Pass HPE6-A78 Exam Guide

To prevent users from exploiting Address Resolution Protocol (ARP) on a network with ArubaOS-Switches, the correct approach would be to enable DHCP snooping globally and on VLAN 201 before enabling ARP protection, as stated in option C. DHCP snooping acts as a foundation by tracking and securing the association of IP addresses to MAC addresses. This allows ARP protection to function effectively by ensuring that only valid ARP requests and responses are processed, thus preventing ARP spoofing attacks. Trusting ports that connect to employee devices directly could lead to bypassing ARP protection if those devices are compromised.

The company’s goal is to prevent internal users from exploiting ARP within their ArubaOS-Switch network. Let’s break down the options:

• Option A (Incorrect): Enabling ARP protection globally on Switch-1 and all VLANs is not the best approach. ARP protection should be selectively applied where needed, not globally. It’s also not clear why Switch-1 is mentioned when the exhibit focuses on Switch-2.
• Option B (Incorrect): Making ports connected to employee devices trusted for ARP protection is a good practice, but it’s not sufficient by itself. Trusted ports allow ARP traffic, but we need an additional layer of security.
• Option C (Correct): This is the recommended approach. Here’s why:
• Option D (Incorrect): While static ARP bindings can enhance security, they are cumbersome to manage and don’t dynamically adapt to changes in the network.

References:

• ArubaOS-Switch Management and Configuration Guide for WB_16_10 - Chapter 15: IP Routing Features
• Aruba Security Guide

Based on the exhibit showing the firewall rules, the following traffic is permitted:

• Client 1 is allowed to send HTTPS traffic to any destination within the subnet 10.1.10.0/24 because there is a permit rule for the user to access svc-https to that subnet.
• Responses to initiated connections are typically allowed by stateful firewalls; hence, an HTTPS response from 10.1.10.10 to client 1 is expected to be permitted even though it is not explicitly mentioned in the firewall rules (assuming the stateful nature of the firewall).

When deploying an Aruba Instant AP in a location where users can physically access it, enhancing security for management access could involve several measures: C. Disabling the Web UI will prevent unauthorized access via the browser-based management interface, which could be a security risk if the AP is within physical reach of untrusted parties. E. Installing a CA-signed certificate helps ensure that any communication with the AP's management interface is encrypted and authenticated, preventing man-in-the-middle attacks and eavesdropping.