It’s April 2020 and VMware NSX-T 3.0 is launched, which includes a variety of new features to provide new functionality for virtualised networking and security for private, public, and multi-clouds. As a consultant I’ve had extensive experience of working with both NSX-V and NSX-T, here’s my overview of this latest version’s most exciting new features and capabilities.

NSX-T adds new features and capabilities in the areas of intrinsic security, modern application networking and streamlined operations. I’ve picked a few of the more notable ones below.

NSX Distributed Intrusion Detection System (D-IDS)

The advanced threat detection engine purpose-built to detect lateral threat movement on east-west traffic. This will be available as an add-on subscription to customers with advanced or enterprise plus licencing.

NSX Federation

Centralised policy configuration and enforcement across multiple locations from a single pane of glass, enabling network-wide consistent policy and operational simplicity. This is by far the most eagerly awaited feature of this release.

I have spoken with several customers over the last 6 months who are awaiting this particular feature as it now means NSX-T surpasses NSX-V in terms of feature parity. VMware will continue to develop this particular feature over the course of this year so be sure to check the release notes carefully as to what is and isn’t currently supported.

NSX-T for vSphere with Kubernetes

NSX has been designed-in as the default pod networking solution for vSphere with Kubernetes (Project Pacific) and provides a rich set of networking capabilities including distributed switching and routing, distributed firewalling, load balancing, etc

VRF Lite

Complete data plane isolation among tenants with a separate routing table, NAT, and Edge firewall support in each VRF on the NSX Tier-0 gateway.

L3 EVPN

Seamlessly connects telco Virtual Network Functions to the overlay network. The NSX Edge implements standards based BGP control plane to advertise IP Prefixes into the telco core, running MP-BGP sessions with the telco Provider Edge/DC Gateways.

L3 EVPN

NSX-T Support on VDS 7.0

NSX-T can now leverage the native VDS built into vSphere 7.0. It is recommended that new deployments of NSX-T leverage this and move away from the N-VDS. If you are an existing NSX-T customer and have already deployed and are using the N-VDS then the recommendation is to remain using that for the moment. However, you will in the future need to plan to move away from this, consider the following when planning this.

  • VDS is configured through vCenter. N-VDS is vCenter independent. With NSX-T support on VDS and the eventual deprecation of N-VDS, NSX-T will be closely tied to vCenter and vCenter will be required to enable NSX.
  • The N-VDS is able to support ESXi host specific configurations. The VDS uses cluster-based configuration and does not support ESXi host specific configuration.
  • This release does not have full feature parity between N-VDS and VDS.
  • The backing type for VM and vmKernel interface APIs is different for VDS when compared to N-VDS.

Security and Firewalling

It’s not possible to leverage Federation to have a consistent security policy across multiple sites (note VMC support will come in a future release). NSX-T introduces the concept of a global manager and has the capability to sync security policies across multiple sites providing a single pane of glass view.

Xtravirt’s Networking and Security Services

Xtravirt are a UK based consulting business specialising in cloud and the digital transformation of enterprise organisations. We are a VMware Principal Partner and hold five VMware Master Services Competencies (MSC’s) including the MSC for Network Virtualization.  To find out more about our networking and security services, please email [email protected]