In HPE Aruba Networking (AOS-CX and ArubaOS-S), Group-Based Policy (GBP) provides policy-based segmentation between roles by defining source and destination roles within the GBP configuration. These policies are defined using GBP classes, policies, and roles that determine how traffic between different user groups is handled.
From the configuration snippet shown in the exhibit, the following GBP policies and roles are defined:
class gbp-ip GBP-EMPLOYEE
class gbp-ip GBP-CONTRACTOR
port-access gbp GBP-EMPLOYEE
port-access gbp GBP-CONTRACTOR
When the command
Edge-1(config-pa-role)# associate gbp GBP-EMPLOYEE
is executed, the following error message appears:
“The destination role in one or more classes of the policy does not match the role to which the policy is being associated to. % Command failed.”
This message clearly indicates that the role being associated (EMPLOYEE) does not match the destination role name defined in the GBP policy (GBP-EMPLOYEE).
In Aruba’s implementation of GBP, the role name in the GBP configuration must exactly match the name of the user role it is associated with.
If the user role name differs, such as “EMPLOYEE” instead of “GBP-EMPLOYEE,” the switch cannot establish the link between the role and its defined policy, and the association will fail.
HPE Aruba Official Explanation (Extracted from ArubaOS-S and AOS-CX Configuration Guide):
“The GBP role name must match the user role name exactly when associating a GBP policy with a port-access role.
If the configured GBP role name does not correspond to the user role name, the association will fail, and the system will generate a mismatch error.”
Therefore, in this scenario, the role EMPLOYEE should be renamed or recreated as GBP-EMPLOYEE so that the GBP policy association succeeds.
Option Analysis:
A. Configure a user role called GBP-EMPLOYEE instead of EMPLOYEE — Correct. The role name must match the GBP role name exactly. This resolves the mismatch error.
B. Associate the port-access role to the GBP role using the role ID — Incorrect. GBP does not use role IDs; it uses role names for matching and association.
C. Update the port-access GBP policies to reference the EMPLOYEE role — Incorrect. GBP policy definitions cannot be dynamically modified in this manner. The correct fix is to align role naming.
D. Update the entries in the class maps to reference the EMPLOYEE role — Incorrect. The class map references traffic classification, not the association of user roles.
Final Verified Answer: A
Reference Sources (HPE Aruba Official Materials):
ArubaOS-CX 10.x Advanced Traffic Management and Policy Enforcement Guide
HPE Aruba Certified Switching Professional (ACSP) Study Guide – Role-Based Access Control and GBP Association