
Free VMware 2V0-41.24 Exam Dumps Questions

VMware 2V0-41.24: VMware NSX 4.X Professional V2

Question 1

A company is deploying NSX micro-segmentation in their vSphere environment to secure a simple application composed of web, app, and database tiers.
The naming convention will be:
• WKS-WEB-SRV-XXX
• WKY-APP-SRR-XXX
• WKI-DB-SRR-XXX
What is the optimal way to group them to enforce security policies from NSX?

Correct Answer: C
The answer is C. Group all by means of tags membership.
Tags are metadata that can be applied to physical servers, virtual machines, logical ports, and logical segments in NSX. Tags can be used for dynamic security group membership, which allows for granular and flexible enforcement of security policies based on various criteria [1].
In the scenario, the company is deploying NSX micro-segmentation to secure a simple application composed of web, app, and database tiers. The naming convention will be:
• WKS-WEB-SRV-XXX
• WKY-APP-SRR-XXX
• WKI-DB-SRR-XXX
The optimal way to group them to enforce security policies from NSX is to use tags membership. For example, the company can create three tags: Web, App, and DB, and assign them to the corresponding VMs based on their names. Then, the company can create three security groups: Web-SG, App-SG, and DB-SG, and use the tags as the membership criteria. Finally, the company can create and apply security policies to the security groups based on the desired rules and actions [2].
Using tags membership has several advantages over the other options:
• It is more scalable and dynamic than using Edge as a firewall between tiers. Edge firewall is a centralized solution that can create bottlenecks and performance issues when handling large amounts of traffic [3].
• It is simpler and more efficient than doing a service insertion to accomplish the task. Service insertion is a feature that allows for integrating third-party services with NSX, such as antivirus or intrusion prevention systems. Service insertion is not necessary for basic micro-segmentation and can introduce additional complexity and overhead.
• It is more flexible and granular than creating an Ethernet-based security policy. An Ethernet-based security policy is a type of policy that uses MAC addresses as the source or destination criteria. It is limited by the scope of layer 2 domains and does not support logical constructs such as segments or groups.
To learn more about tags membership and how to use it for micro-segmentation in NSX, you can refer to the following resources:
• [1] VMware NSX Documentation: Security Tag
• [2] VMware NSX Micro-segmentation Day 1: Chapter 4 - Security Policy Design
• VMware NSX 4.x Professional: Security Groups
• VMware NSX 4.x Professional: Security Policies

Question 2

An architect receives a request to apply distributed firewall in a customer environment without making changes to the network and vSphere environment. The architect decides to use Distributed Firewall on VDS.
Which two of the following requirements must be met in the environment? (Choose two.)

Correct Answer: BD
Distributed Firewall on VDS is a feature of NSX-T Data Center that allows users to install Distributed Security for vSphere Distributed Switch (VDS) without the need to deploy an NSX Virtual Distributed Switch (N-VDS). This feature provides NSX security capabilities such as Distributed Firewall (DFW), Distributed IDS/IPS, Identity Firewall, L7 App ID, FQDN Filtering, NSX Intelligence, and NSX Malware Prevention. To enable this feature, the following requirements must be met in the environment:
• The NSX version must be 3.2 or later [1]. This is the minimum version that supports Distributed Security for VDS.
• The VDS version must be 6.6.0 or later [1]. This is the minimum version that supports the NSX host preparation operation that activates the DFW with the default rule set to allow.
References:
• Overview of NSX IDS/IPS and NSX Malware Prevention

Question 3

Which three DHCP Services are supported by NSX? (Choose three.)

Correct Answer: ABC
Gateway DHCP: NSX supports DHCP services configured on the gateway, allowing it to provide IP addresses to clients within the network.
Segment DHCP: NSX can provide DHCP services at the segment level, where DHCP is configured directly on a network segment to assign IP addresses to connected clients.
DHCP Relay: NSX supports DHCP Relay, which allows forwarding of DHCP requests to an external DHCP server for IP address assignment.

Question 4

When a stateful service is enabled for the first time on a Tier-0 Gateway, what happens on the NSX Edge node?

Correct Answer: B
When a stateful service (such as NAT or firewall) is enabled for the first time on a Tier-0 Gateway, the Service Router (SR) is instantiated on the NSX Edge node and automatically connected with the Distributed Router (DR). This connection enables the Tier-0 Gateway to handle stateful services by routing traffic through the SR, which manages stateful packet processing, while the DR provides distributed routing functionality.

Question 5

An NSX administrator has deployed a single NSX Manager node and will be adding two additional nodes to form a 3-node NSX Management Cluster for a production environment. The administrator will deploy these two additional nodes and Cluster VIP using the NSX UI.
What are the two prerequisites for this configuration? (Choose two.)

Correct Answer: BD
For a 3-node NSX Manager cluster, all nodes must be within the same subnet to ensure proper communication and functionality between them.
A compute manager must be configured before adding nodes to the cluster, as it provides the necessary integration between the NSX Manager and the underlying virtualization infrastructure (such as vSphere or vCenter).

Question 6

Which two statements are true for IPSec VPN? (Choose two.)

Correct Answer: AC
IPSec VPN services can be configured at Tier-0 and Tier-1 gateways: In NSX, IPSec VPN services can be applied to both Tier-0 and Tier-1 gateways, allowing secure site-to-site connections from these gateway levels.
IPSec VPNs use the DPDK accelerated performance library: NSX leverages the Data Plane Development Kit (DPDK) for optimized performance, which accelerates packet processing for IPSec VPNs and improves throughput.
