Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x
New and Changed Information

This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 7000 Series NX-OS Security Configuration Guide.

The latest version of this document is available at the following Cisco website:

http://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.html

To check for additional information about this release, see the Cisco Nexus 7000 Series NX-OS Release Notes available at the following Cisco website:

http://www.cisco.com/en/US/products/ps9402/prod_release_notes_list.html

This table summarizes the new and changed features for the Cisco Nexus 7000 Series NX-OS Security Configuration Guide and tells you where they are documented.

Table 1 New and Changed Security Features

Feature | Description | Changed in Release | Where Documented
Cisco TrustSec | Added support for batching SGACL programming tasks. | 6.2(6) | Configuring Cisco TrustSec
Cisco TrustSec | Added the ability to map VLANs to SGTs. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Added the ability to encrypt the SAP PMK and display the PMK in encrypted format in the running configuration. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Added the show cts sap pmk command to display the hexadecimal value of the configured PMK. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Added the show cts capability interface command to display the Cisco TrustSec capability of interfaces. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Enabled the cts sgt, policy static sgt, and clear cts policy sgt commands to accept decimal values. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Added the ability to download SGT name (sgname) tables from ISE and to refresh the environment data manually and upon environment data timer expiry. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Added optional keywords to the show cts role-based sgt-map command to display a summary of the SGT mappings or the SGT map configuration for a specific SXP peer, VLAN, or VRF. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Added the brief keyword to the show cts interface command to display a brief summary for all CTS-enabled interfaces. | 6.2(2) | Configuring Cisco TrustSec
Cisco TrustSec | Added SGT support for F2 and F2e Series modules. | 6.2(2) | Configuring Cisco TrustSec
CoPP | Updated the output of the show policy-map interface control-plane command to show the 5-minute moving averages and peaks of the conformed and violated byte counts for each policy in each module. | 6.2(2) | Configuring Control Plane Policing
CoPP | Added VRRP6 ACL support to police VRRP IPv6 traffic. Modified the HSRP ACL to reflect the correct destination addresses of control packets. | 6.2(2) | Configuring Control Plane Policing
CoPP | Changed the handling of multicast traffic from being policed at different rates in different classes to being grouped into three classes (multicast-host, multicast-router, and normal) and policed at consistent rates. | 6.2(2) | Configuring Control Plane Policing
CoPP | Added the ability to monitor CoPP with SNMP. | 6.2(2) | Configuring Control Plane Policing
DHCP | Added support for the DHCPv6 relay agent. | 6.2(2) | Configuring DHCP
IP ACLs | Added support for ACL TCAM bank mapping. | 6.2(2) | Configuring IP ACLs
Rate limits | Added support for Layer 3 glean fast-path packets. | 6.2(2) | Configuring Rate Limits
VLAN ACLs | Added support for deny ACEs in a sequence. | 6.1(3) | Configuring VLAN ACLs
Cisco TrustSec | Removed the requirement for the Advanced Services license. | 6.1(1) | Configuring Cisco TrustSec
Cisco TrustSec | Added MACsec support for 40G and 100G M2 Series modules. | 6.1(1) | Configuring Cisco TrustSec
CoPP | Added a new class for FCoE; added the LISP, LISP6, and MAC Layer 3 IS-IS ACLs to the critical class; added the fcoe-fib-miss match exception to the undesirable class; added the MAC Layer 2 tunnel ACL to the Layer 2 unpoliced class; and added the "permit icmp any any 143" rule to the acl-icmp6-msgs ACL. | 6.1(1) | Configuring Control Plane Policing
FIPS | Added support for digital image signing on switches that contain the Supervisor 2 module. | 6.1(1) | Configuring FIPS
FIPS | Updated FIPS guidelines for M2 Series modules. | 6.1(1) | Configuring FIPS
IP ACLs and MAC ACLs | Updated for M2 Series modules. | 6.1(1) | Configuring IP ACLs and Configuring MAC ACLs
Cisco TrustSec | Updated for F2 Series modules. | 6.0(1) | Configuring Cisco TrustSec
CoPP | Added the dense default CoPP policy. | 6.0(1) | Configuring Control Plane Policing
CoPP | Added the ability to configure the CoPP scale factor per line card. | 6.0(1) | Configuring Control Plane Policing
FIPS | Updated FIPS guidelines for F2 Series modules. | 6.0(1) | Configuring FIPS
IP ACLs, MAC ACLs, and VACLs | Updated for F2 Series modules. | 6.0(1) | Configuring IP ACLs, Configuring MAC ACLs, and Configuring VLAN ACLs
Rate limits | Added support for F2 Series modules. | 6.0(1) | Configuring Rate Limits
RBAC | Added support for F2 Series modules. | 6.0(1) | Configuring User Accounts and RBAC
TACACS+ | Added the ability to configure command authorization for a console session. | 6.0(1) | Configuring TACACS+
User accounts and RBAC | Added the ability to configure a read-only or read-and-write rule for an SNMP OID. | 6.0(1) | Configuring User Accounts and RBAC
ACLs and CoPP | Changed the show running-config aclmgr and show startup-config aclmgr commands to display only the user-configured ACLs (and not also the default CoPP-configured ACLs) in the running and startup configurations. | 5.2(1) | Configuring IP ACLs, Configuring MAC ACLs, Configuring VLAN ACLs, and Configuring Control Plane Policing
Cisco TrustSec | Added support for pause frame encryption and decryption on interfaces. | 5.2(1) | Configuring Cisco TrustSec
CoPP | Added the ability to change or reapply the default CoPP policy without rerunning the setup utility. | 5.2(1) | Configuring Control Plane Policing
CoPP | Changed the CoPP best practice policy to read-only and added the ability to copy the policy in order to modify it. | 5.2(1) | Configuring Control Plane Policing
CoPP | Added the show copp profile and show copp diff profile commands to display the details of the CoPP best practice policy and the differences between policies, respectively. | 5.2(1) | Configuring Control Plane Policing
CoPP | Changed the show copp status command to display which flavor of the CoPP best practice policy is attached to the control plane. | 5.2(1) | Configuring Control Plane Policing
CoPP | Renamed the none option for the best practices CoPP profile in the setup utility to skip. | 5.2(1) | Configuring Control Plane Policing
CoPP | Updated the default class maps with support for MPLS LDP, MPLS OAM, MPLS RSVP, DHCP relay, and OTV-AS. | 5.2(1) | Configuring Control Plane Policing
DHCP | Added subnet broadcast support for the DHCP relay agent and support for DHCP smart relay. | 5.2(1) | Configuring DHCP
FCoE ACLs | Added support for FCoE ACLs on F1 Series modules. | 5.2(1) | Configuring IP ACLs
IP ACLs | Added support for ACL capture on M1 Series modules. | 5.2(1) | Configuring IP ACLs
LDAP | Deprecated the ldap-server port command. | 5.2(1) | Configuring LDAP
Password encryption | Added support for AES password encryption and a configurable master encryption key. | 5.2(1) | Configuring Password Encryption
RADIUS | Added type-6 encryption support for RADIUS server keys. | 5.2(1) | Configuring RADIUS
TACACS+ | Added type-6 encryption support for TACACS+ server keys. | 5.2(1) | Configuring TACACS+
Control plane policy map | Added the ability to specify a threshold for dropped packets and generate a syslog message if the drop count exceeds the configured threshold. | 5.1(1) | Configuring Control Plane Policing
CoPP | Updated the default policies with the 802.1Q class of service (CoS) values. | 5.1(1) | Configuring Control Plane Policing
CoPP | Added support for non-IP traffic classes. | 5.1(1) | Configuring Control Plane Policing
DHCP snooping | Optimized DHCP snooping to work in a vPC environment. | 5.1(1) | Configuring DHCP
FIPS | Added the ability to configure Federal Information Processing Standards (FIPS) mode. | 5.1(1) | Configuring FIPS
Rate limits | Added support for F1 Series module packets. | 5.1(1) | Configuring Rate Limits
Rate limits | Added the ability to configure rate limits for packets that reach the supervisor module and to log a system message if the rate limit is exceeded. | 5.1(1) | Configuring Rate Limits
Rate limits | Added options to disable rate limits and to configure rate limits for a specific module and port range. | 5.1(1) | Configuring Rate Limits
SCP and SFTP servers | Added the ability to configure SCP and SFTP servers on the Cisco NX-OS device to support copying files to and from a remote device. | 5.1(1) | Configuring SSH and Telnet
User roles | Added the ability to display the syntax of the commands that the network-admin and network-operator roles can use. | 5.1(1) | Configuring User Accounts and RBAC
VTY ACLs | Added support to control access to traffic received over a VTY line. | 5.1(1) | Configuring IP ACLs
802.1X | Supports configuring 802.1X on member ports of a port channel. | 5.0(2) | Configuring 802.1X
AAA authorization | Supports configuring the default AAA authorization method for TACACS+ servers. | 5.0(2) | Configuring TACACS+
CHAP authentication | Allows the enabling or disabling of CHAP authentication. | 5.0(2) | Configuring AAA
CoPP | Updated the default policies with support for the HSRP6 ACL. | 5.0(2) | Configuring Control Plane Policing
DHCP | Allows the DHCP relay agent to support VRFs. Also adds the ip dhcp relay information option vpn command and modifies the ip dhcp relay address command. | 5.0(2) | Configuring DHCP
DHCP | Supports enabling DHCP to use the Cisco proprietary numbers 150, 152, and 151 for the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions, respectively. | 5.0(2) | Configuring DHCP
IP ACLs, MAC ACLs, and VACLs | Allows up to 128K ACL entries when using an XL line card, provided a scalable services license is installed. | 5.0(2) | Configuring IP ACLs, Configuring MAC ACLs, and Configuring VLAN ACLs
LDAP | Supports configuring the Lightweight Directory Access Protocol (LDAP). | 5.0(2) | Configuring LDAP
Local authentication | Enables fallback to local authentication when remote authentication fails. | 5.0(2) | Configuring AAA
Local authentication | Allows the disabling of fallback to local authentication. | 5.0(2) | Configuring AAA
OTP | Supports one-time passwords. | 5.0(2) | Configuring RADIUS
Periodic server monitoring | Supports global periodic RADIUS and TACACS+ server monitoring. | 5.0(2) | Configuring RADIUS and Configuring TACACS+
PKI | Supports a remote cert-store and certificate mapping filters. | 5.0(2) | Configuring PKI
Privilege roles | Supports permitting or denying commands for users of privilege roles. | 5.0(2) | Configuring TACACS+
Rate limits | Supports Layer 2 Tunnel Protocol (L2TP) packets. | 5.0(2) | Configuring Rate Limits
SGACL policies | Allows the enabling or disabling of RBACL logging. | 5.0(2) | Configuring Cisco TrustSec
SGACL policies | Allows the enabling, disabling, monitoring, and clearing of RBACL statistics. | 5.0(2) | Configuring Cisco TrustSec
SSH | Supports configuring a maximum number of SSH login attempts. | 5.0(2) | Configuring SSH and Telnet
SSH | Supports starting SSH sessions from the boot mode of a Cisco NX-OS device in order to connect to a remote device. | 5.0(2) | Configuring SSH and Telnet
SSH | Supports copying files from a Cisco NX-OS device to an SCP or SFTP server without a password. | 5.0(2) | Configuring SSH and Telnet
TACACS+ privilege-level authorization | Supports the mapping of privilege levels configured for users on the TACACS+ server to locally configured user roles on the Cisco NX-OS device. | 5.0(2) | Configuring TACACS+
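The CoPP rows above span several releases: 5.1(1) added the per-class drop threshold that raises a syslog message, 5.2(1) made the best practice policy read-only and added copy, show copp profile, show copp diff profile and show copp status, and 6.2(2) extended show policy-map interface control-plane with 5-minute averages and peaks. The following is an added example of how those pieces fit together on a Nexus 7000; it is not taken from the Cisco guide. The prefix string CUSTOM, the policy and class names that the copy produces, the police rate and the drop threshold are assumptions chosen for illustration; confirm the generated names on your own switch with show running-config copp before editing them.

```text
! Added example (not from the Cisco guide): customize the read-only CoPP best practice
! policy on NX-OS 5.2(1) or later. Prefix, generated names, rate and threshold are
! assumptions for illustration.

! 1. Inspect the built-in profile and see how it differs from another flavor.
switch# show copp profile strict
switch# show copp diff profile strict profile moderate

! 2. Profiles are read-only since 5.2(1): copy one to an editable policy.
switch# configure terminal
switch(config)# copp copy profile strict prefix CUSTOM

! 3. Edit the copy. Retune one class and, per the 5.1(1) change, log a syslog
!    message when drops in that class exceed a threshold (drop count, then severity).
switch(config)# policy-map type control-plane CUSTOM-copp-policy-strict
switch(config-pmap)# class CUSTOM-copp-class-critical
switch(config-pmap-c)# police cir 39600 kbps bc 250 ms conform transmit violate drop
switch(config-pmap-c)# logging drop threshold 1000 level 5
switch(config-pmap-c)# exit
switch(config-pmap)# exit

! 4. Attach the edited copy; this replaces whatever policy was attached before.
switch(config)# control-plane
switch(config-cp)# service-policy input CUSTOM-copp-policy-strict
switch(config-cp)# end

! 5. Verify which policy is attached and watch the per-module conform/violate
!    counters (5-minute moving averages and peaks are included from 6.2(2) on).
switch# show copp status
switch# show running-config copp
switch# show policy-map interface control-plane class CUSTOM-copp-class-critical
```

Two caveats a practitioner will want. The copy is a snapshot: later releases that update the default class maps (as 5.2(1), 6.1(1) and 6.2(2) did) change the profile, not your copy, so rerun show copp diff profile after an upgrade and port the deltas by hand. And treat violated counts as a detection signal in both directions: a rising violate count in a critical class means control-plane protocols are being starved and may flap, while a class that never violates under load may be rate-limited too loosely to protect the supervisor.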
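The 5.2(1) rows for password encryption, RADIUS and TACACS+ belong together: type-7 keys are reversible obfuscation, so anyone who can read a configuration backup can recover the shared secret, and type 6 replaces them with AES encryption under a master key that is not stored in the configuration. The following added example, which is not from the Cisco guide, walks through the migration; the server address, the secret and the quoted key strings in the output are constructed for illustration.

```text
! Added example (not from the Cisco guide): move a TACACS+ shared secret from type-7
! obfuscation to type-6 AES encryption on NX-OS 5.2(1) or later. Address, secret and
! the key strings shown in output are constructed placeholders.

! Before: a key entered in clear text is stored as type 7, which is recoverable.
switch(config)# tacacs-server host 192.0.2.10 key 0 S3cretShared
switch(config)# show running-config tacacs+
...
tacacs-server host 192.0.2.10 key 7 "xxxxxxxxxxxxxxxx"

! 1. Create the master key (prompted, never written to the running configuration),
!    then enable AES password encryption.
switch(config)# key config-key ascii
New Master Key:
Retype Master Key:
switch(config)# feature password encryption aes

! 2. Convert every existing type-7 secret (RADIUS and TACACS+ keys) to type 6.
switch(config)# encryption re-encrypt obfuscated

! 3. Verify that the service is enabled with a master key and that keys now show as type 6.
switch(config)# show encryption service stat
switch(config)# show running-config tacacs+
...
tacacs-server host 192.0.2.10 key 6 "xxxxxxxxxxxxxxxx"
```

The caveat is the master key itself: because it is kept outside the configuration, a saved configuration that contains type-6 keys cannot be restored on a switch that does not hold the same master key. Record the master key in your secrets store, and if a configuration must be moved to another device that will not share it, run encryption decrypt type6 to return the keys to type 7 before exporting, then re-encrypt on the target.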