ACMP-6.4 Aruba Certified Mobility Professional 6.4

Question 1

By default, centralized licensing messages between master and local controllers are sent
___________________.

  • A. In the clear, unencrypted, since the master and local controllers already share IPSec tunnels.
  • B. Using CPSec
  • C. Using IPSec site to site VPN tunnels
  • D. Encrypted using GRE
  • E. PAPI



Answer : A

Topic 2, Firewall Roles and Policies

2-1 - Policy Design

Question 2

Review the following truncated output from an Aruba controller for this item.

(example) #show rights logon

access-list List
----------------
Position  Name           Location
--------  ----           --------
1         logon-control
2         captiveportal

logon-control
-------------
Priority  Source  Destination  Service   Action
--------  ------  -----------  -------   ------
1         user    any          udp 68    deny
2         any     any          svc-icmp  permit
3         any     any          svc-dns   permit
4         any     any          svc-dhcp  permit
5         any     any          svc-natt  permit

captiveportal
-------------
Priority  Source  Destination  Service          Action
--------  ------  -----------  -------          ------
1         user    controller   svc-https        dst-nat 8081
2         user    any          svc-http         dst-nat 8080
3         user    any          svc-https        dst-nat 8081
4         user    any          svc-http-proxy1  dst-nat 8088
5         user    any          svc-http-proxy2  dst-nat 8088
6         user    any          svc-http-proxy3  dst-nat 8088

Based on the above output from an Aruba controller, an unauthenticated user assigned to
the logon role attempts to start an HTTP session to IP address 172.16.43.170.
What will happen?

  • A. the user's traffic will be passed to the IP address because of the policy statement: user any svc-http dst-nat 8080
  • B. the user's traffic will be passed to the IP address because of the policy statement: user any svc-https dst-nat 8081
  • C. the user's traffic will be passed to the IP address because of the policy statement: user any svc-http-proxy1 dst-nat 8088
  • D. the user will not reach the IP address because of the policy statement: user any svc-http dst-nat 8080
  • E. the user will not reach the IP address because of the implicit deny any any at the end of the policy.


Answer : D

Question 3

An administrator creates a WLAN with an unmodified default AAA profile. What is the
default role the user is placed in?

  • A. default-logon
  • B. logon
  • C. guest-logon
  • D. default-ap
  • E. AP-Role


Answer : B

Question 4

ip access-list session anewone
  user network 10.1.1.0 255.255.255.0 any permit
  user host 10.1.1.1 any deny
  user any any permit

Referring to the above portion of a Mobility Controller configuration file, what can you
conclude? (Choose two)

  • A. This is a session firewall policy.
  • B. This is an extended Access Control List (ACL).
  • C. Any traffic going to destination 10.1.1.1 will be denied.
  • D. Any traffic going to destination 10.2.2.2 will be denied.
  • E. Any traffic going to destination 172.16.100.100 will be permitted.


Answer : A,E

Question 5

The Aruba Policy Enforcement Firewall (PEF) module supports source network address
translation (src-nat).
Which is a use of this statement in an Aruba configuration?

  • A. provide a single source IP address for users in a role
  • B. redirect Captive Portal HTTP sessions
  • C. redirect Access Points to another Aruba controller
  • D. provide IP addresses to clients
  • E. redirects clients to Aruba Firewall


Answer : A

Explanation: 2-5 - Policy Interpretation

Question 6

ip access-list session anewone
  user network 10.1.1.0 255.255.255.0 any permit
  user any any permit
  host 10.1.1.1 host 10.2.2.2 any deny

A user sends a frame with the following attributes:
Source IP: 10.1.1.1
Destination IP: 10.2.2.2
Destination Port: 25

Based on the above Mobility Controller configuration file segment, what will this policy do
with the user frame?

  • A. The frame is discarded because of the implicit deny all at the end of the policy.
  • B. The frame is discarded because of the statement: user host 10.1.1.1 host 10.2.2.2 deny.
  • C. The frame is accepted because of the statement: user any any permit.
  • D. The frame is accepted because of the statement: user network 10.1.1.0 255.255.255.0 any permit.
  • E. This is not a valid policy.


Answer : C

Question 7

Refer to the following configuration segment for this item.

netdestination "internal"
  no invert
  network 172.16.43.0 255.255.255.0 position 1
  range 172.16.11.0 172.16.11.16 position 2
ip access-list session "My-Policy"
  alias "user" alias "internal" service_any permit queue low

A user frame is evaluated against this firewall policy with the following attributes:
Source IP: 172.17.49.3
Destination IP: 10.100.86.37
Destination Port: 80

Referring to the above file segment, how will the frame be handled by this firewall policy?

  • A. The frame will be dropped because of the implicit deny all at the end of the netdestination definition.
  • B. The frame will be dropped because of the implicit deny all at the end of the firewall policy.
  • C. The frame will be forwarded because of the implicit permit all at the end of the firewall policy.
  • D. The frame will be passed because there is no service specified in the firewall policy.
  • E. The frame will be dropped because there is no service specified in the firewall policy.


Answer : B

Question 8

Which statements describe "roles" as used on Aruba Mobility Controllers? (Choose two)

  • A. Roles are assigned to users.
  • B. Roles are applied to interfaces.
  • C. Policies are built from roles.
  • D. A user can belong to only one role at a time.
  • E. Roles are a set of authentication rules


Answer : A,D

Explanation: 2-3 - Aliases

Question 9

When creating a firewall rule, what are valid choices for the Service/Application field?
(Choose three)

  • A. Applications
  • B. Applications Category
  • C. Internet Protocol
  • D. Internet Category
  • E. Protocol


Answer : A,B,E

Question 10

What are valid methods of blacklisting a device? (Choose three)

  • A. Manually
  • B. Firewall Rule
  • C. Firewall Policy
  • D. Authentication Failures
  • E. Data Rate Thresholds


Answer : A,B,D

Question 11

What is the blacklist default time?

  • A. 30 seconds
  • B. 1800 seconds
  • C. 3600 seconds
  • D. No default time, it must be done manually
  • E. 1 day


Answer : C

Explanation: 2-2 - Roles

Question 12

What are aliases used for?

  • A. improve controller performance
  • B. simplify the configuration process
  • C. tie IP addresses to ports
  • D. assign rules to policies
  • E. assign policies to roles


Answer : B

Question 13

Which of the following firewall rules allows a user to initiate an ICMP session to other
devices? (Choose two)

  • A. localip any svc-icmp permit
  • B. user any svc-icmp permit
  • C. user user svc-icmp permit
  • D. any any svc-icmp permit
  • E. mswitch any svc-icmp permit


Answer : B,D

Question 14

Refer to the following configuration segment for this item.

ip access-list session anewone
  user network 172.16.1.0 255.255.255.0 any permit
  user host 172.16.1.1 any deny
  user any any permit

An administrator wants users to have access to all destinations except 172.16.1.1. Based
on the above Aruba Mobility Controller configuration segment, which statements best
describe this policy? (Choose two)

  • A. The rule user host 172.16.1.1 any deny is redundant because of the implicit deny all at the end.
  • B. The rule user network 172.16.1.0 255.255.255.0 any permit is redundant.
  • C. The two rules user network 172.16.1.0 255.255.255.0 any permit and user host 172.16.1.1 any deny need to be re-sequenced.
  • D. The last statement user any any permit is not required
  • E. The last statement should be any any any deny


Answer : B,C

Question 15

Which of the following could be used to set a user's post-authentication role or VLAN
association? (Choose two)

  • A. AAA default role for authentication method
  • B. Server Derivation Rule
  • C. Vendor Specific Attributes
  • D. AP Derivation Rule
  • E. The Global AAA profile


Answer : B,C
