In this migration mode, you migrate the Distributed Firewall configuration, NSX-V hosts, and workload VMs.

If you have Identity Firewall (IDFW) configured, it will also be migrated. For more information about migrating IDFW, see Migrating Identity Firewall (End-to-End and Lift-and-Shift).

The existing NSX-V prepared compute clusters are migrated to NSX. You do not require separate compute host clusters in your destination NSX environment.

The migration process will create the required infrastructure to extend the networks between hosts that are still on NSX-V and hosts that are migrated to NSX. The layer-2 extension allows the migration of the environment without disrupting the connectivity between the VMs on NSX-V hosts and the VMs on hosts that are migrated to NSX.

The following objects in the DFW configuration are migrated:
  • User-defined Distributed Firewall (DFW) rules
  • Grouping Objects
    • IP Sets
    • MAC Sets
    • Security Groups
    • Services and Service Groups
    • Security Tags
  • Security Policies created using Service Composer (only DFW rule configurations are migrated)

    Guest Introspection service configuration and Network Introspection rule configurations in the Service Composer are not migrated.

Migration of a single site NSX-V deployment that contains an NSX Manager in primary mode, no secondary NSX Managers, and with universal objects on the primary site, is supported. Such a single site NSX-V deployment is migrated to a single site NSX environment (non-federated) with only local objects.

For a detailed list of all the configurations that are supported for the migration of Distributed Firewall configuration, see the Detailed Feature Support for Migration.

Prerequisites for DFW, Host, and Workload Migration

  • A new NSX environment is deployed for this migration.
    • Deploy NSX Manager appliances.

      In a production environment, add an NSX Manager cluster with three appliances. However, for migration purposes, a single NSX Manager appliance is adequate.

    • Deploy a vCenter Server appliance.

      The vCenter Server must be added as a compute manager in NSX. You can share the vCenter Server that is used in NSX-V or deploy another one in NSX.

    • This migration mode does not require you to deploy NSX Edges before starting the migration. However, to provide routing, Layer 3 networking services, and north-south connectivity to the physical ToR switches, you must deploy Edges in your NSX environment.
    • Create overlay segments in NSX with the same virtual network identifier (VNI) and subnet address as the Logical Switches in NSX-V.

      That is, for each NSX-V Logical Switch, add a corresponding overlay segment in NSX. Using the same subnet address helps ensure that the IP addresses of the workload VMs are retained after the VMs move to NSX segments. Use the NSX APIs to create the overlay segments. You cannot create overlay segments with the same VNI in the NSX Manager UI.

      You must create the segments with the SOURCE replication mode, and change the mode to MTEP only after the migration is done.

    • Create VLAN segments in NSX with the same VLAN IDs and subnet address as the VLAN Distributed Virtual Port Groups (DVPG) in NSX-V.
      Note: VLAN DVPG must be associated only with a VLAN ID. VLAN Trunk is not supported.
  • No user-defined DFW rules exist in NSX before this migration.
  • All states in the System Overview pane of the NSX-V dashboard are green.
  • There are no unpublished changes for Distributed Firewall and Service Composer policies in the NSX-V environment.
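
The segment prerequisites above (same VNI and subnet for each Logical Switch, SOURCE replication mode, a single VLAN ID per DVPG) can be checked before starting the migration. The following is an added example, not part of the product documentation: the inventories are constructed sample data, and the segment field names (`overlay_id`, `replication_mode`, `vlan_ids`, `subnets[].gateway_address`) are assumed to follow the NSX Policy API Segment object.

```python
import ipaddress

# Constructed sample inventory of the NSX-V side (hypothetical names and values).
NSXV_SWITCHES = [
    {"name": "web-ls", "vni": 5001, "subnet": "10.10.1.0/24"},
    {"name": "app-ls", "vni": 5002, "subnet": "10.10.2.0/24"},
    {"name": "db-ls", "vni": 5003, "subnet": "10.10.3.0/24"},
]
NSXV_VLAN_DVPGS = [
    {"name": "mgmt-dvpg", "vlan": "100", "subnet": "192.168.100.0/24"},
    {"name": "trunk-dvpg", "vlan": "200-210", "subnet": "192.168.200.0/24"},
]
# Constructed sample of NSX segments; field names assume the Policy API Segment schema.
NSX_SEGMENTS = [
    {"id": "web-seg", "overlay_id": 5001, "replication_mode": "SOURCE",
     "subnets": [{"gateway_address": "10.10.1.1/24"}]},
    {"id": "app-seg", "overlay_id": 5002, "replication_mode": "MTEP",
     "subnets": [{"gateway_address": "10.10.2.1/24"}]},
    {"id": "mgmt-seg", "vlan_ids": ["100"],
     "subnets": [{"gateway_address": "192.168.100.1/24"}]},
]

def segment_networks(seg):
    return {ipaddress.ip_interface(s["gateway_address"]).network
            for s in seg.get("subnets", [])}

def check_segment_prerequisites(switches, dvpgs, segments):
    """Return (object name, problem) tuples for unmet segment prerequisites."""
    findings = []
    by_vni = {s["overlay_id"]: s for s in segments if "overlay_id" in s}
    for ls in switches:
        seg = by_vni.get(ls["vni"])
        if seg is None:
            findings.append((ls["name"], "no overlay segment with the same VNI"))
            continue
        if ipaddress.ip_network(ls["subnet"]) not in segment_networks(seg):
            findings.append((ls["name"], "segment subnet differs"))
        if seg.get("replication_mode") != "SOURCE":
            findings.append((ls["name"], "replication mode is not SOURCE"))
    for pg in dvpgs:
        if not pg["vlan"].isdigit():  # a range such as 200-210 is a trunk
            findings.append((pg["name"], "VLAN trunk is not supported"))
            continue
        seg = next((s for s in segments if s.get("vlan_ids") == [pg["vlan"]]), None)
        if seg is None:
            findings.append((pg["name"], "no VLAN segment with the same VLAN ID"))
        elif ipaddress.ip_network(pg["subnet"]) not in segment_networks(seg):
            findings.append((pg["name"], "segment subnet differs"))
    return findings
```

An empty result means every Logical Switch and VLAN DVPG in the inventory has a matching segment that meets the prerequisites.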