
QUESTION 1:

Management has approved an expansion of the virtual infrastructure. You have been tasked to
prepare Cross vCenter configuration with the second vCenter Server. Another administrator has
provided a pre-configured vDS configuration file located on the Control Center Server. All
identifiers must be maintained.

Requirements:
vCenterB server: vcsa-01b.corp.local
Credentials: administrator@vsphere.local / VMware1!
vCenterB VAMI Credentials: root / VMware1!
Cluster: Compute Cluster 1B
ESXi Hosts: esx-01b.corp.local, esx-02.corp.local
Platform Services Controller: psc-01a.corp.local (192.168.110.9)
NSX Manager: nsxmgr-01b.corp.local (192.168.210.15)
Credentials: admin / VMware1!
Time Zone: US/Pacific

- Configure nsxmgr-01b.corp.local for vCenterB and psc-01a.corp.local.
- Ensure nsxmgr-01b.corp.local uses the same NTP server as psc-01a.corp.local with a
  US/Pacific time zone.
- Import the new vDS configuration vds-site-b-Compute-New.zip.
  - All identifiers must be maintained.
- Assign the remaining two unused vmnics on the ESXi hosts to the newly imported vDS.

NOTE:
Do not migrate VMkernels from the standard switches on the hosts.
QUESTION 2:

In the previous scenario, vCenter vcsa-01b.corp.local was configured for NSX. Now the hosts must
be prepared for NSX and the initial VXLAN configuration should be completed.

Requirements:
vCenter: vcsa-01b.corp.local
Credentials: administrator@vsphere.local / VMware1!
Cluster: Compute Cluster 1B
ESXi Hosts: esx-01b.corp.local, esx-02b.corp.local

VTEP Information:
VMKNic Teaming Policy: Fail Over
VLAN: 0
MTU: 1600
IP Pool for VTEP:
Name: Compute_1B_VTEP_Pool-New
Gateway: 192.168.230.1
Prefix Length: 24
Static IP Pool: 192.168.230.51 – 192.168.230.60
Segment ID Pool: 6001-7000
VXLAN Span: Compute Cluster 1B
Transport Zone: Local-Transport-Zone-B-New

Hosts must be prepared for NSX.
Use the provided information to complete the initial VXLAN configuration.
The underlying physical network does not support multicast.
Ensure that the requirements are met:
- Create the IP Pool as given.
- Do the host preparation.
- Create a Local Transport Zone as given.
- Create the Segment ID pool as given.
QUESTION 3:

You have been tasked with creating a new Layer 2 network topology for test and development
systems which mirrors the existing production environment.

Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Transport Zone: Local-Transport-Zone-A

New Dev Segments:
- Dev-Web-Tier-01-NEW
- Dev-App-Tier-01-NEW
- Dev-DB-Tier-01-NEW

- Create the Layer 2 network topology for the test and development systems.

NOTE:
The routing components will be addressed in subsequent scenarios.

QUESTION 4:

Management requires you to build a new logical topology for a new application that will include
a hardware search appliance (HAS). The new application must contain a web tier and database
tier on separate IP domains. Use the existing App01-DLR to complete the task.

Requirements:
vCenter: vcsa-01.corp.local
Credentials: administrator@vsphere.local / VMware1!
vDS: vds-mgt-edge-a
Existing DLR Name: App01-DLR
New object prefix: App01
New object suffix: NEW

- Create a new distributed port group for this task named vds-HSA-NEW.
- The HAS must reside on the same IP subnet as the database.
- The new application must contain a web tier and database tier on separate domains to be
  used at a future date.
- Once deployed, the HAS will be connected to a network with VLAN ID 500.
  - The proper physical switch ports for the uplinks have already been trunked to include
    VLAN 500.
  - VLANs configured in the compute racks are isolated to a single rack.
- Any objects/items created must be named with a prefix of App01 and a suffix containing
  their function with NEW (for example: App01-Function-NEW).

NOTE:
The hardware appliance and application virtual machines have not been deployed. Attempts to
connect to the appliance will not succeed.
QUESTION 5:

Configure the Layer 3 connectivity between the newly created Dev segments by assigning them
to a new DLR named Dev-DLR-NEW.

Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!

Default GW for Dev subnets:
- Dev-Web-Tier-01-NEW: 172.16.10.1/24
- Dev-App-Tier-01-NEW: 172.16.20.1/24
- Dev-DB-Tier-01-NEW: 172.16.30.1/24

DLR Settings:
DLR Name: Dev-DLR-NEW
Uplink IP Address: 192.168.6.5/30
Interface: Dev-Transit
Password: VMware1!VMware1!
Cluster: Management & Edge Cluster

- Ensure east-west routing has been optimized.
- The control plane failover should begin after 15 seconds, using logical switch HA-VXLAN.
- Ensure secure shell is available.
- Connect the Web, App and DB virtual machines to their respective Dev tiers:
  - Dev-web-01, Dev-web-02a, Dev-web-04a
  - Dev-app-01a
  - Dev-db-01a

QUESTION 6:

Complete the configuration of Dev-Edge to allow north-south routing connectivity for the new
Dev segment. Workloads will have overlapping IP addressing with production workloads. The
developers will RDP into a jump host server (Dev-Jumphost) on the Dev-Web segment. An RDP
shortcut named To Dev-JumpHost.rdp has been created on the ControlCenter Desktop.

The following has been preconfigured on Dev-Edge:

- The uplink interface on Dev-Edge has been pre-configured to communicate with the
  upstream gateways and is attached to Dev-to-PGs-Transit.
- Dev-DLR-NEW and Dev-Edge interfaces have been preconfigured to communicate with
  each other.
- ECMP has been disabled.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Dev-Jumphost information:
Credentials: administrator / VMware1!
Internal IP of Dev-Jumphost: 172.16.10.100
External IP of Dev-Jumphost: 192.168.5.100

Connection Information:
Dev-Edge Uplink IP: 192.168.5.3/24
Dev-Edge Internal IP: 192.168.6.6/30
Perimeter-Gateway-01 Internal IP: 192.168.5.1/24
Perimeter-Gateway-02 Internal IP: 192.168.5.2/24
Logical switch: Dev-to-PGs-Transit
ECMP: Enabled
BGP AS: 65001

Credentials for all Edge devices: admin / VMware1!VMware1!

- The networking team requires BGP as the routing protocol, with an AS of 65001, for
  northbound access from the Dev environment.
- Use the fewest number of static routes and utilize network prefixes to ensure accessibility
  to Dev-Web-Tier-01-NEW within the Dev environment.
- Ensure Dev-Jumphost is on Dev-Web-Tier-01-NEW.
- Ensure the ability to RDP into the Dev-Jumphost server from the production network
  (ControlCenter).

QUESTION 7:

Enable load balancing for the development environment, allowing HTTPS access to the
Dev-Web-01a and Dev-Web-02a servers.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local

Self-signed certificate parameters:
Common Name: 192.168.5.100
Organization Name: ABC Medical
Organization Unit: IT
Locality: Palo Alto
State: CA
Country: United States
Message Algorithm: RSA
Key Size: 2048
Number of Days: 365
Web Servers: Dev-Web-01a, Dev-Web-02a

- Use the secondary IP address of 192.168.5.100.
- New connections should consider current connections among all available members of
  the pool.
- The web servers will not have SSL certificates installed. The web team has indicated that
  analytics based on source IP should be available.

Ensure all requirements have been met.

QUESTION 8:
Configure a solution that extends an IP subnet between two data centers. The solution must
ensure secure communication between the two data centers. A standalone Edge appliance has
already been deployed and preconfigured in Site-B on the Compute Cluster.

Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!

HQ Site Information:
Edge: Perimeter-Gateway-01
Logical Segment: Extend-LS-01
Connected to: vds-mgt-a_Trunk_Network
VPN Server settings: 192.168.100.3
Use the system generated certificate.
Preconfigured Standalone Edge Appliance: NSX l2vpn
Edge: 192.168.200.5

L2VPN Server Information:
Name: Peer-Site-NEW
Trunk ID: 10
User ID: peeruser1
Password: VMware1!
Encryption: AES256-SHA

The solution must ensure secure communication between the data centers.

NOTE:
- No virtual machines are attached to the logical switch Application-Tier-01, so there is no
  need to test communication across the tunnel.
- Ensure that the L2VPN server statistics show a Tunnel status of UP.

QUESTION 9:

Provide automatic IP assignment for the servers on the Dev-DB-Tier-01-NEW segment.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Edge: Dev-Edge

- Automatically allocate IP addresses in the 172.16.30.100-149 range.
  - Lease time: 1 hour
  - Ensure hosts that receive an IP assignment will be able to reach the other Dev
    subnets.
- The legacyhost-NEW with the MAC address 40:00:00:00:00:01 must always be assigned
  172.16.30.99.
  - Ensure other parameters match those of the dynamic allocation mechanism (Task 1).
- Enable logging with the highest level of detail for automatic IP allocations.

Ensure all requirements have been met.

NOTE:
Do not configure DHCP Relay agent on the Dev-DLR-NEW as this will be done by another
administrator.

QUESTION 10:

In the Dev environment, you have the application and database servers on separate networks
created previously. Configure inbound-only network security to allow only Dev application
servers access to Dev database servers using the MySQL service port.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Service Port: MYSQL
Networks: Dev-App-Tier-01-NEW and Dev-DB-Tier-01-NEW

Credentials for Dev VMs: root / VMware1!

- This rule should be in its own "DB security-NEW" section.
- Ensure inbound-only network security allows Dev application servers access to Dev
  database servers.
- This rule should not be propagated to all NSX prepared clusters.
- This rule should be created in a way that any new virtual machines on the App and DB
  segments will be secured.
- This rule should be created with the fewest rule(s) possible.
- All other servers should be denied.

Ensure inbound security requirements are met.

QUESTION 11:

Create a security policy for specific web-based applications.

Requirements:

vCenter: vcsa-01a.corp.local
NSX Manager: 192.168.110.15
Credentials: administrator@vsphere.local / VMware1!
New Security Policy Name: Web-Policy-NEW
New Web Security Group Name: Secure-Web-NEW
New NSX Tag: web-security-NEW
New App Security Group Name: Secure-App-NEW

- Create a new security policy to deny HTTP/HTTPS from the App server to the Web server.
- Create a new Security Group for the Web servers to meet the following requirements:
  - Existing and future virtual machines that have dev-web in their name should be added.
  - Any VM with an NSX tag of web-security-NEW should be added to this policy.
  - Ensure virtual machine dev-web-04a has been tagged.
- Create a new security group for the App server that has virtual machine dev-app-01a
  added.

QUESTION 12:

Create a backup of only the vDS portgroup the NSX controllers utilize, along with the NSX
Firewall configuration. Also, the security team has identified a missing security policy that needs
to be added.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!

Components to back up:
- vDS portgroup that the controllers utilize.
- NSX Firewall configuration.
- Backup file names: vdsPortGroup-backup-NEW.zip, nsxfw-backup-NEW.xml
- Backup file location: Desktop of the ControlCenter.

Security Policy:
File to import: sec-policy-blueprint, located on the desktop of the ControlCenter.

- Back up only the vDS portgroup that the NSX Controllers utilize.
- Back up the NSX Firewall configuration.
- Import the sec-policy.blueprint file.

Ensure requirements are met.

QUESTION 13:

Two administrators (John and Chris) share admin responsibilities for an NSX deployment that is
leveraging the Centralized CLI as part of their management. Security requirements prohibit use of
shared admin accounts in Site A.

Requirements:

NSX Manager: nsxmgr-01a.corp.local
New administrator accounts: "John" and "Chris"
Default password: VMware1!

- Create accounts for John and Chris.
- Use one of the newly created accounts to display all clusters enabled for the distributed
  firewall.
- Use PuTTY's "Copy All to Clipboard" feature to paste the command and output to a text
  file dfw-NEW.txt on the ControlCenter desktop.

NOTE:
A screenshot is shown on how to use PuTTY's "Copy All to Clipboard" feature.

QUESTION 14:

You have been tasked with enabling syslog on the NSX Manager (nsxmgr-01a.corp.local) and all
NSX Controllers.

Requirements:

vCenter: vcsa-01a.corp.local
NSX Manager A: nsxmgr-01a.corp.local
Password: VMware1!

Syslog Information:
Server: 192.168.110.24
Port: 514
Protocol: UDP

Header Information:
Authentication: Basic
Content-Type: application/xml

- Enable syslog for NSX Manager.
- Enable syslog for NSX Controllers.
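The header information above (Basic authentication, Content-Type application/xml) is what the NSX Manager REST API expects. The following Python is an added example, not part of the exam page or of any VMware tool: it builds the PUT request that sets the manager's syslog server from the values given in this question and returns it without sending it, so the body and headers can be inspected. The endpoint path /api/1.0/appliance-management/system/syslogserver and the element names inside the XML body are assumptions from the NSX-v appliance-management API as remembered by the author of this example; confirm them against the API guide for the NSX version in use. The credentials are placeholders.

```python
"""Added example (not from the exam page): build, but do not send, the NSX-v
Manager syslog-server PUT request for the values in QUESTION 14."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Values taken from the question.
NSX_MANAGER = "nsxmgr-01a.corp.local"
SYSLOG_SERVER = "192.168.110.24"
SYSLOG_PORT = 514
SYSLOG_PROTOCOL = "UDP"

# Placeholder credentials; substitute the lab's own admin account.
USERNAME = "admin"
PASSWORD = "REPLACE_WITH_NSX_ADMIN_PASSWORD"

# ASSUMED endpoint (NSX-v appliance-management API); verify for your version.
SYSLOG_PATH = "/api/1.0/appliance-management/system/syslogserver"


def syslog_body(server, port, protocol):
    """Serialise the <syslogserver> XML document the endpoint expects,
    validating the two fields that are easy to get wrong."""
    if protocol not in ("UDP", "TCP"):
        raise ValueError("protocol must be UDP or TCP")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    root = ET.Element("syslogserver")
    ET.SubElement(root, "syslogServer").text = server
    ET.SubElement(root, "port").text = str(port)
    ET.SubElement(root, "protocol").text = protocol
    return ET.tostring(root, encoding="unicode")


def basic_auth_header(user, password):
    """Value of the Authorization header for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def build_syslog_request(manager, user, password, server, port, protocol):
    """Return a urllib Request (PUT, Basic auth, application/xml) ready to be
    passed to urllib.request.urlopen; nothing is transmitted here."""
    url = f"https://{manager}{SYSLOG_PATH}"
    body = syslog_body(server, port, protocol).encode()
    req = urllib.request.Request(url, data=body, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/xml")
    return req


def parse_syslog_body(xml_text):
    """Read back (server, port, protocol) from a <syslogserver> document,
    e.g. the response of the matching GET on the same endpoint."""
    root = ET.fromstring(xml_text)
    return (root.findtext("syslogServer"),
            int(root.findtext("port")),
            root.findtext("protocol"))


if __name__ == "__main__":
    req = build_syslog_request(NSX_MANAGER, USERNAME, PASSWORD,
                               SYSLOG_SERVER, SYSLOG_PORT, SYSLOG_PROTOCOL)
    print(req.get_method(), req.full_url)
    print(req.header_items())
    print(req.data.decode())
```

Sending the request is a single `urllib.request.urlopen(req)` call over HTTPS; in a lab with a self-signed manager certificate that call will fail certificate validation, which is the correct default and should be handled by trusting the lab CA rather than disabling verification. The controllers in the second bullet are configured per controller through a different endpoint that this example does not cover.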

QUESTION 15:

The security team has submitted two requests to change or limit access in NSX for Site A's
vCenter groups.

Requirements:
NSX Manager: nsxmgr-01a.corp.local
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!

- Grant all members of vCenter group AuditTeam the minimal access necessary to view
  NSX Data Security policy configurations for all objects in Site A.
- Grant all members of vCenter group ScanTeam the minimal access necessary to enable
  them to start and stop data security scans in Site A.
- Ensure that the principle of least privilege is adhered to.

NOTE:
The Active Directory groups associated with the vCenter groups have already been preconfigured.

QUESTION 16:

The security team has requested that administrator@corp.local have the ability to fully
manage NSX Manager (192.168.210.15) for Site B.

Requirements:

vCenter: vcsa-01b.corp.local
Credentials: administrator@vsphere.local / VMware1!

Ensure administrator@corp.local has the ability to fully manage NSX Manager in Site B.

NOTE:
You may have to log out of the web client and back in for 192.168.210.15 to show in web client.

QUESTION 17:

Enable and configure cross vCenter support for an NSX implementation that contains two
vCenter Servers: vcsa-01a.corp.local and vcsa-01b.corp.local.

Requirements:

vCenter: vcsa-01a.corp.local and vcsa-01b.corp.local
Credentials: administrator@vsphere.local / VMware1!
NSX Manager Credentials: admin / VMware1!

- The NSX Manager registered to vcsa-01a.corp.local should be responsible for all
  universal NSX objects.
- A segment ID range of 16789-17563 is available for use with this exercise.

NOTE:
Allow time for synchronization to complete.

QUESTION 18:

Build a multi-tier network capable of supporting application virtual machines deployed across
multiple vCenter instances.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!

Resource Pools: Management and Edge Cluster 1A

- The underlying physical network does not support multicast.
- All new items created must have a prefix of "U" followed by their function name and a
  suffix of "NEW", e.g. U-App-Tier-NEW.
- Create a LS for the HA management interface called U-HA-VXLAN-NEW, but do not enable
  HA on any of the edge devices deployed.
- Deploy logical switches using separate subnets for the three-tier application shared by
  both NSX Manager instances.
- Deploy the required east-west routing component used across multiple vCenter instances
  for the multi-tier network.
- Utilize a default gateway up to Perimeter-Gateway02 (tenant router) from the
  east/west router.
- Utilize a static route from the tenant router to reach the three tiers of the application.
- Subnets for the tiers:
  - 172.7.10.0/24 for the Web Tier.
  - 172.17.20.1/24 for the App Tier.
  - 172.17.30.0/24 for the Database Tier.
- Use the first available IP address for the router on each of the tiers.
- Subnet for the Transit VXLAN uplink from the application tier routing to the tenant
  router:
  - 192.168.190.0/29
  - Uplink IP address of the application tier should be the first available IP address.
  - Downlink from the tenant router will use the second available IP address.
- The password for new edge device(s) must be VMware1!VMware1!
- Add all virtual machines with a prefix "universal-" to their respective segments.
- Ensure all LIFs are reachable from ControlCenter.

QUESTION 19:

Provide cross vCenter security functionality for the Universal Web Multi-Tiered network
application.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
New Section Name: Universal-Rules-New

Networks:
Web-Tier: 172.17.10.0/24
App-Tier: 172.17.20.0/24
DB-Tier: 172.17.30.0/24

Secure east/west network communication for each of the three tiers, allowing only the following:

- Firewall rule section name: Universal-Rules-NEW
- Web Tier: any source address incoming on TCP ports 80 and 443
- Application Tier: access from the web tier on incoming TCP port 8443
- Database Tier: access from the application tier on incoming TCP port 3306
- Traffic that does not meet the above requirements should be blocked.

NOTE:
This rule must only affect the universal tiers.
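The tiered allow-list in this question (and the single App-to-DB MySQL rule of QUESTION 10) is easiest to reason about as an ordered rule set with a final default block, which is how the distributed firewall evaluates a section. The Python below is an added example, not part of the exam page and not VMware code: it models the four Universal-Rules-NEW rules over the subnets given above, evaluates constructed sample flows against them with first-match semantics, and reports any flow whose verdict differs from the intent stated in the requirements. Rule names and the sample flows are constructed for the example; the subnets and ports are the ones on the page.

```python
"""Added example (not from the exam page): model the Universal-Rules-NEW
tiered policy as an ordered allow-list with default block and check
constructed sample flows against it."""
import ipaddress
from dataclasses import dataclass

# Tier subnets as stated in QUESTION 19.
WEB_TIER = ipaddress.ip_network("172.17.10.0/24")
APP_TIER = ipaddress.ip_network("172.17.20.0/24")
DB_TIER = ipaddress.ip_network("172.17.30.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset          # destination TCP ports; empty set means any port
    action: str               # "allow" or "block"

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (not self.ports or dport in self.ports))


# Section "Universal-Rules-NEW": first match wins, so the block rule is last.
# Rule names are constructed for this example.
UNIVERSAL_RULES = [
    Rule("Web-In", ANY, WEB_TIER, frozenset({80, 443}), "allow"),
    Rule("App-In", WEB_TIER, APP_TIER, frozenset({8443}), "allow"),
    Rule("DB-In", APP_TIER, DB_TIER, frozenset({3306}), "allow"),
    Rule("Default-Block", ANY, ANY, frozenset(), "block"),
]


def evaluate(rules, src, dst, dport):
    """Return (action, rule_name) of the first rule matching the new flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    raise RuntimeError("no rule matched; a section must end with a default rule")


def audit(rules, flows):
    """Evaluate (src, dst, dport, expected) tuples and return those whose
    verdict differs from the expected one; an empty list means the rule set
    matches the stated intent for every sample."""
    mismatches = []
    for src, dst, dport, expected in flows:
        action, _ = evaluate(rules, src, dst, dport)
        if action != expected:
            mismatches.append((src, dst, dport, expected, action))
    return mismatches


# Constructed sample flows with the verdict the requirements imply.
SAMPLE_FLOWS = [
    ("10.0.0.5", "172.17.10.10", 443, "allow"),        # outside -> web HTTPS
    ("10.0.0.5", "172.17.20.10", 8443, "block"),       # outside -> app, bypassing web
    ("172.17.10.10", "172.17.20.10", 8443, "allow"),   # web -> app
    ("172.17.10.10", "172.17.30.10", 3306, "block"),   # web -> db directly
    ("172.17.20.10", "172.17.30.10", 3306, "allow"),   # app -> db MySQL
    ("172.17.20.10", "172.17.30.10", 22, "block"),     # app -> db SSH
    ("172.17.30.10", "172.17.20.10", 8443, "block"),   # db -> app (no reverse access)
]

if __name__ == "__main__":
    for src, dst, dport, _ in SAMPLE_FLOWS:
        print(src, "->", dst, dport, evaluate(UNIVERSAL_RULES, src, dst, dport))
    print("mismatches:", audit(UNIVERSAL_RULES, SAMPLE_FLOWS))
```

The model evaluates only the initiating packet of a flow; a stateful distributed firewall admits the return traffic of an allowed flow automatically, which is why no reverse rules are needed and why the db-to-app sample is correctly blocked. Swapping the order of the block rule and an allow rule in UNIVERSAL_RULES makes the audit report mismatches, which is the quickest way to see why rule order matters inside a section.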

QUESTION 20:

An NSX administrator has been troubleshooting a communication issue between Edge device
TS-Comm-Edge-01 and the TS-Comm-DLR-01 logical router with no success and has reached
out to you for further assistance. The following troubleshooting has already been performed:

- Temporarily disabled the firewall between both devices.
- Unsuccessful ping from TS-Comm-Edge-01 to TS-Comm-DLR-01.
- Unsuccessful ping from TS-Comm-DLR-01 to TS-Comm-Edge-01.

Determine and resolve the communication issue between the two devices.

Requirements:

vCenter: vcsa01a.corp.local
Credentials: administrator@vsphere.local / VMware1!

Troubleshooting Information:
Edge: TS-Comm-Edge-01 (192.168.33.1)
DLR: TS-Comm-DLR-01 (192.168.33.8)
Transit Network: TS-Comm-Transit
IP Subnet: 192.168.33.0/29

Ensure communication between both devices is successful.

NOTE:
IP addresses must remain unchanged.

QUESTION 21:

The troubleshooting NSX deployment is growing and running out of compute capacity. An
additional ESXi host is being added for VXLAN.
Host preparation has failed on esx-05a.corp.local on several attempts, and Compute Cluster
2A was left in an error state. Determine and resolve the issue.

Requirements:

vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Cluster: Compute Cluster 2A
IP Pool: Compute-2A
Transport Zone: Local-Transport-Zone-A

esx-05a.corp.local IP information:
IP: 192.168.110.58
Netmask: 255.255.255.0
Gateway: 192.168.110.1
DNS: 192.168.110.10

- Resolve the deployment issue.
- Prepare esx-05a.corp.local for NSX in Compute Cluster 2A.
- Ensure that once the issue with Compute Cluster 2A is resolved, the cluster is
  connected to Local-Transport-Zone-A.

QUESTION 22:

Routing through TS-Edge-01 is not working. The service provider (SP) has confirmed their
configuration is correct.

Requirements:

vCenter: vcsa01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Edge: TS-Edge-01
Credentials: admin / VMware1!VMware1!
Problem Edge: TS-Edge-01
Local IP Address: 192.168.100.202

SP provided configuration:

Area ID: 10
Type: Normal
Authentication: None

- Ensure the OSPF session is established.
- Ensure all learned OSPF routes appear.
- Copy the OSPF routing table information and output to a file on the ControlCenter Desktop
  named TS-Edge-01 OSPF.txt.

NOTE:
Do not use a static route or configure a Default Gateway on any Edge.

QUESTION 23:

You have been tasked with modifying an existing NSX API call to capture flow information for
an organization. The existing API call is located on the ControlCenter desktop in a file named
flowapi.txt.
The API call should be modified to collect Layer 3 flow statistics between the dev-web-01a and
the ControlCenter virtual machines.

Requirements:

vCenter: vcsa01a.corp.local
Credentials: administrator@vsphere.local / VMware1!

File location: flowapi.txt on the desktop of ControlCenter.

- Modify and save the existing API call to capture the requested information.
- A REST client has been added to Chrome and Firefox for this exercise.
- Output the Response Body to a text file called apiresults.txt on the desktop of ControlCenter.
