VMware NSX 4.x Professional Topic 1
Q1. What are two valid BGP Attributes that can be used to influence the route path traffic will take? (Choose two.)
A. AS-Path Prepend
B. Cost
C. BFD
D. MED
Hint answer: A D
Q2. What are two supported host switch modes? (Choose two.)
A. Overlay Datapath
B. DPDK Datapath
C. Standard Datapath
D. Enhanced Datapath
E. Secure Datapath
Hint answer: C D
Q3. Which two commands does an NSX administrator use to check the IP address of the VMkernel port for the Geneve protocol on the ESXi transport node? (Choose two.)
A. net-dvs
B. esxcli network ip interface ipv4 get
C. esxcfg-vmknic -l
D. esxcfg-nics -l
E. esxcli network nic list
Hint answer: B E
Q4. Which choice is a valid insertion point for North-South network introspection?
A. Tier-0 gateway
B. Host Physical NIC
C. Guest VM vNIC
D. Partner SVM
Hint answer: A
Q5. An NSX administrator is troubleshooting a connectivity issue with virtual machines running on an ESXi transport node.
Which feature in the NSX UI shows the mapping between the virtual NIC and the host’s physical adapter?
A. Port Mirroring
B. IPFIX
C. Activity Monitoring
D. Switch Visualization
Hint answer: D
Q6. Which two statements describe the characteristics of an Edge Cluster in NSX? (Choose two.)
A. Can have a maximum of 10 edge nodes
B. Can have a maximum of 8 edge nodes
C. Can contain multiple types of edge nodes (VM or bare metal)
D. Must contain only one type of edge nodes (VM or bare metal)
E. Must have only active-active edge nodes
Hint answer: A D
Q7. When deploying an NSX Edge Transport Node, what two valid IP address assignment options should be specified for the TEP IP addresses? (Choose two.)
A. Use a Static IP List
B. Use BootP
C. Use an IP Pool
D. Use RADIUS
E. Use a DHCP Server
Hint answer: A C
Q8. When running nsxcli on an ESXi host, which command will show the Replication mode?
A. get logical-switch status
B. get logical-switch status
C. get logical-switch
D. get logical-switches
Hint answer: B
Q9. When collecting support bundles through NSX Manager, which files should be excluded for potentially containing sensitive information?
A. Audit Files
B. Core Files
C. Management Files
D. Controller Files
Hint answer: B
Q10. An administrator needs to download the support bundle for NSX Manager.
Where does the administrator download the log bundle from?
A. System > Utilities > Tools
B. System > Settings > Support Bundle
C. System > Support Bundle
D. System > Settings
Hint answer: B
Q11. What should an NSX administrator check to verify that VMware Identity Manager integration is successful?
A. From the NSX UI the status of the VMware Identity Manager Integration must be “Enabled”.
B. From VMware Identity Manager the status of the remote access application must be green.
C. From the NSX UI the URI in the address bar must have “local=false” part of it.
D. From the NSX CLI the status of the VMware Identity Manager Integration must be “Configured”.
Hint answer: A
Q12. An administrator has deployed 10 Edge Transport Nodes in their NSX Environment, but has forgotten to specify an NTP server during the deployment.
What is the efficient way to add an NTP server to all 10 Edge Transport Nodes?
A. Use a Node Profile
B. Use the CLI on each Edge Node
C. Use Transport Node Profile
D. Use a PowerCLI script
Hint answer: A
Q13. Which statement is true about an alarm in a Suppressed state?
A. An alarm can be suppressed for a specific duration in hours.
B. An alarm can be suppressed for a specific duration in seconds.
C. An alarm can be suppressed for a specific duration in minutes.
D. An alarm can be suppressed for a specific duration in days.
Hint answer: A
Q14. An architect receives a request to apply distributed firewall in a customer environment without making changes to the network and vSphere environment. The architect decides to use Distributed Firewall on VDS. Which two of the following requirements must be met in the environment? (Choose two.)
A. VDS version 6.6.0 and later
B. vCenter 8.0 and later
C. NSX version must be 3.2 and later
D. NSX version must be 3.0 and later
Hint answer: A C
Q15. An administrator has been tasked with implementing the SSL certificates for the NSX Manager Cluster VIP.
Which is the correct way to implement this change?
A. Send an API call to https://
B. Send an API call to https://
C. SSH as admin into the NSX manager with the cluster VIP IP and run nsxcli cluster certificate vip install
D. SSH as admin into the NSX manager with the cluster VIP IP and run nsxcli cluster certificate node install
Hint answer: A
Q16. What are the four types of role-based access control (RBAC) permissions? (Choose four.)
A. Network Admin
B. None
C. Read
D. Auditor
E. Full access
F. Execute
G. Enterprise Admin
Hint answer: B C E F
Q17. Which two of the following characteristics of NAT64 are true? (Choose two.)
A. NAT64 is stateless and requires gateways to be deployed in active-standby mode.
B. NAT64 is supported on Tier-1 gateways only.
C. NAT64 is supported on Tier-0 and Tier-1 gateways.
D. NAT64 requires the Tier-1 gateway to be configured in active-standby mode.
E. NAT64 requires the Tier-1 gateway to be configured in active-active mode.
Hint answer: C D
Q18. Which command on ESXi is used to verify the Local Control Plane connectivity with Central Control Plane?
A. esxcli network ip connection list | grep 1235
B. esxcli network ip connection list | grep ccpd
C. esxcli network ip connection list | grep netcpa
D. esxcli network ip connection list | grep 1234
Hint answer: A
Q19. Which two are supported by L2 VPN clients? (Choose two.)
A. 3rd party Hardware VPN Device
B. NSX Autonomous Edge
C. NSX for vSphere Edge
D. NSX Edge
Hint answer: B D
Q20. An administrator wants to validate the BGP connection status between the Tier-0 Gateway and the upstream physical router. What sequence of commands could be used to check this status on NSX Edge node?
A. – enable
– get vrf
– show bgp neighbor
B. – set vrf
– show logical-routers
– show bgp
C. – get gateways
– vrf
– get bgp neighbor
D. – show logical-routers
– get vrf
– show ip route bgp
Hint answer: C
Q21. Which two steps must an NSX administrator take to integrate VMware Identity Manager in NSX to support role-based access control? (Choose two.)
A. Create a SAML authentication in VMware Identity Manager using the NSX Manager FQDN.
B. Enter the Identity Provider (IdP) metadata URL in NSX Manager.
C. Create an OAuth 2.0 client in VMware Identity Manager.
D. Add NSX Manager as a Service Provider (SP) in VMware Identity Manager.
E. Enter the service URL, Client Secret, and SSL thumbprint in NSX Manager.
Hint answer: C E
Q22. When a stateful service is enabled for the first time on a Tier-0 Gateway, what happens on the NSX Edge node?
A. SR and DR are instantiated but require manual connection.
B. SR is instantiated and automatically connected with DR.
C. DR is instantiated and automatically connected with SR.
D. SR and DR don’t need to be connected to provide any stateful services.
Hint answer: B
Q23. Which two logical router components span across all transport nodes? (Choose two.)
A. DISTRIBUTED_ROUTER_TIER1
B. TIER0_DISTRIBUTED_ROUTER
C. SERVICE_ROUTER_TIER0
D. DISTRIBUTED_ROUTER_TIER0
E. SERVICE_ROUTER_TIER1
Hint answer: A D
Q24. Which two choices are use cases for Distributed Intrusion Detection? (Choose two.)
A. Identify risk and reputation of accessed websites.
B. Quarantine workloads based on vulnerabilities.
C. Gain insight about micro-segmentation traffic flows.
D. Identify security vulnerabilities in the workloads.
E. Use agentless antivirus with Guest Introspection.
Hint answer: C E
Q25. A company security policy requires all users to log into applications using a centralized authentication system. Which two authentication, authorization, and accounting (AAA) systems are available when integrating NSX with VMware Identity Manager? (Choose two.)
A. LDAP and OpenLDAP based on Active Directory (AD)
B. RSA SecureID
C. Keygen Enterprise
D. SecureDAP
E. RADII 2.0
Hint answer: A B
Q26. Which three of the following describe the Border Gateway Routing Protocol (BGP) configuration on a Tier-0 Gateway? (Choose three.)
A. It supports a 4-byte autonomous system number.
B. The network is divided into areas that are logical groups.
C. Can be used as an Exterior Gateway Protocol.
D. BGP is enabled by default.
E. EIGRP is disabled by default.
Hint answer: A C D
Q27. Which is an advantage of an L2 VPN in an NSX 4.x environment?
A. Enables Multi-Cloud solutions
B. Enables VM mobility with re-IP
C. Achieve better performance
D. Use the same broadcast domain
Hint answer: D
Q28. Which NSX feature can be leveraged to achieve consistent policy configuration and simplicity across sites?
A. NSX HTML5 UI
B. Ethernet VPN
C. VRF Lite
D. NSX Federation
Hint answer: D
Q29. Which two statements are true about IDS Signatures? (Choose two.)
A. Users can upload their own IDS signature definitions.
B. An IDS signature contains data used to identify the creator of known exploits and vulnerabilities.
C. IDS signatures can be High Risk, Suspicious, Low Risk and Trustworthy.
D. An IDS signature contains data used to identify known exploits and vulnerabilities.
E. An IDS signature contains a set of instructions that determine which traffic is analyzed.
Hint answer: D E
Q30. An NSX administrator is creating a Tier-1 Gateway configured in Active-Standby High Availability Mode. In the event of node failure, the failover policy should not allow the original failed node to become the Active node upon recovery. Which failover policy meets this requirement?
A. Enable Preemptive
B. Non-Preemptive
C. Preemptive
D. Disable Preemptive
Hint answer: B
Q31. Which three DHCP Services are supported by NSX? (Choose three.)
A. Port DHCP per VNF
B. Segment DHCP
C. Gateway DHCP
D. VRF DHCP Server
E. DHCP Relay
Hint answer: B C E
Q32. Which two statements are true for IPSec VPN? (Choose two.)
A. VPNs can be configured on the command line interface on the NSX manager.
B. Dynamic routing is supported for any IPSec mode in NSX.
C. IPSec VPNs use the DPDK accelerated performance library.
D. IPSec VPN services can be configured at Tier-0 and Tier-1 gateways.
Hint answer: C D
Q33. Which two CLI commands could be used to see if vmnic link status is down? (Choose two.)
A. esxcfg-nics -l
B. esxcfg-vmknic -l
C. esxcli network vswitch dvs vmware list
D. esxcfg-vmsvc/get.networks
E. esxcli network nic list
Hint answer: A E
Q34. HOTSPOT –
Refer to the exhibit.
Which two items must be configured to enable OSPF for the Tier-0 Gateway in the image? Mark your answers by clicking twice on the image.
1. Enable OSPF 2. Set Area Definition
Q35. A customer has a network where BGP has been enabled and the BGP neighbor is configured on the Tier-0 Gateway. An NSX administrator used the get gateways command to retrieve this information:
Which two commands must be executed to check BGP neighbor status? (Choose two.)
A. vrf 3
B. sa-nsxedge-01(tier1_sr)> get bgp neighbor
C. vrf 4
D. sa-nsxedge-01(tier0_dr)> get bgp neighbor
E. vrf 1
F. sa-nsxedge-01(tier0_sr)> get bgp neighbor
Hint answer: A F
Q36. Which two of the following are used to configure Distributed Firewall on VDS? (Choose two.)
A. vCenter API
B. NSX UI
C. NSX CLI
D. vSphere API
E. NSX API
Hint answer: B E
Q37. What are four NSX built-in role-based access control (RBAC) roles? (Choose four.)
A. Read
B. Network Admin
C. Full Access
D. Enterprise Admin
E. LB Operator
F. Auditor
G. None
Hint answer: B D E F
Q38. Which two built-in VMware tools will help identify the cause of packet loss on VLAN Segments? (Choose two.)
A. Packet Capture
B. Live Flow
C. Traceflow
D. Flow Monitoring
E. Activity monitoring
Hint answer: A C
Q39. Which two statements are correct about East-West Malware Prevention? (Choose two.)
A. NSX Application Platform must have Internet access.
B. NSX Edge nodes must have Internet access.
C. A SVM is deployed on every ESXi host.
D. An agent must be installed on every NSX Edge node.
E. An agent must be installed on every ESXi host.
Hint answer: A C
Q40. As part of an organization’s IT security compliance requirement, NSX Manager must be configured for 2FA (two-factor authentication). What should an NSX administrator have ready before the integration can be configured?
A. VMware Identity Manager with NSX added as a Web Application
B. Active Directory LDAP integration with OAuth Client added
C. VMware Identity Manager with an OAuth Client added
D. Active Directory LDAP integration with ADFS
Hint answer: C
Q41. An NSX administrator is creating a NAT rule on a Tier-0 Gateway configured in active-standby high availability mode. Which two NAT rule types are supported for this configuration? (Choose two.)
A. Destination NAT
B. Reflexive NAT
C. Port NAT
D. Source NAT
E. 1:1 NAT
Hint answer: A D
Q42. What is the VMware recommended way to deploy a virtual NSX Edge Node?
A. Through the NSX UI
B. Through automated or interactive mode using an ISO
C. Through the vSphere Web Client
D. Through the OVF command line tool
Hint answer: A
Q43. Which of the following exist only on Tier-1 Gateway firewall configurations and not on Tier-0?
A. Applied To
B. Actions
C. Sources
D. Profiles
Hint answer: D
Q44. Which three security features are dependent on the NSX Application Platform? (Choose three.)
A. NSX Intelligence
B. NSX Firewall
C. NSX Network Detection and Response
D. NSX TLS Inspection
E. NSX Distributed IDS/IPS
F. NSX Malware Prevention
Hint answer: A C F
Q45. Which two of the following will be used for ingress traffic on the Edge node supporting a Single Tier topology? (Choose two.)
A. Inter-Tier interface on the Tier-0 gateway
B. Tier-0 Uplink interface
C. Downlink Interface for the Tier-0 DR
D. Tier-1 SR Router Port
E. Downlink Interface for the Tier-1 DR
Hint answer: B C
Q46. Which two are requirements for FQDN Analysis? (Choose two.)
A. The NSX Edge nodes require access to the Internet to download category and reputation definitions.
B. ESXi control panel requires access to the Internet to download category and reputation definitions.
C. The NSX Manager requires access to the Internet to download category and reputation definitions.
D. A layer 7 gateway firewall rule must be configured on the Tier-1 gateway uplink.
E. A layer 7 gateway firewall rule must be configured on the Tier-0 gateway uplink.
Hint answer: A D
Q47. DRAG DROP –
Match the NSX Intelligence recommendations with their correct purpose.
The security policy recommendations are of the East-West distributed firewall (DFW) security policies in the application category. The security group recommendations consist of the VMs or physical servers whose traffic flows were analyzed for the time period and the boundary you had specified. The service recommendations are service objects that were used by applications in the VMs or physical servers that you had specified, but the services are not yet defined in the NSX inventory.
Q48. Which steps are required to activate Malware Prevention on the NSX Application Platform?
A. Activate NSX Network Detection and Response and run Pre-checks.
B. Select Cloud Region and Deploy Network Detection and Response.
C. Activate NSX Network Detection and Response and Deploy Malware Prevention.
D. Select Cloud Region and run Pre-checks.
Hint answer: D
Q49. An administrator is configuring service insertion for Network Introspection. Which two places can the Network Introspection be configured? (Choose two.)
A. Partner SVM
B. Host pNIC
C. Tier-0 gateway
D. Tier-1 gateway
E. Edge Node
Hint answer: C D
Q50. In which VPN type are the Virtual Tunnel interfaces (VTI) used?
A. Policy & Route based VPNs
B. Route & SSL based VPNs
C. SSL-based VPN
D. Route-based VPN
Hint answer: D
Q51. Which of the following settings must be configured in an NSX environment before enabling stateful active-active SNAT?
A. A Punting Traffic Group for the NSX Edge uplinks
B. Tier-1 gateway in distributed only mode
C. Tier-1 gateway in active-standby mode
D. An Interface Group for the NSX Edge uplinks
Hint answer: D
Q52. Which command is used to test management connectivity from a transport node to NSX Manager?
A. esxcli network ip connection list | grep 1234
B. esxcli network connection list | grep 1235
C. esxcli network ip connection list | grep 1235
D. esxcli network connection list | grep 1234
Hint answer: A
Q53. A security administrator needs to configure a firewall rule based on the domain name of a specific application. Which field in a distributed firewall rule does the administrator configure?
A. Profile
B. Service
C. Source
D. Policy
Hint answer: A
Q54. An NSX administrator is reviewing syslog and notices that Distributed Firewall Rules hit counts are not being logged. What could cause this issue?
A. Zero Trust Security is not enabled.
B. Distributed Firewall Rule logging is not enabled.
C. Syslog is not configured on the NSX Manager.
D. Syslog is not configured on the ESXi transport node.
Hint answer: B
Q55. What can the administrator use to identify overlay segments in an NSX environment if troubleshooting is required?
A. VNI ID
B. VLAN ID
C. Segment ID
D. Geneve ID
Hint answer: A
Q56. A company is deploying NSX micro-segmentation in their vSphere environment to secure a simple application composed of web, app, and database tiers.
The naming convention will be:
WKS-WEB-SRV-XXX
WKY-APP-SRR-XXX
WKI-DB-SRR-XXX
What is the optimal way to group them to enforce security policies from NSX?
A. Use Edge as a firewall between tiers.
B. Group all by means of tags membership.
C. Create an Ethernet based security policy.
D. Do a service insertion to accomplish the task.
Hint answer: B
Q57. Which troubleshooting step will resolve an error with code 1001 during the configuration of a time-based firewall rule?
A. Changing the time zone on the ESXi host.
B. Re-installing the NSX VIBs on the ESXi host.
C. Restarting the NTP service on the ESXi host.
D. Reconfiguring the ESXi host with a local NTP server.
Hint answer: C
Q58. Which is the only supported mode in NSX Global Manager when using Federation?
A. Controller
B. Proxy
C. Policy
D. Proton
Hint answer: C
Q59. How is the RouterLink port created between a Tier-1 Gateway and Tier-0 Gateway?
A. Manually create a Segment and connect to both Tier-1 and Tier-0 Gateways.
B. Automatically created when Tier-1 is created.
C. Manually create a Logical Switch and connect to both Tier-1 and Tier-0 Gateways.
D. Automatically created when Tier-1 is connected with Tier-0 from NSX UI.
Hint answer: D
Q60. Which three selections are capabilities of Network Topology? (Choose three.)
A. Display the uplinks configured on the Tier-1 Gateways.
B. Display how the different NSX components are interconnected.
C. Display the VMs connected to Segments.
D. Display the uplinks configured on the Tier-0 Gateways.
E. Display how the Physical components are interconnected.
Hint answer: B C D
Q61. An NSX administrator has deployed a single NSX Manager node and will be adding two additional nodes to form a 3-node NSX Management Cluster for a production environment. The administrator will deploy these two additional nodes and Cluster VIP using the NSX UI. Which two are prerequisites for this configuration? (Choose two.)
A. The cluster configuration must be completed using API.
B. All nodes must be in separate subnets.
C. All nodes must be in the same subnet.
D. A compute manager must be configured.
E. NSX Manager must reside on a Windows Server.
Hint answer: C D
Q62. Which two BGP configuration parameters can be configured in the VRF Lite gateways? (Choose two.)
A. Route Aggregation
B. Route Distribution
C. Graceful Restart
D. BGP Neighbors
E. Local AS
Hint answer: A D
Q63. A customer is preparing to deploy a VMware Kubernetes solution in an NSX environment. What is the minimum MTU size for the UPLINK profile?
A. 1700
B. 1550
C. 1650
D. 1500
Hint answer: A
Q64. What needs to be configured on a Tier-0 Gateway to make NSX Edge Services available to a VM on a VLAN-backed logical switch?
A. Loopback Router Port
B. VLAN Uplink
C. Service interface
D. Downlink interface
Hint answer: C
Q65. Which two of the following features are supported for the Standard NSX Application Platform Deployment? (Choose two.)
A. NSX Network Detection and Response
B. NSX Intelligence
C. NSX Malware Prevention Metrics
D. NSX Intrinsic Security
E. NSX Intrusion Detection and Prevention
Hint answer: A C
Q66. Which CLI command is used for packet capture on the ESXi Node?
A. debug
B. pktcap-uw
C. set capture
D. tcpdump
Hint answer: B
Q67. Which two choices are solutions offered by the VMware NSX portfolio? (Choose two.)
A. VMware Aria Automation
B. VMware NSX Distributed IDS/IPS
C. VMware NSX Advanced Load Balancer
D. VMware Tanzu Kubernetes Grid
E. VMware Tanzu Kubernetes Cluster
Hint answer: B C
Q68. Which three NSX Edge components are used for North-South Malware Prevention? (Choose three.)
A. IDS/IPS
B. Security Analyzer
C. Reputation Service
D. RAPID
E. Thin Agent
F. Security Hub
Hint answer: A D F
Q69. When configuring OSPF on a Tier-0 Gateway, which three of the following must match in order to establish a neighbor relationship with an upstream router? (Choose three.)
A. Address of the neighbor
B. Subnet mask
C. MTU of the Uplink
D. Protocol and Port
E. Area ID
F. Naming convention
Hint answer: B C E
Q70. HOTSPOT –
Refer to the exhibit.
An administrator configured NSX Advanced Load Balancer to redistribute the traffic between the web servers. However, requests are sent to only one server.
Which of the following pool configuration settings needs to be adjusted to resolve the problem? Mark the correct answer by clicking on the image.
Q71. Which three data collection sources are used by NSX Network Detection and Response to create correlations/intrusion campaigns? (Choose three.)
A. Distributed Firewall flow data from the ESXi hosts
B. East-West anti-malware events from the ESXi hosts
C. Files and anti-malware file events from the NSX Edge nodes and the Security Analyzer
D. IDS/IPS events from the ESXi hosts and NSX Edge nodes
E. Suspicious Traffic Detection events from NSX Intelligence
Hint answer: C D E
Q72. Where does an administrator configure the VLANs used in VRF Lite? (Choose two.)
A. uplink interface of the default Tier-0 gateway
B. uplink trunk segment
C. uplink interface of the VRF gateway
D. downlink interface of the default Tier-0 gateway
E. segment connected to the Tier-1 gateway
Hint answer: B C
Q73. DRAG DROP –
Refer to the exhibits.
Drag and drop the NSX graphic element icons on the left found in an NSX Intelligence visualization graph to its correct description on the right.
Hint answer:
Q74. An administrator has a requirement to have consistent policy configuration and enforcement across NSX instances. What feature of NSX fulfills this requirement?
A. Federation
B. Policy-driven configuration
C. Load balancer
D. Multi-hypervisor support
Hint answer: A
Q75. Which two tools are used for centralized logging in VMware NSX? (Choose two.)
A. VMware Aria Automation
B. VMware Aria Operations for Logs
C. Syslog Server
D. VMware Aria Operations
E. VMware Aria Operations for Networks
Hint answer: B C
Q76. Which command is used to display the network configuration of the Tunnel Endpoint (TEP) IP on a bare metal transport node?
A. tcpdump
B. ifconfig
C. tcpconfig
D. debug
Hint answer: B
Q77. An administrator has connected two virtual machines on the same overlay segment. Ping between both virtual machines is successful. What type of network boundary does this represent?
A. Layer 2 VPN
B. Layer 2 broadcast domain
C. Layer 2 bridge
D. Layer 3 route
Hint answer: B
Q78. Which CLI command on NSX Manager and NSX Edge is used to change NTP settings?
A. get time-server
B. set timezone
C. get timezone
D. set ntp-server
Hint answer: D
Q79. How does the Traceflow tool identify issues in a network?
A. Compares intended network state in the control plane with Tunnel End Point (TEP) keepalives in the data plane.
B. Injects ICMP traffic into the data plane and observes the results in the control plane.
C. Compares the management plane configuration states containing control plane traffic and error reporting from transport node agents.
D. Injects synthetic traffic into the data plane and observes the results in the control plane.
Hint answer: D
Q80. In an NSX environment, an administrator is observing low throughput and congestion between the Tier-0 Gateway and the upstream physical routers. Which two actions could address low throughput and congestion? (Choose two.)
A. Add an additional vNIC to the NSX Edge node.
B. Configure NAT on the Tier-0 gateway.
C. Configure ECMP on the Tier-0 gateway.
D. Configure a Tier-1 gateway and connect it directly to the physical routers.
E. Deploy Large size Edge node/s.
Hint answer: C E
Q81. The security administrator turns on logging for a firewall rule. Where is the log stored on an ESXi transport node?
A. /var/log/fw.log
B. /var/log/messages.log
C. /var/log/dfwpktlogs.log
D. /var/log/vmware/nsx/firewall.log
Hint answer: C
Q82. An NSX administrator is using ping to check connectivity between VM1 running on ESXi1 and VM2 running on ESXi2. The ping test fails. The administrator knows the maximum transmission unit size on the physical switch is 1600. Which command does the administrator use to check the VMware kernel ports for tunnel end point communication?
A. vmkping ++netstack=geneve -d -s 1572
B. esxcli network diag ping -I vmk0 -H
C. esxcli network diag ping -H
D. vmkping ++netstack=vxlan -d -s 1572
Hint answer: D
Q83. Which table on an ESXi host is used to determine the location of a particular workload for a frame-forwarding decision?
A. TEP Table
B. ARP Table
C. Routing Table
D. MAC Table
Hint answer: D
Q84. Which CLI command would an administrator use to allow syslog on an ESXi transport node when using the esxcli utility?
A. esxcli network firewall ruleset set -r syslog -e true
B. esxcli network firewall ruleset -e syslog
C. esxcli network firewall ruleset set -a -e false
D. esxcli network firewall ruleset set -r syslog -e false
Hint answer: A
Q85. Which three protocols could an NSX administrator use to transfer log messages to a remote log server? (Choose three.)
A. TLS
B. SSH
C. SSL
D. HTTPS
E. UDP
F. TCP
Hint answer: A E F
Q86. An NSX administrator would like to create an L2 segment with the following requirements:
• L2 domain should not exist on the physical switches.
• East/West communication must be maximized as much as possible.
Which type of segment must the administrator choose?
A. Hybrid
B. Overlay
C. Bridge
D. VLAN
Hint answer: B
Q87. Which field in a Tier-1 Gateway Firewall would be used to allow access for a collection of trustworthy web sites?
A. Destination
B. Profiles -> Context Profiles
C. Source
D. Profiles -> L7 Access Profile
Hint answer: D
Q88. What are two functions of the Service Engines in NSX Advanced Load Balancer? (Choose two.)
A. It collects real-time analytics from application traffic flows.
B. It stores the configuration and policies related to load-balancing services.
C. It deploys web servers to perform load-balancing operations.
D. It performs application load-balancing operations.
E. It provides a user interface to perform configuration and management tasks.
Hint answer: A D
Q89. Where is the insertion point for East-West network introspection?
A. Guest VM vNIC
B. Partner SVM
C. Tier-0 router
D. Host Physical NIC
Hint answer: A
Q90. Where in the NSX UI would an administrator set the time attribute for a time-based Gateway Firewall rule?
A. There is no option in the NSX UI. It must be done via command line interface.
B. The option to set time-based rule is a clock icon in the policy.
C. The option to set time-based rule is a field in the rule itself.
D. The option to set time-based rule is a clock icon in the rule.
Hint answer: B
Q91. An NSX administrator wants to create a Tier-0 Gateway to support equal cost multi-path (ECMP) routing. Which failover detection protocol must be used to meet this requirement?
A. Beacon Probing (BP)
B. Bidirectional Forwarding Detection (BFD)
C. Virtual Router Redundancy Protocol (VRRP)
D. Host Standby Router Protocol (HSRP)
Hint answer: B
Q92. What are two valid options when configuring the scope of a distributed firewall rule? (Choose two.)
A. Segment Port
B. DFW
C. Tier-1 Gateway
D. Segment
E. Group
Hint answer: B E
Q93. Which VMware GUI tool is used to identify problems in a physical network?
A. VMware Site Recovery Manager
B. VMware Aria Automation
C. VMware Aria Operations Networks
D. VMware Aria Orchestrator
Hint answer: C
Q94. Which TraceFlow traffic type should an NSX administrator use for validating connectivity between App and DB virtual machines that reside on different segments?
A. Multicast
B. Anycast
C. Broadcast
D. Unicast
Hint answer: D
Q95. NSX improves the security of today’s modern workloads by preventing lateral movement. Which feature of NSX can be used to achieve this?
A. Virtual Security Zones
B. Network Segmentation
C. Edge Firewalling
D. Dynamic Routing
Hint answer: B
Q96. Which CLI command does an NSX administrator run on the NSX Manager to generate support bundle logs if the NSX UI is inaccessible?
A. esxcli system syslog config logger set --id=nsxmanager
B. get support-bundle file vcpnv.tgz
C. vm-support
D. set support-bundle file vcpnv.tgz
Hint answer: B
Q97. An NSX administrator would like to export syslog events that capture messages related to NSX host preparation events. Which message ID (msgid) should be used in the syslog export configuration command as a filter?
A. MONITORING
B. GROUPING
C. FABRIC
D. SYSTEM
Hint answer: C
Q98. What must be configured on Transport Nodes for encapsulation and decapsulation of Geneve protocol?
A. STT
B. TEP
C. UDP
D. VXLAN
Hint answer: B
Q99. What are three NSX Manager roles? (Choose three.)
A. master
B. manager
C. cloud
D. zookeeper
E. policy
F. controller
Hint answer: B E F
Q100. Which NSX CLI command is used to change the authentication policy for local users?
A. set auth-policy
B. set cli-timeout
C. get auth-policy minimum-password-length
D. set hardening-policy
Hint answer: A
Q101. Refer to the exhibit.
An administrator would like to change the private IP address of the NAT VM 172.16.101.11 to a public address of 80.80.80.1 as the packets leave the NAT-Segment network.
Which type of NAT solution should be implemented to achieve this?
A. DNAT
B. Reflexive NAT
C. NAT64
D. SNAT
Hint answer: D
Q101. Which CLI command shows syslog on NSX Manager?
A. show log manager follow
B. get log-file syslog
C. /var/log/syslog/syslog.log
D. get log-file auth.log
Hint answer: B
Q102. Which VPN type must be configured before enabling a L2VPN?
A. SSL-based IPSec VPN
B. Route-based IPSec VPN
C. Port-based IPSec VPN
D. Policy-based IPSec VPN
Hint answer: B
Q103. Which command is used to set the NSX Manager’s logging-level to debug mode for troubleshooting?
A. set service manager logging-level debug
B. set service nsx-manager logging-level debug
C. set service nsx-manager log-level debug
D. set service manager log-level debug
Hint answer: A