Aruba Certified Mobility Professional 6.4 v1.0
Question 1
The Aruba Policy Enforcement Firewall (PEF) module supports source network address translation (src-nat).
Which is a use of this statement in an Aruba configuration?
- A. provide a single source IP address for users in a role
- B. redirect Captive Portal HTTP sessions
- C. redirect Access Points to another Aruba controller
- D. provide IP addresses to clients
- E. redirects clients to Aruba Firewall
Answer : A
Explanation:
2-5 - Policy Interpretation
Question 2
Review the following truncated output from an Aruba controller for this item.
(example) #show rights logon
access-list List
----------------
Position Name Location -
-------- ---- --------
1 logon-control
2 captiveportal
logon-control
-------------
Priority Source Destination Service Action
-------- ------ ----------- ------- ------
1 user any udp 68 deny
2 any any svc-icmp permit
3 any any svc-dns permit
4 any any svc-dhcp permit
5 any any svc-natt permit
captiveportal
-------------
Priority Source Destination Service Action
-------- ------ ----------- ------- ------
1 user controller svc-https dst-nat 8081
2 user any svc-http dst-nat 8080
3 user any svc-https dst-nat 8081
4 user any svc-http-proxy1 dst-nat 8088
5 user any svc-http-proxy2 dst-nat 8088
6 user any svc-http-proxy3 dst-nat 8088
Based on the above output from an Aruba controller, an unauthenticated user assigned to the logon role attempts to start an http session to IP address
172.16.43.170.
What will happen?
- A. the user's traffic will be passed to the IP address because of the policy statement:user any svc-http dst-nat 8080
- B. the user's traffic will be passed to the IP address because of the policy statement:user any svc-https dst-nat 8081
- C. the user's traffic will be passed to the IP address because of the policy statement:user any svc-http-proxy1 dst-nat 8088
- D. the user will not reach the IP address because of the policy statement:user any svc-http dst-nat 8080
- E. the user will not reach the IP address because of the implicit deny any any at the end of the policy.
Answer : D
Question 3
Refer to the following configuration segment for this item.
ip access-list session anewone
user network 172.16.1.0 255.255.255.0 any permit
user host 172.16.1.1 any deny
user any any permit
An administrator wants users to have access to all destinations except 172.16.1.1. Based on the above Aruba Mobility Controller configuration segment, which statements best describe this policy? (Choose two)
- A. The rule user host 172.16.1.1 any deny is redundant because of the implicit deny all at the end.
- B. The rule user network 172.16.1.0 255.255.255.0 any permit is redundant.
- C. The two rules user network 172.16.1.0 255.255.255.0 any permit and user host 172.16.1.1 any deny need to be re-sequenced.
- D. The last statement user any any permit is not required
- E. The last statement should be any any any deny
Answer : BC
Question 4
Refer to the following configuration segment for this item.
netdestination "internal"
no invert
network 172.16.43.0 255.255.255.0 position 1
range 172.16.11.0 172.16.11.16 position 2
!
ip access-list session "My-Policy"
alias "user" alias "internal" service_any permit queue low
!
A user frame is evaluated against this firewall policy with the following attributes:
Source IP: 172.17.49.3 Destination IP: 10.100.86.37 Destination Port: 80
Referring to the above file segment, how will the frame be handled by this firewall policy?
- A. The frame will be dropped because of the implicit deny all at the end of the netdestination definition.
- B. The frame will be dropped because of the implicit deny all at the end of the firewall policy.
- C. The frame will be forwarded because of the implicit permit all at the end of the firewall policy.
- D. The frame will be passed because there is no service specified in the firewall policy.
- E. The frame will be dropped because there is no service specified in the firewall policy.
Answer : B
Question 5
ip access-list session anewone
user network 10.1.1.0 255.255.255.0 any permit
user any any permit
host 10.1.1.1 host 10.2.2.2 any deny
A user sends a frame with the following attributes:
Source IP: 10.1.1.1 Destination IP: 10.2.2.2 Destination Port: 25
Based on the above Mobility Controller configuration file segment, what will this policy do with the user frame?
- A. The frame is discarded because of the implicit deny all at the end of the policy.
- B. The frame is discarded because of the statement:user host 10.1.1.1 host 10.2.2.2 deny.
- C. The frame is accepted because of the statement:user any any permit.
- D. The frame is accepted because of the statement:user network 10.1.1.0 255.255.255.0 any permit.
- E. This is not a valid policy.
Answer : C
Question 6
ip access-list session anewone
user network 10.1.1.0 255.255.255.0 any permit
user host 10.1.1.1 any deny
user any any permit
Referring to the above portion of a Mobility Controller configuration file, what can you conclude? (Choose two)
- A. This is a session firewall policy.
- B. This is an extended Access Control List (ACL).
- C. Any traffic going to destination 10.1.1.1 will be denied.
- D. Any traffic going to destination 10.2.2.2 will be denied.
- E. Any traffic going to destination 172.16.100.100 will be permitted.
Answer : AE
Question 7
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.
If machine authentication fails and user authentication passes, which role will be assigned?
- A. employee
- B. guest
- C. denyall
- D. logon
- E. no role is assigned
Answer : B
Question 8
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.
If machine authentication passes and user authentication fails, which role will be assigned?
- A. employee
- B. denyall
- C. guest
- D. logon
- E. no role is assigned
Answer : B
Question 9
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP.
If machine authentication fails and user authentication fails, which role will be assigned?
- A. employee
- B. guest
- C. Captive Portal
- D. Logon
- E. no role will be assigned
Answer : E
Explanation:
3-2 - Configuration Wizards
Question 10
What can NOT be configured from the Aruba controller configuration wizards?
- A. Controller IP
- B. Boot Partition
- C. User firewall policy.
- D. User derivation rules.
- E. Radius Servers
Answer : B
Question 11
An administrator is setting up a factory default controller. No new AP groups were created. When adding a WLAN SSID in the Campus WLAN wizard what AP group is available?
- A. The air-monitors AP group
- B. The logon AP group
- C. The default AP group
- D. The initial AP group
- E. The Spectrum AP group
Answer : C
Question 12
The reusable Aruba Controller wizards are accessible in what way?
- A. Only on startup through the CLI
- B. Through the CLI, after the initial CLI wizard has been completed
- C. In the Web UI under maintenance.
- D. In the Web UI under configuration.
- E. Must be initialized from CLI first.
Answer : D
Question 13
The Controller wizard enables which of the following controller clock configurations? (Choose three)
- A. NTP to a time server
- B. Set time zone
- C. Daylight savings time
- D. Only GMT can be configured
- E. Manual configuration of date and time
Answer : ABE
Question 14
When configuring ports in the Controller wizard, which of the following are NOT configuration options? (Choose two)
- A. Inter-VLAN routing
- B. Speed
- C. Trusted
- D. LACP
- E. Trunk
Answer : AD
Explanation:
3-3 - Management
Question 15
By default, which CLI based remote access method is enabled on Aruba controllers?
- A. RSH
- B. Telnet
- C. SSH
- D. Telnet and SSH
- E. Telnet, SSH and RSH
Answer : C