VMware released NSX 4.0 a few days ago and took that opportunity to rename the product to “VMware NSX”, replacing the well-known “NSX-T Data Center” name.
As many of you know by now, NSX-V (NSX for vSphere) has been out of support since earlier this year, and many customers have already started migrating from NSX-V to NSX-T. There is therefore no reason to keep the name NSX-T Data Center, and it makes more sense to simply call it “NSX”.
What’s new in NSX 4.0
NSX 4.0 is a major release with new networking and security features as well as some enhancements.
Installation/Upgrade Improvement
Starting with NSX 4.0, upgrades run up to 10% faster than with previous versions of NSX. You also get new alarms for the lifecycle status of physical servers, and a notification once an NSX update is available.
NSX Application Platform and associated services
NSX 4.0 is compatible with NSX Application Platform 3.2.1, which lets you deploy security features and services such as NSX NDR (Network Detection and Response), NSX Intelligence, NSX Malware Prevention and NSX Metrics.
However, if you are still running NSX Application Platform 3.2, you must first upgrade it to 3.2.1 before upgrading to NSX 4.0.
Please find below some of the new features and enhancements in NSX 4.0:
Layer 3 Networking
- IPv6 external-facing Management Plane introduces support for IPv6 communication from external systems with the NSX management cluster (Local Manager only). The NSX Manager now supports dual-stack (IPv4 and IPv6) on the external management interface. IPv6-only deployments are not supported in this release.
The following external communication and systems are supported:
- Access to NSX User Interface (UI) through IPv6
- Access to NSX API through IPv6
- IPv6 communication with vCenter
- In this release, vCenter services and clients that use vCenter Extension Manager to communicate with NSX Manager (such as vLCM, WCP and the Supervisor Cluster) still connect to NSX Manager over IPv4.
- IPv6 syslog
- IPv6 SNMP
- IPv6 SSH
- IPv6 SFTP (Backup & Restore)
- IPv6 communication with DNS server (name resolution)
- IPv6 communication with NTP server
- IPv6 Cluster VIP
- IPv6 communication with LDAP/AD servers, for user authentication and IDFW
- IPv6 interaction with Operations tools: vRNI, vRLI & vROPs
- IPv6 support for telemetry/VAC
- Internal T0-T1 transit subnet prefix change after Tier-0 creation allows users to change the prefix used for the T0-T1 transit subnet after the Tier-0 has been created. Before this feature, the default value (100.64.0.0/16) could only be changed at Tier-0 creation time.
Networking Services (NAT, DHCP, DNS)
- NAT support for Policy-based VPN on T0/T1 Gateways allows a DNAT/NO-DNAT rule to match traffic decapsulated from a policy-based VPN. When you want to translate the destination IP of traffic arriving through the VPN, configure the DNAT/NO-DNAT rule and set its policy-based VPN mode to “match”. The default remains “bypass”, meaning the rule does not match traffic decapsulated from a policy-based VPN.
- DHCP UI configuration workflow improvement offers a simpler and easier configuration of a Local DHCP server, Gateway DHCP server or DHCP Relay. It also offers better visibility and monitoring options.
- DHCP Standby relocation improves the availability of the DHCP server: with standby relocation configured, a new standby Edge is elected when the current one fails.
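The two gateway changes above (the transit-subnet prefix change in the Layer 3 section and the NAT mode for policy-based VPN here) are both ordinary NSX Policy API PATCH calls. The following is an added example written for this post, not code from the original article or from VMware: it builds the request path and body for each change, and refuses a transit prefix that overlaps a subnet already routed behind the Tier-0, which is the check I would run before renumbering T0-T1 links. The `transit_subnets`, `policy_based_vpn_mode` and `firewall_match` fields are taken from the NSX Policy API reference; the object IDs, addresses and subnet inventory are placeholders.

```python
"""Build NSX Policy API PATCH payloads for two NSX 4.0 features.

Added example, not code from the original post or from VMware. It covers:
  1. changing a Tier-0's T0-T1 transit subnet after creation
     (Tier0 "transit_subnets", default 100.64.0.0/16), with a check that the
     new prefix does not overlap a subnet already routed behind that Tier-0;
  2. a DNAT rule with "policy_based_vpn_mode" set to MATCH so that it applies
     to traffic decapsulated from a policy-based VPN (the default is BYPASS).
Object IDs, addresses and the subnet inventory below are placeholders.
"""
import ipaddress
import json
from typing import Dict, Iterable, Tuple

POLICY_API = "/policy/api/v1"


def build_transit_subnet_patch(tier0_id: str, new_prefix: str,
                               routed_subnets: Iterable[str]) -> Tuple[str, Dict]:
    """Return (path, body) for a PATCH that replaces a Tier-0's transit_subnets.

    Raises ValueError if new_prefix has host bits set or overlaps a subnet that
    already exists in the routing domain: an overlapping transit prefix would
    hijack or black-hole workload traffic once the T0-T1 links renumber.
    """
    transit = ipaddress.ip_network(new_prefix, strict=True)
    for cidr in routed_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == transit.version and net.overlaps(transit):
            raise ValueError(f"transit prefix {transit} overlaps routed subnet {net}")
    path = f"{POLICY_API}/infra/tier-0s/{tier0_id}"
    body = {"transit_subnets": [str(transit)]}
    return path, body


def build_vpn_dnat_rule(tier1_id: str, rule_id: str, match_dest: str,
                        translated: str, match_vpn: bool) -> Tuple[str, Dict]:
    """Return (path, body) for a DNAT rule in a Tier-1's USER NAT section.

    match_vpn=True sets policy_based_vpn_mode to MATCH, so the rule also applies
    to traffic decapsulated from a policy-based VPN; False keeps the default
    BYPASS, under which such traffic is not translated.
    """
    # Validate the addresses locally; a typo should fail before any API call.
    ipaddress.ip_network(match_dest, strict=False)
    ipaddress.ip_address(translated)
    path = f"{POLICY_API}/infra/tier-1s/{tier1_id}/nat/USER/nat-rules/{rule_id}"
    body = {
        "action": "DNAT",
        "destination_network": match_dest,
        "translated_network": translated,
        "firewall_match": "MATCH_EXTERNAL_ADDRESS",
        "policy_based_vpn_mode": "MATCH" if match_vpn else "BYPASS",
        "enabled": True,
    }
    return path, body


if __name__ == "__main__":
    # Constructed inventory of segments already routed behind the Tier-0.
    routed = ["10.10.0.0/24", "10.10.1.0/24", "192.168.50.0/24"]
    path, body = build_transit_subnet_patch("t0-prod", "100.100.0.0/16", routed)
    print("PATCH", path, json.dumps(body))
    # This candidate is rejected because 10.10.0.0/16 overlaps the 10.10.x segments.
    try:
        build_transit_subnet_patch("t0-prod", "10.10.0.0/16", routed)
    except ValueError as exc:
        print("rejected:", exc)
    path, body = build_vpn_dnat_rule("t1-dmz", "vpn-dnat-1",
                                     "203.0.113.10", "10.10.0.5", match_vpn=True)
    print("PATCH", path, json.dumps(body, indent=2))
```

Each returned (path, body) pair is sent as an HTTPS PATCH to the NSX Manager (for instance with `requests.patch(f"https://{manager}{path}", json=body, auth=(user, password))`); the subnet inventory you feed into the overlap check should come from the live segments and Tier-1 connected interfaces, not from a hard-coded list as here.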
Edge platform
- Edge relocate API gives the option, when an Edge VM enters maintenance mode, to gracefully relocate all auto-allocated T1 SRs to other Edge VMs.
- Maintain Edge Node parameters during upgrade – post-upgrade, all user-edited settings of an Edge Node are preserved rather than reset to default.
Distributed Firewall
- Block Malicious IPs in Distributed Firewall is a new capability that blocks traffic to and from known malicious IPs. It works by ingesting a feed of malicious IPs provided by VMware Contexa; the feed is updated automatically multiple times a day so that the environment is protected against the latest malicious IPs. Note that for existing environments the feature must be turned on explicitly after the upgrade, so add that to your post-upgrade checklist; for new environments it is enabled by default.
- NSX Distributed Firewall now also supports the following operating systems on physical servers: RHEL 8.2 and 8.4, Ubuntu 20.04, CentOS 8.2 and 8.4.
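To make the “to and from” semantics of the malicious-IP block concrete, here is an added example (not NSX code, and not from the original post) that parses a small constructed feed of IPs and CIDRs and evaluates constructed flow records in both directions, reporting which endpoint matched. It also includes the check I would pair with any externally sourced blocklist: alarm when the local copy of the feed is older than its expected refresh interval. The feed format, its “updated” comment and every address below are constructed for the example.

```python
"""Simulate the Distributed Firewall "Block Malicious IPs" decision.

Added example, not NSX code: a feed of malicious IPs and CIDRs is parsed once,
then each flow is checked in both directions (source and destination), which is
what "block traffic to and from malicious IPs" means in practice. It also
includes a feed-staleness check: the real feed refreshes several times a day,
so a copy older than a day deserves an alarm. Feed contents, the update
timestamp and the flows are all constructed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed feed: one entry per line, '#' comments, mixed IPv4/IPv6, hosts and CIDRs.
SAMPLE_FEED = """\
# updated: 2022-08-10T06:00:00Z
198.51.100.23
203.0.113.0/28
2001:db8:bad::/48
"""


def parse_feed(text: str) -> Tuple[List[Network], Optional[datetime]]:
    """Parse the feed into a list of networks plus its 'updated' timestamp."""
    nets: List[Network] = []
    updated = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if "updated:" in line:
                stamp = line.split("updated:", 1)[1].strip().replace("Z", "+00:00")
                updated = datetime.fromisoformat(stamp)
            continue
        # A bare host becomes a /32 or /128; strict=False tolerates host bits in CIDRs.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets, updated


def match_ip(ip: str, nets: List[Network]) -> Optional[str]:
    """Return the feed entry that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def evaluate_flow(src: str, dst: str, nets: List[Network]) -> Dict[str, Optional[str]]:
    """Decide on a flow: DROP if either endpoint is in the feed, with the direction."""
    hit_src, hit_dst = match_ip(src, nets), match_ip(dst, nets)
    if hit_src and hit_dst:
        return {"action": "DROP", "direction": "both", "matched": f"{hit_src},{hit_dst}"}
    if hit_src:
        return {"action": "DROP", "direction": "from", "matched": hit_src}
    if hit_dst:
        return {"action": "DROP", "direction": "to", "matched": hit_dst}
    return {"action": "ALLOW", "direction": None, "matched": None}


def feed_is_stale(updated: Optional[datetime], now: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> bool:
    """True when the feed has no timestamp or is older than max_age."""
    return updated is None or now - updated > max_age


if __name__ == "__main__":
    nets, updated = parse_feed(SAMPLE_FEED)
    flows = [("10.0.0.5", "203.0.113.9"), ("198.51.100.23", "10.0.0.5"),
             ("10.0.0.5", "10.0.0.6"), ("2001:db8:bad::1", "2001:db8::1")]
    for src, dst in flows:
        print(src, "->", dst, evaluate_flow(src, dst, nets))
    print("feed stale:", feed_is_stale(updated, datetime.now(timezone.utc)))
```

The linear scan over the feed is fine for a few thousand entries; a production implementation would index prefixes, but the direction logic and the staleness alarm are the points worth carrying over to your own monitoring.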
To see the full list of new features, check the Release Notes.
Deprecated features
As new capabilities and enhancements arrive in major releases, some features are also deprecated:
- Support of non-VIO OpenStack and KVM: NSX no longer supports KVM-based hypervisors or OpenStack distributions from third-party vendors. Support for VMware Integrated OpenStack (VIO) remains; see the VMware Product Interoperability Matrix for the NSX and VIO versions that are compatible.
- NSX N-VDS Host Switch support: NSX 3.0.0 and later can run on the vSphere VDS switch version 7.0 and later, which gives tighter integration with vSphere and makes NSX adoption easier for customers adding NSX to an existing vSphere environment. Be aware that VMware has removed support for the NSX N-VDS virtual switch on ESXi hosts starting with this release, NSX 4.0.0.1, so any ESXi host still using an N-VDS must be migrated to a VDS before upgrading. N-VDS remains the supported virtual switch on NSX Edge nodes, native public cloud NSX agents and bare-metal workloads.
For the full list of deprecated features, check the Release Notes.
Hope you enjoyed this blog post; stay tuned, as more is coming soon.