VMware Certified Professional - Network Virtualization Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real VMware Certified Professional - Network Virtualization exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for VMware Certified Professional - Network Virtualization
An organization is experiencing asymmetric routing issues in their NSX-T environment where northbound traffic from VMs traverses Edge Node 1, but return traffic enters through Edge Node 2, causing stateful firewall drops. The environment uses ECMP with two Tier-0 gateways in Active-Active mode connected to upstream physical routers. BGP is configured with the same AS number on both edges. What is the MOST effective solution to resolve this issue while maintaining high availability?
A security architect is designing microsegmentation for a three-tier application with strict zero-trust requirements. The application includes web servers (segment Web-Seg), application servers (segment App-Seg), and database servers (segment DB-Seg). Database servers must accept connections ONLY from authenticated application servers, and all connection attempts must be logged for compliance. The environment uses NSX-T distributed firewall with identity-based policies. Which combination of DFW rule configuration and placement provides the MOST secure and operationally efficient solution?
During a network outage investigation, an NSX-T administrator discovers that overlay traffic between transport nodes is failing intermittently. The command 'get vteps' shows all VTEPs are reachable, but packet captures reveal that some GENEVE encapsulated frames are being dropped. MTU is configured to 1600 on physical switches, TEP interfaces use MTU 1600, and overlay segments use MTU 1500. TEPs are using VLAN-backed segments on the same physical infrastructure. What is the ROOT CAUSE of this issue?
An organization is implementing NSX-T Federation across three geographic locations: New York (Primary), London (Secondary), and Tokyo (Secondary). They require stretched security policies and segments with local egress at each location for internet-bound traffic to minimize latency. Each location has dedicated Tier-0 and Tier-1 gateways. Universal segments need to span all locations while location-specific segments remain local. What is the CORRECT architectural approach to meet these requirements?
A network administrator notices that after implementing Distributed Firewall rules with Layer 7 application context awareness, CPU utilization on certain ESXi hosts has increased significantly. Analysis shows the affected hosts are running legacy VMs with older VM hardware versions that don't support Guest Introspection. Application identification is critical for security policies. What is the MOST appropriate solution that maintains security requirements without requiring VM downtime?
An NSX-T environment experiences a control plane failure where the management cluster becomes unavailable. The environment consists of three NSX Manager nodes in a cluster, multiple Edge nodes, and ESXi hosts configured as transport nodes with prepared overlay and VLAN segments. What is the expected behavior of the data plane during this outage?
A company has implemented NSX-T with multiple Tier-1 gateways connected to a single Tier-0 gateway. They notice that VMs on different Tier-1 gateways in the same overlay transport zone cannot communicate despite having DFW rules that should permit the traffic. The Tier-0 gateway is configured in Active-Active mode with ECMP enabled. Tier-1 gateways are connected via service interfaces. Routing protocol is not configured between Tier-0 and Tier-1. What is the MOST likely cause and resolution?
During a security audit, you discover that despite having a well-configured Distributed Firewall policy with Application category rules blocking database traffic, certain VMs are still able to establish unauthorized database connections. Investigation reveals that these VMs are part of a security group used in an Environment category rule that permits broader access. Both rules apply to the same VMs. What explains this behavior and what is the correct remediation?
An NSX-T administrator is troubleshooting intermittent connectivity issues for VMs on overlay segments. The command 'get logical-switch <UUID> vteps' shows all expected VTEPs, but 'get logical-switch <UUID> mac-table' reveals missing MAC entries for affected VMs. The vSphere environment recently underwent a storage vMotion migration, and affected VMs were moved to new datastores. VMware Tools is running on all VMs. What is the MOST likely root cause requiring immediate investigation?
A financial services company requires that all north-south traffic be inspected by their third-party Next-Generation Firewall appliance before reaching external networks. The environment uses NSX-T with Tier-0 and Tier-1 gateways. They need to maintain high availability, support multiple VLANs for different security zones, and ensure that failure of the third-party appliance triggers automatic traffic redirection to a secondary path. What is the MOST appropriate NSX-T design pattern to implement this requirement?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual VMware Certified Professional - Network Virtualization exam!
VMware Certified Professional - Network Virtualization Advanced Practice Exam FAQs
VMware Certified Professional - Network Virtualization is a professional certification from VMware that validates expertise in VMware network virtualization technologies and concepts. The official exam code is 2V0-41.24.
The VMware Certified Professional - Network Virtualization advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the 2V0-41.24 exam.
While not required, we recommend mastering the VMware Certified Professional - Network Virtualization beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 300/500 on the VMware Certified Professional - Network Virtualization advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.