What is the VMware recommended way to deploy a virtual NSX Edge Node?
Correct Answer: D
Through the NSX UI. According to the VMware NSX Documentation2, you can deploy NSX Edge nodes as virtual appliances through the NSX UI by clicking Add Edge Node and providing the required information. The other options are either outdated or not applicable for virtual NSX Edge nodes.
Question 52
An NSX administrator is using ping to check connectivity between VM1 running on ESXi1 to VM2 running on ESXi2. The ping tests fails. The administrator knows the maximum transmission unit size on the physical switch is 1600. Which command does the administrator use to check the VMware kernel ports for tunnel end point communication?
Correct Answer: B
Explanation The command vmkping ++netstack=geneve -d -s 1572 <destination IP address> is used to check the VMware kernel ports for tunnel end point communication. This command uses the geneve netstack, which is the default netstack for NSX-T. The -d option sets the DF (Don't Fragment) bit in the IP header, which prevents the packet from being fragmented by intermediate routers. The -s 1572 option sets the packet size to 1572 bytes, which is the maximum payload size for a geneve encapsulated packet with an MTU of 1600 bytes. The <destination IP address> is the IP address of the remote ESXi host or VM. References: : VMware NSX-T Data Center Installation Guide, page 19. : VMware Knowledge Base: Testing MTU with the vmkping command (1003728). : VMware NSX-T Data Center Administration Guide, page 102.
Question 53
A company Is deploying NSX micro-segmentation in their vSphere environment to secure a simple application composed of web. app, and database tiers. The naming convention will be: * WKS-WEB-SRV-XXX * WKY-APP-SRR-XXX * WKI-DB-SRR-XXX What is the optimal way to group them to enforce security policies from NSX?
Correct Answer: C
The answer is C. Group all by means of tags membership. Tags are metadata that can be applied to physical servers, virtual machines, logical ports, and logical segments in NSX. Tags can be used for dynamic security group membership, which allows for granular and flexible enforcement of security policies based on various criteria1 In the scenario, the company is deploying NSX micro-segmentation to secure a simple application composed of web, app, and database tiers. The naming convention will be: WKS-WEB-SRV-XXX WKY-APP-SRR-XXX WKI-DB-SRR-XXX The optimal way to group them to enforce security policies from NSX is to use tags membership. For example, the company can create three tags: Web, App, and DB, and assign them to the corresponding VMs based on their names. Then, the company can create three security groups: Web-SG, App-SG, and DB-SG, and use the tags as the membership criteria. Finally, the company can create and apply security policies to the security groups based on the desired rules and actions2 Using tags membership has several advantages over the other options: It is more scalable and dynamic than using Edge as a firewall between tiers. Edge firewall is a centralized solution that can create bottlenecks and performance issues when handling large amounts of traffic3 It is more simple and efficient than doing a service insertion to accomplish the task. Service insertion is a feature that allows for integrating third-party services with NSX, such as antivirus or intrusion prevention systems. Service insertion is not necessary for basic micro-segmentation and can introduce additional complexity and overhead. It is more flexible and granular than creating an Ethernet based security policy. Ethernet based security policy is a type of policy that uses MAC addresses as the source or destination criteria. Ethernet based security policy is limited by the scope of layer 2 domains and does not support logical constructs such as segments or groups. To learn more about tags membership and how to use it for micro-segmentation in NSX, you can refer to the following resources: VMware NSX Documentation: Security Tag 1 VMware NSX Micro-segmentation Day 1: Chapter 4 - Security Policy Design 2 VMware NSX 4.x Professional: Security Groups VMware NSX 4.x Professional: Security Policies
Question 54
An NSX administrator would like to export syslog events that capture messages related to NSX host preparation events. Which message ID (msgld) should be used in the syslog export configuration command as a filler?
Correct Answer: D
Explanation According to the VMware NSX Documentation2, the FABRIC message ID (msgld) captures messages related to NSX host preparation events, such as installation, upgrade, or uninstallation of NSX components on ESXi hosts. The syslog export configuration command for NSX host preparation events would look something like this: set service syslog export FABRIC The other options are either incorrect or not relevant for NSX host preparation events. MONITORING captures messages related to NSX monitoring features, such as alarms and system events2. SYSTEM captures messages related to NSX system events, such as login, logout, or configuration changes2. GROUPING captures messages related to NSX grouping objects, such as security groups, security tags, or IP sets2.
Question 55
What must be configured on Transport Nodes for encapsulation and decapsulation of Geneve protocol?
Correct Answer: D
Explanation According to the VMware NSX Documentation, TEP stands for Tunnel End Point and is a logical interface that must be configured on transport nodes for encapsulation and decapsulation of Geneve protocol. Geneve is a tunneling protocol that encapsulates the original packet with an outer header that contains metadata such as the virtual network identifier (VNI) and the transport node IP address. TEPs are responsible for adding and removing the Geneve header as the packet traverses the overlay network.
