Question 4 - HP HPE6-A84 Real Exam Questions [Jan 2026 Update]

Q: 4

Several AOS-CX switches are responding to SNMPv2 GET requests for the public community. The customer only permits SNMPv3. You have asked a network admin to fix this problem. The admin says, “I tried to remove the community, but the CLI output an error.” What should you recommend to remediate the vulnerability and meet the customer’s requirements?

Options

Correct Answer:

Explanation

The most precise and direct method to meet the customer's requirement is to configure the switch's SNMP agent to operate exclusively in SNMPv3 mode. The snmp-server v3-only command in ArubaOS-CX is specifically designed for this purpose. It disables the processing of SNMPv1 and SNMPv2c requests, thereby remediating the vulnerability of responding to a public community string. This command directly addresses the root cause and enforces the security policy, resolving the issue the administrator faced when attempting to remove the default community while older SNMP versions were still implicitly enabled.

Why Incorrect

A. Enabling control plane policing to automatically drop SNMP GET requests: This is an indirect, network-layer control. It is not the intended method for managing SNMP protocol versions and could unintentionally block legitimate SNMPv3 traffic if not configured precisely.

C. Adding an SNMP community with a long random name: This is a hardening technique for SNMPv2c, but it does not disable it. The switch would still be running SNMPv2c, failing to meet the customer's requirement to permit only SNMPv3.

D. Enabling SNMPv3, which implicitly disables SNMPv1/v2: This is incorrect. On ArubaOS-CX switches, SNMPv1/v2c and SNMPv3 can operate concurrently. Enabling SNMPv3 does not automatically disable the older, less secure versions.

References

1. ArubaOS-CX 10.12 Security Guide

Page 289

"SNMPv3" section. The guide states

"By default

the switch responds to SNMPv1

SNMPv2c

and SNMPv3 requests. To configure the switch to respond only to SNMPv3 requests

enter the snmp-server v3-only command." This directly supports option B and refutes option D.

2. ArubaOS-CX 10.10 Command-Line Interface Reference Guide

Page 5881. The documentation for the snmp-server v3-only command confirms its function: "Enables SNMPv3 only mode. In this mode

the SNMP agent will not respond to any SNMPv1 and SNMPv2c requests." This validates the explanation for the correct answer.

3. ArubaOS-CX 10.12 Security Guide

Page 288

"SNMPv1 and SNMPv2c" section. This section details the configuration of community strings

showing that adding a new one (as in option C) is part of configuring SNMPv2c

not disabling it. It also explains that a default "public" community exists.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE