NSX-T Data Center 2.5 adds a range of new features for virtualized networking and security in private, public, and hybrid clouds. Highlights include enhancements to the intent-based networking user interface, context-aware firewall, guest and network introspection, IPv6 support, highly available cluster management, profile-based NSX installation for vSphere compute clusters, and enhancements to the Migration Coordinator for migrating from NSX Data Center for vSphere to NSX-T Data Center.
NSX-T Data Center 2.5 introduces NSX Intelligence v1.0, a new NSX analytics component. NSX Intelligence provides a user interface via a single management pane within NSX Manager, and provides the following features:
- Close to real-time flow information for workloads in your environment.
- NSX Intelligence correlates live or historic flows, user configurations, and workload inventory.
- Ability to view past information about flows, user configurations, and workload inventory.
- Automated micro-segmentation planning by recommending firewall rules, groups, and services.
Container API Support
New API support is available for container inventory. See the API documentation.
- Enhancements for the Edge Bridge – The Edge bridge now allows attaching the same segment to multiple bridge profiles, providing the ability to bridge a segment multiple times to VLANs in the physical infrastructure. This functionality supersedes and deprecates the ESXi bridge from previous versions of NSX-T Data Center. Caution: use this feature at your own risk. Bridging the same segment twice to the same L2 domain in the physical network creates a bridging loop, and there is no loop mitigation mechanism.
- MTU/VLAN Health Check – From an operations point of view, network connectivity issues caused by configuration errors are often difficult to identify. A common scenario is one in which virtual network admins configure the N-VDS through NSX Manager while physical network admins own the configuration of the physical switches, so the two sides drift apart without either noticing.
- VLAN Health Check – Checks whether N-VDS VLAN settings match trunk port configuration on the adjacent physical switch ports.
- MTU Health Check – Checks whether the per-VLAN MTU setting on the physical access switch port matches the N-VDS MTU setting.
- Guest Inter-VLAN Tagging – The Enhanced Datapath N-VDS lets users map a guest VLAN tag to a segment. This overcomes the limit of 10 vNICs per VM and allows guest VLAN-tagged traffic (mapped to different segments) to be routed by the NSX infrastructure.
- Tier-1 Placement Inside Edge Cluster Based on Failure Domain – Enables NSX-T to automatically place Tier-1 gateways based on failure domains defined by the user. This increases the reliability of Tier-1 gateways across availability zones, racks, or hosts, even when using automatic Tier-1 gateway placement.
- Asymmetric Load Sharing After Router Failure in ECMP Topology – On an active/active Tier-0 gateway, when a service router failed, another service router took over its traffic, doubling the load on that one router. Now, 30 minutes after a router failure, the failed router's IP address is removed from the list of next hops, so the remaining traffic is shared across the surviving routers instead of being concentrated on one.
- Get BGP Advertised and Received Routes Per Peer through API and UI – Simplifies BGP operations by avoiding CLI usage to verify the routes received and sent to BGP peers.
- BGP Large Community Support – Offers the option to use BGP Large Communities, which accommodate 4-byte ASNs, as defined in RFC 8092.
- BGP Graceful Restart Helper Mode Option Per Peer – Offers the option, per peer, for a Tier-0 gateway to act as a graceful restart helper, preserving forwarding for northbound physical routers that have a redundant control plane, without compromising the failover time across Tier-0 routers.
- DHCP relay on CSP – Extends the support of DHCP relay to CSP port, offering DHCP relay to endpoints connected to NSX-T through a VLAN.
- Bulk API to Create Multiple NAT Rules – Enhances the existing NAT API to bundle the creation of a large number of NAT rules into a single API call.
- Support Mellanox ConnectX-4 and ConnectX-4 LX on Bare Metal Edge Node – Bare Metal Edge nodes now support Mellanox ConnectX-4 and ConnectX-4 LX physical NICs in 10/25/40/50/100 Gbps.
- Bare Metal Edge PNIC Management – Provides the option to select the physical NICs to be used as dataplane NICs (fastpath). It also increases the number of physical NICs supported on the Bare Metal Edge node from 8 to 16 PNICs.
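The BGP Large Community item above refers to RFC 8092, which exists because a classic RFC 1997 community is only 2-byte ASN : 2-byte value and cannot carry a 4-byte ASN. The following is an added example, not NSX-T code, that encodes and decodes the 12-byte "GA:LD1:LD2" format and the LARGE_COMMUNITY path attribute (type code 32) it travels in, including the length check a receiver applies before trusting the contents. The community values are constructed.

```python
import struct

# Added example, not NSX-T code: encode and decode BGP Large Communities as laid out
# in RFC 8092. Each community is three unsigned 32-bit integers, written GA:LD1:LD2,
# where GA (Global Administrator) holds the 4-byte ASN that defines the meaning of
# the two Local Data parts. The communities travel in an optional, transitive path
# attribute with type code 32 (LARGE_COMMUNITY).

LARGE_COMMUNITY_TYPE = 32
ATTR_FLAGS = 0xC0               # optional (0x80) + transitive (0x40)
ATTR_FLAG_EXTENDED_LEN = 0x10   # set when the attribute length needs two bytes
U32_MAX = 0xFFFFFFFF


def parse_large_community(text):
    """'GA:LD1:LD2' -> (ga, ld1, ld2), each validated to fit in 32 bits."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected GA:LD1:LD2 with decimal fields, got %r" % text)
    values = tuple(int(p) for p in parts)
    if any(v > U32_MAX for v in values):
        raise ValueError("each field of a large community is at most 2^32-1: %r" % text)
    return values


def fits_standard_community(asn):
    """RFC 1997 communities are 2-byte ASN : 2-byte value, so a 4-byte ASN cannot be
    carried in them at all; that is the gap large communities close."""
    return 0 <= asn <= 0xFFFF


def encode_large_community_attr(communities):
    """Build the LARGE_COMMUNITY path attribute (flags, type, length, payload)."""
    payload = b"".join(struct.pack("!III", *parse_large_community(c)) for c in communities)
    if len(payload) > 0xFF:
        return struct.pack("!BBH", ATTR_FLAGS | ATTR_FLAG_EXTENDED_LEN,
                           LARGE_COMMUNITY_TYPE, len(payload)) + payload
    return struct.pack("!BBB", ATTR_FLAGS, LARGE_COMMUNITY_TYPE, len(payload)) + payload


def decode_large_community_attr(data):
    """Parse one path attribute; returns (list of 'GA:LD1:LD2' strings, bytes consumed)."""
    flags, type_code = data[0], data[1]
    if type_code != LARGE_COMMUNITY_TYPE:
        raise ValueError("not a LARGE_COMMUNITY attribute (type %d)" % type_code)
    if flags & ATTR_FLAG_EXTENDED_LEN:
        length, offset = struct.unpack("!H", data[2:4])[0], 4
    else:
        length, offset = data[2], 3
    payload = data[offset:offset + length]
    if len(payload) != length or length % 12 != 0:
        # RFC 8092: a length that is not a multiple of 12 is malformed; a receiver
        # treats the UPDATE as a withdraw rather than guessing at the contents.
        raise ValueError("malformed LARGE_COMMUNITY attribute length %d" % length)
    communities = ["%d:%d:%d" % struct.unpack("!III", payload[i:i + 12])
                   for i in range(0, length, 12)]
    return communities, offset + length


if __name__ == "__main__":
    attr = encode_large_community_attr(["4200000000:1:65535", "65536:100:200"])
    print(attr.hex())
    print(decode_large_community_attr(attr))
```

The length check matters operationally: a peer that emits an attribute whose length is not a multiple of 12 is sending something the receiver cannot interpret, and RFC 8092 (via RFC 7606) says to treat the whole UPDATE as a withdraw rather than accept a partially parsed community list.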
Enhanced IPv6 Support
NSX-T 2.5 continues to enhance the IPv6 routing/forwarding feature-set. This includes the support for:
- IPv6 SLAAC (Stateless Address Autoconfiguration), automatically providing IPv6 addresses to virtual machines.
- IPv6 Router Advertisement, NSX-T gateway provides IPv6 parameters through Router Advertisement.
- IPv6 DAD, NSX-T gateways detect duplicate IPv6 address assignments.
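To make the three items above concrete, here is an added example (not NSX-T code) of what a host does with the gateway's Router Advertisement: it builds a modified EUI-64 interface identifier from its MAC, appends it to the advertised /64 prefix (SLAAC), and sends its DAD probe to the solicited-node multicast group of the tentative address. The last function shows the security caveat of plain EUI-64 identifiers: the MAC is recoverable from the address, which is why RFC 7217 stable or RFC 4941 temporary identifiers are preferred for client workloads. The MAC, prefix and neighbor cache contents are constructed.

```python
import ipaddress

# Added example, not NSX-T code: SLAAC address formation (RFC 4862) with a modified
# EUI-64 interface identifier, the solicited-node group used for DAD, and the
# privacy problem with EUI-64. All addresses and MACs here are constructed.

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier: insert ff:fe in the middle and
    flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC, got %r" % mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Combine the on-link prefix from a Router Advertisement (must be /64) with the
    EUI-64 identifier to get the host's autoconfigured global address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix, got /%d" % net.prefixlen)
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(address):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address.
    DAD sends a Neighbor Solicitation for the tentative address to this group."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def dad_passes(tentative, neighbor_cache):
    """Duplicate Address Detection outcome: the tentative address becomes usable only
    if no node already answers for it. neighbor_cache is a constructed set of
    addresses already in use on the link."""
    in_use = {ipaddress.IPv6Address(a) for a in neighbor_cache}
    return ipaddress.IPv6Address(tentative) not in in_use


def mac_from_slaac_address(address):
    """Recover the MAC from an EUI-64 address, or None if the identifier was not built
    that way. An observer who sees the address learns the NIC vendor and can track
    the host across prefixes; that is the reason to avoid EUI-64 for clients."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % b for b in octets)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1::/64", "00:50:56:ab:cd:ef")
    print(addr, solicited_node_multicast(addr), mac_from_slaac_address(addr))
```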
Layer-7 AppID Support
NSX-T 2.5 adds more Layer-7 capabilities for distributed and gateway firewall. This includes the support for:
- Layer-7 AppID support for distributed firewall on KVM.
- Layer-7 AppID support for gateway firewall.
- Multiple Layer-7 AppID configuration in a single firewall rule.
FQDN/URL Filtering Enhancements
NSX-T 2.5 has minor enhancements to FQDN filtering support, including:
- Configuring TTL timers for DNS entries.
- Support for workloads running on KVM hypervisor.
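FQDN rules cannot match a hostname on the wire; the firewall learns IP-to-FQDN mappings from the DNS responses it observes and evaluates rules against that cache, and the TTL timers mentioned above decide how long a learned mapping stays valid. The following is an added example, not NSX-T code, of that mechanism: a cache with clamped TTLs, CNAME-aware learning from a constructed DNS answer, and rule evaluation that stops matching once the entry expires. The clamp values, rules and DNS records are constructed.

```python
import fnmatch

# Added example, not NSX-T code: the cache behind FQDN-based firewall rules. Entries
# are learned from observed DNS answers and expire on a clamped TTL; rule evaluation
# only succeeds while a live mapping exists for the destination IP.


class FqdnCache:
    def __init__(self, min_ttl=30, max_ttl=3600):
        # Clamp the DNS TTL (values are assumptions): a floor avoids churn on zero-TTL
        # records, a ceiling bounds how long a stale IP that has been reassigned to
        # someone else keeps matching the name.
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self._entries = {}  # (ip, fqdn) -> expiry time

    def learn(self, fqdn, ip, dns_ttl, now):
        ttl = max(self.min_ttl, min(self.max_ttl, dns_ttl))
        self._entries[(ip, fqdn.lower().rstrip("."))] = now + ttl

    def expire(self, now):
        for key, expiry in list(self._entries.items()):
            if expiry <= now:
                del self._entries[key]

    def fqdns_for(self, ip, now):
        self.expire(now)
        return {fqdn for (entry_ip, fqdn) in self._entries if entry_ip == ip}


def learn_from_response(cache, response, now, max_cname_hops=8):
    """Feed a constructed DNS answer section: list of (name, rrtype, ttl, rdata).
    CNAME chains are followed so the name the client asked for maps to the final
    A/AAAA record, not just the canonical name."""
    alias_of = {}                       # canonical name -> alias that points at it
    for name, rrtype, _, rdata in response:
        if rrtype == "CNAME":
            alias_of[rdata.lower()] = name.lower()
    for name, rrtype, ttl, rdata in response:
        if rrtype not in ("A", "AAAA"):
            continue
        cache.learn(name, rdata, ttl, now)
        alias, hops = alias_of.get(name.lower()), 0
        while alias and hops < max_cname_hops:   # hop cap guards against CNAME loops
            cache.learn(alias, rdata, ttl, now)
            alias, hops = alias_of.get(alias), hops + 1


def evaluate(rules, dst_ip, cache, now):
    """rules: ordered list of (fqdn_pattern, action). Returns the action of the first
    rule whose pattern matches any name the destination IP currently resolves to, or
    None when nothing matches (the packet then falls through to later, non-FQDN
    rules, typically a default deny)."""
    names = cache.fqdns_for(dst_ip, now)
    for pattern, action in rules:
        if any(fnmatch.fnmatchcase(name, pattern.lower()) for name in names):
            return action
    return None


if __name__ == "__main__":
    cache = FqdnCache()
    learn_from_response(cache, [("www.example.com", "CNAME", 300, "edge.cdn.example.net"),
                                ("edge.cdn.example.net", "A", 60, "203.0.113.10")], now=0)
    print(evaluate([("*.example.com", "allow")], "203.0.113.10", cache, now=30))
    print(evaluate([("*.example.com", "allow")], "203.0.113.10", cache, now=61))
```

The practical caveat follows from the design: the cache is only as good as the DNS traffic the firewall can see. Workloads that resolve through a path the enforcement point does not observe (for example an encrypted resolver) never populate it, and their traffic falls through to the non-FQDN rules.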
Firewall Operations have been enhanced with the following features:
- Autosave Configuration & Rollback Feature – The system saves a copy of the configuration each time it is published. A saved configuration can be redeployed to roll back to a previous state.
- Manual Drafts – Users can now save drafts of their rules before publishing those rulesets for enforcement. Rules can be staged in manual drafts. Multiple users can work on the same draft; a locking mechanism prevents users from overwriting each other's rules.
- Session Timers – Users can configure session timers for TCP, UDP and ICMP sessions.
- Flood Protection – Both the distributed firewall and the gateway firewall can enforce SYN flood protection. Users set the thresholds at which traffic is alerted on, logged, or dropped, so the response can be tailored to their own workflows.
- System auto-generates two groups when NSX LoadBalancer is created and virtual servers are deployed. One group contains the server pool while the other group contains virtual server IP. These groups can be used on distributed firewall or gateway firewall to allow or deny traffic by firewall admins. These groups track the NSX load balancer config changes.
- The number of IP addresses detected per VM vNIC has been increased from 128 to 256.
- NSX-T 2.5 supports Active Directory servers deployed on Windows Server 2016.
- Identity Firewall is supported for Windows Server workloads without Terminal Services enabled. This allows customers to strictly control the lateral movement of administrators from one server to another.
- Packet Copy Support – In addition to redirecting traffic through a service, NSX-T now supports the Network Monitoring use case, in which a copy of packets is forwarded to a partner Service Virtual Machine (SVM), allowing inspection, monitoring or collection of statistics while the original packet does not pass through the network monitoring service.
- Automatic Host-based Partner SVM Deployment – As of NSX-T 2.5, two modes of partner SVM deployment are supported: clustered deployment, in which Service Virtual Machines are deployed on a dedicated vSphere (service) cluster, and host-based deployment, in which one Service Virtual Machine per service is deployed on each compute host in a particular cluster. In host-based mode, when a new compute host is added to the cluster, the appropriate SVMs are deployed automatically.
- Notification Support for North-South Service Insertion – NSX-T 2.4 introduced the notification framework for East-West Service Insertion, allowing partner services to automatically receive notifications upon relevant changes such as dynamic group updates. With NSX-T 2.5, this notification framework has also been extended to N-S Service Insertion. Partners can leverage this mechanism to allow customers to use dynamic NSX groups (for example, based on tags, OS, or VM name) in the partner policy.
- Additional Troubleshooting and Visualization Features – With NSX-T 2.5, several serviceability enhancements have been made to allow for better troubleshooting of Service Insertion related issues. This includes the ability to verify the runtime status of a Service Instance, the ability to fetch available Service Paths through the API and the inclusion of Service Insertion related logs in the support bundle.
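The Session Timers and Flood Protection items above configure two parts of the same stateful engine: per-state idle timeouts that decide when a tracked session is forgotten, and per-destination half-open thresholds that decide whether a new SYN is admitted silently, admitted with an alert or a log, or dropped. The following is an added example, not NSX-T code, of such an engine run over a constructed SYN flood and a normal handshake. The timeout and threshold values are assumptions for the example, not NSX-T defaults.

```python
# Added example, not NSX-T code: a minimal stateful session table with state-specific
# idle timeouts and SYN flood thresholds. Values below are constructed, not defaults.

SESSION_TIMEOUTS = {"tcp_half_open": 30, "tcp_established": 3600, "udp": 60, "icmp": 10}
SYN_THRESHOLDS = {"alert": 10, "log": 20, "drop": 30}   # half-open connections per destination


class StatefulFirewall:
    def __init__(self, timeouts=SESSION_TIMEOUTS, thresholds=SYN_THRESHOLDS):
        self.timeouts = timeouts
        self.thresholds = thresholds
        self.sessions = {}   # (proto, client, server) -> {"state": ..., "last_seen": t}
        self.events = []     # (time, level, server, half_open_count)

    def expire(self, now):
        """Remove sessions idle for longer than the timeout of their current state."""
        for key, s in list(self.sessions.items()):
            if now - s["last_seen"] > self.timeouts[s["state"]]:
                del self.sessions[key]

    def half_open_to(self, server):
        return sum(1 for (proto, _, srv), s in self.sessions.items()
                   if proto == "tcp" and srv == server and s["state"] == "tcp_half_open")

    def process(self, now, proto, src, dst, flags=""):
        """Return 'allow' or 'drop' for one packet. flags is the TCP flag string:
        'S' for SYN, 'SA' for SYN/ACK, 'A' for ACK."""
        self.expire(now)
        key = (proto, src, dst)
        if proto == "tcp" and flags == "S":
            if key in self.sessions:                    # SYN retransmit, already counted
                self.sessions[key]["last_seen"] = now
                return "allow"
            count = self.half_open_to(dst)
            if count >= self.thresholds["drop"]:
                self.events.append((now, "drop", dst, count))
                return "drop"
            if count >= self.thresholds["log"]:
                self.events.append((now, "log", dst, count))
            elif count >= self.thresholds["alert"]:
                self.events.append((now, "alert", dst, count))
            self.sessions[key] = {"state": "tcp_half_open", "last_seen": now}
            return "allow"
        if key not in self.sessions:
            key = (proto, dst, src)                     # reply direction, e.g. SYN/ACK from the server
        if key not in self.sessions:
            if proto in ("udp", "icmp"):                # first packet opens a pseudo-session
                self.sessions[(proto, src, dst)] = {"state": proto, "last_seen": now}
                return "allow"
            return "drop"                               # TCP packet with no tracked handshake
        s = self.sessions[key]
        s["last_seen"] = now
        if proto == "tcp" and s["state"] == "tcp_half_open" and flags == "A" and key[1] == src:
            s["state"] = "tcp_established"              # client's final ACK completes the handshake
        return "allow"


if __name__ == "__main__":
    fw = StatefulFirewall()
    verdicts = [fw.process(0, "tcp", "10.0.0.%d" % i, "10.1.1.5", "S") for i in range(35)]
    print(verdicts.count("allow"), "allowed,", verdicts.count("drop"), "dropped")
    print(fw.events[-1])
    fw.expire(31)                                       # half-open timeout has passed
    print(fw.half_open_to("10.1.1.5"), "half-open left")
```

Two things the example makes visible that the feature list does not: the half-open timeout is what lets the destination recover from a flood that stops (the counter drains as entries expire), and the order of the threshold checks means the drop threshold must be set above the log and alert thresholds or the lower levels never fire.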
Endpoint Protection (Guest Introspection)
- Linux Support – Support for Linux-based operating systems with Endpoint Protection. Please see the NSX-T Administration Guide for supported Linux operating systems for Guest Introspection.
- Endpoint Protection Dashboard – Endpoint Protection dashboard for visibility and monitoring the configuration status of protected and unprotected VMs, issues with Host agent and service VMs, and VMs configured with the file introspection driver that was installed as part of the VMware Tools installation.
- Monitoring Dashboard – To monitor the partner service deployment status across clusters in the system.
- API to Retrieve the Status on Edge Capacity for Load Balancers – New API calls have been added to allow the admin to monitor the Edge capacity in terms of load balancing instances.
- Intelligent Selection of Health Check IP Address – When SNAT IP-list is configured, the first IP address in the list is going to be used for health monitoring instead of the uplink IP address of a Tier-1 Gateway. The IP address can be the same as the Virtual Server IP address. This enhancement allows the load balancer to use a single IP address for both source-nat and health monitoring.
- Load Balancer Logging Enhancement – With this enhancement, the load balancer can generate a rich log message per Virtual Server for monitoring. For example, the Virtual Server access log includes not only the client IP address but also a pool member IP address.
- Persistence Enhancement in LB Rules – A new action called "Persist" is introduced in LB rules. The Persist action enables the load balancer to provide application persistence based on a cookie set by a pool member.
- LB Fits – A small LB instance now fits into a small Edge VM, and a medium LB instance fits into a medium Edge VM. Previously, a small Edge VM could not run load balancing services because the Edge VM had to be larger than the LB instance it hosted.
- VS/Pool/Member Statistics – All LB related statistics are available in simplified interface. Previously, the information was only available in Advanced Networking and Security interface.
- ECC (Elliptic Curve Certificate) Support for SSL Termination – EC certificates can be used for increased SSL performance.
- FIPS Knob – There is a global setting, exposed via the API, for FIPS compliance of the load balancer. By default the setting is off to improve performance, so deployments that must operate in FIPS mode have to enable it explicitly.
- IPsec VPN Support on Tier-1 Gateway – IPsec VPN can be deployed and terminated on Tier-1 gateway for better tenant isolation and scalability. Previously, it was supported on only Tier-0 gateway.
- VLAN Support for Layer-2 VPN on NSX-managed Edge – With this enhancement, VLAN-backed segments can be extended. Previously, only logical segments were supported for Layer-2 extension. This includes VLAN Trunking support enabling multiple VLANs to be extended on one Edge Interface and Layer-2 VPN session.
- TCP MSS Clamping for IPsec VPN – TCP MSS Clamping allows the admin to enforce the MSS value of all TCP connections to avoid packet fragmentation.
- ECC (Elliptic Curve Certificate) Support for IPsec VPN – EC certificates are required to enable various IPsec compliance suites, such as CNSA and UK Prime.
- Easy Button for Compliance Suite Configuration – CNSA, Suite-B-GCM, Suite-B-GMAC, Prime, Foundation, and FIPS can be configured with a single click in the UI or a single API call.
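The TCP MSS Clamping item above gives the what but not the why. ESP tunnel mode adds an outer IP header, the ESP header, an IV, cipher padding, a 2-byte trailer and an ICV, so a 1460-byte segment that fits a 1500-byte link in the clear no longer fits once encapsulated and gets fragmented (or dropped, if DF is set). The following is an added example, not NSX-T code, that computes the largest MSS that still fits a given outer MTU for a given ESP configuration, and shows the rewrite a clamping device performs on the MSS option of a SYN. Header sizes are the standard ESP/IPv4/TCP values; the AES-CBC, NAT-T and AES-GCM parameter sets are the example's assumptions.

```python
import struct

# Added example, not NSX-T code: the arithmetic behind TCP MSS clamping on an IPsec
# tunnel, plus the in-place rewrite of the MSS option in a SYN's TCP options.

ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8          # only present with NAT traversal (UDP encapsulation)
MSS_OPTION_KIND = 2


def tunnel_packet_size(payload, nat_t=False, iv_len=16, icv_len=16, block=16):
    """Size on the wire of an ESP tunnel-mode packet carrying an inner IPv4/TCP segment
    with `payload` bytes of data. Defaults model AES-CBC with a 128-bit ICV."""
    plaintext = IPV4_HEADER + TCP_HEADER + payload + ESP_TRAILER
    encrypted = (plaintext + block - 1) // block * block     # pad to the cipher block size
    return IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len + encrypted + icv_len


def clamped_mss(outer_mtu, nat_t=False, iv_len=16, icv_len=16, block=16):
    """Largest MSS whose full-size segment still fits in outer_mtu after encapsulation."""
    fixed = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len + icv_len
    budget = outer_mtu - fixed
    budget -= budget % block                                  # encrypted part must be block-aligned
    mss = budget - ESP_TRAILER - IPV4_HEADER - TCP_HEADER
    if tunnel_packet_size(mss, nat_t, iv_len, icv_len, block) > outer_mtu:
        raise AssertionError("clamp arithmetic error")       # sanity check on the derivation
    return mss


def clamp_mss_option(tcp_options, max_mss):
    """Rewrite the MSS option (kind 2, length 4) in a SYN's TCP options so the peer never
    sends segments larger than max_mss. Returns the new options bytes; the caller must
    recompute the TCP checksum after the rewrite."""
    out = bytearray(tcp_options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(out) or out[i + 1] < 2 or i + out[i + 1] > len(out):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = out[i + 1]
        if kind == MSS_OPTION_KIND and length == 4:
            (mss,) = struct.unpack("!H", out[i + 2:i + 4])
            out[i + 2:i + 4] = struct.pack("!H", min(mss, max_mss))
        i += length
    return bytes(out)


if __name__ == "__main__":
    print("AES-CBC, no NAT-T:", clamped_mss(1500), "bytes;",
          "unclamped 1460 would produce", tunnel_packet_size(1460), "byte packets")
    print("AES-CBC with NAT-T:", clamped_mss(1500, nat_t=True))
    print("AES-GCM (8-byte IV, 4-byte alignment):", clamped_mss(1500, iv_len=8, icv_len=16, block=4))
    print(clamp_mss_option(bytes.fromhex("020405b401010402"), clamped_mss(1500)).hex())
```

The value to configure depends on the cipher suite and on whether NAT-T is in play, which is why a single "safe" number such as 1350 is often used in practice: it is below every case above, at the cost of a few percent of throughput.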
Automation, OpenStack and other CMP
- Expanded OpenStack Release Support – Now includes the Stein and Rocky releases.
- OpenStack Neutron Plugin supporting Policy API – In addition to the existing plugin that uses the Management API, we now offer an OpenStack Neutron plugin that consumes the new NSX-T Policy API. This plugin supports IPv6 for Layer-2, Layer-3, firewall, and SLAAC.
- OpenStack Neutron Router Optimization – The plugin now optimizes the OpenStack Neutron router by creating and deleting the service router dynamically. A customer therefore has only a distributed router while no services are configured, and a service router is added as soon as services are configured, all managed by the plugin.
- OpenStack Neutron Plugin Layer-2 Bridge – The Layer-2 bridge configured from OpenStack is now configured on the Edge Cluster and not on the ESXi cluster.
- OpenStack Octavia Support – In addition to LBaaSv2, the OpenStack Neutron Plugin supports Octavia as a way to support Load Balancing.
For more details please see the VMware NSX-T Data Center 2.5 Plugin for OpenStack Neutron Release Notes.
- Addition of a New Mode of Operation – NSX Cloud now has two modes of operation, which makes NSX Cloud the only hybrid cloud solution in the market to support both agented and agentless modes of operation.
- NSX Enforced Mode (Agented) – Provides a “Consistent” policy framework between on-premises and any public cloud. NSX Policy enforcement is done with NSX tools which are installed in every workload. This provides VM level granularity and all tagged VMs will be managed by NSX. This mode will overcome the differences/limitations of individual public cloud providers and provide a consistent policy framework between on-premises and public cloud workload.
- Native Cloud Enforced Mode (Agentless) – Provides a "Common" policy framework between on-premises and any public cloud. This mode does not require the installation of NSX tools in the workloads. NSX security policies are converted into the native cloud provider's security constructs, so all scale and feature limitations of the chosen public cloud apply. The granularity of control is at the VPC/VNet level, and every workload inside a managed VPC/VNet is managed by NSX unless it is whitelisted.
Both modes provide dynamic group membership and a rich set of abstractions for NSX group membership criteria.
- Support for Visibility and Security of Public Cloud Native Services from NSX Cloud – From this release, it is possible to program the security groups of native cloud services in Azure and AWS that have a local VPC/VNet endpoint and a security group associated with it. The aim is to discover cloud native service endpoints and secure them with user-specified rules in NSX policy. The following services are supported in this release: in AWS, ELB, RDS, and DynamoDB; in Azure, Azure Storage, Azure Load Balancer, Azure SQL Server, and Cosmos DB. Future NSX-T releases will add support for more services.
- New OS support:
- Support for Windows Server 2019
- Windows 10 v1809
- Support for Ubuntu 18.04
- Enhanced Quarantine Policy and VM White-listing – Starting with NSX 2.5, NSX Cloud allows users to whitelist VMs from the CSM interface. Once a VM is whitelisted, its cloud security groups are no longer managed by NSX, and users can place the VM in whatever cloud security groups they want.
- Enhanced Error Reporting on CSM Interface – Enables quicker troubleshooting.
- Support of vSphere HA for the NSX Manager(s) – The NSX management cluster can now be protected by vSphere HA. This allows one node of the NSX management cluster to be recovered if the host running it fails. It also allows for the entire NSX management cluster to be recovered to an alternate site if there is a site-level failure. Please see the NSX-T Installation Guide for details on supported scenarios.
- Capacity Dashboard Improvements – New and improved metrics to the capacity dashboard show the number of objects a customer has configured relative to the maximum supported in the product. For a complete list of configuration maximums for NSX-T Data Center, see the VMware Configuration Maximums Tool.
- Support for vSphere Lockdown Mode – Enables more deployment options by providing the ability to install, upgrade, and operate NSX-T in a vSphere lockdown mode environment.
- Logging Enhancement – Reduces service impact during troubleshooting by allowing the log levels of NSX user space agents to be changed dynamically via the NSX command line interface.
- SNMPv3 Support – Enhanced security compliance by adding support for configuring SNMPv3 for NSX Edge and Manager appliance.
- New Traceflow Capability for Troubleshooting VM Address Resolution Issues – Added support for injecting ARP/NDP packets via Traceflow to detect connectivity issues while doing address resolution for an IP destination.
- Upgrade Order Change – When upgrading to NSX-T 2.5, the new upgrade order is Edge-component upgrade before Host component upgrade. This enhancement provides significant benefits when upgrading the cloud infrastructure by allowing optimizations to reduce the overall maintenance window.
- Log Insight Content Pack Enhancement – Added support for out-of-box log alerts with the new NSX-T Content Pack compatible with NSX-T 2.5.
- FIPS – Users can now generate FIPS compliance reports and can configure and manage their NSX deployments in FIPS-compliant mode. Cryptographic modules are validated against the FIPS standards, offering assurance to customers who must comply with federal regulations or who want to operate NSX according to the prescribed FIPS standards. With noted exceptions, all cryptographic modules in NSX-T 2.5 are FIPS validated. To view the granted certifications for FIPS-validated modules, see https://www.vmware.com/security/certifications/fips.html.
- Enhancements to Password Management – Users can now extend the password expiry duration (day-count) since the last password change even after upgrade. Thirty-day expiry warnings and password expiry notifications now appear in the interface, CLI, and syslogs.
Support for Single Cluster Design
Support for single cluster designs with fully collapsed Edge, Management, and Compute VMs, powered by a single N-VDS, in a cluster with a minimum of four hosts. The typical reference designs for VxRail and other cloud provider host solutions prescribe 4x10G pNICs with two host switches: one dedicated to Edge and Management (VDS), the other dedicated to compute VMs (N-VDS). Two host switches effectively separate management traffic from compute traffic. However, with the economics of 10G and 25G trending favorably, many small data center and cloud provider customers are standardizing on two-pNIC hosts. Using this form factor, they can build an NSX-T based solution with a single N-VDS powering all components over two pNICs.
NSX Data Center for vSphere to NSX-T Data Center Migration
- Migration Coordinator Enhancements – The Migration Coordinator has several usability enhancements that improve the workflow of the process required to migrate from NSX Data Center for vSphere to NSX-T Data Center, including improvements to providing user feedback during the migration.
This information and more can be found at the VMware release note website: VMware NSX-T Data Center 2.5 Release Notes