50 VMware Certified Professional - Network Virtualization Practice Questions: Question Bank 2025

An administrator needs to explain why NSX-T is considered a "decoupled" networking solution compared to traditional physical networks. Which statement best describes this concept?

A workload must be isolated at Layer 2 from other workloads while still allowing connectivity through a Tier-1 gateway. Which NSX-T construct should the administrator create to provide Layer 2 connectivity for that isolated segment?

A security team requests that firewall rules be applied closest to the workload NIC and follow the workload if it moves to another host. Which NSX-T feature should be used to meet this requirement?

An administrator wants a quick way to validate that NSX-T overlay tunnels between Transport Nodes are operational without relying on guest OS tools. Which NSX-T capability is most appropriate?

A company wants to route traffic between multiple overlay segments in the same site while minimizing the number of centralized forwarding hops. Which design best aligns with NSX-T best practices?

A team is implementing micro-segmentation and wants policy to reference application groups dynamically based on VM attributes rather than static IP addresses. Which approach is most appropriate in NSX-T?

After adding a new ESXi Transport Node, VMs attached to overlay segments on that host cannot communicate with VMs on other hosts. Underlay IP connectivity is verified. Which configuration issue is the most likely cause?

A design requires connecting an NSX-T Tier-0 gateway to two upstream routers for redundancy and dynamic route exchange. Which statement best describes the recommended routing approach?

A customer must enforce security policy for traffic entering and leaving the environment (north-south) and also for traffic between VMs on the same segment (east-west). They want a single logical policy intent but correct enforcement points. Which combination best meets the requirement?

A virtual machine on an overlay segment cannot reach an external physical network. East-west communication within the overlay works. The Tier-1 is connected to a Tier-0, and the Tier-0 has uplinks to the physical network. Which troubleshooting step is MOST likely to identify a routing advertisement or next-hop issue between NSX-T and the physical network?

An administrator needs to provide L2 connectivity for VMs across multiple ESXi hosts with minimal manual VLAN configuration on physical switches. Which NSX-T feature best meets this requirement?

A security team wants to block east-west traffic between two application tiers on the same NSX Segment, while still allowing both tiers to reach a shared database segment. Which approach is the most appropriate?

An administrator is asked to ensure that a given Segment provides IP address assignment to VMs without using an external DHCP server. Which service should be configured in NSX-T?

A new NSX deployment requires north-south connectivity where the physical network uses BGP. The design must support equal-cost multipath (ECMP) to multiple NSX Edge nodes. Which Tier-0 configuration is most appropriate?

After configuring a new Overlay Segment, VMs on different hosts cannot communicate. The transport nodes show as healthy in NSX Manager, but no overlay traffic passes. Which underlay requirement is MOST likely missing?

A company wants to automatically classify VMs into security groups based on VM tags from vCenter, and then apply micro-segmentation rules to those groups. Which NSX-T object best enables this design?

An administrator needs to publish only a subset of learned routes from Tier-1 to Tier-0 and avoid advertising certain internal segments northbound. Which configuration is most appropriate?

A troubleshooting team observes that traffic from a VM to an external IP is allowed by the distributed firewall, but still fails to reach the destination. They suspect a Tier-0 service issue. Which NSX-T tool/action is most appropriate to validate the route and next-hop selection on the Edge?

A customer requires centralized stateful inspection for north-south traffic, while still using distributed firewall for east-west micro-segmentation. Which design satisfies this requirement with clear separation of responsibilities?

During an incident, multiple ESXi transport nodes show 'UP' status, but an administrator finds inconsistent firewall behavior across hosts (some enforce the latest policy, others do not). Which root cause is MOST likely, and what is the best next step?

An administrator is designing an NSX environment and wants a clear separation between the management plane (policy/configuration) and the data plane (forwarding). Which NSX component primarily provides the centralized management and policy API for administrators and automation tools?

A team needs to allow application owners to consume networking (segments, distributed firewall rules) without giving them permissions to modify the underlying transport configuration (TEPs, uplinks, N-VDS/VDS mappings). What is the recommended approach?

A virtual machine is attached to an NSX segment and cannot reach another VM on the same segment. The administrator suspects local switching is not occurring on the host. Which component is responsible for providing distributed switching for NSX segments on transport nodes?

An organization wants east-west microsegmentation rules that automatically follow workloads even if the VMs are moved to another cluster. Which object type is best to use as the source/destination in distributed firewall rules to meet this requirement?

A tenant requires outbound internet access from a private segment, but the upstream network will only route a single public /32 to the tenant. Which NSX feature should be configured to satisfy this requirement?

After enabling distributed firewall rules to block traffic between two application tiers, the application still communicates successfully. The administrator confirms the VMs are on the same segment. Which configuration issue most likely explains why the DFW rules are not taking effect?

A team is building an NSX logical routing design. They want to provide north-south routing to the physical network while allowing multiple Tier-1 gateways to share the same upstream BGP peering. Which component should establish the BGP peering to the physical routers in a typical design?

An administrator needs to troubleshoot intermittent packet drops for traffic between two VMs on different segments connected to the same Tier-1 gateway. They want to see the exact path, hop-by-hop (including where firewall rules are evaluated), for a specific flow. Which NSX tool is best suited for this task?

A customer uses an external physical load balancer for production traffic but wants to use NSX to provide L7 load balancing for a small internal dev environment. They also want to minimize the blast radius so that dev changes do not affect production routing. Which design best meets these requirements?

In an NSX environment, east-west traffic between two VMs on different segments is unexpectedly hairpinning through an Edge node, increasing latency. The design intent is distributed routing on the hosts. Which condition most commonly causes east-west traffic to be forwarded via an Edge node instead of using distributed routing?

An administrator wants to centralize NSX-T authentication and apply role-based access using existing enterprise identities. Which NSX-T feature should be configured?

A team needs east-west micro-segmentation for VMs in the same subnet and wants rules to follow workloads during vMotion. Which object type is best to use as the primary grouping criterion in Distributed Firewall policies?

A new overlay segment has been created, but no VMs can attach because the segment is not visible to any ESXi hosts. Which configuration is required for hosts to realize the segment?

An administrator wants to confirm whether a specific Distributed Firewall rule is being hit by traffic between two VMs. Which built-in NSX-T capability provides per-rule hit information?

A company requires that only approved services are reachable from the internet. All other inbound connections must be blocked before reaching internal workloads. Where should the security policy primarily be enforced in NSX-T for this requirement?

A workload on an overlay segment can reach other VMs on the same segment but cannot reach a routed network via the Tier-1 Gateway. The Tier-1 shows the segment connected and interfaces up. Which item should be checked first to validate that routing is possible?

An organization wants to apply consistent networking and security settings to multiple NSX Edge nodes and ensure configuration drift is minimized. Which NSX-T construct best supports this goal?

A security team needs to detect and block brute-force attempts against an internal SSH service. They want the system to automatically identify offending sources and temporarily block them without manual rule creation. Which NSX-T feature best matches this requirement?

After deploying an NSX Edge cluster for north-south routing, BGP sessions to two upstream routers intermittently drop. The physical network team confirms no interface flaps. Which NSX-T configuration is most appropriate to improve fast failure detection for the BGP peers?

A customer uses Federation with an active/active design. They create a security policy in the Global Manager but it is not enforced in one location. Local administrators report they made local changes to the same policy area. What is the most likely cause?

An administrator is preparing an NSX deployment and needs the ESXi hosts to participate in the overlay. Which NSX component is responsible for creating overlay tunnels and encapsulating/decapsulating traffic on the hosts?

A security engineer wants to segment east-west traffic so that only a specific application set can communicate, regardless of IP addressing, and wants the rules to follow VMs as they move. Which object is the BEST match criterion to use in Distributed Firewall rules?

A team needs to verify if an NSX Edge node is properly peering with a physical router using BGP on a Tier-0 gateway. Where should they check BGP neighbor state and routes in the NSX UI?

A customer requires active/active north-south traffic forwarding and wants ECMP to upstream routers. Which design best meets this requirement in NSX?

After creating a new segment, VMs on that segment cannot reach VMs on another segment through the Tier-1 gateway. Both segments are connected to the same Tier-1. The admin suspects the issue is in the data plane. What is the most appropriate first step to validate overlay health for the affected hosts?

A company wants centralized, stateful firewall inspection for north-south traffic entering from the internet to multiple internal segments. Which NSX capability should be used?

An administrator enabled NAT for a workload behind a Tier-1 gateway, but inbound connections still fail. The NAT rule looks correct. What additional configuration is MOST likely required for inbound access from external networks?

A network engineer wants to extend an existing physical VLAN into NSX so that physical servers and overlay workloads share the same L2 domain during a migration. Which NSX feature is designed for this requirement?

A security team needs to apply URL filtering and advanced threat prevention to north-south web traffic, and they want policy to be consistently enforced through NSX. What is the most appropriate NSX approach?

A production cluster experiences intermittent packet loss only for overlay traffic between two racks. VLAN traffic is unaffected. The physical network team confirms IP reachability between TEP subnets, but MTU consistency is uncertain. Which troubleshooting action is MOST likely to confirm the root cause quickly in NSX?