Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x
New and Changed Information
This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 7000 Series NX-OS Security Configuration Guide.

The latest version of this document is available at the following Cisco website:

http://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.html

To check for additional information about this release, see the Cisco Nexus 7000 Series NX-OS Release Notes available at the following Cisco website:

http://www.cisco.com/en/US/products/ps9402/prod_release_notes_list.html

This table summarizes the new and changed features for the Cisco Nexus 7000 Series NX-OS Security Configuration Guide and tells you where they are documented.

Table 1 New and Changed Security Features

| Feature | Description | Changed in Release | Where Documented |
|---|---|---|---|
| Cisco TrustSec | Removed the requirement for the Advanced Services license. | 6.1(1) | Configuring Cisco TrustSec |
| Cisco TrustSec | Added MACsec support for 40G and 100G M2 Series modules. | 6.1(1) | Configuring Cisco TrustSec |
| CoPP | Added a new class for FCoE; added the LISP, LISP6, and MAC Layer 3 IS-IS ACLs to the critical class; added the fcoe-fib-miss match exception to the undesirable class; added the MAC Layer 2 tunnel ACL to the Layer 2 unpoliced class; and added the "permit icmp any any 143" rule to the acl-icmp6-msgs ACL. | 6.1(1) | Configuring Control Plane Policing |
| FIPS | Added support for digital image signing on switches that contain the Supervisor 2 module. | 6.1(1) | Configuring FIPS |
| FIPS | Updated FIPS guidelines for M2 Series modules. | 6.1(1) | Configuring FIPS |
| IP ACLs and MAC ACLs | Updated for M2 Series modules. | 6.1(1) | Configuring IP ACLs and Configuring MAC ACLs |
| ACLs and CoPP | Changed the show running-config aclmgr and show startup-config aclmgr commands to display only the user-configured ACLs (and not also the default CoPP-configured ACLs) in the running and startup configurations. | 5.2(1) | Configuring IP ACLs, Configuring MAC ACLs, Configuring VLAN ACLs, and Configuring Control Plane Policing |
| Cisco TrustSec | Added support for pause frame encryption and decryption on interfaces. | 5.2(1) | Configuring Cisco TrustSec |
| CoPP | Added the ability to change or reapply the default CoPP policy without rerunning the setup utility. | 5.2(1) | Configuring Control Plane Policing |
| CoPP | Changed the CoPP best practice policy to read-only and added the ability to copy the policy in order to modify it. | 5.2(1) | Configuring Control Plane Policing |
| CoPP | Added the show copp profile and show copp diff profile commands to display the details of the CoPP best practice policy and the differences between policies, respectively. | 5.2(1) | Configuring Control Plane Policing |
| CoPP | Changed the show copp status command to display which flavor of the CoPP best practice policy is attached to the control plane. | 5.2(1) | Configuring Control Plane Policing |
| CoPP | Changed the name of the none option for the best practices CoPP profile in the setup utility to skip. | 5.2(1) | Configuring Control Plane Policing |
| CoPP | Updated the default class maps with support for MPLS LDP, MPLS OAM, MPLS RSVP, DHCP relay, and OTV-AS. | 5.2(1) | Configuring Control Plane Policing |
| DHCP | Added subnet broadcast support for the DHCP relay agent and support for DHCP smart relay. | 5.2(1) | Configuring DHCP |
| FCoE ACLs | Added support for FCoE ACLs on F1 Series modules. | 5.2(1) | Configuring IP ACLs |
| IP ACLs | Added support for ACL capture on M1 Series modules. | 5.2(1) | Configuring IP ACLs |
| LDAP | Deprecated the ldap-server port command. | 5.2(1) | Configuring LDAP |
| Password encryption | Added support for AES password encryption and a configurable master encryption key. | 5.2(1) | Configuring Password Encryption |
| RADIUS | Added type-6 encryption support for RADIUS server keys. | 5.2(1) | Configuring RADIUS |
| TACACS+ | Added type-6 encryption support for TACACS+ server keys. | 5.2(1) | Configuring TACACS+ |
| Control plane policy map | Added the ability to specify the threshold value for dropped packets and generate a syslog if the drop count exceeds the configured threshold. | 5.1(1) | Configuring Control Plane Policing |
| CoPP | Updated the default policies with the 802.1Q class of service (cos) values. | 5.1(1) | Configuring Control Plane Policing |
| CoPP | Added support for non-IP traffic classes. | 5.1(1) | Configuring Control Plane Policing |
| DHCP snooping | Optimized DHCP snooping to work in a vPC environment. | 5.1(1) | Configuring DHCP |
| FIPS | Added the ability to configure Federal Information Processing Standards (FIPS) mode. | 5.1(1) | Configuring FIPS |
| Rate limits | Added support for F1 Series module packets. | 5.1(1) | Configuring Rate Limits |
| Rate limits | Added the ability to configure rate limits for packets that reach the supervisor module and to log a system message if the rate limit is exceeded. | 5.1(1) | Configuring Rate Limits |
| Rate limits | Added options to disable rate limits and to configure rate limits for a specific module and port range. | 5.1(1) | Configuring Rate Limits |
| SCP and SFTP servers | Added the ability to configure SCP and SFTP servers on the Cisco NX-OS device to support the copy of files to and from a remote device. | 5.1(1) | Configuring SSH and Telnet |
| User roles | Added the ability to display the syntax of the commands that the network-admin and network-operator roles can use. | 5.1(1) | Configuring User Accounts and RBAC |
| VTY ACLs | Added support to control access to traffic received over a VTY line. | 5.1(1) | Configuring IP ACLs |
| 802.1X | Supports configuring 802.1X on member ports of a port channel. | 5.0(2) | Configuring 802.1X |
| AAA authorization | Supports configuring the default AAA authorization method for TACACS+ servers. | 5.0(2) | Configuring TACACS+ |
| CHAP authentication | Allows the enabling or disabling of CHAP authentication. | 5.0(2) | Configuring AAA |
| CoPP | Updated the default policies with support for ACL HSRP6. | 5.0(2) | Configuring Control Plane Policing |
| DHCP | Allows the DHCP relay agent to support VRFs. Also adds the ip dhcp relay information option vpn command and modifies the ip dhcp relay address command. | 5.0(2) | Configuring DHCP |
| DHCP | Supports enabling DHCP to use Cisco proprietary numbers 150, 152, and 151 for the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions. | 5.0(2) | Configuring DHCP |
| IP ACLs, MAC ACLs, and VACLs | Allows up to 128K ACL entries when using an XL line card, provided a scalable services license is installed. | 5.0(2) | Configuring IP ACLs, Configuring MAC ACLs, and Configuring VLAN ACLs |
| LDAP | Supports configuring the Lightweight Directory Access Protocol (LDAP). | 5.0(2) | Configuring LDAP |
| Local authentication | Enables fallback to local authentication when remote authentication fails. | 5.0(2) | Configuring AAA |
| Local authentication | Allows the disabling of fallback to local authentication. | 5.0(2) | Configuring AAA |
| OTP | Supports one-time passwords. | 5.0(2) | Configuring RADIUS |
| Periodic server monitoring | Supports global periodic RADIUS and TACACS+ server monitoring. | 5.0(2) | Configuring RADIUS and Configuring TACACS+ |
| PKI | Supports a remote cert-store and certificate mapping filters. | 5.0(2) | Configuring PKI |
| Privilege roles | Supports permitting or denying commands for users of privilege roles. | 5.0(2) | Configuring TACACS+ |
| Rate limits | Supports Layer 2 Tunnel Protocol (L2TP) packets. | 5.0(2) | Configuring Rate Limits |
| SGACL policies | Allows the enabling or disabling of RBACL logging. | 5.0(2) | Configuring Cisco TrustSec |
| SGACL policies | Allows the enabling, disabling, monitoring, and clearing of RBACL statistics. | 5.0(2) | Configuring Cisco TrustSec |
| SSH | Supports configuring a maximum number of SSH login attempts. | 5.0(2) | Configuring SSH and Telnet |
| SSH | Supports starting SSH sessions from the boot mode of a Cisco NX-OS device in order to connect to a remote device. | 5.0(2) | Configuring SSH and Telnet |
| SSH | Supports copying files from a Cisco NX-OS device to an SCP or SFTP server without a password. | 5.0(2) | Configuring SSH and Telnet |
| TACACS+ privilege-level authorization | Supports the mapping of privilege levels configured for users on the TACACS+ server to locally configured user roles on the Cisco NX-OS device. | 5.0(2) | Configuring TACACS+ |