For small to medium sized companies it is now possible to use NSX-T as a plugin for vCenter. At least that is how VMware positions this feature. Similar to how NSX-V was configured through vCenter, NSX-T can now be operated in the same manner.
As said, you need at least vCenter 7.0 update 3 to be able to use the NSX-T plugin. Furthermore, the requirements are the same as for using security on distributed port groups.
- The ESXi hosts need to be compatible with vCenter 7.0.3 (update 3)
- The virtual distributed switch needs to be version 6.6 or later
To be able to use the NSX-T plugin in vCenter, the NSX-T manager also needs to be deployed from vCenter. Currently it is not possible to deploy an NSX-T manager and register it to vCenter, like the way NSX-V was deployed. Only greenfield deployments are able to use this feature. A single NSX-T manager is deployed in this manner.
Installation or deployment
To deploy an NSX-T manager from vCenter, go to the NSX tab in the vCenter client and click Install NSX.
The NSX-T manager is installed with the normal deploy OVF method. Select the NSX-T 3.2 appliance OVA and fill out the required information to start the deployment. Select either a Medium or a Large size NSX-T manager during the deployment, otherwise the NSX-T manager will not be registered.
Make sure to deploy the OVA to a host that is connected to the vCenter you want the NSX-T manager to register to. I have tried multiple options with linked vCenters, but the NSX-T manager is always registered to the vCenter which also manages that ESXi host.
During the installation you can’t select which vCenter the NSX-T manager will be registered to. But you can find the vCenter it is registered to in the vApp settings of the virtual machine. If you need to remove the NSX-T plugin from vCenter, see the removal part at the end of this blog.
In my lab environment it took about 15 to 20 minutes to deploy the OVA and another 20 to 25 minutes for the installation to complete. During this last period the NSX-T manager is started, configured, and once completed it registers itself to vCenter. So, grab a cup of coffee and try to be patient.
After the NSX-T manager is deployed and registered to vCenter, the ‘Start NSX Onboarding’ button appears, or a blue banner is displayed at the top of vCenter. You can either refresh the browser or click the start onboarding button, which refreshes the browser.
The next step is to enter an NSX-T license key.
Once the license key has been applied you can start adding Security or Virtual Networking. In this blog, I’ll show the steps for Security, which are in the end the same as for NSX-T distributed firewall on distributed virtual port groups. (See this blog)
Security Only
Once the NSX-T manager is deployed, the plugin has been registered and a license has been added, it is finally time to start configuring the Security Only option.
Like in the Quick Start menu in the NSX-T manager, the first step is to install NSX-T Security to a vSphere cluster. As you can see below, I’m installing NSX-T Security to a cluster with mixed vSphere ESXi versions, which isn’t best practice but a nice way to show that it works on different versions in one go.
Note that the vSphere 6.7 host I’m using is version 6.7 U2. An older host gets an ‘error installing’ message. Check the interoperability matrix for all ESXi versions supported by NSX-T 3.2.
The installation takes about 5 minutes to complete. If the installation fails, the error can be viewed in the same way as it is viewed in the NSX-T manager. In my case there isn’t enough memory available on the ESXi host.
In my lab environment I’m using nested ESXi servers. So, for me the fix was simple. I was able to shut down the ESXi host and add some memory. After adding the memory, I was able to resolve the issue and install NSX-T on the ESXi host.
When NSX-T Security is installed on the ESXi hosts, the next step is to add some firewall rules. These steps are not so intuitive to me. I can understand that VMware wants to help us deploy some basic rules, but there also should be a way to skip creating these basic rules, an option to go for a default Allow rule and go from there. But if you already have an idea of the firewall rules you want to deploy, this can help you to set them up.
For this step to succeed you need to create at least one Infrastructure group. For now, I have created a DNS and NTP group based on an IP-address.
After some basic groups have been created, the next step is to create some default firewall rules based on them. For each group created in the previous step a firewall rule is created, with the Service Entry based on the group type that was selected in the previous step. In this case 53 for DNS and 123 for NTP.
By clicking Next in the middle of the screen, you can add rules based on Environment and Application groups, if you have created them in the previous step. It is also possible to skip to the 4th step on this screen because that is the important one. Here you can select what the action will be for the final rule in the distributed firewall rule base.
If you are not sure what to do, leave it at Allow. That is the safest for connectivity, especially if you are deploying to a vSphere cluster with running workloads, because any other final action blocks all traffic that is not matched by an earlier rule.
The last step is to publish the firewall rules.
And the initial installation and configuration is complete!
After clicking done, the NSX-T manager can be viewed and used directly from vCenter. But it is still possible to access the NSX-T manager in its own separate browser.
For example, you can view the Compute manager that was created during the deployment or the firewall rules that were created with the wizard during the deployment.
Next steps
Now that the installation of NSX-T is complete, the next steps in a normal installation would be to configure things like RBAC, Backup, Certificates, deploying the other NSX-T appliances in the cluster etc. At the moment it is not very clear to me what is supported or possible and what is not. When that’s clearer I’ll update this or write an additional blog about it.
So, there is much to discover with this new feature. Although at this moment I don’t see that much added value for this feature over opening a new browser for the NSX-T manager. Normally I open multiple browser windows to switch between NSX and vCenter anyway.
But let’s see where VMware goes with this feature.
NSX-T plugin removal
As a final part of this blog, some notes about removing the NSX-T vCenter plugin.
Because I used a linked vCenter setup, my first deployment was registered to the wrong vCenter. Therefore I had to redeploy it. If you need to remove or redeploy the NSX-T plugin you can simply shut down and delete the NSX-T manager that was deployed.
In vCenter you need to unregister the plugin. A complete description of the steps can be found here.
In short: the steps are to connect to the vCenter MOB (Managed Object Browser) and go to the ExtensionManager page. Select UnregisterExtension and use this method on “com.vmware.nsx.management.nsxt”.
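The same UnregisterExtension call can be made from PowerCLI instead of the MOB. The script below is an added example, not part of the original blog: it first reports which connected vCenter holds the registration (useful with linked vCenters) and then unregisters the key on one vCenter only. It assumes VMware PowerCLI is installed and Connect-VIServer sessions already exist; the vCenter name is a placeholder.

```powershell
# Added example. Assumes existing Connect-VIServer sessions to each linked vCenter.
$ExtensionKey  = 'com.vmware.nsx.management.nsxt'   # extension key named in the blog
$TargetVCenter = 'vcenter01.lab.example'            # placeholder, replace with your vCenter

# 1. Report which connected vCenter(s) hold the NSX-T plugin registration.
foreach ($vc in $global:DefaultVIServers) {
    $em  = Get-View -Id 'ExtensionManager' -Server $vc
    $ext = $em.FindExtension($ExtensionKey)
    if ($ext) {
        [pscustomobject]@{
            VCenter = $vc.Name
            Version = $ext.Version
            Company = $ext.Company
            # URL(s) the plugin points at, i.e. the NSX-T manager that registered it
            Urls    = ($ext.Server | ForEach-Object { $_.Url }) -join ', '
        }
    } else {
        Write-Host "$($vc.Name): $ExtensionKey is not registered"
    }
}

# 2. Unregister on the intended vCenter only, then confirm that it is gone.
$vc = $global:DefaultVIServers | Where-Object { $_.Name -eq $TargetVCenter }
if (-not $vc) { throw "Not connected to $TargetVCenter" }

$em = Get-View -Id 'ExtensionManager' -Server $vc
if ($em.FindExtension($ExtensionKey)) {
    $em.UnregisterExtension($ExtensionKey)
    if ($em.FindExtension($ExtensionKey)) {
        throw "$ExtensionKey is still registered on $TargetVCenter"
    }
    Write-Host "Unregistered $ExtensionKey from $TargetVCenter"
} else {
    Write-Host "Nothing to do: $ExtensionKey is not registered on $TargetVCenter"
}
```

Review the output of the first step before running the second, so the plugin of a working deployment on another linked vCenter is not removed by mistake.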
After removal of the plugin my OVA deployment didn’t work every time. Sometimes the OVA did deploy but didn’t auto start. Deleting the deployed VM and starting over usually solves the issue.
Thanks for reading and I hope this was useful to you. If you have any questions or remarks, please leave a note or contact me.