permit and user host 172.16.1.1 any deny need to be re-sequenced.
- D . The last statement user any any permit is not required
- E . The last statement should be any any any deny
Refer to the following configuration segment for this item.
netdestination "internal"
no invert
network 172.16.43.0 255.255.255.0 position 1
range 172.16.11.0 172.16.11.16 position 2
!
ip access-list session "My-Policy"
alias "user" alias "internal" service_any permit queue low
!
A user frame is evaluated against this firewall policy with the following attributes:
Source IP: 172.17.49.3 Destination IP: 10.100.86.37 Destination Port: 80
Referring to the above file segment, how will the frame be handled by this firewall policy?
- A . The frame will be dropped because of the implicit deny all at the end of the netdestination definition.
- B . The frame will be dropped because of the implicit deny all at the end of the firewall policy.
- C . The frame will be forwarded because of the implicit permit all at the end of the firewall policy.
- D . The frame will be passed because there is no service specified in the firewall policy.
- E . The frame will be dropped because there is no service specified in the firewall policy.
ip access-list session anewone
user network 10.1.1.0 255.255.255.0 any permit
user any any permit
host 10.1.1.1 host 10.2.2.2 any deny
A user sends a frame with the following attributes:
Source IP: 10.1.1.1 Destination IP: 10.2.2.2 Destination Port: 25
Based on the above Mobility Controller configuration file segment, what will this policy do with the user frame?
- A . The frame is discarded because of the implicit deny all at the end of the policy.
- B . The frame is discarded because of the statement: user host 10.1.1.1 host 10.2.2.2 deny.
- C . The frame is accepted because of the statement: user any any permit.
- D . The frame is accepted because of the statement: user network 10.1.1.0 255.255.255.0 any permit.
- E . This is not a valid policy.
ip access-list session anewone
user network 10.1.1.0 255.255.255.0 any permit
user host 10.1.1.1 any deny
user any any permit
Referring to the above portion of a Mobility Controller configuration file, what can you conclude? (Choose two)
- A . This is a session firewall policy.
- B . This is an extended Access Control List (ACL).
- C . Any traffic going to destination 10.1.1.1 will be denied.
- D . Any traffic going to destination 10.2.2.2 will be denied.
- E . Any traffic going to destination 172.16.100.100 will be permitted.
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.
If machine authentication fails and user authentication passes, which role will be assigned?
- A . employee
- B . guest
- C . denyall
- D . logon
- E . no role is assigned
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.
If machine authentication passes and user authentication fails, which role will be assigned?
- A . employee
- B . denyall
- C . guest
- D . logon
- E . no role is assigned
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.
If machine authentication fails and user authentication fails, which role will be assigned?
- A . employee
- B . guest
- C . Captive Portal
- D . Logon
- E . no role will be assigned
E
Explanation:
3-2 – Configuration Wizards
What can NOT be configured from the Aruba controller configuration wizards?
- A . Controller IP
- B . Boot Partition
- C . User firewall policy.
- D . User derivation rules.
- E . Radius Servers
An administrator is setting up a factory default controller. No new AP groups were created.
When adding a WLAN SSID in the Campus WLAN wizard what AP group is available?
- A . The air-monitors AP group
- B . The logon AP group
- C . The default AP group
- D . The initial AP group
- E . The Spectrum AP group
The reusable Aruba Controller wizards are accessible in what way?
- A . Only on startup through the CLI
- B . Through the CLI, after the initial CLI wizard has been completed
- C . In the Web UI under maintenance.
- D . In the Web UI under configuration.
- E . Must be initialized from CLI first.
The Controller wizard enables which of the following controller clock configurations? (Choose three)
- A . NTP to a time server
- B . Set time zone
- C . Daylight savings time
- D . Only GMT can be configured
- E . Manual configuration of date and time
When configuring ports in the Controller wizard, which of the following are NOT configuration options? (Choose two)
- A . Inter-VLAN routing
- B . Speed
- C . Trusted
- D . LACP
- E . Trunk
AD
Explanation:
3-3 – Management
By default, which CLI based remote access method is enabled on Aruba controllers?
- A . RSH
- B . Telnet
- C . SSH
- D . Telnet and SSH
- E . Telnet, SSH and RSH
An Aruba controller can be accessed with which CLI based remote access methods? (Choose two)
- A . RSH
- B . Telnet
- C . SSH
- D . SFTP
- E . SCP
As an admin/root user, what other type of role-based management users can be created on Aruba controllers?
- A . Auditing-compliance user
- B . AirWave management user
- C . Reporting Generation user
- D . Guest provisioning user
- E . Maintenance user
Which log type should be enabled to troubleshoot IPSec authentication issues on Aruba Controllers?
- A . Security Logs
- B . Management Logs
- C . Wireless Logs
- D . IDS Logs
- E . System Logs
Referring to the above screen capture, if an administrator desires to change a specific AP into a Spectrum Monitor without assigning the AP to a new group, which menus could be used?
- A . Network > Controller
- B . Wireless > AP Configuration
- C . Wireless > AP Installation
- D . Advanced Services > Wireless
- E . Wizards > WIP Wizard
A customer forgot all passwords for a controller.
What method could you use to reset the passwords?
- A . Telnet to the controller and login to the password recovery account
- B . SSH to the controller and login to the password recovery account
- C . Connect directly to the serial console and login to the password recovery account
- D . Interrupt the boot process at CP-boot and select password recovery
- E . Open the controller and press the reset switch
C
Explanation:
3-5 – Roaming
With CPSec disabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?
- A . Basic IP
- B . GRE
- C . IPinIP
- D . Mobile IP
- E . IPSec
In an Aruba controller based system, the L3 mobility tunnel exists between the home agent and which other element?
- A . the default gateway
- B . the remote AP
- C . the foreign agent
- D . the mobile node
- E . the foreign switch
When an 802.11 client roams what device decides when to move the client to another AP?
- A . Aruba AP
- B . Aruba controller
- C . Client
- D . Radius Server
- E . Router
The above diagram has one master and three local controllers. AP1 GRE terminates on controller Local 1. All controllers are configured with the wireless user VLAN 201. A wireless user associates with AP 1. Only L2 mobility is enabled.
Which elements will know about this association?
- A . Local 1 only
- B . Local 1 and the Master
- C . Local 1 and Local 2 and the Master
- D . Local 1 and AP1
- E . All Controllers
Which command will show all client association history?
- A . show mobile trail current (ip address)
- B . show ip mobile trail (ip address)
- C . show ap client status (mac address)
- D . show current client ip (ip address)
- E . show client ip (ip address) mobility
With CPSec enabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?
- A . EAP
- B . SSH
- C . IPinIP
- D . Mobile IP
- E . IPSec
A client roams from Local controller-1 to Local controller-2. The controllers are in different subnets and L3 Mobility is enabled.
How is the client traffic sent back to Local-controller-1?
- A . IP-IP tunneled
- B . FTP
- C . Multicast
- D . L2 GRE Tunnel
- E . Routed locally
A network needs to implement L3 roaming. On the Master Controller, the administrator enabled IP mobility, created a Domain and created the HAT table with all the IP addresses of the local controllers. He then enabled Mobility on the VAPs.
The configuration was then saved. L3 Mobility is still not working. What could be the cause? (Choose two)
- A . IP Mobility must be enabled on all controllers.
- B . IP-IP tunnels must be configured between controllers.
- C . The Domain must be activated on each controller.
- D . The HAT table must be configured on each controller.
- E . The HAT table must be configured with each controller's supported subnets.
AC
Explanation:
3-6 – RF Management
By default, how long will an AP scan a single channel when ARM is enabled?
- A . 80 milliseconds
- B . 90 milliseconds
- C . 100 milliseconds
- D . 110 milliseconds
- E . 200 milliseconds
Which actions does ARM (Adaptive Radio Management) perform? (Choose two)
- A . allows controllers to provision the AP Radio type
- B . allows controllers to provision the best channel for APs
- C . allows controllers to provision the best power setting for APs
- D . allows controllers to provision allowed Radio bands
- E . allows controllers to provision lower power when unauthorized APs are detected
Which of the following metrics does the ARM feature use to calculate the optimal channel and power level for Access Points? (Choose two)
- A . RF Spectrum Index
- B . Priority Index
- C . Interference Index
- D . Coverage Index
- E . Frequency Index
How does the ARM Band Steering feature encourage 5GHz capable clients to move/connect to the 5GHz radios of Aruba APs?
- A . ARM suppresses the probe responses on the 2.4GHz radio
- B . ARM utilizes third party software on the wireless clients
- C . Current Wi-Fi chipset firmware supports this by default
- D . It’s not possible to move clients to 5GHz radios when they can see both 2.4 and 5GHz APs
- E . ARM disables the 2.4GHz radio for the specified client
Which of the statements below are TRUE regarding ARM’s Spectrum Load Balancing feature? (Choose two)
- A . Available only on 5GHz radios
- B . Disabled by default
- C . Balances client load across available channels/APs
- D . Enabled by default
- E . Available only on 2.4GHz radios
What is the function of Band Steering?
- A . Balancing clients across APs on different channels within the same band
- B . Encourages clients, 5GHz capable, to connect on the 5GHz spectrum
- C . Coordinate access to the same channel across multiple APs
- D . Enables selection of 20 vs. 40 MHz mode of operation per band
- E . Enables acceptable coverage index on both the "b/g" and "a" spectrums
What are the Airtime Allocation Policy options for Airtime Fairness? (Choose three)
- A . Default Access
- B . Priority Access
- C . Fair Access
- D . Preferred Access
- E . Distributed Access
Which of the following statements is true of Spectrum Mode?
- A . No licenses are required to run an AP in Spectrum mode
- B . Spectrum mode can only be configured for one AP at a time
- C . An AP can be in spectrum mode for both 2.4 and 5G bands at the same time
- D . An AP can be placed in Spectrum Mode via the Spectrum Profile
- E . Spectrum mode can be configured from the GUI under AP installation
Which ARM feature addresses the issue of sticky clients by moving clients to associate to APs with better 802.11 signal quality?
- A . Co-Channel interference mitigation
- B . Airtime Fairness
- C . ClientMatch
- D . Coordinated access to a single channel
- E . Band Steering
Aruba Client Match does NOT use which of the following parameters to determine the best AP for a client connection?
- A . Device type
- B . Location
- C . Signal to Noise Ratio
- D . Access Point load
- E . Spectrum Analysis
What is the function of Station Handoff Assist, if enabled?
- A . Force device to 5GHz band
- B . Force device off AP if RSSI is below threshold
- C . Send message to device to change AP
- D . Send message to adjoining AP to accept device
- E . Send message to adjoining AP to initiate association to the device