Exam A (70 questions)
Question 1
Which CLI command on NSX Manager and NSX Edge is used to change NTP
settings?
A. set time-server
B. get timezone
C. set ntp-server
D. set timezone
Answer: C
Question 2
Which tool could be used to inspect the path of a packet in the data plane?
A. Port Connection
B. Port Mirroring Session
C. Netflow
D. Traceflow
Answer:D
Question 3
Which two commands are used to query the arp-table of a logical switch?
(Choose two.)
A. get logical-switch arp-table <logical-switch-uuid>
B. get logical-switch arp-table <vni>
C. get logical-switch arp-table
D. get logical-switch <logical-switch-uuid> arp-table
E. get logical-switch <vni> arp-table
Answer:DE
Question 4
The NSX Control Plane is responsible for which two functions? (Choose two.)
A. receive and validate configuration from NSX Policy
B. host API services
C. propagate topology information
D. push stateless configurations to forwarding engines
E. maintain packet-level statistics
Answer:C
Question 5
Which command is used to set the NSX Manager's logging-level to debug mode
for
troubleshooting?
A. set service nsx-manager logging-level debug
B. set service nsx-manager log-level debug
C. set service manager log-level debug
D. set service manager logging-level debug
Answer:D
Question 6
An NSX administrator would like to export syslog events that capture messages
related to NSX
host preparation events.
Which message ID (msgid) should be used in the syslog export configuration
command as a
filter?
A. SYSTEM
B. FABRIC
C. GROUPING
D. MONITORING
Answer:B
Question 7
How does Traceflow tool identify issues in a network?
A. Compares intended network state in the control plane with Tunnel End
Point (TEP)
keepalives in the data plane.
B. Compares the management plane configuration states containing control
plane
traffic and error reporting from transport node agents.
C. Injects synthetic traffic into the data plane and observes the results in the
control
plane.
D. Injects ICMP traffic into the data plane and observes the results in the
control
plane.
Answer:C
Question 8
Which three steps must be carried out to configure North-South / East-West
Network
Inspection? (Choose three.)
E. Service Deployment
F. Service Insertion
G. Service Consumption
H. Service Registration
I. Service Introspection
Answer:EGH
Question 9
Which three services are compatible with VRF Lite? (Choose three.)
A. VPN
B. Intrusion Detection
C. NAT
D. Load Balancer
E. DHCP
Answer:BCE
Question 10
Which two choices are prerequisites to configure NSX-T on VDS? (Choose two.)
A. MTU 1500
B. MTU 1400
C. vSphere Distributed Switch 6.5
D. vSphere Distributed Switch 7.0
E. MTU 1600
Answer:DE
Question 11
Which to steps must an NSX administrator take to integrate VMware Identity
Manager in NSXT
to support role-based access control? (Choose two.)
A. Create a SAML authentication in VMware Identity Manager using the NSX
Manager FQDN.
B. Add NSX Manager as a Service Provider (SP) in VMware Identity Manager.
C. Create an OAuth 2.0 client in VMware Identity Manager.
D. Enter the Identity Provider (IdP) metadata URL in NSX Manager.
E. Enter the service URL, Client Secret, and SSL thumbprint in NSX Manager.
Answer:CE
Question 12
An NSX administrator has been tasked with deploying a NSX Edge Virtual
machine through an
ISO image.
Which virtual network interface card (vNIC) type must be selected while creating
the NSX
Edge VM allow participation in overlay and VLAN transport zones?
A. e1000
B. VMXNET2
C. VMXNET3
D. Flexible
Answer:C
Question 13
Which command is used to display the network configuration of the Tunnel
Endpoint (TEP) IP
on a bare metal transport node?
A. ifconfig
B. tcpdump
C. debug
D. ipconfig
Answer:A
Question 14
Where are Distributed Firewall logs containing access decisions stored?
A. NSX API
B. NSX Edge
C. NSX Manager
D. Hypervisor transport node
Answer:D
Question 15
An NSX administrator is planning to deploy a multi-tier routing topology in their
NSX-T Data
Center environment to provide north-south connectivity for the VMs.
Which routing component must be deployed?
A. Tier-1 Gateway
B. Edge Services Gateway
C. Tier-0 Gateway
D. Layer 2 Gateway
Answer:C
Question 16
What are two supported N-VDS modes? (Choose two.)
A. DPDK Datapath
B. Overlay Datapath
C. Secure Datapath
D. Enhanced Datapath
E. Standard Datapath
Answer:DE
Question 17
Which NSX CLI command is used to check the GENEVE tunnel status on ESXi
transport node?
A. get host-switch <Host-Switch-Name> tunnels
B. get transport-node tunnel status
C. get host-switch <Host-Switch-Name> tunnel status
D. get transport-node tunnel state
Answer:A
Question 18
In a NSX-T Data Center environment, an administrator is observing low
throughput and
congestion between the Tier-0 Gateway and the upstream physical routers.
Which two actions could address low throughput and congestion? (Choose two.)
A. Deploy Large size Edge node/s.
B. Configure ECMP on the Tier-0 gateway.
C. Configure NAT on the Tier-0 gateway.
D. Add an additional vNIC to the NSX Edge node.
E. Configure a Tier-1 gateway and connect it directly to the physical routers.
Answer:AB
Question 19
How many IPs are required when deploying a highly available NSX Management
Cluster with
VIP in a production environment?
A. 5
B. 6
C. 3
D. 4
Answer:D
Question 20
Which CLI command does an NSX administrator run on the NSX Manager to
generate support
bundle logs if the NSX UI is inaccessible?
A. get support-bundle file vcpnv.tgz
B. set support-bundle file vcpnv.tgz
C. vm-support
D. esxcli system syslog config logger set --id=nsxmanager
Answer:A
Question 21
Which two BGP configuration parameters can be configured in the VRF Lite
gateways? (Choose
two.)
A. Route Aggregation
B. Route Distribution
C. Graceful Restart
D. BGP Neighbors
E. Local AS
Answer:AD
Question 22
Which step must be performed before deploying an additional NSX Manager from
the NSX-T
UI?
A. Prepare the ESXi hosts as Transport Nodes.
B. Configure the Virtual IP of the cluster.
C. Register vCenter Server as a Compute Manager.
D. Create an Edge Cluster.
Answer:C
Question 23
Which three protocols could an NSX administrator use to transfer log messages
to a remote
log server? (Choose three.)
A. SSL
B. HTTPS
C. TLS
D. UDP
E. SSH
F. TCP
Answer:CDF
Question 24
An NSX administrator wants to create a Tier-0 Gateway to support equal cost
multi-path
(ECMP) routing.
Which failover detection protocol must be used to meet this requirement?
A. Beacon Probing (BP)
B. Host Standby Router Protocol (HSRP)
C. Bidirectional Forwarding Detection (BFD)
D. Virtual Router Redundancy Protocol (VRRP)
Answer:C
Question 25
Which three can an administrator define in a transport node profile? (Choose
three.)
A. Logical Router
B. Segment Profile
C. Segment
D. Uplink Profile
E. VDS switch configuration
F. N-VDS switch configuration
Answer:DEF
Question 26
Which component does the hyperbus interface (vmk50) provide network
connectivity to?
A. containers running on ESXi/KVM transport nodes
B. virtual machines and containers running across transport nodes
C. virtual machines running on the same hypervisor
D. virtual machines running in the same segment
Answer:A
Question 27
An NSX administrator is configuring the KVM hypervisor host as a transport node
and wants to
apply the Failover Order as a NIC teaming policy.
Which profile allows the administrator to configure the NIC Teaming policy as
Failover Order?
A. N-VDS/VDS Profile
B. Transport Node Profile
C. Host Switch Profile
D. Uplink Profile
Answer:D
Question 28
Which TraceFlow traffic type should an NSX administrator use for validating
connectivity
between App and DB virtual machines that reside on different segments?
A. Multicast
B. Anycast
C. Unicast
D. Broadcast
Answer:C
Question 29
Which CLI command should be executed on a KVM hypervisor to retrieve the VM
interface
UUID?
A. virsh dumpxml <VM Name> | grep interfaceid
B. virsh get-interface <VM Name>
C. virsh show <VM Name> | grep interfaceid
D. virsh list-interface <VM Name>
Answer:A
Question 30
Which two logical router components span across all transport nodes? (Choose
two.)
A. DISTRIBUTED_ROUTER_TIER0
B. SERVICE_ROUTER_TIER0
C. TIER0_DISTRIBUTED_ROUTER
D. DISTRIBUTED_ROUTER_TIER1
E. SERVICE_ROUTER_TIER1
Answer:AD
Question 31
An NSX administrator is creating a Tier-1 Gateway configured in Active-Standby
High
Availability Mode. In the event of node failure, the failover policy should not allow
the original
failed node to become the Active node upon recovery.
Which failover policy meets this requirement?
A. Non-Preemptive
B. Preemptive
C. Enable Preemptive
D. Disable Preemptive
Answer:A
Question 32
Which statement is true about an alarm in a Suppressed state?
A. An alarm can be suppressed for a specific duration in days.
B. An alarm can be suppressed for a specific duration in minutes.
C. An alarm can be suppressed for a specific duration in seconds.
D. An alarm can be suppressed for a specific duration in hours.
Answer:D
Question 33
Which two commands does an NSX administrator use to check the IP address of
the VMkernel
port for the GENEVE protocol on the ESXi transport node? (Choose two.)
A. esxcfg-nics -1
B. net-dvs
C. esxcli network nic list
D. esxcfg-vmknic -1
E. esxcli network ip interface ipv4 get
Answer:DE
Question 34
What is the most restrictive NSX-T built-in role which will allow a user to apply
configuration
changes on a NSX Edge?
A. Cloud Service Administrator
B. Network Engineer
C. Network Operator
D. NSX Administrator
Answer:B
Question 35
Which two statements are true about the implementation of multicast in NSX-T
Data Center?
(Choose two.)
A. Multicast routing is implemented with PIM Sparse-Mode.
B. IGMP Snooping is used to populate multicast forwarding tables.
C. Tier-0 gateways can be the Rendezvous Point.
D. Multicast is supported in ESXi and KVM transport nodes.
E. An Edge can be the Rendezvous Point.
Answer:AB
Question 36
Which network virtualization technologies can be used with an Ethernet VPN
(EVPN)
deployment in NSX-T Data Center? (Choose two.)
A. Virtual Extensible Local Area Network (VXLAN)
B. Multiprotocol Border Gateway Protocol (MP-BGP)
C. Open Shortest Path First (OSPF)
D. Multiprotocol Label Switching (MPLS)
E. Virtual Routing and Forwarding (VRF)
Answer:AB
Question 37
What needs to be configured on a Tier-0 Gateway to make NSX Edge Services
available to a
VM on a VLAN-backed logical switch?
A. Service interface
B. Loopback Router Port
C. Downlink interface
D. VLAN Uplink
Answer:A
Question 38
Which three functions require a Services Router (SR) component on an Edge
node? (Choose
three.)
A. Service Insertion
B. Distributed Routing
C. Packet Forwarding
D. Gateway Firewall
E. Distributed Firewall
F. Virtual Private Network
Answer:ADF
Question 39
Which two statements describe the characteristics of an Edge Cluster in NSX-T
3.0 Data
Center? (Choose two.)
A. can have a maximum of 8 edge nodes
B. must have only active-active edge nodes
C. can have a maximum of 10 edge nodes
D. can contain multiple types of edge nodes (VM or bare metal)
E. must contain only one type of edge nodes (VM or bare metal)
Answer:CD
Question 40
An NSX administrator is using ping to check connectivity between VM1 running
on ESXi1 to
VM2 running on ESXi2. The ping tests fails. The administrator knows the
maximum
transmission unit size on the physical switch is 1600.
Which command does the administrator use to check the VMware kernel ports
for tunnel end
point communication?
A. esxcli network diag ping -H <destination IP address>
B. vmkping ++netstack=geneve -d -s 1572 <destination IP address>
C. vmkping ++netstack=vxlan-d -s 1572 <destination IP address>
D. esxcli network diag ping -I vmk0 -H <destination IP address>
Answer:C
Question 41
An NSX administrator has configured a load balancer virtual server on a Tier-1
Gateway.
In order to advertise the load balancer virtual IP to the Tier-0 Gateway, which
route
advertisement configuration has to be done on the Tier-1 Gateway? (Choose
two.)
A. Advertise All LB SNAT IP Routes
B. All Static Routes
C. Information
D. Advertise All LB VIP Routes
E. Advertise All NAT Routes
Answer:AD
Question 42
Which three teaming policy modes are supported by NSX-T Data Center?
(Choose three.)
A. Destination MAC
B. Load Balanced Source IP
C. Failover Order
D. Destination Port
E. Load Balanced Source MAC
F. Load Balanced Source
Answer:CEF
Question 43
Which three steps are required to create an IPsec VPN tunnel? (Choose three.)
A. Create an IPsec service.
B. Add a local endpoint.
C. Configure an IPsec session.
D. Configure a distributed firewall policy.
E. Add a logical switch.
Answer:ABC
Question 44
Which CLI command is used to start the NSX Manager virtual machine in the KVM
environment?
A. virsh start <NSX-Manager-ID>
B. virsh poweron <nsx-manager-ID>
C. virsh start <NSX-Manager-Name>
D. virsh poweron <nsx-manager-name>
Answer:C
Question 45
Which profile must be attached to the ESXi cluster to prepare the host for NSX-T
Data Center?
A. Transport Node Profile
B. Uplink Profile
C. Switching Profile
D. Host Profile
Answer:A
Question 46
A customer has a network where BGP has been enabled and the BGP neighbor is
configured
on the Tier-0 Gateway. A NSX-T Data Center administrator used the get logical-
routers
command to retrieve this information:
Which two commands must be executed to check BGP neighbor status? (Choose
two.)
A. vrf 3
B. vrf 1
C. vrf 4
D. sa-nsxedge-01(tier1_sr)> get bgp neighbor
E. sa-nsxedge-01(tier0_sr)> get bgp neighbor
F. sa-nsxedge-01(tier0_dr)> get bgp neighbour
Answer:AE
Question 47
How is the RouterLink port created between a Tier-1 Gateway and Tier-0
Gateway?
A. Automatically created when Tier-1 is created.
B. Manually create a Segment and connect to both Tier-1 and Tier-0
Gateways.
C. Manually create a Logical Switch and connect to bother Tier-1 and Tier-0
D. Gateways.
E. Automatically created when Tier-1 is connected with Tier-0 from NSX UI.
Answer:E
Question 48
Refer to the exhibit
Which NAT type must the NSX-T Data Center administrator create on the Tier-0
or Tier-1
Gateway to allow Web VM to initiate communication with public networks?
A. SNAT
B. Reverse NAT
C. DNAT
D. 1:1 NAT
Answer:A
Question 49
A security administrator needs to configure a firewall rule based on the domain
name of a
specific application.
Which field in a distributed firewall rule does the administrator configure?
A. Profile
B. Source
C. Service
D. Policy
Answer:A
Question 50
A user is assigned these two roles in NSX Manager:
LB Admin
Network Engineer
What privileges does this user have in the system?
A. read permissions on all networking services and full access permissions on
load
balancing features
B. full access permissions on all networking services and full access
permissions on
load balancing features
C. full access permissions on all networking services and read permissions on
load
balancing features
D. read permissions on all networking services and read permissions on load
balancing features
Answer:B
Question 51
An NSX administrator is troubleshooting a connectivity issue with virtual
machines running on
an ESXi transport node.
Which feature in the NSX UI shows the mapping between the virtual NIC and the
host's
physical adapter?
A. Switch Visualization
B. Port Mirroring
C. Activity Monitoring
D. IPFIX
Answer:A
Question 52
An NSX Administrator has created a segment named WEB-LS from the NSX UI
and noticed the
segment is not realized on the KVM Transport node.
What are two possible causes for this issue? (Choose two.)
A. The KVM Transport node has hardware issues and will not realize the WEB-
LS
Segment.
B. Since the Compute Manager is disconnected in NSX UI, the WEB-LS
segment will
not be realized on the KVM Transport Node.
C. The virtual machines running on the KVM Transport Node are connected to
the
WEB-LS segment, but are in Powered Off state.
D. The virtual machines running on the KVM Transport Node are not
connected to
the VDS.
E. The virtual machines running on the KVM Transport Node are not
connected to
the WEB-LS Segment.
Answer:BE
Question 53
A DevOps user has deployed a Kubernetes Pod in vSphere.
What does the term ClusterIP represent within NSX-T?
A. Deployment of T1 with NLB service.
B. Deployment of Distributed Router.
C. Deployment of Distributed Load Balancing service.
D. Deployment of T0 and T1
Answer:C
Question 54
Which statement describes the VMware Virtual Cloud Network Vision?
A. Virtual Cloud Network connects and protects virtual machines running in
KVM
environments.
B. Virtual Cloud Network connects and protects virtual machines running in
vSphere
environments.
C. Virtual Cloud Network connects and protects applications, regardless of
their
physical locations.
D. Virtual Cloud Network connects and protects applications and data,
regardless of
their physical locations.
Answer:D
Question 55
What are three NSX Manager roles? (Choose three.)
A. cloud
B. manager
C. zookeeper
D. policy
E. master
F. controller
Answer:BDF
Question 56
A customer is preparing to deploy VMware Kubernetes on an NSX-T Data Center.
What is the minimum MTU size for the UPLINK profile?
A. 1500
B. 1650
C. 1550
D. 1600
Answer:D
Question 57
When a stateful service is enabled for the first time on a Tier-0 Gateway, what
happens on the
NSX Edge node?
A. SR and DR doesn’t need to be connected to provide any stateful services.
B. DR is instantiated and automatically connected with SR.
C. SR is instantiated and automatically connected with DR.
D. SR and DR is instantiated but requires manual connection.
Answer:C
Question 58
Which CLI command shows syslog on NSX Manager?
A. show log manager follow
B. get log-file auth.log
C. get log-file syslog
D. /var/log/sysloq/syslog.log
Answer: C
Question 59
An NSX administrator has deployed an NSX Edge on a bare-metal server.
Which command registers the NSX Edge with the NSX Manager?
A. join management-cluster <nsx-cluster-IP> username admin password
<adminpassword>
thumbprint <nsx-manager-thumbprint>
B. join cluster <nsx-cluster-IP> username root password <root-password>
thumbprint <nsx-manager—thumbprint>
C. join policy-manager <nsx-manager-ip> username root password
<rootpassword>
thumbprint <nsx-manager-thumbprint>
D. join management-plane <nsx-nanager-ip> username admin password
<adminpassword>
thumbprint <nsx-manager-thumbprint>
Answer:D
Question 60
Which two ports are used by a transport node to communicate with the
management and
control planes in NSX-T Data Center 3.0? (Choose two.)
A. 5685
B. 1235
C. 5671
D. 5678
E. 1234
Answer:BE
Question 61
What are two types of supported IPSec VPNs in NSX-T Data Center? (Choose
two.)
A. policy-based IPSec VPN
B. Layer-7 based IPSec VPN
C. route-based IPSec VPN
D. Open source based IPSec VPN
E. SSL based IPSec VPN
Answer:AC
Question 62
A company is deploying a NSX-T Data Center micro-segmentation in their
vSphere
environment to secure a simple application composed of web, app, and database
tiers.
The naming convention will be:
WKS-WEB-SRV-XXX
WKY-APP-SRR-XXX
WKI-DB-SRR-XXX
What is the optimal way to group them in order to enforce security policies from
NSX-T Data
Center?
A. Create an Ethernet based security policy.
B. Group all by means of tags membership.
C. Use Edge as a firewall between tiers.
D. Do a service insertion to accomplish the task.
Answer:B
Question 63
An NSX administrator has configured a KVM hypervisor as a transport node.
Which kernel module on KVM implements a N-VDS?
A. openvswitch
B. etherswitch
C. nsx-vswitch
D. dyswitch
Answer:A
Question 64
When deploying east-west network introspection, which Service Virtual Machine
(SVM)
deployment method achieves the least amount of traffic hairpinning?
A. Create a secondary vNIC on each quest VM for SVM communication.
B. Place a partner SVM on each compute cluster node.
C. Centralize partner SVMs in a service cluster.
D. Add partner SVMs to an edge cluster.
Answer:B
Question 65
What are the advantages of using a Tier-0 Gateway in ECMP mode? (Choose
two.)
A. stateful services leveraged
B. Failover of services
C. traffic predictability
D. traffic load balancing
E. increased north/south bandwidth
Answer:DE
Question 66
Which two choices are use cases for Distributed Intrusion Detection? (Choose
two.)
A. Identify security vulnerabilities in the workloads.
B. Use agentless antivirus with Guest Introspection.
C. Quarantine workloads based on vulnerabilities.
D. Identify risk and reputation of accessed websites.
E. Gain insight about micro-segmentation traffic flows.
Answer:AC
Question 67
An NSX administrator noticed that the nsxcli command times out after 600 secs
of idle time.
Which CLI command disables the nsxcli time out value on NSX Manager?
A. set cli-timeout 0
B. set cli-timeout enabled
C. set cli-timeout disabled
D. set cli-timeout 1
Answer:
Question 68
When running nsxcli on an ESXi host, which command will show the Replication
mode?
A. get logical-switch <Local-Switch-UUID> status
B. get logical-switch <Logical-Switch-UUID>
C. get logical-switches
D. get logical-switch status
Answer:B
Question 69
What are two valid options when configuring the scope of a distributed firewall
rule? (Choose
two.)
A. Segment Port
B. Group
C. Segment
D. DFW
E. Tier-1 Gateway
Answer:BD
Question 70
Which two choices are solutions of the NSX portfolio (Choose two.)?
A. vRealize Automation
B. NSX Distributed IDS/IPS
C. vRealize Network Insight
D. Tanzu Kubernetes Grid
E. NSX Service Mesh
Answer:BE