On the heels of the release of VMware vSphere 7.0, VMware has released NSX-T 3.0 for general availability (GA). VMware's NSX software-defined networking (SDN) solution is the ­­­ SDN solution on the market today for the enterprise data center. It allows customers to do some amazing things when it comes to connectivity and security. Let's take a look at VMware NSX-T 3.0's new features to see what capabilities it brings to the enterprise datacenter.

SDN facilitates many of the capabilities and features that today's software-defined solutions offer. The network is still required to get the packets where they need to go, regardless of whether a workload exists on premises or in the cloud.

Quick NSX-T overview

As a quick overview of NSX-T, where does it fit in the VMware ecosystem? NSX-T is certainly the way forward for VMware and their SDN portfolio of products. While NSX-V is a "vSphere-only" solution, NSX-T is a multi-hypervisor solution also capable of spanning on-premises and multi-cloud environments.

VMware is still supporting and enhancing NSX-V; however, this is most likely for the short term because they recommend all greenfield deployments to be NSX-T. VMware has also rolled a "V-to-T" migration tool into NSX-T itself to help get existing NSX-V customers over to NSX-T.

At one point, NSX-V still offered more features to VMware customers. However, this is no longer the case. NSX-T now has feature parity with NSX-V and has even surpassed its capabilities, especially in the NSX-T 3.0 release. With that being said, what are the new features in NSX-T 3.0?

NSX-T 3.0 new features

Some terrific new features in this release help make NSX-T 3.0 truly scalable for organizations with multiple sites and multicloud architectures.

  • NSX-T Federation
  • Distributed Intrusion Detection System (D-IDS) and other new security features
  • Support for VMware vSphere 7.0
  • New telecommunications company (telco) cloud features

Let's delve into each of these new features.

NSX-T federation

Customers have long been asking for a way in the NSX world to manage multiple sites in a cohesive and single-pane-of-glass view. With the release of NSX-T 3.0, VMware has given customers the ability to do this effectively. They have introduced a new NSX-T manager that allows managing all the "managers" of the multiple site locations. The new role is the Global Manager.

NSX T Global Manager role introduced in NSX T 3.0

NSX T Global Manager role introduced in NSX T 3.0

You can think of the Global Manager as a "manager of managers" if you will. Using the Global Manager appliance, customers can now manage the managers in other locations in a single graphical interface and an intent-based representational state transfer (REST) application programming interface (API) endpoint. This will help ensure consistent implementation of security policies across sites.

Distributed Intrusion Detection System (D-IDS)

One of the other major new enhancements with NSX-T 3.0 is the D-IDS functionality. VMware has essentially accomplished with the D-IDS/intrusion prevention system (IPS) what they have done with the distributed firewall. With D-IDS/IPS, NSX-T 3.0 can distribute the application of IDS and IPS rules at the hypervisor level. This holds multiple advantages over traditional firewalls applying IDS/IPS rules.

With traditional firewalls, traffic has to leave the virtual environment, travel up the wire to the firewall, have the IDS/IPS rules applied to the traffic, and then travel back down the wire in the same direction it came from. This is "hairpin" traffic and is largely the way most environments using traditional hardware firewalls have to apply firewall and IDS/IPS rules. It is extremely inefficient.

VMware NSX helped solve traffic hairpinning for firewall rules with the distributed firewall because traffic never leaves the context of the hypervisor to have firewall rules applied, a much more efficient design. Now with the distributed IDS/IPS functionality in NSX-T 3.0, this same functionality applies to IDS/IPS rules. Applying these at the hypervisor level ensures traffic never leaves the hypervisor and eliminates the need to hairpin traffic.

Functionality of the D-IDS system includes:

  • Granular application of D-IDS rules at the virtual machine (VM) or virtual network interface controller (vNIC) VM level
  • Automatic signature updates
  • Efficient application at the hypervisor level

Other new security features

VMware has introduced many other great new features with NSX-T 3.0. One such feature is micro-segmentation for Windows physical servers. Up until this release, in a very general sense, NSX has primarily been a "virtual workloads" networking and security tool. However, with this release, Windows physical servers can take advantage of the security advantages of micro-segmentation with NSX-T 3.0.

What if you only need to enforce firewall rules during specific times? NSX-T 3.0 has a new time-based scheduling of firewall rules. This means you can have firewall rules applied and unapplied depending on the day and time.

In the NSX-T 3.0 release, VMware is introducing a "feature preview" of functionality to do URL analysis. They will no doubt release this new feature for GA in the future. It will provide classification and reputation scores of URLs.

There have been many other security improvements across the platform in the areas of the identity-based firewall and automation for micro-segmentation with virtual LANs (VLANs).

Support for VMware vSphere 7.0

Recently, VMware released what they are calling the biggest release of vSphere since the beginning: vSphere 7.0. With this release, VMware has completely restructured vSphere and integrated Kubernetes right into the core of vSphere 7.0.

This means that vSphere 7.0 natively supports containerized workloads with Kubernetes and also allows interacting with vSphere via the Kubernetes APIs. This is a game changer for how both IT admins and developers will interact with vSphere moving forward.

VMware NSX-T 3.0 now supports the newest version of vSphere: 7.0. In fact, setting up the supervisor cluster for Kubernetes in vSphere 7.0 requires NSX-T. Specifically, the workload management feature that allows creating namespaces requires installation of NSX-T to configure the namespaces.

VMware vSphere 7.0 requires NSX T to create Kubernetes namespaces

VMware vSphere 7.0 requires NSX T to create Kubernetes namespaces

To go along with vSphere 7.0 support with NSX-T 3.0, VMware has introduced a new version of the vSphere Distributed Switch (VDS) and the NSX-T VDS (N-VDS) switch. They have merged the two functionalities together, and now NSX-T can run on top of the native VDS in vSphere 7.0.

VMware is deprecating the native N-VDS switch in VMware NSX-T, and future releases will transition to using the native VDS in vSphere 7.0 and higher. This will simplify things moving forward and allow using existing network connections to the ESXi hosts.

New telco cloud features

NSX-T 3.0 has introduced some great new features in layer 3 (L3) functionality that will certainly benefit telco providers. These new features and capabilities include:

  • L3 Ethernet VPN (EVPN): Provides northbound connectivity for virtual routing and forwarding (VRF) advertisement on tier-0 gateways using Multiprotocol Border Gateway Protocol (MP-BGP)
  • IPv6 for containers: NAT64 stateful DHCPv6 support
  • Network function virtualization (NFV) E/W service chaining: Chain services together now for edge traffic in addition to distributed traffic
  • L3 multicast: NSX-T 3.0 is the first release to introduce L3 multicast into the platform

These and many other improvements in the L3 functionality of NSX-T will no doubt benefit telco service providers.

Wrapping up

Much like VMware vSphere 7, NSX-T 3.0 is a giant release for the NSX SDN solution. VMware has made great strides to bring NSX-T full circle as the solution for not only VMware customers but in multicloud environments for SDN.

Subscribe to 4sysops newsletter!

The new NSX Federation and D-IDS will introduce the ability to manage multiple environments with a single-pane-of-glass view. The features also more efficiently enforce IDS along with the distributed firewall solution already found in NSX. NSX-T is becoming more mature and is the solution of choice moving forward if you are installing SDN in a vSphere or non-vSphere environment.


Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account