SD-WAN 6.8 release notes

We are pleased to announce the release of SD-WAN 6.8. This release contains a number of bugfixes and updates as well as a preview of our next generation SD-WAN 7.0.

Major Features

  • The SD-WAN 7.0 preview, codenamed “Laywire”, is now available. This version implements a new vision of SD-WAN that allows for many new use cases that were previously difficult or impossible to implement. A number of features are not available initially, but they will be added over the coming months. In this release the following features are available:

    • Basic interface configuration

      • Static IPv4 and IPv6 addresses with peer and gateway routing

      • DHCP

      • Configuration can be set to persist on service shutdown for maintenance

      • Alternative interface names can be set

    • SD-WAN tunnels, now called peers

      • Multiple peers can be established to any number of other nodes or groups of nodes simultaneously or as failover

      • Multiple levels of failover are supported

      • Failover is managed exclusively by the nodes themselves

    • Nexthop object based routing

      • Routes can be created that target peers and fall back to other peers or local gateways

    • Multiple VRFs can be defined for routing separation

      • Traffic for multiple VRFs can be passed over single peers

    • Manual network configuration is no longer required for nodes used as concentrators. All configuration is managed via the web interface

    • Orchestration mesh for reliable communication between nodes and the manager

    • Access rule configuration

  • SD-WAN 6.8 now supports the following distributions:

    • openSUSE Leap 15.6

    • openSUSE Leap 15.5

    • openSUSE Leap 15.4

    • Debian 12 “Bookworm”

    • Debian 11 “Bullseye”

    • Debian 10 “Buster” is supported to allow migration of nodes to newer versions of Debian

Deprecations

Warning

The following distributions have been deprecated in SD-WAN 6.8:

  • Debian 8 “Jessie”

  • Debian 9 “Stretch”

  • All versions of Red Hat Enterprise Linux

Warning

The following distributions will be deprecated in SD-WAN 6.9:

  • Debian 10 “Buster”

  • Debian 11 “Bullseye”

  • openSUSE Leap 15.3

  • openSUSE Leap 15.4

Warning

Support for Quagga will be deprecated in SD-WAN 6.9. If Quagga is enabled on nodes running 6.9, dynamic routing will not work. As a result, bonders and aggregators must be directly configured with dynamic routing protocols before upgrading to 6.9.

Please see Configuring dynamic routing in bonding for instructions on how to configure dynamic routing protocols.

Warning

Private WAN routers will be deprecated in SD-WAN on August 1, 2025. Please see Migrating to managed mesh for information on migrating an existing deployment using private WAN routers to a managed mesh.

Bondingadmin

Changes:

  • Bondingadmin has been updated to run on Debian 11 “Bullseye”

  • A new frontend framework has been built for managing 7.x nodes

  • The main page shows a simple dashboard instead of the bond list

  • All node keys are now generated with a common prefix specific to the management server. This will be used to allow pre-built images on deployed hardware without the need for server-specific customization

    • On upgrade all nodes will be assigned new node keys. However, any previously-set node keys will continue to work

  • A new v5 API has been added for managing SD-WAN 7.0 configuration

    • HTTP basic authentication is no longer valid for V5. The login mechanism now returns a bearer token to be used on subsequent calls. This token is accepted for V4 and V3 calls as well

  • New documentation viewers are available for all API versions:

    • Stoplight Elements (allows in-browser interaction)

    • Swagger-UI (allows in-browser interaction)

    • Redoc

  • All cron-based tasks have been migrated to Systemd timers

  • A configuration manager was added for tracking changes and building configurations for SD-WAN 7.x nodes

  • A node manager was added for tracking the state of SD-WAN 7.x nodes and sending configurations generated by the configuration manager

  • A new orchestration mesh was implemented to allow for reliable communication between the manager and nodes, as well as between nodes

  • The TimescaleDB PostgreSQL extension has been added

  • Migrated the SSH keys used for backups from RSA to ECDSA

  • Updated the system requirements to reflect recent changes

Fixes:

  • Some upgrade and migration issues that required manual intervention to resolve have been fixed

  • The uWSGI cache size has been increased to match the expected size, solving cache-full issues found in some environments

  • The openSUSE Leap repositories set via Salt now use the management server URLs instead of the upstream ones

  • Fixed incorrect OSPF allow rule when OSPF was configured on an openSUSE node

  • Fixed an issue where a bond could not be deleted while processing an update for it from an aggregator

  • Fixed an issue where multiple spaces created at the same time sometimes resulted in resources appearing to be in multiple spaces

Bonding Node

Changes:

  • Support Debian 11 “Bullseye” and Debian 12 “Bookworm”

  • Bumped the minimum kernel version on Debian Buster to 5.10

  • The DHCPv4 client was changed back from ISC to udhcpc due to incorrect renewal behaviour

  • Support setting some modern Ethernet interface speeds:

    • 2.5Gbit

    • 25Gbit

    • 40Gbit

    • 100Gbit

  • When unsetting a custom interface hardware address, it is now reverted to the recorded permanent address if available

  • Custom BIRD configuration on Private WAN routers will now load even when not active

  • bonding-deconfigure now calls bonding-setup to set up as a default bonder

  • bonding-sysprep now supports all distributions

  • Created a new troubleshooting interface setup service that works across distributions to replace the old Debian interfaces setup

  • bonding-setup now ensures that the Systemd journal is preserved across reboots

  • Ensure a time daemon is set up in bonding-setup

  • The Systemd service units were updated to use the newer StartLimitIntervalSec option

  • All cron tasks have been migrated to use Systemd timers

  • Changed all legacy syslog calls to log directly to the Systemd journal

  • Use a direct netlink method of querying the root interface queuing discipline that is faster than calling an external command

Fixes:

  • Fixed an issue with DHCP on legs wiping out the leg routing table on certain configuration changes

  • Fixed an error that would occur on DHCP LEASEFAIL and NAK events

  • Fixed a race condition in DHCP that would occur in certain environments where the service is not started quickly enough

  • Fixed crash caused by sending a router solicitation on an interface without a link local address

  • Fixed missing restart actions on legs that resulted in a crash on leg changes

  • Fixed a race condition in the jitter buffer interface setup

  • Fixed a crash setting a space gateway on an aggregator where the managed trunk interface is missing

  • Changed the management tunnel notification timeout from 5 seconds to 30 seconds to avoid an unnecessary failure on slower devices

  • Don’t crash on interface names with non-UTF8 characters

  • Fixed an issue with tunnel bypass rule ordering

  • Fixed an issue where a route change caused the nftables manager to crash

  • Fixed an issue where a connected IP change caused the nftables manager to crash

  • Fixed custom filter-forward rules not getting picked up

  • Fixed QoS not getting restored when nftables is manually restarted

  • Fixed issues with usrmerge in Debian Buster

  • bonding-setup no longer rejects partially working configurations

  • bonding-setup now considers interface altnames when checking interfaces

  • Fixed troubleshooting interface detection in bonding-setup

  • Fixed an issue in nodessl where the CA was not downloaded when changed on the manager

Laywire Node

Changes:

  • Added the Laywire node for version 7.0. This replaces all node types from bonding 6.x

    • A command line tool, laywire, can be used to check status and inject temporary custom configurations

    • A built-in multi-link caching DNS resolver was built

      • It keeps track of DNS connectivity on all available interfaces

      • It detects and rejects DNS servers that return bogus results as well as interfaces where redirection to such servers is present

    • Full traffic isolation avoids a number of undesirable situations that were possible in 6.x

    • Version 7 nodes are not compatible with version 6 nodes