
Six months ago, my peer Matt Hilliker wrote about the new features of NSX-T 3.0. Here we are at the beginning of November, with NSX-T 3.1 released less than a week ago. Like 3.0, 3.1 brings an impressive list of updates, additions and fixes. 

1. Federation

I realize this was mentioned in the 3.0 update, but we have to address the reality. Federation support in 3.0 was limited and, per the release notes, not officially recommended for production because of a few challenges at release. With 3.1, Federation is now officially supported in production to connect multiple data centers, with global policy management handled through the Global Manager application.

One of the key factors in making this happen is support for a standby Global Manager cluster. Now we can fail over the Global Manager from one data center to another in a disaster. The last important update for Federation was doubling the scale for the number of hosts supported. Federation still supports up to four data centers defined within a Global Manager cluster.

2. Distributed IPS

NSX-T 3.0 brought the Distributed Intrusion Detection System (D-IDS). Now, 3.1 brings the Distributed Intrusion Prevention System (D-IPS). Instead of just detecting and alerting on malicious traffic, NSX-T will now deny the traffic. The D-IPS is an easily customizable signature-based system. By default, NSX Manager checks for new signatures daily, and new signature updates are published every two weeks.

If you are familiar with the distributed firewall function in NSX-T, you will feel at home with the D-IPS, as the interface is very similar. With the D-IPS in NSX-T, you will have the ability to provide enhanced security for your East-West traffic within the data center without forcing all that traffic into a bottlenecked appliance.

3. Multicast

NSX-T 3.0 was the first version to support multicast routing. With 3.1, there are significant enhancements. One of the biggest enhancements is the ability to support multicast routing at the T1 router level and IGMP support on all T1 uplinks and downlinks. 

Multicast traffic is now supported with the distributed firewall as well. Please keep in mind that, currently, multicast routing is limited to Any-Source Multicast (ASM). Source-Specific Multicast (SSM) is not supported.

4. Automation

NSX Policy API enhancements make it possible to filter and retrieve objects within a subtree, rather than only from the root of the tree as in previous versions. Additionally, for those customers using the popular infrastructure-as-code platform Terraform, NSX-T 3.1 supports a Terraform provider for Federation.

5. Operations

One of the challenges with any virtualization platform is lifecycle management. It becomes even more complicated when you add software-defined networking on top. NSX-T 3.1 with vSphere 7.0 Update 1 supports the use of vSphere Lifecycle Manager (vLCM). This will allow you to address both ESXi and NSX-T updates with one remediation task in vLCM versus multiple steps.

Adding physical servers has become easier, with the process now managed within NSX Manager rather than by running Ansible scripts.

Typically, NSX Manager is run as a cluster of three virtual machines. Running on a single NSX Manager was only supported for lab scenarios and not production. As of NSX-T 3.1, you may run a single NSX Manager appliance in conjunction with vSphere High Availability (HA). Keep in mind this deployment model is not recommended except in particular situations. The highest availability and fastest failover are still achieved by using an NSX Manager cluster.

6. Role-based access control

Previously, NSX-T offered only predefined role-based access control (RBAC): you worked with the roles VMware provided, with no customization allowed. The 3.1 upgrade provides the ability to customize your RBAC environment.


VMware has been moving fast in the software-defined networking world. This upgrade from 3.0 to 3.1 is a significant improvement, with many features added. Based on the announcements at VMworld, this is not going to slow down in the slightest. Lastline, which VMware acquired, will be incorporated into the NSX Advanced Threat Protection family. The ability to offload NSX functions to SmartNICs such as Pensando will be fascinating to watch.

Keep an eye out for future articles on these subjects by following our Data Center Networking topic area.