ExamGecko
Search Search Login
Home Home / VMware / 2V0-41.23
Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Which two are requirements for FQDN Analysis? (Choose two.)
Which three of the following describe the Border Gateway Routing Protocol (BGP) configuration on a Tier-0 Gateway? (Choose three.)
An NSX administrator wants to create a Tler-0 Gateway to support equal cost multi-path (ECMP) routing. Which failover detection protocol must be used to meet this requirement?
An NSX administrator Is treating a NAT rule on a Tler-0 Gateway configured In active-standby high availability mode. Which two NAT rule types are supported for this configuration? (Choose two.)
Which TraceFlow traffic type should an NSX administrator use tor validating connectivity between App and DB virtual machines that reside on different segments?
Which CLI command would an administrator use to allow syslog on an ESXi transport node when using the esxcli utility?
An administrator has connected two virtual machines on the same overlay segment. Ping between both virtual machines is successful. What type of network boundary does this represent?
Which three DHCP Services are supported by NSX? (Choose three.)
Which two statements describe the characteristics of an Edge Cluster in NSX? (Choose two.)
Which two are supported by L2 VPN clients? (Choose two.)

Question 12 - 2V0-41.23 discussion

Report
Export

A company Is deploying NSX micro-segmentation in their vSphere environment to secure a simple application composed of web. app, and database tiers.

The naming convention will be:

* WKS-WEB-SRV-XXX

* WKY-APP-SRR-XXX

* WKI-DB-SRR-XXX

What is the optimal way to group them to enforce security policies from NSX?

A.
Use Edge as a firewall between tiers.
Answers
A.
Use Edge as a firewall between tiers.
B.
Do a service insertion to accomplish the task.
Answers
B.
Do a service insertion to accomplish the task.
C.
Group all by means of tags membership.
Answers
C.
Group all by means of tags membership.
D.
Create an Ethernet based security policy.
Answers
D.
Create an Ethernet based security policy.
Suggested answer: C

Explanation:

The answer is C. Group all by means of tags membership.

Tags are metadata that can be applied to physical servers, virtual machines, logical ports, and logical segments in NSX. Tags can be used for dynamic security group membership, which allows for granular and flexible enforcement of security policies based on various criteria1

In the scenario, the company is deploying NSX micro-segmentation to secure a simple application composed of web, app, and database tiers. The naming convention will be:

WKS-WEB-SRV-XXX

WKY-APP-SRR-XXX

WKI-DB-SRR-XXX

The optimal way to group them to enforce security policies from NSX is to use tags membership. For example, the company can create three tags: Web, App, and DB, and assign them to the corresponding VMs based on their names. Then, the company can create three security groups: Web-SG, App-SG, and DB-SG, and use the tags as the membership criteria. Finally, the company can create and apply security policies to the security groups based on the desired rules and actions2

Using tags membership has several advantages over the other options:

It is more scalable and dynamic than using Edge as a firewall between tiers. Edge firewall is a centralized solution that can create bottlenecks and performance issues when handling large amounts of traffic3

It is more simple and efficient than doing a service insertion to accomplish the task. Service insertion is a feature that allows for integrating third-party services with NSX, such as antivirus or intrusion prevention systems. Service insertion is not necessary for basic micro-segmentation and can introduce additional complexity and overhead.

It is more flexible and granular than creating an Ethernet based security policy. Ethernet based security policy is a type of policy that uses MAC addresses as the source or destination criteria. Ethernet based security policy is limited by the scope of layer 2 domains and does not support logical constructs such as segments or groups.

To learn more about tags membership and how to use it for micro-segmentation in NSX, you can refer to the following resources:

VMware NSX Documentation: Security Tag 1

VMware NSX Micro-segmentation Day 1: Chapter 4 - Security Policy Design 2

VMware NSX 4.x Professional: Security Groups

VMware NSX 4.x Professional: Security Policies

Show Answer
asked 16/09/2024
Koos Witkamp
33 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms