Practice Free HPE6-A90 Exam Online Questions
What is the primary method to securely execute CLI commands on an AOS-10 Gateway managed by Central without requiring direct network reachability to the gateway’s local management IP address?
- A . By deploying a local Mobility Master on-premises to proxy the terminal connection back to the cloud.
- B . By utilizing the Remote Console feature integrated natively within the HPE Aruba Networking Central WebUI.
- C . By connecting a physical console cable to the gateway and using dedicated terminal emulation software.
- D . By establishing a direct SSH session using port 22 to the gateway’s public WAN interface over the internet.
A NOC Operations Engineer is troubleshooting an AOS-10 Gateway cluster that is failing to form. Both gateways are physically patched into an AOS-CX 8325 core switch. Central reports the cluster status as "Down/Isolated".
The engineer investigates the wired underlay configuration connecting the two gateway nodes:
[AOS-CX 8325 Switch – Interface Status]
Interface 1/1/1 (Connected to Gateway Node 1)
VLAN Mode: Trunk
VLAN Trunk Allowed: 10, 20, 30
Native VLAN: 10
Interface 1/1/2 (Connected to Gateway Node 2)
VLAN Mode: Trunk
VLAN Trunk Allowed: 10, 20, 40
Native VLAN: 20
Which TWO configuration issues on the underlay switch will prevent these AOS-10 Gateways from forming a valid, fully functional Layer 2 cluster? (Choose 2.)
- A . The gateways are attempting to negotiate dynamic LACP with the core switch, a protocol that is explicitly blocked when native VLANs differ across a chassis.
- B . The native (untagged) management VLANs mismatch (VLAN 10 vs VLAN 20), breaking the fundamental Layer 2 cluster heartbeat and discovery process between the nodes.
- C . Layer 2 clustering requires Spanning Tree Protocol (STP) to be completely disabled on the switch ports to allow the proprietary multicast heartbeat frames to pass unhindered.
- D . The allowed trunk VLANs are inconsistent (missing VLAN 30 on port 1/1/2, and missing VLAN 40 on port 1/1/1), which will cause asymmetric dropping of client data plane traffic during a failover event.
- E . The switch ports are configured as 802.1Q trunks, whereas AOS-10 Gateways strictly require standard access ports to successfully negotiate their cluster virtual MAC addresses.
A Campus IT Manager is designing the spanning tree architecture for a new distribution block utilizing AOS-CX 6400 switches. The design mandates that VLANs 10-50 share a single spanning-tree forwarding topology to minimize control plane CPU overhead, while VLANs 51-100 utilize a separate forwarding topology.
Which spanning tree protocol must be implemented to fulfill this specific architectural requirement?
- A . Rapid Spanning Tree Protocol (RSTP – 802.1w)
- B . Traditional Spanning Tree Protocol (STP – 802.1D)
- C . Multiple Spanning Tree Protocol (MSTP)
- D . Rapid Per-VLAN Spanning Tree Plus (RPVST+)
A Security Operations Analyst needs to restrict which administrators can execute elevated CLI commands (such as write erase or reload) via SSH on AOS-10 Gateways. The organization requires a centralized, role-based approach to command authorization.
Which configuration strategy correctly fulfills this security requirement?
- A . Configure an ACL on the gateway uplink interface to restrict TCP port 22 access exclusively to pre-approved IP subnets.
- B . Disable SSH service on the gateway cluster and require all administrative access to occur exclusively via the physical console port.
- C . Modify the AOS-10 SSH banner configuration to display a prominent legal warning message explicitly prohibiting execution of privileged commands without documented security team authorization.
- D . Integrate the AOS-10 Gateways with ClearPass Policy Manager to enforce TACACS+ role-based command authorization for SSH sessions, enabling granular validation of specific privileged CLI commands like write erase and reload against centrally defined administrative roles.
A NOC Operations Engineer is deploying a new building with AOS-CX 6200 access switches and AOS-10 Campus APs. The design mandates a "Mixed Forwarding" approach to handle different device classes.
[AOS-10 AP Configuration]
SSID: Corp_Laptops -> Forwarding Mode: Tunnel
SSID: IoT_Sensors -> Forwarding Mode: Bridge -> VLAN 50
[AOS-CX 6200 Switch Configuration]
interface 1/1/10
description UPLINK-TO-CAMPUS-AP-01
[Pending Configuration]
To ensure both SSIDs function correctly, which THREE statements describe the mandatory VLAN and interface configurations required on the connected AOS-CX access switch port? (Select all that apply.)
- A . The switch port must explicitly allow and tag the destination VLAN for the Corp_Laptops SSID, as tunnel mode relies on the local switch to route the corporate traffic.
- B . The switch port must be configured as a trunk port because it must natively carry the tagged traffic for the bridged IoT VLAN (VLAN 50).
- C . The switch port must not block UDP port 4500, as this port is strictly required for the AP to encapsulate the tunnel mode data plane traffic and send it to the AOS-10 Gateway cluster.
- D . The switch port must allow the AP’s management VLAN to pass (typically untagged/native) so the AP can obtain an IP address, reach Central, and build the IPsec tunnels for the Corp_Laptops SSID.
- E . The switch port must be configured as a standard access port assigned exclusively to the management VLAN to allow the AP to build its control plane tunnel.
MAC Authentication with ClearPass VSAs
Which TWO proposed features represent absolute hardware or software anti-patterns for the AOS-CX 6200 series platform and must be removed from the design? (Choose 2.)
- A . Attempting to use the 6200 series to execute Dynamic Segmentation (User-Based Tunneling), as this requires a dedicated hardware GRE module only found on the 6400 chassis.
- B . Configuring the 6200 series to act as an EVPN-VXLAN Route Reflector (BGP RR), a role that exceeds the platform’s routing table capacity and intended architectural placement.
- C . Integrating MAC Authentication with ClearPass VSAs, which is an advanced identity feature exclusively supported on the AOS-10 Gateway clusters.
- D . Designing the aggregation layer to use Virtual Switching Extension (VSX) Active-Active Gateways, as the 6200 series strictly supports Virtual Switching Framework (VSF) instead.
- E . Utilizing OSPF Underlay Routing for point-to-point links, because the 6200 series only supports static routing and basic RIPv2 protocols.
A NOC Operations Engineer is troubleshooting a datacenter redundancy issue. Remote Microbranch APs are configured to build primary IPsec tunnels to VPNC-Primary and secondary tunnels to VPNC-Standby.
When VPNC-Primary was rebooted for scheduled maintenance, the Microbranch APs failed to establish tunnels to VPNC-Standby, causing a complete site outage.
[Microbranch AP Datapath Log]
10:02:15 IKE Phase 1: Initiating main mode to VPNC-Primary (198.51.100.10)
10:02:20 IKE Phase 1: Timeout connecting to VPNC-Primary
10:02:20 IKE Phase 1: Initiating main mode to VPNC-Standby (203.0.113.50)
10:02:21 IKE Phase 1: VPNC-Standby rejected proposal. MM_NO_STATE
10:02:21 ERROR: IPsec Tunnel to VPNC-Standby failed to establish.
Based on the provided log data, which TWO configurations are the most likely causes of this failover failure? (Choose 2.)
- A . Microbranch APs inherently only support a single, non-redundant IPsec tunnel to a single VPNC to conserve memory.
- B . VPNC-Standby has a mismatched IPsec Pre-Shared Key (PSK) or certificate trust chain compared to the Microbranch APs’ provisioning profiles.
- C . VPNC-Standby is missing the correct routing configuration to advertise the datacenter subnets to the remote Microbranch APs.
- D . The IKE/IPsec crypto maps on the VPNC-Standby do not match the encryption algorithms proposed by the remote Microbranch AP.
- E . The Microbranch APs lack the Advanced subscription license required to support multiple concurrent IPsec tunnel destinations.
A Security Operations Analyst is utilizing a Python script to ingest HPE Aruba Networking Central AI Insights into a corporate SIEM platform.
The script retrieves the following JSON payload:
{
  "insight_name": "Excessive 802.1X Authentication Failures",
  "insight_category": "Security",
  "affected_clients": 45,
  "root_cause_analysis": {
    "reason": "RADIUS Server Timeout",
    "server_ip": "10.50.10.100",
    "failure_percentage": "88%"
  }
}
Based on this specific API response, which TWO actions should the analyst prioritize to resolve this campus-wide connectivity issue? (Choose 2.)
- A . Ensure the ClearPass Policy Manager server at 10.50.10.100 has not exhausted its active session license limits or experienced a service crash.
- B . Update the affected clients’ supplicant settings to blindly accept the new EAP-TLS certificate recently installed on the Campus APs.
- C . Enable "MAC Authentication Fail-Through" on the AP groups to allow the 45 affected clients to authenticate using their hardware addresses.
- D . Migrate the affected SSIDs from WPA3-Enterprise to WPA2-Personal (PSK) to temporarily bypass the failing cloud authentication service.
- E . Verify that the intermediate firewalls between the Campus APs and the 10.50.10.100 RADIUS server are permitting UDP ports 1812 and 1813.
