A network engineer is having a problem adding a custom-written script to an AOS-CX switch’s NAE GUI. The script was written in Python and was successfully added on other AOS-CX switches.
The engineer examines the following items from the CLI of the switch:
What should the engineer perform to fix this issue?
- A . Install the script’s signature before installing the new script
- B . Ensure the engineer’s desktop and the AOS-CX switch are synchronized to the same NTP server
- C . Enable trust settings for the AOS-CX switch’s SSL certificate
- D . Remove a script that is no longer used before installing the new script
A network has two AOS-CX switches connected to two different service providers. The administrator is concerned about bandwidth consumption on the service provider links and learned that the service providers were using the company as a transit AS.
Which feature should the administrator implement to prevent this situation?
- A . Configure route maps and apply them to BGP
- B . Configure the two switches as route reflectors
- C . Configure a classifier policy to disable MED
- D . Configure bi-directional forwarding detection on both switches
Examine the output from an AOS-CX switch implementing a dynamic segmentation solution involving downloadable user roles:
Switch# show port-access role clearpass
Role information:
Name: icxarubadur_employee-3044-2
Type: clearpass
Status: failed, parsing_failed
Reauthentication Period:
Authentication Mode:
Session Timeout:
The downloadable user roles are not being downloaded to the AOS-CX switch.
Based on the above output, what is the problem?
- A . The certificate that ClearPass uses is invalid
- B . The AOS-CX switch does not have the ClearPass certificate involved
- C . DNS fails to resolve the ClearPass server’s FQDN
- D . There is a date/time issue between the ClearPass server and the switch
C
Explanation:
"The top-right example shows a parsing_failed status, typically indicative of either a DNS or network connectivity issue."
Which protocol does NetEdit use to discover devices in a subnet during the discovery process?
- A . LLDP
- B . ARP
- C . DHCP
- D . ICMP
What must a network administrator implement in order to run an NAE script on an AOS-CX switch?
- A . Deployment
- B . Schedule
- C . Plan
- D . Agent
A company has an existing wireless solution involving Aruba APs and Mobility controllers running 8.4 code.
The solution leverages a third-party AAA solution. The company is replacing existing access switches with AOS-CX 6300 and 6400 switches. The company wants to leverage the same security and firewall policies for both wired and wireless traffic.
Which solution should the company implement?
- A . RADIUS dynamic authorization
- B . Downloadable user roles
- C . IPSec
- D . User-based tunneling
Examine the AOS-CX configuration:
The switches have a default factory password setting. NetEdit fails to access the configuration of the AOS-CX switches.
What should the administrator do to solve this problem?
- A . Set a password for the default admin user account.
- B . Disable telnet globally.
- C . Use the default VRF instead of the mgmt VRF
- D . Enable IP routing globally
What is the correct way of associating a VRF instance to either a VLAN or an interface?
- A . Switch(config)# interface <interface-ID> Switch(config-if)# vlan access <VLAN-ID> vrf attach <vrf-name>
- B . Switch(config)# vlan <VLAN-ID> vrf attach < vrf-name >
- C . Switch(config)# vlan <VLAN-ID> Switch(config-vlan-<VLAN-ID># vrf attach < vrf-name >
- D . Switch(config)# vlan <VLAN-ID> vrf < vrf-name >
A company has a few servers in a secure, remote location storing highly-confidential documents connected to two AOS-CX 6400 switches configured in a VSX pair. The AOS-CX switches perform access control with 802.1X and will be implementing user-based tunneling (UBT) so that Aruba gateway application inspection and stateful firewall policies can be applied to the traffic. The gateways are running version 8.4 and implement the AP, PEF, and RFP licenses.
Which licensing is needed for the two AOS-CX switches?
- A . 2 AP and 2 PEF licenses only
- B . 1 AP license only
- C . 2 AP, 2 PEF, and 2 RFP licenses only
- D . 1 AP, 1 PEF, and 1 RFP licenses only
When cutting and pasting configurations into NetEdit, which character is used to enter commands within the context of the previous command?
- A . <ESC>
- B . ">"
- C . Space
- D . Tab
An administrator will be replacing a campus switching infrastructure with AOS-CX switches that support VSX capabilities. The campus involves a core, as well as multiple access layers.
Which feature should the administrator implement to allow both VSX-capable core switches to process traffic sent to the default gateway in the campus VLANs?
- A . VRF
- B . VRRP
- C . IP helper
- D . Active gateway
D
Explanation:
Active gateway = both devices route/forward traffic. VRRP = active-standby; only the active member routes/forwards traffic.
Understand the active gateway principle: in a VSX system, active gateway provides redundant default gateway functionality for the end-hosts. The default gateway of the end-host is automatically handled by both the VSX systems.
What is a best practice concerning voice traffic and dynamic segmentation on AOS-CX switches?
- A . Controller authentication and user-based tunneling of the voice traffic
- B . Switch authentication and user-based tunneling of the voice traffic
- C . Controller authentication and port-based tunneling of the voice traffic
- D . Switch authentication and local forwarding of the voice traffic
What is correct regarding the tunneling of user traffic between AOS-CX switches and Aruba Mobility Controllers (MCs)?
- A . Uses IPSec to protect the management and data traffic
- B . Uses IPSec to protect the management traffic
- C . Supports only port-based tunneling
- D . Uses the same management protocol as Aruba APs
D
Explanation:
Because both the AP and the switch use PAPI. Moreover, AOS-CX switches currently do not support port-based tunneling. AOS-CX switches only support user-based tunneling (UBT).
A network administrator needs to replace an antiquated access layer solution with a modular solution involving AOS-CX switches. The administrator wants to leverage virtual switching technologies. The solution needs to support high-availability with dual-control planes.
Which solution should the administrator implement?
- A . AOS-CX 8325
- B . AOS-CX 6300
- C . AOS-CX 6400
- D . AOS-CX 8400
C
Explanation:
Reference:
https://andovercg.com/datasheets/aruba-cx-8325-switch-series.pdf
Examine the attached exhibit.
The network administrator is trying to add a remote location as area 3 to the network shown in the diagram.
Based on current connection restrictions, the administrator cannot connect area 3 directly to area 0. The network is using AOS-CX switches.
Which feature should the administrator implement to provide connectivity to the remote location?
- A . Not-so-stubby areas
- B . Bidirectional forward detection (BFD)
- C . OSPFv3
- D . Virtual links
A network engineer is setting up BGP on AOS-CX switches. The engineer is establishing two different eBGP peerings to two different service providers. The engineer has dozens of contiguous C-class public networks that need to be advertised to the two service providers. The engineer manually defines the networks to be advertised individually with the "network" command.
How can an administrator advertise only a summarized route to the two service providers?
- A . Create a summarized static route and redistribute this into OSPF
- B . Summarize the networks with the "aggregate-address" BGP command
- C . Enable auto-summarization in the IPv4 address family of the BGP configuration
- D . Create a summarized route in OSPF
A network administrator is implementing a configuration plan in NetEdit. The administrator used NetEdit to push the configuration plan to the switch.
Which option in the NetEdit planning section should the administrator select to save the configuration running on the switch to the startup-config?
- A . EDIT
- B . VALIDATE
- C . COMMIT
- D . DEPLOY
When implementing deficit weighted round robin queuing, what importance does the weight value have?
- A . Prioritizing latency-sensitive traffic
- B . Queue priority in processing traffic
- C . Strict priority queue
- D . Percentage of interface bandwidth
Examine the network exhibit.
A network administrator is implementing OSPF on a VSX pair of aggregation switches: Agg1 and Agg2. VLANs 10 and 20 are connected to layer-2 access switches. Agg-1 and Agg-2 are configured as the default gateway for VLANs 10 and 20, with active gateway enabled.
What is the best practice for configuring OSPF on the aggregation switches and their connection to the Core switch?
- A . Define a layer-2 VSX LAG associated with a layer-3 VLAN interface. Enable active gateway for the Layer-3 VLAN.
- B . Define separate layer-3 VLAN interfaces between the aggregation and core switches. Enable active forwarding for the Layer-3 VLAN.
- C . Define separate layer-3 VLAN interfaces between the aggregation and core switches. Enable active gateway for the Layer-3 VLAN.
- D . Define a layer-2 VSX LAG associated with a layer-3 VLAN interface. Enable active forwarding for the Layer-3 VLAN.
Examine the commands entered on an AOS-CX switch:
What is true regarding this configuration for traffic received on interface 100?
- A . The default next-hop address supersedes the two preceding next-hop addresses
- B . The traffic is always dropped if the next-hop addresses are unreachable
- C . The traffic will be routed with the IP routing table entries if the next-hop addresses are unreachable
- D . The next-hop address of 1.1.1.1 is overwritten by the next-hop address of 2.2.2.2
C
Explanation:
"interface null: equivalent to the policy drop policing action. Any packets matching the class criteria for that policy entry will be dropped and not routed any further." https://www.arubanetworks.com/techdocs/AOS-CX/10.05/HTML/5200-7300/index.html#GUID-DC7E5E47-8F31-4DE4-B257-1A68665B2AF4.html
More than one next hop can be assigned with an ACL, and they work by priority (based on the sequence number: lower sequence number -> higher priority). So next-hop 2.2.2.2 will be used if 1.1.1.1 is not reachable. If both are unreachable, the packet is routed using the default routing table; if no specific entry is found, the packet is routed to the default next hop defined in the ACL.
Which concept is implemented using Aruba’s dynamic segmentation?
- A . Root of trust
- B . Device fingerprinting
- C . Zero Touch Provisioning
- D . Colorless port
What would prevent two OSPF routers from forming an adjacency? (Select two.)
- A . Different priorities
- B . Different area types
- C . Different MTU sizes
- D . Different IP addresses
- E . Different router IDs
Which protocols are used by NetEdit to interact with third-party devices? (Choose two.)
- A . telnet
- B . SNMP
- C . SSH
- D . Restful API
- E . CDP
A customer has twenty AOS-CX switches that will be managed by NetEdit and would like support for NetEdit. These switches will exist in the network for at least five years.
Which type of licensing should be used by this customer?
- A . 20 Aruba NetEdit permanent licenses
- B . 20 Aruba NetEdit single node subscription licenses
- C . 25 Aruba NetEdit permanent licenses
- D . 1 Aruba NetEdit SMB License
In AOS-CX switching, what determines when a frame is forwarded by the switch between the ingress and the egress port?
- A . Egress port
- B . Ingress port
- C . VSX switch tables
- D . Fabric Load Balancer
How should a network administrator add NAE scripts and implement NAE agents that will run on an AOS-CX switch?
- A . Use the web interface of the NetEdit server
- B . Use the web interface of the AOS-CX switch
- C . Use the web interface of Aruba Central
- D . Use the CLI of the AOS-CX switch
Examine the attached diagram.
The two PCs are located in VLAN 11 (10.1.11.0/24).
Which example defines how to implement active gateway on the VSX core for VLAN 11?
- A . interface vlan 11
active-gateway ip 10.1.11.1
active-gateway mac 02:02:00:00:01:00
- B . interface lag 254
active-gateway vlan 11 ip 10.1.11.1
active-gateway vlan 11 mac 02:02:00:00:01:00
- C . interface lag 254
active-gateway ip 10.1.11.1
active-gateway mac 02:02:00:00:01:00
- D . vsx
vrrp group 1
A network administrator is implementing OSPF, where there are two exit points. Each exit point has a stateful, application inspection firewall to implement company policies.
What would the best practice be to ensure that one firewall will see both directions of the traffic, preventing asynchronous connections in the network?
- A . Both ASBRs should define External Type 1 routes for the
- B . Both ASBRs should define External Type 1 routes for the
- C . Both ASBRs should define External Type 2 routes for the
- D . Both ASBRs should define External Type 2 routes for the
When an AOS-CX switch uses a temporary copy of the Configuration State database, what kind of analysis does NetEdit perform to ensure that the configuration is correct?
- A . Syntax validation
- B . Semantic validation
- C . Conformance validation
- D . Change validation
D
Explanation:
Validation processes
+ Syntax validation
  - When: while typing
  - What: command syntax including in-line help
+ Semantics validation
  - When: VALIDATE button (in multi-editor) or before DEPLOY
  - What: configuration consistency
+ Conformance validation
  - When: while editing
  - What: compliance with conformance rules: corporate policies, minimum connectivity requirements, etc.
+ Change validation
  - When: during DEPLOY (before and after configuration deployment)
  - What: compares device state before and after changes are applied (using show commands)
An administrator will be deploying NetEdit to manage an Aruba solution.
What does NetEdit support?
- A . Manages AOS-CX switches and Aruba gateways
- B . Support for Aruba-supplied security updates
- C . Tracks configuration and hardware information
- D . Can be purchased as a VM and/or hardware appliance
An administrator is replacing the current access switches with AOS-CX switches. The access layer switches must authenticate user and networking devices connecting to them. Some devices support no form of authentication, and some support 802.1X. Some ports have a VoIP phone and a PC connected to the same port, where the PC is connected to the data port of the phone and the phone’s LAN port is connected to the switch.
Which statement is correct about this situation?
- A . 802.1X must be configured to work in fallback mode
- B . Device fingerprinting is required for authentication
- C . The client-limit setting for port access needs to be changed
- D . Device mode should be implemented
C
Explanation:
Fallback mode is for the RADIUS part; client-limit is for multiple authentications on one port (i.e. phone + PC).
From doc:
aaa port-access authenticator <port-list> client-limit <1-32>
Used after executing aaa port-access authenticator <port-list> to convert authentication from port-based to user-based. Specifies user-based 802.1X authentication and the maximum number of 802.1X-authenticated client sessions allowed on each of the ports in <port-list>. If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another client session begins later on the same port while an earlier session is active, the later session will be on the same untagged VLAN membership as the earlier session.
A network administrator is tasked to set up BGP in the company’s network. The administrator is defining an eBGP peering between an AOS-CX switch and a directly-connected service provider.
The administrator has configured the following on the AOS-CX switch:
However, when using the "show bgp all summary" command, the state does not display "Established" for the eBGP peer.
What must the administrator configure to fix this issue?
- A . router bgp 64500 neighbor 192.168.1.1 ebgp-multihop
- B . router bgp 64500 enable
- C . router bgp 64500 address-family ipv4 unicast neighbor 192.168.1.1 activate
- D . router bgp 64500 neighbor 192.168.1.1 update-source loopback0
An administrator is managing a pair of core AOS-CX switches configured for VSX. Connected to this core are pairs of aggregation layer AOS-CX switches configured for VSX. OSPF is running between the aggregation and core layers. To speed up OSPF convergence, the administrator has configured BFD between the core and aggregation switches.
What is a best practice the administrator should implement to reduce CPU processing on the switches if a BFD neighbor fails?
- A . Disable ICMP redirects
- B . Implement graceful restart
- C . Increase the BFD echo timers
- D . Increase the VSX keepalive timer
Examine the AOS-CX switch output:
Based on this output, what is correct?
- A . 802.1X authentication was successful, but MAC authentication is yet to start
- B . 802.1X authentication occurred and downloadable user roles are deployed
- C . A local user role was deployed using a ClearPass solution
- D . Only 802.1X authentication is configured on the port
A switch will apply a device profile to a port based on which pieces of information? (Select two.)
- A . IP header
- B . MAC address
- C . LLDP
- D . User role
- E . 802.1Q
A company is implementing AOS-CX switches at the access layer. The company wants to implement access control for employees and guests.
Which security features will require a ClearPass server to be installed and used by the company?
- A . Downloadable user roles
- B . Dynamic segmentation
- C . User-based tunneling (UBT)
- D . Change of authorization (CoA)
What is correct regarding policy-based routing?
- A . Policies can only be applied to routed interfaces.
- B . Policies can be applied inbound and outbound.
- C . Monitoring of policy interfaces occurs every 60 seconds.
- D . Policy actions include routing permitting or dropping traffic.
An administrator is managing a network comprised of AOS-CX switches deployed at the aggregation layer. The switches are paired in a VSX stack and run the OSPF routing protocol. The administrator is concerned about how long it takes for OSPF to converge when one of the VSX switches has to reboot.
What should the administrator do to speed up the OSPF convergence of the switch that is rebooting?
- A . Change the VSX ISL link from an OSPF broadcast link to point-to-point.
- B . Implement graceful restart on the VSX switches and their neighboring OSPF switches.
- C . Decrease the VSX initial synchronization timer on the two VSX switches.
- D . Define non-backbone areas on the VSX switches as totally stubby areas.
An administrator of a company has concerns about upgrading the access layer switches. The users rely heavily on wireless and VoIP telephony.
Which is the best recommendation to ensure a short downtime for the users during upgrading the access layer switches?
- A . Install the in-service software upgrade (ISSU) feature with clustering enabled
- B . Install AOS-CX 6300 or 6400 switches with always-on POE
- C . Implement VSF on the AOS-CX access switches
- D . Implement VSX on the AOS-CX access switches
B
Explanation:
The key is to reduce the impact. VSF or not, the impact is the same when the switch reboots. But if the switch supports always-on PoE, then at least the PoE clients will be ready before the switch finishes booting up. If you don't have always-on PoE, then the PoE clients will reboot AFTER the switch boots up.
An administrator wants to implement a virtual switching technology that implements a single control-plane solution.
Which AOS-CX switches would meet these criteria?
- A . All AOS-CX switching platforms
- B . AOS-CX 6300 and 6400 switches
- C . AOS-CX 6300, 6400, and 83xx switches
- D . AOS-CX 6300 switches