ACMP_6.3

8/17/2019 ACMP_6.3

http://slidepdf.com/reader/full/acmp63 1/92

Aruba ACMP_6.3

Aruba Certified Mobility Professional 6.3

Q1Which of the following Aruba controllers is able to provide IEEE 802.3af? (Choose two)

A. 3200B. 620C. 650D. 6000 with M3E. 7000

Answer: B,C

Explanation:Q2What is the maximum number of remote APs supported by a 3600 controller?

A. 512B. 1024

C. 128D. 256E. 2048

Answer: A

Explanation:Q3Which dual radio access point models support concurrent operations in the 2.4Ghz band as well as the 5Ghz band? (Choose three)

A. AP-92B. AP-93C. AP-105D. AP-224E. AP-135

Answer: C,D,E

Explanation:

8/17/2019 ACMP_6.3


Q4Which of the following APs do NOT support dual radio operations? (Choose two)

A. AP 93B. AP 105C. RAP 3WND. AP 224E. AP 135

Answer: A,C

Explanation:

Q5Centralized licensing is not in use on an Aruba based network which has a Master and three local controllers. No APs terminate on the Mastercontroller. Roles and Firewall policies need to be created and applied, hence PEF-NG license is required

On which controller should the license be installed?

A. Only the master controller since role and firewall policies are created here.B. Only the local controllers since firewall policies are applied hereC. The master and all three local controllers

D. This isn't the correct license for this purpose, use PEF-VPN licenseE. This is not needed because PEF-NG is part of base OS

Answer: C

Explanation:Q6What information do you need to generate a feature license key for an Aruba controller?

A. The controller's MAC address and the feature description.B. Controller's MAC address and the certificate numberC. Controller's Serial Number and the feature descriptionD. Controller's Serial Number and the certificate numberE. Controller's MAC address and Serial Number

Answer: D

Explanation:Q7

8/17/2019 ACMP_6.3


What are the PEF-NG license limits based on?

A. Number of APsB. One license per controllerC. Number of usersD. Number of local controllersE. Master Controller total user count

Answer: A

Explanation:Q8

Which of the following licenses are consumed by Mesh APs advertising an SSIDs?

A. AP licenseB. Mesh licenseC. PEF-V licenseD. No license is requiredE. RAP License

Answer: A

Explanation:Q9The permanent licenses on the controller will be deleted with the use of which command?

A. Delete licenseB. Write eraseC. Licenses cannot be deleted once activatedD. Write erase allE. Reboot delete all

Answer: D

Explanation:Q10

A network administrator wants to terminate VPN sessions on a local controller in the DMZ. Which statement is true about the PEF-VPN license?

A. It is only applied to the master controllerB. It is only applied to the DMZ controller.

8/17/2019 ACMP_6.3


C. It is based on the number of APsD. One license is needed on the master and the DMZ localE. It is distributed by the license server as needed

Answer: D

Explanation:Q11What is the best practice regarding licensing for a backup master to support Master Redundancy in a network without centralized licensing?

A. Backup master only requires the AP licenseB. Supported limits and installed licenses should be the same on primary master and backup Master

C. Licenses are pushed from the primary to the backup Master along with the configurationD. The Backup Master does not require licenses to support master redundancyE. On the backup only one license of each typeis needed.

Answer: B

Explanation:Q12Which of the following licenses can be included in the licensing pool for centralized licensing? (Choose three)

A. Factory default licensesB. PEFNG licenseC. Evaluation licensesD. RFProtect licenseE. PEFV license

Answer: B,C,D

Explanation:Q13By default Centralized licensing messages between master controllers are sent _______________.

A. In the clear unencryptedB. Using CPSecC. Using IPSec site to site VPN tunnelsD. Encrypted using GREE. PAPI

8/17/2019 ACMP_6.3


Answer: A

Explanation:Q14Which of the following will occur if a master license server fails with no standby server present? (Choose two)

A. Local controllers licenses will continue to be valid for 30 daysB. Local controllers will immediately remove all installed licensesC. No licenses will be sent to any new controllers that come onlineD. All licenses go back into the pool for redistributionE. A Local Controller elects itself master license server

Answer: A,C

Explanation:Q15Which may be applied directly to an VLAN interface? (Choose three)

A. Access List (ACL)B. Firewall PolicyC. Roles

D. AAA profilesE. RF Plan Map

Answer: A,B,D

Explanation:Q16When creating a firewall rule on an Aruba controller, which parameter is optional?

A. DestinationB. ServiceC. SourceD. LogE. Action

Answer: D

Explanation:Q17

8/17/2019 ACMP_6.3


An administrator creates a WLAN with an unmodified default AAA profile. What is the default role the user is placed in?

A. default-logonB. logonC. guest-logonD. default-apE. AP-Role

Answer: B

Explanation:Q18

What is the first role a user is given when a user associates to an open WLAN?

A. The guest post authentication roleB. The initial role in the captive portal profileC. The role in the server group profileD. The initial role in the AAA profileE. The initial role in the 802.1x profile

Answer: D

Explanation:Q19Which of the following could be used to set a user's post-authentication role or VLAN association? (Choose two)

A. AAA default role for authentication methodB. Server Derivation RuleC. Vendor Specific AttributesD. AP Derivation RuleE. The Global AAA profile

Answer: B,C

Explanation:Q20Which describe "roles" as used on Aruba Mobility Controllers? (Choose two)

A. Roles are assigned to users.B. Roles are applied to interfaces.

8/17/2019 ACMP_6.3


C. Policies are built from roles.D. A user can belong to only one role at a time.E. Roles are a set of authentication rules

Answer: A,D

Explanation:Q21Which netdestination aliases are built into the controller? (Choose three)

A. logonB. any

C. userD. guestE. localip

Answer: B,C,E

Explanation:Q22What are aliases used for?

A. Improve controller performanceB. Simplify the configuration processC. Tie IP addresses to portsD. Assign rules to policiesE. Assign policies to roles

Answer: B

Explanation:

Q23Which of the following firewall rules allows a user to initiate an ICMP session to other devices? (Choose two)

A. localip any svc-icmp permitB. user any svc-icmp permitC. user user svc-icmp permitD. any any svc-icmp permitE. mswitch any svc-icmp permit

8/17/2019 ACMP_6.3


Answer: B,D

Explanation:

Q24The Aruba Policy Enforcement Firewall (PEF-NG) module supports destination network address translation (dst-nat).

Which is the default use of this statement in an Aruba controller configuration?

A. Source the IP addresses of users to specific IP addressB. Redirect HTTP sessions to Captive PortalC. Redirect Access Points to another Aruba controllerD. Provide a telnet connection to the controller

E. Redirect a SSH session to terminate on the controller

Answer: B

Explanation:Q25The Aruba Policy Enforcement Firewall (PEF) module supports source network address translation (src-nat).

Which is a use of this statement in an Aruba configuration?

A. Provide a single source IP address for users in a roleB. Redirect Captive Portal HTTP sessionsC. Redirect Access Points to another Aruba controllerD. Provide IP addresses to clientsE. Redirects clients to Aruba Firewall

Answer: A

Explanation:

Q26The network administrator wishes to terminate the VPN encryption on the Aruba controller. When writing a firewall rule to accomplish the task ofautomatically moving the VPN traffic for the wireless clients from a third party VPN concentrator to an Aruba controller, which action needs to beconfigured in the rule?

A. redirect to IPSec GroupB. source NATC. destination NATD. redirect to tunnel

8/17/2019 ACMP_6.3


E. redirect to GRE

Answer: C

Explanation:Q27Review the following truncated output from an Aruba controller for this item.

(example) #show rights logon

access-list List

----------------

Position Name Location

-------- ---- --------

1 logon-control

2 captiveportal

logon-control

-------------

Priority Source Destination Service Action

-------- ------ ----------- ------- ------

1 user any udp 68 deny

2 any any svc-icmp permit

3 any any svc-dns permit4 any any svc-dhcp permit

5 any any svc-natt permit

captiveportal

8/17/2019 ACMP_6.3


-------------

Priority Source Destination Service Action

-------- ------ ----------- ------- ------

1 user controller svc-https dst-nat 8081

2 user any svc-http dst-nat 8080

3 user any svc-https dst-nat 8081

4 user any svc-http-proxy1 dst-nat 8088



Based on the above output from an Aruba controller, an unauthenticated user assigned to the logon role attempts to start an http session to IPaddress 172.16.43.170.

What will happen?

A. the user's traffic will be passed to the IP address because of the policy statement:user any svc-http dst-nat 8080B. the user's traffic will be passed to the IP address because of the policy statement:user any svc-https dst-nat 8081C. the user's traffic will be passed to the IP address because of the policy statement:user any svc-http-proxy1 dst-nat 8088D. the user will not reach the IP address because of the policy statement:

user any svc-http dst-nat 8080E. the user will not reach the IP address because of the implicit deny any any at the end of the policy.

Answer: D

Explanation:Q28Refer to the following configuration segment for this item.ip access-list session anewone

8/17/2019 ACMP_6.3


user network 172.16.1.0 255.255.255.0 any permit

user host 172.16.1.1 any deny

user any any permit

An administrator wants users to have access to all destinations except 172.16.1.1. Based on the above Aruba Mobility Controller configurationsegment, which statements best describe this policy? (Choose two)

A. The rule user host 172.16.1.1 any deny is redundant because of the implicit deny all at the end.B. The rule user network 172.16.1.0 255.255.255.0 any permit is redundant.

C. The two rules user network 172.16.1.0 255.255.255.0 any permit and user host 172.16.1.1 any deny need to be re-sequenced.D. The last statement user any any permit is not requiredE. The last statement should be any any any deny

Answer: B,C

Explanation:Q29Refer to the following configuration segment for this item.

netdestination "internal"

no invert

network 172.16.43.0 255.255.255.0 position 1

range 172.16.11.0 172.16.11.16 position 2

!

ip access-list session "My-Policy"

alias "user" alias "internal" service_any permit queue low

!

A user frame is evaluated against this firewall policy with the following attributes:Source IP: 172.17.49.3 Destination IP: 10.100.86.37 Destination Port: 80

8/17/2019 ACMP_6.3


Referring to the above file segment, how will the frame be handled by this firewall policy?

A. The frame will be dropped because of the implicit deny all at the end of the netdestination definition.B. The frame will be dropped because of the implicit deny all at the end of the firewall policy.C. The frame will be forwarded because of the implicit permit all at the end of the firewall policy.D. The frame will be passed because there is no service specified in the firewall policy.E. The frame will be dropped because there is no service specified in the firewall policy.

Answer: B

Explanation:

Q30ip access-list session anewone


user any any permit

host 10.1.1.1 host 10.2.2.2 any deny

A user sends a frame with the following attributes:

Source IP: 10.1.1.1 Destination IP: 10.2.2.2 Destination Port: 25

Based on the above Mobility Controller configuration file segment, what will this policy do with the user frame?

A. The frame is discarded because of the implicit deny all at the end of the policy.B. The frame is discarded because of the statement:user host 10.1.1.1 host 10.2.2.2 deny.C. The frame is accepted because of the statement:

user any any permit.D. The frame is accepted because of the statement:user network 10.1.1.0 255.255.255.0 any permit.E. This is not a valid policy.

Answer: C

Explanation:Q31

8/17/2019 ACMP_6.3


ip access-list session anewone


user host 10.1.1.1 any deny

user any any permit

Referring to the above portion of a Mobility Controller configuration file, what can you conclude? (Choose two)

A. This is a session firewall policy.B. This is an extended Access Control List (ACL).

C. Any traffic going to destination 10.1.1.1 will be denied.D. Any traffic going to destination 10.2.2.2 will be denied.E. Any traffic going to destination 172.16.100.100 will be permitted.

Answer: A,E

Explanation:Q32Which of these are NOT a client attribute that can be configured in user derivation rules?

A. MAC addressB. DHCP option valueC. BSSIDD. Filter IDE. encryption

Answer: D

Explanation:

Q33What are the types of user derivation rules that can be applied to a user? (Choose two)

A. SSIDB. MACC. VLAND. RoleE. AP

8/17/2019 ACMP_6.3


Answer: C,D

Explanation:

Q34Which is a Device Specific Attribute that can be evaluated in a user derivation rule?

A. user login nameB. authentication serverC. location by AP NameD. controller Loopback addressE. controller IP

Answer: C

Explanation:Q35Which match condition can be used by a server derivation rule? (Choose two)

A. greater thanB. less thanC. inverse ofD. containsE. equals

Answer: D,E

Explanation:Q36

An administrator wants to assign a VLAN to a user based upon the authentication process using Vendor Specific Attributes (VSA). Where are Aruba Vendor Specific Attribute (VSA) values provisioned?

A. controllerB. clientC. RADIUS serverD. Internal user databaseE. Option 60 of DHCP reply

Answer: C

Explanation:

8/17/2019 ACMP_6.3


Q37View the Server group screen shot above.

A company has provisioned the same VAP, AAA and SSID profiles at both its Miami and NY offices. This Server Group is applied for 802.1xauthentication at both locations. The user's credentials are only found in the Miami Radius server "RadiusMiami". There is no Radiussynchronization and both servers are reachable. What happens when the user attempts to authenticate?

A. The controller recognizes the users Domain and sends the authentication request directly to RadiusMiami.B. The request is initially sent to RadiusNY1 then RadiusNY1 redirects the controller to send the authentication request to RadiusMiamiC. RadiusNY1 receives the request and returns a deny. No other action is taken.D. RadiusNY1 receives the request and returns a deny. The authentication request will then be sent to RadiusMiami.E. The RadiusNY1 sends the request to RadiusMiami that replies to the controller

Answer: C

Explanation:Q38View the Server group and User Roles screen shots above.

8/17/2019 ACMP_6.3


A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of"employee". The user was placed in the guest Role.

8/17/2019 ACMP_6.3


What statements below are correct? (Choose two)

A. The user was placed in the 802.1x authentication default Role guest

B. The user was placed in the initial Role guestC. Role derivation failed because roles are case sensitiveD. Role derivation failed because the incorrect operation "value-of" was usedE. 802.1x authentication failed so the user was automatically placed in the guest Role

Answer: A,C

Explanation:Q39

View the Server group and User Roles screen shots above.

8/17/2019 ACMP_6.3


A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of"employee".

8/17/2019 ACMP_6.3


What Role will the user get?

A. The User will get the Emp RoleB. The User will get the 802.1x authentication default RoleC. The User will get the employee RoleD. The User will get the Employee RoleE. The User will get the initial Role

Answer: B

Explanation:

Q40Which profiles are required in an AP Group to enable an SSID with VLAN 1, WPA2 and LMSIP? (Choose three)

A. Virtual-AP profileB. WLAN profileC. 802.1x authentication profileD. AP System ProfileE. SSID Profile

Answer: A,D,E

Explanation:Q41

A user connected to a Captive Portal VAP successfully. When the user opens their browser and tries to access their homepage, they getredirected as expected to another URL on the Aruba Controller. However, they see an error message that web authentication has been disabled.What might be a cause of this?

A. Captive Portal has not been assigned in the SSID profile.B. The Captive portal profile has not been assigned to the AAA profile.

C. A server group has not been assigned to the captive portal profile.D. An initial role has not been assigned to the AAA profile.E. The Captive portal profile has not been assigned to the initial role.

Answer: E

Explanation:Q42Which of the following will accept named VLANs as a parameter? (Choose three)

8/17/2019 ACMP_6.3


A. Virtual AP profileB. User derivation rule for a single VLAN

C. Server derivation rule for a single VLAND. Server derivation rule for a VLAN PoolE. Access VLAN for a VLAN Pool

Answer: A,B,C

Explanation:Q43

A customer has a remote AP deployment, where each remote AP has an IPSEC VPN tunnel with L2TP to the controller. 1 of the remote APs is

stuck in the user table and hasn't yet transitioned to the AP active table in the controller. The customer suspects that the AP is not setting up itsVPN connection successfully. Which of the following commands might be useful in troubleshooting this? (Choose three)

A. Logging level debugging security process localdbB. Logging level debugging security process l2tpC. Logging level debugging security process dot1xD. Logging level debugging security process cryptoE. Logging level debugging security process vpn

Answer: A,B,D

Explanation:Q44The screen captures below show the 802.1X authentication profile and AAA profile settings for a VAP.

8/17/2019 ACMP_6.3


8/17/2019 ACMP_6.3


If machine authentication fails and user authentication passes, which role will be assigned?

A. employeeB. guestC. contractorD. logonE. no role is assigned

Answer: B

Explanation:Q45The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.

8/17/2019 ACMP_6.3


8/17/2019 ACMP_6.3


If machine authentication passes and user authentication fails, which role will be assigned?

A. employeeB. guestC. contractorD. logonE. no role is assigned

Answer: B

Explanation:Q46The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.

8/17/2019 ACMP_6.3


8/17/2019 ACMP_6.3


If machine authentication fails and user authentication fails, which role will be assigned?

A. EmployeeB. GuestC. Captive PortalD. LogonE. No role will be assigned

Answer: E

Explanation:Q47What can NOT be configured from the Aruba controller configuration wizards?

A. Controller IPB. Boot PartitionC. User firewall policy.D. User derivation rules.E. Radius Servers

8/17/2019 ACMP_6.3


Answer: B

Explanation:Q48

An administrator is setting up a factory default controller. No new AP groups were created. When adding a WLAN SSID in the Campus WLANwizard what AP group is available?

A. The air-monitors AP groupB. The logon AP groupC. The default AP groupD. The initial AP groupE. The Spectrum AP group

Answer: C

Explanation:Q49The reusable Aruba Controller wizards are accessible in what way?

A. Only on startup through the CLIB. Through the CLI, after the initial CLI wizard has been completed

C. In the Web UI under maintenance.D. In the Web UI under configuration.E. Must be initialized from CLI first.

Answer: D

Explanation:Q50The Contrtoller wizard enables which of the following controller clock configurations? (Choose three)

A. NTP to a time serverB. Set time zoneC. Daylight savings timeD. Only GMT can be configuredE. Manual configuration of date and time

Answer: A,B,E

8/17/2019 ACMP_6.3


Explanation:Q51When configuring ports in the Controller wizard, which of the following are NOT configuration options? (Choose two)

A. Inter-VLAN routingB. SpeedC. TrustedD. LACPE. Trunk

Answer: A,D

Explanation:Q52By default, which CLI based remote access method is enabled on Aruba controllers?

A. RSHB. TelnetC. SSHD. Telnet and SSHE. Telnet, SSH and RSH

Answer: C

Explanation:Q53

An Aruba controller can be accessed with which CLI based remote access methods? (Choose two)

A. RSHB. TelnetC. SSH

D. SFTPE. SCP

Answer: B,C

Explanation:Q54

As an admin/root user, what other type of role-based management users can be created on Aruba controllers?

8/17/2019 ACMP_6.3


A. Auditing-compliance userB. AirWave management userC. Reporting Generation user

D. Guest provisioning userE. Maintenance user

Answer: D

Explanation:Q55Which log type should be enabled to troubleshoot IPSec authentication issues on Aruba Controllers?

A. Security LogsB. Management LogsC. Wireless LogsD. IDS LogsE. System Logs

Answer: A

Explanation:Q56

Exhibit:

8/17/2019 ACMP_6.3


8/17/2019 ACMP_6.3


Referring to the above screen capture, if an administrator desires to change a specific AP into a Spectrum Monitor without assigning the AP to anew group, which menus could be used?

A. Network > ControllerB. Wireless > AP ConfigurationC. Wireless > AP InstallationD. Advanced Services > WirelessE. Wizards > WIP Wizard

Answer: B

Explanation:Q57

A customer forgot all passwords for a controller. What method could you use to reset the passwords?

A. Telnet to the controller and login to the password recovery accountB. SSH to the controller and login to the password recovery accountC. Connect directly to the serial console and login to the password recovery accountD. Interrupt the boot process at CP-boot and select password recoveryE. Open the controller and press the reset switch

Answer: C

Explanation:Q58With CPSec disabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?

A. Basic IPB. GREC. IPinIP

D. Mobile IPE. IPSec

Answer: B

Explanation:Q59In an Aruba controller based system, the L3 mobility tunnel exists between the home agent and which other element?

8/17/2019 ACMP_6.3


A. the default gatewayB. the remote APC. the foreign agent

D. the mobile nodeE. the foreign switch

Answer: C

Explanation:Q60When an 802.11 client roams what device decides when to move the client to another AP?

A. Aruba APB. Aruba controllerC. ClientD. Radius ServerE. Router

Answer: C

Explanation:Q61

Exhibit:

8/17/2019 ACMP_6.3


The above diagram has one master and three local controllers. AP1 GRE terminates on controller Local 1. All controllers are configured with thewireless user VLAN 201. A wireless user associates with AP 1. Only L2 mobility is enabled.

Which elements will know about this association?

A. Local 1 onlyB. Local 1 and the MasterC. Local 1 and Local 2 and the MasterD. Local 1 and AP1E. All Controllers

Answer: B

Explanation:

8/17/2019 ACMP_6.3


Q62Which command will show all client association history?

A. Aruba-6000# show mobile trail current (ip address)B. Aruba-6000# show ip mobile trail (ip address)C. Aruba-6000# show ap client status (mac address)D. Aruba-6000# show current client ip (ip address)E. Aruba-6000# show client ip (ip address) mobility

Answer: B

Explanation:Q63With CPSec enabled, which tunnel protocol is used between APs and Controllers in an Aruba environment?

A. EAPB. SSHC. IPinIPD. Mobile IPE. IPSec

Answer: E

Explanation:Q64By default, how long will an AP scan a single channel when ARM is enabled?

A. 80 millisecondsB. 90 millisecondsC. 100 millisecondsD. 110 milliseconds

E. 200 milliseconds

Answer: D

Explanation:Q65Which actions does ARM (Adaptive Radio Management) perform? (Choose two)

A. Allows controllers to provision the AP Radio type

8/17/2019 ACMP_6.3


B. Allows controllers to provision the best channel for APsC. Allows controllers to provision the best power setting for APsD. Allows controllers to provision allowed Radio bands

E. Allows controllers to provision lower power when unauthorized APs are detected

Answer: B,C

Explanation:Q66Which of the following metrics does the ARM feature use to calculate the optimal channel and power level for Access Points? (Choose two)

A. RF Spectrum IndexB. Priority Index

C. Interference IndexD. Coverage IndexE. Frequency Index

Answer: C,D

Explanation:Q67How does the ARM Band Steering feature encourage 5GHz capable clients to move/connect to the 5GHz radios of Aruba APs?

A. ARM suppresses the probe response on the 2.4 GHz radioB. ARM utilizes third party software on the wireless clientsC. Current Wi-Fi chipset firmware supports this by defaultD. It's not possible the move clients to 5GHz radios when they can see both 2.4 and 5GHz APsE. ARM disables the 2.4Ghz radio for the specified client

Answer: A

Explanation:Q68Which of the statements below are TRUE regarding ARM's Spectrum Load Balancing feature? (Choose two)

A. Available only on 5GHz radiosB. Disabled by defaultC. Balances client load across available channels/APsD. Enabled by defaultE. Available only on 2.4GHz radios

8/17/2019 ACMP_6.3


Answer: B,C

Explanation:Q69What is the function of Band Steering?

A. Balancing clients across APs on different channels within the same bandB. Encourages clients, 5GHz capable, to connect on the 5GHz spectrumC. Coordinate access to the same channel across multiple APsD. Enables selection of 20 vs. 40 MHz mode of operation per bandE. Enables acceptable coverage index on both the "b/g" and "a" spectrums

Answer: B

Explanation:Q70What are the Airtime Allocation Policy options for Airtime Fairness? (Choose three)

A. Default AccessB. Priority AccessC. Fair Access

D. Preferred AccessE. Distributed Access

Answer: A,C,D

Explanation:Q71Which of the following statements is true of Spectrum Mode?

A. No licenses are required to run an AP in Spectrum modeB. Spectrum mode can only be configured for one AP at a timeC. An AP can be in spectrum mode for both 2.4 and 5G bands at the same timeD. An AP can be placed in Spectrum Mode via the Spectrum ProfileE. Spectrum mode can be configured from the GUI under AP installation

Answer: C

Explanation:

8/17/2019 ACMP_6.3


Q72Which ARM feature addresses the issue of sticky clients by moving clients to associate to APs with better 802.11 signal quality?

A. Co-Channel interference mitigationB. Airtime FairnessC. ClientMatchD. Coordinated access to a single channelE. Band Steering

Answer: C

Explanation:Q73

Aruba Client Match does NOT use which of the following parameters to determine the best AP for a client connection? (Choose two)

A. Device typeB. LocationC. Signal to Noise RatioD. Access Point loadE. Spectrum Analysis

Answer: C,D

Explanation:Q74Which settings cannot be modified directly from a local controller?

A. Port VLAN settingB. Switch Time ZoneC. Port trustedD. Roles

E. SNMP Enable Trap Generation

Answer: D

Explanation:Q75Masters communicate configuration information with locals using which tunnel type?

A. GRE

8/17/2019 ACMP_6.3


B. IP in IPC. Provision Tunnel ProtocolD. IPSec

E. PPTP

Answer: D

Explanation:Q76In the above screen capture:

8/17/2019 ACMP_6.3


The administrator notes that most of the configuration options are grayed out and have no action.

What is the cause of the problem?

A. attempting to make global changes on a Master ControllerB. attempting to make global changes on a Local ControllerC. this change can only be performed via the CLID. does not have the correct software licenseE. there is an error in the configuration

8/17/2019 ACMP_6.3


Answer: B

Explanation:Q77Exhibit:

Referring to the above screen capture, on which Controller can you create a vlan?

A. Controller 10.1.11.100 onlyB. Controller 10.1.11.101 and 10.254.1.3 only

C. All three ControllersD. None of the ControllersE. Controller 10.254.1.101 only

Answer: C


8/17/2019 ACMP_6.3


Referring to the above screen capture, on which controller can you add an administrative user and assign a controller management role?

A. Controller 10.1.11.100 onlyB. Controller 10.1.11.101 and 10.254.1.3 onlyC. All three ControllersD. Must be done in the RADIUS serverE. Controller 10.254.1.101 only

Answer: C

Explanation:

Q79Refer to the above screen capture.

By default, which controller's internal database will be used for user authentication?

A. Controller 10.1.11.100 onlyB. Controller 10.1.11.101 and 10.254.1.3 only

8/17/2019 ACMP_6.3


C. All three ControllersD. You can't tell from this screenE. The Controller with the user session

Answer: A


Referring to the above screen capture, on which controller can you modify APs configuration to enable ARM?

A. Controller 10.1.11.100 onlyB. Controller 10.1.11.101 and 10.254.1.3 onlyC. All three ControllersD. None of the ControllersE. On Controllers where ARM is enabled

Answer: A

Explanation:Q81With CPSec disabled, Aruba access points are Layer 3 connected to controllers using which protocol?

A. 802.1qB. LWAPPC. PPTPD. GREE. HTTPs

8/17/2019 ACMP_6.3


Answer: D

Explanation:Q82With CPSec disabled, which encryption protocol does a tunnel mode campus AP use on client traffic?

A. TKIP and AESB. It is provisioned by the AdministratorC. WEP and AESD. WEP, TKIP, and AESE. No encryption is used

Answer: E

Explanation:Q83In a campus environment, where are encryption keys sent or stored when users roam between tunneled mode APs on the same controller using802.1X?

A. sent to the new AP via GREB. sent to the new AP via IPSec

C. stored on the controllerD. stored on the RADIUS serverE. original AP sends keys to new AP

Answer: C

Explanation:Q84In the diagram provided for this question, the wireless user's laptop is associated with an Aruba AP in tunnel forwarding mode. The AP terminateson the local controller.

8/17/2019 ACMP_6.3


When the client transmits, where will the 802.11 headers be removed?

A. AP

B. L2 SwitchC. RouterD. ControllerE. Internet

Answer: D

Explanation:

8/17/2019 ACMP_6.3


Q85When configuring a server group containing 3 servers, a customer chooses 'fail through mode'. What other configuration option has to be enabledon the controller for this to work with 802.1x authentication?

A. Machine authenticationB. EAP TerminationC. Server group fall through modeD. MAC authenticationE. Round robin or top down mode

Answer: B

Explanation:

Q86 A campus AP has been provisioned with a VAP in bridge forwarding and standard operation modes. Which of the following authentication typesare supported? (Choose two)

A. 802.1X authenticationB. Open System authenticationC. Local authenticationD. Captive portal authenticationE. VPN authentication

Answer: A,B

Explanation:Q87Which method is NOT supported to provision an Aruba campus AP?

A. Telnet directly to APB. SSH to the AP's controllerC. Web interface to the AP's controllerD. Console to APE. CLI on controller

Answer: A

Explanation:Q88When direct consoled to an AP, what is the command sequence to factory default the AP and re- bootstrap?

8/17/2019 ACMP_6.3


A. setenv bootstat initB. setenv master init, bootC. purge, save, bootD. init, save, bootE. print, purge, boot

Answer: C

Explanation:Q89What settings need to be changed on a factory default AP in order for it to use ADP to discover the Aruba Controller?

A. DNS of the controllerB. Static routeC. AP groupD. enable multicastE. no changes needed

Answer: E

Explanation:

Q90 As illustrated in the above diagram, a company has two campus locations and a building headquarters all located in different cities.

8/17/2019 ACMP_6.3


Following best practices, what would be the best way to construct mobility domains for the company?

A. Buildings (1, 2) in one domain and Buildings (3, 4, 5, 6) in one domain

B. Buildings (1, 2) in one domain, Building (3) in one domain, and Buildings (4, 5, 6) in one domainC. Buildings (1, 2, 4, 5, 6) in one domain and Building (3) in one domainD. Buildings (1, 2, 3, 4, 5, 6) in one domainE. Buildings (1) in one domain building (4) in one domain

Answer: B

Explanation:

8/17/2019 ACMP_6.3


Q91How many Aruba controllers can be added to a single mobility domain?

A. 64 controllers of any typeB. 128 controllers supporting 2000 usersC. 256 controllers with no more than 1024 subnetsD. Controllers supporting up to 6000 AP'sE. There is no controller limit

Answer: E

Explanation:Q92

In a master-local controller scenario, where is the mobility domain defined?

A. the AP groupB. the master controllerC. the local controllerD. the master and the local controllersE. the master and the local controllers where roaming is needed

Answer: B

Explanation:Q93

A university has 2 departments. Department 1 has its own mobility domain with one controller. Department 2 has multiple controllers configured ina second domain. The university is planning on offering a new application and needs users to be able to roam between both mobility domains.

What is the best way to accomplish this?

A. The 2 existing domains should be left as they are. A 3rd mobility domain should then be created and all 3 controllers need to be added to itB. Merge the controllers into the same mobility domain

C. The IP subnets of all controllers need to be configured to matchD. This cannot be accomplishedE. Create a new domain between a department 1 controller and one of the department 2 controllers

Answer: B

Explanation:Q94

8/17/2019 ACMP_6.3


A port firewall policy is applied to a trunk port that denies controller access. An "allow all" Vlan firewall policy is applied to VLAN 33 on the sameport. A user connected to VLAN 33 on that port attempts to gain access to the controller. Which of the following statements is true?

A. The Port policy is applied, therefore no controller accessB. The Vlan policy is applied, then the port policy, therefore no controller accessC. The Vlan policy is applied, therefore access to the controller is allowedD. You cannot place a firewall policy on a Ports Vlan when the Port already has a policy, therefore no controller accessE. When locally connected to a controller's port you always have controller access

Answer: C

Explanation:Q95

An access port has been placed in trusted mode. The Vlan on the port is in Untrusted mode.Which of the following statements is true?

A. The traffic is trusted since the port is trustedB. The traffic is untrusted since the VLAN is untrustedC. This is an invalid configuration, both must be set the sameD. You cannot set Vlans as trusted or untrustedE. Only traffic from that specific port is trusted, all other traffic is untrusted

Answer: B

Explanation:Q96

A wired device is connected to an untrusted port on a controller. How can a role be assigned to the device?

A. An initial Role can be assigned directly to the VLANB. Roles are assigned to devices connected to a trusted portC. A default Role can be directly assigned to an untrusted portD. Adding a wired AAA profile to a VLAN on the untrusted port

E. The Role assigned to the untrusted port

Answer: D

Explanation:Q97

A port on a controller has been configured as untrusted. No wired access AAA profile or Global AAA profile is configured. When a user connects tothat port which of the following statements is true?

8/17/2019 ACMP_6.3


A. Since there is no wired access AAA profile, only port policies will be appliedB. The user will fall into the default wired access AAA profile and will be given the initial role.C. Since there is no wired access AAA profile or Global AAA profile the user will be given the logon role.

D. When configuring the port as untrusted, an error message of "no wired access AAA profile exists" Therefore this is an invalid configuration.E. the user is denied all access automatically because no wired access AAA or Global AAA profile is assigned.

Answer: C

Explanation:Q98Which method can APs use to discover a controller?

A. DHCPB. Dynamic DNS (DDNS)C. PnPD. PAPIE. HTTPS

Answer: A

Explanation:

Q99When APs boot up, in which order do they discover a controller?

A. DNS, DHCP, ADP multicast, ADP unicast, staticB. static, DNS, DHCP, ADP broadcast, ADP multicastC. static, DHCP, ADP multicast, ADP broadcast, DNSD. static, DHCP, DNS, ADP multicast, ADP broadcastE. DNS, static, ADP multicast, ADP broadcast

Answer: C

Explanation:Q100

An AP is not communicating with the controller. Upon investigation you find that the AP is not discovering its controller through DNS. Instead, itreceived a DHCP reply with option 43 specifying the SIP server's IP address. How do you resolve this problem?

A. Statically configure the AP to ignore Option 43B. Remove the option 43 configuration on the DHCP server

C Staticall config re the AP to onl se DNS resol tion and not other d namic disco er methods

8/17/2019 ACMP_6.3


C. Statically configure the AP to only use DNS resolution and not other dynamic discovery methodsD. After failing option 43 the AP should have proceeded with ADP, therefore the AP is faulty and needs to be replacedE. The AP should be purged

Answer: B

Explanation:Q101How is an AP redirected to a Local controller after DNS resolution returns the Master's IP address?

A. Master looks at the AP-Group and CONTROLLER-IP attributesB. Master looks at the AP-Group and LMS-IP attributesC. In the AP-provisioning screen, the LMS-IP attribute must be set

D. The AP must be statically configured to find the local controllerE. In the AP-provisioning screen, set the CONTROLLER-IP attribute

Answer: B

Explanation:Q102

An AP was configured and assigned to an AP group then powered off for over a week. When the AP is redeployed, what previous configurationwill it retain?

A. It's AP name and AP GroupB. It's Serial NumberC. The controller's IP addressD. After a few days all configurations are lostE. The controller IP address and the AP Group

Answer: A

Explanation:

Q103 A 3600 controller has 64 PEF-NG license, 128 AP licenses and 1 RFProtect license. How many AP's can terminate on the controller?

A. 1 Campus APsB. 64 Campus APsC. 128 Remote APsD. 256 Remote APsE. 512 Remote APs

8/17/2019 ACMP_6.3


Answer: A

Explanation:

Q104 A 3200 controller has 16 AP licenses,16 PEF-NG licenses, 16 RFProtect licenses. There are 10 Campus APs terminating on the controller. Howmany remote AP's can terminate on the controller?

A. 6B. 12C. 16D. 24E. 32

Answer: A

Explanation:Q105Centralized licensing is not enabled in a network of 1 Master and 2 Local controllers, what should be the license count on all controllers toterminate 8 APs on each Local controller and support Local redundancy?

A. 16 AP license on all controllers

B. 8 AP license on Master and 16 AP license on both localsC. 8 AP license on all controllersD. 1 AP license on Master and 16 AP license on both localsE. 16 AP licenses on the Locals

Answer: D

Explanation:Q106

An 7240 controller is Licensed for 560 APs. The controller has 500 Campus APs terminating on the controller. How many Remote APs can

terminate on this controller?

A. 12B. 24C. 48D. 60E. 120

Answer: D

8/17/2019 ACMP_6.3


Answer: D

Explanation:Q107

An Aruba Controller is configured with VLAN 1,5, 200, and 4095. All VLANs have IP addresses assigned. Which is the default management VLANon the Aruba controller?

A. VLAN 5B. VLAN 1C. VLAN 200D. None, it must be definedE. VLAN 4095

Answer: B

Explanation:Q108Which of the following statements is true?

A. Aruba Campus APs must be physically attached to the Aruba Controller.B. Aruba Campus APs must be in the same broadcast domain as the Controller.C. Aruba Campus APs can be in different subnets from the Controller.

D. Aruba Campus APs must be physically attached to the same Layer 3 switch.E. Aruba Campus APs can be connected directly to the public internet.

Answer: C


8/17/2019 ACMP_6.3


Referring to the diagram provided for this question, in which locations must you define the new data VLANs for wireless client traffic? (Choose

two)

A. in all L2 switches where an Aruba AP is physically connectedB. in all APs and the L2 switches to which they are connectedC. in the Aruba controller and the router it's connected to in an L2 deploymentD. in the routers and switches where the APs are physically connectedE. only on the Aruba controller in an L3 deployment

Answer: C,E

Explanation:Q110

A controller is provisioned in L3 Mode for Wireless Users. What must be configured on the controller to enable DHCP requests to an externalDHCP server?

A. an IP helper commandB. the IP address of the DNS serverC. the IP address of the APs

D. the subnet address of the DHCP server

8/17/2019 ACMP_6.3


E. the DHCP server IPSEC Key

Answer: A

Explanation:Q111Which parameter(s) does a Master controller use to determine where a provisioned AP should terminate its GRE tunnel?

A. the IP address of the APB. the MAC address of the APC. the IP address of the switch nearest to the APD. the name and group settings of the AP

E. the VLAN the AP is attached to

Answer: D

Explanation:Q112Which of the following configurations can accept a VLAN pool? (Choose two)

A. Trunk native VLANB. Virtual AP profileC. User RoleD. Server derived roleE. FW Policies

Answer: B,C

Explanation:Q113What does Aruba Layer 3 redundancy require to operate?

A. LMS-IPB. Backup LMS-IPC. VRRPD. Backup AP groupE. ARM

Answer: B

8/17/2019 ACMP_6.3



8/17/2019 ACMP_6.3


In the diagram provided for this question, the client laptop is associated with the Aruba AP. The Aruba controller is configured to perform L2switching for this SSID.

What will be the client laptop default gateway?

A. AB. BC. CD. DE. E

Answer: C

Explanation:Q115In the diagram provided for this question, the Aruba controller terminates one end of a GRE tunnel that carries wireless user traffic.

8/17/2019 ACMP_6.3


Where does the other end terminate?

A. AB. B

C. CD. DE. A or B

Answer: A

Explanation:Q116

In the above diagram, the system shows two Aruba access points and a wired user.

8/17/2019 ACMP_6.3


Which VLAN(s) do NOT need to be configured on link A between the L2 switch and router to support the wireless users?

A. 101 and 102B. 101 and 103C. 102 and 103D. only 101E. only 103

Answer: A

Explanation:Q117In the above diagram, the system shows two Aruba access points.

8/17/2019 ACMP_6.3


Which VLANs must be configured on trunk link D between the router and Aruba controller to support wireless users when the controller isprovisioned for L2 operations?

A. 10, 101 and 102B. 101 and 102

C. 101, 102 and 103D. 10, 101,102 and 103E. 10 and 103

Answer: A


8/17/2019 ACMP_6.3


Referring to the diagram provided for this question, if the Aruba controller is configured to perform L3 switching, what will be the wireless clientlaptop default gateway?

A. AB. B

8/17/2019 ACMP_6.3


C. CD. D

E. E

Answer: D

Explanation:Q119When configuring Captive Portal, which protocols are supported when accessing the Captive Portal? (Choose two)

A. HTTPS

B. VPNC. HTTPD. TELNETE. SSH

Answer: A,C

Explanation:Q120When the controller is configured for Captive Portal and the user is only required to provide an email address for authentication, which option isconfigured in the GUI?

A. enable terminationB. enable guest logonC. enable user logonD. eap methodE. disable CP Login

Answer: B

Explanation:Q121

A user logged in with the Captive Portal settings shown in the above screen capture.

8/17/2019 ACMP_6.3


What does the user need to do to logout?

A. wait 30 minutes then logout

8/17/2019 ACMP_6.3


B. wait 60 minutes then logoutC. click Logout on the browser screen

D. he cannot logoutE. wait 10 seconds for redirect

Answer: C

Explanation:Q122Screenshots of the Captive Portal authentication profile and server group of a guest network are displayed above.

8/17/2019 ACMP_6.3


8/17/2019 ACMP_6.3


How was the user authenticated?

A. with a radius server called Radius01

B. with the Internal databaseC. with a radius server called InternalD. with another form of authenticationE. user wasn't authenticated against any server

Answer: E

Explanation:Q123

Where should mobility domains be enabled in a network with 1 master, 1 backup master and 5 local controllers?

A. Only on the master controllerB. All the local controllers in the networkC. All the controllers where the client is allowed to roamD. Master and backup masterE. Only on the backup master

Answer: C

Explanation:

8/17/2019 ACMP_6.3


Explanation:Q124

What are two different methods of configuring AP redundancy between 2 local controllers? (Choose two)

A. Fast-FailoverB. Configure the locals as remote nodesC. Use named VLANSD. LMS and Backup LMS IPE. AP Redundancy can only be configured between a Master and Local

Answer: A,D

Explanation:Q125

An Aruba 650 controller is functioning as a standby Master. How many APs can it control while in standby mode?

A. 0B. 16C. 24D. 128E. 256

Answer: A

Explanation:Q126

Aruba pair of 3200XM controllers are licensed to their maximum and are configured as a VRRP pair. Each controller terminates 24 APs. One ofthe controllers fails. How many of the APs from the failed controller can fail over to the remaining controller?

A. 8

B. 16C. 32D. 48E. 96

Answer: A

Explanation:

Q127Which protocol does the Aruba controller utilize for controller redundancy?

8/17/2019 ACMP_6.3


A. HSRP

B. VRRPC. VPND. GREE. IP-IP

Answer: B

Explanation:Q128With Fast-Failover disabled, to which IP address should the Aruba AP terminate its GRE tunnel for layer 2 controller redundancy to work and tosupport failover of access points?

A. VRRP IP addressB. management IP of an Aruba controllerC. management IP of the backup Aruba controllerD. HSRP IP addressE. Loopback IP address of backup Aruba controller

Answer: A

Explanation:Q129When an Aruba 6000 controller has two M3 modules installed, for which uses may the modules be used? (Choose two)

A. hot standby operationsB. VRRP backupC. higher AP density per switch chassisD. Active-Active masters

E. Active-Active master-backup

Answer: B,C

Explanation:Q130Referring to the diagram provided for this question, an employee brought an unauthorized AP from home and attached the LAN port to the cubicleEthernet port. All Aruba APs and AMs as well as the employee AP are in VLAN 80 and within RF range of each other. No traffic from the wired or

wireless network has passed through the unauthorized AP yet, but the AP began wireless broadcasts.

8/17/2019 ACMP_6.3


8/17/2019 ACMP_6.3


How will the Aruba system initially classify the employee's non-Aruba AP?

8/17/2019 ACMP_6.3


A. a valid AP

B. an AMC. a Rogue APD. an interfering APE. a known interfering AP

Answer: D

Explanation:Q131Referring to the diagram provided for this question, an employee brought an unauthorized AP from home and attached it to the cubicle Ethernetport as shown in the diagram. The APs are in VLANs as shown in the diagram. Only AP1 is within RF range.

8/17/2019 ACMP_6.3


How will the Aruba controller classify this AP?

A AP

8/17/2019 ACMP_6.3


A. an AP

B. an AMC. a Rogue APD. an Interfering APE. a workstation

Answer: D

Explanation:Q132Referring to the diagram provided for this question, an employee brought an unauthorized AP from home, but did not attach it to the LANinfrastructure. The APs are in the VLANs as shown in the diagram. Only AP1 is within RF range of the employee AP.

8/17/2019 ACMP_6.3


By default, how will the Aruba system classify the employee's AP?

A an AP

8/17/2019 ACMP_6.3


A. an AP

B. an AMC. a Rogue APD. an Interfering APE. a valid workstation

Answer: D

Explanation:Q133What can an AM do that an AP cannot do?

A. Detect rogue APsB. Detect an AP failureC. Scans all channels in under 1 minuteD. Detect interfering APsE. Scan all valid channels

Answer: C

Explanation:Q134(group8) #show ap active

Active AP Table

---------------

Name Group IP Address 11g Clients 11g Ch/EIRP/MaxEIRP 11a Clients 11a Ch/EIRP/MaxEIRP

---- ----- ---------- --------- ------------------- ----------- -------------------

AP1 building1 10.1.80.150 0 AM 0 AM

AP2 building1 10.1.80.151 0 AM 0 AM

A user called technical support because they cannot see any of their APs in building one. You perform the "show" command as illustrated above.

What can you conclude about these two APs from this output?

A the GRE for the APs terminate on two different controllers: 10 1 80 150 and 10 1 80 151

8/17/2019 ACMP_6.3


A. the GRE for the APs terminate on two different controllers: 10.1.80.150 and 10.1.80.151

B. the system will not function because there is no building1 group definedC. the building1 APs will not accept any user connectionsD. the user needs to configure his client to use the b/g bandE. the user needs to configure his client to use the a band

Answer: C


Based on the above screen capture for Interfering APs, what can you conclude?

A. The APs must be connected to the Aruba network.B. The APs are classified as interfering because they are all transmitting on channel 6.C. There must not be any evidence that the APs are attached to the wired corporate network.D. These APs are classified as interfering because they are not Aruba APs.

8/17/2019 ACMP_6.3


g y

E. They are classified as interfering because they are running in g mode.

Answer: C

Explanation:Q136

As illustrated in the above diagram and screen capture, a wireless hacker injects messages into your network to detach a client from your Aruba AP.

8/17/2019 ACMP_6.3


What action should you take to identify and prevent the Intruder from connecting to your system? (Choose two)

A. Enable Detect disconnect Station Attack

B. Enable Spoofed Deauth BlacklistC. Take no action as there is no protection against this form of attackD. Take no action as the Aruba system ignores this attack because it is against the clientE. Enable Detect EAP rate Anomaly

8/17/2019 ACMP_6.3


Answer: A,B

Explanation:Q137(group8) #show ap arm history ap-name AP1

Interface :wifi0

ARM History

-----------

Time of Change Old Channel New Channel Old Power New Power Reason

-------------- ----------- ----------- --------- --------- ------

2010-10-28 07:58:53 157+ 149+ 21 21 I

2010-10-28 07:52:06 149+ 157+ 21 21 M

2010-10-28 07:16:59 157+ 149+ 21 21 I

Interface :wifi1

ARM History

-----------

Time of Change Old Channel New Channel Old Power New Power Reason

-------------- ----------- ----------- --------- --------- ------

2010-10-28 08:52:53 6 1 21 21 I

Referring to the output above. What can you conclude about AP1?

A. This device is scanning channels.B. This device is unstable because the channel assignment changed.C. The device changed channels recently.

8/17/2019 ACMP_6.3


D. The device changed channels and power levels recently.E. The device is transmitting at maximum power levels.

Answer: C

Explanation:Q138Which of the following parameters can be specified in a rule for AP classification? (Choose three)

A. SSID of an AP

B. Number of clients connected to an AP.C. SNR of an AP.D. Operating mode of an APE. Discovering APs

Answer: A,C,E

Explanation:Q139

Which of the following functions can be configured in the Controller WIP wizard? (Choose three)

A. Configure APs as Air MonitorsB. Configure rules for AP classification.C. Configure preset levels for intrusion detectionD. Blacklisting Rules for clientsE. Identify encryption method used in your network.

Answer: B,C,E

Explanation:Q140

A client device associates with an SSID provisioned with 802.1X authentication. The client is set for PEAP authentication. EAP termination (AAAFastconnect) is disabled on the controller. But the client continuously cycles through the authentication process. Which of the following couldcause this? (Choose two)

A. The client is provisioned with the wrong EAP type.

B. The client has an expired or revoked server certificate.C. The DHCP server is not enabled.D. The VLAN is missing for the SSID.E. The controller does not support PEAP in this mode.

8/17/2019 ACMP_6.3


Answer: A,B

Explanation:Q141

A client device associates with an SSID provisioned with 802.1X authentication. The client is set for LEAP authentication. EAP termination (AAAFastconnect) is enabled on the controller. But the client continuously cycles through the authentication process. Which of the following couldcause this?

A. The Radius server is rejecting the client credentials.

B. The client has an expired or revoked server certificate.C. The DHCP server is not enabled.D. The VLAN is missing for the SSID.E. The controller does not support LEAP in this mode.

Answer: E

Explanation:Q142

A client attaches to a secure jack interface set to untrusted. But when the client tries to access the captive portal page, the following messageappears, "Web Authentication is not enabled." What might be wrong?

A. The client has the browser provisioned with proxy settings.B. The controller port needs to be set to trusted.C. A "aaa" profile needs to be selected on the Wired Access page.D. A Captive Portal profile needs to be assigned to the initial role.E. Web Authentication cannot be used in this way.

Answer: D

Explanation:Q143Which command, when executed on a master controller, will show the APs connected to all controllers?

A. show stm connectivityB. show ap active

C. show ap databaseD. show ap bss-tableE. show ap controller-lms

8/17/2019 ACMP_6.3


Answer: C

Explanation:Q144Which of the following commands is most useful in showing the traffic of an individual user?

A. show datapath session tableB. show acl hitsC. show rightsD. show firewall

E. show traffic client

Answer: A

Explanation:Q145

An Aruba based network has a Master and four local controllers deployed. But one of the locals, a new installation, is not seen by the Master.What might be wrong? (Choose two)

A. PAPI is not enabled on the local controller.B. The master controller can only support three local controllers.C. IPSec is blocked by the internal network between the local and the master controllers.D. The passphrase does not match on the master and local controllers.E. GRE is blocked between the master and local controllers.

Answer: C,D

Explanation:Q146

An Aruba controller is configured with the correct IP address and gateway information and is connected to the corporate LAN via a core layer 2switch. Control Plane Security is not enabled on the network. An access point is provisioned with AP name and group and connected to a differentLayer 2 switch on the corporate LAN that has IP connectivity to the core layer 2 switch. The AP powers on and layer 2 connects to the network,but the wireless radios do not power on.

Which could cause this condition? (Choose two)

A. the layer 2 switches have ACLs that block GRE trafficB. the layer 2 switches are configured to block IPSec trafficC. a DHCP server is not configured for the segment to which the AP is connectedD. the AP's mac address needs to be configured in the Aruba controller whitelist.E the AP and controller are in different subnets

8/17/2019 ACMP_6.3


E. the AP and controller are in different subnets

Answer: A,C

Explanation:Q147In the diagram provided for this question, four buildings are identified on a college campus. Most of the wireless LAN traffic will be from studentsaccessing the internet.

8/17/2019 ACMP_6.3


According to Aruba best practices, which building is the best location to install the Aruba mobility controller?

A. data centerB. dormitory

8/17/2019 ACMP_6.3


yC. server farmD. libraryE. 3rd party site

Answer: A

Explanation:Q148Referring to the diagram provided for this question, representing an office wireless LAN deployment, there will be approximately 250 users in the

offices section of the building. All Switches are setup as L3 routers.

8/17/2019 ACMP_6.3


According to Aruba best practice, which network device is the best choice for the wireless clients' default gateway?

A. device 'A'B. device 'B'C. device 'C'D. device 'D'E. device 'C or D'

Answer: B

Explanation:Q149One hundred (100) additional APs were deployed in an existing network. But some APs are not able to connect to the lms-ip address, even thoughall of the APs belong to the same AP group. Which of the following are NOT potential causes? (Choose two)

8/17/2019 ACMP_6.3


A. The problem APs are not getting an IP address.B. The problem APs have the wrong lms-ip address setting.C. There is a firewall between the problem APs and the controller blocking PAPI.D. The controller does not support that many APs in a single AP-Group.E. There are not enough AP licenses to support the additional quantity of APs.

Answer: B,D

Explanation:Q150IEEE 802.11r provides support for which of the following:

A. radio measurements within a WLANB. radio measurement within an ESSC. fast roaming within an ESSD. fast roaming within a BSSE. roaming across controllers

Answer: C

Explanation:Q151If a Remote AP (RAP) is attempting to contact a controller that is behind a NAT device what protocol must be allowed through the NAT/Firewall?

A. PAPIB. NATTC. IPSecD. SSHE. GRE

Answer: B

Explanation:Q152

Which of the following are NOT valid RAP forwarding modes? (Choose two)

A. TunnelB. BridgeC. Split-TunnelD B k

8/17/2019 ACMP_6.3


D. BackupE. Standard

Answer: D,E

Explanation:Q153Which of the following are valid RAP operating modes?

A. Always, Backup, Standard, PersistentB. Always, Backup, Tunnel, PersistentC. Always, Hotel-Connect, Tunnel, StandardD. Backup, Hotel-Connect, Standard, PersistentE. Backup, Normal, Tunnel, Always

Answer: A

Explanation:

Q154When configuring split tunnel mode on a Remote AP (RAP) where is the routing function for the split tunnel defined?

A. On the IP routing tab in the configuration screen.B. On the AP provisioning screen.C. In the RAP static routing tablesD. In the Firewall policyE. In the RAP whitelist

Answer: D

Explanation:Q155When does a RAP's backup SSID begin broadcasting?

A. When the GRE tunnel to the controller is established.B. When the IPSec tunnel to the controller is established.

C. When the controller cannot be reached with PAPID. When bridging is required for guest users.E. When the controller cannot be reached with SSL

Answer: C

8/17/2019 ACMP_6.3


Explanation:Q156

A Remote AP provisioned in "Split-Tunnel" Forwarding mode has which characteristic?

A. Local traffic first goes to the controller and is then spilt back to the local network.B. Traffic is IPSec encrypted before it is sent to the controller.C. The user role must have a "Permit" statement in order to locally bridge the traffic.D. The user role must have a "route dst-nat" statement to locally bridge the traffic.

E. The RAP uses PAPI to send data traffic to the controller.

Answer: B

Explanation:Q157

A Remote AP was properly functioning before losing it's internet connection and now cannot communicate with the controller. What SSID is the APbroadcasting?

A. The SSID in Operational mode Always and Forwarding mode BackupB. The SSID in Operational mode Split Tunnel and Forwarding mode BridgeC. The SSID in Operational mode Always and Forwarding mode TunnelD. The SSID in Operational mode Standard and Forwarding mode TunnelE. The SSID in Operational mode Persistent and Forwarding mode Bridge

Answer: E

Explanation:Q158

A Remote AP provisioned with an SSID in "Bridged" forwarding mode has which one of the following characteristics?

A. The client obtains its IP address from the controller.B. The client's default gateway must be the controller.C. The client traffic is forwarded through a GRE tunnel to the controller.D. The client's default gateway may be the Access Point or a local gateway.E. The client's authentication must be 802.1X.

Answer: D

Explanation:Q159An AP 105 was converted into a RAP The RAP can authenticate its IPSec tunnel to a controller using which of the following methods? (Choose

8/17/2019 ACMP_6.3


An AP 105 was converted into a RAP. The RAP can authenticate its IPSec tunnel to a controller using which of the following methods? (Choosetwo)

A. 802.1X/EAP authenticationB. Captive Portal authenticationC. IP address authenticationD. Username/Password authentication.E. Certificate/MAC address authentication.

Answer: D,E

Explanation:Q160Which of the following describes a Remote AP provisioned in "Split-Tunnel" Forwarding mode?

A. Local user traffic first goes to the controller and is then spilt back to the local network.B. All data and control traffic goes to the controller unsecured.C. The user role must have a "Permit" statement in order to locally bridge the traffic.

D. The user role must have a "route src-nat" statement to locally bridge the traffic.E. The RAP uses PAPI to send data traffic to the controller.

Answer: D

Explanation:Q161

A Remote AP provisioned in "Split-Tunnel" Forwarding mode has which of the following characteristics?

A. Local traffic first goes to the controller and is then spilt back to the local network.

B. User Traffic is CPSec encrypted before it is sent to the controller.C. The user role must have a "Permit" statement in order to locally bridge the traffic.D. The user role must have a "permit dst-nat" statement to locally bridge the traffic.E. The RAP uses UDP 4500 to send traffic to the controller.

Answer: E

Explanation:Q162What is the purpose of Mesh Clusters?

A. To separate Mesh points from Mesh Portals.B To ensure that mesh APs with the same VAPs are not in the same cluster

8/17/2019 ACMP_6.3


B. To ensure that mesh APs with the same VAPs are not in the same cluster.C. To define a group of mesh APs that create mesh links with each other.D. To cluster mesh APs of the same model together.E. To enable mesh APs to join the nearest mesh portal cluster.

Answer: C

Explanation:Q163

A company purchased an indoor mesh deployment using the 620 controller and the AP 105 models, where 5 APs will be deployed on a floor toprovide wireless internet access for users. Users may open VPN tunnels using software clients over the wireless network to a 3rd party VPNconcentrator overseas. The company wants to limit wireless user access to TCP traffic locally and VPN traffic overseas.

In addition to the base AOS, which licenses will be necessary for this deployment?

A. VPN, PEF-NGB. AP Capacity, PEF-NGC. AP Capacity, PEF-NG, VPN

D. AP CapacityE. PEF-NG, PEF-V

Answer: B

Explanation:Q164When deploying Remote Mesh Portals, what is one of the purposes of the Mesh Private VLAN?

A. To separate wireless user traffic coming from mesh networks from non-mesh networks

B. To tag mesh wireless user traffic on a particular APC. To allow Mesh Points to form private vlan networks with certain usersD. To tag control plane traffic from Mesh points to the controllerE. To tag clients high priority traffic

Answer: D

Explanation:Q165How does an Aruba infrastructure calculate a wireless device's location?

A. GPS

B. RF Fingerprinting

8/17/2019 ACMP_6.3


g p gC. RSSI triangulationD. TDOAE. LBS

Answer: C

ACMP_6.3

Documents