Hi Guys,
While working on NSX-T, I noticed that the component (Like Tier-0, Tier-1, or any logical switch) which I created using the below interface (Advance Networking & Security) doesn't come up in the "Networking" tab.
But the component which I created in the "Networking" tab that does show in the "Advance Networking & Security" tab with an icon ⊜ which means that it is protected object and in read-only mode and cannot be configured through "Advance Networking & Security" tab.
After a little bit of study, I found that both interfaces do the same work. Just difference is that
- If you are deploying a new environment with NSX-T 2.4 or later then to use this policy based interface is the best to proceed.
- Some features (Below is the detail) are not available in the policy-based interface so to use those feature you can use Advance interface
- If you are upgrading to NSX-T 2.4 or later, continue to use Advance Networking & Security interface.
Below is the detail of when to use policy-based and when to use advance interface for any configuration in NSX-T
Note that if you are using the "Advanced Networking & Security" interface then us it only and if you are using "Policy Interface" then use only that interface. Do not use both interfaces to create objects. However, objects which you create in "Policy Interface" can be visible in "Advance Networking & Security" but vice-versa doesn't happen.
Now, there is a difference in names as well. Refer to the below table, please and remember both do the same thing just name is different due to interface difference.
While working on NSX-T, I noticed that the component (Like Tier-0, Tier-1, or any logical switch) which I created using the below interface (Advance Networking & Security) doesn't come up in the "Networking" tab.
 | ||||
| Advance Interface |
 |
| Policy Interface |
After a little bit of study, I found that both interfaces do the same work. Just difference is that
- If you are deploying a new environment with NSX-T 2.4 or later then to use this policy based interface is the best to proceed.
- Some features (Below is the detail) are not available in the policy-based interface so to use those feature you can use Advance interface
- If you are upgrading to NSX-T 2.4 or later, continue to use Advance Networking & Security interface.
Below is the detail of when to use policy-based and when to use advance interface for any configuration in NSX-T
| Policy Interface | Advanced Interface |
| Most new deployments should use the policy-based interface. | Deployments which were created using the advanced interface, for example, upgrades from versions before the the policy-based interface was present. |
| NSX Cloud deployments | Deployments that integrate with other plugins. For example, NSX Container Plug-in, Openstack, and other clouds management platforms. |
| Networking features available in the Policy interface | Networking features available in the Advanced interface |
| DNS Services and DNS Zones | Layer 3 forwarding for IPv4 and IPv6 |
| VPN | Forwarding up timer |
| Forwarding policies for NSX Cloud | Change internal transit network IP |
| VIP HA support on Tier-0 | |
| Standby relocation | |
| Route advertisement filtering based on the list of prefixes on Tier-1 | |
| Loopback creation | |
| BGP multihop | |
| BGP source addresses | |
| Static routes with BFD and interface as next-hop | |
| Metadata proxy | |
| DHCP server attached to an isolated segment and static binding | |
| Security features available in the Policy interface only | Security features available in the Advanced interface only |
| Endpoint Protection | Ability to enable or disable Distributed Firewall, Identity Firewall, and Gateway Firewall |
| Network Introspection (East-West Service Insertion) | Distributed Firewall session timers |
| Context Profiles - L7 applications, FQDN | Exclusion lists |
| New Distributed Firewall and Gateway Firewall Layout - Categories, Auto service rules | CPU and memory thresholds |
| Sections for stateless rules | |
| Bridge Firewall | |
| Section Locking | |
| Distributed Firewall rule IDs | |
| Distributed Firewall rules based on IPs in source and destination |
Note that if you are using the "Advanced Networking & Security" interface then us it only and if you are using "Policy Interface" then use only that interface. Do not use both interfaces to create objects. However, objects which you create in "Policy Interface" can be visible in "Advance Networking & Security" but vice-versa doesn't happen.
Now, there is a difference in names as well. Refer to the below table, please and remember both do the same thing just name is different due to interface difference.
|
|||||||||||||||||
| All this I learned from https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.4/nsxt_24_admin.pdf from page number 12. |
|||||||||||||||||
| Hope you find this information informative. Stay tuned for more information. Thank you, vCloudNotes | |||||||||||||||||
0 Comments:
Post a Comment