Device fingerprinting on an AOS-CX switch allows the switch to collect information about connected clients to aid in profiling and policy enforcement, often in conjunction with a solution like ClearPass Policy Manager (CPPM). The commands provided create a device fingerprinting profile named "myprofile" and enable the collection of DHCP and LLDP information:

client device-fingerprint profile myprofile: Creates a fingerprinting profile.

dhcp: Enables the collection of DHCP information (e.g., DHCP options like Option 55 for fingerprinting).

lldp: Enables the collection of LLDP (Link Layer Discovery Protocol) information (e.g., system name, description).

However, creating the profile and enabling DHCP and LLDP collection is not enough for the switch to start collecting this information from clients. The profile must be applied to the interfaces (ports) where clients are connected.

Option C, "Apply the policy to edge ports," is correct. In AOS-CX, the device fingerprinting profile must be applied to the edge ports (ports where clients connect) to enable the switch to collect DHCP and LLDP information from those clients. This is done using the command client device-fingerprint profile under the interface configuration. For example, on port 1/1/1, you would enter:

text

CollapseWrapCopy

Switch(config)# interface 1/1/1

Switch(config-if)# client device-fingerprint profile myprofile

This ensures that the switch collects DHCP and LLDP data from clients connected to the specified ports.

Option A, "Configure the switch as a DHCP relay," is incorrect. While a DHCP relay (using the ip helper-address command) is needed if the DHCP server is on a different subnet, it is not a requirement for the switch to collect DHCP information for fingerprinting. The switch can snoop DHCP traffic on the local VLAN without being a relay, as long as the profile is applied to the ports.

Option B, "Add at least one LLDP option to the policy," is incorrect. The lldp command in the fingerprinting profile already enables the collection of LLDP information. There is no need to specify individual LLDP options (e.g., system name, description) in the profile; the switch collects all available LLDP data by default.

Option D, "Add at least one DHCP option to the policy," is incorrect. The dhcp command in the fingerprinting profile already enables the collection of DHCP information, including options like Option 55 (Parameter Request List), which is commonly used for fingerprinting. There is no need to specify individual DHCP options in the profile.

The HPE Aruba Networking AOS-CX 10.12 Security Guide states:

"To enable device fingerprinting on an AOS-CX switch, create a device fingerprinting profile using the client device-fingerprint profile command, and specify the protocols to collect, such as dhcp for DHCP information and lldp for LLDP information. To start collecting data from clients, apply the profile to edge ports where clients connect using the command client device-fingerprint profile under the interface configuration. For example, interface 1/1/1 followed by client device-fingerprint profile myprofile enables fingerprinting on port 1/1/1." (Page 160, Device Fingerprinting Configuration Section)

Additionally, the HPE Aruba Networking AOS-CX 10.12 System Management Guide notes:

"The device fingerprinting profile must be applied to the ports where clients are connected to collect DHCP and LLDP information. The dhcp and lldp commands in the profile enable the collection of all relevant data for those protocols, such as DHCP Option 55 for fingerprinting, without requiring additional options to be specified." (Page 95, Device Fingerprinting Setup Section)