New and Changed Features in Contrail Service Orchestration Release 4.1.0
This section describes the new features or enhancements to existing features in Contrail Service Orchestration (CSO) Release 4.1.0:
Support for downloading CSO package directly to kernel-based virtual machine (KVM) host—From CSO Release 4.1.0 onward, you can download the CSO package directly to your kernel-based virtual machine (KVM) host by using the CSO Downloader GUI. You must have the IP address and root credentials of the host. Additionally, the host must have an Internet connection and Python 2.7.x installed.
Support for downloading CSO package to the existing installer VM—From CSO Release 4.1.0 onward, you can download the CSO package directly to your existing installer VM (IVM) by using the CSO Downloader GUI. You must have the IP address and root credentials of the VM. Additionally, the VM must have an Internet connection and Python 2.7.x installed.
Access to application logs via CSO Downloader GUI—From CSO Release 4.1.0 onward, you can access application logs from within the CSO Downloader GUI. To access the logs, click the View Logs icon at the top-right corner of the GUI.
Reduced installation time for retries—From CSO Release 4.1.0 onward, the CSO installer maintains awareness of the state of the deployment. This enables the CSO installer to identify components that failed to deploy during the installation process. It then reattempts installing only those components that have a status of failed, or in-progress, or no-status from the previous runs. Restricting installation to only such components helps reduce the installation time for retries.
Revised number of supported sites—From CSO Release 4.1.0 onward, the number of sites supported for various deployment types is revised as follows:
Small deployment—Increased from 450 to 500 sites.
Large deployment—Increased from 5000 to 6000 sites.
The number of sites supported for Medium deployments remains 3500.
Reduced server requirements—From CSO Release 4.1.0 onward, the following server requirements have been reduced:
Medium deployment—Decreased from 4 to 3 servers.
Large deployment—Decreased from 9 to 7 servers.
Support for dynamic VPN tunnels—From CSO Release 4.1.0 onward, for tenants that have Real Time-Optimized SD-WAN mode configured, CSO dynamically creates or deletes VPN tunnels between two sites based on the threshold values for creation and deletion of tunnels.
The SP administrator, OpCo administrator, or the Tenant administrator can also create or delete dynamic VPN tunnels between a source site and a destination site by using the CSO GUI.
Support for mesh tags—From CSO Release 4.1.0 onward, for tenants that have Real Time-Optimized SD-WAN mode configured, you can associate a WAN link with a mesh tag.
A mesh tag is a label that you associate with a WAN link of a site. An overlay tunnel is established between the WAN links of two sites if the WAN links are associated with the same mesh tag.
While configuring an on-premises spoke site, you must associate only one mesh tag; for a gateway site, you can associate one or more mesh tags.
Support for both full-mesh and hub-and-spoke topologies for the tenant—From CSO Release 4.1.0 onward, a single tenant supports both full-mesh and hub-and-spoke topologies.
Support for breakout profiles—From CSO Release 4.1.0 onward, you can configure breakout profiles for local breakout (underlay), central breakout (backhaul), or cloud breakout. You can then reference the breakout profiles in SD-WAN policy intents to enable breakout traffic.
For cloud breakout, Zscaler is the only cloud-based security platform supported in CSO Release 4.1.0.
Support for additional breakout options—From CSO Release 4.1.0 onward, you can configure breakout at the department level or the application level (cacheable applications only) by using breakout profiles in SD-WAN policy intents. In releases before CSO 4.1.0, breakout could be configured only at the site level.
Support for adding gateway sites—From CSO Release 4.1.0 onward, you can add a new SD-WAN site, called a gateway site, that is used to carry site-to-site traffic between on-premises spoke sites and to break out backhaul (central breakout) traffic from on-premises spoke sites. You can add gateway sites from the Sites page.
Support for data center departments and dynamically routed LAN segments—From CSO Release 4.1.0 onward, you can designate a department as a data center department. You can add LAN segments that are not connected directly to a site by specifying the OSPF or BGP configuration for the data center department to which the LAN segment is assigned. The data center department then learns the routes from the LAN side by using the OSPF or BGP configuration.
A data center department can be attached only to gateway sites.
Security enhancements in SD-WAN device templates—From CSO Release 4.1.0 onward, various SD-WAN device templates for NFX150, NFX250, and SRX Series devices are updated with additional security parameters. Stage-1 and stage-2 configurations supported by the templates are also enhanced with additional security options.
Backup and restore of CSO—From CSO Release 4.1.0 onward, backup and restore of the various databases, encrypted passwords, and system certificates used by CSO are enabled automatically during CSO installation. Triggering backup or restore operations requires the use of the cso_backupnrestore script, which exists only on the installer-vm. Backup and restore are done on a system-wide basis and can be scheduled using the backup scheduler command option available in the script.
Support for CPU pinning on NFX250—From CSO Release 4.1.0 onward, for NFX250 devices, you can view and modify the physical CPUs to which the vCPUs of the vSRX (gateway router) should be pinned, by using the Template Settings page (Resources > Device Templates > Edit Device Template > Template Settings).
Support for site upgrade, ZTP, and AppQoE over low-bandwidth, high-latency links—From Release 4.1.0 onward, CSO supports site upgrade, zero touch provisioning (ZTP), and Application Quality of Experience (AppQoE) over low-bandwidth, high-latency links such as VSAT links. When only a low-bandwidth, high-latency link is available, the link is treated as an Internet-type WAN link, and CSO supports over it all operations that are supported over Internet links.
Ability to stage images to devices—From Release 4.1.0 onward, CSO enables you to stage images to devices independent of the deploy operation. The ability to stage an image before deploying the image along with an option to configure the stage timeout period helps you prevent stage operations from timing out over low-bandwidth, high-latency connections. When you stage an image over a low-bandwidth, high-latency link, you can increase the stage timeout value. On faster connections, you can choose to stage and deploy the image in one step.
Improved authentication for the Kibana GUI—From CSO Release 4.1.0 onward, authentication is enabled for Kibana to enhance security. To view the csplogs logs, you must now log in to the Kibana GUI by using the Elasticsearch credentials.
Support for purging audit logs—From CSO Release 4.1.0 onward, you can manage the volume of audit log data stored by purging log files from the CSO database without archiving them, or by purging log files after archiving them. You can purge audit logs immediately or schedule the purging for a later date, and schedule the purging on a recurring basis.
Support for ANR report definitions—CSO Release 4.1.0 consolidates various predefined report definitions that are available in previous releases into a single report definition named Application and Network Risk (ANR) report. The ANR report is the only predefined report definition available on the Security Report Definitions page in CSO Release 4.1.0. Reports generated from the predefined ANR report definition consist of the top 10 records from the last 24 hours.
You can also create custom ANR report definitions from the Security Report Definitions page and generate customized reports.
Support for additional chart types in log report definitions—From Release 4.1.0 onward, CSO provides additional chart type options—bubble chart and donut chart—on the Create Log Report Definition page.
Support for generating reports for a custom time period—From CSO Release 4.1.0 onward, you can generate log reports, bandwidth reports, and ANR reports for a custom time period.
Enhancements to creating a user in CSO—From CSO Release 4.1.0 onward, you can create users with roles in multiple scopes from a single page. Earlier, you had to access each scope to create a user and assign the roles.
Support for Global Administrator role—CSO Release 4.1.0 introduces the Global Administrator role with administrative privileges in Service Provider, Operational Company (OpCo), and Tenant scopes.
Return Material Authorization (RMA) support for individual devices of an NFX250 dual CPE cluster—From CSO Release 4.1.0 onward, when an NFX250 device in a dual CPE cluster fails, you can perform RMA for only the failed device. In previous releases, you had to perform RMA on both the devices in the cluster. The ability to perform RMA for only the failed device helps reduce network downtime.
Support for configuring APN settings—From CSO Release 4.1.0 onward, you can configure access point name (APN) settings for LTE WAN links on NFX150 and NFX250 CPE devices in an SD-WAN deployment. After successful device activation, you can change the APN settings for the device with or without changing the SIM card.
You can change the default APN settings to support the local network instead of a remote network and so avoid roaming charges.
Enhancement related to SD-WAN reports—From CSO Release 4.1.0 onward, you can generate the following new SD-WAN reports at the tenant level:
Top sites by current active tunnels
Top sites by highest packet loss
Top sites by highest latency
Top sites by highest jitter
You can generate the following new SD-WAN reports at the site level:
Top applications by packet loss
Top applications by latency
Top applications by jitter
Support for automatic renewal and revocation of PKI certificates—From Release 4.1.0 onward, CSO supports automatic renewal and revocation of public key infrastructure (PKI) certificates for IPsec tunneling on NFX250, NFX150, and SRX Series devices, including dual CPE devices, for SD-WAN deployments.
Improvements to site deletion—From CSO Release 4.1.0 onward, the speed and efficiency of the delete site operation are improved.
Support for SRX4100 and SRX4200 as CPE devices—From CSO Release 4.1.0 onward, you can add SRX4100 and SRX4200 devices as a single CPE device or as dual CPE devices in an SD-WAN deployment.
The following device templates are supported:
SRX-4x00 as SD-WAN CPE
Dual SRX4x00 as SD-WAN CPEs