-
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x
-
Preface
-
New and Changed Information
-
Overview
-
Configuring FIPS
-
Configuring AAA
-
Configuring RADIUS
-
Configuring TACACS+
-
Configuring LDAP
-
Configuring SSH and Telnet
-
Configuring PKI
-
Configuring User Accounts and RBAC
-
Configuring 802.1X
-
Configuring NAC
-
Configuring Cisco TrustSec
-
Configuring IP ACLs
-
Configuring MAC ACLs
-
Configuring VLAN ACLs
-
Configuring Port Security
-
Configuring DHCP
-
Configuring Dynamic ARP Inspection
-
Configuring IP Source Guard
-
Configuring Password Encryption
-
Configuring Keychain Management
-
Configuring Traffic Storm Control
-
Configuring Unicast RPF
-
Configuring Control Plane Policing
-
Configuring Rate Limits
-
Index
-
Feedback
New and Changed Information
This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 7000 Series NX-OS Security Configuration Guide.
New and Changed Information
This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 7000 Series NX-OS Security Configuration Guide.
The latest version of this document is available at the following Cisco website:
To check for additional information about this release, see the Cisco Nexus 7000 Series NX-OS Release Notes available at the following Cisco website:
http://www.cisco.com/en/US/products/ps9402/prod_release_notes_list.html
This table summarizes the new and changed features for the Cisco Nexus 7000 Series NX-OS Security Configuration Guide and tells you where they are documented.
Table 1 New and Changed Security FeaturesFeature
Description
Changed in Release
Where Documented
VLAN ACLs
Added support for deny ACEs in a sequence.
6.1(3)
Cisco TrustSec
Removed the requirement for the Advanced Services license.
6.1(1)
Cisco TrustSec
Added MACsec support for 40G and 100G M2 Series modules.
6.1(1)
CoPP
Added a new class for FCoE; added the LISP, LISP6, and MAC Layer 3 IS-IS ACLs to the critical class; added the fcoe-fib-miss match exception to the undesirable class; added the MAC Layer 2 tunnel ACL to the Layer 2 unpoliced class, and added the "permit icmp any any 143" rule to the acl-icmp6-msgs ACL.
6.1(1)
FIPS
Added support for digital image signing on switches that contain the Supervisor 2 module.
6.1(1)
FIPS
Updated FIPS guidelines for M2 Series modules.
6.1(1)
IP ACLs and MAC ACLs
Updated for M2 Series modules.
6.1(1)
Cisco TrustSec
Updated for F2 Series modules.
6.0(1)
CoPP
Added the dense default CoPP policy.
6.0(1)
CoPP
Added the ability to configure the CoPP scale factor per line card.
6.0(1)
FIPS
Updated FIPS guidelines for F2 Series modules.
6.0(1)
IP ACLs, MAC ACLs, and VACLs
Updated for F2 Series modules.
6.0(1)
Configuring IP ACLs, Configuring MAC ACLs, and Configuring VLAN ACLs
Rate limits
Added support for F2 Series modules.
6.0(1)
RBAC
Added support for F2 Series modules.
6.0(1)
TACACS+
Added the ability to configure command authorization for a console session.
6.0(1)
User accounts and RBAC
Added the ability to configure a read-only or read-and-write rule for an SNMP OID.
6.0(1)
ACLs and CoPP
Changed the show running-config aclmgr and show startup-config aclmgr commands to display only the user-configured ACLs (and not also the default CoPP-configured ACLs) in the running and startup configurations.
5.2(1)
Configuring IP ACLs, Configuring MAC ACLs, Configuring VLAN ACLs, and Configuring Control Plane Policing
Cisco TrustSec
Added support for pause frame encryption and decryption on interfaces.
5.2(1)
CoPP
Added the ability to change or reapply the default CoPP policy without rerunning the setup utility.
5.2(1)
CoPP
Changed the CoPP best practice policy to read-only and added the ability to copy the policy in order to modify it.
5.2(1)
CoPP
Added the show copp profile and show copp diff profile commands to display the details of the CoPP best practice policy and the differences between policies, respectively.
5.2(1)
CoPP
Changed the show copp status command to display which flavor of the CoPP best practice policy is attached to the control plane.
5.2(1)
CoPP
Changed the name of the none option for the best practices CoPP profile in the setup utility to skip.
5.2(1)
CoPP
Updated the default class maps with support for MPLS LDP, MPLS OAM, MPLS RSVP, DHCP relay, and OTV-AS.
5.2(1)
DHCP
Added subnet broadcast support for the DHCP relay agent and support for DHCP smart relay.
5.2(1)
FCoE ACLs
Added support for FCoE ACLs on F1 Series modules.
5.2(1)
IP ACLs
Added support for ACL capture on M1 Series modules.
5.2(1)
LDAP
Deprecated the ldap-server port command.
5.2(1)
Password encryption
Added support for AES password encryption and a configurable master encryption key.
5.2(1)
RADIUS
Added type-6 encryption support for RADIUS server keys.
5.2(1)
TACACS+
Added type-6 encryption support for TACACS+ server keys.
5.2(1)
Control plane policy map
Added the ability to specify the threshold value for dropped packets and generate a syslog if the drop count exceeds the configured threshold.
5.1(1)
CoPP
Updated the default policies with the 802.1Q class of service (cos) values.
5.1(1)
CoPP
Added support for non-IP traffic classes.
5.1(1)
DHCP snooping
Optimized DHCP snooping to work in a vPC environment.
5.1(1)
FIPS
Added the ability to configure Federal Information Processing Standards (FIPS) mode.
5.1(1)
Rate limits
Added support for F1 Series module packets.
5.1(1)
Rate limits
Added the ability to configure rate limits for packets that reach the supervisor module and to log a system message if the rate limit is exceeded.
5.1(1)
Rate limits
Added options to disable rate limits and to configure rate limits for a specific module and port range.
5.1(1)
SCP and SFTP servers
Added the ability to configure SCP and SFTP servers on the Cisco NX-OS device to support the copy of files to and from a remote device.
5.1(1)
User roles
Added the ability to display the syntax of the commands that the network-admin and network-operator roles can use.
5.1(1)
VTY ACLs
Added support to control access to traffic received over a VTY line.
5.1(1)
802.1X
Supports configuring 802.1X on member ports of a port channel.
5.0(2)
AAA authorization
Supports configuring the default AAA authorization method for TACACS+ servers.
5.0(2)
CHAP authentication
Allows the enabling or disabling of CHAP authentication.
5.0(2)
CoPP
Updated the default policies with support for ACL HSRP6.
5.0(2)
DHCP
Allows the DHCP relay agent to support VRFs. Also adds the ip dhcp relay information option vpn command and modifies the ip dhcp relay address command.
5.0(2)
DHCP
Supports enabling DHCP to use Cisco proprietary numbers 150, 152, and 151 for the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions.
5.0(2)
IP ACLs, MAC ACLs, and VACLs
Allows up to 128K ACL entries when using an XL line card, provided a scalable services license is installed.
5.0(2)
Configuring IP ACLs, Configuring MAC ACLs, and Configuring VLAN ACLs
LDAP
Supports configuring the Lightweight Directory Access Protocol (LDAP).
5.0(2)
Local authentication
Enables fallback to local authentication when remote authentication fails.
5.0(2)
Local authentication
Allows the disabling of fallback to local authentication.
5.0(2)
OTP
Supports one-time passwords.
5.0(2)
Periodic server monitoring
Supports global periodic RADIUS and TACACS+ server monitoring.
5.0(2)
PKI
Supports a remote cert-store and certificate mapping filters.
5.0(2)
Privilege roles
Supports permitting or denying commands for users of privilege roles.
5.0(2)
Rate limits
Supports Layer 2 Tunnel Protocol (L2TP) packets.
5.0(2)
SGACL policies
Allows the enabling or disabling of RBACL logging.
5.0(2)
SGACL policies
Allows the enabling, disabling, monitoring, and clearing of RBACL statistics.
5.0(2)
SSH
Supports configuring a maximum number of SSH login attempts.
5.0(2)
SSH
Supports starting SSH sessions from the boot mode of a Cisco NX-OS device in order to connect to a remote device.
5.0(2)
SSH
Supports copying files from a Cisco NX-OS device to an SCP or SFTP server without a password.
5.0(2)
TACACS+ privilege-level authorization
Supports the mapping of privilege levels configured for users on the TACACS+ server to locally configured user roles on the Cisco NX-OS device.
5.0(2)