Check the Available HPE7-A07 Exam Dumps with 127 QA's UPDATED 2026
Download HPE7-A07 Exam Dumps Questions to get 100% Success in HP
HP HPE7-A07 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
| Topic 6 |
|
| Topic 7 |
|
| Topic 8 |
|
| Topic 9 |
|
NEW QUESTION # 54
A customer is evaluating device profiles on a CX 6300 switch. The test device has the following attribute:
* MAC address = 81:cd:93:13:ab:31
The test device needs to be assigned the "iot-prod" role. In addition, the "iot-default" role must be applied for any other device connected to interface 1/1/1.
This is a lab environment with no configuration of any external authentication server for the test.
Given the configuration example, what is required to meet this testing requirement?
- A. Enter the command port-access device-profile mode block-until-profile-applied globally
- B. Enter the command port-access onboarding-method precedence to set device profiles with a higher precedence
- C. Enter the command port-access onboarding-method precedence to set device profiles with a lower precedence
- D. Enter the command port-access fallback-role iot-default globally
Answer: D
Explanation:
In Aruba CX 6300 and other AOS-CX switches, device profiling enables automatic assignment of roles and policies to endpoints based on device attributes such as MAC OUI, LLDP, or DHCP fingerprint - without requiring an external authentication server such as ClearPass or RADIUS.
The configuration snippet shows:
mac-group iot
seq 10 match mac-oui 81:cd:93
port-access device-profile iot-prod
enable
associate role iot-prod
associate mac-group iot
This means that any device with a MAC address matching the OUI 81:cd:93 will automatically be assigned the iot-prod device profile and its associated role (iot-prod).
However, the requirement also specifies that any other device connected to the same interface (that does not match the OUI or device profile) should still be assigned a default role called iot-default.
To ensure that endpoints not matching any known device profile still receive limited network access, Aruba AOS-CX uses the fallback-role feature under port-access configuration.
The command:
port-access fallback-role iot-default
defines the role that will be automatically assigned to endpoints that fail to match any of the configured device-profile conditions.
This mechanism is crucial in lab or standalone environments where no external authentication (e.g., RADIUS, ClearPass) is configured. It ensures devices are still given a default policy, preventing them from being left in an unauthenticated or blocked state.
Official HPE Aruba Extract (ArubaOS-CX Security and Access Guide):
"The fallback-role command allows the switch to assign a predefined local role to a device when no authentication server is available, or when the device does not match any configured device profile."
"This command is typically used in test or lab environments where profiling is local to the switch, and a baseline role must still be enforced for unknown devices." Therefore, in this case:
* Devices matching the MAC OUI 81:cd:93 # assigned iot-prod role
* All other devices # automatically assigned iot-default role via port-access fallback-role iot-default Option Analysis:
* A. Incorrect - The port-access onboarding-method precedence command changes the priority order between authentication methods (e.g., 802.1X, MAC-auth, device profile). It does not control fallback behavior.
* B. Incorrect - The block-until-profile-applied option delays port activation until profiling completes, but it doesn't provide a fallback role.
* C. Correct - The port-access fallback-role iot-default command ensures that any device not matching the iot-prod profile receives the iot-default role.
* D. Incorrect - Lowering precedence has no effect on assigning a default role.
Final Verified answer: C
Reference Sources (HPE Aruba Official Materials):
* Aruba AOS-CX Security and Access Configuration Guide - Device Profiling and Role Assignment
* Aruba Certified Switching Professional (ACSP) Study Guide - Port Access and Device Profiling
* ArubaOS-CX Fundamentals Guide - Port Access and Fallback Role Implementation
NEW QUESTION # 55
Refer to the exhibit.
Which statement is true?
- A. The client performed passive scanning
- B. The client is failing 802.1X authentication
- C. The client used an incorrect passphrase
- D. The client is using BSS Fast Transition
Answer: B
Explanation:
The exhibit shows a series of 802.1X authentication steps with multiple "Deauthentication" frames, which indicate that the client is not successfully completing the authentication process. Since the frames show repeated attempts at authentication followed by deauthentication, this suggests that the client is failing the
802.1X authentication process, which is required for network access in a WPA2/WPA3-Enterprise security environment.
NEW QUESTION # 56
Which data transmission method provides the most efficient use of airtime for VoIP traffic?
- A. TWT
- B. OFDM
- C. FDMA
- D. MU-MIMO
Answer: D
Explanation:
MU-MIMO (Multi-User, Multiple Input, Multiple Output) provides the most efficient use of airtime for VoIP traffic among the options listed. MU-MIMO allows multiple users to receive multiple data streams simultaneously, improving the overall efficiency of the network, especially in dense environments where VoIP applications need consistent and reliable connectivity.
NEW QUESTION # 57
You configured a tunneled SSID with captive portal and a ClearPass Guest Self Registration workflow when testing and launching the self-registration workflow, after successful registration, the login action shows the following error:
What is the best solution to resolve this error?
- A. You need to include the root and intermediate certificates in the captive portal certificate for your gateway
- B. You need to include the root and intermediate certificates in the captive portal certificate for your access points
- C. You need to change the Login Address in ClearPass to securelogin arubanetworKs.com
- D. You need to De connected to the guest SSiD while testing.
Answer: A
Explanation:
Including the root and intermediate certificates in the captive portal certificate for the gateway will resolve the error seen during the login action after successful registration. This is necessary to ensure the SSL/TLS handshake can be completed successfully, as the client browser needs to validate the entire certificate chain.
NEW QUESTION # 58
A customer's infrastructure is set up to use both primary and secondary gateway clusters on the SSID profile based on best practices What is a valid cause tor having an equal spirt in APs connected to the primary and secondary gateway clusters?
- A. The secondary gateway cluster is homogeneous
- B. The secondary gateway cluster is heterogeneous
- C. The primary gateway cluster is up. out some APs cannot reach the secondary gateway cluster. These APs would connect to the secondary gateway cluster
- D. The primary gateway cluster is up. out some APs are unable to reach the primary gateway cluster. These APs would connect to the secondary gateway cluster
Answer: D
Explanation:
In a high availability setup where both primary and secondary gateway clusters are present, APs are typically designed to connect to the primary cluster. If the APs are equally split between the primary and secondary, this may indicate that some APs cannot reach the primary cluster due to connectivity issues or reachability constraints, thus falling back to the secondary cluster.
NEW QUESTION # 59
A network technician racked up two 9240 mobility gateways in a single cluster that will be terminating 1700 APs in a medium-sized branch office Next, the technician cabled the gateways with two SFP28 Direct Attach Copper (DAC) cables, distributed between a two-member core switching stack and powered them up.
What must the network administrator do next regarding the gateway configuration to ensure maximum wired bandwidth utilization?
- A. Map two physical ports to a port channel on each gateway.
- B. Disable the spanning tree and allocate unique VLANs to each port.
- C. Make an ports trunk interfaces and permit data VLANs
- D. Manually set 25Gbps speeds on all ports.
Answer: A
Explanation:
To maximize wired bandwidth utilization, especially when multiple APs are terminating on mobility gateways, it's best practice to aggregate physical ports into a port channel. This provides redundancy and increased bandwidth by combining the throughput of multiple ports.
NEW QUESTION # 60
Your customer's employees connected to a wired network are complaining about a poor user experience. The customer has UXI sensors deployed on their premises. These sensors nave been running for multiple months.
They are testing both the wired network (using the wired Interface of each sensor) and the wireless networks.
Your customer used the UXI dashboard to find the reason for the poor user experience to find more details, the customer asked you to check the packet captures that have been downloaded from the sensors using the UXI dashboard.
From the zip file downloaded from the UXI sensors, you checked the "datagrams" .pcap file, but you were not able to find any issues How can you explain this?
- A. The "datagrams- pcap file only contains me successful tests Failed tests are contained in the "datagrams- failed" .pcap file
- B. The default filers of the packet captures do not allow tailed tests to be captured by the sensor
- C. The UXI sensor could not upload the latest test results to the cloud, so the packet capture is outdated
- D. The datagrams captured on the physical Ethernet interface are in a different .pcap file.
Answer: A
Explanation:
It is a common practice to separate successful and failed test results into different files for ease of troubleshooting. If the "datagrams.pcap" file shows no issues, it's likely because it only contains successful test data, and the failed tests that could explain the poor user experience would be in a different file, such as
"datagrams-failed.pcap."
NEW QUESTION # 61
An administrator is creating a fabric with NetConductor in HPE Aruba Networking Central Considering an EVPN VXLAN fabric, click on the most appropriate layer to be configured as a Rome-Reflector Persona.
Answer:
Explanation:
Explanation:
In the context of an EVPN VXLAN fabric, the Route-Reflector Persona is most appropriately configured at the Services Aggregation layer. This layer is responsible for interconnecting different network services and typically includes more robust, higher-capacity devices capable of handling the route-reflection functions for EVPN VXLAN.
In an Aruba Networks fabric, route reflectors are used to optimize the distribution of BGP routes. The Services Aggregation layer, which is centrally located in the network topology, is best suited for this role due to its high availability and ability to efficiently manage routes between the core and access layers.
Therefore, if you were to click on the image provided, you would select the Services Aggregation layer to configure the Route-Reflector Persona.
NEW QUESTION # 62
Refer to the exhibit.
To which devices has AP-1 established tunnels?
- A. A pair of standalone gateways
- B. A single gateway within a cluster
- C. A pair of switches running VXLAN
- D. A pair of gateways within a cluster
Answer: D
Explanation:
The command shown in the exhibit is:
Access-1# show ubt state
This command displays the User-Based Tunneling (UBT) status on an Aruba CX switch. UBT allows wired access devices (like CX 6300/6400) to extend tunneled connectivity to Aruba gateways, using GRE tunnels for user traffic.
The output contains the following sections:
1. Local Conductor Server (LCS) State
Primary : 172.16.200.252 ready_for_bootstrap operational_primary
Secondary : 172.16.200.253 ready_for_bootstrap operational_secondary
This confirms that two gateways (IP 172.16.200.252 and 172.16.200.253) form an LCS pair in an Aruba gateway cluster.
Exact extract:
"The Local Conductor Servers (LCS) represent the pair of Aruba Gateways that control and terminate UBT tunnels. One operates as the primary (active) and the other as the secondary (standby). These gateways must be configured as a cluster pair."
2. Switch Anchor Controller (SAC) State
Active : 172.16.200.252 20:4c:03:81:e7:ca registered
Standby : 172.16.200.253 20:4c:03:b2:12:0a registered
Both gateways are registered as active and standby switch anchor controllers. This is a clear indication that the switch (Access-1) has successfully established tunnels to both gateways within the cluster.
Exact extract:
"The Switch Anchor Controller (SAC) section lists both cluster members to which the switch forms GRE tunnels. The switch maintains active and standby tunnels for redundancy."
3. User Anchor Controller (UAC) State
Each connected user is mapped to a User Anchor Controller (UAC) - one of the two gateways - depending on cluster load balancing:
User Anchor Controller (UAC): 172.16.200.252
User Anchor Controller (UAC): 172.16.200.253
Each user session is anchored on a specific gateway within the cluster. The presence of two different UAC IPs confirms that users are being distributed across both gateways - a behavior that occurs only in a clustered gateway configuration.
Exact extract:
"In a clustered gateway deployment, each user session is dynamically anchored to one of the gateways. The UAC field shows which gateway currently handles each user session." Conclusion:
From the output:
* Two gateways are shown as primary and secondary LCS.
* Both are registered as SACs (tunnel endpoints).
* Users are distributed across both gateways as UACs.
This confirms that Access-1 (the CX switch) has established GRE tunnels to a pair of gateways within a cluster.
Hence, the correct answer is A. A pair of gateways within a cluster.
Why the Other Options Are Incorrect:
* B. A pair of switches running VXLAN:UBT tunnels are GRE-based and terminate on Aruba Gateways, not VXLAN-enabled switches.
"User-Based Tunneling uses GRE tunnels to Aruba Gateways; VXLAN is not used for UBT."
* C. A single gateway within a cluster:The output explicitly shows two controllers (active and standby) registered - not a single one.
* D. A pair of standalone gateways:The LCS state shows primary/secondary operational roles, which exist only in a cluster, not standalone gateways.
References of HPE Aruba Networking Switching Documents or Study Guide:
* ArubaOS-CX Access Security and UBT Configuration Guide - "Understanding User-Based Tunneling (UBT), LCS, SAC, and UAC roles."
* Aruba Gateway Clustering and Redundancy Guide - "Cluster operation and role distribution for UBT."
* Aruba Campus Wired and Wireless Integration Guide - "How CX switches form UBT tunnels to clustered Aruba gateways."
* Aruba Zero Trust Access Design Guide - "High availability with UBT across gateway clusters."
NEW QUESTION # 63
An ACME company employee complained about a recent poor-quality VoIP call while moving around their office environment HPE Aruba Networking Central reported a fair UCC score for this call while your VoIP engineer reported that their systems reported a MOS of 2, 3. The VoIP devices are operating over the 5GHz frequency band.
What are the possible contributing factors? (Select two.)
- A. There was localized interference at the caller's location
- B. 802.tr is enabled in the WLAN Security settings.
- C. Coverage AP deployment plans generally don't support enough cell overlap for VoIP.
- D. 802.1K is disabled in the WLAN Security settings
- E. The client roamed into an area that continuously operates Zigbee.
Answer: C,E
Explanation:
VoIP quality can be negatively impacted by insufficient cell overlap in AP deployment plans, which can cause poor handoffs between APs as a user moves around. This results in a degraded VoIP experience.
Additionally, roaming into an area with continuous Zigbee operation can cause interference with the 5GHz frequency band, further contributing to poor VoIP call quality. The Zigbee communication protocol operates on the same frequency band as Wi-Fi and can introduce noise and interference, which leads to a reduced MOS score, as reported by the VoIP engineer.
NEW QUESTION # 64
Your customer asked for help to apply an ACL for wireless guest users with the following criteria:
* Wi-Fi guests are on VLAN 555
* allow internet access
* only allow access to public DNS servers
* deny access to all internal networks except for any DHCP server
These session ACLs are already present in the CLI of the mobility gateway group:
You have access to the CLl. Which user role meets all the criteria?
- A.

- B.

- C.

- D.

Answer: A
Explanation:
Based on the criteria provided for wireless guest users, the correct user role configuration must allow internet access, only allow access to public DNS servers, deny access to all internal networks except for any DHCP server, and place the Wi-Fi guests on VLAN 555. The ACLs must permit services necessary for basic internet access (such as DNS and DHCP) and block access to internal networks.
Option A satisfies these criteria with the following configurations:
user-role "WiFi-guest": This defines the role for Wi-Fi guests.
access-list session dhcp-acl: This applies the access list that likely permits DHCP, which is necessary for guests to obtain an IP address.
access-list session dns-acl: This applies the DNS access list, which likely restricts guests to using public DNS servers.
access-list session internal-networks: This applies the internal networks access list, which denies access to internal networks.
vlan 555: This sets the VLAN for Wi-Fi guests to 555.
Options B, C, and D are incorrect because they includeaccess-list session allowallwhich would permit all traffic, contradicting the requirement to deny access to all internal networks.
NEW QUESTION # 65
The ACME company has an AOS-CX 6200 VSF switch slack with an uplink over subscription ratio of 9.6:1.
They have indicated that their low-priority TCP traffic has been flagged with a DSCP marking coloring them yellow.
Refer to the exhibit.

They are considering adding two more nodes to thestack without adding any additional uplinks due to existing wiring constraints.One of their architects has suggested adding the following configuration:
What would be the impact of applying the acmethreshold profile as shown? (Select two.)
- A. Only VoIP packets egressing queue 5 on LAG1 will likely be protected from uplink over-utilization.
- B. Yellow-flagged TCP traffic egressing LAG1 will be subject to drop probability
- C. VoIP packets egressing any queue on LAG1 will more likely be protected from uplink over-utilization
- D. All TCP traffic egressing LAG1 wail be subject to drop probability
- E. All upper-layer protocol traffic egressing LAG1 will be subject to drop probability.
Answer: B,E
Explanation:
Applying the 'acmethreshold' profile as shown in the exhibit would set a minimum and maximum threshold for queue 0, which affects the drop probability for traffic that exceeds these thresholds. The yellow marking indicates a medium drop precedence, so yellow-flagged traffic would be more likely to be dropped when congestion occurs, and the uplink is over-utilized. This action is intended to protect higher-priority traffic, such as VoIP, by giving it a lower probability of being dropped.
NEW QUESTION # 66
A campus topology uses VSXwith a collapsed core topology.The customer added redundant SFP+ transceivers and reconfigured their mobility gateways from a single link to an aggregate Link.You are asked to verify the CLI output for the link aggregation configuration for one of the mobility gateway cluster members below.
What is a valid configuration?
- A.

- B.

- C.

- D.

Answer: C
Explanation:
The configuration shown in Option A is a valid configuration for a multi-chassis link aggregation (MC-LAG) setup. It specifies the use of LACP (Link Aggregation Control Protocol) with a fast rate of LACP PDUs exchange, which is appropriate for creating a resilient and high-throughput link aggregation. The 'vlan trunk allowed all' command allows all VLANs across the trunk, and 'vlan trunk native 100' sets VLAN 100 as the native VLAN for untagged traffic.
NEW QUESTION # 67
A customer is planning to add loT devices that connect wirelessly to the existing 802.1X SSlD. The customer will use ClearPass to authenticate the IoT devices by MAC address but other devices will still need to authenticate by only 802 1X Exhibit.
The customer provided the current configuration and reported their non-loT 802. IX devices are no longer able to connect. Which configuration change can be made to fix the issue?
- A. Add i2-autn-fairtnrougn to the WLAN configuration
- B. Remove mac-authentication from the WLAN configuration
- C. Modify max-authentication failures to 0.
- D. Modify opmode wpa3-aes-gcm-256 to opmode wpa2-aes
Answer: B
Explanation:
The existing configuration for the WLAN ssid-profile has enabled MAC authentication which, while suitable for IoT devices that may not support 802.1X, can interfere with the normal 802.1X authentication process for other devices. By removing the mac-authentication directive from the WLAN configuration, the non-IoT
802.1X devices should be able to connect without issues as the authentication process will not be disrupted by MAC authentication checks. This adjustment ensures that the WLAN ssid-profile is correctly aligned with the authentication requirements for both IoT and non-IoT devices within the network environment, conforming to the best practices for mixed-device WLAN configurations.
NEW QUESTION # 68
A network administrator wants to configure an 802.1X supplicant for a wireless network that includes the following:
* AES encryption
* EAP-MSCHAPv2-based user and machine authentication
* Validation of server certificate in Microsoft Windows 10
The network administrator creates a WLAN profile and selects the Change connection settings option. Then the network administrator changes the security type to Microsoft: Protected EAP (PEAP) and enables user and machine authentication under Additional Settings.
What must the network administrator do next to accomplish the task? (Select two)
- A. Enable user authentication
- B. Enable server certificate validation
- C. EAP-TLS-based user and machine authentication
- D. Change default RC4 encryption for AES
Answer: A,B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract of HPE Aruba Networking Switching:
When configuring an 802.1X supplicant in Microsoft Windows for EAP-PEAP (Protected EAP) using EAP-MSCHAPv2, both user and machine credentials can be used for authentication. The network administrator has already enabled user and machine authentication under Additional Settings, but to meet the stated requirements (AES encryption and server certificate validation), two critical steps remain:
* Enable server certificate validationThis ensures the client validates the identity of the RADIUS server (such as Aruba ClearPass or another authentication server) to prevent man-in-the-middle attacks.
It satisfies the requirement for "validation of server certificate in Windows 10".
Exact Extract:
"For EAP-PEAP with EAP-MSCHAPv2, select 'Validate server certificate' to ensure the client trusts the authentication server's identity. The server certificate must be signed by a CA trusted by the client."
* Enable user authenticationWhile both user and machine authentication are possible, user authentication must be explicitly enabled so that credentials (domain or local user) are sent after machine authentication completes. This enables the full EAP-MSCHAPv2-based user and machine authentication process.
Exact Extract:
"In EAP-PEAP properties, ensure 'Enable user authentication' is selected to authenticate both the workstation and logged-on user credentials when using EAP-MSCHAPv2." Additionally, Windows 10 uses AES encryption automatically when WPA2/WPA3-Enterprise is configured, fulfilling requirement (1). RC4 encryption is not applicable because AES is the default cipher for WPA2 Enterprise networks.
Why the Other Options Are Incorrect:
* C. EAP-TLS-based user and machine authentication:The question specifies EAP-MSCHAPv2, not EAP-TLS. EAP-TLS uses digital certificates for mutual authentication, while PEAP with EAP- MSCHAPv2 uses username and password-based credentials.
"EAP-TLS is certificate-based; PEAP-MSCHAPv2 uses password-based authentication."
* D. Change default RC4 encryption for AES:RC4 is used in older WPA or TKIP security types. When using WPA2-Enterprise, AES is automatically selected and cannot be manually overridden.
"WPA2-Enterprise (802.1X) uses AES-CCMP encryption; RC4/TKIP is not applicable to modern configurations." References of HPE Aruba Networking Switching Documents or Study Guide:
* Aruba Secure Connectivity and Authentication Guide (AOS-10) - "Configuring Windows 802.1X Supplicant for PEAP-MSCHAPv2."
* Microsoft Windows 10 Enterprise Network Configuration Guide - "PEAP with EAP-MSCHAPv2 Setup and Server Certificate Validation."
* Aruba ClearPass Deployment Guide - "Certificate Validation and EAP Methods Overview."
* Aruba WLAN Security and AAA Configuration Guide - "EAP Frameworks and Supported Encryption Methods."
NEW QUESTION # 69
Which command would allow you to verity receipt of a CoA message on an AOS 10 GW?
- A. tcpdump host-port 3799
- B. packet-capture datapath udp 3799
- C. packet-capture controipath udp 3799
- D. packet-capture interprocess udp 3799
Answer: C
Explanation:
The Change of Authorization (CoA) messages are used in network access control scenarios and are typically received by the network access server, in this case, an Aruba AOS 10 Gateway. The correct command to verify the receipt of a CoA message is related to the control path traffic because CoA is a control plane function.
Option B,packet-capture controlpath udp 3799, is the correct answer because it specifies capturing control plane traffic on UDP port 3799, which is the standard port for CoA messages.
Options A, C, and D are incorrect because:
Option A captures data plane traffic, not control plane traffic.
Option C'spacket-capture interprocess udp 3799does not refer to a standard command for capturing CoA messages.
Option D,tcpdump host-port 3799, does not specify the correct syntax for capturing traffic on Aruba devices.
NEW QUESTION # 70
A network administrator wants to configure an 802 1X supplicant for a wireless network that includes the following:
1. AES encryption
2. EAP-MSCHAPv2-based user and machine authentication
3. validation of server certificate in Microsoft Windows 10
The network administrator creates a WLAN profile and selects the change connection settings option Then the network administrator changes the security type to Microsoft Protected EAP (PEAP) and enables user and machine authentication under Additional Settings.
What must the network administrator do next to accomplish the task?
- A. Enable user authentication
- B. Enable server certificate validation
- C. Change the security type to Microsoft: Smart Card or other certificate.
- D. Change default RC4 encryption for AES
Answer: B
Explanation:
When configuring an 802.1X supplicant for wireless network access with Microsoft Windows 10, enabling server certificate validation is a critical step to ensure the security of the authentication process. Server certificate validation helps prevent man-in-the-middle attacks by ensuring the RADIUS server presenting the certificate is the correct server that the client expects to communicate with.
NEW QUESTION # 71
A customer wan a gateway connected to a device on gigabitethernet 0/0/3 configures an Asset ID TLV on the device for inventory management.
Exhibit.
The customer mentions me Asset ID is not shown What is causing the issue?
- A. LLPD-MED needs to be enabled.
- B. LLDP TX is not enabled.
- C. Unknown TLVs cannot be displayed.
- D. MTU size is too small.
Answer: C
Explanation:
The issue is that unknown TLVs (Type Length Values) cannot be displayed. LLDP (Link Layer Discovery Protocol) is used to share device information with network neighbors, but if a TLV is not recognized by the LLDP implementation on the gateway, it won't be displayed or processed. Hence, the Asset ID TLV set on the device for inventory management is not showing up because it is unrecognized or unsupported by the gateway's LLDP.
NEW QUESTION # 72
......
Best Value Available! 2026 Realistic Verified Free HPE7-A07 Exam Questions: https://www.braindumpspass.com/HP/HPE7-A07-practice-exam-dumps.html
100% Accurate Answers! HPE7-A07 Actual Real Exam Questions: https://drive.google.com/open?id=1Xo9iGZfbql29LUrLfGPcMGmhjPCdZHDB