VMware VCP-NV: Network Virtualization Study Guide
The VMware VCP-NV (Network Virtualization) certification validates your ability to design, install, configure, secure, and troubleshoot VMware NSX network-virtualization environments. It is aimed at network and virtualization administrators who deploy and operate NSX overlay networking, distributed routing and switching, micro-segmentation, and NSX Edge services. The exam covers five domains; the current version has 70 items, a 130-minute duration, and a scaled passing score of 300 (VMware reports scores on a 100-500 scale).
Domain 1: Architecture and Technologies
- NSX uses three planes: the Management Plane (NSX Manager, configuration and policy), the Control Plane (CCP/LCP, computes and distributes logical state), and the Data Plane (transport nodes that forward packets).
- The NSX Manager cluster contains three Manager appliance nodes that collapse the management plane and Central Control Plane (CCP) functions into a single converged appliance for high availability.
- The Central Control Plane (CCP) runs inside the Manager cluster and computes the logical networking and security state, then distributes it to the Local Control Plane (LCP) agent on each transport node.
- The Local Control Plane (LCP) runs on every transport node, communicates with the CCP, and programs the data plane (forwarding tables) on that node.
- NSX overlay traffic is encapsulated with Geneve (Generic Network Virtualization Encapsulation), which uses a variable-length options header to carry metadata, replacing the older fixed VXLAN header.
- Tunnel Endpoints (TEPs) are the IP addresses on transport nodes that originate and terminate Geneve tunnels for east-west overlay traffic between nodes.
- The N-VDS (NSX Virtual Distributed Switch) is the NSX-managed switch on transport nodes; on vSphere 7+ NSX can also run directly on the vSphere VDS (CVDS).
- A Transport Zone defines the span of logical segments - which transport nodes can participate in a given overlay or VLAN network; a segment belongs to exactly one transport zone.
- The Policy API is the modern declarative/intent-based RESTful interface (PUT/PATCH of intent) exposed through NSX Manager, while the older Manager API is imperative.
- NSX is multi-hypervisor by design, supporting ESXi and KVM hosts as transport nodes, plus bare-metal and Edge transport nodes.
- The NSX Edge runs centralized services such as N-S routing (SR component), NAT, load balancing, VPN, and gateway firewall; the Edge datapath uses DPDK for performance.
- NSX Federation uses a Global Manager (GM) to coordinate Local Managers (LMs) at each site, providing consistent stretched networking and security policy across locations.
- The Distributed Firewall (DFW) is a kernel-level stateful firewall enforced at the vNIC of every workload, enabling micro-segmentation independent of physical topology.
- If the CCP becomes unavailable, existing data-plane forwarding continues to operate, but no new configuration changes can be applied until the control plane recovers.
Domain 2: NSX Installation and Configuration
- Installation begins by deploying the NSX Manager OVA; the Medium form factor (6 vCPU, 24 GB RAM) is the typical production size, Small (4 vCPU, 16 GB RAM) is for labs and proofs of concept, and three nodes form the cluster.
- The standard host preparation order is: create IP Pool, create Uplink Profile, create Transport Zone, then configure the Transport Node.
- Configuring a host as a transport node automatically installs the NSX VIBs (kernel modules) and configures the host switch (uplink profile + transport zone assignments).
- A Transport Node Profile applies a consistent transport-node configuration to all hosts in a vSphere cluster, including current and future hosts added to that cluster.
- TEP IP addresses are assigned from an IP Pool configured in NSX Manager (or via DHCP); the Uplink Profile defines the TEP VLAN ID and teaming policy.
- The transport VLAN carrying TEP traffic must be trunked end to end, and MTU must be at least 1600 bytes between all TEPs to accommodate Geneve overhead.
- The Uplink Profile defines the teaming policy (failover order or load balancing such as Load Balance Source), the active/standby uplinks, and the transport VLAN ID.
- NTP must be configured and synchronized across all infrastructure; excessive time skew between NSX Manager nodes prevents the cluster from forming or causes cluster instability.
- The NSX Manager cluster VIP must reside on the same subnet as all Manager node management addresses; for cross-subnet redundancy use an external load balancer instead.
- A single NSX Manager cluster can register multiple vCenter Servers as compute managers, allowing NSX to discover ESXi clusters and automate transport-node preparation.
- Edge nodes should be placed on different physical hosts or racks (anti-affinity) so that an Edge cluster survives a single host or rack failure.
- Federation stretches networking and security policy across sites: the Global Manager pushes intent to Local Managers so policies are applied consistently at every location.
- Micro-segmentation is delivered by the Distributed Firewall; it is one of the primary use cases configured immediately after install in brownfield environments.
- NSX supports both in-place migration (Migration Coordinator on existing hardware) and lift-and-shift migration to new NSX infrastructure.
Domain 3: NSX Switching and Routing
- NSX uses a two-tier routing model: Tier-0 gateways provide north-south routing to the physical network, and Tier-1 gateways provide tenant-level routing connected upstream to a Tier-0.
- A common multi-tenant design is a single Tier-0 gateway with a separate Tier-1 gateway per tenant for isolation and independent service configuration.
- Every gateway has a Distributed Router (DR) component that runs on all transport nodes where connected workloads exist, providing optimized first-hop (distributed) routing.
- The Service Router (SR) component runs on Edge nodes and handles stateful or centralized services such as NAT, load balancing, VPN, and gateway firewall.
- A segment (logical switch) is a Layer 2 broadcast domain that spans the transport nodes within its transport zone; an overlay segment uses Geneve while a VLAN segment maps to a VLAN ID with no encapsulation.
- Active-active ECMP routing on a Tier-0 requires at least two Edge nodes; both establish BGP sessions and forward north-south traffic in parallel for higher throughput.
- Active-standby Tier-0/Tier-1 services support preemptive failback - when configured, a recovered preferred Edge node becomes active again automatically.
- BGP is the most common dynamic routing protocol between Tier-0 and physical routers; OSPF is also supported, and area-ID or authentication mismatches will break OSPF adjacency.
- To advertise a Tier-1's connected segments toward the physical fabric you must enable route advertisement (for example Connected Segments) on the Tier-1, and then redistribute the Tier-1 connected routes into BGP on the Tier-0.
- DHCP for overlay workloads can use a local DHCP server on the gateway or DHCP Relay on the Tier-1 to forward requests to an external DHCP server.
- The NSX load balancer attaches to a Tier-1 gateway and consists of a virtual server, a server pool, and a health monitor; persistence (e.g., cookie persistence) keeps a client on one backend.
- NAT services include SNAT (source translation for outbound) and DNAT (destination translation, e.g., to publish an internal web server on a public IP).
- NSX supports IPSec VPN (policy-based or route-based) for site-to-site connectivity and L2 VPN to extend Layer 2 segments between Edge nodes at two sites.
- Service Insertion uses a service chain to redirect (steer) traffic to a partner service VM for advanced inspection beyond native NSX capabilities.
Domain 4: NSX Security
- The Distributed Firewall (DFW) is a stateful, kernel-level firewall enforced at the vNIC of each VM, applying granular policy to workloads regardless of network location (micro-segmentation).
- DFW rule categories are evaluated left to right in this fixed order: Ethernet, Emergency, Infrastructure, Environment, Application; within a category rules are evaluated top to bottom and the first match wins, so a rule in an earlier category always takes precedence over a rule in a later category.
- A common micro-segmentation pattern sets the default rule in the Application category to Drop and places explicit Allow rules above it (positive security / allow-list model).
- Security Groups can use dynamic membership based on NSX security tags applied to workloads, so policy follows the workload automatically as VMs are created or moved.
- If traffic you expect to be blocked is still allowed, check for a higher-priority Allow rule in a category that is evaluated before your Block rule - rule order and category matter.
- Use the Applied To field to scope a policy to specific groups; this reduces rule sprawl and lowers resource (memory/CPU) consumption on transport nodes.
- The Gateway Firewall is a centralized firewall running on the Tier-0 or Tier-1 SR on Edge nodes, used primarily for north-south traffic at the perimeter.
- NSX Distributed IDS/IPS inspects east-west traffic against known threat signatures; setting an IDS/IPS profile rule action to Drop silently discards matching traffic (prevent mode).
- Layer 7 / App-ID context profiles identify applications by inspecting packet payload signatures regardless of the TCP/UDP port used, enabling application-aware firewall rules.
- NSX URL Analysis runs on the Gateway Firewall with Layer 7 context profiles to categorize and report on outbound web traffic by URL.
- Enable logging on individual DFW rules and forward logs to an external syslog server, since the DFW does not retain extensive logs locally.
- Identity Firewall ties DFW rules to Active Directory user identity, allowing policy based on logged-in user rather than only IP or VM.
- Distributed firewall policy follows the workload during vMotion because enforcement is at the vNIC, so security state is preserved across hosts.
- Security tags and groups should be planned around application tiers (web/app/db) to build maintainable, intent-based micro-segmentation policy.
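The category precedence, first-match and Applied To behaviour described in this domain are easiest to reason about with a small simulator. The following is an added example written for this guide, not NSX code or NSX's own evaluation engine: it models a DFW as an ordered list of rules whose match criteria are security tags, evaluates a flow at both the source and destination vNIC, and shows why an Allow rule that a different team placed in the Infrastructure category lets SSH reach the database tier despite an explicit Drop in the Application category. The workloads, tags, rule names and services are constructed sample data; real rules also match on IP sets, MAC addresses and Layer 7 context profiles, which this model leaves out.

```python
from dataclasses import dataclass

# Category order the DFW walks; first match wins, so earlier categories beat later ones.
CATEGORY_ORDER = ("Ethernet", "Emergency", "Infrastructure", "Environment", "Application")


@dataclass(frozen=True)
class Workload:
    name: str
    tags: frozenset          # NSX security tags on the VM (constructed sample data)


@dataclass(frozen=True)
class Rule:
    name: str
    category: str
    action: str                          # "ALLOW", "DROP" or "REJECT"
    src_tags: frozenset = frozenset()    # empty = Any
    dst_tags: frozenset = frozenset()    # empty = Any
    services: frozenset = frozenset()    # e.g. {"tcp/443"}; empty = Any
    applied_to: frozenset = frozenset()  # Applied To groups (by tag); empty = whole DFW

    def matches(self, src: Workload, dst: Workload, service: str) -> bool:
        return ((not self.src_tags or bool(self.src_tags & src.tags))
                and (not self.dst_tags or bool(self.dst_tags & dst.tags))
                and (not self.services or service in self.services))

    def programmed_on(self, vnic_owner: Workload) -> bool:
        """Applied To decides which vNICs receive the rule at all."""
        return not self.applied_to or bool(self.applied_to & vnic_owner.tags)


def ordered_rules(rules):
    """Categories in DFW order; sorted() is stable, so list order is kept within a category."""
    rank = {c: i for i, c in enumerate(CATEGORY_ORDER)}
    for r in rules:
        if r.category not in rank:
            raise ValueError(f"unknown DFW category {r.category!r} in rule {r.name}")
    return sorted(rules, key=lambda r: rank[r.category])


def evaluate_at_vnic(rules, vnic_owner, src, dst, service):
    """First rule that is both programmed on this vNIC and matches the flow wins."""
    for rule in ordered_rules(rules):
        if rule.programmed_on(vnic_owner) and rule.matches(src, dst, service):
            return rule
    return None  # nothing matched: NSX's built-in default Layer 3 rule (ALLOW unless changed)


def evaluate_flow(rules, src, dst, service):
    """A flow must be allowed at the source vNIC (egress) and at the destination vNIC (ingress)."""
    verdicts = {}
    for owner in (src, dst):
        rule = evaluate_at_vnic(rules, owner, src, dst, service)
        verdicts[owner.name] = (rule.name, rule.action) if rule else ("builtin-default", "ALLOW")
    return all(action == "ALLOW" for _, action in verdicts.values()), verdicts


# Constructed workloads for a three-tier app plus a jump host.
WEB = Workload("web-01", frozenset({"web"}))
APP = Workload("app-01", frozenset({"app"}))
DB = Workload("db-01", frozenset({"db"}))
JUMP = Workload("jump-01", frozenset({"jump"}))

SAMPLE_RULES = [  # list position only matters within a category
    Rule("web-to-app", "Application", "ALLOW", frozenset({"web"}), frozenset({"app"}),
         frozenset({"tcp/8443"}), frozenset({"web", "app"})),
    Rule("app-to-db", "Application", "ALLOW", frozenset({"app"}), frozenset({"db"}),
         frozenset({"tcp/3306"}), frozenset({"app", "db"})),
    Rule("block-ssh-to-db", "Application", "DROP",
         dst_tags=frozenset({"db"}), services=frozenset({"tcp/22"})),
    Rule("default-drop", "Application", "DROP"),
    # Added last and in a "management" policy, but Infrastructure is evaluated before Application:
    Rule("allow-ssh-from-jump", "Infrastructure", "ALLOW",
         src_tags=frozenset({"jump"}), services=frozenset({"tcp/22"})),
]

if __name__ == "__main__":
    for src, dst, svc in ((WEB, APP, "tcp/8443"), (JUMP, DB, "tcp/22"), (WEB, DB, "tcp/3306")):
        allowed, verdicts = evaluate_flow(SAMPLE_RULES, src, dst, svc)
        print(f"{src.name} -> {dst.name} {svc}: {'ALLOWED' if allowed else 'DENIED'} {verdicts}")
```

Running it shows jump-01 -> db-01 tcp/22 allowed by allow-ssh-from-jump at both vNICs even though block-ssh-to-db exists; removing that Infrastructure rule (or moving it below the block in the Application category) makes block-ssh-to-db the first match. This is the check to run mentally for the "traffic I expected to be blocked is still allowed" question: walk the categories in order, not the policies in the order they were created.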
Domain 5: NSX Troubleshooting and Operations
- Geneve adds encapsulation overhead, so the physical network MTU must be at least 1600 bytes; an MTU of 1500 causes fragmentation or packet drops on overlay traffic.
- Traceflow is a diagnostic tool that injects a synthetic packet and traces its path through the NSX data plane, showing where (e.g., which DFW rule) a packet is dropped.
- To verify TEP-to-TEP connectivity, run a TEP ping from the ESXi shell between hosts: vmkping ++netstack=vxlan -d -s 1572 <remote TEP IP>. The vxlan netstack is the TEP VMkernel stack, -d sets do-not-fragment, and 1572 bytes of ICMP payload plus the 28 bytes of IP and ICMP headers exactly fills a 1600-byte MTU, so a failure here points at an MTU or VLAN problem in the transport path.
- Verify NSX VIBs on an ESXi host with esxcli software vib list and filter for nsx; missing VIBs indicate incomplete host preparation.
- Upgrades are driven by the Upgrade Coordinator after you upload the upgrade bundle to NSX Manager; the sequence it enforces is Edge clusters first, then host transport nodes, then the Management plane (the NSX Manager nodes) last - never upgrade Manager ahead of the data-plane components.
- When a transport node shows configuration accepted by the management plane but not realized on the data plane, the realized state differs from the intended state and requires investigation of the LCP/CCP path.
- BUM (broadcast, unknown-unicast, multicast) replication uses head-end replication or hierarchical two-tier replication, where a designated host replicates to other hosts in remote TEP subnets.
- The MAC Discovery segment profile has data-plane MAC learning disabled by default on overlay segments; in normal operation each transport node reports its local VM MACs to the CCP, which distributes the MAC, ARP and TEP tables to every node in the transport zone, so a transport node or Edge that has not received its tables from the CCP cannot forward overlay traffic correctly.
- Layer 2 bridging extends an overlay segment to a VLAN using an Edge Bridge Profile, useful for migration or connecting physical workloads.
- NSX backups are taken to a remote SFTP server configured in the NSX Manager UI; restores rebuild Manager configuration and state from that backup, so test SFTP connectivity, credentials, and directory permissions.
- Use packet capture tools such as NSX port mirroring (SPAN/RSPAN) or the ESXi pktcap-uw utility to capture and inspect traffic at specific points in the data path.
- Alarms and the system health dashboard report on the status of NSX components - Manager cluster, Edge nodes, and host transport nodes - and should be the first stop for proactive monitoring.
- NSX CLI (nsxcli) commands on a host such as get logical-switch <segment UUID> mac-table and get logical-switch <segment UUID> arp-table show the entries the host holds for a specific overlay segment, helping isolate east-west connectivity problems.
- If vCenter registration fails, confirm NSX Manager can resolve the vCenter FQDN and reach it on TCP port 443, and verify NTP synchronization between the systems.
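The Geneve encapsulation in Domain 1, the 1600-byte MTU rule in Domains 2 and 5, and the TEP-ping payload size above all come down to the same header arithmetic, and the quickest way to see it is to decode a tunnelled packet. The following is an added example written for this guide, not NSX or VMware code: it builds a constructed outer Ethernet/IPv4/UDP/Geneve packet (made-up MACs, TEP addresses and an 8-byte option TLV with an invented option class), parses it back out the way you would when reading a pktcap-uw or port-mirror capture, and then derives from the measured overhead whether an inner frame fits a given physical MTU and what -s value a TEP ping needs. Geneve field layout follows RFC 8926; the vmkping syntax is the ESXi command for the TEP netstack.

```python
import struct

# Constants from RFC 8926 (Geneve) and the outer IPv4/UDP encapsulation used by NSX TEPs.
GENEVE_UDP_PORT = 6081
ETHERTYPE_IPV4 = 0x0800
GENEVE_PROTO_ETHERNET = 0x6558  # inner payload is an Ethernet frame
OUTER_ETH_LEN, OUTER_IPV4_LEN, UDP_LEN, GENEVE_BASE_LEN = 14, 20, 8, 8

# Constructed sample data: a 1514-byte inner frame (14-byte Ethernet + 1500-byte IP packet)
# and one 8-byte Geneve option TLV (option class 0x0104 is made up for the example).
SAMPLE_INNER_FRAME = bytes.fromhex("005056bb0001005056bb00020800") + b"\x00" * 1500
SAMPLE_OPTION = struct.pack("!HBB", 0x0104, 0x01, 1) + b"\xde\xad\xbe\xef"


def build_sample_geneve_packet(vni: int, inner_frame: bytes, option: bytes = b"") -> bytes:
    """Constructed packet (made-up MACs and TEP addresses): Ethernet + IPv4 + UDP + Geneve + inner."""
    if len(option) % 4:
        raise ValueError("Geneve options are padded to 4-byte words")
    geneve = struct.pack("!BBH", len(option) // 4, 0, GENEVE_PROTO_ETHERNET)  # ver 0, opt len, flags
    geneve += vni.to_bytes(3, "big") + b"\x00" + option                         # 24-bit VNI, reserved
    udp_len = UDP_LEN + len(geneve) + len(inner_frame)
    udp = struct.pack("!HHHH", 40000, GENEVE_UDP_PORT, udp_len, 0)              # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IPV4_LEN + udp_len, 0, 0x4000, 64, 17, 0,
                     bytes([10, 10, 50, 11]), bytes([10, 10, 50, 12]))           # DF set, proto UDP
    eth = bytes.fromhex("005056aa0002") + bytes.fromhex("005056aa0001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + geneve + inner_frame


def parse_geneve_frame(frame: bytes) -> dict:
    """Decode the outer headers of a Geneve packet; raise ValueError for anything that is not Geneve."""
    if len(frame) < OUTER_ETH_LEN + OUTER_IPV4_LEN + UDP_LEN + GENEVE_BASE_LEN:
        raise ValueError("frame too short for a Geneve packet")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[OUTER_ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if dport != GENEVE_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not Geneve (6081)")
    gen = udp[UDP_LEN:]
    if gen[0] >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    opt_len = (gen[0] & 0x3F) * 4                       # option length is in 4-byte words
    protocol = struct.unpack("!H", gen[2:4])[0]
    vni = int.from_bytes(gen[4:7], "big")
    options, pos = [], GENEVE_BASE_LEN
    while pos < GENEVE_BASE_LEN + opt_len:              # walk the option TLVs
        if pos + 4 > len(gen):
            raise ValueError("truncated Geneve option")
        opt_class, opt_type, flags_len = struct.unpack("!HBB", gen[pos:pos + 4])
        data_len = (flags_len & 0x1F) * 4
        options.append((opt_class, opt_type, gen[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    overhead = OUTER_ETH_LEN + ihl + UDP_LEN + GENEVE_BASE_LEN + opt_len
    return {
        "outer_src": ".".join(map(str, ip[12:16])), "outer_dst": ".".join(map(str, ip[16:20])),
        "udp_sport": sport, "vni": vni, "protocol": protocol, "options": options,
        "overhead": overhead, "inner_frame": gen[GENEVE_BASE_LEN + opt_len:],
    }


def encapsulated_ip_length(inner_frame_len: int, option_bytes: int = 0) -> int:
    """Size of the outer IPv4 packet, which is what the uplink MTU limits (outer Ethernet excluded)."""
    return OUTER_IPV4_LEN + UDP_LEN + GENEVE_BASE_LEN + option_bytes + inner_frame_len


def fits_physical_mtu(physical_mtu: int, inner_frame_len: int, option_bytes: int = 0) -> bool:
    return encapsulated_ip_length(inner_frame_len, option_bytes) <= physical_mtu


def tep_ping_command(remote_tep: str, physical_mtu: int = 1600) -> str:
    """vmkping on the TEP netstack with DF set; payload = MTU minus 20 (IPv4) minus 8 (ICMP) bytes."""
    return f"vmkping ++netstack=vxlan -d -s {physical_mtu - 28} {remote_tep}"


if __name__ == "__main__":
    meta = parse_geneve_frame(build_sample_geneve_packet(70001, SAMPLE_INNER_FRAME, SAMPLE_OPTION))
    print(f"VNI {meta['vni']} {meta['outer_src']} -> {meta['outer_dst']}, overhead {meta['overhead']} bytes")
    for mtu in (1500, 1600):
        ok = fits_physical_mtu(mtu, len(SAMPLE_INNER_FRAME), len(SAMPLE_OPTION))
        print(f"physical MTU {mtu}: 1500-byte inner IP packet fits? {ok}")
    print(tep_ping_command("10.10.50.12"))
```

With no options the overhead inside the outer IP MTU is 50 bytes (20 + 8 + 8 + 14 for the inner Ethernet header), so a 1500-byte uplink MTU leaves only 1450 bytes for the inner IP packet; NSX adds option TLVs for features such as Traceflow, which is why the requirement is stated as at least 1600 rather than exactly 1550.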
VMware VCP-NV exam tips
- Memorize the three-plane model (Management/Control/Data) and which component lives where: NSX Manager cluster (3 nodes) holds the Management Plane plus the converged CCP, while the LCP runs on each transport node.
- Lock down the two ordered lists the exam loves: the install workflow (IP Pool > Uplink Profile > Transport Zone > Transport Node) and the upgrade order (Edge clusters > Host transport nodes > Management plane last, driven by the Upgrade Coordinator).
- Know the MTU rule cold: Geneve overhead requires at least 1600 bytes end to end; an MTU of 1500 is a classic cause of overlay drops and a frequent distractor.
- Understand DFW category precedence (Ethernet, Emergency, Infrastructure, Environment, Application) and that an Allow rule evaluated earlier overrides a Block rule evaluated later - many security questions hinge on rule order.
- For routing questions, separate Tier-0 (north-south to physical, ECMP/BGP) from Tier-1 (tenant), and distinguish the distributed DR (on all hosts) from the centralized SR (on Edge nodes).
Study guide FAQ
How many questions are on the VCP-NV exam and how long do I get?
The current exam has 70 questions and a 130-minute time limit, with a scaled passing score of 300 on VMware's 100-500 scale. That is a little under two minutes per question, so answer the short factual items quickly and flag longer scenario items to revisit.
Which NSX version should I study for VCP-NV?
Study current NSX (the NSX-T 3.x / NSX 4.x lineage that dropped the -T suffix). Focus on the Policy (declarative) API and management UI, two-tier Tier-0/Tier-1 routing, the Distributed Firewall, and Federation, since these are the architecture and features the modern exam tests.
What is the difference between the Manager API and the Policy API?
The Policy API is the modern declarative, intent-based interface where you PUT or PATCH the desired end state and NSX realizes it; the Manager API is the older imperative model where you create objects individually. New deployments and the exam emphasize the Policy API.
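The declarative model is easier to see with a concrete intent. The following is an added example written for this guide, not VMware code or an NSX SDK: it assembles the Policy API objects for a tag-based three-tier micro-segmentation policy as PUT requests against the paths NSX Manager exposes (groups and security policies under /policy/api/v1/infra/domains/default), runs static checks on the intent before anything is sent, and includes a small sender that uses basic authentication. The group and rule identifiers, tags, and the use of the predefined HTTPS and MySQL services are assumptions made for the example; send_intent is not exercised offline and its verify_tls=False path is for lab Managers with self-signed certificates only.

```python
import base64
import json
import ssl
import urllib.request

# Policy API paths hang off /policy/api/v1/infra; the default domain holds groups and DFW policies.
POLICY_BASE = "/policy/api/v1"
DOMAIN = "/infra/domains/default"
CATEGORIES = ("Ethernet", "Emergency", "Infrastructure", "Environment", "Application")


def tag_group(group_id: str, tag: str) -> tuple:
    """Group with dynamic membership: every VM carrying the NSX tag `tag` (assumed unscoped tags)."""
    body = {"resource_type": "Group", "id": group_id, "display_name": group_id,
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS", "value": tag}]}
    return ("PUT", f"{POLICY_BASE}{DOMAIN}/groups/{group_id}", body)


def group_paths(ids):
    """Groups are referenced by policy path; an empty list means ANY."""
    return [f"{DOMAIN}/groups/{g}" for g in ids] if ids else ["ANY"]


def rule(rule_id, sequence, action, src=None, dst=None, services=None, applied_to=None) -> dict:
    """One DFW rule; `applied_to` becomes the rule scope (the Applied To field)."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "sequence_number": sequence, "action": action,
            "source_groups": group_paths(src), "destination_groups": group_paths(dst),
            "services": [f"/infra/services/{s}" for s in services] if services else ["ANY"],
            "scope": group_paths(applied_to), "logged": True}


def security_policy(policy_id: str, category: str, rules: list, sequence: int = 1) -> tuple:
    body = {"resource_type": "SecurityPolicy", "id": policy_id, "display_name": policy_id,
            "category": category, "sequence_number": sequence, "rules": rules}
    return ("PUT", f"{POLICY_BASE}{DOMAIN}/security-policies/{policy_id}", body)


def build_intent() -> list:
    """Desired end state for a three-tier app: tag groups plus an allow-list policy ending in DROP."""
    return [
        tag_group("web", "web"), tag_group("app", "app"), tag_group("db", "db"),
        security_policy("three-tier-app", "Application", [
            rule("web-to-app", 10, "ALLOW", ["web"], ["app"], ["HTTPS"], ["web", "app"]),
            rule("app-to-db", 20, "ALLOW", ["app"], ["db"], ["MySQL"], ["app", "db"]),
            rule("default-drop", 1000, "DROP", applied_to=["web", "app", "db"]),
        ]),
    ]


def validate_intent(intent: list) -> list:
    """Static checks before sending: known groups, valid category, ordered sequences, final DROP."""
    problems = []
    groups = {body["id"] for _, _, body in intent if body["resource_type"] == "Group"}
    for _, _, body in intent:
        if body["resource_type"] != "SecurityPolicy":
            continue
        if body["category"] not in CATEGORIES:
            problems.append(f"{body['id']}: unknown category {body['category']}")
        rules = body["rules"]
        seqs = [r["sequence_number"] for r in rules]
        if seqs != sorted(set(seqs)):
            problems.append(f"{body['id']}: sequence numbers must be unique and ascending")
        if not rules or rules[-1]["action"] != "DROP":
            problems.append(f"{body['id']}: last rule is not a default DROP")
        for r in rules:
            for ref in r["source_groups"] + r["destination_groups"] + r["scope"]:
                if ref != "ANY" and ref.rsplit("/", 1)[1] not in groups:
                    problems.append(f"{r['id']}: references undefined group {ref}")
    return problems


def send_intent(intent, manager, username, password, verify_tls=True):
    """PUT each object; re-running converges to the same state instead of creating duplicates."""
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    for method, path, body in intent:
        req = urllib.request.Request(f"https://{manager}{path}", data=json.dumps(body).encode(),
                                     method=method, headers={"Authorization": f"Basic {auth}",
                                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            yield path, resp.status


if __name__ == "__main__":
    intent = build_intent()
    print("problems:", validate_intent(intent) or "none")
    for method, path, body in intent:
        print(method, path, json.dumps(body)[:80] + "...")
```

The contrast with the imperative Manager API is in the verbs: each object here is a PUT of its full desired state keyed by a stable id, so the same script is safe to run twice and a drift between this intent and what the realized state shows is something to investigate, not something the script has to reconcile step by step.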
How much hands-on experience do I need to pass?
VMware recommends real experience installing and operating NSX. Practice deploying the Manager cluster, preparing transport nodes, building segments and Tier-0/Tier-1 gateways, writing DFW micro-segmentation rules, and running Traceflow and TEP ping for troubleshooting - the exam rewards practical familiarity over rote memorization.