SD-WAN 6.8 release notes

We are pleased to announce the release of SD-WAN 6.8. This release brings improvements to the management server database, support for bridge interfaces, as well as a number of new API endpoints.

Major Features

  • The SD-WAN 7.0 preview, codenamed “Laywire”, is now available. This version implements a new vision of SD-WAN that allows for many new use cases that were previously difficult or impossible to implement. Initially, a number of features will not be immediately available, but they will be added over the coming months. In this release the following features are available:

    • Basic interface configuration

    • Static IPv4 and IPv6 addresses with peer and gateway routing

    • DHCP

    • Configuration can be set to persist on service shutdown for maintenance

    • Alternative interface names can be set

    • SD-WAN tunnels, now called peers

      • Multiple peers can be established to any number of other nodes or groups of nodes simultaneously or as failover

      • Multiple levels of failover are supported

      • Failover is managed exclusively by the nodes themselves

    • Nexthop object based routing

      • Routes can be created that target peers and fall back to other peers or local gateways

    • Multiple VRFs can be defined for routing separation

      • Traffic for multiple VRFs can be passed over single peers

    • Manual network configuration is no longer required for nodes used as concentrators. All configuration is managed via the web interface

    • Orchestration mesh for reliable communication between nodes and the manager

    • Access rule configuration

  • SD-WAN 6.8 now supports the following distributions:

    • openSUSE Leap 15.6

    • openSUSE Leap 15.5

    • openSUSE Leap 15.4

    • Debian 12 “Bookworm”

    • Debian 11 “Bullseye”

    • Debian 10 “Buster” is supported to allow migration of nodes to newer versions of Debian

Deprecations

Warning

The following distributions have been deprecated in SD-WAN 6.8:
  • Debian 8 “Jessie”

  • Debian 9 “Stretch”

  • All versions of Red Hat Enterprise Linux

Warning

The following distributions will be deprecated in SD-WAN 6.9:
  • Debian 10 “Buster”

  • Debian 11 “Bullseye”

  • openSUSE Leap 15.3

  • openSUSE Leap 15.4

Bondingadmin

Changes:

  • Bondingadmin has been updated to run on Debian 11 “Bullseye”

  • A new frontend framework has been built for managing 7.x nodes

  • The main page shows a simple dashboard instead of the bond list

  • All node keys are now generated with a common prefix specific to the management server. This will be used to allow pre-built images on deployed hardware without the need for server-specific customization

    • On upgrade all nodes will be assigned new node keys. However, any previously-set node keys will continue to work

  • A new v5 API has been added for managing SD-WAN 7.0 configuration

    • HTTP basic authentication is no longer valid for V5. The login mechanism now returns a bearer token to be used on subsequent calls. This token is accepted for V4 and V3 calls as well

  • New documentation viewers are available for all API versions:

    • Stoplight Elements (allows in-browser interaction)

    • Swagger-UI (allows in-browser interaction)

    • Redoc

  • All cron-based tasks have been migrated to Systemd timers

  • A configuration manager was added for tracking changes and building configurations for SD-WAN 7.x nodes

  • A node manager was added for tracking the state of SD-WAN 7.x nodes and sending configurations generated by the configuration manager

  • A new orchestration mesh was implemented to allow for reliable communication between the manager and nodes, as well as between nodes

  • The TimescaleDB PostgreSQL extension has been added

  • Migrated the SSH keys used for backups from RSA to ECDSA

  • Updated the system requirements to reflect recent changes

Fixes:

  • Some upgrade and migration issues that required manual intervention to resolve have been fixed

  • The uWSGI cache size has been increased to match the expected size, solving cache-full issues found in some environments

  • The openSUSE Leap repositories set via Salt now use the management server URLs instead of the upstream ones

  • Fixed incorrect OSPF allow rule when OSPF was configured on an openSUSE node

  • Fixed an issue where a bond could not be deleted while processing an update for it from an aggregator

  • Fixed an issue where multiple spaces created at the same time sometimes resulted in resources appearing to be in multiple spaces

Bonding Node

Changes:

  • Support Debian 11 “Bullseye” and Debian 12 “Bookworm”

  • Bumped the minimum kernel version on Debian Buster to 5.10

  • The DHCPv4 client was changed back from ISC to udhcpc due to incorrect renewal behaviour

  • Support setting some modern Ethernet interface speeds:

    • 2.5Gbit

    • 25Gbit

    • 40Gbit

    • 100Gbit

  • When unsetting a custom interface hardware address, it is now reverted to the recorded permanent address if available

  • Custom BIRD configuration on Private WAN routers will now load even when not active

  • bonding-deconfigure now calls bonding-setup to set up as a default bonder

  • bonding-sysprep now supports all distributions

  • Created a new troubleshooting interface setup service that works across distributions to replace the old Debian interfaces setup

  • bonding-setup now ensures that the Systemd journal is preserved across reboots

  • Ensure a time daemon is set up in bonding-setup

  • The Systemd service units were updated to use the newer StartLimitIntervalSec option

  • All cron tasks have been migrated to use Systemd timers

  • Changed all legacy syslog calls to log directly to the Systemd journal

  • Use a direct netlink method of querying the root interface queuing discipline that is faster than calling an external command

Fixes:

  • Fixed an issue with DHCP on legs wiping out the leg routing table on certain configuration changes

  • Fixed an error that would occur on DHCP LEASEFAIL and NAK events

  • Fixed a race condition in DHCP that would occur in certain environments where the service is not started quickly enough

  • Fixed crash caused by sending a router solicitation on an interface without a link local address

  • Fixed missing restart actions on legs that resulted in a crash on leg changes

  • Fixed a race condition in the jitter buffer interface setup

  • Fixed a crash setting a space gateway on an aggregator where the managed trunk interface is missing

  • Changed the management tunnel notification timeout from 5 seconds to 30 seconds to avoid an unnecessary failure on slower devices

  • Don’t crash on interface names with non-UTF8 characters

  • Fixed an issue with tunnel bypass rule ordering

  • Fixed an issue where a route change caused the nftables manager to crash

  • Fixed an issue where a connected IP change caused the nftables manager to crash

  • Fixed custom filter-forward rules not getting picked up

  • Fixed QoS not getting restored when nftables is manually restarted

  • Fixed issues with usrmerge in Debian Buster

  • bonding-setup no longer rejects partially working configurations

  • bonding-setup now considers interface altnames when checking interfaces

  • Fixed troubleshooting interface detection in bonding-setup

  • Fixed an issue in nodessl where the CA was not downloaded when changed on the manager

Laywire Node

Changes:

  • Added the Laywire node for version 7.0. This replaces all node types from bonding 6.x

    • A command line tool, laywire, can be used to check status and inject temporary custom configurations

    • A built-in multi-link caching DNS resolver was built

      • It keeps track of DNS connectivity on all available interfaces

      • It detects and rejects DNS servers that return bogus results as well as interfaces where redirection to such servers is present

    • Full traffic isolation avoids a number of undesirable situations that were possible in 6.x

    • Version 7 nodes are not compatible with version 6 nodes