QUESTION. 1
Management has approved an expansion of the virtual infrastructure. You have been tasked to
prepare Cross vCenter configuration with the second vCenter Server. Another administrator has
provided a pre-configured vDS configuration file located on the Control Center Server. All
identifiers must be maintained.
Requirements:
vCenterB server: vcsa-01b.corp.local
Credentials: administrator@vsphere.local / VMware1!
vCenterB VAMI Credentials: root / VMware1!
Cluster: Computer Cluster 1B
ESXI Hosts: esx-01b.corp.local, esx-02.corp.local
Platform service controller: psc-01a.corp.local (192.168.110.9)
NSX Manager: nsmgr-01b.corp.local (192.168.210.15)
Credentials: admin / VMware1!
Time Zone : US/Pacific
NOTE:
Do not migrate VMkernels from the standard switches on the hosts.
QUESTION. 2
In the previous scenario, vCenter vcsa-b.corp.local was configured for NSX. Now the hosts must
be prepared for NSX and the initial VXLAN configuration should be completed.
Requirements:
vCenter: vcsa-01b.corp.local
Credentials: administrator@vsphere.local / VMware1!
Cluster: Compute Cluster 1B
ESXi Hosts: esx-01b.corp.local, esx-02b.corp.local
VTEP Information:
VMKNic Teaming Policy: Fail Over
VLAN: 0
MTU: 1600
IP Pools for VTEP:
Name: Compute_1B_VTEP_Pool-New
Gateway: 192.168.230.1
Prefix Length: 24
Static IP Pool: 192.168.230.51 – 192.168.230.60
Segment ID Pool: 6001-7000
VXLAN Span: Compute Cluster 1B
Transport Zone: Local-Transport-Zone-B-New
Host must be prepared for NSX
Use provided information to complete the initial VXLAN configuration.
The underlying physical network does not support multicast.
Ensure that requirements are met:
Create the IP Pool as given:
Do the Host preparation.
Create a Local Transport Zone as given.
Create the segment ID as given.
QUESTION. 3
You have been tasked with creating a new Layer 2 network topology for test and development
systems which mirrors the existing production environment.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Transport Zone: Local-Transport-Zone-A
Create Layer 2 network topology for the test and development systems.
NOTE:
The routing components will be addressed in subsequent scenarios.
QUESTION. 4:
Management requires you to build a new logical topology for a new application that will include
a hardware search appliance (HSA). The new application must contain a web tier and database
tier on separate IP domains. Use the existing App01-DLR to complete the task.
Requirements:
vCenter: vcsa-01.corp.local
Credentials: administrator@vsphere.local / VMware1!
vDS: vds-mgt-edge-a
Existing DLR Name: App01-DLR
New object prefix – App01
New object suffix - New
Create a new distributed port group for this task named vds-HSA-NEW.
The HSA must reside on the same IP subnet as the database.
The new application must contain a web tier and database tier on separate domains to be
used at a future date.
Once deployed, the HSA will be connected to a network with VLAN ID 500.
The proper physical switch ports for the uplinks have already been trunked to include
VLAN 500.
VLANs configured in the compute racks are isolated to a single rack.
Any objects/items created must be named with a prefix of App01 and a suffix containing
their function with NEW (for example: App01-Function-NEW)
NOTE:
The hardware appliance and application virtual machines have not been deployed. Attempts to
connect to the appliance will not succeed.
QUESTION. 5:
Configure the Layer 3 connectivity between the newly created Dev-segments by assigning them
to a new DLR named Dev-DLR-NEW.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
DLR Settings:
DLR Name: Dev-DLR-NEW
Uplink IP Address: 192.168.6.5/30
Interface: Dev-Transit
Password: VMware1!WMware1!
Cluster: Management & Edge Cluster
QUESTION. 6:
Complete the configuration of Dev-Edge to allow north-south routing connectivity for the new
Dev-segment. Workloads will have overlapping IP addressing with production workloads. The
developers will RDP into a jump host server (Dev-Jumphost) on the Dev-Web segment. An RDP
shortcut named To Dev-JumpHost.rdp has been created on the ControlCenter Desktop.
The uplink interface on the Dev-Edge has been pre-configured to communicate with the
upstream Gateways and attached to Dev-to-PGs-Transit.
Dev-DLR-NEW and Dev-Edge interfaces have been preconfigured to communicate with
each other.
ECMP has been disabled.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Dev-Jumphost information:
Credentials: administrator / VMware1!
Internal IP of Dev-Jumphost: 172.16.10.100
External IP of Dev-Jumphost: 192.168.5.100
Connection Information:
Dev-Edge-Uplink IP: 192.168.5.3/24
Dev-Edge-Internal IP : 192.168.6.6/30
Preimeter-Gateway-01-Internal IP: 192.168.5.1/24
Preimeter-Gateway-02-Internal IP: 192.168.5.2/24
Logical switch: Dev-to-PGs-Transit
ECMP: Enabled.
BGP AS: 65001
The networking team requires BGP as a routing protocol with an AS of 65001 for North-
bound access for the Dev-environment.
Use the fewest number of static routes and utilize network prefixes to ensure accessibility
to the Dev-Web-Tier-01-NEW within the Dev-environment.
Ensure Dev-Jumphost is on Dev-Web-Tier-01-NEW.
Ensure the ability to RDP into the Dev-Jumphost server from the production network
(ControlCenter).
QUESTION. 7:
Enable load balancing for the development environment allowing HTTPS access to the
Dev-Web-01a and Dev-Web-02a servers.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local
QUESTION. 8:
Configure a solution that extends an IP subnet between two data centers. The solution must
ensure secure communication between two data centers. A standalone Edge Appliance has
already been deployed and preconfigured in Site-B on the Compute Cluster.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
HQ Site Information:
Edge: Preimeter-Gateway-01
Logical Segment: Extend-LS-01
Connected to: vds-mgt-a_Trunk_Network
VPN Server settings: 192.168.100.3
Use the system generated certificate.
Preconfigured Standalone Edge Appliance: NSX l2vpn
Edge: 192.168.200.5
The solution must ensure secure communication between the data centers.
NOTE:
QUESTION. 9:
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Edge: Dev-Edge
Ensure other parameters match those of the dynamic allocation mechanism (Task1).
Enable logging with the highest level of detail for automatic IP allocations.
NOTE:
Do not configure DHCP Relay agent on the Dev-DLR-NEW as this will be done by another
administrator.
QUESTION. 10:
In the Dev environment, you have the application and database servers on separate networks
created previously. Configure inbound only network security to allow only Dev application
servers access to Dev database servers using MYSQL service port.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Service Port: MYSQL
Networks: Dev-App-Tier-01-NEW and Dev-DB-Tier-01-NEW
QUESTION. 11:
Requirements:
vCenter: vcsa-01a.corp.local
NSX Manager: 192.168.110.15
Credentials: administrator@vsphere.local / VMware1!
New Security Policy Name: Web-Policy-NEW
New Web Security Group Name: Secure-Web-NEW
New NSX Tag: web-security-NEW
Create a new security policy to deny HTTP/HTTPS from App server to the Web Server.
Create a new Security Group for the Web servers to meet the following requirements:
Existing and future virtual machines that have in their name dev-web should be added.
Any VM with an NSX tag of web-security-NEW should be added to this policy.
o Ensure virtual machine dev-web-04a has been tagged.
Create a new security group for the App server that has virtual machine dev-app-01a
added.
QUESTION. 12:
Create a backup of only the vDS portgroup the NSX controllers utilize along with the NSX
Firewall configuration. Also, the security team has identified a missing security policy that needs
to be added.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Components to backup:
Security Policy:
File to import: sec-policy-blueprint located on the desktop of the ControlCenter.
Backup only the vDS portgroup that the NSX Controllers utilize.
Backup the NSX Firewall configuration.
Import the sec-policy.blueprint file
QUESTION. 13:
Two administrators (John and Chris) share admin responsibilities for an NSX deployment that is
leveraging Centralized CLI as part of their management. Security requirements prohibit use of
shared admin accounts in Site A.
Requirements:
Use Putty’s “Copy All to Clipboard” feature to paste the command and output to a text
file dfw-NEW.txt on the ControlCenter desktop.
NOTE:
Screenshot is shown on how to use Putty’s Copy all to Clipboard feature.
QUESTION. 14:
You have been tasked with enabling syslog on the NSX Manager (nsmgr-01a.corp.local) and all
NSX Controllers.
Requirements:
vCenter: vcsa-01a.corp.local
NSX Manager A: nsxmgr-01a.corp.local
Password: VMware1!
Syslog Information:
Server: 192.168.110.24
Port: 514
Protocol: UDP
Header Information:
Authentication: Basic
Content-Type: application/xml
QUESTION. 15:
The security team has submitted two requests to change or limit access in NSX for Site A’s
vCenter groups.
Requirements:
NSX Manager: nsxmgr-01a.corp.local
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Grant all members of vCenter group AuditTeam the minimal access necessary to view
NSX Data Security policy configurations for all objects in Site A.
Grant all members of vCenter group ScanTeam the minimal access necessary to enable
them to start and stop data security scans in Site A.
Ensure that the principles of least privilege are adhered to.
NOTE:
The Active Directory groups associated with the vCenter groups have already been preconfigured.
QUESTION. 16:
Requirements:
vCenter: vcsa-01b.corp.local
Credentials: administrator@vsphere.local / VMware1!
NOTE:
You may have to log out of the web client and back in for 192.168.210.15 to show in web client.
QUESTION. 17:
Enable and configure cross vCenter support for an NSX implementation that contains two
vCenter Servers: vcsa-01a.corp.local and vcsa-01b.corp.local
Requirements:
NOTE:
Allow time for synchronization to complete.
QUESTION. 18:
Build a multi-tier network capable of supporting application virtual machines deployed across
multiple vCenter instances.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Use the first available IP address for the router on each of the tiers.
Subnet for the Transit VXLAN uplink from the application tier routing to the tenant
router.
o 192.168.190.0/29
o Uplink IP address of the application tier should be the first available IP address.
o Downlink from the tenant router will use the second available IP addresses.
The password for new edge device(s) must be VMware1!VMware1!
Add all virtual machines with a prefix “universal-“ to their respective segments.
Ensure all LIFs are reachable from ControlCenter.
QUESTION. 19:
Provide cross vCenter security functionality for the Universal Web Multi-Tiered network
application.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
New Section Name: Universal-Rules-New
Networks:
Web-Tier: 172.17.10.0/24
App-Tier: 172.17.20.0/24
DB-Tier: 172.17.30.0/24
Secure east/west network communication for each of the three tiers allowing only.
NOTE:
This rule must only affect the universal tiers.
QUESTION. 20:
An NSX administrator has been troubleshooting a communication issue between Edge device
TS-Comm-Edge-01 and the TS-Comm-DLR-01 logical router with no success and has reached
out to you for further assistance. The following troubleshooting has already been performed.
Determine and resolve the communication issue between the two devices.
Requirements:
vCenter: vcsa01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Troubleshooting Information:
Edge: TS-Comm-Edge-01 (192.168.33.1)
DLR: TS-Comm-DLR-01 (192.168.33.8)
Transit Network: TS-Comm-Transit
IP Subnet: 192.168.33.0/29
NOTE:
IP addresses must remain unchanged.
QUESTION. 21:
The troubleshooting NSX deployment is growing and running out of compute capacity. An
additional ESXi host is being added for VXLAN.
Host preparation has failed on esx-05a.corp.local on several attempts and the Compute Cluster
2A was left in an error state. Determine and resolve the issue.
Requirements:
vCenter: vcsa-01a.corp.local
Credentials: administrator@vsphere.local / VMware1!
Cluster: Compute Cluster 2A
IP Pool: Compute-2A
Transport Zone: Local-Transport-Zone-A
Esx-05a.corp.local IP information:
IP: 192.168.110.58
Netmask: 255.255.255.0
Gateway: 192.168.110.1
DNS: 192.168.110.10
Resolve deployment issue.
Prepare esx-05-a.corp.local for NSX in Compute Cluster 2A.
Ensure once the issue is resolved with the Compute Cluster 2A cluster, that it is
connected to Local-Transport-Zone-A.
QUESTION. 22:
Routing through TS-Edge-01 is not working. The service provider (SP) has confirmed their
configuration is correct.
Requirements:
vCenter: vcsa01a.corp.local
Credential: administrator@vsphere.local / VMware1!
Edge: TS-Edge-01
Credential: admin / VMware1!VMware1!
Problem Edge: TS-Edge01
Local IP Address: 192.168.100.202
SP provided configuration:
Area ID: 10
Type: Normal
Authentication: None
NOTE:
Do not use static route or configure Default Gateway on any Edge.
QUESTION. 23:
You have been tasked with modifying an existing NSX API call to capture flow information for
an organization. The existing API call is located on the ControlCenter desktop in a file named
flowapi.txt.
The API call should be modified to collect Layer3 flow statistics between the dev-web-01a and
the ControlCenter virtual machine.
Requirements:
vCenter: vcsa01a.corp.local
Credential: administrator@vsphere.local / VMware1!
Modify and Save the existing API call to capture the requested information.
A REST Client has been added to Chrome and Firefox for this exercise.
Output the Response Body to a text file called apiresults.txt on the desktop of ControlCenter.