Product offerings for VMware NSX-T Data Center 3.2.x
Article ID: 319112
Updated On:
Products
VMware NSX
VMware vDefend Firewall
Issue/Introduction
This article provides information on licensing editions of VMware NSX-T and list of features associated with the various licensing editions in VMware NSX-T Data Center 3.2.x.
New VMware NSX-T editions became available to order on August 5th, 2021. The tiers of NSX Data Center licenses are as follows:
NSX-T Editions
- NSX-T Professional Edition: For organizations needing Standard, plus micro-segmentation, and may have public cloud endpoints.
- NSX-T Advanced Edition: For organizations needing Professional, plus advanced networking and security services, and may have multiple sites.
- NSX-T Enterprise Plus Edition: For organizations needing the most advanced capabilities NSX Data Center has to offer, plus network visibility and security operations with vRealize Network Insight™, and hybrid cloud mobility with VMware HCX.
- NSX-T for Remote Office Branch Office: For organizations that need to virtualize networking and security for applications in the remote office or branch office.
Environment
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware NSX-T Data Center
Resolution
The following tables outline specific functions available by edition. NSX-T is available as a single download image with license keys required to enable specific functionality.
Networking
| Feature | NSX-T Editions | |||
|---|---|---|---|---|
| Switching | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| vSphere Distributed Switch10 | Yes | Yes | Yes | Yes |
| VLAN Backed Logical Switching | Yes | Yes | Yes | Yes |
| Overlay Backed Logical Switching | Yes | Yes | Yes | No |
| Multiple TEP Support | Yes | Yes | Yes | No |
| Optimized ARP Learning and Broadcast Suppression | Yes | Yes | Yes | No |
| GENEVE Encapsulation | Yes | Yes | Yes | No |
| Unicast Replication | Yes | Yes | Yes | No |
| Headend Replication | Yes | Yes | Yes | No |
| Spoofguard | Yes | Yes | Yes | No |
| LACP (Edge and Host) | Yes | Yes | Yes | Yes |
| L2 Multicast | Yes | Yes | Yes | No |
| L3 Multicast | No | Yes | Yes | No |
| Quality of Service (QoS) | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| QoS Marking | Yes | Yes | Yes | No |
| QoS DSCP Trust Boundary | Yes | Yes | Yes | No |
| QoS Rate-Limit Northbound Traffic on Tier-1 Gateway | Yes | Yes | Yes | No |
| L2 Bridging to Physical Environment | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Software Based L2 Bridge to Physical Environments | Yes | Yes | Yes | No |
| Routing | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Distributed Routing | Yes | Yes | Yes | No |
| Multi-Tier Routing | Yes | Yes | Yes | No |
| Dynamic Routing with ECMP | Yes | Yes | Yes | No |
| Active / Standby Redundancy for Routing | Yes | Yes | Yes |
No |
| Active / Active Redundancy for Routing | Yes | Yes | Yes | No |
| Virtual Routing and Forwarding (Tier-0 Gateway VRFs) | No | Yes | Yes | No |
| EVPN | No | No | Yes | No |
| OSPF v2 | Yes | Yes | Yes | No |
| Static Routing - IPv4 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Static Routing | Yes | Yes | Yes | Yes |
| BFD | Yes | Yes | Yes | Yes |
| Null Routes | Yes | Yes | Yes | Yes |
| Device Routes | Yes | Yes | Yes | Yes |
| Static Routing - IPv6 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Static Routing | Yes | Yes | Yes | No |
| Null Routes | Yes | Yes | Yes | No |
| Device Routes | Yes | Yes | Yes | No |
| BGP - IPv4 Unicast | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| eBGP | Yes | Yes | Yes | No |
| eBGP Multihop | Yes | Yes | Yes | No |
| iBGP | Yes | Yes | Yes | No |
| Graceful Restart | Yes | Yes | Yes | No |
| BFD | Yes | Yes | Yes | No |
| 4-byte ASN | Yes | Yes | Yes | No |
| BGP - IPv6 Unicast | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| eBGP | No | Yes | Yes | No |
| eBGP Multihop | No | Yes | Yes | No |
| iBGP | No | Yes | Yes | No |
| Graceful Restart | No | Yes | Yes | No |
| 4-byte ASN | No | Yes | Yes | No |
| BFD - IPv4 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Sub-Second Keepalive Timer | Yes | Yes | Yes | No |
| Route Maps | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Match on Prefix-List and Community-List | Yes | Yes | Yes | No |
| Set Weight, MED, AS Path, Prepending, Local Preference, and Community | Yes | Yes | Yes | No |
| Other | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| High Availability Virtual IP (HA VIP) | Yes | Yes | Yes | No |
| Route Redistribution | Yes | Yes | Yes | No |
| IP Prefix-Lists | Yes | Yes | Yes | No |
| Per Interface RPF Check | Yes | Yes | Yes | No |
| DNS, DHCP and IPAM (DDI) | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| IPAM | Yes | Yes | Yes | Yes |
| IP Blocks | Yes | Yes | Yes | Yes |
| IP Subnets | Yes | Yes | Yes | Yes |
| IP Pools | Yes | Yes | Yes | Yes |
| IPv4 DHCP Server | Yes | Yes | Yes | Yes |
| IPv6 DHCP Server | No | Yes | Yes | No |
| IPv4 DHCP Relay | Yes | Yes | Yes | Yes |
| IPv6 DHCP Relay | No | Yes | Yes | No |
| IPv4 DHCP Static Bindings / Fixed Addresses | Yes | Yes | Yes | Yes |
| IPv6 DHCP Static Bindings / Fixed Addresses | No | Yes | Yes | No |
| IPv4 DNS Relay / DNS Proxy | Yes | Yes | Yes | Yes |
| IPv4 Meta-Data Proxy | Yes | Yes | Yes | No |
Distributed Security
| Feature | NSX-T Editions | |||
|---|---|---|---|---|
|
Distributed Firewall |
Professional |
Advanced |
Enterprise Plus |
Remote Office / Branch Office |
| Distributed Firewall for NSX Switchports | Yes | Yes | Yes | Yes |
| Distributed Firewall for VDS Switchports | Yes | Yes | Yes | Yes |
| Stateful L2 and L3 Rules | Yes | Yes | Yes | Yes |
| Stateless L2 and L3 Rules | Yes | Yes | Yes | Yes |
| Distributed FQDN Filtering | No | Yes | Yes | No |
| Basic L7 Application Identification Rules | No | Yes | Yes | Yes |
| Advanced L7 Application Identification Rules | No | No | No | No |
| Distributed Flood Protection | Yes | Yes | Yes | Yes |
| Agent-Based enforcement for Physical Servers | Yes | Yes | Yes | Yes |
| User Identity Firewall | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Distributed Identity Firewall using Guest Introspection | No | Yes | Yes | No |
| Distributed Identity Firewall using Active Directory Event Server | No | Yes | Yes | No |
| Distributed Identity Firewall using third-party log sources | No | No | No | No |
| NSX Distributed Threat Prevention7 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Distributed Intrusion Detection Service (IDS) | No | Requires additional license7 | Requires additional license7 | No |
| Distributed Behavioral IDS | No | Requires additional license7 | Requires additional license7 | No |
| Distributed Intrusion Prevention Service (IPS) | No | Requires additional license7 | Requires additional license7 | No |
| NSX Distributed Advanced Threat Prevention9 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Distributed Malware Detection and Prevention | No | No | No | No |
| Cloud Sandboxing and Artifact Analysis10 | No | No | No | No |
| Distributed IDS Event Forwarding to NDR | No | No | No | No |
| Distributed Service Insertion Integrations | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Distributed Endpoint Protection | No | Yes | Yes | No |
| Distributed Network Introspection | No | Yes | Yes | No |
| Policy, Tagging and Grouping | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Object Tagging / Security Tags | Yes | Yes | Yes | Yes |
| Network Centric Grouping | Yes | Yes | Yes | Yes |
| Workload Centric Grouping | Yes | Yes | Yes | Yes |
| IP Based Groups | Yes | Yes | Yes | Yes |
| MAC Based Groups | Yes | Yes | Yes | Yes |
| Tag Based Rules | Yes | Yes | Yes | Yes |
| Firewall Operations | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Firewall Logging | Yes | Yes | Yes | Yes |
| Distributed Firewall based IPFIX | Yes | Yes | Yes | Yes |
| Rule Hit Count, Popularity Index, Flow Statistics | Yes | Yes | Yes | Yes |
| Firewall Drafts | Yes | Yes | Yes | Yes |
Gateway Security
| NSX-T Editions | ||||
|---|---|---|---|---|
|
Feature |
Professional |
Advanced |
Enterprise Plus |
Remote Office / Branch Office |
| Stateful L3 Rules | Yes | Yes | Yes | Yes |
| Stateless L3 Rules | Yes | Yes | Yes | Yes |
| Basic L7 Application Identification Rules | No | Yes | Yes | Yes |
| Advanced L7 Application Identification Rules | No | No | No | No |
| URL Filtering | No | No | No | No |
| Gateway Flood Protection | Yes | Yes | Yes | Yes |
| Identity Firewall | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Gateway Identity Firewall using Active Directory Event Server | No | No | No | No |
| Gateway Identity Firewall using third-party log sources | No | No | No | No |
| NSX Gateway Threat Prevention7 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Gateway TLS Decryption | No | No | No | No |
| Gateway Intrusion Detection Service (IDS) - Behavioral | No | No | No | No |
| Gateway Intrusion Prevention Service (IPS) | No | No | No | No |
| NSX Gateway Advanced Threat Prevention7 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Malware Detection | No | No | No | No |
| Cloud Sandboxing and Artifact Analysis10 | No | No | No | No |
| NAT | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| NAT on North/South and East/West Logical Routers | Yes | Yes | Yes | Yes |
| Source NAT | Yes | Yes | Yes | Yes |
| Destination NAT | Yes | Yes | Yes | Yes |
| NAT N:N | Yes | Yes | Yes | Yes |
| Stateless NAT | Yes | Yes | Yes | Yes |
| NAT Logging | Yes | Yes | Yes | Yes |
| NAT64 | No | Yes | Yes | No |
| Active/Active NAT Services | No | No | No | No |
| VPN | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| L2 VPN | Yes | Yes | Yes | Yes |
| Active / Standby L3 VPN | Yes | Yes | Yes | Yes |
| Gateway Service Insertion Integrations | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Gateway Network Introspection | Yes | Yes | Yes | Yes |
| Gateway Firewall High Availability11 | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Active/Standby Gateway Firewall Services (Firewall, NAT, IDS/IPS, VPN, Malware Detection) | Yes | Yes | Yes | Yes |
| Policy, Tagging and Grouping | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Object Tagging / Security Tags | Yes | Yes | Yes | Yes |
| Network Centric Grouping | Yes | Yes | Yes | Yes |
| Workload Centric Grouping | Yes | Yes | Yes | Yes |
| IP Based Groups | Yes | Yes | Yes | Yes |
| Tag Based Rules | Yes | Yes | Yes | Yes |
| Per-Gateway and Multi-Gateway Policy Management | Yes | Yes | Yes | Yes |
| Gateway Firewall Operations | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Firewall Logging | Yes | Yes | Yes | Yes |
| Rule Hit Count, Popularity Index, Flow Statistics | Yes | Yes | Yes | Yes |
NSX Intelligence
| NSX-T Editions | ||||
|---|---|---|---|---|
| Feature | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Layer 4 VM-to-VM Traffic Flow Analysis | No | No | Yes | No |
| Layer 4 Firewall Visibility | No | No | Yes | No |
| Layer 4 Automated Security Policy | No | No | Yes | No |
| Layer 4 Rule and Group Recommendation Analytics | No | No | Yes | No |
| Network Traffic Analytics | No | No | No | No |
Load Balancing8
| Feature | NSX-T Editions | |||
|---|---|---|---|---|
| Protocols | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| TCP (L4-L7) | No | Yes | Yes | Yes |
| UDP | No | Yes | Yes | Yes |
| HTTP | No | Yes | Yes | Yes |
| Load Balancing Methods | ||||
| Round Robin | No | Yes | Yes | Yes |
| Source IP Hash | No | Yes | Yes | Yes |
| Least Connections | No | Yes | Yes | Yes |
| L7 Application Rules with RegEx Support | No | Yes | Yes | Yes |
| Health Checks | ||||
| TCP | No | Yes | Yes | Yes |
| ICMP | No | Yes | Yes | Yes |
| UDP | No | Yes | Yes | Yes |
| HTTP | No | Yes | Yes | Yes |
| HTTPS | No | Yes | Yes | Yes |
| Monitoring | ||||
| View VIP / Pool / Server Objects | No | Yes | Yes | Yes |
| View VIP / Pool / Server Statistics | No | Yes | Yes | Yes |
| View Global Statistics VIP Sessions | No | Yes | Yes | Yes |
| Load Balancing Automation | ||||
| Pool Members Based on vCenter Context or IP Addresses | No | Yes | Yes | Yes |
| Other | ||||
| Connection Throttling | No | Yes | Yes | Yes |
| High-Availability | No | Yes | Yes | Yes |
NSX Cloud for AWS and Azure
| Feature | NSX-T Editions | |||
|---|---|---|---|---|
| Professional | Advanced | Enterprise Plus | Remote Office / Branch Office | |
| NSX on-prem license portability for Public Cloud workloads | No | Yes | Yes | Yes |
| NSX Enforced Mode (Agent-Based Cloud Security) | Yes | Yes | Yes | Yes |
| Distributed Identity Firewall using Active Directory Event Server | No | Yes | Yes | No |
| Cloud Enforced Mode (Agentless Based Cloud Security) | Yes | Yes | Yes | Yes |
| L7 Security Features (Basic L7 Application Identification Rules) | Yes | Yes | Yes | Yes |
| Advanced Security capabilities in Public Cloud Gateway | No | No | No | No |
| VPN (on-prem to public cloud; public cloud - public cloud; intra public cloud) | Yes | Yes | Yes | Yes |
| Support for AWS Gov Cloud and Azure Government Cloud workloads | Yes | Yes | Yes | Yes |
Modern Apps
| Feature | NSX-T Editions | |||
|---|---|---|---|---|
| Professional | Advanced | Enterprise Plus | Remote Office / Branch Office | |
|
Container Networking and Security |
No | Yes | Yes | No |
| VMware Container Networking with Project Antrea Enterprise | No | Yes | Yes | No |
Automation
| Feature | NSX-T Editions | |||
|---|---|---|---|---|
| API Driven Automation | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| REST API | Yes | Yes | Yes | Yes |
| Hierarchical Policy API | Yes | Yes | Yes | Yes |
| JSON Support | Yes | Yes | Yes | Yes |
| OpenAPI / Swagger Spec | Yes | Yes | Yes | Yes |
| Java SDK | Yes | Yes | Yes | Yes |
| Python SDK | Yes | Yes | Yes | Yes |
| Auto-generated API Documentation | Yes | Yes | Yes | Yes |
| Terraform Provider6 | Yes | Yes | Yes | Yes |
| Ansible Modules6 | Yes | Yes | Yes | Yes |
| Integration with Cloud Management Platforms | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Integration with vRealize Automation1,6 | No | Yes | Yes | No |
| Integration with vCloud Director1,6 | Yes | Yes | Yes | No |
| Integration with VMware Integrated OpenStack1,6 | Yes | Yes | Yes | No |
| Integration with other OpenStack Platform3,6 | Yes | Yes | Yes | No |
Platform
| Feature | NSX-T Editions | |||
|---|---|---|---|---|
| Platform Features | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| ESXi Support1 | Yes | Yes | Yes | Yes |
| KVM Support2 | Yes | Yes | Yes | No |
| Controller Clustering | Yes | Yes | Yes | Yes |
| vCenter Integration1 | Yes | Yes | Yes | Yes |
| Multi-vCenter® Networking and Security | No | Yes | Yes | No |
| Federation | No | No | Yes | No |
| Edge Platform Features | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Edge in VM Form Factor | Yes | Yes | Yes | Yes |
| Edge in Bare-Metal Form Factor for Routing | Yes | Yes | Yes | No |
| Edge in Bare-Metal Form Factor for Gateway Firewall | No | No | Subscription Only | No |
| DPDK Optimized Forwarding | Yes | Yes | Yes | Yes |
| Authentication and Authorization | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Authentication using Workspace ONE Access1,5 | Yes | Yes | Yes | Yes |
| Direct Active Directory Integration via LDAP | Yes | Yes | Yes | Yes |
| Authentication via OpenLDAP | Yes | Yes | Yes | Yes |
| Session Based Authentication | Yes | Yes | Yes | Yes |
| Certificate Based Authentication (Principle Identity) | Yes | Yes | Yes | Yes |
| Role Based Access Control | Yes | Yes | Yes | Yes |
| Log Management | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| vRealize Log Insight Integration1,4 | Yes | Yes | Yes | Yes |
| Splunk Integration2 | Yes | Yes | Yes | Yes |
| Installation | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Automated Manager Deployment | Yes | Yes | Yes | Yes |
| Manual Manager Deployment | Yes | Yes | Yes | Yes |
| Automated Edge Deployment | Yes | Yes | Yes | Yes |
| Manual Edge Deployment | Yes | Yes | Yes | Yes |
| Automated Host Preparation by Cluster | Yes | Yes | Yes | Yes |
| Operations | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Port Mirroring | Yes | Yes | Yes | Yes |
| Traceflow | Yes | Yes | Yes | Yes |
| NSX Live Traffic Analysis | Yes | Yes | Yes | Yes |
| Tunnel Health Monitoring | Yes | Yes | Yes | No |
| Port Connectivity Tool | Yes | Yes | Yes | No |
| Switch Based IPFIX | Yes | Yes | Yes | Yes |
| LLDP | Yes | Yes | Yes | Yes |
| Automated Technical Support Bundles | Yes | Yes | Yes | Yes |
| Packet Capture | Yes | Yes | Yes | Yes |
| Backup and Restore | Yes | Yes | Yes | Yes |
| SNMP v1/v2/v3 with Traps | Yes | Yes | Yes | Yes |
| Time-Series Metrics | No | No | Subscription Only | No |
| Upgrades and Migrations | Professional | Advanced | Enterprise Plus | Remote Office / Branch Office |
| Upgrade Coordinator | Yes | Yes | Yes | Yes |
| NSX for vSphere to NSX-T Migration Coordinator | Yes | Yes | Yes | Yes |
| NSX Manager to Policy Promotion | Yes | Yes | Yes | Yes |
Notes:
1 Please refer to the VMware Product Interoperability Matrices for specific versions supported with NSX-T Data Center.
2 Please refer to the NSX-T Data Center release notes for specific versions.
3 Please refer to the NSX-T Data Center partner website for specific versions.
4 VMware vRealize Log Insight for NSX provides intelligent log analytics for NSX Data Center. Log Insight provides monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis, and alerts. VMware vRealize Log Insight version 3.3.2 and later accepts NSX Data Center Standard/ProfessionalAdvanced/Enterprise Plus edition license keys issued for NSX-T 1.0.0 and later. This means you will have an enterprise-level Log Insight license for every license of NSX Data Center.
5 VMware Workspace ONE Access - A license to use VMware NSX Data Center includes an entitlement to use the VMware Workspace ONE Access feature, but only for the following functionalities:
- Directory integration functionality of VMware Workspace ONE Access to authenticate users in a user directory such as Microsoft Active Directory or LDAP.
- Conditional access policy.
- Single-sign-on integration functionality with third party Identity providers to allow third party identity providers’ users to single-sign-on into NSX Data Center.
- Two-factor authentication solution through integration with third party systems. VMware Verify, VMware’s multi-factor authentication solution, received as part of VMware Workspace ONE Access may not be used as part of NSX Data Center.
- Single-sign-on functionality to access VMware products that support single-sign-on capabilities.
6 Integration with automation tools such as vRealize Automation, vCloud Director, VMware Integrated OpenStack, and other OpenStack distributions, Ansible, and Terraform is available for all editions of NSX, however, you must have the appropriate NSX edition for the feature which is automated by these tools. For example automation of load balancing from Terraform or OpenStack requires NSX Data Center Advanced, Enterprise Plus, or ROBO.
7 NSX Distributed Threat Prevention requires an additional subscription-based purchase.
8 Both IPv4 and IPv6 are supported for all Load Balancing features except for IPv6-VIP-to-IPv4-member and IPv4-VIP-to-IPv6-member translations.
9 Customers who have purchased the legacy NSX editions can apply their licenses to NSX-T Data Center.
10 Requires VDS 7.0 or higher
11 Migration Coordinator will migrate the deployment in NSX for vSphere and the features used in NSX-T. It is the responsibility of the customer to ensure the version of NSX-T allows the use of those features.
12 Network Detection and Response supports event and artifact submission from Distributed Firewall only. It is a hosted service running from various VMware Regions.
13 A single sensor socket entitles up to 250 artifact submissions per day with a maximum artifact size of 64MB.
14 Subject to Gateway Firewall features available in that specific SKU. Please refer to Product offerings for NSX-T 3.2 Security.
15 Please refer to NSX Security Features covered in Product offerings for NSX-T 3.2 Security
Additional Information
For Product offerings for VMware NSX-T Data Center 4.0.x, refer to NSX Feature and Edition Guide.
Feedback
Yes
No
Powered by
