NSX for vSphere (NSX-v) features and configurations that can be migrated are listed below.
Platform Support
See the VMware Interoperability Matrix for supported versions of ESXi and vCenter Server.
NSX-v Configuration |
Supported |
Details |
---|---|---|
NSX Data Center for vSphere with vSAN or iSCSI on vSphere Distributed Switch |
Yes |
|
Pre-existing NSX-T configuration |
No |
Deploy a new NSX-T Data Center environment to be the destination for the NSX Data Center for vSphere migration. During the Import Configuration step, all NSX Edge node interfaces in the destination NSX-T Data Center environment are shut down. If the destination NSX-T Data Center environment is already configured and is in use, starting the configuration import will interrupt traffic. |
Cross vCenter NSX |
(NSX-T 3.1) No (NSX-T 3.1.1 and later) Yes if the NSX-v deployment has an NSX Manager in primary mode and no secondary NSX Managers. |
Starting in NSX-T 3.1.1, migration of a single site NSX for vSphere deployment that contains an NSX Manager in primary mode, no secondary NSX Managers, and with universal objects on the primary site, is supported. Such a single site NSX for vSphere deployment is migrated to a single site NSX-T environment (non-federated) with local objects. Migration of a true cross-vCenter NSX-V deployment with a primary NSX Manager and multiple secondary NSX Managers is not supported. Migration Coordinator will only migrate from an NSX-V Manager with the role of Primary or Standalone. You can modify the NSX-V environment by changing the status of the secondary managers in order to migrate each NSX-V environment independently. |
NSX Data Center for vSphere with a Cloud Management Platform, Integrated Stack Solution, or PaaS Solution |
Yes |
Migration of NSX for vSphere with vRealize Automation is supported if the integrated environment is configured in a supported topology. See Topologies Supported for Integration with vRealize Automation for details. Contact your VMware representative before proceeding with migration. Scripts and integrations might break if you migrate the integrated environments:
For example:
|
vSphere and ESXi Features
NSX-v Configuration |
Supported |
Details |
---|---|---|
ESXi host already in maintenance mode (no VMs) |
Yes |
|
Network I/O Control (NIOC) version 3 |
Yes |
|
Network I/O Control (NIOC) version 2 |
No |
|
Network I/O Control (NIOC) having vNIC with reservation |
No |
|
vSphere Standard Switch |
No |
VMs and VMkernel interfaces on VSS are not migrated. NSX Data Center for vSphere features applied to the VSS cannot be migrated. |
vSphere Distributed Switch |
Yes | |
Stateless ESXi |
No |
|
Host profiles |
No |
|
ESXi lockdown mode |
No |
Not supported in NSX-T. |
ESXi host pending maintenance mode task. |
No |
|
Disconnected ESXi host in vCenter cluster |
No |
|
vSphere FT |
No |
|
vSphere DRS fully automated |
Yes |
Supported starting in vSphere 7.0 |
vSphere High Availability |
Yes (when maintenance mode is used) |
|
Traffic filtering ACL |
No |
|
vSphere Health Check |
No |
|
SRIOV |
No |
|
vmknic pinning to physical NIC |
No |
|
Private VLAN |
No |
|
Ephemeral dvPortGroup |
No |
|
DirectPath IO |
No |
|
L2 security |
No |
|
Learn switch on virtual wire |
No |
|
Hardware Gateway (Tunnel endpoint integration with physical switching hardware) |
No |
|
SNMP |
No |
|
Disconnected vNIC in VM |
No |
Due to ESX 6.5 limitation, stale entries might present on DVFilter for disconnected VMs. Reboot the VM as a workaround. |
VXLAN port number other than 4789 |
No |
|
Multicast Filtering Mode |
No |
|
Hosts with multiple VTEPs |
Yes |
NSX Manager Appliance System Configuration
NSX-v Configuration |
Supported |
Details |
---|---|---|
NTP server/time setting |
Yes |
|
Syslog server configuration |
Yes |
|
Backup configuration |
Yes |
If needed, change NSX Data Center for vSphere passphrase to match NSX-T Data Center requirements. It must be at least 8 characters long and contain the following:
|
FIPS |
No |
FIPS on/off not supported by NSX-T. |
Locale |
No |
NSX-T only supports English locale |
Appliance certificate |
No |
Role-Based Access Control
NSX-v Configuration |
Supported |
Details |
---|---|---|
Local users |
No |
|
NSX roles assigned to a vCenter user added via LDAP |
Yes |
VMware Identity Manager must be installed and configured to migrate user roles for LDAP users. |
NSX roles assigned to a vCenter group |
No |
Certificates
NSX-v Configuration |
Supported |
Details |
---|---|---|
Certificates (Server, CA signed) |
Yes |
This applies to certificates added through truststore APIs only. |
Operations
Details |
Supported |
Notes |
---|---|---|
Discovery protocol CDP |
No |
|
Discovery protocol LLDP |
Yes |
The listen mode is turned on by default and can’t be changed in NSX-T. Only the Advertise mode can be modified. |
PortMirroring:
|
Yes |
Only L3 session type is supported for migration |
PortMirroring:
|
No |
|
L2 IPFIX |
Yes |
LAG with IPFIX is not supported |
Distributed Firewall IPFIX |
No |
|
MAC Learning |
Yes |
You must enable (accept) forged transmits. |
Hardware VTEP |
No |
|
Promiscuous Mode |
No |
|
Resource Allocation |
No |
vNIC enabled with resource allocation is not supported |
IPFIX – Internal flows |
No |
IPFIX with InternalFlows is not supported |
Switch
NSX-v Configuration |
Supported |
Details |
---|---|---|
L2 Bridging |
No |
|
Trunk VLAN |
Yes |
Trunk uplink portgroups must be configured with a VLAN range of 0-4094. |
VLAN Configuration |
Yes |
Configuration with only VLAN (no VXLAN) is supported. |
Teaming and Failover:
|
Yes |
Supported options for load balancing (teaming policy):
Other load balancing options are not supported. |
Teaming and Failover:
|
No |
|
LACP | Yes | For VDS 7.0 and later, the LACP functionality is not modified during migration. For earlier versions of VDS, a new N-VDS switch replaces the VDS. This will lead to traffic loss during host migration. IPFIX configured on DVS (not DFW IPFIX) is not supported with LACP |
Switch Security and IP Discovery
NSX-v Configuration |
Supported fro Migration |
Details |
---|---|---|
IP Discovery (ARP, ND, DHCPv4 and DHCPv6) |
Yes |
The following binding limits apply on NSX-T for migration:
|
SpoofGuard (Manual, TOFU, Disabled) |
Yes |
|
Switch Security (BPDU Filter, DHCP client block, DHCP server block, RA guard) |
Yes |
|
Migrating datapath bindings from Switch Security module in NSX Data Center for vSphere to Switch security module in NSX-T |
Yes |
If SpoofGuard is enabled, bindings are migrated from the Switch Security module to support ARP suppression. VSIP – Switch security not supported as VSIP bindings are migrated as statically configured rules. |
Discovery profiles |
Yes |
The ipdiscovery profiles are created after migration using the IP Discovery configuration for the logical switch and the global and cluster ARP and DHCP configuration. |
Central Control Plane
NSX-v Configuration |
Supported |
Details |
---|---|---|
VTEP replication per logical switch (VNI) and routing domain |
Yes |
|
MAC/IP replication |
No |
|
NSX Data Center for vSphere transport zones using multicast or hybrid replication mode |
No |
|
NSX Data Center for vSphere transport zones using unicast replication mode |
Yes |
NSX Edge Features
For full details on supported topologies, see Supported Topologies.
NSX-v Configuration |
Supported |
Details |
---|---|---|
Routing between Edge Service Gateway and northbound router or virtual tunnel interface |
Yes |
BGP is supported. Static routes are supported. OSPF is not supported. |
Routing between Edge Services Gateway and Distributed Logical Router |
Yes |
Routes are converted to static routes after migration. |
Load balancer |
Yes |
See Supported Topologies for details. |
VLAN-backed Micro-Segmentation environment |
Yes |
See Supported Topologies for details. |
NAT64 |
No |
Not supported in NSX-T. |
Node level settings on Edge Services Gateway or Distributed Logical Router |
No |
Node level settings, for example, syslog or NTP server, are not supported. |
IPv6 |
No |
|
Unicast Reverse Path Filter (URPF) configuration for Edge Services Gateway interfaces |
No |
URPF on NSX-T gateway interfaces is set to Strict. |
Maximum Transmission Unit (MTU) configuration Edge Services Gateway interfaces |
No |
See Modify NSX Edge Node Configuration Before Migrating Edges for information about changing the default MTU on NSX-T. |
IP Multicast routing |
No |
|
Route Redistribution Prefix Filters |
No |
|
Default originate |
No |
Not supported in NSX-T. |
Edge Firewall
NSX-v Configuration |
Supported |
Details |
---|---|---|
Firewall Section: Display name |
Yes |
Firewall sections can have a maximum of 1000 rules. If a section contains more than 1000 rules, it is migrated as multiple sections. |
Action for default rule |
Yes |
NSX Data Center for vSphere API: GatewayPolicy/action NSX-T API: SecurityPolicy.action |
Firewall Global Configuration |
No |
Default timeouts are used |
Firewall Rule |
Yes |
NSX Data Center for vSphere API: firewallRule NSX-T API: SecurityPolicy |
Firewall Rule: name |
Yes |
|
Firewall Rule: rule tag |
Yes |
NSX Data Center for vSphere API: ruleTag NSX-T API: Rule_tag |
Sources and destinations in firewall rules:
|
Yes |
NSX Data Center for vSphere API:
NSX-T API:
NSX Data Center for vSphere API:
NSX-T API:
|
Firewall rule sources and destinations:
|
No |
|
Services (applications) in firewall rules:
|
Yes |
NSX Data Center for vSphere API:
NSX-T API:
|
Firewall Rule: Match translated |
No |
Match translated must be ‘false’. |
Firewall Rule: Direction |
Yes |
Both APIs: direction |
Firewall Rule: Action |
Yes |
Both APIs: action |
Firewall Rule: Enabled |
Yes |
Both APIs: enabled |
Firewall Rule: Logging |
Yes |
NSX Data Center for vSphere API: logging NSX-T API: logged |
Firewall Rule: Description |
Yes |
Both APIs: description |
Edge NAT
NSX-v Configuration |
Supported |
Details |
---|---|---|
NAT rule |
Yes |
NSX Data Center for vSphere API: natRule NSX-T API: /nat/USER/nat-rules |
NAT rule: rule tag |
Yes |
NSX Data Center for vSphere API: ruleTag NSX-T API: rule_tag |
NAT rule: action |
Yes |
NSX Data Center for vSphere API: action NSX-T API: action |
NAT rule: original address (Source address for SNAT rules, and the destination address for DNAT rules.) |
Yes |
NSX Data Center for vSphere API: originalAddress NSX-T API: source_network for SNAT rule or destination_network for DNAT rule |
NAT rule: translatedAddress |
Yes |
NSX Data Center for vSphere API: translatedAddress NSX-T API: translated_network |
NAT rule: Applying NAT rule on a specific interface |
No |
Applied on must be “any”. |
NAT rule: logging |
Yes |
NSX Data Center for vSphere API: loggingEnabled NSX-T API: logging |
NAT rule: enabled |
Yes |
NSX Data Center for vSphere API: enabled NSX-T API: disabled |
NAT rule: description |
Yes |
NSX Data Center for vSphere API: description NSX-T API: description |
NAT rule: protocol |
Yes |
NSX Data Center for vSphere API: protocol NSX-T API: Service |
NAT rule: original port (source port for SNAT rules, destination port for DNAT rules) |
Yes |
NSX Data Center for vSphere API: originalPort NSX-T API: Service |
NAT rule: translated port |
Yes |
NSX Data Center for vSphere API: translatedPort NSX-T API: Translated_ports |
NAT rule: Source address in DNAT rule |
Yes |
NSX Data Center for vSphere API: dnatMatchSourceAddress NSX-T API: source_network |
NAT rule: Destination address in SNAT rule |
Yes |
NSX Data Center for vSphere API: snatMatchDestinationAddress NSX-T API: destination_network |
NAT rule: Source port in DNAT rule |
Yes |
NSX Data Center for vSphere API: dnatMatchSourcePort NSX-T API: Service |
NAT rule: Destination port in SNAT rule |
Yes |
NSX Data Center for vSphere API: snatMatchDestinationPort NSX-T API: Service |
NAT rule: rule ID |
Yes |
NSX Data Center for vSphere API: ruleID NSX-T API: id and display_name |
L2VPN
NSX-v Configuration |
Supported |
Details |
---|---|---|
L2VPN configuration based on IPSec using pre-shared key (PSK) |
Yes |
Supported if the networking being stretched over L2VPN is an overlay logical switch. Not supported for VLAN networks. |
L2VPN configuration based on IPSec using certificate-based authentication |
No |
|
L2VPN configuration based on SSL |
No |
|
L2VPN configurations with local egress optimizations |
No |
|
L2VPN client mode |
No |
L3VPN
NSX-v Configuration |
Supported |
Details |
---|---|---|
Dead Peer Detection |
Yes |
Dead Peer Detection supports different options on NSX Data Center for vSphere and NSX-T. You might want to consider using BGP for faster convergence or configure a peer to perform DPD if it is supported. |
Changed Dead Peer Detection (dpd) default values for:
|
No |
In NSX-T, dpdaction is set to “restart” and cannot be changed. If NSX Data Center for vSphere setting for dpdtimeout is set to 0, dpd is disabled in NSX-T. Otherwise, any dpdtimeout settings are ignored and the default value is used. |
Changed Dead Peer Detection (dpd) default values for:
|
Yes |
NSX Data Center for vSphere dpdelay maps to NSX-T dpdinternal. |
Overlapping local and peer subnets of two or more sessions. |
No |
NSX Data Center for vSphere supports policy-based IPSec VPN sessions where the local and peer subnets of two or more sessions overlap with each other. This behavior is not supported on NSX-T. You must reconfigure the subnets so they do not overlap before you start the migration. If this configuration issue is not resolved, the Migrate Configuration step fails. |
IPSec sessions with peer endpoint set as any. |
No |
Configuration is not migrated. |
Changes to the extension securelocaltrafficbyip. |
No |
NSX-T Service Router does not have any local generated traffic that needs to be sent over tunnel. |
Changes to these extensions: auto, sha2_truncbug, sareftrack, leftid, leftsendcert, leftxauthserver, leftxauthclient, leftxauthusername, leftmodecfgserver, leftmodecfgclient, modecfgpull, modecfgdns1, modecfgdns2, modecfgwins1, modecfgwins2, remote_peer_type, nm_configured, forceencaps,overlapip, aggrmode, rekey, rekeymargin, rekeyfuzz, compress, metric,disablearrivalcheck, failureshunt,leftnexthop, keyingtries |
No |
Those extensions are not supported on NSX-T and changes to them are not migrated. |
Load Balancer
NSX-v Configuration |
Supported |
Details |
---|---|---|
Monitor / health-checks for:
|
No |
If an unsupported monitor is configured, the monitor is ignored and the associated pool has no monitor configured. You can attach it to a new monitor after migration has finished. |
Application rules |
No |
NSX Data Center for vSphere uses application rules based on HAProxy to support L7. In NSX-T, the rules are based on NGINX. The application rules cannot be migrated. You must create new rules after migration. |
L7 virtual server port range |
No |
|
IPv6 |
No |
If IPv6 is used in virtual server, the whole virtual server would be ignored. If IPv6 is used in pool, the pool would be still migrated, however, the related pool member would be removed. |
URL, URI, HTTPHEADER algorithms |
No |
If used in a pool, the pool is not migrated. |
Isolated pool |
No |
The pool is not migrated. |
LB pool member with different monitor port |
No |
The pool member which has different monitor port is not migrated. |
Pool member minConn |
No |
Configuration is not migrated. |
Monitor extension |
No |
Configuration is not migrated. |
SSL sessionID persistence / table |
No |
Configuration is not migrated, and the associated virtual server has no persistence setting. |
MSRDP persistence / session table |
No |
Configuration is not migrated, and the associated virtual server has no persistence setting. |
Cookie app session / session table |
No |
Configuration is not migrated, and the associated virtual server has no persistence setting. |
App persistence |
No |
Configuration is not migrated, and the associated virtual server has no persistence setting. |
Monitor for:
|
No |
|
Monitor for:
|
Yes |
|
Haproxy Tuning/IPVS Tuning |
No |
|
Pool IP filter
|
Yes |
IPv4 IP addresses are supported. If Any is used, only the IPv4 addresses of the IP pool are migrated. |
Pool IP Filter
|
No |
|
Pool containing unsupported grouping object:
|
No |
If a pool includes an unsupported grouping object, those objects are ignored, and the pool is created with supported grouping object members. If there are no supported grouping object members, then an empty pool is created. |
DHCP and DNS
NSX-v Configuration |
Supported |
Details |
---|---|---|
DHCP Relay configured on Distributed Logical Router pointing to a DHCP Server configured on a directly connected Edge Services Gateway |
Yes |
The DHCP Relay server IP must be one of the Edge Services Gateway’s internal interface IPs. The DHCP Server must be configured on an Edge Services Gateway that is directly connected to the Distributed Logical Router configured with the DHCP relay. It is not supported to use DNAT to translate a DHCP Relay IP that does not match an Edge Services Gateway internal interface. |
DHCP Relay configured on Distributed Logical Router only, no DHCP Server configuration on connected Edge Services Gateway |
No |
|
DHCP Server configured on Edge Services Gateway only, no DHCP Relay configuration on connected Distributed Logical Router |
No |
NSX-v Configuration |
Supported |
Details |
---|---|---|
IP Pools |
Yes |
|
Static bindings |
Yes |
|
DHCP leases |
Yes |
|
General DHCP options |
Yes |
|
Disabled DHCP service |
No |
In NSX-T you cannot disable the DHCP service. If there is a disabled DHCP service on NSX Data Center for vSphere it is not migrated. |
DHCP option: "other" |
No |
The "other" field in dhcp options is not supported for migration. For example, dhcp option '80' is not migrated. <dhcpOptions> <other> <code>80</code> <value>2f766172</value> </other> </dhcpOptions> |
Orphaned ip-pools/bindings |
No |
If ip-pools or static-bindings are configured on a DHCP Server but are not used by any connected logical switches, these objects are skipped from migration. |
DHCP configured on Edge Service Gateway with directly connected logical switches |
No |
During migration, directly connected Edge Service Gateway interfaces are migrated as centralized service ports. However, NSX-T does not support DHCP service on a centralized service port, so the DHCP service configuration is not migrated for these interfaces. |
NSX-v Configuration |
Supported |
Details |
---|---|---|
DNS views |
Yes |
Only the first dnsView is migrated to the NSX-T default DNS forwarder zone. |
DNS configuration |
Yes |
You must provide available DNS listener IPs for all Edge Nodes. A message is displayed during Resolve Configuration to prompt for this. |
DNS – L3 VPN |
Yes |
You must add the newly configured NSX-T DNS listener IPs into the remote L3 VPN prefix list. A message is displayed during Resolve Configuration to prompt for this. |
DNS configured on Edge Service Gateway with directly connected logical switches |
No |
During migration, directly connected Edge Service Gateway interfaces are migrated as centralized service ports. However, NSX-T does not support DNS Service on a centralized service port, so the DNS Service configuration is not migrated for these interfaces. |
Distributed Firewall (DFW)
NSX-v Configuration |
Supported |
Details |
---|---|---|
Identity-based Firewall |
No |
|
Section -
|
Yes |
If a firewall section has more than 1000 rules, then the migrator will migrate the rules in multiple sections of 1000 rules each. |
Universal Sections |
(NSX-T 3.1) No (NSX-T 3.1.1 and later) Yes if the NSX-v deployment has an NSX Manager in primary mode and no secondary NSX Managers. |
|
Rule – Source / Destination:
|
Yes |
|
Rule – Source / Destination:
|
Yes |
maps to Security Group |
Rule – Source / Destination:
|
No |
|
Rule – Source / Destination:
|
(NSX-T 3.1) No (NSX-T 3.1.1 and later) Yes if the NSX-v deployment has an NSX Manager in primary mode and no secondary NSX Managers. |
|
Rule – Applied To:
|
Yes |
maps to Distributed Firewall |
Rule – Applied To:
|
Yes |
maps to Security Group |
Rule – Applied To:
|
No |
|
Rule – Applied To:
|
(NSX-T 3.1) No (NSX-T 3.1.1 and later) Yes if the NSX-v deployment has an NSX Manager in primary mode and no secondary NSX Managers. |
|
Rules Disabled in Distributed Firewall |
Yes |
|
Disabling Distributed Firewall on a cluster level |
No |
When Distributed Firewall is enabled on NSX-T, it is enabled on all clusters. You cannot enable it on some clusters and disable on others. |
DFW Exclusion List | No | DFW exclusion lists are not migrated. You need to re-create them on NSX-T after migration. |
Note: When migrating DFW rules, be sure to migrate the objects referenced by the rules also. NSX-T cannot apply a rule if the objects referenced by the rule are not part of the NSX-T network.
Partner Services: East-West Network Introspection
NSX-v Configuration | Supported | Details |
---|---|---|
Service |
No |
Service registration is not migrated. Partner must register the service with NSX-T before migration. |
Vendor Template |
No |
Vendor template is not migrated. Partner must register the vendor template with NSX-T before migration. |
Service Profile |
No |
Service profiles are not migrated. Either you or the partner must create the service profiles before migration. In the Resolve Configuration step of the migration, the migration coordinator prompts you to map each NSX for vSphere service profile to an NSX-T service profile. If you skip the mapping of service profiles, the rules that use these service profiles are not migrated. Migration coordinator creates a service chain in NSX-T for each service profile in NSX for vSphere. The service chain is created with the following naming convention: Service-Chain-service_profile_name The same service profile is used in the forward path and reverse path of the service chain. |
Service Instance |
No |
Partner service virtual machines (SVMs) are not migrated. The NSX for vSphere partner SVMs cannot be used in NSX-T. For east-west Network Introspection service in NSX-T, partner service VMs must be deployed on an overlay segment. |
Section
|
Yes |
A section maps to a redirection policy. ID is user-defined, and not auto-generated in NSX-T. If a firewall section in NSX for vSphere has more than 1000 rules, migration coordinator migrates the rules in multiple sections of 1000 rules each. For example, if a section contains 2500 rules, the migration coordinator creates three policies: Policy 1 with 1000 rules, Policy 2 with 1000 rules, and Policy 3 with 500 rules. Stateful or stateless firewall rules in NSX for vSphereare migrated to stateful or stateless redirection rules in NSX-T. |
Partner Services: Rules |
||
Name |
Yes |
|
Rule ID |
Yes |
Rule ID is system generated. It can be different from the rule ID in NSX for vSphere. |
Negate Source |
Yes |
|
Negate Destination |
Yes |
|
Source/Destination
|
Yes |
|
Services/Service Groups |
Yes |
For details, see the Services and Service Groups table. |
Advanced Settings
|
Yes |
|
Service Profile and Action
|
Yes |
A service profile binding can have Distributed Virtual Port Groups (DVPG), Logical Switches, and Security Groups as its members. A service profile binding in NSX for vSphere maps to the Applied To field of a redirection rule in NSX-T. Applied To field accepts only Groups, and this field determines the scope of the rule. In NSX-T, rule redirection is at the level of a policy. All rules in a redirection policy have the same scope (Applied To). Applied To field in an NSX-T redirection rule can have a maximum of 128 members. If the number of members in a service profile binding exceeds 128, reduce them to <= 128 before starting the migration.
For example, assume that a service profile binding has 140 members (Security Groups). Do the following steps in
NSX for vSphere before starting the migration:
Now, the total number of members in the service profile binding is 128 (127 + 1), and it is within the maximum limit of the migration coordinator. |
Enable/Disable Rule |
Yes |
- Service Segment
- Migration coordinator creates a service segment in the overlay transport zone that you select in the Resolve Configuration step of the migration. In the NSX for vSphere environment, if the VXLAN transport zone is not prepared with NSX for vSphere, the migration coordinator provides you the option to select the default overlay transport zone in NSX-T to create the service segment. If one or multiple VXLAN transport zones are prepared with NSX for vSphere, you must select any one overlay transport zone to create the service segment in NSX-T.
- Service Profile Priority
- In NSX for vSphere, a service profile has a priority. If a service has multiple service profiles, and multiple profiles are bound to the same vNIC, the service profile with higher priority is applied first on the vNIC. However, in NSX-T, service profile does not have a priority. When multiple redirection rules have the same Applied To setting, the rule order decides which rule is hit first. In other words, the migration coordinator places the rules with a higher profile priority before the rules with a lower profile priority in the NSX-T rule table. For a detailed example, see scenario 2 in Order of Migrated Network Introspection Rules in NSX-T Data Center.
- Service Precedence
-
To redirect traffic to multiple services, NSX for vSphere uses multiple DVFilter slots in the service insertion data path. One DVFilter slot is used to redirect traffic to one service. A service with high precedence is placed higher in the slot compared to a service with low precedence. In NSX-T, only a single DVFilter slot is used and it redirects traffic to a service chain. After migration to NSX-T, the rules that use a partner service with higher precedence are placed before the rules that use a partner service with a lower precedence. For a detailed example, see scenario 3 in Order of Migrated Network Introspection Rules in NSX-T Data Center.
Migration coordinator does not support redirection of traffic on a vNIC to multiple partner services. Redirection to only a single partner service is supported. Although, all the NSX for vSphere rules are migrated to NSX-T, the migrated rule configurations use a service chain with only one service profile. You cannot modify an existing service chain that is used in redirection rules.
Workaround: To redirect traffic on a vNIC to multiple services, create a new service chain and define the order of service profiles in the service chain. Update the migrated rules to use this new service chain.
- Network Introspection Service on VMs Connected to a VM Network
- In the NSX-v environment, if Network Introspection service rules are running on VMs that are connected to a VM Network, these VMs lose security protection after host migration. To ensure that the Network Introspection rules are enforced on the vNICs of these VMs post host migration, you must connect these VMs to an NSX-T segment.
Grouping Objects and Service Composer
IP Sets and MAC Sets are migrated to NSX-T Data Center as groups. See in the NSX-T Manager web interface.
NSX-v Configuration |
Supported |
Details |
---|---|---|
IP Sets |
Yes |
IP sets with up to 2 million members (IP addresses, IP address subnets, IP ranges) can be migrated. IP sets with more members are not migrated. |
Mac Sets |
Yes |
MAC sets with up to 2 million members can be migrated. MAC sets with more members are not migrated. |
Security Groups are supported for migration with the limitations listed. Security Groups are migrated to NSX-T Data Center as Groups. See in the NSX-T Manager web interface.
NSX Data Center for vSphere has system-defined and user-defined Security Groups. These are all migrated to NSX-T as user-defined Groups.
The total number of ‘Groups’ after migration might not be equal to the number of Security Groups on NSX-v. For example, a Distributed Firewall rule containing a VM as its source would be migrated into a rule containing a new Group with the VM as its member. This increases the total number of groups on NSX-T after migration.
NSX-v Configuration |
Supported |
Details |
---|---|---|
Security Group with members that don’t exist |
No |
If any of the members of the Security Group do not exist, then the Security Group is not migrated. |
Security Group that contains a Security Group with unsupported members |
No |
If any members of the Security Group are not supported for migration, the Security Group is not migrated. If a Security Group contains a Security Group with unsupported members, the parent Security Group is not migrated. |
Exclude membership in Security Group |
No |
Security Groups with an exclude member directly or indirectly (via nesting) are not migrated |
Security Group Static Membership |
Yes |
A Security Group can contain up to 500 static members. However, system-generated static members are added if the Security Group is used in Distributed Firewall rules, lowering the effective limit to 499 or 498.
If any members do not exist during the Resolve Configuration step, the security group is not migrated. |
Security Group Member Types (Static or Entity Belongs To):
|
No |
If a security group contains any of the unsupported member types, the security group is not migrated. |
Security Group Member Types (Static or Entity Belongs To):
|
Yes |
Security groups, IP sets, and MAC sets are migrated to NSX-T as Groups. If an NSX for vSphere security group contains an IP set, MAC set, or nested security group as a static member, the corresponding Groups are added to the parent Group. If one of these static members was not migrated to NSX-T, the parent security group does not migrate to NSX-T. For example, an IP set with more than 2 million members cannot migrate to NSX-T. Therefore, a security group that contains an IP set with more than 2 million members cannot migrate. |
Security Group Member Types (Static or Entity Belongs To):
|
Yes |
If a security group contains logical switches that do not migrate to NSX-T segments, the security group does not migrate to NSX-T. |
Security Group Member Types (Static or Entity Belongs To):
|
Yes |
If a security tag is added to the security group as a static member or as a dynamic member using Entity Belongs To, the security tag must exist for the security group to be migrated. If the security tag is added to the security group as a dynamic member (not using Entity Belongs To), the existence of the security tag is not checked before migrating the security group. |
Security Group Member Types (Static or Entity Belongs To):
|
Yes |
|
Using “Matches regular expression” operator for dynamic membership |
No |
This affects Security Tag and VM Name only. “Matches regular expression” is not available for other attributes. |
Using other available operators for dynamic membership criteria for attributes:
|
Yes |
Available operators for VM Name, Computer Name, and Computer OS Name are Contains, Ends with, Equals to, Not equals to, Starts with. Available operators for Security Tag are Contains, Ends with, Equals to, Starts with. |
Entity Belongs to criteria |
Yes |
The same limitations for migrating static members apply to Entity Belongs to criteria. For example, if you have a Security Group that uses Entity Belongs to a cluster in the definition, the Security Group is not migrated. Security Groups that contain Entity Belongs to criteria that are combined with AND are not migrated. |
Dynamic membership criteria operators (AND, OR) in Security Group |
Yes. |
When you define dynamic membership for an NSX Data Center for vSphere Security Group, you can configure the following:
NSX Data Center for vSphere does not limit the number of dynamic criteria, dynamic sets, and you can have any combinations of AND and OR. In NSX-T Data Center, you can have a group with five expressions. NSX Data Center for vSphere security groups which contain more than five expressions are not migrated. Examples of security groups that can be migrated:
Using “Entity belongs to” criteria with AND operators is not supported. All other combinations or definitions of a security group containing unsupported scenarios are not migrated. |
In NSX Data Center for vSphere, security tags are objects which can be applied to VMs. When migrated to NSX-T security tags are attributes of a VM.
NSX-v Configuration |
Supported |
Details |
---|---|---|
Security Tags |
Yes |
If a VM has 25 or fewer security tags applied, migration of security tags is supported. If more than 25 security tags are applied, no tags are migrated. Note: If security tags are not migrated, the VM is not included in any groups defined by tag membership. |
Services and Service Groups are migrated to NSX-T Data Center as Services. See in the NSX-T Manager web interface.
NSX-v Configuration |
Supported |
Details |
---|---|---|
Services and Service Groups (Applications and Application Groups) |
Yes |
Most of the default Services and Service Groups are mapped to NSX-T Services. If any Service or Service Group is not present in NSX-T, a new Service is created in NSX-T. |
APP_ALL and APP_POP2 Service Groups |
No |
These system-defined service groups are not migrated. |
Services and Service Groups with naming conflicts |
Yes |
If a name conflict is identified in NSX-T for a modified Service or Service Group a new Service is created in NSX-T with a name in format: <NSXv-Application-Name> migrated from NSX-V |
Service Groups that combine layer 2 services with services in other layers |
No |
|
Empty Service Groups |
No |
NSX-T does not support empty Services. |
Layer 2 Services |
Yes |
NSX Data Center for vSphere layer 2 Services are migrated as NSX-T Service Entry EtherTypeServiceEntry. |
Layer 3 Services |
Yes |
Based on the protocol, NSX Data Center for vSphere layer 3 Services are migrated to NSX-T Service Entry as follows:
ICMPTypeServiceEntry
|
Layer 4 Services |
Yes |
Migrated as NSX-T Service Entry ALGTypeServiceEntry. |
Layer 7 Services |
Yes |
Migrated as NSX-T Service Entry PolicyContextProfile If an NSX Data Center for vSphere Layer 7 application has a port and protocol defined, a Service is created in NSX-T with the appropriate port and protocol configuration and mapped to the PolicyContextProfile. |
Layer 7 Service Groups |
No |
|
Distributed Firewall, Edge Firewall, or NAT rules that contain port and protocol |
Yes |
NSX-T requires a Service to create these rules. If an appropriate Service exists, it is used. If no appropriate Service exists, a Service is created using the port and protocol specified in the rule. |
NSX-v Configuration |
Supported |
Details |
---|---|---|
Service Composer Security Policies |
Yes |
Firewall rules defined in a Security Policy are migrated to NSX-T as Distributed Firewall rules. Disabled firewall rules defined in a Service Composer Security Policy are not migrated. Guest Introspection rules or Network Introspection rules defined in a Service Composer Security Policy are migrated. If the Service Composer status is not in sync, the Resolve Configuration step shows a warning. You can either skip the migration of Service Composer policies by skipping the relevant Distributed Firewall sections. Alternatively, you can cancel the migration, get Service Composer in sync with Distributed Firewall, and restart the migration. |
Service Composer Security Policies not applied to any Security Groups |
No |
Active Directory Server Configuration
Configuration |
Supported |
Details |
---|---|---|
Active Directory (AD) server |
No |