Principles
- Based on a given upgrade scenario, identify requisite steps and components for upgrading to NSX 6.x
- Upgrade vCNS 5.5 to NSX 6.x
- Upgrade vCNS Virtual Wires to NSX Logical Switches
- Upgrade to NSX Components
- Upgrade to NSX Firewall
- Upgrade to NSX Edge
- Upgrade vShield Endpoint from 5.5 to 6.x
- Upgrade to NSX Data Security
- Upgrade NSX Manager from 6.0 to 6.x
- Update vSphere Clusters after NSX upgrade
- Understand the impact of availability to the aspects of NSX during an upgrade
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- NSX Installation Guide
https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf
- NSX Upgrade Guide
https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_upgrade.pdf
Based on a given upgrade scenario, identify requisite steps and components for upgrading to NSX 6.x
Deployment upgrade process flow:
- NSX Manager
- NSX Controllers
- NSX Host Clusters
- NSX Edges
Thigs to consider
- Downgrades are not supported
- Perform a backup of the current configuration through the NSX Manager UI
- Verify vSphere and ESXi hosts meet interoperability requirements for upgrade
- Check Guest Introspection services compatibility
- Remove Data Security before upgrading
- Take a snapshot the NSX Manager
- Create an NSX Tech-Support log bundle
- Check forward and reverse name resolutions
- Ensure the bypassVumEnabled flag is set to true in vCenter (if configured)
- Check license requirements
Upgrade vCNS 5.5 to NSX 6.x
Preparation
- vCNS must be at v5.5 before upgrade
- Check any installed vCNS partner services are compatible with NSX
- Uninstall Data Security
- Migrate networks from Nexus 1000v to vDS
- Upon upgrade vCNS license is converted to an NSX for vShield Endpoint license
- Default licence from NSX 6.2.3 onwards
- Allows the deployment of vShield Endpoint for anti-virus offload only
- Host Prep, DFW, VXLAN and Edge deployment not permitted
- Existing vCNS prepared hosts, virtual wires, vShield App and vShield Edge continue to work but no further deployment or changes possible
- License upgrade need to utilise NSX properly
Installation Order
- vShield Manager to NSX Manager
- Deploy NSX Controller Cluster – optional
- Required for DLRs and changing transport control plane to Hybrid or Unicast
- Upgrade Clusters and Hosts
- Update Transport Zone – optional
- Only needed if NSX Controller is deployed and control plane to be changed to hybrid or unicast
- Edit the Transport Zone and change the replication mode to Unicast or Hybrid as desired and select the “Migrate existing Logical Switches to the new control pane”
- vShield App to Distributed Firewall
- vShield Edge to NSX Edge
- vShield Endpoint to NSX Guest Introspection
Upgrade vCNS Virtual Wires to NSX Logical Switches
- Clusters must undergo Host Preparation to install NSX VIBs and convert existing Virtual Wires to NSX Logical Switches
- Following Host Preparation “install” appears under Installation Status – click to convert Virtual Wires to NSX Logical Switches
- Virtual Wires deployed with vCNS use DHCP or Static as the IP assignment method
- Update VXLAN Port
- vCNS uses UDP 8472
- NSX uses UDP 4789
- Recommend this is updated to align with future cross-vcenter installation which requires all hosts use the same port
Upgrade to NSX Components
Upgrade to NSX Firewall
- Pre-requisites:
- vShield App version 5.5
- vShield Manager has been upgraded to NSX Manager
- Virtual Wires have been upgraded to NSX Logical Switches
- Do no delete vShield App until rules have been migration to DFW
- DFW can be upgraded from the “Host Preparation” Tab following VIB installation and VXLAN preparation
- A new section is created in the DFW for existing vCNS rules
- Existing vShield App VMs can be shutdown and then removed after the ruleset has been verified and all alarms cleared
Upgrade to NSX Edge
- Pre-requisites:
- Pre 5.5 vShield Edges cannot be managed or deleted after upgrading to NSX so upgrade them beforehand
- vShield Manager has been upgraded to NSX Manager
- A local segment ID Pool has been configured
- Verify sufficient hardware resources are available to support the temporary deployment of NSX Edges alongside vShield Edges
- New NSX Edges are deployed alongside existing vShield Edges
- Following installation Existing Edges are disconnected and new NSX Edges are connected
- New Edge sends out a GARP to update the connected switch ARP tables
- Packet forwarding is suspended temporarily during upgrade
- OSPF Adjacencies are withdrawn unless graceful restart is configured
- L2 VPN configurations must be deleted prior to installation
- Check any static routes configured on an Edge have the correct next hop assigned before starting the upgrade
- NSX Edge Firewall does not support Source Port so rules are modified as following during the upgrade:
- If no applications are used in the rule a new service is created with protocol=any, port=any, sourcePort=<existingRuleSourcePort>
- If applications or application groups are used in the existing rules, they are re-created with source port added
- Re-configure L2 VPNs
Upgrade vShield Endpoint from 5.5 to 6.x
- Guest Introspection VMs can be upgraded from vSphere Web Client
- “Upgrade Available” is shown under Service Deployments
- Click to upgrade and set the Datastore, Network and IP Assignment method
Upgrade to NSX Data Security
- NSX Data Security deprecated from NSX 6.2.3
- Can continue to be used but will be removed from future releases
- NSX Data Security should be uninstalled before upgrade
- Use REST API to uninstall old version if already upgraded and then redeploy Data Security
Upgrade vShield Manager from 5.5 to 6.x
- Do not uninstall vShield Manager
- Upgrade is conducted from vShield Manager
- Following upgrade default license “NSX for vShield Endpoint” is applied
- Permits NSX vShield Endpoint Deployment only
- Does not permit Host Preparation, VXLAN, DFW, Edges
Update vSphere Clusters after NSX upgrade
- Clusters must undergo Host Preparation to install NSX VIBs and convert existing Virtual Wires to NSX Logical Switches
- Following Host Preparation “install” appears under Installation Status – click to convert Virtual Wires to NSX Logical Switches
- Virtual Wires deployed with vCNS use DHCP or Static as the IP assignment method
- A host reboot is performed following the upgrade
- DRS manages the order of installation if enabled
Understand the impact of availability to the aspects of NSX during an upgrade
Order of upgrade:
- vShield Manager
- Host clusters and virtual wires
- vShield App
- vShield Edge
- vShield Endpoint
vCenter Upgrade
- If upgrading from vCenter 5.5 with embedded SSO with vCenter 6.0 vShield Manager may lose connection to vCenter if registered with “root”
- From NSX 6.2 registering with root is deprecated
- Change vShield Manager vCenter registration to administrator@vsphere.local prior to upgrade
vShield Manager Upgrade
If upgrading to vShield Manager 5.5 prior to NSX the following applies during upgrade:
- Configuration blocked
- API unavailable
- Existing VM communication continues to function
- New VMs cannot be connected to virtual wires
All changes are permitted after upgrade is complete
Host Cluster upgrade and Virtual Wires
- New VIBs installed on Hosts -> requires a reboot
- Existing Virtual Wires are renamed Logical Switches
- VMs cannot be provisioned on hosts undergoing upgrade as they will be in maintenance mode
- DRS manages order of upgrade if configured
- Logical Switches can continue to be provisioned during host preparation (partial upgrade)
vShield App migrated to Distributed Firewall
- vShield App migrated to DFW during upgrade
- Existing filters continue to work during migration
- Do not add or modify filters during migration
- Remove vShield App via Service Deployment page in NSX following migration
vShield Edge Upgrade
- Can be upgraded independently of host upgrades
- Configuration changes are blocked during upgrade and packet forwarding is halted
- After upgrade configuration changes are not blocked but any new features introduced in NSX will be not available until Controllers are deployed and host preparation is complete
- L2 VPN must be reconfigured after upgrade
- SSL VPN client must be reinstalled after upgrade
vShield Endpoint migrated to Guest Introspection
- vShield Endpoint renamed Guest Introspection in NSX 6.x
- Go to Networking & Security -> Installation -> Service Deployments and select “Upgrade”
- Guest Introspection virtual appliance and host agent deployed on each host
- If VMs are modified during the upgrade protection is temporarily affected
- Following upgrade all VMs are protected
Migrate Local Admin user to CLI Admin User
- In NSX: prior to 6.x the “admin” user was in the local database. From 6.x it became a CLI user
- In vCNS the cli “admin” and UI “admin” users are different
- CLI = OS account
- UI = vCNS (VSM) user database account
- VSM user database deprecated from NSX 6.x
- Following an upgrade the CLI And UI admin account is present in both the CLI And Web UI databases as separate accounts
- In a fresh (greenfield) NSX deployment the admin account is a single entity that can be used to login to the CLI And Web UI
- To make the upgraded environment behave as a new one either:
- Change internal admin password with REST API call
- Requires ongoing maintenance i.e. whenever the CLI password is changed, update the Web UI password and vice versa
- Add super_user role to CLI admin account and remove old Web UI Admin account
- Requires a second super_user account to be added before existing Web UI “admin” account can be removed
- Change internal admin password with REST API call
NSX Services that cannot be upgraded directly
- NSX Data Security
- Should be uninstalled before upgrade
- Use REST API to uninstall old version if already upgraded and then redeploy Data Security
- SSL VPN
- NSX 6.2 only accepts TLS
- From NSX 6.2.3 TLS 1.0 is deprecated to connections from existing clients will fail
- Uninstall SSL VPN Clients and install the NSX 6.2.x version to enable support
- NSX L2 VPN
- Existing L2 VPN configurations must be deleted from vShield Edges prior to upgrade and re-created after