In this migration, the migration coordinator migrates only the Distributed Firewall configuration from NSX Data Center for vSphere to NSX-T Data Center.

Se migran las siguientes configuraciones de objetos lógicos:
  • Reglas de firewall distribuido (DFW) definidas por el usuario
  • Objetos de agrupamiento
    • Conjuntos de direcciones IP
    • Conjuntos de direcciones MAC
    • Grupos de seguridad
    • Servicios y grupos de servicios
    • Etiquetas de seguridad
  • Directivas de seguridad creadas con Service Composer (solo se migran las configuraciones de reglas de DFW)

    No se migran las configuraciones de la regla de introspección de red y la configuración del servicio de Guest Introspection en Service Composer.

Depending on the DFW configuration, there are two ways to migrate the workload VMs after you migrate the DFW configuration. If "Applied To" is set to "DFW" and all the rules are IP-based, you only need to follow the procedure Migrar máquinas virtuales de carga de trabajo (caso simple). In the cases listed below, you must follow the procedures Crear grupos de máquinas virtuales para la migración de la carga de trabajo and Migrar máquinas virtuales de carga de trabajo (caso complejo).
  • If "Applied To" is set to "DFW" in all the rules, and there are rules with Security Groups with dynamic memberships based on Security Tags or with static memberships.
  • If "Applied To" is set to a universal security group or a universal logical switch in any rule, and there are rules with Security Groups with dynamic memberships based on Security Tags or with static memberships.
  • If "Applied To" is set to a universal security group or a universal logical switch in any rule, and all the rules are IP-based.

A partir de NSX-T 3.1.1, la migración de una implementación de NSX for vSphere de un solo sitio que contiene una instancia de NSX Manager en modo principal, no se admiten instancias secundarias de NSX Manager con objetos universales en el sitio principal. Una implementación de NSX for vSphere de un solo sitio se migra a un entorno de NSX-T de un solo sitio (no federado) solo con objetos locales.

Para obtener una lista detallada de todas las configuraciones admitidas para la migración de la configuración del firewall distribuido, consulte Compatibilidad de funciones detallada del coordinador de migración.

You have the following migration goals:
  • Use the migration coordinator to migrate only the existing Distributed Firewall configuration from NSX-v to NSX-T Data Center.
  • Use Layer 2 Edge bridge and vSphere vMotion to migrate workload VMs from NSX-v to NSX-T.

To extend Layer 2 networks, you can use the NSX-T native Edge bridge.

Importante: Cuando se utiliza el enfoque de elevación y desplazamiento para migrar la configuración de DFW desde NSX-v a NSX-T, debe ejecutar el modo de migración solamente de DFW del coordinador de migración una única vez. Después de migrar la configuración de DFW a NSX-T, no debe actualizar la configuración de DFW en el entorno de NSX-v y volver a ejecutar el modo de migración solamente de DFW. No se recomienda ejecutar el modo de migración solamente de DFW varias veces.

Prerequisites for DFW-Only Migration

  • Supported software version requirements:
    • Se admite NSX-v 6.4.4, 6.4.5, 6.4.6, 6.4.8 y versiones posteriores.
    • NSX-T Data Center version 3.1 or later.

      NSX-T 3.1 supports this migration only with APIs. Migration with UI is available starting in NSX-T 3.1.1.

  • A new NSX-T Data Center is prepared for this migration, and a Layer 2 bridge is pre-configured to extend the VXLAN Logical Switch in NSX-v to the overlay segment in NSX-T Data Center.
  • No existen reglas de DFW definidas por el usuario en el NSX-T Data Center de destino antes de la migración.
  • Todos los estados del panel Información general del sistema del panel de control de NSX-v están en color verde.
  • No hay cambios sin publicar para el firewall distribuido y las directivas de Service Composer en el entorno de NSX-v.
  • La versión de exportación del firewall distribuido debe estar establecida en 1000 en los hosts de NSX-v. Debe comprobar la versión de exportación y actualizarla si fuera necesario. Para obtener más información, consulte Configurar la versión de exportación del filtro de firewall distribuido en los hosts.
  • All hosts in the NSX-managed cluster (NSX-v as well as NSX-T) must be connected to the same version of VDS and each host within the NSX-managed cluster must be a member of a single version of VDS.
Nota:
  • The lift and shift migration of DFW-only configuration does not involve migrating hosts from NSX-v to NSX-T. Therefore, it is not mandatory for the ESXi version that is used in your NSX-v environment to be supported by NSX-T.
  • This Guide explains the DFW-only migration workflow in the migration coordinator UI. If you are using NSX-T 3.1, this migration is supported only with NSX-T APIs. To migrate using APIs, see the API calls that are explained in the Lift and Shift Migration Process section of the NSX Tech Zone article.
  • In DFW-only migration mode of the migration coordinator, the firewall state (DVFilter) for existing connection sessions is maintained throughout the migration including vMotion. The firewall state is maintained regardless of whether the VMs are migrating within a single vCenter Server or across vCenter Servers. Also, the dynamic membership in the firewall rules is maintained after the migration coordinator migrates the Security Tags to the workload VMs.
  • Objects that are created during the migration must not be updated or deleted before the migration is finished. However, you can create additional objects in NSX-T, if necessary.
  • In NSX-T, DFW is enabled out of the box. All flows with sources and destinations as "any" in the DFW rules are allowed by default. When Distributed Firewall is enabled in the NSX-T environment, you cannot migrate the workload VMs again from NSX-T to NSX-v. Roll back of migrated workload VMs is not supported. The workaround is to add the workload VMs to the NSX-T Firewall Exclusion List, and then migrate the workload VMs back to NSX-v using vSphere vMotion.
  • The automated migration of the DFW configurations supports workload VMs that are attached to NSX-V logical switches. These VMs will be migrated to NSX-T overlay segments. Workload VMs in NSX-V that are attached to vSphere Distributed Virtual Port Groups are not automatically migrated to NSX Distributed Virtual Port Groups. As a workaround, you must create the NSX Distributed Virtual Port Groups manually and attach the workload VMs to them.