New and Changed Information

Your software release might not support all the features in this document. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release.

Table 1. New and Changed Security Features

| Feature | Description | Changed in Release | Where Documented |
|---|---|---|---|
| X.509 certificate based SSH Authorization using TACACS | Beginning with Cisco NX-OS Release 8.4(10), authorization of X.509 certificates for SSH using a TACACS+ server can be configured using the aaa authorization ssh-certificate default group command. | 8.4(10) | X.509 certificate based SSH Authorization using TACACS |
| Scale ACL | Starting from Cisco NX-OS Release 8.4(2), Scale ACL is supported on M3 series modules for RACL policies. | 8.4(2) | Configuring Scale ACL |
| ACL name length | Starting from Cisco NX-OS Release 8.4(2), an IP ACL name can be up to 256 characters long. | 8.4(2) | Creating an IP ACL |
| Router ACL | Starting from Cisco NX-OS Release 8.4(1), Router ACL is supported on bridge domain interfaces. | 8.4(1) | Configuring IP ACLs |
| 4096 bit RSA Keys | Starting from Cisco NX-OS Release 8.4(1), you can use 4096-bit RSA keys to secure SSH, SCP, and SFTP sessions. You can also associate a 4096-bit RSA key with a trust point. | 8.4(1) | Configuring SSH and Telnet; Configuring PKI |
| Non-standard Ethernet Type and DMAC Support for MACsec | Added support for changing the EAPoL destination MAC address and the Ethernet Type values to non-standard values. | 8.3(1) | Configuring MACsec Key Agreement |
| CoPP | Support for the uRPF exception CoPP class is introduced in Cisco NX-OS Release 8.2(6). | 8.2(6) | Configuring Control Plane Policing |
| MACsec Enhancements | Enhanced the following: should-secure security policy, break-out capability of PSK, MKA unique PSK scale support up to 400, MKA unrecoverable SAK support, and SECurity entitY MIB (IEEE8021-SECY-MIB) support. | 8.2(3) | Configuring MACsec Key Agreement |
| Flexible ACL TCAM Bank Chaining | Added support for Cisco Nexus M2 series modules for the flexible ACL TCAM bank chaining feature. | 8.2(1) | Flexible ACL TCAM Bank Chaining |
| DHCP Redirect Response | Added support for the DHCP redirect response feature. | 8.2(1) | Information About DHCP Response Redirect |
| MACsec Key Agreement | Added support for the MACsec Key Agreement protocol. | 8.2(1) | Configuring MACsec Key Agreement |
| SGT Tagging Exemption for Layer 2 Protocols | Added support to exempt Layer 2 control packets from SGT tagging. | 8.1(1) | SGT Tagging Exemption for Layer 2 Protocols |
| SGACL Policy Enforcement Per Interface | Added support to enable or disable SGACL policy enforcement on Layer 3 physical interfaces and port channels. | 8.0(1) | Overview of SGACL Policy Enforcement Per Interface |
| Flexible ACL TCAM Bank Chaining | Added support for Cisco Nexus M3 series modules for the flexible ACL TCAM bank chaining feature. | 8.0(1) | Flexible ACL TCAM Bank Chaining |
| X.509v3 Certificate-Based SSH Authentication | Added support for the X.509v3 Certificate-Based SSH Authentication feature. | 8.0(1) | SSH Authentication Using Digital Certificates |
| System Security Monitoring | Added the functionality to monitor the status of the system security features. | 8.0(1) | Monitoring System Security |
| IPv6 First Hop Security | Added support for the IPv6 First-Hop Security features. | 8.0(1) | Configuring IPv6 First-Hop Security |
| SGACL Egress Policy Overwrite | Added support for the SGACL Egress Policy Overwrite feature. | 8.0(1) | Overview of SGACL Egress Policy Overwrite |
| Runtime Integrity Assurance | Added support for the Runtime Integrity Assurance feature. | 8.0(1) | Software Integrity Assurance |
| SXPv4 | Added support for the SGT Exchange Protocol Version 4. | 8.0(1) | Overview of Cisco TrustSec with SXPv4 |