QUESTION NO: 2
What are two advantages for using NSX for vSphere's Logical Switching? (Choose two.)
A. Expands the number of available VLANs.
B. Allows for Layer 2 switching over Layer 3 infrastructure.
C. Distributes Layer 3 data across multiple hypervisors
D. Provides for 10,000 logical segments.
Answer: B,D
Explanation:
QUESTION NO: 3
Based on VMware's best practices, what two statements define the best solution for scaling layer
2 services for the virtual network? (Choose two.)
A. Employ a layer 2 switched network.
B. Employ a layer 3 switched network.
C. Use GRE for an overlay network.
D. Use VXLAN for an overlay network.
Answer: B,D
Explanation:
QUESTION NO: 4
Which component provides for installation of NSX hypervisor kernel components and user world
agents?
A. NSX Controller
B. NSX Edge Virtual Appliance
C. NSX Manager
D. vRealize Automation
Answer: C
Explanation:
QUESTION NO: 5
Which NSX service or feature provides optimized management of virtual machine broadcast
(ARP) traffic?
A. NSX Controller
B. NSX Manager
C. Edge Services Gateway
D. VTEP
Answer: A
Explanation:
QUESTION NO: 6
You are tasked with designing a data center architecture that should maximize the use of vMotion
within your environment. The design has these requirements:
The network must utilize widely offered layer 2 switching and layer 3 switching services
Purchase of new equipment should be minimized
QUESTION NO: 7
Which two statements describe the benefits provided by firewall services deployed by NSX?
(Choose two.)
A. Firewall services deployed using a software appliance will provide east-west traffic filtering and
security.
B. Firewall services deployed using a distributed kernel module will provide east-west traffic
filtering and security.
C. Firewall services providing edge security services uses a virtual appliance and is centrally
managed.
D. Firewall services providing edge security services uses a distributed kernel module.
Answer: B,C
Explanation:
QUESTION NO: 8
Which two statements are valid regarding vCloud Networking and Security (vCNS) and NSX?
(Choose two.)
A. Both vCNS and NSX support multiple hypervisor environments.
B. NSX provides support for multiple hypervisor environments, vCNS does not.
C. Both vCNS and NSX support dynamic routing protocols.
D. NSX supports dynamic routing protocols, vCNS does not.
Answer: B,D
Explanation:
QUESTION NO: 9
An administrator wishes to upgrade to NSX from the following infrastructure:
What is a valid, minimum set of steps to properly upgrade this environment to NSX?
A. 1. Upgrade vCenter Server 4.1 to vCenter Server 5.5
2. Upgrade vShield 5.0 to vShield 5.5
3. Upgrade ESXi hosts to ESXi 5.1 or greater
4. Install the NSX upgrade bundle
B. 1. Upgrade vCenter Server 4.1 to vCenter Server 5.1
2. Upgrade vCenter Server 5.1 to vCenter Server 5.5
3. Upgrade ESXi hosts to ESXi 5.1 or greater
4. Install the NSX upgrade bundle
C. 1. Upgrade vCenter Server 4.1 to vCenter Server 5.5
2. Upgrade ESXi hosts to ESXi 5.1 or greater
3. Install the NSX upgrade bundle
D. 1. Upgrade vCenter Server 4.1 to vCenter Server 5.5
2. Upgrade vShield 5.0 to vShield 5.5
3. Install the NSX upgrade bundle
Answer: A
Explanation:
QUESTION NO: 10
Layer 2 Multipathing (L2MP) and Multi-chassis Etherchannel (MEC) features have distinct scaling
differences with the network switching and routing services provided by NSX.
Which two statements provide a proper contrast of these services? (Choose two.)
QUESTION NO: 11
An administrator has recently deployed NSX, but is still using a pair of physical network security
devices. The administrator wants to use the physical security devices to filter virtual machine traffic
hosted in the overlay network.
Which NSX component will provide the connectivity between the overlay and the physical
network?
A. Distributed Firewall
B. NSX Controller
C. Edge Services Gateway
D. Logical Router
Answer: D
Explanation:
QUESTION NO: 12
Which two are valid statements regarding third-party services and NSX? (Choose two.)
A. Third party services are automatically registered with NSX Manager.
B. Third party services can either be automatically or manually registered with NSX Manager.
C. Third party services require the deployment of a virtual appliance.
D. Third party services may or may not utilize a service virtual appliance.
Answer: B,D
Explanation:
QUESTION NO: 13
Where must you go to manually register a third-party service with VMware NSX?
A. vSphere Web Client -> Networking & Security -> Installation -> Service Deployments tab
B. vSphere Web Client -> Networking & Security -> Service Composer -> Service Deployments
tab
C. vSphere Web Client -> Networking & Security -> Service Definitions
D. vSphere Web Client -> Networking & Security -> Distributed Firewall -> Service Definitions
Answer: C
Explanation:
QUESTION NO: 14
What two statements correctly describe the way NSX provides integration with Cloud Management
Platforms (CMPs)? (Choose two.)
A. OpenStack provides integration with the Cinder plug-in.
B. OpenStack provides integration with the Neutron plug-in.
C. VMware provides open source API plug-ins for their own CMP products such as vCloud
Director and vRealize Automation.
D. VMware provides out of the box integration with their own CMP products such as vCloud
Director and vRealize Automation.
Answer: B,D
Explanation:
QUESTION NO: 15
Which VMware NSX for vSphere component can be created on-demand using
vRealize Automation?
A. The logical switch
B. The logical distributed router
C. The distributed firewall
D. The NSX Edge Services Gateway
"Pass Any Exam. Any Time." - www.actualtests.com
QUESTION NO: 16
Which NSX feature provides the ability to audit network traffic, define and refine firewall policies,
and identify threats to the network?
A. ERSPAN
B. Flow Monitoring
C. Logical Routers
D. Service Composer
Answer: B
Explanation:
QUESTION NO: 17
Which statement is true regarding deploying NSX over a physical network?
A. OSPF can be used for Management traffic in a Layer 3 fabric design.
B. NSX can implement IPv6 on an IPv4 physical network.
C. Routing is supported on bridged interfaces.
D. VLANs are not required to separate traffic between virtual machines.
Answer: B
Explanation:
QUESTION NO: 18
How does NSX simplify physical network design?
A. VLANs are moved into the virtual network for virtual machine traffic, eliminating the need to use
Private VLANs on the physical network.
B. Network administrators only need to configure routing on the physical network for virtual
machine traffic since all other network functions are moved to the virtual network.
C. Transport zones are created in the virtual network for virtual machine traffic, removing the need
to make changes to the physical network.
QUESTION NO: 19
Which two statements are true regarding NSX? (Choose two.)
A. Workloads can be placed and moved independently of physical topology.
B. Operational efficiency can be achieved through automation of the physical network.
C. Workload deployments are non-disruptive over the existing physical network.
D. NSX implementation requires a VMware vSphere environment.
Answer: A,C
Explanation:
QUESTION NO: 20
How does NSX simplify the underlying physical network?
A. All configuration and state information is available via the REST APIs to automate the
configuration of the physical network.
B. All configuration and state information are readily accessible, as is the mapping between virtual
network topologies and the physical network.
C. All configuration and state information is stored in the local NSX BPDU database, eliminating
the need for Spanning Tree Protocol (STP) on the physical network.
D. All configuration and state information is cached by the NSX controllers, reducing the number of
MAC/ARP table entries on the physical network.
Answer: B
Explanation:
QUESTION NO: 21
Which statement best describes scaling a fault tolerant spine-leaf multipathing fabric architected
for an NSX deployment?
QUESTION NO: 22
If unicast mode is configured for the overlay transport in an NSX deployment, which two
statements correctly define the network support that is required? (Choose two.)
A. Configure NSX High Availability.
B. Layer 2 switching support in the access and distribution layers
C. Layer 3 switching support in the access and distribution layers
D. Configure Jumbo Frame support
Answer: C,D
Explanation:
QUESTION NO: 23
Which two characteristics of the underlying physical network does VMware NSX require for robust
IP transport? (Choose two.)
A. The physical network should provide scalable network I/O using Layer 2 Multipathing (L2MP)
and Multichassis Link Aggregation (MLAG).
B. The physical network should provide scalable network I/O using Equal Cost Multipathing
(ECMP).
C. QoS is not necessary since classification and marking will be done in the overlay.
D. QoS classification and marking is required to provide end-to-end flow control.
Answer: B,D
Explanation:
QUESTION NO: 25
On a vSphere Standard Switch, how does teaming two or more physical network adapters provide
load balancing when using the Load Balancing feature Route based on the originating virtual port
ID?
A. The physical network adapter is chosen by use of a round robin based algorithm for each
additional virtual port in the port group that becomes active.
B. The physical network adapter is chosen by using the source IP address of the virtual machine
and the destination IP address as variables in an algorithm.
C. The physical network adapter is chosen by using the source MAC address as a variable in an
algorithm.
D. The physical network adapter is chosen based on the workloads from each port and the
number of physical adapters.
Answer: A
Explanation:
QUESTION NO: 26
What are two valid methods of configuring virtual machines to use a vSphere Distributed Switch
(vDS) that are currently using a vSphere Standard Switch (vSS)? (Choose two.)
A. Select each virtual machine and drag it to the vSphere Distributed Switch.
B. Select the vSS in use by the virtual machines and select the Move to option on the right-click
QUESTION NO: 27
A network security administrator wants to monitor traffic on several VLANs configured on a
vSphere Distributed Switch. The traffic will be sent to another distributed port.
What type of port mirroring session must be configured to meet these requirements?
A. Select the session type Distributed Port Mirroring when configuring the Port Mirroring session.
B. Select the session type Remote Mirroring Source when configuring the Port Mirroring session.
C. Select the session type Remote Mirroring Destination when configuring the Port Mirroring
session.
D. Select the session type Distributed Port Mirroring (legacy) when configuring the Port Mirroring
session.
Answer: C
Explanation:
QUESTION NO: 28
What are three switch features found only on vSphere Distributed Switches? (Choose three.)
A. Network I/O Control
B. CDP
C. LLDP
D. SR-IOV
E. Port Mirroring
Answer: A,C,E
Explanation:
QUESTION NO: 29
What feature can you configure to provide the most accurate account for only the traffic between
the web servers and the clustered database?
A. On the vSphere Distributed Switch, configure the use of a port mirroring session using the
Encapsulated Remote Mirroring (L3) Source session type.
B. On the vSphere Distributed Switch, configure the use of a port mirroring session using the
Remote Mirroring Destination session type.
C. On the vSphere Distributed Switch, configure the use of an Isolated Private VLAN for the ports
of the four virtual machines.
D. On the vSphere Distributed Switch, configure Netflow for the distributed virtual port group and
enable Process internal flows only for the distributed switch.
Answer: D
Explanation:
QUESTION NO: 30
Which three network policy settings can only be configured on a vSphere 5.5 Distributed Switch?
(Choose three.)
A. Access Control Lists (ACLs)
B. Network I/O Control
C. LACP v2
D. NetFlow
E. DSCP Marking
Answer: A,C,E
Explanation:
QUESTION NO: 31
What is the minimum MTU size recommended by VMware for the physical network when
deploying NSX for vSphere?
QUESTION NO: 32
A company wants to deploy VMware NSX for vSphere with no PIM and no IGMP configured in the
underlying physical network. This company also must ensure that non-ESXi hosts do not receive
broadcast, unknown unicast or multicast (BUM) traffic.
Which replication mode should the logical switches be deployed with?
A. Unicast Replication Mode
B. Multicast Replication Mode
C. Hybrid Replication Mode
D. Transport Zone Mode
Answer: A
Explanation:
QUESTION NO: 33
A company wants to deploy VMware NSX for vSphere and ensure the least amount of bandwidth
consumption in the underlying physical architecture.
Which replication mode should the logical switches be deployed with?
A. Multicast Replication Mode
B. Unicast Replication Mode
C. Hybrid Replication Mode
D. vSphere Replication Mode
Answer: A
Explanation:
QUESTION NO: 35
Your data center is made up of two VMware vCenter Server instances. Each vCenter Server
manages three clusters with 16 hosts per cluster.
In preparing for your VMware NSX deployment, how many vShield Endpoint instances will you
have?
A. 2
B. 6
C. 48
D. 96
Answer: D
Explanation:
QUESTION NO: 36
Which option is VMware's best practice for the deployment of NSX Manager and NSX Controller
components?
A. Deploy the NSX Manager and NSX Controller components to a management cluster.
B. Deploy the NSX Manager component to a management cluster and the NSX Controller
components to a resource cluster.
C. Deploy the NSX Controller components to a management cluster and the NSX Manager
component to a resource cluster.
QUESTION NO: 37
You want to use an existing NSX Manager to extend logical networks to the ESXi hosts of a new
cluster.
QUESTION NO: 38
What is the earliest version of vCloud Network and Security (vCNS) that can be upgraded to
VMware NSX for vSphere 6.0?
A. vCNS 5.0
B. vCNS 5.1
C. vCNS 5.5
D. vCNS 6.0
Answer: C
Explanation:
QUESTION NO: 40
Which statement is correct when upgrading vShield Data Security to NSX Data Security?
A. NSX Data Security does not support a direct upgrade.
B. NSX Controller must be deployed before the upgrade.
C. The vCloud Network and Security Virtual Wires must have been upgraded.
D. vCloud Network and Security must be at least version 5.1 before starting the upgrade.
Answer: A
Explanation:
QUESTION NO: 41
A new ESXi 5.5 host is deployed in a vSphere environment with VMware NSX for vSphere.
How can the host be prepared for VMware NSX for vSphere?
A. By using Image Builder to pre-load the NSX for vSphere VIBs in the ESXi image in an Auto
Deploy solution.
B. By leveraging VMware Update Manager to install the new NSX for vSphere VIBs into each of
the hosts.
C. By creating a new VMkernel port in the host from the Host and Clusters inventory view in
vSphere Web Client.
D. By entering the ESXi 5.5 management IP address in the NSX Controllers so the VIBs can be
installed.
QUESTION NO: 42
When preparing a vSphere host cluster to work with VMware NSX, which two options show VIBs
that are installed and registered with all hosts within the prepared cluster? (Choose two.)
A. NSX VXLAN
B. NSX Distributed Firewall
C. NSX Edge
D. NSX Data Security
Answer: A,B
Explanation:
QUESTION NO: 43
What is a prerequisite to deploying a Logical Switch?
A. Configure the VXLAN Tunnel Endpoint's (VTEP) VLAN on the trunk in the physical switches.
B. Add the ESXi hosts to the same vSphere Distributed Switch.
C. Prepare and configure VTEPs on the ESXi hosts using the vSphere Web Client.
D. Create a port group on the vSphere Distributed Switch.
Answer: A
Explanation:
QUESTION NO: 44
After consulting with the network team, it is decided that Transport Zones will be configured with
Unicast Replication Mode for a new NSX for vSphere deployment.
Which statement is true regarding the function of the VXLAN Tunnel End Points (VTEPs)?
A. The VTEPs will send unicast frames to the NSX Controllers when the VTEPs do not have a
QUESTION NO: 45
How is the Bridge Instance chosen?
A. It is chosen based on the ESXi host where the Logical Router Control VM is running.
B. It is manually assigned by the vSphere administrator when the distributed portgroup is
configured.
C. During an election process among all ESXi hosts. The host with the highest MAC address is
selected.
D. The VTEP configured with the highest VXLAN Network Identifier (VNI) is selected.
Answer: A
Explanation:
QUESTION NO: 46
Where is the layer 2 bridge instance deployed when configuring a bridge connection between a
logical switch and a VLAN?
A. On the ESXi host running the logical router
B. On the ESXi host running the logical switch
C. On both ESXi hosts that make up the layer 2 bridge
D. On each virtual machine that will utilize the layer 2 bridge
Answer: A
Explanation:
QUESTION NO: 48
Which two components are required to enable layer 2 bridging? (Choose two.)
A. Distributed firewall rule to allow layer 2 traffic in the bridge.
B. Deployed Logical Switch.
C. Deployed Logical Router.
D. VLAN trunk configured on logical switch.
Answer: A,C
Explanation:
QUESTION NO: 49
A vSphere administrator added a new interface to a Distributed Router with a subnet of
172.16.10.0/24 and wants to make this subnet reachable to the rest of the network. How can the
vSphere administrator achieve this?
A. Enable OSPF on the Distributed Router. Configure the uplink interface in the Backbone area
and redistribute into OSPF the 172.16.10.0/24 subnet.
B. Enable OSPF on the Distributed Router. Configure the uplink interface in the normal area and
the new interface with the subnet 172.16.10.0/24 in a Backbone area.
C. Enable OSPF on the Distributed Router. Configure the uplink interface in the Backbone area
and redistribute from OSPF the 172.16.10.0/24 subnet.
D. Enable OSPF on the Distributed Router. Configure the uplink interface in the Backbone area
and the new interface with the subnet 172.16.10.0/24 in a normal area.
QUESTION NO: 50
How many Logical Interfaces can be assigned to a single Distributed Router instance?
A. 1
B. 12
C. 1000
D. 1200
Answer: C
Explanation:
QUESTION NO: 51
A vSphere administrator wants to add a VLAN LIF to a Distributed Router. What must the vSphere
administrator do for the VLAN LIF to be added successfully?
A. The vSphere administrator must assign a VLAN number to the distributed portgroup that the
VLAN LIF connects to.
B. The vSphere administrator must assign a VLAN number to the Distributed Router that the
Logical Switch connects to.
C. The vSphere administrator must assign a VLAN number to the Logical Switch that the
Distributed Router connects to.
D. The vSphere administrator must assign a VLAN number to the uplink on the distributed switch
that the VLAN LIF connects to.
Answer: A
Explanation:
QUESTION NO: 52
-- Exhibit --
-- Exhibit --
Refer to the Exhibit. You are designing a network for NSX and your customer has stated that
virtual machine traffic needs to span the virtual and physical space.
QUESTION NO: 53
A company hosts an internal website on multiple virtual machines attached to a Logical Switch
with VNI 7321. A Distributed Router serves as the virtual machines' default gateway.
When a user resolves the URL for the website, the internal DNS server responds with the IP
address of one of the virtual machine's IP addresses in a round robin fashion. This approach
The company wants to deploy a NSX Edge Service Load Balancer to improve on this situation.
Which distribution method can be configured on the NSX Edge Load Balancer to meet the
company's needs?
A. LEAST_CONN
B. IP_HASH
C. LEAST_LOAD
D. URI
Answer: A
Explanation:
QUESTION NO: 54
A vSphere administrator deploys the NSX Edge Load Balancer in Inline mode. Which is not a
requirement for the Load Balancer to operate correctly?
A. Perform Source NAT on the traffic from the clients.
B. Connect the Load Balancer directly to the same subnet as the VMs that are part of the Server
Pool.
C. Perform Destination NAT on the traffic from the clients.
D. Point the virtual machines in the Server Pool to the Load Balancer as their default gateway.
Answer: A
Explanation:
QUESTION NO: 55
A vSphere administrator deployed an NSX Edge Load Balancer in High Availability (HA) mode.
What happens in the event the Load Balancer has a failure?
A. The secondary NSX Edge Load Balancer assumes the role of primary. Existing Flows will need
to have their connections reestablished.
B. HA will start the NSX Edge Load Balancer on another ESXi host in the cluster. All existing flows
will need to have their connections reestablished.
C. HA will start the NSX Edge Load Balancer on another ESXi host in the cluster. The NSX
Controller caches existing flows and hands them to the Load Balancer when it is back up.
QUESTION NO: 56
Which two statements are true regarding Layer 2 VPNs? (Choose two.)
A. Layer 2 VPNs are used to securely extend Ethernet segments over an untrusted medium.
B. The NSX Edge Service Gateway can form a Layer 2 VPN with a standards-compliant physical
appliance.
C. The Distributed Router can form a Layer 2 VPN to another Distributed Router or NSX Edge
Service Gateway.
D. Layer 2 VPNs require the two VPN endpoints be in the same Layer 2 segment.
Answer: A,B
Explanation:
QUESTION NO: 57
A vSphere administrator wants to setup an NSX Edge Service Gateway to provide traveling
employees secure access to company servers located in specific network segments within the
corporate Data Center. The remote access solution must provide a method to authenticate the
users.
Which two methods can be used with the NSX Edge Service Gateway? (Choose two.)
A. TACACS+
B. MS-CHAP
C. RSA Secure ID
D. Active Directory
Answer: C,D
Explanation:
QUESTION NO: 59
A vSphere administrator wants to setup an NSX Edge Service Gateway to provide traveling
employees secure access to company servers located in specific network segments within the
corporate Data Centers. The solution has to be as scalable as possible.
Which Virtual Private Network solution will satisfy the administrator's requirements?
A. SSL VPN
B. MPLS VPN
C. Layer 2 VPN
D. IPSec VPN
Answer: A
Explanation:
QUESTION NO: 60
Which statement is true regarding an NSX Edge gateway device configured with a DNS Server?
A. The NSX Edge will forward all DNS requests from virtual machines sent to it to the DNS Server.
QUESTION NO: 61
An NSX Edge Service Gateway has two interfaces:
A vSphere administrator wants to add a SNAT rule to allow traffic from the internal network
segment to access external resources via the uplink interface.
Which three steps should the vSphere administrator do to add the SNAT rule? (Choose three.)
A. Apply the SNAT rule to the Internal Access interface.
B. Select 10.10.10.1 as the translated source IP.
C. Apply the SNAT rule on the Physical Uplink interface.
D. Select 10.10.10.0/24 as the original subnet.
E. Choose 20.20.20.2 as the translated source IP address.
Answer: C,D,E
Explanation:
QUESTION NO: 62
What should the administrator configure to ensure external connections to the TFTP server are
successful?
A. Create a DNAT rule with the original port of 69 and translated port of 1069.
B. Create a SNAT rule with the original port of 1069 and translated port of 69.
C. Create a SNAT rule with the original port of 69 and translated port of 1069.
D. Create a DNAT rule with the original port of 1069 and translated port of 69.
Answer: A
Explanation:
QUESTION NO: 63
Which two actions take place when an active NSX Edge instance fails? (Choose two.)
A. Once the original NSX Edge instance is recovered, it preempts the other NSX Edge instance
and takes over the active role.
B. The standby NSX Edge instance becomes the active instance and requests routing updates
from the routing neighbors.
C. Once the original NSX Edge instance is recovered, the NSX Manager attempts to place it on a
different host from the other NSX Edge instance.
D. The standby NSX Edge instance becomes the active instance and retains any routing neighbor
adjacencies.
Answer: C,D
Explanation:
QUESTION NO: 64
Which two statements are true regarding NSX High Availability (HA)? (Choose two.)
A. NSX HA is configured as Active-Active.
B. NSX HA is configured as Active-Standby.
C. If an Active node fails, there is no service interruption during failover.
QUESTION NO: 65
High Availability (HA) was not initially configured when an administrator deployed an NSX Edge
Service Gateway. What should the administrator do to configure the NSX Edge with HA?
A. Select the NSX Edge instance from the NSX Edges view in Networking & Security. Go to
Manage> Settings> Configuration and add a NSX Edge appliance.
B. Delete the NSX Edge instance and redeploy it with HA. The existing NSX Edge configuration
data will be lost.
C. Delete the NSX Edge instance and redeploy it with HA. The configuration data is retained by
NSX Manager and pushed to the new NSX Edge instance.
D. Select the NSX Edge appliance from the Virtual Machines and Templates view. Go to Actions>
All vCenter Actions> Enable HA to configure High Availability.
Answer: A
Explanation:
QUESTION NO: 66
-- Exhibit --
-- Exhibit --
An administrator has created an NSX network as shown in the exhibit.
Both VMs in the exhibit use the same distributed router for their default gateway. VM-B obtains its
IP address via DHCP. VM-A wants to send a packet to VM-B.
QUESTION NO: 67
-- Exhibit --
-- Exhibit --
An administrator has created the NSX network shown in the exhibit.
Both VMs use the same Distributed Router for their default gateway. VM-B receives an IP
QUESTION NO: 68
-- Exhibit --
What destination IP address will Host-A use when sending a VXLAN frame to Host-B?
A. The IP address of one of Host-B's new vmkernel ports created during host configuration.
B. The IP address of Host-B's management vmkernel port, which is also the VTEP IP address.
C. The IP address of Host-B's NSX Controller. The NSX Controller forwards the VXLAN frame to
Host-B.
D. The IP address Host-B provided to Host-A during VXLAN tunnel setup negotiations.
Answer: A
Explanation:
QUESTION NO: 69
-- Exhibit --
QUESTION NO: 70
Where does the Distributed Logical Firewall enforce firewall rules?
A. At the Virtual Machine's virtual Network Interface Card (vNIC).
B. At the Logical Switch virtual port that the Virtual Machine connects to.
C. At the NSX Controller's firewall kernel module.
D. At the ESXi host vmnic used by the vSphere Distributed Switch.
Answer: A
Explanation:
QUESTION NO: 71
Which is not a valid Destination option for a General Logical Firewall rule?
A. Datacenter
B. Virtual App
C. MAC Set
D. Network
Answer: C
Explanation:
QUESTION NO: 72
How are Logical Firewall rules applied to affected virtual machines?
A. They are pushed by the NSX Controllers to all the ESXi hosts in the same Transport Zone.
B. They are pushed by the NSX Manager to the ESXi hosts running the source and/or destination
virtual machines.
C. They are pushed by the NSX Controllers to the ESXi hosts running the destination virtual
machines.
D. They are pushed by the NSX Manager to all the ESXi hosts in the NSX environment.
Answer: B
Explanation:
QUESTION NO: 73
If a Security Group is the Source for a General Logical Firewall Rule, which Virtual Machines will
be affected by the rule?
A. Each Virtual Machine defined in the Security Group.
B. Each Virtual Machine defined in the Source and Destination fields of the Logical Firewall Rule.
C. Each Virtual Machine identified in the Applied To field of the Logical Firewall Rule.
D. Each Virtual Machine identified in the Destination field of the Logical Firewall Rule.
Answer: C
Explanation:
QUESTION NO: 74
An administrator wishes to control traffic flow between two virtual machines. The virtual machines
are in the same subnet, but are located on separate ESXi hosts. The administrator deploys an
Edge Firewall to one of the hosts and verifies the default firewall rule is set to deny, but the two
virtual machines can still communicate with each other.
QUESTION NO: 75
An administrator has deployed NSX in an environment containing a mix of vSphere 5 hosts. The
implementation includes the Distributed Firewall Service, but the administrator finds that rules are
not being applied to all affected virtual machines.
QUESTION NO: 76
Which Virtual Machine cannot be protected by the Distributed Firewall?
A. A Virtual Machine connected to a vDS Portgroup running on an ESXi 5.1 host.
B. A Virtual Machine connected to a vSS Portgroup running on an ESXi 5.5 host.
C. A Virtual Machine connected to a vDS Portgroup running on an ESXi 5.5 host.
D. A Virtual Machine connected to a logical switch running on an ESXi 5.1 host.
Answer: D
Explanation:
QUESTION NO: 77
QUESTION NO: 78
An administrator wants to perform Activity Monitoring on a large group of virtual machines in an
NSX environment.
How would this task be accomplished with minimal administrative effort?
A. Create a PowerCLI script to enable virtual machine data collection on each virtual machine.
B. Create a security group in Service Composer and add the virtual machines to the security
group.
C. Add the virtual machines to the pre-defined Activity Monitoring security group in Service
Composer.
D. Add the virtual machines to a VM folder in vCenter Server and enable data collection.
Answer: C
Explanation:
QUESTION NO: 79
Which service cannot be included in a Security Policy using Service Composer?
A. Endpoint Services
B. Firewall Rules
C. Virtual Private Network Services
D. Network Introspection Services
Answer: C
Explanation:
QUESTION NO: 81
What is the most restrictive NSX role that can be used to create and publish security policies and
install virtual appliances?
A. Security Administrator
B. NSX Administrator
C. Auditor
D. Enterprise Administrator
Answer: D
Explanation:
QUESTION NO: 82
Which two NSX Data Security roles could be assigned to view configured policies and violation
reports? (Choose two.)
A. Security Administrator
B. NSX Administrator
C. Auditor
D. Enterprise Administrator
Answer: A,C
Explanation:
QUESTION NO: 84
Which port is used for NSX REST API Requests?
A. 80
B. 443
C. 5480
D. 8443
Answer: B
Explanation:
QUESTION NO: 85
Which component automates the consumption of third-party services and provides mapping to
virtual machines using a logical policy?
A. NSX Manager
B. Cloud Management Platform (CMP)
C. Service Composer
D. NSX Data Security
Answer: C
Explanation:
QUESTION NO: 87
Which tool is used to detect rogue services?
A. NSX Logical Firewall
B. NSX Logical Router
C. Activity Monitoring
D. Flow Monitoring
Answer: D
Explanation:
QUESTION NO: 88
What is required before running an Activity Monitoring report?
A. Enable data collection on the NSX Controller.
B. Enable data collection on the vCenter Server.
C. Enable data collection on the NSX Manager.
D. Enable data collection on the virtual machine.
Answer: D
Explanation:
QUESTION NO: 90
Which NSX component can validate that security policies at your organization are being enforced
correctly?
A. Activity Monitoring
B. Flow Monitoring
C. ERSPAN
D. Distributed firewalls
Answer: A
Explanation:
QUESTION NO: 91
Where does an administrator configure logging for the NSX Manager?
A. In the vSphere Web Client
B. In the NSX Manager GUI
C. In the NSX Manager command line interface (CLI)
D. In the vSphere Syslog Collector
Answer: B
Explanation:
QUESTION NO: 92
"Pass Any Exam. Any Time." - www.actualtests.com
QUESTION NO: 93
Which two options are pieces of information required to perform an NSX backup? (Choose two.)
A. Transfer protocol
B. Default Port
C. Number of backups retained
D. Filename prefix
Answer: A,D
Explanation:
QUESTION NO: 94
An administrator needs to perform a configuration backup of NSX. From which two locations can
this task be performed? (Choose two.)
A. Directly on the NSX Manager
B. From the vSphere Web Client
C. Using the NSX API
D. Directly on each NSX Controller
Answer: A,C
Explanation:
QUESTION NO: 95
An administrator needs to verify which port the switch manager is using. Which command should
QUESTION NO: 96
Which tool is used to display VXLAN connection information?
A. pktcap-uw
B. NSX Controller CLI
C. esxtop
D. VDS Health Check
Answer: B
Explanation:
QUESTION NO: 97
An administrator has created a logical switch, but when attempting to select a transport zone, the
dropdown box is empty. Which option is causing this issue?
A. The transport zone has not been enabled on the NSX Controller.
B. A VXLAN has not been created.
C. A VLAN has not been created.
D. The transport zone has not been assigned an IP address pool.
Answer: B
Explanation:
QUESTION NO: 98
-- Exhibit --
-- Exhibit --
An administrator is deploying a distributed router and is adding an interface for a logical switch, as
shown in the following exhibit.
The administrator clicks on the Change link to specify the network to connect to. Selecting the
distributed portgroup, the administrator finds that no portgroups are listed. The administrator
verifies the desired portgroup exists in vCenter Server.
QUESTION NO: 99
An administrator configures the IPSec VPN service on an NSX Edge instance, but the negotiation
fails. Examining the log file, the administrator notices the following message:
INVALID_ID_INFORMATION
-- Exhibit --
An administrator is testing connectivity between two ESXi hosts and uses the ping utility, as shown
in the Exhibit.
-- Exhibit --
An NSX administrator has deployed the network shown in the Exhibit.
-- Exhibit --
An administrator is troubleshooting an NSX controller cluster issue and runs the control-cluster
command, as shown in the Exhibit.
What information can be determined from the output provided in the exhibit?
A. This is the control cluster majority leader controller.
B. There are two controllers in the cluster.
C. This is not the control cluster majority leader controller.
D. The persistence_server role is not functioning correctly.
-- Exhibit --
An NSX administrator is examining an error in the Event Console as shown in the Exhibit.
-- Exhibit --
Your data center clusters are configured as shown in the exhibit.
Core0 uses Virtual SAN and hosts virtual machines running the following components:
vCenter Server
Single Sign-On Server
Update Manager
SQL Server database
Core1, Core2, and Core3 use a single Fibre Channel attached storage array. Core1 hosts over
500 virtual machines. Core2 hosts over 400 virtual machines. Core3 hosts 100 virtual machines.
Following VMware's best practices, NSX Controller components should be deployed to which
location(s)?
A. Deploy three NSX Controllers, one on each host of Core0.
B. Deploy four NSX controllers, one on each cluster in the data center.
C. Deploy 27 NSX controllers, one for each host in the data center
D. Deploy three NSX controllers. Deploy one in Core1, one in Core2, and one in Core3.
Answer: A
-- Exhibit --
The Exhibit details the network connectivity from an NSX network and the supporting physical
network. Locations C and D may be required to process packets with QoS tags.
Based on the exhibit, which statement details proper processing of packets if they are QoS
tagged?
A. Locations C and D will trust the QoS tags of the encapsulated frame when passing packets.
B. Location B should trust the QoS tags of the encapsulated frames that are switched.
C. Location A will mark the inner header of the encapsulated frame.
D. Location B should trust the QoS tags of the external header.
Answer: D
Explanation:
-- Exhibit --
An administrator has configured an NSX network as shown in the Exhibit.
Both VM-A and VM-B use the same Distributed Router for their default gateway.
Based on the exhibit, if VM-A sends a packet to VM-B, what happens to the packet before it
reaches VM-B?
A. Distributed Router in Host-A receives the packet from VM-A and forwards it to Logical Switch
7775 in Host-B, via a VXLAN frame, which delivers it to VM-B.
B. Logical Switch 7321 in Host-A receives the packet inside a frame from VM-A and forwards it to
Logical Switch 7775 in Host-B, via a VXLAN frame, which delivers it to VM-B.
C. Distributed Router in Host-A receives the packet from VM-A and forwards it to Logical Switch
7321 in Host-B, via a VXLAN frame, which delivers it to Logical Switch 7775 before it is delivered
to VM-B.
D. Logical Switch 7321 in Host-A receives the packet from VM-A and forwards it to the Distributed
Router in Host-B, which passes it along to Logical Switch 7775 in Host-B before it is delivered to
VM-B.
Answer: A
Explanation:
Both VM-A and VM-B use the same Distributed Router for their default gateway. VM-B receives an
IP message from VM-A.
Based on the exhibit, what is the source MAC address of the IP message received by VM-B?
A. VM-B's default gateway's MAC address.
B. VM-A's MAC address.
C. VM-A's default gateway's MAC address.
D. Logical Switch 7321's MAC address
Answer: A
Explanation: