[VMCINV] VMware Certified Implementation Expert Network Virtualization Certification Exam P, Exams of Technology

A technical preparation resource focused on software-defined networking, network segmentation, security policies, and virtualization architecture. Practice scenarios and configuration examples help reinforce real-world skills.

Typology: Exams

2025/2026

Available from 02/20/2026

shilpi-jain-3

[VMCINV] VMware Certified Implementation
Expert Network Virtualization Certification
Exam Preparation Guide
Question 1. Which component provides the centralized management plane for NSX
in a multi-site deployment?
A) NSX Edge Cluster
B) NSX Global Manager
C) NSX Transport Node
D) NSX Distributed Router
Answer: B
Explanation: The NSX Global Manager orchestrates configuration across multiple
NSX Managers, enabling federation and multi-site disaster recovery.
Question 2. In an NSX Manager HA cluster, what is the purpose of the Virtual IP
(VIP)?
A) To load-balance API traffic among the managers
B) To assign a static IP to each Edge VM
C) To host the overlay tunnel endpoints
D) To identify the primary transport node
Answer: A
Explanation: The VIP is a floating address that clients use; it is moved between
active managers to provide high-availability and load-balancing of management
traffic.
Question 3. When preparing an ESXi host as a Transport Node, which switch type is
required for NSX-V 5.5 and later?
A) Standard Switch (VSS) only
B) vSphere Distributed Switch (VDS) only
C) Both VSS and VDS are supported
D) Only a physical switch can be used
Answer: B
Explanation: NSX requires a VDS to host the uplink and overlay ports; VSS does not provide the needed distributed port-group capabilities.
Question 4. What is the main difference between a VDS and an N-VDS in NSX?
A) N-VDS is only used for KVM hosts
B) VDS supports only VLAN traffic, N-VDS supports overlay traffic
C) N-VDS is a logical switch created by NSX for overlay networks, while VDS is a vSphere-native switch
D) There is no functional difference; they are synonyms
Answer: C
Explanation: An N-VDS (NSX-Virtual Distributed Switch) is an NSX-managed logical switch that carries overlay traffic, whereas VDS is a vSphere-managed switch for physical and VLAN traffic.
Question 5. Which Edge form factor is recommended for high-throughput North-South traffic in a production data center?
A) Edge VM in a standard VM-kernel
B) Edge VM with a dedicated NIC for each interface
C) Bare-Metal Edge appliance
D) Edge VM running on a nested ESXi host
Answer: C
Explanation: Bare-Metal Edge provides dedicated hardware resources and higher packet-processing capacity, making it suitable for demanding North-South workloads.
Question 6. In NSX Federation, what role does a Local Manager play?

Explanation: TEPs are IP addresses on the uplink interfaces of Transport Nodes that encapsulate and decapsulate overlay traffic.
Question 9. Which segment profile enforces MAC address learning restrictions to prevent MAC spoofing?
A) IP Discovery Profile
B) SpoofGuard Profile
C) Segment Security Profile
D) MAC Discovery Profile
Answer: B
Explanation: The SpoofGuard profile validates source MAC addresses against allowed values, blocking traffic that attempts MAC address spoofing.
Question 10. What does the IP Discovery profile enable on a logical segment?
A) Automatic allocation of IP addresses to VMs via DHCP
B) Detection of duplicate IP addresses on the segment
C) Automatic ARP suppression for traffic reduction
D) Mapping of IP addresses to security groups for DFW rules
Answer: B
Explanation: The IP Discovery profile monitors the segment for duplicate IP usage and can generate alerts, helping prevent IP conflicts.
Question 11. In a logical-to-physical L2 bridging scenario, which component handles the VLAN-to-overlay mapping?
A) NSX Edge Services Gateway
B) VDS uplink port group

C) Bridge Endpoint (BE) on the Transport Node
D) NSX Manager configuration API
Answer: C
Explanation: The Bridge Endpoint (also called a bridging bridge) on a Transport Node maps physical VLAN traffic to the overlay segment, enabling L2 bridging.
Question 12. Which replication mode is most efficient for BUM traffic when a large number of VMs are attached to a segment?
A) Source replication
B) Destination replication
C) Hybrid replication
D) Unicast replication only
Answer: A
Explanation: Source replication sends a single copy of BUM traffic from the source VM to each destination, reducing the number of packets traversing the overlay compared with destination replication.
Question 13. When configuring a Tier-0 gateway, which option determines whether the gateway advertises routes to external BGP peers?
A) Route redistribution settings
B) Edge Cluster placement
C) NAT rule order
D) L2 bridging mode
Answer: A
Explanation: Route redistribution on a Tier-0 gateway controls which internal routes (e.g., OSPF, static) are advertised to external BGP peers.

Explanation: Active-Active Tier-0 gateways with ECMP (Equal-Cost Multi-Path) distribute traffic across multiple uplinks, offering both load-balancing and failover capability.
Question 17. VRF Lite in NSX is primarily used to:
A) Separate management traffic from data traffic on the same physical NIC
B) Provide multi-tenant routing isolation within a single Tier-0 gateway
C) Enable Layer-2 bridging across different sites
D) Replace the need for a distributed firewall
Answer: B
Explanation: VRF Lite creates separate routing tables (VRFs) inside a Tier-0 gateway, allowing different tenants to have isolated routing domains without separate hardware.
Question 18. In a Zero-Trust micro-segmentation design, which NSX object is used to apply firewall rules based on workload attributes?
A) Distributed Firewall (DFW) tag groups
B) Edge Services Gateway firewall
C) VLAN ID assignment
D) Physical NIC teaming policy
Answer: A
Explanation: DFW tag groups allow administrators to classify workloads (e.g., by OS, application) and enforce security policies that are independent of network topology.
Question 19. Which firewall level enforces security for traffic entering the data center from the internet?
A) Distributed Firewall on Tier-1 gateways

B) Distributed Firewall on Tier-0 gateways
C) Edge Firewall on the Tier-0 gateway (Gateway Firewall)
D) Host-based firewall inside the VM
Answer: C
Explanation: The Gateway Firewall (Edge firewall) on the Tier-0 gateway controls North-South traffic at the perimeter, providing the first line of defense.
Question 20. What is the primary function of NSX Distributed IDS/IPS?
A) To replace the need for a physical intrusion detection system
B) To provide signature-based detection and prevention of threats at the hypervisor level for every VM
C) To encrypt traffic between overlay segments
D) To monitor CPU usage on the Edge appliances
Answer: B
Explanation: Distributed IDS/IPS inspects traffic on each hypervisor, applying signatures to detect and block malicious activity close to the source.
Question 21. NSX Intelligence leverages which data source to provide traffic visualization?
A) vCenter Server event logs only
B) Flow data collected from the distributed firewall and NSX telemetry services
C) Physical switch SNMP traps
D) DNS query logs from the DHCP service
Answer: B
Explanation: NSX Intelligence aggregates flow data from the DFW and telemetry services, enabling visualization of communication patterns and anomaly detection.

D) No-NAT (Transparent)
Answer: B
Explanation: SNAT rewrites the source IP of packets leaving a segment so that return traffic is sent back to the Edge’s IP address.
Question 25. Stateless DHCP in NSX differs from stateful DHCP in that:
A) It does not keep lease information on the server
B) It assigns IP addresses based on MAC address only
C) It requires a separate DNS forwarder service
D) It can only be used on Tier-1 gateways
Answer: A
Explanation: Stateless DHCP provides only network configuration parameters (e.g., DNS, gateway) without maintaining lease records; the client must configure its own IP address.
Question 26. The Metadata Proxy in NSX is primarily used for integration with which platform?
A) OpenStack
B) Microsoft Azure
C) Amazon Web Services (AWS)
D) Google Cloud Platform (GCP)
Answer: A
Explanation: The Metadata Proxy enables OpenStack instances to retrieve cloud-init metadata via the NSX overlay network.
Question 27. Which automation tool uses the NSX Policy API to declaratively configure network objects?

A) PowerCLI
B) Terraform
C) Ansible only
D) vRealize Orchestrator (vRO) only
Answer: B
Explanation: Terraform has a provider for NSX that interacts with the Policy API, allowing infrastructure-as-code definitions for NSX objects.
Question 28. What is the purpose of the nsxcli command “traceflow” in troubleshooting?
A) To capture a full packet dump on a physical NIC
B) To simulate a packet flow through the NSX data plane and show drop reasons
C) To display the configuration of all Tier-0 gateways
D) To restart the NSX Manager services
Answer: B
Explanation: Traceflow creates a synthetic packet that traverses the NSX forwarding path, reporting each hop and any policy-based drops.
Question 29. Which log aggregation solution is natively integrated with NSX for real-time telemetry?
A) Splunk Enterprise
B) vRealize Log Insight
C) Elastic Stack (ELK) only
D) Graylog
Answer: B

C) Distributed Firewall logging
D) NSX Intelligence flow export
Answer: A
Explanation: Port Mirroring creates a copy of traffic from a source VM/segment and forwards it to a destination VM for analysis.
Question 33. In an NSX environment, which object defines the allowed VLAN IDs for a physical NIC uplink?
A) Transport Node profile
B) Uplink VLAN binding in the Edge Cluster
C) VMkernel NIC network label
D) Distributed Switch VLAN group
Answer: D
Explanation: The Distributed Switch VLAN group (or VLAN ID range) defines which VLANs are permitted on a physical NIC used as an uplink.
Question 34. Which of the following best describes the function of a “Segment Security Profile” in NSX?
A) It defines MAC address limits for a segment
B) It configures L2-L3 routing between segments
C) It enables or disables broadcast traffic on a segment
D) It sets the maximum number of ports per segment
Answer: A
Explanation: The Segment Security Profile can limit the number of MAC addresses learned on a segment, helping to prevent MAC flooding attacks.

Question 35. When configuring OSPF on a Tier-0 gateway, which area type is used for the backbone?
A) Area 0 (zero)
B) Area 1 (one)
C) Area 2 (two)
D) Area 255 (stub)
Answer: A
Explanation: OSPF designates Area 0 as the backbone area; all other areas must connect to it.
Question 36. Which of the following is a prerequisite for enabling BGP on a Tier-0 gateway?
A) The Tier-0 must be in Active-Standby HA mode only
B) An Edge Cluster must be attached to the Tier-0 gateway
C) The Tier-0 must have a static default route configured
D) The Tier-0 must have a connected uplink logical router port
Answer: D
Explanation: BGP requires a logical router port with an IP address that can be used as the BGP peer address.
Question 37. What does ECMP stand for and why is it used in NSX routing?
A) Enhanced Cloud Management Protocol; for API scaling
B) Equal-Cost Multi-Path; to distribute traffic across multiple equal-cost links
C) Encrypted Control Management Plane; for secure communication
D) Edge-to-Core Multiplexing Protocol; for VLAN trunking
Answer: B

D) Extending DHCP services to VMs on a segment
Answer: B
Explanation: L2 Extension (or L2 bridging) maps a physical VLAN to an overlay segment, allowing VMs on the overlay to communicate with devices on the physical network.
Question 41. When deploying an Edge Cluster, what is the minimum number of Edge VMs required for Active-Active HA?
A) 1
B) 2
C) 3
D) 4
Answer: B
Explanation: At least two Edge VMs are needed to provide Active-Active redundancy, allowing traffic to be processed by either node.
Question 42. Which NSX service provides DNS forwarding for overlay networks?
A) NSX Distributed DNS
B) NSX Edge DNS Forwarder
C) NSX DHCP Service
D) NSX Metadata Proxy
Answer: B
Explanation: The NSX Edge DNS Forwarder resolves DNS queries from overlay VMs by forwarding them to upstream DNS servers.
Question 43. Which of the following is true about “Stateless NAT” in NSX?

A) It maintains a session table for each translation
B) It can translate both source and destination addresses simultaneously
C) It does not keep per-session state, relying on a static mapping table
D) It is only used for inbound traffic
Answer: C
Explanation: Stateless NAT uses a predefined mapping table and does not track individual sessions, making it lightweight but less flexible than stateful NAT.
Question 44. What is the primary benefit of using the NSX Policy API over the legacy API?
A) It requires no authentication
B) It allows declarative configuration of intent-based policies
C) It only works with Avi Load Balancer
D) It can be used only from the NSX Manager UI
Answer: B
Explanation: The Policy API lets administrators define the desired state (intent) of network objects, and NSX ensures that the actual configuration matches that intent.
Question 45. Which PowerCLI cmdlet is used to retrieve a list of NSX Transport Nodes?
A) Get-VMHostNetworkAdapter
B) Get-NSXTransportNode
C) Get-VMNetworkAdapter
D) Get-NSXLogicalSwitch
Answer: B

C) Applied To – Logical Switch (segment)
D) Service Group only
Answer: C
Explanation: The “Applied To” field allows a rule to be bound to a specific logical switch (segment), restricting its effect to that segment.
Question 49. Which of the following best describes “Route Redistribution” in NSX?
A) Converting static routes into BGP routes automatically
B) Sharing routes learned from one routing protocol with another (e.g., OSPF ↔ BGP)
C) Exporting routes to an external firewall appliance
D) Balancing traffic across multiple VLANs
Answer: B
Explanation: Route redistribution enables routes learned via one protocol to be advertised into another, facilitating mixed-protocol environments.
Question 50. A tenant requires isolated routing tables for three business units within the same data center. Which NSX feature should be used?
A) Multiple Tier-0 gateways with separate VRFs (VRF Lite)
B) Separate NSX Managers for each business unit
C) VLAN tagging on the physical switches only
D) Distributed Firewall tags only
Answer: A
Explanation: VRF Lite creates separate routing tables inside a single Tier-0 gateway, allowing isolated routing for each business unit.

Question 51. Which NSX service provides real-time detection of anomalous traffic patterns using machine learning?
A) NSX Distributed IDS/IPS
B) NSX Intelligence (NDR)
C) NSX Edge Load Balancer
D) NSX DHCP Service
Answer: B
Explanation: NSX Intelligence’s Network Detection and Response (NDR) component applies ML to flow data to surface anomalies and potential threats.
Question 52. In an NSX deployment, which object determines the maximum number of logical ports a segment can host?
A) Segment Profile – MAC Discovery
B) Transport Node profile – Uplink MTU
C) Segment – Port Allocation Limit setting
D) NSX Manager global setting
Answer: C
Explanation: The Port Allocation Limit on a segment restricts how many logical ports (VM NICs) can be attached, preventing overallocation.
Question 53. Which of the following is true about “Edge Firewall” rules versus “Distributed Firewall” rules?
A) Edge Firewall rules are applied at the hypervisor level, DFW at the physical switch
B) Edge Firewall protects North-South traffic, DFW protects East-West traffic
C) Edge Firewall can only use TCP/UDP protocols, DFW can use any protocol
D) Edge Firewall rules are stateless, DFW rules are stateful only