Question No : 1
Which feature supported by SNMPv3 provides an advantage over SNMPv2c?

• A.Transport mapping
• B.Community strings
• C.GetBulk
• D.Encryption

Show Answers

Answer:
Explanation:
Encryption is a feature supported by SNMPv3 that provides an advantage over SNMPv2c. Encryption protects the confidentiality and integrity of SNMP messages by encrypting them with a secret key.
SNMPv2c does not support encryption and relies on community strings for authentication and authorization, which are transmitted in clear text and can be easily intercepted or spoofed. Transport mapping, community strings, and GetBulk are features that are common to both SNMPv2c and SNMPv3.
References:
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/snmp/snmp.htm
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/snmp/snmpv3.htm

Question No : 2
A customer is using a legacy application that communicates at layer-2. The customer would like to keep this application working across the campus which is connected via layer-3. The legacy devices are connected to Aruba CX 6300 switches throughout the campus.
Which technology minimizes flooding so the legacy application can work efficiently?

• A.Generic Routing Encapsulation (GRE)
• B.EVPN-VXLAN
• C.Ethernet over IP (EolP)
• D.Static VXLAN

Show Answers

Answer:
Explanation:
EVPN-VXLAN is a technology that allows layer-2 communication across layer-3 networks by using Ethernet VPN (EVPN) as a control plane and Virtual Extensible LAN (VXLAN) as a data plane3. EVPN-VXLAN can be used to support legacy applications that communicate at layer-2 across different campuses or data centers that are connected via layer-3. EVPN-VXLAN minimizes flooding by using BGP to distribute MAC addresses and IP addresses of hosts across different VXLAN segments3. EVPN-VXLAN also provides benefits such as loop prevention, load balancing, mobility, and scalability3.
References: https://www.arubanetworks.com/assets/tg/TG_EVPN_VXLAN.pdf

Question No : 3
You are configuring Policy Based Routing (PBR) for a subnet that will be used to test a new default route for your network Traffic originating from 10.2.250.0/24 should use a new default route to 10.1.1.253. Other non-default routes for this subnet should not be affected by this change.
What are two parts of the solution for these requirements? (Select two.)
A)



B)



C)



D)



E)

• A.Option A
• B.Option B
• C.Option C
• D.Option D
• E.Option E

Show Answers

Answer:
Explanation:
These are the correct parts of the solution for the requirements of configuring Policy Based Routing (PBR) for a subnet that will be used to test a new default route for your network. Option A defines a PBR policy named test-default-route with a rule named new-default-route that matches traffic from source IP address 10.2.250.0/24 and sets the next hop IP address to 10.1.1.253. Option E applies the PBR policy to VLAN 10 interface, which is the subnet that needs to use the new default route. The other options are incorrect because they either do not match the correct traffic or do not set the correct next hop.
References:
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch02.html
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch03.html

Question No : 4
In an ArubaOS 10 architecture using an AP and a gateway, what happens when a client attempts to join the network and the WLAN is configured with OWE?

• A.Authentication information is not exchanged
• B.The Gateway will not respond.
• C.No encryption is applied.
• D.RADIUS protocol is utilized.

Show Answers

Answer:
Explanation:
This is the correct statement about what happens when a client attempts to join the network and the WLAN is configured with OWE (Opportunistic Wireless Encryption). OWE is a standard that provides encryption for open networks without requiring any authentication or credentials from the client or the network. OWE uses a Diffie-Hellman key exchange mechanism to establish a secure session between the client and the AP without exchanging any authentication information. The other options are incorrect because they either describe scenarios that require authentication or encryption methods that are not used by OWE.
References:
https://www.arubanetworks.com/assets/wp/WP_WiFi6.pdf
https://www.arubanetworks.com/assets/ds/DS_AP510Series.pdf

Question No : 5
Which Aruba AP mode is sending captured RF data to Aruba Central for waterfall plot?

• A.Hybrid Mode
• B.Air Monitor
• C.Spectrum Monitor
• D.Dual Mode

Show Answers

Answer:
Explanation:
Spectrum Monitor is an Aruba AP mode that is sending captured RF data to Aruba Central for waterfall plot.
Spectrum Monitor is a mode that allows an AP to scan all channels in both 2.4 GHz and 5 GHz bands and collect information about the RF environment, such as interference sources, noise floor, channel utilization, etc. The AP then sends this data to Aruba Central, which is a cloud-based network management platform that can display the data in various formats, including waterfall plot. Waterfall plot is a graphical representation of the RF spectrum over time, showing the frequency, amplitude, and duration of RF signals. The other options are incorrect because they are either not AP modes or not sending RF data to Aruba Central.
References:
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/1-overview/spect
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/1-overview/water
https://www.arubanetworks.com/products/network-management-operations/aruba-central/

Question No : 6
What is an Aruba-recommended best practice for hardening that only applies to Aruba CX 6300 series switches with dedicated management ports?

• A.Implement a control plane ACL to limit access to approved IPs and/or subnets
• B.Manually enable Enhanced Security Mode from a console session.
• C.Disable all management services on the default VR
• D.Create a dedicated management VRF, and assign the management port to it.

Show Answers

Answer:
Explanation:
This is an Aruba-recommended best practice for hardening that only applies to Aruba CX 6300 series switches with dedicated management ports. A dedicated management port is a physical port that is used exclusively for out-of-band management access to the switch. A dedicated management VRF is a virtual routing and forwarding instance that isolates the management traffic from other traffic on the switch. By creating a dedicated management VRF and assigning the management port to it, the administrator can enhance the security and performance of the management access to the switch. The other options are incorrect because they either do not apply to switches with dedicated management ports or do not follow Aruba-recommended best practices.
References:
https://www.arubanetworks.com/assets/ds/DS_AOS-CX.pdf
https://www.arubanetworks.com/assets/tg/TB_ArubaCX_Switching.pdf

Question No : 7
Two AOS-CX switches are configured with VSX at the the Access-Aggregation layer where servers attach to them An SVI interface is configured for VLAN 10 and serves as the default gateway for VLAN 10. The ISL link between the switches fails, but the keepalive interface functions. Active gateway has been configured on the VSX switches.



What is correct about access from the servers to the Core? (Select two.)

• A.Server 1 can access the core layer via the keepalrve link
• B.Server 2 can access the core layer via the keepalive link
• C.Server 2 cannot access the core layer.
• D.Server 1 can access the core layer via both uplinks
• E.Server 1 and Server 2 can communicate with each other via the core layer
• F.Server 1 can access the core layer on only one uplink

Show Answers

Answer:
Explanation:
These are the correct statements about access from the servers to the Core when the ISL link between the switches fails, but the keepalive interface functions. Server 1 can access the core layer via both uplinks because it is connected to VSX-A, which is still active for VLAN 10. Server 2 can also access the core layer via its uplink to VSX-B, which is still active for VLAN 10 because of Active Gateway feature. Server 1 and Server 2 can communicate with each other via the core layer because they are in the same VLAN and subnet, and their traffic can be routed through the core switches. The other statements are incorrect because they either describe scenarios that are not possible or not relevant to the question.
References: https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-

Question No : 8
A company deployed Dynamic Segmentation with their CX switches and Gateways After performing a security audit on their network, they discovered that the tunnels built between the CX switch and the Aruba Gateway are not encrypted. The company is concerned that bad actors could try to insert spoofed messages on the Gateway to disrupt communications or obtain information about the network.
Which action must the administrator perform to address this situation?

• A.Enable Secure Mode Enhanced
• B.Enable Enhanced security
• C.Enable Enhanced PAPI security
• D.Enable GRE security

Show Answers

Answer:
Explanation:
To address the situation of unencrypted tunnels between the CX switch and the Aruba Gateway, the administrator must enable Enhanced security on both devices. Enhanced security is a feature that provides encryption and authentication for GRE tunnels between CX switches and Aruba Gateways using IPSec.
Enhanced security can be enabled globally or per tunnel on both devices using CLI commands or Web UI options. The other options are incorrect because they either do not provide encryption or authentication for GRE tunnels or do not exist as features.
References:
https://www.arubanetworks.com/techdocs/AOS-CX/10.04/HTML/5200-6728/bk01-ch05.html
https://www.arubanetworks.com/assets/ds/DS_AOS-CX.pdf

Question No : 9
In AOS 10. which session-based ACL below will only allow ping from any wired station to wireless clients but will not allow ping from wireless clients to wired stations"? The wired host ingress traffic arrives on a trusted port.

• A.ip access-list session pingFromWired any user any permit
• B.ip access-list session pingFromWired user any svc-icmp deny any any svc-icmp permit
• C.ip access-list session pingFromWired any any svc-icmp permit user any svc-icmp deny
• D.ip access-list session pingFromWired any any svc-icmp deny any user svc-icmp permit

Show Answers

Answer:
Explanation:
A. ip access-list session pingFromWired any user any permit
This will allow all traffic from any source to wireless clients (user). Not what we want.
B. ip access-list session pingFromWired user any svc-icmp deny any any svc-icmp permit
The first rule denies ICMP (ping) from wireless clients (user) to any destination.
The second rule permits ICMP from any source to any destination. However, since the deny rule is processed first, pings from wireless clients will be blocked.
This option looks correct based on the rules provided.
C. ip access-list session pingFromWired any any svc-icmp permit user any svc-icmp deny
The first rule permits ICMP from any source to any destination. This includes wireless clients pinging wired stations.
The second rule denies ICMP from wireless clients to any destination. However, since it comes after the permit rule, it will never be processed.
This doesn't match the desired behavior.
D. ip access-list session pingFromWired any any svc-icmp deny any user svc-icmp permit
The first rule denies ICMP from any source to any destination. Since this is the first rule, it will block all ICMP traffic.
This option will not allow the desired behavior.
Given the explanations above, the correct answer is:
B. ip access-list session pingFromWired user any svc-icmp deny any any svc-icmp permit

Question No : 10
You are doing tests in your lab and with the following equipment specifications
* AP1 has a radio that generates a 10 dBm signal
* AP2 has a radio that generates a 11 dBm signal
* AP1 has an antenna with a gain of 9 dBi
* AP2 has an antenna with a gain of 12 dBi.
* The antenna cable for AP1 has a 2 dB loss
* The antenna cable for AP2 has a 3 dB loss
What would be the calculated Equivalent Isotropic Radiated Power (EIRP) for APT?

• A.26 dBm
• B.30 dBm
• C.17 dBm
• D.-12 dBm

Show Answers

Answer:
Explanation:
EIRP = Transmitter power + Antenna gain - Cable loss
EIRP for AP1 = 10 dBm + 9 dBi - 2 dB = 17 dBm