
HPE6-A73 Exam - Free Actual Q&As, Page 1 - ExamTopics

Uploaded by

OgichiShirusaki

Topic 1 - Single Topic

Question #1 Topic 1

Which statement is correct regarding ACLs and TCAM usage?

A. Applying an ACL to a group of ports consumes the same resources as specific ACE entries

B. Using object groups consumes the same resources as specific ACE entries

C. Compression is automatically enabled for ASIC TCAMs on AOS-CX switches

D. Applying an ACL to a group of VLANs consumes the same resources as specific ACE entries

Correct Answer: B

Community vote distribution


B (100%)

  [Removed] Highly Voted  2 months, 1 week ago

With the suggestion of my friend, I explored itexamslab.com online study plan. I purchased their Study guide, went through the reviews, and took
the practice tests of HP HPE6-A72. I am excited to say that I have passed my exam with more than a 90% score. Highly appreciated and
recommended.
upvoted 13 times

  cloud29 Highly Voted  2 years, 10 months ago

B is correct
upvoted 11 times

  SeidorBruno Most Recent  8 months ago

Selected Answer: B

Page 308 Study Guide:


upvoted 2 times

  riadyoussef 11 months ago


does any one have the study guide ?
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: B

B is correct
upvoted 1 times

  sentinel44 2 years, 2 months ago


Selected Answer: B

confirm p310 :
Using an object group uses the same resources as specific ACE entries
upvoted 3 times

  Mahmoud_Adel 2 years, 3 months ago


please anyone can send me the study book?
upvoted 2 times

  Kevin1983 2 years, 7 months ago


B (study book page 310)
upvoted 5 times

  riyaskallayil 2 years, 6 months ago


Can you please send me the study material for me
upvoted 3 times

  AM1234 2 years, 7 months ago


B is Correct
upvoted 2 times
Question #2 Topic 1

What is correct regarding rate limiting and egress queue shaping on AOS-CX switches?

A. Only a traffic rate and burst size can be defined for a queue

B. Limits can be defined only for broadcast and multicast traffic

C. Rate limiting and egress queue shaping can be used to restrict inbound traffic

D. Rate limiting and egress queue shaping can be applied globally

Correct Answer: A

Community vote distribution


A (60%) D (30%) 10%

  SeidorBruno 8 months ago

Selected Answer: A

https://www.arubanetworks.com/techdocs/AOS-CX/10.08/PDF/qos_832x.pdf
Page 851 Study Guide:
Egress queue shaping allows you to apply a maximum bandwidth to a priority queue, as well as a burst size.
[Aruba Networks]
upvoted 1 times

  Greenmile84 8 months ago


Should be A

Click Quality of Service > General > Egress Shaping per Queue.
The Egress Shaping Per Queue page displays the rate limit and burst size for each queue.
upvoted 1 times

  Redrum702 8 months, 3 weeks ago


D: On Aruba AOS-CX, rate limiting and egress queue shaping can be applied globally on the switch or on specific interfaces
upvoted 1 times

  abhi7815 1 year, 1 month ago

Selected Answer: A

A is correct answer.
upvoted 1 times

  MrBB 1 year, 3 months ago

Selected Answer: A

Same question as the other one in the database. It should be A


upvoted 1 times

  E_Nick 1 year, 3 months ago


Correct answer is A
upvoted 1 times

  Alialo 1 year, 3 months ago

Selected Answer: D

i think should be D, tested with 8325 and the qos queue and schedule profile could be apply globally and not must with int
upvoted 1 times

  Alialo 1 year, 3 months ago


Sorry, I have tested again; the answer should be A. In the schedule profile, only bandwidth and burst can be defined, and the profile cannot be applied globally.
upvoted 1 times

  LRAndy 1 year, 3 months ago

Selected Answer: C

See also Question 71


Only answer, common to both questions is
C: Rate limiting and egress queue shaping can be used to restrict inbound traffic
upvoted 1 times

  ripcurl 2 months, 1 week ago


you cannot control inbound traffic using QoS features, only outbound or egress traffic, so C is certainly wrong
upvoted 1 times
  LRAndy 1 year, 3 months ago
damn - no edit function
should read
D: Rate limiting and egress queue shaping can be applied globally
upvoted 2 times

  manrodman 1 year, 3 months ago

Selected Answer: D

I think that D is correct because rate limiting can be applied globally by a policy, and for egress queue shaping the global schedule profile is applied when you apply the queue profile.
Based on the schedule profile, DWRR is being used and the queue and schedule profile are applied globally.

A is not correct: traffic rate and burst size can be defined for only strict priority queue -> Egress queue shaping allows you to apply a maximum
bandwidth to a priority queue, as well as a burst size. The port buffers excess traffic up to the burst size and sends the buffered traffic at the max
rate, smoothing out bursts while also preventing the high priority queue from exceeding its maximum rate and starving out lower priority queues.
Only process queues under the 7 queue if not have traffic in the 7 queue
To process all queues Aruba-CX uses DWRR or WFQ -> In both algorithms, each queue receives a predictable share of the bandwidth based on the
queue's relative priority, or weigh

B is not correct: restrict unknown unicast


C is not correct: egress queue shaping can be used to restrict outbound traffic
upvoted 2 times

  stephen 1 year, 8 months ago


A you could apply egress queue shaping to the high priority queues
to prevent starvation of low priority queues. Egress queue shaping allows you to apply a
maximum bandwidth to a priority queue, as well as a burst size. The port buffers excess traffic
up to the burst size and sends the buffered traffic at the max rate, smoothing out bursts while
also preventing the high priority queue from exceeding its maximum rate and starving out lower
priority queues.
upvoted 1 times

  turanmuslim 1 year, 9 months ago

Selected Answer: A

Answer A
upvoted 1 times

  poy4242 1 year, 10 months ago

Selected Answer: A

answer A
upvoted 2 times

  darthandy 2 years, 4 months ago


b is incorrect because rate-limiting can also be applied to unknown unicasts.
upvoted 2 times

  Ivan007 2 years, 4 months ago


The answer is A, page 896
upvoted 4 times

  Ben1009 1 year, 11 months ago


hi, where you download the ebook ? or you purchased.
upvoted 1 times

  kup 2 years, 5 months ago


A page 258
upvoted 3 times

  demifsud 2 years, 6 months ago


I also went with A
upvoted 2 times

  AM1234 2 years, 7 months ago


the correct Answer is A
upvoted 2 times
Question #3 Topic 1

A network administrator needs to replace an antiquated access layer solution with a modular solution involving AOS-CX switches. The administrator wants to leverage virtual switching technologies. The solution needs to support high-availability with dual-control planes.

Which solution should the administrator implement?

A. AOS-CX 8325

B. AOS-CX 6300

C. AOS-CX 6400

D. AOS-CX 8400

Correct Answer: A

Reference:

https://andovercg.com/datasheets/aruba-cx-8325-switch-series.pdf

Community vote distribution


C (100%)

  poris27 Highly Voted  2 years, 10 months ago

I think the answer is C because 8325 is not modular like 6400


upvoted 6 times

  El3den 2 years, 8 months ago


why not 8400 ?
upvoted 3 times

  AM1234 2 years, 8 months ago


as its mentioned for the access layer
upvoted 3 times

  SeidorBruno Most Recent  8 months ago

Selected Answer: C

Page 25 Study Guide:


For high availability (HA), the AOS-CX 6400 supports VSX Live Upgrades and also has redundant management cards, fans, power supplies, etc.
[Aruba Networks]
upvoted 1 times

  gcg 8 months, 1 week ago


Yes I think the answer is C because is modular switch
upvoted 1 times

  Redrum702 8 months, 3 weeks ago


C: Correction - the key part of the question says virtual switching which is VSF so the only device listed is the 6400 - disregard my previous answer.
upvoted 2 times

  Redrum702 8 months, 3 weeks ago


D: the Aruba 6400 switch series does not support high-availability with dual-control planes. The Aruba 6400 series switches are fixed-configuration
switches designed for access and aggregation deployments in campus networks. While they offer advanced features and performance, including
support for 10GbE and 40GbE interfaces, they do not incorporate dual-control planes for redundancy and high availability.

However, Aruba offers other switch series, such as the Aruba 5400R zl2 and Aruba 8400, that do provide dual-control planes for enhanced
resiliency. These series are typically targeted for more demanding network environments where high availability and redundancy are critical.

If you require high availability and dual-control planes, it is recommended to consider the Aruba 5400R zl2 or Aruba 8400 series switches or consult
the official Aruba documentation to explore other switch models that meet your specific requirements.
upvoted 1 times

  IV2709 1 year, 3 months ago

Selected Answer: C

Answer is C
upvoted 1 times

  cjoseph 1 year, 4 months ago

Selected Answer: C

Answer is C
upvoted 1 times
  E_Nick 1 year, 4 months ago

Selected Answer: C

Mark key words, 'access layer', 'modular', 'high-availability', so only 6400


upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: C

CX6400 can VSX and could be useful for access layer


upvoted 1 times

  d_nat 1 year, 5 months ago


I think it is C as the CX 6400 is an access/aggregation layer switch, has dual plane capability and is modular. See
https://www.arubanetworks.com/assets/ds/DS_6400Series.pdf
upvoted 1 times

  Moreson 1 year, 11 months ago

Selected Answer: C

Mark key words, 'access layer', 'modular', 'high-availability', so only 6400


upvoted 1 times

  Ivan007 2 years, 4 months ago


The answer seems to be C: (See pages 4 & 13)
- 6300 can't perform dual-plane (VSX)
- Neither the 8325 nor the 8400 are modular
- Neither the 8325 nor the 8400 are for the access layer
upvoted 3 times

  jagoanneon 2 years ago


a bit correction... 8400 is modular
upvoted 1 times

  kup 2 years, 5 months ago


C Modular for Access
upvoted 2 times

  clupato2 2 years, 6 months ago


C is the answer
upvoted 1 times

  demifsud 2 years, 6 months ago


I would have gone C. 6400 is intended for access layer and has support for VSX for dual control planes.
upvoted 2 times

  AM1234 2 years, 7 months ago


the Correct Answer is C
upvoted 3 times

  cloud29 2 years, 10 months ago


C is the correct answer
upvoted 4 times
Question #4 Topic 1

A company has implemented 802.1X authentication on AOS-CX access switches, where two ClearPass servers are used to implement AAA. Each switch has the two servers defined. A network engineer notices the following command configured on the AOS-CX switches:

radius-server tracking user-name monitor password plaintext aruba123

What is the purpose of this configuration?

A. Implement replay protection for AAA messages

B. Define the account to implement downloadable user roles

C. Speed up the AAA authentication process

D. Define the account to implement change of authorization

Correct Answer: C

Reference:

https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/16-01/5200-0122_access_security_guide/content/ch09s02.html

Community vote distribution


C (100%)

  cloud29 Highly Voted  2 years, 10 months ago

Radius service tracking


Radius service tracking locates the availability of the RADIUS service configured on the switch. It helps to minimize the waiting period for new
clients in the unauth-vid (Guest Vlan) when authentication fails because of service is not available, as well as previously authenticated clients in
unauth-vid (Guest Vlan) when re-authentication fails because service is not available during the re-authentication period.

Note that this feature is disabled by default.


radius-server tracking
Syntax
[no] radius-server tracking <enable|disable>
upvoted 7 times

  slotblocker 8 months, 2 weeks ago


True,

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/16-02/5200-1650_WB_ASG/content/ch04s04.html
upvoted 1 times

  dodds Highly Voted  2 years, 10 months ago

C looks correct to me

https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/16-02/5200-1650_WB_ASG/content/ch04s04.html
upvoted 5 times

  SeidorBruno Most Recent  8 months ago

Selected Answer: C

Page 706 Study Guide:


Effect of RADIUS tracking on pre-auth role: If RADIUS tracking is enabled and no RADIUS server is available for authentication, the port will be changed from a pre-auth role VLAN to a critical VLAN. The time taken to move from pre-auth role VLAN to critical VLAN depends on the time it takes for RADIUS tracker to inform the subsystem.
[Aruba Networks]
upvoted 2 times

  Mar_a_Lagoon 2 years ago


Selected Answer: C

C is correct (although the link provided is referring to AOS-S, not CX)


upvoted 4 times

  Ivan007 2 years, 4 months ago


C, page 694
upvoted 2 times

  kup 2 years, 5 months ago


C Form Radius config guide
upvoted 2 times
  AM1234 2 years, 7 months ago
the correct Answer is C
upvoted 3 times

  fasty 2 years, 10 months ago


I also think C is correct
upvoted 4 times

  poris27 2 years, 10 months ago


I think the answer is A. radius server tracking is used to track the status of the radius server
upvoted 1 times
Question #5 Topic 1

A company has an existing wireless solution involving Aruba APs and Mobility controllers running 8.4 code. The solution leverages a third-party AAA solution. The company is replacing existing access switches with AOS-CX 6300 and 6400 switches. The company wants to leverage the same security and firewall policies for both wired and wireless traffic.

Which solution should the company implement?

A. RADIUS dynamic authorization

B. Downloadable user roles

C. IPSec

D. User-based tunneling

Correct Answer: A

Community vote distribution


D (77%) A (23%)

  poris27 Highly Voted  2 years, 10 months ago

I think the answer is D. we talk about UBT in this question where user connect to switch will go to MC by use Tunnel
upvoted 9 times

  SahilERT Most Recent  8 months ago

Correct answer should be A. As it says customer wants to leverage the existing AAA and firewall third party policy it could be CISCO Server as well.
If he wants to use UBT he still can do it with LUR but it is new AAA setup for both wired and wireless.
upvoted 1 times

  SeidorBruno 8 months ago


Selected Answer: D

Page 748 Study Guide:


The bottom line is this: Use the tunneled-node feature whenever you want to apply Aruba controller-based security/control mechanisms to both wireless and wired traffic. You get unified access control – same policies regardless of whether they have a wired or wireless connection.
[Aruba Networks]
upvoted 2 times

  Redrum702 8 months, 2 weeks ago


A: Aruba ClearPass supports RADIUS dynamic authorization. RADIUS (Remote Authentication Dial-In User Service) is a protocol widely used for
network access control, authentication, and accounting. It allows for the centralized management of user authentication and authorization for
network devices.
upvoted 1 times

  slotblocker 8 months, 2 weeks ago


third-party AAA solution , not Clearpass.
upvoted 1 times

  Alialo 1 year, 3 months ago

Selected Answer: D

should be D, LUR is used with CPPM and also with third party AAA servers
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: D

Answer is D. User based tunneling with LUR


upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: A

Agree with demanmetdehamer, it's A. UBT is only supported with Clearpass and not with a third-party AAA solution.
upvoted 3 times

  Moreson 1 year, 11 months ago


Mark key words, 'Aruba APs and MC', '3rd Party AAA', 'FW for both Wired and wireless means same user can be either', so need to be Aruba
tunneling using LUR
upvoted 2 times

  jagoanneon 2 years ago

Selected Answer: D
Answer is D. User based tunneling with LUR
upvoted 4 times

  sentinel44 2 years, 1 month ago


Selected Answer: D

correct answer is D
upvoted 2 times

  demanmetdehamer 2 years, 4 months ago


Answer A is correct. UBT is only supported with Clearpass as radius server.
The question clearly states that the company has a third party solution.
upvoted 1 times

  kadis500 2 years, 1 month ago


UBT is only supported with Clearpass when you use DUR, but when you use LUR you don't need Clearpass
upvoted 6 times

  Ivan007 2 years, 4 months ago


Answer is D, see pages 789 791
upvoted 2 times

  AM1234 2 years, 7 months ago


the Correct answer is D
upvoted 2 times
Question #6 Topic 1

A network engineer is having a problem adding a custom-written script to an AOS-CX switch's NAE GUI. The script was written in Python and was successfully added on other AOS-CX switches. The engineer examines the following items from the CLI of the switch:

What should the engineer perform to fix this issue?

A. Install the script's signature before installing the new script

B. Ensure the engineer's desktop and the AOS-CX switch are synchronized to the same NTP server

C. Enable trust settings for the AOS-CX switch's SSL certificate

D. Remove a script that is no longer used before installing the new script

Correct Answer: D

Community vote distribution


D (100%)

  SeidorBruno 8 months ago

Selected Answer: D

Reached Maximum Scripts Capacity. NTP doesn't matter here.


upvoted 2 times

  E_Nick 1 year, 4 months ago

Selected Answer: D

D, I think is the most correct answer given that it is impossible to deploy more scripts than the switch capacity allows for.
upvoted 3 times

  Mar_a_Lagoon 2 years ago

Selected Answer: D

D. The script is not yet uploaded (to this particular switch) and the capacity has been reached. NTP is not relevant here.
upvoted 4 times

  Ivan007 2 years, 4 months ago


D is correct, see page 176

"show capacities-status nae" tells us that the script capacity has been reached

B is not the best answer here. NTP should always be in sync but the web GUI is not being used in this scenario, which is dependent on NTP, the CLI
is not.
upvoted 2 times

  pabx31 2 years, 4 months ago


B stands out but the book clearly states the NTP sync is for the WEB GUI between your browser/PC and the switch. This is CLI so I don't see how
NTP affects anything. The command is being ran directly on the switch.

I am betting on D being correct.


upvoted 3 times

  Emad 2 years, 5 months ago


B seems correct; the script and NAE Agents are installed on the system. However, NTP is not in sync with Desktop, which may not show the actual status on the GUI. Lab guide starts with having NTP Setup and to make sure time matches with Desktop from where the GUI is accessed. The time difference should be within seconds. The NAE web UI is using the client browser time to get the time for the 'live' graphs, so therefore it is important to have correct time on the PC client and the switch.
upvoted 1 times

  I_C_U 2 years, 5 months ago


D is the answer, you can still add a script if the time is out and it will just warn you.
upvoted 2 times

  clupato2 2 years, 6 months ago


D is the answer
upvoted 1 times

  demifsud 2 years, 6 months ago


D, I think is the most correct answer given that it is impossible to deploy more scripts than the switch capacity allows for.
upvoted 4 times

  Itachi22 2 years, 7 months ago


the answer should be B as a User guide explain : the time zone for Web client and the switch based on NTP sync or based on UTC .
upvoted 1 times

  AM1234 2 years, 7 months ago


the correct Answer is D
upvoted 2 times

  dodds 2 years, 9 months ago


I think the answer is D.

if switch and browser time is not in sync, only information displayed in the web ui might not be accurate.

From ACSP student guide p.156


upvoted 2 times

  WifiX 2 years, 9 months ago


B is correct : user guide page 73
upvoted 4 times

  kur0 2 years, 10 months ago


I think B is the correct answer because NTP should be in synchronization with the NAE agent.
upvoted 2 times
Question #7 Topic 1

Which option correctly defines how to identify a VLAN as a voice VLAN on an AOS-CX switch?

A. Switch(config)# port-access lldp-group <LLDP-group-name> Switch(config-lldp-group)# vlan <VLAN-ID>

B. Switch(config)# port-access role <role-name> Switch(config-pa-role)# vlan access <VLAN-ID>

C. Switch(config)# vlan <VLAN-ID> Switch(config-vlan-<VLAN-ID>)# voice

D. Switch(config)# vlan <VLAN-ID> voice

Correct Answer: C

Community vote distribution


C (100%)

  SeidorBruno 8 months ago

Selected Answer: C

Page 870 Study Guide:


To create a voice VLAN, configure the voice command in the VLAN context, like this:
Switch(config)# vlan <VLAN-ID>
Switch(config-vlan)# voice
[Aruba Networks]
upvoted 1 times

  IV2709 1 year, 3 months ago


Selected Answer: C

Answer C ! Sure !
upvoted 1 times

  d_nat 1 year, 5 months ago


Selected Answer: C

See student guide vol. 2, page 267


upvoted 1 times

  d_nat 1 year, 5 months ago


Student Guide, Vol2, Page 267:
Voice VLANs
To create a voice VLAN, configure the voice command in the VLAN context,
like this:
Switch(config)# vlan <VLAN-ID>
Switch(config-vlan)# voice
So answer C
upvoted 2 times

  AM1234 2 years, 7 months ago


the correct Answer is C
upvoted 3 times

  cloud29 2 years, 10 months ago


C is correct
upvoted 2 times
Question #8 Topic 1

An administrator will be replacing a campus switching infrastructure with AOS-CX switches that support VSX capabilities. The campus involves a core, as well as multiple access layers. Which feature should the administrator implement to allow both VSX-capable core switches to process traffic sent to the default gateway in the campus VLANs?

A. VRF

B. VRRP

C. IP helper

D. Active gateway

Correct Answer: B

Community vote distribution


D (100%)

  poris27 Highly Voted  2 years, 10 months ago

I think the answer is D since in VSX the best practise is we use Active gateway instead of VRRP
upvoted 15 times

  Mikie2825 Most Recent  5 months, 3 weeks ago

The question just states that the switches are VSX capable. It does not say they are configured with VSX enabled. I would say that B is the correct
answer given the stated question.
upvoted 1 times

  SeidorBruno 8 months ago


Selected Answer: D

Page 180 Study Guide:


Remember that the VSX pair acts as the default gateway for the access VLANs. To do so, the pair uses the active gateway feature.
[Aruba Networks]
upvoted 3 times

  beerdeliveryguy 8 months, 2 weeks ago


Selected Answer: D

VSX active gateway is the only answer


upvoted 1 times

  Alialo 1 year, 3 months ago

Selected Answer: D

should be D, the question need to allow both VSX-capable core switches to process traffic.
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: D

D is correct
upvoted 1 times

  Rockford 1 year, 4 months ago


D:
Remember that the VSX pair acts as the default gateway for the access VLANs. To do so, the pair uses the active gateway feature. This feature
allows each switch in the pair to act as an active default gateway for the VLAN using a shared virtual IP address (VIP) and virtual MAC address. It
eliminates the need for Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router Protocol (HSRP). Simple to configure, the active gateway
feature relies on VSX operations so it does not add any protocol overhead. It also supports redundancy for DHCP relay functions.
upvoted 1 times

  Araz 1 year, 4 months ago

Selected Answer: D

D is correct
upvoted 1 times

  d_nat 1 year, 5 months ago

Selected Answer: D

Student Guide Vol.1, page 190:


It eliminates the
need for Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router
Protocol (HSRP).
So D is correct
upvoted 1 times

  sentinel44 2 years, 1 month ago

Selected Answer: D

Answer is D, page 216

Active gateway = both devices route/forward traffic


VRRP = Active-standby, only active member routes/forwards traffic
upvoted 4 times

  Ivan007 2 years, 4 months ago


Answer is D, page 216

Active gateway = both devices route/forward traffic


VRRP = Active-standby, only active member routes/forwards traffic
upvoted 3 times

  kup 2 years, 5 months ago


D - 189 page of study book
upvoted 1 times

  I_C_U 2 years, 5 months ago


D is the correct answer as.

Understand the Active Gateway principle


In a VSX system, active gateway provides redundant default gateway functionality for
the end-hosts. The default gateway of the end-host is automatically handled by both the
VSX systems.
upvoted 3 times

  clupato2 2 years, 6 months ago


D is the answer
upvoted 2 times

  AM1234 2 years, 7 months ago


the correct Answer is D
upvoted 4 times

  clupato2 2 years, 8 months ago


D is the answer.
upvoted 4 times

  cloud29 2 years, 10 months ago


D is the answer
upvoted 4 times
Question #9 Topic 1

What is correct regarding the tunneling of user traffic between AOS-CX switches and Aruba Mobility Controllers (MCs)?

A. Uses IPSec to protect the management and data traffic

B. Uses IPSec to protect the management traffic

C. Supports only port-based tunneling

D. Uses the same management protocol as Aruba APs

Correct Answer: C

Community vote distribution


D (100%)

  poris27 Highly Voted  2 years, 10 months ago

I think the answer is D because both AP and Switch use PAPI . Moreover in AOS-CX switch currently not support port based tunnel. AOS-CX switch
only support User Based Tunnel (UBT)
upvoted 5 times

  SeidorBruno Most Recent  8 months ago

Selected Answer: D

Page 749 Study Guide:


The switch uses two protocols to connect to an Aruba Mobility Controller (MC) The control plane uses PAPI (UDP port 8211) - the same protocol used by AP-to-MC communications. However, where APs use IPSec to protect the PAPI connection between the AP and MC, AOS-CX switches do not support this protection. Instead, you can optionally implement an MD5 HMAC function to protect PAPI between the AOS-CX switches and MCs.
[Aruba Networks]
upvoted 1 times

  Alialo 1 year, 3 months ago


Selected Answer: D

should be D, the switch uses two protocols to connect to an MC: PAPI (control plane) and GRE (data plane). However, where APs use IPSec to
protect the PAPI connection between the AP and MC, AOS-CX switches do not support this protection. Instead, you can optionally implement an
MD5 HMAC function to protect PAPI between the AOS-CX switches and MCs
upvoted 2 times

  E_Nick 1 year, 4 months ago


Selected Answer: D

Answer is D
upvoted 1 times

  Araz 1 year, 4 months ago


D is correct
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: D

Answer is D
upvoted 1 times

  sentinel44 2 years, 1 month ago

Selected Answer: D

Answer is D, see page 784

Switches do not use IPsec or port-based tunneling


upvoted 1 times

  Ivan007 2 years, 4 months ago


Answer is D, see page 784

Switches do not use IPsec or port-based tunneling


upvoted 1 times

  clupato2 2 years, 6 months ago


D is the answer
upvoted 2 times
  AM1234 2 years, 7 months ago
the correct Answer is D
upvoted 4 times

  fasty 2 years, 10 months ago


D is correct
upvoted 3 times
Question #10 Topic 1

An administrator is implementing a multicast solution in a multi-VLAN network. Which statement is true about the configuration of the switches in the network?

A. IGMP snooping must be enabled on all interfaces on a switch to intelligently forward traffic

B. IGMP requires join and leave messages to graft and prune multicast streams between switches

C. IGMP must be enabled on all routed interfaces where multicast traffic will traverse

D. IGMP must be enabled on all interfaces where multicast sources and receivers are connected

Correct Answer: B

Community vote distribution


C (75%) D (25%)

  watermellonhead Highly Voted  2 years, 4 months ago

Looks like C is correct. Found a PDF that specifically says this. Google "AOS-CX switch igmp", first result (pdf), then go to "Multicast Deployment Summary".
A - incorrect. This is configured globally on the switch, not per-interface.
B - incorrect. This is a PIM function. Not IGMP.
D - incorrect. IGMP is enabled on L3 interfaces towards the sources/receivers. Not ALL interfaces.
upvoted 12 times

  Linares1234 2 years, 4 months ago


Thanks bro i have tomorrow my exam.
upvoted 2 times

  davo92726 2 years, 3 months ago


did you pass?
upvoted 1 times

  seb6869 Highly Voted  2 years, 6 months ago

D is correct. IGMP is enabled only on clients and multicast servers VLAN. PIM is enabled on routed interfaces between clients and servers VLAN to
route multicast flow
upvoted 5 times

  SeidorBruno Most Recent  7 months, 3 weeks ago

Selected Answer: C

Page 567 Study Guide:


A querier is required for proper IGMP operation. For this reason, you must enable IGMP on the L3 Interface. If the querier functionality is not
configured or disabled, you must ensure that there is an IGMP querier in the same VLAN.
[Aruba Networks]
upvoted 1 times

  Redrum702 8 months, 3 weeks ago


C: IGMP has to be configured on routed interfaces
upvoted 1 times

  Redrum702 8 months, 3 weeks ago


C: IGMP must be enabled on all routed interfaces. This allows the routers to participate in IGMP signaling and properly handle the multicast traffic.
upvoted 1 times

  E_Nick 1 year, 3 months ago

Selected Answer: C

C is correct
upvoted 1 times

  a__p 1 year, 3 months ago


Selected Answer: D

I think D is correct
A - incorrect, switches will always forward traffic
B - Graft and Prune are PIM functions
C - IGMP is only required on the VLAN where the receivers and source are connected, PIM is required across L3 domains. IGMP manages flooding
of multicast on a segment.
D - Correct - VLAN interfaces where source and receivers are connected
upvoted 1 times

  mindaugasv 1 year, 4 months ago


Selected Answer: C

C is correct
upvoted 1 times

  gondolf 1 year, 10 months ago


None of these are correct. I'm going to assume they are talking about VLAN interfaces, and go with answer D if I get this question on the test.
https://i.imgur.com/vW7V2UL.png
upvoted 2 times

  guidogiesen 1 year, 9 months ago


in the picture you shared is saying that "igmp enable snooping optional but recommended" but answer "D" is saying it must be enabled. so D is
not correct
upvoted 1 times

  Mar_a_Lagoon 2 years, 4 months ago


D is correct. See "AOS-CX Multicast deployment and troubleshooting guide" page 8 Multicast Deployment Summary point 6: "Enable IGMP/MLD
on L3 interfaces towards receiver subnets"
upvoted 1 times

  filthyx 2 years, 3 months ago


It's C. Your answer says it. "L3 interfaces" Option D says nothing about routed interfaces.
upvoted 2 times

  pabx31 2 years, 4 months ago


C - Book states "If you want the benefits of IGMP in VLAN 30, you must enable it on the routed interface for VLAN 30" and "You enable IGMP on a
per VLAN basis."
upvoted 4 times

Pcpimp 2 years, 4 months ago


Look at module 9 page 17 and 18. I think D is correct.
upvoted 1 times

kup 2 years, 5 months ago


C page 531
upvoted 1 times

I_C_U 2 years, 5 months ago


when are you planning to do the exam? or have you already done it?
upvoted 1 times

I_C_U 2 years, 5 months ago


the question is specifically asking for switch config, so I think D is correct.
What is mentioned in B happens anyway (with version 3 IGMP) without any extra config being done. i.e. Without IGMP in place PIM will not work.
upvoted 1 times

Mrvn 2 years, 7 months ago


C is correct Graft and prune relate to PIM-DM not IGMP
upvoted 2 times

AM1234 2 years, 7 months ago


the correct Answer is C
upvoted 2 times

WifiX 2 years, 9 months ago


B is correct page 253
upvoted 1 times

jagoanneon 2 years ago


The question is what is true about "configuration". B does not say anything about configuration, it is just text book general knowledge
upvoted 2 times
Question #11 Topic 1

How is voice traffic prioritized correctly on AOS-CX switches?

A. By defining device profiles with QOS settings

B. By placing it in the strict priority queue

C. By implementing voice VLANs

D. By implementing weighted fair queueing (WFQ)

Correct Answer: C

Community vote distribution


C (57%) B (43%)

poris27 Highly Voted 2 years, 10 months ago

I think the answer is B because in Strict Priority (SP) we can put VOIP traffic in top priority (priority 7)
upvoted 5 times

Moreson 1 year, 11 months ago


just wondering what is the point to have voice key word under vlan interface then? give you this option, there is a reason. though you can
achieve in multiple ways, but most optimized option is C
upvoted 3 times

alper3192 Most Recent 5 months ago

Selected Answer: B

"Sensitive traffic like VOIP uses Strict Priority queuing " B is correct
upvoted 1 times

SeidorBruno 7 months, 3 weeks ago

Selected Answer: C

Page 868-869 Study Guide


upvoted 1 times

Redrum702 8 months, 3 weeks ago


B: voice traffic can be prioritized correctly on an Aruba AOS-CX switch by placing it in the strict priority queue. The strict priority queue is a QoS
mechanism that gives the highest priority to specific types of traffic, such as voice or real-time communication traffic. Here's how you can achieve
this:

Enable Strict Priority Queue: Configure the AOS-CX switch to support strict priority queuing. This ensures that traffic assigned to the strict priority
queue will be given the highest priority and processed before other queues.
upvoted 2 times

alex711 11 months, 4 weeks ago


C is Correct
upvoted 1 times

devadarshan91730 1 year, 3 months ago


B is correct.
The qos priority default setting is 0 (normal), with 1 as the lowest priority and 7 as the highest priority.

If you configure a voice VLAN with a VID of 10, and want the highest priority for all traffic on this VLAN, execute the following commands:

HP Switch(config) #: vlan 10 qos priority 7


HP Switch (config) #: write memory
upvoted 3 times

d_nat 1 year, 5 months ago

Selected Answer: C

In the student guide vol.2 on page 267 it is stated that you enable voice VLAN with a command in the vlan configuration context.
upvoted 1 times

gondolf 1 year, 10 months ago


The question is how is voice traffic prioritized *correctly*. I'm positive they are looking for the VLAN "voice"-command, even though a manual SP
could give it a higher priority.
upvoted 1 times

Mar_a_Lagoon 1 year, 11 months ago


Selected Answer: C
By tagging the port as voice (Alt C) the switch will by default honor whatever priority the end device uses. This can be changed if needed.
upvoted 2 times

sentinel44 2 years, 1 month ago


Selected Answer: B

I think the answer is B because in Strict Priority (SP) we can put VOIP traffic in top priority (priority 7)
upvoted 2 times

AM1234 2 years, 7 months ago


the correct Answer is C
upvoted 1 times

cloud29 2 years, 10 months ago


I think they ask us about something else.
With SP we can put priority at any traffic.
But they want us to know that turning on voice vlan will put voice vlan in a higher priority.
That's why the answer I think should be C
upvoted 3 times
Question #12 Topic 1

An administrator is replacing the current access switches with AOS-CX switches. The access layer switches must authenticate user and networking devices connecting to them. Some devices support no form of authentication, and some support 802.1X. Some ports have a VoIP phone and a PC connected to the same port, where the PC is connected to the data port of the phone and the phone's LAN port is connected to the switch.

Which statement is correct about this situation?

A. 802.1X must be configured to work in fallback mode

B. Device fingerprinting is required for authentication

C. The client-limit setting for port access needs to be changed

D. Device mode should be implemented

Correct Answer: A

Community vote distribution


C (100%)

SeidorBruno 7 months, 3 weeks ago

Selected Answer: C

Page 693 Study Guide


After you set the limit, the port begins tracking MAC addresses and defines the authorization status and settings for each separately. For example,
in the scenario with the computer and VoIP phone, the switch port sends an EAP Request/Identity to each separate MAC address detected on the
port. If the VoIP phone authenticates successfully, but the computer fails, the computer traffic is blocked.
[Aruba Networks]
upvoted 2 times

Alialo 1 year, 3 months ago


Selected Answer: C

if you want the computer and IP phone to authenticate separately so that an unauthorized user cannot piggyback on the IP phone’s session. Make
sure to set the 802.1X client-limit to 2 so that the port operates in user-mode and authenticates each device separately.
what is the meaning in A, fallback mode, just combine the MAC-Auth and 802.1X, not fallback
upvoted 1 times

a__p 1 year, 4 months ago


Selected Answer: C

The default for client-limit is 1 "Command specifies the maximum number of clients. Default: 1. Range: 1 to 32 (6200). 1 to 256 (6300, 6400)."
Therefore this needs to be changed
C is correct
upvoted 2 times

d_nat 1 year, 5 months ago


If B refers to MAC authentication, I would choose this, else A. Why I do not believe the answer to be C: the question says:
"Some devices support no form of authentication, and some support 802.1X. Some ports have a VoIP phone and a PC connected to the same port,"
There are devices who support 802.1X and some no authentication at all, which leaves MAC auth as only possibility - or bypassing 802.1X (fallback)
upvoted 3 times

poy4242 1 year, 10 months ago


Selected Answer: C

fallback mode is for the radius part; client limit is for multiple authent on one port (ie phone + pc)

From doc :
aaa port-access authenticator <port-list> client-limit <1-32>

Used after executing aaa port-access authenticator <port-list> to convert authentication from port-based to user-based. Specifies user-based
802.1X authentication and the maximum number of 802.1X-authenticated client sessions allowed on each of the ports in <port-list>. If a port
currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership
to which the port is assigned during the session. If another client session begins later on the same port while an earlier session is active, the later
session will be on the same untagged VLAN membership as the earlier session.
upvoted 1 times

sentinel44 2 years, 1 month ago

Selected Answer: C

C - absolutely correct
upvoted 1 times

aru_n 2 years, 2 months ago


Selected Answer: C

Correct answer is C
upvoted 1 times

Mar_a_Lagoon 2 years, 4 months ago


Pretty sure both A and C are necessary here.
upvoted 1 times

kup 2 years, 5 months ago


C - absolutely correct
upvoted 1 times

AM1234 2 years, 7 months ago


the correct Answer is C
upvoted 2 times

WifiX 2 years, 9 months ago


C is correct page 306 user guide
upvoted 1 times

poris27 2 years, 10 months ago


I think the answer is C. We need to change the client device limit. A is not correct because VOIP device is not for 802.1X
upvoted 4 times
Question #13 Topic 1

Examine the network exhibit.

A company has a guest implementation for wireless and wired access. Wireless access is implemented through a third-party vendor. The company is concerned about wired guest traffic traversing the same network as the employee traffic. The network administrator has established a GRE tunnel between AOS-CX switches where guests are connected to a routing switch in the DMZ.

Which feature should the administrator implement to ensure that the guest traffic is tunneled to the DMZ while the employee traffic is forwarded using OSPF?

A. OSPF route maps using the "set metric" command

B. Policy-based routing (PBR)

C. User-based tunneling (UBT)

D. Classifier policies

Correct Answer: C

Community vote distribution


B (100%)

pabx31 Highly Voted 2 years, 4 months ago

B - my book has this on page 410. Guest traffic can be routed with PBR to use GRE tunnels that terminate in the DMZ.
upvoted 6 times

SeidorBruno Most Recent 7 months, 3 weeks ago

Selected Answer: B

Page 896 Study Guide:


Policy- Based Routing (PBR) - to override normal destination- based routing entries learned by static, OSPF, or BGP routes.
[Aruba Networks]

Page 905 Study Guide:


interface tunnel: Specify a GRE, 6in4 or 6in6 tunnel as the outbound interface for all matching packets. The tunnel must exist before configuring.
Packets sent into the tunnel interface egress at the router at the endpoint of the tunnel. If the tunnel is misconfigured or down the traffic may be
lost.
[Aruba Networks]
upvoted 1 times

Neyce 10 months ago


B: Guest traffic can be routed with PBR to use GRE tunnels that terminate in the DMZ
upvoted 1 times

NetExpert 1 year, 4 months ago


B is correct
upvoted 1 times

d_nat 1 year, 5 months ago

Selected Answer: B

B makes most sense to me. As previously mentioned, there is already a GRE tunnel, so no need for an additional tunnel. With PBR you can steer the
traffic to where you want it
upvoted 1 times
Moreson 1 year, 11 months ago
the key words are 'The network administrator has established a GRE tunnel', so the tunnel is there, no need to build UBT, just a matter of split the
traffic from OSPF, so B should be the one
upvoted 2 times

sentinel44 2 years, 1 month ago


Selected Answer: B

B - my book has this on page 410. Guest traffic can be routed with PBR to use GRE tunnels that terminate in the DMZ.
upvoted 3 times

DianaDecker 2 years, 1 month ago


Selected Answer: B

B is correct
upvoted 1 times

maccchinguwo 2 years, 5 months ago


SORRY B is the correct answer
upvoted 1 times

maccchinguwo 2 years, 5 months ago


the correct answer is C
upvoted 1 times

clupato2 2 years, 5 months ago


I think it's C
upvoted 1 times

AM1234 2 years, 7 months ago


the correct Answer is B
upvoted 1 times

WifiX 2 years, 9 months ago


B is correct page 411 guide
upvoted 3 times

cloud29 2 years, 10 months ago


B is correct
upvoted 2 times

dodds 2 years, 10 months ago


Agreed, B should be the correct answer
upvoted 1 times

poris27 2 years, 10 months ago


I think the answer is B. With PBR we can separate the traffic
upvoted 1 times
Question #14 Topic 1

An administrator has an AOS-CX switch configured with:

router ospf 1

area 0

area 1 stub no-summary

It is the only ABR for area 1. The switch has the appropriate adjacencies to routing switches in areas 0 and 1. The current routes in each area are:

Area 0: 5 routes (LSA Type 1 and 2)

Area 1: 10 routes (LSA Type 1 and 2)

External routes: 2 (LSA Type 5)

Based on the above configuration, how many OSPF routes will routing switches see in Area 1?

A. 15

B. 6

C. 11

D. 12

Correct Answer: C

Community vote distribution


C (100%)

WifiX Highly Voted 2 years, 9 months ago

default route + 10 routes =11


upvoted 18 times

SeidorBruno Most Recent 7 months, 3 weeks ago

Selected Answer: C

Page 397 Study Guide:


The no- summary option transforms a stub area to a totally stub area – it suppresses all external route advertisements as normal for a stub area. It
also prevents the ABR from generating non- aggregated Inter- Area (IA) summary routes for this area.
[Aruba Networks]
upvoted 2 times

devadarshan91730 1 year, 3 months ago


Option c : Totally stub area = intra area routes (local route) + default route
upvoted 2 times

E_Nick 1 year, 4 months ago


Selected Answer: C

It's a completely stub area so no type 5 lsa will come in, only the local routes and the default so 11 is the correct answer for sure.
upvoted 1 times

I_C_U 2 years, 5 months ago


It's a completely stub area so no type 5 lsa will come in, only the local routes and the default so 11 is the correct answer for sure.
upvoted 2 times

AM1234 2 years, 7 months ago


the correct Answer is B
upvoted 2 times

AM1234 2 years, 7 months ago


No, it's C
upvoted 4 times

jagoanneon 2 years ago


How come it's B? The area itself already has 10 routes.
upvoted 1 times
Question #15 Topic 1

A network administrator is managing a network that deploys a multicast service. The administrator has multiple streams successfully being routed by PIM-DM in the network. The administrator then adds a new stream with a destination address of 239.0.0.1. However, clients who have not joined the stream are receiving it.

What should the administrator do to fix this problem?

A. Verify that IGMP is enabled between the switches connecting the multicast source and receivers

B. Change the destination multicast address to 239.1.1.1

C. Define the 239.0.0.1 stream on the rendezvous point (RP)

D. Define the 239.0.0.1 stream on the PIM candidate bootstrap router

Correct Answer: C

Community vote distribution


B (100%)

SeidorBruno 7 months, 3 weeks ago

Selected Answer: B

Page 536 Study Guide:


As a recommendation do not use x.0.0.x or x.128.0.x, since these addresses will overlay with the Link- Local Multicast address scope.
[Aruba Networks]
upvoted 4 times

Neyce 10 months ago


B: MAC/IP overlap. 239.0.0.1 would be the same MAC for 224.0.0.1. 224.0.0.0/24 is always flooded over every port.
upvoted 1 times

Unkn0wnProtocol2 2 years ago

Selected Answer: B

B is correct. MAC/IP overlap. 239.0.0.1 would be the same MAC for 224.0.0.1. 224.0.0.0/24 is always flooded over every port.
upvoted 1 times

sentinel44 2 years, 1 month ago

Selected Answer: B

B correct. Due to MAC/IP overlap, guidelines is to not use x.0.0.x or x.128.0.x addresses.
upvoted 2 times

Disposable_Me_2018 2 years, 4 months ago


A wrong as solution already works.
C wrong as this is PIM-DM
D wrong as this is PIM-DM

B correct. Due to MAC/IP overlap, guidelines is to not use x.0.0.x or x.128.0.x addresses.
upvoted 4 times

kup 2 years, 5 months ago


B correct not use x.0.0.x as destination because overlaps with linklocal - Study book
upvoted 4 times

I_C_U 2 years, 5 months ago


Which study book are you referring to and what page?
upvoted 1 times

mgruber 2 years, 7 months ago


I think it's A. Cause without IGMP enabled on switches between the streams it will be broadcasted to all known devices/clients.
upvoted 2 times

WifiX 2 years, 9 months ago


B is correct page 252
upvoted 2 times

poris27 2 years, 10 months ago


We should never use x.0.0.x as destination
upvoted 4 times

cloud29 2 years, 10 months ago


Why B?
upvoted 1 times

poris27 2 years, 10 months ago


I think the answer is B
upvoted 1 times
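
The MAC/IP overlap that several comments on Question #15 cite can be checked directly. The Python sketch below is an added example, not part of the original page or of any Aruba tooling; its function names and the sample group plan are constructed for illustration, and the premise that 224.0.0.0/24 is flooded on every port is taken from the comments above.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def _low23(group: str) -> int:
    """Validate an IPv4 multicast group and return its low 23 bits."""
    addr = ipaddress.ip_address(group)
    if addr.version != 4 or addr not in MULTICAST:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return int(addr) & 0x7FFFFF


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC address.

    Only the low 23 bits of the IP address are copied behind the fixed
    prefix 01:00:5e, so 5 bits of the group address are lost.
    """
    mac = (0x01005E << 24) | _low23(group)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def aliases(group: str) -> list:
    """List all 32 multicast groups that share this group's MAC."""
    low = _low23(group)
    return [
        str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low))
        for hi in range(32)
    ]


def floods_as_link_local(group: str) -> bool:
    """True if the group's MAC equals the MAC of a 224.0.0.0/24 address.

    224.0.0.0/24 occupies the low-23-bit values 0x000000 to 0x0000ff, which
    is why x.0.0.x and x.128.0.x groups land on the same MACs.
    """
    return _low23(group) <= 0xFF


def audit(groups) -> dict:
    """Return {group: mac} for planned groups that should be renumbered."""
    return {g: multicast_mac(g) for g in groups if floods_as_link_local(g)}


# Constructed sample plan: the stream from the question, the proposed
# replacement, and two further groups for contrast.
PLANNED = ["239.0.0.1", "239.1.1.1", "239.128.0.5", "239.255.0.1"]

if __name__ == "__main__":
    for g in PLANNED:
        flag = "OVERLAPS 224.0.0.0/24" if floods_as_link_local(g) else "ok"
        print(f"{g:<14} {multicast_mac(g)}  {flag}")
```
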
Question #16 Topic 1

Which protocols are used by NetEdit to interact with third-party devices? (Choose two.)

A. telnet

B. SNMP

C. SSH

D. Restful API

E. CDP

Correct Answer: BC

Community vote distribution


BC (100%)

SeidorBruno 7 months, 3 weeks ago

Selected Answer: BC

Page 73 Study Guide:


NetEdit will now also discover and display 3rd party devices that are using standard SNMP MIB’s, and you can enter SSH credentials for 3rd party
devices.
[Aruba Networks]
upvoted 2 times

slotblocker 9 months ago


REST APIs ONLY for Aruba-CX
https://www.arubanetworks.com/assets/ds/DS_NetEdit.pdf
upvoted 1 times

d_nat 1 year, 4 months ago

Selected Answer: BC

For 3rd party devices it is SNMP and SSH.


upvoted 1 times

Rockford 1 year, 4 months ago


BC
For further simplicity, NetEdit automatically discovers new network infrastructure devices using the Link Layer Discovery Protocol (LLDP), using
REST APIs for Aruba CX switches and SNMP for Aruba wireless and third- party devices. Newly connected switches appear automatically in the
Network tab, so you can automate switch configuration change workflows without programming.
NetEdit will now also discover and display 3rd party devices that are using standard SNMP MIB’s, and you can enter SSH credentials for 3rd party
devices.
upvoted 3 times

gravyboy 2 years, 4 months ago


The key point here is 3rd party devices. B & C.
upvoted 1 times

Yoshiki 2 years, 7 months ago


Correct answer should be B and D.
NetEdit automatically discovers
new network infrastructure devices using the Link Layer
Discovery Protocol (LLDP), using REST APIs for Aruba CX switches
and SNMP for Aruba wireless and third-party devices.
https://www.arubanetworks.com/assets/ds/DS_NetEdit.pdf
upvoted 1 times

Itachi22 2 years, 5 months ago


but the study guide specifies that third-party devices discovered by netedit using SNMP and ssh
upvoted 3 times

Itachi22 2 years, 5 months ago


so it's B & C
upvoted 1 times

kup 2 years, 5 months ago


D used for AOS-CX for others not
upvoted 2 times
Question #17 Topic 1

An administrator is implementing a downloadable user role solution involving AOS-CX switches. The AAA solution and the AOS-CX switches can successfully authenticate users; however, the role information fails to download to the switches. What policy should be added to an intermediate firewall to allow the downloadable role function to succeed?

A. Allow TCP 443

B. Allow UDP 1811

C. Allow UDP 8211

D. Allow TCP 22

Correct Answer: C

Community vote distribution


A (92%) 8%

Letu 3 months, 3 weeks ago

Selected Answer: C

If any firewall or network infrastructure device with ACLs are in the path, they must allow GRE and PAPI traffic. Enable GRE on IP protocol 47 and
PAPI on UDP 8211
upvoted 1 times

SeidorBruno 7 months, 3 weeks ago


Selected Answer: A

Page 775 Study Guide:


This means that a HTTPS certificate has to be installed on the edge switch.
[Aruba Networks]
upvoted 3 times

E_Nick 1 year, 4 months ago


Selected Answer: A

HTTPS uses TCP 443, so it is A and not C


upvoted 1 times

NetExpert 1 year, 4 months ago


A is correct
upvoted 1 times

d_nat 1 year, 5 months ago

Selected Answer: A

Answer A is correct. Student Guide Vol2, page 115:


"Roles can be configured locally on the switch using a Local User Role (LUR) or on a
ClearPass server, using a downloadable user role (DUR). Roles that are configured locally
can be assigned via any RADIUS server, using the Aruba-User-Role VSA. When using
DUR, the ClearPass HPE-CPPM-Role VSA is used in combination with HTTPS to transfer
the role to the switch."
upvoted 4 times

JazzyJ151 1 year, 9 months ago


DUR is a CPPM feature, so assumption is that the AAA is CPPM. AOS switches download their roles from CPPM using HTTPS, you just have to put a
CA cert on the switch for the CPPM and reference the FQDN. Definitely A.
upvoted 2 times

SniBBz 1 year, 10 months ago


Selected Answer: A

Answer is A
upvoted 1 times

jordib4 2 years, 1 month ago


pg 681 from the Aruba guide - "When using DUR, the ClearPass HPE-CPPM-Role VSA is used in combination with HTTPS to transfer the role to the
switch."
UDP 8211 (PAPI) is related to dynamic segmentation and the communication to the MC not DUR.
upvoted 2 times

sentinel44 2 years, 1 month ago


Selected Answer: A

HTTPS uses TCP 443, so it is A and not C


upvoted 3 times

Mar_a_Lagoon 2 years, 4 months ago


REST API is used for this, so A HTTPS
upvoted 3 times

kup 2 years, 5 months ago


C only this port mentioned in study book. v2-169
upvoted 1 times

Mrvn 2 years, 7 months ago


C is correct (HTTPS is used between switch and CPPM)
upvoted 1 times

[Removed] 2 years, 7 months ago


And HTTPS uses TCP 443, so it is A and not C
upvoted 4 times

AM1234 2 years, 7 months ago


The correct Answer is A
upvoted 1 times

fasty 2 years, 10 months ago


Correct it is A
upvoted 2 times

poris27 2 years, 10 months ago


I think the answer Should be A because something wrong with HTTPS maybe the switch failed to download the certificate or there is firewall block
TCP443. If UDP 8211 (PAPI) is related for dynamic segmentation instead of DUR
upvoted 3 times
Question #18 Topic 1

A network administrator is attempting to troubleshoot a connectivity issue between a group of users and a particular server. The administrator needs to examine the packets over a period of time from their desktop; however, the administrator is not directly connected to the AOS-CX switch involved with the traffic flow.

What is correct regarding the ERSPAN session that needs to be established on an AOS-CX switch? (Choose two.)

A. On the source AOS-CX switch, the destination specified is the switch to which the administrator's desktop is connected

B. On the source AOS-CX switch, the destination specified is the administrator's desktop

C. The encapsulation protocol used is GRE

D. The encapsulation protocol used is VXLAN

E. The encapsulation protocol is UDP

Correct Answer: BC

Community vote distribution


AC (56%) BC (44%)

vrvinod Highly Voted 2 years, 7 months ago

In AOS CX the remote mirroring is done using a tunnel interface, so the Mirror source and destination must be configured on each Switch. On the
source Switch, the source interface (from where the traffic is mirrored) and destination interface (the tunnel interface to where the traffic is sent to).
In the destination Switch, the source interface (which would be the tunnel interface (receiving the traffic from the source switch tunnel)) and the
destination would be the client where Wireshark enabled client is connected.
So, the answer is A & C.
upvoted 13 times

[Removed] 2 years, 7 months ago


You said it yourself. Target is the client itself, not the switch it is connected to. It's B&C.
upvoted 15 times

cloud29 Highly Voted 2 years, 10 months ago

According to student guide, page 149.


"AOS switches support mirroring to other AOS switches. AOS-CX switches, however, do not support this feature. Instead, the remote mirroring must
be to a device that supports it, like Wireshark"

Thats why, I think that the answer is B and C


upvoted 10 times

joalv Most Recent 4 months, 3 weeks ago


BC. ERSPAN uses layer 3, so can send traffic directly to a device.
https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=43a0aad6-4f7a-4cd2-83a0-3aa846accefd&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
upvoted 1 times

OscarChew 6 months, 1 week ago


Selected Answer: AC

AOS-CX switches also support remote port mirroring, in which the switch forwards the mirrored packets to a destination device. The switch
achieves this by encapsulating the mirrored packets in a GRE header that uses the remote switch’s IP address as the destination. The remote, or
destination, switch is configured to decapsulate traffic from this GRE tunnel and to forward the traffic out an exit port (see the previous slide on
setting up local mirroring).
upvoted 4 times

SeidorBruno 7 months, 3 weeks ago

Selected Answer: BC

Page 159 Study Guide:


ERSPAN is an acronym that stands for encapsulated remote switched port analyzer . ERSPAN mirrors traffic on one or more source ports and
forwards the mirrored traffic to a destination on a remote device. The traffic is encapsulated in generic routing encapsulation (GRE) and is,
therefore, routable across a layer 3 network between the source switch and the destination device, like a packet sniffer, e.g. Wireshark
[Aruba Networks]

In addition in page 160 it says:


Note: AOS switches support mirroring to other AOS switches. AOS- CX switches, however, do not support this feature. Instead, the remote
mirroring must be to a device that supports it, like Wireshark.
[Aruba Networks]
So, definitely B&C
upvoted 3 times

gcg 8 months, 1 week ago


Selected Answer: AC

the desktop of administrator is in other switch and the ERSPAN can send its traffic to the desktop administrator.
upvoted 1 times

slotblocker 9 months ago


B and C, I found a guide for Aruba - ERSPAN solution with a workstation as a destination address.

https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=43a0aad6-4f7a-4cd2-83a0-3aa846accefd&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
upvoted 2 times

alex711 11 months, 4 weeks ago


Selected Answer: BC

BC is correct.
upvoted 1 times

tcan4075 1 year, 2 months ago

Selected Answer: BC

BC based on Airheads community


upvoted 2 times

sirtack 1 year, 2 months ago


https://community.arubanetworks.com/blogs/esupport1/2021/06/28/arubaos-cx-send-mirrored-traffic-to-workstation-with-erspan
So BC
upvoted 1 times

IV2709 1 year, 3 months ago


Selected Answer: BC

GRE tunnel to the admin's desktop directly


upvoted 1 times

IV2709 1 year, 3 months ago

Selected Answer: BC

GRE to the admin's wireshark directly


upvoted 1 times

devadarshan91730 1 year, 3 months ago


The question clearly says "the administrator is not directly connected to the AOS-CX switch" how come option A comes in. Answer is B and C.
upvoted 1 times

d_nat 1 year, 4 months ago

Selected Answer: BC

I have to correct myself: B&C look correct, as per my review of the documentation:
"The traffic is encapsulated in generic routing encapsulation
(GRE) and is, therefore, routable across a layer 3 network between the source switch and
the destination device, like a packet sniffer, e.g. Wireshark."
upvoted 1 times

E_Nick 1 year, 4 months ago


Selected Answer: AC

A&C are correct per the study guide


upvoted 3 times

Rockford 1 year, 4 months ago


AC
My switching guide states that:
Packet captures can facilitate network troubleshooting. To facilitate this, you configure an appropriate switch or switches for port mirroring.
You are telling the switch that traffic for some source port should be copied or mirrored to some destination.
This could be:
• local storage on the switch itself
• A local port on the switch, to which you have attached some capture device – perhaps a Linux or Windows host running the popular Wireshark
utility or similar. You can then use the packet capture utilities on your capture device for traffic analysis.
• Tunnelled to some remote switch, where a capture device is attached.
upvoted 1 times

Rockford 1 year, 4 months ago


Also:
AOS- CX switches also support remote port mirroring, in which the switch forwards the mirrored packets to a destination device. The switch
achieves this by encapsulating the mirrored packets in a GRE header that uses the remote switch’s IP address as the destination. The remote, or
destination, switch is configured to decapsulate traffic from this GRE tunnel and to forward the traffic out an exit port.
upvoted 1 times

NetExpert 1 year, 4 months ago


B and C are correct.
upvoted 3 times
Question #19 Topic 1

What is correct regarding the operation of VSX and multicasting with PIM-SM routing configured?

A. Each VSX peer runs PIM and builds its own group database. One of the VSX peers is elected as the designated router (DR) to forward multicast streams to a receiver VLAN

B. Each VSX peer runs PIM and creates a shared group database. Both VSX peers can forward multicast streams to receivers in a VLAN, achieving load sharing

C. Each VSX peer runs PIM and builds its own group database. Both VSX peers can forward multicast streams to receivers in a VLAN, achieving load sharing

D. Each VSX peer runs PIM and creates a shared group database. One of the VSX peers is elected as the designated router (DR) to forward multicast streams to a receiver VLAN

Correct Answer: B

Community vote distribution


A (63%) D (38%)

SeidorBruno 7 months, 3 weeks ago

Selected Answer: A

Page 634 Study Guide:


Both VSX peers have the same Control Plane information. This means that both members will be able to establish PIM neighborships, send PIM
Join messages to the RP and Build a Shortest Path Tree (SPT). However, multicast traffic (data plane) is only routed from the VSX peer that acts as
the PIM DR. The mechanism to have a pre- established Control Plane on both VSX peers permits the VSX cluster to achieve a fast fail over in case
the PIM DR fails.
[Aruba Networks]
upvoted 3 times

Redrum702 8 months, 3 weeks ago


A: In Aruba VSX (Virtual Switching Extension), the VSX peers do not run PIM (Protocol Independent Multicast) individually and maintain their own
multicast group databases.
upvoted 1 times

Redrum702 8 months, 4 weeks ago


A: Multicast Traffic Flow: In a VSX environment with PIM-SM, multicast traffic is forwarded based on the multicast distribution tree established by
PIM-SM. Each physical switch in the VSX pair independently participates in the PIM-SM operations, including joining the appropriate multicast
distribution tree and forwarding multicast traffic accordingly.

VSX and Multicast: When operating VSX and using PIM-SM routing, each physical switch within the VSX pair independently runs PIM-SM. This
means that each switch has its own RP and maintains its own multicast routing tables.
upvoted 1 times

slotblocker 9 months ago


Answer is A:

Multicast traffic to these IGMP groups is pruned/forwarded based on the individual IGMP group database on each VSX node. ISLP does not
synchronize IGMP groups between VSX peers.

Source:
https://www.arubanetworks.com/techdocs/AOS-CX/10.06/HTML/5200-7727/Content/Chp_prev_traf_loss/igm-sno-10.htm
upvoted 2 times

Alialo 1 year, 3 months ago


Selected Answer: A

I think the answer is A.


Each VSX switch has an identical IGMP group database:
• Each VSX node individually learns any JOIN/LEAVE message received from a downstream VSX LAG.
• The VSX IGMP process translates the received IGMP from the ISL into an IGMP join message from the VSX LAG.
Multicast traffic to these IGMP groups is pruned/forwarded based on the individual IGMP group database on each VSX node. ISLP does not
synchronize IGMP groups between VSX peers. The IGMP database construction is a data-plane based process.
- Chapter 7, Preventing traffic loss, "ArubaOS-CX Virtual Switching Extension (VSX) Guide for 10.03"
upvoted 3 times

IV2709 1 year, 3 months ago

Selected Answer: D

Answer D
Same routing table for fast failover and one is elected DR and share traffic and the other one is DR Proxy.
upvoted 3 times

E_Nick 1 year, 4 months ago

Selected Answer: A

As the question stands A is correct.


upvoted 2 times

omen 1 year, 5 months ago

Selected Answer: D

In my opinion it is D... A also sounds quite good, but it is crucial that both VSX peers have and use the same multicast tables. "Both the DR and
proxy DR maintain the same multicast tables and build the shortest path tree."
Reference: https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7888/Content/Chp_Pre_tra_loss/ip-mul-rou-10.htm
upvoted 3 times

  omen 1 year, 5 months ago


I have to correct my statement, it is answer A. The IGMP Group DB is a copy, each peer has its own database
upvoted 2 times

  Moreson 1 year, 11 months ago


"both VSX switches as a PIM Designate Router (DR). One node is the actual DR, the other node is the proxy DR."

"Only the actual DR performs multicast routing and forward traffic destined to groups to its downstream VLANs in the data-path."

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7888/Content/Chp_Pre_tra_loss/ip-mul-rou-10.htm
upvoted 2 times

  sentinel44 2 years, 1 month ago

Selected Answer: A

it should be A
upvoted 2 times

  Mar_a_Lagoon 2 years, 4 months ago


As the question stands A is correct. As Mrvn says, each VSX peer can be the DR for a VLAN, but not both at the same time.
upvoted 2 times

  kup 2 years, 5 months ago


In study book we can see that one peer stands as DR. Means it's A or D. I preferred A
upvoted 2 times

  Mrvn 2 years, 7 months ago


C answer can be misleading though..
Each VSX peers runs PIM and builds its own group database.= correct
Both VSX peers can forward multicast streams to receivers in a VLAN, = not same VLAN !
achieving load sharing = correct only if each VSX is configured as DR for different VLANs
so answer A could be more correct as it is less open for misinterpretation
upvoted 4 times

  Mrvn 2 years, 7 months ago


C is correct
upvoted 3 times

  AM1234 2 years, 7 months ago


The correct Answer is A
upvoted 1 times

  clupato2 2 years, 8 months ago


Yes: it should be A.
upvoted 1 times

  cloud29 2 years, 10 months ago


The answer should be A
upvoted 1 times
Question #20 Topic 1

An administrator wants to track what configuration changes were made on a switch. What should the administrator implement to see the
configuration changes on an AOS-CX switch?

A. AAA authorization

B. Network Analysis Engine (NAE)

C. AAA authentication

D. VSX synchronization logging

Correct Answer: B

Community vote distribution


B (100%)

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: B

Page 85 Study Guide:


The Audit feature records all hardware and software versions, as well as other configuration changes. You can then search and view all changes, or
groups of changes. This allows you to track all changes to hardware, software, and configurations with automated versioning whether made
through NetEdit or directly on the switch. You can immediately rollback to any previous configuration. You can perform these rollbacks selectively,
based upon factors such as the location of the switches or the date of the changes.
[Aruba Networks]
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: B

B is correct
upvoted 1 times

  darthandy 2 years, 2 months ago


There's an agent you can install on a switch that tracks all network configurations using NAE.
upvoted 1 times

  Mar_a_Lagoon 2 years, 4 months ago


I think B is supposed to be NetEdit, not NAE
upvoted 2 times

  Disposable_Me_2018 2 years, 4 months ago


How is B correct?
upvoted 1 times

  I_C_U 2 years, 5 months ago


B is the answer
upvoted 1 times

  Kevin1983 2 years, 7 months ago


B is correct
upvoted 3 times
Question #21 Topic 1

Examine the AOS-CX switch output:

Based on this output, what is correct?

A. 802.1X authentication was successful, but MAC authentication is yet to start

B. 802.1X authentication occurred and downloadable user roles are deployed

C. A local user role was deployed using a ClearPass solution

D. Only 802.1X authentication is configured on the port

Correct Answer: B

Community vote distribution


B (85%) D (15%)

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: B

Page 435 Lab Guide:


In this example, the numbers 3044 and 7.
3044: Every enforcement profile in ClearPass has an internal object number, the range
starts at 3000. This is the unique identifier of the enforcement profile, while the name
makes it easy to recognize it.
7: This is the version number. Every time an enforcement profile is saved, the version
number is incremented with 1.
The complete DUR consists of:
• Enforcement Profile name: aruba_contractor
• Enforcement Profile internal object number: 3044
• Enforcement Profile version number: 7
upvoted 3 times

  Redrum702 8 months, 3 weeks ago


Correction B: When the configuration status shows "applied," it means that the specified AAA settings are in effect and active on the AOS-CX
switch. This confirms that the configured authentication and authorization parameters are being used to control user access and permissions on
the network.
upvoted 3 times

  Redrum702 8 months, 4 weeks ago


D: If the output of the command show aaa authentication port-access interface <interface> client-status on an Aruba switch shows that "dot1x" is
authenticated but "mac-auth" is not attempted, it means that the switch is successfully performing 802.1X authentication for clients on that
interface, but it is not attempting MAC authentication.
upvoted 1 times

  Killorp 1 year, 8 months ago

Selected Answer: B

I too think it's B. The role 'aruba_contractor-3044-7' is the exact correct format for a DUR. See page 814.
upvoted 1 times

  moe706706 9 months, 2 weeks ago


what do you mean by correct format ? you can name the role as you wish , the name doesn't point whether role is locally pushed or downloaded
via clearpass. Actually, the role information section from the show command is where we can find out whether it's local or clearpass, since it's
shown in the output so what we only conclude from this that 802.1x is the only method of authentication , so D is the correct answer
upvoted 1 times

  Luke80 2 years ago


Selected Answer: B

Look at the role that has been applied - looks like a typical DUR
upvoted 4 times

  jordib4 2 years, 1 month ago


Selected Answer: B

I think that it's B. because the Role has been assigned as per the book page 723.
upvoted 3 times

  DianaDecker 2 years, 1 month ago


Selected Answer: D

It is D. (Book pages 703 & 711)


No mac-auth configured.
upvoted 2 times

  filthyx 2 years, 3 months ago


B seems correct. The precedence is: 802.1x and if it times out, mac-auth.
upvoted 3 times

  Cloudeiv 2 years, 7 months ago


B is correct
upvoted 3 times

  Linares1234 2 years, 4 months ago


i think that it's A
upvoted 1 times
Question #22 Topic 1

An administrator in a company of 349 users has a pair of AOS-CX switches with connections to external networks. Both switches are configured
for OSPF. The administrator wants to import external routes on both switches, but assigns different seed metrics to the routes, as well as imports
them as external type-1 routes.

What is the best way for the administrator to accomplish this?

A. Create a route map with the correct route type and metrics

B. Define the route type and metrics in the OSPF process

C. Create a classifier policy with the correct route type and metrics

D. Define a class and policy map with the correct route type and metrics

Correct Answer: A

Community vote distribution


A (100%)

  AM1234 Highly Voted  2 years, 7 months ago

The correct Answer is A


upvoted 6 times

  SeidorBruno Most Recent  7 months, 3 weeks ago

Selected Answer: A

Page 381 Study Guide


Page 235 Lab Guide:
Configure a route map to control external cost types, such as Metric type1 and type2.
upvoted 2 times

  E_Nick 1 year, 4 months ago

Selected Answer: A

A is correct
upvoted 1 times

  WifiX 2 years, 9 months ago


A is correct page 182 user guide
upvoted 2 times

  cloud29 2 years, 10 months ago


Sorry, A is correct.
"To change the LSA metric-type (type 1 or 2), you must use a route map."
upvoted 1 times

  cloud29 2 years, 10 months ago


Shouldn't it be B?
upvoted 1 times
Question #23 Topic 1

An administrator is concerned about the security of the control plane connection between an AOS-CX switch and an Aruba Mobility Controller
(MC) when implementing user-based tunneling. How should the administrator protect this traffic?

A. IPSec with a digital certificate

B. GRE with a pre-shared key

C. PAPI with an MD5 pre-shared key

D. IPSec with a pre-shared key

Correct Answer: C

Community vote distribution


C (100%)

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: C

Page 762 Study Guide:


Important: You should always implement PAPI MD5 security to protect communications between the controller and switch, as well as protecting
against malicious misuses of licenses, since each switch request consumes a license(s) on the MC.
[Aruba Networks]
upvoted 2 times

  d_nat 1 year, 4 months ago


Selected Answer: C

I think it is C. Implementing ArubaOS-CX Switching Rev 20.21, page 164:


"(...) However, where APs use IPSec to protect the PAPI connection between
the AP and MC, AOS-CX switches do not support this protection. Instead, you can optionally
implement an MD5 HMAC function to protect PAPI between the AOS-CX switches and MCs"
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: C

Agreed, answer is C
upvoted 1 times

  Kevin1983 2 years, 7 months ago


C (page 785 Study Book)
upvoted 3 times

  AM1234 2 years, 7 months ago


The correct Answer is C
upvoted 1 times

  Moshiko 2 years, 9 months ago


The answer is C, Page 343
upvoted 2 times
Question #24 Topic 1

A network administrator is implementing a configuration plan in NetEdit. The administrator used NetEdit to push the configuration plan to the
switch. Which option in the NetEdit planning section should the administrator select to save the configuration running on the switch to the
startup-config?

A. EDIT

B. VALIDATE

C. COMMIT

D. DEPLOY

Correct Answer: C

Community vote distribution


C (100%)

  Kaldimaar Highly Voted  2 years, 6 months ago

C. Deploy puts the config to running-config, Commit saves it to startup-config.


upvoted 7 times

  SeidorBruno Most Recent  7 months, 3 weeks ago

Selected Answer: C

Page 83 Study Guide:


Write (Commit) the deployed running configuration to startup.
[Aruba Networks]
upvoted 2 times
Question #25 Topic 1

Examine the network exhibit:

The ACL configuration defined on Core-1 is as follows:

If telnet was being used, which device connection would be permitted and functional in both directions? (Choose two.)

A. Client 3 to Client 2

B. Client 1 to Client 2

C. Server 2 to Client 2

D. Server 1 to Client 1

E. Client 1 to Client 3

Correct Answer: BE

Community vote distribution


BD (92%) 8%

  pabx31 Highly Voted  2 years, 4 months ago

E is wrong
Inbound VACL will apply to all ports that are receiving the VLAN traffic. Client 1 may be able to reach client 3 but the traffic will not return since it
will be dropped by the VACL.
B is correct because the traffic never crosses the core so the VACL is not used.
D is correct because the server is inbound to VLAN 10 so VACL is not used and return traffic is permitted by VACL.
C is wrong because the return traffic will cross the ACL and is not permitted for client 2.
This picture is in my book and traffic flow is explained.
upvoted 7 times

  sentinel44 Highly Voted  2 years, 1 month ago

Selected Answer: BD

BD is correct
upvoted 6 times

  udo2020 Most Recent  5 months, 1 week ago


The only valid solution is B and E because traffic within vlan 20 is not affected from the VACL. Traffic from server 1 will be blocked because of a
wrong IP source.
upvoted 1 times

  OscarChew 6 months, 1 week ago

Selected Answer: BE

BE is correct
upvoted 1 times

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: BD

CLIENT1 - CLIENT2 - pass - Forwarded by Access2, no need to go through CORE1


SERVER1- CLIENT1 - pass - Server 1 inbound VLAN10 on CORE1 return traffic from CLIENT1 in VLAN 20 match the ACL and is permitted.
upvoted 3 times

  poy4242 1 year, 10 months ago


Selected Answer: BD

CL3 - CL2 - drop on forward path by core1 cause match VLAN 20 and CL3 not CL1 as SRC IP
CL1 - CL2 - pass - no ACL cause forwarded by Access2
SR2 - CL2 - pass on forward path by core1 cause match VLAN 10
Drop on return path by core1 cause match VLAN 20 and no CL1 as SRC IP
SR1 - CL1 - pass on forward path by core1 cause match VLAN 10
pass on return path by core1 cause match VLAN 20 and CL1 as SRC IP
CL1 - CL3 - pass on forward path by core1 cause match VLAN 20 and CL1 as SRC IP
drop on return path by core1 cause match VLAN 20 and not CL1 but CL3 as SRC IP
upvoted 2 times

  Mar_a_Lagoon 2 years, 3 months ago


E is correct because that traffic never passes through core, so never hits the VACL.
upvoted 2 times

  Disposable_Me_2018 2 years, 4 months ago


Only correct answer I can see is B.
Can somebody explain how options D or E can operate in both directions through that VACL?
upvoted 1 times

  gondolf 1 year, 10 months ago


D - because initial traffic (inbound vlan 10) is not matched on VACL to the client, but return traffic (inbound vlan 20) is matched and permitted
by ACL.
upvoted 2 times

  kup 2 years, 5 months ago


BE correct. Servers in another vlan and must go thru core from another interface and our rule will not match this traffic. a has an implicit deny
upvoted 3 times

  I_C_U 2 years, 5 months ago


what you seem to be forgetting here is the VACL will only apply on core 1 for traffic that is coming into the switch and into VLAN 20, so any device
outside VLAN 20 will not have the source IP of the client. Hence B and E are correct.
upvoted 3 times

  clupato2 2 years, 6 months ago


B & E is correct. ACL permits traffic only from 10.101.20.21/32 IP address that is Client1.
The question asks for a connection "in both directions". So only devices in the same VLAN can communicate in both directions, as they are not
affected by a VACL.
upvoted 3 times

  seb6869 2 years, 6 months ago


The correct answer is B&D
upvoted 1 times

  AM1234 2 years, 7 months ago


The correct Answer is B&D
upvoted 1 times

  Williams926 2 years, 8 months ago


I think correct answer is B&D. Because inbound VACL filters all traffic that arrives on a VLAN whether switched or routed.
upvoted 2 times

  public2002 2 years, 9 months ago


So D&E are the only possible connections. Client1 to Client2 will work but not affected by the ACL
upvoted 1 times

  public2002 2 years, 9 months ago


and the telnet traffic must flow through the core switch
upvoted 1 times

  public2002 2 years, 9 months ago


telnet can only be spoken with Client1. A VACL rules L2 and L3 traffic. Ergo, Client 1 must be involved if the VACL must permit the traffic
upvoted 1 times
Question #26 Topic 1

An administrator has an aggregation layer of 8325CX switches configured as a VSX pair. The administrator is concerned that when OSPF network
changes occur, the aggregation switches will respond to the changes slowly, and this will affect network connectivity, especially VoIP calls, in the
connected access layer switches.

What should the administrator do on the aggregation layer switches to alleviate this issue?

A. Implement route aggregation

B. Implement bidirectional forwarding detection (BFD)

C. Reduce the hello and dead interval timers

D. Implement graceful restart

Correct Answer: A

Community vote distribution


A (57%) B (43%)

  I_C_U Highly Voted  2 years, 5 months ago

Answer is A, question is asking about OSPF routing changes and not about the neighbour going down. BFD is useful only when neighbour goes
down. If you aggregate routes then there will be less chance of the individual routing change impacting this router
upvoted 11 times

  watermellonhead 2 years, 5 months ago


100% Agree. Answer is A. "Network Changes" mean route table updates not neighbors going down which would be the only reason B would
make sense.
upvoted 9 times

  SeidorBruno Most Recent  7 months, 3 weeks ago

Selected Answer: A

Page 368 Study Guide


upvoted 3 times

  Greenmile84 8 months, 1 week ago


Should be B.

Fast convergence, including features like BFD, VSX operations with OSPF and OSPF graceful restart
upvoted 1 times

  slotblocker 8 months, 3 weeks ago


BFD

" We can tune timers for fast convergence, for example OSPF can be configured to use a dead interval of only one second. The problem however is
that all of these protocols were never really designed for sub-second failover. Hello packets and such are processed by the control plane so there is
quite some overhead. BFD was designed to be fast, its packets can be processed by some interface modules or line cards so there isn’t much
overhead.

BFD runs independent from any other (routing) protocols. Once it’s up and running, you can configure protocols like OSPF, EIGRP, BGP, HSRP,
MPLS LDP etc. to use BFD for link failure detection instead of their own mechanisms. When the link fails, BFD will inform the protocol. "
upvoted 1 times

  Redrum702 8 months, 4 weeks ago


A: the question implies a routing update has occurred so route aggregation is the only suitable answer
upvoted 1 times

  Alialo 1 year, 3 months ago


Selected Answer: B

i think B makes most sense in this scenario.


It is one VSX in AGGREGATION layer, not Core Layer, and affects the service from Access layer.
when i see the route aggregation in A, the first thing that came to mind is ABR.
BTW, in study guide, Aruba explained the BFD and how to use it direct after the chapter OSPF Failover and Convergence.
upvoted 3 times

  devadarshan91730 1 year, 3 months ago


OSPF aggregation combines groups of routes with common addresses into a single routing table entry.
However, The Bidirectional Forwarding Detection (BFD) protocol is a simple hello mechanism that detects failures in a network.
The question says "network changes occur," which in case a link failure or link flap, where BFD fits well.
upvoted 1 times
  d_nat 1 year, 4 months ago

Selected Answer: A

For me, A makes most sense. As these are aggregation switches, aggregating the routes makes sense. B (BFD) concerns with a peer being not
reachable anymore, so it does not apply in this case. C won't help, as it concerns also the reachability of peers.
I fail to see the benefit in respond time of D
upvoted 1 times

  rasmusbirkelund 1 year, 5 months ago


While I can certainly see that B would be the the answer, as it provides faster detection when a neighbor fails, the question states that the
Administrator is concerned about network changes, and that the Agg-pair will respond slowly. Wouldn't Graceful Restart be the best option here?
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: A

The question is about an aggregation switch and not about a core, therefore A makes the most sense... B,C and D would make sense if we were
talking about the Core.
upvoted 2 times

  JazzyJ151 1 year, 9 months ago

Selected Answer: B

BFD - those echos will fail faster than the ospf hello/dead timers.
upvoted 1 times

  poy4242 1 year, 10 months ago

Selected Answer: A

B will reduce neighbor failure detection, aggregating route will reduce the possibility of route calculation when topology change
upvoted 2 times

  sentinel44 2 years, 1 month ago


Selected Answer: B

B is correct (Book 437 & 438)


upvoted 1 times

  DianaDecker 2 years, 1 month ago


Selected Answer: B

B is correct (Book 437 & 438)


upvoted 1 times

  AM1234 2 years, 7 months ago


The correct Answer is B
upvoted 2 times

  cloud29 2 years, 10 months ago


I think the answer is B

"BFD tests the connectivity between two IP addresses in a BFD session. BFD reports when connectivity is lost. The router (or routing switch) can
then use that information to take the appropriate actions, depending on the functions to which you have tied BFD"
upvoted 3 times

  d_nat 1 year, 4 months ago


It states " BFD reports when connectivity is lost." So this is about a peer failure, not a routing change. That's why I think A is correct
upvoted 1 times

  poris27 2 years, 10 months ago


I think the answer should be B. BFD can detect for non direct-connection interface
upvoted 4 times
Question #27 Topic 1

How is NetEdit installed at a customer location?

A. Via an Aruba NetEdit hardware appliance

B. Via a DVD using a virtualized platform like Microsoft's Hyper-V

C. Via the Aruba Central cloud solution

D. Via an OVA file and a virtualized platform like VMware's ESXi

Correct Answer: D

Community vote distribution


D (100%)

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: D

Page 61 Study Guide:


NetEdit runs as an Open Virtualization Application (OVA) virtual machine (for example, VMware’s ESXi, KVM, Hyper-V, etc.) on a server.
[Aruba Networks]
upvoted 2 times

  d_nat 1 year, 4 months ago

Selected Answer: D

You download the OVA from asp.arubanetworks.com and deploy it, so D is correct
upvoted 1 times

  JazzyJ151 1 year, 9 months ago

Selected Answer: D

Only available as OVA.


upvoted 1 times

  SniBBz 1 year, 10 months ago

Selected Answer: D

D is correct
upvoted 1 times

  sentinel44 2 years, 2 months ago


Selected Answer: D

D is correct
upvoted 3 times

  AM1234 2 years, 7 months ago


D correct
upvoted 3 times
Question #28 Topic 1

What is correct regarding multicasting and AOS-CX switches?

A. IGMP snooping is disabled, by default, on Layer-2 VLAN interfaces

B. IGMP query functions are enabled, by default, on Layer-2 VLAN interfaces

C. IGMP snooping is enabled, by default, on Layer-3 VLAN interfaces

D. IGMP-enabled AOS-CX switches flood unknown multicast destinations

Correct Answer: D

Community vote distribution


A (79%) D (21%)

  AM1234 Highly Voted  2 years, 7 months ago

The correct Answer is A


upvoted 6 times

  sentinel44 Highly Voted  2 years, 1 month ago

Selected Answer: A

Correct answer is A
upvoted 6 times

  onaicul Most Recent  7 months, 1 week ago

A is correct : https://www.arubanetworks.com/techdocs/AOS-CX/10.11/HTML/cli_6200/Content/Chp_igmp_sno/igmp_sno_cmds/ip-igm-sno-vlan.htm
upvoted 1 times

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: D

Page 565 Study Guide:


One exception applies: an IGMP snooping switch DOES forward both unknown and known multicasts on any port on which it has heard IGMP
queries – port 1/1 in the figure. This behavior is required so that a multicast stream can reach the multicast router. In fact, by default, the switch
forwards unknown multicasts that arrive on one VLAN on any port on which it has heard queries in any VLAN. To change this behavior and
restrict forwarding to querier ports for that specific VLAN, enter the command: Switch(config)# ip igmp snooping drop-unknown vlan-exclusive
[Aruba Networks]
upvoted 3 times

  mammoura 7 months ago


The IGMP enabled switch will filter the unknown traffic , but the IGMP-snooping switch will forward it. so I think D is not correct
upvoted 1 times

  Redrum702 8 months, 3 weeks ago


Disregard my answer of B. The correct answer is A :)
upvoted 2 times

  Redrum702 8 months, 4 weeks ago


B: On Aruba AOS-CX switches, IGMP query functions are enabled by default on Layer-2 VLAN interfaces. IGMP (Internet Group Management
Protocol) queries are used to discover multicast group memberships and maintain the multicast group membership information within a VLAN.

When IGMP snooping is enabled on a Layer-2 VLAN interface, the switch actively sends IGMP queries to the hosts within the VLAN to discover
which multicast groups they are interested in. These queries allow the switch to build and maintain the multicast forwarding tables, ensuring that
multicast traffic is forwarded only to the ports where interested receivers are located.

A is incorrect: on Aruba AOS-CX switches, IGMP snooping is enabled by default on Layer-2 VLAN interfaces. IGMP snooping is a feature that allows
switches to monitor IGMP messages exchanged between hosts and multicast routers, enabling the switch to learn which hosts are interested in
receiving specific multicast traffic and selectively forward the multicast traffic to those hosts.
upvoted 1 times

  QiQi 10 months, 2 weeks ago


Selected Answer: A

IGMP default configuration:


IGMP is disabled by default.
The default IGMP version is IGMPv3.
https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7876.pdf page17
upvoted 1 times

  alex711 11 months, 3 weeks ago


I think it is D
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: A

Correct answer is A
upvoted 2 times

  aru_n 2 years, 2 months ago


Selected Answer: A

Correct answer is A
upvoted 2 times

  clupato2 2 years, 8 months ago


I think the answer is A
upvoted 3 times

  Davidkanigui1 2 years, 8 months ago


I agree the answer should be A
upvoted 2 times

  cloud29 2 years, 10 months ago


The answer should be A
upvoted 3 times

  poris27 2 years, 10 months ago


I think the answer is A
upvoted 4 times
Question #29 Topic 1

A company has recently upgraded their campus switching infrastructure with AOS-CX switches. They have implemented 802.1X authentication on
access ports where laptop and IOT devices typically connect. An administrator has noticed that for POE devices, the AOS-CX switch ports are
delivering the maximum wattage to the port instead of what the device actually needs. Upon connecting the IoT devices, the devices request the
maximum wattage through information exchange.

Concerned about this waste of electricity, what should the administrator implement to solve this problem?

A. Implement a classifier policy with the correct power definitions

B. Create device profiles with the correct power definitions

C. Enable AAA authentication to exempt LLDP and/or CDP information

D. Globally enable the QoS trust setting for LLDP and/or CDP

Correct Answer: B

Community vote distribution


C (75%) B (25%)

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: C

Page 875 Study Guide:


Device profile with LLDP-MED
First the devices do a handshake to negotiate PoE, if required.
[Aruba Networks]......
If you are implementing authentication on the port, like 802.1X, MAC authentication, or captive portal, remember to allow LLDP: switch(config)#
interface <interface-ID> switch(config-if)# aaa authentication port-access allow-lldp-bpdu
[Aruba Networks]
upvoted 2 times

  Redrum702 8 months, 4 weeks ago


B: Device Profiles provide for PoE Priority and Allocation of power
upvoted 2 times

  alex711 11 months, 4 weeks ago


Selected Answer: B

B is correct, see the link.


https://www.arubanetworks.com/techdocs/central/latest/content/nms/aos-switch/cfg/conf-device-profile.htm
upvoted 2 times

  Jo2241 1 year, 4 months ago

Selected Answer: C

Answer C
- The negotiation must take place before the authentication. Whether for LLDP or CDP (e.g.: voip phone or camera)
upvoted 2 times

  Jo2241 1 year, 4 months ago

Selected Answer: C

Answer C
- Disable LLDP on the switch makes no sense.
upvoted 2 times

  Rockford 1 year, 4 months ago


Agree C:
When phones receive Power over Ethernet (PoE) from the switch, LLDP-MED can help the switch allocate and deliver exactly the power that the
phone needs.
If you are implementing authentication on the port, like 802.1X, MAC authentication, or captive portal, remember to allow LLDP:
switch(config)# interface <interface-ID> switch(config-if)# aaa authentication port-access allow-lldp-bpdu
upvoted 2 times

  Seegurke9 1 year, 4 months ago


Answer C; p.359
upvoted 4 times
Question #30 Topic 1

A company requires access by all users, guests, and employees to be authenticated. Employees will be authenticated using 802.1X, whereas
guests will be authenticated using captive portal. Which type of authentication must be configured on an AOS-CX switch ports where both guests
and employees connect?

A. Both 802.1X and captive portal

B. 802.1X only

C. Both 802.1X and MAC-Auth

D. 802.1X, captive portal, and MAC-Auth

Correct Answer: B

Community vote distribution


C (95%) 5%

  sentinel44 Highly Voted  2 years, 1 month ago

Selected Answer: C

C is correct.
Employees use 802.1x
The Aruba guest solution uses MAC-auth.
The Portal is not configured on the switch port.
upvoted 8 times

  poris27 Highly Voted  2 years, 10 months ago

I think the answer should be C


upvoted 5 times

  Pierrou Most Recent  3 months, 3 weeks ago

Selected Answer: C

https://www.arubanetworks.com/techdocs/Instant_85_WebHelp/Content/instant-ug/authentication/mac-cpportal-au.htm
upvoted 1 times

  onaicul 7 months, 1 week ago


C is correct
Not configurable captive portal on switch only MAC-auth and 802.1x
upvoted 1 times

  SeidorBruno 7 months, 3 weeks ago

Selected Answer: C

Page 929 Study Guide:


The captive portal solution provides user access based on http/https redirection. First the client does MAC or 802.1X authentication.
[Aruba Networks]
upvoted 2 times

  hongducnp 9 months, 4 weeks ago

Selected Answer: B

B is correct.
upvoted 1 times

  Alialo 1 year, 3 months ago

Selected Answer: C

After successful authentication on captive portal server, the client will go through MAC authentication on the switch and upon successful
authentication, the client will get the access to the internet.
upvoted 1 times

  Killorp 1 year, 8 months ago

Selected Answer: C

I think C is correct. See page 977 Study Guide. Unregistered device.


Authentication on Port :
Required: RADIUS MAC-Auth
Optional add on: 802.1X (for employee onboarding solutions)
upvoted 3 times

  guidogiesen 1 year, 9 months ago


Captive Portal should manage MAC-address itself, no need mac-auth configured on the switch port I believe. only 802.1x needed
upvoted 1 times

  Luke80 2 years, 1 month ago

Selected Answer: C

C is correct - also see page 334 on official student guide vol 2


upvoted 4 times

  Disposable_Me_2018 2 years, 4 months ago


C is correct.
Employees use 802.1x
The Aruba guest solution uses MAC-auth.
The Portal is not configured on the switch port.
upvoted 3 times

  Mrvn 2 years, 7 months ago


C is the correct answer - MAC-auth (for captive portal) and 802.1x on port config
upvoted 4 times

  kup 2 years, 5 months ago


AAA needed for captive, not MAC address
upvoted 1 times

  clupato2 2 years, 6 months ago


You don't need MAC-auth for GUESTS users through a captive portal.
upvoted 2 times

  AM1234 2 years, 7 months ago


The correct Answer is C
upvoted 1 times

  clupato2 2 years, 8 months ago


B is correct. You configure captive-portal authentication globally on the switch, but ON THE PORTS, you only need 802.1X
upvoted 4 times

  cloud29 2 years, 10 months ago


If the guests need to be authenticated with captive portal, why D is not the correct answer?
upvoted 1 times

  [Removed] 2 years, 10 months ago


Because "Captive Portal" is not a configurable option with cx switches.
upvoted 2 times
Question #31 Topic 1

Examine the output from an AOS-CX switch implementing a dynamic segmentation solution involving downloadable user roles:

Switch# show port-access role clearpass
Role information:
Name : icxarubadur_employee-3044-2
Type : clearpass -
Status: failed, parsing_failed -
Reauthentication Period :
Authentication Mode :
Session Timeout :

The downloadable user roles are not being downloaded to the AOS-CX switch. Based on the above output, what is the problem?

A. The certificate that ClearPass uses is invalid

B. The AOS-CX switch does not have the ClearPass certificate involved

C. DNS fails to resolve the ClearPass server's FQDN

D. There is a date/time issue between the ClearPass server and the switch

Correct Answer: A

Community vote distribution


C (100%)

  sentinel44 Highly Voted  2 years, 1 month ago

Selected Answer: C

C is correct DNS - page -2/201


upvoted 5 times

  SeidorBruno Most Recent  7 months, 3 weeks ago

Selected Answer: C

Page 789:
parsing_failed status, typically indicative of either a DNS or network connectivity issue.
[Aruba Networks]
upvoted 3 times

Greenmile84 8 months ago


Sorry, my mistake

Answer C 100%

a parsing failed status typically indicative of either a DNS, or network connectivity issue
upvoted 1 times

Greenmile84 8 months, 1 week ago


Answer D 100%

a parsing failed status typically indicative of either a DNS, or network connectivity issue
upvoted 1 times

SirNebur85 1 year, 4 months ago

Selected Answer: C

C is correct DNS - page -2/201


upvoted 3 times

omen 1 year, 5 months ago

Selected Answer: C

"Status: failed, parsing_failed" clearly indicates a DNS problem according to the guide. Answer is C
upvoted 3 times

kup 2 years, 5 months ago


C is correct DNS - page -2/201
upvoted 4 times

Roebi 2 years, 1 month ago
I can confirm this.
"The top-right example shows a parsing_failed status, typically indicative of either a DNS or network connectivity issue."
upvoted 4 times

Cloudeiv 2 years, 7 months ago

The correct answer is C. This information is in the guide
upvoted 2 times

AM1234 2 years, 7 months ago


The correct Answer is C
upvoted 2 times

cloud29 2 years, 10 months ago


C is the answer
upvoted 1 times

poris27 2 years, 10 months ago


I think the answer should be C
upvoted 2 times

Question #32 Topic 1

Examine the attached diagram.

The two PCs are located in VLAN 11 (10.1.11.0/24). Which example defines how to implement active gateway on the VSX core for VLAN 11?

A. interface vlan 11 active-gateway ip 10.1.11.1 active-gateway mac 02:02:00:00:01:00

B. interface lag 254 active-gateway vlan 11 ip 10.1.11.1 active-gateway vlan 11 mac 02:02:00:00:01:00

C. interface lag 254 active-gateway ip 10.1.11.1 active-gateway mac 02:02:00:00:01:00

D. vsx vrrp group 1

Correct Answer: A

Community vote distribution


A (100%)

cloud29 Highly Voted 2 years, 10 months ago

A is correct
upvoted 7 times

SeidorBruno Most Recent 7 months, 3 weeks ago

Selected Answer: A

Page 417 Study Guide:


The VSX pair is probably the default gateway for subnets such as those associated with VLANs 10 and 20. You should typically set up the active gateway feature on those VLANs.
[Aruba Networks]
upvoted 1 times

SirNebur85 1 year, 4 months ago


Selected Answer: A

A is correct
upvoted 2 times

Question #33 Topic 1

An administrator has configured the following on an AOS-CX switch:

What is the correct ACL rule configuration that would allow traffic from anywhere to reach the web ports on the two specified servers?

A. access-list ip server 10 permit tcp any web-servers group web-ports

B. access-list ip server 10 permit tcp any object-group web-servers object-group web-ports

C. access-list ip server 10 permit tcp any group web-servers group web-ports

D. access-list ip server 10 permit tcp any web-servers web-ports

Correct Answer: D

Community vote distribution


A (100%)

clupato2 Highly Voted 2 years, 6 months ago

It's A: only port groups need to be preceded by the "group" parameter.


upvoted 6 times

AM1234 Highly Voted 2 years, 7 months ago

The correct Answer is A


upvoted 5 times

FAJE35 Most Recent 4 months, 3 weeks ago

Selected Answer: A

A is correct
upvoted 1 times

SeidorBruno 7 months, 2 weeks ago


Selected Answer: A

Page 296 Study Guide:


The figure shows an example of configuring both IP and port object groups, which are then applied to an ACL. Note that you precede a port group
in the ACL with the keyword group.
[Aruba Networks]
upvoted 2 times

alex711 11 months, 4 weeks ago

Selected Answer: A

A is Correct.
upvoted 1 times

omen 1 year, 5 months ago

Selected Answer: A

Answer is A. CLI Context tested and approved

Switch1(config-acl-ip)# show run cur


access-list ip server
10 permit tcp any web-servers group web-ports
upvoted 4 times

d_nat 1 year, 4 months ago


That's a helpful output. Thank you. So A it is
upvoted 1 times

Luke80 2 years, 1 month ago

Selected Answer: A

A is correct
upvoted 1 times

DianaDecker 2 years, 1 month ago

Selected Answer: A

A is correct. See book page 304


upvoted 1 times

Davidkanigui 2 years, 7 months ago


Sorry, correct answer is A
upvoted 4 times

Davidkanigui 2 years, 7 months ago

I think the correct answer is C. See example on Page 303-304 Student Guide Vol.1 Rev 20.21
upvoted 2 times

clupato2 2 years, 8 months ago


A is the answer
upvoted 4 times

cloud29 2 years, 10 months ago


A should be the answer
upvoted 3 times

poris27 2 years, 10 months ago

I think the answer should be A. Page 303 Student Guide Vol.1 Rev 20.21
upvoted 4 times

Question #34 Topic 1

A network administrator wants to centralize the management of AOS-CX switches by implementing NetEdit. How should the administrator purchase and/or install the NetEdit solution?

A. Install as a hardware appliance

B. Installed on a supported version of RedHat Enterprise Linux

C. Installed in a virtualized solution by using the Aruba-supplied OVA file

D. Installed on a supported version of Debian Linux

Correct Answer: C

Community vote distribution


C (100%)

SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 61 Study Guide:


NetEdit supports all switches running AOS-CX. NetEdit runs as an Open Virtualization Application (OVA) virtual machine (for example, VMware’s ESXi, KVM, Hyper-V, etc.) on a server.
[Aruba Networks]
upvoted 1 times

d_nat 1 year, 4 months ago

Selected Answer: C

Download the OVA from asp.arubanetworks.com


upvoted 1 times

E_Nick 1 year, 4 months ago


Selected Answer: C

C. Installed in a virtualized solution by using the Aruba-supplied OVA file


upvoted 1 times

AM1234 2 years, 7 months ago


C is Correct
upvoted 3 times

Question #35 Topic 1

A network engineer is using NetEdit to manage AOS-CX switches. The engineer notices that a lot of third-party VoIP phones are showing up in the NetEdit topology. The engineer deletes these, but they are automatically rediscovered by NetEdit and added back in.

What should the administrator do to solve this problem?

A. Change the VoIP phone SNMP community string to something unknown by NetEdit

B. Disable LLDP globally on the AOS-CX switches where phones are connected

C. Disable SSH access on all the VoIP phones

D. Disable the RESTful API on all the VoIP phones

Correct Answer: A

Community vote distribution


A (78%) B (22%)

clupato2 Highly Voted 2 years, 6 months ago

I think it's A.
NetEdit uses LLDP to discover the devices, but it adds them in the topology only if the credentials set for the subnet work with those devices.
Credentials you can set are:
- SNMP;
- SSH;
- SNMP.
So, the best matching answer is A.
upvoted 8 times

haus24 Most Recent 6 months ago

Selected Answer: A

A is correct.
upvoted 1 times

SeidorBruno 7 months, 2 weeks ago


Selected Answer: A

Page 79 Study Guide:


Third-party support NetEdit supports any third-party devices that use SNMP.
[Aruba Networks]
upvoted 3 times

Redrum702 8 months, 2 weeks ago


Correction - answer is A: To manage VoIP phones in Aruba NetEdit, you would typically configure the SNMP settings on the VoIP phone itself, such
as specifying the SNMP community string and enabling SNMP-based management. Aruba NetEdit can then communicate with the VoIP phone
using SNMP to retrieve its configuration and perform configuration management tasks.
upvoted 1 times

Redrum702 8 months, 3 weeks ago


B: If you prefer not to see the third-party VoIP phones in the NetEdit topology, you may have the option to disable CDP or LLDP on the switch
ports to prevent the discovery and inclusion of those devices. However, disabling these protocols could limit the visibility and information available
for network troubleshooting and monitoring.
upvoted 1 times

Alialo 1 year, 3 months ago

Selected Answer: A

I think it should be A, refer to the Video "https://www.youtube.com/watch?v=DMpF4RoSE2I".

For Answer B, disabling global LLDP will affect the other devices connected to the Switches. I understand it is not a good idea.
upvoted 1 times

omen 1 year, 5 months ago

Selected Answer: A

A is Correct, agree with clupato2.


upvoted 2 times

Moreson 1 year, 11 months ago

Selected Answer: B

initial discovery is using SNMP/REST API/SSH, for sure but once entering seed and found, it would use LLDP to discover all connected devices, so
use B, as it is not practical to login each phone to change SNMP, as they are 'a lot'
upvoted 2 times

filthyx 2 years, 3 months ago
I think it's A. It says third-party devices. From the study guide, page 40:
"NetEdit will now also discover and display third-party devices that are using the standard MIBs. Using SNMP with NetEdit, administrators can also enter SSH credentials for third-party devices."
upvoted 1 times

clupato2 2 years, 6 months ago

Sorry, I repeated SNMP twice. I meant to write Restful API (that work only with Aruba OS-CX devices).
upvoted 1 times

Mrvn 2 years, 7 months ago

B is more correct here .. NetEdit used LLDP by default as discovery.. so it will keep discovering every 5 minutes.
upvoted 2 times

[Removed] 2 years, 7 months ago


I'm afraid that this is correct, even if it's a stupid solution ...
upvoted 3 times

AM1234 2 years, 7 months ago


A is Correct
upvoted 4 times

Question #36 Topic 1

Examine the following AOS-CX configuration:

Based on this configuration, which statement is correct regarding IoT traffic?

A. If 10.100.1.2 is not reachable, the IoT traffic will be automatically dropped by the switch

B. If a specific route is not available in the routing table, the traffic will be routed to 10.100.1.2

C. The next hop of 10.100.1.2 can be one or more hops away from the AOS-CX switch

D. All routes are ignored in the routing table for IoT traffic, which is routed to 10.100.1.2

Correct Answer: B

Community vote distribution


B (100%)

fasty Highly Voted 2 years, 10 months ago

I think B is correct
upvoted 9 times

[Removed] 2 years, 10 months ago

B is correct. See CLI reference:
default-nexthop
Sets the next hop for routing the packet when there is no explicit route for its destination.
upvoted 9 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: B

Page 905 Study Guide:


Unlike nexthop, default-nexthop only applies if there is no destination lookup match in the main routing table for matching packets.
[Aruba Networks]
upvoted 2 times

omen 1 year, 5 months ago

Selected Answer: B

B is correct
upvoted 1 times

AM1234 2 years, 7 months ago


B is correct
upvoted 4 times

poris27 2 years, 10 months ago


I think the answer is D ?
upvoted 1 times

Moreson 1 year, 11 months ago


Correct if the key word is not 'default-nexthop'
upvoted 4 times

Question #37 Topic 1

Which protocol does NetEdit use to discover devices in a subnet during the discovery process?

A. LLDP

B. ARP

C. DHCP

D. ICMP

Correct Answer: D

Community vote distribution


A (100%)

AM1234 Highly Voted 2 years, 7 months ago

The correct Answer is A


upvoted 7 times

poris27 Highly Voted 2 years, 10 months ago

I think the answer should be A


upvoted 5 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Page 79 Study Guide:


Then define one seed device in the subnet that will then discover other devices based on LLDP. Assuming good connectivity, NetEdit finds all
connected subnets that seed device.
[Aruba Networks]
upvoted 2 times

gian911 8 months, 2 weeks ago


Selected Answer: A

Agree A
upvoted 1 times

Jo2241 1 year, 4 months ago

Selected Answer: A

The correct Answer is A


upvoted 1 times

NetExpert 1 year, 4 months ago


A is the correct
upvoted 1 times

Cabron 1 year, 6 months ago

Selected Answer: A

LLDP is the correct answer, To provide further simplicity, NetEdit automatically discovers
new network infrastructure devices using the Link Layer
Discovery Protocol (LLDP), using REST APIs for Aruba CX switches
and SNMP for Aruba wireless and third-party devices
upvoted 4 times

clupato2 2 years, 6 months ago


A is the correct answer
upvoted 3 times

cloud29 2 years, 10 months ago


LLDP - A
upvoted 5 times

Simba80 2 years, 10 months ago


I agree. It should be LLDP.
upvoted 4 times

Question #38 Topic 1

Examine the following AOS-CX switch configuration:

Which statement correctly describes what is allowed for traffic entering interface 1/1/3?

A. IP traffic from 10.1.11.0/24 is allowed to access 10.1.110.0/24

B. IP traffic from 10.0.11.0/24 is allowed to access 10.1.12.0/24

C. Traffic from 10.0.12.0/24 will generate a log record when accessing 10.0.11.0/24

D. IP traffic from 10.1.12.0/24 is allowed to access 172.0.1.0/23

Correct Answer: C

Community vote distribution


B (89%) 11%

cloud29 Highly Voted 2 years, 10 months ago

The question is "Which statement correctly describes what is allowed for traffic entering interface 1/1/3?"

I think that what is allowed to enter the interface 1/1/3 is everything from:
ANY TO -> 10.X.11.X (this is allowed and counted) or 10.X.12.X (this is allowed and logged), that's why I think the answer is B.
Everything with other "destination" should be denied.

  SeidorBruno Most Recent  7 months, 2 weeks ago

Selected Answer: B

As per ACL definition:


Matching seq 20 "permit ip any 10.0.12.0/255.0.255.0 log"
So trafic from any source ip address is permitted to 10.x.12.x
upvoted 3 times

alex711 11 months, 4 weeks ago

Selected Answer: B

B is correct
upvoted 1 times

Bahadorkh 1 year, 3 months ago


B is correct
upvoted 1 times

Jo2241 1 year, 4 months ago


Selected Answer: B

B is correct
upvoted 1 times

NetExpert 1 year, 4 months ago


B is correct
upvoted 1 times

Jo2241 1 year, 6 months ago


Selected Answer: B

No wildcard mask with Aruba CX. B answer


upvoted 1 times

root2022 1 year, 8 months ago


B is correct
upvoted 1 times

gondolf 1 year, 10 months ago

Selected Answer: B

People seem to be confused by inverted mask/wildcard masks. They would be correct for Cisco switches, but AOS-CX does NOT use wildcard masks; "AOS-CX switches do not support wildcard masks - only prefixes or subnet masks - when creating ACEs."

Cisco: 255.0.255.0 = xx.123.xx.123


AOS-CX: 255.0.255.0 = 123.xx.123.xx

My answer is B.
upvoted 2 times

jagoanneon 2 years ago


Selected Answer: D

I think the answer is D.


Here is the simplified access list with X=any (0-255)
permit any -> X.0.X.0 count
permit any -> X.0.X.0 log

They are practically the same ACL with only different the top does count and bottom does log.

A. IP traffic from 10.1.11.0/24 is allowed to access 10.1.110.0/24


We don't care about the source (10.1.11.0/24). The source can be any.
But the destination is 10.1.110.0/24 and it does not match. The second octet must be 0.

B. IP traffic from 10.0.11.0/24 is allowed to access 10.1.12.0/24


Same with A. 10.1.12.0 does not match because second octet is 1

C. Traffic from 10.0.12.0/24 will generate a log record when accessing 10.0.11.0/24
This actually match both ACEs but since ACL matches from top to bottom, so it will match the top ACE (count).

D. IP traffic from 10.1.12.0/24 is allowed to access 172.0.1.0/23


this would match the ACL. We don't care about source and destination 172.0.1.0 (match X.0.X.0)

Samw
upvoted 1 times

pabx31 2 years, 4 months ago


My opinion: B
Only traffic destined TO the listed subs is allowed
This excluded A and D
Only traffic TO 10.1.12.0 is logged
This excludes C
This leaves B
.11.0 is part of ANY so it is allowed to access .12.0
This traffic will be logged but that isn't part of the answer.
upvoted 1 times

clupato2 2 years, 6 months ago


I think it's C. ACL entries work with wildcard mask. The wildcard mask is 255.0.255.0. This is a wildcard mask and not a subnet mask also because it
is not a valid subnet mask.
In a wildcard mask made in this way you have to match bits where wildcard is 0.
So, it matches packets where the DESTINATION IP ADDRESS is X.0.X.0. In a /24 network, you will never have a destination IP where the last octet is
0. So I think this ACL is not valid, by the way, the only answer that matches the ACL entries is the C BUT it matches the first entry, so it will never
generate a log, but a counter increment. This is a bad question with no matching answers. The "best matching" answer is C even if it is wrong.
upvoted 3 times

OICU812 2 years, 4 months ago


In the official HPE study book, it clearly states that AOS-CX switches do not support Wildcard Masks when creating ACEs.
upvoted 4 times

watermellonhead 2 years, 5 months ago

Got it backwards. 10.0.12.0/255.0.255.0 will match 10.1.12.0/24. Therefore B should be correct. Right from the student guide. 1's match, 0's ignore. Ch. 5 - Task 2, or search book for 255.0.255.0 "In this example any destination IP address that has '10' in the first byte, and '12' in the third byte will match the rule."
upvoted 2 times

maccchinguwo 2 years, 7 months ago

B sounds correct but check the IP addresses properly 10.0.11.0/24 and 10.0.12.0/24 where is 10.1.12.0/24 coming from? C is correct then
upvoted 1 times

Williams926 2 years, 8 months ago


I think answer is B.
upvoted 2 times

El3den 2 years, 8 months ago

but 10.1.12.0 is not matching the wildcard mask.
I see answer C as more accurate, because count will generate a syslog message, right?
upvoted 1 times

El3den 2 years, 8 months ago


sorry it is subnet mask no wild card, B is correct
upvoted 2 times

Simba80 2 years, 10 months ago


It's possible that B is correct but look at the log and count entries in the commands. I think C is correct. A log entry will be generated for this
subnet.
upvoted 2 times

fasty 2 years, 10 months ago


the log count is only active for destination 10.x.12.x
upvoted 1 times

LoneRaccoon 4 months, 2 weeks ago


AOS-CX does not support Wildcard / Inverted Subnet Masks...
Study Guide states: "AOS-CX switches do not support wildcard masks - only prefixes or subnet masks - when creating ACEs". Therefore C is
most probably the answer
upvoted 1 times

fasty 2 years, 10 months ago


Only log*
upvoted 1 times

poris27 2 years, 10 months ago


I agree , B
upvoted 4 times
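
The mask argument in the Question #38 thread can be checked mechanically. The following is an added example, not part of the original page or of any Aruba tooling: it evaluates a destination against the two ACEs under subnet-mask semantics (the behaviour the study-guide quotes in the thread attribute to AOS-CX) and under Cisco-style wildcard semantics. The seq 20 entry is the one quoted in the thread; the seq 10 entry and the sample host addresses are assumptions reconstructed from the comments, because the configuration itself is not shown on the page.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_matches(dst, ace_addr, ace_mask, wildcard=False):
    """Return True when destination `dst` matches the ACE address/mask pair.

    wildcard=False: subnet-mask style, the 1-bits of the mask must match.
    wildcard=True : wildcard style, the 0-bits of the mask must match.
    """
    mask = _to_int(ace_mask)
    care = (~mask & MASK32) if wildcard else mask
    return (_to_int(dst) & care) == (_to_int(ace_addr) & care)


# (sequence, action, destination address, mask, option); the source is "any".
# seq 20 is quoted in the thread; seq 10 is ASSUMED from the comments
# ("10.X.11.X ... allowed and counted").
ACL = [
    (10, "permit", "10.0.11.0", "255.0.255.0", "count"),
    (20, "permit", "10.0.12.0", "255.0.255.0", "log"),
]

# Constructed sample hosts, one inside each answer's destination network.
ANSWER_DESTINATIONS = {
    "A": "10.1.110.25",
    "B": "10.1.12.25",
    "C": "10.0.11.25",
    "D": "172.0.1.25",
}


def evaluate(dst, acl=ACL, wildcard=False):
    """First-match evaluation; falls through to the implicit deny."""
    for seq, action, addr, mask, option in acl:
        if ace_matches(dst, addr, mask, wildcard):
            return (seq, action, option)
    return (None, "deny", None)


def compare():
    """Evaluate every answer's sample destination under both readings."""
    return {
        answer: {
            "subnet_mask": evaluate(dst, wildcard=False),
            "wildcard": evaluate(dst, wildcard=True),
        }
        for answer, dst in ANSWER_DESTINATIONS.items()
    }


if __name__ == "__main__":
    for answer, result in compare().items():
        print(answer, ANSWER_DESTINATIONS[answer], result)
```

Under the wildcard reading only destinations whose second and fourth octets are both 0 can match, so no ordinary host in any of the four answer networks is permitted; under the subnet-mask reading the first and third octets decide the match.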
Question #39 Topic 1

An administrator creates an ACL rule with both the `count` and `log` options enabled. What is correct about the action taken by an AOS-CX switch when there is a match on this rule?

A. By default, a summarized log is created every minute with a count of the number of matches

B. Logging will not include certificate and TLS events, but counting will

C. The `count` and `log` options are processed by the AOS-CX switch's hardware ASIC

D. The total in the `log` record and the count could contain different rule matching statistics

Correct Answer: D

Community vote distribution


D (100%)

clupato2 Highly Voted 2 years, 6 months ago

A cannot be correct because the default log times is 300s (5 minutes). The answer that best matches this is D
upvoted 10 times

Disposable_Me_2018 Highly Voted 2 years, 4 months ago

It's D.
From the "AOS-CX 10.08 ACLs and Classifier Policies Guide" :
"You may see a minor discrepancy between the ACL logging statistics and the hit counts statistics due to the time required to record the log
message."
upvoted 8 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: D

Page 267 Study Guide:


Note: You may see a minor discrepancy between the ACL logging statistics and the hit counts statistics due to the time required to record the log
message.
[Aruba Networks]
upvoted 2 times

fubofake92 2 years, 6 months ago


Correct answer is A
upvoted 1 times

Question #40 Topic 1

An administrator is defining a VSX LAG on a pair of AOS-CX switches that are defined as primary and secondary. The VSX LAG fails to establish successfully with a remote switch; however, after verification, the remote switch is configured correctly. The administrator narrows down the problem to the configuration on the AOS-CX switches.

What would cause this problem?

A. Local optimization was not enabled on the VSX LAG

B. The VSX LAG hash does not match the remote peer

C. The VSX LAG interfaces are in layer-3 mode

D. LACP was enabled in active mode on the VSX LAG

Correct Answer: B

Community vote distribution


C (100%)

Mrvn Highly Voted 2 years, 7 months ago

Answer should be C - VSX LAG are not supported at Layer 3


VSX LAG does support all the standard LAG adjustments: timers, L2 or L3 hashing, LACP fallback.
It supports both LACP mode active or static mode, and only Layer 2 (i.e. no routed mode).
upvoted 16 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: C

Page 215 Study Guide:


VSX LAGs are layer 2 only,
[Aruba Networks]
upvoted 4 times

slotblocker 8 months, 3 weeks ago

This document says NO layer 3 interfaces for VSX LAG:
https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/vsx/Content/Chp_Start/vsx-sol-req-10.htm

Answer: C
upvoted 1 times

Redrum702 8 months, 3 weeks ago


In Aruba's Virtual Switching Extension (VSX) technology, the LAG interfaces can be configured in both Layer 2 and Layer 3 modes, depending on
the specific requirements of your network design
upvoted 1 times

Redrum702 8 months, 3 weeks ago


B: Verify that the LAG hash settings match on both the local and remote VSX peers.
upvoted 1 times

alex711 11 months, 4 weeks ago

I think B is correct. Check the following link.
https://www.arubanetworks.com/techdocs/AOS-CX/AOSCX-CLI-Bank/cli_6200/Content/VSX_cmds/sho-lac-agg-10.htm
upvoted 3 times

Jo2241 1 year, 4 months ago


Selected Answer: C

I think C is the good answer.


VSX LAG are not supported at Layer 3
upvoted 2 times

clupato2 2 years, 6 months ago

I think it's B, because, as the question is exposed, I understand that the VSX LAG has been configured, but fails to establish. If interfaces were in Layer 3 mode, you will not be able to configure them as a LAG.
upvoted 4 times

JazzyJ151 1 year, 11 months ago

Switches can bring up VSX LAG with differently defined hashes, it's not B IMO.
upvoted 1 times

Moreson 1 year, 11 months ago
Try accessing the device from lab then you will find you are wrong, and hash is not something manually configured, so not a possible human error, this question is asking for troubleshooting skills.
upvoted 1 times

Davidkanigui 2 years, 7 months ago


B is correct.
upvoted 1 times

Disposable_Me_2018 2 years, 4 months ago


Pretty sure that switches do not negotiate the lag hash algorithm in the handshake.
Cannot be B.
I vote for C.
upvoted 1 times

Williams926 2 years, 8 months ago


I think D is correct.
upvoted 1 times

gbermudez11 2 years, 8 months ago


Why do you think it is correct?
upvoted 1 times

Question #41 Topic 1

Examine the configuration performed on newly deployed AOS-CX switches:

After performing this configuration, the administrator notices that the switch ports always remain in the EAP-start state. What should the administrator do to fix this problem?

A. Define the server group cppm

B. Set the ports to client-mode

C. Create and assign a local user role to the ports

D. Enable change of authorization (CoA)

Correct Answer: D

Community vote distribution


A (100%)

poris27 Highly Voted 2 years, 10 months ago

I think the answer is A


upvoted 12 times

AM1234 Highly Voted 2 years, 7 months ago

The correct Answer is A


upvoted 10 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Page 679 Study Guide:


The servers that you add are automatically added to the global RADIUS server group, which is called radius, and referred to as the global group
[Aruba Networks]
You might want to use only a subset of servers for a particular task, instead of all the globally defined ones. You can do this by creating RADIUS
groups
[Aruba Networks]
upvoted 3 times

Jo2241 1 year, 4 months ago


Selected Answer: A

the answer is A
upvoted 2 times

Linares1234 2 years, 4 months ago

I think the same, that it's A
https://community.arubanetworks.com/blogs/esupport1/2020/04/29/downloadable-user-role-configuration-in-aruba-os-cx-with-mac-authentication
upvoted 3 times

kup 2 years, 5 months ago


D-student guide V2.88
upvoted 3 times

I_C_U 2 years, 5 months ago


I agree, the switch will not accept that command if cppm group is not setup (i.e. switch throws an error).
upvoted 1 times

filthyx 2 years, 3 months ago

Just tried it on GNS3 and the switch does allow the command even if cppm group is not setup.
upvoted 2 times

filthyx 2 years, 3 months ago

Taking this into consideration, I read on the guide that the "default" group when you add a server to RADIUS is called 'radius'. So in this case, the group would need to be created because it is explicitly configuring cppm group.
upvoted 2 times

clupato2 2 years, 6 months ago


A is correct
upvoted 4 times

fasty 2 years, 10 months ago


Correct answer is A
upvoted 5 times

Question #42 Topic 1

A network has two AOS-CX switches connected to two different service providers. The administrator is concerned about bandwidth consumption on the service provider links and learned that the service providers were using the company as a transit AS.

Which feature should the administrator implement to prevent this situation?

A. Configure route maps and apply them to BGP

B. Configure the two switches as route reflectors

C. Configure a classifier policy to disable MED

D. Configure bi-directional forwarding detection on both switches

Correct Answer: A

Community vote distribution


A (100%)

AM1234 Highly Voted 2 years, 7 months ago

The correct Answer is A


upvoted 6 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Page 501 Study Guide:


Several scenarios could cause your AS to become a transit AS: The ISPs advertise Internet routes differently with different aggregation. Any route that your BGP routers receive from only one ISP, they could begin advertising to the other ISP. You connect a single AOS-CX switch or VSF fabric to both ISPs. In this case, the switch has two eBGP neighbors, and it will advertise best routes received from one to the other.
[Aruba Networks]
Page 502 Study Guide:
In this example, you are setting up route maps to restrict outbound advertisements to eBGP neighbors.
[Aruba Networks]
upvoted 2 times

a__p 1 year, 4 months ago

Selected Answer: A

I think A is the correct answer. Route-map to control the advertised routes to the provider
upvoted 2 times

Question #43 Topic 1

A company has just purchased AOS-CX switches. The company has a free and open-source AAA solution. The company wants to implement access control on the Ethernet ports of the AOS-CX switches.

Which security features can the company implement given the equipment that they are using?

A. Port-based tunneling

B. Device fingerprinting

C. Local user roles

D. Downloadable user roles

Correct Answer: D

Community vote distribution


C (100%)

poris27 Highly Voted 2 years, 10 months ago

I think the answer is C because use 3rd party AAA server. DUR is used for ClearPass
upvoted 16 times

fasty Highly Voted 2 years, 10 months ago

I think C as well
upvoted 11 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: C

Page 756 Study Guide:


Local User Role (LUR): You define user roles locally on the switch. First some device connects and authenticates. Then the RADIUS server tells the switch which of its LURs to apply by sending a User-Role name VSA. You can use ClearPass or a third-party AAA server with LUR
[Aruba Networks]
upvoted 2 times

Jo2241 1 year, 4 months ago


Selected Answer: C

Only local user roles for 3rd party AAA solution.


Answer C is correct
upvoted 2 times

a__p 1 year, 4 months ago

Selected Answer: C

All the other options are ClearPass features


upvoted 3 times

cpfan 1 year, 4 months ago


Selected Answer: C

DUR only for cppm


upvoted 3 times

Kevin1983 2 years, 7 months ago

D is for ClearPass only indeed, I think it's C also
upvoted 6 times

AM1234 2 years, 7 months ago


The correct Answer is C
upvoted 7 times

Question #44 Topic 1

Examine the network topology.

The network is configured for OSPF with the following attributes:

- Core1 and Core2 are ABRs
- Area 1 has 20 networks in the 10.1.0.0/16 range
- Area 0 has 10 networks in the 10.0.0.0/16 range
- Area 2 has 50 networks in the 10.2.0.0/16 range
- The ASBR is importing a static route into Area 1
- Core2 has a summary for Area 2: area 0.0.0.2 range 10.2.0.0/16 type inter-area

Here is the OSPF configuration performed on Core1:

Based on the above information, what is correct?

A. Area 0 has 13 routes

B. Core1 has no OSPF routes

C. Core1 has received one LSA Type 5 from the ASBR

D. Area 1 has 23 routes

Correct Answer: B

Community vote distribution


B (100%)

NaCin Highly Voted 2 years, 10 months ago

I think the correct answer is B. Because with "passive interface default" you would need a no passive interface on the Vlan 10 and Vlan 100 interfaces for neighborhoods to be established. C is not possible, because Area is stub not NSSA (Not-So-Stubby Area).
upvoted 13 times

[Removed] 2 years, 9 months ago

Passive Interface prevents it from forming a neighborship, so the core doesn't learn any routes from C2 (as long as there isn't any other active interface). However C1 should at least have OSPF routes to its directly connected networks and therefore I think B is wrong.
upvoted 3 times

dodds 2 years, 9 months ago
What is your answer then?
I think it's B. Because of passive-interface, core1 has no OSPF neighbor. core1 probably sees 10 connected routes, not OSPF routes. So A seems to be wrong
upvoted 2 times

Davidkanigui Highly Voted 2 years, 7 months ago

D is correct because area 1 is a Stub area, 2 routes for the inter-area networks + 1 default route from the ABR will be injected in Area in addition to
the 20 route = 23
Student Guide Vol 1 Rev 20.21 page 403
upvoted 9 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: B

Page 332 Study Guide:


If you are only enabling OSPF on the VLAN because you want to advertise its subnet, and you do not want the router to form adjacencies with
other routers on the VLAN, configure the VLAN as a passive OSPF interface.
[Aruba Networks]
As no "passive interface default" is Globally defined, no routes are advertised since on the VLANS there is no command "no passive-interface"
configured.
upvoted 3 times

[Removed] 10 months, 2 weeks ago


B is correct. If you do a 'passive interface default' under the global OSPF config, and then do NOT set the interface as 'no ip ospf passive', you get
no neighbors, hence no OSPF routes.
upvoted 2 times

moe706706 9 months, 2 weeks ago

That's the most relevant answer, thank you! Since ip ospf wasn't enabled on interface level using no ip ospf passive then core won't form any adjacencies and won't learn any OSPF routes
upvoted 1 times

E_Nick 1 year, 4 months ago

Selected Answer: B

B "passive interface default"


upvoted 3 times

NetExpert 1 year, 4 months ago


D is correct
upvoted 2 times

DIOGENES 2 years, 3 months ago

I read the Aruba certified book, I found the answer for the question, it's D. Two aggregate routes for inter-area (area0 10.0.0.0/16 and area1 10.1.0.0/16) and 1 default route for the ASBR.
upvoted 3 times

kadis500 2 years, 5 months ago

The answer is not B, because when you perform: ip ospf x area x on interface, it will enable OSPF on this interface
upvoted 1 times

Disposable_Me_2018 2 years, 4 months ago


OSPF can be enabled on an interface AND passive on that same interface. They are not the same thing.
upvoted 4 times

seb6869 2 years, 6 months ago


The answer B is correct (miss no passive interface on SVI)
upvoted 2 times

AM1234 2 years, 7 months ago


The correct Answer is B
upvoted 3 times

fasty 2 years, 10 months ago


I also think it is C, core 1 should have 10 LSA 2, 2 LSA 3, 1 LSA 4 and 1 LSA 5, so A is not Correct
upvoted 1 times

acot333 2 years, 10 months ago


I think it's C
upvoted 1 times

poris27 2 years, 10 months ago


The answer is A ?
upvoted 1 times
Question #45 Topic 1

A network administrator is implementing NAE on AOS-CX switches. When attempting to create an agent on a particular switch, the agent appears in the NAE Agents panel with a red triangle error symbol and a status of `Unknown`.

What is the cause of this issue?

A. The administrator does not have the appropriate credentials to interact with NAE

B. The number of scripts or agents has exceeded the hardware's capabilities

C. A connectivity issue exists between NAE and the AOS-CX switch

D. The RESTful API has not been enabled on the AOS-CX switch

Correct Answer: C

Community vote distribution


B (100%)

SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

Page 144 Study Guide:


Suppose you attempt to create an agent that would exceed the maximum agents supported on the switch. The agent appears in the GUI Agents
panel with a red triangle error symbol and status of Unknown, with the error message as shown in the figure.
[Aruba Networks]
upvoted 4 times

MEDO162 1 year, 2 months ago

Selected Answer: B

https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/nae/Content/Chp_TS/err-nae-age-not-cre-db-con-vio-err.htm
upvoted 1 times

d_nat 1 year, 4 months ago

Selected Answer: B

I think B is correct: https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7877/Content/Chp_TS/err-nae-age-not-cre-db-con-vio-err.htm
Cause

Attempting to create the agent resulted in creating more monitors than the NAE supports on the switch.
upvoted 3 times

omen 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 2 times
Question #46 Topic 1

A network engineer for a company with 896 users across a multi-building campus wants to gather statistics on an important switch uplink and create actions based on issues that occur on the uplink. How often does an NAE agent gather information from the current state database in regard to the uplink interfaces?

A. Once every 60 seconds

B. Once every 1 second

C. Once every 30 seconds

D. Once every 5 seconds

Correct Answer: A

Community vote distribution


D (100%)

Simba80 Highly Voted 2 years, 10 months ago

Yep. Correct answer is D. Page 61 of the ACSP study guide.


upvoted 7 times

AM1234 Highly Voted 2 years, 7 months ago

The correct Answer is D


upvoted 6 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: D

Page 11 Study Guide:


The agent collects the data every five seconds and writes the data to the time-series database on the switch's hard disk
[Aruba Networks]
upvoted 2 times

d_nat 1 year, 4 months ago

Selected Answer: D

The book reads:


"The agent checks the state against the condition every 5 seconds."
upvoted 1 times

Jo2241 1 year, 4 months ago

Selected Answer: D

The agent checks the state against the condition every 5 seconds.
Answer D is correct.
upvoted 1 times

a__p 1 year, 4 months ago


Selected Answer: D

From the techdocs " As noted within the manual, time series data is collected and stored every 5 seconds."
upvoted 1 times

NetExpert 1 year, 4 months ago


D is correct
upvoted 1 times

cloud29 2 years, 10 months ago


D is the answer
upvoted 4 times

poris27 2 years, 10 months ago


I think the answer is D
upvoted 4 times
Question #47 Topic 1

How does PIM build the IP multicast routing table to route traffic between a multicast source and one or more receivers?

A. It uses the unicast routing table and reverse path forwarding (RPF)

B. It uses IGMP and calculates a shortest path tree (SPT)

C. It uses the shortest path first (SPF) algorithm derived from link state protocols

D. It uses the Bellman-Ford algorithm derived from distance vector protocols

Correct Answer: A

Community vote distribution


A (100%)

cloud29 Highly Voted 2 years, 10 months ago

Answer is A

"PIM also relies on the unicast routing tables to identify the path back to a multicast source. This routing method is known as reverse path
forwarding (RPF). The unicast routing protocols create the unicast routing tables. With this information, PIM sets up the distribution tree for the
multicast traffic.
upvoted 8 times

AM1234 Highly Voted 2 years, 7 months ago


The Correct Answer is A
upvoted 5 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Page 618 Study Guide:


Each router in the network must calculate the tree independently based on the information it has received, whether by dynamic protocol updates
(PIM), or by configuration. Using Reverse Path Forwarding (RPF), the router checks for loops and creates the Outgoing Interface List (OIL) from the
best (sometimes called shortest) paths from the unicast routing table. For this reason, a source tree is also called a shortest path tree.
[Aruba Networks]
upvoted 3 times

E_Nick 1 year, 4 months ago


Selected Answer: A

The Correct Answer is A


upvoted 1 times
Question #48 Topic 1

An administrator is managing a pair of core AOS-CX switches configured for VSX. Connected to this core are pairs of aggregation layer AOS-CX switches configured for VSX. OSPF is running between the aggregation and core layers. To speed up OSPF convergence, the administrator has configured BFD between the core and aggregation switches.

What is a best practice the administrator should implement to reduce CPU processing on the switches if a BFD neighbor fails?

A. Disable ICMP redirects

B. Implement graceful restart

C. Increase the BFD echo timers

D. Increase the VSX keepalive timer

Correct Answer: A

Community vote distribution


A (100%)

cloud29 Highly Voted 2 years, 10 months ago

The question is "What is a best practice the administrator should implement to reduce CPU processing on the switches if a BFD neighbor fails?"

I think the Correct answer is A


According to Study Guide:

"In some cases, the echo could have a source and destination on the same subnet, which would usually trigger the switch to send an ICMP redirect.
The extra processing can cause issues on the Switch. Disabling ICMP redirects prevents these issues."
upvoted 9 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Page 415 Study Guide:


It is also best practice to disable ICMP redirects on the switches that use BFD in echo mode. Before you enable OSPF BFD, you should disable ICMP
redirects on the AOS-CX switch. In some cases, the echo could have a source and destination on the same subnet, which would usually trigger the
switch to send an ICMP redirect. The extra processing can cause issues on the switch. Disabling ICMP redirects prevents these issues.
[Aruba Networks]
upvoted 3 times

E_Nick 1 year, 4 months ago

Selected Answer: A

the Correct answer is A


According to Study Guide
upvoted 1 times

AM1234 2 years, 7 months ago


Correct answer is A
upvoted 4 times

fasty 2 years, 10 months ago


A is Correct
upvoted 3 times

acot333 2 years, 10 months ago


B should be correct
upvoted 1 times

Itachi22 2 years, 5 months ago


the right answer is A (check the cloud's comment)
upvoted 2 times
Question #49 Topic 1

A network engineer is examining NAE graphs from the Dashboard but notices that the time shown in the graph does not represent the current time. The engineer verifies that the AOS-CX switch is configured for NTP and is successfully synchronized. What should be done to fix this issue?

A. Ensure the engineer's web browser is configured for the same timezone as the AOS-CX switch

B. Ensure the engineer's PC is synchronized to the same NTP server as the AOS-CX switch

C. Ensure NetEdit and the AOS-CX switch are synchronized to the same NTP server

D. Enable trust settings for the AOS-CX switch's SSL certificate

Correct Answer: C

Community vote distribution


A (50%) B (50%)

cloud29 Highly Voted 2 years, 10 months ago

ACSP Student Guide, p.138

Common Troubleshooting Tips:
* Make sure your desktop time and the switch's time is synched from the same NTP server.

So I think the correct answer is B.


upvoted 9 times

Admirall2 Highly Voted 2 years, 6 months ago

I looked in the NAE Guide and it verifies B as well.
https://techhub.hpe.com/eginfolib/Aruba/OS-CX_10.04/5200-6724/index.html#GUID-2048A4D8-5458-4C00-ACA7-8C392182215E.html
upvoted 6 times

a_exam_candidate Most Recent 4 months ago

Selected Answer: B

You cannot configure NTP in a Web Browser. It must be B. The webbrowser is running on the Desktop and the Desktop is configured via NTP
upvoted 1 times

Tangobob2006 5 months ago


Selected Answer: B

It says this is in troubleshooting - make sure the desktop time and the switch time are synched from the same NTP Server
upvoted 2 times

SeidorBruno 7 months, 2 weeks ago


Selected Answer: A

Page 147 Study Guide


Things you can do to fix this issue:
·Try clearing or resetting the web client browser cache.
·Ensure that the web client from which you are viewing the Web UI is set to a time zone based on UTC. For example, if your workstation is set to
Eastern Standard Time (EST), and you want to use Pacific Standard Time (PST), change the time by setting the time zone instead of by manually
resetting the time.
·Ensure that the switch is set to use NTP or to a time zone based on UTC time. NTP synchronizes the time of day among a set of distributed time
servers and clients to correlate events when receiving system logs and other time-specific events from multiple network devices. All NTP
communications use Coordinated Universal Time (UTC). To show the NTP status, use the show ntp status command. After you configure the switch,
clear the NAE data by entering the clear nae-data command from the manager context.
[Aruba Networks]

Web Client Browser --> TimeZone
Switch --> NTP
upvoted 2 times

Greenmile84 8 months ago


Should be A

Action
Try clearing or resetting the web client browser cache.
Ensure that the web client from which you are viewing the Web UI is set to a time zone based on UTC.
For example, if your workstation is set to Eastern Standard Time (EST), and you want to use Pacific Standard Time (PST), change the time by setting
the time zone instead of by manually resetting the time.

Ensure that the switch is set to use NTP or to a time zone based on UTC time.
upvoted 1 times

slotblocker 8 months, 2 weeks ago

https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/nae/Content/Chp_TS/err-swi-tim-bro-tim-not-syn.htm

It says set the same time-zone, not the same ntp server.

Answer: A
upvoted 1 times

Redrum702 8 months, 3 weeks ago


B: Timezone Configuration: Check the timezone configuration of the Aruba NAE system. The displayed time in the graphs may be based on the
configured timezone. Ensure that the timezone settings are accurate and aligned with the desired time representation.
upvoted 2 times

mmilev 1 year ago

Selected Answer: A

Ensure the engineer's web browser is configured for the same timezone as the AOS-CX switch
- Time Zone is the key here. PC running the UI and switch must be in the same time zone.
upvoted 3 times

Jo2241 1 year, 4 months ago


Selected Answer: B

the correct answer is B.


upvoted 2 times

NetExpert 1 year, 4 months ago


B is correct
upvoted 1 times

AM1234 2 years, 7 months ago


Correct answer is B
upvoted 4 times

clupato2 2 years, 8 months ago


B is the answer
upvoted 3 times

public2002 2 years, 9 months ago

Somewhere in the Student Guide you can read the Browser and the switch should be in the same timezone.
upvoted 2 times

acot333 2 years, 10 months ago


It can also be B
upvoted 3 times

fasty 2 years, 10 months ago

Yes, you're right, but I think it is more a browser issue than a PC issue.
upvoted 1 times

fasty 2 years, 10 months ago


Correct answer is A
upvoted 1 times

Moreson 1 year, 11 months ago

So you reckon same timezone would fix the issue instead of same NTP sync?
upvoted 1 times
Question #50 Topic 1

A company is implementing a new wireless design and needs it to support high availability, even during times of switch system upgrades. The solution will involve Aruba Mobility Controller (MC) and Aruba AP connections requiring POE. Which campus AOS-CX switch solution and virtual switching should the company implement at the campus access layer?

A. AOS-CX 6400 and VSX

B. AOS-CX 6300 and VSF

C. AOS-CX 8325 and VSF

D. AOS-CX 8400 and VSX

Correct Answer: C

Community vote distribution


A (100%)

AM1234 Highly Voted 2 years, 7 months ago

Correct answer is A
upvoted 7 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Page 25 Study Guide:


For high availability (HA), the AOS-CX 6400 supports VSX Live Upgrades and also has redundant management cards, fans, power supplies, etc.
[Aruba Networks]
upvoted 2 times

Jo2241 1 year, 4 months ago

Selected Answer: A

Correct answer is A. HA for upgrades = VSX and Access modular switches and always on PoE = 6400
upvoted 1 times

E_Nick 1 year, 4 months ago

Selected Answer: A

The correct answer is A


upvoted 1 times

NetExpert 1 year, 4 months ago


A is correct
upvoted 1 times

Williams926 2 years, 8 months ago


Correct answer is A.
upvoted 4 times

Moshiko 2 years, 9 months ago


The answer is A. only 6400 support highly available during upgrades
upvoted 3 times

cloud29 2 years, 10 months ago


I also think that the Correct answer is A, as 6400 supports VSX
But both 6300 and 6400 support always On PoE
upvoted 4 times

fasty 2 years, 10 months ago


The answer should be A, they need high availability during software upgrades, that is only possible with VSX
upvoted 3 times
Simba80 2 years, 10 months ago
Answer should be B. 8325 switches don't do VSF.
upvoted 1 times

[Removed] 2 years, 10 months ago


B is wrong, because VSF doesn't offer availability during updates.
upvoted 2 times

Question #51 Topic 1

An administrator is looking for a data center switching solution that will greatly reduce the likelihood of dropped frames when uplink congestion is experienced.

Which AOS-CX switch queuing feature meets the administrator's needs?

A. FIFO

B. VOQ

C. WFQ

D. DWWR

Correct Answer: B

Community vote distribution


B (100%)

cloud29 Highly Voted 2 years, 10 months ago

As they are asking for a "feature", shouldn't it be B?

Virtual Output Queuing (VOQ) feature mitigates head-of-line (HOL) blocking


upvoted 9 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: B

Page 43 Study Guide:


The figure shows that 4 packets have arrived at some interface, sitting in a queue, waiting for service. If the ingress buffer used a single queue,
Head Of Line (HOL) blocking could delay traffic. This occurs when the first packet in the queue (at the “head of the line”) is destined out a
congested port, it delays all packets behind it, even though those that are destined to noncongested ports. AOS-CX switches use an intra-switch
queuing method called Virtual output Queuing (VoQ). VOQ prevents this problem by providing deep ingress buffers with separate queues for
each egress port.
[Aruba Networks]
upvoted 3 times

E_Nick 1 year, 4 months ago

Selected Answer: B

B is correct
upvoted 1 times

tacklemenow 2 years, 5 months ago


Is it B? Because the rest of Schedule profiles while B is a queuing profile.
upvoted 2 times

fasty 2 years, 10 months ago


Is it not C? Not sure..
upvoted 1 times

[Removed] 2 years, 7 months ago


C and D both accomplish it, but it's the algorithm behind it. Therefore i think B is meant as a feature.
upvoted 2 times
Question #52 Topic 1

An AOS-CX switch is configured to implement downloadable user roles. Examine the AOS-CX switch output:

Based on this output, what is the state of the user's access?

A. No downloadable user role exists

B. MAC authentication has passed, but 802.1X authentication is in progress

C. The RADIUS request timed out to the AAA server

D. The port should be configured for 802.1X

Correct Answer: D

Community vote distribution


A (100%)

AM1234 Highly Voted 2 years, 7 months ago

Correct answer is A
upvoted 11 times

Kevin1983 Highly Voted 2 years, 7 months ago

D is incorrect I think, you do not need 802.1x for DURs. I don't see a time out. So I think the answer is A.
upvoted 8 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Cannot be B --> dot1x is NOT in progress.


Cannot be C --> There is NOT timeout
Cannot be D --> dot1x is "Not attempted" which means it's already configured.
upvoted 3 times

Greenmile84 8 months ago


Answer A, 100%
upvoted 1 times

a__p 1 year, 4 months ago


Selected Answer: A

Correct answer is A
upvoted 1 times

NetExpert 1 year, 4 months ago


A is correct
upvoted 1 times

rorzabal 1 year, 9 months ago


Answer is A
User role "Authenticated" was passed down but does not exist
upvoted 1 times
Cloudeiv 2 years, 7 months ago
The answer is A
upvoted 3 times

cloud29 2 years, 10 months ago


I think the A is the correct answer.
upvoted 4 times

fasty 2 years, 10 months ago


Correct answer is A
upvoted 4 times
Question #53 Topic 1

Examine the commands entered on an AOS-CX switch:

What is true regarding this configuration for traffic received on interface 100?

A. The default next-hop address supersedes the two preceding next-hop addresses

B. The traffic is always dropped if the next-hop addresses are unreachable

C. The traffic will be routed with the IP routing table entries if the next-hop addresses are unreachable

D. The next-hop address of 1.1.1.1 is overwritten by the next-hop address of 2.2.2.2

Correct Answer: A

Community vote distribution


C (56%) B (44%)

asciithrowaway Highly Voted 2 years, 4 months ago

It's B
1) Try NH 1.1.1.1 (Seq 10)
2) Try NH 2.2.2.2 (Seq 20)
3) Try default NH 3.3.3.3 (Seq 30)
4) Match interface null, which means drop the packet. (Seq 40)

C is not correct, as interface null action will drop packets before the fallback to routing table can be leveraged.
upvoted 9 times

Linares1234 2 years, 4 months ago


Yes, but if the sentence its correct when NH its 1.1.1.1 not apply the dropped packet
upvoted 1 times

jordib4 2 years ago

"interface null: equivalent to the policy drop policing action. Any packets matching the class criteria for that policy entry will be dropped and not
routed any further."
https://www.arubanetworks.com/techdocs/AOS-CX/10.05/HTML/5200-7300/index.html#GUID-DC7E5E47-8F31-4DE4-B257-1A68665B2AF4.html
upvoted 1 times

Mrvn Highly Voted 2 years, 7 months ago


C is correct... If 1.1.1.1 is not reachable then next hop uses 2.2.2.2 if both of these are unreachable then normal routing table is used..and only if no
route is available in routing table then default next-hop will kick-in
upvoted 7 times

A10busted Most Recent 4 months, 3 weeks ago

B: is the closest: If none of the routers in the list are reachable, the packet may be dropped (through the null interface entry if configured) or
forwarded according to a system route table entry.
upvoted 1 times

SeidorBruno 7 months, 2 weeks ago


Selected Answer: B

Page 905 Study Guide:


The figure shows that 4 packets have arrived at some interface, sitting in a queue, waiting for service. If the ingress buffer used a single queue,
Head Of Line (HOL) blocking could delay traffic. This occurs when the first packet in the queue (at the “head of the line”) is destined out a
congested port, it delays all packets behind it, even though those that are destined to noncongested ports. AOS-CX switches use an intra-switch
queuing method called Virtual output Queuing (VoQ). VOQ prevents this problem by providing deep ingress buffers with separate queues for
each egress port.
[Aruba Networks]
upvoted 3 times

slotblocker 8 months, 2 weeks ago


Answer: B.
upvoted 1 times

Redrum702 8 months, 3 weeks ago


B: If none of the routers in the list are reachable, the packet may be dropped (through the null interface entry if configured) or forwarded according
to a system route table entry.
upvoted 1 times

theklee 1 year, 1 month ago


Answer is B. A PBR action list is processed from the top down like an ACL. After the three nexthop entries, there's an interface null entry. This will
drop all traffic that matches on the pbr-action-list.
upvoted 2 times

Alialo 1 year, 3 months ago


Selected Answer: C

I think C is correct, firstly 1.1.1.1, if not active ->2.2.2.2, if not active->Routing Table, if no matched-> 9.9.9.9, if not active-> interface Null.
upvoted 1 times

karlkurt 1 year, 3 months ago


Selected Answer: B

From manual: If none of the routers in the list are reachable, the packet may be dropped (through the null interface entry if configured) or
forwarded according to a system route table entry.
upvoted 1 times

Rockford 1 year, 4 months ago


Answer is B
interface null means that if all three are unreachable packets are dropped, only B works for me:
The active entry is the one with the lowest sequence number – the one entered first, by default. (1.1.1.1) This next hop is used exclusively unless
that address becomes unavailable. Within 5 seconds, the router uses the next entry – 2.2.2.2. If both of those are down, then the router uses the
default-nexthop 9.9.9.9. If all three are down, the interface null action ensures packets are merely thrown away. If you omit the interface null
command, then the router falls back to using destination-based route table entries.
upvoted 5 times

NetExpert 1 year, 4 months ago


B is correct
upvoted 2 times

HuanChing 1 year, 8 months ago


B should be the correct one.
upvoted 2 times

rorzabal 1 year, 9 months ago


The answer is B it will fall thru like an ACL
upvoted 2 times

Luc 2 years ago

Selected Answer: C

I think it's C. If nexthop 1.1.1.1 is unreachable it will try nexthop 2.2.2.2. If that one is also unreachable it will go toward the default-nexthop policy.
Book explains default-nexthop as: Used if no specific route exists in routing table. So I believe it will first look at the routing table to forward the
traffic, if there is no route there. It will try 9.9.9.9, if that one is also unreachable he will drop the traffic because of interface null.
upvoted 4 times

Luke80 2 years ago

Agree - Answer B is not correct as traffic will NOT ALWAYS be dropped - only if no routing entry exists AND default-nexthop is unreachable.
upvoted 2 times

clupato2 2 years, 6 months ago

D is correct: the second instruction overwrites the first one.
upvoted 1 times

clupato2 2 years, 6 months ago


I must correct myself. I think it's C. More than one next hop can be assigned with an ACL and they work by priority (based on the sequence
number: lower sequence number -> higher priority). So next-hop 2.2.2.2 will be used if 1.1.1.1 is not reachable.
If both are unreachable, then the packet will be routed looking at the default routing table, if no specific entry will be found, then the packet will
be routed to the default next hop defined in the ACL.
upvoted 7 times

[Removed] 2 years, 7 months ago

I think it's B. PBR action list works like an ACL. Every entry is checked one by one and the first match is used. If the next hops are unavailable they
don't match and it comes to interface null which is the equivalent to dropping traffic.
upvoted 4 times

AM1234 2 years, 7 months ago

I think it's C
upvoted 3 times
Question #54 Topic 1

Examine the following ACL rule policies:

✑ Permit traffic from 10.2.2.1 through 10.2.2.30 to anywhere
✑ Permit traffic from 10.2.2.40 through 10.2.2.55 to anywhere
✑ Deny all others
Based on this policy, place the following ACL rule statements in the correct order to accomplish the above filtering policy.

A.
deny ip 10.2.2.31 255.255.255.255 any
permit ip 10.2.2.40 255.255.255.248 any
permit ip 10.2.2.48 255.255.255.248 any
deny ip 10.2.2.32 255.255.255.224 any
permit ip 10.2.2.0 255.255.255.192 any

B.
permit ip 10.2.2.40 255.255.255.248 any
permit ip 10.2.2.48 255.255.255.248 any
permit ip 10.2.2.0 255.255.255.192 any
deny ip 10.2.2.31 255.255.255.255 any
deny ip 10.2.2.32 255.255.255.224 any

C.
deny ip 10.2.2.31 255.255.255.255 any
deny ip 10.2.2.32 255.255.255.224 any
permit ip 10.2.2.40 255.255.255.248 any
permit ip 10.2.2.48 255.255.255.248 any
permit ip 10.2.2.0 255.255.255.192 any

D.
deny ip 10.2.2.31 255.255.255.255 any
permit ip 10.2.2.40 255.255.255.248 any
deny ip 10.2.2.32 255.255.255.224 any
permit ip 10.2.2.48 255.255.255.248 any
permit ip 10.2.2.0 255.255.255.192 any

Correct Answer: A

Community vote distribution


A (100%)

AM1234 Highly Voted 2 years, 7 months ago

Correct answer is A
upvoted 8 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

deny ip 10.2.2.31 255.255.255.255 any --> Denies 10.2.2.31


permit ip 10.2.2.40 255.255.255.248 any --> Permits 10.2.2.40 - 10.2.2.47
permit ip 10.2.2.48 255.255.255.248 any --> Permits 10.2.2.48 - 10.2.2.55
deny ip 10.2.2.32 255.255.255.224 any --> Denies 10.2.2.32 - 10.2.2.63 but 40-55 perm.
permit ip 10.2.2.0 255.255.255.192 any --> Permits 10.2.2.0 - 10.2.2.30
upvoted 2 times

mmilev 1 year ago

Selected Answer: A

Nice oldschool question:


Correct is A.
deny ip 10.2.2.31 255.255.255.255 any (deny .31)
permit ip 10.2.2.40 255.255.255.248 any (permit .40-47)
permit ip 10.2.2.48 255.255.255.248 any (permit .48-55)
deny ip 10.2.2.32 255.255.255.224 any (deny .32-63) #already permitted 40-55
permit ip 10.2.2.0 255.255.255.192 any (permit .0-63) #already denied 32-39 from above ACE
# implicit deny any any
result: permitted .1-30 and .40-55 and denied any
upvoted 1 times

jhtemail 1 year, 4 months ago

I agree it's A, however it's a stupid way to do it.
upvoted 3 times

Disposable_Me_2018 2 years, 4 months ago


None of these are correct.
upvoted 4 times

Rockford 1 year, 4 months ago


A is best fit because of where the deny 10.2.2.32/27 sits in the other options, this denies .33 to .62 so permit .40 to .55 needs to come before
this statement. But I agree none are actually correct...
upvoted 2 times
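
The ordering argument in the thread above can be checked mechanically. This is an added example, not part of the original posts: it evaluates answer options A to D with first-match semantics and an implicit final deny, treating the masks as subnet masks as written in the question; the function names are hypothetical.

```python
import ipaddress

# ACEs transcribed from answer options A-D of Question #54, in listed order.
# Assumption: masks are subnet masks, so 255.255.255.248 is a /29.
OPTIONS = {
    "A": [("deny", "10.2.2.31", "255.255.255.255"),
          ("permit", "10.2.2.40", "255.255.255.248"),
          ("permit", "10.2.2.48", "255.255.255.248"),
          ("deny", "10.2.2.32", "255.255.255.224"),
          ("permit", "10.2.2.0", "255.255.255.192")],
    "B": [("permit", "10.2.2.40", "255.255.255.248"),
          ("permit", "10.2.2.48", "255.255.255.248"),
          ("permit", "10.2.2.0", "255.255.255.192"),
          ("deny", "10.2.2.31", "255.255.255.255"),
          ("deny", "10.2.2.32", "255.255.255.224")],
    "C": [("deny", "10.2.2.31", "255.255.255.255"),
          ("deny", "10.2.2.32", "255.255.255.224"),
          ("permit", "10.2.2.40", "255.255.255.248"),
          ("permit", "10.2.2.48", "255.255.255.248"),
          ("permit", "10.2.2.0", "255.255.255.192")],
    "D": [("deny", "10.2.2.31", "255.255.255.255"),
          ("permit", "10.2.2.40", "255.255.255.248"),
          ("deny", "10.2.2.32", "255.255.255.224"),
          ("permit", "10.2.2.48", "255.255.255.248"),
          ("permit", "10.2.2.0", "255.255.255.192")],
}

# Stated policy, as last octets in 10.2.2.0/24: permit .1-.30 and .40-.55.
POLICY = set(range(1, 31)) | set(range(40, 56))


def compile_acl(entries):
    """Turn (action, address, mask) tuples into (action, network) pairs."""
    return [(action, ipaddress.ip_network(f"{addr}/{mask}"))
            for action, addr, mask in entries]


def evaluate(acl, host):
    """First matching ACE decides; no match falls to the implicit deny."""
    for action, net in acl:
        if host in net:
            return action
    return "deny"


def permitted_octets(option):
    """Last octets in 10.2.2.0/24 that the option permits."""
    acl = compile_acl(OPTIONS[option])
    return {i for i in range(256)
            if evaluate(acl, ipaddress.ip_address(f"10.2.2.{i}")) == "permit"}


def deviation(option):
    """(wrongly permitted, wrongly denied) last octets versus POLICY."""
    permitted = permitted_octets(option)
    return sorted(permitted - POLICY), sorted(POLICY - permitted)


def shadowed_entries(option):
    """1-based positions of ACEs that can never match (fully covered earlier)."""
    acl = compile_acl(OPTIONS[option])
    dead = []
    for pos, (_, net) in enumerate(acl):
        earlier = [n for _, n in acl[:pos]]
        if all(any(addr in n for n in earlier) for addr in net):
            dead.append(pos + 1)
    return dead


if __name__ == "__main__":
    for name in OPTIONS:
        extra, missing = deviation(name)
        print(name, "wrongly permitted:", extra, "wrongly denied:", missing,
              "shadowed ACEs:", shadowed_entries(name))
```

Under these assumptions option A is the only ordering with no shadowed entry and no policy host wrongly denied; its single deviation is the network address 10.2.2.0, which the final /26 permit also matches.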
Question #55 Topic 1

A company has a third-party AAA server solution. The campus access layer was just upgraded to AOS-CX switches that perform access control with MAC-Auth and 802.1X. The company has an Aruba Mobility Controller (MC) solution for wireless, and they want to leverage the firewall policies on the controllers for the wired traffic.

What is correct about how the company should implement a security solution where the wired traffic is processed by the MCs?

A. Implement downloadable user roles with a gateway role defined on the AOS-CX switches

B. Implement local user roles with a gateway role defined on the AOS-CX switches

C. Implement standards-based RADIUS VSAs to pass policy information directly to the AOS-CX switches and MCs

D. Implement downloadable user roles with a device role defined on the AOS-CX switches and MCs

Correct Answer: D

Community vote distribution


B (100%)

poris27 Highly Voted 2 years, 10 months ago

I think the answer is B because it use 3rd party aaa server


upvoted 12 times

AM1234 Highly Voted 2 years, 7 months ago

Correct answer is B
upvoted 8 times

FAJE35 Most Recent 4 months, 3 weeks ago

Selected Answer: B

B because DUR is only possible with CPPM


upvoted 1 times

SeidorBruno 7 months, 2 weeks ago


Selected Answer: B

Page 756 Study Guide:


Note: On the older AOS switches, the term secondary role was used instead of gateway role. With AOS-CX switches, the appropriate term used to
describe the role the switch passes to the controller is the gateway role.
[Aruba Networks]
upvoted 4 times

d_nat 1 year, 4 months ago

Selected Answer: B

B should be correct. DURs work with Clearpass only, whereas LURs can be used with 3rd party AAA solutions
upvoted 2 times

cpfan 1 year, 4 months ago

Selected Answer: B

B as stated in the description of LUR (Local User Roles)


upvoted 2 times

Roebi 2 years, 1 month ago


Answer is B as stated in the description of LUR (Local User Roles)
upvoted 3 times

acot333 2 years, 10 months ago


I think it's C
upvoted 1 times
Question #56 Topic 1

An administrator wants to leverage always-on PoE on AOS-CX switches. Which statement is correct regarding this feature?

A. Provides up to 60W of power per port

B. Supports all AOS-CX switches

C. Provides surge protection for PoE and non-PoE ports

D. Requires NetEdit to implement

Correct Answer: A

Community vote distribution


A (100%)

maccchinguwo Highly Voted 2 years, 7 months ago

Correct answer is A not all switches offer PoE


upvoted 10 times

cloud29 Highly Voted 2 years, 10 months ago

A is correct
upvoted 7 times

SeidorBruno Most Recent 7 months, 2 weeks ago

Selected Answer: A

Page 42 Study Guide:


The typical use case for this would be a device power outage. Aruba 6300 Module SKUs are to be released with IEEE802.3bt or 4-pair PoE enabled.
The Fixed SKUs are 2-Pair PoE, but the mainboard is hardware-designed to support a 4-pair PoE controller and is 4-pair (60W per port) ready.
[Aruba Networks]
upvoted 1 times

cucobg92 8 months ago


None of the answers actually concern what is being asked. The Always-On PoE feature means that the switches keep delivering power despite a
switch reboot, including software upgrades.
C would have been correct if they were asking about "PoE Protection" feature instead.
A is the only one that could work since 60W is PoE++ and the switches with Always-On feature also support this... so A must be "correct".
upvoted 1 times

lee119 10 months, 2 weeks ago


Correct answer is A
upvoted 1 times

d_nat 1 year, 4 months ago

Selected Answer: A

A should be correct: the 6300/6400 offers 60W and always-on PoE.


B is not correct, because not all switches support PoE
C is not correct, as I found no hint in the datasheets that this is a feature for these switches
D is not correct, because you can make configurations via NetEdit, but it cannot push configurations, that one could not do from the CLI
upvoted 1 times

Rockford 1 year, 4 months ago


always-on - persistent power
PoE Protection - Surge protection
6300 and 6400 have PoE
Netedit?
So answer is A
upvoted 1 times

Beagly 1 year, 6 months ago


Correct answer is C, the Always-on PoE has also the surge protection for PoE and non PoE ports (see study guide pag 27/449)
upvoted 3 times

AM1234 2 years, 7 months ago


Correct answer is B
upvoted 2 times
Question #57 Topic 1

An administrator of a company has concerns about upgrading the access layer switches. The users rely heavily on wireless and VoIP telephony.

Which is the best recommendation to ensure a short downtime for the users during upgrading the access layer switches?

A. Install the in-service software upgrade (ISSU) feature with clustering enabled

B. Install AOS-CX 6300 or 6400 switches with always-on POE

C. Implement VSF on the AOS-CX access switches

D. Implement VSX on the AOS-CX access switches

Correct Answer: C

Community vote distribution


B (100%)

  AM1234 Highly Voted  2 years, 7 months ago

Correct answer is B
upvoted 6 times

  jagoanneon Highly Voted  2 years ago

Selected Answer: B

Answer is B. The key is to reduce the impact. VSF or not will have the same impact when the switch reboots. But if the switch supports always-on PoE,
then at least the PoE clients will be ready before the switch finishes booting up. If you don't have always-on PoE, then the PoE clients will reboot
AFTER the switch boots up.
upvoted 5 times

  A10busted Most Recent  4 months, 2 weeks ago

Mikie2825,
I think you're mixing up VSF with VSX. VSF won't help at all, and VSX is okay for your routing and fancy stuff, but it's not gonna help a powered-on VoIP
device on the access port. So it's B: always-on PoE keeps the device powered on while the switch reboots. As soon as the ports are alive, the VoIP
devices are all good to go and do their thing.
upvoted 1 times

  Mikie2825 6 months ago


C is the correct answer. It states that they want to ensure a short downtime. They do not need to make sure PoE is always on. With this crucial detail
in mind C is correct.
upvoted 2 times

  savaskuyumcuoglu 1 year, 10 months ago


but why especially 6300 or 6400 switches?
upvoted 1 times

  d_nat 1 year, 4 months ago


They both support always-on PoE
upvoted 1 times

  Jeyyoo 2 years, 8 months ago


6400 for an access layer switch... go ahead
upvoted 4 times

  jagoanneon 2 years ago


For big companies, installing modular switches on access layer is normal. We have hundreds of ports per rack. Modular switches such as Aruba
6400 or Cisco 4500 offer better and cleaner solution (less power cables, stacking cables and dual supervisor).
upvoted 3 times

  cloud29 2 years, 10 months ago


Same here, the answer is B
upvoted 3 times

  fasty 2 years, 10 months ago


I think also B
upvoted 3 times

  poris27 2 years, 10 months ago


Answer is B
upvoted 4 times
Question #58 Topic 1

How should a network administrator add NAE scripts and implement NAE agents that will run on an AOS-CX switch?

A. Use the web interface of the NetEdit server

B. Use the web interface of the AOS-CX switch

C. Use the web interface of Aruba Central

D. Use the CLI of the AOS-CX switch

Correct Answer: B

Community vote distribution


B (100%)

  AM1234 Highly Voted  2 years, 7 months ago

Correct answer is B
upvoted 7 times

  jagoanneon Most Recent  2 years ago

Selected Answer: B

B is correct
upvoted 2 times
Question #59 Topic 1

Which concept is implemented using Aruba's dynamic segmentation?

A. Root of trust

B. Device fingerprinting

C. Zero Touch Provisioning

D. Colorless port

Correct Answer: B

Community vote distribution


D (100%)

  poris27 Highly Voted  2 years, 10 months ago

Agree D
upvoted 12 times

  maccchinguwo Highly Voted  2 years, 7 months ago

D is the correct answer


upvoted 5 times

  A10busted Most Recent  4 months, 2 weeks ago

It's D,
Pages 40 and 746, Study Guide.
Dynamic Segmentation: Colorless ports.
upvoted 1 times

  devadarshan91730 1 year, 4 months ago


D is correct.
- as this allows implementing colorless ports using roles
upvoted 1 times

  a__p 1 year, 4 months ago

Selected Answer: D

Correct Answer is D
upvoted 2 times

  Davidkanigui 2 years, 7 months ago


I think B is correct because ClearPass is used in this process to fingerprint each device. ClearPass will then use the profile of each device to
successfully authenticate the device.
upvoted 1 times

  filthyx 2 years, 3 months ago


On dynamic segmentation, no interaction with ClearPass is done. Everything happens between the MC and the AOS-CX Switch.
upvoted 1 times

  AM1234 2 years, 7 months ago


Correct answer is D
upvoted 4 times

  cloud29 2 years, 10 months ago


Shouldn't it be B?
upvoted 1 times

  cloud29 2 years, 10 months ago


Sorry: D
upvoted 2 times
Question #60 Topic 1

Examine the attached exhibit.

The network administrator is trying to add a remote location as area 3 to the network shown in the diagram. Based on current connection restrictions, the administrator cannot connect area 3 directly to area 0. The network is using AOS-CX switches.

Which feature should the administrator implement to provide connectivity to the remote location?

A. Not-so-stubby areas

B. Bidirectional forward detection (BFD)

C. OSPFv3

D. Virtual links

Correct Answer: D

Community vote distribution


D (100%)

  Kevin1983 Highly Voted  2 years, 7 months ago

D is correct (page 450 study book)


upvoted 7 times

  d_nat Most Recent  1 year, 4 months ago

Selected Answer: D

D is correct. https://www.networkbulls.com/ask/what-is-difference-between-abr-and-asbr-in-ospf-network
upvoted 1 times

  AM1234 2 years, 7 months ago


Correct answer is D
upvoted 2 times
Question #61 Topic 1

Examine the attached diagram -

Two AOS-CX switches are configured for VSX at the access layer, where servers are attached to them. An SVI interface is configured for VLAN 10 and serves as the default gateway for VLAN 10. The ISL link between the switches fails, but the keepalive interface functions. Active gateway has been configured on the switches.

What is correct about access from the servers to the Core?

A. Server 2 can successfully access the core layer via the keepalive link.

B. Server 1 and Server 2 can communicate with each other via the core layer.

C. Server 2 cannot access the core layer.

D. Server 1 can access the core layer via both uplinks.

Correct Answer: D

Community vote distribution


C (78%) B (22%)

  fykloo Highly Voted  1 year, 4 months ago

Selected Answer: C

When only the ISL is down and peer-keepalive is up, the VSX secondary switch disables all its aggregate interfaces, so server 2 is isolated. Its ports are still
up but there is no connection to the core.
upvoted 6 times

  Max69 Highly Voted  9 months, 2 weeks ago

Selected Answer: C

The answer is C. If the ISL link breaks, the multi-chassis LAG links on the VSX pair will no longer work on the second member.
Server 2 will therefore be isolated
upvoted 5 times

  ASV2020 Most Recent  3 months, 2 weeks ago

Selected Answer: C

C
https://www.arubanetworks.com/techdocs/AOS-CX/10.11/HTML/vsx/Content/Chp_TS/tra-los-whe-isl-out-of-syn-kee-dow-10.htm

Traffic loss after the ISL has been out-of-sync and keepalive is down
Symptom
Traffic loss is seen after the ISL has been out-of-sync and keepalive is down.
Cause
If the ISL becomes out-of-sync and keepalive is established, the secondary VSX LAGs are brought down. If keepalive then fails and you have split
recovery mode enabled (default setting), the secondary switch brings up its VSX LAGs.
upvoted 1 times

  Alialo 1 year, 3 months ago

Selected Answer: C

Answer C. After an ISL failure, ports and SVIs associated with a VSX LAG are automatically turned off (shutdown); ports and SVIs not related to a VSX
LAG are still operating. In this case, server 2 and VLAN 10 are still operating, but since there are no external uplinks and routes, server 2 is isolated.
upvoted 2 times

  karlkurt 1 year, 3 months ago


Selected Answer: C

During ISL cut, if the VSX Secondary node has a port that is a member of a VSX LAG then the associated SVI of the VLAN transported by the said
VSX LAG is turned OFF/SHUT on the VSX Secondary node, whether or not there is an orphan port carrying that given VLAN.
Hence the SVI is down on the secondary, and server 2 is disconnected
upvoted 2 times

  a__p 1 year, 3 months ago

Selected Answer: C

I vote C - the question states the SVI has Active-Gateway configured, therefore must be on the VSX pair, also, uplink to the core is a MC-LAG and
will be shut down.
upvoted 1 times

  d_nat 1 year, 4 months ago

Selected Answer: B

I go for B.
A: keepalive is only for hellos
B: Server 1 traffic travels via Primary to Core to Secondary to Server 2
C: When ISL fails, LAG interfaces are shut down; not the access ports, to which devices are connected to
D: Uplink to Secondary is shut down because of ISL fail. So it is not correct.

https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/vsx/Content/Chp_TS/fai-sce-spl-rec.htm
upvoted 2 times

  cjoseph 1 year, 4 months ago

Selected Answer: C

Must be C, When ISL is down and KA is up ALL VSX-MC are shutdown from the secondary switch.
upvoted 4 times

  omen 1 year, 5 months ago


Selected Answer: B

D = no, as the link to the secondary peer is deactivated in the case of an MC-LAG, the two VSX peers should no longer see each other.
C = why not? This is a normal link, which remains even if the two VSX peers are interrupted.
A = Keepalive link only sends "hellos" back and forth between the VSX nodes to detect a split brain.
Consequently, it must be B.
upvoted 4 times
Question #62 Topic 1

An administrator is configuring BGP and has two connections to a service provider to two different local routers.

Which BGP metric should the administrator configure to influence which local router the service provider will use to reach certain routes?

A. Weight

B. Multiple exit discriminator

C. Local preference

D. Origin

Correct Answer: B

Community vote distribution


B (100%)

  Alialo 1 year, 3 months ago

Selected Answer: B

I vote B, Key words: two local routers and which local router will be used
the MED is used to tell routers outside of an AS which entrance path to take, the LOCAL_PREF is used locally within an AS
to tell routers which exit path to take out from an AS.
upvoted 1 times

  bpbenabd 1 year, 3 months ago


I think that the correct answer is D, because we need to influence the service provider side and not the local side
upvoted 1 times

  warwalker 1 year, 4 months ago

Selected Answer: B

B is correct.

The BGP multiple exit discriminator (MED, or MULTI_EXIT_DISC) is a non-transitive attribute, meaning that it is not propagated throughout the
Internet, but only to adjacent autonomous systems (ASs). The MED attribute is optional, meaning that it is not always sent with the BGP updates.
The purpose of MED is to influence how other ASs enter your AS to reach a certain prefix.
upvoted 1 times
Question #63 Topic 1

A network has an ABR that connects area 0 and 1. A network engineer configures a summarized route for area 0. The ABR is a designated router (DR) for the segment it uses to connect to area 1.

Which LSA type is assigned to this route when the summarized route is advertised into area 1 by the ABR?

A. LSA 1

B. LSA 4

C. LSA 3

D. LSA 2

Correct Answer: B

Community vote distribution


C (100%)

  d_nat 1 year, 3 months ago

Selected Answer: C

Answer C, Type 3: https://www.router-switch.com/faq/6-types-of-ospf-lsa.html


upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: C

Type 3
upvoted 2 times

  E_Nick 1 year, 4 months ago

Selected Answer: C

Type 3 are summary LSAs


upvoted 1 times

  cjoseph 1 year, 4 months ago


Selected Answer: C

LSA 3 - Summary, Advertise network in other areas.


upvoted 2 times

  fykloo 1 year, 4 months ago


Selected Answer: C

Type 3 LSAs are summary LSAs, I confirm


upvoted 2 times

  Rockford 1 year, 4 months ago


C: Type 3 LSAs are summary LSAs
You see Type 1 and 2 LSAs inside an area. ABRs inject Type 3 summary LSAs into an area. ASBRs send type 5 external LSAs, and sometimes Type 7
LSAs, while Type 4 LSAs are information about those ASBRs.
upvoted 3 times
Question #64 Topic 1

A company uses NetEdit to manage a network of 700 AOS-CX switches and approximately 1,000 other SNMP-capable devices.

Which management solution should the company use to monitor all the devices, as well as see a topology picture of how all the devices are connected together?

A. NetEdit

B. Aruba AirWave

C. Aruba Activate

D. Network Analysis Engine (NAE)

Correct Answer: A

Community vote distribution


A (100%)

  omen 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 3 times
Question #65 Topic 1

An administrator is managing a network comprised of AOS-CX switches deployed at the aggregation layer. The switches are paired in a VSX stack and run the OSPF routing protocol. The administrator is concerned about how long it takes for OSPF to converge when one of the VSX switches has to reboot.

What should the administrator do to speed up the OSPF convergence of the switch that is rebooting?

A. Change the VSX ISL link from an OSPF broadcast link point-to-point.

B. Implement graceful restart on the VSX switches and their neighboring OSPF switches.

C. Decrease the VSX initial synchronization timer on the two VSX switches.

D. Define non-backbone areas on the VSX switches as totally stubby areas.

Correct Answer: B

Community vote distribution


B (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

Page 419 Study Guide:


failure of the VSF master or VRRP master could still disrupt routing and connectivity. OSPF graceful restart ensures nonstop routing as the standby
member takes over as the master.
[Aruba Networks]
upvoted 2 times

  slotblocker 8 months, 2 weeks ago


Selected Answer: B

https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/ip_route_4100i-6000-6100-6200/Content/Chp_OSPFv2/cnf-gra-res-osp-rou.htm
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: B

Graceful restart is correct


upvoted 3 times
Question #66 Topic 1

A network administrator wants to replace older access layer switches with AOS-CX 6300 switches.

Which virtual switching technology can the administrator implement with this solution?

A. Both VSF and VSX

B. Only Backplane stacking

C. Only VSF

D. Only VSX

Correct Answer: C

Community vote distribution


C (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 26 Study Guide:


It also supports ten-unit VSF stacking.
[Aruba Networks]
upvoted 1 times

  d_nat 1 year, 4 months ago

Selected Answer: C

Answer is C. 6300 can do VSF, whereas 6400 does VSX


upvoted 3 times

  E_Nick 1 year, 4 months ago

Selected Answer: C

VSF is the 6300


upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times
Question #67 Topic 1

A network administrator is installing NetEdit. In order for NetEdit to manage the AOS-CX switches in the network, what must be defined on the AOS-CX switches? (Choose two.)

A. Enabling telnet

B. Defining an admin user password

C. Defining the https user-group

D. Enabling the RESTful API for read and write access

E. Enabling SFTP

Correct Answer: BD

Community vote distribution


BD (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: BD

Page 71 Study Guide:


To communicate with Aruba NetEdit, the AOS-CX switch requires some minimum configuration. The REST interface is disabled by
default, and like HTTPS, must be enabled. Likewise, access requires a switch account with administrative access.
[Aruba Networks]
upvoted 3 times

  d_nat 1 year, 4 months ago


Selected Answer: BD

B&D are required


upvoted 1 times

  E_Nick 1 year, 4 months ago


Selected Answer: BD

B & D are both required


upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: BD

Correct Answer: BD
upvoted 1 times
Question #68 Topic 1

What are best practices when implementing VSX on AOS-CX switches? (Choose two.)

A. The ISL lag should use the default MTU size.

B. Timers should be left at their default values.

C. The default system MAC addresses should be used.

D. The keepalive connection should use a direct layer-3 connection.

E. The ISL lag should use at least 10GbE links or faster.

Correct Answer: BD

Community vote distribution


BD (92%) 8%

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: BD

Page 194 Study Guide:


Keep ISL timers (dead-interval, hello-interval, hold-time, peer-detect-interval) at default value
[Aruba Networks]

Page 193 Study Guide:


Keepalive Link
The best practice for the Keepalive connection is to use a direct L3 circuit, which can be a low speed port (1G transceiver is enough, 1GBASE-T
works as well) between both VSX nodes.
[Aruba Networks]
upvoted 3 times

  MaxAMG45 8 months, 3 weeks ago


B & D is correct,
B: p193 of SG (default timer)
D: p190 of SG (direct-connected L3 Lag)
upvoted 2 times

  Max69 9 months, 2 weeks ago

Selected Answer: BD

B & D are correct. The question talks about best-practice.


10G on ISL is not best-practice. Aruba recommends 40 or 100 GB, so answer E is wrong
upvoted 1 times

  ETSega6912 11 months, 3 weeks ago

Selected Answer: BD

ISL ports can be 1G


https://www.arubanetworks.com/techdocs/AOS-CX/10.09/HTML/vsx/Content/Chp_Start/int-swi-lin-isl-10.htm
All ISL ports must have the same speed. The speed can be 1G, 10G, 25G, 40G, 50G or 100G, with 40G and 100G being the preferred speeds.
upvoted 1 times

  alex711 11 months, 3 weeks ago


Selected Answer: BD

Correct answer is B&D.


Best practices page 193. (Leave the timers at their default values)
upvoted 1 times

  devadarshan91730 1 year, 4 months ago


Answer is D and E.
Reason B cannot be it because it bluntly says timers but doesn't specify which timer. If it says "ISL Timers should be left at their default values." then
that would be true.
For instance, VSX linkup-delay-timer is set to 600 so that nullifies option B.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00094242en_us
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: DE

D & E should be correct, suggested 40g but can work on 10g


upvoted 1 times

  cjoseph 1 year, 4 months ago


Selected Answer: BD

B & D are correct


Whilst you can use 10GbE SFPs for an ISL it is not recommended by Aruba thus not a best-practice.
upvoted 2 times

  Jo2241 1 year, 4 months ago


DE
The best practice for ISL bandwidth is at least 2x40G (QSFP+) or 2x50G (SFP56) or 2x100G (QSFP28). It is technically possible to use 2x10G or 2x25G;
The best practice for Keepalive connection is to use a direct L3 circuit
p16 and p29 VSX Configuration Best Practices document
upvoted 1 times

  manrodman 1 year, 3 months ago


B & D: The best practice for inter-switch-link timers (dead-interval, hello-interval, hold-time, peer-detect-interval) is to keep the default timers
(i.e. no specific configuration) -> p19

Whilst you can use 10GbE SFPs for an ISL it is not recommended by Aruba thus not a best-practice.
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: BD

Correct Answer: BD
upvoted 3 times

Question #69 Topic 1

An administrator wants to implement dynamic segmentation policies. The network consists of AOS-CX and Aruba gateways.

Which type of forwarding should the administrator implement for users that already connect via wireless, but will also be connecting on Ethernet switch ports?

A. User-based tunneling (UBT)

B. Port-based tunneling (PBT)

C. Switch-to-switch tunneling (SST)

D. Local switching

Correct Answer: A

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago


Selected Answer: A

Page 41 Study Guide:


The figure introduces you to tunneling options related to dynamic segmentation
• User-Based Tunnel (UBT): each user is assigned their own role
• Port-Based Tunnel (PBT): each port (and all the devices connected to the same port) are assigned the same role (PBT is not currently supported in
AOS-CX 10.4 but there are plans to add it in a future release)
• Switch-to-switch tunneling: planned release in AOS-CX 10.5
• None: Exempt certain traffic from tunneling by performing local switching/forwarding (like voice, for example)
[Aruba Networks]
upvoted 3 times

  E_Nick 1 year, 4 months ago


A is correct
upvoted 1 times

  omen 1 year, 5 months ago


Correct Answer: A
B: Port-based tunneling is not supported on AOS-CX
C: SST never heard
D: doesn't make sense
upvoted 3 times
Question #70 Topic 1

Examine the partial output of the BGP routing table of an AOS-CX switch:

The switch is learning about four possible paths to reach the 1.0.0.0/8 network. Based on this output, which next-hop route will the AOS-CX select to be placed in the IP routing table?

A. 192.168.1.5

B. 192.168.2.5

C. 192.168.3.5

D. 192.168.4.5

Correct Answer: C

Community vote distribution


C (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 485 Study Guide:


You see the BGP attributes and the preferred values for each one. Attributes are listed in the order by which the router examines them when
selecting the best route. That is, the router selects the route with the better weight first.
[Aruba Networks]
upvoted 3 times

  devadarshan91730 1 year, 4 months ago


Answer is C, as Highest Weight beats all. As highest weight is "20" so this is more preferred route , 192.168.3.5 is added to route table.
BGP path attributes
upvoted 2 times

  omen 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times
Question #71 Topic 1

What is correct regarding rate limiting and egress queue shaping on AOS-CX switches?

A. Rate limiting and egress queue shaping can be used to restrict inbound traffic

B. Limits can be defined only for broadcast and multicast traffic

C. Rate limiting and egress queue shaping can be applied globally

D. Traffic rate limit is configured on queue level

Correct Answer: D

Community vote distribution


D (80%) C (20%)

  A10busted 4 months, 2 weeks ago


C:
Rate limiting, you configure it per physical or lag interface.
P:825 Study Guide
upvoted 1 times

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

https://www.arubanetworks.com/techdocs/AOS-CX/10.08/PDF/qos_832x.pdf
Page 851 Study Guide:
Egress queue shaping allows you to apply a maximum bandwidth to a priority queue, as well as a burst size.
[Aruba Networks]
upvoted 2 times

  QiQi 10 months, 2 weeks ago

Selected Answer: D

D is correct.
For example:
switch(config)# qos schedule-profile EQSExample
switch(config-schedule)# strict queue 0
switch(config-schedule)# strict queue 1 max-bandwidth 10000000 burst 120
switch(config-schedule)# strict queue 2
switch(config-schedule)# strict queue 3
switch(config-schedule)# strict queue 4 max-bandwidth 20000000
switch(config-schedule)# strict queue 5
switch(config-schedule)# strict queue 6
switch(config-schedule)# strict queue 7 max-bandwidth 30000000 burst 120
switch(config-schedule)# exit
switch(config)# interface 1/1/1
switch(config-if)# apply qos schedule-profile EQSExample
upvoted 2 times

  Alialo 1 year, 3 months ago


Selected Answer: D

I think it should be D. EQS can be configured with a schedule profile and be applied on an ETH port or LAG, cannot be applied globally (tested with
8400 and 8325).
upvoted 1 times

  MrBB 1 year, 3 months ago

Selected Answer: D

Page 258 vol2 says Egress queue shaping limits the amount of traffic transmitted per output queue.
upvoted 1 times

  manrodman 1 year, 3 months ago

Selected Answer: C

I think that C is correct because rate limiting can be applied globally by a policy and for egress queue shaping apply the global schedule profile
when applying the queue profile.
Based on the schedule profile, DWRR is being used and the queue and schedule profile are applied globally.
A is not correct: queue shaping restricts outbound traffic
B is not correct: restrict unknown unicast
D is not correct: traffic rate limit is configured on interface level
upvoted 2 times

  slotblocker 8 months, 3 weeks ago


D. the traffic rate limit is configured on an interface level. You maybe defined max-bandwidth in strict queue, but you applied to an interface.
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 2 times
Question #72 Topic 1

What is the correct way of associating a VRF instance to either a VLAN or an interface?

A. Switch(config)# interface <interface-ID> Switch(config-if)# vlan access <VLAN-ID> vrf attach <vrf-name>

B. Switch(config)# vlan <VLAN-ID> vrf attach < vrf-name >

C. Switch(config)# vlan <VLAN-ID> Switch(config-vlan-<VLAN-ID># vrf attach < vrf-name >

D. Switch(config)# vlan <VLAN-ID> vrf < vrf-name >

Correct Answer: C

Community vote distribution


C (75%) A (25%)

  A10busted 4 months, 2 weeks ago


E:
It is... as Alialo explained none are correct and his explanation is correct.
#>interface vlan101
#>>vrf attach campus
Page: 892 study guide.
upvoted 1 times

  SeidorBruno 7 months, 2 weeks ago


Selected Answer: C

Page 518 Lab Guide:


ICX-Tx-Core1(config-if-vlan)# vrf attach blue
upvoted 2 times

  Max69 9 months, 2 weeks ago

Selected Answer: C

C is correct.
upvoted 1 times

  Alialo 1 year, 3 months ago


Selected Answer: C

now all the answers are wrong, VRF will be assigned as below:
INT:
switch(config)# interface 1/1/1
switch(config-if)# vrf attach test
SVI:
switch(config)# vlan 3
switch(config-vlan)# exit
switch(config)# interface vlan 3
switch(config-if-vlan)# vrf attach test

If we follow the SG from Aruba, we should use C. Checked with SG, Figure14-4.
upvoted 2 times

  Bar_x 1 year, 3 months ago


Selected Answer: C

C
Option A is a layer 2 interface, can't be attached to a VRF
upvoted 1 times

  devadarshan91730 1 year, 3 months ago


@Omen, there is also another option we can configure just like in option A if this for a layer 3 routed interface . Option A is correct
upvoted 1 times

  omen 1 year, 5 months ago


Actually, none of these answers is correct. The correct syntax would be as follows.

Switch1(config)# inter vlan 11


Switch1(config-if-vlan)# vrf attach testvrf
upvoted 4 times

  rasmusbirkelund 1 year, 5 months ago


Selected Answer: A
While I agree that C is correct, when attaching a VRF to a VLAN, I notice that the configuration context changes to "config-vlan-<VLAN-ID", and
not just "config-vlan", as shown on p. 942 in the Study Guide.
A is correct, according to Study Guide.
upvoted 2 times
Question #73 Topic 1

When an AOS-CX switch uses a temporary copy of the Configuration State database, what kind of analysis does NetEdit perform to ensure that the configuration is correct?

A. Syntax validation

B. Semantic validation

C. Conformance validation

D. Change validation

Correct Answer: D

Community vote distribution


B (92%) 8%

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

Page 89 Study Guide:


There are several advantages to offloading the process of validation at the device level. As shown in the figure, NetEdit analyzes the configuration
in the context of the device’s state using the existing configuration validation process in the switch and creates a temporary copy in the Current
State DB (CSDB) to perform the analysis. NetEdit uses the REST interface to send the configuration to the device and to receive the result in JSON
format.
[Aruba Networks]
upvoted 3 times

  Max69 9 months, 2 weeks ago

Selected Answer: B

Semantic validation
upvoted 1 times

  d_nat 1 year, 3 months ago

Selected Answer: B

B seems right:
"NetEdit analyzes the configuration in the context of the device’s state using the existing
configuration validation process in the switch and creates a temporary copy in the Current
State DB (CSDB) to perform the analysis"
upvoted 3 times

  devadarshan91730 1 year, 4 months ago


Answer B. Semantic validation
-When: VALIDATE button (in multi-editor) or before DEPLOY
– What: configuration consistency
upvoted 1 times

  manrodman 1 year, 5 months ago


Validation processes
+ Syntax validation
– When: while typing
– What: command syntax including in-line help
+ Semantics validation
– When: VALIDATE button (in multi-editor) or before DEPLOY
– What: configuration consistency
+ Conformance validation
– When: while editing
– What: compliance with conformance rules: corporate policies, minimum connectivity requirements, etc.
+ Change validation
– When: during DEPLOY (before and after configuration deployment)
– What: compares device state before and after changes are applied (using show commands)

Answer D: before and after configuration deployment


upvoted 2 times

  Alialo 1 year, 3 months ago


the question is how to ensure that the configuration is correct, not to check the device state after changes, so should be B?
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: B
Sorry, I have to correct my answer. According to Study Guide Page 62, it is the "Semantic validation", i.e. B. "The device uses a temporary copy of is
Current State DB (CSDB) to perform the analysis"
upvoted 4 times

  omen 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 1 times

Question #74 Topic 1

What must a network administrator implement in order to run an NAE script on an AOS-CX switch?

A. Deployment

B. Schedule

C. Plan

D. Agent

Correct Answer: D

Community vote distribution


D (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 119 Study Guide:


An NAE script has no effect until it has an associated agent, which instantiates the script and starts monitoring the attribute and taking actions.
[Aruba Networks]
upvoted 2 times

  devadarshan91730 1 year, 4 months ago


D . Agent - For NAE agents represents NAE scripts
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 1 times
Question #75 Topic 1

What is correct regarding policy-based routing?

A. Policies can only be applied to routed interfaces.

B. Policies can be applied inbound and outbound.

C. Monitoring of policy interfaces occurs every 60 seconds.

D. Policy actions include routing permitting or dropping traffic.

Correct Answer: A

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 902 Study Guide:


Apply the policy Access config-interface mode on the appropriate interface and apply the policy – always as an inbound policy. In other words, the
policy is applied as packets enter the router inbound. This makes sense, correct? The purpose of PBR is to override normal destination-based
routing. If you applied the policy outbound on an interface, it would be too late – routing decisions are already made.
[Aruba Networks]
upvoted 3 times

  Greenmile84 8 months ago


A
PBR can only be applied inbound and only to routed interfaces.
upvoted 1 times

  Alialo 1 year, 3 months ago

Selected Answer: A

PBR can only be applied inbound and only to routed interfaces.


upvoted 1 times

  d_nat 1 year, 4 months ago


Selected Answer: A

For routing you need a L3 port


upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
upvoted 1 times
Question #76 Topic 1

An administrator is supporting a network with the access layer consisting of AOS-CX 6300 and 6400 switches. The administrator needs to quickly deploy Aruba IAPs and security cameras in the network, ensuring that the correct QoS and VLAN settings are dynamically applied to the switch ports. Currently, switches are not configured to do device authentication, and no authentication server exists in the network.

Which AOS-CX feature should the administrator use to dynamically assign the policy settings to the correct switch ports?

A. Device profiles

B. Change of authorization

C. Dynamic segmentation

D. Voice VLANs

Correct Answer: C

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 873 Study Guide:


AOS-CX supports device profiles to make it even simpler to deploy Aruba Instant APs (IAP) and other devices. Use it when you are not sure what
switch port the device might connect to. Typically, you have a standard configuration that applies to all AP-connected ports. This would include
the native, untagged VLAN where IAPs have their IP addresses. It also includes tagged VLAN assignments for static and dynamic VLANs assigned
to WLANs for Aruba IAPs, the PoE settings such as a critical PoE priority, and so on.
[Aruba Networks]
upvoted 3 times

  d_nat 1 year, 4 months ago

Selected Answer: A

Without authentication server of any kind, device profiles are the way to go for quick deployment of the devices
upvoted 2 times

  Jo2241 1 year, 4 months ago

Selected Answer: A

Correct Answer is A, no authentication server exists on the network.


upvoted 1 times

  cjoseph 1 year, 4 months ago


Selected Answer: A

Correct answer: A

B & C require authentication from ClearPass


upvoted 1 times

  cpfan 1 year, 4 months ago


Selected Answer: A

no authentication server exists in the network


upvoted 2 times

  omen 1 year, 5 months ago


Selected Answer: A

The question is not how should it be done properly, but how can it be done so quickly without a radius etc? My opinion is therefore A. Not a good
solution, but quickly implemented.
upvoted 1 times
Question #77 Topic 1

Examine the network topology.

The network is configured for OSPF with the following attributes:

✑ Core1 and Core2 are ABRs
✑ Area 1 has 20 networks in the 10.1.0.0/16 range
✑ Area 0 has 10 networks in the 10.0.0.0/16 range
✑ Area 2 has 50 networks in the 10.2.0.0/16 range
✑ The ASBR is importing a static route into Area 1
✑ Core2 has a summary for Area 2: area 0.0.0.2 range 10.2.0.0/16 type inter-area
Here is the OSPF configuration performed on Core1:

Based on the above information, what is correct?

A. ISP 1 is not reachable from any area.

B. Core1 has received one type 5 LSA from the ASBR.

C. Area 0 has 81 routes

D. Area 1 has 23 routes

Correct Answer: C

Community vote distribution


A (86%) 14%

  spillo3000 Highly Voted  1 year, 5 months ago

ISP 1 is not reachable from any area


upvoted 6 times

  SeidorBruno Most Recent  7 months, 2 weeks ago

Selected Answer: A

Page 395 Study Guide:


To eliminate external routes and advertisements from an area, define the area as a stub area. ABRs for stub
areas do not forward Type 4 or Type 5 LSAs into those areas, and internal routers in those areas do not generate or accept them.
[Aruba Networks]
upvoted 3 times

  SahilERT 8 months ago


ISP can reach out to area1 via default route. Correct option D
upvoted 1 times

  theklee 1 year, 1 month ago


Stub area does not allow type 5 LSA or ASBR. Answer is A, ISP cannot be reached by any area
upvoted 2 times

  theklee 1 year, 1 month ago


Stub area does not allow type 5 LSA or ASBR
upvoted 1 times

  Alialo 1 year, 3 months ago

Selected Answer: D

I would like to choose D, but not totally sure about that.


ASBR importing a static route into Area 1, not LSA5.
20 local+1 LSA3+1 Static from ASBR+1 default from Area 0= 23 routes
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: A

To eliminate external routes and advertisements from an area, define the area as a stub area.
upvoted 3 times
Question #78 Topic 1

Examine the network topology.

Company XYZ has two connections to a service provider (ISP1). Here is the configuration of Router1:

Here is the configuration of Router2:

Based on configuration of Router1 and Router2, which BGP metric is being manipulated?

A. Weight

B. Multiple exit discriminator

C. Local preference

D. AS path length

Correct Answer: B

Community vote distribution


B (100%)
  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

Pages 496 & 497 Study Guide:


The Multiple Exit Discriminator (MED) attribute is shared with a multi-homed eBGP peer to influence how they will enter your network. The
command to be applied is "set metric xxx"
[Aruba Networks]
upvoted 3 times

  Greenmile84 8 months ago


B
the only difference between the config on both routers is the MED value, so should be B
upvoted 1 times

  slotblocker 8 months, 3 weeks ago


B. Metric=MED
upvoted 1 times

  bpbenabd 1 year, 3 months ago


I think that is C.
upvoted 2 times

  cjoseph 1 year, 4 months ago


Correct answer: B

BGP Metric is commonly known as MED.


upvoted 3 times

  omen 1 year, 5 months ago

Selected Answer: B

Correct Answer: B - make sense


upvoted 3 times
Question #79 Topic 1

An administrator wants to drop traffic from VLAN 6 (10.1.6.0/24) to VLAN 5 (10.1.5.0/24), but allow all other traffic. What is the correct
configuration to accomplish this?

A.

B.

C.

D.

Correct Answer: C

  mrdoctor 6 months, 2 weeks ago


Answer is D.
upvoted 2 times

  SeidorBruno 7 months, 2 weeks ago


Correct Answer D:
Page 316 & 317 Study Guide:
Policies can also be applied to a VLAN or an interface. The apply command is used, but in the interface or VLAN context.
[Aruba Networks]
Note: There are no implicit deny in policies. If you want to apply a policy on traffic, it must match a permit.
[Aruba Networks]
upvoted 3 times

  gcg 8 months, 1 week ago


I think is letter D
upvoted 1 times

  slotblocker 8 months, 2 weeks ago


Selected Answer: D

switch(config)# class ip VLAN5
switch(config-class-ip)# 10 match ip 10.1.6.0/24 10.1.5.0/24
switch(config-class-ip)# exit
switch(config)# policy VLAN5
switch(config-policy)# 10 class ip VLAN5 action drop
switch(config-policy)# exit
switch(config)# vlan 5
switch(config-vlan-5)# apply policy VLAN5 in
switch(config-vlan-5)# exit
upvoted 2 times

  slotblocker 8 months, 2 weeks ago


switch(config-if-vlan)# apply access-list ip VLAN5 in
Invalid input: in
switch(config-if-vlan)# apply access-list ip VLAN5
routed-in Routed inbound (ingress) traffic
routed-out Routed outbound (egress) traffic

New AOS-CX does not accept under C.


upvoted 1 times

  gian911 8 months, 2 weeks ago


For me it's D
From study guide, an ACL cannot be applied to an SVI interface so it cannot be C
upvoted 2 times

  alex711 11 months, 3 weeks ago


C is correct answer
upvoted 2 times

  Alialo 1 year, 3 months ago


I have to choose D
A wrong, should apply policy, not access-list
B wrong, should deny 10, not permit
C looks right, but now in CX CLI, it should be routed-in, not in (tested with 8400)
D is ok and tested with 8400

vlan 20
apply policy vlan20 in
or
interface vlan 20
apply access-list ip vlan20 routed-in
upvoted 3 times
Question #80 Topic 1

What is correct regarding the configuration of ACLs on AOS-CX switches?

A. Statements with the log keyword are always processed by the switch CPU.

B. Standard ACLs are used to match on routes when performing route distribution.

C. Wildcard masks are used to match on a range of IP addresses.

D. Numbers 100 through 199 and 2000 through 2999 are used when creating extended ACLs.

Correct Answer: C

Community vote distribution


A (69%) C (25%) 6%

  zeroprox 7 months ago

Selected Answer: A

A is correct
upvoted 1 times

  zeroprox 7 months ago

Selected Answer: D

D is correct
upvoted 1 times

  zeroprox 7 months ago


Wrong A is correct
upvoted 1 times

  SeidorBruno 7 months, 2 weeks ago


Selected Answer: A

Page 268 Study Guide:


Important: Logging information is processed by the CPU of the switch.
[Aruba Networks]
upvoted 3 times

  gian911 8 months, 2 weeks ago


Selected Answer: A

A is correct, statements with "log" are processed by CPU


Study guide p.266
upvoted 2 times

  alex711 11 months, 3 weeks ago

Selected Answer: C

CX Switches do support wildcard masks


upvoted 2 times

  devadarshan91730 1 year, 3 months ago


A is correct.
B - no route distribution in ACL
C - AOS-CX doesn't support wildcards
D - Range is from 100-199, 2000-2699
upvoted 1 times

  d_nat 1 year, 4 months ago


Selected Answer: A

CX Switches do not support wildcard masks


upvoted 1 times

  mindaugasv 1 year, 4 months ago


Selected Answer: A

AOS-CX does not support wildcard mask - only prefixes or subnet masks, so correct answer is A
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: C

C is correct, CX does support wildcard masks ie 10.0.10.0 255.0.255.0


upvoted 2 times

  cpfan 1 year, 4 months ago

Selected Answer: A

CX not support wildcard


upvoted 3 times
Question #81 Topic 1

When comparing PIM-DM and PIM-SM, which multicast components are only found with PIM-SM in multicast routing? (Choose two.)

A. IGMP querier

B. Rendezvous point

C. Bootstrap router

D. Shortest path tree

E. Designated router

Correct Answer: BD

Community vote distribution


BE (63%) BC (38%)

  d_nat Highly Voted  1 year, 4 months ago

Selected Answer: BE

A rendezvous point (B) is used by SM only. Shortest path tree (D) is optional for SM but available. Designated router (E) is available on SM only.
So: BE
upvoted 5 times

  udo2020 4 months, 2 weeks ago


You are generally right. But the only exception is when you use IGMPv1 with Dense-Mode...in that case, the PIM DR will work as the IGMP query
router because IGMPv1 doesn’t have a query router election.
upvoted 1 times

  A10busted Most Recent  4 months, 2 weeks ago

B,E,
Study Guide :P 615, PIM-SM Designated Router.
P:617 PIM-SM Rendezvous Point.
upvoted 1 times

  udo2020 4 months, 3 weeks ago


I think it's B and C.
In a multicast topology, BSR (Bootstrap) is a protocol that is used to automatically find the RP in a sparse mode network topology.
upvoted 2 times

  SeidorBruno 7 months, 2 weeks ago


Selected Answer: BC

Page 627 Study Guide:


BSR is a RP high-availability mechanism that provides active/standby functionality and automatic downstream RP information propagation.
[Aruba Networks]
upvoted 1 times

  slotblocker 8 months, 3 weeks ago


D. and E.

https://networklessons.com/multicast/multicast-pim-designated-router
upvoted 1 times

  slotblocker 8 months, 3 weeks ago


B and E.
upvoted 3 times

  cjoseph 1 year, 4 months ago


Selected Answer: BC

B. Rendezvous point
C. Bootstrap router
E. Designated router

All three are uniquely for PIM SM.

Bootstrap router to find Rendezvous point. Designated Router to act on the behalf of the multicast source.

Answer should be B & C.


upvoted 2 times

  Rockford 1 year, 4 months ago


BE
PIM-SM uses DR and RP
A designated router (DR) is required on both the source-side network and receiver-side network. A source-side DR acts on behalf of the multicast
source to send register messages to the RP
upvoted 3 times

  spillo3000 1 year, 5 months ago


BC, sorry. In dense mode, the rendezvous point and designated router do not exist.
upvoted 1 times

  spillo3000 1 year, 5 months ago


BD. In dense mode, the rendezvous point and designated router do not exist.
upvoted 2 times
Question #82 Topic 1

Examine the network exhibit.

A network administrator is implementing OSPF on a VSX pair of aggregation switches: Agg1 and Agg2. VLANs 10 and 20 are connected to layer-2
access switches. Agg-1 and Agg-2 are configured as the default gateway for VLANs 10 and 20, with active gateway enabled.

What is the best practice for configuring OSPF on the aggregation switches and their connection to the Core switch?

A. Define a layer-2 VSX LAG associated with a layer-3 VLAN interface. Enable active gateway for the Layer-3 VLAN.

B. Define separate layer-3 VLAN interfaces between the aggregation and core switches. Enable active forwarding for the Layer-3 VLAN.

C. Define separate layer-3 VLAN interfaces between the aggregation and core switches. Enable active gateway for the Layer-3 VLAN.

D. Define a layer-2 VSX LAG associated with a layer-3 VLAN interface. Enable active forwarding for the Layer-3 VLAN.

Correct Answer: A

Community vote distribution


B (79%) A (16%) 5%

  a__p Highly Voted  1 year, 4 months ago

Selected Answer: B

From the tech docs "Active forwarding is an optimization for layer 3 unicast traffic flowing from the upstream (core) to the downstream (access)
through the VSX peers (aggregate). "
upvoted 5 times

  SeidorBruno Most Recent  7 months, 2 weeks ago

Selected Answer: B

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7888/Content/Chp_Pre_tra_loss/act-for-10.htm
Active forwarding is an optimization for layer 3 unicast traffic flowing from the upstream (core) to the downstream (access) through the VSX peers
(aggregate). Active forwarding prevents the bridged traffic from switching over the ISL. It also minimizes latency and the ISL bandwidth

B & D Active Forwarding must be enabled on VLAN NOT on Layer 3 VLAN:


"The active forwarding, which is set per-VLAN...."
[Aruba Networks]
C no sense
upvoted 2 times
  slotblocker 8 months, 3 weeks ago
Note: Interface LAG assignments and VLAN access statements cannot be assigned to an interface simultaneously. An error occurs when saving the
MultiEdit configuration, if the vlan access 1 statement is not removed, so you need to define a separate layer 3 interface, and to configure the
Active forwarding.

Answer: B
upvoted 2 times

  techhorst 9 months, 2 weeks ago


Selected Answer: D

Chapter 6 - Advanced OSPF - Using OSPF with VSX.


Same Graphic - Description: Transit OSPF interfaces - Layer 2 VSX LAG associated with Layer 3 VLAN (or VLANs), Active Forwarding on VLAN. So
Answer D
upvoted 1 times

  Alialo 1 year, 3 months ago


Selected Answer: B

Should be B. The question is for the connection to the Core switch, should be active forwarding. Active gateway is useful for downstream VSX LAG to
access-switches
upvoted 4 times

  bpbenabd 1 year, 3 months ago


the right answer is C, with active gateway and not active forwarding
upvoted 1 times

  devadarshan91730 1 year, 4 months ago


Answer D : layer-2 VSX LAG associated with a layer-3 VLAN interface. Enable active forwarding for the Layer-3 VLAN - These are for transit OSPF
interface and so forth, it applies.
Study guide: Page : 196
upvoted 3 times

  Jo2241 1 year, 4 months ago

Selected Answer: B

Answer B : Active forwarding should be enabled on every OSPF interface that is a transit network.
upvoted 4 times

  omen 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
upvoted 3 times
Question #83 Topic 1

When implementing user-based tunneling on an AOS-CX switch, which component defines the primary and backup Aruba gateways?

A. Transit VLAN

B. Gateway role

C. Server group

D. Zone

Correct Answer: D

Community vote distribution


D (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 769 Study Guide:

Configure zone
To set up UBT LUR, you first need to define a zone:
switch(config)# ubt zone <zone-name> vrf <VRF-name>
switch(config-ubt-zone)# primary-controller ip <IP-address>
switch(config-ubt-zone)# backup-controller ip <IP-address>
switch(config-ubt-zone)# papi-security-key <key>
switch(config-ubt-zone)# enable
switch(config)# ip source-interface ubt {interface <IFNAME> | <IPV4-ADDR>} [vrf <VRFNAME>]
[Aruba Networks]
upvoted 2 times

  E_Nick 1 year, 4 months ago

Selected Answer: D

ubt zone <zone name> vrf <vrf name>


primary-controller ip <ip>
backup-controller ip <ip>
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 2 times
Question #84 Topic 1

When implementing deficit weighted round robin queuing, what importance does the weight value have?

A. Prioritizing latency-sensitive traffic

B. Queue priority in processing traffic

C. Strict priority queue

D. Percentage of interface bandwidth

Correct Answer: B

Community vote distribution


D (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 853 Study Guide


upvoted 3 times

  Bar_x 1 year, 3 months ago

Selected Answer: D

"Using weights that add up to 100 makes it easy to estimate the bandwidth: the weight converts to a percentage of the bandwidth"
HPE Press Study Guide, Page 385
upvoted 4 times

  cpfan 1 year, 4 months ago


Selected Answer: D

Assigns the deficit weighted round robin (DWRR) algorithm and its weight to a queue in a schedule profile. DWRR allocates available bandwidth
among all non-empty queues in relation to the queue weights.
The no form of this command removes the DWRR algorithm from a queue in a schedule profile.
upvoted 4 times

  spillo3000 1 year, 5 months ago


D DWRR allocates available bandwidth among all non-empty queues in relation to the queue weights.
upvoted 3 times
Question #85 Topic 1

A network administrator is implementing OSPF, where there are two exit points. Each exit point has a stateful, application inspection firewall to
implement company policies.

What would the best practice be to ensure that one firewall will see both directions of the traffic, preventing asynchronous connections in the
network?

A. Both ASBRs should define External Type 1 routes for the external routes, using a different initial cost value for each ASBR.

B. Both ASBRs should define External Type 1 routes for the external routes, using the same initial cost value for each ASBR.

C. Both ASBRs should define External Type 2 routes for the external routes, using the same initial cost value for each ASBR.

D. Both ASBRs should define External Type 2 routes for the external routes, using a different initial cost value for each ASBR.

Correct Answer: A

Community vote distribution


D (100%)

  mkareem 7 months, 2 weeks ago

Selected Answer: D

Correct Answer
upvoted 2 times

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 391 Study Guide:


Ensure traffic via a FW is seen in both directions - E2 with appropriate seed metric to prefer one primary path.
upvoted 3 times

  cjoseph 1 year, 4 months ago


Selected Answer: D

Correct answer is: D


upvoted 1 times

  Rockford 1 year, 4 months ago


Answer is D:
Ensure traffic via a FW is seen in both directions - E2 with appropriate seed metric to prefer one primary path.
upvoted 4 times
Question #86 Topic 1

What is a concept associated with PIM sparse mode (SM)?

A. Reverts to forwarding when the pruning state times out.

B. Requires periodic joins to maintain the shortest path tree (SPT).

C. Recommended for use when high bandwidth connections exist.

D. Implements a push content to forward traffic from the multicast source.

Correct Answer: B

Community vote distribution


B (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7876/Content/Chp_pim-sm/how-pim-sm-wor-10.htm:
In a PIM domain, each PIM interface on a router periodically multicasts PIM hello messages to all other PIM routers (identified by the address
224.0.0.13 for V4 and ff02::d for V6) on the local subnet. Through the exchanging of hello messages, all PIM routers on the subnet determine their
PIM neighbors, maintain PIM neighboring relationship with other routers, and build and maintain shortest path trees (SPTs).
upvoted 2 times

  omen 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
https://www.youtube.com/watch?v=PhzMcUcS6UA
upvoted 2 times
Question #87 Topic 1

Which AOS-CX feature is used to prevent head-of-line (HOL) blocking?

A. VSF

B. WFQ

C. VOQ

D. VSX

Correct Answer: C

Community vote distribution


C (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 822 Study Guide:


ArubaOS-CX switches use an intra-switch queuing method called Virtual Output Queuing
(VoQ). If the ingress buffer used a single queue, head of line (HOL) blocking could delay the traffic. If the packet at the front of the queue is
destined out a congested port, it delays all packets behind it, even though those that are destined to non-congested ports. VoQ prevents this
problem
[Aruba Networks]
upvoted 3 times

  d_nat 1 year, 4 months ago

Selected Answer: C

Wire speed and VOQ


A network is only as fast as its slowest component. Without the right performance and capacity for your wired network, the move to Wi-Fi 6 isn’t
feasible. Many legacy switches suffer from head-of-line blocking, which limits the throughput of each port—costing both time and the bottom line.

Look for switches that have a non-blocking architecture with virtual output queuing (VOQ) and wire speed performance. While common in data
center switches, such capabilities will also be critical for campus or edge networks with high-density Wi-Fi 6 deployments in order to:

Prevent head-of-line blocking by optimizing traffic flows through the switch


Achieve maximum performance on every port
upvoted 1 times
Question #88 Topic 1

Examine the following AOS-CX switch configuration:

Which access control entries would allow web traffic to the web servers 10.1.0.100 and 10.1.1.100?

A. permit tcp servers eq 80

B. permit tcp any 10.1.0.100 0.0.1.0 eq 80

C. permit tcp any 10.1.0.100/10.1.1.100 eq 80

D. permit tcp any 10.1.0.100/255.255.254.255 eq 80

Correct Answer: B

Community vote distribution


D (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 259 Study Guide:


AOS-CX switches do not support wildcard masks — only prefixes or subnet masks — when creating ACEs.
[Aruba Networks]
upvoted 3 times

  Jo2241 1 year, 4 months ago

Selected Answer: D

Correct answer is D, CX do not support wildcard


upvoted 1 times

  cjoseph 1 year, 4 months ago

Selected Answer: D

Correct answer D
upvoted 1 times

  cpfan 1 year, 4 months ago

Selected Answer: D

aos-cx do not support wildcard mask


upvoted 1 times

  cpfan 1 year, 4 months ago


Selected Answer: D

cx do not support wildcard mask


upvoted 1 times

  spillo3000 1 year, 5 months ago


D aos-cx do not support wildcard mask
upvoted 1 times

  spillo3000 1 year, 5 months ago


aos-cx do not support wildcard mask
upvoted 1 times
Question #89 Topic 1

Which AOS-CX switches support weighted fair queuing (WFQ)?

A. Both 8320 and 8325

B. Both 6300 and 6400

C. 8400 only

D. 6300 only

Correct Answer: C

Community vote distribution


C (100%)

  ripcurl 2 months, 1 week ago


The factory default profile has eight queues, numbered 0-7. For each queue, you specify a scheduling algorithm and settings associated with that
algorithm. All the AOS-CX switch models support strict priority (SP) for the algorithm. In addition, the 8325, 8320, 6400, and 6300 support deficit
weighted round robin (DWRR) while the 8400 supports weighted fair queuing (WFQ).
upvoted 1 times

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 849 Study Guide:


the 8325, 8320, 6400, and 6300 support deficit weighted round robin (DWRR) while the 8400 supports weighted fair queuing (WFQ).
[Aruba Networks]
upvoted 4 times

  slotblocker 8 months, 2 weeks ago


Selected Answer: A , Only 8320 and 8325

this is from 8400 Data sheet:

Quality of Service (QoS)


• Strict priority (SP) queuing and Deficit Weighted
Round Robin (DWRR)
upvoted 1 times

  Redrum702 8 months, 2 weeks ago


A: 8320 and 8325 both support WFQ
upvoted 2 times

  spag22500 1 year, 3 months ago


in this datasheet 8320 and 8325 => ok
https://www.securewirelessworks.com/datasheets/switches/DS_8320Series.pdf
https://www.frings-it.de/fileadmin/fis/pdf/Produktdaten/HPE_aruba_8325Series.pdf
Quality of Service (QoS)
Supports the following congestion actions: strict priority (SP)
queuing and weighted fair queuing
upvoted 4 times

  NetDon 1 year, 5 months ago


Answer C: "Platform: 8400"
https://www.arubanetworks.com/techdocs/AOS-CX/AOSCX-CLI-Bank/cli_8400/Content/QoS_cmds/wfq-que-xl-swi.htm
upvoted 4 times

  omen 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 2 times
Question #90 Topic 1

An administrator of a large campus network needs a solution that will provide root cause analytics to quickly identify problems so that they can
quickly be fixed.

Which AOS-CX switch feature should the administrator utilize to help with root cause analytics?

A. NAE

B. VoQ

C. NetEdit

D. VSX

Correct Answer: A

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 110 Study Guide:


Using NAE, intelligent AOS-CX switches provide a foundation for security, DevOps/operation automation, supportability, capacity planning, and
monitoring/root cause analysis.
[Aruba Networks]
upvoted 2 times

  omen 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
upvoted 1 times
Question #91 Topic 1

What is a best practice concerning voice traffic and dynamic segmentation on AOS-CX switches?

A. Controller authentication and user-based tunneling of the voice traffic

B. Switch authentication and user-based tunneling of the voice traffic

C. Controller authentication and port-based tunneling of the voice traffic

D. Switch authentication and local forwarding of the voice traffic

Correct Answer: C

Community vote distribution


D (88%) 13%

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 757 & 760 Study Guide:


Local switching is typically used when delay-sensitive traffic is involved between access-layer devices, like voice or video communications (VoIP
phones, for example) or a third-party firewall already exists in the network and the company wants to continue using the policy function of that
firewall.
[Aruba Networks]
Important: Currently, voice traffic must use local switching
[Aruba Networks]
upvoted 2 times

  alex711 11 months, 3 weeks ago


Selected Answer: D

D is correct.
(important!) voice traffic must use local switching. page 793
upvoted 1 times

  Rockford 1 year, 4 months ago


D is correct:
Tunnelling options related to dynamic segmentation
User-Based Tunnel (UBT) : each user is assigned their own role
Port-Based Tunnel (PBT) : each port (and all the devices connected to the same port) are assigned the same role (PBT is not currently supported in
AOS-CX 10.4 but there are plans to add it in a future release)
Switch-to-switch tunnelling: planned release in AOS-CX 10.5
None : Exempt certain traffic from tunnelling by performing local switching/forwarding (like voice, for example)
upvoted 2 times

  cpfan 1 year, 4 months ago


Selected Answer: D

CX does not support port-based tunneling


upvoted 2 times

  NetDon 1 year, 5 months ago


Selected Answer: D

Student Guide p. 757 ---> Voip should always be switched locally.


upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: D

Sorry, my answer is wrong... could be C because AOS-CX does not support Port-Based Tunneling... Should be D, I think.
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
ACSP Study Guide Page 783 - Locally switch traffic for delay-sensitive applications like voice or video
upvoted 1 times
Question #92 Topic 1

What is required when implementing captive portal on AOS-CX switches?

A. Certificate installed on the switch

B. Web server running on the switch

C. Device fingerprinting

D. AAA server

Correct Answer: D

Community vote distribution


D (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 942 Study Guide:


1. Configure RADIUS servers (ClearPass) and a server group. • As part of the authentication setup, make sure to specify ClearPass as the RADIUS
server. Configure the correct shared secret and enable dynamic authorization
[Aruba Networks]
upvoted 1 times

  d_nat 1 year, 3 months ago


Selected Answer: D

D is correct, given the "AAA Server" is a Clearpass.


https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=ce70cde8-c017-4540-b0d8-54a37bd6f14a
upvoted 3 times
Question #93 Topic 1

The AOS-CX mobile app allows a network engineer or technician to perform which tasks? (Choose two.)

A. Use NetEdit to manage switch configuration.

B. Create a stack of AOS-CX switches.

C. Transfer files between the switch and your mobile device.

D. Securely access the switch using SSH.

E. Schedule an operating system upgrade.

Correct Answer: CD

Community vote distribution


BC (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: BC

Page 93 Study Guide:


Create virtualized stack with just a few steps.
Transfer files between the switch and your mobile device.
[Aruba Networks]
upvoted 1 times

  d_nat 1 year, 4 months ago


Selected Answer: BC

As per study guide and omen's confirmation it is BC


upvoted 1 times

  E_Nick 1 year, 4 months ago


Selected Answer: BC

BC is correct
upvoted 1 times

  cpfan 1 year, 4 months ago


Selected Answer: BC

Create a stack of AOS-CX switches


upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: BC

Correct Answer: BC
B: I created more than 1K stacks with the mobile app, yes it's possible :)
C: ACSP Study Guide Page 66 - Key Features (Transfer files between the switch and your mobile device)
Interestingly, D is not entirely wrong either... It is possible to call up the CLI via the Mobile APP and thus plan an update.
upvoted 3 times
Question #94 Topic 1

An administrator implements interim accounting for guest users so that ClearPass can track the amount of bandwidth that guests upload and
download. Guests that abuse bandwidth consumption should be disconnected from the network. The administrator configures the following on
the AOS-CX access switches:

After performing this configuration, the administrator notices that guest users that have exceeded the guest bandwidth limit are not being
disconnected. Upon further investigation, Access Tracker in ClearPass indicates a disconnect CoA message is being sent to the AOS-CX switch.

What is causing this issue?

A. RADIUS change of authorization is not enabled on the AOS-CX switch.

B. Bandwidth consumption of the guests is not being reported by the AOS-CX switch.

C. NTP is not configured on the AOS-CX switch.

D. There is a time discrepancy between the AOS-CX switch and ClearPass.

Correct Answer: A

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago


Selected Answer: A

Page 675 Study Guide:


Enable acceptance of Change of Authorization (CoA) messages Aruba ClearPass can assess endpoints on an ongoing basis and change an
endpoint’s authentication status or settings. To make these changes, ClearPass sends disconnect messages (DMs) and CoA messages. For the
switch to accept these messages, you must enable dynamic authorization for the RADIUS globally on the switch, as shown in the figure. Without
this option, some solution components might work, but others will fail.
[Aruba Networks]
upvoted 2 times

  E_Nick 1 year, 4 months ago


Selected Answer: A

A is correct
upvoted 1 times
Question #95 Topic 1

A company is implementing AOS-CX switches at the access layer. The company wants to implement access control for employees and guests.

Which security features will require a ClearPass server to be installed and used by the company?

A. Downloadable user roles

B. Dynamic segmentation

C. User-based tunneling (UBT)

D. Change of authorization (CoA)

Correct Answer: B

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 775 Study Guide:


DUR Require ClearPass
upvoted 2 times

  slotblocker 8 months, 3 weeks ago


Downloadable user roles require Clearpass.

Answer: A
upvoted 1 times

  alex711 11 months, 3 weeks ago


B is correct. See the link
https://www.arubanetworks.com/techdocs/AOS-CX/10.08/HTML/fundamentals_4100i-6000-6100/Content/Chp_Dyn_Seg/dyn-seg-10.htm
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: A

A is correct
upvoted 1 times

  cpfan 1 year, 4 months ago

Selected Answer: A

Which security features will require a ClearPass server to be installed and used by the company
upvoted 2 times

  omen 1 year, 5 months ago


Selected Answer: A

A is correct.
B is not correct, the Dynamic Segmentation is a feature that includes DUR and LUR... DUR explicitly requires Clearpass, while LUR can be done by
third AAA solutions. C UBT is only there for how the traffic flow is... Local Switching or UBT.
upvoted 3 times
Question #96 Topic 1

An administrator will be implementing tunneling between AOS-CX switches and Aruba gateways. Which list of protocols must minimally be allowed by an intermediate firewall between two sets of devices?

A. IP protocol 50 and UDP 8209

B. UDP 4500 and IP protocol 47

C. UDP 8211 and IP protocol 47

D. UDP 4500 and UDP 8209

Correct Answer: B

Community vote distribution


C (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Pages 753 Study Guide


Enable GRE on IP protocol 47 and PAPI on UDP port 8211.
[Aruba Networks]
upvoted 1 times

  d_nat 1 year, 4 months ago

Selected Answer: C

C is correct: PAPI and GRE are used. See Implementing ArubaOS-CX Switching Rev 20.21, page 164
upvoted 3 times

  cpfan 1 year, 4 months ago

Selected Answer: C

- PAPI: UDP 8211 - GRE: Protocol 47


upvoted 2 times

  spillo3000 1 year, 4 months ago


C correct
upvoted 1 times

  spillo3000 1 year, 4 months ago


B must be minimal
IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPsec
upvoted 1 times

  ripcurl 2 months, 1 week ago


And what's that relation between minimal and IPsec that you are trying to uncover?
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
ACSP Study Guide Page 788 - Allow the following protocols/ports
- PAPI: UDP 8211
- GRE: Protocoll 47
upvoted 3 times
Question #97 Topic 1

In AOS-CX switching, what determines when a frame is forwarded by the switch between the ingress and the egress port?

A. Egress port

B. Ingress port

C. VSX switch tables

D. Fabric Load Balancer

Correct Answer: B

Community vote distribution


A (100%)

  LoneRaccoon 4 months, 2 weeks ago

Selected Answer: A

"Tx Drops shows the sum of packets that were dropped across all line modules (due to insufficient capacity) by the ingress Virtual Output Queues
(VOQs) destined for the egress port."

Page 25: https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7879.pdf


upvoted 1 times

  SeidorBruno 7 months, 2 weeks ago


Selected Answer: A

Page 45 Study Guide:


In a VOQ architecture, the egress side selects which traffic will cross the fabric.
[Aruba Networks]
upvoted 2 times

  Alialo 1 year, 3 months ago

Selected Answer: A

VoQ affects traffic traveling between the ingress and egress ports, and in a VOQ architecture, the egress side selects which traffic will cross the
fabric. So I think A is the answer
upvoted 2 times

  manrodman 1 year, 3 months ago

Selected Answer: A

In a VOQ architecture, the egress side selects which traffic will cross the fabric. In the 6400 Switch Series, this block is called the Traffic Regulator,
which sends small messages across the fabric to tell ingress VOQs how much they can send into the fabric
upvoted 2 times

  d_nat 1 year, 4 months ago


I thought my English is not bad. But I don't get this question
upvoted 3 times

  FlowRyan 1 year, 3 months ago


same for me :D
upvoted 1 times
Question #98 Topic 1

Which protocol should be configured to allow NetEdit to discover third-party devices?

A. SNMP

B. SSH

C. HTTPS

D. HTTP

Correct Answer: A

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 73 Study Guide:


NetEdit will now also discover and display 3rd party devices that are using standard SNMP MIB’s
[Aruba Networks]
upvoted 2 times

  d_nat 1 year, 3 months ago

Selected Answer: A

A is correct. For 3rd party devices, SNMP is used


upvoted 1 times

  devadarshan91730 1 year, 4 months ago


https://www.arubanetworks.com/assets/ds/DS_NetEdit.pdf
upvoted 1 times

  NetDon 1 year, 5 months ago

Selected Answer: A

NetEdit Datasheet: To provide further simplicity, NetEdit automatically discovers


new network infrastructure devices using the Link Layer
Discovery Protocol (LLDP), using REST APIs for Aruba CX switches
and SNMP for Aruba wireless and third-party devices
upvoted 2 times
Question #99 Topic 1

Examine the VSX-related configuration of the core layer AOS-CX switch:

A network administrator is troubleshooting a connectivity issue involving the VSX LAG (link aggregation) between the core and access layer switch, during HW replacement of one of the core switches.

Which configuration should the administrator add to the core switch to fix this issue?

A. ICX-Tx-Core1(config)# vsx ICX-Tx-Core1(config-vsx)# system-mac 02:01:00:00:01:00

B. ICX-Tx-Core1(config)# interface lag 1 multi-chassis ICX-Tx-Core1(config-if-lag-if)# mtu 9198

C. ICX-Tx-Core1(config)# interface 1/1/46-1/1/47 ICX-Tx-Core1(config-if-vlan)# active-gateway ip 10.1.11.1 mac 02:02:00:00:01:00

D. ICX-Tx-Core1(config)# interface 1/1/45 ICX-Tx-Core1(config-if-vlan)# active-gateway ip 192.168.0.0 mac 02:02:00:00:01:00

Correct Answer: D

Community vote distribution


A (100%)

  omen Highly Voted  1 year, 5 months ago

Selected Answer: A

Difficult question, don't see a suitable answer at the moment, therefore exclusion procedure.
D: 1/1/45 is for the KeepAlive, which is connected to the secondary peer. So no.
C: What is this configuration for anyway? First switch to Int-Range 1/1/46-1/1/47, then switch to an L3 interface and set an Active Gateway there? In
addition, the MAC address 12:02:00:00:XX:0Y is recommended for the Active Gateway. So also no
D: Makes as little sense as C. Therefore also no, otherwise answer A remains...
upvoted 6 times

  SeidorBruno Most Recent  7 months, 2 weeks ago

Selected Answer: A

Page 191 Study Guide:


One of the main VSX best practices is to set VSX system-mac. Do not leave it blank so the default system-mac is used. You want the VSX system-mac
to be independent from the physical hardware MAC address. Thus, hardware replacement on the VSX primary switch will not affect your
configuration, and so has no impact on the VSX secondary because the cluster ID remains unchanged
[Aruba Networks]
upvoted 3 times

  MaxAMG45 8 months, 4 weeks ago


Lab04 - VSX best practice guidelines:
• On the VSX primary switch, set the system-mac manually. This will ensure that in
case this switch needs to be replaced due to hardware failure, the new switch
can be configured with the same system-mac as the original switch. By default,
the hardware system MAC is used, which would result in a different system MAC
address after a hardware change.
upvoted 1 times

  Alialo 1 year, 3 months ago


Selected Answer: A

I think the key issue is LAG256 has not been added to 1/1/46-1/1/47!
here perhaps they want to ask the best practice for hardware change, to set the system-mac manually on the VSX primary switch...

have to choose A...


upvoted 1 times

  Bar_x 1 year, 3 months ago


Did anyone notice ports 46,47 are not joined to LAG 256 and that could be the main issue?
all answers seem wrong for this question
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: A

A is correct
upvoted 1 times

  cjoseph 1 year, 4 months ago


Correct answer: A

Can't be D as the gateway specified belongs to KA network


upvoted 2 times

  Seegurke9 1 year, 4 months ago


A has to be right. "One of the main VSX best practices is to set the VSX system-mac and not leave it blank with default HW system-mac being
used"
upvoted 3 times
Question #100 Topic 1

The company has just upgraded their access layer switches with AOS-CX switches and implemented an AAA solution with ClearPass. The company has become concerned about what actually connects to the user ports on the access layer switch. Therefore, the company is implementing 802.1X authentication on the AOS-CX switches. An administrator has globally enabled 802.1X, and has enabled it on all the access ports connected to user devices, including VoIP phones, security cameras, and wireless Aruba IAPs. Wireless users are complaining that they successfully authenticate to the IAPs; however, they do not have access to network resources. Previously, this worked before 802.1X was implemented on the AOS-CX switches.

What should the company do to solve this problem?

A. Implement device-based mode on the IAP-connected AOS-CX switch ports.

B. Implement local user roles and local forwarding on the AOS-CX switches.

C. Implement downloadable user roles and user-based tunneling (UBT) on the AOS-CX switches.

D. Implement AAA RADIUS change of authorization on the AOS-CX switches.

Correct Answer: C

Community vote distribution


A (71%) C (29%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 690 Study Guide


upvoted 2 times

  alex711 11 months, 3 weeks ago

Selected Answer: A

A is correct.
page 759
upvoted 3 times

  Alialo 1 year, 3 months ago


Selected Answer: A

Answer is A.
C is not correct, because customer doesn't have MC, only has IAP.

Here is the detailed explanation from SG:


The IAP itself is responsible to handle the authentication, so it would perform 802.1X authentication with the wireless clients. But then the traffic is
forwarded as regular traffic on the switch port, so the switch would also attempt to perform authentication of this client. Since the 802.1X traffic of
the client is terminated at the IAP, the switch would attempt to perform MAC authentication for the client MAC address. This is unnecessary and
confusing, since ClearPass would see the same MAC address as 802.1X authenticated on the IAP, and MAC-authenticated on the switch port. For
this scenario, the switch can be set to ‘port-based’ authentication; that is, device mode.
upvoted 3 times

  MrBB 1 year, 3 months ago

Selected Answer: C

You have clearpass so.. UBT and DUR are configurable.


upvoted 1 times

  E_Nick 1 year, 3 months ago

Selected Answer: C

C is the correct answer


upvoted 1 times

  Jo2241 1 year, 4 months ago

Selected Answer: A

Answer A: Device mode = AP authentication and all the clients don't need to authenticate anymore
upvoted 1 times

  Rockford 1 year, 4 months ago


C

A is a security concern
B LUR is task intensive
D must already be configured as APs, phones, cameras are already working.
upvoted 2 times

  cpfan 1 year, 4 months ago

Selected Answer: A

Should use device profile


upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: C

I think its C
upvoted 2 times

Question #101 Topic 1

How does an administrator install a script and create an agent and actions for the Network Analysis Engine running on AOS-CX switches?

A. Access the switches' command-line interface.

B. Access the switches' web user interface

C. Use Aruba Central's web user interface

D. Use the NetEdit web user interface

Correct Answer: B

Community vote distribution


B (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

Page 122 Study Guide:


Use the AOS-CX Web UI to access information for NAE agents, scripts, and alerts.
[Aruba Networks]
upvoted 2 times

  Max69 9 months, 2 weeks ago

Selected Answer: B

B : the switches' web user interface


upvoted 1 times

  E_Nick 1 year, 4 months ago


Selected Answer: B

Correct Answer: B
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
upvoted 2 times
Question #102 Topic 1

When cutting and pasting configurations into NetEdit, which character is used to enter commands within the context of the previous command?

A. Space

B. Tab

C. ‫>ג‬€‫ג‬€

D. <ESC>

Correct Answer: D

Community vote distribution


A (89%) 11%

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 31 Lab Guide:


The <SPACE> is important here to tell NetEdit that the next command is not a global
command, but should be under the interface context. A switch CLI would put you in
the 'interface' context, while in the NetEdit CLI you are still at the 'global' level.
upvoted 3 times

  E_Nick 1 year, 4 months ago


Selected Answer: A

Lab Guide: IMPORTANT:


The <SPACE> is important here to tell NetEdit that the next command is not a global command, but should be under the interface context.
upvoted 1 times

  NetDon 1 year, 5 months ago

Selected Answer: A

Lab Guide: IMPORTANT:


The <SPACE> is important here to tell NetEdit that the next command is not a global command, but should be under the interface context.
upvoted 4 times

  Rockford 1 year, 4 months ago


Answer B
Full text out of the lab guide:
IMPORTANT:
The <SPACE> is important here to tell NetEdit that the next command is not a global
command, but should be under the interface context. A switch CLI would put you in
the 'interface' context, while in the NetEdit CLI you are still at the 'global' level.
upvoted 1 times

  Rockford 1 year, 3 months ago


I meant A
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: C

Exclusion procedure :)
A: Space shows the available options for the command.
B: does not work and no information available in the study guide
C: not sure what these hieroglyphs mean, I guess "Enter" --> Enter the Command and use <Enter> to submit the command
D: ESC certainly a good idea, but doesn't really work and there's nothing in the study guide about it that....
My answer is C
upvoted 1 times
Question #103 Topic 1

A company has recently purchased a ClearPass AAA solution. Their network consists of AOS-CX switches at the access layer. The company is implementing a rollout of IoT devices for smart building management to control the lighting and HVAC systems. The network administrator is concerned about allowing secure access to these devices since they only support MAC-Auth.

Which ClearPass feature should the administrator leverage to help determine that MAC address spoofing is not occurring for this group of devices?

A. User-based tunneling

B. Device fingerprinting

C. RADIUS change of authorization

D. Downloadable user roles

Correct Answer: A

Community vote distribution


B (75%) 13% 13%

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

Pages 651 & 652 Study Guide:


To improve overall security with MAC Authentication, use ACLs to strictly limit what devices can access. You can also use device fingerprinting to
examine device protocol information, like DHCP and HTTP payload information. Then use this information to identify additional information about
the device, like the product, operating system, and other information.
[Aruba Networks]
upvoted 2 times

  MaxAMG45 8 months, 3 weeks ago


B is correct, p651-652 of SG
"To improve overall security, add ACL and/or fingerprint to exam device info..."
upvoted 3 times

  alex711 11 months, 3 weeks ago

Selected Answer: A

I think it is A. See the following link.

https://www.arubanetworks.com/techdocs/AOS-CX/10.08/HTML/security_6200-6300-6400/Content/Chp_Dev_fngprnt/abo-dev-fngprnt.htm
upvoted 1 times

  sirtack 1 year, 2 months ago

Selected Answer: B

https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=26855
This leans to device fingerprinting so B
upvoted 2 times

  Alialo 1 year, 3 months ago

Selected Answer: D

I would choose D, the challenge is to avoid MAC address spoofing, I think Device fingerprinting is not enough.
A is for Dynamic Segmentation, here they don't have gateway.
Refer to:
-Downloadable User Role configuration in Aruba OS CX with mac-authentication
https://community.arubanetworks.com/blogs/esupport1/2020/04/29/downloadable-user-role-configuration-in-aruba-os-cx-with-mac-authentication

  cpfan 1 year, 4 months ago

Selected Answer: B

Device Fingerprint to identify the Device type


upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times
Question #104 Topic 1

A network administrator sets up two aggregation layer AOS-CX switches in a VSX pair. The switches have layer-2 VSX LAGS to access layer switches. The VSX pair has IGMP configured on the layer-3 VLAN interfaces serving the access layer switches.

What is correct regarding how the VSX pair will interact with multicast traffic and messages?

A. IGMP snooping must be disabled on the ISL interface to ensure correct multicast traffic forwarding.

B. Forwarding and pruning of multicast traffic is based on a shared IGMP group database.

C. Join and leave messages are always forwarded across the ISL link between the VSX aggregate switches.

D. If one of the VSX switches reboots, the IGMP group database is automatically synchronized between the two switches.

Correct Answer: A

Community vote distribution


C (85%) B (15%)

  E_Nick Highly Voted  1 year, 4 months ago

Selected Answer: C

Each VSX node individually learns any JOIN/LEAVE message received from a downstream VSX LAG. For example: Agg-1 learns on downlink from
SW1, whereas Agg-2 learns on the ISL as the ISL is always included as a forwarding port for IGMP, as shown in the following figure.
upvoted 5 times

  SeidorBruno Most Recent  7 months, 2 weeks ago

Selected Answer: C

Page 569 Study Guide:


Both switches hear JOIN/LEAVE messages they receive from the downstream VSX LAGs because the ISL is always included as a forwarding port for
IGMP.
[Aruba Networks]
upvoted 2 times

  karlkurt 1 year, 3 months ago

Selected Answer: C

ISL is always included as a forwarding port for IGMP


upvoted 3 times

  devadarshan91730 1 year, 4 months ago


Not B : Multicast traffic to these IGMP groups is pruned/forwarded based on the INDIVIDUAL IGMP group database on each VSX node
https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-7888.pdf
Answer is C
Each VSX node individually learns any JOIN/LEAVE message received from a downstream VSX LAG. For
example: Agg-1 learns on downlink from SW1, whereas Agg-2 learns on the ISL as the ISL is always
included as a forwarding port for IGMP, as shown in the following figure.
upvoted 3 times

  cpfan 1 year, 4 months ago

Selected Answer: C

Should be C not B typo


upvoted 1 times

  cpfan 1 year, 4 months ago

Selected Answer: B

IGMP snooping
VSX switches can be configured for IGMP snooping on downstream VLANs facing the access switches. When enabled, the IGMP group database is
independently constructed on each VSX switch. Multicast traffic to these groups is appropriately pruned/optimized.
Each VSX switch has an identical IGMP group database:
Each VSX node individually learns any JOIN/LEAVE message received from a downstream VSX LAG. For example: Agg-1 learns on downlink from
SW1, whereas Agg-2 learns on the ISL as the ISL is always included as a forwarding port for IGMP, as shown in the following figure.
The VSX IGMP process translates the received IGMP from the ISL into an IGMP join message from the VSX LAG.
Multicast traffic to these IGMP groups is pruned/forwarded based on the individual IGMP group database on each VSX node. ISLP does not
synchronize IGMP groups between VSX peers. The IGMP database construction is a data-plane based process.
If a VSX node reboots, it must relearn all the IGMP groups. The VSX switch floods multicast traffic within the VLANs that have active physical ports
being forwarded. It then sends an All Hosts Query message. When the VSX node receives all join messages, it relearns and recreates the IGMP
groups database.
upvoted 2 times

  spillo3000 1 year, 4 months ago


Correct B
upvoted 1 times

  spillo3000 1 year, 4 months ago


Each VSX node individually learns any JOIN/LEAVE message received from a downstream VSX LAG. For example: Agg-1 learns on downlink from
SW1, whereas Agg-2 learns on the ISL as the ISL is always included as a forwarding port
upvoted 2 times
Question #105 Topic 1

Examine the network exhibit.

Examine Router 4's partial OSPF configuration:

router ospf 1
    area 0
    exit
interface vlan 100
    ip ospf area 0
    exit
interface vlan 40
    ip ospf area 0
    exit
interface 1/1/1
    vlan access 100
    mtu 9000
    ip ospf hello-interval 1
    ip ospf dead-interval 4
    ip ospf authentication simple-text
    ip ospf authentication-key key 123

When executing the "show ip ospf neighbors" command, Router 4 is in a FULL state with Router 3 and Router 2, but a 2-WAY state with Router 1.

What is causing the 2-WAY state with Router 1?

A. The timers on interface 1/1/1 is mismatched with Router 1's VLAN 100 interface

B. Router 4 and Router 1 are acting as a DROTHER

C. Router 1 and Router 3 have a mismatched authentication key

D. The MTU size on interface 1/1/1 is mismatched with Router 1's VLAN 100 interface

Correct Answer: A

Community vote distribution


B (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B
Page 340 Study Guide:
The DR and BDR form a Full adjacency with all other routers. Or you could say that all DROTHER routers form a full adjacency with the DR and BDR.
DROTHER routers only reach the 2WAY state between each other.
[Aruba Networks]
upvoted 3 times

  Redrum702 8 months, 2 weeks ago


A: During the 2-way state, OSPF routers exchange Hello packets and verify that they have bidirectional communication with each other. This state
confirms that both routers are on the same subnet, have compatible OSPF parameters, and can establish a neighbor relationship.
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: B

There is only a DR/BDR, so only two will be FULL


upvoted 1 times

  spillo3000 1 year, 4 months ago


correct B - dr/bdr + drother 2-way is router 1
upvoted 1 times
Question #106 Topic 1

What would prevent two OSPF routers from forming an adjacency? (Choose two.)

A. Different priorities

B. Different MTU sizes

C. Different area types

D. Different router IDs

E. Different IP addresses

Correct Answer: DE

Community vote distribution


BC (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: BC

Page 337 Study Guide


upvoted 2 times

  Max69 9 months, 2 weeks ago

Selected Answer: BC

Correct Answer: BC
upvoted 2 times

  JonBabi 1 year ago


Are the people who made this site even trying to answer these questions correctly? What is going on? Seems like every other question is incorrect,
thank God for this forum.
upvoted 3 times

  slotblocker 8 months, 3 weeks ago


They just take an exam from another provider, together with the answers..
upvoted 1 times

  yourVictoria 1 year, 2 months ago


Correct B,C:
From Aruba book - OSPF match requirements:
Same area number and type;
Same authentication configuration;
Same subnet;
Same hello and dead interval timers;
Network type : broadcast vs point-to-point;
Interface MTU size
upvoted 1 times

  cjoseph 1 year, 4 months ago

Selected Answer: BC

Answer B&C
upvoted 2 times

  cjoseph 1 year, 4 months ago


Same Area, type, auth, subnet, hello/dead intervals , network type and MTU size are required to become neighbors.
upvoted 2 times

  E_Nick 1 year, 4 months ago

Selected Answer: BC

B. Different MTU sizes


C. Different area types
upvoted 1 times

  omen 1 year, 5 months ago

Selected Answer: BC

Correct Answer: BC
upvoted 3 times

  omen 1 year, 5 months ago


Correct Answer: BC
upvoted 2 times
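
An added example (not from the exam, the study guide or Aruba) that models the checks discussed under Questions #105 and #106: the parameters compared when Hello packets arrive, the interface MTU compared later in Database Description packets, and a simplified DR/BDR election where all routers start together. Router names, router IDs, addresses and priorities are constructed; the timers, MTU and authentication values are the ones in the Question #105 configuration, and network type is not modelled.

```python
"""Predict the OSPF neighbor state between routers on one broadcast segment."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_interface


@dataclass(frozen=True)
class OspfInterface:
    router: str                 # label only (constructed)
    router_id: str
    address: str                # interface address with prefix length
    area: str = "0.0.0.0"
    area_type: str = "normal"   # normal | stub | nssa
    hello: int = 10
    dead: int = 40
    auth: tuple = ("none", "")  # (method, key)
    mtu: int = 1500
    priority: int = 1


def hello_mismatches(a, b):
    """Parameters that must agree before two routers even list each other."""
    problems = []
    if a.router_id == b.router_id:
        problems.append("duplicate router-id")
    if a.area != b.area:
        problems.append("area")
    if a.area_type != b.area_type:
        problems.append("area-type")
    if ip_interface(a.address).network != ip_interface(b.address).network:
        problems.append("subnet")
    if a.hello != b.hello:
        problems.append("hello-interval")
    if a.dead != b.dead:
        problems.append("dead-interval")
    if a.auth != b.auth:
        problems.append("authentication")
    return problems


def elect(segment):
    """Simplified election: highest priority wins, router ID breaks ties,
    priority 0 is ineligible. Assumes every router came up at the same time."""
    eligible = [i for i in segment if i.priority > 0]
    ranked = sorted(
        eligible,
        key=lambda i: (i.priority, int(IPv4Address(i.router_id))),
        reverse=True,
    )
    names = [i.router for i in ranked[:2]]
    return tuple((names + [None, None])[:2])   # (DR, BDR)


def neighbor_state(a, b, segment):
    if hello_mismatches(a, b):
        return "NO NEIGHBOR"        # Hellos are discarded
    if not {a.router, b.router} & set(elect(segment)):
        return "2-WAY"              # two DROTHERs never synchronise databases
    if a.mtu != b.mtu:
        return "EXSTART"            # database exchange cannot start
    return "FULL"


def states_seen_by(name, segment):
    me = next(i for i in segment if i.router == name)
    return {i.router: neighbor_state(me, i, segment)
            for i in segment if i.router != name}


# Values taken from the Question #105 configuration.
COMMON = dict(hello=1, dead=4, auth=("simple-text", "123"), mtu=9000)
# Constructed segment: R2 and R3 carry the higher priorities.
SEGMENT = [
    OspfInterface("R1", "10.0.0.1", "10.1.100.1/24", **COMMON),
    OspfInterface("R2", "10.0.0.2", "10.1.100.2/24", priority=200, **COMMON),
    OspfInterface("R3", "10.0.0.3", "10.1.100.3/24", priority=100, **COMMON),
    OspfInterface("R4", "10.0.0.4", "10.1.100.4/24", **COMMON),
]

if __name__ == "__main__":
    print("healthy segment :", states_seen_by("R4", SEGMENT))
    bad_timers = [replace(SEGMENT[0], hello=10, dead=40)] + SEGMENT[1:]
    print("R1 timers differ:", states_seen_by("R4", bad_timers))
    bad_mtu = [SEGMENT[0], replace(SEGMENT[1], mtu=1500)] + SEGMENT[2:]
    print("R2 MTU differs  :", states_seen_by("R4", bad_mtu))
```

With consistent settings Router 4 shows FULL towards the DR and BDR and 2-WAY towards the other DROTHER; a timer mismatch removes the neighbor entirely and an MTU mismatch stalls before FULL, so neither produces a stable 2-WAY entry.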

Question #107 Topic 1

A network administrator is tasked to set up BGP in the company's network. The administrator is defining an eBGP peering between an AOS-CX switch and a directly-connected service provider. The administrator has configured the following on the AOS-CX switch:

However, when using the "show bgp all summary" command, the state does not display "Established" for the eBGP peer. What must the administrator configure to fix this issue?

A. router bgp 64500 neighbor 192.168.1.1 ebgp-multihop

B. router bgp 64500 enable

C. router bgp 64500 address-family ipv4 unicast neighbor 192.168.1.1 activate

D. router bgp 64500 neighbor 192.168.1.1 update-source loopback0

Correct Answer: C

Community vote distribution


C (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 462 Study Guide


upvoted 2 times

  E_Nick 1 year, 4 months ago

Selected Answer: C

C. router bgp 64500 address-family ipv4 unicast neighbor 192.168.1.1 activate


upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: C

Correct Answer: C ACSP Study Guide Page 538 eBGP Peering to ISP
upvoted 1 times
Question #108 Topic 1

A company has an existing wireless solution involving Aruba APs and Aruba gateway. The solution leverages a third-party AAA solution. The company is replacing existing access switches with AOS-CX 6300 and 6400 switches. The company wants to leverage the same security and firewall policies for both wired and wireless traffic.

Which solution should the company implement?

A. IPSec

B. User-based tunneling

C. RADIUS dynamic authorization

D. Downloadable user roles

Correct Answer: B

Community vote distribution


B (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: B

Page 747 Study Guide:


Tunneled-node provides tighter and simpler unification of wired and wireless access.
[Aruba Networks]
upvoted 1 times

  E_Nick 1 year, 4 months ago

Selected Answer: B

B is right, UBT can use LUR with 3rd party AAA, only UBT with DUR requires clearpass
upvoted 1 times

  Rockford 1 year, 4 months ago


B is right, UBT can use LUR with 3rd party AAA, only UBT with DUR requires clearpass
upvoted 1 times

  Rockford 1 year, 4 months ago


With UBT, the switch tunnels authenticated user traffic to an Aruba MC, to be processed by security policies. Advantages over local switching
include: Centralized security policies for both wired and/or wired traffic: users have a consistent experience whether they connect via wired
Ethernet or Wi-Fi.
upvoted 2 times

  spillo3000 1 year, 4 months ago


C - CoA, for UBT need clearpass
upvoted 1 times
Question #109 Topic 1

MAC authentication is enabled on port 1/1/27 of an AOS-CX switch. The following MAC addresses are defined on the AAA server:

* 88:3a:30:97:b6:00

* 00:50:56:b1:fc:9b

Examine the AOS-CX switch output:

Based on this information, what is true concerning port 1/1/27?

A. Device-mode is enabled with a client limit of 1.

B. Device-mode is enabled with a client limit of 2.

C. Client-mode is enabled with a client limit of 1.

D. Client-mode is enabled with a client limit of 2.

Correct Answer: D

Community vote distribution


C (100%)

  Espeto 6 months ago


Answer : C
upvoted 1 times

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 693 Study Guide


upvoted 2 times

  cpfan 1 year, 4 months ago

Selected Answer: C

denied on the second client


upvoted 2 times

  spillo3000 1 year, 4 months ago


C - denied on the second client
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
ACSP Study Guide Page 749 and https://www.arubanetworks.com/techdocs/AOS-CX/AOSCX-CLI-Bank/cli_6300-6400/Content/Chp_Port_acc/Port_acc_rol_cmds/aut-mod-fl-10.htm

client-mode = Selects client mode. In this mode, all clients connecting to the port are sent for authentication.
device-mode = Selects device mode. In this mode, only the first client connecting to the port is sent for authentication. Once this client is
authenticated, the port is considered as open and all subsequent clients trying to connect on that port are not sent for authentication.
upvoted 4 times
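
An added example (not from the exam or from Aruba) that replays the two MAC addresses from Question #109 through the client-mode and device-mode definitions quoted above. It assumes the client limit counts authenticated sessions and applies only in client-mode, and the unknown MAC address is constructed.

```python
"""Model of the two port-access auth-modes as described on this page."""

AUTHENTICATED = "authenticated"
REJECTED = "rejected by AAA"
LIMIT = "denied, client limit reached"
OPEN_PORT = "forwarded, not sent for authentication"

# MAC addresses defined on the AAA server in Question #109.
AAA_MACS = {"88:3a:30:97:b6:00", "00:50:56:b1:fc:9b"}
# Constructed address that the AAA server does not know.
UNKNOWN_MAC = "02:00:00:00:00:99"


def simulate_port(auth_mode, client_limit, aaa_macs, arrivals):
    """Return [(mac, outcome), ...] for clients appearing on one port in order."""
    if auth_mode not in ("client-mode", "device-mode"):
        raise ValueError(f"unknown auth-mode: {auth_mode}")
    known = {m.lower() for m in aaa_macs}
    sessions = []        # MACs holding an authenticated session
    port_open = False    # device-mode: set once the first client authenticates
    results = []
    for mac in (m.lower() for m in arrivals):
        if auth_mode == "device-mode" and port_open:
            # Later clients ride on the first client's authentication.
            results.append((mac, OPEN_PORT))
        elif auth_mode == "client-mode" and len(sessions) >= client_limit:
            # Assumption: the limit is enforced before the AAA server is asked.
            results.append((mac, LIMIT))
        elif mac in known:
            sessions.append(mac)
            port_open = True
            results.append((mac, AUTHENTICATED))
        else:
            results.append((mac, REJECTED))
    return results


if __name__ == "__main__":
    both = ["88:3a:30:97:b6:00", "00:50:56:b1:fc:9b"]
    for mode, limit, arrivals in [
        ("client-mode", 1, both),
        ("client-mode", 2, both),
        ("device-mode", 1, both),
        ("client-mode", 2, [both[0], UNKNOWN_MAC]),
        ("device-mode", 1, [both[0], UNKNOWN_MAC]),
    ]:
        print(mode, "limit", limit)
        for mac, outcome in simulate_port(mode, limit, AAA_MACS, arrivals):
            print("   ", mac, "->", outcome)
```

Only client-mode with a limit of 1 authenticates the first address and denies the second one, and only device-mode forwards the unknown address without consulting the AAA server.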
Question #110 Topic 1

What is the purpose of the transit VLAN when implementing dynamic segmentation policies involving AOS-CX switches and an Aruba gateway solution?

A. It identifies the VLAN that the switch will use when tunneling the traffic to the gateway.

B. It identifies the VLAN that the user traffic will be assigned to, whether the traffic is tunneled or locally switched.

C. It defines the VXLAN identifier to identified UBT traffic between the AOS-CX switches and the gateway solution.

D. It identifies the VLAN that the user traffic will be assigned to when it comes out of the tunnel and is forwarded by the gateway.

Correct Answer: C

Community vote distribution


A (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: A

Page 771 Study Guide:


Remember that the transit VLAN is what the switch will use when tunneling the user traffic to an MC (if the switch is not performing switching of
the traffic).
[Aruba Networks]
upvoted 4 times

  cpfan 1 year, 4 months ago


Selected Answer: A

The transit VLAN is what the switch will use when tunneling the
user traffic to an MC (if the switch is not performing switching of the traffic).
upvoted 1 times

  NetDon 1 year, 5 months ago

Selected Answer: A

Student guide page 771


upvoted 1 times
Question #111 Topic 1

What is true regarding VSX and keepalives on AOS-CX switches?

A. A separate VLAN on the ISL link is used.

B. A VSX LAG for the keepalives is a best practice.

C. The OOBM port must be used.

D. A 1GbE or faster port is used.

Correct Answer: D

Community vote distribution


D (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 193 Study Guide:


The best practice for the Keepalive connection is to use a direct L3 circuit, which can be a low speed port (1G transceiver is enough, 1GBASE-T
works as well) between both VSX nodes.
[Aruba Networks]
upvoted 3 times

  E_Nick 1 year, 4 months ago


Selected Answer: D

Correct Answer: D
upvoted 1 times

  Rockford 1 year, 4 months ago


agree with omen: D
Keepalive Link
The best practice for the Keepalive connection is to use a direct L3 circuit, which can be a low speed port (1G transceiver is enough, 1GBASE-T
works as well) between both VSX nodes. This circuit need not be directly connected and the path can include active L2 and L3 equipment.
upvoted 3 times

  omen 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 1 times
Question #112 Topic 1

An administrator is designing an access layer solution in a data center. A key requirement is to dual-home mission-critical server connections to two different switches, ensuring that the servers always have network access, even during switch software upgrades. This feature should support strictly-controlled provisioning.

What would best meet the administrator's needs when deploying AOS-CX switches?

A. VSF

B. Dynamic segmentation

C. VSX

D. NAE

Correct Answer: C

Community vote distribution


C (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: C

Page 174 Study Guide:


VSX maintains the AOS-CX default behavior - ports are disabled and operate at Layer 3. Finally, VSX delivers high availability during software
upgrades, with near zero downtime and continuous packet forwarding.
[Aruba Networks]
upvoted 1 times

  d_nat 1 year, 3 months ago


Selected Answer: C

C is correct
upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
upvoted 2 times
Question #113 Topic 1

A customer has twenty AOS-CX switches that will be managed by NetEdit and would like support for NetEdit. These switches will exist in the network for at least five years.

Which type of licensing should be used by this customer?

A. 1 Aruba NetEdit SMB License

B. 20 Aruba NetEdit permanent licenses

C. 25 Aruba NetEdit permanent licenses

D. 20 Aruba NetEdit single node subscription licenses

Correct Answer: C

Community vote distribution


D (100%)

  SeidorBruno 7 months, 2 weeks ago

Selected Answer: D

Page 70 Study Guide:


NetEdit is currently available on a trial basis for up to 25 nodes. There are also licensing options for one-year and three-year subscriptions for
nodes 26 and upwards.
[Aruba Networks]
upvoted 1 times

  d_nat 1 year, 4 months ago


Selected Answer: D

Implementing ArubaOS-CX Switching Rev 20.21, page 75: per node, 1 or 3 years subscription
upvoted 1 times

  cjoseph 1 year, 4 months ago


Selected Answer: D

Answer is D.

Licenses are purchased per single node basis of 1Y or 3Y.


upvoted 1 times

  omen 1 year, 5 months ago


Selected Answer: D

Correct Answer: D
C is not possible that this licence is only available as a trial licence and not as a permanent licence. ACSP Study Guide Page 46
upvoted 2 times
Question #114 Topic 1

A company has a third-party AAA server solution. The campus access layer was just upgraded to AOS-CX switches that perform access control with MAC-Auth and 802.1X. The company has an Aruba gateway solution for wireless, and they want to leverage the firewall policies on the controllers for the wired traffic.

What is correct about how the company should implement a security solution where the wired traffic is processed by the gateways?

A. Implement standards-based RADIUS VSAs to pass policy information directly to the AOS-CX switches and gateways.

B. Implement downloadable user roles with a gateway role defined on the AOS-CX switches.

C. Implement downloadable user roles with a device role defined on the AOS-CX switches and gateways.

D. Implement local user roles with a gateway role defined on the AOS-CX switches.

Correct Answer: C

Community vote distribution


D (100%)

  omen Highly Voted  1 year, 5 months ago

Selected Answer: D

D is correct. DUR is only possible with Clearpass, but the customer has a third-party AAA server
upvoted 6 times

  SeidorBruno Most Recent  7 months, 2 weeks ago

Selected Answer: D

Page 751 Study Guide:


For example, the MC might apply MAC Auth or 802.1X — or some combination. After successful authentication, the controller applies a role to the
traffic. Based on that role, it controls traffic with firewall policies and other policy actions. Finally, it forwards the packet towards its destination.
[Aruba Networks]
upvoted 2 times

  d_nat 1 year, 4 months ago


Selected Answer: D

I go with D, too. DUR is only a thing with Clearpass


upvoted 3 times
