NSX-T 2.2 Released

NSX-T 2.2 has just been released, and includes a number of great new features. Read the article for further information, including a link to the release notes.

What’s New?

  • NSX Management of Workloads in Azure
    • NSX Datacenter and NSX Cloud offer a single pane of glass for on-premises and Azure workloads
    • Single security policy across hybrid environments, offering a rich set of attributes, including VM names, custom tags, etc.
    • Decouples workload deployment from security enforcement
  • Improved Controller Cluster Deployment Experience
    • It is now possible to automatically deploy a cluster of NSX controllers from the NSX Manager onto vSphere clusters discovered from a vCenter. This makes installation of NSX easier in a vSphere environment.
  • IPFIX, Traceflow, ERSPAN in ‘Enhanced Datapath’
    • The monitoring and troubleshooting features IPFIX, Traceflow and ERSPAN are now extended to workloads powered by an N-VDS configured to run in ‘Enhanced Datapath’ mode.
  • NIOCv3 with NSX-T
    • Network I/O Control (NIOC) allows configurable limits and shares on the network for both system-generated and user-defined network resource pools, based on the capacity of the physical adapters on an ESXi host. Network I/O Control version 3 introduces a mechanism to reserve bandwidth for system traffic based on the capacity of the physical adapters on a host. It also enables fine-grained resource control at the VM network adapter level, similar to the model that you use for allocating CPU and memory resources. In Network I/O Control version 2, you configure bandwidth allocation for virtual machines at the physical adapter level. In contrast, NIOC version 3 lets you set up bandwidth allocation for virtual machines at the level of the entire distributed switch (N-VDS).
  • Guest VLAN Tagging
    • With Virtual Guest Tagging, the vSwitch (N-VDS in this case) port acts like a trunk and inspects incoming VLAN tags to ensure they match the correct destination virtual port; the VLAN tags themselves are left intact by the N-VDS. This feature applies to both VLAN-backed and overlay-backed traffic. Forwarding based on the guest VLAN tag supports bridging only (there is no routing based on the guest VLAN tag within the hypervisor).
  • VLAN Based Logical Switch Teaming Policy Support for ESXi Hosts
    • Enables association or pinning of Logical Switch traffic to a specific uplink. Configured using the teaming policy “Route based on the originating virtual port”, this feature allows VLAN-backed Logical Switch traffic to be pinned to the specified uplink, giving a deterministic traffic path from the vSwitch to the host uplinks.
  • VPN
    • IPsec-based L2 VPN and L3 VPN support for site-to-site connectivity has been introduced; however, this release offers only API configuration and there is no GUI support.
  • Log Insight Content Pack and Splunk App Updates
    • Both the Log Insight Content Pack and Splunk App now have a new widget to track backup and restore activities.
  • Interface Based Edge Firewall
    • NSX-T can provide an L4 stateful firewall on a per-uplink basis on the T1/T0 routers. This enables users to selectively filter traffic coming from various uplinks.
  • Realization of State for Distributed and Edge Firewall
    • Users can query via APIs the status of their firewall publish operation, and can retrieve information on whether a rule has been deployed on a particular VM. This gives users a centralized place to view the status of their firewall.
  • Principal Identity Role Support
    • It is now possible to configure principal identities with one of the default NSX roles.
  • Search
    • The search feature now supports auto-complete.
  • Backup Enhancements
    • NSX now supports the option to trust certificate thumbprints presented by the system where remote backup/restore archives are stored.
  • Support VLAN backed downlinks on Tier0 or Tier1 LR
    • A VLAN-backed logical switch can now be connected to a Tier0 or Tier1 logical router. This feature uses a centralized router port, which is available only on the edge node.
  • Load Balancing
    • HTTPS Load Balancing Support
      • The NSX-T load balancer can now load balance HTTPS traffic with SSL termination on the load balancer.
      • This allows SSL-Offload load balancing (HTTPS from client to LB, decrypted, then HTTP from LB to server) and SSL-EndToEnd (HTTPS from client to LB, re-encrypted in new HTTPS from LB to server).
    • VIP Real Time Statistics Graphics
      • Real-time statistics are displayed graphically for “Concurrent Connections”, “New Connection Rate”, “Throughput”, and “HTTP Request rate”
    • Scale increase
      • The number of load balancers supported per Edge Node has increased for Edge VM Large and Edge Bare Metal
    • Miscellaneous Management/Operation enhancements
      • Higher access log granularity. The access log setting is no longer per Load Balancer; it is now per Virtual Server.
      • Simple single API to download the whole Load Balancer configuration
    • Miscellaneous Application support enhancements
      • WebSocket application support (“enhanced” HTTP protocol)
      • Sorry server. Ability to define, per Virtual Server, a second pool (sorry server) to use in case all members of the first pool are down.
      • LB rule enhancement. New rules “Match cookie value” and “match value case insensitive”
      • L4 multiple port range support. Previously only 1 port range was supported.
      • New LB algorithm with “Weighted Least Connection”
      • Slow start is enabled automatically for the LB algorithms “Least Connection” and “Weighted Least Connection”. This prevents a new server added to an existing production pool from being hammered by new connections.
      • End-user POST requests can now be limited in size. This setting is available via the API only (“request_body_size”).
  • Edge L2 Bridge
    • NSX supports VLAN to overlay service hosted on the Edge node, providing better performance than ESX-based L2 bridge and Layer-3 firewall.
  • Cisco VIC 1387 support on Bare Metal Edge
    • This release of NSX adds support for NICs used in Cisco UCS systems.
  • Customer Experience Improvement Program
    • NSX now supports the VMware Customer Experience Improvement Program in which product usage information is collected and reported back to VMware to improve the quality of NSX. Customers can optionally disable this feature if desired.
  • API Rate Limiting
    • NSX now offers an API rate limiting feature to limit the number of transactions per second and concurrent transactions to the NSX REST API. This protects the system from being impacted when one or more API clients make API requests at a rate the API cannot process.
  • As of NSX-T 2.2, the Distributed Network Encryption feature has been deprecated.

See the release notes here

Bal Birdy
Bal is an Open Group Certified IT Architect, and VCDX #269, specializing in the network and security arena, with over 15 years experience in enterprise level network/system technologies. His goal has always been to maintain a holistic view of the architecture allowing him to understand how various technology streams may impact the networking/infrastructure space.
Bal has a proven record of delivering on enterprise network designs, leading data center and site migrations as a result of business mergers and acquisitions, and vendor migrations e.g. Cisco to Checkpoint/Juniper. As part of this he worked across several business sectors: Utilities, Banking, Retail and Government, and can base designs around sector specific standards e.g. PCI-DSS, DSD and ISM. He is proficient in several technology areas including Cisco, Juniper, F5, VMware, Citrix and Microsoft. These skills are supported by non-technical certifications: Prince2 Project Management Practitioner, ITILv3, TOGAF 9.1 Certified and Open Group Certified IT Architect – Open CA.
In addition to supporting the Livefire Team, Bal leads several innovation efforts within the VMware WRACE organization, including projects investigating the use of Virtual Reality/Augmented Reality, AI/ML and Interactive 360, to support customer and partner enablement.

Certifications:
BSc (Hons) Computer Science
CCNP/CCDP
VCDX-NV #269
Open Group Certificated Architect
Member of the Association of Enterprise Architects
