VMware NSX-T 3.0 – finally here

VMware NSX-T Data Center 3.0 is publicly available as of today. Release notes here: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/rn/VMware-NSX-T-Data-Center-30-Release-Notes.html

This is how to upgrade:

What's new – just a few that I think are more significant

L2 Networking

NSX-T support on VDS 7.0

NSX-T now has the capability to run on the vSphere VDS switch version 7.0. It is recommended that new deployments of NSX and vSphere take advantage of this close integration and start to move toward the use of NSX-T on VDS. The N-VDS NSX-T host switch will be deprecated in a future release. Going forward, the plan is to converge NSX-T and ESXi host switches. The N-VDS remains the switch on the KVM, NSX-T Edge Nodes, native public cloud NSX agents and for bare metal workloads. – You read that right: from now on VDS 7 is recommended, and the N-VDS will sooner or later be gone.

The current NSX-T ESXi host switch, the N-VDS, continues to be supported for this release and it is recommended that NSX deployments that currently use the N-VDS on ESXi continue to utilize the same switch. The reason for this is two-fold:

  1. The conversion of N-VDS to VDS 7.0 for existing NSX deployments is a manual process. Please contact your VMware representative for further details if required. – So you cannot migrate; you have to create it and move the VMs onto it.
  2. The APIs between N-VDS and VDS are different. There are no changes to N-VDS or VDS APIs. However, if you move to use the VDS in your environment you will have to start invoking the VDS APIs instead of N-VDS APIs. This ecosystem change will have to be made before converting the N-VDS to VDS.

The following deployment considerations are recommended when moving from N-VDS to VDS:

  • VDS is configured through vCenter. N-VDS is vCenter independent. With NSX-T support on VDS and the eventual deprecation of N-VDS, NSX-T will be closely tied to vCenter and vCenter will be required to enable NSX.
  • The N-VDS is able to support ESXi host specific configurations. The VDS uses cluster-based configuration and does not support ESXi host specific configuration.
  • This release does not have full feature parity between N-VDS and VDS.
  • The backing type for VM and vmKernel interface APIs is different for VDS when compared to N-VDS.

RHEL support: We add RHEL 7.6 and RHEL 7.7 to the list of supported operating systems for NSX. This applies to KVM and Bare Metal workloads.

Edge

  • New Edge VM XLarge form factor provides more scale for advanced services and better throughput.
  • Enhanced convergence time on Tier-0 gateway with lower BFD interval supported on Edge VM down to 500ms and 50ms on Bare Metal Edge. – This is a significant improvement; for a VM this was 1200 msec.
  • Enhanced Edge VM deployment: During Edge VM deployment through NSX, the following actions are taken:
    • Auto start the Edge VM on ESX reboot
    • Disable edit settings of Edge VM in vCenter
    • Edge VM added in the DFW exclude list
    • Configuration of the following parameters: allow SSH, allow root login, NTP server list, domain search list, DNS server list and default users credentials
  • AMD EPYC support: Edge Nodes, VM and Bare Metal can now be deployed on AMD EPYC series CPU: – finally!!!!!!!!!!!!!!! Go AMD
    • AMD EPYC 7xx1 Series (Naples)
    • AMD EPYC 3000 Embedded Family and newer
    • AMD EPYC 7xx2 Series (Rome)

Firewall

  • Consistent Security Policy across multiple sites using NSX Federation – NSX-T 3.0 introduces the concept of a Global Manager (GM) that can manage multiple NSX Managers. With NSX-T 3.0, the global manager has the capability of consistent security policy across multiple sites through a single pane of glass. – If you have several NSX environments, you can now place one above them in which security-related matters can be managed in one place.
  • Introducing Security Dashboards – NSX-T 3.0 introduces new Security Overview Dashboards for security and firewall admins to see at-a-glance the current operational state of firewall and distributed IDS.
  • Time-based Scheduling of Firewall Rules – With NSX-T 3.0, you can now schedule enforcing of specific rules for specific time intervals. – This is a pretty big deal! Schedulable rules.
  • Introducing wizards to quickly do VLAN-based Micro-Segmentation – You can configure your data centers to introduce segmentation using NSX-T in very easy steps.
  • Micro-Segmentation for Windows Physical Servers – Introducing micro-segmentation for Windows physical servers in NSX-T 3.0. – I know little about this, but it sounds pretty good.
  • URL Analysis – Feature Preview – Introducing a preview of URL Filtering with detection, classification and reputation scores of URLs. This feature preview is available only on the gateway firewall.
  • Supporting TCP/UDP and ICMP Session Timer Configuration for FW in KVM – Supporting firewall timer configuration changes in KVM for workloads running on KVM.

Identity Firewall

  • Filter ICMP traffic for VDI environments as part of Identity Firewall rules – This allows the creation of Identity Firewall rules for VDI users to filter traffic based on the ICMP protocol. This is limited to VDI and not available for RDSH users.
  • Selectively sync AD groups for Identity Firewall groups – This allows syncing of specific AD groups to be used as endpoints in Identity Firewall rules. This capability optimizes the performance and usability of the AD Groups. This capability is currently available using the API only.
  • Filter UDP traffic for Identity Firewall rules – This allows filtering UDP traffic as part of Identity Firewall rules. – This is an important part; until now it only worked for TCP, even back in the NSX-V days.

Distributed Intrusion Detection System (D-IDS)

Introducing in NSX Platform the capability of Distributed Intrusion Detection as a part of the platform’s Threat & Vulnerability Detection capabilities. This feature allows you to enable intrusion detection capabilities within the hypervisor to detect vulnerable network traffic. This distributed mechanism can be enabled on a per VM and per vNIC of a VM basis with granular rule inspection. As part of this feature set, the NSX Manager is able to download the latest signature packs from the NSX Signature Service. This keeps the NSX Distributed IDS updated with the latest threat signatures in the environment. – This flips the table on quite a few other vendors and is a breakthrough capability.

Service Insertion and Guest Introspection

  • E-W Service Chaining for NFV-SFC at the Edge – The ability to chain multiple services was earlier available only to distributed traffic but is now available for edge traffic. The East-West service chains can now also be extended to redirect edge traffic.
  • Disable cloning of NSX Service VMs – Cloning of Service VMs is now prevented from the vSphere Client to prevent malfunctioning of the VMs.

Download

The download page is already available too, so go for it!

Further information

A very good summary of the capabilities in much more detail:

https://blogs.vmware.com/networkvirtualization/2020/04/nsx-t-3-0.html/?src=so_5e8ca03f27baa&cid=70134000001CUn1