ACSP - Aruba Certified Switching Professional Switch Security Features Questions and Answers

Question 1

A network administrator wants to prevent man-in-the-middle attacks that leverage ARP spoofing. They have already enabled DHCP Snooping on the user access VLANs. Which additional security feature must be enabled to validate ARP packets against the DHCP Snooping binding database?

Accepted Answer

Dynamic ARP Inspection (DAI)

Answer

Dynamic ARP Inspection (DAI) is the feature designed to mitigate ARP spoofing attacks. It intercepts ARP packets on untrusted ports and validates the IP-to-MAC address binding against the trusted database built by DHCP Snooping. Port Security limits MAC addresses, CoPP protects the CPU, and RA Guard is for IPv6 rogue router advertisements.

Question 2

An administrator configures port security on an ArubaOS-CX switch interface connected to a public kiosk. The requirement is to allow only the first device that connects to the port. If an unauthorized user unplugs the kiosk and connects their own laptop, the port should immediately be disabled and a log message generated. Which violation action should be configured?

Accepted Answer

shutdown

Answer

The 'shutdown' violation action will disable the port and generate a log message when a security violation occurs, such as exceeding the MAC address limit. 'Notify' only logs the event without disabling the port. 'Restrict' drops packets and logs, but the port remains up. 'Protect' silently drops packets from unknown MACs without logging.

Question 3

In a network using 802.1X for port-based access control, what is the role of the ArubaOS-CX switch?

Accepted Answer

Authenticator

Answer

In the 802.1X framework, the switch or access point that controls physical access to the network is the Authenticator. The end device (e.g., a laptop) is the Supplicant, and the server performing the credential check (e.g., ClearPass or a RADIUS server) is the Authentication Server.

Question 4

A network is experiencing performance degradation on a core switch. The administrator suspects a denial-of-service (DoS) attack using a high volume of broadcast traffic is overwhelming the switch's processor. Which security feature is specifically designed to protect the switch's CPU by rate-limiting traffic destined for the control plane?

Accepted Answer

Control Plane Policing (CoPP)

Answer

Control Plane Policing (CoPP) is a feature designed to protect the CPU of a network device from being overwhelmed by excessive traffic. It does this by applying rate-limiting to specific types of control plane traffic, such as routing protocol updates, ARP, and other packets that require CPU processing, thereby preventing DoS attacks.

Question 5

An administrator is configuring DHCP Snooping on an ArubaOS-CX switch to mitigate rogue DHCP server attacks. What is the default state of all switch ports when DHCP Snooping is first enabled on a VLAN?

Accepted Answer

Untrusted

Answer

When DHCP Snooping is enabled, all ports are considered untrusted by default. The administrator must explicitly configure the ports connected to legitimate DHCP servers or upstream switches as trusted to allow DHCP server messages to pass.

(ACSP) Aruba Certified Switching Professional Practice Test

(ACSP) Aruba Certified Switching Professional Practice Test

ACSP - Aruba Certified Switching Professional Switch Security Features Questions and Answers