Last week VMware released NSX-v 6.2.3 Build 3979471, and it’s anything but your standard point release. Running through the list of the release notes, this could easily have been a major dot release. In good news for vCloud Air Network Service Providers, there have been some major enhancements to the Edge Services Gateways which add availability and protocol enhancements as well as general stability through bug fixes and security updates.
There has also been additional management and monitoring built into the Web Client, along with other UI enhancements. The new licensing features, as previously discussed in this post, have come into effect as of this build, so you will now see the license type and the number of licenses used for VXLAN and DFW in the Web Client under NSX Managers -> Summary.
As this is a big release I am going to filter through the release notes, pick the best features and fixes as they pertain to Service Providers, and highlight the ones that I feel improve the ability of SPs to deliver strong networking services based on NSX-v as part of their service offerings.
Web Client Additions:
As mentioned above, there have been a few UI enhancements in the 6.2.3 release, including a new NSX Dashboard (shown below) that provides visibility into the overall health of NSX components in one view, Traceflow enhancements for Network Introspection Services, and a Firewall rules UI that now displays the configured IP protocols and TCP/UDP port numbers associated with services.
Going through the upgrade from previous NSX versions I noticed a few other UI additions. Once the Controllers are upgraded you can now see Disk Latency of each controller disk. The Controllers are extremely disk sensitive so it’s good to see this worked into the UI.
In addition to that, new installations of NSX 6.2.3 will deploy NSX Controllers with updated disk partitions to provide extra cluster resiliency. Previously, log overflow on the controller disk might impact controller stability. If you upgrade to NSX 6.2.3 the Controllers will retain their original disk layout.
I also noticed a Channel Health option in the Host Preparation tab that shows the status of the NSX host agents, and there are some other UI additions letting you modify the UUID of the NSX instance and modify the VXLAN port, which can be done under Logical Network Preparation -> VXLAN Transport.
NSX Edge Service Gateway Changes:
As mentioned, there have been a number of enhancements to the NSX ESGs which have further added to the maturity of the Edge appliance and make it even more attractive for use with vCloud Director offering Hybrid Networking solutions…or just as a web frontend for key internet services. IS-IS has been removed as a routing protocol option under dynamic routing as support has been pulled. TLS 1.0 has been deprecated and there have been some cipher support changes for IPsec, SSL VPN and L2 VPN.
- New Edge DHCP Options: DHCP Option 121 supports static route option, which is used for DHCP server to publish static routes to DHCP client; DHCP Options 66, 67, 150 supports DHCP options for PXE Boot; and DHCP Option 26 supports configuration of DHCP client network interface MTU by DHCP server.
- Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.
- Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. The feature is disabled by default; use the NSX REST API to enable it.
- NSX Edge — Resource Reservation: Reserves CPU/Memory for NSX Edge during creation. An admin user can modify the CPU/Memory settings after NSX Edge deployment using the REST API to configure VM appliances.
- Change in NSX Edge Upgrade Behavior: Replacement NSX Edge VMs are deployed before upgrade or redeploy. The host must have sufficient resources for four NSX Edge VMs during the upgrade or redeploy of an Edge HA pair. Default value for TCP connection timeout is changed to 21600 seconds from the previous value of 3600 seconds.
- Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.
- Maximum number of NAT rules: For NSX Edge versions prior to 6.2, a user could configure 2048 SNAT and 2048 DNAT rules separately, giving a total limit of 4096 rules. Since NSX Edge version 6.2 onwards, a limit is enforced for the maximum allowed NAT rules, based on the NSX Edge appliance size: 1024 SNAT and 1024 DNAT rules for a total limit of 2048 rules for COMPACT edge. 2048 SNAT and 2048 DNAT for a total limit of 4096 rules for LARGE edge and QUADLARGE edge. 4096 SNAT and 4096 DNAT rules for a total limit of 8192 rules for XLARGE edge.
- Logging is now enabled by default for SSL VPN and L2 VPN. The default log level is notice.
- NSX Edge technical support logs have been enhanced to report memory consumption per process.
Other Key Features and Additions:
- NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network
- New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472. See the NSX Upgrade Guide for details.
- Firewall — Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.
- Guest Introspection — Windows 10 support
- SSL VPN Client — Mac OS El Capitan support
- Service Composer — Performance Improvements: enables faster startup/reboot of NSX Manager by optimizing synchronization between security policy and firewall service, and disabling auto-save of firewall drafts by default
- VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+
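The VXLAN port change above is the item most likely to bite during an upgrade: any physical firewall or ACL between VTEPs that only permits UDP 8472 will silently black-hole overlay traffic once hosts move to 4789. The following is an added example (not code from the post or from VMware) that parses Ethernet/IPv4/UDP/VXLAN frames, classifies each as legacy (8472) or IANA (4789) port traffic and extracts the VNI, so a capture taken during or after the migration can be checked for stragglers. It assumes only the standard VXLAN header layout (RFC 7348); the frames it processes are constructed inline.

```python
import struct
from typing import Optional

LEGACY_VXLAN_PORT = 8472   # NSX-v default before 6.2.3
IANA_VXLAN_PORT = 4789     # NSX-v 6.2.3+ default (IANA-assigned)


def parse_vxlan(frame: bytes) -> Optional[dict]:
    """Return {'dst_port', 'vni', 'legacy'} for an Ethernet/IPv4/UDP/VXLAN frame, else None."""
    if len(frame) < 14 + 20 + 8 + 8:          # Ethernet + min IPv4 + UDP + VXLAN headers
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                           # protocol must be UDP
        return None
    udp = ip[ihl:]
    _src, dst_port, _length = struct.unpack("!HHH", udp[:6])
    if dst_port not in (LEGACY_VXLAN_PORT, IANA_VXLAN_PORT):
        return None
    vx = udp[8:16]
    if len(vx) < 8 or not (vx[0] & 0x08):     # I flag must be set for the VNI to be valid
        return None
    vni = int.from_bytes(vx[4:7], "big")      # 24-bit VNI
    return {"dst_port": dst_port, "vni": vni, "legacy": dst_port == LEGACY_VXLAN_PORT}


def build_frame(dst_port: int, vni: int, inner: bytes = b"") -> bytes:
    """Constructed sample frame (not captured traffic) for exercising parse_vxlan."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 50000, dst_port, 8 + len(vxlan) + len(inner), 0) + vxlan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    return eth + ip


def summarize(frames):
    """Count frames per VXLAN port and collect the VNIs seen; 'other' is non-VXLAN traffic."""
    counts = {"legacy_8472": 0, "iana_4789": 0, "other": 0}
    vnis = set()
    for f in frames:
        r = parse_vxlan(f)
        if r is None:
            counts["other"] += 1
            continue
        counts["legacy_8472" if r["legacy"] else "iana_4789"] += 1
        vnis.add(r["vni"])
    return counts, sorted(vnis)
```

Any non-zero `legacy_8472` count after the cut-over means a host is still on the old port and the inter-VTEP firewall rules must allow both until it is fixed.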
Upgrade Notes – RTFM:
In the release notes there is a detailed section on the upgrade and interoperability of this version of NSX with other key VMware components. It’s important to read it to avoid a poor experience during the upgrade.
There are a large number of Resolved Issues which can be found in the release notes…below are the ones relating to Service Providers running Edge Services Gateways.
- Extended HA failover times for Edge Services Gateway (ESG) or DLR with Edge VM when using only static routes
- NAT does not translate IP addresses when NSX Edge firewall is disabled
- vCenter 6.0 restart/reboot may result in duplicate VTEPs on VXLAN prepared ESX hosts
- After upgrading the NSX Edge from 6.1.x to 6.2.x, the NSX Manager vsm.log shows “INVALID DHCP CONFIG”
- Unexpected TCP interruption on TCP sessions during Edge High Availability (HA) failover in NSX 6.2.x
NSX Design Guide v3:
Overall a huge release for NSX-v. If you have the right entitlements you can login to MyVMware and download the binaries.