Chapter 9: Monitoring, Automation, and the Network Analytics Engine (NAE)


9.1 Traditional Monitoring Tools

SNMP, sFlow, Syslog, and mirror sessions are the four traditional pillars. Each answers a different operational question, and AOS-CX supports all four natively so you can integrate with existing NMS, flow collectors, SIEMs, and packet brokers.

SNMPv2c vs SNMPv3

SNMP is poll-based: the manager sends a GET for an OID, the agent replies. Traps and informs are unsolicited messages pushed when an event occurs; a trap is fire-and-forget UDP, an inform is retransmitted until the manager acknowledges it. AOS-CX runs v2c and v3 simultaneously, which is convenient during an NMS migration but means a v2c community string (sent in cleartext on every packet) stays valid until you remove it.

Feature          | SNMPv2c                      | SNMPv3
Authentication   | Community string (cleartext) | User-based: MD5/SHA-1 or SHA-2 HMAC
Encryption       | None                         | DES, 3DES, AES-128/192/256
Integrity        | None                         | HMAC
Security levels  | n/a                          | noAuthNoPriv, authNoPriv, authPriv
Production?      | No                           | Yes (authPriv only)

Of the v3 choices, MD5 and DES are legacy; pick a SHA-2 authentication protocol and AES privacy where the NMS supports them. The example below binds the agent to the management VRF so SNMP is never reachable from data-plane interfaces:

switch(config)# snmp-server vrf mgmt
switch(config)# snmpv3 user netops auth sha auth-pass plaintext "S3curePass!" priv aes priv-pass plaintext "Pr1vKey!"
switch(config)# snmp-server host 10.10.10.50 trap version v3 user netops

sFlow Sampling

sFlow samples 1-in-N packets at the ASIC, exports the first ~128 bytes plus periodic counters to a collector, and gives statistically representative top-talker data with very low CPU. Aruba guidance: 1-in-4096 for 1 GbE access; 1-in-8192 to 1-in-16384 for 10/25 GbE uplinks.

Syslog Severity

RFC 5424 numbers severities 0 (Emergency) through 7 (Debug); a lower number is more severe. Each message carries the severity in its leading PRI field, encoded as facility * 8 + severity, so a collector has to decode PRI before it can filter. Forward severity 5 (Notice) and lower to a SIEM; Debug (7) is reserved for troubleshooting and will flood the SIEM if forwarded. Set the clock timezone and NTP before you point the switch at a collector, or the timestamps will not line up with the rest of your timeline and correlation across devices breaks.
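As an added example (not from the page or from Aruba), the following decodes the PRI field exactly as described above and applies the Notice-and-lower forwarding rule to a handful of constructed AOS-CX-style RFC 5424 lines. It also flags events whose timestamp is nil or carries no UTC offset, which is the symptom of a switch that was never given NTP and a timezone; the sample lines, hostnames and message texts are invented for the demonstration.

```python
# Added example (not Aruba's code): RFC 5424 PRI decoding and a SIEM-forwarding filter at
# the Notice (5) threshold, run over constructed AOS-CX-style log lines.
import re
from dataclasses import dataclass
from datetime import datetime

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
SIEM_THRESHOLD = 5  # forward Notice and anything more severe (a *lower* number)

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
    r"(?:-|\[[^\]]*\])(?: (?P<msg>.*))?$")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msg: str

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]


def parse(line):
    """Decode one RFC 5424 line; PRI = facility * 8 + severity. Returns None if malformed."""
    m = RFC5424.match(line)
    if not m or int(m["pri"]) > 191:   # 23 facilities * 8 + 7 = 191 is the largest legal PRI
        return None
    pri = int(m["pri"])
    return SyslogEvent(pri >> 3, pri & 7, m["ts"], m["host"], m["app"], m["msg"] or "")


def clock_suspect(ev):
    """True when the timestamp cannot anchor a timeline: nil ('-') or no UTC offset,
    which is what a switch without NTP/timezone configuration tends to emit."""
    if ev.timestamp == "-":
        return True
    try:
        return datetime.fromisoformat(ev.timestamp.replace("Z", "+00:00")).tzinfo is None
    except ValueError:
        return True


def select_for_siem(lines, threshold=SIEM_THRESHOLD):
    """Split lines into (forward, drop, unparseable_count) using the severity threshold."""
    forward, drop, bad = [], [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            bad += 1
        elif ev.severity <= threshold:
            forward.append(ev)
        else:
            drop.append(ev)
    return forward, drop, bad


# Constructed sample lines in the shape AOS-CX emits (facility local7 = 23, so PRI = 184 + severity)
SAMPLE = [
    "<187>1 2024-05-01T10:00:01.000Z core-sw1 ssh-server 1201 - - Failed login for admin from 10.20.30.40",
    "<189>1 2024-05-01T10:00:02.000Z core-sw1 lldpd - - - Neighbor added on 1/1/7",
    "<190>1 2024-05-01T10:00:03.000Z core-sw1 ntpd - - - Synchronized to 10.10.10.1",
    "<191>1 2024-05-01T10:00:04.000Z core-sw1 nae - - - agent poll tick",
    "<188>1 - core-sw2 sysmon - - - Clock not synchronized, timestamp omitted",
    "not a syslog line at all",
]

if __name__ == "__main__":
    fwd, drp, bad = select_for_siem(SAMPLE)
    for ev in fwd:
        flag = " [CLOCK SUSPECT]" if clock_suspect(ev) else ""
        print(f"{ev.host} {ev.app} sev={ev.severity} ({ev.severity_name}){flag}: {ev.msg}")
    print(f"dropped {len(drp)} below threshold, {bad} unparseable")
```

Run as-is: the Error, Notice and Warning events are forwarded, the Informational and Debug lines are dropped, and the event from core-sw2 is forwarded but flagged because its nil timestamp cannot be placed on a timeline.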

Mirror Sessions

When sampling is not enough, for example security investigations or an IDS feed, mirror sessions copy 100% of traffic from source interfaces to a destination port (or to a GRE-tunneled remote endpoint, the ERSPAN equivalent). The destination port is dedicated to the mirror and does not forward normal user traffic, so plan for a spare port on the switch and for an analyzer that can keep up with the full line rate of the sources.


Pre-Quiz: Traditional Monitoring (Test yourself before reading more)

1. Which combination is the only acceptable SNMPv3 profile for a production switch handling regulated data?

noAuthNoPriv with a strong community string
authNoPriv with SHA-2
authPriv with SHA + AES
SNMPv2c over the management VRF

2. An engineer wants to identify which application is consuming a 10 GbE uplink. Which tool is the best fit?

SNMPv3 polling of ifInOctets
sFlow with a 1-in-8192 sampling rate
Syslog filtered to severity Debug
A mirror session to a Wireshark host

3. To reduce SIEM volume while still catching operationally meaningful events, which Syslog severity threshold is most appropriate?

Forward severity 7 (Debug) and lower
Forward severity 5 (Notice) and lower
Forward severity 0 (Emergency) only
Forward all severities; let the SIEM filter

4. What is true about the destination interface of an AOS-CX mirror session?

It can still forward normal user traffic alongside the copy
It is dedicated and cannot forward normal traffic
It must be configured as a routed L3 interface
It supports only ingress mirroring, never egress

9.2 REST API and Automation

AOS-CX exposes its entire configuration and operational state through a versioned REST API. To enable read-write and bind it to the management VRF:

switch(config)# https-server rest access-mode read-write
switch(config)# https-server vrf mgmt

The API lives at https://<switch-ip>/rest/v10.04/ (the version suffix follows your firmware). An interactive Swagger UI at /api/ documents and exercises every endpoint live.

Session-Cookie Authentication

You POST the username and password to /login (as form or query parameters, not as a JSON body); a 200 response carries a Set-Cookie header, and that cookie is the session credential every later call presents until you POST /logout. requests.Session in Python keeps the cookie jar for you. Treat the cookie like a password: it is only as safe as the TLS channel it travels on, so verify the switch certificate instead of passing verify=False, and always log out so the session is released on the switch.

import requests

base_url = "https://10.10.10.5/rest/v10.04"
session = requests.Session()
# Verify the switch certificate against the CA that issued it (path is an example);
# verify=False, common in lab scripts, silently accepts any certificate.
session.verify = "/etc/ssl/certs/switch-ca.pem"
# Credentials travel as form/query parameters named username and password
session.post(f"{base_url}/login", params={"username": "admin", "password": "ArubaNet!"})
# subsequent session.get/post calls carry the session cookie automatically
session.post(f"{base_url}/logout")   # release the session on the switch when done
Animation 1 - REST API Session-Cookie Authentication (Python client with requests.Session on one side, the AOS-CX REST API at /rest/v10.04 on the other)
  1. Client -> switch: POST /login with username and password
  2. Switch -> client: 200 OK, Set-Cookie: session=... (client stores the cookie)
  3. Client -> switch: GET /system/vlans with Cookie: session=...
  4. Switch -> client: 200 OK + JSON payload

CRUD on the Configuration Tree

Objects are addressable as URIs under /system. GET reads, POST creates, PUT replaces the whole object, PATCH merges the attributes you send, DELETE removes. The selector query parameter (configuration, status, or statistics) restricts a GET to one subset of an object's attributes, which keeps responses small on large tables.

# Create VLAN 200 (json= serializes the body and sets Content-Type: application/json)
new_vlan = {"id": 200, "name": "Guest", "admin": "up", "type": "static"}
resp = session.post(f"{base_url}/system/vlans", json=new_vlan)
resp.raise_for_status()   # 201 Created on success
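The login exchange described under Session-Cookie Authentication and the CRUD calls above are shown end to end in this added example, which is not Aruba's code. It uses only the standard library so it runs offline: a small client speaks the /login, /system/vlans and /logout endpoints, and a constructed in-process stand-in plays the switch side so you can see both halves of the exchange (no cookie means 401, a wrong password issues no cookie, logout invalidates the cookie). The switch address, credentials and CA-bundle path are assumptions, and the stand-in only imitates the status codes and headers this page discusses.

```python
# Added example, not Aruba's code: the AOS-CX REST login/cookie/CRUD/logout exchange, run
# offline against a constructed fake switch. Addresses and credentials are assumptions.
import http.client
import json
import secrets
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

API = "/rest/v10.04"


class AoscxRest:
    """Minimal client: POST /login -> keep the cookie -> CRUD -> POST /logout."""
    def __init__(self, conn):
        # Production: http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(
        # cafile="<your switch CA bundle>")) so the switch certificate is actually verified.
        self.conn = conn
        self.cookie = None   # "name=value" copied from Set-Cookie after login
    def call(self, method, path, body=None, params=None):
        url = API + path + ("?" + urllib.parse.urlencode(params) if params else "")
        headers = {"Accept": "application/json"}
        if self.cookie:
            headers["Cookie"] = self.cookie   # the cookie is the whole session credential
        if body is not None:
            headers["Content-Type"] = "application/json"
        self.conn.request(method, url, headers=headers,
                          body=None if body is None else json.dumps(body).encode())
        resp = self.conn.getresponse()
        raw = resp.read()
        return resp.status, resp.getheader("Set-Cookie"), (json.loads(raw) if raw else None)
    def login(self, username, password):
        # AOS-CX takes username/password as form or query parameters, not as a JSON body
        status, set_cookie, _ = self.call("POST", "/login",
                                          params={"username": username, "password": password})
        if status == 200 and set_cookie:
            self.cookie = set_cookie.split(";", 1)[0]   # keep name=value, drop Path/Secure/HttpOnly
        return status
    def logout(self):
        status, _, _ = self.call("POST", "/logout")     # releases the switch-side session
        self.cookie = None
        return status
    def create_vlan(self, vlan_id, name):   # 201 Created on success
        return self.call("POST", "/system/vlans",
                         body={"id": vlan_id, "name": name, "admin": "up", "type": "static"})[0]
    def list_vlans(self):
        return self.call("GET", "/system/vlans")[::2]   # (status, data)


class FakeSwitch(BaseHTTPRequestHandler):
    """Constructed stand-in for the switch side (plain HTTP, in-process), not real AOS-CX code."""
    sessions, vlans = set(), {1: "DEFAULT_VLAN_1"}
    log_message = lambda self, *args: None   # keep the fake switch quiet
    def _reply(self, status, body=None, cookie=None):
        payload = json.dumps(body).encode() if body is not None else b""
        self.send_response(status)
        if cookie:
            self.send_header("Set-Cookie", cookie + "; Path=/; Secure; HttpOnly")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
    def do_GET(self):
        if self.headers.get("Cookie") not in self.sessions:
            return self._reply(401)
        self._reply(200, {str(i): f"{API}/system/vlans/{i}" for i in self.vlans})
    def do_POST(self):
        url = urllib.parse.urlparse(self.path)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if url.path == API + "/login":
            q = urllib.parse.parse_qs(url.query)
            if q.get("username") != ["admin"] or q.get("password") != ["ArubaNet!"]:
                return self._reply(401)
            token = "id=" + secrets.token_hex(16)
            self.sessions.add(token)
            return self._reply(200, cookie=token)
        if self.headers.get("Cookie") not in self.sessions:
            return self._reply(401)   # no or unknown cookie: every other endpoint needs a session
        if url.path == API + "/logout":
            self.sessions.discard(self.headers["Cookie"])
            return self._reply(200)
        if url.path == API + "/system/vlans":
            vlan = json.loads(body)
            self.vlans[vlan["id"]] = vlan["name"]
            return self._reply(201)
        self._reply(404)


def demo():
    """Run the full exchange against the fake switch; returns each step's result."""
    server = HTTPServer(("127.0.0.1", 0), FakeSwitch)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        sw = AoscxRest(http.client.HTTPConnection("127.0.0.1", server.server_port))
        steps = {"get_before_login": sw.list_vlans()[0],      # 401: no cookie yet
                 "bad_password": sw.login("admin", "wrong"),  # 401, no cookie issued
                 "login": sw.login("admin", "ArubaNet!"),     # 200 + Set-Cookie
                 "create_vlan": sw.create_vlan(200, "Guest")} # 201 Created
        steps["vlans"] = sorted(sw.list_vlans()[1])           # ['1', '200']
        steps["logout"] = sw.logout()                         # 200, cookie discarded
        steps["get_after_logout"] = sw.list_vlans()[0]        # 401 again
        return steps
    finally:
        server.shutdown(); server.server_close()
```

Against a real switch, replace the HTTPConnection with the HTTPSConnection shown in the constructor comment; the client code does not change, only the transport. Keeping the cookie as a plain string makes the point explicit: whoever holds that value is the logged-in user until /logout is called.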

pyaoscx and Ansible

The pyaoscx SDK wraps REST in idiomatic Python objects (Vlan, Interface, Vrf, etc.) and handles cookies and materialization. The arubanetworks.aoscx Ansible Collection provides declarative modules built on top of pyaoscx for fleet orchestration.


Pre-Quiz: REST API

1. After a successful POST /login, how does the AOS-CX REST API authenticate subsequent requests?

An HTTP Basic auth header on every call
A Bearer token returned in the JSON body
A session cookie set in the Set-Cookie response header
Mutual TLS using a client certificate

2. Which HTTP verb creates a new VLAN object under /rest/v10.04/system/vlans?

GET
POST
PUT
DELETE

3. You need a Python script to manage VLANs across a fleet. Which option requires the least manual cookie handling and payload construction?

Raw curl commands wrapped in subprocess
The pyaoscx SDK
A custom requests wrapper you write from scratch
SNMPv3 SET operations

4. Which command enables the REST API in read-write mode on the management VRF?

https-server rest access-mode read-only
ip http secure-server + vrf forwarding mgmt
https-server rest access-mode read-write and https-server vrf mgmt
snmp-server rest enable vrf mgmt

9.3 The Network Analytics Engine (NAE)

NAE runs Python directly on AOS-CX to monitor, alert, and remediate — no external server, no polling latency, no separate license. The hierarchy is tidy:

Concept   | Role
Script    | Python file with Manifest + ParameterDefinitions
Agent     | Running instance of a script with parameter values
Monitor   | Subscription to a switch state URI
Condition | Boolean expression on monitor values; fires once on transition
Action    | Python code: ActionSyslog, ActionCLI, webhook, REST self-heal

Animation 2 - NAE Cascade: Script -> Agent -> Monitor -> Condition -> Action (an event bubbles through the hierarchy: a monitor reading triggers a condition, which fires an action)
  1. template:    Script link_flap.py (Manifest + ParameterDefinitions)
  2. instantiate: Agent with interface=1/1/1
  3. subscribe:   Monitor on the REST URI for link_state
  4. evaluate:    Condition m1 == 'down' (Boolean rule)
  5. remediate:   Action: Syslog + CLI capture

NAE Script Skeleton

# NAE, Monitor, Rule, ActionSyslog, ActionCLI and SYSLOG_WARNING are injected by the
# NAE runtime; a script does not import them.
Manifest = {
    'Name': 'interface_link_monitor',
    'Description': 'Alert and capture interface state when a chosen interface goes down',
    'Version': '1.0',
    'Author': 'netops'
}

ParameterDefinitions = {
    'interface_id': {
        'Name': 'Interface Id',
        'Description': 'Interface to monitor, e.g. 1/1/1',
        'Type': 'string',
        'Default': '1/1/1'
    }
}


class Agent(NAE):
    def __init__(self):
        # Monitor URIs use the switch-internal /rest/v1 path, as in the published nae-scripts.
        # Parameters are passed as a list; NAE substitutes and URL-encodes them into '{}'
        # itself, so the '/' in an interface name needs no hand-encoding.
        uri = '/rest/v1/system/interfaces/{}?attributes=link_state'
        self.m1 = Monitor(uri, 'Link State', [self.params['interface_id']])

        self.r1 = Rule('Interface Down')
        self.r1.condition('{} == "down"', [self.m1])   # fires once, on the transition to true
        self.r1.action(self.action_alert)

    def action_alert(self, event):
        ActionSyslog('Interface {} link DOWN', [self.params['interface_id']],
                     severity=SYSLOG_WARNING)
        ActionCLI('show interface {}', [self.params['interface_id']])

HPE publishes a public, tested library of NAE scripts at github.com/aruba/nae-scripts covering BGP/OSPF flaps, DHCP snooping anomalies, high CPU, MAC churn, PoE budget, microbursts, and STP topology changes.


Pre-Quiz: NAE

1. In NAE terminology, what is the difference between a Script and an Agent?

A Script runs continuously; an Agent runs once
A Script is the Python template; an Agent is a running instance with parameter values
A Script lives on Aruba Central; an Agent lives on the switch
A Script writes to syslog; an Agent writes to a database

2. In an NAE script, the line self.r1.condition('{} == "down"', [self.m1]) defines what?

A monitor that subscribes to a REST URI
A Python action that runs show interface
A Boolean rule evaluated on the monitor value, firing once on transition to true
A Manifest entry describing the script's author

3. Which is NOT a typical NAE Action?

ActionSyslog to write a message at a chosen severity
ActionCLI to run a show command and capture the output
A REST callback to AOS-CX to remediate configuration
An OSPF LSA flood to neighbor switches

4. Which statement about NAE licensing and platform support is correct?

NAE requires a separate per-switch license sold with AOS-CX
NAE is free and bundled; NAE-Lite is the reduced variant on lower-tier platforms
NAE only runs on Aruba Central, not on the switch
NAE is included only with HPE GreenLake subscriptions

9.4 Aruba Central and NetEdit

For multi-switch fleets, HPE offers two complementary tools: Aruba Central (cloud-managed) and NetEdit (on-prem). Both validate config and detect drift, but only Central does ZTP.

Aruba Central ZTP Onboarding

  1. Pre-provision the device in Central with serial number + MAC address.
  2. Apply HPE GreenLake licensing.
  3. Place in a template group with a JSON variables file keyed by serial/MAC.
  4. Power on at the remote site. The factory-default switch obtains an address, gateway and DNS via DHCP, contacts activate.arubanetworks.com over HTTPS with its serial number, is redirected to your Central tenant, pulls its template plus variables, applies the rendered config, and brings up its persistent, TLS-protected management connection to Central. If the site DHCP scope hands out a broken DNS server or egress to activate.arubanetworks.com is blocked, the switch simply stays in factory default, so check both before shipping.
  5. Verify in Central UI ("up") and on the device with show system.
Animation 3 - Aruba Central ZTP Onboarding Sequence
  Day 0 (admin): add serial + MAC in Central, apply the GreenLake license, assign the template group and JSON variables.
  1. Switch (factory default) -> site gateway/DNS: DHCP DISCOVER
  2. Switch -> activate.arubanetworks.com: HTTPS with serial number
  3. Activate redirector: look up tenant by serial -> redirect to the Central tenant
  4. Central -> switch: push rendered config (template + JSON vars)
  5. Management tunnel up; device shown UP in Central

UI Group vs Template Group

Aspect                   | UI Group                      | Template Group
Editor                   | GUI, form-driven              | Text template + JSON variables
Best for                 | Small fleets, simple configs  | Large fleets, scripted operations
Per-device customization | Limited                       | Full (one JSON entry per device)
Drift detection          | Yes                           | Yes

NetEdit (On-Prem)

For air-gapped or regulated environments, Aruba NetEdit is the on-premises virtual appliance that talks to AOS-CX over REST. Capabilities: configuration validation, multi-switch atomic transactions (all-or-nothing rollback), golden-config compliance, visual diffs, and change history. Critically: no ZTP from activate.arubanetworks.com — that capability is exclusive to Central.


Pre-Quiz: Aruba Central / NetEdit

1. A factory-default AOS-CX switch is plugged in at a remote site for ZTP. Which DNS name does it contact first?

portal.central.arubanetworks.com
activate.arubanetworks.com
aoscx.update.hpe.com
greenlake.hpe.com

2. Which two values must you pre-provision in Aruba Central before a ZTP-eligible switch ships?

Hostname and management IP
Serial number and MAC address (plus GreenLake license)
SSH public key and admin password
VLAN list and SNMP community

3. A regulated customer requires that all switch management remain inside their data center. Which orchestration tool is appropriate?

Aruba Central in template-group mode
Aruba Central in UI-group mode
Aruba NetEdit on-prem virtual appliance
A direct sFlow + Syslog pipeline

4. Which capability is exclusive to Aruba Central and NOT available in NetEdit?

Configuration validation before deploy
Multi-switch atomic transactions
Drift detection / compliance checking
Zero Touch Provisioning via activate.arubanetworks.com
