What's New in NSX-T 3.0
Now in its third year of availability, it's fitting that VMware has released version 3.0 of its popular NSX-T software-defined data center networking solution. This product has seen a rapid pace of change, and NSX-T 3.0 continues this trend with the introduction of many new features and capabilities.
While it's always difficult to determine which enhancements are the "best," below are a few of the latest additions to NSX-T that we feel are the most noteworthy.
NSX-T support on VDS 7.0
The release of vSphere 7.0 came with many new enhancements, and one of these was the latest version of the vSphere Distributed Switch (VDS), version 7.0. NSX-T 3.0 is the beginning of a major shift in that NSX can now be run on the native VDS, whereas before administrators were required to run NSX on the NSX distributed switch (N-VDS).
Organizations that have adopted NSX-T can continue to operate on the N-VDS, though they should be aware that the N-VDS will eventually be deprecated for ESXi hosts. The N-VDS will continue to be the host switch for bare-metal workloads, KVM hosts, Edge Nodes and public cloud NSX agents.
Federation
Prior to this latest release of NSX, there was not a scalable way to interconnect your NSX-powered data centers. This was a major concern, as many organizations desire a solution with a unified policy model across sites. NSX-T 3.0 addresses this by introducing a feature called Federation.
From a high level, Federation allows you to easily manage multiple data centers that are running NSX-T. This is accomplished via a new component called the Global Manager (GM). Whereas individual data centers could previously be seen as "islands" of NSX, GM allows you to bring those sites together under unified networking and security management, if desired. This capability will enable use cases such as disaster recovery and active-active data centers to become a reality.
Distributed IDS
Undoubtedly, the killer feature of NSX is the Distributed Firewall (DFW) feature. The Distributed Firewall provides protection for east-west traffic flows, which account for the vast majority of traffic within the data center. NSX-T 3.0 includes a considerable enhancement to the Distributed Firewall's security features: a Distributed Intrusion Detection System Service (D-IDS).
The D-IDS feature protects ESXi-based workloads by detecting malicious activity on the network without burdening the host itself with computational overhead. Like the DFW, the D-IDS capability is embedded in the hypervisor itself. This allows for truly distributed analysis of traffic that scales much better than a traditional physical appliance.
The Distributed IDS feature will be quickly followed by a complementary Distributed Intrusion Prevention System (D-IPS) service in a subsequent release, allowing you to seamlessly detect and block malicious network behavior.
Support for bare-metal Windows 2016 Servers
Many organizations make use of Microsoft Windows servers that are not virtualized, often to support resource-intensive workloads such as databases or other applications where virtualizing the server does not make sense. Bare-metal workloads have historically been a challenge for NSX, but this is changing as time goes on.
This latest release of NSX-T brings support for bare-metal Windows 2016 Server. Previously, only Linux-variant bare-metal workloads were supported, so this feature allows NSX networking and security policy to expand into areas previously unreachable. IT engineers can now connect and secure their bare-metal Windows workloads as a true part of their NSX domain.
AWS and Azure Government Cloud
Cloud computing has taken the world by storm, and many businesses small and large have reaped the benefits. However, some organizations have more stringent requirements than others for what the public cloud must provide. The Amazon Web Services (AWS) and Azure Government Clouds meet the compliance and regulatory requirements that allow U.S. agencies to take advantage of cloud workloads.
NSX Cloud is the functionality that extends NSX network and security policy from your on-premises data center to both the AWS and Azure public cloud platforms. With NSX-T 3.0, that functionality is now available in both AWS and Azure Government Clouds, within all government cloud regions in the United States.
VRF Lite and Layer-3 multicast support
Network architects can rejoice at the fact that NSX-T now supports VRF Lite, allowing for the design of a truly multi-tenant architecture without the need for NAT to separate entities. The VRF support is implemented within the Tier-0 Gateway construct, and each VRF will have its own routing table and uplinks.
Another new feature also implemented at the Tier-0 Gateway level is support for Layer-3 IP Multicast. With this being the initial release for multicast support, this particular feature will see enhancements in the future that will allow for a multicast environment to be fully contained within the NSX domain. Today, your PIM Rendezvous Point or Bootstrap Router must be configured outside the NSX environment, and multicast routing is only supported with IPv4.
Conclusion
IT engineers and architects face many challenges in the quest to leverage the best technology to accomplish the aims of their business, and the realm of data center networking is no exception. VMware's NSX-T solution can help organizations realize their goals of becoming more agile, secure and cloud-ready.
While the above descriptions are brief feature overviews intended for reader awareness, stay tuned for additional articles that will go deeper into the technical implications of these features and how they can be utilized effectively. Stay up to date by following our Data Center Networking topic.