    Let’s look at a few VMware NSX interview questions to help job seekers and professionals who want to get certified in network virtualization.

    VMware acquired NSX from Nicira in July 2012, which was primarily used for network virtualization in a Xen-based hypervisor. NSX abstracts the physical layer (virtualize the network) so that software runs on the top of the hypervisor, which is dynamically configured and updated. Currently, NSX has two versions: NSX-T (designed for multi-hypervisors and cloud-native applications) and NSX-V (designed for vSphere environments only).

    NSX is the future of modern IT infrastructure and offers rich capabilities to manage and secure your virtual infrastructure. 82% of the Fortune 100 have adopted VMware NSX. With businesses rapidly adopting VMware NSX, an experienced workforce is always in high demand.

    For this purpose, we have prepared some interview questions with explanatory answers.

    These interview questions are categorized into the following technical areas:

    • Basic concepts
    • NSX Core Components
    • NSX Functional Services
    • Edge Services Gateway
    • Service Composer
    • Monitoring
    • Managing NSX

    Basic Concepts of NSX

    #1. What is decoupling?

    An important concept of network virtualization is the decoupling of software from networking hardware. The software works independently of the networking hardware that physically interconnects the infrastructure. Networking hardware that can interoperate with the software can enhance the functionality, but it is not required. Remember that the performance of your network hardware will always limit your throughput on the wire.

    #2. What is Control Plane?

    The decoupling of software and networking hardware allows you to control your network better because all the logic resides in the software. This control aspect of your network is called the control plane. The control plane provides the means to configure, monitor, troubleshoot, and allow automation against the network.

    #3. What is Data Plane?

    The networking hardware forms the data plane where all the data is forwarded from source to destination. The management of data resides in the control plane; however, the data plane consists of all the networking hardware whose primary function is to forward traffic over the wire from source to destination.

    #4. What is the Management Plane?

    The management plane primarily consists of the NSX manager. The NSX manager is a centralized network management component and primarily allows for a single management point. It also provides the REST API that a user can use to perform all NSX functions and actions. During the deployment phase, the management plane is established when the NSX appliance is deployed and configured. This management plane directly interacts with the control plane and also the data plane.

    #5. What is Logical Switching?

    NSX lets you create L2 and L3 logical switching that enables workload isolation and separation of IP address space between logical networks. NSX creates logical broadcast domains in the virtual space, which removes the need to create logical networks on the physical switches. This means you are no longer limited to 4096 physical broadcast domains (VLANs).

    #6. What are NSX Gateway Services?

    The Edge gateway services interconnect your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to your physical network through the gateway.

    #7. What is Logical Routing?

    Multiple virtual broadcast domains (logical networks) can be created using NSX. As multiple virtual machines subscribe to these domains, it becomes crucial to be able to route traffic from one logical switch to another.

    #8. What is East-West Traffic in Logical Routing?

    East-west traffic is traffic between virtual machines within a data center. In the current context, this typically will be traffic between logical switches in a VMware environment.

    #9. What is North-South Traffic?

    North-south traffic is traffic moving in and out of your data center. This is any traffic that either enters your data center or leaves your data center.

    #10. What is a Logical Firewall?

    Logical firewalls are of two types: distributed firewall and Edge firewall. A distributed firewall is ideally deployed to protect any east-west traffic, while an Edge firewall protects any north-south traffic. A distributed logical firewall allows you to build rules based on attributes that include IP addresses, VLANs, virtual machine names, and vCenter objects. The Edge gateway features a firewall service that can be used to impose security and access restrictions on north-south traffic.

    #11. What is a Load Balancer?

    The logical load balancer distributes incoming requests among multiple servers to allow load distribution while abstracting this functionality from end-users. The logical load balancer can also be used as a high availability (HA) mechanism to ensure your application has the most uptime. An Edge services gateway instance must be deployed in order to enable the load balancer service.

    #12. What is Service Composer?

    The service composer allows you to allocate network and multiple security services to security groups. Virtual machines that are part of these security groups are automatically allocated the services.

    #13. What is Data Security?

    NSX data security provides visibility into sensitive data, ensures data protection, and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report any violations based on the security policy that applies to these virtual machines.

    #14. Configuration Maximums of NSX 6.2

    Description                               Limit
    ---------------------------------------   -------
    vCenters                                  1
    NSX Managers                              1
    DRS Clusters                              12
    NSX Controllers                           3
    Hosts per Cluster                         32
    Hosts per Transport Zone                  256
    Logical Switches                          10,000
    Logical Switch Ports                      50,000
    DLRs per Host                             1,000
    DLRs per NSX Manager                      1,200
    Edge Services Gateways per NSX Manager    2,000

    NSX Core Components

    #15. Define NSX Manager.

    The NSX manager allows us to create, configure, and manage NSX components in an environment. The NSX manager provides a graphical user interface and REST APIs that enable you to interact with various NSX components. NSX Manager is a virtual machine that you can download as an OVA and deploy it on any ESX host managed by vCenter.

    #16. Define NSX Controller Cluster.

    The NSX Controller provides control plane functionality to distribute logical routing and VXLAN network information to the underlying hypervisors. Controllers are deployed as virtual appliances and should be deployed in the same vCenter that the NSX Manager is connected to. In a production environment, it is recommended to deploy a minimum of three controllers. Ensure that DRS anti-affinity rules are configured so that each controller runs on a separate ESXi host, for better availability and scalability.

    #17. What is VXLAN?

    VXLAN is a layer 2 over layer 3 tunneling protocol that allows logical network segments to extend across routable networks. This is achieved by encapsulating the Ethernet frame with additional UDP, IP, and VXLAN headers, which increases the size of the packet by 50 bytes. Hence, VMware recommends increasing the MTU size to a minimum of 1,600 bytes on all interfaces in the physical infrastructure and any associated vSwitches.

    #18. What is VTEP?

    When a virtual machine generates traffic meant for another virtual machine on the same virtual network, the hosts on which the source and destination virtual machines run are called VXLAN tunnel endpoints (VTEPs). VTEPs are configured as separate VMkernel interfaces on the hosts.

    The outer IP header of the VXLAN frame carries the source and destination IP addresses of the source hypervisor and the destination hypervisor. When a packet leaves the source virtual machine, it is encapsulated at the source hypervisor and sent to the target hypervisor. On receiving this packet, the target hypervisor decapsulates the Ethernet frame and forwards it to the destination virtual machine.

    Once the NSX Manager has prepared the ESXi host, we need to configure the VTEP. NSX supports multiple VXLAN vmknics per host for uplink load balancing. In addition, guest VLAN tagging is also supported.
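As an added example (not VMware code, and the VTEP addresses, MACs and VNI below are constructed), here is the encapsulation described in #17 and #18 in code: an inner Ethernet frame is wrapped in outer Ethernet, IPv4, UDP and VXLAN headers addressed between two hypervisor VTEPs, the receiver parses the outer headers back off, and the size check shows why the 50-byte overhead breaks a 1,500-byte physical MTU but fits 1,600.

```python
import struct

VXLAN_UDP_PORT = 4789              # IANA-assigned VXLAN destination port
OUTER_OVERHEAD = 14 + 20 + 8 + 8   # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes
RECOMMENDED_MTU = 1600             # minimum physical MTU recommended above


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_mac, dst_mac):
    """Wrap an inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers."""
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)  # I flag set; 24-bit VNI + 8 reserved
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     _ip_bytes(src_vtep), _ip_bytes(dst_vtep))  # DF set, TTL 64, proto UDP
    eth = dst_mac + src_mac + b"\x08\x00"                        # EtherType IPv4
    return eth + ip + udp + vxlan + inner_frame


def decapsulate(packet):
    """Parse the outer headers; return (vni, src_vtep, dst_vtep, inner_frame)."""
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != 17:
        raise ValueError("outer IP payload is not UDP")
    src_vtep = ".".join(str(b) for b in packet[26:30])   # outer IP src = source hypervisor
    dst_vtep = ".".join(str(b) for b in packet[30:34])   # outer IP dst = target hypervisor
    udp_off = 14 + ihl
    dport = struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0]
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP payload is not VXLAN")
    vx_off = udp_off + 8
    flags, _, _, vni_field = struct.unpack("!BBHI", packet[vx_off:vx_off + 8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set, VNI invalid")
    return vni_field >> 8, src_vtep, dst_vtep, packet[vx_off + 8:]


def fits_physical_mtu(inner_frame_len, physical_mtu=RECOMMENDED_MTU):
    """The outer IP packet (IPv4 + UDP + VXLAN + inner frame) must fit the physical MTU."""
    return 20 + 8 + 8 + inner_frame_len <= physical_mtu


# Constructed sample: a full-size inner frame (14-byte header + 1500-byte payload)
SAMPLE_INNER = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + bytes(1500)

if __name__ == "__main__":
    pkt = encapsulate(SAMPLE_INNER, 5001, "10.0.0.11", "10.0.0.12", b"\x02" * 6, b"\x04" * 6)
    print("overhead:", len(pkt) - len(SAMPLE_INNER), "bytes")
    print("vni/src/dst:", decapsulate(pkt)[:3])
    print("fits 1500 MTU:", fits_physical_mtu(len(SAMPLE_INNER), 1500),
          "fits 1600 MTU:", fits_physical_mtu(len(SAMPLE_INNER)))
```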

    #19. Describe Transport Zone.

    A transport zone defines the span of a logical switch across multiple ESXi clusters, which may use different virtual distributed switches. Any ESXi host that is part of the transport zone can have virtual machines connected to that logical network. A logical switch is always created as part of a transport zone, and the ESXi hosts in that zone can participate in it.

    #20. What is Universal Transport Zone?

    A universal transport zone allows a logical switch to span multiple hosts across multiple vCenters. A universal transport zone is always created by the primary NSX Manager and is synchronized with the secondary NSX Managers.

    #21. What is NSX Edge Services Gateway?

    The NSX Edge Services Gateway (ESG) offers a feature-rich set of services that include NAT, routing, firewall, load balancing, L2/L3 VPN, and DHCP/DNS relay. NSX API allows each of these services to be deployed, configured, and consumed on-demand. You can install the NSX Edge as an ESG or as a DLR.

    The number of Edge appliances, including ESGs and DLRs, is limited to 250 on a host. The Edge Services Gateway is deployed as a virtual machine from the NSX manager, which is accessed using the vSphere web client.

    Note: Only the enterprise administrator role, which allows for NSX operations and security management, can deploy an Edge services gateway.

    #22. Describe Distributed Firewall in NSX.

    NSX provides L2-L4 stateful firewall services using a distributed firewall that runs in the ESXi hypervisor kernel. Because the firewall is a function of the ESXi kernel, it offers massive throughput and performs at near line rate. When NSX initially prepares the ESXi host, the distributed firewall service is installed in the kernel by deploying the kernel VIB, the VMware internetworking service insertion platform (VSIP). VSIP is responsible for monitoring and enforcing security policies on all the traffic flowing through the data plane. The distributed firewall (DFW) throughput and performance scale horizontally as more ESXi hosts are added.

    #23. What is Cross-vCenter NSX?

    Beginning from NSX 6.2, you can manage multiple vCenter NSX environments using the cross-vCenter functionality. This allows you to manage multiple vCenter NSX environments from a single primary NSX manager. In a cross-vCenter deployment, multiple vCenters are all paired with their own NSX Manager per vCenter. One NSX Manager is assigned the primary while other NSX managers become secondary. This primary NSX manager can now deploy a universal controller cluster that provides the control plane. Unlike a standalone vCenter-NSX deployment, secondary NSX managers do not deploy their own controller clusters.

    #24. What is a VPN?

    Virtual private networks (VPNs) allow you to securely connect a remote device or site to your corporate infrastructure. NSX Edge supports three types of VPN connectivity: SSL VPN-Plus, IPsec VPN, and L2 VPN.

    #25. What is SSL VPN-Plus?

    SSL VPN-Plus allows remote users to access applications and servers in a private network securely. There are two modes in which SSL VPN-Plus can be configured: network access mode and web access mode. In the network access mode, a remote user can access the internal private network securely. This is done by a VPN client that the remote user downloads and installs on their operating system. In web access mode, the remote user can access the private networks without any VPN client software.

    #26. What is IPSec VPN?

    The NSX Edge service gateway supports a site-to-site IPSEC VPN that allows you to connect an NSX Edge services gateway-backed network to another device at the remote site. NSX Edge can establish secure tunnels with remote sites to allow secure traffic flow between sites. The number of tunnels an Edge gateway can establish depends on the size of the edge gateway deployed. Before configuring IPsec VPN, ensure that dynamic routing is disabled on the Edge uplink to allow specific routes defined for any VPN traffic.

    Note: Self-signed certificates cannot be used with an IPSEC VPN.

    #27. What is L2 VPN?

    An L2 VPN allows you to stretch multiple logical networks across multiple sites. The networks can be both traditional VLANs and VXLANs. In such a deployment, a virtual machine can move between sites without changing its IP address. An L2 VPN is deployed as a client and server where the destination Edge is the server, and the source Edge is the client. Both the client and the server learn the MAC addresses of both local and remote sites. For any sites that are not backed by an NSX environment, a standalone NSX Edge gateway can be deployed.

    NSX Functional Services

    #28. How many NSX Managers can be installed and configured in a cross-vCenter NSX environment?

    There can only be one primary NSX manager and up to seven secondary NSX managers. You can select one primary NSX manager, following which you can start creating universal objects and deploying universal controller clusters as well. The universal controller cluster will provide the control plane for the cross-vCenter NSX environment. Remember that in a cross-vCenter environment, the secondary NSX managers do not have their own controller clusters.

    #29. What is the Segment ID pool, and how to assign it?

    Each VXLAN tunnel has a segment ID (VNI), and you must specify a segment ID pool for each NSX Manager. All traffic will be bound to its segment ID, which allows for isolation.

    #30. What is L2 Bridge?

    A logical switch can be connected to a physical switch VLAN using an L2 bridge. This allows you to extend your virtual logical networks to access existing physical networks by bridging the logical VXLAN with the physical VLAN. This L2 bridging is accomplished using an NSX Edge logical router that maps to a single physical VLAN on the physical network.

    However, L2 bridges should not be used to connect two different physical VLANs or two different logical switches. You also cannot use a universal logical router to configure bridging, and a bridge cannot be added to a universal logical switch. This means that in a multi-vCenter NSX environment, you cannot extend a logical switch to a physical VLAN at another data center through L2 bridging.

    Edge Services Gateway

    #31. What is Equal Cost Multi-Path (ECMP) Routing?

    ECMP allows packets destined for a single destination to be forwarded over multiple best paths of equal cost. These paths can be added statically or learned dynamically through routing protocols such as OSPF and BGP. When defining static routes, the multiple next hops are entered as comma-separated values.

    #32. What are the default administrative distances for directly connected, static, external BGP, etc.?

    The value ranges from 1 to 255, and the defaults are: Connected (0), Static (1), External BGP (20), OSPF intra-area (30), OSPF inter-area (110), and Internal BGP (200).

    Note: These values are entered in the “Admin Distance” field by editing the Default Gateway configuration under Routing Configuration.
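As an added example (not VMware code; the routes and next-hop addresses are constructed) covering both #31 and #32, the following builds a routing table from candidate routes using the default administrative distances quoted above, keeps equal-cost next hops from the winning source as an ECMP set, and hashes the 5-tuple so each flow sticks to one path. An `overrides` argument stands in for editing the Admin Distance field.

```python
import hashlib
import ipaddress

# Default administrative distances quoted above (lower wins)
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20,
                  "ospf_intra": 30, "ospf_inter": 110, "ibgp": 200}


def build_table(candidates, overrides=None):
    """candidates: (prefix, source, metric, next_hop) tuples learned from each source.
    Per prefix keep the lowest (admin distance, metric); equal-cost entries from the
    winning source are kept together as an ECMP next-hop set.
    overrides: {source: distance} mimics editing the "Admin Distance" field."""
    dist = dict(ADMIN_DISTANCE, **(overrides or {}))
    table = {}
    for prefix, source, metric, nh in candidates:
        key = (dist[source], metric)
        cur = table.get(prefix)
        if cur is None or key < cur[0]:
            table[prefix] = (key, source, [nh])       # new best path replaces the set
        elif key == cur[0] and nh not in cur[2]:
            cur[2].append(nh)                         # equal cost: add an ECMP path
    return {p: (src, nhs) for p, (_, src, nhs) in table.items()}


def lookup(table, dst_ip):
    """Longest-prefix match; returns (source, [next_hops]) or None."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [p for p in table if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return table[max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)]


def pick_next_hop(next_hops, src_ip, dst_ip, proto, sport, dport):
    """Hash the 5-tuple so every packet of one flow uses the same ECMP path."""
    digest = hashlib.sha256(f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


# Constructed sample: two equal-cost static default routes, the same /16 learned
# from eBGP and from OSPF inter-area, and a directly connected /24
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "static", 1, "192.168.100.1"),
    ("0.0.0.0/0", "static", 1, "192.168.100.2"),
    ("10.10.0.0/16", "ebgp", 0, "192.168.100.1"),
    ("10.10.0.0/16", "ospf_inter", 10, "192.168.200.1"),
    ("10.10.1.0/24", "connected", 0, "direct"),
]

if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    for prefix, entry in table.items():
        print(prefix, "->", entry)
    src, hops = lookup(table, "8.8.8.8")
    print("8.8.8.8 via", pick_next_hop(hops, "10.10.1.5", "8.8.8.8", "udp", 5353, 53))
```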

    #33. What is Open Shortest Path First (OSPF)?

    OSPF is a routing protocol that uses a link-state routing algorithm and operates within a single autonomous system.

    #34. What is Graceful Restart in OSPF?

    Graceful Restart allows for non-stop packet forwarding even if the OSPF process is being restarted. This helps in non-disruptive packet routing.

    #35. What is Not-So-Stubby Area (NSSA) in OSPF?

    NSSA prevents the flooding of external autonomous system link-state advertisements by relying on default routes to external destinations. NSSAs are typically placed at the edge of an OSPF routing domain.

    #36. What is BGP?

    BGP is an exterior gateway protocol designed to exchange routing information among autonomous systems (AS) on the internet. BGP is relevant to network administrators of large organizations that connect to two or more ISPs, and to internet service providers who connect to other network providers. If you are the administrator of a small corporate network or an end-user, then you probably don’t need to know about BGP.

    #37. What is Route Redistribution?

    In an environment where multiple routing protocols are being used, route redistribution enables cross-protocol route sharing.

    #38. What is Layer 4 Load balancer?

    A Layer 4 load balancer makes forwarding decisions based on IP addresses and TCP or UDP ports. It has a packet-level view of the traffic exchanged between the client and the server and decides packet by packet. The Layer 4 connection is established directly between the client and the server.

    #39. What is Layer 7 load balancer?

    A Layer 7 load balancer makes decisions based on IP addresses, TCP or UDP ports, and other information it can obtain from the application protocol (mainly HTTP). The Layer 7 load balancer acts as a proxy and maintains two TCP connections: one with the client and one with the server.

    #40. What is Application Profile in configuring Load Balancer?

    Before we create a virtual server to map to the pool, we have to define an application profile that defines the behavior of a particular type of network traffic. When traffic is received, the virtual server processes the traffic based on the values defined in the profile. This allows for greater control over managing your network traffic.

    #41. What is the sub-interface?

    A sub-interface, or an internal interface, is a logical interface that is created and mapped to the physical interface. Sub-interfaces are simply a division of a physical interface into multiple logical interfaces. This logical interface uses the parent physical interface to move data. Remember that you cannot use sub-interfaces for HA because a heartbeat needs to traverse a physical port from one hypervisor to another between the Edge appliances.

    #42. Why is Force Sync NSX Edge necessary for your environment?

    Force sync is a feature that synchronizes the Edge configuration from the NSX Manager to all of its components in an environment. A synchronization action is initiated from the NSX Manager to the NSX Edge that refreshes and reloads the Edge configuration.

    #43. Why is a remote Syslog server necessary to configure in your virtual environment?

    VMware recommends configuring Syslog servers to avoid log flooding on the Edge appliances. When logging is enabled, logs are stored locally on the Edge appliance and consume space. If left unchecked, this can have a performance impact on the Edge appliance and can also result in the Edge appliance stopping due to a lack of disk space.

    Service Composer

    #44. What are Security Policies?

    Security policies are sets of rules that apply to a virtual machine, network, or firewall services. Security policies are reusable rulesets that can be applied to security groups. Security policies express three types of rulesets:

    • Endpoint Services: Guest-based services such as anti-virus solutions and vulnerability management
    • Firewall rules: Distributed Firewall policies
    • Network introspection services: Network services such as intrusion detection systems and encryption

    These rules are applied to all objects and virtual machines that are part of a security group to which this policy is associated.
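As an added example (not NSX code; every VM, group, tag and rule below is constructed), here is a small model of what #10, #12 and this question describe: security groups with dynamic membership by VM name prefix or security tag, security policies whose firewall rulesets are applied to those groups in weight order, and a distributed-firewall style first-match evaluation for a flow between two VMs. A VM that lands in two groups (web-02, tagged for quarantine) shows how the higher-weight policy takes precedence.

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Dynamic membership: VM name prefix and/or a security tag (vCenter objects omitted)."""
    name: str
    name_prefix: str = None
    tag: str = None

    def contains(self, vm):
        return ((self.name_prefix is not None and vm.name.startswith(self.name_prefix))
                or (self.tag is not None and self.tag in vm.tags))


@dataclass
class Rule:
    src: str      # security group name or "any"
    dst: str      # security group name or "any"
    proto: str    # "tcp", "udp" or "any"
    port: int     # destination port, 0 = any
    action: str   # "allow" or "block"


@dataclass
class SecurityPolicy:
    name: str
    weight: int       # higher weight is evaluated first
    rules: list       # the policy's Distributed Firewall ruleset
    applied_to: set   # security groups that receive this policy


def groups_of(vm, groups):
    return {g.name for g in groups if g.contains(vm)}


def evaluate(flow, vms, groups, policies, default="block"):
    """flow = (src_vm, dst_vm, proto, dport). Returns (action, policy name).
    A policy applies only if one of its applied-to groups contains an endpoint of the
    flow, i.e. the DFW enforces it on that VM's vNIC; the first matching rule wins."""
    by_name = {v.name: v for v in vms}
    src, dst = by_name[flow[0]], by_name[flow[1]]
    sg, dg = groups_of(src, groups), groups_of(dst, groups)
    for pol in sorted(policies, key=lambda p: -p.weight):
        if not pol.applied_to & (sg | dg):
            continue
        for r in pol.rules:
            if ((r.src == "any" or r.src in sg) and (r.dst == "any" or r.dst in dg)
                    and r.proto in ("any", flow[2]) and r.port in (0, flow[3])):
                return r.action, pol.name
    return default, "default-rule"


# Constructed sample inventory: web-02 carries a quarantine tag, so it is a member of
# two security groups and the higher-weight quarantine policy wins for it.
VMS = [VM("web-01", "10.1.1.10", {"tier:web"}), VM("web-02", "10.1.1.11", {"tier:web", "quarantine"}),
       VM("app-01", "10.1.2.10", {"tier:app"}), VM("db-01", "10.1.3.10", {"tier:db"})]
GROUPS = [SecurityGroup("SG-Web", name_prefix="web-"), SecurityGroup("SG-App", tag="tier:app"),
          SecurityGroup("SG-DB", tag="tier:db"), SecurityGroup("SG-Quarantine", tag="quarantine")]
POLICIES = [
    SecurityPolicy("Quarantine", 1000, [Rule("any", "any", "any", 0, "block")], {"SG-Quarantine"}),
    SecurityPolicy("3-Tier-App", 100, [
        Rule("SG-Web", "SG-App", "tcp", 8080, "allow"),
        Rule("SG-App", "SG-DB", "tcp", 3306, "allow"),
        Rule("SG-Web", "SG-DB", "any", 0, "block"),
    ], {"SG-Web", "SG-App", "SG-DB"}),
]
```

Running `evaluate(("web-02", "app-01", "tcp", 8080), VMS, GROUPS, POLICIES)` returns the quarantine block even though the same flow from web-01 is allowed by the 3-tier policy.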

    Monitoring

    #45. What is Endpoint Monitoring in NSX?

    Endpoint Monitor provides insight and visibility into applications running within an operating system to ensure that security policies are correctly enforced. Endpoint Monitoring requires guest introspection to be installed. On virtual machines, you will need to install a guest introspection driver, which is part of the VMware tools installation.

    #46. What is Flow Monitoring?

    NSX Flow monitoring is a feature that allows detailed traffic monitoring to and from protected virtual machines. Flow monitoring can uniquely identify different machines and services exchanging data and, when enabled, can identify which machines are exchanging data over specific applications. Flow monitoring also allows live monitoring of TCP and UDP connections and can be used as an effective forensic tool.

    Note: Flow monitoring can only be turned on for NSX deployments where a firewall is enabled.

    #47. What is Traceflow?

    Traceflow is an interesting tool built to allow administrators to seamlessly troubleshoot their virtual network environment by tracing a packet flow in a similar way to the legacy Packet Tracer application. Traceflow enables you to inject a packet into the network and monitor its flow across the network. This flow allows you to monitor your network and identify issues such as bottlenecks or disruptions.

    Managing NSX

    #48. How does the Syslog server work in NSX?

    Configuring NSX Manager with a remote Syslog server lets you collect, view, and save all log files in a central location. This allows you to store logs for compliance purposes; when you use a tool such as VMware vRealize Log Insight, you can create alarms and use the built-in search engine to review logs.

    #49. How do backup and restore work in NSX?

    Backups are critical for an NSX environment, as they allow you to restore it appropriately after a system failure. Apart from vCenter, you can also back up the NSX Manager, controller clusters, NSX Edge, firewall rules, and Service Composer. All of these can be backed up and restored individually.

    #50. What is the SNMP trap?

    Simple network management protocol (SNMP) traps are alert messages sent from a remote SNMP-enabled device to a collector. You can configure the SNMP agent to forward SNMP traps.

    By default, the SNMP trap mechanism is disabled. Only critical and high severity notifications are sent to the SNMP manager when the SNMP trap is enabled.

    I hope you have enjoyed reading this post. Good luck with your interview! 👍