In this migration, the migration coordinator migrates the Distributed Firewall configuration, NSX Data Center for vSphere hosts, and workload VMs to a new NSX-T Data Center.

The existing NSX-v prepared compute clusters are migrated to NSX-T. You do not require separate compute host clusters in your destination NSX-T environment.

In this migration mode, the migration coordinator creates the required infrastructure to extend the networks between hosts that are still on NSX-v and hosts that are migrated to NSX-T. The Layer 2 extension allows the migration coordinator to migrate the environment without disrupting the connectivity between the VMs on NSX-v hosts and the VMs on hosts that are migrated to NSX-T.

The following objects in the DFW configuration are migrated:
  • User-defined Distributed Firewall (DFW) rules
  • Grouping Objects
    • IP Sets
    • MAC Sets
    • Security Groups
    • Services and Service Groups
    • Security Tags
  • Security Policies created using Service Composer (only DFW rule configurations are migrated)

    Guest Introspection service configuration and Network Introspection rule configurations in the Service Composer are not migrated.

Starting in NSX-T 3.1.1, migration of a single site NSX for vSphere deployment that contains an NSX Manager in primary mode, no secondary NSX Managers, and with universal objects on the primary site, is supported. Such a single site NSX for vSphere deployment is migrated to a single site NSX-T environment (non-federated) with only local objects.

For a detailed list of all the configurations that are supported for the migration of Distributed Firewall configuration, see the Detailed Feature Support for Migration Coordinator.

Prerequisites for DFW, Host, and Workload Migration

  • Supported software version requirements:
    • NSX-v versions 6.4.4, 6.4.5, 6.4.6, 6.4.8 and later are supported.
    • NSX-T Data Center version 3.1.1.
    • See the VMware Product Interoperability Matrices for required versions of vCenter Server and ESXi.
    • The version of ESXi used in your NSX-v environment must be supported by NSX-T.
    • vSphere Distributed Switch versions 6.5.0, 6.6.0, and 7.0 are supported.
    • The NSX-v environment must match the NSX-T system requirements for ESXi, vCenter Server, and vSphere Distributed Switch.
  • A new NSX-T Data Center is deployed for this migration.
    • Deploy NSX Manager appliances.

      In a production environment, add an NSX Manager cluster with three appliances. However, for migration purposes, a single NSX Manager appliance is adequate.

    • Deploy a vCenter Server appliance.

      The vCenter Server must be added as a compute manager in NSX-T. You can share the vCenter Server that is used in NSX-v or deploy another one in NSX-T.

    • This migration mode does not require you to deploy NSX-T Edges before starting the migration. However, to provide routing, Layer 3 networking services, and north-south connectivity to the physical ToR switches, you must deploy Edges in your NSX-T environment.
    • Create overlay segments in NSX-T with the same virtual network identifier (VNI) and subnet address as the Logical Switches in NSX-v.

      That is, for each NSX-v Logical Switch, add a corresponding overlay segment in NSX-T. Same subnet address helps in ensuring that the IP addresses of the workload VMs are retained after the VMs move to NSX-T segments. Use the NSX-T APIs to create the overlay segments. You cannot create overlay segments with the same VNI in the NSX Manager UI.

    • Create VLAN segments in NSX-T with the same VLAN IDs and subnet address as the VLAN Distributed Virtual Port Groups (DVPG) in NSX-v.
      Note: VLAN DVPG must be associated only with a VLAN ID. VLAN Trunk is not supported.
  • No user-defined DFW rules pre-exist in the destination NSX-T Data Center before this migration.
  • All states in the System Overview pane of the NSX-v Dashboard are green.
  • There are no unpublished changes for Distributed Firewall and Service Composer policies in the NSX-v environment.
  • The export version of Distributed Firewall must be set to 1000 on the NSX-v hosts. You must verify the export version and update if necessary. For more information, see Configure Export Version of Distributed Firewall Filter on Hosts.