Which statement is correct regarding ACLs and TCAM usage?
- A . Applying an ACL to a group of ports consumes the same resources as specific ACE entries
- B . Using object groups consumes the same resources as specific ACE entries
- C . Compression is automatically enabled for ASIC TCAMs on AOS-CX switches
- D . Applying an ACL to a group of VLANs consumes the same resources as specific ACE entries
What is correct regarding rate limiting and egress queue shaping on AOS-CX switches?
- A . Only a traffic rate and burst size can be defined for a queue
- B . Limits can be defined only for broadcast and multicast traffic
- C . Rate limiting and egress queue shaping can be used to restrict inbound traffic
- D . Rate limiting and egress queue shaping can be applied globally
A
Explanation:
you could apply egress queue shaping to the high priority queues to prevent starvation of low priority queues. Egress queue shaping allows you to apply a maximum bandwidth to a priority queue, as well as a burst size. The port buffers excess traffic up to the burst size and sends the buffered traffic at the max rate, smoothing out bursts while also preventing the high priority queue from exceeding its maximum rate and starving out lower priority queues.
A network administrator needs to replace an antiquated access layer solution with a modular solution involving AOS-CX switches. The administrator wants to leverage virtual switching technologies. The solution needs to support high-availability with dual-control planes.
Which solution should the administrator implement?
- A . AOS-CX 8325
- B . AOS-CX 6300
- C . AOS-CX 6400
- D . AOS-CX 8400
C
Explanation:
Reference: https://andovercg.com/datasheets/aruba-cx-8325-switch-series.pdf
A company has implemented 802.1X authentication on AOS-CX access switches, where two ClearPass
servers are used to implement AAA. Each switch has the two servers defined.
A network engineer notices the following command configured on the AOS-CX switches:
radius-server tracking user-name monitor password plaintext aruba123
What is the purpose of this configuration?
- A . Implement replay protection for AAA messages
- B . Define the account to implement downloadable user roles
- C . Speed up the AAA authentication process
- D . Define the account to implement change of authorization
C
Explanation:
Radius service tracking locates the availability of the RADIUS service configured on the switch. It helps to minimize the waiting period for new clients in the unauth-vid (Guest Vlan) when authentication fails because of service is not available, as well as previously authenticated clients in unauth-vid (Guest Vlan) when re-authentication fails because service is not available during the re-authentication period. Note that this feature is disabled by default. https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/16-02/5200-1650_WB_ASG/content/ch04s04.html
A company has an existing wireless solution involving Aruba APs and Mobility controllers running 8.4 code.
The solution leverages a third-party AAA solution. The company is replacing existing access switches with AOS-CX 6300 and 6400 switches. The company wants to leverage the same security and firewall policies for both wired and wireless traffic.
Which solution should the company implement?
- A . RADIUS dynamic authorization
- B . Downloadable user roles
- C . IPSec
- D . User-based tunneling
A network engineer is having a problem adding a custom-written script to an AOS-CX switch’s NAE GUI. The script was written in Python and was successfully added on other AOS-CX switches.
The engineer examines the following items from the CLI of the switch:
What should the engineer perform to fix this issue?
- A . Install the script’s signature before installing the new script
- B . Ensure the engineer’s desktop and the AOS-CX switch are synchronized to the same NTP server
- C . Enable trust settings for the AOS-CX switch’s SSL certificate
- D . Remove a script that is no longer used before installing the new script
Which option correctly defines how to identify a VLAN as a voice VLAN on an AOS-CX switch?
- A . Switch(config)# port-access lldp-group <LLDP-group-name>
Switch(config-lldp-group)# vlan <VLAN-ID> - B . Switch(config)# port-access role <role-name>
Switch(config-pa-role)# vlan access <VLAN-ID> - C . Switch(config)# vlan <VLAN-ID>
Switch(config-vlan-<VLAN-ID>)# voice - D . Switch(config)# vlan <VLAN-ID> voice
An administrator will be replacing a campus switching infrastructure with AOS-CX switches that support VSX capabilities. The campus involves a core, as well as multiple access layers.
Which feature should the administrator implement to allow both VSX-capable core switches to process traffic sent to the default gateway in the campus VLANs?
- A . VRF
- B . VRRP
- C . IP helper
- D . Active gateway
D
Explanation:
Active gateway = both devices route/forward traffic VRRP = Active-standbye, only active member routes/forwards traffic
Understand the Active Gateway principle In a VSX system, active gateway provides redundant default gateway functionality for the end-hosts. The default gateway of the end-host is automatically handled by both the VSX systems.
What is correct regarding the tunneling of user traffic between AOS-CX switches and Aruba Mobility Controllers (MCs)?
- A . Uses IPSec to protect the management and data traffic
- B . Uses IPSec to protect the management traffic
- C . Supports only port-based tunneling
- D . Uses the same management protocol as Aruba APs
D
Explanation:
because both AP and Switch use PAPI. Moreover in AOS-CX switch currently not support port based
tunnel. AOS-CX switch only support User Based Tunnel (UBT)
An administrator is implementing a multicast solution in a multi-VLAN network.
Which statement is true about the configuration of the switches in the network?
- A . IGMP snooping must be enabled on all interfaces on a switch to intelligently forward traffic
- B . IGMP requires join and leave messages to graft and prune multicast streams between switches
- C . IGMP must be enabled on all routed interfaces where multicast traffic will traverse
- D . IGMP must be enabled on all interfaces where multicast sources and receivers are connected
How is voice traffic prioritized correctly on AOS-CX switches?
- A . By defining device profiles with QOS settings
- B . By placing it in the strict priority queue
- C . By implementing voice VLANs
- D . By implementing weighted fair queueing (WFQ)
An administrator is replacing the current access switches with AOS-CX switches. The access layer switches must authenticate user and networking devices connecting to them. Some devices support no form of authentication, and some support 802.1X. Some ports have a VoIP phone and a PC connected to the same port, where the PC is connected to the data port of the phone and the phone’s LAN port is connected to the switch.
Which statement is correct about this situation?
- A . 802.1X must be configured to work in fallback mode
- B . Device fingerprinting is required for authentication
- C . The client-limit setting for port access needs to be changed
- D . Device mode should be implemented
C
Explanation:
fallback mode if for the radius part; client limit is for multiple authent on one port (ie phone + pc)
From doc:
aaa port-access authenticator <port-list> client-limit <1-32>
Used after executing aaa port-access authenticator <port-list> to convert authentication from port-based to user-based. Specifies user-based 802.1X authentication and the maximum number of 802.1X-authenticated client sessions allowed on each of the ports in <port-list>. If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another client session begins later on the same port while an earlier session is active, the later session will be on the same untagged VLAN membership as the earlier session.
Examine the network exhibit.
A company has a guest implementation for wireless and wired access. Wireless access is implemented through a third-party vendor. The company is concerned about wired guest traffic traversing the same network as the employee traffic. The network administrator has established a GRE tunnel between AOS-CX switches where guests are connected to a routing switch in the DMZ.
Which feature should the administrator implement to ensure that the guest traffic is tunneled to the DMZ while the employee traffic is forwarded using OSPF?
- A . OSPF route maps using the “set metric” command
- B . Policy-based routing (PBR)
- C . User-based tunneling (UBT)
- D . Classifier policies
B
Explanation:
Guest traffic can be routed with PBR to use GRE tunnels that terminate in the DMZ.
An administrator has an AOS-CX switch configured with:
router ospf 1
area 0
area 1 stub no-summary
It is the only ABR for area 1.
The switch has the appropriate adjacencies to routing switches in areas 0 and 1.
The current routes in each area are:
Area 0: 5 routes (LSA Type 1 and 2)
Area 1: 10 routes (LSA Type 1 and 2)
External routes: 2 (LSA Type 5)
Based on the above configuration, how many OSPF routes will routing switches see in Area 1?
- A . 15
- B . 6
- C . 11
- D . 12
A network administrator is managing a network that deploys a multicast service. The administrator has
multiple streams successfully being routed by PIM-DM in the network. The administrator then adds a new stream with a destination address of 239.0.0.1. However, clients who have not joined the stream are receiving it.
What should the administrator do to fix this problem?
- A . Verify that IGMP is enabled between the switches connecting the multicast source and receivers
- B . Change the destination multicast address to 239.1.1.1
- C . Define the 239.0.0.1 stream on the rendezvous point (RP)
- D . Define the 239.0.0.1 stream on the PIM candidate bootstrap router
B
Explanation:
MAC/IP overlap. 239.0.0.1 would be the same MAC for 224.0.0.1. 224.0.0.0/24 is always flooded over every port.
Which protocols are used by NetEdit to interact with third-party devices? (Choose two.)
- A . telnet
- B . SNMP
- C . SSH
- D . Restful API
- E . CDP
An administrator is implementing a downloadable user role solution involving AOS-CX switches. The AAA solution and the AOS-CX switches can successfully authenticate users; however, the role information fails to download to the switches.
What policy should be added to an intermediate firewall to allow the downloadable role function to succeed?
- A . Allow TCP 443
- B . Allow UDP 1811
- C . Allow UDP 8211
- D . Allow TCP 22
A
Explanation:
pg 681 from the Aruba guide – "When using DUR, the ClearPass HPE-CPPM-Role VSA is used in combination with HTTPS to transfer the role to the switch." UDP 8211 (PAPI) is related to dynamic segmentation and the communication to the MC not DUR.
A network administrator is attempting to troubleshoot a connectivity issue between a group of users and a particular server. The administrator needs to examine the packets over a period of time from their desktop; however, the administrator is not directly connected to the AOS-CX switch involved with the traffic flow.
What is correct regarding the ERSPAN session that needs to be established on an AOS-CX switch? (Choose two.)
- A . On the source AOS-CX switch, the destination specified is the switch to which the administrator’s desktop is connected
- B . On the source AOS-CX switch, the destination specified is the administrator’s desktop
- C . The encapsulation protocol used is GRE
- D . The encapsulation protocol used is VXLAN
- E . The encapsulation protocol is UDP
A, C
Explanation:
In AOS CX the remote mirroring is done using a tunnel interface, so the Mirror source and destination must be configured on each Switch. On the source Switch, the source interface (from where the traffic is mirrored) and destination interface (the tunnel interface to where the traffic is sent to). In the destination Switch, the source interface (which would be the tunnel interface (receiving the traffic from the source switch tunnel)) and the destination would be the client where Wireshark enabled client is connected.
What is correct regarding the operation of VSX and multicasting with PIM-SM routing configured?
- A . Each VSX peers runs PIM and builds its own group database. One of the VSX peers is elected as the designated router (DR) to forward multicast streams to a receiver VLAN
- B . Each VSX peers runs PIM and creates a shared group database. Both VSX peers can forward multicast
streams to receivers in a VLAN, achieving load sharing - C . Each VSX peers runs PIM and builds its own group database. Both VSX peers can forward multicast streams to receivers in a VLAN, achieving load sharing
- D . Each VSX peers runs PIM and creates a shared group database. One of the VSX peers is elected as the designated router (DR) to forward multicast streams to a receiver VLAN
A
Explanation:
"both VSX switches as a PIM Designate Router (DR). One node is the actual DR, the other node is the proxy DR." "Only the actual DR performs multicast routing and forward traffic destined to groups to its downstream VLANs in the data-path." https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7888/Content/Chp_Pre_tra_loss/ip-mul-rou-10.htm
An administrator wants to track what configuration changes were made on a switch.
What should the administrator implement to see the configuration changes on an AOS-CX switch?
- A . AAA authorization
- B . Network Analysis Engine (NAE)
- C . AAA authentication
- D . VSX synchronization logging
Examine the AOS-CS switch output:
Based on this output, what is correct?
- A . 802.1X authentication was successful, but MAC authentication is yet to start
- B . 802.1X authentication occurred and downloadable user roles are deployed
- C . A local user role was deployed using a ClearPass solution
- D . Only 802.1X authentication is configured on the port
An administrator in a company of 349 users has a pair of AOS-CX switches with connections to external networks. Both switches are configured for OSPF. The administrator wants to import external routes on both switches, but assigns different seed metrics to the routes, as well as imports them as external type-1 routes.
What is the best way for the administrator to accomplish this?
- A . Create a route map with the correct route type and metrics
- B . Define the route type and metrics in the OSPF process
- C . Create a classifier policy with the correct route type and metrics
- D . Define a class and policy map with the correct route type and metrics
An administrator is concerned about the security of the control plane connection between an AOS-CX switch and an Aruba Mobility Controller (MC) when implementing user-based tunneling.
How should the administrator protect this traffic?
- A . IPSec with a digital certificate
- B . GRE with a pre-shared key
- C . PAPI with an MD5 pre-shared key
- D . IPSec with a pre-shared key
A network administrator is implementing a configuration plan in NetEdit. The administrator used NetEdit to push the configuration plan to the switch.
Which option in the NetEdit planning section should the administrator select to save the configuration running on the switch to the startup-config?
- A . EDIT
- B . VALIDATE
- C . COMMIT
- D . DEPLOY
Examine the network exhibit:
The ACL configuration defined on Core-1 is as follows:
If telnet was being used, which device connection would be permitted and functional in both directions? (Choose two.)
- A . Client 3 to Client 2
- B . Client 1 to Client 2
- C . Server 2 to Client 2
- D . Server 1 to Client 1
- E . Client 1 to Client 3
B, D
Explanation:
CL3 – CL2 – drop on forward path by core1 cause match VLAN 20 and CL3 not CL1 as SRC IP
CL1 – CL2 – pass – no ACL cause forwarded by Access2
SR2 – CL2 – pass on forward path by core1 cause match VLAN 10
Drop on return path by core1 cause match VLAN 20 and no CL1 as SRC IP
SR1 – CL1 – pass on forward path by core1 cause match VLAN 10
pass on return path by core1 cause match VLAN 20 and CL1 as SRC IP
CL1 – CL3 – pass on forward path by core1 cause match VLAN 20 and CL1 as SRC IP
drop on return path by core1 cause match VLAN 20 and not CL1 but CL3 as SRC IP
An administrator has an aggregation layer of 8325CX switches configured as a VSX pair. The administrator is concerned that when OSPF network changes occur, the aggregation switches will respond to the changes slowly, and this will affect network connectivity, especially VoIP calls, in the connected access layer switches.
What should the administrator do on the aggregation layer switches to alleviate this issue?
- A . Implement route aggregation
- B . Implement bidirectional forwarding detection (BFD)
- C . Reduce the hello and dead interval timers
- D . Implement graceful restart
A
Explanation:
"BFD tests the connectivity between two IP addresses in a BFD session. BFD reports when connectivity is lost. The router (or routing switch) can then use that information to take the appropriate actions, depending on the functions to which you have tied BFD"
How is NetEdit installed at a customer location?
- A . Via an Aruba NetEdit hardware appliance
- B . Via a DVD using a virtualized platform like Microsoft’s Hyper-V
- C . Via the Aruba Central cloud solution
- D . Via an OVA file and a virtualized platform like VMware’s ESXi
What is correct regarding multicasting and AOS-CX switches?
- A . IGMP snooping is disabled, by default, on Layer-2 VLAN interfaces
- B . IGMP query functions are enabled, by default, on Layer-2 VLAN interfaces
- C . IGMP snooping is enabled, by default, on Layer-3 VLAN interfaces
- D . IGMP-enabled AOS-CX switches flood unknown multicast destinations
A company has recently upgraded their campus switching infrastructure with AOS-CX switches. They have implemented 802.1X authentication on access ports where laptop and IOT devices typically connect. An administrator has noticed that for POE devices, the AOS-CX switch ports are delivering the maximum wattage to the port instead of what the device actually needs.
Concerned about this waste of electricity, what should the administrator implement to solve this problem?
- A . Implement a classifier policy with the correct power definitions
- B . Create device profiles with the correct power definitions
- C . Enable AAA authentication to exempt LLDP and/or CDP information
- D . Globally enable the QoS trust setting for LLDP and/or CDP
A company requires access by all users, guests, and employees to be authenticated. Employees will be authenticated using 802.1X, whereas guests will be authenticated using captive portal.
Which type of authentication must be configured on an AOS-CX switch ports where both guests and employees connect?
- A . Both 802.1X and captive portal
- B . 802.1X only
- C . Both 802.1X and MAC-Auth
- D . 802.1X, captive portal, and MAC-Auth
C
Explanation:
Employees use 802.1x
The Aruba guest solution uses MAC-auth.
The Portal is not configured on the switch port.
Examine the output from an AOS-CX switch implementing a dynamic segmentation solution involving
downloadable user roles:
Switch# show port-access role clearpass
Role information:
Name: icxarubadur_employee-3044-2
Type: clearpass
Status: failed, parsing_failed
Reauthentication Period:
Authentication Mode:
Session Timeout:
The downloadable user roles are not being downloaded to the AOS-CX switch.
Based on the above output, what is the problem?
- A . The certificate that ClearPass uses in invalid
- B . The AOS-CX switch does not have the ClearPass certificate involved
- C . DNS fails to resolve the ClearPass server’s FQDN
- D . There is a date/time issue between the ClearPass server and the switch
C
Explanation:
"The top-right example shows a parsing_failed status, typically indicative of either a DNS or network connectivity issue."
Examine the attached diagram.
The two PCs are located in VLAN 11 (10.1.11.0/24).
Which example defines how to implement active gateway on the VSX core for VLAN 11?
- A . interface vlan 11
active-gateway ip 10.1.11.1
active-gateway mac 02:02:00:00:01:00 - B . interface lag 254
active-gateway vlan 11 ip 10.1.11.1
active-gateway vlan 11 mac 02:02:00:00:01:00 - C . interface lag 254
active-gateway ip 10.1.11.1
active-gateway mac 02:02:00:00:01:00 - D . vsx
vrrp group 1
An administrator has configured the following on an AOS-CX switch:
What is the correct ACL rule configuration that would allow traffic from anywhere to reach the web ports on the two specified servers?
- A . access-list ip server 10 permit tcp any web-servers group web-ports
- B . access-list ip server 10 permit tcp any object-group web-servers object-group web-ports
- C . access-list ip server 10 permit tcp any group web-servers group web-ports
- D . access-list ip server 10 permit tcp any web-servers web-ports
A
Explanation:
Switch1(config-acl-ip)# show run cur
access-list ip server
10 permit tcp any web-servers group web-ports
A network administrator wants to centralize the management of AOS-CX switches by implementing NetEdit.
How should the administrator purchase and/or install the NetEdit solution?
- A . Install as a hardware appliance
- B . Installed on a supported version of RedHat Enterprise Linux
- C . Installed in a virtualized solution by using the Aruba-supplied OVA file
- D . Installed on a supported version of Debian Linux
A network engineer is using NetEdit to manage AOS-CX switches. The engineer notices that a lot of thirdparty VoIP phones are showing up in the NetEdit topology. The engineer deletes these, but they are
automatically rediscovered by NetEdit and added back in.
What should the administrator do to solve this problem?
- A . Change the VoIP phone SNMP community string to something unknown by NetEdit
- B . Disable LLDP globally on the AOS-CX switches where phones are connected
- C . Disable SSH access on all the VoIP phones
- D . Disable the RESTful API on all the VoIP phones
A
Explanation:
"NetEdit will now algo discover and display third-party devices that are using the stantard MIB’s.
Using SNMP with NetEDit, administrators can also enter SSH credentials for third-party devices.
Examine the following AOS-CX configuration:
Based on this configuration, which statement is correct regarding IoT traffic?
- A . If 10.100.1.2 is not reachable, the IoT traffic will be automatically dropped by the switch
- B . If a specific route is not available in the routing table, the traffic will be routed to 10.100.1.2
- C . The next hop of 10.100.1.2 can be one or more hops away from the AOS-CX switch
- D . All routes are ignored in the routing table for IoT traffic, which is routed to 10.100.1.2
Which protocol does NetEdit use to discover devices in a subnet during the discovery process?
- A . LLDP
- B . ARP
- C . DHCP
- D . ICMP
Examine the following AOS-CX switch configuration:
Which statement correctly describes what is allowed for traffic entering interface 1/1/3?
- A . IP traffic from 10.1.11.0/24 is allowed to access 10.1.110.0/24
- B . IP traffic from 10.0.11.0/24 is allowed to access 10.1.12.0/24
- C . Traffic from 10.0.12.0/24 will generate a log record when accessing 10.0.11.0/24
- D . IP traffic from 10.1.12.0/24 is allowed to access 172.0.1.0/23
B
Explanation:
People seem to be confused by inverted mask/wildcard masks. They would be correct for Cisco switches, but AOS-CX does NOT use wildcard masks; "AOX-CX switches do not support wildcard masks – only prefixes or subnet masks – when created ACEs."
Cisco: 255.0.255.0 = xx.123.xx.123
AOS-CX: 255.0.255.0 = 123.xx.123.xx
An administrator creates an ACL rule with both the “count” and “log” option enabled.
What is correct about the action taken by an AOS-CX switch when there is a match on this rule?
- A . By default, a summarized log is created every minute with a count of the number of matches
- B . Logging will not include certificate and TLS events, but counting will
- C . The “count” and “log” options are processed by the AOS-CX switch’s hardware ASIC
- D . The total in the “log” record and the count could contain different rule matching statistics
D
Explanation:
From the "AOS-CX 10.08 ACLs and Classifier Policies Guide" : "You may see a minor discrepancy between the ACL logging statistics and the hit counts statistics due to the time required to record the log message."
An administrator is defining a VSX LAG on a pair of AOS-CX switches that are defined as primary and secondary. The VSX LAG fails to establish successfully with a remote switch; however, after verification, the remote switch is configured correctly. The administrator narrows down the problem to the configuration on the AOS-CX switches.
What would cause this problem?
- A . Local optimization was not enabled on the VSX LAG
- B . The VSX LAG hash does not match the remote peer
- C . The VSX LAG interfaces are in layer-3 mode
- D . LACP was enabled in active mode on the VSX LAG
Examine the configuration performed on newly deployed AOS-CX switches:
After performing this configuration, the administrator notices that the switch ports always remain in the EAP start state.
What should the administrator do to fix this problem?
- A . Define the server group cppm
- B . Set the ports to client-mode
- C . Create and assign a local user role to the ports
- D . Enable change of authorization (CoA)
A
Explanation:
https://community.arubanetworks.com/blogs/esupport1/2020/04/29/downloadable-user-role-configuration-in-aruba-os-cx-with-mac-authentication
A network has two AOS-CX switches connected to two different service providers. The administrator is
concerned about bandwidth consumption on the service provider links and learned that the service providers were using the company as a transit AS.
Which feature should the administrator implement to prevent this situation?
- A . Configure route maps and apply them to BGP
- B . Configure the two switches as route reflectors
- C . Configure a classifier policy to disable MED
- D . Configure bi-directional forwarding detection on both switches
A company has just purchased AOS-CX switches. The company has a free and open-source AAA solution.
The company wants to implement access control on the Ethernet ports of the AOS-CX switches.
Which security features can the company implement given the equipment that they are using?
- A . Port-based tunneling
- B . Device fingerprinting
- C . Local user roles
- D . Downloadable user roles
The network is configured for OSPF with the following attributes:
Core1 and Core2 and ABRs
Area 1 has 20 networks in the 10.1.0.0/16 range
Area 0 has 10 networks in the 10.0.0.0/16 range
Area 2 has 50 networks in the 10.2.0.0/16 range
The ASBR is importing a static route into Area 1
Core2 has a summary for Area 2: area 0.0.0.2 range 10.2.0.0/16 type inter-area
Here is the OSPF configuration performed on Core1:
Based on the above information, what is correct?
- A . Area 0 has 13 routes
- B . Core1 has no OSPF routes
- C . Core1 has received one LSA Type 5 from the ASBR
- D . Area 1 has 23 routes
A network administrator is implementing NAE on AOS-CX switches. When attempting to create an agent on a particular switch, the agent appears in the NAE Agents panel with a red triangle error symbol and a status of “Unknown”.
What is the cause of this issue?
- A . The administrator does not have the appropriate credentials to interact with NAE
- B . The number of scripts or agents has exceeded the hardware’s capabilities
- C . A connectivity issue exists between NAE and the AOS-CX switch
- D . The RESTful API has not been enabled on the AOS-CX switch
B
Explanation:
https://www.arubanetworks.com/techdocs/AOS-CX/10.06/HTML/5200-7717/Content/Chp_TS/err-nae-age-not-cre-db-con-vio-err.htm