Upgrade/Migrate from VMWare vCNS / vShield Manager 5.x to NSX 6.2.x – Methodology and Steps
Agent less antivirus is a big boon for IT admins as this simplifies most of the work by achieving the necessary compliance. Many organizations has implemented vShield to protect the virtual machines. NSX is a great product introduced by VMWare which has replaced vShield. However many organizations are still using vShield and not even aware of upgrading to NSX. This post will cover the detailed methodology and steps of upgrading from vCNS / vShield Manager 5.x to VMWare NSX.
NSX is a network & security virtualization platform for SDDC, providing great Network & Security capabilities to secure the data center. The beauty of NSX is that it has lots of capabilities in built , however NSX can be integrated with almost all the major Anti Virus and Security vendors. Complete list of all the supported technology vendors can be found here.
Direct upgrade from vShield Manager 5.5 to NSX Manager 6.2.x is supported . If you have a prior version of vShield Manager in your infrastructure, you must first upgrade to version vShield Manager 5.5 and then to NSX Manager 6.2.x
Other NSX Posts:
VMWare NSX Manager 6.7 Installation and Initial Configuration
VMWare NSX 6.7 Micro-Segmentation Configuration steps
Contents of the Post
NSX Editions & Offerings
- Standard Edition: For organizations that need agility and automation of the network.
- Professional Edition: For organizations that need Standard, plus micro-segmentation. They may have public cloud endpoints.
- Advanced Edition: For organizations that need Professional, plus advanced networking and security services and integration with a broad ecosystem. They may have multiple sites.
- Enterprise Plus Edition: For organizations that need the most advanced capabilities of NSX Data Center, plus vRealize Network Insight for network visibility and security operations, and NSX Hybrid Connect for hybrid cloud mobility.
- Remote Branch Office Edition: For organizations that need to virtualize networking and security for applications in the remote office or branch office.
Prerequisites
• vSphere Support:
• vCenter 5.5: All features supported
• vCenter 5.1: Not supported (due to NSX dependency on NGC server 5.5 which is not supported on vCenter 5.1)
• ESXi 5.5: All features supported
• ESXi 5.1: Subset of features supported, except:
• Controller based VXLAN
• VXLAN Teaming enhancements
• DLR and L2 Bridging
• Identity Firewall and Activity Monitoring
• ESXi 5.0: Only NSX Edge, Endpoint, and Data Security are supported
Pre-Upgrade Steps:
1. Verify that vCNS is at least version 5.5.4.1
2. Check you are running one of the following recommended builds vSphere 5.5U3 or vSphere 6.0U2
3. Verify that all required ports are open
4. Verify that your vSphere environment has sufficient resource for the below components (Not all components will be applicable)
5. Verify that all your applicable vSphere clusters have sufficient resource to allow DRS to migrate running workloads during the host preparation stage (n+1).
6. Ensure that forward and reverse DNS, NTP as well as Lookup Service is working.
7. If any vShield Endpoint partner services are deployed, verify compatibility before upgrading:
• Consult the VMware Compatibility Guide for Networking and Security.
• Consult the partner documentation for compatibility and upgrade details
8. If you have Data Security in your environment, uninstall it before upgrading vShield Manager.
9. Check all running edges are on the same latest version as the vShield Manager i.e. 5.5.4.3
10. Verify that the vShield Manager vNIC adaptor is VMXNET3.this should be the case if running vShield Manager version 5.5.4.1 however the e1000 vNIC may have been retained if you have previously upgraded the vShield Manager. In order to replace the vNIC follow the steps in KB 2114813.
11. Increase the vShield Manager memory to 16GB.
12. Verify that you have a current backup of the vShield Manager, vCenter and other vCloud Networking and Security components. See Appendix B for the necessary steps to accomplish this.
13. Purge old logs from the vShield Manager “Purge log Manager” and “purge log system”
14. Take a snapshot of the vShield Manager, including its virtual memory.
15. Take a backup of the vDS
16. Create a Tech Support Bundle.
17. Record Segment ID’s and Multicast address ranges in use
18. Increase the memory on the vShield Manager to 16GB and 4 vCPU.
19. Ensure that forward and reverse domain name resolution is working, using the nslookup command.
20. If VUM is in use in the environment, ensure that the bypassVumEnabled flag is set to true in vCenter. This setting configures the EAM to install the VIBs directly to the ESXi hosts even when the VUM is installed and/or not available.
21. Download and stage the upgrade bundle, validate with md5sum.
22. Do not power down or delete any vCloud Networking and Security components or appliances before instructed to do so.
23. VMware recommends to do the upgrade work in a maintenance window as defined by your company.
vShield Manager Upgrade Steps
1. Backup to FTP upgraded vCNS and shut-down VM
2. Check Snapshot has been taken of vShield Manager
3. Check Support Bundle has been taken
4. Shutdown vShield Manager and check the appliance has 4 vCPU’s and 16GB of memory.
5. Power on vShield Manager
6. Upload vShield-NSX Upgrade, apply and reboot (upgrade file size is 2.4G!)
7. Check you can login to NSX Manager A once the upgrade has completed
8. You may need to restart the VC Web Client in order to see the plugin in the vSphere Web Client
9. Check SSO single sign-on in NSX Manager configuration. May need to re-register
10. Configure Segment ID’s and Multicast Address (Recorded from vShield Manager)
11. Configure backup to FTP location – take backup of NSX Manager A
12. Create Snapshot on NSX Manager A
13. Shutdown NSX Manager A
14. Deploy new NSX Manager B from OVF with same IP as A
15. Restore FTP Backup from NSX Manager A
16. Check vCenter Registration and NSX Manager Login
17. Check NSX Manager for list of Edges, Logical Switches
Once happy connectivity is functioning continue with the upgrade
Upgrading to NSX
Host Upgrade Steps
1. Place DRS in to manual mode (Do not disable DRS)
2. Click Networking & Security and then click Installation.
3. Click the Host Preparation tab.
All clusters in your infrastructure are displayed.
4. For each cluster, click Update or Install in the Installation Status column.
Each host in the cluster receives the new logical switch software.
The host upgrade initiates a host scan. The old VIBs are removed (though they are not completely deleted until after the reboot). New VIBs are installed on the altboot partition. To view the new VIBs on a host that has not yet rebooted, you can run the esxcli software vib list –rebooting-image | grep esx command.
5. Monitor the installation until the Installation Status column displays a green check mark
6. After manually evacuating the hosts, select the cluster and click the Resolve action. The Resolve action attempts to complete the upgrade and reboot all hosts in the cluster. If the host reboot fails for any reason, the Resolve action halts. Check the hosts in the Hosts and Clusters view, make sure the hosts are powered on, connected, and contain no running VMs. Then retry the Resolve action.
7. You may have to repeat the above process for each host.
8. You can confirm connectivity by performing the following checks
a. Verify that VXLAN segments are functional. Make sure to set the packet size correctly and include the don’t fragment bit.
b. Ping between two VMs that are on same virtual wire but on two different hosts (one host that has been upgraded and one host that has not)
i. From a Windows VM: ping -l 1472 –f <dest VM>
ii. From a Linux VM: ping -s 1472 –M do <dest VM>
c. Ping between two hosts’ VTEP interfaces.
i. ping ++netstack=vxlan -d -s 1572 <dest VTEP IP>
9. All virtual wires from your 5.5 infrastructure are renamed to NSX logical switches, and the VXLAN column for the cluster says Enabled.
vShield Edge to NSX Edge Upgrade Steps
1. In the vSphere Web Client, select Networking & Security > NSX Edges.
2. For each NSX Edge instance, double click the edge and check for the following configuration settings before upgrading
a. Click Manage > VPN > L2 VPN and check if L2 VPN is enabled. If it is, take note of the configuration details and then delete all L2 VPN configuration
b. Click Manage > Routing > Static Routes and check if any static routes are missing a next hop setting. If they are, add the next hop before upgrading the NSX Edge
3. For each NSX Edge instance, select Upgrade Version from the Actions menu
If the upgrade fails with the error message “Failed to deploy edge appliance,” make sure that the host on which the NSX edge appliance is deployed is connected and not in maintenance mode.
4. After the NSX Edge is upgraded successfully, the Status is Deployed, and the Version column displays the new NSX version
5. If an Edge fails to upgrade and does not rollback to the old version, click the Redeploy NSX Edge icon and then retry the upgrade
vShield Endpoint to NSX Guest Introspection
1. In the Installation tab, click Service Deployments.
The Installation Status column says Upgrade Available.
2. Select the Guest Introspection deployment that you want to upgrade.
The Upgrade () icon in the toolbar above the services table is enabled.
3. Click the Upgrade () icon and follow the UI prompts.
After Guest Introspection is upgraded, the installation status is Succeeded and service status is Up. Guest Introspection service virtual machines are visible in the vCenter Server inventory.
Other NSX Posts:
VMWare NSX Manager 6.7 Installation and Initial Configuration
VMWare NSX 6.7 Micro-Segmentation Configuration steps
Hope this post is useful, please leave your feedback and comments.