Master Your 2026/2027 Certification: 67 Practice Questions & Answers Covering Network Functions Virtualization (NFV), Software-Defined Networking (SDN), OpenStack Modules & Security
Description: Features 67 realistic questions and detailed explanations covering NFV, SDN, OpenStack, security protocols, and orchestration. Designed for CCIE, VCP-NV, and network engineer exam prep.
NFV SDN Practice Exam 2026/2027: 67 Questions & Answers for Network Virtualization Certification Prep
Instructions: This examination paper assesses knowledge of modern network architectures, including Network Functions Virtualization (NFV), Software-Defined Networking (SDN), and associated security and management principles. Answer all questions by selecting the most appropriate option(s).
Section 1: Network Virtualization & NFV Fundamentals
- The primary motivation for migrating from proprietary hardware appliances to Network Functions Virtualization (NFV) is to:
  A. Increase the physical footprint of network infrastructure.
  B. Eliminate the need for all network security functions.
  C. Reduce capital expenditures and accelerate service deployment times.
  D. Mandate the use of a single vendor's software stack.
  Answer: C
  Explanation: NFV decouples network functions from dedicated hardware, allowing them to run as software on commercial off-the-shelf (COTS) servers. This reduces reliance on expensive, proprietary appliances (lowering CapEx) and enables faster provisioning and scaling of services, thus reducing time-to-market.
- Within the ETSI NFV architectural framework, which component is responsible for the lifecycle management of individual software-based network functions, such as instantiation, scaling, and termination?
  A. NFV Orchestrator (NFVO)
  B. Virtualized Infrastructure Manager (VIM)
  C. VNF Manager (VNFM)
  D. Operations Support System (OSS)
  Answer: C
  Explanation: The VNF Manager (VNFM) is a core component of the NFV Management and

C. Elimination of all physical network switches in favor of virtual-only networks.
D. Mandatory use of the OpenFlow protocol for all network communications.
Answer: B
Explanation: SDN's foundational principle is the separation of the control plane (which makes decisions about how traffic should flow) from the data plane (which forwards traffic based on those decisions). This allows for centralized, programmable network control.
- In an SDN architecture, which interface is defined for communication between the SDN controller and the underlying network devices like switches and routers?
  A. Northbound Interface (NBI)
  B. Eastbound/Westbound Interface
  C. Southbound Interface (SBI)
  D. Management Interface
  Answer: C
  Explanation: The Southbound Interface (SBI) is the API or protocol used by the SDN controller to communicate with and manage the data plane devices (e.g., switches, routers). OpenFlow is a canonical example of an SBI protocol.
- The SDN controller's role can be best described as:
  A. A passive monitor that logs traffic but does not influence forwarding.
  B. The centralized "brain" that programs flow rules on data plane devices based on application requests.
  C. A simple relay station for broadcast traffic within a VLAN.
  D. A replacement for all hypervisor functions in a virtualized data center.
  Answer: B
  Explanation: The SDN controller acts as the centralized logic center. It translates high-level network policies from applications (received via the NBI) into specific flow table entries, which it then installs on switches via the SBI, thereby dictating how traffic is forwarded.
- Which protocol, standardized by the Open Networking Foundation (ONF), is most commonly associated as a southbound interface for SDN to program flow tables in switches?
  A. Border Gateway Protocol (BGP)
  B. Simple Network Management Protocol (SNMP)
  C. OpenFlow
  D. Link Layer Discovery Protocol (LLDP)
  Answer: C
  Explanation: OpenFlow is a dominant open standard protocol that provides a well-defined SBI for an SDN controller to remotely configure the flow tables of network switches, thereby controlling packet forwarding paths.
Section 3: Virtualization, Overlays, & OpenStack
- A Virtual Extensible LAN (VXLAN) primarily addresses which limitation of traditional VLANs in large cloud data centers?
  A. The lack of encryption for data in transit.
  B. The 12-bit VLAN ID limit, which restricts scalability to 4094 segments.
  C. The inability to route between subnets.
  D. The high cost of Ethernet switches.
  Answer: B
  Explanation: VXLAN is an overlay network technology that encapsulates Layer 2 Ethernet frames within Layer 4 UDP packets. It uses a 24-bit VXLAN Network Identifier (VNI), enabling the creation of over 16 million logical networks, thereby solving the scalability limitation of traditional 4094 VLANs.
- In the OpenStack cloud platform, which module is responsible for providing software-defined networking services, such as creating networks, subnets, and routers, and managing IP addresses?
  A. Nova
  B. Cinder
Section 4: Security in Virtualized & Software-Defined Networks
- The cybersecurity framework that advocates for layering multiple defensive mechanisms to protect assets, so if one layer is compromised, others remain in effect, is known as:
  A. Cyber Kill Chain
  B. Defense in Depth
  C. Penetration Testing
  D. Vulnerability Scanning
  Answer: B
  Explanation: Defense in Depth is a security strategy that employs a series of layered, redundant defensive controls (physical, technical, administrative) to protect valuable data and information. If one mechanism fails, subsequent layers continue to provide protection.
- In the context of NFV security, which NIST recommendation suggests using kernel-based virtual firewalls for VMs running I/O-intensive applications?
  A. VM-FW-R
  B. VM-FW-R
  C. VM-FW-R
  D. VM-FW-R
  Answer: B
  Explanation: NIST Special Publication 800-125B (Securing Virtual Network Functions) recommendation VM-FW-R2 specifically advises that for VMs with high I/O requirements, kernel-based virtual firewalls (which operate within the hypervisor kernel) are preferable to subnet-level virtual firewalls to minimize performance overhead.
- The "Reconnaissance" phase in the Cyber Kill Chain model involves:
  A. The weaponization of a remote access Trojan.
  B. The establishment of a command-and-control channel.
  C. The initial gathering of intelligence about the target.
  D. The exfiltration of data from the victim's network.
  Answer: C
  Explanation: Reconnaissance is the first phase of the Cyber Kill Chain. During this stage, attackers collect information about their target (e.g., email addresses, network structure, software versions) to identify potential vulnerabilities for exploitation.
- A Moving Target Defense (MTD) technique that involves dynamically changing network attributes, such as IP addresses or routing paths, to confuse attackers is categorized as:
  A. Host-Level MTD
  B. Application-Level MTD
  C. Network-Level MTD
  D. Data-Level MTD
  Answer: C
  Explanation: Network-Level MTD strategies aim to increase uncertainty and complexity for attackers by dynamically altering the network's attack surface. This includes changing IP addresses (IP shuffling), modifying network configurations, or randomizing routing paths.
Section 5: Network Operations, Management & Protocols
- Which Linux-based technology is a native kernel function that provides Layer 2 bridging capabilities and can be managed via brctl or the ip link command?
  A. Open vSwitch (OVS)
  B. Linux Bridge
  C. iptables
  D. Netfilter
  Answer: B
  Explanation: Linux Bridge is a kernel module that provides basic Layer 2 switching/bridging functionality. It is a simple, stable tool often used to connect virtual machine interfaces to physical networks in virtualization hosts.

connecting over SSH (by default), pushing and executing modules temporarily on the target machine. Configuration plans are written in YAML files called playbooks.
Section 6: Advanced SDN Concepts & Network Operations
- Which open-source SDN controller platform, launched in 2014, is known for its modular, plug-in-based architecture that supports multiple southbound protocols including OpenFlow and NETCONF?
  A. NOX
  B. Floodlight
  C. OpenDaylight (ODL)
  D. Ryu
  Answer: C
  Explanation: OpenDaylight is a highly modular, open-source SDN controller framework hosted by the Linux Foundation. Its pluggable architecture allows it to support a variety of southbound protocols and northbound APIs, making it a popular choice in production environments.
- The Virtual Network Embedding (VNE) problem primarily addresses the challenge of:
  A. Encrypting data between virtual machines.
  B. Optimally mapping virtual networks and their resource requests onto a shared physical substrate network.
  C. Configuring VLAN tags on hypervisor switches.
  D. Automating the installation of operating systems on bare-metal servers.
  Answer: B
  Explanation: VNE is a resource allocation problem in network virtualization. It involves finding an efficient mapping of virtual nodes and virtual links onto the physical network's nodes and paths, optimizing for factors like cost, load balancing, and acceptance ratio.
- In an SDN security context, which mechanism involves deploying multiple, logically centralized controllers in an active/standby configuration to guard against a single point of failure?
  A. Dynamic Device Association
  B. Clustering
  C. Security Domains
  D. Moving Target Defense
  Answer: B
  Explanation: Controller clustering is a high-availability technique where multiple controller instances are grouped. In active/standby mode, if the active controller fails, a standby instance takes over, ensuring the control plane remains operational and mitigating the risk of a single controller failure.
- Which protocol provides a standards-based method for precise clock synchronization in distributed measurement and control systems, often used in telecommunications?
  A. Network Time Protocol (NTP)
  B. Precision Time Protocol (PTP) - IEEE 1588
  C. Dynamic Host Configuration Protocol (DHCP)
  D. Simple Network Time Protocol (SNTP)
  Answer: B
  Explanation: IEEE 1588, the Precision Time Protocol (PTP), is designed for sub-microsecond synchronization accuracy in local area networks. It is critical in NFV and telecom environments where stringent timing is required for financial transactions, media streaming, or 5G network slicing.
Section 7: Virtualization Infrastructure & Services
- What is the primary function of OpenStack's Ironic module?
  A. To provide object storage services.
  B. To manage bare-metal servers as if they were hypervisor-based compute resources.
  C. To orchestrate containerized applications.
  D. To serve as a graphical dashboard for users.
  Answer: B
  Explanation: Ironic is the OpenStack Bare Metal Provisioning service. It enables the

C. Barbican
D. Zaqar
Answer: A
Explanation: Congress is the OpenStack policy service. It provides a governance framework for defining, enforcing, and auditing compliance rules (policies) across the entire cloud deployment, ensuring configuration and operational standards are met.
Section 8: Core Networking Protocols & Functions
- A DHCP client typically listens for server responses on which UDP port?
  A. Port 67
  B. Port 68
  C. Port 69
  D. Port 53
  Answer: B
  Explanation: In the DHCP process, the client uses UDP port 68 as its source port when broadcasting a discovery request and as its destination port to listen for offers and acknowledgments from the server, which operates on port 67.
- The Address Resolution Protocol (ARP) is used to resolve:
  A. A hostname to an IP address.
  B. An IP address to a MAC address on the same local network.
  C. An IP address to a fully qualified domain name (FQDN).
  D. A MAC address to an IP address.
  Answer: B
  Explanation: ARP is a Layer 2 protocol that dynamically maps a known IPv4 address (Layer 3) to its corresponding physical MAC address (Layer 2) on the same Ethernet broadcast domain, enabling proper frame delivery.
- A key functional difference between an Ethernet hub and an Ethernet switch is that a switch:
  A. Operates at the physical layer only.
  B. Broadcasts all frames to every connected port.
  C. Learns MAC addresses and forwards frames only to the specific destination port.
  D. Cannot connect devices within the same LAN.
  Answer: C
  Explanation: An Ethernet switch is an intelligent Layer 2 device that builds and maintains a MAC address table, allowing it to perform selective forwarding. It sends frames only to the port associated with the destination MAC, reducing collisions and improving security compared to a hub's broadcast behavior.
- The Generic Routing Encapsulation (GRE) protocol is primarily used to:
  A. Encrypt payload data for confidentiality.
  B. Create a stateless, point-to-point tunnel between two network nodes.
  C. Provide precise clock synchronization.
  D. Dynamically assign IP addresses.
  Answer: B
  Explanation: GRE is a simple, lightweight tunneling protocol that encapsulates a wide variety of network layer protocols inside virtual point-to-point links. It creates logical direct connections over an intermediate network but does not provide encryption natively.
Section 9: Security Assessments & System Lifecycle
- The process of actively attempting to exploit identified vulnerabilities in a controlled manner to assess the security posture of a system is called:
  A. Vulnerability Scanning
  B. Network Mapping
  C. Penetration Testing
  D. Log Analysis

Answer: C
Explanation: The Disposition phase occurs when a system is retired. Key security tasks include securely archiving or destroying data (information preservation) and using certified methods (e.g., wiping, degaussing) to sanitize storage media, preventing data leakage from decommissioned assets.
Section 10: Specialized Network Functions & Architectures
- The IEEE 802.1Q standard defines a protocol for:
  A. Wireless LAN security.
  B. Carrying VLAN traffic over Ethernet networks (VLAN tagging).
  C. Link aggregation.
  D. Power over Ethernet.
  Answer: B
  Explanation: IEEE 802.1Q is the networking standard that supports Virtual LANs (VLANs) on an Ethernet network. It defines a system of VLAN tagging where a 4-byte tag is inserted into the Ethernet frame header to identify the VLAN membership of the frame.
- What is the primary purpose of a TAP (Test Access Point) or SPAN (Switched Port Analyzer) port in network security monitoring?
  A. To act as a primary firewall for inbound traffic.
  B. To provide a copy of network traffic for analysis by an IDS/IPS without impacting the production data path.
  C. To serve as the default gateway for a subnet.
  D. To encrypt traffic between two network segments.
  Answer: B
  Explanation: TAP and SPAN ports are used for traffic mirroring. They send a copy of passing network packets to a monitoring device (like an IDS or packet analyzer). This allows for passive, out-of-band security monitoring and troubleshooting without introducing latency or a single point of failure in the inline path.
- The OpenStack module "Magnum" is primarily associated with which technology?
  A. Bare-metal provisioning
  B. Container orchestration (e.g., Kubernetes, Docker Swarm)
  C. DNS-as-a-Service
  D. Key management
  Answer: B
  Explanation: Magnum is an OpenStack API service that provisions and manages container orchestration engines (COEs) like Kubernetes, Docker Swarm, and Apache Mesos as first-class resources within the cloud, enabling Container-as-a-Service (CaaS) functionality.
- In the NFV reference architecture, which repository contains the templates that define the deployment and operational behavior of a VNF?
  A. NFVI
  B. NFV Catalog
  C. VIM Database
  D. Element Management System
  Answer: B
  Explanation: The NFV Catalog is a repository within the MANO framework. It stores declarative template files such as VNF Descriptors (VNFDs) and Network Service Descriptors (NSDs), which describe the components, requirements, and lifecycle of VNFs and composite services.
Section 11: Network Security Mechanisms & Attacks
- A security attack where an adversary infers information about network state or configuration by observing variations in packet processing times is known as a:
  A. Denial-of-Service (DoS) attack.
  B. Side-channel attack.
  C. Man-in-the-Middle (MitM) attack.
  D. Malware injection attack.

Answer: B
Explanation: Passive attacks are focused on information gathering without affecting system resources. Examples include eavesdropping or traffic analysis. Their goal is secrecy violation, and they are difficult to detect because the data flow is not altered.
Section 12: Virtual Network Functions & Management
- According to NIST guidelines, which virtual firewall deployment model is recommended for VMs running delay-sensitive applications?
  A. Physical firewalls at the data center perimeter.
  B. Subnet-level virtual firewalls.
  C. Kernel-based virtual firewalls integrated with the hypervisor.
  D. No firewall is needed for performance reasons.
  Answer: C
  Explanation: NIST SP 800-125B (VM-FW-R1) recommends kernel-based virtual firewalls (like those in the hypervisor's virtual switch) for delay-sensitive VMs. This architecture typically offers lower latency and higher throughput than routing traffic through a separate subnet-level virtual firewall appliance.
- In a virtualized environment, which method provides the strongest form of resource isolation between competing VNFs?
  A. Rate-limiting CPU usage.
  B. Physical segregation of hardware resources (dedicated servers).
  C. Using a round-robin scheduler on a shared host.
  D. Applying network Quality of Service (QoS) policies.
  Answer: B
  Explanation: While various software methods (rate-limiting, scheduling) provide isolation, physical segregation—dedicating specific servers, NICs, or storage arrays to a VNF—offers the strongest guarantee. It eliminates "noisy neighbor" problems and provides a clear security boundary.
- The OpenStack "Sahara" module is designed to provide which type of service?
  A. Relational Database-as-a-Service
  B. Big Data Processing frameworks (e.g., Hadoop, Spark) as a Service
  C. Message Queuing-as-a-Service
  D. Shared File System-as-a-Service
  Answer: B
  Explanation: Sahara is the OpenStack project for provisioning and managing scalable data processing clusters (e.g., Hadoop, Spark, Storm). It simplifies the deployment and operation of big data frameworks within an OpenStack cloud.
- Which component in an NFV-based network is responsible for the automated placement of VNFs onto specific hypervisors within the NFVI?
  A. VNF Manager
  B. Hypervisor Kernel
  C. NFV Orchestrator
  D. Virtual Switch
  Answer: C
  Explanation: VNF placement is a key orchestration function. The NFV Orchestrator (NFVO) uses policies, resource availability from the VIM, and service requirements to decide where (on which host/region) to instantiate each VNF for optimal performance, resilience, and resource utilization.
Section 13: Network Addressing & Translation
- The primary purpose of Network Address Translation (NAT) is to:
  A. Encrypt traffic between private and public networks.
  B. Map private IP addresses to a public IP address (or pool) for internet access.
  C. Prevent MAC address flooding attacks.
  D. Dynamically assign IP addresses within a local network.