Refer to the exhibit.
AOS-Switches will enforce 802.1X authentication on edge ports. The company has two RADIUS servers, which are meant to provide redundancy and load sharing of requests. The exhibit shows the planned RADIUS settings to deploy to the switches.
What should customers understand about this plan?
- A . AOS switches do not support two RADIUS servers for redundancy; instead, a secondary authentication method is required.
- B . Dynamic authentication is only permitted on one of the RADIUS servers and must be removed from the other.
- C . Each RADIUS server must use a unique port number for the authentication and dynamic authorization port.
- D . Each AOS-Switch will send all RADIUS requests to the first server on the list unless that server becomes unreachable.
An administrator wants to ensure that an AOS-Switch forwards all traffic that it receives on interface 1 with high priority.
– Switches should also communicate the high priority to other switches across the traffic path.
– The switch has type of service disabled.
– The administrator plans to apply 802.1p priority 5 to interface 1.
What should the administrator check to ensure that the configuration will work properly?
- A . Interface 1 receives traffic with a tag.
- B . The AOS-Switch is configured to use eight queues.
- C . The forwarding path for the traffic uses VLAN tags.
- D . An 802.1p-to-DSCP map exists for priority 5.
Refer to the exhibit.
A network administrator sets up prioritization for an application that runs between Device 1 and Device 2. However, the QoS for the application is not what the administrator expects.
How can the administrator check if the network infrastructure prioritizes traffic from Device 1 and Device 2?
- A . Run a packet capture on Device 2, run the application, and look in the packet capture for a high value DSCP in the IP header.
- B . Set up RMON alarms on the switches that trigger when a high number of packets are dropped. Then, run the application and check for the alarm.
- C . Clear interface statistics on the switches. Then, run the application and check the interface queue statistics for the switch-to-switch links.
- D . Run a packet capture on Device 1, run the application, and look in the packet capture for a high value DSCP in the IP header.
Refer to the exhibits.
Exhibit 1.
Exhibit 2.
The exhibits show the current operational state for routes on Switch-3. The company wants Switch-3 to prefer the link to Switch-1 over the link to Switch-2 for all intra-area, inter-area, and external traffic.
What can the network administrator do to achieve this goal?
- A . Set the OSPF cost on VLAN 108 higher than 1 on Switch-2 and Switch-3.
- B . Set the OSPF administrative distance on Switch-2 higher than 110.
- C . Set the OSPF area type to normal on all of the switches in Area 1.
- D . Set the cost in the OSPF Area 1 stub command higher than 1 on Switch-2.
An AOS-Switch implements tunneled node.
Which benefit does the PAPI enhanced security key provide?
- A . It validates the signature for firmware pushed to the switch dynamically.
- B . It encrypts traffic sent and received by tunneled-node endpoints.
- C . It authenticates control traffic between the switch and its Mobility Controller.
- D . It provides an extra layer of authentication for endpoints on tunneled-node ports.
Refer to the exhibit.
A network administrator needs to deploy AOS-Switches that implement port-based tunneled node. Their Aruba controller has IP address 10.1.10.5/24. The architect has assigned tunneled-node endpoints to VLAN 20.
What is one issue with the current configuration planned for VLAN 20 on the switch?
- A . VLAN 20 must have GRE enabled on it.
- B . VLAN 20 cannot have an IP address.
- C . VLAN 20 must have an IP address in the same subnet as the controller.
- D . VLAN 20 must not enable jumbo frames.
OSPF Area 1 has two ABRs. One ABR is configured with this range for Area 1: 10.10.0.0/16. The other ABR is not configured with a range for Area 1.
Which type of issue occurs due to this mismatch?
- A . The ABRs create a discontinuous area and disrupt intra-area routing between devices within Area 1.
- B . The ABR core would send Area 1 traffic destined to the other switch through an access switch.
- C . The ABRs lose adjacency entirely and cannot route traffic between each other at all.
- D . The ABRs lose adjacency in Area 1 and must route all traffic to each other through Area 0.
Refer to the exhibits.
Exhibit 1.
Exhibit 2.
The company wants to minimize congestion on Link 1.
Which spanning tree implementation meets this goal?
- A . Instance 1 = VLANs 4-5; Instance 2 = VLANs 6-7; Switch 2 instance 1 priority = 0; Switch 2 instance 2 priority = 1; Switch 3 instance 1 priority = 1; Switch 3 instance 2 priority = 0
- B . Instance 1 = VLANs 4,6; Instance 2 = VLANs 5,7; Switch 2 instance 1 priority = 0; Switch 2 instance 2 priority = 1; Switch 3 instance 1 priority = 1; Switch 3 instance 2 priority = 0
- C . Instance 1 = VLANs 4,6; Instance 2 = VLANs 5,7; Switch 2 instance 1 priority = 0; Switch 2 instance 2 priority = 1; Switch 3 instance 1 priority = 0; Switch 3 instance 2 priority = 1
- D . Instance 1 = VLANs 4-5; Instance 2 = VLANs 6-7; Switch 2 instance 1 priority = 0; Switch 2 instance 2 priority = 1; Switch 3 instance 1 priority = 0; Switch 3 instance 2 priority = 1
Refer to the exhibit.
The network administrator enables DHCP snooping globally and on VLAN 2. An additional step is mandatory for DHCP snooping to operate correctly and for clients to receive DHCP settings.
What is the additional mandatory step?
- A . Define trk1 as a trusted DHCP port.
- B . Define an authorized DHCP server.
- C . Enable ARP protection.
- D . Define edge ports as untrusted DHCP ports.
A network administrator configures connection rate filtering on interface 1 with the throttle action. Device 1 crosses the threshold and triggers the action.
What does the switch do?
- A . It temporarily drops all IP traffic from Device 1 only.
- B . It temporarily drops all IP traffic on interface 1.
- C . It drops all IP traffic from Device 1 until the host is manually unblocked.
- D . It drops all IP traffic on interface 1 until the interface is manually unblocked.
What must an OSPF router do to ensure nonstop routing should a standby member take over as commander when the original VSF commander fails?
- A . It must run the shortest path first algorithm.
- B . It must participate in a new election for the Designated Router.
- C . It must initiate a graceful restart.
- D . It must re-establish adjacency with its Designated Router.
Two AOS-Switches are directly interconnected. The network administrator wants to prevent broadcast storms and other Layer 2 issues that could occur if there is physical damage to a cable.
Which technology should the administrator implement on the connected switch interfaces?
- A . MAC Lockdown
- B . Bidirectional Forwarding Detection (BFD)
- C . Spanning Tree Root Guard
- D . Unidirectional Link Detection (UDLD)
Refer to the exhibit.
The routing switches shown in the exhibit run OSPF on the links between each other. The commander in the Switch-1 VSF fabric goes down. Traffic is disrupted for several seconds.
What should a network administrator do to support a faster failover in a similar situation?
- A . Configure echo mode BFD on the VLAN that connects Switch-1 and Switch-2.
- B . Add VRRP on the VLAN between Switch-1 and Switch-2.
- C . Configure graceful restart, or nonstop OSPF, on Switch-1 and Switch-2, with a proper timer.
- D . Create a redundant virtual link between Switch-1 and Switch-2.
Which benefit is provided by MD5 authentication for BGP?
- A . It validates that BGP messages arrive from an authorized device.
- B . It verifies that received BGP routes have valid next hop IP addresses.
- C . It enables users to authenticate to a server across BGP AS boundaries.
- D . It protects BGP routing information from eavesdroppers.
Refer to the exhibits.
Exhibit 1.
Exhibit 2.
The VoIP phone connects, authenticates successfully, and is dynamically assigned to tagged VLAN 6. The endpoint connected to the phone does not authenticate but starts to send untagged traffic.
How does the switch handle this traffic?
- A . It forwards the traffic in VLAN 5.
- B . It relays the traffic to the RADIUS server for authentication.
- C . It forwards the traffic in VLAN 6.
- D . It drops the traffic.
An AOS-Switch needs to be configured to support tunneled node in role-based mode. The Mobility Controller administrators tell the switch administrators that the AOS-Switch will integrate with a cluster of Mobility Controllers. The cluster virtual IP address is 10.1.1.10.
How should the switch administrator integrate the AOS-Switch with the cluster?
- A . Double-check the settings with the Mobility Controller administrators because the planned configuration is incomplete with the switch settings.
- B . Configure the virtual IP address as the tunneled-node-server address. Tunneled node will work, but the clustering features will not provide redundancy.
- C . Configure the virtual IP address as the tunneled-node-server address. The switch will automatically learn controller IP addresses to which to tunnel various traffic.
- D . Configure the virtual IP address for the primary tunneled-node-server and an actual controller IP address for the backup tunneled-node-server in order to receive redundancy.
Refer to the exhibit.
A company wants to change Area 1 shown in the exhibit from a stub area to a totally stub area.
What will be one effect of this planned change?
- A . Routing devices within Area 0 will temporarily lose adjacency with each other.
- B . Switch-1 and Switch-2 will adjust the cost with which they advertise area 1 traffic in the backbone.
- C . Some traffic from Area 1 to other areas will no longer follow the lowest cost path.
- D . Endpoints within Area 1 will no longer be able to reach endpoints in other areas.
An AOS-Switch runs IGMP on a VLAN.
What is a requirement for the switch to be a potential IGMP querier on that VLAN?
- A . The switch must run PIM-SM or PIM-DM on that VLAN.
- B . The switch must have an IP address on that VLAN.
- C . The switch must have IGMP fast leave disabled globally.
- D . The switch must have at least one IGMP group configured on it manually.
Refer to the exhibit.
Switch-1 runs BGP.
What should the network administrator do to permit Switch-1 to establish a neighbor relationship with Router-1?
- A . Configure 192.168.1.2 as a neighbor manually within the BGP context.
- B . Specify 192.168.1.0/30 with the network command in the BGP context.
- C . Enable BGP on VLAN 100.
- D . Set the BGP AS number to 46501.
Refer to the exhibit.
An AOS-Switch has an extended ACL that is applied to several physical interfaces.
– New interfaces have been brought online.
– The ACL has been applied to them as well.
A network administrator sees the output in the exhibit and is concerned that the switch will reach the limit for rules.
What can the administrator do to address this concern?
- A . Resequence the ACL with less space in between the entries.
- B . Enable ACL grouping, and apply ACLs as shared ACLs.
- C . Reconfigure the ACL as a standard ACL, and then reapply it.
- D . Remove static ACLs, and have the RADIUS server send dynamic ACLs.
Refer to the exhibit.
A company requires distribution layer switches that can provide Layer 2 and Layer 3 redundancy. The exhibit shows the proposal for these switches.
Which change to the proposal will help meet the company’s requirements?
- A . The proposed switches should be replaced with switches such as the Aruba 2930M to support the backplane stacking technology.
- B . VRRP should be implemented instead of backplane stacking to support the Layer 3 redundancy requirements.
- C . Link aggregations should be established without LACP to support the Layer 2 redundancy requirements and backplane stacking limitations.
- D . The proposed switches should be replaced with switches that support VSF to support the required distance between stack members.
Network administrators need to track when traffic matches a deny entry in an ACL applied to a port. They want the alert to be sent to a syslog server that is already set up to send logs.
What should administrators do to enable alerts?
- A . Specify the log option for the ACL entry, and enable ACL debugging.
- B . Set the debug destination to session, and enable ACL debugging.
- C . Enable ACL debugging, and enable SNMP port security traps.
- D . Specify the log option for the ACL entry, and enable SNMP port security traps.
Refer to the exhibits.
Exhibit 1
Exhibit 2
In the exhibits, VLAN 20 under a device name indicates that the device is configured with that VLAN. The exhibits also indicate whether VLAN 20 is statically configured on each link, either as an untagged or a tagged VLAN. If the link has no label, VLAN 20 is not statically configured on that link.
A network administrator needs to deploy AOS-Switches that use port-based tunneled node. The plan calls for tunneled-node endpoints to be assigned to VLAN 20 and for the Aruba Mobility Controller to handle the tunneled-node traffic at Layer 2.
Which exhibit shows the correct plan for VLAN 20 in the wired infrastructure?
- A . A
- B . B
- C . C
- D . D
Refer to the exhibits.
Exhibit 1
Exhibit 2
Switch-1 has a power issue that causes it to fail. When Switch-1 comes back up, endpoints lose connectivity for a few minutes. The network administrator decides to enter this command on Switch-1:
Switch-1 (config)# vlan 10 vrrp vrid 10 preempt-delay-time 120
Exhibit 2 shows the VRRP configuration just after the change.
What is the effect of this change?
- A . Switch-1 and Switch-2 both become Master in their own VRRP virtual router due to the delay timer mismatch. The mismatch must be fixed.
- B . Switch-1 now waits to take over as Master if it fails and recovers. This should prevent the connectivity issue from occurring again.
- C . Switch-1 experiences an internal error in the VRRP process. This error causes Switch-2 to take over as Master for VLAN 2.
- D . Switch-1 continues to act as it did before the preempt delay time was set. Administrators must plan additional changes to fix the issue.
Refer to the exhibits.
Exhibit 1
Exhibit 2
Exhibit 1 shows a portion of the BGP routing table when the BGP solution was first deployed. Exhibit 2 shows the same portion at the current time.
What can explain the current state?
- A . Due to changes in the private network, Switch-1 can no longer reach 192.168.2.1.
- B . Switch-1 can no longer reach ISP 1 at 192.168.1.1.
- C . Due to changes at ISP 1, Switch-1 now selects a different best route.
- D . An administrator has applied a route map on Switch-1 that filters advertised routes.
Which switches can be deployed in a mesh topology for backplane stacking?
- A . Aruba 2920 switches
- B . Aruba 2930F switches
- C . Aruba 2930M switches
- D . Aruba 3810 switches
D
A network administrator needs to create a QoS policy on an AOS-Switch.
What is one component that the administrator must create before the policy?
- A . an extended IPv4 ACL
- B . a traffic behavior
- C . an extended MAC ACL
- D . a traffic class
Refer to the exhibits.
Exhibit 1
Exhibit 2
Switch-1 and Switch-2 are configured to provide VRRP in VLAN 2. The default gateway for VLAN 2 is set to the VRRP virtual IP. Client-1 in VLAN 2 cannot ping its default gateway.
Based on the exhibits, what can administrators determine?
- A . The VRRP preempt delay time has not yet expired, and administrators should try to ping the gateway again in several minutes.
- B . Switch-1 and Switch-2 have the same virtual router ID. The conflict interferes with connectivity.
- C . Preempt mode is enabled on both Switch-1 and Switch-2, so the Master role continues to alternate between them, and the pings go astray.
- D . This is the expected behavior, and Switch-1 should still be able to route traffic for Client-1.
A network administrator needs to create a backplane stack with four AOS-Switches. The administrator wants to choose which switch becomes the commander.
Which procedure meets those needs?
- A . Boot all of the switches at the same time and then connect the backplane stacking links. Then, access the desired commander, and make sure it has member ID 1.
- B . Configure backplane switches settings on each switch while disconnected. Make sure the desired commander has priority value 1. Then, connect the switches.
- C . Boot up the desired commander first and make sure stacking is enabled on it. Then, connect the stacking links and boot the other switches.
- D . Configure backplane switching settings on each switch while disconnected. Make sure the desired commander has member ID 1. Then, connect the switches.
A company deploys AOS-Switches at sites with inexperienced IT staff. The main office network administrators want to monitor thresholds to generate alerts on branch switches.
What should be set up for this purpose?
- A . an SNMP trap
- B . an RMON alarm
- C . an auto-config server
- D . an sFlow instance
A network administrator configures DHCP snooping on VLAN 2.
How does the switch handle DHCP traffic that arrives in this VLAN on an untrusted interface?
- A . It accepts packets from a DHCP server, but drops client packets.
- B . It drops all DHCP traffic and logs a security event.
- C . It accepts both client and server packets as long as they match the DHCP binding table.
- D . It accepts client packets, but drops packets from a DHCP server.
Refer to the exhibit.
A network administrator wants to add the protections of root guard to the network.
Based on the spanning tree topology, on which ports should the network administrator implement root guard?
- A . 3-24
- B . 1 and 2
- C . A1 and A2
- D . 2 and A3
The implementation plan for AOS-Switches calls for them to implement port-based tunneled node. The Aruba Mobility Controllers that will support the AOS-Switches run software 8.1. The controllers will also support APs, are managed by Mobility Master, and use clustering.
Which issue with this plan needs to be addressed?
- A . The controllers cannot support tunneled node with AOS-Switches when they are managed by the Mobility Master.
- B . The switches cannot connect to controllers that also support APs.
- C . The controllers must have their software updated before they can support the switches.
- D . The switches must use role-based tunneled node to work with clustering controllers.
What is one difference between BPDU protection and root guard?
- A . BPDU protection works with RPVST+, RSTP, and MSTP. Root guard works with RSTP or MSTP, but not RPVST+.
- B . BPDU protection blocks a port if it receives any BPDU, but root guard blocks a port only if the BPDU indicates a better root path.
- C . BPDU protection is typically implemented on edge ports, but root guard is typically implemented on uplinks with the root port role.
- D . BPDU protection drops BPDUs received on a port, but does not block the port. Root guard blocks the port if it receives a BPDU.
B
Refer to the exhibit.
The exhibit shows configurations for interface 5 and VLAN 20. Note that DHCP snooping and ARP protection are also enabled.
A network administrator finds that interface 5 on an AOS-Switch is disabled. The administrator re-enables the interface, but it shuts down again.
What should the administrator investigate?
- A . a device that sends too much unicast traffic
- B . a rogue DHCP server
- C . a loop on the interface
- D . a device that sends unauthorized ARP messages
Refer to the exhibit.
Switch-1 and Switch-2 connect on interface A23. The switches experience a connectivity issue. The network administrator sees that both switches show this interface as up. The administrator sees the output shown in the exhibit on Switch-1.
What is a typical issue that could cause this output?
- A . asymmetric routing introduced by a routing protocol
- B . an issue with VLAN mismatch
- C . mismatched subnet mask on the VLAN for the link
- D . a jumbo frame mismatch
What is a reason to implement PIM-DM as opposed to PIM-SM?
- A . to control exactly which multicast groups are routed through the network
- B . to permit a higher density of RP routers in the network core
- C . to conserve bandwidth over WAN links
- D . to use on high-bandwidth routed connections
An AOS-Switch enforces 802.1X. It receives an Access-Accept with this HPE VSA from its RADIUS server:
Attribute Name and ID = HPE-User-Role (25) Value = contractor
The switch then rejects the client.
What is one requirement for the switch to accept the message and authorize the client?
- A . The initial user role must be set to the factory default permit any role.
- B . User role authorization must be enabled globally on the switch.
- C . An aaa authentication local user group must have the contractor name.
- D . The RADIUS server settings must permit dynamic authorization.
Network administrators need to configure a BGP neighbor on an AOS-Switch.
What defines the neighbor as an iBGP neighbor?
- A . It has BGP synchronization enabled.
- B . It has an AS number in the range of 64512 to 64535.
- C . Its update source is set to a private company IP address.
- D . Its remote-AS is the same as the AOS-Switch BGP AS.
Refer to the exhibits.
Exhibit 1
Exhibit 2
Exhibit 1 shows the topology for the network. The network administrator sees the log entries shown in Exhibit 2.
Which type of failure is indicated?
- A . A link between Switch-1 and Switch-2 went down. BFD detected the lost connectivity and behaved as expected.
- B . Graceful restart helper was not enabled on Switch-2, so BFD was unable to operate correctly, and the session was taken down.
- C . A hardware issue caused a unidirectional link; BFD detected the issue at Layer 2 and prevented a broadcast storm.
- D . BFD was set up incorrectly on Switch-2, so it caused Switch-2 to lose adjacency with Switch-1 rather than repair the session.