Recently I worked on a customer engagement where I installed NSX-T into their environment. After the installation, a migration needed to be done from the VSS port groups (VLAN backed) to the NSX-T Segments (VLAN backed).
This customer initially did not intend to use the distributed routing features from NSX-T. The hosts were prepped with the NSX bits to be able to configure an N-VDS to the host. The use case for this was micro-segmentation with vRealize Network Insight.
I am not covering the initial steps which I needed to perform in detail, since I want to share the script that I used for the virtual machines instead of explaining the whole migration plan.
At a high level, the following steps were performed:
- Install NSX-T Manager
- Add Compute Manager (vCenter)
- Create two transport node profiles
  - 1-PNIC-Migration-TN-Profile (only configure 1 vmnic to the N-VDS, the other 'leg' is still on the VSS)
  - 2-PNIC-Final-TN-Profile (both vmnics are configured on the N-VDS, this profile is applied after the Virtual Machine migration)
- Create migration script
- Apply final Transport Node Profile (requires maintenance mode per ESXi host)
The customer had to migrate approximately 3000 VMs in different batches and timeframes. The script I wrote leverages a single *.csv file with only VM names like this:
##You can add as many if-else statements here as you need. In my original script, I had 30 of them since I had 30 source port groups to migrate from
PORTGROUPNAME = Name of VSS based Portgroup on ESXi host
vSphere 6.5 U3
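The CSV-driven approach described above, as an added PowerCLI example that is not the author's original script: it replaces the if-else chain with a lookup table, reports a plan unless `-Apply` is given, and writes a per-NIC report so that adapters left on a VSS port group (and therefore outside the segments) are visible. It assumes an existing `Connect-VIServer` session and that the segments appear in vCenter as opaque networks; the CSV header `Name`, the file paths and the port group and segment names are placeholders.

```powershell
# Added example. Assumes an existing Connect-VIServer session; all names are placeholders.
param(
    [string]$CsvPath = '.\vms.csv',   # assumed layout: one column, header "Name"
    [switch]$Apply                    # without -Apply, only the plan is reported
)

# Source VSS port group -> target VLAN-backed NSX-T segment (placeholder names).
$Map = @{
    'PG-VLAN10' = 'SEG-VLAN10'
    'PG-VLAN20' = 'SEG-VLAN20'
}

# N-VDS segments show up in vCenter as opaque networks; index them by name
# (assumes segment names are unique).
$Opaque = @{}
Get-View -ViewType OpaqueNetwork | ForEach-Object { $Opaque[$_.Name] = $_ }

$Report = foreach ($row in Import-Csv -Path $CsvPath) {
    $vms = @(Get-VM -Name $row.Name -ErrorAction SilentlyContinue)
    if ($vms.Count -ne 1) {
        [pscustomobject]@{ VM = $row.Name; Nic = ''; From = ''; To = ''; Status = 'VM not found or name not unique' }
        continue
    }
    $vm = $vms[0]
    foreach ($nic in Get-NetworkAdapter -VM $vm) {
        $target = if ($nic.NetworkName) { $Map[$nic.NetworkName] }
        $status = if (-not $target) { 'skipped: port group not in map' }
        elseif (-not $Opaque.ContainsKey($target)) { 'skipped: segment not found' }
        elseif (-not $Apply) { 'planned' }
        else {
            try {
                # Re-point the existing vNIC at the opaque network via the vSphere API.
                $backing = New-Object VMware.Vim.VirtualEthernetCardOpaqueNetworkBackingInfo
                $backing.OpaqueNetworkId   = $Opaque[$target].Summary.OpaqueNetworkId
                $backing.OpaqueNetworkType = $Opaque[$target].Summary.OpaqueNetworkType
                $device = $nic.ExtensionData
                $device.Backing = $backing
                $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
                $change.Operation = 'edit'
                $change.Device    = $device
                $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
                $spec.DeviceChange = @($change)
                $vm.ExtensionData.ReconfigVM($spec) | Out-Null
                'migrated'
            } catch { "failed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ VM = $vm.Name; Nic = $nic.Name; From = $nic.NetworkName; To = $target; Status = $status }
    }
}
$Report | Export-Csv -Path '.\migration-report.csv' -NoTypeInformation
```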
If you have any questions or remarks, feel free to reach out!
Awesome script and work Wesley!
Just curious: in the case you mentioned, were only N-VDS segments used at the end? So all migrated VSS portgroups were removed? I'm thinking whether there is an overhead when using NSX-T segments compared to traditional VDS portgroups when not using NSX-T features.
In this case, almost all VSS port groups were removed. There is no real overhead using VLAN backed NSX-T segments compared to traditional VDS/VSS Portgroups. In the end it is also a port group with just a VLAN ID.
Do we need to mirror all NSXV port groups on NSXT Switch or just Portgroups will be managed by NSXT firewall rules?
Nowadays you can enforce NSX-T Firewall rules onto Portgroups on a VDS with vSphere 7.0 and above.