QUESTION 1.

An NSX administrator is troubleshooting a connectivity issue with virtual machines running

on an ESXi transport node.
Which feature in the NSX UI shows the mapping between the virtual NIC and the host's physical
adapter?

A. Port Mirroring
B. IPFIX
C. Activity Monitoring
D. Switch Visualization
Correct Answer: D

QUESTION 2. What needs to be configured on a Tier-0 Gateway to make NSX Edge

Services available to a VM on a VLAN-backed logical switch?

 A. Loopback Router Port

 B. VLAN Uplink
 C. Service interface
 D. Downlink interface

Correct Answer: C

QUESTION .3 Which two of the following will be used for ingress traffic on the Edge
node supporting a Single Tier topology? (Choose two.)

 A. Inter-Tier interface on the Tier-0 gateway

 B. Tier-0 Uplink interface
 C. Downlink Interface for the Tier-0 DR
 D. Tier-1 SR Router Port
 E. Downlink Interface for the Tier-1 DR

Correct Answer: BE

QUESTION 4. Which three security features are dependent on the NSX Application
Platform? (Choose three.)

 A. NSX Intelligence
 B. NSX Firewall
 C. NSX Network Detection and Response
 D. NSX TLS Inspection
 E. NSX Distributed IDS/IPS
 F. NSX Malware Prevention
 Correct Answer: ACE

QUESTION 5. Which of the following exist only on Tier-1 Gateway firewall

configurations and not on Tier-0?

 A. Applied To
 B. Actions
 C. Sources
 D. Profiles

Correct Answer: A

QUESTION 6. When collecting support bundles through NSX Manager, which files
should be excluded for potentially containing sensitive information?

 A. Audit Files
 B. Core Files
 C. Management Files
 D. Controller Files

Correct Answer: A

QUESTION 7. An administrator has deployed 10 Edge Transport Nodes in their NSX

Environment, but has forgotten to specify an NTP server during the deployment.
What is the efficient way to add an NTP server to all 10 Edge Transport Nodes?

 A. Use a Node Profile

 B. Use the CLI on each Edge Node
 C. Use Transport Node Profile
 D. Use a PowerCLI script

Correct Answer: A
 QUESTION 8. Which two BGP configuration parameters can be configured in the VRF
Lite gateways? (Choose two.)

 A. Route Aggregation
 B. Route Distribution
 C. Graceful Restart
 D. BGP Neighbors
 E. Local AS

Correct Answer: AD

QUESTION 9. Which two choices are solutions offered by the VMware NSX portfolio?
(Choose two.)

 A. VMware Aria Automation

 B. VMware NSX Distributed IDS/IPS
 C. VMware NSX Advanced Load Balancer
 D. VMware Tanzu Kubernetes Grid
 E. VMware Tanzu Kubernetes Cluster

Correct Answer: BC

QUESTION 10. Which VPN type must be configured before enabling a L2VPN?

 A. SSL-based IPSec VPN

 B. Route-based IPSec VPN
 C. Port-based IPSec VPN
 D. Policy-based IPSec VPN

Correct Answer: B
 QUESTION 11. Which statement is true about an alarm in a Suppressed state?

 A. An alarm can be suppressed for a specific duration in hours.

 B. An alarm can be suppressed for a specific duration in seconds.
 C. An alarm can be suppressed for a specific duration in minutes.
 D. An alarm can be suppressed for a specific duration in days.

Correct Answer: A

QUESTION 12. What can the administrator use to identify overlay segments in an NSX
environment if troubleshooting is reQuestion uired?

 A. VNI ID
 B. VLAN ID
 C. Segment ID
 D. Geneve ID

Correct Answer: A

QUESTION 13. Which two built-in VMware tools will help identify the cause of packet
loss on VLAN Segments? (Choose two.)

 A. Packet Capture
 B. Live Flow
 C. Traceflow
 D. Flow Monitoring
 E. Activity monitoring

Correct Answer: AC

QUESTION 14. What should an NSX administrator check to verify that VMware Identity
Manager integration is successful?
 A. From the NSX UI the status of the VMware Identity Manager Integration must be
"Enabled".
 B. From VMware Identity Manager the status of the remote access application must be
green.
 C. From the NSX UI the URI in the address bar must have "local=false" part of it.
 D. From the NSX CLI the status of the VMware Identity Manager Integration must be
"Configured".

Correct Answer: A

QUESTION 15. Which two are reQuestion uirements for FQUESTION DN Analysis?
(Choose two.)

 A. The NSX Edge nodes reQuestion uire access to the Internet to download category
and reputation definitions.
 B. ESXi control panel reQuestion uires access to the Internet to download category and
reputation definitions.
 C. The NSX Manager reQuestion uires access to the Internet to download category and
reputation definitions.
 D. A layer 7 gateway firewall rule must be configured on the Tier-1 gateway uplink.
 E. A layer 7 gateway firewall rule must be configured on the Tier-0 gateway uplink.

Correct Answer: AD

QUESTION 16. What is the VMware recommended way to deploy a virtual NSX Edge
Node?

 A. Through the NSX UI

 B. Through automated or interactive mode using an ISO
 C. Through the vSphere Web Client
 D. Through the OVF command line tool

Correct Answer: C
 QUESTION 17. An NSX administrator has deployed a single NSX Manager node and
will be adding two additional nodes to form a 3-node NSX Management Cluster for a
production environment. The administrator will deploy these two additional nodes and
Cluster VIP using the NSX UI.
What two are the prereQuestion uisites for this configuration? (Choose two.)

 A. The cluster configuration must be completed using API.

 B. All nodes must be in separate subnets.
 C. All nodes must be in the same subnet.
 D. A compute manager must be configured.
 E. NSX Manager must reside on a Windows Server.

Correct Answer: CD

QUESTION 18. Which CLI command shows syslog on NSX Manager?

 A. show log manager follow

 B. get log-file syslog
 C. /var/log/syslog/syslog.log
 D. get log-file auth.log

Correct Answer: B

QUESTION 19. Which NSX CLI command is used to change the authentication policy
for local users?

 A. set auth-policy
 B. set cli-timeout
 C. get auth-policy minimum-password-length
 D. set hardening-policy

Correct Answer: A
 QUESTION 20. What are four NSX built-in role-based access control (RBAC) roles?
(Choose four.)

 A. Read
 B. Network Admin
 C. Full Access
 D. Enterprise Admin
 E. LB Operator
 F. Auditor
 G. None

Correct Answer: BEF

QUESTION 21. Which two of the following are used to configure Distributed Firewall on
VDS? (Choose two.)

 A. vCenter API
 B. NSX UI
 C. NSX CLI
 D. vSphere API
 E. NSX API

Correct Answer: BE

QUESTION 22. Which command is used to test management connectivity from a

transport node to NSX Manager?

 A. esxcli network ip connection list | grep 1234

 B. esxcli network connection list | grep 1235
 C. esxcli network ip connection list | grep 1235
 D. esxcli network connection list | grep 1234

Correct Answer: C
 QUESTION 23. What are three NSX Manager roles? (Choose three.)

 A. master
 B. manager
 C. cloud
 D. zookeeper
 E. policy
 F. controller

Correct Answer: BEF

QUESTION 24. A customer has a network where BGP has been enabled and the BGP
neighbor is configured on the Tier-0 Gateway. An NSX administrator used the get
gateways command to retrieve this information:
 Correct Answer:

QUESTION 25. Which two commands must be executed to check BGP neighbor
status? (Choose two.)

 A. vrf 3
 B. sa-nsxedge-01(tier1_sr)> get bgp neighbor
 C. vrf 4
 D. sa-nsxedge-01(tier0_dr)> get bgp neighbor
 E. vrf 1
 F. sa-nsxedge-01(tier0_sr)> get bgp neighbor

Correct Answer: F

QUESTION 26. Which two CLI commands could be used to see if vmnic link status is down?
(Choose two.)
A. esxcfg-vmsvc/get.network
B. esxcfg-vmknic -1
C. esxcfg-nics -1
D. excli network nic list
E. esxcli network vswitch dvs wmare list

Correct Answer: CD

QUESTION 27. Which two choices are use cases for Distributed Intrusion Detection? (Choose
two.)
A. Identify security vulnerabilities in the workloads.
B. Gain Insight about micro-segmentation traffic flows.
C. Use agentless antivirus with Guest Introspection.
D. QUESTION uarantine workloads based on vulnerabilities.
E. Identify risk and reputation of accessed websites.
Correct Answer: AD

QUESTION 28. What is the VMware recommended way to deploy a virtual NSX Edge Node?
A. Through automated or Interactive mode using an ISO
B. Through the NSXUI
C. Through the OVF command line tool
 D. Through the vSphere Web Client
Correct Answer: B

QUESTION 29. What are three NSX Manager roles? (Choose three.)
A. policy
B. manager
C. zookeepet
D. master
E. cloud
F. controller
Correct Answer: ABF

QUESTION 30. Which command Is used to test management connectivity from a transport
node to NSX Manager?
A. esxcli network connection list | grep 1234
B. esxcli network ip connection list | grep 1235
C. esxcli network ip connection list | grep 1234
D. esxcli network connection list | grep 1235
Correct Answer: C

QUESTION 31. Which two choices are solutions offered by the VMware NSX portfolio?
(Choose two.)
A. VMware NSX Advanced Load Balancer
B. VMware Tanzu Kubernetes Cluster
C. VMware Aria Automation
D. VMware NSX Distributed IDS/IPS
E. VMware Tanzu Kubernetes Grid

Correct Answer: AD

QUESTION 32. Which two of the following will be used for Ingress traffic on the Edge node
supporting a Single Tier topology? (Choose two.)
A. Inter-Tier interface on the Tier-0 gateway
B. Tier-1 SR Router Port
C. Downlink Interface for the Tier-0 DR
D. Downlink Interface for the Tier-1 DR
E. Tier-0 Uplink interface
Correct Answer: CE
QUESTION 33. Which choice is a valid insertion point for North-South network introspection?
A. Tier-0 gateway
B. Host Physical NIC
C. Guest VM vNIC
D. Partner SVM
Correct Answer: A

QUESTION 34. Which VPN type must be configured before enabling a L2VPN?
A. SSL-bosed IPSec VPN
B. Port-based IPSec VPN
C. Route-based IPSec VPN
D. Policy based IPSec VPN
Correct Answer: C

QUESTION 35. Which two CLI commands could be used to see if vmnic link status is down?
(Choose two.)
A. esxcfg-nics -1
B. excli network nic list
C. esxcli network vswitch dvs wmare list
D. esxcfg-vmknic -1
E. esxcfg-vmsvc/get.network
Correct Answer: AB

QUESTION 36. Which two choices are use cases for Distributed Intrusion Detection? (Choose
two.)
A. Use agentless antivirus with Guest Introspection.
B. QUESTION uarantine workloads based on vulnerabilities.
C. Identify risk and reputation of accessed websites.
D. Gain Insight about micro-segmentation traffic flows.
E. Identify security vulnerabilities in the workloads.
Correct Answer: BE

QUESTION 37. Which two choices are solutions offered by the VMware NSX portfolio?
(Choose two.)
A. VMware Tanzu Kubernetes Grid
B. VMware Tanzu Kubernetes Cluster
 C. VMware NSX Advanced Load Balancer
D. VMware NSX Distributed IDS/IPS
E. VMware Aria Automation
Correct Answer: CD

QUESTION 38. Which two of the following will be used for Ingress traffic on the Edge node
supporting a Single Tier topology? (Choose two.)
A. Inter-Tier interface on the Tier-0 gateway
B. Tier-0 Uplink interface
C. Downlink Interface for the Tier-0 DR
D. Tier-1 SR Router Port
E. Downlink Interface for the Tier-1 DR
Correct Answer: BC

QUESTION 39. Which choice is a valid insertion point for North-South network introspection?
A. Guest VM vNIC
B. Partner SVM
C. Tier-0 gateway
D. Host Physical NIC

Correct Answer: C

QUESTION 40. Which VPN type must be configured before enabling a L2VPN?
A. Route-based IPSec VPN
B. Policy based IPSec VPN
C. SSL-bosed IPSec VPN
D. Port-based IPSec VPN
Correct Answer: A

QUESTION 41. Which two tools are used for centralized logging in VMware NSX? (Choose
two.)
A. VMware Aria Operations
B. Syslog Server
C. VMware Aria Automation
D. VMware Aria Operations for Logs
E. VMware Aria Operations for Networks
Correct Answer: BD
QUESTION 42. Which two of the following are used to configure Distributed Firewall on VDS?
(Choose two.)
A. vSphere API
B. NSX API
C. NSX CU
D. vCenter API
E. NSX UI
Correct Answer: BE

QUESTION 43. Which CLI command would an administrator use to allow syslog on an ESXi
transport node when using the esxcli utility?
A. esxcli network firewall ruleset set -r syslog -e true
B. esxcli network firewall ruleset -e syslog
C. esxcli network firewall ruleset set -r syslog -e false
D. esxcli network firewall ruleset set -a -e false
Correct Answer: A

QUESTION 44. When running nsxcli on an ESXi host, which command will show the
Replication mode?
A. get logical-switch <Local-Switch-UUID> status
B. get logical-switch <Logical-Switch-UUID>
C. get logical-switches
D. get logical-switch status
Correct Answer: C

QUESTION 45. Which three security features are dependent on the NSX Application
Platform? (Choose three.)
A. NSX Intelligence
B. NSX Firewall
C. NSX Network Detection and Response
D. NSX TLS Inspection
E. NSX Distributed IDS/IPS
F. NSX Malware Prevention
Correct Answer: ACF

QUESTION 46. Which of the two following characteristics about NAT64 are true? (Choose
two.)
 A. NAT64 is stateless and reQuestion uires gateways to be deployed in active-standby mode.
B. NAT64 is supported on Tier-1 gateways only.
C. NAT64 is supported on Tier-0 and Tier-1 gateways.
D. NAT64 reQuestion uires the Tier-1 gateway to be configured in active-standby mode.
E. NAT64 reQuestion uires the Tier-1 gateway to be configured in active-active mode.
Correct Answer: CD

QUESTION 47. Which table on an ESXi host is used to determine the location of a particular
workload for a frame-forwarding decision?
A. TEP Table
B. MAC Table
C. ARP Table
D. Routing Table
Correct Answer: B

QUESTION 48. A customer is preparing to deploy a VMware Kubernetes solution in an NSX

environment.
What is the minimum MTU size for the UPLINK profile?
A. 1500
B. 1550
C. 1700
D. 1650
Correct Answer: C

QUESTION 49. An NSX administrator would like to create an L2 segment with the following
reQuestion uirements:
* L2 domain should not exist on the physical switches.
* East/West communication must be maximized as much as possible.
Which type of segment must the administrator choose?
A. VLAN
B. Overlay
C. Bridge
D. Hybrid
Correct Answer: B

QUESTION 50. Which field in a Tier-1 Gateway Firewall would be used to allow access for a
collection of trustworthy web sites?
A. Source
B. Profiles -> Context Profiles
C. Destination
 D. Profiles -> L7 Access Profile
Correct Answer: D

QUESTION 51. Which of the two following characteristics about NAT64 are true? (Choose
two.)
A. NAT64 is stateless and reQuestion uires gateways to be deployed in active-standby mode.
B. NAT64 is supported on Tier-1 gateways only.
C. NAT64 is supported on Tier-0 and Tier-1 gateways.
D. NAT64 reQuestion uires the Tier-1 gateway to be configured in active-standby mode.
E. NAT64 reQuestion uires the Tier-1 gateway to be configured in active-active mode.
Correct Answer: CD

QUESTION 52. Which table on an ESXi host is used to determine the location of a particular
workload for a frame-forwarding decision?
A. TEP Table
B. MAC Table
C. ARP Table
D. Routing Table
Correct Answer: B

QUESTION 53. A customer is preparing to deploy a VMware Kubernetes solution in an NSX

environment.
What is the minimum MTU size for the UPLINK profile?
A. 1500
B. 1550
C. 1700
D. 165
Correct Answer: C

QUESTION 54. An NSX administrator would like to create an L2 segment with the following
reQuestion uirements:
* L2 domain should not exist on the physical switches.
* East/West communication must be maximized as much as possible.
Which type of segment must the administrator choose?
A. VLAN
B. Overlay
C. Bridge
D. Hybrid
Correct Answer: B
QUESTION 55. Which field in a Tier-1 Gateway Firewall would be used to allow access for a
collection of trustworthy web sites?
A. Source
B. Profiles -> Context Profiles
C. Destination
D. Profiles -> L7 Access Profile
Correct Answer: D

QUESTION 56. Which command on ESXI is used to verify the Local Control Plane
connectivity with Central Control Plane?
A.

B.

C.

D.

Correct Answer:

QUESTION 57. In which VPN type are the Virtual Tunnel interfaces (VTI) used?
A. Route & SSL based VPNs
B. Route-based VPN
C. Policy & Route based VPNs
D. SSL-based VPN
Correct Answer: B

QUESTION 58. Which two statements are true about IDS Signatures? (Choose two.)
A. Users can upload their own IDS signature definitions.
B. An IDS signature contains data used to identify known exploits and vulnerabilities.
C. An IDS signature contains data used to identify the creator of known exploits and
vulnerabilities.
D. IDS signatures can be High Risk, Suspicious, Low Risk and Trustworthy.
E. An IDS signature contains a set of instructions that determine which traffic is analyzed.

Correct Answer: BE

QUESTION 59. Which three selections are capabilities of Network Topology? (Choose three.)
 A. Display how the different NSX components are interconnected.
B. Display the uplink configured on the Tier-0 Gateways.
C. Display how the Physical components ate interconnected.
D. Display the VMs connected to Segments.
E. Display the uplinks configured on the Tier-1 Gateways.
Correct Answer: ABD

QUESTION 60. Sort the rule processing steps of the Distributed Firewall. Order responses
from left to right.

Discussion 0
Correct Answer:
QUESTION 61. How is the RouterLink port created between a Tier-1 Gateway and Tier-O
Gateway?
A. Automatically created when Tier-1 is connected with Tier-0 from NSX UI.
B. Automatically created when Tier-1 is created.
C. Manually create a Logical Switch and connect to bother Tier-1 and Tier-0 Gateways.
D. Manually create a Segment and connect to both Tier-1 and Tier-0 Gateways.
Correct Answer: A

QUESTION 62.A customer has a network where BGP has been enabled and the BGP neighbor
is configured on the Tier-0 Gateway. An NSX administrator used the get gateways command
to retrieve this Information:

QUESTION 63. Which two commands must be executed to check BGP neighbor status?
(Choose two.)
A. vrf 1
B. vrf 4
C. sa-nexedge-01(tier1_sr> get bgp neighbor
D. sa-nexedge-01(tier0_sr> get bgp neighbor
E. sa-nexedge-01(tier1_dr)> get bgp neighbor
F. vrf 3

Correct Answer: DF

QUESTION 64. Which two are supported by L2 VPN clients? (Choose two.)
A. NSX for vSphere Edge
B. 3rd party Hardware VPN Device
C. NSX Autonomous Edge
D. NSX Edge

Correct Answer: CD
QUESTION 65. Which command is used to display the network configuration of the Tunnel
Endpoint (TEP) IP on a bare metal transport node?
A. tepconfig
B. ifconfig
C. tcpdump
D. debug
Correct Answer: B

QUESTION 66. An administrator has deployed 10 Edge Transport Nodes in their NSX
Environment, but has forgotten to specify an NTP server during the deployment.
What is the efficient way to add an NTP server to all 10 Edge Transport Nodes?
A. Use Transport Node Profile
B. Use the CU on each Edge Node
C. Use a Node Profile
D. Use a PowerCU script
Correct Answer: C

QUESTION 67.An NSX administrator wants to create a Tler-0 Gateway to support eQuestion
ual cost multi-path (ECMP) routing.
Which failover detection protocol must be used to meet this reQuestion uirement?
A. Bidirectional Forwarding Detection (BFD)
B. Virtual Router Redundancy Protocol (VRRP)
C. Beacon Probing (BP)
D. Host Standby Router Protocol (HSRP)
Correct Answer: A

QUESTION 68. An architect receives a reQuestion uest to apply distributed firewall in a

customer environment without making changes to the network and vSphere environment.
The architect decides to use Distributed Firewall on VDS.
Which two of the following reQuestion uirements must be met in the environment? (Choose
two.)
A. vCenter 8.0 and later
B. NSX version must be 3.0 and later
C. NSX version must be 3.2 and later
D. VDS version 6.6.0 and later
Correct Answer: CD

QUESTION 69. An NSX administrator has deployed a single NSX Manager node and will be
adding two additional nodes to form a 3-node NSX Management Cluster for a production
environment. The administrator will deploy these two additional nodes and Cluster VIP using
the NSX UI.
What two are the prereQuestion uisites for this configuration? (Choose two.)
 A. All nodes must be in separate subnets.
B. The cluster configuration must be completed using API.
C. NSX Manager must reside on a Windows Server.
D. All nodes must be in the same subnet.
E. A compute manager must be configured.
Correct Answer: DE

QUESTION 70. What needs to be configured on a Tler-0 Gateway lo make NSX Edge Services
available to a VM on a VLAN-backed logical switch?
A. Downlink Interface
B. VLAN Uplink
C. Loopback Router Port
D. Service Interface
Correct Answer: D

QUESTION 71. An administrator needs to download the support bundle for NSX Manager.
Where does the administrator download the log bundle from?
A. System > Utilities > Tools
B. System > Support Bundle
C. System > Settings > Support Bundle
D. System > Settings
Correct Answer: B

QUESTION 72. Which steps are reQuestion uired to activate Malware Prevention on the NSX
Application Platform?
A. Select Cloud Region and Deploy Network Detection and Response.
B. Activate NSX Network Detection and Response and run Pre-checks.
C. Activate NSX Network Detection and Response and Deploy Malware Prevention.
D. Select Cloud Region and run Pre-checks.
Correct Answer: D

QUESTION 73. Which NSX CLI command is used to change the authentication policy for local
users?
A. Set auth-policy
B. Set hardening- policy
C. Get auth-policy minimum-password-length
 D. Set cli-timeout
Correct Answer:
A
QUESTION 74. Which two of the following features are supported for the Standard NSX
Application Platform Deployment?
(Choose two.)
A. NSX Intrusion Detection and Prevention
B. NSX Intelligence
C. NSX Network Detection and Response
D. NSX Malware Prevention Metrics
E. NSX Intrinsic Security
Correct Answer: CD

QUESTION 75. Which CLI command is used for packet capture on the ESXi Node?
A. tcpdump
B. debug
C. pktcap-uw
D. set capture
Correct Answer: C

QUESTION 76. What are two valid options when configuring the scope of a distributed
firewall rule? (Choose two.)
A. DFW
B. Tier-1 Gateway
C. Segment
D. Segment Port
E. Group
Correct Answer: AE

QUESTION 77. A company security policy reQuestion uires all users to log Into applications
using a centralized authentication system.
Which two authentication, authorization, and accounting (AAA) systems are available when
Integrating NSX with VMware Identity Manager? (Choose two.)
A. RADII 2.0
B. Keyoen Enterprise
C. RSA SecurelD
D. LDAP and OpenLDAP based on Active Directory (AD)
E. SecureDAP
Correct Answer: CD
QUESTION 78. How does the Traceflow tool identify issues in a network?
A. Compares the management plane configuration states containing control plane traffic and
error reporting from transport node agents.
B. Compares intended network state in the control plane with Tunnel End Point (TEP) keepalives
in the data plane.
C. Injects ICMP traffic into the data plane and observes the results in the control plane.
D. Injects synthetic traffic into the data plane and observes the results in the control plane.

Correct Answer: D

QUESTION 79. When collecting support bundles through NSX Manager, which files should be
excluded for potentially containing sensitive information?
A. Controller Files
B. Management Files
C. Core Files
D. Audit Files

Correct Answer: C

QUESTION 80. An NSX administrator is reviewing syslog and notices that Distributed Firewall
Rules hit counts are not being logged.
What could cause this issue?
A. Syslog is not configured on the ESXi transport node.
B. Zero Trust Security is not enabled.
C. Syslog is not configured on the NSX Manager.
D. Distributed Firewall Rule logging is not enabled.

Correct Answer: D

QUESTION 81. Where in the NSX UI would an administrator set the time attribute for a time-
based Gateway Firewall rule?
A. The option to set time-based rule is a clock Icon in the rule.
B. The option to set time based rule is a field in the rule Itself.
C. There Is no option in the NSX UI. It must be done via command line interface.
D. The option to set time-based rule is a clock Icon in the policy.

Correct Answer: D

QUESTION 82. Which troubleshooting step will resolve an error with code 1001 during the
configuration of a time-based firewall rule?
A. Reinstalling the NSX VIBs on the ESXi host.
B. Restarting the NTPservice on the ESXi host.
C. Changing the lime zone on the ESXi host.
 D. Reconfiguring the ESXI host with a local NTP server.

Correct Answer: B

QUESTION 83. When a stateful service is enabled for the first lime on a Tier-0 Gateway, what
happens on the NSX Edge node'
A. SR is instantiated and automatically connected with DR.
B. DR Is instantiated and automatically connected with SR.
C. SR and DR Is instantiated but reQuestion uites manual connection.
D. SR and DR doesn't need to be connected to provide any stateful services.
Correct Answer: A

QUESTION 84. Which of the following settings must be configured in an NSX environment
before enabling stateful active-active SNAT?
A. Tier-1 gateway in active-standby mode
B. Tier-1 gateway in distributed only mode
C. An Interface Group for the NSX Edge uplinks
D. A Punting Traffic Group for the NSX Edge uplinks
Correct Answer: C

QUESTION 85. NSX improves the security of today's modern workloads by preventing lateral
movement, which feature of NSX can be used to achieve this?
A. Network Segmentation
B. Virtual Security Zones
C. Edge Firewalling
D. Dynamic Routing
Correct Answer: A

QUESTION 86. In an NSX environment, an administrator is observing low throughput and

congestion between the Tier-O Gateway and the upstream physical routers.
Which two actions could address low throughput and congestion? (Choose two.)
A. Configure NAT on the Tier-0 gateway.
B. Configure ECMP on the Tier-0 gateway.
C. Deploy Large size Edge node/s.
D. Add an additional vNIC to the NSX Edge node.
E. Configure a Tier-1 gateway and connect it directly to the physical routers.
Correct Answer: BC

QUESTION 87. Which two statements are true for IPSec VPN? (Choose two.)
A. VPNs can be configured on the command line Interface on the NSX manager.
 B. IPSec VPN services can be configured at Tler-0 and Tler-1 gateways.
C. IPSec VPNs use the DPDK accelerated performance library.
D. Dynamic routing Is supported for any IPSec mode In NSX.
Correct Answer: BC

QUESTION 88.Which two commands does an NSX administrator use to check the IP address
of the VMkernel port for the Geneve protocol on the ESXi transport node? (Choose two.)
A. esxcfg-nics -1l
B. esxcli network ip interface ipv4 get
C. esxcli network nic list
D. esxcfg-vmknic -1
E. net-dvs

Correct Answer: BC

QUESTION 89. Match the NSX Intelligence recommendations with their correct purpose.

Discussion 0
Correct Answer:
Explanation:
QUESTION 90. Which three of the following describe the Border Gateway Routing Protocol
(BGP) configuration on a Tier-0 Gateway? (Choose three.)
A. Can be used as an Exterior Gateway Protocol.
B. It supports a 4-byte autonomous system number.
C. The network is divided into areas that are logical groups.
D. EIGRP Is disabled by default.
E. BGP is enabled by default.

Correct Answer: ABD

QUESTION 91. Which CLI command on NSX Manager and NSX Edge is used to change NTP
settings?
A. get timezone
B. get time-server
C. set timezone
D. set ntp-server

Correct Answer: D

QUESTION 92. Where does an administrator configure the VLANs used In VRF Lite? (Choose
two.)
A. segment connected to the Tler-1 gateway
B. uplink trunk segment
C. downlink interface of the default Tier-0 gateway
D. uplink Interface of the VRF gateway
 E. uplink interface of the default Tier-0 gateway

Correct Answer: BD

QUESTION 93. Refer to the exhibit.

An administrator configured NSX Advanced Load Balancer to redistribute the traffic between
the web servers.
However, reQuestion uests are sent to only one server
Which of the following pool configuration settings needs to be adjusted to resolve the
problem? Mark the correct answer by clicking on the image.

Discussion 0
Correct Answer:
Explanation:
Load Balancing Algorithm
You specify the following parameters during the creation of a server pool:
* Name: A uniQuestion ue name for the server pool.
* Cloud: The cloud connector details for the NSX environment.
* VRF Context: Virtual Routing Framework (VRF) is a method to isolate traffic in a system. VRF is
also called a route domain in the load balancer community. A global VRF context is created by
default. Network administrators might create custom VRF contexts to isolate traffic between different
tenants or subsets.
* Default Server Port: New connections to servers will use this destination service port. The default
port is 80.
* Load-balancing algorithm: The selected load-balancing algorithm controls how the incoming
connections are distributed among the servers in the pool.
* Tier-1 gateway (logical router): Specify the Tier-1 gateway th
QUESTION 94. An architect receives a reQuestion uest to apply distributed firewall in a
customer environment without making changes to the network and vSphere environment.
The architect decides to use Distributed Firewall on VDS.
Which two of the following reQuestion uirements must be met in the environment? (Choose
two.)
A. vCenter 8.0 and later
B. NSX version must be 3.2 and later
C. NSX version must be 3.0 and later
D. VDS version 6.6.0 and later

Correct Answer: BD

QUESTION 95. A company Is deploying NSX micro-segmentation in their vSphere

environment to secure a simple application composed of web. app, and database tiers.
The naming convention will be:
* WKS-WEB-SRV-XXX
* WKY-APP-SRR-XXX
* WKI-DB-SRR-XXX
What is the optimal way to group them to enforce security policies from NSX?
A. Use Edge as a firewall between tiers.
B. Do a service insertion to accomplish the task.
C. Group all by means of tags membership.
D. Create an Ethernet based security policy.
Correct Answer: C

QUESTION 96. What are two supported host switch modes? (Choose two.)
A. DPDK Datapath
B. Enhanced Datapath
C. Overlay Datapath
D. Secure Datapath
E. Standard Datapath
Correct Answer: BE

QUESTION 97. Where does an administrator configure the VLANs used In VRF Lite? (Choose
two.)
A. segment connected to the Tler-1 gateway
B. uplink trunk segment
C. downlink interface of the default Tier-0 gateway
D. uplink Interface of the VRF gateway
E. uplink interface of the default Tier-0 gateway
Correct Answer: BD
Refer to the exhibit.
An administrator configured NSX Advanced Load Balancer to redistribute the traffic between the web
servers.
However, reQuestion uests are sent to only one server
Which of the following pool configuration settings needs to be adjusted to resolve the problem? Mark
the correct answer by clicking on the image.

Discussion 0
Correct Answer:
QUESTION 98. An architect receives a reQuestion uest to apply distributed firewall in a customer
environment without making changes to the network and vSphere environment. The architect decides
to use Distributed Firewall on VDS.
Which two of the following reQuestion uirements must be met in the environment? (Choose two.)

A. vCenter 8.0 and later

B. NSX version must be 3.2 and later

C. NSX version must be 3.0 and later

D. VDS version 6.6.0 and later

Correct Answer: BD

QUESTION 99.A company Is deploying NSX micro-segmentation in their vSphere environment to secure
a simple application composed of web. app, and database tiers.
The naming convention will be:
* WKS-WEB-SRV-XXX
* WKY-APP-SRR-XXX
* WKI-DB-SRR-XXX
What is the optimal way to group them to enforce security policies from NSX?

A. Use Edge as a firewall between tiers.

B. Do a service insertion to accomplish the task.

C. Group all by means of tags membership.

D. Create an Ethernet based security policy.

Correct Answer: C

QUESTION 100.What are two supported host switch modes? (Choose two.)

A. DPDK Datapath

B. Enhanced Datapath

C. Overlay Datapath

D. Secure Datapath

E. Standard Datapath

Correct Answer: BE

QUESTION 101. Which three DHCP Services are supported by NSX? (Choose three.)

A. Gateway DHCP

B. Port DHCP per VNF

 C. Segment DHCP

D. VRF DHCP Server

E. DHCP Relay

Correct Answer: ACE

QUESTION 102. Which two logical router components span across all transport nodes? (Choose two.)

A. SFRVICE_ROUTER_TJER0

B. TIERO_DISTRI BUTE D_ ROUTER

C. DISTRIBUTED_R0UTER_TIER1

D. DISTRIBUTED_ROUTER_TIER0

E. SERVICE_ROUTER_TIERl

Correct Answer: CD

QUESTION 103. When deploying an NSX Edge Transport Node, what two valid IP address assignment
options should be specified for the TEP IP addresses? (Choose two.)

A. Use an IP Pool

B. Use a DHCP Server

C. Use RADIUS

D. Use a Static IP List

E. Use BootP

Correct Answer: AD

QUESTION 104. What should an NSX administrator check to verify that VMware Identity Manager
Integration Is successful?

A. From VMware Identity Manager the status of the remote access application must be green.
 B. From the NSX UI the status of the VMware Identity Manager Integration must be "Enabled".

C. From the NSX CLI the status of the VMware Identity Manager Integration must be "Configured".

D. From the NSX UI the URI in the address bar must have "locaNfatse" part of it.

Correct Answer: B

QUESTION 105. Which two statements are correct about East-West Malware Prevention? (Choose two.)

A. NSX Edge nodes must have Internet access.

B. A SVM is deployed on every ESXi host.

C. An agent must be installed on every NSX Edge node.

D. NSX Application Platform must have Internet access.

E. An agent must be installed on every ESXi host.

Correct Answer: BD