Free HPE6-A84 Exam Braindumps (page: 4)

Page 4 of 16

Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

· Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
· Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
· VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

What is one change that you should make to the solution?

  A. Change the ubt-client-vlan to VLAN 13.
  B. Configure edge ports in VLAN trunk mode.
  C. Remove VLAN assignments from role configurations on the gateways.
  D. Configure the UBT solution to use VLAN extend mode.

Answer(s): C

Explanation:

In this design the VLAN of a tunneled wired client is assigned once, by the gateway, and the plan carries that assignment (VLAN 20) in the enforcement profile. A VLAN configured statically inside the gateways' "eth-internet" role definition would override it, so the role configurations on the gateways should carry only the firewall policies that define the access rights of the "eth-internet" role. The gateway then places the clients in VLAN 20 and applies the policies that belong to their role. [1]


Reference:

1: Aruba Certified Network Technician (ACNT) | HPE Aruba Networking, section "Get the Edge: An Introduction to Aruba Networking Solutions"



Refer to the scenario.

A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).

Switches are using local port-access policies.

The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the "eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.

The plan for the enforcement policy and profiles is shown below:

The gateway cluster has two gateways with these IP addresses:

· Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
· Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
· VRRP on VLAN 20 = 10.20.20.254

The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway fails, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.

Assume that you are using the "myzone" name for the UBT zone.

Which is a valid minimal configuration for the AOS-CX port-access roles?

  A. port-access role eth-internet gateway-zone zone myzone gateway-role eth-user
  B. port-access role internet-only gateway-zone zone myzone gateway-role eth-internet
  C. port-access role eth-internet gateway-zone zone myzone gateway-role eth-internet vlan access 20
  D. port-access role internet-only gateway-zone zone myzone gateway-role eth-internet vlan access

Answer(s): B

Explanation:

Because the gateway, not the switch, places tunneled clients in their VLAN, the local AOS-CX role needs no VLAN at all: it only has to point at the UBT zone and name the gateway role the client should receive. Option B does exactly that. "internet-only" is the local role name that CPPM returns to the switch, "myzone" is the UBT zone, and "eth-internet" is the role the gateway applies, which is where VLAN 20 comes from. Option A names the wrong gateway role ("eth-user"). Options C and D add a VLAN to the switch role, which contradicts gateway-side VLAN assignment, and option D's "vlan access" is missing its VLAN ID, so it is not a complete command. Two points worth checking alongside the role: the reserved VLAN the switch uses for tunneled clients comes from the global ubt-client-vlan setting, not from the role, and the high-availability requirement is met in the zone definition by giving it both gateways' system IPs (10.20.4.21 and 10.20.4.22) as primary and backup controller, so the switch can still reach the cluster when either gateway is down. [1]


Reference:

1: Aruba Certified Network Technician (ACNT) | HPE Aruba Networking, section "Get the Edge: An Introduction to Aruba Networking Solutions"



Refer to the scenario.

A customer requires these rights for clients in the "medical-mobile" AOS firewall role on Aruba Mobility Controllers (MCs):

Permitted to receive IP addresses with DHCP

Permitted access to DNS services from 10.8.9.7 and no other server

Permitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22

Denied access to other 10.0.0.0/8 subnets

Permitted access to the Internet

Denied access to the WLAN for a period of time if they send any SSH traffic

Denied access to the WLAN for a period of time if they send any Telnet traffic

Denied access to all high-risk websites

External devices should not be permitted to initiate sessions with "medical-mobile" clients, only send return traffic.

The line below shows the effective configuration for the role.



There are multiple issues with this configuration.
What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, "medical-mobile" rule 1 is "ipv4 any any svc-dhcp permit," and rule 6 is "ipv4 any any any permit".)

  A. Apply the "apprf-medical-mobile-sacl" policy explicitly to the "medical-mobile" user-role under the "medical-mobile" policy.
  B. In the "medical-mobile" policy, change the action for rules 2 and 3 to reject.
  C. In the "medical-mobile" policy, move rule 5 under rule.
  D. In the "medical-mobile" policy, change the subnet mask in rule 5 to 255.255.252.0.

Answer(s): D

Explanation:

The scenario requires that "medical-mobile" clients are denied access to 10.1.12.0/22, that is, 10.1.12.0 through 10.1.15.255, while the rest of 10.1.0.0/16 stays permitted. Rule 5 currently uses the mask 255.255.240.0 (/20). A mask only keeps the bits it sets, so "10.1.12.0 255.255.240.0" is really the network 10.1.0.0/20 and matches every address from 10.1.0.0 to 10.1.15.255; that also denies 10.1.0.0 through 10.1.11.255, which the scenario says must be reachable. Changing the mask to 255.255.252.0 (/22) narrows the rule to exactly 10.1.12.0 through 10.1.15.255. One related check: AOS firewall policies are evaluated top-down and the first matching rule wins, so this deny must sit above any broader permit for 10.1.0.0/16, otherwise the permit matches first and the deny is never reached. [1]


Reference:

1: Configuring Firewall Policies - Aruba, section "Firewall Policies"
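As an added illustration (not part of the original page and not the customer's configuration), the Python below evaluates a small AOS-style policy with first-match semantics against test destinations. The rule set is constructed from the scenario's requirements; only "any any svc-dhcp permit" and "any any any permit" are quoted on the page, and the other rules and their numbering are assumptions. It shows the 10.1.12.0 deny collapsing to 10.1.0.0/20 under the wrong mask, the same rule covering exactly 10.1.12.0/22 after the fix, and the deny being shadowed when it is placed below the broader /16 permit.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    """One line of an AOS-style policy: 'ipv4 any <dst> <svc> <action>'.

    Source is always 'any' in this example, so it is not modelled.
    """
    dst: str      # "any" or "<address> <netmask>" as typed on the controller
    svc: str      # "any" or a service alias such as "svc-dhcp" / "svc-dns"
    action: str   # "permit" or "deny"

    def network(self) -> IPv4Network | None:
        """The prefix the rule really covers, derived from address AND mask.

        strict=False mirrors the firewall: host bits under the mask are
        dropped, so '10.1.12.0 255.255.240.0' becomes 10.1.0.0/20.
        """
        if self.dst == "any":
            return None
        addr, mask = self.dst.split()
        return ip_network(f"{addr}/{mask}", strict=False)

    def matches(self, dst_ip: IPv4Address, svc: str) -> bool:
        if self.svc not in ("any", svc):
            return False
        net = self.network()
        return net is None or dst_ip in net


def evaluate(policy: list[Rule], dst: str, svc: str = "any") -> tuple[int | None, str]:
    """Return (rule number, action) of the first matching rule, top-down.

    AOS policies are first-match; a session that matches nothing is dropped
    by the implicit deny at the end, reported here as (None, 'deny').
    """
    ip = IPv4Address(dst)
    for number, rule in enumerate(policy, start=1):
        if rule.matches(ip, svc):
            return number, rule.action
    return None, "deny"


def effective_network(rule: Rule) -> str:
    """Printable form of the prefix a rule actually covers."""
    net = rule.network()
    return "any" if net is None else str(net)


# Constructed policy (assumption): meets the scenario's requirements except for
# the mask on the 10.1.12.0 deny; the numbering is this example's own.
WRONG_MASK = [
    Rule("any", "svc-dhcp", "permit"),                       # 1 DHCP
    Rule("10.8.9.7 255.255.255.255", "svc-dns", "permit"),   # 2 DNS to 10.8.9.7 only
    Rule("any", "svc-dns", "deny"),                          # 3 ... and no other server
    Rule("10.1.12.0 255.255.240.0", "any", "deny"),          # 4 meant as /22, typed as /20
    Rule("10.1.0.0 255.255.0.0", "any", "permit"),           # 5 rest of 10.1.0.0/16
    Rule("10.0.0.0 255.0.0.0", "any", "deny"),               # 6 other 10/8 subnets
    Rule("any", "any", "permit"),                            # 7 Internet
]

# Same policy with the mask corrected (the change the answer calls for).
FIXED = list(WRONG_MASK)
FIXED[3] = Rule("10.1.12.0 255.255.252.0", "any", "deny")

# Corrected mask, but the deny moved below the broader /16 permit: the
# permit now matches first and the deny is shadowed.
MISORDERED = FIXED[:3] + [FIXED[4], FIXED[3]] + FIXED[5:]


if __name__ == "__main__":
    print("deny rule covers", effective_network(WRONG_MASK[3]), "before the fix and",
          effective_network(FIXED[3]), "after")
    for dst in ("10.1.5.1", "10.1.13.9", "10.1.16.1", "10.2.3.4", "93.184.216.34"):
        print(f"{dst:>15}  wrong mask: {evaluate(WRONG_MASK, dst)}  "
              f"fixed: {evaluate(FIXED, dst)}  misordered: {evaluate(MISORDERED, dst)}")
```

Under the wrong mask 10.1.5.1 hits the deny even though it is outside 10.1.12.0/22; after the fix it falls through to the /16 permit, while 10.1.13.9 is still denied. In the misordered policy 10.1.13.9 is permitted by the /16 rule before the deny is ever consulted, which is the ordering problem the explanation warns about.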



A customer requires a secure solution for connecting remote users to the corporate main site. You are designing a client-to-site virtual private network (VPN) based on Aruba VIA and Aruba Mobility Controllers acting as VPN Concentrators (VPNCs). Remote users will first use the VIA client to contact the VPNCs and obtain connection settings.
The users should only be allowed to receive the settings if they are the customer's "RemoteEmployees" AD group. After receiving the settings, the VIA clients will automatically establish VPN connections, authenticating to CPPM with certificates.
What should you do to help ensure that only authorized users obtain VIA connection settings?

  A. Set up the VPNCs' VIA web authentication profile to use CPPM as the authentication server; set up a service on CPPM that uses AD as the authentication source.
  B. Set up the VPNCs' VIA web authentication profile to use an AD domain controller as the LDAP server.
  C. Set up the VPNCs' VIA connection profile to use two authentication profiles, one RADIUS profile to CPPM and one LDAP profile to AD.
  D. Set up the VPNCs' VIA connection profile to use one authentication profile, which is set to the AD domain controller's hostname.

Answer(s): A

Explanation:

The VIA web authentication profile authenticates the users who contact the VPNCs to download the VIA connection settings. The VPNCs can use either the internal database or an external server (RADIUS or LDAP) as the authentication source for this profile. To restrict the download to authorized users, point the profile at CPPM as a RADIUS server and build a service on CPPM that uses AD as its authentication source; CPPM's role mapping and enforcement can then check membership of the "RemoteEmployees" AD group and accept or reject the request accordingly. [1] The other options do not verify AD group membership at the settings-download step. Option B checks the users' credentials against AD but not their group membership. Options C and D change the VIA connection profile, which governs the later VPN connection phase (where these clients authenticate to CPPM with certificates), not the download of the connection settings. [2]


Reference:

1: Configuring the VIA Controller - Aruba, section "Configuring VIA Web Authentication Profile"
2: Configuring VIA Connection Profile - Aruba, section "Configuring Authentication Profile"







fabio commented on September 09, 2024
great work at all