Skip to main content

What's new in NSX-T 3.0

There is various enhancement done in NSX-T version 3.0 by VMware. 

Let's talk about architecture change in NSX-T version 3.0

Some of the below changes were made concerning the internal communication mechanism within the NSX-T components. 

They are:

Architecture ramp-up:

  • NSX Manager and its cluster communicate with their transport nodes through APH Server (Appliance Proxy Hub)

  • NSX Manager communicates with NSX-Proxy through port 1234.

  • CCP (Central control plane) communicates with NSX-Proxy through port 1235.

  • RabbitMQ messaging is replaced with NSX-RPC between the management plane and CCP.



Add caption

Alarm and Events


In NSX-T version 3.0, there is an introduction of Alerts and Events which help in the active monitoring of different components of the environment.


Network Topology UI


In NSX-T 3.0 there is a view of the network topology which gives a diagram of each component of NSX-T.  This view gives about numbers of VM connected to segments, numbers of segments, T1, T0. Numbers of uplinks connected to T0.



In the NSX-T 3.0 version, now we can leverage the vCenter VDS as well as NVDS.

In the ESXi host which are managed by the vCenter server can now be configured using VDS during transport node preparation.

For the standalone ESXi host environments, NSX Manager installs the NSX-T virtual distributed switch (NVDS) on transport nodes.

The distributed port group and NSX distributed port groups can coexist on the same VDS.


The requirement of the VDS environment on NSX-T requires having vCenter 7 & ESXi host 7, as well as VDS, must be configured with VDS7. MTU value of VDS7 should be in 1600.



VRF Lite

The new introduction of version 3.0 is VRF Lite where multiple routing instances can be configured without deploying additional Tier-0 gateway along with edge nodes.


VRF Lite does not use MPLS/MP-BGP protocol as other traditional VRF.

Through VRF lite it provides isolation of logical routing and extents peers that are compatible with VRF lite technology.


The requirement of VRF lite 

To have a default Tier-0 gateway with eternal connectivity with layer 3 peer. 

The peer device supports the 802.1Q protocol for VLAN tagging.


Limitation of VRF lite 

 It's not compatible with VPN and Load Balancer.


Ethernet VPN (EVPN) is an IEEE standard and has the following characteristics.

  • Provides L2 VPN and L3 VPN services.

  • Provides control plane and data plane separation.

  • Supports several types of encapsulation, such as VXLAN, Multiprotocol label switching.

  • Uses Multiprotocol BGP (MP-BGP) for the control plane.

NSX Edge and Routing Enhancement.


The following enhancement has been made in NSX Edge in 3.0

  • New Extra large form factor with 16 vCPUs and 64 GB of RAM.

  • The NSX Edge nodes settings can be changed after deployment.

  • A nice feature is where Edge VM is configured to automatically power on in vSphere Cluster where high availability is disabled.

QoS( Quality of Services profile)

QoS profiles are only supported on the Tier-1 gateway and applied on the uplink ports.

 Characteristics of the QoS profile.


  • Profiles for different Tier-1 gateway ono the same NSX Edge are isolated from each other.
  • An individual profile can be configured for ingress and egress traffic.
  • Also, the individual profile can be configured with a single rate.
  • Rate-limiting is applied to all traffic (Unicast, BUM, IPV4/IPV6)

Time-Based Firewall Rules:

One can use time-based firewall rules to configure security rules that are valid for a specific period.


  • They are available for distribution and gateway firewalls.
  • They are configured at the firewall policy level.
  • Both recurring and once-off firewall rules can be configured.
  • They are only supported on ESXi host and NSX Edge nodes
  • These are only configured on the Tier-1 gateway.
  • Use cases for Time-based Firewall rules:
  • Allow users to access the internet during a specific time slot.
  • Allow users to only specific services only during the maintenance window.

The requirement for Time-based Firewall rules

  • NTP services should be on all participating transport nodes.
  • Validate the ntp setting on transport nodes using  /etc/init.d/ntpd status.
  • On Edge nodes validate the services using “ get service NTP”
  • Validate the NTP Client to successfully communicate to configure NTP serve # ntpd –p




Popular posts from this blog

Changing the FQDN of the vCenter appliance (VCSA)

This article states how to change the system name or the FQDN of the vCenter appliance 6.x You may not find any way to change the FQDN from the vCenter GUI either from VAMI page of from webclient as the option to change the hostname always be greyed out. Now the option left is from the command line of VCSA appliance. Below steps will make it possible to change the FQDN of the VCSA from the command line. Access the VCSA from console or from Putty session. Login with root permission Use above command in the command prompt of VCSA : /opt/vmware/share/vami/vami_config_net Opt for option 3 (Hostname) Change the hostname to new name Reboot the VCSA appliance.   After reboot you will be successfully manage to change the FQDN of the VCSA . Note: Above step is unsupported by VMware and may impact your SSL certificate and face problem while logging to vSphere Web Client. If you are using self-signed certificate, you can regenerate the certificate with the

Unable to poweron the VM. (Failed to lock the file)

I have encountered may issues like where after some upgrade or migration we were unable to power on the VM. Figure 1 An error was received from the ESX host while powering on VM HSSVSQL01. Failed to start the virtual machine. Cannot open the disk '/vmfs/volumes/578d835c-18b2c97a-9b0d-0025b5f13920/SAMPLE1_cloud/000000.vmdk' or one of the snapshot disks it depends on. Failed to lock the file In above Figure:1, where while powering on the VM, its prompt for an error. Well, there are several reason for where the VM unable to poweron and you can find many article on this. Here in this article we will discuss to resolve this issue. Please use below step to resolve the disk lock issue  C hecked that VM is running on snapshot if its getting error " VM Consolidation required". Checked the snapshot manager if its showing any snapshot. If yes, try to delete the  snapshot. Verified the same from Esxi cl

VM Creation Date & Time from Powercli

Most of the times we have several requirement when we talk about IT environment like designing , deployment , compliance check or for Security auditing the environment. Somewhere during security auditing we require to provide several information to security team to get successful audit. One of them is the compliance of Virtual machine auditing of creation date and time. Here into this post we will explore how to get the creation date and time of virtual machine hosted into the vCenter or ESXi. To get the details we will use VMware Powercli to extract the details. By default there is no function added into Powercli to get such details, so here we will add a function of vm creation date. Below is the function which needed to be copy and paste into the Powercli. ======================================================================= function  Get-VMCreationTime  {     $vms  =  get-vm     $vmevts  = @()     $vmevt  =  new-object  PSObject     for