In this migration mode, you migrate the Distributed Firewall configuration, NSX-V hosts, and workload VMs.
If you have Identity Firewall (IDFW) configured, it will also be migrated. For more information about migrating IDFW, see Migrating Identity Firewall (End-to-End and Lift-and-Shift).
The existing NSX-V prepared compute clusters are migrated to NSX-T. You do not require separate compute host clusters in your destination NSX-T environment.
The migration process will create the required infrastructure to extend the networks between hosts that are still on NSX-V and hosts that are migrated to NSX-T. The layer-2 extension allows the migration of the environment without disrupting the connectivity between the VMs on NSX-V hosts and the VMs on hosts that are migrated to NSX-T.
- User-defined Distributed Firewall (DFW) rules
- Grouping Objects
  - IP Sets
  - MAC Sets
  - Security Groups
  - Services and Service Groups
  - Security Tags
- Security Policies created using Service Composer (only DFW rule configurations are migrated)
Guest Introspection service configuration and Network Introspection rule configurations in the Service Composer are not migrated.
Migration of a single site NSX-V deployment that contains an NSX Manager in primary mode, no secondary NSX Managers, and with universal objects on the primary site, is supported. Such a single site NSX-V deployment is migrated to a single site NSX-T environment (non-federated) with only local objects.
For a detailed list of all the configurations that are supported for the migration of Distributed Firewall configuration, see the Detailed Feature Support for Migration.
Prerequisites for DFW, Host, and Workload Migration
- A new NSX-T environment is deployed for this migration.
  - Deploy NSX Manager appliances.
    In a production environment, add an NSX Manager cluster with three appliances. However, for migration purposes, a single NSX Manager appliance is adequate.
  - Deploy a vCenter Server appliance.
    The vCenter Server must be added as a compute manager in NSX-T. You can share the vCenter Server that is used in NSX-V or deploy another one in NSX-T.
  - This migration mode does not require you to deploy NSX-T Edges before starting the migration. However, to provide routing, Layer 3 networking services, and north-south connectivity to the physical ToR switches, you must deploy Edges in your NSX-T environment.
  - Create overlay segments in NSX-T with the same virtual network identifier (VNI) and subnet address as the Logical Switches in NSX-V.
    That is, for each NSX-V Logical Switch, add a corresponding overlay segment in NSX-T. Using the same subnet address helps ensure that the IP addresses of the workload VMs are retained after the VMs move to NSX-T segments. Use the NSX-T APIs to create the overlay segments. You cannot create overlay segments with the same VNI in the NSX Manager UI.
  - Create VLAN segments in NSX-T with the same VLAN IDs and subnet address as the VLAN Distributed Virtual Port Groups (DVPG) in NSX-V.
    Note: VLAN DVPG must be associated only with a VLAN ID. VLAN Trunk is not supported.
- No user-defined DFW rules exist in NSX-T before this migration.
- All states in the System Overview pane of the NSX-V dashboard are green.
- There are no unpublished changes for Distributed Firewall and Service Composer policies in the NSX-V environment.
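The segment prerequisites above can be prepared offline before any API call is made. The following is an added example, not taken from the VMware documentation: it turns an inventory of NSX-V Logical Switches and VLAN DVPGs into segment request bodies, rejects duplicate VNIs, and sets aside trunk DVPGs. It assumes the NSX-T Policy API segment fields `overlay_id`, `vlan_ids`, `subnets[].gateway_address` and `transport_zone_path` (verify them against the API reference for your NSX-T version); the inventory values and transport zone IDs are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample inventory; names, VNIs, VLANs and subnets are illustrative.
NSXV_LOGICAL_SWITCHES = [
    {"name": "web-ls", "vni": 5001, "gateway": "10.10.1.1/24"},
    {"name": "app-ls", "vni": 5002, "gateway": "10.10.2.1/24"},
]
NSXV_VLAN_DVPGS = [
    {"name": "mgmt-pg", "vlan": "120", "gateway": "192.168.120.1/24"},
    {"name": "trunk-pg", "vlan": "100-200", "gateway": "192.168.100.1/24"},
]
# Placeholder transport zone paths; substitute the IDs from your NSX-T environment.
TZ_ROOT = "/infra/sites/default/enforcement-points/default/transport-zones/"
OVERLAY_TZ, VLAN_TZ = TZ_ROOT + "OVERLAY-TZ-ID", TZ_ROOT + "VLAN-TZ-ID"

def _segment(name, tz_path, gateway):
    # ip_interface() raises ValueError on a malformed gateway or prefix.
    iface = ipaddress.ip_interface(gateway)
    return {"display_name": name, "transport_zone_path": tz_path,
            "subnets": [{"gateway_address": iface.with_prefixlen}]}

def overlay_segments(switches, tz_path):
    """One segment body per Logical Switch, pinned to the switch's VNI."""
    bodies, seen = {}, set()
    for ls in switches:
        if ls["vni"] in seen:
            raise ValueError(f"duplicate VNI {ls['vni']} in inventory")
        seen.add(ls["vni"])
        bodies[ls["name"]] = dict(_segment(ls["name"], tz_path, ls["gateway"]),
                                  overlay_id=ls["vni"])
    return bodies

def vlan_segments(dvpgs, tz_path):
    """Segment bodies for single-VLAN DVPGs; trunk or range DVPGs are rejected."""
    bodies, rejected = {}, []
    for pg in dvpgs:
        vlan = str(pg["vlan"])
        if not (vlan.isdecimal() and 0 <= int(vlan) <= 4094):
            rejected.append(pg["name"])  # VLAN trunk is not supported
            continue
        bodies[pg["name"]] = dict(_segment(pg["name"], tz_path, pg["gateway"]),
                                  vlan_ids=[str(int(vlan))])
    return bodies, rejected

if __name__ == "__main__":
    vlan_bodies, skipped = vlan_segments(NSXV_VLAN_DVPGS, VLAN_TZ)
    overlay_bodies = overlay_segments(NSXV_LOGICAL_SWITCHES, OVERLAY_TZ)
    for seg_id, body in {**overlay_bodies, **vlan_bodies}.items():
        # Each body is intended for PATCH /policy/api/v1/infra/segments/<seg_id>
        print(seg_id, json.dumps(body))
    print("trunk or invalid VLAN, needs rework before migration:", skipped)
```

Reviewing the rejected list before the migration starts surfaces trunk port groups while they can still be reworked on the NSX-V side.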