Pass Using HPE6-A78 Exam Dumps

In an HPE Aruba Networking AOS-8 Mobility Controller (MC), firewall rules are applied based on the user role assigned to a client. The rules are evaluated in order, and the first matching rule determines the action (permit or deny) for the packet. The client’s role has the following firewall rules:

ipv4 any any svc-dhcp permit: Permits DHCP traffic (UDP ports 67 and 68) from any source to any destination.

ipv4 user 10.5.5.20 svc-dns permit: Permits DNS traffic (UDP port 53) from the user to the IP address 10.5.5.20.

ipv4 user 10.1.5.0 255.255.255.0 https permit: Permits HTTPS traffic (TCP port 443) from the user to the subnet 10.1.5.0/24.

ipv4 user 10.1.0.0 255.255.0.0 https deny_opt: Denies HTTPS traffic from the user to the subnet 10.1.0.0/16, with the deny_opt action (which typically means deny with an optimized action, such as dropping the packet without logging).

ipv4 user any any permit: Permits all other traffic from the user to any destination.

The question asks how the MC treats HTTPS packets (TCP port 443) to two IP addresses: 10.1.20.1 and 10.5.5.20.

HTTPS packet to 10.1.20.1:

Rule 1: Does not match (traffic is HTTPS, not DHCP).

Rule 2: Does not match (destination is 10.1.20.1, not 10.5.5.20; traffic is HTTPS, not DNS).

Rule 3: Does not match (destination 10.1.20.1 is not in the subnet 10.1.5.0/24).

Rule 4: Matches (destination 10.1.20.1 is in the subnet 10.1.0.0/16, and traffic is HTTPS). The action is deny_opt, so the packet is denied.

HTTPS packet to 10.5.5.20:

Rule 1: Does not match (traffic is HTTPS, not DHCP).

Rule 2: Does not match (traffic is HTTPS, not DNS).

Rule 3: Does not match (destination 10.5.5.20 is not in the subnet 10.1.5.0/24).

Rule 4: Does not match (destination 10.5.5.20 is not in the subnet 10.1.0.0/16).

Rule 5: Matches (catches all other traffic). The action is permit, so the packet is permitted.

Therefore, the HTTPS packet to 10.1.20.1 is denied, and the HTTPS packet to 10.5.5.20 is permitted.

Option A, "Both packets are denied," is incorrect because the packet to 10.5.5.20 is permitted.

Option B, "The first packet is permitted, and the second is denied," is incorrect because the packet to 10.1.20.1 (first) is denied, and the packet to 10.5.5.20 (second) is permitted.

Option C, "Both packets are permitted," is incorrect because the packet to 10.1.20.1 is denied.

Option D, "The first packet is denied, and the second is permitted," is correct based on the rule evaluation.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

"Firewall policies on the Mobility Controller are evaluated in order, and the first matching rule determines the action for the packet. For example, a rule such as ipv4 user 10.1.0.0 255.255.0.0 https deny_opt will deny HTTPS traffic to the specified subnet, while a subsequent rule like ipv4 user any any permit will permit all other traffic that does not match earlier rules. The ‘user’ keyword in the rule refers to the client’s IP address, and the rules are applied to traffic initiated by the client." (Page 325, Firewall Policies Section)

Additionally, the guide notes:

"The deny_opt action in a firewall rule drops the packet without logging, optimizing performance for high-volume traffic. Rules are processed sequentially, and only the first matching rule is applied." (Page 326, Firewall Actions Section)

The scenario involves AOS-CX switches tunneling client traffic to an HPE Aruba Networking Mobility Controller (MC) in an AOS-8 architecture. The MC will apply firewall policies and perform deep packet inspection (DPI) on the tunneled traffic. The MC is dedicated to receiving traffic from the AOS-CX switches, and there are 114 employees (implying 114 potential clients). The question asks about the licensing requirements for the MC.

Tunneling from AOS-CX Switches to MC: In this setup, the AOS-CX switches act as Layer 2 devices, tunneling client traffic to the MC using a mechanism like GRE or VXLAN (though GRE is more common in AOS-8). The MC treats the tunneled traffic as if it were coming from wireless clients, applying firewall policies and DPI.

Licensing in AOS-8:

AP License (Access Point License): Required for each AP managed by the MC. Since the scenario involves AOS-CX switches tunneling traffic, not APs, AP licenses are not required.

PEF License (Policy Enforcement Firewall License): Required to enable the stateful firewall and DPI features on the MC. The PEF license is based on the number of devices (e.g., switches, APs) or users that the MC processes traffic for. In this case, the MC is processing traffic from AOS-CX switches, and the license is typically per switch (not per user or employee).

WCC License (Web Content Classification License): An optional license that enhances DPI by enabling URL-based filtering and web content classification. This is not mentioned as a requirement in the scenario.

Option A, "One PEF license per switch," is correct. Since the MC is dedicated to receiving traffic from the AOS-CX switches, and the MC will apply firewall policies and DPI, a PEF license is required. In AOS-8, when switches tunnel traffic to an MC, the PEF license is typically required per switch (not per user). With 114 employees, the number of switches is not specified, but the licensing model is per switch, so one PEF license per switch is needed.

Option B, "One PEF license per switch, and one WCC license per switch," is incorrect. While a PEF license is required, a WCC license is not mentioned as a requirement. WCC is for advanced web filtering, which is not specified in the scenario.

Option C, "One AP license per switch," is incorrect. AP licenses are for managing APs, not switches. Since the scenario involves switches tunneling traffic, not APs, AP licenses are not required.

Option D, "One AP license per switch, and one PEF license per switch," is incorrect for the same reason as Option C. AP licenses are not needed, but the PEF license per switch is correct.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

"The Policy Enforcement Firewall (PEF) license is required on the Mobility Controller to enable stateful firewall policies and deep packet inspection (DPI). When AOS-CX switches tunnel client traffic to the MC for firewall processing, a PEF license is required for each switch. The license is based on the number of devices (e.g., switches) sending traffic to the MC, not the number of users. For example, if 10 switches tunnel traffic to the MC, 10 PEF licenses are required." (Page 375, Licensing Requirements Section)

Additionally, the HPE Aruba Networking Licensing Guide notes:

"PEF licenses on the Mobility Controller are required for firewall and DPI features. In deployments where switches tunnel traffic to the MC, the PEF license is typically per switch. AP licenses are not required unless the MC is managing APs. The Web Content Classification (WCC) license is optional and only needed for advanced URL filtering, which is not required for basic DPI." (Page 15, PEF Licensing Section)