VCF 5.2 Admin Exam

Questions and Answers

How does applying a segment profile to a segment affect the ports within that segment?

• The profile is not applied to any of the segment's ports unless explicitly specified.
• The profile is applied to only the first port of the segment.
• The profile is applied to all ports of the segment, and cannot be overwritten at the port level.
• The profile is applied to all ports of the segment, but can be explicitly overwritten at the port level. (correct)

Which of the following is NOT a supported segment profile in NSX?

• Firewall Hardening (correct)
• Port Mirroring
• IP Discovery
• QoS (Quality of Service)

In VMware Cloud Foundation, when is the NSX Manager three-node cluster deployed?

• During the initial deployment of vCenter.
• As a manual step after the VI workload domain is created.
• When the first virtual machine is created in the VI workload domain.
• When the first VI workload domain that is supported by NSX is created. (correct)

What role do NSX Edge nodes typically play in a multi-tenant cloud environment regarding tenant boundaries?

They create virtual boundaries for each tenant ensuring isolation. (A)

After NSX Manager adds a VI workload domain vCenter instance as a compute manager, what network infrastructure components are created?

VLAN and overlay transport zones are created to which all host transport nodes are added. (D)

Which of the following is NOT a type of object to which VM storage policies can be applied, according to the content?

Physical server hardware profiles (A)

In a four-node vSAN cluster, what is a primary consideration when choosing between RAID 1 (Mirroring) and RAID 5 (Erasure Coding) for an object?

RAID 1 requires less temporary disk space during policy changes compared to RAID 5. (B)

What is the default Reactive Rebalance threshold in vSAN?

80 percent (D)

In the context of a four-node vSAN cluster running both NSX Manager (RAID 5) and SDDC Manager (RAID 1), what is a likely outcome if a second host failure occurs during an extended maintenance period on the first host?

SDDC Manager remains operational, but NSX Manager becomes unavailable and potentially inoperable. (A)

Why might adding a fifth host to a four-node vSAN cluster be recommended when using RAID 5?

To ensure redundancy levels are maintained even if a host fails. (B)

Why is it important to consider FTT (Failures To Tolerate) = 2 for production workloads when planning vSphere host maintenance?

Because maintenance mode counts as a failure, and FTT=2 provides sufficient redundancy. (C)

How does deduplication differ from compression in the context of vSAN?

Deduplication removes redundant data across multiple data blocks, while compression removes redundant data within each data block. (B)

What considerations should be taken into account when planning for vSphere host maintenance mode in a vSAN environment?

Ensuring accessibility and full data migration. (A)

What best describes NVMe in the context of vSAN?

A high-performance storage protocol optimized for NUMA architectures. (C)

Which infrastructure services are critical for VMware Cloud Foundation to function correctly?

Directory Services, DNS, NTP, DHCP, Certificate Authority, and BGP peers (B)

Which of the following statements regarding component rebuilds in vSAN is most accurate?

vSAN might not be able to rebuild a component if a host is in maintenance mode, depending on the protection policy and available resources. (D)

Why is NTP critical for VMware Cloud Foundation?

For ensuring accurate time synchronization, which is essential for authentication and troubleshooting purposes (B)

What is the primary reason for recommending at least two domain controllers in a VMware Cloud Foundation environment?

To ensure high availability of directory services. (B)

Which of the following maintenance mode options offers the LEAST amount of data accessibility?

No Data Migration (B)

In the context of vSAN, what does enabling 'vSAN Reserved Capacity' primarily help with?

Facilitating vSAN cluster maintenance. (A)

Why is highly available DNS critical for VMware Cloud Foundation?

Because VMware Cloud Foundation software components cannot communicate without proper name resolution. (B)

Which of the following tasks can be automated using vSphere Lifecycle Manager?

All of the above. (D)

What is the smallest unit used by vSphere Lifecycle Manager to install VMware and third-party software on ESXi hosts?

Component (A)

Who creates and releases ESXi base images?

VMware by Broadcom (B)

Which element is mandatory when creating a vSphere Lifecycle Manager image?

ESXi base image (A)

What is the primary purpose of vendor add-ons in vSphere Lifecycle Manager?

To offer custom OEM images tailored for specific server families. (B)

Before adding a firmware or driver add-on to your image, what prerequisite must be met?

Installing the Hardware Support Manager plug-in for the respective server family. (D)

Which of the following BEST describes what a component provides upon installation in vSphere Lifecycle Manager?

A visible, usable feature such as a third-party network driver. (D)

What is the role of the NSX upgrade coordinator in VMware Cloud Foundation LCM?

To ensure that NSX components are upgraded in the correct order. (D)

What is the primary purpose of configuring route maps on the backup availability zone's BGP neighbor paths?

To ensure the backup routes are less preferred under normal operating conditions. (D)

In the context of network routing, what do IP Prefix Lists primarily define?

Ranges of IP addresses that are advertised to other routers. (D)

What role do Route Maps play in influencing network traffic flow?

They serve as sets of rules that use IP prefix lists to determine preferred or less preferred routes. (A)

What is the significance of setting up BGP Neighbors in the context of ensuring network resilience?

It allows routers to share routing information, facilitating failover to backup routes. (A)

How do route maps use IP prefix lists to determine the best routes?

By setting preferences for routes that match the IP ranges specified in the lists. (D)

In a scenario where the primary router fails, what mechanism allows network traffic to switch smoothly to the backup route?

Automatic failover based on pre-configured route preferences and BGP neighbor relationships. (B)

What is the relationship between IP Prefix Lists and Route Maps?

IP Prefix Lists define the IP ranges, and Route Maps use these lists to make routing decisions. (C)

Why is it important to configure route maps to make the backup availability zone's BGP neighbor paths less preferred under normal conditions?

To ensure that the primary route is always used when available, reserving the backup for actual failures. (B)

What is a key consideration when determining the number of clusters that will utilize a network pool?

All hosts within a cluster must use the same network pool, consuming one IP address per configured subnet. (A)

Which of the following actions is permitted when adjusting an existing network pool?

Adding additional included IP address ranges. (B)

Why is it important to carefully plan network pools and reserve only the necessary IP address ranges?

After an IP address range is included in a network pool, those addresses are locked to that pool. (C)

What is the primary function of an overlay transport zone?

To serve as the internal tunnel for Geneve-encapsulated traffic between ESXi hosts and NSX Edge transport nodes. (D)

What is the typical use case for VLAN transport zones in NSX deployments?

Northbound connectivity from NSX Edge nodes to top-of-rack switches. (A)

Which statement accurately describes the relationship between transport nodes, transport zones, and NSX virtual switches?

A transport node can have multiple NSX virtual switches if it has sufficient pNICs, but a transport zone can only be attached to a single NSX virtual switch on that node. (C)

What restriction applies to the attachment of NSX virtual switches to overlay transport zones?

An NSX virtual switch can only attach to a single overlay transport zone. (C)

In a Layer 2 transport switch fabric design, what role do top-of-rack (ToR) switches and upstream Layer 3 devices play?

They form a switched fabric for the network. (D)

Flashcards

Segment Ports

Entities (routers, VMs, containers) connect to a segment.

Segment Profiles

Layer 2 networking config for logical switches/ports; applied at port or segment level.

NSX Edge Nodes

Appliances hosting distributed routing/services with HA using active-active or active-standby models.

NSX Edge Use Cases

Creates virtual boundaries for each tenant, deployed in DMZs and multi-tenant environments.

NSX Transport Zones

VLAN and overlay networks created to attach all transport nodes to a central network.

Network Pool

A group of IP addresses reserved for use by a cluster.

Transport Zone

Defines the scope of a logical network over the physical infrastructure.

Overlay Transport Zone

The internal tunnel between ESXi hosts and NSX Edge nodes.

VLAN Transport Zone

Used at NSX Edge uplinks for external connectivity.

Transport Node Virtual Switches

Can have multiple NSX virtual switches if the transport node has more than two pNICs.

Transport Zone per vSwitch

Can only be attached to a single NSX virtual switch on a given transport node.

Transport Zone Function

Determines which hosts can participate in a network.

VCF Overlay Transport Zone

VMware Cloud Foundation supports one overlay transport zone per NSX instance.

Network Infrastructure Check

Verifying network performance and configuration including throughput, VLANs, and jumbo frames.

Network I/O Control

Technology used to manage the network traffic for virtual machines, ensuring efficient bandwidth allocation

VCF Default Configurations

Default settings may need adjustments to suit specific needs.

vSAN CPU/Memory Overhead

Consider the CPU and memory consumed by vSAN itself.

vSAN Failure Domains

Structures that define how failures are handled within the vSAN cluster.

Reactive Rebalance Threshold

Threshold at which vSAN starts rebalancing data across the cluster.

Essential Infrastructure Services

Critical services for VMware Cloud Foundation to function correctly.

NTP Importance

Critical for accurate timekeeping and authentication.

SPBM (Storage Policy-Based Management)

Method to protect vSAN data by strategically placing data objects across the datastore.

Objects Affected by VM Storage Policies

VM namespaces, VMDK objects, swap objects, snapshots, memory objects, performance data, file system services.

RAID 5 Component Distribution in Four-Node Clusters

An object is split into four components across all four hosts.

RAID 1 (Mirroring) Advantage in Four-Node Clusters

Has more rebuild flexibility than RAID 5 in a four-node setup.

RAID 5 Space Requirement During Conversion

Requires extra temporary space when changing from RAID 1, due to it's method of erasure coding.

Benefit of a Fifth Host in a Four-Node Cluster

To ensure continued redundancy if a host fails.

Impact of Host Failure on NSX Manager (RAID 5) and SDDC Manager (RAID 1)

NSX Manager might become unavailable. SDDC Manager keeps running.

NVMe (Non-Volatile Memory Express)

High-performance, NUMA optimized storage protocol connecting host to memory.

IP Prefix Lists

Lists that specify ranges of IP addresses to share with other routers.

Route Maps

Sets of rules that use IP prefix lists to determine preferred routes.

BGP Neighbors

Other routers with which we exchange routing information (BGP).

Traffic Preference Control

Ensuring traffic smoothly switches to a backup route if the main route fails.

The Goal

To maintain continuous operation even if the primary router fails.

Primary Router Failover

Making sure the backup location can take over seamlessly if the primary fails.

Route Maps in AZ2

Used to make routes in the secondary AZ less preferred for inbound/outbound traffic.

IP Address Ranges

Ranges of IP addresses that we want to advertise to other routers.

vSphere Lifecycle Manager

Automates tasks like managing VMware Tools, VM hardware upgrades, ESXi patching, and third-party software installation.

ESXi Base Image

A complete ESXi installation package providing software fixes and enhancements.

Component (in vSphere)

A logical grouping of one or more VIBs that encapsulates functionality in ESXi.

Vendor Add-ons

Custom OEM images with components tailored for a specific family of servers.

Firmware and Driver Add-ons

Bundles containing firmware and driver updates for specific server types.

Component Function

Used by vSphere Lifecycle Manager to install VMware and third-party software on ESXi hosts. Basic packaging for VIBs and metadata.

Firmware/Driver Add-on Requirement

You must first install the Hardware Support Manager plug-in to add this type of add-on to your image.

NSX Upgrade Coordinator

Ensures NSX components are upgraded in the correct order in VMware Cloud Foundation domains.

Study Notes

• SDDC Manager is essential for configuration changes, software updates, adding/removing hosts from workload domain clusters and ensuring accurate inventory within VMware Cloud Foundation (VCF).

Key SDDC Manager Services

• UI: HTML5-based interface consistent with VMware UIs
• Lifecycle Manager: Monitors/updates software, ensures product compatibility, automates upgrades, updates inventory
• Domain Manager: Orchestrates workload domain creation, deletion, and scaling
• SoS Utility: Performs health checks and collects logs via command line or API
• Network Pools: Provides IP address pools for deployed resources like ESXi hosts
• Inventory: Maintains a database of managed entities

User Management

• Roles include admin, operator, and view-only.
• Actions within SDDC Manager involve changing passwords, deploying NSX Edge, adding/removing hosts, and creating vSphere clusters.
• Actions outside SDDC Manager involve changing Active Directory permissions, adding resource pools/port groups, and applying vSphere license keys.
• vSphere admin actions can have serious ramifications on VCF, requiring a deep understanding to avoid issues like inaccessible clusters. Contact Broadcom support before attempting to fix such issues.

Password Management

• SDDC Manager uses the "admin" account for internal API calls, so the password should be changed periodically.
• Password resets for local accounts in SDDC Manager differ from changing the API "admin" account password.

Changing "root" and "vcf" Passwords

• Access SDDC Manager via SSH as the "vcf" user.
• Use the su command to switch to the “root” account.
• Then, use the passwd command.

Changing API "admin" Password

• Access SDDC Manager via SSH as the "vcf" user, switch to “root”, and run: /opt/vmware/vcf/commonsvcs/scripts/auth/set-basicauth-password.sh admin <password>
• Ensure proper escaping of special characters is applied.

NSX Overview

• Segments, or logical switches, provide switching functionality in NSX, similar to VLANs, with VNIs scaling beyond VLAN limits.
• Segments contain segment ports where entities like VMs connect.
• Segment profiles configure logical switches and ports, with NSX Manager providing default profiles.
• Profiles applied at the segment level apply to all ports unless overwritten at the port level and multiple profiles are supported, including QoS and port mirroring.
• NSX Edge nodes are appliances providing distributed routing and other services.
• NSX Edge offers high availability through active-active and active-standby models.
• VMware Cloud Foundation automates NSX Edge deployment in DMZs and multi-tenant environments.

NSX with VI Workload Domain Creation

• A three-node NSX Manager cluster deploys in the management domain when the first VI workload domain supported by NSX is created.
• The cluster can be shared or dedicated to single/multiple VI workload domains.
• NSX Manager adds VI workload domain vCenter instances as a compute manager, and creates VLAN and overlay transport zones for host transport nodes.
• NSX Manager creates and applies an uplink profile to transport nodes.

Uplink Profiles

• An uplink profile defines how Edges and transport nodes connect to VLAN/Overlay networks and specifies the NICs used
• Workload domain traffic separation allows separation of VMkernel traffic types.
• Separation can include management, storage, vSphere vMotion, and overlay traffic.

Multi-NIC Host Use Cases

• Use-cases involve adhering to legacy practices and traffic segregation for security/bandwidth limitations.
• VCF replaces the practice of multi-NIC by using consolidated VDS (NSX) with VLANs and GENEVE/ TEPs.
• Physical segregation environments can map management/storage/VM traffic to a logical switch connected to dedicated physical NICs.

Importing vSphere Infrastructure

• Two scenarios exist for importing vSphere infrastructure, depending on SDDC Manager deployment status.
• Scenario 1 involves deploying SDDC Manager into a vSphere cluster and using an import script to convert it into a management domain.
• Scenario 2 involves using an import script to import vSphere clusters as VI workload domains into an existing SDDC Manager deployment.

NSX Edge Networking

• VMware Cloud Foundation automates NSX Edge cluster deployment/configuration:
• Deployment of NSX Edge VMs with initial Tier-0 and Tier-1 gateways.
• Configuration of NSX Edge uplink profiles and segments.
• Enabling BGP when used.
• Scaling of existing NSX Edge clusters.
• NSX Edge clusters are associated with workload domains, sharing North-South routing and networking throughout the entire Workload Domain and other workload Domains that use the same NSX Manager cluster.

Edge Cluster Prerequisites

• Separate VLANs and subnets must be available.
• Host TEP VLAN and Edge TEP VLAN need routing.
• Reserve an ASN.
• Set two BGP peers on TORs or infra ESG.
• Populate DNS entries for NSX Edge.
• Have L2 Uniform vSphere clusters to host Edge clusters, with identical networking.
• Use identical PNIC speed and same NSX enabled VDS uplinks for the hosting vSphere cluster.

Edge Cluster Profile Options

• Select the default configuration unless BFD is required for BGP peering..
• BGP peering is used to enhance network reliability.
• BGP is required for dynamic route advertisement that requires a physical switch configuration.

Routing Options

• Select between BGP, which distributes routes automatically, or Static, where routes are configured manually.
• External BGP is typically preferred for automatic route redistribution. Static routes might be best when extra security is desired in various environments.

NSX Edges Appliances

• You must configure network interfaces for each NSX Edge Appliance before deploying: Mgt IP, one edge TEP for each edge note on the edge TEP VLAN and an uplink IP on separate uplink VLANs.
• NSX Edge nodes can be removed only if certain requirements are satisfied (active cluster, more than two nodes).
• Equal-cost multi-path routing (ECMP) load balances traffic across layer 3 connections.

BGP Protocol

• BGP exchanges routes and peer with NSX Edge nodes.
• Serves as interdomain routing protocol for loop-free routing among domains with independent policies.
• The new dvPortgroups in vSphere and NSX managed logical switches are connected north-south to ECMP On-Ramp.

L2 Fabric vs L3 ToR

• Edge nodes pair with L3 devices to which ToR connects.
• Both BGP and OSPF are applicable in L2 design.
• The L3 ToR design has the following characteristics: Simple design is using non-LACP uplink teaming and MLAG terminates LACP at the ToR
• With the use of MLAG (Arista etc.) LACP is terminated at the TOR and BGP or OSPF can be used.
• You are able to set the routing feature on Tier-0 logical router that does the peering with the Layer 3 device. Also, static routes or Multihop external BGP(eBGP).

BFD Protocol

• BFD aids in resilience via rapid detection of link/path failures.
• Is either set up with an internal iBGP, with BGP routers in the same AS, or categorized as external BGP (eBGP) sessions.
• Internal BGP are more secure.
• Equal-Cost Multi-Path (ECMP) is a technique, not routing protocol for balance with performance and reliability.

Appplication Virtual Networks (AVNs)

• Are software defied networks that serve a special purpose in the SDDC.
• Span clusters and traverse NSX Edge service gateways for North/South traffic.
• Implements SDN utilizing NSX in the management domain
• They contain a Tier-0 gateway that peers with physical networks.
• Made up of both a Tier-1 Gateway that services NSX segments and a NSX Edge cluster.

AVN Uses

• Mgmt-RegionA01-VXLAN is for VMware Aria Suite workloads, VMware Aria Operations for Logs and VMware Aria Automation Proxy Servers guided deployment. Does not require region portability
• Mgmt-xRegion01-VXLAN is used for VMware Aria Suite workloads that require portability, VMware Aria Suite Lifecycle guided deployment.

AVN Configuration

• Overlay-backed NSX segment are best, requiring a direct connection to the Tier-1 gateway. The traffic is carried between VMs and the traffic has its layer carried by a tunnel.
• VLAN- backed NSX has Layer 2 traffic that is across the VLAN network between running VMs on different hosts.

WLD Checklist

• After commissioning the host, the parameters should be rechecked if they match below criteria and ensure separate VLANs and subnets if required are setup.
• Before changing the storage, reach out to support and ensure required network pool is created.

Network Pools

• Each pool constitutes a range of IP addressed to assign specific VCF services.
• A vSphere vMotion subnet should be configured during it. Hosts are first connected to a Standard VSwitch and then upon Domain integration to the VMware Distributed Switch (VDS).

Transport node

• Follow a basic guideline that allows only one overlay transport zone, ensure transport nodes more than two pNICs and a single segment assigned to a single transport zone. For the best results, refer to the VMware installation documents for recommendations. All transport modes should be of same types (ESXi and NSX).
• Ensure appropriate bandwidth depending on type of usage on the network.
• A transport zone is also not a security boundary.
• VMware Cloud Foundation leverages a single Overlay Transport Zone per NSX instance.

Overlay Zone

• An overlay transport zone has TEP. The VLAN assigned enables effective traffic traversing.
• Use cases: NSX edge nodes and host edge.

Fabric Design:

• Has an upstream layer and all L2 VLANS is used to extend and connect across racks.
• VLAN must have support for both Layer 3 and gateway functionality.
• Single vendor is preffered and supported.

Per rack

• There are different NSX profile configurations for each rack.
• In Nsx a cluster or host is common elements that address and share network features.

Preparations

• You must configure both A DCHP server for NSX overlay and a Static IP pool for host. After host commissioning you may assign to the inventory.
• Also verify DNS records exist for both vCenters and NSX manager as well as unassigned hosts to the correct Storage.