During V2T migration ESG rules with local Security Group cannot be migrated to Global Managers (GM)
Article ID: 327366
Products
VMware NSX
Issue/Introduction
If an edge firewall rule references a local security group (SG) and that edge is mapped to a Global Manager (GM), the SG cannot be migrated and every rule that uses it is skipped during V2T migration.
Symptoms: During V2T migration, rules on edges mapped to GM that reference a local Security Group (SG) are skipped.
Environment
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
Cause
Both of the following are true:
* An edge firewall rule uses a security group (SG).
* The edge being migrated is mapped to the Global Manager (GM).
Resolution
This is an expected behaviour. Please follow the workaround to avoid any traffic disruption.
Workaround: To avoid traffic disruption, perform the following steps manually:
* Create the affected SGs on NSX-T with membership equivalent to the NSX-V SGs.
* Set the region of these SGs to Global.
* If an NSX-V SG uses dynamic membership (for example, by VM name), also add the internal IP addresses of the member VMs to the NSX-T SG. Dynamic criteria may not match during edge cutover because a VM may not yet exist on NSX-T before host migration, so the IP addresses are what keeps the rule matching during cutover. They can be removed from the SG after host migration.
* Create the affected rules on NSX-T, identical to the NSX-V rules.
* Create these rules in the section that V2T creates (after the L3 Migrate Configuration stage), in the same order as on NSX-V.
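The following is an added example, not VMware code or part of this KB, that builds the NSX-T Global Manager Policy API payloads for the workaround above: one Group per affected SG (dynamic VM-name criterion ORed with the members' IP addresses for the cutover window), and one gateway firewall rule per NSX-V rule, placed in the V2T-created section with sequence numbers that preserve the NSX-V order. The GM FQDN, the Tier-1 gateway path, the section ID, the SG and VM names, the IP addresses and the use of the `default` domain for the Global region are all constructed assumptions; services are left at `ANY` so no service path has to be guessed.

```python
"""Added example (not VMware code): GM Policy API payloads for the V2T SG workaround.
All hosts, paths, IDs, VM names and IPs below are constructed placeholders."""
import json
import urllib.request

GM = "https://gm.example.test"               # assumed Global Manager FQDN
API = "/global-manager/api/v1"               # GM Policy API prefix
DOMAIN = "/global-infra/domains/default"     # assumed: default domain == Global region
T1_PATH = "/global-infra/tier-1s/t1-edge01"  # assumed gateway the migrated ESG maps to
V2T_SECTION = "v2t-edge01-migrated"          # assumed ID of the section V2T created

# Constructed NSX-V input: one SG with a dynamic VM-name criterion, one static SG.
NSXV_SGS = {
    "web-sg": {"vm_name_prefix": "web-",
               "members": {"web-01": "10.10.1.11", "web-02": "10.10.1.12"}},
    "db-sg": {"vm_name_prefix": None,
              "members": {"db-01": "10.10.2.21"}},
}
# Constructed NSX-V edge rules, listed in their original order.
NSXV_RULES = [
    {"name": "allow-web-to-db", "source": "web-sg", "destination": "db-sg", "action": "ALLOW"},
    {"name": "drop-to-db", "source": None, "destination": "db-sg", "action": "DROP"},
]


def group_expression(sg, include_ips=True):
    """Build the Group expression: the dynamic criterion (if any) ORed with the
    members' IPs.  During edge cutover the VMs may not exist on NSX-T yet, so the
    IPs are what keeps the rule matching.  include_ips=False is the post-host-
    migration form: IPs are dropped only where a dynamic criterion remains."""
    expr = []
    if sg["vm_name_prefix"]:
        expr.append({"resource_type": "Condition", "member_type": "VirtualMachine",
                     "key": "Name", "operator": "STARTSWITH", "value": sg["vm_name_prefix"]})
    if include_ips or not expr:
        if expr:
            expr.append({"resource_type": "ConjunctionOperator", "conjunction_operator": "OR"})
        expr.append({"resource_type": "IPAddressExpression",
                     "ip_addresses": sorted(sg["members"].values())})
    return expr


def group_payloads(sgs, include_ips=True):
    """Map each Group's policy path to its PATCH body."""
    return {f"{DOMAIN}/groups/{gid}": {"display_name": gid,
                                       "expression": group_expression(sg, include_ips)}
            for gid, sg in sgs.items()}


def rule_payloads(rules, sgs):
    """Map each rule's policy path (inside the V2T section) to its PATCH body.
    Refuses to emit a rule whose SG is not being created, since such a rule is
    exactly what the migration skips."""
    def grp(name):
        if name is None:
            return ["ANY"]
        if name not in sgs:
            raise ValueError(f"rule references SG {name!r} that is not being created on NSX-T")
        return [f"{DOMAIN}/groups/{name}"]

    out = {}
    for seq, r in enumerate(rules, start=1):
        out[f"{DOMAIN}/gateway-policies/{V2T_SECTION}/rules/{r['name']}"] = {
            "display_name": r["name"],
            "sequence_number": seq * 10,      # preserves NSX-V ordering, leaves gaps
            "source_groups": grp(r["source"]),
            "destination_groups": grp(r["destination"]),
            "services": ["ANY"],              # assumed; substitute the real service paths
            "scope": [T1_PATH],
            "action": r["action"],
        }
    return out


def push(auth_headers, payloads):
    """PATCH every payload to the GM.  Needs network and credentials, so it is
    not invoked here; create groups before the rules that reference them."""
    for path, body in payloads.items():
        req = urllib.request.Request(GM + API + path, data=json.dumps(body).encode(),
                                     method="PATCH",
                                     headers={"Content-Type": "application/json", **auth_headers})
        with urllib.request.urlopen(req) as resp:
            resp.read()


if __name__ == "__main__":
    # Cutover form (IPs included), then the post-host-migration form for review.
    print(json.dumps(group_payloads(NSXV_SGS), indent=2))
    print(json.dumps(rule_payloads(NSXV_RULES, NSXV_SGS), indent=2))
    print(json.dumps(group_payloads(NSXV_SGS, include_ips=False), indent=2))
```

Run it without arguments to print the payloads for review; to apply them, call `push()` with a valid session or basic-auth header, groups first, then rules. After host migration, regenerate the groups with `include_ips=False` and PATCH them again to drop the temporary IP addresses from the dynamically-populated SGs only.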
Additional Information
Impact/Risks: Depending on the rule definitions (actions, order, etc.), traffic may get dropped during edge cutover.