In HPE Aruba Networking (AOS-CX and ArubaOS-S), Group-Based Policy (GBP) provides policy- based segmentation between roles by defining source and destination roles within the GBP configuration.
These policies are defined using GBP classes, policies, and roles that determine how traffic between different user groups is handled.
From the configuration snippet shown in the exhibit, the following GBP policies and roles are defined:
class gbp-ip GBP-EMPLOYEE
class gbp-ip GBP-CONTRACTOR
port-access gbp GBP-EMPLOYEE
port-access gbp GBP-CONTRACTOR
When the command
Edge-1(config-pa-role)# associate gbp GBP-EMPLOYEE
is executed, the error message appears:
"The destination role in one or more classes of the policy does not match the role to which the policy is being associated to. % Command failed." This message clearly indicates that the role being associated (EMPLOYEE) does not match the destination role name defined in the GBP policy (GBP-EMPLOYEE).
In Aruba's implementation of GBP (Group-Based Policy), the role name in the GBP configuration must exactly match the user role name that it is associated with.
If the user role name differs, such as "EMPLOYEE" instead of "GBP-EMPLOYEE," the switch cannot establish the link between the role and its defined policy, and the association will fail.
HPE Aruba Official Explanation (Extracted from ArubaOS-S and AOS-CX Configuration Guide):
"The GBP role name must match the user role name exactly when associating a GBP policy with a port- access role.
If the configured GBP role name does not correspond to the user role name, the association will fail, and the system will generate a mismatch error." Therefore, in this scenario, the role EMPLOYEE should be renamed or recreated as GBP-EMPLOYEE so that the GBP policy association succeeds.
Option Analysis:
* A. Configure a user role called GBP-EMPLOYEE instead of EMPLOYEE - Correct.The role name must match the GBP role name exactly. This resolves the mismatch error.
* B. Associate the port-access role to the GBP role using the role ID - Incorrect.GBP does not use role IDs; it uses role names for matching and association.
* C. Update the port-access GBP policies to reference the EMPLOYEE role - Incorrect.GBP policy definitions cannot be dynamically modified in this manner. The correct fix is to align role naming.
* D. Update the entries in the class maps to reference the EMPLOYEE role - Incorrect.The class map references traffic classification, not the association of user roles.
Final Verified answer: A
Reference Sources (HPE Aruba Official Materials):
* ArubaOS-S 16.x Security Configuration Guide - Group-Based Policy (GBP) Roles and Policies
* ArubaOS-CX 10.x Advanced Traffic Management and Policy Enforcement Guide
* HPE Aruba Certified Switching Professional (ACSP) Study Guide - Role-Based Access Control and GBP Association

In Aruba CX 6300 and other AOS-CX switches, device profiling enables automatic assignment of roles and policies to endpoints based on device attributes such as MAC OUI, LLDP, or DHCP fingerprint - without requiring an external authentication server such as ClearPass or RADIUS.
The configuration snippet shows:
mac-group iot
seq 10 match mac-oui 81:cd:93
port-access device-profile iot-prod
enable
associate role iot-prod
associate mac-group iot
This means that any device with a MAC address matching the OUI 81:cd:93 will automatically be assigned the iot-prod device profile and its associated role (iot-prod).
However, the requirement also specifies that any other device connected to the same interface (that does not match the OUI or device profile) should still be assigned a default role called iot-default.
To ensure that endpoints not matching any known device profile still receive limited network access, Aruba AOS-CX uses the fallback-role feature under port-access configuration.
The command:
port-access fallback-role iot-default
defines the role that will be automatically assigned to endpoints that fail to match any of the configured device-profile conditions.
This mechanism is crucial in lab or standalone environments where no external authentication (e.g., RADIUS, ClearPass) is configured. It ensures devices are still given a default policy, preventing them from being left in an unauthenticated or blocked state.
Official HPE Aruba Extract (ArubaOS-CX Security and Access Guide):
"The fallback-role command allows the switch to assign a predefined local role to a device when no authentication server is available, or when the device does not match any configured device profile."
"This command is typically used in test or lab environments where profiling is local to the switch, and a baseline role must still be enforced for unknown devices." Therefore, in this case:
* Devices matching the MAC OUI 81:cd:93 # assigned iot-prod role
* All other devices # automatically assigned iot-default role via port-access fallback-role iot-default Option Analysis:
* A. Incorrect - The port-access onboarding-method precedence command changes the priority order between authentication methods (e.g., 802.1X, MAC-auth, device profile). It does not control fallback behavior.
* B. Incorrect - The block-until-profile-applied option delays port activation until profiling completes, but it doesn't provide a fallback role.
* C. Correct - The port-access fallback-role iot-default command ensures that any device not matching the iot-prod profile receives the iot-default role.
* D. Incorrect - Lowering precedence has no effect on assigning a default role.
Final Verified answer: C
Reference Sources (HPE Aruba Official Materials):
* Aruba AOS-CX Security and Access Configuration Guide - Device Profiling and Role Assignment
* Aruba Certified Switching Professional (ACSP) Study Guide - Port Access and Device Profiling
* ArubaOS-CX Fundamentals Guide - Port Access and Fallback Role Implementation

In BGP, the route marked with a ">" symbol is the best route that is chosen based on BGP attributes in the following order: highest weight (Cisco-specific), highest local preference, originated by BGP running on the local router, shortest AS path, lowest origin type, lowest MED, eBGP over iBGP, closest IGP neighbor, and lowest BGP router ID. Based on the table provided, Option E would be marked with a ">" symbol as it has the highest local preference of 100 which is a decisive factor in the BGP best path selection process.

Comprehensive and Detailed Explanation From Exact Extract of HPE Aruba Networking Documentation Multicast frames over Wi-Fi are traditionally transmitted at the lowest basic data rate, making them slow and unreliable, particularly outdoors where environmental RF effects are more significant.
Aruba provides a feature designed for this scenario:
# Dynamic Multicast Optimization (DMO)
* Converts multicast streams into unicast transmissions per associated client
* Allows the AP to use the highest possible unicast data rate supported
* Significantly improves reliability, throughput, and range for critical multicast applications HPE Aruba documentation statement:
"Dynamic Multicast Optimization increases the reliability of multicast traffic by converting multicast frames to unicast and allows transmissions using higher data rates." This directly supports the requirement in the question:
# increase reliability
# use the highest possible data rate
Why the Other Options Are Incorrect
Option
Reason Incorrect
A). Increase basic rate
Raising basic rates often reduces coverage range and can disconnect distant outdoor clients B). Multicast Transmission Optimization This older mode still transmits multicast over the air, not at highest rate D). Enable WMM WMM is for QoS prioritization, not for increasing multicast PHY rates or reliability
# Final Verified answer: C. Dynamic Multicast Optimization
# Reference Sources (HPE Aruba Official Materials):
* Aruba Mobility and WLAN Optimization Guides - Dynamic Multicast Optimization operation and benefits
* Aruba Outdoor Wi-Fi Deployment Best Practices - Multicast performance enhancements
* ACMP (Aruba Certified Mobility Professional) Study Material - Multicast Optimization for IoT and GPS Applications

Comprehensive and Detailed Explanation (Verified Extract from HPE Aruba Networking AOS-10 Gateway and Cluster Design Documentation) When primary and secondary gateway clusters are defined in an SSID profile in AOS-10, the Access Points (APs) dynamically distribute their tunnel termination sessions based on the availability of both clusters.
If both clusters are operational and cluster preemption is not enabled, the APs maintain their current session distribution, resulting in an approximately equal split of AP tunnels across both clusters.
Aruba Documentation Extract:
"When both primary and secondary gateway clusters are reachable and cluster preemption is disabled, APs remain distributed across both clusters to maintain balance and prevent disruption."
"Cluster preemption, if enabled, causes APs associated with the secondary cluster to move back to the primary cluster once it becomes available, consolidating tunnel load." Thus:
* The equal split (72 APs per cluster) indicates both clusters are active,
* and cluster preemption is disabled (so APs remain distributed instead of failing back to the primary cluster).
Why the Other Options Are Incorrect:
* A. Cluster homogeneity/heterogeneity does not influence AP distribution behavior.
* B. If preemption were enabled, APs on the secondary cluster would fail back to the primary, not stay split.
* D. The number of nodes does not determine AP load balancing or distribution.
# Final Verified answer: C. The primary and secondary gateway clusters are up, but the cluster preemption is not enabled.
# Reference Sources (HPE Aruba Official Materials):
* Aruba AOS-10 Gateway Clustering and Redundancy Guide - AP Distribution and Preemption
* Aruba Central Network Design Guide - SSID Profile Gateway Assignment Behavior
* Aruba Certified Mobility Expert (ACMX) Study Guide - Gateway Clustering and Failover Logic