In this migration mode, you migrate the Distributed Firewall configuration, NSX-V hosts, and workload VMs.

If you have Identity Firewall (IDFW) configured, it will also be migrated. For more information about migrating IDFW, see Migrating Identity Firewall (End-to-End and Lift-and-Shift).

The existing NSX-V prepared compute clusters are migrated to NSX-T. You do not require separate compute host clusters in your destination NSX-T environment.

The migration process will create the required infrastructure to extend the networks between hosts that are still on NSX-V and hosts that are migrated to NSX-T. The layer-2 extension allows the migration of the environment without disrupting the connectivity between the VMs on NSX-V hosts and the VMs on hosts that are migrated to NSX-T.

The following objects in the DFW configuration are migrated:
  • User-defined Distributed Firewall (DFW) rules
  • Grouping Objects
    • IP Sets
    • MAC Sets
    • Security Groups
    • Services and Service Groups
    • Security Tags
  • Security Policies created using Service Composer (only DFW rule configurations are migrated)

    Guest Introspection service configuration and Network Introspection rule configurations in the Service Composer are not migrated.

Migration of a single site NSX-V deployment that contains an NSX Manager in primary mode, no secondary NSX Managers, and with universal objects on the primary site, is supported. Such a single site NSX-V deployment is migrated to a single site NSX-T environment (non-federated) with only local objects.

For a detailed list of all the configurations that are supported for the migration of Distributed Firewall configuration, see the Detailed Feature Support for Migration.

Prerequisites for DFW, Host, and Workload Migration

  • A new NSX-T environment is deployed for this migration.
    • Deploy NSX Manager appliances.

      In a production environment, add an NSX Manager cluster with three appliances. However, for migration purposes, a single NSX Manager appliance is adequate.

    • Deploy a vCenter Server appliance.

      The vCenter Server must be added as a compute manager in NSX-T. You can share the vCenter Server that is used in NSX-V or deploy another one in NSX-T.

    • This migration mode does not require you to deploy NSX-T Edges before starting the migration. However, to provide routing, Layer 3 networking services, and north-south connectivity to the physical ToR switches, you must deploy Edges in your NSX-T environment.
    • Create overlay segments in NSX-T with the same virtual network identifier (VNI) and subnet address as the Logical Switches in NSX-V.

      That is, for each NSX-V Logical Switch, add a corresponding overlay segment in NSX-T. Using the same subnet address helps ensure that the IP addresses of the workload VMs are retained after the VMs move to NSX-T segments. Use the NSX-T APIs to create the overlay segments. You cannot create overlay segments with the same VNI in the NSX Manager UI.

    • Create VLAN segments in NSX-T with the same VLAN IDs and subnet address as the VLAN Distributed Virtual Port Groups (DVPG) in NSX-V.
      Note: VLAN DVPG must be associated only with a VLAN ID. VLAN Trunk is not supported.
  • No user-defined DFW rules exist in NSX-T before this migration.
  • All states in the System Overview pane of the NSX-V dashboard are green.
  • There are no unpublished changes for Distributed Firewall and Service Composer policies in the NSX-V environment.
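
A pre-migration check of the segment prerequisites above, as an added example that is not part of the product documentation: it compares an NSX-V inventory against the NSX-T segments and reports missing VNIs or VLAN IDs, subnet mismatches, and trunked VLAN port groups. The inventory records, their field names, and the function names are constructed for illustration and are not real API output.

```python
import ipaddress

# Constructed sample inventory; record shapes and field names are assumptions.
NSXV_SWITCHES = [
    {"name": "web-ls", "vni": 5001, "subnet": "10.10.1.0/24"},
    {"name": "app-ls", "vni": 5002, "subnet": "10.10.2.0/24"},
    {"name": "db-ls", "vni": 5003, "subnet": "10.10.3.0/24"},
]
NSXV_VLAN_DVPGS = [
    {"name": "mgmt-pg", "vlan": "120", "subnet": "192.168.120.0/24"},
    {"name": "trunk-pg", "vlan": "200-210", "subnet": "192.168.200.0/24"},
]
NSXT_SEGMENTS = [
    {"name": "web-seg", "vni": 5001, "gateway": "10.10.1.1/24"},
    {"name": "app-seg", "vni": 5002, "gateway": "10.10.20.1/24"},
    {"name": "mgmt-seg", "vlan": "120", "gateway": "192.168.120.1/24"},
]

def network_of(cidr):
    """Return the subnet for a network or gateway address in CIDR form."""
    return ipaddress.ip_interface(cidr).network

def compare(source, key, segments_by_id, kind, findings):
    """Require an NSX-T segment with the same ID and subnet as the source."""
    seg = segments_by_id.get(source[key])
    if seg is None:
        findings.append(f"{source['name']}: no {kind} segment with ID {source[key]}")
    elif network_of(seg["gateway"]) != network_of(source["subnet"]):
        findings.append(f"{source['name']}: subnet differs from {seg['name']}")

def check_prerequisites(switches, dvpgs, segments):
    """Return a list of findings; an empty list means the segments line up."""
    findings = []
    by_vni = {s["vni"]: s for s in segments if "vni" in s}
    by_vlan = {s["vlan"]: s for s in segments if "vlan" in s}
    for ls in switches:
        compare(ls, "vni", by_vni, "overlay", findings)
    for pg in dvpgs:
        if not pg["vlan"].isdigit():  # a range such as "200-210" is a trunk
            findings.append(f"{pg['name']}: VLAN trunk is not supported")
        else:
            compare(pg, "vlan", by_vlan, "VLAN", findings)
    return findings

if __name__ == "__main__":
    for finding in check_prerequisites(NSXV_SWITCHES, NSXV_VLAN_DVPGS, NSXT_SEGMENTS):
        print(finding)
```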