Starting with VMware NSX-T Datacenter 2.5, two plugins are available for integrating Openstack Neutron with NSX-T:
  • The NSX-T Policy plugin interacts with NSX-T policy manager, using intent-based API abstractions. This is a new plugin and is the recommended choice for new installations.
  • The NSX-T Manager plugin interacts with NSX-T manager, using imperative APIs. This is the existing NSX-T plugin and must be used for existing installations, as well as for use cases not yet covered by the NSX-T Policy plugin
Table 1. Plug-in Feature Comparison
Networking and Security Features NSX-T MP Plugin NSX-T Policy Descirption
Switching
Overlapping IP subnets support Yes Yes Each project can dynamically create networks that are private to the project. These networks can have IP subnets that overlap with each other.
DHCP Yes Yes Instances have automaic addressing via DHCP.
Static IPv6 address binding No Yes
Routing
Logical routing Yes Yes Enable routing among multiple private logical networks, as well as between a logical network and an external network.
IPv6 logical routing No Yes Enable routing among multiple private IPv6 logical networks, as well as between a logical network and an external network
External networks Yes Yes Networks that provide external access to the instances. Private networks will be uplinked to the external network via a router to provide external access to the instances on the private networks.
IPv6 external networks Yes Yes External network with IPv6.
Static routes Yes Yes Insert a static route.
IPv6 static routes No Yes External network with IPv6.
Floating IP for instances Yes Yes Assign public routable IP addresses to instances to enable external access in to the instances.
No-NAT router Yes Yes No-NAT routing topology.
IPv6 no-NAT router No Yes The No-NAT topology is the only routing topology supported by OpenStack with IPv6. NAT with IPv6 is not supported.
Neutron Router dual stack interfaces No Yes Support of IPv4 and IPv6 dual stack on the same interfaces of a Neutron Router.
IPv6 SLAAC No Yes Support of stateless address autoconfiguration.
Security
Firewalling - security groups Yes Yes OpenStack security groups (with NSX, security group are used + DFW rules created using those SG. This allow micro-segmentation)
IPv6 firewalling (security groups) No Yes Neutron security group with IPv6.
Port security Yes Yes Neutron Port Security is implemented using NSX SpoofGuard capabilities.
IPv6 port security No Yes Neutron Port Security is implemented using NSX SpoofGuard capabilities. This allows for allowed_address_pairs and an IPv6 subnet mapping to a port
Firewalling (L3 FWaaS) Yes Yes
IPv6 Firewalling (L3 FWaaS) No Yes
Other services
Load balancing Yes Yes
Quality of service Yes Yes
DNS Yes Yes
VPNaas Yes No

Upgrades

There is no migration path from Openstack Neutron with NSX-T manager plugin to Openstack Neutron with NSX-T Policy plugin. When upgrading, existing installations should keep running the NSX-T Manager plugin. A migration path from NSX-T Manager to NSX-T Policy will become available in future releases. The NSX-T Policy plugin is the recommended solution for new installations as it includes unique features (IPv6); furthermore, moving forward new features will be available exclusively for the NSX-T plugin.