NSX Set 5 Flashcards

1
Q

Which is not a feature of IPsec VPNs?

a. Data origin authentication
b. Data confidentiality
c. Data integrity
d. Data replay

A

d. Data replay
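Card 1 turns on the distinction between "replay" and "anti-replay": IPsec does not provide data replay, it defends against it with a per-SA sliding window over the ESP/AH sequence number (RFC 4303 Appendix A). The code below is an added example of that window, written for these notes; it is not VMware NSX code, and the sequence numbers it feeds in are constructed, not captured traffic. Integrity-check (ICV) verification, which a real receiver performs before updating the window, is left out.

```python
# Added example (not part of the flashcards or of NSX): the ESP/AH anti-replay
# sliding window from RFC 4303 Appendix A. Input sequence numbers are constructed.

RFC_MIN_WINDOW = 32  # RFC 4303 requires a receive window of at least 32 packets


class AntiReplayWindow:
    """Tracks received sequence numbers for one inbound SA.

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (highest - i) has already been seen.
    """

    def __init__(self, window_size: int = 64) -> None:
        if window_size < RFC_MIN_WINDOW:
            raise ValueError(f"window must be >= {RFC_MIN_WINDOW}")
        self.size = window_size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Accept (True) and record `seq`, or reject (False) a replayed or stale one.

        A real receiver verifies the ICV before calling this, so a forged packet
        cannot advance the window; that step is omitted here.
        """
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False  # seq 0 is never sent; 32-bit field (ESN not modelled)
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything previously tracked has fallen out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than the window: treated as a replay
        if self.bitmap & (1 << offset):
            return False  # already received: replay
        self.bitmap |= 1 << offset  # late but genuine out-of-order packet
        return True


def filter_sequence(seqs, window_size=64):
    """Run sequence numbers through one window; returns accept/reject flags in order."""
    w = AntiReplayWindow(window_size)
    return [w.check_and_update(s) for s in seqs]


# Constructed input: in-order delivery, a replayed 2, reordering (5 before 4),
# a replayed 3, a jump to 70, then a stale 6 and a still-in-window 7.
SAMPLE_SEQS = [1, 2, 3, 2, 5, 4, 3, 70, 6, 7]

if __name__ == "__main__":
    for s, ok in zip(SAMPLE_SEQS, filter_sequence(SAMPLE_SEQS)):
        print(f"seq {s:>3}: {'accept' if ok else 'REJECT'}")
```

Running the sample shows the two behaviours that matter operationally: a duplicate inside the window is rejected outright, while a packet that arrives late but was never seen is still accepted. The window therefore only defends against replay when the receiver also drops packets whose ICV fails, and a window size too small for the path's reordering will cause genuine packets to be dropped as "replays".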

2
Q

An NSX Edge is configured with an IPsec site-site VPN tunnel over the Internet to a remote location. The IPsec VPN peer at the remote location only has RFC1918 addresses, and the remote site has a NAT router to connect to the Internet.
Which requirement must be met for the IPsec VPN to function correctly?

a. The peer ID of the remote router must be a non-RFC1918 address.
b. The peer ID of the remote router must be the NAT IP.
c. The peer endpoint of the remote router must match the Peer ID.
d. The peer endpoint of the router must be the NAT IP.

A

d. The peer endpoint of the router must be the NAT IP.

3
Q

What is the role of IKE in IPsec VPN?

a. It provides the encryption mechanism for the IPsec tunnels.
b. It establishes the conditions for the creation of a secure communication channel.
c. It establishes data confidentiality.
d. It establishes the security proposals for the IPsec VPN peers.

A

b. It establishes the conditions for the creation of a secure communication channel.

4
Q

Which two DH groups does the NSX Edge support? (Choose two.)

a. DH Group 1
b. DH Group 2
c. DH Group 4
d. DH Group 5

A

b. DH Group 2

d. DH Group 5

5
Q

Which IKE Phase 2 mode does the NSX Edge support?

a. Main Mode
b. Quick Mode
c. Fast Mode
d. Secure Mode

A

b. Quick Mode

6
Q

Which NSX Edge CLI command can be used to verify the subnets allowed over the IPsec VPN tunnel?

a. show service vpn sa
b. show service ipsec sp
c. show service ipsec networks
d. show service vpn networks

A

b. show service ipsec sp

7
Q

What is the NSX Edge default port for SSL VPN-Plus?

a. TCP 443
b. UDP 443
c. TCP 636
d. UDP 636

A

a. TCP 443

8
Q

What is the maximum number of SSL VPN-Plus active sessions supported by a single NSX Edge?

a. 50
b. 100
c. 1,000
d. 6,000

A

c. 1,000

9
Q

Which two components do not need to be configured for Network Access Mode SSL VPN-Plus? (Choose two.)

a. IP pool
b. Login script
c. SSL VPN-Plus server settings
d. Web resource

A

b. Login script

d. Web resource

10
Q

How does a user get the SSL VPN-Plus client installed?

a. From VMware’s site, http://www.vmware.com/. The user must have a VMware account to download it.
b. From the NSX Manager, https://NSX-MANAGER-IP_OR_FQDN/VPN-PLUS. The user must have at least NSX Manager Read-Only access.
c. From the NSX Edge, https://EDGE-IP_OR_FQDN/. The NSX Edge must authenticate the user first.
d. From a link provided to the user by the NSX administrator. The user must have appropriate rights to access the link.

A

c. From the NSX Edge, https://EDGE-IP_OR_FQDN/. The NSX Edge must authenticate the user first.

11
Q

What is the name of a NAT that changes the source IP of a packet?

a. INAT
b. SNAT
c. DNAT
d. PNAT

A

b. SNAT

12
Q

What is the name of a NAT that changes the destination IP of a packet?

a. INAT
b. SNAT
c. DNAT
d. PNAT

A

c. DNAT

13
Q

Which two NAT rules can be configured in the NSX Edge? (Choose two.)

a. INAT
b. DNAT
c. PNAT
d. SNAT

A

b. DNAT

d. SNAT
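Cards 11 to 13 define SNAT and DNAT by which address they rewrite, and card 2 depends on the same idea: a peer behind a NAT router is seen by the NSX Edge at the router's public address. The following is an added example written for these notes (not NSX Edge code): a minimal stateful NAT gateway that applies SNAT to outbound traffic from an inside subnet, DNAT to inbound traffic on a published port, and keeps a connection table so replies are untranslated. The Packet type, addresses and ports are all constructed for the demo.

```python
# Added example (not NSX Edge code): stateful SNAT/DNAT with a connection table.
# Packet type, addresses and ports are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, outside_ip, inside_net, dnat_rules, first_port=40000):
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)  # sources that get SNATed
        self.dnat_rules = dict(dnat_rules)  # (outside_ip, port) -> (inside_ip, port)
        self.next_port = first_port         # next free port on outside_ip for SNAT
        self.snat_out = {}   # (inside_ip, sport, dst, dport) -> outside port
        self.snat_in = {}    # (outside port, remote, rport) -> (inside_ip, sport)
        self.dnat_conn = {}  # (remote, rport, inside_ip, iport) -> (outside_ip, port)

    def inside_to_outside(self, p: Packet) -> Packet:
        """Packet leaving the inside network."""
        # 1. Reply to a DNATed inbound connection: put the published address back.
        conn = self.dnat_conn.get((p.dst, p.dport, p.src, p.sport))
        if conn is not None:
            pub_ip, pub_port = conn
            return Packet(p.proto, pub_ip, pub_port, p.dst, p.dport)
        # 2. SNAT: only sources inside the configured network are translated.
        if ipaddress.ip_address(p.src) not in self.inside_net:
            return p
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.snat_out:
            port = self.next_port
            self.next_port += 1
            self.snat_out[key] = port
            self.snat_in[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(p.proto, self.outside_ip, self.snat_out[key], p.dst, p.dport)

    def outside_to_inside(self, p: Packet):
        """Packet arriving on the outside interface; None means it is dropped."""
        # 1. Reply to an SNATed flow: restore the original inside source.
        conn = self.snat_in.get((p.dport, p.src, p.sport))
        if conn is not None and p.dst == self.outside_ip:
            inside_ip, sport = conn
            return Packet(p.proto, p.src, p.sport, inside_ip, sport)
        # 2. New inbound connection: DNAT only if a rule publishes that port.
        rule = self.dnat_rules.get((p.dst, p.dport))
        if rule is None:
            return None
        inside_ip, iport = rule
        self.dnat_conn[(p.src, p.sport, inside_ip, iport)] = (p.dst, p.dport)
        return Packet(p.proto, p.src, p.sport, inside_ip, iport)


def demo():
    """One SNATed outbound flow, an IKE packet, one DNATed inbound flow, one drop."""
    gw = NatGateway("203.0.113.5", "192.168.10.0/24",
                    {("203.0.113.5", 443): ("192.168.10.20", 8443)})
    # Outbound HTTP from an RFC1918 host: the source becomes the NAT IP.
    out = gw.inside_to_outside(Packet("tcp", "192.168.10.7", 51000, "198.51.100.9", 80))
    back = gw.outside_to_inside(Packet("tcp", "198.51.100.9", 80, out.src, out.sport))
    # Outbound IKE (UDP 500) from a VPN router behind the NAT: the far-end peer
    # sees the NAT IP as the source, so its peer endpoint must be the NAT IP.
    ike = gw.inside_to_outside(Packet("udp", "192.168.10.1", 500, "203.0.113.200", 500))
    # Inbound to the published HTTPS service: the destination becomes the inside server.
    inb = gw.outside_to_inside(Packet("tcp", "198.51.100.33", 60001, "203.0.113.5", 443))
    reply = gw.inside_to_outside(Packet("tcp", inb.dst, inb.dport, inb.src, inb.sport))
    # Inbound to a port with no DNAT rule and no matching flow: dropped.
    dropped = gw.outside_to_inside(Packet("tcp", "198.51.100.33", 60002, "203.0.113.5", 22))
    return {"out": out, "back": back, "ike": ike, "inb": inb, "reply": reply, "dropped": dropped}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:>8}: {pkt}")
```

Two things to read off the output. First, the DNAT reply check runs before the SNAT rule, otherwise the inside server's reply would be re-sourced to an ephemeral port and the client would never match it to its connection. Second, the IKE packet leaves with source 203.0.113.5 and a translated UDP port, which is what the remote Edge in card 2 actually sees; that port rewrite is also why IKE needs NAT traversal (UDP 4500 encapsulation) when a peer sits behind this kind of gateway.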

14
Q

What is an NSX load balancer virtual server?

a. The mapping of the VIP with a server pool and an application profile
b. A virtual machine with an installed operating system
c. The servers that are members of the NSX load balancer server pool
d. The servers that are members of the NSX load balancer application profile

A

a. The mapping of the VIP with a server pool and an application profile

15
Q

What type of load balancing is not supported by the NSX Edge?

a. Load balancing based on the UDP header
b. Load balancing based on the IGMP header
c. Load balancing for applications communicating over HTTP
d. Load balancing for applications communicating over HTTPS

A

b. Load balancing based on the IGMP header

16
Q

What is the load balancing mode the NSX Edge is configured for if an SNAT is done in the user traffic?

a. Layer 4 load balancing mode
b. Transparent mode
c. Layer 7 load balancing mode
d. Proxy mode

A

d. Proxy mode

17
Q

Which persistence method is not supported for HTTPS?

a. Source IP
b. Destination URI
c. Cookie
d. SSL Session ID

A

b. Destination URI

18
Q

Which type of security does the NSX Edge firewall provide? (Choose two.)

a. Layer 2 firewall
b. Layer 3 firewall
c. Layer 4 firewall
d. Layer 7 firewall

A

b. Layer 3 firewall

c. Layer 4 firewall

19
Q

When processing traffic, where are NSX Edge firewall rules matched against traffic?

a. NSX Edge firewall rules are matched against ingress traffic of the selected Edge vNIC.
b. NSX Edge firewall rules are matched against egress traffic of the selected Edge vNIC.
c. By default, NSX Edge firewall rules are matched against all traffic after any configured NAT rules are applied.
d. By default, NSX Edge firewall rules are matched against all traffic coming in the Edge.

A

c. By default, NSX Edge firewall rules are matched against all traffic after any configured NAT rules are applied.

20
Q

If a firewall rule’s source is configured to match a logical switch, how does the NSX Edge match traffic to the firewall rule?

a. The NSX Edge receives the IP address of all vNICs connected to the logical switch from vCenter and uses these IPs to match traffic to the firewall rule.
b. The NSX Edge receives the IP address of all vNICs connected to the logical switch from NSX Manager and uses these IPs to match traffic to the firewall rule.
c. The NSX Edge receives the IP address of all vNICs connected to the logical switch from the ESXi hosts and uses these IPs to match traffic to the firewall rule.
d. The NSX Edge receives the IP address of all vNICs connected to the logical switch from the NSX Controllers and uses these IPs to match traffic to the firewall rule.

A

b. The NSX Edge receives the IP address of all vNICs connected to the logical switch from NSX Manager and uses these IPs to match traffic to the firewall rule.

21
Q

Which is not a design compromise that might be made to provide network security to virtual workloads?

a. Deploy all the tiers of a multitier application in the same Layer 2 broadcast domain.
b. Span VLANs among multiple ESXi hosts.
c. Provide multiple IP subnets to support multitier applications.
d. Allow unrestricted access for virtual workloads in the same Layer 2 broadcast domain.

A

a. Deploy all the tiers of a multitier application in the same Layer 2 broadcast domain.

22
Q

Which statement is true regarding the distributed firewall?

a. The distributed firewall is a firewall configured on each ESXi host managed by a single vCenter instance. Each ESXi host gets the same distributed firewall configuration.
b. The distributed firewall is a firewall configured on each NSX-prepared ESXi host. Each ESXi host gets the same distributed firewall configuration.
c. The distributed firewall is the name of the NSX firewall component applied to each VM.
d. The distributed firewall is the name of the NSX firewall component applied to every vNIC on every VM.

A

d. The distributed firewall is the name of the NSX firewall component applied to every vNIC on every VM.

23
Q

What component(s) contains the distributed firewall?

a. The NSX Manager
b. The NSX Controllers
c. The ESXi hosts
d. The VMs

A

c. The ESXi hosts

24
Q

Which two layers of the OSI model are not protected by the distributed firewall? (Choose two.)

a. Layer 1
b. Layer 3
c. Layer 4
d. Layer 7

A

a. Layer 1

d. Layer 7

25
Q

How many distributed firewall rules are supported by NSX Manager?

a. 1,000
b. 10,000
c. 100,000
d. 1,000,000

A

c. 100,000

26
Q

An NSX administrator adds Layer 3 and Layer 4 firewall rules to the distributed firewall for virtual machine DB_02 with the goal of having the rules processed before an existing Layer 2 firewall rule defined for the same VM.
What must be done to ensure these rules are enforced in the desired order?

a. Nothing. Layer 2 distributed firewall rules are enforced before any Layer 3 and Layer 4 rules.
b. Nothing. Existing distributed firewall rules get enforced before any new firewall rules.
c. Configure the Layer 3 and Layer 4 distributed firewall rules above the Layer 2 rule.
d. Disable the Layer 2 distributed firewall rule, add the Layer 3 and Layer 4 rules, and then re-enable the Layer 2 rule.

A

a. Nothing. Layer 2 distributed firewall rules are enforced before any Layer 3 and Layer 4 rules.

27
Q

Which two are valid options for the Source field of a universal DFW rule? (Choose two.)

a. vNIC
b. IP
c. Universal security group
d. IP sets

A

b. IP

c. Universal security group

28
Q

What two components/features should be configured/installed for a firewall rule with a destination that includes the name of a virtual machine to be effective? (Choose two.)

a. VMware Tools should be installed in the VM.
b. VMware Endpoint Services should be deployed to the ESXi host where the VM is running.
c. The Applied To field should include the VM name.
d. DHCP snooping.

A

a. VMware Tools should be installed in the VM.

d. DHCP snooping.

29
Q

Which statement must be true for a rule that has a source that includes an LDAP group to function properly?

a. vCenter has been added to the LDAP domain.
b. The NSX Manager that owns the rule has been added to the LDAP domain.
c. The ESXi hosts that have a copy of the distributed firewall’s rule have been added to the LDAP domain.
d. The rule is a universal firewall rule.

A

b. The NSX Manager that owns the rule has been added to the LDAP domain.

30
Q

Which ESXi host command shows the vNICs that are not in the exclusion list?

a. vsipioctl getrules
b. vsipioctl getaddrsets
c. vsipioctl getvnics
d. vsipioctl getfilters

A

d. vsipioctl getfilters

31
Q

What is the configuration of the default SpoofGuard policy?

a. Include all portgroups and logical switches that are not members of an existing SpoofGuard policy.
b. Require manual approval of all IPs for VMs added to the policy.
c. Requires that VMs be manually added to the policy.
d. Enforce VMware Tools installation to all VMs that get added to the policy.

A

a. Include all portgroups and logical switches that are not members of an existing SpoofGuard policy.