New and Changed Information

This chapter provides release-specific information for each new and changed feature in the Cisco Nexus 9000 Series NX-OS Security Guide, Release 7.x.

New and Changed Information

This table summarizes the new and changed features for the Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x and tells you where they are documented.

Table 1. New and Changed Features for Cisco NX-OS Release 7.x

| Feature | Description | Changed in Release | Where Documented |
|---|---|---|---|
| MACsec | Added MACsec support on N9K-X9732C-FX line cards. | NX-OS 7.0(3)I7(8) | Guidelines and Limitations for MACsec |
| SSH Algorithm Support | The ssh ciphers and ssh kexalgos commands were modified. The aes256-gcm keyword was added to the ssh ciphers command, and the ecdh-sha2-nistp384 keyword was added to the ssh kexalgos command. | NX-OS 7.0(3)I7(8) | Configuring Legacy SSH Algorithm Support |
| MACsec | Added the capability to drop CDP/LLDP packets whenever the MACsec configuration on a port with a must-secure policy is not in a secured state. | NX-OS 7.0(3)I7(7) | Guidelines and Limitations for MACsec |
| MACsec | Added the ability to disable MACsec without removing the MACsec configurations for Cisco Nexus 9000 Series switches with N9K-X9732C-EXM and N9K-X9736C-FX line cards. | NX-OS 7.0(3)I7(4) | Configuring MACsec |
| IP ACLs | Added IPv6 wildcard mask support for access lists and object groups for Cisco Nexus 9200, 9300-EX, and 9300-FX/FX2/FXP switches and the Cisco Nexus 9364C switch. | NX-OS 7.0(3)I7(3) | Creating an IP ACL; Creating and Changing an IPv6 Address Object Group |
| MACsec fallback key | Introduced this feature. | NX-OS 7.0(3)I7(3) | Configuring MACsec Fallback Key |
| SSH | Added new SSH commands for enabling legacy security algorithms. | NX-OS 7.0(3)I7(3) | Configuring Legacy SSH Algorithm Support |
| Unicast RPF | Introduced this feature for Cisco Nexus 9300 platform switches. | NX-OS 7.0(3)I7(3) | Configuring Unicast RPF |
| Unicast RPF | Introduced this feature for Cisco Nexus 9500 Series switches with N9K-X9636C-R and N9K-X963Q-R line cards. | 7.0(3)F2(1) | Configuring Unicast RPF |
| MACsec | Introduced this feature for Cisco Nexus 9500 Series switches with the N9K-X9736C-FX line card. | 7.0(3)I7(2) | Configuring MACsec |
| 802.1X | Introduced this feature. | 7.0(3)I7(1) | Configuring 802.1X |
| Traffic storm control | Added the ability to enable packets per second for Cisco Nexus 9500 Series switches with 94xx line cards and Cisco Nexus 9300 Series switches. | 7.0(3)I7(1) | Configuring Traffic Storm Control |
| Option 82 | Introduced this feature. | 7.0(3)I7(1) | DHCP Snooping Option 82 Data Insertion |
| First-hop security | Introduced this feature. | 7.0(3)I7(1) | Configuring IPv6 First Hop Security |
| ACL TCAM regions | Added new ACL TCAM regions for the Cisco Nexus 9300-FX Series switches. | 7.0(3)I7(1) | ACL TCAM Regions |
| VACL redirect | Supports the VACL redirect option. | 7.0(3)I6(1) | Configuring VLAN ACLs |
| Storm control | Added support for configuring the traffic storm control rate for ARP packets entering a port channel. | 7.0(3)I6(1) | |
| IPv6 ACL/UDF ERSPAN | Added support for IPv6 ACLs with UDF-based match. | 7.0(3)I6(1) | |
| Egress rate-limiter | Added support for the hardware rate-limiter to show statistics for outbound traffic on SPAN egress ports. | 7.0(3)I6(1) | Configuring Rate Limits |
| Port security over vPC | Supports security on vPCs. | 7.0(3)I6(1) | Configuring Port Security |
| SSH | Changed the default value of the show ssh key command to display the fingerprint in SHA256 format by default and added the md5 option if you want to see the fingerprint in MD5 format. | 7.0(3)I6(1) | Configuring SSH and Telnet |
| DHCP | Added the ability to configure Option 82 to use encoded string format. | 7.0(3)I5(2) | Enabling or Disabling Option 82 for the DHCP Relay Agent |
| IPv4 ACLs | Added UDF-based match support for port ACLs. | 7.0(3)I5(2) | ACL Types and Applications |
| IPv6 RA guard | Introduced this feature. | 7.0(3)I5(2) | Configuring IPv6 RA Guard |
| Port security | Introduced this feature. | 7.0(3)I5(1) | Configuring Port Security |
| SSH | Added support for X.509v3 certificate-based SSH authentication. | 7.0(3)I5(1) | Configuring SSH and Telnet |
| SSH | Changed the default value of the show ssh key command to display the fingerprint in SHA256 format by default and added the md5 option if you want to see the fingerprint in MD5 format. | 7.0(3)I4(6) | Configuring SSH and Telnet |
| AAA | Added the ability to log successful and failed login attempts. | 7.0(3)I4(1) | Logging Successful and Failed Login Attempts |
| CoPP | Changed the police CIR rate range to start with 0 to initiate a packet drop. | 7.0(3)I4(1) | Configuring a Control Plane Policy Map |
| IP ACLs | Enabled access control entry (ACE) and ACL information to be displayed in the output of the show logging ip access-list cache command. | 7.0(3)I4(1) | Configuring ACL Logging |
| ACL TCAM regions | Added new ACL TCAM regions for the Cisco Nexus 9200 Series switches. | 7.0(3)I3(1) | ACL TCAM Regions |
| ACL TCAM templates | Added the ability to create and apply custom TCAM templates. | 7.0(3)I3(1) | Using Templates to Configure ACL TCAM Region Sizes |
| CoPP | Introduced static CoPP ACLs and new show commands for the Cisco Nexus 9200 Series switches. Also added default class maps for Cisco NX-OS Release 7.0(3)I3(1) and instructions for configuring the policer rate for the Cisco Nexus 9200 Series switches in bits per second (rather than in packets per second). | 7.0(3)I3(1) | Dynamic and Static CoPP ACLs; Verifying the CoPP Configuration; Default Class Maps; Configuring a Control Plane Policy Map |
| DHCP | Added the ability to program Option 82 with the VLAN + slot + port format. | 7.0(3)I3(1) | Enabling or Disabling Option 82 for the DHCP Relay Agent |
| IP ACLs | Added support for Cisco Nexus 9200 Series switches. | 7.0(3)I3(1) | Guidelines and Limitations for IP ACLs |
| Keychain management | Added support for OSPFv2 HMAC-SHA authentication. | 7.0(3)I3(1) | Configuring Keychain Management |
| DHCP client | Added support for the Cisco Nexus 9500 Series switches. | 7.0(3)I2(2) | Configuring DHCP |
| User accounts | Added support for an underscore (_) as the first character in a username. | 7.0(3)I2(2) | Configuring User Accounts and RBAC |
| AAA | Introduced the following secure login features: ability to block login attempts and enforce a quiet period; ability to restrict the maximum login sessions per user; ability to restrict the password length; ability to prompt the user to enter a password after entering the username; ability to hide the shared secret used for RADIUS or TACACS+ authentication or accounting. | 7.0(3)I2(1) | Configuring AAA |
| ACL TCAM regions | Added ACL TCAM regions for multicast PIM Bidir, network address translation (NAT), OpenFlow, sFlow, and static MPLS. Also added the ability to attach user-defined fields (UDFs) to the racl, ifacl, and vacl TCAM regions to configure UDF-based SPAN or ERSPAN. | 7.0(3)I2(1) | ACL TCAM Regions |
| CoPP | Changed the behavior of the no copp profile and no service-policy input commands. If you try to disable CoPP using one of these commands, an error message appears. In previous releases, entering these commands rate-limited packets at 50 packets per second. | 7.0(3)I2(1) | Configuring Control Plane Policing |
| CoPP | Removed the Skip CoPP policy option from the Cisco NX-OS initial setup utility. | 7.0(3)I2(1) | Configuring Control Plane Policing |
| DHCP client | Introduced this feature for Cisco Nexus 9300 Series switches. | 7.0(3)I2(1) | Configuring Control Plane Policing |
| IP ACLs | Added the ability to specify the length of the TCP options header in packets in HTTP method matches. | 7.0(3)I2(1) | |
| User Accounts | Introduced SHA256 hashing support for encrypted passwords. | 7.0(3)I2(1) | Configuring User Accounts and RBAC |
| DHCP relay | Added DHCP relay source interface support for IPv4. | 7.0(3)I1(2) | Configuring DHCP |
| DHCP snooping | Added support for multiple IP addresses with the same MAC address and VLAN in static binding entries. | 7.0(3)I1(2) | Configuring DHCP |
| Switchport Blocking | Introduced this feature. | 7.0(3)I1(2) | Configuring Switchport Blocking |
| ACL TCAM | Added ACL TCAM regions for DAI and IPSG. | 7.0(3)I1(1) | ACL TCAM Regions |
| DHCP snooping | Introduced this feature. | 7.0(3)I1(1) | Configuring DHCP |
| Dynamic ARP Inspection (DAI) | Introduced this feature. | 7.0(3)I1(1) | Configuring Dynamic ARP Inspection |
| IP Source Guard (IPSG) | Introduced this feature. | 7.0(3)I1(1) | Configuring IP Source Guard |