What's new in NSX-T Data Center 3.0

What's new in NSX-T Data Center 3.0
NSX-T Data Center 3.0 version has been released today, with this release VMware introduce a variety of new features to provide new functionality for virtualized networking and security for private, public, and multi-clouds. Highlights include the following focus areas and new features:

• Cloud-scale Networking: NSX Federation
  
• Intrinsic Security: Distributed IDS, Micro-Segmentation for Windows Physical Servers, Time-based Firewall Rules, and a feature preview of URL Analysis
  
• Modern Apps Networking: NSX-T for vSphere with Kubernetes, container networking and security enhancements
  
• Next-Gen Telco Cloud: L3 EVPN for VM mobility, accelerated data plane performance, NAT64, IPv6 support for containers, E-W service chaining for NFV
  

Some of the new features will be discussed down here, most o them and enhancements are available in the NSX-T Data Center 3.0.0 release Notes.

Before to drill down into the new features I would like to remember that VMware NSX-T provide functionality, all the way from layer two layer seven on the stacks of connectivity. They have logical layer two layer three across physical bare metal and container workloads. They also support layer to VPN and layer three base route and policy VPN. and so on .. the are continuing to add more Layer seven capabilities and more Context Aware inside the Firewall engine.
Below a simple picture of a NSX-T Single Heterogeneous SDN Platform before NSX-T Data Center version 3.0

Release of the new features concern Full-stack Networking and Security Virtualization ...

... let's have a look below of some new features:

NSX Federation
NSX-T 3.0 introduces the ability to federate multiple on-premises data centers through a single pane of glass, called Global Manager (GM). GM provides a graphical user interface and an intent-based REST API endpoint. Through the GM, you can configure consistent security policies across multiple locations and stretched networking objects: Tier0 and Tier1 gateways and segments.

VRF Lite in NSX-T 3.0
Now is possible to have multi-tenant data plane isolation through Virtual Routing Forwarding (VRF) in Tier-0 gateway. VRF has its own isolated routing table, uplinks, NAT and gateway firewall services; the solution can scale up to 100 VRFs per Tier0 Gateway.

Converged VDS
With new vSphere version 7.0 is possible to run NSX straight on VDS 7.0 that's part of it, giving the possibility to use the existing VDS dvPortGroups for NSX switching.

Actually this features is for GreenField only, where you start with a fresh deploy. Where we already have a previous NSX-T installation we can continue to leverage on N-VDS. However, it is recommended that new deployments of NSX and vSphere take advantage of this close integration and start to move toward the use of NSX-T on VDS. The N-VDS NSX-T host switch will be deprecated in a future release. Going forward, the plan is to converge NSX-T and ESXi host switches. The N-VDS remains the switch on the KVM, NSX-T Edge Nodes, native public cloud NSX agents and for bare metal workloads.


Some UI enahcement
In previous NSX-T 2.4 version was introduced the whole policy UI mode and Advanced mode. So now we have a switch to seamlessly switch between the policy and the manager view to configure objects

New Getting Started Wizard to prepare clusters for micro-segmentation has been introduced.

Networking topology visualizations has been introduced. This feature provide graphical visualization of the network infrastructure with the possibility to export the topology in PDF.
With this new features, we can see containers attached if we have containers networking in our views; it is also possible to drill deep inside a particular topology and look the routing table, the forwarding tables etc.

New Alarm Dashboard for managing alarms.

Distributed Intrusion Detection System (D-IDS)
Challenges with the traditional Data Center IDS/IPS (picture below) most of the time deployed in a physical IDS/IPS appliance in large clusters that are deployed behind firewall with their own management console (when IDS/IPS in not integrated into firewall) and traffic is hairpin across the physical network.

Introducing in NSX Platform the capability of Distributed Intrusion Detection as a part of the platform's Threat & Vulnerability Detection capabilities. This feature allows you to enable intrusion detection capabilities within the hypervisor to detect vulnerable network traffic. This distributed mechanism can be enabled on a per VM and per vNIC of a VM basis with granular rule inspection. As part of this feature set, the NSX Manager is able to download the latest signature packs from the NSX Signature Service. This keeps the NSX Distributed IDS updated with the latest threat signatures in the environment.

Service Insertion and Guest Introspection
E-W Service Chaining for NFV-SFC at the Edge - The ability to chain multiple services was earlier available only to distributed traffic but is now available for edge traffic. The East-West service chains can now also be extended to redirect edge traffic.
Disable cloning of NSX Service VMs - Cloning of Service VMs is now prevented from the vSphere Client to prevent malfunctioning of the VMs.

Container Networking and Security
Container Inventory & Monitoring in User Interface - Container cluster, Namespace, Network Policy, Pod level inventory can be visualized in the NSX-T User Interface. Visibility is also provided into co-relation of Container/K8 objects to NSX-T logical objects.
IPAM Flexibility - The NSX Policy IP Block API has been enhanced to carve out IP subnets of variable sizes. This functionality helps the NSX Container Plugin carve out variable size subnets for Namespaces using Policy API.
NCP Component Health Monitoring - The NSX Container Plugin and related component health information like NCP Status, NSX Node Agent Status, NSX Hyperbus Agent Status can be monitored using the NSX Manager UI/API.

..... most of the features and enhancements are available in the NSX-T Data Center 3.0.0 release Notes

Enjoy!!

Notes: All information, texts and images contained in this article are owned by VMware.