Skip to main content

What's new in NSX-T 3.0

There is various enhancement done in NSX-T version 3.0 by VMware. 

Let's talk about architecture change in NSX-T version 3.0

Some of the below changes were made concerning the internal communication mechanism within the NSX-T components. 

They are:

Architecture ramp-up:

  • NSX Manager and its cluster communicate with their transport nodes through APH Server (Appliance Proxy Hub)

  • NSX Manager communicates with NSX-Proxy through port 1234.

  • CCP (Central control plane) communicates with NSX-Proxy through port 1235.

  • RabbitMQ messaging is replaced with NSX-RPC between the management plane and CCP.



Add caption

Alarm and Events


In NSX-T version 3.0, there is an introduction of Alerts and Events which help in the active monitoring of different components of the environment.


Network Topology UI


In NSX-T 3.0 there is a view of the network topology which gives a diagram of each component of NSX-T.  This view gives about numbers of VM connected to segments, numbers of segments, T1, T0. Numbers of uplinks connected to T0.



In the NSX-T 3.0 version, now we can leverage the vCenter VDS as well as NVDS.

In the ESXi host which are managed by the vCenter server can now be configured using VDS during transport node preparation.

For the standalone ESXi host environments, NSX Manager installs the NSX-T virtual distributed switch (NVDS) on transport nodes.

The distributed port group and NSX distributed port groups can coexist on the same VDS.


The requirement of the VDS environment on NSX-T requires having vCenter 7 & ESXi host 7, as well as VDS, must be configured with VDS7. MTU value of VDS7 should be in 1600.



VRF Lite

The new introduction of version 3.0 is VRF Lite where multiple routing instances can be configured without deploying additional Tier-0 gateway along with edge nodes.


VRF Lite does not use MPLS/MP-BGP protocol as other traditional VRF.

Through VRF lite it provides isolation of logical routing and extents peers that are compatible with VRF lite technology.


The requirement of VRF lite 

To have a default Tier-0 gateway with eternal connectivity with layer 3 peer. 

The peer device supports the 802.1Q protocol for VLAN tagging.


Limitation of VRF lite 

 It's not compatible with VPN and Load Balancer.


Ethernet VPN (EVPN) is an IEEE standard and has the following characteristics.

  • Provides L2 VPN and L3 VPN services.

  • Provides control plane and data plane separation.

  • Supports several types of encapsulation, such as VXLAN, Multiprotocol label switching.

  • Uses Multiprotocol BGP (MP-BGP) for the control plane.

NSX Edge and Routing Enhancement.


The following enhancement has been made in NSX Edge in 3.0

  • New Extra large form factor with 16 vCPUs and 64 GB of RAM.

  • The NSX Edge nodes settings can be changed after deployment.

  • A nice feature is where Edge VM is configured to automatically power on in vSphere Cluster where high availability is disabled.

QoS( Quality of Services profile)

QoS profiles are only supported on the Tier-1 gateway and applied on the uplink ports.

 Characteristics of the QoS profile.


  • Profiles for different Tier-1 gateway ono the same NSX Edge are isolated from each other.
  • An individual profile can be configured for ingress and egress traffic.
  • Also, the individual profile can be configured with a single rate.
  • Rate-limiting is applied to all traffic (Unicast, BUM, IPV4/IPV6)

Time-Based Firewall Rules:

One can use time-based firewall rules to configure security rules that are valid for a specific period.


  • They are available for distribution and gateway firewalls.
  • They are configured at the firewall policy level.
  • Both recurring and once-off firewall rules can be configured.
  • They are only supported on ESXi host and NSX Edge nodes
  • These are only configured on the Tier-1 gateway.
  • Use cases for Time-based Firewall rules:
  • Allow users to access the internet during a specific time slot.
  • Allow users to only specific services only during the maintenance window.

The requirement for Time-based Firewall rules

  • NTP services should be on all participating transport nodes.
  • Validate the ntp setting on transport nodes using  /etc/init.d/ntpd status.
  • On Edge nodes validate the services using “ get service NTP”
  • Validate the NTP Client to successfully communicate to configure NTP serve # ntpd –p




Popular posts from this blog

Changing the FQDN of the vCenter appliance (VCSA)

This article states how to change the system name or the FQDN of the vCenter appliance 6.x You may not find any way to change the FQDN from the vCenter GUI either from VAMI page of from webclient as the option to change the hostname always be greyed out. Now the option left is from the command line of VCSA appliance. Below steps will make it possible to change the FQDN of the VCSA from the command line. Access the VCSA from console or from Putty session. Login with root permission Use above command in the command prompt of VCSA : /opt/vmware/share/vami/vami_config_net Opt for option 3 (Hostname) Change the hostname to new name Reboot the VCSA appliance.   After reboot you will be successfully manage to change the FQDN of the VCSA . Note: Above step is unsupported by VMware and may impact your SSL certificate and face problem while logging to vSphere Web Client. If you are using self-signed certificate, you can regenerate the certificate with the

Issue : Configure Management Network option is Grayed out into ESXi

Last week I got into an issue of one of my client into Vsphere environment where one of its ESXi went done out of the network. Issue was IP address was showing on main Esxi screen and when I tried to change the network configuration, its " Configure Management network option was greyed out.  I tried to gid into it and try to analyis its vmKernal and vmwarning logs. What I found is its VMkernal switch got removed due to unexpected reason. So to resolve the issue I tried to reconfigure its vswitch0 (vmk0) by going into Tech Mode of that Exi. Below are the steps which I followed to resolve the issue. 1) Login to ESXi 2) Press F2, Check if you " Configure Management network " is greyed out or not" if yes,    follow below 3) Press ALT+F1 to move the ESXi screen to tech mode   ( This is command line like dos) 4) login with root account 5) Run the following command into it esxcli network ip interface add --interface-name= vmk0

Collecting Logs from NSX-T Edge nodes using CLI

  This article explains how to extract the logs from NSX-T Edge nodes from CLI. Let's view the steps involved: 1) Login to NSX-T  Edge node using CLI from admin credentials. 2) Use of  " get support-bundle " for Log extraction. get support-bundle command will extract the complete logs from NSX-T manager/Edge nodes. nsx-manager-1> get support-bundle file support-bundle.tgz 3) Last step is to us e of " copy file support-bundle.tgz url " command. copy file will forward your collected logs from the NSX-T manager to the destination(URL) host from where you can download the logs. copy file support.bundle.tgz url scp://root@ Here, the URL specified is the ESXi host ( under /tmp partition where logs will be copied and from there one can extract it for further log review. Happy Learning.  :)