NSX-T 3.1.1 released with support for OSPFv2

VMware NSX-T 3.1.1 has just been released with the awaited OSPF routing support for northbound connectivity. Prior to 3.1.1 no OSPF routing protocol was available, so we had to use BGP as the dynamic routing protocol for connecting to the corporate and outside networks.

OSPF can be enabled only on external interfaces, and those interfaces can all be in the same OSPF area, even across multiple Edge Nodes. That's great news if you have NSX-V in your environment and are planning to migrate to NSX-T, because OSPFv2 will make the migration a lot easier if you are already using OSPF in your environment.

There are lots of other enhancements in 3.1.1; I list some of the key ones below:

L3 Networking

  • OSPFv2 Support on Tier-0 Gateways
    • NSX-T Data Center now supports OSPF version 2 as a dynamic routing protocol between Tier-0 gateways and physical routers. OSPF can be enabled only on external interfaces and can all be in the same OSPF area (standard area or NSSA), even across multiple Edge Nodes. This simplifies migration from the existing NSX for vSphere deployment already using OSPF to NSX-T Data Center.

NSX Data Center for vSphere to NSX-T Data Center Migration

  • Support of Universal Objects Migration for a Single Site
    • You can migrate your NSX Data Center for vSphere environment deployed with a single NSX Manager in Primary mode (not secondary).
  • Migration of NSX-V Environment with vRealize Automation – Phase 2
    • The Migration Coordinator interacts with vRealize Automation (vRA) to migrate environments where vRealize Automation provides automation capabilities. This release adds additional topologies and use cases to those already supported in NSX-T 3.1.0.
  • Modular Migration for Hosts and Distributed Firewall
    • The NSX-T Migration Coordinator adds a new mode to migrate only the distributed firewall configuration and the hosts, leaving the logical topology (L3 topology, services) for you to complete. You can benefit from the in-place migration offered by the Migration Coordinator (hosts moved from NSX-V to NSX-T while going through maintenance mode, firewall states and memberships maintained, layer 2 extended between NSX for vSphere and NSX-T during migration) that lets you (or a third-party automation) deploy the Tier-0/Tier-1 gateways and relative services, hence giving greater flexibility in terms of topologies. This feature is available from UI and API.
  • Modular Migration for Distributed Firewall available from UI
    • The NSX-T user interface now exposes the Modular Migration of firewall rules. This feature simplifies lift-and-shift migration where you vMotion VMs between an environment with hosts with NSX for vSphere and another environment with hosts with NSX-T by migrating firewall rules and keeping states and memberships (hence maintaining security between VMs in the old environment and the new one).
  • Fully Validated Scenario for Lift and Shift Leveraging vMotion, Distributed Firewall Migration and L2 Extension with Bridging
    • This feature supports the complete scenario for migration between two parallel environments (lift and shift) leveraging NSX-T bridge to extend L2 between NSX for vSphere and NSX-T, the Modular Distributed Firewall.

Identity Firewall

  • NSX Policy API support for Identity Firewall configuration
    • Setup of Active Directory, for use in Identity Firewall rules, can now be configured through NSX Policy API

Advanced Load Balancer Integration

  • Support Policy API for Avi Configuration
  • Service Insertion Phase 2 – Transparent LB in NSX-T advanced load balancer

Some other key features and changes:

  • Support for Guest Users and Local User accounts
  • Upgraded FIPS compliant Bouncy Castle
  • NSX Cloud
    • NSX Marketplace Appliance in Azure
    • NSX Cloud Service Manager HA
    • NSX Cloud for Horizon Cloud VDI enhancements
  • UI-based Upgrade Readiness Tool for migration from NVDS to VDS with NSX-T Data Center
  • Enable VDS in all vSphere Editions for NSX-T Data Center Users
  • This release supports a maximum scale of 50 Clusters (ESXi clusters) per vCenter enabled with vLCM, on clusters enabled for vSphere with Tanzu
  • Starting with NSX-T 3.1.1, NSX-T will reject x509 certificates with duplicate extensions

There is a long list of bug fixes in this release.

Check out the details on the official VMware release notes here.

Support for NSX-T in VMware Skyline 2.5

Good news for NSX-T users: VMware announced the VMware Skyline Collector 2.5 and Advisor releases with support for NSX-T and new Findings & Recommendations.

Skyline now supports NSX-T 2.5 and above, which means you can connect your NSX-T endpoints to your collectors, and Skyline will then discover your proactive NSX-T Findings and Recommendations within Advisor. Just bear in mind that it may take 24-48 hours for these new findings to appear within Skyline Advisor.

The other handy feature is the ability to automatically upload an NSX-T tech support log bundle to VMware technical support using Log Assist, which will save operations support teams a lot of time when dealing with technical support cases for NSX-T.

There are new Findings and Recommendations:

  • NSX-T Findings that pick up deployment issues within your NSX-T environment
  • VMware Security Advisories: new security advisories have been added to inform you about potential vulnerabilities so you can stay vigilant about security risks

If you have the Auto Upgrade feature enabled in your Skyline Collector, your Collectors will update automatically. Otherwise you can download the new version from the Collector VAMI. Note: the Skyline Collector must be able to receive update notifications from vapp-updates.vmware.com.

VMware NSX-T 3.0 released

VMware announced NSX-T 3.0 General Availability a few days ago and it’s now available for download in VMware’s portal.

NSX-T 3.0 is a major upgrade from 2.5.1 and has plenty of new features, improvements as well as bug fixes.

I have summarized some of the important features and improvements of the new NSX-T 3.0 in this post and I hope you will find it informative.

Here are the new features:

NSX Federation

  • NSX Federation is the ability to manage, control and synchronize multiple NSX-T deployments over different locations in on-prem, AWS, Azure and Public Clouds.
  • Global Manager is the key component of NSX Federation. It provides a GUI and a REST API endpoint and lets you configure consistent security policies across multiple locations, as well as stretched networking objects such as Tier-0 and Tier-1 gateways and segments, through a single pane of glass.
  • In the YouTube video below, Dimitri Desmidt explains NSX-T Federation in detail as part of the Tech Field Day 21 VMware Demo and Preview program.
  • Security policies attach to the workload, which means the policies move with the workload during failover or migration between environments. This takes care of full network and security failover along with SRM VM failover, which simplifies DR because the network entities are created once and the segments are stretched across locations. So in the event of a disaster, the workload can be fully failed over to the recovery location with all the security policies in place.

Comprehensive Threat Protection (Distributed IDS/IPS)

  • NSX Distributed Firewall (DFW) now supports Windows 2016 physical servers in addition to Linux physical servers.
  • New Firewall configuration wizard that simplifies rule creation, especially for VLAN-backed micro-segmentation
  • Distributed IDS/IPS, Micro-Segmentation for Windows Physical Servers, Time-based Firewall Rules, and a feature preview of URL Analysis for URL Classification and Reputation.
  • The intrusion detection and prevention capabilities can now be enabled within the hypervisor to detect vulnerable network traffic on a per-VM basis or, even more granularly, per vNIC of a VM, with granular context-based rule inspection. NSX Manager easily downloads the threat signature pack and keeps it updated.
  • IDS/IPS can be enabled within the hypervisor to detect vulnerable network traffic per VM or, even more granularly, per vNIC of a VM
  • Threat detection in NSX IDS is much more efficient compared to traditional IDS due to its context-based inspection mechanism, so you can assign relevant signatures to a VM based on the running services, i.e. Linux or Windows

NSX-T networking and security for vSphere with Kubernetes

  • Supports full-stack networking and security for vSphere with Kubernetes, including key networking functions: Switching, Distributed routing (T0/T1), Distributed Firewalling, load balancing, Distributed LB, NAT and IPAM, and network identity lifecycle.
  • Watch the YouTube video below from Vinay Reddy, which explains the networking and security capabilities of NSX-T in vSphere with Kubernetes:
NSX-T for vSphere Kubernetes by Vinay Reddy
  • Integration with VMware Tanzu Kubernetes Grid Service
  • L2-7 container networking services to non-VMware Kubernetes platforms

Telco cloud enhancements

  • Multi tenancy enhancement and support by adding VRF Lite and Overlay EVPN
  • VRF Lite support provides multi-tenant data plane isolation through Virtual Routing Forwarding (VRF) in Tier-0 gateway
  • L3 EVPN support provides northbound connectivity for Telco VNFs to the overlay networks and maintains isolation on the data plane by using one VNI per VRF
  • Multicast routing for scalable networking and accelerated data plane performance. Multicast replication is only supported on T0. According to VMware, T1 will be supported in future releases.
  • NAT64 which provides stateful NAT from IPv6 to IPv4
  • East-West service chaining for NFV is the ability to chain multiple services for edge traffic that can now also be extended to redirect edge traffic.
  • IPv6 support for containers

Some other new features

Converged VDS 7.0

  • NSX-T now supports VDS, and you can deploy NSX-T on an existing VDS 7.0 with no VM network disruption, which makes deployments much easier in brownfield environments.

Support for vRNI 5.2

  • “In addition to NSX, VMware also rolled out VMware vRealize Network Insight 5.2, the company’s network visibility and analytics software. The new software features machine learning support for Flow Based Application Discovery will automatically group VMs into applications and tiers for a better understanding of what is occurring on the infrastructure,” VMware stated.
  • “vRealize Network Insight 5.2 has new end-to-end visibility of the network path from VM through to VMware Cloud on AWS including the AWS Direct Connect section. For VMware SD-WAN users, there will be additional visibility into SD-WAN application and business policy support,” VMware stated.
  • I will review the new features and improvements of vRNI 5.2 in another post later on.

Automation, OpenStack and other CMP

  • Search API: Exposes NSX-T Search capabilities (already available in UI) through API
  • Terraform Provider for NSX-T – Declarative API support: Provides infrastructure-as-code by covering a wider range of constructs from networking (T0/T1 Gateway, segments), security (centralized and distributed firewall, groups) and services (load balancer, NAT, DHCP).
  • Enhanced Ansible Module for NSX-T support for Upgrade (in addition to install) and Logical object support.
  • OpenStack Integration Improvements: extended IPv6, VPNaaS support and VRF Lite support

User interface improvements

  • Brand new Alarms dashboard and Network Topology Visualizations: Provides an interactive network topology diagram of Tier 0 Gateways, Tier 1 Gateways, Segments, and connected workloads (VMs, Containers), with the ability to export to PDF.
  • New Getting Started Wizards: A new getting started wizard is introduced for preparing clusters for VLAN Micro-Segmentation in three easy steps.
  • Quick Access to Actions and Alarms from Search Results: Enhanced search results page to include quick access to relevant actions and alarms. Added more search criteria across Networking, Security, Inventory, and System objects.
  • User Interface Preferences for NSX Policy versus Manager Modes: You can switch between NSX Policy mode and NSX Manager mode within the user interface, as well as control the default display. By default, new installations display the UI in NSX Policy mode, and the UI Mode switcher is hidden. Environments that contain objects created through NSX Manager mode (such as from NSX upgrades or cloud management platforms) by default display the UI Mode switcher in the top right-hand corner of the UI.
  • UI Design Improvements for System Appliances Overview: Improved UI design layout for displaying resource activity and operational status of NSX system appliances.
  • Security Dashboards: NSX-T 3.0 introduces new Security Overview Dashboards for security and firewall admins to see at-a-glance the current operational state of firewall and distributed IDS.
  • Security wizards for VLAN-based Micro-Segmentation: You can configure your data centers to introduce segmentation using NSX-T in very easy steps.
  • Container Inventory & Monitoring in User Interface: Container cluster, Namespace, Network Policy, Pod level inventory can be visualized in the NSX-T User Interface. Visibility is also provided into co-relation of Container/K8 objects to NSX-T logical objects.
  • NCP Component Health Monitoring: The NSX Container Plugin and related component health information like NCP Status, NSX Node Agent Status, NSX Hyperbus Agent Status can be monitored using the NSX Manager UI/API.
  • Physical Servers Listing: NSX-T adds UI support for listing physical servers.

Wrap-up

As I mentioned before, this release is a major upgrade for the VMware NSX solution and I believe it’s moving in the right direction. The combination of NSX-T and SD-WAN would be a tempting solution for Telco service providers, as Telco is adopting virtualization more than ever and network virtualization plays a key role in that transformation.

Here is the “What’s new at a glance” slide for a quick review of new features but more details can be found in the release notes of the product:

If you are keen to deep dive into the details of NSX-T 3.0, I would suggest you check out the NSX-T 3.0 release notes, then enroll in the VMware Hands-On-Lab NSX-T sessions and practice in a very well-built lab environment, and then download the product, build your own sandbox and try out the new features in practice.

Credits

Release notes:
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/rn/VMware-NSX-T-Data-Center-30-Release-Notes.html

Download

https://my.vmware.com/en/web/vmware/info/slug/networking_security/vmware_nsx_t_data_center/3_x

I hope you find this post useful and thank you for reading!

Disclaimer

The material and information contained in this article and on my blog are for general information purposes only. You should not rely upon the information in this article as a basis for making any business, legal or any other decisions. Whilst I try to keep the information up to date and correct, I will not be liable for any false, inaccurate, inappropriate or incomplete information presented in this article. I would advise you to check with VMware as a reference in order to make any decision.