VMware NSX 4.x Professional 2V0-41.23 Exam Practice Test

Page: 1 / 14
Total 107 questions
Question 1

Which of the following settings must be configured in an NSX environment before enabling stateful active-active SNAT?



Answer : C

To enable stateful active-active SNAT on a Tier-0 or Tier-1 gateway, you must configure an Interface Group for the NSX Edge uplinks. An Interface Group is a logical grouping of NSX Edge interfaces that belong to the same failure domain. A failure domain is a set of NSX Edge nodes that share the same physical network infrastructure and are subject to the same network failures.By configuring an Interface Group, you can ensure that the stateful services are distributed across different failure domains and can recover from network failures1


Question 2

Where in the NSX UI would an administrator set the time attribute for a time-based Gateway Firewall rule?



Answer : D

According to the VMware documentation1, the clock icon appears on the firewall policy section that you want to have a time window. By clicking the clock icon, you can create or select a time window that applies to all the rules in that policy section. The other options are incorrect because they either do not exist or are not related to the time-based rule feature. There is no option to set a time-based rule in the rule itself, as it is a policy-level setting. There is also an option to set a time-based rule in the NSX UI, so it does not require using the command line interface.

https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-8572496E-A60E-48C3-A016-4A081AC80BE7.html


Question 3

Refer to the exhibit.

An administrator would like to change the private IP address of the NAT VM I72.l6.101.il to a public address of 80.80.80.1 as the packets leave the NAT-Segment network.

Which type of NAT solution should be implemented to achieve this?



Answer : B

SNAT stands for Source Network Address Translation. It is a type of NAT that translates the source IP address of outgoing packets from a private address to a public address.SNAT is used to allow hosts in a private network to access the internet or other public networks1

In the exhibit, the administrator wants to change the private IP address of the NAT VM 172.16.101.11 to a public address of 80.80.80.1 as the packets leave the NAT-Segment network. This is an example of SNAT, as the source IP address is modified before the packets are sent to an external network.

According to the VMware NSX 4.x Professional Exam Guide, SNAT is one of the topics covered in the exam objectives2

To learn more about SNAT and how to configure it in VMware NSX, you can refer to the following resources:

VMware NSX Documentation: NAT3

VMware NSX 4.x Professional: NAT Configuration4

VMware NSX 4.x Professional: NAT Troubleshooting5

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-7AD2C384-4303-4D6C-A44A-DEF45AA18A92.html


Question 4

How is the RouterLink port created between a Tier-1 Gateway and Tier-O Gateway?



Answer : A

The RouterLink port is automatically created when a Tier-1 Gateway is connected with a Tier-0 Gateway from the NSX UI1. The RouterLink port is a logical interface that is assigned an IP address and is associated with a physical or virtual interface.The RouterLink port acts as an end point of the IPSec tunnel and routes traffic between the Tier-1 Gateway and the Tier-0 Gateway2. The other options are incorrect because they involve manual creation of logical switches or segments, which are not required for RouterLink port creation.Reference:Configure NSX for Virtual Networking from vSphere Client,Virtual Private Network (VPN)

https://docs.vmware.com/jp/VMware-NSX/4.0/administration/GUID-3F163DEE-1EE6-4D80-BEBF-8D109FDB577C.html


Question 5

Which Is the only supported mode In NSX Global Manager when using Federation?



Answer : B

NSX Global Manager is a feature of NSX that allows managing multiple NSX domains across different sites or clouds from a single pane of glass. NSX Global Manager supports Federation, which is a capability that enables synchronizing configuration and policy across multiple NSX domains. Federation has many benefits such as simplifying operations, improving resiliency, and enabling disaster recovery.

The only supported mode in NSX Global Manager when using Federation is Policy mode. Policy mode means that NSX Global Manager acts as a policy manager that defines and distributes global policies to local NSX managers in different domains. Policy mode also allows local NSX managers to have their own local policies that can override or merge with global policies.

https://docs.vmware.com/en/VMware-NSX/4.0/administration/GUID-29998FC5-C1AB-40BC-B669-6E8E9937F345.html


Question 6

Which two steps must an NSX administrator take to integrate VMware Identity Manager in NSX to support role-based access control? (Choose two.)



Answer : C, E

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-EAAD1FBE-F750-4A5A-A3BF-92B1E7D016FE.html


Question 7

A company Is deploying NSX micro-segmentation in their vSphere environment to secure a simple application composed of web. app, and database tiers.

The naming convention will be:

* WKS-WEB-SRV-XXX

* WKY-APP-SRR-XXX

* WKI-DB-SRR-XXX

What is the optimal way to group them to enforce security policies from NSX?



Answer : C

The answer is C. Group all by means of tags membership.

Tags are metadata that can be applied to physical servers, virtual machines, logical ports, and logical segments in NSX. Tags can be used for dynamic security group membership, which allows for granular and flexible enforcement of security policies based on various criteria1

In the scenario, the company is deploying NSX micro-segmentation to secure a simple application composed of web, app, and database tiers. The naming convention will be:

WKS-WEB-SRV-XXX

WKY-APP-SRR-XXX

WKI-DB-SRR-XXX

The optimal way to group them to enforce security policies from NSX is to use tags membership. For example, the company can create three tags: Web, App, and DB, and assign them to the corresponding VMs based on their names. Then, the company can create three security groups: Web-SG, App-SG, and DB-SG, and use the tags as the membership criteria. Finally, the company can create and apply security policies to the security groups based on the desired rules and actions2

Using tags membership has several advantages over the other options:

It is more scalable and dynamic than using Edge as a firewall between tiers. Edge firewall is a centralized solution that can create bottlenecks and performance issues when handling large amounts of traffic3

It is more simple and efficient than doing a service insertion to accomplish the task. Service insertion is a feature that allows for integrating third-party services with NSX, such as antivirus or intrusion prevention systems. Service insertion is not necessary for basic micro-segmentation and can introduce additional complexity and overhead.

It is more flexible and granular than creating an Ethernet based security policy. Ethernet based security policy is a type of policy that uses MAC addresses as the source or destination criteria. Ethernet based security policy is limited by the scope of layer 2 domains and does not support logical constructs such as segments or groups.

To learn more about tags membership and how to use it for micro-segmentation in NSX, you can refer to the following resources:

VMware NSX Documentation: Security Tag 1

VMware NSX Micro-segmentation Day 1: Chapter 4 - Security Policy Design 2

VMware NSX 4.x Professional: Security Groups

VMware NSX 4.x Professional: Security Policies


Page:    1 / 14   
Total 107 questions