8/17/2019 Aruba-ACMA_6.3
http://slidepdf.com/reader/full/aruba-acma63 1/33
Aruba
Exam ACMA_6.3
Aruba Certified Mobility Associate 6.3
Q1
When local controller is selected as the controller's operation mode in the startup wizard, which is no longer configurable?
A. Licenses
B. WLANs
C. VLANs and IP addressing
D. Controller country code
E. Time zone
Answer: B
Q2
A Remote AP uses which type of secure tunnel to communicate with a controller:
A. NAT-T
B. IPSec
C. PPTP
D. GRE
E. IP-IP
Answer: B
Q3
When configuring roles under 'Access Control' in the Controller's Configuration page, what does the 'show reference' action tell us?
A. Which firewall hits were detected that refer to the role
B. Which profiles refer to the role
C. What policies are inside the role
D. What users are currently assigned that role
E. What authentication methods use Roles with these policies
Answer: B
Q4
When would you use the Reject action in a firewall policy?
A. To let hackers know which ports are open on your firewall
B. To let your users know that they are in violation of corporate policies
C. To tell downstream routers to use a more appropriate router
D. To aid in troubleshooting firewall policy configuration
E. To let the system count the violations
Answer: D
Q5
In what order does the AP dynamically discover the Master controller?
A. DNS query, ADP Broadcast, ADP Multicast, DHCP option 43
B. DHCP option 43, ADP Multicast, ADP Broadcast, DNS query
C. DHCP option 43, DNS query, ADP Multicast, ADP Broadcast
D. ADP Multicast, ADP Broadcast, DHCP option 43, DNS query
E. DHCP option 43, ADP Broadcast, ADP multicast, DNS Query
Answer: B
Q6
What does SET ORIENTATION option do in the Visual RF Plan edit tool?
A. Set the horizontal plane on each floor
B. Give the option to resize a floor
C. Sets the North/South orientation of the building
D. Sets the proper vertical floor plan alignment
E. Allows the planner to set the directional antenna orientation
Answer: D
Q7
Which of these are supported by the Aruba Controller? (Select two)
A. SNMP
B. HSRP
C. AES Encryption
D. Blowfish encryption
E. BGP
Answer: A,C
Q8
In the startup wizard the ports configuration screen allows you to do the following (Select three)?
A. Identify trunk ports
B. Configure port channels
C. Assign VLANs
D. Identify the native VLAN for a port
E. Specify the IP address of the Vlan
Answer: A,C,D
Q9
An administrator wants to assign a VLAN to a user based upon the authentication process using Vendor Specific Attributes (VSA). Where are Aruba Vendor Specific Attribute (VSA) values provisioned?
A. controller
B. client
C. RADIUS server
D. Internal user database
E. Option 60 of DHCP reply
Answer: C
Q10
A port firewall policy is applied to a trunk port that denies controller access. An "allow all" Vlan firewall policy is applied to VLAN 33 on the same port. A user connected to VLAN 33 on that port attempts to gain access to the controller. Which of the following statements is true?
A. The Port policy is applied, therefore no controller access
B. The Vlan policy is applied, then the port policy, therefore no controller access
C. The Vlan policy is applied, therefore access to the controller is allowed
D. You cannot place a firewall policy on a Ports Vlan when the Port already has a policy, therefore no controller access
E. When locally connected to a controller's port you always have controller access
Answer: C
Q11
What is the purpose of the validuser ACL?
A. When a user transmits data through the controller, the validuser ACL is used to check if the user is in the layer 3 user-table
B. Before a client is added to the controller's user table, the validuser ACL is checked to make sure the client has a valid IP address
C. The validuser ACL is used during 802.1X authentication to check that the client is in the layer 3 user-table
D. When an AP needs to transmit data to a user, it checks the validuser ACL to make sure the user has a valid IP address
E. A list of configured MAC addresses that define the valid users
Answer: B
Q12
A reboot of the controller is necessary in which of the following scenarios? (Select two)
A. Changing controller IP
B. Changing the VLAN of a Virtual AP Profile
C. Creating of a new AP Group
D. Changing of Controller Role
E. Extending a license range
Answer: A,D
Q13
Which of these are NOT a client attribute that can be configured in user derivation rules?
A. MAC address
B. DHCP option value
C. BSSID
D. Filter ID
E. encryption
Answer: D
Q14
When configuring a default gateway in the startup wizard it must be a part of:
A. A VLAN configured with an IP interface and assigned to a port
B. An IP range that is not assigned to a port or VLAN
C. A VLAN assigned to a port but without an IP interface configured
D. A VLAN not configured on the controller
E. The management Vlan
Answer: A
Q15
View the Server group screen shot above.
A company has provisioned the same VAP, AAA and SSID profiles at both its Miami and NY offices. This Server Group is applied for 802.1x authentication at both locations. The user's credentials are only found in the Miami Radius server "RadiusMiami". There is no Radius synchronization and both servers are reachable. What happens when the user attempts to authenticate?
A. The controller recognizes the user's Domain and sends the authentication request directly to RadiusMiami.
B. The request is initially sent to RadiusNY1 then RadiusNY1 redirects the controller to send the authentication request to RadiusMiami
C. RadiusNY1 receives the request and returns a deny. No other action is taken.
D. RadiusNY1 receives the request and returns a deny. The authentication request will then be sent to RadiusMiami.
E. The RadiusNY1 sends the request to RadiusMiami that replies to the controller
Answer: C
Q16
Which method can APs use to discover a controller?
A. DHCP
B. Dynamic DNS (DDNS)
C. PnP
D. PAPI
E. HTTPS
Answer: A
Q17
When adding licenses in the startup wizard license screen a reboot is required:
A. After each license is installed
B. Before any other configuration can take place
C. Only if the Policy Enforcement Firewall license is installed
D. Once the last License is added
E. A reboot is not required until you have completed the configuration wizard
Answer: E
Q18
Which of the following is NOT available for configuration via startup wizard?
A. Controller name
B. Country Code
C. Loopback IP
D. VLAN IP
E. Firewall Roles
Answer: C
Q19
In a master-local controller scenario, where is the mobility domain defined?
A. the AP group
B. the master controller
C. the local controller
D. the master and the local controllers
E. the master and the local controllers where roaming is needed
Answer: B
Q20
Which of the following is NOT available for configuration in the startup wizard?
A. RF Plan
B. Administrator and enable passwords
C. Native VLANs on a per port basis
D. WPA-PSK encryption
E. Radius Server
Answer: A
Q21
When looking at clients in the 'Monitoring Clients' section of the Controller, which of the following information is NOT visible?
A. Role
B. MAC address
C. Output power of client radio
D. Method of authentication
E. Age
Answer: C
Q22
A wired device is connected to an untrusted port on a controller. How can a role be assigned to the device?
A. An initial Role can be assigned directly to the VLAN
B. Roles are assigned to devices connected to a trusted port
C. A default Role can be directly assigned to an untrusted port
D. Adding a wired AAA profile to a VLAN on the untrusted port
E. The Role assigned to the untrusted port
Answer: D
Q23
Which of the following statements about management accounts is false?
A. The root account can be used to monitor access points connected to the controller
B. The guest-provisioning account can see the controller's configuration but cannot change it
C. The read-only account cannot delete internal database entries
D. The guest-provisioning account can make changes to the internal AP database
E. The network-operations account cannot access configuration
Answer: B
Q24
802.1X authentication takes place:
A. Prior to granting access to L2 media
B. After the user has an IP address
C. After the user sees the captive portal page
D. Prior to the user associating with the AP
E. Once the IPSEC tunnel is up
Answer: A
Q25
What are the four views available in Visual RF Plan (Select four)?
A. User View
B. Controller View
C. Access Point View
D. Floor Plan View
E. Network, Campus and Building View
Which of the following is true of an Aruba Mobility Controller acting as a layer 2 switch? (Select two):
A. The Mobility Controller is the client's default router.
B. The Mobility Controller acts as a bridge.
C. All stations must use the same VLAN
D. Uplink ports on the Mobility Controller can use 802.1q tagging
E. VLANs cannot have IP addresses
Answer: B,D
Q27
Firewall policy should be written from:
A. Least specific to most specific
B. Most specific to least specific
C. Most important resources first
D. Order is not important
E. Policies with the most rules 1st
Answer: B
Q28
A port on a controller has been configured as untrusted. No wired access AAA profile or Global AAA profile is configured. When a user connects to that port which of the following statements is true?
A. Since there is no wired access AAA profile, only port policies will be applied
B. The user will fall into the default wired access AAA profile and will be given the initial role.
C. Since there is no wired access AAA profile or Global AAA profile the user will be given the logon role.
D. When configuring the port as untrusted, an error message of "no wired access AAA profile exists" Therefore this is an invalid configuration.
E. the user is denied all access automatically because no wired access AAA or Global AAA profile is assigned.
An access port has been placed in trusted mode. The Vlan on the port is in Untrusted mode. Which of the following statements is true?
A. The traffic is trusted since the port is trusted
B. The traffic is untrusted since the VLAN is untrusted
C. This is an invalid configuration, both must be set the same
D. You cannot set Vlans as trusted or untrusted
E. Only traffic from that specific port is trusted, all other traffic is untrusted
Answer: B
Q30
802.11n APs operate in which bands? (Select two)
A. 900 MHz
B. 2.4 GHz
C. 2.4 MHz
D. 5 GHz
E. 5 MHz
Answer: B,D
Q31
What is NOT a basic configuration in the startup wizard when configuring a WLAN?
A. SSID
B. VLAN
C. Radio Type
D. Antenna Type
E. Firewall Role
Which of the following can be configured in the GUI setup wizard? (Select three)
A. timezone
B. WLAN
C. VLAN
D. Loopback address
E. DHCP Option 43
Answer: A,B,C
Q33
The Guest Provisioning user account has the ability to do which of the following?
A. Add a new employee to the internal database
B. Change the "look" and "feel" of the guest provisioning page
C. Change the available data fields on the guest provisioning page
D. Add a guest user to the internal database
E. Assign a Role to a guest account
Answer: D
Q34
Where in the controller would we configure a wireless network NOT to use encryption?
A. AAA profile
B. SSID profile
C. ARM profile
D. Radio profile
E. VAP profile
Answer: B
Q35
Aruba's recommended best option for authenticating guest users is:
A. Temporary employee account
B. Kerberos
C. Captive Portal
D. Windows logon
E. Email address
Answer: C
Q36
Which is the strongest encryption type?
A. AES
B. TKIP
C. WEP
D. MSCHAPv2
E. DES
Answer: A
Q37
How many roles should be created on a controller?
A. One per authentication type
B. As many as necessary
C. The same number as firewall policies
D. One less than the number of firewall policies
E. The same number as SSIDs
Answer: B
Q38
In a Campus AP deployment, an access point has been provisioned statically with an IP address, subnet mask, default gateway and Controller IP address. Control Plane Security has been disabled. Both the Controller and the Access Point are using 6.3 firmware. If a 3rd party firewall is placed in between the AP and controller, what traffic would need to be allowed for the AP to boot successfully and broadcast Wireless Networks? (Select two)
Which of the following information is gathered by APs during scanning periods? (Select three)
A. MAC addresses of neighboring APs
B. Security threats in the surroundings
C. Type of non-802.11 interference detected
D. Interfering Clients connected to other APs
E. 4.9 GHz devices
Answer: A,B,D
Q43
What Controller modes of operation are available from the startup wizard (Select three)?
A. Primary
B. Standalone
C. Master
D. Local
E. Backup controller
Answer: B,C,D
Q44
When configuring a guest WLAN via the WLAN section of the startup wizard, which security option is NOT available?
A. WEP encryption
B. Direct access to the internet with no captive portal
C. Captive portal with authentication via credentials
D. Captive portal with email registration
E. Captive Portal with no authentication or registration
Answer: A
Q45
The characteristics of 802.1X Authentication include (Select three):
A. L3 Authentication
B. Extensible Authentication Protocol
C. Support of RADIUS external authentication
D. Port based authentication
E. EAP terminates on authenticator
Answer: B,C,D
Q46
Visual RF Plan requires certain building information when defining a new building. Which one of the following is NOT a user supplied building specification?
A. Building name
B. Longitude and Latitude
C. Attenuation between floors
D. Desired data rate
E. Number of APs
Answer: E
Q47
Which of the following is true about configuring a server group?
A. Server rules are used to send information to the configured servers
B. A server group can have more than 1 server
C. If the internal database is used in the server group, then no external servers can be added
D. If multiple servers are assigned to the server group, all except the 1st will be ignored
E. All the servers in a server group will be used round robin style
Answer: B
Q48
What is the IP address of the controller when using the startup wizard?
A. 192.168.1.1
B. 172.16.0.1
C. 10.1.1.1
D. 172.16.0.254
E. 10.1.10.100
Answer: D
Q49
When a client is blacklisted, the controller will:
A. Send a message telling the client it has been blacklisted
B. De-authenticate the client from the network but allow it to keep transmitting data
C. Only block the client if it hasn't yet associated with an AP
D. Stop the client from associating with any SSID on the controller
E. Block the client from the SSID he was connected to
Answer: D
Q50
What are some best practices when configuring the Aruba Firewall (Select two)?:
A. Use aliases when possible
B. Write rules from least specific to most specific
C. Take actions like blacklisting when users violate policies
D. Create a different policy for each unique rule
E. Create different policies for access to different servers
Answer: A,C
Q51
Clients connecting to a remote AP at a branch office can get an IP address through which of the following methods? (Select three)
A. DHCP server connected to the Remote AP's controller
B. DHCP server at a branch office
C. Address must be statically assigned
D. DHCP server inside the Remote AP
E. DHCP from global content server for Remote APs
Answer: A,B,D
Q52
How many Aruba controllers can be added to a single mobility domain?
A. 64 controllers of any type
B. 128 controllers supporting 2000 users
C. 256 controllers with no more than 1024 subnets
D. Controllers supporting up to 6000 AP's
E. There is no controller limit
Answer: E
Q53
When a barcode scanner connects to an AP, what is the 1st role that is assigned to it?
A. MAC authentication default role
B. 802.1X default role
C. Server derived role
D. Initial role
Which of the following parameters is not needed by Visual RF Plan in order to Plan APs on a floor region?
A. AP Type
B. PHY Type
C. Distance to Controller
D. Environment
E. Desired Data Rate
Answer: C
Q58
Remote AP in tunnel mode, by default, uses which of the following to encrypt user traffic back to the mobility controller?
A. L2TP over IPSec is used to carry user traffic and control traffic
B. PPTP is used to tunnel user traffic
C. The AP does not encrypt user traffic. The user's link layer encryption is used.
D. Remote AP traffic is unencrypted
E. Certificate based tunnel
Answer: C
Q59
Which of the following deployment types is NOT a valid option when using the AP Wizard?
A. LAN
B. Remote
C. Roaming
D. Remote Mesh
E. LAN Mesh
C. Aruba Controller's Master IP Address
D. An established NTP connection to the Master Controller
E. Establish an IPSEC tunnel with the Master controller
Answer: A,B,C
Q67
In what formats can Visual RF Plan export a Bill of Material (Select two)?
A. Microsoft Excel
B. CSV database format
C. Microsoft Word
D. HTML
E. MySQL
Answer: C,D
Q68
In decrypt-tunneled forwarding mode, which of the following is true?
A. Client sets up an IPSEC tunnel with the controller
B. The AP decrypts and then the 802.11 frame is sent in a GRE tunnel to the controller
C. The AP decrypts the 802.11 frame and bridges it on the wire
D. The AP decrypts the 802.11 frame, encrypts it as an Ethernet frame and sends it to the controller
E. Clients decrypted traffic is sent down the GRE tunnel
Answer: B
Q69
Guest access can be provided securely by combining the following components of an Aruba system: (Select two)
A. Use restrictive firewall policies to limit the guest user's access to internal resources
B. Providing guests their own APs and controllers
C. Dedicated APs
D. Authenticate users with the internal captive portal against the internal database or other
standard radius attribute of filter-Id with a value of "employee".
What Role will the user get?
A. The User will get the Emp Role
B. The User will get the 802.1x authentication default Role
C. The User will get the employee Role
D. The User will get the Employee Role
E. The User will get the initial Role
Answer: B
Q73
Which of the following is true of an Aruba Mobility Controller acting as a layer 3 router? (Select two):
A. The Mobility Controller is the client's default router.
B. The Mobility Controller acts as a bridge.
C. DHCP can be provided by the network infrastructure or the Mobility Controller.
D. The Mobility Controller supports BGP.
E. OSPF must be configured
Answer: A,C
Q74
A university has 2 departments. Department 1 has its own mobility domain with one controller. Department 2 has multiple controllers configured in a second domain. The university is planning on offering a new application and needs users to be able to roam between both mobility domains.
What is the best way to accomplish this?
A. The 2 existing domains should be left as they are. A 3rd mobility domain should then be created and all 3 controllers need to be added to it
B. Merge the controllers into the same mobility domain
C. The IP subnets of all controllers need to be configured to match
D. This cannot be accomplished
E. Create a new domain between a department 1 controller and one of the department 2
Which match condition can be used by a server derivation rule? (Choose two)
A. greater than
B. less than
C. inverse of
D. contains
E. equals
Answer: D,E
Q76
Which role is assigned prior to launching the captive portal splash screen?
A. Pre-authentication role
B. Post-authentication role
C. AAA role
D. AAA-CP role
E. CP default role
Answer: A
Q77
Which of the following is NOT one of the four continuous functions of ARM?
A. Monitoring the environment for the current operating and alternate channels
B. Collecting and classifying information obtained during background scans
C. Computing the best channel and power level to operate on
D. Create two indices for each AP, for each channel
E. Determining the best controller for APs to terminate
B. Pre-Authentication role
C. Authenticated role
D. Unauthenticated role
E. The Logon Role
Answer: B,C
Q85
Identify the benefits of using aliases when writing firewall policies (Select three)
A. Makes policies more readable.
B. Changes to policy rules that use aliases are auto updated.
C. End users are applied to the proper role.
D. Can be applied to a Role
E. Simplifies repetitive configuration.
Answer: A,B,E
Q86
Aliases are used in firewall policies to:
A. Apply firewall policies to ports in a stateful manner
B. Make firewall rules act like traditional ACLs
C. Ease readability and maintainability for source and destination addresses
D. Are a part of roles, not the firewall
E. Are applied as an action in a rule
Answer: C
Q87
Which is a Device Specific Attribute that can be evaluated in a user derivation rule?
A. user login name
B. authentication server
C. location by AP Name
D. controller Loopback address
E. controller IP
A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of "employee". The user was placed in the guest Role. What statements below are correct? (Choose two)
A. The user was placed in the 802.1x authentication default Role guest
B. The user was placed in the initial Role guest
C. Role derivation failed because roles are case sensitive
D. Role derivation failed because the incorrect operation "value-of" was used
E. 802.1x authentication failed so the user was automatically placed in the guest Role