New and Changed Information

This chapter includes the new and changed features for the Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 10.5(x).

Table 1. New and Changed Features

| Feature | Description | Changed in Release | Where Documented |
|---|---|---|---|
| MACsec ND ISSU | Two new commands are introduced at the MACsec policy level to support MACsec ND ISSU on Cisco Nexus 9300-H2R switches. | 10.5(3o) | Guidelines and Limitations for MACsec; Configuring a MACsec Policy; Verifying the MACsec Configuration |
| Enhancement to retrieve Type-6 primary key details | Added a new show command that displays the stored details of the Type-6 primary key: protection type, time stamp, the first 16 characters of the primary key hash, and the length of the primary key. | 10.5(3)F | Verifying the Password Encryption Configuration; Configuration Examples for Password Encryption |
| Caching RADIUS Credentials | The RADIUS Credential Caching feature stores authenticated user credentials locally, eliminating repeated authentication requests to the RADIUS server for the same credentials. | 10.5(3)F | RADIUS credentials cache |
| Custom CoPP | Added Custom CoPP support on Cisco Nexus 9364E-SG2-Q and 9364E-SG2-O switches. | 10.5(3)F | Guidelines and Limitations for CoPP |
| RACL support for both ingress and egress directions | Added RACL support for both the ingress and egress directions on Cisco Nexus 9364E-SG2-Q switches. | 10.5(3)F | Guidelines and Limitations for IP ACLs |
| ACL support | Added ACL support on Cisco Nexus 9364E-SG2-Q and 9364E-SG2-O switches. | 10.5(3)F | Guidelines and Limitations for IP ACLs |
| DHCP relay support | Added DHCP relay support on Cisco Nexus 9364E-SG2-Q switches. | 10.5(3)F | Guidelines and Limitations for DHCP |
| QKD MACsec fallback support | Added support for QKD MACsec fallback to a Pre-Shared Key (PSK), so that a secured MKA session can still be established when the primary Postquantum Preshared Key (PPK) fails. | 10.5(2)F | Postquantum Preshared Keys (PPK); Guidelines and Limitations |
| CoPP configuration consistency | Added support for checking CoPP configuration consistency. | 10.5(2)F | CoPP Consistency Checker |
| DACL support on Cisco Nexus 9300 switches | Extended support for the DACL feature to Cisco Nexus 9300-FX3, GX, GX2, H2R, and H1 Series switches. | 10.5(2)F | Guidelines and Limitations for Per-User DACL Support for 802.1X |
| uRPF support | Added uRPF support on Cisco Nexus 9800 Series switches. | 10.5(2)F | Guidelines and Limitations for Unicast RPF |
| Increase RSA key size to 4096 bits | Extended the supported RSA key sizes to 4096 bits for SSH, and to 3072 and 4096 bits for cryptographic certificates. | 10.5(2)F | Generating SSH Server Keys; Configuring SSH Passwordless File Copy; Generating an RSA Key Pair |
| Support for Dot1x with Voice VLAN | Added support for the 802.1X Voice VLAN feature, which enables multi-domain 802.1X authentication on a single port and authenticates both the VoIP phone and the data client behind it. | 10.5(2)F | About 802.1X for Voice VLAN; Critical Authentication; 802.1X Guidelines and Limitations for Voice VLAN; Configuring 802.1X for Voice VLAN |
| Security Group ACL (SGACL) feature interaction support | Added Security Group ACL support for the ESI, VXLAN-TE, VXLAN-PBR, CloudSec (DCI), and TRM features. | 10.5(1)F | Guidelines and Limitations for IP ACLs |