VMware NSX 4.0.0.1 Released
VMware has released NSX 4.0.0.1, the first version of the product formerly known as NSX-T Data Center under its new name, NSX. This is a major release with many new features, primarily around IPv6 support and firewall enhancements.
Please read the release notes before upgrading: there are some steps that must be completed beforehand. The link is at the bottom of this post.
What’s new:
- Layer 3 Networking
- IPv6 external-facing Management Plane introduces support for IPv6 communication from external systems to the NSX management cluster (Local Manager only). The NSX Manager now supports dual-stack (IPv4 and IPv6) on the external management interface. IPv6-only deployments are not supported in this release.
- The following external communication and systems are supported:
- Access to NSX User Interface (UI) through IPv6
- Access to NSX API through IPv6
- IPv6 communication with vCenter
- In this release vCenter services and clients using vCenter Extension Manager to communicate with NSX Manager, such as vLCM, WCP and Supervisor Cluster, will be using IPv4 to connect to NSX Manager.
- IPv6 syslog
- IPv6 SNMP
- IPv6 SSH
- IPv6 SFTP (Backup & Restore)
- IPv6 communication with DNS server (name resolution)
- IPv6 communication with NTP server
- IPv6 Cluster VIP
- IPv6 communication with LDAP/AD servers, for user authentication and IDFW
- IPv6 interaction with Operations tools: vRNI, vRLI & vROPs
- IPv6 support for telemetry/VAC
- Internal T0-T1 transit subnet prefix change after Tier0 creation allows users to change the prefix used for the T0-T1 transit subnet after the Tier-0 creation. Before this feature the user was allowed to change the default value (100.64.0.0/16) only at the Tier-0 creation time.
- Networking Services (NAT, DHCP, DNS)
- NAT support for Policy-based VPN on T0/T1 Gateways allows the configuration of DNAT/NO-DNAT rules that match traffic decapsulated from a policy-based VPN. To translate the destination IP of traffic decapsulated from the VPN, configure a DNAT/NO-DNAT rule and set the policy-based VPN option to "match". The default remains "bypass", meaning the rule does not match traffic decapsulated from a policy-based VPN.
- DHCP UI configuration workflow improvement offers a simpler and easier configuration of a local DHCP server, a gateway DHCP server or DHCP relay. It also offers better visibility and monitoring options.
- DHCP standby relocation improves the availability of the DHCP server: with standby relocation configured, a new standby Edge is elected in case of failure.
- Edge platform
- Edge relocate API gives the option, when an Edge VM enters maintenance mode, to gracefully relocate all auto-allocated T1 SRs to other Edge VMs.
- Maintain Edge Node parameters during upgrade – post-upgrade all user-edited settings of Edge Node will be preserved and not reset to default.
- Distributed Firewall
- Block Malicious IPs in Distributed Firewall is a new capability to block traffic to and from malicious IPs. This is achieved by ingesting a feed of malicious IPs provided by VMware Contexa. The feed is updated automatically multiple times a day so that the environment is protected against the latest malicious IPs. In existing environments the feature must be turned on explicitly; in new environments it is enabled by default.
- NSX Distributed Firewall now supports the following physical server versions: RHEL 8.2, 8.4, Ubuntu 20.04, CentOS 8.2, 8.4.
- Federation
- Physical servers are now supported on Local Managers that are part of a Federation. Physical servers can be part of groups defined on the Global Manager, and those groups can then be used in firewall rules (DFW or Gateway Firewall).
- Service Insertion
- Service Insertion has now added additional alarms to monitor the health and liveness of the Service Insertion components.
- NSX Application Platform and Associated Services
- NSX 4.0.0.1 is compatible with NSX Application Platform 3.2.1 version, along with the related NSX features (NSX Intelligence, NSX Network Detection and Response, NSX Malware Prevention, and NSX Metrics).
- If you are running NSX Application Platform 3.2.0, you must upgrade to NSX Application Platform 3.2.1 (or any subsequent maintenance release) before you can upgrade to NSX 4.0.0.1.
- Installation and upgrade
- Faster Upgrades – benefit from up to a 10% reduction in NSX upgrade time overall to use the maintenance windows more effectively.
- Monitoring – New alarms for lifecycle status of physical servers (install, uninstall, upgrade).
- Usability Enhancements:
- Generate system notifications when newer NSX versions become available.
- Operations and Monitoring
- Live Traffic Analysis & Traceflow support for VPN – get an end-to-end view of live packets in a VPN tunnel using Traceflow or the Live Traffic Analysis Tool
- Edge Support for Live Traffic Analysis – use the Live Traffic Analysis tool to perform packet capture on NSX Edge interfaces
- Enhancements to events, alarms and operations – several known issues with the Live Traffic Analysis tool and Traceflow have been addressed in this release. High-latency alerts have also been added for the management and network infrastructure.
- AAA and Platform Security
- Improved Local User Password Configuration – NSX supports additional complexity requirements to align with newer industry regulations
- API
- Logging of Deprecated APIs: The system will flag in the logs when an API being invoked is deprecated, in order to simplify the transition from deprecated APIs to their replacements.
- Licensing
- License Enforcement – Enhanced feature-level enforcement on NSX Firewall license editions, restricting access to features based on license edition. New users are able to access only those features that are available in the edition that they have purchased. Existing users who have used features that are not in their license edition are restricted to only viewing the objects; create and edit will be disallowed.
See the full release notes here.
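The malicious-IP blocking item under Distributed Firewall above describes a feed-driven block list but not how such a list is applied. The following Python is an added example written for this post; it is not VMware code and does not reproduce the Contexa feed format. The feed entries, the feed version string and the flow records are constructed. It shows the three things the feature description implies: the lookup must be CIDR-aware (feeds carry prefixes as well as single hosts), it must check both directions of a flow ("to and from"), and it must be gated by an explicit enable flag, since an upgraded environment has the feature off until it is turned on. It also shows an in-place feed refresh, which is what an automatically updated feed needs.

```python
"""Added example (not VMware's code): matching flows against a malicious-IP feed.

Feed lines and flow records below are constructed for this example, using
documentation address ranges (RFC 5737 / RFC 3849).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed feed snapshot: one entry per line, '#' starts a comment.
FEED_LINES = """
203.0.113.64/26      # constructed: a whole prefix
198.51.100.9         # constructed: a single host
2001:db8:bad::/48    # constructed: an IPv6 prefix
"""


@dataclass
class MaliciousIpFeed:
    version: str    # feed version or publish timestamp (assumed format)
    networks: List  # ip_network objects parsed from the feed

    @classmethod
    def parse(cls, version: str, text: str) -> "MaliciousIpFeed":
        nets = []
        for raw in text.splitlines():
            entry = raw.split("#", 1)[0].strip()
            if not entry:
                continue
            # strict=False accepts host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
            nets.append(ip_network(entry, strict=False))
        return cls(version, nets)

    def match(self, addr: str):
        """Return the feed entry containing addr, or None."""
        ip = ip_address(addr)
        for net in self.networks:
            if net.version == ip.version and ip in net:
                return net
        return None


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow, feed: MaliciousIpFeed, enabled: bool) -> Tuple[str, str]:
    """Verdict for one flow: blocked in either direction only when enabled."""
    if not enabled:
        return ("ALLOW", "malicious-IP blocking not enabled")
    hit = feed.match(flow.src)
    if hit is not None:
        return ("DROP", f"from {flow.src} in {hit} (feed {feed.version})")
    hit = feed.match(flow.dst)
    if hit is not None:
        return ("DROP", f"to {flow.dst} in {hit} (feed {feed.version})")
    return ("ALLOW", "no feed match")


def refresh(feed: MaliciousIpFeed, new_version: str, text: str) -> MaliciousIpFeed:
    """Swap the feed contents in place, as a periodic update would."""
    new = MaliciousIpFeed.parse(new_version, text)
    feed.version, feed.networks = new.version, new.networks
    return feed


# Constructed flow records: two outbound hits, one inbound hit, one internal flow.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.77", "tcp", 443),
    Flow("198.51.100.9", "10.0.0.5", "tcp", 22),
    Flow("2001:db8:1::5", "2001:db8:bad::1", "tcp", 443),
    Flow("10.0.0.5", "10.0.0.6", "tcp", 445),
]


def run_sample(enabled: bool = True) -> List[str]:
    feed = MaliciousIpFeed.parse("2022-07-19T03:00Z", FEED_LINES)
    return [evaluate(f, feed, enabled)[0] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    feed = MaliciousIpFeed.parse("2022-07-19T03:00Z", FEED_LINES)
    for f in SAMPLE_FLOWS:
        verdict, why = evaluate(f, feed, enabled=True)
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {verdict}  ({why})")
```

Run it directly to print a verdict per constructed flow. With `enabled=False` every flow is allowed even when it matches the feed, which is the state an upgraded environment is in until the feature is switched on; the `refresh` function shows why a hit must always be reported together with the feed version, since the same address can be allowed again after the next update.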