Extend Security Policy from NSX-V to NSX-T

If you are moving from an NSX-V deployment to an NSX-T deployment or combining an NSX-T deployment with an NSX-V deployment, you can extend your existing security policy from NSX-V to NSX-T without having to recreate the policy rules. This is achieved by leveraging your existing device groups and sharing them between the NSX-V and NSX-T service definitions. After migrating your policy to NSX-T, you can continue using the VM-Series for NSX-V or remove your NSX-V deployment.
  1. Configure an NSX-T service definition for each NSX-V service definition in your deployment. Do not create new device groups; instead use your existing NSX-V device groups. Using the existing device groups allows you to apply the same security policy rules used on NSX-V to the VM-Series firewalls deployed on NSX-T. If you have policy rules that reference a particular zone, add the same template stack from your NSX-V service definition to your NSX-T service definition. Additionally, if your device group references a particular template, ensure that you select the template stack that includes the template referenced in the device group.
  2. Configure an NSX-T service manager and associate the NSX-T service definitions to the service manager.
  3. Prepare your NSX-T environment and deploy the VM-Series firewall. You must create your security groups, service chains, and traffic redirection policy before launching the VM-Series firewall.
  4. Add the NSX-T tags to your existing dynamic address groups.
    1. Select Panorama > Objects > Address Groups.
    2. Click on the name of an existing NSX-V dynamic address group.
    3. Click Add Match Criteria to display the tags from NSX-V and NSX-T.
    4. Add the NSX-T tag to the dynamic address groups. Be sure to use the OR operator between the tags.
    5. When you have added all the necessary tags, click OK.
    6. Commit your changes.
  5. After your VM workloads have successfully migrated from NSX-V to NSX-T, remove the NSX-V tags from your dynamic address groups if you plan to discontinue use of NSX-V. All NSX-V tags and corresponding IP addresses are unregistered after all NSX-V related configuration is removed from the Panorama plugin for NSX and the VM-Series firewall configuration is removed from NSX-V manager.
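
An added example, not part of the original page or of Palo Alto Networks tooling: a check for step 4 that evaluates each dynamic address group's match criteria against a workload carrying only its NSX-V tags and one carrying only its NSX-T tags. Both must match while workloads move, and an AND between the tags matches neither. The sample XML, the `nsxv-`/`nsxt-` tag prefixes and the and-before-or precedence are assumptions; substitute the tag names shown in your own match criteria.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Panorama address-group export; all names are placeholders.
SAMPLE = """<address-group>
  <entry name="web-dag"><dynamic><filter>'nsxv-web' or 'nsxt-web'</filter></dynamic></entry>
  <entry name="db-dag"><dynamic><filter>'nsxv-db' and 'nsxt-db'</filter></dynamic></entry>
  <entry name="app-dag"><dynamic><filter>'nsxv-app'</filter></dynamic></entry>
</address-group>"""

def tokenize(expr):
    """Split match criteria into ('tag', name) and ('op', symbol) tokens."""
    found = re.findall(r"'([^']*)'|(\(|\)|\band\b|\bor\b)", expr, re.IGNORECASE)
    return [("op", op.lower()) if op else ("tag", tag) for tag, op in found]

def matches(expr, tags):
    """Evaluate the filter against the set of tags registered for one workload IP."""
    toks = tokenize(expr)
    def atom():
        kind, val = toks.pop(0)
        if kind == "tag":
            return val in tags
        if val != "(":
            raise ValueError(f"unexpected {val!r} in {expr!r}")
        result = chain("or", lambda: chain("and", atom))
        toks.pop(0)  # closing parenthesis
        return result
    def chain(op, operand):
        result = operand()
        while toks[:1] == [("op", op)]:
            toks.pop(0)
            rhs = operand()
            result = (result or rhs) if op == "or" else (result and rhs)
        return result
    return chain("or", lambda: chain("and", atom))  # assumption: 'and' binds tighter than 'or'

def audit(xml_text, v_prefix="nsxv-", t_prefix="nsxt-"):
    """Return {group: True} only when NSX-V-only and NSX-T-only workloads both match."""
    report = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        flt = entry.findtext("dynamic/filter")
        if flt is None:
            continue  # static group or unrelated entry
        names = {val for kind, val in tokenize(flt) if kind == "tag"}
        v = {n for n in names if n.startswith(v_prefix)}
        t = {n for n in names if n.startswith(t_prefix)}
        report[entry.get("name")] = bool(v and t) and matches(flt, v) and matches(flt, t)
    return report
```

A group reported as False either still lacks an NSX-T tag or joins the tags with AND, so the shared policy rules would not cover workloads registered from only one of the two platforms.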
