Chapter 1: Introduction to HPE Aruba CX Switching and the ACSA Exam

If you have arrived at this book hunting for the "HPE7-A01" code on the HPE certification site, you may already have noticed that the catalog is in flux. The most current associate-level switching exam in the HPE Aruba portfolio is the Aruba Certified Associate - Switching (ACA-Switching), currently coded HPE6-A86, and the underlying body of knowledge — AOS-CX fundamentals — is the same content that "HPE7-A01" maps to in legacy and third-party study material. Whether your voucher reads HPE7-A01 or HPE6-A86, the blueprint, the question style, and the recommended preparation path are the same. This book treats the two codes as interchangeable and uses ACSA (the credential name) as the canonical label.

Exam objectives and weighting

The ACSA blueprint is built around five weighted domains. Memorize these percentages early — they tell you exactly how many study hours each topic deserves.

A practical reading of the table: 70 percent of the exam is "classic" Layer 2 and Layer 3 networking expressed in AOS-CX terms (switching, routing, security). The remaining 30 percent is what makes AOS-CX modern — cloud management through Aruba Central and on-box programmability through NAE and REST.

Figure 1.1: ACSA exam domain weighting

Question format and duration

• Number of questions: approximately 60 multiple-choice items.
• Duration: 90 minutes (~90 seconds per question).
• Passing score: approximately 66 percent.
• Delivery: proctored at Pearson VUE; online proctoring also available in most regions.

Real-world analogy: Think of the 90-minute clock as a single highway commute. You want a steady cruising speed (~1 question / 90 s), pull over briefly for "construction zone" scenarios, and avoid camping on a single hard problem.

Recommended experience level

There are no formal prerequisites, but HPE strongly recommends the AOS-CX Switching Fundamentals course (Rev. 24.31). Successful candidates typically have:

• 6 to 12 months of switching experience (any vendor; concepts transfer).
• Comfort reading and writing CLI configurations (subnetting, VLAN tagging, basic OSPF).
• A willingness to think in terms of databases and APIs rather than just CLI commands.

Worked example — building a 6-week study plan (10 hr/week):

• Weeks 1-2: Switching & VLANs — 20 hours (30%)
• Week 3: Routing & OSPF — 13 hours (20%)
• Week 4: Security & ACLs — 13 hours (20%)
• Week 5: Aruba Central — 10 hours (15%)
• Week 6: Monitoring, NAE, REST + practice — 14 hours (15% + review)

Key Takeaway: The ACSA exam is a 60-question, 90-minute, ~66%-to-pass associate-level credential dominated by L2/L3 fundamentals (70%) but distinguished by 30% cloud + programmability content. Plan study time in proportion to the published weights.

Figure 1.2: Aruba CX switch portfolio hierarchy by network tier

Access switches (6000/6100/6200)

The 6000-class switches are the workhorses of the wiring closet. They terminate user devices — laptops, IP phones, wireless APs, IoT — and they dominate by sheer count in any campus deployment.

The differentiator inside the 6000-class line is PoE budget and uplink speed. The 6200 handles Wi-Fi 6/6E access points that need 2.5G mGig downlinks and 25G uplinks back to aggregation.

Aggregation / Core (6300/6400/8100/8325/8360)

Two acronyms recur here:

• VSF (Virtual Switching Framework): up to 10 fixed switches behave as a single logical switch with a single control plane. Most commonly deployed as a ring topology using 50G DAC cables on the 6300.
• VSX (Virtual Switching Extension): active-active, dual-control-plane alternative for the 6300, 6400, and 8000-series. Each VSX peer keeps its own control plane and reboots independently — giving non-disruptive upgrades and fast failover.

Worked example — choosing between VSF and VSX. A retail customer with two CX 6300s per store who accepts a brief firmware-upgrade outage → VSF: simple, single management plane. A hospital with two CX 8325s in the DC core that refuses any maintenance window → VSX: independent control planes allow per-peer upgrades.

Data center (8400/9300/10000)

The CX 10000 is the headline product of the data-center line: integrated Pensando DPUs allow it to run stateful firewalling, microsegmentation, and telemetry directly on the switch ASIC, eliminating "service hairpin" trips to a centralized appliance.

Choosing the right platform — the exam-day decision tree

1. Terminating end-user devices? → 6100/6200 (or 6000 for branch).
2. Closet aggregation pair that should look like one switch? → 6300 + VSF.
3. Campus aggregation/core pair needing non-disruptive upgrades? → 6400 / 8100 / 8325 / 8360 + VSX.
4. Data-center core? → 8400 (legacy), 9300 (modern), or 10000 (DPU).

Key Takeaway: Memorize the tier each model belongs to and recognize VSF as the campus stacking story versus VSX as the active-active redundancy story.

If you remember only one thing from this chapter, make it this: AOS-CX is database-driven, not CLI-driven. Every switch capability — VLANs, OSPF neighbors, interface counters, even the running configuration — lives as rows and columns in a centralized in-memory database. The CLI, REST API, and NAE Python agents are simply different "lenses" on the same underlying data.

Figure 1.3: AOS-CX database-driven architecture layers

Time-series database (OVSDB-based)

AOS-CX uses an OVSDB-style centralized configuration and state database combined with a time-series database for telemetry. Two databases work together:

• The configuration/state database holds the current declared configuration plus live operational state (interface up/down, neighbor adjacencies, MAC table).
• The time-series database records timestamped samples — interface counters every 5 seconds, CPU every 10 seconds, queue depth every second. This is what lets NAE detect "error rate has been climbing for the last 30 minutes."

Real-world analogy: Think of a hospital. The configuration/state database is the patient's current chart — name, room, current medications. The time-series database is the bedside monitor — heart rate every second, oxygen saturation every five seconds. Doctors (CLI), automation (REST), and on-call alerts (NAE) all read the same charts and monitors.

Modular daemons and process isolation

1. Process isolation. A bug in OSPF cannot corrupt LACP state and cannot crash the switch.
2. Hot-patch and ISSU. Daemons are independent, enabling in-service software upgrades on supported platforms.
3. Common image across the portfolio. The same AOS-CX binary set runs from 6100 to 10000.

Worked example — daemon isolation in action. A malformed OSPF Type 5 LSA triggers a regression. On a legacy monolithic NOS the entire control plane could panic. On AOS-CX the OSPF daemon crashes, the supervisor restarts it within seconds, the time-series store flags the event, an NAE agent emails the on-call engineer — and traffic keeps forwarding in hardware because the data plane was never affected.

REST API and Python on-box scripting

NAE overview

An NAE agent is a Python script that:

1. Subscribes to the time-series database for one or more metrics.
2. Evaluates a condition every sampling period (e.g., "error rate > 1% for 60 seconds").
3. When the condition fires, takes action — log, webhook, CLI command, or ticket.

Real-world analogy: NAE is the on-call doctor who lives inside the hospital instead of being paged from home. The data never leaves the building, the response is measured in seconds, and only true anomalies escalate to humans.

Key Takeaway: AOS-CX is built around a centralized OVSDB-style database plus a time-series telemetry store. Modular daemons read/write through the database; the REST API and NAE expose the same data programmatically; the entire CX portfolio runs the same image.

Figure 1.4: HPE Aruba switching certification pathway

ACA, ACSA, ACSP, ACSE progression

Cross-track relevance

• ClearPass appears in the ACSA blueprint under Security & ACLs (RADIUS / 802.1X with ClearPass).
• Aruba Central is the unified cloud-management plane for all tracks.
• AI Insights in Central is increasingly cross-track — campus, mobility, and security signals together.

Recertification policies

HPE certifications have historically followed a three-year recertification cycle. Retain a credential by:

• Re-passing the same exam, or
• Passing a higher-level exam in the same track (earning ACP-Switching automatically renews ACSA), or
• Passing a delta/refresh exam if HPE publishes one.

Worked example — career trajectory. A network technician earns ACSA in year 1. In year 2 she leads a 6300/6400 deployment and earns ACP-Switching. ACP-Switching automatically extends her ACSA. By year 4 her exposure to multicast and VSX prepares her to attempt ACE-Switching — and she never has to "re-take" ACSA because each upward step renews it.

Key Takeaway: ACSA is the entry point of a four-tier ladder. Each level cumulatively assumes the one below, skills transfer across tracks via Aruba Central, and you can renew ACSA simply by climbing one rung higher within the recertification window.

This chapter framed the three things you need before opening Chapter 2: the exam, the hardware, and the operating system. The ACSA exam (HPE7-A01 / HPE6-A86) is a 60-question, 90-minute, ~66%-to-pass associate-level credential weighted 30/20/20/15/15 across Switching & VLANs, Routing & OSPF, Security & ACLs, Aruba Central, and Monitoring & API.

The Aruba CX hardware portfolio is intentionally tiered. The 6000/6100/6200 land in the wiring closet; the 6300/6400/8100/8325/8360 occupy aggregation and campus core; the 8400/9300/10000 anchor data-center cores, with the 10000 distinguished by integrated Pensando DPUs. VSF delivers campus stacking, while VSX provides active-active redundancy with non-disruptive upgrades. All platforms run the same AOS-CX image.

That operating system is database-driven from the ground up. An OVSDB-style central database plus a time-series telemetry store sit at the core; modular Linux daemons, the REST API, NAE Python agents, and Aruba Central are all "lenses" on that same data. Finally, ACSA is one rung on a four-tier ladder; passing it begins the ACSA → ACSP → ACSE journey, with skills that transfer across wireless and security tracks.