VMware announced NSX-T 3.0 General Availability a few days ago, and it's now available for download in VMware's portal.
NSX-T 3.0 is a major upgrade from 2.5.1 and has plenty of new features and improvements as well as bug fixes.
I have summarized some of the important features and improvements of the new NSX-T 3.0 in this post, and I hope you will find it informative.
Here are the new features:
- NSX Federation is the ability to manage, control and synchronize multiple NSX-T deployments over different locations in on-prem, AWS, Azure and Public Clouds.
- Global Manager is the key component of NSX Federation. It provides a GUI and a REST API endpoint and lets you configure consistent security policies across multiple locations, as well as stretched networking objects such as Tier-0 and Tier-1 gateways and segments, through a single pane of glass.
- In the YouTube video below, Dimitri Desmidt explains NSX-T Federation in detail as part of the Tech Field Day 21 VMware Demo and Preview program.
- Security policies attach to the workload, which means the policies move with the workload during failover or migration between environments. This takes care of full network and security failover along with SRM VM failover, which simplifies DR because the network entities are created once and the segments are stretched across locations. So in the event of a disaster, the workload can be fully failed over to the recovery location with all the security policies in place.
Comprehensive Threat Protection (Distributed IDS/IPS)
- NSX Distributed Firewall (DFW) now supports Windows 2016 physical servers in addition to Linux physical servers.
- New Firewall configuration wizard that simplifies rule creation, especially for VLAN-backed micro-segmentation
- Distributed IDS/IPS, Micro-Segmentation for Windows Physical Servers, Time-based Firewall Rules, and a feature preview of URL Analysis for URL Classification and Reputation.
- Intrusion detection and prevention can now be enabled within the hypervisor to detect vulnerable network traffic per VM, or even more granularly per vNIC of a VM, with context-based rule inspection. NSX Manager downloads the threat signature pack and keeps it updated.
- IDS/IPS can be enabled within the hypervisor to detect vulnerable network traffic per VM or, even more granularly, per vNIC of a VM.
- Threat detection in NSX IDS is much more efficient compared to traditional IDS due to its context-based inspection mechanism, so you can assign relevant signatures to a VM based on the running services, e.g. Linux or Windows.
NSX-T networking and security for vSphere with Kubernetes
- Supports full-stack networking and security for vSphere with Kubernetes, including key networking functions: Switching, Distributed routing (T0/T1), Distributed Firewalling, load balancing, Distributed LB, NAT and IPAM and network identity lifecycle.
- Watch the YouTube video below from Vinay Reddy, which explains the networking and security capabilities of NSX-T in vSphere with Kubernetes:
- Integration with VMware Tanzu Kubernetes Grid Service
- L2-7 container networking services to non-VMware Kubernetes platforms
Telco cloud enhancements
- Multi-tenancy enhancement and support by adding VRF Lite and Overlay EVPN
- The link below compares VRF Lite and VXLAN/EVPN and also explains the basics of these technologies. Check it out if you would like to read more:
- VRF Lite support provides multi-tenant data plane isolation through Virtual Routing and Forwarding (VRF) in the Tier-0 gateway
- L3 EVPN support provides northbound connectivity for Telco VNFs to the overlay networks and maintains isolation on the data plane by using one VNI per VRF
- Multicast routing for scalable networking and accelerated data plane performance. Multicast replication is only supported on T0. According to VMware, T1 will be supported in future releases.
- NAT64 which provides stateful NAT from IPv6 to IPv4
- East-West service chaining for NFV is the ability to chain multiple services for edge traffic that can now also be extended to redirect edge traffic.
- IPv6 support for containers
Some other new features
Converged VDS 7.0
- NSX-T now supports VDS, and you can deploy NSX-T on an existing VDS 7.0 with no VM network disruption, which makes deployments much easier in brownfield environments.
Support for vRNI 5.2
- “In addition to NSX, VMware also rolled out VMware vRealize Network Insight 5.2, the company’s network visibility and analytics software. The new software features machine learning support for Flow Based Application Discovery will automatically group VMs into applications and tiers for a better understanding of what is occurring on the infrastructure,” VMware stated.
- “vRealize Network Insight 5.2 has new end-to-end visibility of the network path from VM through to VMware Cloud on AWS including the AWS Direct Connect section. For VMware SD-WAN users, there will be additional visibility into SD-WAN application and business policy support,” VMware stated.
- I will review vRNI 5.2's new features and improvements in another post later on.
Automation, OpenStack and other CMP
- Search API: Exposes NSX-T Search capabilities (already available in UI) through API
- Terraform Provider for NSX-T – Declarative API support: Provides infrastructure-as-code by covering a wider range of constructs from networking (T0/T1 Gateway, segments), security (centralized and distributed firewall, groups) and services (load balancer, NAT, DHCP).
- Enhanced Ansible Module for NSX-T support for Upgrade (in addition to install) and Logical object support.
- OpenStack Integration Improvements: extended IPv6, VPNaaS support and VRF Lite support
User interface improvements
- Brand new Alarms dashboard and Network Topology Visualizations: Provides an interactive network topology diagram of Tier 0 Gateways, Tier 1 Gateways, Segments, and connected workloads (VMs, Containers), with the ability to export to PDF.
- New Getting Started Wizards: A new getting started wizard is introduced for preparing clusters for VLAN Micro-Segmentation in three easy steps.
- Quick Access to Actions and Alarms from Search Results: Enhanced search results page to include quick access to relevant actions and alarms. Added more search criteria across Networking, Security, Inventory, and System objects.
- User Interface Preferences for NSX Policy versus Manager Modes: You can switch between NSX Policy mode and NSX Manager mode within the user interface, as well as control the default display. By default, new installations display the UI in NSX Policy mode, and the UI Mode switcher is hidden. Environments that contain objects created through NSX Manager mode (such as from NSX upgrades or cloud management platforms) by default display the UI Mode switcher in the top right-hand corner of the UI.
- UI Design Improvements for System Appliances Overview: Improved UI design layout for displaying resource activity and operational status of NSX system appliances.
- Security Dashboards: NSX-T 3.0 introduces new Security Overview Dashboards for security and firewall admins to see at-a-glance the current operational state of firewall and distributed IDS.
- Security wizards for VLAN-based Micro-Segmentation: You can configure your data centers to introduce segmentation using NSX-T in very easy steps.
- Container Inventory & Monitoring in User Interface: Container cluster, Namespace, Network Policy, Pod level inventory can be visualized in the NSX-T User Interface. Visibility is also provided into the correlation of Container/K8s objects to NSX-T logical objects.
- NCP Component Health Monitoring: The NSX Container Plugin and related component health information like NCP Status, NSX Node Agent Status, NSX Hyperbus Agent Status can be monitored using the NSX Manager UI/API.
- Physical Servers Listing: NSX-T adds UI support for listing physical servers.
As I mentioned before, this release is a major upgrade for the VMware NSX solution, and I believe it's moving in the right direction. The combination of NSX-T and SD-WAN would be a tempting solution for Telco service providers, as Telco is adopting virtualization more than ever and network virtualization plays a key role in that transformation.
Here is the “What’s new at a glance” slide for a quick review of the new features; more details can be found in the product's release notes:
If you are keen to dive deep into the details of NSX-T 3.0, I would suggest that you check out the NSX-T 3.0 release notes, then enroll in the VMware Hands-On-Lab NSX-T sessions and practice in a very well-built lab environment, and then download the product, build your own sandbox and try the new features in practice.
I hope you find this post useful and thank you for reading!