/ #network #nsx 

What's new in NSX for vSphere 6.2

NSX for vSphere 6.1 has been available for almost one year and now is the time to welcome a new major version of the product: NSX for vSphere 6.2.

As a reminder for those who have lived in a cave the last years, NSX is VMware’s solution to virtualize network and security for your software-defined data centerNSX network virtualization decouples the network from hardware into a software abstraction layer which allows you to programmatically create, provision, and manage your networks.

VMware NSX Ninja

Although NSX-v 6.2 supports both vSphere 5.5+ and 6.0+, vSphere 6.0 is required for use of the new Cross-vCenter network & security features in NSX-v 6.2.

What’s new?

  • Cross vCenter Network Virtualization: NSX-v 6.2 with vSphere 6.0 supports Cross-vCenter NSX where logical switches, distributed logical routers and distributed firewallscan be deployed across multiple vCenters, thereby enabling logical networking and security for applications with workloads (VMs) that span multiple vCenters or multiple physical locations. Note: although the official full name for this feature is Cross-vCenter Network and Security, it can be referred as Cross-VC NSX or Cross-vCenter NSX.

    • Consistent firewall policy across multiple vCenters: Firewall Rule Sections in NSX can now be marked as “Universal” whereby the rules defined in these sections get replicated across multiple NSX managers. This simplifies the workflows involving defining consistent firewall policy spanning multiple NSX installations

    • Cross vCenter vMotion with DFW: Virtual Machines that have policies defined in the “Universal” sections can be moved across hosts that belong to different vCenters with consistent security policy enforcement.

    • This feature requires the usage of new “universal components”:

      • Universal Logical Switch (ULS) - This new functionality introduced in NSX-v 6.2 as a part of Cross vCenter NSX allows creation of logical switches that can span multiple vCenters, allowing the network administrator to create a contiguous L2 domain for an application or tenant. This eliminates the need to extend the L2 domain over the physical infrastructure solely for the purpose creating a single L2 domain needed for a virtualized application or tenant.

      • Universal Distributed Logical Router (UDLR) - This new functionality introduced in NSX-v 6.2 as a part of Cross vCenter NSX allows creation of distributed logical routers that can span multiple vCenters. The universal distributed logical routers enable routing across the universal logical switches described earlier. In addition, NSX UDLR is capable of localized north-south routing based on the physical location of the workloads.

      • Universal IP sets, MAC sets, security groups, services, and service groups.

  • Support for vSphere 6.0 Platform Services Controller topologies: Amongst new features, the vSphere 6.0 architecture introduced a new component called Platform Services Controller (or PSC). The PSC provides common infrastructure services for the datacenter, like vCenter SSO, license service, lookup service, VMware Certificate Authority and so on. As per KB 2110197, VMware NSX for vSphere (version 6.1.3+) was only tested with vCenter Server with embedded PSC (see opposite). Other vSphere 6.0 topologies with NSX 6.1.3+ may produce unexpected results. NSX-v 6.2 now supports external PSC, in addition to the already supported embedded PSC configurations.

  • L2 Bridging Interoperability with Distributed Logical Router: L2 bridging can now participate in distributed logical routing. The VXLAN network to which the bridge instance is connected, will be used to connect the routing instance and the bridge instance together.

  • New IP address discovery mechanisms for VMs: Authoritative enforcement of security policy based on VM names or other vCenter-based attributes requires that NSX know the IP address of the VM. In NSX 6.1 and earlier, IP address discovery for each VM relied on the presence of VMware Tools on that VM or the manual authorization of the IP address for that VM. NSX-v 6.2 introduces the option to discover the VM’s IP address using DHCP snooping or ARP snooping. These new discovery mechanisms enable NSX to enforce IP address-based security rules on VMs that do not have VMware Tools installed. Note: To use these new detection methods, you must enable them per host cluster.

  • Operations and Troubleshooting Enhancements

    • Central CLI: Central CLI reduces troubleshooting time for distributed network functions. Commands are run from the NSX Manager command line and retrieve information from controllers, hosts, and the NSX Manager.

    • New traceflow troubleshooting tool: Traceflow is a troubleshooting tool that helps identify if the problem is in the virtual or physical network. It provides the ability to trace a packet from source to destination and helps observe how that packet passes through the various network functions in the virtual network.

    • Flow monitoring and IPFix separation: In NSX 6.1.x, NSX supported IPFix reporting, but IPFix reporting could be enabled only if flow reporting to NSX Manager was also enabled. This tended to create too much flow traffic in large-scale deployments. Starting in NSX 6.2.0, these features are decoupled. In NSX 6.2.0 and later, you can enable IPFix independent of flow monitoring on NSX Manager.

    • Show health of the control plane: NSX-v 6.2.0 adds automatic health checking for control plane operations. This feature checks the connection status between NSX Manager and the firewall agent, between NSX Manager and the control plane, between the host and the NSX Controller.

  • LB Health Monitoring Improvements: Delivers granular health monitoring, that reports information on failure, keeps track of last health check and status change, and reports failure reasons.

  • Support VIP and Pool port range: Enables LB support for applications that require a range of ports.

  • …and a lot more!

Additional resources:

Author

Romain

Staff II Technical Product Manager, technologist with 18+ years of Networking and Security experience in Data Center, Public Cloud & Virtualization (VMs and Containers). He is a double VCDX (DCV and NV, #120), VCDX panelist, frequent VMUG/VMworld speaker and contributor to the community via this blog or social media (follow him on Twitter @woueb).