VMware NSX 6.2.4 released

So after the huge cock-up with 6.2.3, VMware have turned around a new version of NSX in a matter of weeks to fix all the bugs!

http://blogs.vmware.com/kb/2016/08/vmware-nsx-vsphere-6-2-4-now-available.html

Of major concern was the whole HA issue that meant DLR nodes got stuck in a ‘split-brain’ mode after 24 days of operations – and every 24 days after that! It also didn’t help that the previous version was causing VMs to lose network connectivity if the pMAC of the DLR was the MAC address in the default gateway.

Anyways, hopefully all the bugs have been ironed out and the new release is more stable!

Release Notes can be found here.

For some of my customers, the release of 6.2.4 brings back the vShield Endpoint management support which is great given vCNS and vShield Manager is going end of general support on the 19th Sept!

For more info about this, read my previous blog entry: NSX 6.2.3 Released – support for vShield Endpoint Management

NSX 6.2.3 Released – support for vShield Endpoint Management

As most people are aware, VMware pulled their support for vCloud Network & Security (and with that vShield Manager) earlier this year and a lot of my customers have been wondering what’s going to happen to their vShield Endpoint deployments (for agentless AV). It was strange that VMware announced the EoA for vCNS without really announcing it’s successor – although that said, most of us already had an inkling that NSX Manager would probably pick up the management of vShield Endpoint.

NSX 6.2.3 was released in June (as always to limited/no fanfare) and with this release was the announcement that NSX now supports the management of vShield Endpoint (now renamed NSX Guest Introspection). Customers who purchased vSphere with vShield Endpoint (pretty much all versions, Essentials Plus and above) are now able to download NSX Manager from their My VMware portal, under the vSphere product – download site. The license that comes embedded in NSX Manager 6.2.3 includes an unlimited capacity NSX for vShield Endpoint license key. To ensure customers do not use any other unlicensed NSX features (For example VXLAN, DFW, Edge services), the license key will have hard enforcement to prevent NSX host preparation and block Edge creation.

VMware NSX for vSphere provides NSX Guest Introspection, which provides all features of vShield Endpoint and support for additional service categories like vulnerability management, IDS/IPS using the in-guest thin agent.

vCloud Networking and Security Manager version 5.5 is supported until September 2016 after which customers will need to upgrade to NSX Manager in order to continue with vShield Endpoint support (Technical Guidance will still be available for vCNS till March 2017).

More information on the procedures for upgrading from vCNS 5.5.x to NSX 6.2.x can be found here: http://pubs.vmware.com/NSX-62/index.jsp#com.vmware.nsx.upgrade.doc/GUID-D2CDB014-39D8-48CC-9733-981308249F52.html or at this VMware KB: https://kb.vmware.com/kb/2144620

The process of upgrading can be summarised as follows:

  1. Upgrade vShield Manager to NSX Manager.
  2. Deploy NSX Controller cluster (update Transport Zones and Logical Switches).
  3. Install the new VIBs on ESXi hosts in the cluster (virtual wires are renamed as logical switches).
  4. Upgrade vShield App to NSX Distributed Firewall – configuration is migrated across.
  5. Upgrade vShield Edge devices to NSX Edge devices – configuration is migrated across.
  6. Upgrade vShield Endpoint to NSX Guest Introspection

Note that for upgrade to work, each function must be on version 5.5.

NSX 6.2.3 Release Notes: http://pubs.vmware.com/Release_Notes/en/nsx/6.2.3/releasenotes_nsx_vsphere_623.html

Installing vShield Endpoint (vCNS Mgr 5.5.4-3)

Very quick blog entry as I’m busy tying up loose ends before jetting off on my summer hols….

It’s pretty easy to install vShield Endpoint as it’s a wizard-based OVA deployment. I’m not going to step through the process as it’s very simple (plus the install guide explains it very well). Once that’s done log into the console and run ‘setup’ to configure the IP address and DNS information.

After that, it’s a case of logging into vShield Manager and connecting to vCenter Server.

Once connected to the vCenter, you should see your datacenter and hosts in a hierarchical tree on the left menu. Select each host and installed vShield Endpoint.

vShield Installation guide: http://www.vmware.com/pdf/vshield_55_install.pdf

However, I did encounter a few issues (due to prior deployments which hadn’t been cleaned up properly).

Error 1: VMKernel Portgroup present on incorrect vSwitchvcns1
This occurred because the hosts had a previous vSwitch labelled vmservice-vswitch, but the VMkernel port vmservice-vmknic-pg resided on a different vSwitch (previous deployment). To correct this I had to delete the old VMkernel port and recreate it on the correct vmservice-vswitch.

Error 2: VirtualMachine Portgroup present on incorrect vSwitch

vcns2Again this was due to a mis-configuration on a previous deployment! What should happen is once you’ve setup the vmservice-vswitch and created the vmservice-vmknic-pg portgroup and VMkernel port, the installer will create a new portgroup on that vSwitch called vmservice-vshield-pg. Like before, this was residing on the wrong vSwitch.

In the end I just deleted the wrong vSwitch and started again by creating the vmservice-vswitch and the vmservice-vmknic-pg. After that the installation of vShield Endpoint went swimmingly!

vcns3

Which goes to show that cleaning up an old deployment within your demo environment can sometimes be very handy! =)

 

vShield Endpoint with vSphere 6.0 – Explaining the confusion around the product range!

So I had a customer ask me what was going on with vShield Edge and vCloud Networking & Security, and whether the products are still available or has NSX replaced them…. and what is with this vShield Endpoint feature?

Anyways, after explaining my take on vShield and vCNS I decided to do a bit more digging into vShield Endpoint and why there has been so much confusion with the product range regarding licensing, support, and availability of the products!

I came across this great blog post by Josh Townsend which pretty much explains the history behind vShield, vCNS and NSX and also talks about how you can deploy vShield Endpoint. Rather than me regurgitating what he wrote, I’ll advise you to definitely click through to his blog and have a read! Hopefully all will become clear!

http://vmtoday.com/2015/05/vshield-endpoint-vsphere-6-0/