HP HPE7-A07 Aruba Certified Campus Access Mobility Expert Written Exam Exam Practice Test

The sequence to return to the previous firmware version after an unsuccessful update would typically be:

hit any key to stop autoboot (This would prevent the system from automatically booting into the current, problematic firmware.)

def_part 1 (This command sets the default boot partition, which is likely where the previous working firmware is located.)

bootf (This command would boot from the specified flash partition, which after the second step, would be the previous firmware.)

osinfo (After the system is booted, this command could be used to confirm the firmware version now running on the gateway.)

Multi-Pre-Shared Key (MPSK) with ClearPass is the recommended solution for a scenario where the IT Helpdesk needs to configure IoT devices to connect to a single SSID using unique PSKs. MPSK allows for the use of different PSKs on the same SSID, and ClearPass enables the management of these unique keys efficiently.

In 802.11ax (Wi-Fi 6), OFDMA (Orthogonal Frequency Division Multiple Access) subdivides a channel into resource units, enabling simultaneous uplink and downlink transmissions for multiple clients. This is specifically optimized for many small packets (typical of IoT), reducing contention and improving efficiency. MU-MIMO (UL/DL) helps with multiple spatial streams for larger frames and strong SNR clients, while HE TXBF improves range/data rate for individual links; neither addresses small-packet concurrency as directly as OFDMA.

To achieve the bandwidth limits set by the network administrator, both per-application and total limits need to be configured. Option B shows the configuration for setting a per-application bandwidth limit, which can restrict YouTube traffic to 10 Mbps in both directions. Option D shows the configuration for setting a total bandwidth limit for all users within the voice role to 50000 Kbps (or 50 Mbps), satisfying the requirement to restrict total wireless bandwidth. By applying these configurations in HPE Aruba Networking Central, the administrator will successfully implement the necessary controls to ensure that visitor traffic does not impede the network performance for employee traffic, aligning with the capabilities of Aruba solutions to manage and prioritize network resources effectively.

To address connectivity issues when students are working outdoors, increasing the transmission (TX) power range for the 5GHz radios can help improve signal strength and coverage. The setting shown indicates a conservative approach to power settings, which might not provide sufficient coverage for outdoor areas. By increasing the power range, you can extend the wireless signal reach, which aligns with best practices for outdoor wireless coverage.

The command output shows WMM transmit counters per access category on the AP:

Tx WMM [BK] 56

Tx WMM [BE] 35

Tx WMM [VI] 200093

Tx WMM [VO] 0

Drops: BE Dropped 566, VO Dropped 3

In Aruba WLAN QoS, traffic is queued using WMM access categories mapped from 802.1p/DSCP/UP values:

AC_VO (Voice) is for latency-sensitive voice; it should carry EF/DSCP 46 and UP 6.

AC_VI (Video) is for video; it should not carry voice traffic.

The statistics show zero traffic in AC_VO and a very large amount in AC_VI during the test calls. This indicates that voice frames are being mapped to the Video access category instead of Voice, which reduces priority and increases contention—consistent with poor call quality during busy periods.

HPE Aruba documentation states:

“Voice traffic (EF/46, UP 6) must be mapped to WMM Voice (AC_VO) to receive the highest priority.”

“Incorrect DSCP/UP-to-WMM mapping results in voice frames using lower-priority queues (e.g., AC_VI) and degraded call quality.”

Therefore, the corrective action is to reconfigure DSCP/UP-to-WMM mapping so that DSCP 46 (EF) maps to UP 6 → AC_VO on the SSID/user-role, ensuring voice traffic uses the proper Voice queue.

Why others are incorrect:

B. enable WMM for the SSID – WMM is already active (WMM counters are present).

C. disable AirSlice – Not indicated; issue is misclassification, not airtime reservation.

D. update ACLs – ACLs don’t fix QoS category mapping for voice marking.

References (HPE Aruba official guides):

Aruba WLAN QoS/Traffic Management: DSCP/UP to WMM access category mappings and recommended settings for VoWiFi (EF 46 → AC_VO).

Aruba Mobility and AOS 10 QoS configuration: user-role/SSID QoS mapping behavior and WMM queue operation.

For Downloadable User Roles (DUR) to function correctly with ClearPass, the Network Access Devices (NADs) need to be correctly defined in ClearPass under the "Devices" tab. This ensures that ClearPass can identify and communicate with the NADs to deliver the appropriate user roles. If the NADs are not correctly defined, ClearPass will not be able to provide the DURs to the access points for enforcement. This is a common configuration step that is required to integrate ClearPass with network devices for advanced role-based access control.

In an Aruba network, if an SSID is configured for a primary and secondary gateway cluster with cluster preemption enabled, each AP individually will decide to move to the secondary gateway cluster if all of the nodes in the primary gateway cluster are down. This decentralized decision-making process enhances network resilience and ensures uninterrupted service for clients connected to the APs.

The issue indicated by the output is an invalid pre-shared key (PSK). The logs show multiple failures during the WPA2 key exchange process, which points to a mismatch between the PSK configured on the client device and the PSK expected by the AOS 10 mobility gateway.

The exhibit shows that the SSID supports 802.11ax clients, which is indicated by the presence of HT (High Throughput) information, VHT (Very High Throughput) capabilities, and HE (High-Efficiency) operation, which are all features associated with 802.11ax, also known as Wi-Fi 6.

In HPE Aruba Networking (AOS-CX and ArubaOS-S), Group-Based Policy (GBP) provides policy-based segmentation between roles by defining source and destination roles within the GBP configuration. These policies are defined using GBP classes, policies, and roles that determine how traffic between different user groups is handled.

From the configuration snippet shown in the exhibit, the following GBP policies and roles are defined:

class gbp-ip GBP-EMPLOYEE

class gbp-ip GBP-CONTRACTOR

port-access gbp GBP-EMPLOYEE

port-access gbp GBP-CONTRACTOR

When the command

Edge-1(config-pa-role)# associate gbp GBP-EMPLOYEE

is executed, the error message appears:

“The destination role in one or more classes of the policy does not match the role to which the policy is being associated to. % Command failed.”

This message clearly indicates that the role being associated (EMPLOYEE) does not match the destination role name defined in the GBP policy (GBP-EMPLOYEE).

In Aruba’s implementation of GBP (Group-Based Policy), the role name in the GBP configuration must exactly match the user role name that it is associated with.

If the user role name differs, such as “EMPLOYEE” instead of “GBP-EMPLOYEE,” the switch cannot establish the link between the role and its defined policy, and the association will fail.

HPE Aruba Official Explanation (Extracted from ArubaOS-S and AOS-CX Configuration Guide):

“The GBP role name must match the user role name exactly when associating a GBP policy with a port-access role.

If the configured GBP role name does not correspond to the user role name, the association will fail, and the system will generate a mismatch error.”

Therefore, in this scenario, the role EMPLOYEE should be renamed or recreated as GBP-EMPLOYEE so that the GBP policy association succeeds.

Option Analysis:

A. Configure a user role called GBP-EMPLOYEE instead of EMPLOYEE — Correct.The role name must match the GBP role name exactly. This resolves the mismatch error.

B. Associate the port-access role to the GBP role using the role ID — Incorrect.GBP does not use role IDs; it uses role names for matching and association.

C. Update the port-access GBP policies to reference the EMPLOYEE role — Incorrect.GBP policy definitions cannot be dynamically modified in this manner. The correct fix is to align role naming.

D. Update the entries in the class maps to reference the EMPLOYEE role — Incorrect.The class map references traffic classification, not the association of user roles.

Final Verified Answer: A

Reference Sources (HPE Aruba Official Materials):

ArubaOS-S 16.x Security Configuration Guide – Group-Based Policy (GBP) Roles and Policies

ArubaOS-CX 10.x Advanced Traffic Management and Policy Enforcement Guide

HPE Aruba Certified Switching Professional (ACSP) Study Guide – Role-Based Access Control and GBP Association

The command shown in the exhibit is:

Access-1# show ubt state

This command displays the User-Based Tunneling (UBT) status on an Aruba CX switch. UBT allows wired access devices (like CX 6300/6400) to extend tunneled connectivity to Aruba gateways, using GRE tunnels for user traffic.

The output contains the following sections:

1. Local Conductor Server (LCS) State

Primary : 172.16.200.252 ready_for_bootstrap operational_primary

Secondary : 172.16.200.253 ready_for_bootstrap operational_secondary

This confirms that two gateways (IP 172.16.200.252 and 172.16.200.253) form an LCS pair in an Aruba gateway cluster.

Exact extract:

“The Local Conductor Servers (LCS) represent the pair of Aruba Gateways that control and terminate UBT tunnels. One operates as the primary (active) and the other as the secondary (standby). These gateways must be configured as a cluster pair.”

2. Switch Anchor Controller (SAC) State

Active : 172.16.200.252 20:4c:03:81:e7:ca registered

Standby : 172.16.200.253 20:4c:03:b2:12:0a registered

Both gateways are registered as active and standby switch anchor controllers. This is a clear indication that the switch (Access-1) has successfully established tunnels to both gateways within the cluster.

Exact extract:

“The Switch Anchor Controller (SAC) section lists both cluster members to which the switch forms GRE tunnels. The switch maintains active and standby tunnels for redundancy.”

3. User Anchor Controller (UAC) State

Each connected user is mapped to a User Anchor Controller (UAC) — one of the two gateways — depending on cluster load balancing:

User Anchor Controller (UAC): 172.16.200.252

User Anchor Controller (UAC): 172.16.200.253

Each user session is anchored on a specific gateway within the cluster. The presence of two different UAC IPs confirms that users are being distributed across both gateways — a behavior that occurs only in a clustered gateway configuration.

Exact extract:

“In a clustered gateway deployment, each user session is dynamically anchored to one of the gateways. The UAC field shows which gateway currently handles each user session.”

Conclusion:

From the output:

Two gateways are shown as primary and secondary LCS.

Both are registered as SACs (tunnel endpoints).

Users are distributed across both gateways as UACs.

This confirms that Access-1 (the CX switch) has established GRE tunnels to a pair of gateways within a cluster.

Hence, the correct answer is A. A pair of gateways within a cluster.

Why the Other Options Are Incorrect:

B. A pair of switches running VXLAN:UBT tunnels are GRE-based and terminate on Aruba Gateways, not VXLAN-enabled switches.

“User-Based Tunneling uses GRE tunnels to Aruba Gateways; VXLAN is not used for UBT.”

C. A single gateway within a cluster:The output explicitly shows two controllers (active and standby) registered — not a single one.

D. A pair of standalone gateways:The LCS state shows primary/secondary operational roles, which exist only in a cluster, not standalone gateways.

References of HPE Aruba Networking Switching Documents or Study Guide:

ArubaOS-CX Access Security and UBT Configuration Guide – “Understanding User-Based Tunneling (UBT), LCS, SAC, and UAC roles.”

Aruba Gateway Clustering and Redundancy Guide – “Cluster operation and role distribution for UBT.”

Aruba Campus Wired and Wireless Integration Guide – “How CX switches form UBT tunnels to clustered Aruba gateways.”

Aruba Zero Trust Access Design Guide – “High availability with UBT across gateway clusters.”

In the design shown:

The BGP peering between agg-sw1 and agg-sw2 is being established using loopback interfaces as the BGP neighbor addresses (10.0.0.2 and 10.0.0.4)

When BGP peering uses loopbacks, you must configure the BGP session to originate updates from the same loopback interface that the neighbor’s address resolves to

Otherwise, the TCP session fails because:

The source IP does not match the configured neighbor remote-IP which is based on the loopback address

Aruba AOS-CX requirement:

“When configuring eBGP or iBGP neighbors using loopback interfaces, apply update-source under the IPv4 unicast address family so BGP uses the correct source interface for peering.”

In an Aruba deployment, if an AP's interfaces show different LACP states, it often indicates a configuration mismatch. If one interface is up and the other is blocked as shown in the output, it's likely due to both interfaces on the AP being set to LACP active mode, which is a correct setting for establishing an LACP channel with Aruba switches like the CX 6300 series.

On Aruba CX, LAG members must be link compatible (same speed/duplex and L2 characteristics). If one AP uplink (e0) negotiates SmartRate (e.g., 2.5/5 GbE) while the other (e1) negotiates 1 GbE, the switch detects the speed mismatch between the two member links and will not place both links in the distributing state. The second link is held in lacp-block to prevent forwarding on an incompatible member.

LACP active/passive (Option A) would affect whether a bundle forms at all, not cause lacp-block on just one member.

Routed-only interfaces (Option B) would prevent L2 aggregation entirely, not partially form with one member blocked.

Spanning tree/loop protect (Option C) do not produce an LACP member state of lacp-block.

Therefore, mixing a SmartRate port with a non-SmartRate port in the same LAG is the cause of the lacp-block state.

Comprehensive and Detailed Explanation From Exact Extract of HPE Aruba Networking Switching:

In AOS-10 deployments using Zero Trust network architecture, user and device identities are enforced through roles assigned by ClearPass or Aruba Central policies. For multi-site environments, maintaining consistent policy enforcement requires role propagation between gateways across different locations.

To propagate user roles and policies across sites, tunneled SSIDs with gateways are required. This design ensures that wireless client traffic is tunneled from the access point (AP) to the Aruba gateway, where role-based access control (RBAC) and policy enforcement occur. The gateway acts as the policy enforcement point (PEP) for both local and remote traffic.

Exact Extract from HPE Aruba Networking AOS-10 and Switching Documentation:

“In AOS 10, tunneled SSIDs are used to extend centralized policy enforcement to gateways. Gateways apply user roles, firewall policies, and dynamic segmentation consistently across distributed sites.”

“For zero-trust designs requiring cross-site role propagation, all wireless traffic must terminate on gateways through tunneled SSIDs. Gateways then synchronize role information through the overlay tunnel or mobility framework.”

Thus, the only way to propagate role information between multiple sites in a zero-trust deployment is through tunneled SSIDs that terminate at the Aruba gateways. This ensures consistent policy enforcement across locations.

Why the Other Options Are Incorrect:

A. Configure the gateways to mobility type and configure the Roles under System → Client Roles in Central:While mobility type configuration is used for roaming, it does not enable role propagation across sites. Roles must be tied to tunneled SSIDs terminating on gateways for centralized enforcement.

“Gateway mobility enables seamless roaming, not centralized role propagation.”

B. Configure "use switch fabric for role propagation" under Security → Client Roles:This option applies to AOS-CX switch fabrics (Campus Fabric design) and not wireless AOS-10 environments. Wireless role propagation uses gateway tunnels, not switch fabric propagation.

“Use switch fabric for role propagation applies to CX switch-based VXLAN fabrics, not wireless gateway deployments.”

C. Overlay campus switch fabric with CX switches:While Aruba CX fabrics can propagate roles in wired environments, this does not fulfill the requirement for wireless role propagation between remote sites.

“Role propagation over CX fabric applies to wired clients and does not substitute for tunneled SSID gateways in wireless networks.”

References of HPE Aruba Networking Switching Documents or Study Guide:

Aruba AOS 10 Network Design Guide – “Zero-Trust Design and Role Propagation in Multi-Site Deployments.”

Aruba Campus Wireless and Gateway Deployment Guide – “Tunneled SSIDs and Centralized Role Enforcement.”

Aruba Policy Enforcement and Role-Based Access Control Guide – “Role propagation over gateway tunnels.”

Based on the criteria provided for wireless guest users, the correct user role configuration must allow internet access, only allow access to public DNS servers, deny access to all internal networks except for any DHCP server, and place the Wi-Fi guests on VLAN 555. The ACLs must permit services necessary for basic internet access (such as DNS and DHCP) and block access to internal networks.

Option A satisfies these criteria with the following configurations:

user-role "WiFi-guest": This defines the role for Wi-Fi guests.

access-list session dhcp-acl: This applies the access list that likely permits DHCP, which is necessary for guests to obtain an IP address.

access-list session dns-acl: This applies the DNS access list, which likely restricts guests to using public DNS servers.

access-list session internal-networks: This applies the internal networks access list, which denies access to internal networks.

vlan 555: This sets the VLAN for Wi-Fi guests to 555.

Options B, C, and D are incorrect because they include access-list session allowall which would permit all traffic, contradicting the requirement to deny access to all internal networks.

In Aruba gateways/switches, LLDP decodes and displays standard LLDP TLVs by default. LLDP-MED inventory TLVs (including Asset ID) are shown only when LLDP-MED is enabled.

When LLDP-MED is not enabled, received MED TLVs are counted as Unknown TLVs and are not decoded in the neighbor detail output.

In the exhibit, show lldp statistics shows “Unknown TLVs: 2” and show lldp neighbor ... detail displays only basic LLDP fields (Chassis ID, Mgmt Address, Port Description, MTU), with no MED inventory fields such as Asset ID. This is the expected symptom of LLDP-MED being disabled.

LLDP TX is not required to receive and display neighbor TLVs; the missing Asset ID is unrelated to transmit state. MTU is also not relevant to TLV decoding.

References (HPE Aruba official materials): Aruba AOS-CX LLDP/LLDP-MED configuration—MED must be enabled to advertise/parse MED inventory TLVs (Asset ID, Serial, HW/FW/SW, etc.).

Comprehensive and Detailed Explanation From Exact Extract of HPE Aruba Networking Switching:

On Aruba switches (AOS-CX/AOS-S), multiple IPv4 networks can be configured on the same VLAN interface (SVI) by assigning a primary address and one or more secondary addresses. The VLAN remains one Layer-2 broadcast domain; adding more IP subnets does not create subinterfaces and does not split the broadcast domain.

Exact extract:

“A VLAN interface may be configured with a primary IP address and additional secondary IP addresses to host multiple subnets on the same Layer-2 broadcast domain.”

“A VLAN is a single broadcast domain. Broadcast and unknown unicast frames are flooded to all ports belonging to the VLAN.”

“Hosts in different IP subnets on the same VLAN still require Layer-3 routing to communicate; sharing the VLAN only means they share the same L2 broadcast domain.”

Therefore, when a second subnet is added to the same VLAN, broadcasts (ARP, DHCP, etc.) from devices in either subnet will be flooded to all member ports of that VLAN, making option C correct.

Options A (subinterfaces) are not used here; B is incorrect because inter-subnet traffic still needs routing; D is not categorically true—IGMP operates per VLAN with multicast routing configuration and is not inherently disabled by multiple subnets.

References of HPE Aruba Networking Switching documents or Study Guide:

Aruba AOS-CX Interface and VLAN Configuration Guide — “Primary and secondary IP addressing on VLAN interfaces; VLANs as broadcast domains.”

Aruba AOS-CX Layer 2 Fundamentals — “Flooding behavior for broadcast/unknown frames within a VLAN.”

Aruba Campus Wired Design Fundamentals — “Multiple IP subnets on one VLAN and routing implications.”

===========

It is a common practice to separate successful and failed test results into different files for ease of troubleshooting. If the "datagrams.pcap" file shows no issues, it's likely because it only contains successful test data, and the failed tests that could explain the poor user experience would be in a different file, such as "datagrams-failed.pcap."

When troubleshooting a WLAN with 802.1X tunneled SSID issues, AP tunnel states indicate the status of the connection between the AP and the gateway/controller. The states 'SM_STATE_REKEYING' and 'SM_STATE_CONNECTING' could indicate transitional states where the connection has not been fully established, hence users might face issues connecting to the SSID. 'SM_STATE_REKEYING' implies that the AP is in the process of re-establishing encryption keys, while 'SM_STATE_CONNECTING' indicates that the AP is trying to establish a connection with the controller or gateway. These states could lead to temporary connectivity issues until the state transitions to 'SM_STATE_CONNECTED'.

The correct address for the ClearPass Guest should match the FQDN of the HTTPS certificate installed on the device, which is often the FQDN of the vendor's product. This ensures secure and proper redirection to the captive portal during the authentication process. The FQDN should be entered in the Address field for ClearPass Guest configuration.

In a packet capture from an upstream switch port mirror, you would see the VLAN assignment. The port mirror captures the traffic as it is on the network, including any VLAN tags. GRE or IPsec tunnels encapsulate the original packet, including VLAN tags, but the VLAN information is not visible within the encapsulation headers.

The error message "User not found" indicates that the authentication source, in this case, Active Directory (AD), is not able to locate the user account based on the current search parameters. This often occurs when the User Principal Name (UPN) that the client is using to authenticate is not included in the search parameters of the AD authentication source within ClearPass. By modifying the AD authentication source to include the UPN in the search, ClearPass will be able to correctly locate the user account and proceed with the authentication using the valid client certificates.

The fallback role is used as a default role in the absence of a specified role or when an authentication server is not available. Given the scenario, where the test device with MAC address 81:cd:93:13:ab:31 needs to be assigned to "iot-prod" and other devices to "iot-default", and considering there is no external authentication server configured for the test, the appropriate action would be to set a global fallback role that applies to all devices connecting to the network. This ensures that any device that does not match the specific device profile will inherit the "iot-default" role. Since the configuration for a specific MAC address (81:cd:93:xx:xx:xx) to associate with the "iot-prod" role is already in place, setting the fallback role globally accommodates the requirement for other devices.

In a high availability setup where both primary and secondary gateway clusters are present, APs are typically designed to connect to the primary cluster. If the APs are equally split between the primary and secondary, this may indicate that some APs cannot reach the primary cluster due to connectivity issues or reachability constraints, thus falling back to the secondary cluster.

To ensure that ClearPass can initiate a Change of Authorization (CoA) consistently, it's important to enable dynamic authorization to allow RADIUS CoA messages to be processed. This setting typically falls under the high-availability cluster configuration to ensure that it persists across gateway failovers. Additionally, the NAS IP address must be configured under RADIUS client settings to ensure that the correct IP address is used for RADIUS communications, which is necessary for CoA to function correctly.

The CLI output shown is from the Aruba CX 6300 running AOS-CX, displaying the routing table in an EVPN-VXLAN fabric environment.

Key details from the output:

Prefix Nexthop Interface Origin/Type Distance/Metric

10.203.1.0/24 - vlan203 C [0/0]

10.203.1.1/32 - vlan203 L [0/0]

10.203.1.100/32 172.21.11.2 - B/EV [200/0]

172.21.11.4/32 172.21.11.2 - B/EV [200/0]

172.21.11.5/32 - loopback3 L [0/0]

From this, we can interpret the following:

Routes marked as B/EV originate from BGP EVPN, meaning they are advertised and learned over the VXLAN fabric.

The next hop 172.21.11.2 indicates that these routes are learned from another fabric device with loopback address 172.21.11.2.

The route 10.203.1.100/32 is a host route (specific endpoint) reachable via that remote switch.

According to the Aruba CX EVPN-VXLAN Fabric Deployment Guide:

“In a VXLAN fabric, host routes (/32) are dynamically advertised using EVPN Type 2 routes.

These routes include MAC/IP bindings of endpoints connected to remote VTEPs (loopbacks).

The next-hop address in the routing table corresponds to the VTEP IP (loopback address) of the remote switch where the client resides.”

Thus, the presence of a /32 route (10.203.1.100/32) with next hop 172.21.11.2 indicates that this wired client resides behind another CX 6300 fabric node whose VTEP address is 172.21.11.2.

Option Analysis:

A. Correct – The /32 route confirms that 10.203.1.100 is reachable via remote CX at 172.21.11.2 (remote VTEP).

B. Incorrect – The RD information isn’t shown here; this statement cannot be validated and contradicts visible EVPN entries.

C. Incorrect – The route is properly advertised and reachable via EVPN; no indication of advertisement failure.

D. Incorrect – Overlay loopbacks (172.21.11.x) are advertised as /32 host routes, not /24 subnets.

Final Verified Answer: A

Reference Sources (HPE Aruba Official Materials):

Aruba AOS-CX EVPN-VXLAN Fabric Deployment and Configuration Guide

Aruba CX 6300 Routing and BGP Configuration Guide

Aruba Certified Switching Professional (ACSP) Study Guide – EVPN-VXLAN Route Interpretation

Comprehensive and Detailed Explanation From Exact Extract of HPE Aruba Networking Switching:

In AOS-10 wireless deployments, HPE Aruba Networking supports the configuration of Primary and Secondary Gateway Clusters in the SSID profile to ensure high availability, redundancy, and load distribution. This configuration follows Aruba’s gateway clustering best practices, where access points (APs) attempt to establish tunnels with their Primary Gateway Cluster first. If the AP cannot reach the primary cluster (due to reachability, latency, or network topology), it automatically connects to the Secondary Gateway Cluster.

When both gateway clusters are active and reachable but some APs cannot reach the primary cluster—for example, due to Layer 3 routing, firewall restrictions, or network segmentation—those APs will associate with the secondary cluster instead. This results in an approximately equal split of APs across both clusters, even though the primary cluster is operational.

Exact Extract from HPE Aruba Networking Switching and AOS-10 Gateway Documentation:

“Access Points attempt to form tunnels with the Primary Gateway Cluster first. If the primary cluster is unreachable or fails to respond within the defined timeout, the AP establishes a tunnel with the Secondary Gateway Cluster.”

“When the primary and secondary gateway clusters are both up but APs are distributed across separate routed networks or VLANs, APs may select the gateway cluster that is most reachable at that time, resulting in an even or partial split of AP distribution.”

“This is expected behavior when APs in different subnets cannot reach the same primary cluster due to network topology. The secondary cluster provides redundancy and connectivity continuity.”

Therefore, the equal split of 260 APs is explained by the fact that while the primary cluster is active, a subset of APs cannot reach it due to routing or segmentation and thus join the secondary cluster—this behavior aligns with Aruba’s gateway redundancy mechanism.

Why the Other Options Are Incorrect:

A. The statement reverses the cause: APs that cannot reach the primary connect to the secondary—not the other way around. The secondary cluster’s reachability does not affect AP selection when the primary is available and reachable.

“APs first attempt the primary cluster; only failure to reach it triggers fallback to secondary.”

B. Secondary cluster is homogeneous:Cluster homogeneity refers to identical hardware/software versions between gateways; it does not influence AP distribution or equal load split.

“Homogeneity is a software version consideration, not an AP load-balancing factor.”

C. Secondary cluster is heterogeneous:Heterogeneity (mixed hardware types) is unsupported or discouraged; it does not cause AP distribution behavior.

“Heterogeneous gateway clusters are not a cause of AP distribution variation; cluster type does not dictate AP split.”

References of HPE Aruba Networking Switching Documents or Study Guide:

ArubaOS 10 Gateway and AP Deployment Guide – “Primary and Secondary Gateway Cluster Configuration and AP Association Logic.”

Aruba High Availability and Clustering Best Practices Guide – “Gateway Cluster Failover, Redundancy, and AP Selection.”

Aruba Central Cloud Management and Monitoring Guide – “SSID Profile Configuration: Primary and Secondary Gateway Clusters.”

Aruba Campus Wireless Design Guide (AOS 10.x) – “Cluster Reachability, Redundancy, and Role Propagation Across Gateways.”

To support a business-critical faculty real-time application that requires seamless roaming within wings without cross-wing roaming, it's essential to ensure high availability and sufficient capacity. Adding an additional 7210 mobility gateway to each cluster would provide the required redundancy and capacity. Running L2 for all SSIDs and permitting user VLANs on gateway uplinks would facilitate the necessary traffic flow without L3 segmentation issues, thus supporting seamless roaming within each wing.

In VRRP (Virtual Router Redundancy Protocol), only one switch should be the primary (master) for a given virtual IP address, with the other switches being backups. If both switches are showing as active, it suggests a misconfiguration where both are set to act as the primary for the same VRRP group. The exhibits provided indicate that both switches believe they are the active or primary for the VRRP group, which is an incorrect configuration.