VMware NSX-T 3.0 – What’s New

VMware just launched NSX-T 3.0 so let me provide you with an overview of some of the most exciting new features.

NSX-T adds new features and capabilities in the areas of intrinsic security, modern application networking and streamlined operations. I’ve picked a few of the more notable ones below.

NSX Distributed IDS is an advanced threat detection engine purpose-built to detect lateral threat movement on east-west traffic. This will be available as an add-on subscription to customers with advanced or enterprise plus licencing.

Federation: Centralized policy configuration and enforcement across multiple locations from a single pane of glass, enabling network-wide consistent policy and operational simplicity. This is by far the most eagerly awaited feature of this release.

I have spoken with several customers over the last 6 months who are awaiting this particular feature as it now means NSX-T surpasses NSX-V in terms of feature parity. VMware will continue to develop this particular feature over the course of this year so be sure to check the release notes carefully as to what is and isn’t currently supported.


NSX-T for vSphere with Kubernetes (Project Pacific): NSX has been designed-in as the default pod networking solution for vSphere with Kubernetes and provides a rich set of networking capabilities including distributed switching and routing, distributed firewalling, load balancing, etc.

VRF Lite: Complete data plane isolation among tenants with a separate routing table, NAT, and Edge firewall support in each VRF on the NSX Tier-0 gateway.

L3 EVPN: Seamlessly connects telco Virtual Network Functions to the overlay network. The NSX Edge implements standards-based BGP control plane to advertise IP Prefixes into the telco core, running MP-BGP sessions with the telco Provider Edge/DC Gateways.

NSX-T Support on VDS 7.0: NSX-T can now leverage the native VDS built into vSphere 7.0. It is recommended that new deployments of NSX-T leverage this and move away from the N-VDS. If you are an existing NSX-T customer and have already deployed and are using the N-VDS then the recommendation is to remain using that for the moment. However, you will in the future need to plan to move away from this, consider the following when planning this.

  • VDS is configured through vCenter. N-VDS is vCenter independent. With NSX-T support on VDS and the eventual deprecation of N-VDS, NSX-T will be closely tied to vCenter and vCenter will be required to enable NSX.
  • The N-VDS is able to support ESXi host-specific configurations. The VDS uses cluster-based configuration and does not support ESXi host-specific configuration.
  • This release does not have full feature parity between N-VDS and VDS.
  • The backing type for VM and vmKernel interface APIs is different for VDS when compared to N-VDS.

Security and Firewalling:  It’s not possible to leverage Federation to have a consistent security policy across multiple sites (note VMC support will come in a future release). NSX-T introduces the concept of a global manager and has the capability to sync security policies across multiple sites providing a single pane of glass view.