VMware releases NSX 6.3.0!!!

In the first week of February 2017 we got a major release, NSX 6.3.0, with many new features and fixes.

Some sites I recommend reading:

Release notes
Our VMware Guru
Network Virtualization Blog, introduction to NSX 6.3 and NSX-T 1.1
NSX 6.3 documentation
Download address for NSX for vSphere 6.3.0

The new features are listed below:

Platform and Compliance Features

  • On the Platform side:
    • Controller Disconnected Operation (CDO) mode: A new feature called Controller Disconnected Operation (CDO) mode has been introduced. This mode ensures that data plane connectivity is unaffected when hosts lose connectivity with the controller. See the section Controller Disconnected Operation (CDO) Mode in the NSX Administration Guide.
    • Cross-vCenter NSX Active-Standby DFW Enhancements: NSX 6.3.0 has the following enhancements:
      • Multiple Universal DFW sections are now supported. Both Universal and Local rules can consume Universal security groups in Source, Destination, and AppliedTo fields.
      • Universal Security Groups: Universal Security Group membership can be defined in a static or dynamic manner. Static membership is achieved by manually adding a universal security tag to each VM. Dynamic membership is achieved by adding VMs as members based on dynamic criteria (VM name).
      • Universal Security Tags: You can now define Universal Security tags on the primary NSX Manager and mark for universal synchronization with secondary NSX Managers. Universal Security tags can be assigned to VMs statically, based on unique ID selection, or dynamically, in response to criteria such as antivirus or vulnerability scans.
      • Unique ID Selection Criteria: In earlier releases of NSX, security tags are local to a NSX Manager, and are mapped to VMs using the VM’s managed object ID. In an active-standby environment, the managed object ID for a given VM might not be the same in the active and standby datacenters. NSX 6.3.x allows you to configure a Unique ID Selection Criteria on the primary NSX Manager to use to identify VMs when attaching to universal security tags: VM instance UUID, VM BIOS UUID, VM name, or a combination of these options. See Unique ID Selection in the NSX Administration Guide for more information.
    • Control Plane Agent (netcpa) Auto-recovery: An enhanced auto-recovery mechanism for the netcpa process ensures continuous data path communication. The automatic netcpa monitoring process also auto-restarts in case of any problems and provides alerts through the syslog server. A summary of benefits:
      • automatic netcpa process monitoring
      • process auto-restart in case of problems, for example, if the system hangs
      • automatic core file generation for debugging
      • alert via syslog of the automatic restart event
    • vSphere 6.5 Compatibility: NSX 6.3.0 introduces support for vSphere 6.5a and later. NSX 6.3.0 retains compatibility with vSphere 5.5 and 6.0.
  • Compliance features:
    • FIPS: NSX 6.3.0 has a FIPS mode that uses only those cipher suites that comply with FIPS and Common Criteria standards. NSX Manager has a FIPS Mode that can be enabled via an NSX REST API call. VMware development partners are undergoing certification of new, FIPS-compliant partner solutions for use in NSX. Consult your partner documentation for details.
    • Common Criteria: For Common Criteria compliance, NSX has been tested for compliance with the EAL2+ level of assurance. Running a Common Criteria-compliant NSX installation requires that you configure NSX as explained in the document Configuring NSX for Common Criteria, part of the NSX Administration Guide.
    • ICSA: This is an industry-wide accepted standard certification which tests and certifies products including anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware, and PC firewall products. Both Distributed Firewall and Edge Firewall are certified against ICSA Corporate Firewall criteria.
    • Change in DFW packet log format due to ICSA certification requirement: NSX 6.3.0 introduces a change to the DFW packet logs. In 6.3.0 and later, we include the ICMP type and code to satisfy ICSA certification requirements. This is how the pre-6.3.0 log looked, without ICMP code and type:

      2016-09-29T20:52:21.983Z 6673 INET6 match PASS domain-c27/1001 IN 96 ICMP fe80:0:0:0:21d:b502:f984:c601->ff02:0:0:0:0:0:0:1

      In 6.3.0 and later, it looks like the following with ICMP code and type. In this example, 8 is the code and 0 is the type:

      2016-09-29T20:54:16.051Z 42991 INET match PASS domain-c27/1001 IN 84 ICMP 8 0 10.113.226.5->10.28.79.55
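Because the extra ICMP fields shift the position of the address pair, a log pipeline written for the old layout can break after the upgrade. The parser below is an added example (not from the release notes or from VMware) that accepts both layouts; the sample lines are constructed from the two shown above, and the field names other than the values visible in those lines (ident, rule_id, etc.) are my own labels.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines, reproducing the two layouts shown in the release note.
PRE_630_LINE = ("2016-09-29T20:52:21.983Z 6673 INET6 match PASS domain-c27/1001 IN 96 ICMP "
                "fe80:0:0:0:21d:b502:f984:c601->ff02:0:0:0:0:0:0:1")
POST_630_LINE = ("2016-09-29T20:54:16.051Z 42991 INET match PASS domain-c27/1001 IN 84 ICMP "
                 "8 0 10.113.226.5->10.28.79.55")


@dataclass
class DfwPacketLog:
    timestamp: str
    ident: str                        # second token; the release note does not name it
    family: str                       # INET or INET6
    action: str                       # PASS, DROP, ...
    rule_id: str                      # e.g. domain-c27/1001
    direction: str                    # IN or OUT
    length: int                       # packet length
    protocol: str                     # ICMP, TCP, UDP, ...
    icmp: Optional[Tuple[int, int]]   # the ICMP pair added in 6.3.0, in log order; None before
    src: str
    dst: str


def parse_dfw_packet_log(line: str) -> DfwPacketLog:
    """Parse one DFW packet log line in either the pre-6.3.0 or the 6.3.0+ layout."""
    tokens = line.split()
    if len(tokens) < 10 or "->" not in tokens[-1]:
        raise ValueError(f"not a DFW packet log line: {line!r}")
    src, dst = tokens[-1].split("->", 1)
    # Whatever sits between the protocol (index 8) and the address pair (last token)
    # is the optional ICMP pair: absent before 6.3.0, two integers from 6.3.0 on.
    extra = tokens[9:-1]
    if extra and not (tokens[8] == "ICMP" and len(extra) == 2):
        raise ValueError(f"unexpected fields between protocol and addresses: {extra}")
    icmp = (int(extra[0]), int(extra[1])) if extra else None
    return DfwPacketLog(
        timestamp=tokens[0], ident=tokens[1], family=tokens[2], action=tokens[4],
        rule_id=tokens[5], direction=tokens[6], length=int(tokens[7]),
        protocol=tokens[8], icmp=icmp, src=src, dst=dst,
    )


if __name__ == "__main__":
    for sample in (PRE_630_LINE, POST_630_LINE):
        print(parse_dfw_packet_log(sample))
```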

Operations Enhancements

  • Troubleshooting Dashboard: NSX Dashboard is updated in NSX 6.3.0 to include more features such as service deployment status, NSX Manager backup status, and Edge Appliance notifications.
  • Security Tagging: This allows assigning and clearing multiple tags for a given VM through API calls.
  • Syslog Enhancements: A new syslog update is available specifically for Load Balancer.
  • Log Insight Content Pack: This has been updated for Load Balancer to provide a centralized Dashboard, end-to-end monitoring, and better capacity planning from the user interface (UI).
  • Role-Based Access Control: This feature restricts user management only to Enterprise Administrators, and as a result, the NSX Administrator will no longer have permission to create new users or assign roles to new users. From a security standpoint, this helps in creating a clear demarcation of these two admin roles.
  • Drain state for Load Balancer pool members: You can now put a pool member into Drain state, which forces the server to shut down gracefully for maintenance. Setting a pool member to drain state removes the backend server from load balancing, but still allows the server to accept new, persistent connections.

Service and Routing Enhancements

  • 4-byte ASN support for BGP: BGP configuration with 4-byte ASN support is made available along with backward compatibility for the pre-existing 2-byte ASN BGP peers.
  • NAT enhancement for 5-tuple match: In order to offer more granular configuration and flexibility for NAT rules, a 5-tuple match support is available for NSX 6.3.0:
    • Match criteria is on the basis of five parameters – protocol, source IP, source port, destination IP, and destination port.
    • User interface (UI) changes have been provided to help you more easily specify SNAT/DNAT configurations. When changing DNAT/SNAT configurations on older Edge versions, the UI continues to display the old style of panes.
    • The NSX REST API adds fields for the new parameters:
              <natRules>
                <natRule>
                  {...}
                  <!-- new fields applicable for DNAT -->
                  <dnatMatchSourceAddress>any</dnatMatchSourceAddress>
                  <dnatMatchSourcePort>any</dnatMatchSourcePort>
                </natRule>

                <natRule>
                  {...}
                  <!-- new fields applicable for SNAT -->
                  <snatMatchDestinationAddress>any</snatMatchDestinationAddress>
                  <snatMatchDestinationPort>any</snatMatchDestinationPort>
                </natRule>
              </natRules>

  • Improved Layer 2 VPN performance: Performance for Layer 2 VPN has been improved. This allows a single Edge appliance to support up to 1.5 Gb/s throughput, which is an improvement from the previous 750 Mb/s.
  • Improved Configurability for OSPF: While configuring OSPF on an Edge Services Gateway (ESG), NSSA can translate all Type-7 LSAs to Type-5 LSAs.
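The practical value of the 5-tuple NAT match is that a DNAT rule can now be limited to the source addresses that should reach the translated service instead of matching any source. The following is an added example (not VMware's code) that evaluates a natRule in the 6.3.0 layout against a flow; the dnatMatchSourceAddress and dnatMatchSourcePort elements come from the release note above, while action, protocol, originalAddress, originalPort and translatedAddress are assumed here to stand in for the elided "{...}", and the Flow type is a constructed helper.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed natRule in the 6.3.0 layout. action/protocol/originalAddress/originalPort/
# translatedAddress are assumed here to stand in for the elided "{...}" of the release
# note's example; dnatMatchSourceAddress and dnatMatchSourcePort are the fields new in 6.3.0.
DNAT_RULE_XML = """<natRule>
  <action>dnat</action>
  <protocol>tcp</protocol>
  <originalAddress>203.0.113.10</originalAddress>
  <originalPort>443</originalPort>
  <translatedAddress>10.10.20.5</translatedAddress>
  <dnatMatchSourceAddress>198.51.100.0/24</dnatMatchSourceAddress>
  <dnatMatchSourcePort>any</dnatMatchSourcePort>
</natRule>"""


class Flow(NamedTuple):
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr_matches(pattern: str, ip: str) -> bool:
    # "any" is the wildcard; otherwise accept a single address or a CIDR network.
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def dnat_rule_matches(rule_xml: str, flow: Flow) -> bool:
    """5-tuple DNAT match: protocol + destination (as before 6.3.0) + source (new in 6.3.0)."""
    rule = ET.fromstring(rule_xml)
    def field(tag: str) -> str:
        # A field left out of the rule behaves like the "any" wildcard.
        return (rule.findtext(tag) or "any").strip()
    return (
        field("protocol").lower() == flow.protocol.lower()
        and _addr_matches(field("originalAddress"), flow.dst_ip)
        and _port_matches(field("originalPort"), flow.dst_port)
        and _addr_matches(field("dnatMatchSourceAddress"), flow.src_ip)
        and _port_matches(field("dnatMatchSourcePort"), flow.src_port)
    )
```

With the pre-6.3.0 fields alone the rule would have translated every client hitting 203.0.113.10:443; the source match restricts it to 198.51.100.0/24.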

Security Enhancements

There are several improvements in the Distributed Firewall:

  • DFW timers: NSX 6.3.0 introduces Session Timers that define how long a session is maintained on the firewall after inactivity. When the session timeout for the protocol expires, the session closes. On the firewall, you can define timeouts for TCP, UDP, and ICMP sessions and apply them to a user defined set of VMs or vNICs. See Session Timers in the NSX Administration Guide.
  • New features to support micro-segmentation: To support micro-segmentation in visibility and planning tools, two new features have been introduced:
    • Application Rule Manager simplifies the process of creating security groups and whitelisting firewall rules for existing applications.
    • Endpoint Monitoring allows an application owner to profile their application and identify processes making network connections.
  • Linux support for Guest Introspection: NSX 6.3.0 enables Guest Introspection for Linux VMs. On Linux-based guest VMs, the NSX Guest Introspection feature leverages the fanotify and inotify capabilities provided by the Linux kernel. See Install Guest Introspection for Linux in the NSX Administration Guide for more information. See Minimum Recommended Versions for a list of Linux flavors supported by NSX.
  • Publish Status for Service Composer: Service Composer publish status is now available to check whether a policy is synchronized. This provides increased visibility of security policy translations into DFW rules on the host.

Cloud Management Platform (CMP) and Partner Integration

  • Better interoperability between vCloud Director 8.20 and NSX 6.3.0 helps service providers offer advanced networking and security services to their tenants. vCD 8.20 with NSX 6.3.0 exposes native NSX capabilities supporting multiple tenants and tenant self-service.
  • NSX 6.3.0 supports the new vRO plugin version 1.1, which supports vRA and introduces the ability to support other, non-vRA applications.
  • NSX NetX 6.3.0 provides scale and performance improvements related to service insertion.

Install and Upgrade

  • NSX kernel modules now independent of ESXi version: Starting in NSX 6.3.0, NSX kernel modules use only the publicly available VMKAPI so that the interfaces are guaranteed across releases. This enhancement helps reduce the chance of host upgrades failing due to incorrect kernel module versions. In earlier releases, every ESXi upgrade in an NSX environment required at least two reboots to make sure the NSX functionality continued to work (due to having to push new kernel modules for every new ESXi version).
  • Rebootless upgrade and uninstall on hosts: On vSphere 6.0 and later, once you have upgraded to NSX 6.3.0, any subsequent NSX VIB changes will not require a reboot. Instead, hosts must enter maintenance mode to complete the VIB change. This includes the NSX 6.3.x VIB install that is required after an ESXi upgrade, any NSX 6.3.x VIB uninstall, and future NSX 6.3.0 to NSX 6.3.x upgrades. Upgrading from NSX versions earlier than 6.3.0 to NSX 6.3.x still requires that you reboot hosts to complete the upgrade. Upgrading NSX 6.3.x on vSphere 5.5 still requires that you reboot hosts to complete the upgrade.
  • NSX 6.3.0 also checks for NSX readiness before taking a host out of maintenance mode. This ensures that DRS only moves workloads to a host where NSX is ready. This prevents loss of networking for some workload VMs.
  • OVF Parameters now comma-separated: The following OVF parameters have changed from being space separated to comma separated:
    • DNS Server list (vsm_dns1_0)
    • Domain Search List (vsm_domain_0)
    • NTP Server List (vsm_ntp_0)