NSX-T is now available and its a massive release so lots of blogging opportunities await!
For the full release notes go HERE.
Below is an extract of whats new 🙂
NSX-T Data Center 3.2.0 is a major release offering many new features in all the verticals of NSX-T: networking, security, services and onboarding. Here are some of the major enhancements.
- Switch agnostic distributed security: Ability to extend micro-segmentation to workloads deployed on vSphere networks.
- Gateway Security: Enhanced L7 App IDs, Malware Detection and Sandboxing, URL filtering, User-ID firewall, TLS inspection (Tech Preview) and Intrusion Detection and Prevention Service (IDS/IPS).
- Enhanced Distributed Security: Malware detection and Prevention, Behavioral IDS/IPS, enhanced application identities for L7 firewall.
- Improved integration with NSX Advanced Load Balancer (formerly Avi): Install and configure NSX ALB (Avi) from NSX-T UI; Migrate NSX for vSphere LB to NSX ALB (Avi).
- NSX for vSphere to NSX-T Migration: Major enhancements to the Migration Coordinator to extend coverage of supported NSX for vSphere topologies and provide flexibility on the target NSX-T topologies.
In addition to these features, many other capabilities are added in every area of the product.
Layer 2 Networking
- Support dual NIC bonds on Windows physical servers – Connections using dual physical NIC (pNIC) bonds are now supported on physical servers. This allows configuration of active/active or active/standby bond. This feature is supported on VLAN and overlay networks.
- NUMA-aware teaming policy – NSX now supports processing of the traffic on the same NUMA node as the pNICs used to leave ESXi. This feature enhances the performance in deployment leveraging teaming policies across multiple NUMA.
- Enhanced Datapath new capabilities – Enhanced Datapath Switch now supports Distributed Firewall (DFW), Distributed Load-Balancer (DLB), and port mirroring capabilities.
Layer 3 Networking
- Support L3 EVPN route server mode – ESXi is now capable of directly sending VXLAN traffic to the data center fabric routers bypassing the Edge node in the data path. In this deployment model, the Tier-0 SR (Service Router) hosted on the Edge Node is still necessary only to handle the control plane, i.e., advertising the connected prefixes through EVPN l2vpn address-family to the fabric. ESXi now supports ECMP towards multiple physical routers in the fabric and test the availability of the routers with BFD.
- 5-tuple ECMP on ESXi and KVM – The distributed router (DR) hosted on ESXi now supports 5-tuple hashing algorithm when ECMP is enabled. With this feature, the hashing is based on IP address source, IP address destination, IP protocol, layer-4 port source, layer-4 port destination. This allows a better distribution of the traffic across all the available Service Routers (SRs).
- Proxy ARP support on Active/Active Tier-0 Gateway – In simple topologies without a need for dynamic routing, a Tier-0 gateway in active/active HA mode can now be used, providing higher throughput.
- Support for Active/Active on Tier-0 SR for Multicast Traffic – NSX now supports ECMP of multicast traffic across multiple Tier-0 SRs (Service Routers), offering a better throughput for multicast traffic.
- UEFI support on Bare Metal Edge – NSX now supports the deployment of bare metal edge node on servers running in UEFI mode. This allows edge nodes to be deployed on a broader set of servers.
- Distributed Firewall supports VMs deployed on Distributed Port Groups on VDS switches– In previous releases, NSX could only enforce Distributed Security features for N-VDS switchports. Now you can leverage Distributed Firewall capabilities for VDS based VLAN networks without having to convert the switchport to N-VDS.
- Support for dynamic tag criteria on Groups of IP Addresses.
- Distributed Firewall Support for Physical servers – Redhat Enterprise Linux 8.0 operating system.
- Addition of more Application IDs for L7 Firewall usage.
- Malware Prevention for Distributed Firewall (E-W use case) – NSX Distributed Firewall now has zero-day malware detection and prevention capabilities using advanced machine learning techniques and sandboxing capabilities.
- Configuration of AD Selective-Sync for IDFW – Identity firewall AD configuration now supports selectively adding OUs and users.
- Identity Firewall Statistics – Enhanced the Security Overview dashboard to include Identity Firewall statistics for active users and active user sessions.
Distributed Intrusion Detection/Prevention System (D-IDPS)
- Distributed IDS/IPS is supported for VMs deployed on Distributed Port Groups on VDS.
- Distributed IDS/IPS now supports Behavior-based detection and prevention – A new class of IDS signatures is now available both on the distributed IDPS and on the edge. Rather than attempting to identify malware-specific behavior, these signatures attempt to identify network behaviors that could be associated to sign of a successful infection. This includes, for instance, the identification of Tor communication in the network, the presence of self-signed TLS certificates on high ports, or more sophisticated stateful detections such as the detection of beaconing behavior. This class of signatures is characterized by the severity level “informational”. If NSX NDR is enabled, further ML-based processing is applied on alerts produced by these signatures to prioritize cases that are very likely to be anomalous in the specific monitored environment.
- Curation and Combination of Trustwave and VMware Signatures – NSX IDS/IPS signature set now allows access to a new IDS ruleset that is developed and curated by VMware to ensure high-security effectiveness and minimize the likelihood of false positives. The ruleset combines detections developed by third-party vendors such as Trustwave and Emerging Threats with a corpus of VMware-developed signatures and optimized for the NSX IDS engines.
- User Identity-based Access Control – Gateway Firewall introduces the following additional User Identity Firewall capabilities:
- For deployments where Active Directory is used as the user authentication system, NSX leverages Active Directory logs.
- For all other authentication systems, NSX can now leverage vRealize Log Insight based logs to identify User Identity to IP address mapping.
- Enhanced set of L7 AppIDs – Gateway Firewall capabilities are enhanced to identify a more comprehensive number of Layer-7 applications.
- TLS Inspection for both inbound and outbound traffic (?Tech Preview; not for production deployments) – More and more traffic is getting encrypted on the network. With the TLS inspection feature, you can now leverage NSX Gateway Firewall to do deep-packet inspection and threat detection and prevention services for encrypted traffic as well.
- URL Filtering (includes categorization and reputation of URLs) – You can now control internet bound traffic based on the new URL Filtering feature. This feature allows you to control internet access based on the URL categories and as well as the reputation of the URLs. URL repository, including the categorization and reputation data, is updated on an ongoing basis for updated protection.
- Malware Analysis and Sandboxing support – NSX Gateway Firewall now provides malware detection from known as well as zero-day malware using advanced machine learning techniques and sandboxing capabilities. The known malware data is updated on an ongoing basis.
- Intrusion Detection and Prevention (?Tech Preview; not for production deployments) – For NSX Gateway Firewall, Intrusion Detection and Prevention capabilities (IPS) are introduced in a “Tech Preview” mode. You can try the feature set in non-production deployments.
New NSX Application Platform
NSX Application Platform – VMware NSX Application Platform is a new container based solution introduced in NSX-T 3.2.0 that provides a highly available, resilient, scale out architecture to deliver a set of core platform services which enables several new NSX features such as:
|NSX Network Detection and Response|
|NSX Malware Prevention|
The NSX Application Platform deployment process is fully orchestrated through the NSX UI. Refer to the Deploying and Managing the VMware NSX Application Platform guide for more information on the infrastructure prerequisites and requirements for installation.
Network Detection and Response
- VMware Network Detection and Response correlates IDPS, Malware and Anomaly events into intrusion campaigns that help identify threats and malicious activities on the network.
- Correlation into threat campaigns rather than events, which allows SOC operators to focus on triaging only a small set of actionable threats.
- Network Detection and Response collects IDPS events from Distributed IDPS, Malware events (malicious files only) from Gateway, and Network Anomaly events from NSX Intelligence.
- Gateway IDPS (Tech Preview) events are not collected by NSX Network Detection and Response in NSX-T 3.2.
- Network Detection and Response functionality runs in the cloud and is available in two cloud regions: US and EU.
Refer to the following for more information:
- See the VMware NSX Network Detection and Response Activation and Administration Guide for installation information.
- For usage information, see the Working with the NSX Network Detection and Response Application section of the Using and Managing VMware NSX Intelligence guide.
- Enhanced Service level alarms for VPN – IPSec Service Status details.
- Additional logging details for packet tracing – Display SPI and Exchange Information for IPSec.
- Guest Introspection Enhancements – Guest Introspection provides a set of APIs in the data plane for consumption within the guest context. This enhancement ensures only users with appropriate entitlement are provided this access.
- Additional OS support for GI – Guest Introspection now supports CentOS 8.2, RHEL 8.2, SLES15 SP1, Ubuntu 20.04.
- Support VM tag replication between Local Managers – During disaster recovery (DR), replicated VMs are restarted in the DR location. If the security policy is based on NSX VM tags, the replicated VMs in the DR location must have those NSX tags on the remote Local Manager at recovery time. NSX Federation 3.2 now supports VM tag replication between Local Managers. The tag replication policy is configurable only through API.
- Federation communications monitoring – The location manager page now offers a view on the latency and usage of the channels between Global Managers and Local Managers. This provides a better visibility of the health between the different components of federation.
- Firewall Drafts – Draft of the security policies are now available on Global Manager. This includes support for auto-drafts and manual drafts.
- Global Manager LDAP Support – Global Manager now supports configuration of LDAP sources for Role-Based Access Control (RBAC) similarly to support on Local Managers.
Container Networking and Security
- Antrea to NSX-T Integration – Added the ability to define Antrea Network Policies from the NSX-T Distributed Firewall UI. Policies are applied on K8s clusters running Antrea 1.3.1-1.2.2 using the interworking controller. Also adds inventory collection: K8s Objects like Pods, Namespaces & services are collected in NSX-T inventory and tagged so that they can be selected in DFW Policies. Antrea Traceflow can now be controlled from the NSX-T Traceflow UI page, and Log bundles can be collected from K8s clusters using Antrea. There is no mandatory requirement to have NSX-T data-plane enabled on your K8s Antrea cluster nodes.
- Grouping Enhancements – Added support for Antrea container objects. Added support for Not In operator on segment port tag criteria. Adds support for AND operator between group membership criteria involving segments and segment ports.
- VMware NSX Advanced Load Balancer (Avi) Installation through NSX – VMware NSX Advanced Load Balancer (Avi) Controllers can now be installed through the NSX-T Manager UI, which provides a single pane for installation of all NSX components.
- Cross-Launch VMware NSX Advanced Load Balancer (Avi) UI from NSX-T Manager UI – Launch VMware NSX ALB (Avi) UI from the NSX-T Manager for advanced features.
- Advanced Load Balancer (Avi) User Interfaces displayed within NSX – Configure VMware NSX Advanced Load Balancer (Avi) from within NSX Manager.
- Migrate Load Balancing from NSX for vSphere to VMware NSX Advanced Load Balancer (Avi) – Migrate Load Balancers to VMware NSX ALB (Avi) when using the Bring your own Topology model with the Migration Coordinator.
- NSX-T native Load Balancer – Load balancing features would not be added or enhanced going forward. NSX-T platform enhancements would not be extended to the NSX-T native load balancer.
- Load Balancing Recommendation
- If you are using Load Balancing in NSX-T, you are advised to migrate to VMware NSX Advanced Load Balancer (Avi), which provides a superset of the NSX-T load balancing functionality.
- If you have purchased NSX Data Center Advanced, NSX Data Center Enterprise Plus, NSX Advanced, or NSX Enterprise, you are entitled to the Basic edition of VMware NSX Advanced Load Balancer (Avi), which has feature parity with NSX-T LB.
- It is recommended that you purchase VMware NSX Advanced Load Balancer (Avi) Enterprise to unlock enterprise grade load balancing, GSLB, advanced analytics, container ingress, application security and WAF.
Note: It is recommended that new deployments with NSX-T Data Center take advantage of VMware NSX Advanced Load Balancer (Avi) using release v20.1.6 or later and not use the native NSX-T Load Balancer.
For more information:
- VMware NSX Advanced Load Balancer (Avi) page: https://www.vmware.com/products/nsx-advanced-load-balancer.html
- Migrate to VMware NSX Advanced Load Balancer (Avi): https://www.vmware.com/products/nsx/migrate-to-advanced-load-balancing.html
- Deploy VMware NSX Advanced Load Balancer (Avi) on VCF with Advanced Load Balancing for VCF VMware Validated Solution
- How to apply your NSX Data Center license to VMware NSX Advanced Load Balancer (Avi): https://avinetworks.com/docs/
- VMware NSX Advanced Load Balancer (Avi) Editions: https://avinetworks.com/docs/21.1/nsx-license-editions/
- Extended OS Support on NSX Cloud – NSX Cloud now supports the following OS, in addition to the ones already supported:
- Ubuntu 20.04
- RHEL 8.next
- NSX Cloud support of Advanced Security (Layer 7) features on PCG (?Tech Preview; not for production deployments) – NSX Cloud offers some Advanced Security (Layer 7) capability on the PCG on both Azure and AWS, enabling you to benefit from application layer security for your workloads in the public Cloud. You can try the feature set in non-production deployments.
- NSX Cloud support of IDFW for single user VDI (?Tech Preview; not for production deployments) – NSX Cloud offers identity firewall to offer user based security for VDI deployment. It will be able to associate to a VM a security profile mapped to the user connected, hence simplifying security management and strengthening security. You can try the feature set in non-production deployments.
Operations and Monitoring
- Command del nsx to clean up NSX on a Physical / Bare Metal Server – In continuation with the del nsx feature support on ESX servers, a CLI command
del nsxis available to remove NSX from a Physical / Bare Metal Server running a Linux OS. If you have a Physical / Bare Metal Server with NSX VIBs in a stale state and are unable to uninstall NSX from that host, you can use the CLI command
del nsxfor a guided step-by-step process to remove NSX from that host and bring it back to a clean state so NSX can be reinstalled.
- Live Traffic Analysis through NSX Manager UI – The Live Traffic Analysis feature is now available on the NSX Manager UI, allowing you to easily analyze the live traffic flows across data centers. This features provides a unified approach of diagnosis by combining Traceflow, and packet capture. You can perform both actions in one shot – trace live packets and perform packet capture at source. Live Traffic Analysis helps in accurately determining issues in network traffic and provides the ability to perform the analysis on specific flows to avoid noise.
- Selective Port Mirroring – Enhanced mirroring with flow based filtering capability and reduced resource requirements. You can now focus on pertinent flows for effective troubleshooting.
- Fabric MTU Configuration Check – An on-demand and periodic MTU check will be available on the NSX Manager UI to verify MTU configuration for overlay network; alerts are raised for MTU mismatches.
- Traceflow support on VLAN backed Logical Network – You can perform Traceflow on a VLAN backed logical network. This feature is available through the API.
- Improved Logging – Improved logging by detecting and suppressing repetitive log messages emitted too frequently to prevent important log messages from being lost or overshadowed.
- Improved CLI guide and additional commands – Introduced a set of new CLI commands mapped with the UI constructs (Policy) like for instance segment. This allows for simpler consumption of the CLI for users. A completely refactored CLI guide is also introduced to simplify consumption.
- Time-Series Monitoring – Provides the ability to collect and store metrics for a longer duration up to one year with NSX Application Platform. Time-Series metrics helps to monitor the trend in key performance indicators, performs before and after analysis, and provides the historical context helpful in troubleshooting. Time-series metrics is available for Edge Node, Tier-0 and Tier-1 Gateways, NSX Manager, NSX Application Platform and security features, which includes TLS Inspection, IDPS, Gateway Firewall. These time-series metrics are available through NSX-T APIs and a subset of these metrics are also available on the NSX Manager UI.
- Events and Alarms
- Certificates – CA Bundle Update Recommended
- Operation – Cluster Down, Cluster Unavailable, Management Channel To Manager Node Down, Management Channel To Manager Node Down Long
- Federation – GM to GM Latency Warning, GM to GM Synchronization Warning, GM to GM Synchronization Error, GM to LM Latency Warning, GM to LM Synchronization Warning, GM to LM Synchronization Error, LM restore While Config Import In Progress, Queue Occupancy Threshold Exceeded
- Transport Node Health – Transport Node Uplink Down
- Distributed Firewall – DFW Session Count High, DFW Vmotion Failure
- Edge – Edge Node Settings and vSphere Settings Are Changed, Edge Node Settings Mismatch, Edge VM vSphere Settings Mismatch, Edge vSphere Location Mismatch
- Edge Health – Edge Datapath NIC Throughput High, Edge Datapath NIC Throughput Very High, Failure Domain Down
- VPN – IPSec Service Down
- NAT – SNAT Port Usage on Gateway Is High
- Load Balancing – Load Balancing Configuration Not Realized Due To Lack Of Memory
- MTU Check – MTU Mismatch Within Transport Zone, Global Router MTU Too Big
- NSX Application Platform Communication – Delay Detected In Messaging Overflow, Delay Detected In Messaging Rawflow, TN Flow Exporter Disconnected
- NSX Application Platform Health – ~55 alarms to monitor health of the platform
Usability and User Interface
- Customize login messages and banners – You can configure and customize the login message from NSX Manager and specify the mandatory fields the user needs to accept before logging in.
- Search and Filter Enhancements – Enhanced the existing search and filtering capability in the NSX UI. An initial screen displays the possible search phrases and the most recently searched items. A separate panel is available for ‘Advanced Search’ that allows users to customize and configure ‘Searches’. Search queries now surface information from tags and alarms.
- VPAT – Fixes to bridge the accessibility gap in the product.
- NSX Topology – Visualize the underlying fabric associated with gateways. This feature provides you the ability to visualize the edge clusters, host switch configuration, and gather details on the host and edge configurations.
- Improve Usability of Object Selector in UI – This feature provides the ability to select multiple objects that are in the same category. Additionally, you can select all the objects.
- Revamped Security Overview – Revamped the Security Overview page to provide a holistic view of the security configurations. You can view ‘Threats and Responses’ across different features as well as view the existing configuration and capacity of the system.
- NSX-T UI Integrated in vCenter – NSX-T can now be installed and configured via the vCenter UI with the vCenter plugin for NSX-T. This feature is supported ONLY from vCenter 7.0U3 onwards.
- Deployment wizard of NSX-T for common use cases – When installed via the vCenter plugin, NSX-T can now enable NSX-T features based on common use cases, allowing users to quickly turn on NSX-T features leveraging the deployment wizards. This release supports two wizards, one to enable Security features of NSX and the other to enable Virtual Networking features of NSX.
- NSX Manager to NSX Policy Promotion Tool – Provides ability to promote existing configuration from NSX Manager to NSX Policy without data path disruption or deletion/recreation of existing objects. Once the NSX Manager objects are promoted to NSX Policy, the NSX Manager objects are set to read-only through the Manager UI/API, and you can then interact with the same objects through NSX Policy UI/API.
AAA and Platform Security
- Certificate Management Enhancements for TLS Inspection (?Tech Preview; not for production deployments) – With the introduction of the TLS Inspection feature, certificate management now supports addition and modification of certification bundles and the ability to generate CA certificates to be used with the TLS Inspection feature. In addition, the general certificate management UI can carry modifications that simplify import/export of certificates.
- High Availability and Scale enhancements for LDAP Integration – LDAP configuration now supports the configuration of multiple LDAP servers per domain and support for ‘trust’ of multiple certificates associated with different LDAP servers per domain.
- Increased Scale – There are several increases in the supported scale for the largest deployments. For details on scale changes, see the VMware Configuration Maximums tool.
- License Enforcement – NSX-T now ensures that users are license-compliant by restricting access to features based on license edition. New users are able to access only those features that are available in the edition that they have purchased. Existing users who have used features that are not in their license edition are restricted to only viewing the objects; create and edit will be disallowed.
- New Licenses – Added support for new VMware NSX Gateway Firewall and NSX Federation Add-On and continues to support NSX Data Center licenses (Standard, Professional, Advanced, Enterprise Plus, Remote Office Branch Office) introduced in June 2018, and previous VMware NSX for vSphere license keys. See VMware knowledge base article 52462 for more information about NSX licenses.
NSX Data Center for vSphere to NSX-T Data Center Migration
- Migration for VMware Integrated OpenStack – Added the capability to perform NSX for vSphere to NSX-T migration in VIO environments without breaking the OpenStack representation of the objects. This feature requires the support of migration capabilities by the VMware Integrated OpenStack version that is used.
- Bring your own Topology – The Migration Coordinator extends its model to offer migration between NSX for vSphere and a user defined topology in NSX-T. This offers more flexibility for users to define their NSX-T topology and extends the number of topologies which can be migrated from NSX for vSphere to NSX-T.This feature can only be used for the configuration migration in order to enable lift and shift or as part of the complete workflow doing in place migration.
- Support OSPF Migration for fixed topologies – The Migration Coordinator supports fixed topologies with OSPF (instead of BGP and static). This allows users wanting to use fixed topologies (and not BYOT) to do so even when they have OSP configured for N/S connectivity between ESG and top of rack (OSPF between ESG and DLR was already supported and replaced by NSX-T internal routing).
- Increased scale for Migration Coordinator – The Migration Coordinator scale is increasing in order to cover larger environments and come closer to NSX for vSphere maximum scale.
- Migration of Guest Introspection – NSX for vSphere to NSX-T migration for GI is now added in migration coordinator. You can use this feature provided the partner vendor also supports the migration coordinator.
- IDFW/RDSH Migration – The migration coordinator now supports Identity based firewall configurations.