NSX-T 3.0 was released a few days ago so I thought it best to post about just a few of the new features that are now available in this rather significant release.
The full release notes can be found Here
NSX-T 3.0 introduces the ability to federate multiple on-premises data centers through a single pane of glass, via a Global Manager (GM).
Through the Global Manager, you can configure centralised security policies and enforcement across multiple locations and stretched networking objects: Tier0 and Tier1 gateways and segments.
This is a big feature update and brings NSX-T into feature parity with NSX-V as a lot of customers that I deal with have cross site NSX configurations which prevented them from moving to NSX-T until now.
The federation features are still somewhat limited but this will be improved upon throughout the year. his is one I will be setting up on my lab and blogging about.
NSX-T Support on vDS 7.0
NSX-T can now run on the native vDS built into vSphere 7.0.
It is recommended that new deployments of NSX-T use the vDS 7.0 and move away from the N-VDS.
The N-VDS NSX-T host switch will be deprecated in a future release.
If you are an existing NSX-T customer and have already deployed and are using the N-VDS then the recommendation is to remain using that for the moment. However, you will in the future need to plan to move away from this, consider the following when planning this.
- VDS is configured through vCenter. N-VDS is vCenter independent. With NSX-T support on VDS and the eventual deprecation of N-VDS, NSX-T will be closely tied to vCenter and vCenter will be required to enable NSX.
- The N-VDS is able to support ESXi host specific configurations. The VDS uses cluster-based configuration and does not support ESXi host specific configuration.
- This release does not have full feature parity between N-VDS and VDS.
- The backing type for VM and vmKernel interface APIs is different for VDS when compared to N-VDS.
Data plane isolation between multiple tenants in Tier-0 gateway. VRF has its own isolated routing table, uplinks, NAT and gateway firewall services.
L3 EVPN support provides a northbound connectivity option to advertise all VRFs on a Tier-0 gateway through MP-BGP EVPN AFI (Route Type 5) to a Provider Edge and maintain the isolation on the dataplane with VXLAN encapsulation by using one VNI per VRF.
Distributed Intrusion Detection is a part of the platform’s Threat & Vulnerability Detection capabilities. This feature allows you to enable intrusion detection capabilities within the hypervisor to detect vulnerable network traffic. This distributed mechanism can be enabled on a per VM and per vNIC of a VM basis with granular rule inspection. As part of this feature set, the NSX Manager is able to download the latest signature packs from the NSX Signature Service. This keeps the NSX Distributed IDS updated with the latest threat signatures in the environment.
Time Based Firewall Policy
NSX-T 3.0 can now schedule enforcing of specific rules for specific time intervals. Apply a different Security Policy based on Day/Time this can be combined with VDI/RDSH, IDFW, GFW and DFW.