New and Changed Information
The following table provides an overview of the significant changes to the organization and features in this guide up to this current release. The table does not provide an exhaustive list of all changes made to the guide or of the new features up to this release.
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
EIGRP Authentication |
Support for EIGRP keychain authentication |
Chapter: Protocol Authentication |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
802.1x enhancements |
Support for IP Phones |
Chapter: 802.1x |
|
Per Leaf Aggregate for DPP |
Support for Shared Policer Mode |
Chapter: Data Plane Policing |
|
SAML Enhancements |
Support for Encrypted SAML Assertions |
Chapter: TACACS+, RADIUS, LDAP, RSA, and SAML |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
Document Reorganization |
The topics in this section were collected from the Custom Certificate for ACI Cisco HTTPS Access Knowledge Base article. |
Chapter: HTTPS Access |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
CoPP per Interface per Protocol |
Support for configuring CoPP on a per interface per protocol basis. |
Chapter: Control Plane Traffic |
|
CoPP Prefilter |
A CoPP prefilter profile is used on spine and leaf switches to filter access to authentication services based on specified sources and TCP ports to protect against DDoS attacks. |
Chapter: Control Plane Traffic |
|
FIPs SHA1 Key Support |
When FIPs is enabled, SHA1 key is supported for NTP authentication |
Chapter: Fabric Security |
|
LDAP Group Map |
Enables LDAP configuration in the APIC GUI as an alternative to configuring a Cisco AVPair. |
Chapter: TACACs+, RADIUS, LDAP, RSA, and SAML |
|
RSA Secure ID |
Provides token based password authentication |
Chapter: TACACs+, RADIUS, LDAP, RSA, and SAML |
|
Server Monitoring |
Provides a method to determine whether a remote AAA server is alive or not. |
Chapter: TACACs+, RADIUS, LDAP, RSA, and SAML |
|
Basic GUI topics removed |
Basic GUI procedures are no longer supported |
The following topics have been removed:
|
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
First Hop Security |
Enables better IPv4 and IPv6 link security and management over the layer 2 links. |
Chapter: First Hop Security |
|
SAML Management/2 Factor Authentication |
SAML is an XML-based open standard data format that uses security tokens containing assertions that pass information between an SAML identity provider and a SAML service provider. |
Chapter: TACACs+, RADIUS, LDAP, RSA, and SAML |
|
Local User Authentication using OTP |
OTP is a one-time password that is valid for only one session. Once OTP is enabled, APIC generates a random human readable 16 binary octets that are base32 OTP Key. |
|
|
Password Strength |
Allows configuration of user password parameters for security management. |
|
|
SSH Private Key File |
Allows password authentication for outside access. |
|
|
Data Plane Policing at the EPG level |
Support for configuring the data Plane Policing at the Endpoing Group (EPG) level. |
Chapter: Data Plane Policing |
|
802.1x Support |
Support for configuring 802.1x |
Chapter: 802.1x |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
EPG level Data Plane Policing |
Support for configuring the Data Plane Policing at the Endpoint Group (EPG) level. |
Chapter: Data Plane Policing |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
Document Reorganization |
The topics in this guide were collected from Cisco APIC Basic Configuration Guide, Release 2.x, Cisco ACI and Port Security, and the following Knowledge Base articles:
|
Cisco APIC Security Configuration Guide (this guide) |
|
Control Plane Policing |
Protects the control plane and Configuring Security separates it from the data plane, which ensures network stability, reachability, and packet delivery. |
Chapter: Control Plane Traffic |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
Support for changing remote user role |
Allows the remote user to request a role-change |
|
|
Support on all platforms (except N9K-C93180YC-EX) for: |
Support on all platforms (except N9K-C93180YC-EX) for: |
Chapter: Data Plane Policing |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
FIPS |
Support for FIPS is enabled. |
Chapter: Fabric Security |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
|
Chapter: Port Security |
|
COOP |
COOP authentication supported |
Chapter: Protocol Authentication |
|
Support for Ethertype, protocol, L4 port, and TCP flag filters is available. |
Support for Ethertype, protocol, L4 port, and TCP flag filters is available. |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
AAA RBAC Roles and Privileges |
This guide was released to provide a description of AAA RBAC roles and privileges. |
|
|
Support for egress policers on the N9K-C93180YC-EX. |
Support for egress policers on the N9K-C93180YC-EX. |
Chapter: Data Plane Policing |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
Data Plane Policing |
Support for Data Plane Policing |
Chapter: Data Plane Policing |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
TACACS+, RADIUS, and LDAP |
Support for TACACS+, RADIUS, and LDAP |
Chapter: TACACs+, RADIUS, LDAP, RSA, and SAML |
|
Feature or Change |
Description |
Where Documented |
|---|---|---|
|
Signature-Based Transactions |
The APIC controllers in a Cisco ACI fabric offer different methods to authenticate users. |
|
|
Custom Certificate for Cisco ACI HTTPS Access |
Configure a custom certificate for HTTPS access when using Cisco ACI |
Chapter: HTTPS Access |
Feedback