VMware NSX 6.2.3 is out - default license for vShield Endpoint.

By | October 21, 2016

VMware released NSX 6.2.3. It introduced a long awaited feature - at least for me and my customers πŸ™‚ NSX 6.2.3 has default license "NSX for vShield Endpoint" which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. vShield Manager is EOL in September this year and it was not possible to use NSX Manager + Guest Introspection without normal NSX license before.

There are some requirements to perform an upgrade properly. Please follow this guide to upgrade vCloud Networking and Security (vShield Manager) to NSX Manager.

There are some changes andΒ  improvements in NSX 6.2.3 as below:

  • New Edge DHCP Options: DHCP Option 121 supports static route option, which is used for DHCP server to publish static routes to DHCP client; DHCP Options 66, 67, 150 supports DHCP options for PXE Boot; and DHCP Option 26 supports configuration of DHCP client network interface MTU by DHCP server.
  • NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network
  • New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472.
  • Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.
  • Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. Feature is disabled by default, use the NSX REST API to enable it.
  • NSX Edge β€” On Demand Failover: Enables users to initiate on-demand failover when needed.
  • NSX Edge β€” Resource Reservation: Reserves CPU/Memory for NSX Edge during creation.
  • Cross VC NSX β€” Universal Distributed Logical Router (DLR) Upgrade: Auto upgrade of Universal DLR on secondary NSX Manager, once upgraded on primary NSX Manager.
  • Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.
  • Distributed Firewall β€” TFTP ALG: enables use cases such as network boot for VMs.
  • Firewall β€” Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.
  • Guest Introspection β€” Windows 10 support
  • SSL VPN Client β€” Mac OS El Capitan support
  • NSX Dashboard: Simplifies troubleshooting by providing visibility into the overall health of NSX components in one central view.
  • Traceflow Enhancement β€” Network Introspection Services: Enhances ability to trace a packet from source to destination, by identifying whether packets were forwarded to 3rd-party network introspection services, and whether the packet comes back from the 3rd-party service VM or not.
  • SNMP Support: Configure SNMP traps for events from NSX Manager, NSX Controller, and Edge.
  • Firewall rules UI now displays configured IP protocols and TCP/UDP port numbers associated with services.
  • Central CLI for Host Health: Shows host health status, with 30+ checks in one command (including network config, VXLAN config, resource utilization, etc.)
  • VMware vRealize Log Insight 3.3.2 for NSX: monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts.

For more known issues/bugs please follow the release guide.

Update: Please follow this post on how to install and configure NSX vShield Endpoint for Guest Introspection.

Author: Mariusz

Architect (~ 15 years experience based on passion...) with strong background as a System Administrator and Engineer. Focused on Data Center Solutions: Virtualization/Cloud Computing and Storage/Backup Systems. Currently living in Poland.