Pre-Summer Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

NCP-NS-7.5 Nutanix Certified Professional - Network and Security (NCP-NS) 7.5 Questions and Answers

Questions 4

An administrator has been tasked with upgrading the Nutanix cluster to a newer version of AOS. The cluster is running a mix of different versions across nodes... What is the recommended first step when upgrading a Nutanix cluster with different AOS versions across nodes?

Options:

A.

Begin by upgrading the storage and network components to the latest version before upgrading the controller VMs.

B.

Upgrade all nodes to the same version of AOS before proceeding with any other components.

C.

Upgrade the Nutanix Controller VMs first to ensure compatibility with the new AOS version.

D.

Upgrade the entire cluster at once to minimize downtime and ensure consistency.

Buy Now
Questions 5

An administrator notices that several VMs in a Nutanix AHV cluster are intermittently losing network connectivity. In Prism Central, a critical alert appears: "Network Function VM (NFVM) packet processing delays" What is the next step that the administrator should take for this issue?

Options:

A.

Review the Alerts and Events in Prism Central to confirm if the affected host shows NIC or uplink errors.

B.

Reboot the affected VMs to re-establish virtual NIC connections.

C.

Increase the MTU size on all virtual switches to improve packet throughput.

D.

Disable all Flow policies on the cluster to eliminate microsegmentation as the cause.

Buy Now
Questions 6

An administrator is building a new VPC in Prism Central to isolate a test environment. The administrator plans to connect it to an external network later, but they want to complete the initial creation first. Which configuration items are the minimum required to successfully create the VPC?

Options:

A.

VPC name and one External Access VLAN

B.

VPC name and Transit VPC toggle switch

C.

VPC name and one Overlay Subnet

D.

VPC name and cluster selection

Buy Now
Questions 7

An administrator is deploying a multi-tier (web, app, database) application on a Nutanix cluster using AHV. The administrator needs to allow internal communication between tiers and provide external access to the web tier. How should the administrator satisfy this requirement?

Options:

A.

Create separate VLAN networks for each tier and configure routing on the physical network.

B.

Create a VPC with a single subnet and assign workloads of each tier to this subnet.

C.

Create separate VPCs for each tier and connect them to the same external NAT network and configure routing policies for inter-tier traffic.

D.

Create a VPC with subnets for each tier and configure the Externally Routable Prefix to include only web subnets.

Buy Now
Questions 8

An administrator plans to upgrade a Nutanix cluster running AHV and Prism Central. The current cluster is on AOS 6.10, and the administrator wants to move to AOS 7.3 while ensuring all components remain compatible. What is the correct upgrade order to minimize downtime and maintain cluster functionality?

Options:

A.

Upgrade CVMs - > Upgrade cluster AOS - > Upgrade Prism Central - > Upgrade AHV hosts

B.

Upgrade cluster AOS - > Upgrade AHV hosts - > Upgrade Prism Central - > Upgrade CVMs

C.

Upgrade Prism Central - > Upgrade AHV hosts - > Upgrade CVMs - > Upgrade cluster AOS

D.

Upgrade AHV hosts - > Upgrade cluster AOS - > Upgrade Prism Central - > Upgrade CVMs

Buy Now
Questions 9

What is the role of the Network Controller in Flow Virtual Networking?

Options:

A.

Distribute the network traffic load across multiple guest VMs efficiently.

B.

It enables you to configure and manage common administrative tasks that are applicable to the platform and various Nutanix apps.

C.

It is used to create VPN, VTEP, or BGP gateways to connect subnets using VPN connections, Layer 2 subnet extensions over VPN or VTEP, or over BGP session.

D.

It manages configuration, monitoring, and optimization of network resources.

Buy Now
Questions 10

An administrator manages a four-node cluster Each node has a 4 available 10GB uplinks, and all four are configured as an Active/Active bundle. They want to use Flow Virtual Networking to provide networking to the VMs in the cluster with the following requirements: VMs should be in a single VPC. VMs should be reachable by their real IP addresses. The VPC should have access to the most north/south bandwidth possible. No changes can be made to the physical infrastructure. How can this best be achieved?

Options:

A.

Create a VPC with a single No-NAT External Network with three gateway nodes.

B.

Create a VPC with four No-NAT External Networks, each with a single gateway node.

C.

Create a VPC with a single No-NAT External Network with four gateway nodes.

D.

Create a VPC with a single NAT External Network with three gateway nodes.

Buy Now
Questions 11

An enterprise has deployed a VPC called FinanceVPC using Nutanix Flow Virtual Networking. The Finance team needs the following connectivity: Internal servers in the VPC must reach an on-premises corporate data-center via a point-to-point encrypted link. Some servers in the VPC must also access the public internet with source NAT and receive inbound access via floating IPs. The corporate network uses overlapping IP space with other VPCs in the environment, so address translation is necessary for those workloads. The networking design must support routing via BGP for future site expansions and provide low-latency north-south connectivity. Which actions should the administrator take to satisfy this requirement?

Options:

A.

Use two No-NAT External Networks—one for the on-prem link and one for Internet access; configure static routes for both without NAT.

B.

Use a single No-NAT External Network for both on-prem and Internet access; configure BGP and direct routing out to the internet without NAT.

C.

Use a No-NAT External Network for the on-premises link and a NAT External Network for Internet access. Configure a VPN tunnel to the on-premises location and enable BGP on the VPC router for the on-premises link.

D.

Use a single NAT External Network for both the on-prem link and Internet access; configure a default route to the external network and enable SNAT and floating IPs for all traffic.

Buy Now
Questions 12

An administrator creates a new VPC in No NAT mode to allow VMs in a web tier to reach an external firewall. After deployment... none of the VMs can reach external IP addresses... Which action should the administrator take to restore routed north-south connectivity from the VPC?

Options:

A.

Configure a Flow Security Policy to allow egress traffic from the VPC subnet.

B.

Create an Externally Routable Prefix (ERP) entry for the overlay subnet in the VPC.

C.

Change the VPC mode to NAT so that outbound traffic is automatically translated.

D.

Add a default static route in each VM pointing to the external firewall's IP address.

Buy Now
Questions 13

While configuring a new security policy in a Nutanix microsegmentation environment, an administrator wants the policy to remain flexible even if virtual machines change subnets or obtain new IP addresses. Which configuration approach should the administrator use when defining the policy scope?

Options:

A.

Configure the policy only on specific VLAN IDs.

B.

Use VM categories to define the secured and allowed entities.

C.

Apply the policy after setting static routes for each VM.

D.

Assign IP addresses manually to all VMs included in the policy.

Buy Now
Questions 14

Which prerequisite is required before enabling Flow Network Security Next-Gen micro segmentation?

Options:

A.

Network Controller must be enabled in Prism Central.

B.

All workloads should be on VLAN networks.

C.

A Flow license is optional and cannot be installed later.

D.

The environment must use ESXi as the hypervisor.

Buy Now
Questions 15

Which statement is correct about cloning Application Security Policies?

Options:

A.

The system prevents saving the cloned policy if it has the same secured entities as the original.

B.

The policy type can be changed while cloning a policy.

C.

Only one policy can be cloned at a time.

D.

The default name of the cloned policy must be manually entered; the system does not provide a default.

Buy Now
Questions 16

An administrator has created a VPC with the following subnets: 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 What action must be taken for these networks to be externally routable?

Options:

A.

Assign a No-NAT External Network & ERP 10.1.0.0/22

B.

Assign a No-NAT External Network & ERP 10.1.0.0/23

C.

Assign a NAT External Network & ERP 10.1.0.0/22

D.

Assign a NAT external network & ERP 10.1.0.0/23

Buy Now
Questions 17

An administrator needs to delegate the management of security policies to a dedicated SecOps team. To enforce the principle of least privilege, the administrator assigns the predefined Flow Policy Author role to a user on the team. The user confirms they can create, monitor, and enforce security policies. However, when attempting to build a new application security policy for a set of newly deployed VMs, the user reports they are unable to create a new category to group these VMs. The option is not available in the Prism Central UI. Which statement explains this behavior?

Options:

A.

The Flow Policy Author role must be cloned into a custom role before it can be used.

B.

The user's role must be assigned with a scope for the specific projects they manage.

C.

The user is missing the Flow Admin role, which is required for category management.

D.

The Flow Policy Author role can only apply policies to existing categories by design.

Buy Now
Questions 18

An administrator is deploying a new multi-tenant environment in Prism Central and has created a VPC named TenantVPC1. The administrator needs to enable external connectivity for this VPC so that some services inside the VPC can be accessed from the corporate network without NAT translation, while other services require Internet access through SNAT translation. The administrator plans to use an External Network(s) to provision this connectivity. Which configuration should the administrator apply to satisfy this requirement?

Options:

A.

Create two External Networks for TenantVPC1: one NAT (for Internet access) and one Routed/No-NAT (for corporate network access). Attach both to the VPC.

B.

Create two External Networks both of type Routed/No-NAT and attach both to TenantVPC1, one for corporate access and one for internet access.

C.

Create a single External Network of type NAT only and attach it to TenantVPC1. Define SNAT and Floating IPs for both the corporate-network services and internet-facing services.

D.

Create one External Network of type Routed/No-NAT only, attach to TenantVPC1, and configure routing policy to translate IP addresses for internet-facing services.

Buy Now
Questions 19

When configuring an Application policy, an administrator defines a VM Category Application:MySQL as a Secured Entity. The administrator wants to ensure that traffic between VMs in the Secured Entity is kept to only required replication traffic on the default mysql service port. How should the administrator best accomplish this?

Options:

A.

Create an Inter-Tier Rule specifying the mysql service as the allowed traffic.

B.

Create an Intra-Tier Rule specifying the mysql service as the allowed traffic.

C.

Create an Inbound Rule specifying the mysql service as the allowed traffic.

D.

Create an Outbound Rule specifying the mysql service as the allowed traffic.

Buy Now
Questions 20

An administrator needs to configure a security policy that controls VM-to-VM communication within a category defined as secured entity. Which configuration action should the administrator take to restrict all intra-tier communication between the VMs within a category defined as secured entity?

Options:

A.

Apply the policy with inbound rules that block all inter-VM communication.

B.

Configure the security policy with allow-all intra-tier traffic.

C.

Set the security policy to allow-specific traffic for intra-tier communication.

D.

Use deny-all intra-tier traffic configuration in the policy.

Buy Now
Questions 21

Before creating a new Application Security Policy in Prism Central, what prerequisite must exist?

Options:

A.

A category key/value pair must be defined for use in the policy.

B.

Flow Network Security must be enabled on all registered clusters.

C.

Targeted VMs must have category assignments.

D.

The Network Controller must be deployed on each cluster in the policy's scope.

Buy Now
Questions 22

An administrator has configured a VPC and associated a NAT external network. A virtual machine connected to a subnet within this VPC is required to be accessible externally. What action must the administrator take to accomplish this?

Options:

A.

Configure a static route on the VPC's routing table.

B.

Create a Network Security Group allowing inbound traffic.

C.

Assign a Floating IP address to the virtual machine.

D.

Attach a second interface to the virtual machine.

Buy Now
Questions 23

Refer to Exhibit:

An administrator is reviewing an enforced security policy "Secure 3-VM Inventory App", as shown in the exhibit. The policy's inbound rules are configured to allow traffic from specific sources to each tier of the application. The visualization shows one blocked traffic flow. Based on the information presented in the exhibit, which statement best describes this behavior?

Options:

A.

The AppTier: FrontEnd and AppTier: AppLogic entities are on different subnets.

B.

The Inventory App VM is being blocked from initiating a connection to the AppTier: Database category.

C.

The AppTier: Database category is being blocked from initiating a connection to the Inventory App VM.

D.

The security policy is blocking traffic because the Inventory App VM is using a port not allowed by the policy.

Buy Now
Questions 24

Which policy mode blocks all traffic that is not explicitly allowed by the policy?

Options:

A.

Monitor Mode

B.

Save Mode

C.

Block Mode

D.

Enforce Mode

Buy Now
Questions 25

When cloning a Flow Network Security policy, what should be verified before enabling Enforce mode?

Options:

A.

The cloned policy's secured entities reference the intended categories.

B.

The cloned policy is configured to a different scope than the source policy.

C.

The cloned policy must first be saved before it can be enforced.

D.

The cloned policy must be renamed before it can be enforced.

Buy Now
Questions 26

A customer wants to extend a VLAN subnet to a remote data center using VTEP. The administrator configures a Subnet Extension which shows UP in the Prism Interface, yet traffic fails to pass. Which setting is most likely misconfigured?

Options:

A.

Route Policy for VTEP has not been configured.

B.

VLAN ID does not match in the remote data center.

C.

Remote gateway IP address has not been configured.

D.

VXLAN UDP port is set to 4789.

Buy Now
Questions 27

A service-insertion firewall VM protects user VMs access to the internet. The virtual and physical switches, as well as all user VMs, currently use the default MTU size of 1500. Everything functions normally until a user VM is migrated to another host. After the migration, the user reports that some websites fail to load while ping to those same sites still succeeds. Routing and security policies appear normal. Which two configuration changes could resolve the issue? (Choose two.)

Options:

A.

Increase the MTU across all vSwitch and physical uplinks on the relevant network path to 1558 or greater.

B.

Lower the MTU across all vSwitch and physical uplinks on the relevant network path to 1442 or lower.

C.

Decrease the MTU on the user VM's vNIC to 1442 or lower.

D.

Increase the MTU on the user VM's vNIC to 1558 or greater.

Buy Now
Questions 28

In Nutanix Flow, which action transitions a security policy from observing traffic to actively enforcing the rules?

Options:

A.

Disable Traffic Visualization for the policy.

B.

Enforce policy by setting its scope.

C.

Change policy mode from Monitor to Save.

D.

Change policy mode from Monitor to Enforce.

Buy Now
Questions 29

An administrator has two user VPCs connected via a Transit VPC. Routing works for most subnets, but one overlay subnet cannot reach external networks. What is the most probable cause?

Options:

A.

Incorrect ASN in the BGP configuration in the Transit VPC

B.

Mismatch in ERP configuration in user and Transit VPC

C.

Floating IP not assigned to the gateway

D.

DHCP configuration is disabled on the overlay subnet in the user VPC

Buy Now
Questions 30

An administrator must delegate management of a single tenant VPC to a junior engineer. The engineer should be able to modify that VPC but must not see or change any other VPCs or networking configurations in Prism Central. The administrator wants to meet this requirement using RBAC. Which action should the administrator take to meet this requirement?

Options:

A.

Assign the Network Infrastructure Admin role and restrict its scope to the desired VPC.

B.

Assign the VPC Admin role and restrict its scope to the desired VPC.

C.

Assign a Custom Role cloned from Network Infrastructure Admin and restrict its scope to the desired VPC.

D.

Assign a Custom Role cloned from VPC Admin and restrict its scope to the desired VPC.

Buy Now
Questions 31

An administrator recently deployed a new set of virtual machines... 3-tier web application... restricted as follows: Only application VMs can talk to database VMs on port 3306 Frontend VMs should only communicate with application VMs on port 8080 Which action will correctly create and configure the Security Policies in Nutanix Flow to satisfy this task?

Options:

A.

Create VLANs for each tier and configure ACLs to restrict communication.

B.

Create IP-based rules for each VM category within a Security Policy.

C.

Configure a global "Allow All" Security Policy and rely on guest OS firewalls for tier-based restrictions.

D.

Create categories for each tier then define an Application Policy allowing specific ports between them.

Buy Now

NCP-NS |

Exam Code: NCP-NS-7.5
Exam Name: Nutanix Certified Professional - Network and Security (NCP-NS) 7.5
Last Update: Apr 26, 2026
Questions: 106
NCP-NS-7.5 pdf

NCP-NS-7.5 PDF

$25.5  $84.99
NCP-NS-7.5 Engine

NCP-NS-7.5 Testing Engine

$30  $99.99
NCP-NS-7.5 PDF + Engine

NCP-NS-7.5 PDF + Testing Engine

$40.5  $134.99