Why Monitoring Control Plane Policing (CoPP) with an NAE Agent Is Effective for Detecting DoS Attacks
Control Plane Policing (CoPP): AOS-CX switches use CoPP to protect the CPU from excessive traffic
caused by DoS attacks (e.g., ARP floods, ICMP floods). CoPP enforces rate limits and drops malicious
traffic at the control plane level.
NAE (Network Analytics Engine) Agent:
The NAE on AOS-CX switches can monitor CoPP counters in real time and trigger alerts if thresholds
for certain traffic types (e.g., ICMP, ARP) are exceeded.
Admins can use NAE to automate detection and respond faster to DoS attacks.
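The threshold logic described above, as an added example that is not part of the original page and is not an NAE script: a standalone Python sketch that turns successive polls of per-class CoPP drop counters into rates and flags the classes that exceed a limit. The class names, counter values and thresholds are constructed assumptions.

```python
# Added example: threshold detection over polled CoPP drop counters.
# Class names, counter values and thresholds are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Alert:
    timestamp: int
    traffic_class: str
    drops_per_sec: float


# Hypothetical per-class alert thresholds, in dropped packets per second.
THRESHOLDS = {"arp": 100.0, "icmp": 50.0}


def detect_floods(samples, thresholds=THRESHOLDS):
    """samples: list of (unix_time, {class: cumulative_drop_count}), oldest first."""
    alerts = []
    for (t0, prev), (t1, cur) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # duplicate or out-of-order poll: no rate can be computed
        for cls, limit in thresholds.items():
            if cls not in prev or cls not in cur:
                continue  # class missing from one poll: skip rather than guess
            delta = cur[cls] - prev[cls]
            if delta < 0:
                # Counter was cleared or the switch rebooted between polls;
                # count only what accumulated since the reset.
                delta = cur[cls]
            rate = delta / dt
            if rate > limit:
                alerts.append(Alert(t1, cls, rate))
    return alerts


# Constructed samples, polled every 10 seconds.
SAMPLES = [
    (1000, {"arp": 0, "icmp": 0}),
    (1010, {"arp": 120, "icmp": 10}),    # arp 12/s, icmp 1/s: normal
    (1020, {"arp": 5120, "icmp": 30}),   # arp 500/s: above threshold
    (1030, {"arp": 40, "icmp": 2030}),   # arp counter reset (4/s); icmp 200/s
]

if __name__ == "__main__":
    for a in detect_floods(SAMPLES):
        print(f"t={a.timestamp} class={a.traffic_class} drops/s={a.drops_per_sec:.0f}")
```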
Analysis of Each Option
A. Deploy an NAE agent on the switches to monitor control plane policing (CoPP):
Correct:
NAE agents provide real-time visibility into CoPP behavior, helping detect DoS attacks more quickly.
By analyzing CoPP statistics, the NAE can pinpoint abnormal traffic patterns and alert admins.
This is the most efficient and scalable solution for this use case.
B. Configure the switches to implement RADIUS accounting to HPE Aruba Networking ClearPass and
enable HPE Aruba Networking ClearPass Insight:
Incorrect:
While ClearPass can provide visibility into user authentication and device activity, it is not specifically
designed to detect or mitigate DoS attacks against switches.
C. Implement ARP inspection on all VLANs that support end-user devices:
Incorrect:
ARP inspection helps mitigate ARP spoofing or poisoning, but it does not directly address detection
of DoS attacks like ICMP or ARP floods.
It is a preventative measure, not a detection tool.
D. Enabling debugging of security functions on the switches:
Incorrect:
Debugging logs can help troubleshoot specific issues but are not practical for real-time detection of
DoS attacks.
Enabling debugging can overload the switch and is not suitable for proactive monitoring.
Final Recommendation
Deploying an NAE agent to monitor CoPP is the best solution because it provides real-time detection,
alerting, and insights into traffic patterns that indicate DoS attacks.