Extend Security Policy from NSX-V to NSX-T

If you are moving from an NSX-V deployment to an NSX-T deployment or combining and NSX-T deployment with an NSX-V deployment, you can extend your existing security policy from NSX-V to NSX-T without having to recreate the policy rules. This is achieved by leveraging your existing device groups and sharing them between the NSX-V and NSX-T service definitions. After migrating your policy to NSX-T, you can continue using the VM-Series for NSX-V or remove your NSX-V deployment.
  1. Configure an NSX-T service definition for each NSX-V service definition in your deployment. Do not create new device groups; instead use your existing NSX-V device groups. Using the existing device groups allows you to apply the same security policy rules used on NSX-V to the VM-Series firewalls deployed on NSX-T. If you have policy that reference a particular zone, add the same template stack from your NSX-V service definition to your NSX-T service definition. Additionally, if your device group references a particular template, ensure that you select the template stack that includes the template referenced in the device group.
  2. Configure an NSX-T service manager and associate the NSX-T service definitions to the service manager.
  3. Prepare your NSX-T environment and deploy the VM-Series firewall. You must create your security groups, service chains, and traffic redirection policy before launching the VM-Series firewall.
  4. Add the NSX-T tags to you existing dynamic address groups.
    1. Select
      Address Groups
    2. Click on the name of an existing NSX-V dynamic address group.
    3. Click
      Add Match Criteria
      to display the tags from NSX-V and NSX-T.
    4. Add the NSX-T tag to the dynamic address groups. Be sure to use the
      operator between the tags.
    5. When you have added all the necessary tags, click
    6. Commit
      your changes.
  5. After your VM workloads have successfully migrated from NSX-V to NSX-T, you remove the NSX-V tags from your dynamic address groups if you plan to discontinue use of NSX-V. All NSX-V tags and corresponding IP addresses are unregistered after all NSX-V related configuration is removed from the Panorama plugin for NSX and VM-Series firewall configuration is removed from NSX-V manager.

Recommended For You