
HPE7-A02 Exam - Topic 3 Question 8 Discussion

Actual exam question for HP's HPE7-A02 exam
Question #: 8
Topic #: 3

A port-access role for AOS-CX switches has this policy applied to it:

    port-access policy mypolicy
        10 class ip zoneC action drop
        20 class ip zoneA action drop
        100 class ip zoneB

The classes have this configuration:

    class ip zoneC
        10 match tcp 10.2.0.0/16 eq https
    class ip zoneA
        10 match ip any 10.1.0.0/16
    class ip zoneB
        10 match ip any 10.0.0.0/8

The company wants to permit clients in this role to access 10.2.12.0/24 with HTTPS. What should you do?

Suggested Answer: A

Comprehensive Detailed Explanation

The requirement is to permit HTTPS traffic from clients to the 10.2.12.0/24 subnet.

ZoneC is configured to drop all HTTPS traffic to the 10.2.0.0/16 subnet. Therefore, the first match in the zoneC class (priority 10) will drop the desired traffic.

To override this behavior, you must add a higher-priority rule (lower rule number) to zoneC that explicitly matches 10.2.12.0/24 and permits the traffic.

Thus, adding the rule 5 match any 10.2.12.0/24 eq https to zoneC ensures the desired traffic is permitted while maintaining the drop behavior for the rest of 10.2.0.0/16.

Reference

AOS-CX Role-Based Access Control documentation.

Understanding class priority and policy rule ordering in AOS-CX.
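
To see why the requested traffic is dropped before any change is made, the following added example (not part of the original question or of HPE's documentation) evaluates the policy and classes exactly as shown above against sample packets, using first-match ordering by policy sequence number. Assumptions: a policy entry with no action permits, traffic that matches no class is dropped, only `match` entries are modelled, and the function names and sample addresses are hypothetical.

```python
import ipaddress

# Policy and class entries copied from the question above.
POLICY = """\
10 class ip zoneC action drop
20 class ip zoneA action drop
100 class ip zoneB
"""
CLASSES = {
    "zoneC": "10 match tcp 10.2.0.0/16 eq https",
    "zoneA": "10 match ip any 10.1.0.0/16",
    "zoneB": "10 match ip any 10.0.0.0/8",
}
PORTS = {"https": 443, "http": 80}  # service names needed by this example


def parse_class_entry(line):
    """Return (seq, proto, dst_network, dst_port or None) for one class entry."""
    tok = line.split()
    seq, proto = int(tok[0]), tok[2]
    # The destination is the last CIDR token; a leading 'any' source is skipped.
    dst = next(t for t in reversed(tok[3:]) if "/" in t)
    port = PORTS[tok[tok.index("eq") + 1]] if "eq" in tok else None
    return seq, proto, ipaddress.ip_network(dst), port


def class_matches(name, proto, dst_ip, dst_port):
    """True if any entry of the named class matches the packet."""
    for line in CLASSES[name].splitlines():
        _, c_proto, net, port = parse_class_entry(line)
        if c_proto not in ("ip", proto):
            continue  # 'ip' covers every protocol; otherwise protocols must agree
        if ipaddress.ip_address(dst_ip) in net and port in (None, dst_port):
            return True
    return False


def evaluate(proto, dst_ip, dst_port=None):
    """Return (policy_seq, class_name, action) of the first matching policy entry."""
    entries = []
    for line in POLICY.splitlines():
        tok = line.split()
        # Assumption: an entry with no explicit action permits the traffic.
        action = tok[tok.index("action") + 1] if "action" in tok else "permit"
        entries.append((int(tok[0]), tok[3], action))
    for seq, name, action in sorted(entries):
        if class_matches(name, proto, dst_ip, dst_port):
            return seq, name, action
    return None, None, "drop"  # assumption: nothing matched, implicit deny
```

Calling `evaluate("tcp", "10.2.12.5", 443)` returns the zoneC entry with action drop, while the same destination on port 80 falls through to zoneB and is permitted.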


Contribute your Thoughts:

Dominic
2 months ago
Definitely not B, that would just complicate things.
upvoted 0 times
...
Hollis
2 months ago
Wait, can you really ignore TCP in zoneA? That seems odd.
upvoted 0 times
...
Suzi
2 months ago
I think option A makes the most sense here.
upvoted 0 times
...
Denise
3 months ago
Looks like zoneC is blocking access to 10.2.12.0/24.
upvoted 0 times
...
Kara
3 months ago
I agree with A, we need to allow HTTPS traffic for that subnet.
upvoted 0 times
...
Verda
3 months ago
Adding a rule to zoneA seems wrong because it drops traffic. I think we should focus on zoneC for allowing HTTPS access.
upvoted 0 times
...
Lettie
3 months ago
I’m a bit confused about the difference between 'match' and 'ignore' in this context. I thought we always want to match the traffic we want to allow.
upvoted 0 times
...
Kenda
4 months ago
I remember practicing a similar question where we had to adjust rules in a policy. I feel like zoneB might be the right choice here.
upvoted 0 times
...
Emilio
4 months ago
I think we need to add a rule to zoneC since it matches HTTPS traffic, but I'm not sure if the action should be 'match' or 'ignore'.
upvoted 0 times
...
Millie
4 months ago
Hmm, I'm not entirely sure about this one. The policy and class configurations are a bit complex, and I want to make sure I understand everything before making any changes. I'll need to take a closer look and think it through carefully.
upvoted 0 times
...
Chan
4 months ago
I've got an idea! Since the company wants to permit access to 10.2.12.0/24 with HTTPS, we should add a rule to zoneB to match that subnet and action. That seems like the most straightforward solution.
upvoted 0 times
...
Rory
4 months ago
I'm a bit confused here. The policy already has rules for zoneA and zoneB, so I'm not sure if adding a rule to zoneC is the right approach. Let me re-read the question and think this through.
upvoted 0 times
...
Noah
5 months ago
Okay, I think I've got it. We need to add a new rule to the zoneC class to permit HTTPS access to 10.2.12.0/24. That should do the trick.
upvoted 0 times
...
Sherill
5 months ago
Hmm, this looks like a tricky one. I'll need to carefully read through the policy and class configurations to figure out the best approach.
upvoted 0 times
...
Essie
11 months ago
I agree with Terrilyn, option A seems to be the most appropriate choice.
upvoted 0 times
...
Terrilyn
11 months ago
But adding the rule to zoneC makes more sense, doesn't it?
upvoted 0 times
...
Val
11 months ago
Alright, let's think this through. I'm going to go with option D as well, it seems to be the only one that directly addresses the requirement.
upvoted 0 times
Lemuel
9 months ago
Great, let's go with option D then.
upvoted 0 times
...
Kristofer
9 months ago
Adding the rule to zoneC with 'ignore tcp' will allow access to 10.2.12.0/24 with HTTPS.
upvoted 0 times
...
Lai
9 months ago
Yes, I agree. Option D seems to be the most appropriate solution.
upvoted 0 times
...
Josefa
9 months ago
I think option D is the correct choice.
upvoted 0 times
...
Tamekia
9 months ago
Great, let's go with option D then.
upvoted 0 times
...
Raelene
9 months ago
Adding the rule to zoneC with 'ignore tcp' will allow access to 10.2.12.0/24 with HTTPS.
upvoted 0 times
...
Fannie
9 months ago
Yes, I agree. Option D is the only one that matches the requirement.
upvoted 0 times
...
Beckie
10 months ago
I think option D is the correct choice.
upvoted 0 times
...
...
Edda
11 months ago
Haha, 'zoneC' - sounds like a secret agent operation or something. Gotta keep those clients in the right zone!
upvoted 0 times
...
Stephanie
11 months ago
I disagree, I believe the correct answer is C.
upvoted 0 times
...
Bo
11 months ago
I'm curious, why did they include the 'plaintext' code blocks? Seems a bit unnecessary if it's just showing the policy config.
upvoted 0 times
...
Raul
11 months ago
Hmm, this looks like a tricky one. I'm leaning towards option D, it seems to make the most sense to add the rule to zoneC.
upvoted 0 times
Vivienne
10 months ago
Yes, option D is the way to go. Adding the rule to zoneC makes the most sense.
upvoted 0 times
...
Paz
10 months ago
I agree, adding the rule to zoneC in option D seems like the right move.
upvoted 0 times
...
Herman
11 months ago
I think option D is the best choice. It makes sense to add the rule to zoneC.
upvoted 0 times
...
...
Terrilyn
11 months ago
I think the answer is A.
upvoted 0 times
...
